Repository: winsiderss/systeminformer Branch: master Commit: 0d2893cc8929 Files: 1190 Total size: 44.0 MB Directory structure: gitextract_4bdkv5wf/ ├── .editorconfig ├── .gitattributes ├── .github/ │ ├── CODEOWNERS │ ├── FUNDING.yml │ ├── ISSUE_TEMPLATE/ │ │ ├── bug_report.yml │ │ ├── config.yml │ │ └── feature_request.yml │ └── workflows/ │ ├── cla.yml │ ├── cmake.yml │ ├── msbuild.yml │ └── scan.yml ├── .gitignore ├── .vscode/ │ ├── launch.json │ └── tasks.json ├── .vsconfig ├── CHANGELOG.txt ├── CLA.md ├── CMakeLists.txt ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── COPYRIGHT.txt ├── Common.Kernel.props ├── Common.Kernel.ruleset ├── Common.User.props ├── Directory.Build.props ├── HACKING.md ├── KSystemInformer/ │ ├── Directory.Build.props │ ├── KSystemInformer.inf │ ├── KSystemInformer.sln │ ├── KSystemInformer.slnx │ ├── KSystemInformer.vcxproj │ ├── KSystemInformer.vcxproj.filters │ ├── README.md │ ├── alloc.c │ ├── alpc.c │ ├── back_trace.c │ ├── bin-signed/ │ │ ├── amd64/ │ │ │ ├── ksi.pdb │ │ │ ├── systeminformer.pdb │ │ │ └── systeminformer.sys │ │ └── arm64/ │ │ ├── ksi.pdb │ │ ├── systeminformer.pdb │ │ └── systeminformer.sys │ ├── cid_table.c │ ├── cid_tracking.c │ ├── comms.c │ ├── comms_handlers.c │ ├── device.c │ ├── driver.c │ ├── dyndata.c │ ├── dynimp.c │ ├── file.c │ ├── hash.c │ ├── imgcoherency.c │ ├── include/ │ │ ├── comms.h │ │ ├── informer.h │ │ ├── informer_filep.h │ │ ├── kph.h │ │ ├── ntfill.h │ │ ├── pooltags.h │ │ └── trace.h │ ├── informer.c │ ├── informer_debug.c │ ├── informer_file.c │ ├── informer_filenc.c │ ├── informer_fileop.c │ ├── informer_image.c │ ├── informer_object.c │ ├── informer_process.c │ ├── informer_registry.c │ ├── informer_thread.c │ ├── knowndll.c │ ├── kphobject.c │ ├── kphthread.c │ ├── ksidll.c │ ├── ksidll.def │ ├── ksidll.vcxproj │ ├── lsa.c │ ├── main.c │ ├── object.c │ ├── parameters.c │ ├── process.c │ ├── protection.c │ ├── ratelmt.c │ ├── resource.rc │ ├── ringbuff.c │ ├── session_token.c │ ├── system.c │ ├── thread.c │ ├── umaccess.c │ ├── util.c │ ├── verify.c │ └── vm.c ├── LICENSE.txt ├── README.md ├── README.txt ├── SECURITY.md ├── SystemInformer/ │ ├── CMakeLists.txt │ ├── Directory.Build.props │ ├── SystemInformer.def │ ├── SystemInformer.def.h │ ├── SystemInformer.manifest │ ├── SystemInformer.rc │ ├── SystemInformer.vcxproj │ ├── SystemInformer.vcxproj.filters │ ├── about.c │ ├── actions.c │ ├── admintask.c │ ├── affinity.c │ ├── anawait.c │ ├── appsup.c │ ├── chcol.c │ ├── chdlg.c │ ├── chproc.c │ ├── colmgr.c │ ├── colsetmgr.c │ ├── dbgcon.c │ ├── delayhook.c │ ├── delayload.c │ ├── devprv.c │ ├── extmgr.c │ ├── findobj.c │ ├── gdihndl.c │ ├── heapinfo.c │ ├── hidnproc.c │ ├── hndllist.c │ ├── hndlmenu.c │ ├── hndlprp.c │ ├── hndlprv.c │ ├── hndlstat.c │ ├── include/ │ │ ├── actions.h │ │ ├── appsup.h │ │ ├── colmgr.h │ │ ├── colsetmgr.h │ │ ├── devprv.h │ │ ├── extmgr.h │ │ ├── extmgri.h │ │ ├── heapstruct.h │ │ ├── hidnproc.h │ │ ├── hndllist.h │ │ ├── hndlmenu.h │ │ ├── hndlprv.h │ │ ├── informer.h │ │ ├── ksisup.h │ │ ├── mainwnd.h │ │ ├── mainwndp.h │ │ ├── memlist.h │ │ ├── memprv.h │ │ ├── memsrch.h │ │ ├── miniinfo.h │ │ ├── miniinfop.h │ │ ├── modlist.h │ │ ├── modprv.h │ │ ├── netlist.h │ │ ├── netprv.h │ │ ├── notifico.h │ │ ├── notificop.h │ │ ├── notiftoast.h │ │ ├── phapp.h │ │ ├── phappres.h │ │ ├── phfwddef.h │ │ ├── phplug.h │ │ ├── phsettings.h │ │ ├── phsvc.h │ │ ├── phsvcapi.h │ │ ├── phsvccl.h │ │ ├── phuisup.h │ │ ├── procgrp.h │ │ ├── procmtgn.h │ │ ├── procprp.h │ │ ├── procprpp.h │ │ ├── procprv.h │ │ ├── proctree.h │ │ ├── srvlist.h │ │ ├── srvprv.h │ │ ├── sysinfo.h │ │ ├── sysinfop.h │ │ ├── thrdlist.h │ │ └── thrdprv.h │ ├── infodlg.c │ ├── informer.c │ ├── itemtips.c │ ├── jobprp.c │ ├── kdump.c │ ├── ksidbg.c │ ├── ksisup.c │ ├── ksyscall.c │ ├── log.c │ ├── logwnd.c │ ├── main.c │ ├── mainwnd.c │ ├── mdump.c │ ├── memedit.c │ ├── memlist.c │ ├── memlists.c │ ├── memmod.c │ ├── memprot.c │ ├── memprv.c │ ├── memrslt.c │ ├── memsrch.c │ ├── memsrcht.c │ ├── miniinfo.c │ ├── modlist.c │ ├── modprv.c │ ├── mtgndlg.c │ ├── mwpgdev.c │ ├── mwpgnet.c │ ├── mwpgproc.c │ ├── mwpgsrv.c │ ├── netlist.c │ ├── netprv.c │ ├── netstk.c │ ├── netsup.c │ ├── notifico.c │ ├── notiftoast.cpp │ ├── ntobjprp.c │ ├── options.c │ ├── pagfiles.c │ ├── phsvc/ │ │ ├── clapi.c │ │ ├── svcapi.c │ │ ├── svcapiport.c │ │ ├── svcclient.c │ │ └── svcmain.c │ ├── plugin.c │ ├── plugman.c │ ├── procgrp.c │ ├── procmtgn.c │ ├── procprp.c │ ├── procprv.c │ ├── procrec.c │ ├── proctree.c │ ├── prpgenv.c │ ├── prpggen.c │ ├── prpghndl.c │ ├── prpgjob.c │ ├── prpgmem.c │ ├── prpgmod.c │ ├── prpgperf.c │ ├── prpgsrv.c │ ├── prpgstat.c │ ├── prpgthrd.c │ ├── prpgtok.c │ ├── prpgvdm.c │ ├── prpgwmi.c │ ├── resource.h │ ├── resources/ │ │ ├── capslist.txt │ │ ├── etwguids.txt │ │ └── pooltag.txt │ ├── runas.c │ ├── searchbox.c │ ├── sessmsg.c │ ├── sessprp.c │ ├── sessshad.c │ ├── settings.c │ ├── srvcr.c │ ├── srvctl.c │ ├── srvlist.c │ ├── srvprp.c │ ├── srvprv.c │ ├── sysinfo.c │ ├── syssccpu.c │ ├── sysscio.c │ ├── sysscmem.c │ ├── thrdlist.c │ ├── thrdprv.c │ ├── thrdstk.c │ ├── thrdstks.c │ ├── tokprp.c │ ├── usrlist.c │ └── version.rc ├── SystemInformer.natvis ├── SystemInformer.sln ├── SystemInformer.slnx ├── build/ │ ├── KSystemInformer.ddf │ ├── README.md │ ├── build_clean.cmd │ ├── build_cmake.cmd │ ├── build_compile_commands.cmd │ ├── build_debug.cmd │ ├── build_devenv.cmd │ ├── build_dyndata.cmd │ ├── build_header.cmd │ ├── build_init.cmd │ ├── build_msix.cmd │ ├── build_release.cmd │ ├── build_sdk.cmd │ ├── build_sdk_rebuild.cmd │ ├── build_thirdparty.cmd │ ├── build_tools.cmd │ ├── build_verbose.cmd │ ├── build_zdriver.cmd │ ├── build_zdriver_cab.cmd │ ├── build_zdriver_sdk.cmd │ ├── build_zsign.cmd │ └── build_zwntapi.ps1 ├── cmake/ │ ├── commands.cmake │ ├── platform.cmake │ ├── prefast.cmake │ ├── toolchain/ │ │ ├── clang-msvc-amd64.cmake │ │ ├── clang-msvc-arm64.cmake │ │ ├── clang-msvc-x86.cmake │ │ ├── clang-msvc.cmake │ │ ├── finalize-msvc.cmake │ │ ├── msvc-amd64.cmake │ │ ├── msvc-arm64.cmake │ │ ├── msvc-x86.cmake │ │ ├── msvc.cmake │ │ └── override-msvc.cmake │ ├── tools.cmake │ └── tracewpp.cmake ├── kphlib/ │ ├── CMakeLists.txt │ ├── Directory.Build.props │ ├── include/ │ │ ├── kphapi.h │ │ ├── kphdyn.h │ │ ├── kphdyndata.h │ │ ├── kphlibbase.h │ │ ├── kphmsg.h │ │ ├── kphmsgdefs.h │ │ ├── kphmsgdyn.h │ │ ├── kphringbuff.h │ │ ├── sistatus.h │ │ └── sistatus.rc │ ├── kphdyn.c │ ├── kphdyn.xml │ ├── kphdyndata.c │ ├── kphlib_km.filters │ ├── kphlib_km.vcxproj │ ├── kphlib_km.vcxproj.filters │ ├── kphlib_um.vcxproj │ ├── kphlib_um.vcxproj.filters │ ├── kphmsg.c │ ├── kphmsgdyn.c │ ├── kphringbuff.c │ └── sistatus.mc ├── packages.config ├── phlib/ │ ├── CMakeLists.txt │ ├── Directory.Build.props │ ├── apiimport.c │ ├── apistubs.cpp │ ├── appresolver.c │ ├── appruntime.c │ ├── avltree.c │ ├── basestring.c │ ├── basesup.c │ ├── bcd.cpp │ ├── circbuf.c │ ├── circbuf_i.h │ ├── colorbox.c │ ├── cpysave.c │ ├── data.c │ ├── directdraw.cpp │ ├── dspick.c │ ├── emenu.c │ ├── error.c │ ├── extlv.c │ ├── fastlock.c │ ├── filepool.c │ ├── filestream.c │ ├── firmware.c │ ├── format.c │ ├── format_i.h │ ├── format_std.cpp │ ├── global.c │ ├── graph.c │ ├── guisup.c │ ├── guisuplistview.cpp │ ├── handle.c │ ├── hexedit.c │ ├── hndlinfo.c │ ├── http.c │ ├── hvsocketcontrol.c │ ├── icotobmp.c │ ├── imgcoherency.c │ ├── include/ │ │ ├── apiimport.h │ │ ├── appresolver.h │ │ ├── appresolverp.h │ │ ├── bcd.h │ │ ├── circbuf.h │ │ ├── circbuf_h.h │ │ ├── colorbox.h │ │ ├── cpysave.h │ │ ├── dltmgr.h │ │ ├── dspick.h │ │ ├── emenu.h │ │ ├── exlf.h │ │ ├── exprodid.h │ │ ├── fastlock.h │ │ ├── filepool.h │ │ ├── filepoolp.h │ │ ├── filestream.h │ │ ├── filestreamp.h │ │ ├── graph.h │ │ ├── guisup.h │ │ ├── guisupp.h │ │ ├── guisupview.h │ │ ├── handle.h │ │ ├── handlep.h │ │ ├── hexedit.h │ │ ├── hexeditp.h │ │ ├── hndlinfo.h │ │ ├── hvsocketcontrol.h │ │ ├── json.h │ │ ├── kphcomms.h │ │ ├── kphuser.h │ │ ├── lsamsup.h │ │ ├── lsasup.h │ │ ├── mapimg.h │ │ ├── mapldr.h │ │ ├── ph.h │ │ ├── phafd.h │ │ ├── phbase.h │ │ ├── phbasesup.h │ │ ├── phconfig.h │ │ ├── phconsole.h │ │ ├── phdata.h │ │ ├── phfirmware.h │ │ ├── phintrin.h │ │ ├── phintrnl.h │ │ ├── phnative.h │ │ ├── phnativeinl.h │ │ ├── phnet.h │ │ ├── phsup.h │ │ ├── phutil.h │ │ ├── provider.h │ │ ├── queuedlock.h │ │ ├── ref.h │ │ ├── refp.h │ │ ├── searchbox.h │ │ ├── secedit.h │ │ ├── seceditp.h │ │ ├── secwmi.h │ │ ├── settings.h │ │ ├── strsrch.h │ │ ├── svcsup.h │ │ ├── symprv.h │ │ ├── symprvp.h │ │ ├── templ.h │ │ ├── thirdparty.h │ │ ├── trace.h │ │ ├── treenew.h │ │ ├── treenewp.h │ │ ├── verify.h │ │ ├── verifyp.h │ │ ├── workqueue.h │ │ ├── workqueuep.h │ │ └── wslsup.h │ ├── json.c │ ├── kph.c │ ├── kphcomms.c │ ├── lsamsup.c │ ├── lsasup.c │ ├── mapexlf.c │ ├── mapimg.c │ ├── mapldr.c │ ├── maplib.c │ ├── native.c │ ├── nativefile.c │ ├── nativeflt.c │ ├── nativejob.c │ ├── nativekey.c │ ├── nativemodule.c │ ├── nativepipe.c │ ├── nativeprocess.c │ ├── nativesocket.c │ ├── nativethread.c │ ├── nativetoken.c │ ├── nativetxn.c │ ├── nativeuser.c │ ├── phlib.vcxproj │ ├── phlib.vcxproj.filters │ ├── provider.c │ ├── queuedlock.c │ ├── ref.c │ ├── searchbox.c │ ├── secdata.c │ ├── secedit.c │ ├── secwmi.c │ ├── settings.c │ ├── strsrch.c │ ├── svcsup.c │ ├── symprv.c │ ├── symprv_std.cpp │ ├── sync.c │ ├── theme.c │ ├── treenew.c │ ├── util.c │ ├── verify.c │ ├── workqueue.c │ └── wslsup.c ├── phnt/ │ ├── CMakeLists.txt │ ├── README.md │ ├── include/ │ │ ├── ntafd.h │ │ ├── ntbcd.h │ │ ├── ntdbg.h │ │ ├── ntexapi.h │ │ ├── ntgdi.h │ │ ├── ntimage.h │ │ ├── ntintsafe.h │ │ ├── ntioapi.h │ │ ├── ntkeapi.h │ │ ├── ntldr.h │ │ ├── ntlpcapi.h │ │ ├── ntmisc.h │ │ ├── ntmmapi.h │ │ ├── ntnls.h │ │ ├── ntobapi.h │ │ ├── ntpebteb.h │ │ ├── ntpfapi.h │ │ ├── ntpnpapi.h │ │ ├── ntpoapi.h │ │ ├── ntpsapi.h │ │ ├── ntregapi.h │ │ ├── ntrtl.h │ │ ├── ntsam.h │ │ ├── ntseapi.h │ │ ├── ntsmss.h │ │ ├── ntstrsafe.h │ │ ├── ntsxs.h │ │ ├── nttmapi.h │ │ ├── nttp.h │ │ ├── ntuser.h │ │ ├── ntwmi.h │ │ ├── ntwow64.h │ │ ├── ntxcapi.h │ │ ├── ntzwapi.h │ │ ├── phnt.h │ │ ├── phnt_ntdef.h │ │ ├── phnt_windows.h │ │ ├── smbios.h │ │ ├── subprocesstag.h │ │ ├── usermgr.h │ │ └── winsta.h │ ├── meson.build │ └── zw_options.txt ├── plugins/ │ ├── CMakeLists.txt │ ├── Directory.Build.props │ ├── DotNetTools/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── DotNetTools.rc │ │ ├── DotNetTools.vcxproj │ │ ├── DotNetTools.vcxproj.filters │ │ ├── asmpage.c │ │ ├── clr/ │ │ │ ├── LICENSE.TXT │ │ │ ├── clrdata.h │ │ │ ├── cor.h │ │ │ ├── corsym.h │ │ │ ├── dacprivate.h │ │ │ ├── dbgappdomain.h │ │ │ ├── ipcenums.h │ │ │ ├── ipcheader.h │ │ │ ├── ipcshared.h │ │ │ ├── perfcounterdefs.h │ │ │ ├── sospriv.h │ │ │ └── xclrdata.h │ │ ├── clretw.h │ │ ├── clrsup.c │ │ ├── clrsup.h │ │ ├── counters.c │ │ ├── dn.h │ │ ├── main.c │ │ ├── perfpage.c │ │ ├── resource.h │ │ ├── stackext.c │ │ ├── svcext.c │ │ ├── svcext.h │ │ ├── treeext.c │ │ └── version.rc │ ├── ExtendedNotifications/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── ExtendedNotifications.rc │ │ ├── ExtendedNotifications.vcxproj │ │ ├── ExtendedNotifications.vcxproj.filters │ │ ├── extnoti.h │ │ ├── filelog.c │ │ ├── main.c │ │ ├── resource.h │ │ └── version.rc │ ├── ExtendedServices/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── ExtendedServices.rc │ │ ├── ExtendedServices.vcxproj │ │ ├── ExtendedServices.vcxproj.filters │ │ ├── depend.c │ │ ├── extsrv.h │ │ ├── main.c │ │ ├── other.c │ │ ├── recovery.c │ │ ├── resource.h │ │ ├── srvprgrs.c │ │ ├── svcpkg.c │ │ ├── svcpnp.c │ │ ├── trigger.c │ │ ├── triggpg.c │ │ └── version.rc │ ├── ExtendedTools/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── Efi/ │ │ │ ├── EfiDevicePath.h │ │ │ └── EfiTypes.h │ │ ├── ExtendedTools.rc │ │ ├── ExtendedTools.vcxproj │ │ ├── ExtendedTools.vcxproj.filters │ │ ├── PresentMon/ │ │ │ ├── ETW/ │ │ │ │ ├── Microsoft_Windows_D3D9.h │ │ │ │ ├── Microsoft_Windows_DXGI.h │ │ │ │ ├── Microsoft_Windows_Dwm_Core.h │ │ │ │ ├── Microsoft_Windows_DxgKrnl.h │ │ │ │ ├── Microsoft_Windows_EventMetadata.h │ │ │ │ └── Microsoft_Windows_Win32k.h │ │ │ ├── LICENSE.txt │ │ │ ├── PresentMon.cpp │ │ │ ├── PresentMon.hpp │ │ │ ├── PresentMonTraceConsumer.cpp │ │ │ ├── PresentMonTraceConsumer.hpp │ │ │ ├── TraceConsumer.cpp │ │ │ ├── TraceConsumer.hpp │ │ │ └── TraceSession.cpp │ │ ├── counters.c │ │ ├── d3dkmt/ │ │ │ ├── LICENSE │ │ │ ├── d3dkmdt.h │ │ │ ├── d3dkmthk.h │ │ │ └── d3dukmdt.h │ │ ├── disktab.c │ │ ├── disktabp.h │ │ ├── efi_guid_list.h │ │ ├── etwdisk.c │ │ ├── etwmini.c │ │ ├── etwmini.h │ │ ├── etwmon.c │ │ ├── etwmon.h │ │ ├── etwprprp.c │ │ ├── etwstat.c │ │ ├── etwsys.c │ │ ├── etwsys.h │ │ ├── extension/ │ │ │ └── plugin.h │ │ ├── exttools.h │ │ ├── firmware.c │ │ ├── firmware_editor.c │ │ ├── framemon.cpp │ │ ├── framemon.h │ │ ├── frameprp.c │ │ ├── fwmon.c │ │ ├── fwtab.c │ │ ├── gpudetails.c │ │ ├── gpumini.c │ │ ├── gpumini.h │ │ ├── gpumon.c │ │ ├── gpumon.h │ │ ├── gpunodes.c │ │ ├── gpuprprp.c │ │ ├── gpusys.c │ │ ├── gpusys.h │ │ ├── iconext.c │ │ ├── main.c │ │ ├── modsrv.c │ │ ├── namedpipes.c │ │ ├── npudetails.c │ │ ├── npumini.c │ │ ├── npumini.h │ │ ├── npumon.c │ │ ├── npumon.h │ │ ├── npunodes.c │ │ ├── npuprprp.c │ │ ├── npusys.c │ │ ├── npusys.h │ │ ├── objmgr.c │ │ ├── objprp.c │ │ ├── options.c │ │ ├── pooldb.c │ │ ├── pooldialog.c │ │ ├── pooldialogbig.c │ │ ├── poolmon.h │ │ ├── pooltree.c │ │ ├── reparse.c │ │ ├── resource.h │ │ ├── smbios.c │ │ ├── svcext.c │ │ ├── thrdact.c │ │ ├── tpm.c │ │ ├── tpm.h │ │ ├── tpm_editor.c │ │ ├── treeext.c │ │ ├── unldll.c │ │ ├── utils.c │ │ ├── version.rc │ │ ├── waitchain.c │ │ └── wswatch.c │ ├── HardwareDevices/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── HardwareDevices.rc │ │ ├── HardwareDevices.vcxproj │ │ ├── HardwareDevices.vcxproj.filters │ │ ├── adapter.c │ │ ├── d3dkmt/ │ │ │ ├── LICENSE │ │ │ ├── d3dkmdt.h │ │ │ ├── d3dkmthk.h │ │ │ └── d3dukmdt.h │ │ ├── deviceprops.c │ │ ├── devices.h │ │ ├── devicetree.c │ │ ├── disk.c │ │ ├── diskdetails.c │ │ ├── diskgraph.c │ │ ├── disknotify.c │ │ ├── diskoptions.c │ │ ├── fmifs.h │ │ ├── gpu.c │ │ ├── gpudetails.c │ │ ├── gpugraph.c │ │ ├── gpunodes.c │ │ ├── gpuoptions.c │ │ ├── graphics.c │ │ ├── main.c │ │ ├── ndis.c │ │ ├── ndiswlan.c │ │ ├── ndiswlan.h │ │ ├── netdetails.c │ │ ├── netgraph.c │ │ ├── netoptions.c │ │ ├── power.c │ │ ├── powergraph.c │ │ ├── poweroptions.c │ │ ├── prpsh.c │ │ ├── prpsh.h │ │ ├── resource.h │ │ ├── storage.c │ │ └── version.rc │ ├── NetworkTools/ │ │ ├── CMakeLists.txt │ │ ├── NetworkTools.rc │ │ ├── NetworkTools.vcxproj │ │ ├── NetworkTools.vcxproj.filters │ │ ├── country.c │ │ ├── main.c │ │ ├── nettools.h │ │ ├── options.c │ │ ├── pages.c │ │ ├── ping.c │ │ ├── ports.c │ │ ├── resource.h │ │ ├── resources/ │ │ │ └── licence.txt │ │ ├── tracert.c │ │ ├── tracert.h │ │ ├── tracetree.c │ │ ├── update.c │ │ ├── version.rc │ │ └── whois.c │ ├── OnlineChecks/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── OnlineChecks.rc │ │ ├── OnlineChecks.vcxproj │ │ ├── OnlineChecks.vcxproj.filters │ │ ├── api.c │ │ ├── main.c │ │ ├── onlnchk.h │ │ ├── options.c │ │ ├── page1.c │ │ ├── page2.c │ │ ├── page3.c │ │ ├── page4.c │ │ ├── resource.h │ │ ├── scan.c │ │ ├── upload.c │ │ └── version.rc │ ├── Plugins.props │ ├── Plugins.sln │ ├── Plugins.slnx │ ├── ToolStatus/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── ToolStatus.rc │ │ ├── ToolStatus.vcxproj │ │ ├── ToolStatus.vcxproj.filters │ │ ├── customizesb.c │ │ ├── customizetb.c │ │ ├── filter.c │ │ ├── find.c │ │ ├── graph.c │ │ ├── main.c │ │ ├── options.c │ │ ├── plugin.c │ │ ├── resource.h │ │ ├── statusbar.c │ │ ├── taskbar.c │ │ ├── toolbar.c │ │ ├── toolbarsup.c │ │ ├── toolstatus.h │ │ └── version.rc │ ├── Updater/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── Updater.rc │ │ ├── Updater.vcxproj │ │ ├── Updater.vcxproj.filters │ │ ├── main.c │ │ ├── options.c │ │ ├── page1.c │ │ ├── page2.c │ │ ├── page3.c │ │ ├── page4.c │ │ ├── page5.c │ │ ├── resource.h │ │ ├── updater.c │ │ ├── updater.h │ │ ├── verify.c │ │ └── version.rc │ ├── UserNotes/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── UserNotes.rc │ │ ├── UserNotes.vcxproj │ │ ├── UserNotes.vcxproj.filters │ │ ├── db.c │ │ ├── db.h │ │ ├── main.c │ │ ├── options.c │ │ ├── prpcmpage.c │ │ ├── resource.h │ │ ├── usernotes.h │ │ └── version.rc │ ├── WindowExplorer/ │ │ ├── CHANGELOG.txt │ │ ├── CMakeLists.txt │ │ ├── WindowExplorer.rc │ │ ├── WindowExplorer.vcxproj │ │ ├── WindowExplorer.vcxproj.filters │ │ ├── main.c │ │ ├── prpsh.c │ │ ├── prpsh.h │ │ ├── resource.h │ │ ├── utils.c │ │ ├── version.rc │ │ ├── wnddlg.c │ │ ├── wndexp.h │ │ ├── wndprp.c │ │ ├── wndtree.c │ │ └── wndtree.h │ ├── include/ │ │ ├── commonutil.h │ │ ├── networktoolsintf.h │ │ └── toolstatusintf.h │ └── readme.txt └── tools/ ├── CMakeLists.txt ├── CompileCommandsJson/ │ ├── CompileCommandsJson.cs │ ├── CompileCommandsJson.csproj │ ├── CompileCommandsJson.sln │ ├── CompileCommandsJson.slnx │ └── Properties/ │ └── PublishProfiles/ │ ├── amd64.pubxml │ └── arm64.pubxml ├── CustomBuildTool/ │ ├── AzureClient.cs │ ├── AzureSignTool/ │ │ ├── AuthenticodeKeyVaultSigner.cs │ │ ├── ECDsaKeyVault.cs │ │ ├── ECDsaKeyVaultExtensions.cs │ │ ├── KeyVaultConfigurationDiscoverer.cs │ │ ├── KeyVaultContext.cs │ │ ├── LICENSE.txt │ │ ├── MemoryCertificateStore.cs │ │ ├── NativeMethods.cs │ │ ├── RSAKeyVault.cs │ │ ├── RSAKeyVaultExtensions.cs │ │ └── TimeStampConfiguration.cs │ ├── Build.cs │ ├── BuildAzure.cs │ ├── BuildConfig.cs │ ├── BuildDevOps.cs │ ├── BuildGithub.cs │ ├── BuildHttpClient.cs │ ├── BuildSourceForge.cs │ ├── BuildToolsId.cs │ ├── BuildVerify.cs │ ├── BuildVirusTotal.cs │ ├── BuildVisualStudio.cs │ ├── CustomBuildTool.csproj │ ├── CustomBuildTool.sln │ ├── CustomBuildTool.slnx │ ├── DynData.cs │ ├── GlobalSuppressions.cs │ ├── HeaderGen.cs │ ├── NativeImports.txt │ ├── NativeMethods.json │ ├── NativeMethods.txt │ ├── Program.cs │ ├── Properties/ │ │ └── PublishProfiles/ │ │ ├── amd64.pubxml │ │ └── arm64.pubxml │ ├── Utils.cs │ ├── Win32.cs │ ├── Zip.cs │ └── app.manifest ├── CustomCmdTool/ │ ├── CustomCmdTool.sln │ ├── CustomCmdTool.slnx │ ├── CustomCmdTool.vcxproj │ ├── CustomCmdTool.vcxproj.filters │ ├── app.manifest │ └── main.c ├── CustomDebugTool/ │ └── CustomDebugTool.slnx ├── CustomSetupTool/ │ ├── CustomSetupTool.sln │ ├── CustomSetupTool.slnx │ ├── CustomSetupTool.vcxproj │ ├── CustomSetupTool.vcxproj.filters │ ├── app.manifest │ ├── extract.c │ ├── install.c │ ├── main.c │ ├── resource.h │ ├── resource.rc │ ├── setup.h │ ├── startpage.c │ ├── uninstall.c │ ├── update.c │ ├── util.c │ └── version.rc ├── CustomSignTool/ │ ├── CustomSignTool.manifest │ ├── CustomSignTool.sln │ ├── CustomSignTool.slnx │ ├── CustomSignTool.vcxproj │ ├── CustomSignTool.vcxproj.filters │ ├── main.c │ ├── resource.h │ └── resource.rc ├── CustomStartTool/ │ ├── CustomStartTool.sln │ ├── CustomStartTool.slnx │ ├── CustomStartTool.vcxproj │ ├── CustomStartTool.vcxproj.filters │ ├── app.manifest │ └── main.c ├── Directory.Build.props ├── GenerateZw/ │ ├── GenerateZw.csproj │ ├── GenerateZw.sln │ ├── GenerateZw.slnx │ ├── Program.cs │ ├── Properties/ │ │ └── PublishProfiles/ │ │ └── 64Bit.pubxml │ └── ZwGen.cs ├── fixlib/ │ ├── fixlib.c │ ├── fixlib.sln │ ├── fixlib.slnx │ ├── fixlib.vcxproj │ └── fixlib.vcxproj.filters ├── fixlib_bcd/ │ ├── lib32/ │ │ └── bcd.def │ ├── lib64/ │ │ └── bcd.def │ └── make_bcd_lib.cmd ├── msix/ │ ├── PackageManifest64.msix.xml │ ├── PackageTemplate.appinstaller │ ├── PackageTemplate.msix.xml │ └── build.cmd ├── peview/ │ ├── CMakeLists.txt │ ├── appmanifest.c │ ├── attributes.c │ ├── cfgprp.c │ ├── chcol.c │ ├── clrprp.c │ ├── clrprptables.c │ ├── clrtableimportprp.c │ ├── clrtableimports.cpp │ ├── colmgr.c │ ├── colmgr.h │ ├── debugprp.c │ ├── delayhook.c │ ├── disimp.c │ ├── ehcontprp.c │ ├── exlfdynamic.c │ ├── exlfexports.c │ ├── exlfimports.c │ ├── exlfprp.c │ ├── expprp.c │ ├── hashprp.c │ ├── impprp.c │ ├── include/ │ │ ├── peview.h │ │ └── prpsh.h │ ├── layout.c │ ├── ldprp.c │ ├── libprp.c │ ├── links.c │ ├── main.c │ ├── mappings.c │ ├── metahost/ │ │ ├── CorError.h │ │ ├── CorHdr.h │ │ ├── cor.h │ │ ├── gchost.h │ │ ├── ivalidator.h │ │ ├── ivehandler.h │ │ ├── metahost.h │ │ └── mscoree.h │ ├── misc.c │ ├── options.c │ ├── pdb.c │ ├── pdbprp.c │ ├── pechpeprp.c │ ├── pedirprp.c │ ├── pedynrelocprp.c │ ├── peexceptprp.c │ ├── peheaderprp.c │ ├── pemuiprp.c │ ├── pepogoprp.c │ ├── peprp.c │ ├── peprpwnd.c │ ├── perelocprp.c │ ├── pesectionprp.c │ ├── peview.manifest │ ├── peview.rc │ ├── peview.vcxproj │ ├── peview.vcxproj.filters │ ├── previewprp.c │ ├── processes.c │ ├── propstore.c │ ├── prpsh.c │ ├── resource.h │ ├── resprp.c │ ├── richprp.c │ ├── searchbox.c │ ├── secprp.c │ ├── settings.c │ ├── streams.c │ ├── strings.c │ ├── tlsprp.c │ ├── version.rc │ ├── versioninfoprp.c │ └── volatileprp.c ├── tests/ │ └── phlib-test/ │ ├── main.c │ ├── phlib-test.manifest │ ├── phlib-test.sln │ ├── phlib-test.slnx │ ├── phlib-test.vcxproj │ ├── phlib-test.vcxproj.filters │ ├── t_avltree.c │ ├── t_basesup.c │ ├── t_format.c │ ├── t_util.c │ └── tests.h ├── thirdparty/ │ ├── CMakeLists.txt │ ├── detours/ │ │ ├── LICENSE.txt │ │ ├── detours.cpp │ │ ├── detours.h │ │ ├── disasm.cpp │ │ ├── disolarm.cpp │ │ ├── disolarm64.cpp │ │ ├── disolia64.cpp │ │ ├── disolx64.cpp │ │ ├── disolx86.cpp │ │ └── modules.cpp │ ├── jsonc/ │ │ ├── COPYING │ │ ├── ChangeLog │ │ ├── arraylist.c │ │ ├── arraylist.h │ │ ├── config.h │ │ ├── debug.c │ │ ├── debug.h │ │ ├── json.h │ │ ├── json_c_version.c │ │ ├── json_c_version.h │ │ ├── json_config.h │ │ ├── json_inttypes.h │ │ ├── json_object.c │ │ ├── json_object.h │ │ ├── json_object_iterator.c │ │ ├── json_object_iterator.h │ │ ├── json_object_private.h │ │ ├── json_pointer.c │ │ ├── json_pointer.h │ │ ├── json_pointer_private.h │ │ ├── json_tokener.c │ │ ├── json_tokener.h │ │ ├── json_types.h │ │ ├── json_util.c │ │ ├── json_util.h │ │ ├── json_visit.c │ │ ├── json_visit.h │ │ ├── libjson.c │ │ ├── linkhash.c │ │ ├── linkhash.h │ │ ├── math_compat.h │ │ ├── printbuf.c │ │ ├── printbuf.h │ │ ├── random_seed.c │ │ ├── random_seed.h │ │ ├── snprintf_compat.h │ │ ├── strdup_compat.h │ │ ├── strerror_override.c │ │ ├── strerror_override.h │ │ └── vasprintf_compat.h │ ├── maxminddb/ │ │ ├── LICENSE │ │ ├── data-pool.c │ │ ├── data-pool.h │ │ ├── maxminddb-compat-util.h │ │ ├── maxminddb.c │ │ ├── maxminddb.h │ │ └── maxminddb_config.h │ ├── md5/ │ │ ├── LICENSE │ │ ├── md5.c │ │ └── md5.h │ ├── miniz/ │ │ ├── LICENSE │ │ ├── miniz.c │ │ ├── miniz.h │ │ ├── miniz_common.h │ │ ├── miniz_tdef.c │ │ ├── miniz_tdef.h │ │ ├── miniz_tinfl.c │ │ ├── miniz_tinfl.h │ │ ├── miniz_zip.c │ │ └── miniz_zip.h │ ├── mxml/ │ │ ├── LICENSE │ │ ├── config.h │ │ ├── mxml-attr.c │ │ ├── mxml-file.c │ │ ├── mxml-get.c │ │ ├── mxml-index.c │ │ ├── mxml-node.c │ │ ├── mxml-options.c │ │ ├── mxml-private.c │ │ ├── mxml-private.h │ │ ├── mxml-search.c │ │ ├── mxml-set.c │ │ └── mxml.h │ ├── pcre/ │ │ ├── LICENCE │ │ ├── README │ │ ├── config.h │ │ ├── pcre2.h │ │ ├── pcre2_auto_possess.c │ │ ├── pcre2_chartables.c │ │ ├── pcre2_chkdint.c │ │ ├── pcre2_compile.c │ │ ├── pcre2_compile.h │ │ ├── pcre2_compile_class.c │ │ ├── pcre2_config.c │ │ ├── pcre2_context.c │ │ ├── pcre2_convert.c │ │ ├── pcre2_dfa_match.c │ │ ├── pcre2_dftables.c │ │ ├── pcre2_error.c │ │ ├── pcre2_extuni.c │ │ ├── pcre2_find_bracket.c │ │ ├── pcre2_fuzzsupport.c │ │ ├── pcre2_internal.h │ │ ├── pcre2_intmodedep.h │ │ ├── pcre2_jit_char_inc.h │ │ ├── pcre2_jit_compile.c │ │ ├── pcre2_jit_match.c │ │ ├── pcre2_jit_misc.c │ │ ├── pcre2_jit_neon_inc.h │ │ ├── pcre2_jit_simd_inc.h │ │ ├── pcre2_jit_test.c │ │ ├── pcre2_maketables.c │ │ ├── pcre2_match.c │ │ ├── pcre2_match_data.c │ │ ├── pcre2_newline.c │ │ ├── pcre2_ord2utf.c │ │ ├── pcre2_pattern_info.c │ │ ├── pcre2_printint.c │ │ ├── pcre2_script_run.c │ │ ├── pcre2_serialize.c │ │ ├── pcre2_string_utils.c │ │ ├── pcre2_study.c │ │ ├── pcre2_substitute.c │ │ ├── pcre2_substring.c │ │ ├── pcre2_tables.c │ │ ├── pcre2_ucd.c │ │ ├── pcre2_ucp.h │ │ ├── pcre2_ucptables.c │ │ ├── pcre2_util.h │ │ ├── pcre2_valid_utf.c │ │ ├── pcre2_xclass.c │ │ ├── pcre2posix.c │ │ └── pcre2posix.h │ ├── sha/ │ │ ├── LICENSE │ │ ├── sha.c │ │ └── sha.h │ ├── sha256/ │ │ ├── LICENSE │ │ ├── sha256.c │ │ └── sha256.h │ ├── ssdeep/ │ │ ├── COPYING.txt │ │ ├── fuzzy.c │ │ └── fuzzy.h │ ├── thirdparty.sln │ ├── thirdparty.slnx │ ├── thirdparty.vcxproj │ ├── thirdparty.vcxproj.filters │ ├── tlsh/ │ │ ├── LICENSE │ │ ├── tlsh.cpp │ │ ├── tlsh.h │ │ ├── tlsh_impl.cpp │ │ ├── tlsh_impl.h │ │ ├── tlsh_util.cpp │ │ ├── tlsh_util.h │ │ ├── tlsh_win_version.h │ │ ├── tlsh_wrapper.cpp │ │ └── tlsh_wrapper.h │ ├── winsdk/ │ │ ├── cvconst.h │ │ ├── dia2.h │ │ └── dia3.h │ ├── xxhash/ │ │ ├── CHANGELOG │ │ ├── LICENSE │ │ ├── xxhash.c │ │ ├── xxhash.h │ │ ├── xxhashwrapper.c │ │ └── xxhashwrapper.h │ └── zydis/ │ ├── LICENSE │ ├── Zydis.c │ └── Zydis.h └── versioning/ ├── build_version.cmd └── version.rc ================================================ FILE CONTENTS ================================================ ================================================ FILE: .editorconfig ================================================ root = true [*.{c,c++,cc,cpp,cppm,cxx,h,h++,hh,hpp,hxx,inl,ipp,ixx,tlh,tli}] charset = utf-8 end_of_line = crlf indent_style = space indent_size = 4 trim_trailing_whitespace = true insert_final_newline = true ================================================ FILE: .gitattributes ================================================ # Auto detect text files * text=auto working-tree-encoding=UTF-8 # Custom for Visual Studio *.cs diff=csharp *.sln merge=union *.slnx merge=union *.csproj merge=union *.vbproj merge=union *.fsproj merge=union *.dbproj merge=union # Project files *.appinstaller text *.bat text *.c text *.cs text *.cpp text *.config text *.cmake text *.cmd text *.csproj text *.def text *.ddf text *.editorconfig text *.gitattributes text *.gitignore text *.h text *.hpp text *.inc text *.inf text *.json text *.map text *.manifest text *.mc text *.md text *.natvis text *.ps1 text *.props text *.pubxml text *.resx text *.rc text *.sh text eol=lf *.sln text *.slnx text *.txt text *.vsconfig text *.vcxproj text *.filters text *.xml text *.yml text *.yaml text **AUTHORS text **COPYING text **CHANGELOG text **CODEOWNERS text **LICENSE text **LICENCE text **README text *.bmp binary *.dll binary *.exe binary *.ico binary *.lib binary *.pdb binary *.png binary *.s binary *.sys binary *.zip binary # svg standard require LF *.svg text eol=lf # Standard to msysgit *.doc diff=astextplain *.DOC diff=astextplain *.docx diff=astextplain *.DOCX diff=astextplain *.dot diff=astextplain *.DOT diff=astextplain *.pdf diff=astextplain *.PDF diff=astextplain *.rtf diff=astextplain *.RTF diff=astextplain # Ignore files during repository export .gitattributes export-ignore .gitignore export-ignore .gitmodules export-ignore .github export-ignore ================================================ FILE: .github/CODEOWNERS ================================================ # Below is a list of System Informer team members' GitHub handles who are # suggested reviewers for contributions to this repository. # # These names are just suggestions. It is fine to have your changes # reviewed by someone else. # # Use git ls-files '' without a / prefix to see the list of matching files. /CODEOWNERS @dmex @jxy-s /KSystemInformer @jxy-s /SystemInformer @dmex @jxy-s /build @dmex @jxy-s /kphlib @jxy-s /phlib @dmex @jxy-s /phnt @dmex @jxy-s /plugins @dmex @jxy-s /tools @dmex /tools/CustomBuildTool/DynData.cs @jxy-s .github/workflows @dmex @jxy-s ================================================ FILE: .github/FUNDING.yml ================================================ # These are supported funding model platforms github: [dmex, jxy-s] ================================================ FILE: .github/ISSUE_TEMPLATE/bug_report.yml ================================================ name: 'Bug report' description: Report bugs or other issues body: - type: textarea attributes: label: Brief description of your issue placeholder: Briefly describe your issue here. validations: required: true - type: textarea attributes: label: Steps to reproduce (optional) placeholder: How to reproduce the issue? validations: required: false - type: textarea attributes: label: Expected behavior (optional) placeholder: What did you expect to happen? validations: required: false - type: textarea attributes: label: Actual behavior (optional) placeholder: What is currently happening? validations: required: false - type: textarea attributes: label: Environment (optional) placeholder: | System Informer version Windows version Any other information? render: shell validations: required: false ================================================ FILE: .github/ISSUE_TEMPLATE/config.yml ================================================ blank_issues_enabled: true contact_links: - name: General Questions url: https://github.com/winsiderss/systeminformer/discussions/new about: Have a question? Start a new discussion. - name: Review open issues url: https://github.com/winsiderss/systeminformer/issues about: Check existing bug reports for already reported issues. - name: Create a blank issue url: https://github.com/winsiderss/systeminformer/issues/new about: Create a blank issue for anything else. ================================================ FILE: .github/ISSUE_TEMPLATE/feature_request.yml ================================================ name: "Feature request" description: Suggest features, modifications or ideas type: "Feature" labels: ["enhancement"] body: - type: textarea attributes: label: Description of the feature, modification, idea or suggestion validations: required: true - type: textarea attributes: label: Proposed implementation details (optional) placeholder: Suggest how to implement the feature. validations: required: false ================================================ FILE: .github/workflows/cla.yml ================================================ name: "CLA Assistant" on: issue_comment: types: [created] pull_request_target: types: [opened,closed,synchronize] permissions: actions: write checks: read contents: read issues: read discussions: read pull-requests: write statuses: read jobs: CLAssistant: if: ${{ github.event_name == 'pull_request_target' || github.event.issue.pull_request }} runs-on: ubuntu-latest steps: - name: "CLA Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' uses: cla-assistant/github-action@dbc1c64d82d3aad5072007a41fff2828ae6d23ec env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PERSONAL_ACCESS_TOKEN : ${{ secrets.CLA_ASSISTANT_TOKEN }} with: path-to-signatures: 'systeminformer/cla-signatures.json' path-to-document: 'https://github.com/winsiderss/systeminformer/blob/master/CLA.md' branch: 'main' remote-organization-name: 'winsiderss' remote-repository-name: 'winsiderss-cla' lock-pullrequest-aftermerge: false ================================================ FILE: .github/workflows/cmake.yml ================================================ name: 'cmake-continuous-integration' on: workflow_dispatch: push: branches: ['master'] pull_request: branches: ['master'] jobs: build: permissions: contents: read strategy: fail-fast: false matrix: os: - windows-latest toolchain: - msvc-amd64 - msvc-arm64 - msvc-x86 - clang-msvc-amd64 - clang-msvc-arm64 - clang-msvc-x86 configuration: - Debug - Release generator: - Ninja runs-on: ${{ matrix.os }} name: ${{ matrix.configuration }} ${{ matrix.toolchain }} steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: NuGet Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd working-directory: ${{github.workspace}} run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Build Tools shell: cmd working-directory: ${{github.workspace}} run: build\build_tools.cmd - name: Generate shell: cmd working-directory: ${{github.workspace}} run: build\build_cmake.cmd "${{ matrix.generator }}" ${{ matrix.configuration }} ${{ matrix.toolchain }} generate - name: Build shell: cmd working-directory: ${{github.workspace}} run: build\build_cmake.cmd "${{ matrix.generator }}" ${{ matrix.configuration }} ${{ matrix.toolchain }} build ================================================ FILE: .github/workflows/msbuild.yml ================================================ name: 'continuous-integration' on: workflow_dispatch: push: branches: ['master'] pull_request: branches: ['master'] jobs: build: permissions: contents: read strategy: fail-fast: false matrix: os: ['windows-latest'] runs-on: ${{ matrix.os }} steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: NuGet Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd working-directory: ${{github.workspace}} run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Build Tools shell: cmd working-directory: ${{github.workspace}} run: build\build_init.cmd - name: Build Solution shell: cmd working-directory: ${{github.workspace}} run: build\build_debug.cmd build-release: permissions: contents: read strategy: matrix: os: ['windows-latest'] runs-on: ${{ matrix.os }} steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: NuGet Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd working-directory: ${{github.workspace}} run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Build Tools shell: cmd working-directory: ${{github.workspace}} run: build\build_init.cmd - name: Build Solution shell: cmd working-directory: ${{github.workspace}} run: build\build_release.cmd build-driver: permissions: contents: read strategy: matrix: os: ['windows-latest'] runs-on: ${{ matrix.os }} steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: NuGet Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd working-directory: ${{github.workspace}} run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Build Tools shell: cmd working-directory: ${{github.workspace}} run: build\build_tools.cmd - name: Build Driver shell: cmd working-directory: ${{github.workspace}} run: build\build_zdriver.cmd prefast build-driver-release: permissions: contents: read strategy: matrix: os: ['windows-latest'] runs-on: ${{ matrix.os }} steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 - name: NuGet Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd working-directory: ${{github.workspace}} run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Build Tools shell: cmd working-directory: ${{github.workspace}} run: build\build_tools.cmd - name: Build Driver shell: cmd working-directory: ${{github.workspace}} run: build\build_zdriver.cmd release ================================================ FILE: .github/workflows/scan.yml ================================================ name: 'CodeQL Analysis' on: workflow_dispatch: schedule: - cron: '0 0 * * 0' jobs: analyze_driver: name: analyze-driver runs-on: windows-2025 permissions: security-events: write actions: read contents: read strategy: fail-fast: false matrix: language: ['cpp'] steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 with: fetch-depth: 0 - name: Nuget Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Build Tools shell: cmd run: build\build_tools.cmd - name: Initialize CodeQL uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: languages: ${{ matrix.language }} - name: Build Driver shell: cmd run: build\build_zdriver.cmd - name: Finalize CodeQL Database run: | $codeqlPath = (Get-ChildItem -Path "$env:RUNNER_TOOL_CACHE\CodeQL" -Recurse -Filter "codeql.exe" | Select-Object -First 1).FullName & $codeqlPath database finalize "${{ runner.temp }}\codeql_databases\cpp" - name: Download Windows Driver Query Packs shell: pwsh run: | $codeqlPath = (Get-ChildItem -Path "$env:RUNNER_TOOL_CACHE\CodeQL" -Recurse -Filter "codeql.exe" | Select-Object -First 1).FullName & $codeqlPath pack download microsoft/windows-drivers@1.8.2 & $codeqlPath pack download microsoft/cpp-queries@0.0.4 - name: Run Windows Driver Analysis shell: pwsh run: | $codeqlPath = (Get-ChildItem -Path "$env:RUNNER_TOOL_CACHE\CodeQL" -Recurse -Filter "codeql.exe" | Select-Object -First 1).FullName $sarifOut = Join-Path "${{ runner.temp }}" "driver-analysis.sarif" & $codeqlPath database analyze "${{ runner.temp }}\codeql_databases\cpp" microsoft/windows-drivers --format=sarifv2.1.0 --output=$sarifOut if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - name: Filter CodeQL Results uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # 1.0.1 with: input: ${{ runner.temp }}\driver-analysis.sarif output: ${{ runner.temp }}\driver-filtered.sarif patterns: packages/** - name: Upload CodeQL Results uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: sarif_file: ${{ runner.temp }}\driver-filtered.sarif analyze_library: name: analyze-software runs-on: windows-2025 permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: ['cpp'] steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 with: fetch-depth: 0 - name: Nuget Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Build Init shell: cmd run: build\build_init.cmd - name: Initialize CodeQL uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: languages: ${{ matrix.language }} - name: Build Driver shell: cmd run: build\build_zdriver.cmd - name: Build Release shell: cmd run: build\build_release.cmd - name: Perform CodeQL analysis uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: category: '/language:${{ matrix.language }}' output: sarif-results upload: never - name: Filter CodeQL Results uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # 1.0.1 with: input: sarif-results/cpp.sarif output: sarif-results/filtered.sarif patterns: | packages/**/* tools/CustomBuildTool/generated/**/* tools/CustomBuildTool/obj/**/* tools/thirdparty/**/* - name: Upload CodeQL Results uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: sarif_file: sarif-results/filtered.sarif analyze_csharp: name: analyze-tools runs-on: windows-2025 permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: ['csharp'] steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1 with: fetch-depth: 0 - name: Nuget Cache uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # 5.0.0 with: path: packages key: nuget-${{ runner.os }}-${{ hashFiles('**/packages.config') }} restore-keys: nuget-${{ runner.os }}- - name: Nuget Restore shell: cmd run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Initialize CodeQL uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: languages: ${{ matrix.language }} - name: Build Tools shell: cmd run: build\build_tools.cmd - name: Perform CodeQL analysis uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: category: '/language:${{ matrix.language }}' output: sarif-results upload: never - name: Filter CodeQL Results uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # 1.0.1 with: input: sarif-results/csharp.sarif output: sarif-results/filtered.sarif patterns: | packages/**/* tools/CustomBuildTool/generated/**/* tools/CustomBuildTool/obj/**/* tools/thirdparty/**/* - name: Upload CodeQL Results uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # 4.31.7 with: sarif_file: sarif-results/filtered.sarif ================================================ FILE: .gitignore ================================================ ################# ## Visual Studio ################# # User-specific files *.suo *.user *.key *.sig *.orig # Build results *.exe *.sys *.dll *.lib *.appx *.appxbundle *.cer *.ilk *.meta *.obj *.pch *.pdb *.pfx *.pgc *.pgd *.pvk *.res *.rsp *.sbr *.tlb *.tli *.tlh *.tlog *.tmp *.vspscc *_i.c *_p.c *.bak # Visual C++ cache files *.aps *.idb *.ncb *.opendb *.opensdf *.sdf *.db # Visual Studio profiler *.psess *.vsp # ReSharper is a .NET coding add-in _ReSharper* # Click-Once directory publish # Others [Bb]in [Oo]bj *.Cache ~$* # Backup & report files _UpgradeReport_Files/ #Backup*/ UpgradeLog*.XML # Windows image file caches Thumbs.db # Folder config file Desktop.ini # Visual Studio files ipch/ .vs/ # VS Code files .vscode/* .vscode/settings.json !.vscode/launch.json !.vscode/tasks.json !.vscode/extensions.json *.code-workspace # NuGet Packages *.nupkg **/packages/ **/vcpkg_installed/ # CMake files **/.cmake/ **/CMakeCache.txt **/CMakeFiles/ # JSON Compilation Database **/compile_commands.json **/.cache/ # AI instructions and caches .github/copilot-instructions.md .clinerules memory-bank/ ########################## ## Project specific rules ########################## **/bin/ **/out/ build/output/ plugins-extra/ sdk/ target/ tools/thirdparty/vcpkg_installed/* bin-cmake/ build-*/ !KSystemInformer/bin-signed/*/ksi.dll !KSystemInformer/bin-signed/*/ksi.pdb !KSystemInformer/bin-signed/*/systeminformer.sys !KSystemInformer/bin-signed/*/systeminformer.pdb !tools/CustomSignTool/bin/Release*/CustomSignTool.exe !tools/fixlib/bin/Release/fixlib.exe ================================================ FILE: .vscode/launch.json ================================================ { "version": "0.2.0", "configurations": [ { "name": "Launch SystemInformer (Debug64)", "type": "cppvsdbg", "request": "launch", "program": "${workspaceFolder}/bin/Debug64/SystemInformer.exe", "args": [], "stopAtEntry": false, "cwd": "${workspaceFolder}", "environment": [], "console": "integratedTerminal" }, { "name": "Attach to Process", "type": "cppvsdbg", "request": "attach", "processId": "${command:pickProcess}" } ] } ================================================ FILE: .vscode/tasks.json ================================================ { "version": "2.0.0", "tasks": [ { "label": "Build SystemInformer (Debug64)", "type": "shell", "command": "msbuild", "args": [ "${workspaceFolder}/SystemInformer.sln", "/p:Configuration=Debug", "/p:Platform=x64", "/t:Rebuild", "/m" ], "group": { "kind": "build", "isDefault": true }, "problemMatcher": "$msCompile" }, { "label": "Build Plugins (Debug64)", "type": "shell", "command": "msbuild", "args": [ "${workspaceFolder}/Plugins/Plugins.sln", "/p:Configuration=Debug", "/p:Platform=x64", "/t:Rebuild", "/m" ], "group": { "kind": "build", "isDefault": true }, "problemMatcher": "$msCompile" }, { "label": "Build ThirdParty (Debug64)", "type": "shell", "command": "msbuild", "args": [ "${workspaceFolder}/tools/thirdparty/thirdparty.sln", "/p:Configuration=Debug", "/p:Platform=x64", "/t:Rebuild", "/m" ], "group": { "kind": "build", "isDefault": true }, "problemMatcher": "$msCompile" }, { "label": "Build SystemInformer (kernel driver) (Debug64)", "type": "shell", "command": "msbuild", "args": [ "${workspaceFolder}/KSystemInformer/KSystemInformer.sln", "/p:Configuration=Debug", "/p:Platform=x64", "/t:Rebuild", "/m" ], "options": { "env": { "KSI_NO_WPP": "1" } }, "group": { "kind": "build", "isDefault": true }, "problemMatcher": "$msCompile" }, { "label": "Build Initialize (Debug64)", "type": "shell", "command": "${workspaceFolder}/build/build_init.cmd", "group": { "kind": "build", "isDefault": true }, }, { "label": "Build devenv [CMD] (Debug64)", "type": "shell", "command": "${workspaceFolder}/build/build_devenv.cmd", "group": { "kind": "build", } }, { "label": "Build prefast [CMD] (Debug64)", "type": "shell", "command": "${workspaceFolder}/build/build_zdriver.cmd", "args": [ "debug", "rebuild", "prefast" ], "options": { "env": { "KSI_NO_WPP": "1" } }, "group": { "kind": "build", } } ] } ================================================ FILE: .vsconfig ================================================ { "version": "1.0", "components": [ "Microsoft.Component.MSBuild", "Microsoft.VisualStudio.Component.Git", "Microsoft.VisualStudio.Component.VC.Redist.14.Latest", "Microsoft.VisualStudio.Component.VC.Tools.x86.x64", "Microsoft.VisualStudio.Component.VC.Tools.ARM64", "Microsoft.VisualStudio.Component.VC.Runtimes.x86.x64.Spectre", "Microsoft.VisualStudio.Component.VC.Runtimes.ARM64.Spectre", "Microsoft.VisualStudio.Component.NuGet.BuildTools", "Microsoft.VisualStudio.Workload.NativeDesktop" ], "extensions": [] } ================================================ FILE: CHANGELOG.txt ================================================ Process Hacker 3.0 * HIGHLIGHTS: * New Process Hacker setup. * New process properties handle search. * Added F11 hotkey for fullscreen System Information window. * OTHER CHANGES: * Updated Updater plugin: * New design and layout. * Updated WindowExplorer plugin: * Added Windows process properties page. * NOTE: * Support for Windows XP and Vista has been dropped. For those platforms, use Process Hacker 2.38. * This release has significant internal code changes. Please make sure all plugins are up-to-date. 2.39 * HIGHLIGHTS: * Improved compatibility with security and anti-cheat software * Added ability to edit process environment variables * Fixed .NET process detection * OTHER CHANGES: * Improved tooltip information for dllhost.exe * Removed Terminator * Updated DotNetTools plugin: * Fixed .NET assembly tab performance issues * Added extra .NET memory counters to the .NET performance tab * Added "Show sizes in bytes" checkbox to the .NET performance tab * Added right-click menu to the .NET assembly tab * Updated ExtendedTools plugin: * Fixed "No process" disk event bug * Updated HardwareDevices plugin: * Fixed incorrect drive letters * Fixed drive letter and panel clipping issue 2.38 * HIGHLIGHTS: * Added labels to indicate the maximum data point in each I/O graph * Graph grids now scale correctly when resized * Improved high DPI scaling * Added exploit mitigation policy information to process properties (Windows 8 and above) * Added File modified time and File size columns for processes and modules * Added Key modified time column for services * Clicking a tray icon now shows the pop-up UI (useful for touch-enabled devices) * The NetAdapters plugin has been renamed to HardwareDevices * This plugin shows network adapter and disk drive graphs * If you are manually upgrading, please delete NetAdapters.dll from the plugins folder * Updated UserNotes plugin: * Added "Collapse by default" option for processes * OTHER CHANGES: * Added "Start when I log on" option * Added "Not responding" text to tray icon rich pop-up for programs that are hung * Added right-click menu and double-click action for environment variables * Added dialog box to show long command line strings * Added Time stamp column for processes * Added -sysinfo command line parameter for opening System Information at startup * Added 32x32 icons for high DPI displays * Digital signature verification is now performed with very low I/O priority * Improved performance when handling a large number of threads, modules or handles * The pop-up UI no longer displays when double-clicking the tray icon * Fixed ASLR state being shown as N/A in process properties * Fixed multi monitor window placement bug * Fixed handle enumeration bug affecting processes with PID >= 65536 * Fixed Interrupts being missing from the max CPU usage history * Updated ToolStatus plugin: * Added 32x32 icons for high DPI displays * Fixed status bar crash * NOTE: * This release has significant internal code changes. Please make sure all plugins are up-to-date. 2.37 * HIGHLIGHTS: * Updated for Windows 10 * The "Include CPU (and other) usage of children in collapsed processes" option now aggregates memory and I/O statistics * Added regex search to "Find Handles or DLLs" * Added process exit codes to log * Fixed crash that occurred under some conditions when processes terminated * OTHER CHANGES: * Added warning when trying to search for handles when the system has too many handles open * Upgraded to PCRE2 * Updated DotNetTools plugin: * Rewrite of .NET Performance statistics and AppDomain enumeration * Updated OnlineChecks plugin: * Fixed virusscan.jotti.org uploader * Updated NetAdapters plugin: * Added adapter details window * Updated ToolStatus plugin: * Added CPU, Memory and I/O graphs to the toolbar (not enabled by default) * Added toolbar and status bar customization, as well as a new theme * Added option to auto-hide the main menu * Updated UserNotes plugin: * Added individual process highlighting support 2.36 * HIGHLIGHTS: * New rich pop-up UI when hovering the cursor over a tray icon, showing the most active processes * Completely new Memory tab for processes, with heap, stack and working set usage * Process Hacker now takes 32-bit dumps of 32-bit processes on 64-bit Windows * NOTE: When using the portable (.zip) release, the entire archive must be extracted * Updated DotNetTools plugin: * Process Hacker now displays managed stack traces for 32-bit .NET processes on 64-bit Windows * Fixed inaccurate stack traces when clicking Refresh * Added AppDomain column for threads in .NET programs * OTHER CHANGES: * Added customizable bytes per row setting for memory editor * Dramatically faster handle listing and search when running without administrative privileges * Improved accuracy and speed of symbol resolution, especially when new modules are loaded * Added trigger and delayed start information to service list * Added file information to service list tooltips * Balloon tips for process/service notifications are now clickable * Added handle names for unnamed File objects * Added I/O Priority to tray icon process menu * Added warning for users who attempt to start the 32-bit version on 64-bit Windows * Updated ExtendedServices plugin: * Added service protection and SID information * Added auto-elevation when saving recovery information, triggers and other service settings * Updated ExtendedTools plugin: * Added tray icon mini info window support * Improved automatic GPU node selection * Updated UserNotes plugin: * Added tray icon mini info window support * Fixed a bug in phsvc that caused hangs when automatically elevating actions * Fixed hang when viewing handle security for certain File objects * Fixed lack of information on startup when using slower refresh intervals * Fixed Read/Write Address crash * Fixed service non-polling mode on Windows 8 and above * Fixed file dialog crash in Windows PE environments * Fixed string scanning false positive case * Fixed process window detection for Modern UI apps * Fixed handle list selection bug when disabling "Hide unnamed handles" * NOTE: * This release has significant internal code changes. Please make sure all plugins are up-to-date. 2.35 * NEW/IMPROVED: * Added Load Time and Load Reason columns for modules (Windows 8 and above) * Added handle names for Job and Section objects * Added Read/Write Memory for Section objects (in process Handles tab) * Added CF Guard (Control Flow Guard) column for processes and modules * Added highlighting for AppContainer DLLs * Added AppContainer and CF Guard image characteristics to peview * Added Open Key and Open File Location menu items for services * Set priority and I/O priority for multiple processes at once * Support for up to 64 processors when setting process/thread affinity * Updated ExtendedTools plugin: * Added Disk and Network graphs for all processes * Updated UserNotes plugin: * Added ability to save I/O priority * FIXED: * Fixed memory editor copy bug 2.34 * NEW/IMPROVED: * Proper Unicode support * CPU and GPU graphs are displayed in a grid now (thanks pavel_kv!) * Start Task Manager now elevates when necessary * Better names for memory regions in Memory tab (for PEBs, TEBs, thread stacks) * Added tooltip information for user-mode driver framework (UMDF) host processes * Added option to reduce row height (set ThinRows to 1 in settings.xml) * Added NetAdapters plugin: adds graphs for selected network adapters to the System Information window * Updated ExtendedTools plugin: * Added GPU graphs for all processes * Can now use the search box in the Disk tab * Improved kernel logger handling * FIXED: * Fixed touch scrolling * Fixed EtwRegistration object names for 64-bit Windows 8.1 * Fixed tray icons being clipped in high DPI environments * Fixed crash in memory editor * Fixed multi monitor window placement bug 2.33 * NEW/IMPROVED: * View digital signature information from process properties and peview * Signatures for Windows 8 apps are now detected * Improved file, key, process and thread handle properties * Added DPI Awareness column * Added new Windows 8.1 process protection information * KProcessHacker is no longer needed for highlighting of GUI threads * Added suspend count for threads on Windows 8.1 * Updated DotNetTools plugin: * Improved .NET assembly enumeration timeout handling * FIXED: * Service start type and error control are never updated if modified outside of Process Hacker 2.32 * NOTE: * All executable files are now signed. * NEW/IMPROVED: * Updated for Windows 8.1 * Added progress display for thread stacks * Updated ExtendedServices plugin: * Added new trigger data types * Updated NetworkTools plugin: * Updated UI * Updated OnlineChecks plugin: * Added file analyzed prompt * FIXED: * Fixed handling of long symbol names * Fixed Run As preventing Windows 8 apps from starting * Fixed console host information for Windows 8.1 * Fixed reflected processes not terminating on Windows 8.1 * Fixed CPU frequency on Windows 8.1 2.31 * NEW/IMPROVED: * Updated ExtendedServices plugin: * Fixed some bugs relating to Windows 8 * Updated OnlineChecks plugin: * Added upload progress * Updated UserNotes plugin: * Fixed bug where process priorities were not actually saved * FIXED: * Fixed module list not updating properly * DLL enumeration crash 2.30 * NEW/IMPROVED: * Added "Icon click toggles visibility" option * Re-enabled powerful process termination on 32-bit Windows 8 * Updated UserNotes plugin: * Added ability to save process priority * Added "Only for processes with the same command line" option for process comments * FIXED: * Fixed crash on CPUs without SSE2 2.29 * NEW/IMPROVED: * Added App ID column for processes * Added new ASLR information for Windows 8 * Added Restart to Boot Options and Hybrid Shutdown menu items for Windows 8 * Added ability to specify processes by their names and inject and unload DLLs in command line * Removed 512 character limit when copying text * Moved Terminator to Miscellaneous menu * Updated default dbghelp.dll path for Windows SDK v8 * Updated ExtendedServices plugin: * Added new triggers for Windows 8 * Fixed bug when restarting services * Updated ExtendedTools plugin: * Improved support for multiple GPUs (again) * GPU column now respects "Include CPU usage of children" option * Updated ToolStatus plugin: * Fixed search box fonts * Fixed controls not being properly hidden/removed from the window when disabled * Updated WindowExplorer plugin: * Fixed window list not displaying Modern UI windows * FIXED: * Fixed Load Count column sorting bug * Fixed signature verification on Windows 8 * Fixed task scheduler information on Windows 8 * Fixed drag bug in tree list * Fixed KProcessHacker bug affecting TmTx objects * Fixed Run As feature on Windows 8 * Fixed bug where -settings parameter is not propagated * Fixed tab key behavior on main window * Fixed recognition of Modern UI windows 2.28 * NEW/IMPROVED: * peview now resolves .lnk targets * Fixed Ctrl+A for processes, services and network connections and added Ctrl+A for other windows * Changed confirmation prompts to select the destructive action by default * Updated DotNetTools plugin: * Fixed inaccurate stack traces for certain .NET programs * Updated ExtendedTools plugin: * Fixed network graph scaling * Updated ToolStatus plugin: * Added search box * Updated Updater plugin * FIXED: * Fixed Verification Status column sorting bug in module list * Fixed rare System Information crash * Fixed bug in opening process handles * Fixed freezing when viewing stack traces of certain system threads 2.27 * NEW/IMPROVED: * Updated OnlineChecks plugin: * 2012-01-16: Updated VirusTotal uploader and added hash checking * FIXED: * Fixed Description column sorting bug * Fixed notification icon bug 2.26 * NEW/IMPROVED: * Added option to show Commit Charge in system information summary view * Added -priority and -selectpid command line options * Updated ExtendedTools plugin: * Improved support for multiple GPUs * FIXED: * Fixed 100% CPU when starting on some machines 2.25 * NEW/IMPROVED: * Improved CPU frequency calculation * Updated ExtendedTools plugin: * Added GPU node selection * Fixed incorrect GPU usage calculation * FIXED: * Graph tooltip position with large cursors * Fixed .NET process detection * Fixed incorrect values in Bits column 2.24 * NOTE: * This release has significant internal code changes. Please make sure all plugins are up-to-date. * NEW/IMPROVED: * Completely new system information window * Added option to scroll to new processes * Added option to hide driver services * Added menu item to copy individual cells * Improved module scanning * Added Start Task Manager menu item * Added Image base to peview * Updated ExtendedTools plugin: * Added support for new system information window * Added Disk, Network and GPU tray icons * Added support for custom fonts in the Disk tab * Updated Updater plugin: * Added download speed * Added remaining time * FIXED: * Fixed retrieval of version information for certain files * Fixed driver file names on Windows XP * Fixed Run As Administrator when used with complex commands 2.23 * NEW/IMPROVED: * Added display of token capabilities, user/device claims and security attributes * Added ability to change token integrity levels * Added Description column to service list * Added option to reset all settings * Made grid color darker * Enabled multi-selection in the hidden processes window * Added UserNotes plugin * Updated ExtendedNotifications plugin: * Added Growl support * Updated ExtendedTools plugin: * Added GPU monitoring * Added rate columns for disk and network I/O * FIXED: * Fixed copying lists when plugin columns are enabled * Freezing when viewing the tooltip for a process with a very long command line * Disabled Hidden Processes feature on 64-bit systems 2.22 * NEW/IMPROVED: * Added highlighting for metro style apps * Added Package Name column * Added package name to process tooltip * Improved .NET process detection * Updated OS Context column for Windows 8 * Updated ExtendedTools plugin: * Updated disk monitoring for Windows 8 * Updated memory list information for Windows 8 * Updated WindowExplorer plugin: * Fixed hook support for low integrity processes * FIXED: * Fixed memory leaks * Fixed bug preventing Interrupts/DPCs from being shown as the max. CPU process on 64-bit systems * Fixed DEP Status column on 64-bit systems 2.21 * NEW/IMPROVED: * Added Private Bytes Delta, ASLR and Subsystem columns * Added ASLR and Time Stamp columns to modules list * Added check for debugger in Terminator * FIXED: * Fixed Show CPU Below 0.01 not respecting locale * Fixed copying from network list 2.20 * NEW/IMPROVED: * Added support for managed thread stacks on x64 * Added column selection for handle list * Added CPU column to threads list * Improved module detection * Added Ideal Processor to Threads tab * Added pool usage and minimum/maximum working set columns * Implemented Properties button for Thread handles * Set descending sort as the default for most numeric columns * Extended header context menu * Removed tooltip text truncation * Improved cycle-based CPU usage calculation * Set default KProcessHacker security level to only allow connections when Process Hacker is running as administrator. See README.txt for instructions on how to restore the old behavior. * Added Updater plugin * Updated DotNetTools plugin: * Added managed symbol resolution for thread stacks * Updated ExtendedTools plugin: * Added Disk tab * Added Hard Faults, Hard Faults Delta and Peak Threads columns to process tree list * Added Firewall Status column * FIXED: * Fixed file name resolution bug * Save settings on shutdown/logoff * Fixed state highlighting bug * Fixed command line propagation for -elevate * Fixed tree list mouse wheel handling * Fixed saving network list 2.19 * NEW/IMPROVED: * Added cycle-based CPU usage for Windows 7 * Added Show CPU Below 0.01 * Added OS Context column * Rewrote graph drawing code for improved performance * Optimized retrieval of cycle time and private working set information for Windows 7 * Added Open File Location to process context menu and reorganized some items * Added checkboxes to Terminator * FIXED: * Crash when sorting by Time Stamp * GDI handle leak in drag selection 2.18 * NEW/IMPROVED: * Completely rewritten tree list control: * Process Name column is now fixed to the left * Tooltips for column headers * Improved performance * Bug fixes * Added more process tree list columns * Added Time stamp column to network list * Date/time display is now swapped (so time is shown before date) * Added W3 terminator test * Added DotNetTools plugin * Updated ExtendedServices plugin: * Disabled editing of required privileges for drivers * Updated ExtendedTools plugin: * Added ETW columns for processes and network connections * Updated OnlineChecks plugin: * Added Comodo Instant Malware Analysis * Updated WindowExplorer plugin: * Fixed hook bugs * FIXED: * Fixed Run As This User * Verification Status sorting 2.17 * NEW/IMPROVED: * Added support for setting page priority * Added elevation support for setting priority * Added support for automatically using a settings file in the program directory (e.g. ProcessHacker.exe.settings.xml) * Improved Run As mechanism * Updated ExtendedServices plugin: * Added support for editing triggers * Added support for editing preshutdown time-out * Added support for editing required privileges * Added elevation support for restarting services * Updated WindowExplorer plugin: * Added more window properties * FIXED: * Handle leak 2.16 * NEW/IMPROVED: * Updated WindowExplorer plugin * PE viewer: Added version string to CLR tab * PE viewer: Added display of delay imports * PE viewer: Added Load Config tab * Improved wait analysis * Added arrows to the service list to indicate whether a service is running * FIXED: * Fixed the IPv6-related workaround causing crashes * Incorrect handling of window positions 2.15 * NEW/IMPROVED: * Updated ExtendedServices plugin * Updated ToolStatus plugin * Added DEP Status column * Improved User Name column * FIXED: * Image file versions * Workaround for an IPv6-related bug in Windows XP * DPCs and Interrupts in System Information tooltips * File dialog crash on Windows XP * ExtendedTools plugin: WS Watch refresh bug 2.14 * NEW/IMPROVED: * ExtendedServices plugin: Option to add a Services menu for processes * Command line support for setting process priority and I/O priority * Improved termination of explorer.exe * FIXED: * Icon should restore the main window if it is minimized * System Information window crashes * Hide Processes From Other Users and Hide Signed Processes settings are now saved * Font selection on Windows XP * ToolStatus plugin: Always on Top status being reset by Find Window * Service-related crashes * WindowExplorer plugin: sorting in tree list * Process minidump creation with old versions of dbghelp.dll 2.13 * NEW/IMPROVED: * Added copy support to PE viewer * Added Connect Time, Disconnect Time and Last Input Time to session properties * Added more working set counters to the Statistics tab * FIXED: * Column sort arrows * CPU usage calculations 2.12 * NEW/IMPROVED: * Updated KProcessHacker for Windows 7 SP1 * Added elevation support for more actions * Added ability to disable plugins * Updated ToolStatus plugin * Added Remote Control for sessions * More command line options * FIXED: * Memory leaks * Run As issues with different sessions 2.11 * NEW/IMPROVED: * Added WS Watch and other features to ExtendedTools plugin * Added WindowExplorer plugin * Properties for hidden processes * Improved menus * Debug console can now be closed without affecting the entire program * FIXED: * Always on Top issues * Hang when setting DEP status of a terminating process * Encoding bug in NetworkTools plugin * LSA interfacing issues * Creating dumps of self 2.10 * NEW/IMPROVED: * KProcessHacker is now signed, so it works on 64-bit systems. Thank you to the ReactOS Foundation. * Added Run As Limited User * Added CPU, private bytes and I/O history columns * Added font selection * Slightly improved highlighting configuration * FIXED: * High DPI support * Multi-monitor support in graph tooltips * DEP status retrieval * ExtendedTools plugin crash * Notification icon menu crash * Memory leaks * Other small bug fixes 2.9 * NEW/IMPROVED: * Added column selection for modules list * Added wait analysis for 64-bit systems * Added signature verification for modules * Added ExtendedTools plugin (Vista and above only) with Disk and Network information * Updated ExtendedNotifications plugin: added ability to log events to a file * Updated ExtendedServices plugin: new tab on Vista and above * Updated ToolStatus plugin: resolves ghost windows to hung windows * Environment variables and current directory are now correctly shown for WOW64 processes * I/O priority names are now used instead of numbers * FIXED: * Network list bug * Memory leaks 2.8 * NEW/IMPROVED: * Better service list (including column selection) * Added Peak Handles * Process tree sorting is now preserved * Save works for services and network connections * Pausing now works correctly with the Network tab * Added option to display inclusive CPU usages for collapsed processes * Added CLR tab to peview * Added ability to destroy heaps * Improved process tree list appearance * Certain command line parameters are now propagated * FIXED: * Icon handling bugs * Memory leaks * Extended tooltips for WOW64 processes 2.7 * NEW/IMPROVED: * Vastly improved startup time and lower memory usage * Added Cycles and Cycles Delta columns * Added option to disable address resolution for network connections * Added Logon Time to session properties * Added time stamp display to peview * FIXED: * ToolStatus layout problems * .NET highlighting crashes * Run As on Windows XP 2.6 * NEW/IMPROVED: * Sorting for most lists is now much faster * Hide Signed Processes option * Added plugin for uploading files to online virus scanners * Added Network tools plugin * Updated ExtendedServices plugin * PE viewer now verifies checksums * Performance improvements * FIXED: * Fixed service handle leak 2.5 * NEW/IMPROVED: * Unmap section views in Memory tab * Plugin for extended service information (including recovery information, dependencies and dependents) * FIXED: * Critical bug for file dialogs on Windows XP * Esc couldn't close Service Properties on open * Small bug fixes 2.4 * NEW/IMPROVED: * Better Run As behaviour * Show Processes From All Users option * Can now unmap section views * Control over thread affinity * Window Title and Window Status columns * Plugin for filtering notifications * Plugin for toolbar and status bar * Performance improvements * FIXED: * Memory leak * SbieSupport plugin on 64-bit * Crash when running under certain conditions * Memory case-insensitive filter * Process parent association bug * REMOVED: * Process database 2.3 * NEW/IMPROVED: * Can add processes to jobs * Double-clicking in the system information graphs now opens information for the relevant process * Setting I/O priority doesn't need KProcessHacker anymore * Elevation for certain actions * FIXED: * HKCU key name resolution * Network connection host resolution * Information window resizing * Log clearing 2.2 * NEW/IMPROVED: * Plugins support * Can now unload 32-bit modules on 64-bit systems * Tasks are shown in tooltips for taskeng.exe/taskhost.exe processes * Run As can now start processes elevated * Handle count by type * Process priorities in notification icon menu * CSV export * Relative start times * FIXED: * Run and Run As shortcuts * Command line handling * Process tree selection 2.1 * NEW/IMPROVED: * Add Pause key shortcut to pause/resume updates * Added Ctrl+Tab and Ctrl+Shift+Tab shortcuts * Grid is a bit darker * Checks for digital signatures and packing is now off by default and optional * FIXED: * MD5 calculation code for files was wrong * Process record bugs 2.0 * First release in the Process Hacker 2.x branch. ================================================ FILE: CLA.md ================================================ # Contribution License Agreement This Contribution License Agreement (“Agreement”) is agreed to by the party signing (“You”), and conveys certain license rights to Winsider Seminars & Solutions, Inc. and its affiliates (“Winsiderss”) for Your contributions to Winsider Seminars & Solutions, Inc. open source projects. This Agreement is effective as of the latest signature date. 1. **Definitions**. “**Code**” means the computer software code, whether in human-readable or machine-executable form, that is delivered by You to Winsider Seminars & Solutions, Inc. under this Agreement. “**Project**” means the System Informer project owned or managed by Winsider Seminars & Solutions, Inc. and offered under the terms of the following license(s) MIT (including any right to adopt any future version of a license if permitted). “**Submit**” is the act of uploading, submitting, transmitting, or distributing code or other content to any Project, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Project for the purpose of discussing and improving that Project, but excluding communication that is conspicuously marked or otherwise designated in writing by You as “Not a Submission.” “**Submission**” means the Code and any other copyrightable material Submitted by You, including any associated comments and documentation. 2. **Your Submission**. You must agree to the terms of this Agreement before making a Submission to any Project. This Agreement covers any and all Submissions that You, now or in the future (except as described in Section 4 below), Submit to any Project. 3. **Originality of Work**. You represent that each of Your Submissions is entirely Your original work. Should You wish to Submit materials that are not Your original work, You may Submit them separately to the Project if You (a) retain all copyright and license information that was in the materials as You received them, (b) in the description accompanying Your Submission, include the phrase “Submission containing materials of a third party:” followed by the names of the third party and any licenses or other restrictions of which You are aware, and (c) follow any other instructions in the Project’s written guidelines concerning Submissions. 4. **Your Employer**. References to “employer” in this Agreement include Your employer or anyone else for whom You are acting in making Your Submission, e.g. as a contractor, vendor, or agent. If Your Submission is made in the course of Your work for an employer or Your employer has intellectual property rights in Your Submission by contract or applicable law, You must secure permission from Your employer to make the Submission before signing this Agreement. In that case, the term “You” in this Agreement will refer to You and the employer collectively. If You change employers in the future and desire to Submit additional Submissions for the new employer, then You agree to sign a new Agreement and secure permission from the new employer before Submitting those Submissions. 5. **Licenses**. - **Copyright License**. You grant Winsider Seminars & Solutions, Inc., and those who receive the Submission directly or indirectly from Winsider Seminars & Solutions, Inc., a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license in the Submission to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute the Submission and such derivative works, and to sublicense any or all of the foregoing rights to third parties. - **Patent License**. You grant Winsider Seminars & Solutions, Inc., and those who receive the Submission directly or indirectly from Winsider Seminars & Solutions, Inc., a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license under Your patent claims that are necessarily infringed by the Submission or the combination of the Submission with the Project to which it was Submitted to make, have made, use, offer to sell, sell and import or otherwise dispose of the Submission alone or with the Project. - **Other Rights Reserved**. Each party reserves all rights not expressly granted in this Agreement. No additional licenses or rights whatsoever (including, without limitation, any implied licenses) are granted by implication, exhaustion, estoppel or otherwise. 6. **Representations and Warranties**. You represent that You are legally entitled to grant the above licenses. You represent that each of Your Submissions is entirely Your original work (except as You may have disclosed under Section 3). You represent that You have secured permission from Your employer to make the Submission in cases where Your Submission is made in the course of Your work for Your employer or Your employer has intellectual property rights in Your Submission by contract or applicable law. If You are signing this Agreement on behalf of Your employer, You represent and warrant that You have the necessary authority to bind the listed employer to the obligations contained in this Agreement. You are not expected to provide support for Your Submission, unless You choose to do so. UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING, AND EXCEPT FOR THE WARRANTIES EXPRESSLY STATED IN SECTIONS 3, 4, AND 6, THE SUBMISSION PROVIDED UNDER THIS AGREEMENT IS PROVIDED WITHOUT WARRANTY OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. 7. **Notice to Winsider Seminars & Solutions, Inc.**. You agree to notify Winsider Seminars & Solutions, Inc. in writing of any facts or circumstances of which You later become aware that would make Your representations in this Agreement inaccurate in any respect. 8. **Information about Submissions**. You agree that contributions to Projects and information about contributions may be maintained indefinitely and disclosed publicly, including Your name and other information that You submit with Your Submission. 9. **Governing Law/Jurisdiction**. This Agreement and all disputes, claims, actions, suits or other proceedings arising out of this agreement or relating in any way to it shall be governed by the laws of Quebec, Canada excluding its private international law provisions. 10. **Entire Agreement/Assignment**. This Agreement is the entire agreement between the parties, and supersedes any and all prior agreements, understandings or communications, written or oral, between the parties relating to the subject matter hereof. This Agreement may be assigned by Winsider Seminars & Solutions, Inc.. ================================================ FILE: CMakeLists.txt ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # cmake_minimum_required(VERSION 3.30.0 FATAL_ERROR) project(SystemInformer) set(SI_ROOT ${CMAKE_CURRENT_SOURCE_DIR}) list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake) include(commands) set(CMAKE_CONFIGURATION_TYPES "Debug;Release" CACHE STRING "" FORCE) # TODO change this to bin once we fully transition to cmake # set up to allow user to disable with "" or "OFF" set(SI_OUTPUT_DIR "${SI_ROOT}/bin-cmake" CACHE PATH "Output directory") option(SI_WITH_CORE "Configure core projects" ON) option(SI_WITH_PLUGINS "Configure plugin projects" OFF) option(SI_WITH_KERNEL "Configure kernel projects" OFF) option(SI_WITH_PREFAST "Enables prefast analysis" OFF) option(SI_WITH_WPP_USER "Enables user mode WPP trace" OFF) option(SI_WITH_WPP_KERNEL "Enables kernel mode WPP trace" ON) if (MSVC_NOT_CLANG AND CMAKE_BUILD_TYPE STREQUAL "Release") add_compile_options(/d1trimfile:${SI_ROOT}) endif() if(SI_WITH_CORE) add_subdirectory(SystemInformer) add_subdirectory(phnt) add_subdirectory(phlib) add_subdirectory(tools) endif() if(SI_WITH_KERNEL) message(FATAL_ERROR "Kernel mode projects are not supported") add_subdirectory(KSystemInformer) endif() if(SI_WITH_PLUGINS) add_subdirectory(plugins) endif() if(SI_WITH_CORE OR SI_WITH_KERNEL) add_subdirectory(kphlib) endif() ================================================ FILE: CODE_OF_CONDUCT.md ================================================ # Contributor Covenant Code of Conduct ## Our Pledge In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. ## Our Standards Examples of behavior that contributes to creating a positive environment include: * Using welcoming and inclusive language * Being respectful of differing viewpoints and experiences * Gracefully accepting constructive criticism * Focusing on what is best for the community * Showing empathy towards other community members Examples of unacceptable behavior by participants include: * The use of sexualized language or imagery and unwelcome sexual attention or advances * Trolling, insulting/derogatory comments, and personal or political attacks * Public or private harassment * Publishing others' private information, such as a physical or electronic address, without explicit permission * Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. ## Scope This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at dmex04@gmail.com and johnny.shaw@live.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. ## Attribution This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html [homepage]: https://www.contributor-covenant.org For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq ================================================ FILE: CONTRIBUTING.md ================================================ # Contribution Guidelines ================================================ FILE: COPYRIGHT.txt ================================================ == System Informer == System Informer is licensed. A full copy of the license is provided in LICENSE.txt. Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. == Mini-XML == System Informer uses Mini-XML licensed under the following terms: The Mini-XML library and included programs are provided under the terms of the GNU Library General Public License (LGPL) with the following exceptions: 1. Static linking of applications to the Mini-XML library does not constitute a derivative work and does not require the author to provide source code for the application, use the shared Mini-XML libraries, or link their applications against a user-supplied version of Mini-XML. If you link the application to a modified version of Mini-XML, then the changes to Mini-XML must be provided under the terms of the LGPL in sections 1, 2, and 4. 2. You do not have to provide a copy of the Mini-XML license with programs that are linked to the Mini-XML library, nor do you have to identify the Mini-XML license in your program or documentation as required by section 6 of the LGPL. == PCRE == System Informer uses Perl-Compatible Regular Expressions licensed under the following terms: PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 8 of PCRE is distributed under the terms of the "BSD" licence, as specified below. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the University of Cambridge nor the name of Google Inc. nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. == MD5 == System Informer uses a MD5 implementation licensed under the following terms: MD5 hash implementation and interface functions Copyright (c) 2003-2005, Jouni Malinen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. == SHA == System Informer uses a SHA implementation licensed under the following terms: Copyright 2004 Filip Navara Based on public domain SHA code by Steve Reid This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA == Natural order string comparison == System Informer uses "strnatcmp.c" licensed under the following terms: strnatcmp.c -- Perform 'natural order' comparisons of strings in C. Copyright (C) 2000, 2004 by Martin Pool This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. This code has been modified for System Informer. ================================================ FILE: Common.Kernel.props ================================================ true WDM $(ProjectDir)$(ProjectName)\obj\ WindowsKernelModeDriver10.0 false Off $(LatestTargetPlatformVersion) Unicode Spectre Windows10 <_NT_TARGET_VERSION Condition="'$(Platform)'=='x64'">0x0A00 <_NT_TARGET_VERSION Condition="'$(Platform)'=='ARM64'">0xA000004 true true false false false true $(SystemInformerRoot)\Common.Kernel.ruleset DbgengKernelDebugger false $(CRT_IncludePath);$(KM_IncludePath);$(KIT_SHARED_IncludePath) %(AdditionalIncludeDirectories);$(SystemInformerRoot)phnt\include\ %(AdditionalIncludeDirectories);$(SystemInformerRoot)kphlib\include\ %(AdditionalIncludeDirectories);$(ProjectDir)include\ /kernel /utf-8 /INTEGRITYCHECK /d1nodatetime %(AdditionalOptions) /d2guardretpoline %(AdditionalOptions) StdCall true Guard ProgramDatabase 4201 true true stdcpp20 stdc17 true POOL_NX_OPTIN;POOL_ZERO_DOWN_LEVEL_SUPPORT;%(PreprocessorDefinitions) _WIN64;%(PreprocessorDefinitions) _AMD64_;AMD64;%(PreprocessorDefinitions) _ARM64_;ARM64;%(PreprocessorDefinitions) _DEBUG;DEBUG;%(PreprocessorDefinitions) true true true Level4 Speed AnySuitable true MaxSpeed %(AdditionalLibraryDirectories);$(OutDir) /INTEGRITYCHECK /DEPENDENTLOADFLAG:0x800 /FILEALIGN:0x1000 %(AdditionalOptions) /NATVIS:$(SystemInformerRoot)SystemInformer.natvis %(AdditionalOptions) /guard:retpoline %(AdditionalOptions) /BREPRO /NOVCFEATURE /NOCOFFGRPINFO %(AdditionalOptions) true UseLinkTimeCodeGeneration true true UseLinkTimeCodeGeneration true true /c 65001 %(AdditionalOptions) true tracewpp.exe $(TraceWppCmd) -km $(TraceWppCmd) -ext:.c.cpp.h.hpp $(TraceWppCmd) -preserveext:.c.cpp.h.hpp $(TraceWppCmd) -I"$(WindowsSdkDir)bin\$(TargetPlatformVersion)\WppConfig\Rev1" $(TraceWppCmd) -odir:"$(IntDir)tmh" $(TraceWppCmd) -scan:"$(SystemInformerRoot)KSystemInformer\include\trace.h" %(AdditionalIncludeDirectories);$(IntDir)tmh\ TMH_FILE=%(FileName)%(Extension).tmh;%(PreprocessorDefinitions) KSI_NO_WPP;%(PreprocessorDefinitions) ================================================ FILE: Common.Kernel.ruleset ================================================  ================================================ FILE: Common.User.props ================================================ true Level3 true false true stdcpplatest stdclatest true false false true true true $(LatestTargetPlatformVersion) true Windows true true true true 0x0009 /c 65001 %(AdditionalOptions) %(PreprocessorDefinitions);$(ExternalPreprocessorOptions) true tracewpp.exe $(TraceWppCmd) -um $(TraceWppCmd) -ext:.c.cpp.h.hpp $(TraceWppCmd) -preserveext:.c.cpp.h.hpp $(TraceWppCmd) -I"$(WindowsSdkDir)bin\$(TargetPlatformVersion)\WppConfig\Rev1" $(TraceWppCmd) -odir:"$(IntDir)tmh" $(TraceWppCmd) -scan:"$(SystemInformerRoot)phlib\include\trace.h" %(AdditionalIncludeDirectories);$(IntDir)tmh\ TMH_FILE=%(FileName)%(Extension).tmh;%(PreprocessorDefinitions) SI_NO_WPP;%(PreprocessorDefinitions) Unicode true v143 false true false Unicode true v143 false true false Unicode true v143 false true false Unicode false v143 Spectre false true Unicode false v143 Spectre false true Unicode false v143 Spectre false true /utf-8 /d1nodatetime %(AdditionalOptions) WIN32;DEBUG;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) EditAndContinue $(ExternalSimdOptions) Disabled MultiThreadedDebug StdCall Speed Precise true AnySuitable false true /BREPRO /DEBUGTYPE:CV,PDATA /DEPENDENTLOADFLAG:0x800 /FILEALIGN:0x1000 /NOOPTIDATA /BASERELOCCLUSTERING /NATVIS:$(MSBuildThisFileDirectory)\SystemInformer.natvis %(AdditionalOptions) $(ExternalLinkerOptions) invalidcontinue.obj;noarg.obj;noenv.obj;nothrownew.obj;%(AdditionalDependencies) 6.01 MachineX86 true true true true Default /utf-8 /d1nodatetime /d1import_no_registry /jumptablerdata %(AdditionalOptions) $(ExternalAdditionalOptions) WIN64;DEBUG;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) EditAndContinue $(ExternalSimdOptions) Disabled MultiThreadedDebug StdCall Speed Precise true AnySuitable false true /BREPRO /DEBUGTYPE:CV,PDATA /DEPENDENTLOADFLAG:0x800 /FILEALIGN:0x1000 /NOOPTIDATA /BASERELOCCLUSTERING /NATVIS:$(MSBuildThisFileDirectory)\SystemInformer.natvis %(AdditionalOptions) $(ExternalLinkerOptions) invalidcontinue.obj;noarg.obj;noenv.obj;nothrownew.obj;%(AdditionalDependencies) 6.01 MachineX64 true true true true Default /utf-8 /d1nodatetime /d1import_no_registry %(AdditionalOptions) WIN64;DEBUG;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) EditAndContinue $(ExternalSimdOptions) Disabled MultiThreadedDebug StdCall Speed Precise true AnySuitable false true true /BREPRO /DEBUGTYPE:CV,PDATA /DEPENDENTLOADFLAG:0x800 /FILEALIGN:0x1000 /NOOPTIDATA /BASERELOCCLUSTERING /NATVIS:$(MSBuildThisFileDirectory)\SystemInformer.natvis %(AdditionalOptions) $(ExternalLinkerOptions) invalidcontinue.obj;noarg.obj;noenv.obj;nothrownew.obj;%(AdditionalDependencies) 10 MachineARM64 true true true true Default /utf-8 /d1nodatetime /d1import_no_registry /d1trimfile:"$(MSBuildThisFileDirectory)\" %(AdditionalOptions) WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) ProgramDatabase MaxSpeed MultiThreaded StdCall Precise true true Spectre true AnySuitable true Speed Guard /BREPRO /DEBUGTYPE:CV,PDATA /DEPENDENTLOADFLAG:0x800 /PDBALTPATH:%_PDB% /FILEALIGN:0x1000 /NOOPTIDATA /NOVCFEATURE /NOCOFFGRPINFO /BASERELOCCLUSTERING %(AdditionalOptions) $(ExternalLinkerOptions) invalidcontinue.obj;noarg.obj;noenv.obj;nothrownew.obj;%(AdditionalDependencies) true 6.01 MachineX86 true true $(OutDir)$(TargetName)_stripped.pdb true true true true UseLinkTimeCodeGeneration /utf-8 /d1nodatetime /d1import_no_registry /guard:xfg /jumptablerdata /d1trimfile:"$(MSBuildThisFileDirectory)\" %(AdditionalOptions) WIN64;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) ProgramDatabase $(ExternalSimdOptions) MaxSpeed MultiThreaded StdCall Precise true true Spectre true true AnySuitable true Speed Guard /BREPRO /DEBUGTYPE:CV,PDATA /DEPENDENTLOADFLAG:0x800 /PDBALTPATH:%_PDB% /FILEALIGN:0x1000 /LTCG /GUARD:XFG /NOOPTIDATA /NOVCFEATURE /NOCOFFGRPINFO /BASERELOCCLUSTERING %(AdditionalOptions) $(ExternalLinkerOptions) invalidcontinue.obj;noarg.obj;noenv.obj;nothrownew.obj;%(AdditionalDependencies) true 6.01 MachineX64 true true $(OutDir)$(TargetName)_stripped.pdb true true true true UseLinkTimeCodeGeneration /utf-8 /d1nodatetime /d1import_no_registry /d1trimfile:"$(MSBuildThisFileDirectory)\" %(AdditionalOptions) WIN64;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) ProgramDatabase $(ExternalSimdOptions) MaxSpeed MultiThreaded StdCall Precise true true true true AnySuitable true Speed Guard /BREPRO /DEBUGTYPE:CV,PDATA /DEPENDENTLOADFLAG:0x800 /PDBALTPATH:%_PDB% /FILEALIGN:0x1000 /LTCG /NOOPTIDATA /NOVCFEATURE /NOCOFFGRPINFO /BASERELOCCLUSTERING %(AdditionalOptions) $(ExternalLinkerOptions) invalidcontinue.obj;noarg.obj;noenv.obj;nothrownew.obj;%(AdditionalDependencies) 10 MachineARM64 true true $(OutDir)$(TargetName)_stripped.pdb true true true true UseLinkTimeCodeGeneration ================================================ FILE: Directory.Build.props ================================================ $(MSBuildThisFileDirectory) ================================================ FILE: HACKING.md ================================================ ## Conventions ### Names * Functions, function parameters, and global variables use CamelCase. * Local variables use lowerCamelCase. * Structs, enums and unions use CAPS_WITH_UNDERSCORES. All names must have an appropriate prefix (with some exceptions): * `Ph` or `PH_` (structures) for public names. * `Php` or `PHP_` for private names. * Some variants such as `Pha`. * Private prefixes are created by appending `p` to the prefix. E.g. `Ph` -> `Php`, `Pha` -> `Phap`. * Functions and global variables without a prefix must be declared "static". * `static` names must not have a public prefix. * Names with a private prefix do not have to be `static`. * Structures without a prefix must be declared in a `.c/.cpp` file. Structures declared in a `.c/.cpp` file do not require a prefix. ### Types Unless used for the Win32 API, the standard types are: * `BOOLEAN` for a 1 byte boolean, or `LOGICAL` for a 4 byte boolean. * `UCHAR` for 1 byte. * `SHORT`/`USHORT` for 2 bytes. * `LONG`/`ULONG` for 4 bytes. * `LONG64`/`ULONG64` for 8 bytes. * `CHAR` for a 1 byte character. * `WCHAR` for a 2 byte character. * `PSTR` for a string of 1 byte characters. * `PWSTR` for a string of 2 byte characters. #### Booleans Always use: ``` if (booleanVariable) // not "if (booleanVariable == TRUE)" { ... } ``` to test a boolean value. ### Annotations, qualifiers * All functions use SAL annotations, such as `_In_`, `_Inout_`, `_Out_`, etc. * Do not use `volatile` in definitions. Instead, cast to a volatile pointer when necessary. ### Function success indicators There are three main types of indicators used: * A `BOOLEAN` value is returned. `TRUE` indicates success. * A `NTSTATUS` value is returned. The `NT_SUCCESS` macro checks if a status value indicates success. * A `HRESULT` value is returned. The `HR_SUCCESS` macro checks if a status value indicates success. * Do not use the `SUCCEEDED` macro since third parties return `S_FALSE` for errors which `SUCCEEDED` considers a success code. * The result of the function is returned (e.g. a pointer). A special value (e.g. `NULL`) indicates failure. Unless indicated, a function which fails is guaranteed not to modify any of its output parameters (`_Out_`, `_Out_opt_`, etc.). For functions which are passed a callback function, it is not guaranteed that a failed function has not executed the callback function. ### Threads Every thread start routine must have the following signature: ``` _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI NameOfRoutine( _In_ PVOID Parameter ); ``` Thread creation is done through the `PhCreateThread` and `PhCreateThreadEx` functions. ### Collections The collections available are summarized below: Name | Use | Type --------------------- | ----------------------- | --------------- `PH_ARRAY` | Array | Non-intrusive `PH_LIST` | Array | Non-intrusive `LIST_ENTRY` | Doubly linked list | Intrusive `SINGLE_LIST_ENTRY` | Singly linked list | Intrusive `PH_POINTER_LIST` | Array | Non-intrusive `LIST_ENTRY` | Stack | Intrusive `SINGLE_LIST_ENTRY` | Stack | Intrusive `LIST_ENTRY` | Queue | Intrusive `RTL_AVL_TABLE` | Binary tree (AVL) | Non-intrusive `PH_AVL_LINKS` | Binary tree (AVL) | Intrusive `RTL_GENERIC_TABLE` | Binary tree (splay) | Non-intrusive `PH_HASHTABLE` | Hashtable | Non-intrusive `PH_HASH_ENTRY` | Hashtable | Intrusive `PH_CIRCULAR_BUFFER` | Circular buffer | Non-intrusive ### Synchronization The queued lock should be used for all synchronization, due to its small size and good performance. Although the queued lock is a reader-writer lock, it can be used as a mutex simply by using the exclusive acquire/release functions. - Events can be used through `PH_EVENT`. This object does not create a kernel event object until needed, and testing its state is very fast. - Rundown protection is available through `PH_RUNDOWN_PROTECT`. - Condition variables are available using the queued lock. Simply declare and initialize a queued lock variable, and use the `PhPulse(All)Condition` and `PhWaitForCondition` functions. - Custom locking with low overhead can be built using the wake event, built on the queued lock. Test one or more conditions in a loop and use `PhQueueWakeEvent`/`PhWaitForWakeEvent` to block. When a condition is modified use `PhSetWakeEvent` to wake waiters. If after calling `PhQueueWakeEvent` it is determined that no blocking should occur, use `PhSetWakeEvent`. ### Exceptions (SEH) The only method of error handling used in Process Hacker is the return value (`NTSTATUS`, `BOOLEAN`, etc.). Exceptions are used for exceptional situations which cannot easily be recovered from (e.g. a lock acquire function fails to block, or an object has a negative reference count. Exceptions to this rule include: * `PhAllocate`, which raises an exception if it fails to allocate. Checking the return value of each allocation to increase reliability is not worth the extra effort involved, as failed allocations are very rare. * `PhProbeAddress`, which raises an exception if an address lies outside of a specified range. Raising an exception makes it possible to conduct multiple checks in one SEH block. * `STATUS_NOT_IMPLEMENTED` exceptions triggered by code paths which should not be reached, purely due to programmer error. `assert(FALSE)` could also be used in this case. ### Memory management Use `PhAllocate`/`PhFree` to allocate/free memory. For complex objects, use the reference counting system. There is semi-automatic reference counting available in the form of auto-dereference pools (similar to Apple's `NSAutoreleasePool`s). Use the `PhAutoDereferenceObject` to add an object to the thread's pool, and the object will be dereferenced at an unspecified time in the future. However, the object is guaranteed to not be dereferenced while the current function is executing. Referencing an object is necessary whenever a pointer to the object is stored in a globally visible location or passed to another thread. In most other cases, referencing is not necessary. All objects passed to functions must have a guaranteed reference for the duration of that call. One mistake is to keep a reference which could be destroyed in a window procedure, and to use that reference implicitly inside the window procedure. Messages can still be pumped (e.g. dialog boxes) while the window procedure is executing, so the window procedure must reference the object as soon as possible. ### Names (2) #### Object creation/deletion * Allocate means allocate memory without initialization. * Create means allocate memory for an object and initialize the object. * Free can be used for objects created with Allocate or Create functions. * Destroy can also be used for objects created with Create functions. * Initialize means initialize an object with caller-supplied storage. * Delete is paired with Initialize and does not free the object as it was allocated by the caller. * Create is used when objects are being created through the reference counting system. Examples: * `PhAllocateFromFreeList`/`PhFreeToFreeList` * `PhCreateFileDialog`/`PhFreeFileDialog` * `PhInitializeWorkQueue`/`PhDeleteWorkQueue` * `PhCreateString`/`PhDereferenceObject` #### Element counts * Length specifies the length in bytes. E.g. `PhCreateString` requires the length to be specified in bytes. * Count specifies the length in elements. E.g. `PhSubstring` requires the length to be specified in characters. * Index specifies the index in elements. E.g. `PhSubstring` requires the index to be specified in characters. When null terminated strings are being written to output, the return count, if any, must be specified as the number of characters written including the null terminator. ### Strings Strings use the `PH_STRING` type, managed by reference counting. To create a string object from a null-terminated string: ``` PPH_STRING myString = PhCreateString(L"My string"); wprintf( L"My string is \"%s\", and uses %Iu bytes.\n", myString->Buffer, myString->Length ); ``` All string objects have an embedded length (always in bytes), and the string is additionally null-terminated for compatibility reasons. String objects must be treated as immutable unless a string object is created and modified before the pointer is shared with any other functions or stored in any global variables. This exception applies only when creating a string using `PhCreateString` or `PhCreateStringEx`. Strings can be concatenated with `PhConcatStrings`: ``` PPH_STRING newString; newString = PhConcatStrings( 4, L"My first string, ", L"My second string, ", aStringFromSomewhere, L"My fourth string." ); ``` Another version concatenates two strings: ``` PPH_STRING newString; newString = PhConcatStrings2( L"My first string, ", L"My second string." ); ``` Strings can be formatted: ``` PPH_STRING newString; newString = PhFormatString( L"%d: %s, %#x", 100, L"test", 0xff ); ``` ### Tips * Use !! to "cast" to a boolean. ================================================ FILE: KSystemInformer/Directory.Build.props ================================================ ================================================ FILE: KSystemInformer/KSystemInformer.inf ================================================ ; ; Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. ; ; This file is part of System Informer. ; ; Authors: ; ; jxy-s 2022-2025 ; [Version] Signature = "$WINDOWS NT$" Class = ActivityMonitor ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} Provider = SystemInformer DriverVer = 09/01/2022,3.0.0000.0000 CatalogFile = KSystemInformer.cat PnpLockdown = 1 [DestinationDirs] DefaultDestDir = 13 [SystemInformer.Service] DisplayName = KSystemInformer ServiceType = 1 ; SERVICE_KERNEL_DRIVER StartType = 3 ; SERVICE_DEMAND_START ErrorControl = 1 ; SERVICE_ERROR_NORMAL ServiceBinary = %13%\systeminformer.sys [SystemInformer.CopyFiles] systeminformer.sys ksi.dll [SourceDisksFiles] systeminformer.sys = 1,, ksi.dll = 1,, [SourceDisksNames] 1 = %DiskId1%,,,"" [Strings] DiskId1 = "KSystemInformer Disk #1" ; ; AMD64 Section ; [DefaultInstall.NTamd64] CopyFiles = SystemInformer.CopyFiles [DefaultInstall.NTamd64.Services] AddService = KSystemInformer,,SystemInformer.Service ; ; ARM64 Section ; [DefaultInstall.NTarm64] CopyFiles = SystemInformer.CopyFiles [DefaultInstall.NTarm64.Services] AddService = KSystemInformer,,SystemInformer.Service ================================================ FILE: KSystemInformer/KSystemInformer.sln ================================================  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 17 VisualStudioVersion = 17.7.34024.191 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KSystemInformer", "KSystemInformer.vcxproj", "{F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}" ProjectSection(ProjectDependencies) = postProject {B1863396-A667-42DB-97AC-C5E033CEE321} = {B1863396-A667-42DB-97AC-C5E033CEE321} {B385D394-19CC-48BC-827E-AF9ADCE559E0} = {B385D394-19CC-48BC-827E-AF9ADCE559E0} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kphlib", "..\kphlib\kphlib_km.vcxproj", "{B1863396-A667-42DB-97AC-C5E033CEE321}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ksidll", "ksidll.vcxproj", "{B385D394-19CC-48BC-827E-AF9ADCE559E0}" ProjectSection(ProjectDependencies) = postProject {B1863396-A667-42DB-97AC-C5E033CEE321} = {B1863396-A667-42DB-97AC-C5E033CEE321} EndProjectSection EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|ARM64 = Debug|ARM64 Debug|x64 = Debug|x64 Release|ARM64 = Release|ARM64 Release|x64 = Release|x64 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Debug|ARM64.ActiveCfg = Debug|ARM64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Debug|ARM64.Build.0 = Debug|ARM64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Debug|ARM64.Deploy.0 = Debug|ARM64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Debug|x64.ActiveCfg = Debug|x64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Debug|x64.Build.0 = Debug|x64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Debug|x64.Deploy.0 = Debug|x64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Release|ARM64.ActiveCfg = Release|ARM64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Release|ARM64.Build.0 = Release|ARM64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Release|ARM64.Deploy.0 = Release|ARM64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Release|x64.ActiveCfg = Release|x64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Release|x64.Build.0 = Release|x64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF}.Release|x64.Deploy.0 = Release|x64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Debug|ARM64.ActiveCfg = Debug|ARM64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Debug|ARM64.Build.0 = Debug|ARM64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Debug|ARM64.Deploy.0 = Debug|ARM64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Debug|x64.ActiveCfg = Debug|x64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Debug|x64.Build.0 = Debug|x64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Debug|x64.Deploy.0 = Debug|x64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Release|ARM64.ActiveCfg = Release|ARM64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Release|ARM64.Build.0 = Release|ARM64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Release|ARM64.Deploy.0 = Release|ARM64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Release|x64.ActiveCfg = Release|x64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Release|x64.Build.0 = Release|x64 {B1863396-A667-42DB-97AC-C5E033CEE321}.Release|x64.Deploy.0 = Release|x64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Debug|ARM64.ActiveCfg = Debug|ARM64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Debug|ARM64.Build.0 = Debug|ARM64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Debug|ARM64.Deploy.0 = Debug|ARM64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Debug|x64.ActiveCfg = Debug|x64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Debug|x64.Build.0 = Debug|x64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Debug|x64.Deploy.0 = Debug|x64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Release|ARM64.ActiveCfg = Release|ARM64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Release|ARM64.Build.0 = Release|ARM64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Release|ARM64.Deploy.0 = Release|ARM64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Release|x64.ActiveCfg = Release|x64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Release|x64.Build.0 = Release|x64 {B385D394-19CC-48BC-827E-AF9ADCE559E0}.Release|x64.Deploy.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {4989C8A8-DCF1-48A9-9012-23369AB01403} EndGlobalSection EndGlobal ================================================ FILE: KSystemInformer/KSystemInformer.slnx ================================================ ================================================ FILE: KSystemInformer/KSystemInformer.vcxproj ================================================  Debug ARM64 Release ARM64 Debug x64 Release x64 {F4853009-C5D2-4A25-BE4D-BB0D9F84E2FF} {dd38f7fc-d7bd-488b-9242-7d8754cde80d} Driver KSystemInformer $(SystemInformerRoot)KSystemInformer\obj\$(Configuration)$(PlatformArchitecture)\$(ProjectName)\ $(SystemInformerRoot)KSystemInformer\bin\$(Configuration)$(PlatformArchitecture)\ SystemInformer ksi.lib;FltMgr.lib;ksecdd.lib;kphlib_km.lib;volatileaccessk.lib;umaccess.lib%(AdditionalDependencies) %(AdditionalIncludeDirectories);$(SystemInformerRoot)kphlib\include\ ================================================ FILE: KSystemInformer/KSystemInformer.vcxproj.filters ================================================  {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Resource Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files ================================================ FILE: KSystemInformer/README.md ================================================ # System Informer Kernel - optimizes retrieval of information from the system - enables broader inspection into the system - informs of system activity in realtime - assists in removal of malware ## Security [Security Policies and Procedures](../SECURITY.md) Because the information exposed through the driver enables, by design, broader access into the system. Access is strictly limited to verified callers. Access is restricted based on the state of the calling process. This involves signing, privilege, and other state checks. If the client does not meet the state requirements they are denied access. Any binaries built with the intention of loading into System Informer must have a `.sig` from the key pair integrated into the build process and driver. Or be signed by Microsoft or an anti-malware vendor. Loading of unsigned modules will restrict access to the driver. Third-party plugins are supported, however when they are loaded access to the driver will be restricted as they are not signed. The driver tracks verified clients, restricts access by other actors on the system, and denies access if the process is tampered with. The intention is to discourage exploitation of the client when the driver is active. If tampering or exploitation is detected the client is denied access. ## Development Developers may suppress protections and state requirements by disabling secure boot (if applicable) then enabling debug and test signing mode. Doing this will permit the client process to be debugged and enables use of test signing keys. ``` bcdedit /debug on bcdedit /set testsigning on ``` Developers may generate their own key pair for use in their environment. 1. execute `tools\CustomSignTool\bin\Release64\CustomSignTool.exe createkeypair kph.key public.key` 2. copy `kph.key` into `tools\CustomSignTool\resources` 3. copy the bytes for `public.key` into the `KphpPublicKeys` array in [verify.c](verify.c) - `KphKeyTypeProd` does not require debug and test signing enablement - `KphKeyTypeTest` requires debug and test signing enablement 4. regenerate dynamic data `tools\CustomBuildTool\bin\Release\amd64\CustomBuildTool.exe -dyndata` 5. rebuild the kernel _and_ user components It's important to regenerate the dynamic data and build the kernel and user components after creating and placing the new key pair. The driver uses the public key to validate the dynamic data and user mode binaries. Neglecting to do this will result in failures to load or connect to the driver. Once these steps are completed builds of System Informer components will generate a `.sig` file next to the output binaries. And the developer built driver will use the specified key when doing verification checks. Any plugins not built through the regular build process must also have their own `.sig`. ================================================ FILE: KSystemInformer/alloc.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include typedef struct _KPH_LOOKASIDE_INIT { SIZE_T Size; ULONG Tag; } KPH_LOOKASIDE_INIT, *PKPH_LOOKASIDE_INIT; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpPagedLookasideObjectTypeName = RTL_CONSTANT_STRING(L"KphPagedLookaside"); static const UNICODE_STRING KphpNPagedLookasideObjectTypeName = RTL_CONSTANT_STRING(L"KphNPagedLookaside"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpPagedLookasideObjectType = NULL; static PKPH_OBJECT_TYPE KphpNPagedLookasideObjectType = NULL; static ULONG KphpRandomPoolTag = 0; KPH_PROTECTED_DATA_SECTION_POP(); /** * \brief Allocates non-page-able memory. * * \param[in] NumberOfBytes The number of bytes to allocate. * \param[in] Tag The pool tag to use. * * \return Allocated non-page-able memory. Null on failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(NumberOfBytes) PVOID KphAllocateNPaged( _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag ) { KPH_NPAGED_CODE_DISPATCH_MAX(); if (KphpRandomPoolTag) { Tag = KphpRandomPoolTag; } #pragma warning(suppress: 4995) // suppress deprecation warning return ExAllocatePoolZero(NonPagedPoolNx, NumberOfBytes, Tag); } /** * \brief Frees memory. * * \param[in] Memory The memory to free. * \param[in] Tag The tag associated with the allocation. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFree( _FreesMem_ PVOID Memory, _In_ ULONG Tag ) { KPH_NPAGED_CODE_DISPATCH_MAX(); NT_ASSERT(Memory); if (KphpRandomPoolTag) { Tag = KphpRandomPoolTag; } #pragma warning(suppress: 4995) // suppress deprecation warning ExFreePoolWithTag(Memory, Tag); } /** * \brief Initialized a non-page-able lookaside list. * * \param[out] Lookaside The lookaside list to initialize. * \param[in] Size The size of entries in the lookaside list. * \param[in] Tag The pool tag to use. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphInitializeNPagedLookaside( _Out_ PNPAGED_LOOKASIDE_LIST Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ) { KPH_NPAGED_CODE_DISPATCH_MAX(); if (KphpRandomPoolTag) { Tag = KphpRandomPoolTag; } #pragma warning(suppress: 4995) // suppress deprecation warning ExInitializeNPagedLookasideList(Lookaside, NULL, NULL, POOL_NX_ALLOCATION, Size, Tag, 0); } /** * \brief Deletes a non-page-able lookaside list. * * \param[in,out] Lookaside The lookaside to delete. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphDeleteNPagedLookaside( _Inout_ PNPAGED_LOOKASIDE_LIST Lookaside ) { KPH_NPAGED_CODE_DISPATCH_MAX(); #pragma warning(suppress: 4995) // suppress deprecation warning ExDeleteNPagedLookasideList(Lookaside); } /** * \brief Allocates non-page-able memory from the lookaside list. * * \param[in,out] Lookaside The lookaside list to allocate from. * * \return Allocated non-page-able memory. Null on failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromNPagedLookaside( _Inout_ PNPAGED_LOOKASIDE_LIST Lookaside ) { PVOID memory; KPH_NPAGED_CODE_DISPATCH_MAX(); #pragma warning(suppress: 4995) // suppress deprecation warning memory = ExAllocateFromNPagedLookasideList(Lookaside); if (memory) { RtlZeroMemory(memory, Lookaside->L.Size); } return memory; } /** * \brief Frees non-page-able memory back to the lookaside list. * * \param[in,out] Lookaside The lookaside list to free back to. * \param[in] Memory The memory to free. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFreeToNPagedLookaside( _Inout_ PNPAGED_LOOKASIDE_LIST Lookaside, _In_freesMem_ PVOID Memory ) { KPH_NPAGED_CODE_DISPATCH_MAX(); NT_ASSERT(Memory); #pragma warning(suppress: 4995) // suppress deprecation warning ExFreeToNPagedLookasideList(Lookaside, Memory); } /** * \brief Allocates a non-page-able lookaside object. * * \param[in] Size The size of the lookaside object. * * \return Allocated lookaside object, null on allocation failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateNPagedLookasideObject( _In_ SIZE_T Size ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphAllocateNPaged(Size, KPH_TAG_NPAGED_LOOKASIDE_OBJECT); } /** * \brief Initializes a non-page-able lookaside object. * * \param[in,out] Object The lookaside object to initialize. * \param[in] Parameter The lookaside initialization parameters. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeNPagedLookasideObject( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_NPAGED_LOOKASIDE_OBJECT lookaside; PKPH_LOOKASIDE_INIT init; KPH_NPAGED_CODE_DISPATCH_MAX(); NT_ASSERT(Parameter); lookaside = Object; init = Parameter; KphInitializeNPagedLookaside((PNPAGED_LOOKASIDE_LIST)lookaside, init->Size, init->Tag); return STATUS_SUCCESS; } /** * \brief Deletes a non-page-able lookaside object. * * \param[in,out] Object The lookaside object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) VOID KSIAPI KphpDeleteNPagedLookasideObject( _Inout_ PVOID Object ) { PKPH_NPAGED_LOOKASIDE_OBJECT lookaside; KPH_NPAGED_CODE_DISPATCH_MAX(); lookaside = Object; KphDeleteNPagedLookaside((PNPAGED_LOOKASIDE_LIST)Object); } /** * \brief Frees a non-page-page lookaside object. * * \param[in] Object The lookaside object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) VOID KSIAPI KphpFreeNPagedLookasideObject( _In_freesMem_ PVOID Object ) { KPH_NPAGED_CODE_DISPATCH_MAX(); KphFree(Object, KPH_TAG_NPAGED_LOOKASIDE_OBJECT); } /** * \brief Creates a non-page-able lookaside object. * * \param[out] Lookaside Set to the new non-page-able lookaside object on success. * \param[in] Size The size of entries in the lookaside list. * \param[in] Tag The pool tag to use. * * \return Successful or errant status. */ _IRQL_requires_max_(DISPATCH_LEVEL) NTSTATUS KphCreateNPagedLookasideObject( _Outptr_result_nullonfailure_ PKPH_NPAGED_LOOKASIDE_OBJECT* Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ) { NTSTATUS status; KPH_LOOKASIDE_INIT init; KPH_NPAGED_CODE_DISPATCH_MAX(); if (KphpRandomPoolTag) { Tag = KphpRandomPoolTag; } init.Size = Size; init.Tag = Tag; *Lookaside = NULL; status = KphCreateObject(KphpNPagedLookasideObjectType, sizeof(KPH_NPAGED_LOOKASIDE_OBJECT), Lookaside, &init); if (!NT_SUCCESS(status)) { *Lookaside = NULL; } return status; } /** * \brief Allocates from a non-page-able lookaside object. * * \param[in,out] Lookaside The non-page-able lookaside object to allocate from. * * \return Allocated non-page-able memory. Null on failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromNPagedLookasideObject( _Inout_ PKPH_NPAGED_LOOKASIDE_OBJECT Lookaside ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphAllocateFromNPagedLookaside((PNPAGED_LOOKASIDE_LIST)Lookaside); } /** * \brief Frees non-page-able memory back to the lookaside object. * * \param[in,out] Lookaside The lookaside object to free back to. * \param[in] Memory The memory to free. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFreeToNPagedLookasideObject( _Inout_ PKPH_NPAGED_LOOKASIDE_OBJECT Lookaside, _In_freesMem_ PVOID Memory ) { KPH_NPAGED_CODE_DISPATCH_MAX(); KphFreeToNPagedLookaside((PNPAGED_LOOKASIDE_LIST)Lookaside, Memory); } KPH_PAGED_FILE(); /** * \brief Allocates page-able memory. * * \param[in] NumberOfBytes The number of bytes to allocate. * \param[in] Tag The pool tag to use. * * \return Allocated page-able memory. Null on failure. */ _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(NumberOfBytes) PVOID KphAllocatePaged( _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag ) { KPH_PAGED_CODE(); if (KphpRandomPoolTag) { Tag = KphpRandomPoolTag; } #pragma warning(suppress: 4995) // suppress deprecation warning return ExAllocatePoolZero(PagedPool, NumberOfBytes, Tag); } /** * \brief Initialized a page-able lookaside list. * * \param[in] Lookaside The lookaside list to initialize. * \param[in] Size The size of entries in the lookaside list. * \param[in] Tag The pool tag to use. */ _IRQL_requires_max_(APC_LEVEL) VOID KphInitializePagedLookaside( _Out_ PPAGED_LOOKASIDE_LIST Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ) { KPH_PAGED_CODE(); if (KphpRandomPoolTag) { Tag = KphpRandomPoolTag; } #pragma warning(suppress: 4995) // suppress deprecation warning ExInitializePagedLookasideList(Lookaside, NULL, NULL, 0, Size, Tag, 0); } /** * \brief Deletes a page-able lookaside list. * * \param[in,out] Lookaside The lookaside to delete. */ _IRQL_requires_max_(APC_LEVEL) VOID KphDeletePagedLookaside( _Inout_ PPAGED_LOOKASIDE_LIST Lookaside ) { KPH_PAGED_CODE(); #pragma warning(suppress: 4995) // suppress deprecation warning ExDeletePagedLookasideList(Lookaside); } /** * \brief Allocates page-able memory from the lookaside list. * * \param[in,out] Lookaside The lookaside list to allocate from. * * \return Allocated page-able memory. Null on failure. */ _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromPagedLookaside( _Inout_ PPAGED_LOOKASIDE_LIST Lookaside ) { PVOID memory; KPH_PAGED_CODE(); #pragma warning(suppress: 4995) // suppress deprecation warning memory = ExAllocateFromPagedLookasideList(Lookaside); if (memory) { RtlZeroMemory(memory, Lookaside->L.Size); } return memory; } /** * \brief Frees page-able memory back to the lookaside list. * * \param[in,out] Lookaside The lookaside list to free back to. * \param[in] Memory The memory to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphFreeToPagedLookaside( _Inout_ PPAGED_LOOKASIDE_LIST Lookaside, _In_freesMem_ PVOID Memory ) { KPH_PAGED_CODE(); NT_ASSERT(Memory); #pragma warning(suppress: 4995) // suppress deprecation warning ExFreeToPagedLookasideList(Lookaside, Memory); } /** * \brief Allocates a page-able lookaside object. * * \param[in] Size The size of the lookaside object. * * \return Allocated lookaside object, null on allocation failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocatePagedLookasideObject( _In_ SIZE_T Size ) { KPH_PAGED_CODE(); return KphAllocateNPaged(Size, KPH_TAG_PAGED_LOOKASIDE_OBJECT); } /** * \brief Initializes a page-able lookaside object. * * \param[in,out] Object The lookaside object to initialize. * \param[in] Parameter The lookaside initialization parameters. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializePagedLookasideObject( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_PAGED_LOOKASIDE_OBJECT lookaside; PKPH_LOOKASIDE_INIT init; KPH_PAGED_CODE(); NT_ASSERT(Parameter); lookaside = Object; init = Parameter; KphInitializePagedLookaside((PPAGED_LOOKASIDE_LIST)lookaside, init->Size, init->Tag); return STATUS_SUCCESS; } /** * \brief Deletes a page-able lookaside object. * * \param[in,out] Object The lookaside object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) VOID KSIAPI KphpDeletePagedLookasideObject( _Inout_ PVOID Object ) { PKPH_PAGED_LOOKASIDE_OBJECT lookaside; KPH_PAGED_CODE(); lookaside = Object; KphDeletePagedLookaside((PPAGED_LOOKASIDE_LIST)Object); } /** * \brief Frees a page-page lookaside object. * * \param[in] Object The lookaside object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) VOID KSIAPI KphpFreePagedLookasideObject( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE(); KphFree(Object, KPH_TAG_PAGED_LOOKASIDE_OBJECT); } /** * \brief Creates a page-able lookaside object. * * \param[out] Lookaside Set to the new page-able lookaside object on success. * \param[in] Size The size of entries in the lookaside list. * \param[in] Tag The pool tag to use. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphCreatePagedLookasideObject( _Outptr_result_nullonfailure_ PKPH_PAGED_LOOKASIDE_OBJECT* Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ) { NTSTATUS status; KPH_LOOKASIDE_INIT init; KPH_PAGED_CODE(); if (KphpRandomPoolTag) { Tag = KphpRandomPoolTag; } init.Size = Size; init.Tag = Tag; *Lookaside = NULL; status = KphCreateObject(KphpPagedLookasideObjectType, sizeof(KPH_PAGED_LOOKASIDE_OBJECT), Lookaside, &init); if (!NT_SUCCESS(status)) { *Lookaside = NULL; } return status; } /** * \brief Allocates from a page-able lookaside object. * * \param[in,out] Lookaside The page-able lookaside object to allocate from. * * \return Allocated page-able memory. Null on failure. */ _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromPagedLookasideObject( _Inout_ PKPH_PAGED_LOOKASIDE_OBJECT Lookaside ) { KPH_PAGED_CODE(); return KphAllocateFromPagedLookaside((PPAGED_LOOKASIDE_LIST)Lookaside); } /** * \brief Frees page-able memory back to the lookaside object. * * \param[in,out] Lookaside The lookaside object to free back to. * \param[in] Memory The memory to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphFreeToPagedLookasideObject( _Inout_ PKPH_PAGED_LOOKASIDE_OBJECT Lookaside, _In_freesMem_ PVOID Memory ) { KPH_PAGED_CODE(); KphFreeToPagedLookaside((PPAGED_LOOKASIDE_LIST)Lookaside, Memory); } /** * \brief Makes a byte suitable for a pool tag. * * \param[in] Byte A byte to make suitable for a pool tag. * * \return A byte suitable for a pool tag. */ _IRQL_requires_max_(PASSIVE_LEVEL) BYTE KphpMakePoolTagByte( _In_ BYTE Byte ) { BYTE outByte; KPH_PAGED_CODE_PASSIVE(); outByte = Byte % '~'; if (outByte < ' ') { outByte += ' '; } return outByte; } /** * \brief Generates a randomized pool tag. * * \return Randomized pool tag. */ _IRQL_requires_max_(PASSIVE_LEVEL) ULONG KphpGenerateRandomPoolTag( VOID ) { ULONG64 interruptTime; ULONG seed; ULONG randomValue; BYTE byte; ULONG poolTag; KPH_PAGED_CODE_PASSIVE(); interruptTime = KeQueryInterruptTime(); seed = (ULONG)(interruptTime >> 32); seed |= (ULONG)interruptTime; seed ^= PtrToUlong(PsGetCurrentThread()); do { randomValue = RtlRandomEx(&seed); } while (!randomValue); poolTag = 0; byte = KphpMakePoolTagByte(randomValue & 0xff); poolTag = (ULONG)byte; byte = KphpMakePoolTagByte((randomValue >> 8) & 0xff); poolTag |= ((ULONG)byte << 8); byte = KphpMakePoolTagByte((randomValue >> 16) & 0xff); poolTag |= ((ULONG)byte << 16); byte = KphpMakePoolTagByte((randomValue >> 24) & 0xff); poolTag |= ((ULONG)byte << 24); return poolTag; } /** * \brief Initializes allocation infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeAlloc( VOID ) { KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); if (KphParameterFlags.RandomizedPoolTag) { KphpRandomPoolTag = KphpGenerateRandomPoolTag(); } typeInfo.Allocate = KphpAllocatePagedLookasideObject; typeInfo.Initialize = KphpInitializePagedLookasideObject; typeInfo.Delete = KphpDeletePagedLookasideObject; typeInfo.Free = KphpFreePagedLookasideObject; typeInfo.Flags = 0; KphCreateObjectType(&KphpPagedLookasideObjectTypeName, &typeInfo, &KphpPagedLookasideObjectType); typeInfo.Allocate = KphpAllocateNPagedLookasideObject; typeInfo.Initialize = KphpInitializeNPagedLookasideObject; typeInfo.Delete = KphpDeleteNPagedLookasideObject; typeInfo.Free = KphpFreeNPagedLookasideObject; typeInfo.Flags = 0; KphCreateObjectType(&KphpNPagedLookasideObjectTypeName, &typeInfo, &KphpNPagedLookasideObjectType); } ================================================ FILE: KSystemInformer/alpc.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include KPH_PAGED_FILE(); #define KPH_ALPC_NAME_BUFFER_SIZE ((MAX_PATH * 2) + sizeof(OBJECT_NAME_INFORMATION)) /** * \brief References any communication ports associated with the input port. * The caller must dereference any returned objects by calling ObDereferenceObject. * * \param[in] Dyn Dynamic configuration. * \param[in] Port The ALPC port to references the associated ports of. * \param[out] ConnectionPort Set to the connection port. * \param[out] ServerPort Set to the server port. * \param[out] ClientPort Set to the client port. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpReferenceAlpcCommunicationPorts( _In_ PKPH_DYN Dyn, _In_ PVOID Port, _Outptr_result_maybenull_ PVOID* ConnectionPort, _Outptr_result_maybenull_ PVOID* ServerPort, _Outptr_result_maybenull_ PVOID* ClientPort ) { NTSTATUS status; PVOID communicationInfo; PVOID handleTable; PVOID handleTableLock; BOOLEAN typeMismatch; PVOID connectionPort; PVOID serverPort; PVOID clientPort; KPH_PAGED_CODE_PASSIVE(); *ConnectionPort = NULL; *ServerPort = NULL; *ClientPort = NULL; connectionPort = NULL; serverPort = NULL; clientPort = NULL; if ((Dyn->AlpcCommunicationInfo == ULONG_MAX) || (Dyn->AlpcHandleTable == ULONG_MAX) || (Dyn->AlpcHandleTableLock == ULONG_MAX)) { status = STATUS_NOINTERFACE; goto Exit; } communicationInfo = *(PVOID*)Add2Ptr(Port, Dyn->AlpcCommunicationInfo); if (!communicationInfo) { status = STATUS_NOT_FOUND; goto Exit; } handleTable = Add2Ptr(communicationInfo, Dyn->AlpcHandleTable); handleTableLock = Add2Ptr(handleTable, Dyn->AlpcHandleTableLock); typeMismatch = FALSE; FltAcquirePushLockShared(handleTableLock); if (Dyn->AlpcConnectionPort != ULONG_MAX) { connectionPort = *(PVOID*)Add2Ptr(communicationInfo, Dyn->AlpcConnectionPort); if (connectionPort) { if (ObGetObjectType(connectionPort) != *AlpcPortObjectType) { typeMismatch = TRUE; connectionPort = NULL; } else { ObReferenceObject(connectionPort); } } } if (Dyn->AlpcServerCommunicationPort != ULONG_MAX) { serverPort = *(PVOID*)Add2Ptr(communicationInfo, Dyn->AlpcServerCommunicationPort); if (serverPort) { if (ObGetObjectType(serverPort) != *AlpcPortObjectType) { typeMismatch = TRUE; serverPort = NULL; } else { ObReferenceObject(serverPort); } } } if (Dyn->AlpcClientCommunicationPort != ULONG_MAX) { clientPort = *(PVOID*)Add2Ptr(communicationInfo, Dyn->AlpcClientCommunicationPort); if (clientPort) { if (ObGetObjectType(clientPort) != *AlpcPortObjectType) { typeMismatch = TRUE; clientPort = NULL; } else { ObReferenceObject(clientPort); } } } FltReleasePushLock(handleTableLock); if (typeMismatch) { status = STATUS_OBJECT_TYPE_MISMATCH; goto Exit; } *ConnectionPort = connectionPort; connectionPort = NULL; *ServerPort = serverPort; serverPort = NULL; *ClientPort = clientPort; clientPort = NULL; status = STATUS_SUCCESS; Exit: if (connectionPort) { ObDereferenceObject(connectionPort); } if (serverPort) { ObDereferenceObject(serverPort); } if (clientPort) { ObDereferenceObject(clientPort); } return status; } /** * \brief Retrieves the basic information for an ALPC port. * * \param[in] Dyn Dynamic configuration. * \param[in] Port The ALPC port to get the basic information of. * \param[out] Info Populated with the basic information. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpAlpcBasicInfo( _In_ PKPH_DYN Dyn, _In_ PVOID Port, _Out_ PKPH_ALPC_BASIC_INFORMATION Info ) { PEPROCESS process; PVOID portObjectLock; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(Info, sizeof(*Info)); if ((Dyn->AlpcOwnerProcess == ULONG_MAX) || (Dyn->AlpcPortObjectLock == ULONG_MAX)) { return STATUS_NOINTERFACE; } // // The OS uses the first bit of the OwnerProcess to denote if it is valid, // if the first bit of the OwnerProcess is set is it invalid. Checking the // bit should be done under the PortObjectLock. // See: ntoskrnl!AlpcpPortQueryServerSessionInfo // portObjectLock = Add2Ptr(Port, Dyn->AlpcPortObjectLock); FltAcquirePushLockShared(portObjectLock); process = *(PEPROCESS*)Add2Ptr(Port, Dyn->AlpcOwnerProcess); if (process && (((ULONG_PTR)process & 1) == 0)) { Info->OwnerProcessId = PsGetProcessId(process); } FltReleasePushLock(portObjectLock); if ((Dyn->AlpcAttributes != ULONG_MAX) && (Dyn->AlpcAttributesFlags != ULONG_MAX)) { Info->Flags = *(PULONG)Add2Ptr(Add2Ptr(Port, Dyn->AlpcAttributes), Dyn->AlpcAttributesFlags); } if (Dyn->AlpcPortContext != ULONG_MAX) { Info->PortContext = *(PVOID*)Add2Ptr(Port, Dyn->AlpcPortContext); } if (Dyn->AlpcSequenceNo != ULONG_MAX) { Info->SequenceNo = *(PULONG)Add2Ptr(Port, Dyn->AlpcSequenceNo); } if (Dyn->AlpcState != ULONG_MAX) { Info->State = *(PULONG)Add2Ptr(Port, Dyn->AlpcState); } return STATUS_SUCCESS; } /** * \brief Retrieves the communication information for an ALPC port. * * \param[in] Dyn Dynamic configuration. * \param[in] Port The ALPC port to get the information of. * \param[out] Info Populated with the communication information. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpAlpcCommunicationInfo( _In_ PKPH_DYN Dyn, _In_ PVOID Port, _Out_ PKPH_ALPC_COMMUNICATION_INFORMATION Info ) { NTSTATUS status; PVOID connectionPort; PVOID serverPort; PVOID clientPort; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(Info, sizeof(*Info)); status = KphpReferenceAlpcCommunicationPorts(Dyn, Port, &connectionPort, &serverPort, &clientPort); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpReferenceAlpcCommunicationPorts failed: %!STATUS!", status); connectionPort = NULL; serverPort = NULL; clientPort = NULL; goto Exit; } if (connectionPort) { status = KphpAlpcBasicInfo(Dyn, connectionPort, &Info->ConnectionPort); if (!NT_SUCCESS(status)) { goto Exit; } } if (serverPort) { status = KphpAlpcBasicInfo(Dyn, serverPort, &Info->ServerCommunicationPort); if (!NT_SUCCESS(status)) { goto Exit; } } if (clientPort) { status = KphpAlpcBasicInfo(Dyn, clientPort, &Info->ClientCommunicationPort); if (!NT_SUCCESS(status)) { goto Exit; } } Exit: if (connectionPort) { ObDereferenceObject(connectionPort); } if (serverPort) { ObDereferenceObject(serverPort); } if (clientPort) { ObDereferenceObject(clientPort); } return status; } /** * \brief Utility function for copying the ALPC port name into an output string. * * \param[in] Port The ALPC port to copy the name of. * \param[in] NameBuffer Preallocated name buffer to use to get the name. * \param[in,out] Buffer The space to write the string. * \param[in,out] RemainingLength The remaining space to write the string. * \param[in,out] ReturnLength Updated by number of bytes written or required. * \param[out] String The string to populate. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpAlpcCopyPortName( _In_ PVOID Port, _In_bytecount_(KPH_ALPC_NAME_BUFFER_SIZE) POBJECT_NAME_INFORMATION NameBuffer, _Inout_ PVOID* Buffer, _Inout_ PULONG RemainingLength, _Inout_ PULONG ReturnLength, _Out_opt_ PUNICODE_STRING String ) { NTSTATUS status; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); if (String) { RtlZeroMemory(String, sizeof(*String)); } status = KphQueryNameObject(Port, NameBuffer, KPH_ALPC_NAME_BUFFER_SIZE, &returnLength); if (!NT_SUCCESS(status) || (NameBuffer->Name.Length == 0)) { // // We're best effort here. // return STATUS_SUCCESS; } status = RtlULongAdd(*ReturnLength, NameBuffer->Name.Length, ReturnLength); if (!NT_SUCCESS(status)) { return status; } if (!String || (NameBuffer->Name.Length > *RemainingLength)) { // // Success, return length is updated with the needed length. // return STATUS_SUCCESS; } String->Buffer = *Buffer; String->MaximumLength = NameBuffer->Name.Length; *Buffer = Add2Ptr(*Buffer, NameBuffer->Name.Length); *RemainingLength -= NameBuffer->Name.Length; RtlCopyUnicodeString(String, &NameBuffer->Name); return STATUS_SUCCESS; } /** * \brief Retrieves the names of the communication ports for a given ALPC port. * * \param[in] Dyn Dynamic configuration. * \param[in] Port The port to retrieve the names of. * \param[out] Info Populated with the name information. * \param[in] InfoLength The length of the information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpAlpcCommunicationNamesInfo( _In_ PKPH_DYN Dyn, _In_ PVOID Port, _Out_writes_bytes_opt_(InfoLength) PKPH_ALPC_COMMUNICATION_NAMES_INFORMATION Info, _In_ ULONG InfoLength, _Out_ PULONG ReturnLength ) { NTSTATUS status; POBJECT_NAME_INFORMATION nameBuffer; PVOID connectionPort; PVOID serverPort; PVOID clientPort; PVOID buffer; ULONG remainingLength; KPH_PAGED_CODE_PASSIVE(); *ReturnLength = sizeof(KPH_ALPC_COMMUNICATION_NAMES_INFORMATION); nameBuffer = NULL; if (Info && (InfoLength >= sizeof(KPH_ALPC_COMMUNICATION_NAMES_INFORMATION))) { RtlZeroMemory(Info, sizeof(KPH_ALPC_COMMUNICATION_NAMES_INFORMATION)); remainingLength = (InfoLength - sizeof(KPH_ALPC_COMMUNICATION_NAMES_INFORMATION)); buffer = Add2Ptr(Info, sizeof(KPH_ALPC_COMMUNICATION_NAMES_INFORMATION)); } else { remainingLength = 0; buffer = NULL; } status = KphpReferenceAlpcCommunicationPorts(Dyn, Port, &connectionPort, &serverPort, &clientPort); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpReferenceAlpcCommunicationPorts failed: %!STATUS!", status); connectionPort = NULL; serverPort = NULL; clientPort = NULL; goto Exit; } nameBuffer = KphAllocatePaged(KPH_ALPC_NAME_BUFFER_SIZE, KPH_TAG_ALPC_NAME_QUERY); if (!nameBuffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } if (connectionPort) { status = KphpAlpcCopyPortName(connectionPort, nameBuffer, &buffer, &remainingLength, ReturnLength, (Info ? &Info->ConnectionPort : NULL)); if (!NT_SUCCESS(status)) { goto Exit; } } if (serverPort) { status = KphpAlpcCopyPortName(serverPort, nameBuffer, &buffer, &remainingLength, ReturnLength, (Info ? &Info->ServerCommunicationPort : NULL)); if (!NT_SUCCESS(status)) { goto Exit; } } if (clientPort) { status = KphpAlpcCopyPortName(clientPort, nameBuffer, &buffer, &remainingLength, ReturnLength, (Info ? &Info->ClientCommunicationPort : NULL)); if (!NT_SUCCESS(status)) { goto Exit; } } if (*ReturnLength > InfoLength) { status = STATUS_BUFFER_TOO_SMALL; } else { status = STATUS_SUCCESS; } Exit: if (nameBuffer) { KphFree(nameBuffer, KPH_TAG_ALPC_NAME_QUERY); } if (connectionPort) { ObDereferenceObject(connectionPort); } if (serverPort) { ObDereferenceObject(serverPort); } if (clientPort) { ObDereferenceObject(clientPort); } return status; } /** * \brief Queries information about an ALPC port. * * \param[in] ProceessHandle Handle to the process where the ALPC handle resides. * \param[in] PortHandle Handle to the ALPC port to query. * \param[in] AlpcInformationClass Information class to query. * \param[out] AlpcInformation Populated with information by ALPC port. * \param[in] AlpcInformationLength Length of the ALPC information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphAlpcQueryInformation( _In_ HANDLE ProcessHandle, _In_ HANDLE PortHandle, _In_ KPH_ALPC_INFORMATION_CLASS AlpcInformationClass, _Out_writes_bytes_opt_(AlpcInformationLength) PVOID AlpcInformation, _In_ ULONG AlpcInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_DYN dyn; PEPROCESS process; KAPC_STATE apcState; PVOID port; ULONG returnLength; PVOID buffer; BYTE stackBuffer[64]; KPROCESSOR_MODE accessMode; KPH_PAGED_CODE_PASSIVE(); dyn = NULL; port = NULL; returnLength = 0; buffer = NULL; status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); process = NULL; goto Exit; } if (process == PsInitialSystemProcess) { PortHandle = MakeKernelHandle(PortHandle); accessMode = KernelMode; } else { if (IsKernelHandle(PortHandle)) { status = STATUS_INVALID_HANDLE; goto Exit; } accessMode = AccessMode; } KeStackAttachProcess(process, &apcState); status = ObReferenceObjectByHandle(PortHandle, 0, *AlpcPortObjectType, accessMode, &port, NULL); KeUnstackDetachProcess(&apcState); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); port = NULL; goto Exit; } switch (AlpcInformationClass) { case KphAlpcBasicInformation: { KPH_ALPC_BASIC_INFORMATION info; dyn = KphReferenceDynData(); if (!dyn) { status = STATUS_NOINTERFACE; goto Exit; } if (!AlpcInformation || (AlpcInformationLength < sizeof(KPH_ALPC_BASIC_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_ALPC_BASIC_INFORMATION); goto Exit; } status = KphpAlpcBasicInfo(dyn, port, &info); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpAlpcBasicInfo failed: %!STATUS!", status); goto Exit; } status = KphCopyToMode(AlpcInformation, &info, sizeof(KPH_ALPC_BASIC_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_ALPC_BASIC_INFORMATION); } break; } case KphAlpcCommunicationInformation: { KPH_ALPC_COMMUNICATION_INFORMATION info; dyn = KphReferenceDynData(); if (!dyn) { status = STATUS_NOINTERFACE; goto Exit; } if (!AlpcInformation || (AlpcInformationLength < sizeof(KPH_ALPC_COMMUNICATION_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_ALPC_COMMUNICATION_INFORMATION); goto Exit; } status = KphpAlpcCommunicationInfo(dyn, port, &info); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpAlpcCommunicationInfo failed: %!STATUS!", status); goto Exit; } status = KphCopyToMode(AlpcInformation, &info, sizeof(KPH_ALPC_COMMUNICATION_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_ALPC_COMMUNICATION_INFORMATION); } break; } case KphAlpcCommunicationNamesInformation: { ULONG allocatedSize; PKPH_ALPC_COMMUNICATION_NAMES_INFORMATION info; dyn = KphReferenceDynData(); if (!dyn) { status = STATUS_NOINTERFACE; goto Exit; } allocatedSize = AlpcInformationLength; if (allocatedSize < sizeof(KPH_ALPC_COMMUNICATION_NAMES_INFORMATION)) { allocatedSize = sizeof(KPH_ALPC_COMMUNICATION_NAMES_INFORMATION); } buffer = KphAllocatePagedA(allocatedSize, KPH_TAG_ALPC_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } info = buffer; status = KphpAlpcCommunicationNamesInfo(dyn, port, info, AlpcInformationLength, &returnLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpAlpcCommunicationNamesInfo failed: %!STATUS!", status); goto Exit; } if (!AlpcInformation) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } RebaseUnicodeString(&info->ConnectionPort, buffer, AlpcInformation); RebaseUnicodeString(&info->ServerCommunicationPort, buffer, AlpcInformation); RebaseUnicodeString(&info->ClientCommunicationPort, buffer, AlpcInformation); status = KphCopyToMode(AlpcInformation, info, returnLength, AccessMode); break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (buffer) { KphFreeA(buffer, KPH_TAG_ALPC_QUERY, stackBuffer); } if (port) { ObDereferenceObject(port); } if (process) { ObDereferenceObject(process); } if (dyn) { KphDereferenceObject(dyn); } if (ReturnLength) { KphWriteULongToMode(ReturnLength, returnLength, AccessMode); } return status; } ================================================ FILE: KSystemInformer/back_trace.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include #include typedef struct _KPH_STACK_BACK_TRACE_OBJECT { KSI_KAPC Apc; KEVENT CompletedEvent; ULONG FramesToSkip; ULONG FramesToCapture; ULONG CapturedFrames; ULONG BackTraceHash; ULONG Flags; BOOLEAN DoHash; PKPH_THREAD_CONTEXT Thread; PVOID BackTrace[ANYSIZE_ARRAY]; } KPH_STACK_BACK_TRACE_OBJECT, *PKPH_STACK_BACK_TRACE_OBJECT; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpStackBackTraceTypeName = RTL_CONSTANT_STRING(L"KphStackBackTrace"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PVOID KphpSelfImageBase = NULL; static PVOID KphpSelfImageEnd = NULL; static PVOID KphpKsiImageBase = NULL; static PVOID KphpKsiImageEnd = NULL; static PKPH_OBJECT_TYPE KphpStackBackTraceType = NULL; KPH_PROTECTED_DATA_SECTION_POP(); // // Sentinel value inserted into the stack back trace when part of the stack // couldn't be captured for some reason. // #define KPH_STACK_SENTINEL_FRAME ((PVOID)(ULONG_PTR)0xbad) /** * \brief Tries to add a sentinel frame to the stack back trace. * * \param[in] FramesToCapture The number of frames to capture. * \param[out] BackTrace Buffer to store the back trace in. * \param[in,out] Frames On input, the number of frames captured so far. If a * sentinel frame is added, this is incremented. * \param[in] Flags A combination of KPH_STACK_BACK_TRACE_* flags. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpTryAddSentinelFrame( _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Inout_ PULONG Frames, _In_ ULONG Flags ) { KPH_NPAGED_CODE_DISPATCH_MAX(); if (FlagOn(Flags, KPH_STACK_BACK_TRACE_NO_SENTINEL)) { return; } if (*Frames < FramesToCapture) { BackTrace[*Frames] = KPH_STACK_SENTINEL_FRAME; (*Frames)++; } } /** * \brief Captures a stack back trace. * * \param[in] FramesToSkip The number of kernel frames to skip. * \param[in] FramesToCapture The number of frames to capture. * \param[out] BackTrace Buffer to store the back trace in. * \param[out] BackTraceHash Optionally receives a hash of the back trace. * \param[in] Flags A combination of KPH_STACK_BACK_TRACE_* flags. * \param[in] Thread Optional thread context of the target thread, used for * internal tracking to prevent accidental recursion. * * \return The number of captured frames. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Success_(return != 0) ULONG KphpCaptureStackBackTrace( _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags, _In_opt_ PKPH_THREAD_CONTEXT Thread ) { ULONG frames; ULONG skip; KPH_NPAGED_CODE_DISPATCH_MAX(); FramesToSkip += 1; skip = (FramesToSkip << RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT); frames = RtlWalkFrameChain(BackTrace, FramesToCapture, skip); if (frames <= FramesToSkip) { frames = 0; goto ContinueCapture; } frames -= FramesToSkip; if (FlagOn(Flags, KPH_STACK_BACK_TRACE_SKIP_KPH)) { for (skip = 0; skip < frames; skip++) { if (((BackTrace[skip] < KphpSelfImageBase) || (BackTrace[skip] >= KphpSelfImageEnd)) && ((BackTrace[skip] < KphpKsiImageBase) || (BackTrace[skip] >= KphpKsiImageEnd))) { break; } } if (frames <= skip) { frames = 0; goto ContinueCapture; } frames -= skip; RtlMoveMemory(BackTrace, &BackTrace[skip], frames * sizeof(PVOID)); } ContinueCapture: if (!FlagOn(Flags, KPH_STACK_BACK_TRACE_USER_MODE) || (KeGetCurrentIrql() == DISPATCH_LEVEL)) { goto Exit; } if (!Thread) { KphpTryAddSentinelFrame(FramesToCapture, BackTrace, &frames, Flags); goto Exit; } NT_ASSERT(Thread->EThread == PsGetCurrentThread()); // // N.B. This path can become accidentally recursive if the user mode stack // needs to be paged in and another kernel callback lands here again. In // that case skip the capture. // if (Thread->CapturingUserModeStack) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Skipping user mode stack capture for " "thread %lu in process %wZ (%lu)", HandleToULong(Thread->ClientId.UniqueThread), KphGetThreadImageName(Thread), HandleToULong(Thread->ClientId.UniqueProcess)); KphpTryAddSentinelFrame(FramesToCapture, BackTrace, &frames, Flags); goto Exit; } Thread->CapturingUserModeStack = TRUE; __try { frames += RtlWalkFrameChain(&BackTrace[frames], FramesToCapture - frames, RTL_WALK_USER_MODE_STACK); } __except (EXCEPTION_EXECUTE_HANDLER) { KphpTryAddSentinelFrame(FramesToCapture, BackTrace, &frames, Flags); } Thread->CapturingUserModeStack = FALSE; Exit: NT_ASSERT(frames <= FramesToCapture); if (BackTraceHash) { *BackTraceHash = 0; for (ULONG i = 0; i < frames; i++) { #pragma prefast(suppress: 6385) *BackTraceHash += PtrToUlong(BackTrace[i]); } } return frames; } /** * \brief Captures a stack back trace. * * \param[in] FramesToSkip The number of kernel frames to skip. * \param[in] FramesToCapture The number of frames to capture. * \param[out] BackTrace Buffer to store the back trace in. * \param[out] BackTraceHash Optionally receives a hash of the back trace. * \param[in] Flags A combination of KPH_STACK_BACK_TRACE_* flags. * * \return The number of captured frames. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Success_(return != 0) ULONG KphCaptureStackBackTrace( _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags ) { ULONG frames; PKPH_THREAD_CONTEXT thread; KPH_NPAGED_CODE_DISPATCH_MAX(); if (FlagOn(Flags, KPH_STACK_BACK_TRACE_USER_MODE) && (KeGetCurrentIrql() < DISPATCH_LEVEL)) { thread = KphGetCurrentThreadContext(); } else { thread = NULL; } frames = KphpCaptureStackBackTrace(FramesToSkip, FramesToCapture, BackTrace, BackTraceHash, Flags, thread); if (thread) { KphDereferenceObject(thread); } return frames; } KPH_PAGED_FILE(); /** * \brief Captures the current stack back trace into a back trace object. * * \param[in,out] BackTrace The back trace object to populate. */ _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KphpCaptureStackBackTraceIntoObject( _Inout_ PKPH_STACK_BACK_TRACE_OBJECT BackTrace ) { PULONG backTraceHash; ULONG capturedFrames; KPH_PAGED_CODE_APC(); if (BackTrace->DoHash) { backTraceHash = &BackTrace->BackTraceHash; } else { backTraceHash = NULL; } capturedFrames = KphpCaptureStackBackTrace(BackTrace->FramesToSkip, BackTrace->FramesToCapture, BackTrace->BackTrace, backTraceHash, BackTrace->Flags, BackTrace->Thread); BackTrace->CapturedFrames = capturedFrames; KeSetEvent(&BackTrace->CompletedEvent, EVENT_INCREMENT, FALSE); } /** * \brief APC routine for capturing the stack back trace of a thread. * * \param[in] Apc The ACP executed, contained within the back trace object. * \param[in] NormalRoutine Unused. * \param[in] NormalContext Unused. * \param[in] SystemArgument1 Unused. * \param[in] SystemArgument2 Unused. */ _Function_class_(KSI_KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpCaptureStackBackTraceThreadSpecialApc( _In_ PKSI_KAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE *NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID *NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID *SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID *SystemArgument2 ) { PKPH_STACK_BACK_TRACE_OBJECT backTrace; KPH_PAGED_CODE_APC(); UNREFERENCED_PARAMETER(NormalRoutine); UNREFERENCED_PARAMETER(NormalContext); UNREFERENCED_PARAMETER(SystemArgument1); UNREFERENCED_PARAMETER(SystemArgument2); backTrace = CONTAINING_RECORD(Apc, KPH_STACK_BACK_TRACE_OBJECT, Apc); KphpCaptureStackBackTraceIntoObject(backTrace); } /** * \brief APC cleanup routine for stack back trace capture. * * \param[in] Apc The ACP to clean up. * \param[in] Reason Unused. */ _Function_class_(KSI_KCLEANUP_ROUTINE) _IRQL_requires_min_(PASSIVE_LEVEL) _IRQL_requires_max_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpCaptureStackBackTraceThreadSpecialApcCleanup( _In_ PKSI_KAPC Apc, _In_ KSI_KAPC_CLEANUP_REASON Reason ) { PKPH_STACK_BACK_TRACE_OBJECT backTrace; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Apc); DBG_UNREFERENCED_PARAMETER(Reason); backTrace = CONTAINING_RECORD(Apc, KPH_STACK_BACK_TRACE_OBJECT, Apc); KphDereferenceObject(backTrace); } /** * \brief Allocates a stack back trace object. * * \param[in] Size The size to allocate. * * \return Allocated object, null on allocation failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpStackBackTraceAllocate( _In_ SIZE_T Size ) { KPH_PAGED_CODE(); return KphAllocateNPaged(Size, KPH_TAG_BACK_TRACE_OBJECT); } /** * \brief Frees a stack back trace object. * * \param[in] Object The stack back trace object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) VOID KSIAPI KphpStackBackTraceFree( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE(); KphFree(Object, KPH_TAG_BACK_TRACE_OBJECT); } /** * \brief Initializes a stack back trace object. * * \param[in,out] Object The stack back trace object to initialize. * \param[in] Parameter The thread to initialize the back trace object for. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _Must_inspect_result_ NTSTATUS KSIAPI KphpStackBackTraceInitialize( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_STACK_BACK_TRACE_OBJECT backTrace; PETHREAD thread; KPH_PAGED_CODE(); NT_ASSERT(Parameter); backTrace = Object; thread = Parameter; KsiInitializeApc(&backTrace->Apc, KphDriverObject, thread, OriginalApcEnvironment, KphpCaptureStackBackTraceThreadSpecialApc, KphpCaptureStackBackTraceThreadSpecialApcCleanup, NULL, KernelMode, NULL); KeInitializeEvent(&backTrace->CompletedEvent, NotificationEvent, FALSE); backTrace->Thread = KphGetEThreadContext(thread); return STATUS_SUCCESS; } /** * \brief Deletes a stack back trace object. * * \param[in] Object The stack back trace object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) VOID KSIAPI KphpStackBackTraceDelete( _Inout_ PVOID Object ) { PKPH_STACK_BACK_TRACE_OBJECT backTrace; KPH_PAGED_CODE(); backTrace = Object; if (backTrace->Thread) { KphDereferenceObject(backTrace->Thread); } } /** * \brief Captures a stack back trace for a given thread. * * \param[in] Thread The thread to capture the stack back trace of. * \param[in] FramesToSkip The number of kernel frames to skip. * \param[in] FramesToCapture The number of frames to capture. * \param[out] BackTrace Buffer to store the back trace in. * \param[out] CapturedFrames Receives the number of captured frames. * \param[out] BackTraceHash Optionally receives a hash of the back trace. * \param[in] Flags A combination of KPH_STACK_BACK_TRACE_* flags. * \param[in] Timeout Optionally specifies a timeout for the capture operation. * * \return STATUS_SUCCES, STATUS_TIMEOUT, or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphCaptureStackBackTraceThread( _In_ PETHREAD Thread, _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_ PULONG CapturedFrames, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER Timeout ) { NTSTATUS status; ULONG backTraceSize; PKPH_STACK_BACK_TRACE_OBJECT backTrace; KPH_PAGED_CODE(); if (Thread == PsGetCurrentThread()) { *CapturedFrames = KphCaptureStackBackTrace(FramesToSkip, FramesToCapture, BackTrace, BackTraceHash, Flags); return (*CapturedFrames ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL); } NT_ASSERT(KphpStackBackTraceType); *CapturedFrames = 0; if (BackTraceHash) { *BackTraceHash = 0; } backTrace = NULL; status = RtlULongAdd(FramesToCapture, sizeof(KPH_STACK_BACK_TRACE_OBJECT), &backTraceSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "RtlULongAdd failed: %!STATUS!", status); goto Exit; } status = KphCreateObject(KphpStackBackTraceType, backTraceSize, &backTrace, Thread); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCreateObject failed: %!STATUS!", status); backTrace = NULL; goto Exit; } backTrace->FramesToCapture = FramesToCapture; backTrace->FramesToSkip = FramesToSkip; backTrace->Flags = Flags; backTrace->DoHash = (BackTraceHash != NULL); // // The APC could fire immediately we must reference before trying to queue. // KphReferenceObject(backTrace); if (!KsiInsertQueueApc(&backTrace->Apc, NULL, NULL, IO_NO_INCREMENT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KsiInsertQueueApc failed"); KphDereferenceObject(backTrace); status = STATUS_UNSUCCESSFUL; goto Exit; } status = KeWaitForSingleObject(&backTrace->CompletedEvent, Executive, KernelMode, FALSE, Timeout); if (status != STATUS_SUCCESS) { NTSTATUS removeStatus; NT_ASSERT(status == STATUS_TIMEOUT); removeStatus = KsiRemoveQueueApc(&backTrace->Apc); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KsiRemoveQueueApc: %!STATUS!", removeStatus); goto Exit; } NT_ASSERT(backTrace->CapturedFrames <= FramesToCapture); RtlCopyMemory(BackTrace, backTrace->BackTrace, backTrace->CapturedFrames * sizeof(PVOID)); *CapturedFrames = backTrace->CapturedFrames; if (BackTraceHash) { *BackTraceHash = backTrace->BackTraceHash; } Exit: if (backTrace) { KphDereferenceObject(backTrace); } return status; } /** * \brief Initialized stack back trace infrastructure. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeStackBackTrace( VOID ) { NTSTATUS status; KPH_OBJECT_TYPE_INFO typeInfo; SYSTEM_SINGLE_MODULE_INFORMATION info; KPH_PAGED_CODE_PASSIVE(); typeInfo.Allocate = KphpStackBackTraceAllocate; typeInfo.Initialize = KphpStackBackTraceInitialize; typeInfo.Delete = KphpStackBackTraceDelete; typeInfo.Free = KphpStackBackTraceFree; typeInfo.Flags = 0; KphCreateObjectType(&KphpStackBackTraceTypeName, &typeInfo, &KphpStackBackTraceType); RtlZeroMemory(&info, sizeof(SYSTEM_SINGLE_MODULE_INFORMATION)); info.TargetModuleAddress = (PVOID)KphInitializeStackBackTrace; status = ZwQuerySystemInformation(SystemSingleModuleInformation, &info, sizeof(SYSTEM_SINGLE_MODULE_INFORMATION), NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwQuerySystemInformation failed: %!STATUS!", status); return status; } KphpSelfImageBase = info.ExInfo.BaseInfo.ImageBase; KphpSelfImageEnd = Add2Ptr(KphpSelfImageBase, info.ExInfo.BaseInfo.ImageSize); RtlZeroMemory(&info, sizeof(SYSTEM_SINGLE_MODULE_INFORMATION)); info.TargetModuleAddress = (PVOID)KsiInitializeApc; status = ZwQuerySystemInformation(SystemSingleModuleInformation, &info, sizeof(SYSTEM_SINGLE_MODULE_INFORMATION), NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwQuerySystemInformation failed: %!STATUS!", status); return status; } KphpKsiImageBase = info.ExInfo.BaseInfo.ImageBase; KphpKsiImageEnd = Add2Ptr(KphpKsiImageBase, info.ExInfo.BaseInfo.ImageSize); return STATUS_SUCCESS; } ================================================ FILE: KSystemInformer/cid_table.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #define KPH_CID_TABLE_LEVEL_MASK ((ULONG_PTR)3) #define KPH_CID_TABLE_L0 ((ULONG_PTR)0) #define KPH_CID_TABLE_L1 ((ULONG_PTR)1) #define KPH_CID_TABLE_L2 ((ULONG_PTR)2) #define KPH_CID_TABLE_POINTER_MASK ~KPH_CID_TABLE_LEVEL_MASK #define KPH_CID_LIMIT (1 << 24) #define KPH_CID_L0_COUNT (PAGE_SIZE / sizeof(KPH_CID_TABLE_ENTRY)) #define KPH_CID_L1_COUNT (PAGE_SIZE / sizeof(PKPH_CID_TABLE_ENTRY)) #define KPH_CID_L2_COUNT (KPH_CID_LIMIT / (KPH_CID_L0_COUNT * KPH_CID_L1_COUNT)) #define KPH_CID_MAX_L0 KPH_CID_L0_COUNT #define KPH_CID_MAX_L1 (KPH_CID_L1_COUNT * KPH_CID_L0_COUNT) #define KPH_CID_MAX_L2 (KPH_CID_L2_COUNT * KPH_CID_L1_COUNT * KPH_CID_L0_COUNT) #define KPH_CID_MAX KPH_CID_MAX_L2 C_ASSERT(KPH_CID_MAX == KPH_CID_LIMIT); #define KphpCidToId(x) ((ULONG_PTR)x / 4) /** * \brief Assigns an object to the table entry. * * \param[in,out] Entry The entry to assign to. * \param[in] Object Optional object pointer to assign into the table entry. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidAssignObject( _Inout_ PKPH_CID_TABLE_ENTRY Entry, _In_opt_ PVOID Object ) { KPH_NPAGED_CODE_DISPATCH_MAX(); KphAtomicAssignObjectReference(&Entry->ObjectRef, Object); } /** * \brief References the object in the table entry. * * \param[in,out] Entry The entry to reference the object of. * * \return Referenced object pointer, NULL if no object is assigned. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PVOID KphCidReferenceObject( _In_ PKPH_CID_TABLE_ENTRY Entry ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphAtomicReferenceObject(&Entry->ObjectRef); } /** * \brief Allocates a CID table for a given level. * * \param[in] Level The level to allocate for. * * \return Allocated table or null on allocation failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) _When_(Level == KPH_CID_TABLE_L0, _Return_allocatesMem_size_(KPH_CID_L0_COUNT * sizeof(KPH_CID_TABLE_ENTRY))) _When_(Level == KPH_CID_TABLE_L1, _Return_allocatesMem_size_(KPH_CID_L1_COUNT * sizeof(PKPH_CID_TABLE_ENTRY))) _When_(Level == KPH_CID_TABLE_L2, _Return_allocatesMem_size_(KPH_CID_L2_COUNT * sizeof(PKPH_CID_TABLE_ENTRY))) PVOID KphpCidAllocateTable( _In_ ULONG_PTR Level ) { KPH_NPAGED_CODE_DISPATCH_MAX(); switch (Level) { case KPH_CID_TABLE_L0: { return KphAllocateNPaged(KPH_CID_L0_COUNT * sizeof(KPH_CID_TABLE_ENTRY), KPH_TAG_CID_TABLE); } case KPH_CID_TABLE_L1: { return KphAllocateNPaged(KPH_CID_L1_COUNT * sizeof(PKPH_CID_TABLE_ENTRY), KPH_TAG_CID_TABLE); } case KPH_CID_TABLE_L2: { return KphAllocateNPaged(KPH_CID_L2_COUNT * sizeof(PKPH_CID_TABLE_ENTRY), KPH_TAG_CID_TABLE); } default: { NT_ASSERT(FALSE); break; } } return NULL; } /** * \brief Creates and initializes a CID table * * \param[out] Table The table to create an initialize. * * \return Successful or errant status. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ NTSTATUS KphCidTableCreate( _Out_ PKPH_CID_TABLE Table ) { KPH_NPAGED_CODE_DISPATCH_MAX(); Table->Table = (ULONG_PTR)KphpCidAllocateTable(KPH_CID_TABLE_L0); if (!Table->Table) { return STATUS_INSUFFICIENT_RESOURCES; } KeInitializeSpinLock(&Table->Lock); return STATUS_SUCCESS; } /** * \brief Deletes a CID table. * * \param[in] Table The table to delete. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidTableDelete( _In_ PKPH_CID_TABLE Table ) { ULONG_PTR tableCode; PKPH_CID_TABLE_ENTRY tableL0; PKPH_CID_TABLE_ENTRY* tableL1; PKPH_CID_TABLE_ENTRY** tableL2; KPH_NPAGED_CODE_DISPATCH_MAX(); tableCode = ReadULongPtrAcquire(&Table->Table); if (!tableCode) { return; } switch (tableCode & KPH_CID_TABLE_LEVEL_MASK) { case KPH_CID_TABLE_L0: { tableL0 = (PKPH_CID_TABLE_ENTRY)(tableCode & KPH_CID_TABLE_POINTER_MASK); NT_ASSERT(tableL0); KphFree(tableL0, KPH_TAG_CID_TABLE); break; } case KPH_CID_TABLE_L1: { tableL1 = (PKPH_CID_TABLE_ENTRY*)(tableCode & KPH_CID_TABLE_POINTER_MASK); NT_ASSERT(tableL1); for (ULONG i = 0; i < KPH_CID_L1_COUNT; i++) { #pragma prefast(suppress : 6001) // memory is initialized if (tableL1[i]) { KphFree(tableL1[i], KPH_TAG_CID_TABLE); } } KphFree(tableL1, KPH_TAG_CID_TABLE); break; } case KPH_CID_TABLE_L2: { tableL2 = (PKPH_CID_TABLE_ENTRY**)(tableCode & KPH_CID_TABLE_POINTER_MASK); NT_ASSERT(tableL2); for (ULONG i = 0; i < KPH_CID_L2_COUNT; i++) { tableL1 = tableL2[i]; if (!tableL1) { continue; } for (ULONG j = 0; j < KPH_CID_L1_COUNT; j++) { #pragma prefast(suppress : 6001) // memory is initialized if (tableL1[j]) { KphFree(tableL1[j], KPH_TAG_CID_TABLE); } } KphFree(tableL1, KPH_TAG_CID_TABLE); } KphFree(tableL2, KPH_TAG_CID_TABLE); break; } default: { NT_ASSERT(FALSE); break; } } } /** * \brief Looks up an entry in the CID table. * * \param[in] Cid The CID to look up the entry of. * \param[in] Table The table to look up the CID in. * * \return Pointer to the CID table entry, null if the table hasn't been * expanded enough. */ _IRQL_requires_max_(DISPATCH_LEVEL) PKPH_CID_TABLE_ENTRY KphpCidLookupEntry( _In_ HANDLE Cid, _In_ PKPH_CID_TABLE Table ) { ULONG_PTR table; PKPH_CID_TABLE_ENTRY tableL0; PKPH_CID_TABLE_ENTRY* tableL1; PKPH_CID_TABLE_ENTRY** tableL2; ULONG_PTR id; KPH_NPAGED_CODE_DISPATCH_MAX(); id = KphpCidToId(Cid); table = ReadULongPtrAcquire(&Table->Table); switch (table & KPH_CID_TABLE_LEVEL_MASK) { case KPH_CID_TABLE_L0: { if (id >= KPH_CID_MAX_L0) { return NULL; } tableL0 = (PKPH_CID_TABLE_ENTRY)(table & KPH_CID_TABLE_POINTER_MASK); return &tableL0[id]; } case KPH_CID_TABLE_L1: { if (id >= KPH_CID_MAX_L1) { return NULL; } tableL1 = (PKPH_CID_TABLE_ENTRY*)(table & KPH_CID_TABLE_POINTER_MASK); tableL0 = tableL1[id / KPH_CID_MAX_L0]; if (!tableL0) { return NULL; } return &tableL0[id % KPH_CID_MAX_L0]; } case KPH_CID_TABLE_L2: { if (id >= KPH_CID_MAX_L2) { return NULL; } tableL2 = (PKPH_CID_TABLE_ENTRY**)(table & KPH_CID_TABLE_POINTER_MASK); tableL1 = tableL2[id / KPH_CID_MAX_L1]; if (!tableL1) { return NULL; } tableL0 = tableL1[(id % KPH_CID_MAX_L1) / KPH_CID_MAX_L0]; if (!tableL0) { return NULL; } return &tableL0[(id % KPH_CID_MAX_L1) % KPH_CID_MAX_L0]; } default: { NT_ASSERT(FALSE); return NULL; } } } /** * \brief Expands a CID table making it capable of holding an entry for a CID. * * \param[in] Cid The CID for which the table should be expanded for. * \param[in,out] Table The table that should be expanded to hold the CID. * * \return Pointer to the table entry for the CID, null on allocation failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) PKPH_CID_TABLE_ENTRY KphpCidExpandTableFor( _In_ HANDLE Cid, _Inout_ PKPH_CID_TABLE Table ) { PKPH_CID_TABLE_ENTRY entry; ULONG_PTR table; ULONG_PTR level; PKPH_CID_TABLE_ENTRY tableL0; PKPH_CID_TABLE_ENTRY* tableL1; PKPH_CID_TABLE_ENTRY** tableL2; ULONG_PTR id; KIRQL oldIrql; KPH_NPAGED_CODE_DISPATCH_MAX(); id = KphpCidToId(Cid); if (id >= KPH_CID_MAX) { // // We can't, as of now, service CIDs over the maximum. It is extremely // unlikely we'll ever get here. The system is likely to run out of // memory before this happens. It also should be impossible given the // limit enforced by handle tables for PspCidTable. Unless Microsoft // changes it, the limit is 1 << 24. // NT_ASSERT(FALSE); return NULL; } KeAcquireSpinLock(&Table->Lock, &oldIrql); // // See if another thread beat us. // entry = KphpCidLookupEntry(Cid, Table); if (entry) { // // Rock and roll! // goto Exit; } // // We are the chosen one. Go expand the tree. // table = ReadULongPtrAcquire(&Table->Table); level = (table & KPH_CID_TABLE_LEVEL_MASK); if (level == KPH_CID_TABLE_L0) { // // If we're here then we *must* be migrating to level 1. // NT_ASSERT(id >= KPH_CID_MAX_L0); tableL1 = KphpCidAllocateTable(KPH_CID_TABLE_L1); if (!tableL1) { entry = NULL; goto Exit; } tableL1[0] = (PKPH_CID_TABLE_ENTRY)(table & KPH_CID_TABLE_POINTER_MASK); table = ((ULONG_PTR)tableL1 | KPH_CID_TABLE_L1); level = KPH_CID_TABLE_L1; InterlockedExchangePointer((PVOID*)&Table->Table, (PVOID)table); // // Fall through for level 1 expansion. // } if (level == KPH_CID_TABLE_L1) { if (id < KPH_CID_MAX_L1) { // // Allocate a new block in the level 1 table. // tableL1 = (PKPH_CID_TABLE_ENTRY*)(table & KPH_CID_TABLE_POINTER_MASK); NT_ASSERT(!tableL1[id / KPH_CID_MAX_L0]); tableL1[id / KPH_CID_MAX_L0] = KphpCidAllocateTable(KPH_CID_TABLE_L0); tableL0 = tableL1[id / KPH_CID_MAX_L0]; if (!tableL0) { entry = NULL; goto Exit; } entry = &tableL0[id % KPH_CID_MAX_L0]; goto Exit; } // // We have to migrate to a level 2 table. // tableL2 = KphpCidAllocateTable(KPH_CID_TABLE_L2); if (!tableL2) { entry = NULL; goto Exit; } tableL2[0] = (PKPH_CID_TABLE_ENTRY*)(table & KPH_CID_TABLE_POINTER_MASK); table = ((ULONG_PTR)tableL2 | KPH_CID_TABLE_L2); level = KPH_CID_TABLE_L2; InterlockedExchangePointer((PVOID*)&Table->Table, (PVOID)table); // // Fall through for level 2 expansion // } NT_ASSERT(level == KPH_CID_TABLE_L2); NT_ASSERT(id < KPH_CID_MAX_L2); // // Allocate new block(s) in the level 2 table. // tableL2 = (PKPH_CID_TABLE_ENTRY**)(table & KPH_CID_TABLE_POINTER_MASK); tableL1 = tableL2[id / KPH_CID_MAX_L1]; if (!tableL1) { tableL2[id / KPH_CID_MAX_L1] = KphpCidAllocateTable(KPH_CID_TABLE_L1); tableL1 = tableL2[id / KPH_CID_MAX_L1]; if (!tableL1) { entry = NULL; goto Exit; } } NT_ASSERT(!tableL1[(id % KPH_CID_MAX_L1) / KPH_CID_MAX_L0]); tableL1[(id % KPH_CID_MAX_L1) / KPH_CID_MAX_L0] = KphpCidAllocateTable(KPH_CID_TABLE_L0); tableL0 = tableL1[(id % KPH_CID_MAX_L1) / KPH_CID_MAX_L0]; if (!tableL0) { entry = NULL; goto Exit; } entry = &tableL0[(id % KPH_CID_MAX_L1) % KPH_CID_MAX_L0]; Exit: KeReleaseSpinLock(&Table->Lock, oldIrql); return entry; } /** * \brief Retrieves the table entry for a given CID. * * \param[in] Cid The CID to retrieve the entry for. * \param[in,out] Table The table to retrieve the entry from. * * \return Pointer to the table entry for the CID, null on allocation failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_CID_TABLE_ENTRY KphCidGetEntry( _In_ HANDLE Cid, _Inout_ PKPH_CID_TABLE Table ) { PKPH_CID_TABLE_ENTRY entry; KPH_NPAGED_CODE_DISPATCH_MAX(); entry = KphpCidLookupEntry(Cid, Table); if (entry) { return entry; } return KphpCidExpandTableFor(Cid, Table); } /** * \brief Handles invoking the callback during enumeration. * * \param[in] Entry The CID table entry to invoke the callback for. * \param[in] Callback The object callback to invoke. * \param[in] Rundown The rundown callback to invoke. * \param[in] Parameter Optional parameter passed to the callback. * * \return TRUE if enumeration should stop, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ BOOLEAN KphpCidEnumerateInvokeCallback( _In_ PKPH_CID_TABLE_ENTRY Entry, _When_(!Rundown, _In_) _When_(Rundown, _Pre_null_) PKPH_CID_ENUMERATE_CALLBACK Callback, _When_(!Callback, _In_) _When_(Callback, _Pre_null_) PKPH_CID_RUNDOWN_CALLBACK Rundown, _In_opt_ PVOID Parameter ) { PVOID object; BOOLEAN res; KPH_NPAGED_CODE_DISPATCH_MAX(); res = FALSE; if (Callback) { object = KphAtomicReferenceObject(&Entry->ObjectRef); if (object) { res = Callback(object, Parameter); KphDereferenceObject(object); } } else { NT_ASSERT(Rundown); object = KphAtomicMoveObjectReference(&Entry->ObjectRef, NULL); if (object) { Rundown(object, Parameter); KphDereferenceObject(object); } } return res; } /** * \brief Enumerates a CID table. * * \param[in] Table The table to enumerate. * \param[in] Callback The object callback to invoke. * \param[in] Rundown The rundown callback to invoke. * \param[in] Parameter Optional parameter passed to the callback. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpCidEnumerate( _In_ PKPH_CID_TABLE Table, _When_(!Rundown, _In_) _When_(Rundown, _Pre_null_) PKPH_CID_ENUMERATE_CALLBACK Callback, _When_(!Callback, _In_) _When_(Callback, _Pre_null_) PKPH_CID_RUNDOWN_CALLBACK Rundown, _In_opt_ PVOID Parameter ) { ULONG_PTR table; BOOLEAN leaveCriticalRegion; PKPH_CID_TABLE_ENTRY tableL0; PKPH_CID_TABLE_ENTRY* tableL1; PKPH_CID_TABLE_ENTRY** tableL2; KPH_NPAGED_CODE_DISPATCH_MAX(); table = ReadULongPtrAcquire(&Table->Table); if (!table) { return; } if (KeGetCurrentIrql() <= APC_LEVEL) { KeEnterCriticalRegion(); leaveCriticalRegion = TRUE; } else { leaveCriticalRegion = FALSE; } switch (table & KPH_CID_TABLE_LEVEL_MASK) { case KPH_CID_TABLE_L0: { tableL0 = (PKPH_CID_TABLE_ENTRY)(table & KPH_CID_TABLE_POINTER_MASK); NT_ASSERT(tableL0); for (ULONG i = 0; i < KPH_CID_L0_COUNT; i++) { if (KphpCidEnumerateInvokeCallback(&tableL0[i], Callback, Rundown, Parameter)) { goto Exit; } } break; } case KPH_CID_TABLE_L1: { tableL1 = (PKPH_CID_TABLE_ENTRY*)(table & KPH_CID_TABLE_POINTER_MASK); NT_ASSERT(tableL1); for (ULONG i = 0; i < KPH_CID_L1_COUNT; i++) { tableL0 = tableL1[i]; if (!tableL0) { continue; } for (ULONG j = 0; j < KPH_CID_L0_COUNT; j++) { if (KphpCidEnumerateInvokeCallback(&tableL0[j], Callback, Rundown, Parameter)) { goto Exit; } } } break; } case KPH_CID_TABLE_L2: { tableL2 = (PKPH_CID_TABLE_ENTRY**)(table & KPH_CID_TABLE_POINTER_MASK); NT_ASSERT(tableL2); for (ULONG i = 0; i < KPH_CID_L2_COUNT; i++) { tableL1 = tableL2[i]; if (!tableL1) { continue; } for (ULONG j = 0; j < KPH_CID_L1_COUNT; j++) { tableL0 = tableL1[j]; if (!tableL0) { continue; } for (ULONG k = 0; k < KPH_CID_L0_COUNT; k++) { if (KphpCidEnumerateInvokeCallback(&tableL0[k], Callback, Rundown, Parameter)) { goto Exit; } } } } break; } default: { NT_ASSERT(FALSE); break; } } Exit: if (leaveCriticalRegion) { KeLeaveCriticalRegion(); } } /** * \brief Enumerates objects in a CID table. * * \param[in] Table The table to enumerate. * \param[in] Callback The object callback to invoke. The callback should * return TRUE to stop enumerating and return FALSE to continue. * \param[in] Parameter Optional parameter passed to the callback. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidEnumerate( _In_ PKPH_CID_TABLE Table, _In_ PKPH_CID_ENUMERATE_CALLBACK Callback, _In_opt_ PVOID Parameter ) { KPH_NPAGED_CODE_DISPATCH_MAX(); KphpCidEnumerate(Table, Callback, NULL, Parameter); } /** * \brief Enumerates CID entries a CID table for rundown. * * \details This routine removes all items from the table. After the callback * returns all object references in the table is dereferenced and removed from * the table. * * \param[in] Table The table to enumerate. * \param[in] Callback The rundown callback to invoke. * \param[in] Parameter Optional parameter passed to the callback. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidRundown( _In_ PKPH_CID_TABLE Table, _In_ PKPH_CID_RUNDOWN_CALLBACK Callback, _In_opt_ PVOID Parameter ) { KPH_NPAGED_CODE_DISPATCH_MAX(); KphpCidEnumerate(Table, NULL, Callback, Parameter); } ================================================ FILE: KSystemInformer/cid_tracking.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include typedef struct _KPH_CID_APC { KSI_KAPC Apc; KEVENT CompletedEvent; PKPH_THREAD_CONTEXT Thread; } KPH_CID_APC, *PKPH_CID_APC; KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpCidApcType = NULL; PKPH_OBJECT_TYPE KphProcessContextType = NULL; PKPH_OBJECT_TYPE KphThreadContextType = NULL; static PKPH_NPAGED_LOOKASIDE_OBJECT KphpCidApcLookaside = NULL; static PKPH_NPAGED_LOOKASIDE_OBJECT KphpProcessContextLookaside = NULL; static PKPH_NPAGED_LOOKASIDE_OBJECT KphpThreadContextLookaside = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpCidApcTypeName = RTL_CONSTANT_STRING(L"KphCidApc"); static const UNICODE_STRING KphpProcessContextTypeName = RTL_CONSTANT_STRING(L"KphProcessContext"); static const UNICODE_STRING KphpThreadContextTypeName = RTL_CONSTANT_STRING(L"KphThreadContext"); static const LARGE_INTEGER KphpCidApcTimeout = KPH_TIMEOUT(3 * 1000); KPH_PROTECTED_DATA_SECTION_RO_POP(); static BOOLEAN KphpCidTrackingInitialized = FALSE; static KPH_CID_TABLE KphpCidTable; static LONG KphpCidPopulated = 0; static KEVENT KphpCidPopulatedEvent; static PKPH_PROCESS_CONTEXT KphpSystemProcessContext = NULL; static ULONG64 KphpProcessSequence = 0; /** * \brief Looks up a context object in the CID tracking. * * \param[in] Cid The CID of the object to look up. * \param[in] ObjectType The expected object type if the CID. * * \return Pointer to the context object, null if not found or the object is * not of the expected type. The caller *must* dereference the object when * they are through with it. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PVOID KphpLookupContext( _In_ HANDLE Cid, _In_ PKPH_OBJECT_TYPE ObjectType ) { PVOID object; PKPH_CID_TABLE_ENTRY entry; KPH_NPAGED_CODE_DISPATCH_MAX(); entry = KphCidGetEntry(Cid, &KphpCidTable); if (!entry) { return NULL; } object = KphCidReferenceObject(entry); if (object && (KphGetObjectType(object) != ObjectType)) { KphDereferenceObject(object); object = NULL; } return object; } /** * \brief Retrieves the system process context. * * \return Pointer to the system process context, null if not found. The caller * *must* dereference the object when they are through with it. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphGetSystemProcessContext( VOID ) { KPH_NPAGED_CODE_DISPATCH_MAX(); if (KphpSystemProcessContext) { KphReferenceObject(KphpSystemProcessContext); } return KphpSystemProcessContext; } /** * \brief Retrieves a process context. * * \param[in] ProcessId The process ID of the process to get the context for. * * \return Pointer to the process context, null if not found. The caller * *must* dereference the object when they are through with it. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphGetProcessContext( _In_ HANDLE ProcessId ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphpLookupContext(ProcessId, KphProcessContextType); } /** * \brief Retrieves a process context by process object. * * \param[in] Process The process object of the process to get the context for. * * \return Pointer to the process context, null if not found. The caller * *must* dereference the object when they are through with it. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphGetEProcessContext( _In_ PEPROCESS Process ) { KPH_NPAGED_CODE_DISPATCH_MAX(); if (Process == PsInitialSystemProcess) { return KphGetSystemProcessContext(); } return KphGetProcessContext(PsGetProcessId(Process)); } /** * \brief Retrieves a thread context. * * \param[in] ThreadId The thread ID of the thread to get the context for. * * \return Pointer to the thread context, null if not found. The caller * *must* dereference the object when they are through with it. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_THREAD_CONTEXT KphGetThreadContext( _In_ HANDLE ThreadId ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphpLookupContext(ThreadId, KphThreadContextType); } KPH_PAGED_FILE(); /** * \brief Marks the CID tracking populated, which unblocks public tracking APIs. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCidMarkPopulated( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (!KphpCidTrackingInitialized) { return; } WriteRelease(&KphpCidPopulated, 1); KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Marked CID tracking populated, unblocking routines."); KeSetEvent(&KphpCidPopulatedEvent, EVENT_INCREMENT, FALSE); } /** * \brief Waits for the CID tracking to be marked as populated. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpCidWaitForPopulate( VOID ) { KPH_PAGED_CODE(); if (ReadAcquire(&KphpCidPopulated)) { return; } KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Waiting for CID tracking population..."); KeWaitForSingleObject(&KphpCidPopulatedEvent, Executive, KernelMode, FALSE, NULL); } /** * \brief Allocates a CID APC object. * * \return Pointer to CID APC object, null on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateCidApc( _In_ SIZE_T Size ) { PVOID object; KPH_PAGED_CODE(); NT_ASSERT(KphpCidApcLookaside); NT_ASSERT(Size <= KphpCidApcLookaside->L.Size); DBG_UNREFERENCED_PARAMETER(Size); object = KphAllocateFromNPagedLookasideObject(KphpCidApcLookaside); if (object) { KphReferenceObject(KphpCidApcLookaside); } return object; } /** * \brief Initializes a CID APC object. * * \param[in] Object The CID APC object to initialize. * \param[in] Parameter Unused. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeCidApc( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_CID_APC apc; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Parameter); apc = Object; KeInitializeEvent(&apc->CompletedEvent, NotificationEvent, FALSE); return STATUS_SUCCESS; } /** * \brief Deletes a CID APC object. * * \param[in] Object The CID APC object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) VOID KSIAPI KphpDeleteCidApc( _Inout_ PVOID Object ) { PKPH_CID_APC apc; KPH_PAGED_CODE(); apc = Object; if (apc->Thread) { KphDereferenceObject(apc->Thread); } } /** * \brief Frees a CID APC object. * * \param[in] Object The CID APC object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) VOID KSIAPI KphpFreeCidApc( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE(); NT_ASSERT(KphpCidApcLookaside); KphFreeToNPagedLookasideObject(KphpCidApcLookaside, Object); KphDereferenceObject(KphpCidApcLookaside); } /** * \brief APC cleanup routine for APC APCs. * * \param[in] Apc The ACP to clean up. * \param[in] Reason Unused. */ _Function_class_(KSI_KCLEANUP_ROUTINE) _IRQL_requires_min_(PASSIVE_LEVEL) _IRQL_requires_max_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpCidApcCleanup( _In_ PKSI_KAPC Apc, _In_ KSI_KAPC_CLEANUP_REASON Reason ) { PKPH_CID_APC apc; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Apc); DBG_UNREFERENCED_PARAMETER(Reason); apc = CONTAINING_RECORD(Apc, KPH_CID_APC, Apc); KphDereferenceObject(apc); } /** * \brief Allocates a process context object. * * \param[in] Size The size requested from the object infrastructure. * * \return Allocated process context object, null on allocation failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateProcessContext( _In_ SIZE_T Size ) { PVOID object; KPH_PAGED_CODE_PASSIVE(); DBG_UNREFERENCED_PARAMETER(Size); NT_ASSERT(KphpProcessContextLookaside); NT_ASSERT(Size <= KphpProcessContextLookaside->L.Size); object = KphAllocateFromNPagedLookasideObject(KphpProcessContextLookaside); if (object) { KphReferenceObject(KphpProcessContextLookaside); } return object; } /** * \brief Initializes a process context. * * \param[in] Object The process context object to initialize. * \param[in] Parameter The kernel process object associated with this context. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeProcessContext( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_PROCESS_CONTEXT process; PEPROCESS processObject; HANDLE processHandle; PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; KPH_PAGED_CODE_PASSIVE(); process = Object; processObject = Parameter; process->SequenceNumber = InterlockedIncrementU64(&KphpProcessSequence); status = ObOpenObjectByPointer(processObject, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, *PsProcessType, KernelMode, &processHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ObOpenObjectByPointer failed: %!STATUS!", status); processHandle = NULL; goto Exit; } status = ZwQueryInformationProcess(processHandle, ProcessSubsystemInformation, &process->SubsystemType, sizeof(SUBSYSTEM_INFORMATION_TYPE), NULL); if (status == STATUS_INVALID_INFO_CLASS) { process->SubsystemType = SubsystemInformationTypeWin32; } else if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ProcessSubsystemInformation failed: %!STATUS!", status); goto Exit; } basicInfo.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION); status = ZwQueryInformationProcess(processHandle, ProcessBasicInformation, &basicInfo, sizeof(PROCESS_EXTENDED_BASIC_INFORMATION), NULL); if (status == STATUS_INVALID_INFO_CLASS) { process->IsSubsystemProcess = FALSE; } else if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ProcessBasicInformation failed: %!STATUS!", status); goto Exit; } else { process->IsSubsystemProcess = basicInfo.IsSubsystemProcess; } process->EProcess = processObject; ObReferenceObject(process->EProcess); process->ProcessId = PsGetProcessId(process->EProcess); if (KphDynPsGetProcessStartKey) { process->ProcessStartKey = KphDynPsGetProcessStartKey(processObject); } else { PROCESS_TELEMETRY_ID_INFORMATION telemetryIdInfo; telemetryIdInfo.HeaderSize = 0; status = ZwQueryInformationProcess(processHandle, ProcessTelemetryIdInformation, &telemetryIdInfo, sizeof(PROCESS_TELEMETRY_ID_INFORMATION), NULL); if ((status == STATUS_BUFFER_OVERFLOW) && RTL_CONTAINS_FIELD(&telemetryIdInfo, telemetryIdInfo.HeaderSize, ProcessStartKey)) { status = STATUS_SUCCESS; } if (NT_SUCCESS(status)) { process->ProcessStartKey = telemetryIdInfo.ProcessStartKey; } else { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ProcessTelemetryIdInformation failed: %!STATUS!", status); NT_ASSERT(process->ProcessStartKey == 0); } } #ifdef _WIN64 if (PsGetProcessWow64Process(process->EProcess)) { process->IsWow64 = TRUE; } else #endif { process->IsWow64 = FALSE; } KphInitializeRWLock(&process->ThreadListLock); InitializeListHead(&process->ThreadListHead); KphInitializeRWLock(&process->ProtectionLock); status = PsReferenceProcessFilePointer(process->EProcess, &process->FileObject); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "PsReferenceProcessFilePointer failed: %!STATUS!", status); process->FileObject = NULL; } if (process->FileObject) { ULONG returnLength; status = KphQueryNameFileObject(process->FileObject, NULL, 0, &returnLength); if (status == STATUS_BUFFER_TOO_SMALL) { POBJECT_NAME_INFORMATION nameInfo; nameInfo = KphAllocateNPaged(returnLength, KPH_TAG_PROCESS_IMAGE_FILE_NAME); if (nameInfo) { status = KphQueryNameFileObject(process->FileObject, nameInfo, returnLength, &returnLength); if (NT_SUCCESS(status)) { C_ASSERT(FIELD_OFFSET(OBJECT_NAME_INFORMATION, Name) == 0); process->ImageFileName = (PUNICODE_STRING)nameInfo; } else { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphQueryNameFileObject failed: %!STATUS!", status); KphFree(nameInfo, KPH_TAG_PROCESS_IMAGE_FILE_NAME); } } else { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to allocate process image file name."); } } } if (!process->ImageFileName) { status = SeLocateProcessImageName(process->EProcess, &process->ImageFileName); if (NT_SUCCESS(status)) { process->SystemAllocatedImageFileName = TRUE; } else { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "SeLocateProcessImageName failed: %!STATUS!", status); process->ImageFileName = NULL; } } if (process->ImageFileName) { status = KphGetFileNameFinalComponent(process->ImageFileName, &process->ImageName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphGetFileNameFinalComponent failed: %!STATUS!", status); NT_ASSERT(process->ImageName.Length == 0); } } if (process->ImageName.Length == 0) { status = KphGetProcessImageName(process->EProcess, &process->ImageName); if (NT_SUCCESS(status)) { process->AllocatedImageName = TRUE; } else { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphGetProcessImageName failed: %!STATUS!", status); NT_ASSERT(process->ImageName.Length == 0); } } if (process->EProcess == PsInitialSystemProcess) { NT_ASSERT(!KphpSystemProcessContext); KphReferenceObject(process); KphpSystemProcessContext = process; } KphValidateLsass(process->EProcess); status = STATUS_SUCCESS; Exit: if (processHandle) { ObCloseHandle(processHandle, KernelMode); } return status; } /** * \brief Deletes a process context. * * \param[in] Object The process context object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpDeleteProcessContext( _Inout_ PVOID Object ) { PKPH_PROCESS_CONTEXT process; KPH_PAGED_CODE_PASSIVE(); process = Object; KphAtomicAssignObjectReference(&process->InformerState.Atomic, NULL); KphAtomicAssignObjectReference(&process->SessionToken.Atomic, NULL); if (process->Protected) { KphStopProtectingProcess(process); } if (process->ImageFileName) { if (process->SystemAllocatedImageFileName) { KphFreePool(process->ImageFileName); } else { KphFree(process->ImageFileName, KPH_TAG_PROCESS_IMAGE_FILE_NAME); } } if (process->AllocatedImageName) { KphFreeProcessImageName(&process->ImageName); } if (process->FileObject) { ObDereferenceObject(process->FileObject); } KphDeleteRWLock(&process->ProtectionLock); NT_ASSERT(IsListEmpty(&process->ThreadListHead)); NT_ASSERT(process->NumberOfThreads == 0); KphDeleteRWLock(&process->ThreadListLock); KphInvalidateLsass(process->EProcess); NT_ASSERT(process->EProcess); ObDereferenceObject(process->EProcess); } /** * \brief Frees a process context object. * * \param[in] Object The process context object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpFreeProcessContext( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphpProcessContextLookaside); KphFreeToNPagedLookasideObject(KphpProcessContextLookaside, Object); KphDereferenceObject(KphpProcessContextLookaside); } /** * \brief Allocates a thread context object. * * \param[in] Size The size requested from the object infrastructure. * * \return Allocated thread context object, null on allocation failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateThreadContext( _In_ SIZE_T Size ) { PVOID object; KPH_PAGED_CODE(); DBG_UNREFERENCED_PARAMETER(Size); NT_ASSERT(KphpThreadContextLookaside); NT_ASSERT(Size <= KphpThreadContextLookaside->L.Size); object = KphAllocateFromNPagedLookasideObject(KphpThreadContextLookaside); if (object) { KphReferenceObject(KphpThreadContextLookaside); } return object; } /** * \brief Performs thread context initialization for a WSL thread. * * \param[in] Dyn Dynamic configuration. * \param[in] ThreadContext The thread context to initialize. */ _IRQL_requires_(APC_LEVEL) VOID KphpInitializeWSLThreadContext( _In_ PKPH_DYN Dyn, _In_ PKPH_THREAD_CONTEXT ThreadContext ) { PVOID picoContext; PVOID value; KPH_PAGED_CODE_APC(); // // We use an APC here to reach into the thread pico context. We could // reach directly into the pico context elsewhere, but reversing shows // intent for possible other pico subsystem providers in the future. // So, we use some "undocumented" APIs in the APC to ask "nicely" for // the correct pico context. // if ((ThreadContext->SubsystemType != SubsystemInformationTypeWSL) || !KphDynLxpThreadGetCurrent || (Dyn->LxPicoThrdInfo == ULONG_MAX) || (Dyn->LxPicoThrdInfoTID == ULONG_MAX) || (Dyn->LxPicoProc == ULONG_MAX) || (Dyn->LxPicoProcInfo == ULONG_MAX) || (Dyn->LxPicoProcInfoPID == ULONG_MAX)) { return; } if (!KphDynLxpThreadGetCurrent(&picoContext)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "LxpThreadGetCurrent failed"); return; } if (!ThreadContext->WSL.ValidThreadId) { value = *(PVOID*)Add2Ptr(picoContext, Dyn->LxPicoThrdInfo); ThreadContext->WSL.ThreadId = *(PULONG)Add2Ptr(value, Dyn->LxPicoThrdInfoTID); ThreadContext->WSL.ValidThreadId = TRUE; } if (ThreadContext->ProcessContext && !ThreadContext->ProcessContext->WSL.ValidProcessId) { value = *(PVOID*)Add2Ptr(picoContext, Dyn->LxPicoProc); value = *(PVOID*)Add2Ptr(value, Dyn->LxPicoProcInfo); ThreadContext->ProcessContext->WSL.ProcessId = *(PULONG)Add2Ptr(value, Dyn->LxPicoProcInfoPID); ThreadContext->ProcessContext->WSL.ValidProcessId = TRUE; } } /** * \brief APC routine for thread tracking. * * \param[in] Apc The ACP executed, contained within the CID APC. * \param[in] NormalRoutine Unused. * \param[in] NormalContext Unused. * \param[in] SystemArgument1 Unused. * \param[in] SystemArgument2 Unused. */ _Function_class_(KSI_KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpInitializeThreadContextSpecialApc( _In_ PKSI_KAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ) { PKPH_CID_APC apc; PKPH_DYN dyn; PTEB teb; KPH_PAGED_CODE_APC(); UNREFERENCED_PARAMETER(NormalRoutine); UNREFERENCED_PARAMETER(NormalContext); UNREFERENCED_PARAMETER(SystemArgument1); UNREFERENCED_PARAMETER(SystemArgument2); apc = CONTAINING_RECORD(Apc, KPH_CID_APC, Apc); NT_ASSERT(apc->Thread->EThread == KeGetCurrentThread()); #ifdef _WIN64 C_ASSERT(FIELD_OFFSET(TEB, SubProcessTag) == 0x1720); #endif teb = PsGetCurrentThreadTeb(); if (teb) { __try { apc->Thread->SubProcessTag = ReadPointerFromUser(&teb->SubProcessTag); } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to populate SubProcessTag: %!STATUS!", GetExceptionCode()); } } dyn = KphReferenceDynData(); if (dyn) { KphpInitializeWSLThreadContext(dyn, apc->Thread); KphDereferenceObject(dyn); } KeSetEvent(&apc->CompletedEvent, EVENT_INCREMENT, FALSE); } /** * \brief Initializes thread context parts in the original thread environment. * * \param[in] ThreadContext The thread context to initialize. * \param[in] Wait If TRUE this routine will try to wait for the APC to * complete, otherwise this routine will not wait. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpInitThreadContextInOriginalEnvironment( _In_ PKPH_THREAD_CONTEXT ThreadContext, _In_ BOOLEAN Wait ) { NTSTATUS status; PKPH_CID_APC apc; KPH_PAGED_CODE(); status = KphCreateObject(KphpCidApcType, sizeof(KPH_CID_APC), &apc, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCreateObject failed: %!STATUS!", status); goto Exit; } apc->Thread = ThreadContext; KphReferenceObject(apc->Thread); KsiInitializeApc(&apc->Apc, KphDriverObject, ThreadContext->EThread, OriginalApcEnvironment, KphpInitializeThreadContextSpecialApc, KphpCidApcCleanup, NULL, KernelMode, NULL); // // The APC could fire immediately we must reference before trying to queue. // KphReferenceObject(apc); if (!KsiInsertQueueApc(&apc->Apc, NULL, NULL, IO_NO_INCREMENT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KsiInsertQueueApc failed"); KphDereferenceObject(apc); status = STATUS_UNSUCCESSFUL; goto Exit; } if (!Wait) { status = STATUS_SUCCESS; goto Exit; } status = KeWaitForSingleObject(&apc->CompletedEvent, Executive, KernelMode, FALSE, (PLARGE_INTEGER)&KphpCidApcTimeout); if (status != STATUS_SUCCESS) { NTSTATUS removeStatus; NT_ASSERT(status == STATUS_TIMEOUT); removeStatus = KsiRemoveQueueApc(&apc->Apc); KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KsiRemoveQueueApc: %!STATUS!", removeStatus); goto Exit; } Exit: if (apc) { KphDereferenceObject(apc); } if (!NT_SUCCESS(status) || (status == STATUS_TIMEOUT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphpInitializeThreadContextApc failed: %!STATUS!", status); } } /** * \brief Initializes a thread context. * * \param[in] Object The thread context object to initialize. * \param[in] Parameter Unused * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeThreadContext( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_THREAD_CONTEXT thread; PETHREAD threadObject; HANDLE threadHandle; KPH_PAGED_CODE(); NT_ASSERT(Parameter); thread = Object; threadObject = Parameter; status = ObOpenObjectByPointer(threadObject, OBJ_KERNEL_HANDLE, NULL, THREAD_ALL_ACCESS, *PsThreadType, KernelMode, &threadHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ObOpenObjectByPointer failed %!STATUS!", status); threadHandle = NULL; goto Exit; } status = ZwQueryInformationThread(threadHandle, ThreadSubsystemInformation, &thread->SubsystemType, sizeof(SUBSYSTEM_INFORMATION_TYPE), NULL); if (status == STATUS_INVALID_INFO_CLASS) { thread->SubsystemType = SubsystemInformationTypeWin32; } else if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ThreadSubsystemInformation failed %!STATUS!", status); goto Exit; } thread->EThread = threadObject; ObReferenceObject(thread->EThread); thread->ClientId.UniqueThread = PsGetThreadId(thread->EThread); thread->ClientId.UniqueProcess = PsGetThreadProcessId(thread->EThread); NT_ASSERT(!thread->ProcessContext); thread->ProcessContext = KphGetProcessContext(thread->ClientId.UniqueProcess); if (thread->ProcessContext) { KphAcquireRWLockExclusive(&thread->ProcessContext->ThreadListLock); if (!thread->ProcessContext->InitialThread) { thread->ProcessContext->InitialThread = thread; KphReferenceObject(thread); } InsertTailList(&thread->ProcessContext->ThreadListHead, &thread->ThreadListEntry); thread->ProcessContext->NumberOfThreads++; thread->InThreadList = TRUE; KphReferenceObject(thread); KphReleaseRWLock(&thread->ProcessContext->ThreadListLock); } if (!PsIsSystemThread(thread->EThread)) { KphpInitThreadContextInOriginalEnvironment(thread, FALSE); } status = STATUS_SUCCESS; Exit: if (threadHandle) { ObCloseHandle(threadHandle, KernelMode); } return status; } /** * \brief Deletes a thread context. * * \param[in] Object The thread context object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpDeleteThreadContext( _Inout_ PVOID Object ) { PKPH_THREAD_CONTEXT thread; KPH_PAGED_CODE_PASSIVE(); thread = Object; NT_ASSERT(!thread->InThreadList); KphAtomicAssignObjectReference(&thread->RequestSessionToken.Atomic, NULL); KphAtomicAssignObjectReference(&thread->SessionToken.Atomic, NULL); NT_ASSERT(thread->EThread); ObDereferenceObject(thread->EThread); if (thread->ProcessContext) { KphDereferenceObject(thread->ProcessContext); } } /** * \brief Frees a thread context object. * * \param[in] Object The thread context object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpFreeThreadContext( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphpThreadContextLookaside); KphFreeToNPagedLookasideObject(KphpThreadContextLookaside, Object); KphDereferenceObject(KphpThreadContextLookaside); } /** * \brief Initializes the CID tracking infrastructure. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCidInitialize( VOID ) { NTSTATUS status; KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); status = KphCidTableCreate(&KphpCidTable); if (!NT_SUCCESS(status)) { return status; } KeInitializeEvent(&KphpCidPopulatedEvent, NotificationEvent, FALSE); status = KphCreateNPagedLookasideObject(&KphpCidApcLookaside, KphAddObjectHeaderSize(sizeof(KPH_CID_APC)), KPH_TAG_CID_APC); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCreateNPagedLookasideObject failed: %!STATUS!", status); KphpCidApcLookaside = NULL; goto Exit; } status = KphCreateNPagedLookasideObject(&KphpProcessContextLookaside, KphAddObjectHeaderSize(sizeof(KPH_PROCESS_CONTEXT)), KPH_TAG_PROCESS_CONTEXT); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCreatePagedLookasideObject failed: %!STATUS!", status); KphpProcessContextLookaside = NULL; goto Exit; } status = KphCreateNPagedLookasideObject(&KphpThreadContextLookaside, KphAddObjectHeaderSize(sizeof(KPH_THREAD_CONTEXT)), KPH_TAG_THREAD_CONTEXT); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCreatePagedLookasideObject failed: %!STATUS!", status); KphpThreadContextLookaside = NULL; goto Exit; } typeInfo.Allocate = KphpAllocateProcessContext; typeInfo.Initialize = KphpInitializeProcessContext; typeInfo.Delete = KphpDeleteProcessContext; typeInfo.Free = KphpFreeProcessContext; typeInfo.Flags = 0; typeInfo.DeferDelete = TRUE; KphCreateObjectType(&KphpProcessContextTypeName, &typeInfo, &KphProcessContextType); typeInfo.Allocate = KphpAllocateThreadContext; typeInfo.Initialize = KphpInitializeThreadContext; typeInfo.Delete = KphpDeleteThreadContext; typeInfo.Free = KphpFreeThreadContext; typeInfo.Flags = 0; typeInfo.DeferDelete = TRUE; KphCreateObjectType(&KphpThreadContextTypeName, &typeInfo, &KphThreadContextType); typeInfo.Allocate = KphpAllocateCidApc; typeInfo.Initialize = KphpInitializeCidApc; typeInfo.Delete = KphpDeleteCidApc; typeInfo.Free = KphpFreeCidApc; typeInfo.Flags = 0; KphCreateObjectType(&KphpCidApcTypeName, &typeInfo, &KphpCidApcType); KphpCidTrackingInitialized = TRUE; status = STATUS_SUCCESS; Exit: if (!NT_SUCCESS(status)) { KphCidTableDelete(&KphpCidTable); if (KphpProcessContextLookaside) { KphDereferenceObject(KphpProcessContextLookaside); KphpProcessContextLookaside = NULL; } if (KphpThreadContextLookaside) { KphDereferenceObject(KphpThreadContextLookaside); KphpThreadContextLookaside = NULL; } if (KphpCidApcLookaside) { KphDereferenceObject(KphpCidApcLookaside); KphpCidApcLookaside = NULL; } } return status; } /** * \brief Unlinks thread contexts from a process context. * * \param[in] Process The process context to unlink thread contexts from. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpUnlinkProcessContextThreadContexts( _In_ PKPH_PROCESS_CONTEXT Process ) { KPH_PAGED_CODE(); KphAcquireRWLockExclusive(&Process->ThreadListLock); while (!IsListEmpty(&Process->ThreadListHead)) { PKPH_THREAD_CONTEXT thread; thread = CONTAINING_RECORD(RemoveHeadList(&Process->ThreadListHead), KPH_THREAD_CONTEXT, ThreadListEntry); NT_ASSERT(thread->InThreadList); Process->NumberOfThreads--; Process->NumberOfUnlinkedThreads++; thread->InThreadList = FALSE; KphDereferenceObject(thread); } if (Process->InitialThread) { KphDereferenceObject(Process->InitialThread); Process->InitialThread = NULL; } KphReleaseRWLock(&Process->ThreadListLock); } /** * \brief Cleanup callback for enumerating the CID tracking table. * * \param[in] Object The CID table entry to clean up. * \param[in] Parameter Unused * * \return FALSE to continue enumerating. */ _Function_class_(KPH_CID_RUNDOWN_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpCidCleanupCallback( _In_ PVOID Object, _In_opt_ PVOID Parameter ) { KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(Parameter); if (KphGetObjectType(Object) == KphProcessContextType) { PKPH_PROCESS_CONTEXT process; process = Object; KphpUnlinkProcessContextThreadContexts(process); } } /** * \brief Cleans up the CID tracking infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCidCleanup( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (!KphpCidTrackingInitialized) { return; } KphCidRundown(&KphpCidTable, KphpCidCleanupCallback, NULL); if (KphpSystemProcessContext) { KphDereferenceObject(KphpSystemProcessContext); } KphCidTableDelete(&KphpCidTable); KphDereferenceObject(KphpCidApcLookaside); KphDereferenceObject(KphpThreadContextLookaside); KphDereferenceObject(KphpProcessContextLookaside); } /** * \brief Begins tracking a context object in the CID tracking. May return an * existing object if it is already being tracked. * * \param[in] Cid The CID of the object to being tracking. * \param[in] ObjectType The expected object type if the CID. * \param[in] ObjectBodySize The size of the context body. * \param[in] Parameter The parameter passed to the creation routine. * * \return Pointer to the context object, null on allocation failure or if the * object is already being tracked and is not of the expected type. The caller * *must* dereference the object when they are through with it. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ PVOID KphpTrackContext( _In_ HANDLE Cid, _In_ PKPH_OBJECT_TYPE ObjectType, _In_ ULONG ObjectBodySize, _In_ PVOID Parameter ) { NTSTATUS status; PKPH_CID_TABLE_ENTRY entry; PVOID object; KPH_PAGED_CODE(); entry = KphCidGetEntry(Cid, &KphpCidTable); if (!entry) { return NULL; } object = KphCidReferenceObject(entry); if (object) { if (KphGetObjectType(object) != ObjectType) { KphDereferenceObject(object); object = NULL; } return object; } status = KphCreateObject(ObjectType, ObjectBodySize, &object, Parameter); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCreateObject (%lu) failed: %!STATUS!", HandleToULong(Cid), status); return NULL; } KphCidAssignObject(entry, object); return object; } /** * \brief Stops tracking a context object in the CID tracking. * * \param[in] Cid The CID of the object to being tracking. * \param[in] ObjectType The expected object type if the CID. * \param[in] ObjectBodySize The size of the context body. * * \return Pointer to the context object, null if not found or the object is * not of the expected type. The caller *must* dereference the object when they * are through with it. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ PVOID KphpUntrackContext( _In_ HANDLE Cid, _In_ PKPH_OBJECT_TYPE ObjectType ) { PKPH_CID_TABLE_ENTRY entry; PVOID object; KPH_PAGED_CODE(); entry = KphCidGetEntry(Cid, &KphpCidTable); if (!entry) { return NULL; } object = KphCidReferenceObject(entry); if (object && (KphGetObjectType(object) != ObjectType)) { KphDereferenceObject(object); return NULL; } KphCidAssignObject(entry, NULL); return object; } /** * \brief Performs actions post population of CID table. * * \param[in] Process The context being enumerated. * \param[in] Parameter Unused. * * \return FALSE */ _Function_class_(KPH_ENUM_CID_CONTEXTS_CALLBACK) _Must_inspect_result_ BOOLEAN KSIAPI KphpCidEnumPostPopulate( _In_ PVOID Context, _In_opt_ PVOID Parameter ) { PKPH_OBJECT_TYPE objectType; PKPH_PROCESS_CONTEXT process; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(Parameter); objectType = KphGetObjectType(Context); if (objectType == KphProcessContextType) { process = Context; KphVerifyProcessAndProtectIfAppropriate(process); } return FALSE; } // from phnative.h #define KPH_FIRST_PROCESS(Processes) ((PSYSTEM_PROCESS_INFORMATION)(Processes)) #define KPH_NEXT_PROCESS(Process) ( \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset ? \ (PSYSTEM_PROCESS_INFORMATION)Add2Ptr((Process), \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset) : \ NULL \ ) /** * \brief Populates the CID tracking. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCidPopulate( VOID ) { NTSTATUS status; ULONG size; PVOID buffer; PSYSTEM_PROCESS_INFORMATION info; KPH_PAGED_CODE_PASSIVE(); size = (PAGE_SIZE * 4); buffer = KphAllocatePaged(size, KPH_TAG_CID_POPULATE); if (!buffer) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to allocate buffer for process information."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } for (;;) { status = ZwQuerySystemInformation(SystemProcessInformation, buffer, size, &size); if (NT_SUCCESS(status)) { break; } if ((status != STATUS_BUFFER_TOO_SMALL) && (status != STATUS_INFO_LENGTH_MISMATCH)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ZwQuerySystemInformation failed: %!STATUS!", status); goto Exit; } if (size == 0) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ZwQuerySystemInformation returned zero size!"); NT_ASSERT(!NT_SUCCESS(status)); goto Exit; } KphFree(buffer, KPH_TAG_CID_POPULATE); buffer = KphAllocatePaged(size, KPH_TAG_CID_POPULATE); if (!buffer) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to allocate buffer for process information."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Trying again with larger buffer (%lu)...", size); } // // N.B. Because of the way we start up we guarantee the thread and process // notifications routines are blocked until we complete this work. This // gives us a guarantee that a new process/thread can't be fully created or // tracked before we get here. However, this is still the possibility of // a TOCTOU for an exiting process/thread. We need to take care here during // initialization. If the process/thread is already exited we should not // track it. // NT_ASSERT(NT_SUCCESS(status)); NT_ASSERT(size >= sizeof(SYSTEM_PROCESS_INFORMATION)); for (info = KPH_FIRST_PROCESS(buffer); info; info = KPH_NEXT_PROCESS(info)) { PKPH_PROCESS_CONTEXT process; PEPROCESS processObject; if (!info->UniqueProcessId) { // // Idle Process. // For now we aren't going to track it. There are "valid" watchdog // threads in the idle process, but we can't look up their thread // objects in a documented way. For simplicity, for now, we opt // not to track it. // continue; } if (info->UniqueProcessId == PsGetProcessId(PsInitialSystemProcess)) { // // System Process // processObject = PsInitialSystemProcess; ObReferenceObject(processObject); } else { // // Check if we should track this process during population. // Ultimately here we're ensuring the process isn't already exited. // Otherwise there is the possibility of an object leak from TOCTOU. // status = PsLookupProcessByProcessId(info->UniqueProcessId, &processObject); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "PsLookupProcessByProcessId failed: %!STATUS!", status); continue; } if (PsGetProcessExitProcessCalled(processObject)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "PsGetProcessExitProcessCalled reported TRUE " "(process %lu)", HandleToULong(info->UniqueProcessId)); ObDereferenceObject(processObject); continue; } } process = KphpTrackContext(info->UniqueProcessId, KphProcessContextType, sizeof(KPH_PROCESS_CONTEXT), processObject); ObDereferenceObject(processObject); processObject = NULL; if (!process) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphpTrackContext failed (process %lu)", HandleToULong(info->UniqueProcessId)); continue; } process->CreatorClientId.UniqueProcess = NtCurrentProcess(); process->CreatorClientId.UniqueThread = NtCurrentThread(); KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Tracking process %wZ (%lu)", &process->ImageName, HandleToULong(process->ProcessId)); for (ULONG i = 0; i < info->NumberOfThreads; i++) { PKPH_THREAD_CONTEXT thread; PETHREAD threadObject; PSYSTEM_THREAD_INFORMATION threadInfo; threadInfo = &info->Threads[i]; status = PsLookupThreadByThreadId(threadInfo->ClientId.UniqueThread, &threadObject); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "PsLookupThreadByThreadId failed " "(thread %lu in process %wZ (%lu))): %!STATUS!", HandleToULong(threadInfo->ClientId.UniqueThread), &process->ImageName, HandleToULong(process->ProcessId), status); continue; } if (PsIsThreadTerminating(threadObject)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "PsIsThreadTerminating reported TRUE " "(thread %lu in process %wZ (%lu)))", HandleToULong(threadInfo->ClientId.UniqueThread), &process->ImageName, HandleToULong(process->ProcessId)); ObDereferenceObject(threadObject); continue; } thread = KphpTrackContext(threadInfo->ClientId.UniqueThread, KphThreadContextType, sizeof(KPH_THREAD_CONTEXT), threadObject); ObDereferenceObject(threadObject); threadObject = NULL; if (!thread) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphpTrackContext failed " "(thread %lu in process %wZ (%lu))", HandleToULong(threadInfo->ClientId.UniqueThread), &process->ImageName, HandleToULong(process->ProcessId)); continue; } thread->CreatorClientId.UniqueProcess = NtCurrentProcess(); thread->CreatorClientId.UniqueThread = NtCurrentThread(); KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Tracking thread %lu in process %wZ (%lu)", HandleToULong(thread->ClientId.UniqueThread), &process->ImageName, HandleToULong(thread->ClientId.UniqueProcess)); KphDereferenceObject(thread); } KphDereferenceObject(process); } Exit: KphCidMarkPopulated(); if (buffer) { KphFree(buffer, KPH_TAG_CID_POPULATE); } if (NT_SUCCESS(status)) { KphEnumerateCidContexts(KphpCidEnumPostPopulate, NULL); } return status; } /** * \brief Tracks a process context. * * \param[in] Process The process to start tracking. * * \return Pointer to the process context, null on allocation failure. May * return an existing process context if the process is already tracked. The * caller *must* dereference the object when they are through with it. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphTrackProcessContext( _In_ PEPROCESS Process ) { KPH_PAGED_CODE_PASSIVE(); KphpCidWaitForPopulate(); return KphpTrackContext(PsGetProcessId(Process), KphProcessContextType, sizeof(KPH_PROCESS_CONTEXT), Process); } /** * \brief Stops tracking a process context. * * \param[in] ProcessId The process ID of the process stop tracking. * * \return Pointer to the process context, null if not found. The caller *must* * dereference the object when they are through with it. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphUntrackProcessContext( _In_ HANDLE ProcessId ) { PKPH_PROCESS_CONTEXT process; KPH_PAGED_CODE_PASSIVE(); KphpCidWaitForPopulate(); process = KphpUntrackContext(ProcessId, KphProcessContextType); if (!process) { return NULL; } KphpUnlinkProcessContextThreadContexts(process); return process; } /** * \brief Tracks a thread context. * * \param[in] Thread The thread to start tracking. * * \return Pointer to the thread context, null on allocation failure. May * return an existing thread context if the thread is already tracked. The * caller *must* dereference the object when they are through with it. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ PKPH_THREAD_CONTEXT KphTrackThreadContext( _In_ PETHREAD Thread ) { KPH_PAGED_CODE(); KphpCidWaitForPopulate(); return KphpTrackContext(PsGetThreadId(Thread), KphThreadContextType, sizeof(KPH_THREAD_CONTEXT), Thread); } /** * \brief Stops tracking a thread context. * * \param[in] ThreadId The thread ID of the thread stop tracking. * * \return Pointer to the thread context, null if not found. The caller *must* * dereference the object when they are through with it. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ PKPH_THREAD_CONTEXT KphUntrackThreadContext( _In_ HANDLE ThreadId ) { PKPH_THREAD_CONTEXT thread; KPH_PAGED_CODE(); KphpCidWaitForPopulate(); thread = KphpUntrackContext(ThreadId, KphThreadContextType); if (!thread) { return NULL; } if (thread->ProcessContext) { KphAcquireRWLockExclusive(&thread->ProcessContext->ThreadListLock); if (thread->InThreadList) { RemoveEntryList(&thread->ThreadListEntry); thread->InThreadList = FALSE; thread->ProcessContext->NumberOfThreads--; KphDereferenceObject(thread); } if (thread->ProcessContext->InitialThread == thread) { thread->ProcessContext->InitialThread = NULL; KphDereferenceObject(thread); } KphReleaseRWLock(&thread->ProcessContext->ThreadListLock); } return thread; } typedef struct _KPH_ENUM_CONTEXT { PKPH_ENUM_CID_CONTEXTS_CALLBACK CidCallback; PKPH_ENUM_PROCESS_CONTEXTS_CALLBACK ProcessCallback; PKPH_ENUM_THREAD_CONTEXTS_CALLBACK ThreadCallback; PVOID Parameter; } KPH_ENUM_CONTEXT, *PKPH_ENUM_CONTEXT; /** * \brief Enumeration callback. * * \param[in] Object The object from the enumeration. * \param[in] Parameter The enumeration context from the caller. * * \return FALSE to keep enumerating if the object type is not what was asked * for or the return value from callers callback. */ _Function_class_(KPH_CID_ENUMERATE_CALLBACK) BOOLEAN KSIAPI KphpEnumerateContexts( _In_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_ENUM_CONTEXT context; PKPH_OBJECT_TYPE objectType; KPH_PAGED_CODE(); NT_ASSERT(Parameter); context = Parameter; objectType = KphGetObjectType(Object); if (context->CidCallback) { NT_ASSERT((objectType == KphProcessContextType) || (objectType == KphThreadContextType)); NT_ASSERT(!context->ProcessCallback); NT_ASSERT(!context->ThreadCallback); return context->CidCallback(Object, context->Parameter); } if (context->ProcessCallback) { NT_ASSERT(!context->CidCallback); NT_ASSERT(!context->ThreadCallback); if (objectType != KphProcessContextType) { return FALSE; } return context->ProcessCallback(Object, context->Parameter); } NT_ASSERT(!context->CidCallback); NT_ASSERT(!context->ProcessCallback); NT_ASSERT(context->ThreadCallback); if (objectType != KphThreadContextType) { return FALSE; } return context->ThreadCallback(Object, context->Parameter); } /** * \brief Enumerates process contexts. * * \param[in] Callback The callback to invoke for each process context. The * callback should return TRUE to stop enumerating or FALSE to continue. * \param[in] Parameter Optional parameter passed to the callback. */ _IRQL_requires_max_(APC_LEVEL) VOID KphEnumerateProcessContexts( _In_ PKPH_ENUM_PROCESS_CONTEXTS_CALLBACK Callback, _In_opt_ PVOID Parameter ) { KPH_ENUM_CONTEXT context; KPH_PAGED_CODE(); context.CidCallback = NULL; context.ProcessCallback = Callback; context.ThreadCallback = NULL; context.Parameter = Parameter; KphCidEnumerate(&KphpCidTable, KphpEnumerateContexts, &context); } /** * \brief Enumerates thread contexts. * * \param[in] Callback The callback to invoke for each thread context. The * callback should return TRUE to stop enumerating or FALSE to continue. * \param[in] Parameter Optional parameter passed to the callback. */ _IRQL_requires_max_(APC_LEVEL) VOID KphEnumerateThreadContexts( _In_ PKPH_ENUM_THREAD_CONTEXTS_CALLBACK Callback, _In_opt_ PVOID Parameter ) { KPH_ENUM_CONTEXT context; KPH_PAGED_CODE(); context.CidCallback = NULL; context.ProcessCallback = NULL; context.ThreadCallback = Callback; context.Parameter = Parameter; KphCidEnumerate(&KphpCidTable, KphpEnumerateContexts, &context); } /** * \brief Enumerates CID contexts. * * \param[in] Callback The callback to invoke for each CID context. The * callback should return TRUE to stop enumerating or FALSE to continue. * \param[in] Parameter Optional parameter passed to the callback. */ _IRQL_requires_max_(APC_LEVEL) VOID KphEnumerateCidContexts( _In_ KPH_ENUM_CID_CONTEXTS_CALLBACK Callback, _In_opt_ PVOID Parameter ) { KPH_ENUM_CONTEXT context; KPH_PAGED_CODE(); context.CidCallback = Callback; context.ProcessCallback = NULL; context.ThreadCallback = NULL; context.Parameter = Parameter; KphCidEnumerate(&KphpCidTable, KphpEnumerateContexts, &context); } /** * \brief Checks the APC no-op routine for a given process. * * \param[in] Process The context of a process to check the routine of. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCheckProcessApcNoopRoutine( _In_ PKPH_PROCESS_CONTEXT Process ) { NTSTATUS status; HANDLE processHandle; PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; KPH_PAGED_CODE_PASSIVE(); if (Process->ApcNoopRoutine) { return STATUS_SUCCESS; } status = ObOpenObjectByPointer(Process->EProcess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, *PsProcessType, KernelMode, &processHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ObOpenObjectByPointer failed: %!STATUS!", status); processHandle = NULL; goto Exit; } policyInfo.Policy = ProcessControlFlowGuardPolicy; policyInfo.ControlFlowGuardPolicy.Flags = 0; status = ZwQueryInformationProcess(processHandle, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "ZwQueryInformationProcess failed: %!STATUS!", status); goto Exit; } if (policyInfo.ControlFlowGuardPolicy.EnableXfg) { status = KphDisableXfgOnTarget(processHandle, KphNtDllRtlSetBits); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphDisableXfgOnTarget failed (0x%08lx): %!STATUS!", policyInfo.ControlFlowGuardPolicy.Flags, status); goto Exit; } } if (policyInfo.ControlFlowGuardPolicy.EnableExportSuppression) { status = KphGuardGrantSuppressedCallAccess(processHandle, KphNtDllRtlSetBits); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphGuardGrantSuppressedCallAccess failed " "(0x%08lx): %!STATUS!", policyInfo.ControlFlowGuardPolicy.Flags, status); goto Exit; } } Process->ApcNoopRoutine = (PKNORMAL_ROUTINE)KphNtDllRtlSetBits; status = STATUS_SUCCESS; Exit: if (processHandle) { ObCloseHandle(processHandle, KernelMode); } return status; } /** * \brief Performs actions to verify a process and begin protecting it. Process * protection is only started processes that meet the necessary requirements. * * \param[in] Process The context of a process verify and protect. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphVerifyProcessAndProtectIfAppropriate( _In_ PKPH_PROCESS_CONTEXT Process ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); if (Process->ImageFileName && Process->FileObject && !Process->VerifiedProcess) { status = KphVerifyFile(Process->ImageFileName, Process->FileObject); KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphVerifyFile: %lu \"%wZ\": %!STATUS!", HandleToULong(Process->ProcessId), Process->ImageFileName, status); if (NT_SUCCESS(status)) { Process->VerifiedProcess = TRUE; } } if (KphTestProcessContextState(Process, KPH_PROCESS_STATE_LOW)) { ACCESS_MASK processAllowedMask; ACCESS_MASK threadAllowedMask; if (KphProtectionsSuppressed()) { // // Allow all access, but still exercise the code by registering. // processAllowedMask = ((ACCESS_MASK)-1); threadAllowedMask = ((ACCESS_MASK)-1); } else { processAllowedMask = KPH_PROTECTED_PROCESS_MASK; threadAllowedMask = KPH_PROTECTED_THREAD_MASK; } status = KphStartProtectingProcess(Process, processAllowedMask, threadAllowedMask); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphStartProtectingProcess failed: %!STATUS!", status); NT_ASSERT(!Process->Protected); } } } /** * \brief Gets the process image name for a given thread. * * \details The image name of a thread might not be available if there is no * process context associated with the thread. This is very unlikely but * possible if resources are constrained on the system. If there is no process * context associated with the thread, this function will return NULL. * * \param[in] Thread The thread context to get the process image name of. * * \return Image name for the process of the given thread, otherwise NULL. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ _Maybenull_ PUNICODE_STRING KphGetThreadImageName( _In_ PKPH_THREAD_CONTEXT Thread ) { KPH_PAGED_CODE(); if (!Thread->ProcessContext) { return NULL; } return &Thread->ProcessContext->ImageName; } /** * \brief Retrieves the process state mask from a process. * * \param[in] Process The process to get the state from. * * \return State mask describing what state the process is in. */ _IRQL_requires_max_(APC_LEVEL) KPH_PROCESS_STATE KphGetProcessState( _In_ PKPH_PROCESS_CONTEXT Process ) { KPH_PROCESS_STATE processState; KPH_PAGED_CODE(); if (KphProtectionsSuppressed()) { // // This ultimately permits low state callers into the driver. But still // check for verification. We still want to exercise the code below, // regardless. // processState = ~KPH_PROCESS_VERIFIED_PROCESS; } else { processState = 0; } if (Process->SecurelyCreated) { processState |= KPH_PROCESS_SECURELY_CREATED; } if (Process->VerifiedProcess) { processState |= KPH_PROCESS_VERIFIED_PROCESS; } if (Process->Protected) { processState |= KPH_PROCESS_PROTECTED_PROCESS; } if (Process->CreateNotification) { processState |= KPH_PROCESS_CREATE_NOTIFICATION; } if (ReadSizeTAcquire(&Process->NumberOfUntrustedImageLoads) == 0) { processState |= KPH_PROCESS_NO_UNTRUSTED_IMAGES; } if (!Process->StateTracking.Debugged) { if (!PsIsProcessBeingDebugged(Process->EProcess)) { processState |= KPH_PROCESS_NOT_BEING_DEBUGGED; } else { Process->StateTracking.Debugged = TRUE; } } if (!Process->FileObject) { return processState; } processState |= KPH_PROCESS_HAS_FILE_OBJECT; if (!Process->StateTracking.FileObjectWritable) { if (!Process->FileObject->WriteAccess || !Process->FileObject->SharedWrite) { processState |= KPH_PROCESS_NO_WRITABLE_FILE_OBJECT; } else { Process->StateTracking.FileObjectWritable = TRUE; } } if (!Process->StateTracking.FileObjectTransaction) { if (!IoGetTransactionParameterBlock(Process->FileObject)) { processState |= KPH_PROCESS_NO_FILE_TRANSACTION; } else { Process->StateTracking.FileObjectTransaction = TRUE; } } if (!Process->FileObject->SectionObjectPointer) { return processState; } processState |= KPH_PROCESS_HAS_SECTION_OBJECT_POINTERS; if (!Process->StateTracking.UserWritableReferences) { if (!MmDoesFileHaveUserWritableReferences(Process->FileObject->SectionObjectPointer)) { processState |= KPH_PROCESS_NO_USER_WRITABLE_REFERENCES; } else { Process->StateTracking.UserWritableReferences = TRUE; } } return processState; } /** * \brief Queries information about a process context. * * \details Some information is not cached up front for one reason or another. * Usually because dynamic data isn't available. This path enables a generic * way to query information about a process context and try to populate and the * cache the information if it is not already available. * * \param[in] Process The process context to query. * \param[in] InformationClass The information class to query. * \param[out] Information Optional buffer to receive the information. * \param[in] InformationLength The size of the information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationProcessContext( _In_ PKPH_PROCESS_CONTEXT Process, _In_ KPH_PROCESS_CONTEXT_INFORMATION_CLASS InformationClass, _Out_writes_bytes_opt_(InformationLength) PVOID Information, _In_ ULONG InformationLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); returnLength = 0; switch (InformationClass) { case KphProcessContextWSLProcessId: { if (Process->SubsystemType != SubsystemInformationTypeWSL) { status = STATUS_INVALID_PARAMETER; goto Exit; } returnLength = sizeof(ULONG); if (!Information || (InformationLength < sizeof(ULONG))) { status = STATUS_INFO_LENGTH_MISMATCH; goto Exit; } if (!Process->WSL.ValidProcessId) { PKPH_THREAD_CONTEXT thread; KphAcquireRWLockShared(&Process->ThreadListLock); thread = Process->InitialThread; if (thread) { KphReferenceObject(thread); } KphReleaseRWLock(&Process->ThreadListLock); if (!thread) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } KphpInitThreadContextInOriginalEnvironment(thread, TRUE); KphDereferenceObject(thread); } if (!Process->WSL.ValidProcessId) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "WSL process ID is not valid."); status = STATUS_NOINTERFACE; goto Exit; } *(PULONG)Information = Process->WSL.ProcessId; status = STATUS_SUCCESS; break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (ReturnLength) { *ReturnLength = returnLength; } return status; } /** * \brief Queries information about a thread context. * * \details Some information is not cached up front for one reason or another. * Usually because dynamic data isn't available. This path enables a generic * way to query information about a thread context and try to populate and the * cache the information if it is not already available. * * \param[in] Thread The thread context to query. * \param[in] InformationClass The information class to query. * \param[out] Information Optional buffer to receive the information. * \param[in] InformationLength The size of the information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationThreadContext( _In_ PKPH_THREAD_CONTEXT Thread, _In_ KPH_THREAD_CONTEXT_INFORMATION_CLASS InformationClass, _Out_writes_bytes_opt_(InformationLength) PVOID Information, _In_ ULONG InformationLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); returnLength = 0; switch (InformationClass) { case KphThreadContextWSLThreadId: { if (Thread->SubsystemType != SubsystemInformationTypeWSL) { status = STATUS_INVALID_HANDLE; goto Exit; } returnLength = sizeof(ULONG); if (!Information || (InformationLength < sizeof(ULONG))) { status = STATUS_INFO_LENGTH_MISMATCH; goto Exit; } if (!Thread->WSL.ValidThreadId) { KphpInitThreadContextInOriginalEnvironment(Thread, TRUE); } if (!Thread->WSL.ValidThreadId) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "WSL thread ID is not valid."); status = STATUS_NOINTERFACE; goto Exit; } *(PULONG)Information = Thread->WSL.ThreadId; status = STATUS_SUCCESS; break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (ReturnLength) { *ReturnLength = returnLength; } return status; } ================================================ FILE: KSystemInformer/comms.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include #include #define KPH_COMMS_MIN_QUEUE_THREADS 2 #define KPH_COMMS_MAX_QUEUE_THREADS 64 #define KPH_COMMS_MAX_CLIENTS 32 typedef struct _KPHM_QUEUE_ITEM { LIST_ENTRY Entry; BOOLEAN NonPaged; PKPH_MESSAGE Message; ULONG TargetClientCount; PKPH_CLIENT TargetClients[KPH_COMMS_MAX_CLIENTS]; } KPHM_QUEUE_ITEM, *PKPHM_QUEUE_ITEM; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpClientTypeName = RTL_CONSTANT_STRING(L"KphClient"); static const UNICODE_STRING KphpClientInformerStateTypeName = RTL_CONSTANT_STRING(L"KphClientInformerState"); static const LARGE_INTEGER KphpMessageMinTimeout = KPH_TIMEOUT(300); static const UNICODE_STRING KphpMessageQueueThreadName = RTL_CONSTANT_STRING(L"System Informer Message Queue"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PFLT_PORT KphpFltServerPort = NULL; static PKPH_OBJECT_TYPE KphpClientType = NULL; static PKPH_OBJECT_TYPE KphpClientInformerStateType = NULL; KPH_PROTECTED_DATA_SECTION_POP(); static KPH_RUNDOWN KphpCommsRundown; static PAGED_LOOKASIDE_LIST KphpMessageLookaside; static NPAGED_LOOKASIDE_LIST KphpNPagedMessageLookaside; static NPAGED_LOOKASIDE_LIST KphpMessageQueueItemLookaside; static ALIGNED_EX_SPINLOCK KphpConnectedClientsLock = 0; static ULONG KphpConnectedClientsCount = 0; static PKPH_CLIENT KphpConnectedClients[KPH_COMMS_MAX_CLIENTS] = { NULL }; static KQUEUE KphpMessageQueue; static PETHREAD* KphpMessageQueueThreads = NULL; static ULONG KphpMessageQueueThreadsCount = 0; /** * \brief Gets the number of connected clients. * * \return Number of connected clients. */ _IRQL_requires_max_(DISPATCH_LEVEL) ULONG KphGetConnectedClientCount( VOID ) { ULONG count; KIRQL oldIrql; KPH_NPAGED_CODE_DISPATCH_MAX(); oldIrql = ExAcquireSpinLockShared(&KphpConnectedClientsLock); count = KphpConnectedClientsCount; ExReleaseSpinLockShared(&KphpConnectedClientsLock, oldIrql); return count; } /** * \brief Gets the number of active informer clients. * * \return Number of active informer clients. */ _IRQL_requires_max_(DISPATCH_LEVEL) ULONG KphGetInformerClientCount( VOID ) { ULONG count; KIRQL oldIrql; KPH_NPAGED_CODE_DISPATCH_MAX(); count = 0; oldIrql = ExAcquireSpinLockShared(&KphpConnectedClientsLock); for (ULONG i = 0; i < KphpConnectedClientsCount; i++) { PKPH_CLIENT client; PKPH_CLIENT_INFORMER_STATE state; client = KphpConnectedClients[i]; state = KphAtomicReferenceObject(&client->InformerState.Atomic); if (state) { count++; KphDereferenceObject(state); } } ExReleaseSpinLockShared(&KphpConnectedClientsLock, oldIrql); return count; } /** * \brief Retrieves the connected clients. The caller is responsible for * dereferencing the clients after use. * * \param[out] Clients Receives the connected clients. * * \return Number of connected clients. */ _IRQL_requires_max_(DISPATCH_LEVEL) ULONG KphpGetInformerClients( _Out_writes_to_(KPH_COMMS_MAX_CLIENTS, return) PKPH_CLIENT* Clients ) { ULONG count; KIRQL oldIrql; KPH_NPAGED_CODE_DISPATCH_MAX(); count = 0; oldIrql = ExAcquireSpinLockShared(&KphpConnectedClientsLock); for (ULONG i = 0; i < KphpConnectedClientsCount; i++) { PKPH_CLIENT client; PKPH_CLIENT_INFORMER_STATE state; client = KphpConnectedClients[i]; state = KphAtomicReferenceObject(&client->InformerState.Atomic); if (state) { KphReferenceObject(client); Clients[count++] = client; KphDereferenceObject(state); } } ExReleaseSpinLockShared(&KphpConnectedClientsLock, oldIrql); return count; } /** * \brief Adds a client to the connected clients list. * * \param[in] Client The client to add. * * \return TRUE if the client was added successfully, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ BOOLEAN KphpAddConnectedClient( _In_ PKPH_CLIENT Client ) { BOOLEAN result; KIRQL oldIrql; KPH_NPAGED_CODE_DISPATCH_MAX(); result = FALSE; oldIrql = ExAcquireSpinLockExclusive(&KphpConnectedClientsLock); if (KphpConnectedClientsCount < KPH_COMMS_MAX_CLIENTS) { KphpConnectedClients[KphpConnectedClientsCount++] = Client; KphReferenceObject(Client); result = TRUE; } ExReleaseSpinLockExclusive(&KphpConnectedClientsLock, oldIrql); return result; } /** * \brief Removes a client from the connected clients list. The caller is * responsible for dereferencing any return client. * * \param[in] Client The client to remove. * * \return The removed client if it was found, NULL otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_CLIENT KphpRemoveConnectedClient( _In_ PKPH_CLIENT Client ) { PKPH_CLIENT client; KIRQL oldIrql; KPH_NPAGED_CODE_DISPATCH_MAX(); client = NULL; oldIrql = ExAcquireSpinLockExclusive(&KphpConnectedClientsLock); for (ULONG i = 0; i < KphpConnectedClientsCount; i++) { if (KphpConnectedClients[i] != Client) { continue; } client = KphpConnectedClients[i]; KphpConnectedClientsCount--; RtlMoveMemory(&KphpConnectedClients[i], &KphpConnectedClients[i + 1], sizeof(PKPH_CLIENT) * ((KPH_COMMS_MAX_CLIENTS - i) - 1)); KphpConnectedClients[KPH_COMMS_MAX_CLIENTS - 1] = NULL; break; } ExReleaseSpinLockExclusive(&KphpConnectedClientsLock, oldIrql); return client; } /** * \brief Allocates a message queue item. * * \return Message queue item, null on allocation failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_ PKPHM_QUEUE_ITEM KphpAllocateMessageQueueItem() { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphAllocateFromNPagedLookaside(&KphpMessageQueueItemLookaside); } /** * \brief Allocates a non-paged message. * * \return Non-paged message, null on allocation failure. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_ PKPH_MESSAGE KphAllocateNPagedMessage( VOID ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphAllocateFromNPagedLookaside(&KphpNPagedMessageLookaside); } /** * \brief Frees a non-paged message. * * \param[in] Message The message to free. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFreeNPagedMessage( _In_freesMem_ PKPH_MESSAGE Message ) { NT_ASSERT(Message); KPH_NPAGED_CODE_DISPATCH_MAX(); KphFreeToNPagedLookaside(&KphpNPagedMessageLookaside, Message); } /** * \brief Determines whether a message is rate limited for a client. * * \param[in] Client The client to check the rate limit for. * \param[in] Message The message to check the rate limit for. * * \return TRUE if the message is rate limited, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphpCommsMessageIsRateLimited( _In_ PKPH_CLIENT Client, _In_ PKPH_MESSAGE Message ) { PKPH_CLIENT_INFORMER_STATE state; BOOLEAN limited; ULONG index; KPH_NPAGED_CODE_DISPATCH_MAX(); limited = FALSE; state = KphAtomicReferenceObject(&Client->InformerState.Atomic); if (!state) { goto Exit; } index = (Message->Header.MessageId - (MaxKphMsgClientAllowed + 1)); if (!NT_VERIFY(index < KPH_INFORMER_COUNT)) { goto Exit; } if (KphRateLimitConsumeToken(&state->InformerRateLimit[index], &Message->Header.TimeStamp)) { goto Exit; } limited = TRUE; KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Message rate limited (%lu - %!TIME!) to client: " "%wZ (%lu)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart, &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); Exit: if (state) { KphDereferenceObject(state); } return limited; } /** * \brief Determines whether a queue is rate limited for a client. * * \param[in] Client The client to check the rate limit for. * \param[in] Message The message to check the rate limit for. * * \return TRUE if the queue is rate limited, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphpCommsQueueIsRateLimited( _In_ PKPH_CLIENT Client, _In_ PKPH_MESSAGE Message ) { PKPH_CLIENT_INFORMER_STATE state; BOOLEAN limited; KPH_NPAGED_CODE_DISPATCH_MAX(); limited = FALSE; state = KphAtomicReferenceObject(&Client->InformerState.Atomic); if (!state) { goto Exit; } if (KphRateLimitConsumeToken(&state->AsyncQueueRateLimit, &Message->Header.TimeStamp)) { goto Exit; } limited = TRUE; KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Message rate limited (%lu - %!TIME!) to client: " "%wZ (%lu)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart, &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); Exit: if (state) { KphDereferenceObject(state); } return limited; } /** * \brief Retrieves the non-rate-limited clients for a message. The caller is * responsible for dereferencing the clients after use. * * \param[in] Message The message to check the rate limits for. * \param[out] Clients Receives the non-rate-limited clients. * * \return Number of non-rate-limited clients. */ _IRQL_requires_max_(DISPATCH_LEVEL) ULONG KphpGetNonRateLimitedClients( _Out_writes_to_(KPH_COMMS_MAX_CLIENTS, return) PKPH_CLIENT* Clients, _In_ PKPH_MESSAGE Message ) { ULONG count; ULONG clientsCount; PKPH_CLIENT clients[KPH_COMMS_MAX_CLIENTS]; count = 0; clientsCount = KphpGetInformerClients(clients); for (ULONG i = 0; i < clientsCount; i++) { if (KphpCommsMessageIsRateLimited(clients[i], Message)) { KphDereferenceObjectDeferDelete(clients[i]); continue; } Clients[count++] = clients[i]; } return count; } /** * \brief Copies a message to a client ring buffer. * * \param[in] Client The client to copy the message to. * \param[in] Message The message to copy to the ring buffer. * * \return TRUE if the message was copied successfully, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphpCommsCopyMessageToRingBuffer( _In_ PKPH_CLIENT Client, _In_ PKPH_MESSAGE Message ) { PVOID buffer; KPH_NPAGED_CODE_DISPATCH_MAX(); if (!Client->RingBuffer) { return FALSE; } KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Sending message (%lu - %!TIME!) to client: %wZ (%lu)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart, &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); buffer = KphReserveRingBuffer(Client->RingBuffer, Message->Header.Size); if (!buffer) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Ring buffer exhausted (%lu - %!TIME!) %wZ (%lu)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart, &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); return FALSE; } RtlCopyMemory(buffer, Message, Message->Header.Size); KphCommitRingBuffer(Client->RingBuffer, buffer); return TRUE; } /** * \brief Sends a message to all connected client ring buffers. * * \details If a client can not receive the message in its ring buffer, it is * added to the output. The caller is responsible for dereferencing the clients * that could not receive the message. The output clients are destined to have * the message send to them using the asynchronous queue. Client rate limits * are checked for the message by this routine. If the client is rate limited * then the client is not added to the output. * * \param[out] Clients Receives the clients that could not receive the message. * \param[in] Message The message to send to the clients. * * \return Number of clients that could not receive the message. */ _IRQL_requires_max_(DISPATCH_LEVEL) ULONG KphpCommsSendMessageToRingBuffers( _Out_writes_to_(KPH_COMMS_MAX_CLIENTS, return) PKPH_CLIENT* Clients, _In_ PKPH_MESSAGE Message ) { ULONG count; ULONG clientsCount; PKPH_CLIENT clients[KPH_COMMS_MAX_CLIENTS]; KPH_NPAGED_CODE_DISPATCH_MAX(); count = 0; clientsCount = KphpGetNonRateLimitedClients(clients, Message); for (ULONG i = 0; i < clientsCount; i++) { if (KphpCommsCopyMessageToRingBuffer(clients[i], Message) || KphpCommsQueueIsRateLimited(clients[i], Message)) { KphDereferenceObjectDeferDelete(clients[i]); continue; } Clients[count++] = clients[i]; } return count; } /** * \brief Sends a non-paged message asynchronously. * * \param[in] Message The message to send asynchronously. The call assumes * ownership over the message. The caller should *not* free the message after * it is passed to this function. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCommsSendNPagedMessageAsync( _In_aliasesMem_ PKPH_MESSAGE Message ) { PKPHM_QUEUE_ITEM item; ULONG targetClientCount; PKPH_CLIENT targetClients[KPH_COMMS_MAX_CLIENTS]; KPH_NPAGED_CODE_DISPATCH_MAX(); if (!KphAcquireRundown(&KphpCommsRundown)) { KphTracePrint(TRACE_LEVEL_WARNING, COMMS, "Failed to acquire rundown, dropping message " "(%lu - %!TIME!)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart); KphFreeNPagedMessage(Message); return; } targetClientCount = KphpCommsSendMessageToRingBuffers(targetClients, Message); if (!targetClientCount) { goto Exit; } item = KphpAllocateMessageQueueItem(); if (!item) { KphTracePrint(TRACE_LEVEL_WARNING, COMMS, "Failed to allocate queue item, dropping message " "(%lu - %!TIME!)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart); goto Exit; } item->Message = Message; item->NonPaged = TRUE; Message = NULL; item->TargetClientCount = targetClientCount; RtlCopyMemory(item->TargetClients, targetClients, sizeof(PKPH_CLIENT) * targetClientCount); targetClientCount = 0; KeInsertQueue(&KphpMessageQueue, &item->Entry); Exit: for (ULONG i = 0; i < targetClientCount; i++) { KphDereferenceObjectDeferDelete(targetClients[i]); } if (Message) { KphFreeNPagedMessage(Message); } KphReleaseRundown(&KphpCommsRundown); } /** * \brief Captures the current stack and adds it to the message. * * \param[in,out] Message The message to populate with the current stack. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCaptureStackInMessage( _Inout_ PKPH_MESSAGE Message ) { NTSTATUS status; PVOID frames[150]; KPHM_STACK_TRACE stack; ULONG flags; KPH_NPAGED_CODE_DISPATCH_MAX(); flags = (KPH_STACK_BACK_TRACE_USER_MODE | KPH_STACK_BACK_TRACE_SKIP_KPH); stack.Count = (USHORT)KphCaptureStackBackTrace(0, ARRAYSIZE(frames), frames, NULL, flags); if (stack.Count == 0) { return; } stack.Frames = frames; status = KphMsgDynAddStackTrace(Message, KphMsgFieldStackTrace, &stack); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphMsgDynAddStackTrace failed: %!STATUS!", status); } } KPH_PAGED_FILE(); /** * \brief Frees a message queue item. * * \param[in] Item Message queue item to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFreeMessageQueueItem(_In_freesMem_ PKPHM_QUEUE_ITEM Item) { KPH_PAGED_CODE(); for (ULONG i = 0; i < Item->TargetClientCount; i++) { KphDereferenceObject(Item->TargetClients[i]); } if (Item->NonPaged) { KphFreeNPagedMessage(Item->Message); } else { KphFreeMessage(Item->Message); } KphFreeToNPagedLookaside(&KphpMessageQueueItemLookaside, Item); } /** * \brief Allocates a client object. * * \param[in] Size The size requested from the object infrastructure. * * \return Allocated client object, null on allocation failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateClient( _In_ SIZE_T Size ) { KPH_PAGED_CODE_PASSIVE(); return KphAllocateNPaged(Size, KPH_TAG_CLIENT); } /** * \brief Initializes a client object. * * \param[in] Object The client object to initialize. * \param[in] Parameter The process context associated with the client. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeClient( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_CLIENT client; KPH_PAGED_CODE(); NT_ASSERT(Parameter); client = Object; client->Process = Parameter; KphReferenceObject(client->Process); return STATUS_SUCCESS; } /** * \brief Deletes a client object. * * \param[in] Object The client object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpDeleteClient( _Inout_ PVOID Object ) { NTSTATUS status; PKPH_CLIENT client; KPH_PAGED_CODE_PASSIVE(); client = Object; if (client->DriverUnloadProtectionRef.Count) { // // The client is being destroyed while it has acquired driver unload // protection. The communication handlers only acquire or release the // protection once for each client, so we only need to call this once // here. // status = KphReleaseDriverUnloadProtection(NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphReleaseDriverUnloadProtection failed: %!STATUS!", status); } } KphDereferenceObject(client->Process); if (client->Port) { FltCloseClientPort(KphFltFilter, &client->Port); } if (client->RingBuffer) { KphDereferenceObject(client->RingBuffer); } KphAtomicAssignObjectReference(&client->InformerState.Atomic, NULL); } /** * \brief Frees a client object. * * \param[in] Object The client object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpFreeClient( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE_PASSIVE(); KphFree(Object, KPH_TAG_CLIENT); } /** * \brief Allocates a client informer state object. * * \param[in] Size The size requested from the object infrastructure. * * \return Allocated client informer state object, null on allocation failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateClientInformerState( _In_ SIZE_T Size ) { KPH_PAGED_CODE_PASSIVE(); return KphAllocateNPaged(Size, KPH_TAG_CLIENT_INFORMER_STATE); } /** * \brief Initializes a client informer state object. * * \param[in] Object The client informer state object to initialize. * \param[in] Parameter The client informer settings. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeClientInformerState( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_CLIENT_INFORMER_STATE state; PKPH_INFORMER_CLIENT_SETTINGS settings; LARGE_INTEGER timeStamp; KPH_PAGED_CODE(); NT_ASSERT(Parameter); state = Object; settings = Parameter; KeQuerySystemTime(&timeStamp); RtlCopyMemory(&state->MessageTimeouts, &settings->MessageTimeouts, sizeof(KPH_MESSAGE_TIMEOUTS)); KphInitializeRateLimit(&settings->AsyncQueuePolicy, &timeStamp, &state->AsyncQueueRateLimit); for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) { KphInitializeRateLimit(&settings->InformerPolicy[i], &timeStamp, &state->InformerRateLimit[i]); } return STATUS_SUCCESS; } /** * \brief Frees a client informer state object. * * \param[in] Object The client informer state object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpFreeClientInformerState( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE_PASSIVE(); KphFree(Object, KPH_TAG_CLIENT_INFORMER_STATE); } /** * \brief Initializes the client ring buffer. * * \param[in] Client The client to initialize the ring buffer for. * \param[in,out] Connection Pointer to the ring buffer connection context. * * \return Successful status or an errant one. */ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphpCommsInitializeRingBuffer( _In_ PKPH_CLIENT Client, _Inout_ PKPH_RING_BUFFER_CONNECT Connection ) { NTSTATUS status; PKPH_RING_BUFFER ring; KPH_RING_BUFFER_CONNECT connection; PKEVENT event; KPH_PAGED_CODE_PASSIVE(); ring = NULL; event = NULL; __try { CopyFromUser(&connection, Connection, sizeof(KPH_RING_BUFFER_CONNECT)); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } if (connection.EventHandle) { status = ObReferenceObjectByHandle(connection.EventHandle, EVENT_MODIFY_STATE, *ExEventObjectType, UserMode, &event, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "ObReferenceObjectByHandle failed: %!STATUS!", status); event = NULL; goto Exit; } } status = KphCreateRingBuffer(&ring, &Connection->Ring, connection.Length, event, UserMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphCreateRingBuffer failed: %!STATUS!", status); ring = NULL; goto Exit; } Client->RingBuffer = ring; KphReferenceObject(ring); Exit: if (ring) { KphDereferenceObject(ring); } if (event) { ObDereferenceObject(event); } return status; } /** * \brief Communication port connect notify callback. * * \param[in] ClientPort Client port for this client. * \param[in] ServerPortCookie Unused * \param[in] ConnectionContext Context from the connecting client. * \param[in] SizeOfContext Size of the connection context from the client. * \param[out] ConnectionPortCookie Returns the client object on success. * * \return Successful status or an errant one. */ _Function_class_(PFLT_CONNECT_NOTIFY) _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS FLTAPI KphpCommsConnectNotifyCallback( _In_ PFLT_PORT ClientPort, _In_ PVOID ServerPortCookie, _In_ PVOID ConnectionContext, _In_ ULONG SizeOfContext, _Out_ PVOID* ConnectionPortCookie ) { NTSTATUS status; PKPH_PROCESS_CONTEXT process; KPH_PROCESS_STATE processState; PKPH_CLIENT client; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(ServerPortCookie); *ConnectionPortCookie = NULL; process = NULL; client = NULL; if (!KphSinglePrivilegeCheck(SeDebugPrivilege, UserMode)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphSinglePrivilegeCheck failed %lu", HandleToULong(PsGetCurrentProcessId())); status = STATUS_PRIVILEGE_NOT_HELD; goto Exit; } process = KphGetCurrentProcessContext(); if (!process) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Untracked process %lu", HandleToULong(PsGetCurrentProcessId())); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } processState = KphGetProcessState(process); if (!KphTestProcessState(processState, KPH_PROCESS_STATE_LOW)) { KphTracePrint(TRACE_LEVEL_CRITICAL, COMMS, "Untrusted client %wZ (%lu) (0x%08x)", &process->ImageName, HandleToULong(process->ProcessId), processState); status = STATUS_ACCESS_DENIED; goto Exit; } status = KphCreateObject(KphpClientType, sizeof(KPH_CLIENT), &client, process); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Failed to allocate client object"); client = NULL; goto Exit; } if (ConnectionContext && (SizeOfContext >= sizeof(PVOID))) { PKPH_RING_BUFFER_CONNECT connection; NT_ASSERT(ConnectionContext > MmHighestUserAddress); connection = *(PVOID*)ConnectionContext; status = KphpCommsInitializeRingBuffer(client, connection); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphpCommsInitializeRingBuffer failed: %!STATUS!", status); goto Exit; } } client->Port = ClientPort; if (!KphpAddConnectedClient(client)) { KphTracePrint(TRACE_LEVEL_ERROR, COMMS, "Clients at maximum: %wZ (%lu) (0x%08x)", &client->Process->ImageName, HandleToULong(client->Process->ProcessId), processState); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } KphTracePrint(TRACE_LEVEL_INFORMATION, COMMS, "Client connected: %wZ (%lu) (0x%08x)", &client->Process->ImageName, HandleToULong(client->Process->ProcessId), processState); *ConnectionPortCookie = client; status = STATUS_SUCCESS; Exit: if (client) { KphDereferenceObject(client); } if (process) { KphDereferenceObject(process); } return status; } /** * \brief Communication port disconnect notification callback. * * \param[in] ConnectionCookie Client object */ _Function_class_(PFLT_DISCONNECT_NOTIFY) _IRQL_requires_max_(PASSIVE_LEVEL) VOID FLTAPI KphpCommsDisconnectNotifyCallback( _In_ PVOID ConnectionCookie ) { PKPH_CLIENT client; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ConnectionCookie); client = KphpRemoveConnectedClient(ConnectionCookie); if (client) { KphTracePrint(TRACE_LEVEL_INFORMATION, COMMS, "Client disconnected: %wZ (%lu)", &client->Process->ImageName, HandleToULong(client->Process->ProcessId)); KphDereferenceObject(client); } } /** * \brief Signals clients when a required state failure occurs on inbound requests. * * \param[in] MessageId The message ID that failed. * \param[in] ClientState The client state that was checked. * \param[in] RequiredState The state that was required. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpSendRequiredStateFailure( _In_ KPH_MESSAGE_ID MessageId, _In_ KPH_PROCESS_STATE ClientState, _In_ KPH_PROCESS_STATE RequiredState ) { PKPH_MESSAGE msg; KPH_PAGED_CODE_PASSIVE(); msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Failed to allocate message"); return; } KphMsgInit(msg, KphMsgRequiredStateFailure); msg->Kernel.RequiredStateFailure.ClientId.UniqueProcess = PsGetCurrentProcessId(); msg->Kernel.RequiredStateFailure.ClientId.UniqueThread = PsGetCurrentThreadId(); msg->Kernel.RequiredStateFailure.MessageId = MessageId; msg->Kernel.RequiredStateFailure.ClientState = ClientState; msg->Kernel.RequiredStateFailure.RequiredState = RequiredState; if (KphInformerOpts(NULL).EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); } /** * \brief Connection port message notification callback. * * \param[in] PortCookie Client object * \param[in] InputBuffer Input buffer from client. * \param[in] InputBufferLength Length of the input buffer. * \param[out] OutputBuffer Output buffer from client. * \param[in] OutputBufferLength Length of the output buffer. * \param[out] ReturnOutputBufferLength Receives the number of bytes written. * * \return Successful or errant status. */ _Function_class_(PFLT_MESSAGE_NOTIFY) _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS FLTAPI KphpCommsMessageNotifyCallback( _In_ PVOID PortCookie, _In_opt_ PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_opt_ PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _Out_ PULONG ReturnOutputBufferLength ) { NTSTATUS status; PKPH_CLIENT client; PKPH_MESSAGE msg; const KPH_MESSAGE_HANDLER* handler; KPH_PROCESS_STATE processState; KPH_PROCESS_STATE requiredState; KPH_PAGED_CODE_PASSIVE(); client = (PKPH_CLIENT)PortCookie; msg = NULL; if ((PsGetCurrentProcess() != client->Process->EProcess) || (ExGetPreviousMode() != UserMode)) { KphTracePrint(TRACE_LEVEL_CRITICAL, COMMS, "Unexpected caller process!"); status = STATUS_ACCESS_DENIED; goto Exit; } *ReturnOutputBufferLength = 0; if (!InputBuffer || (InputBufferLength < KPH_MESSAGE_MIN_SIZE) || (InputBufferLength > sizeof(KPH_MESSAGE)) || OutputBuffer || (OutputBufferLength > 0)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Client message input invalid"); status = STATUS_INVALID_PARAMETER; goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Failed to allocate message"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(msg, InputBuffer, KPH_MESSAGE_MIN_SIZE); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } status = KphMsgValidate(msg); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphMsgValidate failed: %!STATUS!", status); goto Exit; } if (msg->Header.Size > KPH_MESSAGE_MIN_SIZE) { __try { CopyFromUser(msg->_Dyn.Buffer, Add2Ptr(InputBuffer, KPH_MESSAGE_MIN_SIZE), (msg->Header.Size - KPH_MESSAGE_MIN_SIZE)); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } if ((msg->Header.MessageId <= InvalidKphMsg) || (msg->Header.MessageId >= MaxKphMsgClient) || ((ULONG)msg->Header.MessageId >= KphCommsMessageHandlerCount)) { KphTracePrint(TRACE_LEVEL_WARNING, COMMS, "Client message ID invalid: %lu", (ULONG)msg->Header.MessageId); status = STATUS_MESSAGE_NOT_FOUND; goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Received input (%lu - %!TIME!) from client: %wZ (%lu)", (ULONG)msg->Header.MessageId, msg->Header.TimeStamp.QuadPart, &client->Process->ImageName, HandleToULong(client->Process->ProcessId)); handler = &KphCommsMessageHandlers[msg->Header.MessageId]; NT_ASSERT(handler->MessageId == msg->Header.MessageId); NT_ASSERT(handler->Handler); NT_ASSERT(handler->RequiredState); processState = KphGetProcessState(client->Process); requiredState = handler->RequiredState(client, msg); if (!KphTestProcessState(processState, requiredState)) { KphTracePrint(TRACE_LEVEL_CRITICAL, COMMS, "Untrusted client %wZ (%lu) (0x%08x, 0x%08x)", &client->Process->ImageName, HandleToULong(client->Process->ProcessId), processState, requiredState); KphpSendRequiredStateFailure(handler->MessageId, processState, requiredState); status = STATUS_ACCESS_DENIED; goto Exit; } status = handler->Handler(client, msg); if (!NT_SUCCESS(status)) { goto Exit; } NT_ASSERT(NT_SUCCESS(KphMsgValidate(msg))); // // We use the input buffer as the input and output. This is on purpose // to minimize the allocations and copies we have to do. // if (InputBufferLength < msg->Header.Size) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } __try { CopyToUser(InputBuffer, msg, msg->Header.Size); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Sending output (%lu - %!TIME!) to client: %wZ (%lu)", (ULONG)msg->Header.MessageId, msg->Header.TimeStamp.QuadPart, &client->Process->ImageName, HandleToULong(client->Process->ProcessId)); status = STATUS_SUCCESS; Exit: if (msg) { KphFreeMessage(msg); } return status; } /** * \brief Frees the communication port security descriptor. * * \param[in] SecurityDescriptor Security descriptor to free. */ _IRQL_always_function_max_(PASSIVE_LEVEL) VOID KphpFreeCommsSecurityDescriptor( _In_freesMem_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { KPH_PAGED_CODE_PASSIVE(); FltFreeSecurityDescriptor(SecurityDescriptor); } /** * \brief Builds the communication port security descriptor. * * \param[out] SecurityDescriptor On success set to the security descriptor for * the communication port. Null on failure. The caller should free this pointer * with KphpFreeCommsSecurityDescriptor. * * \return Successful or errant status. */ _IRQL_always_function_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpBuildCommsSecurityDescriptor( _Outptr_allocatesMem_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); status = FltBuildDefaultSecurityDescriptor(SecurityDescriptor, FLT_PORT_ALL_ACCESS); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "FltBuildDefaultSecurityDescriptor failed: %!STATUS!", status); *SecurityDescriptor = NULL; goto Exit; } Exit: return status; } /** * \brief Gets the client informer settings. * * \param[in] Client The client to get the settings from. * \param[out] Settings Receives the informer settings. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerClientSettings( _In_ PKPH_CLIENT Client, _Out_ PKPH_INFORMER_CLIENT_SETTINGS Settings ) { NTSTATUS status; PKPH_CLIENT_INFORMER_STATE state; KPH_PAGED_CODE_PASSIVE(); state = NULL; __try { ZeroUserMemory(Settings, sizeof(KPH_INFORMER_CLIENT_SETTINGS)); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } state = KphAtomicReferenceObject(&Client->InformerState.Atomic); if (!state) { status = STATUS_NOT_FOUND; goto Exit; } __try { CopyToUser(&Settings->MessageTimeouts, &state->MessageTimeouts, sizeof(KPH_MESSAGE_TIMEOUTS)); CopyToUser(&Settings->AsyncQueuePolicy, &state->AsyncQueueRateLimit.Policy, sizeof(KPH_RATE_LIMIT_POLICY)); for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) { CopyToUser(&Settings->InformerPolicy[i], &state->InformerRateLimit[i].Policy, sizeof(KPH_RATE_LIMIT_POLICY)); } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } status = STATUS_SUCCESS; Exit: if (state) { KphDereferenceObject(state); } return status; } /** * \brief Sets the client informer settings. * * \param[in] Client The client to get the settings for. * \param[in] Settings The settings to apply. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformerClientSettings( _In_ PKPH_CLIENT Client, _In_ PKPH_INFORMER_CLIENT_SETTINGS Settings ) { NTSTATUS status; PKPH_INFORMER_CLIENT_SETTINGS settings; PKPH_CLIENT_INFORMER_STATE state; KPH_PAGED_CODE_PASSIVE(); state = NULL; settings = KphAllocatePaged(sizeof(KPH_INFORMER_CLIENT_SETTINGS), KPH_TAG_CLIENT_INFORMER_SETTINGS); if (!settings) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Failed to allocate message settings"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(settings, Settings, sizeof(KPH_INFORMER_CLIENT_SETTINGS)); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } status = KphCreateObject(KphpClientInformerStateType, sizeof(KPH_CLIENT_INFORMER_STATE), &state, settings); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphCreateObject failed: %!STATUS!", status); state = NULL; goto Exit; } KphAtomicAssignObjectReference(&Client->InformerState.Atomic, state); status = STATUS_SUCCESS; Exit: if (state) { KphDereferenceObject(state); } if (settings) { KphFree(settings, KPH_TAG_CLIENT_INFORMER_SETTINGS); } return status; } /** * \brief Gets informer statistics for a client. * * \param[in] Client The client to get the informer statistics for. * \param[out] Stats Receives the informer statistics. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerClientStats( _In_ PKPH_CLIENT Client, _Out_ PKPH_INFORMER_CLIENT_STATS Stats ) { NTSTATUS status; PKPH_CLIENT_INFORMER_STATE state; KPH_PAGED_CODE_PASSIVE(); state = NULL; __try { ZeroUserMemory(Stats, sizeof(KPH_INFORMER_STATS)); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } state = KphAtomicReferenceObject(&Client->InformerState.Atomic); if (!state) { status = STATUS_NOT_FOUND; goto Exit; } __try { CopyToUser(&Stats->AsyncQueueRateLimit.Policy, &state->AsyncQueueRateLimit.Policy, sizeof(KPH_RATE_LIMIT_POLICY)); WriteLong64ToUser(&Stats->AsyncQueueRateLimit.Allowed, ReadNoFence64(&state->AsyncQueueRateLimit.Allowed)); WriteLong64ToUser(&Stats->AsyncQueueRateLimit.Dropped, ReadNoFence64(&state->AsyncQueueRateLimit.Dropped)); WriteLong64ToUser(&Stats->AsyncQueueRateLimit.CasMiss, ReadNoFence64(&state->AsyncQueueRateLimit.CasMiss)); for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) { CopyToUser(&Stats->InformerRateLimit[i].Policy, &state->InformerRateLimit[i].Policy, sizeof(KPH_RATE_LIMIT_POLICY)); WriteLong64ToUser(&Stats->InformerRateLimit[i].Allowed, ReadNoFence64(&state->InformerRateLimit[i].Allowed)); WriteLong64ToUser(&Stats->InformerRateLimit[i].Dropped, ReadNoFence64(&state->InformerRateLimit[i].Dropped)); WriteLong64ToUser(&Stats->InformerRateLimit[i].CasMiss, ReadNoFence64(&state->InformerRateLimit[i].CasMiss)); } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } status = STATUS_SUCCESS; Exit: if (state) { KphDereferenceObject(state); } return status; } /** * \brief Retrieves the timeout for a message. * * \param[in] Client The client to get the timeout for. * \param[in] Message The message to retrieve the timeout for. * \param[in] AsyncTimeout If TRUE the asynchronous timeout is returned, else * the timeout appropriate for the message is returned. * \param[out] Timeout Receives the timeout for the message. * * \return TRUE if a timeout was retrieved, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphpGetTimeoutForMessage( _In_ PKPH_CLIENT Client, _In_ PKPH_MESSAGE Message, _In_ BOOLEAN AsyncTimeout, _Out_ PLARGE_INTEGER Timeout ) { PKPH_CLIENT_INFORMER_STATE state; KPH_PAGED_CODE(); state = KphAtomicReferenceObject(&Client->InformerState.Atomic); if (!state) { RtlZeroMemory(Timeout, sizeof(LARGE_INTEGER)); return FALSE; } if (AsyncTimeout) { *Timeout = state->MessageTimeouts.AsyncTimeout; } else { switch (Message->Header.MessageId) { case KphMsgProcessCreate: { *Timeout = state->MessageTimeouts.ProcessCreateTimeout; break; } case KphMsgFilePreCreate: { *Timeout = state->MessageTimeouts.FilePreCreateTimeout; break; } case KphMsgFilePostCreate: { *Timeout = state->MessageTimeouts.FilePostCreateTimeout; break; } default: { *Timeout = state->MessageTimeouts.DefaultTimeout; break; } } } KphDereferenceObject(state); return TRUE; } /** * \brief Wrapper for the communication port message send API. * * \param[in] ClientPort Client port to send message to. * \param[in] SendBuffer Buffer to send. * \param[in] SendBufferLength Length of send buffer. * \param[out] ReplyBuffer Reply buffer. * \param[in,out] ReplyBufferLength Length of reply buffer on input, set to * number of bytes written to reply buffer on output. * \param[in] Timeout Time allotted for message to be received. If a reply is * expected this waits for a reply to be received too. If not provided the * call waits indefinitely. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltSendMessage( _In_ PFLT_PORT* ClientPort, _In_reads_bytes_(SendBufferLength) PVOID SendBuffer, _In_ ULONG SendBufferLength, _Out_writes_bytes_opt_(*ReplyBufferLength) PVOID ReplyBuffer, _Inout_opt_ PULONG ReplyBufferLength, _In_opt_ PLARGE_INTEGER Timeout ) { NTSTATUS status; KPH_PAGED_CODE(); NT_ASSERT(KphFltFilter); status = FltObjectReference(KphFltFilter); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "FltObjectReference failed: %!STATUS!", status); return status; } status = FltSendMessage(KphFltFilter, ClientPort, SendBuffer, SendBufferLength, ReplyBuffer, ReplyBufferLength, Timeout); if (status == STATUS_TIMEOUT) { // // return an error status instead // status = STATUS_IO_TIMEOUT; } FltObjectDereference(KphFltFilter); return status; } /** * \brief Sends a message asynchronously to a single target client process. * * \param[in] Message The message to send asynchronously. This function assumes * ownership over the message. The caller should *not* free the message after * it is passed to this function. * \param[in] TargetClient Optional target client to send the message to. If * provided the message will only be sent to the target client from the queue * processing. Otherwise, the message will be sent to all clients. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpCommsSendMessageAsync( _In_aliasesMem_ PKPH_MESSAGE Message, _In_opt_ PKPH_CLIENT TargetClient ) { PKPHM_QUEUE_ITEM item; ULONG targetClientCount; PKPH_CLIENT targetClients[KPH_COMMS_MAX_CLIENTS]; KPH_PAGED_CODE(); if (!KphAcquireRundown(&KphpCommsRundown)) { KphTracePrint(TRACE_LEVEL_WARNING, COMMS, "Failed to acquire rundown, dropping message " "(%lu - %!TIME!)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart); KphFreeMessage(Message); return; } if (TargetClient) { targetClientCount = 1; targetClients[0] = TargetClient; KphReferenceObject(TargetClient); } else { targetClientCount = KphpCommsSendMessageToRingBuffers(targetClients, Message); if (!targetClientCount) { goto Exit; } } item = KphpAllocateMessageQueueItem(); if (!item) { KphTracePrint(TRACE_LEVEL_WARNING, COMMS, "Failed to allocate queue item, dropping message " "(%lu - %!TIME!)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart); goto Exit; } item->Message = Message; item->NonPaged = FALSE; Message = NULL; item->TargetClientCount = targetClientCount; RtlCopyMemory(item->TargetClients, targetClients, sizeof(PKPH_CLIENT) * targetClientCount); targetClientCount = 0; KeInsertQueue(&KphpMessageQueue, &item->Entry); Exit: for (ULONG i = 0; i < targetClientCount; i++) { KphDereferenceObject(targetClients[i]); } if (Message) { KphFreeMessage(Message); } KphReleaseRundown(&KphpCommsRundown); } /** * \brief Sends a message to a specific client. * * \param[in] Client The client to send the message to. * \param[in] Message The message to send. May contain multiple messages if * the send is originating from the asynchronous message queue and the * asynchronous message queue has coalesced multiple messages into one. * \param[in] Length The length of the message to send. May constitute multiple * messages if the send is originating from the asynchronous message queue and * the asynchronous message queue has coalesced multiple messages into one. * \param[out] Reply The reply from last client. * \param[in] FromAsyncQueue If TRUE the message is being sent from the * asynchronous message queue, otherwise FALSE. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpCommsSendMessage( _In_ PKPH_CLIENT Client, _In_ PKPH_MESSAGE Message, _In_ ULONG Length, _Inout_opt_ PKPH_MESSAGE Reply, _In_ BOOLEAN FromAsyncQueue ) { NTSTATUS status; PKPH_MESSAGE reply; ULONG replyLength; KPH_PROCESS_STATE processState; LARGE_INTEGER timeout; KPH_PAGED_CODE(); // // Since we support multiple clients and only one client may be the // authoritative reply. We choose to honor the first client to reply. // if (Reply && (Reply->Header.MessageId == KphMsgUnhandled)) { reply = Reply; replyLength = sizeof(KPH_MESSAGE); } else { reply = NULL; replyLength = 0; } if (reply && (PsGetCurrentProcess() == Client->Process->EProcess)) { PKPH_MESSAGE async; NT_ASSERT(!FromAsyncQueue); NT_ASSERT(Message->Header.Size == Length); // // This is a precaution to prevent a bottleneck. In this case the kernel // will block for the client to fully reply. If the client generates // more activity that too ends up fully synchronous it could exhaust // the client thread pool. This may introduce a bottleneck into the // system. To avoid this we force this one message to be sent to the // target client asynchronously. The client will not be permitted to // reply but will still have visibility. // KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Bottleneck protection, forcing asynchronous send " "(%lu - %!TIME!) to client: %wZ (%lu)", (ULONG)Message->Header.MessageId, Message->Header.TimeStamp.QuadPart, &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); // // We must make a copy of this message to send asynchronously. // async = KphAllocateMessage(); if (!async) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Failed to allocate message"); return; } RtlCopyMemory(async, Message, Message->Header.Size); KphpCommsSendMessageAsync(async, Client); status = STATUS_POSSIBLE_DEADLOCK; goto Exit; } for (ULONG offset = 0; offset < Length; NOTHING) { PKPH_MESSAGE message; NT_ASSERT(offset < sizeof(KPH_MESSAGE)); message = Add2Ptr(Message, offset); KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Sending message (%lu - %!TIME!) to client: %wZ (%lu)", (ULONG)message->Header.MessageId, message->Header.TimeStamp.QuadPart, &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); offset += message->Header.Size; } if (!KphpGetTimeoutForMessage(Client, Message, FromAsyncQueue, &timeout)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphpGetTimeoutForMessage failed"); status = STATUS_NOT_FOUND; goto Exit; } status = KphpFltSendMessage(&Client->Port, Message, Length, reply, (reply ? &replyLength : NULL), &timeout); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphpFltSendMessage failed: %!STATUS!", status); goto Exit; } if (!reply) { goto Exit; } processState = KphGetProcessState(Client->Process); if (!KphTestProcessState(processState, KPH_PROCESS_STATE_MAXIMUM)) { KphTracePrint(TRACE_LEVEL_CRITICAL, COMMS, "Untrusted client %wZ (%lu) (0x%08x)", &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId), processState); status = STATUS_REPLY_MESSAGE_MISMATCH; goto Exit; } status = KphMsgValidate(reply); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_WARNING, COMMS, "Received invalid reply from client: %wZ (%lu)", &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Received reply (%lu - %!TIME!) from client: %wZ (%lu)", (ULONG)reply->Header.MessageId, reply->Header.TimeStamp.QuadPart, &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId)); Exit: if (!NT_SUCCESS(status) && reply) { KphMsgInit(reply, KphMsgUnhandled); } } /** * \brief Attempts to coalesce consecutive items in a message queue to minimize * the number of individual message transactions. * * \details This function optimizes message transmission by combining compatible * items from the queue into a single message. If coalescing is not possible, * it simply returns the next item to be sent as-is. * * \param[in] Items The items to process. * \param[in] Count The number of items to process. * \param[in,out] Index The index of the first item to consider for coalescing. * Incremented for each coalesced item. * \param[out] Length Receives the length (in bytes) of the message to send, * including any coalesced items. * \param[out] Rundown Set to TRUE if rundown is active, FALSE otherwise. * * \return The next item to send, NULL otherwise. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ PKPHM_QUEUE_ITEM KphpMessageQueueCoalesceItems( _In_reads_(Count) PLIST_ENTRY* Items, _In_ ULONG Count, _Inout_ PULONG Index, _Out_ PULONG Length, _Out_ PBOOLEAN Rundown ) { NTSTATUS status; PKPHM_QUEUE_ITEM first; ULONG coalescedCount; ULONG remainingLength; PVOID messagePointer; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(*Index < Count); *Rundown = FALSE; first = NULL; remainingLength = sizeof(KPH_MESSAGE); coalescedCount = 0; status = (NTSTATUS)(LONG_PTR)Items[*Index]; if ((status == STATUS_TIMEOUT) || (status == STATUS_USER_APC)) { KphTracePrint(TRACE_LEVEL_ERROR, COMMS, "Unexpected queue status: %!STATUS!", status); goto Exit; } if (status == STATUS_ABANDONED) { // // The rundown logic is responsible for draining/servicing the // remaining queue items. // KphTracePrint(TRACE_LEVEL_INFORMATION, COMMS, "Message queue running down"); *Rundown = TRUE; goto Exit; } first = CONTAINING_RECORD(Items[*Index], KPHM_QUEUE_ITEM, Entry); NT_ASSERT(first); messagePointer = Add2Ptr(first->Message, first->Message->Header.Size); remainingLength = (sizeof(KPH_MESSAGE) - first->Message->Header.Size); for (ULONG i = (*Index + 1); i < Count; i++) { PKPHM_QUEUE_ITEM item; BOOLEAN clientsMatch; status = (NTSTATUS)(LONG_PTR)Items[i]; if ((status == STATUS_TIMEOUT) || (status == STATUS_USER_APC)) { KphTracePrint(TRACE_LEVEL_ERROR, COMMS, "Unexpected queue status: %!STATUS!", status); continue; } if (status == STATUS_ABANDONED) { // // The rundown logic is responsible for draining/servicing the // remaining queue items. // KphTracePrint(TRACE_LEVEL_INFORMATION, COMMS, "Message queue running down"); *Rundown = TRUE; goto Exit; } item = CONTAINING_RECORD(Items[i], KPHM_QUEUE_ITEM, Entry); NT_ASSERT(item); // // Verify that the client list matches and there is sufficient room to // coalesce this message into the first. // if (first->TargetClientCount != item->TargetClientCount) { break; } clientsMatch = TRUE; for (ULONG j = 0; j < first->TargetClientCount; j++) { if (first->TargetClients[j] != item->TargetClients[j]) { clientsMatch = FALSE; break; } } if (!clientsMatch) { break; } if (remainingLength < item->Message->Header.Size) { break; } RtlCopyMemory(messagePointer, item->Message, item->Message->Header.Size); messagePointer = Add2Ptr(messagePointer, item->Message->Header.Size); remainingLength -= item->Message->Header.Size; (*Index)++; coalescedCount++; KphpFreeMessageQueueItem(item); } Exit: *Length = (sizeof(KPH_MESSAGE) - remainingLength); if (coalescedCount) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Coalesced %lu messages (%lu bytes)", coalescedCount + 1, *Length); } return first; } /** * \brief Processes message queue items. * * \param[in] Items The items to process. * \param[in] Count The number of items to process. * * \return TRUE if rundown is active, FALSE otherwise. */ _IRQL_requires_max_(PASSIVE_LEVEL) BOOLEAN KphpMessageQueueProcessItems( _In_reads_(Count) PLIST_ENTRY* Items, _In_ ULONG Count ) { BOOLEAN rundown; KPH_PAGED_CODE_PASSIVE(); rundown = FALSE; for (ULONG i = 0; i < Count; i++) { PKPHM_QUEUE_ITEM item; ULONG length; item = KphpMessageQueueCoalesceItems(Items, Count, &i, &length, &rundown); if (item) { for (ULONG j = 0; j < item->TargetClientCount; j++) { KphpCommsSendMessage(item->TargetClients[j], item->Message, length, NULL, TRUE); } KphpFreeMessageQueueItem(item); } if (rundown) { break; } } return rundown; } /** * \brief Asynchronous message queue thread. * * \param[in] Parameter Unused */ _Function_class_(KPH_THREAD_START_ROUTINE) _IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_same_ NTSTATUS KphpMessageQueueThread( _In_opt_ PVOID Parameter ) { PLIST_ENTRY items[32]; ULONG count; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(Parameter); count = ARRAYSIZE(items); for (;;) { RtlZeroMemory(items, count * sizeof(PLIST_ENTRY)); count = KeRemoveQueueEx(&KphpMessageQueue, KernelMode, FALSE, NULL, items, ARRAYSIZE(items)); if (KphpMessageQueueProcessItems(items, count)) { break; } } return STATUS_SUCCESS; } /** * \brief Starts the communications infrastructure. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCommsStart( VOID ) { NTSTATUS status; KPH_OBJECT_TYPE_INFO typeInfo; OBJECT_ATTRIBUTES objectAttributes; PSECURITY_DESCRIPTOR securityDescriptor; ULONG threadCount; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphFltFilter); NT_ASSERT(!KphpFltServerPort); NT_ASSERT(KphPortName); securityDescriptor = NULL; KphInitializeRundown(&KphpCommsRundown); threadCount = KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS); typeInfo.Allocate = KphpAllocateClient; typeInfo.Initialize = KphpInitializeClient; typeInfo.Delete = KphpDeleteClient; typeInfo.Free = KphpFreeClient; typeInfo.Flags = 0; KphCreateObjectType(&KphpClientTypeName, &typeInfo, &KphpClientType); typeInfo.Allocate = KphpAllocateClientInformerState; typeInfo.Initialize = KphpInitializeClientInformerState; typeInfo.Delete = NULL; typeInfo.Free = KphpFreeClientInformerState; typeInfo.Flags = 0; KphCreateObjectType(&KphpClientInformerStateTypeName, &typeInfo, &KphpClientInformerStateType); KphInitializePagedLookaside(&KphpMessageLookaside, sizeof(KPH_MESSAGE), KPH_TAG_MESSAGE); KphInitializeNPagedLookaside(&KphpNPagedMessageLookaside, sizeof(KPH_MESSAGE), KPH_TAG_NPAGED_MESSAGE); KphInitializeNPagedLookaside(&KphpMessageQueueItemLookaside, sizeof(KPHM_QUEUE_ITEM), KPH_TAG_QUEUE_ITEM); if (threadCount < KPH_COMMS_MIN_QUEUE_THREADS) { threadCount = KPH_COMMS_MIN_QUEUE_THREADS; } else if (threadCount > KPH_COMMS_MAX_QUEUE_THREADS) { threadCount = KPH_COMMS_MAX_QUEUE_THREADS; } KeInitializeQueue(&KphpMessageQueue, threadCount); KphpMessageQueueThreads = KphAllocatePaged((sizeof(PKTHREAD) * threadCount), KPH_TAG_THREAD_POOL); if (!KphpMessageQueueThreads) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "Failed to allocate queue threads array"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } NT_ASSERT(KphpMessageQueueThreadsCount == 0); for (ULONG i = 0; i < threadCount; i++) { status = KphCreateSystemThread(NULL, &KphpMessageQueueThreads[i], KphpMessageQueueThread, NULL, &KphpMessageQueueThreadName, KPH_CREATE_SYSTEM_THREAD_IN_KSI_PROCESS); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphCreateSystemThread failed: %!STATUS!", status); KphpMessageQueueThreads[i] = NULL; goto Exit; } ++KphpMessageQueueThreadsCount; } status = KphpBuildCommsSecurityDescriptor(&securityDescriptor); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "KphpBuildCommsSecurityDescriptor failed: %!STATUS!", status); goto Exit; } InitializeObjectAttributes(&objectAttributes, KphPortName, OBJ_KERNEL_HANDLE, NULL, securityDescriptor); status = FltCreateCommunicationPort(KphFltFilter, &KphpFltServerPort, &objectAttributes, NULL, KphpCommsConnectNotifyCallback, KphpCommsDisconnectNotifyCallback, KphpCommsMessageNotifyCallback, KPH_COMMS_MAX_CLIENTS); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, COMMS, "FltCreateCommunicationPort failed: %!STATUS!", status); KphpFltServerPort = NULL; goto Exit; } status = STATUS_SUCCESS; Exit: if (!NT_SUCCESS(status)) { NT_ASSERT(!KphpFltServerPort); KphDeleteNPagedLookaside(&KphpMessageQueueItemLookaside); KphDeleteNPagedLookaside(&KphpNPagedMessageLookaside); KphDeletePagedLookaside(&KphpMessageLookaside); NT_VERIFY(KeRundownQueue(&KphpMessageQueue) == NULL); if (KphpMessageQueueThreads) { for (ULONG i = 0; i < KphpMessageQueueThreadsCount; i++) { KeWaitForSingleObject(KphpMessageQueueThreads[i], Executive, KernelMode, FALSE, NULL); ObDereferenceObject(KphpMessageQueueThreads[i]); } KphFree(KphpMessageQueueThreads, KPH_TAG_THREAD_POOL); KphpMessageQueueThreads = NULL; KphpMessageQueueThreadsCount = 0; } } if (securityDescriptor) { KphpFreeCommsSecurityDescriptor(securityDescriptor); } return status; } /** * \brief Stops the communications infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCommsStop( VOID ) { PLIST_ENTRY entry; KPH_PAGED_CODE_PASSIVE(); if (!KphpFltServerPort) { return; } KphWaitForRundown(&KphpCommsRundown); entry = KeRundownQueue(&KphpMessageQueue); for (ULONG i = 0; i < KphpMessageQueueThreadsCount; i++) { KeWaitForSingleObject(KphpMessageQueueThreads[i], Executive, KernelMode, FALSE, NULL); ObDereferenceObject(KphpMessageQueueThreads[i]); } KphFree(KphpMessageQueueThreads, KPH_TAG_THREAD_POOL); KphpMessageQueueThreads = NULL; KphpMessageQueueThreadsCount = 0; // // Rundown any remaining items in the queue, if there are any. // if (entry != NULL) { PLIST_ENTRY first; first = entry; do { PLIST_ENTRY item; item = entry; entry = entry->Flink; KphpMessageQueueProcessItems(&item, 1); } while (entry != first); } FltCloseCommunicationPort(KphpFltServerPort); KphDeleteNPagedLookaside(&KphpMessageQueueItemLookaside); KphDeleteNPagedLookaside(&KphpNPagedMessageLookaside); KphDeletePagedLookaside(&KphpMessageLookaside); } /** * \brief Allocates a message. * * \return Allocated message, null on allocation failure. */ _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_ PKPH_MESSAGE KphAllocateMessage( VOID ) { KPH_PAGED_CODE(); return KphAllocateFromPagedLookaside(&KphpMessageLookaside); } /** * \brief Frees a message. * * \param[in] Message The message to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphFreeMessage( _In_freesMem_ PKPH_MESSAGE Message ) { KPH_PAGED_CODE(); NT_ASSERT(Message); KphFreeToPagedLookaside(&KphpMessageLookaside, Message); } /** * \brief Sends a message asynchronously. * * \param[in] Message The message to send asynchronously. This function assumes * ownership over the message. The caller should *not* free the message after * it is passed to this function. */ _IRQL_requires_max_(APC_LEVEL) VOID KphCommsSendMessageAsync( _In_aliasesMem_ PKPH_MESSAGE Message ) { KPH_PAGED_CODE(); KphpCommsSendMessageAsync(Message, NULL); } /** * \brief Sends a message to all connected clients. The first client to respond * is given authority for any reply. * * \details Callers expecting a specific reply should check for the reply * message identifier even on success. This function will return success with * KphMsgUnhandled when no client handles the message. * * \param[in] Message The message to send. * \param[out] Reply Optional reply from last client. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphCommsSendMessage( _In_ PKPH_MESSAGE Message, _Out_opt_ PKPH_MESSAGE Reply ) { NTSTATUS status; ULONG clientCount; PKPH_CLIENT clients[KPH_COMMS_MAX_CLIENTS]; KPH_PAGED_CODE(); NT_ASSERT(NT_SUCCESS(KphMsgValidate(Message))); if (!KphAcquireRundown(&KphpCommsRundown)) { return STATUS_TOO_LATE; } if (Reply) { KphMsgInit(Reply, KphMsgUnhandled); } status = STATUS_PORT_DISCONNECTED; clientCount = KphpGetNonRateLimitedClients(clients, Message); for (ULONG i = 0; i < clientCount; i++) { KphpCommsSendMessage(clients[i], Message, Message->Header.Size, Reply, FALSE); KphDereferenceObject(clients[i]); status = STATUS_SUCCESS; } KphReleaseRundown(&KphpCommsRundown); return status; } ================================================ FILE: KSystemInformer/comms_handlers.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include KPHM_DEFINE_HANDLER(KphpCommsGetInformerSettings); KPHM_DEFINE_HANDLER(KphpCommsSetInformerSettings); KPHM_DEFINE_HANDLER(KphpCommsOpenProcess); KPHM_DEFINE_HANDLER(KphpCommsOpenProcessToken); KPHM_DEFINE_HANDLER(KphpCommsOpenProcessJob); KPHM_DEFINE_HANDLER(KphpCommsTerminateProcess); KPHM_DEFINE_HANDLER(KphpCommsReadVirtualMemory); KPHM_DEFINE_HANDLER(KphpCommsOpenThread); KPHM_DEFINE_HANDLER(KphpCommsOpenThreadProcess); KPHM_DEFINE_HANDLER(KphpCommsCaptureStackBackTraceThread); KPHM_DEFINE_HANDLER(KphpCommsEnumerateProcessHandles); KPHM_DEFINE_HANDLER(KphpCommsQueryInformationObject); KPHM_DEFINE_HANDLER(KphpCommsSetInformationObject); KPHM_DEFINE_HANDLER(KphpCommsOpenDriver); KPHM_DEFINE_HANDLER(KphpCommsQueryInformationDriver); KPHM_DEFINE_HANDLER(KphpCommsQueryInformationProcess); KPHM_DEFINE_HANDLER(KphpCommsSetInformationProcess); KPHM_DEFINE_HANDLER(KphpCommsSetInformationThread); KPHM_DEFINE_HANDLER(KphpCommsSystemControl); KPHM_DEFINE_HANDLER(KphpCommsAlpcQueryInformation); KPHM_DEFINE_HANDLER(KphpCommsQueryInformationFile); KPHM_DEFINE_HANDLER(KphpCommsQueryVolumeInformationFile); KPHM_DEFINE_HANDLER(KphpCommsDuplicateObject); KPHM_DEFINE_HANDLER(KphpCommsQueryPerformanceCounter); KPHM_DEFINE_HANDLER(KphpCommsCreateFile); KPHM_DEFINE_HANDLER(KphpCommsQueryInformationThread); KPHM_DEFINE_HANDLER(KphpCommsQuerySection); KPHM_DEFINE_HANDLER(KphpCommsCompareObjects); KPHM_DEFINE_HANDLER(KphpCommsGetInformerClientSettings); KPHM_DEFINE_HANDLER(KphpCommsSetInformerClientSettings); KPHM_DEFINE_HANDLER(KphpCommsAcquireDriverUnloadProtection); KPHM_DEFINE_HANDLER(KphpCommsReleaseDriverUnloadProtection); KPHM_DEFINE_HANDLER(KphpCommsGetConnectedClientCount); KPHM_DEFINE_HANDLER(KphpCommsActivateDynData); KPHM_DEFINE_HANDLER(KphpCommsIsDynDataActive); KPHM_DEFINE_HANDLER(KphpCommsRequestSessionAccessToken); KPHM_DEFINE_HANDLER(KphpCommsAssignProcessSessionToken); KPHM_DEFINE_HANDLER(KphpCommsAssignThreadSessionToken); KPHM_DEFINE_HANDLER(KphpCommsGetInformerProcessSettings); KPHM_DEFINE_HANDLER(KphpCommsSetInformerProcessSettings); KPHM_DEFINE_HANDLER(KphpCommsStripProtectedProcessMasks); KPHM_DEFINE_HANDLER(KphpCommsQueryVirtualMemory); KPHM_DEFINE_HANDLER(KphpCommsQueryHashInformationFile); KPHM_DEFINE_HANDLER(KphpCommsOpenDevice); KPHM_DEFINE_HANDLER(KphpCommsOpenDeviceDriver); KPHM_DEFINE_HANDLER(KphpCommsOpenDeviceBaseDevice); KPHM_DEFINE_HANDLER(KphpCommsGetInformerStats); KPHM_DEFINE_HANDLER(KphpCommsGetInformerClientStats); KPHM_DEFINE_REQUIRED_STATE(KphpCommsRequireMaximum); KPHM_DEFINE_REQUIRED_STATE(KphpCommsRequireMedium); KPHM_DEFINE_REQUIRED_STATE(KphpCommsRequireLow); KPHM_DEFINE_REQUIRED_STATE(KphpCommsOpenProcessRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsOpenProcessTokenRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsOpenProcessJobRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsOpenThreadRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsOpenThreadProcessRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsQueryInformationProcessRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsCreateFileRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsQueryInformationThreadRequires); KPHM_DEFINE_REQUIRED_STATE(KphpCommsQueryVirtualMemoryRequires); KPH_PROTECTED_DATA_SECTION_RO_PUSH(); const KPH_MESSAGE_HANDLER KphCommsMessageHandlers[] = { { InvalidKphMsg, NULL, NULL }, { KphMsgGetInformerSettings, KphpCommsGetInformerSettings, KphpCommsRequireLow }, { KphMsgSetInformerSettings, KphpCommsSetInformerSettings, KphpCommsRequireLow }, { KphMsgOpenProcess, KphpCommsOpenProcess, KphpCommsOpenProcessRequires }, { KphMsgOpenProcessToken, KphpCommsOpenProcessToken, KphpCommsOpenProcessTokenRequires }, { KphMsgOpenProcessJob, KphpCommsOpenProcessJob, KphpCommsOpenProcessJobRequires }, { KphMsgTerminateProcess, KphpCommsTerminateProcess, KphpCommsRequireMaximum }, { KphMsgReadVirtualMemory, KphpCommsReadVirtualMemory, KphpCommsRequireMaximum }, { KphMsgOpenThread, KphpCommsOpenThread, KphpCommsOpenThreadRequires }, { KphMsgOpenThreadProcess, KphpCommsOpenThreadProcess, KphpCommsOpenThreadProcessRequires }, { KphMsgCaptureStackBackTraceThread, KphpCommsCaptureStackBackTraceThread, KphpCommsRequireMedium }, { KphMsgEnumerateProcessHandles, KphpCommsEnumerateProcessHandles, KphpCommsRequireMedium }, { KphMsgQueryInformationObject, KphpCommsQueryInformationObject, KphpCommsRequireMedium }, { KphMsgSetInformationObject, KphpCommsSetInformationObject, KphpCommsRequireMaximum }, { KphMsgOpenDriver, KphpCommsOpenDriver, KphpCommsRequireMaximum }, { KphMsgQueryInformationDriver, KphpCommsQueryInformationDriver, KphpCommsRequireMaximum }, { KphMsgQueryInformationProcess, KphpCommsQueryInformationProcess, KphpCommsQueryInformationProcessRequires }, { KphMsgSetInformationProcess, KphpCommsSetInformationProcess, KphpCommsRequireMaximum }, { KphMsgSetInformationThread, KphpCommsSetInformationThread, KphpCommsRequireMaximum }, { KphMsgSystemControl, KphpCommsSystemControl, KphpCommsRequireMaximum }, { KphMsgAlpcQueryInformation, KphpCommsAlpcQueryInformation, KphpCommsRequireMedium }, { KphMsgQueryInformationFile, KphpCommsQueryInformationFile, KphpCommsRequireMedium }, { KphMsgQueryVolumeInformationFile, KphpCommsQueryVolumeInformationFile, KphpCommsRequireMedium }, { KphMsgDuplicateObject, KphpCommsDuplicateObject, KphpCommsRequireMaximum }, { KphMsgQueryPerformanceCounter, KphpCommsQueryPerformanceCounter, KphpCommsRequireLow }, { KphMsgCreateFile, KphpCommsCreateFile, KphpCommsCreateFileRequires }, { KphMsgQueryInformationThread, KphpCommsQueryInformationThread, KphpCommsQueryInformationThreadRequires }, { KphMsgQuerySection, KphpCommsQuerySection, KphpCommsRequireMedium }, { KphMsgCompareObjects, KphpCommsCompareObjects, KphpCommsRequireMedium }, { KphMsgGetInformerClientSettings, KphpCommsGetInformerClientSettings, KphpCommsRequireLow }, { KphMsgSetInformerClientSettings, KphpCommsSetInformerClientSettings, KphpCommsRequireLow }, { KphMsgAcquireDriverUnloadProtection, KphpCommsAcquireDriverUnloadProtection, KphpCommsRequireMaximum }, { KphMsgReleaseDriverUnloadProtection, KphpCommsReleaseDriverUnloadProtection, KphpCommsRequireMaximum }, { KphMsgGetConnectedClientCount, KphpCommsGetConnectedClientCount, KphpCommsRequireLow }, { KphMsgActivateDynData, KphpCommsActivateDynData, KphpCommsRequireLow }, { KphMsgIsDynDataActive, KphpCommsIsDynDataActive, KphpCommsRequireLow }, { KphMsgRequestSessionAccessToken, KphpCommsRequestSessionAccessToken, KphpCommsRequireMaximum }, { KphMsgAssignProcessSessionToken, KphpCommsAssignProcessSessionToken, KphpCommsRequireMaximum }, { KphMsgAssignThreadSessionToken, KphpCommsAssignThreadSessionToken, KphpCommsRequireMaximum }, { KphMsgGetInformerProcessSettings, KphpCommsGetInformerProcessSettings, KphpCommsRequireLow }, { KphMsgSetInformerProcessSettings, KphpCommsSetInformerProcessSettings, KphpCommsRequireLow }, { KphMsgStripProtectedProcessMasks, KphpCommsStripProtectedProcessMasks, KphpCommsRequireMaximum }, { KphMsgQueryVirtualMemory, KphpCommsQueryVirtualMemory, KphpCommsQueryVirtualMemoryRequires }, { KphMsgQueryHashInformationFile, KphpCommsQueryHashInformationFile, KphpCommsRequireMaximum }, { KphMsgOpenDevice, KphpCommsOpenDevice, KphpCommsRequireMaximum }, { KphMsgOpenDeviceDriver, KphpCommsOpenDeviceDriver, KphpCommsRequireMaximum }, { KphMsgOpenDeviceBaseDevice, KphpCommsOpenDeviceBaseDevice, KphpCommsRequireMaximum }, { KphMsgGetInformerStats, KphpCommsGetInformerStats, KphpCommsRequireLow }, { KphMsgGetInformerClientStats, KphpCommsGetInformerClientStats, KphpCommsRequireLow }, }; const ULONG KphCommsMessageHandlerCount = ARRAYSIZE(KphCommsMessageHandlers); C_ASSERT(ARRAYSIZE(KphCommsMessageHandlers) == MaxKphMsgClient); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PAGED_FILE(); _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsRequireMaximum( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); UNREFERENCED_PARAMETER(Client); UNREFERENCED_PARAMETER(Message); return KPH_PROCESS_STATE_MAXIMUM; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsRequireMedium( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); UNREFERENCED_PARAMETER(Client); UNREFERENCED_PARAMETER(Message); return KPH_PROCESS_STATE_MEDIUM; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsRequireLow( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); UNREFERENCED_PARAMETER(Client); UNREFERENCED_PARAMETER(Message); return KPH_PROCESS_STATE_LOW; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsGetInformerSettings( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_GET_INFORMER_SETTINGS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgGetInformerSettings); UNREFERENCED_PARAMETER(Client); msg = &Message->User.GetInformerSettings; msg->Status = KphGetInformerSettings(msg->Settings, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsSetInformerSettings( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_SET_INFORMER_SETTINGS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgSetInformerSettings); UNREFERENCED_PARAMETER(Client); msg = &Message->User.SetInformerSettings; msg->Status = KphSetInformerSettings(msg->Settings, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsOpenProcessRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { ACCESS_MASK desiredAccess; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenProcess); UNREFERENCED_PARAMETER(Client); desiredAccess = Message->User.OpenProcess.DesiredAccess; if ((desiredAccess & KPH_PROCESS_READ_ACCESS) != desiredAccess) { return KPH_PROCESS_STATE_MAXIMUM; } return KPH_PROCESS_STATE_MEDIUM; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenProcess( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_PROCESS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenProcess); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenProcess; msg->Status = KphOpenProcess(msg->ProcessHandle, msg->DesiredAccess, msg->ClientId, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsOpenProcessTokenRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { ACCESS_MASK desiredAccess; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenProcessToken); UNREFERENCED_PARAMETER(Client); desiredAccess = Message->User.OpenProcessToken.DesiredAccess; if ((desiredAccess & KPH_TOKEN_READ_ACCESS) != desiredAccess) { return KPH_PROCESS_STATE_MAXIMUM; } return KPH_PROCESS_STATE_MEDIUM; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenProcessToken( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_PROCESS_TOKEN msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenProcessToken); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenProcessToken; msg->Status = KphOpenProcessToken(msg->ProcessHandle, msg->DesiredAccess, msg->TokenHandle, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsOpenProcessJobRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { ACCESS_MASK desiredAccess; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenProcessJob); UNREFERENCED_PARAMETER(Client); desiredAccess = Message->User.OpenProcessJob.DesiredAccess; if ((desiredAccess & KPH_JOB_READ_ACCESS) != desiredAccess) { return KPH_PROCESS_STATE_MAXIMUM; } return KPH_PROCESS_STATE_MEDIUM; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenProcessJob( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_PROCESS_JOB msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenProcessJob); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenProcessJob; msg->Status = KphOpenProcessJob(msg->ProcessHandle, msg->DesiredAccess, msg->JobHandle, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsTerminateProcess( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_TERMINATE_PROCESS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgTerminateProcess); UNREFERENCED_PARAMETER(Client); msg = &Message->User.TerminateProcess; msg->Status = KphTerminateProcess(msg->ProcessHandle, msg->ExitStatus, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsReadVirtualMemory( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_READ_VIRTUAL_MEMORY msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgReadVirtualMemory); UNREFERENCED_PARAMETER(Client); msg = &Message->User.ReadVirtualMemory; msg->Status = KphReadVirtualMemory(msg->ProcessHandle, msg->BaseAddress, msg->Buffer, msg->BufferSize, msg->NumberOfBytesRead, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsOpenThreadRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { ACCESS_MASK desiredAccess; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenThread); UNREFERENCED_PARAMETER(Client); desiredAccess = Message->User.OpenThread.DesiredAccess; if ((desiredAccess & KPH_THREAD_READ_ACCESS) != desiredAccess) { return KPH_PROCESS_STATE_MAXIMUM; } return KPH_PROCESS_STATE_MEDIUM; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenThread( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_THREAD msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenThread); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenThread; msg->Status = KphOpenThread(msg->ThreadHandle, msg->DesiredAccess, msg->ClientId, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsOpenThreadProcessRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { ACCESS_MASK desiredAccess; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenThreadProcess); UNREFERENCED_PARAMETER(Client); desiredAccess = Message->User.OpenThreadProcess.DesiredAccess; if ((desiredAccess & KPH_PROCESS_READ_ACCESS) != desiredAccess) { return KPH_PROCESS_STATE_MAXIMUM; } return KPH_PROCESS_STATE_MEDIUM; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenThreadProcess( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_THREAD_PROCESS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenThreadProcess); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenThreadProcess; msg->Status = KphOpenThreadProcess(msg->ThreadHandle, msg->DesiredAccess, msg->ProcessHandle, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsCaptureStackBackTraceThread( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_CAPTURE_STACK_BACKTRACE_THREAD msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgCaptureStackBackTraceThread); UNREFERENCED_PARAMETER(Client); msg = &Message->User.CaptureStackBackTraceThread; msg->Status = KphCaptureStackBackTraceThreadByHandle(msg->ThreadHandle, msg->FramesToSkip, msg->FramesToCapture, msg->BackTrace, msg->CapturedFrames, msg->BackTraceHash, msg->Flags, msg->Timeout, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsEnumerateProcessHandles( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_ENUMERATE_PROCESS_HANDLES msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgEnumerateProcessHandles); UNREFERENCED_PARAMETER(Client); msg = &Message->User.EnumerateProcessHandles; msg->Status = KphEnumerateProcessHandles(msg->ProcessHandle, msg->Buffer, msg->BufferLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryInformationObject( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_INFORMATION_OBJECT msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryInformationObject); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryInformationObject; msg->Status = KphQueryInformationObject(msg->ProcessHandle, msg->Handle, msg->ObjectInformationClass, msg->ObjectInformation, msg->ObjectInformationLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsSetInformationObject( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_SET_INFORMATION_OBJECT msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgSetInformationObject); UNREFERENCED_PARAMETER(Client); msg = &Message->User.SetInformationObject; msg->Status = KphSetInformationObject(msg->ProcessHandle, msg->Handle, msg->ObjectInformationClass, msg->ObjectInformation, msg->ObjectInformationLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenDriver( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_DRIVER msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenDriver); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenDriver; msg->Status = KphOpenDriver(msg->DriverHandle, msg->DesiredAccess, msg->ObjectAttributes, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryInformationDriver( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_INFORMATION_DRIVER msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryInformationDriver); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryInformationDriver; msg->Status = KphQueryInformationDriver(msg->DriverHandle, msg->DriverInformationClass, msg->DriverInformation, msg->DriverInformationLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsQueryInformationProcessRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryInformationProcess); UNREFERENCED_PARAMETER(Client); switch (Message->User.QueryInformationProcess.ProcessInformationClass) { case KphProcessWSLProcessId: case KphProcessStateInformation: case KphProcessSequenceNumber: case KphProcessStartKey: { return KPH_PROCESS_STATE_LOW; } case KphProcessBasicInformation: case KphProcessImageSection: { return KPH_PROCESS_STATE_MEDIUM; } default: { return KPH_PROCESS_STATE_MAXIMUM; } } } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryInformationProcess( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_INFORMATION_PROCESS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryInformationProcess); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryInformationProcess; msg->Status = KphQueryInformationProcess(msg->ProcessHandle, msg->ProcessInformationClass, msg->ProcessInformation, msg->ProcessInformationLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsSetInformationProcess( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_SET_INFORMATION_PROCESS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgSetInformationProcess); UNREFERENCED_PARAMETER(Client); msg = &Message->User.SetInformationProcess; msg->Status = KphSetInformationProcess(msg->ProcessHandle, msg->ProcessInformationClass, msg->ProcessInformation, msg->ProcessInformationLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsSetInformationThread( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_SET_INFORMATION_THREAD msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgSetInformationThread); UNREFERENCED_PARAMETER(Client); msg = &Message->User.SetInformationThread; msg->Status = KphSetInformationThread(msg->ThreadHandle, msg->ThreadInformationClass, msg->ThreadInformation, msg->ThreadInformationLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsSystemControl( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_SYSTEM_CONTROL msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgSystemControl); UNREFERENCED_PARAMETER(Client); msg = &Message->User.SystemControl; msg->Status = KphSystemControl(msg->SystemControlClass, msg->SystemControlInfo, msg->SystemControlInfoLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsAlpcQueryInformation( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_ALPC_QUERY_INFORMATION msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgAlpcQueryInformation); UNREFERENCED_PARAMETER(Client); msg = &Message->User.AlpcQueryInformation; msg->Status = KphAlpcQueryInformation(msg->ProcessHandle, msg->PortHandle, msg->AlpcInformationClass, msg->AlpcInformation, msg->AlpcInformationLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryInformationFile( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_INFORMATION_FILE msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryInformationFile); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryInformationFile; msg->Status = KphQueryInformationFile(msg->ProcessHandle, msg->FileHandle, msg->FileInformationClass, msg->FileInformation, msg->FileInformationLength, msg->IoStatusBlock, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryVolumeInformationFile( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_VOLUME_INFORMATION_FILE msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryVolumeInformationFile); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryVolumeInformationFile; msg->Status = KphQueryVolumeInformationFile(msg->ProcessHandle, msg->FileHandle, msg->FsInformationClass, msg->FsInformation, msg->FsInformationLength, msg->IoStatusBlock, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsDuplicateObject( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_DUPLICATE_OBJECT msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgDuplicateObject); UNREFERENCED_PARAMETER(Client); msg = &Message->User.DuplicateObject; msg->Status = KphDuplicateObject(msg->ProcessHandle, msg->SourceHandle, msg->DesiredAccess, msg->TargetHandle, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryPerformanceCounter( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_PERFORMANCE_COUNTER msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryPerformanceCounter); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryPerformanceCounter; msg->PerformanceCounter = KeQueryPerformanceCounter(&msg->PerformanceFrequency); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsCreateFileRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { ACCESS_MASK desiredAccess; ULONG createDisposition; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgCreateFile); UNREFERENCED_PARAMETER(Client); desiredAccess = Message->User.CreateFile.DesiredAccess; if ((desiredAccess & KPH_FILE_READ_ACCESS) != desiredAccess) { return KPH_PROCESS_STATE_MAXIMUM; } createDisposition = Message->User.CreateFile.CreateDisposition; if (createDisposition != KPH_FILE_READ_DISPOSITION) { return KPH_PROCESS_STATE_MAXIMUM; } return KPH_PROCESS_STATE_MEDIUM; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsCreateFile( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_CREATE_FILE msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgCreateFile); UNREFERENCED_PARAMETER(Client); msg = &Message->User.CreateFile; msg->Status = KphCreateFile(msg->FileHandle, msg->DesiredAccess, msg->ObjectAttributes, msg->IoStatusBlock, msg->AllocationSize, msg->FileAttributes, msg->ShareAccess, msg->CreateDisposition, msg->CreateOptions, msg->EaBuffer, msg->EaLength, msg->Options, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsQueryInformationThreadRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryInformationThread); UNREFERENCED_PARAMETER(Client); switch (Message->User.QueryInformationThread.ThreadInformationClass) { case KphThreadIoCounters: case KphThreadWSLThreadId: { return KPH_PROCESS_STATE_LOW; } case KphThreadKernelStackInformation: { return KPH_PROCESS_STATE_MAXIMUM; } default: { return KPH_PROCESS_STATE_MAXIMUM; } } } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryInformationThread( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_INFORMATION_THREAD msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryInformationThread); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryInformationThread; msg->Status = KphQueryInformationThread(msg->ThreadHandle, msg->ThreadInformationClass, msg->ThreadInformation, msg->ThreadInformationLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQuerySection( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_SECTION msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQuerySection); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QuerySection; msg->Status = KphQuerySection(msg->SectionHandle, msg->SectionInformationClass, msg->SectionInformation, msg->SectionInformationLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsCompareObjects( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_COMPARE_OBJECTS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgCompareObjects); UNREFERENCED_PARAMETER(Client); msg = &Message->User.CompareObjects; msg->Status = KphCompareObjects(msg->ProcessHandle, msg->FirstObjectHandle, msg->SecondObjectHandle, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsGetInformerClientSettings( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_GET_INFORMER_CLIENT_SETTINGS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgGetInformerClientSettings); msg = &Message->User.GetInformerClientSettings; msg->Status = KphGetInformerClientSettings(Client, msg->Settings); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsSetInformerClientSettings( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_SET_INFORMER_CLIENT_SETTINGS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgSetInformerClientSettings); msg = &Message->User.SetInformerClientSettings; msg->Status = KphSetInformerClientSettings(Client, msg->Settings); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsAcquireDriverUnloadProtection( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_ACQUIRE_DRIVER_UNLOAD_PROTECTION msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgAcquireDriverUnloadProtection); msg = &Message->User.AcquireDriverUnloadProtection; msg->Status = KphAcquireReference(&Client->DriverUnloadProtectionRef, &msg->ClientPreviousCount); if (NT_SUCCESS(msg->Status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Client %wZ (%lu) " "acquired driver unload protection (%ld)", &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId), msg->ClientPreviousCount + 1); if (msg->ClientPreviousCount == 0) { msg->Status = KphAcquireDriverUnloadProtection(&msg->PreviousCount); } else { msg->PreviousCount = KphGetDriverUnloadProtectionCount(); } } return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsReleaseDriverUnloadProtection( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_RELEASE_DRIVER_UNLOAD_PROTECTION msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgReleaseDriverUnloadProtection); msg = &Message->User.ReleaseDriverUnloadProtection; msg->Status = KphReleaseReference(&Client->DriverUnloadProtectionRef, &msg->ClientPreviousCount); if (NT_SUCCESS(msg->Status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Client %wZ (%lu) " "released driver unload protection (%ld)", &Client->Process->ImageName, HandleToULong(Client->Process->ProcessId), msg->ClientPreviousCount - 1); if (msg->ClientPreviousCount == 1) { msg->Status = KphReleaseDriverUnloadProtection(&msg->PreviousCount); } else { msg->PreviousCount = KphGetDriverUnloadProtectionCount(); } } return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsGetConnectedClientCount( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_GET_CONNECTED_CLIENT_COUNT msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgGetConnectedClientCount); UNREFERENCED_PARAMETER(Client); msg = &Message->User.GetConnectedClientCount; msg->Count = KphGetConnectedClientCount(); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsActivateDynData( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_ACTIVATE_DYNDATA msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgActivateDynData); UNREFERENCED_PARAMETER(Client); msg = &Message->User.ActivateDynData; msg->Status = KphActivateDynData(msg->DynData, msg->DynDataLength, msg->Signature, msg->SignatureLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsIsDynDataActive( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_IS_DYNDATA_ACTIVE msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgIsDynDataActive); UNREFERENCED_PARAMETER(Client); msg = &Message->User.IsDynDataActive; msg->Status = KphIsDynDataActive(msg->IsActive, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsRequestSessionAccessToken( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_REQUEST_SESSION_ACCESS_TOKEN msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgRequestSessionAccessToken); UNREFERENCED_PARAMETER(Client); msg = &Message->User.RequestSessionAccessToken; msg->Status = KphRequestSessionAccessToken(&msg->AccessToken, &msg->Expiry, msg->Privileges, msg->Uses); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsAssignProcessSessionToken( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_ASSIGN_PROCESS_SESSION_TOKEN msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgAssignProcessSessionToken); UNREFERENCED_PARAMETER(Client); msg = &Message->User.AssignProcessSessionToken; msg->Status = KphAssignProcessSessionToken(msg->ProcessHandle, msg->Signature, msg->SignatureLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsAssignThreadSessionToken( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_ASSIGN_THREAD_SESSION_TOKEN msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgAssignThreadSessionToken); UNREFERENCED_PARAMETER(Client); msg = &Message->User.AssignThreadSessionToken; msg->Status = KphAssignThreadSessionToken(msg->ThreadHandle, msg->Signature, msg->SignatureLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsGetInformerProcessSettings( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_GET_INFORMER_PROCESS_SETTINGS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgGetInformerProcessSettings); UNREFERENCED_PARAMETER(Client); msg = &Message->User.GetInformerProcessSettings; msg->Status = KphGetInformerProcessSettings(msg->ProcessHandle, msg->Settings, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsSetInformerProcessSettings( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_SET_INFORMER_PROCESS_SETTINGS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgSetInformerProcessSettings); UNREFERENCED_PARAMETER(Client); msg = &Message->User.SetInformerProcessSettings; msg->Status = KphSetInformerProcessSettings(msg->ProcessHandle, msg->Settings, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsStripProtectedProcessMasks( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_STRIP_PROTECTED_PROCESS_MASKS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgStripProtectedProcessMasks); UNREFERENCED_PARAMETER(Client); msg = &Message->User.StripProtectedProcessMasks; msg->Status = KphStripProtectedProcessMasks(msg->ProcessHandle, msg->ProcessAllowedMask, msg->ThreadAllowedMask, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KphpCommsQueryVirtualMemoryRequires( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryVirtualMemory); UNREFERENCED_PARAMETER(Client); switch (Message->User.QueryVirtualMemory.MemoryInformationClass) { case KphMemoryImageSection: case KphMemoryDataSection: { return KPH_PROCESS_STATE_MEDIUM; } case KphMemoryMappedInformation: default: { return KPH_PROCESS_STATE_MAXIMUM; } } } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryVirtualMemory( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_VIRTUAL_MEMORY msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryVirtualMemory); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryVirtualMemory; msg->Status = KphQueryVirtualMemory(msg->ProcessHandle, msg->BaseAddress, msg->MemoryInformationClass, msg->MemoryInformation, msg->MemoryInformationLength, msg->ReturnLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsQueryHashInformationFile( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_QUERY_HASH_INFORMATION_FILE msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgQueryHashInformationFile); UNREFERENCED_PARAMETER(Client); msg = &Message->User.QueryHashInformationFile; msg->Status = KphQueryHashInformationFile(msg->FileHandle, msg->HashingInformation, msg->HashingInformationLength, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenDevice( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_DEVICE msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenDevice); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenDevice; msg->Status = KphOpenDevice(msg->DeviceHandle, msg->DesiredAccess, msg->ObjectAttributes, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenDeviceDriver( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_DEVICE_DRIVER msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenDeviceDriver); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenDeviceDriver; msg->Status = KphOpenDeviceDriver(msg->DeviceHandle, msg->DesiredAccess, msg->DriverHandle, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsOpenDeviceBaseDevice( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_OPEN_DEVICE_BASE_DEVICE msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgOpenDeviceBaseDevice); UNREFERENCED_PARAMETER(Client); msg = &Message->User.OpenDeviceBaseDevice; msg->Status = KphOpenDeviceBaseDevice(msg->DeviceHandle, msg->DesiredAccess, msg->BaseDeviceHandle, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsGetInformerStats( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_GET_INFORMER_STATS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgGetInformerStats); UNREFERENCED_PARAMETER(Client); msg = &Message->User.GetInformerStats; msg->Status = KphGetInformerStats(msg->ProcessHandle, msg->Stats, UserMode); return STATUS_SUCCESS; } _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpCommsGetInformerClientStats( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ) { PKPHM_GET_INFORMER_CLIENT_STATS msg; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(ExGetPreviousMode() == UserMode); NT_ASSERT(Message->Header.MessageId == KphMsgGetInformerClientStats); msg = &Message->User.GetInformerClientStats; msg->Status = KphGetInformerClientStats(Client, msg->Stats); return STATUS_SUCCESS; } ================================================ FILE: KSystemInformer/device.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2024-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Open a device object. * * \param[out] DriverHandle Set to the opened handle to the device. * \param[in] DesiredAccess Desired access to the device object. * \param[in] ObjectAttributes Object attributes for opening the device object. * \param[in] AccessMode The mode in which to perform access checks. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenDevice( _Out_ PHANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; HANDLE fileHandle; PFILE_OBJECT fileObject; PUNICODE_STRING capturedObjectName; OBJECT_ATTRIBUTES objectAttributes; POBJECT_ATTRIBUTES objectAttributesPtr; ULONG options; IO_STATUS_BLOCK ioStatusBlock; HANDLE deviceHandle; KPH_PAGED_CODE_PASSIVE(); fileHandle = NULL; fileObject = NULL; capturedObjectName = NULL; if (AccessMode != KernelMode) { OBJECT_ATTRIBUTES capturedAttributes; __try { ReadStructFromUser(&capturedAttributes, ObjectAttributes); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } if (capturedAttributes.ObjectName) { status = KphCaptureUnicodeString(capturedAttributes.ObjectName, &capturedObjectName); if (!NT_SUCCESS(status)) { goto Exit; } } SetFlag(capturedAttributes.Attributes, OBJ_KERNEL_HANDLE); SetFlag(capturedAttributes.Attributes, OBJ_FORCE_ACCESS_CHECK); InitializeObjectAttributes(&objectAttributes, capturedObjectName, capturedAttributes.Attributes, capturedAttributes.RootDirectory, NULL); objectAttributesPtr = &objectAttributes; options = IO_FORCE_ACCESS_CHECK; } else { objectAttributesPtr = ObjectAttributes; options = 0; } status = KphCreateFile(&fileHandle, DesiredAccess, objectAttributesPtr, &ioStatusBlock, NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0, options, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCreateFile failed: %!STATUS!", status); fileHandle = NULL; goto Exit; } status = ObReferenceObjectByHandle(fileHandle, 0, *IoFileObjectType, KernelMode, &fileObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); fileObject = NULL; goto Exit; } status = ObOpenObjectByPointer(IoGetRelatedDeviceObject(fileObject), (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *IoDeviceObjectType, AccessMode, &deviceHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); deviceHandle = NULL; goto Exit; } status = KphWriteHandleToMode(DeviceHandle, deviceHandle, AccessMode); Exit: if (fileObject) { ObDereferenceObject(fileObject); } if (fileHandle) { ObCloseHandle(fileHandle, KernelMode); } if (capturedObjectName) { KphReleaseUnicodeString(capturedObjectName); } return status; } /** * \brief Opens a driver object associated with a device object. * * \param[in] DeviceHandle Handle to a device object. * \param[in] DesiredAccess Desired access to the driver object. * \param[out] DriverHandle Set to the opened handle to the driver object. * \param[in] AccessMode The mode in which to perform access checks. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenDeviceDriver( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE DriverHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PDEVICE_OBJECT deviceObject; HANDLE driverHandle; KPH_PAGED_CODE_PASSIVE(); status = ObReferenceObjectByHandle(DeviceHandle, DesiredAccess, *IoDeviceObjectType, AccessMode, &deviceObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); deviceObject = NULL; goto Exit; } status = ObOpenObjectByPointer(deviceObject->DriverObject, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *IoDriverObjectType, AccessMode, &driverHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); driverHandle = NULL; goto Exit; } status = KphWriteHandleToMode(DriverHandle, driverHandle, AccessMode); Exit: if (deviceObject) { ObDereferenceObject(deviceObject); } return status; } /** * \brief Opens the base device object associated with a device object. * * \details The base device object is the lowest-level device object in the file * system or device driver stack. * * \param[in] DeviceHandle Handle to a device object. * \param[in] DesiredAccess Desired access to the base device object. * \param[out] BaseDeviceHandle Set to the opened handle to the device object. * \param[in] AccessMode The mode in which to perform access checks. */ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphOpenDeviceBaseDevice( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE BaseDeviceHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PDEVICE_OBJECT deviceObject; PDEVICE_OBJECT baseDeviceObject; HANDLE baseDeviceHandle; KPH_PAGED_CODE_PASSIVE(); baseDeviceObject = NULL; status = ObReferenceObjectByHandle(DeviceHandle, DesiredAccess, *IoDeviceObjectType, AccessMode, &deviceObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); deviceObject = NULL; goto Exit; } baseDeviceObject = IoGetDeviceAttachmentBaseRef(deviceObject); status = ObOpenObjectByPointer(baseDeviceObject, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *IoDeviceObjectType, AccessMode, &baseDeviceHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); baseDeviceHandle = NULL; goto Exit; } status = KphWriteHandleToMode(BaseDeviceHandle, baseDeviceHandle, AccessMode); Exit: if (baseDeviceObject) { ObDereferenceObject(baseDeviceObject); } if (deviceObject) { ObDereferenceObject(deviceObject); } return status; } ================================================ FILE: KSystemInformer/driver.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2022-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Opens a driver object. * * \param[out] DriverHandle Set to the opened handle to the driver. * \param[in] DesiredAccess Desired access to the driver object. * \param[in] ObjectAttributes Object attributes for opening the driver object. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenDriver( _Out_ PHANDLE DriverHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE_PASSIVE(); return KphOpenNamedObject(DriverHandle, DesiredAccess, ObjectAttributes, *IoDriverObjectType, AccessMode); } /** * \brief Queries information about a driver. * * \param[in] DriverHandle Handle to driver to query. * \param[in] DriverInformationClass Information class to query. * \param[out] DriverInformation Populated with driver information by class. * \param[in] DriverInformationLength Length of the driver information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationDriver( _In_ HANDLE DriverHandle, _In_ KPH_DRIVER_INFORMATION_CLASS DriverInformationClass, _Out_writes_bytes_opt_(DriverInformationLength) PVOID DriverInformation, _In_ ULONG DriverInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PDRIVER_OBJECT driverObject; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); returnLength = 0; status = ObReferenceObjectByHandle(DriverHandle, 0, *IoDriverObjectType, KernelMode, &driverObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); driverObject = NULL; goto Exit; } // // We reach into the driver object on purpose // #pragma prefast(push) #pragma prefast(disable : 28175) switch (DriverInformationClass) { case KphDriverBasicInformation: { // // Basic information such as flags, driver base and driver size. // KPH_DRIVER_BASIC_INFORMATION basicInfo; if (!DriverInformation || (DriverInformationLength < sizeof(KPH_DRIVER_BASIC_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_DRIVER_BASIC_INFORMATION); goto Exit; } RtlZeroMemory(&basicInfo, sizeof(KPH_DRIVER_BASIC_INFORMATION)); basicInfo.Flags = driverObject->Flags; basicInfo.DriverStart = driverObject->DriverStart; basicInfo.DriverSize = driverObject->DriverSize; status = KphCopyToMode(DriverInformation, &basicInfo, sizeof(KPH_DRIVER_BASIC_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_DRIVER_BASIC_INFORMATION); } break; } case KphDriverNameInformation: { // // The name of the driver - e.g. \Driver\Null. // status = KphCopyUnicodeStringToMode(DriverInformation, DriverInformationLength, &driverObject->DriverName, &returnLength, AccessMode); break; } case KphDriverServiceKeyNameInformation: { PCUNICODE_STRING serviceKeyName; // // The name of the driver's service key - e.g. \REGISTRY\... // if (driverObject->DriverExtension) { serviceKeyName = &driverObject->DriverExtension->ServiceKeyName; } else { serviceKeyName = NULL; } status = KphCopyUnicodeStringToMode(DriverInformation, DriverInformationLength, serviceKeyName, &returnLength, AccessMode); break; } case KphDriverImageFileNameInformation: { UNICODE_STRING fullDriverPath; if ((KphOsVersionInfo.dwMajorVersion < 10) || (KphOsVersionInfo.dwMajorVersion == 10) && (KphOsVersionInfo.dwBuildNumber < 16299)) { // // Per documentation it is not safe to call IoQueryFullDriverPath // on anything but our own driver object. // status = STATUS_NOINTERFACE; goto Exit; } RtlZeroMemory(&fullDriverPath, sizeof(UNICODE_STRING)); status = IoQueryFullDriverPath(driverObject, &fullDriverPath); if (!NT_SUCCESS(status)) { goto Exit; } status = KphCopyUnicodeStringToMode(DriverInformation, DriverInformationLength, &fullDriverPath, &returnLength, AccessMode); KphFreePool(fullDriverPath.Buffer); break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } #pragma prefast(pop) Exit: if (driverObject) { ObDereferenceObject(driverObject); } if (ReturnLength) { KphWriteULongToMode(ReturnLength, returnLength, AccessMode); } return status; } ================================================ FILE: KSystemInformer/dyndata.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2022-2026 * */ #include #include #include typedef struct _KPH_DYN_INIT { PKPH_DYN_CONFIG Config; PKPH_DYN_KERNEL_FIELDS Kernel; PKPH_DYN_LXCORE_FIELDS Lxcore; } KPH_DYN_INIT, *PKPH_DYN_INIT; typedef union _KPH_DYN_ATOMIC { PKPH_DYN Dyn; KPH_ATOMIC_OBJECT_REF Atomic; } KPH_DYN_ATOMIC, *PKPH_DYN_ATOMIC; typedef struct _KPH_DYN_MODULE { USHORT Class; UNICODE_STRING Name; BOOLEAN Valid; USHORT Machine; ULONG TimeDateStamp; ULONG SizeOfImage; } KPH_DYN_MODULE, *PKPH_DYN_MODULE; typedef enum _KPH_DYN_MODULE_CLASS { KphDynNtoskrnl, KphDynNtkrla57, KphDynLxcore, } KPH_DYN_MODULE_CLASS, *PKPH_DYN_MODULE_CLASS; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpDynDataTypeName = RTL_CONSTANT_STRING(L"KphDynData"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpDynDataType = NULL; static KPH_DYN_MODULE KphpDynModules[] = { { KPH_DYN_CLASS_NTOSKRNL, RTL_CONSTANT_STRING(L"ntoskrnl.exe"), FALSE, 0, 0, 0 }, { KPH_DYN_CLASS_NTKRLA57, RTL_CONSTANT_STRING(L"ntkrla57.exe"), FALSE, 0, 0, 0 }, { KPH_DYN_CLASS_LXCORE, RTL_CONSTANT_STRING(L"lxcore.sys"), FALSE, 0, 0, 0 }, }; KPH_PROTECTED_DATA_SECTION_POP(); static KPH_DYN_ATOMIC KphpDynData = { .Atomic = KPH_ATOMIC_OBJECT_REF_INIT }; /** * \brief Reference the dynamic configuration. * * \return Pointer to the dynamic configuration, NULL if not activated. The * caller must eventually dereference the object. */ _Must_inspect_result_ PKPH_DYN KphReferenceDynData( VOID ) { return KphAtomicReferenceObject(&KphpDynData.Atomic); } KPH_PAGED_FILE(); /** * \brief Allocates a dynamic configuration object. * * \param[in] Size The size of the object to allocate. * * \return Pointer to the allocated object, NULL on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateDynData( _In_ SIZE_T Size ) { KPH_PAGED_CODE_PASSIVE(); return KphAllocateNPaged(Size, KPH_TAG_DYNDATA); } /** * \brief Initializes a dynamic configuration object. * * \param[in] Object Dynamic configuration object to initialize. * \param[in] Parameter Initialization parameters for dynamic configuration. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeDynData( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_DYN dyn; PKPH_DYN_INIT init; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Parameter); dyn = Object; init = Parameter; #define KPH_LOAD_DYNITEM_KERNEL(x) dyn->x = C_2sTo4(init->Kernel->x) #define KPH_LOAD_DYNITEM_LXCORE(x) dyn->x = init->Lxcore ? C_2sTo4(init->Lxcore->x) : ULONG_MAX; KPH_LOAD_DYNITEM_KERNEL(EgeGuid); KPH_LOAD_DYNITEM_KERNEL(EpObjectTable); KPH_LOAD_DYNITEM_KERNEL(EreGuidEntry); KPH_LOAD_DYNITEM_KERNEL(HtHandleContentionEvent); KPH_LOAD_DYNITEM_KERNEL(OtName); KPH_LOAD_DYNITEM_KERNEL(OtIndex); KPH_LOAD_DYNITEM_KERNEL(ObDecodeShift); KPH_LOAD_DYNITEM_KERNEL(ObAttributesShift); KPH_LOAD_DYNITEM_KERNEL(AlpcCommunicationInfo); KPH_LOAD_DYNITEM_KERNEL(AlpcOwnerProcess); KPH_LOAD_DYNITEM_KERNEL(AlpcConnectionPort); KPH_LOAD_DYNITEM_KERNEL(AlpcServerCommunicationPort); KPH_LOAD_DYNITEM_KERNEL(AlpcClientCommunicationPort); KPH_LOAD_DYNITEM_KERNEL(AlpcHandleTable); KPH_LOAD_DYNITEM_KERNEL(AlpcHandleTableLock); KPH_LOAD_DYNITEM_KERNEL(AlpcAttributes); KPH_LOAD_DYNITEM_KERNEL(AlpcAttributesFlags); KPH_LOAD_DYNITEM_KERNEL(AlpcPortContext); KPH_LOAD_DYNITEM_KERNEL(AlpcPortObjectLock); KPH_LOAD_DYNITEM_KERNEL(AlpcSequenceNo); KPH_LOAD_DYNITEM_KERNEL(AlpcState); KPH_LOAD_DYNITEM_KERNEL(KtInitialStack); KPH_LOAD_DYNITEM_KERNEL(KtStackLimit); KPH_LOAD_DYNITEM_KERNEL(KtStackBase); KPH_LOAD_DYNITEM_KERNEL(KtKernelStack); KPH_LOAD_DYNITEM_KERNEL(KtReadOperationCount); KPH_LOAD_DYNITEM_KERNEL(KtWriteOperationCount); KPH_LOAD_DYNITEM_KERNEL(KtOtherOperationCount); KPH_LOAD_DYNITEM_KERNEL(KtReadTransferCount); KPH_LOAD_DYNITEM_KERNEL(KtWriteTransferCount); KPH_LOAD_DYNITEM_KERNEL(KtOtherTransferCount); KPH_LOAD_DYNITEM_KERNEL(MmSectionControlArea); KPH_LOAD_DYNITEM_KERNEL(MmControlAreaListHead); KPH_LOAD_DYNITEM_KERNEL(MmControlAreaLock); KPH_LOAD_DYNITEM_KERNEL(EpSectionObject); KPH_LOAD_DYNITEM_LXCORE(LxPicoProc); KPH_LOAD_DYNITEM_LXCORE(LxPicoProcInfo); KPH_LOAD_DYNITEM_LXCORE(LxPicoProcInfoPID); KPH_LOAD_DYNITEM_LXCORE(LxPicoThrdInfo); KPH_LOAD_DYNITEM_LXCORE(LxPicoThrdInfoTID); status = KphVerifyCreateKey(&dyn->SessionTokenPublicKeyHandle, init->Config->SessionTokenPublicKey, KPH_DYN_SESSION_TOKEN_PUBLIC_KEY_LENGTH); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphVerifyCreateKey failed: %!STATUS!", status); dyn->SessionTokenPublicKeyHandle = NULL; } return status; } /** * \brief Deletes a dynamic configuration object. * * \param[in] Object Dynamic configuration object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpDeleteDynData( _In_freesMem_ PVOID Object ) { PKPH_DYN dyn; KPH_PAGED_CODE_PASSIVE(); dyn = Object; if (dyn->SessionTokenPublicKeyHandle) { KphVerifyCloseKey(dyn->SessionTokenPublicKeyHandle); } } /** * \brief Frees a dynamic configuration object. * * \param[in] Object Dynamic configuration object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpFreeDynData( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE_PASSIVE(); KphFree(Object, KPH_TAG_DYNDATA); } /** * \brief Activates dynamic data. * * \param[in] DynConfig The dynamic configuration to activate. * \param[in] DynConfigLength The length of the dynamic configuration. * \param[in] Signature The signature of the dynamic data. * \param[in] SignatureLength The length of the signature. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpActivateDynData( _In_ PBYTE DynConfig, _In_ ULONG DynConfigLength, _In_opt_ PBYTE Signature, _In_ ULONG SignatureLength ) { NTSTATUS status; PKPH_DYN dyn; KPH_DYN_INIT init; PKPH_DYN_KERNEL_FIELDS kernel; PKPH_DYN_LXCORE_FIELDS lxcore; KPH_PAGED_CODE_PASSIVE(); dyn = NULL; kernel = NULL; lxcore = NULL; if (Signature) { status = KphVerifyBuffer(DynConfig, DynConfigLength, Signature, SignatureLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphVerifyBuffer failed: %!STATUS!", status); status = STATUS_SI_DYNDATA_INVALID_SIGNATURE; goto Exit; } } if (KphpDynModules[KphDynNtoskrnl].Valid) { status = KphDynDataLookup((PKPH_DYN_CONFIG)DynConfig, DynConfigLength, KphpDynModules[KphDynNtoskrnl].Class, KphpDynModules[KphDynNtoskrnl].Machine, KphpDynModules[KphDynNtoskrnl].TimeDateStamp, KphpDynModules[KphDynNtoskrnl].SizeOfImage, NULL, &kernel); } else if (KphpDynModules[KphDynNtkrla57].Valid) { status = KphDynDataLookup((PKPH_DYN_CONFIG)DynConfig, DynConfigLength, KphpDynModules[KphDynNtkrla57].Class, KphpDynModules[KphDynNtkrla57].Machine, KphpDynModules[KphDynNtkrla57].TimeDateStamp, KphpDynModules[KphDynNtkrla57].SizeOfImage, NULL, &kernel); } else { status = STATUS_NOT_FOUND; } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDynDataLookup failed: %!STATUS!", status); // // Activating dynamic data requires at least kernel data. // goto Exit; } if (KphpDynModules[KphDynLxcore].Valid) { status = KphDynDataLookup((PKPH_DYN_CONFIG)DynConfig, DynConfigLength, KphpDynModules[KphDynLxcore].Class, KphpDynModules[KphDynLxcore].Machine, KphpDynModules[KphDynLxcore].TimeDateStamp, KphpDynModules[KphDynLxcore].SizeOfImage, NULL, &lxcore); } else { status = STATUS_NOT_FOUND; } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDynDataLookup failed: %!STATUS!", status); // // Activating dynamic data does not require lxcore data. // lxcore = NULL; } init.Config = (PKPH_DYN_CONFIG)DynConfig; init.Kernel = kernel; init.Lxcore = lxcore; status = KphCreateObject(KphpDynDataType, sizeof(KPH_DYN), &dyn, &init); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCreateObject failed: %!STATUS!", status); goto Exit; } KphAtomicAssignObjectReference(&KphpDynData.Atomic, dyn); KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Activated Dynamic Configuration " "for Windows %lu.%lu.%lu Kernel %hu.%hu.%hu.%hu", KphOsVersionInfo.dwMajorVersion, KphOsVersionInfo.dwMinorVersion, KphOsVersionInfo.dwBuildNumber, KphKernelVersion.MajorVersion, KphKernelVersion.MinorVersion, KphKernelVersion.BuildNumber, KphKernelVersion.Revision); Exit: if (dyn) { KphDereferenceObject(dyn); } return status; } /** * \brief Activates dynamic data. * * \param[in] DynData The dynamic data to activate. * \param[in] DynDataLength The length of the dynamic data. * \param[in] Signature The signature of the dynamic data. * \param[in] SignatureLength The length of the signature. * \param[in] AccessMode The access mode of the caller. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphActivateDynData( _In_ PBYTE DynData, _In_ ULONG DynDataLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PBYTE dynData; PBYTE signature; KPH_PAGED_CODE_PASSIVE(); dynData = NULL; signature = NULL; if (!DynData || !DynDataLength) { status = STATUS_INVALID_PARAMETER; goto Exit; } if (!Signature || !SignatureLength) { status = STATUS_SI_DYNDATA_INVALID_SIGNATURE; goto Exit; } if (AccessMode != KernelMode) { dynData = KphAllocatePaged(DynDataLength, KPH_TAG_DYNDATA); if (!dynData) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } signature = KphAllocatePaged(SignatureLength, KPH_TAG_DYNDATA); if (!signature) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(dynData, DynData, DynDataLength); CopyFromUser(signature, Signature, SignatureLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } else { dynData = DynData; signature = Signature; } status = KphpActivateDynData(dynData, DynDataLength, signature, SignatureLength); Exit: if (dynData && (dynData != DynData)) { KphFree(dynData, KPH_TAG_DYNDATA); } if (signature && (signature != Signature)) { KphFree(signature, KPH_TAG_DYNDATA); } return status; } /** * \brief Checks if dynamic data is active. * * \param[out] IsActive Receives TRUE if active, FALSE otherwise. * \param[in] AccessMode The access mode of the caller. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphIsDynDataActive( _Out_ PBOOLEAN IsActive, _In_ KPROCESSOR_MODE AccessMode ) { PKPH_DYN dyn; BOOLEAN isActive; KPH_PAGED_CODE_PASSIVE(); dyn = KphReferenceDynData(); if (dyn) { isActive = TRUE; KphDereferenceObject(dyn); } else { isActive = FALSE; } return KphWriteUCharToMode(IsActive, isActive, AccessMode); } /** * \brief Initializes the dynamic modules. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpInitializeDynModules( VOID ) { KPH_PAGED_CODE_PASSIVE(); KeEnterCriticalRegion(); if (!ExAcquireResourceSharedLite(PsLoadedModuleResource, TRUE)) { KeLeaveCriticalRegion(); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to acquire PsLoadedModuleResource"); return; } for (ULONG i = 0; i < ARRAYSIZE(KphpDynModules); i++) { PKPH_DYN_MODULE dynModule; dynModule = &KphpDynModules[i]; for (PLIST_ENTRY link = PsLoadedModuleList->Flink; link != PsLoadedModuleList; link = link->Flink) { NTSTATUS status; PKLDR_DATA_TABLE_ENTRY entry; KPH_IMAGE_NT_HEADERS image; entry = CONTAINING_RECORD(link, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (!RtlEqualUnicodeString(&entry->BaseDllName, &dynModule->Name, TRUE)) { continue; } __try { status = KphImageNtHeader(entry->DllBase, entry->SizeOfImage, &image); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphImageNtHeader failed: %!STATUS!", status); break; } dynModule->Machine = image.Headers->FileHeader.Machine; dynModule->TimeDateStamp = image.Headers->FileHeader.TimeDateStamp; if (RTL_CONTAINS_FIELD(&image.Headers->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, SizeOfImage)) { dynModule->SizeOfImage = image.Headers->OptionalHeader.SizeOfImage; dynModule->Valid = TRUE; } } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to read module headers: %!STATUS!", GetExceptionCode()); } break; } } ExReleaseResourceLite(PsLoadedModuleResource); KeLeaveCriticalRegion(); } /** * \brief Initializes the dynamic data infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeDynData( VOID ) { NTSTATUS status; KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); KphpInitializeDynModules(); typeInfo.Allocate = KphpAllocateDynData; typeInfo.Initialize = KphpInitializeDynData; typeInfo.Delete = KphpDeleteDynData; typeInfo.Free = KphpFreeDynData; typeInfo.Flags = 0; typeInfo.DeferDelete = TRUE; KphCreateObjectType(&KphpDynDataTypeName, &typeInfo, &KphpDynDataType); if (KphParameterFlags.DynDataNoEmbedded) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Embedded Dynamic Configuration disabled"); } else { status = KphpActivateDynData((PBYTE)KphDynConfig, KphDynConfigLength, NULL, 0); NT_ANALYSIS_ASSUME(NT_SUCCESS(status)); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Embedded Dynamic Configuration: %!STATUS!", status); } } /** * \brief Cleans up the dynamic data infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupDynData( VOID ) { KPH_PAGED_CODE_PASSIVE(); KphAtomicAssignObjectReference(&KphpDynData.Atomic, NULL); } ================================================ FILE: KSystemInformer/dynimp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2020-2026 * */ #include #include KPH_PROTECTED_DATA_SECTION_PUSH(); PPS_SET_LOAD_IMAGE_NOTIFY_ROUTINE_EX KphDynPsSetLoadImageNotifyRoutineEx = NULL; PPS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_EX2 KphDynPsSetCreateProcessNotifyRoutineEx2 = NULL; PMM_PROTECT_DRIVER_SECTION KphDynMmProtectDriverSection = NULL; PPS_GET_PROCESS_SEQUENCE_NUMBER KphDynPsGetProcessSequenceNumber = NULL; PPS_GET_PROCESS_START_KEY KphDynPsGetProcessStartKey = NULL; PSE_REGISTER_IMAGE_VERIFICATION_CALLBACK KphSeRegisterImageVerificationCallback = NULL; PSE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK KphSeUnregisterImageVerificationCallback = NULL; PCI_VALIDATE_FILE_OBJECT KphDynCiValidateFileObject = NULL; PCI_FREE_POLICY_INFO KphDynCiFreePolicyInfo = NULL; PLXP_THREAD_GET_CURRENT KphDynLxpThreadGetCurrent = NULL; PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_SOURCE KphDynIoCheckFileObjectOpenedAsCopySource = NULL; PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_DESTINATION KphDynIoCheckFileObjectOpenedAsCopyDestination = NULL; PFLT_GET_COPY_INFORMATION_FROM_CALLBACK_DATA KphDynFltGetCopyInformationFromCallbackData = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Dynamically imports routines. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphDynamicImport( VOID ) { KPH_PAGED_CODE_PASSIVE(); KphDynPsSetLoadImageNotifyRoutineEx = (PPS_SET_LOAD_IMAGE_NOTIFY_ROUTINE_EX)KphGetSystemRoutineAddress(L"PsSetLoadImageNotifyRoutineEx"); KphDynPsSetCreateProcessNotifyRoutineEx2 = (PPS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_EX2)KphGetSystemRoutineAddress(L"PsSetCreateProcessNotifyRoutineEx2"); KphDynMmProtectDriverSection = (PMM_PROTECT_DRIVER_SECTION)KphGetSystemRoutineAddress(L"MmProtectDriverSection"); KphDynPsGetProcessSequenceNumber = (PPS_GET_PROCESS_SEQUENCE_NUMBER)KphGetSystemRoutineAddress(L"PsGetProcessSequenceNumber"); KphDynPsGetProcessStartKey = (PPS_GET_PROCESS_START_KEY)KphGetSystemRoutineAddress(L"PsGetProcessStartKey"); KphSeRegisterImageVerificationCallback = (PSE_REGISTER_IMAGE_VERIFICATION_CALLBACK)KphGetSystemRoutineAddress(L"SeRegisterImageVerificationCallback"); KphSeUnregisterImageVerificationCallback = (PSE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK)KphGetSystemRoutineAddress(L"SeUnregisterImageVerificationCallback"); KphDynCiValidateFileObject = (PCI_VALIDATE_FILE_OBJECT)KphGetRoutineAddress(L"ci.dll", "CiValidateFileObject"); KphDynCiFreePolicyInfo = (PCI_FREE_POLICY_INFO)KphGetRoutineAddress(L"ci.dll", "CiFreePolicyInfo"); KphDynLxpThreadGetCurrent = (PLXP_THREAD_GET_CURRENT)KphGetRoutineAddress(L"lxcore.sys", "LxpThreadGetCurrent"); KphDynIoCheckFileObjectOpenedAsCopySource = (PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_SOURCE)KphGetSystemRoutineAddress(L"IoCheckFileObjectOpenedAsCopySource"); KphDynIoCheckFileObjectOpenedAsCopyDestination = (PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_DESTINATION)KphGetSystemRoutineAddress(L"IoCheckFileObjectOpenedAsCopyDestination"); KphDynFltGetCopyInformationFromCallbackData = (PFLT_GET_COPY_INFORMATION_FROM_CALLBACK_DATA)KphGetRoutineAddress(L"fltMgr.sys", "FltGetCopyInformationFromCallbackData"); } /** * \brief Retrieves the address of a function exported by NTOS or HAL. * * \param SystemRoutineName The name of the function. * * \return The address of the function, or NULL if the function could * not be found. */ _IRQL_requires_max_(PASSIVE_LEVEL) PVOID KphGetSystemRoutineAddress( _In_z_ PCWSTR SystemRoutineName ) { UNICODE_STRING systemRoutineName; KPH_PAGED_CODE_PASSIVE(); RtlInitUnicodeString(&systemRoutineName, SystemRoutineName); return MmGetSystemRoutineAddress(&systemRoutineName); } /** * \brief Retrieves the address of a function using the exported module list. * Caller must guarantee that PsLoadedModuleList and PsLoadedModuleResource * is available prior to this call. * * \param ModuleName The name of the module to retrieve the function from. * \param RoutineName The name of the routine to retrieve. * * \return The address of the function, or NULL if the function could * not be found. */ _IRQL_requires_max_(PASSIVE_LEVEL) PVOID KphpGetRoutineAddressByModuleList( _In_z_ PCWSTR ModuleName, _In_z_ PCSTR RoutineName ) { PVOID routine; UNICODE_STRING moduleName; KPH_PAGED_CODE_PASSIVE(); routine = NULL; RtlInitUnicodeString(&moduleName, ModuleName); KeEnterCriticalRegion(); if (!ExAcquireResourceSharedLite(PsLoadedModuleResource, TRUE)) { KeLeaveCriticalRegion(); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to acquire PsLoadedModuleResource to " "get routine %ls!%hs", ModuleName, RoutineName); return routine; } for (PLIST_ENTRY link = PsLoadedModuleList->Flink; link != PsLoadedModuleList; link = link->Flink) { PKLDR_DATA_TABLE_ENTRY entry; entry = CONTAINING_RECORD(link, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (!RtlEqualUnicodeString(&entry->BaseDllName, &moduleName, TRUE)) { continue; } routine = RtlFindExportedRoutineByName(entry->DllBase, RoutineName); if (routine) { break; } } ExReleaseResourceLite(PsLoadedModuleResource); KeLeaveCriticalRegion(); if (!routine) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to find routine %ls!%hs", ModuleName, RoutineName); } return routine; } /** * \brief Retrieves the address of a function. * * \param ModuleName The name of the module to retrieve the function from. * \param RoutineName The name of the routine to retrieve. * * \return The address of the function, or NULL if the function could * not be found. */ _IRQL_requires_max_(PASSIVE_LEVEL) PVOID KphGetRoutineAddress( _In_z_ PCWSTR ModuleName, _In_z_ PCSTR RoutineName ) { KPH_PAGED_CODE_PASSIVE(); return KphpGetRoutineAddressByModuleList(ModuleName, RoutineName); } ================================================ FILE: KSystemInformer/file.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Checks if a file handle is safe to issue a query through. * * \details Expects to be stack attached to the process that owns the handle. * * \param[in] FileHandle The file handle to check. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpCheckFileHandleForQuery( _In_ HANDLE FileHandle ) { NTSTATUS status; PFILE_OBJECT fileObject; KPH_PAGED_CODE_PASSIVE(); // // We are stack attached and "invading" the process to perform the query. // If the file object is "Busy" it means it's a synchronous file object // that is currently servicing an I/O request. If we were to issue another // request the call would block until the other completes. Since we don't // control this handle it's possible the call will never complete. // // This check isn't perfect, there is still a race, but it's narrower and // makes it safer and faster for the client. As this stands it's a pretty // gross hack, but we get value out of these APIs, so the hack is better // than nothing. // // TODO(jxy-s) investigate other options to close or eliminate the race // status = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, KernelMode, &fileObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); return status; } status = fileObject->Busy ? STATUS_POSSIBLE_DEADLOCK : STATUS_SUCCESS; ObDereferenceObject(fileObject); return status; } /** * \brief Queries file information. * * \param[in] ProcessHandle A handle to a process. * \param[in] FileHandle A file handle which is present in the process. * \param[in] FileInformationClass The type of information to retrieve. * \param[out] FileInformation The buffer to store the information. * \param[in] FileInformationLength Length of the information buffer. * \param[in] IoStatusBlock Receives completion status and information. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS process; KAPC_STATE apcState; IO_STATUS_BLOCK ioStatusBlock; PVOID buffer; BYTE stackBuffer[64]; KPH_PAGED_CODE_PASSIVE(); process = NULL; buffer = NULL; RtlZeroMemory(&ioStatusBlock, sizeof(IO_STATUS_BLOCK)); if (!FileInformation || !IoStatusBlock) { status = STATUS_INVALID_PARAMETER; goto Exit; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); goto Exit; } if (process == PsInitialSystemProcess) { FileHandle = MakeKernelHandle(FileHandle); } else { if (IsKernelHandle(FileHandle)) { status = STATUS_INVALID_HANDLE; goto Exit; } } buffer = KphAllocatePagedA(FileInformationLength, KPH_TAG_FILE_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } KeStackAttachProcess(process, &apcState); status = KphpCheckFileHandleForQuery(FileHandle); if (NT_SUCCESS(status)) { status = ZwQueryInformationFile(FileHandle, &ioStatusBlock, buffer, FileInformationLength, FileInformationClass); } KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(FileInformation, buffer, FileInformationLength, AccessMode); } KphCopyToMode(IoStatusBlock, &ioStatusBlock, sizeof(IO_STATUS_BLOCK), AccessMode); Exit: if (buffer) { KphFreeA(buffer, KPH_TAG_FILE_QUERY, stackBuffer); } if (process) { ObDereferenceObject(process); } return status; } /** * \brief Queries file volume information. * * \param[in] ProcessHandle A handle to a process. * \param[in] FileHandle A file handle which is present in the process. * \param[in] FsInformationClass The type of information to retrieve. * \param[out] FsInformation The buffer to store the information. * \param[in] FsInformationLength Length of the information buffer. * \param[in] IoStatusBlock Receives completion status and information. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryVolumeInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FS_INFORMATION_CLASS FsInformationClass, _Out_writes_bytes_(FsInformationLength) PVOID FsInformation, _In_ ULONG FsInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS process; KAPC_STATE apcState; IO_STATUS_BLOCK ioStatusBlock; PVOID buffer; BYTE stackBuffer[64]; KPH_PAGED_CODE_PASSIVE(); process = NULL; buffer = NULL; RtlZeroMemory(&ioStatusBlock, sizeof(IO_STATUS_BLOCK)); if (!FsInformation || !IoStatusBlock) { status = STATUS_INVALID_PARAMETER; goto Exit; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); goto Exit; } if (process == PsInitialSystemProcess) { FileHandle = MakeKernelHandle(FileHandle); } else { if (IsKernelHandle(FileHandle)) { status = STATUS_INVALID_HANDLE; goto Exit; } } buffer = KphAllocatePagedA(FsInformationLength, KPH_TAG_VOL_FILE_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } KeStackAttachProcess(process, &apcState); status = KphpCheckFileHandleForQuery(FileHandle); if (NT_SUCCESS(status)) { status = ZwQueryVolumeInformationFile(FileHandle, &ioStatusBlock, buffer, FsInformationLength, FsInformationClass); } KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(FsInformation, buffer, FsInformationLength, AccessMode); } KphCopyToMode(IoStatusBlock, &ioStatusBlock, sizeof(IO_STATUS_BLOCK), AccessMode); Exit: if (buffer) { KphFreeA(buffer, KPH_TAG_VOL_FILE_QUERY, stackBuffer); } if (process) { ObDereferenceObject(process); } return status; } /** * \brief Creates a file. * * \param[out] FileHandle Populated with file handle on success. * \param[in] DesiredAccess The desired access to the file. * \param[in] ObjectAttributes Object attributes for the create. * \param[out] IoStatusBlock Receives final completion status and information. * \param[in] AllocationSize Optional allocation size, in bytes, for the file. * \param[in] FileAttributes Explicitly specified attributes are applied only * when the file is created, superseded, or, in some cases, overwritten. * \param[in] ShareAccess Specifies the type of share access to the file that * the caller would like. * \param[in] CreateDisposition Value that determines how the file should be * handled when the file already exists. * \param[in] CreateOptions Specifies the options to be applied when creating * or opening the file. * \param[in] EaBuffer Optional pointer to an EA buffer. * \param[in] EaLength Length of EA buffer. * \param[in] Options Specifies options to be used during the generation of * the create request. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCreateFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, _In_ ULONG EaLength, _In_ ULONG Options, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); if (AccessMode != KernelMode) { if (ExGetPreviousMode() == KernelMode) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Unexpected previous mode"); NT_ASSERT(ExGetPreviousMode() != KernelMode); status = STATUS_INVALID_LEVEL; goto Exit; } if (Options & ~(IO_OPEN_TARGET_DIRECTORY | IO_STOP_ON_SYMLINK | IO_IGNORE_SHARE_ACCESS_CHECK | IO_OPEN_PAGING_FILE)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Invalid options 0x%lx", Options); status = STATUS_INVALID_PARAMETER; goto Exit; } } else { Options |= (IO_NO_PARAMETER_CHECKING | IO_CHECK_CREATE_PARAMETERS); } status = IoCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength, CreateFileTypeNone, NULL, Options); Exit: return status; } ================================================ FILE: KSystemInformer/hash.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #define KPH_HASHING_BUFFER_SIZE (16 * 1024) #define KPH_HASH_EACACHE_MD5 KPH_KERNEL_PURGE_EA "MD5" #define KPH_HASH_EACACHE_SHA1 KPH_KERNEL_PURGE_EA "SHA1" #define KPH_HASH_EACACHE_SHA1_AUTHENTICODE KPH_KERNEL_PURGE_EA "SHA1A" #define KPH_HASH_EACACHE_SHA256 KPH_KERNEL_PURGE_EA "SHA256" #define KPH_HASH_EACACHE_SHA256_AUTHENTICODE KPH_KERNEL_PURGE_EA "SHA256A" #define KPH_HASH_EACACHE_SHA384 KPH_KERNEL_PURGE_EA "SHA384" #define KPH_HASH_EACACHE_SHA512 KPH_KERNEL_PURGE_EA "SHA512" C_ASSERT(sizeof(KPH_HASH_EACACHE_MD5) < MAXUCHAR); C_ASSERT(sizeof(KPH_HASH_EACACHE_SHA1) < MAXUCHAR); C_ASSERT(sizeof(KPH_HASH_EACACHE_SHA1_AUTHENTICODE) < MAXUCHAR); C_ASSERT(sizeof(KPH_HASH_EACACHE_SHA256) < MAXUCHAR); C_ASSERT(sizeof(KPH_HASH_EACACHE_SHA256_AUTHENTICODE) < MAXUCHAR); C_ASSERT(sizeof(KPH_HASH_EACACHE_SHA384) < MAXUCHAR); C_ASSERT(sizeof(KPH_HASH_EACACHE_SHA512) < MAXUCHAR); #define KPH_HASH_EACACHE_LEN(x) \ ALIGN_UP_BY(FIELD_OFFSET(FILE_GET_EA_INFORMATION, EaName) + \ sizeof(x), \ sizeof(ULONG)) #define KPH_HASH_EACACHE_FULL_LEN(x) \ ALIGN_UP_BY(FIELD_OFFSET(FILE_FULL_EA_INFORMATION, EaName) + \ sizeof(x) + \ KPH_HASH_ALGORITHM_MAX_LENGTH, \ sizeof(ULONG)) #define KPH_HASH_EACACHE_MAX_LENGTH ( \ KPH_HASH_EACACHE_LEN(KPH_HASH_EACACHE_MD5) + \ KPH_HASH_EACACHE_LEN(KPH_HASH_EACACHE_SHA1) + \ KPH_HASH_EACACHE_LEN(KPH_HASH_EACACHE_SHA1_AUTHENTICODE) + \ KPH_HASH_EACACHE_LEN(KPH_HASH_EACACHE_SHA256) + \ KPH_HASH_EACACHE_LEN(KPH_HASH_EACACHE_SHA256_AUTHENTICODE) + \ KPH_HASH_EACACHE_LEN(KPH_HASH_EACACHE_SHA384) + \ KPH_HASH_EACACHE_LEN(KPH_HASH_EACACHE_SHA512)) #define KPH_HASH_EACACHE_FULL_MAX_LENGTH ( \ KPH_HASH_EACACHE_FULL_LEN(KPH_HASH_EACACHE_MD5) + \ KPH_HASH_EACACHE_FULL_LEN(KPH_HASH_EACACHE_SHA1) + \ KPH_HASH_EACACHE_FULL_LEN(KPH_HASH_EACACHE_SHA1_AUTHENTICODE) + \ KPH_HASH_EACACHE_FULL_LEN(KPH_HASH_EACACHE_SHA256) + \ KPH_HASH_EACACHE_FULL_LEN(KPH_HASH_EACACHE_SHA256_AUTHENTICODE) + \ KPH_HASH_EACACHE_FULL_LEN(KPH_HASH_EACACHE_SHA384) + \ KPH_HASH_EACACHE_FULL_LEN(KPH_HASH_EACACHE_SHA512)) C_ASSERT(KPH_HASH_EACACHE_FULL_MAX_LENGTH <= KPH_HASHING_BUFFER_SIZE); typedef struct _KPH_HASHING_INFRASTRUCTURE { PAGED_LOOKASIDE_LIST HashingLookaside; BYTE EaList[KPH_HASH_EACACHE_MAX_LENGTH]; } KPH_HASHING_INFRASTRUCTURE, *PKPH_HASHING_INFRASTRUCTURE; typedef struct _KPH_HASHING_EACACHE_INFORMATION { ULONG HashSize; ANSI_STRING EaName; } KPH_HASHING_EACACHE_INFORMATION, *PKPH_HASHING_EACACHE_INFORMATION; typedef const KPH_HASHING_EACACHE_INFORMATION *PCKPH_HASHING_EACACHE_INFORMATION; typedef struct _KPH_HASHING_EACACHE_CONTEXT { HANDLE FileHandle; PFILE_OBJECT FileObject; HANDLE OplockEventHandle; PKEVENT OplockEventObject; IO_STATUS_BLOCK IoStatusBlock; REQUEST_OPLOCK_OUTPUT_BUFFER OplockOutput; } KPH_HASHING_EACACHE_CONTEXT, *PKPH_HASHING_EACACHE_CONTEXT; typedef struct _KPH_HASHING_AUTHENTICODE_CONTEXT { KPH_MEMORY_REGION Regions[4]; PVOID SecurityBase; ULONG SecuritySize; } KPH_HASHING_AUTHENTICODE_CONTEXT, *PKPH_HASHING_AUTHENTICODE_CONTEXT; typedef struct _KPH_HASHING_ENTRY { BCRYPT_HASH_HANDLE Handle; BOOLEAN HashComplete; ULONG Length; BYTE Hash[KPH_HASH_ALGORITHM_MAX_LENGTH]; } KPH_HASHING_ENTRY, *PKPH_HASHING_ENTRY; typedef struct _KPH_HASHING_CONTEXT { KPH_HASHING_ENTRY Hash[MaxKphHashAlgorithm]; KPH_HASHING_AUTHENTICODE_CONTEXT Authenticode; BOOLEAN RequiresHashing; KPH_HASHING_EACACHE_CONTEXT EaCache; BYTE Buffer[KPH_HASHING_BUFFER_SIZE]; } KPH_HASHING_CONTEXT, *PKPH_HASHING_CONTEXT; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpHashingInfraName = RTL_CONSTANT_STRING(L"KphHashingInfrastructure"); static const KPH_HASHING_EACACHE_INFORMATION KphpHashEaCacheInfo[] = { { (128 / 8), RTL_CONSTANT_STRING(KPH_HASH_EACACHE_MD5) }, { (160 / 8), RTL_CONSTANT_STRING(KPH_HASH_EACACHE_SHA1) }, { (160 / 8), RTL_CONSTANT_STRING(KPH_HASH_EACACHE_SHA1_AUTHENTICODE) }, { (256 / 8), RTL_CONSTANT_STRING(KPH_HASH_EACACHE_SHA256) }, { (256 / 8), RTL_CONSTANT_STRING(KPH_HASH_EACACHE_SHA256_AUTHENTICODE) }, { (384 / 8), RTL_CONSTANT_STRING(KPH_HASH_EACACHE_SHA384) }, { (512 / 8), RTL_CONSTANT_STRING(KPH_HASH_EACACHE_SHA512) }, }; C_ASSERT(ARRAYSIZE(KphpHashEaCacheInfo) == MaxKphHashAlgorithm); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_HASHING_INFRASTRUCTURE KphpHashingInfra = NULL; static PKPH_OBJECT_TYPE KphpHashingInfraType = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Allocates hashing infrastructure object. * * \param[in] Size The size to allocate. * * \return Allocated hashing infrastructure object, null on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateHashingInfra( _In_ SIZE_T Size ) { KPH_PAGED_CODE(); return KphAllocateNPaged(Size, KPH_TAG_HASHING_INFRA); } /** * \brief Initializes hashing infrastructure. * * \param[in,out] Object The hashing infrastructure to initialize. * \param[in] Parameter Unused * * \return Successful or errant status. */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitHashingInfra( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_HASHING_INFRASTRUCTURE infra; PFILE_GET_EA_INFORMATION eaInfo; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Parameter); infra = Object; // // Pre-populate the EA cache items into the buffer to be used when querying // for the cached EA values. We compile time assert that it will all fit in // the buffer. // eaInfo = (PFILE_GET_EA_INFORMATION)infra->EaList; eaInfo->NextEntryOffset = 0; for (ULONG i = 0; i < ARRAYSIZE(KphpHashEaCacheInfo); i++) { PCKPH_HASHING_EACACHE_INFORMATION eaCacheInfo; eaInfo = Add2Ptr(eaInfo, eaInfo->NextEntryOffset); eaCacheInfo = &KphpHashEaCacheInfo[i]; RtlCopyMemory(eaInfo->EaName, eaCacheInfo->EaName.Buffer, eaCacheInfo->EaName.Length); eaInfo->EaNameLength = (UCHAR)eaCacheInfo->EaName.Length; eaInfo->EaName[eaInfo->EaNameLength] = ANSI_NULL; eaInfo->NextEntryOffset = FIELD_OFFSET(FILE_GET_EA_INFORMATION, EaName); eaInfo->NextEntryOffset += eaCacheInfo->EaName.Length; eaInfo->NextEntryOffset += sizeof(ANSI_NULL); eaInfo->NextEntryOffset = ALIGN_UP_BY(eaInfo->NextEntryOffset, sizeof(ULONG)); } eaInfo->NextEntryOffset = 0; KphInitializePagedLookaside(&infra->HashingLookaside, sizeof(KPH_HASHING_CONTEXT), KPH_TAG_HASHING_CONTEXT); return STATUS_SUCCESS; } /** * \brief Deletes hashing infrastructure. * * \param[in,out] Object The hashing infrastructure to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) VOID KSIAPI KphpDeleteHashingInfra( _Inout_ PVOID Object ) { PKPH_HASHING_INFRASTRUCTURE infra; KPH_PAGED_CODE(); infra = Object; KphDeletePagedLookaside(&infra->HashingLookaside); } /** * \brief Frees hashing infrastructure object. * * \param[in] Object The object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) VOID KSIAPI KphpFreeHashingInfra( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE(); KphFree(Object, KPH_TAG_HASHING_INFRA); } /** * \brief Allocates a hashing context from the hashing look-aside list. * * \return Hashing context, null on failure. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Return_allocatesMem_ PKPH_HASHING_CONTEXT KphpAllocateHashingContext( VOID ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphpHashingInfra); return KphAllocateFromPagedLookaside(&KphpHashingInfra->HashingLookaside); } _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpCloseHashingEaCacheContext( _Inout_ PKPH_HASHING_EACACHE_CONTEXT Context ) { KPH_PAGED_CODE_PASSIVE(); if (Context->FileObject) { ObDereferenceObject(Context->FileObject); Context->FileObject = NULL; } if (Context->FileHandle) { NT_ASSERT(!KeAreAllApcsDisabled()); ObCloseHandle(Context->FileHandle, KernelMode); Context->FileHandle = NULL; } if (Context->OplockEventObject) { KeWaitForSingleObject(Context->OplockEventObject, Executive, KernelMode, FALSE, NULL); ObDereferenceObject(Context->OplockEventObject); Context->OplockEventObject = NULL; } if (Context->OplockEventHandle) { ObCloseHandle(Context->OplockEventHandle, KernelMode); Context->OplockEventHandle = NULL; } } /** * \brief Frees a hashing context back to the look-aside list. * * \param[in] Buffer The context to free back to the look-aside list. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFreeHashingContext( _In_freesMem_ PKPH_HASHING_CONTEXT Context ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphpHashingInfra); for (ULONG i = 0; i < ARRAYSIZE(Context->Hash); i++) { if (Context->Hash[i].Handle) { BCryptDestroyHash(Context->Hash[i].Handle); } } KphpCloseHashingEaCacheContext(&Context->EaCache); KphFreeToPagedLookaside(&KphpHashingInfra->HashingLookaside, Context); } /** * \brief Initializes hashing infrastructure. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeHashing( VOID ) { NTSTATUS status; KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); typeInfo.Allocate = KphpAllocateHashingInfra; typeInfo.Initialize = KphpInitHashingInfra; typeInfo.Delete = KphpDeleteHashingInfra; typeInfo.Free = KphpFreeHashingInfra; typeInfo.Flags = 0; KphCreateObjectType(&KphpHashingInfraName, &typeInfo, &KphpHashingInfraType); status = KphCreateObject(KphpHashingInfraType, sizeof(KPH_HASHING_INFRASTRUCTURE), &KphpHashingInfra, NULL); if (!NT_SUCCESS(status)) { KphpHashingInfra = NULL; } return status; } /** * \brief Cleans up hashing infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupHashing( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (KphpHashingInfra) { KphDereferenceObject(KphpHashingInfra); } } /** * \brief References the signing infrastructure. */ _IRQL_requires_max_(APC_LEVEL) VOID KphReferenceHashingInfrastructure( VOID ) { KPH_PAGED_CODE(); NT_ASSERT(KphpHashingInfra); KphReferenceObject(KphpHashingInfra); } /** * \brief Dereferences the signing infrastructure. */ _IRQL_requires_max_(APC_LEVEL) VOID KphDereferenceHashingInfrastructure( VOID ) { KPH_PAGED_CODE(); NT_ASSERT(KphpHashingInfra); KphDereferenceObject(KphpHashingInfra); } /** * \brief Hashes a buffer. * * \param[in] Buffer The buffer to hash. * \param[in] BufferLength The length of the buffer. * \param[in] HashAlgorithm The algorithm to use for hashing. * \param[out] HashInformation Populated with the hash information. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphHashBuffer( _In_ PBYTE Buffer, _In_ ULONG BufferLength, _In_ KPH_HASH_ALGORITHM HashAlgorithm, _Out_ PKPH_HASH_INFORMATION HashInformation ) { NTSTATUS status; BCRYPT_ALG_HANDLE algHandle; BCRYPT_HASH_HANDLE hashHandle; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphpHashingInfra); hashHandle = NULL; RtlZeroMemory(HashInformation, sizeof(*HashInformation)); HashInformation->Algorithm = HashAlgorithm; switch (HashAlgorithm) { case KphHashAlgorithmMd5: { HashInformation->Length = (128 / 8); algHandle = BCRYPT_MD5_ALG_HANDLE; break; } case KphHashAlgorithmSha1: { HashInformation->Length = (160 / 8); algHandle = BCRYPT_SHA1_ALG_HANDLE; break; } case KphHashAlgorithmSha256: { HashInformation->Length = (256 / 8); algHandle = BCRYPT_SHA256_ALG_HANDLE; break; } case KphHashAlgorithmSha384: { HashInformation->Length = (384 / 8); algHandle = BCRYPT_SHA384_ALG_HANDLE; break; } case KphHashAlgorithmSha512: { HashInformation->Length = (512 / 8); algHandle = BCRYPT_SHA512_ALG_HANDLE; break; } default: { status = STATUS_INVALID_PARAMETER; goto Exit; } } status = BCryptCreateHash(algHandle, &hashHandle, NULL, 0, NULL, 0, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "BCryptCreateHash failed: %!STATUS!", status); hashHandle = NULL; goto Exit; } status = BCryptHashData(hashHandle, Buffer, BufferLength, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "BCryptHashData failed: %!STATUS!", status); goto Exit; } status = BCryptFinishHash(hashHandle, HashInformation->Hash, HashInformation->Length, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "BCryptFinishHash failed: %!STATUS!", status); goto Exit; } Exit: if (hashHandle) { BCryptDestroyHash(hashHandle); } return status; } /** * \brief Updates a hash with a buffer from the context. * * \details The internal context buffer must already be updated with a copy of * data pointed to by UnsafeBuffer. * * \param[in,out] Entry The hash entry to update. * \param[in] Context The hashing context. * \param[in] Authenticode Whether the hash is for authenticode or not. * \param[in] UnsafeBuffer Address from which the information was copied. * \param[in] Length The length of the buffer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpUpdateHash( _Inout_ PKPH_HASHING_ENTRY Entry, _In_ PKPH_HASHING_CONTEXT Context, _In_ BOOLEAN Authenticode, _In_ PVOID UnsafeBuffer, _In_ ULONG Length ) { PVOID unsafeEnd; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Entry->Handle && !Entry->HashComplete); if (!Authenticode) { return BCryptHashData(Entry->Handle, Context->Buffer, Length, 0); } // // Only hash within a region relevant for authenticode hashing. // unsafeEnd = Add2Ptr(UnsafeBuffer, Length); for (ULONG i = 0; i < ARRAYSIZE(Context->Authenticode.Regions); i++) { NTSTATUS status; PKPH_MEMORY_REGION region; PVOID start; PVOID end; PVOID buffer; ULONG length; region = &Context->Authenticode.Regions[i]; if (!region->Start) { break; } if ((UnsafeBuffer >= region->Start) && (UnsafeBuffer < region->End)) { start = UnsafeBuffer; } else if ((region->Start >= UnsafeBuffer) && (region->Start < unsafeEnd)) { start = region->Start; } else { start = NULL; } if ((unsafeEnd >= region->Start) && (unsafeEnd < region->End)) { end = unsafeEnd; } else if ((region->End >= UnsafeBuffer) && (region->End < unsafeEnd)) { end = region->End; } else { end = NULL; } if (start && end) { NOTHING; } else if (start && !end) { end = unsafeEnd; } else if (!start && end) { start = UnsafeBuffer; } else { continue; } NT_ASSERT(start <= end); buffer = Add2Ptr(Context->Buffer, PtrOffset(UnsafeBuffer, start)); length = PtrOffset(start, end); status = BCryptHashData(Entry->Handle, buffer, length, 0); if (!NT_SUCCESS(status)) { return status; } } return STATUS_SUCCESS; } /** * \brief Updates all hashes in the context with the context buffer. * * \details The internal context buffer must already be updated with a copy of * data pointed to by UnsafeBuffer. * * \param[in,out] Context The hashing context. * \param[in] UnsafeBuffer Address from which the information was copied. * \param[in] Length The length of the buffer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpUpdateHashes( _Inout_ PKPH_HASHING_CONTEXT Context, _In_ PVOID UnsafeBuffer, _In_ ULONG Length ) { KPH_PAGED_CODE_PASSIVE(); for (ULONG i = 0; i < ARRAYSIZE(Context->Hash); i++) { NTSTATUS status; PKPH_HASHING_ENTRY entry; BOOLEAN authenticode; entry = &Context->Hash[i]; if (entry->HashComplete || !entry->Handle) { continue; } authenticode = ((i == KphHashAlgorithmSha1Authenticode) || (i == KphHashAlgorithmSha256Authenticode)); status = KphpUpdateHash(entry, Context, authenticode, UnsafeBuffer, Length); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "KphpUpdateHash failed: %!STATUS!", status); return status; } } return STATUS_SUCCESS; } /** * \brief Initializes a hashing context. * * \param[in,out] Context The hashing context to initialize. * \param[in] HashInformation The hash information to use for initialization. * \param[in] NumberOfHashes The number of hashing information items. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpInitializeHashingContext( _Inout_ PKPH_HASHING_CONTEXT Context, _In_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG NumberOfHashes ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); status = STATUS_SUCCESS; for (ULONG i = 0; i < NumberOfHashes; i++) { PKPH_HASHING_ENTRY entry; BCRYPT_ALG_HANDLE algHandle; if ((HashInformation[i].Algorithm >= MaxKphHashAlgorithm) || (HashInformation[i].Algorithm < 0)) { status = STATUS_INVALID_PARAMETER; goto Exit; } entry = &Context->Hash[HashInformation[i].Algorithm]; if (entry->HashComplete || entry->Handle) { continue; } Context->RequiresHashing = TRUE; switch (HashInformation[i].Algorithm) { case KphHashAlgorithmMd5: { entry->Length = (128 / 8); algHandle = BCRYPT_MD5_ALG_HANDLE; break; } case KphHashAlgorithmSha1: case KphHashAlgorithmSha1Authenticode: { entry->Length = (160 / 8); algHandle = BCRYPT_SHA1_ALG_HANDLE; break; } case KphHashAlgorithmSha256: case KphHashAlgorithmSha256Authenticode: { entry->Length = (256 / 8); algHandle = BCRYPT_SHA256_ALG_HANDLE; break; } case KphHashAlgorithmSha384: { entry->Length = (384 / 8); algHandle = BCRYPT_SHA384_ALG_HANDLE; break; } case KphHashAlgorithmSha512: { entry->Length = (512 / 8); algHandle = BCRYPT_SHA512_ALG_HANDLE; break; } DEFAULT_UNREACHABLE; } NT_ASSERT(entry->Length <= sizeof(Context->Hash)); status = BCryptCreateHash(algHandle, &entry->Handle, NULL, 0, NULL, 0, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "BCryptCreateHash failed: %!STATUS!", status); entry->Handle = NULL; goto Exit; } } Exit: return status; } /** * \brief Loads hashes from the EA cache into the hashing context. * * \param[in,out] Context The hashing context to load the hashes into. * \param[in] FileHandle The file handle to load the hashes from. * \param[in] AccessMode The mode in which to perform access checks. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpLoadHashesFromEaCache( _Inout_ PKPH_HASHING_CONTEXT Context, _In_ HANDLE FileHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PFILE_OBJECT fileObject; ULONG returnLength; PFILE_FULL_EA_INFORMATION fullEaInfo; KPH_PAGED_CODE_PASSIVE(); status = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, AccessMode, &fileObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "ObReferenceObjectByHandle failed: %!STATUS!", status); return; } // // N.B. We compile time assert that all the information we might store in // our extended attributes will fit within the supplied buffer. // status = FsRtlQueryKernelEaFile(fileObject, Context->Buffer, sizeof(Context->Buffer), FALSE, KphpHashingInfra->EaList, sizeof(KphpHashingInfra->EaList), NULL, TRUE, &returnLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "FsRtlQueryKernelEaFile failed: %!STATUS!", status); goto Exit; } fullEaInfo = (PFILE_FULL_EA_INFORMATION)Context->Buffer; for (;;) { ANSI_STRING eaName; eaName.Buffer = fullEaInfo->EaName; eaName.Length = fullEaInfo->EaNameLength; eaName.MaximumLength = fullEaInfo->EaNameLength; for (ULONG i = 0; i < ARRAYSIZE(KphpHashEaCacheInfo); i++) { PCKPH_HASHING_EACACHE_INFORMATION eaCacheInfo; PKPH_HASHING_ENTRY entry; PVOID buffer; eaCacheInfo = &KphpHashEaCacheInfo[i]; // // None of our EA names will reach this limit. We compile time // assert this and runtime assert here for clarity. This is // necessary when advancing the buffer pointer below. // NT_ASSERT(eaCacheInfo->EaName.Length < MAXUCHAR); if (fullEaInfo->EaValueLength != eaCacheInfo->HashSize) { continue; } if (!RtlEqualString(&eaName, &eaCacheInfo->EaName, FALSE)) { continue; } entry = &Context->Hash[i]; buffer = Add2Ptr(fullEaInfo->EaName, fullEaInfo->EaNameLength + sizeof(ANSI_NULL)); RtlCopyMemory(entry->Hash, buffer, fullEaInfo->EaValueLength); entry->Length = fullEaInfo->EaValueLength; entry->HashComplete = TRUE; break; } if (!fullEaInfo->NextEntryOffset) { break; } fullEaInfo = Add2Ptr(fullEaInfo, fullEaInfo->NextEntryOffset); } Exit: ObDereferenceObject(fileObject); } /** * \brief Initializes the EA cache context for hashing. * * \details The EA caching is completely opportunistic and will only be used if * we can guarantee cache consistency. We do this using an opportunistic lock. * The caller should call KphpProgressEaCacheContext to after each read from * the file data to determine if there is another contender for writing to the * file. If contention is detected, the EA cache will be closed and the cache * will not be updated. This avoids contention on the system and ensures cache * consistency. * * \param[in,out] Context The hashing context to initialize. * \param[in] FileHandle The file handle to initialize the context with. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpInitializeEaCacheContext( _Inout_ PKPH_HASHING_CONTEXT Context, _In_ HANDLE FileHandle ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; REQUEST_OPLOCK_INPUT_BUFFER oplockInput; ULONG64 usnValue; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); RtlInitUnicodeString(&objectName, NULL); InitializeObjectAttributes(&objectAttributes, &objectName, OBJ_KERNEL_HANDLE, FileHandle, NULL); status = KphCreateFile(&Context->EaCache.FileHandle, FILE_WRITE_EA | FILE_READ_DATA | FILE_READ_ATTRIBUTES, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_OPEN_REQUIRING_OPLOCK, NULL, 0, 0, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "KphCreateFile failed: %!STATUS!", status); Context->EaCache.FileHandle = NULL; goto Exit; } status = ObReferenceObjectByHandle(Context->EaCache.FileHandle, FILE_ALL_ACCESS, *IoFileObjectType, KernelMode, &Context->EaCache.FileObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "ObReferenceObjectByHandle failed: %!STATUS!", status); Context->EaCache.FileObject = NULL; goto Exit; } status = ZwCreateEvent(&Context->EaCache.OplockEventHandle, EVENT_ALL_ACCESS, NULL, NotificationEvent, TRUE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "ZwCreateEvent failed: %!STATUS!", status); Context->EaCache.OplockEventHandle = NULL; goto Exit; } status = ObReferenceObjectByHandle(Context->EaCache.OplockEventHandle, EVENT_ALL_ACCESS, *ExEventObjectType, KernelMode, &Context->EaCache.OplockEventObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "ObReferenceObjectByHandle failed: %!STATUS!", status); Context->EaCache.OplockEventObject = NULL; goto Exit; } oplockInput.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION; oplockInput.StructureLength = sizeof(REQUEST_OPLOCK_INPUT_BUFFER); oplockInput.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST; oplockInput.RequestedOplockLevel = (OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE); KeResetEvent(Context->EaCache.OplockEventObject); status = ZwFsControlFile(Context->EaCache.FileHandle, Context->EaCache.OplockEventHandle, NULL, NULL, &Context->EaCache.IoStatusBlock, FSCTL_REQUEST_OPLOCK, &oplockInput, sizeof(REQUEST_OPLOCK_INPUT_BUFFER), &Context->EaCache.OplockOutput, sizeof(Context->EaCache.OplockOutput)); if (status != STATUS_PENDING) { KeSetEvent(Context->EaCache.OplockEventObject, IO_NO_INCREMENT, FALSE); KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "ZwFsControlFile returned: %!STATUS!", status); if (NT_SUCCESS(status)) { status = STATUS_UNEXPECTED_IO_ERROR; } goto Exit; } status = FsRtlKernelFsControlFile(Context->EaCache.FileObject, FSCTL_WRITE_USN_CLOSE_RECORD, NULL, 0, &usnValue, sizeof(ULONG64), &returnLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "FsRtlKernelFsControlFile failed: %!STATUS!", status); goto Exit; } Exit: if (!NT_SUCCESS(status)) { KphpCloseHashingEaCacheContext(&Context->EaCache); } } /** * \brief Progresses the EA cache context. * * \details This function should be called after each read from the file data. * * \param[in,out] Context The hashing context to progress the EA cache of. * * \return TRUE if the EA cache is available and the opportunistic lock has not * been broken, FALSE otherwise. */ _IRQL_requires_max_(PASSIVE_LEVEL) BOOLEAN KphpProgressEaCacheContext( _Inout_ PKPH_HASHING_CONTEXT Context ) { LARGE_INTEGER zeroTimeout = KPH_TIMEOUT(0); KPH_PAGED_CODE_PASSIVE(); if (!Context->EaCache.OplockEventObject) { return FALSE; } if (KeWaitForSingleObject(Context->EaCache.OplockEventObject, Executive, KernelMode, FALSE, &zeroTimeout) != STATUS_SUCCESS) { return TRUE; } // // The opportunistic lock has been broken. We could try to guarantee cache // consistency by not closing the handle. Doing so would block the thread // attempting to open a write handle until we acknowledge the break. // // An opportunistic lock break can also happen when a write occurs to the // file, but this will not suspend the write operation for acknowledgment. // Therefore, acknowledging the break here is important to avoid the // possible cache inconsistency. // // We choose to completely get out of the way of the system and acknowledge // the break of the opportunistic lock by closing the handle. We will // continue to hash and return whatever that result is, but we will not // update the EA cache since we can not guarantee cash consistency. // // N.B. It is important to close the handle instead of using the lock break // acknowledgment control code, otherwise we could be the cause of a // sharing violation. // KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "Opportunistic lock broken"); KphpCloseHashingEaCacheContext(&Context->EaCache); return FALSE; } /** * \brief Initializes the hashing context for file hashing. * * \param[in,out] Context The hashing context to initialize. * \param[in] FileHandle The file handle to initialize the context with. * \param[in] HashInformation The hash information to use for initialization. * \param[in] NumberOfHashes The number of hashing information items. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpInitializeFileHashingContext( _Inout_ PKPH_HASHING_CONTEXT Context, _In_ HANDLE FileHandle, _In_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG NumberOfHashes, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); KphpLoadHashesFromEaCache(Context, FileHandle, AccessMode); status = KphpInitializeHashingContext(Context, HashInformation, NumberOfHashes); if (NT_SUCCESS(status) && Context->RequiresHashing) { KphpInitializeEaCacheContext(Context, FileHandle); } return status; } /** * \brief Initializes the hashing context for authenticode hashing. * * \details This function can raise a structured exception due to an in-page * error, which callers should be prepared to handle. * * \param[in,out] Context The hashing context to initialize. * \param[in] MappedBase The base address of the mapped image. * \param[in] ViewSize The size of the mapped image. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphpInitializeAuthenticodeHashing( _Inout_ PKPH_HASHING_CONTEXT Context, _In_ PVOID MappedBase, _In_ SIZE_T ViewSize ) { NTSTATUS status; PVOID mappedEnd; KPH_IMAGE_NT_HEADERS image; PIMAGE_DATA_DIRECTORY securityDir; PVOID securityBase; ULONG securitySize; PVOID securityEnd; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(&Context->Authenticode, sizeof(Context->Authenticode)); mappedEnd = Add2Ptr(MappedBase, ViewSize); securityDir = NULL; securityBase = NULL; securityEnd = NULL; NT_ASSERT(MappedBase <= mappedEnd); status = KphImageNtHeader(MappedBase, ViewSize, &image); if (!NT_SUCCESS(status)) { goto Exit; } if (!RTL_CONTAINS_FIELD(&image.Headers->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, Magic)) { Context->Authenticode.Regions[0].Start = MappedBase; Context->Authenticode.Regions[0].End = mappedEnd; status = STATUS_SUCCESS; goto VerifyRegions; } if (image.Headers->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { if (!RTL_CONTAINS_FIELD(&image.Headers32->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, CheckSum)) { Context->Authenticode.Regions[0].Start = MappedBase; Context->Authenticode.Regions[0].End = mappedEnd; status = STATUS_SUCCESS; goto VerifyRegions; } Context->Authenticode.Regions[0].Start = MappedBase; Context->Authenticode.Regions[0].End = &image.Headers32->OptionalHeader.CheckSum; Context->Authenticode.Regions[1].Start = &image.Headers32->OptionalHeader.Subsystem; if (!RTL_CONTAINS_FIELD(&image.Headers32->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, NumberOfRvaAndSizes) || (image.Headers32->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_SECURITY)) { Context->Authenticode.Regions[1].End = mappedEnd; status = STATUS_SUCCESS; goto VerifyRegions; } securityDir = &image.Headers32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]; Context->Authenticode.Regions[1].End = securityDir; } else if (image.Headers->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { if (!RTL_CONTAINS_FIELD(&image.Headers64->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, CheckSum)) { Context->Authenticode.Regions[0].Start = MappedBase; Context->Authenticode.Regions[0].End = mappedEnd; status = STATUS_SUCCESS; goto VerifyRegions; } Context->Authenticode.Regions[0].Start = MappedBase; Context->Authenticode.Regions[0].End = &image.Headers64->OptionalHeader.CheckSum; Context->Authenticode.Regions[1].Start = &image.Headers64->OptionalHeader.Subsystem; if (!RTL_CONTAINS_FIELD(&image.Headers64->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, NumberOfRvaAndSizes) || (image.Headers64->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_SECURITY)) { Context->Authenticode.Regions[1].End = mappedEnd; status = STATUS_SUCCESS; goto VerifyRegions; } securityDir = &image.Headers64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]; Context->Authenticode.Regions[1].End = securityDir; } else { status = STATUS_INVALID_IMAGE_FORMAT; goto Exit; } NT_ASSERT(securityDir); Context->Authenticode.Regions[2].Start = &securityDir[1]; if (!securityDir->VirtualAddress || !securityDir->Size) { Context->Authenticode.Regions[2].End = mappedEnd; status = STATUS_SUCCESS; goto VerifyRegions; } securityBase = Add2Ptr(MappedBase, securityDir->VirtualAddress); securitySize = securityDir->Size; securityEnd = Add2Ptr(securityBase, securitySize); Context->Authenticode.SecurityBase = securityBase; Context->Authenticode.SecuritySize = securitySize; Context->Authenticode.Regions[2].End = securityBase; if (securityEnd < mappedEnd) { Context->Authenticode.Regions[3].Start = securityEnd; Context->Authenticode.Regions[3].End = mappedEnd; } VerifyRegions: for (ULONG i = 0; i < ARRAYSIZE(Context->Authenticode.Regions); i++) { PKPH_MEMORY_REGION region; region = &Context->Authenticode.Regions[i]; if (!region->Start) { break; } if (!KphIsValidMemoryRegion(region, MappedBase, mappedEnd)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "Authenticode region overflows mapping."); status = STATUS_BUFFER_OVERFLOW; goto Exit; } } if (securityBase) { KPH_MEMORY_REGION securityRegion; securityRegion.Start = securityBase; securityRegion.End = securityEnd; if (!KphIsValidMemoryRegion(&securityRegion, MappedBase, mappedEnd)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "Security directory overflows mapping."); status = STATUS_BUFFER_OVERFLOW; goto Exit; } } Exit: if (!NT_SUCCESS(status)) { RtlZeroMemory(&Context->Authenticode, sizeof(Context->Authenticode)); } return status; } /** * \brief Finishes hashes in the hashing context. * * \param[in,out] Context The hashing context to finish the hashes in. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpFinishHashes( _In_ PKPH_HASHING_CONTEXT Context ) { NTSTATUS status; PFILE_FULL_EA_INFORMATION fullEaInfo; ULONG fullEaInfoLength; KPH_PAGED_CODE_PASSIVE(); fullEaInfoLength = 0; if (Context->EaCache.FileObject) { fullEaInfo = (PFILE_FULL_EA_INFORMATION)Context->Buffer; fullEaInfo->NextEntryOffset = 0; } else { fullEaInfo = NULL; } for (ULONG i = 0; i < ARRAYSIZE(Context->Hash); i++) { PKPH_HASHING_ENTRY entry; PCKPH_HASHING_EACACHE_INFORMATION eaInfo; PVOID buffer; entry = &Context->Hash[i]; if (!entry->Handle) { continue; } status = BCryptFinishHash(entry->Handle, entry->Hash, entry->Length, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "BCryptFinishHash failed: %!STATUS!", status); return status; } entry->HashComplete = TRUE; if (!fullEaInfo) { continue; } fullEaInfo = Add2Ptr(fullEaInfo, fullEaInfo->NextEntryOffset); eaInfo = &KphpHashEaCacheInfo[i]; fullEaInfo->Flags = 0; fullEaInfo->EaNameLength = (UCHAR)eaInfo->EaName.Length; fullEaInfo->EaValueLength = (USHORT)entry->Length; RtlCopyMemory(fullEaInfo->EaName, eaInfo->EaName.Buffer, eaInfo->EaName.Length); fullEaInfo->EaName[eaInfo->EaName.Length] = ANSI_NULL; buffer = Add2Ptr(fullEaInfo->EaName, fullEaInfo->EaNameLength + sizeof(ANSI_NULL)); RtlCopyMemory(buffer, entry->Hash, entry->Length); buffer = Add2Ptr(buffer, entry->Length); fullEaInfo->NextEntryOffset = ALIGN_UP_BY(PtrOffset(fullEaInfo, buffer), sizeof(ULONG)); fullEaInfoLength += fullEaInfo->NextEntryOffset; } if (fullEaInfoLength && KphpProgressEaCacheContext(Context)) { NT_ASSERT(Context->EaCache.FileObject); NT_ASSERT(fullEaInfo); fullEaInfo->NextEntryOffset = 0; status = FsRtlSetKernelEaFile(Context->EaCache.FileObject, Context->Buffer, fullEaInfoLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "FsRtlSetKernelEaFile failed: %!STATUS!", status); } } return STATUS_SUCCESS; } /** * \brief Copies hashes from the hashing context to the hash information. * * \param[in] Context The hashing context to copy the hashes from. * \param[in,out] HashInformation The hash information to copy the hashes to. * \param[in] NumberOfHashes The number of hashing information items. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpCopyHashes( _In_ PKPH_HASHING_CONTEXT Context, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG NumberOfHashes ) { KPH_PAGED_CODE_PASSIVE(); for (ULONG i = 0; i < NumberOfHashes; i++) { PKPH_HASHING_ENTRY entry; PKPH_HASH_INFORMATION info; info = &HashInformation[i]; NT_ASSERT((info->Algorithm < MaxKphHashAlgorithm) && (info->Algorithm >= 0)); entry = &Context->Hash[info->Algorithm]; NT_ASSERT(entry->HashComplete); info->Length = entry->Length; RtlCopyMemory(info->Hash, entry->Hash, entry->Length); } } /** * \brief Hashes a file. * * \param[in] FileHandle Handle to a file to hash. * \param[in,out] HashInformation The hash information to populate with the * requested hash algorithms. On input this array contains the requested hash * algorithms to use, and on output the hash information items are populated * with the requested hash values. * \param[in] NumberOfHashes The number of hash information items. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpHashFile( _In_ HANDLE FileHandle, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG NumberOfHashes, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_HASHING_CONTEXT context; PVOID mappedBase; SIZE_T viewSize; ULONG readSize; KPH_PAGED_CODE_PASSIVE(); mappedBase = NULL; context = KphpAllocateHashingContext(); if (!context) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphpInitializeFileHashingContext(context, FileHandle, HashInformation, NumberOfHashes, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "KphpInitializeFileHashingContext failed: %!STATUS!", status); goto Exit; } if (!context->RequiresHashing) { goto Finish; } viewSize = 0; status = KphMapViewInSystem(FileHandle, KPH_MAP_DATA, &mappedBase, &viewSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "KphMapViewInSystem failed: %!STATUS!", status); mappedBase = NULL; goto Exit; } if (context->Hash[KphHashAlgorithmSha1Authenticode].Handle || context->Hash[KphHashAlgorithmSha256Authenticode].Handle) { __try { KphpInitializeAuthenticodeHashing(context, mappedBase, viewSize); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } readSize = 0; for (SIZE_T offset = 0; offset < viewSize; offset += readSize) { PVOID buffer; buffer = &((PBYTE)mappedBase)[offset]; readSize = (ULONG)min(viewSize - offset, sizeof(context->Buffer)); __try { RtlCopyMemory(context->Buffer, buffer, readSize); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } KphpProgressEaCacheContext(context); status = KphpUpdateHashes(context, buffer, readSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "KphpUpdateHashes failed: %!STATUS!", status); goto Exit; } } status = KphpFinishHashes(context); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "KphpFinishHashes failed: %!STATUS!", status); goto Exit; } Finish: KphpCopyHashes(context, HashInformation, NumberOfHashes); Exit: if (mappedBase) { KphUnmapViewInSystem(mappedBase); } if (context) { KphpFreeHashingContext(context); } return status; } /** * \brief Queries hash information for a file. * * \param[in] FileHandle Handle to a file to query. * \param[in,out] HashInformation The hash information to populate with the * requested hash algorithms. On input this array contains the requested hash * algorithms to use, and on output the hash information items are populated * with the requested hash values. * \param[in] HashInformationLength The length of the hash information in bytes. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryHashInformationFile( _In_ HANDLE FileHandle, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG HashInformationLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_HASH_INFORMATION hashInfo; ULONG numberOfHashes; KPH_PAGED_CODE_PASSIVE(); hashInfo = NULL; numberOfHashes = HashInformationLength / sizeof(KPH_HASH_INFORMATION); if (!HashInformation || !numberOfHashes) { status = STATUS_INVALID_PARAMETER; goto Exit; } if (AccessMode != KernelMode) { hashInfo = KphAllocatePaged(HashInformationLength, KPH_TAG_CAPTURED_HASHES); if (!hashInfo) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(hashInfo, HashInformation, HashInformationLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } else { hashInfo = HashInformation; } status = KphpHashFile(FileHandle, hashInfo, numberOfHashes, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "KphpHashFile failed: %!STATUS!", status); goto Exit; } if (AccessMode != KernelMode) { __try { CopyToUser(HashInformation, hashInfo, HashInformationLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } Exit: if (hashInfo && (hashInfo != HashInformation)) { KphFree(hashInfo, KPH_TAG_CAPTURED_HASHES); } return status; } /** * \brief Queries hash information for a file object. * * \param[in] FileObject The file to query. * \param[in,out] HashInformation The hash information to populate with the * requested hash algorithms. On input this array contains the requested hash * algorithms to use, and on output the hash information items are populated * with the requested hash values. * \param[in] HashInformationLength The length of the hash information in bytes. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryHashInformationFileObject( _In_ PFILE_OBJECT FileObject, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG HashInformationLength ) { NTSTATUS status; HANDLE fileHandle; KPH_PAGED_CODE_PASSIVE(); status = ObOpenObjectByPointer(FileObject, OBJ_KERNEL_HANDLE, NULL, 0, *IoFileObjectType, KernelMode, &fileHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, HASH, "ObOpenObjectByPointer failed: %!STATUS!", status); return status; } status = KphQueryHashInformationFile(fileHandle, HashInformation, HashInformationLength, KernelMode); ObCloseHandle(fileHandle, KernelMode); return status; } ================================================ FILE: KSystemInformer/imgcoherency.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2024-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Checks an image for coherency against the data backing the image. * * \details Always called from within structured exception handling. * * \param[in] ImageBase Base address of the image mapping. * \param[in] ImageSize Size of the image mapping. * \param[in] DataBase Base address of the data mapping. * \param[in] DataSize Size of the data mapping. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpCheckImageCoherency( _In_ PVOID ImageBase, _In_ SIZE_T ImageSize, _In_ PVOID DataBase, _In_ SIZE_T DataSize ) { NTSTATUS status; KPH_MEMORY_REGION regions[4]; KPH_IMAGE_NT_HEADERS image; SIZE_T size; PVOID dataEnd; PVOID imageEnd; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(®ions, sizeof(regions)); regions[0].Start = DataBase; regions[0].End = Add2Ptr(DataBase, sizeof(IMAGE_DOS_HEADER)); status = KphImageNtHeader(DataBase, DataSize, &image); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphImageNtHeader failed: %!STATUS!", status); return status; } size = (image.Headers->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER)); regions[1].Start = IMAGE_FIRST_SECTION(image.Headers); regions[1].End = Add2Ptr(regions[1].Start, size); regions[2].Start = &image.Headers->FileHeader.NumberOfSections; if (!RTL_CONTAINS_FIELD(&image.Headers->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, Magic)) { regions[2].End = &image.Headers->OptionalHeader.Magic; goto VerifyRegions; } if (image.Headers->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { if (!RTL_CONTAINS_FIELD(&image.Headers32->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, ImageBase)) { regions[2].End = Add2Ptr(&image.Headers32->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader); goto VerifyRegions; } regions[2].End = &image.Headers32->OptionalHeader.ImageBase; regions[3].Start = &image.Headers32->OptionalHeader.SectionAlignment; regions[3].End = Add2Ptr(&image.Headers32->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader); } else if (image.Headers->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { if (!RTL_CONTAINS_FIELD(&image.Headers64->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader, ImageBase)) { regions[2].End = Add2Ptr(&image.Headers64->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader); goto VerifyRegions; } regions[2].End = &image.Headers64->OptionalHeader.ImageBase; regions[3].Start = &image.Headers64->OptionalHeader.SectionAlignment; regions[3].End = Add2Ptr(&image.Headers64->OptionalHeader, image.Headers->FileHeader.SizeOfOptionalHeader); } else { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Invalid image optional header magic: 0x%04x", image.Headers->OptionalHeader.Magic); return STATUS_INVALID_IMAGE_FORMAT; } VerifyRegions: imageEnd = Add2Ptr(ImageBase, ImageSize); dataEnd = Add2Ptr(DataBase, DataSize); for (ULONG i = 0; i < ARRAYSIZE(regions); i++) { PKPH_MEMORY_REGION region; KPH_MEMORY_REGION other; region = ®ions[i]; if (!region->Start) { break; } if (!KphIsValidMemoryRegion(region, DataBase, dataEnd)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Image region overflows mapping."); return STATUS_BUFFER_OVERFLOW; } other.Start = RebasePtr(region->Start, DataBase, ImageBase); other.End = RebasePtr(region->End, DataBase, ImageBase); if (!KphIsValidMemoryRegion(&other, ImageBase, imageEnd)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Data region overflows mapping."); return STATUS_BUFFER_OVERFLOW; } size = PtrOffset(region->Start, region->End); if (!KphEqualMemory(region->Start, other.Start, size)) { return STATUS_IMAGE_CHECKSUM_MISMATCH; } } return STATUS_SUCCESS; } /** * \brief Checks an image for coherency against the data backing the image. * * \param[in] ImageBase Base address of the image mapping. * \param[in] ImageSize Size of the image mapping. * \param[in] DataBase Base address of the data mapping. * \param[in] DataSize Size of the data mapping. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCheckImageCoherency( _In_ PVOID ImageBase, _In_ SIZE_T ImageSize, _In_ PVOID DataBase, _In_ SIZE_T DataSize ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); __try { status = KphpCheckImageCoherency(ImageBase, ImageSize, DataBase, DataSize); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } return status; } ================================================ FILE: KSystemInformer/include/comms.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #include typedef struct _KPH_CLIENT_INFORMER_STATE { KPH_MESSAGE_TIMEOUTS MessageTimeouts; KPH_RATE_LIMIT AsyncQueueRateLimit; KPH_RATE_LIMIT InformerRateLimit[KPH_INFORMER_COUNT]; } KPH_CLIENT_INFORMER_STATE, *PKPH_CLIENT_INFORMER_STATE; typedef union _KPH_CLIENT_INFORMER_STATE_ATOMIC { struct _KPH_CLIENT_RATE_LIMITS* Limits; KPH_ATOMIC_OBJECT_REF Atomic; } KPH_CLIENT_INFORMER_STATE_ATOMIC, *PKPH_CLIENT_INFORMER_STATE_ATOMIC; typedef struct _KPH_CLIENT { PKPH_PROCESS_CONTEXT Process; PFLT_PORT Port; KPH_REFERENCE DriverUnloadProtectionRef; KPH_CLIENT_INFORMER_STATE_ATOMIC InformerState; PKPH_RING_BUFFER RingBuffer; } KPH_CLIENT, *PKPH_CLIENT; typedef _Function_class_(KPHM_HANDLER) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KPHM_HANDLER ( _In_ PKPH_CLIENT Client, _Inout_ PKPH_MESSAGE Message ); typedef KPHM_HANDLER* PKPHM_HANDLER; #define KPHM_DEFINE_HANDLER(name) \ _Function_class_(KPHM_HANDLER) \ _IRQL_requires_max_(PASSIVE_LEVEL) \ _Must_inspect_result_ \ NTSTATUS name( \ _In_ PKPH_CLIENT Client, \ _Inout_ PKPH_MESSAGE Message \ ) typedef _Function_class_(KPHM_REQUIRED_STATE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ KPH_PROCESS_STATE KSIAPI KPHM_REQUIRED_STATE ( _In_ PKPH_CLIENT Client, _In_ PCKPH_MESSAGE Message ); typedef KPHM_REQUIRED_STATE* PKPHM_REQUIRED_STATE; #define KPHM_DEFINE_REQUIRED_STATE(name) \ _Function_class_(KPHM_REQUIRED_STATE) \ _IRQL_requires_max_(PASSIVE_LEVEL) \ _Must_inspect_result_ \ KPH_PROCESS_STATE name( \ _In_ PKPH_CLIENT Client, \ _In_ PCKPH_MESSAGE Message \ ) typedef struct _KPH_MESSAGE_HANDLER { KPH_MESSAGE_ID MessageId; PKPHM_HANDLER Handler; PKPHM_REQUIRED_STATE RequiredState; } KPH_MESSAGE_HANDLER, *PKPH_MESSAGE_HANDLER; extern const KPH_MESSAGE_HANDLER KphCommsMessageHandlers[]; extern const ULONG KphCommsMessageHandlerCount; _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCommsStart( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCommsStop( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) ULONG KphGetConnectedClientCount( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) ULONG KphGetInformerClientCount( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerClientSettings( _In_ PKPH_CLIENT Client, _Out_ PKPH_INFORMER_CLIENT_SETTINGS Settings ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformerClientSettings( _In_ PKPH_CLIENT Client, _In_ PKPH_INFORMER_CLIENT_SETTINGS Settings ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerClientStats( _In_ PKPH_CLIENT Client, _Out_ PKPH_INFORMER_CLIENT_STATS Stats ); _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_ PKPH_MESSAGE KphAllocateMessage( VOID ); _IRQL_requires_max_(APC_LEVEL) VOID KphFreeMessage( _In_freesMem_ PKPH_MESSAGE Message ); _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_ PKPH_MESSAGE KphAllocateNPagedMessage( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFreeNPagedMessage( _In_freesMem_ PKPH_MESSAGE Message ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphCommsSendMessage( _In_ PKPH_MESSAGE Message, _Out_opt_ PKPH_MESSAGE Reply ); _IRQL_requires_max_(APC_LEVEL) VOID KphCommsSendMessageAsync( _In_aliasesMem_ PKPH_MESSAGE Message ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCommsSendNPagedMessageAsync( _In_aliasesMem_ PKPH_MESSAGE Message ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCaptureStackInMessage( _Inout_ PKPH_MESSAGE Message ); ================================================ FILE: KSystemInformer/include/informer.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #include #include _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupInformer( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeInformer( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphInformerAllowed( _In_ ULONG Index, _In_opt_ PKPH_PROCESS_CONTEXT ActorProcess, _In_opt_ PKPH_PROCESS_CONTEXT TargetProcess ); #define KphInformerEnabled(name, proc) \ KphInformerAllowed(KPH_INFORMER_INDEX(name), proc, NULL) #define KphInformerEnabled2(name, actor, target) \ KphInformerAllowed(KPH_INFORMER_INDEX(name), actor, target) _IRQL_requires_max_(DISPATCH_LEVEL) KPH_INFORMER_OPTIONS KphInformerOptions( _In_opt_ PKPH_PROCESS_CONTEXT ActorProcess, _In_opt_ PKPH_PROCESS_CONTEXT TargetProcess ); #define KphInformerOpts(proc) \ KphInformerOptions(proc, NULL) #define KphInformerOpts2(proc, target) \ KphInformerOptions(proc, target) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerSettings( _Out_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformerSettings( _In_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerProcessSettings( _In_ HANDLE ProcessHandle, _Out_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformerProcessSettings( _In_opt_ HANDLE ProcessHandle, _In_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerStats( _In_opt_ HANDLE ProcessHandle, _Out_ PKPH_INFORMER_STATS Stats, _In_ KPROCESSOR_MODE AccessMode ); // mini-filter informer extern PFLT_FILTER KphFltFilter; _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphFltRegister( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphFltUnregister( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphFltInformerStart( VOID ); // process informer _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphProcessInformerStart( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphProcessInformerStop( VOID ); // thread informer _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphThreadInformerStart( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphThreadInformerStop( VOID ); // image informer _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphImageInformerStart( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphImageInformerStop( VOID ); // object informer _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphObjectInformerStart( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphObjectInformerStop( VOID ); // registry informer _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphRegistryInformerStart( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphRegistryInformerStop( VOID ); // debug informer _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphDebugInformerStart( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphDebugInformerStop( VOID ); ================================================ FILE: KSystemInformer/include/informer_filep.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #pragma once // informer_fileop.c _Function_class_(PFLT_POST_OPERATION_CALLBACK) _IRQL_requires_max_(DISPATCH_LEVEL) FLT_POSTOP_CALLBACK_STATUS FLTAPI KphpFltPostOp( _Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_opt_ PVOID CompletionContext, _In_ FLT_POST_OPERATION_FLAGS Flags ); _Function_class_(PFLT_PRE_OPERATION_CALLBACK) _IRQL_requires_max_(APC_LEVEL) FLT_PREOP_CALLBACK_STATUS FLTAPI KphpFltPreOp( _Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Outptr_result_maybenull_ PVOID* CompletionContext ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltCleanupFileOp( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltInitializeFileOp( VOID ); // informer_filenc.c typedef enum _KPH_FLT_FILE_NAME_TYPE { KphFltFileNameTypeNone, KphFltFileNameTypeNameInfo, KphFltFileNameTypeContext, KphFltFileNameTypeFileName, KphFltFileNameTypeNameCache, } KPH_FLT_FILE_NAME_TYPE, *PKPH_FLT_FILE_NAME_ITYPE; typedef struct _KPH_FLT_FILE_NAME_CACHE_ENTRY { LIST_ENTRY ListEntry; PFILE_OBJECT FileObject; UNICODE_STRING FileName; } KPH_FLT_FILE_NAME_CACHE_ENTRY, *PKPH_FLT_FILE_NAME_CACHE_ENTRY; typedef struct _KPH_FLT_FILE_NAME { // // N.B. PFLT_CONTEXT stores a PUNICODE_STRING // KPH_FLT_FILE_NAME_TYPE Type; union { PFLT_FILE_NAME_INFORMATION NameInfo; PFLT_CONTEXT Context; PUNICODE_STRING FileName; PKPH_FLT_FILE_NAME_CACHE_ENTRY NameCache; }; } KPH_FLT_FILE_NAME, *PKPH_FLT_FILE_NAME; #define KphpFltZeroFileName(info) \ (info)->Type = KphFltFileNameTypeNone; \ (info)->NameInfo = NULL; _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetFileName( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltFileName ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetDestFileName( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltDestFileName ); _IRQL_requires_max_(APC_LEVEL) VOID KphpFltReleaseFileName( _In_ PKPH_FLT_FILE_NAME FltFileName ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpFltReapFileNameCache( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltCleanupFileNameCache( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltInitializeFileNameCache( VOID ); ================================================ FILE: KSystemInformer/include/kph.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #pragma warning(push) #pragma warning(disable: 5103) // invalid preprocessing token (/Zc:preprocessor) #include #include #include #include #include #include #include #include #pragma warning(pop) #include #define PHNT_MODE PHNT_MODE_KERNEL #include #include #include #include #include #include #include #define KSIAPI NTAPI #define KPH_PAGED_CODE() \ PAGED_CODE(); \ NT_ANALYSIS_ASSUME((KeGetCurrentIrql() == APC_LEVEL) || \ (KeGetCurrentIrql() == PASSIVE_LEVEL)) #define KPH_PAGED_CODE_PASSIVE() \ PAGED_CODE(); \ NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL); \ NT_ANALYSIS_ASSUME(KeGetCurrentIrql() == PASSIVE_LEVEL) #define KPH_PAGED_CODE_APC() \ PAGED_CODE(); \ NT_ASSERT(KeGetCurrentIrql() == APC_LEVEL); \ NT_ANALYSIS_ASSUME(KeGetCurrentIrql() == APC_LEVEL) #define KPH_NPAGED_CODE_PASSIVE() \ NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL); \ NT_ANALYSIS_ASSUME(KeGetCurrentIrql() == PASSIVE_LEVEL) #define KPH_NPAGED_CODE_APC_MAX() \ NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL); \ NT_ANALYSIS_ASSUME((KeGetCurrentIrql() == APC_LEVEL) || \ (KeGetCurrentIrql() == PASSIVE_LEVEL)) #define KPH_NPAGED_CODE_DISPATCH_MAX() \ NT_ASSERT(KeGetCurrentIrql() <= DISPATCH_LEVEL); \ NT_ANALYSIS_ASSUME((KeGetCurrentIrql() == DISPATCH_LEVEL) || \ (KeGetCurrentIrql() == APC_LEVEL) || \ (KeGetCurrentIrql() == PASSIVE_LEVEL)) #define KPH_NPAGED_CODE_DISPATCH_MIN() \ NT_ASSERT(KeGetCurrentIrql() >= DISPATCH_LEVEL); \ NT_ANALYSIS_ASSUME((KeGetCurrentIrql() == DISPATCH_LEVEL) || \ (KeGetCurrentIrql() == HIGH_LEVEL)) #define KPH_NPAGED_CODE_DISPATCH() \ NT_ASSERT(KeGetCurrentIrql() == DISPATCH_LEVEL); \ NT_ANALYSIS_ASSUME(KeGetCurrentIrql() == DISPATCH_LEVEL) // // N.B. This decorates code to indicate that the code supports up to APC_LEVEL // but is in a non-paged segment since it can be called in a paging I/O path. // Code in this path should also only allocate from non-paged pool to avoid // deadlocks. // #define KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO() KPH_NPAGED_CODE_APC_MAX() #define KPH_PAGED_FILE() \ __pragma(bss_seg("PAGEBBS")) \ __pragma(code_seg("PAGE")) \ __pragma(data_seg("PAGEDATA")) \ __pragma(const_seg("PAGERO")) #define KPH_PROTECTED_DATA_SECTION_PUSH() \ __pragma(data_seg(push)) \ __pragma(data_seg("KSIDATA")) #define KPH_PROTECTED_DATA_SECTION_POP() \ __pragma(data_seg(pop)) #define KPH_PROTECTED_DATA_SECTION_RO_PUSH() \ __pragma(const_seg(push)) \ __pragma(const_seg("KSIRO")) #define KPH_PROTECTED_DATA_SECTION_RO_POP() \ __pragma(const_seg(pop)) #define _Outptr_allocatesMem_ _Outptr_result_nullonfailure_ __drv_allocatesMem(Mem) #define _Out_allocatesMem_ _Out_ __drv_allocatesMem(Mem) #define _Out_allocatesMem_size_(size) _Out_allocatesMem_ _Post_writable_byte_size_(size) #define _FreesMem_ _Pre_notnull_ _Post_ptr_invalid_ __drv_freesMem(Mem) #define _In_freesMem_ _In_ _FreesMem_ #define _In_aliasesMem_ _In_ _Pre_notnull_ _Post_ptr_invalid_ __drv_aliasesMem #define _Return_allocatesMem_ __drv_allocatesMem(Mem) _Check_return_ _Ret_maybenull_ #define _Return_allocatesMem_size_(size) _Return_allocatesMem_ _Post_writable_byte_size_(size) #define _IRQL_requires_for_wait_(timeout) \ _When_(((timeout == NULL) || (timeout->QuadPart != 0)), \ _IRQL_requires_max_(APC_LEVEL)) \ _When_(((timeout != NULL) && (timeout->QuadPart == 0)), \ _IRQL_requires_max_(DISPATCH_LEVEL)) typedef const void* PCVOID; #ifndef MAX_PATH #define MAX_PATH 260 #endif FORCEINLINE ULONG64 InterlockedExchangeU64( _Inout_ _Interlocked_operand_ volatile ULONG64* Target, _In_ ULONG64 Value ) { return (ULONG64)InterlockedExchange64((LONG64*)Target, (LONG64)Value); } FORCEINLINE ULONG64 InterlockedCompareExchangeU64( _Inout_ _Interlocked_operand_ volatile ULONG64* Target, _In_ ULONG64 Value, _In_ ULONG64 Expected ) { return (ULONG64)InterlockedCompareExchange64((LONG64*)Target, (LONG64)Value, (LONG64)Expected); } FORCEINLINE ULONG64 InterlockedIncrementU64( _Inout_ _Interlocked_operand_ volatile ULONG64* Target ) { return (ULONG64)InterlockedIncrement64((LONG64*)Target); } FORCEINLINE ULONG_PTR InterlockedExchangeULongPtr( _Inout_ _Interlocked_operand_ volatile ULONG_PTR* Target, _In_ ULONG_PTR Value ) { #ifdef _WIN64 return (ULONG_PTR)InterlockedExchange64((LONG64*)Target, (LONG64)Value); #else return (ULONG_PTR)InterlockedExchange((LONG*)Target, (LONG)Value); #endif } FORCEINLINE ULONG_PTR InterlockedExchangeAddULongPtr( _Inout_ _Interlocked_operand_ volatile ULONG_PTR* Target, _In_ ULONG_PTR Value ) { return (ULONG_PTR)InterlockedExchangeAddSizeT((SIZE_T*)Target, (SIZE_T)Value); } FORCEINLINE BOOLEAN InterlockedBitTestAndResetULongPtr( _Inout_ _Interlocked_operand_ volatile ULONG_PTR* Target, _In_ ULONG_PTR Bit ) { #ifdef _WIN64 return InterlockedBitTestAndReset64((LONG64*)Target, (LONG64)Bit); #else return InterlockedBitTestAndReset((LONG*)Target, (LONG)Bit); #endif } FORCEINLINE ULONG_PTR InterlockedCompareExchangeULongPtr( _Inout_ _Interlocked_operand_ volatile ULONG_PTR* Target, _In_ ULONG_PTR Value, _In_ ULONG_PTR Expected ) { #ifdef _WIN64 return (ULONG_PTR)InterlockedCompareExchange64((LONG64*)Target, (LONG64)Value, (LONG64)Expected); #else return (ULONG_PTR)InterlockedCompareExchange((LONG*)Target, (LONG)Value, (LONG)Expected); #endif } FORCEINLINE ULONG_PTR InterlockedDecrementULongPtr( _Inout_ _Interlocked_operand_ volatile ULONG_PTR* Target ) { return (ULONG_PTR)InterlockedDecrementSizeT((SIZE_T*)Target); } FORCEINLINE SSIZE_T InterlockedIncrementSSizeT( _Inout_ _Interlocked_operand_ volatile SSIZE_T* Target ) { return (SSIZE_T)InterlockedIncrementSizeT((SIZE_T*)Target); } FORCEINLINE VOID WriteSSizeTNoFence( _Out_ _Interlocked_operand_ volatile SSIZE_T* Target, _In_ SSIZE_T Value ) { WriteSizeTNoFence((SIZE_T*)Target, (SIZE_T)Value); } FORCEINLINE SSIZE_T InterlockedIncrementSSizeTNoFence( _Inout_ _Interlocked_operand_ volatile SSIZE_T* Target ) { return (SSIZE_T)InterlockedIncrementSizeTNoFence((SIZE_T*)Target); } FORCEINLINE SSIZE_T InterlockedDecrementSSizeT( _Inout_ _Interlocked_operand_ volatile SSIZE_T* Target ) { return (SSIZE_T)InterlockedDecrementSizeT((SIZE_T*)Target); } FORCEINLINE SIZE_T InterlockedCompareExchangeSizeT( _Inout_ _Interlocked_operand_ volatile SIZE_T* Target, _In_ SIZE_T Value, _In_ SIZE_T Expected ) { return (SIZE_T)InterlockedCompareExchangePointer((PVOID*)Target, (PVOID)Value, (PVOID)Expected); } FORCEINLINE VOID InterlockedExchangeIfGreaterSizeT( _Inout_ _Interlocked_operand_ volatile SIZE_T* Target, _In_ SIZE_T Value ) { SIZE_T max; max = ReadSizeTAcquire(Target); while (Value > max) { SIZE_T expected; expected = max; max = InterlockedCompareExchangeSizeT(Target, Value, expected); if (max == expected) { break; } } } // // Use user-mode accessors (UMA) APIs instead. // #pragma deprecated("ProbeForRead") #pragma deprecated("ProbeForWrite") #define C_2sTo4(x) ((unsigned int)(signed short)(x)) #define RebasePtr(pointer, oldBase, newBase) \ Add2Ptr(newBase, PtrOffset(oldBase, pointer)) #define RebaseUnicodeString(string, oldBase, newBase) \ if ((string)->Buffer) \ { \ (string)->Buffer = Add2Ptr(newBase, PtrOffset(oldBase, (string)->Buffer)); \ } #define KPH_TIMEOUT(ms) { .QuadPart = (-10000ll * (ms)) } #define KPH_KERNEL_PURGE_EA "$KERNEL.PURGE.SI." typedef struct _KPH_FILE_VERSION { USHORT MajorVersion; USHORT MinorVersion; USHORT BuildNumber; USHORT Revision; } KPH_FILE_VERSION, *PKPH_FILE_VERSION; typedef struct _KPH_MEMORY_REGION { PVOID Start; PVOID End; } KPH_MEMORY_REGION, *PKPH_MEMORY_REGION; _Must_inspect_result_ FORCEINLINE BOOLEAN KphIsValidMemoryRegion( _In_ PKPH_MEMORY_REGION Region, _In_ PVOID Start, _In_ PVOID End ) { return ((Region->Start <= Region->End) && (Region->Start >= Start) && (Region->End <= End)); } // // C30030 - Probably allocating executable memory via specifying a // MM_PAGE_PRIORITY type without a bitwise OR with MdlMappingNoExecute // #pragma deprecated("MmGetSystemAddressForMdl") #pragma deprecated("MmGetSystemAddressForMdlSafe") _IRQL_requires_max_(DISPATCH_LEVEL) _Post_writable_byte_size_(Mdl->ByteCount) _At_(Mdl->MappedSystemVa, _Post_writable_byte_size_(Mdl->ByteCount)) _Check_return_ _Success_(return != NULL) FORCEINLINE PVOID KphpGetSystemAddressForMdl( _Inout_ PMDL Mdl, _In_ MM_PAGE_PRIORITY Priority ) { #pragma warning(suppress: 4995) // suppress deprecation warning return MmGetSystemAddressForMdlSafe(Mdl, Priority | MdlMappingNoExecute); } #define KphGetSystemAddressForMdl(mdl, priority) \ _Pragma("warning(push)") \ _Pragma("warning(disable : 30030)") \ KphpGetSystemAddressForMdl(mdl, priority) \ _Pragma("warning(pop)") #pragma deprecated("ObReferenceObjectByHandle") _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ FORCEINLINE NTSTATUS KphpObReferenceObjectByHandle( _In_ HANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_TYPE ObjectType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PVOID *Object, _Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation ) { #pragma warning(disable: 4995) // suppress deprecation warning #pragma prefast(suppress: 28118) // allow at APC_LEVEL return ObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType, AccessMode, Object, HandleInformation); } #define ObReferenceObjectByHandle KphpObReferenceObjectByHandle // main extern PDRIVER_OBJECT KphDriverObject; extern RTL_OSVERSIONINFOEXW KphOsVersionInfo; extern KPH_FILE_VERSION KphKernelVersion; extern BOOLEAN KphIgnoreProtectionsSuppressed; extern BOOLEAN KphIgnoreTestSigningEnabled; extern SYSTEM_SECUREBOOT_INFORMATION KphSecureBootInfo; extern SYSTEM_CODEINTEGRITY_INFORMATION KphCodeIntegrityInfo; FORCEINLINE BOOLEAN KphInDeveloperMode( VOID ) { if (KphSecureBootInfo.SecureBootCapable && KphSecureBootInfo.SecureBootEnabled) { return FALSE; } if (!KD_DEBUGGER_ENABLED) { return FALSE; } if (!FlagOn(KphCodeIntegrityInfo.CodeIntegrityOptions, CODEINTEGRITY_OPTION_TESTSIGN)) { return FALSE; } return TRUE; } FORCEINLINE BOOLEAN KphProtectionsSuppressed( VOID ) { if (KphIgnoreProtectionsSuppressed) { return FALSE; } return KphInDeveloperMode(); } FORCEINLINE BOOLEAN KphTestSigningEnabled( VOID ) { if (KphIgnoreTestSigningEnabled) { return FALSE; } return KphInDeveloperMode(); } // parameters extern PUNICODE_STRING KphAltitude; extern PUNICODE_STRING KphPortName; extern KPH_PARAMETER_FLAGS KphParameterFlags; extern PUNICODE_STRING KphSystemProcessName; _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupParameters( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeParameters( _In_ PCUNICODE_STRING RegistryPath ); // alloc // // Always use wrapped allocators, unless explicitly necessary. // // This helps catch programmer error. Deprecate the original ones here, the // allocation infrastructure will internally suppress the deprecated warnings. // #pragma deprecated("ExAllocateCacheAwareRundownProtection") #pragma deprecated("ExAllocateFromLookasideListEx") #pragma deprecated("ExAllocateFromNPagedLookasideList") #pragma deprecated("ExAllocateFromPagedLookasideList") #pragma deprecated("ExAllocatePool") #pragma deprecated("ExAllocatePool2") #pragma deprecated("ExAllocatePool3") #pragma deprecated("ExAllocatePoolPriorityUninitialized") #pragma deprecated("ExAllocatePoolPriorityZero") #pragma deprecated("ExAllocatePoolQuotaUninitialized") #pragma deprecated("ExAllocatePoolQuotaZero") #pragma deprecated("ExAllocatePoolUninitialized") #pragma deprecated("ExAllocatePoolWithQuota") #pragma deprecated("ExAllocatePoolWithQuotaTag") #pragma deprecated("ExAllocatePoolWithTag") #pragma deprecated("ExAllocatePoolWithTagPriority") #pragma deprecated("ExAllocatePoolZero") #pragma deprecated("ExFreePool") #pragma deprecated("ExFreePool2") #pragma deprecated("ExFreePoolWithTag") #pragma deprecated("ExFreeToLookasideListEx") #pragma deprecated("ExFreeToNPagedLookasideList") #pragma deprecated("ExFreeToPagedLookasideList") #pragma deprecated("ExDeleteLookasideListEx") #pragma deprecated("ExDeleteNPagedLookasideList") #pragma deprecated("ExDeletePagedLookasideList") #pragma deprecated("ExInitializeLookasideListEx") #pragma deprecated("ExInitializeNPagedLookasideList") #pragma deprecated("ExInitializePagedLookasideList") FORCEINLINE VOID KphFreePool( _FreesMem_ PVOID Memory ) { #pragma warning(suppress: 4995) // intentional use of ExFreePool ExFreePoolWithTag(Memory, 0); } _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeAlloc( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(NumberOfBytes) PVOID KphAllocateNPaged( _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag ); _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(NumberOfBytes) PVOID KphAllocatePaged( _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFree( _FreesMem_ PVOID Memory, _In_ ULONG Tag ); #pragma prefast(push) #pragma prefast(disable: 28195) // acquire memory without doing so _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(NumberOfBytes) FORCEINLINE PVOID KphpAllocateNPagedA( _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag, _Out_writes_bytes_(SizeOfStack) PBYTE Stack, _In_ ULONG SizeOfStack ) { if (NumberOfBytes <= SizeOfStack) { RtlZeroMemory(Stack, SizeOfStack); return Stack; } return KphAllocateNPaged(NumberOfBytes, Tag); } #pragma prefast(pop) #define KphAllocateNPagedA(NumberOfBytes, Tag, Stack) \ KphpAllocateNPagedA(NumberOfBytes, Tag, Stack, sizeof(Stack)) #pragma prefast(push) #pragma prefast(disable: 28195) // acquire memory without doing so _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(NumberOfBytes) FORCEINLINE PVOID KphpAllocatePagedA( _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag, _Out_writes_bytes_(SizeOfStack) PBYTE Stack, _In_ ULONG SizeOfStack ) { if (NumberOfBytes <= SizeOfStack) { RtlZeroMemory(Stack, SizeOfStack); return Stack; } return KphAllocatePaged(NumberOfBytes, Tag); } #pragma prefast(pop) #define KphAllocatePagedA(NumberOfBytes, Tag, Stack) \ KphpAllocatePagedA(NumberOfBytes, Tag, Stack, sizeof(Stack)) #pragma prefast(push) #pragma prefast(disable: 6014) // leaking memory _IRQL_requires_max_(DISPATCH_LEVEL) FORCEINLINE VOID KphpFreeA( _FreesMem_ PVOID Memory, _In_ ULONG Tag, _In_ PBYTE Stack ) { if (Memory != Stack) { KphFree(Memory, Tag); } } #pragma prefast(pop) #define KphFreeA(Memory, Tag, Stack) KphpFreeA(Memory, Tag, Stack) _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphInitializeNPagedLookaside( _Out_ PNPAGED_LOOKASIDE_LIST Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphDeleteNPagedLookaside( _Inout_ PNPAGED_LOOKASIDE_LIST Lookaside ); _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromNPagedLookaside( _Inout_ PNPAGED_LOOKASIDE_LIST Lookaside ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFreeToNPagedLookaside( _Inout_ PNPAGED_LOOKASIDE_LIST Lookaside, _In_freesMem_ PVOID Memory ); _IRQL_requires_max_(APC_LEVEL) VOID KphInitializePagedLookaside( _Out_ PPAGED_LOOKASIDE_LIST Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ); _IRQL_requires_max_(APC_LEVEL) VOID KphDeletePagedLookaside( _Inout_ PPAGED_LOOKASIDE_LIST Lookaside ); _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromPagedLookaside( _Inout_ PPAGED_LOOKASIDE_LIST Lookaside ); _IRQL_requires_max_(APC_LEVEL) VOID KphFreeToPagedLookaside( _Inout_ PPAGED_LOOKASIDE_LIST Lookaside, _In_freesMem_ PVOID Memory ); typedef PAGED_LOOKASIDE_LIST KPH_PAGED_LOOKASIDE_OBJECT; typedef KPH_PAGED_LOOKASIDE_OBJECT* PKPH_PAGED_LOOKASIDE_OBJECT; _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphCreatePagedLookasideObject( _Outptr_result_nullonfailure_ PKPH_PAGED_LOOKASIDE_OBJECT* Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ); _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromPagedLookasideObject( _Inout_ PKPH_PAGED_LOOKASIDE_OBJECT Lookaside ); _IRQL_requires_max_(APC_LEVEL) VOID KphFreeToPagedLookasideObject( _Inout_ PKPH_PAGED_LOOKASIDE_OBJECT Lookaside, _In_freesMem_ PVOID Memory ); typedef NPAGED_LOOKASIDE_LIST KPH_NPAGED_LOOKASIDE_OBJECT; typedef KPH_NPAGED_LOOKASIDE_OBJECT* PKPH_NPAGED_LOOKASIDE_OBJECT; _IRQL_requires_max_(DISPATCH_LEVEL) NTSTATUS KphCreateNPagedLookasideObject( _Outptr_result_nullonfailure_ PKPH_NPAGED_LOOKASIDE_OBJECT* Lookaside, _In_ SIZE_T Size, _In_ ULONG Tag ); _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(Lookaside->L.Size) PVOID KphAllocateFromNPagedLookasideObject( _Inout_ PKPH_NPAGED_LOOKASIDE_OBJECT Lookaside ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphFreeToNPagedLookasideObject( _Inout_ PKPH_NPAGED_LOOKASIDE_OBJECT Lookaside, _In_freesMem_ PVOID Memory ); // dynimp extern PPS_SET_LOAD_IMAGE_NOTIFY_ROUTINE_EX KphDynPsSetLoadImageNotifyRoutineEx; extern PPS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_EX2 KphDynPsSetCreateProcessNotifyRoutineEx2; extern PMM_PROTECT_DRIVER_SECTION KphDynMmProtectDriverSection; extern PPS_GET_PROCESS_SEQUENCE_NUMBER KphDynPsGetProcessSequenceNumber; extern PPS_GET_PROCESS_START_KEY KphDynPsGetProcessStartKey; extern PSE_REGISTER_IMAGE_VERIFICATION_CALLBACK KphSeRegisterImageVerificationCallback; extern PSE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK KphSeUnregisterImageVerificationCallback; extern PCI_VALIDATE_FILE_OBJECT KphDynCiValidateFileObject; extern PCI_FREE_POLICY_INFO KphDynCiFreePolicyInfo; extern PLXP_THREAD_GET_CURRENT KphDynLxpThreadGetCurrent; extern PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_SOURCE KphDynIoCheckFileObjectOpenedAsCopySource; extern PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_DESTINATION KphDynIoCheckFileObjectOpenedAsCopyDestination; extern PFLT_GET_COPY_INFORMATION_FROM_CALLBACK_DATA KphDynFltGetCopyInformationFromCallbackData; _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphDynamicImport( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) PVOID KphGetSystemRoutineAddress( _In_z_ PCWSTR SystemRoutineName ); _IRQL_requires_max_(PASSIVE_LEVEL) PVOID KphGetRoutineAddress( _In_z_ PCWSTR ModuleName, _In_z_ PCSTR RoutineName ); // dyndata typedef struct _KPH_DYN { ULONG EgeGuid; ULONG EpObjectTable; ULONG EreGuidEntry; ULONG HtHandleContentionEvent; ULONG OtName; ULONG OtIndex; ULONG ObDecodeShift; ULONG ObAttributesShift; ULONG AlpcCommunicationInfo; ULONG AlpcOwnerProcess; ULONG AlpcConnectionPort; ULONG AlpcServerCommunicationPort; ULONG AlpcClientCommunicationPort; ULONG AlpcHandleTable; ULONG AlpcHandleTableLock; ULONG AlpcAttributes; ULONG AlpcAttributesFlags; ULONG AlpcPortContext; ULONG AlpcPortObjectLock; ULONG AlpcSequenceNo; ULONG AlpcState; ULONG KtInitialStack; ULONG KtStackLimit; ULONG KtStackBase; ULONG KtKernelStack; ULONG KtReadOperationCount; ULONG KtWriteOperationCount; ULONG KtOtherOperationCount; ULONG KtReadTransferCount; ULONG KtWriteTransferCount; ULONG KtOtherTransferCount; ULONG MmSectionControlArea; ULONG MmControlAreaListHead; ULONG MmControlAreaLock; ULONG EpSectionObject; ULONG LxPicoProc; ULONG LxPicoProcInfo; ULONG LxPicoProcInfoPID; ULONG LxPicoThrdInfo; ULONG LxPicoThrdInfoTID; BCRYPT_KEY_HANDLE SessionTokenPublicKeyHandle; } KPH_DYN, *PKPH_DYN; _Must_inspect_result_ PKPH_DYN KphReferenceDynData( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphActivateDynData( _In_ PBYTE DynData, _In_ ULONG DynDataLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphIsDynDataActive( _Out_ PBOOLEAN IsActive, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeDynData( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupDynData( VOID ); // object #ifdef _X86_ #define KERNEL_HANDLE_BIT (0x80000000) #else #define KERNEL_HANDLE_BIT (0xffffffff80000000) #endif #define IsKernelHandle(Handle) ((LONG_PTR)(Handle) < 0) #define MakeKernelHandle(Handle) ((HANDLE)((ULONG_PTR)(Handle) | KERNEL_HANDLE_BIT)) #define IsPseudoHandle(Handle) (((ULONG_PTR)(Handle) <= (ULONG_PTR)-1) && \ ((ULONG_PTR)(Handle) >= (ULONG_PTR)-6)) _Must_inspect_result_ PVOID KphObpDecodeObject( _In_ PKPH_DYN Dyn, _In_ PHANDLE_TABLE_ENTRY HandleTableEntry ); ULONG KphObpGetHandleAttributes( _In_ PKPH_DYN Dyn, _In_ PHANDLE_TABLE_ENTRY HandleTableEntry ); _When_(NT_SUCCESS(return), _Acquires_lock_(Process)) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphReferenceProcessHandleTable( _In_ PKPH_DYN Dyn, _In_ PEPROCESS Process, _Outptr_result_nullonfailure_ PHANDLE_TABLE* HandleTable ); _Releases_lock_(Process) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphDereferenceProcessHandleTable( _In_ PEPROCESS Process ); typedef _Function_class_(KPH_ENUM_PROCESS_HANDLES_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ BOOLEAN KSIAPI KPH_ENUM_PROCESS_HANDLES_CALLBACK( _Inout_ PHANDLE_TABLE_ENTRY HandleTableEntry, _In_ HANDLE Handle, _In_opt_ PVOID Parameter ); typedef KPH_ENUM_PROCESS_HANDLES_CALLBACK* PKPH_ENUM_PROCESS_HANDLES_CALLBACK; _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphEnumerateProcessHandlesEx( _In_ PEPROCESS Process, _In_ PKPH_ENUM_PROCESS_HANDLES_CALLBACK Callback, _In_opt_ PVOID Parameter ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphEnumerateProcessHandles( _In_ HANDLE ProcessHandle, _Out_writes_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryNameObject( _In_ PVOID Object, _Out_writes_bytes_opt_(BufferLength) POBJECT_NAME_INFORMATION Buffer, _In_ ULONG BufferLength, _Out_ PULONG ReturnLength ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryNameFileObject( _In_ PFILE_OBJECT FileObject, _Out_writes_bytes_opt_(BufferLength) POBJECT_NAME_INFORMATION Buffer, _In_ ULONG BufferLength, _Out_ PULONG ReturnLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenNamedObject( _Out_ PHANDLE ObjectHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ POBJECT_TYPE ObjectType, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphDuplicateObject( _In_ HANDLE ProcessHandle, _In_ HANDLE SourceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TargetHandle, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCompareObjects( _In_ HANDLE ProcessHandle, _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle, _In_ KPROCESSOR_MODE AccessMode ); // process _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenProcessJob( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE JobHandle, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphTerminateProcess( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _Out_writes_bytes_opt_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _In_ KPROCESSOR_MODE AccessMode ); // driver _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenDriver( _Out_ PHANDLE DriverHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationDriver( _In_ HANDLE DriverHandle, _In_ KPH_DRIVER_INFORMATION_CLASS DriverInformationClass, _Out_writes_bytes_opt_(DriverInformationLength) PVOID DriverInformation, _In_ ULONG DriverInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); // device _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenDevice( _Out_ PHANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenDeviceDriver( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE DriverHandle, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphOpenDeviceBaseDevice( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE BaseDeviceHandle, _In_ KPROCESSOR_MODE AccessMode ); // thread _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenThreadProcess( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE ProcessHandle, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCaptureStackBackTraceThreadByHandle( _In_ HANDLE ThreadHandle, _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_ PULONG CapturedFrames, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER Timeout, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _Out_writes_bytes_opt_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); // util #pragma deprecated("memcmp") #pragma deprecated("RtlCompareMemory") #pragma deprecated("RtlEqualMemory") _Must_inspect_result_ FORCEINLINE INT KphCompareMemory( _In_reads_bytes_(Length) PVOID Buffer1, _In_reads_bytes_(Length) PVOID Buffer2, _In_ SIZE_T Length ) { #pragma warning(suppress: 4995) // suppress deprecation warning return memcmp(Buffer1, Buffer2, Length); } _Must_inspect_result_ FORCEINLINE BOOLEAN KphEqualMemory( _In_reads_bytes_(Length) PVOID Buffer1, _In_reads_bytes_(Length) PVOID Buffer2, _In_ SIZE_T Length ) { #pragma warning(suppress: 4995) // suppress deprecation warning return (memcmp(Buffer1, Buffer2, Length) == 0); } typedef _Function_class_(KPH_BINARY_SEARCH_CALLBACK) INT KSIAPI KPH_BINARY_SEARCH_CALLBACK( _In_opt_ PVOID Context, _In_ PCVOID Key, _In_ PCVOID Element ); typedef KPH_BINARY_SEARCH_CALLBACK* PKPH_BINARY_SEARCH_CALLBACK; _Must_inspect_result_ _Success_(return != NULL) PVOID KphBinarySearch( _In_ PCVOID Key, _In_reads_bytes_(NumberOfElements * SizeOfElement) PCVOID Base, _In_ ULONG NumberOfElements, _In_ ULONG SizeOfElement, _In_ PKPH_BINARY_SEARCH_CALLBACK Callback, _In_opt_ PVOID Context ); typedef _Function_class_(KPH_QUICK_SORT_CALLBACK) INT KSIAPI KPH_QUICK_SORT_CALLBACK( _In_opt_ PVOID Context, _In_ PCVOID LeftElement, _In_ PCVOID RightElement ); typedef KPH_QUICK_SORT_CALLBACK* PKPH_QUICK_SORT_CALLBACK; VOID KphQuickSort( _Inout_updates_bytes_(NumberOfElements * SizeOfElement) PVOID Base, _In_ ULONG NumberOfElements, _In_ ULONG SizeOfElement, _In_ PKPH_QUICK_SORT_CALLBACK Callback, _In_opt_ PVOID Context ); _Must_inspect_result_ _Success_(return != NULL) PVOID KphSearchMemory( _In_reads_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _In_reads_bytes_(PatternLength) PVOID Pattern, _In_ ULONG PatternLength ); typedef EX_RUNDOWN_REF KPH_RUNDOWN; typedef KPH_RUNDOWN* PKPH_RUNDOWN; _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ BOOLEAN KphAcquireRundown( _Inout_ PKPH_RUNDOWN Rundown ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphReleaseRundown( _Inout_ PKPH_RUNDOWN Rundown ); _IRQL_requires_max_(APC_LEVEL) VOID KphInitializeRundown( _Out_ PKPH_RUNDOWN Rundown ); _IRQL_requires_max_(APC_LEVEL) VOID KphWaitForRundown( _Inout_ PKPH_RUNDOWN Rundown ); typedef EX_PUSH_LOCK KPH_RWLOCK; typedef KPH_RWLOCK* PKPH_RWLOCK; _IRQL_requires_max_(APC_LEVEL) VOID KphInitializeRWLock( _Out_ PKPH_RWLOCK Lock ); _IRQL_requires_max_(APC_LEVEL) VOID KphDeleteRWLock( _In_ PKPH_RWLOCK Lock ); _IRQL_requires_max_(APC_LEVEL) _Acquires_lock_(_Global_critical_region_) VOID KphAcquireRWLockExclusive( _Inout_ _Requires_lock_not_held_(*_Curr_) _Acquires_lock_(*_Curr_) PKPH_RWLOCK Lock ); _IRQL_requires_max_(APC_LEVEL) _Acquires_lock_(_Global_critical_region_) VOID KphAcquireRWLockShared( _Inout_ _Requires_lock_not_held_(*_Curr_) _Acquires_lock_(*_Curr_) PKPH_RWLOCK Lock ); _IRQL_requires_max_(APC_LEVEL) _Releases_lock_(_Global_critical_region_) VOID KphReleaseRWLock( _Inout_ _Requires_lock_held_(*_Curr_) _Releases_lock_(*_Curr_) PKPH_RWLOCK Lock ); _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ BOOLEAN KphIsSameFile( _In_ PFILE_OBJECT FirstFileObject, _In_ PFILE_OBJECT SecondFileObject ); typedef struct _KPH_REFERENCE { LONG Count; } KPH_REFERENCE, *PKPH_REFERENCE; _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphAcquireReference( _Inout_ PKPH_REFERENCE Reference, _Out_opt_ PLONG PreviousCount ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphReleaseReference( _Inout_ PKPH_REFERENCE Reference, _Out_opt_ PLONG PreviousCount ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphValidateAddressForSystemModules( _In_ PVOID Address, _In_ SIZE_T Length ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryRegistryString( _In_ HANDLE KeyHandle, _In_ PCUNICODE_STRING ValueName, _Outptr_allocatesMem_ PUNICODE_STRING* String ); _IRQL_requires_max_(APC_LEVEL) VOID KphFreeRegistryString( _In_freesMem_ PUNICODE_STRING String ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryRegistryBinary( _In_ HANDLE KeyHandle, _In_ PCUNICODE_STRING ValueName, _Outptr_allocatesMem_ PBYTE* Buffer, _Out_ PULONG Length ); _IRQL_requires_max_(APC_LEVEL) VOID KphFreeRegistryBinary( _In_freesMem_ PBYTE Buffer ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryRegistryULong( _In_ HANDLE KeyHandle, _In_ PCUNICODE_STRING ValueName, _Out_ PULONG Value ); #define KPH_MAP_DATA 0x00000000ul #define KPH_MAP_IMAGE 0x00000001ul _IRQL_always_function_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphMapViewInSystem( _In_ HANDLE FileHandle, _In_ ULONG Flags, _Outptr_result_bytebuffer_(*ViewSize) PVOID *MappedBase, _Inout_ PSIZE_T ViewSize ); _IRQL_always_function_max_(PASSIVE_LEVEL) VOID KphUnmapViewInSystem( _In_ PVOID MappedBase ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetNameFileObject( _In_ PFILE_OBJECT FileObject, _Outptr_allocatesMem_ PUNICODE_STRING* FileName ); _IRQL_requires_max_(APC_LEVEL) VOID KphFreeNameFileObject( _In_freesMem_ PUNICODE_STRING FileName ); _IRQL_requires_max_(APC_LEVEL) BOOLEAN KphSinglePrivilegeCheckEx( _In_ LUID PrivilegeValue, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) BOOLEAN KphSinglePrivilegeCheck( _In_ LUID PrivilegeValue, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetFileVersion( _In_ PCUNICODE_STRING FileName, _Out_ PKPH_FILE_VERSION Version ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetKernelVersion( _Out_ PKPH_FILE_VERSION Version ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGuardGrantSuppressedCallAccess( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphDisableXfgOnTarget( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphGetFileNameFinalComponent( _In_ PCUNICODE_STRING FileName, _Out_ PUNICODE_STRING FinalComponent ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetProcessImageName( _In_ PEPROCESS Process, _Out_allocatesMem_ PUNICODE_STRING ImageName ); _IRQL_requires_max_(APC_LEVEL) VOID KphFreeProcessImageName( _In_freesMem_ PUNICODE_STRING ImageName ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenParametersKey( _In_ PCUNICODE_STRING RegistryPath, _Out_ PHANDLE KeyHandle ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphDominationCheck( _In_ PEPROCESS Process, _In_ PEPROCESS ProcessTarget, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphDominationAndPrivilegeCheck( _In_ ULONG Privileges, _In_ PETHREAD Thread, _In_ PEPROCESS ProcessTarget, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(DISPATCH_LEVEL) ULONG64 KphGetProcessSequenceNumber( _In_ PEPROCESS Process ); _IRQL_requires_max_(DISPATCH_LEVEL) ULONG64 KphGetProcessStartKey( _In_ PEPROCESS Process ); #define KphGetCurrentProcessStartKey() KphGetProcessStartKey(PsGetCurrentProcess()) #define KphGetThreadProcessStartKey(thread) KphGetProcessStartKey(PsGetThreadProcess(thread)) _IRQL_requires_max_(DISPATCH_LEVEL) PVOID KphGetCurrentThreadSubProcessTag( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) PVOID KphGetThreadSubProcessTagEx( _In_ PETHREAD Thread, _In_ BOOLEAN CacheOnly ); _IRQL_requires_max_(DISPATCH_LEVEL) PVOID KphGetThreadSubProcessTag( _In_ PETHREAD Thread ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetSigningLevel( _In_ PFILE_OBJECT FileObject, _Out_ PSE_SIGNING_LEVEL SigningLevel ); typedef union _KPH_IMAGE_NT_HEADERS { PIMAGE_NT_HEADERS Headers; PIMAGE_NT_HEADERS32 Headers32; PIMAGE_NT_HEADERS64 Headers64; } KPH_IMAGE_NT_HEADERS, *PKPH_IMAGE_NT_HEADERS; _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphImageNtHeader( _In_ PVOID Base, _In_ ULONG64 Size, _Out_ PKPH_IMAGE_NT_HEADERS Headers ); // lsa _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphProcessIsLsass( _In_ PEPROCESS Process, _Out_ PBOOLEAN IsLsass ); _IRQL_requires_max_(APC_LEVEL) VOID KphValidateLsass( _In_ PEPROCESS Process ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInvalidateLsass( _In_ PEPROCESS Process ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphCanIdentifyLsass( VOID ); // vm _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphReadVirtualMemory( _In_opt_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQuerySection( _In_ HANDLE SectionHandle, _In_ KPH_SECTION_INFORMATION_CLASS SectionInformationClass, _Out_writes_bytes_opt_(SectionInformationLength) PVOID SectionInformation, _In_ ULONG SectionInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); typedef struct _KPH_VM_TLS_CREATE_DATA_SECTION { NTSTATUS Status; HANDLE SectionHandle; LARGE_INTEGER SectionFileSize; KPROCESSOR_MODE AccessMode; } KPH_VM_TLS_CREATE_DATA_SECTION, *PKPH_VM_TLS_CREATE_DATA_SECTION; _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ KPH_MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_opt_(MemoryInformationLength) PVOID MemoryInformation, _In_ ULONG MemoryInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); // hash _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeHashing( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupHashing( VOID ); _IRQL_requires_max_(APC_LEVEL) VOID KphReferenceHashingInfrastructure( VOID ); _IRQL_requires_max_(APC_LEVEL) VOID KphDereferenceHashingInfrastructure( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphHashBuffer( _In_ PBYTE Buffer, _In_ ULONG BufferLength, _In_ KPH_HASH_ALGORITHM HashAlgorithm, _Out_ PKPH_HASH_INFORMATION HashInformation ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryHashInformationFile( _In_ HANDLE FileHandle, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG HashInformationLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryHashInformationFileObject( _In_ PFILE_OBJECT FileObject, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG HashInformationLength ); // kphobject typedef struct _KPH_OBJECT_HEADER { SSIZE_T PointerCount; UCHAR TypeIndex; SLIST_ENTRY ListEntry; QUAD Body; } KPH_OBJECT_HEADER, *PKPH_OBJECT_HEADER; C_ASSERT((FIELD_OFFSET(KPH_OBJECT_HEADER, Body) % MEMORY_ALLOCATION_ALIGNMENT) == 0); #define KphObjectToObjectHeader(x) ((PKPH_OBJECT_HEADER)CONTAINING_RECORD((PCHAR)x, KPH_OBJECT_HEADER, Body)) #define KphObjectHeaderToObject(x) ((PVOID)&((PKPH_OBJECT_HEADER)(x))->Body) #define KphAddObjectHeaderSize(x) ((SIZE_T)(x) + FIELD_OFFSET(KPH_OBJECT_HEADER, Body)) typedef _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _Return_allocatesMem_size_(Size) PVOID KSIAPI KPH_TYPE_ALLOCATE_PROCEDURE( _In_ SIZE_T Size ); typedef KPH_TYPE_ALLOCATE_PROCEDURE* PKPH_TYPE_ALLOCATE_PROCEDURE; typedef _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _Must_inspect_result_ NTSTATUS KSIAPI KPH_TYPE_INITIALIZE_PROCEDURE( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ); typedef KPH_TYPE_INITIALIZE_PROCEDURE* PKPH_TYPE_INITIALIZE_PROCEDURE; typedef _Function_class_(KPH_TYPE_DELETE_PROCEDURE) VOID KSIAPI KPH_TYPE_DELETE_PROCEDURE( _Inout_ PVOID Object ); typedef KPH_TYPE_DELETE_PROCEDURE* PKPH_TYPE_DELETE_PROCEDURE; typedef _Function_class_(KPH_TYPE_FREE_PROCEDURE) VOID KSIAPI KPH_TYPE_FREE_PROCEDURE( _In_freesMem_ PVOID Object ); typedef KPH_TYPE_FREE_PROCEDURE* PKPH_TYPE_FREE_PROCEDURE; typedef struct _KPH_OBJECT_TYPE_INFO { PKPH_TYPE_ALLOCATE_PROCEDURE Allocate; PKPH_TYPE_INITIALIZE_PROCEDURE Initialize; PKPH_TYPE_DELETE_PROCEDURE Delete; PKPH_TYPE_FREE_PROCEDURE Free; union { struct { ULONG DeferDelete : 1; ULONG Spare : 31; }; ULONG Flags; }; } KPH_OBJECT_TYPE_INFO, *PKPH_OBJECT_TYPE_INFO; typedef struct _KPH_OBJECT_TYPE { UNICODE_STRING Name; UCHAR Index; SIZE_T TotalNumberOfObjects; SIZE_T HighWaterNumberOfObjects; KPH_OBJECT_TYPE_INFO TypeInfo; } KPH_OBJECT_TYPE, *PKPH_OBJECT_TYPE; _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphObjectInitialize( VOID ); VOID KphCreateObjectType( _In_ PCUNICODE_STRING TypeName, _In_ PKPH_OBJECT_TYPE_INFO TypeInfo, _Outptr_ PKPH_OBJECT_TYPE* ObjectType ); _Must_inspect_result_ NTSTATUS KphCreateObject( _In_ PKPH_OBJECT_TYPE ObjectType, _In_ ULONG ObjectBodySize, _Outptr_result_nullonfailure_ PVOID* Object, _In_opt_ PVOID Parameter ); VOID KphReferenceObject( _In_ PVOID Object ); VOID KphDereferenceObject( _In_ PVOID Object ); VOID KphDereferenceObjectDeferDelete( _In_ PVOID Object ); _Must_inspect_result_ PKPH_OBJECT_TYPE KphGetObjectType( _In_ PVOID Object ); typedef struct _KPH_ATOMIC_OBJECT_REF { ULONG_PTR Object; } KPH_ATOMIC_OBJECT_REF, *PKPH_ATOMIC_OBJECT_REF; #define KPH_ATOMIC_OBJECT_REF_INIT { .Object = 0 } _Must_inspect_result_ PVOID KphAtomicReferenceObject( _In_ PKPH_ATOMIC_OBJECT_REF ObjectRef ); VOID KphAtomicAssignObjectReference( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef, _In_opt_ PVOID Object ); _Must_inspect_result_ PVOID KphAtomicMoveObjectReference( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef, _In_opt_ PVOID Object ); // cid_table typedef struct _KPH_CID_TABLE_ENTRY { KPH_ATOMIC_OBJECT_REF ObjectRef; } KPH_CID_TABLE_ENTRY, *PKPH_CID_TABLE_ENTRY; typedef struct _KPH_CID_TABLE { KSPIN_LOCK Lock; ULONG_PTR Table; } KPH_CID_TABLE, *PKPH_CID_TABLE; _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ NTSTATUS KphCidTableCreate( _Out_ PKPH_CID_TABLE Table ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidTableDelete( _In_ PKPH_CID_TABLE Table ); _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidAssignObject( _Inout_ PKPH_CID_TABLE_ENTRY Entry, _In_opt_ PVOID Object ); _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PVOID KphCidReferenceObject( _In_ PKPH_CID_TABLE_ENTRY Entry ); _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_CID_TABLE_ENTRY KphCidGetEntry( _In_ HANDLE Cid, _Inout_ PKPH_CID_TABLE Table ); typedef _Function_class_(KPH_CID_ENUMERATE_CALLBACK) BOOLEAN KSIAPI KPH_CID_ENUMERATE_CALLBACK( _In_ PVOID Object, _In_opt_ PVOID Parameter ); typedef KPH_CID_ENUMERATE_CALLBACK* PKPH_CID_ENUMERATE_CALLBACK; _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidEnumerate( _In_ PKPH_CID_TABLE Table, _In_ PKPH_CID_ENUMERATE_CALLBACK Callback, _In_opt_ PVOID Parameter ); typedef _Function_class_(KPH_CID_RUNDOWN_CALLBACK) VOID KSIAPI KPH_CID_RUNDOWN_CALLBACK( _In_ PVOID Object, _In_opt_ PVOID Parameter ); typedef KPH_CID_RUNDOWN_CALLBACK* PKPH_CID_RUNDOWN_CALLBACK; _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphCidRundown( _In_ PKPH_CID_TABLE Table, _In_ PKPH_CID_RUNDOWN_CALLBACK Callback, _In_opt_ PVOID Parameter ); // cid_tracking #define KPH_PROTECTED_PROCESS_MASK (KPH_PROCESS_READ_ACCESS |\ PROCESS_TERMINATE |\ PROCESS_SUSPEND_RESUME) #define KPH_PROTECTED_THREAD_MASK (KPH_THREAD_READ_ACCESS |\ THREAD_TERMINATE |\ THREAD_SUSPEND_RESUME |\ THREAD_RESUME) typedef union _KPH_SESSION_TOKEN_ATOMIC { struct _KPH_SESSION_TOKEN* Token; KPH_ATOMIC_OBJECT_REF Atomic; } KPH_SESSION_TOKEN_ATOMIC, *PKPH_SESSION_TOKEN_ATOMIC; typedef union _KPH_INFORMER_STATE_ATOMIC { struct _KPH_INFORMER_STATE* State; KPH_ATOMIC_OBJECT_REF Atomic; } KPH_INFORMER_STATE_ATOMIC, *PKPH_INFORMER_STATE_ATOMIC; typedef struct _KPH_PROCESS_CONTEXT { PEPROCESS EProcess; HANDLE ProcessId; ULONG64 SequenceNumber; ULONG64 ProcessStartKey; CLIENT_ID CreatorClientId; PUNICODE_STRING ImageFileName; UNICODE_STRING ImageName; PFILE_OBJECT FileObject; SIZE_T NumberOfImageLoads; KPH_SESSION_TOKEN_ATOMIC SessionToken; KPH_INFORMER_STATE_ATOMIC InformerState; union { ULONG Flags; struct { ULONG CreateNotification : 1; ULONG ExitNotification : 1; ULONG VerifiedProcess : 1; ULONG SecurelyCreated : 1; ULONG Protected : 1; ULONG IsWow64 : 1; ULONG IsSubsystemProcess : 1; ULONG AllocatedImageName : 1; ULONG SystemAllocatedImageFileName : 1; ULONG Reserved : 23; }; }; KPH_RWLOCK ThreadListLock; struct _KPH_THREAD_CONTEXT* InitialThread; SIZE_T NumberOfThreads; LIST_ENTRY ThreadListHead; SIZE_T NumberOfUnlinkedThreads; // // Masks are only valid if Protected flag is set. // KPH_RWLOCK ProtectionLock; ACCESS_MASK ProcessAllowedMask; ACCESS_MASK ThreadAllowedMask; union { ULONG Flags; struct { ULONG Debugged : 1; ULONG FileObjectWritable : 1; ULONG FileObjectTransaction : 1; ULONG UserWritableReferences : 1; ULONG Reserved : 28; }; } StateTracking; // // Only tracked for verified processes. // SIZE_T NumberOfMicrosoftImageLoads; SIZE_T NumberOfAntimalwareImageLoads; SIZE_T NumberOfVerifiedImageLoads; SIZE_T NumberOfUntrustedImageLoads; PKNORMAL_ROUTINE ApcNoopRoutine; SUBSYSTEM_INFORMATION_TYPE SubsystemType; // // SubsystemInformationTypeWSL information // struct { BOOLEAN ValidProcessId; ULONG ProcessId; } WSL; } KPH_PROCESS_CONTEXT, *PKPH_PROCESS_CONTEXT; extern PKPH_OBJECT_TYPE KphProcessContextType; typedef enum _KPH_PROCESS_CONTEXT_INFORMATION_CLASS { KphProcessContextWSLProcessId, // q: ULONG } KPH_PROCESS_CONTEXT_INFORMATION_CLASS, *PKPH_PROCESS_CONTEXT_INFORMATION_CLASS; _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationProcessContext( _In_ PKPH_PROCESS_CONTEXT Process, _In_ KPH_PROCESS_CONTEXT_INFORMATION_CLASS InformationClass, _Out_writes_bytes_opt_(InformationLength) PVOID Information, _In_ ULONG InformationLength, _Out_opt_ PULONG ReturnLength ); typedef struct _KPH_THREAD_CONTEXT { PETHREAD EThread; PKPH_PROCESS_CONTEXT ProcessContext; CLIENT_ID ClientId; CLIENT_ID CreatorClientId; PVOID SubProcessTag; KPH_SESSION_TOKEN_ATOMIC SessionToken; KPH_SESSION_TOKEN_ATOMIC RequestSessionToken; union { volatile ULONG Flags; struct { ULONG CreateNotification : 1; ULONG ExecuteNotification : 1; ULONG ExitNotification : 1; ULONG InThreadList : 1; ULONG IsCreatingProcess : 1; ULONG CapturingUserModeStack : 1; ULONG Reserved : 26; }; }; LIST_ENTRY ThreadListEntry; // // Only valid if IsCreatingProcess flag is set. // HANDLE IsCreatingProcessId; SUBSYSTEM_INFORMATION_TYPE SubsystemType; // // SubsystemInformationTypeWSL information // struct { BOOLEAN ValidThreadId; ULONG ThreadId; } WSL; PVOID VmTlsCreateDataSection; PVOID VmTlsMappedInformation; } KPH_THREAD_CONTEXT, *PKPH_THREAD_CONTEXT; extern PKPH_OBJECT_TYPE KphThreadContextType; typedef enum _KPH_THREAD_CONTEXT_INFORMATION_CLASS { KphThreadContextWSLThreadId, // q: ULONG } KPH_THREAD_CONTEXT_INFORMATION_CLASS, *PKPH_THREAD_CONTEXT_INFORMATION_CLASS; _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationThreadContext( _In_ PKPH_THREAD_CONTEXT Thread, _In_ KPH_THREAD_CONTEXT_INFORMATION_CLASS InformationClass, _Out_writes_bytes_opt_(InformationLength) PVOID Information, _In_ ULONG InformationLength, _Out_opt_ PULONG ReturnLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCidInitialize( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCidPopulate( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCidCleanup( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCidMarkPopulated( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphGetSystemProcessContext( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphGetProcessContext( _In_ HANDLE ProcessId ); _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphGetEProcessContext( _In_ PEPROCESS Process ); #define KphGetCurrentProcessContext() KphGetEProcessContext(PsGetCurrentProcess()) _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ PKPH_THREAD_CONTEXT KphGetThreadContext( _In_ HANDLE ThreadId ); #define KphGetEThreadContext(thread) KphGetThreadContext(PsGetThreadId(thread)) #define KphGetCurrentThreadContext() KphGetThreadContext(PsGetCurrentThreadId()) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphTrackProcessContext( _In_ PEPROCESS Process ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphUntrackProcessContext( _In_ HANDLE ProcessId ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ PKPH_THREAD_CONTEXT KphTrackThreadContext( _In_ PETHREAD Thread ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ PKPH_THREAD_CONTEXT KphUntrackThreadContext( _In_ HANDLE ThreadId ); typedef _Function_class_(KPH_ENUM_PROCESS_CONTEXTS_CALLBACK) _Must_inspect_result_ BOOLEAN KSIAPI KPH_ENUM_PROCESS_CONTEXTS_CALLBACK( _In_ PKPH_PROCESS_CONTEXT Process, _In_opt_ PVOID Parameter ); typedef KPH_ENUM_PROCESS_CONTEXTS_CALLBACK* PKPH_ENUM_PROCESS_CONTEXTS_CALLBACK; _IRQL_requires_max_(APC_LEVEL) VOID KphEnumerateProcessContexts( _In_ PKPH_ENUM_PROCESS_CONTEXTS_CALLBACK Callback, _In_opt_ PVOID Parameter ); typedef _Function_class_(KPH_ENUM_THREAD_CONTEXTS_CALLBACK) _Must_inspect_result_ BOOLEAN KSIAPI KPH_ENUM_THREAD_CONTEXTS_CALLBACK( _In_ PKPH_PROCESS_CONTEXT Thread, _In_opt_ PVOID Parameter ); typedef KPH_ENUM_THREAD_CONTEXTS_CALLBACK* PKPH_ENUM_THREAD_CONTEXTS_CALLBACK; _IRQL_requires_max_(APC_LEVEL) VOID KphEnumerateThreadContexts( _In_ PKPH_ENUM_THREAD_CONTEXTS_CALLBACK Callback, _In_opt_ PVOID Parameter ); typedef _Function_class_(KPH_ENUM_CID_CONTEXTS_CALLBACK) _Must_inspect_result_ BOOLEAN KSIAPI KPH_ENUM_CID_CONTEXTS_CALLBACK( _In_ PVOID Context, _In_opt_ PVOID Parameter ); typedef KPH_ENUM_CID_CONTEXTS_CALLBACK* PKPH_ENUM_CID_CONTEXTS_CALLBACK; _IRQL_requires_max_(APC_LEVEL) VOID KphEnumerateCidContexts( _In_ KPH_ENUM_CID_CONTEXTS_CALLBACK Callback, _In_opt_ PVOID Parameter ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCheckProcessApcNoopRoutine( _In_ PKPH_PROCESS_CONTEXT ProcessContext ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphVerifyProcessAndProtectIfAppropriate( _In_ PKPH_PROCESS_CONTEXT Process ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ _Maybenull_ PUNICODE_STRING KphGetThreadImageName( _In_ PKPH_THREAD_CONTEXT Thread ); _IRQL_requires_max_(APC_LEVEL) KPH_PROCESS_STATE KphGetProcessState( _In_ PKPH_PROCESS_CONTEXT Process ); _IRQL_requires_max_(APC_LEVEL) FORCEINLINE BOOLEAN KphTestProcessState( _In_ KPH_PROCESS_STATE ProcessState, _In_ KPH_PROCESS_STATE State ) { return ((ProcessState & State) == State); } _IRQL_requires_max_(APC_LEVEL) FORCEINLINE BOOLEAN KphTestProcessContextState( _In_ PKPH_PROCESS_CONTEXT Process, _In_ KPH_PROCESS_STATE State ) { return KphTestProcessState(KphGetProcessState(Process), State); } // protection _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeProtection( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphStartProtectingProcess( _In_ PKPH_PROCESS_CONTEXT Process, _In_ ACCESS_MASK ProcessAllowedMask, _In_ ACCESS_MASK ThreadAllowedMask ); _IRQL_requires_max_(APC_LEVEL) VOID KphStopProtectingProcess( _In_ PKPH_PROCESS_CONTEXT Process ); _IRQL_requires_max_(PASSIVE_LEVEL) BOOLEAN KphIsProtectedProcess( _In_ PKPH_PROCESS_CONTEXT Process ); _IRQL_requires_max_(APC_LEVEL) VOID KphApplyObProtections( _Inout_ POB_PRE_OPERATION_INFORMATION Info ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphApplyImageProtections( _Inout_ PKPH_PROCESS_CONTEXT Process, _In_ PIMAGE_INFO_EX ImageInfo ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphAcquireDriverUnloadProtection( _Out_opt_ PLONG PreviousCount ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphReleaseDriverUnloadProtection( _Out_opt_ PLONG PreviousCount ); _IRQL_requires_max_(APC_LEVEL) LONG KphGetDriverUnloadProtectionCount( VOID ); FORCEINLINE BOOLEAN KphIsDriverUnloadProtected( VOID ) { return (KphGetDriverUnloadProtectionCount() > 0); } _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphStripProtectedProcessMasks( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK ProcessAllowedMask, _In_ ACCESS_MASK ThreadAllowedMask, _In_ KPROCESSOR_MODE AccessMode ); // imgcoherency _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCheckImageCoherency( _In_ PVOID ImageBase, _In_ SIZE_T ImageSize, _In_ PVOID DataBase, _In_ SIZE_T DataSize ); // verify _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphVerifyCloseKey( _In_ BCRYPT_KEY_HANDLE KeyHandle ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyCreateKey( _Out_ BCRYPT_KEY_HANDLE* KeyHandle, _In_ PBYTE KeyMaterial, _In_ ULONG KeyMaterialLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyBufferEx( _In_opt_ BCRYPT_KEY_HANDLE KeyHandle, _In_ PBYTE Buffer, _In_ ULONG BufferLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyBuffer( _In_ PBYTE Buffer, _In_ ULONG BufferLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyFileObject( _In_ PFILE_OBJECT FileObject, _In_opt_ PCUNICODE_STRING FileName ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyFile( _In_ PCUNICODE_STRING FileName, _In_opt_ PFILE_OBJECT FileObject ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeVerify( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupVerify( VOID ); // ksi.dll #if !defined(_KSIDLL_) #define KSISYSAPI DECLSPEC_IMPORT #else #define KSISYSAPI #endif #define KSIDLL_CURRENT_VERSION 1 KSISYSAPI _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KsiInitialize( _In_ ULONG Version, _In_ PDRIVER_OBJECT DriverObject, _In_opt_ PVOID Reserved ); KSISYSAPI _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KsiUninitialize( _In_ PDRIVER_OBJECT DriverObject, _In_ ULONG Reserved ); typedef struct _KSI_KAPC { KAPC Apc; PDRIVER_OBJECT DriverObject; PVOID InternalRoutine; PVOID InternalCleanup; PVOID InternalContext; } KSI_KAPC, *PKSI_KAPC; typedef enum _KSI_KAPC_CLEANUP_REASON { KsiApcCleanupKernel, KsiApcCleanupNormal, KsiApcCleanupRundown, KsiApcCleanupRemoved } KSI_KAPC_CLEANUP_REASON; typedef _Function_class_(KSI_KCLEANUP_ROUTINE) _IRQL_requires_min_(PASSIVE_LEVEL) _IRQL_requires_max_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KSI_KCLEANUP_ROUTINE( _In_ PKSI_KAPC Apc, _In_ KSI_KAPC_CLEANUP_REASON Reason ); typedef KSI_KCLEANUP_ROUTINE *PKSI_KCLEANUP_ROUTINE; typedef _Function_class_(KSI_KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KSI_KKERNEL_ROUTINE( _In_ PKSI_KAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ); typedef KSI_KKERNEL_ROUTINE *PKSI_KKERNEL_ROUTINE; C_ASSERT(FIELD_OFFSET(KSI_KAPC, Apc) == 0); KSISYSAPI VOID KSIAPI KsiInitializeApc( _Out_ PKSI_KAPC Apc, _In_ PDRIVER_OBJECT DriverObject, _In_ PRKTHREAD Thread, _In_ KAPC_ENVIRONMENT Environment, _In_ PKSI_KKERNEL_ROUTINE KernelRoutine, _In_ PKSI_KCLEANUP_ROUTINE CleanupRoutine, _In_opt_ PKNORMAL_ROUTINE NormalRoutine, _In_ KPROCESSOR_MODE ApcMode, _In_opt_ PVOID NormalContext ); KSISYSAPI BOOLEAN KSIAPI KsiInsertQueueApc( _Inout_ PKSI_KAPC Apc, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2, _In_ KPRIORITY PriorityBoost ); KSISYSAPI NTSTATUS KSIAPI KsiRemoveQueueApc( _Inout_ PKSI_KAPC Apc ); typedef _Function_class_(KSI_WORK_QUEUE_ROUTINE) _IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID KSIAPI KSI_WORK_QUEUE_ROUTINE( _In_opt_ PVOID Parameter ); typedef KSI_WORK_QUEUE_ROUTINE *PKSI_WORK_QUEUE_ROUTINE; typedef struct _KSI_WORK_QUEUE_ITEM { WORK_QUEUE_ITEM WorkItem; PDRIVER_OBJECT DriverObject; PKSI_WORK_QUEUE_ROUTINE Routine; PVOID Parameter; } KSI_WORK_QUEUE_ITEM, *PKSI_WORK_QUEUE_ITEM; _IRQL_requires_max_(DISPATCH_LEVEL) KSISYSAPI VOID KSIAPI KsiInitializeWorkItem( _Out_ PKSI_WORK_QUEUE_ITEM WorkItem, _In_ PDRIVER_OBJECT DriverObject, _In_ PKSI_WORK_QUEUE_ROUTINE Routine, _In_opt_ PVOID Parameter ); _IRQL_requires_max_(DISPATCH_LEVEL) KSISYSAPI VOID KSIAPI KsiQueueWorkItem( _Inout_ PKSI_WORK_QUEUE_ITEM WorkItem, _In_ WORK_QUEUE_TYPE QueueType ); extern KSISYSAPI PEPROCESS KsiSystemProcess; _IRQL_requires_max_(PASSIVE_LEVEL) KSISYSAPI NTSTATUS KSIAPI KsiInitializeSystemProcess( _In_ PCUNICODE_STRING ProcessName ); // system _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSystemControl( _In_ KPH_SYSTEM_CONTROL_CLASS SystemControlClass, _In_reads_bytes_(SystemControlInfoLength) PVOID SystemControlInfo, _In_ ULONG SystemControlInfoLength, _In_ KPROCESSOR_MODE AccessMode ); // alpc _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphAlpcQueryInformation( _In_ HANDLE ProcessHandle, _In_ HANDLE PortHandle, _In_ KPH_ALPC_INFORMATION_CLASS AlpcInformationClass, _Out_writes_bytes_opt_(AlpcInformationLength) PVOID AlpcInformation, _In_ ULONG AlpcInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); // file _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryVolumeInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FS_INFORMATION_CLASS FsInformationClass, _Out_writes_bytes_(FsInformationLength) PVOID FsInformation, _In_ ULONG FsInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCreateFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, _In_ ULONG EaLength, _In_ ULONG Options, _In_ KPROCESSOR_MODE AccessMode ); // knowndll extern PVOID KphNtDllBaseAddress; extern PVOID KphNtDllRtlSetBits; _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphInitializeKnownDll( VOID ); // back_trace #define KPH_STACK_BACK_TRACE_USER_MODE 0x00000001ul #define KPH_STACK_BACK_TRACE_SKIP_KPH 0x00000002ul #define KPH_STACK_BACK_TRACE_NO_SENTINEL 0x00000004ul _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeStackBackTrace( VOID ); _IRQL_requires_max_(DISPATCH_LEVEL) _Success_(return != 0) ULONG KphCaptureStackBackTrace( _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphCaptureStackBackTraceThread( _In_ PETHREAD Thread, _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_ PULONG CapturedFrames, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER Timeout ); // session_token typedef struct _KPH_SESSION_TOKEN { KPH_SESSION_ACCESS_TOKEN AccessToken; LONG UseCount; } KPH_SESSION_TOKEN, *PKPH_SESSION_TOKEN; _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphRequestSessionAccessToken( _Out_ PKPH_SESSION_ACCESS_TOKEN AccessToken, _In_ PLARGE_INTEGER Expiry, _In_ ULONG Privileges, _In_ LONG Uses ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphAssignProcessSessionToken( _In_ HANDLE ProcessHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphAssignThreadSessionToken( _In_ HANDLE ThreadHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphSessionTokenPrivilegeCheck( _In_ PKPH_THREAD_CONTEXT Thread, _In_ ULONG Privileges ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeSessionToken( VOID ); // ringbuff typedef struct _KPH_RING_SECTION { PVOID SectionObject; PMDL Mdl; PVOID KernelBase; } KPH_RING_SECTION, *PKPH_RING_SECTION; typedef struct _KPH_RING_BUFFER { KSPIN_LOCK ProducerLock; PULONG ProducerPos; PULONG ConsumerPos; PULONG ConsumerProcessing; ULONG Length; PVOID Buffer; PKEVENT Event; KPH_RING_SECTION ProducerSection; KPH_RING_SECTION ConsumerSection; PEPROCESS Process; } KPH_RING_BUFFER, *PKPH_RING_BUFFER; _Return_allocatesMem_size_(Length) PVOID KphReserveRingBuffer( _In_ PKPH_RING_BUFFER Ring, _In_ ULONG Length ); VOID KphCommitRingBuffer( _In_ PKPH_RING_BUFFER Ring, _In_freesMem_ PVOID Buffer ); VOID KphDiscardRingBuffer( _In_ PKPH_RING_BUFFER Ring, _In_freesMem_ PVOID Buffer ); _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCreateRingBuffer( _Out_ PKPH_RING_BUFFER* Ring, _Out_ PKPH_RING_BUFFER_USER User, _In_ ULONG Length, _In_opt_ PKEVENT Event, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeRingBuffer( VOID ); // kphthread typedef _Function_class_(KPH_THREAD_START_ROUTINE) _IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_same_ NTSTATUS KPH_THREAD_START_ROUTINE( _In_opt_ PVOID Parameter ); typedef KPH_THREAD_START_ROUTINE *PKPH_THREAD_START_ROUTINE; #define KPH_CREATE_SYSTEM_THREAD_IN_KSI_PROCESS 0x00000001ul _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphCreateSystemThread( _Out_opt_ PHANDLE ThreadHandle, _Out_opt_ PETHREAD* ThreadObject, _In_ PKPH_THREAD_START_ROUTINE StartRoutine, _In_opt_ _When_(return >= 0, __drv_aliasesMem) PVOID Parameter, _In_opt_ PCUNICODE_STRING ThreadName, _In_ ULONG Flags ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupThreading( VOID ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeThreading( VOID ); // umaccess _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCaptureUnicodeString( _In_ PUNICODE_STRING UnicodeString, _Out_ PUNICODE_STRING* CapturedUnicodeString ); _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphReleaseUnicodeString( _In_ PUNICODE_STRING UnicodeString ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphZeroModeMemory( _Out_writes_bytes_all_(Length) PVOID Destination, _In_ SIZE_T Length, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphCopyToMode( _Out_writes_bytes_all_(Length) PVOID Destination, _In_reads_bytes_(Length) PVOID Source, _In_ SIZE_T Length, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphCopyFromMode( _Out_writes_bytes_all_(Length) PVOID Destination, _In_reads_bytes_(Length) PVOID Source, _In_ SIZE_T Length, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteUCharToMode( _Out_ PUCHAR Destination, _In_ UCHAR Source, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteULongToMode( _Out_ PULONG Destination, _In_ ULONG Source, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteULong64ToMode( _Out_ PULONG64 Destination, _In_ ULONG64 Source, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteLong64ToMode( _Out_ PLONG64 Destination, _In_ LONG64 Source, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteSizeTToMode( _Out_ PSIZE_T Destination, _In_ SIZE_T Source, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWritePointerToMode( _Out_ PVOID* Destination, _In_ PVOID Source, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteHandleToMode( _Out_ PHANDLE Destination, _In_ _Post_ptr_invalid_ HANDLE Source, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphCopyUnicodeStringToMode( _Out_writes_bytes_opt_(Length) PVOID Destination, _In_ SIZE_T Length, _In_opt_ PCUNICODE_STRING String, _Out_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ); _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphReadLargeIntegerFromMode( _Out_ PLARGE_INTEGER Destination, _In_ PLARGE_INTEGER Source, _In_ KPROCESSOR_MODE AccessMode ); // ratelmt typedef union _KPH_RATE_BUCKET { struct { ULONG CurrentTokens; ULONG LastRefillTime; }; LONG64 Quad; } KPH_RATE_BUCKET, *PKPH_RATE_BUCKET; typedef struct _KPH_RATE_LIMIT { KPH_RATE_BUCKET Bucket; KPH_RATE_LIMIT_POLICY Policy; LONG64 Allowed; LONG64 Dropped; LONG64 CasMiss; } KPH_RATE_LIMIT, *PKPH_RATE_LIMIT; _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphInitializeRateLimit( _In_ PCKPH_RATE_LIMIT_POLICY Policy, _In_ PLARGE_INTEGER TimeStamp, _Out_ PKPH_RATE_LIMIT RateLimit ); _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphRateLimitConsumeToken( _Inout_ PKPH_RATE_LIMIT RateLimit, _In_ PLARGE_INTEGER TimeStamp ); ================================================ FILE: KSystemInformer/include/ntfill.h ================================================ /* * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once typedef struct _CLIENT_ID32 { ULONG UniqueProcess; ULONG UniqueThread; } CLIENT_ID32, *PCLIENT_ID32; typedef struct _CLIENT_ID64 { ULONGLONG UniqueProcess; ULONGLONG UniqueThread; } CLIENT_ID64, *PCLIENT_ID64; typedef const STRING32 *PCUNICODE_STRING32; // EX typedef struct _EX_FAST_REF { union { PVOID Object; ULONG_PTR RefCnt : 4; ULONG_PTR Value; }; } EX_FAST_REF, *PEX_FAST_REF; typedef struct _EX_PUSH_LOCK_WAIT_BLOCK *PEX_PUSH_LOCK_WAIT_BLOCK; NTKERNELAPI VOID FASTCALL ExfUnblockPushLock( _Inout_ PEX_PUSH_LOCK PushLock, _Inout_opt_ PEX_PUSH_LOCK_WAIT_BLOCK WaitBlock ); /* 0:000> dt ntoskrnl!_HANDLE_TABLE_ENTRY +0x000 VolatileLowValue : Int8B +0x000 LowValue : Int8B +0x000 InfoTable : Ptr64 _HANDLE_TABLE_ENTRY_INFO +0x008 HighValue : Int8B +0x008 NextFreeHandleEntry : Ptr64 _HANDLE_TABLE_ENTRY +0x008 LeafHandleValue : _EXHANDLE +0x000 RefCountField : Int8B +0x000 Unlocked : Pos 0, 1 Bit +0x000 RefCnt : Pos 1, 16 Bits +0x000 Attributes : Pos 17, 3 Bits +0x000 ObjectPointerBits : Pos 20, 44 Bits +0x008 GrantedAccessBits : Pos 0, 25 Bits +0x008 NoRightsUpgrade : Pos 25, 1 Bit +0x008 Spare1 : Pos 26, 6 Bits +0x00c Spare2 : Uint4B 0:000> dt ntkrla57!_HANDLE_TABLE_ENTRY +0x000 VolatileLowValue : Int8B +0x000 LowValue : Int8B +0x000 InfoTable : Ptr64 _HANDLE_TABLE_ENTRY_INFO +0x008 HighValue : Int8B +0x008 NextFreeHandleEntry : Ptr64 _HANDLE_TABLE_ENTRY +0x008 LeafHandleValue : _EXHANDLE +0x000 RefCountField : Int8B +0x000 Unlocked : Pos 0, 1 Bit +0x000 RefCnt : Pos 1, 7 Bits +0x000 Attributes : Pos 8, 3 Bits +0x000 ObjectPointerBits : Pos 11, 53 Bits +0x008 GrantedAccessBits : Pos 0, 25 Bits +0x008 NoRightsUpgrade : Pos 25, 1 Bit +0x008 Spare1 : Pos 26, 6 Bits +0x00c Spare2 : Uint4B */ // // N.B. We define HANDLE_TABLE_ENTRY this way to allow for dynamic data to // support different kernels (see above). The number of ObjectPointerBits are // different for LA57. // typedef struct _HANDLE_TABLE_ENTRY { union { PVOID Object; ULONG ObAttributes; ULONG_PTR Value; }; union { ACCESS_MASK GrantedAccess; LONG NextFreeTableEntry; }; } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; typedef struct _HANDLE_TABLE HANDLE_TABLE, *PHANDLE_TABLE; typedef _Function_class_(EX_ENUM_HANDLE_CALLBACK) _Must_inspect_result_ BOOLEAN NTAPI EX_ENUM_HANDLE_CALLBACK( _In_ PHANDLE_TABLE HandleTable, _Inout_ PHANDLE_TABLE_ENTRY HandleTableEntry, _In_ HANDLE Handle, _In_opt_ PVOID Context ); typedef EX_ENUM_HANDLE_CALLBACK* PEX_ENUM_HANDLE_CALLBACK; NTKERNELAPI BOOLEAN NTAPI ExEnumHandleTable( _In_ PHANDLE_TABLE HandleTable, _In_ PEX_ENUM_HANDLE_CALLBACK EnumHandleProcedure, _Inout_ PVOID Context, _Out_opt_ PHANDLE Handle ); NTSYSCALLAPI NTSTATUS NTAPI ZwQuerySystemInformation( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI ZwQuerySection( _In_ HANDLE SectionHandle, _In_ SECTION_INFORMATION_CLASS SectionInformationClass, _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, _In_ SIZE_T SectionInformationLength, _Out_opt_ PSIZE_T ReturnLength ); // IO extern POBJECT_TYPE *IoDriverObjectType; extern POBJECT_TYPE *IoDeviceObjectType; typedef _Function_class_(IO_CHECK_FILE_OBJECT_OPENED_AS_COPY_SOURCE) BOOLEAN NTAPI IO_CHECK_FILE_OBJECT_OPENED_AS_COPY_SOURCE( _In_ PFILE_OBJECT FileObject ); typedef IO_CHECK_FILE_OBJECT_OPENED_AS_COPY_SOURCE* PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_SOURCE; typedef _Function_class_(IO_CHECK_FILE_OBJECT_OPENED_AS_COPY_DESTINATION) BOOLEAN IO_CHECK_FILE_OBJECT_OPENED_AS_COPY_DESTINATION( _In_ PFILE_OBJECT FileObject ); typedef IO_CHECK_FILE_OBJECT_OPENED_AS_COPY_DESTINATION* PIO_CHECK_FILE_OBJECT_OPENED_AS_COPY_DESTINATION; typedef struct _COPY_INFORMATION { PFILE_OBJECT SourceFileObject; LONGLONG SourceFileOffset; } COPY_INFORMATION, *PCOPY_INFORMATION; typedef _Function_class_(IO_GET_COPY_INFORMATION_EXTENSION) NTSTATUS IO_GET_COPY_INFORMATION_EXTENSION( _In_ PIRP Irp, _Out_ PCOPY_INFORMATION CopyInformation ); typedef IO_GET_COPY_INFORMATION_EXTENSION* PIO_GET_COPY_INFORMATION_EXTENSION; // FLT typedef _Function_class_(FLT_GET_COPY_INFORMATION_FROM_CALLBACK_DATA) _IRQL_requires_max_(DISPATCH_LEVEL) NTSTATUS FLTAPI FLT_GET_COPY_INFORMATION_FROM_CALLBACK_DATA( _In_ PFLT_CALLBACK_DATA Data, _Out_ PCOPY_INFORMATION CopyInformation ); typedef FLT_GET_COPY_INFORMATION_FROM_CALLBACK_DATA* PFLT_GET_COPY_INFORMATION_FROM_CALLBACK_DATA; // KE typedef enum _KAPC_ENVIRONMENT { OriginalApcEnvironment, AttachedApcEnvironment, CurrentApcEnvironment, InsertApcEnvironment } KAPC_ENVIRONMENT, *PKAPC_ENVIRONMENT; typedef _Function_class_(KNORMAL_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID NTAPI KNORMAL_ROUTINE( _In_opt_ PVOID NormalContext, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2 ); typedef KNORMAL_ROUTINE *PKNORMAL_ROUTINE; typedef _Function_class_(KRUNDOWN_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID NTAPI KRUNDOWN_ROUTINE( _In_ PRKAPC Apc ); typedef KRUNDOWN_ROUTINE *PKRUNDOWN_ROUTINE; typedef _Function_class_(KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID NTAPI KKERNEL_ROUTINE( _In_ PRKAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE *NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ); typedef KKERNEL_ROUTINE *PKKERNEL_ROUTINE; NTKERNELAPI VOID NTAPI KeInitializeApc( _Out_ PRKAPC Apc, _In_ PRKTHREAD Thread, _In_ KAPC_ENVIRONMENT Environment, _In_ PKKERNEL_ROUTINE KernelRoutine, _In_opt_ PKRUNDOWN_ROUTINE RundownRoutine, _In_opt_ PKNORMAL_ROUTINE NormalRoutine, _In_ KPROCESSOR_MODE Mode, _In_opt_ PVOID NormalContext ); NTKERNELAPI BOOLEAN NTAPI KeInsertQueueApc( _Inout_ PRKAPC Apc, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2, _In_ KPRIORITY Increment ); NTKERNELAPI BOOLEAN NTAPI KeTestAlertThread( _In_ KPROCESSOR_MODE Mode ); typedef _Function_class_(KE_REMOVE_QUEUE_APC) BOOLEAN NTAPI KE_REMOVE_QUEUE_APC( _Inout_ PKAPC Apc ); typedef KE_REMOVE_QUEUE_APC* PKE_REMOVE_QUEUE_APC; // OB // These definitions are no longer correct, but they produce correct results. #define OBJ_PROTECT_CLOSE 0x00000001 #define OBJ_HANDLE_ATTRIBUTES (OBJ_PROTECT_CLOSE | OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE) // This attribute is now stored in the GrantedAccess field. #define ObpAccessProtectCloseBit 0x2000000 // GrantedAccess in the table entry is the low 25 bits #define OBJ_GRANTED_ACCESS_MASK 0x01ffffff #define ObpDecodeGrantedAccess(Access) ((Access) & OBJ_GRANTED_ACCESS_MASK) FORCEINLINE VOID ObpSetGrantedAccess( _Inout_ PACCESS_MASK GrantedAccess, _In_ ACCESS_MASK Access ) { // // Preserve the high bits and only set the low 25 bits. // *GrantedAccess = (Access | (*GrantedAccess & ~OBJ_GRANTED_ACCESS_MASK)); } typedef struct _OBJECT_CREATE_INFORMATION OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION; typedef struct _OBJECT_HEADER { SSIZE_T PointerCount; union { SSIZE_T HandleCount; PVOID NextToFree; }; EX_PUSH_LOCK Lock; UCHAR TypeIndex; union { UCHAR TraceFlags; struct { UCHAR DbgRefTrace : 1; UCHAR DbgTracePermanent : 1; }; }; UCHAR InfoMask; union { UCHAR Flags; struct { UCHAR NewObject : 1; UCHAR KernelObject : 1; UCHAR KernelOnlyAccess : 1; UCHAR ExclusiveObject : 1; UCHAR PermanentObject : 1; UCHAR DefaultSecurityQuota : 1; UCHAR SingleHandleEntry : 1; UCHAR DeletedInline : 1; }; }; #ifdef _WIN64 ULONG Reserved; #endif union { POBJECT_CREATE_INFORMATION ObjectCreateInfo; PVOID QuotaBlockCharged; }; PVOID SecurityDescriptor; QUAD Body; } OBJECT_HEADER, *POBJECT_HEADER; #if defined(_M_X64) || defined(_M_ARM64) C_ASSERT(FIELD_OFFSET(OBJECT_HEADER, Body) == 0x030); C_ASSERT(sizeof(OBJECT_HEADER) == 0x038); #else C_ASSERT(FIELD_OFFSET(OBJECT_HEADER, Body) == 0x018); C_ASSERT(sizeof(OBJECT_HEADER) == 0x020); #endif #define OBJECT_TO_OBJECT_HEADER(Object) CONTAINING_RECORD((Object), OBJECT_HEADER, Body) NTKERNELAPI POBJECT_TYPE NTAPI ObGetObjectType( _In_ PVOID Object ); NTKERNELAPI NTSTATUS NTAPI ObOpenObjectByName( _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ POBJECT_TYPE ObjectType, _In_ KPROCESSOR_MODE AccessMode, _In_opt_ PACCESS_STATE AccessState, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID ParseContext, _Out_ PHANDLE Handle ); NTKERNELAPI NTSTATUS NTAPI ObSetHandleAttributes( _In_ HANDLE Handle, _In_ POBJECT_HANDLE_FLAG_INFORMATION HandleFlags, _In_ KPROCESSOR_MODE AccessMode ); NTKERNELAPI NTSTATUS NTAPI ObDuplicateObject( _In_ PEPROCESS SourceProcess, _In_ HANDLE SourceHandle, _In_opt_ PEPROCESS TargetProcess, _Out_opt_ PHANDLE TargetHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _In_ ULONG Options, _In_ KPROCESSOR_MODE PreviousMode ); // CM #if (NTDDI_VERSION < NTDDI_WIN10_FE) typedef struct _REG_SAVE_MERGED_KEY_INFORMATION { PVOID Object; HANDLE FileHandle; PVOID HighKeyObject; PVOID LowKeyObject; PVOID CallContext; PVOID ObjectContext; PVOID Reserved; } REG_SAVE_MERGED_KEY_INFORMATION, *PREG_SAVE_MERGED_KEY_INFORMATION; #endif // LDR #define IS_INTRESOURCE(_r) ((((ULONG_PTR)(_r)) >> 16) == 0) #define MAKEINTRESOURCEA(i) ((LPSTR)((ULONG_PTR)((WORD)(i)))) #define MAKEINTRESOURCEW(i) ((LPWSTR)((ULONG_PTR)((WORD)(i)))) #ifdef UNICODE #define MAKEINTRESOURCE MAKEINTRESOURCEW #else #define MAKEINTRESOURCE MAKEINTRESOURCEA #endif #define RT_VERSION MAKEINTRESOURCE(16) #define VS_FILE_INFO RT_VERSION #define VS_VERSION_INFO 1 #define VS_FFI_SIGNATURE 0xFEEF04BDL typedef struct _IMAGE_RESOURCE_DATA_ENTRY IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY; NTKERNELAPI NTSTATUS NTAPI LdrAccessResource( _In_ PVOID DllHandle, _In_ PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry, _Out_opt_ PVOID *ResourceBuffer, _Out_opt_ ULONG *ResourceLength ); typedef struct _LDR_RESOURCE_INFO { ULONG_PTR Type; ULONG_PTR Name; ULONG_PTR Language; } LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; #define RESOURCE_TYPE_LEVEL 0 #define RESOURCE_NAME_LEVEL 1 #define RESOURCE_LANGUAGE_LEVEL 2 #define RESOURCE_DATA_LEVEL 3 NTKERNELAPI NTSTATUS NTAPI LdrFindResource_U( _In_ PVOID DllHandle, _In_ PLDR_RESOURCE_INFO ResourceInfo, _In_ ULONG Level, _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry ); typedef struct _VS_VERSION_INFO_STRUCT { USHORT Length; USHORT ValueLength; USHORT Type; WCHAR Key[1]; } VS_VERSION_INFO_STRUCT, *PVS_VERSION_INFO_STRUCT; typedef struct _FIXEDFILEINFO { DWORD dwSignature; DWORD dwStrucVersion; DWORD dwFileVersionMS; DWORD dwFileVersionLS; DWORD dwProductVersionMS; DWORD dwProductVersionLS; DWORD dwFileFlagsMask; DWORD dwFileFlags; DWORD dwFileOS; DWORD dwFileType; DWORD dwFileSubtype; DWORD dwFileDateMS; DWORD dwFileDateLS; } VS_FIXEDFILEINFO, *PVS_FIXEDFILEINFO; typedef struct _NON_PAGED_DEBUG_INFO NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO; typedef struct _KLDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; PVOID ExceptionTable; ULONG ExceptionTableSize; PVOID GpValue; PNON_PAGED_DEBUG_INFO NonPagedDebugInfo; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; union { USHORT SignatureLevel : 4; USHORT SignatureType : 3; USHORT Frozen : 2; USHORT HotPatch : 1; USHORT Unused : 6; USHORT EntireField; } u1; PVOID SectionPointer; ULONG CheckSum; ULONG CoverageSectionSize; PVOID CoverageSection; PVOID LoadedImports; union { PVOID Spare; struct _KLDR_DATA_TABLE_ENTRY* NtDataTableEntry; // win11 }; ULONG SizeOfImageNotRounded; ULONG TimeDateStamp; } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; // PS NTSYSCALLAPI NTSTATUS NTAPI ZwQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI ZwQueryInformationThread( _In_ HANDLE ThreadHandle, _In_ THREADINFOCLASS ThreadInformationClass, _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _Out_opt_ PULONG ReturnLength ); NTKERNELAPI NTSTATUS NTAPI PsLookupProcessThreadByCid( _In_ PCLIENT_ID ClientId, _Out_opt_ PEPROCESS *Process, _Out_ PETHREAD *Thread ); typedef struct _EJOB *PEJOB; extern POBJECT_TYPE *PsJobType; NTKERNELAPI PEJOB NTAPI PsGetProcessJob( _In_ PEPROCESS Process ); _When_(NT_SUCCESS(return), _Acquires_lock_(Process)) NTKERNELAPI NTSTATUS NTAPI PsAcquireProcessExitSynchronization( _In_ PEPROCESS Process ); _Releases_lock_(Process) NTKERNELAPI VOID NTAPI PsReleaseProcessExitSynchronization( _In_ PEPROCESS Process ); NTKERNELAPI PVOID NTAPI PsGetProcessSectionBaseAddress( _In_ PEPROCESS Process ); NTKERNELAPI BOOLEAN NTAPI PsGetProcessExitProcessCalled( _In_ PEPROCESS Process ); NTKERNELAPI NTSTATUS NTAPI PsSuspendProcess( _In_ PEPROCESS Process ); NTKERNELAPI NTSTATUS NTAPI PsResumeProcess( _In_ PEPROCESS Process ); typedef struct _PS_PROTECTION { union { UCHAR Level; struct { UCHAR Type : 3; UCHAR Audit : 1; // Reserved UCHAR Signer : 4; }; }; } PS_PROTECTION, *PPS_PROTECTION; typedef enum _PS_PROTECTED_TYPE { PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1, PsProtectedTypeProtected = 2 } PS_PROTECTED_TYPE, *PPS_PROTECTED_TYPE; typedef enum _PS_PROTECTED_SIGNER { PsProtectedSignerNone = 0, PsProtectedSignerAuthenticode, PsProtectedSignerCodeGen, PsProtectedSignerAntimalware, PsProtectedSignerLsa, PsProtectedSignerWindows, PsProtectedSignerWinTcb, PsProtectedSignerWinSystem, PsProtectedSignerApp, PsProtectedSignerMax } PS_PROTECTED_SIGNER, *PPS_PROTECTED_SIGNER; #if (NTDDI_VERSION >= NTDDI_WIN10) NTKERNELAPI PS_PROTECTION NTAPI PsGetProcessProtection( _In_ PEPROCESS Process ); #endif typedef _Function_class_(PS_SET_LOAD_IMAGE_NOTIFY_ROUTINE_EX) NTSTATUS NTAPI PS_SET_LOAD_IMAGE_NOTIFY_ROUTINE_EX( _In_ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine, _In_ ULONG_PTR Flags ); typedef PS_SET_LOAD_IMAGE_NOTIFY_ROUTINE_EX* PPS_SET_LOAD_IMAGE_NOTIFY_ROUTINE_EX; #if (NTDDI_VERSION < NTDDI_WIN10_RS2) typedef enum _PSCREATEPROCESSNOTIFYTYPE { PsCreateProcessNotifySubsystems = 0 } PSCREATEPROCESSNOTIFYTYPE; #endif typedef _Function_class_(PS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_EX2) NTSTATUS NTAPI PS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_EX2( _In_ PSCREATEPROCESSNOTIFYTYPE NotifyType, _In_ PVOID NotifyInformation, _In_ BOOLEAN Remove ); typedef PS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_EX2* PPS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_EX2; #ifndef PS_IMAGE_NOTIFY_CONFLICTING_ARCHITECTURE #define PS_IMAGE_NOTIFY_CONFLICTING_ARCHITECTURE 0x1 #endif NTKERNELAPI _Must_inspect_result_ NTSTATUS NTAPI PsReferenceProcessFilePointer( _In_ PEPROCESS Process, _Out_ PFILE_OBJECT* FileObject ); NTKERNELAPI HANDLE NTAPI PsGetProcessInheritedFromUniqueProcessId( _In_ PEPROCESS Process ); #ifdef _WIN64 NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process( _In_ PEPROCESS Process ); NTKERNELAPI PVOID NTAPI PsGetCurrentProcessWow64Process( VOID ); #endif NTKERNELAPI PVOID NTAPI PsGetThreadTeb( _In_ PETHREAD Thread ); NTKERNELAPI BOOLEAN NTAPI PsIsProcessBeingDebugged( _In_ PEPROCESS Process ); NTKERNELAPI NTSTATUS NTAPI ZwSetInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength ); #define ProcessPowerThrottlingState 77 #define ProcessPriorityClassEx 108 #define ThreadPowerThrottlingState 49 #define ThreadNameInformation 38 #define ThreadExplicitCaseSensitivity 43 #if (NTDDI_VERSION >= NTDDI_WIN10) extern PLIST_ENTRY PsLoadedModuleList; extern PERESOURCE PsLoadedModuleResource; #endif typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { PROCESS_MITIGATION_POLICY Policy; union { PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy; PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy; PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy; PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy; PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy; PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy; PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy; PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY UserShadowStackPolicy; PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY RedirectionTrustPolicy; PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY UserPointerAuthPolicy; PROCESS_MITIGATION_SEHOP_POLICY SEHOPPolicy; }; } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; NTKERNELAPI PUCHAR NTAPI PsGetProcessImageFileName( _In_ PEPROCESS Process ); typedef _Function_class_(PS_GET_PROCESS_SEQUENCE_NUMBER) _IRQL_requires_max_(DISPATCH_LEVEL) ULONGLONG PS_GET_PROCESS_SEQUENCE_NUMBER( _In_ PEPROCESS Process ); typedef PS_GET_PROCESS_SEQUENCE_NUMBER* PPS_GET_PROCESS_SEQUENCE_NUMBER; typedef _Function_class_(PS_GET_PROCESS_START_KEY) _IRQL_requires_max_(DISPATCH_LEVEL) ULONGLONG PS_GET_PROCESS_START_KEY( _In_ PEPROCESS Process ); typedef PS_GET_PROCESS_START_KEY* PPS_GET_PROCESS_START_KEY; typedef struct _PROCESS_TELEMETRY_ID_INFORMATION { ULONG HeaderSize; ULONG ProcessId; ULONGLONG ProcessStartKey; ULONGLONG CreateTime; ULONGLONG CreateInterruptTime; ULONGLONG CreateUnbiasedInterruptTime; ULONGLONG ProcessSequenceNumber; ULONGLONG SessionCreateTime; ULONG SessionId; ULONG BootId; ULONG ImageChecksum; ULONG ImageTimeDateStamp; ULONG UserSidOffset; ULONG ImagePathOffset; ULONG PackageNameOffset; ULONG RelativeAppNameOffset; ULONG CommandLineOffset; } PROCESS_TELEMETRY_ID_INFORMATION, *PPROCESS_TELEMETRY_ID_INFORMATION; #define PROCESS_CREATE_FLAGS_MINIMAL_PROCESS 0x00000800 // NtCreateProcessEx only typedef _Function_class_(ZW_CREATE_PROCESS_EX) NTSYSCALLAPI NTSTATUS NTAPI ZW_CREATE_PROCESS_EX( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ ULONG Flags, // PROCESS_CREATE_FLAGS_* _In_opt_ HANDLE SectionHandle, _In_opt_ HANDLE DebugPort, _In_opt_ HANDLE TokenHandle, _Reserved_ ULONG Reserved // JobMemberLevel ); typedef ZW_CREATE_PROCESS_EX* PZW_CREATE_PROCESS_EX; // RTL #ifndef RTL_MAX_DRIVE_LETTERS #define RTL_MAX_DRIVE_LETTERS 32 #endif #define RTL_WALK_USER_MODE_STACK 0x00000001 #define RTL_WALK_VALID_FLAGS 0x00000001 #define RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT 8 NTKERNELAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader( _In_ PVOID Base ); #define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK 0x00000001 NTKERNELAPI NTSTATUS NTAPI RtlImageNtHeaderEx( _In_ ULONG Flags, _In_ PVOID Base, _In_ ULONG64 Size, _Out_ PIMAGE_NT_HEADERS* OutHeaders ); NTKERNELAPI PVOID NTAPI RtlImageDirectoryEntryToData( _In_ PVOID BaseAddress, _In_ BOOLEAN MappedAsImage, _In_ USHORT Directory, _Out_ PULONG Size ); #if (NTDDI_VERSION >= NTDDI_WIN10) NTKERNELAPI PVOID NTAPI RtlFindExportedRoutineByName( _In_ PVOID BaseAddress, _In_z_ PCSTR RoutineName ); #endif // MM #define SEC_DRIVER_IMAGE 0x00100000 extern POBJECT_TYPE *MmSectionObjectType; typedef _Function_class_(MM_PROTECT_DRIVER_SECTION) NTSTATUS MM_PROTECT_DRIVER_SECTION( _In_ PVOID AddressWithinSection, _In_ SIZE_T Size, _In_ ULONG Flags ); typedef MM_PROTECT_DRIVER_SECTION* PMM_PROTECT_DRIVER_SECTION; #define MM_PROTECT_DRIVER_SECTION_ALLOW_UNLOAD (0x1) #define MM_PROTECT_DRIVER_SECTION_VALID_FLAGS \ (MM_PROTECT_DRIVER_SECTION_ALLOW_UNLOAD) typedef struct _MMVAD_FLAGS { ULONG Lock : 1; ULONG LockContended : 1; ULONG DeleteInProgress : 1; ULONG NoChange : 1; ULONG VadType : 3; ULONG Protection : 5; ULONG PreferredNode : 7; ULONG PageSize : 2; ULONG PrivateMemory : 1; } MMVAD_FLAGS, *PMMVAD_FLAGS; typedef struct _MM_PRIVATE_VAD_FLAGS { ULONG Lock : 1; ULONG LockContended : 1; ULONG DeleteInProgress : 1; ULONG NoChange : 1; ULONG VadType : 3; ULONG Protection : 5; ULONG PreferredNode : 7; ULONG PageSize : 2; ULONG PrivateMemoryAlwaysSet : 1; ULONG WriteWatch : 1; ULONG FixedLargePageSize : 1; ULONG ZeroFillPagesOptional : 1; ULONG Graphics : 1; ULONG Enclave : 1; ULONG ShadowStack : 1; ULONG PhysicalMemoryPfnsReferenced : 1; } MM_PRIVATE_VAD_FLAGS, *PMM_PRIVATE_VAD_FLAGS; typedef struct _MM_GRAPHICS_VAD_FLAGS { ULONG Lock : 1; ULONG LockContended : 1; ULONG DeleteInProgress : 1; ULONG NoChange : 1; ULONG VadType : 3; ULONG Protection : 5; ULONG PreferredNode : 7; ULONG PageSize : 2; ULONG PrivateMemoryAlwaysSet : 1; ULONG WriteWatch : 1; ULONG FixedLargePageSize : 1; ULONG ZeroFillPagesOptional : 1; ULONG GraphicsAlwaysSet : 1; ULONG GraphicsUseCoherentBus : 1; ULONG GraphicsNoCache : 1; ULONG GraphicsPageProtection : 3; } MM_GRAPHICS_VAD_FLAGS, *PMM_GRAPHICS_VAD_FLAGS; typedef struct _MM_SHARED_VAD_FLAGS { ULONG Lock : 1; ULONG LockContended : 1; ULONG DeleteInProgress : 1; ULONG NoChange : 1; ULONG VadType : 3; ULONG Protection : 5; ULONG PreferredNode : 7; ULONG PageSize : 2; ULONG PrivateMemoryAlwaysClear : 1; ULONG PrivateFixup : 1; ULONG HotPatchState : 2; } MM_SHARED_VAD_FLAGS, *PMM_SHARED_VAD_FLAGS; typedef struct _MMVAD_FLAGS1 { ULONG CommitCharge : 31; ULONG MemCommit : 1; }MMVAD_FLAGS1, *PMMVAD_FLAGS1; typedef struct _MMVAD_SHORT { union { struct { struct _MMVAD_SHORT* NextVad; PVOID ExtraCreateInfo; }; RTL_BALANCED_NODE VadNode; }; ULONG StartingVpn; ULONG EndingVpn; #ifdef _WIN64 UCHAR StartingVpnHigh; UCHAR EndingVpnHigh; UCHAR CommitChargeHigh; union { UCHAR SpareNT64VadUChar; struct // LA57 { UCHAR EndingVpnHigher : 4; UCHAR CommitChargeHigher : 4; }; }; #endif LONG ReferenceCount; EX_PUSH_LOCK PushLock; union { ULONG LongFlags; MMVAD_FLAGS VadFlags; MM_PRIVATE_VAD_FLAGS PrivateVadFlags; MM_GRAPHICS_VAD_FLAGS GraphicsVadFlags; MM_SHARED_VAD_FLAGS SharedVadFlags; volatile ULONG VolatileVadLong; } u; union { ULONG LongFlags1; MMVAD_FLAGS1 VadFlags1; } u1; #ifdef _WIN64 union { ULONG_PTR EventListULongPtr; UCHAR StartingVpnHigher : 4; // LA57 } u5; #else PVOID EventList; // PMI_VAD_EVENT_BLOCK #endif } MMVAD_SHORT, *PMMVAD_SHORT; FORCEINLINE PVOID MiGetVadShortStartAddress( _In_ PMMVAD_SHORT Vad ) { #ifdef _WIN64 ULONG_PTR higher = Vad->u5.StartingVpnHigher; ULONG_PTR high = Vad->StartingVpnHigh; ULONG_PTR low = Vad->StartingVpn; return (PVOID)((low | ((high | (higher << 8)) << 32)) << PAGE_SHIFT); #else return (PVOID)((ULONG_PTR)Vad->StartingVpn << PAGE_SHIFT); #endif } FORCEINLINE PVOID MiGetVadShortEndAddress( _In_ PMMVAD_SHORT Vad ) { #ifdef _WIN64 ULONG_PTR higher = Vad->EndingVpnHigher; ULONG_PTR high = Vad->EndingVpnHigh; ULONG_PTR low = Vad->EndingVpn; return (PVOID)(((low + 1) | ((high | (higher << 8)) << 32)) << PAGE_SHIFT); #else return (PVOID)(((ULONG_PTR)Vad->StartingVpn + 1) << PAGE_SHIFT); #endif } typedef struct _MMVAD_FLAGS2 { ULONG FileOffset : 24; ULONG Large : 1; ULONG TrimBehind : 1; ULONG Inherit : 1; ULONG NoValidationNeeded : 1; ULONG PrivateDemandZero : 1; ULONG Spare : 3; } MMVAD_FLAGS2, *PMMVAD_FLAGS2; typedef struct _MI_VAD_SEQUENTIAL_INFO { ULONGLONG Length : 12; ULONGLONG Vpn : 52; } MI_VAD_SEQUENTIAL_INFO, *PMI_VAD_SEQUENTIAL_INFO; typedef struct _MMEXTEND_INFO { ULONGLONG CommittedSize; ULONG ReferenceCount; } MMEXTEND_INFO, *PMMEXTEND_INFO; typedef struct _MMPTE_HIGHLOW { ULONG LowPart; ULONG HighPart; } MMPTE_HIGHLOW, *PMMPTE_HIGHLOW; typedef struct _MMPTE_HARDWARE { ULONGLONG Valid : 1; ULONGLONG Dirty1 : 1; ULONGLONG Owner : 1; ULONGLONG WriteThrough : 1; ULONGLONG CacheDisable : 1; ULONGLONG Accessed : 1; ULONGLONG Dirty : 1; ULONGLONG LargePage : 1; ULONGLONG Global : 1; ULONGLONG CopyOnWrite : 1; ULONGLONG Unused : 1; ULONGLONG Write : 1; ULONGLONG PageFrameNumber : 40; ULONGLONG ReservedForSoftware : 4; ULONGLONG WsleAge : 4; ULONGLONG WsleProtection : 3; ULONGLONG NoExecute : 1; } MMPTE_HARDWARE, *PMMPTE_HARDWARE; typedef struct _MMPTE_PROTOTYPE { ULONGLONG Valid : 1; ULONGLONG DemandFillProto : 1; ULONGLONG HiberVerifyConverted : 1; ULONGLONG ReadOnly : 1; ULONGLONG SwizzleBit : 1; ULONGLONG Protection : 5; ULONGLONG Prototype : 1; ULONGLONG Combined : 1; ULONGLONG Unused1 : 4; LONGLONG ProtoAddress : 48; } MMPTE_PROTOTYPE, * PMMPTE_PROTOTYPE; typedef struct _MMPTE_SOFTWARE { ULONGLONG Valid : 1; ULONGLONG PageFileReserved : 1; ULONGLONG PageFileAllocated : 1; ULONGLONG ColdPage : 1; ULONGLONG SwizzleBit : 1; ULONGLONG Protection : 5; ULONGLONG Prototype : 1; ULONGLONG Transition : 1; ULONGLONG PageFileLow : 4; ULONGLONG UsedPageTableEntries : 10; ULONGLONG ShadowStack : 1; ULONGLONG OnStandbyLookaside : 1; ULONGLONG Unused : 4; ULONGLONG PageFileHigh : 32; } MMPTE_SOFTWARE, * PMMPTE_SOFTWARE; typedef struct _MMPTE_TIMESTAMP { ULONGLONG MustBeZero : 1; ULONGLONG Unused : 3; ULONGLONG SwizzleBit : 1; ULONGLONG Protection : 5; ULONGLONG Prototype : 1; ULONGLONG Transition : 1; ULONGLONG PageFileLow : 4; ULONGLONG Reserved : 16; ULONGLONG GlobalTimeStamp : 32; } MMPTE_TIMESTAMP, *PMMPTE_TIMESTAMP; typedef struct _MMPTE_TRANSITION { ULONGLONG Valid : 1; ULONGLONG Write : 1; ULONGLONG OnStandbyLookaside : 1; ULONGLONG IoTracker : 1; ULONGLONG SwizzleBit : 1; ULONGLONG Protection : 5; ULONGLONG Prototype : 1; ULONGLONG Transition : 1; ULONGLONG PageFrameNumber : 40; ULONGLONG Unused : 12; } MMPTE_TRANSITION, *PMMPTE_TRANSITION; typedef struct _MMPTE_SUBSECTION { ULONGLONG Valid : 1; ULONGLONG Unused0 : 2; ULONGLONG OnStandbyLookaside : 1; ULONGLONG SwizzleBit : 1; ULONGLONG Protection : 5; ULONGLONG Prototype : 1; ULONGLONG ColdPage : 1; ULONGLONG Unused2 : 3; ULONGLONG ExecutePrivilege : 1; LONGLONG SubsectionAddress : 48; } MMPTE_SUBSECTION, * PMMPTE_SUBSECTION; typedef struct _MMPTE_LIST { ULONGLONG Valid : 1; ULONGLONG OneEntry : 1; ULONGLONG filler0 : 2; ULONGLONG SwizzleBit : 1; ULONGLONG Protection : 5; ULONGLONG Prototype : 1; ULONGLONG Transition : 1; ULONGLONG filler1 : 16; ULONGLONG NextEntry : 36; } MMPTE_LIST, *PMMPTE_LIST; typedef struct _MMPTE { union { ULONGLONG Long; volatile ULONGLONG VolatileLong; #ifndef _WIN64 MMPTE_HIGHLOW HighLow; #endif MMPTE_HARDWARE Hard; MMPTE_PROTOTYPE Proto; MMPTE_SOFTWARE Soft; MMPTE_TIMESTAMP TimeStamp; MMPTE_TRANSITION Trans; MMPTE_SUBSECTION Subsect; MMPTE_LIST List; } u; } MMPTE, *PMMPTE; typedef struct _MMVAD { struct _MMVAD_SHORT Core; union { ULONG LongFlags2; MMVAD_FLAGS2 VadFlags2; } u2; PVOID Subsection; // PSUBSECTION PMMPTE FirstPrototypePte; PMMPTE LastContiguousPte; LIST_ENTRY ViewLinks; union { PEPROCESS VadsProcess; UCHAR ViewMapType : 3; // VIEW_MAP_TYPE_* }; union { MI_VAD_SEQUENTIAL_INFO SequentialVa; PMMEXTEND_INFO ExtendedInfo; } u4; PFILE_OBJECT FileObject; // since WIN10 } MMVAD, *PMMVAD; FORCEINLINE PVOID MiGetVadStartAddress( _In_ PMMVAD Vad ) { return MiGetVadShortStartAddress(&Vad->Core); } FORCEINLINE PVOID MiGetVadEndAddress( _In_ PMMVAD Vad ) { return MiGetVadShortEndAddress(&Vad->Core); } NTKERNELAPI NTSTATUS NTAPI MmCreateSection( _Out_ PVOID* SectionObject, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle, _In_opt_ PFILE_OBJECT FileObject ); NTKERNELAPI NTSTATUS NTAPI MmMapViewOfSection( _In_ PVOID SectionObject, _In_ PEPROCESS Process, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ SECTION_INHERIT InheritDisposition, _In_ ULONG AllocationType, _In_ ULONG PageProtection ); NTKERNELAPI NTSTATUS NTAPI MmUnmapViewOfSection( _In_ PEPROCESS Process, _In_ PVOID BaseAddress ); NTKERNELAPI NTSTATUS NTAPI MmCopyVirtualMemory( _In_ PEPROCESS SourceProcess, _In_reads_bytes_(BufferSize) PVOID SourceAddress, _In_ PEPROCESS TargetProcess, _Out_writes_bytes_(BufferSize) PVOID TargetAddress, _In_ SIZE_T BufferSize, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PSIZE_T ReturnSize ); // CI #ifndef ALGIDDEF #define ALGIDDEF typedef unsigned int ALG_ID; #endif #ifndef ALG_SID_MD5 #define ALG_SID_MD5 3 #endif ALG_SID_MD5 #ifndef ALG_SID_SHA1 #define ALG_SID_SHA1 4 #endif #ifndef ALG_SID_SHA_256 #define ALG_SID_SHA_256 12 #endif #ifndef ALG_CLASS_HASH #define ALG_CLASS_HASH (4 << 13) #endif #ifndef ALG_TYPE_ANY #define ALG_TYPE_ANY (0) #endif #ifndef CALG_MD5 #define CALG_MD5 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD5) #endif #ifndef CALG_SHA1 #define CALG_SHA1 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA1) #endif #ifndef CALG_SHA_256 #define CALG_SHA_256 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_256) #endif #ifndef CRYPTO_BLOBS_DEFINED #define CRYPTO_BLOBS_DEFINED typedef struct _CRYPTOAPI_BLOB { ULONG cbData; _Field_size_bytes_(cbData) UCHAR *pbData; } CRYPT_INTEGER_BLOB, *PCRYPT_INTEGER_BLOB, CRYPT_UINT_BLOB, *PCRYPT_UINT_BLOB, CRYPT_OBJID_BLOB, *PCRYPT_OBJID_BLOB, CERT_NAME_BLOB, *PCERT_NAME_BLOB, CERT_RDN_VALUE_BLOB, *PCERT_RDN_VALUE_BLOB, CERT_BLOB, *PCERT_BLOB, CRL_BLOB, *PCRL_BLOB, DATA_BLOB, *PDATA_BLOB, CRYPT_DATA_BLOB, *PCRYPT_DATA_BLOB, CRYPT_HASH_BLOB, *PCRYPT_HASH_BLOB, CRYPT_DIGEST_BLOB, *PCRYPT_DIGEST_BLOB, CRYPT_DER_BLOB, *PCRYPT_DER_BLOB, CRYPT_ATTR_BLOB, *PCRYPT_ATTR_BLOB; #endif #ifndef MINCRYPT_MAX_HASH_LEN #define MINCRYPT_MAX_HASH_LEN 64 #endif #ifndef MINCRYPT_SHA1_HASH_LEN #define MINCRYPT_SHA1_HASH_LEN (160 / 8) #endif #ifndef MINCRYPT_SHA256_HASH_LEN #define MINCRYPT_SHA256_HASH_LEN (256 / 8) #endif // // Self-signed // #define MINCRYPT_POLICY_NO_ROOT 0x1 // // Microsoft Authenticode Root Authority // Microsoft Root Authority // Microsoft Root Certificate Authority // #define MINCRYPT_POLICY_MICROSOFT_ROOT 0x2 // // Microsoft Test Root Authority // #define MINCRYPT_POLICY_TEST_ROOT 0x4 // // Microsoft Code Verification Root // #define MINCRYPT_POLICY_CODE_ROOT 0x8 // // Win 10 RS5 started using Unknown Root // #define MINCRYPT_POLICY_UNKNOWN_ROOT 0x10 // // Microsoft Digital Media Authority 2005 // Microsoft Digital Media Authority 2005 for preview releases // #define MINCRYPT_POLICY_DMD_ROOT 0x20 // // MS Protected Media Test Root // #define MINCRYPT_POLICY_DMD_TEST_ROOT 0x40 // // Win 8.1/10 flags // #define MINCRYPT_POLICY_3RD_PARTY_ROOT 0x80 #define MINCRYPT_POLICY_TRUSTED_BOOT_ROOT 0x100 #define MINCRYPT_POLICY_UEFI_ROOT 0x200 #define MINCRYPT_POLICY_FLIGHT_ROOT 0x400 #define MINCRYPT_POLICY_PRS_WIN81_ROOT 0x800 #define MINCRYPT_POLICY_TEST_WIN81_ROOT 0x1000 #define MINCRYPT_POLICY_OTHER_ROOT 0x2000 // // Undefined bits // #define MINCRYPT_POLICY_INVALID_BITS 0xC000 // // This flag masks out errors and only keeps policies // #define MINCRYPT_POLICY_ROOT_FLAG 0xFFFF // // All these are errors instead // #define MINCRYPT_POLICY_NO_SIGNATURE 0x00010000 #define MINCRYPT_POLICY_BAD_CHAIN 0x00020000 #define MINCRYPT_POLICY_BAD_SIGNATURE 0x00040000 #define MINCRYPT_POLICY_NO_CODE_EKU 0x00080000 #define MINCRYPT_POLICY_NO_PAGE_HASHES 0x00100000 #define MINCRYPT_POLICY_CERT_REVOKED 0x00200000 #define MINCRYPT_POLICY_CERT_EXPIRED 0x00400000 #define MINCRYPT_POLICY_UNKNOWN_ERROR 0x10000000 #define MINCRYPT_POLICY_ERROR_BIT_SHIFT 16 #define MINCRYPT_POLICY_ERROR_FLAGS 0xFFFF0000 // // This set of flags ignores an invalid/unknown root authority and too long // signing chain. // #define MINCRYPT_POLICY_BAD_ERROR_FLAGS (MINCRYPT_POLICY_ERROR_FLAGS & ~MINCRYPT_POLICY_BAD_CHAIN) // https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#microsoft-root-cas-trusted-by-windows typedef enum _MINCRYPT_KNOWN_ROOT { MincryptRootNone, MincryptRootUnknown, MincryptRootSelfSigned, MincryptRootAuthenticode, MincryptRootMicrosoftProduct1997, MincryptRootMicrosoftProduct2001, MincryptRootMicrosoftProduct2010, MincryptRootMicrosoftStandard2011, MincryptRootMicrosoftCodeVerification2006, MincryptRootMicrosoftTest1999, MincryptRootMicrosoftTest2010, MincryptRootMicrosoftDMDTest2005, MincryptRootMicrosoftDMD2005, MincryptRootMicrosoftDMDPreview2005, MincryptRootMicrosoftFlight2014, MincryptRootMicrosoftThirdPartyMarketplace, MincryptRootMicrosoftECCTestingRoot2017, MincryptRootMicrosoftECCDevelopmentRoot2018, MincryptRootMicrosoftECCProduct2018, MincryptRootMicrosoftECCProduct2017 } MINCRYPT_KNOWN_ROOT; typedef struct _MINCRYPT_STRING { PCHAR Buffer; USHORT Length; UCHAR Asn1EncodingTag; UCHAR Spare[1]; } MINCRYPT_STRING, *PMINCRYPT_STRING; typedef struct _MINCRYPT_CHAIN_ELEMENT { ALG_ID AlgorithmId; ULONG HashSize; UCHAR Hash[MINCRYPT_MAX_HASH_LEN]; MINCRYPT_STRING Subject; MINCRYPT_STRING Issuer; CRYPT_DER_BLOB Certificate; } MINCRYPT_CHAIN_ELEMENT, *PMINCRYPT_CHAIN_ELEMENT; typedef struct _MINCRYPT_CHAIN_INFO { ULONG Size; PCRYPT_DER_BLOB PublicKeys; ULONG NumberOfPublicKeys; PCRYPT_OBJID_BLOB ExtendedKeyUses; ULONG NumberOfExtendedKeyUses; // win10+ PMINCRYPT_CHAIN_ELEMENT ChainElements; ULONG NumberOfChainElements; MINCRYPT_KNOWN_ROOT KnownRoot; CRYPT_ATTR_BLOB AuthenticodeAttributes; UCHAR PlatformManifest[MINCRYPT_SHA256_HASH_LEN]; } MINCRYPT_CHAIN_INFO, *PMINCRYPT_CHAIN_INFO; typedef struct _MINCRYPT_POLICY_INFO { ULONG Size; NTSTATUS VerificationStatus; ULONG PolicyBits; PMINCRYPT_CHAIN_INFO ChainInfo; // win8+ LARGE_INTEGER RevocationTime; // win10+ LARGE_INTEGER ValidFromTime; LARGE_INTEGER ValidToTime; } MINCRYPT_POLICY_INFO, *PMINCRYPT_POLICY_INFO; // rev // CiFreePolicyInfo typedef _Function_class_(CI_FREE_POLICY_INFO) _IRQL_requires_max_(PASSIVE_LEVEL) VOID NTAPI CI_FREE_POLICY_INFO( _Inout_ PMINCRYPT_POLICY_INFO PolicyInfo ); typedef CI_FREE_POLICY_INFO* PCI_FREE_POLICY_INFO; // rev // CiCheckSignedFile (pre 6.1.7601.18519) typedef _Function_class_(CI_CHECK_SIGNED_FILE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS NTAPI CI_CHECK_SIGNED_FILE( _In_bytecount_(MINCRYPT_SHA1_HASH_LEN) PBYTE Hash, _In_bytecount_(SignatureSize) PBYTE Signature, _In_ ULONG SignatureSize, _Inout_opt_ PMINCRYPT_POLICY_INFO PolicyInfo, _Out_opt_ PLARGE_INTEGER SigningTime, _Inout_opt_ PMINCRYPT_POLICY_INFO TimeStampPolicyInfo ); typedef CI_CHECK_SIGNED_FILE* PCI_CHECK_SIGNED_FILE; // rev // CiCheckSignedFile typedef _Function_class_(CI_CHECK_SIGNED_FILE_EX) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS NTAPI CI_CHECK_SIGNED_FILE_EX( _In_bytecount_(HashSize) PBYTE Hash, _In_ ULONG HashSize, _In_ ALG_ID AlgorithmId, _In_bytecount_(SignatureSize) PBYTE Signature, _In_ ULONG SignatureSize, _Inout_opt_ PMINCRYPT_POLICY_INFO PolicyInfo, _Out_opt_ PLARGE_INTEGER SigningTime, _Inout_opt_ PMINCRYPT_POLICY_INFO TimeStampPolicyInfo ); typedef CI_CHECK_SIGNED_FILE_EX* PCI_CHECK_SIGNED_FILE_EX; // rev // CiVerifyHashInCatalog (pre 6.1.7601.18519) typedef _Function_class_(CI_VERIFY_HASH_IN_CATALOG) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS NTAPI CI_VERIFY_HASH_IN_CATALOG( _In_bytecount_(MINCRYPT_SHA1_HASH_LEN) PBYTE Hash, _In_ ULONG ReloadCatalogs, _In_ ULONG SecureProcess, _In_ ULONG AcceptRoots, _Inout_opt_ PMINCRYPT_POLICY_INFO PolicyInfo, _Out_opt_ PUNICODE_STRING CatalogName, // RtlFreeUnicodeString _Out_opt_ PLARGE_INTEGER SigningTime, _Inout_opt_ PMINCRYPT_POLICY_INFO TimeStampPolicyInfo ); typedef CI_VERIFY_HASH_IN_CATALOG* PCI_VERIFY_HASH_IN_CATALOG; // rev // CiVerifyHashInCatalog typedef _Function_class_(CI_VERIFY_HASH_IN_CATALOG_EX) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS NTAPI CI_VERIFY_HASH_IN_CATALOG_EX( _In_bytecount_(HashSize) PBYTE Hash, _In_ ULONG HashSize, _In_ ALG_ID AlgorithmId, _In_ ULONG ReloadCatalogs, _In_ ULONG SecureProcess, _In_ ULONG AcceptRoots, _Inout_opt_ PMINCRYPT_POLICY_INFO PolicyInfo, _Out_opt_ PUNICODE_STRING CatalogName, // RtlFreeUnicodeString _Out_opt_ PLARGE_INTEGER SigningTime, _Inout_opt_ PMINCRYPT_POLICY_INFO TimeStampPolicyInfo ); typedef CI_VERIFY_HASH_IN_CATALOG_EX* PCI_VERIFY_HASH_IN_CATALOG_EX; // rev #define CI_POLICY_VALID_FLAGS 0x1BE00078ul #define CI_POLICY_DEFAULT 0x00000000ul #define CI_POLICY_REQUIRE_MICROSOFT 0x00000001ul // ? legacy #define CI_POLICY_REQUIRE_SIGNED 0x00000002ul // ? legacy #define CI_POLICY_ALLOW_UNSIGNED 0x00000004ul // ? legacy #define CI_POLICY_REJECT_UNSIGNED 0x80000000ul // ? legacy #define CI_POLICY_CHECK_PROTECTED_PROCESS_EKU 0x00000008ul #define CI_POLICY_FORCE_PROTECTED_PROCESS_POLICY 0x00000010ul #define CI_POLICY_ACCEPT_ANY_ROOT_CERTIFICATE 0x00000020ul #define CI_POLICY_ALLOW_REVOKED_CERTIFICATE 0x00800000ul #define CI_POLICY_ALLOW_EXPIRED_REVOKED_CERTIFICATE 0x08000000ul // rev // CiValidateFileObject typedef _Function_class_(CI_VALIDATE_FILE_OBJECT) NTSTATUS NTAPI CI_VALIDATE_FILE_OBJECT( _In_ PFILE_OBJECT FileObject, _In_ ULONG PolicyFlags, _In_ SE_SIGNING_LEVEL LevelCheck, _Inout_ PMINCRYPT_POLICY_INFO PolicyInfo, _Inout_ PMINCRYPT_POLICY_INFO TimeStampPolicyInfo, _Out_ PLARGE_INTEGER SigningTime, _Out_writes_bytes_to_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, _Inout_ PULONG ThumbprintSize, _Out_ PULONG ThumbprintAlgorithm ); typedef CI_VALIDATE_FILE_OBJECT* PCI_VALIDATE_FILE_OBJECT; // rev typedef _Function_class_(CI_ALLOCATE_ROUTINE) PVOID NTAPI CI_ALLOCATE_ROUTINE( _In_ ULONG NumberOfBytes ); typedef CI_ALLOCATE_ROUTINE* PCI_ALLOCATE_ROUTINE; // rev // CiGetCertPublisherName typedef _Function_class_(CI_GET_CERT_PUBLISHER_NAME) NTSTATUS NTAPI CI_GET_CERT_PUBLISHER_NAME( _In_ PCRYPT_DER_BLOB Certificate, // MINCRYPT_POLICY_INFO.ChainInfo.ChainElements.Certificate _In_ PCI_ALLOCATE_ROUTINE AllocateRoutine, _Out_ PUNICODE_STRING PublisherName ); typedef CI_GET_CERT_PUBLISHER_NAME* PCI_GET_CERT_PUBLISHER_NAME; // alpc extern POBJECT_TYPE *LpcPortObjectType; #define AlpcPortObjectType LpcPortObjectType #define PORT_CONNECT 0x0001 #define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | PORT_CONNECT) typedef struct _PORT_MESSAGE { union { struct { CSHORT DataLength; CSHORT TotalLength; } s1; ULONG Length; } u1; union { struct { CSHORT Type; CSHORT DataInfoOffset; } s2; ULONG ZeroInit; } u2; union { CLIENT_ID ClientId; double DoNotUseThisField; }; ULONG MessageId; union { SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages ULONG CallbackId; // only valid for LPC_REQUEST messages }; } PORT_MESSAGE, *PPORT_MESSAGE; typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE; #define ALPC_PORFLG_ALLOW_LPC_REQUESTS 0x20000 // rev #define ALPC_PORFLG_WAITABLE_PORT 0x40000 // dbg #define ALPC_PORFLG_SYSTEM_PROCESS 0x100000 // dbg typedef struct _ALPC_PORT_ATTRIBUTES { ULONG Flags; SECURITY_QUALITY_OF_SERVICE SecurityQos; SIZE_T MaxMessageLength; SIZE_T MemoryBandwidth; SIZE_T MaxPoolUsage; SIZE_T MaxSectionSize; SIZE_T MaxViewSize; SIZE_T MaxTotalSectionSize; ULONG DupObjectTypes; #ifdef _WIN64 ULONG Reserved; #endif } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; #define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000 #define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000 #define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000 #define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000 typedef struct _ALPC_MESSAGE_ATTRIBUTES { ULONG AllocatedAttributes; ULONG ValidAttributes; } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; #define ALPC_MSGFLG_REPLY_MESSAGE 0x1 #define ALPC_MSGFLG_LPC_MODE 0x2 // ? #define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000 // dbg #define ALPC_MSGFLG_SYNC_REQUEST 0x20000 // dbg #define ALPC_MSGFLG_WAIT_USER_MODE 0x100000 #define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000 #define ALPC_MSGFLG_WOW64_CALL 0x80000000 // dbg NTSYSCALLAPI NTSTATUS NTAPI ZwAlpcConnectPort( _Out_ PHANDLE PortHandle, _In_ PUNICODE_STRING PortName, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, _In_ ULONG Flags, _In_opt_ PSID RequiredServerSid, _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage, _Inout_opt_ PSIZE_T BufferLength, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, _In_opt_ PLARGE_INTEGER Timeout ); // LXCORE typedef _Function_class_(LXP_PROCESS_GET_CURRENT) _Must_inspect_result_ BOOLEAN NTAPI LXP_PROCESS_GET_CURRENT( _Out_ PVOID* Thread ); typedef LXP_PROCESS_GET_CURRENT* PLXP_PROCESS_GET_CURRENT; typedef _Function_class_(LXP_THREAD_GET_CURRENT) _Must_inspect_result_ BOOLEAN NTAPI LXP_THREAD_GET_CURRENT( _Out_ PVOID* Thread ); typedef LXP_THREAD_GET_CURRENT* PLXP_THREAD_GET_CURRENT; // CFG // // Define flags for setting process CFG valid call target entries. // // // Call target should be made valid. If not set, the call target is made // invalid. Input flag. // #define CFG_CALL_TARGET_VALID (0x00000001) // // Call target has been successfully processed. Used to report to the caller // how much progress has been made. Output flag. // #define CFG_CALL_TARGET_PROCESSED (0x00000002) // // Call target should be made valid only if it is suppressed export. // What this flag means is that it can *only* be used on a cell which is // currently in the CFG export suppressed state (only considered for export // suppressed processes and not legacy CFG processes!), and it is also // allowed to be used even if the process is a restricted (i.e. no ACG) process. // #define CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID (0x00000004) // // Call target should be made into an XFG call target. // #define CFG_CALL_TARGET_VALID_XFG (0x00000008) // // Call target should be made valid only if it is already an XFG target // in a process which has XFG audit mode enabled. // #define CFG_CALL_TARGET_CONVERT_XFG_TO_CFG (0x00000010) typedef struct _CFG_CALL_TARGET_INFO { ULONG_PTR Offset; ULONG_PTR Flags; } CFG_CALL_TARGET_INFO, *PCFG_CALL_TARGET_INFO; typedef struct _CFG_CALL_TARGET_LIST_INFORMATION { ULONG NumberOfEntries; ULONG Reserved; PULONG NumberOfEntriesProcessed; PCFG_CALL_TARGET_INFO CallTargetInfo; PVOID Section; // since REDSTONE5 ULONGLONG FileOffset; } CFG_CALL_TARGET_LIST_INFORMATION, *PCFG_CALL_TARGET_LIST_INFORMATION; // SE #define SeDebugPrivilege RtlConvertUlongToLuid(SE_DEBUG_PRIVILEGE) #define SeCreateTokenPrivilege RtlConvertUlongToLuid(SE_CREATE_TOKEN_PRIVILEGE) NTKERNELAPI NTSTATUS NTAPI SeCaptureSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor ); NTKERNELAPI NTSTATUS NTAPI SeReleaseSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode ); #if (NTDDI_VERSION >= NTDDI_WINBLUE) NTKERNELAPI NTSTATUS NTAPI SeGetCachedSigningLevel( _In_ PFILE_OBJECT FileObject, _Out_ PULONG Flags, _Out_ PSE_SIGNING_LEVEL SigningLevel, _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, _Inout_opt_ PULONG ThumbprintSize, _Out_opt_ PULONG ThumbprintAlgorithm ); #endif typedef _IRQL_requires_max_(PASSIVE_LEVEL) _Function_class_(SE_REGISTER_IMAGE_VERIFICATION_CALLBACK) NTKERNELAPI NTSTATUS SE_REGISTER_IMAGE_VERIFICATION_CALLBACK( _In_ SE_IMAGE_TYPE ImageType, _In_ SE_IMAGE_VERIFICATION_CALLBACK_TYPE CallbackType, _In_ PSE_IMAGE_VERIFICATION_CALLBACK_FUNCTION CallbackFunction, _In_opt_ PVOID CallbackContext, _Reserved_ SE_IMAGE_VERIFICATION_CALLBACK_TOKEN Token, _Out_ PVOID* CallbackHandle ); typedef SE_REGISTER_IMAGE_VERIFICATION_CALLBACK* PSE_REGISTER_IMAGE_VERIFICATION_CALLBACK; typedef _IRQL_requires_max_(PASSIVE_LEVEL) _Function_class_(SE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK) NTKERNELAPI VOID SE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK( _In_ PVOID CallbackHandle ); typedef SE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK* PSE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK; // schannel.h #define UNISP_NAME_A "Microsoft Unified Security Protocol Provider" #define UNISP_NAME_W L"Microsoft Unified Security Protocol Provider" #define SSL2SP_NAME_A "Microsoft SSL 2.0" #define SSL2SP_NAME_W L"Microsoft SSL 2.0" #define SSL3SP_NAME_A "Microsoft SSL 3.0" #define SSL3SP_NAME_W L"Microsoft SSL 3.0" #define TLS1SP_NAME_A "Microsoft TLS 1.0" #define TLS1SP_NAME_W L"Microsoft TLS 1.0" #define PCT1SP_NAME_A "Microsoft PCT 1.0" #define PCT1SP_NAME_W L"Microsoft PCT 1.0" #define SCHANNEL_NAME_A "Schannel" #define SCHANNEL_NAME_W L"Schannel" #define DEFAULT_TLS_SSP_NAME_A "Default TLS SSP" #define DEFAULT_TLS_SSP_NAME_W L"Default TLS SSP" #ifdef UNICODE #define UNISP_NAME UNISP_NAME_W #define PCT1SP_NAME PCT1SP_NAME_W #define SSL2SP_NAME SSL2SP_NAME_W #define SSL3SP_NAME SSL3SP_NAME_W #define TLS1SP_NAME TLS1SP_NAME_W #define SCHANNEL_NAME SCHANNEL_NAME_W #define DEFAULT_TLS_SSP_NAME DEFAULT_TLS_SSP_NAME_W #else #define UNISP_NAME UNISP_NAME_A #define PCT1SP_NAME PCT1SP_NAME_A #define SSL2SP_NAME SSL2SP_NAME_A #define SSL3SP_NAME SSL3SP_NAME_A #define TLS1SP_NAME TLS1SP_NAME_A #define SCHANNEL_NAME SCHANNEL_NAME_A #define DEFAULT_TLS_SSP_NAME DEFAULT_TLS_SSP_NAME_A #endif #define SP_PROT_PCT1_SERVER 0x00000001 #define SP_PROT_PCT1_CLIENT 0x00000002 #define SP_PROT_PCT1 (SP_PROT_PCT1_SERVER | SP_PROT_PCT1_CLIENT) #define SP_PROT_SSL2_SERVER 0x00000004 #define SP_PROT_SSL2_CLIENT 0x00000008 #define SP_PROT_SSL2 (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT) #define SP_PROT_SSL3_SERVER 0x00000010 #define SP_PROT_SSL3_CLIENT 0x00000020 #define SP_PROT_SSL3 (SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT) #define SP_PROT_TLS1_SERVER 0x00000040 #define SP_PROT_TLS1_CLIENT 0x00000080 #define SP_PROT_TLS1 (SP_PROT_TLS1_SERVER | SP_PROT_TLS1_CLIENT) #define SP_PROT_SSL3TLS1_CLIENTS (SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT) #define SP_PROT_SSL3TLS1_SERVERS (SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER) #define SP_PROT_SSL3TLS1 (SP_PROT_SSL3 | SP_PROT_TLS1) #define SP_PROT_UNI_SERVER 0x40000000 #define SP_PROT_UNI_CLIENT 0x80000000 #define SP_PROT_UNI (SP_PROT_UNI_SERVER | SP_PROT_UNI_CLIENT) #define SP_PROT_ALL 0xffffffff #define SP_PROT_NONE 0 #define SP_PROT_CLIENTS (SP_PROT_PCT1_CLIENT | SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_UNI_CLIENT | SP_PROT_TLS1_CLIENT) #define SP_PROT_SERVERS (SP_PROT_PCT1_SERVER | SP_PROT_SSL2_SERVER | SP_PROT_SSL3_SERVER | SP_PROT_UNI_SERVER | SP_PROT_TLS1_SERVER) #define SP_PROT_TLS1_0_SERVER SP_PROT_TLS1_SERVER #define SP_PROT_TLS1_0_CLIENT SP_PROT_TLS1_CLIENT #define SP_PROT_TLS1_0 (SP_PROT_TLS1_0_SERVER | \ SP_PROT_TLS1_0_CLIENT) #define SP_PROT_TLS1_1_SERVER 0x00000100 #define SP_PROT_TLS1_1_CLIENT 0x00000200 #define SP_PROT_TLS1_1 (SP_PROT_TLS1_1_SERVER | \ SP_PROT_TLS1_1_CLIENT) #define SP_PROT_TLS1_2_SERVER 0x00000400 #define SP_PROT_TLS1_2_CLIENT 0x00000800 #define SP_PROT_TLS1_2 (SP_PROT_TLS1_2_SERVER | \ SP_PROT_TLS1_2_CLIENT) #define SP_PROT_TLS1_3_SERVER 0x00001000 #define SP_PROT_TLS1_3_CLIENT 0x00002000 #define SP_PROT_TLS1_3 (SP_PROT_TLS1_3_SERVER | \ SP_PROT_TLS1_3_CLIENT) #define SP_PROT_DTLS_SERVER 0x00010000 #define SP_PROT_DTLS_CLIENT 0x00020000 #define SP_PROT_DTLS (SP_PROT_DTLS_SERVER | \ SP_PROT_DTLS_CLIENT) #define SP_PROT_DTLS1_0_SERVER SP_PROT_DTLS_SERVER #define SP_PROT_DTLS1_0_CLIENT SP_PROT_DTLS_CLIENT #define SP_PROT_DTLS1_0 (SP_PROT_DTLS1_0_SERVER | SP_PROT_DTLS1_0_CLIENT) #define SP_PROT_DTLS1_2_SERVER 0x00040000 #define SP_PROT_DTLS1_2_CLIENT 0x00080000 #define SP_PROT_DTLS1_2 (SP_PROT_DTLS1_2_SERVER | SP_PROT_DTLS1_2_CLIENT) #define SP_PROT_DTLS1_X_SERVER (SP_PROT_DTLS1_0_SERVER | \ SP_PROT_DTLS1_2_SERVER) #define SP_PROT_DTLS1_X_CLIENT (SP_PROT_DTLS1_0_CLIENT | \ SP_PROT_DTLS1_2_CLIENT) #define SP_PROT_DTLS1_X (SP_PROT_DTLS1_X_SERVER | \ SP_PROT_DTLS1_X_CLIENT) #define SP_PROT_TLS1_1PLUS_SERVER (SP_PROT_TLS1_1_SERVER | \ SP_PROT_TLS1_2_SERVER | \ SP_PROT_TLS1_3_SERVER) #define SP_PROT_TLS1_1PLUS_CLIENT (SP_PROT_TLS1_1_CLIENT | \ SP_PROT_TLS1_2_CLIENT | \ SP_PROT_TLS1_3_CLIENT) #define SP_PROT_TLS1_1PLUS (SP_PROT_TLS1_1PLUS_SERVER | \ SP_PROT_TLS1_1PLUS_CLIENT) #define SP_PROT_TLS1_3PLUS_SERVER SP_PROT_TLS1_3_SERVER #define SP_PROT_TLS1_3PLUS_CLIENT SP_PROT_TLS1_3_CLIENT #define SP_PROT_TLS1_3PLUS (SP_PROT_TLS1_3PLUS_SERVER | \ SP_PROT_TLS1_3PLUS_CLIENT) #define SP_PROT_TLS1_X_SERVER (SP_PROT_TLS1_0_SERVER | \ SP_PROT_TLS1_1_SERVER | \ SP_PROT_TLS1_2_SERVER | \ SP_PROT_TLS1_3_SERVER) #define SP_PROT_TLS1_X_CLIENT (SP_PROT_TLS1_0_CLIENT | \ SP_PROT_TLS1_1_CLIENT | \ SP_PROT_TLS1_2_CLIENT | \ SP_PROT_TLS1_3_CLIENT) #define SP_PROT_TLS1_X (SP_PROT_TLS1_X_SERVER | \ SP_PROT_TLS1_X_CLIENT) #define SP_PROT_SSL3TLS1_X_CLIENTS (SP_PROT_TLS1_X_CLIENT | \ SP_PROT_SSL3_CLIENT) #define SP_PROT_SSL3TLS1_X_SERVERS (SP_PROT_TLS1_X_SERVER | \ SP_PROT_SSL3_SERVER) #define SP_PROT_SSL3TLS1_X (SP_PROT_SSL3 | SP_PROT_TLS1_X) #define SP_PROT_X_CLIENTS (SP_PROT_CLIENTS | \ SP_PROT_TLS1_X_CLIENT | \ SP_PROT_DTLS1_X_CLIENT) #define SP_PROT_X_SERVERS (SP_PROT_SERVERS | \ SP_PROT_TLS1_X_SERVER | \ SP_PROT_DTLS1_X_SERVER) #define SCH_CRED_NO_SYSTEM_MAPPER 0x00000002 #define SCH_CRED_NO_SERVERNAME_CHECK 0x00000004 #define SCH_CRED_MANUAL_CRED_VALIDATION 0x00000008 #define SCH_CRED_NO_DEFAULT_CREDS 0x00000010 #define SCH_CRED_AUTO_CRED_VALIDATION 0x00000020 #define SCH_CRED_USE_DEFAULT_CREDS 0x00000040 #define SCH_CRED_DISABLE_RECONNECTS 0x00000080 #define SCH_CRED_REVOCATION_CHECK_END_CERT 0x00000100 #define SCH_CRED_REVOCATION_CHECK_CHAIN 0x00000200 #define SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x00000400 #define SCH_CRED_IGNORE_NO_REVOCATION_CHECK 0x00000800 #define SCH_CRED_IGNORE_REVOCATION_OFFLINE 0x00001000 #define SCH_CRED_RESTRICTED_ROOTS 0x00002000 #define SCH_CRED_REVOCATION_CHECK_CACHE_ONLY 0x00004000 #define SCH_CRED_CACHE_ONLY_URL_RETRIEVAL 0x00008000 #define SCH_CRED_MEMORY_STORE_CERT 0x00010000 #define SCH_CRED_CACHE_ONLY_URL_RETRIEVAL_ON_CREATE 0x00020000 #define SCH_SEND_ROOT_CERT 0x00040000 #define SCH_CRED_SNI_CREDENTIAL 0x00080000 #define SCH_CRED_SNI_ENABLE_OCSP 0x00100000 #define SCH_SEND_AUX_RECORD 0x00200000 #define SCH_USE_STRONG_CRYPTO 0x00400000 #define SCH_USE_PRESHAREDKEY_ONLY 0x00800000 #define SCH_USE_DTLS_ONLY 0x01000000 #define SCH_ALLOW_NULL_ENCRYPTION 0x02000000 #define SCHANNEL_RENEGOTIATE 0 // renegotiate a connection #define SCHANNEL_SHUTDOWN 1 // gracefully close down a connection #define SCHANNEL_ALERT 2 // build an error message #define SCHANNEL_SESSION 3 // session control #define SCH_CRED_V1 0x00000001 #define SCH_CRED_V2 0x00000002 // for legacy code #define SCH_CRED_VERSION 0x00000002 // for legacy code #define SCH_CRED_V3 0x00000003 // for legacy code #define SCHANNEL_CRED_VERSION 0x00000004 // for legacy code #define SCH_CREDENTIALS_VERSION 0x00000005 typedef struct _SCHANNEL_CRED { DWORD dwVersion; // always SCHANNEL_CRED_VERSION DWORD cCreds; //PCCERT_CONTEXT *paCred; PVOID paCred; //HCERTSTORE hRootStore; PVOID hRootStore; DWORD cMappers; struct _HMAPPER **aphMappers; DWORD cSupportedAlgs; ALG_ID * palgSupportedAlgs; DWORD grbitEnabledProtocols; DWORD dwMinimumCipherStrength; DWORD dwMaximumCipherStrength; DWORD dwSessionLifespan; DWORD dwFlags; DWORD dwCredFormat; } SCHANNEL_CRED, *PSCHANNEL_CRED; typedef enum _eTlsAlgorithmUsage { TlsParametersCngAlgUsageKeyExchange, // Key exchange algorithm. RSA, ECHDE, DHE, etc. TlsParametersCngAlgUsageSignature, // Signature algorithm. RSA, DSA, ECDSA, etc. TlsParametersCngAlgUsageCipher, // Encryption algorithm. AES, DES, RC4, etc. TlsParametersCngAlgUsageDigest, // Digest of cipher suite. SHA1, SHA256, SHA384, etc. TlsParametersCngAlgUsageCertSig // Signature and/or hash used to sign certificate. RSA, DSA, ECDSA, SHA1, SHA256, etc. } eTlsAlgorithmUsage; // // SCH_CREDENTIALS structures // typedef struct _CRYPTO_SETTINGS { eTlsAlgorithmUsage eAlgorithmUsage; // How this algorithm is being used. UNICODE_STRING strCngAlgId; // CNG algorithm identifier. DWORD cChainingModes; // Set to 0 if CNG algorithm does not have a chaining mode. PUNICODE_STRING rgstrChainingModes; // Set to NULL if CNG algorithm does not have a chaining mode. DWORD dwMinBitLength; // Blacklist key sizes less than this. Set to 0 if not defined or CNG algorithm implies bit length. DWORD dwMaxBitLength; // Blacklist key sizes greater than this. Set to 0 if not defined or CNG algorithm implies bit length. } CRYPTO_SETTINGS, *PCRYPTO_SETTINGS; typedef struct _TLS_PARAMETERS { DWORD cAlpnIds; // Valid for server applications only. Must be zero otherwise. Number of ALPN IDs in rgstrAlpnIds; set to 0 if applies to all. PUNICODE_STRING rgstrAlpnIds; // Valid for server applications only. Must be NULL otherwise. Array of ALPN IDs that the following settings apply to; set to NULL if applies to all. DWORD grbitDisabledProtocols; // List protocols you DO NOT want negotiated. DWORD cDisabledCrypto; // Number of CRYPTO_SETTINGS structures; set to 0 if there are none. PCRYPTO_SETTINGS pDisabledCrypto; // Array of CRYPTO_SETTINGS structures; set to NULL if there are none; DWORD dwFlags; // Optional flags to pass; set to 0 if there are none. } TLS_PARAMETERS, *PTLS_PARAMETERS; #define TLS_PARAMS_OPTIONAL 0x00000001 // Valid for server applications only. Must be zero otherwise. // TLS_PARAMETERS that will only be honored if they do not cause this server to terminate the handshake. typedef struct _SCH_CREDENTIALS { DWORD dwVersion; // Always SCH_CREDENTIALS_VERSION. DWORD dwCredFormat; DWORD cCreds; //PCCERT_CONTEXT *paCred; PVOID *paCred; //HCERTSTORE hRootStore; PVOID hRootStore; DWORD cMappers; struct _HMAPPER **aphMappers; DWORD dwSessionLifespan; DWORD dwFlags; DWORD cTlsParameters; PTLS_PARAMETERS pTlsParameters; } SCH_CREDENTIALS, *PSCH_CREDENTIALS; #define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16 #define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16 #define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16 #define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16 #define SECPKG_ATTR_ISSUER_LIST 0x50 // (OBSOLETE) returns SecPkgContext_IssuerListInfo #define SECPKG_ATTR_REMOTE_CRED 0x51 // (OBSOLETE) returns SecPkgContext_RemoteCredentialInfo #define SECPKG_ATTR_LOCAL_CRED 0x52 // (OBSOLETE) returns SecPkgContext_LocalCredentialInfo #define SECPKG_ATTR_REMOTE_CERT_CONTEXT 0x53 // returns PCCERT_CONTEXT #define SECPKG_ATTR_LOCAL_CERT_CONTEXT 0x54 // returns PCCERT_CONTEXT #define SECPKG_ATTR_ROOT_STORE 0x55 // returns HCERTCONTEXT to the root store #define SECPKG_ATTR_SUPPORTED_ALGS 0x56 // returns SecPkgCred_SupportedAlgs #define SECPKG_ATTR_CIPHER_STRENGTHS 0x57 // returns SecPkgCred_CipherStrengths #define SECPKG_ATTR_SUPPORTED_PROTOCOLS 0x58 // returns SecPkgCred_SupportedProtocols #define SECPKG_ATTR_ISSUER_LIST_EX 0x59 // returns SecPkgContext_IssuerListInfoEx #define SECPKG_ATTR_CONNECTION_INFO 0x5a // returns SecPkgContext_ConnectionInfo #define SECPKG_ATTR_EAP_KEY_BLOCK 0x5b // returns SecPkgContext_EapKeyBlock #define SECPKG_ATTR_MAPPED_CRED_ATTR 0x5c // returns SecPkgContext_MappedCredAttr #define SECPKG_ATTR_SESSION_INFO 0x5d // returns SecPkgContext_SessionInfo #define SECPKG_ATTR_APP_DATA 0x5e // sets/returns SecPkgContext_SessionAppData #define SECPKG_ATTR_REMOTE_CERTIFICATES 0x5F // returns SecPkgContext_Certificates #define SECPKG_ATTR_CLIENT_CERT_POLICY 0x60 // sets SecPkgCred_ClientCertCtlPolicy #define SECPKG_ATTR_CC_POLICY_RESULT 0x61 // returns SecPkgContext_ClientCertPolicyResult #define SECPKG_ATTR_USE_NCRYPT 0x62 // Sets the CRED_FLAG_USE_NCRYPT_PROVIDER FLAG on cred group #define SECPKG_ATTR_LOCAL_CERT_INFO 0x63 // returns SecPkgContext_CertInfo #define SECPKG_ATTR_CIPHER_INFO 0x64 // returns new CNG SecPkgContext_CipherInfo #define SECPKG_ATTR_EAP_PRF_INFO 0x65 // sets SecPkgContext_EapPrfInfo #define SECPKG_ATTR_SUPPORTED_SIGNATURES 0x66 // returns SecPkgContext_SupportedSignatures #define SECPKG_ATTR_REMOTE_CERT_CHAIN 0x67 // returns PCCERT_CONTEXT #define SECPKG_ATTR_UI_INFO 0x68 // sets SEcPkgContext_UiInfo #define SECPKG_ATTR_EARLY_START 0x69 // sets SecPkgContext_EarlyStart #define SECPKG_ATTR_KEYING_MATERIAL_INFO 0x6a // sets SecPkgContext_KeyingMaterialInfo #define SECPKG_ATTR_KEYING_MATERIAL 0x6b // returns SecPkgContext_KeyingMaterial #define SECPKG_ATTR_SRTP_PARAMETERS 0x6c // returns negotiated SRTP parameters #define SECPKG_ATTR_TOKEN_BINDING 0x6d // returns SecPkgContext_TokenBinding #define SECPKG_ATTR_CONNECTION_INFO_EX 0x6e // returns SecPkgContext_ConnectionInfoEx #define SECPKG_ATTR_KEYING_MATERIAL_TOKEN_BINDING 0x6f // returns SecPkgContext_KeyingMaterial specific to Token Binding #define SECPKG_ATTR_KEYING_MATERIAL_INPROC 0x70 // returns SecPkgContext_KeyingMaterial_Inproc #define SECPKG_ATTR_CERT_CHECK_RESULT 0x71 // returns SecPkgContext_CertificateValidationResult, use during and after SSPI handshake loop #define SECPKG_ATTR_CERT_CHECK_RESULT_INPROC 0x72 // returns SecPkgContext_CertificateValidationResult, use only after SSPI handshake loop #define SECPKG_ATTR_SESSION_TICKET_KEYS 0x73 // sets SecPkgCred_SessionTicketKeys #define SECPKG_ATTR_SERIALIZED_REMOTE_CERT_CONTEXT_INPROC 0x74 // returns CERT_BLOB, use only after SSPI handshake loop #define SECPKG_ATTR_SERIALIZED_REMOTE_CERT_CONTEXT 0x75 // returns CERT_BLOB, use during and after SSPI handshake loop typedef struct _SecPkgContext_ConnectionInfo { DWORD dwProtocol; ALG_ID aiCipher; DWORD dwCipherStrength; ALG_ID aiHash; DWORD dwHashStrength; ALG_ID aiExch; DWORD dwExchStrength; } SecPkgContext_ConnectionInfo, *PSecPkgContext_ConnectionInfo; #define SZ_ALG_MAX_SIZE 64 #define SECPKGCONTEXT_CONNECTION_INFO_EX_V1 1 typedef struct _SecPkgContext_ConnectionInfoEx { DWORD dwVersion; DWORD dwProtocol; WCHAR szCipher[SZ_ALG_MAX_SIZE]; DWORD dwCipherStrength; WCHAR szHash[SZ_ALG_MAX_SIZE]; DWORD dwHashStrength; WCHAR szExchange[SZ_ALG_MAX_SIZE]; DWORD dwExchStrength; } SecPkgContext_ConnectionInfoEx, *PSecPkgContext_ConnectionInfoEx; #define SECPKGCONTEXT_CIPHERINFO_V1 1 typedef struct _SecPkgContext_CipherInfo { DWORD dwVersion; DWORD dwProtocol; DWORD dwCipherSuite; DWORD dwBaseCipherSuite; WCHAR szCipherSuite[SZ_ALG_MAX_SIZE]; WCHAR szCipher[SZ_ALG_MAX_SIZE]; DWORD dwCipherLen; DWORD dwCipherBlockLen; // in bytes WCHAR szHash[SZ_ALG_MAX_SIZE]; DWORD dwHashLen; WCHAR szExchange[SZ_ALG_MAX_SIZE]; DWORD dwMinExchangeLen; DWORD dwMaxExchangeLen; WCHAR szCertificate[SZ_ALG_MAX_SIZE]; DWORD dwKeyType; } SecPkgContext_CipherInfo, *PSecPkgContext_CipherInfo; ================================================ FILE: KSystemInformer/include/pooltags.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once // alloc #define KPH_TAG_PAGED_LOOKASIDE_OBJECT '0ApK' #define KPH_TAG_NPAGED_LOOKASIDE_OBJECT '1ApK' // comms #define KPH_TAG_CLIENT '0CpK' #define KPH_TAG_MESSAGE '1CpK' #define KPH_TAG_NPAGED_MESSAGE '2CpK' #define KPH_TAG_QUEUE_ITEM '3CpK' #define KPH_TAG_THREAD_POOL '4CpK' #define KPH_TAG_CLIENT_INFORMER_STATE '5CpK' #define KPH_TAG_CLIENT_INFORMER_SETTINGS '6CpK' // dyndata #define KPH_TAG_DYNDATA '0YpK' // object #define KPH_TAG_OBJECT_QUERY '0OpK' #define KPH_TAG_OBJECT_INFO '1OpK' // process #define KPH_TAG_PROCESS_INFO '0PpK' // thread #define KPH_TAG_THREAD_BACK_TRACE '0TpK' #define KPH_TAG_THREAD_INFO '1TpK' // util #define KPH_TAG_REG_STRING '0UpK' #define KPH_TAG_REG_BINARY '1UpK' #define KPH_TAG_FILE_OBJECT_NAME '2UpK' #define KPH_TAG_CAPTURED_UNICODE_STRING '3UpK' // vm #define KPH_TAG_COPY_VM '0vpK' #define KPH_TAG_SECTION_QUERY '1vpK' #define KPH_TAG_VM_QUERY '2vpK' // debug #define KPH_TAG_DBG_SLOTS '0dpK' // hash #define KPH_TAG_HASHING_CONTEXT '0HpK' #define KPH_TAG_HASHING_INFRA '1HpK' #define KPH_TAG_CAPTURED_HASHES '2HpK' // verify #define KPH_TAG_VERIFY_SIGNATURE '0VpK' // informer #define KPH_TAG_OB_OBJECT_NAME '0IpK' #define KPH_TAG_PROCESS_CREATE_APC '1IpK' #define KPH_TAG_FLT_STREAMHANDLE_CONTEXT '2IpK' #define KPH_TAG_FLT_FILE_NAME '3IpK' #define KPH_TAG_FLT_CACHED_FILE_NAME '4IpK' #define KPH_TAG_FLT_COMPLETION_CONTEXT '5IpK' #define KPH_TAG_REG_CALL_CONTEXT '6IpK' #define KPH_TAG_REG_OBJECT_NAME '7IpK' #define KPH_TAG_REG_VALUE_NAMES '8IpK' #define KPH_TAG_OB_CALL_CONTEXT '9IpK' #define KPH_TAG_INFORMER_STATE 'SIpK' #define KPH_TAG_INFORMER_SETTINGS 'sIpK' // cid_tracking #define KPH_TAG_CID_TABLE '0cpK' #define KPH_TAG_CID_POPULATE '1cpK' #define KPH_TAG_PROCESS_CONTEXT '2cpK' #define KPH_TAG_THREAD_CONTEXT '3cpK' #define KPH_TAG_CID_APC '4cpK' #define KPH_TAG_PROCESS_IMAGE_FILE_NAME '5cpK' // protection #define KPH_TAG_IMAGE_LOAD_APC '0ppK' // alpc #define KPH_TAG_ALPC_NAME_QUERY '0apK' #define KPH_TAG_ALPC_QUERY '1apK' // file #define KPH_TAG_FILE_QUERY '0FpK' #define KPH_TAG_VOL_FILE_QUERY '1FpK' // back_trace #define KPH_TAG_BACK_TRACE_OBJECT '0BpK' // session_token #define KPH_TAG_SESSION_TOKEN_OBJECT '0tpK' #define KPH_TAG_SESSION_TOKEN_SIGNATURE '1tpK' // ringbuff #define KPH_TAG_RING_BUFFER '0RpK' // kphthread #define KPH_TAG_THREAD_START_CONTEXT '0rpK' ================================================ FILE: KSystemInformer/include/trace.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #define WPP_CONTROL_GUIDS \ WPP_DEFINE_CONTROL_GUID( \ KSystemInformer, (f64b58a2, 8214, 4037, 8c7d, b96ce6098f3d), \ WPP_DEFINE_BIT(GENERAL) /* bit 0 = 0x00000001 */ \ WPP_DEFINE_BIT(UTIL) /* bit 1 = 0x00000002 */ \ WPP_DEFINE_BIT(COMMS) /* bit 2 = 0x00000004 */ \ WPP_DEFINE_BIT(INFORMER) /* bit 3 = 0x00000008 */ \ WPP_DEFINE_BIT(VERIFY) /* bit 4 = 0x00000010 */ \ WPP_DEFINE_BIT(HASH) /* bit 5 = 0x00000020 */ \ WPP_DEFINE_BIT(TRACKING) /* bit 5 = 0x00000040 */ \ WPP_DEFINE_BIT(PROTECTION) /* bit 5 = 0x00000080 */ \ ) #define WPP_LEVEL_EVENT_LOGGER(level,event) WPP_LEVEL_LOGGER(event) #define WPP_LEVEL_EVENT_ENABLED(level,event) \ (WPP_LEVEL_ENABLED(event) && \ WPP_CONTROL(WPP_BIT_ ## event).Level >= level) // // begin_wpp config // FUNC KphTracePrint(LEVEL,EVENT,MSG, ...); // end_wpp // #ifdef KSI_NO_WPP #define KphTracePrint(LEVEL,EVENT,MSG,...) ((void)(MSG, ## __VA_ARGS__)) #define WPP_INIT_TRACING(...) ((void)0) #define WPP_CLEANUP(...) ((void)0) #endif #define TMH_STRINGIFYX(x) #x #define TMH_STRINGIFY(x) TMH_STRINGIFYX(x) #ifdef TMH_FILE #include TMH_STRINGIFY(TMH_FILE) #endif ================================================ FILE: KSystemInformer/informer.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include #include #include #include typedef struct _KPH_INFORMER_STATE { KPH_INFORMER_OPTIONS Options; KPH_RATE_LIMIT RateLimit[KPH_INFORMER_COUNT]; } KPH_INFORMER_STATE, *PKPH_INFORMER_STATE; KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpInformerStateType = NULL; static PKPH_NPAGED_LOOKASIDE_OBJECT KphpInformerStateLookaside = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpInformerStateTypeName = RTL_CONSTANT_STRING(L"KphInformerState"); KPH_PROTECTED_DATA_SECTION_RO_POP(); static KPH_INFORMER_STATE_ATOMIC KphpInformerState = { .Atomic = KPH_ATOMIC_OBJECT_REF_INIT }; /** * \brief Allocates an informer state object. * * \return Pointer to informer state object, null on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(DISPATCH_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateInformerState( _In_ SIZE_T Size ) { PVOID object; KPH_NPAGED_CODE_DISPATCH_MAX(); NT_ASSERT(KphpInformerStateLookaside); NT_ASSERT(Size <= KphpInformerStateLookaside->L.Size); DBG_UNREFERENCED_PARAMETER(Size); object = KphAllocateFromNPagedLookasideObject(KphpInformerStateLookaside); if (object) { KphReferenceObject(KphpInformerStateLookaside); } return object; } /** * \brief Initializes an informer state object. * * \param[in] Object The informer state object to initialize. * \param[in] Parameter Optional settings to initialize with. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeInformerState( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_INFORMER_STATE state; PKPH_INFORMER_SETTINGS settings; LARGE_INTEGER timeStamp; state = Object; settings = Parameter; KeQuerySystemTime(&timeStamp); if (settings) { state->Options.Flags = settings->Options.Flags; for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) { KphInitializeRateLimit(&settings->Policy[i], &timeStamp, &state->RateLimit[i]); } } else { KPH_RATE_LIMIT_POLICY policy = KPH_RATE_LIMIT_DENY_ALL; state->Options.Flags = 0; for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) { KphInitializeRateLimit(&policy, &timeStamp, &state->RateLimit[i]); } } return STATUS_SUCCESS; } /** * \brief Frees an informer state object. * * \param[in] Object The informer state object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(DISPATCH_LEVEL) VOID KSIAPI KphpFreeInformerState( _In_freesMem_ PVOID Object ) { KPH_NPAGED_CODE_DISPATCH_MAX(); NT_ASSERT(KphpInformerStateLookaside); KphFreeToNPagedLookasideObject(KphpInformerStateLookaside, Object); KphDereferenceObject(KphpInformerStateLookaside); } /** * \brief Checks if an informer is allowed for a process. * * \param[in] Index The informer index to check. * \param[in] TimeStamp The current time stamp. * \param[in] Process The process context to check. * * \return TRUE if the informer is allowed, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphInformerProcessAllowed( _In_ ULONG Index, _In_ PLARGE_INTEGER TimeStamp, _In_opt_ PKPH_PROCESS_CONTEXT Process ) { BOOLEAN allowed; PKPH_INFORMER_STATE state; KPH_NPAGED_CODE_DISPATCH_MAX(); if (!Process) { return TRUE; } if (!NT_VERIFY(Index < KPH_INFORMER_COUNT)) { return FALSE; } state = KphAtomicReferenceObject(&Process->InformerState.Atomic); if (!state) { return TRUE; } allowed = KphRateLimitConsumeToken(&state->RateLimit[Index], TimeStamp); KphDereferenceObject(state); return allowed; } /** * \brief Checks if an informer is globally allowed. * * \param[in] Index The informer index to check. * \param[in] TimeStamp The current time stamp. * * \return TRUE if the informer is allowed, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphInformerGlobalAllowed( _In_ ULONG Index, _In_ PLARGE_INTEGER TimeStamp ) { BOOLEAN allowed; PKPH_INFORMER_STATE state; KPH_NPAGED_CODE_DISPATCH_MAX(); if (!NT_VERIFY(Index < KPH_INFORMER_COUNT)) { return FALSE; } state = KphAtomicReferenceObject(&KphpInformerState.Atomic); NT_ASSERT(state); allowed = KphRateLimitConsumeToken(&state->RateLimit[Index], TimeStamp); KphDereferenceObject(state); return allowed; } /** * \brief Checks if an informer is allowed. * * \param[in] Index The informer index to check. * \param[in] ActorProcess The actor process check. * \param[in] TargetProcess The target process check. * * \return TRUE if the informer is allowed, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphInformerAllowed( _In_ ULONG Index, _In_opt_ PKPH_PROCESS_CONTEXT ActorProcess, _In_opt_ PKPH_PROCESS_CONTEXT TargetProcess ) { LARGE_INTEGER timeStamp; KPH_NPAGED_CODE_DISPATCH_MAX(); if (!KphGetInformerClientCount()) { return FALSE; } KeQuerySystemTime(&timeStamp); if (!KphInformerProcessAllowed(Index, &timeStamp, ActorProcess)) { if (ActorProcess == TargetProcess) { return FALSE; } if (!KphInformerProcessAllowed(Index, &timeStamp, TargetProcess)) { return FALSE; } } if (!KphInformerGlobalAllowed(Index, &timeStamp)) { return FALSE; } return TRUE; } /** * \brief Retrieves the active informer options. * * \param[in] ActorProcess The actor process check. * \param[in] TargetProcess The target process check. * * \return Active informer options. */ _IRQL_requires_max_(DISPATCH_LEVEL) KPH_INFORMER_OPTIONS KphInformerOptions( _In_opt_ PKPH_PROCESS_CONTEXT ActorProcess, _In_opt_ PKPH_PROCESS_CONTEXT TargetProcess ) { PKPH_INFORMER_STATE state; KPH_INFORMER_OPTIONS options; KPH_NPAGED_CODE_DISPATCH_MAX(); options.Flags = 0; state = KphAtomicReferenceObject(&KphpInformerState.Atomic); NT_ASSERT(state); SetFlag(options.Flags, state->Options.Flags); KphDereferenceObject(state); if (ActorProcess) { state = KphAtomicReferenceObject(&ActorProcess->InformerState.Atomic); if (state) { SetFlag(options.Flags, state->Options.Flags); KphDereferenceObject(state); } } if (TargetProcess) { state = KphAtomicReferenceObject(&TargetProcess->InformerState.Atomic); if (state) { SetFlag(options.Flags, state->Options.Flags); KphDereferenceObject(state); } } return options; } KPH_PAGED_FILE(); /** * \brief Copies informer settings from state to mode. * * \param[out] Settings Receives the settings. * \param[in] State The informer state to copy from. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpInformerCopySettingsToMode( _Out_ PKPH_INFORMER_SETTINGS Settings, _In_ PKPH_INFORMER_STATE State, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); status = KphCopyToMode(Settings, &State->Options, sizeof(KPH_INFORMER_OPTIONS), AccessMode); if (!NT_SUCCESS(status)) { return status; } for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) { status = KphCopyToMode(&Settings->Policy[i], &State->RateLimit[i].Policy, sizeof(KPH_RATE_LIMIT_POLICY), AccessMode); if (!NT_SUCCESS(status)) { return status; } } return STATUS_SUCCESS; } /** * \brief Gets informer settings. * * \param[out] Settings Receives the settings. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerSettings( _Out_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_INFORMER_STATE state; KPH_PAGED_CODE_PASSIVE(); state = KphAtomicReferenceObject(&KphpInformerState.Atomic); NT_ASSERT(state); status = KphZeroModeMemory(Settings, sizeof(KPH_INFORMER_SETTINGS), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = KphpInformerCopySettingsToMode(Settings, state, AccessMode); Exit: KphDereferenceObject(state); return status; } /** * \brief Sets informer settings. * * \param[in] Settings The settings to apply. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformerSettings( _In_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_INFORMER_SETTINGS settings; PKPH_INFORMER_STATE state; KPH_PAGED_CODE_PASSIVE(); state = NULL; settings = KphAllocatePaged(sizeof(KPH_INFORMER_SETTINGS), KPH_TAG_INFORMER_SETTINGS); if (!settings) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate informer settings"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphCopyFromMode(settings, Settings, sizeof(KPH_INFORMER_SETTINGS), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = KphCreateObject(KphpInformerStateType, sizeof(KPH_INFORMER_STATE), &state, settings); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCreateObject failed: %!STATUS!", status); state = NULL; goto Exit; } KphAtomicAssignObjectReference(&KphpInformerState.Atomic, state); Exit: if (state) { KphDereferenceObject(state); } if (settings) { KphFree(settings, KPH_TAG_INFORMER_SETTINGS); } return status; } /** * \brief Gets informer settings for a process. * * \param[in] ProcessHandle Handle to the process to get settings of. * \param[out] Settings Receives the settings. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerProcessSettings( _In_ HANDLE ProcessHandle, _Out_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS processObject; PKPH_PROCESS_CONTEXT processContext; PKPH_INFORMER_STATE state; KPH_PAGED_CODE_PASSIVE(); processObject = NULL; processContext = NULL; state = NULL; status = KphZeroModeMemory(Settings, sizeof(KPH_INFORMER_SETTINGS), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &processObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); processObject = NULL; goto Exit; } processContext = KphGetEProcessContext(processObject); if (!processContext) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphGetEProcessContext return null."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } state = KphAtomicReferenceObject(&processContext->InformerState.Atomic); if (!state) { status = STATUS_NOT_FOUND; goto Exit; } status = KphpInformerCopySettingsToMode(Settings, state, AccessMode); Exit: if (processContext) { KphDereferenceObject(processContext); } if (processObject) { ObDereferenceObject(processObject); } if (state) { KphDereferenceObject(state); } return status; } typedef struct _KPH_SET_INFORMER_PROCESS_SETTINGS_CONTEXT { NTSTATUS Status; PKPH_INFORMER_SETTINGS Settings; } KPH_SET_INFORMER_PROCESS_SETTINGS_CONTEXT, *PKPH_SET_INFORMER_PROCESS_SETTINGS_CONTEXT; /** * \brief Callback for setting process informer settings. * * \param[in] Process The process to set the informer settings for. * \param[in] Parameter The settings to apply. * * \return FALSE */ _Function_class_(KPH_ENUM_PROCESS_CONTEXTS_CALLBACK) _Must_inspect_result_ BOOLEAN KSIAPI KphpSetInformerProcessSettings( _In_ PKPH_PROCESS_CONTEXT Process, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_SET_INFORMER_PROCESS_SETTINGS_CONTEXT context; PKPH_PROCESS_STATE state; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Parameter); context = Parameter; status = KphCreateObject(KphpInformerStateType, sizeof(KPH_INFORMER_STATE), &state, context->Settings); if (!NT_SUCCESS(status)) { if (NT_SUCCESS(context->Status)) { context->Status = status; } return FALSE; } KphAtomicAssignObjectReference(&Process->InformerState.Atomic, state); KphDereferenceObject(state); return FALSE; } /** * \brief Sets informer settings for a process. * * \param[in] ProcessHandle Optional handle to the process to set settings of. * If not provided the settings are applied to all processes. * \param[in] Settings The settings to apply. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformerProcessSettings( _In_opt_ HANDLE ProcessHandle, _In_ PKPH_INFORMER_SETTINGS Settings, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS processObject; PKPH_PROCESS_CONTEXT processContext; PKPH_INFORMER_SETTINGS settings; KPH_SET_INFORMER_PROCESS_SETTINGS_CONTEXT context; KPH_PAGED_CODE_PASSIVE(); processObject = NULL; processContext = NULL; settings = KphAllocatePaged(sizeof(KPH_INFORMER_SETTINGS), KPH_TAG_INFORMER_SETTINGS); if (!settings) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate informer settings"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphCopyFromMode(settings, Settings, sizeof(KPH_INFORMER_SETTINGS), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } if (ProcessHandle) { status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &processObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); processObject = NULL; goto Exit; } processContext = KphGetEProcessContext(processObject); if (!processContext) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphGetEProcessContext return null."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } context.Status = STATUS_SUCCESS; context.Settings = settings; (VOID)KphpSetInformerProcessSettings(processContext, &context); status = context.Status; } else { context.Status = STATUS_SUCCESS; context.Settings = settings; KphEnumerateProcessContexts(KphpSetInformerProcessSettings, &context); status = context.Status; } Exit: if (processContext) { KphDereferenceObject(processContext); } if (processObject) { ObDereferenceObject(processObject); } if (settings) { KphFree(settings, KPH_TAG_INFORMER_SETTINGS); } return status; } /** * \brief Gets informer statistics. * * \param[in] ProcessHandle Optional handle to the process to get stats of. If * not provided the global stats are returned. * \param[out] Stats Receives the informer statistics. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetInformerStats( _In_opt_ HANDLE ProcessHandle, _Out_ PKPH_INFORMER_STATS Stats, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_INFORMER_STATE state; PEPROCESS processObject; PKPH_PROCESS_CONTEXT processContext; KPH_PAGED_CODE_PASSIVE(); state = NULL; processObject = NULL; processContext = NULL; status = KphZeroModeMemory(Stats, sizeof(KPH_INFORMER_STATS), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } if (ProcessHandle) { status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &processObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); processObject = NULL; goto Exit; } processContext = KphGetEProcessContext(processObject); if (!processContext) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphGetEProcessContext return null."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } state = KphAtomicReferenceObject(&processContext->InformerState.Atomic); if (!state) { status = STATUS_NOT_FOUND; goto Exit; } } else { state = KphAtomicReferenceObject(&KphpInformerState.Atomic); } NT_ASSERT(state); for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) { status = KphCopyToMode(&Stats->RateLimit[i].Policy, &state->RateLimit[i].Policy, sizeof(KPH_RATE_LIMIT_POLICY), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = KphWriteLong64ToMode(&Stats->RateLimit[i].Allowed, ReadNoFence64(&state->RateLimit[i].Allowed), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = KphWriteLong64ToMode(&Stats->RateLimit[i].Dropped, ReadNoFence64(&state->RateLimit[i].Dropped), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = KphWriteLong64ToMode(&Stats->RateLimit[i].CasMiss, ReadNoFence64(&state->RateLimit[i].CasMiss), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } } Exit: if (processContext) { KphDereferenceObject(processContext); } if (processObject) { ObDereferenceObject(processObject); } if (state) { KphDereferenceObject(state); } return status; } /** * \brief Cleans up informer infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupInformer( VOID ) { KPH_PAGED_CODE_PASSIVE(); KphAtomicAssignObjectReference(&KphpInformerState.Atomic, NULL); if (KphpInformerStateLookaside) { KphDereferenceObject(KphpInformerStateLookaside); } } /** * \brief Initialize the informer infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeInformer( VOID ) { NTSTATUS status; PKPH_INFORMER_STATE state; KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); state = NULL; status = KphCreateNPagedLookasideObject(&KphpInformerStateLookaside, KphAddObjectHeaderSize(sizeof(KPH_INFORMER_STATE)), KPH_TAG_INFORMER_STATE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCreatePagedLookasideObject failed: %!STATUS!", status); KphpInformerStateLookaside = NULL; goto Exit; } typeInfo.Allocate = KphpAllocateInformerState; typeInfo.Initialize = KphpInitializeInformerState; typeInfo.Delete = NULL; typeInfo.Free = KphpFreeInformerState; KphCreateObjectType(&KphpInformerStateTypeName, &typeInfo, &KphpInformerStateType); status = KphCreateObject(KphpInformerStateType, sizeof(KPH_INFORMER_STATE), &state, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCreateObject failed: %!STATUS!", status); state = NULL; goto Exit; } KphAtomicAssignObjectReference(&KphpInformerState.Atomic, state); Exit: if (state) { KphDereferenceObject(state); } return status; } ================================================ FILE: KSystemInformer/informer_debug.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include #include typedef struct _KPH_DBG_PRINT_SLOT { KDPC Dpc; LARGE_INTEGER TimeStamp; CLIENT_ID ContextClientId; ULONG ComponentId; ULONG Level; USHORT Length; CHAR Buffer[FIELD_SIZE(KPH_MESSAGE, _Dyn.Buffer)]; } KPH_DBG_PRINT_SLOT, *PKPH_DBG_PRINT_SLOT; static BOOLEAN KphpDbgPrintInitialized = FALSE; static KSPIN_LOCK KphpDbgPrintLock; static ULONG KphpDbgPrintSlotNext = 0; static ULONG KphpDbgPrintSlotCount = 0; static PKPH_DBG_PRINT_SLOT KphpDbgPrintSlots = NULL; /** * \brief Flushes the debug print slots to the communication port. */ _IRQL_requires_max_(DISPATCH_LEVEL) _IRQL_requires_min_(DISPATCH_LEVEL) _IRQL_requires_(DISPATCH_LEVEL) _Requires_lock_held_(KphpDbgPrintLock) VOID KphpDebugPrintFlush( VOID ) { KPH_NPAGED_CODE_DISPATCH(); for (ULONG i = 0; i < KphpDbgPrintSlotNext; i++) { NTSTATUS status; PKPH_PROCESS_CONTEXT process; BOOLEAN enabled; USHORT remaining; ANSI_STRING output; PKPH_MESSAGE msg; PKPH_DBG_PRINT_SLOT slot; slot = &KphpDbgPrintSlots[i]; process = KphGetProcessContext(slot->ContextClientId.UniqueProcess); enabled = KphInformerEnabled(DebugPrint, process); if (process) { KphDereferenceObjectDeferDelete(process); } if (!enabled) { continue; } msg = KphAllocateNPagedMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); continue; } KphMsgInit(msg, KphMsgDebugPrint); msg->Header.TimeStamp.QuadPart = slot->TimeStamp.QuadPart; msg->Kernel.DebugPrint.ContextClientId.UniqueProcess = slot->ContextClientId.UniqueProcess; msg->Kernel.DebugPrint.ContextClientId.UniqueThread = slot->ContextClientId.UniqueThread; msg->Kernel.DebugPrint.ComponentId = slot->ComponentId; msg->Kernel.DebugPrint.Level = slot->Level; remaining = KphMsgDynRemaining(msg); if (slot->Length > remaining) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Truncated debug print line"); } output.Length = min(slot->Length, remaining); output.MaximumLength = slot->Length; output.Buffer = slot->Buffer; status = KphMsgDynAddAnsiString(msg, KphMsgFieldOutput, &output); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddAnsiString failed: %!STATUS!", status); } KphCommsSendNPagedMessageAsync(msg); } KphpDbgPrintSlotNext = 0; } /** * \brief DPC routine for debug informer. * * \param Dpc Unused * \param DeferredContext Unused * \param SystemArgument1 Unused * \param SystemArgument2 Unused */ _Function_class_(KDEFERRED_ROUTINE) _IRQL_requires_max_(DISPATCH_LEVEL) _IRQL_requires_min_(DISPATCH_LEVEL) _IRQL_requires_(DISPATCH_LEVEL) _IRQL_requires_same_ VOID KphpDebugPrintDpc( _In_ PKDPC Dpc, _In_opt_ PVOID DeferredContext, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2 ) { KIRQL oldIrql; UNREFERENCED_PARAMETER(Dpc); UNREFERENCED_PARAMETER(DeferredContext); UNREFERENCED_PARAMETER(SystemArgument1); UNREFERENCED_PARAMETER(SystemArgument2); // // We use threaded DPCs so we could be invoked at passive or dispatch. // oldIrql = KeAcquireSpinLockForDpc(&KphpDbgPrintLock); KphpDebugPrintFlush(); KeReleaseSpinLockForDpc(&KphpDbgPrintLock, oldIrql); } /** * \brief Debug print callback. * * \param[in] Output Debug print string output. * \param[in] ComponentId Component ID printing to the debug output. * \param[in] Level Debug print level. */ _IRQL_always_function_min_(DISPATCH_LEVEL) VOID KphpDebugPrintCallback( _In_ PSTRING Output, _In_ ULONG ComponentId, _In_ ULONG Level ) { PKPH_DBG_PRINT_SLOT slot; KPH_NPAGED_CODE_DISPATCH_MIN(); slot = NULL; if (!Output->Buffer || (Output->Length == 0)) { return; } KeAcquireSpinLockAtDpcLevel(&KphpDbgPrintLock); if (KphpDbgPrintSlotNext >= KphpDbgPrintSlotCount) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Out of debug print slots!"); goto Exit; } slot = &KphpDbgPrintSlots[KphpDbgPrintSlotNext++]; KeQuerySystemTime(&slot->TimeStamp); slot->ContextClientId.UniqueProcess = PsGetCurrentProcessId(); slot->ContextClientId.UniqueThread = PsGetCurrentThreadId(); slot->ComponentId = ComponentId; slot->Level = Level; slot->Length = min(Output->Length, ARRAYSIZE(slot->Buffer)); RtlCopyMemory(slot->Buffer, Output->Buffer, slot->Length); if (Output->Length > ARRAYSIZE(slot->Buffer)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Truncated debug print line"); } Exit: KeReleaseSpinLockFromDpcLevel(&KphpDbgPrintLock); if (slot) { KeInsertQueueDpc(&slot->Dpc, NULL, NULL); } } /** * \brief Starts the debug informer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphDebugInformerStart( VOID ) { NTSTATUS status; ULONG count; KPH_NPAGED_CODE_PASSIVE(); NT_ASSERT(KphpDbgPrintSlotNext == 0); NT_ASSERT(!KphpDbgPrintInitialized); KeInitializeSpinLock(&KphpDbgPrintLock); count = (KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS) * 2); KphpDbgPrintSlots = KphAllocateNPaged((sizeof(KPH_DBG_PRINT_SLOT) * count), KPH_TAG_DBG_SLOTS); if (!KphpDbgPrintSlots) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate slots for debug print callback"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(KphpDbgPrintSlots, sizeof(KPH_DBG_PRINT_SLOT) * count); KphpDbgPrintSlotCount = count; for (ULONG i = 0; i < KphpDbgPrintSlotCount; i++) { KeInitializeThreadedDpc(&KphpDbgPrintSlots[i].Dpc, KphpDebugPrintDpc, NULL); } status = DbgSetDebugPrintCallback(KphpDebugPrintCallback, TRUE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register debug print callback: %!STATUS!", status); goto Exit; } status = STATUS_SUCCESS; KphpDbgPrintInitialized = TRUE; Exit: if (!NT_SUCCESS(status)) { NT_ASSERT(!KphpDbgPrintInitialized); KphpDbgPrintSlotCount = 0; if (KphpDbgPrintSlots) { KphFree(KphpDbgPrintSlots, KPH_TAG_DBG_SLOTS); KphpDbgPrintSlots = NULL; } } return status; } /** * \brief Stops the debug informer. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphDebugInformerStop( VOID ) { KIRQL oldIrql; KPH_NPAGED_CODE_PASSIVE(); if (!KphpDbgPrintInitialized) { return; } DbgSetDebugPrintCallback(KphpDebugPrintCallback, FALSE); for (ULONG i = 0; i < KphpDbgPrintSlotCount; i++) { KeRemoveQueueDpcEx(&KphpDbgPrintSlots[i].Dpc, TRUE); } KeAcquireSpinLock(&KphpDbgPrintLock, &oldIrql); KphpDebugPrintFlush(); KphpDbgPrintSlotCount = 0; KphFree(KphpDbgPrintSlots, KPH_TAG_DBG_SLOTS); KphpDbgPrintSlots = NULL; KeReleaseSpinLock(&KphpDbgPrintLock, oldIrql); KphpDbgPrintInitialized = FALSE; } ================================================ FILE: KSystemInformer/informer_file.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpDefaultInstaceName = RTL_CONSTANT_STRING(L"DefaultInstance"); static const UNICODE_STRING KphpAltitudeName = RTL_CONSTANT_STRING(L"Altitude"); static const UNICODE_STRING KphpFlagsName = RTL_CONSTANT_STRING(L"Flags"); static const DWORD KphpFlagsValue = 0; KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); PFLT_FILTER KphFltFilter = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Invoked when the mini-filter driver is asked to unload. * * \param[in] Flags Unused * * \return STATUS_SUCCESS */ _Function_class_(PFLT_FILTER_UNLOAD_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS FLTAPI KphpFltFilterUnloadCallback( _In_ FLT_FILTER_UNLOAD_FLAGS Flags ) { KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(Flags); KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Filter unload invoked"); if (KphIsDriverUnloadProtected()) { return STATUS_FLT_DO_NOT_DETACH; } return STATUS_SUCCESS; } /** * \brief Invoked when the mini-filter instance is asked to be removed. * * \param[in] FltObjects Unused * \param[in] Flags Unused * * \return STATUS_SUCCESS */ _Function_class_(PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS FLTAPI KphpFltInstanceQueryTeardownCallback( _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags ) { KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(FltObjects); UNREFERENCED_PARAMETER(Flags); KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Filter query teardown invoked"); if (KphIsDriverUnloadProtected()) { return STATUS_FLT_DO_NOT_DETACH; } return STATUS_SUCCESS; } KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const FLT_OPERATION_REGISTRATION KphpFltOperationRegistration[] = { { IRP_MJ_CREATE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_CREATE_NAMED_PIPE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_CLOSE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_READ, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_WRITE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_QUERY_INFORMATION, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_SET_INFORMATION, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_QUERY_EA, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_SET_EA, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_FLUSH_BUFFERS, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_QUERY_VOLUME_INFORMATION, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_SET_VOLUME_INFORMATION, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_DIRECTORY_CONTROL, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_FILE_SYSTEM_CONTROL, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_DEVICE_CONTROL, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_INTERNAL_DEVICE_CONTROL, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_SHUTDOWN, 0, KphpFltPreOp, NULL, 0 }, { IRP_MJ_LOCK_CONTROL, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_CLEANUP, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_CREATE_MAILSLOT, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_QUERY_SECURITY, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_SET_SECURITY, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_POWER, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_SYSTEM_CONTROL, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_DEVICE_CHANGE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_QUERY_QUOTA, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_SET_QUOTA, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_PNP, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_RELEASE_FOR_MOD_WRITE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_RELEASE_FOR_CC_FLUSH, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_QUERY_OPEN, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_NETWORK_QUERY_OPEN, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_MDL_READ, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_MDL_READ_COMPLETE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_PREPARE_MDL_WRITE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_MDL_WRITE_COMPLETE, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_VOLUME_MOUNT, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_VOLUME_DISMOUNT, 0, KphpFltPreOp, KphpFltPostOp, 0 }, { IRP_MJ_OPERATION_END } }; static const FLT_CONTEXT_REGISTRATION KphpFltContextRegistration[] = { { FLT_STREAMHANDLE_CONTEXT, 0, NULL, FLT_VARIABLE_SIZED_CONTEXTS, KPH_TAG_FLT_STREAMHANDLE_CONTEXT }, { FLT_CONTEXT_END } }; static const FLT_REGISTRATION KphpFltRegistration = { sizeof(FLT_REGISTRATION), FLT_REGISTRATION_VERSION, (FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS | FLTFL_REGISTRATION_SUPPORT_DAX_VOLUME | FLTFL_REGISTRATION_SUPPORT_WCOS), KphpFltContextRegistration, KphpFltOperationRegistration, KphpFltFilterUnloadCallback, NULL, KphpFltInstanceQueryTeardownCallback, NULL, NULL, NULL, NULL, NULL, NULL }; KPH_PROTECTED_DATA_SECTION_RO_POP(); /** * \brief Registers the driver with the mini-filter. * * \param[in] DriverObject Driver object of this driver. * \param[in] RegistryPath Registry path from the entry point. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphFltRegister( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; HANDLE instancesKeyHandle; HANDLE defaultInstanceKeyHandle; WCHAR instancesBuffer[MAX_PATH]; UNICODE_STRING keyName; BYTE objectInfoBuffer[MAX_PATH]; POBJECT_NAME_INFORMATION objectInfo; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(!KphFltFilter); instancesKeyHandle = NULL; defaultInstanceKeyHandle = NULL; objectInfo = (POBJECT_NAME_INFORMATION)objectInfoBuffer; status = ObQueryNameString(DriverObject, objectInfo, sizeof(objectInfoBuffer), &returnLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ObQueryNameString failed: %!STATUS!", status); goto Exit; } for (USHORT i = (objectInfo->Name.Length / sizeof(WCHAR)); i > 0; i--) { if (i == 1) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Driver object name is invalid"); status = STATUS_OBJECT_NAME_INVALID; goto Exit; } if (objectInfo->Name.Buffer[i - 1] == OBJ_NAME_PATH_SEPARATOR) { objectInfo->Name.Length -= (i * sizeof(WCHAR)); RtlMoveMemory(objectInfo->Name.Buffer, &objectInfo->Name.Buffer[i], objectInfo->Name.Length); break; } } // // We null terminate this for the registry later. // NT_ASSERT(objectInfo->Name.MaximumLength >= (objectInfo->Name.Length + sizeof(WCHAR))); objectInfo->Name.Buffer[objectInfo->Name.Length / sizeof(WCHAR)] = UNICODE_NULL; keyName.Buffer = instancesBuffer; keyName.Length = 0; keyName.MaximumLength = sizeof(instancesBuffer); status = RtlAppendUnicodeStringToString(&keyName, RegistryPath); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "RtlAppendUnicodeStringToString failed: %!STATUS!", status); goto Exit; } status = RtlAppendUnicodeToString(&keyName, L"\\Instances"); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "RtlAppendUnicodeToString failed: %!STATUS!", status); goto Exit; } InitializeObjectAttributes(&objectAttributes, &keyName, OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwCreateKey(&instancesKeyHandle, KEY_ALL_ACCESS, &objectAttributes, 0, NULL, 0, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ZwCreateKey failed: %!STATUS!", status); instancesKeyHandle = NULL; goto Exit; } // // We guarantee this above. // NT_ASSERT(objectInfo->Name.MaximumLength >= (objectInfo->Name.Length + sizeof(WCHAR))); NT_ASSERT(objectInfo->Name.Buffer[objectInfo->Name.Length / sizeof(WCHAR)] == UNICODE_NULL); status = ZwSetValueKey(instancesKeyHandle, (PUNICODE_STRING)&KphpDefaultInstaceName, 0, REG_SZ, objectInfo->Name.Buffer, objectInfo->Name.Length + sizeof(WCHAR)); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ZwSetValueKey failed: %!STATUS!", status); goto Exit; } status = RtlAppendUnicodeToString(&keyName, L"\\"); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "RtlAppendUnicodeToString failed: %!STATUS!", status); goto Exit; } status = RtlAppendUnicodeStringToString(&keyName, &objectInfo->Name); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "RtlAppendUnicodeStringToString failed: %!STATUS!", status); goto Exit; } InitializeObjectAttributes(&objectAttributes, &keyName, OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwCreateKey(&defaultInstanceKeyHandle, KEY_ALL_ACCESS, &objectAttributes, 0, NULL, 0, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ZwCreateKey failed: %!STATUS!", status); defaultInstanceKeyHandle = NULL; goto Exit; } NT_ASSERT(KphAltitude); NT_ASSERT(KphAltitude->MaximumLength >= (KphAltitude->Length + sizeof(WCHAR))); NT_ASSERT(KphAltitude->Buffer[KphAltitude->Length / sizeof(WCHAR)] == UNICODE_NULL); status = ZwSetValueKey(defaultInstanceKeyHandle, (PUNICODE_STRING)&KphpAltitudeName, 0, REG_SZ, KphAltitude->Buffer, KphAltitude->Length + sizeof(WCHAR)); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ZwSetValueKey failed: %!STATUS!", status); goto Exit; } status = ZwSetValueKey(defaultInstanceKeyHandle, (PUNICODE_STRING)&KphpFlagsName, 0, REG_DWORD, (PVOID)&KphpFlagsValue, sizeof(KphpFlagsValue)); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ZwSetValueKey failed: %!STATUS!", status); goto Exit; } status = FltRegisterFilter(DriverObject, &KphpFltRegistration, &KphFltFilter); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "FltRegisterFilter failed: %!STATUS!", status); KphFltFilter = NULL; goto Exit; } status = KphCommsStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphCommsStart failed: %!STATUS!", status); goto Exit; } status = STATUS_SUCCESS; Exit: if (instancesKeyHandle) { ObCloseHandle(instancesKeyHandle, KernelMode); } if (defaultInstanceKeyHandle) { ObCloseHandle(defaultInstanceKeyHandle, KernelMode); } return status; } /** * \brief Unregisters this driver with the mini-filter. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphFltUnregister( VOID ) { KPH_PAGED_CODE_PASSIVE(); KphCommsStop(); if (!KphFltFilter) { return; } FltUnregisterFilter(KphFltFilter); KphpFltCleanupFileNameCache(); KphpFltCleanupFileOp(); } /** * \brief Begins informing on file activity from the mini-filter. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphFltInformerStart( VOID ) { KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphFltFilter); KphpFltInitializeFileOp(); KphpFltInitializeFileNameCache(); return FltStartFiltering(KphFltFilter); } ================================================ FILE: KSystemInformer/informer_filenc.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include #include #include KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static UNICODE_STRING KphpCachedFileNameTypeName = RTL_CONSTANT_STRING(L"KphCachedFileName"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpCachedFileNameType = NULL; static BOOLEAN KphpFileNameCacheInitialized = FALSE; KPH_PROTECTED_DATA_SECTION_POP(); // // We use a simple list and spin lock here since we are very selective about // what we cache. The list is not expected to grow very large. // static ALIGNED_EX_SPINLOCK KphpFileNameCacheLock = 0; static LIST_ENTRY KphpFileNameCacheList; /** * \brief Retrieves file name information using the filter name cache. * * \param[in] Data The callback data for the operation. * \param[out] FltFileName Receives the file name. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetFileNameInformation( _In_ PFLT_CALLBACK_DATA Data, _Out_ PKPH_FLT_FILE_NAME FltFileName ) { NTSTATUS status; ULONG flags; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(Data->Iopb->TargetFileObject); flags = (FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP); status = FltGetFileNameInformation(Data, flags, &FltFileName->NameInfo); if (NT_SUCCESS(status)) { FltFileName->Type = KphFltFileNameTypeNameInfo; return status; } flags = (FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP); status = FltGetFileNameInformation(Data, flags, &FltFileName->NameInfo); if (NT_SUCCESS(status)) { FltFileName->Type = KphFltFileNameTypeNameInfo; } return status; } /** * \brief Retrieves the length of the file name from the related objects. * * \param[in] FltObjects The related objects for the operation. * * \return The length of the file name. */ _IRQL_requires_max_(APC_LEVEL) ULONG KphpFltNameCacheFileNameLength( _In_ PCFLT_RELATED_OBJECTS FltObjects ) { ULONG length; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->FileObject && FltObjects->Volume); NT_VERIFY(FltGetVolumeName(FltObjects->Volume, NULL, &length) == STATUS_BUFFER_TOO_SMALL); length += FltObjects->FileObject->FileName.Length; return length; } /** * \brief Copies the file name into the related objects. * * \param[in] FltObjects The related objects for the operation. * \param[in,out] FileName The file name to copy into. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltNameCacheCopyFileName( _In_ PCFLT_RELATED_OBJECTS FltObjects, _Inout_ PUNICODE_STRING FileName ) { PUNICODE_STRING fileName; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->FileObject && FltObjects->Volume); NT_VERIFY(NT_SUCCESS(FltGetVolumeName(FltObjects->Volume, FileName, NULL))); fileName = &FltObjects->FileObject->FileName; NT_VERIFY(NT_SUCCESS(RtlAppendUnicodeStringToString(FileName, fileName))); } /** * \brief Retrieves the file name, using the stream handle context as a cache. * * \param[in] FltObjects The related objects for the operation. * \param[out] FltFileName Receives the file name. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetFileNameUseContext( _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltFileName ) { NTSTATUS status; ULONG length; PFLT_CONTEXT oldContext; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->FileObject); // // Check if the context already exists. // status = FltGetStreamHandleContext(FltObjects->Instance, FltObjects->FileObject, &FltFileName->Context); if (NT_SUCCESS(status)) { FltFileName->Type = KphFltFileNameTypeContext; return status; } // // Try to create a new context. // length = KphpFltNameCacheFileNameLength(FltObjects); status = FltAllocateContext(FltObjects->Filter, FLT_STREAMHANDLE_CONTEXT, length + sizeof(UNICODE_STRING), NonPagedPoolNx, &FltFileName->Context); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "FltAllocateContext failed: %!STATUS!", status); FltFileName->Context = NULL; return status; } NT_ASSERT(FltFileName->Context == FltFileName->FileName); FltFileName->FileName->Length = 0; FltFileName->FileName->MaximumLength = (USHORT)length; FltFileName->FileName->Buffer = Add2Ptr(FltFileName->FileName, sizeof(UNICODE_STRING)); KphpFltNameCacheCopyFileName(FltObjects, FltFileName->FileName); // // Set the new context. // status = FltSetStreamHandleContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_KEEP_IF_EXISTS, FltFileName->Context, &oldContext); if (NT_SUCCESS(status)) { FltFileName->Type = KphFltFileNameTypeContext; return status; } // // We raced and lost, or failed for some other reason. // FltReleaseContext(FltFileName->Context); FltFileName->Context = NULL; if (status == STATUS_FLT_CONTEXT_ALREADY_DEFINED) { // // Return the existing context. // FltFileName->Type = KphFltFileNameTypeContext; FltFileName->Context = oldContext; return STATUS_SUCCESS; } // // This is unexpected, we could do more juggling, but instead choose to // just give up. // KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "FltSetStreamHandleContext failed: %!STATUS!", status); return status; } /** * \brief Retrieves the file name, using the global name cache. * * \param[in] FltObjects The related objects for the operation. * \param[out] FltFileName Receives the file name. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetFileNameUseNameCache( _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltFileName ) { NTSTATUS status; KIRQL previousIrql; ULONG length; PKPH_FLT_FILE_NAME_CACHE_ENTRY cacheEntry; PKPH_FLT_FILE_NAME_CACHE_ENTRY existingCacheEntry; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->FileObject); // // Check if the file object is already in the cache. // cacheEntry = NULL; previousIrql = ExAcquireSpinLockShared(&KphpFileNameCacheLock); for (PLIST_ENTRY entry = KphpFileNameCacheList.Flink; entry != &KphpFileNameCacheList; entry = entry->Flink) { cacheEntry = CONTAINING_RECORD(entry, KPH_FLT_FILE_NAME_CACHE_ENTRY, ListEntry); if (FltObjects->FileObject == cacheEntry->FileObject) { KphReferenceObject(cacheEntry); break; } cacheEntry = NULL; } ExReleaseSpinLockShared(&KphpFileNameCacheLock, previousIrql); if (cacheEntry) { // // Return a reference (taken above) to the existing cached entry. // FltFileName->NameCache = cacheEntry; FltFileName->Type = KphFltFileNameTypeNameCache; return STATUS_SUCCESS; } // // Try to create new entry and insert it into the cache. // length = KphpFltNameCacheFileNameLength(FltObjects); status = KphCreateObject(KphpCachedFileNameType, length + sizeof(KPH_FLT_FILE_NAME_CACHE_ENTRY), &cacheEntry, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphCreateObject failed: %!STATUS!", status); return status; } cacheEntry->FileObject = FltObjects->FileObject; cacheEntry->FileName.Length = 0; cacheEntry->FileName.MaximumLength = (USHORT)length; cacheEntry->FileName.Buffer = Add2Ptr(cacheEntry, sizeof(KPH_FLT_FILE_NAME_CACHE_ENTRY)); KphpFltNameCacheCopyFileName(FltObjects, &cacheEntry->FileName); // // Insert it into the cache, and check if we've raced. // existingCacheEntry = NULL; previousIrql = ExAcquireSpinLockExclusive(&KphpFileNameCacheLock); for (PLIST_ENTRY entry = KphpFileNameCacheList.Flink; entry != &KphpFileNameCacheList; entry = entry->Flink) { existingCacheEntry = CONTAINING_RECORD(entry, KPH_FLT_FILE_NAME_CACHE_ENTRY, ListEntry); if (cacheEntry->FileObject == existingCacheEntry->FileObject) { KphReferenceObject(existingCacheEntry); break; } existingCacheEntry = NULL; } if (!existingCacheEntry) { // // Insert the new entry (with a reference) in the list. // KphReferenceObject(cacheEntry); InsertHeadList(&KphpFileNameCacheList, &cacheEntry->ListEntry); } ExReleaseSpinLockExclusive(&KphpFileNameCacheLock, previousIrql); if (existingCacheEntry) { // // Return the existing cached entry reference (taken above) to the // caller, and drop the one we just created. // FltFileName->NameCache = existingCacheEntry; KphDereferenceObject(cacheEntry); } else { // // New entry inserted into the cache // FltFileName->NameCache = cacheEntry; } FltFileName->Type = KphFltFileNameTypeNameCache; return STATUS_SUCCESS; } /** * \brief Retrieves the file name, by copying it from the related objects. * * \param[in] FltObjects The related objects for the operation. * \param[out] FltFileName Receives the file name. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetFileNameCopy( _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltFileName ) { ULONG length; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->Volume); NT_ASSERT(FltObjects->FileObject); length = KphpFltNameCacheFileNameLength(FltObjects); FltFileName->FileName = KphAllocateNPaged(length + sizeof(UNICODE_STRING), KPH_TAG_FLT_FILE_NAME); if (!FltFileName->FileName) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate file name."); return STATUS_INSUFFICIENT_RESOURCES; } FltFileName->FileName->Length = 0; FltFileName->FileName->MaximumLength = (USHORT)length; FltFileName->FileName->Buffer = Add2Ptr(FltFileName->FileName, sizeof(UNICODE_STRING)); KphpFltNameCacheCopyFileName(FltObjects, FltFileName->FileName); FltFileName->Type = KphFltFileNameTypeFileName; return STATUS_SUCCESS; } /** * \brief Retrieves the volume name, by copying it from the related objects. * * \param[in] FltObjects The related objects for the operation. * \param[out] FltFileName Receives the file name. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetVolumeName( _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltFileName ) { ULONG length; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); if (!FltObjects->Volume) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Volume is null"); return STATUS_OBJECT_NAME_NOT_FOUND; } (VOID)FltGetVolumeName(FltObjects->Volume, NULL, &length); FltFileName->FileName = KphAllocateNPaged(length + sizeof(UNICODE_STRING), KPH_TAG_FLT_FILE_NAME); if (!FltFileName->FileName) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate file name."); return STATUS_INSUFFICIENT_RESOURCES; } FltFileName->FileName->Length = 0; FltFileName->FileName->MaximumLength = (USHORT)length; FltFileName->FileName->Buffer = Add2Ptr(FltFileName->FileName, sizeof(UNICODE_STRING)); (VOID)FltGetVolumeName(FltObjects->Volume, FltFileName->FileName, NULL); FltFileName->Type = KphFltFileNameTypeFileName; return STATUS_SUCCESS; } /** * \brief Retrieves the file name for the given callback data. * * \param[in] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. * \param[out] FltFileName Receives the file name, must be related using * KphpFltReleaseFileName. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetFileName( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltFileName ) { NTSTATUS status; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->FileObject == Data->Iopb->TargetFileObject); KphpFltZeroFileName(FltFileName); if (!FltObjects->FileObject) { if ((Data->Iopb->MajorFunction == IRP_MJ_VOLUME_MOUNT) || (Data->Iopb->MajorFunction == IRP_MJ_VOLUME_DISMOUNT)) { return KphpFltGetVolumeName(FltObjects, FltFileName); } KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "FileObject is null"); return STATUS_OBJECT_NAME_NOT_FOUND; } status = KphpFltGetFileNameInformation(Data, FltFileName); if (NT_SUCCESS(status)) { return status; } if (!FltObjects->Volume) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Volume is null"); return STATUS_OBJECT_NAME_NOT_FOUND; } if (FltSupportsStreamHandleContexts(FltObjects->FileObject)) { status = KphpFltGetFileNameUseContext(FltObjects, FltFileName); } else if (FsRtlIsPagingFile(FltObjects->FileObject)) { status = KphpFltGetFileNameUseNameCache(FltObjects, FltFileName); } else { status = KphpFltGetFileNameCopy(FltObjects, FltFileName); } return status; } /** * \brief Retrieves destination file name information using the filter name * cache. * * \param[in] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. * \param[out] FltFileName Receives the destination file name. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetDestinationFileNameInformation( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltDestFileName ) { NTSTATUS status; HANDLE rootDirectory; PWSTR fileName; ULONG fileNameLength; ULONG flags; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->FileObject); if (Data->Iopb->MajorFunction != IRP_MJ_SET_INFORMATION) { NT_ASSERT(Data->Iopb->MinorFunction == IRP_MJ_SET_INFORMATION); return STATUS_INVALID_PARAMETER; } switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) { case FileRenameInformation: case FileRenameInformationBypassAccessCheck: case FileRenameInformationEx: case FileRenameInformationExBypassAccessCheck: { PFILE_RENAME_INFORMATION renameInfo; renameInfo = Data->Iopb->Parameters.SetFileInformation.InfoBuffer; rootDirectory = renameInfo->RootDirectory; fileName = renameInfo->FileName; fileNameLength = renameInfo->FileNameLength; break; } case FileLinkInformation: case FileLinkInformationBypassAccessCheck: case FileLinkInformationEx: case FileLinkInformationExBypassAccessCheck: { PFILE_LINK_INFORMATION linkInfo; linkInfo = Data->Iopb->Parameters.SetFileInformation.InfoBuffer; rootDirectory = linkInfo->RootDirectory; fileName = linkInfo->FileName; fileNameLength = linkInfo->FileNameLength; break; } default: { NT_ASSERT(FALSE); return STATUS_INVALID_PARAMETER; } } flags = (FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP); status = FltGetDestinationFileNameInformation(FltObjects->Instance, FltObjects->FileObject, rootDirectory, fileName, fileNameLength, flags, &FltDestFileName->NameInfo); if (NT_SUCCESS(status)) { FltDestFileName->Type = KphFltFileNameTypeNameInfo; return status; } flags = (FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP); status = FltGetDestinationFileNameInformation(FltObjects->Instance, FltObjects->FileObject, rootDirectory, fileName, fileNameLength, flags, &FltDestFileName->NameInfo); if (NT_SUCCESS(status)) { FltDestFileName->Type = KphFltFileNameTypeNameInfo; } return status; } /** * \brief Retrieves the destination file name for the given callback data. * * \param[in] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. * \param[out] FltFileName Receives the destination file name, must be related * using KphpFltReleaseFileName. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltGetDestFileName( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Out_ PKPH_FLT_FILE_NAME FltDestFileName ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FltObjects->FileObject == Data->Iopb->TargetFileObject); KphpFltZeroFileName(FltDestFileName); if (!FltObjects->FileObject) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "FileObject is null"); return STATUS_OBJECT_NAME_NOT_FOUND; } return KphpFltGetDestinationFileNameInformation(Data, FltObjects, FltDestFileName); } /** * \brief Releases the file name. * * \param[in] FltFileName The file name to release. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltReleaseFileName( _In_ PKPH_FLT_FILE_NAME FltFileName ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); switch (FltFileName->Type) { case KphFltFileNameTypeNameInfo: { NT_ASSERT(FltFileName->NameInfo); FltReleaseFileNameInformation(FltFileName->NameInfo); break; } case KphFltFileNameTypeContext: { NT_ASSERT(FltFileName->Context); FltReleaseContext(FltFileName->Context); break; } case KphFltFileNameTypeFileName: { NT_ASSERT(FltFileName->FileName); KphFree(FltFileName->FileName, KPH_TAG_FLT_FILE_NAME); break; } case KphFltFileNameTypeNameCache: { NT_ASSERT(FltFileName->NameCache); KphDereferenceObject(FltFileName->NameCache); break; } case KphFltFileNameTypeNone: default: { // // This is a union, assert is only needed once. // NT_ASSERT(!FltFileName->NameInfo); break; } } } /** * \brief Reaps the file name cache entry for the given callback data. * * \details A global name cache is used in limited cases to cache the file name * for a given file object. In order to cleanly reap information from the cache * this must be called in the post operation callback for IRP_MJ_CLOSE. * * \param[in] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpFltReapFileNameCache( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects ) { KIRQL previosIrql; PKPH_FLT_FILE_NAME_CACHE_ENTRY cacheEntry; KPH_NPAGED_CODE_DISPATCH_MAX(); NT_ASSERT(FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)); NT_ASSERT(Data->Iopb->MajorFunction == IRP_MJ_CLOSE); DBG_UNREFERENCED_PARAMETER(Data); cacheEntry = NULL; previosIrql = ExAcquireSpinLockExclusive(&KphpFileNameCacheLock); for (PLIST_ENTRY entry = KphpFileNameCacheList.Flink; entry != &KphpFileNameCacheList; entry = entry->Flink) { cacheEntry = CONTAINING_RECORD(entry, KPH_FLT_FILE_NAME_CACHE_ENTRY, ListEntry); if (cacheEntry->FileObject == FltObjects->FileObject) { RemoveEntryList(&cacheEntry->ListEntry); break; } cacheEntry = NULL; } ExReleaseSpinLockExclusive(&KphpFileNameCacheLock, previosIrql); if (cacheEntry) { KphDereferenceObject(cacheEntry); } } /** * \brief Allocates a cached file name object. * * \param[in] Size The size of the object to allocate. * * \return The allocated object, or NULL on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpFltAllocateCachedFileName( _In_ SIZE_T Size ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); return KphAllocateNPaged(Size, KPH_TAG_FLT_CACHED_FILE_NAME); } /** * \brief Frees a cached file name object. * * \param[in] Object The object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) VOID KSIAPI KphpFltFreeCachedFileName( _In_freesMem_ PVOID Object ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); KphFree(Object, KPH_TAG_FLT_CACHED_FILE_NAME); } KPH_PAGED_FILE(); /** * \brief Cleans up the file name cache. * * \details A global name cache is used in limited cases to cache the file name * for a given file object. This must be called after the filter stops * filtering. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltCleanupFileNameCache( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (!KphpFileNameCacheInitialized) { return; } while (!IsListEmpty(&KphpFileNameCacheList)) { PKPH_FLT_FILE_NAME_CACHE_ENTRY cacheEntry; cacheEntry = CONTAINING_RECORD(RemoveHeadList(&KphpFileNameCacheList), KPH_FLT_FILE_NAME_CACHE_ENTRY, ListEntry); KphDereferenceObject(cacheEntry); } } /** * \brief Initializes the file name cache. * * \details A global name cache is used in limited cases to cache the file name * for a given file object. This must be called before the filter is begins * filtering. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltInitializeFileNameCache( VOID ) { KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); InitializeListHead(&KphpFileNameCacheList); typeInfo.Allocate = KphpFltAllocateCachedFileName; typeInfo.Initialize = NULL; typeInfo.Delete = NULL; typeInfo.Free = KphpFltFreeCachedFileName; typeInfo.Flags = 0; KphCreateObjectType(&KphpCachedFileNameTypeName, &typeInfo, &KphpCachedFileNameType); KphpFileNameCacheInitialized = TRUE; } ================================================ FILE: KSystemInformer/informer_fileop.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include #include #include #include #include #include typedef union _KPH_FLT_OPTIONS { USHORT Flags; struct { USHORT PreEnabled : 1; USHORT PostEnabled : 1; USHORT EnableStackTraces : 1; USHORT EnablePostFileNames : 1; USHORT EnablePagingIo : 1; USHORT EnableSyncPagingIo : 1; USHORT EnableIoControlBuffers : 1; USHORT EnableFsControlBuffers : 1; USHORT EnableDirControlBuffers : 1; USHORT EnablePreCreateReply : 1; USHORT EnablePostCreateReply : 1; USHORT Spare : 5; }; } KPH_FLT_OPTIONS, *PKPH_FLT_OPTIONS; typedef struct _KPH_FLT_COMPLETION_CONTEXT { PKPH_MESSAGE Message; KPH_FLT_OPTIONS Options; PFLT_FILE_NAME_INFORMATION FileNameInfo; PFLT_FILE_NAME_INFORMATION DestFileNameInfo; } KPH_FLT_COMPLETION_CONTEXT, *PKPH_FLT_COMPLETION_CONTEXT; static ULONG64 KphpFltSequence = 0; static BOOLEAN KphpFltOpInitialized = FALSE; static NPAGED_LOOKASIDE_LIST KphpFltCompletionContextLookaside = { 0 }; /** * \brief Gets the options for the filter. * * \param[in] Data The callback data for the operation. * * \return Options for the filter. */ _IRQL_requires_max_(APC_LEVEL) KPH_FLT_OPTIONS KphpFltGetOptions( _In_ PFLT_CALLBACK_DATA Data ) { KPH_FLT_OPTIONS options; PKPH_PROCESS_CONTEXT process; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); options.Flags = 0; if (Data->Thread) { process = KphGetEProcessContext(PsGetThreadProcess(Data->Thread)); } else { process = KphGetSystemProcessContext(); } #define KPH_FLT_SETTING(majorFunction, name) \ case majorFunction: \ { \ if (KphInformerEnabled(FilePre##name, process)) \ { \ options.PreEnabled = TRUE; \ } \ if (KphInformerEnabled(FilePost##name, process)) \ { \ options.PostEnabled = TRUE; \ } \ break; \ } switch (Data->Iopb->MajorFunction) { KPH_FLT_SETTING(IRP_MJ_CREATE, Create) KPH_FLT_SETTING(IRP_MJ_CREATE_NAMED_PIPE, CreateNamedPipe) KPH_FLT_SETTING(IRP_MJ_CLOSE, Close) KPH_FLT_SETTING(IRP_MJ_READ, Read) KPH_FLT_SETTING(IRP_MJ_WRITE, Write) KPH_FLT_SETTING(IRP_MJ_QUERY_INFORMATION, QueryInformation) KPH_FLT_SETTING(IRP_MJ_SET_INFORMATION, SetInformation) KPH_FLT_SETTING(IRP_MJ_QUERY_EA, QueryEa) KPH_FLT_SETTING(IRP_MJ_SET_EA, SetEa) KPH_FLT_SETTING(IRP_MJ_FLUSH_BUFFERS, FlushBuffers) KPH_FLT_SETTING(IRP_MJ_QUERY_VOLUME_INFORMATION, QueryVolumeInformation) KPH_FLT_SETTING(IRP_MJ_SET_VOLUME_INFORMATION, SetVolumeInformation) KPH_FLT_SETTING(IRP_MJ_DIRECTORY_CONTROL, DirectoryControl) KPH_FLT_SETTING(IRP_MJ_FILE_SYSTEM_CONTROL, FileSystemControl) KPH_FLT_SETTING(IRP_MJ_DEVICE_CONTROL, DeviceControl) KPH_FLT_SETTING(IRP_MJ_INTERNAL_DEVICE_CONTROL, InternalDeviceControl) KPH_FLT_SETTING(IRP_MJ_SHUTDOWN, Shutdown) KPH_FLT_SETTING(IRP_MJ_LOCK_CONTROL, LockControl) KPH_FLT_SETTING(IRP_MJ_CLEANUP, Cleanup) KPH_FLT_SETTING(IRP_MJ_CREATE_MAILSLOT, CreateMailslot) KPH_FLT_SETTING(IRP_MJ_QUERY_SECURITY, QuerySecurity) KPH_FLT_SETTING(IRP_MJ_SET_SECURITY, SetSecurity) KPH_FLT_SETTING(IRP_MJ_POWER, Power) KPH_FLT_SETTING(IRP_MJ_SYSTEM_CONTROL, SystemControl) KPH_FLT_SETTING(IRP_MJ_DEVICE_CHANGE, DeviceChange) KPH_FLT_SETTING(IRP_MJ_QUERY_QUOTA, QueryQuota) KPH_FLT_SETTING(IRP_MJ_SET_QUOTA, SetQuota) KPH_FLT_SETTING(IRP_MJ_PNP, Pnp) KPH_FLT_SETTING(IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, AcquireForSectionSync) KPH_FLT_SETTING(IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, ReleaseForSectionSync) KPH_FLT_SETTING(IRP_MJ_ACQUIRE_FOR_MOD_WRITE, AcquireForModWrite) KPH_FLT_SETTING(IRP_MJ_RELEASE_FOR_MOD_WRITE, ReleaseForModWrite) KPH_FLT_SETTING(IRP_MJ_ACQUIRE_FOR_CC_FLUSH, AcquireForCcFlush) KPH_FLT_SETTING(IRP_MJ_RELEASE_FOR_CC_FLUSH, ReleaseForCcFlush) KPH_FLT_SETTING(IRP_MJ_QUERY_OPEN, QueryOpen) KPH_FLT_SETTING(IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, FastIoCheckIfPossible) KPH_FLT_SETTING(IRP_MJ_NETWORK_QUERY_OPEN, NetworkQueryOpen) KPH_FLT_SETTING(IRP_MJ_MDL_READ, MdlRead) KPH_FLT_SETTING(IRP_MJ_MDL_READ_COMPLETE, MdlReadComplete) KPH_FLT_SETTING(IRP_MJ_PREPARE_MDL_WRITE, PrepareMdlWrite) KPH_FLT_SETTING(IRP_MJ_MDL_WRITE_COMPLETE, MdlWriteComplete) KPH_FLT_SETTING(IRP_MJ_VOLUME_MOUNT, VolumeMount) KPH_FLT_SETTING(IRP_MJ_VOLUME_DISMOUNT, VolumeDismount) DEFAULT_UNREACHABLE; } if (options.PreEnabled || options.PostEnabled) { KPH_INFORMER_OPTIONS opts; opts = KphInformerOpts(process); options.EnableStackTraces = !!opts.EnableStackTraces; options.EnablePostFileNames = !!opts.FileEnablePostFileNames; options.EnablePagingIo = !!opts.FileEnablePagingIo; options.EnableSyncPagingIo = !!opts.FileEnableSyncPagingIo; options.EnableIoControlBuffers = !!opts.FileEnableIoControlBuffers; options.EnableFsControlBuffers = !!opts.FileEnableFsControlBuffers; options.EnableDirControlBuffers = !!opts.FileEnableDirControlBuffers; options.EnablePreCreateReply = !!opts.FileEnablePreCreateReply; options.EnablePostCreateReply = !!opts.FileEnablePostCreateReply; } if (process) { KphDereferenceObject(process); } return options; } /** * \brief Retrieves the message ID for a given operation. * * \param[in] MajorFunction The major function of the operation. * \param[in] PostOperation Denotes if this is a pre or post operation message. * * \return The message ID for the operation. */ _IRQL_requires_max_(DISPATCH_LEVEL) KPH_MESSAGE_ID KphpFltGetMessageId( _In_ UCHAR MajorFunction, _In_ BOOLEAN PostOperation ) { KPH_MESSAGE_ID messageId; KPH_NPAGED_CODE_DISPATCH_MAX(); #define KPH_FLT_MESSAGE_ID(majorFunction, name) \ case majorFunction: \ { \ if (PostOperation) \ { \ messageId = KphMsgFilePost##name; \ } \ else \ { \ messageId = KphMsgFilePre##name; \ } \ break; \ } switch (MajorFunction) { KPH_FLT_MESSAGE_ID(IRP_MJ_CREATE, Create) KPH_FLT_MESSAGE_ID(IRP_MJ_CREATE_NAMED_PIPE, CreateNamedPipe) KPH_FLT_MESSAGE_ID(IRP_MJ_CLOSE, Close) KPH_FLT_MESSAGE_ID(IRP_MJ_READ, Read) KPH_FLT_MESSAGE_ID(IRP_MJ_WRITE, Write) KPH_FLT_MESSAGE_ID(IRP_MJ_QUERY_INFORMATION, QueryInformation) KPH_FLT_MESSAGE_ID(IRP_MJ_SET_INFORMATION, SetInformation) KPH_FLT_MESSAGE_ID(IRP_MJ_QUERY_EA, QueryEa) KPH_FLT_MESSAGE_ID(IRP_MJ_SET_EA, SetEa) KPH_FLT_MESSAGE_ID(IRP_MJ_FLUSH_BUFFERS, FlushBuffers) KPH_FLT_MESSAGE_ID(IRP_MJ_QUERY_VOLUME_INFORMATION, QueryVolumeInformation) KPH_FLT_MESSAGE_ID(IRP_MJ_SET_VOLUME_INFORMATION, SetVolumeInformation) KPH_FLT_MESSAGE_ID(IRP_MJ_DIRECTORY_CONTROL, DirectoryControl) KPH_FLT_MESSAGE_ID(IRP_MJ_FILE_SYSTEM_CONTROL, FileSystemControl) KPH_FLT_MESSAGE_ID(IRP_MJ_DEVICE_CONTROL, DeviceControl) KPH_FLT_MESSAGE_ID(IRP_MJ_INTERNAL_DEVICE_CONTROL, InternalDeviceControl) KPH_FLT_MESSAGE_ID(IRP_MJ_SHUTDOWN, Shutdown) KPH_FLT_MESSAGE_ID(IRP_MJ_LOCK_CONTROL, LockControl) KPH_FLT_MESSAGE_ID(IRP_MJ_CLEANUP, Cleanup) KPH_FLT_MESSAGE_ID(IRP_MJ_CREATE_MAILSLOT, CreateMailslot) KPH_FLT_MESSAGE_ID(IRP_MJ_QUERY_SECURITY, QuerySecurity) KPH_FLT_MESSAGE_ID(IRP_MJ_SET_SECURITY, SetSecurity) KPH_FLT_MESSAGE_ID(IRP_MJ_POWER, Power) KPH_FLT_MESSAGE_ID(IRP_MJ_SYSTEM_CONTROL, SystemControl) KPH_FLT_MESSAGE_ID(IRP_MJ_DEVICE_CHANGE, DeviceChange) KPH_FLT_MESSAGE_ID(IRP_MJ_QUERY_QUOTA, QueryQuota) KPH_FLT_MESSAGE_ID(IRP_MJ_SET_QUOTA, SetQuota) KPH_FLT_MESSAGE_ID(IRP_MJ_PNP, Pnp) KPH_FLT_MESSAGE_ID(IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, AcquireForSectionSync) KPH_FLT_MESSAGE_ID(IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, ReleaseForSectionSync) KPH_FLT_MESSAGE_ID(IRP_MJ_ACQUIRE_FOR_MOD_WRITE, AcquireForModWrite) KPH_FLT_MESSAGE_ID(IRP_MJ_RELEASE_FOR_MOD_WRITE, ReleaseForModWrite) KPH_FLT_MESSAGE_ID(IRP_MJ_ACQUIRE_FOR_CC_FLUSH, AcquireForCcFlush) KPH_FLT_MESSAGE_ID(IRP_MJ_RELEASE_FOR_CC_FLUSH, ReleaseForCcFlush) KPH_FLT_MESSAGE_ID(IRP_MJ_QUERY_OPEN, QueryOpen) KPH_FLT_MESSAGE_ID(IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, FastIoCheckIfPossible) KPH_FLT_MESSAGE_ID(IRP_MJ_NETWORK_QUERY_OPEN, NetworkQueryOpen) KPH_FLT_MESSAGE_ID(IRP_MJ_MDL_READ, MdlRead) KPH_FLT_MESSAGE_ID(IRP_MJ_MDL_READ_COMPLETE, MdlReadComplete) KPH_FLT_MESSAGE_ID(IRP_MJ_PREPARE_MDL_WRITE, PrepareMdlWrite) KPH_FLT_MESSAGE_ID(IRP_MJ_MDL_WRITE_COMPLETE, MdlWriteComplete) KPH_FLT_MESSAGE_ID(IRP_MJ_VOLUME_MOUNT, VolumeMount) KPH_FLT_MESSAGE_ID(IRP_MJ_VOLUME_DISMOUNT, VolumeDismount) DEFAULT_UNREACHABLE; } return messageId; } /** * \brief Initializes a message for a file operation. * * \param[in,out] Message The message to initialize. * \param[in] FltObjects The filter objects for the operation. * \param[in] MajorFunction The major function of the operation. * \param[in] PostOperation Denotes if this is a pre or post operation message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltInitMessage( _Inout_ PKPH_MESSAGE Message, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ UCHAR MajorFunction, _In_ BOOLEAN PostOperation ) { ULONG_PTR stackLowLimit; ULONG_PTR stackHighLimit; POPLOCK_KEY_CONTEXT oplockKeyContext; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); KphMsgInit(Message, KphpFltGetMessageId(MajorFunction, PostOperation)); Message->Kernel.File.TransactionContext = FltObjects->TransactionContext; Message->Kernel.File.Volume = FltObjects->Volume; Message->Kernel.File.FileObject = FltObjects->FileObject; Message->Kernel.File.Transaction = FltObjects->Transaction; if (!FltObjects->FileObject) { return; } if (FltObjects->FileObject->SectionObjectPointer) { PSECTION_OBJECT_POINTERS sectionPointers; sectionPointers = FltObjects->FileObject->SectionObjectPointer; Message->Kernel.File.DataSectionObject = sectionPointers->DataSectionObject; Message->Kernel.File.ImageSectionObject = sectionPointers->ImageSectionObject; } if (FsRtlIsPagingFile(FltObjects->FileObject)) { Message->Kernel.File.IsPagingFile = TRUE; } if (FsRtlIsSystemPagingFile(FltObjects->FileObject)) { Message->Kernel.File.IsSystemPagingFile = TRUE; } if (IoIsFileOriginRemote(FltObjects->FileObject)) { Message->Kernel.File.OriginRemote = TRUE; } if (IoIsFileObjectIgnoringSharing(FltObjects->FileObject)) { Message->Kernel.File.IgnoringSharing = TRUE; } IoGetStackLimits(&stackLowLimit, &stackHighLimit); if (((ULONG_PTR)FltObjects->FileObject >= stackLowLimit) && ((ULONG_PTR)FltObjects->FileObject <= stackHighLimit)) { Message->Kernel.File.InStackFileObject = TRUE; } Message->Kernel.File.LockOperation = (FltObjects->FileObject->LockOperation != FALSE); Message->Kernel.File.ReadAccess = (FltObjects->FileObject->ReadAccess != FALSE); Message->Kernel.File.WriteAccess = (FltObjects->FileObject->WriteAccess != FALSE); Message->Kernel.File.DeleteAccess = (FltObjects->FileObject->DeleteAccess != FALSE); Message->Kernel.File.SharedRead = (FltObjects->FileObject->SharedRead != FALSE); Message->Kernel.File.SharedWrite = (FltObjects->FileObject->SharedWrite != FALSE); Message->Kernel.File.SharedDelete = (FltObjects->FileObject->SharedDelete != FALSE); oplockKeyContext = IoGetOplockKeyContextEx(FltObjects->FileObject); if (oplockKeyContext) { RtlCopyMemory(&Message->Kernel.File.OplockKeyContext, oplockKeyContext, sizeof(OPLOCK_KEY_CONTEXT)); } if (KphDynIoCheckFileObjectOpenedAsCopySource && KphDynIoCheckFileObjectOpenedAsCopySource(FltObjects->FileObject)) { Message->Kernel.File.OpenedAsCopySource = TRUE; } if (KphDynIoCheckFileObjectOpenedAsCopyDestination && KphDynIoCheckFileObjectOpenedAsCopyDestination(FltObjects->FileObject)) { Message->Kernel.File.OpenedAsCopyDestination = TRUE; } } /** * \brief Copies a file name into a message. * * \param[in,out] Message The message to copy the file name into. * \param[in] FieldId The field to copy the file name into. * \param[in] FltFileName The file name information to copy. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltCopyFileName( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PKPH_FLT_FILE_NAME FltFileName ) { NTSTATUS status; PUNICODE_STRING string; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); switch (FltFileName->Type) { case KphFltFileNameTypeNameInfo: { string = &FltFileName->NameInfo->Name; break; } case KphFltFileNameTypeContext: { // // N.B. PFLT_CONTEXT stores a PUNICODE_STRING, this is a union so // fall through and use the FileName field. // NT_ASSERT(FltFileName->Context == FltFileName->FileName); __fallthrough; } case KphFltFileNameTypeFileName: { string = FltFileName->FileName; break; } case KphFltFileNameTypeNameCache: { string = &FltFileName->NameCache->FileName; break; } default: { return; } } status = KphMsgDynAddUnicodeString(Message, FieldId, string); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } } /** * \brief Copies a file system buffer into a message. * * \details This function handles various buffers from the file system filter * to capture and copy information into the message. This function is overall * best effort. It can truncate buffers to fit into the message. * * \param[in,out] Message The message to copy the buffer into. * \param[in] Data The callback data for the operation. * \param[in] FieldId The field to copy the buffer into. Optional if DestBuffer * is non-NULL. Certain Unicode string fields are special cased to be copied as * a Unicode string instead of a sized buffer. * \param[in] SystemBuffer Denotes if the buffer is a system buffer. If TRUE * this function assumes the buffer doesn't need to be probed and locked. In * some cases the filter parameters are known to be a system buffer, such as * METHOD_BUFFERED. * \param[out] DestBuffer Optional destination buffer to copy into, if NULL the * data will be copied into the dynamic message buffer for FieldId. * \param[in] DestLength The length of the destination buffer. * \param[in] Mdl Optional memory descriptor list which the buffer will be * copied from instead, if non-NULL the MDL is used instead of any provided * input buffer. * \param[in] Buffer Optional buffer to copy from, if NULL and the Mdl is NULL * this function will do nothing. * \param[in] Length The length to copy. * \param[in] Truncate If TRUE the buffer will be truncated to fit into the * message, otherwise the buffer copy may fail. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltCopyBuffer( _Inout_ PKPH_MESSAGE Message, _In_ PFLT_CALLBACK_DATA Data, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ BOOLEAN SystemBuffer, _Out_writes_bytes_to_opt_(DestLength, Length) PVOID DestBuffer, _In_ ULONG DestLength, _In_opt_ PMDL Mdl, _In_opt_ PVOID Buffer, _In_ ULONG Length, _In_ BOOLEAN Truncate ) { NTSTATUS status; PVOID buffer; PMDL mdl; BOOLEAN unlockPages; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); mdl = NULL; unlockPages = FALSE; if (DestBuffer) { NT_ASSERT(FieldId == InvalidKphMsgField); NT_ASSERT(DestLength >= Length); RtlZeroMemory(DestBuffer, DestLength); } else if (Truncate) { USHORT remaining; NT_ASSERT(FieldId != InvalidKphMsgField); remaining = KphMsgDynRemaining(Message); if (Length > remaining) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Buffer too large for message, truncating %lu -> %lu", Length, remaining); Length = remaining; } } if (!Length) { goto Exit; } if (Mdl) { buffer = KphGetSystemAddressForMdl(Mdl, NormalPagePriority); goto CopyBuffer; } if (SystemBuffer || FLT_IS_FASTIO_OPERATION(Data) || FLT_IS_SYSTEM_BUFFER(Data)) { buffer = Buffer; goto CopyBuffer; } if (!Buffer) { goto Exit; } if (!Data->Thread) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Missing thread for buffer capture"); goto Exit; } mdl = IoAllocateMdl(Buffer, Length, FALSE, FALSE, NULL); if (!mdl) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate MDL"); goto Exit; } __try { MmProbeAndLockProcessPages(mdl, PsGetThreadProcess(Data->Thread), KernelMode, IoReadAccess); unlockPages = TRUE; } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "MmProbeAndLockProcessPages failed: %!STATUS!", GetExceptionCode()); goto Exit; } buffer = KphGetSystemAddressForMdl(mdl, NormalPagePriority); CopyBuffer: if (!buffer) { goto Exit; } __try { if (DestBuffer) { NT_ASSERT(FieldId == InvalidKphMsgField); NT_ASSERT(Length <= DestLength); RtlCopyMemory(DestBuffer, buffer, Length); } else if (FieldId == KphMsgFieldDestinationFileName) { UNICODE_STRING fileName; NT_ASSERT(Length <= USHORT_MAX); fileName.Buffer = Buffer; fileName.Length = (USHORT)Length; fileName.MaximumLength = fileName.Length; status = KphMsgDynAddUnicodeString(Message, FieldId, &fileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddSizedBuffer failed: %!STATUS!", status); } } else { KPHM_SIZED_BUFFER sizedBuffer; NT_ASSERT(FieldId != InvalidKphMsgField); NT_ASSERT(Length <= USHORT_MAX); sizedBuffer.Buffer = buffer; sizedBuffer.Size = (USHORT)Length; status = KphMsgDynAddSizedBuffer(Message, FieldId, &sizedBuffer); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddSizedBuffer failed: %!STATUS!", status); } } } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception copying buffer: %!STATUS!", GetExceptionCode()); if (FieldId != InvalidKphMsgField) { // // N.B. The KphMsgDynAdd* routines will first reserve a table // entry then copy data into the buffer. If we get here it means // the control flow was arrested after the reservation. Since we // can't guarantee it was all copied successfully clear the last // entry that was reserved. // KphMsgDynClearLast(Message); } } Exit: if (mdl) { if (unlockPages) { MmUnlockPages(mdl); } IoFreeMdl(mdl); } } /** * \brief Copies file system control buffers into the message. * * \param[in,out] Message The message to copy the buffers into. * \param[in] Data The callback data for the operation. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltCopyFsControl( _Inout_ PKPH_MESSAGE Message, _In_ PFLT_CALLBACK_DATA Data ) { UCHAR method; PMDL mdl; PVOID buffer; ULONG length; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(Data->Iopb->MajorFunction == IRP_MJ_FILE_SYSTEM_CONTROL); method = METHOD_FROM_CTL_CODE(Data->Iopb->Parameters.FileSystemControl.Common.FsControlCode); switch (method) { case METHOD_NEITHER: { // // Capture the input and output buffer always since it is possible // to use them interchangeably. // buffer = Data->Iopb->Parameters.FileSystemControl.Neither.InputBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.FileSystemControl.Neither.InputBufferLength); } else { length = Data->Iopb->Parameters.FileSystemControl.Neither.InputBufferLength; } KphpFltCopyBuffer(Message, Data, KphMsgFieldInput, FALSE, NULL, 0, NULL, buffer, length, TRUE); mdl = Data->Iopb->Parameters.FileSystemControl.Neither.OutputMdlAddress; buffer = Data->Iopb->Parameters.FileSystemControl.Neither.OutputBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.FileSystemControl.Neither.OutputBufferLength); } else { length = Data->Iopb->Parameters.FileSystemControl.Neither.OutputBufferLength; } KphpFltCopyBuffer(Message, Data, KphMsgFieldOutput, FALSE, NULL, 0, mdl, buffer, length, TRUE); break; } case METHOD_BUFFERED: { buffer = Data->Iopb->Parameters.FileSystemControl.Buffered.SystemBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.FileSystemControl.Buffered.OutputBufferLength); KphpFltCopyBuffer(Message, Data, KphMsgFieldOutput, TRUE, NULL, 0, NULL, buffer, length, TRUE); } else { length = Data->Iopb->Parameters.FileSystemControl.Buffered.InputBufferLength; KphpFltCopyBuffer(Message, Data, KphMsgFieldInput, TRUE, NULL, 0, NULL, buffer, length, TRUE); } break; } case METHOD_IN_DIRECT: case METHOD_OUT_DIRECT: { if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { mdl = Data->Iopb->Parameters.FileSystemControl.Direct.OutputMdlAddress; buffer = Data->Iopb->Parameters.FileSystemControl.Direct.OutputBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.FileSystemControl.Direct.OutputBufferLength); KphpFltCopyBuffer(Message, Data, KphMsgFieldOutput, FALSE, NULL, 0, mdl, buffer, length, TRUE); } else { buffer = Data->Iopb->Parameters.FileSystemControl.Direct.InputSystemBuffer; length = Data->Iopb->Parameters.FileSystemControl.Direct.InputBufferLength; KphpFltCopyBuffer(Message, Data, KphMsgFieldInput, TRUE, NULL, 0, NULL, buffer, length, TRUE); } break; } default: { return; } } } /** * \brief Copies device control buffers into the message. * * \param[in,out] Message The message to copy the buffers into. * \param[in] Data The callback data for the operation. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltCopyIoControl( _Inout_ PKPH_MESSAGE Message, _In_ PFLT_CALLBACK_DATA Data ) { UCHAR method; PMDL mdl; PVOID buffer; ULONG length; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT((Data->Iopb->MajorFunction == IRP_MJ_DEVICE_CONTROL) || (Data->Iopb->MajorFunction == IRP_MJ_INTERNAL_DEVICE_CONTROL)); if (FLT_IS_FASTIO_OPERATION(Data)) { // // Capture the input and output buffer always since it is possible // to use them interchangeably. // buffer = Data->Iopb->Parameters.DeviceIoControl.FastIo.InputBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, length = Data->Iopb->Parameters.DeviceIoControl.FastIo.InputBufferLength); } else { length = Data->Iopb->Parameters.DeviceIoControl.FastIo.InputBufferLength; } KphpFltCopyBuffer(Message, Data, KphMsgFieldInput, FALSE, NULL, 0, NULL, buffer, length, TRUE); buffer = Data->Iopb->Parameters.DeviceIoControl.FastIo.OutputBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DeviceIoControl.FastIo.OutputBufferLength); } else { length = Data->Iopb->Parameters.DeviceIoControl.FastIo.OutputBufferLength; } KphpFltCopyBuffer(Message, Data, KphMsgFieldOutput, FALSE, NULL, 0, NULL, buffer, length, TRUE); return; } method = METHOD_FROM_CTL_CODE(Data->Iopb->Parameters.DeviceIoControl.Common.IoControlCode); switch (method) { case METHOD_NEITHER: { // // Capture the input and output buffer always since it is possible // to use them interchangeably. // buffer = Data->Iopb->Parameters.DeviceIoControl.Neither.InputBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DeviceIoControl.Neither.InputBufferLength); } else { length = Data->Iopb->Parameters.DeviceIoControl.Neither.InputBufferLength; } KphpFltCopyBuffer(Message, Data, KphMsgFieldInput, FALSE, NULL, 0, NULL, buffer, length, TRUE); mdl = Data->Iopb->Parameters.DeviceIoControl.Neither.OutputMdlAddress; buffer = Data->Iopb->Parameters.DeviceIoControl.Neither.OutputBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DeviceIoControl.Neither.OutputBufferLength); } else { length = Data->Iopb->Parameters.DeviceIoControl.Neither.OutputBufferLength; } KphpFltCopyBuffer(Message, Data, KphMsgFieldOutput, FALSE, NULL, 0, mdl, buffer, length, TRUE); break; } case METHOD_BUFFERED: { buffer = Data->Iopb->Parameters.DeviceIoControl.Buffered.SystemBuffer; if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DeviceIoControl.Buffered.OutputBufferLength); KphpFltCopyBuffer(Message, Data, KphMsgFieldOutput, TRUE, NULL, 0, NULL, buffer, length, TRUE); } else { length = Data->Iopb->Parameters.DeviceIoControl.Buffered.InputBufferLength; KphpFltCopyBuffer(Message, Data, KphMsgFieldInput, TRUE, NULL, 0, NULL, buffer, length, TRUE); } break; } case METHOD_IN_DIRECT: case METHOD_OUT_DIRECT: { if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { mdl = Data->Iopb->Parameters.DeviceIoControl.Direct.OutputMdlAddress; buffer = Data->Iopb->Parameters.DeviceIoControl.Direct.OutputBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DeviceIoControl.Direct.OutputBufferLength); KphpFltCopyBuffer(Message, Data, KphMsgFieldOutput, FALSE, NULL, 0, mdl, buffer, length, TRUE); } else { buffer = Data->Iopb->Parameters.DeviceIoControl.Direct.InputSystemBuffer; length = Data->Iopb->Parameters.DeviceIoControl.Direct.InputBufferLength; KphpFltCopyBuffer(Message, Data, KphMsgFieldInput, TRUE, NULL, 0, NULL, buffer, length, TRUE); } break; } default: { return; } } } /** * \brief Fills a message with common information. * * \param[in,out] Message The message to fill. * \param[in] Data The callback data for the operation. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpFltFillCommonMessage( _Inout_ PKPH_MESSAGE Message, _In_ PFLT_CALLBACK_DATA Data ) { COPY_INFORMATION copyInfo; KPH_NPAGED_CODE_DISPATCH_MAX(); if (Data->Thread) { PEPROCESS process; BOOLEAN cacheOnly; process = PsGetThreadProcess(Data->Thread); Message->Kernel.File.ClientId.UniqueProcess = PsGetProcessId(process); Message->Kernel.File.ClientId.UniqueThread = PsGetThreadId(Data->Thread); Message->Kernel.File.ProcessStartKey = KphGetProcessStartKey(process); cacheOnly = (FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO) || FlagOn(Data->Iopb->IrpFlags, IRP_SYNCHRONOUS_PAGING_IO)); Message->Kernel.File.ThreadSubProcessTag = KphGetThreadSubProcessTagEx(Data->Thread, cacheOnly); } if (KphDynFltGetCopyInformationFromCallbackData && NT_SUCCESS(KphDynFltGetCopyInformationFromCallbackData(Data, ©Info))) { Message->Kernel.File.CopyInformation.SourceFileObject = copyInfo.SourceFileObject; Message->Kernel.File.CopyInformation.SourceFileOffset = copyInfo.SourceFileOffset; } Message->Kernel.File.RequestorMode = (Data->RequestorMode != KernelMode); Message->Kernel.File.MajorFunction = Data->Iopb->MajorFunction; Message->Kernel.File.MinorFunction = Data->Iopb->MinorFunction; Message->Kernel.File.Irql = KeGetCurrentIrql(); Message->Kernel.File.OperationFlags = Data->Iopb->OperationFlags; Message->Kernel.File.FltFlags = Data->Flags; Message->Kernel.File.IrpFlags = Data->Iopb->IrpFlags; Message->Kernel.File.Parameters.Others.Argument1 = Data->Iopb->Parameters.Others.Argument1; Message->Kernel.File.Parameters.Others.Argument2 = Data->Iopb->Parameters.Others.Argument2; Message->Kernel.File.Parameters.Others.Argument3 = Data->Iopb->Parameters.Others.Argument3; Message->Kernel.File.Parameters.Others.Argument4 = Data->Iopb->Parameters.Others.Argument4; Message->Kernel.File.Parameters.Others.Argument5 = Data->Iopb->Parameters.Others.Argument5; Message->Kernel.File.Parameters.Others.Argument6 = Data->Iopb->Parameters.Others.Argument6; if (!Data->Iopb->TargetFileObject) { return; } Message->Kernel.File.DeletePending = (Data->Iopb->TargetFileObject->DeletePending != FALSE); Message->Kernel.File.Busy = (Data->Iopb->TargetFileObject->Busy != 0); Message->Kernel.File.Flags = Data->Iopb->TargetFileObject->Flags; Message->Kernel.File.Waiters = Data->Iopb->TargetFileObject->Waiters; Message->Kernel.File.CurrentByteOffset = Data->Iopb->TargetFileObject->CurrentByteOffset; } /** * \brief Fills a message with pre operation information. * * \param[in,out] Message The message to fill. * \param[in] Data The callback data for the operation. * \param[in] Options The options for the filter. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFltFillPreOpMessage( _Inout_ PKPH_MESSAGE Message, _In_ PFLT_CALLBACK_DATA Data, _In_ PKPH_FLT_OPTIONS Options ) { PMDL mdl; PVOID buffer; ULONG length; KPH_MESSAGE_FIELD_ID fieldId; PVOID destBuffer; ULONG destLength; BOOLEAN truncate; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); KphpFltFillCommonMessage(Message, Data); mdl = NULL; fieldId = InvalidKphMsgField; destBuffer = NULL; destLength = 0; truncate = TRUE; switch (Data->Iopb->MajorFunction) { case IRP_MJ_CREATE: { NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL); buffer = Data->Iopb->Parameters.Create.EaBuffer; length = Data->Iopb->Parameters.Create.EaLength; fieldId = KphMsgFieldEaBuffer; break; } case IRP_MJ_CREATE_NAMED_PIPE: { buffer = Data->Iopb->Parameters.CreatePipe.Parameters; length = sizeof(NAMED_PIPE_CREATE_PARAMETERS); destBuffer = &Message->Kernel.File.Pre.CreateNamedPipe.Parameters; destLength = sizeof(NAMED_PIPE_CREATE_PARAMETERS); break; } case IRP_MJ_SET_INFORMATION: { buffer = Data->Iopb->Parameters.SetFileInformation.InfoBuffer; length = Data->Iopb->Parameters.SetFileInformation.Length; fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MJ_QUERY_EA: { // // Pre operation captures the input query list. Post operation will // capture any returned information. // buffer = Data->Iopb->Parameters.QueryEa.EaList; length = Data->Iopb->Parameters.QueryEa.EaListLength; fieldId = KphMsgFieldInformationBuffer; // FILE_GET_EA_INFORMATION break; } case IRP_MJ_SET_EA: { mdl = Data->Iopb->Parameters.SetEa.MdlAddress; buffer = Data->Iopb->Parameters.SetEa.EaBuffer; length = Data->Iopb->Parameters.SetEa.Length; fieldId = KphMsgFieldInformationBuffer; // FILE_FULL_EA_INFORMATION break; } case IRP_MJ_SET_VOLUME_INFORMATION: { buffer = Data->Iopb->Parameters.SetVolumeInformation.VolumeBuffer; length = Data->Iopb->Parameters.SetVolumeInformation.Length; fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MJ_DIRECTORY_CONTROL: { PUNICODE_STRING fileName; if (Data->Iopb->MinorFunction != IRP_MN_QUERY_DIRECTORY) { return; } fileName = Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileName; if (!fileName) { return; } __try { buffer = fileName->Buffer; length = fileName->Length; fieldId = KphMsgFieldDestinationFileName; } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception capturing file name: %!STATUS!", GetExceptionCode()); return; } truncate = FALSE; break; } case IRP_MJ_FILE_SYSTEM_CONTROL: { if (Options->EnableFsControlBuffers) { KphpFltCopyFsControl(Message, Data); } return; } case IRP_MJ_DEVICE_CONTROL: case IRP_MJ_INTERNAL_DEVICE_CONTROL: { if (Options->EnableIoControlBuffers) { KphpFltCopyIoControl(Message, Data); } return; } case IRP_MJ_LOCK_CONTROL: { buffer = Data->Iopb->Parameters.LockControl.Length; length = sizeof(LARGE_INTEGER); destBuffer = &Message->Kernel.File.Pre.LockControl.Length; destLength = sizeof(LARGE_INTEGER); break; } case IRP_MJ_CREATE_MAILSLOT: { buffer = Data->Iopb->Parameters.CreateMailslot.Parameters; length = sizeof(MAILSLOT_CREATE_PARAMETERS); destBuffer = &Message->Kernel.File.Pre.CreateMailslot.Parameters; destLength = sizeof(MAILSLOT_CREATE_PARAMETERS); break; } case IRP_MJ_ACQUIRE_FOR_MOD_WRITE: { buffer = Data->Iopb->Parameters.AcquireForModifiedPageWriter.EndingOffset; length = sizeof(LARGE_INTEGER); destBuffer = &Message->Kernel.File.Pre.AcquireForModWrite.EndingOffset; destLength = sizeof(LARGE_INTEGER); break; } case IRP_MJ_QUERY_OPEN: { buffer = Data->Iopb->Parameters.QueryOpen.Length; length = sizeof(ULONG); destBuffer = &Message->Kernel.File.Pre.QueryOpen.Length; destLength = sizeof(ULONG); break; } default: { return; } } KphpFltCopyBuffer(Message, Data, fieldId, FALSE, destBuffer, destLength, mdl, buffer, length, truncate); } /** * \brief Fills a message with post operation information. * * \param[in,out] Message The message to fill. * \param[in] Data The callback data for the operation. * \param[in] Options The options for the filter. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpFltFillPostOpMessage( _Inout_ PKPH_MESSAGE Message, _In_ PFLT_CALLBACK_DATA Data, _In_ PKPH_FLT_OPTIONS Options ) { PMDL mdl; PVOID buffer; ULONG length; KPH_MESSAGE_FIELD_ID fieldId; KPH_NPAGED_CODE_DISPATCH_MAX(); KphpFltFillCommonMessage(Message, Data); Message->Kernel.File.Post.IoStatus = Data->IoStatus; if (KeGetCurrentIrql() > APC_LEVEL) { return; } mdl = NULL; fieldId = InvalidKphMsgField; switch (Data->Iopb->MajorFunction) { case IRP_MJ_QUERY_INFORMATION: { buffer = Data->Iopb->Parameters.QueryFileInformation.InfoBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.QueryFileInformation.Length); fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MJ_QUERY_EA: { // // Pre operation captured the input EA list. // mdl = Data->Iopb->Parameters.QueryEa.MdlAddress; buffer = Data->Iopb->Parameters.QueryEa.EaBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.QueryEa.Length); fieldId = KphMsgFieldInformationBuffer; // FILE_FULL_EA_INFORMATION break; } case IRP_MJ_QUERY_VOLUME_INFORMATION: { buffer = Data->Iopb->Parameters.QueryVolumeInformation.VolumeBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.QueryVolumeInformation.Length); fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MJ_DIRECTORY_CONTROL: { if (!Options->EnableDirControlBuffers) { return; } switch (Data->Iopb->MinorFunction) { case IRP_MN_QUERY_DIRECTORY: { // // Pre operation captured the input file name. // mdl = Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress; buffer = Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DirectoryControl.QueryDirectory.Length); fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MN_NOTIFY_CHANGE_DIRECTORY: { buffer = Data->Iopb->Parameters.DirectoryControl.NotifyDirectory.DirectoryBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DirectoryControl.NotifyDirectory.Length); fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MN_NOTIFY_CHANGE_DIRECTORY_EX: { mdl = Data->Iopb->Parameters.DirectoryControl.NotifyDirectoryEx.MdlAddress; buffer = Data->Iopb->Parameters.DirectoryControl.NotifyDirectoryEx.DirectoryBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.DirectoryControl.NotifyDirectoryEx.Length); fieldId = KphMsgFieldInformationBuffer; break; } default: { return; } } break; } case IRP_MJ_FILE_SYSTEM_CONTROL: { if (Options->EnableFsControlBuffers) { KphpFltCopyFsControl(Message, Data); } return; } case IRP_MJ_DEVICE_CONTROL: case IRP_MJ_INTERNAL_DEVICE_CONTROL: { if (Options->EnableIoControlBuffers) { KphpFltCopyIoControl(Message, Data); } return; } case IRP_MJ_QUERY_SECURITY: { mdl = Data->Iopb->Parameters.QuerySecurity.MdlAddress; buffer = Data->Iopb->Parameters.QuerySecurity.SecurityBuffer; length = min((ULONG)Data->IoStatus.Information, Data->Iopb->Parameters.QuerySecurity.Length); fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MJ_QUERY_OPEN: { // // The File System does not fill in the Information field in the // IO_STATUS block. Filters shouldn't inspect this value in their // post-calls. Use the length from the QueryOpen parameters. // if (!Data->Iopb->Parameters.QueryOpen.Length) { return; } __try { length = *Data->Iopb->Parameters.QueryOpen.Length; } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception capturing length: %!STATUS!", GetExceptionCode()); return; } buffer = Data->Iopb->Parameters.QueryOpen.FileInformation; fieldId = KphMsgFieldInformationBuffer; break; } case IRP_MJ_NETWORK_QUERY_OPEN: { buffer = Data->Iopb->Parameters.NetworkQueryOpen.NetworkInformation; length = sizeof(FILE_NETWORK_OPEN_INFORMATION); fieldId = KphMsgFieldInformationBuffer; break; } default: { return; } } KphpFltCopyBuffer(Message, Data, fieldId, FALSE, NULL, 0, mdl, buffer, length, TRUE); } /** * \brief Handles name tunneling for a given file name information. * * \details If the file name was tunneled, the re-tunneled file name will be * copied into the message, otherwise the original file name will be copied. * * \param[in,out] Message The message to copy the file name into. * \param[in] Data The callback data for the operation. * \param[in] FieldId The field to copy the file name into. * \param[in] FileNameInfo The file name information to handle. * * \return TRUE if the file name was tunneled, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) BOOLEAN KphpFltHandleNameTunneling( _Inout_ PKPH_MESSAGE Message, _In_ PFLT_CALLBACK_DATA Data, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PFLT_FILE_NAME_INFORMATION FileNameInfo ) { NTSTATUS status; PFLT_FILE_NAME_INFORMATION reTunneledFileNameInfo; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); NT_ASSERT(FileNameInfo->Format == FLT_FILE_NAME_NORMALIZED); status = FltGetTunneledName(Data, FileNameInfo, &reTunneledFileNameInfo); if (!NT_SUCCESS(status)) { if (NT_SUCCESS(Data->IoStatus.Status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "FltGetTunneledName failed: %!STATUS!", status); } reTunneledFileNameInfo = FALSE; } if (!reTunneledFileNameInfo) { // // The file name was not tunneled. // status = KphMsgDynAddUnicodeString(Message, FieldId, &FileNameInfo->Name); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } return FALSE; } status = KphMsgDynAddUnicodeString(Message, FieldId, &reTunneledFileNameInfo->Name); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } FltReleaseFileNameInformation(reTunneledFileNameInfo); return TRUE; } /** * \brief Check if name tunneling is relevant for the operation. * * \param[in] Data The callback data for the operation. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphpFltIsNameTunnelingPossible( _In_ PFLT_CALLBACK_DATA Data ) { KPH_NPAGED_CODE_DISPATCH_MAX(); if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) { return TRUE; } else if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) { switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) { case FileRenameInformation: case FileRenameInformationBypassAccessCheck: case FileRenameInformationEx: case FileRenameInformationExBypassAccessCheck: case FileLinkInformation: case FileLinkInformationBypassAccessCheck: case FileLinkInformationEx: case FileLinkInformationExBypassAccessCheck: { return TRUE; } default: { break; } } } return FALSE; } /** * \brief Handles name tunneling in the post operation callback. * * \param[in] Data The callback data for the operation. * \param[in,out] Context The completion context for the operation. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpFltPostOpHandleNameTunneling( _In_ PFLT_CALLBACK_DATA Data, _Inout_ PKPH_FLT_COMPLETION_CONTEXT Context ) { BOOLEAN tunneledFileName; BOOLEAN tunneledDestFileName; KPH_NPAGED_CODE_DISPATCH_MAX(); NT_ASSERT(KphpFltIsNameTunnelingPossible(Data)); tunneledFileName = FALSE; tunneledDestFileName = FALSE; if (Context->FileNameInfo) { NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL); NT_ASSERT(Context->FileNameInfo->Format == FLT_FILE_NAME_NORMALIZED); NT_ASSERT((Data->Iopb->MajorFunction == IRP_MJ_CREATE) || (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION)); if (KphpFltHandleNameTunneling(Context->Message, Data, KphMsgFieldFileName, Context->FileNameInfo)) { tunneledFileName = TRUE; } } if (Context->DestFileNameInfo) { NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL); NT_ASSERT(Context->DestFileNameInfo->Format == FLT_FILE_NAME_NORMALIZED); NT_ASSERT(Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION); if (KphpFltHandleNameTunneling(Context->Message, Data, KphMsgFieldDestinationFileName, Context->DestFileNameInfo)) { tunneledDestFileName = TRUE; } } if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) { Context->Message->Kernel.File.Post.Create.TunneledFileName = tunneledFileName; } else if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) { Context->Message->Kernel.File.Post.SetInformation.TunneledFileName = tunneledFileName; Context->Message->Kernel.File.Post.SetInformation.TunneledDestinationFileName = tunneledDestFileName; } } /** * \brief Frees a completion context. * * \param[in] CompletionContext The completion context to free. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphpFltFreeCompletionContext( _In_ PKPH_FLT_COMPLETION_CONTEXT CompletionContext ) { KPH_NPAGED_CODE_DISPATCH_MAX(); if (CompletionContext->Message) { KphFreeNPagedMessage(CompletionContext->Message); } // // N.B. The file name information is released in the post operation should // only occur from IRP_MJ_CREATE or IRP_MJ_SET_INFORMATION when the name // needs to be possibly re-tunneled. This should only happen at or below // APC_LEVEL. // if (CompletionContext->FileNameInfo) { NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL); FltReleaseFileNameInformation(CompletionContext->FileNameInfo); } if (CompletionContext->DestFileNameInfo) { NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL); FltReleaseFileNameInformation(CompletionContext->DestFileNameInfo); } KphFreeToNPagedLookaside(&KphpFltCompletionContextLookaside, CompletionContext); } /** * \brief Filter post operation callback for file operations. * * \param[in] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. * \param[in] CompletionContext The completion context for the operation. * \param[in] Flags Filter post operation flags. * * \return FLT_POSTOP_FINISHED_PROCESSING */ _Function_class_(PFLT_POST_OPERATION_CALLBACK) _IRQL_requires_max_(DISPATCH_LEVEL) FLT_POSTOP_CALLBACK_STATUS FLTAPI KphpFltPostOp( _Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_opt_ PVOID CompletionContext, _In_ FLT_POST_OPERATION_FLAGS Flags ) { NTSTATUS status; ULONG64 sequence; KPH_MESSAGE_ID messageId; PKPH_FLT_COMPLETION_CONTEXT context; PKPH_MESSAGE reply; KPH_NPAGED_CODE_DISPATCH_MAX(); sequence = InterlockedIncrementU64(&KphpFltSequence); context = CompletionContext; reply = NULL; if (!context) { goto Exit; } if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING)) { NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL); goto Exit; } // // Message was already initialized by the pre operation callback. // But we need to update a few things for the post operation callback. // NT_ASSERT(NT_SUCCESS(KphMsgValidate(context->Message))); NT_ASSERT(context->Message->Kernel.File.Sequence == 0); NT_ASSERT(context->Message->Header.TimeStamp.QuadPart == 0); messageId = KphpFltGetMessageId(Data->Iopb->MajorFunction, TRUE); context->Message->Header.MessageId = messageId; KeQuerySystemTime(&context->Message->Header.TimeStamp); context->Message->Kernel.File.Sequence = sequence; if (KphpFltIsNameTunnelingPossible(Data)) { KphpFltPostOpHandleNameTunneling(Data, context); } KphpFltFillPostOpMessage(context->Message, Data, &context->Options); if (context->Options.EnableStackTraces) { KphCaptureStackInMessage(context->Message); } if ((Data->Iopb->MajorFunction != IRP_MJ_CREATE) || !context->Options.EnablePostCreateReply) { KphCommsSendNPagedMessageAsync(context->Message); context->Message = NULL; goto Exit; } NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL); reply = KphAllocateNPagedMessage(); if (!reply) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateNPagedMessage failed"); goto Exit; } status = KphCommsSendMessage(context->Message, reply); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to send message (%lu): %!STATUS!", (ULONG)context->Message->Header.MessageId, status); goto Exit; } if ((reply->Header.MessageId == KphMsgFilePostCreate) && (reply->Reply.File.Post.Create.Status != STATUS_SUCCESS)) { Data->IoStatus.Status = reply->Reply.File.Post.Create.Status; Data->IoStatus.Information = 0; FltCancelFileOpen(FltObjects->Instance, FltObjects->FileObject); } Exit: if (reply) { KphFreeNPagedMessage(reply); } if (context) { KphpFltFreeCompletionContext(context); } if (Data->Iopb->MajorFunction == IRP_MJ_CLOSE) { KphpFltReapFileNameCache(Data, FltObjects); } return FLT_POSTOP_FINISHED_PROCESSING; } /** * \brief Creates a message from pre the operation callback the post operation. * * \param[in] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. * \param[in] Options The options for the filter. * \param[in] FltFileName The file name information for the operation. * \param[in] FltDestFileName The destination file name information, if any. * \param[in] Sequence The sequence number for the pre operation. * \param[in] TimeStamp The time stamp for the pre operation. * \param[out] Context Set to the completion context for the operation. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpFltPreOpCreateCompletionContext( _In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ PKPH_FLT_OPTIONS Options, _In_ PKPH_FLT_FILE_NAME FltFileName, _In_ PKPH_FLT_FILE_NAME FltDestFileName, _In_ ULONG64 Sequence, _In_ PLARGE_INTEGER TimeStamp, _Out_ PKPH_FLT_COMPLETION_CONTEXT* CompletionContext ) { NTSTATUS status; PKPH_FLT_COMPLETION_CONTEXT context; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); *CompletionContext = NULL; context = KphAllocateFromNPagedLookaside(&KphpFltCompletionContextLookaside); if (!context) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateFromNPagedLookaside failed"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } context->Options.Flags = Options->Flags; // // Create the message for the post operation to finish filling in. We // will populate what we can in the pre operation callback. In some cases // this is necessary since post operation can complete at dispatch. // context->Message = KphAllocateNPagedMessage(); if (!context->Message) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateNPagedMessage failed"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } KphpFltInitMessage(context->Message, FltObjects, Data->Iopb->MajorFunction, TRUE); // // Will be populated when the operation completes. Set a sentinel value // for the time stamp to indicate that it is not yet valid. // NT_ASSERT(context->Message->Kernel.File.Sequence == 0); context->Message->Header.TimeStamp.QuadPart = 0; context->Message->Kernel.File.Post.PreSequence = Sequence; context->Message->Kernel.File.Post.PreTimeStamp = *TimeStamp; if (Options->EnablePostFileNames) { // // Only if we have to will we fill in the file name information in the post // operation (and resolve a possibly tunneled names there). In most cases // we will copy the file name information into the post message here. // if (!KphpFltIsNameTunnelingPossible(Data)) { KphpFltCopyFileName(context->Message, KphMsgFieldFileName, FltFileName); KphpFltCopyFileName(context->Message, KphMsgFieldDestinationFileName, FltDestFileName); } else if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) { if ((FltFileName->Type == KphFltFileNameTypeNameInfo) && (FltFileName->NameInfo->Format == FLT_FILE_NAME_NORMALIZED)) { context->FileNameInfo = FltFileName->NameInfo; FltReferenceFileNameInformation(context->FileNameInfo); } else { KphpFltCopyFileName(context->Message, KphMsgFieldFileName, FltFileName); } } else { NT_ASSERT(Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION); if ((FltFileName->Type == KphFltFileNameTypeNameInfo) && (FltFileName->NameInfo->Format == FLT_FILE_NAME_NORMALIZED)) { context->FileNameInfo = FltFileName->NameInfo; FltReferenceFileNameInformation(context->FileNameInfo); } else { KphpFltCopyFileName(context->Message, KphMsgFieldFileName, FltFileName); } if ((FltDestFileName->Type == KphFltFileNameTypeNameInfo) && (FltDestFileName->NameInfo->Format == FLT_FILE_NAME_NORMALIZED)) { context->DestFileNameInfo = FltDestFileName->NameInfo; FltReferenceFileNameInformation(context->DestFileNameInfo); } else { KphpFltCopyFileName(context->Message, KphMsgFieldDestinationFileName, FltDestFileName); } } } *CompletionContext = context; context = NULL; status = STATUS_SUCCESS; Exit: if (context) { KphpFltFreeCompletionContext(context); } return status; } /** * \brief Sends a pre operation message. * * \param[in,out] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. * \param[in] Options The options for the filter. * \param[in] FltFileName The file name information for the operation. * \param[in] FltDestFileName The destination file name information, if any. * \param[in] Sequence The sequence number for the operation. * \param[out] TimeStamp Set to the time stamp for the pre operation. * * \return FLT_PREOP_SUCCESS_NO_CALLBACK or FLT_PREOP_COMPLETE */ _IRQL_requires_max_(APC_LEVEL) FLT_PREOP_CALLBACK_STATUS KphpFltPreOpSend( _Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ PKPH_FLT_OPTIONS Options, _In_ PKPH_FLT_FILE_NAME FltFileName, _In_ PKPH_FLT_FILE_NAME FltDestFileName, _In_ ULONG64 Sequence, _Out_ PLARGE_INTEGER TimeStamp ) { FLT_PREOP_CALLBACK_STATUS callbackStatus; NTSTATUS status; PKPH_MESSAGE message; PKPH_MESSAGE reply; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); callbackStatus = FLT_PREOP_SUCCESS_NO_CALLBACK; reply = NULL; message = KphAllocateNPagedMessage(); if (!message) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateNPagedMessage failed"); KeQuerySystemTime(TimeStamp); goto Exit; } KphpFltInitMessage(message, FltObjects, Data->Iopb->MajorFunction, FALSE); *TimeStamp = message->Header.TimeStamp; message->Kernel.File.Sequence = Sequence; KphpFltCopyFileName(message, KphMsgFieldFileName, FltFileName); KphpFltCopyFileName(message, KphMsgFieldDestinationFileName, FltDestFileName); // // The post operation callback will resolve this name and note if it // was a re-tunneled file name. For the pre operation callback we can // only denote in the message that the file name is possibly tunneled. // if (!KphpFltIsNameTunnelingPossible(Data)) { NOTHING; } else if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) { if ((FltFileName->Type == KphFltFileNameTypeNameInfo) && (FltFileName->NameInfo->Format == FLT_FILE_NAME_NORMALIZED)) { message->Kernel.File.Pre.Create.MaybeTunneledFileName = TRUE; } } else { NT_ASSERT(Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION); if ((FltFileName->Type == KphFltFileNameTypeNameInfo) && (FltFileName->NameInfo->Format == FLT_FILE_NAME_NORMALIZED)) { message->Kernel.File.Pre.SetInformation.MaybeTunneledFileName = TRUE; } if ((FltDestFileName->Type == KphFltFileNameTypeNameInfo) && (FltDestFileName->NameInfo->Format == FLT_FILE_NAME_NORMALIZED)) { message->Kernel.File.Pre.SetInformation.MaybeTunneledDestinationFileName = TRUE; } } KphpFltFillPreOpMessage(message, Data, Options); if (Options->EnableStackTraces) { KphCaptureStackInMessage(message); } if ((Data->Iopb->MajorFunction != IRP_MJ_CREATE) || !Options->EnablePreCreateReply) { KphCommsSendNPagedMessageAsync(message); message = NULL; goto Exit; } reply = KphAllocateNPagedMessage(); if (!reply) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateNPagedMessage failed"); goto Exit; } status = KphCommsSendMessage(message, reply); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to send message (%lu): %!STATUS!", (ULONG)message->Header.MessageId, status); goto Exit; } if ((reply->Header.MessageId == KphMsgFilePreCreate) && (reply->Reply.File.Pre.Create.Status != STATUS_SUCCESS)) { Data->IoStatus.Status = reply->Reply.File.Pre.Create.Status; Data->IoStatus.Information = 0; callbackStatus = FLT_PREOP_COMPLETE; } Exit: if (reply) { KphFreeNPagedMessage(reply); } if (message) { KphFreeNPagedMessage(message); } return callbackStatus; } /** * \brief Handles a request to perform an action inside of the filter. * * \param[in,out] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. */ VOID KphpFltRequestHandler( _Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects ) { PKPH_THREAD_CONTEXT thread; // // KphQueryVirtualMemory will use this to create a data section object. // It will do this by issuing a MemoryMappedFilenameInformation. This // results in an IRP_MJ_QUERY_INFORMATION with FileNameInformation. And will // have previously set the one of the "TLS slots" to the address of the // KphQueryVirtualMemory stack to pass information to and from this call. // if ((Data->Iopb->MajorFunction != IRP_MJ_QUERY_INFORMATION) || (Data->Iopb->Parameters.QueryFileInformation.FileInformationClass != FileNameInformation)) { return; } thread = KphGetCurrentThreadContext(); if (!thread) { return; } if (thread->VmTlsCreateDataSection) { PKPH_VM_TLS_CREATE_DATA_SECTION tls; NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; PVOID sectionObject; tls = thread->VmTlsCreateDataSection; thread->VmTlsCreateDataSection = NULL; InitializeObjectAttributes(&objectAttributes, NULL, (tls->AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, NULL); status = FsRtlCreateSectionForDataScan(&tls->SectionHandle, §ionObject, &tls->SectionFileSize, FltObjects->FileObject, SECTION_QUERY | SECTION_MAP_READ, &objectAttributes, NULL, PAGE_READONLY, SEC_COMMIT, 0); if (NT_SUCCESS(status)) { ObDereferenceObject(sectionObject); } tls->Status = status; } else if (thread->VmTlsMappedInformation) { PKPH_MEMORY_MAPPED_INFORMATION tls; tls = thread->VmTlsMappedInformation; thread->VmTlsMappedInformation = NULL; tls->FileObject = FltObjects->FileObject; tls->SectionObjectPointers = FltObjects->FileObject->SectionObjectPointer; if (FltObjects->FileObject->SectionObjectPointer) { tls->DataControlArea = FltObjects->FileObject->SectionObjectPointer->DataSectionObject; tls->SharedCacheMap = FltObjects->FileObject->SectionObjectPointer->SharedCacheMap; tls->ImageControlArea = FltObjects->FileObject->SectionObjectPointer->ImageSectionObject; tls->UserWritableReferences = MmDoesFileHaveUserWritableReferences(FltObjects->FileObject->SectionObjectPointer); } } KphDereferenceObject(thread); } /** * \brief Filter pre operation callback for file operations. * * \param[in,out] Data The callback data for the operation. * \param[in] FltObjects The related objects for the operation. * \param[out] CompletionContext Set to the completion context if necessary. * * \return An appropriate callback status depending on the a post operation * is needed or the pre operation should be completed. */ _Function_class_(PFLT_PRE_OPERATION_CALLBACK) _IRQL_requires_max_(APC_LEVEL) FLT_PREOP_CALLBACK_STATUS FLTAPI KphpFltPreOp( _Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Outptr_result_maybenull_ PVOID* CompletionContext ) { ULONG64 sequence; FLT_PREOP_CALLBACK_STATUS callbackStatus; KPH_FLT_OPTIONS options; NTSTATUS status; KPH_FLT_FILE_NAME fltFileName; KPH_FLT_FILE_NAME fltDestFileName; LARGE_INTEGER timeStamp; KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); *CompletionContext = NULL; KphpFltRequestHandler(Data, FltObjects); sequence = InterlockedIncrementU64(&KphpFltSequence); callbackStatus = FLT_PREOP_SUCCESS_NO_CALLBACK; KphpFltZeroFileName(&fltFileName); KphpFltZeroFileName(&fltDestFileName); options = KphpFltGetOptions(Data); if (!options.PreEnabled && !options.PostEnabled) { goto Exit; } if (!options.EnablePagingIo && FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO)) { goto Exit; } if (!options.EnableSyncPagingIo && FlagOn(Data->Iopb->IrpFlags, IRP_SYNCHRONOUS_PAGING_IO)) { goto Exit; } // // Either pre or post is enabled, gather what is needed. // status = KphpFltGetFileName(Data, FltObjects, &fltFileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphpFltGetFileName failed: %!STATUS!", status); } if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) { switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) { case FileRenameInformation: case FileRenameInformationBypassAccessCheck: case FileRenameInformationEx: case FileRenameInformationExBypassAccessCheck: case FileLinkInformation: case FileLinkInformationBypassAccessCheck: case FileLinkInformationEx: case FileLinkInformationExBypassAccessCheck: { status = KphpFltGetDestFileName(Data, FltObjects, &fltDestFileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphpFltGetDestFileName failed: %!STATUS!", status); } break; } } } if (options.PreEnabled) { callbackStatus = KphpFltPreOpSend(Data, FltObjects, &options, &fltFileName, &fltDestFileName, sequence, &timeStamp); NT_ASSERT((callbackStatus == FLT_PREOP_SUCCESS_NO_CALLBACK) || (callbackStatus == FLT_PREOP_COMPLETE)); if (callbackStatus == FLT_PREOP_COMPLETE) { goto Exit; } } else { // // Pre operations aren't enabled, but we need to grab the time stamp // for the post operation to use. // KeQuerySystemTime(&timeStamp); } if (options.PostEnabled) { PKPH_FLT_COMPLETION_CONTEXT context; status = KphpFltPreOpCreateCompletionContext(Data, FltObjects, &options, &fltFileName, &fltDestFileName, sequence, &timeStamp, &context); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphpFltPreOpCreatePostOpMessage failed: %!STATUS!", status); goto Exit; } if (Data->Iopb->MajorFunction == IRP_MJ_SHUTDOWN) { // // Post operation for IRP_MJ_SHUTDOWN is not supported, we do not // register for one, fake it here by directly calling the post // operation handler. // KphpFltPostOp(Data, FltObjects, context, 0); } else { *CompletionContext = context; callbackStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK; } } Exit: KphpFltReleaseFileName(&fltDestFileName); KphpFltReleaseFileName(&fltFileName); NT_ASSERT((callbackStatus == FLT_PREOP_SUCCESS_NO_CALLBACK) || (callbackStatus == FLT_PREOP_SUCCESS_WITH_CALLBACK) || (callbackStatus == FLT_PREOP_COMPLETE)); if ((callbackStatus != FLT_PREOP_SUCCESS_WITH_CALLBACK) && (Data->Iopb->MajorFunction == IRP_MJ_CLOSE)) { NT_ASSERT(callbackStatus != FLT_PREOP_COMPLETE); // // N.B. We always require a post operation callback for IRP_MJ_CLOSE // in order to do reaping (see: KphpFltReapFileNameCache). // callbackStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK; } return callbackStatus; } KPH_PAGED_FILE(); /** * \brief Cleans up the file operation filter. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltCleanupFileOp( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (!KphpFltOpInitialized) { return; } KphDeleteNPagedLookaside(&KphpFltCompletionContextLookaside); } /** * \brief Initializes the file operation filter. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpFltInitializeFileOp( VOID ) { KPH_PAGED_CODE_PASSIVE(); KphInitializeNPagedLookaside(&KphpFltCompletionContextLookaside, sizeof(KPH_FLT_COMPLETION_CONTEXT), KPH_TAG_FLT_COMPLETION_CONTEXT); KphpFltOpInitialized = TRUE; } // // These are some ugly compile time asserts intentionally hidden at the bottom // of the file. Essentially, this is asserting that FLT_PARAMETERS has not // changed enough to update KPHM_FILE_PARAMETERS. Realistically it should never // change, but they're here for posterity. // C_ASSERT(sizeof(KPHM_FILE_PARAMETERS) == sizeof(FLT_PARAMETERS)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Create) == RTL_FIELD_SIZE(FLT_PARAMETERS, Create)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, CreateNamedPipe) == RTL_FIELD_SIZE(FLT_PARAMETERS, CreatePipe)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, CreateMailslot) == RTL_FIELD_SIZE(FLT_PARAMETERS, CreateMailslot)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Read) == RTL_FIELD_SIZE(FLT_PARAMETERS, Read)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Write) == RTL_FIELD_SIZE(FLT_PARAMETERS, Write)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryInformation) == RTL_FIELD_SIZE(FLT_PARAMETERS, QueryFileInformation)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetInformation) == RTL_FIELD_SIZE(FLT_PARAMETERS, SetFileInformation)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryEa) == RTL_FIELD_SIZE(FLT_PARAMETERS, QueryEa)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetEa) == RTL_FIELD_SIZE(FLT_PARAMETERS, SetEa)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryVolumeInformation) == RTL_FIELD_SIZE(FLT_PARAMETERS, QueryVolumeInformation)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetVolumeInformation) == RTL_FIELD_SIZE(FLT_PARAMETERS, SetVolumeInformation)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, DirectoryControl) == RTL_FIELD_SIZE(FLT_PARAMETERS, DirectoryControl)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, FileSystemControl) == RTL_FIELD_SIZE(FLT_PARAMETERS, FileSystemControl)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, DeviceControl) == RTL_FIELD_SIZE(FLT_PARAMETERS, DeviceIoControl)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, LockControl) == RTL_FIELD_SIZE(FLT_PARAMETERS, LockControl)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QuerySecurity) == RTL_FIELD_SIZE(FLT_PARAMETERS, QuerySecurity)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetSecurity) == RTL_FIELD_SIZE(FLT_PARAMETERS, SetSecurity)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SystemControl) == RTL_FIELD_SIZE(FLT_PARAMETERS, WMI)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryQuota) == RTL_FIELD_SIZE(FLT_PARAMETERS, QueryQuota)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetQuota) == RTL_FIELD_SIZE(FLT_PARAMETERS, SetQuota)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Pnp) == RTL_FIELD_SIZE(FLT_PARAMETERS, Pnp)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, AcquireForSectionSync) == RTL_FIELD_SIZE(FLT_PARAMETERS, AcquireForSectionSynchronization)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, AcquireForModWrite) == RTL_FIELD_SIZE(FLT_PARAMETERS, AcquireForModifiedPageWriter)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, ReleaseForModWrite) == RTL_FIELD_SIZE(FLT_PARAMETERS, ReleaseForModifiedPageWriter)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryOpen) == RTL_FIELD_SIZE(FLT_PARAMETERS, QueryOpen)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, FastIoCheckIfPossible) == RTL_FIELD_SIZE(FLT_PARAMETERS, FastIoCheckIfPossible)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, NetworkQueryOpen) == RTL_FIELD_SIZE(FLT_PARAMETERS, NetworkQueryOpen)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, MdlRead) == RTL_FIELD_SIZE(FLT_PARAMETERS, MdlRead)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, MdlReadComplete) == RTL_FIELD_SIZE(FLT_PARAMETERS, MdlReadComplete)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, PrepareMdlWrite) == RTL_FIELD_SIZE(FLT_PARAMETERS, PrepareMdlWrite)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, MdlWriteComplete) == RTL_FIELD_SIZE(FLT_PARAMETERS, MdlWriteComplete)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, VolumeMount) == RTL_FIELD_SIZE(FLT_PARAMETERS, MountVolume)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Others) == RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); // // N.B. We make an optimization that we only need to copy these 6 arguments // when copying the parameter data into the message. Any of these asserts fire // we must update KPHM_FILE_PARAMETERS. // C_ASSERT(RTL_SIZEOF_THROUGH_FIELD(FLT_PARAMETERS, Others.Argument1) == 0x08); C_ASSERT(RTL_SIZEOF_THROUGH_FIELD(FLT_PARAMETERS, Others.Argument2) == 0x10); C_ASSERT(RTL_SIZEOF_THROUGH_FIELD(FLT_PARAMETERS, Others.Argument3) == 0x18); C_ASSERT(RTL_SIZEOF_THROUGH_FIELD(FLT_PARAMETERS, Others.Argument4) == 0x20); C_ASSERT(RTL_SIZEOF_THROUGH_FIELD(FLT_PARAMETERS, Others.Argument5) == 0x28); C_ASSERT(RTL_SIZEOF_THROUGH_FIELD(FLT_PARAMETERS, Others.Argument6) == 0x30); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Create) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, CreateNamedPipe) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, CreateMailslot) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Read) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Write) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryInformation) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetInformation) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryEa) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetEa) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryVolumeInformation) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetVolumeInformation) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, DirectoryControl) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, FileSystemControl) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, DeviceControl) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, LockControl) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QuerySecurity) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetSecurity) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SystemControl) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryQuota) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, SetQuota) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, Pnp) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, AcquireForSectionSync) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, AcquireForModWrite) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, ReleaseForModWrite) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, QueryOpen) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, FastIoCheckIfPossible) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, NetworkQueryOpen) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, MdlRead) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, MdlReadComplete) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, PrepareMdlWrite) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, MdlWriteComplete) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); C_ASSERT(RTL_FIELD_SIZE(KPHM_FILE_PARAMETERS, VolumeMount) <= RTL_FIELD_SIZE(FLT_PARAMETERS, Others)); ================================================ FILE: KSystemInformer/informer_image.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include #include KPH_PROTECTED_DATA_SECTION_PUSH(); static PVOID KphpImageVerificationCallbackHandle = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Performs image tracking. * * \param[in,out] Process The process loading the image. * \param[in] ImageInfo The image info from the notification routine. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpPerformImageTracking( _Inout_ PKPH_PROCESS_CONTEXT Process, _In_ PIMAGE_INFO_EX ImageInfo ) { KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(ImageInfo); InterlockedIncrementSizeT(&Process->NumberOfImageLoads); } /** * \brief Informs any clients of image notify routine invocations. * * \param[in] FullImageName File name of the loading image. * \param[in] ProcessId Process ID where the image is being loaded. * \param[in] ImageInfo Information about the image being loaded. */ _Function_class_(PLOAD_IMAGE_NOTIFY_ROUTINE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpLoadImageNotifyInformer( _In_opt_ PUNICODE_STRING FullImageName, _In_ HANDLE ProcessId, _In_ PIMAGE_INFO_EX ImageInfo ) { NTSTATUS status; PKPH_PROCESS_CONTEXT targetProcess; PKPH_PROCESS_CONTEXT actorProcess; PKPH_MESSAGE msg; PUNICODE_STRING fileName; BOOLEAN freeFileName; KPH_PAGED_CODE_PASSIVE(); actorProcess = KphGetCurrentProcessContext(); targetProcess = KphGetProcessContext(ProcessId); if (!KphInformerEnabled2(ImageLoad, actorProcess, targetProcess)) { goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } freeFileName = TRUE; status = KphGetNameFileObject(ImageInfo->FileObject, &fileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphGetNameFileObject failed: %!STATUS!", status); freeFileName = FALSE; fileName = FullImageName; } KphMsgInit(msg, KphMsgImageLoad); msg->Kernel.ImageLoad.LoadingClientId.UniqueProcess = PsGetCurrentProcessId(); msg->Kernel.ImageLoad.LoadingClientId.UniqueThread = PsGetCurrentThreadId(); msg->Kernel.ImageLoad.LoadingProcessStartKey = KphGetCurrentProcessStartKey(); msg->Kernel.ImageLoad.LoadingThreadSubProcessTag = KphGetCurrentThreadSubProcessTag(); msg->Kernel.ImageLoad.TargetProcessId = ProcessId; msg->Kernel.ImageLoad.Properties = ImageInfo->ImageInfo.Properties; msg->Kernel.ImageLoad.ImageBase = ImageInfo->ImageInfo.ImageBase; msg->Kernel.ImageLoad.ImageSelector = ImageInfo->ImageInfo.ImageSelector; msg->Kernel.ImageLoad.ImageSectionNumber = ImageInfo->ImageInfo.ImageSectionNumber; msg->Kernel.ImageLoad.FileObject = ImageInfo->FileObject; if (targetProcess) { ULONG64 startKey; startKey = KphGetProcessStartKey(targetProcess->EProcess); msg->Kernel.ImageLoad.TargetProcessStartKey = startKey; } if (fileName) { status = KphMsgDynAddUnicodeString(msg, KphMsgFieldFileName, fileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } if (freeFileName) { KphFreeNameFileObject(fileName); } } if (KphInformerOpts2(actorProcess, targetProcess).EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); Exit: if (targetProcess) { KphDereferenceObject(targetProcess); } if (actorProcess) { KphDereferenceObject(actorProcess); } } /** * \brief Image load notify routine. * * \param[in] FullImageName File name of the loading image. * \param[in] ProcessId Process ID where the image is being loaded. * \param[in] ImageInfo Information about the image being loaded. */ _Function_class_(PLOAD_IMAGE_NOTIFY_ROUTINE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpLoadImageNotifyRoutine( _In_opt_ PUNICODE_STRING FullImageName, _In_ HANDLE ProcessId, _In_ PIMAGE_INFO ImageInfo ) { PKPH_PROCESS_CONTEXT process; PIMAGE_INFO_EX imageInfo; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(FullImageName); NT_ASSERT(ImageInfo->ExtendedInfoPresent); imageInfo = CONTAINING_RECORD(ImageInfo, IMAGE_INFO_EX, ImageInfo); process = KphGetProcessContext(ProcessId); if (process) { KphpPerformImageTracking(process, imageInfo); KphApplyImageProtections(process, imageInfo); KphDereferenceObject(process); } KphpLoadImageNotifyInformer(FullImageName, ProcessId, imageInfo); } /** * \brief Image verification callback. * * \param[in] CallbackContext Unused. * \param[in] ImageType The type of image being verified. * \param[in,out] ImageInformation Information about the image being verified. */ _IRQL_requires_same_ _Function_class_(SE_IMAGE_VERIFICATION_CALLBACK_FUNCTION) VOID KphpImageVerificationCallback( _In_opt_ PVOID CallbackContext, _In_ SE_IMAGE_TYPE ImageType, _Inout_ PBDCB_IMAGE_INFORMATION ImageInformation ) { NTSTATUS status; PKPH_PROCESS_CONTEXT actorProcess; PKPH_MESSAGE msg; KPHM_SIZED_BUFFER buffer; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(CallbackContext); actorProcess = KphGetCurrentProcessContext(); if (!KphInformerEnabled(ImageVerify, actorProcess)) { goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } KphMsgInit(msg, KphMsgImageVerify); msg->Kernel.ImageVerify.ClientId.UniqueProcess = PsGetCurrentProcessId(); msg->Kernel.ImageVerify.ClientId.UniqueThread = PsGetCurrentThreadId(); msg->Kernel.ImageVerify.ProcessStartKey = KphGetCurrentProcessStartKey(); msg->Kernel.ImageVerify.ThreadSubProcessTag = KphGetCurrentThreadSubProcessTag(); msg->Kernel.ImageVerify.ImageType = ImageType; msg->Kernel.ImageVerify.Classification = ImageInformation->Classification; msg->Kernel.ImageVerify.ImageFlags = ImageInformation->ImageFlags; msg->Kernel.ImageVerify.ImageHashAlgorithm = ImageInformation->ImageHashAlgorithm; msg->Kernel.ImageVerify.ThumbprintHashAlgorithm = ImageInformation->ThumbprintHashAlgorithm; status = KphMsgDynAddUnicodeString(msg, KphMsgFieldFileName, &ImageInformation->ImageName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } buffer.Buffer = ImageInformation->ImageHash; buffer.Size = (USHORT)ImageInformation->ImageHashLength; status = KphMsgDynAddSizedBuffer(msg, KphMsgFieldHash, &buffer); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddSizedBuffer failed: %!STATUS!", status); } status = KphMsgDynAddUnicodeString(msg, KphMsgFieldCertificatePublisher, &ImageInformation->CertificatePublisher); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } status = KphMsgDynAddUnicodeString(msg, KphMsgFieldCertificateIssuer, &ImageInformation->CertificateIssuer); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } buffer.Buffer = ImageInformation->CertificateThumbprint; buffer.Size = (USHORT)ImageInformation->CertificateThumbprintLength; status = KphMsgDynAddSizedBuffer(msg, KphMsgFieldCertificateThumbprint, &buffer); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddSizedBuffer failed: %!STATUS!", status); } status = KphMsgDynAddUnicodeString(msg, KphMsgFieldRegistryPath, &ImageInformation->RegistryPath); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } if (KphInformerOpts(actorProcess).EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); Exit: if (actorProcess) { KphDereferenceObject(actorProcess); } } /** * \brief Starts the image informer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphImageInformerStart( VOID ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); if (KphDynPsSetLoadImageNotifyRoutineEx) { status = KphDynPsSetLoadImageNotifyRoutineEx( KphpLoadImageNotifyRoutine, PS_IMAGE_NOTIFY_CONFLICTING_ARCHITECTURE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register image notify routine: %!STATUS!", status); return status; } } else { status = PsSetLoadImageNotifyRoutine(KphpLoadImageNotifyRoutine); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register image notify routine: %!STATUS!", status); return status; } } if (!KphSeRegisterImageVerificationCallback || !KphSeUnregisterImageVerificationCallback) { return STATUS_SUCCESS; } status = KphSeRegisterImageVerificationCallback( SeImageTypeDriver, SeImageVerificationCallbackInformational, KphpImageVerificationCallback, NULL, NULL, &KphpImageVerificationCallbackHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register image verification callback: " "%!STATUS!", status); KphpImageVerificationCallbackHandle = NULL; return status; } return STATUS_SUCCESS; } /** * \brief Stops the image informer. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphImageInformerStop( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (KphpImageVerificationCallbackHandle) { NT_ASSERT(KphSeUnregisterImageVerificationCallback); KphSeUnregisterImageVerificationCallback(KphpImageVerificationCallbackHandle); } PsRemoveLoadImageNotifyRoutine(KphpLoadImageNotifyRoutine); } ================================================ FILE: KSystemInformer/informer_object.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include #include typedef union _KPH_OB_OPTIONS { UCHAR Flags; struct { UCHAR PreEnabled : 1; UCHAR PostEnabled : 1; UCHAR EnableStackTraces : 1; UCHAR Spare : 5; }; } KPH_OB_OPTIONS, *PKPH_OB_OPTIONS; typedef struct _KPH_OB_CALL_CONTEXT { ULONG64 PreSequence; LARGE_INTEGER PreTimeStamp; KPH_OB_OPTIONS Options; ACCESS_MASK DesiredAccess; ACCESS_MASK OriginalDesiredAccess; HANDLE SourceProcessId; HANDLE TargetProcessId; } KPH_OB_CALL_CONTEXT, *PKPH_OB_CALL_CONTEXT; KPH_PROTECTED_DATA_SECTION_PUSH(); static PVOID KphpObRegistrationHandle = NULL; KPH_PROTECTED_DATA_SECTION_POP(); static PAGED_LOOKASIDE_LIST KphpObCallContextLookaside = { 0 }; KPH_PAGED_FILE(); static ULONG64 KphpObSequence = 0; /** * \brief Retrieves the object operation options. * * \param[in] Info Object manager pre-operation callback information. * * \return The object operation options. */ _IRQL_requires_max_(APC_LEVEL) KPH_OB_OPTIONS KphpObGetOptions( _In_ POB_PRE_OPERATION_INFORMATION Info ) { KPH_OB_OPTIONS options; PKPH_PROCESS_CONTEXT process; KPH_PAGED_CODE(); options.Flags = 0; if (Info->KernelHandle) { process = KphGetSystemProcessContext(); } else { process = KphGetCurrentProcessContext(); } #define KPH_OB_SETTING(name) \ if (KphInformerEnabled(HandlePre##name, process)) \ { \ options.PreEnabled = TRUE; \ } \ if (KphInformerEnabled(HandlePost##name, process)) \ { \ options.PostEnabled = TRUE; \ } if (Info->Operation == OB_OPERATION_HANDLE_CREATE) { if (Info->ObjectType == *PsProcessType) { KPH_OB_SETTING(CreateProcess); } else if (Info->ObjectType == *PsThreadType) { KPH_OB_SETTING(CreateThread); } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); KPH_OB_SETTING(CreateDesktop); } } else { if (Info->ObjectType == *PsProcessType) { KPH_OB_SETTING(DuplicateProcess); } else if (Info->ObjectType == *PsThreadType) { KPH_OB_SETTING(DuplicateThread); } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); KPH_OB_SETTING(DuplicateDesktop); } } if (options.PreEnabled || options.PostEnabled) { options.EnableStackTraces = !!KphInformerOpts(process).EnableStackTraces; } if (process) { KphDereferenceObject(process); } return options; } /** * \brief Retrieves the message ID for the object pre-operation callback. * * \param[in] Info Object manager pre-operation callback information. * * \return The message ID for the callback. */ _IRQL_requires_max_(APC_LEVEL) KPH_MESSAGE_ID KphpObPreGetMessageId( _In_ POB_PRE_OPERATION_INFORMATION Info ) { KPH_MESSAGE_ID messageId; KPH_PAGED_CODE(); if (Info->Operation == OB_OPERATION_HANDLE_CREATE) { if (Info->ObjectType == *PsProcessType) { messageId = KphMsgHandlePreCreateProcess; } else if (Info->ObjectType == *PsThreadType) { messageId = KphMsgHandlePreCreateThread; } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); messageId = KphMsgHandlePreCreateDesktop; } } else { NT_ASSERT(Info->Operation == OB_OPERATION_HANDLE_DUPLICATE); if (Info->ObjectType == *PsProcessType) { messageId = KphMsgHandlePreDuplicateProcess; } else if (Info->ObjectType == *PsThreadType) { messageId = KphMsgHandlePreDuplicateThread; } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); messageId = KphMsgHandlePreDuplicateDesktop; } } return messageId; } /** * \brief Retrieves the message ID for the object post-operation callback. * * \param[in] Info Object manager post-operation callback information. * * \return The message ID for the callback. */ _IRQL_requires_max_(APC_LEVEL) KPH_MESSAGE_ID KphpObPostGetMessageId( _In_ POB_POST_OPERATION_INFORMATION Info ) { KPH_MESSAGE_ID messageId; KPH_PAGED_CODE(); if (Info->Operation == OB_OPERATION_HANDLE_CREATE) { if (Info->ObjectType == *PsProcessType) { messageId = KphMsgHandlePostCreateProcess; } else if (Info->ObjectType == *PsThreadType) { messageId = KphMsgHandlePostCreateThread; } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); messageId = KphMsgHandlePostCreateDesktop; } } else { NT_ASSERT(Info->Operation == OB_OPERATION_HANDLE_DUPLICATE); if (Info->ObjectType == *PsProcessType) { messageId = KphMsgHandlePostDuplicateProcess; } else if (Info->ObjectType == *PsThreadType) { messageId = KphMsgHandlePostDuplicateThread; } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); messageId = KphMsgHandlePostDuplicateDesktop; } } return messageId; } /** * \brief Copies the object name into a message for registered object callbacks. * * \details Used to populate the desktop name for desktop object callbacks. * * \param[in,out] Message The message to populate. * \param[in] Object The object for which the name is populated in the message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObCopyObjectName( _Inout_ PKPH_MESSAGE Message, _In_ PVOID Object ) { NTSTATUS status; POBJECT_NAME_INFORMATION info; ULONG length; KPH_PAGED_CODE(); info = NULL; status = ObQueryNameString(Object, NULL, 0, &length); if ((status != STATUS_INFO_LENGTH_MISMATCH) && (status != STATUS_BUFFER_TOO_SMALL)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ObQueryNameString: %!STATUS!", status); goto Exit; } info = KphAllocatePaged(length, KPH_TAG_OB_OBJECT_NAME); if (!info) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate buffer for object name"); goto Exit; } status = ObQueryNameString(Object, info, length, &length); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ObQueryNameString failed: %!STATUS!", status); goto Exit; } status = KphMsgDynAddUnicodeString(Message, KphMsgFieldObjectName, &info->Name); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } Exit: if (info) { KphFree(info, KPH_TAG_OB_OBJECT_NAME); } } /** * \brief Fills the object pre-operation callback message. * * \param[in,out] Message The message to populate. * \param[in] Info Object manager pre-operation callback information. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObPreFillMessage( _Inout_ PKPH_MESSAGE Message, _In_ POB_PRE_OPERATION_INFORMATION Info ) { KPH_PAGED_CODE(); Message->Kernel.Handle.ContextClientId.UniqueProcess = PsGetCurrentProcessId(); Message->Kernel.Handle.ContextClientId.UniqueThread = PsGetCurrentThreadId(); Message->Kernel.Handle.ContextProcessStartKey = KphGetCurrentProcessStartKey(); Message->Kernel.Handle.Flags = Info->Flags; Message->Kernel.Handle.Object = Info->Object; if (Info->Operation == OB_OPERATION_HANDLE_CREATE) { POB_PRE_CREATE_HANDLE_INFORMATION params; params = &Info->Parameters->CreateHandleInformation; Message->Kernel.Handle.Pre.DesiredAccess = params->DesiredAccess; Message->Kernel.Handle.Pre.OriginalDesiredAccess = params->OriginalDesiredAccess; if (Info->ObjectType == *PsProcessType) { Message->Kernel.Handle.Pre.Create.Process.ProcessId = PsGetProcessId(Info->Object); } else if (Info->ObjectType == *PsThreadType) { Message->Kernel.Handle.Pre.Create.Thread.ClientId.UniqueProcess = PsGetProcessId(PsGetThreadProcess(Info->Object)); Message->Kernel.Handle.Pre.Create.Thread.ClientId.UniqueThread = PsGetThreadId(Info->Object); Message->Kernel.Handle.Pre.Create.Thread.SubProcessTag = KphGetThreadSubProcessTag(Info->Object); } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); KphpObCopyObjectName(Message, Info->Object); } } else { POB_PRE_DUPLICATE_HANDLE_INFORMATION params; NT_ASSERT(Info->Operation == OB_OPERATION_HANDLE_DUPLICATE); params = &Info->Parameters->DuplicateHandleInformation; Message->Kernel.Handle.Duplicate = TRUE; Message->Kernel.Handle.Pre.DesiredAccess = params->DesiredAccess; Message->Kernel.Handle.Pre.OriginalDesiredAccess = params->OriginalDesiredAccess; Message->Kernel.Handle.Pre.Duplicate.SourceProcessId = PsGetProcessId(params->SourceProcess); Message->Kernel.Handle.Pre.Duplicate.TargetProcessId = PsGetProcessId(params->TargetProcess); if (Info->ObjectType == *PsProcessType) { Message->Kernel.Handle.Pre.Duplicate.Process.ProcessId = PsGetProcessId(Info->Object); } else if (Info->ObjectType == *PsThreadType) { Message->Kernel.Handle.Pre.Duplicate.Thread.ClientId.UniqueProcess = PsGetProcessId(PsGetThreadProcess(Info->Object)); Message->Kernel.Handle.Pre.Duplicate.Thread.ClientId.UniqueThread = PsGetThreadId(Info->Object); Message->Kernel.Handle.Pre.Duplicate.Thread.SubProcessTag = KphGetThreadSubProcessTag(Info->Object); } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); KphpObCopyObjectName(Message, Info->Object); } } } /** * \brief Fills the object post-operation callback message. * * \param[in,out] Message The message to populate. * \param[in] Info Object manager post-operation callback information. * \param[in] Context The object call context. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObPostFillMessage( _Inout_ PKPH_MESSAGE Message, _In_ POB_POST_OPERATION_INFORMATION Info, _In_ PKPH_OB_CALL_CONTEXT Context ) { KPH_PAGED_CODE(); Message->Kernel.Handle.ContextClientId.UniqueProcess = PsGetCurrentProcessId(); Message->Kernel.Handle.ContextClientId.UniqueThread = PsGetCurrentThreadId(); Message->Kernel.Handle.ContextProcessStartKey = KphGetCurrentProcessStartKey(); Message->Kernel.Handle.ContextThreadSubProcessTag = KphGetCurrentThreadSubProcessTag(); Message->Kernel.Handle.Flags = Info->Flags; Message->Kernel.Handle.Object = Info->Object; Message->Kernel.Handle.PostOperation = TRUE; Message->Kernel.Handle.Post.PreSequence = Context->PreSequence; Message->Kernel.Handle.Post.PreTimeStamp = Context->PreTimeStamp; Message->Kernel.Handle.Post.ReturnStatus = Info->ReturnStatus; Message->Kernel.Handle.Post.DesiredAccess = Context->DesiredAccess; Message->Kernel.Handle.Post.OriginalDesiredAccess = Context->OriginalDesiredAccess; if (Info->Operation == OB_OPERATION_HANDLE_CREATE) { POB_POST_CREATE_HANDLE_INFORMATION params; params = &Info->Parameters->CreateHandleInformation; Message->Kernel.Handle.Post.GrantedAccess = params->GrantedAccess; if (Info->ObjectType == *PsProcessType) { Message->Kernel.Handle.Post.Create.Process.ProcessId = PsGetProcessId(Info->Object); } else if (Info->ObjectType == *PsThreadType) { Message->Kernel.Handle.Post.Create.Thread.ClientId.UniqueProcess = PsGetProcessId(PsGetThreadProcess(Info->Object)); Message->Kernel.Handle.Post.Create.Thread.ClientId.UniqueThread = PsGetThreadId(Info->Object); Message->Kernel.Handle.Post.Create.Thread.SubProcessTag = KphGetThreadSubProcessTag(Info->Object); } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); KphpObCopyObjectName(Message, Info->Object); } } else { POB_POST_DUPLICATE_HANDLE_INFORMATION params; NT_ASSERT(Info->Operation == OB_OPERATION_HANDLE_DUPLICATE); params = &Info->Parameters->DuplicateHandleInformation; Message->Kernel.Handle.Duplicate = TRUE; Message->Kernel.Handle.Post.GrantedAccess = params->GrantedAccess; Message->Kernel.Handle.Post.Duplicate.SourceProcessId = Context->SourceProcessId; Message->Kernel.Handle.Post.Duplicate.TargetProcessId = Context->TargetProcessId; if (Info->ObjectType == *PsProcessType) { Message->Kernel.Handle.Post.Duplicate.Process.ProcessId = PsGetProcessId(Info->Object); } else if (Info->ObjectType == *PsThreadType) { Message->Kernel.Handle.Post.Duplicate.Thread.ClientId.UniqueProcess = PsGetProcessId(PsGetThreadProcess(Info->Object)); Message->Kernel.Handle.Post.Duplicate.Thread.ClientId.UniqueThread = PsGetThreadId(Info->Object); Message->Kernel.Handle.Post.Duplicate.Thread.SubProcessTag = KphGetThreadSubProcessTag(Info->Object); } else { NT_ASSERT(Info->ObjectType == *ExDesktopObjectType); KphpObCopyObjectName(Message, Info->Object); } } } /** * \brief Sends an object post-operation callback message. * * \param[in] Info Object manager post-operation callback information. * \param[in] Sequence The sequence number for the message. * \param[in] Context The object call context. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObPostOpSend( _In_ POB_POST_OPERATION_INFORMATION Info, _In_ ULONG64 Sequence, _In_ PKPH_OB_CALL_CONTEXT Context ) { PKPH_MESSAGE msg; KPH_PAGED_CODE(); msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); return; } KphMsgInit(msg, KphpObPostGetMessageId(Info)); msg->Kernel.Handle.Sequence = Sequence; KphpObPostFillMessage(msg, Info, Context); if (Context->Options.EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); } /** * \brief Object manager post-operation callback. * * \param[in] Context Not used. * \param[in] Info The object post-operation information. */ _Function_class_(POB_POST_OPERATION_CALLBACK) _IRQL_requires_max_(APC_LEVEL) VOID KphpObPostOp( _In_ PVOID Context, _In_ POB_POST_OPERATION_INFORMATION Info ) { PKPH_OB_CALL_CONTEXT context; ULONG64 sequence; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Context); sequence = InterlockedIncrementU64(&KphpObSequence); context = Info->CallContext; if (context) { KphpObPostOpSend(Info, sequence, context); KphFreeToPagedLookaside(&KphpObCallContextLookaside, context); } } /** * \brief Sets the object callback call context for the post-operation to use. * * \param[in] Info Object manager pre-operation callback information. * \param[in] Options Object operation options to use. * \param[in] Sequence The pre-operation sequence number. * \param[in] TimeStamp The pre-operation time stamp. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObPreOpSetCallContext( _In_ POB_PRE_OPERATION_INFORMATION Info, _In_ PKPH_OB_OPTIONS Options, _In_ ULONG64 Sequence, _In_ PLARGE_INTEGER TimeStamp ) { PKPH_OB_CALL_CONTEXT context; KPH_PAGED_CODE(); context = KphAllocateFromPagedLookaside(&KphpObCallContextLookaside); if (!context) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate call context"); return; } context->PreSequence = Sequence; context->PreTimeStamp = *TimeStamp; context->Options.Flags = Options->Flags; if (Info->Operation == OB_OPERATION_HANDLE_CREATE) { POB_PRE_CREATE_HANDLE_INFORMATION params; params = &Info->Parameters->CreateHandleInformation; context->DesiredAccess = params->DesiredAccess; context->OriginalDesiredAccess = params->OriginalDesiredAccess; } else { POB_PRE_DUPLICATE_HANDLE_INFORMATION params; NT_ASSERT(Info->Operation == OB_OPERATION_HANDLE_DUPLICATE); params = &Info->Parameters->DuplicateHandleInformation; context->DesiredAccess = params->DesiredAccess; context->OriginalDesiredAccess = params->OriginalDesiredAccess; context->SourceProcessId = PsGetProcessId(params->SourceProcess); context->TargetProcessId = PsGetProcessId(params->TargetProcess); } Info->CallContext = context; } /** * \brief Sends an object pre-operation callback message. * * \param[in] Info Object manager pre-operation callback information. * \param[in] Options Object operation options to use. * \param[in] Sequence The sequence number for the message. * \param[out] TimeStamp Receives the time stamp of the pre-operation message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObPreOpSend( _In_ POB_PRE_OPERATION_INFORMATION Info, _In_ PKPH_OB_OPTIONS Options, _In_ ULONG64 Sequence, _Out_ PLARGE_INTEGER TimeStamp ) { PKPH_MESSAGE msg; KPH_PAGED_CODE(); msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); KeQuerySystemTime(TimeStamp); return; } KphMsgInit(msg, KphpObPreGetMessageId(Info)); *TimeStamp = msg->Header.TimeStamp; msg->Kernel.Handle.Sequence = Sequence; KphpObPreFillMessage(msg, Info); if (Options->EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); } /** * \brief Performs process tracking in object manager callbacks. * * \param[in] ProcessObject The process object to track. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpObPerformProcessTracking( _In_ PEPROCESS ProcessObject ) { PKPH_PROCESS_CONTEXT process; KPH_PAGED_CODE_PASSIVE(); process = KphGetEProcessContext(ProcessObject); if (process) { if (process->CreateNotification || process->NumberOfThreads) { // // Let the process notification routine handle this process. // // N.B. We check CreateNotification and NumberOfThreads because we // may have loaded too late to observe the original create // notification. This avoids unnecessarily entering the logic below. // goto Exit; } // // N.B. If a process is created and terminated without ever having a // thread, the registered process notifications will not be called. // // In this case, indicators such as ExitTime, ExitStatus, and // ProcessExiting will not be updated. However, the process exit // synchronization (rundown) will be activated when the process // terminates. // if (NT_SUCCESS(PsAcquireProcessExitSynchronization(ProcessObject))) { PsReleaseProcessExitSynchronization(ProcessObject); goto Exit; } KphDereferenceObject(process); process = KphUntrackProcessContext(PsGetProcessId(ProcessObject)); if (process) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Stopped tracking process %wZ (%lu)", &process->ImageName, HandleToULong(process->ProcessId)); } goto Exit; } if (PsGetProcessExitProcessCalled(ProcessObject)) { // // Do not begin tracking the process if it has already exited. // goto Exit; } process = KphTrackProcessContext(ProcessObject); if (process) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Tracking process %wZ (%lu)", &process->ImageName, HandleToULong(process->ProcessId)); KphVerifyProcessAndProtectIfAppropriate(process); } else { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to track process %lu", HandleToULong(PsGetProcessId(ProcessObject))); } Exit: if (process) { KphDereferenceObject(process); } } /** * \brief Performs thread tracking in object manager callbacks. * * \param[in] ThreadObject The thread object to track. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObPerformThreadTracking( _In_ PETHREAD ThreadObject ) { PKPH_THREAD_CONTEXT thread; // // N.B. Although Microsoft's documentation states that object callbacks // are invoked at PASSIVE_LEVEL, they can and *do* get invoked at APC_LEVEL // in practice. // // This is because thread creation can happen at APC_LEVEL and thread // creation will open a handle to the thread object, which in turn invokes // the object manager callbacks. This behavior has been observed and is // triggered by Microsoft's own kernel components - no third-party drivers. // As such, assuming callbacks always run at PASSIVE_LEVEL is unsafe. This // contradicts the stated IRQL guarantees - use caution. // // For reference, see the documentation for PCREATE_THREAD_NOTIFY_ROUTINE. // Note that although PsCreateSystemThread being documented as requiring // PASSIVE_LEVEL, it can and *does* get invoked at APC_LEVEL in practice. // KPH_PAGED_CODE(); thread = KphGetEThreadContext(ThreadObject); if (thread) { // // Let the thread notification routine handle any exiting threads. // goto Exit; } if (PsIsThreadTerminating(ThreadObject)) { // // Do not begin tracking the thread if it is terminating. // goto Exit; } thread = KphTrackThreadContext(ThreadObject); if (thread) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Tracking thread %lu in process %wZ (%lu)", HandleToULong(thread->ClientId.UniqueThread), KphGetThreadImageName(thread), HandleToULong(thread->ClientId.UniqueProcess)); } else { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to track thread %lu in process %lu", HandleToULong(PsGetThreadId(ThreadObject)), HandleToULong(PsGetThreadProcessId(ThreadObject))); } Exit: if (thread) { KphDereferenceObject(thread); } } /** * \brief Performs process and thread tracking in object manager callbacks. * * \param[in] Info Object manager pre-operation callback information. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpObPerformProcessAndThreadTracking( _In_ POB_PRE_OPERATION_INFORMATION Info ) { KIRQL currentIrql; KPH_PAGED_CODE(); // // During the object pre-operation callback, supplement process and thread // tracking that is normally performed in the process and thread // notification routines. // // The process notification routines are called when the initial thread is // inserted into a process. However, a process can exist before those // routines are invoked. If no thread is ever created in the process, it // may exist without triggering any notification callbacks. When a handle is // created for such a process (either during creation or by being opened // from another process), we take this opportunity to perform tracking. // // We also use this point to sanity check that other contexts exist. // If one doesn’t, it may be due to earlier resource constraints. // // N.B. If another driver has registered a process or thread notification // routine before ours, it can cause us to land here before our own routines // are called. Our tracking handles this scenario gracefully. This typically // happens with security products that invoke user-mode code during process // creation, and their user-mode component opens the process. // if (Info->KernelHandle) { // // N.B. This prevents our own tracking routines from becoming reentrant. // Our tracking routines always open a kernel handle. // return; } // // N.B. Thread creation routines can be invoked at APC_LEVEL, which in turn // causes the object manager's pre-operation callbacks to be invoked. Our // thread tracking supports being called at APC_LEVEL, but process tracking // requires PASSIVE_LEVEL. Therefore, we check the current IRQL below before // attempting any process tracking. // currentIrql = KeGetCurrentIrql(); if (currentIrql == PASSIVE_LEVEL) { KphpObPerformProcessTracking(PsGetCurrentProcess()); } KphpObPerformThreadTracking(PsGetCurrentThread()); if (Info->ObjectType == *PsProcessType) { if (currentIrql == PASSIVE_LEVEL) { KphpObPerformProcessTracking(Info->Object); } } else if (Info->ObjectType == *PsThreadType) { if (currentIrql == PASSIVE_LEVEL) { KphpObPerformProcessTracking(PsGetThreadProcess(Info->Object)); } KphpObPerformThreadTracking(Info->Object); } } /** * \brief Object manager pre-operation callback. * * \param[in] Context Not used. * \param[in,out] Info The object pre-operation information. * * \return OB_PREOP_SUCCESS */ _Function_class_(POB_PRE_OPERATION_CALLBACK) _IRQL_requires_max_(APC_LEVEL) OB_PREOP_CALLBACK_STATUS KphpObPreOp( _In_ PVOID Context, _Inout_ POB_PRE_OPERATION_INFORMATION Info ) { KPH_OB_OPTIONS options; ULONG64 sequence; LARGE_INTEGER timeStamp; // // N.B. Although Microsoft's documentation states that object callbacks // are invoked at PASSIVE_LEVEL, they can and *do* get invoked at APC_LEVEL // in practice. // // This is because thread creation can happen at APC_LEVEL and thread // creation will open a handle to the thread object, which in turn invokes // the object manager callbacks. This behavior has been observed and is // triggered by Microsoft's own kernel components - no third-party drivers. // As such, assuming callbacks always run at PASSIVE_LEVEL is unsafe. This // contradicts the stated IRQL guarantees - use caution. // // For reference, see the documentation for PCREATE_THREAD_NOTIFY_ROUTINE. // Note that although PsCreateSystemThread being documented as requiring // PASSIVE_LEVEL, it can and *does* get invoked at APC_LEVEL in practice. // KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Context); KphpObPerformProcessAndThreadTracking(Info); KphApplyObProtections(Info); sequence = InterlockedIncrementU64(&KphpObSequence); options = KphpObGetOptions(Info); if (options.PreEnabled) { KphpObPreOpSend(Info, &options, sequence, &timeStamp); } else { // // Pre operations aren't enabled, but we need the time stamp for the // post operation to use. // KeQuerySystemTime(&timeStamp); } if (options.PostEnabled) { KphpObPreOpSetCallContext(Info, &options, sequence, &timeStamp); } return OB_PREOP_SUCCESS; } /** * \brief Starts the object informer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphObjectInformerStart( VOID ) { NTSTATUS status; OB_CALLBACK_REGISTRATION callbackRegistration; OB_OPERATION_REGISTRATION operationRegistration[3]; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphAltitude); RtlZeroMemory(operationRegistration, sizeof(operationRegistration)); operationRegistration[0].ObjectType = PsProcessType; operationRegistration[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; operationRegistration[0].PreOperation = KphpObPreOp; operationRegistration[0].PostOperation = KphpObPostOp; operationRegistration[1].ObjectType = PsThreadType; operationRegistration[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; operationRegistration[1].PreOperation = KphpObPreOp; operationRegistration[1].PostOperation = KphpObPostOp; operationRegistration[2].ObjectType = ExDesktopObjectType; operationRegistration[2].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; operationRegistration[2].PreOperation = KphpObPreOp; operationRegistration[2].PostOperation = KphpObPostOp; callbackRegistration.Version = OB_FLT_REGISTRATION_VERSION; callbackRegistration.OperationRegistrationCount = ARRAYSIZE(operationRegistration); callbackRegistration.Altitude.Buffer = KphAltitude->Buffer; callbackRegistration.Altitude.Length = KphAltitude->Length; callbackRegistration.Altitude.MaximumLength = KphAltitude->MaximumLength; callbackRegistration.RegistrationContext = NULL; callbackRegistration.OperationRegistration = operationRegistration; KphInitializePagedLookaside(&KphpObCallContextLookaside, sizeof(KPH_OB_CALL_CONTEXT), KPH_TAG_OB_CALL_CONTEXT); status = ObRegisterCallbacks(&callbackRegistration, &KphpObRegistrationHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ObRegisterCallbacks failed: %!STATUS!", status); KphDeletePagedLookaside(&KphpObCallContextLookaside); KphpObRegistrationHandle = NULL; } return status; } /** * \brief Stops the object informer. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphObjectInformerStop( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (KphpObRegistrationHandle) { ObUnRegisterCallbacks(KphpObRegistrationHandle); KphDeletePagedLookaside(&KphpObCallContextLookaside); } } ================================================ FILE: KSystemInformer/informer_process.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include #include typedef struct _KPH_PROCESS_CREATE_APC { KSI_KAPC Apc; PKPH_THREAD_CONTEXT Actor; } KPH_PROCESS_CREATE_APC, *PKPH_PROCESS_CREATE_APC; KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_NPAGED_LOOKASIDE_OBJECT KphpProcesCreateApcLookaside = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Allocates the process create APC which is used to track when a thread * is actively in the kernel creating a process. * * \return Pointer to allocates process create APC, null on failure. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Return_allocatesMem_ PKPH_PROCESS_CREATE_APC KphpAllocateProcessCreateApc( VOID ) { PKPH_PROCESS_CREATE_APC apc; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KphpProcesCreateApcLookaside); apc = KphAllocateFromNPagedLookasideObject(KphpProcesCreateApcLookaside); if (apc) { KphReferenceObject(KphpProcesCreateApcLookaside); } return apc; } /** * \brief Frees a previously allocated process create APC. * * \param[in] Apc The process create APC to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpFreeProcessCreateApc( _In_freesMem_ PKPH_PROCESS_CREATE_APC Apc ) { KPH_PAGED_CODE(); NT_ASSERT(KphpProcesCreateApcLookaside); KphDereferenceObject(Apc->Actor); KphFreeToNPagedLookasideObject(KphpProcesCreateApcLookaside, Apc); KphDereferenceObject(KphpProcesCreateApcLookaside); } /** * \brief Performing process tracking. * * \param[in] Process The process object from the notification callback. * \param[in] ProcessId Process ID from the notification callback. * \param[in] CreateInfo The create information from the callback. * * \return Pointer to the process context, may be null, the caller should * dereference this object if it is non-null. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ PKPH_PROCESS_CONTEXT KphpPerformProcessTracking( _Inout_ PEPROCESS Process, _In_ HANDLE ProcessId, _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo ) { PKPH_PROCESS_CONTEXT process; PKPH_PROCESS_CONTEXT creatorProcess; KPH_PAGED_CODE_PASSIVE(); creatorProcess = NULL; if (!CreateInfo) { process = KphUntrackProcessContext(ProcessId); if (!process) { goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Stopped tracking process %wZ (%lu)", &process->ImageName, HandleToULong(process->ProcessId)); process->ExitNotification = TRUE; NT_ASSERT(process->NumberOfThreads == 0); NT_ASSERT(IsListEmpty(&process->ThreadListHead)); goto Exit; } NT_ASSERT(CreateInfo); process = KphTrackProcessContext(Process); if (!process) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to track process %lu", HandleToULong(ProcessId)); goto Exit; } process->CreateNotification = TRUE; process->CreatorClientId.UniqueProcess = PsGetCurrentProcessId(); process->CreatorClientId.UniqueThread = PsGetCurrentThreadId(); KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Tracking process %wZ (%lu)", &process->ImageName, HandleToULong(process->ProcessId)); KphVerifyProcessAndProtectIfAppropriate(process); creatorProcess = KphGetCurrentProcessContext(); if (!creatorProcess) { goto Exit; } if (!KphTestProcessContextState(process, KPH_PROCESS_STATE_HIGH)) { goto Exit; } if (KphTestProcessContextState(creatorProcess, KPH_PROCESS_STATE_MAXIMUM)) { process->SecurelyCreated = TRUE; } else { PS_PROTECTION processProtection; processProtection = PsGetProcessProtection(creatorProcess->EProcess); if ((processProtection.Type != PsProtectedTypeNone) && ((processProtection.Signer == PsProtectedSignerWinTcb) || (processProtection.Signer == PsProtectedSignerWinSystem))) { process->SecurelyCreated = TRUE; } } Exit: if (creatorProcess) { KphDereferenceObject(creatorProcess); } return process; } /** * \brief Informs any clients of process notify routine invocations. * * \param[in,out] Process The process being created. * \param[in,out] CreateInfo Information on the process being created, if the * process is being destroyed this is NULL. * */ _Function_class_(PCREATE_PROCESS_NOTIFY_ROUTINE_EX) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpCreateProcessNotifyInformer( _In_ PKPH_PROCESS_CONTEXT Process, _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo ) { NTSTATUS status; PKPH_MESSAGE msg; PKPH_MESSAGE reply; PEPROCESS parentProcess; PKPH_PROCESS_CONTEXT actorProcess; KPH_INFORMER_OPTIONS opts; KPH_PAGED_CODE_PASSIVE(); msg = NULL; reply = NULL; parentProcess = NULL; actorProcess = KphGetCurrentProcessContext(); if (CreateInfo) { if (!KphInformerEnabled(ProcessCreate, actorProcess)) { goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } status = PsLookupProcessByProcessId(CreateInfo->ParentProcessId, &parentProcess); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "PsLookupProcessByProcessId failed: %!STATUS!", status); parentProcess = NULL; } KphMsgInit(msg, KphMsgProcessCreate); msg->Kernel.ProcessCreate.CreatingClientId.UniqueProcess = PsGetCurrentProcessId(); msg->Kernel.ProcessCreate.CreatingClientId.UniqueThread = PsGetCurrentThreadId(); msg->Kernel.ProcessCreate.CreatingProcessStartKey = KphGetCurrentProcessStartKey(); msg->Kernel.ProcessCreate.CreatingThreadSubProcessTag = KphGetCurrentThreadSubProcessTag(); msg->Kernel.ProcessCreate.TargetProcessId = Process->ProcessId; msg->Kernel.ProcessCreate.TargetProcessStartKey = KphGetProcessStartKey(Process->EProcess); msg->Kernel.ProcessCreate.Flags = CreateInfo->Flags; msg->Kernel.ProcessCreate.FileObject = CreateInfo->FileObject; msg->Kernel.ProcessCreate.ParentProcessId = CreateInfo->ParentProcessId; if (parentProcess) { msg->Kernel.ProcessCreate.ParentProcessStartKey = KphGetProcessStartKey(parentProcess); } if (Process->ImageFileName) { status = KphMsgDynAddUnicodeString(msg, KphMsgFieldFileName, Process->ImageFileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } } if (CreateInfo->CommandLine) { status = KphMsgDynAddUnicodeString(msg, KphMsgFieldCommandLine, CreateInfo->CommandLine); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } } opts = KphInformerOpts(actorProcess); if (opts.EnableStackTraces) { KphCaptureStackInMessage(msg); } if (!opts.EnableProcessCreateReply) { KphCommsSendMessageAsync(msg); msg = NULL; goto Exit; } reply = KphAllocateMessage(); if (!reply) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } status = KphCommsSendMessage(msg, reply); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to send message (%lu): %!STATUS!", (ULONG)msg->Header.MessageId, status); goto Exit; } if ((reply->Header.MessageId == KphMsgProcessCreate) && (reply->Reply.ProcessCreate.CreationStatus != STATUS_SUCCESS)) { CreateInfo->CreationStatus = reply->Reply.ProcessCreate.CreationStatus; } } else { if (!KphInformerEnabled(ProcessExit, actorProcess)) { goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } KphMsgInit(msg, KphMsgProcessExit); msg->Kernel.ProcessExit.ClientId.UniqueProcess = PsGetCurrentProcessId(); msg->Kernel.ProcessExit.ClientId.UniqueThread = PsGetCurrentThreadId(); msg->Kernel.ProcessExit.ProcessStartKey = KphGetProcessStartKey(Process->EProcess); msg->Kernel.ProcessExit.ExitStatus = PsGetProcessExitStatus(Process->EProcess); if (KphInformerOpts(actorProcess).EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); msg = NULL; } Exit: if (reply) { KphFreeMessage(reply); } if (msg) { KphFreeMessage(msg); } if (parentProcess) { ObDereferenceObject(parentProcess); } if (actorProcess) { KphDereferenceObject(actorProcess); } } /** * \brief Cleanup routine for the create process APC. * * \param[in] Apc The APC to clean up. * \param[in] Reason Unused. */ _Function_class_(KSI_KCLEANUP_ROUTINE) _IRQL_requires_min_(PASSIVE_LEVEL) _IRQL_requires_max_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpProcessCreateCleanupRoutine( _In_ PKSI_KAPC Apc, _In_ KSI_KAPC_CLEANUP_REASON Reason ) { PKPH_PROCESS_CREATE_APC apc; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Reason); apc = CONTAINING_RECORD(Apc, KPH_PROCESS_CREATE_APC, Apc); KphpFreeProcessCreateApc(apc); } /** * \brief Performs process creation actions at return from system. * * \details We use an APC to do state tracking in the current thread context. * This enables us to identify when the thread is currently in the kernel * creating a process. In this kernel routine we clear state from the acting * thread before it returns from the system. * * \param[in] Apc The APC that is executing. * \param[in] NormalRoutine Set to NULL to cancel the faked routine. * \param[in,out] NormalContext Unused. * \param[in,out] SystemArgument1 Unused. * \param[in,out] SystemArgument2 Unused. */ _Function_class_(KSI_KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpProcessCreateKernelRoutine( _In_ PKSI_KAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ) { PKPH_PROCESS_CREATE_APC apc; KPH_PAGED_CODE_APC(); apc = CONTAINING_RECORD(Apc, KPH_PROCESS_CREATE_APC, Apc); DBG_UNREFERENCED_PARAMETER(NormalRoutine); NT_ASSERT(apc->Actor->ProcessContext->ApcNoopRoutine); NT_ASSERT(*NormalRoutine == apc->Actor->ProcessContext->ApcNoopRoutine); *NormalContext = NULL; *SystemArgument1 = NULL; *SystemArgument2 = NULL; NT_ASSERT(apc->Actor->IsCreatingProcess); apc->Actor->IsCreatingProcess = FALSE; apc->Actor->IsCreatingProcessId = NULL; } /** * \brief Performs tracking of the actor thread creating a process. * * \details We use an APC to do state tracking in the current thread context. * This enables us to identify when the thread is currently in the kernel * creating a process. This will be cleared when the kernel routine fires * before returning from the system. * * \param[in] Process The process context of the process being created. * \param[in,out] CreateInfo Information on the process being created, if the * process is being destroyed this is NULL. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpPerformProcessCreationTracking( _In_ PKPH_PROCESS_CONTEXT Process, _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo ) { NTSTATUS status; PKPH_THREAD_CONTEXT actor; PKPH_PROCESS_CREATE_APC apc; BOOLEAN stopProtecting; KPH_PAGED_CODE_PASSIVE(); if (!CreateInfo) { return; } NT_ASSERT(PsGetCurrentProcessId() == CreateInfo->CreatingThreadId.UniqueProcess); NT_ASSERT(PsGetCurrentThreadId() == CreateInfo->CreatingThreadId.UniqueThread); if (!KphIsProtectedProcess(Process)) { return; } // // If we fail here we will stop protecting the process. If protection is // stopped the process will not be given full access to the driver APIs. // stopProtecting = TRUE; apc = NULL; actor = KphGetCurrentThreadContext(); if (!actor || !actor->ProcessContext) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Insufficient tracking."); goto Exit; } if (actor->ProcessContext->IsSubsystemProcess) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Skipping for subsystem process."); goto Exit; } status = KphCheckProcessApcNoopRoutine(actor->ProcessContext); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KphCheckProcessApcNoopRoutine failed: %!STATUS!", status); goto Exit; } apc = KphpAllocateProcessCreateApc(); if (!apc) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to allocate create process APC"); goto Exit; } apc->Actor = actor; actor = NULL; apc->Actor->IsCreatingProcess = TRUE; apc->Actor->IsCreatingProcessId = Process->ProcessId; KsiInitializeApc(&apc->Apc, KphDriverObject, apc->Actor->EThread, OriginalApcEnvironment, KphpProcessCreateKernelRoutine, KphpProcessCreateCleanupRoutine, apc->Actor->ProcessContext->ApcNoopRoutine, UserMode, NULL); if (!KsiInsertQueueApc(&apc->Apc, NULL, NULL, IO_NO_INCREMENT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "KsiInsertQueueApc failed"); // // No choice other than to reset the actor state immediately. // apc->Actor->IsCreatingProcess = FALSE; apc->Actor->IsCreatingProcessId = NULL; goto Exit; } // // Stage the thread for user mode APC delivery. // KeTestAlertThread(UserMode); stopProtecting = FALSE; apc = NULL; Exit: if (apc) { KphpFreeProcessCreateApc(apc); } if (actor) { KphDereferenceObject(actor); } if (stopProtecting) { KphStopProtectingProcess(Process); } } /** * \brief Process create notify routine. * * \param[in,out] Process The process object being created. * \param[in] ProcessId ProcessID of the process being created. * \param[in,out] CreateInfo Information on the process being created, if the * process is being destroyed this is NULL. */ _Function_class_(PCREATE_PROCESS_NOTIFY_ROUTINE_EX) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpCreateProcessNotifyRoutine( _Inout_ PEPROCESS Process, _In_ HANDLE ProcessId, _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo ) { PKPH_PROCESS_CONTEXT process; KPH_PAGED_CODE_PASSIVE(); process = KphpPerformProcessTracking(Process, ProcessId, CreateInfo); if (process) { KphpPerformProcessCreationTracking(process, CreateInfo); KphpCreateProcessNotifyInformer(process, CreateInfo); KphDereferenceObject(process); } } /** * \brief Starts the process informer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphProcessInformerStart( VOID ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); status = KphCreateNPagedLookasideObject(&KphpProcesCreateApcLookaside, sizeof(KPH_PROCESS_CREATE_APC), KPH_TAG_PROCESS_CREATE_APC); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphCreateNPagedLookasideObject failed: %!STATUS!", status); KphpProcesCreateApcLookaside = NULL; goto Exit; } if (KphDynPsSetCreateProcessNotifyRoutineEx2) { status = KphDynPsSetCreateProcessNotifyRoutineEx2(PsCreateProcessNotifySubsystems, (PVOID)KphpCreateProcessNotifyRoutine, FALSE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register process notify routine: %!STATUS!", status); goto Exit; } } else { status = PsSetCreateProcessNotifyRoutineEx(KphpCreateProcessNotifyRoutine, FALSE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register process notify routine: %!STATUS!", status); goto Exit; } } Exit: if (!NT_SUCCESS(status)) { if (KphpProcesCreateApcLookaside) { KphDereferenceObject(KphpProcesCreateApcLookaside); KphpProcesCreateApcLookaside = NULL; } } return status; } /** * \brief Stops the process informer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphProcessInformerStop( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (!KphpProcesCreateApcLookaside) { return; } if (KphDynPsSetCreateProcessNotifyRoutineEx2) { KphDynPsSetCreateProcessNotifyRoutineEx2(PsCreateProcessNotifySubsystems, (PVOID)KphpCreateProcessNotifyRoutine, TRUE); } else { PsSetCreateProcessNotifyRoutineEx(KphpCreateProcessNotifyRoutine, TRUE); } KphDereferenceObject(KphpProcesCreateApcLookaside); } ================================================ FILE: KSystemInformer/informer_registry.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include #include #include #include #include typedef union _KPH_REG_OPTIONS { UCHAR Flags; struct { UCHAR InPost : 1; UCHAR PreEnabled : 1; UCHAR PostEnabled : 1; UCHAR EnableStackTraces : 1; UCHAR EnablePostObjectNames : 1; UCHAR EnablePostValueNames : 1; UCHAR EnableValueBuffers : 1; UCHAR Spare : 1; }; } KPH_REG_OPTIONS, *PKPH_REG_OPTIONS; typedef struct _KPH_REG_CALL_CONTEXT { ULONG64 PreSequence; LARGE_INTEGER PreTimeStamp; KPH_REG_OPTIONS Options; ULONG_PTR ObjectId; PUNICODE_STRING ObjectName; PVOID Transaction; } KPH_REG_CALL_CONTEXT, *PKPH_REG_CALL_CONTEXT; typedef union _KPH_REG_PRE_INFORMATION { // // Invalid for CreateKey and OpenKey. RootObject for LoadKey. Always NULL // for SaveMergedKey. Otherwise valid. // PVOID Object; REG_DELETE_KEY_INFORMATION DeleteKey; REG_SET_VALUE_KEY_INFORMATION SetValueKey; REG_DELETE_VALUE_KEY_INFORMATION DeleteValueKey; REG_SET_INFORMATION_KEY_INFORMATION SetInformationKey; REG_RENAME_KEY_INFORMATION RenameKey; REG_ENUMERATE_KEY_INFORMATION EnumerateKey; REG_ENUMERATE_VALUE_KEY_INFORMATION EnumerateValueKey; REG_QUERY_KEY_INFORMATION QueryKey; REG_QUERY_VALUE_KEY_INFORMATION QueryValueKey; REG_QUERY_MULTIPLE_VALUE_KEY_INFORMATION QueryMultipleValueKey; REG_KEY_HANDLE_CLOSE_INFORMATION KeyHandleClose; REG_CREATE_KEY_INFORMATION_V1 CreateKey; REG_OPEN_KEY_INFORMATION_V1 OpenKey; REG_FLUSH_KEY_INFORMATION FlushKey; REG_LOAD_KEY_INFORMATION_V2 LoadKey; REG_UNLOAD_KEY_INFORMATION UnLoadKey; REG_QUERY_KEY_SECURITY_INFORMATION QueryKeySecurity; REG_SET_KEY_SECURITY_INFORMATION SetKeySecurity; REG_RESTORE_KEY_INFORMATION RestoreKey; REG_SAVE_KEY_INFORMATION SaveKey; REG_REPLACE_KEY_INFORMATION ReplaceKey; REG_QUERY_KEY_NAME QueryKeyName; REG_SAVE_MERGED_KEY_INFORMATION SaveMergedKey; } KPH_REG_PRE_INFORMATION, *PKPH_REG_PRE_INFORMATION; typedef union _KPH_REG_POST_INFORMATION { // // Must inspect Common.Status for STATUS_SUCCESS for CreateKey and OpenKey. // Always NULL for LoadKey and SaveMergedKey. Unsafe to use with // CmCallbackGetKeyObjectIDEx during post KeyHandleClose. Otherwise valid. // PVOID Object; REG_POST_OPERATION_INFORMATION Common; } KPH_REG_POST_INFORMATION, *PKPH_REG_POST_INFORMATION; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpCmDefaultValueName = RTL_CONSTANT_STRING(L"(Default)"); KPH_PROTECTED_DATA_SECTION_RO_POP(); static PAGED_LOOKASIDE_LIST KphpCmCallContextLookaside = { 0 }; KPH_PAGED_FILE(); static ULONG64 KphpCmSequence = 0; static BOOLEAN KphpCmRegistered = FALSE; static LARGE_INTEGER KphpCmCookie = { 0 }; /** * \brief Retrieves the registry operation options for the specified class. * * \param[in] RegClass The registry operation class. * * \return Options for the specified class. */ _IRQL_requires_max_(APC_LEVEL) KPH_REG_OPTIONS KphpRegGetOptions( _In_ REG_NOTIFY_CLASS RegClass ) { KPH_REG_OPTIONS options; PKPH_PROCESS_CONTEXT process; KPH_PAGED_CODE(); options.Flags = 0; if (ExGetPreviousMode() != KernelMode) { process = KphGetCurrentProcessContext(); } else { process = KphGetSystemProcessContext(); } #define KPH_REG_SETTING2(reg, name) \ case RegNtPre##reg: \ { \ if (KphInformerEnabled(RegPre##name, process)) \ { \ options.PreEnabled = TRUE; \ } \ if (KphInformerEnabled(RegPost##name, process)) \ { \ options.PostEnabled = TRUE; \ } \ break; \ } \ case RegNtPost##reg: \ { \ options.InPost = TRUE; \ break; \ } #define KPH_REG_SETTING(name) KPH_REG_SETTING2(name, name) switch (RegClass) { KPH_REG_SETTING(DeleteKey) KPH_REG_SETTING(SetValueKey) KPH_REG_SETTING(DeleteValueKey) KPH_REG_SETTING(SetInformationKey) KPH_REG_SETTING(RenameKey) KPH_REG_SETTING(EnumerateKey) KPH_REG_SETTING(EnumerateValueKey) KPH_REG_SETTING(QueryKey) KPH_REG_SETTING(QueryValueKey) KPH_REG_SETTING(QueryMultipleValueKey) KPH_REG_SETTING(KeyHandleClose) KPH_REG_SETTING2(CreateKeyEx, CreateKey) KPH_REG_SETTING2(OpenKeyEx, OpenKey) KPH_REG_SETTING(FlushKey) KPH_REG_SETTING(LoadKey) KPH_REG_SETTING(UnLoadKey) KPH_REG_SETTING(QueryKeySecurity) KPH_REG_SETTING(SetKeySecurity) KPH_REG_SETTING(RestoreKey) KPH_REG_SETTING(SaveKey) KPH_REG_SETTING(ReplaceKey) KPH_REG_SETTING(QueryKeyName) KPH_REG_SETTING(SaveMergedKey) case RegNtPreCreateKey: // XP case RegNtPostCreateKey: // XP case RegNtPreOpenKey: // XP case RegNtPostOpenKey: // XP default: { NT_ASSERT(FALSE); KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Unsupported registry operation: %lu", RegClass); break; } } if (!options.InPost && (options.PreEnabled || options.PostEnabled)) { KPH_INFORMER_OPTIONS opts; opts = KphInformerOpts(process); options.EnableStackTraces = !!opts.EnableStackTraces; options.EnablePostObjectNames = !!opts.RegEnablePostObjectNames; options.EnablePostValueNames = !!opts.RegEnablePostValueNames; options.EnableValueBuffers = !!opts.RegEnableValueBuffers; } if (process) { KphDereferenceObject(process); } return options; } /** * \brief Retrieves the message ID for the specified registry operation class. * * \param[in] RegClass The registry operation class. * * \return The message ID for the specified class. */ _IRQL_requires_max_(APC_LEVEL) KPH_MESSAGE_ID KphpRegGetMessageId( _In_ REG_NOTIFY_CLASS RegClass ) { KPH_MESSAGE_ID messageId; KPH_PAGED_CODE(); #define KPH_REG_MESSAGE_ID2(reg, name) \ case RegNtPre##reg: \ { \ messageId = KphMsgRegPre##name; \ break; \ } \ case RegNtPost##reg: \ { \ messageId = KphMsgRegPost##name; \ break; \ } #define KPH_REG_MESSAGE_ID(name) KPH_REG_MESSAGE_ID2(name, name) switch (RegClass) { KPH_REG_MESSAGE_ID(DeleteKey) KPH_REG_MESSAGE_ID(SetValueKey) KPH_REG_MESSAGE_ID(DeleteValueKey) KPH_REG_MESSAGE_ID(SetInformationKey) KPH_REG_MESSAGE_ID(RenameKey) KPH_REG_MESSAGE_ID(EnumerateKey) KPH_REG_MESSAGE_ID(EnumerateValueKey) KPH_REG_MESSAGE_ID(QueryKey) KPH_REG_MESSAGE_ID(QueryValueKey) KPH_REG_MESSAGE_ID(QueryMultipleValueKey) KPH_REG_MESSAGE_ID(KeyHandleClose) KPH_REG_MESSAGE_ID2(CreateKeyEx, CreateKey) KPH_REG_MESSAGE_ID2(OpenKeyEx, OpenKey) KPH_REG_MESSAGE_ID(FlushKey) KPH_REG_MESSAGE_ID(LoadKey) KPH_REG_MESSAGE_ID(UnLoadKey) KPH_REG_MESSAGE_ID(QueryKeySecurity) KPH_REG_MESSAGE_ID(SetKeySecurity) KPH_REG_MESSAGE_ID(RestoreKey) KPH_REG_MESSAGE_ID(SaveKey) KPH_REG_MESSAGE_ID(ReplaceKey) KPH_REG_MESSAGE_ID(QueryKeyName) KPH_REG_MESSAGE_ID(SaveMergedKey) DEFAULT_UNREACHABLE; } return messageId; } /** * \brief Populates a registry operation message with common information. * * \param[in,out] Message The message to populate. * \param[in] RegClass The registry operation class. * \param[in] PreInfo The pre-operation information. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegFillCommonMessage( _Inout_ PKPH_MESSAGE Message, _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_PRE_INFORMATION PreInfo ) { KPH_PAGED_CODE(); Message->Kernel.Reg.ClientId.UniqueProcess = PsGetCurrentProcessId(); Message->Kernel.Reg.ClientId.UniqueThread = PsGetCurrentThreadId(); Message->Kernel.Reg.ProcessStartKey = KphGetCurrentProcessStartKey(); Message->Kernel.Reg.ThreadSubProcessTag = KphGetCurrentThreadSubProcessTag(); Message->Kernel.Reg.PreviousMode = (ExGetPreviousMode() != KernelMode); #define KPH_REG_COPY_PARAMETER(name, value) \ Message->Kernel.Reg.Parameters.name.value = PreInfo->name.value switch (RegClass) { case RegNtPreDeleteKey: case RegNtPostDeleteKey: { break; } case RegNtPreSetValueKey: case RegNtPostSetValueKey: { KPH_REG_COPY_PARAMETER(SetValueKey, TitleIndex); KPH_REG_COPY_PARAMETER(SetValueKey, Type); KPH_REG_COPY_PARAMETER(SetValueKey, Data); KPH_REG_COPY_PARAMETER(SetValueKey, DataSize); break; } case RegNtPreDeleteValueKey: case RegNtPostDeleteValueKey: { KPH_REG_COPY_PARAMETER(DeleteValueKey, ValueName); break; } case RegNtPreSetInformationKey: case RegNtPostSetInformationKey: { KPH_REG_COPY_PARAMETER(SetInformationKey, KeySetInformationClass); KPH_REG_COPY_PARAMETER(SetInformationKey, KeySetInformation); KPH_REG_COPY_PARAMETER(SetInformationKey, KeySetInformationLength); break; } case RegNtPreRenameKey: case RegNtPostRenameKey: { KPH_REG_COPY_PARAMETER(RenameKey, NewName); break; } case RegNtPreEnumerateKey: case RegNtPostEnumerateKey: { KPH_REG_COPY_PARAMETER(EnumerateKey, Index); KPH_REG_COPY_PARAMETER(EnumerateKey, KeyInformationClass); KPH_REG_COPY_PARAMETER(EnumerateKey, KeyInformation); KPH_REG_COPY_PARAMETER(EnumerateKey, Length); KPH_REG_COPY_PARAMETER(EnumerateKey, ResultLength); break; } case RegNtPreEnumerateValueKey: case RegNtPostEnumerateValueKey: { KPH_REG_COPY_PARAMETER(EnumerateValueKey, Index); KPH_REG_COPY_PARAMETER(EnumerateValueKey, KeyValueInformationClass); KPH_REG_COPY_PARAMETER(EnumerateValueKey, KeyValueInformation); KPH_REG_COPY_PARAMETER(EnumerateValueKey, Length); KPH_REG_COPY_PARAMETER(EnumerateValueKey, ResultLength); break; } case RegNtPreQueryKey: case RegNtPostQueryKey: { KPH_REG_COPY_PARAMETER(QueryKey, KeyInformationClass); KPH_REG_COPY_PARAMETER(QueryKey, KeyInformation); KPH_REG_COPY_PARAMETER(QueryKey, Length); KPH_REG_COPY_PARAMETER(QueryKey, ResultLength); break; } case RegNtPreQueryValueKey: case RegNtPostQueryValueKey: { KPH_REG_COPY_PARAMETER(QueryValueKey, ValueName); KPH_REG_COPY_PARAMETER(QueryValueKey, KeyValueInformationClass); KPH_REG_COPY_PARAMETER(QueryValueKey, KeyValueInformation); KPH_REG_COPY_PARAMETER(QueryValueKey, Length); KPH_REG_COPY_PARAMETER(QueryValueKey, ResultLength); break; } case RegNtPreQueryMultipleValueKey: case RegNtPostQueryMultipleValueKey: { KPH_REG_COPY_PARAMETER(QueryMultipleValueKey, ValueEntries); KPH_REG_COPY_PARAMETER(QueryMultipleValueKey, EntryCount); KPH_REG_COPY_PARAMETER(QueryMultipleValueKey, ValueBuffer); KPH_REG_COPY_PARAMETER(QueryMultipleValueKey, BufferLength); KPH_REG_COPY_PARAMETER(QueryMultipleValueKey, RequiredBufferLength); break; } case RegNtPreKeyHandleClose: case RegNtPostKeyHandleClose: { break; } case RegNtPreCreateKeyEx: case RegNtPostCreateKeyEx: { KPH_REG_COPY_PARAMETER(CreateKey, CompleteName); KPH_REG_COPY_PARAMETER(CreateKey, RootObject); KPH_REG_COPY_PARAMETER(CreateKey, ObjectType); KPH_REG_COPY_PARAMETER(CreateKey, Options); KPH_REG_COPY_PARAMETER(CreateKey, Class); KPH_REG_COPY_PARAMETER(CreateKey, SecurityDescriptor); KPH_REG_COPY_PARAMETER(CreateKey, SecurityQualityOfService); KPH_REG_COPY_PARAMETER(CreateKey, DesiredAccess); KPH_REG_COPY_PARAMETER(CreateKey, GrantedAccess); KPH_REG_COPY_PARAMETER(CreateKey, Disposition); KPH_REG_COPY_PARAMETER(CreateKey, RemainingName); KPH_REG_COPY_PARAMETER(CreateKey, Wow64Flags); KPH_REG_COPY_PARAMETER(CreateKey, Attributes); KPH_REG_COPY_PARAMETER(CreateKey, CheckAccessMode); break; } case RegNtPreOpenKeyEx: case RegNtPostOpenKeyEx: { KPH_REG_COPY_PARAMETER(OpenKey, CompleteName); KPH_REG_COPY_PARAMETER(OpenKey, RootObject); KPH_REG_COPY_PARAMETER(OpenKey, ObjectType); KPH_REG_COPY_PARAMETER(OpenKey, Options); KPH_REG_COPY_PARAMETER(OpenKey, Class); KPH_REG_COPY_PARAMETER(OpenKey, SecurityDescriptor); KPH_REG_COPY_PARAMETER(OpenKey, SecurityQualityOfService); KPH_REG_COPY_PARAMETER(OpenKey, DesiredAccess); KPH_REG_COPY_PARAMETER(OpenKey, GrantedAccess); KPH_REG_COPY_PARAMETER(OpenKey, Disposition); KPH_REG_COPY_PARAMETER(OpenKey, RemainingName); KPH_REG_COPY_PARAMETER(OpenKey, Wow64Flags); KPH_REG_COPY_PARAMETER(OpenKey, Attributes); KPH_REG_COPY_PARAMETER(OpenKey, CheckAccessMode); break; } case RegNtPreFlushKey: case RegNtPostFlushKey: { break; } case RegNtPreLoadKey: case RegNtPostLoadKey: { Message->Kernel.Reg.Parameters.LoadKey.RootObject = PreInfo->LoadKey.Object; KPH_REG_COPY_PARAMETER(LoadKey, KeyName); KPH_REG_COPY_PARAMETER(LoadKey, SourceFile); KPH_REG_COPY_PARAMETER(LoadKey, Flags); KPH_REG_COPY_PARAMETER(LoadKey, TrustClassObject); KPH_REG_COPY_PARAMETER(LoadKey, UserEvent); KPH_REG_COPY_PARAMETER(LoadKey, DesiredAccess); KPH_REG_COPY_PARAMETER(LoadKey, RootHandle); KPH_REG_COPY_PARAMETER(LoadKey, FileAccessToken); break; } case RegNtPreUnLoadKey: case RegNtPostUnLoadKey: { KPH_REG_COPY_PARAMETER(UnLoadKey, UserEvent); break; } case RegNtPreQueryKeySecurity: case RegNtPostQueryKeySecurity: { KPH_REG_COPY_PARAMETER(QueryKeySecurity, SecurityInformation); KPH_REG_COPY_PARAMETER(QueryKeySecurity, SecurityDescriptor); KPH_REG_COPY_PARAMETER(QueryKeySecurity, Length); break; } case RegNtPreSetKeySecurity: case RegNtPostSetKeySecurity: { KPH_REG_COPY_PARAMETER(SetKeySecurity, SecurityInformation); KPH_REG_COPY_PARAMETER(SetKeySecurity, SecurityDescriptor); break; } case RegNtPreRestoreKey: case RegNtPostRestoreKey: { KPH_REG_COPY_PARAMETER(RestoreKey, FileHandle); KPH_REG_COPY_PARAMETER(RestoreKey, Flags); break; } case RegNtPreSaveKey: case RegNtPostSaveKey: { KPH_REG_COPY_PARAMETER(SaveKey, FileHandle); KPH_REG_COPY_PARAMETER(SaveKey, Format); break; } case RegNtPreReplaceKey: case RegNtPostReplaceKey: { KPH_REG_COPY_PARAMETER(ReplaceKey, OldFileName); KPH_REG_COPY_PARAMETER(ReplaceKey, NewFileName); break; } case RegNtPreQueryKeyName: case RegNtPostQueryKeyName: { KPH_REG_COPY_PARAMETER(QueryKeyName, ObjectNameInfo); KPH_REG_COPY_PARAMETER(QueryKeyName, Length); KPH_REG_COPY_PARAMETER(QueryKeyName, ReturnLength); break; } case RegNtPreSaveMergedKey: case RegNtPostSaveMergedKey: { KPH_REG_COPY_PARAMETER(SaveMergedKey, FileHandle); KPH_REG_COPY_PARAMETER(SaveMergedKey, HighKeyObject); KPH_REG_COPY_PARAMETER(SaveMergedKey, LowKeyObject); break; } DEFAULT_UNREACHABLE; } } /** * \brief Copies the object name information into a message. And returns other * associated information for the object. * * \param[in,out] Message The message to populate. * \param[in] FieldId The object name field ID to populate. Optional, when the * identifier is InvalidKphMsgField the object name is not copied. * \param[in] InputObject The object to copy the information from. * \param[out] Object Receives a copy of the input object pointer. * \param[out] ObjectId Receives the object ID for the object. * \param[out] Transaction Receives the transaction for the object, if any. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyObjectInfo( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PVOID InputObject, _Out_opt_ PVOID* Object, _Out_opt_ PULONG_PTR ObjectId, _Out_opt_ PVOID* Transaction ) { NTSTATUS status; PUNICODE_STRING objectName; PUNICODE_STRING* objectNamePointer; KPH_PAGED_CODE(); objectName = NULL; if (Object) { *Object = InputObject; } if (ObjectId) { *ObjectId = 0; } if (Transaction) { *Transaction = CmGetBoundTransaction(&KphpCmCookie, InputObject); } if (FieldId != InvalidKphMsgField) { objectNamePointer = &objectName; } else { objectNamePointer = NULL; } status = CmCallbackGetKeyObjectIDEx(&KphpCmCookie, InputObject, ObjectId, objectNamePointer, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "CmCallbackGetKeyObjectIDEx failed: %!STATUS!", status); if (ObjectId) { *ObjectId = 0; } objectName = NULL; goto Exit; } if (FieldId != InvalidKphMsgField) { status = KphMsgDynAddUnicodeString(Message, FieldId, objectName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } } Exit: if (objectName) { CmCallbackReleaseKeyObjectIDEx(objectName); } } /** * \brief Fills a message with information about the specified registry object. * * \param[in,out] Message The message to populate. * \param[in] Object The object to copy the information from. * \param[in] IncludeObjectName If TRUE the object name is included in the * message, when FALSE the object name is not copied into the message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegFillObjectInfo( _Inout_ PKPH_MESSAGE Message, _In_ PVOID Object, _In_ BOOLEAN IncludeObjectName ) { KPH_MESSAGE_FIELD_ID fieldId; KPH_PAGED_CODE(); if (IncludeObjectName) { fieldId = KphMsgFieldObjectName; } else { fieldId = InvalidKphMsgField; } KphpRegCopyObjectInfo(Message, fieldId, Object, &Message->Kernel.Reg.Object, &Message->Kernel.Reg.ObjectId, &Message->Kernel.Reg.Transaction); } /** * \brief Creates a registry object name from a root object and relative name. * * \param[in] RootObject The root registry object. * \param[in] RelativeName The relative name from the root object. * \param[out] ObjectName Receives a pointer to the allocated object name. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpRegMakeObjectName( _In_ PVOID RootObject, _In_ PUNICODE_STRING RelativeName, _Outptr_allocatesMem_ PUNICODE_STRING* ObjectName ) { NTSTATUS status; PUNICODE_STRING rootName; PUNICODE_STRING objectName; BOOLEAN needsSeparator; ULONG length; KPH_PAGED_CODE(); *ObjectName = NULL; objectName = NULL; status = CmCallbackGetKeyObjectIDEx(&KphpCmCookie, RootObject, NULL, &rootName, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "CmCallbackGetKeyObjectIDEx failed: %!STATUS!", status); rootName = NULL; goto Exit; } length = (rootName->Length + RelativeName->Length); if ((rootName->Length >= sizeof(WCHAR)) && (rootName->Buffer[(rootName->Length / sizeof(WCHAR)) - 1] != OBJ_NAME_PATH_SEPARATOR) && (RelativeName->Length >= sizeof(WCHAR)) && (RelativeName->Buffer[0] != OBJ_NAME_PATH_SEPARATOR)) { needsSeparator = TRUE; length += sizeof(WCHAR); } else { needsSeparator = FALSE; } if (length > UNICODE_STRING_MAX_BYTES) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Object name too long: %lu", length); status = STATUS_INTEGER_OVERFLOW; goto Exit; } objectName = KphAllocatePaged((length + sizeof(UNICODE_STRING)), KPH_TAG_REG_OBJECT_NAME); if (!objectName) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate object name."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } objectName->Length = 0; objectName->MaximumLength = (USHORT)length; objectName->Buffer = Add2Ptr(objectName, sizeof(UNICODE_STRING)); RtlAppendUnicodeStringToString(objectName, rootName); if (needsSeparator) { RtlAppendUnicodeToString(objectName, L"\\"); } RtlAppendUnicodeStringToString(objectName, RelativeName); *ObjectName = objectName; objectName = NULL; Exit: if (rootName) { CmCallbackReleaseKeyObjectIDEx(rootName); } if (objectName) { KphFree(objectName, KPH_TAG_REG_OBJECT_NAME); } return status; } /** * \brief Fills a message with information about a creation or open operation. * * \param[in,out] Message The message to populate. * \param[in] CreateInfo The creation or open information. * \param[in] IncludeObjectName If TRUE the object name is included in the * message, when FALSE the object name is not copied into the message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegFillCreateKeyObjectInfo( _Inout_ PKPH_MESSAGE Message, _In_ PREG_CREATE_KEY_INFORMATION_V1 CreateInfo, _In_ BOOLEAN IncludeObjectName ) { NTSTATUS status; PUNICODE_STRING objectName; KPH_PAGED_CODE(); Message->Kernel.Reg.Transaction = CreateInfo->Transaction; if (!IncludeObjectName) { return; } if ((CreateInfo->CompleteName->Length >= sizeof(WCHAR)) && (CreateInfo->CompleteName->Buffer[0] == OBJ_NAME_PATH_SEPARATOR)) { objectName = CreateInfo->CompleteName; } else { status = KphpRegMakeObjectName(CreateInfo->RootObject, CreateInfo->CompleteName, &objectName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphpRegMakeObjectName failed: %!STATUS!", status); goto Exit; } } status = KphMsgDynAddUnicodeString(Message, KphMsgFieldObjectName, objectName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } Exit: if (objectName && (objectName != CreateInfo->CompleteName)) { KphFree(objectName, KPH_TAG_REG_OBJECT_NAME); } } /** * \brief Fills a message with information about a load key operation. * * \param[in,out] Message The message to populate. * \param[in] LoadInfo The load key information. * \param[in] IncludeObjectName If TRUE the object name is included in the * message, when FALSE the object name is not copied into the message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegFillLoadKeyObjectInfo( _Inout_ PKPH_MESSAGE Message, _In_ PREG_LOAD_KEY_INFORMATION_V2 LoadInfo, _In_ BOOLEAN IncludeObjectName ) { NTSTATUS status; PUNICODE_STRING objectName; KPH_PAGED_CODE(); if (!IncludeObjectName) { return; } if (LoadInfo->Object) { status = KphpRegMakeObjectName(LoadInfo->Object, LoadInfo->KeyName, &objectName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphpRegMakeObjectName failed: %!STATUS!", status); goto Exit; } } else { objectName = LoadInfo->KeyName; } status = KphMsgDynAddUnicodeString(Message, KphMsgFieldObjectName, objectName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } Exit: if (objectName && (objectName != LoadInfo->KeyName)) { KphFree(objectName, KPH_TAG_REG_OBJECT_NAME); } } /** * \brief Copies a Unicode string into a message * * \param[in] Message The message to populate. * \param[in] FieldId The field ID for the Unicode string. * \param[in] String The string to populate into the message. * \param[in] Default Default string to use input string length is zero. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyUnicodeStringWithDefault( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_opt_ PUNICODE_STRING String, _In_opt_ PCUNICODE_STRING Default ) { NTSTATUS status; UNICODE_STRING string; KPH_PAGED_CODE(); if (!String) { return; } __try { string.Buffer = String->Buffer; string.Length = String->Length; string.MaximumLength = string.Length; } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception accessing string: %!STATUS!", GetExceptionCode()); return; } if (!string.Length) { if (Default) { status = KphMsgDynAddUnicodeString(Message, FieldId, Default); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } } return; } __try { status = KphMsgDynAddUnicodeString(Message, FieldId, &string); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception copying string: %!STATUS!", GetExceptionCode()); // // N.B. The KphMsgDynAdd* routines will first reserve a table // entry then copy data into the buffer. If we get here it means // the control flow was arrested after the reservation. Since we // can't guarantee it was all copied successfully clear the last // entry that was reserved. // KphMsgDynClearLast(Message); } } /** * \brief Copies a Unicode string into a message. * * \param[in,out] Message The message to populate. * \param[in] FieldId The field ID for the Unicode string. * \param[in] String The string to populate into the message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyUnicodeString( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_opt_ PUNICODE_STRING String ) { KPH_PAGED_CODE(); KphpRegCopyUnicodeStringWithDefault(Message, FieldId, String, NULL); } /** * \brief Copies a registry value name into a message. * * \param[in,out] Message The message to populate. * \param[in] ValueName The value name to populate into the message. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyValueName( _Inout_ PKPH_MESSAGE Message, _In_opt_ PUNICODE_STRING ValueName ) { KPH_PAGED_CODE(); KphpRegCopyUnicodeStringWithDefault(Message, KphMsgFieldValueName, ValueName, &KphpCmDefaultValueName); } /** * \brief Copies multiple value names into a message. * * \param[in,out] Message The message to populate. * \param[in] ValueEntries The value entries to populate into the message. * \param[in] EntryCount The number of value entries. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyMultipleValueNames( _Inout_ PKPH_MESSAGE Message, _In_opt_ PKEY_VALUE_ENTRY ValueEntries, _In_ ULONG EntryCount ) { NTSTATUS status; ULONG length; PUNICODE_STRING valueNames; ULONG remaining; KPH_PAGED_CODE(); if (!ValueEntries || !EntryCount) { return; } valueNames = NULL; // // Try to capture the values names as a sequence of null terminated strings. // length = sizeof(WCHAR); __try { for (ULONG i = 0; i < EntryCount; i++) { PCUNICODE_STRING entry; ULONG valueLength; entry = ValueEntries[i].ValueName; valueLength = entry->Length; if (valueLength) { valueLength += sizeof(WCHAR); } else { valueLength = (KphpCmDefaultValueName.Length + sizeof(WCHAR)); } status = RtlULongAdd(length, valueLength, &length); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "RtlULongAdd failed: %!STATUS!", status); goto Exit; } } } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception accessing value entries: %!STATUS!", GetExceptionCode()); goto Exit; } if (length > UNICODE_STRING_MAX_BYTES) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Value names too long: %lu", length); goto Exit; } valueNames = KphAllocatePaged((length + sizeof(UNICODE_STRING)), KPH_TAG_REG_VALUE_NAMES); if (!valueNames) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate value names."); goto Exit; } valueNames->Length = 0; valueNames->MaximumLength = (USHORT)length; valueNames->Buffer = Add2Ptr(valueNames, sizeof(UNICODE_STRING)); __try { for (ULONG i = 0; i < EntryCount; i++) { PCUNICODE_STRING entry; entry = ValueEntries[i].ValueName; if (!entry->Length) { entry = &KphpCmDefaultValueName; } status = RtlAppendUnicodeStringToString(valueNames, entry); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "RtlAppendUnicodeStringToString failed: %!STATUS!", status); goto Exit; } remaining = (valueNames->MaximumLength - valueNames->Length); if (remaining < sizeof(WCHAR)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exhausted value names buffer."); goto Exit; } valueNames->Buffer[valueNames->Length / sizeof(WCHAR)] = UNICODE_NULL; valueNames->Length += sizeof(WCHAR); } } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception accessing value entries: %!STATUS!", GetExceptionCode()); goto Exit; } remaining = (valueNames->MaximumLength - valueNames->Length); if (remaining < sizeof(WCHAR)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exhausted value names buffer."); goto Exit; } valueNames->Buffer[valueNames->Length / sizeof(WCHAR)] = UNICODE_NULL; valueNames->Length += sizeof(WCHAR); status = KphMsgDynAddUnicodeString(Message, KphMsgFieldMultipleValueNames, valueNames); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } Exit: if (valueNames) { KphFree(valueNames, KPH_TAG_REG_VALUE_NAMES); } } /** * \brief Copies a buffer into a message. * * \param[in,out] Message The message to populate. * \param[in] FieldId The field ID for the buffer. * \param[in] Buffer The buffer to copy. * \param[in] Length The length of the buffer. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyBuffer( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_opt_ PVOID Buffer, _In_ ULONG Length ) { NTSTATUS status; USHORT remaining; KPHM_SIZED_BUFFER sizedBuffer; KPH_PAGED_CODE(); if (!Buffer) { return; } remaining = KphMsgDynRemaining(Message); if (remaining < Length) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Buffer too large for message, truncating %lu -> %lu", Length, remaining); Length = remaining; } if (!Length) { return; } sizedBuffer.Buffer = Buffer; sizedBuffer.Size = (USHORT)Length; __try { status = KphMsgDynAddSizedBuffer(Message, FieldId, &sizedBuffer); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddSizedBuffer failed: %!STATUS!", status); } } __except (EXCEPTION_EXECUTE_HANDLER) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Exception copying buffer: %!STATUS!", GetExceptionCode()); // // N.B. The KphMsgDynAdd* routines will first reserve a table // entry then copy data into the buffer. If we get here it means // the control flow was arrested after the reservation. Since we // can't guarantee it was all copied successfully clear the last // entry that was reserved. // KphMsgDynClearLast(Message); } } /** * \brief Copies an object name into a message. * * \param[in,out] Message The message to populate. * \param[in] FieldId The field ID for the object name. * \param[in] Object The object to copy the name from. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyObjectName( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_opt_ PVOID Object ) { NTSTATUS status; PUNICODE_STRING objectName; PUNICODE_STRING keyName; POBJECT_NAME_INFORMATION nameInfo; ULONG length; KPH_PAGED_CODE(); if (!Object) { return; } keyName = NULL; nameInfo = NULL; if (ObGetObjectType(Object) == *CmKeyObjectType) { status = CmCallbackGetKeyObjectIDEx(&KphpCmCookie, Object, NULL, &keyName, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "CmCallbackGetKeyObjectIDEx failed: %!STATUS!", status); keyName = NULL; goto Exit; } objectName = keyName; } else { status = KphQueryNameObject(Object, NULL, 0, &length); if (status != STATUS_BUFFER_TOO_SMALL) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphQueryNameObject: %!STATUS!", status); goto Exit; } nameInfo = KphAllocatePaged(length, KPH_TAG_REG_OBJECT_NAME); if (!nameInfo) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate object name."); goto Exit; } status = KphQueryNameObject(Object, nameInfo, length, &length); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphQueryNameObject failed: %!STATUS!", status); goto Exit; } objectName = &nameInfo->Name; } status = KphMsgDynAddUnicodeString(Message, FieldId, objectName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } Exit: if (nameInfo) { KphFree(nameInfo, KPH_TAG_REG_OBJECT_NAME); } if (keyName) { CmCallbackReleaseKeyObjectIDEx(keyName); } } /** * \brief Copies a handle name into a message. * * \param[in,out] Message The message to populate. * \param[in] FieldId The field ID for the handle name. * \param[in] Handle The handle to copy the name from. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegCopyHandleName( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ HANDLE Handle ) { NTSTATUS status; KAPC_STATE apcState; PVOID object; KPH_PAGED_CODE(); if (!Handle) { return; } if (IsKernelHandle(Handle) && !IsPseudoHandle(Handle)) { KeStackAttachProcess(PsInitialSystemProcess, &apcState); } NT_ASSERT(Handle); #pragma prefast(suppress : 6387) status = ObReferenceObjectByHandle(Handle, 0, NULL, KernelMode, &object, NULL); if (IsKernelHandle(Handle) && !IsPseudoHandle(Handle)) { KeUnstackDetachProcess(&apcState); } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "ObReferenceObjectByHandle failed: %!STATUS!", status); return; } KphpRegCopyObjectName(Message, FieldId, object); ObDereferenceObject(object); } /** * \brief Fills a message with post operation information. * * \param[in,out] Message The message to populate. * \param[in] RegClass The registry operation class. * \param[in] PostInfo The post operation information. * \param[in] Context The call context. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegFillPostOpMessage( _Inout_ PKPH_MESSAGE Message, _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_POST_INFORMATION PostInfo, _In_ PKPH_REG_CALL_CONTEXT Context ) { NTSTATUS status; PKPH_REG_PRE_INFORMATION preInfo; BOOLEAN enableObjectNames; BOOLEAN enableValueNames; KPH_PAGED_CODE(); enableObjectNames = Context->Options.EnablePostObjectNames; enableValueNames = Context->Options.EnablePostValueNames; Message->Kernel.Reg.PostOperation = TRUE; Message->Kernel.Reg.Post.PreSequence = Context->PreSequence; Message->Kernel.Reg.Post.PreTimeStamp = Context->PreTimeStamp; preInfo = PostInfo->Common.PreInformation; Message->Kernel.Reg.Post.Status = PostInfo->Common.Status; KphpRegFillCommonMessage(Message, RegClass, preInfo); #define KPH_REG_COPY_OUT_PARAM(n, v) \ if (preInfo->n.v) \ { \ __try \ { \ Message->Kernel.Reg.Post.n.v = *preInfo->n.v; \ } \ __except (EXCEPTION_EXECUTE_HANDLER) \ { \ Message->Kernel.Reg.Post.n.v = 0; \ } \ } switch (RegClass) { case RegNtPostSetValueKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (enableValueNames) { KphpRegCopyValueName(Message, preInfo->SetValueKey.ValueName); } break; } case RegNtPostDeleteValueKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (enableValueNames) { KphpRegCopyValueName(Message, preInfo->DeleteValueKey.ValueName); } break; } case RegNtPostEnumerateKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (!NT_SUCCESS(Message->Kernel.Reg.Post.Status)) { break; } KPH_REG_COPY_OUT_PARAM(EnumerateKey, ResultLength); KphpRegCopyBuffer(Message, KphMsgFieldInformationBuffer, preInfo->EnumerateKey.KeyInformation, Message->Kernel.Reg.Post.EnumerateKey.ResultLength); break; } case RegNtPostEnumerateValueKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (!NT_SUCCESS(PostInfo->Common.Status)) { break; } KPH_REG_COPY_OUT_PARAM(EnumerateValueKey, ResultLength); KphpRegCopyBuffer(Message, KphMsgFieldInformationBuffer, preInfo->EnumerateValueKey.KeyValueInformation, Message->Kernel.Reg.Post.EnumerateValueKey.ResultLength); break; } case RegNtPostQueryKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (!NT_SUCCESS(PostInfo->Common.Status)) { break; } KPH_REG_COPY_OUT_PARAM(QueryKey, ResultLength); KphpRegCopyBuffer(Message, KphMsgFieldInformationBuffer, preInfo->QueryKey.KeyInformation, Message->Kernel.Reg.Post.QueryKey.ResultLength); break; } case RegNtPostQueryValueKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (enableValueNames) { KphpRegCopyValueName(Message, preInfo->QueryValueKey.ValueName); } if (!NT_SUCCESS(PostInfo->Common.Status)) { break; } KPH_REG_COPY_OUT_PARAM(QueryValueKey, ResultLength); if (Context->Options.EnableValueBuffers) { KphpRegCopyBuffer(Message, KphMsgFieldValueBuffer, preInfo->QueryValueKey.KeyValueInformation, Message->Kernel.Reg.Post.QueryValueKey.ResultLength); } break; } case RegNtPostQueryMultipleValueKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (enableValueNames) { KphpRegCopyMultipleValueNames(Message, preInfo->QueryMultipleValueKey.ValueEntries, preInfo->QueryMultipleValueKey.EntryCount); } KPH_REG_COPY_OUT_PARAM(QueryMultipleValueKey, RequiredBufferLength); if (!NT_SUCCESS(PostInfo->Common.Status)) { break; } KPH_REG_COPY_OUT_PARAM(QueryMultipleValueKey, BufferLength); if (Context->Options.EnableValueBuffers) { ULONG entriesLength; if (!NT_SUCCESS(RtlULongMult(preInfo->QueryMultipleValueKey.EntryCount, sizeof(KEY_VALUE_ENTRY), &entriesLength))) { break; } KphpRegCopyBuffer(Message, KphMsgFieldMultipleValueEntries, preInfo->QueryMultipleValueKey.ValueEntries, entriesLength); KphpRegCopyBuffer(Message, KphMsgFieldValueBuffer, preInfo->QueryMultipleValueKey.ValueBuffer, Message->Kernel.Reg.Post.QueryMultipleValueKey.BufferLength); } break; } case RegNtPostKeyHandleClose: { Message->Kernel.Reg.Object = preInfo->Object; Message->Kernel.Reg.ObjectId = Context->ObjectId; Message->Kernel.Reg.Transaction = Context->Transaction; if (Context->ObjectName) { status = KphMsgDynAddUnicodeString(Message, KphMsgFieldObjectName, Context->ObjectName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphMsgDynAddUnicodeString failed: %!STATUS!", status); } } break; } case RegNtPostCreateKeyEx: { if (PostInfo->Common.Status == STATUS_SUCCESS) { KphpRegFillObjectInfo(Message, PostInfo->Common.Object, enableObjectNames); } else { KphpRegFillCreateKeyObjectInfo(Message, &preInfo->CreateKey, enableObjectNames); } if (NT_SUCCESS(PostInfo->Common.Status)) { KPH_REG_COPY_OUT_PARAM(CreateKey, Disposition); } break; } case RegNtPostOpenKeyEx: { if (PostInfo->Common.Status == STATUS_SUCCESS) { KphpRegFillObjectInfo(Message, PostInfo->Common.Object, enableObjectNames); } else { KphpRegFillCreateKeyObjectInfo(Message, &preInfo->OpenKey, enableObjectNames); } if (NT_SUCCESS(PostInfo->Common.Status)) { KPH_REG_COPY_OUT_PARAM(OpenKey, Disposition); } break; } case RegNtPostLoadKey: { KphpRegFillLoadKeyObjectInfo(Message, &preInfo->LoadKey, enableObjectNames); if (enableObjectNames) { KphpRegCopyUnicodeString(Message, KphMsgFieldFileName, preInfo->LoadKey.SourceFile); } if (NT_SUCCESS(PostInfo->Common.Status)) { KPH_REG_COPY_OUT_PARAM(LoadKey, RootHandle); } break; } case RegNtPostQueryKeySecurity: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (NT_SUCCESS(PostInfo->Common.Status)) { KPH_REG_COPY_OUT_PARAM(QueryKeySecurity, Length); } break; } case RegNtPostRestoreKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, TRUE); if (enableObjectNames) { KphpRegCopyHandleName(Message, KphMsgFieldFileName, preInfo->RestoreKey.FileHandle); } break; } case RegNtPostSaveKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, TRUE); if (enableObjectNames) { KphpRegCopyHandleName(Message, KphMsgFieldFileName, preInfo->SaveKey.FileHandle); } break; } case RegNtPostReplaceKey: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (enableObjectNames) { KphpRegCopyUnicodeString(Message, KphMsgFieldFileName, preInfo->ReplaceKey.NewFileName); KphpRegCopyUnicodeString(Message, KphMsgFieldDestinationFileName, preInfo->ReplaceKey.OldFileName); } break; } case RegNtPostQueryKeyName: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); if (NT_SUCCESS(PostInfo->Common.Status)) { KPH_REG_COPY_OUT_PARAM(QueryKeyName, ReturnLength); } break; } case RegNtPostSaveMergedKey: { KPH_MESSAGE_FIELD_ID fieldId; KphpRegFillObjectInfo(Message, preInfo->SaveMergedKey.HighKeyObject, enableObjectNames); if (enableObjectNames) { fieldId = KphMsgFieldOtherObjectName; } else { fieldId = InvalidKphMsgField; } KphpRegCopyObjectInfo(Message, fieldId, preInfo->SaveMergedKey.LowKeyObject, NULL, &Message->Kernel.Reg.Post.SaveMergedKey.LowKeyObjectId, &Message->Kernel.Reg.Post.SaveMergedKey.LowKeyTransaction); if (enableObjectNames) { KphpRegCopyHandleName(Message, KphMsgFieldFileName, preInfo->SaveMergedKey.FileHandle); } break; } default: { KphpRegFillObjectInfo(Message, PostInfo->Object, enableObjectNames); break; } } } /** * \brief Fills a message with pre operation information. * * \param[in,out] Message The message to populate. * \param[in] RegClass The registry operation class. * \param[in] PreInfo The pre operation information. * \param[in] Options Registry options to use. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegFillPreOpMessage( _Inout_ PKPH_MESSAGE Message, _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_PRE_INFORMATION PreInfo, _In_ PKPH_REG_OPTIONS Options ) { KPH_PAGED_CODE(); Message->Kernel.Reg.PostOperation = FALSE; KphpRegFillCommonMessage(Message, RegClass, PreInfo); #define KPH_REG_COPY_IN_PARAM(n, v) \ if (PreInfo->n.v) \ { \ __try \ { \ Message->Kernel.Reg.Pre.n.v = *PreInfo->n.v; \ } \ __except (EXCEPTION_EXECUTE_HANDLER) \ { \ Message->Kernel.Reg.Pre.n.v = 0; \ } \ } switch (RegClass) { case RegNtPreSetValueKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyValueName(Message, PreInfo->SetValueKey.ValueName); if (Options->EnableValueBuffers) { KphpRegCopyBuffer(Message, KphMsgFieldValueBuffer, PreInfo->SetValueKey.Data, PreInfo->SetValueKey.DataSize); } break; } case RegNtPreDeleteValueKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyValueName(Message, PreInfo->DeleteValueKey.ValueName); break; } case RegNtPreSetInformationKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyBuffer(Message, KphMsgFieldInformationBuffer, PreInfo->SetInformationKey.KeySetInformation, PreInfo->SetInformationKey.KeySetInformationLength); break; } case RegNtPreRenameKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyUnicodeString(Message, KphMsgFieldNewName, PreInfo->RenameKey.NewName); break; } case RegNtPreQueryValueKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyValueName(Message, PreInfo->QueryValueKey.ValueName); break; } case RegNtPreQueryMultipleValueKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyMultipleValueNames(Message, PreInfo->QueryMultipleValueKey.ValueEntries, PreInfo->QueryMultipleValueKey.EntryCount); KPH_REG_COPY_IN_PARAM(QueryMultipleValueKey, BufferLength); break; } case RegNtPreCreateKeyEx: { KphpRegFillCreateKeyObjectInfo(Message, &PreInfo->CreateKey, TRUE); KphpRegCopyUnicodeString(Message, KphMsgFieldClass, PreInfo->CreateKey.Class); break; } case RegNtPreOpenKeyEx: { KphpRegFillCreateKeyObjectInfo(Message, &PreInfo->OpenKey, TRUE); break; } case RegNtPreLoadKey: { KphpRegFillLoadKeyObjectInfo(Message, &PreInfo->LoadKey, TRUE); KphpRegCopyUnicodeString(Message, KphMsgFieldFileName, PreInfo->LoadKey.SourceFile); break; } case RegNtPreQueryKeySecurity: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KPH_REG_COPY_IN_PARAM(QueryKeySecurity, SecurityInformation); KPH_REG_COPY_IN_PARAM(QueryKeySecurity, Length); break; } case RegNtPreSetKeySecurity: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KPH_REG_COPY_IN_PARAM(SetKeySecurity, SecurityInformation); break; } case RegNtPreRestoreKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyHandleName(Message, KphMsgFieldFileName, PreInfo->RestoreKey.FileHandle); break; } case RegNtPreSaveKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyHandleName(Message, KphMsgFieldFileName, PreInfo->SaveKey.FileHandle); break; } case RegNtPreReplaceKey: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); KphpRegCopyUnicodeString(Message, KphMsgFieldFileName, PreInfo->ReplaceKey.NewFileName); KphpRegCopyUnicodeString(Message, KphMsgFieldDestinationFileName, PreInfo->ReplaceKey.OldFileName); break; } case RegNtPreSaveMergedKey: { KphpRegFillObjectInfo(Message, PreInfo->SaveMergedKey.HighKeyObject, TRUE); KphpRegCopyObjectInfo(Message, KphMsgFieldOtherObjectName, PreInfo->SaveMergedKey.LowKeyObject, NULL, &Message->Kernel.Reg.Pre.SaveMergedKey.LowKeyObjectId, &Message->Kernel.Reg.Pre.SaveMergedKey.LowKeyTransaction); KphpRegCopyHandleName(Message, KphMsgFieldFileName, PreInfo->SaveMergedKey.FileHandle); break; } default: { KphpRegFillObjectInfo(Message, PreInfo->Object, TRUE); break; } } } /** * \brief Sends a post operation message. * * \param[in] RegClass The registry operation class. * \param[in] PostInfo The post operation information. * \param[in] Sequence The registry sequence number. * \param[in] Context The call context. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegPostOpSend( _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_POST_INFORMATION PostInfo, _In_ ULONG64 Sequence, _In_ PKPH_REG_CALL_CONTEXT Context ) { PKPH_MESSAGE msg; KPH_PAGED_CODE(); msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateMessage failed"); return; } KphMsgInit(msg, KphpRegGetMessageId(RegClass)); msg->Kernel.Reg.Sequence = Sequence; KphpRegFillPostOpMessage(msg, RegClass, PostInfo, Context); if (Context->Options.EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); } _IRQL_requires_max_(APC_LEVEL) VOID KphpRegFreeCallContext( _In_ PKPH_REG_CALL_CONTEXT Context ) { KPH_PAGED_CODE(); if (Context->ObjectName) { CmCallbackReleaseKeyObjectIDEx(Context->ObjectName); } KphFreeToPagedLookaside(&KphpCmCallContextLookaside, Context); } /** * \brief Registry post operation callback. * * \param[in] RegClass The registry operation class. * \param[in] PostInfo The post operation information. * \param[in] Sequence The registry sequence number for the post operation. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegPostOp( _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_POST_INFORMATION PostInfo, _In_ ULONG64 Sequence ) { PKPH_REG_CALL_CONTEXT context; KPH_PAGED_CODE(); context = PostInfo->Common.CallContext; if (context) { KphpRegPostOpSend(RegClass, PostInfo, Sequence, context); KphpRegFreeCallContext(context); } } /** * \brief Sets the call context for a registry operation. * * \details This routine sets the call context in the pre operation information * in preparation for the post operation to handle it. * * \param[in] RegClass The registry operation class. * \param[in] PreInfo The pre operation information. * \param[in] Options Registry options to use. * \param[in] Sequence The registry sequence number for the pre operation. * \param[in] TimeStamp The time stamp for the pre operation. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpRegPreOpSetCallContext( _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_PRE_INFORMATION PreInfo, _In_ PKPH_REG_OPTIONS Options, _In_ ULONG64 Sequence, _In_ PLARGE_INTEGER TimeStamp ) { NTSTATUS status; PKPH_REG_CALL_CONTEXT context; KPH_PAGED_CODE(); context = KphAllocateFromPagedLookaside(&KphpCmCallContextLookaside); if (!context) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateFromPagedLookaside failed"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } context->PreSequence = Sequence; context->PreTimeStamp = *TimeStamp; context->Options.Flags = Options->Flags; if (RegClass == RegNtPreKeyHandleClose) { PVOID object; PUNICODE_STRING* objectNamePointer; object = PreInfo->KeyHandleClose.Object; context->Transaction = CmGetBoundTransaction(&KphpCmCookie, object); if (Options->EnablePostObjectNames) { objectNamePointer = &context->ObjectName; } else { objectNamePointer = NULL; } status = CmCallbackGetKeyObjectIDEx(&KphpCmCookie, object, &context->ObjectId, objectNamePointer, 0); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "CmCallbackGetKeyObjectIDEx failed: %!STATUS!", status); context->ObjectId = 0; context->ObjectName = NULL; } } status = STATUS_SUCCESS; #define KPH_REG_SET_CALL_CONTEXT2(reg, name) \ case RegNtPre##reg: \ { \ NT_ASSERT(!PreInfo->name.CallContext); \ PreInfo->name.CallContext = context; \ context = NULL; \ break; \ } #define KPH_REG_SET_CALL_CONTEXT(name) KPH_REG_SET_CALL_CONTEXT2(name, name) switch (RegClass) { KPH_REG_SET_CALL_CONTEXT(DeleteKey) KPH_REG_SET_CALL_CONTEXT(SetValueKey) KPH_REG_SET_CALL_CONTEXT(DeleteValueKey) KPH_REG_SET_CALL_CONTEXT(SetInformationKey) KPH_REG_SET_CALL_CONTEXT(RenameKey) KPH_REG_SET_CALL_CONTEXT(EnumerateKey) KPH_REG_SET_CALL_CONTEXT(EnumerateValueKey) KPH_REG_SET_CALL_CONTEXT(QueryKey) KPH_REG_SET_CALL_CONTEXT(QueryValueKey) KPH_REG_SET_CALL_CONTEXT(QueryMultipleValueKey) KPH_REG_SET_CALL_CONTEXT(KeyHandleClose) KPH_REG_SET_CALL_CONTEXT2(CreateKeyEx, CreateKey) KPH_REG_SET_CALL_CONTEXT2(OpenKeyEx, OpenKey) KPH_REG_SET_CALL_CONTEXT(FlushKey) KPH_REG_SET_CALL_CONTEXT(LoadKey) KPH_REG_SET_CALL_CONTEXT(UnLoadKey) KPH_REG_SET_CALL_CONTEXT(QueryKeySecurity) KPH_REG_SET_CALL_CONTEXT(SetKeySecurity) KPH_REG_SET_CALL_CONTEXT(RestoreKey) KPH_REG_SET_CALL_CONTEXT(SaveKey) KPH_REG_SET_CALL_CONTEXT(ReplaceKey) KPH_REG_SET_CALL_CONTEXT(QueryKeyName) KPH_REG_SET_CALL_CONTEXT(SaveMergedKey) DEFAULT_UNREACHABLE; } Exit: if (context) { KphFreeToPagedLookaside(&KphpCmCallContextLookaside, context); } return status; } /** * \brief Sends a pre operation message. * * \param[in] RegClass The registry operation class. * \param[in] PreInfo The pre operation information. * \param[in] Options Registry options to use. * \param[in] Sequence The registry sequence number for the pre operation. * \param[out] TimeStamp Receives time stamp for the pre operation. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegPreOpSend( _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_PRE_INFORMATION PreInfo, _In_ PKPH_REG_OPTIONS Options, _In_ ULONG64 Sequence, _Out_ PLARGE_INTEGER TimeStamp ) { PKPH_MESSAGE msg; KPH_PAGED_CODE(); msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphAllocateMessage failed"); KeQuerySystemTime(TimeStamp); return; } KphMsgInit(msg, KphpRegGetMessageId(RegClass)); *TimeStamp = msg->Header.TimeStamp; msg->Kernel.Reg.Sequence = Sequence; KphpRegFillPreOpMessage(msg, RegClass, PreInfo, Options); if (Options->EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); } /** * \brief Registry pre operation callback. * * \param[in] RegClass The registry operation class. * \param[in] PreInfo The pre operation information. * \param[in] Options Registry options to use. * \param[in] Sequence The registry sequence number for the pre operation. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpRegPreOp( _In_ REG_NOTIFY_CLASS RegClass, _In_ PKPH_REG_PRE_INFORMATION PreInfo, _In_ PKPH_REG_OPTIONS Options, _In_ ULONG64 Sequence ) { NTSTATUS status; LARGE_INTEGER timeStamp; KPH_PAGED_CODE(); NT_ASSERT(!Options->InPost); if (Options->PreEnabled) { KphpRegPreOpSend(RegClass, PreInfo, Options, Sequence, &timeStamp); } else { // // Pre operations aren't enabled, but we need the time stamp for the // post operation to use. // KeQuerySystemTime(&timeStamp); } if (Options->PostEnabled) { status = KphpRegPreOpSetCallContext(RegClass, PreInfo, Options, Sequence, &timeStamp); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "KphpRegPreOpSetCallContext failed: %!STATUS!", status); } } } /** * \brief System registry callback, registered with the configuration manager. * * \param[in] CallbackContext Unused. * \param[in] Argument1 The registry operation class. * \param[in] Argument2 The registry operation information. * * \return STATUS_SUCCESS */ _IRQL_requires_max_(APC_LEVEL) _IRQL_requires_same_ _Function_class_(EX_CALLBACK_FUNCTION) NTSTATUS KphpRegistryCallback( _In_ PVOID CallbackContext, _In_opt_ PVOID Argument1, _In_opt_ PVOID Argument2 ) { REG_NOTIFY_CLASS regClass; ULONG64 sequence; KPH_REG_OPTIONS options; // // N.B. Although Microsoft’s documentation states that registry callbacks // (e.g. CmRegisterCallbackEx) are invoked at PASSIVE_LEVEL, they can and // *do* get invoked at APC_LEVEL in practice. // // This behavior has been observed and is triggered by code in Microsoft’s // own kernel components - not third-party drivers. As such, assuming // callbacks always run at PASSIVE_LEVEL is unsafe. This contradicts the // stated IRQL guarantees - use caution. // KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(CallbackContext); NT_ASSERT(Argument2); regClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1; if (regClass == RegNtCallbackObjectContextCleanup) { return STATUS_SUCCESS; } sequence = InterlockedIncrementU64(&KphpCmSequence); options = KphpRegGetOptions(regClass); if (options.InPost) { KphpRegPostOp(regClass, Argument2, sequence); } else { KphpRegPreOp(regClass, Argument2, &options, sequence); } return STATUS_SUCCESS; } /** * \brief Starts the registry informer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphRegistryInformerStart( VOID ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); KphInitializePagedLookaside(&KphpCmCallContextLookaside, sizeof(KPH_REG_CALL_CONTEXT), KPH_TAG_REG_CALL_CONTEXT); status = CmRegisterCallbackEx(KphpRegistryCallback, KphAltitude, KphDriverObject, NULL, &KphpCmCookie, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "CmRegisterCallbackEx failed: %!STATUS!", status); KphDeletePagedLookaside(&KphpCmCallContextLookaside); return status; } KphpCmRegistered = TRUE; return STATUS_SUCCESS; } /** * \brief Stops the registry informer. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphRegistryInformerStop( VOID ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); if (!KphpCmRegistered) { return; } status = CmUnRegisterCallback(KphpCmCookie); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "CmUnRegisterCallback failed: %!STATUS!", status); } KphDeletePagedLookaside(&KphpCmCallContextLookaside); } ================================================ FILE: KSystemInformer/informer_thread.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include #include typedef enum _KPH_THREAD_NOTIFY_TYPE { KphThreadNotifyCreate, KphThreadNotifyExecute, KphThreadNotifyExit } KPH_THREAD_NOTIFY_TYPE; KPH_PAGED_FILE(); /** * \brief Performing thread tracking. * * \param[in] ProcessId Process ID from the notification callback. * \param[in] ThreadId Thread ID from the notification callback. * \param[in] Create The create parameter from the notification callback. * \param[in] Thread The thread object of the thread ID. * * \return Pointer to the thread context, may be null, the caller should * dereference this object if it is non-null. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ PKPH_THREAD_CONTEXT KphpPerformThreadTracking( _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ BOOLEAN Create, _In_opt_ PETHREAD Thread ) { PKPH_THREAD_CONTEXT thread; KPH_PAGED_CODE(); if (!Create) { thread = KphUntrackThreadContext(ThreadId); if (!thread) { return NULL; } KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Stopped tracking thread %lu in process %wZ (%lu)", HandleToULong(thread->ClientId.UniqueThread), KphGetThreadImageName(thread), HandleToULong(thread->ClientId.UniqueProcess)); thread->ExitNotification = TRUE; return thread; } if (!Thread) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to track thread %lu in process %lu", HandleToULong(ThreadId), HandleToULong(ProcessId)); return NULL; } thread = KphTrackThreadContext(Thread); if (!thread) { KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Failed to track thread %lu in process %lu", HandleToULong(ThreadId), HandleToULong(ProcessId)); return NULL; } thread->CreateNotification = TRUE; thread->CreatorClientId.UniqueProcess = PsGetCurrentProcessId(); thread->CreatorClientId.UniqueThread = PsGetCurrentThreadId(); KphTracePrint(TRACE_LEVEL_VERBOSE, TRACKING, "Tracking thread %lu in process %wZ (%lu)", HandleToULong(thread->ClientId.UniqueThread), KphGetThreadImageName(thread), HandleToULong(thread->ClientId.UniqueProcess)); return thread; } /** * \brief Informs any clients of thread notify routine invocations. * * \param[in] Thread The thread being created. * \param[in] ProcessId Process ID of the process where the thread is being * created. * \param[in] ThreadID Thread ID of the thread being created. * \param[in] Create If true the thread is being created, if false the thread * is being destroyed. */ _Function_class_(PCREATE_THREAD_NOTIFY_ROUTINE) _IRQL_requires_max_(APC_LEVEL) VOID KphpCreateThreadNotifyInformer( _In_ PKPH_THREAD_CONTEXT Thread, _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ KPH_THREAD_NOTIFY_TYPE Type ) { PKPH_MESSAGE msg; PKPH_PROCESS_CONTEXT actorProcess; KPH_PAGED_CODE(); msg = NULL; actorProcess = KphGetCurrentProcessContext(); if (Type == KphThreadNotifyCreate) { if (!KphInformerEnabled2(ThreadCreate, actorProcess, Thread->ProcessContext)) { goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } KphMsgInit(msg, KphMsgThreadCreate); msg->Kernel.ThreadCreate.CreatingClientId.UniqueProcess = PsGetCurrentProcessId(); msg->Kernel.ThreadCreate.CreatingClientId.UniqueThread = PsGetCurrentThreadId(); msg->Kernel.ThreadCreate.CreatingProcessStartKey = KphGetCurrentProcessStartKey(); msg->Kernel.ThreadCreate.CreatingThreadSubProcessTag = KphGetCurrentThreadSubProcessTag(); msg->Kernel.ThreadCreate.TargetClientId.UniqueProcess = ProcessId; msg->Kernel.ThreadCreate.TargetClientId.UniqueThread = ThreadId; msg->Kernel.ThreadCreate.TargetProcessStartKey = KphGetThreadProcessStartKey(Thread->EThread); } else if (Type == KphThreadNotifyExecute) { PVOID subProcessTag; // // Call this even if the informer is disabled since this is the best // place to update the cached sub-process tag in the thread context. // subProcessTag = KphGetCurrentThreadSubProcessTag(); if (!KphInformerEnabled2(ThreadExecute, actorProcess, Thread->ProcessContext)) { goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } KphMsgInit(msg, KphMsgThreadExecute); msg->Kernel.ThreadExecute.ClientId.UniqueProcess = ProcessId; msg->Kernel.ThreadExecute.ClientId.UniqueThread = ThreadId; NT_ASSERT(ProcessId == PsGetCurrentProcessId()); msg->Kernel.ThreadExecute.ProcessStartKey = KphGetCurrentProcessStartKey(); msg->Kernel.ThreadExecute.ThreadSubProcessTag = subProcessTag; } else { NT_ASSERT(Type == KphThreadNotifyExit); if (!KphInformerEnabled2(ThreadExit, actorProcess, Thread->ProcessContext)) { goto Exit; } msg = KphAllocateMessage(); if (!msg) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to allocate message"); goto Exit; } KphMsgInit(msg, KphMsgThreadExit); msg->Kernel.ThreadExit.ClientId.UniqueProcess = ProcessId; msg->Kernel.ThreadExit.ClientId.UniqueThread = ThreadId; msg->Kernel.ThreadExit.ExitStatus = PsGetThreadExitStatus(Thread->EThread); NT_ASSERT(ProcessId == PsGetCurrentProcessId()); msg->Kernel.ThreadExit.ProcessStartKey = KphGetCurrentProcessStartKey(); msg->Kernel.ThreadExit.ThreadSubProcessTag = KphGetCurrentThreadSubProcessTag(); } if (KphInformerOpts2(actorProcess, Thread->ProcessContext).EnableStackTraces) { KphCaptureStackInMessage(msg); } KphCommsSendMessageAsync(msg); msg = NULL; Exit: if (msg) { KphFreeMessage(msg); } if (actorProcess) { KphDereferenceObject(actorProcess); } } /** * \brief Thread execution notify routine. * * \param[in] ProcessId Process ID of the process where the thread is beginning * execution. * \param[in] ThreadId Thread ID of the thread beginning execution. * \param[in] Create Unused */ _Function_class_(PCREATE_THREAD_NOTIFY_ROUTINE) _IRQL_requires_max_(APC_LEVEL) VOID KphpExecuteThreadNotifyRoutine( _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ BOOLEAN Create ) { PKPH_THREAD_CONTEXT thread; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Create); thread = KphGetThreadContext(ThreadId); if (thread) { thread->ExecuteNotification = TRUE; KphpCreateThreadNotifyInformer(thread, ProcessId, ThreadId, KphThreadNotifyExecute); KphDereferenceObject(thread); } } /** * \brief Thread create notify routine. * * \param[in] ProcessId Process ID of the process where the thread is being * created. * \param[in] ThreadID Thread ID of the thread being created. * \param[in] Create If true the thread is being created, if false the thread * is being destroyed. */ _Function_class_(PCREATE_THREAD_NOTIFY_ROUTINE) _IRQL_requires_max_(APC_LEVEL) VOID KphpCreateThreadNotifyRoutine( _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ BOOLEAN Create ) { NTSTATUS status; PKPH_THREAD_CONTEXT thread; PETHREAD threadObject; KPH_PAGED_CODE(); status = PsLookupThreadByThreadId(ThreadId, &threadObject); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "PsLookupThreadByThreadId failed: %!STATUS!", status); threadObject = NULL; } if (Create) { thread = KphpPerformThreadTracking(ProcessId, ThreadId, TRUE, threadObject); if (thread) { KphpCreateThreadNotifyInformer(thread, ProcessId, ThreadId, KphThreadNotifyCreate); } } else { thread = KphGetThreadContext(ThreadId); if (thread) { KphpCreateThreadNotifyInformer(thread, ProcessId, ThreadId, KphThreadNotifyExit); KphDereferenceObject(thread); } thread = KphpPerformThreadTracking(ProcessId, ThreadId, FALSE, threadObject); } if (thread) { KphDereferenceObject(thread); } if (threadObject) { ObDereferenceObject(threadObject); } } /** * \brief Starts the thread informer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphThreadInformerStart( VOID ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); status = PsSetCreateThreadNotifyRoutineEx(PsCreateThreadNotifySubsystems, (PVOID)KphpCreateThreadNotifyRoutine); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register thread notify routine: %!STATUS!", status); return status; } status = PsSetCreateThreadNotifyRoutineEx(PsCreateThreadNotifyNonSystem, (PVOID)KphpExecuteThreadNotifyRoutine); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, INFORMER, "Failed to register thread notify routine: %!STATUS!", status); return status; } return STATUS_SUCCESS; } /** * \brief Stops the thread informer. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphThreadInformerStop( VOID ) { KPH_PAGED_CODE_PASSIVE(); PsRemoveCreateThreadNotifyRoutine(KphpExecuteThreadNotifyRoutine); PsRemoveCreateThreadNotifyRoutine(KphpCreateThreadNotifyRoutine); } ================================================ FILE: KSystemInformer/knowndll.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include typedef struct _KPH_KNOWN_DLL_EXPORT { PCHAR Name; PVOID* Storage; } KPH_KNOWN_DLL_EXPORT, *PKPH_KNOWN_DLL_EXPORT; typedef struct _KPH_KNOWN_DLL_INFORMATION { UNICODE_STRING SectionName; PVOID* BaseAddressStorage; PKPH_KNOWN_DLL_EXPORT Exports; } KPH_KNOWN_DLL_INFORMATION, *PKPH_KNOWN_DLL_INFORMATION; KPH_PROTECTED_DATA_SECTION_PUSH(); PVOID KphNtDllBaseAddress = NULL; PVOID KphNtDllRtlSetBits = NULL; static KPH_KNOWN_DLL_EXPORT KphpNtDllExports[] = { { "RtlSetBits", &KphNtDllRtlSetBits }, { NULL, NULL } }; static KPH_KNOWN_DLL_INFORMATION KphpKnownDllInformation[] = { { RTL_CONSTANT_STRING(L"\\KnownDlls\\ntdll.dll"), &KphNtDllBaseAddress, KphpNtDllExports } }; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Populates known DLL information. */ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphInitializeKnownDll( VOID ) { NTSTATUS status; HANDLE sectionHandle; PVOID sectionObject; PVOID baseAddress; SIZE_T viewSize; KPH_PAGED_CODE_PASSIVE(); sectionHandle = NULL; sectionObject = NULL; baseAddress = NULL; for (ULONG i = 0; i < ARRAYSIZE(KphpKnownDllInformation); i++) { PKPH_KNOWN_DLL_INFORMATION info; OBJECT_ATTRIBUTES objectAttributes; SECTION_IMAGE_INFORMATION sectionImageInfo; if (baseAddress) { MmUnmapViewInSystemSpace(baseAddress); baseAddress = NULL; } if (sectionObject) { ObDereferenceObject(sectionObject); sectionObject = NULL; } if (sectionHandle) { ObCloseHandle(sectionHandle, KernelMode); sectionHandle = NULL; } info = &KphpKnownDllInformation[i]; NT_ASSERT(info->BaseAddressStorage); InitializeObjectAttributes(&objectAttributes, &info->SectionName, OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwOpenSection(§ionHandle, SECTION_MAP_READ | SECTION_QUERY, &objectAttributes); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwOpenSection failed: %!STATUS!", status); sectionHandle = NULL; goto Exit; } status = ZwQuerySection(sectionHandle, SectionImageInformation, §ionImageInfo, sizeof(SECTION_IMAGE_INFORMATION), NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwQuerySection failed: %!STATUS!", status); goto Exit; } *info->BaseAddressStorage = sectionImageInfo.TransferAddress; if (!info->Exports) { continue; } status = ObReferenceObjectByHandle(sectionHandle, SECTION_MAP_READ | SECTION_QUERY, *MmSectionObjectType, KernelMode, §ionObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); sectionObject = NULL; goto Exit; } viewSize = 0; status = MmMapViewInSystemSpace(sectionObject, &baseAddress, &viewSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmMapViewInSystemSpace failed: %!STATUS!", status); baseAddress = NULL; goto Exit; } for (PKPH_KNOWN_DLL_EXPORT export = info->Exports; export->Name != NULL; export = export + 1) { PVOID exportAddress; NT_ASSERT(export->Storage); exportAddress = RtlFindExportedRoutineByName(baseAddress, export->Name); if (!exportAddress) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to find %hs in %wZ", export->Name, &info->SectionName); status = STATUS_NOT_FOUND; goto Exit; } *export->Storage = Add2Ptr(sectionImageInfo.TransferAddress, PtrOffset(baseAddress, exportAddress)); } } status = STATUS_SUCCESS; Exit: if (baseAddress) { MmUnmapViewInSystemSpace(baseAddress); } if (sectionObject) { ObDereferenceObject(sectionObject); } if (sectionHandle) { ObCloseHandle(sectionHandle, KernelMode); } return status; } ================================================ FILE: KSystemInformer/kphobject.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #ifdef _WIN64 #define KPH_ATOMIC_OBJECT_REF_SHARED_MAX 7 #define KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_BIT 3 #define KPH_ATOMIC_OBJECT_REF_LOCK_MASK 0x000000000000000f #define KPH_ATOMIC_OBJECT_REF_OBJECT_MASK 0xfffffffffffffff0 #else #define KPH_ATOMIC_OBJECT_REF_SHARED_MAX 3 #define KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_BIT 2 #define KPH_ATOMIC_OBJECT_REF_LOCK_MASK 0x00000007 #define KPH_ATOMIC_OBJECT_REF_OBJECT_MASK 0xfffffff8 #endif #define KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_FLAG (1 << KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_BIT) // // N.B. If more object types are added the array must be expanded. // static KPH_OBJECT_TYPE KphpObjectTypes[16] = { 0 }; C_ASSERT(ARRAYSIZE(KphpObjectTypes) < MAXUCHAR); static LONG KphpObjectTypeCount = 0; static KSI_WORK_QUEUE_ITEM KphpDeferDeleteObjectWorkItem; static SLIST_HEADER KphpDeferDeleteObjectList; /** * \brief Carries out the deletion of an object. * * \param[in] Header The header of an object to delete. */ VOID KphpObjectDelete( _In_freesMem_ PKPH_OBJECT_HEADER Header ) { PKPH_OBJECT_TYPE type; type = &KphpObjectTypes[Header->TypeIndex]; if (type->TypeInfo.Delete) { type->TypeInfo.Delete(KphObjectHeaderToObject(Header)); } type->TypeInfo.Free(Header); InterlockedDecrementSizeTNoFence(&type->TotalNumberOfObjects); } /** * \brief Defers the deletion of an object. * * \param[in] Header The header of an object to defer deletion of. */ VOID KphpObjectDeferDelete( _In_ PKPH_OBJECT_HEADER Header ) { // // Only queue the work item when the list was empty. The worker will flush // the list, at that point the work item is already removed from the work // queue and ready to be re-queued. // if (!InterlockedPushEntrySList(&KphpDeferDeleteObjectList, &Header->ListEntry)) { KsiQueueWorkItem(&KphpDeferDeleteObjectWorkItem, CriticalWorkQueue); } } /** * \brief Creates an object type. * * \param[in] TypeName The name of the type, this must always be resident. * Preferably a string literal. * \param[in] TypeInfo The information for the type being created. * \param[out] ObjectType Set to a pointer to the object type on success. */ VOID KphCreateObjectType( _In_ PCUNICODE_STRING TypeName, _In_ PKPH_OBJECT_TYPE_INFO TypeInfo, _Outptr_ PKPH_OBJECT_TYPE* ObjectType ) { PKPH_OBJECT_TYPE type; LONG index; index = (InterlockedIncrement(&KphpObjectTypeCount) - 1); // // We have failure free object type creation, to achieve this we have // a pre-reserved sized array above. If this asserts the array wasn't // expanded correctly to support a new type. // NT_ASSERT((index >= 0) && (index < ARRAYSIZE(KphpObjectTypes))); NT_ASSERT(index < MAXUCHAR); type = &KphpObjectTypes[index]; type->Name.Buffer = TypeName->Buffer; type->Name.MaximumLength = TypeName->MaximumLength; type->Name.Length = TypeName->Length; type->Index = (UCHAR)index; WriteSizeTNoFence(&type->TotalNumberOfObjects, 0); WriteSizeTNoFence(&type->HighWaterNumberOfObjects, 0); RtlCopyMemory(&type->TypeInfo, TypeInfo, sizeof(*TypeInfo)); *ObjectType = type; } /** * \brief Creates an object of a given type. * * \param[in] ObjectType The type of object to create. * \param[in] ObjectBodySize The size of the object body to create. * \param[out] Object Set to the new object on success. * \param[in] Parameter Optional parameter passed to initialization routine. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphCreateObject( _In_ PKPH_OBJECT_TYPE ObjectType, _In_ ULONG ObjectBodySize, _Outptr_result_nullonfailure_ PVOID* Object, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_OBJECT_HEADER header; PVOID object; SIZE_T total; *Object = NULL; header = ObjectType->TypeInfo.Allocate(KphAddObjectHeaderSize(ObjectBodySize)); if (!header) { return STATUS_INSUFFICIENT_RESOURCES; } WriteSSizeTNoFence(&header->PointerCount, 1); header->TypeIndex = ObjectType->Index; object = KphObjectHeaderToObject(header); if (ObjectType->TypeInfo.Initialize) { status = ObjectType->TypeInfo.Initialize(object, Parameter); if (!NT_SUCCESS(status)) { ObjectType->TypeInfo.Free(header); return status; } } total = InterlockedIncrementSizeTNoFence(&ObjectType->TotalNumberOfObjects); InterlockedExchangeIfGreaterSizeT(&ObjectType->HighWaterNumberOfObjects, total); *Object = object; return STATUS_SUCCESS; } /** * \brief References an object. * * \param[in] Object The object to reference. */ VOID KphReferenceObject( _In_ PVOID Object ) { PKPH_OBJECT_HEADER header; header = KphObjectToObjectHeader(Object); NT_VERIFY(InterlockedIncrementSSizeTNoFence(&header->PointerCount) > 0); } /** * \brief Dereferences an object. * * \param[in] Object The object to dereference. */ VOID KphDereferenceObject( _In_ PVOID Object ) { PKPH_OBJECT_HEADER header; PKPH_OBJECT_TYPE type; SSIZE_T refCount; header = KphObjectToObjectHeader(Object); refCount = InterlockedDecrementSSizeT(&header->PointerCount); if (refCount > 0) { return; } NT_ASSERT(refCount == 0); type = &KphpObjectTypes[header->TypeIndex]; if (type->TypeInfo.DeferDelete) { KphpObjectDeferDelete(header); } else { KphpObjectDelete(header); } } /** * \brief Dereferences an object and defers deletion of the object. * * \param[in] Object The object to dereference. */ VOID KphDereferenceObjectDeferDelete( _In_ PVOID Object ) { PKPH_OBJECT_HEADER header; SSIZE_T refCount; header = KphObjectToObjectHeader(Object); refCount = InterlockedDecrementSSizeT(&header->PointerCount); if (refCount > 0) { return; } NT_ASSERT(refCount == 0); KphpObjectDeferDelete(header); } /** * \brief Retrieves the type from an object. * * \param[in] Object The object to get the type of. * * \return Pointer to the type of object. */ _Must_inspect_result_ PKPH_OBJECT_TYPE KphGetObjectType( _In_ PVOID Object ) { PKPH_OBJECT_HEADER header; UCHAR index; LONG count; header = KphObjectToObjectHeader(Object); index = header->TypeIndex; count = ReadAcquire(&KphpObjectTypeCount); if (index >= count) { return NULL; } return &KphpObjectTypes[index]; } // // Custom locking routines follow, disable pedantic prefast locking checks. // #pragma prefast(push) #pragma prefast(disable: 26165) // possibly failing to release lock #pragma prefast(disable: 26166) // possibly failing to acquire lock /** * \brief Acquires the atomic object reference lock shared. * * \param[in,out] ObjectRef The object reference to acquire the lock for. */ _Requires_lock_not_held_(*ObjectRef) _Acquires_lock_(*ObjectRef) FORCEINLINE VOID KphpAtomicAcquireObjectLockShared( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef ) { ULONG_PTR object; object = ReadULongPtrAcquire(&ObjectRef->Object); for (;; YieldProcessor()) { ULONG_PTR lock; ULONG_PTR expected; lock = object & KPH_ATOMIC_OBJECT_REF_LOCK_MASK; if (lock >= KPH_ATOMIC_OBJECT_REF_SHARED_MAX) { object = ReadULongPtrAcquire(&ObjectRef->Object); continue; } expected = object; object = InterlockedCompareExchangeULongPtr(&ObjectRef->Object, object + 1, expected); if (object == expected) { break; } } } /** * \brief Releases the atomic object reference lock shared. * * \param[in,out] ObjectRef The object reference to release the lock of. */ _Requires_lock_held_(*ObjectRef) _Releases_lock_(*ObjectRef) FORCEINLINE VOID KphpAtomicReleaseObjectLockShared( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef ) { ULONG_PTR object; object = InterlockedDecrementULongPtr(&ObjectRef->Object); object = object & KPH_ATOMIC_OBJECT_REF_SHARED_MAX; NT_ASSERT(object < KPH_ATOMIC_OBJECT_REF_SHARED_MAX); } /** * \brief Acquires the atomic object reference lock exclusive. * * \param[in,out] ObjectRef The object reference to acquire the lock for. */ _Requires_lock_not_held_(*ObjectRef) _Acquires_lock_(*ObjectRef) FORCEINLINE VOID KphpAtomicAcquireObjectLockExclusive( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef ) { ULONG_PTR object; object = ReadULongPtrAcquire(&ObjectRef->Object); for (;; YieldProcessor()) { ULONG_PTR locked; ULONG_PTR expected; if (object & KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_FLAG) { object = ReadULongPtrAcquire(&ObjectRef->Object); continue; } locked = object | KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_FLAG; expected = object; object = InterlockedCompareExchangeULongPtr(&ObjectRef->Object, locked, expected); if (object == expected) { break; } } for (; object & KPH_ATOMIC_OBJECT_REF_SHARED_MAX; YieldProcessor()) { object = ReadULongPtrAcquire(&ObjectRef->Object); } } /** * \brief Releases the atomic object reference lock shared. * * \param[in,out] ObjectRef The object reference to release the lock of. */ _Requires_lock_held_(*ObjectRef) _Releases_lock_(*ObjectRef) FORCEINLINE VOID KphpAtomicReleaseObjectLockExclusive( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef ) { BOOLEAN result; result = InterlockedBitTestAndResetULongPtr(&ObjectRef->Object, KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_BIT); NT_ASSERT(result); } #pragma prefast(pop) // // End of custom locking routines. // /** * \brief Retrieves an addition object reference to an atomically managed * object reference. * * \details This mechanism provides a light weight and fast way to atomically * managed a reference to an object. If an object is currently managed an * additional reference to that object is acquired and must be eventually * released by calling KphDereferenceObject. * * \param[in] ObjectRef The object reference to retrieve the object from. * * \return A referenced object, NULL if no object is managed. */ _Must_inspect_result_ PVOID KphAtomicReferenceObject( _In_ PKPH_ATOMIC_OBJECT_REF ObjectRef ) { ULONG_PTR value; PVOID object; KphpAtomicAcquireObjectLockShared(ObjectRef); value = ReadULongPtrNoFence(&ObjectRef->Object); object = (PVOID)(value & KPH_ATOMIC_OBJECT_REF_OBJECT_MASK); if (object) { KphReferenceObject(object); } KphpAtomicReleaseObjectLockShared(ObjectRef); return object; } /** * \brief Stores an object to an atomically managed object reference. * * \param[in,out] ObjectRef The object reference to assign the object to. * \param[in] Object Optional object to reference and assign. * * \return The previous object that was managed, NULL if no object was managed. */ _Must_inspect_result_ PVOID KphpAtomicStoreObjectReference( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef, _In_opt_ PVOID Object ) { PVOID previous; ULONG_PTR value; ULONG_PTR object; NT_ASSERT(((ULONG_PTR)Object & KPH_ATOMIC_OBJECT_REF_LOCK_MASK) == 0); KphpAtomicAcquireObjectLockExclusive(ObjectRef); value = ReadULongPtrNoFence(&ObjectRef->Object); previous = (PVOID)(value & KPH_ATOMIC_OBJECT_REF_OBJECT_MASK); object = (ULONG_PTR)Object | KPH_ATOMIC_OBJECT_REF_EXCLUSIVE_FLAG; InterlockedExchangeULongPtr(&ObjectRef->Object, object); KphpAtomicReleaseObjectLockExclusive(ObjectRef); return previous; } /** * \brief Assigns an object to an atomically managed object reference. * * \details This mechanism provides a light weight and fast way to atomically * managed a reference to an object. Any previously managed reference will be * released. If an object is provided, this function will acquire an additional * reference to the object, the caller should still release their reference. * * \param[in,out] ObjectRef The object reference to assign the object to. * \param[in] Object Optional object to reference and assign, if NULL the * managed reference will be cleared. */ VOID KphAtomicAssignObjectReference( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef, _In_opt_ PVOID Object ) { PVOID previous; if (Object) { KphReferenceObject(Object); } previous = KphpAtomicStoreObjectReference(ObjectRef, Object); if (previous) { KphDereferenceObject(previous); } } /** * \brief Moves an object to an atomically managed object reference. * * \details This mechanism provides a light weight and fast way to atomically * managed a reference to an object. If any object is provided, this function * will assume ownership over the reference, the caller should *not* release * their reference. If an object is returned the ownership of it is transferred * to the caller, the caller is responsible for eventually releasing it. * * \param[in,out] ObjectRef The object reference to move the object into. * \param[in] Object Optional object move into the object reference. * * \return The previous object that was managed, NULL if no object was managed. */ _Must_inspect_result_ PVOID KphAtomicMoveObjectReference( _Inout_ PKPH_ATOMIC_OBJECT_REF ObjectRef, _In_opt_ PVOID Object ) { return KphpAtomicStoreObjectReference(ObjectRef, Object); } KPH_PAGED_FILE(); /** * \brief Worker routine for deleting objects in a deferred manner. * * \param[in] Parameter Unused parameter. */ _Function_class_(KSI_WORK_QUEUE_ROUTINE) _IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpDeferDeleteObjectWorker( _In_opt_ PVOID Parameter ) { PSLIST_ENTRY entry; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(Parameter); entry = InterlockedFlushSList(&KphpDeferDeleteObjectList); while (entry) { PKPH_OBJECT_HEADER header; header = CONTAINING_RECORD(entry, KPH_OBJECT_HEADER, ListEntry); entry = entry->Next; KphpObjectDelete(header); } } /** * \brief Initializes the object subsystem. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphObjectInitialize( VOID ) { KPH_PAGED_CODE_PASSIVE(); InitializeSListHead(&KphpDeferDeleteObjectList); KsiInitializeWorkItem(&KphpDeferDeleteObjectWorkItem, KphDriverObject, &KphpDeferDeleteObjectWorker, NULL); } ================================================ FILE: KSystemInformer/kphthread.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025-2026 * */ #include #include typedef struct _KPH_THREAD_START_CONTEXT { PKPH_THREAD_START_ROUTINE StartRoutine; PVOID Parameter; UNICODE_STRING ThreadName; } KPH_THREAD_START_CONTEXT, *PKPH_THREAD_START_CONTEXT; KPH_PROTECTED_DATA_SECTION_PUSH(); static HANDLE KphpKsiSystemProcessHandle = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Thread start routine for system threads. * * \param[in] Context Pointer to a KPH_THREAD_START_CONTEXT. */ _Function_class_(KSTART_ROUTINE) _IRQL_requires_same_ VOID KphpThreadStartRoutine( _In_ PVOID StartContext ) { NTSTATUS status; PKPH_THREAD_START_CONTEXT context; PKPH_THREAD_START_ROUTINE startRoutine; PVOID parameter; KPH_PAGED_CODE_PASSIVE(); context = StartContext; startRoutine = context->StartRoutine; parameter = context->Parameter; if (context->ThreadName.Length && !KphParameterFlags.DisableThreadNames) { status = ZwSetInformationThread(ZwCurrentThread(), ThreadNameInformation, &context->ThreadName, sizeof(UNICODE_STRING)); if (NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Set thread (%lu) name \"%wZ\"", HandleToULong(PsGetCurrentThreadId()), &context->ThreadName); } else { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to set thread (%lu) name \"%wZ\": %!STATUS!", HandleToULong(PsGetCurrentThreadId()), &context->ThreadName, status); } } KphFree(context, KPH_TAG_THREAD_START_CONTEXT); status = startRoutine(parameter); PsTerminateSystemThread(status); } /** * \brief Creates a system thread. * * \param[out] ThreadHandle Optionally receives a handle to the created thread. * The caller must close the handle once the handle is no longer in use. The * handle is a kernel handle with THREAD_ALL_ACCESS access rights. * \param[out] ThreadObject Optionally receives a the created thread object. * The caller must dereference the object once it is no longer in use. * \param[in] StartRoutine The entry point for the newly created system thread. * \param[in] Parameter Argument that is passed to the thread. * \param[in] ThreadName Optionally specifies a name for the thread. * \param[in] Flags Optional flags that control the thread creation. * KPH_CREATE_SYSTEM_THREAD_IN_KSI_PROCESS if possible the thread will be * created in a dedicated process that is used for system threads. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphCreateSystemThread( _Out_opt_ PHANDLE ThreadHandle, _Out_opt_ PETHREAD* ThreadObject, _In_ PKPH_THREAD_START_ROUTINE StartRoutine, _In_opt_ _When_(return >= 0, __drv_aliasesMem) PVOID Parameter, _In_opt_ PCUNICODE_STRING ThreadName, _In_ ULONG Flags ) { NTSTATUS status; HANDLE threadHandle; ULONG contextLength; PKPH_THREAD_START_CONTEXT context; HANDLE processHandle; KPH_PAGED_CODE_PASSIVE(); if (ThreadHandle) { *ThreadHandle = NULL; } if (ThreadObject) { *ThreadObject = NULL; } threadHandle = NULL; contextLength = sizeof(KPH_THREAD_START_CONTEXT); if (ThreadName) { contextLength += ThreadName->Length; } context = KphAllocatePaged(contextLength, KPH_TAG_THREAD_START_CONTEXT); if (!context) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate thread start context."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } context->StartRoutine = StartRoutine; context->Parameter = Parameter; if (ThreadName) { context->ThreadName.MaximumLength = ThreadName->Length; context->ThreadName.Buffer = Add2Ptr(context, sizeof(KPH_THREAD_START_CONTEXT)); RtlCopyUnicodeString(&context->ThreadName, ThreadName); } if (FlagOn(Flags, KPH_CREATE_SYSTEM_THREAD_IN_KSI_PROCESS)) { processHandle = KphpKsiSystemProcessHandle; } else { processHandle = NULL; } status = PsCreateSystemThread(&threadHandle, THREAD_ALL_ACCESS, NULL, processHandle, NULL, KphpThreadStartRoutine, context); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsCreateSystemThread failed: %!STATUS!", status); threadHandle = NULL; goto Exit; } context = NULL; if (ThreadObject) { NT_VERIFY(NT_SUCCESS(ObReferenceObjectByHandle(threadHandle, THREAD_ALL_ACCESS, *PsThreadType, KernelMode, ThreadObject, NULL))); } if (ThreadHandle) { *ThreadHandle = threadHandle; threadHandle = NULL; } Exit: if (threadHandle) { ObCloseHandle(threadHandle, KernelMode); } if (context) { KphFree(context, KPH_TAG_THREAD_START_CONTEXT); } return status; } /** * \brief Cleans up the threading subsystem. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupThreading( VOID ) { KPH_PAGED_CODE_PASSIVE(); if (KphpKsiSystemProcessHandle) { ObCloseHandle(KphpKsiSystemProcessHandle, KernelMode); } } /** * \brief Initializes threading subsystem. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeThreading( VOID ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); if (KphParameterFlags.DisableSystemProcess) { KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "System process disabled."); return; } status = KsiInitializeSystemProcess(KphSystemProcessName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KsiInitializeSystemProcess failed: %!STATUS!", status); return; } status = ObOpenObjectByPointer(KsiSystemProcess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, *PsProcessType, KernelMode, &KphpKsiSystemProcessHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); KphpKsiSystemProcessHandle = NULL; } } ================================================ FILE: KSystemInformer/ksidll.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #include // // This library is intended to be an extension of core OS functionality which // enables drivers to perform operations within the system that would otherwise // be dangerous or impossible. // KPH_PROTECTED_DATA_SECTION_PUSH(); static BYTE KsipProtectedSection = 0; static PMM_PROTECT_DRIVER_SECTION KsipMmProtectDriverSection = NULL; static PKE_REMOVE_QUEUE_APC KsipKeRemoveQueueApc = NULL; static PZW_CREATE_PROCESS_EX KsipZwCreateProcessEx = NULL; KPH_PROTECTED_DATA_SECTION_POP(); static KEVENT KsipDummyThreadEvent; static HANDLE KsipSystemProcessHandle = NULL; PEPROCESS KsiSystemProcess = NULL; _IRQL_requires_max_(PASSIVE_LEVEL) PVOID KsipGetSystemRoutineAddress( _In_z_ PCWSTR SystemRoutineName ) { UNICODE_STRING systemRoutineName; RtlInitUnicodeString(&systemRoutineName, SystemRoutineName); return MmGetSystemRoutineAddress(&systemRoutineName); } // // This is an extension of the APC functionality in Windows to enable a driver // to be unloaded while there are outstanding APCs on the system which // reference it. // // N.B. While this library guarantees the driver will not be unmapped, it does // not prevent DriverUnload from being invoked. Drivers using this library may // check DIRVER_OBJECT.Flags for DRVO_UNLOAD_INVOKED to know if the system has // or is about to invoke DriverUnload. If applicable the driver should act // accordingly in their routines. // // This extension guarantees that the cleanup routine will always be invoked. // Either due to normal APC rundown, removal, immediately after the kernel // routine is executed, or (in the case of normal kernel APC execution) after // the normal kernel routine executes. KSI_KAPC_CLEANUP_REASON indicates the // context in which this is called. Users may choose to implement their own // mechanism in the cleanup routine to synchronize with DriverUnload. // _Function_class_(KRUNDOWN_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID NTAPI KsipApcRundownRoutine( _In_ PKAPC Apc ) { PKSI_KAPC apc; PDRIVER_OBJECT driverObject; PKSI_KCLEANUP_ROUTINE cleanupRoutine; apc = (PKSI_KAPC)Apc; driverObject = apc->DriverObject; cleanupRoutine = (PKSI_KCLEANUP_ROUTINE)apc->InternalCleanup; cleanupRoutine(apc, KsiApcCleanupRundown); ObDereferenceObjectDeferDelete(driverObject); } _Function_class_(KNORMAL_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID NTAPI KsipApcNormalRoutine( _In_opt_ PVOID NormalContext, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2 ) { PKSI_KAPC apc; PDRIVER_OBJECT driverObject; PKNORMAL_ROUTINE normalRoutine; PKSI_KCLEANUP_ROUTINE cleanupRoutine; NT_ASSERT(NormalContext); apc = (PKSI_KAPC)NormalContext; driverObject = apc->DriverObject; normalRoutine = (PKNORMAL_ROUTINE)apc->InternalRoutine; cleanupRoutine = (PKSI_KCLEANUP_ROUTINE)apc->InternalCleanup; normalRoutine(apc->InternalContext, SystemArgument1, SystemArgument2); cleanupRoutine(apc, KsiApcCleanupNormal); ObDereferenceObjectDeferDelete(driverObject); } _Function_class_(KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID NTAPI KsipApcKernelRoutine( _In_ PKAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE *NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ) { PKSI_KAPC apc; PDRIVER_OBJECT driverObject; PKSI_KKERNEL_ROUTINE kernelRoutine; PKSI_KCLEANUP_ROUTINE cleanupRoutine; apc = (PKSI_KAPC)Apc; driverObject = apc->DriverObject; kernelRoutine = (PKSI_KKERNEL_ROUTINE)apc->InternalRoutine; cleanupRoutine = (PKSI_KCLEANUP_ROUTINE)apc->InternalCleanup; kernelRoutine(apc, NormalRoutine, NormalContext, SystemArgument1, SystemArgument2); if ((apc->Apc.ApcMode == KernelMode) && *NormalRoutine) { apc->InternalRoutine = (PVOID)*NormalRoutine; apc->InternalContext = *NormalContext; *NormalRoutine = KsipApcNormalRoutine; *NormalContext = apc; return; } cleanupRoutine(apc, KsiApcCleanupKernel); ObDereferenceObjectDeferDelete(driverObject); } VOID KSIAPI KsiInitializeApc( _Out_ PKSI_KAPC Apc, _In_ PDRIVER_OBJECT DriverObject, _In_ PRKTHREAD Thread, _In_ KAPC_ENVIRONMENT Environment, _In_ PKSI_KKERNEL_ROUTINE KernelRoutine, _In_ PKSI_KCLEANUP_ROUTINE CleanupRoutine, _In_opt_ PKNORMAL_ROUTINE NormalRoutine, _In_ KPROCESSOR_MODE Mode, _In_opt_ PVOID NormalContext ) { KeInitializeApc(&Apc->Apc, Thread, Environment, KsipApcKernelRoutine, KsipApcRundownRoutine, NormalRoutine, Mode, NormalContext); Apc->DriverObject = DriverObject; Apc->InternalRoutine = (PVOID)KernelRoutine; Apc->InternalCleanup = (PVOID)CleanupRoutine; Apc->InternalContext = NULL; } BOOLEAN KSIAPI KsiInsertQueueApc( _Inout_ PKSI_KAPC Apc, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2, _In_ KPRIORITY PriorityBoost ) { BOOLEAN result; ObReferenceObject(Apc->DriverObject); result = KeInsertQueueApc(&Apc->Apc, SystemArgument1, SystemArgument2, PriorityBoost); if (!result) { ObDereferenceObject(Apc->DriverObject); } return result; } NTSTATUS KSIAPI KsiRemoveQueueApc( _Inout_ PKSI_KAPC Apc ) { PDRIVER_OBJECT driverObject; PKSI_KCLEANUP_ROUTINE cleanupRoutine; if (!KsipKeRemoveQueueApc) { return STATUS_NOINTERFACE; } if (!KsipKeRemoveQueueApc(&Apc->Apc)) { return STATUS_INVALID_STATE_TRANSITION; } driverObject = Apc->DriverObject; cleanupRoutine = (PKSI_KCLEANUP_ROUTINE)Apc->InternalCleanup; cleanupRoutine(Apc, KsiApcCleanupRemoved); ObDereferenceObjectDeferDelete(driverObject); return STATUS_SUCCESS; } // // This is an extension of the work queue functionality in Windows to enable a // driver to be unloaded while there are outstanding queued work items on the // system with which reference it. // // N.B. WORK_QUEUE_ITEM and IO_WORKITEM are not equivalent. WORK_QUEUE_ITEM does // not provide a mechanism to reference an object associated with the driver // that queued the work item. IO_WORKITEM does, but its implementation for work // scheduling and accounting differs. They are not interchangeable. Therefore, // this implementation adds support for associating a driver object with a // WORK_QUEUE_ITEM. // // N.B. While this library guarantees the driver will not be unmapped, it does // not prevent DriverUnload from being invoked. Drivers using this library may // check DIRVER_OBJECT.Flags for DRVO_UNLOAD_INVOKED to know if the system has // or is about to invoke DriverUnload. If applicable the driver should act // accordingly in their routines. // _Function_class_(WORKER_THREAD_ROUTINE) _IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID KsipWorkItemRoutine( _In_ PVOID Parameter ) { PKSI_WORK_QUEUE_ITEM workItem; PDRIVER_OBJECT driverObject; PKSI_WORK_QUEUE_ROUTINE routine; workItem = Parameter; driverObject = workItem->DriverObject; routine = workItem->Routine; routine(workItem->Parameter); ObDereferenceObjectDeferDelete(driverObject); } _IRQL_requires_max_(DISPATCH_LEVEL) VOID KSIAPI KsiInitializeWorkItem( _Out_ PKSI_WORK_QUEUE_ITEM WorkItem, _In_ PDRIVER_OBJECT DriverObject, _In_ PKSI_WORK_QUEUE_ROUTINE Routine, _In_opt_ PVOID Parameter ) { WorkItem->DriverObject = DriverObject; WorkItem->Routine = Routine; WorkItem->Parameter = Parameter; #pragma warning(suppress: 4996) ExInitializeWorkItem(&WorkItem->WorkItem, KsipWorkItemRoutine, WorkItem); } _IRQL_requires_max_(DISPATCH_LEVEL) VOID KSIAPI KsiQueueWorkItem( _Inout_ PKSI_WORK_QUEUE_ITEM WorkItem, _In_ WORK_QUEUE_TYPE QueueType ) { ObReferenceObject(WorkItem->DriverObject); #pragma prefast(push) #pragma prefast(disable: 28159) // obsolete function #pragma warning(suppress: 4996) ExQueueWorkItem(&WorkItem->WorkItem, QueueType); #pragma prefast(pop) } // // This is an extension that allows a minimal system process to be created. // Minimal processes must be terminated using PsTerminateMinimalProcess, but // this routine is not exported or accessible through normal means. If a minimal // process is deleted without first calling PsTerminateMinimalProcess, the // system will bug check with INVALID_MINIMAL_PROCESS_STATE. // // This implementation creates and exposes a minimal system process object that // the System Informer driver can use. To work around the limitation, the // lifetime of this process object is managed by this pinned module. This allows // System Informer to reuse the existing minimal process object without needing // to terminate it. // // As a result, the minimal process object is effectively "leaked" and requires // a system reboot to be removed. This is currently the most practical approach // until Microsoft provides official APIs for drivers to manage minimal // processes more appropriately. // // N.B. This implementation makes some assumptions. It assumes that the current // process is PsInitialSystemProcess. And the routine is not thread safe. It // should be used only by System Informer during driver initialization. // _IRQL_requires_same_ _Function_class_(KSTART_ROUTINE) VOID KsipDummyThreadRoutine( _In_ PVOID StartContext ) { UNREFERENCED_PARAMETER(StartContext); // // This dummy thread ensures the process remains active. This is the same // pattern that the Registry process uses to keep itself active (without a // call to KeBugCheckEx if the wait returns). // KeWaitForSingleObject(&KsipDummyThreadEvent, Executive, KernelMode, FALSE, NULL); PsTerminateSystemThread(STATUS_SUCCESS); } _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KSIAPI KsiInitializeSystemProcess( _In_ PCUNICODE_STRING ProcessName ) { NTSTATUS status; HANDLE threadHandle; OBJECT_ATTRIBUTES objectAttributes; NT_ASSERT(PsGetCurrentProcess() == PsInitialSystemProcess); if (!KsipZwCreateProcessEx) { return STATUS_NOINTERFACE; } if (KsiSystemProcess) { return STATUS_SUCCESS; } threadHandle = NULL; if (!KsipSystemProcessHandle) { HANDLE processHandle; InitializeObjectAttributes(&objectAttributes, (PUNICODE_STRING)ProcessName, OBJ_KERNEL_HANDLE, NULL, NULL); status = KsipZwCreateProcessEx(&processHandle, PROCESS_ALL_ACCESS, &objectAttributes, ZwCurrentProcess(), PROCESS_CREATE_FLAGS_MINIMAL_PROCESS, NULL, NULL, NULL, 0); if (!NT_SUCCESS(status)) { goto Exit; } // // N.B. We cannot close the handle at this point, as there is no clean // way to call PsTerminateMinimalProcess. Closing the handle risks // triggering a bug check with INVALID_MINIMAL_PROCESS_STATE. If we fail // below, the process object pointer (KsiSystemProcess) will remain // NULL, allowing us to re-enter this path and try again - though it // will likely continue to fail. // KsipSystemProcessHandle = processHandle; } InitializeObjectAttributes(&objectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); status = PsCreateSystemThread(&threadHandle, THREAD_ALL_ACCESS, &objectAttributes, KsipSystemProcessHandle, NULL, KsipDummyThreadRoutine, NULL); if (!NT_SUCCESS(status)) { threadHandle = NULL; goto Exit; } NT_VERIFY(NT_SUCCESS(ObReferenceObjectByHandle(KsipSystemProcessHandle, PROCESS_ALL_ACCESS, *PsProcessType, KernelMode, &KsiSystemProcess, NULL))); Exit: if (threadHandle) { ObCloseHandle(threadHandle, KernelMode); } return status; } // // General Library Functions // _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KsiInitialize( _In_ ULONG Version, _In_ PDRIVER_OBJECT DriverObject, _In_opt_ PVOID Reserved ) { UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(Reserved); if (Version != KSIDLL_CURRENT_VERSION) { return STATUS_SI_KSIDLL_VERSION_MISMATCH; } return STATUS_SUCCESS; } _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KsiUninitialize( _In_ PDRIVER_OBJECT DriverObject, _In_ ULONG Reserved ) { UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(Reserved); } NTSTATUS DllUnload( VOID ) { // // N.B. It used to be that not specifying a DllUnload routine would // enforce that your export driver can not be unloaded by not activating // the reference count mechanism. 10.0.25997.1010 changed this so if you // do not specify DllUnload the driver can be unmapped. This is resolved // by implementing DllUnload and returning an error. // return STATUS_NOT_SUPPORTED; } NTSTATUS DllInitialize( _In_ PUNICODE_STRING RegistryPath ) { UNREFERENCED_PARAMETER(RegistryPath); __security_init_cookie(); ExInitializeDriverRuntime(DrvRtPoolNxOptIn); KeInitializeEvent(&KsipDummyThreadEvent, SynchronizationEvent, FALSE); KsipMmProtectDriverSection = (PMM_PROTECT_DRIVER_SECTION)KsipGetSystemRoutineAddress(L"MmProtectDriverSection"); KsipKeRemoveQueueApc = (PKE_REMOVE_QUEUE_APC)KsipGetSystemRoutineAddress(L"KeRemoveQueueApc"); KsipZwCreateProcessEx = (PZW_CREATE_PROCESS_EX)KsipGetSystemRoutineAddress(L"ZwCreateProcessEx"); if (KsipMmProtectDriverSection) { KsipMmProtectDriverSection(&KsipProtectedSection, 0, 0); } return STATUS_SUCCESS; } ================================================ FILE: KSystemInformer/ksidll.def ================================================ LIBRARY ksi.dll EXPORTS DllInitialize PRIVATE DllUnload PRIVATE KsiInitialize KsiUninitialize KsiInitializeApc KsiInsertQueueApc KsiRemoveQueueApc KsiInitializeWorkItem KsiQueueWorkItem KsiInitializeSystemProcess KsiSystemProcess DATA ================================================ FILE: KSystemInformer/ksidll.vcxproj ================================================  Debug ARM64 Release ARM64 Debug x64 Release x64 17.0 {B385D394-19CC-48BC-827E-AF9ADCE559E0} {dd38f7fc-d7bd-488b-9242-7d8754cde80d} DynamicLibrary KSystemInformer $(SystemInformerRoot)KSystemInformer\obj\$(Configuration)$(PlatformArchitecture)\$(ProjectName)\ $(SystemInformerRoot)KSystemInformer\bin\$(Configuration)$(PlatformArchitecture)\ ksi _KSIDLL_;%(PreprocessorDefinitions) true ksidll.def %(AdditionalIncludeDirectories);$(SystemInformerRoot)kphlib\include\; ================================================ FILE: KSystemInformer/lsa.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2024-2026 * */ #include #include KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpLsaPortName = RTL_CONSTANT_STRING(L"\\SeLsaCommandPort"); KPH_PROTECTED_DATA_SECTION_RO_POP(); static HANDLE KphpLsassProcessId = NULL; KPH_PAGED_FILE(); /** * \brief Retrieves the process ID of lsass. * * \param[out] ProcessId Set to the process ID of lsass. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphpGetLsassProcessId( _Out_ PHANDLE ProcessId ) { NTSTATUS status; KIRQL currentIrql; PKPH_DYN dyn; HANDLE portHandle; KAPC_STATE apcState; KPH_ALPC_COMMUNICATION_INFORMATION info; KPH_PAGED_CODE(); // // We cache the process ID of lsass since opening and closing the connection // port frequently can cause significant performance degradation. This cache // is invalidated when: // // - A process exits and the process ID is what was cached. // - The process does not have SeCreateTokenPrivilege. // // N.B. The privilege check is always performed when checking if a process // is lsass, even when the cached process ID is used. // *ProcessId = InterlockedCompareExchangePointer(&KphpLsassProcessId, NULL, NULL); if (*ProcessId) { return STATUS_SUCCESS; } currentIrql = KeGetCurrentIrql(); if (currentIrql > PASSIVE_LEVEL) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpGetLsassProcessId called at %!irql!", currentIrql); return STATUS_INVALID_LEVEL; } // // N.B. This is an optimization. In order to query the process ID of lsass // through the LSA port, we need the dynamic data. Rather than doing the // work to attach to the system process and open the port, if we know we // do not have the dynamic data, exit early. // dyn = KphReferenceDynData(); if (!dyn) { return STATUS_NOINTERFACE; } // // Attach to system to ensure we get a kernel handle from the following // ZwAlpcConnectPort call. Opening the handle here does not ask for the // object attributes. To keep our imports simple we choose to use this // over the Ex version (might change in the future). Pattern is adopted // from msrpc.sys. // KeStackAttachProcess(PsInitialSystemProcess, &apcState); status = ZwAlpcConnectPort(&portHandle, (PUNICODE_STRING)&KphpLsaPortName, NULL, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwAlpcConnectPort failed: %!STATUS!", status); portHandle = NULL; goto Exit; } status = KphAlpcQueryInformation(ZwCurrentProcess(), portHandle, KphAlpcCommunicationInformation, &info, sizeof(KPH_ALPC_COMMUNICATION_INFORMATION), NULL, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphAlpcQueryInformation failed: %!STATUS!", status); goto Exit; } *ProcessId = info.ConnectionPort.OwnerProcessId; Exit: if (portHandle) { ObCloseHandle(portHandle, KernelMode); } KeUnstackDetachProcess(&apcState); KphDereferenceObject(dyn); return status; } /** * \brief Caches the lsass process ID if appropriate. * * \param[in] Process Optional lsass process object. * \param[in] ProcessId The lsass process ID to cache. */ _IRQL_requires_max_(APC_LEVEL) VOID KphpCacheLsassProcessId( _In_opt_ PEPROCESS Process, _In_ HANDLE ProcessId ) { PEPROCESS process; KPH_PAGED_CODE(); if (ReadPointerAcquire(&KphpLsassProcessId) == ProcessId) { return; } if (Process) { process = Process; } else if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &process))) { return; } NT_ASSERT(PsGetProcessId(process) == ProcessId); if (NT_SUCCESS(PsAcquireProcessExitSynchronization(process))) { InterlockedExchangePointer(&KphpLsassProcessId, ProcessId); PsReleaseProcessExitSynchronization(process); } if (process != Process) { ObDereferenceObject(process); } } /** * \brief Checks if a given process is lsass. * * \param[in] Process The process to check. * \param[out] IsLsass TRUE if the process is lsass, FALSE otherwise. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphProcessIsLsass( _In_ PEPROCESS Process, _Out_ PBOOLEAN IsLsass ) { NTSTATUS status; PS_PROTECTION processProtection; HANDLE processId; SECURITY_SUBJECT_CONTEXT subjectContext; BOOLEAN result; KPH_PAGED_CODE(); *IsLsass = FALSE; processProtection = PsGetProcessProtection(Process); if ((processProtection.Type != PsProtectedTypeNone) && (processProtection.Signer == PsProtectedSignerLsa)) { processId = PsGetProcessId(Process); KphpCacheLsassProcessId(Process, processId); } else { status = KphpGetLsassProcessId(&processId); if (!NT_SUCCESS(status)) { return status; } KphpCacheLsassProcessId(NULL, processId); if (processId != PsGetProcessId(Process)) { return STATUS_SUCCESS; } } SeCaptureSubjectContextEx(NULL, Process, &subjectContext); result = KphSinglePrivilegeCheckEx(SeCreateTokenPrivilege, &subjectContext, UserMode); SeReleaseSubjectContext(&subjectContext); if (result) { *IsLsass = TRUE; } else { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PID %lu does not have SeCreateTokenPrivilege", HandleToULong(processId)); InterlockedExchangePointer(&KphpLsassProcessId, NULL); } return STATUS_SUCCESS; } /** * \brief Validates if a process is lsass and caches it. * * \details This should be called whenever a new process is identified. * * \param[in] Process The process to validate. */ _IRQL_requires_max_(APC_LEVEL) VOID KphValidateLsass( _In_ PEPROCESS Process ) { NTSTATUS status; BOOLEAN isLsass; KPH_PAGED_CODE(); status = KphProcessIsLsass(Process, &isLsass); if (NT_SUCCESS(status) && isLsass) { KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Validated LSA process (%lu)", HandleToULong(PsGetProcessId(Process))); } } /** * \brief Invalidates the cached lsass process ID if it matches. * * \details This should be called whenever a process ID could be recycled. * * \param[in] Process The process to invalidate. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInvalidateLsass( _In_ PEPROCESS Process ) { HANDLE processId; KPH_PAGED_CODE(); processId = PsGetProcessId(Process); if (InterlockedCompareExchangePointer(&KphpLsassProcessId, NULL, processId) == processId) { KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Invalidated LSA process (%lu)", HandleToULong(processId)); } } /** * \brief Checks if lsass can be identified. * * \return TRUE if lsass can be identified, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphCanIdentifyLsass( VOID ) { NTSTATUS status; BOOLEAN isLsass; KPH_PAGED_CODE(); // // N.B. It does not matter what process we use here and we intentionally // ignore the output boolean. What matters is the return succeeds which // indicates that we can identify lsass. // status = KphProcessIsLsass(PsInitialSystemProcess, &isLsass); return NT_SUCCESS(status); } ================================================ FILE: KSystemInformer/main.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2021-2026 * */ #include #include #include KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const BYTE KphpProtectedSectionReadOnly = 0; KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static BYTE KphpProtectedSection = 0; PDRIVER_OBJECT KphDriverObject = NULL; RTL_OSVERSIONINFOEXW KphOsVersionInfo = { 0 }; KPH_FILE_VERSION KphKernelVersion = { 0 }; BOOLEAN KphIgnoreProtectionsSuppressed = FALSE; BOOLEAN KphIgnoreTestSigningEnabled = FALSE; SYSTEM_SECUREBOOT_INFORMATION KphSecureBootInfo = { 0 }; SYSTEM_CODEINTEGRITY_INFORMATION KphCodeIntegrityInfo = { 0 }; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Protects select sections. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpProtectSections( VOID ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); if (!KphDynMmProtectDriverSection) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmProtectDriverSection not found"); return; } status = KphDynMmProtectDriverSection(&KphpProtectedSection, 0, MM_PROTECT_DRIVER_SECTION_ALLOW_UNLOAD); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmProtectDriverSection %!STATUS!", status); status = KphDynMmProtectDriverSection((PVOID)&KphpProtectedSectionReadOnly, 0, MM_PROTECT_DRIVER_SECTION_ALLOW_UNLOAD); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmProtectDriverSection %!STATUS!", status); } /** * \brief Cleans up the driver state. * * \param[in] DriverObject Driver object of this driver. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpDriverCleanup( _In_ PDRIVER_OBJECT DriverObject ) { KPH_PAGED_CODE_PASSIVE(); KphDebugInformerStop(); KphRegistryInformerStop(); KphObjectInformerStop(); KphImageInformerStop(); KphCidMarkPopulated(); KphThreadInformerStop(); KphProcessInformerStop(); KphFltUnregister(); KphCidCleanup(); KphCleanupInformer(); KphCleanupDynData(); KphCleanupVerify(); KphCleanupHashing(); KphCleanupThreading(); KphCleanupParameters(); KsiUninitialize(DriverObject, 0); } /** * \brief Driver unload routine. * * \param[in] DriverObject Driver object of this driver. */ _Function_class_(DRIVER_UNLOAD) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID DriverUnload( _In_ PDRIVER_OBJECT DriverObject ) { KPH_PAGED_CODE_PASSIVE(); KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Driver Unloading..."); KphpDriverCleanup(DriverObject); KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Driver Unloaded"); WPP_CLEANUP(DriverObject); } /** * \brief Driver entry point. * * \param[in] DriverObject Driver object for this driver. * \param[in] RegistryPath Registry path for this driver. * * \return Successful or errant status. */ _Function_class_(DRIVER_INITIALIZE) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); WPP_INIT_TRACING(DriverObject, RegistryPath); KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Driver Loading..."); KphDriverObject = DriverObject; KphDriverObject->DriverUnload = DriverUnload; ExInitializeDriverRuntime(DrvRtPoolNxOptIn); status = KsiInitialize(KSIDLL_CURRENT_VERSION, DriverObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "KsiInitialize failed: %!STATUS!", status); goto Exit; } KphOsVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW); status = RtlGetVersion((PRTL_OSVERSIONINFOW)&KphOsVersionInfo); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "RtlGetVersion failed: %!STATUS!", status); goto Exit; } if (!NT_SUCCESS(ZwQuerySystemInformation(SystemSecureBootInformation, &KphSecureBootInfo, sizeof(KphSecureBootInfo), NULL))) { RtlZeroMemory(&KphSecureBootInfo, sizeof(KphSecureBootInfo)); } KphCodeIntegrityInfo.Length = sizeof(KphCodeIntegrityInfo); if (!NT_SUCCESS(ZwQuerySystemInformation(SystemCodeIntegrityInformation, &KphCodeIntegrityInfo, sizeof(KphCodeIntegrityInfo), NULL))) { RtlZeroMemory(&KphCodeIntegrityInfo, sizeof(KphCodeIntegrityInfo)); } if (KphInDeveloperMode()) { KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Developer Mode"); } KphDynamicImport(); KphObjectInitialize(); KphInitializeRingBuffer(); KphInitializeParameters(RegistryPath); KphInitializeAlloc(); KphInitializeThreading(); status = KphInitializeKnownDll(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "KphInitializeKnownDll failed: %!STATUS!", status); goto Exit; } status = KphGetKernelVersion(&KphKernelVersion); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "KphGetKernelVersion failed: %!STATUS!", status); goto Exit; } KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Windows %lu.%lu.%lu Kernel %lu.%lu.%lu.%lu", KphOsVersionInfo.dwMajorVersion, KphOsVersionInfo.dwMinorVersion, KphOsVersionInfo.dwBuildNumber, KphKernelVersion.MajorVersion, KphKernelVersion.MinorVersion, KphKernelVersion.BuildNumber, KphKernelVersion.Revision); status = KphInitializeHashing(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to initialize hashing: %!STATUS!", status); goto Exit; } status = KphInitializeVerify(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to initialize verify: %!STATUS!", status); goto Exit; } KphInitializeDynData(); KphInitializeProtection(); KphInitializeSessionToken(); status = KphInitializeStackBackTrace(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to initialize stack back trace: %!STATUS!", status); goto Exit; } status = KphInitializeInformer(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to initialize informer: %!STATUS!", status); goto Exit; } status = KphFltRegister(DriverObject, RegistryPath); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to register mini-filter: %!STATUS!", status); goto Exit; } status = KphCidInitialize(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to initialize CID tracking: %!STATUS!", status); goto Exit; } status = KphProcessInformerStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to start process informer: %!STATUS!", status); goto Exit; } status = KphThreadInformerStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to start thread informer: %!STATUS!", status); goto Exit; } status = KphCidPopulate(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to populate CID tracking: %!STATUS!", status); goto Exit; } KphCidMarkPopulated(); status = KphFltInformerStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to start mini-filter informer: %!STATUS!", status); goto Exit; } status = KphImageInformerStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to start image informer: %!STATUS!", status); goto Exit; } status = KphObjectInformerStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to start object informer: %!STATUS!", status); goto Exit; } status = KphRegistryInformerStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to start registry informer: %!STATUS!", status); goto Exit; } status = KphDebugInformerStart(); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Failed to start debug informer: %!STATUS!", status); goto Exit; } KphpProtectSections(); Exit: if (NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_INFORMATION, GENERAL, "Driver Loaded"); } else { KphTracePrint(TRACE_LEVEL_ERROR, GENERAL, "Driver Load Failed: %!STATUS!", status); KphpDriverCleanup(DriverObject); WPP_CLEANUP(DriverObject); } return status; } ================================================ FILE: KSystemInformer/object.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2021-2026 * */ #include #include typedef struct _KPH_ENUMERATE_PROCESS_HANDLES_CONTEXT { PKPH_DYN Dyn; KPROCESSOR_MODE AccessMode; PVOID Buffer; PVOID BufferLimit; PVOID CurrentEntry; ULONG Count; NTSTATUS Status; } KPH_ENUMERATE_PROCESS_HANDLES_CONTEXT, *PKPH_ENUMERATE_PROCESS_HANDLES_CONTEXT; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpEtwRegistrationName = RTL_CONSTANT_STRING(L"EtwRegistration"); KPH_PROTECTED_DATA_SECTION_RO_POP(); _Must_inspect_result_ PVOID KphObpDecodeObject( _In_ PKPH_DYN Dyn, _In_ PHANDLE_TABLE_ENTRY HandleTableEntry ) { #if defined(_M_X64) || defined(_M_ARM64) if (Dyn->ObDecodeShift != ULONG_MAX) { LONG_PTR object; object = (LONG_PTR)(HandleTableEntry->Object); // // Decode the object pointer, shift back up the lower nibble to zeros. // N.B. LA57 is special but the way we define HANDLE_TABLE_ENTRY and // use dynamic data supports it. // object >>= Dyn->ObDecodeShift; object <<= 4; return (PVOID)object; } else { return NULL; } #else return (PVOID)((ULONG_PTR)(HandleTableEntry->Object) & ~OBJ_HANDLE_ATTRIBUTES); #endif } ULONG KphObpGetHandleAttributes( _In_ PKPH_DYN Dyn, _In_ PHANDLE_TABLE_ENTRY HandleTableEntry ) { #if defined(_M_X64) || defined(_M_ARM64) if (Dyn->ObAttributesShift != ULONG_MAX) { return (ULONG)(HandleTableEntry->Value >> Dyn->ObAttributesShift) & 0x3; } else { return 0; } #else return (HandleTableEntry->ObAttributes & (OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)) | ((HandleTableEntry->GrantedAccess & ObpAccessProtectCloseBit) ? OBJ_PROTECT_CLOSE : 0); #endif } /** * \brief Retrieves information about a file object. * * \param[in] FileObject The file object to retrieve information for. * \param[out] Information Receives the file object information. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpGetFileObjectInformation( _In_ PFILE_OBJECT FileObject, _Out_ PKPH_FILE_OBJECT_INFORMATION Information ) { PDEVICE_OBJECT attachedDevice; PDEVICE_OBJECT relatedDevice; KIRQL irql; PVPB vpb; // // VPB lock will be acquired, code placed in non-paged segment on purpose. // KPH_NPAGED_CODE_PASSIVE(); attachedDevice = IoGetAttachedDevice(FileObject->DeviceObject); relatedDevice = IoGetRelatedDeviceObject(FileObject); RtlZeroMemory(Information, sizeof(KPH_FILE_OBJECT_INFORMATION)); Information->LockOperation = FileObject->LockOperation; Information->DeletePending = FileObject->DeletePending; Information->ReadAccess = FileObject->ReadAccess; Information->WriteAccess = FileObject->WriteAccess; Information->DeleteAccess = FileObject->DeleteAccess; Information->SharedRead = FileObject->SharedRead; Information->SharedWrite = FileObject->SharedWrite; Information->SharedDelete = FileObject->SharedDelete; Information->CurrentByteOffset = FileObject->CurrentByteOffset; Information->Flags = FileObject->Flags; if (FileObject->SectionObjectPointer) { Information->UserWritableReferences = MmDoesFileHaveUserWritableReferences(FileObject->SectionObjectPointer); } Information->HasActiveTransaction = (IoGetTransactionParameterBlock(FileObject) ? TRUE : FALSE); Information->IsIgnoringSharing = IoIsFileObjectIgnoringSharing(FileObject); Information->Waiters = FileObject->Waiters; Information->Busy = FileObject->Busy; Information->Device.Type = FileObject->DeviceObject->DeviceType; Information->Device.Characteristics = FileObject->DeviceObject->Characteristics; Information->Device.Flags = FileObject->DeviceObject->Flags; Information->AttachedDevice.Type = attachedDevice->DeviceType; Information->AttachedDevice.Characteristics = attachedDevice->Characteristics; Information->AttachedDevice.Flags = attachedDevice->Flags; Information->RelatedDevice.Type = relatedDevice->DeviceType; Information->RelatedDevice.Characteristics = relatedDevice->Characteristics; Information->RelatedDevice.Flags = relatedDevice->Flags; C_ASSERT(ARRAYSIZE(Information->Vpb.VolumeLabel) == ARRAYSIZE(vpb->VolumeLabel)); IoAcquireVpbSpinLock(&irql); // // Accessing the VPB is reserved for "certain classes of drivers". // #pragma prefast(push) #pragma prefast(disable : 28175) vpb = FileObject->Vpb; if (vpb) { Information->Vpb.Type = vpb->Type; Information->Vpb.Size = vpb->Size; Information->Vpb.Flags = vpb->Flags; Information->Vpb.VolumeLabelLength = vpb->VolumeLabelLength; Information->Vpb.SerialNumber = vpb->SerialNumber; Information->Vpb.ReferenceCount = vpb->ReferenceCount; RtlCopyMemory(Information->Vpb.VolumeLabel, vpb->VolumeLabel, ARRAYSIZE(vpb->VolumeLabel) * sizeof(WCHAR)); } vpb = FileObject->DeviceObject->Vpb; if (vpb) { Information->Device.Vpb.Type = vpb->Type; Information->Device.Vpb.Size = vpb->Size; Information->Device.Vpb.Flags = vpb->Flags; Information->Device.Vpb.VolumeLabelLength = vpb->VolumeLabelLength; Information->Device.Vpb.SerialNumber = vpb->SerialNumber; Information->Device.Vpb.ReferenceCount = vpb->ReferenceCount; RtlCopyMemory(Information->Device.Vpb.VolumeLabel, vpb->VolumeLabel, ARRAYSIZE(vpb->VolumeLabel) * sizeof(WCHAR)); } vpb = attachedDevice->Vpb; if (vpb) { Information->AttachedDevice.Vpb.Type = vpb->Type; Information->AttachedDevice.Vpb.Size = vpb->Size; Information->AttachedDevice.Vpb.Flags = vpb->Flags; Information->AttachedDevice.Vpb.VolumeLabelLength = vpb->VolumeLabelLength; Information->AttachedDevice.Vpb.SerialNumber = vpb->SerialNumber; Information->AttachedDevice.Vpb.ReferenceCount = vpb->ReferenceCount; RtlCopyMemory(Information->AttachedDevice.Vpb.VolumeLabel, vpb->VolumeLabel, ARRAYSIZE(vpb->VolumeLabel) * sizeof(WCHAR)); } vpb = relatedDevice->Vpb; if (vpb) { Information->RelatedDevice.Vpb.Type = vpb->Type; Information->RelatedDevice.Vpb.Size = vpb->Size; Information->RelatedDevice.Vpb.Flags = vpb->Flags; Information->RelatedDevice.Vpb.VolumeLabelLength = vpb->VolumeLabelLength; Information->RelatedDevice.Vpb.SerialNumber = vpb->SerialNumber; Information->RelatedDevice.Vpb.ReferenceCount = vpb->ReferenceCount; RtlCopyMemory(Information->RelatedDevice.Vpb.VolumeLabel, vpb->VolumeLabel, ARRAYSIZE(vpb->VolumeLabel) * sizeof(WCHAR)); } #pragma prefast(pop) IoReleaseVpbSpinLock(irql); } KPH_PAGED_FILE(); /** * \brief Gets a pointer to the handle table of a process. On success, acquires * process exit synchronization, the process should be released by calling * KphDereferenceProcessHandleTable. * * \param[in] Dyn Dynamic configuration. * \param[in] Process A process object. * \param[out] HandleTable On success set to the process handle table. * * \return Successful or errant status. */ _When_(NT_SUCCESS(return), _Acquires_lock_(Process)) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphReferenceProcessHandleTable( _In_ PKPH_DYN Dyn, _In_ PEPROCESS Process, _Outptr_result_nullonfailure_ PHANDLE_TABLE* HandleTable ) { PHANDLE_TABLE handleTable; NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); *HandleTable = NULL; // // Fail if we don't have an offset. // if (Dyn->EpObjectTable == ULONG_MAX) { return STATUS_NOINTERFACE; } // // Prevent the process from terminating and get its handle table. // status = PsAcquireProcessExitSynchronization(Process); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsAcquireProcessExitSynchronization failed: %!STATUS!", status); return STATUS_TOO_LATE; } handleTable = *(PHANDLE_TABLE*)Add2Ptr(Process, Dyn->EpObjectTable); if (!handleTable) { PsReleaseProcessExitSynchronization(Process); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Process has no handle table."); return STATUS_NOT_FOUND; } *HandleTable = handleTable; return STATUS_SUCCESS; } /** * \brief Releases process after acquiring the process handle table. * * \param[in] Process A process object. */ _Releases_lock_(Process) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphDereferenceProcessHandleTable( _In_ PEPROCESS Process ) { KPH_PAGED_CODE_PASSIVE(); PsReleaseProcessExitSynchronization(Process); } /** * \brief Unlocks a handle table entry. * * \param[in] Dyn Dynamic configuration. * \param[in] HandleTable Handle table to unlock. * \param[in] HandleTableEntry Handle table entry to unlock. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpUnlockHandleTableEntry( _In_ PKPH_DYN Dyn, _In_ PHANDLE_TABLE HandleTable, _In_ PHANDLE_TABLE_ENTRY HandleTableEntry ) { PEX_PUSH_LOCK handleContentionEvent; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Dyn->HtHandleContentionEvent != ULONG_MAX); // // Set the unlocked bit. // InterlockedExchangeAddULongPtr(&HandleTableEntry->Value, 1); // // Allow waiters to wake up. // handleContentionEvent = (PEX_PUSH_LOCK)Add2Ptr(HandleTable, Dyn->HtHandleContentionEvent); if (*(PULONG_PTR)handleContentionEvent != 0) { ExfUnblockPushLock(handleContentionEvent, NULL); } } typedef struct _KPH_ENUM_PROC_HANDLE_EX_CONTEXT { PKPH_DYN Dyn; PKPH_ENUM_PROCESS_HANDLES_CALLBACK Callback; PVOID Parameter; } KPH_ENUM_PROC_HANDLE_EX_CONTEXT, *PKPH_ENUM_PROC_HANDLE_EX_CONTEXT; /** * \brief Pass-through callback for handle table enumeration. * * \param[in,out] HandleTableEntry Related handle table entry. * \param[in] Handle The handle for this entry. * \param[in] Context Enumeration context. * * \return Result from wrapped callback. */ _Function_class_(EX_ENUM_HANDLE_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ BOOLEAN NTAPI KphEnumerateProcessHandlesExCallback( _In_ PHANDLE_TABLE HandleTable, _Inout_ PHANDLE_TABLE_ENTRY HandleTableEntry, _In_ HANDLE Handle, _In_opt_ PVOID Context ) { PKPH_ENUM_PROC_HANDLE_EX_CONTEXT context; BOOLEAN result; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Context); context = Context; result = context->Callback(HandleTableEntry, Handle, context->Parameter); KphpUnlockHandleTableEntry(context->Dyn, HandleTable, HandleTableEntry); return result; } /** * \brief Enumerates the handles of a process. * * \param[in] Process The process to enumerate handles of. * \param[in] Callback The callback to invoke for each handle table entry. * \param[in] Parameter Optional parameter to pass to the callback. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS KphEnumerateProcessHandlesEx( _In_ PEPROCESS Process, _In_ PKPH_ENUM_PROCESS_HANDLES_CALLBACK Callback, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_DYN dyn; KPH_ENUM_PROC_HANDLE_EX_CONTEXT context; PHANDLE_TABLE handleTable; KPH_PAGED_CODE_PASSIVE(); dyn = KphReferenceDynData(); if (!dyn || (dyn->HtHandleContentionEvent == ULONG_MAX) || (dyn->EpObjectTable == ULONG_MAX)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphEnumerateProcessHandlesEx not supported"); status = STATUS_NOINTERFACE; goto Exit; } status = KphReferenceProcessHandleTable(dyn, Process, &handleTable); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphReferenceProcessHandleTable failed: %!STATUS!", status); goto Exit; } context.Dyn = dyn; context.Callback = Callback; context.Parameter = Parameter; ExEnumHandleTable(handleTable, KphEnumerateProcessHandlesExCallback, &context, NULL); KphDereferenceProcessHandleTable(Process); Exit: if (dyn) { KphDereferenceObject(dyn); } return status; } /** * \brief Enumeration callback for handle enumeration. * * \param[in,out] HandleTableEntry Related handle table entry. * \param[in] Handle The handle for this entry. * \param[in] Context Enumeration context. * * \return FALSE */ _Function_class_(KPH_ENUM_PROCESS_HANDLES_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ BOOLEAN KphpEnumerateProcessHandlesCallback( _Inout_ PHANDLE_TABLE_ENTRY HandleTableEntry, _In_ HANDLE Handle, _In_ PVOID Context ) { PKPH_ENUMERATE_PROCESS_HANDLES_CONTEXT context; KPH_PROCESS_HANDLE handleInfo; POBJECT_HEADER objectHeader; POBJECT_TYPE objectType; PKPH_PROCESS_HANDLE entryInBuffer; KPH_MEMORY_REGION region; KPH_PAGED_CODE_PASSIVE(); context = Context; objectHeader = KphObpDecodeObject(context->Dyn, HandleTableEntry); handleInfo.Handle = Handle; handleInfo.Object = objectHeader ? &objectHeader->Body : NULL; handleInfo.GrantedAccess = ObpDecodeGrantedAccess(HandleTableEntry->GrantedAccess); handleInfo.ObjectTypeIndex = USHORT_MAX; handleInfo.Reserved1 = 0; handleInfo.HandleAttributes = KphObpGetHandleAttributes(context->Dyn, HandleTableEntry); handleInfo.Reserved2 = 0; if (handleInfo.Object) { objectType = ObGetObjectType(handleInfo.Object); if (objectType && (context->Dyn->OtIndex != ULONG_MAX)) { UCHAR typeIndex; typeIndex = *(PUCHAR)Add2Ptr(objectType, context->Dyn->OtIndex); handleInfo.ObjectTypeIndex = (USHORT)typeIndex; } } // // Advance the current entry pointer regardless of whether the information // will be written. This will allow the parent function to report the // correct return length. // entryInBuffer = context->CurrentEntry; context->CurrentEntry = Add2Ptr(context->CurrentEntry, sizeof(KPH_PROCESS_HANDLE)); context->Count++; // // Only write if we have not exceeded the buffer length. Also check for a // potential overflow (if the process has an extremely large number of // handles, the buffer pointer may wrap). // region.Start = entryInBuffer; region.End = Add2Ptr(entryInBuffer, sizeof(KPH_PROCESS_HANDLE)); if (KphIsValidMemoryRegion(®ion, context->Buffer, context->BufferLimit)) { context->Status = KphCopyToMode(entryInBuffer, &handleInfo, sizeof(KPH_PROCESS_HANDLE), context->AccessMode); if (!NT_SUCCESS(context->Status)) { return TRUE; } } else { if (context->Status == STATUS_SUCCESS) { context->Status = STATUS_BUFFER_TOO_SMALL; } } return FALSE; } /** * \brief Enumerates the handles of a process. * * \param[in] ProcessHandle A handle to a process. * \param[out] Buffer The buffer in which the handle information will be stored. * \param[in] BufferLength The number of bytes available in Buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphEnumerateProcessHandles( _In_ HANDLE ProcessHandle, _Out_writes_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_DYN dyn; PEPROCESS process; KPH_ENUMERATE_PROCESS_HANDLES_CONTEXT context; KPH_PAGED_CODE_PASSIVE(); dyn = NULL; process = NULL; if (!Buffer) { status = STATUS_INVALID_PARAMETER_2; goto Exit; } dyn = KphReferenceDynData(); if (!dyn) { status = STATUS_NOINTERFACE; goto Exit; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); goto Exit; } context.Dyn = dyn; context.AccessMode = AccessMode; context.Buffer = Buffer; context.BufferLimit = Add2Ptr(Buffer, BufferLength); context.CurrentEntry = ((PKPH_PROCESS_HANDLE_INFORMATION)Buffer)->Handles; context.Count = 0; context.Status = STATUS_SUCCESS; status = KphEnumerateProcessHandlesEx(process, KphpEnumerateProcessHandlesCallback, &context); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphEnumerateProcessHandlesEx failed: %!STATUS!", status); goto Exit; } if (BufferLength >= UFIELD_OFFSET(KPH_PROCESS_HANDLE_INFORMATION, Handles)) { PKPH_PROCESS_HANDLE_INFORMATION info; info = Buffer; status = KphWriteULongToMode(&info->HandleCount, context.Count, AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } } if (ReturnLength) { ULONG_PTR returnLength; status = RtlULongPtrSub((ULONG_PTR)context.CurrentEntry, (ULONG_PTR)Buffer, &returnLength); if (!NT_SUCCESS(status) || (returnLength > ULONG_MAX)) { status = STATUS_INTEGER_OVERFLOW; goto Exit; } status = KphWriteULongToMode(ReturnLength, (ULONG)returnLength, AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } } status = context.Status; Exit: if (process) { ObDereferenceObject(process); } if (dyn) { KphDereferenceObject(dyn); } return status; } /** * \brief Queries the name of an object. * * \param[in] Object A pointer to an object. * \param[out] Buffer The buffer in which the object name will be stored. * \param[in] BufferLength The number of bytes available in Buffer. * \param[out] ReturnLength Receives the number of bytes written. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryNameObject( _In_ PVOID Object, _Out_writes_bytes_opt_(BufferLength) POBJECT_NAME_INFORMATION Buffer, _In_ ULONG BufferLength, _Out_ PULONG ReturnLength ) { NTSTATUS status; POBJECT_TYPE objectType; KPH_PAGED_CODE(); objectType = ObGetObjectType(Object); if (objectType == *IoFileObjectType) { status = KphQueryNameFileObject(Object, Buffer, BufferLength, ReturnLength); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphQueryNameFileObject: %!STATUS!", status); } else { status = ObQueryNameString(Object, Buffer, BufferLength, ReturnLength); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObQueryNameString: %!STATUS!", status); } // // Make the error returns consistent. // if ((status == STATUS_BUFFER_OVERFLOW) || // returned by I/O subsystem (status == STATUS_INFO_LENGTH_MISMATCH)) // returned by ObQueryNameString { status = STATUS_BUFFER_TOO_SMALL; } if (NT_SUCCESS(status)) { NT_ASSERT(Buffer); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphQueryNameObject: %wZ", &Buffer->Name); } else { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphQueryNameObject: %!STATUS!", status); } return status; } /** * \brief Extracts the name of a file object by retrieving the device name, * walking the related file objects, and the target file object. * * \param[in] FileObject A pointer to a file object. * \param[out] Buffer The buffer in which the object name will be stored. * \param[in] BufferLength The number of bytes available in Buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpExtractNameFileObject( _In_ PFILE_OBJECT FileObject, _Out_writes_bytes_opt_(BufferLength) POBJECT_NAME_INFORMATION Buffer, _In_ ULONG BufferLength, _Out_ PULONG ReturnLength ) { NTSTATUS status; ULONG returnLength; PFILE_OBJECT fileObject; PUCHAR pos; USHORT len; KPH_PAGED_CODE(); *ReturnLength = 0; if (!Buffer && BufferLength) { return STATUS_INVALID_PARAMETER; } if (FlagOn(FileObject->Flags, FO_CLEANUP_COMPLETE)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "File object closed"); return STATUS_FILE_CLOSED; } if (FileObject->DeviceObject) { returnLength = 0; status = ObQueryNameString(FileObject->DeviceObject, Buffer, BufferLength, &returnLength); if (NT_SUCCESS(status)) { NT_ASSERT(Buffer && BufferLength); NT_ASSERT(returnLength >= sizeof(OBJECT_NAME_INFORMATION)); NT_ASSERT(Buffer->Name.Buffer == Add2Ptr(Buffer, sizeof(OBJECT_NAME_INFORMATION))); } else if (status == STATUS_INFO_LENGTH_MISMATCH) { NT_ASSERT(returnLength); } else { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObQueryNameString failed: %!STATUS!", status); return status; } } else { if (Buffer && (BufferLength >= sizeof(OBJECT_NAME_INFORMATION))) { Buffer->Name.Length = 0; Buffer->Name.Buffer = Add2Ptr(Buffer, sizeof(OBJECT_NAME_INFORMATION)); } returnLength = sizeof(OBJECT_NAME_INFORMATION); } // // Walk the file object and related objects. This is walking the name in // reverse order. Place the name at the end of the buffer to be moved into // place afterwards. If along the way we exhaust the buffer we'll continue // to calculate the needed length but not write to the buffer. // fileObject = FileObject; pos = Buffer ? Add2Ptr(Buffer, BufferLength) : NULL; len = 0; do { // // N.B. There are some drivers that aren't as tidy with their related // file objects (condrv.sys) and leave a dangling pointer. Admittedly // we're doing a "non-blessed" thing by extracting the name like this. // So we sanity check that the pointer is a valid file object to work // around this, it's not perfect but we get value from this routine // for cases where extracting the full name is otherwise impossible. // if ((ObGetObjectType(fileObject) != *IoFileObjectType) || FlagOn(fileObject->Flags, FO_CLEANUP_COMPLETE)) { break; } status = RtlULongAdd(returnLength, fileObject->FileName.Length, &returnLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "RtlULongAdd failed: %!STATUS!", status); return status; } status = RtlUShortAdd(len, fileObject->FileName.Length, &len); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "RtlUShortAdd failed: %!STATUS!", status); return status; } if (Buffer && (returnLength <= BufferLength)) { pos -= fileObject->FileName.Length; RtlCopyMemory(pos, fileObject->FileName.Buffer, fileObject->FileName.Length); } fileObject = fileObject->RelatedFileObject; } while (fileObject); *ReturnLength = returnLength; if (!Buffer || (returnLength > BufferLength)) { return STATUS_BUFFER_TOO_SMALL; } RtlMoveMemory(Add2Ptr(Buffer->Name.Buffer, Buffer->Name.Length), pos, len); status = RtlUShortAdd(Buffer->Name.Length, len, &Buffer->Name.Length); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "RtlUShortAdd failed: %!STATUS!", status); return status; } if ((BufferLength - returnLength) > sizeof(UNICODE_NULL)) { Buffer->Name.Buffer[Buffer->Name.Length / sizeof(WCHAR)] = UNICODE_NULL; returnLength += sizeof(UNICODE_NULL); } NT_ASSERT(returnLength >= sizeof(OBJECT_NAME_INFORMATION)); returnLength -= sizeof(OBJECT_NAME_INFORMATION); NT_ASSERT(returnLength <= USHORT_MAX); Buffer->Name.MaximumLength = (USHORT)returnLength; return STATUS_SUCCESS; } /** * \brief Queries the name of a file object. * * \param[in] FileObject A pointer to a file object. * \param[out] Buffer The buffer in which the object name will be stored. * \param[in] BufferLength The number of bytes available in Buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryNameFileObject( _In_ PFILE_OBJECT FileObject, _Out_writes_bytes_opt_(BufferLength) POBJECT_NAME_INFORMATION Buffer, _In_ ULONG BufferLength, _Out_ PULONG ReturnLength ) { NTSTATUS status; PFLT_FILE_NAME_INFORMATION fileNameInfo; FLT_FILE_NAME_OPTIONS nameOptions; KPH_PAGED_CODE(); nameOptions = FLT_FILE_NAME_NORMALIZED; if (IoGetTopLevelIrp() || KeAreAllApcsDisabled()) { nameOptions |= FLT_FILE_NAME_QUERY_CACHE_ONLY; } else { nameOptions |= FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP; } status = FltGetFileNameInformationUnsafe(FileObject, NULL, nameOptions, &fileNameInfo); if (!NT_SUCCESS(status)) { fileNameInfo = NULL; status = KphpExtractNameFileObject(FileObject, Buffer, BufferLength, ReturnLength); goto Exit; } *ReturnLength = sizeof(OBJECT_NAME_INFORMATION); *ReturnLength += fileNameInfo->Name.Length; if (!Buffer || (BufferLength < *ReturnLength)) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } Buffer->Name.Length = 0; Buffer->Name.MaximumLength = (USHORT)(BufferLength - sizeof(OBJECT_NAME_INFORMATION)); Buffer->Name.Buffer = (PWSTR)Add2Ptr(Buffer, sizeof(OBJECT_NAME_INFORMATION)); RtlCopyUnicodeString(&Buffer->Name, &fileNameInfo->Name); Exit: if (fileNameInfo) { FltReleaseFileNameInformation(fileNameInfo); } return status; } /** * \brief Queries object information. * * \param[in] ProcessHandle A handle to a process. * \param[in] Handle A handle which is present in the process. * \param[in] ObjectInformationClass The type of information to retrieve. * \param[out] ObjectInformation Information buffer to populate. * \param[in] ObjectInformationLength Length of the information buffer in bytes. * \param[out] ReturnLength Receives the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_DYN dyn; PEPROCESS process; KAPC_STATE apcState; PVOID object; ULONG returnLength; PVOID buffer; BYTE stackBuffer[64]; KPROCESSOR_MODE accessMode; PKPH_PROCESS_CONTEXT processContext; KPH_PAGED_CODE_PASSIVE(); dyn = NULL; returnLength = 0; object = NULL; buffer = NULL; processContext = NULL; status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); goto Exit; } if (process == PsInitialSystemProcess) { Handle = MakeKernelHandle(Handle); accessMode = KernelMode; } else { if (IsKernelHandle(Handle) && !IsPseudoHandle(Handle)) { status = STATUS_INVALID_HANDLE; goto Exit; } accessMode = AccessMode; } switch (ObjectInformationClass) { case KphObjectBasicInformation: { OBJECT_BASIC_INFORMATION basicInfo; if (!ObjectInformation || (ObjectInformationLength < sizeof(OBJECT_BASIC_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(OBJECT_BASIC_INFORMATION); goto Exit; } KeStackAttachProcess(process, &apcState); status = ZwQueryObject(Handle, ObjectBasicInformation, &basicInfo, sizeof(OBJECT_BASIC_INFORMATION), NULL); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(ObjectInformation, &basicInfo, sizeof(OBJECT_BASIC_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(OBJECT_BASIC_INFORMATION); } } break; } case KphObjectNameInformation: { ULONG allocateSize; POBJECT_NAME_INFORMATION nameInfo; KeStackAttachProcess(process, &apcState); status = ObReferenceObjectByHandle(Handle, 0, NULL, accessMode, &object, NULL); KeUnstackDetachProcess(&apcState); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); object = NULL; goto Exit; } allocateSize = ObjectInformationLength; if (allocateSize < sizeof(OBJECT_NAME_INFORMATION)) { allocateSize = sizeof(OBJECT_NAME_INFORMATION); } buffer = KphAllocatePagedA(allocateSize, KPH_TAG_OBJECT_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } nameInfo = (POBJECT_NAME_INFORMATION)buffer; status = KphQueryNameObject(object, nameInfo, ObjectInformationLength, &returnLength); if (NT_SUCCESS(status)) { if (!ObjectInformation) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } RebaseUnicodeString(&nameInfo->Name, nameInfo, ObjectInformation); status = KphCopyToMode(ObjectInformation, nameInfo, returnLength, AccessMode); } break; } case KphObjectTypeInformation: { ULONG allocateSize; POBJECT_TYPE_INFORMATION typeInfo; returnLength = sizeof(OBJECT_TYPE_INFORMATION); allocateSize = ObjectInformationLength; if (allocateSize < sizeof(OBJECT_TYPE_INFORMATION)) { allocateSize = sizeof(OBJECT_TYPE_INFORMATION); } // // ObQueryTypeInfo uses ObjectType->Name.MaximumLength instead of // ObjectType->Name.Length + sizeof(WCHAR) to calculate the // required buffer size. In Windows 8, certain object types // (e.g. TmTx) do NOT include the null terminator in MaximumLength, // which causes ObQueryTypeInfo to overrun the given buffer. To // work around this bug, we add some (generous) padding to our // allocation. // allocateSize += sizeof(ULONG64); buffer = KphAllocatePagedA(allocateSize, KPH_TAG_OBJECT_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } typeInfo = (POBJECT_TYPE_INFORMATION)buffer; KeStackAttachProcess(process, &apcState); status = ZwQueryObject(Handle, ObjectTypeInformation, typeInfo, ObjectInformationLength, &returnLength); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { if (!ObjectInformation) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } RebaseUnicodeString(&typeInfo->TypeName, typeInfo, ObjectInformation); status = KphCopyToMode(ObjectInformation, typeInfo, returnLength, AccessMode); } break; } case KphObjectHandleFlagInformation: { OBJECT_HANDLE_FLAG_INFORMATION handleFlagInfo; if (!ObjectInformation || (ObjectInformationLength < sizeof(OBJECT_HANDLE_FLAG_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(OBJECT_HANDLE_FLAG_INFORMATION); goto Exit; } KeStackAttachProcess(process, &apcState); status = ZwQueryObject(Handle, ObjectHandleFlagInformation, &handleFlagInfo, sizeof(OBJECT_HANDLE_FLAG_INFORMATION), NULL); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(ObjectInformation, &handleFlagInfo, sizeof(OBJECT_HANDLE_FLAG_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(OBJECT_HANDLE_FLAG_INFORMATION); } } break; } case KphObjectProcessBasicInformation: { PROCESS_BASIC_INFORMATION basicInfo; if (!ObjectInformation || (ObjectInformationLength < sizeof(PROCESS_BASIC_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(PROCESS_BASIC_INFORMATION); goto Exit; } KeStackAttachProcess(process, &apcState); status = ZwQueryInformationProcess(Handle, ProcessBasicInformation, &basicInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(ObjectInformation, &basicInfo, sizeof(PROCESS_BASIC_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(PROCESS_BASIC_INFORMATION); } } break; } case KphObjectThreadBasicInformation: { THREAD_BASIC_INFORMATION basicInfo; if (!ObjectInformation || (ObjectInformationLength < sizeof(THREAD_BASIC_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(THREAD_BASIC_INFORMATION); goto Exit; } KeStackAttachProcess(process, &apcState); status = ZwQueryInformationThread(Handle, ThreadBasicInformation, &basicInfo, sizeof(THREAD_BASIC_INFORMATION), NULL); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(ObjectInformation, &basicInfo, sizeof(THREAD_BASIC_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(THREAD_BASIC_INFORMATION); } } break; } case KphObjectEtwRegBasicInformation: { PVOID objectType; PUNICODE_STRING objectTypeName; PVOID guidEntry; KPH_ETWREG_BASIC_INFORMATION basicInfo; dyn = KphReferenceDynData(); if (!dyn || (dyn->EgeGuid == ULONG_MAX) || (dyn->EreGuidEntry == ULONG_MAX) || (dyn->OtName == ULONG_MAX)) { status = STATUS_NOINTERFACE; goto Exit; } if (!ObjectInformation || (ObjectInformationLength < sizeof(KPH_ETWREG_BASIC_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_ETWREG_BASIC_INFORMATION); goto Exit; } KeStackAttachProcess(process, &apcState); status = ObReferenceObjectByHandle(Handle, 0, NULL, accessMode, &object, NULL); KeUnstackDetachProcess(&apcState); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); object = NULL; goto Exit; } objectType = ObGetObjectType(object); if (!objectType) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObGetObjectType returned null"); status = STATUS_NOT_SUPPORTED; goto Exit; } objectTypeName = (PUNICODE_STRING)Add2Ptr(objectType, dyn->OtName); if (!RtlEqualUnicodeString(objectTypeName, &KphpEtwRegistrationName, FALSE)) { status = STATUS_OBJECT_TYPE_MISMATCH; goto Exit; } guidEntry = *(PVOID*)Add2Ptr(object, dyn->EreGuidEntry); if (guidEntry) { RtlCopyMemory(&basicInfo.Guid, Add2Ptr(guidEntry, dyn->EgeGuid), sizeof(GUID)); } else { RtlZeroMemory(&basicInfo.Guid, sizeof(GUID)); } // // Not implemented. // basicInfo.SessionId = 0; status = KphCopyToMode(ObjectInformation, &basicInfo, sizeof(KPH_ETWREG_BASIC_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_ETWREG_BASIC_INFORMATION); } break; } case KphObjectFileObjectInformation: { KPH_FILE_OBJECT_INFORMATION fileInfo; if (!ObjectInformation || (ObjectInformationLength < sizeof(KPH_FILE_OBJECT_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_FILE_OBJECT_INFORMATION); goto Exit; } KeStackAttachProcess(process, &apcState); status = ObReferenceObjectByHandle(Handle, 0, *IoFileObjectType, accessMode, &object, NULL); KeUnstackDetachProcess(&apcState); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); object = NULL; goto Exit; } KphpGetFileObjectInformation(object, &fileInfo); status = KphCopyToMode(ObjectInformation, &fileInfo, sizeof(KPH_FILE_OBJECT_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_FILE_OBJECT_INFORMATION); } break; } case KphObjectFileObjectDriver: { PFILE_OBJECT fileObject; HANDLE driverHandle; if (!ObjectInformation || (ObjectInformationLength < sizeof(HANDLE))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(HANDLE); goto Exit; } KeStackAttachProcess(process, &apcState); status = ObReferenceObjectByHandle(Handle, 0, *IoFileObjectType, accessMode, &object, NULL); KeUnstackDetachProcess(&apcState); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); object = NULL; goto Exit; } fileObject = (PFILE_OBJECT)object; if (!fileObject->DeviceObject || !fileObject->DeviceObject->DriverObject) { status = STATUS_INVALID_DEVICE_REQUEST; goto Exit; } status = ObOpenObjectByPointer(fileObject->DeviceObject->DriverObject, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, SYNCHRONIZE, *IoDriverObjectType, AccessMode, &driverHandle); if (NT_SUCCESS(status)) { status = KphWriteHandleToMode(ObjectInformation, driverHandle, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(HANDLE); } } break; } case KphObjectProcessTimes: { KERNEL_USER_TIMES times; if (!ObjectInformation || (ObjectInformationLength < sizeof(KERNEL_USER_TIMES))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KERNEL_USER_TIMES); goto Exit; } KeStackAttachProcess(process, &apcState); status = ZwQueryInformationProcess(Handle, ProcessTimes, ×, sizeof(KERNEL_USER_TIMES), NULL); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(ObjectInformation, ×, sizeof(KERNEL_USER_TIMES), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KERNEL_USER_TIMES); } } break; } case KphObjectThreadTimes: { KERNEL_USER_TIMES times; if (!ObjectInformation || (ObjectInformationLength < sizeof(KERNEL_USER_TIMES))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KERNEL_USER_TIMES); goto Exit; } KeStackAttachProcess(process, &apcState); status = ZwQueryInformationThread(Handle, ThreadTimes, ×, sizeof(KERNEL_USER_TIMES), NULL); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(ObjectInformation, ×, sizeof(KERNEL_USER_TIMES), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KERNEL_USER_TIMES); } } break; } case KphObjectProcessImageFileName: { PEPROCESS targetProcess; KeStackAttachProcess(process, &apcState); status = ObReferenceObjectByHandle(Handle, 0, *PsProcessType, accessMode, &targetProcess, NULL); KeUnstackDetachProcess(&apcState); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); goto Exit; } processContext = KphGetEProcessContext(targetProcess); ObDereferenceObject(targetProcess); if (!processContext || !processContext->ImageFileName) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphCopyUnicodeStringToMode(ObjectInformation, ObjectInformationLength, processContext->ImageFileName, &returnLength, AccessMode); break; } case KphObjectThreadNameInformation: { ULONG allocateSize; PTHREAD_NAME_INFORMATION nameInfo; returnLength = sizeof(THREAD_NAME_INFORMATION); allocateSize = ObjectInformationLength; if (allocateSize < sizeof(THREAD_NAME_INFORMATION)) { allocateSize = sizeof(THREAD_NAME_INFORMATION); } allocateSize += sizeof(ULONG64); buffer = KphAllocatePagedA(allocateSize, KPH_TAG_OBJECT_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } nameInfo = (PTHREAD_NAME_INFORMATION)buffer; KeStackAttachProcess(process, &apcState); status = ZwQueryInformationThread(Handle, ThreadNameInformation, nameInfo, ObjectInformationLength, &returnLength); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { if (!ObjectInformation) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } RebaseUnicodeString(&nameInfo->ThreadName, nameInfo, ObjectInformation); status = KphCopyToMode(ObjectInformation, nameInfo, returnLength, AccessMode); } break; } case KphObjectThreadIsTerminated: { ULONG threadIsTerminated; if (!ObjectInformation || (ObjectInformationLength < sizeof(ULONG))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(ULONG); goto Exit; } KeStackAttachProcess(process, &apcState); status = ZwQueryInformationThread(Handle, ThreadIsTerminated, &threadIsTerminated, sizeof(ULONG), NULL); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphWriteULongToMode(ObjectInformation, threadIsTerminated, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(ULONG); } } break; } case KphObjectSectionBasicInformation: case KphObjectSectionImageInformation: case KphObjectSectionRelocationInformation: case KphObjectSectionOriginalBaseInformation: case KphObjectSectionInternalImageInformation: case KphObjectSectionMappingsInformation: { if (ObjectInformation) { buffer = KphAllocatePagedA(ObjectInformationLength, KPH_TAG_OBJECT_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } } else { NT_ASSERT(!buffer); ObjectInformationLength = 0; } if (ObjectInformationClass == KphObjectSectionMappingsInformation) { KeStackAttachProcess(process, &apcState); status = KphQuerySection(Handle, KphSectionMappingsInformation, buffer, ObjectInformationLength, &returnLength, KernelMode); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { status = KphCopyToMode(ObjectInformation, buffer, returnLength, AccessMode); } } else { SIZE_T length; SECTION_INFORMATION_CLASS sectionInfoClass; if (ObjectInformationClass == KphObjectSectionBasicInformation) { sectionInfoClass = SectionBasicInformation; } else if (ObjectInformationClass == KphObjectSectionImageInformation) { sectionInfoClass = SectionImageInformation; } else if (ObjectInformationClass == KphObjectSectionRelocationInformation) { sectionInfoClass = SectionRelocationInformation; } else if (ObjectInformationClass == KphObjectSectionOriginalBaseInformation) { sectionInfoClass = SectionOriginalBaseInformation; } else { NT_ASSERT(ObjectInformationClass == KphObjectSectionInternalImageInformation); sectionInfoClass = SectionInternalImageInformation; } length = 0; KeStackAttachProcess(process, &apcState); status = ZwQuerySection(Handle, sectionInfoClass, buffer, ObjectInformationLength, &length); KeUnstackDetachProcess(&apcState); if (NT_SUCCESS(status)) { if (length > ULONG_MAX) { status = STATUS_INTEGER_OVERFLOW; returnLength = 0; goto Exit; } status = KphCopyToMode(ObjectInformation, buffer, length, AccessMode); if (NT_SUCCESS(status)) { returnLength = (ULONG)length; } } } break; } case KphObjectSectionFileName: { PUNICODE_STRING sectionFileName; ULONG allocateSize; HANDLE sectionHandle; PVOID baseAddress; SIZE_T viewSize; returnLength = sizeof(UNICODE_STRING); allocateSize = ObjectInformationLength; if (allocateSize < sizeof(UNICODE_STRING)) { allocateSize = sizeof(UNICODE_STRING); } allocateSize += sizeof(ULONG64); buffer = KphAllocatePagedA(allocateSize, KPH_TAG_OBJECT_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } sectionFileName = (PUNICODE_STRING)buffer; status = ObDuplicateObject(process, Handle, PsInitialSystemProcess, §ionHandle, SECTION_QUERY | SECTION_MAP_READ, OBJ_KERNEL_HANDLE, 0, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObDuplicateObject failed: %!STATUS!", status); goto Exit; } KeStackAttachProcess(PsInitialSystemProcess, &apcState); baseAddress = NULL; viewSize = PAGE_SIZE; status = ZwMapViewOfSection(sectionHandle, ZwCurrentProcess(), &baseAddress, 0, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY); if (NT_SUCCESS(status)) { SIZE_T length; length = 0; status = ZwQueryVirtualMemory(ZwCurrentProcess(), baseAddress, MemoryMappedFilenameInformation, sectionFileName, ObjectInformationLength, &length); if (length > ULONG_MAX) { status = STATUS_INTEGER_OVERFLOW; returnLength = 0; } else { returnLength = (ULONG)length; } ZwUnmapViewOfSection(ZwCurrentProcess(), baseAddress); } KeUnstackDetachProcess(&apcState); ObCloseHandle(sectionHandle, KernelMode); if (NT_SUCCESS(status)) { if (!ObjectInformation) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } RebaseUnicodeString(sectionFileName, sectionFileName, ObjectInformation); status = KphCopyToMode(ObjectInformation, sectionFileName, returnLength, AccessMode); } break; } case KphObjectAttributesInformation: { PKPH_OBJECT_ATTRIBUTES_INFORMATION attributesInfo; if (!ObjectInformation || (ObjectInformationLength < sizeof(KPH_OBJECT_ATTRIBUTES_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_OBJECT_ATTRIBUTES_INFORMATION); goto Exit; } KeStackAttachProcess(process, &apcState); status = ObReferenceObjectByHandle(Handle, 0, NULL, accessMode, &object, NULL); KeUnstackDetachProcess(&apcState); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); object = NULL; goto Exit; } attributesInfo = ObjectInformation; C_ASSERT(sizeof(KPH_OBJECT_ATTRIBUTES_INFORMATION) == sizeof(UCHAR)); status = KphWriteUCharToMode(&attributesInfo->Flags, OBJECT_TO_OBJECT_HEADER(object)->Flags, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_OBJECT_ATTRIBUTES_INFORMATION); } break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (processContext) { KphDereferenceObject(processContext); } if (buffer) { KphFreeA(buffer, KPH_TAG_OBJECT_QUERY, stackBuffer); } if (object) { ObDereferenceObject(object); } if (process) { ObDereferenceObject(process); } if (dyn) { KphDereferenceObject(dyn); } if (ReturnLength) { KphWriteULongToMode(ReturnLength, returnLength, AccessMode); } return status; } /** * \brief Sets object information. * * \param[in] ProcessHandle A handle to a process. * \param[in] Handle A handle which is present in the process. * \param[in] ObjectInformationClass The type of information to set. * \param[in] ObjectInformation A buffer which contains the information to set. * \param[in] ObjectInformationLength Length of the information buffer in bytes. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PVOID objectInformation; BYTE stackBuffer[64]; PEPROCESS process; KAPC_STATE apcState; KPH_PAGED_CODE_PASSIVE(); objectInformation = NULL; process = NULL; if (!ObjectInformation) { status = STATUS_INVALID_PARAMETER_4; goto Exit; } if (AccessMode != KernelMode) { objectInformation = KphAllocatePagedA(ObjectInformationLength, KPH_TAG_OBJECT_INFO, stackBuffer); if (!objectInformation) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate object info buffer."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(objectInformation, ObjectInformation, ObjectInformationLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } else { objectInformation = ObjectInformation; } status = ObReferenceObjectByHandle(ProcessHandle, PROCESS_SET_INFORMATION, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); process = NULL; goto Exit; } if (process == PsInitialSystemProcess) { Handle = MakeKernelHandle(Handle); } else { if (IsKernelHandle(Handle)) { status = STATUS_INVALID_HANDLE; goto Exit; } } switch (ObjectInformationClass) { case KphObjectHandleFlagInformation: { if (ObjectInformationLength < sizeof(OBJECT_HANDLE_FLAG_INFORMATION)) { status = STATUS_INFO_LENGTH_MISMATCH; goto Exit; } KeStackAttachProcess(process, &apcState); status = ObSetHandleAttributes(Handle, objectInformation, KernelMode); KeUnstackDetachProcess(&apcState); break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (objectInformation && (objectInformation != ObjectInformation)) { KphFreeA(objectInformation, KPH_TAG_OBJECT_INFO, stackBuffer); } if (process) { ObDereferenceObject(process); } return status; } /** * \brief Opens a named object. * * \param[out] ObjectHandle Set to the opened handle. * \param[in] DesiredAccess Desires access to the object. * \param[in] ObjectAttributes Attributes to open the object. * \param[in] ObjectType Type of object to open. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenNamedObject( _Out_ PHANDLE ObjectHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ POBJECT_TYPE ObjectType, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; HANDLE objectHandle; KPH_PAGED_CODE_PASSIVE(); status = ObOpenObjectByName(ObjectAttributes, ObjectType, AccessMode, NULL, DesiredAccess, NULL, &objectHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByName failed: %!STATUS!", status); objectHandle = NULL; goto Exit; } status = KphWriteHandleToMode(ObjectHandle, objectHandle, AccessMode); Exit: return status; } /** * \brief Duplicates an object. * * \param[in] ProcessHandle Handle to process where the source handle exists. * \param[in] SourceHandle Source handle in the target process. * \param[in] DesiredAccess Desired access for duplicated handle. * \param[out] TargetHandle Populated with the duplicated handle. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphDuplicateObject( _In_ HANDLE ProcessHandle, _In_ HANDLE SourceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TargetHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS sourceProcess; PEPROCESS targetProcess; HANDLE targetHandle; KPH_PAGED_CODE_PASSIVE(); targetProcess = NULL; sourceProcess = NULL; if (DesiredAccess & ~(READ_CONTROL | ACCESS_SYSTEM_SECURITY | SYNCHRONIZE)) { status = STATUS_ACCESS_DENIED; goto Exit; } if (!TargetHandle) { status = STATUS_INVALID_PARAMETER; goto Exit; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &sourceProcess, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); sourceProcess = NULL; goto Exit; } if (sourceProcess == PsInitialSystemProcess) { SourceHandle = MakeKernelHandle(SourceHandle); } else { if (IsKernelHandle(SourceHandle)) { status = STATUS_INVALID_HANDLE; goto Exit; } } status = ObReferenceObjectByHandle(ZwCurrentProcess(), 0, *PsProcessType, AccessMode, &targetProcess, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); targetProcess = NULL; goto Exit; } status = ObDuplicateObject(sourceProcess, SourceHandle, targetProcess, &targetHandle, DesiredAccess, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), 0, KernelMode); if (NT_SUCCESS(status)) { status = KphWriteHandleToMode(TargetHandle, targetHandle, AccessMode); } Exit: if (targetProcess) { ObDereferenceObject(targetProcess); } if (sourceProcess) { ObDereferenceObject(sourceProcess); } return status; } /** * \brief Checks if two object handles refer to the same object. * * \param[in] FirstObjectHandle First handle to compare with the second. * \param[in] SecondObjectHandle Second handle to compare with the first. * \param[in] AccessMode The mode in which to perform access checks. * * \return STATUS_SUCCESS if the object handles refer to the same object, * STATUS_NOT_SAME_OBJECT if the object handles refer to different objects, * and STATUS_INVALID_HANDLE if one of the handles is invalid. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpCompareObjects( _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PVOID firstObject; PVOID secondObject; KPH_PAGED_CODE_PASSIVE(); status = ObReferenceObjectByHandle(FirstObjectHandle, 0, NULL, AccessMode, &firstObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); firstObject = NULL; secondObject = NULL; goto Exit; } status = ObReferenceObjectByHandle(SecondObjectHandle, 0, NULL, AccessMode, &secondObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); secondObject = NULL; goto Exit; } status = (firstObject == secondObject) ? STATUS_SUCCESS : STATUS_NOT_SAME_OBJECT; Exit: if (secondObject) { ObDereferenceObject(secondObject); } if (firstObject) { ObDereferenceObject(firstObject); } return status; } /** * \brief Checks if two object handles refer to the same object, for a process. * * \param[in] ProcessHandle A handle to a process. * \param[in] FirstObjectHandle First handle to compare with the second. * \param[in] SecondObjectHandle Second handle to compare with the first. * \param[in] AccessMode The mode in which to perform access checks. * * \return STATUS_SUCCESS if the object handles refer to the same object, * STATUS_NOT_SAME_OBJECT if the object handles refer to different objects, * and STATUS_INVALID_HANDLE if one of the handles is invalid. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCompareObjects( _In_ HANDLE ProcessHandle, _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS process; KPROCESSOR_MODE accessMode; KAPC_STATE apcState; KPH_PAGED_CODE_PASSIVE(); status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed %!STATUS!", status); process = NULL; goto Exit; } if (process == PsInitialSystemProcess) { FirstObjectHandle = MakeKernelHandle(FirstObjectHandle); SecondObjectHandle = MakeKernelHandle(SecondObjectHandle); accessMode = KernelMode; } else { accessMode = AccessMode; } KeStackAttachProcess(process, &apcState); status = KphpCompareObjects(FirstObjectHandle, SecondObjectHandle, accessMode); KeUnstackDetachProcess(&apcState); Exit: if (process) { ObDereferenceObject(process); } return status; } ================================================ FILE: KSystemInformer/parameters.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include typedef enum _KPH_PARAMETER_TYPE { KphParameterTypeULong, KphParameterTypeString, } KPH_PARAMETER_TYPE, *PKPH_PARAMETER_TYPE; typedef struct _KPH_PARAMETER { UNICODE_STRING Name; KPH_PARAMETER_TYPE Type; PVOID Value; PVOID Default; } KPH_PARAMETER, *PKPH_PARAMETER; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpDefaultAltitude = RTL_CONSTANT_STRING(L"385210.5"); static const UNICODE_STRING KphpDefaultPortName = RTL_CONSTANT_STRING(L"\\KSystemInformer"); static const UNICODE_STRING KphpDefaultSystemProcessName = RTL_CONSTANT_STRING(L"System Informer Kernel"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); PUNICODE_STRING KphAltitude = NULL; PUNICODE_STRING KphPortName = NULL; KPH_PARAMETER_FLAGS KphParameterFlags = { .Flags = 0 }; PUNICODE_STRING KphSystemProcessName = NULL; C_ASSERT(sizeof(KPH_PARAMETER_FLAGS) == sizeof(ULONG)); static KPH_PARAMETER KphpParameters[] = { { RTL_CONSTANT_STRING(L"Altitude"), KphParameterTypeString, &KphAltitude, (PVOID)&KphpDefaultAltitude }, { RTL_CONSTANT_STRING(L"PortName"), KphParameterTypeString, &KphPortName, (PVOID)&KphpDefaultPortName }, { RTL_CONSTANT_STRING(L"Flags"), KphParameterTypeULong, &KphParameterFlags, (PVOID)(ULONG_PTR)0 }, { RTL_CONSTANT_STRING(L"SystemProcessName"), KphParameterTypeString, &KphSystemProcessName, (PVOID)&KphpDefaultSystemProcessName }, }; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Cleans up the driver parameters. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupParameters( VOID ) { KPH_PAGED_CODE_PASSIVE(); for (ULONG i = 0; i < ARRAYSIZE(KphpParameters); i++) { PKPH_PARAMETER parameter; PUNICODE_STRING value; parameter = &KphpParameters[i]; if (parameter->Type != KphParameterTypeString) { continue; } value = *(PUNICODE_STRING*)parameter->Value; if (value && (value != parameter->Default)) { KphFreeRegistryString(value); } } } /** * \brief Initializes the driver parameters. * * \param[in] RegistryPath Registry path from the entry point. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeParameters( _In_ PCUNICODE_STRING RegistryPath ) { NTSTATUS status; HANDLE keyHandle; status = KphOpenParametersKey(RegistryPath, &keyHandle); if (!NT_SUCCESS(status)) { keyHandle = NULL; } KPH_PAGED_CODE_PASSIVE(); for (ULONG i = 0; i < ARRAYSIZE(KphpParameters); i++) { PKPH_PARAMETER parameter; parameter = &KphpParameters[i]; switch (parameter->Type) { case KphParameterTypeULong: { ULONG value; if (keyHandle) { status = KphQueryRegistryULong(keyHandle, ¶meter->Name, &value); if (!NT_SUCCESS(status)) { value = (ULONG)(ULONG_PTR)parameter->Default; } } else { value = (ULONG)(ULONG_PTR)parameter->Default; } *(PULONG)parameter->Value = value; break; } case KphParameterTypeString: { PUNICODE_STRING value; if (keyHandle) { status = KphQueryRegistryString(keyHandle, ¶meter->Name, &value); if (!NT_SUCCESS(status)) { value = (PUNICODE_STRING)parameter->Default; } } else { value = (PUNICODE_STRING)parameter->Default; } *(PUNICODE_STRING*)parameter->Value = value; break; } DEFAULT_UNREACHABLE; } } if (keyHandle) { ObCloseHandle(keyHandle, KernelMode); } } ================================================ FILE: KSystemInformer/process.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2020-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Opens a process. * * \param[out] ProcessHandle A variable which receives the process handle. * \param[in] DesiredAccess The desired access to the process. * \param[in] ClientId The identifier of a client. UniqueThread is optional. * If UniqueThread is present, the thread of the referenced process will be * checked against this identifier. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; CLIENT_ID clientId; PEPROCESS process; HANDLE processHandle; KPH_PAGED_CODE_PASSIVE(); process = NULL; status = KphCopyFromMode(&clientId, ClientId, sizeof(CLIENT_ID), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } // // Use the thread ID if it was specified. // if (clientId.UniqueThread) { PETHREAD thread; status = PsLookupProcessThreadByCid(&clientId, &process, &thread); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsLookupProcessThreadByCid failed: %!STATUS!", status); process = NULL; thread = NULL; goto Exit; } ObDereferenceObject(thread); } else { status = PsLookupProcessByProcessId(clientId.UniqueProcess, &process); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsLookupProcessByProcessId failed: %!STATUS!", status); process = NULL; goto Exit; } } if ((DesiredAccess & KPH_PROCESS_READ_ACCESS) != DesiredAccess) { status = KphDominationCheck(PsGetCurrentProcess(), process, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationCheck failed: %!STATUS!", status); goto Exit; } } // // Always open in KernelMode to skip ordinary access checks. // status = ObOpenObjectByPointer(process, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *PsProcessType, KernelMode, &processHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); processHandle = NULL; goto Exit; } status = KphWriteHandleToMode(ProcessHandle, processHandle, AccessMode); Exit: if (process) { ObDereferenceObject(process); } return status; } /** * \brief Opens the token of a process. * * \param[in] ProcessHandle A handle to a process. * \param[in] DesiredAccess The desired access to the token. * \param[out] TokenHandle A variable which receives the token handle. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS process; PACCESS_TOKEN primaryToken; HANDLE tokenHandle; KPH_PAGED_CODE_PASSIVE(); primaryToken = NULL; status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); process = NULL; goto Exit; } primaryToken = PsReferencePrimaryToken(process); if (!primaryToken) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsReferencePrimaryToken returned null"); status = STATUS_NO_TOKEN; goto Exit; } if ((DesiredAccess & KPH_TOKEN_READ_ACCESS) != DesiredAccess) { status = KphDominationCheck(PsGetCurrentProcess(), process, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationCheck failed: %!STATUS!", status); goto Exit; } } // // Always open in KernelMode to skip ordinary access checks. // status = ObOpenObjectByPointer(primaryToken, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *SeTokenObjectType, KernelMode, &tokenHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); tokenHandle = NULL; goto Exit; } status = KphWriteHandleToMode(TokenHandle, tokenHandle, AccessMode); Exit: if (primaryToken) { PsDereferencePrimaryToken(primaryToken); } if (process) { ObDereferenceObject(process); } return status; } /** * \brief Opens the job object of a process. * * \param[in] ProcessHandle A handle to a process. * \param[in] DesiredAccess The desired access to the job. * \param[out] JobHandle A variable which receives the job object handle. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenProcessJob( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE JobHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS process; PEJOB job; HANDLE jobHandle; KPH_PAGED_CODE_PASSIVE(); status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); process = NULL; goto Exit; } job = PsGetProcessJob(process); if (!job) { status = STATUS_NOT_FOUND; goto Exit; } if ((DesiredAccess & KPH_JOB_READ_ACCESS) != DesiredAccess) { status = KphDominationCheck(PsGetCurrentProcess(), process, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationCheck failed: %!STATUS!", status); goto Exit; } } // // Always open in KernelMode to skip ordinary access checks. // status = ObOpenObjectByPointer(job, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *PsJobType, KernelMode, &jobHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); jobHandle = NULL; goto Exit; } status = KphWriteHandleToMode(JobHandle, jobHandle, AccessMode); Exit: if (process) { ObDereferenceObject(process); } return status; } /** * Terminates a process. * * \param[in] ProcessHandle A handle to a process. * \param[in] ExitStatus A status value initiating why the process terminated. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphTerminateProcess( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS process; HANDLE processHandle; KPH_PAGED_CODE_PASSIVE(); process = NULL; processHandle = NULL; status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); process = NULL; goto Exit; } status = KphDominationAndPrivilegeCheck(KPH_TOKEN_PRIVILEGE_TERMINATE, PsGetCurrentThread(), process, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationAndPrivilegeCheck failed: %!STATUS!", status); goto Exit; } if (process == PsGetCurrentProcess()) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Can not terminate self."); status = STATUS_ACCESS_DENIED; goto Exit; } // // Re-open the process to get a kernel handle. // status = ObOpenObjectByPointer(process, OBJ_KERNEL_HANDLE, NULL, PROCESS_TERMINATE, *PsProcessType, KernelMode, &processHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); processHandle = NULL; goto Exit; } status = ZwTerminateProcess(processHandle, ExitStatus); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwTerminateProcess failed: %!STATUS!", status); } Exit: if (processHandle) { ObCloseHandle(processHandle, KernelMode); } if (process) { ObDereferenceObject(process); } return status; } /** * \brief Queries information about a process. * * \param[in] ProcessHandle Handle to process to query. * \param[in] ProcessInformationClass Information class to query. * \param[out] ProcessInformation Populated with process information by class. * \param[in] ProcessInformationLength Length of the process information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _Out_writes_bytes_opt_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_DYN dyn; PEPROCESS processObject; PKPH_PROCESS_CONTEXT process; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); dyn = NULL; process = NULL; returnLength = 0; status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &processObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); processObject = NULL; goto Exit; } process = KphGetEProcessContext(processObject); if (!process) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphGetEProcessContext return null."); status = STATUS_OBJECTID_NOT_FOUND; goto Exit; } switch (ProcessInformationClass) { case KphProcessBasicInformation: { KPH_PROCESS_BASIC_INFORMATION info; if (!ProcessInformation || (ProcessInformationLength < sizeof(KPH_PROCESS_BASIC_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_PROCESS_BASIC_INFORMATION); goto Exit; } KphAcquireRWLockShared(&process->ThreadListLock); KphAcquireRWLockShared(&process->ProtectionLock); info.ProcessState = KphGetProcessState(process); info.ProcessStartKey = KphGetProcessStartKey(processObject); info.CreatorClientId.UniqueProcess = process->CreatorClientId.UniqueProcess; info.CreatorClientId.UniqueThread = process->CreatorClientId.UniqueThread; info.NumberOfImageLoads = ReadSizeTNoFence(&process->NumberOfImageLoads); info.Flags = process->Flags; info.NumberOfThreads = process->NumberOfThreads; info.ProcessAllowedMask = process->ProcessAllowedMask; info.ThreadAllowedMask = process->ThreadAllowedMask; info.NumberOfMicrosoftImageLoads = ReadSizeTNoFence(&process->NumberOfMicrosoftImageLoads); info.NumberOfAntimalwareImageLoads = ReadSizeTNoFence(&process->NumberOfAntimalwareImageLoads); info.NumberOfVerifiedImageLoads = ReadSizeTNoFence(&process->NumberOfVerifiedImageLoads); info.NumberOfUntrustedImageLoads = ReadSizeTNoFence(&process->NumberOfUntrustedImageLoads); info.UserWritableReferences = 0; if (process->FileObject && process->FileObject->SectionObjectPointer) { info.UserWritableReferences = MmDoesFileHaveUserWritableReferences(process->FileObject->SectionObjectPointer); } KphReleaseRWLock(&process->ProtectionLock); KphReleaseRWLock(&process->ThreadListLock); status = KphCopyToMode(ProcessInformation, &info, sizeof(KPH_PROCESS_BASIC_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_PROCESS_BASIC_INFORMATION); } break; } case KphProcessStateInformation: { KPH_PROCESS_STATE processState; if (!ProcessInformation || (ProcessInformationLength < sizeof(KPH_PROCESS_STATE))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_PROCESS_STATE); goto Exit; } processState = KphGetProcessState(process); status = KphWriteULongToMode(ProcessInformation, processState, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_PROCESS_STATE); } break; } case KphProcessWSLProcessId: { ULONG processId; if (process->SubsystemType != SubsystemInformationTypeWSL) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Invalid subsystem for WSL process ID query."); status = STATUS_INVALID_HANDLE; goto Exit; } if (!ProcessInformation || (ProcessInformationLength < sizeof(ULONG))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(ULONG); goto Exit; } status = KphQueryInformationProcessContext(process, KphProcessContextWSLProcessId, &processId, sizeof(ULONG), NULL); if (!NT_SUCCESS(status)) { goto Exit; } status = KphWriteULongToMode(ProcessInformation, processId, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(ULONG); } break; } case KphProcessSequenceNumber: { ULONG64 sequenceNumber; if (!ProcessInformation || (ProcessInformationLength < sizeof(ULONG64))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(ULONG64); goto Exit; } sequenceNumber = KphGetProcessSequenceNumber(processObject); status = KphWriteULong64ToMode(ProcessInformation, sequenceNumber, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(ULONG64); } break; } case KphProcessStartKey: { ULONG64 startKey; if (!ProcessInformation || (ProcessInformationLength < sizeof(ULONG64))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(ULONG64); goto Exit; } startKey = KphGetProcessStartKey(processObject); status = KphWriteULong64ToMode(ProcessInformation, startKey, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(ULONG64); } break; } case KphProcessImageSection: { PVOID processSectionObject; HANDLE processSectionHandle; dyn = KphReferenceDynData(); if (!dyn || (dyn->EpSectionObject == ULONG_MAX)) { status = STATUS_NOINTERFACE; goto Exit; } if (!ProcessInformation || (ProcessInformationLength < sizeof(HANDLE))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(HANDLE); goto Exit; } status = PsAcquireProcessExitSynchronization(processObject); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsAcquireProcessExitSynchronization failed: %!STATUS!", status); goto Exit; } processSectionObject = *(PVOID*)Add2Ptr(processObject, dyn->EpSectionObject); if (processSectionObject) { ObReferenceObject(processSectionObject); } PsReleaseProcessExitSynchronization(processObject); if (!processSectionObject) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Process section object pointer is null."); status = STATUS_INVALID_PARAMETER; goto Exit; } status = ObOpenObjectByPointer(processSectionObject, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, SECTION_QUERY | SECTION_MAP_READ, *MmSectionObjectType, KernelMode, &processSectionHandle); ObDereferenceObject(processSectionObject); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); goto Exit; } status = KphWriteHandleToMode(ProcessInformation, processSectionHandle, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(HANDLE); } break; } case KphProcessImageFileName: { if (!process->ImageFileName) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphCopyUnicodeStringToMode(ProcessInformation, ProcessInformationLength, process->ImageFileName, &returnLength, AccessMode); break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (ReturnLength) { KphWriteULongToMode(ReturnLength, returnLength, AccessMode); } if (process) { KphDereferenceObject(process); } if (processObject) { ObDereferenceObject(processObject); } if (dyn) { KphDereferenceObject(dyn); } return status; } /** * \brief Sets information about a process. * * \param[in] ProcessHandle Handle to process to set information for. * \param[in] ProcessInformationClass Information class to set. * \param[in] ProcessInformation Information to set. * \param[in] ProcessInformationLength Length of the process information buffer. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PVOID processInformation; BYTE stackBuffer[64]; PEPROCESS process; HANDLE processHandle; PROCESSINFOCLASS processInformationClass; KPH_PAGED_CODE_PASSIVE(); processInformation = NULL; process = NULL; processHandle = NULL; if (!ProcessInformation) { status = STATUS_INVALID_PARAMETER; goto Exit; } if (AccessMode != KernelMode) { processInformation = KphAllocatePagedA(ProcessInformationLength, KPH_TAG_PROCESS_INFO, stackBuffer); if (!processInformation) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate process info buffer."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(processInformation, ProcessInformation, ProcessInformationLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } else { processInformation = ProcessInformation; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); process = NULL; goto Exit; } switch (ProcessInformationClass) { case KphProcessEmptyWorkingSet: { // // Permitted across PPL boundaries. // break; } case KphProcessQuotaLimits: case KphProcessBasePriority: case KphProcessRaisePriority: case KphProcessPriorityClass: case KphProcessAffinityMask: case KphProcessPriorityBoost: case KphProcessIoPriority: case KphProcessPagePriority: case KphProcessPowerThrottlingState: case KphProcessPriorityClassEx: default: { status = KphDominationCheck(PsGetCurrentProcess(), process, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationCheck failed: %!STATUS!", status); goto Exit; } break; } } status = ObOpenObjectByPointer(process, OBJ_KERNEL_HANDLE, NULL, PROCESS_SET_INFORMATION, *PsProcessType, KernelMode, &processHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); processHandle = NULL; goto Exit; } switch (ProcessInformationClass) { case KphProcessQuotaLimits: { processInformationClass = ProcessQuotaLimits; break; } case KphProcessBasePriority: { processInformationClass = ProcessBasePriority; break; } case KphProcessRaisePriority: { processInformationClass = ProcessRaisePriority; break; } case KphProcessPriorityClass: { processInformationClass = ProcessPriorityClass; break; } case KphProcessAffinityMask: { processInformationClass = ProcessAffinityMask; break; } case KphProcessPriorityBoost: { processInformationClass = ProcessPriorityBoost; break; } case KphProcessIoPriority: { processInformationClass = ProcessIoPriority; break; } case KphProcessPagePriority: { processInformationClass = ProcessPagePriority; break; } case KphProcessPowerThrottlingState: { processInformationClass = ProcessPowerThrottlingState; break; } case KphProcessPriorityClassEx: { processInformationClass = ProcessPriorityClassEx; break; } case KphProcessEmptyWorkingSet: { QUOTA_LIMITS_EX quotaLimits; RtlZeroMemory("aLimits, sizeof(QUOTA_LIMITS_EX)); quotaLimits.MinimumWorkingSetSize = SIZE_T_MAX; quotaLimits.MaximumWorkingSetSize = SIZE_T_MAX; status = ZwSetInformationProcess(processHandle, ProcessQuotaLimits, "aLimits, sizeof(QUOTA_LIMITS_EX)); // // Bypass generic call to exit immediately. // goto Exit; } default: { status = STATUS_INVALID_INFO_CLASS; goto Exit; } } status = ZwSetInformationProcess(processHandle, processInformationClass, processInformation, ProcessInformationLength); Exit: if (processHandle) { ObCloseHandle(processHandle, KernelMode); } if (process) { ObDereferenceObject(process); } if (processInformation && (processInformation != ProcessInformation)) { KphFreeA(processInformation, KPH_TAG_PROCESS_INFO, stackBuffer); } return status; } ================================================ FILE: KSystemInformer/protection.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2020-2026 * */ #include #include typedef struct _KPH_ENUM_FOR_PROTECTION { PKPH_DYN Dyn; PKPH_PROCESS_CONTEXT ProcessEnum; PKPH_PROCESS_CONTEXT Process; NTSTATUS Status; } KPH_ENUM_FOR_PROTECTION, *PKPH_ENUM_FOR_PROTECTION; typedef struct _KPH_IMAGE_LOAD_APC { KSI_KAPC Apc; PKPH_PROCESS_CONTEXT Process; PVOID ImageBase; PFILE_OBJECT FileObject; } KPH_IMAGE_LOAD_APC, *PKPH_IMAGE_LOAD_APC; typedef struct _KPH_IMAGE_LOAD_APC_INIT { PKPH_PROCESS_CONTEXT Process; PVOID ImageBase; PFILE_OBJECT FileObject; } KPH_IMAGE_LOAD_APC_INIT, *PKPH_IMAGE_LOAD_APC_INIT; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpImageLoadApcTypeName = RTL_CONSTANT_STRING(L"KphImageLoadApc"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpImageLoadApcType = NULL; KPH_PROTECTED_DATA_SECTION_POP(); static KPH_REFERENCE KphpDriverUnloadProtectionRef = { 0 }; static PVOID KphpDriverUnloadPreviousRoutine = NULL; KPH_PAGED_FILE(); /** * \brief Allocates an image load APC object. * * \param[in] Size The size to allocate. * * \return Allocates image load APC object, null on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateImageLoadApc( _In_ SIZE_T Size ) { KPH_PAGED_CODE(); return KphAllocateNPaged(Size, KPH_TAG_IMAGE_LOAD_APC); } /** * \brief Initializes image load APC object. * * \param[in,out] Object The image load APC object to initialize. * \param[in] Parameter The image load ACP initialization structure. * * \return STATUS_SUCCESS */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeImageLoadApc( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { PKPH_IMAGE_LOAD_APC apc; PKPH_IMAGE_LOAD_APC_INIT init; KPH_PAGED_CODE(); NT_ASSERT(Parameter); apc = Object; init = Parameter; apc->Process = init->Process; KphReferenceObject(apc->Process); apc->ImageBase = init->ImageBase; apc->FileObject = init->FileObject; if (apc->FileObject) { ObReferenceObject(apc->FileObject); } KphReferenceHashingInfrastructure(); return STATUS_SUCCESS; } /** * \brief Deletes image load APC object. * * \param[in,out] Object The image load APC object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) VOID KSIAPI KphpDeleteImageLoadApc( _Inout_ PVOID Object ) { PKPH_IMAGE_LOAD_APC apc; KPH_PAGED_CODE(); apc = Object; KphDereferenceObject(apc->Process); if (apc->FileObject) { ObDereferenceObject(apc->FileObject); } KphDereferenceHashingInfrastructure(); } /** * \brief Frees an image load APC object. * * \param[in] Object Image load APC object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) VOID KSIAPI KphpFreeImageLoadApc( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE(); KphFree(Object, KPH_TAG_IMAGE_LOAD_APC); } /** * \brief Checks if object protections should be allowed. * * \param[in] Info Optional object pre operation information. * \param[in] Actor The actor process requesting access. * \param[in] Object The process context associated with the object. * \param[out] Allow Receives TRUE if object protections should be allowed, * FALSE otherwise. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphpShouldAllowObjectAccess( _In_opt_ POB_PRE_OPERATION_INFORMATION Info, _In_ PKPH_PROCESS_CONTEXT Actor, _In_ PKPH_PROCESS_CONTEXT Object, _Out_ PBOOLEAN Allow ) { NTSTATUS status; PKPH_PROCESS_CONTEXT source; PKPH_PROCESS_CONTEXT target; BOOLEAN isLsass; KPH_PAGED_CODE(); *Allow = FALSE; source = NULL; target = NULL; NT_ASSERT(Object->Protected); if (!Info || (Info->Operation == OB_OPERATION_HANDLE_CREATE)) { // // Allow access to itself. // if (Actor->EProcess == Object->EProcess) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Process %wZ (%lu) allowed to access itself", &Actor->ImageName, HandleToULong(Actor->ProcessId)); *Allow = TRUE; status = STATUS_SUCCESS; goto Exit; } // // Allow maximum state processes access to one another. // if (KphTestProcessContextState(Actor, KPH_PROCESS_STATE_MAXIMUM) && KphTestProcessContextState(Object, KPH_PROCESS_STATE_MAXIMUM)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Maximum state process %wZ (%lu) allowed to access " "maximum state process %wZ (%lu)", &Actor->ImageName, HandleToULong(Actor->ProcessId), &Object->ImageName, HandleToULong(Object->ProcessId)); *Allow = TRUE; status = STATUS_SUCCESS; goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Process %wZ (%lu) possibly subject to limited access " "to process %wZ (%lu)", &Actor->ImageName, HandleToULong(Actor->ProcessId), &Object->ImageName, HandleToULong(Object->ProcessId)); } else if (Info && (Info->Operation == OB_OPERATION_HANDLE_DUPLICATE)) { PEPROCESS process; // // Allow duplication to itself into itself from itself. // if ((Object->EProcess == Actor->EProcess) && (Object->EProcess == Info->Parameters->DuplicateHandleInformation.SourceProcess) && (Object->EProcess == Info->Parameters->DuplicateHandleInformation.TargetProcess)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Process %wZ (%lu) allowed to access itself", &Actor->ImageName, HandleToULong(Actor->ProcessId)); *Allow = TRUE; status = STATUS_SUCCESS; goto Exit; } process = Info->Parameters->DuplicateHandleInformation.SourceProcess; source = KphGetEProcessContext(process); if (!source) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphGetEProcessContext(%lu) returned NULL", HandleToULong(PsGetProcessId(process))); status = STATUS_INVALID_CID; goto Exit; } process = Info->Parameters->DuplicateHandleInformation.TargetProcess; target = KphGetEProcessContext(process); if (!target) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphGetEProcessContext(%lu) returned NULL", HandleToULong(PsGetProcessId(process))); status = STATUS_INVALID_CID; goto Exit; } // // Allow duplication between maximum state processes. // if (KphTestProcessContextState(Actor, KPH_PROCESS_STATE_MAXIMUM) && KphTestProcessContextState(source, KPH_PROCESS_STATE_MAXIMUM) && KphTestProcessContextState(target, KPH_PROCESS_STATE_MAXIMUM)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Maximum state process %wZ (%lu) allowed to duplicate " "object for process %wZ (%lu) from maximum state " "process %wZ (%lu) to maximum state process %wZ (%lu)", &Actor->ImageName, HandleToULong(Actor->ProcessId), &Object->ImageName, HandleToULong(Object->ProcessId), &source->ImageName, HandleToULong(source->ProcessId), &target->ImageName, HandleToULong(target->ProcessId)); *Allow = TRUE; status = STATUS_SUCCESS; goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Process %wZ (%lu) possibly subject to limited access " "to object for process %wZ (%lu) when duplicating object " "from process %wZ (%lu) to process %wZ (%lu)", &Actor->ImageName, HandleToULong(Actor->ProcessId), &Object->ImageName, HandleToULong(Object->ProcessId), &source->ImageName, HandleToULong(source->ProcessId), &target->ImageName, HandleToULong(target->ProcessId)); } status = KphDominationCheck(Object->EProcess, Actor->EProcess, UserMode); if (!NT_SUCCESS(status)) { // // Allow access when the actor is a protected process and the target is // not protected at a higher level. // KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "PPL process %wZ (%lu) allowed to access process %wZ (%lu)", &Actor->ImageName, HandleToULong(Actor->ProcessId), &Object->ImageName, HandleToULong(Object->ProcessId)); *Allow = TRUE; status = STATUS_SUCCESS; goto Exit; } status = KphProcessIsLsass(Actor->EProcess, &isLsass); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphProcessIsLsass failed: %!STATUS!", status); goto Exit; } if (isLsass) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "LSA process %wZ (%lu) allowed to access process %wZ (%lu)", &Actor->ImageName, HandleToULong(Actor->ProcessId), &Object->ImageName, HandleToULong(Object->ProcessId)); *Allow = TRUE; goto Exit; } Exit: if (target) { KphDereferenceObject(target); } if (source) { KphDereferenceObject(source); } return status; } /** * \brief Handle enumeration callback for protecting a process. * * \param[in,out] HandleTableEntry The handle table entry being enumerated. * \param[in] Handle The handle being enumerated. * \param[in] Parameter The enumerate for protection context. * * \return FALSE to continue enumerating, TRUE to stop. */ _Function_class_(KPH_ENUM_PROCESS_HANDLES_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ BOOLEAN KSIAPI KphpEnumProcessHandlesForProtection( _Inout_ PHANDLE_TABLE_ENTRY HandleTableEntry, _In_ HANDLE Handle, _In_opt_ PVOID Parameter ) { PKPH_ENUM_FOR_PROTECTION parameter; POBJECT_HEADER objectHeader; PVOID object; POBJECT_TYPE objectType; ACCESS_MASK grantedAccess; ACCESS_MASK allowedAccessMask; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Parameter); parameter = Parameter; if (IsKernelHandle(Handle)) { // // Don't screw with kernel handles. // return FALSE; } objectHeader = KphObpDecodeObject(parameter->Dyn, HandleTableEntry); if (!objectHeader) { // // We don't have the dynamic data necessary to do work. // parameter->Status = STATUS_NOINTERFACE; return TRUE; } object = (PVOID)&objectHeader->Body; objectType = ObGetObjectType(object); if (objectType == *PsProcessType) { if (parameter->Process->EProcess != object) { return FALSE; } grantedAccess = ObpDecodeGrantedAccess(HandleTableEntry->GrantedAccess); allowedAccessMask = parameter->Process->ProcessAllowedMask; if ((grantedAccess & allowedAccessMask) != grantedAccess) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Modifying process handle (0x%04x, 0x%08x -> 0x%08x) " "permissions in process %wZ (%lu) for process %wZ (%lu)", HandleToULong(Handle), grantedAccess, (grantedAccess & allowedAccessMask), ¶meter->ProcessEnum->ImageName, HandleToULong(parameter->ProcessEnum->ProcessId), ¶meter->Process->ImageName, HandleToULong(parameter->Process->ProcessId)); ObpSetGrantedAccess(&HandleTableEntry->GrantedAccess, (grantedAccess & allowedAccessMask)); } return FALSE; } if (objectType == *PsThreadType) { PEPROCESS process; process = PsGetThreadProcess(object); if (parameter->Process->EProcess != process) { return FALSE; } grantedAccess = ObpDecodeGrantedAccess(HandleTableEntry->GrantedAccess); allowedAccessMask = parameter->Process->ThreadAllowedMask; if ((grantedAccess & allowedAccessMask) != grantedAccess) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Modifying thread handle (0x%04x, 0x%08x -> 0x%08x) " "permissions in process %wZ (%lu) for process %wZ (%lu)", HandleToULong(Handle), grantedAccess, (grantedAccess & allowedAccessMask), ¶meter->ProcessEnum->ImageName, HandleToULong(parameter->ProcessEnum->ProcessId), ¶meter->Process->ImageName, HandleToULong(parameter->Process->ProcessId)); ObpSetGrantedAccess(&HandleTableEntry->GrantedAccess, (grantedAccess & allowedAccessMask)); } } return FALSE; } /** * \brief Process context enumeration callback for process protection. * * \param[in] Process The process context being enumerated. * \param[in] Parameter The enumerate for protection context. * * \return FALSE to continue enumerating, TRUE to stop. */ _Function_class_(KPH_ENUM_PROCESS_CONTEXTS_CALLBACK) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ BOOLEAN KSIAPI KphpEnumProcessContextsForProtection( _In_ PKPH_PROCESS_CONTEXT Process, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_ENUM_FOR_PROTECTION parameter; BOOLEAN allow; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Parameter); parameter = Parameter; allow = FALSE; status = KphpShouldAllowObjectAccess(NULL, Process, parameter->Process, &allow); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphpShouldAllowObjectAccess failed: %!STATUS!", status); // // This usually means we don't have the dynamic data to do work. // We can't guarantee both protection and application compatibility. // parameter->Status = status; return TRUE; } if (allow) { return FALSE; } parameter->ProcessEnum = Process; status = KphEnumerateProcessHandlesEx(Process->EProcess, KphpEnumProcessHandlesForProtection, parameter); if (status == STATUS_NOINTERFACE) { // // This means we don't have the dynamic data necessary to do work. // All other errors are failure to access process objects because // the process is exiting or has no object table. // parameter->Status = status; return TRUE; } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphEnumerateProcessHandlesEx failed: %!STATUS!", status); } return FALSE; } /** * \brief Stops protecting a process. * * \param[in] Process The process to stop protecting. */ _IRQL_requires_max_(APC_LEVEL) VOID KphStopProtectingProcess( _In_ PKPH_PROCESS_CONTEXT Process ) { KPH_PAGED_CODE(); KphAcquireRWLockExclusive(&Process->ProtectionLock); Process->Protected = FALSE; Process->ProcessAllowedMask = 0; Process->ThreadAllowedMask = 0; KphReleaseRWLock(&Process->ProtectionLock); KphTracePrint(TRACE_LEVEL_INFORMATION, PROTECTION, "Stopped protecting process %wZ (%lu)", &Process->ImageName, HandleToULong(Process->ProcessId)); } /** * \brief Determines if a process is protected. * * \param[in] Process The process to check. * * \return TRUE if the process is protected, FALSE otherwise. */ _IRQL_requires_max_(PASSIVE_LEVEL) BOOLEAN KphIsProtectedProcess( _In_ PKPH_PROCESS_CONTEXT Process ) { BOOLEAN isProtectedProcess; KPH_PAGED_CODE_PASSIVE(); KphAcquireRWLockShared(&Process->ProtectionLock); isProtectedProcess = Process->Protected ? TRUE : FALSE; KphReleaseRWLock(&Process->ProtectionLock); return isProtectedProcess; } /** * \brief Starts protecting a process. * * \param[in] Process The process to start protecting. * \param[in] ProcessAllowedMask Access mask containing the allowed access to * the process. * \param[in] ThreadAllowedMask Access mask containing the allowed access to * the process threads. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphStartProtectingProcess( _In_ PKPH_PROCESS_CONTEXT Process, _In_ ACCESS_MASK ProcessAllowedMask, _In_ ACCESS_MASK ThreadAllowedMask ) { NTSTATUS status; BOOLEAN releaseLock; SECURITY_SUBJECT_CONTEXT subjectContext; BOOLEAN accessGranted; KPH_PAGED_CODE_PASSIVE(); releaseLock = FALSE; // // N.B. We must be able to identify lsass before applying protections. // Without the ability to identify lsass, a process may fail to start. // Normally, lsass runs as a protected process; however, if it is not, // we rely on dynamic data to identify it. If a system configuration // does not run lsass as a protected process and also lacks dynamic data // support, we cannot guarantee application compatibility or protection. // In that case, access to the driver will be restricted. // // This distinction is important later within the object callbacks. // Note that the KphpShouldAllowObjectAccess call in KphApplyObProtections // depends on KphProcessIsLsass. // if (!KphCanIdentifyLsass()) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCanIdentifyLsass failed"); status = STATUS_NOINTERFACE; goto Exit; } SeCaptureSubjectContextEx(NULL, Process->EProcess, &subjectContext); accessGranted = KphSinglePrivilegeCheckEx(SeDebugPrivilege, &subjectContext, UserMode); SeReleaseSubjectContext(&subjectContext); if (!accessGranted) { status = STATUS_PRIVILEGE_NOT_HELD; goto Exit; } KphAcquireRWLockExclusive(&Process->ProtectionLock); releaseLock = TRUE; if (Process->Protected) { KphTracePrint(TRACE_LEVEL_INFORMATION, PROTECTION, "Already protecting process %wZ (%lu)", &Process->ImageName, HandleToULong(Process->ProcessId)); status = STATUS_ALREADY_COMPLETE; goto Exit; } KphTracePrint(TRACE_LEVEL_INFORMATION, PROTECTION, "Started protecting process %wZ (%lu)", &Process->ImageName, HandleToULong(Process->ProcessId)); Process->Protected = TRUE; Process->ProcessAllowedMask = ProcessAllowedMask; Process->ThreadAllowedMask = ThreadAllowedMask; status = STATUS_SUCCESS; Exit: if (releaseLock) { KphReleaseRWLock(&Process->ProtectionLock); } return status; } /** * \brief Returns true if we should permit extending handle permissions for * the creator process. * * \param[in] Info Object pre operation information. * \param[in] Actor The actor thread. * \param[in] ProcessTarget The process to check against. * * \return TRUE if we should permit, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) BOOLEAN KphpShouldPermitCreatorProcess( _In_ POB_PRE_OPERATION_INFORMATION Info, _In_ PKPH_THREAD_CONTEXT Actor, _In_ PKPH_PROCESS_CONTEXT Process ) { KPH_PAGED_CODE(); NT_ASSERT(Process->VerifiedProcess); if (Info->Operation == OB_OPERATION_HANDLE_DUPLICATE) { return FALSE; } NT_ASSERT(Info->Operation == OB_OPERATION_HANDLE_CREATE); if (!Actor->IsCreatingProcess || (Actor->IsCreatingProcessId != Process->ProcessId)) { return FALSE; } return KphTestProcessContextState(Actor->ProcessContext, KPH_PROCESS_STATE_MINIMUM); } /** * \brief Applies object protections to protected processes. Invoked by the * object manager callbacks. * * \param[in,out] Info Object pre operation information to apply protections. */ _IRQL_requires_max_(APC_LEVEL) VOID KphApplyObProtections( _Inout_ POB_PRE_OPERATION_INFORMATION Info ) { NTSTATUS status; PKPH_PROCESS_CONTEXT process; PKPH_THREAD_CONTEXT actor; BOOLEAN releaseLock; ACCESS_MASK allowedAccessMask; ACCESS_MASK desiredAccess; PACCESS_MASK access; BOOLEAN allow; KPH_PAGED_CODE(); process = NULL; actor = NULL; releaseLock = FALSE; if ((Info->ObjectType != *PsProcessType) && (Info->ObjectType != *PsThreadType)) { goto Exit; } if (Info->KernelHandle) { goto Exit; } actor = KphGetCurrentThreadContext(); if (!actor || !actor->ProcessContext) { goto Exit; } if (Info->ObjectType == *PsProcessType) { process = KphGetEProcessContext(Info->Object); } else { PKPH_THREAD_CONTEXT thread; NT_ASSERT(Info->ObjectType == *PsThreadType); thread = KphGetEThreadContext(Info->Object); if (thread) { process = thread->ProcessContext; if (process) { KphReferenceObject(process); } KphDereferenceObject(thread); } } if (!process) { goto Exit; } if (Info->Operation == OB_OPERATION_HANDLE_CREATE) { access = &Info->Parameters->CreateHandleInformation.DesiredAccess; desiredAccess = *access; } else { NT_ASSERT(Info->Operation == OB_OPERATION_HANDLE_DUPLICATE); access = &Info->Parameters->DuplicateHandleInformation.DesiredAccess; desiredAccess = *access; } KphAcquireRWLockShared(&process->ProtectionLock); releaseLock = TRUE; if (!process->Protected) { goto Exit; } allow = FALSE; status = KphpShouldAllowObjectAccess(Info, actor->ProcessContext, process, &allow); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_WARNING, PROTECTION, "KphpShouldAllowObjectAccess failed: %!STATUS!", status); // // We shouldn't get here since we would have succeeded when starting to // protect the process to begin with. So if we fail here we fail-safe // and do not allow. // allow = FALSE; } if (allow) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Allowing process %wZ (%lu) access (0x%08x) to " "process %wZ (%lu)", &actor->ProcessContext->ImageName, HandleToULong(actor->ProcessContext->ProcessId), desiredAccess, &process->ImageName, HandleToULong(process->ProcessId)); goto Exit; } if (Info->ObjectType == *PsProcessType) { allowedAccessMask = process->ProcessAllowedMask; if (KphpShouldPermitCreatorProcess(Info, actor, process)) { allowedAccessMask |= (KPH_PROCESS_READ_ACCESS | PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE); if ((allowedAccessMask & process->ProcessAllowedMask) != allowedAccessMask) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Permitting extra process handle access " "(0x%08x -> 0x%08x) in creator process %wZ (%lu) for " "process %wZ (%lu)", process->ProcessAllowedMask, allowedAccessMask, &actor->ProcessContext->ImageName, HandleToULong(actor->ProcessContext->ProcessId), &process->ImageName, HandleToULong(process->ProcessId)); } } if ((desiredAccess & allowedAccessMask) != desiredAccess) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Stripping process handle (0x%08x -> 0x%08x) " "permissions in process %wZ (%lu) for process %wZ (%lu) (0x%08x)", desiredAccess, (desiredAccess & allowedAccessMask), &actor->ProcessContext->ImageName, HandleToULong(actor->ProcessContext->ProcessId), &process->ImageName, HandleToULong(process->ProcessId), allowedAccessMask); *access = (desiredAccess & allowedAccessMask); } } else { NT_ASSERT(Info->ObjectType == *PsThreadType); allowedAccessMask = process->ThreadAllowedMask; if (KphpShouldPermitCreatorProcess(Info, actor, process)) { allowedAccessMask |= (KPH_THREAD_READ_ACCESS | THREAD_TERMINATE | THREAD_RESUME); if ((allowedAccessMask & process->ThreadAllowedMask) != allowedAccessMask) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Permitting extra thread handle access " "(0x%08x -> 0x%08x) in creator process %wZ (%lu) for " "process %wZ (%lu)", process->ThreadAllowedMask, allowedAccessMask, &actor->ProcessContext->ImageName, HandleToULong(actor->ProcessContext->ProcessId), &process->ImageName, HandleToULong(process->ProcessId)); } } if ((desiredAccess & allowedAccessMask) != desiredAccess) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Stripping thread handle (0x%08x -> 0x%08x) " "permissions in process %wZ (%lu) for process %wZ (%lu) (0x%08x)", desiredAccess, (desiredAccess & allowedAccessMask), &actor->ProcessContext->ImageName, HandleToULong(actor->ProcessContext->ProcessId), &process->ImageName, HandleToULong(process->ProcessId), allowedAccessMask); *access = (desiredAccess & allowedAccessMask); } } Exit: if (process) { if (releaseLock) { KphReleaseRWLock(&process->ProtectionLock); } KphDereferenceObject(process); } if (actor) { KphDereferenceObject(actor); } } /** * \brief Cleanup routine for the image load APC. * * \param[in] Apc The APC to clean up. * \param[in] Reason Unused. */ _Function_class_(KSI_KCLEANUP_ROUTINE) _IRQL_requires_min_(PASSIVE_LEVEL) _IRQL_requires_max_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpImageLoadCleanupRoutine( _In_ PKSI_KAPC Apc, _In_ KSI_KAPC_CLEANUP_REASON Reason ) { PKPH_IMAGE_LOAD_APC apc; KPH_PAGED_CODE(); UNREFERENCED_PARAMETER(Reason); apc = CONTAINING_RECORD(Apc, KPH_IMAGE_LOAD_APC, Apc); KphDereferenceObject(apc); } /** * \brief Normal kernel APC routine where we carry out image load denial. * * \param[in] NormalContext Unused. * \param[in] SystemArgument1 Image load APC object. * \param[in] SystemArgument2 Unused. */ _Function_class_(KNORMAL_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID NTAPI KphpImageLoadKernelNormalRoutine( _In_opt_ PVOID NormalContext, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2 ) { NTSTATUS status; PKPH_IMAGE_LOAD_APC apc; KAPC_STATE apcState; BOOLEAN attachToTarget; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(NormalContext); UNREFERENCED_PARAMETER(SystemArgument2); NT_ASSERT(SystemArgument1); apc = SystemArgument1; NT_ASSERT(apc->ImageBase <= MmHighestUserAddress); attachToTarget = (apc->Process->EProcess != PsGetCurrentProcess()); if (attachToTarget) { KeStackAttachProcess(apc->Process->EProcess, &apcState); } status = ZwUnmapViewOfSection(ZwCurrentProcess(), apc->ImageBase); if (attachToTarget) { KeUnstackDetachProcess(&apcState); } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "ZwUnmapViewOfSection failed (%wZ (%lu), %p): %!STATUS!", &apc->Process->ImageName, HandleToULong(apc->Process->ProcessId), apc->ImageBase, status); InterlockedIncrementSizeT(&apc->Process->NumberOfUntrustedImageLoads); } else { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Unmapped %p from process %wZ (%lu)", apc->ImageBase, &apc->Process->ImageName, HandleToULong(apc->Process->ProcessId)); } } /** * \param Second kernel APC routine, say hi on the way down to passive :). * * \param[in] Apc Unused. * \param[in,out] NormalRoutine Pointer to the normal kernel APC routine. * \param[in,out] NormalContext Unused. * \param[in,out] SystemArgument1 Pointer to the image load APC object. * \param[in,out] SystemArgument2 Unused. */ _Function_class_(KSI_KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpImageLoadKernelRoutineSecond( _In_ PKSI_KAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ) { KPH_PAGED_CODE_APC(); UNREFERENCED_PARAMETER(Apc); DBG_UNREFERENCED_PARAMETER(NormalRoutine); UNREFERENCED_PARAMETER(NormalContext); DBG_UNREFERENCED_PARAMETER(SystemArgument1); UNREFERENCED_PARAMETER(SystemArgument2); NT_ASSERT(*NormalRoutine == KphpImageLoadKernelNormalRoutine); NT_ASSERT(*SystemArgument1); NT_ASSERT(KphGetObjectType(*SystemArgument1) == KphpImageLoadApcType); } /** * \brief First kernel APC routine, fired by the thread returning from the * system. We will stage another normal kernel APC to fire at passive here. * * \param[in] Apc The APC object that is executing. * \param[in,out] NormalRoutine Points to the faked routine, we'll cancel it. * \param[in,out] NormalContext Unused. * \param[in,out] SystemArgument1 Unused. * \param[in,out] SystemArgument2 Unused. */ _Function_class_(KSI_KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpImageLoadKernelRoutineFirst( _In_ PKSI_KAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ) { NTSTATUS status; PKPH_IMAGE_LOAD_APC firstApc; PKPH_IMAGE_LOAD_APC secondApc; KPH_IMAGE_LOAD_APC_INIT init; KPH_PAGED_CODE_APC(); secondApc = NULL; firstApc = CONTAINING_RECORD(Apc, KPH_IMAGE_LOAD_APC, Apc); UNREFERENCED_PARAMETER(NormalRoutine); *NormalContext = NULL; *SystemArgument1 = NULL; *SystemArgument2 = NULL; init.Process = firstApc->Process; init.ImageBase = firstApc->ImageBase; init.FileObject = NULL; status = KphCreateObject(KphpImageLoadApcType, sizeof(KPH_IMAGE_LOAD_APC), &secondApc, &init); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCreateObject failed: %!STATUS!", status); secondApc = NULL; goto Exit; } // // Initialize a normal kernel ACP to drop down to passive. // KsiInitializeApc(&secondApc->Apc, KphDriverObject, KeGetCurrentThread(), OriginalApcEnvironment, KphpImageLoadKernelRoutineSecond, KphpImageLoadCleanupRoutine, KphpImageLoadKernelNormalRoutine, KernelMode, NULL); if (!KsiInsertQueueApc(&secondApc->Apc, secondApc, NULL, IO_NO_INCREMENT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KsiInsertQueueApc failed"); status = STATUS_UNSUCCESSFUL; goto Exit; } secondApc = NULL; status = STATUS_SUCCESS; Exit: if (secondApc) { KphDereferenceObject(secondApc); } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Untrusted image load (%wZ (%lu), %p): %!STATUS!", &firstApc->Process->ImageName, HandleToULong(firstApc->Process->ProcessId), firstApc->ImageBase, status); // // No choice other than to just track that there is an untrusted image. // InterlockedIncrementSizeT(&firstApc->Process->NumberOfUntrustedImageLoads); } } /** * \brief Handles an untrusted image load in a verified process. * * \details If a failure is encountered in this path or if image load denial * is disabled we will denote in the target process that an untrusted image * was loaded. The approach here is to queue a user APC to execute when * the thread returns from the system. Then, we issue another APC to drop * down to passive level and remove the image mapping from the process. * * \param[in,out] Process The process where the image is being loaded. * \param[in] ImageBase The base address of the untrusted image. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpHandleUntrustedImageLoad( _Inout_ PKPH_PROCESS_CONTEXT Process, _In_ PVOID ImageBase ) { NTSTATUS status; PKPH_THREAD_CONTEXT actor; KPH_IMAGE_LOAD_APC_INIT init; PKPH_IMAGE_LOAD_APC apc; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Process->VerifiedProcess); status = STATUS_UNSUCCESSFUL; actor = NULL; apc = NULL; if (KphParameterFlags.DisableImageLoadProtection) { // // Image load protections are disable. Do not deny the image load. We // will still mark an untrusted image load. This will restrict access // to the driver. // KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Image load protections are disabled."); goto Exit; } if ((ReadSizeTAcquire(&Process->NumberOfImageLoads) == 1) && (PsGetProcessSectionBaseAddress(Process->EProcess) == ImageBase)) { // // The primary image is being loaded. Rather than deny the image load // we will allow it to go through but will still mark an untrusted // image load. This will restrict access to the driver. But will allow // the process to continue starting. // // N.B. If another untrusted image is loaded other than the primary // image that is critical to starting the process, it will still fail // to start. // KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Image base is the process section base address."); goto Exit; } actor = KphGetCurrentThreadContext(); if (!actor || !actor->ProcessContext) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Insufficient tracking."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphCheckProcessApcNoopRoutine(actor->ProcessContext); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCheckProcessApcNoopRoutine failed: %!STATUS!", status); goto Exit; } if (ImageBase > MmHighestUserAddress) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Invalid image base!"); // // This isn't an error, we just check for safety downstream. // status = STATUS_SUCCESS; goto Exit; } init.Process = Process; init.ImageBase = ImageBase; init.FileObject = NULL; status = KphCreateObject(KphpImageLoadApcType, sizeof(KPH_IMAGE_LOAD_APC), &apc, &init); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCreateObject failed: %!STATUS!", status); apc = NULL; goto Exit; } KsiInitializeApc(&apc->Apc, KphDriverObject, actor->EThread, OriginalApcEnvironment, KphpImageLoadKernelRoutineFirst, KphpImageLoadCleanupRoutine, actor->ProcessContext->ApcNoopRoutine, UserMode, NULL); if (!KsiInsertQueueApc(&apc->Apc, NULL, NULL, IO_NO_INCREMENT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KsiInsertQueueApc failed"); status = STATUS_UNSUCCESSFUL; goto Exit; } // // Stage the thread for user mode APC delivery. // KeTestAlertThread(UserMode); apc = NULL; status = STATUS_SUCCESS; Exit: if (apc) { KphDereferenceObject(apc); } if (actor) { KphDereferenceObject(actor); } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Untrusted image load (%wZ (%lu), %p): %!STATUS!", &Process->ImageName, HandleToULong(Process->ProcessId), ImageBase, status); // // No choice other than to just track that there is an untrusted image. // InterlockedIncrementSizeT(&Process->NumberOfUntrustedImageLoads); } } /** * \brief Re-opens the image file object for the image being loaded. * * \details This is unfortunately necessary since the file object from the * image load callback is in a state that renders I/O inoperable, due to * FO_CLEANUP_COMPLETE being set. * * \param[in] ImageFileObject The image file object. * \param[out] FileHandle Receives a handle the to the file. * \param[out] FileObject Receives a reference to the file object. * \param[out] Filename Receives the file name of the image, must be freed * using KphFreeNameFileObject. * \param[out] ImageBase Receives the base address of the image mapping in the * system address space. Must be unmapped with KphUnmapViewInSystem. * \param[out] ImageSize Receives the size of the image mapping. * \param[out] DataBase Receives the base address of the data mapping in the * system address space. Must be unmapped with KphUnmapViewInSystem. * \param[out] DataSize Receives the size of the data mapping. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpReOpenImageFile( _In_ PFILE_OBJECT ImageFileObject, _Out_ PHANDLE FileHandle, _Out_ PFILE_OBJECT* FileObject, _Out_ PUNICODE_STRING* FileName, _Out_ PVOID* ImageBase, _Out_ PSIZE_T ImageSize, _Out_ PVOID* DataBase, _Out_ PSIZE_T DataSize ) { NTSTATUS status; PUNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; HANDLE fileHandle; PFILE_OBJECT fileObject; PVOID imageBase; SIZE_T imageSize; PVOID dataBase; SIZE_T dataSize; KPH_PAGED_CODE_PASSIVE(); fileHandle = NULL; fileObject = NULL; imageBase = NULL; dataBase = NULL; *FileObject = NULL; *FileName = NULL; *ImageBase = NULL; *ImageSize = 0; *DataBase = NULL; *DataSize = 0; status = KphGetNameFileObject(ImageFileObject, &fileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphGetNameFileObject failed: %!STATUS!", status); goto Exit; } InitializeObjectAttributes(&objectAttributes, fileName, OBJ_KERNEL_HANDLE | OBJ_DONT_REPARSE, NULL, NULL); status = KphCreateFile(&fileHandle, FILE_READ_ACCESS | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_COMPLETE_IF_OPLOCKED), NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCreateFile failed: %!STATUS!", status); fileHandle = NULL; goto Exit; } else if (status == STATUS_OPLOCK_BREAK_IN_PROGRESS) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCreateFile failed: %!STATUS!", status); status = STATUS_SHARING_VIOLATION; goto Exit; } status = ObReferenceObjectByHandle(fileHandle, 0, *IoFileObjectType, KernelMode, &fileObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "ObReferenceObjectByHandle failed: %!STATUS!", status); fileObject = NULL; goto Exit; } imageSize = 0; status = KphMapViewInSystem(fileHandle, KPH_MAP_IMAGE, &imageBase, &imageSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphMapViewInSystem failed: %!STATUS!", status); imageBase = NULL; goto Exit; } dataSize = 0; status = KphMapViewInSystem(fileHandle, KPH_MAP_DATA, &dataBase, &dataSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphMapViewInSystem failed: %!STATUS!", status); imageBase = NULL; goto Exit; } *FileHandle = fileHandle; fileHandle = NULL; *FileObject = fileObject; fileObject = NULL; *FileName = fileName; fileName = NULL; *ImageBase = imageBase; imageBase = NULL; *ImageSize = imageSize; *DataBase = dataBase; dataBase = NULL; *DataSize = dataSize; Exit: if (dataBase) { KphUnmapViewInSystem(dataBase); } if (imageBase) { KphUnmapViewInSystem(imageBase); } if (fileHandle) { ObCloseHandle(fileHandle, KernelMode); } if (fileObject) { ObDereferenceObject(fileObject); } if (fileName) { KphFreeNameFileObject(fileName); } return status; } /** * \brief Applies image protections on verified processes. * * \param[in,out] Process The process where the image is being loaded. * \param[in] ImageBase The base address of the image. * \param[in] FileObject The file object for the image being loaded. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpApplyImageProtections( _Inout_ PKPH_PROCESS_CONTEXT Process, _In_ PVOID ImageBase, _In_ PFILE_OBJECT FileObject ) { NTSTATUS status; PSIZE_T imageLoadCounter; HANDLE fileHandle; PFILE_OBJECT fileObject; PUNICODE_STRING fileName; PVOID imageBase; SIZE_T imageSize; PVOID dataBase; SIZE_T dataSize; SE_SIGNING_LEVEL signingLevel; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(!KeAreAllApcsDisabled()); imageLoadCounter = NULL; fileHandle = NULL; fileObject = NULL; fileName = NULL; imageBase = NULL; dataBase = NULL; if (FileObject->WriteAccess) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "%wZ (%lu) image \"%wZ\" is writable", &Process->ImageName, HandleToULong(Process->ProcessId), &FileObject->FileName); goto Exit; } if (IoGetTransactionParameterBlock(FileObject)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "%wZ (%lu) image \"%wZ\" is in a transaction", &Process->ImageName, HandleToULong(Process->ProcessId), &FileObject->FileName); goto Exit; } if (!FileObject->SectionObjectPointer || MmDoesFileHaveUserWritableReferences(FileObject->SectionObjectPointer)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "%wZ (%lu) image \"%wZ\" has user writable references", &Process->ImageName, HandleToULong(Process->ProcessId), &FileObject->FileName); goto Exit; } status = KphpReOpenImageFile(FileObject, &fileHandle, &fileObject, &fileName, &imageBase, &imageSize, &dataBase, &dataSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphpReOpenImageFile: %wZ (%lu) \"%wZ\": %!STATUS!", &Process->ImageName, HandleToULong(Process->ProcessId), &FileObject->FileName, status); goto Exit; } if (!KphIsSameFile(FileObject, fileObject)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphIsSameFile failed: %wZ (%lu) \"%wZ\" \"%wZ\"", &Process->ImageName, HandleToULong(Process->ProcessId), &FileObject->FileName, fileName); goto Exit; } status = KphGetSigningLevel(fileObject, &signingLevel); KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphpGetSigningLevel: %wZ (%lu) \"%wZ\": 0x%02x %!STATUS!", &Process->ImageName, HandleToULong(Process->ProcessId), fileName, signingLevel, status); if (!NT_SUCCESS(status)) { signingLevel = SE_SIGNING_LEVEL_UNCHECKED; } switch (signingLevel) { case SE_SIGNING_LEVEL_MICROSOFT: case SE_SIGNING_LEVEL_WINDOWS: case SE_SIGNING_LEVEL_WINDOWS_TCB: { imageLoadCounter = &Process->NumberOfMicrosoftImageLoads; goto CheckCoherency; } case SE_SIGNING_LEVEL_ANTIMALWARE: { imageLoadCounter = &Process->NumberOfAntimalwareImageLoads; goto CheckCoherency; } default: { break; } } status = KphVerifyFileObject(fileObject, fileName); KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphVerifyFileObject: %wZ (%lu) \"%wZ\": %!STATUS!", &Process->ImageName, HandleToULong(Process->ProcessId), fileName, status); if (NT_SUCCESS(status)) { imageLoadCounter = &Process->NumberOfVerifiedImageLoads; goto CheckCoherency; } CheckCoherency: status = KphCheckImageCoherency(imageBase, imageSize, dataBase, dataSize); KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCheckImageCoherency: %wZ (%lu) \"%wZ\": %!STATUS!", &Process->ImageName, HandleToULong(Process->ProcessId), fileName, status); if (!NT_SUCCESS(status)) { imageLoadCounter = NULL; goto Exit; } Exit: if (dataBase) { KphUnmapViewInSystem(dataBase); } if (imageBase) { KphUnmapViewInSystem(imageBase); } if (imageLoadCounter) { InterlockedIncrementSizeT(imageLoadCounter); } else { KphpHandleUntrustedImageLoad(Process, ImageBase); } if (fileName) { KphFreeNameFileObject(fileName); } if (fileObject) { ObDereferenceObject(fileObject); } if (fileHandle) { ObCloseHandle(fileHandle, KernelMode); } } /** * \brief Normal kernel APC routine for when we must get outside of APC * disablement. * * \param[in] NormalContext Unused. * \param[in] SystemArgument1 Image load APC object. * \param[in] SystemArgument2 Unused. */ _Function_class_(KNORMAL_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL) _IRQL_requires_same_ VOID NTAPI KphpImageLoadKernelNormalRoutineApcsDisabled( _In_opt_ PVOID NormalContext, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2 ) { PKPH_IMAGE_LOAD_APC apc; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(NormalContext); UNREFERENCED_PARAMETER(SystemArgument2); NT_ASSERT(SystemArgument1); apc = SystemArgument1; NT_ASSERT(apc->FileObject); KphpApplyImageProtections(apc->Process, apc->ImageBase, apc->FileObject); } /** * \brief Kernel APC routine for when we must get outside of APC disablement. * * \param[in] Apc Unused. * \param[in,out] NormalRoutine Pointer to the normal kernel APC routine. * \param[in,out] NormalContext Unused. * \param[in,out] SystemArgument1 Pointer to the image load APC object. * \param[in,out] SystemArgument2 Unused. */ _Function_class_(KSI_KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL) _IRQL_requires_same_ VOID KSIAPI KphpImageLoadKernelRoutineApcsDisabled( _In_ PKSI_KAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine, _Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2 ) { KPH_PAGED_CODE_APC(); UNREFERENCED_PARAMETER(Apc); DBG_UNREFERENCED_PARAMETER(NormalRoutine); UNREFERENCED_PARAMETER(NormalContext); DBG_UNREFERENCED_PARAMETER(SystemArgument1); UNREFERENCED_PARAMETER(SystemArgument2); NT_ASSERT(*NormalRoutine == KphpImageLoadKernelNormalRoutineApcsDisabled); NT_ASSERT(*SystemArgument1); NT_ASSERT(KphGetObjectType(*SystemArgument1) == KphpImageLoadApcType); } /** * \brief Applies image protections on verified processes. * * \param[in,out] Process The process where the image is being loaded. * \param[in] ImageBase The base address of the image. * \param[in] FileObject The file object for the image being loaded. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpApplyImageProtectionsApcsDisabled( _Inout_ PKPH_PROCESS_CONTEXT Process, _In_ PVOID ImageBase, _In_ PFILE_OBJECT FileObject ) { NTSTATUS status; PKPH_IMAGE_LOAD_APC apc; KPH_IMAGE_LOAD_APC_INIT init; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(KeAreAllApcsDisabled()); init.Process = Process; init.ImageBase = ImageBase; init.FileObject = FileObject; status = KphCreateObject(KphpImageLoadApcType, sizeof(KPH_IMAGE_LOAD_APC), &apc, &init); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphCreateObject failed: %!STATUS!", status); apc = NULL; goto Exit; } // // Initialize a normal kernel ACP to handle this outside of the callback. // KsiInitializeApc(&apc->Apc, KphDriverObject, KeGetCurrentThread(), OriginalApcEnvironment, KphpImageLoadKernelRoutineApcsDisabled, KphpImageLoadCleanupRoutine, KphpImageLoadKernelNormalRoutineApcsDisabled, KernelMode, NULL); if (!KsiInsertQueueApc(&apc->Apc, apc, NULL, IO_NO_INCREMENT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KsiInsertQueueApc failed"); status = STATUS_UNSUCCESSFUL; goto Exit; } apc = NULL; status = STATUS_SUCCESS; Exit: if (apc) { KphDereferenceObject(apc); } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Untrusted image load (%wZ (%lu), %p): %!STATUS!", &Process->ImageName, HandleToULong(Process->ProcessId), ImageBase, status); // // No choice other than to just track that there is an untrusted image. // InterlockedIncrementSizeT(&Process->NumberOfUntrustedImageLoads); } } /** * \brief Applies image protections on verified processes. * * \param[in,out] Process The process where the image is being loaded. * \param[in] ImageInfo The image info from the notification routine. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphApplyImageProtections( _Inout_ PKPH_PROCESS_CONTEXT Process, _In_ PIMAGE_INFO_EX ImageInfo ) { KPH_PAGED_CODE_PASSIVE(); KphAcquireRWLockShared(&Process->ProtectionLock); if (!Process->VerifiedProcess || !Process->Protected) { goto Exit; } if ((ImageInfo->ImageInfo.ImageSignatureLevel == SE_SIGNING_LEVEL_MICROSOFT) || (ImageInfo->ImageInfo.ImageSignatureLevel == SE_SIGNING_LEVEL_WINDOWS) || (ImageInfo->ImageInfo.ImageSignatureLevel == SE_SIGNING_LEVEL_WINDOWS_TCB)) { InterlockedIncrementSizeT(&Process->NumberOfMicrosoftImageLoads); goto Exit; } if (ImageInfo->ImageInfo.ImageSignatureLevel == SE_SIGNING_LEVEL_ANTIMALWARE) { InterlockedIncrementSizeT(&Process->NumberOfAntimalwareImageLoads); goto Exit; } // // We have to do a signing check ourselves which involves looking up the // file name. If we can do it now, do so, otherwise handle it later. // if (KeAreAllApcsDisabled()) { // // We can't safely (or accurately) look up the file name. We have to // special case it. // KphpApplyImageProtectionsApcsDisabled(Process, ImageInfo->ImageInfo.ImageBase, ImageInfo->FileObject); } else { KphpApplyImageProtections(Process, ImageInfo->ImageInfo.ImageBase, ImageInfo->FileObject); } Exit: KphReleaseRWLock(&Process->ProtectionLock); } /** * \brief Acquires a reference to the driver unload protection. Enables driver * unload protection if this is the first reference. * * \param[out] PreviousCount Optionally set to the previous reference count. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphAcquireDriverUnloadProtection( _Out_opt_ PLONG PreviousCount ) { NTSTATUS status; LONG previousCount; KPH_PAGED_CODE(); status = KphAcquireReference(&KphpDriverUnloadProtectionRef, &previousCount); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphAcquireReference failed: %!STATUS!", status); previousCount = 0; goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Acquired driver unload protection (%ld)", previousCount + 1); if (previousCount == 0) { #pragma prefast(push) #pragma prefast(disable : 28175) NT_ASSERT(KphDriverObject->DriverUnload); NT_ASSERT(!KphpDriverUnloadPreviousRoutine); KphpDriverUnloadPreviousRoutine = InterlockedExchangePointer( (PVOID*)&KphDriverObject->DriverUnload, NULL); NT_ASSERT(!KphDriverObject->DriverUnload); NT_ASSERT(KphpDriverUnloadPreviousRoutine); #pragma prefast(pop) KphTracePrint(TRACE_LEVEL_INFORMATION, PROTECTION, "Driver unload protection activated"); } Exit: if (PreviousCount) { *PreviousCount = previousCount; } return STATUS_SUCCESS; } /** * \brief Releases a reference to the driver unload protection. Disables driver * unload protection if this is the last reference. * * \param[out] PreviousCount Optionally set to the previous reference count. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphReleaseDriverUnloadProtection( _Out_opt_ PLONG PreviousCount ) { NTSTATUS status; LONG previousCount; KPH_PAGED_CODE(); status = KphReleaseReference(&KphpDriverUnloadProtectionRef, &previousCount); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphReleaseReference failed: %!STATUS!", status); previousCount = 0; goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Released driver unload protection (%ld)", previousCount - 1); if (previousCount == 1) { #pragma prefast(push) #pragma prefast(disable : 28175) NT_ASSERT(!KphDriverObject->DriverUnload); NT_ASSERT(KphpDriverUnloadPreviousRoutine); KphpDriverUnloadPreviousRoutine = InterlockedExchangePointer( (PVOID*)&KphDriverObject->DriverUnload, KphpDriverUnloadPreviousRoutine); NT_ASSERT(KphDriverObject->DriverUnload); NT_ASSERT(!KphpDriverUnloadPreviousRoutine); #pragma prefast(pop) KphTracePrint(TRACE_LEVEL_INFORMATION, PROTECTION, "Driver unload protection deactivated"); } Exit: if (PreviousCount) { *PreviousCount = previousCount; } return status; } /** * \brief Retrieves the current driver unload protection reference count. * * \details If the driver unload protection reference count is greater than * zero, the driver unload protection is active. * * \return The current driver unload protection reference count. */ _IRQL_requires_max_(APC_LEVEL) LONG KphGetDriverUnloadProtectionCount( VOID ) { LONG count; KPH_PAGED_CODE(); count = ReadAcquire(&KphpDriverUnloadProtectionRef.Count); return count; } /** * \brief Strips the process and thread allowed masks from a protected process. * * \details Callers may only strip allowed masks. In other words, callers may * only make the protection more restrictive. * * \param[in] Process The protected process to strip the masks from. * \param[in] ProcessAllowedMask The process allowed mask to strip. * \param[in] ThreadAllowedMask The thread allowed mask to strip. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpStripProtectedProcessMasks( _In_ PKPH_PROCESS_CONTEXT Process, _In_ ACCESS_MASK ProcessAllowedMask, _In_ ACCESS_MASK ThreadAllowedMask ) { NTSTATUS status; PKPH_DYN dyn; KPH_ENUM_FOR_PROTECTION context; ACCESS_MASK prevProcessAllowedMask; ACCESS_MASK prevThreadAllowedMask; KPH_PAGED_CODE_PASSIVE(); dyn = KphReferenceDynData(); if (!dyn) { return STATUS_NOINTERFACE; } KphAcquireRWLockExclusive(&Process->ProtectionLock); if (!Process->Protected) { status = STATUS_INVALID_PARAMETER; goto Exit; } prevProcessAllowedMask = Process->ProcessAllowedMask; prevThreadAllowedMask = Process->ThreadAllowedMask; Process->ProcessAllowedMask &= ~ProcessAllowedMask; Process->ThreadAllowedMask &= ~ThreadAllowedMask; KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "Modifying protected process %wZ (%lu) allowed masks, " "process: 0x%08x -> 0x%08x, " "thread: 0x%08x -> 0x%08x", &Process->ImageName, HandleToULong(Process->ProcessId), prevProcessAllowedMask, Process->ProcessAllowedMask, prevThreadAllowedMask, Process->ThreadAllowedMask); if ((Process->ProcessAllowedMask == prevProcessAllowedMask) && (Process->ThreadAllowedMask == prevThreadAllowedMask)) { status = STATUS_SUCCESS; goto Exit; } context.Dyn = dyn; context.Status = STATUS_SUCCESS; context.Process = Process; KphEnumerateProcessContexts(KphpEnumProcessContextsForProtection, &context); status = context.Status; if (!NT_SUCCESS(status)) { Process->ProcessAllowedMask = prevProcessAllowedMask; Process->ThreadAllowedMask = prevThreadAllowedMask; } Exit: KphReleaseRWLock(&Process->ProtectionLock); KphDereferenceObject(dyn); return status; } /** * \brief Strips the process and thread allowed masks from a protected process. * * \details Callers may only strip allowed masks. In other words, callers may * only make the protection more restrictive. * * \param[in] ProcessHandle A handle to a process to strip the masks from. * \param[in] ProcessAllowedMask The process allowed mask to strip. * \param[in] ThreadAllowedMask The thread allowed mask to strip. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphStripProtectedProcessMasks( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK ProcessAllowedMask, _In_ ACCESS_MASK ThreadAllowedMask, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS processObject; PKPH_PROCESS_CONTEXT processContext; KPH_PAGED_CODE_PASSIVE(); processContext = NULL; status = ObReferenceObjectByHandle(ProcessHandle, PROCESS_SET_INFORMATION, *PsProcessType, AccessMode, &processObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "ObReferenceObjectByHandle failed: %!STATUS!", status); processObject = NULL; goto Exit; } processContext = KphGetEProcessContext(processObject); if (!processContext) { KphTracePrint(TRACE_LEVEL_VERBOSE, PROTECTION, "KphGetEProcessContext failed"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphpStripProtectedProcessMasks(processContext, ProcessAllowedMask, ThreadAllowedMask); Exit: if (processContext) { KphDereferenceObject(processContext); } if (processObject) { ObDereferenceObject(processObject); } return status; } /** * \brief Initializes the protection infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeProtection( VOID ) { KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); typeInfo.Allocate = KphpAllocateImageLoadApc; typeInfo.Initialize = KphpInitializeImageLoadApc; typeInfo.Delete = KphpDeleteImageLoadApc; typeInfo.Free = KphpFreeImageLoadApc; typeInfo.Flags = 0; KphCreateObjectType(&KphpImageLoadApcTypeName, &typeInfo, &KphpImageLoadApcType); } ================================================ FILE: KSystemInformer/ratelmt.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025-2026 * */ #include #include // // Time granularity for rate limiter timestamps (100-nano units per tick). // 10,000,000 / 100 = 100 ms granularity. // 2^32 * 100 ms ~= 13.62 years before rollover. // 100 ms granularity provides a good balance of fill frequency and rollover. // #define KPH_RATE_LIMIT_SEC_MULT (100) #define KPH_RATE_LIMIT_TIME_UNIT (10000000 / KPH_RATE_LIMIT_SEC_MULT) #define KPH_RATE_LIMIT_ROLL_CHECK (86400 * KPH_RATE_LIMIT_SEC_MULT) /** * \brief Initializes a rate limit. * * \param[in] Policy The rate limit policy to use. * \param[in] TimeStamp The current time stamp. * \param[in] RateLimit Receives the initialized rate limit. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphInitializeRateLimit( _In_ PCKPH_RATE_LIMIT_POLICY Policy, _In_ PLARGE_INTEGER TimeStamp, _Out_ PKPH_RATE_LIMIT RateLimit ) { KPH_RATE_BUCKET bucket; KPH_NPAGED_CODE_DISPATCH_MAX(); bucket.CurrentTokens = Policy->MaxBucketSize; bucket.LastRefillTime = (ULONG)(TimeStamp->QuadPart / KPH_RATE_LIMIT_TIME_UNIT); RtlZeroMemory(RateLimit, sizeof(KPH_RATE_LIMIT)); WriteNoFence64(&RateLimit->Bucket.Quad, bucket.Quad); RtlCopyMemory(&RateLimit->Policy, Policy, sizeof(KPH_RATE_LIMIT_POLICY)); } /** * \brief Consumes a token from the rate limit. * * \param[in] RateLimit The rate limit to consume a token from. * \param[in] TimeStamp The current time stamp. * * \return TRUE if a token was consumed, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) BOOLEAN KphRateLimitConsumeToken( _Inout_ PKPH_RATE_LIMIT RateLimit, _In_ PLARGE_INTEGER TimeStamp ) { KPH_RATE_BUCKET oldBucket; KPH_RATE_BUCKET newBucket; ULONG currentTime; ULONG elapsedTime; ULONG64 tokensToAdd; BOOLEAN allowed; LONG64 expected; KPH_NPAGED_CODE_DISPATCH_MAX(); // // KPH_RATE_LIMIT_UNLIMITED // if ((RateLimit->Policy.TokensPerPeriod == ULONG_MAX) || (RateLimit->Policy.MaxBucketSize == ULONG_MAX)) { InterlockedIncrementNoFence64(&RateLimit->Allowed); return TRUE; } // // KPH_RATE_LIMIT_DENY_ALL // if ((RateLimit->Policy.TokensPerPeriod == 0) || (RateLimit->Policy.PeriodInSeconds == 0) || (RateLimit->Policy.MaxBucketSize == 0)) { InterlockedIncrementNoFence64(&RateLimit->Dropped); return FALSE; } currentTime = (ULONG)(TimeStamp->QuadPart / KPH_RATE_LIMIT_TIME_UNIT); oldBucket.Quad = ReadNoFence64(&RateLimit->Bucket.Quad); for (;;) { newBucket.Quad = oldBucket.Quad; if (newBucket.LastRefillTime > currentTime) { if ((newBucket.LastRefillTime - currentTime) > KPH_RATE_LIMIT_ROLL_CHECK) { newBucket.CurrentTokens = RateLimit->Policy.MaxBucketSize; newBucket.LastRefillTime = currentTime; } goto ConsumeToken; } elapsedTime = (currentTime - newBucket.LastRefillTime); tokensToAdd = ((ULONG64)elapsedTime * RateLimit->Policy.TokensPerPeriod); tokensToAdd /= ((ULONG64)RateLimit->Policy.PeriodInSeconds * KPH_RATE_LIMIT_SEC_MULT); if (tokensToAdd == 0) { goto ConsumeToken; } if ((tokensToAdd >= RateLimit->Policy.MaxBucketSize) || (tokensToAdd > (RateLimit->Policy.MaxBucketSize - newBucket.CurrentTokens))) { newBucket.CurrentTokens = RateLimit->Policy.MaxBucketSize; } else { newBucket.CurrentTokens = (newBucket.CurrentTokens + (ULONG)tokensToAdd); } newBucket.LastRefillTime = currentTime; ConsumeToken: if (newBucket.CurrentTokens > 0) { newBucket.CurrentTokens--; allowed = TRUE; } else { allowed = FALSE; } expected = oldBucket.Quad; oldBucket.Quad = InterlockedCompareExchange64(&RateLimit->Bucket.Quad, newBucket.Quad, expected); if (oldBucket.Quad != expected) { InterlockedIncrementNoFence64(&RateLimit->CasMiss); continue; } if (allowed) { InterlockedIncrementNoFence64(&RateLimit->Allowed); return TRUE; } else { InterlockedIncrementNoFence64(&RateLimit->Dropped); return FALSE; } } } ================================================ FILE: KSystemInformer/resource.rc ================================================ // Microsoft Visual C++ generated resource script. // #pragma code_page(65001) #include #include #define VER_FILEVERSION 4,0,0,0 #define VER_FILEVERSION_STR "4.0.0\0" #define VER_PRODUCTVERSION VER_FILEVERSION #define VER_PRODUCTVERSION_STR VER_FILEVERSION_STR #if DEBUG #define VER_DEBUG VS_FF_DEBUG #define VER_PRERELEASE VS_FF_PRERELEASE #define VER_PRIVATE VS_FF_PRIVATEBUILD #else #define VER_DEBUG 0 #define VER_PRERELEASE 0 #define VER_PRIVATE 0 #endif #define VER_FILEFLAGSMASK VS_FFI_FILEFLAGSMASK #define VER_FILEFLAGS (VER_PRERELEASE | VER_DEBUG | VER_PRIVATE) #define VER_FILEOS VOS_NT_WINDOWS32 #define VER_FILETYPE VFT_DRV #define VER_FILESUBTYPE VFT2_DRV_SYSTEM #define VER_COMPANYNAME_STR "System Informer\0" #define VER_FILEDESCRIPTION_STR "System Informer\0" #define VER_LEGALCOPYRIGHT_STR "Copyright (c) Winsider Seminars & Solutions, Inc. All rights reserved.\0" #define VER_ORIGINALFILENAME_STR "SystemInformer.sys\0" #define VER_INTERNALNAME_STR "SystemInformer.sys\0" #define VER_PRODUCTNAME_STR "System Informer\0" #if !defined(DEFAULT_VERSIONINFO) VS_VERSION_INFO VERSIONINFO FILEVERSION VER_FILEVERSION PRODUCTVERSION VER_PRODUCTVERSION FILEFLAGSMASK VER_FILEFLAGSMASK FILEFLAGS VER_FILEFLAGS FILEOS VER_FILEOS FILETYPE VER_FILETYPE FILESUBTYPE VER_FILESUBTYPE BEGIN BLOCK "StringFileInfo" BEGIN BLOCK "040904E4" BEGIN VALUE "CompanyName", VER_COMPANYNAME_STR VALUE "FileDescription", VER_FILEDESCRIPTION_STR VALUE "FileVersion", VER_FILEVERSION_STR VALUE "InternalName", VER_INTERNALNAME_STR VALUE "LegalCopyright", VER_LEGALCOPYRIGHT_STR VALUE "OriginalFilename", VER_ORIGINALFILENAME_STR VALUE "ProductName", VER_PRODUCTNAME_STR VALUE "ProductVersion", VER_PRODUCTVERSION_STR END END BLOCK "VarFileInfo" BEGIN VALUE "Translation", 0x409, 1252 END END #else #include #include "common.ver" #endif ================================================ FILE: KSystemInformer/ringbuff.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025-2026 * */ #include #include KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpRingBufferType = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpRingBufferTypeName = RTL_CONSTANT_STRING(L"KphRingBuffer"); KPH_PROTECTED_DATA_SECTION_RO_POP(); /** * \brief Reserves a ring buffer entry. * * \details This routine reserves space in the ring buffer to be written to. On * a successful call to this routine the returned buffer is marked busy and the * caller must commit the buffer with KphCommitRingBuffer or discard it with * KphDiscardRingBuffer. * * \param[in] Ring Pointer to a buffer object. * \param[in] Length The length of the buffer to reserve. * * \return Reserved buffer, null on failure. */ _Return_allocatesMem_size_(Length) PVOID KphReserveRingBuffer( _In_ PKPH_RING_BUFFER Ring, _In_ ULONG Length ) { PVOID buffer; KIRQL previousIrql; KLOCK_QUEUE_HANDLE lockHandle; ULONG consumerPos; ULONG producerPos; ULONG remainingLength; ULONG requiredLength; ULONG alignment; PKPH_RING_HEADER headerPointer; KPH_RING_HEADER header; // // Maximum reserve accounts for the maximum encoded length bits, additional // headers, and any necessary alignment. // if (Length > KPH_RING_BUFFER_RESERVE_MAX) { return NULL; } buffer = NULL; previousIrql = KeGetCurrentIrql(); if (previousIrql >= DISPATCH_LEVEL) { KeAcquireInStackQueuedSpinLockAtDpcLevel(&Ring->ProducerLock, &lockHandle); } else { KeAcquireInStackQueuedSpinLock(&Ring->ProducerLock, &lockHandle); } consumerPos = ReadULongAcquire(Ring->ConsumerPos); producerPos = ReadULongNoFence(Ring->ProducerPos); if (producerPos >= consumerPos) { remainingLength = (Ring->Length - producerPos); } else { // // Producer position wrapped. // remainingLength = (consumerPos - producerPos); } if (!NT_VERIFY(remainingLength <= Ring->Length)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Ring buffer position overflow: %lu %lu %lu", producerPos, consumerPos, Ring->Length); goto Exit; } requiredLength = (Length + KPH_RING_BUFFER_HEADER_SIZE); requiredLength = ALIGN_UP_BY(requiredLength, MEMORY_ALLOCATION_ALIGNMENT); alignment = (requiredLength - Length - KPH_RING_BUFFER_HEADER_SIZE); // // Always reserve an extra header for the reset marker. // requiredLength += KPH_RING_BUFFER_HEADER_SIZE; if (requiredLength > remainingLength) { if ((producerPos < consumerPos) || (requiredLength > consumerPos)) { // // Ring buffer exhausted. // goto Exit; } // // There is sufficient space to wrap, do so now. // if (!NT_VERIFY(remainingLength >= KPH_RING_BUFFER_HEADER_SIZE)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Ring buffer accounting failure: %lu %lu %lu", producerPos, consumerPos, Ring->Length); goto Exit; } headerPointer = Add2Ptr(Ring->Buffer, producerPos); header.Value = 0; header.Reset = TRUE; WriteULong64Release(&headerPointer->Value, header.Value); producerPos = 0; } headerPointer = Add2Ptr(Ring->Buffer, producerPos); buffer = Add2Ptr(headerPointer, KPH_RING_BUFFER_HEADER_SIZE); header.Value = 0; header.Length = Length; header.Busy = TRUE; header.Alignment = alignment; producerPos += (requiredLength - KPH_RING_BUFFER_HEADER_SIZE); // // Sync with the consumer. // WriteULong64Release(&headerPointer->Value, header.Value); WriteULongRelease(Ring->ProducerPos, producerPos); Exit: if (previousIrql >= DISPATCH_LEVEL) { KeReleaseInStackQueuedSpinLockFromDpcLevel(&lockHandle); } else { KeReleaseInStackQueuedSpinLock(&lockHandle); } return buffer; } /** * \brief Helper routine to submits a previously reserved ring buffer entry. * * \param[in] Ring Pointer to a ring buffer object. * \param[in] Buffer Pointer to the buffer to submit. * \param[in] Discard If TRUE the buffer is discarded, if FALSE is it committed. */ VOID KphpSubmitRingBuffer( _In_ PKPH_RING_BUFFER Ring, _In_aliasesMem_ PVOID Buffer, _In_ BOOLEAN Discard ) { PKPH_RING_HEADER headerPointer; KPH_RING_HEADER header; headerPointer = Add2Ptr(Buffer, -KPH_RING_BUFFER_HEADER_SIZE); header.Value = ReadULong64NoFence(&headerPointer->Value); header.Busy = FALSE; header.Discard = !!Discard; WriteULong64Release(&headerPointer->Value, header.Value); if (Ring->Event && !ReadULongAcquire(Ring->ConsumerProcessing)) { KeSetEvent(Ring->Event, EVENT_INCREMENT, FALSE); } } /** * \brief Commits a previously reserved ring buffer entry. * * \details After this call the busy ring buffer entry is made available for * for the consumer to process. * * \param[in] Ring Pointer to a ring buffer object. * \param[in] Buffer Pointer to the buffer to commit, previously returned from * KphReserveRingBuffer. */ VOID KphCommitRingBuffer( _In_ PKPH_RING_BUFFER Ring, _In_freesMem_ PVOID Buffer ) { KphpSubmitRingBuffer(Ring, Buffer, FALSE); } /** * \brief Discards a previously reserved ring buffer entry. * * \details After this call the busy ring buffer entry is marked as discarded * the consumer should skip over it when processing the ring buffer. * * \param[in] Ring Pointer to a ring buffer object. * \param[in] Buffer Pointer to the buffer to discard, previously returned from * KphReserveRingBuffer. */ VOID KphDiscardRingBuffer( _In_ PKPH_RING_BUFFER Ring, _In_freesMem_ PVOID Buffer ) { KphpSubmitRingBuffer(Ring, Buffer, TRUE); } KPH_PAGED_FILE(); /** * \brief Creates a ring buffer section. * * \details The section is created in a way that restricts read or write access * to the ring buffer section by user mode. Kernel mode is always permitted to * read or write to the section. The kernel mapping is locked in the system * virtual address space. This routine does not map the section into user mode. * It does provide the section object to be mapped to user mode by the caller. * The method for creating the sections ensures appropriate memory protection is * applied to the related section objects and that an eventual mapping into * user mode can be paged out if necessary. * * \param[in] Section Pointer to a ring buffer section to populate. * \param[in] Length The length of the ring buffer section. * \param[in] PageProtection The page protection for the ring buffer section. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpCreateRingBufferSection( _Out_ PKPH_RING_SECTION Section, _In_ ULONG Length, _In_ ULONG PageProtection ) { NTSTATUS status; ULONG sectionAccess; LARGE_INTEGER maximumSize; SIZE_T viewSize; PVOID kernelMappedBase; KPH_PAGED_CODE_PASSIVE(); kernelMappedBase = NULL; if (PageProtection == PAGE_READONLY) { sectionAccess = SECTION_MAP_READ; } else if (PageProtection == PAGE_READWRITE) { sectionAccess = SECTION_MAP_READ | SECTION_MAP_WRITE; } else { status = STATUS_INVALID_PARAMETER; goto Exit; } maximumSize.QuadPart = Length; status = MmCreateSection(&Section->SectionObject, sectionAccess, NULL, &maximumSize, PageProtection, SEC_COMMIT, NULL, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmCreateSection failed: %!STATUS!", status); Section->SectionObject = NULL; goto Exit; } kernelMappedBase = NULL; viewSize = 0; status = MmMapViewInSystemSpace(Section->SectionObject, &kernelMappedBase, &viewSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmMapViewInSystemSpace failed: %!STATUS!", status); kernelMappedBase = NULL; goto Exit; } NT_ASSERT((viewSize >= Length) && (viewSize <= ULONG_MAX)); Section->Mdl = IoAllocateMdl(kernelMappedBase, (ULONG)viewSize, FALSE, FALSE, NULL); if (!Section->Mdl) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "IoAllocateMdl failed"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { MmProbeAndLockPages(Section->Mdl, KernelMode, IoReadAccess); } __except (EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl(Section->Mdl); Section->Mdl = NULL; status = GetExceptionCode(); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmProbeAndLockPages failed: %!STATUS!", status); goto Exit; } Section->KernelBase = KphGetSystemAddressForMdl(Section->Mdl, NormalPagePriority); if (!Section->KernelBase) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmGetSystemAddressForMdlSafe failed"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(Section->KernelBase, viewSize); status = STATUS_SUCCESS; Exit: if (kernelMappedBase) { MmUnmapViewInSystemSpace(kernelMappedBase); } return status; } /** * \brief Deletes a ring buffer section. * * \param[in] Section Pointer to a ring buffer section to delete. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphpDeleteRingBufferSection( _In_ PKPH_RING_SECTION Section ) { KPH_PAGED_CODE_PASSIVE(); if (Section->Mdl) { MmUnlockPages(Section->Mdl); IoFreeMdl(Section->Mdl); } if (Section->SectionObject) { ObDereferenceObject(Section->SectionObject); } } /** * \brief Allocates a ring buffer object. * * \param[in] Size The size of the ring buffer object to allocate. * * \return Allocated ring buffer object, null on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateRingBuffer( _In_ SIZE_T Size ) { KPH_PAGED_CODE_PASSIVE(); return KphAllocateNPaged(Size, KPH_TAG_RING_BUFFER); } /** * \brief Deletes a ring buffer object. * * \param[in,out] Object Pointer to a ring buffer object to delete. */ _Function_class_(KPH_TYPE_DELETE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpDeleteRingBuffer( _Inout_ PVOID Object ) { PKPH_RING_BUFFER ring; KPH_PAGED_CODE_PASSIVE(); ring = Object; KphpDeleteRingBufferSection(&ring->ProducerSection); KphpDeleteRingBufferSection(&ring->ConsumerSection); if (ring->Event) { ObDereferenceObject(ring->Event); } ObDereferenceObject(ring->Process); } /** * \brief Frees a ring buffer object. * * \param[in] Object Pointer to a ring buffer object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) VOID KSIAPI KphpFreeRingBuffer( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE_PASSIVE(); KphFree(Object, KPH_TAG_RING_BUFFER); } /** * \brief Creates a ring buffer object. * * \details This ring buffer is a multiple-producer single-consumer ring buffer. * The producer (kernel mode) populates to the ring buffer and single consumer * (in user mode) processes the data written to the buffer. The producer may * reserve, write, and commit to the ring buffer from an arbitrary thread. * * \param[out] Ring Receives the ring buffer object. * \param[out] User Receives the user mode ring buffer information. * \param[in] Length Desired length of the ring buffer. * \param[in] Event Optional event object to an event to signal when new data is * committed and the consumer was previously caught up with processing. Must be * an ExEventObjectType as a reference is taken to the object. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCreateRingBuffer( _Out_ PKPH_RING_BUFFER* Ring, _Out_ PKPH_RING_BUFFER_USER User, _In_ ULONG Length, _In_opt_ PKEVENT Event, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_RING_BUFFER ring; PVOID userProducerBase; PVOID userConsumerBase; ULONG sectionLength; ULONG roundedLength; ULONG bufferLength; PKPH_RING_PRODUCER_BLOCK producer; PKPH_RING_CONSUMER_BLOCK consumer; LARGE_INTEGER sectionOffset; SIZE_T viewSize; KPH_PAGED_CODE_PASSIVE(); *Ring = NULL; ring = NULL; userProducerBase = NULL; userConsumerBase = NULL; if (Event && (ObGetObjectType(Event) != *ExEventObjectType)) { status = STATUS_INVALID_PARAMETER; goto Exit; } status = KphZeroModeMemory(User, sizeof(KPH_RING_BUFFER_USER), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = RtlULongAdd(Length, FIELD_OFFSET(KPH_RING_PRODUCER_BLOCK, Buffer), §ionLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "RtlULongAdd failed: %!STATUS!", status); goto Exit; } roundedLength = ROUND_TO_PAGES(sectionLength); if (roundedLength < sectionLength) { status = STATUS_INTEGER_OVERFLOW; goto Exit; } sectionLength = roundedLength; bufferLength = sectionLength; bufferLength -= FIELD_OFFSET(KPH_RING_PRODUCER_BLOCK, Buffer); status = KphCreateObject(KphpRingBufferType, sizeof(KPH_RING_BUFFER), &ring, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCreateObject failed: %!STATUS!", status); goto Exit; } ring->Process = PsGetCurrentProcess(); ObReferenceObject(ring->Process); KeInitializeSpinLock(&ring->ProducerLock); if (Event) { ring->Event = Event; ObReferenceObject(ring->Event); } status = KphpCreateRingBufferSection(&ring->ProducerSection, sectionLength, PAGE_READONLY); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpCreateRingBufferSection failed: %!STATUS!", status); goto Exit; } status = KphpCreateRingBufferSection(&ring->ConsumerSection, sizeof(KPH_RING_CONSUMER_BLOCK), PAGE_READWRITE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpCreateRingBufferSection failed: %!STATUS!", status); goto Exit; } producer = ring->ProducerSection.KernelBase; consumer = ring->ConsumerSection.KernelBase; producer->Length = bufferLength; ring->ProducerPos = &producer->Position; ring->ConsumerPos = &consumer->Position; ring->ConsumerProcessing = &consumer->Processing; ring->Length = bufferLength; ring->Buffer = producer->Buffer; // // Set up the user mode portion of the ring buffer. // sectionOffset.QuadPart = 0; viewSize = 0; status = MmMapViewOfSection(ring->ProducerSection.SectionObject, PsGetCurrentProcess(), &userProducerBase, 0, 0, §ionOffset, &viewSize, ViewUnmap, 0, PAGE_READONLY); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmMapViewOfSection failed: %!STATUS!", status); userProducerBase = NULL; goto Exit; } sectionOffset.QuadPart = 0; viewSize = 0; status = MmMapViewOfSection(ring->ConsumerSection.SectionObject, PsGetCurrentProcess(), &userConsumerBase, 0, 0, §ionOffset, &viewSize, ViewUnmap, 0, PAGE_READWRITE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "MmMapViewOfSection failed: %!STATUS!", status); userConsumerBase = NULL; goto Exit; } status = KphWritePointerToMode(&User->Consumer, userConsumerBase, AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } status = KphWritePointerToMode(&User->Producer, userProducerBase, AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } userProducerBase = NULL; userConsumerBase = NULL; *Ring = ring; ring = NULL; status = STATUS_SUCCESS; Exit: if (userConsumerBase) { MmUnmapViewOfSection(PsGetCurrentProcess(), userConsumerBase); } if (userProducerBase) { MmUnmapViewOfSection(PsGetCurrentProcess(), userProducerBase); } if (ring) { KphDereferenceObject(ring); } return status; } /** * \brief Initializes the ring buffer infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeRingBuffer( VOID ) { KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); typeInfo.Allocate = KphpAllocateRingBuffer; typeInfo.Initialize = NULL; typeInfo.Delete = KphpDeleteRingBuffer; typeInfo.Free = KphpFreeRingBuffer; typeInfo.Flags = 0; KphCreateObjectType(&KphpRingBufferTypeName, &typeInfo, &KphpRingBufferType); } ================================================ FILE: KSystemInformer/session_token.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include #include typedef struct _KPH_SESSION_TOKEN_INIT { LARGE_INTEGER Expiry; ULONG Privileges; LONG Uses; } KPH_SESSION_TOKEN_INIT, *PKPH_SESSION_TOKEN_INIT; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const UNICODE_STRING KphpSessionTokenTypeName = RTL_CONSTANT_STRING(L"KphSessionToken"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static PKPH_OBJECT_TYPE KphpSessionTokenType = NULL; KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Allocate a session token object. * * \param[in] Size The size of the object to allocate. * * \return A pointer to the allocated object, NULL on failure. */ _Function_class_(KPH_TYPE_ALLOCATE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) _Return_allocatesMem_size_(Size) PVOID KSIAPI KphpAllocateSessionToken( _In_ SIZE_T Size ) { KPH_PAGED_CODE(); // // N.B. The session token object is allocated from non-paged pool because it // is stored in an atomic object reference in process and thread contexts. // return KphAllocateNPaged(Size, KPH_TAG_SESSION_TOKEN_OBJECT); } /** * \brief Free a session token object. * * \param[in] Object The session token object to free. */ _Function_class_(KPH_TYPE_FREE_PROCEDURE) _IRQL_requires_max_(APC_LEVEL) VOID KSIAPI KphpFreeSessionToken( _In_freesMem_ PVOID Object ) { KPH_PAGED_CODE(); KphFree(Object, KPH_TAG_SESSION_TOKEN_OBJECT); } /** * \brief Initialize a session token object. * * \param[in] Object The session token object to initialize. * \param[in] Parameter The session token object initialization parameters. * * \return Successful or errant status. */ _Function_class_(KPH_TYPE_INITIALIZE_PROCEDURE) _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KSIAPI KphpInitializeSessionToken( _Inout_ PVOID Object, _In_opt_ PVOID Parameter ) { NTSTATUS status; PKPH_SESSION_TOKEN token; PKPH_SESSION_TOKEN_INIT init; KPH_PAGED_CODE_PASSIVE(); NT_ASSERT(Parameter); token = Object; init = Parameter; status = ExUuidCreate(&token->AccessToken.Identifier); if (status != STATUS_SUCCESS) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ExUuidCreate failed: %!STATUS!", status); if (NT_SUCCESS(status)) { status = STATUS_UNSUCCESSFUL; } return status; } status = BCryptGenRandom(NULL, token->AccessToken.Material, sizeof(token->AccessToken.Material), BCRYPT_USE_SYSTEM_PREFERRED_RNG); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "BCryptGenRandom failed: %!STATUS!", status); return status; } if (init->Expiry.QuadPart < 0) { KeQuerySystemTime(&token->AccessToken.Expiry); token->AccessToken.Expiry.QuadPart += -(init->Expiry.QuadPart); } else { token->AccessToken.Expiry = init->Expiry; } token->AccessToken.Privileges = init->Privileges; token->AccessToken.Uses = init->Uses; WriteNoFence(&token->UseCount, 0); return STATUS_SUCCESS; } /** * \brief Requests an access session token. * * \details After a request for an access session token has been made, the * current thread is responsible for assigning the session token to a process * or thread later by providing the signature for the access session token * content. * * \param[out] AccessToken Populated with the access session token. * \param[in] Expiry The expiry time of the session token. * \param[in] Privileges The privileges of the session token. * \param[in] Uses The number of uses of the session token. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphRequestSessionAccessToken( _Out_ PKPH_SESSION_ACCESS_TOKEN AccessToken, _In_ PLARGE_INTEGER Expiry, _In_ ULONG Privileges, _In_ LONG Uses ) { NTSTATUS status; PKPH_THREAD_CONTEXT thread; KPH_SESSION_TOKEN_INIT tokenInit; PKPH_SESSION_TOKEN token; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(AccessToken, sizeof(KPH_SESSION_ACCESS_TOKEN)); thread = NULL; token = NULL; if (!Privileges || (Privileges & ~KPH_TOKEN_VALID_PRIVILEGES)) { status = STATUS_INVALID_PARAMETER; goto Exit; } thread = KphGetCurrentThreadContext(); if (!thread) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } tokenInit.Expiry = *Expiry; tokenInit.Privileges = Privileges; tokenInit.Uses = Uses; status = KphCreateObject(KphpSessionTokenType, sizeof(KPH_SESSION_TOKEN), &token, &tokenInit); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCreateObject failed: %!STATUS!", status); goto Exit; } RtlCopyMemory(AccessToken, &token->AccessToken, sizeof(KPH_SESSION_ACCESS_TOKEN)); KphAtomicAssignObjectReference(&thread->RequestSessionToken.Atomic, token); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "[%!GUID!] %!TIME! %ld", &token->AccessToken.Identifier, token->AccessToken.Expiry.QuadPart, token->AccessToken.Uses); Exit: if (token) { KphDereferenceObject(token); } if (thread) { KphDereferenceObject(thread); } return status; } /** * \brief Verifies an access session token. * * \param[in] Actor The actor process setting the session token. * \param[in] Target The target process receiving the session token. * \param[in] Token The session token to verify. * \param[in] Signature The signature of the session token. * \param[in] SignatureLength The length of the signature. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpVerifySessionToken( _In_ PKPH_PROCESS_CONTEXT Actor, _In_ PKPH_PROCESS_CONTEXT Target, _In_ PKPH_SESSION_TOKEN Token, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_DYN dyn; PBYTE signature; KPH_PAGED_CODE_PASSIVE(); signature = NULL; dyn = NULL; dyn = KphReferenceDynData(); if (!dyn || !dyn->SessionTokenPublicKeyHandle) { status = STATUS_NOINTERFACE; goto Exit; } if (AccessMode != KernelMode) { signature = KphAllocatePaged(SignatureLength, KPH_TAG_SESSION_TOKEN_SIGNATURE); if (!signature) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate signature buffer."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(signature, Signature, SignatureLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } else { signature = Signature; } status = KphVerifyBufferEx(dyn->SessionTokenPublicKeyHandle, (PBYTE)&Token->AccessToken, sizeof(Token->AccessToken), signature, SignatureLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphVerifyBufferEx failed: %!STATUS!", status); goto Exit; } if (!KphTestProcessContextState(Actor, KPH_PROCESS_STATE_MAXIMUM) || !KphTestProcessContextState(Target, KPH_PROCESS_STATE_MAXIMUM)) { status = STATUS_ACCESS_DENIED; goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "[%!GUID!] %!TIME! %ld", &Token->AccessToken.Identifier, Token->AccessToken.Expiry.QuadPart, Token->AccessToken.Uses); status = STATUS_SUCCESS; Exit: if (dyn) { KphDereferenceObject(dyn); } if (signature && (signature != Signature)) { KphFree(signature, KPH_TAG_SESSION_TOKEN_SIGNATURE); } return status; } /** * \brief Assigns an access session token to a process. * * \param[in] Process The process to assign the session token to. * \param[in] Signature The signature of the session token. * \param[in] SignatureLength The length of the signature. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpAssignProcessSessionToken( _Inout_ PKPH_PROCESS_CONTEXT Process, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_THREAD_CONTEXT actor; PKPH_SESSION_TOKEN token; KPH_PAGED_CODE_PASSIVE(); token = NULL; actor = KphGetCurrentThreadContext(); if (!actor) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } token = KphAtomicMoveObjectReference(&actor->RequestSessionToken.Atomic, NULL); if (!token) { status = STATUS_INVALID_STATE_TRANSITION; goto Exit; } if (!actor->ProcessContext) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphpVerifySessionToken(actor->ProcessContext, Process, token, Signature, SignatureLength, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpVerifyToken failed: %!STATUS!", status); goto Exit; } KphAtomicAssignObjectReference(&Process->SessionToken.Atomic, token); status = STATUS_SUCCESS; Exit: if (token) { KphDereferenceObject(token); } if (actor) { KphDereferenceObject(actor); } return status; } /** * \brief Assigns an access session token to a process. * * \param[in] ProcessHandle Handle to the process to assign the session token. * \param[in] Signature The signature of the session token. * \param[in] SignatureLength The length of the signature. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphAssignProcessSessionToken( _In_ HANDLE ProcessHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PEPROCESS processObject; PKPH_PROCESS_CONTEXT processContext; KPH_PAGED_CODE_PASSIVE(); processObject = NULL; processContext = NULL; if (!Signature || !SignatureLength) { status = STATUS_INVALID_PARAMETER; goto Exit; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &processObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); processObject = NULL; goto Exit; } processContext = KphGetEProcessContext(processObject); if (!processContext) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphpAssignProcessSessionToken(processContext, Signature, SignatureLength, AccessMode); Exit: if (processContext) { KphDereferenceObject(processContext); } if (processObject) { ObDereferenceObject(processObject); } return status; } /** * \brief Assigns an access session token to a thread. * * \param[in] Thread The thread to assign the session token to. * \param[in] Signature The signature of the session token. * \param[in] SignatureLength The length of the signature. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpAssignThreadSessionToken( _Inout_ PKPH_THREAD_CONTEXT Thread, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_THREAD_CONTEXT actor; PKPH_SESSION_TOKEN token; KPH_PAGED_CODE_PASSIVE(); actor = NULL; token = NULL; actor = KphGetCurrentThreadContext(); if (!actor) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } token = KphAtomicMoveObjectReference(&actor->RequestSessionToken.Atomic, NULL); if (!token) { status = STATUS_INVALID_STATE_TRANSITION; goto Exit; } if (!actor->ProcessContext || !Thread->ProcessContext) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphpVerifySessionToken(actor->ProcessContext, Thread->ProcessContext, token, Signature, SignatureLength, AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphpVerifyToken failed: %!STATUS!", status); goto Exit; } KphAtomicAssignObjectReference(&Thread->SessionToken.Atomic, token); status = STATUS_SUCCESS; Exit: if (token) { KphDereferenceObject(token); } if (actor) { KphDereferenceObject(actor); } return status; } /** * \brief Assigns an access session token to a thread. * * \param[in] ThreadHandle Handle to the thread to assign the session token. * \param[in] Signature The signature of the session token. * \param[in] SignatureLength The length of the signature. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphAssignThreadSessionToken( _In_ HANDLE ThreadHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PETHREAD threadObject; PKPH_THREAD_CONTEXT threadContext; KPH_PAGED_CODE_PASSIVE(); threadObject = NULL; threadContext = NULL; if (!Signature || !SignatureLength) { status = STATUS_INVALID_PARAMETER; goto Exit; } status = ObReferenceObjectByHandle(ThreadHandle, 0, *PsThreadType, AccessMode, &threadObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); threadObject = NULL; goto Exit; } threadContext = KphGetEThreadContext(threadObject); if (!threadContext) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphpAssignThreadSessionToken(threadContext, Signature, SignatureLength, AccessMode); Exit: if (threadContext) { KphDereferenceObject(threadContext); } if (threadObject) { ObDereferenceObject(threadObject); } return status; } /** * \brief Performs a session token privilege check. * * \param[in,out] Token The session token to perform the check on. * \param[in] Privileges The privileges to check. * * \return TRUE if the privilege is granted, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphpSessionTokenPrivilegeCheck( _Inout_ PKPH_SESSION_TOKEN Token, _In_ ULONG Privileges ) { NTSTATUS status; LARGE_INTEGER systemTime; LONG useCount; KPH_PAGED_CODE(); KeQuerySystemTime(&systemTime); useCount = ReadAcquire(&Token->UseCount); if (Token->AccessToken.Expiry.QuadPart <= systemTime.QuadPart) { status = STATUS_TIMEOUT; goto Exit; } if ((Token->AccessToken.Privileges & Privileges) != Privileges) { status = STATUS_PRIVILEGE_NOT_HELD; goto Exit; } if (Token->AccessToken.Uses < 0) { status = STATUS_SUCCESS; goto Exit; } for (;;) { LONG expected; if (useCount >= Token->AccessToken.Uses) { status = STATUS_QUOTA_EXCEEDED; goto Exit; } expected = useCount; useCount = InterlockedCompareExchange(&Token->UseCount, useCount + 1, expected); if (useCount == expected) { useCount++; status = STATUS_SUCCESS; break; } } Exit: KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "[%!GUID!] %!TIME! %ld/%ld %!STATUS!", &Token->AccessToken.Identifier, Token->AccessToken.Expiry.QuadPart, useCount, Token->AccessToken.Uses, status); return (status == STATUS_SUCCESS); } /** * \brief Performs a session token privilege check on a thread. * * \param[in] Thread The thread to perform the session token check on. * \param[in] Privileges The privileges to check. * * \return TRUE if the privilege is granted, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphpThreadSessionTokenPrivilegeCheck( _In_ PKPH_THREAD_CONTEXT Thread, _In_ ULONG Privileges ) { BOOLEAN result; PKPH_SESSION_TOKEN token; KPH_PAGED_CODE(); result = FALSE; token = KphAtomicReferenceObject(&Thread->SessionToken.Atomic); if (token) { result = KphpSessionTokenPrivilegeCheck(token, Privileges); KphDereferenceObject(token); } return result; } /** * \brief Performs a session token privilege check on a process. * * \param[in] Process The process to perform the session token check on. * \param[in] Privileges The privileges to check. * * \return TRUE if the privilege is granted, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphpProcessSessionTokenPrivilegeCheck( _In_ PKPH_PROCESS_CONTEXT Process, _In_ ULONG Privileges ) { BOOLEAN result; PKPH_SESSION_TOKEN token; KPH_PAGED_CODE(); result = FALSE; token = KphAtomicReferenceObject(&Process->SessionToken.Atomic); if (token) { result = KphpSessionTokenPrivilegeCheck(token, Privileges); KphDereferenceObject(token); } return result; } /** * \brief Performs a session token privilege check. * * \param[in] Thread The thread to perform the session token check on. * \param[in] Privileges The privileges to check. * * \return TRUE if the privilege is granted, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ BOOLEAN KphSessionTokenPrivilegeCheck( _In_ PKPH_THREAD_CONTEXT Thread, _In_ ULONG Privileges ) { KPH_PAGED_CODE(); if (KphpThreadSessionTokenPrivilegeCheck(Thread, Privileges)) { return TRUE; } if (!Thread->ProcessContext) { return FALSE; } return KphpProcessSessionTokenPrivilegeCheck(Thread->ProcessContext, Privileges); } /** * \brief Initialize the session token infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphInitializeSessionToken( VOID ) { KPH_OBJECT_TYPE_INFO typeInfo; KPH_PAGED_CODE_PASSIVE(); typeInfo.Allocate = KphpAllocateSessionToken; typeInfo.Initialize = KphpInitializeSessionToken; typeInfo.Delete = NULL; typeInfo.Free = KphpFreeSessionToken; typeInfo.Flags = 0; KphCreateObjectType(&KphpSessionTokenTypeName, &typeInfo, &KphpSessionTokenType); } ================================================ FILE: KSystemInformer/system.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Performs generic system control actions. * * \param[in] SystemControlClass System control classification. * \param[in] SystemControlInfo Control input buffer. * \param[in] SystemControlInfoLength Length of control input buffer. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSystemControl( _In_ KPH_SYSTEM_CONTROL_CLASS SystemControlClass, _In_reads_bytes_(SystemControlInfoLength) PVOID SystemControlInfo, _In_ ULONG SystemControlInfoLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; HANDLE processHandle; KPH_PAGED_CODE_PASSIVE(); UNREFERENCED_PARAMETER(SystemControlInfo); UNREFERENCED_PARAMETER(SystemControlInfoLength); UNREFERENCED_PARAMETER(AccessMode); processHandle = NULL; switch (SystemControlClass) { case KphSystemControlEmptyCompressionStore: { SYSTEM_STORE_INFORMATION storeInfo; SM_STORE_COMPRESSION_INFORMATION_REQUEST compressionInfo; CLIENT_ID clientId; OBJECT_ATTRIBUTES objectAttributes; QUOTA_LIMITS_EX quotaLimits; #ifdef _WIN64 C_ASSERT(sizeof(SYSTEM_STORE_INFORMATION) == 24); C_ASSERT(SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION_V1 == 3); C_ASSERT(SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V1 == 40); #endif RtlZeroMemory(&compressionInfo, sizeof(SM_STORE_COMPRESSION_INFORMATION_REQUEST)); compressionInfo.Version = SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION_V1; RtlZeroMemory(&storeInfo, sizeof(SYSTEM_STORE_INFORMATION)); storeInfo.Version = SYSTEM_STORE_INFORMATION_VERSION; storeInfo.StoreInformationClass = MemCompressionInfoRequest; storeInfo.Data = &compressionInfo; storeInfo.Length = SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V1; status = ZwQuerySystemInformation(SystemStoreInformation, &storeInfo, sizeof(SYSTEM_STORE_INFORMATION), NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwQuerySystemInformation failed: %!STATUS!", status); goto Exit; } if (compressionInfo.CompressionPid == 0) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Compression PID is zero"); status = STATUS_INVALID_CID; goto Exit; } InitializeObjectAttributes(&objectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); clientId.UniqueProcess = ULongToHandle(compressionInfo.CompressionPid); clientId.UniqueThread = NULL; status = ZwOpenProcess(&processHandle, PROCESS_SET_QUOTA, &objectAttributes, &clientId); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwOpenProcess failed: %!STATUS!", status); processHandle = NULL; goto Exit; } RtlZeroMemory("aLimits, sizeof(QUOTA_LIMITS_EX)); quotaLimits.MinimumWorkingSetSize = SIZE_T_MAX; quotaLimits.MaximumWorkingSetSize = SIZE_T_MAX; status = ZwSetInformationProcess(processHandle, ProcessQuotaLimits, "aLimits, sizeof(QUOTA_LIMITS_EX)); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwSetInformationProcess failed: %!STATUS!", status); } break; } default: { status = STATUS_INVALID_INFO_CLASS; goto Exit; } } Exit: if (processHandle) { ObCloseHandle(processHandle, KernelMode); } return status; } ================================================ FILE: KSystemInformer/thread.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2022-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Opens a thread. * * \param[out] ThreadHandle A variable which receives the thread handle. * \param[in] DesiredAccess The desired access to the thread. * \param[in] ClientId The identifier of a client. UniqueThread must be present. * If UniqueProcess is present, the process of the referenced thread will be * checked against this identifier. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; CLIENT_ID clientId; PETHREAD thread; HANDLE threadHandle = NULL; KPH_PAGED_CODE_PASSIVE(); thread = NULL; status = KphCopyFromMode(&clientId, ClientId, sizeof(CLIENT_ID), AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } // // Use the process ID if it was specified. // if (clientId.UniqueProcess) { status = PsLookupProcessThreadByCid(&clientId, NULL, &thread); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsLookupProcessThreadByCid failed: %!STATUS!", status); thread = NULL; goto Exit; } } else { status = PsLookupThreadByThreadId(clientId.UniqueThread, &thread); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "PsLookupThreadByThreadId failed: %!STATUS!", status); thread = NULL; goto Exit; } } if ((DesiredAccess & KPH_THREAD_READ_ACCESS) != DesiredAccess) { status = KphDominationCheck(PsGetCurrentProcess(), PsGetThreadProcess(thread), AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationCheck failed: %!STATUS!", status); goto Exit; } } // // Always open in KernelMode to skip access checks. // status = ObOpenObjectByPointer(thread, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *PsThreadType, KernelMode, &threadHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); threadHandle = NULL; goto Exit; } status = KphWriteHandleToMode(ThreadHandle, threadHandle, AccessMode); Exit: if (thread) { ObDereferenceObject(thread); } return status; } /** * \brief Opens the process of a thread. * * \param[in] ThreadHandle A handle to a thread. * \param[in] DesiredAccess The desired access to the process. * \param[out] ProcessHandle A variable which receives the process handle. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenThreadProcess( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE ProcessHandle, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PETHREAD thread; HANDLE processHandle; KPH_PAGED_CODE_PASSIVE(); status = ObReferenceObjectByHandle(ThreadHandle, 0, *PsThreadType, AccessMode, &thread, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); thread = NULL; goto Exit; } if ((DesiredAccess & KPH_PROCESS_READ_ACCESS) != DesiredAccess) { status = KphDominationCheck(PsGetCurrentProcess(), PsGetThreadProcess(thread), AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationCheck failed: %!STATUS!", status); goto Exit; } } // // Always open in KernelMode to skip access checks. // status = ObOpenObjectByPointer(PsGetThreadProcess(thread), (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, DesiredAccess, *PsProcessType, KernelMode, &processHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); processHandle = NULL; goto Exit; } status = KphWriteHandleToMode(ProcessHandle, processHandle, AccessMode); Exit: if (thread) { ObDereferenceObject(thread); } return status; } /** * \brief Captures the stack trace of a thread. * * \param[in] ThreadHandle A handle to the thread to capture the stack trace of. * \param[in] FramesToSkip The number of kernel frames to skip. * \param[in] FramesToCapture The number of frames to capture. * \param[out] BackTrace Buffer to store the back trace in. * \param[out] CapturedFrames Receives the number of captured frames. * \param[out] BackTraceHash Optionally receives a hash of the back trace. * \param[in] Flags A combination of KPH_STACK_BACK_TRACE_* flags. * \param[in] Timeout Optionally specifies a timeout for the capture operation. * * \return STATUS_SUCCES, STATUS_TIMEOUT, or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCaptureStackBackTraceThreadByHandle( _In_ HANDLE ThreadHandle, _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_ PULONG CapturedFrames, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER Timeout, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status = STATUS_SUCCESS; PETHREAD thread; PVOID backTrace; ULONG capturedFrames; ULONG backTraceHash; LARGE_INTEGER timeout; KPH_PAGED_CODE_PASSIVE(); backTrace = NULL; thread = NULL; backTraceHash = 0; if (!CapturedFrames) { status = STATUS_INVALID_PARAMETER; goto Exit; } status = KphWriteULongToMode(CapturedFrames, 0, AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } if (BackTraceHash) { status = KphWriteULongToMode(BackTraceHash, 0, AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } } if (Timeout) { status = KphReadLargeIntegerFromMode(&timeout, Timeout, AccessMode); if (!NT_SUCCESS(status)) { goto Exit; } } if (AccessMode != KernelMode) { backTrace = KphAllocatePaged(FramesToCapture * sizeof(PVOID), KPH_TAG_THREAD_BACK_TRACE); if (!backTrace) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate back trace buffer."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } } else { backTrace = BackTrace; } status = ObReferenceObjectByHandle(ThreadHandle, 0, *PsThreadType, AccessMode, &thread, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); thread = NULL; goto Exit; } status = KphCaptureStackBackTraceThread(thread, FramesToSkip, FramesToCapture, backTrace, &capturedFrames, (BackTraceHash ? &backTraceHash : NULL), Flags, (Timeout ? &timeout : NULL)); if (!NT_SUCCESS(status) || (status == STATUS_TIMEOUT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCaptureStackBackTraceThread failed: %!STATUS!", status); goto Exit; } if (AccessMode != KernelMode) { __try { CopyToUser(BackTrace, backTrace, capturedFrames * sizeof(PVOID)); WriteULongToUser(CapturedFrames, capturedFrames); if (BackTraceHash) { WriteULongToUser(BackTraceHash, backTraceHash); } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } } else { *CapturedFrames = capturedFrames; if (BackTraceHash) { *BackTraceHash = backTraceHash; } } Exit: if (backTrace && (backTrace != BackTrace)) { KphFree(backTrace, KPH_TAG_THREAD_BACK_TRACE); } if (thread) { ObDereferenceObject(thread); } return status; } /** * \brief Sets information about a thread. * * \param[in] ThreadHandle Handle to thread to set information for. * \param[in] ThreadInformationClass Information class to set. * \param[in] ThreadInformation Information to set. * \param[in] ThreadInformationLength Length of the thread information buffer. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphSetInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PVOID threadInformation; BYTE stackBuffer[64]; PETHREAD thread; HANDLE threadHandle; THREADINFOCLASS threadInformationClass; KPH_PAGED_CODE_PASSIVE(); threadInformation = NULL; thread = NULL; threadHandle = NULL; if (!ThreadInformation) { status = STATUS_INVALID_PARAMETER; goto Exit; } if (AccessMode != KernelMode) { threadInformation = KphAllocatePagedA(ThreadInformationLength, KPH_TAG_THREAD_INFO, stackBuffer); if (!threadInformation) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate thread info buffer."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } __try { CopyFromUser(threadInformation, ThreadInformation, ThreadInformationLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } } else { threadInformation = ThreadInformation; } status = ObReferenceObjectByHandle(ThreadHandle, 0, *PsThreadType, AccessMode, &thread, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); thread = NULL; goto Exit; } status = KphDominationCheck(PsGetCurrentProcess(), PsGetThreadProcess(thread), AccessMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphDominationCheck failed: %!STATUS!", status); goto Exit; } status = ObOpenObjectByPointer(thread, OBJ_KERNEL_HANDLE, NULL, THREAD_SET_INFORMATION, *PsThreadType, KernelMode, &threadHandle); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObOpenObjectByPointer failed: %!STATUS!", status); threadHandle = NULL; goto Exit; } switch (ThreadInformationClass) { case KphThreadPriority: { threadInformationClass = ThreadPriority; break; } case KphThreadBasePriority: { threadInformationClass = ThreadBasePriority; break; } case KphThreadAffinityMask: { threadInformationClass = ThreadAffinityMask; break; } case KphThreadIdealProcessor: { threadInformationClass = ThreadIdealProcessor; break; } case KphThreadPriorityBoost: { threadInformationClass = ThreadPriorityBoost; break; } case KphThreadIoPriority: { threadInformationClass = ThreadIoPriority; break; } case KphThreadPagePriority: { threadInformationClass = ThreadPagePriority; break; } case KphThreadActualBasePriority: { threadInformationClass = ThreadActualBasePriority; break; } case KphThreadGroupInformation: { threadInformationClass = ThreadGroupInformation; break; } case KphThreadIdealProcessorEx: { threadInformationClass = ThreadIdealProcessorEx; break; } case KphThreadActualGroupAffinity: { threadInformationClass = ThreadActualGroupAffinity; break; } case KphThreadPowerThrottlingState: { threadInformationClass = ThreadPowerThrottlingState; break; } case KphThreadExplicitCaseSensitivity: { threadInformationClass = ThreadExplicitCaseSensitivity; break; } default: { status = STATUS_INVALID_INFO_CLASS; goto Exit; } } status = ZwSetInformationThread(threadHandle, threadInformationClass, threadInformation, ThreadInformationLength); Exit: if (threadHandle) { ObCloseHandle(threadHandle, KernelMode); } if (thread) { ObDereferenceObject(thread); } if (threadInformation && (threadInformation != ThreadInformation)) { KphFreeA(threadInformation, KPH_TAG_THREAD_INFO, stackBuffer); } return status; } /** * \brief Queries thread information. * * \param[in] ThreadHandle Handle to thread to query information of. * \param[in] ThreadInformationClass Information class to query. * \param[out] ThreadInformation Populated with thread information by class. * \param[in] ThreadInformationLength Length of the thread information buffer. * \param[out] ReturnLength Received the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _Out_writes_bytes_opt_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PKPH_DYN dyn; PETHREAD threadObject; PKPH_THREAD_CONTEXT thread; ULONG returnLength; KPH_PAGED_CODE_PASSIVE(); dyn = NULL; thread = NULL; returnLength = 0; status = ObReferenceObjectByHandle(ThreadHandle, 0, *PsThreadType, AccessMode, &threadObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); threadObject = NULL; goto Exit; } thread = KphGetEThreadContext(threadObject); if (!thread) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphGetThreadContext returned null."); status = STATUS_OBJECTID_NOT_FOUND; goto Exit; } switch (ThreadInformationClass) { case KphThreadIoCounters: { IO_COUNTERS counters; PULONG64 value; dyn = KphReferenceDynData(); if (!dyn || (dyn->KtReadOperationCount == ULONG_MAX) || (dyn->KtWriteOperationCount == ULONG_MAX) || (dyn->KtOtherOperationCount == ULONG_MAX) || (dyn->KtReadTransferCount == ULONG_MAX) || (dyn->KtWriteTransferCount == ULONG_MAX) || (dyn->KtOtherTransferCount == ULONG_MAX)) { status = STATUS_NOINTERFACE; goto Exit; } if (!ThreadInformation || (ThreadInformationLength < sizeof(IO_COUNTERS))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(IO_COUNTERS); goto Exit; } RtlZeroMemory(&counters, sizeof(IO_COUNTERS)); value = Add2Ptr(threadObject, dyn->KtReadOperationCount); counters.ReadOperationCount = *value; value = Add2Ptr(threadObject, dyn->KtWriteOperationCount); counters.WriteOperationCount = *value; value = Add2Ptr(threadObject, dyn->KtOtherOperationCount); counters.OtherOperationCount = *value; value = Add2Ptr(threadObject, dyn->KtReadTransferCount); counters.ReadTransferCount = *value; value = Add2Ptr(threadObject, dyn->KtWriteTransferCount); counters.WriteTransferCount = *value; value = Add2Ptr(threadObject, dyn->KtOtherTransferCount); counters.OtherTransferCount = *value; status = KphCopyToMode(ThreadInformation, &counters, sizeof(IO_COUNTERS), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(IO_COUNTERS); } break; } case KphThreadWSLThreadId: { ULONG threadId; if (thread->SubsystemType != SubsystemInformationTypeWSL) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Invalid subsystem for WSL thread ID query."); status = STATUS_INVALID_HANDLE; goto Exit; } if (!ThreadInformation || (ThreadInformationLength < sizeof(ULONG))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(ULONG); goto Exit; } status = KphQueryInformationThreadContext(thread, KphThreadContextWSLThreadId, &threadId, sizeof(ULONG), NULL); if (!NT_SUCCESS(status)) { goto Exit; } status = KphWriteULongToMode(ThreadInformation, threadId, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(ULONG); } break; } case KphThreadKernelStackInformation: { KPH_KERNEL_STACK_INFORMATION info; dyn = KphReferenceDynData(); if (!dyn || (dyn->KtInitialStack == ULONG_MAX) || (dyn->KtStackLimit == ULONG_MAX) || (dyn->KtStackBase == ULONG_MAX) || (dyn->KtKernelStack == ULONG_MAX)) { status = STATUS_NOINTERFACE; goto Exit; } if (!ThreadInformation || (ThreadInformationLength < sizeof(KPH_KERNEL_STACK_INFORMATION))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_KERNEL_STACK_INFORMATION); goto Exit; } RtlZeroMemory(&info, sizeof(KPH_KERNEL_STACK_INFORMATION)); info.InitialStack = *(PVOID*)Add2Ptr(threadObject, dyn->KtInitialStack); info.StackLimit = *(PVOID*)Add2Ptr(threadObject, dyn->KtStackLimit); info.StackBase = *(PVOID*)Add2Ptr(threadObject, dyn->KtStackBase); info.KernelStack = *(PVOID*)Add2Ptr(threadObject, dyn->KtKernelStack); status = KphCopyToMode(ThreadInformation, &info, sizeof(KPH_KERNEL_STACK_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_KERNEL_STACK_INFORMATION); } break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (ReturnLength) { KphWriteULongToMode(ReturnLength, returnLength, AccessMode); } if (thread) { KphDereferenceObject(thread); } if (threadObject) { ObDereferenceObject(threadObject); } if (dyn) { KphDereferenceObject(dyn); } return status; } ================================================ FILE: KSystemInformer/umaccess.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025-2026 * */ #include #include KPH_PAGED_FILE(); /** * \brief Captures a Unicode string from user mode. * * \param[in] UnicodeString Unicode string to capture from user mode. * \param[out] CapturedUnicodeString Receives the captured Unicode string, the * captured buffer must be freed using KphReleaseUnicodeString. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphCaptureUnicodeString( _In_ PUNICODE_STRING UnicodeString, _Out_ PUNICODE_STRING* CapturedUnicodeString ) { NTSTATUS status; UNICODE_STRING inputString; PUNICODE_STRING outputString; KPH_PAGED_CODE_PASSIVE(); outputString = NULL; __try { CopyFromUser(&inputString, UnicodeString, sizeof(UNICODE_STRING)); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } outputString = KphAllocatePaged(sizeof(UNICODE_STRING) + inputString.Length, KPH_TAG_CAPTURED_UNICODE_STRING); if (!outputString) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } outputString->Buffer = Add2Ptr(outputString, sizeof(UNICODE_STRING)); outputString->Length = 0; outputString->MaximumLength = inputString.Length; __try { CopyFromUser(outputString->Buffer, inputString.Buffer, inputString.Length); outputString->Length = inputString.Length; } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); goto Exit; } *CapturedUnicodeString = outputString; outputString = NULL; status = STATUS_SUCCESS; Exit: if (outputString) { KphFree(outputString, KPH_TAG_CAPTURED_UNICODE_STRING); } return status; } /** * \brief Releases a previously captured Unicode string. * * \param[in] UnicodeString Unicode string to release. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphReleaseUnicodeString( _In_ PUNICODE_STRING CaputredUnicodeString ) { KPH_PAGED_CODE_PASSIVE(); KphFree(CaputredUnicodeString, KPH_TAG_CAPTURED_UNICODE_STRING); } /** * \brief Zeros memory in the specified mode. * * \param[out] Destination Address to zero memory at. * \param[in] Length The length of the memory to zero, in bytes. * \param[in] AccessMode The access mode to use for the zeroing. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphZeroModeMemory( _Out_writes_bytes_all_(Length) PVOID Destination, _In_ SIZE_T Length, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { ZeroModeMemory(Destination, Length, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Copies memory to the specified mode. * * \param[out] Destination Address to copy memory to. * \param[in] Source Address to copy memory from. * \param[in] Length The length of the memory to copy, in bytes. * \param[in] AccessMode The access mode to use for the copy. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphCopyToMode( _Out_writes_bytes_all_(Length) PVOID Destination, _In_reads_bytes_(Length) PVOID Source, _In_ SIZE_T Length, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { CopyToMode(Destination, Source, Length, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Copies memory from the specified mode. * * \param[out] Destination Address to copy memory to. * \param[in] Source Address to copy memory from. * \param[in] Length The length of the memory to copy, in bytes. * \param[in] AccessMode The access mode to use for the copy. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphCopyFromMode( _Out_writes_bytes_all_(Length) PVOID Destination, _In_reads_bytes_(Length) PVOID Source, _In_ SIZE_T Length, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { CopyFromMode(Destination, Source, Length, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Writes an unsigned 8-bit value to the specified mode. * * \param[out] Destination Address to write the unsigned 8-bit value to. * \param[in] Source The unsigned 8-bit value to write. * \param[in] AccessMode The access mode to use for the write. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteUCharToMode( _Out_ PUCHAR Destination, _In_ UCHAR Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { WriteUCharToMode(Destination, Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Writes an unsigned 32-bit value to the specified mode. * * \param[out] Destination Address to write the unsigned 32-bit value to. * \param[in] Source The unsigned 32-bit value to write. * \param[in] AccessMode The access mode to use for the write. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteULongToMode( _Out_ PULONG Destination, _In_ ULONG Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { WriteULongToMode(Destination, Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Writes an unsigned 64-bit value to the specified mode. * * \param[out] Destination Address to write the unsigned 64-bit value to. * \param[in] Source The unsigned 64-bit value to write. * \param[in] AccessMode The access mode to use for the write. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteULong64ToMode( _Out_ PULONG64 Destination, _In_ ULONG64 Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { WriteULong64ToMode(Destination, Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Writes an signed 64-bit value to the specified mode. * * \param[out] Destination Address to write the signed 64-bit value to. * \param[in] Source The signed 64-bit value to write. * \param[in] AccessMode The access mode to use for the write. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteLong64ToMode( _Out_ PLONG64 Destination, _In_ LONG64 Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { WriteLong64ToMode(Destination, Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Writes an unsigned size width value to the specified mode. * * \param[out] Destination Address to write the unsigned sized width value to. * \param[in] Source The unsigned sized width value to write. * \param[in] AccessMode The access mode to use for the write. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteSizeTToMode( _Out_ PSIZE_T Destination, _In_ SIZE_T Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { WriteSizeTToMode(Destination, Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Writes a pointer to the specified mode. * * \param[out] Destination Address to write the pointer to. * \param[in] Source The pointer to write. * \param[in] AccessMode The access mode to use for the write. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWritePointerToMode( _Out_ PVOID* Destination, _In_ PVOID Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { WritePointerToMode(Destination, Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Writes a handle to the specified mode. * * \details If the write fails then the handle is closed oh behalf of the caller * to prevent a handle leak. * * \param[out] Destination Address to write the handle to. * \param[in] Source The handle to write. * \param[in] AccessMode The access mode to use for the write. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphWriteHandleToMode( _Out_ PHANDLE Destination, _In_ _Post_ptr_invalid_ HANDLE Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { WriteHandleToMode(Destination, Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { ObCloseHandle(Source, AccessMode); return GetExceptionCode(); } return STATUS_SUCCESS; } /** * \brief Copies a Unicode string to the specified mode. * * \details The Unicode string is constructed at the destination address and the * string content immediately follows the string structure. * * \param[out] Destination Optional address to copy the Unicode string to. * \param[in] Length The length of the destination buffer, in bytes. * \param[in] String Optional Unicode string to copy. * \param[out] ReturnLength Number of bytes copied to the destination buffer, * including the string structure and following content. * \param[in] AccessMode The access mode to use for the copy. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) NTSTATUS KphCopyUnicodeStringToMode( _Out_writes_bytes_opt_(Length) PVOID Destination, _In_ SIZE_T Length, _In_opt_ PCUNICODE_STRING String, _Out_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { PUNICODE_STRING destination; USHORT maximumLength; KPH_PAGED_CODE(); if (!String) { *ReturnLength = sizeof(UNICODE_STRING); if (!Destination || (Length < sizeof(UNICODE_STRING))) { return STATUS_BUFFER_TOO_SMALL; } destination = Destination; return KphZeroModeMemory(destination, sizeof(UNICODE_STRING), AccessMode); } *ReturnLength = (sizeof(UNICODE_STRING) + String->Length); if (!Destination || (Length < (sizeof(UNICODE_STRING) + String->Length))) { return STATUS_BUFFER_TOO_SMALL; } destination = Destination; maximumLength = (USHORT)(Length - sizeof(UNICODE_STRING)); if (AccessMode != KernelMode) { __try { WriteUShortToUser(&destination->Length, String->Length); WriteUShortToUser(&destination->MaximumLength, maximumLength); WritePointerToUser(&destination->Buffer, Add2Ptr(destination, sizeof(UNICODE_STRING))); NT_ASSERT(destination->Buffer); CopyToUser(destination->Buffer, String->Buffer, String->Length); if ((String->Length + sizeof(UNICODE_NULL)) <= maximumLength) { PWCHAR end; end = &destination->Buffer[String->Length / sizeof(WCHAR)]; WriteUShortToUser(end, UNICODE_NULL); } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } else { destination->Length = 0; destination->MaximumLength = maximumLength; destination->Buffer = Add2Ptr(destination, sizeof(UNICODE_STRING)); RtlCopyUnicodeString(destination, String); } return STATUS_SUCCESS; } /** * \brief Reads a LARGE_INTEGER from the specified mode. * * \param[out] Destination Address to read the LARGE_INTEGER to. * \param[in] Source The LARGE_INTEGER to read. * \param[in] AccessMode The access mode to use for the read. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphReadLargeIntegerFromMode( _Out_ PLARGE_INTEGER Destination, _In_ PLARGE_INTEGER Source, _In_ KPROCESSOR_MODE AccessMode ) { KPH_PAGED_CODE(); __try { *Destination = ReadLargeIntegerFromMode(Source, AccessMode); } __except (UmaExceptionFilter(AccessMode)) { return GetExceptionCode(); } return STATUS_SUCCESS; } ================================================ FILE: KSystemInformer/util.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * jxy-s 2022-2026 * */ #include #include #include /** * \brief Performs a binary search of a sorted array. * * \param[in] Key Pointer to the key to search for. * \param[in] Base Pointer to the base of the search data. * \param[in] NumberOfElements Number of elements in the array. * \param[in] SizeOfElement Size of each element in the array. * \param[in] Callback Comparison callback. * \param[in] Context Optional context for the callback. * * \return Pointer to the found element, NULL if not found. */ _Must_inspect_result_ _Success_(return != NULL) PVOID KphBinarySearch( _In_ PCVOID Key, _In_reads_bytes_(NumberOfElements * SizeOfElement) PCVOID Base, _In_ ULONG NumberOfElements, _In_ ULONG SizeOfElement, _In_ PKPH_BINARY_SEARCH_CALLBACK Callback, _In_opt_ PVOID Context ) { return bsearch_s(Key, Base, NumberOfElements, SizeOfElement, Callback, Context); } /** * \brief Performs a quick sort of an array. * * \param[in] Base Pointer to the base of the array to sort. * \param[in] NumberOfElements Number of elements in the array. * \param[in] SizeOfElement Size of each element in the array. * \param[in] Callback Comparison callback. * \param[in] Context Optional context for the callback. */ VOID KphQuickSort( _Inout_updates_bytes_(NumberOfElements * SizeOfElement) PVOID Base, _In_ ULONG NumberOfElements, _In_ ULONG SizeOfElement, _In_ PKPH_QUICK_SORT_CALLBACK Callback, _In_opt_ PVOID Context ) { qsort_s(Base, NumberOfElements, SizeOfElement, Callback, Context); } /** * \brief Searches memory for a given pattern. * * \param[in] Buffer The memory to search. * \param[in] BufferLength The length of the memory to search. * \param[in] Pattern The pattern to search for. * \param[in] PatternLength The length of the pattern to search for. * * \return Pointer to the beginning of the first found pattern, NULL if the * pattern is not found. */ _Must_inspect_result_ _Success_(return != NULL) PVOID KphSearchMemory( _In_reads_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _In_reads_bytes_(PatternLength) PVOID Pattern, _In_ ULONG PatternLength ) { PBYTE buffer; PBYTE end; if (!BufferLength || !PatternLength) { return NULL; } if (PatternLength > BufferLength) { return NULL; } buffer = Buffer; end = Add2Ptr(Buffer, BufferLength - PatternLength); // // Move the loop into the switch to ensure optimal code generation. // #define KPH_SEARCH_MEMORY_FOR for (; buffer <= end; buffer++) // // Optimization for a pattern size that fits into a register. // #define KPH_SEARCH_MEMORY_SIZED(type) \ case sizeof(type): \ { \ KPH_SEARCH_MEMORY_FOR \ { \ if (*(type*)buffer == *(type*)Pattern) \ { \ return buffer; \ } \ } \ break; \ } switch (PatternLength) { KPH_SEARCH_MEMORY_SIZED(UCHAR) KPH_SEARCH_MEMORY_SIZED(USHORT) KPH_SEARCH_MEMORY_SIZED(ULONG) KPH_SEARCH_MEMORY_SIZED(ULONG64) default: { KPH_SEARCH_MEMORY_FOR { #pragma warning(suppress: 4995) // suppress deprecation warning if (memcmp(buffer, Pattern, PatternLength) == 0) { return buffer; } } break; } } return NULL; } /** * \brief Acquires rundown. On successful return the caller should release * the rundown using KphReleaseRundown. * * \param[in,out] Rundown The rundown object to acquire. * * \return TRUE if rundown is acquired, FALSE if object is already ran down. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ BOOLEAN KphAcquireRundown( _Inout_ PKPH_RUNDOWN Rundown ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return ExAcquireRundownProtection(Rundown); } /** * \brief Releases rundown previously acquired by KphAcquireRundown. * * \param[in,out] Rundown The rundown object to release. */ _IRQL_requires_max_(DISPATCH_LEVEL) VOID KphReleaseRundown( _Inout_ PKPH_RUNDOWN Rundown ) { KPH_NPAGED_CODE_DISPATCH_MAX(); ExReleaseRundownProtection(Rundown); } /** * \brief Retrieves the process sequence number for a given process. * * \param[in] Process The process to get the sequence number of. * * \return The sequence number key. */ _IRQL_requires_max_(DISPATCH_LEVEL) ULONG64 KphGetProcessSequenceNumber( _In_ PEPROCESS Process ) { ULONG64 sequence; PKPH_PROCESS_CONTEXT process; KPH_NPAGED_CODE_DISPATCH_MAX(); if (KphDynPsGetProcessSequenceNumber) { return KphDynPsGetProcessSequenceNumber(Process); } process = KphGetEProcessContext(Process); if (!process) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Failed to get process sequence number for PID %lu", HandleToULong(PsGetProcessId(Process))); return 0; } sequence = process->SequenceNumber; KphDereferenceObject(process); return sequence; } /** * \brief Retrieves the process start key for a given process. * * \param[in] Process The process to get the start key of. * * \return The process start key. */ _IRQL_requires_max_(DISPATCH_LEVEL) ULONG64 KphGetProcessStartKey( _In_ PEPROCESS Process ) { ULONG64 key; PKPH_PROCESS_CONTEXT process; KPH_NPAGED_CODE_DISPATCH_MAX(); if (KphDynPsGetProcessStartKey) { return KphDynPsGetProcessStartKey(Process); } process = KphGetEProcessContext(Process); if (!process) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Failed to get process start key for PID %lu", HandleToULong(PsGetProcessId(Process))); return 0; } if (process->ProcessStartKey) { key = process->ProcessStartKey; } else { key = (process->SequenceNumber | ((ULONG64)SharedUserData->BootId << 48)); } KphDereferenceObject(process); return key; } /** * \brief Retrieves the current thread's sub-process tag. * * \return The current thread's sub-process tag. */ _IRQL_requires_max_(DISPATCH_LEVEL) PVOID KphGetCurrentThreadSubProcessTag( VOID ) { PKPH_THREAD_CONTEXT thread; PVOID subProcessTag; PTEB teb; KPH_NPAGED_CODE_DISPATCH_MAX(); if (PsIsSystemThread(PsGetCurrentThread())) { return NULL; } // // We support lookups at dispatch. To achieve this we cache the last lookup // in the thread context. If we're at dispatch use the cache. Otherwise go // do the lookup and cache the result in the thread context. // if (KeGetCurrentIrql() > APC_LEVEL) { subProcessTag = NULL; thread = KphGetCurrentThreadContext(); if (thread) { subProcessTag = thread->SubProcessTag; KphDereferenceObject(thread); } return subProcessTag; } teb = PsGetCurrentThreadTeb(); if (!teb) { return NULL; } __try { subProcessTag = ReadPointerFromUser(&teb->SubProcessTag); } __except (EXCEPTION_EXECUTE_HANDLER) { return NULL; } thread = KphGetCurrentThreadContext(); if (thread) { thread->SubProcessTag = subProcessTag; KphDereferenceObject(thread); } return subProcessTag; } /** * \brief Retrieves a thread's sub-process tag. * * \param[in] Thread The thread to get the sub-process tag of. * \param[in] CacheOnly If TRUE, only the cached value is returned. This is * useful when the caller knows that touching the TEB is not safe. * * \return The thread's sub-process tag. */ _IRQL_requires_max_(DISPATCH_LEVEL) PVOID KphGetThreadSubProcessTagEx( _In_ PETHREAD Thread, _In_ BOOLEAN CacheOnly ) { PKPH_THREAD_CONTEXT thread; PVOID subProcessTag; PTEB teb; KPH_NPAGED_CODE_DISPATCH_MAX(); if (PsIsSystemThread(Thread)) { return NULL; } // // We support lookups at dispatch and across process boundaries. To achieve // this we cache the last lookup in the thread context. If we're at dispatch // or across process boundaries use the cache. Otherwise go do the lookup // and cache the result in the thread context. We choose not to attach to // a process to retrieve the information to avoid performance penalties. // if (CacheOnly || (KeGetCurrentIrql() > APC_LEVEL) || (PsGetThreadProcess(Thread) != PsGetCurrentProcess())) { subProcessTag = NULL; thread = KphGetEThreadContext(Thread); if (thread) { subProcessTag = thread->SubProcessTag; KphDereferenceObject(thread); } return subProcessTag; } teb = PsGetThreadTeb(Thread); if (!teb) { return NULL; } __try { subProcessTag = ReadPointerFromUser(&teb->SubProcessTag); } __except (EXCEPTION_EXECUTE_HANDLER) { return NULL; } thread = KphGetEThreadContext(Thread); if (thread) { thread->SubProcessTag = subProcessTag; KphDereferenceObject(thread); } return subProcessTag; } /** * \brief Retrieves a thread's sub-process tag. * * \param[in] Thread The thread to get the sub-process tag of. * * \return The thread's sub-process tag. */ _IRQL_requires_max_(DISPATCH_LEVEL) PVOID KphGetThreadSubProcessTag( _In_ PETHREAD Thread ) { KPH_NPAGED_CODE_DISPATCH_MAX(); return KphGetThreadSubProcessTagEx(Thread, FALSE); } /** * \brief Initializes rundown object. * * \param[out] Rundown The rundown object to initialize. */ _IRQL_requires_max_(APC_LEVEL) VOID KphInitializeRundown( _Out_ PKPH_RUNDOWN Rundown ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); ExInitializeRundownProtection(Rundown); } /** * \brief Marks rundown active and waits for rundown release. Subsequent * attempts to acquire rundown will fail. * * \param[in,out] Rundown The rundown object to activate and wait for. */ _IRQL_requires_max_(APC_LEVEL) VOID KphWaitForRundown( _Inout_ PKPH_RUNDOWN Rundown ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); ExWaitForRundownProtectionRelease(Rundown); } /** * \brief Initializes a readers-writer lock. * * \param[in] Lock The readers-writer lock to initialize. */ _IRQL_requires_max_(APC_LEVEL) VOID KphInitializeRWLock( _Out_ PKPH_RWLOCK Lock ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); FltInitializePushLock(Lock); } /** * \brief Deletes a readers-writer lock. * * \param[in] Lock The readers-writer lock to delete. */ _IRQL_requires_max_(APC_LEVEL) VOID KphDeleteRWLock( _In_ PKPH_RWLOCK Lock ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); FltDeletePushLock(Lock); } /** * \brief Acquires a readers-writer lock exclusive. * * \param[in,out] Lock The readers-writer lock to acquire exclusively. */ _IRQL_requires_max_(APC_LEVEL) _Acquires_lock_(_Global_critical_region_) VOID KphAcquireRWLockExclusive( _Inout_ _Requires_lock_not_held_(*_Curr_) _Acquires_lock_(*_Curr_) PKPH_RWLOCK Lock ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); FltAcquirePushLockExclusive(Lock); } /** * \brief Acquires readers-writer lock shared. * * \param[in,out] Lock The readers-writer lock to acquire shared. */ _IRQL_requires_max_(APC_LEVEL) _Acquires_lock_(_Global_critical_region_) VOID KphAcquireRWLockShared( _Inout_ _Requires_lock_not_held_(*_Curr_) _Acquires_lock_(*_Curr_) PKPH_RWLOCK Lock ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); FltAcquirePushLockShared(Lock); } /** * \brief Releases a readers-writer lock. * * \param[in,out] Lock The readers-writer lock to release. */ _IRQL_requires_max_(APC_LEVEL) _Releases_lock_(_Global_critical_region_) VOID KphReleaseRWLock( _Inout_ _Requires_lock_held_(*_Curr_) _Releases_lock_(*_Curr_) PKPH_RWLOCK Lock ) { KPH_NPAGED_CODE_APC_MAX_FOR_PAGING_IO(); FltReleasePushLock(Lock); } /** * \brief Checks if two file objects are associated with the same data. * * \param[in] FirstFileObject The first file object to check. * \param[in] SecondFileObject The second file object to check. * * \return TRUE if the files are the same, FALSE otherwise. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ BOOLEAN KphIsSameFile( _In_ PFILE_OBJECT FirstFileObject, _In_ PFILE_OBJECT SecondFileObject ) { PSECTION_OBJECT_POINTERS first; PSECTION_OBJECT_POINTERS second; KPH_NPAGED_CODE_DISPATCH_MAX(); first = FirstFileObject->SectionObjectPointer; second = SecondFileObject->SectionObjectPointer; if (first != second) { return FALSE; } if (!first) { return TRUE; } if ((first->DataSectionObject != second->DataSectionObject) || (first->SharedCacheMap != second->SharedCacheMap) || (first->ImageSectionObject != second->ImageSectionObject)) { return FALSE; } return TRUE; } KPH_PAGED_FILE(); /** * \brief Acquires a reference to a reference object. * * \details KPH_REFERENCE provides underflow and overflow guarantees. For this * reason, KPH_REFERENCE may not be suitable for all applications since it is * more expensive than a simple reference count. * * \param[in,out] Reference The reference object to acquire. * \param[out] PreviousCount Optionally set to the previous reference count. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphAcquireReference( _Inout_ PKPH_REFERENCE Reference, _Out_opt_ PLONG PreviousCount ) { LONG count; KPH_PAGED_CODE(); count = ReadAcquire(&Reference->Count); for (;;) { LONG expected; if (count == LONG_MAX) { if (PreviousCount) { *PreviousCount = LONG_MAX; } return STATUS_INTEGER_OVERFLOW; } expected = count; count = InterlockedCompareExchange(&Reference->Count, count + 1, expected); if (count == expected) { if (PreviousCount) { *PreviousCount = count; } return STATUS_SUCCESS; } } } /** * \brief Releases a reference to a reference object. * * \details KPH_REFERENCE provides underflow and overflow guarantees. For this * reason, KPH_REFERENCE may not be suitable for all applications since it is * more expensive than a simple reference count. * * \param[in,out] Reference The reference object to release. * \param[out] PreviousCount Optionally set to the previous reference count. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphReleaseReference( _Inout_ PKPH_REFERENCE Reference, _Out_opt_ PLONG PreviousCount ) { LONG count; KPH_PAGED_CODE(); count = ReadAcquire(&Reference->Count); for (;;) { LONG expected; if (count == 0) { if (PreviousCount) { *PreviousCount = 0; } return STATUS_INTEGER_OVERFLOW; } expected = count; count = InterlockedCompareExchange(&Reference->Count, count - 1, count); if (count == expected) { if (PreviousCount) { *PreviousCount = count; } return STATUS_SUCCESS; } } } /** * \brief Checks if an address range lies within a kernel module. * * \param[in] Address The beginning of the address range. * \param[in] Length The number of bytes in the address range. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphValidateAddressForSystemModules( _In_ PVOID Address, _In_ SIZE_T Length ) { BOOLEAN valid; PVOID endAddress; KPH_PAGED_CODE(); if (Add2Ptr(Address, Length) < Address) { return STATUS_BUFFER_OVERFLOW; } endAddress = Add2Ptr(Address, Length); KeEnterCriticalRegion(); if (!ExAcquireResourceSharedLite(PsLoadedModuleResource, TRUE)) { KeLeaveCriticalRegion(); KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Failed to acquire PsLoadedModuleResource"); return STATUS_RESOURCE_NOT_OWNED; } valid = FALSE; for (PLIST_ENTRY link = PsLoadedModuleList->Flink; link != PsLoadedModuleList; link = link->Flink) { PKLDR_DATA_TABLE_ENTRY entry; PVOID endOfImage; entry = CONTAINING_RECORD(link, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); endOfImage = Add2Ptr(entry->DllBase, entry->SizeOfImage); if ((Address >= entry->DllBase) && (endAddress <= endOfImage)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Validated address in %wZ", &entry->FullDllName); valid = TRUE; break; } } ExReleaseResourceLite(PsLoadedModuleResource); KeLeaveCriticalRegion(); return (valid ? STATUS_SUCCESS : STATUS_ACCESS_VIOLATION); } /** * \brief Queries the registry key for a string value. * * \param[in] KeyHandle Handle to key to query. * \param[in] ValueName Name of value to query. * \param[out] String Populated with the queried registry string. The string is * guaranteed to be null terminated and the MaximumLength will reflect this * when compared to the Length. This string should be freed using * KphFreeRegistryString. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryRegistryString( _In_ HANDLE KeyHandle, _In_ PCUNICODE_STRING ValueName, _Outptr_allocatesMem_ PUNICODE_STRING* String ) { NTSTATUS status; ULONG resultLength; PKEY_VALUE_PARTIAL_INFORMATION info; PUNICODE_STRING string; ULONG length; KPH_PAGED_CODE_PASSIVE(); *String = NULL; info = NULL; status = ZwQueryValueKey(KeyHandle, (PUNICODE_STRING)ValueName, KeyValuePartialInformation, NULL, 0, &resultLength); if ((status != STATUS_BUFFER_OVERFLOW) && (status != STATUS_BUFFER_TOO_SMALL)) { if (NT_SUCCESS(status)) { status = STATUS_UNSUCCESSFUL; } goto Exit; } info = KphAllocatePaged(resultLength, KPH_TAG_REG_STRING); if (!info) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = ZwQueryValueKey(KeyHandle, (PUNICODE_STRING)ValueName, KeyValuePartialInformation, info, resultLength, &resultLength); if (!NT_SUCCESS(status)) { goto Exit; } if (resultLength < sizeof(KEY_VALUE_PARTIAL_INFORMATION)) { status = STATUS_INFO_LENGTH_MISMATCH; goto Exit; } status = RtlULongAdd(info->DataLength, sizeof(WCHAR), &length); if (!NT_SUCCESS(status)) { goto Exit; } if ((info->Type != REG_SZ) || (length > UNICODE_STRING_MAX_BYTES) || ((info->DataLength % 2) != 0)) { status = STATUS_OBJECT_TYPE_MISMATCH; goto Exit; } string = KphAllocatePaged((sizeof(UNICODE_STRING) + length), KPH_TAG_REG_STRING); if (!string) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } string->Buffer = Add2Ptr(string, sizeof(UNICODE_STRING)); RtlZeroMemory(string->Buffer, length); NT_ASSERT(info->DataLength < UNICODE_STRING_MAX_BYTES); NT_ASSERT(length < UNICODE_STRING_MAX_BYTES); string->Length = (USHORT)info->DataLength; string->MaximumLength = (USHORT)length; if (string->Length) { PWCHAR sz; sz = (PWCHAR)info->Data; NT_ASSERT(info->DataLength >= sizeof(WCHAR)); if (sz[(info->DataLength / sizeof(WCHAR)) - 1] == UNICODE_NULL) { string->Length -= sizeof(WCHAR); } RtlCopyMemory(string->Buffer, info->Data, string->Length); } *String = string; status = STATUS_SUCCESS; Exit: if (info) { KphFree(info, KPH_TAG_REG_STRING); } return status; } /** * \brief Frees a string retrieved by KphQueryRegistryString. * * \param[in] String The string to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphFreeRegistryString( _In_freesMem_ PUNICODE_STRING String ) { KPH_PAGED_CODE(); KphFree(String, KPH_TAG_REG_STRING); } /** * \brief Queries the registry key for a string value. * * \param[in] KeyHandle Handle to key to query. * \param[in] ValueName Name of value to query. * \param[out] Buffer Registry binary buffer on success, should be freed using * KphFreeRegistryBinary. * \param[out] Length Set to the length of the buffer. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryRegistryBinary( _In_ HANDLE KeyHandle, _In_ PCUNICODE_STRING ValueName, _Outptr_allocatesMem_ PBYTE* Buffer, _Out_ PULONG Length ) { NTSTATUS status; PBYTE buffer; ULONG resultLength; PKEY_VALUE_PARTIAL_INFORMATION info; KPH_PAGED_CODE_PASSIVE(); *Buffer = NULL; *Length = 0; buffer = NULL; status = ZwQueryValueKey(KeyHandle, (PUNICODE_STRING)ValueName, KeyValuePartialInformation, NULL, 0, &resultLength); if ((status != STATUS_BUFFER_OVERFLOW) && (status != STATUS_BUFFER_TOO_SMALL)) { if (NT_SUCCESS(status)) { status = STATUS_UNSUCCESSFUL; } goto Exit; } buffer = KphAllocatePaged(resultLength, KPH_TAG_REG_BINARY); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = ZwQueryValueKey(KeyHandle, (PUNICODE_STRING)ValueName, KeyValuePartialInformation, buffer, resultLength, &resultLength); if (!NT_SUCCESS(status)) { goto Exit; } if (resultLength < sizeof(KEY_VALUE_PARTIAL_INFORMATION)) { status = STATUS_INFO_LENGTH_MISMATCH; goto Exit; } info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer; if (info->Type != REG_BINARY) { status = STATUS_OBJECT_TYPE_MISMATCH; goto Exit; } *Length = info->DataLength; *Buffer = info->Data; buffer = NULL; status = STATUS_SUCCESS; Exit: if (buffer) { KphFree(buffer, KPH_TAG_REG_BINARY); } return status; } /** * \brief Frees a buffer retrieved by KphQueryRegistryBinary. * * \param[in] String String to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphFreeRegistryBinary( _In_freesMem_ PBYTE Buffer ) { KPH_PAGED_CODE(); KphFree(CONTAINING_RECORD(Buffer, KEY_VALUE_PARTIAL_INFORMATION, Data), KPH_TAG_REG_BINARY); } /** * \brief Queries the registry key for a string value. * * \param[in] KeyHandle Handle to key to query. * \param[in] ValueName Name of value to query. * \param[out] Value Registry unsigned long. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryRegistryULong( _In_ HANDLE KeyHandle, _In_ PCUNICODE_STRING ValueName, _Out_ PULONG Value ) { NTSTATUS status; BYTE buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG64)]; ULONG resultLength; PKEY_VALUE_PARTIAL_INFORMATION info; KPH_PAGED_CODE_PASSIVE(); *Value = 0; status = ZwQueryValueKey(KeyHandle, (PUNICODE_STRING)ValueName, KeyValuePartialInformation, buffer, ARRAYSIZE(buffer), &resultLength); if (!NT_SUCCESS(status)) { return status; } if (resultLength < sizeof(KEY_VALUE_PARTIAL_INFORMATION)) { return STATUS_INFO_LENGTH_MISMATCH; } info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer; #pragma prefast(suppress: 28199) // possibly uninitialized if (info->Type != REG_DWORD) { return STATUS_OBJECT_TYPE_MISMATCH; } if (info->DataLength != sizeof(ULONG)) { return STATUS_INFO_LENGTH_MISMATCH; } *Value = *(PULONG)info->Data; return STATUS_SUCCESS; } /** * \brief Maps view into the system address space. The caller should unmap the * view by calling KphUnmapViewInSystem. * * \param[in] FileHandle Handle to file to map. * \param[in] Flags Options for the mapping (see: KPH_MAP..). * \param[out] MappedBase Base address of the mapping. * \param[out] ViewSize Size of the mapped view. If not an image mapping and * if the view exceeds the file size, it is clamped to the file size. * * \return Successful or errant status. */ _IRQL_always_function_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphMapViewInSystem( _In_ HANDLE FileHandle, _In_ ULONG Flags, _Outptr_result_bytebuffer_(*ViewSize) PVOID *MappedBase, _Inout_ PSIZE_T ViewSize ) { NTSTATUS status; HANDLE sectionHandle; PVOID sectionObject; OBJECT_ATTRIBUTES objectAttributes; ULONG allocationAttributes; SIZE_T fileSize; LARGE_INTEGER sectionOffset; KPH_PAGED_CODE_PASSIVE(); sectionHandle = NULL; sectionObject = NULL; *MappedBase = NULL; if (BooleanFlagOn(Flags, KPH_MAP_IMAGE)) { allocationAttributes = SEC_IMAGE_NO_EXECUTE; fileSize = SIZE_T_MAX; } else { IO_STATUS_BLOCK ioStatusBlock; FILE_STANDARD_INFORMATION fileInfo; allocationAttributes = SEC_COMMIT; status = ZwQueryInformationFile(FileHandle, &ioStatusBlock, &fileInfo, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation); if (!NT_SUCCESS(status)) { goto Exit; } if (fileInfo.EndOfFile.QuadPart < 0) { status = STATUS_FILE_TOO_LARGE; goto Exit; } #ifdef _WIN64 fileSize = (SIZE_T)fileInfo.EndOfFile.QuadPart; #else if (fileInfo.EndOfFile.HighPart != 0) { status = STATUS_FILE_TOO_LARGE; goto Exit; } fileSize = fileInfo.EndOfFile.LowPart; #endif } InitializeObjectAttributes(&objectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwCreateSection(§ionHandle, SECTION_MAP_READ, &objectAttributes, NULL, PAGE_READONLY, allocationAttributes, FileHandle); if (!NT_SUCCESS(status)) { sectionHandle = NULL; goto Exit; } status = ObReferenceObjectByHandle(sectionHandle, SECTION_MAP_READ, *MmSectionObjectType, KernelMode, §ionObject, NULL); if (!NT_SUCCESS(status)) { sectionObject = NULL; goto Exit; } sectionOffset.QuadPart = 0; status = MmMapViewInSystemSpaceEx(sectionObject, MappedBase, ViewSize, §ionOffset, MM_SYSTEM_VIEW_EXCEPTIONS_FOR_INPAGE_ERRORS); if (!NT_SUCCESS(status)) { *MappedBase = NULL; *ViewSize = 0; goto Exit; } if (*ViewSize > fileSize) { *ViewSize = fileSize; } status = STATUS_SUCCESS; Exit: if (sectionObject) { ObDereferenceObject(sectionObject); } if (sectionHandle) { ObCloseHandle(sectionHandle, KernelMode); } return status; } /** * \brief Unmaps view from the system process address space. * * \param[in] MappedBase Base address of the mapping. */ _IRQL_always_function_max_(PASSIVE_LEVEL) VOID KphUnmapViewInSystem( _In_ PVOID MappedBase ) { KPH_PAGED_CODE_PASSIVE(); MmUnmapViewInSystemSpace(MappedBase); } /** * \brief Gets the file name from a file object. * * \param[in] FileObject The file object to get the name from. * \param[out] FileName Set to a point to the file name on success, caller * should free this using KphFreeFileNameObject. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetNameFileObject( _In_ PFILE_OBJECT FileObject, _Outptr_allocatesMem_ PUNICODE_STRING* FileName ) { NTSTATUS status; ULONG returnLength; POBJECT_NAME_INFORMATION nameInfo; KPH_PAGED_CODE_PASSIVE(); *FileName = NULL; returnLength = (sizeof(OBJECT_NAME_INFORMATION) + MAX_PATH); nameInfo = KphAllocatePaged(returnLength, KPH_TAG_FILE_OBJECT_NAME); if (!nameInfo) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Failed to allocate for file object name."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphQueryNameFileObject(FileObject, nameInfo, returnLength, &returnLength); if (status == STATUS_BUFFER_TOO_SMALL) { KphFree(nameInfo, KPH_TAG_FILE_OBJECT_NAME); nameInfo = KphAllocatePaged(returnLength, KPH_TAG_FILE_OBJECT_NAME); if (!nameInfo) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Failed to allocate for file object name."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = KphQueryNameFileObject(FileObject, nameInfo, returnLength, &returnLength); } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "KphQueryNameFileObject failed: %!STATUS!", status); goto Exit; } *FileName = &nameInfo->Name; nameInfo = NULL; status = STATUS_SUCCESS; Exit: if (nameInfo) { KphFree(nameInfo, KPH_TAG_FILE_OBJECT_NAME); } return status; } /** * \brief Frees a file name previously retrieved by KphGetFileNameObject. * * \param[out] FileName The file name to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphFreeNameFileObject( _In_freesMem_ PUNICODE_STRING FileName ) { KPH_PAGED_CODE(); KphFree(CONTAINING_RECORD(FileName, OBJECT_NAME_INFORMATION, Name), KPH_TAG_FILE_OBJECT_NAME); } /** * \brief Perform a single privilege check on the supplied subject context. * * \param[in] PrivilegeValue The privilege value to check. * \param[in] SubjectSecurityContext The subject context to check. * \param[in] AccessMode The access mode used for the access check. * * \return TRUE if the subject has the desired privilege, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) BOOLEAN KphSinglePrivilegeCheckEx( _In_ LUID PrivilegeValue, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, _In_ KPROCESSOR_MODE AccessMode ) { PRIVILEGE_SET requiredPrivileges; KPH_PAGED_CODE(); requiredPrivileges.PrivilegeCount = 1; requiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY; requiredPrivileges.Privilege[0].Luid = PrivilegeValue; requiredPrivileges.Privilege[0].Attributes = 0; return SePrivilegeCheck(&requiredPrivileges, SubjectSecurityContext, AccessMode); } /** * \brief Perform a single privilege check on the current subject context. * * \param[in] PrivilegeValue The privilege value to check. * \param[in] AccessMode The access mode used for the access check. * * \return TRUE if the subject has the desired privilege, FALSE otherwise. */ _IRQL_requires_max_(APC_LEVEL) BOOLEAN KphSinglePrivilegeCheck( _In_ LUID PrivilegeValue, _In_ KPROCESSOR_MODE AccessMode ) { BOOLEAN accessGranted; SECURITY_SUBJECT_CONTEXT subjectContext; KPH_PAGED_CODE(); SeCaptureSubjectContext(&subjectContext); accessGranted = KphSinglePrivilegeCheckEx(PrivilegeValue, &subjectContext, AccessMode); SeReleaseSubjectContext(&subjectContext); return accessGranted; } /** * \brief Retrieves the kernel file name. * * \param[out] FileName On success set to the file name for the kernel. Must be * freed using RtlFreeUnicodeString. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpGetKernelFileName( _Out_allocatesMem_ PUNICODE_STRING FileName ) { NTSTATUS status; SYSTEM_SINGLE_MODULE_INFORMATION info; ANSI_STRING fullPathName; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(FileName, sizeof(UNICODE_STRING)); RtlZeroMemory(&info, sizeof(SYSTEM_SINGLE_MODULE_INFORMATION)); info.TargetModuleAddress = (PVOID)ObCloseHandle; status = ZwQuerySystemInformation(SystemSingleModuleInformation, &info, sizeof(SYSTEM_SINGLE_MODULE_INFORMATION), NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "ZwQuerySystemInformation failed: %!STATUS!", status); return status; } status = RtlInitAnsiStringEx(&fullPathName, (PCSZ)info.ExInfo.BaseInfo.FullPathName); if (!NT_SUCCESS(status)) { return status; } return RtlAnsiStringToUnicodeString(FileName, &fullPathName, TRUE); } /** * \brief Retrieves the version of the kernel. * * \param[out] Version Set to the kernel build version. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetKernelVersion( _Out_ PKPH_FILE_VERSION Version ) { NTSTATUS status; UNICODE_STRING kernelFileName; KPH_PAGED_CODE_PASSIVE(); status = KphpGetKernelFileName(&kernelFileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "KphGetKernelFileName failed: %!STATUS!", status); RtlZeroMemory(Version, sizeof(KPH_FILE_VERSION)); goto Exit; } KphTracePrint(TRACE_LEVEL_INFORMATION, UTIL, "Kernel file name: \"%wZ\"", &kernelFileName); status = KphGetFileVersion(&kernelFileName, Version); Exit: RtlFreeUnicodeString(&kernelFileName); return status; } /** * \brief Retrieves the file version from a mapped file. * * \param[in] ImageBase The base address of the mapped file. * \param[in] ViewSize The size of the mapped file. * \param[in] ResourceLanguage The language of the resource to locate. * \param[out] Version Set to the file version. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpParseFileVersion( _In_ PVOID ImageBase, _In_ SIZE_T ViewSize, _In_ ULONG_PTR ResourceLanguage, _Out_ PKPH_FILE_VERSION Version ) { NTSTATUS status; LDR_RESOURCE_INFO resourceInfo; PIMAGE_RESOURCE_DATA_ENTRY resourceData; PVOID resourceBuffer; ULONG resourceLength; PVOID imageEnd; PVS_VERSION_INFO_STRUCT versionInfo; UNICODE_STRING keyName; PVS_FIXEDFILEINFO fileInfo; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(Version, sizeof(KPH_FILE_VERSION)); resourceInfo.Type = (ULONG_PTR)VS_FILE_INFO; resourceInfo.Name = (ULONG_PTR)MAKEINTRESOURCEW(VS_VERSION_INFO); resourceInfo.Language = ResourceLanguage; __try { status = LdrFindResource_U(ImageBase, &resourceInfo, RESOURCE_DATA_LEVEL, &resourceData); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "LdrFindResource_U failed: %!STATUS!", status); goto Exit; } status = LdrAccessResource(ImageBase, resourceData, &resourceBuffer, &resourceLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "LdrAccessResource failed: %!STATUS!", status); goto Exit; } imageEnd = Add2Ptr(ImageBase, ViewSize); if (Add2Ptr(resourceBuffer, resourceLength) >= imageEnd) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Resource buffer overflows mapping"); status = STATUS_BUFFER_OVERFLOW; goto Exit; } if (resourceLength < sizeof(VS_VERSION_INFO_STRUCT)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Resource length insufficient"); status = STATUS_BUFFER_TOO_SMALL; goto Exit; } versionInfo = resourceBuffer; if (Add2Ptr(resourceBuffer, versionInfo->Length) >= imageEnd) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Version info overflows mapping"); status = STATUS_BUFFER_OVERFLOW; goto Exit; } if (versionInfo->ValueLength < sizeof(VS_FIXEDFILEINFO)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Value length insufficient"); status = STATUS_BUFFER_TOO_SMALL; goto Exit; } status = RtlInitUnicodeStringEx(&keyName, versionInfo->Key); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "RtlInitUnicodeStringEx failed: %!STATUS!", status); goto Exit; } fileInfo = Add2Ptr(versionInfo, RTL_SIZEOF_THROUGH_FIELD(VS_VERSION_INFO_STRUCT, Type)); fileInfo = (PVS_FIXEDFILEINFO)ALIGN_UP(Add2Ptr(fileInfo, keyName.MaximumLength), ULONG); if (Add2Ptr(fileInfo, sizeof(VS_FIXEDFILEINFO)) >= imageEnd) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "File version info overflows mapping"); status = STATUS_BUFFER_TOO_SMALL; goto Exit; } if (fileInfo->dwSignature != VS_FFI_SIGNATURE) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Invalid file version information signature (0x%08x)", fileInfo->dwSignature); status = STATUS_INVALID_SIGNATURE; goto Exit; } if (fileInfo->dwStrucVersion != 0x10000) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Unknown file version information structure (0x%08x)", fileInfo->dwStrucVersion); status = STATUS_REVISION_MISMATCH; goto Exit; } Version->MajorVersion = HIWORD(fileInfo->dwFileVersionMS); Version->MinorVersion = LOWORD(fileInfo->dwFileVersionMS); Version->BuildNumber = HIWORD(fileInfo->dwFileVersionLS); Version->Revision = LOWORD(fileInfo->dwFileVersionLS); status = STATUS_SUCCESS; } __except (EXCEPTION_EXECUTE_HANDLER) { RtlZeroMemory(Version, sizeof(KPH_FILE_VERSION)); status = GetExceptionCode(); } Exit: return status; } /** * \brief Retrieves the file version from a file. * * \param[in] FileName The name of the file to get the version from. * \param[out] Version Set to the file version. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetFileVersion( _In_ PCUNICODE_STRING FileName, _Out_ PKPH_FILE_VERSION Version ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; HANDLE fileHandle; IO_STATUS_BLOCK ioStatusBlock; PVOID imageBase; SIZE_T imageSize; KPH_PAGED_CODE_PASSIVE(); RtlZeroMemory(Version, sizeof(KPH_FILE_VERSION)); imageBase = NULL; fileHandle = NULL; InitializeObjectAttributes(&objectAttributes, (PUNICODE_STRING)FileName, OBJ_KERNEL_HANDLE, NULL, NULL); status = KphCreateFile(&fileHandle, FILE_READ_ACCESS | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "KphCreateFile failed: %!STATUS!", status); fileHandle = NULL; goto Exit; } imageSize = 0; status = KphMapViewInSystem(fileHandle, KPH_MAP_IMAGE, &imageBase, &imageSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "KphMapViewInSystem failed: %!STATUS!", status); imageBase = NULL; goto Exit; } status = KphpParseFileVersion(imageBase, imageSize, MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), Version); if (NT_SUCCESS(status)) { goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "KphpParseFileVersion failed: %!STATUS!", status); // // Try again with a neutral sub language. // status = KphpParseFileVersion(imageBase, imageSize, MAKELANGID(LANG_ENGLISH, SUBLANG_NEUTRAL), Version); if (NT_SUCCESS(status)) { goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "KphpParseFileVersion failed: %!STATUS!", status); // // Try again with neutral language and sub language. // status = KphpParseFileVersion(imageBase, imageSize, MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL), Version); if (NT_SUCCESS(status)) { goto Exit; } KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "KphpParseFileVersion failed: %!STATUS!", status); Exit: if (imageBase) { KphUnmapViewInSystem(imageBase); } if (fileHandle) { ObCloseHandle(fileHandle, KernelMode); } return status; } /** * \brief Sets CFG call target information for a process. * * \param[in] ProcessHandle Handle to the process to configure CFG for. * \param[in] VirtualAddress Virtual address to configure CFG for. * \param[in] Flags CFG call target flags (CFG_CALL_TARGET_). * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpSetCfgCallTargetInformation( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress, _In_ ULONG Flags ) { MEMORY_RANGE_ENTRY memoryRange; CFG_CALL_TARGET_INFO targetInfo; CFG_CALL_TARGET_LIST_INFORMATION targetListInfo; ULONG numberOfEntriesProcessed; KPH_PAGED_CODE_PASSIVE(); #ifdef _WIN64 C_ASSERT(sizeof(CFG_CALL_TARGET_INFO) == 16); C_ASSERT(sizeof(CFG_CALL_TARGET_LIST_INFORMATION) == 40); #endif memoryRange.VirtualAddress = PAGE_ALIGN(VirtualAddress); memoryRange.NumberOfBytes = PAGE_SIZE; targetInfo.Offset = BYTE_OFFSET(VirtualAddress); targetInfo.Flags = Flags; numberOfEntriesProcessed = 0; RtlZeroMemory(&targetListInfo, sizeof(CFG_CALL_TARGET_LIST_INFORMATION)); targetListInfo.NumberOfEntries = 1; targetListInfo.NumberOfEntriesProcessed = &numberOfEntriesProcessed; targetListInfo.CallTargetInfo = &targetInfo; return ZwSetInformationVirtualMemory(ProcessHandle, VmCfgCallTargetInformation, 1, &memoryRange, &targetListInfo, sizeof(CFG_CALL_TARGET_LIST_INFORMATION)); } /** * \brief Grants a suppressed call access to a target. * * \param[in] ProcessHandle Handle to the process to configure CFG for. * \param[in] VirtualAddress Virtual address of the target. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGuardGrantSuppressedCallAccess( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress ) { ULONG flags; KPH_PAGED_CODE_PASSIVE(); flags = CFG_CALL_TARGET_CONVERT_EXPORT_SUPPRESSED_TO_VALID; return KphpSetCfgCallTargetInformation(ProcessHandle, VirtualAddress, flags); } /** * \brief Disables XFG on a target. * * \param[in] ProcessHandle Handle to the process to configure CFG for. * \param[in] VirtualAddress Virtual address of the target. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphDisableXfgOnTarget( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress ) { ULONG flags; KPH_PAGED_CODE_PASSIVE(); flags = CFG_CALL_TARGET_CONVERT_XFG_TO_CFG; return KphpSetCfgCallTargetInformation(ProcessHandle, VirtualAddress, flags); } /** * \brief Gets the final component of a file name. * * \details The final component is the last part of the file name, e.g. for * "\SystemRoot\System32\ntoskrnl.exe" it would be "ntoskrnl.exe". Returns an * error if the final component is not found. * * \param[in] FileName File name to get the final component of. * \param[out] FinalComponent Final component of the file name, references * input string, this string should not be freed and the input string must * remain valid as long as this is in use. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphGetFileNameFinalComponent( _In_ PCUNICODE_STRING FileName, _Out_ PUNICODE_STRING FinalComponent ) { KPH_PAGED_CODE(); for (USHORT i = (FileName->Length / sizeof(WCHAR)); i > 0; i--) { if (FileName->Buffer[i - 1] == OBJ_NAME_PATH_SEPARATOR) { FinalComponent->Buffer = &FileName->Buffer[i]; FinalComponent->Length = FileName->Length - (i * sizeof(WCHAR)); FinalComponent->MaximumLength = FinalComponent->Length; return STATUS_SUCCESS; } } RtlZeroMemory(FinalComponent, sizeof(*FinalComponent)); return STATUS_NOT_FOUND; } /** * \brief Gets the image name from a process. * * \param[in] Process The process to get the image name from. * \param[out] ImageName Populated with the image name of the process, this * string should be freed using KphFreeProcessImageName. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetProcessImageName( _In_ PEPROCESS Process, _Out_allocatesMem_ PUNICODE_STRING ImageName ) { NTSTATUS status; PUCHAR fileName; SIZE_T len; KPH_PAGED_CODE_PASSIVE(); fileName = PsGetProcessImageFileName(Process); status = RtlStringCbLengthA((STRSAFE_PCNZCH)fileName, 15, &len); if (NT_SUCCESS(status)) { ANSI_STRING string; string.Buffer = (PCHAR)fileName; string.Length = (USHORT)len; string.MaximumLength = string.Length; status = RtlAnsiStringToUnicodeString(ImageName, &string, TRUE); if (NT_SUCCESS(status)) { return status; } } RtlZeroMemory(ImageName, sizeof(*ImageName)); return status; } /** * \brief Frees a process image file name from KphGetProcessImageName. * * \param[in] ImageName The image name to free. */ _IRQL_requires_max_(APC_LEVEL) VOID KphFreeProcessImageName( _In_freesMem_ PUNICODE_STRING ImageName ) { KPH_PAGED_CODE(); #pragma prefast(suppress : 28121) // SAL is incorrect in wdm.h RtlFreeUnicodeString(ImageName); } /** * \brief Opens the driver parameters key. * * \param[in] RegistryPath Registry path from the entry point. * \param[out] KeyHandle Handle to parameters key on success, null on failure. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphOpenParametersKey( _In_ PCUNICODE_STRING RegistryPath, _Out_ PHANDLE KeyHandle ) { NTSTATUS status; WCHAR buffer[MAX_PATH]; UNICODE_STRING parametersKeyName; OBJECT_ATTRIBUTES objectAttributes; KPH_PAGED_CODE_PASSIVE(); *KeyHandle = NULL; parametersKeyName.Buffer = buffer; parametersKeyName.Length = 0; parametersKeyName.MaximumLength = sizeof(buffer); status = RtlAppendUnicodeStringToString(¶metersKeyName, RegistryPath); if (!NT_SUCCESS(status)) { return status; } status = RtlAppendUnicodeToString(¶metersKeyName, L"\\Parameters"); if (!NT_SUCCESS(status)) { return status; } InitializeObjectAttributes(&objectAttributes, ¶metersKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwOpenKey(KeyHandle, KEY_READ, &objectAttributes); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "Unable to open Parameters key: %!STATUS!", status); *KeyHandle = NULL; return status; } return STATUS_SUCCESS; } /** * \brief Performs a domination check between a calling process and a target * process. * * \details A process dominates the other when the protected level of the * process exceeds the other. This domination check is not ideal, it is overly * strict and lacks enough information from the kernel to fully understand the * protected process state. * * \param[in] Process The calling process. * \param[in] ProcessTarget Target process to check against the caller. * \param[in] AccessMode Access mode of the request. * * \return Appropriate status: * STATUS_SUCCESS The calling process dominates the target. * STATUS_ACCESS_DENIED The calling process does not dominate the target. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphDominationCheck( _In_ PEPROCESS Process, _In_ PEPROCESS ProcessTarget, _In_ KPROCESSOR_MODE AccessMode ) { PS_PROTECTION processProtection; PS_PROTECTION targetProtection; KPH_PAGED_CODE(); if (AccessMode == KernelMode) { // // Give the kernel what it wants... // return STATUS_SUCCESS; } // // Until Microsoft gives us more insight into protected process domination // we'll do a very strict check here: // processProtection = PsGetProcessProtection(Process); targetProtection = PsGetProcessProtection(ProcessTarget); if ((targetProtection.Type != PsProtectedTypeNone) && (targetProtection.Type >= processProtection.Type)) { // // Calling process protection does not dominate the other, deny access. // We could do our own domination check/mapping here with the signing // level, but it won't be great and Microsoft might change it, so we'll // do this strict check until Microsoft exports: // PsTestProtectedProcessIncompatibility // RtlProtectedAccess/RtlTestProtectedAccess // return STATUS_ACCESS_DENIED; } return STATUS_SUCCESS; } /** * \brief Performs a domination and privilege check to verify that the calling * thread has the required privilege to perform the action. * * \details This function replaces a call to KphDominationCheck in certain * paths. It grants access to a protected process *only* if the calling thread * or associated process has been granted permission to do so. Session tokens * implement an expiring token validated using asymmetric keys. This involves * verification coordinated between the driver, client, and server which * requires end user authentication and may be audited or revoked at any time. * This feature is a service similar to those provided by various security * or system management focused products. System Informer provides this service * to users in this same light. System Informer provides security and system * management capabilities to users. * * \param[in] Privileges The specific privileges to be checked. * \param[in] Thread The calling thread. * \param[in] ProcessTarget Target process to check against the caller. * \param[in] AccessMode Describes the access mode of the request. * * \return Appropriate status: * STATUS_SUCCESS The calling thread or process is granted access. * STATUS_ACCESS_DENIED The calling process does not dominate the target. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphDominationAndPrivilegeCheck( _In_ ULONG Privileges, _In_ PETHREAD Thread, _In_ PEPROCESS ProcessTarget, _In_ KPROCESSOR_MODE AccessMode ) { BOOLEAN granted; PKPH_THREAD_CONTEXT thread; KPH_PAGED_CODE(); if (AccessMode == KernelMode) { return STATUS_SUCCESS; } granted = FALSE; thread = KphGetEThreadContext(Thread); if (thread) { granted = KphSessionTokenPrivilegeCheck(thread, Privileges); KphDereferenceObject(thread); } if (granted) { return STATUS_SUCCESS; } return KphDominationCheck(PsGetThreadProcess(Thread), ProcessTarget, AccessMode); } /** * \brief Retrieves the signing level of a file object. * * \param[in] FileObject The file object to query. * \param[out] SigningLevel Receives the signing level of the file object. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphGetSigningLevel( _In_ PFILE_OBJECT FileObject, _Out_ PSE_SIGNING_LEVEL SigningLevel ) { NTSTATUS status; ULONG flags; MINCRYPT_POLICY_INFO policyInfo; MINCRYPT_POLICY_INFO timeStampPolicyInfo; LARGE_INTEGER signingTime; UCHAR thumbprint[MINCRYPT_MAX_HASH_LEN]; ULONG thumbprintSize; ULONG thumbprintAlgorithm; ANSI_STRING issuer; ANSI_STRING subject; BOOLEAN microsoftSigned; KPH_PAGED_CODE_PASSIVE(); status = SeGetCachedSigningLevel(FileObject, &flags, SigningLevel, NULL, NULL, NULL); if (NT_SUCCESS(status) && (*SigningLevel != SE_SIGNING_LEVEL_UNCHECKED)) { return status; } // // Invoke CI to update the cache. // if (!KphDynCiValidateFileObject || !KphDynCiFreePolicyInfo) { return STATUS_NOINTERFACE; } RtlZeroMemory(&policyInfo, sizeof(MINCRYPT_POLICY_INFO)); RtlZeroMemory(&timeStampPolicyInfo, sizeof(MINCRYPT_POLICY_INFO)); thumbprintSize = sizeof(thumbprint); thumbprintAlgorithm = 0; status = KphDynCiValidateFileObject(FileObject, CI_POLICY_ACCEPT_ANY_ROOT_CERTIFICATE, SE_SIGNING_LEVEL_UNCHECKED, &policyInfo, &timeStampPolicyInfo, &signingTime, thumbprint, &thumbprintSize, &thumbprintAlgorithm); if (policyInfo.ChainInfo && RTL_CONTAINS_FIELD(policyInfo.ChainInfo, policyInfo.ChainInfo->Size, ChainElements) && policyInfo.ChainInfo->ChainElements && policyInfo.ChainInfo->NumberOfChainElements) { issuer.Buffer = policyInfo.ChainInfo->ChainElements[0].Issuer.Buffer; issuer.Length = policyInfo.ChainInfo->ChainElements[0].Issuer.Length; issuer.MaximumLength = issuer.Length; subject.Buffer = policyInfo.ChainInfo->ChainElements[0].Subject.Buffer; subject.Length = policyInfo.ChainInfo->ChainElements[0].Subject.Length; subject.MaximumLength = subject.Length; } else { RtlZeroMemory(&issuer, sizeof(ANSI_STRING)); RtlZeroMemory(&subject, sizeof(ANSI_STRING)); } if (!NT_SUCCESS(status) || !NT_SUCCESS(policyInfo.VerificationStatus) || BooleanFlagOn(policyInfo.PolicyBits, (MINCRYPT_POLICY_ERROR_FLAGS | MINCRYPT_POLICY_3RD_PARTY_ROOT | MINCRYPT_POLICY_NO_ROOT | MINCRYPT_POLICY_OTHER_ROOT))) { microsoftSigned = FALSE; } else { microsoftSigned = TRUE; } KphTracePrint(TRACE_LEVEL_VERBOSE, UTIL, "CiValidateFileObject: \"%wZ\" 0x%08lx \"%Z\" \"%Z\" " "%!STATUS! %!STATUS!", &FileObject->FileName, policyInfo.PolicyBits, &subject, &issuer, policyInfo.VerificationStatus, status); KphDynCiFreePolicyInfo(&policyInfo); KphDynCiFreePolicyInfo(&timeStampPolicyInfo); status = SeGetCachedSigningLevel(FileObject, &flags, SigningLevel, NULL, NULL, NULL); if (NT_SUCCESS(status)) { return status; } // // Caching of the signing level failed. If CI tells us this is Microsoft // signed then we'll return that, otherwise return the errant status. // if (microsoftSigned) { *SigningLevel = SE_SIGNING_LEVEL_MICROSOFT; status = STATUS_SUCCESS; } else { *SigningLevel = SE_SIGNING_LEVEL_UNCHECKED; } return status; } /** * \brief Retrieves image headers from a mapped image. * * \details Extends RtlImageNtHeaderEx and verifies that the optional headers * are within the region. The caller should still check that the optional * headers contains a given field with RTL_CONTAINS_FIELD. * * \param[in] Base The base address of the image. * \param[in] Size The size of the image. * \param[out] Headers Receives the image headers. * * \return Successful or errant status. */ _IRQL_requires_max_(APC_LEVEL) _Must_inspect_result_ NTSTATUS KphImageNtHeader( _In_ PVOID Base, _In_ ULONG64 Size, _Out_ PKPH_IMAGE_NT_HEADERS Headers ) { NTSTATUS status; ULONG64 size; KPH_PAGED_CODE(); status = RtlImageNtHeaderEx(0, Base, Size, &Headers->Headers); if (!NT_SUCCESS(status)) { Headers->Headers = NULL; return status; } size = PtrOffset(Base, Headers->Headers); size += RTL_SIZEOF_THROUGH_FIELD(IMAGE_NT_HEADERS, FileHeader); size += Headers->Headers->FileHeader.SizeOfOptionalHeader; if (size > Size) { Headers->Headers = NULL; return STATUS_INVALID_IMAGE_FORMAT; } return STATUS_SUCCESS; } ================================================ FILE: KSystemInformer/verify.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * jxy-s 2020-2026 * */ #include #include #define KPH_KEY_MATERIAL_SIZE ((ULONG)0x21B) #define KPH_KEY_ALG_HANDLE BCRYPT_RSA_ALG_HANDLE #define KPH_KEY_ALGORITHM BCRYPT_RSA_ALGORITHM #define KPH_KEY_HASH_ALGORITHM BCRYPT_SHA512_ALGORITHM #define KPH_KEY_HASH_ALGORITHM_BYTES (512 / 8) #define KPH_KEY_BLOB_PUBLIC BCRYPT_RSAPUBLIC_BLOB #define KPH_KEY_PADDING_FLAGS BCRYPT_PAD_PSS #define KPH_KEY_PADDING_INFO (PVOID)&KphpKeyPaddingInfo #define KPH_VERIFY_SIGNATURE_MAX_LENGTH 1024 typedef enum _KPH_KEY_TYPE { KphKeyTypeTest, KphKeyTypeProd, } KPH_KEY_TYPE, *PKPH_KEY_TYPE; typedef struct _KPH_KEY { KPH_KEY_TYPE Type; BYTE Material[KPH_KEY_MATERIAL_SIZE]; } KPH_KEY, *PKPH_KEY; typedef const KPH_KEY* PCKPH_KEY; KPH_PROTECTED_DATA_SECTION_RO_PUSH(); static const KPH_KEY KphpPublicKeys[] = { { KphKeyTypeProd, // kph { 0x52, 0x53, 0x41, 0x31, 0x00, 0x10, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0xE5, 0xF2, 0xEF, 0xE0, 0xE0, 0x02, 0x05, 0xEA, 0x55, 0xF8, 0x4C, 0x26, 0xED, 0xF9, 0x55, 0xE3, 0xBD, 0x38, 0x06, 0x5D, 0xF6, 0x26, 0xA4, 0xFF, 0x69, 0xFC, 0x4D, 0x8C, 0x02, 0x7E, 0x82, 0x96, 0x3D, 0x90, 0xE8, 0xB7, 0xEB, 0x1A, 0xE3, 0x02, 0x57, 0x0F, 0x1C, 0xE9, 0x93, 0xD0, 0x61, 0xFC, 0x75, 0xF1, 0xF3, 0xC6, 0x49, 0xF9, 0xBC, 0x39, 0x6F, 0x80, 0x40, 0xC3, 0xF9, 0xB3, 0xDC, 0xFD, 0x21, 0x28, 0x25, 0x1B, 0x91, 0x42, 0xB0, 0x29, 0xA4, 0x76, 0x4D, 0x71, 0x4D, 0x38, 0x3C, 0x9F, 0x80, 0xD9, 0x11, 0xFD, 0xD5, 0x80, 0xB1, 0xFC, 0xB9, 0xC8, 0xCB, 0xE4, 0x6C, 0x1A, 0x11, 0x8E, 0xE4, 0x9D, 0x3C, 0x24, 0x58, 0x70, 0x64, 0x88, 0x08, 0x53, 0x7F, 0x8A, 0x30, 0x67, 0x59, 0x91, 0x2E, 0x77, 0xD5, 0x1F, 0x21, 0x9C, 0x8E, 0x7B, 0x5E, 0xC0, 0x3E, 0x52, 0x26, 0x69, 0x0F, 0x95, 0x14, 0x72, 0xE5, 0xE9, 0xA2, 0xF7, 0xFC, 0x22, 0x43, 0xB5, 0x1A, 0xB1, 0xDB, 0x01, 0xC4, 0x6A, 0x13, 0x99, 0xBE, 0x0F, 0x82, 0x59, 0xC8, 0x8F, 0xCA, 0xF2, 0x86, 0x54, 0x34, 0xF5, 0x4D, 0xD9, 0xD2, 0xA7, 0x4A, 0xDF, 0x94, 0x9E, 0x13, 0x53, 0xEA, 0xD0, 0x98, 0xB1, 0x15, 0x2D, 0x59, 0xD7, 0xFF, 0x9B, 0x9C, 0x78, 0x81, 0xDE, 0x90, 0xAF, 0x7E, 0xF4, 0x7D, 0x14, 0xAC, 0x40, 0x46, 0x13, 0x45, 0x16, 0x0A, 0x22, 0x51, 0xEC, 0x4F, 0x4F, 0xCF, 0x63, 0x0F, 0x6B, 0xF3, 0xFC, 0x7C, 0x85, 0x1C, 0x1E, 0xBB, 0xF1, 0x80, 0x34, 0x9F, 0x13, 0x57, 0xB5, 0x02, 0x37, 0xF6, 0xE5, 0x3A, 0x77, 0x90, 0x1B, 0xB7, 0x6E, 0xA9, 0xA3, 0xF1, 0x33, 0xE2, 0xC7, 0xD8, 0xFF, 0x82, 0x44, 0x0E, 0x28, 0x30, 0xD6, 0x25, 0x7D, 0x71, 0x4A, 0x68, 0x1C, 0xCD, 0x70, 0x6F, 0xB0, 0x64, 0x46, 0x0E, 0xE0, 0x1D, 0x30, 0x79, 0xE6, 0x69, 0x6D, 0x47, 0xF7, 0xEB, 0x09, 0x96, 0x30, 0x40, 0xEF, 0x5C, 0x62, 0xC0, 0x18, 0x36, 0xA4, 0x95, 0x85, 0x74, 0x91, 0x50, 0xFE, 0x6D, 0xE2, 0xD5, 0x52, 0xE4, 0x1F, 0x4A, 0x28, 0xB6, 0x9D, 0x5E, 0x34, 0xD5, 0x0C, 0x28, 0x4D, 0x49, 0xDD, 0x58, 0x40, 0x83, 0x84, 0xA4, 0x0E, 0x1D, 0xE6, 0xF5, 0xF0, 0x3B, 0x46, 0xAD, 0x2D, 0x64, 0xFA, 0xAC, 0x44, 0x95, 0x52, 0x31, 0x83, 0x43, 0x67, 0x65, 0x84, 0x74, 0xB3, 0xBD, 0x59, 0x2C, 0x13, 0x8A, 0x4B, 0xA2, 0xE2, 0x32, 0xF7, 0x42, 0xC6, 0xD6, 0x3D, 0x29, 0x39, 0x1D, 0x0F, 0xEC, 0x47, 0xA2, 0xBF, 0xED, 0x69, 0x6B, 0xEC, 0x45, 0x04, 0x32, 0x01, 0x8D, 0x50, 0x48, 0x8B, 0x9C, 0x8E, 0x1E, 0xFA, 0x11, 0x03, 0x87, 0x47, 0x23, 0x83, 0x98, 0x29, 0x2B, 0xB8, 0x76, 0xD3, 0x64, 0xE7, 0x8C, 0x22, 0xAE, 0x68, 0xA3, 0xC3, 0x58, 0xC0, 0xA0, 0xFE, 0x37, 0x90, 0x26, 0x27, 0x78, 0x4E, 0xC3, 0x63, 0x87, 0x3E, 0x20, 0xEF, 0x8A, 0xEA, 0x44, 0x1E, 0xCC, 0xAD, 0x1F, 0xFC, 0x05, 0x7B, 0x0A, 0x1B, 0x02, 0xFA, 0x1C, 0xEB, 0x5D, 0x81, 0x6B, 0x09, 0x2B, 0xDE, 0x49, 0x2A, 0xA6, 0xA1, 0x82, 0xE5, 0x08, 0xBF, 0x40, 0x6E, 0x67, 0x03, 0xAC, 0xB0, 0xDB, 0xB4, 0x9B, 0x66, 0x38, 0x78, 0x91, 0x79, 0x48, 0x54, 0xCE, 0xC5, 0x32, 0xAE, 0xAB, 0x35, 0x8B, 0x9C, 0xE9, 0x00, 0x42, 0xBE, 0x98, 0x2C, 0x00, 0x0F, 0x3C, 0xC7, 0x55, 0xA4, 0x45, 0x98, 0x7C, 0xE2, 0x5E, 0xFF, 0xC0, 0xEC, 0x97, 0x9C, 0x29, 0x5D, 0x65, 0x00, 0x68, 0x68, 0x97, 0x3B, 0x32, 0x4E, 0x39, 0x51, 0x95, 0x59, 0xA3, 0x81, 0xE5, 0xDC, 0xF0, 0xAF, 0x77, 0x34, 0x64, 0x6F, 0xD6, 0x88, 0x03, 0x23, 0xFB, 0x82, 0x62, 0x86, 0xFF, 0x59 } }, { KphKeyTypeTest, // kph-dev { 0x52, 0x53, 0x41, 0x31, 0x00, 0x10, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0xAB, 0xDB, 0x39, 0x5E, 0xD1, 0xFA, 0x54, 0x35, 0xD7, 0x6B, 0x83, 0x62, 0x82, 0x06, 0xC7, 0x20, 0xDB, 0x05, 0x5E, 0x55, 0xF2, 0x3C, 0x6A, 0x52, 0x1F, 0x0B, 0xC6, 0xC2, 0xB4, 0x83, 0x13, 0xA9, 0xF2, 0xD6, 0xF7, 0x19, 0x99, 0xB5, 0xB3, 0x52, 0xE7, 0x54, 0x55, 0x17, 0x7F, 0xE3, 0xA6, 0x6B, 0xD6, 0xB7, 0xDA, 0x38, 0xC8, 0x44, 0xFF, 0x3F, 0x4A, 0x59, 0x0C, 0x3C, 0x45, 0xA3, 0x35, 0x8B, 0x34, 0x01, 0x82, 0xBD, 0x25, 0x9B, 0xAF, 0xFC, 0x56, 0x1F, 0x6E, 0xFE, 0xE2, 0xF5, 0xE1, 0x2D, 0xFB, 0x42, 0x41, 0x46, 0x48, 0x02, 0xEB, 0xEF, 0xEA, 0x41, 0x08, 0x8D, 0x58, 0xA5, 0x32, 0xFE, 0x8F, 0xE8, 0xBB, 0xF6, 0x36, 0xD9, 0x48, 0xC3, 0x2C, 0x30, 0x70, 0x57, 0xE0, 0x25, 0x1C, 0xA3, 0xE1, 0x72, 0x76, 0x48, 0xF9, 0x57, 0x8B, 0x50, 0x67, 0x27, 0x66, 0xD5, 0x70, 0x4F, 0x02, 0x94, 0x9F, 0xB3, 0xDE, 0x74, 0xF7, 0x7C, 0xD4, 0xEE, 0xFD, 0x95, 0x5D, 0x47, 0xF6, 0x0A, 0xDE, 0xA1, 0x76, 0x99, 0x52, 0x40, 0x0D, 0xB1, 0x63, 0x1C, 0x65, 0xA0, 0x04, 0xC8, 0x48, 0xE3, 0xC6, 0x3C, 0x6D, 0x26, 0x10, 0xB9, 0x22, 0x7D, 0x67, 0x5D, 0x81, 0x44, 0xAF, 0xE0, 0x85, 0xC3, 0xB3, 0x13, 0x27, 0xB8, 0xA3, 0xC2, 0x28, 0x2A, 0x57, 0xE2, 0xAE, 0x2D, 0xB7, 0x95, 0xC4, 0x13, 0x65, 0xB9, 0x5C, 0xF5, 0x29, 0x9D, 0x0E, 0x85, 0x37, 0x34, 0x34, 0xFF, 0x04, 0x17, 0x39, 0x0A, 0x5C, 0x31, 0xD8, 0x59, 0x11, 0xDA, 0x82, 0x1B, 0x18, 0x0C, 0x8E, 0x24, 0x24, 0x9B, 0x7F, 0x02, 0xB6, 0x5D, 0x31, 0x6D, 0xB5, 0x15, 0xB6, 0x54, 0x67, 0x1C, 0x6F, 0xF5, 0x2C, 0x42, 0x4B, 0x7F, 0x6F, 0xAC, 0xD7, 0x56, 0x8A, 0x18, 0xB7, 0x31, 0x02, 0x36, 0xF3, 0xB6, 0x8B, 0x47, 0x03, 0xFA, 0x84, 0xB5, 0x33, 0x90, 0xD7, 0x33, 0xF8, 0x32, 0x89, 0x7C, 0x0C, 0x31, 0xB8, 0xA3, 0xF3, 0xAF, 0x46, 0x3F, 0x77, 0x1A, 0x38, 0x8B, 0x82, 0xBD, 0x4A, 0xAD, 0x93, 0xC6, 0xFC, 0x24, 0x9F, 0xD4, 0xFF, 0xBB, 0x27, 0xE2, 0x6B, 0x5A, 0x99, 0x5F, 0x70, 0x08, 0xDB, 0xC9, 0x3A, 0xE8, 0x73, 0x87, 0x63, 0x09, 0x7F, 0x5D, 0x2A, 0x91, 0x24, 0xFA, 0xEE, 0x9D, 0xC5, 0x81, 0x97, 0x83, 0xC6, 0xD2, 0x6C, 0x5C, 0xFE, 0x45, 0x5A, 0xA4, 0xA9, 0x9C, 0xEA, 0xEF, 0x98, 0x52, 0xAE, 0x3A, 0xD0, 0x12, 0x54, 0x75, 0x9E, 0xD0, 0x1E, 0xF7, 0x9D, 0x03, 0x7E, 0xD5, 0x89, 0x3B, 0xE6, 0x87, 0x75, 0xB3, 0x7B, 0x7C, 0x45, 0x58, 0x1F, 0x8E, 0xE8, 0x59, 0x78, 0x54, 0xC3, 0xD5, 0x9B, 0x0F, 0xC7, 0x05, 0x34, 0xF2, 0x6C, 0xCF, 0x19, 0x40, 0x92, 0xDD, 0xF0, 0x1E, 0x5F, 0xA7, 0x04, 0xA2, 0x4D, 0x2E, 0x7C, 0x57, 0x43, 0x3C, 0xCC, 0xA0, 0x68, 0x0A, 0xEC, 0x47, 0x3D, 0x27, 0x16, 0x8C, 0x62, 0x33, 0x7F, 0x7D, 0x2D, 0xAA, 0x9D, 0x2F, 0x39, 0xF7, 0x44, 0xD7, 0x66, 0xE8, 0x1A, 0x38, 0x0C, 0x68, 0x9E, 0x37, 0x3E, 0x8F, 0xCF, 0x20, 0xBF, 0x9D, 0x3F, 0x4D, 0xA4, 0xFA, 0xFA, 0x67, 0xA8, 0xAD, 0xB5, 0x04, 0xFF, 0x29, 0x72, 0x4A, 0x87, 0xFD, 0x95, 0xC6, 0x1B, 0xE2, 0xA7, 0xB3, 0x7F, 0xC7, 0xCB, 0x4A, 0x5A, 0x7A, 0x02, 0x0B, 0x24, 0xBD, 0x27, 0xC1, 0xED, 0x94, 0x12, 0x5E, 0x7F, 0x45, 0x6E, 0xE5, 0x24, 0x38, 0x24, 0xA4, 0xF4, 0x93, 0xE6, 0xF6, 0x3F, 0x12, 0xD7, 0x9D, 0x2E, 0x15, 0xAC, 0x29, 0x2D, 0x83, 0xB2, 0x95, 0x5D, 0x7A, 0x1A, 0xCB, 0x9F, 0x23, 0xF3, 0x80, 0x3E, 0x8C, 0x72, 0x5F, 0x0F, 0xB2, 0x93, 0x1E, 0x15, 0xC5, 0xC0, 0x8B, 0xC3, 0xF8, 0x0A, 0xCA, 0x88, 0x07, 0x7F, 0x79 } }, { KphKeyTypeTest, // kph-test { 0x52, 0x53, 0x41, 0x31, 0x00, 0x10, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0xC7, 0x95, 0x12, 0x92, 0x18, 0x6F, 0xA2, 0x01, 0x6C, 0x9A, 0x5F, 0xC1, 0x70, 0x7B, 0xF9, 0xE3, 0x57, 0x75, 0x28, 0x13, 0xC9, 0xBF, 0xBC, 0x93, 0xCD, 0x55, 0x5C, 0xA9, 0xC2, 0x80, 0x23, 0xA2, 0xEF, 0xF4, 0xB6, 0x3A, 0xBF, 0x6E, 0x39, 0xC6, 0x23, 0xC1, 0x3B, 0x04, 0xBE, 0xB5, 0x9B, 0x5C, 0x8A, 0x64, 0xAA, 0x7A, 0x1C, 0x20, 0x7E, 0x2D, 0x52, 0x55, 0xEC, 0x3E, 0x5C, 0x40, 0xD5, 0x76, 0xC8, 0x2F, 0xFF, 0x14, 0xD7, 0xA1, 0xE7, 0x1D, 0xF1, 0x3C, 0x73, 0x89, 0x6B, 0xF5, 0xA4, 0xC6, 0x01, 0x20, 0xB1, 0xD8, 0x21, 0x70, 0xF9, 0x61, 0x76, 0x87, 0x1D, 0x24, 0x0F, 0x79, 0xEF, 0x5A, 0xE9, 0x91, 0xB0, 0x97, 0x33, 0xB5, 0x6C, 0x9F, 0x91, 0xED, 0x56, 0x80, 0x6B, 0x40, 0x3C, 0xEF, 0x46, 0xB0, 0xC5, 0xD7, 0xA7, 0xB5, 0x9D, 0x45, 0x7F, 0x03, 0xEA, 0x70, 0xA1, 0x64, 0xE2, 0x29, 0xB4, 0x08, 0x69, 0x09, 0xC0, 0xD0, 0x57, 0x38, 0xF7, 0x4B, 0x33, 0x9D, 0xF4, 0x36, 0x28, 0x15, 0xBF, 0xB1, 0x62, 0x04, 0x10, 0x4D, 0xAB, 0x47, 0x03, 0x15, 0xAB, 0xC4, 0x78, 0x0E, 0x78, 0x9D, 0x8A, 0x28, 0x74, 0x54, 0xEB, 0x66, 0xE8, 0x89, 0x45, 0x45, 0x70, 0x2E, 0xB9, 0x03, 0x1C, 0xCB, 0x83, 0xA0, 0x7C, 0x0B, 0xC5, 0xB2, 0x93, 0x6A, 0x7F, 0x65, 0x4E, 0x35, 0xFB, 0xF1, 0x58, 0x21, 0xC7, 0x2D, 0x44, 0x53, 0x69, 0x9B, 0x46, 0x23, 0x10, 0x51, 0xAE, 0x4C, 0x36, 0x18, 0xC4, 0x62, 0xBE, 0x4E, 0x44, 0xFB, 0x98, 0x42, 0x46, 0x0B, 0x33, 0x48, 0x45, 0x86, 0xEA, 0x7F, 0x75, 0x32, 0xD2, 0x6B, 0x49, 0x5A, 0x0A, 0x18, 0x37, 0xB1, 0xC3, 0x3E, 0xB0, 0x94, 0xE8, 0x46, 0x01, 0x07, 0x59, 0x5F, 0xCD, 0xFF, 0x25, 0xE6, 0xB1, 0x23, 0x34, 0xD5, 0x3A, 0xBA, 0xB9, 0x96, 0xB8, 0xCA, 0xA5, 0x15, 0xD5, 0x07, 0xE3, 0xE1, 0x63, 0x6F, 0x97, 0x4F, 0x11, 0xA5, 0x49, 0x8E, 0x29, 0x3F, 0xC9, 0xAF, 0x59, 0x56, 0x4B, 0x11, 0x04, 0x6C, 0xBE, 0x3F, 0xAE, 0x3F, 0x72, 0xD1, 0x81, 0x15, 0xDE, 0xDB, 0x5B, 0x21, 0xA7, 0x02, 0xE6, 0x50, 0x6D, 0xB0, 0x9E, 0x98, 0x23, 0x44, 0x9D, 0x1D, 0x21, 0x12, 0x7C, 0x28, 0x1F, 0x37, 0x6D, 0xCB, 0xCB, 0x1B, 0x01, 0x63, 0xF3, 0xAC, 0xAF, 0x30, 0x41, 0xBD, 0xA8, 0x39, 0xD7, 0x37, 0x59, 0x56, 0xCC, 0x3B, 0x73, 0x5C, 0xF1, 0x21, 0x9C, 0xD2, 0x75, 0xEA, 0xE7, 0xBD, 0x82, 0xDF, 0x3D, 0x5A, 0x0E, 0x9D, 0x7A, 0x41, 0x16, 0x26, 0x72, 0x12, 0xA0, 0x89, 0xFF, 0xAC, 0x83, 0x87, 0xB5, 0x9F, 0xF0, 0x56, 0xAA, 0x36, 0x9A, 0x1B, 0x41, 0x3C, 0xDF, 0x75, 0x07, 0x0E, 0xC6, 0xF5, 0xB4, 0x41, 0xF6, 0xCA, 0xB6, 0xE8, 0xF0, 0x38, 0x98, 0x4C, 0xB1, 0x56, 0xBC, 0xFD, 0xD4, 0xD9, 0xB5, 0x7E, 0x80, 0x0D, 0xB2, 0xD0, 0x2F, 0x2E, 0x6F, 0x7D, 0xFF, 0xB0, 0xF7, 0x8C, 0xE2, 0x90, 0xDC, 0x3B, 0x15, 0xF6, 0x07, 0xBC, 0x36, 0x2C, 0x40, 0x93, 0x05, 0xEF, 0xF3, 0x02, 0xEB, 0x4D, 0xB0, 0xE8, 0xC9, 0x38, 0x4B, 0xBE, 0xA1, 0xBF, 0xEE, 0x9F, 0x8A, 0x31, 0xE0, 0x76, 0xE1, 0x79, 0x94, 0xB7, 0x4D, 0x7C, 0xF4, 0x65, 0xF6, 0x8C, 0x35, 0xF5, 0x78, 0x5E, 0xFE, 0x13, 0x72, 0xC6, 0x13, 0x4C, 0x3A, 0x5E, 0x2C, 0x2B, 0x68, 0x68, 0x59, 0x02, 0x06, 0xD5, 0x7F, 0x02, 0xA6, 0xF2, 0xB6, 0x16, 0xCA, 0xE8, 0x14, 0x75, 0xDA, 0x3D, 0xF5, 0x85, 0x3D, 0x6B, 0x2D, 0x03, 0xA4, 0xC1, 0x5F, 0x5D, 0x68, 0xCC, 0xB1, 0xDE, 0xC1, 0x69, 0x22, 0x99, 0x00, 0x4A, 0x5C, 0x61, 0x14, 0xAD, 0x50, 0x05, 0xCF, 0x6E, 0xEE, 0x4C, 0xC9, 0x58, 0xA4, 0xE5 } } }; static const BCRYPT_PSS_PADDING_INFO KphpKeyPaddingInfo = { KPH_KEY_HASH_ALGORITHM, KPH_KEY_HASH_ALGORITHM_BYTES }; static const UNICODE_STRING KphpSigExtension = RTL_CONSTANT_STRING(L".sig"); KPH_PROTECTED_DATA_SECTION_RO_POP(); KPH_PROTECTED_DATA_SECTION_PUSH(); static BCRYPT_KEY_HANDLE KphpPublicKeyHandles[ARRAYSIZE(KphpPublicKeys)] = { 0 }; static ULONG KphpPublicKeyHandlesCount = 0; C_ASSERT(ARRAYSIZE(KphpPublicKeyHandles) == ARRAYSIZE(KphpPublicKeys)); KPH_PROTECTED_DATA_SECTION_POP(); KPH_PAGED_FILE(); /** * \brief Verifies that the specified signature matches the specified hash by * using one of the known public keys. * * \param[in] KeyHandle The key handle to use for verification, if NULL the * pinned keys are used to verify the signature. * \param[in] Hash The hash to verify. * \param[in] Signature The signature to check. * \param[in] SignatureLength The length of the signature. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphpVerifyHash( _In_opt_ BCRYPT_KEY_HANDLE KeyHandle, _In_ PKPH_HASH_INFORMATION HashInformation, _In_ PBYTE Signature, _In_ ULONG SignatureLength ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); status = STATUS_UNSUCCESSFUL; if (KeyHandle) { status = BCryptVerifySignature(KeyHandle, KPH_KEY_PADDING_INFO, HashInformation->Hash, HashInformation->Length, Signature, SignatureLength, KPH_KEY_PADDING_FLAGS); } else { for (ULONG i = 0; i < KphpPublicKeyHandlesCount; i++) { status = BCryptVerifySignature(KphpPublicKeyHandles[i], KPH_KEY_PADDING_INFO, HashInformation->Hash, HashInformation->Length, Signature, SignatureLength, KPH_KEY_PADDING_FLAGS); if (NT_SUCCESS(status)) { return status; } } } return status; } /** * \brief Closes a verification key handle. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphVerifyCloseKey( _In_ BCRYPT_KEY_HANDLE KeyHandle ) { KPH_PAGED_CODE_PASSIVE(); BCryptDestroyKey(KeyHandle); } /** * \brief Creates a verification key handle. * * \param[out] KeyHandle The created key handle. * \param[in] KeyMaterial The key material to use. * \param[in] KeyMaterialLength The length of the key material. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyCreateKey( _Out_ BCRYPT_KEY_HANDLE* KeyHandle, _In_ PBYTE KeyMaterial, _In_ ULONG KeyMaterialLength ) { NTSTATUS status; KPH_PAGED_CODE_PASSIVE(); status = BCryptImportKeyPair(KPH_KEY_ALG_HANDLE, NULL, KPH_KEY_BLOB_PUBLIC, KeyHandle, (PUCHAR)KeyMaterial, KeyMaterialLength, 0); if (!NT_SUCCESS(status)) { *KeyHandle = NULL; } return status; } /** * \brief Verifies a buffer matches the provided signature. * * \param[in] KeyHandle The key handle to use for verification, if NULL the * pinned keys are used to verify the signature. * \param[in] Buffer The buffer to verify. * \param[in] BufferLength The length of the buffer. * \param[in] Signature The signature to check. * \param[in] SignatureLength The length of the signature. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyBufferEx( _In_opt_ BCRYPT_KEY_HANDLE KeyHandle, _In_ PBYTE Buffer, _In_ ULONG BufferLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength ) { NTSTATUS status; KPH_HASH_INFORMATION hashInfo; KPH_PAGED_CODE_PASSIVE(); status = KphHashBuffer(Buffer, BufferLength, KphHashAlgorithmSha512, &hashInfo); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphHashBuffer failed: %!STATUS!", status); return status; } status = KphpVerifyHash(KeyHandle, &hashInfo, Signature, SignatureLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphpVerifyHash failed: %!STATUS!", status); return status; } return STATUS_SUCCESS; } /** * \brief Verifies a buffer matches the provided signature. * * \param[in] Buffer The buffer to verify. * \param[in] BufferLength The length of the buffer. * \param[in] Signature The signature to check. * \param[in] SignatureLength The length of the signature. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyBuffer( _In_ PBYTE Buffer, _In_ ULONG BufferLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength ) { KPH_PAGED_CODE_PASSIVE(); return KphVerifyBufferEx(NULL, Buffer, BufferLength, Signature, SignatureLength); } #define KphpVerifyValidFileName(FileName) \ (((FileName)->Length > KphpSigExtension.Length) && \ ((FileName)->Buffer[0] == OBJ_NAME_PATH_SEPARATOR)) /** * \brief Verifies a file object. * * \param[in] FileObject File object to verify. * \param[in] FileName Optional file name to use for verification, if not * provided the file name is looked up from the file object. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyFileObject( _In_ PFILE_OBJECT FileObject, _In_opt_ PCUNICODE_STRING FileName ) { NTSTATUS status; PCUNICODE_STRING fileName; PUNICODE_STRING localFileName; UNICODE_STRING signatureFileName; OBJECT_ATTRIBUTES objectAttributes; HANDLE signatureFileHandle; IO_STATUS_BLOCK ioStatusBlock; PBYTE signature; ULONG signatureLength; KPH_HASH_INFORMATION hashInfo; KPH_PAGED_CODE_PASSIVE(); localFileName = NULL; RtlZeroMemory(&signatureFileName, sizeof(UNICODE_STRING)); signatureFileHandle = NULL; signature = NULL; if (FileName) { fileName = FileName; } else { status = KphGetNameFileObject(FileObject, &localFileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphGetNameFileObject failed: %!STATUS!", status); goto Exit; } fileName = localFileName; } if (!KphpVerifyValidFileName(fileName)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "File name is invalid \"%wZ\"", fileName); status = STATUS_OBJECT_NAME_INVALID; goto Exit; } status = RtlDuplicateUnicodeString(0, fileName, &signatureFileName); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "RtlDuplicateUnicodeString failed: %!STATUS!", status); RtlZeroMemory(&signatureFileName, sizeof(UNICODE_STRING)); goto Exit; } // // Replace the file extension with ".sig". Our verification requires that // the signature file be placed alongside the file we're verifying. // if (signatureFileName.Length < KphpSigExtension.Length) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "Signature file name length invalid \"%wZ\"", &signatureFileName); status = STATUS_OBJECT_NAME_INVALID; goto Exit; } signatureFileName.Length -= KphpSigExtension.Length; status = RtlAppendUnicodeStringToString(&signatureFileName, &KphpSigExtension); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "RtlAppendUnicodeStringToString failed: %!STATUS!", status); goto Exit; } InitializeObjectAttributes(&objectAttributes, &signatureFileName, OBJ_KERNEL_HANDLE | OBJ_DONT_REPARSE, NULL, NULL); status = KphCreateFile(&signatureFileHandle, FILE_READ_ACCESS | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_COMPLETE_IF_OPLOCKED), NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "Failed to open signature file \"%wZ\": %!STATUS!", &signatureFileName, status); signatureFileHandle = NULL; goto Exit; } else if (status == STATUS_OPLOCK_BREAK_IN_PROGRESS) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "Failed to open signature file \"%wZ\": %!STATUS!", &signatureFileName, status); status = STATUS_SHARING_VIOLATION; goto Exit; } signature = KphAllocatePaged(KPH_VERIFY_SIGNATURE_MAX_LENGTH, KPH_TAG_VERIFY_SIGNATURE); if (!signature) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "Failed to allocate signature buffer"); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = ZwReadFile(signatureFileHandle, NULL, NULL, NULL, &ioStatusBlock, signature, KPH_VERIFY_SIGNATURE_MAX_LENGTH, NULL, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "Failed to read signature file \"%wZ\": %!STATUS!", &signatureFileName, status); goto Exit; } signatureLength = (ULONG)ioStatusBlock.Information; hashInfo.Algorithm = KphHashAlgorithmSha512; status = KphQueryHashInformationFileObject(FileObject, &hashInfo, sizeof(KPH_HASH_INFORMATION)); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphQueryHashInformationFileObject failed: %!STATUS!", status); goto Exit; } status = KphpVerifyHash(NULL, &hashInfo, signature, signatureLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphpVerifyHash failed: %!STATUS!", status); goto Exit; } status = STATUS_SUCCESS; Exit: if (signature) { KphFree(signature, KPH_TAG_VERIFY_SIGNATURE); } if (signatureFileHandle) { ObCloseHandle(signatureFileHandle, KernelMode); } RtlFreeUnicodeString(&signatureFileName); if (localFileName) { KphFreeNameFileObject(localFileName); } return status; } /** * \brief Verifies a file by name. * * \param[in] FileName File name to verify. * \param[in] FileObject Optional file object to use for verification. If * provided the opened file object is checked to match. This is useful when the * file object is known but not in a state where you can use it directly. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphVerifyFile( _In_ PCUNICODE_STRING FileName, _In_opt_ PFILE_OBJECT FileObject ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; HANDLE fileHandle; PFILE_OBJECT fileObject; KPH_PAGED_CODE_PASSIVE(); fileObject = NULL; fileHandle = NULL; if (!KphpVerifyValidFileName(FileName)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "File name is invalid \"%wZ\"", FileName); status = STATUS_OBJECT_NAME_INVALID; goto Exit; } InitializeObjectAttributes(&objectAttributes, (PUNICODE_STRING)FileName, OBJ_KERNEL_HANDLE | OBJ_DONT_REPARSE, NULL, NULL); status = KphCreateFile(&fileHandle, FILE_READ_ACCESS | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_COMPLETE_IF_OPLOCKED), NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphCreateFile failed: %!STATUS!", status); fileHandle = NULL; goto Exit; } else if (status == STATUS_OPLOCK_BREAK_IN_PROGRESS) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphCreateFile failed: %!STATUS!", status); status = STATUS_SHARING_VIOLATION; goto Exit; } status = ObReferenceObjectByHandle(fileHandle, 0, *IoFileObjectType, KernelMode, &fileObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "ObReferenceObjectByHandle failed: %!STATUS!", status); fileObject = NULL; goto Exit; } if (FileObject && !KphIsSameFile(FileObject, fileObject)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "File objects do not match!"); status = STATUS_INVALID_PARAMETER; goto Exit; } status = KphVerifyFileObject(fileObject, FileName); Exit: if (fileObject) { ObDereferenceObject(fileObject); } if (fileHandle) { ObCloseHandle(fileHandle, KernelMode); } return status; } /** * \brief Initializes verification infrastructure. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphInitializeVerify( VOID ) { BOOLEAN testSigning; KPH_PAGED_CODE_PASSIVE(); testSigning = KphTestSigningEnabled(); for (ULONG i = 0; i < ARRAYSIZE(KphpPublicKeys); i++) { NTSTATUS status; PCKPH_KEY key; BCRYPT_KEY_HANDLE keyHandle; key = &KphpPublicKeys[i]; if (!testSigning && (key->Type == KphKeyTypeTest)) { continue; } status = KphVerifyCreateKey(&keyHandle, (PBYTE)key->Material, KPH_KEY_MATERIAL_SIZE); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, VERIFY, "KphVerifyCreateKey failed: %!STATUS!", status); return status; } KphpPublicKeyHandles[KphpPublicKeyHandlesCount++] = keyHandle; } return STATUS_SUCCESS; } /** * \brief Cleans up verification infrastructure. */ _IRQL_requires_max_(PASSIVE_LEVEL) VOID KphCleanupVerify( VOID ) { KPH_PAGED_CODE_PASSIVE(); for (ULONG i = 0; i < KphpPublicKeyHandlesCount; i++) { KphVerifyCloseKey(KphpPublicKeyHandles[i]); } } ================================================ FILE: KSystemInformer/vm.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * jxy-s 2022-2026 * */ #include #include /** * \brief Queries information on mappings for a given section object. * * \param[in] SectionObject The section object to query the info of. * \param[out] SectionInformation Populated with the information. This storage * must be located in non-paged system-space memory. * \param[in] SectionInformationLength Length of the section information. * \param[out] ReturnLength Receives the number of bytes written or required. * * \return Successful or errant status. */ _IRQL_requires_max_(DISPATCH_LEVEL) _Must_inspect_result_ NTSTATUS KphpQuerySectionMappings( _In_ PVOID SectionObject, _Out_writes_bytes_opt_(SectionInformationLength) PVOID SectionInformation, _In_ ULONG SectionInformationLength, _Out_ PULONG ReturnLength ) { NTSTATUS status; PKPH_DYN dyn; ULONG returnLength; PVOID controlArea; PLIST_ENTRY listHead; PKPH_SECTION_MAPPINGS_INFORMATION info; PEX_SPIN_LOCK lock; KIRQL oldIrql; KPH_NPAGED_CODE_DISPATCH_MAX(); lock = NULL; oldIrql = 0; returnLength = 0; dyn = KphReferenceDynData(); if (!dyn || (dyn->MmSectionControlArea == ULONG_MAX) || (dyn->MmControlAreaListHead == ULONG_MAX) || (dyn->MmControlAreaLock == ULONG_MAX)) { status = STATUS_NOINTERFACE; goto Exit; } controlArea = *(PVOID*)Add2Ptr(SectionObject, dyn->MmSectionControlArea); if ((ULONG_PTR)controlArea & 3) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Section remote mappings not supported."); status = STATUS_NOT_SUPPORTED; goto Exit; } controlArea = (PVOID)((ULONG_PTR)controlArea & ~3); if (!controlArea) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Section control area is null."); status = STATUS_INVALID_PARAMETER; goto Exit; } lock = Add2Ptr(controlArea, dyn->MmControlAreaLock); oldIrql = ExAcquireSpinLockShared(lock); listHead = Add2Ptr(controlArea, dyn->MmControlAreaListHead); // // Links are shared in a union with AweContext pointer. Ensure that both // links look valid. // if (!listHead->Flink || !listHead->Blink || (listHead->Flink->Blink != listHead) || (listHead->Blink->Flink != listHead)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Section unexpected control area links."); status = STATUS_INVALID_PARAMETER; goto Exit; } returnLength = UFIELD_OFFSET(KPH_SECTION_MAPPINGS_INFORMATION, Mappings); for (PLIST_ENTRY link = listHead->Flink; link != listHead; link = link->Flink) { status = RtlULongAdd(returnLength, sizeof(KPH_SECTION_MAP_ENTRY), &returnLength); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "RtlULongAdd failed: %!STATUS!", status); goto Exit; } } if (!SectionInformation || (SectionInformationLength < returnLength)) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } info = SectionInformation; info->NumberOfMappings = 0; for (PLIST_ENTRY link = listHead->Flink; link != listHead; link = link->Flink) { PMMVAD vad; PKPH_SECTION_MAP_ENTRY entry; vad = CONTAINING_RECORD(link, MMVAD, ViewLinks); entry = &info->Mappings[info->NumberOfMappings++]; entry->ViewMapType = vad->ViewMapType; entry->ProcessId = NULL; if (vad->ViewMapType == VIEW_MAP_TYPE_PROCESS) { PEPROCESS process; process = (PEPROCESS)((ULONG_PTR)vad->VadsProcess & ~VIEW_MAP_TYPE_PROCESS); if (process) { entry->ProcessId = PsGetProcessId(process); } } entry->StartVa = MiGetVadStartAddress(vad); entry->EndVa = MiGetVadEndAddress(vad); } status = STATUS_SUCCESS; Exit: *ReturnLength = returnLength; if (lock) { ExReleaseSpinLockShared(lock, oldIrql); } if (dyn) { KphDereferenceObject(dyn); } return status; } KPH_PAGED_FILE(); /** * \brief Copies process or kernel memory into the current process. * * \param[in] ProcessHandle A handle to a process. The handle must have * PROCESS_VM_READ access. This parameter may be NULL if BaseAddress is a kernel * address. * \param[in] BaseAddress The address from which memory is to be copied. * \param[out] Buffer A buffer which receives the copied memory. * \param[in] BufferSize The number of bytes to copy. * \param[out] NumberOfBytesRead Receives the number of bytes written. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphReadVirtualMemory( _In_opt_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; SIZE_T numberOfBytesRead; BOOLEAN releaseModuleLock; PVOID buffer; BYTE stackBuffer[0x200]; KPH_PAGED_CODE_PASSIVE(); numberOfBytesRead = 0; releaseModuleLock = FALSE; buffer = NULL; if (!Buffer) { status = STATUS_INVALID_PARAMETER_3; goto Exit; } if (Add2Ptr(BaseAddress, BufferSize) < BaseAddress) { status = STATUS_ACCESS_VIOLATION; goto Exit; } if (!BufferSize) { status = STATUS_SUCCESS; goto Exit; } // // Select the appropriate copy method. // if (Add2Ptr(BaseAddress, BufferSize) > MmHighestUserAddress) { MM_COPY_ADDRESS copyAddress; // // Only permit reading from the system module ranges. Prevent TOCTOU // between checking the system module list and copying. // KeEnterCriticalRegion(); if (!ExAcquireResourceSharedLite(PsLoadedModuleResource, TRUE)) { KeLeaveCriticalRegion(); KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to acquire PsLoadedModuleResource"); status = STATUS_RESOURCE_NOT_OWNED; goto Exit; } releaseModuleLock = TRUE; status = KphValidateAddressForSystemModules(BaseAddress, BufferSize); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphValidateAddressForSystemModules failed: %!STATUS!", status); goto Exit; } buffer = KphAllocateNPagedA(BufferSize, KPH_TAG_COPY_VM, stackBuffer); if (!buffer) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "Failed to allocate copy buffer."); status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } copyAddress.VirtualAddress = BaseAddress; status = MmCopyMemory(buffer, copyAddress, BufferSize, MM_COPY_MEMORY_VIRTUAL, &numberOfBytesRead); if (AccessMode != KernelMode) { __try { CopyToUser(Buffer, buffer, numberOfBytesRead); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } } else { RtlCopyMemory(Buffer, buffer, numberOfBytesRead); } } else { PEPROCESS process; if (!ProcessHandle) { status = STATUS_INVALID_PARAMETER_1; goto Exit; } status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, AccessMode, &process, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); goto Exit; } status = MmCopyVirtualMemory(process, BaseAddress, PsGetCurrentProcess(), Buffer, BufferSize, AccessMode, &numberOfBytesRead); ObDereferenceObject(process); } Exit: if (buffer) { KphFreeA(buffer, KPH_TAG_COPY_VM, stackBuffer); } if (releaseModuleLock) { ExReleaseResourceLite(PsLoadedModuleResource); KeLeaveCriticalRegion(); } if (NumberOfBytesRead) { KphWriteSizeTToMode(NumberOfBytesRead, numberOfBytesRead, AccessMode); } return status; } /** * \brief Queries information about a section. * * \param[in] SectionHandle Handle to the query to query information of. * \param[in] SectionInformationClass Classification of information to query. * \param[out] SectionInformation Populated with the requested information. * \param[in] SectionInformationLength Length of the information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQuerySection( _In_ HANDLE SectionHandle, _In_ KPH_SECTION_INFORMATION_CLASS SectionInformationClass, _Out_writes_bytes_opt_(SectionInformationLength) PVOID SectionInformation, _In_ ULONG SectionInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; PVOID sectionObject; ULONG returnLength; PVOID buffer; BYTE stackBuffer[64]; KPH_PAGED_CODE_PASSIVE(); returnLength = 0; buffer = NULL; status = ObReferenceObjectByHandle(SectionHandle, 0, *MmSectionObjectType, KernelMode, §ionObject, NULL); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ObReferenceObjectByHandle failed: %!STATUS!", status); sectionObject = NULL; goto Exit; } switch (SectionInformationClass) { case KphSectionMappingsInformation: { if (SectionInformation) { buffer = KphAllocateNPagedA(SectionInformationLength, KPH_TAG_SECTION_QUERY, stackBuffer); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } } else { NT_ASSERT(!buffer); SectionInformationLength = 0; } status = KphpQuerySectionMappings(sectionObject, buffer, SectionInformationLength, &returnLength); if (!NT_SUCCESS(status)) { goto Exit; } if (!SectionInformation) { status = STATUS_BUFFER_TOO_SMALL; goto Exit; } status = KphCopyToMode(SectionInformation, buffer, returnLength, AccessMode); break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (ReturnLength) { KphWriteULongToMode(ReturnLength, returnLength, AccessMode); } if (sectionObject) { ObDereferenceObject(sectionObject); } if (buffer) { KphFreeA(buffer, KPH_TAG_SECTION_QUERY, stackBuffer); } return status; } /** * \brief Queries information about a region of pages within the virtual address * space of the specified process. * * \param[in] ProcessHandle Handle for the process whose context the pages to be * queried resides. * \param[in] BaseAddress The base address of the region of pages to be queried. * \param[in] MemoryInformationClass The memory information to retrieve. * \param[out] MemoryInformation Populated with the requested information. * \param[in] MemoryInformationLength Length of the information buffer. * \param[out] ReturnLength Receives the number of bytes written or required. * \param[in] AccessMode The mode in which to perform access checks. * * \return Successful or errant status. */ _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSTATUS KphQueryVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ KPH_MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_opt_(MemoryInformationLength) PVOID MemoryInformation, _In_ ULONG MemoryInformationLength, _Out_opt_ PULONG ReturnLength, _In_ KPROCESSOR_MODE AccessMode ) { NTSTATUS status; ULONG returnLength; PKPH_THREAD_CONTEXT thread; PUNICODE_STRING mappedFileName; KPH_PAGED_CODE_PASSIVE(); returnLength = 0; thread = NULL; mappedFileName = NULL; switch (MemoryInformationClass) { case KphMemoryImageSection: { SIZE_T length; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; HANDLE fileHandle; HANDLE sectionHandle; if (!MemoryInformation || (MemoryInformationLength < sizeof(HANDLE))) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(HANDLE); goto Exit; } // // At this time there is no known way to open the image section // for an address in a process without reopening the file. // // For image mappings the VAD does not retain a reference to the // actual section object but does contain a pointer to the file // object. There are a few exported APIs for creating sections // using a file object directly. And, using the file object in the // VAD, it is possible to map the data section but not the image // section. Internally, MiCreateSection has checks for SEC_IMAGE // when passing in a file object - this check will fail the // operation. // // Unfortunately, to create the image section, we have to query the // file name and open the file again. This introduces two points of // failure that could be avoided if we could create the image // section using the file object. The unfortunate failure mode is // the file being "gone" or otherwise inaccessible. The other cases // might be a resource constraint or a filter interfering with // access to the file. // mappedFileName = KphAllocatePaged(MAX_PATH, KPH_TAG_VM_QUERY); if (!mappedFileName) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = ZwQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, mappedFileName, MAX_PATH, &length); if ((status == STATUS_BUFFER_OVERFLOW) && (length > 0)) { KphFree(mappedFileName, KPH_TAG_VM_QUERY); mappedFileName = KphAllocatePaged(length, KPH_TAG_VM_QUERY); if (!mappedFileName) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = ZwQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, mappedFileName, length, &length); } if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwQueryVirtualMemory failed: %!STATUS!", status); goto Exit; } InitializeObjectAttributes(&objectAttributes, mappedFileName, OBJ_KERNEL_HANDLE, NULL, NULL); status = KphCreateFile(&fileHandle, FILE_READ_ACCESS | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KphCreateFile failed: %!STATUS!", status); goto Exit; } InitializeObjectAttributes(&objectAttributes, NULL, (AccessMode ? 0 : OBJ_KERNEL_HANDLE), NULL, NULL); status = ZwCreateSection(§ionHandle, SECTION_QUERY | SECTION_MAP_READ, &objectAttributes, NULL, PAGE_READONLY, SEC_IMAGE_NO_EXECUTE, fileHandle); ObCloseHandle(fileHandle, KernelMode); if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "ZwCreateSection failed: %!STATUS!", status); goto Exit; } status = KphWriteHandleToMode(MemoryInformation, sectionHandle, AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(HANDLE); } break; } case KphMemoryDataSection: { SIZE_T length; KPH_VM_TLS_CREATE_DATA_SECTION tls; PKPH_MEMORY_DATA_SECTION memoryInformation; if (!MemoryInformation || (MemoryInformationLength) < sizeof(KPH_MEMORY_DATA_SECTION)) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_MEMORY_DATA_SECTION); goto Exit; } // // The data section may be created using the file object in the VAD. // First we have to access the file object from the VAD. We could do // some dynamic data and walk the process VAD ourselves, but there // is a "cleaner" option. Querying for the memory mapped file name // will do the work to enumerate the VAD and will land us in our // mini-filter instance with the file object. This still comes with // possibility of filters interfering with the name query, but at // least we don't have to go through an entire IRP_MJ_CREATE. The // advantage here is we are able to create a section object for a // file that might be "gone" or otherwise inaccessible. // thread = KphGetCurrentThreadContext(); if (!thread) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(&tls, sizeof(KPH_VM_TLS_CREATE_DATA_SECTION)); tls.AccessMode = AccessMode; thread->VmTlsCreateDataSection = &tls; status = ZwQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, NULL, 0, &length); NT_ANALYSIS_ASSUME(NT_SUCCESS(status)); if (thread->VmTlsCreateDataSection) { thread->VmTlsCreateDataSection = NULL; KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "VmTlsCreateDataSection was not null! " "ZwQueryVirtualMemory returned: %!STATUS!", status); status = STATUS_UNEXPECTED_IO_ERROR; goto Exit; } status = tls.Status; if (!NT_SUCCESS(status)) { KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "KPH_VM_TLS_CREATE_DATA_SECTION status: %!STATUS!", status); goto Exit; } memoryInformation = MemoryInformation; status = KphCopyToMode(&memoryInformation->SectionFileSize, &tls.SectionFileSize, sizeof(LARGE_INTEGER), AccessMode); if (!NT_SUCCESS(status)) { ObCloseHandle(tls.SectionHandle, AccessMode); goto Exit; } status = KphWriteHandleToMode(&memoryInformation->SectionHandle, tls.SectionHandle, AccessMode); break; } case KphMemoryMappedInformation: { SIZE_T length; KPH_MEMORY_MAPPED_INFORMATION tls; KPH_MEMORY_MAPPED_INFORMATION memoryInformation; if (!MemoryInformation || (MemoryInformationLength) < sizeof(KPH_MEMORY_MAPPED_INFORMATION)) { status = STATUS_INFO_LENGTH_MISMATCH; returnLength = sizeof(KPH_MEMORY_MAPPED_INFORMATION); goto Exit; } thread = KphGetCurrentThreadContext(); if (!thread) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(&tls, sizeof(KPH_MEMORY_MAPPED_INFORMATION)); thread->VmTlsMappedInformation = &tls; status = ZwQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, NULL, 0, &length); NT_ANALYSIS_ASSUME(NT_SUCCESS(status)); if (thread->VmTlsMappedInformation) { thread->VmTlsMappedInformation = NULL; KphTracePrint(TRACE_LEVEL_VERBOSE, GENERAL, "VmTlsMappedInformation was not null! " "ZwQueryVirtualMemory returned: %!STATUS!", status); status = STATUS_UNEXPECTED_IO_ERROR; goto Exit; } RtlZeroMemory(&memoryInformation, sizeof(KPH_MEMORY_MAPPED_INFORMATION)); memoryInformation.FileObject = tls.FileObject; memoryInformation.SectionObjectPointers = tls.SectionObjectPointers; memoryInformation.DataControlArea = tls.DataControlArea; memoryInformation.SharedCacheMap = tls.SharedCacheMap; memoryInformation.ImageControlArea = tls.ImageControlArea; memoryInformation.UserWritableReferences = tls.UserWritableReferences; status = KphCopyToMode(MemoryInformation, &memoryInformation, sizeof(KPH_MEMORY_MAPPED_INFORMATION), AccessMode); if (NT_SUCCESS(status)) { returnLength = sizeof(KPH_MEMORY_MAPPED_INFORMATION); } break; } default: { status = STATUS_INVALID_INFO_CLASS; break; } } Exit: if (ReturnLength) { KphWriteULongToMode(ReturnLength, returnLength, AccessMode); } if (mappedFileName) { KphFree(mappedFileName, KPH_TAG_VM_QUERY); } if (thread) { KphDereferenceObject(thread); } return status; } ================================================ FILE: LICENSE.txt ================================================ MIT License Copyright (c) 2022 Winsider Seminars & Solutions, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================

System Informer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
Brought to you by Winsider Seminars & Solutions, Inc.

## System requirements Windows 10 or higher, 32-bit or 64-bit. ## Features * A detailed overview of system activity with highlighting. * Graphs and statistics allow you quickly to track down resource hogs and runaway processes. * Can't edit or delete a file? Discover which processes are using that file. * See what programs have active network connections, and close them if necessary. * Get real-time information on disk access. * View detailed stack traces with kernel-mode, WOW64 and .NET support. * Go beyond services.msc: create, edit and control services. * Small, portable and no installation required. * 100% [Free Software](https://www.gnu.org/philosophy/free-sw.en.html) ([MIT](https://opensource.org/licenses/MIT)) ## Building the project Requires Visual Studio (2022 or later). After cloning the repo run `build_init.cmd` located in the `build` directory, this doesn't not run again unless there are updates to the tools or third party libraries. Execute `build_release.cmd` located in the `build` directory to compile the project or load the `SystemInformer.sln` and `Plugins.sln` solutions if you prefer building the project using Visual Studio. You can download the free [Visual Studio Community Edition](https://www.visualstudio.com/vs/community/) to build the System Informer source code. See the [build readme](./build/README.md) for more information or if you're having trouble building. ## Enhancements/Bugs Please use the [GitHub issue tracker](https://github.com/winsiderss/systeminformer/issues) for reporting problems or suggesting new features. ## Settings If you are running System Informer from a USB drive, you may want to save System Informer's settings there as well. To do this, create a blank file named "SystemInformer.exe.settings.xml" in the same directory as SystemInformer.exe. You can do this using Windows Explorer: 1. Make sure "Hide extensions for known file types" is unticked in Tools > Folder options > View. 2. Right-click in the folder and choose New > Text Document. 3. Rename the file to SystemInformer.exe.settings.xml (delete the ".txt" extension). ================================================ FILE: README.txt ================================================ System Informer is a powerful free and open source process viewer. ## Getting started Simply run SystemInformer.exe to start System Informer. There are two versions, 32-bit (x86) and 64-bit (x64). If you are not sure which version to use, open Control Panel > System and check the "System type". You cannot run the 32-bit version of System Informer on a 64-bit system and expect it to work correctly, unlike other programs. ## System requirements Windows 7 or higher, 32-bit or 64-bit. ## Settings If you are running System Informer from a USB drive, you may want to save System Informer's settings there as well. To do this, create a blank file named "SystemInformer.exe.settings.xml" in the same directory as SystemInformer.exe. You can do this using Windows Explorer: 1. Make sure "Hide extensions for known file types" is unticked in Tools > Folder options > View. 2. Right-click in the folder and choose New > Text Document. 3. Rename the file to SystemInformer.exe.settings.xml (delete the ".txt" extension). ## Plugins Plugins can be configured from Hacker > Plugins. If you experience any crashes involving plugins, make sure they are up to date. The ExtendedTools plugin is only available for Windows Vista and above. Disk and Network information provided by this plugin is only available when running Process Hacker with administrative rights. ================================================ FILE: SECURITY.md ================================================ # Security Policies and Procedures This document outlines security procedures and general policies for the System Informer project. * [Reporting a Bug](#reporting-a-bug) * [Disclosure Policy](#disclosure-policy) ## Reporting a Bug The System Informer team considers security our top priority and reviews all reports of vulnerabilities or security issues very seriously. We appreciate responsible disclosure efforts and are committed to acknowledging your contributions. If you discover a security issue, please send a report by emailing security@systeminformer.com or security@systeminformer.io. The System Informer team will acknowledge your email within 48 hours, and will send a more detailed response indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. Report security bugs in third-party modules to the person or team maintaining the module. ## Disclosure Policy When the System Informer team receives a security bug report, they will assign it to a primary developer. This person will coordinate the fix and release process, involving the following steps: * Confirm the problem and determine the affected versions. * Audit code to find any potential similar problems. * Seek review from respected third-party security experts. * Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible. ================================================ FILE: SystemInformer/CMakeLists.txt ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(HEADERS "include/actions.h" "include/appsup.h" "include/colmgr.h" "include/colsetmgr.h" "include/devprv.h" "include/extmgr.h" "include/extmgri.h" "include/heapstruct.h" "include/hidnproc.h" "include/hndllist.h" "include/hndlmenu.h" "include/hndlprv.h" "include/informer.h" "include/ksisup.h" "include/mainwnd.h" "include/mainwndp.h" "include/memlist.h" "include/memprv.h" "include/memsrch.h" "include/miniinfo.h" "include/miniinfop.h" "include/modlist.h" "include/modprv.h" "include/netlist.h" "include/netprv.h" "include/notifico.h" "include/notificop.h" "include/notiftoast.h" "include/phapp.h" "include/phappres.h" "include/phfwddef.h" "include/phplug.h" "include/phsettings.h" "include/phsvc.h" "include/phsvcapi.h" "include/phsvccl.h" "include/phuisup.h" "include/procgrp.h" "include/procmtgn.h" "include/procprp.h" "include/procprpp.h" "include/procprv.h" "include/proctree.h" "include/srvlist.h" "include/srvprv.h" "include/sysinfo.h" "include/sysinfop.h" "include/thrdlist.h" "include/thrdprv.h" "resource.h" "sdk/phdk.h" ) source_group("Header Files" FILES ${HEADERS}) set(RESOURCES "version.rc" "SystemInformer.def" "SystemInformer.rc" "SystemInformer.manifest" "resources/application.ico" "resources/capslist.txt" "resources/case_sensitive_modern_dark.svg" "resources/case_sensitive_modern_light.svg" "resources/cog.ico" "resources/etwguids.txt" "resources/pooltag.txt" "resources/regex_modern_dark.svg" "resources/regex_modern_light.svg" "resources/search_modern_dark.svg" "resources/search_modern_light.svg" "resources/search_stop_modern_dark.svg" "resources/search_stop_modern_light.svg" "resources/systeminformer.png" "SystemInformer.ico" ) source_group("Resource Files" FILES ${RESOURCES}) set(SOURCES "about.c" "actions.c" "admintask.c" "affinity.c" "anawait.c" "appsup.c" "chcol.c" "chdlg.c" "chproc.c" "colmgr.c" "colsetmgr.c" "dbgcon.c" "delayhook.c" "delayload.c" "devprv.c" "extmgr.c" "findobj.c" "gdihndl.c" "heapinfo.c" "hidnproc.c" "hndllist.c" "hndlmenu.c" "hndlprp.c" "hndlprv.c" "hndlstat.c" "infodlg.c" "informer.c" "itemtips.c" "jobprp.c" "kdump.c" "ksidbg.c" "ksisup.c" "ksyscall.c" "log.c" "logwnd.c" "main.c" "mainwnd.c" "mdump.c" "memedit.c" "memlist.c" "memlists.c" "memmod.c" "memprot.c" "memprv.c" "memrslt.c" "memsrch.c" "memsrcht.c" "miniinfo.c" "modlist.c" "modprv.c" "mtgndlg.c" "mwpgdev.c" "mwpgnet.c" "mwpgproc.c" "mwpgsrv.c" "netlist.c" "netprv.c" "netsup.c" "notifico.c" "notiftoast.cpp" "ntobjprp.c" "options.c" "pagfiles.c" "plugin.c" "plugman.c" "procgrp.c" "procmtgn.c" "procprp.c" "procprv.c" "procrec.c" "proctree.c" "prpgenv.c" "prpggen.c" "prpghndl.c" "prpgjob.c" "prpgmem.c" "prpgmod.c" "prpgperf.c" "prpgsrv.c" "prpgstat.c" "prpgthrd.c" "prpgtok.c" "prpgvdm.c" "prpgwmi.c" "runas.c" "searchbox.c" "sessmsg.c" "sessprp.c" "sessshad.c" "settings.c" "srvcr.c" "srvctl.c" "srvlist.c" "srvprp.c" "srvprv.c" "sysinfo.c" "syssccpu.c" "sysscio.c" "sysscmem.c" "thrdlist.c" "thrdprv.c" "thrdstk.c" "thrdstks.c" "tokprp.c" "usrlist.c" "phsvc/clapi.c" "phsvc/svcapi.c" "phsvc/svcapiport.c" "phsvc/svcclient.c" "phsvc/svcmain.c" ) source_group("Source Files" FILES ${SOURCES}) set(ALL_FILES ${HEADERS} ${RESOURCES} ${SOURCES} ) si_add_executable(SystemInformer WIN32 ${ALL_FILES}) set_target_properties(SystemInformer PROPERTIES ENABLE_EXPORTS TRUE) target_include_directories(SystemInformer PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/include" ) target_include_directories(SystemInformer INTERFACE "${SI_ROOT}/phnt/include" "${SI_ROOT}/sdk/include" ) target_compile_definitions(SystemInformer PRIVATE _PHAPP_ ) target_link_libraries(SystemInformer PRIVATE phnt phlib kphlib_um delayimp user32 gdi32 comdlg32 advapi32 ole32 oleaut32 setupapi cfgmgr32 aclui comctl32 dnsapi ntdll userenv wbemuuid windowscodecs winhttp winsta ) target_link_options(SystemInformer PRIVATE /DELAYLOAD:setupapi.dll /DELAYLOAD:cfgmgr32.dll /DELAYLOAD:aclui.dll /DELAYLOAD:comdlg32.dll /DELAYLOAD:gdiplus.dll /DELAYLOAD:oleaut32.dll /DELAYLOAD:winhttp.dll /DELAYLOAD:winsta.dll ) si_sdkbuild(SystemInformer) ================================================ FILE: SystemInformer/Directory.Build.props ================================================ ================================================ FILE: SystemInformer/SystemInformer.def ================================================ ;/* ; * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. ; * ; * This file is part of System Informer. ; * ; * Authors: ; * ; * wj32 2008-2016 ; * dmex 2017-2024 ; * ; */ ; ; This file was automatically generated. ; ; Do not link at runtime. Use the SystemInformer.def.h header file instead. ; EXPORTS ; main PhAddProcessPropPage PhAddProcessPropPage2 PhAddPropPageLayoutItem PhAddTreeNewFilter PhAggregateProcessFieldIfNeeded PhApplyTreeNewFilters PhApplyTreeNewFiltersToNode PhChoiceDialog PhCmLoadSettings PhCmSaveSettings PhCopyListView PhCopyListViewInfoTip PhCreateKsiSettingsBlob PhCreateHandleItem PhCreateProcessPropContext PhCreateProcessPropPageContext PhCreateProcessPropPageContextEx PhCreateSearchControl PhCreateServiceListControl PhDeleteMemoryItemList PhDeleteStaticWindowIcon PhDeleteTreeNewColumnMenu PhDeleteTreeNewFilterSupport PhDereferenceProcessRecord PhDeselectAllProcessNodes PhDeselectAllServiceNodes PhDeselectAllNetworkNodes PhDestroyWindowIcon PhDeviceProviderInitialization PhDoPropPageLayout PhDuplicateProcessInformation PhDuplicateProcessNodeList PhEnumDeviceResources PhEnumNetworkItems PhEnumNetworkItemsByProcessId PhEnumProcessItems PhExecuteRunAsCommand2 PhExecuteRunAsCommand3 PhExpandAllProcessNodes PhFindNetworkNode PhFindProcessNode PhFindProcessRecord PhFindServiceNode PhFormatLocalSystemTimeISO PhFormatLogEntry PhFormatLogType PhFreezeThread PhGetApplicationIcon PhGetApplicationIconEx PhGetClientIdName PhGetClientIdNameEx PhGetDeviceIcon PhGetDeviceProperty PhGetFilterSupportNetworkTreeList PhGetFilterSupportProcessTreeList PhGetFilterSupportServiceTreeList PhGetGeneralCallback PhGetImageListIcon PhGetListViewContextMenuPoint PhGetPhReleaseChannel PhGetPhReleaseChannelString PhGetPhVersion PhGetPhVersionHash PhGetPhVersionNumbers PhGetProcessIsSuspended PhGetProcessKnownType PhGetProcessKnownTypeEx PhGetProcessPriorityClassString PhGetProcessSmallImageList PhGetProtocolTypeName PhGetSelectedAndPropagateProcessItems PhGetSelectedProcessItem PhGetSelectedProcessItems PhGetSelectedProcessNode PhGetSelectedProcessNodes PhGetSelectedServiceItem PhGetSelectedServiceItems PhGetServiceChange PhGetShieldBitmap PhGetStatisticsTime PhGetStatisticsTimeString PhGetTcpStateName PhHandleCopyCellEMenuItem PhHandleCopyListViewEMenuItem PhHandleListViewNotifyBehaviors PhHandleListViewNotifyForCopy PhHandleTreeNewColumnMenu PhImageListExtractIcon PhImageListFlushCache PhInitializeTreeNewColumnMenu PhInitializeTreeNewColumnMenuEx PhInitializeTreeNewFilterSupport PhInsertCopyCellEMenuItem PhInsertCopyListViewEMenuItem PhInsertHandleObjectPropertiesEMenuItems PhInvalidateAllProcessNodes PhIsProcessBackground PhIsProcessSuspended PhLoadSymbolProviderOptions PhLogMessageEntry PhLookupDeviceItem PhLookupDeviceItemByHash PhLookupDevicePropertyClass PhLookupMemoryItemList PhProcessImageListInitialization PhPropPageDlgProcHeader PhQueryKphCounters PhQueryMemoryItemList PhReferenceDeviceItem PhReferenceDeviceItem2 PhReferenceDeviceItemByHash PhReferenceDeviceTree PhReferenceDeviceTreeEx PhReferenceNetworkItem PhReferenceProcessItem PhReferenceProcessItemForParent PhReferenceProcessItemForRecord PhReferenceProcessRecord PhReferenceProcessRecordForStatistics PhReferenceProcessRecordSafe PhReferenceServiceItem PhRegisterDialog PhRegisterMessageLoopFilter PhRemoveTreeNewFilter PhSearchControlClear PhSearchControlMatch PhSearchControlMatchLongHintZ PhSearchControlMatchPointer PhSearchControlMatchPointerRange PhSearchControlMatchZ PhSearchOnlineString PhSelectAndEnsureVisibleProcessNode PhSelectAndEnsureVisibleServiceNode PhSetApplicationWindowIcon PhSetApplicationWindowIconEx PhSetProcessItemAffinityMask PhSetProcessItemIoPriority PhSetProcessItemPagePriority PhSetProcessItemPriority PhSetProcessItemPriorityBoost PhSetProcessItemThrottlingState PhSetSelectThreadIdProcessPropContext PhSetStaticWindowIcon PhSetWindowIcon PhShellExecuteUserString PhShellOpenKey PhShellOpenKey2 PhShellProcessHacker PhShowChooseProcessDialog PhShowHandleObjectProperties1 PhShowHandleObjectProperties2 PhShowIconNotification PhShowIconNotificationEx PhShowProcessAffinityDialog2 PhShowProcessProperties PhShowProcessRecordDialog PhShowSystemInformationDialog PhShowThreadAffinityDialog PhSiDoubleLabelYFunction PhSiSetColorsGraphDrawInfo PhSiSizeLabelYFunction PhSiUInt64LabelYFunction PhThawThread PhUnregisterDialog PhUnregisterMessageLoopFilter PhUpdateProcessNode PhUpdateServiceNode PhWordMatchStringRef PhWritePhTextHeader PhaChoiceDialog PhaGetProcessKnownCommandLine ; plugin PhEnumeratePlugins PhFindPlugin2 PhGetPluginCallback PhGetPluginFileName PhGetPluginInformation PhGetPluginInterface PhGetPluginName PhPluginAddMenuHook PhPluginAddTreeNewColumn PhPluginCallPhSvc PhPluginCreateEMenuItem PhPluginCreateTabPage PhPluginEnableTreeNewNotify PhPluginGetObjectExtension PhPluginGetSystemStatistics PhPluginInvokeWindowCallback PhPluginQueryPhSvc PhPluginReserveIds PhPluginSetObjectExtension PhRegisterPluginByName ; phsvc PhSvcCallChangeServiceConfig PhSvcCallChangeServiceConfig2 PhSvcCallPostMessage PhSvcCallSendMessage ; UI PhUiCloseConnections PhUiCloseHandles PhUiConnectSession PhUiConnectToPhSvc PhUiConnectToPhSvcEx PhUiContinueService PhUiContinueServices PhUiDebugProcess PhUiDeleteService PhUiDetachFromDebuggerProcess PhUiDisconnectFromPhSvc PhUiDisconnectSession PhUiEmptyProcessMemoryWorkingSet PhUiFlushHeapProcesses PhUiFreeMemory PhUiFreezeTreeProcess PhUiHibernateComputer PhUiLoadDllProcess PhUiLockComputer PhUiLogoffComputer PhUiLogoffSession PhUiPauseService PhUiPauseServices PhUiReduceWorkingSetProcesses PhUiRestartComputer PhUiRestartProcess PhUiRestartServices PhUiResumeProcesses PhUiResumeThreads PhUiResumeTreeProcess PhUiSetActivityModeration PhUiSetAttributesHandle PhUiSetBoostPriorityProcess PhUiSetBoostPriorityProcesses PhUiSetBoostPriorityThread PhUiSetBoostPriorityThreads PhUiSetCriticalProcess PhUiSetEcoModeProcess PhUiSetEmptyWorkingSetProcesses PhUiSetExecutionRequiredProcess PhUiSetIoPriorityProcesses PhUiSetIoPriorityThread PhUiSetPagePriorityProcess PhUiSetPagePriorityThread PhUiSetPriorityClassProcesses PhUiSetPriorityThread PhUiSetPriorityThreads PhUiSetVirtualizationProcess PhUiShutdownComputer PhUiSleepComputer PhUiStartService PhUiStartServices PhUiStopService PhUiStopServices PhUiSuspendProcesses PhUiSuspendThreads PhUiSuspendTreeProcess PhUiTerminateProcesses PhUiTerminateThreads PhUiTerminateTreeProcess PhUiThawTreeProcess PhUiUnloadModule ; ; phlib exports ; ; ref PhAutoDereferenceObject PhCreateAlloc PhCreateObject PhCreateObjectType PhCreateObjectTypeEx PhDeleteAutoPool PhDereferenceObject PhDereferenceObjectDeferDelete PhDereferenceObjectEx PhDrainAutoPool PhGetObjectType PhGetObjectTypeInformation PhInitializeAutoPool PhReferenceObject PhReferenceObjectEx PhReferenceObjectSafe ; queuedlock PhfAcquireQueuedLockExclusive PhfAcquireQueuedLockShared PhfPulseAllCondition PhfPulseCondition PhfQueueWakeEvent PhfReleaseQueuedLockExclusive PhfReleaseQueuedLockShared PhfSetWakeEvent PhfWaitForCondition PhfWaitForConditionEx PhfWaitForWakeEvent PhfWakeForReleaseQueuedLock ; phconfig PhIsExecutingInWow64 PhSystemBasicInformation DATA ; phbasesup PhAddElementAvlTree PhAddEntryHashtable PhAddEntryHashtableEx PhAddItemArray PhAddItemList PhAddItemPointerList PhAddItemSimpleHashtable PhAddItemsArray PhAddItemsList PhAddPlusMaxMemorySingles PhAllocate PhAllocateExSafe PhAllocateFromFreeList PhAllocatePage PhAllocateSafe PhAppendBytesBuilder PhAppendBytesBuilderEx PhAppendCharStringBuilder PhAppendCharStringBuilder2 PhAppendFormatStringBuilder PhAppendFormatStringBuilder_V PhAppendFormatBytesBuilder PhAppendFormatBytesBuilder_V PhAppendStringBuilderEx PhBufferToHexString PhBufferToHexStringEx PhClearArray PhClearHashtable PhClearList PhCompareStringRef PhCompareStringZNatural PhConcatStringRef2 PhConcatStringRef3 PhConcatStringRef4 PhConcatStrings PhConcatStrings2 PhConcatStrings_V PhConvertMultiByteToUtf16 PhConvertMultiByteToUtf16Ex PhConvertUtf16ToAsciiEx PhConvertUtf16ToMultiByte PhConvertUtf16ToMultiByteEx PhConvertUtf16ToUtf8 PhConvertUtf16ToUtf8Buffer PhConvertUtf16ToUtf8Ex PhConvertUtf16ToUtf8Size PhConvertUtf8ToUtf16 PhConvertUtf8ToUtf16Buffer PhConvertUtf8ToUtf16Ex PhConvertUtf8ToUtf16Size PhCopyBytesZ PhCopyConvertCircularBufferULONG PhCopyStringZ PhCopyStringZFromBytes PhCopyStringZFromMultiByte PhCountStringZ PhCreateBytesEx PhCreateHashtable PhCreateList PhCreatePointerList PhCreateSimpleHashtable PhCreateString3 PhCreateStringEx PhCreateThread PhCreateThread2 PhCreateThreadEx PhDecodeUnicodeDecoder PhDelayExecution PhDeleteArray PhDeleteBytesBuilder PhDeleteCallback PhDeleteFreeList PhDeleteStringBuilder PhDivideSinglesBySingle PhDoesNameContainWildCards PhDosErrorToNtStatus PhDuplicateBytesZ PhDuplicateBytesZSafe PhDuplicateStringZ PhEncodeUnicode PhEnumAvlTree PhEnumHashtable PhEnumPointerListEx PhEqualStringRef PhExponentiate PhExponentiate64 PhExtractIcon PhExtractIconEx PhFillMemoryUlong PhFinalBytesBuilderBytes PhFinalStringBuilderString PhFindCharInStringRef PhFindElementAvlTree PhFindEntryHashtable PhFindItemList PhFindItemPointerList PhFindItemSimpleHashtable PhFindLastCharInStringRef PhFindStringInStringRef PhFormat PhFormatBytes PhFormatBytes_V PhFormatString PhFormatString_V PhFormatSystemTimeISO PhFormatToBuffer PhFree PhFreePage PhFreeToFreeList PhGetLastError PhGetPrimeNumber PhHashBytes PhHashStringRef PhHashStringRefEx PhHexStringToBuffer PhHexStringToBufferEx PhHungWindowFromGhostWindow PhInitializeArray PhInitializeAvlTree PhInitializeBytesBuilder PhInitializeCallback PhInitializeFreeList PhInitializeStringBuilder PhInsertItemList PhInsertItemsList PhInsertStringBuilder PhInsertStringBuilder2 PhInsertStringBuilderEx PhIntegerToString64 PhInvokeCallback PhIsNameInExpression PhLoadIndirectString PhLoadResource PhLocalTimeToSystemTime PhLowerBoundElementAvlTree PhLowerDualBoundElementAvlTree PhMaxMemorySingles PhMaximumElementAvlTree PhMinimumElementAvlTree PhNtStatusFileNotFound PhNtStatusToDosError PhPredecessorElementAvlTree PhPrintTimeSpan PhQueryPerformanceCounter PhQueryPerformanceFrequency PhQuerySystemTime PhQueryTimeZoneBias PhReAllocate PhReAllocateSafe PhReferenceEmptyString PhRegisterCallback PhRegisterCallbackEx PhRemoveElementAvlTree PhRemoveEntryHashtable PhRemoveItemArray PhRemoveItemList PhRemoveItemPointerList PhRemoveItemSimpleHashtable PhRemoveItemsArray PhRemoveItemsList PhRemoveStringBuilder PhResizeArray PhResizeList PhRoundUpToPowerOfTwo PhSecondsSince1970ToTime PhSplitStringRefAtChar PhSplitStringRefAtLastChar PhSplitStringRefAtString PhSplitStringRefEx PhSplitStringRef PhFreeStringArray PhStringFuzzyMatch PhStringToDouble PhStringToInteger64 PhStringToUInt64 PhSuccessorElementAvlTree PhSystemTimeToLocalTime PhTimeToSecondsSince1970 PhTrimStringRef PhUnregisterCallback PhUpperBoundElementAvlTree PhUpperDualBoundElementAvlTree PhWriteUnicodeDecoder PhZeroExtendToUtf16Buffer PhZeroExtendToUtf16Ex PhfAcquireRundownProtection PhfBeginInitOnce PhfEndInitOnce PhfInitializeBarrier PhfInitializeEvent PhfInitializeInitOnce PhfInitializeRundownProtection PhfReleaseRundownProtection PhfResetEvent PhfSetEvent PhfWaitForBarrier PhfWaitForEvent PhfWaitForRundownProtection ; phfirmware PhEnumSMBIOS PhGetSMBIOSString ; phnative PhAdjustPrivilege PhConnectPipe PhCreateDirectoryFullPathWin32 PhCreateDirectoryWin32 PhCreateEvent PhCreateFile PhCreateFileWin32 PhCreateFileWin32Ex PhCreateKey PhCreateNamedPipe PhCreatePipe PhDeleteDirectoryWin32 PhDeleteFile PhDeleteFileWin32 PhDeleteValueKey PhDestroyWindowRemote PhDetermineDosPathNameType PhDeviceIoControlFile PhDisconnectNamedPipe PhDoesFileExist PhDoesFileExistWin32 PhDosPathNameToNtPathName PhEnumBigPoolInformation PhEnumDirectoryFile PhEnumDirectoryObjects PhEnumFileStreams PhEnumFirmwareEnvironmentValues PhEnumGenericModules PhEnumHandlesEx PhEnumKernelModules PhEnumNextProcess PhEnumNextThread PhEnumObjectIdInformation PhEnumPagefiles PhEnumPoolTagInformation PhEnumProcessEnvironmentVariables PhEnumProcesses PhEnumProcessesEx PhEnumReparsePointInformation PhEnumerateKey PhEnumerateValueKey PhEnumerateValueKeyEx PhFilterConnectCommunicationPort PhFindProcessInformation PhFindProcessInformationByImageName PhGetActiveProcessorCount PhGetContextThread PhGetDeviceType PhGetDllHandle PhGetDriverImageFileName PhGetDriverName PhGetDriverServiceKeyName PhGetFileFullAttributesInformation PhGetFileName PhGetFilePosition PhGetFileSize PhGetFirmwareEnvironmentVariable PhGetJobProcessIdList PhGetKernelFileName PhGetKernelFileNameEx PhGetModuleProcAddress PhGetNamedPipeClientComputerName PhGetNamedPipeClientProcessId PhGetNamedPipeServerProcessId PhGetObjectSecurity PhGetObjectTypeIndexName PhGetObjectTypeNumber PhGetOwnTokenAttributes PhGetPnPDeviceName PhGetProcedureAddress PhGetProcedureAddressRemote PhGetProcessAffinityMask PhGetProcessCommandLine PhGetProcessDepStatus PhGetProcessDeviceMap PhGetProcessEnvironment PhGetProcessExtendedBasicInformation PhGetProcessGroupAffinity PhGetProcessGroupInformation PhGetProcessImageFileName PhGetProcessImageFileNameById PhGetProcessImageFileNameByProcessId PhGetProcessImageFileNameWin32 PhGetProcessIoPriority PhGetProcessIsDotNet PhGetProcessIsDotNetEx PhGetProcessIsTerminated PhGetProcessIsWow64 PhGetProcessMappedFileName PhGetProcessPagePriority PhGetProcessPebString PhGetProcessPowerThrottlingState PhGetProcessPriorityBoost PhGetProcessPriorityClass PhGetProcessUnloadedDlls PhGetProcessWindowTitle PhGetProcessWorkingSetInformation PhGetProcessWsCounters PhGetSectionFileName PhGetThreadBasePriority PhGetThreadBasicInformation PhGetThreadIsTerminated PhGetThreadIoPriority PhGetThreadName PhGetTokenAppContainerSid PhGetTokenGroups PhGetTokenIntegrityLevel PhGetTokenIntegrityLevelRID PhGetTokenOwner PhGetTokenPackageFullName PhGetTokenPrimaryGroup PhGetTokenPrivileges PhGetTokenUser PhImpersonateToken PhIsDebuggerPresent PhIsFirmwareSupported PhListenNamedPipe PhLoadAppKey PhMoveFileWin32 PhOpenDirectoryObject PhOpenDriver PhOpenFile PhOpenFileById PhOpenKey PhOpenProcess PhOpenProcessClientId PhOpenProcessToken PhOpenThread PhOpenThreadClientId PhOpenThreadProcess PhPeekNamedPipe PhQueryEnvironmentVariable PhQueryFullAttributesFileWin32 PhQueryKey PhQueryKeyLastWriteTime PhQuerySymbolicLinkObject PhQueryTokenVariableSize PhQueryValueKey PhQueueUserWorkItem PhReadFile PhResolveDevicePrefix PhRevertImpersonationToken PhSetFileAllocationSize PhSetFileIoPriorityHint PhSetFilePosition PhSetFileSize PhSetFirmwareEnvironmentVariable PhSetObjectSecurity PhSetProcessPowerThrottlingState PhSetProcessPriorityBoost PhSetProcessPriorityClass PhSetThreadBasePriority PhSetThreadIoPriority PhSetThreadName PhSetTokenIsVirtualizationEnabled PhSetTokenPrivilege PhSetTokenPrivilege2 PhSetTokenSessionId PhSetValueKey PhTerminateProcess PhTraceControl PhTransceiveNamedPipe PhUnloadDllProcess PhUnloadDriver PhUpdateDosDevicePrefixes PhUpdateMupDevicePrefixes PhWaitForNamedPipe PhWriteFile ; phutil PhAdjustRectangleToBounds PhAdjustRectangleToWorkingArea PhCenterRectangle PhCenterWindow PhCompareUnicodeStringZIgnoreMenuPrefix PhConsoleSetForeground PhConsoleSetWindow PhCreateOpenFileDialog PhCreateProcess PhCreateProcessAsUser PhCreateProcessRedirection PhCreateProcessWin32 PhCreateProcessWin32Ex PhCreateSaveFileDialog PhDeleteImageVersionInfo PhDevFreeObjectProperties PhDevFreeObjects PhDevGetObjectProperties PhDevGetObjects PhEllipsisString PhEllipsisStringPath PhEscapeCommandLinePart PhEscapeStringForMenuPrefix PhExpandEnvironmentStrings PhFileReadAllTextWin32 PhFinalHash PhFormatDate PhFormatDateTime PhFormatDecimal PhFormatGuid PhFormatImageVersionInfo PhFormatSize PhFormatTime PhFormatTimeSpan PhFormatTimeSpanRelative PhFormatUInt64 PhFreeFileDialog PhFreeLibrary PhFreeLibraryAsImageResource PhGenerateGuid PhGenerateGuidFromName PhGenerateRandomAlphaString PhGenerateRandomNumber64 PhGetApplicationDataFileName PhGetApplicationDirectory PhGetApplicationDirectoryFileName PhGetApplicationDirectoryWin32 PhGetApplicationFileNameWin32 PhGetApplicationFileName PhGetBaseDirectory PhGetBaseName PhGetClassObject PhGetDllFileName PhGetDpiValue PhGetFileDialogFileName PhGetFileDialogFilterIndex PhGetFileDialogOptions PhGetFileVersionFixedInfo PhGetFileVersionInfo PhGetFileVersionInfoEx PhGetFileVersionInfoLangCodePage PhGetFileVersionInfoString PhGetFileVersionInfoString2 PhGetFullPath PhGetKnownFolderPath PhGetKnownLocation PhGetMessage PhGetMonitorDpi PhGetNtMessage PhGetNtSystemRoot PhGetRoamingAppDataDirectory PhGetStatusMessage PhGetSystemDirectory PhGetSystemDpi PhGetSystemMetrics PhGetSystemParametersInfo PhGetSystemRoot PhGetTaskbarDpi PhGetTemporaryDirectoryRandomAlphaFileName PhGetUserLocaleInfoBool PhGetWin32Message PhGetWindowDpi PhInitializeHash PhInitializeImageVersionInfo PhInitializeImageVersionInfoEx PhInitializeProcThreadAttributeList PhLargeIntegerToLocalSystemTime PhLargeIntegerToSystemTime PhLoadLibrary PhLoadLibraryAsImageResource PhMapFlags1 PhMapFlags2 PhMatchWildcards PhParseCommandLine PhParseCommandLineFuzzy PhParseCommandLinePart PhQueryRegistryString PhQueryRegistryUlong PhQueryRegistryUlong64 PhSetFileDialogFileName PhSetFileDialogFilter PhSetFileDialogOptions PhShellExecute PhShellExecuteEx PhShellExploreFile PhShellProperties PhShowConfirmMessage PhShowContinueStatus PhShowFileDialog PhShowMessage PhShowMessage2 PhShowMessageOneTime PhShowStatus PhShowTaskDialog PhStringToGuid PhSystemTimeToLargeInteger PhSystemTimeToTzSpecificLocalTime PhTaskbarListCreate PhTaskbarListDestroy PhTaskbarListSetOverlayIcon PhTaskbarListSetProgressState PhTaskbarListSetProgressValue PhUpdateHash PhUpdateProcThreadAttribute PhWaitForMultipleObjectsAndPump ; circbuf PhClearCircularBuffer_FLOAT PhClearCircularBuffer_PVOID PhClearCircularBuffer_ULONG PhClearCircularBuffer_ULONG64 PhCopyCircularBuffer_FLOAT PhCopyCircularBuffer_PVOID PhCopyCircularBuffer_ULONG PhCopyCircularBuffer_ULONG64 PhDeleteCircularBuffer_FLOAT PhDeleteCircularBuffer_PVOID PhDeleteCircularBuffer_ULONG PhDeleteCircularBuffer_ULONG64 PhInitializeCircularBuffer_FLOAT PhInitializeCircularBuffer_PVOID PhInitializeCircularBuffer_ULONG PhInitializeCircularBuffer_ULONG64 PhResizeCircularBuffer_FLOAT PhResizeCircularBuffer_PVOID PhResizeCircularBuffer_ULONG PhResizeCircularBuffer_ULONG64 ; cpysave PhGetGenericTreeNewLines PhGetListViewItemText PhGetListViewSelectedItemText PhGetTreeNewText ; emenu PhCreateEMenu PhCreateEMenuItem PhDestroyEMenu PhDestroyEMenuItem PhFindEMenuItem PhIndexOfEMenuItem PhInsertEMenuItem PhLoadResourceEMenuItem PhModifyEMenuItem PhRemoveAllEMenuItems PhRemoveEMenuItem PhSetFlagsAllEMenuItems PhSetFlagsEMenuItem PhShowEMenu ; fastlock PhDeleteFastLock PhInitializeFastLock PhfAcquireFastLockExclusive PhfAcquireFastLockShared PhfReleaseFastLockExclusive PhfReleaseFastLockShared PhfTryAcquireFastLockExclusive PhfTryAcquireFastLockShared ; filestream PhCreateFileStream PhCreateFileStream2 PhFlushFileStream PhGetPositionFileStream PhLockFileStream PhReadFileStream PhSeekFileStream PhUnlockFileStream PhVerifyFileStream PhWriteFileStream PhWriteStringAsUtf8FileStream PhWriteStringAsUtf8FileStreamEx PhWriteStringFormatAsUtf8FileStream PhWriteStringFormatAsUtf8FileStream_V ; graph PhDeleteGraphState PhDrawGraphDirect PhDrawTrayIconText PhGetDrawInfoGraphBuffers PhGraphStateGetDrawInfo PhInitializeGraphState PhNfGetTrayIconFont PhSetGraphText ; guisup PhAddLayoutItem PhAddLayoutItemEx PhAddListViewColumn PhAddListViewGroup PhAddListViewGroupItem PhAddListViewItem PhAddTabControlTab PhBitmapSetAlpha PhCloseThemeData PhCreateCommonFont PhCreateDialog PhCreateDIBSection PhCreateIconTitleFont PhCreateWindowEx PhDeleteLayoutManager PhDialogBox PhDuplicateFont PhDuplicateFontWithNewWeight PhEnumChildWindows PhEnumWindows PhEnumWindowsEx PhFindListViewItemByFlags PhFindListViewItemByParam PhGetClassName PhGetComboBoxString PhGetDialogItemValue PhGetListBoxString PhGetListViewItemImageIndex PhGetListViewItemParam PhGetSelectedListViewItemParam PhGetSelectedListViewItemParams PhGetStockApplicationIcon PhGetStockObject PhGetThemeMargins PhGetThemePartSize PhGetWindowClientId PhGetWindowCompositionAttribute PhGetWindowContext PhGetWindowText PhGetWindowTextEx PhGetWindowTextToBuffer PhIconToBitmap PhImageListAddBitmap PhImageListAddIcon PhImageListCreate PhImageListDestroy PhImageListDrawEx PhImageListDrawIcon PhImageListGetIcon PhImageListRemoveIcon PhImageListReplace PhImageListSetBkColor PhImageListSetIconSize PhImageListSetImageCount PhInitializeLayoutManager PhIsThemeActive PhLayoutManagerUpdate PhLayoutManagerLayout PhLoadIcon PhLoadImageFormatFromResource PhModalPropertySheet PhOpenThemeData PhQueryDirectXExclusiveOwnership PhInitializeWindowTheme PhReInitializeWindowTheme PhRegisterWindowCallback PhRemoveListViewItem PhRemoveWindowContext PhSelectComboBoxString PhSetClipboardString PhSetControlTheme PhSetDialogItemText PhSetDialogItemValue PhSetExtendedListView PhSetGroupBoxText PhSetHeaderSortIcon PhSetImageListBitmap PhSetListViewItemImageIndex PhSetListViewItemParam PhSetListViewSubItem PhSetStateAllListViewItems PhSetWindowContext PhSetWindowText PhTerminateWindow PhThemeWindowDrawRebar PhThemeWindowDrawToolbar PhUnregisterWindowCallback PhUserQueryWindow PhWindowThemeControlColor ; hndlinfo PhCallKphQueryFileInformationWithTimeout PhCompareObjects PhEnumObjectTypes PhFormatNativeKeyName PhGetEtwPublisherName PhGetHandleInformation PhGetHandleInformationEx PhGetObjectTypeName PhQueryObjectName PhStdGetClientIdName ; lsasup PhEnumeratePrivileges PhGetSidFullName PhLookupName PhLookupPrivilegeDisplayName PhLookupPrivilegeName PhLookupPrivilegeValue PhLookupSid PhOpenLsaPolicy PhSidToStringSid ; mapimg PhLoadMappedImage PhLoadMappedImageEx PhLoadMappedImageHeaderPageSize PhUnloadMappedImage ; provider PhBoostProvider PhDeleteProviderThread PhGetEnabledProvider PhInitializeProviderThread PhRegisterProvider PhSetEnabledProvider PhSetIntervalProviderThread PhStartProviderThread PhStopProviderThread PhUnregisterProvider ; settings PhAddSetting PhAddSettings PhClearIgnoredSettings PhConvertIgnoredSettings PhGetIntegerPairStringRefSetting PhGetIntegerStringRefSetting PhGetScalableIntegerPairStringRefSetting PhGetStringRefSetting PhLoadCustomColorList PhLoadListViewColumnSettings PhLoadListViewColumnsFromSetting PhLoadListViewGroupStatesFromSetting PhLoadListViewSortColumnsFromSetting PhLoadSettings PhLoadWindowPlacementFromSetting PhResetSettings PhSaveCustomColorList PhSaveListViewColumnSettings PhSaveListViewColumnsToSetting PhSaveListViewGroupStatesToSetting PhSaveListViewSortColumnsToSetting PhSaveSettings PhSaveWindowPlacementToSetting PhSetIntegerPairStringRefSetting PhSetIntegerStringRefSetting PhSetScalableIntegerPairStringRefSetting PhSetScalableIntegerPairStringRefSetting2 PhSetStringRefSetting PhUpdateCachedSettings ; secedit PhCreateSecurityPage PhEditSecurity PhGetAccessEntries PhGetAccessString PhGetSeObjectSecurity PhSetSeObjectSecurity PhStdGetObjectSecurity PhStdSetObjectSecurity ; svcsup PhChangeServiceConfig2 PhCloseServiceHandle PhEnumDependentServices PhGetServiceConfig PhGetServiceConfigFileName PhGetServiceDescription PhGetServiceDllParameter PhGetServiceErrorControlInteger PhGetServiceErrorControlString PhGetServiceFileName PhGetServiceNameFromTag PhGetServiceStartTypeInteger PhGetServiceStartTypeString PhGetServiceStateString PhGetServiceTypeInteger PhGetServiceTypeString PhGetThreadServiceTag PhOpenService PhOpenServiceKey PhQueryServiceConfig PhQueryServiceConfig2 PhQueryServiceStatus PhQueryServiceVariableSize PhStartService PhStopService ; symprv PhCreateSymbolProvider PhGetLineFromAddress PhGetModuleFromAddress PhGetSymbolFromAddress PhGetSymbolFromName PhLoadSymbolProviderModules PhLoadModuleSymbolProvider PhLoadModulesForVirtualSymbolProvider PhSetOptionsSymbolProvider PhSetSearchPathSymbolProvider PhStackWalk PhWalkThreadStack PhWriteMiniDumpProcess ; verify PhVerifyFile PhVerifyFileIsChainedToMicrosoft ; workqueue PhDeleteWorkQueue PhGetGlobalWorkQueue PhInitializeWorkQueue PhInitializeWorkQueueEnvironment PhQueueItemWorkQueue PhQueueItemWorkQueueEx PhWaitForWorkQueue ; json PhAddJsonArrayObject PhAddJsonObject PhAddJsonObject2 PhAddJsonObjectUtf8 PhAddJsonObjectInt64 PhAddJsonObjectUInt64 PhAddJsonObjectValue PhCreateJsonArray PhCreateJsonObject PhCreateJsonParser PhCreateJsonParserEx PhFreeJsonObject PhGetJsonArrayIndexObject PhGetJsonArrayLength PhGetJsonArrayLong64 PhGetJsonArrayString PhGetJsonObject PhGetJsonObjectAsArrayList PhGetJsonObjectBool PhGetJsonObjectLength PhGetJsonObjectType PhGetJsonValueAsInt64 PhGetJsonValueAsString PhGetJsonValueAsUInt64 PhLoadJsonObjectFromFile PhSaveJsonObjectToFile ; xml PhCreateXmlNode PhCreateXmlOpaqueNode PhFindXmlObject PhFreeXmlObject PhGetXmlNodeAttributeByIndex PhGetXmlNodeAttributeCount PhGetXmlNodeAttributeText PhGetXmlNodeElementText PhGetXmlNodeFirstChild PhGetXmlNodeNextChild PhGetXmlNodeOpaqueText PhGetXmlObject PhLoadXmlObjectFromFile PhLoadXmlObjectFromString PhSaveXmlObjectToFile PhSetXmlNodeAttributeText ; cache PhClearCacheDirectory PhCreateCacheFile PhDeleteCacheFile ; appresolver PhAppResolverGetAppIdForWindow PhGetProcessPackageFullName ; http PhDnsFree PhDnsQuery PhDnsQuery2 PhDnsReverseLookupNameFromAddress PhHttpAddRequestHeaders PhHttpBeginRequest PhHttpClose PhHttpConnect PhHttpCrackUrl PhHttpInitialize PhHttpDestroy PhHttpDownloadString PhHttpReceiveResponse PhHttpGetErrorMessage PhHttpQueryHeaderString PhHttpQueryHeaderUlong PhHttpQueryHeaderUlong64 PhHttpQueryHeaders PhHttpQueryOptionString PhHttpReadData PhHttpReadDataToBuffer PhHttpSendRequest PhHttpSetCredentials PhHttpSetFeature PhHttpSetSecurity PhHttpSetProtocol PhHttpWriteData PhIpv4AddressToString PhIpv6AddressToString PhIpv4StringToAddress PhIpv6StringToAddress ; ksiuser KsiLevel KphAlpcQueryInformation KphDuplicateObject KphOpenDevice KphOpenDeviceBaseDevice KphOpenDeviceDriver KphQueryInformationDriver KphQueryInformationObject KsiEnumerateProcessHandles KsiQueryHashInformationFile ================================================ FILE: SystemInformer/SystemInformer.def.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2008-2016 * dmex 2017-2024 * * * This file was automatically generated. * * Do not link at runtime. Use the SystemInformer.def.h header file instead. * */ #pragma once #ifndef _PH_EXPORT_DEF_H #define _PH_EXPORT_DEF_H #define EXPORT_PHADDPROCESSPROPPAGE 1001 #define EXPORT_PHADDPROCESSPROPPAGE2 1002 #define EXPORT_PHADDPROPPAGELAYOUTITEM 1003 #define EXPORT_PHADDTREENEWFILTER 1004 #define EXPORT_PHAPPLYTREENEWFILTERS 1005 #define EXPORT_PHAPPLYTREENEWFILTERSTONODE 1006 #define EXPORT_PHCHOICEDIALOG 1007 #define EXPORT_PHCMLOADSETTINGS 1008 #define EXPORT_PHCMSAVESETTINGS 1009 #define EXPORT_PHCOPYLISTVIEW 1010 #define EXPORT_PHCOPYLISTVIEWINFOTIP 1011 #define EXPORT_PHCREATEKSISETTINGSBLOB 1012 #define EXPORT_PHCREATEPROCESSPROPCONTEXT 1013 #define EXPORT_PHCREATEPROCESSPROPPAGECONTEXT 1014 #define EXPORT_PHCREATEPROCESSPROPPAGECONTEXTEX 1015 #define EXPORT_PHCREATESEARCHCONTROL 1016 #define EXPORT_PHCREATESERVICELISTCONTROL 1017 #define EXPORT_PHDELETEMEMORYITEMLIST 1018 #define EXPORT_PHDELETESTATICWINDOWICON 1019 #define EXPORT_PHDELETETREENEWCOLUMNMENU 1020 #define EXPORT_PHDELETETREENEWFILTERSUPPORT 1021 #define EXPORT_PHDEREFERENCEPROCESSRECORD 1022 #define EXPORT_PHDESELECTALLPROCESSNODES 1023 #define EXPORT_PHDESELECTALLSERVICENODES 1024 #define EXPORT_PHDESTROYWINDOWICON 1025 #define EXPORT_PHDEVICEPROVIDERINITIALIZATION 1026 #define EXPORT_PHDOPROPPAGELAYOUT 1027 #define EXPORT_PHDUPLICATEPROCESSINFORMATION 1028 #define EXPORT_PHDUPLICATEPROCESSNODELIST 1029 #define EXPORT_PHENUMNETWORKITEMS 1030 #define EXPORT_PHENUMNETWORKITEMSBYPROCESSID 1031 #define EXPORT_PHENUMPROCESSITEMS 1032 #define EXPORT_PHEXECUTERUNASCOMMAND2 1033 #define EXPORT_PHEXECUTERUNASCOMMAND3 1034 #define EXPORT_PHEXPANDALLPROCESSNODES 1035 #define EXPORT_PHFINDNETWORKNODE 1036 #define EXPORT_PHFINDPROCESSNODE 1037 #define EXPORT_PHFINDPROCESSRECORD 1038 #define EXPORT_PHFINDSERVICENODE 1039 #define EXPORT_PHFORMATLOGENTRY 1040 #define EXPORT_PHGETAPPLICATIONICON 1041 #define EXPORT_PHGETAPPLICATIONICONEX 1042 #define EXPORT_PHGETCLIENTIDNAME 1043 #define EXPORT_PHGETCLIENTIDNAMEEX 1044 #define EXPORT_PHGETDEVICEICON 1045 #define EXPORT_PHGETDEVICEPROPERTY 1046 #define EXPORT_PHGETFILTERSUPPORTNETWORKTREELIST 1047 #define EXPORT_PHGETFILTERSUPPORTPROCESSTREELIST 1048 #define EXPORT_PHGETFILTERSUPPORTSERVICETREELIST 1049 #define EXPORT_PHGETGENERALCALLBACK 1050 #define EXPORT_PHGETIMAGELISTICON 1051 #define EXPORT_PHGETLISTVIEWCONTEXTMENUPOINT 1052 #define EXPORT_PHGETPHRELEASECHANNEL 1053 #define EXPORT_PHGETPHRELEASECHANNELSTRING 1054 #define EXPORT_PHGETPHVERSION 1055 #define EXPORT_PHGETPHVERSIONHASH 1056 #define EXPORT_PHGETPHVERSIONNUMBERS 1057 #define EXPORT_PHGETPROCESSISSUSPENDED 1058 #define EXPORT_PHGETPROCESSKNOWNTYPE 1059 #define EXPORT_PHGETPROCESSKNOWNTYPEEX 1060 #define EXPORT_PHGETPROCESSPRIORITYCLASSSTRING 1061 #define EXPORT_PHGETPROCESSSMALLIMAGELIST 1062 #define EXPORT_PHGETPROTOCOLTYPENAME 1063 #define EXPORT_PHGETSELECTEDANDPROPAGATEPROCESSITEMS 1064 #define EXPORT_PHGETSELECTEDPROCESSITEM 1065 #define EXPORT_PHGETSELECTEDPROCESSITEMS 1066 #define EXPORT_PHGETSELECTEDPROCESSNODES 1067 #define EXPORT_PHGETSELECTEDSERVICEITEM 1068 #define EXPORT_PHGETSELECTEDSERVICEITEMS 1069 #define EXPORT_PHGETSERVICECHANGE 1070 #define EXPORT_PHGETSHIELDBITMAP 1071 #define EXPORT_PHGETSTATISTICSTIME 1072 #define EXPORT_PHGETSTATISTICSTIMESTRING 1073 #define EXPORT_PHGETTCPSTATENAME 1074 #define EXPORT_PHHANDLECOPYCELLEMENUITEM 1075 #define EXPORT_PHHANDLECOPYLISTVIEWEMENUITEM 1076 #define EXPORT_PHHANDLELISTVIEWNOTIFYBEHAVIORS 1077 #define EXPORT_PHHANDLELISTVIEWNOTIFYFORCOPY 1078 #define EXPORT_PHHANDLETREENEWCOLUMNMENU 1079 #define EXPORT_PHIMAGELISTEXTRACTICON 1080 #define EXPORT_PHIMAGELISTFLUSHCACHE 1081 #define EXPORT_PHINITIALIZETREENEWCOLUMNMENU 1082 #define EXPORT_PHINITIALIZETREENEWCOLUMNMENUEX 1083 #define EXPORT_PHINITIALIZETREENEWFILTERSUPPORT 1084 #define EXPORT_PHINSERTCOPYCELLEMENUITEM 1085 #define EXPORT_PHINSERTCOPYLISTVIEWEMENUITEM 1086 #define EXPORT_PHINSERTHANDLEOBJECTPROPERTIESEMENUITEMS 1087 #define EXPORT_PHINVALIDATEALLPROCESSNODES 1088 #define EXPORT_PHISPROCESSSUSPENDED 1089 #define EXPORT_PHLOADSYMBOLPROVIDEROPTIONS 1090 #define EXPORT_PHLOGMESSAGEENTRY 1091 #define EXPORT_PHLOOKUPDEVICEITEM 1092 #define EXPORT_PHLOOKUPDEVICEITEMBYHASH 1093 #define EXPORT_PHLOOKUPDEVICEPROPERTYCLASS 1094 #define EXPORT_PHLOOKUPMEMORYITEMLIST 1095 #define EXPORT_PHPROCESSIMAGELISTINITIALIZATION 1096 #define EXPORT_PHPROPPAGEDLGPROCHEADER 1097 #define EXPORT_PHQUERYMEMORYITEMLIST 1098 #define EXPORT_PHREFERENCEDEVICEITEM 1099 #define EXPORT_PHREFERENCEDEVICEITEM2 1100 #define EXPORT_PHREFERENCEDEVICEITEMBYHASH 1101 #define EXPORT_PHREFERENCEDEVICETREE 1102 #define EXPORT_PHREFERENCEDEVICETREEEX 1103 #define EXPORT_PHREFERENCENETWORKITEM 1104 #define EXPORT_PHREFERENCEPROCESSITEM 1105 #define EXPORT_PHREFERENCEPROCESSITEMFORPARENT 1106 #define EXPORT_PHREFERENCEPROCESSITEMFORRECORD 1107 #define EXPORT_PHREFERENCEPROCESSRECORD 1108 #define EXPORT_PHREFERENCEPROCESSRECORDFORSTATISTICS 1109 #define EXPORT_PHREFERENCEPROCESSRECORDSAFE 1110 #define EXPORT_PHREFERENCESERVICEITEM 1111 #define EXPORT_PHREGISTERDIALOG 1112 #define EXPORT_PHREGISTERMESSAGELOOPFILTER 1113 #define EXPORT_PHREMOVETREENEWFILTER 1114 #define EXPORT_PHSEARCHCONTROLMATCH 1115 #define EXPORT_PHSEARCHCONTROLMATCHLONGHINTZ 1116 #define EXPORT_PHSEARCHCONTROLMATCHPOINTER 1117 #define EXPORT_PHSEARCHCONTROLMATCHPOINTERRANGE 1118 #define EXPORT_PHSEARCHCONTROLMATCHZ 1119 #define EXPORT_PHSEARCHONLINESTRING 1120 #define EXPORT_PHSELECTANDENSUREVISIBLEPROCESSNODE 1121 #define EXPORT_PHSELECTANDENSUREVISIBLESERVICENODE 1122 #define EXPORT_PHSETAPPLICATIONWINDOWICON 1123 #define EXPORT_PHSETAPPLICATIONWINDOWICONEX 1124 #define EXPORT_PHSETPROCESSITEMAFFINITYMASK 1125 #define EXPORT_PHSETPROCESSITEMIOPRIORITY 1126 #define EXPORT_PHSETPROCESSITEMPAGEPRIORITY 1127 #define EXPORT_PHSETPROCESSITEMPRIORITY 1128 #define EXPORT_PHSETPROCESSITEMPRIORITYBOOST 1129 #define EXPORT_PHSETPROCESSITEMTHROTTLINGSTATE 1130 #define EXPORT_PHSETSELECTTHREADIDPROCESSPROPCONTEXT 1131 #define EXPORT_PHSETSTATICWINDOWICON 1132 #define EXPORT_PHSETWINDOWICON 1133 #define EXPORT_PHSHELLEXECUTEUSERSTRING 1134 #define EXPORT_PHSHELLOPENKEY 1135 #define EXPORT_PHSHELLOPENKEY2 1136 #define EXPORT_PHSHELLPROCESSHACKER 1137 #define EXPORT_PHSHOWCHOOSEPROCESSDIALOG 1138 #define EXPORT_PHSHOWHANDLEOBJECTPROPERTIES1 1139 #define EXPORT_PHSHOWHANDLEOBJECTPROPERTIES2 1140 #define EXPORT_PHSHOWICONNOTIFICATION 1141 #define EXPORT_PHSHOWPROCESSAFFINITYDIALOG2 1142 #define EXPORT_PHSHOWPROCESSPROPERTIES 1143 #define EXPORT_PHSHOWPROCESSRECORDDIALOG 1144 #define EXPORT_PHSHOWSYSTEMINFORMATIONDIALOG 1145 #define EXPORT_PHSHOWTHREADAFFINITYDIALOG 1146 #define EXPORT_PHSIDOUBLELABELYFUNCTION 1147 #define EXPORT_PHSISETCOLORSGRAPHDRAWINFO 1148 #define EXPORT_PHSISIZELABELYFUNCTION 1149 #define EXPORT_PHSIUINT64LABELYFUNCTION 1150 #define EXPORT_PHUNREGISTERDIALOG 1151 #define EXPORT_PHUNREGISTERMESSAGELOOPFILTER 1152 #define EXPORT_PHUPDATEPROCESSNODE 1153 #define EXPORT_PHUPDATESERVICENODE 1154 #define EXPORT_PHWORDMATCHSTRINGREF 1155 #define EXPORT_PHWRITEPHTEXTHEADER 1156 #define EXPORT_PHACHOICEDIALOG 1157 #define EXPORT_PHAGETPROCESSKNOWNCOMMANDLINE 1158 #define EXPORT_PHENUMERATEPLUGINS 1159 #define EXPORT_PHFINDPLUGIN2 1160 #define EXPORT_PHGETPLUGINCALLBACK 1161 #define EXPORT_PHGETPLUGINFILENAME 1162 #define EXPORT_PHGETPLUGININFORMATION 1163 #define EXPORT_PHGETPLUGININTERFACE 1164 #define EXPORT_PHGETPLUGINNAME 1165 #define EXPORT_PHPLUGINADDMENUHOOK 1166 #define EXPORT_PHPLUGINADDTREENEWCOLUMN 1167 #define EXPORT_PHPLUGINCALLPHSVC 1168 #define EXPORT_PHPLUGINCREATEEMENUITEM 1169 #define EXPORT_PHPLUGINCREATETABPAGE 1170 #define EXPORT_PHPLUGINENABLETREENEWNOTIFY 1171 #define EXPORT_PHPLUGINGETOBJECTEXTENSION 1172 #define EXPORT_PHPLUGINGETSYSTEMSTATISTICS 1173 #define EXPORT_PHPLUGININVOKEWINDOWCALLBACK 1174 #define EXPORT_PHPLUGINQUERYPHSVC 1175 #define EXPORT_PHPLUGINRESERVEIDS 1176 #define EXPORT_PHPLUGINSETOBJECTEXTENSION 1177 #define EXPORT_PHREGISTERPLUGIN 1178 #define EXPORT_PHSVCCALLCHANGESERVICECONFIG 1179 #define EXPORT_PHSVCCALLCHANGESERVICECONFIG2 1180 #define EXPORT_PHSVCCALLPOSTMESSAGE 1181 #define EXPORT_PHSVCCALLSENDMESSAGE 1182 #define EXPORT_PHUICLOSECONNECTIONS 1183 #define EXPORT_PHUICLOSEHANDLES 1184 #define EXPORT_PHUICONNECTSESSION 1185 #define EXPORT_PHUICONNECTTOPHSVC 1186 #define EXPORT_PHUICONNECTTOPHSVCEX 1187 #define EXPORT_PHUICONTINUESERVICE 1188 #define EXPORT_PHUICONTINUESERVICES 1189 #define EXPORT_PHUIDEBUGPROCESS 1190 #define EXPORT_PHUIDELETESERVICE 1191 #define EXPORT_PHUIDETACHFROMDEBUGGERPROCESS 1192 #define EXPORT_PHUIDISCONNECTFROMPHSVC 1193 #define EXPORT_PHUIDISCONNECTSESSION 1194 #define EXPORT_PHUIFLUSHHEAPPROCESSES 1195 #define EXPORT_PHUIFREEMEMORY 1196 #define EXPORT_PHUIFREEZETREEPROCESS 1197 #define EXPORT_PHUIHIBERNATECOMPUTER 1198 #define EXPORT_PHUILOADDLLPROCESS 1199 #define EXPORT_PHUILOCKCOMPUTER 1200 #define EXPORT_PHUILOGOFFCOMPUTER 1201 #define EXPORT_PHUILOGOFFSESSION 1202 #define EXPORT_PHUIPAUSESERVICE 1203 #define EXPORT_PHUIPAUSESERVICES 1204 #define EXPORT_PHUIREDUCEWORKINGSETPROCESSES 1205 #define EXPORT_PHUIRESTARTCOMPUTER 1206 #define EXPORT_PHUIRESTARTPROCESS 1207 #define EXPORT_PHUIRESUMEPROCESSES 1208 #define EXPORT_PHUIRESUMETHREADS 1209 #define EXPORT_PHUIRESUMETREEPROCESS 1210 #define EXPORT_PHUISETATTRIBUTESHANDLE 1211 #define EXPORT_PHUISETBOOSTPRIORITYPROCESS 1212 #define EXPORT_PHUISETBOOSTPRIORITYPROCESSES 1213 #define EXPORT_PHUISETBOOSTPRIORITYTHREAD 1214 #define EXPORT_PHUISETBOOSTPRIORITYTHREADS 1215 #define EXPORT_PHUISETCRITICALPROCESS 1216 #define EXPORT_PHUISETECOMODEPROCESS 1217 #define EXPORT_PHUISETEXECUTIONREQUIREDPROCESS 1218 #define EXPORT_PHUISETIOPRIORITYPROCESSES 1219 #define EXPORT_PHUISETIOPRIORITYTHREAD 1220 #define EXPORT_PHUISETPAGEPRIORITYPROCESS 1221 #define EXPORT_PHUISETPAGEPRIORITYTHREAD 1222 #define EXPORT_PHUISETPRIORITYPROCESSES 1223 #define EXPORT_PHUISETPRIORITYTHREAD 1224 #define EXPORT_PHUISETPRIORITYTHREADS 1225 #define EXPORT_PHUISETVIRTUALIZATIONPROCESS 1226 #define EXPORT_PHUISHUTDOWNCOMPUTER 1227 #define EXPORT_PHUISLEEPCOMPUTER 1228 #define EXPORT_PHUISTARTSERVICE 1229 #define EXPORT_PHUISTARTSERVICES 1230 #define EXPORT_PHUISTOPSERVICE 1231 #define EXPORT_PHUISTOPSERVICES 1232 #define EXPORT_PHUISUSPENDPROCESSES 1233 #define EXPORT_PHUISUSPENDTHREADS 1234 #define EXPORT_PHUISUSPENDTREEPROCESS 1235 #define EXPORT_PHUITERMINATEPROCESSES 1236 #define EXPORT_PHUITERMINATETHREADS 1237 #define EXPORT_PHUITERMINATETREEPROCESS 1238 #define EXPORT_PHUITHAWTREEPROCESS 1239 #define EXPORT_PHUIUNLOADMODULE 1240 #define EXPORT_PHAUTODEREFERENCEOBJECT 1241 #define EXPORT_PHCREATEALLOC 1242 #define EXPORT_PHCREATEOBJECT 1243 #define EXPORT_PHCREATEOBJECTTYPE 1244 #define EXPORT_PHCREATEOBJECTTYPEEX 1245 #define EXPORT_PHDELETEAUTOPOOL 1246 #define EXPORT_PHDEREFERENCEOBJECT 1247 #define EXPORT_PHDEREFERENCEOBJECTDEFERDELETE 1248 #define EXPORT_PHDEREFERENCEOBJECTEX 1249 #define EXPORT_PHDRAINAUTOPOOL 1250 #define EXPORT_PHGETOBJECTTYPE 1251 #define EXPORT_PHGETOBJECTTYPEINFORMATION 1252 #define EXPORT_PHINITIALIZEAUTOPOOL 1253 #define EXPORT_PHREFERENCEOBJECT 1254 #define EXPORT_PHREFERENCEOBJECTEX 1255 #define EXPORT_PHREFERENCEOBJECTSAFE 1256 #define EXPORT_PHFACQUIREQUEUEDLOCKEXCLUSIVE 1257 #define EXPORT_PHFACQUIREQUEUEDLOCKSHARED 1258 #define EXPORT_PHFPULSEALLCONDITION 1259 #define EXPORT_PHFPULSECONDITION 1260 #define EXPORT_PHFQUEUEWAKEEVENT 1261 #define EXPORT_PHFRELEASEQUEUEDLOCKEXCLUSIVE 1262 #define EXPORT_PHFRELEASEQUEUEDLOCKSHARED 1263 #define EXPORT_PHFSETWAKEEVENT 1264 #define EXPORT_PHFWAITFORCONDITION 1265 #define EXPORT_PHFWAITFORCONDITIONEX 1266 #define EXPORT_PHFWAITFORWAKEEVENT 1267 #define EXPORT_PHFWAKEFORRELEASEQUEUEDLOCK 1268 #define EXPORT_PHISEXECUTINGINWOW64 1269 #define EXPORT_PHSYSTEMBASICINFORMATION 1270 #define EXPORT_PHADDELEMENTAVLTREE 1271 #define EXPORT_PHADDENTRYHASHTABLE 1272 #define EXPORT_PHADDENTRYHASHTABLEEX 1273 #define EXPORT_PHADDITEMARRAY 1274 #define EXPORT_PHADDITEMLIST 1275 #define EXPORT_PHADDITEMPOINTERLIST 1276 #define EXPORT_PHADDITEMSIMPLEHASHTABLE 1277 #define EXPORT_PHADDITEMSARRAY 1278 #define EXPORT_PHADDITEMSLIST 1279 #define EXPORT_PHADDPLUSMAXMEMORYSINGLES 1280 #define EXPORT_PHALLOCATE 1281 #define EXPORT_PHALLOCATEEXSAFE 1282 #define EXPORT_PHALLOCATEFROMFREELIST 1283 #define EXPORT_PHALLOCATEPAGE 1284 #define EXPORT_PHALLOCATESAFE 1285 #define EXPORT_PHAPPENDBYTESBUILDER 1286 #define EXPORT_PHAPPENDBYTESBUILDER2 1287 #define EXPORT_PHAPPENDBYTESBUILDEREX 1288 #define EXPORT_PHAPPENDCHARSTRINGBUILDER 1289 #define EXPORT_PHAPPENDCHARSTRINGBUILDER2 1290 #define EXPORT_PHAPPENDFORMATSTRINGBUILDER 1291 #define EXPORT_PHAPPENDFORMATSTRINGBUILDER_V 1292 #define EXPORT_PHAPPENDSTRINGBUILDEREX 1293 #define EXPORT_PHBUFFERTOHEXSTRING 1294 #define EXPORT_PHBUFFERTOHEXSTRINGEX 1295 #define EXPORT_PHCLEARARRAY 1296 #define EXPORT_PHCLEARHASHTABLE 1297 #define EXPORT_PHCLEARLIST 1298 #define EXPORT_PHCOMPARESTRINGREF 1299 #define EXPORT_PHCOMPARESTRINGZNATURAL 1300 #define EXPORT_PHCONCATSTRINGREF2 1301 #define EXPORT_PHCONCATSTRINGREF3 1302 #define EXPORT_PHCONCATSTRINGREF4 1303 #define EXPORT_PHCONCATSTRINGS 1304 #define EXPORT_PHCONCATSTRINGS2 1305 #define EXPORT_PHCONCATSTRINGS_V 1306 #define EXPORT_PHCONVERTMULTIBYTETOUTF16 1307 #define EXPORT_PHCONVERTMULTIBYTETOUTF16EX 1308 #define EXPORT_PHCONVERTUTF16TOASCIIEX 1309 #define EXPORT_PHCONVERTUTF16TOMULTIBYTE 1310 #define EXPORT_PHCONVERTUTF16TOMULTIBYTEEX 1311 #define EXPORT_PHCONVERTUTF16TOUTF8 1312 #define EXPORT_PHCONVERTUTF16TOUTF8BUFFER 1313 #define EXPORT_PHCONVERTUTF16TOUTF8EX 1314 #define EXPORT_PHCONVERTUTF16TOUTF8SIZE 1315 #define EXPORT_PHCONVERTUTF8TOUTF16 1316 #define EXPORT_PHCONVERTUTF8TOUTF16BUFFER 1317 #define EXPORT_PHCONVERTUTF8TOUTF16EX 1318 #define EXPORT_PHCONVERTUTF8TOUTF16SIZE 1319 #define EXPORT_PHCOPYBYTESZ 1320 #define EXPORT_PHCOPYCONVERTCIRCULARBUFFERULONG 1321 #define EXPORT_PHCOPYSTRINGZ 1322 #define EXPORT_PHCOPYSTRINGZFROMBYTES 1323 #define EXPORT_PHCOPYSTRINGZFROMMULTIBYTE 1324 #define EXPORT_PHCOUNTSTRINGZ 1325 #define EXPORT_PHCREATEBYTES 1326 #define EXPORT_PHCREATEBYTESEX 1327 #define EXPORT_PHCREATEHASHTABLE 1328 #define EXPORT_PHCREATELIST 1329 #define EXPORT_PHCREATEPOINTERLIST 1330 #define EXPORT_PHCREATESIMPLEHASHTABLE 1331 #define EXPORT_PHCREATESTRING3 1332 #define EXPORT_PHCREATESTRINGEX 1333 #define EXPORT_PHCREATETHREAD 1334 #define EXPORT_PHCREATETHREAD2 1335 #define EXPORT_PHCREATETHREADEX 1336 #define EXPORT_PHDECODEUNICODEDECODER 1337 #define EXPORT_PHDELAYEXECUTION 1338 #define EXPORT_PHDELETEARRAY 1339 #define EXPORT_PHDELETEBYTESBUILDER 1340 #define EXPORT_PHDELETECALLBACK 1341 #define EXPORT_PHDELETEFREELIST 1342 #define EXPORT_PHDELETESTRINGBUILDER 1343 #define EXPORT_PHDIVIDESINGLESBYSINGLE 1344 #define EXPORT_PHDOSERRORTONTSTATUS 1345 #define EXPORT_PHDUPLICATEBYTESZ 1346 #define EXPORT_PHDUPLICATEBYTESZSAFE 1347 #define EXPORT_PHDUPLICATESTRINGZ 1348 #define EXPORT_PHENCODEUNICODE 1349 #define EXPORT_PHENUMAVLTREE 1350 #define EXPORT_PHENUMHASHTABLE 1351 #define EXPORT_PHENUMPOINTERLISTEX 1352 #define EXPORT_PHEQUALSTRINGREF 1353 #define EXPORT_PHEXPONENTIATE 1354 #define EXPORT_PHEXPONENTIATE64 1355 #define EXPORT_PHEXTRACTICON 1356 #define EXPORT_PHEXTRACTICONEX 1357 #define EXPORT_PHFILLMEMORYULONG 1358 #define EXPORT_PHFINALBYTESBUILDERBYTES 1359 #define EXPORT_PHFINALSTRINGBUILDERSTRING 1360 #define EXPORT_PHFINDCHARINSTRINGREF 1361 #define EXPORT_PHFINDELEMENTAVLTREE 1362 #define EXPORT_PHFINDENTRYHASHTABLE 1363 #define EXPORT_PHFINDITEMLIST 1364 #define EXPORT_PHFINDITEMPOINTERLIST 1365 #define EXPORT_PHFINDITEMSIMPLEHASHTABLE 1366 #define EXPORT_PHFINDLASTCHARINSTRINGREF 1367 #define EXPORT_PHFINDSTRINGINSTRINGREF 1368 #define EXPORT_PHFORMAT 1369 #define EXPORT_PHFORMATBYTES 1370 #define EXPORT_PHFORMATBYTES_V 1371 #define EXPORT_PHFORMATSTRING 1372 #define EXPORT_PHFORMATSTRING_V 1373 #define EXPORT_PHFORMATTOBUFFER 1374 #define EXPORT_PHFREE 1375 #define EXPORT_PHFREEPAGE 1376 #define EXPORT_PHFREETOFREELIST 1377 #define EXPORT_PHGETLASTERROR 1378 #define EXPORT_PHGETPRIMENUMBER 1379 #define EXPORT_PHHASHBYTES 1380 #define EXPORT_PHHASHSTRINGREF 1381 #define EXPORT_PHHASHSTRINGREFEX 1382 #define EXPORT_PHHEXSTRINGTOBUFFER 1383 #define EXPORT_PHHEXSTRINGTOBUFFEREX 1384 #define EXPORT_PHHUNGWINDOWFROMGHOSTWINDOW 1385 #define EXPORT_PHINITIALIZEARRAY 1386 #define EXPORT_PHINITIALIZEAVLTREE 1387 #define EXPORT_PHINITIALIZEBYTESBUILDER 1388 #define EXPORT_PHINITIALIZECALLBACK 1389 #define EXPORT_PHINITIALIZEFREELIST 1390 #define EXPORT_PHINITIALIZESTRINGBUILDER 1391 #define EXPORT_PHINSERTITEMLIST 1392 #define EXPORT_PHINSERTITEMSLIST 1393 #define EXPORT_PHINSERTSTRINGBUILDER 1394 #define EXPORT_PHINSERTSTRINGBUILDER2 1395 #define EXPORT_PHINSERTSTRINGBUILDEREX 1396 #define EXPORT_PHINTEGERTOSTRING64 1397 #define EXPORT_PHINVOKECALLBACK 1398 #define EXPORT_PHLOADINDIRECTSTRING 1399 #define EXPORT_PHLOADRESOURCE 1400 #define EXPORT_PHLOCALTIMETOSYSTEMTIME 1401 #define EXPORT_PHLOWERBOUNDELEMENTAVLTREE 1402 #define EXPORT_PHLOWERDUALBOUNDELEMENTAVLTREE 1403 #define EXPORT_PHMAXMEMORYSINGLES 1404 #define EXPORT_PHMAXIMUMELEMENTAVLTREE 1405 #define EXPORT_PHMINIMUMELEMENTAVLTREE 1406 #define EXPORT_PHNTSTATUSFILENOTFOUND 1407 #define EXPORT_PHNTSTATUSTODOSERROR 1408 #define EXPORT_PHPREDECESSORELEMENTAVLTREE 1409 #define EXPORT_PHPRINTTIMESPAN 1410 #define EXPORT_PHQUERYPERFORMANCECOUNTER 1411 #define EXPORT_PHQUERYPERFORMANCEFREQUENCY 1412 #define EXPORT_PHQUERYSYSTEMTIME 1413 #define EXPORT_PHQUERYTIMEZONEBIAS 1414 #define EXPORT_PHREALLOCATE 1415 #define EXPORT_PHREALLOCATESAFE 1416 #define EXPORT_PHREADTIMESTAMPCOUNTER 1417 #define EXPORT_PHREFERENCEEMPTYSTRING 1418 #define EXPORT_PHREGISTERCALLBACK 1419 #define EXPORT_PHREGISTERCALLBACKEX 1420 #define EXPORT_PHREMOVEELEMENTAVLTREE 1421 #define EXPORT_PHREMOVEENTRYHASHTABLE 1422 #define EXPORT_PHREMOVEITEMARRAY 1423 #define EXPORT_PHREMOVEITEMLIST 1424 #define EXPORT_PHREMOVEITEMPOINTERLIST 1425 #define EXPORT_PHREMOVEITEMSIMPLEHASHTABLE 1426 #define EXPORT_PHREMOVEITEMSARRAY 1427 #define EXPORT_PHREMOVEITEMSLIST 1428 #define EXPORT_PHREMOVESTRINGBUILDER 1429 #define EXPORT_PHRESIZEARRAY 1430 #define EXPORT_PHRESIZELIST 1431 #define EXPORT_PHROUNDUPTOPOWEROFTWO 1432 #define EXPORT_PHSECONDSSINCE1970TOTIME 1433 #define EXPORT_PHSPLITSTRINGREFATCHAR 1434 #define EXPORT_PHSPLITSTRINGREFATLASTCHAR 1435 #define EXPORT_PHSPLITSTRINGREFATSTRING 1436 #define EXPORT_PHSPLITSTRINGREFEX 1437 #define EXPORT_PHSTRINGTODOUBLE 1438 #define EXPORT_PHSTRINGTOINTEGER64 1439 #define EXPORT_PHSTRINGTOUINT64 1440 #define EXPORT_PHSUCCESSORELEMENTAVLTREE 1441 #define EXPORT_PHSYSTEMTIMETOLOCALTIME 1442 #define EXPORT_PHTIMETOSECONDSSINCE1970 1443 #define EXPORT_PHTRIMSTRINGREF 1444 #define EXPORT_PHUNREGISTERCALLBACK 1445 #define EXPORT_PHUPPERBOUNDELEMENTAVLTREE 1446 #define EXPORT_PHUPPERDUALBOUNDELEMENTAVLTREE 1447 #define EXPORT_PHWRITEUNICODEDECODER 1448 #define EXPORT_PHZEROEXTENDTOUTF16BUFFER 1449 #define EXPORT_PHZEROEXTENDTOUTF16EX 1450 #define EXPORT_PHFACQUIRERUNDOWNPROTECTION 1451 #define EXPORT_PHFBEGININITONCE 1452 #define EXPORT_PHFENDINITONCE 1453 #define EXPORT_PHFINITIALIZEBARRIER 1454 #define EXPORT_PHFINITIALIZEEVENT 1455 #define EXPORT_PHFINITIALIZEINITONCE 1456 #define EXPORT_PHFINITIALIZERUNDOWNPROTECTION 1457 #define EXPORT_PHFRELEASERUNDOWNPROTECTION 1458 #define EXPORT_PHFRESETEVENT 1459 #define EXPORT_PHFSETEVENT 1460 #define EXPORT_PHFWAITFORBARRIER 1461 #define EXPORT_PHFWAITFOREVENT 1462 #define EXPORT_PHFWAITFORRUNDOWNPROTECTION 1463 #define EXPORT_PHENUMSMBIOS 1464 #define EXPORT_PHGETSMBIOSSTRING 1465 #define EXPORT_PHADJUSTPRIVILEGE 1466 #define EXPORT_PHCONNECTPIPE 1467 #define EXPORT_PHCREATEDIRECTORYFULLPATHWIN32 1468 #define EXPORT_PHCREATEDIRECTORYWIN32 1469 #define EXPORT_PHCREATEEVENT 1470 #define EXPORT_PHCREATEFILE 1471 #define EXPORT_PHCREATEFILEWIN32 1472 #define EXPORT_PHCREATEFILEWIN32EX 1473 #define EXPORT_PHCREATEKEY 1474 #define EXPORT_PHCREATENAMEDPIPE 1475 #define EXPORT_PHCREATEPIPE 1476 #define EXPORT_PHDELETEDIRECTORYWIN32 1477 #define EXPORT_PHDELETEFILE 1478 #define EXPORT_PHDELETEFILEWIN32 1479 #define EXPORT_PHDELETEVALUEKEY 1480 #define EXPORT_PHDESTROYWINDOWREMOTE 1481 #define EXPORT_PHDETERMINEDOSPATHNAMETYPE 1482 #define EXPORT_PHDEVICEIOCONTROLFILE 1483 #define EXPORT_PHDISCONNECTNAMEDPIPE 1484 #define EXPORT_PHDOESFILEEXIST 1485 #define EXPORT_PHDOESFILEEXISTWIN32 1486 #define EXPORT_PHDOSPATHNAMETONTPATHNAME 1487 #define EXPORT_PHENUMBIGPOOLINFORMATION 1488 #define EXPORT_PHENUMDIRECTORYFILE 1489 #define EXPORT_PHENUMDIRECTORYOBJECTS 1490 #define EXPORT_PHENUMFILESTREAMS 1491 #define EXPORT_PHENUMFIRMWAREENVIRONMENTVALUES 1492 #define EXPORT_PHENUMGENERICMODULES 1493 #define EXPORT_PHENUMHANDLESEX 1494 #define EXPORT_PHENUMKERNELMODULES 1495 #define EXPORT_PHENUMNEXTPROCESS 1496 #define EXPORT_PHENUMNEXTTHREAD 1497 #define EXPORT_PHENUMOBJECTIDINFORMATION 1498 #define EXPORT_PHENUMPAGEFILES 1499 #define EXPORT_PHENUMPOOLTAGINFORMATION 1500 #define EXPORT_PHENUMPROCESSENVIRONMENTVARIABLES 1501 #define EXPORT_PHENUMPROCESSES 1502 #define EXPORT_PHENUMPROCESSESEX 1503 #define EXPORT_PHENUMPROCESSHANDLES 1504 #define EXPORT_PHENUMREPARSEPOINTINFORMATION 1505 #define EXPORT_PHENUMERATEKEY 1506 #define EXPORT_PHENUMERATEVALUEKEY 1507 #define EXPORT_PHFILTERCONNECTCOMMUNICATIONPORT 1508 #define EXPORT_PHFINDPROCESSINFORMATION 1509 #define EXPORT_PHFINDPROCESSINFORMATIONBYIMAGENAME 1510 #define EXPORT_PHGETACTIVEPROCESSORCOUNT 1511 #define EXPORT_PHGETCONTEXTTHREAD 1512 #define EXPORT_PHGETDEVICETYPE 1513 #define EXPORT_PHGETDLLHANDLE 1514 #define EXPORT_PHGETDRIVERIMAGEFILENAME 1515 #define EXPORT_PHGETDRIVERNAME 1516 #define EXPORT_PHGETDRIVERSERVICEKEYNAME 1517 #define EXPORT_PHGETFILEFULLATTRIBUTESINFORMATION 1518 #define EXPORT_PHGETFILENAME 1519 #define EXPORT_PHGETFILEPOSITION 1520 #define EXPORT_PHGETFILESIZE 1521 #define EXPORT_PHGETFIRMWAREENVIRONMENTVARIABLE 1522 #define EXPORT_PHGETJOBPROCESSIDLIST 1523 #define EXPORT_PHGETKERNELFILENAME 1524 #define EXPORT_PHGETKERNELFILENAME2 1525 #define EXPORT_PHGETKERNELFILENAMEEX 1526 #define EXPORT_PHGETMODULEPROCADDRESS 1527 #define EXPORT_PHGETNAMEDPIPECLIENTCOMPUTERNAME 1528 #define EXPORT_PHGETNAMEDPIPECLIENTPROCESSID 1529 #define EXPORT_PHGETNAMEDPIPESERVERPROCESSID 1530 #define EXPORT_PHGETOBJECTSECURITY 1531 #define EXPORT_PHGETOBJECTTYPEINDEXNAME 1532 #define EXPORT_PHGETOBJECTTYPENUMBER 1533 #define EXPORT_PHGETOWNTOKENATTRIBUTES 1534 #define EXPORT_PHGETPNPDEVICENAME 1535 #define EXPORT_PHGETPROCEDUREADDRESS 1536 #define EXPORT_PHGETPROCEDUREADDRESSREMOTE 1537 #define EXPORT_PHGETPROCESSCOMMANDLINE 1538 #define EXPORT_PHGETPROCESSDEPSTATUS 1539 #define EXPORT_PHGETPROCESSDEVICEMAP 1540 #define EXPORT_PHGETPROCESSENVIRONMENT 1541 #define EXPORT_PHGETPROCESSIMAGEFILENAME 1542 #define EXPORT_PHGETPROCESSIMAGEFILENAMEBYPROCESSID 1543 #define EXPORT_PHGETPROCESSIMAGEFILENAMEWIN32 1544 #define EXPORT_PHGETPROCESSISDOTNET 1545 #define EXPORT_PHGETPROCESSISDOTNETEX 1546 #define EXPORT_PHGETPROCESSMAPPEDFILENAME 1547 #define EXPORT_PHGETPROCESSPEBSTRING 1548 #define EXPORT_PHGETPROCESSPRIORITYCLASS 1549 #define EXPORT_PHGETPROCESSUNLOADEDDLLS 1550 #define EXPORT_PHGETPROCESSWINDOWTITLE 1551 #define EXPORT_PHGETPROCESSWORKINGSETINFORMATION 1552 #define EXPORT_PHGETPROCESSWSCOUNTERS 1553 #define EXPORT_PHGETSECTIONFILENAME 1554 #define EXPORT_PHGETTOKENGROUPS 1555 #define EXPORT_PHGETTOKENINTEGRITYLEVEL 1556 #define EXPORT_PHGETTOKENINTEGRITYLEVELRID 1557 #define EXPORT_PHGETTOKENOWNER 1558 #define EXPORT_PHGETTOKENPRIMARYGROUP 1559 #define EXPORT_PHGETTOKENPRIVILEGES 1560 #define EXPORT_PHGETTOKENUSER 1561 #define EXPORT_PHIMPERSONATETOKEN 1562 #define EXPORT_PHISDEBUGGERPRESENT 1563 #define EXPORT_PHISFIRMWARESUPPORTED 1564 #define EXPORT_PHLISTENNAMEDPIPE 1565 #define EXPORT_PHLOADAPPKEY 1566 #define EXPORT_PHMOVEFILEWIN32 1567 #define EXPORT_PHOPENDIRECTORYOBJECT 1568 #define EXPORT_PHOPENDRIVER 1569 #define EXPORT_PHOPENFILE 1570 #define EXPORT_PHOPENFILEBYID 1571 #define EXPORT_PHOPENKEY 1572 #define EXPORT_PHOPENPROCESS 1573 #define EXPORT_PHOPENPROCESSCLIENTID 1574 #define EXPORT_PHOPENPROCESSTOKEN 1575 #define EXPORT_PHOPENTHREAD 1576 #define EXPORT_PHOPENTHREADPROCESS 1577 #define EXPORT_PHPEEKNAMEDPIPE 1578 #define EXPORT_PHQUERYENVIRONMENTVARIABLE 1579 #define EXPORT_PHQUERYFULLATTRIBUTESFILEWIN32 1580 #define EXPORT_PHQUERYKEY 1581 #define EXPORT_PHQUERYSYMBOLICLINKOBJECT 1582 #define EXPORT_PHQUERYTOKENVARIABLESIZE 1583 #define EXPORT_PHQUERYVALUEKEY 1584 #define EXPORT_PHQUEUEUSERWORKITEM 1585 #define EXPORT_PHREADFILE 1586 #define EXPORT_PHRESOLVEDEVICEPREFIX 1587 #define EXPORT_PHREVERTIMPERSONATIONTOKEN 1588 #define EXPORT_PHSETFILEALLOCATIONSIZE 1589 #define EXPORT_PHSETFILEPOSITION 1590 #define EXPORT_PHSETFILESIZE 1591 #define EXPORT_PHSETFIRMWAREENVIRONMENTVARIABLE 1592 #define EXPORT_PHSETOBJECTSECURITY 1593 #define EXPORT_PHSETPROCESSPOWERTHROTTLINGSTATE 1594 #define EXPORT_PHSETPROCESSPRIORITYBOOST 1595 #define EXPORT_PHSETPROCESSPRIORITYCLASS 1596 #define EXPORT_PHSETTHREADBASEPRIORITY 1597 #define EXPORT_PHSETTHREADIOPRIORITY 1598 #define EXPORT_PHSETTHREADNAME 1599 #define EXPORT_PHSETTOKENISVIRTUALIZATIONENABLED 1600 #define EXPORT_PHSETTOKENPRIVILEGE 1601 #define EXPORT_PHSETTOKENPRIVILEGE2 1602 #define EXPORT_PHSETTOKENSESSIONID 1603 #define EXPORT_PHSETVALUEKEY 1604 #define EXPORT_PHTERMINATEPROCESS 1605 #define EXPORT_PHTRACECONTROL 1606 #define EXPORT_PHTRANSCEIVENAMEDPIPE 1607 #define EXPORT_PHUNLOADDLLPROCESS 1608 #define EXPORT_PHUNLOADDRIVER 1609 #define EXPORT_PHUPDATEDOSDEVICEPREFIXES 1610 #define EXPORT_PHUPDATEMUPDEVICEPREFIXES 1611 #define EXPORT_PHWAITFORNAMEDPIPE 1612 #define EXPORT_PHWRITEFILE 1613 #define EXPORT_PHADJUSTRECTANGLETOBOUNDS 1614 #define EXPORT_PHADJUSTRECTANGLETOWORKINGAREA 1615 #define EXPORT_PHCENTERRECTANGLE 1616 #define EXPORT_PHCENTERWINDOW 1617 #define EXPORT_PHCOMPAREUNICODESTRINGZIGNOREMENUPREFIX 1618 #define EXPORT_PHCONSOLESETFOREGROUND 1619 #define EXPORT_PHCONSOLESETWINDOW 1620 #define EXPORT_PHCREATEOPENFILEDIALOG 1621 #define EXPORT_PHCREATEPROCESS 1622 #define EXPORT_PHCREATEPROCESSASUSER 1623 #define EXPORT_PHCREATEPROCESSREDIRECTION 1624 #define EXPORT_PHCREATEPROCESSWIN32 1625 #define EXPORT_PHCREATEPROCESSWIN32EX 1626 #define EXPORT_PHCREATESAVEFILEDIALOG 1627 #define EXPORT_PHDELETEIMAGEVERSIONINFO 1628 #define EXPORT_PHDEVFREEOBJECTPROPERTIES 1629 #define EXPORT_PHDEVFREEOBJECTS 1630 #define EXPORT_PHDEVGETOBJECTPROPERTIES 1631 #define EXPORT_PHDEVGETOBJECTS 1632 #define EXPORT_PHELLIPSISSTRING 1633 #define EXPORT_PHELLIPSISSTRINGPATH 1634 #define EXPORT_PHESCAPECOMMANDLINEPART 1635 #define EXPORT_PHESCAPESTRINGFORMENUPREFIX 1636 #define EXPORT_PHEXPANDENVIRONMENTSTRINGS 1637 #define EXPORT_PHFILEREADALLTEXTWIN32 1638 #define EXPORT_PHFINALHASH 1639 #define EXPORT_PHFORMATDATE 1640 #define EXPORT_PHFORMATDATETIME 1641 #define EXPORT_PHFORMATDECIMAL 1642 #define EXPORT_PHFORMATGUID 1643 #define EXPORT_PHFORMATIMAGEVERSIONINFO 1644 #define EXPORT_PHFORMATSIZE 1645 #define EXPORT_PHFORMATTIME 1646 #define EXPORT_PHFORMATTIMESPAN 1647 #define EXPORT_PHFORMATTIMESPANRELATIVE 1648 #define EXPORT_PHFORMATUINT64 1649 #define EXPORT_PHFREEFILEDIALOG 1650 #define EXPORT_PHFREELIBRARY 1651 #define EXPORT_PHFREELIBRARYASIMAGERESOURCE 1652 #define EXPORT_PHGENERATEGUID 1653 #define EXPORT_PHGENERATEGUIDFROMNAME 1654 #define EXPORT_PHGENERATERANDOMALPHASTRING 1655 #define EXPORT_PHGENERATERANDOMNUMBER64 1656 #define EXPORT_PHGETAPPLICATIONDATAFILENAME 1657 #define EXPORT_PHGETAPPLICATIONDIRECTORY 1658 #define EXPORT_PHGETAPPLICATIONDIRECTORYFILENAME 1659 #define EXPORT_PHGETAPPLICATIONDIRECTORYWIN32 1660 #define EXPORT_PHGETAPPLICATIONFILENAMEWIN32 1661 #define EXPORT_PHGETBASEDIRECTORY 1662 #define EXPORT_PHGETBASENAME 1663 #define EXPORT_PHGETCLASSOBJECT 1664 #define EXPORT_PHGETDLLFILENAME 1665 #define EXPORT_PHGETCLIENTRECT 1666 #define EXPORT_PHGETDPI 1667 #define EXPORT_PHGETDPIVALUE 1668 #define EXPORT_PHGETFILEDIALOGFILENAME 1669 #define EXPORT_PHGETFILEDIALOGFILTERINDEX 1670 #define EXPORT_PHGETFILEDIALOGOPTIONS 1671 #define EXPORT_PHGETFILEVERSIONFIXEDINFO 1672 #define EXPORT_PHGETFILEVERSIONINFO 1673 #define EXPORT_PHGETFILEVERSIONINFOEX 1674 #define EXPORT_PHGETFILEVERSIONINFOLANGCODEPAGE 1675 #define EXPORT_PHGETFILEVERSIONINFOSTRING 1676 #define EXPORT_PHGETFILEVERSIONINFOSTRING2 1677 #define EXPORT_PHGETFULLPATH 1678 #define EXPORT_PHGETKNOWNFOLDERPATH 1679 #define EXPORT_PHGETKNOWNLOCATION 1680 #define EXPORT_PHGETMESSAGE 1681 #define EXPORT_PHGETMONITORDPI 1682 #define EXPORT_PHGETNTMESSAGE 1683 #define EXPORT_PHGETNTSYSTEMROOT 1684 #define EXPORT_PHGETSIZEDPIVALUE 1685 #define EXPORT_PHGETSTATUSMESSAGE 1686 #define EXPORT_PHGETSYSTEMDIRECTORY 1687 #define EXPORT_PHGETSYSTEMDPI 1688 #define EXPORT_PHGETSYSTEMMETRICS 1689 #define EXPORT_PHGETSYSTEMPARAMETERSINFO 1690 #define EXPORT_PHGETSYSTEMROOT 1691 #define EXPORT_PHGETTASKBARDPI 1692 #define EXPORT_PHGETTEMPORARYDIRECTORYRANDOMALPHAFILENAME 1693 #define EXPORT_PHGETWIN32MESSAGE 1694 #define EXPORT_PHGETWINDOWDPI 1695 #define EXPORT_PHINITIALIZEHASH 1696 #define EXPORT_PHINITIALIZEIMAGEVERSIONINFO 1697 #define EXPORT_PHINITIALIZEIMAGEVERSIONINFOEX 1698 #define EXPORT_PHINITIALIZEPROCTHREADATTRIBUTELIST 1699 #define EXPORT_PHLARGEINTEGERTOLOCALSYSTEMTIME 1700 #define EXPORT_PHLARGEINTEGERTOSYSTEMTIME 1701 #define EXPORT_PHLOADLIBRARY 1702 #define EXPORT_PHLOADLIBRARYASIMAGERESOURCE 1703 #define EXPORT_PHMAPFLAGS1 1704 #define EXPORT_PHMAPFLAGS2 1705 #define EXPORT_PHMATCHWILDCARDS 1706 #define EXPORT_PHPARSECOMMANDLINE 1707 #define EXPORT_PHPARSECOMMANDLINEFUZZY 1708 #define EXPORT_PHPARSECOMMANDLINEPART 1709 #define EXPORT_PHQUERYREGISTRYSTRING 1710 #define EXPORT_PHQUERYREGISTRYULONG 1711 #define EXPORT_PHQUERYREGISTRYULONG64 1712 #define EXPORT_PHSETFILEDIALOGFILENAME 1713 #define EXPORT_PHSETFILEDIALOGFILTER 1714 #define EXPORT_PHSETFILEDIALOGOPTIONS 1715 #define EXPORT_PHSHELLEXECUTE 1716 #define EXPORT_PHSHELLEXECUTEEX 1717 #define EXPORT_PHSHELLEXPLOREFILE 1718 #define EXPORT_PHSHELLPROPERTIES 1719 #define EXPORT_PHSHOWCONFIRMMESSAGE 1720 #define EXPORT_PHSHOWCONTINUESTATUS 1721 #define EXPORT_PHSHOWFILEDIALOG 1722 #define EXPORT_PHSHOWMESSAGE 1723 #define EXPORT_PHSHOWMESSAGE2 1724 #define EXPORT_PHSHOWMESSAGEONETIME 1725 #define EXPORT_PHSHOWSTATUS 1726 #define EXPORT_PHSHOWTASKDIALOG 1727 #define EXPORT_PHSTRINGTOGUID 1728 #define EXPORT_PHSYSTEMTIMETOLARGEINTEGER 1729 #define EXPORT_PHSYSTEMTIMETOTZSPECIFICLOCALTIME 1730 #define EXPORT_PHTASKBARLISTCREATE 1731 #define EXPORT_PHTASKBARLISTDESTROY 1732 #define EXPORT_PHTASKBARLISTSETOVERLAYICON 1733 #define EXPORT_PHTASKBARLISTSETPROGRESSSTATE 1734 #define EXPORT_PHTASKBARLISTSETPROGRESSVALUE 1735 #define EXPORT_PHUPDATEHASH 1736 #define EXPORT_PHUPDATEPROCTHREADATTRIBUTE 1737 #define EXPORT_PHWAITFORMULTIPLEOBJECTSANDPUMP 1738 #define EXPORT_PHCLEARCIRCULARBUFFER_FLOAT 1739 #define EXPORT_PHCLEARCIRCULARBUFFER_PVOID 1740 #define EXPORT_PHCLEARCIRCULARBUFFER_ULONG 1741 #define EXPORT_PHCLEARCIRCULARBUFFER_ULONG64 1742 #define EXPORT_PHCOPYCIRCULARBUFFER_FLOAT 1743 #define EXPORT_PHCOPYCIRCULARBUFFER_PVOID 1744 #define EXPORT_PHCOPYCIRCULARBUFFER_ULONG 1745 #define EXPORT_PHCOPYCIRCULARBUFFER_ULONG64 1746 #define EXPORT_PHDELETECIRCULARBUFFER_FLOAT 1747 #define EXPORT_PHDELETECIRCULARBUFFER_PVOID 1748 #define EXPORT_PHDELETECIRCULARBUFFER_ULONG 1749 #define EXPORT_PHDELETECIRCULARBUFFER_ULONG64 1750 #define EXPORT_PHINITIALIZECIRCULARBUFFER_FLOAT 1751 #define EXPORT_PHINITIALIZECIRCULARBUFFER_PVOID 1752 #define EXPORT_PHINITIALIZECIRCULARBUFFER_ULONG 1753 #define EXPORT_PHINITIALIZECIRCULARBUFFER_ULONG64 1754 #define EXPORT_PHRESIZECIRCULARBUFFER_FLOAT 1755 #define EXPORT_PHRESIZECIRCULARBUFFER_PVOID 1756 #define EXPORT_PHRESIZECIRCULARBUFFER_ULONG 1757 #define EXPORT_PHRESIZECIRCULARBUFFER_ULONG64 1758 #define EXPORT_PHGETGENERICTREENEWLINES 1759 #define EXPORT_PHGETLISTVIEWITEMTEXT 1760 #define EXPORT_PHGETLISTVIEWSELECTEDITEMTEXT 1761 #define EXPORT_PHGETTREENEWTEXT 1762 #define EXPORT_PHCREATEEMENU 1763 #define EXPORT_PHCREATEEMENUITEM 1764 #define EXPORT_PHDESTROYEMENU 1765 #define EXPORT_PHDESTROYEMENUITEM 1766 #define EXPORT_PHFINDEMENUITEM 1767 #define EXPORT_PHINDEXOFEMENUITEM 1768 #define EXPORT_PHINSERTEMENUITEM 1769 #define EXPORT_PHLOADRESOURCEEMENUITEM 1770 #define EXPORT_PHMODIFYEMENUITEM 1771 #define EXPORT_PHREMOVEALLEMENUITEMS 1772 #define EXPORT_PHREMOVEEMENUITEM 1773 #define EXPORT_PHSETFLAGSALLEMENUITEMS 1774 #define EXPORT_PHSETFLAGSEMENUITEM 1775 #define EXPORT_PHSHOWEMENU 1776 #define EXPORT_PHDELETEFASTLOCK 1777 #define EXPORT_PHINITIALIZEFASTLOCK 1778 #define EXPORT_PHFACQUIREFASTLOCKEXCLUSIVE 1779 #define EXPORT_PHFACQUIREFASTLOCKSHARED 1780 #define EXPORT_PHFRELEASEFASTLOCKEXCLUSIVE 1781 #define EXPORT_PHFRELEASEFASTLOCKSHARED 1782 #define EXPORT_PHFTRYACQUIREFASTLOCKEXCLUSIVE 1783 #define EXPORT_PHFTRYACQUIREFASTLOCKSHARED 1784 #define EXPORT_PHCREATEFILESTREAM 1785 #define EXPORT_PHCREATEFILESTREAM2 1786 #define EXPORT_PHFLUSHFILESTREAM 1787 #define EXPORT_PHGETPOSITIONFILESTREAM 1788 #define EXPORT_PHLOCKFILESTREAM 1789 #define EXPORT_PHREADFILESTREAM 1790 #define EXPORT_PHSEEKFILESTREAM 1791 #define EXPORT_PHUNLOCKFILESTREAM 1792 #define EXPORT_PHVERIFYFILESTREAM 1793 #define EXPORT_PHWRITEFILESTREAM 1794 #define EXPORT_PHWRITESTRINGASUTF8FILESTREAM 1795 #define EXPORT_PHWRITESTRINGASUTF8FILESTREAMEX 1796 #define EXPORT_PHWRITESTRINGFORMATASUTF8FILESTREAM 1797 #define EXPORT_PHWRITESTRINGFORMATASUTF8FILESTREAM_V 1798 #define EXPORT_PHDELETEGRAPHSTATE 1799 #define EXPORT_PHDRAWGRAPHDIRECT 1800 #define EXPORT_PHDRAWTRAYICONTEXT 1801 #define EXPORT_PHGETDRAWINFOGRAPHBUFFERS 1802 #define EXPORT_PHGRAPHSTATEGETDRAWINFO 1803 #define EXPORT_PHINITIALIZEGRAPHSTATE 1804 #define EXPORT_PHNFGETTRAYICONFONT 1805 #define EXPORT_PHSETGRAPHTEXT 1806 #define EXPORT_PHADDLAYOUTITEM 1807 #define EXPORT_PHADDLAYOUTITEMEX 1808 #define EXPORT_PHADDLISTVIEWCOLUMN 1809 #define EXPORT_PHADDILISTVIEWCOLUMN 1810 #define EXPORT_PHADDILISTVIEWGROUP 1811 #define EXPORT_PHADDILISTVIEWGROUPITEM 1812 #define EXPORT_PHADDLISTVIEWGROUP 1813 #define EXPORT_PHADDLISTVIEWGROUPITEM 1814 #define EXPORT_PHADDLISTVIEWITEM 1815 #define EXPORT_PHADDILISTVIEWITEM 1816 #define EXPORT_PHADDTABCONTROLTAB 1817 #define EXPORT_PHBITMAPSETALPHA 1818 #define EXPORT_PHCREATEDIALOG 1819 #define EXPORT_PHCREATEWINDOWEX 1820 #define EXPORT_PHDELETELAYOUTMANAGER 1821 #define EXPORT_PHDIALOGBOX 1822 #define EXPORT_PHENUMCHILDWINDOWS 1823 #define EXPORT_PHENUMWINDOWS 1824 #define EXPORT_PHFINDILISTVIEWITEMBYFLAGS 1825 #define EXPORT_PHFINDLISTVIEWITEMBYFLAGS 1826 #define EXPORT_PHFINDLISTVIEWITEMBYPARAM 1827 #define EXPORT_PHGETCOMBOBOXSTRING 1828 #define EXPORT_PHGETDIALOGITEMVALUE 1829 #define EXPORT_PHGETILISTVIEWITEMPARAM 1830 #define EXPORT_PHGETLISTBOXSTRING 1831 #define EXPORT_PHGETLISTVIEWITEMIMAGEINDEX 1832 #define EXPORT_PHGETLISTVIEWITEMPARAM 1833 #define EXPORT_PHGETSELECTEDLISTVIEWITEMPARAM 1834 #define EXPORT_PHGETSELECTEDLISTVIEWITEMPARAMS 1835 #define EXPORT_PHGETSELECTEDILISTVIEWITEMPARAMS 1836 #define EXPORT_PHGETSTOCKAPPLICATIONICON 1837 #define EXPORT_PHGETSTOCKOBJECT 1838 #define EXPORT_PHGETWINDOWCLIENTID 1839 #define EXPORT_PHGETWINDOWCONTEXT 1840 #define EXPORT_PHGETWINDOWTEXT 1841 #define EXPORT_PHGETWINDOWTEXTEX 1842 #define EXPORT_PHICONTOBITMAP 1843 #define EXPORT_PHIMAGELISTADDBITMAP 1844 #define EXPORT_PHIMAGELISTADDICON 1845 #define EXPORT_PHIMAGELISTCREATE 1846 #define EXPORT_PHIMAGELISTDESTROY 1847 #define EXPORT_PHIMAGELISTDRAWEX 1848 #define EXPORT_PHIMAGELISTDRAWICON 1849 #define EXPORT_PHIMAGELISTGETICON 1850 #define EXPORT_PHIMAGELISTREMOVEICON 1851 #define EXPORT_PHIMAGELISTREPLACE 1852 #define EXPORT_PHIMAGELISTSETBKCOLOR 1853 #define EXPORT_PHIMAGELISTSETICONSIZE 1854 #define EXPORT_PHIMAGELISTSETIMAGECOUNT 1855 #define EXPORT_PHINITIALIZELAYOUTMANAGER 1856 #define EXPORT_PHLAYOUTMANAGERLAYOUT 1857 #define EXPORT_PHLOADICON 1858 #define EXPORT_PHLOADIMAGEFORMATFROMRESOURCE 1859 #define EXPORT_PHMODALPROPERTYSHEET 1860 #define EXPORT_PHQUERYDIRECTXEXCLUSIVEOWNERSHIP 1861 #define EXPORT_PHINITIALIZEWINDOWTHEME 1862 #define EXPORT_PHREINITIALIZEWINDOWTHEME 1863 #define EXPORT_PHREGISTERWINDOWCALLBACK 1864 #define EXPORT_PHREMOVELISTVIEWITEM 1865 #define EXPORT_PHREMOVEWINDOWCONTEXT 1866 #define EXPORT_PHSELECTCOMBOBOXSTRING 1867 #define EXPORT_PHSETCLIPBOARDSTRING 1868 #define EXPORT_PHSETCONTROLTHEME 1869 #define EXPORT_PHSETDIALOGITEMTEXT 1870 #define EXPORT_PHSETDIALOGITEMVALUE 1871 #define EXPORT_PHSETEXTENDEDLISTVIEW 1872 #define EXPORT_PHSETGROUPBOXTEXT 1873 #define EXPORT_PHSETHEADERSORTICON 1874 #define EXPORT_PHSETIMAGELISTBITMAP 1875 #define EXPORT_PHSETLISTVIEWITEMIMAGEINDEX 1876 #define EXPORT_PHSETLISTVIEWITEMPARAM 1877 #define EXPORT_PHSETLISTVIEWSUBITEM 1878 #define EXPORT_PHSETILISTVIEWSUBITEM 1879 #define EXPORT_PHSETSTATEALLLISTVIEWITEMS 1880 #define EXPORT_PHSETWINDOWCONTEXT 1881 #define EXPORT_PHSETWINDOWTEXT 1882 #define EXPORT_PHTHEMEWINDOWDRAWREBAR 1883 #define EXPORT_PHTHEMEWINDOWDRAWTOOLBAR 1884 #define EXPORT_PHUNREGISTERWINDOWCALLBACK 1885 #define EXPORT_PHWINDOWTHEMECONTROLCOLOR 1886 #define EXPORT_PHCALLKPHQUERYFILEINFORMATIONWITHTIMEOUT 1887 #define EXPORT_PHCOMPAREOBJECTS 1888 #define EXPORT_PHENUMOBJECTTYPES 1889 #define EXPORT_PHFORMATNATIVEKEYNAME 1890 #define EXPORT_PHGETETWPUBLISHERNAME 1891 #define EXPORT_PHGETHANDLEINFORMATION 1892 #define EXPORT_PHGETHANDLEINFORMATIONEX 1893 #define EXPORT_PHGETOBJECTTYPENAME 1894 #define EXPORT_PHQUERYOBJECTNAME 1895 #define EXPORT_PHSTDGETCLIENTIDNAME 1896 #define EXPORT_PHENUMERATEPRIVILEGES 1897 #define EXPORT_PHGETSIDFULLNAME 1898 #define EXPORT_PHLOOKUPNAME 1899 #define EXPORT_PHLOOKUPPRIVILEGEDISPLAYNAME 1900 #define EXPORT_PHLOOKUPPRIVILEGENAME 1901 #define EXPORT_PHLOOKUPPRIVILEGEVALUE 1902 #define EXPORT_PHLOOKUPSID 1903 #define EXPORT_PHOPENLSAPOLICY 1904 #define EXPORT_PHSIDTOSTRINGSID 1905 #define EXPORT_PHLOADMAPPEDIMAGE 1906 #define EXPORT_PHLOADMAPPEDIMAGEEX 1907 #define EXPORT_PHLOADMAPPEDIMAGEHEADERPAGESIZE 1908 #define EXPORT_PHUNLOADMAPPEDIMAGE 1909 #define EXPORT_PHBOOSTPROVIDER 1910 #define EXPORT_PHDELETEPROVIDERTHREAD 1911 #define EXPORT_PHGETENABLEDPROVIDER 1912 #define EXPORT_PHINITIALIZEPROVIDERTHREAD 1913 #define EXPORT_PHREGISTERPROVIDER 1914 #define EXPORT_PHSETENABLEDPROVIDER 1915 #define EXPORT_PHSETINTERVALPROVIDERTHREAD 1916 #define EXPORT_PHSTARTPROVIDERTHREAD 1917 #define EXPORT_PHSTOPPROVIDERTHREAD 1918 #define EXPORT_PHUNREGISTERPROVIDER 1919 #define EXPORT_PHADDSETTING 1920 #define EXPORT_PHADDSETTINGS 1921 #define EXPORT_PHCLEARIGNOREDSETTINGS 1922 #define EXPORT_PHCONVERTIGNOREDSETTINGS 1923 #define EXPORT_PHGETINTEGERPAIRSTRINGREFSETTING 1924 #define EXPORT_PHGETINTEGERSTRINGREFSETTING 1925 #define EXPORT_PHGETSCALABLEINTEGERPAIRSTRINGREFSETTING 1926 #define EXPORT_PHGETSTRINGREFSETTING 1927 #define EXPORT_PHLOADCUSTOMCOLORLIST 1928 #define EXPORT_PHLOADLISTVIEWCOLUMNSETTINGS 1929 #define EXPORT_PHLOADLISTVIEWCOLUMNSFROMSETTING 1930 #define EXPORT_PHLOADLISTVIEWGROUPSTATESFROMSETTING 1931 #define EXPORT_PHLOADLISTVIEWSORTCOLUMNSFROMSETTING 1932 #define EXPORT_PHLOADSETTINGS 1933 #define EXPORT_PHLOADWINDOWPLACEMENTFROMSETTING 1934 #define EXPORT_PHRESETSETTINGS 1935 #define EXPORT_PHSAVECUSTOMCOLORLIST 1936 #define EXPORT_PHSAVELISTVIEWCOLUMNSETTINGS 1937 #define EXPORT_PHSAVELISTVIEWCOLUMNSTOSETTING 1938 #define EXPORT_PHSAVELISTVIEWGROUPSTATESTOSETTING 1939 #define EXPORT_PHSAVELISTVIEWSORTCOLUMNSTOSETTING 1940 #define EXPORT_PHSAVESETTINGS 1941 #define EXPORT_PHSAVEWINDOWPLACEMENTTOSETTING 1942 #define EXPORT_PHSETINTEGERPAIRSTRINGREFSETTING 1943 #define EXPORT_PHSETINTEGERSTRINGREFSETTING 1944 #define EXPORT_PHSETSCALABLEINTEGERPAIRSTRINGREFSETTING 1945 #define EXPORT_PHSETSCALABLEINTEGERPAIRSTRINGREFSETTING2 1946 #define EXPORT_PHSETSTRINGREFSETTING 1947 #define EXPORT_PHUPDATECACHEDSETTINGS 1948 #define EXPORT_PHCREATESECURITYPAGE 1949 #define EXPORT_PHEDITSECURITY 1950 #define EXPORT_PHGETACCESSENTRIES 1951 #define EXPORT_PHGETACCESSSTRING 1952 #define EXPORT_PHGETSEOBJECTSECURITY 1953 #define EXPORT_PHSETSEOBJECTSECURITY 1954 #define EXPORT_PHSTDGETOBJECTSECURITY 1955 #define EXPORT_PHSTDSETOBJECTSECURITY 1956 #define EXPORT_PHCHANGESERVICECONFIG2 1957 #define EXPORT_PHCLOSESERVICEHANDLE 1958 #define EXPORT_PHENUMDEPENDENTSERVICES 1959 #define EXPORT_PHGETSERVICECONFIG 1960 #define EXPORT_PHGETSERVICECONFIGFILENAME 1961 #define EXPORT_PHGETSERVICEDESCRIPTION 1962 #define EXPORT_PHGETSERVICEDLLPARAMETER 1963 #define EXPORT_PHGETSERVICEERRORCONTROLINTEGER 1964 #define EXPORT_PHGETSERVICEERRORCONTROLSTRING 1965 #define EXPORT_PHGETSERVICEFILENAME 1966 #define EXPORT_PHGETSERVICENAMEFROMTAG 1967 #define EXPORT_PHGETSERVICESTARTTYPEINTEGER 1968 #define EXPORT_PHGETSERVICESTARTTYPESTRING 1969 #define EXPORT_PHGETSERVICESTATESTRING 1970 #define EXPORT_PHGETSERVICETYPEINTEGER 1971 #define EXPORT_PHGETSERVICETYPESTRING 1972 #define EXPORT_PHGETTHREADSERVICETAG 1973 #define EXPORT_PHOPENSERVICE 1974 #define EXPORT_PHOPENSERVICEKEY 1975 #define EXPORT_PHQUERYSERVICECONFIG 1976 #define EXPORT_PHQUERYSERVICECONFIG2 1977 #define EXPORT_PHQUERYSERVICESTATUS 1978 #define EXPORT_PHQUERYSERVICEVARIABLESIZE 1979 #define EXPORT_PHSTARTSERVICE 1980 #define EXPORT_PHSTOPSERVICE 1981 #define EXPORT_PHCREATESYMBOLPROVIDER 1982 #define EXPORT_PHGETLINEFROMADDRESS 1983 #define EXPORT_PHGETMODULEFROMADDRESS 1984 #define EXPORT_PHGETSYMBOLFROMADDRESS 1985 #define EXPORT_PHGETSYMBOLFROMNAME 1986 #define EXPORT_PHLOADSYMBOLPROVIDERMODULES 1987 #define EXPORT_PHLOADMODULESYMBOLPROVIDER 1988 #define EXPORT_PHLOADMODULESFORVIRTUALSYMBOLPROVIDER 1989 #define EXPORT_PHSETOPTIONSSYMBOLPROVIDER 1990 #define EXPORT_PHSETSEARCHPATHSYMBOLPROVIDER 1991 #define EXPORT_PHSTACKWALK 1992 #define EXPORT_PHWALKTHREADSTACK 1993 #define EXPORT_PHWRITEMINIDUMPPROCESS 1994 #define EXPORT_PHVERIFYFILE 1995 #define EXPORT_PHVERIFYFILEISCHAINEDTOMICROSOFT 1996 #define EXPORT_PHDELETEWORKQUEUE 1997 #define EXPORT_PHGETGLOBALWORKQUEUE 1998 #define EXPORT_PHINITIALIZEWORKQUEUE 1999 #define EXPORT_PHINITIALIZEWORKQUEUEENVIRONMENT 2000 #define EXPORT_PHQUEUEITEMWORKQUEUE 2001 #define EXPORT_PHQUEUEITEMWORKQUEUEEX 2002 #define EXPORT_PHWAITFORWORKQUEUE 2003 #define EXPORT_PHADDJSONARRAYOBJECT 2004 #define EXPORT_PHADDJSONOBJECT 2005 #define EXPORT_PHADDJSONOBJECT2 2006 #define EXPORT_PHADDJSONOBJECTINT64 2007 #define EXPORT_PHADDJSONOBJECTUINT64 2008 #define EXPORT_PHADDJSONOBJECTVALUE 2009 #define EXPORT_PHCREATEJSONARRAY 2010 #define EXPORT_PHCREATEJSONOBJECT 2011 #define EXPORT_PHCREATEJSONPARSER 2012 #define EXPORT_PHCREATEJSONPARSEREX 2013 #define EXPORT_PHFREEJSONOBJECT 2014 #define EXPORT_PHGETJSONARRAYINDEXOBJECT 2015 #define EXPORT_PHGETJSONARRAYLENGTH 2016 #define EXPORT_PHGETJSONARRAYLONG64 2017 #define EXPORT_PHGETJSONARRAYSTRING 2018 #define EXPORT_PHGETJSONOBJECT 2019 #define EXPORT_PHGETJSONOBJECTASARRAYLIST 2020 #define EXPORT_PHGETJSONOBJECTBOOL 2021 #define EXPORT_PHGETJSONOBJECTLENGTH 2022 #define EXPORT_PHGETJSONOBJECTTYPE 2023 #define EXPORT_PHGETJSONVALUEASINT64 2024 #define EXPORT_PHGETJSONVALUEASSTRING 2025 #define EXPORT_PHGETJSONVALUEASUINT64 2026 #define EXPORT_PHCREATEXMLNODE 2027 #define EXPORT_PHCREATEXMLOPAQUENODE 2028 #define EXPORT_PHFINDXMLOBJECT 2029 #define EXPORT_PHFREEXMLOBJECT 2030 #define EXPORT_PHGETXMLINTERFACE 2031 #define EXPORT_PHGETXMLNODEATTRIBUTEBYINDEX 2032 #define EXPORT_PHGETXMLNODEATTRIBUTECOUNT 2033 #define EXPORT_PHGETXMLNODEATTRIBUTETEXT 2034 #define EXPORT_PHGETXMLNODEELEMENTTEXT 2035 #define EXPORT_PHGETXMLNODEFIRSTCHILD 2036 #define EXPORT_PHGETXMLNODENEXTCHILD 2037 #define EXPORT_PHGETXMLNODEOPAQUETEXT 2038 #define EXPORT_PHGETXMLOBJECT 2039 #define EXPORT_PHLOADXMLOBJECTFROMFILE 2040 #define EXPORT_PHLOADXMLOBJECTFROMSTRING 2041 #define EXPORT_PHSAVEXMLOBJECTTOFILE 2042 #define EXPORT_PHSETXMLNODEATTRIBUTETEXT 2043 #define EXPORT_PHCLEARCACHEDIRECTORY 2044 #define EXPORT_PHCREATECACHEFILE 2045 #define EXPORT_PHDELETECACHEFILE 2046 #define EXPORT_PHAPPRESOLVERGETAPPIDFORWINDOW 2047 #define EXPORT_PHGETPROCESSPACKAGEFULLNAME 2048 #define EXPORT_PHDNSFREE 2049 #define EXPORT_PHDNSQUERY 2050 #define EXPORT_PHDNSQUERY2 2051 #define EXPORT_PHHTTPDNSQUERY 2052 #define EXPORT_PHHTTPSOCKETADDREQUESTHEADERS 2053 #define EXPORT_PHHTTPSOCKETBEGINREQUEST 2054 #define EXPORT_PHHTTPSOCKETCLOSE 2055 #define EXPORT_PHHTTPSOCKETCONNECT 2056 #define EXPORT_PHHTTPSOCKETCREATE 2057 #define EXPORT_PHHTTPSOCKETDESTROY 2058 #define EXPORT_PHHTTPSOCKETDOWNLOADSTRING 2059 #define EXPORT_PHHTTPSOCKETENDREQUEST 2060 #define EXPORT_PHHTTPSOCKETGETERRORMESSAGE 2061 #define EXPORT_PHHTTPSOCKETPARSEURL 2062 #define EXPORT_PHHTTPSOCKETQUERYHEADERSTRING 2063 #define EXPORT_PHHTTPSOCKETQUERYHEADERULONG 2064 #define EXPORT_PHHTTPSOCKETQUERYHEADERULONG64 2065 #define EXPORT_PHHTTPSOCKETQUERYHEADERS 2066 #define EXPORT_PHHTTPSOCKETQUERYOPTIONSTRING 2067 #define EXPORT_PHHTTPSOCKETREADDATA 2068 #define EXPORT_PHHTTPSOCKETREADDATATOBUFFER 2069 #define EXPORT_PHHTTPSOCKETSENDREQUEST 2070 #define EXPORT_PHHTTPSOCKETSETCREDENTIALS 2071 #define EXPORT_PHHTTPSOCKETSETFEATURE 2072 #define EXPORT_PHHTTPSOCKETSETSECURITY 2073 #define EXPORT_PHHTTPSOCKETWRITEDATA 2074 #define EXPORT_KSILEVEL 2075 #define EXPORT_KPHALPCQUERYINFORMATION 2076 #define EXPORT_KPHDUPLICATEOBJECT 2077 #define EXPORT_KPHOPENDEVICE 2078 #define EXPORT_KPHOPENDEVICEBASEDEVICE 2079 #define EXPORT_KPHOPENDEVICEDRIVER 2080 #define EXPORT_KPHQUERYINFORMATIONDRIVER 2081 #define EXPORT_KPHQUERYINFORMATIONOBJECT 2082 #define EXPORT_KSIENUMERATEPROCESSHANDLES 2083 #define EXPORT_KSIQUERYHASHINFORMATIONFILE 2084 #endif _PH_EXPORT_DEF_H ================================================ FILE: SystemInformer/SystemInformer.manifest ================================================ System Informer true/pm true true PerMonitorV2, PerMonitor true UTF-8 SegmentHeap ================================================ FILE: SystemInformer/SystemInformer.rc ================================================ // Microsoft Visual C++ generated resource script. // #pragma code_page(65001) #include "resource.h" #define APSTUDIO_READONLY_SYMBOLS ///////////////////////////////////////////////////////////////////////////// // // Generated from the TEXTINCLUDE 2 resource. // #include "winres.h" #include "include/phappres.h" ///////////////////////////////////////////////////////////////////////////// #undef APSTUDIO_READONLY_SYMBOLS ///////////////////////////////////////////////////////////////////////////// // English (United States) resources #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US #ifdef APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // TEXTINCLUDE // 1 TEXTINCLUDE BEGIN "resource.h\0" END 2 TEXTINCLUDE BEGIN "#include ""winres.h""\r\n" "#include ""include/phappres.h""\0" END 3 TEXTINCLUDE BEGIN "\0" END #endif // APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // PNG // IDB_SEARCH_ACTIVE_MODERN_LIGHT PNG "resources\\search_stop_modern_light.png" IDB_SEARCH_ACTIVE PNG "resources\\active_search.png" IDB_SEARCH_INACTIVE PNG "resources\\inactive_search.png" IDB_SEARCH_ACTIVE_SMALL PNG "resources\\active_search_small.png" IDB_SEARCH_INACTIVE_SMALL PNG "resources\\inactive_search_small.png" IDB_SEARCH_REGEX_MODERN_DARK PNG "resources\\regex_modern_dark.png" IDB_SEARCH_REGEX_MODERN_LIGHT PNG "resources\\regex_modern_light.png" IDB_SEARCH_CASE_MODERN_DARK PNG "resources\\case_sensitive_modern_dark.png" IDB_SEARCH_CASE_MODERN_LIGHT PNG "resources\\case_sensitive_modern_light.png" IDB_SEARCH_ACTIVE_MODERN_DARK PNG "resources\\search_stop_modern_dark.png" IDB_SEARCH_INACTIVE_MODERN_LIGHT PNG "resources\\search_modern_light.png" IDB_SEARCH_INACTIVE_MODERN_DARK PNG "resources\\search_modern_dark.png" ///////////////////////////////////////////////////////////////////////////// // // Icon // // Icon with lowest ID value placed first to ensure application icon // remains consistent on all systems. IDI_PROCESSHACKER ICON "SystemInformer.ico" IDI_PHAPPLICATION ICON "resources\\application.ico" IDI_COG ICON "resources\\cog.ico" IDI_PIN ICON "resources\\pin.ico" IDI_FOLDER ICON "resources\\folder.ico" IDI_MAGNIFIER ICON "resources\\magnifier.ico" IDI_UACSHIELD ICON "resources\\shield.ico" ///////////////////////////////////////////////////////////////////////////// // // Dialog // IDD_PROCGENERAL DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "General" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Permissions",IDC_PERMISSIONS,143,218,50,14 PUSHBUTTON "Terminate",IDC_TERMINATE,197,218,50,14 GROUPBOX "File",IDC_FILE,7,7,246,103 ICON "",IDC_FILEICON,14,18,20,20 EDITTEXT IDC_NAME,44,17,182,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER EDITTEXT IDC_COMPANYNAME,44,29,183,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER CONTROL "Company name link",IDC_COMPANYNAME_LINK,"SysLink",LWS_NOPREFIX | NOT WS_VISIBLE | WS_TABSTOP,46,29,183,9 LTEXT "Version:",IDC_STATIC,15,41,27,8 EDITTEXT IDC_VERSION,44,41,113,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Image file name (Win32):",IDC_STATIC,15,55,86,8 EDITTEXT IDC_FILENAME,15,65,191,12,ES_AUTOHSCROLL | ES_READONLY PUSHBUTTON "Inspect",IDC_INSPECT,210,64,17,15,BS_ICON PUSHBUTTON "Open",IDC_OPENFILENAME,230,64,17,15,BS_ICON GROUPBOX "Process",IDC_PROCESS,7,112,246,142 LTEXT "Command line:",IDC_STATIC,13,124,50,8 EDITTEXT IDC_CMDLINE,79,122,147,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Current directory:",IDC_STATIC,13,140,60,8 EDITTEXT IDC_CURDIR,79,138,168,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Started:",IDC_STATIC,13,156,28,8 EDITTEXT IDC_STARTED,79,154,168,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Parent console:",IDC_STATIC,13,172,52,8 EDITTEXT IDC_PARENTCONSOLE,79,170,168,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Parent process:",IDC_STATIC,13,188,52,8 EDITTEXT IDC_PARENTPROCESS,79,186,147,12,ES_AUTOHSCROLL | ES_READONLY PUSHBUTTON "View",IDC_VIEWPARENTPROCESS,230,185,17,15,BS_ICON LTEXT "Mitigation policies:",IDC_STATIC,13,204,59,8 EDITTEXT IDC_MITIGATION,79,202,126,12,ES_AUTOHSCROLL | ES_READONLY PUSHBUTTON "Details",IDC_VIEWMITIGATION,209,201,38,14 LTEXT "Protection:",IDC_STATIC,13,222,40,8 EDITTEXT IDC_PROTECTION,53,222,80,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Image type:",IDC_STATIC,13,233,40,8 EDITTEXT IDC_PROCESSTYPETEXT,53,233,160,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER PUSHBUTTON "View",IDC_VIEWCOMMANDLINE,230,121,17,15,BS_ICON LTEXT "Image file name:",IDC_STATIC,15,80,86,8 EDITTEXT IDC_FILENAMEWIN32,15,91,191,12,ES_AUTOHSCROLL | ES_READONLY PUSHBUTTON "Inspect",IDC_INSPECT2,210,90,17,15,BS_ICON PUSHBUTTON "Open",IDC_OPENFILENAME2,230,90,17,15,BS_ICON PUSHBUTTON "Policy",IDC_INTEGRITY,90,218,50,14 END IDD_PROCMODULES DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Modules" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,2,19,256,239,WS_EX_CLIENTEDGE EDITTEXT IDC_SEARCH,114,3,144,14,ES_AUTOHSCROLL PUSHBUTTON "Options",IDC_FILTEROPTIONS,2,2,50,14 END IDD_PROCTHREADS DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Threads" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,2,19,256,239,WS_EX_CLIENTEDGE EDITTEXT IDC_SEARCH,114,3,144,14,ES_AUTOHSCROLL PUSHBUTTON "Options",IDC_OPTIONS,2,2,50,14 LTEXT "",IDC_STATE,56,5,8,8 END IDD_PROCHANDLES DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Handles" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Options",IDC_OPTIONS,2,2,50,14 EDITTEXT IDC_HANDLESEARCH,114,3,144,14,ES_AUTOHSCROLL CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x2,2,19,256,239,WS_EX_CLIENTEDGE END IDD_PROCENVIRONMENT DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Environment" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,2,19,256,239,WS_EX_CLIENTEDGE EDITTEXT IDC_SEARCH,114,3,144,14,ES_AUTOHSCROLL PUSHBUTTON "Refresh",IDC_REFRESH,53,2,50,14 PUSHBUTTON "Options",IDC_OPTIONS,2,2,50,14 END IDD_THRDSTACK DIALOGEX 0, 0, 273, 228 STYLE DS_SETFONT | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Thread Stack" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Copy",IDC_COPY,113,212,50,14 PUSHBUTTON "Refresh",IDC_REFRESH,167,212,50,14 PUSHBUTTON "Close",IDOK,221,212,50,14 CONTROL "",IDC_TREELIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x2,0,0,273,211,WS_EX_CLIENTEDGE PUSHBUTTON "Options",IDC_OPTIONS,2,212,50,14 END IDD_ABOUT DIALOGEX 0, 0, 270, 215 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "About" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN ICON IDI_PROCESSHACKER,IDC_FILEICON,16,11,20,20 CONTROL "System Informer",IDC_ABOUT_NAME,"SysLink",WS_TABSTOP,45,12,192,8 LTEXT "Copyright (c) Winsider Seminars && Solutions, Inc.",IDC_STATIC,45,24,193,8 CONTROL "Credits.",IDC_CREDITS,"SysLink",WS_TABSTOP,15,49,248,141 CONTROL "System Informer on SourceForge.net",IDC_LINK_SF, "SysLink",WS_TABSTOP,7,197,130,11 PUSHBUTTON "Diagnostics",IDC_DIAGNOSTICS,160,194,50,14 DEFPUSHBUTTON "OK",IDOK,213,194,50,14 END IDD_SRVLIST DIALOGEX 0, 0, 237, 201 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD | WS_SYSMENU FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,0,0,237,141 EDITTEXT IDC_DESCRIPTION,0,144,237,40,ES_MULTILINE | ES_READONLY | NOT WS_BORDER PUSHBUTTON "&Start",IDC_START,134,187,50,14 PUSHBUTTON "&Pause",IDC_PAUSE,187,187,50,14 END IDD_SRVGENERAL DIALOGEX 0, 0, 282, 183 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "General" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN EDITTEXT IDC_DESCRIPTION,7,7,268,45,ES_MULTILINE | ES_READONLY | WS_VSCROLL LTEXT "Type:",IDC_STATIC,7,57,20,8 COMBOBOX IDC_TYPE,30,56,110,65,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Start type:",IDC_STATIC,147,57,38,8 COMBOBOX IDC_STARTTYPE,188,56,87,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Error control:",IDC_STATIC,7,75,47,8 COMBOBOX IDC_ERRORCONTROL,58,73,82,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Group:",IDC_STATIC,147,75,23,8 EDITTEXT IDC_GROUP,173,74,102,12,ES_AUTOHSCROLL LTEXT "Binary path:",IDC_STATIC,7,92,40,8 EDITTEXT IDC_BINARYPATH,58,91,163,12,ES_AUTOHSCROLL PUSHBUTTON "Browse...",IDC_BROWSE,225,90,50,14 LTEXT "User account:",IDC_STATIC,7,110,46,8 EDITTEXT IDC_USERACCOUNT,58,108,217,12,ES_AUTOHSCROLL LTEXT "Password:",IDC_STATIC,7,127,34,8 EDITTEXT IDC_PASSWORD,58,125,204,12,ES_PASSWORD | ES_AUTOHSCROLL CONTROL "",IDC_PASSWORDCHECK,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,266,126,9,10 LTEXT "Service DLL:",IDC_STATIC,7,144,48,8 EDITTEXT IDC_SERVICEDLL,58,142,217,12,ES_AUTOHSCROLL | ES_READONLY CONTROL "Delayed start",IDC_DELAYEDSTART,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,158,59,10 PUSHBUTTON "Permissions",IDC_PERMISSIONS,225,162,50,14 END IDD_HNDLGENERAL DIALOGEX 0, 0, 260, 181 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "General" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_TABSTOP,0,2,260,179 END IDD_INFORMATION DIALOGEX 0, 0, 317, 184 STYLE DS_SETFONT | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Information" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN EDITTEXT IDC_TEXT,7,7,303,152,ES_MULTILINE | ES_READONLY | WS_VSCROLL PUSHBUTTON "Save...",IDC_SAVE,154,163,50,14 PUSHBUTTON "Copy",IDC_COPY,207,163,50,14 DEFPUSHBUTTON "Close",IDOK,260,163,50,14 END IDD_FINDOBJECTS DIALOGEX 0, 0, 357, 233 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Find Handles or DLLs" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN EDITTEXT IDC_FILTER,97,4,207,14,ES_AUTOHSCROLL PUSHBUTTON "Find",IDOK,306,4,50,14 COMBOBOX IDC_FILTERTYPE,2,5,93,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP CONTROL "",IDC_TREELIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x2,2,20,353,212,WS_EX_CLIENTEDGE END IDD_THRDSTACKS DIALOGEX 0, 0, 443, 254 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Thread Stacks" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN EDITTEXT IDC_FILTER,2,3,388,14,ES_AUTOHSCROLL PUSHBUTTON "Refresh",IDC_REFRESH,391,3,50,14 CONTROL "",IDC_TREELIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x2,2,19,439,219,WS_EX_CLIENTEDGE LTEXT "",IDC_MESSAGE,8,242,427,10 END IDD_USRLIST DIALOGEX 0, 0, 443, 254 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Users List" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN EDITTEXT IDC_FILTER,2,3,388,14,ES_AUTOHSCROLL PUSHBUTTON "Refresh",IDC_REFRESH,391,3,50,14 CONTROL "",IDC_TREELIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x2,2,19,439,219,WS_EX_CLIENTEDGE LTEXT "",IDC_MESSAGE,8,242,427,10 END IDD_OBJTOKEN DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Token" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "User:",IDC_TOKENUSER,7,7,18,8 EDITTEXT IDC_USER,48,7,205,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "User SID:",IDC_TOKENSID,7,18,32,8 EDITTEXT IDC_USERSID,48,18,205,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Session:",IDC_STATIC,7,29,28,8 LTEXT "Unknown",IDC_SESSIONID,38,29,30,8 LTEXT "Elevated:",IDC_STATIC,78,29,32,8 LTEXT "Unknown",IDC_ELEVATED,113,29,45,8 LTEXT "Virtualized:",IDC_STATIC,169,29,36,8 LTEXT "Unknown",IDC_VIRTUALIZED,209,29,44,8 CONTROL "",IDC_GROUPS,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_SHAREIMAGELISTS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,7,42,246,194 PUSHBUTTON "Integrity",IDC_INTEGRITY,149,239,50,14 PUSHBUTTON "Advanced",IDC_ADVANCED,203,239,50,14 PUSHBUTTON "Permissions",IDC_PERMISSIONS,95,239,50,14 PUSHBUTTON "Default token",IDC_DEFAULTPERM,41,239,50,14 END IDD_ZOMBIEPROCESSES DIALOGEX 0, 0, 337, 221 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Zombie Processes" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Processes highlighted red are hidden while those highlighted grey have terminated.",IDC_INTRO,7,7,323,12 CONTROL "",IDC_PROCESSES,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,7,23,323,162 RTEXT "",IDC_DESCRIPTION,7,187,323,11 COMBOBOX IDC_METHOD,7,201,73,30,CBS_DROPDOWNLIST | CBS_SORT | WS_VSCROLL | WS_TABSTOP PUSHBUTTON "Terminate",IDC_TERMINATE,115,200,50,14 PUSHBUTTON "Save...",IDC_SAVE,170,200,50,14 PUSHBUTTON "&Scan",IDC_SCAN,225,200,50,14 DEFPUSHBUTTON "Close",IDOK,280,200,50,14 END IDD_RUNAS DIALOGEX 0, 0, 293, 127 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Run As" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Enter the command to start as the specified user.",IDC_TITLE,7,7,160,8 LTEXT "Program:",IDC_STATIC,7,23,30,8 LTEXT "User name:",IDC_STATIC,7,40,38,8 COMBOBOX IDC_USERNAME,53,38,123,12,CBS_DROPDOWN | CBS_AUTOHSCROLL | WS_VSCROLL | WS_TABSTOP LTEXT "Type:",IDC_STATIC,184,40,20,8 COMBOBOX IDC_TYPE,208,38,78,12,CBS_DROPDOWNLIST | CBS_SORT | WS_VSCROLL | WS_TABSTOP LTEXT "Password:",IDC_STATIC,7,56,34,8 EDITTEXT IDC_PASSWORD,53,55,123,12,ES_PASSWORD | ES_AUTOHSCROLL CONTROL "Toggle elevation",IDC_TOGGLEELEVATION,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,183,56,69,10 LTEXT "Session ID:",IDC_STATIC,7,73,37,8 LTEXT "Desktop:",IDC_STATIC,7,90,30,8 DEFPUSHBUTTON "OK",IDOK,127,106,50,14 PUSHBUTTON "Cancel",IDCANCEL,182,106,50,14 COMBOBOX IDC_SESSIONCOMBO,53,72,123,12,CBS_DROPDOWNLIST | CBS_AUTOHSCROLL | CBS_SORT | WS_VSCROLL | WS_TABSTOP COMBOBOX IDC_DESKTOPCOMBO,53,88,123,12,CBS_DROPDOWNLIST | CBS_AUTOHSCROLL | CBS_SORT | WS_VSCROLL | WS_TABSTOP PUSHBUTTON "Browse",IDC_BROWSE,237,106,50,14 CONTROL "Create suspended",IDC_TOGGLESUSPENDED,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,183,70,75,10 COMBOBOX IDC_PROGRAMCOMBO,53,21,233,12,CBS_DROPDOWN | CBS_AUTOHSCROLL | WS_VSCROLL | WS_TABSTOP CONTROL "Create UIAccess",IDC_TOGGLEUIACCESS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,183,84,69,10 END IDD_PROGRESS DIALOGEX 0, 0, 216, 62 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Progress" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Cancel",IDCANCEL,159,41,50,14 CONTROL "",IDC_PROGRESS,"msctls_progress32",0x0,7,23,202,14 LTEXT "Please wait...",IDC_PROGRESSTEXT,7,7,202,12 END IDD_PAGEFILES DIALOGEX 0, 0, 322, 162 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Pagefiles" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,2,2,318,142 PUSHBUTTON "Refresh",IDC_REFRESH,215,146,50,14 DEFPUSHBUTTON "Close",IDOK,269,146,50,14 END IDD_TOKGENERAL DIALOGEX 0, 0, 270, 228 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "General" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN GROUPBOX "Token",IDC_STATIC,7,7,256,149 LTEXT "User:",IDC_STATIC,15,19,18,8 EDITTEXT IDC_USER,71,17,185,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "User SID:",IDC_STATIC,15,36,32,8 EDITTEXT IDC_USERSID,71,34,185,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Owner:",IDC_STATIC,15,53,25,8 EDITTEXT IDC_OWNER,71,51,185,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Primary group:",IDC_STATIC,15,70,49,8 EDITTEXT IDC_PRIMARYGROUP,71,68,185,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Session ID:",IDC_STATIC,15,87,37,8 EDITTEXT IDC_SESSIONID,71,85,88,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Elevated:",IDC_STATIC,15,104,32,8 EDITTEXT IDC_ELEVATED,71,102,117,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Virtualization:",IDC_STATIC,15,121,44,8 EDITTEXT IDC_VIRTUALIZATION,71,119,185,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "UIAccess:",IDC_STATIC,15,138,32,8 EDITTEXT IDC_UIACCESS,71,136,185,12,ES_AUTOHSCROLL | ES_READONLY PUSHBUTTON "Linked token",IDC_LINKEDTOKEN,193,101,63,14 GROUPBOX "Source",IDC_STATIC,7,160,256,47 LTEXT "Name:",IDC_STATIC,15,172,22,8 EDITTEXT IDC_SOURCENAME,71,170,185,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "LUID:",IDC_STATIC,15,190,19,8 EDITTEXT IDC_SOURCELUID,71,188,185,12,ES_AUTOHSCROLL | ES_READONLY END IDD_TOKADVANCED DIALOGEX 0, 0, 236, 186 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Advanced" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | WS_TABSTOP,0,0,236,186 END IDD_OBJJOB DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Job" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Name:",IDC_STATIC,7,9,22,8 EDITTEXT IDC_NAME,35,8,164,12,ES_AUTOHSCROLL PUSHBUTTON "Terminate",IDC_TERMINATE,203,7,50,14 LTEXT "Processes in job:",IDC_STATIC,7,25,55,8 CONTROL "",IDC_PROCESSES,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_SORTASCENDING | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,7,38,246,62 PUSHBUTTON "Add...",IDC_ADD,203,103,50,14 LTEXT "Limits:",IDC_STATIC,7,117,21,8 CONTROL "",IDC_LIMITS,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_SORTASCENDING | LVS_ALIGNLEFT | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,7,129,246,107 PUSHBUTTON "Advanced",IDC_ADVANCED,203,239,50,14 END IDD_OBJEVENT DIALOGEX 0, 0, 186, 76 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Event" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Type:",IDC_STATIC,7,7,20,8 LTEXT "Unknown",IDC_TYPE,42,7,137,8 LTEXT "Signaled:",IDC_STATIC,7,18,30,8 LTEXT "Unknown",IDC_SIGNALED,42,18,137,8 PUSHBUTTON "Set",IDC_SET,7,34,50,14 PUSHBUTTON "Reset",IDC_RESET,61,34,50,14 PUSHBUTTON "Pulse",IDC_PULSE,115,34,50,14 END IDD_OBJMUTANT DIALOGEX 0, 0, 186, 76 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Mutant" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Count:",IDC_STATIC,7,7,23,8 LTEXT "Unknown",IDC_COUNT,55,7,124,8 LTEXT "Abandoned:",IDC_STATIC,7,18,40,8 LTEXT "Unknown",IDC_ABANDONED,55,18,124,8 LTEXT "Owner:",IDC_OWNERLABEL,7,29,25,8 LTEXT "Unknown",IDC_OWNER,55,29,124,8 END IDD_OBJSEMAPHORE DIALOGEX 0, 0, 186, 76 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Semaphore" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Current count:",IDC_STATIC,7,7,50,8 LTEXT "Unknown",IDC_CURRENTCOUNT,66,7,113,8 LTEXT "Maximum count:",IDC_STATIC,7,18,54,8 LTEXT "Unknown",IDC_MAXIMUMCOUNT,66,18,113,8 PUSHBUTTON "Acquire",IDC_ACQUIRE,7,34,50,14 PUSHBUTTON "Release",IDC_RELEASE,61,34,50,14 END IDD_OBJTIMER DIALOGEX 0, 0, 186, 76 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Timer" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Signaled:",-1,7,7,30,8 LTEXT "Unknown",IDC_SIGNALED,42,7,137,8 PUSHBUTTON "Cancel",IDC_CANCEL,7,19,50,14 END IDD_JOBSTATISTICS DIALOGEX 0, 0, 259, 186 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Statistics" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN GROUPBOX "General",IDC_STATIC,7,7,133,47 LTEXT "Active processes",IDC_STATIC,15,18,55,8 RTEXT "Static",IDC_ZACTIVEPROCESSES_V,99,18,37,8,SS_ENDELLIPSIS LTEXT "Total processes",IDC_STATIC,15,28,51,8 RTEXT "Static",IDC_ZTOTALPROCESSES_V,95,29,41,8,SS_ENDELLIPSIS LTEXT "Terminated due to job limits",IDC_STATIC,15,39,98,8 RTEXT "Static",IDC_ZTERMINATEDPROCESSES_V,107,39,29,8,SS_ENDELLIPSIS GROUPBOX "Time",IDC_STATIC,7,57,133,57 LTEXT "User time",IDC_STATIC,15,68,32,8 LTEXT "Kernel time",IDC_STATIC,15,79,38,8 LTEXT "User time (period)",IDC_STATIC,15,89,60,8 LTEXT "Kernel time (period)",IDC_STATIC,15,99,65,8 RTEXT "Static",IDC_ZUSERTIME_V,83,68,53,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZKERNELTIME_V,85,79,51,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZUSERTIMEPERIOD_V,87,89,49,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZKERNELTIMEPERIOD_V,87,99,49,8,SS_ENDELLIPSIS GROUPBOX "Memory",IDC_STATIC,7,118,133,48 LTEXT "Page faults",IDC_STATIC,15,129,38,8 LTEXT "Peak process usage",IDC_STATIC,15,140,65,8 LTEXT "Peak job usage",IDC_STATIC,15,151,52,8 RTEXT "Static",IDC_ZPAGEFAULTS_V,86,129,50,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPEAKPROCESSUSAGE_V,85,140,51,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPEAKJOBUSAGE_V,86,151,50,8,SS_ENDELLIPSIS GROUPBOX "I/O",IDC_STATIC,146,7,106,75 LTEXT "Reads",IDC_STATIC,152,17,21,8 LTEXT "Read bytes",IDC_STATIC,152,27,38,8 LTEXT "Writes",IDC_STATIC,152,37,22,8 LTEXT "Write bytes",IDC_STATIC,152,47,38,8 LTEXT "Other",IDC_STATIC,152,57,20,8 LTEXT "Other bytes",IDC_STATIC,152,67,40,8 RTEXT "Static",IDC_ZIOREADS_V,200,17,47,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZIOREADBYTES_V,200,27,47,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZIOWRITES_V,200,37,47,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZIOWRITEBYTES_V,200,47,47,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZIOOTHER_V,200,57,47,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZIOOTHERBYTES_V,200,67,47,8,SS_ENDELLIPSIS END IDD_OBJEVENTPAIR DIALOGEX 0, 0, 186, 76 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Event Pair" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Set low",IDC_SETLOW,7,7,50,14 PUSHBUTTON "Set high",IDC_SETHIGH,61,7,50,14 END IDD_AFFINITY DIALOGEX 0, 0, 279, 227 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Affinity" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN DEFPUSHBUTTON "OK",IDOK,169,206,50,14 PUSHBUTTON "Cancel",IDCANCEL,222,206,50,14 LTEXT "Affinity controls which CPUs threads are allowed to execute on.",IDC_STATIC,7,7,212,11 CONTROL "CPU 0",IDC_CPU0,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,21,35,10 CONTROL "CPU 1",IDC_CPU1,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,33,35,10 CONTROL "CPU 2",IDC_CPU2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,44,35,10 CONTROL "CPU 3",IDC_CPU3,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,56,35,10 CONTROL "CPU 4",IDC_CPU4,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,67,35,10 CONTROL "CPU 5",IDC_CPU5,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,78,35,10 CONTROL "CPU 6",IDC_CPU6,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,89,35,10 CONTROL "CPU 7",IDC_CPU7,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,100,35,10 CONTROL "CPU 8",IDC_CPU8,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,111,35,10 CONTROL "CPU 9",IDC_CPU9,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,122,35,10 CONTROL "CPU 10",IDC_CPU10,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,134,39,10 CONTROL "CPU 11",IDC_CPU11,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,145,39,10 CONTROL "CPU 12",IDC_CPU12,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,156,39,10 CONTROL "CPU 13",IDC_CPU13,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,167,39,10 CONTROL "CPU 14",IDC_CPU14,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,178,39,10 CONTROL "CPU 15",IDC_CPU15,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,190,39,10 CONTROL "CPU 16",IDC_CPU16,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,21,39,10 CONTROL "CPU 17",IDC_CPU17,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,33,39,10 CONTROL "CPU 18",IDC_CPU18,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,44,39,10 CONTROL "CPU 19",IDC_CPU19,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,56,39,10 CONTROL "CPU 20",IDC_CPU20,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,67,39,10 CONTROL "CPU 21",IDC_CPU21,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,78,39,10 CONTROL "CPU 22",IDC_CPU22,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,89,39,10 CONTROL "CPU 23",IDC_CPU23,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,100,39,10 CONTROL "CPU 24",IDC_CPU24,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,111,39,10 CONTROL "CPU 25",IDC_CPU25,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,122,39,10 CONTROL "CPU 26",IDC_CPU26,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,134,39,10 CONTROL "CPU 27",IDC_CPU27,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,145,39,10 CONTROL "CPU 28",IDC_CPU28,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,156,39,10 CONTROL "CPU 29",IDC_CPU29,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,167,39,10 CONTROL "CPU 30",IDC_CPU30,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,178,39,10 CONTROL "CPU 31",IDC_CPU31,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,79,190,39,10 CONTROL "CPU 32",IDC_CPU32,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,21,39,10 CONTROL "CPU 33",IDC_CPU33,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,33,39,10 CONTROL "CPU 34",IDC_CPU34,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,44,39,10 CONTROL "CPU 35",IDC_CPU35,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,56,39,10 CONTROL "CPU 36",IDC_CPU36,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,67,39,10 CONTROL "CPU 37",IDC_CPU37,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,78,39,10 CONTROL "CPU 38",IDC_CPU38,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,89,39,10 CONTROL "CPU 39",IDC_CPU39,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,100,39,10 CONTROL "CPU 40",IDC_CPU40,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,111,39,10 CONTROL "CPU 41",IDC_CPU41,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,122,39,10 CONTROL "CPU 42",IDC_CPU42,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,134,39,10 CONTROL "CPU 43",IDC_CPU43,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,145,39,10 CONTROL "CPU 44",IDC_CPU44,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,156,39,10 CONTROL "CPU 45",IDC_CPU45,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,167,39,10 CONTROL "CPU 46",IDC_CPU46,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,178,39,10 CONTROL "CPU 47",IDC_CPU47,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,150,190,39,10 CONTROL "CPU 48",IDC_CPU48,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,21,39,10 CONTROL "CPU 49",IDC_CPU49,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,33,39,10 CONTROL "CPU 50",IDC_CPU50,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,44,39,10 CONTROL "CPU 51",IDC_CPU51,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,56,39,10 CONTROL "CPU 52",IDC_CPU52,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,67,39,10 CONTROL "CPU 53",IDC_CPU53,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,78,39,10 CONTROL "CPU 54",IDC_CPU54,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,89,39,10 CONTROL "CPU 55",IDC_CPU55,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,100,39,10 CONTROL "CPU 56",IDC_CPU56,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,111,39,10 CONTROL "CPU 57",IDC_CPU57,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,122,39,10 CONTROL "CPU 58",IDC_CPU58,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,134,39,10 CONTROL "CPU 59",IDC_CPU59,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,145,39,10 CONTROL "CPU 60",IDC_CPU60,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,156,39,10 CONTROL "CPU 61",IDC_CPU61,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,167,39,10 CONTROL "CPU 62",IDC_CPU62,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,178,39,10 CONTROL "CPU 63",IDC_CPU63,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,224,190,39,10 PUSHBUTTON "Select all",IDC_SELECTALL,7,206,50,14 PUSHBUTTON "Deselect all",IDC_DESELECTALL,60,206,50,14 COMBOBOX IDC_GROUPCPU,220,4,52,30,CBS_DROPDOWNLIST | CBS_SORT | NOT WS_VISIBLE | WS_VSCROLL | WS_TABSTOP END IDD_SYSINFO DIALOGEX 0, 0, 423, 247 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME EXSTYLE WS_EX_APPWINDOW CAPTION "System Information" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN END IDD_EDITMESSAGE DIALOGEX 0, 0, 282, 163 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Message" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Title:",IDC_STATIC,7,8,17,8 EDITTEXT IDC_TITLE,52,7,223,12,ES_AUTOHSCROLL LTEXT "Text:",IDC_STATIC,7,24,18,8 EDITTEXT IDC_TEXT,52,23,223,79,ES_MULTILINE | ES_AUTOVSCROLL | ES_WANTRETURN | WS_VSCROLL LTEXT "Icon:",IDC_STATIC,7,107,18,8 COMBOBOX IDC_TYPE,52,105,80,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Timeout (s):",IDC_STATIC,7,123,40,8 EDITTEXT IDC_TIMEOUT,52,122,43,12,ES_AUTOHSCROLL DEFPUSHBUTTON "OK",IDOK,172,142,50,14 PUSHBUTTON "Cancel",IDCANCEL,225,142,50,14 END IDD_SESSION DIALOGEX 0, 0, 317, 267 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Session Properties" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN DEFPUSHBUTTON "Close",IDOK,265,251,50,14 CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,2,2,313,247 END IDD_PROCMEMORY DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Memory" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Refresh",IDC_REFRESH,53,2,50,14 CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,2,19,256,239,WS_EX_CLIENTEDGE PUSHBUTTON "Options",IDC_FILTEROPTIONS,2,2,50,14 EDITTEXT IDC_SEARCH,114,3,144,14,ES_AUTOHSCROLL END IDD_CHOOSE DIALOGEX 0, 0, 199, 73 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Dialog" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Text:",IDC_MESSAGE,7,7,185,8,SS_ENDELLIPSIS COMBOBOX IDC_CHOICE,7,20,185,30,CBS_DROPDOWNLIST | CBS_AUTOHSCROLL | NOT WS_VISIBLE | WS_VSCROLL | WS_TABSTOP CONTROL "Option",IDC_OPTION,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,39,185,10 DEFPUSHBUTTON "OK",IDOK,89,52,50,14 PUSHBUTTON "Cancel",IDCANCEL,142,52,50,14 COMBOBOX IDC_CHOICEUSER,7,20,185,30,CBS_DROPDOWN | CBS_AUTOHSCROLL | CBS_SORT | NOT WS_VISIBLE | WS_VSCROLL | WS_TABSTOP EDITTEXT IDC_CHOICESIMPLE,7,20,185,13,ES_PASSWORD | ES_AUTOHSCROLL | NOT WS_VISIBLE END IDD_OPTGENERAL DIALOGEX 0, 0, 315, 220 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "General" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Search engine:",IDC_STATIC,7,8,49,8 EDITTEXT IDC_SEARCHENGINE,61,7,247,12,ES_AUTOHSCROLL LTEXT "PE viewer:",IDC_STATIC,7,23,35,8 EDITTEXT IDC_PEVIEWER,61,22,247,12,ES_AUTOHSCROLL LTEXT "Max. size unit:",IDC_STATIC,7,55,49,8 COMBOBOX IDC_MAXSIZEUNIT,61,54,39,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Icon processes:",IDC_STATIC,7,72,52,8 EDITTEXT IDC_ICONPROCESSES,61,70,40,12,ES_AUTOHSCROLL | ES_NUMBER PUSHBUTTON "Font...",IDC_FONT,179,70,49,14 PUSHBUTTON "Monospace...",IDC_FONTMONOSPACE,230,70,70,14 PUSHBUTTON "Make default...",IDC_REPLACETASKMANAGER,179,86,72,14 LTEXT "Graph history length:",IDC_STATIC,106,56,69,8 EDITTEXT IDC_SAMPLECOUNT,180,55,48,12,ES_AUTOHSCROLL | ES_NUMBER CONTROL "Automatic",IDC_SAMPLECOUNTAUTOMATIC,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,233,56,48,10 CONTROL "",IDC_SETTINGS,"SysListView32",LVS_LIST | LVS_SINGLESEL | LVS_ALIGNLEFT | WS_TABSTOP,7,103,301,110 LTEXT "Application font:",IDC_STATIC,121,72,54,8 RTEXT "System Informer is the default Task Manager:",IDC_DEFSTATE,7,88,166,8 LTEXT "Symbol path:",IDC_STATIC,7,39,43,8 EDITTEXT IDC_DBGHELPSEARCHPATH,61,38,247,12,ES_AUTOHSCROLL END IDD_OPTHIGHLIGHTING DIALOGEX 0, 0, 250, 174 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Highlighting" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Highlighting duration:",IDC_STATIC,7,8,70,8 EDITTEXT IDC_HIGHLIGHTINGDURATION,79,7,40,12,ES_AUTOHSCROLL | ES_NUMBER LTEXT "New objects:",IDC_STATIC,7,25,44,8 CONTROL "New objects",IDC_NEWOBJECTS,"PhColorBox",WS_CLIPSIBLINGS | WS_TABSTOP,57,23,33,13 LTEXT "Removed objects:",IDC_STATIC,127,25,60,8 CONTROL "Removed objects",IDC_REMOVEDOBJECTS,"PhColorBox",WS_CLIPSIBLINGS | WS_TABSTOP,193,23,33,13 CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_BORDER | WS_TABSTOP,7,41,236,107 LTEXT "Double-click an item to change it.",IDC_INFO,7,156,106,8 PUSHBUTTON "Enable all",IDC_ENABLEALL,140,153,50,14 PUSHBUTTON "Disable all",IDC_DISABLEALL,193,153,50,14 END IDD_CHOOSECOLUMNS DIALOGEX 0, 0, 381, 226 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Choose Columns" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Inactive columns:",IDC_STATIC,7,21,57,8 LISTBOX IDC_INACTIVE,7,49,129,153,LBS_SORT | LBS_OWNERDRAWFIXED | LBS_HASSTRINGS | LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_TABSTOP PUSHBUTTON "Show >",IDC_SHOW,139,105,50,14 PUSHBUTTON "< Hide",IDC_HIDE,139,121,50,14 LISTBOX IDC_ACTIVE,192,49,129,153,LBS_OWNERDRAWFIXED | LBS_HASSTRINGS | LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_TABSTOP PUSHBUTTON "Move up",IDC_MOVEUP,326,49,50,14 PUSHBUTTON "Move down",IDC_MOVEDOWN,326,66,50,14 PUSHBUTTON "OK",IDOK,272,206,50,14 DEFPUSHBUTTON "Cancel",IDCANCEL,326,206,50,14 LTEXT "Active columns:",IDC_STATIC,192,21,51,8 LTEXT "Select the columns that will appear in the list.",IDC_MESSAGE,7,7,369,10 EDITTEXT IDC_SEARCH,7,33,129,14,ES_AUTOHSCROLL EDITTEXT IDC_FILTER,192,33,129,14,ES_AUTOHSCROLL END IDD_NETSTACK DIALOGEX 0, 0, 261, 228 STYLE DS_SETFONT | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Network Stack" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,7,7,247,196 PUSHBUTTON "Close",IDOK,204,207,50,14 END IDD_CREATESERVICE DIALOGEX 0, 0, 287, 133 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Create Service" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Name:",IDC_STATIC,7,8,22,8 EDITTEXT IDC_NAME,61,7,219,12,ES_AUTOHSCROLL LTEXT "Display name:",IDC_STATIC,7,24,46,8 EDITTEXT IDC_DISPLAYNAME,61,23,219,12,ES_AUTOHSCROLL LTEXT "Type:",IDC_STATIC,7,41,20,8 COMBOBOX IDC_TYPE,61,39,97,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Start type:",IDC_STATIC,7,58,38,8 COMBOBOX IDC_STARTTYPE,61,56,97,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Error control:",IDC_STATIC,7,75,45,8 COMBOBOX IDC_ERRORCONTROL,61,73,97,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP LTEXT "Binary path:",IDC_STATIC,7,91,40,8 EDITTEXT IDC_BINARYPATH,61,90,165,12,ES_AUTOHSCROLL PUSHBUTTON "Browse...",IDC_BROWSE,230,89,50,14 DEFPUSHBUTTON "OK",IDOK,176,112,50,14 PUSHBUTTON "Cancel",IDCANCEL,230,112,50,14 END IDD_PROCPERFORMANCE DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Performance" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN GROUPBOX "CPU",IDC_GROUPCPU,7,7,246,74,0,WS_EX_TRANSPARENT GROUPBOX "Private bytes",IDC_GROUPPRIVATEBYTES,7,86,246,77,0,WS_EX_TRANSPARENT GROUPBOX "I/O",IDC_GROUPIO,7,164,246,89,0,WS_EX_TRANSPARENT CONTROL "",IDC_CPU,"PhGraph",WS_CLIPSIBLINGS,105,42,50,14 CONTROL "",IDC_PRIVATEBYTES,"PhGraph",WS_CLIPSIBLINGS,105,122,50,14 CONTROL "",IDC_IO,"PhGraph",WS_CLIPSIBLINGS,105,204,50,14 END IDD_PROCSTATISTICS DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Statistics" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_STATISTICS_LIST,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,2,3,255,255 END IDD_OPTADVANCED DIALOGEX 0, 0, 317, 225 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Advanced" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN EDITTEXT IDC_SEARCH,171,3,144,14,ES_AUTOHSCROLL PUSHBUTTON "Options",IDC_FILTEROPTIONS,2,3,50,14 CONTROL "",IDC_SETTINGS,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,2,19,313,204,WS_EX_CLIENTEDGE PUSHBUTTON "Refresh",IDC_REFRESH,53,3,50,14 END IDD_GDIHANDLES DIALOGEX 0, 0, 351, 307 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "GDI Handles" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,7,7,337,275 PUSHBUTTON "Refresh",IDC_REFRESH,240,286,50,14 DEFPUSHBUTTON "Close",IDOK,294,286,50,14 END IDD_LOG DIALOGEX 0, 0, 313, 303 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME EXSTYLE WS_EX_APPWINDOW CAPTION "Log" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | LVS_OWNERDATA | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,7,7,299,272 PUSHBUTTON "Clear",IDC_CLEAR,7,282,50,14 CONTROL "Auto-scroll",IDC_AUTOSCROLL,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,61,284,50,10 PUSHBUTTON "Save...",IDC_SAVE,148,282,50,14 PUSHBUTTON "Copy",IDC_COPY,202,282,50,14 DEFPUSHBUTTON "Close",IDOK,256,282,50,14 END IDD_MEMEDIT DIALOGEX 0, 0, 441, 269 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME EXSTYLE WS_EX_APPWINDOW CAPTION "Memory" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_MEMORY,"PhHexEdit",WS_CLIPSIBLINGS | WS_VSCROLL | WS_TABSTOP,7,7,427,239 PUSHBUTTON "Re-read",IDC_REREAD,7,248,50,14 PUSHBUTTON "Write",IDC_WRITE,60,248,50,14 PUSHBUTTON "Go to...",IDC_GOTO,112,248,50,14 PUSHBUTTON "Save...",IDC_SAVE,331,248,50,14 PUSHBUTTON "Close",IDOK,384,248,50,14 COMBOBOX IDC_BYTESPERROW,164,249,86,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP END IDD_MEMPROTECT DIALOGEX 0, 0, 270, 171 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Memory Protection" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN EDITTEXT IDC_INTRO,7,7,256,122,ES_MULTILINE | ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "New value:",IDC_STATIC,120,136,37,8 EDITTEXT IDC_VALUE,161,135,102,12,ES_AUTOHSCROLL DEFPUSHBUTTON "OK",IDOK,161,150,50,14 PUSHBUTTON "Cancel",IDCANCEL,213,150,50,14 END IDD_MEMSTRINGS DIALOGEX 0, 0, 443, 254 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Strings" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Options",IDC_SETTINGS,2,3,50,14 PUSHBUTTON "Filter",IDC_FILTER,53,3,50,14 EDITTEXT IDC_SEARCH,105,3,336,14,ES_AUTOHSCROLL CONTROL "",IDC_TREELIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x2,2,19,439,219,WS_EX_CLIENTEDGE LTEXT "",IDC_MESSAGE,8,242,427,10 END IDD_MEMSTRINGSMINLEN DIALOGEX 0, 0, 123, 46 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "String Search" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Minimum length:",IDC_STATIC,7,8,54,8 EDITTEXT IDC_MINIMUMLENGTH,67,7,51,12,ES_AUTOHSCROLL DEFPUSHBUTTON "OK",IDOK,13,25,50,14 PUSHBUTTON "Cancel",IDCANCEL,67,25,50,14 END IDD_MEMRESULTS DIALOGEX 0, 0, 313, 266 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Results" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Results.",IDC_INTRO,7,9,299,8 CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | LVS_OWNERDATA | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,7,21,299,221 PUSHBUTTON "Filter",IDC_FILTER,7,245,50,14 PUSHBUTTON "Save...",IDC_SAVE,149,245,50,14 PUSHBUTTON "Copy",IDC_COPY,203,245,50,14 DEFPUSHBUTTON "Close",IDOK,256,245,50,14 END IDD_MEMSTRING DIALOGEX 0, 0, 241, 86 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "String Search" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Minimum length:",IDC_STATIC,7,8,54,8 EDITTEXT IDC_MINIMUMLENGTH,67,7,51,12,ES_AUTOHSCROLL CONTROL "Detect Unicode",IDC_DETECTUNICODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,22,65,10 LTEXT "Search in the following types of memory regions:",IDC_STATIC,7,36,157,8 CONTROL "Private",IDC_PRIVATE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,49,39,10 CONTROL "Image",IDC_IMAGE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,55,49,36,10 CONTROL "Mapped",IDC_MAPPED,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,101,49,41,10 DEFPUSHBUTTON "OK",IDOK,131,65,50,14 PUSHBUTTON "Cancel",IDCANCEL,184,65,50,14 CONTROL "Extended Unicode",IDC_EXTENDEDUNICODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,80,22,74,10 END IDD_OPTGRAPHS DIALOGEX 0, 0, 250, 156 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Graphs" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "Show text",IDC_SHOWTEXT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,7,49,10 CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_DISABLED | WS_TABSTOP,7,44,236,105 CONTROL "Use old colors (black background)",IDC_USEOLDCOLORS, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,19,123,10 CONTROL "Show commit charge instead of physical memory in summary view",IDC_SHOWCOMMITINSUMMARY, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,31,227,10 END IDD_PLUGINMANAGER DIALOGEX 0, 0, 501, 272 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Plugins" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Changes may require a restart to take effect.",IDC_INSTRUCTION,2,262,148,8 CONTROL "",IDC_PLUGINTREE,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,2,2,497,253,WS_EX_CLIENTEDGE PUSHBUTTON "Disabled plugins (0)",IDC_DISABLED,427,256,72,14 END IDD_HANDLESTATS DIALOGEX 0, 0, 219, 175 STYLE DS_SETFONT | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Handle Statistics" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,7,7,205,143 DEFPUSHBUTTON "Close",IDOK,162,154,50,14 END IDD_PROCRECORD DIALOGEX 0, 0, 260, 202 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Process Record" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Name:",IDC_STATIC,7,9,22,8 EDITTEXT IDC_PROCESSNAME,39,9,214,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Parent:",IDC_STATIC,7,21,25,8 EDITTEXT IDC_PARENT,39,21,214,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER GROUPBOX "File",IDC_FILE,7,38,246,79 ICON "",IDC_FILEICON,14,49,20,20 EDITTEXT IDC_NAME,44,48,182,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER EDITTEXT IDC_COMPANYNAME,44,60,183,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Version:",IDC_STATIC,15,72,27,8 EDITTEXT IDC_VERSION,44,72,183,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Image file name:",IDC_STATIC,15,86,56,8 EDITTEXT IDC_FILENAME,15,96,211,12,ES_AUTOHSCROLL | ES_READONLY PUSHBUTTON "Open",IDC_OPENFILENAME,230,95,17,15,BS_ICON LTEXT "Command line:",IDC_STATIC,7,123,50,8 EDITTEXT IDC_CMDLINE,65,121,188,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Started:",IDC_STATIC,7,139,28,8 EDITTEXT IDC_STARTED,65,137,188,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Terminated:",IDC_STATIC,7,155,40,8 EDITTEXT IDC_TERMINATED,65,153,188,12,ES_AUTOHSCROLL | ES_READONLY LTEXT "Session ID:",IDC_STATIC,7,170,37,8 LTEXT "Static",IDC_SESSIONID,50,170,19,8 PUSHBUTTON "Properties",IDC_PROPERTIES,150,181,50,14 DEFPUSHBUTTON "Close",IDOK,203,181,50,14 END IDD_CHOOSEPROCESS DIALOGEX 0, 0, 317, 239 STYLE DS_SETFONT | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Select a Process" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Select a process from the list below.",IDC_MESSAGE,7,7,303,8,SS_ENDELLIPSIS CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_SHAREIMAGELISTS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,7,21,303,193 PUSHBUTTON "Refresh",IDC_REFRESH,7,218,50,14 DEFPUSHBUTTON "OK",IDOK,205,218,50,14 PUSHBUTTON "Cancel",IDCANCEL,260,218,50,14 END IDD_PROCSERVICES DIALOGEX 0, 0, 260, 261 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Services" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Services",IDC_SERVICES_LAYOUT,7,7,246,247,NOT WS_VISIBLE | WS_BORDER END IDD_SHADOWSESSION DIALOGEX 0, 0, 228, 84 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Remote Control" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "To end the remote control session, press this key and the modifiers selected below:",IDC_STATIC,7,7,214,19 COMBOBOX IDC_VIRTUALKEY,7,27,74,30,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP CONTROL "Shift",IDC_SHIFT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,47,31,10 CONTROL "Ctrl",IDC_CTRL,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,49,47,27,10 CONTROL "Alt",IDC_ALT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,47,25,10 DEFPUSHBUTTON "OK",IDOK,117,63,50,14 PUSHBUTTON "Cancel",IDCANCEL,171,63,50,14 END IDD_TOKCAPABILITIES DIALOGEX 0, 0, 270, 228 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Capabilities" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x32,0,0,270,228 END IDD_TOKATTRIBUTES DIALOGEX 0, 0, 270, 228 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Attributes" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x32,0,0,270,228 END IDD_TOKAPPPOLICY DIALOGEX 0, 0, 270, 228 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Policy" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,0,0,270,228 END IDD_SYSINFO_CPU DIALOGEX 0, 0, 316, 195 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CONTROL | WS_CHILD | WS_CAPTION | WS_SYSMENU EXSTYLE WS_EX_CONTROLPARENT CAPTION "CPU" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN RTEXT "CPU name",IDC_CPUNAME,41,4,274,16,SS_WORDELLIPSIS LTEXT "CPU",IDC_TITLE,0,0,37,21 LTEXT "Panel layout",IDC_LAYOUT,0,105,315,88,NOT WS_VISIBLE LTEXT "Graph layout",IDC_GRAPH_LAYOUT,0,22,315,82,NOT WS_VISIBLE END IDD_SYSINFO_CPUPANEL DIALOGEX 0, 0, 506, 86 STYLE DS_SETFONT | DS_FIXEDSYS | WS_CHILD | WS_SYSMENU EXSTYLE WS_EX_CONTROLPARENT FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Utilization:",IDC_STATIC,6,3,34,8 LTEXT "Speed:",IDC_STATIC,108,3,24,8 LTEXT "Virtualization:",IDC_STATIC,247,3,60,8 LTEXT "Static",IDC_UTILIZATION,46,0,60,15 LTEXT "Static",IDC_SPEED,137,0,100,15 LTEXT "Static",IDC_VIRTUALIZATION,296,0,500,15 GROUPBOX "System",IDC_STATIC,0,17,97,55 LTEXT "Processes",IDC_STATIC,7,28,33,8 LTEXT "Threads",IDC_STATIC,7,38,27,8 LTEXT "Handles",IDC_STATIC,7,48,26,8 LTEXT "Uptime",IDC_STATIC,7,58,23,8 RTEXT "Static",IDC_ZPROCESSES_V,45,28,46,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZTHREADS_V,45,38,46,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZHANDLES_V,45,48,46,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZUPTIME_V,46,58,45,8,SS_ENDELLIPSIS CONTROL "&Show one graph per CPU",IDC_ONEGRAPHPERCPU,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,0,76,96,10 GROUPBOX "CPU",IDC_STATIC,101,17,136,55 LTEXT "Context switches delta",IDC_STATIC,109,28,76,8 LTEXT "Interrupts delta",IDC_STATIC,109,38,52,8 LTEXT "DPCs delta",IDC_STATIC,109,48,36,8 LTEXT "System calls delta",IDC_STATIC,109,58,60,8 RTEXT "Static",IDC_ZCONTEXTSWITCHESDELTA_V,191,28,40,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZINTERRUPTSDELTA_V,185,39,46,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZDPCSDELTA_V,181,48,50,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZSYSTEMCALLSDELTA_V,179,58,52,8,SS_ENDELLIPSIS GROUPBOX "Topology",IDC_STATIC,241,17,109,55 LTEXT "Cores",IDC_STATIC,249,28,76,8 LTEXT "Sockets",IDC_STATIC,249,38,26,8 LTEXT "Logical processors",IDC_STATIC,249,48,58,8 LTEXT "Latency",IDC_STATIC,249,58,60,8 RTEXT "Static",IDC_ZCORES,305,28,40,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZSOCKETS,299,38,46,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLOGICAL,314,48,31,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLATENCY,293,58,52,8,SS_ENDELLIPSIS GROUPBOX "Hardware",IDC_STATIC,354,17,97,55 LTEXT "L1 cache",IDC_STATIC,362,28,52,8 RTEXT "Static",IDC_ZL1CACHE_V,394,28,52,8,SS_ENDELLIPSIS LTEXT "L2 cache",IDC_STATIC,362,38,53,8 RTEXT "Static",IDC_ZL2CACHE_V,394,38,52,8,SS_ENDELLIPSIS LTEXT "L3 cache",IDC_STATIC,362,48,53,8 RTEXT "Static",IDC_ZL3CACHE_V,394,48,52,8,SS_ENDELLIPSIS END IDD_SYSINFO_MEMPANEL DIALOGEX 0, 0, 488, 171 STYLE DS_SETFONT | DS_FIXEDSYS | WS_CHILD | WS_SYSMENU EXSTYLE WS_EX_CONTROLPARENT FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN GROUPBOX "Commit charge",IDC_STATIC,0,0,108,44 LTEXT "Current",IDC_STATIC,7,11,26,8 LTEXT "Peak",IDC_STATIC,7,21,16,8 LTEXT "Limit",IDC_STATIC,7,31,15,8 RTEXT "Static",IDC_ZCOMMITCURRENT_V,45,11,56,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZCOMMITPEAK_V,41,21,60,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZCOMMITLIMIT_V,40,31,61,8,SS_ENDELLIPSIS GROUPBOX "Physical memory",IDC_STATIC,112,0,118,73 LTEXT "Current",IDC_STATIC,120,11,26,8 LTEXT "Cache WS",IDC_STATIC,120,41,34,8 RTEXT "Static",IDC_ZPHYSICALCURRENT_V,151,11,71,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPHYSICALTOTAL_V,145,21,77,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPHYSICALCACHEWS_V,159,41,63,8,SS_ENDELLIPSIS LTEXT "Total",IDC_STATIC,120,21,17,8 LTEXT "Kernel WS",IDC_STATIC,120,51,34,8 RTEXT "Static",IDC_ZPHYSICALKERNELWS_V,159,51,63,8,SS_ENDELLIPSIS LTEXT "Driver WS",IDC_STATIC,120,61,33,8 RTEXT "Static",IDC_ZPHYSICALDRIVERWS_V,159,61,63,8,SS_ENDELLIPSIS GROUPBOX "Paged pool",IDC_STATIC,0,47,108,64 LTEXT "Working set",IDC_STATIC,7,58,40,8 LTEXT "Limit",IDC_STATIC,7,78,15,8 RTEXT "Static",IDC_ZPAGEDWORKINGSET_V,54,58,47,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPAGEDVIRTUALSIZE_V,52,68,49,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPAGEDLIMIT_V,36,78,65,8,SS_ENDELLIPSIS LTEXT "Virtual size",IDC_STATIC,7,68,36,8 LTEXT "Allocs delta",IDC_STATIC,7,88,38,8 RTEXT "Static",IDC_ZPAGEDALLOCSDELTA_V,53,88,48,8,SS_ENDELLIPSIS LTEXT "Frees delta",IDC_STATIC,7,98,38,8 RTEXT "Static",IDC_ZPAGEDFREESDELTA_V,51,98,50,8,SS_ENDELLIPSIS GROUPBOX "Non-paged pool",IDC_STATIC,0,114,108,55 LTEXT "Usage",IDC_STATIC,7,125,21,8 LTEXT "Allocs delta",IDC_STATIC,7,145,38,8 RTEXT "Static",IDC_ZNONPAGEDUSAGE_V,36,125,65,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZNONPAGEDLIMIT_V,29,135,72,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZNONPAGEDALLOCSDELTA_V,50,145,51,8,SS_ENDELLIPSIS LTEXT "Limit",IDC_STATIC,7,135,15,8 LTEXT "Frees delta",IDC_STATIC,7,155,38,8 RTEXT "Static",IDC_ZNONPAGEDFREESDELTA_V,48,155,53,8,SS_ENDELLIPSIS GROUPBOX "Memory lists",IDC_STATIC,234,0,123,169 LTEXT "Zeroed",IDC_STATIC,242,11,24,8 LTEXT "Modified",IDC_STATIC,242,31,28,8 RTEXT "Static",IDC_ZLISTZEROED_V,304,11,47,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTFREE_V,302,21,49,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTMODIFIED_V,298,31,53,8,SS_ENDELLIPSIS LTEXT "Free",IDC_STATIC,242,21,16,8 LTEXT "Modified no-write",IDC_STATIC,242,41,60,8 RTEXT "Static",IDC_ZLISTMODIFIEDNOWRITE_V,303,41,48,8,SS_ENDELLIPSIS LTEXT "Standby",IDC_STATIC,242,61,28,8 LTEXT "Priority 0",IDC_STATIC,251,71,30,8 LTEXT "Priority 1",IDC_STATIC,251,80,30,8 LTEXT "Priority 2",IDC_STATIC,251,90,30,8 LTEXT "Priority 3",IDC_STATIC,251,100,30,8 LTEXT "Priority 4",IDC_STATIC,251,110,30,8 LTEXT "Priority 5",IDC_STATIC,251,120,30,8 LTEXT "Priority 6",IDC_STATIC,251,130,30,8 LTEXT "Priority 7",IDC_STATIC,251,140,30,8 RTEXT "Static",IDC_ZLISTSTANDBY_V,303,61,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY0_V,303,71,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY1_V,303,80,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY2_V,303,90,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY3_V,303,100,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY4_V,303,110,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY5_V,303,120,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY6_V,303,130,48,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY7_V,303,140,48,8,SS_ENDELLIPSIS GROUPBOX "Paging",IDC_STATIC,112,75,118,55 LTEXT "Page faults delta",IDC_STATIC,120,86,57,8 LTEXT "Pagefile writes delta",IDC_STATIC,120,106,68,8 RTEXT "Static",IDC_ZPAGINGPAGEFAULTSDELTA_V,183,86,39,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPAGINGPAGEREADSDELTA_V,179,96,43,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZPAGINGPAGEFILEWRITESDELTA_V,189,106,33,8,SS_ENDELLIPSIS LTEXT "Page reads delta",IDC_STATIC,120,96,58,8 LTEXT "Mapped writes delta",IDC_STATIC,120,116,68,8 RTEXT "Static",IDC_ZPAGINGMAPPEDWRITESDELTA_V,191,116,31,8,SS_ENDELLIPSIS LTEXT "Modified pagefile",IDC_STATIC,242,51,60,8 RTEXT "Static",IDC_ZLISTMODIFIEDPAGEFILE_V,303,51,48,8,SS_ENDELLIPSIS PUSHBUTTON "&More",IDC_MORE,242,152,50,14 RTEXT "Static",IDC_ZPHYSICALRESERVED_V,157,31,65,8,SS_ENDELLIPSIS LTEXT "Reserved",IDC_STATIC,120,31,32,8 GROUPBOX "Mapped IO",IDC_STATIC,112,132,118,36 LTEXT "Mapped reads",IDC_STATIC,119,145,68,8 RTEXT "Static",IDC_ZMAPPEDREADIO,180,145,42,8,SS_ENDELLIPSIS LTEXT "Mapped writes",IDC_STATIC,119,156,68,8 RTEXT "Static",IDC_ZMAPPEDWRITEIO,180,156,42,8,SS_ENDELLIPSIS PUSHBUTTON "&Empty",IDC_EMPTY,299,152,50,14 GROUPBOX "Hardware",IDC_STATIC,361,0,114,63 LTEXT "Slots used",IDC_STATIC,369,11,40,8 RTEXT "Static",IDC_ZMEMSLOTS_V,415,11,54,8,SS_ENDELLIPSIS LTEXT "Form factor",IDC_STATIC,369,21,48,8 RTEXT "Static",IDC_ZMEMFORMFACTOR_V,419,21,50,8,SS_ENDELLIPSIS LTEXT "Technology",IDC_STATIC,369,31,48,8 RTEXT "Static",IDC_ZMEMTECHNOLOGY_V,419,31,50,8,SS_ENDELLIPSIS LTEXT "Memory type",IDC_STATIC,369,41,48,8 RTEXT "Static",IDC_ZMEMTYPE_V,419,41,50,8,SS_ENDELLIPSIS LTEXT "Speed",IDC_STATIC,369,51,26,8 RTEXT "Static",IDC_ZMEMSPEED_V,397,51,72,8,SS_ENDELLIPSIS END IDD_SYSINFO_MEM DIALOGEX 0, 0, 316, 250 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CONTROL | WS_CHILD | WS_CAPTION | WS_SYSMENU EXSTYLE WS_EX_CONTROLPARENT CAPTION "Memory" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Memory",IDC_TITLE,0,0,110,21 LTEXT "Panel layout",IDC_LAYOUT,0,74,315,175,NOT WS_VISIBLE LTEXT "Graph layout",IDC_GRAPH_LAYOUT,0,22,315,51,NOT WS_VISIBLE RTEXT "Total physical",IDC_TOTALPHYSICAL,127,4,188,16,SS_WORDELLIPSIS LTEXT "Commit charge:",IDC_COMMIT_L,111,1,52,8 LTEXT "Physical memory:",IDC_PHYSICAL_L,111,7,56,8 END IDD_SYSINFO_IO DIALOGEX 0, 0, 316, 187 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CONTROL | WS_CHILD | WS_CAPTION | WS_SYSMENU CAPTION "I/O" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "I/O",IDC_TITLE,0,0,110,21 LTEXT "Panel layout",IDC_LAYOUT,0,109,315,78,NOT WS_VISIBLE LTEXT "Graph layout",IDC_GRAPH_LAYOUT,0,22,315,84,NOT WS_VISIBLE LTEXT "Read bytes:",IDC_IOREAD_L,111,1,52,8 LTEXT "Write bytes:",IDC_IOWRITE_L,111,7,56,8 LTEXT "Other bytes:",IDC_IOOTHER_L,111,14,60,8 END IDD_SYSINFO_IOPANEL DIALOGEX 0, 0, 276, 75 STYLE DS_SETFONT | DS_FIXEDSYS | WS_CHILD | WS_SYSMENU FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN GROUPBOX "I/O deltas",IDC_STATIC,0,0,133,74 LTEXT "Reads delta",IDC_STATIC,7,11,40,8 LTEXT "Read bytes delta",IDC_STATIC,7,21,56,8 LTEXT "Writes delta",IDC_STATIC,7,31,40,8 LTEXT "Write bytes delta",IDC_STATIC,7,41,57,8 RTEXT "Static",IDC_ZREADSDELTA_V,59,11,67,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZREADBYTESDELTA_V,75,21,51,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZWRITESDELTA_V,57,31,69,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZWRITEBYTESDELTA_V,73,41,53,8,SS_ENDELLIPSIS LTEXT "Other delta",IDC_STATIC,7,51,38,8 LTEXT "Other bytes delta",IDC_STATIC,7,61,58,8 RTEXT "Static",IDC_ZOTHERDELTA_V,67,51,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZOTHERBYTESDELTA_V,81,61,45,8,SS_ENDELLIPSIS GROUPBOX "I/O totals",IDC_STATIC,137,0,133,74 LTEXT "Reads",IDC_STATIC,145,11,21,8 LTEXT "Read bytes",IDC_STATIC,145,21,38,8 LTEXT "Writes",IDC_STATIC,145,31,22,8 LTEXT "Write bytes",IDC_STATIC,145,41,38,8 RTEXT "Static",IDC_ZREADS_V,197,11,67,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZREADBYTES_V,192,21,72,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZWRITES_V,195,31,69,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZWRITEBYTES_V,190,41,74,8,SS_ENDELLIPSIS LTEXT "Other",IDC_STATIC,145,51,20,8 LTEXT "Other bytes",IDC_STATIC,145,61,40,8 RTEXT "Static",IDC_ZOTHER_V,191,51,73,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZOTHERBYTES_V,192,61,72,8,SS_ENDELLIPSIS END IDD_MEMLISTS DIALOGEX 0, 0, 228, 195 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU EXSTYLE WS_EX_TOPMOST CAPTION "Memory Lists" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN DEFPUSHBUTTON "Close",IDOK,171,174,50,14 LTEXT "Zeroed",IDC_STATIC,7,7,24,8 LTEXT "Free",IDC_STATIC,7,17,16,8 LTEXT "Modified",IDC_STATIC,7,28,28,8 LTEXT "Modified no-write",IDC_STATIC,7,39,56,8 LTEXT "Bad",IDC_STATIC,7,60,13,8 LTEXT "Standby",IDC_STATIC,7,72,28,8 LTEXT "Priority 0",IDC_STATIC,23,83,30,8 LTEXT "Priority 1",IDC_STATIC,23,94,30,8 LTEXT "Priority 2",IDC_STATIC,23,105,30,8 LTEXT "Priority 3",IDC_STATIC,23,116,30,8 LTEXT "Priority 4",IDC_STATIC,23,128,30,8 LTEXT "Priority 5",IDC_STATIC,23,139,30,8 LTEXT "Priority 6",IDC_STATIC,23,150,30,8 LTEXT "Priority 7",IDC_STATIC,23,161,30,8 RTEXT "Static",IDC_ZLISTZEROED_V,73,7,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTFREE_V,73,17,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTMODIFIED_V,73,28,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTMODIFIEDNOWRITE_V,73,39,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTBAD_V,73,60,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY_V,73,72,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY0_V,73,83,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY1_V,73,94,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY2_V,73,105,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY3_V,73,116,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY4_V,73,128,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY5_V,73,139,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY6_V,73,150,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTSTANDBY7_V,73,161,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED_V,162,72,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED0_V,162,84,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED1_V,162,95,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED2_V,162,106,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED3_V,162,117,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED4_V,162,128,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED5_V,162,139,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED6_V,162,150,59,8,SS_ENDELLIPSIS RTEXT "Static",IDC_ZLISTREPURPOSED7_V,162,161,59,8,SS_ENDELLIPSIS RTEXT "(Repurposed)",IDC_STATIC,162,60,59,8 PUSHBUTTON "&Empty",IDC_EMPTY,117,174,50,14 LTEXT "Modified pagefile",IDC_STATIC,7,49,55,8 RTEXT "Static",IDC_ZLISTMODIFIEDPAGEFILE_V,73,49,59,8,SS_ENDELLIPSIS END IDD_CONTAINER DIALOGEX 0, 0, 316, 182 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD | WS_SYSMENU EXSTYLE WS_EX_CONTROLPARENT FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN END IDD_MINIINFO DIALOGEX 0, 0, 217, 150 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Content layout",IDC_LAYOUT,4,3,210,128,NOT WS_VISIBLE CONTROL "Section",IDC_SECTION,"Static",SS_LEFTNOWORDWRAP | SS_NOTIFY | SS_ENDELLIPSIS | WS_GROUP,4,134,177,13 PUSHBUTTON "Options",IDC_OPTIONS,183,133,15,14,BS_ICON CONTROL "Pin",IDC_PINWINDOW,"Button",BS_AUTOCHECKBOX | BS_ICON | BS_PUSHLIKE | WS_TABSTOP,199,133,15,14 END IDD_MINIINFO_LIST DIALOGEX 0, 0, 217, 141 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "CPU" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0x82,0,0,217,140,WS_EX_CLIENTEDGE END IDD_MITIGATION DIALOGEX 0, 0, 277, 217 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Mitigation Policies" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_BORDER | WS_TABSTOP,7,7,263,108 LTEXT "Description:",IDC_DESCRIPTIONLABEL,7,118,38,8 EDITTEXT IDC_DESCRIPTION,7,129,263,62,ES_MULTILINE | ES_READONLY | WS_VSCROLL DEFPUSHBUTTON "OK",IDOK,220,196,50,14 END IDD_EDITENV DIALOGEX 0, 0, 311, 177 STYLE DS_SETFONT | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Edit Environment Variable" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Name:",IDC_STATIC,7,8,21,8 EDITTEXT IDC_NAME,38,7,266,12,ES_AUTOHSCROLL LTEXT "Value:",IDC_STATIC,7,25,21,8 EDITTEXT IDC_VALUE,38,24,266,128,ES_MULTILINE | WS_VSCROLL DEFPUSHBUTTON "OK",IDOK,200,156,50,14 PUSHBUTTON "Cancel",IDCANCEL,254,156,50,14 END IDD_OPTIONS DIALOGEX 0, 0, 423, 247 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Options" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN DEFPUSHBUTTON "Close",IDOK,371,231,50,14 CONTROL "",IDC_SECTIONTREE,"SysTreeView32",TVS_SHOWSELALWAYS | TVS_TRACKSELECT | TVS_FULLROWSELECT | WS_HSCROLL | WS_TABSTOP,2,1,103,244 CONTROL "",IDD_CONTAINER,"#32770",0x44c,107,0,316,229,WS_EX_TOPMOST | WS_EX_TOOLWINDOW | WS_EX_CONTROLPARENT | 0xc0000800L PUSHBUTTON "Reset",IDC_RESET,108,231,50,14 PUSHBUTTON "Apply",IDC_APPLY,319,231,50,14,NOT WS_VISIBLE PUSHBUTTON "Cleanup",IDC_CLEANUP,160,231,50,14 END IDD_PLUGINPROPERTIES DIALOGEX 0, 0, 291, 152 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Plugin Properties" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN GROUPBOX "Plugin",IDC_STATIC,7,7,277,122 LTEXT "Name:",IDC_STATIC,15,18,22,8 EDITTEXT IDC_NAME,71,18,104,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Internal name:",IDC_STATIC,15,30,49,8 EDITTEXT IDC_INTERNALNAME,71,30,203,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Author:",IDC_STATIC,15,41,26,8 EDITTEXT IDC_AUTHOR,71,41,203,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "URL:",IDC_STATIC,15,52,16,8 EDITTEXT IDC_URL,71,52,174,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER CONTROL "Open",IDC_OPENURL,"SysLink",WS_TABSTOP,250,52,26,10 LTEXT "File name:",IDC_STATIC,15,63,34,8 EDITTEXT IDC_FILENAME,71,63,203,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Version:",IDC_STATIC,183,18,27,8 EDITTEXT IDC_VERSION,215,18,59,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER LTEXT "Description:",IDC_STATIC,15,74,39,8 EDITTEXT IDC_DESCRIPTION,14,86,263,37,ES_MULTILINE | ES_READONLY PUSHBUTTON "Options...",IDC_OPTIONS,7,131,50,14 DEFPUSHBUTTON "Close",IDOK,234,131,50,14 END IDD_PLUGINSDISABLED DIALOGEX 0, 0, 309, 176 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Disabled Plugins" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN DEFPUSHBUTTON "OK",IDOK,257,160,50,14 CONTROL "",IDC_LIST_DISABLED,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_BORDER | WS_TABSTOP,2,2,305,157 LTEXT "Changes may require a restart to take effect.",IDC_INSTRUCTION,2,163,148,8,NOT WS_VISIBLE END IDD_PROCWMIPROVIDERS DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "WMI" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Refresh",IDC_REFRESH,53,2,50,14 PUSHBUTTON "Options",IDC_OPTIONS,2,2,50,14 EDITTEXT IDC_SEARCH,114,3,144,14,ES_AUTOHSCROLL CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,2,19,256,239,WS_EX_CLIENTEDGE END IDD_COLUMNSETS DIALOGEX 0, 0, 231, 188 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Organize Column Sets" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN PUSHBUTTON "Move up",IDC_MOVEUP,177,42,50,14 PUSHBUTTON "Move down",IDC_MOVEDOWN,177,59,50,14 PUSHBUTTON "OK",IDOK,177,171,50,14 PUSHBUTTON "Rename",IDC_RENAME,177,4,50,14 PUSHBUTTON "Delete",IDC_REMOVE,177,94,50,14 CONTROL "",IDC_COLUMNSETLIST,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_EDITLABELS | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_BORDER | WS_TABSTOP,4,4,170,180 END IDD_RUNFILEDLG DIALOGEX 0, 0, 235, 105 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Run" FONT 9, "Segoe UI", 0, 0, 0x1 BEGIN ICON 100,IDC_FILEICON,7,11,20,20 LTEXT "Type the name of a program, folder, document, or Internet resource, and Windows will open it for you.",IDC_STATIC,36,11,182,22 LTEXT "&Open:",IDC_STATIC,7,39,28,10 COMBOBOX IDC_PROGRAMCOMBO,36,37,183,200,CBS_DROPDOWN | CBS_AUTOHSCROLL | CBS_DISABLENOSCROLL | WS_VSCROLL | WS_TABSTOP DEFPUSHBUTTON "OK",IDOK,62,82,50,14 PUSHBUTTON "Cancel",IDCANCEL,116,82,50,14 PUSHBUTTON "&Browse...",IDC_BROWSE,170,82,50,14 CONTROL "Create this task with TrustedInstaller privileges.",IDC_TRUSTEDINSTALLER, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,40,62,180,10 CONTROL "Create this task with Administrative privileges.",IDC_TOGGLEELEVATION, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,40,51,180,10 END IDD_PROCDUMP DIALOGEX 0, 0, 191, 296 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Process dump" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "Normal",IDC_MINIDUMP_NORMAL,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,7,177,10 CONTROL "With data segments",IDC_MINIDUMP_WITH_DATA_SEGS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,17,177,10 CONTROL "With full memory",IDC_MINIDUMP_WITH_FULL_MEM,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,27,177,10 CONTROL "With handle data",IDC_MINIDUMP_WITH_HANDLE_DATA,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,37,177,10 CONTROL "Filter memory",IDC_MINIDUMP_FILTER_MEMORY,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,47,177,10 CONTROL "Scan memory",IDC_MINIDUMP_SCAN_MEMORY,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,57,177,10 CONTROL "With unloaded modules",IDC_MINIDUMP_WITH_UNLOADED_MODULES, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,67,177,10 CONTROL "With indirectly referenced memory",IDC_MINIDUMP_WITH_INDIRECT_REFERENCED_MEM, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,77,177,10 CONTROL "Filter module paths",IDC_MINIDUMP_FILTER_MODULE_PATHS, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,87,179,10 CONTROL "With process and thread data",IDC_MINIDUMP_WITH_PROC_THRD_DATA, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,97,177,10 CONTROL "With private read-write memory",IDC_MINIDUMP_WITH_PRIVATE_RW_MEM, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,107,177,10 CONTROL "Without optional data",IDC_MINIDUMP_WITHOUT_OPTIONAL_DATA, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,117,177,10 CONTROL "With full memory info",IDC_MINIDUMP_WITH_FULL_MEM_INFO, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,127,177,10 CONTROL "With thread info",IDC_MINIDUMP_WITH_THRD_INFO,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,137,177,10 CONTROL "With code segments",IDC_MINIDUMP_WITH_CODE_SEGS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,147,177,10 CONTROL "Without auxiliary state",IDC_MINIDUMP_WITHOUT_AUXILIARY_STATE, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,157,177,10 CONTROL "With full auxiliary state",IDC_MINIDUMP_WITH_FULL_AUXILIARY_STATE, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,167,177,10 CONTROL "With private write-copy memory",IDC_MINIDUMP_WITH_PRIVATE_WRITE_COPY_MEM, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,177,177,10 CONTROL "Ignore inaccessible memory",IDC_MINIDUMP_IGNORE_INACCESSIBLE_MEM, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,187,177,10 CONTROL "With token information",IDC_MINIDUMP_WITH_TOKEN_INFO, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,197,177,10 CONTROL "With module headers",IDC_MINIDUMP_WITH_MODULE_HEADERS, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,207,177,10 CONTROL "With filter triage data",IDC_MINIDUMP_FILTER_TRIAGE, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,217,177,10 CONTROL "With AVX state context registers",IDC_MINIDUMP_WITH_AVXX_STATE_CONTEXT, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,227,177,10 CONTROL "With Intel processor trace data",IDC_MINIDUMP_WITH_IPT_TRACE, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,237,177,10 CONTROL "Scan inaccessible partial pages",IDC_MINIDUMP_SCAN_INACCESSIBLE_PARTIAL_PAGES, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,247,177,10 CONTROL "Filter write-combined memory",IDC_MINIDUMP_FILTER_WRITE_COMBINE_MEM, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,257,177,10 DEFPUSHBUTTON "Save",IDOK,80,275,50,14 PUSHBUTTON "Cancel",IDCANCEL,134,275,50,14 END IDD_LIVEDUMP DIALOGEX 0, 0, 191, 97 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Live kernel dump" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "Use dump storage stack",IDC_DUMPSTACK,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,7,177,10 CONTROL "Compress memory pages",IDC_COMPRESS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,17,177,10 CONTROL "Capture user pages",IDC_USERMODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,27,177,10 CONTROL "Capture Hypervisor pages",IDC_HYPERVISOR,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,37,177,10 CONTROL "Include nonessential Hypervisor pages",IDC_HYPERVISORNONESSENTIAL, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,47,177,10 CONTROL "Only kernel thread stacks",IDC_ONLYKERNELTHREADSTACKS, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,57,177,10 DEFPUSHBUTTON "Save",IDOK,80,76,50,14 PUSHBUTTON "Cancel",IDCANCEL,134,76,50,14 END IDD_HEAPS DIALOGEX 0, 0, 343, 268 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Heaps" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN DEFPUSHBUTTON "Close",IDCANCEL,289,251,50,14 CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_TABSTOP,0,0,343,248 CONTROL "Sizes in bytes",IDC_SIZESINBYTES,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,6,254,59,10 PUSHBUTTON "Refresh",IDC_REFRESH,235,251,50,14 END IDD_PROCVDMHOST DIALOGEX 0, 0, 260, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "NTVDM" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,2,2,256,256 END IDD_RUNPACKAGE DIALOGEX 0, 0, 317, 239 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Select a package" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN LTEXT "Select the identity for access to the package file system and registry.",IDC_MESSAGE,7,36,303,8,SS_ENDELLIPSIS PUSHBUTTON "Refresh",IDC_REFRESH,144,218,50,14 DEFPUSHBUTTON "OK",IDOK,205,218,50,14 PUSHBUTTON "Cancel",IDCANCEL,260,218,50,14 COMBOBOX IDC_PROGRAMCOMBO,7,20,250,200,CBS_DROPDOWN | CBS_AUTOHSCROLL | CBS_DISABLENOSCROLL | WS_VSCROLL | WS_TABSTOP LTEXT "Enter the command to start as the specified package.",IDC_TITLE,7,7,172,8 PUSHBUTTON "Browse",IDC_BROWSE,260,19,50,14 CONTROL "",IDC_LIST,"PhTreeNew",WS_CLIPSIBLINGS | WS_CLIPCHILDREN | WS_TABSTOP | 0xa,7,49,303,165,WS_EX_CLIENTEDGE EDITTEXT IDC_SEARCH,7,218,135,14,ES_AUTOHSCROLL END IDD_OBJMAPPINGS DIALOGEX 0, 0, 300, 260 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Mappings" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_SHAREIMAGELISTS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,7,7,286,246 LTEXT "Static",IDC_TEXT,7,7,286,246,NOT WS_VISIBLE END IDD_MODIFIEDPAGES DIALOGEX 0, 0, 351, 307 STYLE DS_SETFONT | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME CAPTION "Modified pages" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_SHOWSELALWAYS | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,2,2,347,286 PUSHBUTTON "Refresh",IDC_REFRESH,240,291,50,14 DEFPUSHBUTTON "Close",IDOK,294,291,50,14 LTEXT "Status",IDC_STATE,4,294,20,8 END IDD_CHOOSENEW DIALOGEX 0, 0, 270, 120 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Input Prompt" FONT 8, "MS Shell Dlg", 400, 0, 0x0 BEGIN LTEXT "Input Prompt",IDC_TITLE,7,7,262,22 CONTROL "Input Prompt",IDC_TEXT,"SysLink",WS_TABSTOP,7,33,259,23 CONTROL "",IDC_SIZE_,"Static",SS_ETCHEDHORZ,0,90,271,1 DEFPUSHBUTTON "&Ok",IDOK,158,98,50,14 PUSHBUTTON "Cancel",IDCANCEL,212,98,50,14 COMBOBOX IDC_INPUT,7,64,255,30,CBS_DROPDOWN | CBS_SORT | WS_VSCROLL | WS_TABSTOP END IDD_OBJAFDSOCKET DIALOGEX 0, 0, 260, 234 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Socket" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_TABSTOP,0,2,260,232 END IDD_HNDLSECURITY DIALOGEX 0, 0, 260, 181 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Permissions" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,0,60,260,94 PUSHBUTTON "Add",IDC_ADD,1,160,47,14 PUSHBUTTON "Advanced",IDC_ADVANCED,212,160,47,14 PUSHBUTTON "Remove",IDC_REMOVE,51,160,47,14 PUSHBUTTON "View",IDC_SHOW,103,160,47,14 CONTROL "",IDC_SETTINGS,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_TABSTOP,0,2,260,46 END IDD_HNDLSECAUDIT DIALOGEX 0, 0, 260, 181 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Auditing" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "",IDC_LIST,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,0,60,260,94 PUSHBUTTON "Add",IDC_ADD,1,160,47,14,NOT WS_VISIBLE PUSHBUTTON "Advanced",IDC_ADVANCED,212,160,47,14 PUSHBUTTON "Remove",IDC_REMOVE,51,160,47,14,NOT WS_VISIBLE PUSHBUTTON "View",IDC_SHOW,103,160,47,14,NOT WS_VISIBLE CONTROL "",IDC_SETTINGS,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | LVS_NOCOLUMNHEADER | WS_TABSTOP,0,2,260,46 END ///////////////////////////////////////////////////////////////////////////// // // DESIGNINFO // #ifdef APSTUDIO_INVOKED GUIDELINES DESIGNINFO BEGIN IDD_PROCGENERAL, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 254 END IDD_PROCMODULES, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 258 TOPMARGIN, 2 BOTTOMMARGIN, 258 END IDD_PROCTHREADS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 253 END IDD_PROCHANDLES, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 258 TOPMARGIN, 2 BOTTOMMARGIN, 258 END IDD_PROCENVIRONMENT, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 258 TOPMARGIN, 2 BOTTOMMARGIN, 258 END IDD_THRDSTACK, DIALOG BEGIN BOTTOMMARGIN, 226 END IDD_USRLIST, DIALOG BEGIN BOTTOMMARGIN, 226 END IDD_ABOUT, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 263 TOPMARGIN, 7 BOTTOMMARGIN, 188 END IDD_SRVLIST, DIALOG BEGIN END IDD_SRVGENERAL, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 275 TOPMARGIN, 7 BOTTOMMARGIN, 176 END IDD_HNDLGENERAL, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 174 END IDD_INFORMATION, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 310 TOPMARGIN, 7 BOTTOMMARGIN, 177 END IDD_FINDOBJECTS, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 355 TOPMARGIN, 4 BOTTOMMARGIN, 231 END IDD_THRDSTACKS, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 441 TOPMARGIN, 4 BOTTOMMARGIN, 252 END IDD_USRLIST, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 441 TOPMARGIN, 4 BOTTOMMARGIN, 252 END IDD_OBJTOKEN, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 253 END IDD_ZOMBIEPROCESSES, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 330 TOPMARGIN, 7 BOTTOMMARGIN, 214 END IDD_RUNAS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 286 TOPMARGIN, 7 BOTTOMMARGIN, 120 END IDD_PROGRESS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 209 TOPMARGIN, 7 BOTTOMMARGIN, 55 END IDD_PAGEFILES, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 320 TOPMARGIN, 2 BOTTOMMARGIN, 160 END IDD_TOKGENERAL, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 263 TOPMARGIN, 7 BOTTOMMARGIN, 221 END IDD_TOKADVANCED, DIALOG BEGIN END IDD_OBJJOB, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 253 END IDD_OBJEVENT, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 179 TOPMARGIN, 7 BOTTOMMARGIN, 69 END IDD_OBJMUTANT, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 179 TOPMARGIN, 7 BOTTOMMARGIN, 69 END IDD_OBJSEMAPHORE, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 179 TOPMARGIN, 7 BOTTOMMARGIN, 69 END IDD_OBJTIMER, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 179 TOPMARGIN, 7 BOTTOMMARGIN, 69 END IDD_JOBSTATISTICS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 252 TOPMARGIN, 7 BOTTOMMARGIN, 179 END IDD_OBJEVENTPAIR, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 179 TOPMARGIN, 7 BOTTOMMARGIN, 69 END IDD_AFFINITY, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 272 TOPMARGIN, 7 BOTTOMMARGIN, 220 END IDD_SYSINFO, DIALOG BEGIN END IDD_EDITMESSAGE, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 275 TOPMARGIN, 7 BOTTOMMARGIN, 156 END IDD_SESSION, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 315 VERTGUIDE, 164 TOPMARGIN, 2 BOTTOMMARGIN, 265 END IDD_PROCMEMORY, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 258 TOPMARGIN, 2 BOTTOMMARGIN, 258 END IDD_CHOOSE, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 192 TOPMARGIN, 7 BOTTOMMARGIN, 66 END IDD_OPTGENERAL, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 308 TOPMARGIN, 7 BOTTOMMARGIN, 213 END IDD_OPTHIGHLIGHTING, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 243 TOPMARGIN, 7 BOTTOMMARGIN, 167 END IDD_CHOOSECOLUMNS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 376 TOPMARGIN, 7 BOTTOMMARGIN, 220 END IDD_NETSTACK, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 254 TOPMARGIN, 7 BOTTOMMARGIN, 221 END IDD_CREATESERVICE, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 280 TOPMARGIN, 7 BOTTOMMARGIN, 126 END IDD_PROCPERFORMANCE, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 253 END IDD_PROCSTATISTICS, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 257 TOPMARGIN, 3 BOTTOMMARGIN, 258 END IDD_OPTADVANCED, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 310 TOPMARGIN, 7 BOTTOMMARGIN, 218 END IDD_GDIHANDLES, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 344 TOPMARGIN, 7 BOTTOMMARGIN, 300 END IDD_LOG, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 306 TOPMARGIN, 7 BOTTOMMARGIN, 296 END IDD_MEMEDIT, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 434 TOPMARGIN, 7 BOTTOMMARGIN, 262 END IDD_MEMPROTECT, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 263 TOPMARGIN, 7 BOTTOMMARGIN, 164 END IDD_MEMSTRINGS, DIALOG BEGIN LEFTMARGIN, 3 RIGHTMARGIN, 298 TOPMARGIN, 3 END IDD_MEMSTRINGSMINLEN, DIALOG BEGIN LEFTMARGIN, 3 TOPMARGIN, 3 END IDD_OPTGRAPHS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 243 TOPMARGIN, 7 BOTTOMMARGIN, 149 END IDD_PLUGINMANAGER, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 499 TOPMARGIN, 2 BOTTOMMARGIN, 270 END IDD_HANDLESTATS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 212 TOPMARGIN, 7 BOTTOMMARGIN, 168 END IDD_PROCRECORD, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 195 END IDD_CHOOSEPROCESS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 310 TOPMARGIN, 7 BOTTOMMARGIN, 232 END IDD_PROCSERVICES, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 254 END IDD_SHADOWSESSION, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 221 TOPMARGIN, 7 BOTTOMMARGIN, 77 END IDD_TOKCAPABILITIES, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 263 TOPMARGIN, 7 BOTTOMMARGIN, 221 END IDD_TOKATTRIBUTES, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 263 TOPMARGIN, 7 BOTTOMMARGIN, 221 END IDD_SYSINFO_CPU, DIALOG BEGIN BOTTOMMARGIN, 193 END IDD_SYSINFO_CPUPANEL, DIALOG BEGIN BOTTOMMARGIN, 85 END IDD_SYSINFO_MEMPANEL, DIALOG BEGIN END IDD_SYSINFO_MEM, DIALOG BEGIN BOTTOMMARGIN, 247 END IDD_SYSINFO_IO, DIALOG BEGIN END IDD_SYSINFO_IOPANEL, DIALOG BEGIN BOTTOMMARGIN, 74 END IDD_MEMLISTS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 221 TOPMARGIN, 7 BOTTOMMARGIN, 188 END IDD_CONTAINER, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 309 TOPMARGIN, 7 BOTTOMMARGIN, 175 END IDD_MINIINFO, DIALOG BEGIN LEFTMARGIN, 4 RIGHTMARGIN, 214 TOPMARGIN, 3 BOTTOMMARGIN, 147 END IDD_MINIINFO_LIST, DIALOG BEGIN END IDD_MITIGATION, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 270 TOPMARGIN, 7 BOTTOMMARGIN, 210 END IDD_EDITENV, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 304 TOPMARGIN, 7 BOTTOMMARGIN, 170 END IDD_OPTIONS, DIALOG BEGIN LEFTMARGIN, 2 BOTTOMMARGIN, 245 END IDD_PLUGINPROPERTIES, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 284 TOPMARGIN, 7 BOTTOMMARGIN, 145 END IDD_PLUGINSDISABLED, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 307 TOPMARGIN, 2 BOTTOMMARGIN, 174 END IDD_PROCWMIPROVIDERS, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 258 TOPMARGIN, 2 BOTTOMMARGIN, 258 END IDD_COLUMNSETS, DIALOG BEGIN LEFTMARGIN, 4 RIGHTMARGIN, 227 TOPMARGIN, 4 BOTTOMMARGIN, 184 END IDD_RUNFILEDLG, DIALOG BEGIN END IDD_PROCDUMP, DIALOG BEGIN BOTTOMMARGIN, 289 END IDD_LIVEDUMP, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 184 TOPMARGIN, 7 BOTTOMMARGIN, 90 END IDD_HEAPS, DIALOG BEGIN END IDD_PROCVDMHOST, DIALOG BEGIN LEFTMARGIN, 2 RIGHTMARGIN, 258 TOPMARGIN, 2 BOTTOMMARGIN, 258 END IDD_RUNPACKAGE, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 310 TOPMARGIN, 7 BOTTOMMARGIN, 232 END IDD_OBJMAPPINGS, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 BOTTOMMARGIN, 253 END IDD_MODIFIEDPAGES, DIALOG BEGIN END IDD_CHOOSENEW, DIALOG BEGIN LEFTMARGIN, 7 TOPMARGIN, 7 END IDD_OBJAFDSOCKET, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 253 TOPMARGIN, 7 END IDD_HNDLSECURITY, DIALOG BEGIN END IDD_HNDLSECAUDIT, DIALOG BEGIN END END #endif // APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // Accelerator // IDR_MAINWND_ACCEL ACCELERATORS BEGIN VK_ESCAPE, ID_ESC_EXIT, VIRTKEY, NOINVERT "F", ID_HACKER_FINDHANDLESORDLLS, VIRTKEY, CONTROL, NOINVERT "R", ID_HACKER_RUN, VIRTKEY, CONTROL, NOINVERT "R", ID_HACKER_RUNAS, VIRTKEY, SHIFT, CONTROL, NOINVERT "S", ID_HACKER_SAVE, VIRTKEY, CONTROL, NOINVERT "L", ID_HELP_LOG, VIRTKEY, CONTROL, NOINVERT "M", ID_PROCESS_SEARCHONLINE, VIRTKEY, CONTROL, NOINVERT VK_TAB, ID_TAB_NEXT, VIRTKEY, CONTROL, NOINVERT VK_TAB, ID_TAB_PREV, VIRTKEY, SHIFT, CONTROL, NOINVERT VK_F5, ID_VIEW_REFRESH, VIRTKEY, NOINVERT "I", ID_VIEW_SYSTEMINFORMATION, VIRTKEY, CONTROL, NOINVERT VK_PAUSE, ID_VIEW_UPDATEAUTOMATICALLY, VIRTKEY, NOINVERT VK_F6, ID_VIEW_UPDATEAUTOMATICALLY, VIRTKEY, NOINVERT END IDR_SYSINFO_ACCEL ACCELERATORS BEGIN "1", ID_DIGIT1, VIRTKEY, NOINVERT "2", ID_DIGIT2, VIRTKEY, NOINVERT "3", ID_DIGIT3, VIRTKEY, NOINVERT "4", ID_DIGIT4, VIRTKEY, NOINVERT "5", ID_DIGIT5, VIRTKEY, NOINVERT "6", ID_DIGIT6, VIRTKEY, NOINVERT "7", ID_DIGIT7, VIRTKEY, NOINVERT "8", ID_DIGIT8, VIRTKEY, NOINVERT "9", ID_DIGIT9, VIRTKEY, NOINVERT "B", IDC_BACK, VIRTKEY, ALT, NOINVERT VK_BACK, IDC_BACK, VIRTKEY, NOINVERT VK_F6, IDC_PAUSE, VIRTKEY, NOINVERT VK_PAUSE, IDC_PAUSE, VIRTKEY, NOINVERT VK_F5, IDC_REFRESH, VIRTKEY, NOINVERT VK_F11, IDC_MAXSCREEN, VIRTKEY, NOINVERT END ///////////////////////////////////////////////////////////////////////////// // // Bitmap // IDB_SEARCH_ACTIVE_BMP BITMAP "resources\\active_search.bmp" IDB_SEARCH_INACTIVE_BMP BITMAP "resources\\inactive_search.bmp" #endif // English (United States) resources ///////////////////////////////////////////////////////////////////////////// ================================================ FILE: SystemInformer/SystemInformer.vcxproj ================================================ Debug Win32 Debug x64 Debug ARM64 Release Win32 Release x64 Release ARM64 17.0 {0271DD27-6707-4290-8DFE-285702B7115D} Win32Proj SystemInformer SystemInformer $(LatestTargetPlatformVersion) Application WindowsLocalDebugger Application WindowsLocalDebugger Application WindowsLocalDebugger Application WindowsLocalDebugger Application WindowsLocalDebugger Application WindowsLocalDebugger $(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;include;%(AdditionalIncludeDirectories) _PHLIB_;_PHAPP_;_WINDOWS;WIN32;_DEBUG;DEBUG;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) setupapi.lib;cfgmgr32.lib;aclui.lib;comctl32.lib;dnsapi.lib;gdiplus.lib;ntdll.lib;phlib.lib;userenv.lib;wbemuuid.lib;windowscodecs.lib;winhttp.lib;winsta.lib;kphlib_um.lib;%(AdditionalDependencies) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);$(SolutionDir)phlib\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) SystemInformer.def setupapi.dll;cfgmgr32.dll;aclui.dll;comdlg32.dll;gdiplus.dll;oleaut32.dll;winhttp.dll;winsta.dll;%(DelayLoadDLLs) $(SolutionDir)kphlib\include;$(SolutionDir)phnt\include;$(SolutionDir)phlib\include;include;%(AdditionalIncludeDirectories) "$(SolutionDir)build\build_zdriver_sdk.cmd" "$(OutDir)$(TargetName)$(TargetExt)" "-$(Configuration)" "-$(PlatformName)" systeminformer.manifest $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;include;%(AdditionalIncludeDirectories) _PHLIB_;_PHAPP_;_WINDOWS;WIN64;_DEBUG;DEBUG;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) setupapi.lib;cfgmgr32.lib;aclui.lib;comctl32.lib;dnsapi.lib;gdiplus.lib;ntdll.lib;phlib.lib;userenv.lib;wbemuuid.lib;windowscodecs.lib;winhttp.lib;winsta.lib;kphlib_um.lib;%(AdditionalDependencies) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);$(SolutionDir)phlib\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) SystemInformer.def setupapi.dll;cfgmgr32.dll;aclui.dll;comdlg32.dll;gdiplus.dll;oleaut32.dll;winhttp.dll;winsta.dll;%(DelayLoadDLLs) $(SolutionDir)kphlib\include;$(SolutionDir)phnt\include;$(SolutionDir)phlib\include;include;%(AdditionalIncludeDirectories) "$(SolutionDir)build\build_zdriver_sdk.cmd" "$(OutDir)$(TargetName)$(TargetExt)" "-$(Configuration)" "-$(PlatformName)" systeminformer.manifest $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;include;%(AdditionalIncludeDirectories) _PHLIB_;_PHAPP_;_WINDOWS;WIN64;_DEBUG;DEBUG;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) setupapi.lib;cfgmgr32.lib;aclui.lib;comctl32.lib;dnsapi.lib;gdiplus.lib;ntdll.lib;phlib.lib;userenv.lib;wbemuuid.lib;windowscodecs.lib;winhttp.lib;winsta.lib;kphlib_um.lib;%(AdditionalDependencies) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);$(SolutionDir)phlib\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) SystemInformer.def setupapi.dll;cfgmgr32.dll;aclui.dll;comdlg32.dll;gdiplus.dll;oleaut32.dll;winhttp.dll;winsta.dll;%(DelayLoadDLLs) $(SolutionDir)kphlib\include;$(SolutionDir)phnt\include;$(SolutionDir)phlib\include;include;%(AdditionalIncludeDirectories) "$(SolutionDir)build\build_zdriver_sdk.cmd" "$(OutDir)$(TargetName)$(TargetExt)" "-$(Configuration)" "-$(PlatformName)" systeminformer.manifest $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;include;%(AdditionalIncludeDirectories) _PHLIB_;_PHAPP_;_WINDOWS;WIN32;NDEBUG;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) setupapi.lib;cfgmgr32.lib;aclui.lib;comctl32.lib;dnsapi.lib;gdiplus.lib;ntdll.lib;phlib.lib;userenv.lib;wbemuuid.lib;windowscodecs.lib;winhttp.lib;winsta.lib;kphlib_um.lib;%(AdditionalDependencies) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);$(SolutionDir)phlib\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) SystemInformer.def setupapi.dll;cfgmgr32.dll;aclui.dll;comdlg32.dll;gdiplus.dll;oleaut32.dll;winhttp.dll;winsta.dll;%(DelayLoadDLLs) $(SolutionDir)kphlib\include;$(SolutionDir)phnt\include;$(SolutionDir)phlib\include;include;%(AdditionalIncludeDirectories) "$(SolutionDir)build\build_zdriver_sdk.cmd" "$(OutDir)$(TargetName)$(TargetExt)" "-$(Configuration)" "-$(PlatformName)" systeminformer.manifest $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;include;%(AdditionalIncludeDirectories) _PHLIB_;_PHAPP_;_WINDOWS;WIN64;NDEBUG;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) setupapi.lib;cfgmgr32.lib;aclui.lib;comctl32.lib;dnsapi.lib;gdiplus.lib;ntdll.lib;phlib.lib;userenv.lib;wbemuuid.lib;windowscodecs.lib;winhttp.lib;winsta.lib;kphlib_um.lib;%(AdditionalDependencies) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);$(SolutionDir)phlib\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) SystemInformer.def setupapi.dll;cfgmgr32.dll;aclui.dll;comdlg32.dll;gdiplus.dll;oleaut32.dll;winhttp.dll;winsta.dll;%(DelayLoadDLLs) $(SolutionDir)kphlib\include;$(SolutionDir)phnt\include;$(SolutionDir)phlib\include;include;%(AdditionalIncludeDirectories) "$(SolutionDir)build\build_zdriver_sdk.cmd" "$(OutDir)$(TargetName)$(TargetExt)" "-$(Configuration)" "-$(PlatformName)" systeminformer.manifest $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;include;%(AdditionalIncludeDirectories) _PHLIB_;_PHAPP_;_WINDOWS;WIN64;NDEBUG;%(PreprocessorDefinitions);$(ExternalPreprocessorOptions) setupapi.lib;cfgmgr32.lib;aclui.lib;comctl32.lib;dnsapi.lib;gdiplus.lib;ntdll.lib;phlib.lib;userenv.lib;wbemuuid.lib;windowscodecs.lib;winhttp.lib;winsta.lib;kphlib_um.lib;%(AdditionalDependencies) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);$(SolutionDir)phlib\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) SystemInformer.def setupapi.dll;cfgmgr32.dll;aclui.dll;comdlg32.dll;gdiplus.dll;oleaut32.dll;winhttp.dll;winsta.dll;%(DelayLoadDLLs) $(SolutionDir)kphlib\include;$(SolutionDir)phnt\include;$(SolutionDir)phlib\include;include;%(AdditionalIncludeDirectories) "$(SolutionDir)build\build_zdriver_sdk.cmd" "$(OutDir)$(TargetName)$(TargetExt)" "-$(Configuration)" "-$(PlatformName)" systeminformer.manifest ================================================ FILE: SystemInformer/SystemInformer.vcxproj.filters ================================================  {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {84a3be0b-42cf-42ae-bcd3-16f165caa0db} {67c40321-0b28-4c16-8c48-dc0b64c148d7} System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer phsvc phsvc phsvc phsvc phsvc System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer System Informer Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Headers Resources Resources Resources Resources Module Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources ================================================ FILE: SystemInformer/about.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include static HWND PhAboutWindowHandle = NULL; static INT_PTR CALLBACK PhpAboutDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PPH_STRING versionString; PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, PhMainWndHandle); versionString = PhGetApplicationVersionString(TRUE); PhMoveReference(&versionString, PhConcatStringRefZ(&versionString->sr, L"\r\n")); PhSetDialogItemText(hwndDlg, IDC_ABOUT_NAME, versionString->Buffer); PhDereferenceObject(versionString); PhSetDialogItemText(hwndDlg, IDC_CREDITS, L"Thanks to:\n" L" wj32 - Wen Jia Liu\n" L" dmex - Steven G\n" L" jxy-s - Johnny Shaw\n" L" ionescu007 - Alex Ionescu\n" L" yardenshafir - Yarden Shafir\n" L" Contributors - thank you for your additions!\n" L" Donors - thank you for your support!\n\n" L"System Informer uses the following components:\n" L" PresentMon by Intel Corporation\n" L" Mini-XML by Michael Sweet\n" L" PCRE2 by Philip Hazel\n" L" json-c by Michael Clark\n" L" MD5 code by Jouni Malinen\n" L" SHA1 code by Filip Navara, based on code by Steve Reid\n" ); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhRegisterWindowCallback(hwndDlg, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhUnregisterWindowCallback(hwndDlg); PhUnregisterDialog(PhAboutWindowHandle); PhAboutWindowHandle = NULL; } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_DIAGNOSTICS: { PhShowInformationDialog(hwndDlg, PH_AUTO_T(PH_STRING, PhGetDiagnosticsString())->Buffer, 0); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case NM_CLICK: { switch (header->idFrom) { case IDC_ABOUT_NAME: case IDC_CREDITS: case IDC_LINK_SF: PhShellExecute(hwndDlg, ((PNMLINK)header)->item.szUrl, NULL); break; } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhShowAboutDialog( _In_ HWND ParentWindowHandle ) { if (!PhAboutWindowHandle) { PhAboutWindowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_ABOUT), PhCsForceNoParent ? NULL : ParentWindowHandle, PhpAboutDlgProc, NULL ); PhRegisterDialog(PhAboutWindowHandle); ShowWindow(PhAboutWindowHandle, SW_SHOW); } if (IsMinimized(PhAboutWindowHandle)) ShowWindow(PhAboutWindowHandle, SW_RESTORE); else SetForegroundWindow(PhAboutWindowHandle); } FORCEINLINE ULONG PhpGetObjectTypeObjectCount( _In_ PPH_OBJECT_TYPE ObjectType ) { PH_OBJECT_TYPE_INFORMATION info; memset(&info, 0, sizeof(PH_OBJECT_TYPE_INFORMATION)); if (ObjectType) PhGetObjectTypeInformation(ObjectType, &info); return info.NumberOfObjects; } PPH_STRING PhGetDiagnosticsString( VOID ) { PPH_STRING versionString; PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 50); versionString = PhGetApplicationVersionString(FALSE); PhAppendStringBuilder(&stringBuilder, &versionString->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(versionString); PhAppendStringBuilder2(&stringBuilder, L"OBJECT INFORMATION\r\n"); #define OBJECT_TYPE_COUNT(Type) PhAppendFormatStringBuilder(&stringBuilder, \ TEXT(#Type) L": %lu objects\r\n", PhpGetObjectTypeObjectCount(Type)) // ref OBJECT_TYPE_COUNT(PhObjectTypeObject); // basesup OBJECT_TYPE_COUNT(PhStringType); OBJECT_TYPE_COUNT(PhBytesType); OBJECT_TYPE_COUNT(PhListType); OBJECT_TYPE_COUNT(PhPointerListType); OBJECT_TYPE_COUNT(PhHashtableType); OBJECT_TYPE_COUNT(PhFileStreamType); // ph OBJECT_TYPE_COUNT(PhSymbolProviderType); OBJECT_TYPE_COUNT(PhProcessItemType); OBJECT_TYPE_COUNT(PhServiceItemType); OBJECT_TYPE_COUNT(PhNetworkItemType); OBJECT_TYPE_COUNT(PhModuleProviderType); OBJECT_TYPE_COUNT(PhModuleItemType); OBJECT_TYPE_COUNT(PhThreadProviderType); OBJECT_TYPE_COUNT(PhThreadItemType); OBJECT_TYPE_COUNT(PhHandleProviderType); OBJECT_TYPE_COUNT(PhHandleItemType); OBJECT_TYPE_COUNT(PhMemoryItemType); OBJECT_TYPE_COUNT(PhImageListItemType); #ifdef DEBUG PhAppendStringBuilder2(&stringBuilder, L"STATISTIC INFORMATION\r\n"); #define PRINT_STATISTIC(Name) PhAppendFormatStringBuilder(&stringBuilder, \ TEXT(#Name) L": %u\r\n", PhLibStatisticsBlock.Name) PRINT_STATISTIC(BaseThreadsCreated); PRINT_STATISTIC(BaseThreadsCreateFailed); PRINT_STATISTIC(BaseStringBuildersCreated); PRINT_STATISTIC(BaseStringBuildersResized); PRINT_STATISTIC(RefObjectsCreated); PRINT_STATISTIC(RefObjectsDestroyed); PRINT_STATISTIC(RefObjectsAllocated); PRINT_STATISTIC(RefObjectsFreed); PRINT_STATISTIC(RefObjectsAllocatedFromSmallFreeList); PRINT_STATISTIC(RefObjectsFreedToSmallFreeList); PRINT_STATISTIC(RefObjectsAllocatedFromTypeFreeList); PRINT_STATISTIC(RefObjectsFreedToTypeFreeList); PRINT_STATISTIC(RefObjectsDeleteDeferred); PRINT_STATISTIC(RefAutoPoolsCreated); PRINT_STATISTIC(RefAutoPoolsDestroyed); PRINT_STATISTIC(RefAutoPoolsDynamicAllocated); PRINT_STATISTIC(RefAutoPoolsDynamicResized); PRINT_STATISTIC(QlBlockSpins); PRINT_STATISTIC(QlBlockWaits); PRINT_STATISTIC(QlAcquireExclusiveBlocks); PRINT_STATISTIC(QlAcquireSharedBlocks); PRINT_STATISTIC(WqWorkQueueThreadsCreated); PRINT_STATISTIC(WqWorkQueueThreadsCreateFailed); PRINT_STATISTIC(WqWorkItemsQueued); #endif return PhFinalStringBuilderString(&stringBuilder); } PPH_STRING PhGetApplicationVersionString( _In_ BOOLEAN LinkToCommit ) { PPH_STRING versionString; PCWSTR channelName = PhGetPhReleaseChannelString(); PPH_STRING commitversionString = PhGetPhVersion(); PPH_STRING commitHashString = PhGetPhVersionHash(); #if (PHAPP_VERSION_REVISION != 0) if (LinkToCommit) { PH_FORMAT format[8]; // "System Informer %lu.%lu.%lu (%hs) %ls" PhInitFormatS(&format[0], L"System Informer "); PhInitFormatSR(&format[1], commitversionString->sr); PhInitFormatS(&format[2], L" (sr); PhInitFormatS(&format[4], L"\">"); PhInitFormatSR(&format[5], commitHashString->sr); PhInitFormatS(&format[6], L") "); PhInitFormatS(&format[7], channelName); versionString = PhFormat(format, RTL_NUMBER_OF(format), 0); } else { PH_FORMAT format[6]; // "System Informer %lu.%lu.%lu (%hs) %ls" PhInitFormatS(&format[0], L"System Informer "); PhInitFormatSR(&format[1], commitversionString->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], commitHashString->sr); PhInitFormatS(&format[4], L") "); PhInitFormatS(&format[5], channelName); versionString = PhFormat(format, RTL_NUMBER_OF(format), 0); } #else PH_FORMAT format[4]; // "System Informer %lu.%lu %ls" PhInitFormatS(&format[0], L"System Informer "); PhInitFormatSR(&format[1], commitversionString->sr); PhInitFormatC(&format[2], L' '); PhInitFormatS(&format[3], channelName); versionString = PhFormat(format, RTL_NUMBER_OF(format), 0); #endif PhClearReference(&commitHashString); PhClearReference(&commitversionString); return versionString; } ================================================ FILE: SystemInformer/actions.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2024 * */ /* * These are a set of consistent functions which will perform actions on objects such as processes, * threads and services, while displaying any necessary prompts and error messages. Automatic * elevation can also easily be added if necessary. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static volatile LONG PhSvcReferenceCount = 0; static PH_PHSVC_MODE PhSvcCurrentMode; static PH_QUEUED_LOCK PhSvcStartLock = PH_QUEUED_LOCK_INIT; /** * Callback used by elevation Task Dialogs to mark the primary action button * as requiring elevation when the dialog is constructed. * * \param WindowHandle The handle to the task dialog window. * \param Notification The Task Dialog notification code (e.g. TDN_DIALOG_CONSTRUCTED). * \param wParam Notification-specific word parameter. * \param lParam Notification-specific long parameter. * \param Context Callback context (passed through lpCallbackData). * \return HRESULT S_OK. */ HRESULT CALLBACK PhpElevateActionCallbackProc( _In_ HWND WindowHandle, _In_ UINT Notification, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR Context ) { switch (Notification) { case TDN_DIALOG_CONSTRUCTED: SendMessage(WindowHandle, TDM_SET_BUTTON_ELEVATION_REQUIRED_STATE, IDYES, TRUE); break; } return S_OK; } /** * Display a Task Dialog asking the user to continue with an elevated action. * * \param WindowHandle Parent window for the dialog. * \param Message Main instruction text describing the operation requiring elevation. * \param Context Optional callback context passed to the dialog callback. * \param Button Receives the ID of the button pressed by the user when the dialog returns. * \return BOOLEAN TRUE if the dialog was shown and a button value was returned, FALSE otherwise. */ _Success_(return) BOOLEAN PhpShowElevatePrompt( _In_ HWND WindowHandle, _In_ PCWSTR Message, _In_opt_ PVOID Context, _Out_ PLONG Button ) { TASKDIALOGCONFIG config; CONST TASKDIALOG_BUTTON buttons[1] = { { IDYES, L"Continue"} }; LONG button; // Currently the error dialog box is similar to the one displayed // when you try to label a drive in Windows Explorer. It's much better // than the clunky dialog in PH 1.x. memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.hwndParent = WindowHandle; config.hInstance = NtCurrentImageBase(); config.dwFlags = IsWindowVisible(WindowHandle) ? TDF_POSITION_RELATIVE_TO_WINDOW : 0; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = TD_ERROR_ICON; config.pszMainInstruction = PhaConcatStrings2(Message, L".")->Buffer; config.pszContent = L"You will need to provide administrator permission. " L"Click Continue to complete this operation."; config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.cButtons = 1; config.pButtons = buttons; config.nDefaultButton = IDYES; config.pfCallback = PhpElevateActionCallbackProc; config.lpCallbackData = (LONG_PTR)Context; if (PhShowTaskDialog( &config, &button, NULL, NULL )) { *Button = button; return TRUE; } else { return FALSE; } } /** * Shows an error, prompts for elevation, and executes a command. * * \param WindowHandle The window to display user interface components on. * \param Connected A variable which receives TRUE if the elevated * action succeeded or FALSE if the action failed. * \return TRUE if the user was prompted for elevation, otherwise * FALSE, in which case you need to show your own error message. */ _Success_(return) BOOLEAN PhpElevationLevelAndConnectToPhSvc( _In_ HWND WindowHandle, _Out_ PBOOLEAN Connected ) { PH_ACTION_ELEVATION_LEVEL elevationLevel; *Connected = FALSE; if (PhGetOwnTokenAttributes().Elevated) return FALSE; elevationLevel = PhGetIntegerSetting(SETTING_ELEVATION_LEVEL); if (elevationLevel == NeverElevateAction) return FALSE; // Try to connect now so we can avoid prompting the user. if (PhUiConnectToPhSvc(WindowHandle, TRUE)) { *Connected = TRUE; return TRUE; } if ( elevationLevel == PromptElevateAction || elevationLevel == AlwaysElevateAction ) { *Connected = PhUiConnectToPhSvc(WindowHandle, FALSE); return TRUE; } return FALSE; } /** * Shows an error, prompts for elevation, and connects to phsvc. * * \param WindowHandle The window to display user interface components on. * \param Message A message describing the operation that failed. * \param Status A NTSTATUS value. * \param Connected A variable which receives TRUE if the user * elevated the action and phsvc was started, or FALSE if the user * cancelled elevation. If the value is TRUE, you need to * perform any necessary phsvc calls and use PhUiDisconnectFromPhSvc() * to disconnect from phsvc. * \param Cancelled A variable which receives TRUE if the user cancelled * the action and phsvc was started. * * \return TRUE if the user was prompted for elevation, otherwise * FALSE, in which case you need to show your own error message. */ BOOLEAN PhpShowErrorAndConnectToPhSvc( _In_ HWND WindowHandle, _In_ PCWSTR Message, _In_ NTSTATUS Status, _Out_ PBOOLEAN Connected, _Out_ PBOOLEAN Cancelled ) { PH_ACTION_ELEVATION_LEVEL elevationLevel; LONG button = IDNO; *Connected = FALSE; *Cancelled = FALSE; if (!(Status == STATUS_ACCESS_DENIED || Status == STATUS_PRIVILEGE_NOT_HELD)) return FALSE; if (PhGetOwnTokenAttributes().Elevated) return FALSE; elevationLevel = PhGetIntegerSetting(SETTING_ELEVATION_LEVEL); if (elevationLevel == NeverElevateAction) return FALSE; // Try to connect now so we can avoid prompting the user. if (PhUiConnectToPhSvc(WindowHandle, TRUE)) { *Connected = TRUE; return TRUE; } if (elevationLevel == PromptElevateAction) { if (!PhpShowElevatePrompt(WindowHandle, Message, NULL, &button)) return FALSE; } if (elevationLevel == AlwaysElevateAction || button == IDYES) { *Connected = PhUiConnectToPhSvc(WindowHandle, FALSE); return TRUE; } if (button == IDCANCEL) { *Cancelled = TRUE; } return FALSE; } /** * Connects to phsvc. * * \param WindowHandle The window to display user interface components on. * \param ConnectOnly TRUE to only try to connect to phsvc, otherwise * FALSE to try to elevate and start phsvc if the initial connection * attempt failed. */ BOOLEAN PhUiConnectToPhSvc( _In_opt_ HWND WindowHandle, _In_ BOOLEAN ConnectOnly ) { return PhUiConnectToPhSvcEx(WindowHandle, ElevatedPhSvcMode, ConnectOnly); } /** * Get the LPC/ALPC port name for the phsvc instance corresponding to the requested mode. * * \param Mode The phsvc mode for which the port name is required. * \param PortName Receives the UNICODE_STRING for the port name. * \note Raises STATUS_INVALID_PARAMETER for unknown modes. */ VOID PhpGetPhSvcPortName( _In_ PH_PHSVC_MODE Mode, _Out_ PUNICODE_STRING PortName ) { switch (Mode) { case ElevatedPhSvcMode: if (!PhIsExecutingInWow64()) RtlInitUnicodeString(PortName, PHSVC_PORT_NAME); else RtlInitUnicodeString(PortName, PHSVC_WOW64_PORT_NAME); break; case Wow64PhSvcMode: RtlInitUnicodeString(PortName, PHSVC_WOW64_PORT_NAME); break; default: PhRaiseStatus(STATUS_INVALID_PARAMETER); break; } } /** * Attempt to start the phsvc helper process for the specified mode. * * \param WindowHandle Optional parent window for elevation UI created by ShellExecute. * \param Mode The phsvc mode to start (ElevatedPhSvcMode or Wow64PhSvcMode). * \return BOOLEAN TRUE on success (an attempt to start phsvc was made and succeeded), FALSE otherwise. */ BOOLEAN PhpStartPhSvcProcess( _In_opt_ HWND WindowHandle, _In_ PH_PHSVC_MODE Mode ) { switch (Mode) { case ElevatedPhSvcMode: if (NT_SUCCESS(PhShellProcessHacker( WindowHandle, L"-phsvc", SW_HIDE, PH_SHELL_EXECUTE_ADMIN, 0, 0, NULL ))) { return TRUE; } break; case Wow64PhSvcMode: { static CONST PH_STRINGREF relativeFileNames[] = { PH_STRINGREF_INIT(L"\\x86\\"), #ifdef DEBUG PH_STRINGREF_INIT(L"\\..\\Debug32\\"), PH_STRINGREF_INIT(L"\\..\\Release32\\") #endif }; ULONG i; PPH_STRING applicationDirectory; PPH_STRING applicationFileName; if (!(applicationDirectory = PhGetApplicationDirectoryWin32())) return FALSE; if (!(applicationFileName = PhGetApplicationFileNameWin32())) return FALSE; PhMoveReference(&applicationFileName, PhGetBaseName(applicationFileName)); for (i = 0; i < RTL_NUMBER_OF(relativeFileNames); i++) { PPH_STRING fileName; PPH_STRING fileFullPath; fileName = PhConcatStringRef3( &applicationDirectory->sr, &relativeFileNames[i], &applicationFileName->sr ); if (NT_SUCCESS(PhGetFullPath(PhGetString(fileName), &fileFullPath, NULL))) { PhMoveReference(&fileName, fileFullPath); } if (PhDoesFileExistWin32(PhGetString(fileName))) { if (NT_SUCCESS(PhShellProcessHackerEx( WindowHandle, PhGetString(fileName), L"-phsvc", SW_HIDE, PH_SHELL_EXECUTE_DEFAULT, 0, 0, NULL ))) { PhDereferenceObject(fileName); PhDereferenceObject(applicationFileName); PhDereferenceObject(applicationDirectory); return TRUE; } } PhDereferenceObject(fileName); } PhDereferenceObject(applicationFileName); PhDereferenceObject(applicationDirectory); } break; } return FALSE; } /** * Connects to phsvc. * * \param WindowHandle The window to display user interface components on. * \param Mode The type of phsvc instance to connect to. * \param ConnectOnly TRUE to only try to connect to phsvc, otherwise * FALSE to try to elevate and start phsvc if the initial connection * attempt failed. */ BOOLEAN PhUiConnectToPhSvcEx( _In_opt_ HWND WindowHandle, _In_ PH_PHSVC_MODE Mode, _In_ BOOLEAN ConnectOnly ) { NTSTATUS status; BOOLEAN started; UNICODE_STRING portName; if (_InterlockedIncrementNoZero(&PhSvcReferenceCount)) { if (PhSvcCurrentMode == Mode) { started = TRUE; } else { _InterlockedDecrement(&PhSvcReferenceCount); started = FALSE; } } else { PhAcquireQueuedLockExclusive(&PhSvcStartLock); if (_InterlockedExchange(&PhSvcReferenceCount, 0) == 0) { started = FALSE; PhpGetPhSvcPortName(Mode, &portName); // Try to connect first, then start the server if we failed. status = PhSvcConnectToServer(&portName, 0); if (NT_SUCCESS(status)) { started = TRUE; PhSvcCurrentMode = Mode; _InterlockedIncrement(&PhSvcReferenceCount); } else if (!ConnectOnly) { // Prompt for elevation, and then try to connect to the server. if (PhpStartPhSvcProcess(WindowHandle, Mode)) started = TRUE; if (started) { ULONG attempts = 10; // Try to connect several times because the server may take // a while to initialize. do { status = PhSvcConnectToServer(&portName, 0); if (NT_SUCCESS(status)) break; PhDelayExecution(1000); } while (--attempts != 0); // Increment the reference count even if we failed. // We don't want to prompt the user again. PhSvcCurrentMode = Mode; _InterlockedIncrement(&PhSvcReferenceCount); } } } else { if (PhSvcCurrentMode == Mode) { started = TRUE; _InterlockedIncrement(&PhSvcReferenceCount); } else { started = FALSE; } } PhReleaseQueuedLockExclusive(&PhSvcStartLock); } return started; } /** * Disconnects from phsvc. */ VOID PhUiDisconnectFromPhSvc( VOID ) { PhAcquireQueuedLockExclusive(&PhSvcStartLock); if (_InterlockedDecrement(&PhSvcReferenceCount) == 0) { PhSvcDisconnectFromServer(); } PhReleaseQueuedLockExclusive(&PhSvcStartLock); } /** * Locks the current workstation. * * \param WindowHandle Parent window used for error reporting. * \return BOOLEAN TRUE on success, FALSE on failure (and an error UI is shown). */ BOOLEAN PhUiLockComputer( _In_ HWND WindowHandle ) { if (LockWorkStation()) return TRUE; else PhShowStatus(WindowHandle, L"Unable to lock the computer.", 0, PhGetLastError()); return FALSE; } /** * Log the current user off. * * \param WindowHandle Parent window used for error reporting. * \return BOOLEAN TRUE on success, FALSE on failure (and an error UI is shown). */ BOOLEAN PhUiLogoffComputer( _In_ HWND WindowHandle ) { if (ExitWindowsEx(EWX_LOGOFF, 0)) return TRUE; else PhShowStatus(WindowHandle, L"Unable to log off the computer.", 0, PhGetLastError()); return FALSE; } /** * Put the system into sleep (standby) state. * * \param WindowHandle Parent window used for error reporting. * \return BOOLEAN TRUE on success, FALSE on failure (and an error UI is shown). */ BOOLEAN PhUiSleepComputer( _In_ HWND WindowHandle ) { NTSTATUS status; if (NT_SUCCESS(status = NtInitiatePowerAction( PowerActionSleep, PowerSystemSleeping1, 0, FALSE ))) return TRUE; else PhShowStatus(WindowHandle, L"Unable to sleep the computer.", status, 0); return FALSE; } /** * Put the system into hibernate state. * * \param WindowHandle Parent window used for error reporting. * \return BOOLEAN TRUE on success, FALSE on failure (and an error UI is shown). */ BOOLEAN PhUiHibernateComputer( _In_ HWND WindowHandle ) { NTSTATUS status; if (NT_SUCCESS(status = NtInitiatePowerAction( PowerActionHibernate, PowerSystemSleeping1, 0, FALSE ))) return TRUE; else PhShowStatus(WindowHandle, L"Unable to hibernate the computer.", status, 0); return FALSE; } /** * Restart the computer using the specified power action type. * * \param WindowHandle Parent window used for confirmation and error UI. * \param Action The type of restart to perform (PH_POWERACTION_TYPE_*). * \param Flags Additional flags passed to PhInitiateShutdown for Win32 restart. * \return BOOLEAN TRUE if the restart action was initiated, FALSE otherwise. */ BOOLEAN PhUiRestartComputer( _In_ HWND WindowHandle, _In_ PH_POWERACTION_TYPE Action, _In_ ULONG Flags ) { switch (Action) { case PH_POWERACTION_TYPE_WIN32: { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"restart", L"the computer", NULL, FALSE )) { ULONG status = PhInitiateShutdown(PH_SHUTDOWN_RESTART | Flags); if (status == ERROR_SUCCESS) return TRUE; PhShowStatus(WindowHandle, L"Unable to restart the computer.", 0, status); //if (ExitWindowsEx(EWX_REBOOT | EWX_BOOTOPTIONS, 0)) // return TRUE; //else // PhShowStatus(WindowHandle, L"Unable to restart the computer.", 0, GetLastError()); } } break; case PH_POWERACTION_TYPE_NATIVE: { PPH_STRING messageText; messageText = PhaFormatString( L"This option %s %s in a disorderly manner and may cause file corruption or system instability.", L"performs a hard", L"restart"); // Ignore the EnableWarnings preference and always show the warning prompt. (dmex) if (PhShowConfirmMessage( WindowHandle, L"restart", L"the computer", messageText->Buffer, TRUE )) { NTSTATUS status; status = NtShutdownSystem(ShutdownReboot); if (NT_SUCCESS(status)) return TRUE; PhShowStatus(WindowHandle, L"Unable to restart the computer.", status, 0); } } break; case PH_POWERACTION_TYPE_CRITICAL: { PPH_STRING messageText; messageText = PhaFormatString( L"This option %s %s in an disorderly manner and may cause corrupted files or instability in the system.", L"forces a critical", L"restart"); // Ignore the EnableWarnings preference and always show the warning prompt. (dmex) if (PhShowConfirmMessage( WindowHandle, L"restart", L"the computer", messageText->Buffer, TRUE )) { NTSTATUS status; status = NtSetSystemPowerState( PowerActionShutdownReset, PowerSystemShutdown, POWER_ACTION_CRITICAL ); //status = NtInitiatePowerAction( // PowerActionShutdownReset, // PowerSystemShutdown, // POWER_ACTION_CRITICAL, // FALSE // ); if (NT_SUCCESS(status)) return TRUE; PhShowStatus(WindowHandle, L"Unable to restart the computer.", status, 0); } } break; case PH_POWERACTION_TYPE_ADVANCEDBOOT: { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"restart", L"the computer", NULL, FALSE )) { NTSTATUS status; status = PhBcdSetAdvancedOptionsOneTime( TRUE ); if (NT_SUCCESS(status)) { status = PhInitiateShutdown(PH_SHUTDOWN_RESTART); if (status == ERROR_SUCCESS) return TRUE; PhShowStatus(WindowHandle, L"Unable to configure the advanced boot options.", 0, status); } else { PhShowStatus(WindowHandle, L"Unable to configure the advanced boot options.", status, 0); } } } break; case PH_POWERACTION_TYPE_FIRMWAREBOOT: { if (!PhGetOwnTokenAttributes().Elevated) { PhShowMessage2( WindowHandle, TD_OK_BUTTON, TD_ERROR_ICON, L"Unable to restart to firmware options.", L"Make sure System Informer is running with administrative privileges." ); break; } if (!NT_SUCCESS(PhAdjustPrivilege(NULL, SE_SYSTEM_ENVIRONMENT_PRIVILEGE, TRUE))) { PhShowMessage2( WindowHandle, TD_OK_BUTTON, TD_ERROR_ICON, L"Unable to restart to firmware options.", L"Make sure System Informer is running with administrative privileges." ); break; } if (!PhIsFirmwareSupported()) { PhShowMessage2( WindowHandle, TD_OK_BUTTON, TD_ERROR_ICON, L"Unable to restart to firmware options.", L"This machine does not have UEFI support." ); break; } if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"restart", L"the computer", NULL, FALSE )) { NTSTATUS status; status = PhSetSystemEnvironmentBootToFirmware(); if (NT_SUCCESS(status)) { status = PhInitiateShutdown(PH_SHUTDOWN_RESTART); if (status == ERROR_SUCCESS) return TRUE; PhShowStatus(WindowHandle, L"Unable to restart the computer.", 0, status); } else { PhShowStatus(WindowHandle, L"Unable to restart the computer.", status, 0); } } } break; case PH_POWERACTION_TYPE_UPDATE: { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"update and restart", L"the computer", NULL, FALSE )) { ULONG status = PhInitiateShutdown(PH_SHUTDOWN_RESTART | PH_SHUTDOWN_INSTALL_UPDATES); if (status == ERROR_SUCCESS) return TRUE; PhShowStatus(WindowHandle, L"Unable to restart the computer.", 0, status); } } break; case PH_POWERACTION_TYPE_WDOSCAN: { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"restart", L"the computer for Windows Defender Offline Scan", NULL, FALSE )) { HRESULT status = PhRestartDefenderOfflineScan(); if (status == S_OK) return TRUE; if ((status & 0xFFFF0000) == MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, 0)) { PhShowStatus(WindowHandle, L"Unable to restart the computer.", 0, HRESULT_CODE(status)); } else { PhShowStatus(WindowHandle, L"Unable to restart the computer.", STATUS_UNSUCCESSFUL, 0); } } } break; } return FALSE; } /** * Shutdown the computer using the specified power action type. * * \param WindowHandle Parent window used for confirmation and error UI. * \param Action The type of shutdown to perform (PH_POWERACTION_TYPE_*). * \param Flags Additional flags passed to PhInitiateShutdown for Win32 shutdown. * \return BOOLEAN TRUE if the shutdown action was initiated, FALSE otherwise. */ BOOLEAN PhUiShutdownComputer( _In_ HWND WindowHandle, _In_ PH_POWERACTION_TYPE Action, _In_ ULONG Flags ) { switch (Action) { case PH_POWERACTION_TYPE_WIN32: { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"shut down", L"the computer", NULL, FALSE )) { ULONG status = PhInitiateShutdown(PH_SHUTDOWN_POWEROFF | Flags); if (status == ERROR_SUCCESS) return TRUE; PhShowStatus(WindowHandle, L"Unable to shut down the computer.", 0, status); //if (ExitWindowsEx(EWX_POWEROFF | EWX_HYBRID_SHUTDOWN, 0)) // return TRUE; //else if (ExitWindowsEx(EWX_SHUTDOWN | EWX_HYBRID_SHUTDOWN, 0)) // return TRUE; //else // PhShowStatus(WindowHandle, L"Unable to shut down the computer.", 0, GetLastError()); } } break; case PH_POWERACTION_TYPE_NATIVE: { PPH_STRING messageText; messageText = PhaFormatString( L"This option %s %s in an disorderly manner and may cause corrupted files or instability in the system.", L"performs a hard", L"shut down"); // Ignore the EnableWarnings preference and always show the warning prompt. (dmex) if (PhShowConfirmMessage( WindowHandle, L"shut down", L"the computer", messageText->Buffer, TRUE )) { NTSTATUS status; status = NtShutdownSystem(ShutdownPowerOff); if (NT_SUCCESS(status)) return TRUE; PhShowStatus(WindowHandle, L"Unable to shut down the computer.", status, 0); } } break; case PH_POWERACTION_TYPE_CRITICAL: { PPH_STRING messageText; messageText = PhaFormatString( L"This option %s %s in an disorderly manner and may cause corrupted files or instability in the system.", L"forces a critical", L"shut down"); // Ignore the EnableWarnings preference and always show the warning prompt. (dmex) if (PhShowConfirmMessage( WindowHandle, L"shut down", L"the computer", messageText->Buffer, TRUE )) { NTSTATUS status; status = NtSetSystemPowerState( PowerActionShutdownOff, PowerSystemShutdown, POWER_ACTION_CRITICAL ); //status = NtInitiatePowerAction( // PowerActionShutdownReset, // PowerSystemShutdown, // POWER_ACTION_CRITICAL, // FALSE // ); if (NT_SUCCESS(status)) return TRUE; PhShowStatus(WindowHandle, L"Unable to shut down the computer.", status, 0); } } break; case PH_POWERACTION_TYPE_UPDATE: { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"update and shutdown", L"the computer", NULL, FALSE )) { ULONG status = PhInitiateShutdown(PH_SHUTDOWN_POWEROFF | PH_SHUTDOWN_INSTALL_UPDATES); if (status == ERROR_SUCCESS) return TRUE; PhShowStatus(WindowHandle, L"Unable to shut down the computer.", 0, status); } } break; } return FALSE; } /** * Build a dynamic menu listing boot applications (one-time boot entries). * * \param DelayLoadMenu If TRUE, the function will create a placeholder menu item * and delay enumerating boot applications until the menu is opened. * \return PVOID A menu item object (owner-managed); may be disabled if the caller lacks privileges. */ PVOID PhUiCreateComputerBootDeviceMenu( _In_ BOOLEAN DelayLoadMenu ) { PPH_EMENU_ITEM menuItem; PPH_LIST bootApplicationList; menuItem = PhCreateEMenuItem(PH_EMENU_DISABLED, ID_COMPUTER_RESTARTBOOTDEVICE, L"Restart to boot application", NULL, NULL); if (!PhGetOwnTokenAttributes().Elevated) return menuItem; if (!DelayLoadMenu) { BOOLEAN bootEnumerateAllObjects = !!PhGetIntegerSetting(SETTING_ENABLE_BOOT_OBJECTS_ENUMERATE); if (bootApplicationList = PhBcdQueryBootApplicationList(bootEnumerateAllObjects)) { for (ULONG i = 0; i < bootApplicationList->Count; i++) { PPH_BCD_OBJECT_LIST entry = bootApplicationList->Items[i]; PPH_EMENU_ITEM menuItemNew; menuItemNew = PhCreateEMenuItem( PH_EMENU_TEXT_OWNED, ID_COMPUTER_RESTARTBOOTDEVICE, PhAllocateCopy(entry->ObjectName->Buffer, entry->ObjectName->Length + sizeof(UNICODE_NULL)), NULL, UlongToPtr(i) ); PhInsertEMenuItem(menuItem, menuItemNew, ULONG_MAX); } if (bootApplicationList->Count) PhSetEnabledEMenuItem(menuItem, TRUE); PhBcdDestroyBootApplicationList(bootApplicationList); } } return menuItem; } /** * Build a dynamic menu listing firmware boot applications (UEFI). * * \param DelayLoadMenu If TRUE, the function will create a placeholder menu item * and delay enumerating firmware applications until the menu is opened. * \return PVOID A menu item object (owner-managed); may be disabled if the caller lacks privileges. */ PVOID PhUiCreateComputerFirmwareDeviceMenu( _In_ BOOLEAN DelayLoadMenu ) { PPH_EMENU_ITEM menuItem; PPH_LIST firmwareApplicationList; menuItem = PhCreateEMenuItem(PH_EMENU_DISABLED, ID_COMPUTER_RESTARTFWDEVICE, L"Restart to firmware application", NULL, NULL); if (!PhGetOwnTokenAttributes().Elevated) return menuItem; if (!DelayLoadMenu) { if (firmwareApplicationList = PhBcdQueryFirmwareBootApplicationList()) { for (ULONG i = 0; i < firmwareApplicationList->Count; i++) { PPH_BCD_OBJECT_LIST entry = firmwareApplicationList->Items[i]; PPH_EMENU_ITEM menuItemNew; menuItemNew = PhCreateEMenuItem( PH_EMENU_TEXT_OWNED, ID_COMPUTER_RESTARTFWDEVICE, PhAllocateCopy(entry->ObjectName->Buffer, entry->ObjectName->Length + sizeof(UNICODE_NULL)), NULL, UlongToPtr(i) ); PhInsertEMenuItem(menuItem, menuItemNew, ULONG_MAX); } if (firmwareApplicationList->Count) PhSetEnabledEMenuItem(menuItem, TRUE); PhBcdDestroyBootApplicationList(firmwareApplicationList); } } return menuItem; } /** * Handle selection of a boot application menu entry by configuring a one-time boot entry * and initiating a restart if the operation succeeded. * * \param WindowHandle Parent window for confirmation and error dialogs. * \param MenuIndex Index of the selected boot application as returned from the created menu. */ VOID PhUiHandleComputerBootApplicationMenu( _In_ HWND WindowHandle, _In_ ULONG MenuIndex ) { NTSTATUS status = STATUS_UNSUCCESSFUL; BOOLEAN bootEnumerateAllObjects; BOOLEAN bootUpdateFwBootObjects; PPH_LIST bootApplicationList; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) && !PhShowConfirmMessage( WindowHandle, L"restart", L"the computer", NULL, FALSE )) { return; } bootEnumerateAllObjects = !!PhGetIntegerSetting(SETTING_ENABLE_BOOT_OBJECTS_ENUMERATE); bootUpdateFwBootObjects = !!PhGetIntegerSetting(SETTING_ENABLE_UPDATE_DEFAULT_FIRMWARE_BOOT_ENTRY); if (bootApplicationList = PhBcdQueryBootApplicationList(bootEnumerateAllObjects)) { if (MenuIndex < bootApplicationList->Count) { PPH_BCD_OBJECT_LIST entry = bootApplicationList->Items[MenuIndex]; status = PhBcdSetBootApplicationOneTime(&entry->ObjectGuid, bootUpdateFwBootObjects); } PhBcdDestroyBootApplicationList(bootApplicationList); } if (NT_SUCCESS(status)) { status = PhInitiateShutdown(PH_SHUTDOWN_RESTART); if (status != ERROR_SUCCESS) { PhShowStatus(WindowHandle, L"Unable to configure the boot application.", 0, status); } } else { PhShowStatus(WindowHandle, L"Unable to configure the boot application.", status, 0); } } /** * Handle selection of a firmware boot application menu entry by configuring a one-time firmware boot * entry and initiating a restart if the operation succeeded. * * \param WindowHandle Parent window for confirmation and error dialogs. * \param MenuIndex Index of the selected firmware application as returned from the created menu. */ VOID PhUiHandleComputerFirmwareApplicationMenu( _In_ HWND WindowHandle, _In_ ULONG MenuIndex ) { NTSTATUS status = STATUS_UNSUCCESSFUL; PPH_LIST firmwareApplicationList; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) && !PhShowConfirmMessage( WindowHandle, L"restart", L"the computer", NULL, FALSE )) { return; } if (firmwareApplicationList = PhBcdQueryFirmwareBootApplicationList()) { if (MenuIndex < firmwareApplicationList->Count) { PPH_BCD_OBJECT_LIST entry = firmwareApplicationList->Items[MenuIndex]; status = PhBcdSetFirmwareBootApplicationOneTime(&entry->ObjectGuid); } PhBcdDestroyBootApplicationList(firmwareApplicationList); } if (NT_SUCCESS(status)) { status = PhInitiateShutdown(PH_SHUTDOWN_RESTART); if (status != ERROR_SUCCESS) { PhShowStatus(WindowHandle, L"Unable to configure the boot application.", 0, status); } } else { PhShowStatus(WindowHandle, L"Unable to configure the boot application.", status, 0); } } typedef struct _PHP_USERSMENU_ENTRY { ULONG SessionId; PPH_STRING UserName; } PHP_USERSMENU_ENTRY, *PPHP_USERSMENU_ENTRY; /** * Comparison callback used to sort user session menu entries. * * \param Context Unused callback context. * \param elem1 Pointer to the first element to compare. * \param elem2 Pointer to the second element to compare. * \return int <0 if elem1 < elem2, 0 if equal, >0 if elem1 > elem2. */ static int __cdecl PhpUsersMainMenuNameCompare( _In_ void* Context, _In_ void const* elem1, _In_ void const* elem2 ) { PPHP_USERSMENU_ENTRY item1 = *(PPHP_USERSMENU_ENTRY*)elem1; PPHP_USERSMENU_ENTRY item2 = *(PPHP_USERSMENU_ENTRY*)elem2; return PhCompareString(item1->UserName, item2->UserName, TRUE); } /** * Populate the provided users menu item with entries for each active WinStation session. * * \param UsersMenuItem Menu object to populate with per-session submenus. */ VOID PhUiCreateSessionMenu( _In_ PVOID UsersMenuItem ) { PPH_LIST userSessionList; PSESSIONIDW sessions; ULONG numberOfSessions; ULONG i; userSessionList = PhCreateList(1); if (WinStationEnumerateW(WINSTATION_CURRENT_SERVER, &sessions, &numberOfSessions)) { for (i = 0; i < numberOfSessions; i++) { WINSTATIONINFORMATION winStationInfo; ULONG returnLength; SIZE_T formatLength; PH_FORMAT format[5]; PH_STRINGREF menuTextSr; WCHAR formatBuffer[0x100]; if (!WinStationQueryInformationW( WINSTATION_CURRENT_SERVER, sessions[i].SessionId, WinStationInformation, &winStationInfo, sizeof(WINSTATIONINFORMATION), &returnLength )) { winStationInfo.Domain[0] = UNICODE_NULL; winStationInfo.UserName[0] = UNICODE_NULL; } if (winStationInfo.Domain[0] == UNICODE_NULL || winStationInfo.UserName[0] == UNICODE_NULL) { // Probably the Services or RDP-Tcp session. continue; } PhInitFormatU(&format[0], sessions[i].SessionId); PhInitFormatS(&format[1], L": "); PhInitFormatS(&format[2], winStationInfo.Domain); PhInitFormatC(&format[3], OBJ_NAME_PATH_SEPARATOR); PhInitFormatS(&format[4], winStationInfo.UserName); if (!PhFormatToBuffer( format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &formatLength )) { continue; } menuTextSr.Length = formatLength - sizeof(UNICODE_NULL); menuTextSr.Buffer = formatBuffer; { PPHP_USERSMENU_ENTRY entry; entry = PhCreateAlloc(sizeof(PHP_USERSMENU_ENTRY)); entry->SessionId = sessions[i].SessionId; entry->UserName = PhCreateString2(&menuTextSr); PhAddItemList(userSessionList, entry); } } WinStationFreeMemory(sessions); } // Sort the users. (dmex) qsort_s(userSessionList->Items, userSessionList->Count, sizeof(PVOID), PhpUsersMainMenuNameCompare, NULL); // Update the users menu. (dmex) for (i = 0; i < userSessionList->Count; i++) { PPHP_USERSMENU_ENTRY entry; PPH_STRING escapedMenuText; PPH_EMENU_ITEM userMenu; entry = userSessionList->Items[i]; escapedMenuText = PhEscapeStringForMenuPrefix(&entry->UserName->sr); userMenu = PhCreateEMenuItem( PH_EMENU_TEXT_OWNED, 0, PhAllocateCopy(escapedMenuText->Buffer, escapedMenuText->Length + sizeof(UNICODE_NULL)), NULL, UlongToPtr(entry->SessionId) ); PhDereferenceObject(escapedMenuText); PhDereferenceObject(entry->UserName); PhInsertEMenuItem(userMenu, PhCreateEMenuItem(0, ID_USER_CONNECT, L"&Connect", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(userMenu, PhCreateEMenuItem(0, ID_USER_DISCONNECT, L"&Disconnect", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(userMenu, PhCreateEMenuItem(0, ID_USER_LOGOFF, L"&Logoff", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(userMenu, PhCreateEMenuItem(0, ID_USER_REMOTECONTROL, L"Rem&ote control", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(userMenu, PhCreateEMenuItem(0, ID_USER_SENDMESSAGE, L"Send &message...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(userMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(userMenu, PhCreateEMenuItem(0, ID_USER_PROPERTIES, L"P&roperties", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(UsersMenuItem, userMenu, ULONG_MAX); } PhDereferenceObjects(userSessionList->Items, userSessionList->Count); PhDereferenceObject(userSessionList); } /** * Connect the current console to a remote/non-current WinStation session. Prompts for a password * if an initial attempt without credentials fails. * * \param WindowHandle Parent window for password prompts and error UI. * \param SessionId The WinStation session id to connect to. * \return BOOLEAN TRUE on success, FALSE on failure or user cancel. */ BOOLEAN PhUiConnectSession( _In_ HWND WindowHandle, _In_ ULONG SessionId ) { BOOLEAN success = FALSE; PPH_STRING selectedChoice = NULL; PPH_STRING oldSelectedChoice = NULL; // Try once with no password. if (WinStationConnectW(WINSTATION_CURRENT_SERVER, SessionId, LOGONID_CURRENT, L"", TRUE)) return TRUE; while (PhaChoiceDialog( WindowHandle, L"Connect to session", L"Password:", NULL, 0, NULL, PH_CHOICE_DIALOG_PASSWORD, &selectedChoice, NULL, NULL )) { if (oldSelectedChoice) { RtlSecureZeroMemory(oldSelectedChoice->Buffer, oldSelectedChoice->Length); PhDereferenceObject(oldSelectedChoice); } oldSelectedChoice = selectedChoice; if (WinStationConnectW(WINSTATION_CURRENT_SERVER, SessionId, LOGONID_CURRENT, selectedChoice->Buffer, TRUE)) { success = TRUE; break; } else { if (!PhShowContinueStatus(WindowHandle, L"Unable to connect to the session", 0, GetLastError())) break; } } if (oldSelectedChoice) { RtlSecureZeroMemory(oldSelectedChoice->Buffer, oldSelectedChoice->Length); PhDereferenceObject(oldSelectedChoice); } return success; } /** * Disconnect a WinStation session. * * \param WindowHandle Parent window for error reporting. * \param SessionId The WinStation session id to disconnect. * \return BOOLEAN TRUE on success, FALSE on failure (and an error UI is shown). */ BOOLEAN PhUiDisconnectSession( _In_ HWND WindowHandle, _In_ ULONG SessionId ) { if (WinStationDisconnect(WINSTATION_CURRENT_SERVER, SessionId, FALSE)) return TRUE; else PhShowStatus(WindowHandle, L"Unable to disconnect the session", 0, GetLastError()); return FALSE; } /** * Log off a specific WinStation session after optional confirmation. * * \param WindowHandle Parent window for confirmation and error UI. * \param SessionId The WinStation session id to log off. * \return BOOLEAN TRUE on success, FALSE on failure or if the user cancelled. */ BOOLEAN PhUiLogoffSession( _In_ HWND WindowHandle, _In_ ULONG SessionId ) { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"logoff", L"the user", NULL, FALSE )) { if (WinStationReset(WINSTATION_CURRENT_SERVER, SessionId, FALSE)) return TRUE; else PhShowStatus(WindowHandle, L"Unable to logoff the session", 0, GetLastError()); } return FALSE; } /** * Determines if a process is a system process. * * \param ProcessId The PID of the process to check. */ BOOLEAN PhIsDangerousProcess( _In_ HANDLE ProcessId ) { static CONST ULONG DangerousProcesses[] = { 0x6ccbdb46, // csrss.exe 0x5920bffe, // dwm.exe 0x8880527b, // logonui.exe 0x9fd9b2be, // lsass.exe 0xb1c6af0a, // lsm.exe 0xaafce8c2, // services.exe 0xfe38787e, // smss.exe 0x9d662730, // wininit.exe 0x2aa5caab, // winlogon.exe }; PPH_STRING fileName; ULONG hash; if (ProcessId == SYSTEM_PROCESS_ID) return TRUE; if (!NT_SUCCESS(PhGetProcessImageFileNameByProcessId(ProcessId, &fileName))) return FALSE; PhMoveReference(&fileName, PhGetBaseName(fileName)); hash = PhHashStringRefEx(&fileName->sr, TRUE, PH_STRING_HASH_X65599); PhDereferenceObject(fileName); for (ULONG i = 0; i < RTL_NUMBER_OF(DangerousProcesses); i++) { if (hash == DangerousProcesses[i]) return TRUE; } if (PhPluginsEnabled) { PH_PLUGIN_IS_DANGEROUS_PROCESS processInfo; processInfo.ProcessId = ProcessId; processInfo.DangerousProcess = FALSE; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackDangerousProcess), &processInfo); if (processInfo.DangerousProcess) return TRUE; } return FALSE; } #if defined(PH_TS_IS_SYSTEM_PROCESS) typedef struct _PH_IS_SYSTEM_PROCESS_CONTEXT { PPH_STRING BaseName; BOOLEAN Found; } PH_IS_SYSTEM_PROCESS_CONTEXT, *PPH_IS_SYSTEM_PROCESS_CONTEXT; _Function_class_(PH_ENUM_KEY_CALLBACK) static BOOLEAN NTAPI PhIsSystemProcessCallback( _In_ HANDLE RootDirectory, _In_ PKEY_VALUE_FULL_INFORMATION Information, _In_ PPH_IS_SYSTEM_PROCESS_CONTEXT Context ) { if (Information->Type == REG_DWORD) { PH_STRINGREF string; string.Buffer = PTR_ADD_OFFSET(Information, Information->DataOffset); string.Length = Information->DataLength; if (PhEqualStringRef(&string, &Context->BaseName->sr, TRUE)) { Context->Found = TRUE; return FALSE; } } return TRUE; } /** * Determines if a process is a system process. * * \param ProcessId The PID of the process to check. */ BOOLEAN PhIsTerminalServerSystemProcess( _In_ HANDLE ProcessId ) { static CONST PH_STRINGREF keyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Control\\Terminal Server\\SysProcs"); PPH_STRING fileName; HANDLE keyHandle; if (ProcessId == SYSTEM_PROCESS_ID) return TRUE; if (!NT_SUCCESS(PhGetProcessImageFileNameByProcessId(ProcessId, &fileName))) return FALSE; PhMoveReference(&fileName, PhGetBaseName(fileName)); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &keyName, 0 ))) { PH_IS_SYSTEM_PROCESS_CONTEXT context; memset(&context, 0, sizeof(PH_IS_SYSTEM_PROCESS_CONTEXT)); context.BaseName = fileName; context.Found = FALSE; PhEnumerateValueKey( keyHandle, KeyValueFullInformation, PhIsSystemProcessCallback, &context ); NtClose(keyHandle); if (context.Found) { PhDereferenceObject(fileName); return TRUE; } } PhDereferenceObject(fileName); return FALSE; } #endif /** * Checks if the user wants to proceed with an operation. * * \param WindowHandle A handle to the parent window. * \param Verb A verb describing the action. * \param Message A message containing additional information * about the action. * \param WarnOnlyIfDangerous TRUE to skip the confirmation * dialog if none of the processes are system processes, * FALSE to always show the confirmation dialog. * \param Processes An array of pointers to process items. * \param NumberOfProcesses The number of process items. * \return TRUE if the user wants to proceed with the operation, * otherwise FALSE. */ static BOOLEAN PhpShowContinueMessageProcesses( _In_ HWND WindowHandle, _In_ PCWSTR Verb, _In_opt_ PCWSTR Message, _In_ BOOLEAN WarnOnlyIfDangerous, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { PWSTR object; ULONG i; BOOLEAN critical = FALSE; BOOLEAN dangerous = FALSE; BOOLEAN cont = FALSE; if (NumberOfProcesses == 0) return FALSE; for (i = 0; i < NumberOfProcesses; i++) { HANDLE processHandle; BOOLEAN breakOnTermination = FALSE; if (PhIsDangerousProcess(Processes[i]->ProcessId)) { critical = TRUE; dangerous = TRUE; break; } if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_INFORMATION, Processes[i]->ProcessId))) { PhGetProcessBreakOnTermination(processHandle, &breakOnTermination); NtClose(processHandle); } if (breakOnTermination) { critical = TRUE; dangerous = TRUE; break; } } if (WarnOnlyIfDangerous && !dangerous) return TRUE; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { if (NumberOfProcesses == 1) { object = Processes[0]->ProcessName->Buffer; } else if (NumberOfProcesses == 2) { object = PhaConcatStrings( 3, Processes[0]->ProcessName->Buffer, L" and ", Processes[1]->ProcessName->Buffer )->Buffer; } else { object = L"the selected processes"; } if (!dangerous) { cont = PhShowConfirmMessage( WindowHandle, Verb, object, Message, FALSE ); } else if (!critical) { cont = PhShowConfirmMessage( WindowHandle, Verb, object, PhaConcatStrings( 3, L"You are about to ", Verb, L" one or more system processes." )->Buffer, TRUE ); } else { PPH_STRING message; if (PhEqualStringZ(Verb, L"terminate", FALSE)) { message = PhaConcatStrings( 3, L"You are about to ", Verb, L" one or more critical processes. This will shut down the operating system immediately." ); } else { message = PhaConcatStrings( 3, L"You are about to ", Verb, L" one or more critical processes." ); } cont = PhShowConfirmMessage( WindowHandle, Verb, object, message->Buffer, TRUE ); } } else { cont = TRUE; } return cont; } /** * Shows an error message to the user and checks * if the user wants to continue. * * \param WindowHandle A handle to the parent window. * \param Verb A verb describing the action which * resulted in an error. * \param Process The process item which the action * was performed on. * \param Status A NT status value representing the * error. * \param Win32Result A Win32 error code representing * the error. * * \return TRUE if the user wants to continue, otherwise * FALSE. The result is typically only useful when * executing an action on multiple processes. */ static BOOLEAN PhpShowErrorProcess( _In_ HWND WindowHandle, _In_ PCWSTR Verb, _In_ PPH_PROCESS_ITEM Process, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { if (!PH_IS_FAKE_PROCESS_ID(Process->ProcessId)) { return PhShowContinueStatus( WindowHandle, PhaFormatString( L"Unable to %s %s (PID %lu)", Verb, Process->ProcessName->Buffer, HandleToUlong(Process->ProcessId) )->Buffer, Status, Win32Result ); } else { return PhShowContinueStatus( WindowHandle, PhaFormatString( L"Unable to %s %s", Verb, Process->ProcessName->Buffer )->Buffer, Status, Win32Result ); } } BOOLEAN PhUiTerminateProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (!PhpShowContinueMessageProcesses( WindowHandle, L"terminate", L"Terminating a process will cause unsaved data to be lost.", FALSE, Processes, NumberOfProcesses )) return FALSE; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; // Note: The current process is a special case (see GH#1770) (dmex) if (Processes[i]->ProcessId == NtCurrentProcessId()) { RtlExitUserProcess(STATUS_SUCCESS); } if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_TERMINATE, Processes[i]->ProcessId ))) { // An exit status of 1 is used here for compatibility reasons: // 1. Both Task Manager and Process Explorer use 1. // 2. winlogon tries to restart explorer.exe if the exit status is not 1. status = PhTerminateProcess(processHandle, 1); if (status == STATUS_SUCCESS || status == STATUS_PROCESS_IS_TERMINATING) PhTerminateProcess(processHandle, DBG_TERMINATE_PROCESS); // debug terminate (dmex) NtClose(processHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to terminate ", Processes[i]->ProcessName->Buffer)->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlProcess(Processes[i]->ProcessId, PhSvcControlProcessTerminate, 0))) success = TRUE; else PhpShowErrorProcess(WindowHandle, L"terminate", Processes[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorProcess(WindowHandle, L"terminate", Processes[i], status, 0)) break; } } } return success; } BOOLEAN PhpUiTerminateTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ PVOID Processes, _Inout_ PBOOLEAN Success ) { NTSTATUS status; PSYSTEM_PROCESS_INFORMATION process; HANDLE processHandle; PPH_PROCESS_ITEM processItem; // Note: // FALSE should be written to Success if any part of the operation failed. // The return value of this function indicates whether to continue with // the operation (FALSE if user cancelled). // Terminate the process. if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_TERMINATE, Process->ProcessId ))) { status = PhTerminateProcess(processHandle, 1); if (status == STATUS_SUCCESS || status == STATUS_PROCESS_IS_TERMINATING) PhTerminateProcess(processHandle, DBG_TERMINATE_PROCESS); // debug terminate (dmex) NtClose(processHandle); } if (!NT_SUCCESS(status)) { *Success = FALSE; if (!PhpShowErrorProcess(WindowHandle, L"terminate", Process, status, 0)) return FALSE; } // Terminate the process' children. process = PH_FIRST_PROCESS(Processes); do { if (process->UniqueProcessId != Process->ProcessId && process->InheritedFromUniqueProcessId == Process->ProcessId) { if (processItem = PhReferenceProcessItem(process->UniqueProcessId)) { if (WindowsVersion >= WINDOWS_10_RS3) { // Check the sequence number to make sure it is a descendant. if (processItem->ProcessSequenceNumber >= Process->ProcessSequenceNumber) { if (!PhpUiTerminateTreeProcess(WindowHandle, processItem, Processes, Success)) { PhDereferenceObject(processItem); return FALSE; } } } else { // Check the creation time to make sure it is a descendant. if (processItem->CreateTime.QuadPart >= Process->CreateTime.QuadPart) { if (!PhpUiTerminateTreeProcess(WindowHandle, processItem, Processes, Success)) { PhDereferenceObject(processItem); return FALSE; } } } PhDereferenceObject(processItem); } } } while (process = PH_NEXT_PROCESS(process)); return TRUE; } BOOLEAN PhUiTerminateTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; BOOLEAN success = TRUE; BOOLEAN cont = FALSE; PVOID processes; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { cont = PhShowConfirmMessage( WindowHandle, L"terminate", PhaConcatStrings2(Process->ProcessName->Buffer, L" and its descendants")->Buffer, L"Terminating a process tree will cause the process and its descendants to be terminated.", FALSE ); } else { cont = TRUE; } if (!cont) return FALSE; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) { PhShowStatus(WindowHandle, L"Unable to enumerate processes", status, 0); return FALSE; } PhpUiTerminateTreeProcess(WindowHandle, Process, processes, &success); PhFree(processes); return success; } BOOLEAN PhUiSuspendProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (!PhpShowContinueMessageProcesses( WindowHandle, L"suspend", NULL, TRUE, Processes, NumberOfProcesses )) return FALSE; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SUSPEND_RESUME, Processes[i]->ProcessId ))) { status = NtSuspendProcess(processHandle); NtClose(processHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to suspend ", Processes[i]->ProcessName->Buffer)->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlProcess(Processes[i]->ProcessId, PhSvcControlProcessSuspend, 0))) success = TRUE; else PhpShowErrorProcess(WindowHandle, L"suspend", Processes[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorProcess(WindowHandle, L"suspend", Processes[i], status, 0)) break; } } } return success; } BOOLEAN PhpUiSuspendTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ PVOID Processes, _Inout_ PBOOLEAN Success ) { NTSTATUS status; PSYSTEM_PROCESS_INFORMATION process; HANDLE processHandle; PPH_PROCESS_ITEM processItem; // Note: // FALSE should be written to Success if any part of the operation failed. // The return value of this function indicates whether to continue with // the operation (FALSE if user cancelled). // Suspend the process. if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SUSPEND_RESUME, Process->ProcessId ))) { status = NtSuspendProcess(processHandle); NtClose(processHandle); } if (!NT_SUCCESS(status)) { *Success = FALSE; if (!PhpShowErrorProcess(WindowHandle, L"suspend", Process, status, 0)) return FALSE; } // Suspend the process' children. process = PH_FIRST_PROCESS(Processes); do { if (process->UniqueProcessId != Process->ProcessId && process->InheritedFromUniqueProcessId == Process->ProcessId) { if (processItem = PhReferenceProcessItem(process->UniqueProcessId)) { if (WindowsVersion >= WINDOWS_10_RS3) { // Check the sequence number to make sure it is a descendant. if (processItem->ProcessSequenceNumber >= Process->ProcessSequenceNumber) { if (!PhpUiSuspendTreeProcess(WindowHandle, processItem, Processes, Success)) { PhDereferenceObject(processItem); return FALSE; } } } else { // Check the creation time to make sure it is a descendant. if (processItem->CreateTime.QuadPart >= Process->CreateTime.QuadPart) { if (!PhpUiSuspendTreeProcess(WindowHandle, processItem, Processes, Success)) { PhDereferenceObject(processItem); return FALSE; } } } PhDereferenceObject(processItem); } } } while (process = PH_NEXT_PROCESS(process)); return TRUE; } BOOLEAN PhUiSuspendTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; BOOLEAN result; PVOID processes; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { result = PhShowConfirmMessage( WindowHandle, L"suspend", PhaConcatStrings2(Process->ProcessName->Buffer, L" and its descendants")->Buffer, L"Suspending a process tree will cause the process and its descendants to be suspend.", FALSE ); } else { result = TRUE; } if (!result) return FALSE; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) { PhShowStatus(WindowHandle, L"Unable to enumerate processes", status, 0); return FALSE; } PhpUiSuspendTreeProcess(WindowHandle, Process, processes, &result); PhFree(processes); return result; } BOOLEAN PhUiResumeProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (!PhpShowContinueMessageProcesses( WindowHandle, L"resume", NULL, TRUE, Processes, NumberOfProcesses )) return FALSE; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SUSPEND_RESUME, Processes[i]->ProcessId ))) { status = NtResumeProcess(processHandle); NtClose(processHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to resume ", Processes[i]->ProcessName->Buffer)->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlProcess(Processes[i]->ProcessId, PhSvcControlProcessResume, 0))) success = TRUE; else PhpShowErrorProcess(WindowHandle, L"resume", Processes[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorProcess(WindowHandle, L"resume", Processes[i], status, 0)) break; } } } return success; } BOOLEAN PhpUiResumeTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ PVOID Processes, _Inout_ PBOOLEAN Success ) { NTSTATUS status; PSYSTEM_PROCESS_INFORMATION process; HANDLE processHandle; PPH_PROCESS_ITEM processItem; // Note: // FALSE should be written to Success if any part of the operation failed. // The return value of this function indicates whether to continue with // the operation (FALSE if user cancelled). // Resume the process. if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SUSPEND_RESUME, Process->ProcessId ))) { status = NtResumeProcess(processHandle); NtClose(processHandle); } if (!NT_SUCCESS(status)) { *Success = FALSE; if (!PhpShowErrorProcess(WindowHandle, L"resume", Process, status, 0)) return FALSE; } // Resume the process' children. process = PH_FIRST_PROCESS(Processes); do { if (process->UniqueProcessId != Process->ProcessId && process->InheritedFromUniqueProcessId == Process->ProcessId) { if (processItem = PhReferenceProcessItem(process->UniqueProcessId)) { if (WindowsVersion >= WINDOWS_10_RS3) { // Check the sequence number to make sure it is a descendant. if (processItem->ProcessSequenceNumber >= Process->ProcessSequenceNumber) { if (!PhpUiResumeTreeProcess(WindowHandle, processItem, Processes, Success)) { PhDereferenceObject(processItem); return FALSE; } } } else { // Check the creation time to make sure it is a descendant. if (processItem->CreateTime.QuadPart >= Process->CreateTime.QuadPart) { if (!PhpUiResumeTreeProcess(WindowHandle, processItem, Processes, Success)) { PhDereferenceObject(processItem); return FALSE; } } } PhDereferenceObject(processItem); } } } while (process = PH_NEXT_PROCESS(process)); return TRUE; } BOOLEAN PhUiResumeTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; BOOLEAN result; PVOID processes; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { result = PhShowConfirmMessage( WindowHandle, L"resume", PhConcatStringRefZ(&Process->ProcessName->sr, L" and its descendants")->Buffer, L"Resuming a process tree will cause the process and its descendants to be resumed.", FALSE ); } else { result = TRUE; } if (!result) return FALSE; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) { PhShowStatus(WindowHandle, L"Unable to enumerate processes", status, 0); return FALSE; } PhpUiResumeTreeProcess(WindowHandle, Process, processes, &result); PhFree(processes); return result; } BOOLEAN PhUiFreezeTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; BOOLEAN result = FALSE; HANDLE freezeHandle; if (ReadPointerAcquire(&Process->FreezeHandle)) return FALSE; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { result = PhShowConfirmMessage( WindowHandle, L"freeze", Process->ProcessName->Buffer, L"Freezing does not persist after exiting System Informer.", FALSE ); } else { result = TRUE; } if (!result) return FALSE; status = PhFreezeProcessById( &freezeHandle, Process->ProcessId ); if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"freeze", Process, status, 0); return FALSE; } if (freezeHandle = InterlockedExchangePointer(&Process->FreezeHandle, freezeHandle)) { NtClose(freezeHandle); } return TRUE; } BOOLEAN PhUiThawTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; HANDLE freezeHandle; if (!ReadPointerAcquire(&Process->FreezeHandle)) return FALSE; status = PhThawProcessById( Process->FreezeHandle, Process->ProcessId ); if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"thaw", Process, status, 0); return FALSE; } if (freezeHandle = InterlockedExchangePointer(&Process->FreezeHandle, NULL)) { NtClose(freezeHandle); } return TRUE; } BOOLEAN PhUiRestartProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; BOOLEAN result = FALSE; BOOLEAN elevated = !!PhGetOwnTokenAttributes().Elevated; BOOLEAN tokenIsStronglyNamed = FALSE; BOOLEAN tokenIsUIAccessEnabled = FALSE; BOOLEAN tokenRevertImpersonation = FALSE; HANDLE processHandle = NULL; HANDLE newProcessHandle = NULL; HANDLE tokenHandle = NULL; PPH_STRING fileNameWin32 = NULL; PPH_STRING commandLine = NULL; PPH_STRING currentDirectory = NULL; STARTUPINFOEX startupInfo = { 0 }; PSECURITY_DESCRIPTOR processSecurityDescriptor = NULL; PSECURITY_DESCRIPTOR tokenSecurityDescriptor = NULL; PPROC_THREAD_ATTRIBUTE_LIST attributeList = NULL; BOOLEAN environmentAllocated = FALSE; PVOID environmentBuffer = NULL; ULONG environmentLength; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { result = PhShowConfirmMessage( WindowHandle, L"restart", Process->ProcessName->Buffer, L"The process will be restarted with the same command line, " L"working directory and privileges.", FALSE ); } else { result = TRUE; } if (!result) return FALSE; // Fail when restarting the current process otherwise // we get terminated before creating the new process. (dmex) if (Process->ProcessId == NtCurrentProcessId()) return FALSE; // Special handling for the current shell process. (dmex) { CLIENT_ID shellClientId; if (NT_SUCCESS(PhGetWindowClientId(PhGetShellWindow(), &shellClientId))) { if (Process->ProcessId == shellClientId.UniqueProcess) { if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_TERMINATE, Process->ProcessId ))) { status = PhTerminateProcess( processHandle, STATUS_SUCCESS ); NtClose(processHandle); if (NT_SUCCESS(status)) goto CleanupExit; } } } } fileNameWin32 = Process->FileName ? PhGetFileName(Process->FileName) : NULL; if (PhIsNullOrEmptyString(fileNameWin32) || !PhDoesFileExistWin32(PhGetString(fileNameWin32))) { status = STATUS_NO_SUCH_FILE; goto CleanupExit; } // Open the process and get the command line and current directory. if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, Process->ProcessId ))) goto CleanupExit; if (!NT_SUCCESS(status = PhGetProcessCurrentDirectory( processHandle, !!Process->IsWow64Process, ¤tDirectory ))) goto CleanupExit; if (!NT_SUCCESS(status = PhGetProcessCommandLine( processHandle, &commandLine ))) goto CleanupExit; if (!NT_SUCCESS(status = PhGetProcessEnvironment( processHandle, !!Process->IsWow64Process, &environmentBuffer, &environmentLength ))) goto CleanupExit; NtClose(processHandle); processHandle = NULL; // Start the process. // // Use the existing process as the parent, and restarting the process will inherit most of the process configuration from itself (dmex) status = PhOpenProcess( &processHandle, PROCESS_CREATE_PROCESS | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE | (elevated ? READ_CONTROL : 0), Process->ProcessId ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhInitializeProcThreadAttributeList(&attributeList, 1); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &processHandle, sizeof(HANDLE) ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhOpenProcessToken( processHandle, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | (elevated ? READ_CONTROL : 0), &tokenHandle ); if (NT_SUCCESS(status)) { status = PhGetTokenUIAccess(tokenHandle, &tokenIsUIAccessEnabled); if (!NT_SUCCESS(status)) goto CleanupExit; } else { status = PhOpenProcessToken( processHandle, TOKEN_QUERY | (elevated ? READ_CONTROL : 0), &tokenHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; } if (elevated) { PhGetObjectSecurity( processHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, &processSecurityDescriptor ); PhGetObjectSecurity( tokenHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, &tokenSecurityDescriptor ); } if (!environmentBuffer) { if (NT_SUCCESS(PhCreateEnvironmentBlock(&environmentBuffer, tokenHandle, FALSE))) { environmentAllocated = TRUE; } } if (NT_SUCCESS(PhGetProcessIsStronglyNamed(processHandle, &tokenIsStronglyNamed)) && tokenIsStronglyNamed) { tokenRevertImpersonation = NT_SUCCESS(PhImpersonateToken(NtCurrentThread(), tokenHandle)); } memset(&startupInfo, 0, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfo.StartupInfo.dwFlags = STARTF_USESHOWWINDOW; startupInfo.StartupInfo.wShowWindow = SW_SHOWNORMAL; startupInfo.lpAttributeList = attributeList; status = PhCreateProcessWin32Ex( PhGetString(fileNameWin32), PhGetString(commandLine), environmentBuffer, PhGetString(currentDirectory), &startupInfo, PH_CREATE_PROCESS_SUSPENDED | PH_CREATE_PROCESS_NEW_CONSOLE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | PH_CREATE_PROCESS_UNICODE_ENVIRONMENT, tokenHandle, NULL, &newProcessHandle, NULL ); if (!NT_SUCCESS(status)) // Try without the token (dmex) { status = PhCreateProcessWin32Ex( PhGetString(fileNameWin32), PhGetString(commandLine), environmentBuffer, PhGetString(currentDirectory), &startupInfo, PH_CREATE_PROCESS_SUSPENDED | PH_CREATE_PROCESS_NEW_CONSOLE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | PH_CREATE_PROCESS_UNICODE_ENVIRONMENT, NULL, NULL, &newProcessHandle, NULL ); } if (!NT_SUCCESS(status) && tokenIsUIAccessEnabled) // Try UIAccess (dmex) { status = PhShellExecuteEx( WindowHandle, PhGetString(fileNameWin32), PhGetString(commandLine), PhGetString(currentDirectory), SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, 0, &newProcessHandle ); } if (tokenRevertImpersonation) { PhRevertImpersonationToken(NtCurrentThread()); } if (NT_SUCCESS(status)) { // See runas.c for a description of the Windows issue with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS // requiring the reset of the security descriptor. (dmex) if (elevated && !tokenIsUIAccessEnabled) // Skip processes with UIAccess (dmex) { HANDLE tokenWriteHandle = NULL; if (processSecurityDescriptor) { PhSetObjectSecurity( newProcessHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, processSecurityDescriptor ); } if (tokenSecurityDescriptor && NT_SUCCESS(PhOpenProcessToken( newProcessHandle, WRITE_DAC | WRITE_OWNER, &tokenWriteHandle ))) { PhSetObjectSecurity( tokenWriteHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, tokenSecurityDescriptor ); NtClose(tokenWriteHandle); } } // Terminate the existing process. PhTerminateProcess(processHandle, STATUS_SUCCESS); // Update the console foreground. PhConsoleSetForeground(newProcessHandle, TRUE); // Resume the new process. NtResumeProcess(newProcessHandle); } CleanupExit: if (tokenHandle) { NtClose(tokenHandle); } if (newProcessHandle) { NtClose(newProcessHandle); } if (processHandle) { NtClose(processHandle); } if (attributeList) { PhDeleteProcThreadAttributeList(attributeList); } if (environmentBuffer && environmentAllocated) { PhDestroyEnvironmentBlock(environmentBuffer); } if (tokenSecurityDescriptor) { PhFree(tokenSecurityDescriptor); } if (processSecurityDescriptor) { PhFree(processSecurityDescriptor); } if (currentDirectory) { PhDereferenceObject(currentDirectory); } if (commandLine) { PhDereferenceObject(commandLine); } if (fileNameWin32) { PhDereferenceObject(fileNameWin32); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"restart", Process, status, 0); return FALSE; } return TRUE; } static PPH_STRING PhFindDebuggerPath( _In_ PCWSTR DebuggerName ) { static PH_STRINGREF windowsKitsKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows Kits\\Installed Roots"); PPH_STRING debuggerPath = NULL; HANDLE keyHandle; PPH_STRING kitsRoot; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &windowsKitsKeyName, 0 ))) { if (kitsRoot = PhQueryRegistryStringZ(keyHandle, L"KitsRoot10")) { PPH_STRING testPath; #ifdef _WIN64 testPath = PhConcatStringRefZ(&kitsRoot->sr, L"Debuggers\\x64\\"); #else testPath = PhConcatStringRefZ(&kitsRoot->sr, L"Debuggers\\x86\\"); #endif PhMoveReference(&testPath, PhConcatStringRefZ(&testPath->sr, DebuggerName)); if (PhDoesFileExistWin32(PhGetString(testPath))) { debuggerPath = testPath; } else { PhDereferenceObject(testPath); } PhDereferenceObject(kitsRoot); } NtClose(keyHandle); } if (PhIsNullOrEmptyString(debuggerPath)) { PhMoveReference(&debuggerPath, PhSearchFilePath(DebuggerName, L".exe")); } return debuggerPath; } //static PPH_STRING PhFindVisualStudioDebugger( // _In_ PCPH_STRINGREF VersionRange // ) //{ // static const PH_STRINGREF vswhere = PH_STRINGREF_INIT(L"%ProgramFiles(x86)%\\Microsoft Visual Studio\\Installer\\vswhere.exe"); // static const PH_STRINGREF trimSet = PH_STRINGREF_INIT(L"\r\n"); // static const PH_STRINGREF args01 = PH_STRINGREF_INIT(L" -prerelease -version "); // static const PH_STRINGREF args02 = PH_STRINGREF_INIT(L" -property installationPath "); // NTSTATUS status; // PPH_STRING expandedfileName = NULL; // PPH_STRING expandedCommand = NULL; // PPH_STRING devenvPath = NULL; // PPH_STRING output = NULL; // // if (!(expandedfileName = PhExpandEnvironmentStrings(&vswhere))) // return NULL; // // if (!PhDoesFileExistWin32(PhGetString(expandedfileName))) // { // PhDereferenceObject(expandedfileName); // return NULL; // } // // // vswhere.exe -prerelease -version %s -property installationPath // expandedCommand = PhConcatStringRef3( // &args01, // VersionRange, // &args02 // ); // // status = PhCreateProcessRedirection( // &expandedfileName->sr, // &expandedCommand->sr, // NULL, // &output // ); // // if (!NT_SUCCESS(status) || PhIsNullOrEmptyString(output)) // goto CleanupExit; // // PhTrimStringRef( // &output->sr, // &trimSet, // PH_TRIM_END_ONLY // ); // // devenvPath = PhConcatStringRefZ(&output->sr, L"\\Common7\\IDE\\devenv.exe"); // // if (PhDoesFileExistWin32(devenvPath->Buffer)) // { // PhClearReference(&output); // PhClearReference(&expandedCommand); // PhClearReference(&expandedfileName); // // return devenvPath; // } // //CleanupExit: // PhClearReference(&output); // PhClearReference(&devenvPath); // PhClearReference(&expandedCommand); // PhClearReference(&expandedfileName); // return NULL; //} /** * Launch a system debugger attached to the specified process. * * \param WindowHandle: The parent HWND for dialogs (Task Dialogs, errors, etc.). * \param Process A pointer to a `PPH_PROCESS_ITEM` describing the target process. * \return BOOLEAN: TRUE on success (debugger launched), FALSE on cancel or failure. */ BOOLEAN PhUiDebugProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { static CONST PH_STRINGREF aeDebugKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug"); #ifdef _WIN64 static CONST PH_STRINGREF aeDebugWow64KeyName = PH_STRINGREF_INIT(L"Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug"); #endif NTSTATUS status; PPH_STRING commandLine = NULL; PPH_STRING debuggerCommand = NULL; PH_STRING_BUILDER commandLineBuilder; HANDLE keyHandle; PPH_STRING debugger; PH_STRINGREF commandPart; PH_STRINGREF dummy; LONG debuggerChoice = 0; PPH_STRING registryDebuggerPath = NULL; PPH_STRING registryDebuggerName = NULL; //if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) //{ // result = PhShowConfirmMessage( // WindowHandle, // L"debug", // Process->ProcessName->Buffer, // L"Debugging a process may result in loss of data.", // FALSE // ); //} //else //{ // result = TRUE; //} // //if (!result) // return FALSE; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, #ifdef _WIN64 Process->IsWow64Process ? &aeDebugWow64KeyName : &aeDebugKeyName, #else &aeDebugKeyName, #endif 0 ); if (NT_SUCCESS(status)) { if (debugger = PhQueryRegistryStringZ(keyHandle, L"Debugger")) { if (PhSplitStringRefAtChar(&debugger->sr, L'"', &dummy, &commandPart) && PhSplitStringRefAtChar(&commandPart, L'"', &commandPart, &dummy)) { registryDebuggerPath = PhCreateString2(&commandPart); registryDebuggerName = PhGetFileName(registryDebuggerPath); } PhDereferenceObject(debugger); } NtClose(keyHandle); } // Check for available debuggers and show selection dialog { PPH_STRING windbgPath = NULL; PPH_STRING windbgPreviewPath = NULL; //PPH_STRING vs2026Path = NULL; //PPH_STRING vs2022Path = NULL; PPH_STRING cdbPath = NULL; PPH_STRING kdPath = NULL; PPH_STRING ntsdPath = NULL; TASKDIALOGCONFIG config; TASKDIALOG_BUTTON buttons[11]; ULONG buttonCount = 0; PPH_STRING registryButtonText = NULL; if (windbgPath = PhFindDebuggerPath(L"windbg.exe")) buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 101, L"\U0001FA9F WinDbg\nGraphical debugger for both user-mode and kernel-mode debugging." }; if (windbgPreviewPath = PhFindDebuggerPath(L"windbgx.exe")) buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 102, L"\U0001FA9F WinDbg (Preview)\nModern graphical debugger for both user-mode and kernel-mode debugging." }; //if (vs2026Path = PhFindVisualStudioDebugger(SREF(L"[18.0,19.0)"))) // buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 107, L"\U0001F4D8 Visual Studio 2026\nFull-featured IDE with integrated debugging." }; //if (vs2022Path = PhFindVisualStudioDebugger(SREF(L"[16.0,17.0)"))) // buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 108, L"\U0001F4D8 Visual Studio 2022\nFull-featured IDE with integrated debugging." }; if (cdbPath = PhFindDebuggerPath(L"cdb.exe")) buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 103, L"\U0001F4FA CDB\nCommand-line debugger for user-mode applications." }; if (kdPath = PhFindDebuggerPath(L"kd.exe")) buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 104, L"\U0001F4FA KD\nKernel debugger for low-level system debugging." }; if (ntsdPath = PhFindDebuggerPath(L"ntsd.exe")) buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 105, L"\U0001F4FA NTSD\nLegacy command-line debugger similar to CDB." }; // Always add registry debugger option if (registryDebuggerPath && registryDebuggerName) { registryButtonText = PhFormatString( L"\U00002699 (System Default)\n%s", registryDebuggerName->Buffer, registryDebuggerPath->Buffer ); buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 106, registryButtonText->Buffer }; } else { buttons[buttonCount++] = (TASKDIALOG_BUTTON){ 106, L"\U00002699 System Default\nNo debugger configured in AeDebug registry key." }; } memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.hwndParent = WindowHandle; config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_USE_COMMAND_LINKS | TDF_POSITION_RELATIVE_TO_WINDOW | TDF_CAN_BE_MINIMIZED; config.hMainIcon = PhGetApplicationIcon(FALSE); config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Select a system debugger to use for this process:"; config.pszContent = L"You can choose from the installed debugging tools below."; config.cButtons = buttonCount; config.pButtons = buttons; if (PhShowTaskDialog(&config, &debuggerChoice, NULL, NULL) && debuggerChoice != 0) { switch (debuggerChoice) { case 101: debuggerCommand = windbgPath; windbgPath = NULL; break; case 102: debuggerCommand = windbgPreviewPath; windbgPreviewPath = NULL; break; case 103: debuggerCommand = cdbPath; cdbPath = NULL; break; case 104: debuggerCommand = kdPath; kdPath = NULL; break; case 105: debuggerCommand = ntsdPath; ntsdPath = NULL; break; case 106: debuggerCommand = registryDebuggerPath; registryDebuggerPath = NULL; break; //case 107: // debuggerCommand = vs2026Path; // vs2026Path = NULL; // break; //case 108: // debuggerCommand = vs2022Path; // vs2022Path = NULL; // break; } } PhClearReference(&windbgPath); PhClearReference(&windbgPreviewPath); //PhClearReference(&vs2026Path); //PhClearReference(&vs2022Path); PhClearReference(&cdbPath); PhClearReference(&kdPath); PhClearReference(&ntsdPath); PhClearReference(®istryButtonText); } PhClearReference(®istryDebuggerName); PhClearReference(®istryDebuggerPath); if (!debuggerCommand || debuggerChoice == 0) { // User cancelled return FALSE; } PhInitializeStringBuilder(&commandLineBuilder, debuggerCommand->Length + 30); PhAppendCharStringBuilder(&commandLineBuilder, L'"'); PhAppendStringBuilder(&commandLineBuilder, &debuggerCommand->sr); PhAppendCharStringBuilder(&commandLineBuilder, L'"'); switch (debuggerChoice) { case 101: case 102: case 103: case 104: case 105: case 106: PhAppendFormatStringBuilder(&commandLineBuilder, L" -p %lu", HandleToUlong(Process->ProcessId)); break; case 107: case 108: PhAppendFormatStringBuilder(&commandLineBuilder, L" /JITDebug /JITDebugParam %lx", HandleToUlong(Process->ProcessId)); break; } commandLine = PhFinalStringBuilderString(&commandLineBuilder); status = PhCreateProcessWin32( NULL, PhGetString(commandLine), NULL, NULL, 0, NULL, NULL, NULL ); PhDeleteStringBuilder(&commandLineBuilder); PhDereferenceObject(debuggerCommand); if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"debug", Process, status, 0); return FALSE; } return TRUE; } /** * Reduce the working set of a list of processes. * * \param WindowHandle Parent window used for error reporting. * \param Processes Array of process items to operate on. * \param NumberOfProcesses Number of processes in the array. * \return BOOLEAN TRUE if the operation succeeded for all processes, FALSE if one or more failed. */ BOOLEAN PhUiReduceWorkingSetProcesses( _In_ HWND WindowHandle, _In_ CONST PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { BOOLEAN success = TRUE; ULONG i; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_QUOTA, Processes[i]->ProcessId ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, // HACK for KphProcessEmptyWorkingSet (dmex) Processes[i]->ProcessId ); } if (NT_SUCCESS(status)) { status = PhSetProcessEmptyWorkingSet(processHandle); NtClose(processHandle); } if (!NT_SUCCESS(status)) { success = FALSE; if (!PhpShowErrorProcess(WindowHandle, L"reduce the working set of", Processes[i], status, 0)) break; } } return success; } /** * Empty the working set of a list of processes. * * \param WindowHandle Parent window used for error reporting. * \param Processes Array of process items to operate on. * \param NumberOfProcesses Number of processes in the array. * \return BOOLEAN TRUE if the operation succeeded for all processes, FALSE if one or more failed. */ BOOLEAN PhUiSetEmptyWorkingSetProcesses( _In_ HWND WindowHandle, _In_ CONST PPH_PROCESS_ITEM* Processes, _In_ ULONG NumberOfProcesses ) { BOOLEAN success = TRUE; ULONG i; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_VM_OPERATION, Processes[i]->ProcessId ); if (NT_SUCCESS(status)) { status = PhSetProcessWorkingSetEmpty(processHandle); NtClose(processHandle); } if (!NT_SUCCESS(status)) { success = FALSE; if (!PhpShowErrorProcess(WindowHandle, L"empty the working set of", Processes[i], status, 0)) break; } } return success; } /** * Configure activity moderation (Eco/foreground throttling) for a process. * * \param WindowHandle Parent window for dialogs. * \param Process The process item to configure. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiSetActivityModeration( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { static CONST TASKDIALOG_BUTTON TaskDialogRadioButtonArray[] = { { SystemActivityModerationStateSystemManaged, L"System managed" }, { SystemActivityModerationStateUserManagedAllowThrottling, L"Allow activity moderation throttling" }, { SystemActivityModerationStateUserManagedDisableThrottling, L"Disable activity moderation throttling" }, }; static CONST TASKDIALOG_BUTTON TaskDialogButtonArray[] = { { IDYES, L"Save" }, { IDCANCEL, L"Cancel" }, }; NTSTATUS status; SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS activityModerationInfo = { 0 }; TASKDIALOGCONFIG config; ULONG buttonId; ULONG moderationState; LARGE_INTEGER startTime; LARGE_INTEGER currentTime; SYSTEMTIME startTimeFields; PPH_STRING startTimeRelativeString = NULL; PPH_STRING startTimeString = NULL; memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED | TDF_POSITION_RELATIVE_TO_WINDOW; config.hMainIcon = PhGetApplicationIcon(FALSE); config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Select the process activity moderation throttling state."; config.nDefaultButton = IDCANCEL; config.pRadioButtons = TaskDialogRadioButtonArray; config.cRadioButtons = RTL_NUMBER_OF(TaskDialogRadioButtonArray); config.pButtons = TaskDialogButtonArray; config.cButtons = RTL_NUMBER_OF(TaskDialogButtonArray); config.hwndParent = WindowHandle; config.cxWidth = 220; if (PhIsNullOrEmptyString(Process->FileName)) return TRUE; status = PhGetProcessActivityModerationState( &Process->FileName->sr, &activityModerationInfo ); if (NT_SUCCESS(status)) { config.nDefaultRadioButton = activityModerationInfo.ModerationState; PhQuerySystemTime(¤tTime); if (activityModerationInfo.LastUpdatedTime.QuadPart < currentTime.QuadPart) { startTime = activityModerationInfo.LastUpdatedTime; startTimeRelativeString = PH_AUTO(PhFormatTimeSpanRelative(currentTime.QuadPart - startTime.QuadPart)); PhLargeIntegerToLocalSystemTime(&startTimeFields, &startTime); startTimeString = PhaFormatDateTime(&startTimeFields); } } else { config.nDefaultRadioButton = SystemActivityModerationStateSystemManaged; } config.pszContent = PhaFormatString( L"System-managed activity moderation settings are automatically removed by Windows when the executable is deleted or was last executed more than 7 days ago.\r\n\r\n" L"Image: %s\r\nUpdated: %s", PH_AUTO_T(PH_STRING, PhGetBaseName(Process->FileName))->Buffer, (startTimeRelativeString && startTimeString) ? PhaFormatString(L"%s ago (%s)", PhGetString(startTimeRelativeString), PhGetString(startTimeString))->Buffer : L"N/A" )->Buffer; if (PhShowTaskDialog( &config, &buttonId, &moderationState, NULL ) && buttonId == IDYES) { if (Process->IsPackagedProcess) { status = PhSetProcessActivityModerationState( &Process->FileName->sr, SystemActivityModerationAppTypePackaged, moderationState ); } else { status = PhSetProcessActivityModerationState( &Process->FileName->sr, SystemActivityModerationAppTypeClassic, moderationState ); } } else { status = STATUS_SUCCESS; } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"set background activity moderation for", Process, status, 0); return FALSE; } return TRUE; } /** * Enable or disable token virtualization for the specified process. * * \param WindowHandle Parent window used for confirmation and error UI. * \param Process The process item to operate on. * \param Enable TRUE to enable virtualization, FALSE to disable. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiSetVirtualizationProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ BOOLEAN Enable ) { NTSTATUS status; BOOLEAN cont = FALSE; HANDLE processHandle; HANDLE tokenHandle; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { cont = PhShowConfirmMessage( WindowHandle, L"set", L"virtualization for the process", L"Enabling or disabling virtualization for a process may " L"alter its functionality and produce undesirable effects.", FALSE ); } else { cont = TRUE; } if (!cont) return FALSE; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Process->ProcessId ))) { if (NT_SUCCESS(status = PhOpenProcessToken( processHandle, TOKEN_WRITE, &tokenHandle ))) { status = PhSetTokenIsVirtualizationEnabled(tokenHandle, Enable); NtClose(tokenHandle); } NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"set virtualization for", Process, status, 0); return FALSE; } return TRUE; } /** * Toggle break-on-termination (critical process) for a process. * * \param WindowHandle Parent window used for confirmation and error UI. * \param Process The process item to operate on. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiSetCriticalProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; HANDLE processHandle; BOOLEAN breakOnTermination; status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION, Process->ProcessId ); if (NT_SUCCESS(status)) { status = PhGetProcessBreakOnTermination( processHandle, &breakOnTermination ); if (NT_SUCCESS(status)) { if (!breakOnTermination && (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"enable", L"critical status on the process", L"If the process ends, the operating system will shut down immediately.", TRUE ))) { status = PhSetProcessBreakOnTermination(processHandle, TRUE); } else if (breakOnTermination && (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"disable", L"critical status on the process", NULL, FALSE ))) { status = PhSetProcessBreakOnTermination(processHandle, FALSE); } } NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"set critical status for", Process, status, 0); return FALSE; } return TRUE; } /** * Enable or disable Eco mode for a process (power throttling). * * \param WindowHandle Parent window used for confirmation and error UI. * \param Process The process item to operate on. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiSetEcoModeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; HANDLE processHandle; POWER_THROTTLING_PROCESS_STATE powerThrottlingState; status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_INFORMATION, Process->ProcessId ); if (NT_SUCCESS(status)) { status = PhGetProcessPowerThrottlingState( processHandle, &powerThrottlingState ); if (NT_SUCCESS(status)) { if (!( FlagOn(powerThrottlingState.ControlMask, POWER_THROTTLING_PROCESS_EXECUTION_SPEED) && FlagOn(powerThrottlingState.StateMask, POWER_THROTTLING_PROCESS_EXECUTION_SPEED) )) { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( WindowHandle, L"enable", L"Eco mode for this process", L"Eco mode will lower process priority and improve power efficiency but may cause instability in some processes.", FALSE )) { // Taskmgr sets the process priority to idle before enabling 'Eco mode'. (dmex) PhSetProcessPriorityClass(processHandle, PROCESS_PRIORITY_CLASS_IDLE); // // Turn PROCESS_EXECUTION_SPEED throttling on. // status = PhSetProcessPowerThrottlingState( processHandle, POWER_THROTTLING_PROCESS_EXECUTION_SPEED, POWER_THROTTLING_PROCESS_EXECUTION_SPEED ); } } else { //if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( // WindowHandle, // L"disable", // L"Eco mode for this process", // L"Eco mode will lower process priority and improve power efficiency but may cause instability in some processes.", // FALSE // )) { // Taskmgr does not properly restore the original priority after it has exited // and you later decide to disable 'Eco mode', so we'll restore normal priority // which isn't quite correct but still way better than what taskmgr does. (dmex) PhSetProcessPriorityClass(processHandle, PROCESS_PRIORITY_CLASS_NORMAL); // // Let system manage all power throttling. // status = PhSetProcessPowerThrottlingState(processHandle, 0, 0); } } } NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"set Eco mode for", Process, status, 0); return FALSE; } return TRUE; } /** * Toggle the "execution required" state for a process (prevent PLM suspension/termination). * * \param WindowHandle Parent window used for confirmation and error UI. * \param Process The process item to operate on. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiSetExecutionRequiredProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { if (!PhShowConfirmMessage( WindowHandle, L"change the execution required state", PhaConcatStrings2(L"of ", Process->ProcessName->Buffer)->Buffer, L"The process continues to run instead of being suspended or terminated by process lifetime management (PLM).", FALSE )) { return FALSE; } } if (PhIsProcessExecutionRequired(Process->ProcessId)) { status = PhProcessExecutionRequiredDisable(Process->ProcessId); } else { status = PhProcessExecutionRequiredEnable(Process->ProcessId); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"create execution required state for", Process, status, 0); return FALSE; } return TRUE; } /** * Detach the debugger from a process. * * \param WindowHandle Parent window used for confirmation and error UI. * \param Process The process item to operate on. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiDetachFromDebuggerProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { NTSTATUS status; HANDLE processHandle; HANDLE debugObjectHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_SUSPEND_RESUME, Process->ProcessId ))) { if (NT_SUCCESS(status = PhGetProcessDebugObject( processHandle, &debugObjectHandle ))) { // Disable kill-on-close. if (NT_SUCCESS(status = PhSetDebugKillProcessOnExit( debugObjectHandle, FALSE ))) { status = NtRemoveProcessDebug(processHandle, debugObjectHandle); } NtClose(debugObjectHandle); } NtClose(processHandle); } if (status == STATUS_PORT_NOT_SET) { PhShowInformation2(WindowHandle, L"Unable to detach the debugger.", L"%s", L"The process is not being debugged."); return FALSE; } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"detach debugger from", Process, status, 0); return FALSE; } return TRUE; } /** * Load a DLL into the target process. * * \param WindowHandle Parent window for dialogs. * \param Process The process item to load the DLL into. * \return BOOLEAN TRUE on success, FALSE on failure or cancel. */ BOOLEAN PhUiLoadDllProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ) { static PH_FILETYPE_FILTER filters[] = { { L"DLL files (*.dll)", L"*.dll" }, { L"All files (*.*)", L"*.*" } }; NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE processHandle = NULL; PVOID fileDialog; PPH_STRING fileName; fileDialog = PhCreateOpenFileDialog(); PhSetFileDialogOptions(fileDialog, PH_FILEDIALOG_DONTADDTORECENT); PhSetFileDialogFilter(fileDialog, filters, RTL_NUMBER_OF(filters)); if (!PhShowFileDialog(WindowHandle, fileDialog)) { PhFreeFileDialog(fileDialog); return FALSE; } fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); PhFreeFileDialog(fileDialog); // Windows 8 requires ALL_ACCESS for PLM execution requests. (dmex) if (WindowsVersion >= WINDOWS_8 && WindowsVersion <= WINDOWS_8_1) { status = PhOpenProcess( &processHandle, PROCESS_ALL_ACCESS, Process->ProcessId ); } // Windows 10 and above require SET_LIMITED for PLM execution requests. (dmex) if (!NT_SUCCESS(status)) { status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | SYNCHRONIZE, Process->ProcessId ); } if (NT_SUCCESS(status)) { status = PhLoadDllProcess( processHandle, &fileName->sr, 5000 ); NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"load the DLL into", Process, status, 0); return FALSE; } return TRUE; } /** * Set I/O priority for a list of processes. * * \param WindowHandle Parent window used for error reporting. * \param Processes Array of process items to operate on. * \param NumberOfProcesses Number of processes in the array. * \param IoPriority The IO priority hint to set. * \return BOOLEAN TRUE if the operation succeeded for all processes, FALSE otherwise. */ BOOLEAN PhUiSetIoPriorityProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses, _In_ IO_PRIORITY_HINT IoPriority ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, Processes[i]->ProcessId ))) { if (Processes[i]->ProcessId != SYSTEM_PROCESS_ID) { status = PhSetProcessIoPriority(processHandle, IoPriority); } else { // See comment in PhUiSetPriorityClassProcesses. status = STATUS_UNSUCCESSFUL; } NtClose(processHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; // The operation may have failed due to the lack of SeIncreaseBasePriorityPrivilege. if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to set the I/O priority of ", Processes[i]->ProcessName->Buffer)->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlProcess(Processes[i]->ProcessId, PhSvcControlProcessIoPriority, IoPriority))) success = TRUE; else PhpShowErrorProcess(WindowHandle, L"set the I/O priority of", Processes[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorProcess(WindowHandle, L"set the I/O priority of", Processes[i], status, 0)) break; } } } return success; } /** * Set page priority for a process. * * \param WindowHandle Parent window used for error reporting. * \param Process The process item to operate on. * \param PagePriority Page priority value to set. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiSetPagePriorityProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ ULONG PagePriority ) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, Process->ProcessId ))) { if (Process->ProcessId != SYSTEM_PROCESS_ID) { status = PhSetProcessPagePriority(processHandle, PagePriority); } else { // See comment in PhUiSetPriorityClassProcesses. status = STATUS_UNSUCCESSFUL; } NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"set the page priority of", Process, status, 0); return FALSE; } return TRUE; } /** * Set the priority class for a list of processes. * * \param WindowHandle Parent window used for error reporting. * \param Processes Array of process items to operate on. * \param NumberOfProcesses Number of processes in the array. * \param PriorityClass Priority class value to set. * \return BOOLEAN TRUE if the operation succeeded for all processes, FALSE otherwise. */ BOOLEAN PhUiSetPriorityClassProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses, _In_ ULONG PriorityClass ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, Processes[i]->ProcessId ))) { if (Processes[i]->ProcessId != SYSTEM_PROCESS_ID) { status = PhSetProcessPriorityClass(processHandle, (UCHAR)PriorityClass); } else { // Changing the priority of System can lead to a BSOD on some versions of Windows, // so disallow this. status = STATUS_UNSUCCESSFUL; } NtClose(processHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; // The operation may have failed due to the lack of SeIncreaseBasePriorityPrivilege. if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to set the priority class of ", Processes[i]->ProcessName->Buffer)->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlProcess(Processes[i]->ProcessId, PhSvcControlProcessPriority, PriorityClass))) success = TRUE; else PhpShowErrorProcess(WindowHandle, L"set the priority class of", Processes[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorProcess(WindowHandle, L"set the priority class of", Processes[i], status, 0)) break; } } } return success; } /** * Set or clear priority boost for a list of processes. * * \param WindowHandle Parent window used for error reporting. * \param Processes Array of process items to operate on. * \param NumberOfProcesses Number of processes in the array. * \param PriorityBoost TRUE to enable boost, FALSE to disable. * \return BOOLEAN TRUE if the operation succeeded for all processes, FALSE otherwise. */ BOOLEAN PhUiSetBoostPriorityProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM* Processes, _In_ ULONG NumberOfProcesses, _In_ BOOLEAN PriorityBoost ) { BOOLEAN success = TRUE; ULONG i; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, Processes[i]->ProcessId ))) { status = PhSetProcessPriorityBoost(processHandle, PriorityBoost); NtClose(processHandle); if (!NT_SUCCESS(status)) { success = FALSE; if (!PhpShowErrorProcess(WindowHandle, L"change boost priority of", Processes[i], status, 0)) break; } } } return success; } /** * Set or clear priority boost for a single process. * * \param WindowHandle Parent window used for error reporting. * \param Process The process item to operate on. * \param PriorityBoost TRUE to enable boost, FALSE to disable. * \return BOOLEAN TRUE on success, FALSE on failure. */ BOOLEAN PhUiSetBoostPriorityProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ BOOLEAN PriorityBoost ) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, Process->ProcessId ))) { status = PhSetProcessPriorityBoost(processHandle, PriorityBoost); NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorProcess(WindowHandle, L"set the boost priority of", Process, status, 0); return FALSE; } return TRUE; } #pragma region Service Progress Dialog typedef struct _PH_UI_SERVICE_PROGRESS_DIALOG { HWND WindowHandle; HWND ParentWindowHandle; PCWSTR Verb; PCWSTR Message; PPH_STRING StatusMessage; PPH_STRING StatusContent; PPH_LIST ServiceItemList; volatile LONG RequireElevation; struct { BOOLEAN Flags; union { BOOLEAN Warning : 1; BOOLEAN Spare : 7; }; }; WNDPROC OldWndProc; PUSER_THREAD_START_ROUTINE ActionCallback; PHSVC_API_CONTROLSERVICE_COMMAND ActionCommand; } PH_UI_SERVICE_PROGRESS_DIALOG, *PPH_UI_SERVICE_PROGRESS_DIALOG; typedef struct _PH_UI_SERVICE_ITEM { NTSTATUS Status; PPH_SERVICE_ITEM Service; } PH_UI_SERVICE_ITEM, *PPH_UI_SERVICE_ITEM; #define WM_PHSVC_ERROR (WM_APP + 1) #define WM_PHSVC_EXIT (WM_APP + 2) VOID PhShowServiceProgressDialogStatusPage( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context ); #pragma endregion VOID PhpShowServiceProgressInitializeText( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context, _Out_ PPH_STRING* Verb, _Out_ PPH_STRING* VerbCaps, _Out_ PPH_STRING* Action, _Out_ PCWSTR* Object ) { if (Context->ServiceItemList->Count == 1) *Object = L"the selected service"; else *Object = L"the selected services"; // Make sure the verb is all lowercase. *Verb = PhaLowerString(PhaCreateString(Context->Verb)); // "terminate" -> "Terminate" *VerbCaps = PhaDuplicateString(*Verb); if (!PhIsNullOrEmptyString(*VerbCaps)) (*VerbCaps)->Buffer[0] = PhUpcaseUnicodeChar((*VerbCaps)->Buffer[0]); // "terminate", "the process" -> "terminate the process" *Action = PhaConcatStrings(3, (*Verb)->Buffer, L" ", *Object); } HRESULT CALLBACK PhpUiServiceErrorDialogCallbackProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR Context ) { PPH_UI_SERVICE_PROGRESS_DIALOG context = (PPH_UI_SERVICE_PROGRESS_DIALOG)Context; switch (WindowMessage) { case TDN_NAVIGATED: { if (InterlockedCompareExchange(&context->RequireElevation, FALSE, FALSE)) { SendMessage(WindowHandle, TDM_SET_BUTTON_ELEVATION_REQUIRED_STATE, IDYES, TRUE); } } break; case TDN_BUTTON_CLICKED: { ULONG buttonId = (ULONG)wParam; if (buttonId == IDYES) { PhShowServiceProgressDialogStatusPage(context); return S_FALSE; } } break; } return S_OK; } VOID PhUiNavigateServiceErrorDialogPage( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context, _In_ PPH_STRING MainInstruction, _In_opt_ PPH_STRING MainContent ) { static CONST TASKDIALOG_BUTTON buttons[1] = { { IDNO, L"Close" } }; static CONST TASKDIALOG_BUTTON buttonsElevation[2] = { { IDYES, L"Continue" }, { IDNO, L"Cancel" }, }; TASKDIALOGCONFIG config; memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = TD_ERROR_ICON; config.lpCallbackData = (LONG_PTR)Context; config.pfCallback = PhpUiServiceErrorDialogCallbackProc; config.pszMainInstruction = PhGetString(MainInstruction); if (MainContent) config.pszContent = PhGetString(MainContent); config.cxWidth = 200; if (InterlockedCompareExchange(&Context->RequireElevation, FALSE, FALSE)) { config.cButtons = RTL_NUMBER_OF(buttonsElevation); config.pButtons = buttonsElevation; config.nDefaultButton = IDYES; } else { config.cButtons = RTL_NUMBER_OF(buttons); config.pButtons = buttons; config.nDefaultButton = IDNO; } PhTaskDialogNavigatePage(Context->WindowHandle, &config); } VOID PhUiNavigateServiceCompleteDialogPage( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context ) { PostMessage(Context->WindowHandle, WM_PHSVC_EXIT, 0, 0); } VOID PhUiNavigateServiceErrorDialogPageFromThread( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context ) { PostMessage(Context->WindowHandle, WM_PHSVC_ERROR, 0, 0); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpUiServicePendingStartCallback( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context ) { PPH_LIST serviceErrorList = PhCreateList(1); if (InterlockedCompareExchange(&Context->RequireElevation, FALSE, FALSE)) { NTSTATUS status; BOOLEAN connected; if (PhpElevationLevelAndConnectToPhSvc(Context->WindowHandle, &connected) && connected) { for (ULONG i = 0; i < Context->ServiceItemList->Count; i++) { PPH_SERVICE_ITEM serviceItem = Context->ServiceItemList->Items[i]; status = PhSvcCallControlService( PhGetString(serviceItem->Name), Context->ActionCommand ); if (NT_SUCCESS(status)) { ULONG index; index = PhFindItemList(Context->ServiceItemList, serviceItem); if (index != ULONG_MAX) { PhRemoveItemList(Context->ServiceItemList, index); PhDereferenceObject(serviceItem); } } else { PhAddItemList(serviceErrorList, LongToPtr(status)); } } PhUiDisconnectFromPhSvc(); } else { PhUiNavigateServiceCompleteDialogPage(Context); goto CleanupExit; } } else { for (ULONG i = 0; i < Context->ServiceItemList->Count; i++) { PPH_SERVICE_ITEM serviceItem = Context->ServiceItemList->Items[i]; NTSTATUS status; status = Context->ActionCallback(serviceItem); if (NT_SUCCESS(status)) { ULONG index; index = PhFindItemList(Context->ServiceItemList, serviceItem); if (index != ULONG_MAX) { PhRemoveItemList(Context->ServiceItemList, index); PhDereferenceObject(serviceItem); } } else { PhAddItemList(serviceErrorList, LongToPtr(status)); } } } InterlockedExchange(&Context->RequireElevation, FALSE); if (serviceErrorList->Count && !PhGetOwnTokenAttributes().Elevated) { for (ULONG i = 0; i < serviceErrorList->Count; i++) { NTSTATUS status = PtrToLong(serviceErrorList->Items[i]); if (status == STATUS_ACCESS_DENIED || status == STATUS_PRIVILEGE_NOT_HELD) { InterlockedExchange(&Context->RequireElevation, TRUE); break; } } } if (Context->ServiceItemList->Count) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 0x50); for (ULONG i = 0; i < Context->ServiceItemList->Count; i++) { PPH_STRING serviceName = NULL; PPH_STRING statusMessage = NULL; if (!PhIsNullOrEmptyString(((PPH_SERVICE_ITEM)Context->ServiceItemList->Items[i])->Name)) { serviceName = ((PPH_SERVICE_ITEM)Context->ServiceItemList->Items[i])->Name; } if (i < serviceErrorList->Count) { statusMessage = PhGetStatusMessage(PtrToLong(serviceErrorList->Items[i]), 0); } if (!PhIsNullOrEmptyString(serviceName)) PhAppendStringBuilder(&stringBuilder, &serviceName->sr); PhAppendStringBuilder2(&stringBuilder, L": "); PhAppendFormatStringBuilder(&stringBuilder, L"(0x%lx) ", PtrToLong(serviceErrorList->Items[i])); if (!PhIsNullOrEmptyString(statusMessage)) { PhAppendStringBuilder(&stringBuilder, &statusMessage->sr); PhClearReference(&statusMessage); } PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } if (stringBuilder.String->Length != 0) { PhRemoveEndStringBuilder(&stringBuilder, 2); } if (InterlockedCompareExchange(&Context->RequireElevation, FALSE, FALSE)) { PhAppendStringBuilder2(&stringBuilder, L"\r\n\r\n"); PhAppendStringBuilder2(&stringBuilder, L"You will need to provide administrator permission. " L"Click Continue to complete this operation."); } { PPH_STRING message; PPH_STRING content; message = PhFormatString(L"Unable to %s services:", Context->Verb); content = PhFinalStringBuilderString(&stringBuilder); InterlockedExchangePointer(&Context->StatusMessage, message); InterlockedExchangePointer(&Context->StatusContent, content); PhUiNavigateServiceErrorDialogPageFromThread(Context); } } else { PhUiNavigateServiceCompleteDialogPage(Context); } CleanupExit: PhClearReference(&serviceErrorList); PhDereferenceObject(Context); return STATUS_SUCCESS; } HRESULT CALLBACK PhpUiServiceProgressDialogCallbackProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR Context ) { PPH_UI_SERVICE_PROGRESS_DIALOG context = (PPH_UI_SERVICE_PROGRESS_DIALOG)Context; switch (WindowMessage) { case TDN_NAVIGATED: { SendMessage(WindowHandle, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(WindowHandle, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); PhReferenceObject(context); PhCreateThread2(PhpUiServicePendingStartCallback, context); } break; case TDN_BUTTON_CLICKED: { ULONG buttonId = (ULONG)wParam; if (buttonId != IDCANCEL) { return S_FALSE; } } break; } return S_OK; } VOID PhShowServiceProgressDialogStatusPage( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context ) { TASKDIALOGCONFIG config; PPH_STRING verb; PPH_STRING verbCaps; PPH_STRING action; PCWSTR object; PhpShowServiceProgressInitializeText(Context, &verb, &verbCaps, &action, &object); memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | TDF_SHOW_MARQUEE_PROGRESS_BAR | TDF_CAN_BE_MINIMIZED; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = TD_INFORMATION_ICON; config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.lpCallbackData = (LONG_PTR)Context; config.pfCallback = PhpUiServiceProgressDialogCallbackProc; config.pszMainInstruction = PhaConcatStrings(5, L"Attempting to ", PhGetString(verb), L" ", object, L"...")->Buffer; config.cxWidth = 200; PhTaskDialogNavigatePage(Context->WindowHandle, &config); } HRESULT CALLBACK PhpUiServiceConfirmDialogCallbackProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR Context ) { PPH_UI_SERVICE_PROGRESS_DIALOG context = (PPH_UI_SERVICE_PROGRESS_DIALOG)Context; switch (WindowMessage) { case TDN_BUTTON_CLICKED: { ULONG buttonId = (ULONG)wParam; if (buttonId == IDYES) { PhShowServiceProgressDialogStatusPage(context); return S_FALSE; } } break; } return S_OK; } VOID PhShowServiceProgressDialogConfirmMessage( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context ) { TASKDIALOGCONFIG config; TASKDIALOG_BUTTON buttons[2]; PPH_STRING verb; PPH_STRING verbCaps; PPH_STRING action; PCWSTR object; PhpShowServiceProgressInitializeText(Context, &verb, &verbCaps, &action, &object); memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED; config.pszWindowTitle = PhApplicationName; config.lpCallbackData = (LONG_PTR)Context; config.pfCallback = PhpUiServiceConfirmDialogCallbackProc; config.pszMainIcon = Context->Warning ? TD_WARNING_ICON : TD_INFORMATION_ICON; config.pszMainInstruction = PhaConcatStrings(3, L"Do you want to ", action->Buffer, L"?")->Buffer; if (Context->Message) config.pszContent = PhaConcatStrings2(Context->Message, L" Are you sure you want to continue?")->Buffer; buttons[0].nButtonID = IDYES; buttons[0].pszButtonText = verbCaps->Buffer; buttons[1].nButtonID = IDNO; buttons[1].pszButtonText = L"Cancel"; config.cButtons = 2; config.pButtons = buttons; config.nDefaultButton = IDYES; config.cxWidth = 200; PhTaskDialogNavigatePage(Context->WindowHandle, &config); } static LRESULT CALLBACK PhpUiServiceProgressDialogWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_UI_SERVICE_PROGRESS_DIALOG context; WNDPROC oldWndProc; context = PhGetWindowContext(WindowHandle, MAXCHAR); if (!context) goto DefaultWndProc; oldWndProc = context->OldWndProc; switch (WindowMessage) { case WM_DESTROY: { PhSetWindowProcedure(WindowHandle, oldWndProc); PhRemoveWindowContext(WindowHandle, MAXCHAR); } break; case WM_DPICHANGED: { PhSetApplicationWindowIconEx(WindowHandle, HIWORD(wParam)); } break; case WM_PHSVC_ERROR: { PPH_STRING message; PPH_STRING content; message = InterlockedExchangePointer(&context->StatusMessage, NULL); content = InterlockedExchangePointer(&context->StatusContent, NULL); PhUiNavigateServiceErrorDialogPage( context, message, content ); PhClearReference(&message); PhClearReference(&content); } goto DefaultWndProc; case WM_PHSVC_EXIT: { CallWindowProc(oldWndProc, WindowHandle, TDM_CLICK_BUTTON, IDCANCEL, 0); } goto DefaultWndProc; } return CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); DefaultWndProc: return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } HRESULT CALLBACK PhpUiServiceInitializeDialogCallbackProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR Context ) { PPH_UI_SERVICE_PROGRESS_DIALOG context = (PPH_UI_SERVICE_PROGRESS_DIALOG)Context; switch (WindowMessage) { case TDN_DIALOG_CONSTRUCTED: { context->WindowHandle = WindowHandle; PhSetApplicationWindowIconEx(WindowHandle, PhGetWindowDpi(WindowHandle)); PhCenterWindow(WindowHandle, context->ParentWindowHandle); PhRegisterWindowCallback(WindowHandle, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); context->OldWndProc = PhGetWindowProcedure(WindowHandle); PhSetWindowContext(WindowHandle, MAXCHAR, context); PhSetWindowProcedure(WindowHandle, PhpUiServiceProgressDialogWndProc); if ( PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) && context->ActionCommand != PhSvcControlServiceStart ) { PhShowServiceProgressDialogConfirmMessage(context); } else { PhShowServiceProgressDialogStatusPage(context); } PhInitializeWindowTheme(WindowHandle, !!PhGetIntegerSetting(SETTING_ENABLE_THEME_SUPPORT)); } break; } return S_OK; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhShowServiceProgressDialogThread( _In_ PPH_UI_SERVICE_PROGRESS_DIALOG Context ) { PH_AUTO_POOL autoPool; TASKDIALOGCONFIG config; PhInitializeAutoPool(&autoPool); memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED; config.pfCallback = PhpUiServiceInitializeDialogCallbackProc; config.lpCallbackData = (LONG_PTR)Context; config.pszContent = L"Initializing..."; config.cxWidth = 200; PhShowTaskDialog(&config, NULL, NULL, NULL); PhDeleteAutoPool(&autoPool); PhDereferenceObject(Context); return STATUS_SUCCESS; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) static VOID PhServiceProgressContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_UI_SERVICE_PROGRESS_DIALOG context = Object; PhDereferenceObjects(context->ServiceItemList->Items, context->ServiceItemList->Count); PhDereferenceObject(context->ServiceItemList); } PPH_UI_SERVICE_PROGRESS_DIALOG PhCreateServiceProgressContext( VOID ) { static PPH_OBJECT_TYPE PhServiceProgressObjectType = NULL; static PH_INITONCE PhServiceProgressTypeInitOnce = PH_INITONCE_INIT; PPH_UI_SERVICE_PROGRESS_DIALOG context; if (PhBeginInitOnce(&PhServiceProgressTypeInitOnce)) { PhServiceProgressObjectType = PhCreateObjectType(L"ServiceProgressObjectType", 0, PhServiceProgressContextDeleteProcedure); PhEndInitOnce(&PhServiceProgressTypeInitOnce); } context = PhCreateObject(sizeof(PH_UI_SERVICE_PROGRESS_DIALOG), PhServiceProgressObjectType); memset(context, 0, sizeof(PH_UI_SERVICE_PROGRESS_DIALOG)); return context; } VOID PhShowServiceProgressDialog( _In_ HWND WindowHandle, _In_ PCWSTR Verb, _In_ PCWSTR Message, _In_ BOOLEAN Warning, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices, _In_ PUSER_THREAD_START_ROUTINE ActionCallback, _In_ PHSVC_API_CONTROLSERVICE_COMMAND ActionCommand ) { PPH_UI_SERVICE_PROGRESS_DIALOG context; if (NumberOfServices == 0) return; PhReferenceObjects(Services, NumberOfServices); context = PhCreateServiceProgressContext(); context->ParentWindowHandle = WindowHandle; context->Verb = Verb; context->Message = Message; context->Warning = Warning; context->ActionCallback = ActionCallback; context->ActionCommand = ActionCommand; context->ServiceItemList = PhCreateList(NumberOfServices); PhAddItemsList(context->ServiceItemList, Services, NumberOfServices); PhCreateThread2(PhShowServiceProgressDialogThread, context); } static BOOLEAN PhpShowContinueMessageServices( _In_ HWND WindowHandle, _In_ PCWSTR Verb, _In_ PCWSTR Message, _In_ BOOLEAN Warning, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ) { if (NumberOfServices == 0) return FALSE; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { PCWSTR object; if (NumberOfServices == 1) { object = L"the selected service"; } else { object = L"the selected services"; } return PhShowConfirmMessage( WindowHandle, Verb, object, Message, Warning ); } else { return TRUE; } } static BOOLEAN PhpShowErrorService( _In_ HWND WindowHandle, _In_ PWSTR Verb, _In_ PPH_SERVICE_ITEM Service, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { return PhShowContinueStatus( WindowHandle, PhaFormatString( L"Unable to %s %s.", Verb, Service->Name->Buffer )->Buffer, Status, Win32Result ); } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhUiServiceStartCallback( _In_ PPH_SERVICE_ITEM ServiceItem ) { NTSTATUS status; SC_HANDLE serviceHandle; status = PhOpenService( &serviceHandle, SERVICE_START, PhGetString(ServiceItem->Name) ); if (NT_SUCCESS(status)) { status = PhStartService(serviceHandle, 0, NULL); PhCloseServiceHandle(serviceHandle); } return status; } BOOLEAN PhUiStartServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (PhGetIntegerSetting(SETTING_ENABLE_SERVICE_PROGRESS_DIALOG)) { PhShowServiceProgressDialog( WindowHandle, L"start", L"Starting a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices, PhUiServiceStartCallback, PhSvcControlServiceStart ); return FALSE; } if (!PhpShowContinueMessageServices( WindowHandle, L"start", L"Starting a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices )) return FALSE; for (i = 0; i < NumberOfServices; i++) { NTSTATUS status; SC_HANDLE serviceHandle; success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_START, PhGetString(Services[i]->Name)); if (NT_SUCCESS(status)) { status = PhStartService(serviceHandle, 0, NULL); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to start ", PhGetString(Services[i]->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Services[i]->Name), PhSvcControlServiceStart))) success = TRUE; else PhpShowErrorService(WindowHandle, L"start", Services[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorService(WindowHandle, L"start", Services[i], status, 0)) break; } } } return success; //BOOLEAN result = TRUE; //ULONG i; // //for (i = 0; i < NumberOfServices; i++) //{ // SC_HANDLE serviceHandle; // BOOLEAN success = FALSE; // // serviceHandle = PhOpenService(PhGetString(Services[i]->Name), SERVICE_START); // // if (serviceHandle) // { // if (StartService(serviceHandle, 0, NULL)) // success = TRUE; // // PhCloseServiceHandle(serviceHandle); // } // // if (!success) // { // NTSTATUS status; // // status = PhGetLastWin32ErrorAsNtStatus(); // result = FALSE; // // PhpShowErrorService(WindowHandle, L"start", Services[i], status, 0); // } //} // //return result; } BOOLEAN PhUiStartService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ) { SC_HANDLE serviceHandle; NTSTATUS status; BOOLEAN success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_START, PhGetString(Service->Name)); if (NT_SUCCESS(status)) { status = PhStartService(serviceHandle, 0, NULL); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; BOOLEAN cancelled; if (PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to start ", PhGetString(Service->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Service->Name), PhSvcControlServiceStart))) success = TRUE; else PhpShowErrorService(WindowHandle, L"start", Service, status, 0); PhUiDisconnectFromPhSvc(); } } else { if (!cancelled) { PhpShowErrorService(WindowHandle, L"start", Service, status, 0); } } } return success; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhUiServiceContinueCallback( _In_ PPH_SERVICE_ITEM ServiceItem ) { NTSTATUS status; SC_HANDLE serviceHandle; status = PhOpenService( &serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(ServiceItem->Name) ); if (NT_SUCCESS(status)) { status = PhContinueService(serviceHandle); PhCloseServiceHandle(serviceHandle); } return status; } BOOLEAN PhUiContinueServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (PhGetIntegerSetting(SETTING_ENABLE_SERVICE_PROGRESS_DIALOG)) { PhShowServiceProgressDialog( WindowHandle, L"continue", L"Continuing a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices, PhUiServiceContinueCallback, PhSvcControlServiceContinue ); return FALSE; } if (!PhpShowContinueMessageServices( WindowHandle, L"continue", L"Continuing a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices )) return FALSE; for (i = 0; i < NumberOfServices; i++) { NTSTATUS status; SC_HANDLE serviceHandle; success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(Services[i]->Name)); if (NT_SUCCESS(status)) { status = PhContinueService(serviceHandle); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to continue ", PhGetString(Services[i]->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Services[i]->Name), PhSvcControlServiceContinue))) success = TRUE; else PhpShowErrorService(WindowHandle, L"continue", Services[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorService(WindowHandle, L"continue", Services[i], status, 0)) break; } } } return success; //BOOLEAN result = TRUE; //ULONG i; // //for (i = 0; i < NumberOfServices; i++) //{ // SC_HANDLE serviceHandle; // BOOLEAN success = FALSE; // // serviceHandle = PhOpenService(PhGetString(Services[i]->Name), SERVICE_PAUSE_CONTINUE); // // if (serviceHandle) // { // SERVICE_STATUS serviceStatus; // // if (ControlService(serviceHandle, SERVICE_CONTROL_CONTINUE, &serviceStatus)) // success = TRUE; // // PhCloseServiceHandle(serviceHandle); // } // // if (!success) // { // NTSTATUS status; // // status = PhGetLastWin32ErrorAsNtStatus(); // result = FALSE; // // PhpShowErrorService(WindowHandle, L"continue", Services[i], status, 0); // } //} // //return result; } BOOLEAN PhUiContinueService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ) { SC_HANDLE serviceHandle; NTSTATUS status; BOOLEAN success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(Service->Name)); if (NT_SUCCESS(status)) { status = PhContinueService(serviceHandle); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; BOOLEAN cancelled; if (PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to continue ", PhGetString(Service->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Service->Name), PhSvcControlServiceContinue))) success = TRUE; else PhpShowErrorService(WindowHandle, L"continue", Service, status, 0); PhUiDisconnectFromPhSvc(); } } else { if (!cancelled) { PhpShowErrorService(WindowHandle, L"continue", Service, status, 0); } } } return success; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhUiServicePauseCallback( _In_ PPH_SERVICE_ITEM ServiceItem ) { NTSTATUS status; SC_HANDLE serviceHandle; status = PhOpenService( &serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(ServiceItem->Name) ); if (NT_SUCCESS(status)) { status = PhPauseService(serviceHandle); PhCloseServiceHandle(serviceHandle); } return status; } BOOLEAN PhUiPauseServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (PhGetIntegerSetting(SETTING_ENABLE_SERVICE_PROGRESS_DIALOG)) { PhShowServiceProgressDialog( WindowHandle, L"pause", L"Pausing a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices, PhUiServicePauseCallback, PhSvcControlServicePause ); return FALSE; } if (!PhpShowContinueMessageServices( WindowHandle, L"pause", L"Pausing a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices )) return FALSE; for (i = 0; i < NumberOfServices; i++) { NTSTATUS status; SC_HANDLE serviceHandle; success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(Services[i]->Name)); if (NT_SUCCESS(status)) { status = PhPauseService(serviceHandle); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to pause ", PhGetString(Services[i]->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Services[i]->Name), PhSvcControlServicePause))) success = TRUE; else PhpShowErrorService(WindowHandle, L"pause", Services[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorService(WindowHandle, L"pause", Services[i], status, 0)) break; } } } return success; //BOOLEAN result = TRUE; //ULONG i; // //for (i = 0; i < NumberOfServices; i++) //{ // SC_HANDLE serviceHandle; // BOOLEAN success = FALSE; // // serviceHandle = PhOpenService(PhGetString(Services[i]->Name), SERVICE_PAUSE_CONTINUE); // // if (serviceHandle) // { // SERVICE_STATUS serviceStatus; // // if (ControlService(serviceHandle, SERVICE_CONTROL_PAUSE, &serviceStatus)) // success = TRUE; // // PhCloseServiceHandle(serviceHandle); // } // // if (!success) // { // NTSTATUS status; // // status = PhGetLastWin32ErrorAsNtStatus(); // result = FALSE; // // PhpShowErrorService(WindowHandle, L"pause", Services[i], status, 0); // } //} // //return result; } BOOLEAN PhUiPauseService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ) { SC_HANDLE serviceHandle; NTSTATUS status; BOOLEAN success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(Service->Name)); if (NT_SUCCESS(status)) { status = PhPauseService(serviceHandle); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; BOOLEAN cancelled; if (PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to pause ", Service->Name->Buffer)->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Service->Name), PhSvcControlServicePause))) success = TRUE; else PhpShowErrorService(WindowHandle, L"pause", Service, status, 0); PhUiDisconnectFromPhSvc(); } } else { if (!cancelled) { PhpShowErrorService(WindowHandle, L"pause", Service, status, 0); } } } return success; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhUiServiceStopCallback( _In_ PPH_SERVICE_ITEM ServiceItem ) { NTSTATUS status; SC_HANDLE serviceHandle; status = PhOpenService( &serviceHandle, SERVICE_STOP, PhGetString(ServiceItem->Name) ); if (NT_SUCCESS(status)) { status = PhStopService(serviceHandle); PhCloseServiceHandle(serviceHandle); } return status; } BOOLEAN PhUiStopServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (PhGetIntegerSetting(SETTING_ENABLE_SERVICE_PROGRESS_DIALOG)) { PhShowServiceProgressDialog( WindowHandle, L"stop", L"Stopping a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices, PhUiServiceStopCallback, PhSvcControlServiceStop ); return FALSE; } if (!PhpShowContinueMessageServices( WindowHandle, L"stop", L"Stopping a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices )) return FALSE; for (i = 0; i < NumberOfServices; i++) { NTSTATUS status; SC_HANDLE serviceHandle; success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_STOP, PhGetString(Services[i]->Name)); if (NT_SUCCESS(status)) { status = PhStopService(serviceHandle); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to stop ", PhGetString(Services[i]->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Services[i]->Name), PhSvcControlServiceStop))) success = TRUE; else PhpShowErrorService(WindowHandle, L"stop", Services[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorService(WindowHandle, L"stop", Services[i], status, 0)) break; } } } return success; //BOOLEAN result = TRUE; //ULONG i; // //for (i = 0; i < NumberOfServices; i++) //{ // SC_HANDLE serviceHandle; // BOOLEAN success = FALSE; // // serviceHandle = PhOpenService(PhGetString(Services[i]->Name), SERVICE_STOP); // // if (serviceHandle) // { // SERVICE_STATUS serviceStatus; // // if (ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus)) // success = TRUE; // // PhCloseServiceHandle(serviceHandle); // } // // if (!success) // { // NTSTATUS status; // // status = PhGetLastWin32ErrorAsNtStatus(); // result = FALSE; // // PhpShowErrorService(WindowHandle, L"stop", Services[i], status, 0); // } //} // //return result; } BOOLEAN PhUiStopService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ) { SC_HANDLE serviceHandle; NTSTATUS status; BOOLEAN success = FALSE; status = PhOpenService(&serviceHandle, SERVICE_STOP, PhGetString(Service->Name)); if (NT_SUCCESS(status)) { status = PhStopService(serviceHandle); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; BOOLEAN cancelled; if (PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to stop ", PhGetString(Service->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Service->Name), PhSvcControlServiceStop))) success = TRUE; else PhpShowErrorService(WindowHandle, L"stop", Service, status, 0); PhUiDisconnectFromPhSvc(); } } else { PhpShowErrorService(WindowHandle, L"stop", Service, status, 0); } } return success; } BOOLEAN PhUiDeleteService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ) { SC_HANDLE serviceHandle; NTSTATUS status; BOOLEAN success = FALSE; // Warnings cannot be disabled for service deletion. if (!PhShowConfirmMessage( WindowHandle, L"delete", Service->Name->Buffer, L"Deleting a service can prevent the system from starting " L"or functioning properly.", TRUE )) return FALSE; status = PhOpenService(&serviceHandle, DELETE, PhGetString(Service->Name)); if (NT_SUCCESS(status)) { status = PhDeleteService(serviceHandle); if (NT_SUCCESS(status)) success = TRUE; PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; BOOLEAN cancelled; if (PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to delete ", PhGetString(Service->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Service->Name), PhSvcControlServiceDelete))) success = TRUE; else PhpShowErrorService(WindowHandle, L"delete", Service, status, 0); PhUiDisconnectFromPhSvc(); } } else { PhpShowErrorService(WindowHandle, L"delete", Service, status, 0); } } return success; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhUiServiceRestartCallback( _In_ PPH_SERVICE_ITEM ServiceItem ) { NTSTATUS status; SC_HANDLE serviceHandle; status = PhOpenService( &serviceHandle, SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP, PhGetString(ServiceItem->Name) ); if (NT_SUCCESS(status)) { status = PhStopService(serviceHandle); if (NT_SUCCESS(status)) { status = PhWaitForServiceStatus( serviceHandle, SERVICE_STOPPED, 60 * 1000 ); if (NT_SUCCESS(status)) { status = PhStartService(serviceHandle, 0, NULL); if (NT_SUCCESS(status)) { status = PhWaitForServiceStatus( serviceHandle, SERVICE_RUNNING, 60 * 1000 ); } } } PhCloseServiceHandle(serviceHandle); } return status; } BOOLEAN PhUiRestartServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (PhGetIntegerSetting(SETTING_ENABLE_SERVICE_PROGRESS_DIALOG)) { PhShowServiceProgressDialog( WindowHandle, L"restart", L"Restarting a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices, PhUiServiceRestartCallback, PhSvcControlServiceRestart ); return FALSE; } if (!PhpShowContinueMessageServices( WindowHandle, L"restart", L"Restarting a service might prevent the system from functioning properly.", FALSE, Services, NumberOfServices )) return FALSE; for (i = 0; i < NumberOfServices; i++) { NTSTATUS status; SC_HANDLE serviceHandle; success = FALSE; status = PhOpenService( &serviceHandle, SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP, PhGetString(Services[i]->Name) ); if (NT_SUCCESS(status)) { status = PhStopService(serviceHandle); if (NT_SUCCESS(status)) { status = PhWaitForServiceStatus( serviceHandle, SERVICE_STOPPED, 60 * 1000 ); if (NT_SUCCESS(status)) { status = PhStartService(serviceHandle, 0, NULL); if (NT_SUCCESS(status)) { status = PhWaitForServiceStatus( serviceHandle, SERVICE_RUNNING, 60 * 1000 ); if (NT_SUCCESS(status)) { success = TRUE; } } } } PhCloseServiceHandle(serviceHandle); } if (!success) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to restart ", PhGetString(Services[i]->Name))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlService(PhGetString(Services[i]->Name), PhSvcControlServiceRestart))) success = TRUE; else PhpShowErrorService(WindowHandle, L"restart", Services[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorService(WindowHandle, L"restart", Services[i], status, 0)) break; } } } return success; } BOOLEAN PhUiCloseConnections( _In_ HWND WindowHandle, _In_ PPH_NETWORK_ITEM *Connections, _In_ ULONG NumberOfConnections ) { static ULONG (WINAPI* SetTcpEntry_I)(_In_ PMIB_TCPROW pTcpRow) = NULL; BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG result; ULONG i; MIB_TCPROW tcpRow; if (!SetTcpEntry_I) { SetTcpEntry_I = PhGetDllProcedureAddressZ(L"iphlpapi.dll", "SetTcpEntry", 0); } if (!SetTcpEntry_I) { PhShowStatus(WindowHandle, L"Unable to close the TCP connection", STATUS_NOT_SUPPORTED, 0); return FALSE; } for (i = 0; i < NumberOfConnections; i++) { if (Connections[i]->State != MIB_TCP_STATE_ESTAB) continue; result = PhSetTcpEntry(Connections[i]); if (NT_SUCCESS(result)) continue; if (Connections[i]->ProtocolType != PH_NETWORK_PROTOCOL_TCP4) continue; tcpRow.dwState = MIB_TCP_STATE_DELETE_TCB; tcpRow.dwLocalAddr = Connections[i]->LocalEndpoint.Address.InAddr.s_addr; tcpRow.dwLocalPort = _byteswap_ushort((USHORT)Connections[i]->LocalEndpoint.Port); tcpRow.dwRemoteAddr = Connections[i]->RemoteEndpoint.Address.InAddr.s_addr; tcpRow.dwRemotePort = _byteswap_ushort((USHORT)Connections[i]->RemoteEndpoint.Port); if ((result = SetTcpEntry_I(&tcpRow)) != NO_ERROR) { NTSTATUS status; BOOLEAN connected; success = FALSE; // SetTcpEntry returns ERROR_MR_MID_NOT_FOUND for access denied errors for some reason. if (result == ERROR_MR_MID_NOT_FOUND) result = ERROR_ACCESS_DENIED; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, L"Unable to close the TCP connection", PhDosErrorToNtStatus(result), &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallSetTcpEntry(&tcpRow))) success = TRUE; else PhShowStatus(WindowHandle, L"Unable to close the TCP connection", status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (PhShowMessage2( WindowHandle, TD_OK_BUTTON, TD_ERROR_ICON, L"Unable to close the TCP connection.", L"Make sure System Informer is running with administrative privileges." ) != IDOK) break; } } } return success; } static BOOLEAN PhpShowContinueMessageThreads( _In_ HWND WindowHandle, _In_ PWSTR Verb, _In_ PWSTR Message, _In_ BOOLEAN Warning, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ) { PWSTR object; BOOLEAN cont = FALSE; if (NumberOfThreads == 0) return FALSE; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { if (NumberOfThreads == 1) { object = L"the selected thread"; } else { object = L"the selected threads"; } cont = PhShowConfirmMessage( WindowHandle, Verb, object, Message, Warning ); } else { cont = TRUE; } return cont; } static BOOLEAN PhpShowErrorThread( _In_ HWND WindowHandle, _In_ PWSTR Verb, _In_ PPH_THREAD_ITEM Thread, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { return PhShowContinueStatus( WindowHandle, PhaFormatString( L"Unable to %s thread %lu", Verb, HandleToUlong(Thread->ThreadId) )->Buffer, Status, Win32Result ); } BOOLEAN PhUiTerminateThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; if (!PhpShowContinueMessageThreads( WindowHandle, L"terminate", L"Terminating a thread may cause the process to stop working.", FALSE, Threads, NumberOfThreads )) return FALSE; for (i = 0; i < NumberOfThreads; i++) { NTSTATUS status; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_TERMINATE, Threads[i]->ThreadId ))) { status = PhTerminateThread(threadHandle, STATUS_SUCCESS); if (status == STATUS_SUCCESS || status == STATUS_THREAD_IS_TERMINATING) PhTerminateThread(threadHandle, DBG_TERMINATE_THREAD); // debug terminate (dmex) NtClose(threadHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaFormatString(L"Unable to terminate thread %lu", HandleToUlong(Threads[i]->ThreadId))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlThread(Threads[i]->ThreadId, PhSvcControlThreadTerminate, 0))) success = TRUE; else PhpShowErrorThread(WindowHandle, L"terminate", Threads[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorThread(WindowHandle, L"terminate", Threads[i], status, 0)) break; } } } return success; } BOOLEAN PhUiSuspendThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; for (i = 0; i < NumberOfThreads; i++) { NTSTATUS status; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_SUSPEND_RESUME, Threads[i]->ThreadId ))) { status = NtSuspendThread(threadHandle, NULL); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaFormatString(L"Unable to suspend thread %lu", HandleToUlong(Threads[i]->ThreadId))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlThread(Threads[i]->ThreadId, PhSvcControlThreadSuspend, 0))) success = TRUE; else PhpShowErrorThread(WindowHandle, L"suspend", Threads[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorThread(WindowHandle, L"suspend", Threads[i], status, 0)) break; } } } return success; } BOOLEAN PhUiResumeThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ) { BOOLEAN success = TRUE; BOOLEAN cancelled = FALSE; ULONG i; for (i = 0; i < NumberOfThreads; i++) { NTSTATUS status; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_SUSPEND_RESUME, Threads[i]->ThreadId ))) { status = NtResumeThread(threadHandle, NULL); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; success = FALSE; if (!cancelled && PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaFormatString(L"Unable to resume thread %lu", HandleToUlong(Threads[i]->ThreadId))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlThread(Threads[i]->ThreadId, PhSvcControlThreadResume, 0))) success = TRUE; else PhpShowErrorThread(WindowHandle, L"resume", Threads[i], status, 0); PhUiDisconnectFromPhSvc(); } else { cancelled = TRUE; } } else { if (cancelled) break; if (!PhpShowErrorThread(WindowHandle, L"resume", Threads[i], status, 0)) break; } } } return success; } BOOLEAN PhUiSetBoostPriorityThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads, _In_ BOOLEAN PriorityBoost ) { BOOLEAN success = TRUE; ULONG i; for (i = 0; i < NumberOfThreads; i++) { NTSTATUS status; HANDLE threadHandle; status = PhOpenThread( &threadHandle, THREAD_SET_LIMITED_INFORMATION, Threads[i]->ThreadId ); if (NT_SUCCESS(status)) { status = PhSetThreadPriorityBoost(threadHandle, PriorityBoost); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { success = FALSE; if (!PhpShowErrorThread(WindowHandle, L"change boost priority of", Threads[i], status, 0)) break; } } return success; } BOOLEAN PhUiSetBoostPriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ BOOLEAN PriorityBoost ) { NTSTATUS status; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_SET_LIMITED_INFORMATION, Thread->ThreadId ))) { status = PhSetThreadPriorityBoost(threadHandle, PriorityBoost); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorThread(WindowHandle, L"set the boost priority of", Thread, status, 0); return FALSE; } return TRUE; } BOOLEAN PhUiSetPriorityThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads, _In_ LONG Increment ) { BOOLEAN success = TRUE; ULONG i; // Special saturation values if (Increment == THREAD_PRIORITY_TIME_CRITICAL) Increment = THREAD_BASE_PRIORITY_LOWRT + 1; else if (Increment == THREAD_PRIORITY_IDLE) Increment = THREAD_BASE_PRIORITY_IDLE - 1; for (i = 0; i < NumberOfThreads; i++) { NTSTATUS status; HANDLE threadHandle; status = PhOpenThread( &threadHandle, THREAD_SET_LIMITED_INFORMATION, Threads[i]->ThreadId ); if (NT_SUCCESS(status)) { status = PhSetThreadBasePriority(threadHandle, Increment); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { success = FALSE; if (!PhpShowErrorThread(WindowHandle, L"change priority of", Threads[i], status, 0)) break; } } return success; } BOOLEAN PhUiSetPriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ LONG Increment ) { NTSTATUS status; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_SET_LIMITED_INFORMATION, Thread->ThreadId ))) { status = PhSetThreadBasePriority(threadHandle, Increment); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorThread(WindowHandle, L"set the priority of", Thread, status, 0); return FALSE; } return TRUE; } BOOLEAN PhUiSetIoPriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ IO_PRIORITY_HINT IoPriority ) { NTSTATUS status; BOOLEAN success = TRUE; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_SET_INFORMATION, Thread->ThreadId ))) { status = PhSetThreadIoPriority(threadHandle, IoPriority); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { BOOLEAN connected; BOOLEAN cancelled; success = FALSE; // The operation may have failed due to the lack of SeIncreaseBasePriorityPrivilege. if (PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaFormatString(L"Unable to set the I/O priority of thread %lu", HandleToUlong(Thread->ThreadId))->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallControlThread(Thread->ThreadId, PhSvcControlThreadIoPriority, IoPriority))) success = TRUE; else PhpShowErrorThread(WindowHandle, L"set the I/O priority of", Thread, status, 0); PhUiDisconnectFromPhSvc(); } } else { PhpShowErrorThread(WindowHandle, L"set the I/O priority of", Thread, status, 0); } } return success; } BOOLEAN PhUiSetPagePriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ ULONG PagePriority ) { NTSTATUS status; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_SET_INFORMATION, Thread->ThreadId ))) { status = PhSetThreadPagePriority(threadHandle, PagePriority); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorThread(WindowHandle, L"set the page priority of", Thread, status, 0); return FALSE; } return TRUE; } BOOLEAN PhUiUnloadModule( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_MODULE_ITEM Module ) { NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE processHandle = NULL; BOOLEAN cont = FALSE; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { PWSTR verb; PWSTR message; switch (Module->Type) { case PH_MODULE_TYPE_MODULE: case PH_MODULE_TYPE_WOW64_MODULE: verb = L"unload"; message = L"Unloading a module may cause the process to crash."; if (WindowsVersion >= WINDOWS_8) message = L"Unloading a module may cause the process to crash. NOTE: This feature may not work correctly on your version of Windows and some programs may restrict access or ban your account."; break; case PH_MODULE_TYPE_KERNEL_MODULE: verb = L"unload"; message = L"Unloading a driver may cause system instability."; break; case PH_MODULE_TYPE_MAPPED_FILE: case PH_MODULE_TYPE_MAPPED_IMAGE: verb = L"unmap"; message = L"Unmapping a section view may cause the process to crash."; break; default: return FALSE; } cont = PhShowConfirmMessage( WindowHandle, verb, Module->Name->Buffer, message, TRUE ); } else { cont = TRUE; } if (!cont) return FALSE; switch (Module->Type) { case PH_MODULE_TYPE_MODULE: case PH_MODULE_TYPE_WOW64_MODULE: { if (WindowsVersion < WINDOWS_8) { // Windows 7 requires QUERY_INFORMATION for MemoryMappedFileName. (dmex) status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, ProcessId ); } else if (WindowsVersion < WINDOWS_10) { // Windows 8 requires ALL_ACCESS for PLM execution requests. (dmex) status = PhOpenProcess( &processHandle, PROCESS_ALL_ACCESS, ProcessId ); } if (!NT_SUCCESS(status)) { // Windows 10 and above require SET_LIMITED for PLM execution requests. (dmex) status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, ProcessId ); } if (NT_SUCCESS(status)) { status = PhUnloadDllProcess( processHandle, Module->BaseAddress, 5000 ); NtClose(processHandle); } if (status == STATUS_DLL_NOT_FOUND) { PhShowStatus(WindowHandle, L"Unable to unload the module", 0, ERROR_MOD_NOT_FOUND); return FALSE; } if (!NT_SUCCESS(status)) { PhShowStatus( WindowHandle, PhaConcatStrings2(L"Unable to unload ", Module->Name->Buffer)->Buffer, status, 0 ); return FALSE; } } break; case PH_MODULE_TYPE_KERNEL_MODULE: status = PhUnloadDriver(Module->BaseAddress, &Module->Name->sr, &Module->FileName->sr); if (!NT_SUCCESS(status)) { BOOLEAN success = FALSE; BOOLEAN connected; BOOLEAN cancelled; if (PhpShowErrorAndConnectToPhSvc( WindowHandle, PhaConcatStrings2(L"Unable to unload ", Module->Name->Buffer)->Buffer, status, &connected, &cancelled )) { if (connected) { if (NT_SUCCESS(status = PhSvcCallUnloadDriver(Module->BaseAddress, Module->Name->Buffer, Module->FileName->Buffer))) success = TRUE; else PhShowStatus(WindowHandle, PhaConcatStrings2(L"Unable to unload ", Module->Name->Buffer)->Buffer, status, 0); PhUiDisconnectFromPhSvc(); } } else { if (cancelled) return FALSE; PhShowStatus( WindowHandle, PhaConcatStrings( 3, L"Unable to unload ", Module->Name->Buffer, L". Make sure System Informer is running with " L"administrative privileges." )->Buffer, status, 0 ); return FALSE; } return success; } break; case PH_MODULE_TYPE_MAPPED_FILE: case PH_MODULE_TYPE_MAPPED_IMAGE: if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_VM_OPERATION, ProcessId ))) { status = PhUnmapViewOfSection(processHandle, Module->BaseAddress); NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhShowStatus( WindowHandle, PhaFormatString(L"Unable to unmap the section view at 0x%p", Module->BaseAddress)->Buffer, status, 0 ); return FALSE; } break; default: return FALSE; } return TRUE; } BOOLEAN PhUiFreeMemory( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_MEMORY_ITEM MemoryItem, _In_ BOOLEAN Free ) { NTSTATUS status; BOOLEAN cont = FALSE; HANDLE processHandle; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { PWSTR verb; PWSTR message; if (!(MemoryItem->Type & (MEM_MAPPED | MEM_IMAGE))) { if (Free) { verb = L"free"; message = L"Freeing memory regions may cause the process to crash.\r\n\r\nSome programs may also restrict access or ban your account when freeing the memory of the process."; } else { verb = L"decommit"; message = L"Decommitting memory regions may cause the process to crash.\r\n\r\nSome programs may also restrict access or ban your account when decommitting the memory of the process."; } } else { verb = L"unmap"; message = L"Unmapping a section view may cause the process to crash.\r\n\r\nSome programs may also restrict access or ban your account when unmapping the memory of the process."; } cont = PhShowConfirmMessage( WindowHandle, verb, L"the memory region", message, TRUE ); } else { cont = TRUE; } if (!cont) return FALSE; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_VM_OPERATION, ProcessId ))) { PVOID baseAddress; SIZE_T regionSize; baseAddress = MemoryItem->BaseAddress; if (!(MemoryItem->Type & (MEM_MAPPED | MEM_IMAGE))) { // The size needs to be 0 if we're freeing. if (Free) regionSize = 0; else regionSize = MemoryItem->RegionSize; status = NtFreeVirtualMemory( processHandle, &baseAddress, ®ionSize, Free ? MEM_RELEASE : MEM_DECOMMIT ); } else { status = PhUnmapViewOfSection(processHandle, baseAddress); } NtClose(processHandle); } if (!NT_SUCCESS(status)) { PWSTR message; if (!(MemoryItem->Type & (MEM_MAPPED | MEM_IMAGE))) { if (Free) message = L"Unable to free the memory region"; else message = L"Unable to decommit the memory region"; } else { message = L"Unable to unmap the section view"; } PhShowStatus( WindowHandle, message, status, 0 ); return FALSE; } return TRUE; } BOOLEAN PhUiEmptyProcessMemoryWorkingSet( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_MEMORY_ITEM MemoryItem ) { NTSTATUS status; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_VM_OPERATION, ProcessId ))) { status = PhSetProcessEmptyPageWorkingSet( processHandle, MemoryItem->BaseAddress, MemoryItem->RegionSize ); NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to empty the region working set.", status, 0); return FALSE; } return TRUE; } static BOOLEAN PhpShowErrorHandle( _In_ HWND WindowHandle, _In_ PCWSTR Verb, _In_ PCWSTR Verb2, _In_ PPH_HANDLE_ITEM Handle, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { WCHAR value[PH_PTR_STR_LEN_1]; PhPrintPointer(value, (PVOID)Handle->Handle); if (!PhIsNullOrEmptyString(Handle->BestObjectName)) { return PhShowContinueStatus( WindowHandle, PhaFormatString( L"Unable to %s handle \"%s\" (%s)%s", Verb, Handle->BestObjectName->Buffer, value, Verb2 )->Buffer, Status, Win32Result ); } else { return PhShowContinueStatus( WindowHandle, PhaFormatString( L"Unable to %s handle %s%s", Verb, value, Verb2 )->Buffer, Status, Win32Result ); } } BOOLEAN PhUiCloseHandles( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_HANDLE_ITEM *Handles, _In_ ULONG NumberOfHandles, _In_ BOOLEAN Warn ) { NTSTATUS status; BOOLEAN result = FALSE; BOOLEAN success = TRUE; HANDLE processHandle; if (NumberOfHandles == 0) return FALSE; if (Warn && PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) { result = PhShowConfirmMessage( WindowHandle, L"close", NumberOfHandles == 1 ? L"the selected handle" : L"the selected handles", L"Closing handles may cause system instability and data corruption.", FALSE ); } else { result = TRUE; } if (!result) return FALSE; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, ProcessId ))) { BOOLEAN critical = FALSE; BOOLEAN strict = FALSE; if (WindowsVersion >= WINDOWS_10) { BOOLEAN breakOnTermination; PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; if (NT_SUCCESS(PhGetProcessBreakOnTermination( processHandle, &breakOnTermination ))) { if (breakOnTermination) { critical = TRUE; } } if (NT_SUCCESS(PhGetProcessMitigationPolicy( processHandle, ProcessStrictHandleCheckPolicy, &policyInfo ))) { if (policyInfo.StrictHandleCheckPolicy.Flags != 0) { strict = TRUE; } } } if (critical && strict) { result = PhShowConfirmMessage( WindowHandle, L"close", L"critical process handle(s)", L"You are about to close one or more handles for a critical process with strict handle checks enabled. This will shut down the operating system immediately.\r\n\r\n", TRUE ); } if (!result) return FALSE; for (ULONG i = 0; i < NumberOfHandles; i++) { if (FlagOn(Handles[i]->Attributes, OBJ_PROTECT_CLOSE)) { if (!PhpShowErrorHandle( WindowHandle, L"close", NULL, Handles[i], STATUS_HANDLE_NOT_CLOSABLE, 0 )) { break; } } status = NtDuplicateObject( processHandle, Handles[i]->Handle, NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE ); if (!NT_SUCCESS(status)) { success = FALSE; if (!PhpShowErrorHandle( WindowHandle, L"close", NULL, Handles[i], status, 0 )) break; } } NtClose(processHandle); } else { PhShowStatus(WindowHandle, L"Unable to open the process", status, 0); return FALSE; } return success; } BOOLEAN PhUiSetAttributesHandle( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_HANDLE_ITEM Handle, _In_ ULONG Attributes ) { NTSTATUS status; HANDLE processHandle; if (KsiLevel() < KphLevelMax) { PhShowKsiNotConnected( WindowHandle, L"Setting handle attributes requires a connection to the kernel driver." ); return FALSE; } if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, ProcessId ))) { OBJECT_HANDLE_FLAG_INFORMATION handleFlagInfo; handleFlagInfo.Inherit = !!(Attributes & OBJ_INHERIT); handleFlagInfo.ProtectFromClose = !!(Attributes & OBJ_PROTECT_CLOSE); status = KphSetInformationObject( processHandle, Handle->Handle, KphObjectHandleFlagInformation, &handleFlagInfo, sizeof(OBJECT_HANDLE_FLAG_INFORMATION) ); NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhpShowErrorHandle(WindowHandle, L"set attributes of", NULL, Handle, status, 0); return FALSE; } return TRUE; } /** * Flush process heap(s) remotely for a list of processes. * * \param WindowHandle Parent window used for error reporting. * \param Processes Array of process items to operate on. * \param NumberOfProcesses Number of processes in the array. * \return BOOLEAN TRUE if all flush operations succeeded, FALSE if any failed. */ BOOLEAN PhUiFlushHeapProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { BOOLEAN success = TRUE; ULONG i; LARGE_INTEGER timeout; for (i = 0; i < NumberOfProcesses; i++) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_CREATE_THREAD | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | PROCESS_VM_READ, Processes[i]->ProcessId ); if (NT_SUCCESS(status)) { status = PhFlushProcessHeapsRemote(processHandle, PhTimeoutFromMilliseconds(&timeout, 4000)); NtClose(processHandle); } if (!NT_SUCCESS(status)) { success = FALSE; if (!PhpShowErrorProcess(WindowHandle, L"flush the process heap(s) of", Processes[i], status, 0)) break; } } return success; } ================================================ FILE: SystemInformer/admintask.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2023 * */ #include #include #include #include #include #include DEFINE_GUID(CLSID_TaskScheduler, 0x0f87369f, 0xa4e5, 0x4cfc, 0xbd, 0x3e, 0x73, 0xe6, 0x15, 0x45, 0x72, 0xdd); DEFINE_GUID(IID_ITaskService, 0x2FABA4C7, 0x4DA9, 0x4013, 0x96, 0x97, 0x20, 0xCC, 0x3F, 0xD4, 0x0F, 0x85); DEFINE_GUID(IID_ITaskSettings2, 0x2C05C3F0, 0x6EED, 0x4C05, 0xA1, 0x5F, 0xED, 0x7D, 0x7A, 0x98, 0xA3, 0x69); DEFINE_GUID(IID_ILogonTrigger, 0x72DADE38, 0xFAE4, 0x4b3e, 0xBA, 0xF4, 0x5D, 0x00, 0x9A, 0xF0, 0x2B, 0x1C); DEFINE_GUID(IID_IExecAction, 0x4C3D624D, 0xfd6b, 0x49A3, 0xB9, 0xB7, 0x09, 0xCB, 0x3C, 0xD3, 0xF0, 0x47); HRESULT PhCreateAdminTask( _In_ PPH_STRINGREF TaskName, _In_ PPH_STRINGREF FileName ) { static CONST PH_STRINGREF taskTimeLimit = PH_STRINGREF_INIT(L"PT0S"); #if (PH_ADMIN_TASK_FORWARD_COMMANDLINE_UNPRIVILEGED) static CONST PH_STRINGREF taskArguments = PH_STRINGREF_INIT(L"$(Arg0)"); #endif HRESULT status; BSTR taskNameString = NULL; BSTR taskFileNameString = NULL; #if (PH_ADMIN_TASK_FORWARD_COMMANDLINE_UNPRIVILEGED) BSTR taskArgumentsString = NULL; #endif BSTR taskFolderString = NULL; BSTR taskTimeLimitString = NULL; VARIANT empty = { VT_EMPTY }; ITaskService* taskService = NULL; ITaskFolder* taskFolder = NULL; ITaskDefinition* taskDefinition = NULL; ITaskSettings* taskSettings = NULL; ITaskSettings2* taskSettings2 = NULL; ITriggerCollection* taskTriggerCollection = NULL; ITrigger* taskTrigger = NULL; ILogonTrigger* taskLogonTrigger = NULL; IRegisteredTask* taskRegisteredTask = NULL; IPrincipal* taskPrincipal = NULL; IActionCollection* taskActionCollection = NULL; IAction* taskAction = NULL; IExecAction* taskExecAction = NULL; status = PhGetClassObject( L"taskschd.dll", &CLSID_TaskScheduler, &IID_ITaskService, &taskService ); if (FAILED(status)) goto CleanupExit; taskNameString = PhStringRefToBSTR(TaskName); taskFileNameString = PhStringRefToBSTR(FileName); taskFolderString = PhStringRefToBSTR(&PhNtPathSeparatorString); taskTimeLimitString = PhStringRefToBSTR(&taskTimeLimit); #if (PH_ADMIN_TASK_FORWARD_COMMANDLINE_UNPRIVILEGED) taskArgumentsString = PhStringRefToBSTR(&taskArguments); #endif status = ITaskService_Connect( taskService, empty, empty, empty, empty ); if (FAILED(status)) goto CleanupExit; status = ITaskService_GetFolder( taskService, taskFolderString, &taskFolder ); if (FAILED(status)) goto CleanupExit; status = ITaskService_NewTask( taskService, 0, &taskDefinition ); if (FAILED(status)) goto CleanupExit; status = ITaskDefinition_get_Settings( taskDefinition, &taskSettings ); if (FAILED(status)) goto CleanupExit; ITaskSettings_put_Compatibility(taskSettings, TASK_COMPATIBILITY_V2_1); ITaskSettings_put_StartWhenAvailable(taskSettings, VARIANT_TRUE); ITaskSettings_put_DisallowStartIfOnBatteries(taskSettings, VARIANT_FALSE); ITaskSettings_put_StopIfGoingOnBatteries(taskSettings, VARIANT_FALSE); ITaskSettings_put_ExecutionTimeLimit(taskSettings, taskTimeLimitString); ITaskSettings_put_Priority(taskSettings, 1); if (SUCCEEDED(ITaskSettings_QueryInterface( taskSettings, &IID_ITaskSettings2, &taskSettings2 ))) { ITaskSettings2_put_UseUnifiedSchedulingEngine(taskSettings2, VARIANT_TRUE); ITaskSettings2_put_DisallowStartOnRemoteAppSession(taskSettings2, VARIANT_TRUE); ITaskSettings2_Release(taskSettings2); } //status = ITaskDefinition_get_Triggers( // taskDefinition, // &taskTriggerCollection // ); // //if (FAILED(status)) // goto CleanupExit; // //status = ITriggerCollection_Create( // taskTriggerCollection, // TASK_TRIGGER_LOGON, // &taskTrigger // ); // //if (FAILED(status)) // goto CleanupExit; // //status = ITrigger_QueryInterface( // taskTrigger, // &IID_ILogonTrigger, // &taskLogonTrigger // ); // //if (FAILED(status)) // goto CleanupExit; // //ILogonTrigger_put_Id(taskLogonTrigger, L"LogonTriggerId"); //ILogonTrigger_put_UserId(taskLogonTrigger, PhGetString(PhGetTokenUserString(PhGetOwnTokenAttributes().TokenHandle, TRUE))); status = ITaskDefinition_get_Principal( taskDefinition, &taskPrincipal ); if (FAILED(status)) goto CleanupExit; #define TASK_RUNLEVEL_LUA 0 #define TASK_RUNLEVEL_HIGHEST 1 #define RUNLEVEL_ADMIN 2 #define RUNLEVEL_MAX_NON_UIA 3 #define RUNLEVEL_LUA_UIA 4 #define RUNLEVEL_HIGHEST_UIA 5 #define RUNLEVEL_ADMIN_UIA 6 #define RUNLEVEL_MAX 7 IPrincipal_put_RunLevel(taskPrincipal, TASK_RUNLEVEL_HIGHEST); IPrincipal_put_LogonType(taskPrincipal, TASK_LOGON_INTERACTIVE_TOKEN); status = ITaskDefinition_get_Actions( taskDefinition, &taskActionCollection ); if (FAILED(status)) goto CleanupExit; status = IActionCollection_Create( taskActionCollection, TASK_ACTION_EXEC, &taskAction ); if (FAILED(status)) goto CleanupExit; status = IAction_QueryInterface( taskAction, &IID_IExecAction, &taskExecAction ); if (FAILED(status)) goto CleanupExit; status = IExecAction_put_Path( taskExecAction, taskFileNameString ); if (FAILED(status)) goto CleanupExit; #if (PH_ADMIN_TASK_FORWARD_COMMANDLINE_UNPRIVILEGED) status = IExecAction_put_Arguments( taskExecAction, taskArgumentsString ); if (FAILED(status)) goto CleanupExit; #endif ITaskFolder_DeleteTask( taskFolder, taskNameString, 0 ); status = ITaskFolder_RegisterTaskDefinition( taskFolder, taskNameString, taskDefinition, TASK_CREATE_OR_UPDATE, empty, empty, TASK_LOGON_INTERACTIVE_TOKEN, empty, &taskRegisteredTask ); CleanupExit: if (taskRegisteredTask) IRegisteredTask_Release(taskRegisteredTask); if (taskActionCollection) IActionCollection_Release(taskActionCollection); if (taskPrincipal) IPrincipal_Release(taskPrincipal); if (taskLogonTrigger) ILogonTrigger_Release(taskLogonTrigger); if (taskTrigger) ITrigger_Release(taskTrigger); if (taskTriggerCollection) ITriggerCollection_Release(taskTriggerCollection); if (taskSettings) ITaskSettings_Release(taskSettings); if (taskDefinition) ITaskDefinition_Release(taskDefinition); if (taskFolder) ITaskFolder_Release(taskFolder); if (taskService) ITaskService_Release(taskService); if (taskTimeLimitString) SysFreeString(taskTimeLimitString); if (taskNameString) SysFreeString(taskNameString); if (taskFileNameString) SysFreeString(taskFileNameString); #if (PH_ADMIN_TASK_FORWARD_COMMANDLINE_UNPRIVILEGED) if (taskArgumentsString) SysFreeString(taskArgumentsString); #endif if (taskFolderString) SysFreeString(taskFolderString); return status; } HRESULT PhDeleteAdminTask( _In_ PPH_STRINGREF TaskName ) { HRESULT status; BSTR taskNameString = NULL; BSTR taskFolderString = NULL; VARIANT empty = { VT_EMPTY }; ITaskService* taskService = NULL; ITaskFolder* taskFolder = NULL; status = PhGetClassObject( L"taskschd.dll", &CLSID_TaskScheduler, &IID_ITaskService, &taskService ); if (FAILED(status)) goto CleanupExit; taskNameString = PhStringRefToBSTR(TaskName); taskFolderString = PhStringRefToBSTR(&PhNtPathSeparatorString); status = ITaskService_Connect( taskService, empty, empty, empty, empty ); if (FAILED(status)) goto CleanupExit; status = ITaskService_GetFolder( taskService, taskFolderString, &taskFolder ); if (FAILED(status)) goto CleanupExit; status = ITaskFolder_DeleteTask( taskFolder, taskNameString, 0 ); CleanupExit: if (taskFolder) ITaskFolder_Release(taskFolder); if (taskService) ITaskService_Release(taskService); if (taskFolderString) SysFreeString(taskFolderString); if (taskNameString) SysFreeString(taskNameString); return status; } HRESULT PhRunAsAdminTask( _In_ PPH_STRINGREF TaskName ) { HRESULT status; ULONG sessionId = ULONG_MAX; BSTR taskNameString = NULL; BSTR taskFolderString = NULL; VARIANT empty = { VT_EMPTY }; VARIANT params = { VT_EMPTY }; ITaskService* taskService = NULL; ITaskFolder* taskFolder = NULL; IRegisteredTask* taskRegisteredTask = NULL; IRunningTask* taskRunningTask = NULL; PhTraceFuncEnter("Run as admin task"); status = PhGetClassObject( L"taskschd.dll", &CLSID_TaskScheduler, &IID_ITaskService, &taskService ); if (FAILED(status)) goto CleanupExit; taskNameString = PhStringRefToBSTR(TaskName); taskFolderString = PhStringRefToBSTR(&PhNtPathSeparatorString); status = ITaskService_Connect( taskService, empty, empty, empty, empty ); if (FAILED(status)) goto CleanupExit; status = ITaskService_GetFolder( taskService, taskFolderString, &taskFolder ); if (FAILED(status)) goto CleanupExit; status = ITaskFolder_GetTask( taskFolder, taskNameString, &taskRegisteredTask ); if (FAILED(status)) goto CleanupExit; #if (PH_ADMIN_TASK_FORWARD_COMMANDLINE_UNPRIVILEGED) if (CommandLine) { PH_STRINGREF commandline; if (NT_SUCCESS(PhGetProcessCommandLineStringRef(&commandline))) { V_VT(¶ms) = VT_BSTR; V_BSTR(¶ms) = PhStringRefToBSTR(&commandline); } } #endif status = IRegisteredTask_RunEx( taskRegisteredTask, params, TASK_RUN_AS_SELF | TASK_RUN_USE_SESSION_ID, USER_SHARED_DATA->ActiveConsoleId, NULL, &taskRunningTask ); CleanupExit: if (taskRunningTask) IRunningTask_Release(taskRunningTask); if (taskRegisteredTask) IRegisteredTask_Release(taskRegisteredTask); if (taskFolder) ITaskFolder_Release(taskFolder); if (taskService) ITaskService_Release(taskService); #if (PH_ADMIN_TASK_FORWARD_COMMANDLINE_UNPRIVILEGED) if (V_BSTR(¶ms)) SysFreeString(V_BSTR(¶ms)); #endif if (taskFolderString) SysFreeString(taskFolderString); if (taskNameString) SysFreeString(taskNameString); PhTraceFuncExit("Run as admin task: %!STATUS!", status); return status; } NTSTATUS PhRunAsAdminTaskUIAccess( VOID ) { NTSTATUS status; BOOLEAN tokenIsUIAccess; ULONG sessionId; CLIENT_ID desktopId; PPH_STRING fileName = NULL; PhTraceFuncEnter("Run as admin task UI access"); if (!PhGetOwnTokenAttributes().Elevated) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } if (!NT_SUCCESS(PhGetTokenUIAccess( PhGetOwnTokenAttributes().TokenHandle, &tokenIsUIAccess )) || tokenIsUIAccess) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } fileName = PhGetApplicationFileNameWin32(); if (PhIsNullOrEmptyString(fileName)) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } // Query the process from the current desktop. status = PhGetWindowClientId(PhGetShellWindow(), &desktopId); if (!NT_SUCCESS(status)) goto CleanupExit; // Query the session from the current process. status = PhGetProcessSessionId(NtCurrentProcess(), &sessionId); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhExecuteRunAsCommand3( NULL, PhGetString(fileName), NULL, NULL, LOGON32_LOGON_INTERACTIVE, desktopId.UniqueProcess, sessionId, NULL, TRUE, FALSE, TRUE ); CleanupExit: PhClearReference(&fileName); PhTraceFuncExit("Run as admin task UI access: %!STATUS!", status); return status; } ================================================ FILE: SystemInformer/affinity.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2020-2023 * */ /* * The affinity dialog was originally created to support the modification * of process affinity masks, but now supports modifying thread affinity * and generic masks. */ #include #include #include typedef struct _PH_AFFINITY_DIALOG_CONTEXT { HWND WindowHandle; HWND GroupComboHandle; PPH_PROCESS_ITEM ProcessItem; PPH_THREAD_ITEM ThreadItem; KAFFINITY NewAffinityMask; PPH_LIST CpuControlList; USHORT AffinityGroup; KAFFINITY AffinityMask; KAFFINITY SystemAffinityMask; // Multiple selected items (dmex) PPH_THREAD_ITEM* Threads; ULONG NumberOfThreads; PHANDLE ThreadHandles; } PH_AFFINITY_DIALOG_CONTEXT, *PPH_AFFINITY_DIALOG_CONTEXT; INT_PTR CALLBACK PhpProcessAffinityDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowProcessAffinityDialog( _In_ HWND ParentWindowHandle, _In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_opt_ PPH_THREAD_ITEM ThreadItem ) { PH_AFFINITY_DIALOG_CONTEXT context; assert(!!ProcessItem != !!ThreadItem); // make sure we have one and not the other (wj32) memset(&context, 0, sizeof(PH_AFFINITY_DIALOG_CONTEXT)); context.ProcessItem = ProcessItem; context.ThreadItem = ThreadItem; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_AFFINITY), ParentWindowHandle, PhpProcessAffinityDlgProc, &context ); } _Success_(return) BOOLEAN PhShowProcessAffinityDialog2( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _Out_ PKAFFINITY NewAffinityMask ) { PH_AFFINITY_DIALOG_CONTEXT context; memset(&context, 0, sizeof(PH_AFFINITY_DIALOG_CONTEXT)); context.ProcessItem = ProcessItem; context.ThreadItem = NULL; if (PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_AFFINITY), ParentWindowHandle, PhpProcessAffinityDlgProc, &context ) == IDOK) { *NewAffinityMask = context.NewAffinityMask; return TRUE; } else { return FALSE; } } VOID PhShowThreadAffinityDialog( _In_ HWND ParentWindowHandle, _In_ PPH_THREAD_ITEM* Threads, _In_ ULONG NumberOfThreads ) { PH_AFFINITY_DIALOG_CONTEXT context; memset(&context, 0, sizeof(PH_AFFINITY_DIALOG_CONTEXT)); context.Threads = Threads; context.NumberOfThreads = NumberOfThreads; context.ThreadHandles = PhAllocateZero(NumberOfThreads * sizeof(HANDLE)); // Cache handles to each thread since the ThreadId gets // reassigned to a different process after the thread exits. (dmex) for (ULONG i = 0; i < NumberOfThreads; i++) { if (!NT_SUCCESS(PhOpenThread( &context.ThreadHandles[i], THREAD_QUERY_LIMITED_INFORMATION | THREAD_SET_LIMITED_INFORMATION | THREAD_SET_INFORMATION, Threads[i]->ThreadId ))) { if (!NT_SUCCESS(PhOpenThread( &context.ThreadHandles[i], THREAD_QUERY_LIMITED_INFORMATION | THREAD_SET_LIMITED_INFORMATION, Threads[i]->ThreadId ))) { context.ThreadHandles[i] = INVALID_HANDLE_VALUE; } } } PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_AFFINITY), ParentWindowHandle, PhpProcessAffinityDlgProc, &context ); } static BOOLEAN PhpShowProcessErrorAffinity( _In_ HWND hWnd, _In_ PPH_PROCESS_ITEM Process, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { return PhShowContinueStatus( hWnd, PhaFormatString( L"Unable to change affinity of process %lu", HandleToUlong(Process->ProcessId) )->Buffer, Status, Win32Result ); } static BOOLEAN PhpShowThreadErrorAffinity( _In_ HWND hWnd, _In_ PPH_THREAD_ITEM Thread, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { return PhShowContinueStatus( hWnd, PhaFormatString( L"Unable to change affinity of thread %lu", HandleToUlong(Thread->ThreadId) )->Buffer, Status, Win32Result ); } VOID PhpShowThreadErrorAffinityList( _In_ PPH_AFFINITY_DIALOG_CONTEXT Context, _Inout_ PPH_LIST AffinityErrorsList ) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 100); for (ULONG i = 0; i < AffinityErrorsList->Count; i++) { PhAppendFormatStringBuilder( &stringBuilder, L"%s\n", PhGetStringOrDefault(AffinityErrorsList->Items[i], L"An unknown error occurred.") ); } if (PhEndsWithStringRef2(&stringBuilder.String->sr, L"\n", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhShowInformation2( Context->WindowHandle, L"Unable to update affinity for thread(s)", L"Unable to update affinity for thread(s):\r\n%s", PhGetString(PhFinalStringBuilderString(&stringBuilder)) ); PhDeleteStringBuilder(&stringBuilder); PhDereferenceObjects(AffinityErrorsList->Items, AffinityErrorsList->Count); PhDereferenceObject(AffinityErrorsList); } BOOLEAN PhpCheckThreadsHaveSameAffinity( _In_ PPH_AFFINITY_DIALOG_CONTEXT Context ) { BOOLEAN result = TRUE; GROUP_AFFINITY groupAffinity; KAFFINITY lastAffinityMask = 0; KAFFINITY affinityMask = 0; if (Context->ThreadHandles[0] != INVALID_HANDLE_VALUE) { if (NT_SUCCESS(PhGetThreadGroupAffinity(Context->ThreadHandles[0], &groupAffinity))) { lastAffinityMask = groupAffinity.Mask; } } for (ULONG i = 0; i < Context->NumberOfThreads; i++) { if (Context->ThreadHandles[i] == INVALID_HANDLE_VALUE) continue; if (NT_SUCCESS(PhGetThreadGroupAffinity(Context->ThreadHandles[i], &groupAffinity))) { affinityMask = groupAffinity.Mask; } if (lastAffinityMask != affinityMask) { result = FALSE; break; } } return result; } INT_PTR CALLBACK PhpProcessAffinityDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_AFFINITY_DIALOG_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PPH_AFFINITY_DIALOG_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { NTSTATUS status = STATUS_UNSUCCESSFUL; BOOLEAN differentAffinity = FALSE; ULONG i; context->WindowHandle = hwndDlg; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetApplicationWindowIcon(hwndDlg); { context->CpuControlList = PhCreateList(MAXIMUM_PROC_PER_GROUP); for (i = 0; i < MAXIMUM_PROC_PER_GROUP; i++) { PhAddItemList(context->CpuControlList, GetDlgItem(hwndDlg, IDC_CPU0 + i)); } } if (!PhSystemProcessorInformation.SingleProcessorGroup) { context->GroupComboHandle = GetDlgItem(hwndDlg, IDC_GROUPCPU); for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { ComboBox_AddString(context->GroupComboHandle, PhaFormatString(L"Group %hu", processorGroup)->Buffer); } ShowWindow(context->GroupComboHandle, SW_SHOW); } if (context->ProcessItem) { HANDLE processHandle; GROUP_AFFINITY processGroupAffinity = { 0 }; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, context->ProcessItem->ProcessId ))) { status = PhGetProcessGroupAffinity(processHandle, &processGroupAffinity); if (NT_SUCCESS(status)) { context->AffinityMask = processGroupAffinity.Mask; context->AffinityGroup = processGroupAffinity.Group; if (context->GroupComboHandle) { ComboBox_SetCurSel(context->GroupComboHandle, processGroupAffinity.Group); } } NtClose(processHandle); } } else if (context->ThreadItem) { HANDLE threadHandle; THREAD_BASIC_INFORMATION basicInfo; GROUP_AFFINITY groupAffinity = { 0 }; HANDLE processHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_QUERY_LIMITED_INFORMATION, context->ThreadItem->ThreadId ))) { status = PhGetThreadGroupAffinity(threadHandle, &groupAffinity); if (NT_SUCCESS(status)) { context->AffinityMask = groupAffinity.Mask; context->AffinityGroup = groupAffinity.Group; if (context->GroupComboHandle) { ComboBox_SetCurSel(context->GroupComboHandle, groupAffinity.Group); } if (NT_SUCCESS(PhGetThreadBasicInformation( threadHandle, &basicInfo ))) { // A thread's affinity mask is restricted by the process affinity mask, // so use that as the system affinity mask. (wj32) if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, basicInfo.ClientId.UniqueProcess ))) { GROUP_AFFINITY processGroupAffinity = { 0 }; if (NT_SUCCESS(PhGetProcessGroupAffinity(processHandle, &processGroupAffinity))) { context->SystemAffinityMask = processGroupAffinity.Mask; } NtClose(processHandle); } } } NtClose(threadHandle); } } else if (context->Threads) { HANDLE processHandle; THREAD_BASIC_INFORMATION basicInfo; GROUP_AFFINITY groupAffinity = { 0 }; PPH_STRING windowText; windowText = PH_AUTO(PhGetWindowText(hwndDlg)); PhSetWindowText(hwndDlg, PhaFormatString( L"%s (%lu threads)", windowText->Buffer, context->NumberOfThreads )->Buffer); differentAffinity = !PhpCheckThreadsHaveSameAffinity(context); if (context->ThreadHandles[0] != INVALID_HANDLE_VALUE) { // Use affinity from the first thread when all threads are identical (dmex) status = PhGetThreadGroupAffinity( context->ThreadHandles[0], &groupAffinity ); } else { status = STATUS_UNSUCCESSFUL; } if (NT_SUCCESS(status)) { context->AffinityMask = groupAffinity.Mask; context->AffinityGroup = groupAffinity.Group; if (context->GroupComboHandle) { ComboBox_SetCurSel(context->GroupComboHandle, groupAffinity.Group); } if (NT_SUCCESS(PhGetThreadBasicInformation( context->ThreadHandles[0], &basicInfo ))) { if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, basicInfo.ClientId.UniqueProcess ))) { GROUP_AFFINITY processGroupAffinity = { 0 }; if (NT_SUCCESS(PhGetProcessGroupAffinity(processHandle, &processGroupAffinity))) { context->SystemAffinityMask = processGroupAffinity.Mask; } NtClose(processHandle); } } } } if (NT_SUCCESS(status) && context->SystemAffinityMask == 0) { KAFFINITY systemAffinityMask; if (PhSystemProcessorInformation.SingleProcessorGroup) { status = PhGetProcessorSystemAffinityMask(&systemAffinityMask); } else { status = PhGetProcessorGroupActiveAffinityMask(context->AffinityGroup, &systemAffinityMask); } if (NT_SUCCESS(status)) { context->SystemAffinityMask = systemAffinityMask; } } if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to query the current affinity.", status, 0); EndDialog(hwndDlg, IDCANCEL); break; } // Disable the CPU checkboxes which aren't part of the system affinity mask, // and check the CPU checkboxes which are part of the affinity mask. (wj32) for (i = 0; i < MAXIMUM_PROC_PER_GROUP; i++) { if ((context->SystemAffinityMask >> i) & 0x1) { if (differentAffinity) // Skip for multiple selection (dmex) continue; if ((context->AffinityMask >> i) & 0x1) { Button_SetCheck(context->CpuControlList->Items[i], BST_CHECKED); } } else { EnableWindow(context->CpuControlList->Items[i], FALSE); } } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); if (context->ThreadHandles) { for (ULONG i = 0; i < context->NumberOfThreads; i++) { if (context->ThreadHandles[i] != INVALID_HANDLE_VALUE) { NtClose(context->ThreadHandles[i]); context->ThreadHandles[i] = NULL; } } PhFree(context->ThreadHandles); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { NTSTATUS status = STATUS_SUCCESS; KAFFINITY affinityMask = 0; USHORT affinityGroup = 0; // Work out the affinity mask. for (ULONG i = 0; i < MAXIMUM_PROC_PER_GROUP; i++) { if (Button_GetCheck(context->CpuControlList->Items[i]) == BST_CHECKED) affinityMask |= AFFINITY_MASK(i); } if (context->GroupComboHandle) { LONG affinityGroupSelection = ComboBox_GetCurSel(context->GroupComboHandle); if (affinityGroupSelection == CB_ERR) affinityGroup = context->AffinityGroup; else affinityGroup = (USHORT)affinityGroupSelection; } if (affinityMask == 0) { PhShowError2(hwndDlg, L"Unable to change affinity settings.", L"%s", L"You must select at least one CPU."); break; } if (context->ProcessItem) { HANDLE processHandle; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, context->ProcessItem->ProcessId ))) { if (PhSystemProcessorInformation.SingleProcessorGroup) { status = PhSetProcessAffinityMask(processHandle, affinityMask); } else { GROUP_AFFINITY groupAffinity; memset(&groupAffinity, 0, sizeof(GROUP_AFFINITY)); groupAffinity.Group = affinityGroup; groupAffinity.Mask = affinityMask; status = PhSetProcessGroupAffinity(processHandle, groupAffinity); } NtClose(processHandle); } if (NT_SUCCESS(status)) { context->NewAffinityMask = affinityMask; } else { PhpShowProcessErrorAffinity(hwndDlg, context->ProcessItem, status, 0); } } else if (context->ThreadItem) { if (PhSystemProcessorInformation.SingleProcessorGroup) { HANDLE threadHandle; status = PhOpenThread( &threadHandle, THREAD_SET_LIMITED_INFORMATION, context->ThreadItem->ThreadId ); if (NT_SUCCESS(status)) { status = PhSetThreadAffinityMask(threadHandle, affinityMask); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { PhpShowThreadErrorAffinity(hwndDlg, context->ThreadItem, status, 0); } } else { HANDLE threadHandle; status = PhOpenThread( &threadHandle, THREAD_SET_INFORMATION, context->ThreadItem->ThreadId ); if (NT_SUCCESS(status)) { GROUP_AFFINITY groupAffinity; memset(&groupAffinity, 0, sizeof(GROUP_AFFINITY)); groupAffinity.Group = affinityGroup; groupAffinity.Mask = affinityMask; status = PhSetThreadGroupAffinity(threadHandle, groupAffinity); NtClose(threadHandle); } if (!NT_SUCCESS(status)) { PhpShowThreadErrorAffinity(hwndDlg, context->ThreadItem, status, 0); } } } else if (context->Threads) { PPH_LIST threadAffinityErrors = PhCreateList(1); for (ULONG i = 0; i < context->NumberOfThreads; i++) { if (context->ThreadHandles[i] == INVALID_HANDLE_VALUE) continue; if (PhSystemProcessorInformation.SingleProcessorGroup) { status = PhSetThreadAffinityMask(context->ThreadHandles[i], affinityMask); } else { GROUP_AFFINITY groupAffinity; memset(&groupAffinity, 0, sizeof(GROUP_AFFINITY)); groupAffinity.Group = affinityGroup; groupAffinity.Mask = affinityMask; status = PhSetThreadGroupAffinity(context->ThreadHandles[i], groupAffinity); } if (!NT_SUCCESS(status)) { PPH_STRING errorMessage; if (errorMessage = PhGetNtMessage(status)) { PhAddItemList(threadAffinityErrors, errorMessage); } } } if (threadAffinityErrors->Count > 0) PhpShowThreadErrorAffinityList(context, threadAffinityErrors); else PhDereferenceObject(threadAffinityErrors); } if (NT_SUCCESS(status)) { EndDialog(hwndDlg, IDOK); } } break; case IDC_SELECTALL: case IDC_DESELECTALL: { for (ULONG i = 0; i < MAXIMUM_PROC_PER_GROUP; i++) { HWND checkBox = context->CpuControlList->Items[i]; if (IsWindowEnabled(checkBox)) Button_SetCheck(checkBox, GET_WM_COMMAND_ID(wParam, lParam) == IDC_SELECTALL ? BST_CHECKED : BST_UNCHECKED); } } break; case IDC_GROUPCPU: { LONG index; if (!context->GroupComboHandle) break; index = ComboBox_GetCurSel(context->GroupComboHandle); if (index != CB_ERR) { if (index != context->AffinityGroup) { for (ULONG i = 0; i < MAXIMUM_PROC_PER_GROUP; i++) { Button_SetCheck(context->CpuControlList->Items[i], BST_UNCHECKED); } } else { BOOLEAN differentAffinity = FALSE; if (context->Threads) { differentAffinity = !PhpCheckThreadsHaveSameAffinity(context); } for (ULONG i = 0; i < MAXIMUM_PROC_PER_GROUP; i++) { if ((context->SystemAffinityMask >> i) & 0x1) { if (differentAffinity) // Skip for multiple selection (dmex) continue; if ((context->AffinityMask >> i) & 0x1) { Button_SetCheck(context->CpuControlList->Items[i], BST_CHECKED); } } } } } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } // Note: Workaround for UserNotes plugin dialog overrides (dmex) NTSTATUS PhSetProcessItemAffinityMask( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ KAFFINITY AffinityMask ) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, ProcessItem->ProcessId ); if (NT_SUCCESS(status)) { status = PhSetProcessAffinityMask(processHandle, AffinityMask); NtClose(processHandle); } return status; } // Note: Workaround for UserNotes plugin dialog overrides (dmex) NTSTATUS PhSetProcessItemPagePriority( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG PagePriority ) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, ProcessItem->ProcessId ); if (NT_SUCCESS(status)) { status = PhSetProcessPagePriority(processHandle, PagePriority); NtClose(processHandle); } return status; } // Note: Workaround for UserNotes plugin dialog overrides (dmex) NTSTATUS PhSetProcessItemIoPriority( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ IO_PRIORITY_HINT IoPriority ) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, ProcessItem->ProcessId ); if (NT_SUCCESS(status)) { status = PhSetProcessIoPriority(processHandle, IoPriority); NtClose(processHandle); } return status; } // Note: Workaround for UserNotes plugin dialog overrides (dmex) NTSTATUS PhSetProcessItemPriority( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ UCHAR PriorityClass ) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, ProcessItem->ProcessId ); if (NT_SUCCESS(status)) { status = PhSetProcessPriorityClass(processHandle, PriorityClass); NtClose(processHandle); } return status; } // Note: Workaround for UserNotes plugin dialog overrides (dmex) NTSTATUS PhSetProcessItemPriorityBoost( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ BOOLEAN PriorityBoost ) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, ProcessItem->ProcessId ); if (NT_SUCCESS(status)) { status = PhSetProcessPriorityBoost(processHandle, PriorityBoost); NtClose(processHandle); } return status; } // Note: Workaround for UserNotes plugin dialog overrides (dmex) NTSTATUS PhSetProcessItemThrottlingState( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ BOOLEAN ClearThrottlingState ) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION, ProcessItem->ProcessId ); if (NT_SUCCESS(status)) { if (ClearThrottlingState) { PhSetProcessPriorityClass(processHandle, PROCESS_PRIORITY_CLASS_NORMAL); status = PhSetProcessPowerThrottlingState(processHandle, 0, 0); } else { // Taskmgr sets the process priority to idle before enabling 'Eco mode'. (dmex) PhSetProcessPriorityClass(processHandle, PROCESS_PRIORITY_CLASS_IDLE); status = PhSetProcessPowerThrottlingState( processHandle, POWER_THROTTLING_PROCESS_EXECUTION_SPEED, POWER_THROTTLING_PROCESS_EXECUTION_SPEED ); } NtClose(processHandle); } return status; } ================================================ FILE: SystemInformer/anawait.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * */ /* * There are two ways of seeing what a thread is waiting on. The first method * is to walk the stack of a thread and read the arguments to whatever system * call it is blocking on; this only works on x86 because on x64 the arguments * are passed in registers (at least the first four are). The second method * involves using the ThreadLastSystemCall info class for NtQueryInformationThread * to retrieve the first argument to the system call the thread is blocking on. * This is obviously only useful for NtWaitForSingleObject. * * There are other methods for specific scenarios, like USER messages and ALPC * calls. */ #include #include #include #include typedef struct _ANALYZE_WAIT_CONTEXT { BOOLEAN Found; BOOLEAN IsWow64Process; HANDLE ProcessId; HANDLE ThreadId; HANDLE ProcessHandle; PPH_SYMBOL_PROVIDER SymbolProvider; PH_STRING_BUILDER StringBuilder; PVOID PrevParams[4]; } ANALYZE_WAIT_CONTEXT, *PANALYZE_WAIT_CONTEXT; VOID PhpAnalyzeWaitPassive( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ HANDLE ThreadId ); _Function_class_(PH_WALK_THREAD_STACK_CALLBACK) BOOLEAN NTAPI PhpWalkThreadStackAnalyzeCallback( _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_ PVOID Context ); VOID PhpAnalyzeWaitFallbacks( _In_ PANALYZE_WAIT_CONTEXT Context ); VOID PhpInitializeServiceNumbers( VOID ); PPH_STRING PhpaGetHandleString( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle ); VOID PhpGetWfmoInformation( _In_ HANDLE ProcessHandle, _In_ BOOLEAN IsWow64Process, _In_ ULONG NumberOfHandles, _In_ PHANDLE AddressOfHandles, _In_ WAIT_TYPE WaitType, _In_ BOOLEAN Alertable, _Inout_ PPH_STRING_BUILDER StringBuilder ); PPH_STRING PhpaGetSendMessageReceiver( _In_ HANDLE ThreadId ); PPH_STRING PhpaGetAlpcInformation( _In_ HANDLE ThreadId ); static PH_INITONCE ServiceNumbersInitOnce = PH_INITONCE_INIT; static USHORT NumberForWfso = USHRT_MAX; static USHORT NumberForWfmo = USHRT_MAX; static USHORT NumberForRf = USHRT_MAX; VOID PhUiAnalyzeWaitThread( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ PPH_SYMBOL_PROVIDER SymbolProvider ) { NTSTATUS status; HANDLE threadHandle; HANDLE processHandle; #ifdef _WIN64 BOOLEAN isWow64; #endif CLIENT_ID clientId; ANALYZE_WAIT_CONTEXT context; if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessId))) { PhShowStatus(WindowHandle, L"Unable to open the process.", status, 0); return; } #ifdef _WIN64 // Determine if the process is WOW64. If not, we use the passive method. if (!NT_SUCCESS(status = PhGetProcessIsWow64(processHandle, &isWow64)) || !isWow64) { PhpAnalyzeWaitPassive(WindowHandle, ProcessId, ThreadId); NtClose(processHandle); return; } #endif if (!NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_QUERY_LIMITED_INFORMATION | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, ThreadId ))) { PhShowStatus(WindowHandle, L"Unable to open the thread.", status, 0); NtClose(processHandle); return; } memset(&context, 0, sizeof(ANALYZE_WAIT_CONTEXT)); context.ProcessId = ProcessId; context.ThreadId = ThreadId; context.ProcessHandle = processHandle; context.SymbolProvider = SymbolProvider; PhInitializeStringBuilder(&context.StringBuilder, 100); clientId.UniqueProcess = ProcessId; clientId.UniqueThread = ThreadId; PhWalkThreadStack( threadHandle, processHandle, &clientId, SymbolProvider, PH_WALK_USER_WOW64_STACK, PhpWalkThreadStackAnalyzeCallback, &context ); NtClose(threadHandle); NtClose(processHandle); PhpAnalyzeWaitFallbacks(&context); if (context.Found) { PhShowInformationDialog(WindowHandle, PhFinalStringBuilderString(&context.StringBuilder)->Buffer, 0); } else { PhShowInformation2(WindowHandle, L"Unable to analyze the thread.", L"%s", L"The thread does not appear to be waiting."); } PhDeleteStringBuilder(&context.StringBuilder); } VOID PhpAnalyzeWaitPassive( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ HANDLE ThreadId ) { NTSTATUS status; HANDLE processHandle = NULL; HANDLE threadHandle = NULL; PPH_STRING lastSystemCallName; THREAD_LAST_SYSCALL_INFORMATION lastSystemCall; PH_STRING_BUILDER stringBuilder; PPH_STRING string; if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_DUP_HANDLE, ProcessId))) { PhShowStatus(WindowHandle, L"Unable to open the process.", status, 0); goto CleanupExit; } if (!NT_SUCCESS(status = PhOpenThread(&threadHandle, THREAD_GET_CONTEXT, ThreadId))) { PhShowStatus(WindowHandle, L"Unable to open the thread.", status, 0); return; } if (!NT_SUCCESS(status = PhGetThreadLastSystemCall(threadHandle, &lastSystemCall))) { PhShowStatus(WindowHandle, L"Unable to determine whether the thread is waiting.", status, 0); goto CleanupExit; } PhInitializeStringBuilder(&stringBuilder, 100); lastSystemCallName = PhGetSystemCallNumberName(lastSystemCall.SystemCallNumber); if (!PhIsNullOrEmptyString(lastSystemCallName)) { PhAppendStringBuilder2(&stringBuilder, L"Thread is waiting on system call: "); PhAppendStringBuilder(&stringBuilder, &lastSystemCallName->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); if ( PhEqualString2(lastSystemCallName, L"NtWaitForSingleObject", TRUE) ) { string = PhpaGetHandleString(processHandle, lastSystemCall.FirstArgument); PhAppendFormatStringBuilder(&stringBuilder, L"Thread is waiting for:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } else if ( PhEqualString2(lastSystemCallName, L"NtWaitForMultipleObjects", TRUE) || PhEqualString2(lastSystemCallName, L"NtUserMsgWaitForMultipleObjects", TRUE) || PhEqualString2(lastSystemCallName, L"NtUserMsgWaitForMultipleObjectsEx", TRUE) ) { PhAppendFormatStringBuilder(&stringBuilder, L"Thread is waiting for multiple (%lu) objects.", PtrToUlong(lastSystemCall.FirstArgument)); } else if ( PhEqualString2(lastSystemCallName, L"NtReadFile", TRUE) || PhEqualString2(lastSystemCallName, L"NtWriteFile", TRUE) ) { string = PhpaGetHandleString(processHandle, lastSystemCall.FirstArgument); PhAppendFormatStringBuilder(&stringBuilder, L"Thread is waiting for file I/O:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } else { string = PhpaGetSendMessageReceiver(ThreadId); if (string) { PhAppendStringBuilder2(&stringBuilder, L"Thread is sending a USER message:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } else { string = PhpaGetAlpcInformation(ThreadId); if (string) { PhAppendStringBuilder2(&stringBuilder, L"Thread is waiting for an ALPC port:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } } } } else { PhpInitializeServiceNumbers(); if (lastSystemCall.SystemCallNumber == NumberForWfso) { string = PhpaGetHandleString(processHandle, lastSystemCall.FirstArgument); PhAppendFormatStringBuilder(&stringBuilder, L"Thread is waiting for:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } else if (lastSystemCall.SystemCallNumber == NumberForWfmo) { PhAppendFormatStringBuilder(&stringBuilder, L"Thread is waiting for multiple (%lu) objects.", PtrToUlong(lastSystemCall.FirstArgument)); } else if (lastSystemCall.SystemCallNumber == NumberForRf) { string = PhpaGetHandleString(processHandle, lastSystemCall.FirstArgument); PhAppendFormatStringBuilder(&stringBuilder, L"Thread is waiting for file I/O:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } else { string = PhpaGetSendMessageReceiver(ThreadId); if (string) { PhAppendStringBuilder2(&stringBuilder, L"Thread is sending a USER message:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } else { string = PhpaGetAlpcInformation(ThreadId); if (string) { PhAppendStringBuilder2(&stringBuilder, L"Thread is waiting for an ALPC port:\r\n"); PhAppendStringBuilder(&stringBuilder, &string->sr); } } } } if (stringBuilder.String->Length == 0) PhAppendStringBuilder2(&stringBuilder, L"Unable to determine why the thread is waiting."); PhShowInformationDialog(WindowHandle, stringBuilder.String->Buffer, 0); PhDeleteStringBuilder(&stringBuilder); CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (processHandle) { NtClose(processHandle); } } _Function_class_(PH_WALK_THREAD_STACK_CALLBACK) BOOLEAN NTAPI PhpWalkThreadStackAnalyzeCallback( _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_ PVOID Context ) { PANALYZE_WAIT_CONTEXT context = (PANALYZE_WAIT_CONTEXT)Context; PPH_STRING name; name = PhGetSymbolFromAddress( context->SymbolProvider, StackFrame->PcAddress, NULL, NULL, NULL, NULL ); if (PhIsNullOrEmptyString(name)) return TRUE; context->Found = TRUE; #define FUNC_MATCH(Name) PhStartsWithString2(name, L##Name, TRUE) #define NT_FUNC_MATCH(Name) ( \ PhStartsWithString2(name, L"ntdll.dll!Nt" L##Name, TRUE) || \ PhStartsWithString2(name, L"ntdll.dll!Zw" L##Name, TRUE) \ ) if (!name) { // Dummy } else if (FUNC_MATCH("kernel32.dll!Sleep")) { PhAppendFormatStringBuilder( &context->StringBuilder, L"Thread is sleeping. Timeout: %lu milliseconds.", PtrToUlong(StackFrame->Params[0]) ); } else if (NT_FUNC_MATCH("DelayExecution")) { BOOLEAN alertable = !!StackFrame->Params[0]; PVOID timeoutAddress = StackFrame->Params[1]; LONGLONG timeout; if (NT_SUCCESS(PhReadVirtualMemory( context->ProcessHandle, timeoutAddress, &timeout, sizeof(LONGLONG), NULL ))) { if (timeout < 0) { PhAppendFormatStringBuilder( &context->StringBuilder, L"Thread is sleeping. Timeout: %llu milliseconds.", -timeout / PH_TIMEOUT_MS ); } else { // TODO } } else { PhAppendStringBuilder2( &context->StringBuilder, L"Thread is sleeping." ); } } else if (NT_FUNC_MATCH("DeviceIoControlFile")) { HANDLE handle = (HANDLE)StackFrame->Params[0]; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for an I/O control request:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if (NT_FUNC_MATCH("FsControlFile")) { HANDLE handle = StackFrame->Params[0]; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for a FS control request:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if (NT_FUNC_MATCH("QueryObject")) { HANDLE handle = StackFrame->Params[0]; // Use the KiFastSystemCall args if the handle we have is wrong. if ((ULONG_PTR)handle % 4 != 0 || !handle) handle = context->PrevParams[1]; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is querying an object:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if (NT_FUNC_MATCH("ReadFile") || NT_FUNC_MATCH("WriteFile")) { HANDLE handle = StackFrame->Params[0]; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for file I/O:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if (NT_FUNC_MATCH("RemoveIoCompletion") || NT_FUNC_MATCH("RemoveIoCompletionEx")) { HANDLE handle = StackFrame->Params[0]; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for an I/O completion port:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if ( NT_FUNC_MATCH("ReplyWaitReceivePort") || NT_FUNC_MATCH("RequestWaitReplyPort") || NT_FUNC_MATCH("AlpcSendWaitReceivePort") ) { HANDLE handle = StackFrame->Params[0]; PPH_STRING alpcInfo; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for an ALPC port:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); if (alpcInfo = PhpaGetAlpcInformation(context->ThreadId)) { PhAppendStringBuilder2( &context->StringBuilder, L"\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &alpcInfo->sr ); } } else if ( NT_FUNC_MATCH("SetHighWaitLowEventPair") || NT_FUNC_MATCH("SetLowWaitHighEventPair") || NT_FUNC_MATCH("WaitHighEventPair") || NT_FUNC_MATCH("WaitLowEventPair") ) { HANDLE handle = StackFrame->Params[0]; if ((ULONG_PTR)handle % 4 != 0 || !handle) handle = context->PrevParams[1]; PhAppendFormatStringBuilder( &context->StringBuilder, L"Thread is waiting (%s) for an event pair:\r\n", name->Buffer ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if ( FUNC_MATCH("user32.dll!NtUserGetMessage") || FUNC_MATCH("user32.dll!NtUserWaitMessage") ) { PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for a USER message.\r\n" ); } else if (FUNC_MATCH("user32.dll!NtUserMessageCall")) { PPH_STRING receiverString; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is sending a USER message:\r\n" ); receiverString = PhpaGetSendMessageReceiver(context->ThreadId); if (receiverString) { PhAppendStringBuilder(&context->StringBuilder, &receiverString->sr); PhAppendStringBuilder2(&context->StringBuilder, L"\r\n"); } else { PhAppendStringBuilder2(&context->StringBuilder, L"Unknown.\r\n"); } } else if (NT_FUNC_MATCH("WaitForDebugEvent")) { HANDLE handle = StackFrame->Params[0]; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for a debug event:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if ( NT_FUNC_MATCH("WaitForKeyedEvent") || NT_FUNC_MATCH("ReleaseKeyedEvent") ) { HANDLE handle = StackFrame->Params[0]; ULONG_PTR key = (ULONG_PTR)StackFrame->Params[1]; PhAppendFormatStringBuilder( &context->StringBuilder, L"Thread is waiting (%s) for a keyed event (key 0x%Ix):\r\n", name->Buffer, key ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if ( NT_FUNC_MATCH("WaitForMultipleObjects") || FUNC_MATCH("kernel32.dll!WaitForMultipleObjects") ) { ULONG numberOfHandles = PtrToUlong(StackFrame->Params[0]); PVOID addressOfHandles = StackFrame->Params[1]; WAIT_TYPE waitType = (WAIT_TYPE)PtrToUlong(StackFrame->Params[2]); BOOLEAN alertable = !!StackFrame->Params[3]; if (numberOfHandles > MAXIMUM_WAIT_OBJECTS) { numberOfHandles = PtrToUlong(context->PrevParams[1]); addressOfHandles = context->PrevParams[2]; waitType = (WAIT_TYPE)PtrToUlong(context->PrevParams[3]); alertable = FALSE; } PhpGetWfmoInformation( context->ProcessHandle, TRUE, // on x64 this function is only called for WOW64 processes numberOfHandles, addressOfHandles, waitType, alertable, &context->StringBuilder ); } else if ( NT_FUNC_MATCH("WaitForSingleObject") || FUNC_MATCH("kernel32.dll!WaitForSingleObject") ) { HANDLE handle = StackFrame->Params[0]; BOOLEAN alertable = !!StackFrame->Params[1]; if ((ULONG_PTR)handle % 4 != 0 || !handle) { handle = context->PrevParams[1]; alertable = !!context->PrevParams[2]; } PhAppendFormatStringBuilder( &context->StringBuilder, L"Thread is waiting (%s) for:\r\n", alertable ? L"alertable" : L"non-alertable" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if (NT_FUNC_MATCH("WaitForWorkViaWorkerFactory")) { HANDLE handle = StackFrame->Params[0]; PhAppendStringBuilder2( &context->StringBuilder, L"Thread is waiting for work from a worker factory:\r\n" ); PhAppendStringBuilder( &context->StringBuilder, &PhpaGetHandleString(context->ProcessHandle, handle)->sr ); } else if ( FUNC_MATCH("win32u.dll!NtUserMsgWaitForMultipleObjects") || FUNC_MATCH("win32u.dll!NtUserMsgWaitForMultipleObjectsEx") ) { ULONG numberOfHandles = 0; ULONG milliseconds = 0; PVOID addressOfHandles = NULL; BOOLEAN waitAllHandles = FALSE; BOOLEAN alertable = FALSE; if (FUNC_MATCH("win32u.dll!NtUserMsgWaitForMultipleObjects")) { numberOfHandles = PtrToUlong(StackFrame->Params[0]); addressOfHandles = StackFrame->Params[1]; waitAllHandles = !!StackFrame->Params[2]; milliseconds = PtrToUlong(StackFrame->Params[3]); } else { numberOfHandles = PtrToUlong(StackFrame->Params[0]); addressOfHandles = StackFrame->Params[1]; milliseconds = PtrToUlong(StackFrame->Params[2]); ULONG flags = PtrToUlong(StackFrame->Params[3]); if (FlagOn(flags, MWMO_ALERTABLE)) { alertable = TRUE; } if (FlagOn(flags, MWMO_WAITALL)) { waitAllHandles = TRUE; } } // if (numberOfHandles > MAXIMUM_WAIT_OBJECTS) PhpGetWfmoInformation( context->ProcessHandle, TRUE, numberOfHandles, addressOfHandles, waitAllHandles ? WaitAll : WaitAny, alertable, &context->StringBuilder ); } else { context->Found = FALSE; } PhDereferenceObject(name); memcpy(&context->PrevParams, StackFrame->Params, sizeof(StackFrame->Params)); return !context->Found; } VOID PhpAnalyzeWaitFallbacks( _In_ PANALYZE_WAIT_CONTEXT Context ) { PPH_STRING info; // We didn't detect NtUserMessageCall, but this may still apply due to another // win32k system call (e.g. from EnableWindow). if (!Context->Found && (info = PhpaGetSendMessageReceiver(Context->ThreadId))) { PhAppendStringBuilder2( &Context->StringBuilder, L"Thread is sending a USER message:\r\n" ); PhAppendStringBuilder(&Context->StringBuilder, &info->sr); PhAppendStringBuilder2(&Context->StringBuilder, L"\r\n"); Context->Found = TRUE; } // Nt(Alpc)ConnectPort doesn't get detected anywhere else. if (!Context->Found && (info = PhpaGetAlpcInformation(Context->ThreadId))) { PhAppendStringBuilder2( &Context->StringBuilder, L"Thread is waiting for an ALPC port:\r\n" ); PhAppendStringBuilder(&Context->StringBuilder, &info->sr); PhAppendStringBuilder2(&Context->StringBuilder, L"\r\n"); Context->Found = TRUE; } } static BOOLEAN PhpWaitUntilThreadIsWaiting( _In_ HANDLE ThreadHandle ) { ULONG attempts; BOOLEAN isWaiting = FALSE; THREAD_BASIC_INFORMATION basicInfo; if (!NT_SUCCESS(PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return FALSE; for (attempts = 0; attempts < 20; attempts++) { PVOID processes; PSYSTEM_PROCESS_INFORMATION processInfo; ULONG i; PhDelayExecution(100); if (!NT_SUCCESS(PhEnumProcesses(&processes))) break; processInfo = PhFindProcessInformation(processes, basicInfo.ClientId.UniqueProcess); if (processInfo) { for (i = 0; i < processInfo->NumberOfThreads; i++) { if ( processInfo->Threads[i].ClientId.UniqueThread == basicInfo.ClientId.UniqueThread && processInfo->Threads[i].ThreadState == Waiting && (processInfo->Threads[i].WaitReason == UserRequest || processInfo->Threads[i].WaitReason == Executive) ) { isWaiting = TRUE; break; } } } PhFree(processes); if (isWaiting) break; PhDelayExecution(500); } return isWaiting; } _Success_(return) static BOOLEAN PhpGetThreadLastSystemCallNumber( _In_ HANDLE ThreadHandle, _Out_ PUSHORT LastSystemCallNumber ) { THREAD_LAST_SYSCALL_INFORMATION lastSystemCall; if (NT_SUCCESS(PhGetThreadLastSystemCall(ThreadHandle, &lastSystemCall))) { *LastSystemCallNumber = lastSystemCall.SystemCallNumber; return TRUE; } return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhpWfsoThreadStart( _In_ PVOID Parameter ) { HANDLE eventHandle; LARGE_INTEGER timeout; eventHandle = Parameter; timeout.QuadPart = -(LONGLONG)UInt32x32To64(5, PH_TIMEOUT_SEC); NtWaitForSingleObject(eventHandle, FALSE, &timeout); return STATUS_SUCCESS; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhpWfmoThreadStart( _In_ PVOID Parameter ) { HANDLE eventHandle; LARGE_INTEGER timeout; eventHandle = Parameter; timeout.QuadPart = -(LONGLONG)UInt32x32To64(5, PH_TIMEOUT_SEC); NtWaitForMultipleObjects(1, &eventHandle, WaitAll, FALSE, &timeout); return STATUS_SUCCESS; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhpRfThreadStart( _In_ PVOID Parameter ) { HANDLE fileHandle; IO_STATUS_BLOCK isb; ULONG data; fileHandle = Parameter; NtReadFile(fileHandle, NULL, NULL, NULL, &isb, &data, sizeof(ULONG), NULL, NULL); return STATUS_SUCCESS; } VOID PhpInitializeServiceNumbers( VOID ) { if (PhBeginInitOnce(&ServiceNumbersInitOnce)) { NTSTATUS status; HANDLE eventHandle; HANDLE threadHandle; HANDLE pipeReadHandle; HANDLE pipeWriteHandle; // The ThreadLastSystemCall info class only works when the thread is in the Waiting // state. We'll create a thread which blocks on an event object we create, then wait // until it is in the Waiting state. Only then can we query the thread using // ThreadLastSystemCall. // NtWaitForSingleObject status = PhCreateEvent(&eventHandle, EVENT_ALL_ACCESS, NotificationEvent, FALSE); if (NT_SUCCESS(status)) { if (NT_SUCCESS(PhCreateThreadEx(&threadHandle, PhpWfsoThreadStart, eventHandle))) { if (PhpWaitUntilThreadIsWaiting(threadHandle)) { PhpGetThreadLastSystemCallNumber(threadHandle, &NumberForWfso); } // Allow the thread to exit. NtSetEvent(eventHandle, NULL); NtClose(threadHandle); } NtClose(eventHandle); } // NtWaitForMultipleObjects status = PhCreateEvent(&eventHandle, EVENT_ALL_ACCESS, NotificationEvent, FALSE); if (NT_SUCCESS(status)) { if (NT_SUCCESS(PhCreateThreadEx(&threadHandle, PhpWfmoThreadStart, eventHandle))) { if (PhpWaitUntilThreadIsWaiting(threadHandle)) { PhpGetThreadLastSystemCallNumber(threadHandle, &NumberForWfmo); } NtSetEvent(eventHandle, NULL); NtClose(threadHandle); } NtClose(eventHandle); } // NtReadFile status = PhCreatePipe(&pipeReadHandle, &pipeWriteHandle); if (NT_SUCCESS(status)) { if (NT_SUCCESS(PhCreateThreadEx(&threadHandle, PhpRfThreadStart, pipeReadHandle))) { ULONG data = 0; IO_STATUS_BLOCK isb; if (PhpWaitUntilThreadIsWaiting(threadHandle)) { PhpGetThreadLastSystemCallNumber(threadHandle, &NumberForRf); } NtWriteFile(pipeWriteHandle, NULL, NULL, NULL, &isb, &data, sizeof(data), NULL, NULL); NtClose(threadHandle); } NtClose(pipeReadHandle); NtClose(pipeWriteHandle); } PhEndInitOnce(&ServiceNumbersInitOnce); } } PPH_STRING PhpaGetHandleString( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle ) { PPH_STRING typeName = NULL; PPH_STRING name = NULL; PPH_STRING result; PhGetHandleInformation( ProcessHandle, Handle, ULONG_MAX, NULL, &typeName, NULL, &name ); if (typeName && name) { result = PhaFormatString( L"Handle 0x%lx (%s): %s", HandleToUlong(Handle), typeName->Buffer, !PhIsNullOrEmptyString(name) ? name->Buffer : L"(unnamed object)" ); } else { result = PhaFormatString( L"Handle 0x%lx: (error querying handle)", HandleToUlong(Handle) ); } if (typeName) PhDereferenceObject(typeName); if (name) PhDereferenceObject(name); return result; } VOID PhpGetWfmoInformation( _In_ HANDLE ProcessHandle, _In_ BOOLEAN IsWow64Process, _In_ ULONG NumberOfHandles, _In_ PHANDLE AddressOfHandles, _In_ WAIT_TYPE WaitType, _In_ BOOLEAN Alertable, _Inout_ PPH_STRING_BUILDER StringBuilder ) { NTSTATUS status; HANDLE handles[MAXIMUM_WAIT_OBJECTS]; ULONG i; status = STATUS_SUCCESS; if (NumberOfHandles <= MAXIMUM_WAIT_OBJECTS) { #ifdef _WIN64 if (IsWow64Process) { ULONG handles32[MAXIMUM_WAIT_OBJECTS]; if (NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, AddressOfHandles, handles32, NumberOfHandles * sizeof(ULONG), NULL ))) { for (i = 0; i < NumberOfHandles; i++) handles[i] = UlongToHandle(handles32[i]); } } else { #endif status = PhReadVirtualMemory( ProcessHandle, AddressOfHandles, handles, NumberOfHandles * sizeof(HANDLE), NULL ); #ifdef _WIN64 } #endif if (NT_SUCCESS(status)) { PhAppendFormatStringBuilder( StringBuilder, L"Thread is waiting (%s, %s) for:\r\n", Alertable ? L"alertable" : L"non-alertable", WaitType == WaitAll ? L"wait all" : L"wait any" ); for (i = 0; i < NumberOfHandles; i++) { PhAppendStringBuilder( StringBuilder, &PhpaGetHandleString(ProcessHandle, handles[i])->sr ); PhAppendStringBuilder2( StringBuilder, L"\r\n" ); } } } if (!NT_SUCCESS(status) || NumberOfHandles > MAXIMUM_WAIT_OBJECTS) { PhAppendStringBuilder2( StringBuilder, L"Thread is waiting for multiple objects." ); } } PPH_STRING PhpaGetSendMessageReceiver( _In_ HANDLE ThreadId ) { HWND windowHandle; CLIENT_ID clientId; PPH_STRING clientIdName; WCHAR windowClass[64]; PPH_STRING windowText; if (!NT_SUCCESS(PhGetSendMessageReceiver(ThreadId, &windowHandle))) return NULL; if (!NT_SUCCESS(PhGetWindowClientId(windowHandle, &clientId))) return NULL; clientIdName = PH_AUTO(PhGetClientIdName(&clientId)); if (!GetClassName(windowHandle, windowClass, sizeof(windowClass) / sizeof(WCHAR))) windowClass[0] = UNICODE_NULL; windowText = PH_AUTO(PhGetWindowText(windowHandle)); return PhaFormatString(L"Window 0x%Ix (%s): %s \"%s\"", (ULONG_PTR)windowHandle, clientIdName->Buffer, windowClass, PhGetStringOrEmpty(windowText)); } PPH_STRING PhpaGetAlpcInformation( _In_ HANDLE ThreadId ) { NTSTATUS status; PPH_STRING string = NULL; HANDLE threadHandle; PALPC_SERVER_INFORMATION serverInfo; ULONG bufferLength; if (!NT_SUCCESS(PhOpenThread(&threadHandle, THREAD_QUERY_INFORMATION, ThreadId))) return NULL; bufferLength = 0x110; serverInfo = PhAllocate(bufferLength); serverInfo->In.ThreadHandle = threadHandle; status = NtAlpcQueryInformation(NULL, AlpcServerInformation, serverInfo, bufferLength, &bufferLength); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(serverInfo); serverInfo = PhAllocate(bufferLength); serverInfo->In.ThreadHandle = threadHandle; status = NtAlpcQueryInformation(NULL, AlpcServerInformation, serverInfo, bufferLength, &bufferLength); } if (NT_SUCCESS(status) && serverInfo->Out.ThreadBlocked) { CLIENT_ID clientId; PPH_STRING clientIdName; clientId.UniqueProcess = serverInfo->Out.ConnectedProcessId; clientId.UniqueThread = NULL; clientIdName = PH_AUTO(PhGetClientIdName(&clientId)); string = PhaFormatString(L"ALPC Port: %.*s (%s)", serverInfo->Out.ConnectionPortName.Length / sizeof(WCHAR), serverInfo->Out.ConnectionPortName.Buffer, clientIdName->Buffer); } PhFree(serverInfo); NtClose(threadHandle); return string; } ================================================ FILE: SystemInformer/appsup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include /** * Determines whether a process is suspended. * * \param Process The SYSTEM_PROCESS_INFORMATION structure * of the process. */ BOOLEAN PhGetProcessIsSuspended( _In_ PSYSTEM_PROCESS_INFORMATION Process ) { ULONG i; for (i = 0; i < Process->NumberOfThreads; i++) { if ( Process->Threads[i].ThreadState != Waiting || Process->Threads[i].WaitReason != Suspended ) return FALSE; } return Process->UserTime.QuadPart + Process->KernelTime.QuadPart != 0 && Process->NumberOfThreads != 0; } BOOLEAN PhIsProcessSuspended( _In_ HANDLE ProcessId ) { BOOLEAN suspended = FALSE; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; if (NT_SUCCESS(PhEnumProcesses(&processes))) { if (process = PhFindProcessInformation(processes, ProcessId)) { suspended = PhGetProcessIsSuspended(process); } PhFree(processes); } return suspended; } BOOLEAN PhIsProcessBackground( _In_ ULONG PriorityClass ) { // This is similar to PROCESS_MODE_BACKGROUND_BEGIN (dmex) if ( PriorityClass == PROCESS_PRIORITY_CLASS_BELOW_NORMAL || PriorityClass == PROCESS_PRIORITY_CLASS_IDLE ) { return TRUE; } return FALSE; } static CONST PH_KEY_VALUE_PAIR ProcessPriorityClassTypePairs[] = { SIP(SREF(L"Unknown"), PROCESS_PRIORITY_CLASS_UNKNOWN), SIP(SREF(L"Idle"), PROCESS_PRIORITY_CLASS_IDLE), SIP(SREF(L"Normal"), PROCESS_PRIORITY_CLASS_NORMAL), SIP(SREF(L"High"), PROCESS_PRIORITY_CLASS_HIGH), SIP(SREF(L"Real time"), PROCESS_PRIORITY_CLASS_REALTIME), SIP(SREF(L"Below normal"), PROCESS_PRIORITY_CLASS_BELOW_NORMAL), SIP(SREF(L"Above normal"), PROCESS_PRIORITY_CLASS_ABOVE_NORMAL), }; PCPH_STRINGREF PhGetProcessPriorityClassString( _In_ ULONG PriorityClass ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( ProcessPriorityClassTypePairs, sizeof(ProcessPriorityClassTypePairs), PriorityClass, &string )) { return string; } static_assert(ARRAYSIZE(ProcessPriorityClassTypePairs) == PROCESS_PRIORITY_CLASS_ABOVE_NORMAL + 1, "PriorityClassString must equal PROCESS_PRIORITY_CLASS_MAX"); return (PCPH_STRINGREF)ProcessPriorityClassTypePairs[PROCESS_PRIORITY_CLASS_UNKNOWN].Key; //switch (PriorityClass) //{ //case PROCESS_PRIORITY_CLASS_REALTIME: // return L"Real time"; //case PROCESS_PRIORITY_CLASS_HIGH: // return L"High"; //case PROCESS_PRIORITY_CLASS_ABOVE_NORMAL: // return L"Above normal"; //case PROCESS_PRIORITY_CLASS_NORMAL: // return L"Normal"; //case PROCESS_PRIORITY_CLASS_BELOW_NORMAL: // return L"Below normal"; //case PROCESS_PRIORITY_CLASS_IDLE: // return L"Idle"; //case PROCESS_PRIORITY_CLASS_UNKNOWN: //default: // return L"Unknown"; //} } static CONST PH_KEY_VALUE_PAIR PhProtectedTypeStrings[] = { SIP(L"None", NULL), // PsProtectedTypeNone SIP(L"Light", PsProtectedTypeProtectedLight), SIP(L"Full", PsProtectedTypeProtected), }; static CONST PH_KEY_VALUE_PAIR PhProtectedSignerStrings[] = { SIP(L"None", NULL), // PsProtectedSignerNone SIP(L"Authenticode", PsProtectedSignerAuthenticode), SIP(L"CodeGen", PsProtectedSignerCodeGen), SIP(L"Antimalware", PsProtectedSignerAntimalware), SIP(L"Lsa", PsProtectedSignerLsa), SIP(L"Windows", PsProtectedSignerWindows), SIP(L"WinTcb", PsProtectedSignerWinTcb), SIP(L"WinSystem", PsProtectedSignerWinSystem), SIP(L"StoreApp", PsProtectedSignerApp), }; static_assert(RTL_NUMBER_OF(PhProtectedTypeStrings) == PsProtectedTypeMax, "PsProtectedTypeStrings must equal PsProtectedTypeMax (value offsets)"); static_assert(RTL_NUMBER_OF(PhProtectedSignerStrings) == PsProtectedSignerMax, "PhProtectedSignerStrings must equal PsProtectedSignerMax (value offsets)"); PPH_STRING PhGetProcessProtectionString( _In_ PS_PROTECTION Protection, _In_ BOOLEAN IsSecureProcess ) { if (Protection.Level) { static PPH_STRING PhpProtectionNoneString = NULL; PH_FORMAT format[6]; ULONG count = 0; PCWSTR type; PCWSTR signer; if (!PhpProtectionNoneString) PhpProtectionNoneString = PhCreateString(L"None"); if (IsSecureProcess) { PhInitFormatS(&format[count++], L"Secure "); } if (PhIndexStringSiKeyValuePairs( PhProtectedTypeStrings, sizeof(PhProtectedTypeStrings), Protection.Type, &type )) { PhInitFormatS(&format[count++], type); } else { PhInitFormatS(&format[count++], L"Unknown"); } if (PhIndexStringSiKeyValuePairs( PhProtectedSignerStrings, sizeof(PhProtectedSignerStrings), Protection.Signer, &signer )) { PhInitFormatS(&format[count++], L" ("); PhInitFormatS(&format[count++], signer); PhInitFormatS(&format[count++], L")"); } else { PhInitFormatS(&format[count++], L" ("); PhInitFormatS(&format[count++], L"Unknown"); PhInitFormatS(&format[count++], L")"); } if (Protection.Audit) { PhInitFormatS(&format[count++], L" (Audit)"); } return PhFormat(format, count, 10); } else { static PPH_STRING PhpProtectionSecureIUMString = NULL; if (!PhpProtectionSecureIUMString) PhpProtectionSecureIUMString = PhCreateString(L"Secure (IUM)"); if (IsSecureProcess) { return PhReferenceObject(PhpProtectionSecureIUMString); } } return NULL; } /** * Determines the OS compatibility context of a process. * * \param ProcessHandle A handle to a process. * \param Guid A variable which receives a GUID identifying an * operating system version. */ NTSTATUS PhGetProcessSwitchContext( _In_ HANDLE ProcessHandle, _Out_ PGUID Guid ) { NTSTATUS status; PROCESS_BASIC_INFORMATION basicInfo; #ifdef _WIN64 PVOID peb32; ULONG data32; #endif PVOID data; // Reverse-engineered from WdcGetProcessSwitchContext (wdc.dll). // On Windows 8, the function is now SdbGetAppCompatData (apphelp.dll). // On Windows 10, the function is again WdcGetProcessSwitchContext. #ifdef _WIN64 if (NT_SUCCESS(PhGetProcessPeb32(ProcessHandle, &peb32)) && peb32) { if (WindowsVersion >= WINDOWS_8) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(peb32, FIELD_OFFSET(PEB32, pShimData)), &data32, sizeof(ULONG), NULL ))) return status; } else { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(peb32, FIELD_OFFSET(PEB32, pContextData)), &data32, sizeof(ULONG), NULL ))) return status; } data = UlongToPtr(data32); } else { #endif if (!NT_SUCCESS(status = PhGetProcessBasicInformation(ProcessHandle, &basicInfo))) return status; if (WindowsVersion >= WINDOWS_8) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, pShimData)), &data, sizeof(PVOID), NULL ))) return status; } else { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, pContextData)), &data, sizeof(PVOID), NULL ))) return status; } #ifdef _WIN64 } #endif if (!data) return STATUS_UNSUCCESSFUL; // no compatibility context data if (WindowsVersion >= WINDOWS_10_RS5) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(data, 2040 + 24), // Magic value from SbReadProcContextByHandle Guid, sizeof(GUID), NULL ))) return status; } else if (WindowsVersion >= WINDOWS_10_RS2) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(data, 1544), Guid, sizeof(GUID), NULL ))) return status; } else if (WindowsVersion >= WINDOWS_10) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(data, 2040 + 24), // Magic value from SbReadProcContextByHandle Guid, sizeof(GUID), NULL ))) return status; } else if (WindowsVersion >= WINDOWS_8_1) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(data, 2040 + 16), // Magic value from SbReadProcContextByHandle Guid, sizeof(GUID), NULL ))) return status; } else if (WindowsVersion >= WINDOWS_8) { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(data, 2040), // Magic value from SbReadProcContextByHandle Guid, sizeof(GUID), NULL ))) return status; } else { if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(data, 32), // Magic value from WdcGetProcessSwitchContext Guid, sizeof(GUID), NULL ))) return status; } //static ULONG (WINAPI *BaseReadAppCompatDataForProcess_I)( // _In_ HANDLE ProcessHandle, // _Out_ PULONG_PTR ShimData, // _Out_opt_ PULONG_PTR ShimDataBaseAddress // ) = NULL; //static ULONG (WINAPI *BaseFreeAppCompatDataForProcess_I)( // _In_ ULONG_PTR ShimData // ) = NULL; // //if (!BaseReadAppCompatDataForProcess_I) // BaseReadAppCompatDataForProcess_I = PhGetDllProcedureAddressZ(L"kernelbase.dll", "BaseReadAppCompatDataForProcess", 0); //if (!BaseFreeAppCompatDataForProcess_I) // BaseFreeAppCompatDataForProcess_I = PhGetDllProcedureAddressZ(L"kernelbase.dll", "BaseFreeAppCompatDataForProcess", 0); // //if (BaseReadAppCompatDataForProcess_I && BaseFreeAppCompatDataForProcess_I) //{ // ULONG_PTR pShimData; // // if (BaseReadAppCompatDataForProcess_I(ProcessHandle, &pShimData, NULL) == ERROR_SUCCESS) // { // if (WindowsVersion >= WINDOWS_10_RS5) // { // *Guid = *(PGUID)PTR_ADD_OFFSET(pShimData, 2040 + 24); // BaseFreeAppCompatDataForProcess_I(pShimData); // return STATUS_SUCCESS; // } // // BaseFreeAppCompatDataForProcess_I(pShimData); // } // // return STATUS_UNSUCCESSFUL; //} return STATUS_SUCCESS; } NTSTATUS PhGetProcessDefaultHeap( _In_ HANDLE ProcessHandle, _Out_ PVOID *Heap ) { NTSTATUS status; #ifdef _WIN64 BOOLEAN IsWow64; status = PhGetProcessIsWow64(ProcessHandle, &IsWow64); if (!NT_SUCCESS(status)) return status; if (IsWow64) { PVOID peb32; ULONG processHeapsPtr32; status = PhGetProcessPeb32(ProcessHandle, &peb32); if (!NT_SUCCESS(status)) return status; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(peb32, UFIELD_OFFSET(PEB32, ProcessHeap)), &processHeapsPtr32, sizeof(ULONG), NULL ); if (!NT_SUCCESS(status)) return status; if (Heap) { *Heap = UlongToPtr(processHeapsPtr32); } return status; } else { #endif PROCESS_BASIC_INFORMATION basicInfo; PVOID processHeapsPtr; status = PhGetProcessBasicInformation( ProcessHandle, &basicInfo ); if (!NT_SUCCESS(status)) return status; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.PebBaseAddress, UFIELD_OFFSET(PEB, ProcessHeap)), &processHeapsPtr, sizeof(PVOID), NULL ); if (!NT_SUCCESS(status)) return status; if (Heap) { *Heap = processHeapsPtr; } return status; #ifdef _WIN64 } #endif } /** * Determines the type of a process based on its image file name. * * \param ProcessHandle A handle to a process. * \param KnownProcessType A variable which receives the process * type. */ NTSTATUS PhGetProcessKnownType( _In_ HANDLE ProcessHandle, _Out_ PH_KNOWN_PROCESS_TYPE *KnownProcessType ) { NTSTATUS status; PROCESS_BASIC_INFORMATION basicInfo; PPH_STRING fileName; if (!NT_SUCCESS(status = PhGetProcessBasicInformation( ProcessHandle, &basicInfo ))) return status; if (basicInfo.UniqueProcessId == SYSTEM_PROCESS_ID) { *KnownProcessType = SystemProcessType; return STATUS_SUCCESS; } if (!NT_SUCCESS(status = PhGetProcessImageFileName( ProcessHandle, &fileName ))) { return status; } *KnownProcessType = PhGetProcessKnownTypeEx( basicInfo.UniqueProcessId, fileName ); PhDereferenceObject(fileName); return status; } PH_KNOWN_PROCESS_TYPE PhGetProcessKnownTypeEx( _In_opt_ HANDLE ProcessId, _In_ PPH_STRING FileName ) { PH_KNOWN_PROCESS_TYPE knownProcessType; PH_STRINGREF systemRootPrefix; PPH_STRING fileName; PH_STRINGREF name; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif if (ProcessId == SYSTEM_PROCESS_ID || ProcessId == SYSTEM_IDLE_PROCESS_ID) return SystemProcessType; if (PhIsNullOrEmptyString(FileName)) return UnknownProcessType; PhGetNtSystemRoot(&systemRootPrefix); fileName = PhReferenceObject(FileName); name = fileName->sr; knownProcessType = UnknownProcessType; if (PhStartsWithStringRef(&name, &systemRootPrefix, TRUE)) { // Skip the system root, and we now have three cases: // 1. \\xyz.exe - Windows executable. // 2. \\System32\\xyz.exe - system32 executable. // 3. \\SysWow64\\xyz.exe - system32 executable + WOW64. PhSkipStringRef(&name, systemRootPrefix.Length); if (PhEqualStringRef2(&name, L"\\explorer.exe", TRUE)) { knownProcessType = ExplorerProcessType; } else if ( PhStartsWithStringRef2(&name, L"\\System32", TRUE) #ifdef _WIN64 || (PhStartsWithStringRef2(&name, L"\\SysWOW64", TRUE) && (isWow64 = TRUE, TRUE)) // ugly but necessary #ifdef _M_ARM64 || (PhStartsWithStringRef2(&name, L"\\SysArm32", TRUE) && (isWow64 = TRUE, TRUE)) // ugly but necessary || (PhStartsWithStringRef2(&name, L"\\SyChpe32", TRUE) && (isWow64 = TRUE, TRUE)) // ugly but necessary #endif #endif ) { // System32, SysWow64, SysArm32, and SyChpe32 are all 8 characters long. PhSkipStringRef(&name, 9 * sizeof(WCHAR)); if (FALSE) ; // Dummy else if (PhEqualStringRef2(&name, L"\\smss.exe", TRUE)) knownProcessType = SessionManagerProcessType; else if (PhEqualStringRef2(&name, L"\\csrss.exe", TRUE)) knownProcessType = WindowsSubsystemProcessType; else if (PhEqualStringRef2(&name, L"\\wininit.exe", TRUE)) knownProcessType = WindowsStartupProcessType; else if (PhEqualStringRef2(&name, L"\\services.exe", TRUE)) knownProcessType = ServiceControlManagerProcessType; else if (PhEqualStringRef2(&name, L"\\lsass.exe", TRUE)) knownProcessType = LocalSecurityAuthorityProcessType; else if (PhEqualStringRef2(&name, L"\\lsm.exe", TRUE)) knownProcessType = LocalSessionManagerProcessType; else if (PhEqualStringRef2(&name, L"\\winlogon.exe", TRUE)) knownProcessType = WindowsLogonProcessType; else if (PhEqualStringRef2(&name, L"\\svchost.exe", TRUE)) knownProcessType = ServiceHostProcessType; else if (PhEqualStringRef2(&name, L"\\rundll32.exe", TRUE)) knownProcessType = RunDllAsAppProcessType; else if (PhEqualStringRef2(&name, L"\\dllhost.exe", TRUE)) knownProcessType = ComSurrogateProcessType; else if (PhEqualStringRef2(&name, L"\\taskeng.exe", TRUE)) knownProcessType = TaskHostProcessType; else if (PhEqualStringRef2(&name, L"\\taskhost.exe", TRUE)) knownProcessType = TaskHostProcessType; else if (PhEqualStringRef2(&name, L"\\taskhostex.exe", TRUE)) knownProcessType = TaskHostProcessType; else if (PhEqualStringRef2(&name, L"\\taskhostw.exe", TRUE)) knownProcessType = TaskHostProcessType; else if (PhEqualStringRef2(&name, L"\\wudfhost.exe", TRUE)) knownProcessType = UmdfHostProcessType; else if (PhEqualStringRef2(&name, L"\\wbem\\WmiPrvSE.exe", TRUE)) knownProcessType = WmiProviderHostType; //else if (PhEqualStringRef2(&name, L"\\MicrosoftEdgeCP.exe", TRUE)) // RS5 // knownProcessType = EdgeProcessType; //else if (PhEqualStringRef2(&name, L"\\MicrosoftEdgeSH.exe", TRUE)) // RS5 // knownProcessType = EdgeProcessType; #ifdef _M_IX86 else if (PhEqualStringRef2(&name, L"\\ntvdm.exe", TRUE)) knownProcessType = NtVdmHostProcessType; #endif } //else //{ // if (PhEndsWithStringRef2(&name, L"\\MicrosoftEdgeCP.exe", TRUE)) // RS4 // knownProcessType = EdgeProcessType; // else if (PhEndsWithStringRef2(&name, L"\\MicrosoftEdge.exe", TRUE)) // knownProcessType = EdgeProcessType; // else if (PhEndsWithStringRef2(&name, L"\\ServiceWorkerHost.exe", TRUE)) // knownProcessType = EdgeProcessType; // else if (PhEndsWithStringRef2(&name, L"\\Windows.WARP.JITService.exe", TRUE)) // knownProcessType = EdgeProcessType; //} } PhDereferenceObject(fileName); #ifdef _WIN64 if (isWow64) knownProcessType |= KnownProcessWow64; #endif return knownProcessType; } _Function_class_(PH_COMMAND_LINE_CALLBACK) static BOOLEAN NTAPI PhpSvchostCommandLineCallback( _In_opt_ PCPH_COMMAND_LINE_OPTION Option, _In_opt_ PPH_STRING Value, _In_opt_ PVOID Context ) { PPH_KNOWN_PROCESS_COMMAND_LINE knownCommandLine = Context; if (knownCommandLine && Option && Option->Id == 1) { PhSwapReference(&knownCommandLine->ServiceHost.GroupName, Value); } return TRUE; } _Success_(return) BOOLEAN PhaGetProcessKnownCommandLine( _In_ PPH_STRING CommandLine, _In_ PH_KNOWN_PROCESS_TYPE KnownProcessType, _Out_ PPH_KNOWN_PROCESS_COMMAND_LINE KnownCommandLine ) { switch (KnownProcessType & KnownProcessTypeMask) { case ServiceHostProcessType: { // svchost.exe -k static CONST PH_COMMAND_LINE_OPTION options[] = { { 1, L"k", MandatoryArgumentType } }; KnownCommandLine->ServiceHost.GroupName = NULL; PhParseCommandLine( &CommandLine->sr, options, sizeof(options) / sizeof(PH_COMMAND_LINE_OPTION), PH_COMMAND_LINE_IGNORE_UNKNOWN_OPTIONS, PhpSvchostCommandLineCallback, KnownCommandLine ); if (KnownCommandLine->ServiceHost.GroupName) { PH_AUTO(KnownCommandLine->ServiceHost.GroupName); return TRUE; } else { return FALSE; } } break; case RunDllAsAppProcessType: { // rundll32.exe , ... SIZE_T i; PH_STRINGREF dllNamePart; PH_STRINGREF procedureNamePart; PPH_STRING dllName; PPH_STRING procedureName; i = 0; // Get the rundll32.exe part. dllName = PhParseCommandLinePart(&CommandLine->sr, &i); if (!dllName) return FALSE; PhDereferenceObject(dllName); // Get the DLL name part. while (i < CommandLine->Length / sizeof(WCHAR) && CommandLine->Buffer[i] == L' ') i++; dllName = PhParseCommandLinePart(&CommandLine->sr, &i); if (!dllName) return FALSE; PH_AUTO(dllName); // The procedure name begins after the last comma. if (!PhSplitStringRefAtLastChar(&dllName->sr, L',', &dllNamePart, &procedureNamePart)) return FALSE; dllName = PH_AUTO(PhCreateString2(&dllNamePart)); procedureName = PH_AUTO(PhCreateString2(&procedureNamePart)); // If the DLL name isn't an absolute path, assume it's in system32. // TODO: Use a proper search function. if (PhDetermineDosPathNameType(&dllName->sr) == RtlPathTypeRelative) { dllName = PhGetSystemDirectoryWin32(&dllName->sr); } KnownCommandLine->RunDllAsApp.FileName = dllName; KnownCommandLine->RunDllAsApp.ProcedureName = procedureName; } break; case ComSurrogateProcessType: { // dllhost.exe /processid: static CONST PH_STRINGREF inprocServer32Name = PH_STRINGREF_INIT(L"InprocServer32"); SIZE_T i; ULONG_PTR indexOfProcessId; PPH_STRING argPart; PPH_STRING guidString; GUID guid; HANDLE rootKeyHandle; HANDLE inprocServer32KeyHandle; PPH_STRING fileName; i = 0; // Get the dllhost.exe part. argPart = PhParseCommandLinePart(&CommandLine->sr, &i); if (!argPart) return FALSE; PhDereferenceObject(argPart); // Get the argument part. while (i < (ULONG)CommandLine->Length / sizeof(WCHAR) && CommandLine->Buffer[i] == L' ') i++; argPart = PhParseCommandLinePart(&CommandLine->sr, &i); if (!argPart) return FALSE; PH_AUTO(argPart); // Find "/processid:"; the GUID is just after that. PhUpperStringRef(&argPart->sr); indexOfProcessId = PhFindStringInString(argPart, 0, L"/PROCESSID:"); if (indexOfProcessId == SIZE_MAX) return FALSE; guidString = PhaSubstring( argPart, indexOfProcessId + 11, argPart->Length / sizeof(WCHAR) - indexOfProcessId - 11 ); if (!NT_SUCCESS(PhStringToGuid(&guidString->sr, &guid))) return FALSE; KnownCommandLine->ComSurrogate.Guid = guid; KnownCommandLine->ComSurrogate.Name = NULL; KnownCommandLine->ComSurrogate.FileName = NULL; // Lookup the GUID in the registry to determine the name and file name. if (NT_SUCCESS(PhOpenKey( &rootKeyHandle, KEY_READ, PH_KEY_CLASSES_ROOT, &PhaConcatStrings2(L"CLSID\\", guidString->Buffer)->sr, 0 ))) { KnownCommandLine->ComSurrogate.Name = PH_AUTO(PhQueryRegistryString(rootKeyHandle, NULL)); if (NT_SUCCESS(PhOpenKey( &inprocServer32KeyHandle, KEY_READ, rootKeyHandle, &inprocServer32Name, 0 ))) { KnownCommandLine->ComSurrogate.FileName = PH_AUTO(PhQueryRegistryString(inprocServer32KeyHandle, NULL)); if (fileName = PH_AUTO(PhExpandEnvironmentStrings(&KnownCommandLine->ComSurrogate.FileName->sr))) { KnownCommandLine->ComSurrogate.FileName = fileName; } NtClose(inprocServer32KeyHandle); } NtClose(rootKeyHandle); } else if (NT_SUCCESS(PhOpenKey( &rootKeyHandle, KEY_READ, PH_KEY_CLASSES_ROOT, &PhaConcatStrings2(L"AppID\\", guidString->Buffer)->sr, 0 ))) { KnownCommandLine->ComSurrogate.Name = PH_AUTO(PhQueryRegistryString(rootKeyHandle, NULL)); NtClose(rootKeyHandle); } } break; default: return FALSE; } return TRUE; } PPH_STRING PhEscapeStringForDelimiter( _In_ PPH_STRING String, _In_ WCHAR Delimiter ) { PH_STRING_BUILDER stringBuilder; SIZE_T length; SIZE_T i; WCHAR temp[2]; length = String->Length / sizeof(WCHAR); PhInitializeStringBuilder(&stringBuilder, String->Length / sizeof(WCHAR) * 3); temp[0] = L'\\'; for (i = 0; i < length; i++) { if (String->Buffer[i] == L'\\' || String->Buffer[i] == Delimiter) { temp[1] = String->Buffer[i]; PhAppendStringBuilderEx(&stringBuilder, temp, 4); } else { PhAppendCharStringBuilder(&stringBuilder, String->Buffer[i]); } } return PhFinalStringBuilderString(&stringBuilder); } PPH_STRING PhUnescapeStringForDelimiter( _In_ PPH_STRING String, _In_ WCHAR Delimiter ) { PH_STRING_BUILDER stringBuilder; SIZE_T length; SIZE_T i; length = String->Length / sizeof(WCHAR); PhInitializeStringBuilder(&stringBuilder, String->Length / sizeof(WCHAR) * 3); for (i = 0; i < length; i++) { if (String->Buffer[i] == L'\\') { if (i != length - 1) { PhAppendCharStringBuilder(&stringBuilder, String->Buffer[i + 1]); i++; } else { // Trailing backslash. Just ignore it. break; } } else { PhAppendCharStringBuilder(&stringBuilder, String->Buffer[i]); } } return PhFinalStringBuilderString(&stringBuilder); } VOID PhSearchOnlineString( _In_ HWND WindowHandle, _In_ PCWSTR String ) { PhShellExecuteUserString(WindowHandle, SETTING_SEARCH_ENGINE, String, TRUE, NULL); } VOID PhShellExecuteUserString( _In_ HWND WindowHandle, _In_ PCWSTR Setting, _In_ PCWSTR String, _In_ BOOLEAN UseShellExecute, _In_opt_ PCWSTR ErrorMessage ) { static CONST PH_STRINGREF replacementToken = PH_STRINGREF_INIT(L"%s"); PPH_STRING applicationDirectory; PPH_STRING executeString; PH_STRINGREF stringBefore; PH_STRINGREF stringAfter; PPH_STRING ntMessage; // Get the execute command. (dmex) executeString = PhGetStringSetting(Setting); if (PhEqualString2(executeString, L"%SystemRoot%\\explorer.exe /select,\"%s\"", TRUE)) { // Special case: Use PhShowFileInExplorer for this specific setting. (dmex) if (String[0] == OBJ_NAME_PATH_SEPARATOR) { PPH_STRING stringTemp; PPH_STRING stringMiddle; stringTemp = PhCreateString(String); stringMiddle = PhGetFileName(stringTemp); PhShellExploreFile(WindowHandle, PhGetString(stringMiddle)); PhDereferenceObject(stringMiddle); PhDereferenceObject(stringTemp); } else { PhShellExploreFile(WindowHandle, String); } PhDereferenceObject(executeString); return; } // Expand environment strings. (dmex) PhMoveReference(&executeString, PhExpandEnvironmentStrings(&executeString->sr)); if (!(applicationDirectory = PhGetApplicationDirectoryWin32())) { PhShowStatus(WindowHandle, L"Unable to locate the application directory.", STATUS_NOT_FOUND, 0); return; } // Make sure the user executable string is absolute. We can't use PhDetermineDosPathNameType // here because the string may be a URL. (dmex) if (PhFindCharInString(executeString, 0, L':') == SIZE_MAX) { static CONST PH_STRINGREF separator = PH_STRINGREF_INIT(L"\""); static CONST PH_STRINGREF space = PH_STRINGREF_INIT(L" "); PPH_LIST stringArgList; PPH_STRING fileName = NULL; PPH_STRING fileArgs = NULL; // HACK: Escape the individual executeString components. (dmex) if (stringArgList = PhCommandLineToList(executeString->Buffer)) { fileName = PhReferenceObject(stringArgList->Items[0]); if (stringArgList->Count == 2) { fileArgs = PhReferenceObject(stringArgList->Items[1]); } PhDereferenceObjects(stringArgList->Items, stringArgList->Count); PhDereferenceObject(stringArgList); } if (fileName && fileArgs) { // Make sure the string is absolute and escape the filename. if (PhDetermineDosPathNameType(&fileName->sr) == RtlPathTypeRelative) { PhMoveReference(&fileName, PhConcatStringRef3(&separator, &applicationDirectory->sr, &fileName->sr)); PhMoveReference(&fileName, PhConcatStringRef2(&fileName->sr, &separator)); } else { PhMoveReference(&fileName, PhConcatStringRef3(&separator, &fileName->sr, &separator)); } // Escape the parameters. PhMoveReference(&fileArgs, PhConcatStringRef3(&separator, &fileArgs->sr, &separator)); // Create the escaped execute string. PhMoveReference(&executeString, PhConcatStringRef3(&fileName->sr, &space, &fileArgs->sr)); } else { if (PhDetermineDosPathNameType(&executeString->sr) == RtlPathTypeRelative) { PhMoveReference(&executeString, PhConcatStringRef3(&separator, &applicationDirectory->sr, &executeString->sr)); PhMoveReference(&executeString, PhConcatStringRef2(&executeString->sr, &separator)); } else { PhMoveReference(&executeString, PhConcatStringRef3(&separator, &executeString->sr, &separator)); } } PhClearReference(&fileArgs); PhClearReference(&fileName); } // Replace the token with the string, or use the original string if the token is not present. if (PhSplitStringRefAtString(&executeString->sr, &replacementToken, FALSE, &stringBefore, &stringAfter)) { // Note: See PhGetProcessImageFileNameWin32 for a description of // the issue with some filenames and faulty RamDisk software (dmex) if (String[0] == OBJ_NAME_PATH_SEPARATOR) // Workaround faulty software (dmex) { PPH_STRING stringTemp; PPH_STRING stringMiddle; stringTemp = PhCreateString(String); stringMiddle = PhGetFileName(stringTemp); PhMoveReference(&executeString, PhConcatStringRef3(&stringBefore, &stringMiddle->sr, &stringAfter)); PhDereferenceObject(stringMiddle); PhDereferenceObject(stringTemp); } else { PH_STRINGREF stringMiddle; PhInitializeStringRefLongHint(&stringMiddle, String); PhMoveReference(&executeString, PhConcatStringRef3(&stringBefore, &stringMiddle, &stringAfter)); } } if (UseShellExecute) { PhShellExecute(WindowHandle, executeString->Buffer, NULL); } else { NTSTATUS status; HANDLE processHandle; status = PhCreateProcessWin32( NULL, executeString->Buffer, NULL, NULL, 0, NULL, &processHandle, NULL ); if (NT_SUCCESS(status)) { PhConsoleSetForeground(processHandle, TRUE); NtClose(processHandle); } else { if (ErrorMessage) { ntMessage = PhGetNtMessage(status); PhShowError2( WindowHandle, L"Unable to execute the command.", L"%s\n%s", PhGetStringOrDefault(ntMessage, L"An unknown error occurred."), ErrorMessage ); PhDereferenceObject(ntMessage); } else { PhShowStatus(WindowHandle, L"Unable to execute the command.", status, 0); } } } PhDereferenceObject(executeString); PhDereferenceObject(applicationDirectory); } VOID PhLoadSymbolProviderOptions( _Inout_ PPH_SYMBOL_PROVIDER SymbolProvider ) { static CONST PH_STRINGREF symbolPath = PH_STRINGREF_INIT(L"_NT_SYMBOL_PATH"); PPH_STRING searchPath = NULL; PhSetOptionsSymbolProvider( PH_SYMOPT_UNDNAME | PH_SYMOPT_VERIFY_MICROSOFT_CHAIN, (PhGetIntegerSetting(SETTING_DBGHELP_UNDECORATE) ? PH_SYMOPT_UNDNAME : 0) | (PhGetIntegerSetting(SETTING_DBGHELP_VERIFY_MICROSOFT_CHAIN) ? PH_SYMOPT_VERIFY_MICROSOFT_CHAIN : 0) ); PhQueryEnvironmentVariable(NULL, &symbolPath, &searchPath); if (PhIsNullOrEmptyString(searchPath)) searchPath = PhGetStringSetting(SETTING_DBGHELP_SEARCH_PATH); if (!PhIsNullOrEmptyString(searchPath)) PhSetSearchPathSymbolProvider(SymbolProvider, searchPath->Buffer); if (searchPath) PhDereferenceObject(searchPath); } /** * Copies a string into a NMLVGETINFOTIP structure. * * \param GetInfoTip The NMLVGETINFOTIP structure. * \param Tip The string to copy. * * \remarks The text is truncated if it is too long. */ VOID PhCopyListViewInfoTip( _Inout_ LPNMLVGETINFOTIP GetInfoTip, _In_ PPH_STRINGREF Tip ) { ULONG copyIndex; ULONG bufferRemaining; ULONG copyLength; if (GetInfoTip->dwFlags == 0) { copyIndex = (ULONG)PhCountStringZ(GetInfoTip->pszText) + 1; // plus one for newline if (GetInfoTip->cchTextMax - copyIndex < 2) // need at least two bytes return; bufferRemaining = GetInfoTip->cchTextMax - copyIndex - 1; GetInfoTip->pszText[copyIndex - 1] = L'\n'; } else { copyIndex = 0; bufferRemaining = GetInfoTip->cchTextMax; } copyLength = min((ULONG)Tip->Length / sizeof(WCHAR), bufferRemaining - 1); memcpy( &GetInfoTip->pszText[copyIndex], Tip->Buffer, copyLength * sizeof(WCHAR) ); GetInfoTip->pszText[copyIndex + copyLength] = UNICODE_NULL; } VOID PhCopyListView( _In_ HWND ListViewHandle ) { PPH_STRING text; text = PhGetListViewText(ListViewHandle); PhSetClipboardString(ListViewHandle, &text->sr); PhDereferenceObject(text); } VOID PhHandleListViewNotifyForCopy( _In_ LPARAM lParam, _In_ HWND ListViewHandle ) { PhHandleListViewNotifyBehaviors(lParam, ListViewHandle, PH_LIST_VIEW_CTRL_C_BEHAVIOR); } VOID PhHandleListViewNotifyBehaviors( _In_ LPARAM lParam, _In_ HWND ListViewHandle, _In_ ULONG Behaviors ) { #pragma warning(push) #pragma warning(disable:26454) // disable Windows SDK warning (dmex) if (((LPNMHDR)lParam)->hwndFrom == ListViewHandle && ((LPNMHDR)lParam)->code == LVN_KEYDOWN) { LPNMLVKEYDOWN keyDown = (LPNMLVKEYDOWN)lParam; switch (keyDown->wVKey) { case 'C': if (Behaviors & PH_LIST_VIEW_CTRL_C_BEHAVIOR) { if (GetKeyState(VK_CONTROL) < 0) PhCopyListView(ListViewHandle); } break; case 'A': if (Behaviors & PH_LIST_VIEW_CTRL_A_BEHAVIOR) { if (GetKeyState(VK_CONTROL) < 0) PhSetStateAllListViewItems(ListViewHandle, LVIS_SELECTED, LVIS_SELECTED); } break; } } #pragma warning(pop) } BOOLEAN PhGetListViewContextMenuPoint( _In_ HWND ListViewHandle, _Out_ PPOINT Point ) { LONG selectedIndex; RECT bounds; RECT clientRect; // The user pressed a key to display the context menu. // Suggest where the context menu should display. if ((selectedIndex = PhFindListViewItemByFlags(ListViewHandle, INT_ERROR, LVNI_SELECTED)) != INT_ERROR) { if (ListView_GetItemRect(ListViewHandle, selectedIndex, &bounds, LVIR_BOUNDS)) { LONG dpiValue = PhGetWindowDpi(ListViewHandle); Point->x = bounds.left + PhGetSystemMetrics(SM_CXSMICON, dpiValue) / 2; Point->y = bounds.top + PhGetSystemMetrics(SM_CYSMICON, dpiValue) / 2; if (!PhGetClientRect(ListViewHandle, &clientRect)) return FALSE; if (Point->x < 0 || Point->y < 0 || Point->x >= clientRect.right || Point->y >= clientRect.bottom) { // The menu is going to be outside of the control. Just put it at the top-left. Point->x = 0; Point->y = 0; } ClientToScreen(ListViewHandle, Point); return TRUE; } } Point->x = 0; Point->y = 0; ClientToScreen(ListViewHandle, Point); return FALSE; } VOID PhSetWindowOpacity( _In_ HWND WindowHandle, _In_ ULONG OpacityPercent ) { if (OpacityPercent == 0) { // Make things a bit faster by removing the WS_EX_LAYERED bit. PhSetWindowExStyle(WindowHandle, WS_EX_LAYERED, 0); RedrawWindow(WindowHandle, NULL, NULL, RDW_ERASE | RDW_INVALIDATE | RDW_FRAME | RDW_ALLCHILDREN); return; } PhSetWindowExStyle(WindowHandle, WS_EX_LAYERED, WS_EX_LAYERED); // Disallow opacity values of less than 10%. OpacityPercent = min(OpacityPercent, 90); // The opacity value is backwards - 0 means opaque, 100 means transparent. SetLayeredWindowAttributes( WindowHandle, 0, (BYTE)(255 * (100 - OpacityPercent) / 100), LWA_ALPHA ); } PPH_STRING PhGetPhVersion( VOID ) { PH_FORMAT format[7]; PhInitFormatU(&format[0], PHAPP_VERSION_MAJOR); PhInitFormatC(&format[1], L'.'); PhInitFormatU(&format[2], PHAPP_VERSION_MINOR); PhInitFormatC(&format[3], L'.'); PhInitFormatU(&format[4], PHAPP_VERSION_BUILD); PhInitFormatC(&format[5], L'.'); PhInitFormatU(&format[6], PHAPP_VERSION_REVISION); return PhFormat(format, RTL_NUMBER_OF(format), 0); } VOID PhGetPhVersionNumbers( _Out_opt_ PULONG MajorVersion, _Out_opt_ PULONG MinorVersion, _Out_opt_ PULONG BuildNumber, _Out_opt_ PULONG RevisionNumber ) { if (MajorVersion) *MajorVersion = PHAPP_VERSION_MAJOR; if (MinorVersion) *MinorVersion = PHAPP_VERSION_MINOR; if (BuildNumber) *BuildNumber = PHAPP_VERSION_BUILD; if (RevisionNumber) *RevisionNumber = PHAPP_VERSION_REVISION; } PPH_STRING PhGetPhVersionHash( VOID ) { return PhConvertUtf8ToUtf16(PHAPP_VERSION_COMMIT); } PH_RELEASE_CHANNEL PhGetPhReleaseChannel( VOID ) { return PhGetIntegerSetting(SETTING_RELEASE_CHANNEL); } PCWSTR PhGetPhReleaseChannelString( VOID ) { switch (PhGetIntegerSetting(SETTING_RELEASE_CHANNEL)) { case PhReleaseChannel: return L"Release"; case PhPreviewChannel: return L"Preview"; case PhCanaryChannel: return L"Canary"; case PhDeveloperChannel: return L"Developer"; } return L"Unknown"; } VOID PhWritePhTextHeader( _Inout_ PPH_FILE_STREAM FileStream ) { PPH_STRING version; LARGE_INTEGER time; SYSTEMTIME systemTime; PPH_STRING timeString; PhWriteStringAsUtf8FileStream2(FileStream, L"System Informer "); if (version = PhGetPhVersion()) { PhWriteStringAsUtf8FileStream(FileStream, &version->sr); PhDereferenceObject(version); } PhWriteStringFormatAsUtf8FileStream(FileStream, L"\r\nWindows NT %lu.%lu", PhOsVersion.MajorVersion, PhOsVersion.MinorVersion); if (PhOsVersion.CSDVersion[0] != UNICODE_NULL) PhWriteStringFormatAsUtf8FileStream(FileStream, L" %s", PhOsVersion.CSDVersion); #ifdef _WIN64 PhWriteStringAsUtf8FileStream2(FileStream, L" (64-bit)"); #else PhWriteStringAsUtf8FileStream2(FileStream, L" (32-bit)"); #endif PhQuerySystemTime(&time); PhLargeIntegerToLocalSystemTime(&systemTime, &time); timeString = PhFormatDateTime(&systemTime); PhWriteStringFormatAsUtf8FileStream(FileStream, L"\r\n%s\r\n\r\n", timeString->Buffer); PhDereferenceObject(timeString); } NTSTATUS PhShellProcessHacker( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Parameters, _In_ ULONG ShowWindowType, _In_ ULONG Flags, _In_ ULONG AppFlags, _In_opt_ ULONG Timeout, _Out_opt_ PHANDLE ProcessHandle ) { return PhShellProcessHackerEx( WindowHandle, NULL, Parameters, ShowWindowType, Flags, AppFlags, Timeout, ProcessHandle ); } VOID PhpAppendCommandLineArgument( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ PCWSTR Name, _In_ PPH_STRINGREF Value ) { PPH_STRING temp; PhAppendStringBuilder2(StringBuilder, L" -"); PhAppendStringBuilder2(StringBuilder, Name); PhAppendStringBuilder2(StringBuilder, L" \""); temp = PhEscapeCommandLinePart(Value); PhAppendStringBuilder(StringBuilder, &temp->sr); PhDereferenceObject(temp); PhAppendCharStringBuilder(StringBuilder, L'\"'); } NTSTATUS PhShellProcessHackerEx( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR FileName, _In_opt_ PCWSTR Parameters, _In_ ULONG ShowWindowType, _In_ ULONG Flags, _In_ ULONG AppFlags, _In_opt_ ULONG Timeout, _Out_opt_ PHANDLE ProcessHandle ) { NTSTATUS status; PPH_STRING applicationFileName; PH_STRING_BUILDER sb; PCWSTR parameters; if (!(applicationFileName = PhGetApplicationFileNameWin32())) return FALSE; if (AppFlags & PH_SHELL_APP_PROPAGATE_PARAMETERS) { PhInitializeStringBuilder(&sb, 128); // Propagate parameters. if (PhStartupParameters.NoSettings) { PhAppendStringBuilder2(&sb, L" -nosettings"); } else { if (!PhIsNullOrEmptyString(PhSettingsFileName)) { PhAppendStringBuilder2(&sb, L" -settings \""); PhAppendStringBuilder(&sb, &PhSettingsFileName->sr); PhAppendStringBuilder2(&sb, L"\""); } } if (PhStartupParameters.NoKph) PhAppendStringBuilder2(&sb, L" -nokph"); if (PhStartupParameters.Debug) PhAppendStringBuilder2(&sb, L" -debug"); if (PhStartupParameters.NoPlugins) PhAppendStringBuilder2(&sb, L" -noplugins"); if (PhStartupParameters.NewInstance) PhAppendStringBuilder2(&sb, L" -newinstance"); if (PhStartupParameters.SelectPid != 0) PhAppendFormatStringBuilder(&sb, L" -selectpid %lu", PhStartupParameters.SelectPid); if (PhStartupParameters.PriorityClass != 0) { CHAR value = 0; switch (PhStartupParameters.PriorityClass) { case PROCESS_PRIORITY_CLASS_REALTIME: value = L'r'; break; case PROCESS_PRIORITY_CLASS_HIGH: value = L'h'; break; case PROCESS_PRIORITY_CLASS_NORMAL: value = L'n'; break; case PROCESS_PRIORITY_CLASS_IDLE: value = L'l'; break; } if (value != 0) { PhAppendStringBuilder2(&sb, L" -priority "); PhAppendCharStringBuilder(&sb, value); } } if (PhStartupParameters.PluginParameters) { ULONG i; for (i = 0; i < PhStartupParameters.PluginParameters->Count; i++) { PPH_STRING value = PhStartupParameters.PluginParameters->Items[i]; PhpAppendCommandLineArgument(&sb, L"plugin", &value->sr); } } if (PhStartupParameters.SelectTab) PhpAppendCommandLineArgument(&sb, L"selecttab", &PhStartupParameters.SelectTab->sr); if (!(AppFlags & PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY)) { if (PhStartupParameters.ShowVisible) PhAppendStringBuilder2(&sb, L" -v"); if (PhStartupParameters.ShowHidden) PhAppendStringBuilder2(&sb, L" -hide"); } // Add user-specified parameters last so they can override the propagated parameters. if (Parameters) { PhAppendCharStringBuilder(&sb, L' '); PhAppendStringBuilder2(&sb, Parameters); } if (sb.String->Length != 0 && sb.String->Buffer[0] == L' ') parameters = sb.String->Buffer + 1; else parameters = sb.String->Buffer; } else { parameters = Parameters; } status = PhShellExecuteEx( WindowHandle, FileName ? FileName : PhGetString(applicationFileName), parameters, NULL, ShowWindowType, Flags, Timeout, ProcessHandle ); if (AppFlags & PH_SHELL_APP_PROPAGATE_PARAMETERS) PhDeleteStringBuilder(&sb); PhDereferenceObject(applicationFileName); return status; } BOOLEAN PhCreateProcessIgnoreIfeoDebugger( _In_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine ) { BOOLEAN result; BOOLEAN originalValue; HANDLE processHandle; result = FALSE; RtlAcquirePebLock(); originalValue = NtCurrentPeb()->ReadImageFileExecOptions; NtCurrentPeb()->ReadImageFileExecOptions = FALSE; RtlReleasePebLock(); // The combination of ReadImageFileExecOptions = FALSE and the DEBUG_PROCESS flag // allows us to skip the Debugger IFEO value. (wj32) if (NT_SUCCESS(PhCreateProcessWin32( FileName, CommandLine, NULL, NULL, PH_CREATE_PROCESS_DEBUG | PH_CREATE_PROCESS_DEBUG_ONLY_THIS_PROCESS, NULL, &processHandle, NULL ))) { HANDLE debugObjectHandle; if (NT_SUCCESS(PhGetProcessDebugObject( processHandle, &debugObjectHandle ))) { // Disable kill-on-close. if (NT_SUCCESS(PhSetDebugKillProcessOnExit( debugObjectHandle, FALSE ))) { // Stop debugging the process now. NtRemoveProcessDebug(processHandle, debugObjectHandle); } NtClose(debugObjectHandle); } // Ignore the debug object status. result = TRUE; PhConsoleSetForeground(processHandle, TRUE); NtClose(processHandle); } if (originalValue) { RtlAcquirePebLock(); NtCurrentPeb()->ReadImageFileExecOptions = originalValue; RtlReleasePebLock(); } return result; } VOID PhInitializeTreeNewColumnMenu( _Inout_ PPH_TN_COLUMN_MENU_DATA Data ) { PhInitializeTreeNewColumnMenuEx(Data, 0); } VOID PhInitializeTreeNewColumnMenuEx( _Inout_ PPH_TN_COLUMN_MENU_DATA Data, _In_ ULONG Flags ) { PPH_EMENU_ITEM resetSortMenuItem = NULL; PPH_EMENU_ITEM sizeColumnToFitMenuItem; PPH_EMENU_ITEM sizeAllColumnsToFitMenuItem; PPH_EMENU_ITEM hideColumnMenuItem = NULL; PPH_EMENU_ITEM chooseColumnsMenuItem = NULL; ULONG minimumNumberOfColumns; Data->Menu = PhCreateEMenu(); Data->Selection = NULL; Data->ProcessedId = 0; sizeColumnToFitMenuItem = PhCreateEMenuItem(0, PH_TN_COLUMN_MENU_SIZE_COLUMN_TO_FIT_ID, L"Size column to fit", NULL, NULL); sizeAllColumnsToFitMenuItem = PhCreateEMenuItem(0, PH_TN_COLUMN_MENU_SIZE_ALL_COLUMNS_TO_FIT_ID, L"Size all columns to fit", NULL, NULL); if (!(Flags & PH_TN_COLUMN_MENU_NO_VISIBILITY)) { hideColumnMenuItem = PhCreateEMenuItem(0, PH_TN_COLUMN_MENU_HIDE_COLUMN_ID, L"Hide column", NULL, NULL); chooseColumnsMenuItem = PhCreateEMenuItem(0, PH_TN_COLUMN_MENU_CHOOSE_COLUMNS_ID, L"Choose columns...", NULL, NULL); } if (Flags & PH_TN_COLUMN_MENU_SHOW_RESET_SORT) { ULONG sortColumn = 0; PH_SORT_ORDER sortOrder = NoSortOrder; TreeNew_GetSort(Data->TreeNewHandle, &sortColumn, &sortOrder); if (sortOrder != Data->DefaultSortOrder || (Data->DefaultSortOrder != NoSortOrder && sortColumn != Data->DefaultSortColumn)) resetSortMenuItem = PhCreateEMenuItem(0, PH_TN_COLUMN_MENU_RESET_SORT_ID, L"Reset sort", NULL, NULL); } PhInsertEMenuItem(Data->Menu, sizeColumnToFitMenuItem, ULONG_MAX); PhInsertEMenuItem(Data->Menu, sizeAllColumnsToFitMenuItem, ULONG_MAX); if (!(Flags & PH_TN_COLUMN_MENU_NO_VISIBILITY)) { if (hideColumnMenuItem) PhInsertEMenuItem(Data->Menu, hideColumnMenuItem, ULONG_MAX); if (resetSortMenuItem) PhInsertEMenuItem(Data->Menu, resetSortMenuItem, ULONG_MAX); PhInsertEMenuItem(Data->Menu, PhCreateEMenuSeparator(), ULONG_MAX); if (chooseColumnsMenuItem) PhInsertEMenuItem(Data->Menu, chooseColumnsMenuItem, ULONG_MAX); if (TreeNew_GetFixedColumn(Data->TreeNewHandle)) minimumNumberOfColumns = 2; // don't allow user to remove all normal columns (the fixed column can never be removed) else minimumNumberOfColumns = 1; if (!Data->MouseEvent || !Data->MouseEvent->Column || Data->MouseEvent->Column->Fixed || // don't allow the fixed column to be hidden TreeNew_GetVisibleColumnCount(Data->TreeNewHandle) < minimumNumberOfColumns + 1 ) { if (hideColumnMenuItem) PhSetDisabledEMenuItem(hideColumnMenuItem); } } else { if (resetSortMenuItem) PhInsertEMenuItem(Data->Menu, resetSortMenuItem, ULONG_MAX); } if (!Data->MouseEvent || !Data->MouseEvent->Column) { PhSetDisabledEMenuItem(sizeColumnToFitMenuItem); } } VOID PhpEnsureValidSortColumnTreeNew( _Inout_ HWND TreeNewHandle, _In_ ULONG DefaultSortColumn, _In_ PH_SORT_ORDER DefaultSortOrder ) { ULONG sortColumn = 0; PH_SORT_ORDER sortOrder = NoSortOrder; // Make sure the column we're sorting by is actually visible, and if not, don't sort anymore. TreeNew_GetSort(TreeNewHandle, &sortColumn, &sortOrder); if (sortOrder != NoSortOrder) { PH_TREENEW_COLUMN column; TreeNew_GetColumn(TreeNewHandle, sortColumn, &column); if (!column.Visible) { if (DefaultSortOrder != NoSortOrder) { // Make sure the default sort column is visible. TreeNew_GetColumn(TreeNewHandle, DefaultSortColumn, &column); if (!column.Visible) { ULONG maxId; ULONG id; BOOLEAN found; // Use the first visible column. maxId = TreeNew_GetMaxId(TreeNewHandle); id = 0; found = FALSE; while (id <= maxId) { if (TreeNew_GetColumn(TreeNewHandle, id, &column)) { if (column.Visible) { DefaultSortColumn = id; found = TRUE; break; } } id++; } if (!found) { DefaultSortColumn = 0; DefaultSortOrder = NoSortOrder; } } } TreeNew_SetSort(TreeNewHandle, DefaultSortColumn, DefaultSortOrder); } } } BOOLEAN PhHandleTreeNewColumnMenu( _Inout_ PPH_TN_COLUMN_MENU_DATA Data ) { if (!Data->Selection) return FALSE; switch (Data->Selection->Id) { case PH_TN_COLUMN_MENU_RESET_SORT_ID: { TreeNew_SetSort(Data->TreeNewHandle, Data->DefaultSortColumn, Data->DefaultSortOrder); } break; case PH_TN_COLUMN_MENU_SIZE_COLUMN_TO_FIT_ID: { if (Data->MouseEvent && Data->MouseEvent->Column) { TreeNew_AutoSizeColumn(Data->TreeNewHandle, Data->MouseEvent->Column->Id, 0); } } break; case PH_TN_COLUMN_MENU_SIZE_ALL_COLUMNS_TO_FIT_ID: { ULONG maxId; ULONG id; maxId = TreeNew_GetMaxId(Data->TreeNewHandle); id = 0; while (id <= maxId) { TreeNew_AutoSizeColumn(Data->TreeNewHandle, id, 0); id++; } } break; case PH_TN_COLUMN_MENU_HIDE_COLUMN_ID: { PH_TREENEW_COLUMN column; if (Data->MouseEvent && Data->MouseEvent->Column && !Data->MouseEvent->Column->Fixed) { column.Id = Data->MouseEvent->Column->Id; column.Visible = FALSE; TreeNew_SetColumn(Data->TreeNewHandle, TN_COLUMN_FLAG_VISIBLE, &column); PhpEnsureValidSortColumnTreeNew(Data->TreeNewHandle, Data->DefaultSortColumn, Data->DefaultSortOrder); InvalidateRect(Data->TreeNewHandle, NULL, FALSE); } } break; case PH_TN_COLUMN_MENU_CHOOSE_COLUMNS_ID: { PhShowChooseColumnsDialog(Data->TreeNewHandle, Data->TreeNewHandle, PH_CONTROL_TYPE_TREE_NEW); PhpEnsureValidSortColumnTreeNew(Data->TreeNewHandle, Data->DefaultSortColumn, Data->DefaultSortOrder); } break; default: return FALSE; } Data->ProcessedId = Data->Selection->Id; return TRUE; } VOID PhDeleteTreeNewColumnMenu( _In_ PPH_TN_COLUMN_MENU_DATA Data ) { if (Data->Menu) { PhDestroyEMenu(Data->Menu); Data->Menu = NULL; } } VOID PhInitializeTreeNewFilterSupport( _Out_ PPH_TN_FILTER_SUPPORT Support, _In_ HWND TreeNewHandle, _In_ PPH_LIST NodeList ) { Support->FilterList = NULL; Support->TreeNewHandle = TreeNewHandle; Support->NodeList = NodeList; } VOID PhDeleteTreeNewFilterSupport( _In_ PPH_TN_FILTER_SUPPORT Support ) { if (!Support->FilterList) return; PhDereferenceObject(Support->FilterList); Support->FilterList = NULL; } PPH_TN_FILTER_ENTRY PhAddTreeNewFilter( _In_ PPH_TN_FILTER_SUPPORT Support, _In_ PPH_TN_FILTER_FUNCTION Filter, _In_opt_ PVOID Context ) { PPH_TN_FILTER_ENTRY entry; entry = PhAllocate(sizeof(PH_TN_FILTER_ENTRY)); entry->Filter = Filter; entry->Context = Context; if (!Support->FilterList) Support->FilterList = PhCreateList(2); PhAddItemList(Support->FilterList, entry); return entry; } VOID PhRemoveTreeNewFilter( _In_ PPH_TN_FILTER_SUPPORT Support, _In_ PPH_TN_FILTER_ENTRY Entry ) { ULONG index; if (!Support->FilterList) return; index = PhFindItemList(Support->FilterList, Entry); if (index != ULONG_MAX) { PhRemoveItemList(Support->FilterList, index); PhFree(Entry); } } BOOLEAN PhApplyTreeNewFiltersToNode( _In_ PPH_TN_FILTER_SUPPORT Support, _In_ PPH_TREENEW_NODE Node ) { BOOLEAN show; ULONG i; show = TRUE; if (Support->FilterList) { for (i = 0; i < Support->FilterList->Count; i++) { PPH_TN_FILTER_ENTRY entry; entry = Support->FilterList->Items[i]; if (!entry->Filter(Node, entry->Context)) { show = FALSE; break; } } } return show; } VOID PhApplyTreeNewFilters( _In_ PPH_TN_FILTER_SUPPORT Support ) { ULONG i; for (i = 0; i < Support->NodeList->Count; i++) { PPH_TREENEW_NODE node; node = Support->NodeList->Items[i]; node->Visible = PhApplyTreeNewFiltersToNode(Support, node); if (!node->Visible && node->Selected) { node->Selected = FALSE; } } if (Support->NodeList->Count) { TreeNew_NodesStructured(Support->TreeNewHandle); } } _Function_class_(PH_EMENU_ITEM_DELETE_FUNCTION) VOID NTAPI PhpCopyCellEMenuItemDeleteFunction( _In_ PPH_EMENU_ITEM Item ) { PPH_COPY_CELL_CONTEXT context; context = Item->Context; PhDereferenceObject(context->MenuItemText); PhFree(context); } BOOLEAN PhInsertCopyCellEMenuItem( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG InsertAfterId, _In_ HWND TreeNewHandle, _In_ PPH_TREENEW_COLUMN Column ) { PPH_EMENU_ITEM parentItem = NULL; ULONG indexInParent = 0; PPH_COPY_CELL_CONTEXT context; PH_STRINGREF columnText; PPH_STRING escapedText; PPH_STRING menuItemText; PPH_EMENU_ITEM copyCellItem; PH_FORMAT format[3]; if (!Column) return FALSE; if (!PhFindEMenuItemEx(Menu, 0, NULL, InsertAfterId, &parentItem, &indexInParent)) return FALSE; indexInParent++; PhInitializeStringRefLongHint(&columnText, Column->Text); escapedText = PhEscapeStringForMenuPrefix(&columnText); PhInitFormatS(&format[0], L"Copy \""); // Copy \"%s\" PhInitFormatSR(&format[1], escapedText->sr); PhInitFormatS(&format[2], L"\""); menuItemText = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(escapedText); context = PhAllocate(sizeof(PH_COPY_CELL_CONTEXT)); context->TreeNewHandle = TreeNewHandle; context->Id = Column->Id; context->MenuItemText = menuItemText; copyCellItem = PhCreateEMenuItem(0, ID_COPY_CELL, menuItemText->Buffer, NULL, context); copyCellItem->DeleteFunction = PhpCopyCellEMenuItemDeleteFunction; if (Column->CustomDraw) copyCellItem->Flags |= PH_EMENU_DISABLED; PhInsertEMenuItem(parentItem, copyCellItem, indexInParent); return TRUE; } BOOLEAN PhHandleCopyCellEMenuItem( _In_ PPH_EMENU_ITEM SelectedItem ) { PPH_COPY_CELL_CONTEXT context; PH_STRING_BUILDER stringBuilder; ULONG count; ULONG selectedCount; ULONG i; PPH_TREENEW_NODE node; PH_TREENEW_GET_CELL_TEXT getCellText; if (!SelectedItem) return FALSE; if (SelectedItem->Id != ID_COPY_CELL) return FALSE; context = SelectedItem->Context; PhInitializeStringBuilder(&stringBuilder, 0x100); count = TreeNew_GetFlatNodeCount(context->TreeNewHandle); selectedCount = 0; for (i = 0; i < count; i++) { node = TreeNew_GetFlatNode(context->TreeNewHandle, i); if (node && node->Selected) { selectedCount++; getCellText.Flags = 0; getCellText.Node = node; getCellText.Id = context->Id; PhInitializeEmptyStringRef(&getCellText.Text); TreeNew_GetCellText(context->TreeNewHandle, &getCellText); PhAppendStringBuilder(&stringBuilder, &getCellText.Text); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } } if (stringBuilder.String->Length != 0 && selectedCount == 1) PhRemoveEndStringBuilder(&stringBuilder, 2); PhSetClipboardString(context->TreeNewHandle, &stringBuilder.String->sr); PhDeleteStringBuilder(&stringBuilder); return TRUE; } _Function_class_(PH_EMENU_ITEM_DELETE_FUNCTION) VOID NTAPI PhpCopyListViewEMenuItemDeleteFunction( _In_ PPH_EMENU_ITEM Item ) { PPH_COPY_ITEM_CONTEXT context; context = Item->Context; PhDereferenceObject(context->MenuItemText); PhFree(context); } BOOLEAN PhInsertCopyListViewEMenuItem( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG InsertAfterId, _In_ HWND ListViewHandle ) { PPH_EMENU_ITEM parentItem = NULL; ULONG indexInParent = 0; PPH_COPY_ITEM_CONTEXT context; PH_STRINGREF columnText; PPH_STRING escapedText; PPH_STRING menuItemText; PPH_EMENU_ITEM copyMenuItem; POINT location; LVHITTESTINFO lvHitInfo; HDITEM headerItem; HWND headerHandle; PH_FORMAT format[3]; WCHAR headerText[MAX_PATH] = L""; if (!PhGetClientPos(ListViewHandle, &location)) return FALSE; memset(&lvHitInfo, 0, sizeof(LVHITTESTINFO)); lvHitInfo.pt = location; if (ListView_SubItemHitTest(ListViewHandle, &lvHitInfo) == INT_ERROR) return FALSE; memset(&headerItem, 0, sizeof(HDITEM)); headerItem.mask = HDI_TEXT; headerItem.cchTextMax = RTL_NUMBER_OF(headerText); headerItem.pszText = headerText; headerHandle = ListView_GetHeader(ListViewHandle); if (!Header_GetItem(headerHandle, lvHitInfo.iSubItem, &headerItem)) return FALSE; PhInitializeStringRefLongHint(&columnText, headerText); if (PhIsNullOrEmptyStringRef(&columnText)) return FALSE; if (!PhFindEMenuItemEx(Menu, 0, NULL, InsertAfterId, &parentItem, &indexInParent)) return FALSE; indexInParent++; escapedText = PhEscapeStringForMenuPrefix(&columnText); PhInitFormatS(&format[0], L"Copy \""); // Copy \"%s\" PhInitFormatSR(&format[1], escapedText->sr); PhInitFormatS(&format[2], L"\""); menuItemText = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(escapedText); context = PhAllocate(sizeof(PH_COPY_ITEM_CONTEXT)); context->ListViewHandle = ListViewHandle; context->Id = lvHitInfo.iItem; context->SubId = lvHitInfo.iSubItem; context->MenuItemText = menuItemText; copyMenuItem = PhCreateEMenuItem(0, ID_COPY_CELL, menuItemText->Buffer, NULL, context); copyMenuItem->DeleteFunction = PhpCopyListViewEMenuItemDeleteFunction; PhInsertEMenuItem(parentItem, copyMenuItem, indexInParent); return TRUE; } BOOLEAN PhHandleCopyListViewEMenuItem( _In_ PPH_EMENU_ITEM SelectedItem ) { PPH_COPY_ITEM_CONTEXT context; PH_STRING_BUILDER stringBuilder; ULONG state = 0; ULONG count = 0; ULONG selectedCount; ULONG i; PPH_STRING getItemText; if (!SelectedItem) return FALSE; if (SelectedItem->Id != ID_COPY_CELL) return FALSE; context = SelectedItem->Context; PhInitializeStringBuilder(&stringBuilder, 0x100); count = ListView_GetItemCount(context->ListViewHandle); selectedCount = 0; for (i = 0; i < count; i++) { state = ListView_GetItemState(context->ListViewHandle, i, LVIS_SELECTED); if (!FlagOn(state, LVIS_SELECTED)) continue; if (getItemText = PhaGetListViewItemText(context->ListViewHandle, i, context->SubId)) PhAppendStringBuilder(&stringBuilder, &getItemText->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); selectedCount++; } if (stringBuilder.String->Length != 0 && selectedCount == 1) PhRemoveEndStringBuilder(&stringBuilder, 2); PhSetClipboardString(context->ListViewHandle, &stringBuilder.String->sr); PhDeleteStringBuilder(&stringBuilder); return TRUE; } BOOLEAN PhpSelectFavoriteInRegedit( _In_ HWND RegeditWindow, _In_ PPH_STRINGREF FavoriteName, _In_ BOOLEAN UsePhSvc ) { HMENU menu; HMENU favoritesMenu; ULONG count; ULONG i; ULONG id = ULONG_MAX; if (!(menu = GetMenu(RegeditWindow))) return FALSE; // Cause the Registry Editor to refresh the Favorites menu. if (UsePhSvc) PhSvcCallSendMessage(RegeditWindow, WM_MENUSELECT, MAKEWPARAM(3, MF_POPUP), (LPARAM)menu); else PhSendMessageTimeout(RegeditWindow, WM_MENUSELECT, MAKEWPARAM(3, MF_POPUP), (LPARAM)menu, 5000, NULL); if (!(favoritesMenu = GetSubMenu(menu, 3))) return FALSE; // Find our entry. count = GetMenuItemCount(favoritesMenu); if (count == ULONG_MAX) return FALSE; if (count > 1000) count = 1000; for (i = 0; i < count; i++) { MENUITEMINFO info; WCHAR buffer[MAX_PATH]; memset(&info, 0, sizeof(MENUITEMINFO)); info.cbSize = sizeof(MENUITEMINFO); info.fMask = MIIM_ID | MIIM_STRING; info.dwTypeData = buffer; info.cch = RTL_NUMBER_OF(buffer); if (!GetMenuItemInfo(favoritesMenu, i, TRUE, &info)) continue; if (info.cch == FavoriteName->Length / sizeof(WCHAR)) { PH_STRINGREF text; text.Buffer = buffer; text.Length = info.cch * sizeof(WCHAR); if (PhEqualStringRef(&text, FavoriteName, TRUE)) { id = info.wID; break; } } } if (id == ULONG_MAX) return FALSE; // Activate our entry. if (UsePhSvc) PhSvcCallSendMessage(RegeditWindow, WM_COMMAND, MAKEWPARAM(id, 0), 0); else PhSendMessageTimeout(RegeditWindow, WM_COMMAND, MAKEWPARAM(id, 0), 0, 5000, NULL); // "Close" the Favorites menu and restore normal status bar text. if (UsePhSvc) PhSvcCallPostMessage(RegeditWindow, WM_MENUSELECT, MAKEWPARAM(0, 0xffff), 0); else PostMessage(RegeditWindow, WM_MENUSELECT, MAKEWPARAM(0, 0xffff), 0); // Bring regedit to the top. if (IsMinimized(RegeditWindow)) { ShowWindow(RegeditWindow, SW_RESTORE); } SetForegroundWindow(RegeditWindow); return TRUE; } /** * Opens a key in the Registry Editor. * * \param WindowHandle A handle to the parent window. * \param KeyName The key name to open. */ VOID PhShellOpenKey( _In_ HWND WindowHandle, _In_ PPH_STRING KeyName ) { static CONST PH_STRINGREF regeditKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit"); NTSTATUS status; HANDLE regeditKeyHandle; PPH_STRING lastKey; PPH_STRING regeditFileName; PH_STRINGREF systemRootString; status = PhCreateKey( ®editKeyHandle, KEY_WRITE, PH_KEY_CURRENT_USER, ®editKeyName, 0, 0, NULL ); if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to execute the program.", status, 0); return; } lastKey = PhExpandKeyName(KeyName, FALSE); PhSetValueKeyZ(regeditKeyHandle, L"LastKey", REG_SZ, lastKey->Buffer, (ULONG)lastKey->Length + sizeof(UNICODE_NULL)); NtClose(regeditKeyHandle); PhDereferenceObject(lastKey); // Start regedit. If we aren't elevated, request that regedit be elevated. This is so we can get // the consent dialog in the center of the specified window. (wj32) PhGetSystemRoot(&systemRootString); regeditFileName = PhConcatStringRefZ(&systemRootString, L"\\regedit.exe"); if (PhGetOwnTokenAttributes().Elevated) { status = PhShellExecuteEx( WindowHandle, regeditFileName->Buffer, NULL, NULL, SW_SHOW, 0, 0, NULL ); if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to execute the program.", status, 0); } } else { status = PhShellExecuteEx( WindowHandle, regeditFileName->Buffer, NULL, NULL, SW_SHOW, PH_SHELL_EXECUTE_ADMIN, 0, NULL ); if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to execute the program.", status, 0); } } PhDereferenceObject(regeditFileName); } NTSTATUS PhRegeditOpenUserFavoritesKey( _In_ HWND RegeditWindow, _Out_ PHANDLE KeyHandle ) { static CONST PH_STRINGREF favoritesKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit\\Favorites"); NTSTATUS status; CLIENT_ID clientId; HANDLE processHandle; HANDLE tokenHandle; HANDLE keyUserHandle; HANDLE keyFavoritesHandle; PH_TOKEN_USER tokenUser; PPH_STRING tokenUserSid; status = PhGetWindowClientId(RegeditWindow, &clientId); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhOpenProcessClientId( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, &clientId ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhOpenProcessToken( processHandle, TOKEN_QUERY, &tokenHandle ); NtClose(processHandle); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetTokenUser( tokenHandle, &tokenUser ); NtClose(tokenHandle); if (!NT_SUCCESS(status)) goto CleanupExit; if (!(tokenUserSid = PhSidToStringSid(tokenUser.User.Sid))) { status = STATUS_NO_MEMORY; goto CleanupExit; } status = PhOpenKey( &keyUserHandle, KEY_READ, PH_KEY_USERS, &tokenUserSid->sr, 0 ); PhDereferenceObject(tokenUserSid); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateKey( &keyFavoritesHandle, KEY_WRITE, keyUserHandle, &favoritesKeyName, 0, 0, NULL ); NtClose(keyUserHandle); if (NT_SUCCESS(status)) { *KeyHandle = keyFavoritesHandle; return STATUS_SUCCESS; } CleanupExit: status = PhCreateKey( &keyFavoritesHandle, KEY_WRITE, PH_KEY_CURRENT_USER, &favoritesKeyName, 0, 0, NULL ); if (NT_SUCCESS(status)) { *KeyHandle = keyFavoritesHandle; return STATUS_SUCCESS; } return status; } /** * Opens a key in the Registry Editor. If the Registry Editor is already open, * the specified key is selected in the Registry Editor. * * \param WindowHandle A handle to the parent window. * \param KeyName The key name to open. */ BOOLEAN PhShellOpenKey2( _In_ HWND WindowHandle, _In_ PPH_STRING KeyName ) { BOOLEAN result = FALSE; HWND regeditWindow; HANDLE favoritesKeyHandle; WCHAR favoriteName[33]; PH_STRINGREF valueName; PPH_STRING expandedKeyName; regeditWindow = FindWindow(L"RegEdit_RegEdit", NULL); if (!regeditWindow) { PhShellOpenKey(WindowHandle, KeyName); return TRUE; } if (!PhGetOwnTokenAttributes().Elevated) { if (!PhUiConnectToPhSvc(WindowHandle, FALSE)) return FALSE; } // Create our entry in Favorites. if (!NT_SUCCESS(PhRegeditOpenUserFavoritesKey(regeditWindow, &favoritesKeyHandle))) goto CleanupExit; memcpy(favoriteName, L"A_SystemInformer", 16 * sizeof(WCHAR)); PhGenerateRandomAlphaString(&favoriteName[16], ARRAYSIZE(favoriteName) - 16); valueName.Buffer = favoriteName; valueName.Length = sizeof(favoriteName) - sizeof(UNICODE_NULL); expandedKeyName = PhExpandKeyName(KeyName, FALSE); PhSetValueKey(favoritesKeyHandle, &valueName, REG_SZ, expandedKeyName->Buffer, (ULONG)expandedKeyName->Length + sizeof(UNICODE_NULL)); PhDereferenceObject(expandedKeyName); // Select our entry in regedit. result = PhpSelectFavoriteInRegedit(regeditWindow, &valueName, !PhGetOwnTokenAttributes().Elevated); PhDeleteValueKey(favoritesKeyHandle, &valueName); NtClose(favoritesKeyHandle); CleanupExit: if (!PhGetOwnTokenAttributes().Elevated) PhUiDisconnectFromPhSvc(); return result; } PPH_STRING PhPcre2GetErrorMessage( _In_ LONG ErrorCode ) { PPH_STRING buffer; SIZE_T bufferLength; INT_PTR returnLength; bufferLength = 128 * sizeof(WCHAR); buffer = PhCreateStringEx(NULL, bufferLength); while (TRUE) { if ((returnLength = pcre2_get_error_message(ErrorCode, buffer->Buffer, bufferLength / sizeof(WCHAR) + 1)) >= 0) break; PhDereferenceObject(buffer); bufferLength *= 2; if (bufferLength > 0x1000 * sizeof(WCHAR)) break; buffer = PhCreateStringEx(NULL, bufferLength); } if (returnLength < 0) return NULL; buffer->Length = returnLength * sizeof(WCHAR); return buffer; } HBITMAP PhGetShieldBitmap( _In_ LONG WindowDpi, _In_opt_ LONG Width, _In_opt_ LONG Height ) { HICON shieldIcon; HBITMAP shieldBitmap = NULL; shieldIcon = PhLoadIcon( PhInstanceHandle, MAKEINTRESOURCE(IDI_UACSHIELD), 0, Width, Height, WindowDpi ); if (!shieldIcon) { shieldIcon = PhLoadIcon( NULL, IDI_SHIELD, 0, Width, Height, WindowDpi ); } if (shieldIcon) { shieldBitmap = PhIconToBitmap( shieldIcon, Width, Height ); DestroyIcon(shieldIcon); } return shieldBitmap; } HICON PhGetApplicationIcon( _In_ BOOLEAN SmallIcon ) { static HICON smallIcon = NULL; static HICON largeIcon = NULL; static LONG systemDpi = 0; if (systemDpi != PhSystemDpi) { if (smallIcon) { DestroyIcon(smallIcon); smallIcon = NULL; } if (largeIcon) { DestroyIcon(largeIcon); largeIcon = NULL; } systemDpi = PhSystemDpi; } if (!smallIcon || !largeIcon) { if (!smallIcon) smallIcon = PhLoadIcon(NtCurrentImageBase(), MAKEINTRESOURCE(IDI_PROCESSHACKER), PH_LOAD_ICON_SIZE_SMALL, 0, 0, systemDpi); if (!largeIcon) largeIcon = PhLoadIcon(NtCurrentImageBase(), MAKEINTRESOURCE(IDI_PROCESSHACKER), PH_LOAD_ICON_SIZE_LARGE, 0, 0, systemDpi); } return SmallIcon ? smallIcon : largeIcon; } HICON PhGetApplicationIconEx( _In_ BOOLEAN SmallIcon, _In_opt_ LONG WindowDpi ) { if (SmallIcon) return PhLoadIcon(NtCurrentImageBase(), MAKEINTRESOURCE(IDI_PROCESSHACKER), PH_LOAD_ICON_SIZE_SMALL, 0, 0, WindowDpi); return PhLoadIcon(NtCurrentImageBase(), MAKEINTRESOURCE(IDI_PROCESSHACKER), PH_LOAD_ICON_SIZE_LARGE, 0, 0, WindowDpi); } VOID PhSetWindowIcon( _In_ HWND WindowHandle, _In_opt_ HICON SmallIcon, _In_opt_ HICON LargeIcon, _In_ BOOLEAN CleanupIcon ) { if (SmallIcon) { HICON iconHandle = (HICON)SendMessage(WindowHandle, WM_SETICON, ICON_SMALL, (LPARAM)SmallIcon); if (iconHandle && CleanupIcon) { DestroyIcon(iconHandle); } } if (LargeIcon) { HICON iconHandle = (HICON)SendMessage(WindowHandle, WM_SETICON, ICON_BIG, (LPARAM)LargeIcon); if (iconHandle && CleanupIcon) { DestroyIcon(iconHandle); } } } VOID PhDestroyWindowIcon( _In_ HWND WindowHandle ) { HICON iconHandle; if (iconHandle = (HICON)SendMessage(WindowHandle, WM_SETICON, ICON_SMALL, 0)) { DestroyIcon(iconHandle); } if (iconHandle = (HICON)SendMessage(WindowHandle, WM_SETICON, ICON_BIG, 0)) { DestroyIcon(iconHandle); } } VOID PhSetApplicationWindowIcon( _In_ HWND WindowHandle ) { PhSetWindowIcon( WindowHandle, PhGetApplicationIcon(TRUE), PhGetApplicationIcon(FALSE), TRUE ); } VOID PhSetApplicationWindowIconEx( _In_ HWND WindowHandle, _In_opt_ LONG WindowDpi ) { PhSetWindowIcon( WindowHandle, PhGetApplicationIconEx(TRUE, WindowDpi), PhGetApplicationIconEx(FALSE, WindowDpi), TRUE ); } VOID PhSetStaticWindowIcon( _In_ HWND WindowHandle, _In_opt_ LONG WindowDpi ) { HICON largeIcon; HICON destroyIcon; if (largeIcon = PhGetApplicationIconEx(FALSE, WindowDpi)) { if (destroyIcon = Static_SetIcon(WindowHandle, largeIcon)) { DestroyIcon(destroyIcon); } } } VOID PhDeleteStaticWindowIcon( _In_ HWND WindowHandle ) { HICON destroyIcon; if (destroyIcon = Static_GetIcon(WindowHandle, 0)) { DestroyIcon(destroyIcon); } } BOOLEAN PhWordMatchStringRef( _In_ PPH_STRINGREF SearchText, _In_ PPH_STRINGREF Text ) { PH_STRINGREF part; PH_STRINGREF remainingPart; remainingPart = *SearchText; while (remainingPart.Length) { PhSplitStringRefAtChar(&remainingPart, L'|', &part, &remainingPart); if (part.Length) { if (PhFindStringInStringRef(Text, &part, TRUE) != SIZE_MAX) return TRUE; } } return FALSE; } //BOOLEAN PhIsSystemRebootRequired( // VOID // ) //{ // static PH_STRINGREF keyRootPath = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate"); // static PH_STRINGREF keyAuPath = PH_STRINGREF_INIT(L"Auto Update\\RebootRequired"); // static PH_STRINGREF keyOrcPath = PH_STRINGREF_INIT(L"Orchestrator\\RebootRequired"); // BOOLEAN keyRebootRequired = FALSE; // HANDLE keyRootHandle; // HANDLE keyHandle; // // if (NT_SUCCESS(PhOpenKey( // &keyRootHandle, // KEY_READ, // PH_KEY_LOCAL_MACHINE, // &keyRootPath, // 0 // ))) // { // if (NT_SUCCESS(PhOpenKey( // &keyHandle, // KEY_READ, // keyRootHandle, // &keyAuPath, // 0 // ))) // { // keyRebootRequired = TRUE; // NtClose(keyHandle); // } // // if (NT_SUCCESS(PhOpenKey( // &keyHandle, // KEY_READ, // keyRootHandle, // &keyOrcPath, // 0 // ))) // { // keyRebootRequired = TRUE; // NtClose(keyHandle); // } // // NtClose(keyRootHandle); // } // // //#include // //ISystemInformation* systemInformation = NULL; // // // //if (SUCCEEDED(PhGetClassObject( // // L"wuapi.dll", // // &CLSID_SystemInformation, // // &IID_ISystemInformation, // // &systemInformation // // ))) // //{ // // VARIANT_BOOL rebootRequiredVariant = VARIANT_FALSE; // // // // ISystemInformation_get_RebootRequired(systemInformation, &rebootRequiredVariant); // // ISystemInformation_Release(systemInformation); // // // // keyRebootRequired = rebootRequiredVariant == VARIANT_TRUE; // //} // // return keyRebootRequired; //} ================================================ FILE: SystemInformer/chcol.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2017-2023 * */ #include #include typedef struct _COLUMNS_DIALOG_CONTEXT { HWND ControlHandle; HFONT ControlFont; ULONG Type; PPH_LIST Columns; HBRUSH BrushNormal; HBRUSH BrushPushed; HBRUSH BrushHot; COLORREF TextColor; HWND InactiveWindowHandle; HWND ActiveWindowHandle; HWND SearchInactiveHandle; HWND SearchActiveHandle; HWND HideWindowHandle; HWND ShowWindowHandle; HWND MoveUpHandle; HWND MoveDownHandle; PPH_LIST InactiveListArray; PPH_LIST ActiveListArray; } COLUMNS_DIALOG_CONTEXT, *PCOLUMNS_DIALOG_CONTEXT; INT_PTR CALLBACK PhpColumnsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowChooseColumnsDialog( _In_ HWND ParentWindowHandle, _In_ HWND ControlHandle, _In_ ULONG Type ) { COLUMNS_DIALOG_CONTEXT context; memset(&context, 0, sizeof(COLUMNS_DIALOG_CONTEXT)); context.ControlHandle = ControlHandle; context.Type = Type; if (Type == PH_CONTROL_TYPE_TREE_NEW) context.Columns = PhCreateList(TreeNew_GetColumnCount(ControlHandle)); else return; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_CHOOSECOLUMNS), ParentWindowHandle, PhpColumnsDlgProc, &context ); PhDereferenceObject(context.Columns); } static int __cdecl PhpColumnsCompareDisplayIndexTn( _In_ void* Context, _In_ void const* elem1, _In_ void const* elem2 ) { PPH_TREENEW_COLUMN column1 = *(PPH_TREENEW_COLUMN *)elem1; PPH_TREENEW_COLUMN column2 = *(PPH_TREENEW_COLUMN *)elem2; return uintcmp(column1->DisplayIndex, column2->DisplayIndex); } static long __cdecl PhpInactiveColumnsCompareNameTn( _In_ const void* Context, _In_ const void *elem1, _In_ const void *elem2 ) { PCWSTR column1 = *(PCWSTR *)elem1; PCWSTR column2 = *(PCWSTR *)elem2; return PhCompareStringZ(column1, column2, FALSE); } _Success_(return != ULONG_MAX) static ULONG IndexOfStringInList( _In_ PPH_LIST List, _In_ PCWSTR String ) { for (ULONG i = 0; i < List->Count; i++) { if (PhEqualStringZ(List->Items[i], String, FALSE)) return i; } return ULONG_MAX; } VOID PhpColumnsResetListBox( _In_ HWND ListBoxHandle, _In_ ULONG_PTR MatchHandle, _In_ PPH_LIST Array, _In_opt_ PVOID CompareFunction ) { SendMessage(ListBoxHandle, WM_SETREDRAW, FALSE, 0); ListBox_ResetContent(ListBoxHandle); if (CompareFunction) qsort_s(Array->Items, Array->Count, sizeof(ULONG_PTR), CompareFunction, NULL); if (!MatchHandle) { for (ULONG i = 0; i < Array->Count; i++) { ListBox_InsertString(ListBoxHandle, i, Array->Items[i]); } } else { ULONG index = 0; for (ULONG i = 0; i < Array->Count; i++) { PH_STRINGREF text; PhInitializeStringRefLongHint(&text, Array->Items[i]); if (PhSearchControlMatch(MatchHandle, &text)) { ListBox_InsertString(ListBoxHandle, index, Array->Items[i]); index++; } } } SendMessage(ListBoxHandle, WM_SETREDRAW, TRUE, 0); } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpInactiveColumnsSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PCOLUMNS_DIALOG_CONTEXT context = Context; PhpColumnsResetListBox( context->InactiveWindowHandle, MatchHandle, context->InactiveListArray, PhpInactiveColumnsCompareNameTn ); } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpActiveColumnsSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PCOLUMNS_DIALOG_CONTEXT context = Context; PhpColumnsResetListBox( context->ActiveWindowHandle, MatchHandle, context->ActiveListArray, NULL ); } INT_PTR CALLBACK PhpColumnsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PCOLUMNS_DIALOG_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PCOLUMNS_DIALOG_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { ULONG count; ULONG total; ULONG i; PPH_LIST displayOrderList = NULL; LONG dpiValue; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetApplicationWindowIcon(hwndDlg); dpiValue = PhGetWindowDpi(hwndDlg); context->InactiveWindowHandle = GetDlgItem(hwndDlg, IDC_INACTIVE); context->ActiveWindowHandle = GetDlgItem(hwndDlg, IDC_ACTIVE); context->SearchInactiveHandle = GetDlgItem(hwndDlg, IDC_SEARCH); context->SearchActiveHandle = GetDlgItem(hwndDlg, IDC_FILTER); context->HideWindowHandle = GetDlgItem(hwndDlg, IDC_HIDE); context->ShowWindowHandle = GetDlgItem(hwndDlg, IDC_SHOW); context->MoveUpHandle = GetDlgItem(hwndDlg, IDC_MOVEUP); context->MoveDownHandle = GetDlgItem(hwndDlg, IDC_MOVEDOWN); context->InactiveListArray = PhCreateList(1); context->ActiveListArray = PhCreateList(1); context->ControlFont = PhCreateMessageFont(dpiValue); // PhDuplicateFont(PhTreeWindowFont) PhCreateSearchControl( hwndDlg, context->SearchInactiveHandle, L"Inactive columns...", PhpInactiveColumnsSearchControlCallback, context ); PhCreateSearchControl( hwndDlg, context->SearchActiveHandle, L"Active columns...", PhpActiveColumnsSearchControlCallback, context ); ListBox_SetItemHeight(context->InactiveWindowHandle, 0, PhGetDpi(16, dpiValue)); ListBox_SetItemHeight(context->ActiveWindowHandle, 0, PhGetDpi(16, dpiValue)); Button_Enable(context->HideWindowHandle, FALSE); Button_Enable(context->ShowWindowHandle, FALSE); Button_Enable(context->MoveUpHandle, FALSE); Button_Enable(context->MoveDownHandle, FALSE); if (PhEnableThemeSupport) { context->BrushNormal = CreateSolidBrush(PhThemeWindowBackgroundColor); context->BrushHot = CreateSolidBrush(PhThemeWindowHighlightColor); context->BrushPushed = CreateSolidBrush(PhThemeWindowHighlight2Color); context->TextColor = PhThemeWindowTextColor; } else { context->BrushNormal = GetSysColorBrush(COLOR_WINDOW); context->BrushHot = CreateSolidBrush(RGB(145, 201, 247)); context->BrushPushed = CreateSolidBrush(RGB(153, 209, 255)); context->TextColor = GetSysColor(COLOR_WINDOWTEXT); } if (context->Type == PH_CONTROL_TYPE_TREE_NEW) { PH_TREENEW_COLUMN column; count = 0; total = TreeNew_GetColumnCount(context->ControlHandle); i = 0; displayOrderList = PhCreateList(total); while (count < total) { if (TreeNew_GetColumn(context->ControlHandle, i, &column)) { PPH_TREENEW_COLUMN copy; if (column.Fixed) { i++; total--; continue; } copy = PhAllocateCopy(&column, sizeof(PH_TREENEW_COLUMN)); PhAddItemList(context->Columns, copy); count++; if (column.Visible) { PhAddItemList(displayOrderList, copy); } else { PhAddItemList(context->InactiveListArray, (PWSTR)column.Text); } } i++; } qsort_s(displayOrderList->Items, displayOrderList->Count, sizeof(PVOID), PhpColumnsCompareDisplayIndexTn, NULL); } PhpColumnsResetListBox( context->InactiveWindowHandle, 0, context->InactiveListArray, PhpInactiveColumnsCompareNameTn ); if (displayOrderList) { for (i = 0; i < displayOrderList->Count; i++) { if (context->Type == PH_CONTROL_TYPE_TREE_NEW) { PPH_TREENEW_COLUMN copy = displayOrderList->Items[i]; PhAddItemList(context->ActiveListArray, (PWSTR)copy->Text); ListBox_InsertString(context->ActiveWindowHandle, i, copy->Text); } } PhDereferenceObject(displayOrderList); } SendMessage(hwndDlg, WM_COMMAND, MAKEWPARAM(IDC_INACTIVE, LBN_SELCHANGE), (LPARAM)context->InactiveWindowHandle); SendMessage(hwndDlg, WM_COMMAND, MAKEWPARAM(IDC_ACTIVE, LBN_SELCHANGE), (LPARAM)context->ActiveWindowHandle); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDCANCEL)); } break; case WM_DESTROY: { for (ULONG i = 0; i < context->Columns->Count; i++) PhFree(context->Columns->Items[i]); if (context->BrushNormal) DeleteBrush(context->BrushNormal); if (context->BrushHot) DeleteBrush(context->BrushHot); if (context->BrushPushed) DeleteBrush(context->BrushPushed); if (context->ControlFont) DeleteFont(context->ControlFont); if (context->InactiveListArray) PhDereferenceObject(context->InactiveListArray); if (context->ActiveListArray) PhDereferenceObject(context->ActiveListArray); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_DPICHANGED: { if (context->ControlFont) DeleteFont(context->ControlFont); context->ControlFont = PhCreateMessageFont(LOWORD(wParam)); ListBox_SetItemHeight(context->InactiveWindowHandle, 0, PhGetDpi(16, LOWORD(wParam))); ListBox_SetItemHeight(context->ActiveWindowHandle, 0, PhGetDpi(16, LOWORD(wParam))); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { ULONG i; ULONG orderArraySize; PULONG orderArray; ULONG maxOrder; if (context->Type == PH_CONTROL_TYPE_TREE_NEW) { orderArraySize = (TreeNew_GetColumnCount(context->ControlHandle) + 1) * sizeof(ULONG); orderArray = _malloca(orderArraySize); memset(orderArray, 0, orderArraySize); maxOrder = 0; // Apply visibility settings and build the order array. TreeNew_SetRedraw(context->ControlHandle, FALSE); for (i = 0; i < context->Columns->Count; i++) { PPH_TREENEW_COLUMN column = context->Columns->Items[i]; ULONG index; index = IndexOfStringInList(context->ActiveListArray, column->Text); column->Visible = index != ULONG_MAX; TreeNew_SetColumn(context->ControlHandle, TN_COLUMN_FLAG_VISIBLE, column); if (column->Visible) { orderArray[index] = column->Id; if (maxOrder < index + 1) maxOrder = index + 1; } } // Apply display order. TreeNew_SetColumnOrderArray(context->ControlHandle, maxOrder, orderArray); TreeNew_SetRedraw(context->ControlHandle, TRUE); InvalidateRect(context->ControlHandle, NULL, FALSE); _freea(orderArray); } EndDialog(hwndDlg, IDOK); } break; case IDC_INACTIVE: { switch (GET_WM_COMMAND_CMD(wParam, lParam)) { case LBN_DBLCLK: { SendMessage(hwndDlg, WM_COMMAND, IDC_SHOW, 0); } break; case LBN_SELCHANGE: { LONG sel = ListBox_GetCurSel(context->InactiveWindowHandle); EnableWindow(context->ShowWindowHandle, sel != LB_ERR); } break; } } break; case IDC_ACTIVE: { switch (GET_WM_COMMAND_CMD(wParam, lParam)) { case LBN_DBLCLK: { SendMessage(hwndDlg, WM_COMMAND, IDC_HIDE, 0); } break; case LBN_SELCHANGE: { LONG sel = ListBox_GetCurSel(context->ActiveWindowHandle); LONG count = ListBox_GetCount(context->ActiveWindowHandle); if (sel != LB_ERR) { EnableWindow(context->HideWindowHandle, sel != 0); EnableWindow(context->MoveUpHandle, sel != 0); EnableWindow(context->MoveDownHandle, sel != count - 1); } } break; } } break; case IDC_SHOW: { LONG sel; LONG count; PPH_STRING string; sel = ListBox_GetCurSel(context->InactiveWindowHandle); count = ListBox_GetCount(context->InactiveWindowHandle); if (sel != LB_ERR) { string = PhGetListBoxString(context->InactiveWindowHandle, sel); if (!PhIsNullOrEmptyString(string)) { ULONG index = IndexOfStringInList(context->InactiveListArray, string->Buffer); if (index != ULONG_MAX) { PVOID item = context->InactiveListArray->Items[index]; PhRemoveItemsList(context->InactiveListArray, index, 1); PhAddItemList(context->ActiveListArray, item); ListBox_DeleteString(context->InactiveWindowHandle, sel); ListBox_AddString(context->ActiveWindowHandle, item); } count--; if (sel >= count - 1) sel = count - 1; if (sel != LB_ERR) { ListBox_SetCurSel(context->InactiveWindowHandle, sel); } } } SendMessage(hwndDlg, WM_COMMAND, MAKEWPARAM(IDC_INACTIVE, LBN_SELCHANGE), (LPARAM)context->InactiveWindowHandle); SendMessage(hwndDlg, WM_COMMAND, MAKEWPARAM(IDC_ACTIVE, LBN_SELCHANGE), (LPARAM)context->ActiveWindowHandle); } break; case IDC_HIDE: { LONG sel; LONG count; PPH_STRING string; sel = ListBox_GetCurSel(context->ActiveWindowHandle); count = ListBox_GetCount(context->ActiveWindowHandle); if (sel != LB_ERR) { string = PhGetListBoxString(context->ActiveWindowHandle, sel); if (!PhIsNullOrEmptyString(string)) { ULONG index = IndexOfStringInList(context->ActiveListArray, string->Buffer); if (index != ULONG_MAX) { PVOID item = context->ActiveListArray->Items[index]; // Remove from active array, insert into inactive PhRemoveItemsList(context->ActiveListArray, index, 1); PhAddItemList(context->InactiveListArray, item); // Sort inactive list with new entry qsort_s(context->InactiveListArray->Items, context->InactiveListArray->Count, sizeof(ULONG_PTR), PhpInactiveColumnsCompareNameTn, NULL); // Find index of new entry in inactive list ULONG lb_index = IndexOfStringInList(context->InactiveListArray, item); // Delete from active list ListBox_DeleteString(context->ActiveWindowHandle, sel); // Add to list in the same position as the inactive list ListBox_InsertString(context->InactiveWindowHandle, lb_index, item); PhpColumnsResetListBox(context->InactiveWindowHandle, 0, context->InactiveListArray, PhpInactiveColumnsCompareNameTn); } count--; if (sel >= count - 1) sel = count - 1; if (sel != LB_ERR) { ListBox_SetCurSel(context->ActiveWindowHandle, sel); } } PhClearReference(&string); } SendMessage(hwndDlg, WM_COMMAND, MAKEWPARAM(IDC_INACTIVE, LBN_SELCHANGE), (LPARAM)context->InactiveWindowHandle); SendMessage(hwndDlg, WM_COMMAND, MAKEWPARAM(IDC_ACTIVE, LBN_SELCHANGE), (LPARAM)context->ActiveWindowHandle); } break; case IDC_MOVEUP: { LONG sel; LONG count; PPH_STRING string; sel = ListBox_GetCurSel(context->ActiveWindowHandle); count = ListBox_GetCount(context->ActiveWindowHandle); if (sel != LB_ERR) { string = PhGetListBoxString(context->ActiveWindowHandle, sel); if (!PhIsNullOrEmptyString(string)) { ULONG index = IndexOfStringInList(context->ActiveListArray, string->Buffer); if (index != ULONG_MAX) { PVOID item = context->ActiveListArray->Items[index]; PhRemoveItemsList(context->ActiveListArray, index, 1); PhInsertItemList(context->ActiveListArray, index - 1, item); ListBox_DeleteString(context->ActiveWindowHandle, sel); sel -= 1; ListBox_InsertString(context->ActiveWindowHandle, sel, item); ListBox_SetCurSel(context->ActiveWindowHandle, sel); EnableWindow(context->MoveUpHandle, sel != 0); EnableWindow(context->MoveDownHandle, sel != count - 1); } } PhClearReference(&string); } } break; case IDC_MOVEDOWN: { LONG sel; LONG count; PPH_STRING string; sel = ListBox_GetCurSel(context->ActiveWindowHandle); count = ListBox_GetCount(context->ActiveWindowHandle); if (sel != LB_ERR && sel != count - 1) { string = PhGetListBoxString(context->ActiveWindowHandle, sel); if (!PhIsNullOrEmptyString(string)) { ULONG index = IndexOfStringInList(context->ActiveListArray, string->Buffer); if (index != ULONG_MAX) { PVOID item = context->ActiveListArray->Items[index]; PhRemoveItemsList(context->ActiveListArray, index, 1); PhInsertItemList(context->ActiveListArray, index + 1, item); ListBox_DeleteString(context->ActiveWindowHandle, sel); sel += 1; ListBox_InsertString(context->ActiveWindowHandle, sel, item); ListBox_SetCurSel(context->ActiveWindowHandle, sel); EnableWindow(context->MoveUpHandle, sel != 0); EnableWindow(context->MoveDownHandle, sel != count - 1); } } PhClearReference(&string); } } break; } } break; case WM_DRAWITEM: { LPDRAWITEMSTRUCT drawInfo = (LPDRAWITEMSTRUCT)lParam; if ( drawInfo->hwndItem == context->InactiveWindowHandle || drawInfo->hwndItem == context->ActiveWindowHandle ) { HDC bufferDc; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; PPH_STRING string; RECT bufferRect = { 0, 0, drawInfo->rcItem.right - drawInfo->rcItem.left, drawInfo->rcItem.bottom - drawInfo->rcItem.top }; BOOLEAN isSelected = (drawInfo->itemState & ODS_SELECTED) == ODS_SELECTED; BOOLEAN isFocused = (drawInfo->itemState & ODS_FOCUS) == ODS_FOCUS; if (drawInfo->itemID == LB_ERR) break; string = PhGetListBoxString(drawInfo->hwndItem, drawInfo->itemID); if (PhIsNullOrEmptyString(string)) { PhClearReference(&string); break; } bufferDc = CreateCompatibleDC(drawInfo->hDC); bufferBitmap = CreateCompatibleBitmap(drawInfo->hDC, bufferRect.right, bufferRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); SelectFont(bufferDc, context->ControlFont); SetBkMode(bufferDc, TRANSPARENT); if (isSelected || isFocused) { FillRect(bufferDc, &bufferRect, context->BrushHot); //FrameRect(bufferDc, &bufferRect, PhGetStockBrush(BLACK_BRUSH)); SetTextColor(bufferDc, context->TextColor); } else { FillRect(bufferDc, &bufferRect, context->BrushNormal); //FrameRect(bufferDc, &bufferRect, GetSysColorBrush(COLOR_HIGHLIGHTTEXT)); SetTextColor(bufferDc, context->TextColor); } bufferRect.left += 5; DrawText( bufferDc, string->Buffer, (UINT)string->Length / sizeof(WCHAR), &bufferRect, DT_LEFT | DT_VCENTER | DT_SINGLELINE | DT_END_ELLIPSIS | DT_NOCLIP ); bufferRect.left -= 5; BitBlt( drawInfo->hDC, drawInfo->rcItem.left, drawInfo->rcItem.top, drawInfo->rcItem.right, drawInfo->rcItem.bottom, bufferDc, 0, 0, SRCCOPY ); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); PhClearReference(&string); return TRUE; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/chdlg.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2013 * dmex 2015-2024 * */ #include #include #include #include #include typedef struct _PH_CHOICE_DIALOG_CONTEXT { PCWSTR Title; PCWSTR Message; PCWSTR *Choices; ULONG NumberOfChoices; PCWSTR Option; ULONG Flags; PPH_STRING *SelectedChoice; PBOOLEAN SelectedOption; PCWSTR SavedChoicesSettingName; HWND ComboBoxHandle; HFONT FontHandle; } PH_CHOICE_DIALOG_CONTEXT, *PPH_CHOICE_DIALOG_CONTEXT; INT_PTR CALLBACK PhChoiceDlgProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_CHOICE_DIALOG_CONTEXT context; if (WindowMessage == WM_INITDIALOG) { context = (PPH_CHOICE_DIALOG_CONTEXT)lParam; PhSetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (WindowMessage) { case WM_INITDIALOG: { ULONG type; SIZE_T i; HWND comboBoxHandle; HWND checkBoxHandle; RECT checkBoxRect; RECT rect; ULONG diff; checkBoxHandle = GetDlgItem(WindowHandle, IDC_OPTION); PhSetWindowText(WindowHandle, context->Title); PhSetWindowText(GetDlgItem(WindowHandle, IDC_MESSAGE), context->Message); PhCenterWindow(WindowHandle, GetParent(WindowHandle)); type = context->Flags & PH_CHOICE_DIALOG_TYPE_MASK; // Select the control to show, depending on the type. This is // because it is impossible to change the style of the combo box // after it is created. switch (type) { case PH_CHOICE_DIALOG_USER_CHOICE: comboBoxHandle = GetDlgItem(WindowHandle, IDC_CHOICEUSER); break; case PH_CHOICE_DIALOG_PASSWORD: comboBoxHandle = GetDlgItem(WindowHandle, IDC_CHOICESIMPLE); // Disable combo box features since it isn't a combo box. context->SavedChoicesSettingName = NULL; break; case PH_CHOICE_DIALOG_CHOICE: default: comboBoxHandle = GetDlgItem(WindowHandle, IDC_CHOICE); break; } context->ComboBoxHandle = comboBoxHandle; ShowWindow(context->ComboBoxHandle, SW_SHOW); if (type == PH_CHOICE_DIALOG_PASSWORD) { // Nothing } else if (type == PH_CHOICE_DIALOG_USER_CHOICE && context->SavedChoicesSettingName) { PPH_STRING savedChoices = PhGetStringSetting(context->SavedChoicesSettingName); ULONG_PTR indexOfDelim; PPH_STRING savedChoice; i = 0; // Split the saved choices using the delimiter. while (i < savedChoices->Length / sizeof(WCHAR)) { // BUG BUG BUG - what if the user saves "\s"? indexOfDelim = PhFindStringInString(savedChoices, i, L"\\s"); if (indexOfDelim == SIZE_MAX) indexOfDelim = savedChoices->Length / sizeof(WCHAR); savedChoice = PhSubstring(savedChoices, i, indexOfDelim - i); if (savedChoice->Length != 0) { PPH_STRING unescaped; unescaped = PhUnescapeStringForDelimiter(savedChoice, L'\\'); ComboBox_InsertString(comboBoxHandle, -1, unescaped->Buffer); PhDereferenceObject(unescaped); } PhDereferenceObject(savedChoice); i = indexOfDelim + 2; } PhDereferenceObject(savedChoices); } else { for (i = 0; i < context->NumberOfChoices; i++) { ComboBox_AddString(comboBoxHandle, context->Choices[i]); } context->SavedChoicesSettingName = NULL; // make sure we don't try to save the choices } if (type == PH_CHOICE_DIALOG_PASSWORD) { if (!PhIsNullOrEmptyString(*context->SelectedChoice)) { PhSetWindowText(comboBoxHandle, PhGetString(*context->SelectedChoice)); } Edit_SetSel(comboBoxHandle, 0, -1); } else if (type == PH_CHOICE_DIALOG_USER_CHOICE || type == PH_CHOICE_DIALOG_CHOICE) { // If we failed to choose a default choice based on what was specified, // select the first one if possible, or set the text directly. if ( !PhIsNullOrEmptyString(*context->SelectedChoice) || PhSelectComboBoxString(comboBoxHandle, PhGetString(*context->SelectedChoice), FALSE) == CB_ERR ) { if (type == PH_CHOICE_DIALOG_USER_CHOICE && !PhIsNullOrEmptyString(*context->SelectedChoice)) { PhSetWindowText(comboBoxHandle, PhGetString(*context->SelectedChoice)); } else if (type == PH_CHOICE_DIALOG_CHOICE && context->NumberOfChoices != 0) { ComboBox_SetCurSel(comboBoxHandle, 0); } } if (type == PH_CHOICE_DIALOG_USER_CHOICE) ComboBox_SetEditSel(comboBoxHandle, 0, -1); } if (context->Option) { PhSetWindowText(checkBoxHandle, context->Option); if (context->SelectedOption) Button_SetCheck(checkBoxHandle, *context->SelectedOption ? BST_CHECKED : BST_UNCHECKED); } else { // Hide the check box and move the buttons up. ShowWindow(checkBoxHandle, SW_HIDE); PhGetWindowRect(checkBoxHandle, &checkBoxRect); MapWindowRect(NULL, WindowHandle, &checkBoxRect); PhGetWindowRect(GetDlgItem(WindowHandle, IDOK), &rect); MapWindowRect(NULL, WindowHandle, &rect); diff = rect.top - checkBoxRect.top; // OK rect.top -= diff; rect.bottom -= diff; SetWindowPos(GetDlgItem(WindowHandle, IDOK), NULL, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, SWP_NOACTIVATE | SWP_NOZORDER); // Cancel PhGetWindowRect(GetDlgItem(WindowHandle, IDCANCEL), &rect); MapWindowRect(NULL, WindowHandle, &rect); rect.top -= diff; rect.bottom -= diff; SetWindowPos(GetDlgItem(WindowHandle, IDCANCEL), NULL, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, SWP_NOACTIVATE | SWP_NOZORDER); // Window PhGetWindowRect(WindowHandle, &rect); rect.bottom -= diff; SetWindowPos(WindowHandle, NULL, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, SWP_NOACTIVATE | SWP_NOZORDER); } PhInitializeWindowTheme(WindowHandle, PhEnableThemeSupport); PhSetDialogFocus(WindowHandle, comboBoxHandle); } break; case WM_DESTROY: { PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(WindowHandle, IDCANCEL); break; case IDOK: { PPH_STRING selectedChoice; if (FlagOn(context->Flags, PH_CHOICE_DIALOG_TYPE_MASK) != PH_CHOICE_DIALOG_PASSWORD) { selectedChoice = PH_AUTO(PhGetWindowText(context->ComboBoxHandle)); *context->SelectedChoice = selectedChoice; } else { // Password values are never auto-dereferenced. selectedChoice = PhGetWindowText(context->ComboBoxHandle); *context->SelectedChoice = selectedChoice; } if (context->Option && context->SelectedOption) { *context->SelectedOption = Button_GetCheck(GetDlgItem(WindowHandle, IDC_OPTION)) == BST_CHECKED; } if (context->SavedChoicesSettingName) { PH_STRING_BUILDER savedChoices; ULONG i; ULONG choicesToSave = PH_CHOICE_DIALOG_SAVED_CHOICES; PPH_STRING choice; PPH_STRING escaped; PhInitializeStringBuilder(&savedChoices, 100); // Push the selected choice to the top, then save the others. if (selectedChoice->Length != 0) { escaped = PH_AUTO(PhEscapeStringForDelimiter(selectedChoice, L'\\')); PhAppendStringBuilder(&savedChoices, &escaped->sr); PhAppendStringBuilder2(&savedChoices, L"\\s"); } for (i = 1; i < choicesToSave; i++) { choice = PH_AUTO(PhGetComboBoxString(context->ComboBoxHandle, i - 1)); if (PhIsNullOrEmptyString(choice)) break; // Don't save the choice if it's the same as the one // entered by the user (since we already saved it above). if (PhEqualString(choice, selectedChoice, FALSE)) { choicesToSave++; // useless for now, but may be needed in the future continue; } escaped = PH_AUTO(PhEscapeStringForDelimiter(choice, L'\\')); PhAppendStringBuilder(&savedChoices, &escaped->sr); PhAppendStringBuilder2(&savedChoices, L"\\s"); } if (PhEndsWithString2(savedChoices.String, L"\\s", FALSE)) PhRemoveEndStringBuilder(&savedChoices, 2); PhSetStringSetting2(context->SavedChoicesSettingName, &savedChoices.String->sr); PhDeleteStringBuilder(&savedChoices); } EndDialog(WindowHandle, IDOK); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(WindowHandle, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } INT_PTR CALLBACK PhChooseNewPageDlgProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_CHOICE_DIALOG_CONTEXT context; if (WindowMessage == WM_INITDIALOG) { context = (PPH_CHOICE_DIALOG_CONTEXT)lParam; PhSetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (WindowMessage) { case WM_INITDIALOG: { context->ComboBoxHandle = GetDlgItem(WindowHandle, IDC_INPUT); PhCenterWindow(WindowHandle, GetParent(WindowHandle)); PhSetApplicationWindowIcon(WindowHandle); PhSetWindowText(WindowHandle, PhApplicationName); PhSetWindowText(GetDlgItem(WindowHandle, IDC_TITLE), context->Title); PhSetWindowText(GetDlgItem(WindowHandle, IDC_TEXT), context->Message); { NONCLIENTMETRICS metrics = { sizeof(NONCLIENTMETRICS) }; LONG dpi = PhGetWindowDpi(WindowHandle); if (PhGetSystemParametersInfo(SPI_GETNONCLIENTMETRICS, sizeof(metrics), &metrics, dpi)) { metrics.lfMessageFont.lfHeight = 4 * metrics.lfMessageFont.lfHeight / 3; if (context->FontHandle = CreateFontIndirect(&metrics.lfMessageFont)) { SetWindowFont(GetDlgItem(WindowHandle, IDC_TITLE), context->FontHandle, FALSE); } metrics.lfMessageFont.lfHeight = -14; if (context->FontHandle = CreateFontIndirect(&metrics.lfMessageFont)) { SetWindowFont(context->ComboBoxHandle, context->FontHandle, FALSE); } } } { if (FlagOn(context->Flags, PH_CHOICE_DIALOG_TYPE_MASK) == PH_CHOICE_DIALOG_PASSWORD) { NOTHING; } else if (FlagOn(context->Flags, PH_CHOICE_DIALOG_TYPE_MASK) == PH_CHOICE_DIALOG_USER_CHOICE && context->SavedChoicesSettingName) { PPH_STRING savedChoices = PhGetStringSetting(context->SavedChoicesSettingName); PPH_STRING savedChoice; ULONG_PTR indexOfDelim; ULONG_PTR i = 0; // Split the saved choices using the delimiter. while (i < savedChoices->Length / sizeof(WCHAR)) { // BUG BUG BUG - what if the user saves "\s"? indexOfDelim = PhFindStringInString(savedChoices, i, L"\\s"); if (indexOfDelim == SIZE_MAX) indexOfDelim = savedChoices->Length / sizeof(WCHAR); savedChoice = PhSubstring(savedChoices, i, indexOfDelim - i); if (savedChoice->Length) { PPH_STRING unescaped; unescaped = PhUnescapeStringForDelimiter(savedChoice, L'\\'); ComboBox_InsertString(context->ComboBoxHandle, UINT_MAX, unescaped->Buffer); PhDereferenceObject(unescaped); } PhDereferenceObject(savedChoice); i = indexOfDelim + 2; } PhDereferenceObject(savedChoices); } else { for (ULONG i = 0; i < context->NumberOfChoices; i++) { ComboBox_AddString(context->ComboBoxHandle, context->Choices[i]); } context->SavedChoicesSettingName = NULL; // make sure we don't try to save the choices } } PhSetDialogFocus(WindowHandle, context->ComboBoxHandle); if (PhEnableThemeSupport) ShowWindow(GetDlgItem(WindowHandle, IDC_SIZE_), SW_HIDE); PhInitializeWindowTheme(WindowHandle, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); if (context->FontHandle) { DeleteFont(context->FontHandle); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: { EndDialog(WindowHandle, IDCANCEL); } break; case IDOK: { PPH_STRING selectedChoice; if (FlagOn(context->Flags, PH_CHOICE_DIALOG_TYPE_MASK) != PH_CHOICE_DIALOG_PASSWORD) { selectedChoice = PH_AUTO(PhGetWindowText(context->ComboBoxHandle)); *context->SelectedChoice = selectedChoice; } else { // Password values are never auto-dereferenced. selectedChoice = PhGetWindowText(context->ComboBoxHandle); *context->SelectedChoice = selectedChoice; } if (context->SavedChoicesSettingName) { PH_STRING_BUILDER savedChoices; ULONG i; ULONG choicesToSave = PH_CHOICE_DIALOG_SAVED_CHOICES; PPH_STRING choice; PPH_STRING escaped; PhInitializeStringBuilder(&savedChoices, 100); // Push the selected choice to the top, then save the others. if (selectedChoice->Length != 0) { escaped = PH_AUTO(PhEscapeStringForDelimiter(selectedChoice, L'\\')); PhAppendStringBuilder(&savedChoices, &escaped->sr); PhAppendStringBuilder2(&savedChoices, L"\\s"); } for (i = 1; i < choicesToSave; i++) { choice = PH_AUTO(PhGetComboBoxString(context->ComboBoxHandle, i - 1)); if (PhIsNullOrEmptyString(choice)) break; // Don't save the choice if it's the same as the one // entered by the user (since we already saved it above). if (PhEqualString(choice, selectedChoice, FALSE)) { choicesToSave++; // useless for now, but may be needed in the future continue; } escaped = PH_AUTO(PhEscapeStringForDelimiter(choice, L'\\')); PhAppendStringBuilder(&savedChoices, &escaped->sr); PhAppendStringBuilder2(&savedChoices, L"\\s"); } if (PhEndsWithString2(savedChoices.String, L"\\s", FALSE)) PhRemoveEndStringBuilder(&savedChoices, 2); PhSetStringSetting2(context->SavedChoicesSettingName, &savedChoices.String->sr); PhDeleteStringBuilder(&savedChoices); } EndDialog(WindowHandle, IDOK); } break; } } break; case WM_ERASEBKGND: { LONG dpi = PhGetWindowDpi(WindowHandle); HDC hdc = (HDC)wParam; RECT clientRect; if (!PhGetClientRect(WindowHandle, &clientRect)) break; SetBkMode(hdc, TRANSPARENT); clientRect.bottom -= PhGetDpi(50, dpi); FillRect(hdc, &clientRect, PhEnableThemeSupport ? PhThemeWindowBackgroundBrush : GetSysColorBrush(COLOR_WINDOW)); clientRect.top = clientRect.bottom; clientRect.bottom = clientRect.top + PhGetDpi(50, dpi); if (PhEnableThemeSupport) { SetDCBrushColor(hdc, RGB(50, 50, 50)); FillRect(hdc, &clientRect, PhGetStockBrush(DC_BRUSH)); clientRect.bottom = clientRect.top + 1; SetDCBrushColor(hdc, PhThemeWindowForegroundColor); FillRect(hdc, &clientRect, PhGetStockBrush(DC_BRUSH)); PhOffsetRect(&clientRect, 0, 1); SetDCBrushColor(hdc, PhThemeWindowBackground2Color); FillRect(hdc, &clientRect, PhGetStockBrush(DC_BRUSH)); } else { FillRect(hdc, &clientRect, GetSysColorBrush(COLOR_3DFACE)); } SetWindowLongPtr(WindowHandle, DWLP_MSGRESULT, TRUE); } return TRUE; case WM_CTLCOLORSTATIC: { HDC hdc = (HDC)wParam; if (PhEnableThemeSupport) break; SetBkMode(hdc, TRANSPARENT); if ((HWND)lParam == GetDlgItem(WindowHandle, IDC_TITLE)) { static COLORREF color = 0; if (color == 0) { HTHEME theme; if (theme = PhOpenThemeData(NULL, VSCLASS_TASKDIALOG, 0)) { PhGetThemeColor(theme, TDLG_MAININSTRUCTIONPANE, 0, TMT_TEXTCOLOR, &color); PhCloseThemeData(theme); } } SetTextColor(hdc, color); } return (INT_PTR)PhGetStockBrush(WHITE_BRUSH); } break; } return FALSE; } /** * Prompts the user for input. * * \remarks If \c PH_CHOICE_DIALOG_PASSWORD is specified, the string * returned in \a SelectedChoice is NOT auto-dereferenced. */ BOOLEAN PhaChoiceDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR Title, _In_ PCWSTR Message, _In_opt_ PCWSTR*Choices, _In_opt_ ULONG NumberOfChoices, _In_opt_ PCWSTR Option, _In_ ULONG Flags, _Inout_ PPH_STRING *SelectedChoice, _Inout_opt_ PBOOLEAN SelectedOption, _In_opt_ PCWSTR SavedChoicesSettingName ) { PH_CHOICE_DIALOG_CONTEXT context; memset(&context, 0, sizeof(PH_CHOICE_DIALOG_CONTEXT)); context.Title = Title; context.Message = Message; context.Choices = Choices; context.NumberOfChoices = NumberOfChoices; context.Option = Option; context.Flags = Flags; context.SelectedChoice = SelectedChoice; context.SelectedOption = SelectedOption; context.SavedChoicesSettingName = SavedChoicesSettingName; return PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_CHOOSE), ParentWindowHandle, PhChoiceDlgProc, &context ) == IDOK; } BOOLEAN PhChoiceDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR Title, _In_ PCWSTR Message, _In_opt_ PCWSTR*Choices, _In_opt_ ULONG NumberOfChoices, _In_opt_ PCWSTR Option, _In_ ULONG Flags, _Inout_ PPH_STRING *SelectedChoice, _Inout_opt_ PBOOLEAN SelectedOption, _In_opt_ PCWSTR SavedChoicesSettingName ) { PH_CHOICE_DIALOG_CONTEXT context; memset(&context, 0, sizeof(PH_CHOICE_DIALOG_CONTEXT)); context.Title = Title; context.Message = Message; context.Choices = Choices; context.NumberOfChoices = NumberOfChoices; context.Option = Option; context.Flags = Flags; context.SelectedChoice = SelectedChoice; context.SelectedOption = SelectedOption; context.SavedChoicesSettingName = SavedChoicesSettingName; return PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_CHOOSENEW), PhCsForceNoParent ? NULL : ParentWindowHandle, PhChooseNewPageDlgProc, &context ) == IDOK; } ================================================ FILE: SystemInformer/chproc.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2016-2023 * */ #include #include #include typedef struct _PH_CHOOSE_PROCESS_DIALOG_CONTEXT { PCWSTR Message; HANDLE ProcessId; PH_LAYOUT_MANAGER LayoutManager; RECT MinimumSize; HIMAGELIST ImageList; HWND ListViewHandle; } PH_CHOOSE_PROCESS_DIALOG_CONTEXT, *PPH_CHOOSE_PROCESS_DIALOG_CONTEXT; INT_PTR CALLBACK PhpChooseProcessDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Success_(return) BOOLEAN PhShowChooseProcessDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR Message, _Out_ PHANDLE ProcessId ) { PH_CHOOSE_PROCESS_DIALOG_CONTEXT context; memset(&context, 0, sizeof(PH_CHOOSE_PROCESS_DIALOG_CONTEXT)); context.Message = Message; context.ProcessId = NULL; if (PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_CHOOSEPROCESS), ParentWindowHandle, PhpChooseProcessDlgProc, &context ) == IDOK) { *ProcessId = context.ProcessId; return TRUE; } else { return FALSE; } } static VOID PhpRefreshProcessList( _In_ HWND hwndDlg, _In_ PPH_CHOOSE_PROCESS_DIALOG_CONTEXT Context ) { NTSTATUS status; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) { PhShowStatus(hwndDlg, L"Unable to enumerate processes", status, 0); return; } ExtendedListView_SetRedraw(Context->ListViewHandle, FALSE); ListView_DeleteAllItems(Context->ListViewHandle); PhImageListRemoveAll(Context->ImageList); process = PH_FIRST_PROCESS(processes); do { LONG lvItemIndex; PPH_STRING name; HANDLE processHandle; PPH_STRING fileName = NULL; HICON icon = NULL; WCHAR processIdString[PH_INT32_STR_LEN_1]; PPH_STRING userName = NULL; LONG imageIndex = INT_MAX; if (process->UniqueProcessId != SYSTEM_IDLE_PROCESS_ID) name = PhCreateStringFromUnicodeString(&process->ImageName); else name = PhCreateStringFromUnicodeString(&SYSTEM_IDLE_PROCESS_NAME); lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, name->Buffer, process->UniqueProcessId); PhDereferenceObject(name); if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, process->UniqueProcessId))) { HANDLE tokenHandle; PH_TOKEN_USER tokenUser; if (NT_SUCCESS(PhOpenProcessToken(processHandle, TOKEN_QUERY, &tokenHandle))) { if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser))) { userName = PhGetSidFullName(tokenUser.User.Sid, TRUE, NULL); } NtClose(tokenHandle); } NtClose(processHandle); } if (process->UniqueProcessId == SYSTEM_IDLE_PROCESS_ID && !userName) { PhSetReference(&userName, PhGetSidFullName((PSID)&PhSeLocalSystemSid, TRUE, NULL)); } if (process->UniqueProcessId == SYSTEM_PROCESS_ID) fileName = PhGetKernelFileName(); else if (PH_IS_REAL_PROCESS_ID(process->UniqueProcessId)) PhGetProcessImageFileNameByProcessId(process->UniqueProcessId, &fileName); if (fileName) PhMoveReference(&fileName, PhGetFileName(fileName)); // Icon if (!PhIsNullOrEmptyString(fileName)) { PhExtractIcon(PhGetString(fileName), &icon, NULL); } if (icon) { imageIndex = PhImageListAddIcon(Context->ImageList, icon); PhSetListViewItemImageIndex(Context->ListViewHandle, lvItemIndex, imageIndex); DestroyIcon(icon); } else { PhGetStockApplicationIcon(NULL, &icon); imageIndex = PhImageListAddIcon(Context->ImageList, icon); PhSetListViewItemImageIndex(Context->ListViewHandle, lvItemIndex, imageIndex); } // PID PhPrintUInt32(processIdString, HandleToUlong(process->UniqueProcessId)); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, processIdString); // User Name PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, PhGetString(userName)); if (userName) PhDereferenceObject(userName); if (fileName) PhDereferenceObject(fileName); } while (process = PH_NEXT_PROCESS(process)); PhFree(processes); ExtendedListView_SortItems(Context->ListViewHandle); ExtendedListView_SetRedraw(Context->ListViewHandle, TRUE); } static VOID PhpChooseProcessSetImagelist( _Inout_ PPH_CHOOSE_PROCESS_DIALOG_CONTEXT context ) { LONG dpiValue; dpiValue = PhGetWindowDpi(context->ListViewHandle); if (context->ImageList) { PhImageListSetIconSize( context->ImageList, PhGetSystemMetrics(SM_CXSMICON, dpiValue), PhGetSystemMetrics(SM_CYSMICON, dpiValue) ); } else { context->ImageList = PhImageListCreate( PhGetSystemMetrics(SM_CXSMICON, dpiValue), PhGetSystemMetrics(SM_CYSMICON, dpiValue), ILC_MASK | ILC_COLOR32, 0, 40 ); } ListView_SetImageList(context->ListViewHandle, context->ImageList, LVSIL_SMALL); } INT_PTR CALLBACK PhpChooseProcessDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_CHOOSE_PROCESS_DIALOG_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PPH_CHOOSE_PROCESS_DIALOG_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HWND lvHandle; PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetDialogItemText(hwndDlg, IDC_MESSAGE, context->Message); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_MESSAGE), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT | PH_LAYOUT_FORCE_INVALIDATE); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDCANCEL), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REFRESH), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhLayoutManagerLayout(&context->LayoutManager); context->MinimumSize.left = 0; context->MinimumSize.top = 0; context->MinimumSize.right = 280; context->MinimumSize.bottom = 170; MapDialogRect(hwndDlg, &context->MinimumSize); context->ListViewHandle = lvHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(lvHandle, FALSE, TRUE); PhSetControlTheme(lvHandle, L"explorer"); PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 180, L"Name"); PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 60, L"PID"); PhAddListViewColumn(lvHandle, 2, 2, 2, LVCFMT_LEFT, 160, L"User name"); PhSetExtendedListView(lvHandle); PhpChooseProcessSetImagelist(context); PhpRefreshProcessList(hwndDlg, context); EnableWindow(GetDlgItem(hwndDlg, IDOK), FALSE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhDeleteLayoutManager(&context->LayoutManager); if (context->ImageList) { PhImageListDestroy(context->ImageList); context->ImageList = NULL; } PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); PhpChooseProcessSetImagelist(context); PhpRefreshProcessList(hwndDlg, context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: { EndDialog(hwndDlg, IDCANCEL); } break; case IDOK: { if (ListView_GetSelectedCount(context->ListViewHandle) == 1) { context->ProcessId = (HANDLE)PhGetSelectedListViewItemParam(context->ListViewHandle); EndDialog(hwndDlg, IDOK); } } break; case IDC_REFRESH: { PhpRefreshProcessList(hwndDlg, context); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case LVN_ITEMCHANGED: { EnableWindow(GetDlgItem(hwndDlg, IDOK), ListView_GetSelectedCount(context->ListViewHandle) == 1); } break; case NM_DBLCLK: { SendMessage(hwndDlg, WM_COMMAND, IDOK, 0); } break; } } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, context->MinimumSize.right, context->MinimumSize.bottom); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/colmgr.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ #include #include #include #include typedef struct _PH_CM_SORT_CONTEXT { PPH_PLUGIN_TREENEW_SORT_FUNCTION SortFunction; ULONG SubId; PVOID Context; PPH_CM_POST_SORT_FUNCTION PostSortFunction; PH_SORT_ORDER SortOrder; } PH_CM_SORT_CONTEXT, *PPH_CM_SORT_CONTEXT; VOID PhCmInitializeManager( _Out_ PPH_CM_MANAGER Manager, _In_ HWND Handle, _In_ ULONG MinId, _In_ PPH_CM_POST_SORT_FUNCTION PostSortFunction ) { Manager->Handle = Handle; Manager->MinId = MinId; Manager->NextId = MinId; Manager->PostSortFunction = PostSortFunction; InitializeListHead(&Manager->ColumnListHead); Manager->NotifyList = NULL; } VOID PhCmDeleteManager( _In_ PPH_CM_MANAGER Manager ) { PLIST_ENTRY listEntry; PPH_CM_COLUMN column; listEntry = Manager->ColumnListHead.Flink; while (listEntry != &Manager->ColumnListHead) { column = CONTAINING_RECORD(listEntry, PH_CM_COLUMN, ListEntry); listEntry = listEntry->Flink; PhFree(column); } if (Manager->NotifyList) PhDereferenceObject(Manager->NotifyList); } PPH_CM_COLUMN PhCmCreateColumn( _Inout_ PPH_CM_MANAGER Manager, _In_ PPH_TREENEW_COLUMN Column, _In_ PPH_PLUGIN Plugin, _In_ ULONG SubId, _In_opt_ PVOID Context, _In_opt_ PVOID SortFunction ) { PPH_CM_COLUMN column; PH_TREENEW_COLUMN tnColumn; column = PhAllocateZero(sizeof(PH_CM_COLUMN)); column->Id = Manager->NextId++; column->Plugin = Plugin; column->SubId = SubId; column->Context = Context; column->SortFunction = SortFunction; InsertTailList(&Manager->ColumnListHead, &column->ListEntry); memset(&tnColumn, 0, sizeof(PH_TREENEW_COLUMN)); tnColumn.Id = column->Id; tnColumn.Context = column; tnColumn.Visible = Column->Visible; tnColumn.CustomDraw = Column->CustomDraw; tnColumn.SortDescending = Column->SortDescending; tnColumn.Text = Column->Text; tnColumn.Width = Column->Width; tnColumn.Alignment = Column->Alignment; tnColumn.DisplayIndex = Column->Visible ? Column->DisplayIndex : ULONG_MAX; tnColumn.TextFlags = Column->TextFlags; TreeNew_AddColumn(Manager->Handle, &tnColumn); return column; } PPH_CM_COLUMN PhCmFindColumn( _In_ PPH_CM_MANAGER Manager, _In_ PCPH_STRINGREF PluginName, _In_ ULONG SubId ) { PLIST_ENTRY listEntry; PPH_CM_COLUMN column; listEntry = Manager->ColumnListHead.Flink; while (listEntry != &Manager->ColumnListHead) { column = CONTAINING_RECORD(listEntry, PH_CM_COLUMN, ListEntry); if (column->SubId == SubId && PhEqualStringRef(PluginName, &column->Plugin->AppContext.AppName, FALSE)) return column; listEntry = listEntry->Flink; } return NULL; } VOID PhCmSetNotifyPlugin( _In_ PPH_CM_MANAGER Manager, _In_ PPH_PLUGIN Plugin ) { if (!Manager->NotifyList) { Manager->NotifyList = PhCreateList(8); } else { if (PhFindItemList(Manager->NotifyList, Plugin) != ULONG_MAX) return; } PhAddItemList(Manager->NotifyList, Plugin); } BOOLEAN PhCmForwardMessage( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PPH_CM_MANAGER Manager ) { PH_PLUGIN_TREENEW_MESSAGE pluginMessage; PPH_PLUGIN plugin; switch (Message) { case TreeNewDestroying: { return FALSE; } break; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PH_TREENEW_COLUMN tnColumn; PPH_CM_COLUMN column; if (getCellText->Id < Manager->MinId) return FALSE; if (!TreeNew_GetColumn(WindowHandle, getCellText->Id, &tnColumn)) return FALSE; column = tnColumn.Context; pluginMessage.SubId = column->SubId; pluginMessage.Context = column->Context; plugin = column->Plugin; } break; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; PPH_CM_COLUMN column; if (customDraw->Column->Id < Manager->MinId) return FALSE; column = customDraw->Column->Context; pluginMessage.SubId = column->SubId; pluginMessage.Context = column->Context; plugin = column->Plugin; } break; case TreeNewColumnResized: { PPH_TREENEW_COLUMN tlColumn = Parameter1; PPH_CM_COLUMN column; if (tlColumn->Id < Manager->MinId) return FALSE; column = tlColumn->Context; pluginMessage.SubId = column->SubId; pluginMessage.Context = column->Context; plugin = column->Plugin; } break; case TreeNewGetHeaderText: { PPH_TREENEW_GET_HEADER_TEXT getHeaderText = Parameter1; PPH_TREENEW_COLUMN tlColumn = getHeaderText->Column; PPH_CM_COLUMN column; if (tlColumn->Id < Manager->MinId) return FALSE; column = tlColumn->Context; pluginMessage.SubId = column->SubId; pluginMessage.Context = column->Context; plugin = column->Plugin; } break; default: { // Some plugins want to be notified about all messages. if (Manager->NotifyList) { for (ULONG i = 0; i < Manager->NotifyList->Count; i++) { plugin = Manager->NotifyList->Items[i]; pluginMessage.TreeNewHandle = WindowHandle; pluginMessage.Message = Message; pluginMessage.Parameter1 = Parameter1; pluginMessage.Parameter2 = Parameter2; pluginMessage.SubId = 0; pluginMessage.Context = NULL; PhInvokeCallback(PhGetPluginCallback(plugin, PluginCallbackTreeNewMessage), &pluginMessage); } } } return FALSE; } pluginMessage.TreeNewHandle = WindowHandle; pluginMessage.Message = Message; pluginMessage.Parameter1 = Parameter1; pluginMessage.Parameter2 = Parameter2; PhInvokeCallback(PhGetPluginCallback(plugin, PluginCallbackTreeNewMessage), &pluginMessage); return TRUE; } static int __cdecl PhCmpSortFunction( _In_ void *context, _In_ const void *elem1, _In_ const void *elem2 ) { PPH_CM_SORT_CONTEXT sortContext = context; PVOID node1 = *(PVOID *)elem1; PVOID node2 = *(PVOID *)elem2; LONG result; result = sortContext->SortFunction(node1, node2, sortContext->SubId, sortContext->SortOrder, sortContext->Context); return sortContext->PostSortFunction(result, node1, node2, sortContext->SortOrder); } BOOLEAN PhCmForwardSort( _In_ PPH_TREENEW_NODE *Nodes, _In_ ULONG NumberOfNodes, _In_ ULONG SortColumn, _In_ PH_SORT_ORDER SortOrder, _In_ PPH_CM_MANAGER Manager ) { PH_TREENEW_COLUMN tnColumn; PPH_CM_COLUMN column; PH_CM_SORT_CONTEXT sortContext; if (SortColumn < Manager->MinId) return FALSE; if (!Manager->Handle) return TRUE; if (!TreeNew_GetColumn(Manager->Handle, SortColumn, &tnColumn)) return TRUE; column = tnColumn.Context; if (!column->SortFunction) return TRUE; sortContext.SortFunction = column->SortFunction; sortContext.SubId = column->SubId; sortContext.Context = column->Context; sortContext.PostSortFunction = Manager->PostSortFunction; sortContext.SortOrder = SortOrder; qsort_s(Nodes, NumberOfNodes, sizeof(PVOID), PhCmpSortFunction, &sortContext); return TRUE; } BOOLEAN PhCmLoadSettings( _In_ HWND TreeNewHandle, _In_ PCPH_STRINGREF Settings ) { return PhCmLoadSettingsEx(TreeNewHandle, NULL, 0, Settings, NULL); } BOOLEAN PhCmLoadSettingsEx( _In_ HWND TreeNewHandle, _In_opt_ PPH_CM_MANAGER Manager, _In_ ULONG Flags, _In_ PCPH_STRINGREF Settings, _In_opt_ PCPH_STRINGREF SortSettings ) { BOOLEAN result = FALSE; PH_STRINGREF scalePart; PH_STRINGREF columnPart; PH_STRINGREF remainingColumnPart; PH_STRINGREF valuePart; PH_STRINGREF subPart; ULONG64 integer; ULONG scale; ULONG total; BOOLEAN hasFixedColumn; ULONG count; ULONG i; PPH_HASHTABLE columnHashtable; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_KEY_VALUE_PAIR pair; ULONG orderArray[PH_CM_ORDER_LIMIT]; ULONG maxOrder; LONG dpiValue; dpiValue = PhGetWindowDpi(TreeNewHandle); if (Settings->Length != 0) { columnHashtable = PhCreateSimpleHashtable(20); remainingColumnPart = *Settings; if (remainingColumnPart.Length != 0 && remainingColumnPart.Buffer[0] == L'@') { PhSkipStringRef(&remainingColumnPart, sizeof(WCHAR)); PhSplitStringRefAtChar(&remainingColumnPart, L'|', &scalePart, &remainingColumnPart); if (scalePart.Length == 0 || !PhStringToUInt64(&scalePart, 10, &integer)) goto CleanupExit; scale = (ULONG)integer; } else { scale = USER_DEFAULT_SCREEN_DPI; } while (remainingColumnPart.Length != 0) { PPH_TREENEW_COLUMN column; ULONG id; ULONG displayIndex; LONG width; PhSplitStringRefAtChar(&remainingColumnPart, L'|', &columnPart, &remainingColumnPart); if (columnPart.Length != 0) { // Id PhSplitStringRefAtChar(&columnPart, L',', &valuePart, &columnPart); if (valuePart.Length == 0) goto CleanupExit; if (valuePart.Buffer[0] == L'+') { PH_STRINGREF pluginName; ULONG subId; PPH_CM_COLUMN cmColumn; // This is a plugin-owned column. if (!Manager) continue; if (!PhEmParseCompoundId(&valuePart, &pluginName, &subId)) continue; cmColumn = PhCmFindColumn(Manager, &pluginName, subId); if (!cmColumn) continue; // can't find the column, skip this part id = cmColumn->Id; } else { if (!PhStringToUInt64(&valuePart, 10, &integer)) goto CleanupExit; id = (ULONG)integer; } // Display Index PhSplitStringRefAtChar(&columnPart, L',', &valuePart, &columnPart); if (!(Flags & PH_CM_COLUMN_WIDTHS_ONLY)) { if (valuePart.Length == 0 || !PhStringToUInt64(&valuePart, 10, &integer)) goto CleanupExit; displayIndex = (ULONG)integer; } else { if (valuePart.Length != 0) goto CleanupExit; displayIndex = ULONG_MAX; } // Width if (columnPart.Length == 0 || !PhStringToUInt64(&columnPart, 10, &integer)) goto CleanupExit; width = (LONG)integer; if (scale != dpiValue && scale != 0) width = PhMultiplyDivideSigned(width, dpiValue, scale); column = PhAllocateZero(sizeof(PH_TREENEW_COLUMN)); column->Id = id; column->DisplayIndex = displayIndex; column->Width = width; PhAddItemSimpleHashtable(columnHashtable, UlongToPtr(column->Id), column); } } TreeNew_SetRedraw(TreeNewHandle, FALSE); // Set visibility and width. i = 0; count = 0; total = TreeNew_GetColumnCount(TreeNewHandle); hasFixedColumn = !!TreeNew_GetFixedColumn(TreeNewHandle); memset(orderArray, 0, sizeof(orderArray)); maxOrder = 0; while (count < total) { PH_TREENEW_COLUMN setColumn; PPH_TREENEW_COLUMN *columnPtr; if (TreeNew_GetColumn(TreeNewHandle, i, &setColumn)) { columnPtr = (PPH_TREENEW_COLUMN *)PhFindItemSimpleHashtable(columnHashtable, UlongToPtr(i)); if (!(Flags & PH_CM_COLUMN_WIDTHS_ONLY)) { if (columnPtr) { setColumn.Visible = TRUE; setColumn.Width = (*columnPtr)->Width; TreeNew_SetColumn(TreeNewHandle, TN_COLUMN_FLAG_VISIBLE | TN_COLUMN_WIDTH, &setColumn); if (!setColumn.Fixed) { // For compatibility reasons, normal columns have their display indices stored // one higher than usual (so they start from 1, not 0). Fix that here. if (hasFixedColumn && (*columnPtr)->DisplayIndex != 0) (*columnPtr)->DisplayIndex--; if ((*columnPtr)->DisplayIndex < PH_CM_ORDER_LIMIT) { orderArray[(*columnPtr)->DisplayIndex] = i; if (maxOrder < (*columnPtr)->DisplayIndex + 1) maxOrder = (*columnPtr)->DisplayIndex + 1; } } } else if (!setColumn.Fixed) // never hide the fixed column { setColumn.Visible = FALSE; TreeNew_SetColumn(TreeNewHandle, TN_COLUMN_FLAG_VISIBLE, &setColumn); } } else { if (columnPtr) { setColumn.Width = (*columnPtr)->Width; TreeNew_SetColumn(TreeNewHandle, TN_COLUMN_WIDTH, &setColumn); } } count++; } i++; } if (!(Flags & PH_CM_COLUMN_WIDTHS_ONLY)) { // Set the order array. TreeNew_SetColumnOrderArray(TreeNewHandle, maxOrder, orderArray); } TreeNew_SetRedraw(TreeNewHandle, TRUE); result = TRUE; CleanupExit: PhBeginEnumHashtable(columnHashtable, &enumContext); while (pair = PhNextEnumHashtable(&enumContext)) PhFree(pair->Value); PhDereferenceObject(columnHashtable); } // Load sort settings. if (SortSettings && SortSettings->Length != 0) { PhSplitStringRefAtChar(SortSettings, L',', &valuePart, &subPart); if (valuePart.Length != 0 && subPart.Length != 0) { ULONG sortColumn; PH_SORT_ORDER sortOrder; sortColumn = ULONG_MAX; if (valuePart.Buffer[0] == L'+') { PH_STRINGREF pluginName; ULONG subId; PPH_CM_COLUMN cmColumn; if ( Manager && PhEmParseCompoundId(&valuePart, &pluginName, &subId) && (cmColumn = PhCmFindColumn(Manager, &pluginName, subId)) ) { sortColumn = cmColumn->Id; } } else { PhStringToUInt64(&valuePart, 10, &integer); sortColumn = (ULONG)integer; } PhStringToUInt64(&subPart, 10, &integer); sortOrder = (PH_SORT_ORDER)integer; if (sortColumn != ULONG_MAX && sortOrder <= DescendingSortOrder) { TreeNew_SetSort(TreeNewHandle, sortColumn, sortOrder); } } } return result; } PPH_STRING PhCmSaveSettings( _In_ HWND TreeNewHandle ) { return PhCmSaveSettingsEx(TreeNewHandle, NULL, 0, NULL); } PPH_STRING PhCmSaveSettingsEx( _In_ HWND TreeNewHandle, _In_opt_ PPH_CM_MANAGER Manager, _In_ ULONG Flags, _Out_opt_ PPH_STRING *SortSettings ) { PH_STRING_BUILDER stringBuilder; ULONG i = 0; ULONG count = 0; ULONG total; ULONG increment; PH_TREENEW_COLUMN column; LONG dpiValue; dpiValue = PhGetWindowDpi(TreeNewHandle); total = TreeNew_GetColumnCount(TreeNewHandle); if (TreeNew_GetFixedColumn(TreeNewHandle)) increment = 1; // the first normal column should have a display index that starts with 1, for compatibility else increment = 0; PhInitializeStringBuilder(&stringBuilder, 100); { PH_FORMAT format[3]; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; // @%lu| PhInitFormatC(&format[0], L'@'); PhInitFormatU(&format[1], dpiValue); PhInitFormatC(&format[2], L'|'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder(&stringBuilder, L"@%lu|", dpiValue); } } while (count < total) { if (TreeNew_GetColumn(TreeNewHandle, i, &column)) { if (!(Flags & PH_CM_COLUMN_WIDTHS_ONLY)) { if (column.Visible) { if (!Manager || i < Manager->MinId) { PH_FORMAT format[6]; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; // %lu,%lu,%ld| PhInitFormatU(&format[0], i); PhInitFormatC(&format[1], L','); PhInitFormatU(&format[2], column.Fixed ? 0 : column.DisplayIndex + increment); PhInitFormatC(&format[3], L','); PhInitFormatU(&format[4], column.Width); PhInitFormatC(&format[5], L'|'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder( &stringBuilder, L"%lu,%lu,%ld|", i, column.Fixed ? 0 : column.DisplayIndex + increment, column.Width ); } } else { PPH_CM_COLUMN cmColumn = column.Context; PH_FORMAT format[9]; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; // +%s+%lu,%lu,%ld| PhInitFormatC(&format[0], L'+'); PhInitFormatSR(&format[1], cmColumn->Plugin->Name); PhInitFormatC(&format[2], L'+'); PhInitFormatU(&format[3], cmColumn->SubId); PhInitFormatC(&format[4], L','); PhInitFormatU(&format[5], column.DisplayIndex + increment); PhInitFormatC(&format[6], L','); PhInitFormatD(&format[7], column.Width); PhInitFormatC(&format[8], L'|'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder( &stringBuilder, L"+%s+%lu,%lu,%ld|", cmColumn->Plugin->Name.Buffer, cmColumn->SubId, column.DisplayIndex + increment, column.Width ); } } } } else { if (!Manager || i < Manager->MinId) { PhAppendFormatStringBuilder( &stringBuilder, L"%lu,,%ld|", i, column.Width ); } else { PPH_CM_COLUMN cmColumn; cmColumn = column.Context; PhAppendFormatStringBuilder( &stringBuilder, L"+%s+%lu,,%ld|", cmColumn->Plugin->Name.Buffer, cmColumn->SubId, column.Width ); } } count++; } i++; } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); if (SortSettings) { ULONG sortColumn; PH_SORT_ORDER sortOrder; if (TreeNew_GetSort(TreeNewHandle, &sortColumn, &sortOrder)) { if (sortOrder != NoSortOrder) { if (!Manager || sortColumn < Manager->MinId) { PH_FORMAT format[3]; // %lu,%lu PhInitFormatU(&format[0], sortColumn); PhInitFormatC(&format[1], L','); PhInitFormatU(&format[2], sortOrder); *SortSettings = PhFormat(format, RTL_NUMBER_OF(format), 32); } else { if (TreeNew_GetColumn(TreeNewHandle, sortColumn, &column)) { PPH_CM_COLUMN cmColumn; PH_FORMAT format[6]; cmColumn = column.Context; // +%s+%lu,%lu PhInitFormatC(&format[0], L'+'); PhInitFormatSR(&format[1], cmColumn->Plugin->Name); PhInitFormatC(&format[2], L'+'); PhInitFormatU(&format[3], cmColumn->SubId); PhInitFormatC(&format[4], L','); PhInitFormatU(&format[5], sortOrder); *SortSettings = PhFormat(format, RTL_NUMBER_OF(format), 64); } else { *SortSettings = PhReferenceEmptyString(); } } } else { *SortSettings = PhCreateString(L"0,0"); } } else { *SortSettings = PhReferenceEmptyString(); } } return PhFinalStringBuilderString(&stringBuilder); } ================================================ FILE: SystemInformer/colsetmgr.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2022 * */ #include #include #include PPH_LIST PhInitializeColumnSetList( _In_ PCWSTR SettingName ) { PPH_LIST columnSetList; PPH_STRING settingsString; ULONG64 count; ULONG64 index; PH_STRINGREF remaining; PH_STRINGREF part; columnSetList = PhCreateList(10); settingsString = PhaGetStringSetting(SettingName); remaining = settingsString->sr; if (remaining.Length == 0) goto CleanupExit; if (!PhSplitStringRefAtChar(&remaining, L'-', &part, &remaining)) goto CleanupExit; if (!PhStringToInteger64(&part, 10, &count)) goto CleanupExit; for (index = 0; index < count; index++) { PH_STRINGREF columnSetNamePart; PH_STRINGREF columnSetSettingPart; PH_STRINGREF columnSetSortPart; if (remaining.Length == 0) break; PhSplitStringRefAtChar(&remaining, L'-', &columnSetNamePart, &remaining); PhSplitStringRefAtChar(&remaining, L'-', &columnSetSettingPart, &remaining); PhSplitStringRefAtChar(&remaining, L'-', &columnSetSortPart, &remaining); { PPH_COLUMN_SET_ENTRY entry; entry = PhAllocate(sizeof(PH_COLUMN_SET_ENTRY)); entry->Name = PhCreateString2(&columnSetNamePart); entry->Setting = PhCreateString2(&columnSetSettingPart); entry->Sorting = PhCreateString2(&columnSetSortPart); PhAddItemList(columnSetList, entry); } } CleanupExit: return columnSetList; } VOID PhSaveSettingsColumnList( _In_ PCWSTR SettingName, _In_ PPH_LIST ColumnSetList ) { ULONG index; PPH_STRING settingsString; PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 100); PhAppendFormatStringBuilder( &stringBuilder, L"%lu-", ColumnSetList->Count ); for (index = 0; index < ColumnSetList->Count; index++) { PPH_COLUMN_SET_ENTRY entry = ColumnSetList->Items[index]; if (PhIsNullOrEmptyString(entry->Name)) continue; PhAppendFormatStringBuilder( &stringBuilder, L"%s-%s-%s-", PhGetStringOrEmpty(entry->Name), PhGetStringOrEmpty(entry->Setting), PhGetStringOrEmpty(entry->Sorting) ); } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); settingsString = PH_AUTO(PhFinalStringBuilderString(&stringBuilder)); PhSetStringSetting2(SettingName, &settingsString->sr); } VOID PhDeleteColumnSetList( _In_ PPH_LIST ColumnSetList ) { for (ULONG i = 0; i < ColumnSetList->Count; i++) { PPH_COLUMN_SET_ENTRY entry = ColumnSetList->Items[i]; //PhRemoveItemList(ColumnSetList, PhFindItemList(ColumnSetList, entry)); PhClearReference(&entry->Name); PhClearReference(&entry->Setting); PhClearReference(&entry->Sorting); PhFree(entry); } PhDereferenceObject(ColumnSetList); } _Success_(return) BOOLEAN PhLoadSettingsColumnSet( _In_ PCWSTR SettingName, _In_ PPH_STRING ColumnSetName, _Out_ PPH_STRING *TreeListSettings, _Out_ PPH_STRING *TreeSortSettings ) { PPH_STRING treeSettings = NULL; PPH_STRING sortSettings = NULL; PPH_STRING settingsString; ULONG64 count; ULONG64 index; PH_STRINGREF remaining; PH_STRINGREF part; settingsString = PhaGetStringSetting(SettingName); remaining = settingsString->sr; if (remaining.Length == 0) return FALSE; if (!PhSplitStringRefAtChar(&remaining, L'-', &part, &remaining)) return FALSE; if (!PhStringToInteger64(&part, 10, &count)) return FALSE; for (index = 0; index < count; index++) { PH_STRINGREF columnSetNamePart; PH_STRINGREF columnSetSettingPart; PH_STRINGREF columnSetSortPart; if (remaining.Length == 0) break; PhSplitStringRefAtChar(&remaining, L'-', &columnSetNamePart, &remaining); PhSplitStringRefAtChar(&remaining, L'-', &columnSetSettingPart, &remaining); PhSplitStringRefAtChar(&remaining, L'-', &columnSetSortPart, &remaining); if (PhEqualStringRef(&columnSetNamePart, &ColumnSetName->sr, FALSE)) { treeSettings = PhCreateString2(&columnSetSettingPart); sortSettings = PhCreateString2(&columnSetSortPart); break; } } if (!PhIsNullOrEmptyString(treeSettings) && !PhIsNullOrEmptyString(sortSettings)) { *TreeListSettings = treeSettings; *TreeSortSettings = sortSettings; return TRUE; } else { if (treeSettings) PhDereferenceObject(treeSettings); if (sortSettings) PhDereferenceObject(sortSettings); return FALSE; } } VOID PhSaveSettingsColumnSet( _In_ PCWSTR SettingName, _In_ PPH_STRING ColumnSetName, _In_ PPH_STRING TreeListSettings, _In_ PPH_STRING TreeSortSettings ) { ULONG index; BOOLEAN found = FALSE; PPH_LIST columnSetList; columnSetList = PhInitializeColumnSetList(SettingName); for (index = 0; index < columnSetList->Count; index++) { PPH_COLUMN_SET_ENTRY entry = columnSetList->Items[index]; if (PhEqualString(entry->Name, ColumnSetName, FALSE)) { PhReferenceObject(TreeListSettings); PhReferenceObject(TreeSortSettings); PhMoveReference(&entry->Setting, TreeListSettings); PhMoveReference(&entry->Sorting, TreeSortSettings); found = TRUE; break; } } if (!found) { PPH_COLUMN_SET_ENTRY entry; PhReferenceObject(ColumnSetName); PhReferenceObject(TreeListSettings); PhReferenceObject(TreeSortSettings); entry = PhAllocate(sizeof(PH_COLUMN_SET_ENTRY)); entry->Name = ColumnSetName; entry->Setting = TreeListSettings; entry->Sorting = TreeSortSettings; PhAddItemList(columnSetList, entry); } PhSaveSettingsColumnList(SettingName, columnSetList); PhDeleteColumnSetList(columnSetList); } // Column Set Editor Dialog typedef struct _PH_COLUMNSET_DIALOG_CONTEXT { HWND DialogHandle; HWND ListViewHandle; HWND RenameButtonHandle; HWND MoveUpButtonHandle; HWND MoveDownButtonHandle; HWND RemoveButtonHandle; PPH_STRING SettingName; PPH_LIST ColumnSetList; BOOLEAN LabelEditActive; } PH_COLUMNSET_DIALOG_CONTEXT, *PPH_COLUMNSET_DIALOG_CONTEXT; INT_PTR CALLBACK PhpColumnSetEditorDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowColumnSetEditorDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR SettingName ) { PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_COLUMNSETS), ParentWindowHandle, PhpColumnSetEditorDlgProc, (PVOID)SettingName ); } VOID PhpMoveListViewItem( _In_ HWND ListViewHandle, _In_ LONG ItemIndex1, _In_ LONG ItemIndex2 ) { LVITEM item1; LVITEM item2; WCHAR buffer1[MAX_PATH]; WCHAR buffer2[MAX_PATH]; item1.mask = LVIF_TEXT | LVIF_PARAM | LVIF_STATE; item1.stateMask = (UINT)-1; item1.iItem = ItemIndex1; item1.iSubItem = 0; item1.cchTextMax = sizeof(buffer1); item1.pszText = buffer1; item2.mask = LVIF_TEXT | LVIF_PARAM | LVIF_STATE; item2.stateMask = (UINT)-1; item2.iItem = ItemIndex2; item2.iSubItem = 0; item2.cchTextMax = sizeof(buffer2); item2.pszText = buffer2; if ( ListView_GetItem(ListViewHandle, &item1) && ListView_GetItem(ListViewHandle, &item2) ) { item1.iItem = ItemIndex2; item2.iItem = ItemIndex1; ListView_SetItem(ListViewHandle, &item1); ListView_SetItem(ListViewHandle, &item2); } } VOID PhpMoveSelectedListViewItemUp( _In_ HWND ListViewHandle ) { LONG lvItemIndex = PhFindListViewItemByFlags(ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR) { PhpMoveListViewItem(ListViewHandle, lvItemIndex, lvItemIndex - 1); } SetFocus(ListViewHandle); ListView_SetItemState(ListViewHandle, lvItemIndex - 1, LVNI_SELECTED, LVNI_SELECTED); //ListView_EnsureVisible(ListViewHandle, lvItemIndex - 1, FALSE); } VOID PhpMoveSelectedListViewItemDown( _In_ HWND ListViewHandle ) { LONG lvItemIndex = PhFindListViewItemByFlags(ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR) { PhpMoveListViewItem(ListViewHandle, lvItemIndex, lvItemIndex + 1); } SetFocus(ListViewHandle); ListView_SetItemState(ListViewHandle, lvItemIndex + 1, LVNI_SELECTED, LVNI_SELECTED); //ListView_EnsureVisible(ListViewHandle, lvItemIndex + 1, FALSE); } INT_PTR CALLBACK PhpColumnSetEditorDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_COLUMNSET_DIALOG_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PH_COLUMNSET_DIALOG_CONTEXT)); context->SettingName = PhCreateString((PCWSTR)lParam); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->DialogHandle = hwndDlg; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_COLUMNSETLIST); context->RenameButtonHandle = GetDlgItem(hwndDlg, IDC_RENAME); context->MoveUpButtonHandle = GetDlgItem(hwndDlg, IDC_MOVEUP); context->MoveDownButtonHandle = GetDlgItem(hwndDlg, IDC_MOVEDOWN); context->RemoveButtonHandle = GetDlgItem(hwndDlg, IDC_REMOVE); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 250, L"Name"); PhSetExtendedListView(context->ListViewHandle); context->ColumnSetList = PhInitializeColumnSetList(PhGetString(context->SettingName)); for (ULONG i = 0; i < context->ColumnSetList->Count; i++) { PPH_COLUMN_SET_ENTRY entry = context->ColumnSetList->Items[i]; PhAddListViewItem(context->ListViewHandle, MAXINT, entry->Name->Buffer, entry); } Button_Enable(context->RenameButtonHandle, FALSE); Button_Enable(context->MoveUpButtonHandle, FALSE); Button_Enable(context->MoveDownButtonHandle, FALSE); Button_Enable(context->RemoveButtonHandle, FALSE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteColumnSetList(context->ColumnSetList); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { if (context->LabelEditActive) break; PhSaveSettingsColumnList(PhGetString(context->SettingName), context->ColumnSetList); EndDialog(hwndDlg, IDOK); } break; case IDC_RENAME: { LONG lvItemIndex = PhFindListViewItemByFlags(context->ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR) { SetFocus(context->ListViewHandle); ListView_EditLabel(context->ListViewHandle, lvItemIndex); } } break; case IDC_MOVEUP: { LONG lvItemIndex; PPH_COLUMN_SET_ENTRY entry; ULONG index; PhpMoveSelectedListViewItemUp(context->ListViewHandle); lvItemIndex = PhFindListViewItemByFlags(context->ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR && PhGetListViewItemParam(context->ListViewHandle, lvItemIndex, (PVOID *)&entry)) { index = PhFindItemList(context->ColumnSetList, entry); if (index != ULONG_MAX) { PhRemoveItemList(context->ColumnSetList, index); PhInsertItemList(context->ColumnSetList, lvItemIndex, entry); } } } break; case IDC_MOVEDOWN: { LONG lvItemIndex; PPH_COLUMN_SET_ENTRY entry; ULONG index; PhpMoveSelectedListViewItemDown(context->ListViewHandle); lvItemIndex = PhFindListViewItemByFlags(context->ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR && PhGetListViewItemParam(context->ListViewHandle, lvItemIndex, (PVOID *)&entry)) { index = PhFindItemList(context->ColumnSetList, entry); if (index != ULONG_MAX) { PhRemoveItemList(context->ColumnSetList, index); PhInsertItemList(context->ColumnSetList, lvItemIndex, entry); } } } break; case IDC_REMOVE: { LONG lvItemIndex; PPH_COLUMN_SET_ENTRY entry; ULONG index; lvItemIndex = PhFindListViewItemByFlags(context->ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR && PhGetListViewItemParam(context->ListViewHandle, lvItemIndex, (PVOID *)&entry)) { index = PhFindItemList(context->ColumnSetList, entry); if (index != ULONG_MAX) { PhRemoveItemList(context->ColumnSetList, index); PhRemoveListViewItem(context->ListViewHandle, lvItemIndex); PhClearReference(&entry->Name); PhClearReference(&entry->Setting); PhClearReference(&entry->Sorting); PhFree(entry); } SetFocus(context->ListViewHandle); ListView_SetItemState(context->ListViewHandle, 0, LVNI_SELECTED, LVNI_SELECTED); //ListView_EnsureVisible(context->ListViewHandle, 0, FALSE); } } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case NM_DBLCLK: { LONG lvItemIndex = PhFindListViewItemByFlags(context->ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR) { SetFocus(context->ListViewHandle); ListView_EditLabel(context->ListViewHandle, lvItemIndex); } } break; case LVN_ITEMCHANGED: { LPNMLISTVIEW listview = (LPNMLISTVIEW)lParam; LONG index; LONG lvItemIndex; LONG count; index = listview->iItem; lvItemIndex = PhFindListViewItemByFlags(context->ListViewHandle, INT_ERROR, LVNI_SELECTED); count = ListView_GetItemCount(context->ListViewHandle); if (count == 0 || index == -1 || lvItemIndex == -1) { Button_Enable(context->RenameButtonHandle, FALSE); Button_Enable(context->MoveUpButtonHandle, FALSE); Button_Enable(context->MoveDownButtonHandle, FALSE); Button_Enable(context->RemoveButtonHandle, FALSE); break; } if (index != lvItemIndex) break; if (index == 0 && count == 1) { // First and last item Button_Enable(context->MoveUpButtonHandle, FALSE); Button_Enable(context->MoveDownButtonHandle, FALSE); } else if (index == (count - 1)) { // Last item Button_Enable(context->MoveUpButtonHandle, TRUE); Button_Enable(context->MoveDownButtonHandle, FALSE); } else if (index == 0) { // First item Button_Enable(context->MoveUpButtonHandle, FALSE); Button_Enable(context->MoveDownButtonHandle, TRUE); } else { Button_Enable(context->MoveUpButtonHandle, TRUE); Button_Enable(context->MoveDownButtonHandle, TRUE); } Button_Enable(context->RenameButtonHandle, TRUE); Button_Enable(context->RemoveButtonHandle, TRUE); } break; case LVN_BEGINLABELEDIT: context->LabelEditActive = TRUE; break; case LVN_ENDLABELEDIT: { LV_DISPINFO* lvinfo = (LV_DISPINFO*)lParam; if (lvinfo->item.iItem != -1 && lvinfo->item.pszText) { BOOLEAN found = FALSE; PPH_COLUMN_SET_ENTRY entry; ULONG index; for (ULONG i = 0; i < context->ColumnSetList->Count; i++) { entry = context->ColumnSetList->Items[i]; if (PhEqualStringRef2(&entry->Name->sr, lvinfo->item.pszText, FALSE)) { found = TRUE; break; } } if (!found && PhGetListViewItemParam(context->ListViewHandle, lvinfo->item.iItem, (PVOID *)&entry)) { index = PhFindItemList(context->ColumnSetList, entry); if (index != -1) { PhMoveReference(&entry->Name, PhCreateString(lvinfo->item.pszText)); ListView_SetItemText(context->ListViewHandle, lvinfo->item.iItem, 0, lvinfo->item.pszText); } } } context->LabelEditActive = FALSE; } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/dbgcon.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * */ /* * This is a simple debugging console which is able to explore phlib's * systems easily. Commands are provided to debug reference counting * problems and memory usage, as well as to do general performance testing. */ #include #include #include #include #include #include #include #include #include #include #include #include #include typedef struct _STRING_TABLE_ENTRY { PPH_STRING String; ULONG_PTR Count; } STRING_TABLE_ENTRY, *PSTRING_TABLE_ENTRY; BOOL ConsoleHandlerRoutine( _In_ ULONG dwCtrlType ); VOID PhpPrintHashtableStatistics( _In_ PPH_HASHTABLE Hashtable ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpDebugConsoleThreadStart( _In_ PVOID Parameter ); extern PH_FREE_LIST PhObjectSmallFreeList; static HANDLE DebugConsoleThreadHandle; static PPH_SYMBOL_PROVIDER DebugConsoleSymbolProvider; static PPH_HASHTABLE ObjectListSnapshot = NULL; #ifdef DEBUG static PPH_LIST NewObjectList = NULL; static PH_QUEUED_LOCK NewObjectListLock; #endif static BOOLEAN ShowAllLeaks = FALSE; static BOOLEAN InLeakDetection = FALSE; static ULONG NumberOfLeaks; static ULONG NumberOfLeaksShown; VOID PhShowDebugConsole( VOID ) { if (AllocConsole()) { HMENU menu; // Disable the close button because it's impossible to handle // those events. menu = GetSystemMenu(GetConsoleWindow(), FALSE); EnableMenuItem(menu, SC_CLOSE, MF_GRAYED | MF_DISABLED); DeleteMenu(menu, SC_CLOSE, 0); // Set a handler so we can catch Ctrl+C and Ctrl+Break. SetConsoleCtrlHandler(ConsoleHandlerRoutine, TRUE); _wfreopen(L"CONOUT$", L"w", stdout); _wfreopen(L"CONOUT$", L"w", stderr); _wfreopen(L"CONIN$", L"r", stdin); SetConsoleCP(CP_UTF8); SetConsoleOutputCP(CP_UTF8); PhCreateThreadEx(&DebugConsoleThreadHandle, PhpDebugConsoleThreadStart, NULL); } else { HWND consoleWindow; consoleWindow = GetConsoleWindow(); // Console window already exists, so bring it to the top. if (IsMinimized(consoleWindow)) ShowWindow(consoleWindow, SW_RESTORE); else BringWindowToTop(consoleWindow); return; } } VOID PhCloseDebugConsole( VOID ) { _wfreopen(L"NUL", L"w", stdout); _wfreopen(L"NUL", L"w", stderr); _wfreopen(L"NUL", L"r", stdin); PhFreeConsole(); } BOOL ConsoleHandlerRoutine( _In_ ULONG dwCtrlType ) { switch (dwCtrlType) { case CTRL_C_EVENT: case CTRL_BREAK_EVENT: case CTRL_CLOSE_EVENT: PhCloseDebugConsole(); return TRUE; } return FALSE; } static PWSTR PhpGetSymbolForAddress( _In_ PVOID Address ) { return PH_AUTO_T(PH_STRING, PhGetSymbolFromAddress( DebugConsoleSymbolProvider, Address, NULL, NULL, NULL, NULL ))->Buffer; } static VOID PhpPrintObjectInfo( _In_ PPH_OBJECT_HEADER ObjectHeader, _In_ LONG RefToSubtract ) { PVOID object; PPH_OBJECT_TYPE objectType; WCHAR c = L' '; object = PhObjectHeaderToObject(ObjectHeader); wprintf(L"%Ix", (ULONG_PTR)object); objectType = PhGetObjectType(object); wprintf(L"\t%20s", objectType->Name); if (ObjectHeader->Flags & PH_OBJECT_FROM_SMALL_FREE_LIST) c = L'f'; else if (ObjectHeader->Flags & PH_OBJECT_FROM_TYPE_FREE_LIST) c = L'F'; wprintf(L"\t%4d %c", ObjectHeader->RefCount - RefToSubtract, c); if (!objectType) { // Dummy } else if (objectType == PhObjectTypeObject) { wprintf(L"\t%.32s", ((PPH_OBJECT_TYPE)object)->Name); } else if (objectType == PhStringType) { wprintf(L"\t%.32s", ((PPH_STRING)object)->Buffer); } else if (objectType == PhBytesType) { wprintf(L"\t%.32S", ((PPH_BYTES)object)->Buffer); } else if (objectType == PhListType) { wprintf(L"\tCount: %u", ((PPH_LIST)object)->Count); } else if (objectType == PhPointerListType) { wprintf(L"\tCount: %u", ((PPH_POINTER_LIST)object)->Count); } else if (objectType == PhHashtableType) { wprintf(L"\tCount: %u", ((PPH_HASHTABLE)object)->Count); } else if (objectType == PhProcessItemType) { wprintf( L"\t%.28s (%lu)", ((PPH_PROCESS_ITEM)object)->ProcessName->Buffer, HandleToUlong(((PPH_PROCESS_ITEM)object)->ProcessId) ); } else if (objectType == PhServiceItemType) { wprintf(L"\t%s", ((PPH_SERVICE_ITEM)object)->Name->Buffer); } else if (objectType == PhThreadItemType) { wprintf(L"\tTID: %lu", HandleToUlong(((PPH_THREAD_ITEM)object)->ThreadId)); } wprintf(L"\n"); } static VOID PhpDumpObjectInfo( _In_ PPH_OBJECT_HEADER ObjectHeader ) { PVOID object; PPH_OBJECT_TYPE objectType; object = PhObjectHeaderToObject(ObjectHeader); objectType = PhGetObjectType(object); __try { wprintf(L"Type: %s\n", objectType->Name); wprintf(L"Reference count: %ld\n", ObjectHeader->RefCount); wprintf(L"Flags: %x\n", ObjectHeader->Flags); if (objectType == PhObjectTypeObject) { wprintf(L"Name: %s\n", ((PPH_OBJECT_TYPE)object)->Name); wprintf(L"Number of objects: %lu\n", ((PPH_OBJECT_TYPE)object)->NumberOfObjects); wprintf(L"Flags: %u\n", ((PPH_OBJECT_TYPE)object)->Flags); wprintf(L"Type index: %u\n", ((PPH_OBJECT_TYPE)object)->TypeIndex); wprintf(L"Free list count: %lu\n", ((PPH_OBJECT_TYPE)object)->FreeList.Count); } else if (objectType == PhStringType) { wprintf(L"%s\n", ((PPH_STRING)object)->Buffer); } else if (objectType == PhBytesType) { wprintf(L"%S\n", ((PPH_BYTES)object)->Buffer); } else if (objectType == PhHashtableType) { PhpPrintHashtableStatistics((PPH_HASHTABLE)object); } } __except (EXCEPTION_EXECUTE_HANDLER) { wprintf(L"Error.\n"); } } VOID PhpPrintHashtableStatistics( _In_ PPH_HASHTABLE Hashtable ) { ULONG i; ULONG expectedLookupMisses = 0; wprintf(L"Count: %u\n", Hashtable->Count); wprintf(L"Allocated buckets: %u\n", Hashtable->AllocatedBuckets); wprintf(L"Allocated entries: %u\n", Hashtable->AllocatedEntries); wprintf(L"Next free entry: %d\n", Hashtable->FreeEntry); wprintf(L"Next usable entry: %d\n", Hashtable->NextEntry); wprintf(L"Equal function: %s\n", PhpGetSymbolForAddress(Hashtable->EqualFunction)); wprintf(L"Hash function: %s\n", PhpGetSymbolForAddress(Hashtable->HashFunction)); wprintf(L"\nBuckets:\n"); for (i = 0; i < Hashtable->AllocatedBuckets; i++) { ULONG index; ULONG count = 0; // Count the number of entries in this bucket. index = Hashtable->Buckets[i]; while (index != ULONG_MAX) { index = PH_HASHTABLE_GET_ENTRY(Hashtable, index)->Next; count++; } if (count != 0) { expectedLookupMisses += count - 1; } if (count != 0) { wprintf(L"%lu: ", i); // Print out the entry indicies. index = Hashtable->Buckets[i]; while (index != ULONG_MAX) { wprintf(L"%lu", index); index = PH_HASHTABLE_GET_ENTRY(Hashtable, index)->Next; count--; if (count != 0) wprintf(L", "); } wprintf(L"\n"); } else { //wprintf(L"%u: (empty)\n"); } } wprintf(L"\nExpected lookup misses: %lu\n", expectedLookupMisses); } #ifdef DEBUG static VOID PhpDebugCreateObjectHook( _In_ PVOID Object, _In_ SIZE_T Size, _In_ ULONG Flags, _In_ PPH_OBJECT_TYPE ObjectType ) { PhAcquireQueuedLockExclusive(&NewObjectListLock); if (NewObjectList) { PhReferenceObject(Object); PhAddItemList(NewObjectList, Object); } PhReleaseQueuedLockExclusive(&NewObjectListLock); } #endif #ifdef DEBUG static VOID PhpDeleteNewObjectList( VOID ) { if (NewObjectList) { PhDereferenceObjects(NewObjectList->Items, NewObjectList->Count); PhDereferenceObject(NewObjectList); NewObjectList = NULL; } } #endif _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN PhpStringHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PSTRING_TABLE_ENTRY entry1 = Entry1; PSTRING_TABLE_ENTRY entry2 = Entry2; return PhEqualString(entry1->String, entry2->String, FALSE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG PhpStringHashtableHashFunction( _In_ PVOID Entry ) { PSTRING_TABLE_ENTRY entry = Entry; return PhHashBytes((PUCHAR)entry->String->Buffer, entry->String->Length); } static int __cdecl PhpStringEntryCompareByCount( _In_ const void *elem1, _In_ const void *elem2 ) { PSTRING_TABLE_ENTRY entry1 = *(PSTRING_TABLE_ENTRY *)elem1; PSTRING_TABLE_ENTRY entry2 = *(PSTRING_TABLE_ENTRY *)elem2; return uintptrcmp(entry2->Count, entry1->Count); } static NTSTATUS PhpLeakEnumerationRoutine( _In_ LONG Reserved, _In_ PVOID HeapHandle, _In_ PVOID BaseAddress, _In_ SIZE_T BlockSize, _In_ ULONG StackTraceDepth, _In_ PVOID *StackTrace ) { ULONG i; if (!InLeakDetection) return 0; if (!HeapHandle) // means no more entries return 0; if (ShowAllLeaks || HeapHandle == PhHeapHandle) { wprintf(L"Leak at 0x%Ix (%Iu bytes). Stack trace:\n", (ULONG_PTR)BaseAddress, BlockSize); for (i = 0; i < StackTraceDepth; i++) { PPH_STRING symbol; symbol = PhGetSymbolFromAddress(DebugConsoleSymbolProvider, StackTrace[i], NULL, NULL, NULL, NULL); if (symbol) { wprintf(L"\t%s\n", symbol->Buffer); PhDereferenceObject(symbol); } else { wprintf(L"\t?\n"); } } NumberOfLeaksShown++; } NumberOfLeaks++; return 0; } typedef VOID (FASTCALL *PPHF_RW_LOCK_FUNCTION)( _In_ PVOID Parameter ); typedef struct _RW_TEST_CONTEXT { PWSTR Name; PPHF_RW_LOCK_FUNCTION AcquireExclusive; PPHF_RW_LOCK_FUNCTION AcquireShared; PPHF_RW_LOCK_FUNCTION ReleaseExclusive; PPHF_RW_LOCK_FUNCTION ReleaseShared; PVOID Parameter; } RW_TEST_CONTEXT, *PRW_TEST_CONTEXT; static PH_BARRIER RwStartBarrier; static LONG RwReadersActive; static LONG RwWritersActive; _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhpRwLockTestThreadStart( _In_ PVOID Parameter ) { #define RW_ITERS 10000 #define RW_READ_ITERS 100 #define RW_WRITE_ITERS 10 #define RW_READ_SPIN_ITERS 60 #define RW_WRITE_SPIN_ITERS 200 RW_TEST_CONTEXT context = *(PRW_TEST_CONTEXT)Parameter; ULONG i; ULONG j; ULONG k; ULONG m; PhWaitForBarrier(&RwStartBarrier, FALSE); for (i = 0; i < RW_ITERS; i++) { for (j = 0; j < RW_READ_ITERS; j++) { // Read zone context.AcquireShared(context.Parameter); _InterlockedIncrement(&RwReadersActive); for (m = 0; m < RW_READ_SPIN_ITERS; m++) YieldProcessor(); if (ReadAcquire(&RwWritersActive) != 0) { wprintf(L"[fail]: writers active in read zone!\n"); NtWaitForSingleObject(NtCurrentProcess(), FALSE, NULL); } _InterlockedDecrement(&RwReadersActive); context.ReleaseShared(context.Parameter); // Spin for a while for (m = 0; m < 10; m++) YieldProcessor(); if (j == RW_READ_ITERS / 2) { // Write zone for (k = 0; k < RW_WRITE_ITERS; k++) { context.AcquireExclusive(context.Parameter); _InterlockedIncrement(&RwWritersActive); for (m = 0; m < RW_WRITE_SPIN_ITERS; m++) YieldProcessor(); if (ReadAcquire(&RwReadersActive) != 0) { wprintf(L"[fail]: readers active in write zone!\n"); NtWaitForSingleObject(NtCurrentProcess(), FALSE, NULL); } _InterlockedDecrement(&RwWritersActive); context.ReleaseExclusive(context.Parameter); } } } } return STATUS_SUCCESS; } static VOID PhpTestRwLock( _In_ PRW_TEST_CONTEXT Context ) { #define RW_PROCESSORS 4 PH_STOPWATCH stopwatch; ULONG i; HANDLE threadHandles[RW_PROCESSORS]; // Dummy Context->AcquireExclusive(Context->Parameter); Context->ReleaseExclusive(Context->Parameter); Context->AcquireShared(Context->Parameter); Context->ReleaseShared(Context->Parameter); // Null test PhInitializeStopwatch(&stopwatch); PhStartStopwatch(&stopwatch); for (i = 0; i < 2000000; i++) { Context->AcquireExclusive(Context->Parameter); Context->ReleaseExclusive(Context->Parameter); Context->AcquireShared(Context->Parameter); Context->ReleaseShared(Context->Parameter); } PhStopStopwatch(&stopwatch); wprintf(L"[null] %s: %ums\n", Context->Name, PhGetMillisecondsStopwatch(&stopwatch)); // Stress test PhInitializeBarrier(&RwStartBarrier, RW_PROCESSORS + 1); RwReadersActive = 0; RwWritersActive = 0; for (i = 0; i < RW_PROCESSORS; i++) { PhCreateThreadEx(&threadHandles[i], PhpRwLockTestThreadStart, Context); } PhWaitForBarrier(&RwStartBarrier, FALSE); PhInitializeStopwatch(&stopwatch); PhStartStopwatch(&stopwatch); NtWaitForMultipleObjects(RW_PROCESSORS, threadHandles, WaitAll, FALSE, NULL); PhStopStopwatch(&stopwatch); for (i = 0; i < RW_PROCESSORS; i++) NtClose(threadHandles[i]); wprintf(L"[strs] %s: %ums\n", Context->Name, PhGetMillisecondsStopwatch(&stopwatch)); } _Acquires_exclusive_lock_(*CriticalSection) VOID FASTCALL PhfAcquireCriticalSection( _In_ PRTL_CRITICAL_SECTION CriticalSection ) { RtlEnterCriticalSection(CriticalSection); } _Releases_exclusive_lock_(*CriticalSection) VOID FASTCALL PhfReleaseCriticalSection( _In_ PRTL_CRITICAL_SECTION CriticalSection ) { RtlLeaveCriticalSection(CriticalSection); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpDebugConsoleThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; BOOLEAN exit = FALSE; PhInitializeAutoPool(&autoPool); DebugConsoleSymbolProvider = PhCreateSymbolProvider(NtCurrentProcessId()); PhLoadSymbolProviderOptions(DebugConsoleSymbolProvider); { static CONST PH_STRINGREF variableNameSr = PH_STRINGREF_INIT(L"_NT_SYMBOL_PATH"); PPH_STRING variableValue; PPH_STRING newSearchPath; if (NT_SUCCESS(PhQueryEnvironmentVariable(NULL, &variableNameSr, &variableValue))) { PPH_STRING currentDirectory = PhGetApplicationDirectoryWin32(); PPH_STRING currentSearchPath = PhGetStringSetting(SETTING_DBGHELP_SEARCH_PATH); if (currentSearchPath->Length != 0) { newSearchPath = PhFormatString( L"%s;%s;%s", variableValue->Buffer, PhGetStringOrEmpty(currentSearchPath), PhGetStringOrEmpty(currentDirectory) ); } else { newSearchPath = PhFormatString( L"%s;%s", variableValue->Buffer, PhGetStringOrEmpty(currentDirectory) ); } PhSetSearchPathSymbolProvider(DebugConsoleSymbolProvider, PhGetString(newSearchPath)); PhDereferenceObject(variableValue); PhDereferenceObject(newSearchPath); PhDereferenceObject(currentDirectory); } } PhLoadSymbolProviderModules( DebugConsoleSymbolProvider, NtCurrentProcessId() ); #ifdef DEBUG PhInitializeQueuedLock(&NewObjectListLock); PhDbgCreateObjectHook = PhpDebugCreateObjectHook; #endif wprintf(L"Press Ctrl+C or type \"exit\" to close the debug console. Type \"help\" for a list of commands.\n"); while (!exit) { static PCWSTR delims = L" \t"; static PCWSTR commandDebugOnly = L"This command is not available on non-debug builds.\n"; WCHAR line[201]; ULONG inputLength; PWSTR context; PWSTR command; wprintf(L"dbg>"); if (!fgetws(line, sizeof(line) / sizeof(WCHAR) - 1, stdin)) break; // Remove the terminating new line character. inputLength = (ULONG)PhCountStringZ(line); if (inputLength != 0) line[inputLength - 1] = UNICODE_NULL; context = NULL; command = wcstok_s(line, delims, &context); if (!command) { continue; } else if (PhEqualStringZ(command, L"help", TRUE)) { wprintf( L"Commands:\n" L"exit\n" L"testperf\n" L"testlocks\n" L"stats\n" L"objects [type-name-filter]\n" L"objtrace object-address\n" L"objmksnap\n" L"objcmpsnap\n" L"objmknew\n" L"objdelnew\n" L"objviewnew\n" L"dumpobj\n" L"dumpautopool\n" L"threads\n" L"provthreads\n" L"workqueues\n" L"procrecords\n" L"procitem\n" L"uniquestr\n" L"enableleakdetect\n" L"leakdetect\n" L"mem\n" ); } else if (PhEqualStringZ(command, L"exit", TRUE)) { PhCloseDebugConsole(); exit = TRUE; } else if (PhEqualStringZ(command, L"testperf", TRUE)) { PH_STOPWATCH stopwatch; ULONG i; PPH_STRING testString; RTL_CRITICAL_SECTION testCriticalSection; PH_FAST_LOCK testFastLock; PH_QUEUED_LOCK testQueuedLock; // Control (string reference counting) testString = PhCreateString(L""); PhReferenceObject(testString); PhDereferenceObject(testString); PhStartStopwatch(&stopwatch); for (i = 0; i < 10000000; i++) { PhReferenceObject(testString); PhDereferenceObject(testString); } PhStopStopwatch(&stopwatch); PhDereferenceObject(testString); wprintf(L"Referencing: %ums\n", PhGetMillisecondsStopwatch(&stopwatch)); // Critical section RtlInitializeCriticalSection(&testCriticalSection); RtlEnterCriticalSection(&testCriticalSection); RtlLeaveCriticalSection(&testCriticalSection); PhStartStopwatch(&stopwatch); for (i = 0; i < 10000000; i++) { RtlEnterCriticalSection(&testCriticalSection); RtlLeaveCriticalSection(&testCriticalSection); } PhStopStopwatch(&stopwatch); RtlDeleteCriticalSection(&testCriticalSection); wprintf(L"Critical section: %ums\n", PhGetMillisecondsStopwatch(&stopwatch)); // Fast lock PhInitializeFastLock(&testFastLock); PhAcquireFastLockExclusive(&testFastLock); PhReleaseFastLockExclusive(&testFastLock); PhStartStopwatch(&stopwatch); for (i = 0; i < 10000000; i++) { PhAcquireFastLockExclusive(&testFastLock); PhReleaseFastLockExclusive(&testFastLock); } PhStopStopwatch(&stopwatch); PhDeleteFastLock(&testFastLock); wprintf(L"Fast lock: %ums\n", PhGetMillisecondsStopwatch(&stopwatch)); // Queued lock PhInitializeQueuedLock(&testQueuedLock); PhAcquireQueuedLockExclusive(&testQueuedLock); PhReleaseQueuedLockExclusive(&testQueuedLock); PhStartStopwatch(&stopwatch); for (i = 0; i < 10000000; i++) { PhAcquireQueuedLockExclusive(&testQueuedLock); PhReleaseQueuedLockExclusive(&testQueuedLock); } PhStopStopwatch(&stopwatch); wprintf(L"Queued lock: %ums\n", PhGetMillisecondsStopwatch(&stopwatch)); } else if (PhEqualStringZ(command, L"testlocks", TRUE)) { RW_TEST_CONTEXT testContext; PH_FAST_LOCK fastLock; PH_QUEUED_LOCK queuedLock; RTL_CRITICAL_SECTION criticalSection; testContext.Name = L"FastLock"; testContext.AcquireExclusive = PhfAcquireFastLockExclusive; testContext.AcquireShared = PhfAcquireFastLockShared; testContext.ReleaseExclusive = PhfReleaseFastLockExclusive; testContext.ReleaseShared = PhfReleaseFastLockShared; testContext.Parameter = &fastLock; PhInitializeFastLock(&fastLock); PhpTestRwLock(&testContext); PhDeleteFastLock(&fastLock); testContext.Name = L"QueuedLock"; testContext.AcquireExclusive = PhfAcquireQueuedLockExclusive; testContext.AcquireShared = PhfAcquireQueuedLockShared; testContext.ReleaseExclusive = PhfReleaseQueuedLockExclusive; testContext.ReleaseShared = PhfReleaseQueuedLockShared; testContext.Parameter = &queuedLock; PhInitializeQueuedLock(&queuedLock); PhpTestRwLock(&testContext); testContext.Name = L"CriticalSection"; testContext.AcquireExclusive = PhfAcquireCriticalSection; testContext.AcquireShared = PhfAcquireCriticalSection; testContext.ReleaseExclusive = PhfReleaseCriticalSection; testContext.ReleaseShared = PhfReleaseCriticalSection; testContext.Parameter = &criticalSection; RtlInitializeCriticalSection(&criticalSection); PhpTestRwLock(&testContext); RtlDeleteCriticalSection(&criticalSection); testContext.Name = L"QueuedLockMutex"; testContext.AcquireExclusive = PhfAcquireQueuedLockExclusive; testContext.AcquireShared = PhfAcquireQueuedLockExclusive; testContext.ReleaseExclusive = PhfReleaseQueuedLockExclusive; testContext.ReleaseShared = PhfReleaseQueuedLockExclusive; testContext.Parameter = &queuedLock; PhInitializeQueuedLock(&queuedLock); PhpTestRwLock(&testContext); } else if (PhEqualStringZ(command, L"stats", TRUE)) { #ifdef DEBUG wprintf(L"Object small free list count: %u\n", PhObjectSmallFreeList.Count); wprintf(L"Statistics:\n"); #define PRINT_STATISTIC(Name) wprintf(TEXT(#Name) L": %u\n", PhLibStatisticsBlock.Name); PRINT_STATISTIC(BaseThreadsCreated); PRINT_STATISTIC(BaseThreadsCreateFailed); PRINT_STATISTIC(BaseStringBuildersCreated); PRINT_STATISTIC(BaseStringBuildersResized); PRINT_STATISTIC(RefObjectsCreated); PRINT_STATISTIC(RefObjectsDestroyed); PRINT_STATISTIC(RefObjectsAllocated); PRINT_STATISTIC(RefObjectsFreed); PRINT_STATISTIC(RefObjectsAllocatedFromSmallFreeList); PRINT_STATISTIC(RefObjectsFreedToSmallFreeList); PRINT_STATISTIC(RefObjectsAllocatedFromTypeFreeList); PRINT_STATISTIC(RefObjectsFreedToTypeFreeList); PRINT_STATISTIC(RefObjectsDeleteDeferred); PRINT_STATISTIC(RefAutoPoolsCreated); PRINT_STATISTIC(RefAutoPoolsDestroyed); PRINT_STATISTIC(RefAutoPoolsDynamicAllocated); PRINT_STATISTIC(RefAutoPoolsDynamicResized); PRINT_STATISTIC(QlBlockSpins); PRINT_STATISTIC(QlBlockWaits); PRINT_STATISTIC(QlAcquireExclusiveBlocks); PRINT_STATISTIC(QlAcquireSharedBlocks); PRINT_STATISTIC(WqWorkQueueThreadsCreated); PRINT_STATISTIC(WqWorkQueueThreadsCreateFailed); PRINT_STATISTIC(WqWorkItemsQueued); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"objects", TRUE)) { #ifdef DEBUG PWSTR typeFilter = wcstok_s(NULL, delims, &context); PLIST_ENTRY currentEntry; ULONG totalNumberOfObjects = 0; //SIZE_T totalNumberOfBytes = 0; if (typeFilter) _wcslwr(typeFilter); PhAcquireQueuedLockShared(&PhDbgObjectListLock); currentEntry = PhDbgObjectListHead.Flink; while (currentEntry != &PhDbgObjectListHead) { PPH_OBJECT_HEADER objectHeader; WCHAR typeName[32]; objectHeader = CONTAINING_RECORD(currentEntry, PH_OBJECT_HEADER, ObjectListEntry); // Make sure the object isn't being destroyed. if (!PhReferenceObjectSafe(PhObjectHeaderToObject(objectHeader))) { currentEntry = currentEntry->Flink; continue; } totalNumberOfObjects++; //totalNumberOfBytes += objectHeader->Size; if (typeFilter) { wcscpy_s(typeName, sizeof(typeName) / sizeof(WCHAR), PhGetObjectType(PhObjectHeaderToObject(objectHeader))->Name); _wcslwr(typeName); } if ( !typeFilter || (typeFilter && wcsstr(typeName, typeFilter)) ) { PhpPrintObjectInfo(objectHeader, 1); } currentEntry = currentEntry->Flink; PhDereferenceObjectDeferDelete(PhObjectHeaderToObject(objectHeader)); } PhReleaseQueuedLockShared(&PhDbgObjectListLock); wprintf(L"\n"); wprintf(L"Total number: %lu\n", totalNumberOfObjects); /*wprintf(L"Total size (excl. header): %s\n", ((PPH_STRING)PH_AUTO(PhFormatSize(totalNumberOfBytes, 1)))->Buffer);*/ wprintf(L"Total overhead (header): %s\n", ((PPH_STRING)PH_AUTO( PhFormatSize(PhAddObjectHeaderSize(0) * totalNumberOfObjects, 1) ))->Buffer); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"objtrace", TRUE)) { #ifdef DEBUG PWSTR objectAddress = wcstok_s(NULL, delims, &context); PH_STRINGREF objectAddressString; ULONG64 address; if (!objectAddress) { wprintf(L"Missing object address.\n"); goto EndCommand; } PhInitializeStringRef(&objectAddressString, objectAddress); if (PhStringToUInt64(&objectAddressString, 16, &address)) { PPH_OBJECT_HEADER objectHeader = (PPH_OBJECT_HEADER)PhObjectToObjectHeader((PVOID)address); PVOID stackBackTrace[16]; ULONG i; // The address may not be valid. __try { memcpy(stackBackTrace, objectHeader->StackBackTrace, 16 * sizeof(PVOID)); } __except (EXCEPTION_EXECUTE_HANDLER) { PPH_STRING message; message = PH_AUTO(PhGetNtMessage(GetExceptionCode())); wprintf(L"Error: %s\n", PhGetString(message)); goto EndCommand; } for (i = 0; i < 16; i++) { if (!stackBackTrace[i]) break; wprintf(L"%s\n", PhpGetSymbolForAddress(stackBackTrace[i])); } } else { wprintf(L"Invalid object address.\n"); } #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"objmksnap", TRUE)) { #ifdef DEBUG PLIST_ENTRY currentEntry; if (ObjectListSnapshot) { PhDereferenceObject(ObjectListSnapshot); ObjectListSnapshot = NULL; } ObjectListSnapshot = PhCreateSimpleHashtable(100); PhAcquireQueuedLockShared(&PhDbgObjectListLock); currentEntry = PhDbgObjectListHead.Flink; while (currentEntry != &PhDbgObjectListHead) { PPH_OBJECT_HEADER objectHeader; objectHeader = CONTAINING_RECORD(currentEntry, PH_OBJECT_HEADER, ObjectListEntry); currentEntry = currentEntry->Flink; if (PhObjectHeaderToObject(objectHeader) != ObjectListSnapshot) PhAddItemSimpleHashtable(ObjectListSnapshot, objectHeader, NULL); } PhReleaseQueuedLockShared(&PhDbgObjectListLock); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"objcmpsnap", TRUE)) { #ifdef DEBUG PLIST_ENTRY currentEntry; PPH_LIST newObjects; ULONG i; if (!ObjectListSnapshot) { wprintf(L"No snapshot.\n"); goto EndCommand; } newObjects = PhCreateList(10); PhAcquireQueuedLockShared(&PhDbgObjectListLock); currentEntry = PhDbgObjectListHead.Flink; while (currentEntry != &PhDbgObjectListHead) { PPH_OBJECT_HEADER objectHeader; objectHeader = CONTAINING_RECORD(currentEntry, PH_OBJECT_HEADER, ObjectListEntry); currentEntry = currentEntry->Flink; if ( PhObjectHeaderToObject(objectHeader) != ObjectListSnapshot && PhObjectHeaderToObject(objectHeader) != newObjects ) { if (!PhFindItemSimpleHashtable(ObjectListSnapshot, objectHeader)) { if (PhReferenceObjectSafe(PhObjectHeaderToObject(objectHeader))) PhAddItemList(newObjects, objectHeader); } } } PhReleaseQueuedLockShared(&PhDbgObjectListLock); for (i = 0; i < newObjects->Count; i++) { PPH_OBJECT_HEADER objectHeader = newObjects->Items[i]; PhpPrintObjectInfo(objectHeader, 1); PhDereferenceObject(PhObjectHeaderToObject(objectHeader)); } PhDereferenceObject(newObjects); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"objmknew", TRUE)) { #ifdef DEBUG PhAcquireQueuedLockExclusive(&NewObjectListLock); PhpDeleteNewObjectList(); PhReleaseQueuedLockExclusive(&NewObjectListLock); // Creation needs to be done outside of the lock, // otherwise a deadlock will occur. NewObjectList = PhCreateList(100); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"objdelnew", TRUE)) { #ifdef DEBUG PhAcquireQueuedLockExclusive(&NewObjectListLock); PhpDeleteNewObjectList(); PhReleaseQueuedLockExclusive(&NewObjectListLock); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"objviewnew", TRUE)) { #ifdef DEBUG ULONG i; PhAcquireQueuedLockExclusive(&NewObjectListLock); if (!NewObjectList) { wprintf(L"Object creation hooking not active.\n"); PhReleaseQueuedLockExclusive(&NewObjectListLock); goto EndCommand; } for (i = 0; i < NewObjectList->Count; i++) { PhpPrintObjectInfo(PhObjectToObjectHeader(NewObjectList->Items[i]), 1); } PhReleaseQueuedLockExclusive(&NewObjectListLock); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"dumpobj", TRUE)) { PWSTR addressString = wcstok_s(NULL, delims, &context); PH_STRINGREF addressStringRef; ULONG64 address; if (!addressString) goto EndCommand; PhInitializeStringRef(&addressStringRef, addressString); if (PhStringToUInt64(&addressStringRef, 16, &address)) { PhpDumpObjectInfo((PPH_OBJECT_HEADER)PhObjectToObjectHeader((PVOID)address)); } } else if (PhEqualStringZ(command, L"dumpautopool", TRUE)) { PWSTR addressString = wcstok_s(NULL, delims, &context); PH_STRINGREF addressStringRef; ULONG64 address; if (!addressString) goto EndCommand; PhInitializeStringRef(&addressStringRef, addressString); if (PhStringToUInt64(&addressStringRef, 16, &address)) { PPH_AUTO_POOL userAutoPool = (PPH_AUTO_POOL)address; ULONG i; __try { wprintf(L"Static count: %u\n", userAutoPool->StaticCount); wprintf(L"Dynamic count: %u\n", userAutoPool->DynamicCount); wprintf(L"Dynamic allocated: %u\n", userAutoPool->DynamicAllocated); wprintf(L"Static objects:\n"); for (i = 0; i < userAutoPool->StaticCount; i++) PhpPrintObjectInfo(PhObjectToObjectHeader(userAutoPool->StaticObjects[i]), 0); wprintf(L"Dynamic objects:\n"); for (i = 0; i < userAutoPool->DynamicCount; i++) PhpPrintObjectInfo(PhObjectToObjectHeader(userAutoPool->DynamicObjects[i]), 0); } __except (EXCEPTION_EXECUTE_HANDLER) { goto EndCommand; } } } else if (PhEqualStringZ(command, L"threads", TRUE)) { #ifdef DEBUG PLIST_ENTRY currentEntry; PhAcquireQueuedLockShared(&PhDbgThreadListLock); currentEntry = PhDbgThreadListHead.Flink; while (currentEntry != &PhDbgThreadListHead) { PPHP_BASE_THREAD_DBG dbg; dbg = CONTAINING_RECORD(currentEntry, PHP_BASE_THREAD_DBG, ListEntry); wprintf(L"Thread %u\n", HandleToUlong(dbg->ClientId.UniqueThread)); wprintf(L"\tStart Address: %s\n", PhpGetSymbolForAddress(dbg->StartAddress)); wprintf(L"\tParameter: %Ix\n", (ULONG_PTR)dbg->Parameter); wprintf(L"\tCurrent auto-pool: %Ix\n", (ULONG_PTR)dbg->CurrentAutoPool); currentEntry = currentEntry->Flink; } PhReleaseQueuedLockShared(&PhDbgThreadListLock); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"provthreads", TRUE)) { #ifdef DEBUG ULONG i; if (PhDbgProviderList) { PhAcquireQueuedLockShared(&PhDbgProviderListLock); for (i = 0; i < PhDbgProviderList->Count; i++) { PPH_PROVIDER_THREAD providerThread = PhDbgProviderList->Items[i]; THREAD_BASIC_INFORMATION basicInfo; PLIST_ENTRY providerEntry; if (providerThread->ThreadHandle) { PhGetThreadBasicInformation(providerThread->ThreadHandle, &basicInfo); wprintf(L"Thread %u\n", HandleToUlong(basicInfo.ClientId.UniqueThread)); } else { wprintf(L"Thread not running\n"); } PhAcquireQueuedLockExclusive(&providerThread->Lock); providerEntry = providerThread->ListHead.Flink; while (providerEntry != &providerThread->ListHead) { PPH_PROVIDER_REGISTRATION registration; registration = CONTAINING_RECORD(providerEntry, PH_PROVIDER_REGISTRATION, ListEntry); wprintf(L"\tProvider registration at %Ix\n", (ULONG_PTR)registration); wprintf(L"\t\tEnabled: %s\n", registration->Enabled ? L"Yes" : L"No"); wprintf(L"\t\tFunction: %s\n", PhpGetSymbolForAddress(registration->Function)); if (registration->Object) { wprintf(L"\t\tObject:\n"); PhpPrintObjectInfo(PhObjectToObjectHeader(registration->Object), 0); } providerEntry = providerEntry->Flink; } PhReleaseQueuedLockExclusive(&providerThread->Lock); wprintf(L"\n"); } PhReleaseQueuedLockShared(&PhDbgProviderListLock); } #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"workqueues", TRUE)) { #ifdef DEBUG ULONG i; if (PhDbgWorkQueueList) { PhAcquireQueuedLockShared(&PhDbgWorkQueueListLock); for (i = 0; i < PhDbgWorkQueueList->Count; i++) { PPH_WORK_QUEUE workQueue = PhDbgWorkQueueList->Items[i]; PLIST_ENTRY workQueueItemEntry; wprintf(L"Work queue at %s\n", PhpGetSymbolForAddress(workQueue)); wprintf(L"Maximum threads: %lu\n", workQueue->MaximumThreads); wprintf(L"Minimum threads: %lu\n", workQueue->MinimumThreads); wprintf(L"No work timeout: %lu\n", workQueue->NoWorkTimeout); wprintf(L"Current threads: %lu\n", workQueue->CurrentThreads); wprintf(L"Busy count: %lu\n", workQueue->BusyCount); PhAcquireQueuedLockExclusive(&workQueue->QueueLock); // List the items backwards. workQueueItemEntry = workQueue->QueueListHead.Blink; while (workQueueItemEntry != &workQueue->QueueListHead) { PPH_WORK_QUEUE_ITEM workQueueItem; workQueueItem = CONTAINING_RECORD(workQueueItemEntry, PH_WORK_QUEUE_ITEM, ListEntry); wprintf(L"\tWork queue item at %Ix\n", (ULONG_PTR)workQueueItem); wprintf(L"\t\tFunction: %s\n", PhpGetSymbolForAddress(workQueueItem->Function)); wprintf(L"\t\tContext: %Ix\n", (ULONG_PTR)workQueueItem->Context); workQueueItemEntry = workQueueItemEntry->Blink; } PhReleaseQueuedLockExclusive(&workQueue->QueueLock); wprintf(L"\n"); } PhReleaseQueuedLockShared(&PhDbgWorkQueueListLock); } #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"procrecords", TRUE)) { PPH_PROCESS_RECORD record; ULONG i; SYSTEMTIME systemTime; PPH_PROCESS_RECORD startRecord; PhAcquireQueuedLockShared(&PhProcessRecordListLock); for (i = 0; i < PhProcessRecordList->Count; i++) { record = (PPH_PROCESS_RECORD)PhProcessRecordList->Items[i]; PhLargeIntegerToLocalSystemTime(&systemTime, &record->CreateTime); wprintf(L"Records for %s %s:\n", ((PPH_STRING)PH_AUTO(PhFormatDate(&systemTime, NULL)))->Buffer, ((PPH_STRING)PH_AUTO(PhFormatTime(&systemTime, NULL)))->Buffer ); startRecord = record; do { wprintf(L"\tRecord at %Ix: %s (%lu) (refs: %ld)\n", (ULONG_PTR)record, record->ProcessName->Buffer, HandleToUlong(record->ProcessId), record->RefCount); if (record->FileName) wprintf(L"\t\t%s\n", record->FileName->Buffer); record = CONTAINING_RECORD(record->ListEntry.Flink, PH_PROCESS_RECORD, ListEntry); } while (record != startRecord); } PhReleaseQueuedLockShared(&PhProcessRecordListLock); } else if (PhEqualStringZ(command, L"procitem", TRUE)) { PWSTR filterString; PH_STRINGREF filterRef; ULONG64 filter64; LONG_PTR processIdFilter = -9; // can't use -2, -1 or 0 because they're all used for process IDs ULONG_PTR processAddressFilter = 0; PWSTR imageNameFilter = NULL; BOOLEAN showAll = FALSE; PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; ULONG i; filterString = wcstok_s(NULL, delims, &context); if (filterString) { PhInitializeStringRef(&filterRef, filterString); if (PhStringToInteger64(&filterRef, 10, &filter64)) processIdFilter = (LONG_PTR)filter64; if (PhStringToInteger64(&filterRef, 16, &filter64)) processAddressFilter = (ULONG_PTR)filter64; imageNameFilter = filterString; } else { showAll = TRUE; } PhEnumProcessItems(&processes, &numberOfProcesses); for (i = 0; i < numberOfProcesses; i++) { PPH_PROCESS_ITEM process = processes[i]; if ( showAll || (processIdFilter != -9 && (LONG_PTR)process->ProcessId == processIdFilter) || (processAddressFilter != 0 && (ULONG_PTR)process == processAddressFilter) || (imageNameFilter && PhMatchWildcards(imageNameFilter, process->ProcessName->Buffer, TRUE)) ) { wprintf(L"Process item at %Ix: %s (%u)\n", (ULONG_PTR)process, process->ProcessName->Buffer, HandleToUlong(process->ProcessId)); wprintf(L"\tRecord at %Ix\n", (ULONG_PTR)process->Record); wprintf(L"\tQuery handle %Ix\n", (ULONG_PTR)process->QueryHandle); wprintf(L"\tFile name at %Ix: %s\n", (ULONG_PTR)process->FileName, PhGetStringOrDefault(process->FileName, L"(null)")); wprintf(L"\tCommand line at %Ix: %s\n", (ULONG_PTR)process->CommandLine, PhGetStringOrDefault(process->CommandLine, L"(null)")); wprintf(L"\tFlags: %u\n", process->Flags); wprintf(L"\n"); } } PhDereferenceObjects(processes, numberOfProcesses); } else if (PhEqualStringZ(command, L"uniquestr", TRUE)) { #ifdef DEBUG PLIST_ENTRY currentEntry; PPH_HASHTABLE hashtable; PPH_LIST list; PSTRING_TABLE_ENTRY stringEntry; ULONG enumerationKey; ULONG i; hashtable = PhCreateHashtable( sizeof(STRING_TABLE_ENTRY), PhpStringHashtableEqualFunction, PhpStringHashtableHashFunction, 1024 ); PhAcquireQueuedLockShared(&PhDbgObjectListLock); currentEntry = PhDbgObjectListHead.Flink; while (currentEntry != &PhDbgObjectListHead) { PPH_OBJECT_HEADER objectHeader; PPH_STRING string; STRING_TABLE_ENTRY localStringEntry; BOOLEAN added; objectHeader = CONTAINING_RECORD(currentEntry, PH_OBJECT_HEADER, ObjectListEntry); currentEntry = currentEntry->Flink; string = PhObjectHeaderToObject(objectHeader); // Make sure this is a string. if (PhGetObjectType(string) != PhStringType) continue; // Make sure the object isn't being destroyed. if (!PhReferenceObjectSafe(string)) continue; localStringEntry.String = string; stringEntry = PhAddEntryHashtableEx(hashtable, &localStringEntry, &added); if (added) { stringEntry->Count = 1; PhReferenceObject(string); } else { stringEntry->Count++; } PhDereferenceObjectDeferDelete(string); } PhReleaseQueuedLockShared(&PhDbgObjectListLock); // Sort the string entries by count. list = PhCreateList(hashtable->Count); enumerationKey = 0; while (PhEnumHashtable(hashtable, &stringEntry, &enumerationKey)) { PhAddItemList(list, stringEntry); } qsort(list->Items, list->Count, sizeof(PSTRING_TABLE_ENTRY), PhpStringEntryCompareByCount); // Display... for (i = 0; i < 40 && i < list->Count; i++) { stringEntry = list->Items[i]; wprintf(L"%Iu\t%.64s\n", stringEntry->Count, stringEntry->String->Buffer); } wprintf(L"\nTotal unique strings: %u\n", list->Count); // Cleanup for (i = 0; i < list->Count; i++) { stringEntry = list->Items[i]; PhDereferenceObject(stringEntry->String); } PhDereferenceObject(list); PhDereferenceObject(hashtable); #else wprintf(commandDebugOnly); #endif } else if (PhEqualStringZ(command, L"enableleakdetect", TRUE)) { HEAP_DEBUGGING_INFORMATION debuggingInfo; memset(&debuggingInfo, 0, sizeof(HEAP_DEBUGGING_INFORMATION)); debuggingInfo.StackTraceDepth = 32; debuggingInfo.HeapLeakEnumerationRoutine = PhpLeakEnumerationRoutine; if (!NT_SUCCESS(RtlSetHeapInformation(NULL, HeapSetDebuggingInformation, &debuggingInfo, sizeof(HEAP_DEBUGGING_INFORMATION)))) { wprintf(L"Unable to initialize heap debugging. Make sure that you are using Windows 7 or above."); } } else if (PhEqualStringZ(command, L"leakdetect", TRUE)) { VOID (NTAPI *rtlDetectHeapLeaks)(VOID); PWSTR options = wcstok_s(NULL, delims, &context); rtlDetectHeapLeaks = PhGetDllProcedureAddressZ(L"ntdll.dll", "RtlDetectHeapLeaks", 0); if (!(NtCurrentPeb()->NtGlobalFlag & FLG_USER_STACK_TRACE_DB)) { wprintf(L"Warning: user-mode stack trace database is not enabled. Stack traces will not be displayed.\n"); } ShowAllLeaks = FALSE; if (options) { if (PhEqualStringZ(options, L"all", TRUE)) ShowAllLeaks = TRUE; } if (rtlDetectHeapLeaks) { InLeakDetection = TRUE; NumberOfLeaks = 0; NumberOfLeaksShown = 0; rtlDetectHeapLeaks(); InLeakDetection = FALSE; wprintf(L"\nNumber of leaks: %lu (%lu displayed)\n", NumberOfLeaks, NumberOfLeaksShown); } } else if (PhEqualStringZ(command, L"mem", TRUE)) { PWSTR addressString; PWSTR bytesString; PH_STRINGREF addressStringRef; PH_STRINGREF bytesStringRef; ULONG64 address64; ULONG64 numberOfBytes64; PUCHAR address; ULONG numberOfBytes; ULONG blockSize; UCHAR buffer[16]; ULONG i; addressString = wcstok_s(NULL, delims, &context); if (!addressString) goto PrintMemUsage; bytesString = wcstok_s(NULL, delims, &context); if (!bytesString) { bytesString = L"16"; } PhInitializeStringRef(&addressStringRef, addressString); PhInitializeStringRef(&bytesStringRef, bytesString); if (PhStringToUInt64(&addressStringRef, 16, &address64) && PhStringToUInt64(&bytesStringRef, 10, &numberOfBytes64)) { address = (PUCHAR)address64; numberOfBytes = (ULONG)numberOfBytes64; if (numberOfBytes > 256) { wprintf(L"Number of bytes must be 256 or smaller.\n"); goto EndCommand; } blockSize = sizeof(buffer); while (numberOfBytes != 0) { if (blockSize > numberOfBytes) blockSize = numberOfBytes; __try { memcpy(buffer, address, blockSize); } __except (EXCEPTION_EXECUTE_HANDLER) { wprintf(L"Error reading address near %Ix.\n", (ULONG_PTR)address); goto EndCommand; } // Print hex dump for (i = 0; i < blockSize; i++) wprintf(L"%02x ", buffer[i]); // Fill remaining space (for last, possibly partial block) for (; i < sizeof(buffer); i++) wprintf(L" "); wprintf(L" "); // Print ASCII dump for (i = 0; i < blockSize; i++) putwchar((ULONG)(buffer[i] - ' ') <= (ULONG)('~' - ' ') ? buffer[i] : '.'); wprintf(L"\n"); address += blockSize; numberOfBytes -= blockSize; } } goto EndCommand; PrintMemUsage: wprintf(L"Usage: mem address [numberOfBytes]\n"); wprintf(L"Example: mem 12345678 16\n"); } else { wprintf(L"Unrecognized command.\n"); goto EndCommand; // get rid of the compiler warning about the label being unreferenced } EndCommand: PhDrainAutoPool(&autoPool); } PhDereferenceObject(DebugConsoleSymbolProvider); PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } ================================================ FILE: SystemInformer/delayhook.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2022-2023 * */ #include #include #include #include #include #include #include #include "settings.h" #include // https://learn.microsoft.com/en-us/windows/win32/winmsg/about-window-procedures#window-procedure-superclassing static WNDPROC PhDefaultMenuWindowProcedure = NULL; static WNDPROC PhDefaultDialogWindowProcedure = NULL; static WNDPROC PhDefaultRebarWindowProcedure = NULL; static WNDPROC PhDefaultComboBoxWindowProcedure = NULL; static WNDPROC PhDefaultStaticWindowProcedure = NULL; static WNDPROC PhDefaultStatusbarWindowProcedure = NULL; static WNDPROC PhDefaultEditWindowProcedure = NULL; static WNDPROC PhDefaultHeaderWindowProcedure = NULL; static BOOLEAN PhDefaultEnableStreamerMode = FALSE; static BOOLEAN PhDefaultEnableThemeAcrylicWindowSupport = FALSE; static BOOLEAN PhDefaultEnableThemeAnimation = FALSE; LRESULT CALLBACK PhMenuWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (WindowMessage) { case WM_NCCREATE: { //CREATESTRUCT* createStruct = (CREATESTRUCT*)lParam; if (PhEnableThemeSupport) { HFONT fontHandle; LONG windowDpi = PhGetWindowDpi(WindowHandle); if (fontHandle = PhCreateMessageFont(windowDpi)) { PhSetWindowContext(WindowHandle, (ULONG)'font', fontHandle); SetWindowFont(WindowHandle, fontHandle, TRUE); } } } break; case WM_CREATE: { //CREATESTRUCT* createStruct = (CREATESTRUCT*)lParam; if (PhDefaultEnableStreamerMode) { SetWindowDisplayAffinity(WindowHandle, WDA_EXCLUDEFROMCAPTURE); } if (PhEnableThemeSupport) { if (PhEnableThemeAcrylicSupport) { // Note: DWM crashes if called from WM_NCCREATE (dmex) PhSetWindowAcrylicCompositionColor(WindowHandle, MakeABGRFromCOLORREF(0, RGB(10, 10, 10))); } } } break; case WM_NCDESTROY: { if (PhEnableThemeSupport) { HFONT fontHandle; fontHandle = PhGetWindowContext(WindowHandle, (ULONG)'font'); PhRemoveWindowContext(WindowHandle, (ULONG)'font'); if (fontHandle) { DeleteFont(fontHandle); } } } break; } return CallWindowProc(PhDefaultMenuWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); } LRESULT CALLBACK PhDialogWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (WindowMessage) { case WM_CREATE: { //CREATESTRUCT* createStruct = (CREATESTRUCT*)lParam; //IsTopLevelWindow(createStruct->hwndParent) if (WindowHandle == GetAncestor(WindowHandle, GA_ROOT)) { if (PhDefaultEnableStreamerMode) { SetWindowDisplayAffinity(WindowHandle, WDA_EXCLUDEFROMCAPTURE); } if (PhEnableThemeSupport && PhDefaultEnableThemeAcrylicWindowSupport) { // Note: DWM crashes if called from WM_NCCREATE (dmex) PhSetWindowAcrylicCompositionColor(WindowHandle, MakeABGRFromCOLORREF(0, RGB(10, 10, 10))); } } } break; } return CallWindowProc(PhDefaultDialogWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); } LRESULT CALLBACK PhRebarWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (WindowMessage) { case WM_CTLCOLOREDIT: { HDC hdc = (HDC)wParam; SetBkMode(hdc, TRANSPARENT); SetTextColor(hdc, PhThemeWindowTextColor); SetDCBrushColor(hdc, PhThemeWindowBackground2Color); return (INT_PTR)PhGetStockBrush(DC_BRUSH); } break; } return CallWindowProc(PhDefaultRebarWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); } LRESULT CALLBACK PhComboBoxWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LRESULT result = CallWindowProc(PhDefaultComboBoxWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); switch (WindowMessage) { case WM_NCCREATE: { //CREATESTRUCT* createStruct = (CREATESTRUCT*)lParam; COMBOBOXINFO info = { sizeof(COMBOBOXINFO) }; if (SendMessage(WindowHandle, CB_GETCOMBOBOXINFO, 0, (LPARAM)&info)) { if (PhDefaultEnableStreamerMode) { SetWindowDisplayAffinity(info.hwndList, WDA_EXCLUDEFROMCAPTURE); } } } break; } return result; } LRESULT CALLBACK PhStaticWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { if (WindowMessage == WM_NCCREATE) { ULONG style = PhGetWindowStyle(WindowHandle); if ((style & SS_ICON) == SS_ICON) { PhSetWindowContext(WindowHandle, SCHAR_MAX, UlongToPtr(TRUE)); } } if (WindowMessage != WM_KILLFOCUS && !PhGetWindowContext(WindowHandle, SCHAR_MAX)) return CallWindowProc(PhDefaultStaticWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); switch (WindowMessage) { case WM_NCDESTROY: PhRemoveWindowContext(WindowHandle, SCHAR_MAX); break; case WM_ERASEBKGND: return TRUE; case WM_KILLFOCUS: { WCHAR windowClassName[MAX_PATH]; HWND ParentHandle = GetParent(WindowHandle); if (!GetClassName(ParentHandle, windowClassName, RTL_NUMBER_OF(windowClassName))) windowClassName[0] = UNICODE_NULL; if (PhEqualStringZ(windowClassName, L"CHECKLIST_ACLUI", FALSE)) { RECT rectClient; if (PhGetClientRect(WindowHandle, &rectClient)) { PhInflateRect(&rectClient, 2, 2); MapWindowRect(WindowHandle, ParentHandle, &rectClient); InvalidateRect(ParentHandle, &rectClient, TRUE); // fix the annoying white border left by the previous active control } } } break; case WM_PAINT: { HICON iconHandle; PAINTSTRUCT ps; RECT clientRect; WCHAR windowClassName[MAX_PATH]; if (!GetClassName(GetParent(WindowHandle), windowClassName, RTL_NUMBER_OF(windowClassName))) windowClassName[0] = UNICODE_NULL; if (PhEqualStringZ(windowClassName, L"CHECKLIST_ACLUI", FALSE)) { if (iconHandle = (HICON)(UINT_PTR)CallWindowProc(PhDefaultStaticWindowProcedure, WindowHandle, STM_GETICON, 0, 0)) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HFONT hCheckFont = NULL; HDC hdc = BeginPaint(WindowHandle, &ps); clientRect = ps.rcPaint; HDC bufferDc = CreateCompatibleDC(hdc); HBITMAP bufferBitmap = CreateCompatibleBitmap(hdc, clientRect.right, clientRect.bottom); HBITMAP oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); enum { nocheck, check, graycheck } checkType = nocheck; INT startX = clientRect.left + (clientRect.right - clientRect.bottom) / 2 + 1; INT startY = clientRect.top + (clientRect.bottom - clientRect.top) / 2; DrawIconEx(bufferDc, clientRect.left, clientRect.top, iconHandle, clientRect.right - clientRect.left, clientRect.bottom - clientRect.top, 0, NULL, DI_NORMAL); for (INT x = startX, y = startY; x < clientRect.right; x++) { COLORREF pixel = GetPixel(bufferDc, x, y); if (pixel == RGB(0xB4, 0xB4, 0xB4)) { checkType = graycheck; goto draw_acl_check; } } for (INT x = startX, y = startY; x < clientRect.right; x++) { COLORREF pixel = GetPixel(bufferDc, x, y); if (pixel == RGB(0, 0, 0) || pixel == PhThemeWindowTextColor) { checkType = check; goto draw_acl_check; } } draw_acl_check: if (checkType == check || checkType == graycheck) // right is checked or special permission checked { if (PhBeginInitOnce(&initOnce)) // cache font { hCheckFont = CreateFont( clientRect.bottom - clientRect.top - 1, clientRect.right - clientRect.left - 3, 0, 0, FW_BOLD, FALSE, FALSE, FALSE, DEFAULT_CHARSET, OUT_OUTLINE_PRECIS, CLIP_DEFAULT_PRECIS, CLEARTYPE_QUALITY, VARIABLE_PITCH, L"Segoe UI"); PhEndInitOnce(&initOnce); } SetBkMode(hdc, TRANSPARENT); SetTextColor(hdc, checkType == check ? PhThemeWindowTextColor : RGB(0xB4, 0xB4, 0xB4)); SelectFont(hdc, hCheckFont); //HFONT hFontOriginal = SelectFont(hdc, hCheckFont); FillRect(hdc, &clientRect, PhThemeWindowBackgroundBrush); DrawText(hdc, L"✓", 1, &clientRect, DT_CENTER | DT_VCENTER); //SelectFont(hdc, hFontOriginal); } SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); EndPaint(WindowHandle, &ps); return 0; } } //else if (iconHandle = (HICON)(UINT_PTR)CallWindowProc(PhDefaultStaticWindowProcedure, WindowHandle, STM_GETICON, 0, 0)) // Static_GetIcon(WindowHandle, 0) //{ // PAINTSTRUCT ps; // if (PhGetWindowContext(GetParent(WindowHandle), LONG_MAX) && // BeginPaint(WindowHandle, &ps)) // { // // Fix artefacts when window moving back from off-screen (Dart Vanya) // hdc = GetDC(WindowHandle); // GetClientRect(WindowHandle, &clientRect); // FillRect(hdc, &clientRect, PhThemeWindowBackgroundBrush); // DrawIconEx( // hdc, // clientRect.left, // clientRect.top, // iconHandle, // clientRect.right - clientRect.left, // clientRect.bottom - clientRect.top, // 0, // NULL, // DI_NORMAL // ); // ReleaseDC(WindowHandle, hdc); // EndPaint(WindowHandle, &ps); // } //} } } return CallWindowProc(PhDefaultStaticWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); } typedef struct _PHP_THEME_WINDOW_STATUSBAR_CONTEXT { struct { BOOLEAN Flags; union { BOOLEAN NonMouseActive : 1; BOOLEAN MouseActive : 1; BOOLEAN HotTrack : 1; BOOLEAN Hot : 1; BOOLEAN Spare : 4; }; }; HTHEME ThemeHandle; POINT CursorPos; HDC BufferedDc; HBITMAP BufferedOldBitmap; HBITMAP BufferedBitmap; RECT BufferedContextRect; } PHP_THEME_WINDOW_STATUSBAR_CONTEXT, *PPHP_THEME_WINDOW_STATUSBAR_CONTEXT; VOID ThemeWindowStatusBarCreateBufferedContext( _In_ PPHP_THEME_WINDOW_STATUSBAR_CONTEXT Context, _In_ HDC Hdc, _In_ PRECT BufferRect ) { Context->BufferedDc = CreateCompatibleDC(Hdc); if (!Context->BufferedDc) return; Context->BufferedContextRect = *BufferRect; Context->BufferedBitmap = CreateCompatibleBitmap( Hdc, BufferRect->right, BufferRect->bottom ); Context->BufferedOldBitmap = SelectBitmap(Context->BufferedDc, Context->BufferedBitmap); } VOID ThemeWindowStatusBarDestroyBufferedContext( _In_ PPHP_THEME_WINDOW_STATUSBAR_CONTEXT Context ) { if (Context->BufferedDc && Context->BufferedOldBitmap) { SelectBitmap(Context->BufferedDc, Context->BufferedOldBitmap); } if (Context->BufferedBitmap) { DeleteBitmap(Context->BufferedBitmap); Context->BufferedBitmap = NULL; } if (Context->BufferedDc) { DeleteDC(Context->BufferedDc); Context->BufferedDc = NULL; } } LONG ThemeWindowStatusBarUpdateRectToIndex( _In_ HWND WindowHandle, _In_ WNDPROC WindowProcedure, _In_ PRECT UpdateRect, _In_ LONG Count ) { for (LONG i = 0; i < Count; i++) { RECT blockRect = { 0 }; if (!CallWindowProc(WindowProcedure, WindowHandle, SB_GETRECT, (WPARAM)i, (WPARAM)&blockRect)) continue; if ( UpdateRect->bottom == blockRect.bottom && //UpdateRect->left == blockRect.left && UpdateRect->right == blockRect.right //UpdateRect->top == blockRect.top ) { return i; } } return INT_ERROR; } VOID ThemeWindowStatusBarDrawPart( _In_ PPHP_THEME_WINDOW_STATUSBAR_CONTEXT Context, _In_ HWND WindowHandle, _In_ HDC bufferDc, _In_ PRECT clientRect, _In_ LONG Index ) { RECT blockRect = { 0 }; WCHAR text[0x80] = { 0 }; if (!CallWindowProc(PhDefaultStatusbarWindowProcedure, WindowHandle, SB_GETRECT, (WPARAM)Index, (WPARAM)&blockRect)) return; if (!RectVisible(bufferDc, &blockRect)) return; if (CallWindowProc(PhDefaultStatusbarWindowProcedure, WindowHandle, SB_GETTEXTLENGTH, (WPARAM)Index, 0) >= RTL_NUMBER_OF(text)) return; if (!CallWindowProc(PhDefaultStatusbarWindowProcedure, WindowHandle, SB_GETTEXT, (WPARAM)Index, (LPARAM)text)) return; if (PhPtInRect(&blockRect, &Context->CursorPos)) { SetTextColor(bufferDc, PhThemeWindowTextColor); SetDCBrushColor(bufferDc, PhThemeWindowHighlightColor); blockRect.left -= 3, blockRect.top -= 1; FillRect(bufferDc, &blockRect, PhGetStockBrush(DC_BRUSH)); blockRect.left += 3, blockRect.top += 1; } else { RECT separator; SetTextColor(bufferDc, PhThemeWindowTextColor); FillRect(bufferDc, &blockRect, PhThemeWindowBackgroundBrush); separator = blockRect; separator.left = separator.right - 1; PhInflateRect(&separator, 0, -1); SetDCBrushColor(bufferDc, PhThemeWindowHighlightColor); FillRect(bufferDc, &separator, PhGetStockBrush(DC_BRUSH)); } blockRect.left += 2, blockRect.bottom -= 1; DrawText( bufferDc, text, (UINT)PhCountStringZ(text), &blockRect, DT_LEFT | DT_VCENTER | DT_SINGLELINE | DT_HIDEPREFIX ); blockRect.left -= 2, blockRect.bottom += 1; } VOID ThemeWindowRenderStatusBar( _In_ PPHP_THEME_WINDOW_STATUSBAR_CONTEXT Context, _In_ HWND WindowHandle, _In_ HDC bufferDc, _In_ PRECT clientRect ) { SetBkMode(bufferDc, TRANSPARENT); SelectFont(bufferDc, GetWindowFont(WindowHandle)); FillRect(bufferDc, clientRect, PhThemeWindowBackgroundBrush); LONG blockCount = (LONG)CallWindowProc( PhDefaultStatusbarWindowProcedure, WindowHandle, SB_GETPARTS, 0, 0 ); //INT index = ThemeWindowStatusBarUpdateRectToIndex( // used with BeginBufferedPaint (dmex) // WindowHandle, // WindowProcedure, // clientRect, // blockCount // ); // //if (index == UINT_MAX) { RECT sizeGripRect; LONG dpi; dpi = PhGetWindowDpi(WindowHandle); sizeGripRect.left = clientRect->right - PhGetSystemMetrics(SM_CXHSCROLL, dpi); sizeGripRect.top = clientRect->bottom - PhGetSystemMetrics(SM_CYVSCROLL, dpi); sizeGripRect.right = clientRect->right; sizeGripRect.bottom = clientRect->bottom; if (Context->ThemeHandle) { //if (IsThemeBackgroundPartiallyTransparent(Context->ThemeHandle, SP_GRIPPER, 0)) // DrawThemeParentBackground(WindowHandle, bufferDc, NULL); PhDrawThemeBackground(Context->ThemeHandle, bufferDc, SP_GRIPPER, 0, &sizeGripRect, &sizeGripRect); } else { DrawFrameControl(bufferDc, &sizeGripRect, DFC_SCROLL, DFCS_SCROLLSIZEGRIP); } // Top statusbar border will be drawn by bottom tabcontrol border for (LONG i = 0; i < blockCount; i++) { ThemeWindowStatusBarDrawPart(Context, WindowHandle, bufferDc, clientRect, i); } } //else //{ // ThemeWindowStatusBarDrawPart(Context, WindowHandle, bufferDc, clientRect, WindowProcedure, index); //} } LRESULT CALLBACK PhStatusBarWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_THEME_WINDOW_STATUSBAR_CONTEXT context = NULL; if (WindowMessage == WM_NCCREATE) { context = PhAllocateZero(sizeof(PHP_THEME_WINDOW_STATUSBAR_CONTEXT)); context->ThemeHandle = PhOpenThemeData(WindowHandle, VSCLASS_STATUS, PhGetWindowDpi(WindowHandle)); context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; PhSetWindowContext(WindowHandle, LONG_MAX, context); } else { context = PhGetWindowContext(WindowHandle, LONG_MAX); } if (context) { switch (WindowMessage) { case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, LONG_MAX); ThemeWindowStatusBarDestroyBufferedContext(context); if (context->ThemeHandle) { PhCloseThemeData(context->ThemeHandle); } PhFree(context); } break; case WM_THEMECHANGED: { if (context->ThemeHandle) { PhCloseThemeData(context->ThemeHandle); context->ThemeHandle = NULL; } context->ThemeHandle = PhOpenThemeData(WindowHandle, VSCLASS_STATUS, PhGetWindowDpi(WindowHandle)); } break; case WM_ERASEBKGND: return TRUE; case WM_MOUSEMOVE: { if (!context->MouseActive) { TRACKMOUSEEVENT trackEvent = { sizeof(TRACKMOUSEEVENT), TME_LEAVE, WindowHandle, 0 }; TrackMouseEvent(&trackEvent); context->MouseActive = TRUE; } context->CursorPos.x = GET_X_LPARAM(lParam); context->CursorPos.y = GET_Y_LPARAM(lParam); InvalidateRect(WindowHandle, NULL, FALSE); } break; case WM_MOUSELEAVE: { context->MouseActive = FALSE; context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; InvalidateRect(WindowHandle, NULL, FALSE); } break; case WM_PAINT: { //PAINTSTRUCT ps; //HDC BufferedHDC; //HPAINTBUFFER BufferedPaint; // //if (!BeginPaint(WindowHandle, &ps)) // break; // //if (BufferedPaint = BeginBufferedPaint(ps.hdc, &ps.rcPaint, BPBF_COMPATIBLEBITMAP, NULL, &BufferedHDC)) //{ // ThemeWindowRenderStatusBar(context, WindowHandle, BufferedHDC, &ps.rcPaint, oldWndProc); // EndBufferedPaint(BufferedPaint, TRUE); //} //else { RECT clientRect; RECT bufferRect; HDC hdc; if (!PhGetClientRect(WindowHandle, &clientRect)) break; bufferRect.left = 0; bufferRect.top = 0; bufferRect.right = clientRect.right - clientRect.left; bufferRect.bottom = clientRect.bottom - clientRect.top; hdc = GetDC(WindowHandle); if (context->BufferedDc && ( context->BufferedContextRect.right < bufferRect.right || context->BufferedContextRect.bottom < bufferRect.bottom)) { ThemeWindowStatusBarDestroyBufferedContext(context); } if (!context->BufferedDc) { ThemeWindowStatusBarCreateBufferedContext(context, hdc, &bufferRect); } if (context->BufferedDc) { ThemeWindowRenderStatusBar( context, WindowHandle, context->BufferedDc, &clientRect ); BitBlt(hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom, context->BufferedDc, 0, 0, SRCCOPY); } ReleaseDC(WindowHandle, hdc); } //EndPaint(WindowHandle, &ps); } goto DefaultWndProc; } } return CallWindowProc(PhDefaultStatusbarWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); DefaultWndProc: return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } LRESULT CALLBACK PhEditWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (WindowMessage) { case WM_NCPAINT: { HDC hdc; ULONG flags; RECT windowRect; HRGN updateRegion; // The searchbox control does its own theme drawing. if (PhGetWindowContext(WindowHandle, SHRT_MAX)) break; if (!PhGetWindowRect(WindowHandle, &windowRect)) break; updateRegion = (HRGN)wParam; if (updateRegion == HRGN_FULL) updateRegion = NULL; flags = DCX_WINDOW | DCX_CACHE | DCX_USESTYLE; if (updateRegion) flags |= DCX_INTERSECTRGN | DCX_NODELETERGN; if (hdc = GetDCEx(WindowHandle, updateRegion, flags)) { PhOffsetRect(&windowRect, -windowRect.left, -windowRect.top); if (GetFocus() == WindowHandle) { // A little bit nicer and contrast color (Dart Vanya) SetDCBrushColor(hdc, PhMakeColorBrighter(GetSysColor(COLOR_HOTLIGHT), 85)); // PhThemeWindowHighlightColor FrameRect(hdc, &windowRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(hdc, PhThemeWindowBackground2Color); FrameRect(hdc, &windowRect, PhGetStockBrush(DC_BRUSH)); } ReleaseDC(WindowHandle, hdc); return 0; } } break; } return CallWindowProc(PhDefaultEditWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); } typedef struct _PHP_THEME_WINDOW_HEADER_CONTEXT { HTHEME ThemeHandle; BOOLEAN MouseActive; POINT CursorPos; } PHP_THEME_WINDOW_HEADER_CONTEXT, *PPHP_THEME_WINDOW_HEADER_CONTEXT; VOID ThemeWindowRenderHeaderControl( _In_ PPHP_THEME_WINDOW_HEADER_CONTEXT Context, _In_ HWND WindowHandle, _In_ HDC bufferDc, _In_ PRECT clientRect ) { SetBkMode(bufferDc, TRANSPARENT); SelectFont(bufferDc, GetWindowFont(WindowHandle)); FillRect(bufferDc, clientRect, PhThemeWindowBackgroundBrush); //INT headerItemCount = Header_GetItemCount(WindowHandle); INT headerItemCount = (INT)CallWindowProc( PhDefaultHeaderWindowProcedure, WindowHandle, HDM_GETITEMCOUNT, 0, 0 ); for (INT i = 0; i < headerItemCount; i++) { RECT headerRect = { 0 }; //Header_GetItemRect(WindowHandle, i, &headerRect); if (!(BOOL)CallWindowProc( PhDefaultHeaderWindowProcedure, WindowHandle, HDM_GETITEMRECT, (WPARAM)i, (LPARAM)&headerRect )) { continue; } if (PhPtInRect(&headerRect, &Context->CursorPos)) { SetTextColor(bufferDc, PhThemeWindowTextColor); SetDCBrushColor(bufferDc, PhThemeWindowBackground2Color); // PhThemeWindowHighlightColor); FillRect(bufferDc, &headerRect, PhGetStockBrush(DC_BRUSH)); //FrameRect(bufferDc, &headerRect, GetSysColorBrush(COLOR_HIGHLIGHT)); } else { SetTextColor(bufferDc, PhThemeWindowTextColor); FillRect(bufferDc, &headerRect, PhThemeWindowBackgroundBrush); //FrameRect(hdc, &headerRect, GetSysColorBrush(COLOR_HIGHLIGHT)); //SetDCPenColor(hdc, RGB(0, 255, 0)); //SetDCBrushColor(hdc, RGB(0, 255, 0)); //DrawEdge(hdc, &headerRect, BDR_RAISEDOUTER | BF_FLAT, BF_RIGHT); //RECT frameRect; //frameRect.bottom = headerRect.bottom - 2; //frameRect.left = headerRect.right - 1; //frameRect.right = headerRect.right; //frameRect.top = headerRect.top; //SetDCBrushColor(hdc, RGB(68, 68, 68)); // RGB(0x77, 0x77, 0x77)); //FrameRect(hdc, &headerRect, PhGetStockBrush(DC_BRUSH)); //PatBlt(DrawInfo->hDC, DrawInfo->rcItem.right - 1, DrawInfo->rcItem.top, 1, DrawInfo->rcItem.bottom - DrawInfo->rcItem.top, PATCOPY); //PatBlt(DrawInfo->hDC, DrawInfo->rcItem.left, DrawInfo->rcItem.bottom - 1, DrawInfo->rcItem.right - DrawInfo->rcItem.left, 1, PATCOPY); DrawEdge(bufferDc, &headerRect, BDR_RAISEDOUTER, BF_RIGHT); } INT drawTextFlags = DT_SINGLELINE | DT_HIDEPREFIX | DT_WORD_ELLIPSIS; WCHAR headerText[0x80] = { 0 }; HDITEM headerItem; ZeroMemory(&headerItem, sizeof(HDITEM)); headerItem.mask = HDI_TEXT | HDI_FORMAT; headerItem.cchTextMax = MAX_PATH; headerItem.pszText = headerText; //Header_GetItem(WindowHandle, i, &headerItem); if (!(BOOL)CallWindowProc( PhDefaultHeaderWindowProcedure, WindowHandle, HDM_GETITEM, (WPARAM)i, (LPARAM)&headerItem )) { break; } if (headerItem.fmt & HDF_SORTUP) { if (Context->ThemeHandle) { RECT sortArrowRect = headerRect; SIZE sortArrowSize; if (PhGetThemePartSize( Context->ThemeHandle, bufferDc, HP_HEADERSORTARROW, HSAS_SORTEDUP, NULL, THEMEPARTSIZE_TRUE, &sortArrowSize )) { sortArrowRect.bottom = sortArrowSize.cy; } PhDrawThemeBackground( Context->ThemeHandle, bufferDc, HP_HEADERSORTARROW, HSAS_SORTEDUP, &sortArrowRect, NULL ); } } else if (headerItem.fmt & HDF_SORTDOWN) { if (Context->ThemeHandle) { RECT sortArrowRect = headerRect; SIZE sortArrowSize; if (PhGetThemePartSize( Context->ThemeHandle, bufferDc, HP_HEADERSORTARROW, HSAS_SORTEDDOWN, NULL, THEMEPARTSIZE_TRUE, &sortArrowSize )) { sortArrowRect.bottom = sortArrowSize.cy; } PhDrawThemeBackground( Context->ThemeHandle, bufferDc, HP_HEADERSORTARROW, HSAS_SORTEDDOWN, &sortArrowRect, NULL ); } } if (headerItem.fmt & HDF_RIGHT) drawTextFlags |= DT_VCENTER | DT_RIGHT; else drawTextFlags |= DT_VCENTER | DT_LEFT; headerRect.left += 4; headerRect.right -= 8; DrawText( bufferDc, headerText, (UINT)PhCountStringZ(headerText), &headerRect, drawTextFlags ); } } LRESULT CALLBACK PhHeaderWindowHookProcedure( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_THEME_WINDOW_HEADER_CONTEXT context = NULL; if (WindowMessage == WM_NCCREATE) { CREATESTRUCT* createStruct = (CREATESTRUCT*)lParam; if (createStruct->hwndParent) { WCHAR windowClassName[MAX_PATH]; if (!GetClassName(createStruct->hwndParent, windowClassName, RTL_NUMBER_OF(windowClassName))) windowClassName[0] = UNICODE_NULL; if (PhEqualStringZ(windowClassName, L"PhTreeNew", FALSE)) { ULONG windowStyle = PhGetWindowStyle(createStruct->hwndParent); if (BooleanFlagOn(windowStyle, TN_STYLE_CUSTOM_HEADERDRAW)) { PhSetControlTheme(WindowHandle, L"DarkMode_ItemsView"); return CallWindowProc(PhDefaultHeaderWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); } } } context = PhAllocateZero(sizeof(PHP_THEME_WINDOW_HEADER_CONTEXT)); context->ThemeHandle = PhOpenThemeData(WindowHandle, VSCLASS_HEADER, PhGetWindowDpi(WindowHandle)); context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; PhSetWindowContext(WindowHandle, LONG_MAX, context); PhSetControlTheme(WindowHandle, L"DarkMode_ItemsView"); InvalidateRect(WindowHandle, NULL, FALSE); } else { context = PhGetWindowContext(WindowHandle, LONG_MAX); } if (context) { switch (WindowMessage) { case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, LONG_MAX); if (context->ThemeHandle) { PhCloseThemeData(context->ThemeHandle); } PhFree(context); } break; case WM_THEMECHANGED: { if (context->ThemeHandle) { PhCloseThemeData(context->ThemeHandle); context->ThemeHandle = NULL; } context->ThemeHandle = PhOpenThemeData(WindowHandle, VSCLASS_HEADER, PhGetWindowDpi(WindowHandle)); } break; case WM_ERASEBKGND: return TRUE; case WM_MOUSEMOVE: { if (GetCapture() == WindowHandle) break; if (!context->MouseActive) { TRACKMOUSEEVENT trackEvent = { sizeof(TRACKMOUSEEVENT), TME_LEAVE, WindowHandle, 0 }; TrackMouseEvent(&trackEvent); context->MouseActive = TRUE; } context->CursorPos.x = GET_X_LPARAM(lParam); context->CursorPos.y = GET_Y_LPARAM(lParam); InvalidateRect(WindowHandle, NULL, FALSE); } break; case WM_CONTEXTMENU: { LRESULT result = CallWindowProc(PhDefaultHeaderWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); InvalidateRect(WindowHandle, NULL, TRUE); return result; } break; case WM_MOUSELEAVE: { LRESULT result = CallWindowProc(PhDefaultHeaderWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); context->MouseActive = FALSE; context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; InvalidateRect(WindowHandle, NULL, TRUE); return result; } break; case WM_PAINT: { // Don't apply header theme for unsupported dialogs: Advanced Security, Digital Signature Details, etc. (Dart Vanya) if (!PhIsDarkModeAllowedForWindow(GetParent(WindowHandle))) { PhRemoveWindowContext(WindowHandle, LONG_MAX); if (context->ThemeHandle) PhCloseThemeData(context->ThemeHandle); PhFree(context); PhSetControlTheme(WindowHandle, L"Explorer"); break; } //PAINTSTRUCT ps; //HDC BufferedHDC; //HPAINTBUFFER BufferedPaint; // //if (!BeginPaint(WindowHandle, &ps)) // break; // //DEBUG_BEGINPAINT_RECT(WindowHandle, ps.rcPaint); // //if (BufferedPaint = BeginBufferedPaint(ps.hdc, &ps.rcPaint, BPBF_COMPATIBLEBITMAP, NULL, &BufferedHDC)) //{ // ThemeWindowRenderHeaderControl(context, WindowHandle, BufferedHDC, &ps.rcPaint, oldWndProc); // EndBufferedPaint(BufferedPaint, TRUE); //} //else { RECT clientRect; HDC hdc; HDC bufferDc; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; if (!PhGetClientRect(WindowHandle, &clientRect)) break; hdc = GetDC(WindowHandle); bufferDc = CreateCompatibleDC(hdc); bufferBitmap = CreateCompatibleBitmap(hdc, clientRect.right, clientRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); ThemeWindowRenderHeaderControl(context, WindowHandle, bufferDc, &clientRect); BitBlt(hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom, bufferDc, 0, 0, SRCCOPY); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); ReleaseDC(WindowHandle, hdc); } //EndPaint(WindowHandle, &ps); } goto DefaultWndProc; } } return CallWindowProc(PhDefaultHeaderWindowProcedure, WindowHandle, WindowMessage, wParam, lParam); DefaultWndProc: return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } VOID PhRegisterDialogSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, L"#32770", &wcex)) return; PhDefaultDialogWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhDialogWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(L"#32770", NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } VOID PhRegisterMenuSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, L"#32768", &wcex)) return; PhDefaultMenuWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhMenuWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(L"#32768", NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } VOID PhRegisterRebarSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, REBARCLASSNAME, &wcex)) return; PhDefaultRebarWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhRebarWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(REBARCLASSNAME, NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } VOID PhRegisterComboBoxSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, WC_COMBOBOX, &wcex)) return; PhDefaultComboBoxWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhComboBoxWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(WC_COMBOBOX, NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } VOID PhRegisterStaticSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, WC_STATIC, &wcex)) return; PhDefaultStaticWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhStaticWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(WC_STATIC, NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } VOID PhRegisterStatusBarSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, STATUSCLASSNAME, &wcex)) return; PhDefaultStatusbarWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhStatusBarWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(STATUSCLASSNAME, NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } VOID PhRegisterEditSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, WC_EDIT, &wcex)) return; PhDefaultEditWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhEditWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(WC_EDIT, NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } VOID PhRegisterHeaderSuperClass( VOID ) { WNDCLASSEX wcex = { sizeof(WNDCLASSEX) }; if (!GetClassInfoEx(NULL, WC_HEADER, &wcex)) return; PhDefaultHeaderWindowProcedure = wcex.lpfnWndProc; wcex.lpfnWndProc = PhHeaderWindowHookProcedure; wcex.style = wcex.style | CS_GLOBALCLASS; UnregisterClass(WC_HEADER, NULL); if (RegisterClassEx(&wcex) == INVALID_ATOM) { PhShowStatus(NULL, L"Unable to register window class.", 0, GetLastError()); } } // Detours export procedure hooks static typeof(&DrawThemeBackground) DefaultDrawThemeBackground = NULL; static typeof(&DrawThemeBackgroundEx) DefaultDrawThemeBackgroundEx = NULL; static typeof(&DrawThemeText) DefaultDrawThemeText = NULL; static typeof(&DrawThemeTextEx) DefaultDrawThemeTextEx = NULL; static typeof(&DrawTextW) DefaultComCtl32DrawTextW = NULL; static typeof(&TaskDialogIndirect) DefaultTaskDialogIndirect = NULL; static typeof(&GetThemeColor) DefaultGetThemeColor = NULL; static typeof(&SystemParametersInfoW) DefaultSystemParametersInfo = NULL; static typeof(&CreateWindowExW) DefaultCreateWindowEx = NULL; // uxtheme.dll ordinal 49 static HTHEME(WINAPI* DefaultOpenNcThemeData)( _In_ HWND hwnd, _In_ LPCWSTR pszClassList ) = NULL; typedef struct _TASKDIALOG_CALLBACK_WRAP { PFTASKDIALOGCALLBACK pfCallback; LONG_PTR lpCallbackData; } TASKDIALOG_CALLBACK_WRAP, *PTASKDIALOG_CALLBACK_WRAP; typedef struct _TASKDIALOG_COMMON_CONTEXT { WNDPROC DefaultWindowProc; ULONG Painting; } TASKDIALOG_COMMON_CONTEXT, *PTASKDIALOG_COMMON_CONTEXT; typedef struct _TASKDIALOG_WINDOW_CONTEXT { WNDPROC DefaultWindowProc; ULONG Painting; PTASKDIALOG_CALLBACK_WRAP CallbackData; } TASKDIALOG_WINDOW_CONTEXT, *PTASKDIALOG_WINDOW_CONTEXT; #define TASKDIALOG_CONTEXT_TAG (ULONG)'TDLG' #define GETCLASSNAME_OR_NULL(WindowHandle, ClassName) if (!GetClassName(WindowHandle, ClassName, RTL_NUMBER_OF(ClassName))) ClassName[0] = UNICODE_NULL HRESULT CALLBACK ThemeTaskDialogCallbackHook( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ); LRESULT CALLBACK ThemeTaskDialogMasterSubclass( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhInitializeTaskDialogTheme( _In_ HWND hwndDlg, _In_opt_ PVOID Context ); HRESULT PhDrawThemeBackgroundHook( _In_ HTHEME Theme, _In_ HDC Hdc, _In_ LONG PartId, _In_ LONG StateId, _In_ LPCRECT Rect, _In_ LPCRECT ClipRect ) { WCHAR className[MAX_PATH]; BOOLEAN hasThemeClass = PhGetThemeClass(Theme, className, RTL_NUMBER_OF(className)); if (WindowsVersion >= WINDOWS_11 && hasThemeClass) { if (PhEqualStringZ(className, VSCLASS_MENU, TRUE)) { if (PartId == MENU_POPUPGUTTER || PartId == MENU_POPUPBORDERS) { FillRect(Hdc, Rect, PhThemeWindowBackgroundBrush); return S_OK; } } } if (hasThemeClass && PhEqualStringZ(className, VSCLASS_PROGRESS, TRUE) /*|| WindowsVersion < WINDOWS_11 && WindowFromDC(Hdc) == NULL*/) { if (PartId == PP_TRANSPARENTBAR || PartId == PP_TRANSPARENTBARVERT) // Progress bar background { FillRect(Hdc, Rect, PhThemeWindowBackgroundBrush); SetDCBrushColor(Hdc, RGB(0x60, 0x60, 0x60)); FrameRect(Hdc, Rect, PhGetStockBrush(DC_BRUSH)); return S_OK; } } return DefaultDrawThemeBackground(Theme, Hdc, PartId, StateId, Rect, ClipRect); } HRESULT WINAPI PhDrawThemeBackgroundExHook( _In_ HTHEME hTheme, _In_ HDC hdc, _In_ int iPartId, _In_ int iStateId, _In_ LPCRECT pRect, _In_ const DTBGOPTS* pOptions ) { WCHAR className[MAX_PATH]; // Apply theme to ListView checkboxes if (iPartId == BP_CHECKBOX /*|| iPartId == BP_RADIOBUTTON*/) { if (PhGetThemeClass(hTheme, className, RTL_NUMBER_OF(className)) && PhEqualStringZ(className, VSCLASS_BUTTON, TRUE)) { HTHEME darkButtonTheme = PhOpenThemeData(NULL, L"DarkMode_Explorer::Button", 0); HRESULT retVal = DefaultDrawThemeBackgroundEx(darkButtonTheme ? darkButtonTheme : hTheme, hdc, iPartId, iStateId, pRect, pOptions); if (darkButtonTheme) PhCloseThemeData(darkButtonTheme); return retVal; } } // Micro optimization if ((iPartId == TDLG_PRIMARYPANEL || iPartId == TDLG_FOOTNOTEPANE || iPartId == TDLG_SECONDARYPANEL || iPartId == TDLG_FOOTNOTESEPARATOR || iPartId == TDLG_EXPANDOBUTTON) && PhGetThemeClass(hTheme, className, RTL_NUMBER_OF(className)) && PhEqualStringZ(className, VSCLASS_TASKDIALOG, TRUE) /*|| WindowsVersion < WINDOWS_11 && WindowFromDC(hdc) == NULL*/) { switch (iPartId) { case TDLG_PRIMARYPANEL: SetDCBrushColor(hdc, PhThemeWindowBackground2Color); FillRect(hdc, pRect, PhGetStockBrush(DC_BRUSH)); return S_OK; case TDLG_FOOTNOTEPANE: FillRect(hdc, pRect, PhThemeWindowBackgroundBrush); return S_OK; case TDLG_SECONDARYPANEL: { FillRect(hdc, pRect, PhThemeWindowBackgroundBrush); RECT rect = *pRect; rect.bottom = rect.top + 1; SetDCBrushColor(hdc, PhThemeWindowForegroundColor); FillRect(hdc, &rect, PhGetStockBrush(DC_BRUSH)); PhOffsetRect(&rect, 0, 1); SetDCBrushColor(hdc, PhThemeWindowBackground2Color); FillRect(hdc, &rect, PhGetStockBrush(DC_BRUSH)); return S_OK; } case TDLG_FOOTNOTESEPARATOR: { SetDCBrushColor(hdc, PhThemeWindowForegroundColor); FillRect(hdc, pRect, PhGetStockBrush(DC_BRUSH)); RECT rect = *pRect; rect.top += 1; SetDCBrushColor(hdc, PhThemeWindowBackground2Color); FillRect(hdc, &rect, PhGetStockBrush(DC_BRUSH)); return S_OK; } case TDLG_EXPANDOBUTTON: if (WindowsVersion >= WINDOWS_11) { // In Windows 11, buttons lack background, making them indistinguishable on dark backgrounds. // To address this, we invert the button. This technique isn't applicable to Windows 10 as it causes the button's border to appear chipped. static enum { yes, no, unknown } mustInvertButton = unknown; if (mustInvertButton == unknown) { DefaultDrawThemeBackgroundEx(hTheme, hdc, iPartId, iStateId, pRect, pOptions); int buttonCenterX = pOptions->rcClip.left + (pOptions->rcClip.right - pOptions->rcClip.left) / 2; int buttonCenterY = pOptions->rcClip.top + (pOptions->rcClip.bottom - pOptions->rcClip.top) / 2; COLORREF centerPixel = GetPixel(hdc, buttonCenterX, buttonCenterY); mustInvertButton = centerPixel == PhThemeWindowTextColor ? no : yes; } FillRect(hdc, pRect, PhThemeWindowBackgroundBrush); if (mustInvertButton == yes) InvertRect(hdc, pRect); HRESULT retVal = DefaultDrawThemeBackgroundEx(hTheme, hdc, iPartId, iStateId, pRect, pOptions); if (mustInvertButton == yes) InvertRect(hdc, pRect); return retVal; } } } return DefaultDrawThemeBackgroundEx(hTheme, hdc, iPartId, iStateId, pRect, pOptions); } HWND PhCreateWindowExHook( _In_ ULONG ExStyle, _In_opt_ PCWSTR ClassName, _In_opt_ PCWSTR WindowName, _In_ ULONG Style, _In_ LONG X, _In_ LONG Y, _In_ LONG Width, _In_ LONG Height, _In_opt_ HWND Parent, _In_opt_ HMENU Menu, _In_opt_ PVOID Instance, _In_opt_ PVOID Param ) { HWND windowHandle = DefaultCreateWindowEx( ExStyle, ClassName, WindowName, Style, X, Y, Width, Height, Parent, Menu, Instance, Param ); if (Parent == NULL) { if (PhDefaultEnableStreamerMode) { SetWindowDisplayAffinity(windowHandle, WDA_EXCLUDEFROMCAPTURE); } if (PhEnableThemeSupport && PhDefaultEnableThemeAcrylicWindowSupport) { PhSetWindowAcrylicCompositionColor(windowHandle, MakeABGRFromCOLORREF(0, RGB(10, 10, 10))); } } else if (PhEnableThemeSupport) { // Early subclassing of the SysLink control to eliminate blinking during page switches. if (!IS_INTRESOURCE(ClassName) && PhEqualStringZ(ClassName, WC_LINK, TRUE)) { PhInitializeTaskDialogTheme(windowHandle, 0); } else if (!IS_INTRESOURCE(ClassName) && PhEqualStringZ(ClassName, WC_BUTTON, TRUE) && PhGetWindowContext(GetAncestor(Parent, GA_ROOT), LONG_MAX)) { PhSetControlTheme(windowHandle, L"DarkMode_Explorer"); } } return windowHandle; } BOOL WINAPI PhSystemParametersInfoHook( _In_ UINT uiAction, _In_ UINT uiParam, _Pre_maybenull_ _Post_valid_ PVOID pvParam, _In_ UINT fWinIni ) { if (uiAction == SPI_GETMENUFADE && pvParam) { *((PBOOL)pvParam) = FALSE; return TRUE; } if (uiAction == SPI_GETCLIENTAREAANIMATION && pvParam) { *((PBOOL)pvParam) = FALSE; return TRUE; } if (uiAction == SPI_GETCOMBOBOXANIMATION && pvParam) { *((PBOOL)pvParam) = FALSE; return TRUE; } if (uiAction == SPI_GETTOOLTIPANIMATION && pvParam) { *((PBOOL)pvParam) = FALSE; return TRUE; } if (uiAction == SPI_GETMENUANIMATION && pvParam) { *((PBOOL)pvParam) = FALSE; return TRUE; } if (uiAction == SPI_GETTOOLTIPFADE && pvParam) { *((PBOOL)pvParam) = FALSE; return TRUE; } if (uiAction == SPI_GETMOUSEVANISH && pvParam) { *((PBOOL)pvParam) = FALSE; return TRUE; } return DefaultSystemParametersInfo(uiAction, uiParam, pvParam, fWinIni); } //ULONG WINAPI GetSysColorHook(int nIndex) //{ // if (nIndex == COLOR_WINDOW) // return PhThemeWindowTextColor; // if (nIndex == COLOR_MENUTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_WINDOWTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_CAPTIONTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_HIGHLIGHTTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_GRAYTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_BTNTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_INACTIVECAPTIONTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_BTNFACE) // return PhThemeWindowBackgroundColor; // if (nIndex == COLOR_BTNTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_BTNHIGHLIGHT) // return PhThemeWindowBackgroundColor; // if (nIndex == COLOR_INFOTEXT) // return PhThemeWindowTextColor; // if (nIndex == COLOR_INFOBK) // return PhThemeWindowBackgroundColor; // if (nIndex == COLOR_MENU) // return PhThemeWindowBackgroundColor; // if (nIndex == COLOR_HIGHLIGHT) // return PhThemeWindowForegroundColor; // return originalGetSysColor(nIndex); //} // //HBRUSH WINAPI GetSysColorBrushHook(_In_ int nIndex) //{ // //if (nIndex == COLOR_WINDOW) // // return originalCreateSolidBrush(PhThemeWindowBackgroundColor); // if (nIndex == COLOR_BTNFACE) // return originalCreateSolidBrush(PhThemeWindowBackgroundColor); // return originalHook(nIndex); //} // // RGB(GetBValue(color), GetGValue(color), GetRValue(color)); //#define RGB_FROM_COLOREF(cref) \ // ((((cref) & 0x000000FF) << 16) | (((cref) & 0x0000FF00)) | (((cref) & 0x00FF0000) >> 16)) HRESULT WINAPI PhDrawThemeTextHook( _In_ HTHEME hTheme, _In_ HDC hdc, _In_ int iPartId, _In_ int iStateId, _In_ LPCWSTR pszText, _In_ int cchText, _In_ DWORD dwTextFlags, _In_ DWORD dwTextFlags2, _In_ LPCRECT pRect ) { if ((iPartId == BP_COMMANDLINK /*|| iPartId == BP_RADIOBUTTON*/) && iStateId != PBS_DISABLED) { WCHAR className[MAX_PATH]; if (PhGetThemeClass(hTheme, className, RTL_NUMBER_OF(className)) && PhEqualStringZ(className, VSCLASS_BUTTON, TRUE) /*|| WindowsVersion < WINDOWS_11 && WindowFromDC(hdc) == NULL*/) { DTTOPTS options = { sizeof(DTTOPTS), DTT_TEXTCOLOR, PhThemeWindowTextColor }; return DefaultDrawThemeTextEx(hTheme, hdc, iPartId, iStateId, pszText, cchText, dwTextFlags, (LPRECT)pRect, &options); } } return DefaultDrawThemeText(hTheme, hdc, iPartId, iStateId, pszText, cchText, dwTextFlags, dwTextFlags2, pRect); } HRESULT WINAPI PhDrawThemeTextExHook( _In_ HTHEME hTheme, _In_ HDC hdc, _In_ int iPartId, _In_ int iStateId, _In_ LPCWSTR pszText, _In_ int cchText, _In_ DWORD dwTextFlags, _Inout_ LPRECT pRect, _In_ const DTTOPTS* pOptions ) { if (iPartId == BP_COMMANDLINK) { WCHAR className[MAX_PATH]; if (PhGetThemeClass(hTheme, className, RTL_NUMBER_OF(className)) && PhEqualStringZ(className, VSCLASS_BUTTON, TRUE) /*|| WindowsVersion < WINDOWS_11 && WindowFromDC(hdc) == NULL*/) { DTTOPTS options = { sizeof(DTTOPTS) }; if (pOptions) options = *pOptions; options.dwFlags |= DTT_TEXTCOLOR; DefaultGetThemeColor(hTheme, iPartId, iStateId, TMT_TEXTCOLOR, &options.crText); options.crText = PhMakeColorBrighter(options.crText, 90); return DefaultDrawThemeTextEx(hTheme, hdc, iPartId, iStateId, pszText, cchText, dwTextFlags, pRect, &options); } } return DefaultDrawThemeTextEx(hTheme, hdc, iPartId, iStateId, pszText, cchText, dwTextFlags, pRect, pOptions); } int PhDetoursComCtl32DrawTextW( _In_ HDC hdc, _Inout_ LPCWSTR lpchText, _In_ int cchText, _Inout_ LPRECT lprc, _In_ UINT format ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static COLORREF colLinkNormal = RGB(0, 0 ,0); static COLORREF colLinkHot = RGB(0, 0, 0); static COLORREF colLinkPressed = RGB(0, 0, 0); HWND WindowHandle; if ((WindowHandle = WindowFromDC(hdc)) && (PhIsDarkModeAllowedForWindow(WindowHandle) || PhGetWindowContext(WindowHandle, TASKDIALOG_CONTEXT_TAG))) // HACK { WCHAR windowClassName[MAX_PATH]; GETCLASSNAME_OR_NULL(WindowHandle, windowClassName); if (PhEqualStringZ(windowClassName, WC_LINK, FALSE)) { if (PhBeginInitOnce(&initOnce)) { HTHEME hTextTheme = PhOpenThemeData(WindowHandle, VSCLASS_TEXTSTYLE, PhGetWindowDpi(WindowHandle)); if (hTextTheme) { PhGetThemeColor(hTextTheme, TEXT_HYPERLINKTEXT, TS_HYPERLINK_NORMAL, TMT_TEXTCOLOR, &colLinkNormal); PhGetThemeColor(hTextTheme, TEXT_HYPERLINKTEXT, TS_HYPERLINK_HOT, TMT_TEXTCOLOR, &colLinkHot); PhGetThemeColor(hTextTheme, TEXT_HYPERLINKTEXT, TS_HYPERLINK_PRESSED, TMT_TEXTCOLOR, &colLinkPressed); PhCloseThemeData(hTextTheme); } PhEndInitOnce(&initOnce); } COLORREF color = GetTextColor(hdc); if (color == colLinkNormal || color == colLinkHot || color == colLinkPressed || WindowsVersion < WINDOWS_11 && color == RGB(0x00, 0x66, 0xCC)) // on Windows 10 PhGetThemeColor returns 0xFFFFFF for any StateId { SetTextColor(hdc, PhMakeColorBrighter(color, 95)); } } } return DefaultComCtl32DrawTextW(hdc, lpchText, cchText, lprc, format); } HRESULT PhGetThemeColorHook( _In_ HTHEME hTheme, _In_ int iPartId, _In_ int iStateId, _In_ int iPropId, _Out_ COLORREF* pColor ) { WCHAR className[MAX_PATH]; HRESULT retVal = DefaultGetThemeColor(hTheme, iPartId, iStateId, iPropId, pColor); if (iPropId == TMT_TEXTCOLOR && iPartId == TDLG_MAININSTRUCTIONPANE) { if (PhGetThemeClass(hTheme, className, RTL_NUMBER_OF(className)) && PhEqualStringZ(className, VSCLASS_TASKDIALOGSTYLE, TRUE) /*|| WindowsVersion < WINDOWS_11*/) { *pColor = PhMakeColorBrighter(*pColor, 150); // Main header. } } else if (iPropId == TMT_TEXTCOLOR) { if (PhGetThemeClass(hTheme, className, RTL_NUMBER_OF(className)) && PhEqualStringZ(className, VSCLASS_TASKDIALOGSTYLE, TRUE) /*|| WindowsVersion < WINDOWS_11*/) { *pColor = PhThemeWindowTextColor; // Text color for check boxes, expanded text, and expander button text. } } return retVal; } HTHEME PhOpenNcThemeDataHook( _In_ HWND hwnd, _In_ LPCWSTR pszClassList ) { if (PhEqualStringZ((PWSTR)pszClassList, VSCLASS_SCROLLBAR, TRUE) && PhIsDarkModeAllowedForWindow(hwnd)) { return DefaultOpenNcThemeData(NULL, L"Explorer::ScrollBar"); } return DefaultOpenNcThemeData(hwnd, pszClassList); } _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhInitializeTaskDialogTheme( _In_ HWND WindowHandle, _In_opt_ PVOID CallbackData ) { WCHAR windowClassName[MAX_PATH]; PTASKDIALOG_COMMON_CONTEXT context; BOOLEAN windowHasContext = !!PhGetWindowContext(WindowHandle, TASKDIALOG_CONTEXT_TAG); if (CallbackData && !windowHasContext) { if (PhDefaultEnableStreamerMode) { SetWindowDisplayAffinity(WindowHandle, WDA_EXCLUDEFROMCAPTURE); } PhInitializeThemeWindowFrame(WindowHandle); PTASKDIALOG_WINDOW_CONTEXT context = PhAllocateZero(sizeof(TASKDIALOG_WINDOW_CONTEXT)); context->DefaultWindowProc = PhSetWindowProcedure(WindowHandle, ThemeTaskDialogMasterSubclass); context->CallbackData = CallbackData; PhSetWindowContext(WindowHandle, TASKDIALOG_CONTEXT_TAG, context); windowHasContext = TRUE; } PhEnumChildWindows( WindowHandle, PhInitializeTaskDialogTheme, NULL ); if (windowHasContext) // HACK return TRUE; GETCLASSNAME_OR_NULL(WindowHandle, windowClassName); context = PhAllocateZero(sizeof(TASKDIALOG_COMMON_CONTEXT)); context->DefaultWindowProc = PhSetWindowProcedure(WindowHandle, ThemeTaskDialogMasterSubclass); PhSetWindowContext(WindowHandle, TASKDIALOG_CONTEXT_TAG, context); if (PhEqualStringZ(windowClassName, WC_BUTTON, FALSE) || PhEqualStringZ(windowClassName, WC_SCROLLBAR, FALSE)) { PhSetControlTheme(WindowHandle, L"DarkMode_Explorer"); } //else if (PhEqualStringZ(windowClassName, WC_LINK, FALSE)) //{ // PhAllowDarkModeForWindow(WindowHandle); // this doesn't work, idk why //} else if (PhEqualStringZ(windowClassName, L"DirectUIHWND", FALSE)) { //WINDOWPLACEMENT pos = { 0 }; //GetWindowPlacement(GetParent(WindowHandle), &pos); PhSetControlTheme(WindowHandle, L"DarkMode_Explorer"); //SetWindowPlacement(GetParent(WindowHandle), &pos); } return TRUE; } LRESULT CALLBACK ThemeTaskDialogMasterSubclass( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LRESULT result; PTASKDIALOG_COMMON_CONTEXT context; WNDPROC OldWndProc; if (!(context = PhGetWindowContext(hwnd, TASKDIALOG_CONTEXT_TAG))) return 0; OldWndProc = context->DefaultWindowProc; switch (uMsg) { case WM_ERASEBKGND: { HDC hdc = (HDC)wParam; RECT rect; WCHAR windowClassName[MAX_PATH]; SetTextColor(hdc, PhThemeWindowTextColor); // Color for SysLink, which must be set in its parent. if (!context->Painting) { GETCLASSNAME_OR_NULL(hwnd, windowClassName); // Avoid erasing the background for links, as they will blink white on the extender and during page switches. if (!PhEqualStringZ(windowClassName, WC_LINK, FALSE)) { GetClipBox(hdc, &rect); SetDCBrushColor(hdc, PhThemeWindowBackground2Color); FillRect(hdc, &rect, PhGetStockBrush(DC_BRUSH)); } } } return TRUE; case WM_NOTIFY: { LPNMHDR data = (LPNMHDR)lParam; if (data->code == NM_CUSTOMDRAW) { LPNMCUSTOMDRAW customDraw = (LPNMCUSTOMDRAW)lParam; WCHAR className[MAX_PATH]; if (!GetClassName(customDraw->hdr.hwndFrom, className, RTL_NUMBER_OF(className))) className[0] = UNICODE_NULL; if (PhEqualStringZ(className, WC_BUTTON, FALSE)) { return PhThemeWindowDrawButton(customDraw); } } } break; case TDM_NAVIGATE_PAGE: { PTASKDIALOG_WINDOW_CONTEXT WindowContext = (PTASKDIALOG_WINDOW_CONTEXT)context; PTASKDIALOGCONFIG trueConfig = (PTASKDIALOGCONFIG)lParam; PTASKDIALOGCONFIG myConfig; TASKDIALOGCONFIG config = { sizeof(TASKDIALOGCONFIG) }; WindowContext->CallbackData->pfCallback = trueConfig ? trueConfig->pfCallback : NULL; WindowContext->CallbackData->lpCallbackData = trueConfig ? trueConfig->lpCallbackData : 0; myConfig = trueConfig ? trueConfig : &config; myConfig->pfCallback = ThemeTaskDialogCallbackHook; myConfig->lpCallbackData = (LONG_PTR)WindowContext->CallbackData; return CallWindowProc(OldWndProc, hwnd, uMsg, wParam, (LPARAM)myConfig); } case WM_DESTROY: { PhSetWindowProcedure(hwnd, OldWndProc); PhRemoveWindowContext(hwnd, TASKDIALOG_CONTEXT_TAG); PhFree(context); } return CallWindowProc(OldWndProc, hwnd, uMsg, wParam, lParam); case WM_CTLCOLORDLG: return (LRESULT)PhThemeWindowBackgroundBrush; // Window background color when the extender resizes upward (Windows 10 only). } context->Painting++; result = CallWindowProc(OldWndProc, hwnd, uMsg, wParam, lParam); context->Painting--; return result; } HRESULT CALLBACK ThemeTaskDialogCallbackHook( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { HRESULT result = S_OK; PTASKDIALOG_CALLBACK_WRAP CallbackData = (PTASKDIALOG_CALLBACK_WRAP)dwRefData; if (uMsg == TDN_DIALOG_CONSTRUCTED) // Called on each new page, including the first one. { PhInitializeTaskDialogTheme(hwndDlg, CallbackData); } if (CallbackData->pfCallback) result = CallbackData->pfCallback(hwndDlg, uMsg, wParam, lParam, CallbackData->lpCallbackData); return result; } // https://github.com/SFTRS/DarkTaskDialog HRESULT PhTaskDialogIndirectHook( _In_ const TASKDIALOGCONFIG* pTaskConfig, _Out_opt_ int* pnButton, _Out_opt_ int* pnRadioButton, _Out_opt_ BOOL* pfVerificationFlagChecked ) { TASKDIALOG_CALLBACK_WRAP CallbackData; CallbackData.pfCallback = pTaskConfig->pfCallback; CallbackData.lpCallbackData = pTaskConfig->lpCallbackData; TASKDIALOGCONFIG myConfig = *pTaskConfig; myConfig.pfCallback = ThemeTaskDialogCallbackHook; myConfig.lpCallbackData = (LONG_PTR)&CallbackData; return DefaultTaskDialogIndirect(&myConfig, pnButton, pnRadioButton, pfVerificationFlagChecked); } VOID PhRegisterDetoursHooks( VOID ) { NTSTATUS status; PVOID baseAddress; // For early TaskDialog with PhStartupParameters.ShowOptions if (!PhThemeWindowBackgroundBrush) { PhThemeWindowBackgroundBrush = CreateSolidBrush(PhThemeWindowBackgroundColor); } if (baseAddress = PhGetLoaderEntryDllBaseZ(L"user32.dll")) { DefaultCreateWindowEx = PhGetDllBaseProcedureAddress(baseAddress, "CreateWindowExW", 0); DefaultSystemParametersInfo = PhGetDllBaseProcedureAddress(baseAddress, "SystemParametersInfoW", 0); } if (baseAddress = PhGetLoaderEntryDllBaseZ(L"uxtheme.dll")) { DefaultDrawThemeBackground = PhGetDllBaseProcedureAddress(baseAddress, "DrawThemeBackground", 0); DefaultDrawThemeBackgroundEx = PhGetDllBaseProcedureAddress(baseAddress, "DrawThemeBackgroundEx", 0); DefaultDrawThemeText = PhGetDllBaseProcedureAddress(baseAddress, "DrawThemeText", 0); DefaultDrawThemeTextEx = PhGetDllBaseProcedureAddress(baseAddress, "DrawThemeTextEx", 0); DefaultGetThemeColor = PhGetDllBaseProcedureAddress(baseAddress, "GetThemeColor", 0); DefaultOpenNcThemeData = PhGetDllBaseProcedureAddress(baseAddress, NULL, 49); } if (baseAddress = PhGetLoaderEntryDllBaseZ(L"Comctl32.dll")) { if (WindowsVersion >= WINDOWS_11) // TaskDialog theme on Windows 10 currently unsupported... DefaultTaskDialogIndirect = PhGetDllBaseProcedureAddress(baseAddress, "TaskDialogIndirect", 0); PhLoaderEntryDetourImportProcedure(baseAddress, "User32.dll", "DrawTextW", PhDetoursComCtl32DrawTextW, (PVOID*)&DefaultComCtl32DrawTextW); } if (!NT_SUCCESS(status = DetourTransactionBegin())) goto CleanupExit; if (PhEnableThemeSupport || PhEnableThemeAcrylicSupport) { if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultDrawThemeBackground, (PVOID)PhDrawThemeBackgroundHook))) goto CleanupExit; if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultDrawThemeBackgroundEx, (PVOID)PhDrawThemeBackgroundExHook))) goto CleanupExit; if (!PhDefaultEnableThemeAnimation) { if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultSystemParametersInfo, (PVOID)PhSystemParametersInfoHook))) goto CleanupExit; } if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultDrawThemeText, (PVOID)PhDrawThemeTextHook))) goto CleanupExit; if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultDrawThemeTextEx, (PVOID)PhDrawThemeTextExHook))) goto CleanupExit; if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultGetThemeColor, (PVOID)PhGetThemeColorHook))) goto CleanupExit; if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultOpenNcThemeData, (PVOID)PhOpenNcThemeDataHook))) goto CleanupExit; if (WindowsVersion >= WINDOWS_11) if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultTaskDialogIndirect, (PVOID)PhTaskDialogIndirectHook))) goto CleanupExit; } if (!NT_SUCCESS(status = DetourAttach((PVOID)&DefaultCreateWindowEx, (PVOID)PhCreateWindowExHook))) goto CleanupExit; if (!NT_SUCCESS(status = DetourTransactionCommit())) goto CleanupExit; CleanupExit: if (!NT_SUCCESS(status)) { PhShowStatus(NULL, L"Unable to commit detours transaction.", status, 0); } } BOOLEAN PhIsThemeTransparencyEnabled( VOID ) { static CONST PH_STRINGREF themesKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"); BOOLEAN themesEnableTransparency = FALSE; HANDLE keyHandle; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_QUERY_VALUE, PH_KEY_CURRENT_USER, &themesKeyName, 0 ))) { themesEnableTransparency = !!PhQueryRegistryUlongZ(keyHandle, L"EnableTransparency"); NtClose(keyHandle); } return themesEnableTransparency; } VOID PhInitializeSuperclassControls( VOID ) { PhDefaultEnableStreamerMode = !!PhGetIntegerSetting(SETTING_ENABLE_STREAMER_MODE); if (PhEnableThemeAcrylicSupport && !PhEnableThemeSupport) PhEnableThemeAcrylicSupport = FALSE; if (PhEnableThemeAcrylicSupport) PhEnableThemeAcrylicSupport = PhIsThemeTransparencyEnabled(); if (PhEnableThemeSupport || PhDefaultEnableStreamerMode) { if (WindowsVersion >= WINDOWS_11) { PhDefaultEnableThemeAcrylicWindowSupport = !!PhGetIntegerSetting(SETTING_ENABLE_THEME_ACRYLIC_WINDOW_SUPPORT); } PhDefaultEnableThemeAnimation = !!PhGetIntegerSetting(SETTING_ENABLE_THEME_ANIMATION); PhRegisterDialogSuperClass(); PhRegisterMenuSuperClass(); PhRegisterRebarSuperClass(); PhRegisterComboBoxSuperClass(); PhRegisterStaticSuperClass(); PhRegisterStatusBarSuperClass(); PhRegisterEditSuperClass(); PhRegisterHeaderSuperClass(); PhRegisterDetoursHooks(); } } ================================================ FILE: SystemInformer/delayload.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2021-2023 * */ #include #include // CRT delayload support // The msvc delayload handler throws exceptions when // imports are unavailable instead of returning NULL (dmex) #ifndef PH_NATIVE_DELAYLOAD PH_QUEUED_LOCK PhDelayLoadImportLock = PH_QUEUED_LOCK_INIT; ULONG PhDelayLoadOldProtection = PAGE_WRITECOPY; ULONG PhDelayLoadLockCount = 0; // based on \MSVC\14.31.31103\include\dloadsup.h (dmex) VOID PhDelayLoadImportAcquire( _In_ PVOID ImportDirectorySectionAddress, _In_ SIZE_T ImportDirectorySectionSize ) { PhAcquireQueuedLockExclusive(&PhDelayLoadImportLock); PhDelayLoadLockCount += 1; if (PhDelayLoadLockCount == 1) { NTSTATUS status; if (!NT_SUCCESS(status = PhProtectVirtualMemory( NtCurrentProcess(), ImportDirectorySectionAddress, ImportDirectorySectionSize, PAGE_READWRITE, &PhDelayLoadOldProtection ))) { PhRaiseStatus(status); } } PhReleaseQueuedLockExclusive(&PhDelayLoadImportLock); } VOID PhDelayLoadImportRelease( _In_ PVOID ImportDirectorySectionAddress, _In_ SIZE_T ImportDirectorySectionSize ) { PhAcquireQueuedLockExclusive(&PhDelayLoadImportLock); PhDelayLoadLockCount -= 1; if (PhDelayLoadLockCount == 0) { ULONG importSectionOldProtection; PhProtectVirtualMemory( NtCurrentProcess(), ImportDirectorySectionAddress, ImportDirectorySectionSize, PhDelayLoadOldProtection, &importSectionOldProtection ); #ifdef _M_ARM64 NtFlushInstructionCache( NtCurrentProcess(), ImportDirectorySectionAddress, ImportDirectorySectionSize ); #endif } PhReleaseQueuedLockExclusive(&PhDelayLoadImportLock); } #endif PVOID WINAPI __delayLoadHelper2( _In_ PIMAGE_DELAYLOAD_DESCRIPTOR DelayloadDescriptor, _In_ PIMAGE_THUNK_DATA ThunkAddress ) { #if !defined(PH_NATIVE_DELAYLOAD) BOOLEAN importNeedsFree = FALSE; PCSTR importDllName; PVOID procedureAddress; PVOID moduleHandle; PVOID* importHandle; PIMAGE_THUNK_DATA importEntry; PIMAGE_THUNK_DATA importTable; PIMAGE_THUNK_DATA importNameTable; PIMAGE_NT_HEADERS imageNtHeaders; SIZE_T importDirectorySectionSize; PVOID importDirectorySectionAddress; importDllName = PTR_ADD_OFFSET(NtCurrentImageBase(), DelayloadDescriptor->DllNameRVA); importHandle = PTR_ADD_OFFSET(NtCurrentImageBase(), DelayloadDescriptor->ModuleHandleRVA); importTable = PTR_ADD_OFFSET(NtCurrentImageBase(), DelayloadDescriptor->ImportAddressTableRVA); importNameTable = PTR_ADD_OFFSET(NtCurrentImageBase(), DelayloadDescriptor->ImportNameTableRVA); if (!(moduleHandle = InterlockedCompareExchangePointer(importHandle, NULL, NULL))) { WCHAR importDllNameBuffer[DOS_MAX_PATH_LENGTH] = L""; PhZeroExtendToUtf16Buffer(importDllName, strlen(importDllName), importDllNameBuffer); if (!(moduleHandle = PhLoadLibrary(importDllNameBuffer))) { return NULL; } importNeedsFree = TRUE; } importEntry = PTR_ADD_OFFSET(importNameTable, PTR_SUB_OFFSET(ThunkAddress, importTable)); if (IMAGE_SNAP_BY_ORDINAL(importEntry->u1.Ordinal)) { USHORT procedureOrdinal = IMAGE_ORDINAL(importEntry->u1.Ordinal); procedureAddress = PhGetDllBaseProcedureAddress(moduleHandle, NULL, procedureOrdinal); } else { PIMAGE_IMPORT_BY_NAME importByName = PTR_ADD_OFFSET(NtCurrentImageBase(), importEntry->u1.AddressOfData); procedureAddress = PhGetDllBaseProcedureAddressWithHint(moduleHandle, importByName->Name, importByName->Hint); } if (!procedureAddress) return NULL; if (!NT_SUCCESS(PhGetLoaderEntryImageNtHeaders( NtCurrentImageBase(), &imageNtHeaders ))) { return NULL; } if (!NT_SUCCESS(PhGetLoaderEntryImageVaToSection( NtCurrentImageBase(), imageNtHeaders, importTable, &importDirectorySectionAddress, &importDirectorySectionSize ))) { return NULL; } PhDelayLoadImportAcquire(importDirectorySectionAddress, importDirectorySectionSize); InterlockedExchangePointer((PVOID)ThunkAddress, procedureAddress); PhDelayLoadImportRelease(importDirectorySectionAddress, importDirectorySectionSize); if ((InterlockedExchangePointer(importHandle, moduleHandle) == moduleHandle) && importNeedsFree) { PhFreeLibrary(moduleHandle); // already updated the cache (dmex) } return procedureAddress; #else static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID (WINAPI* DelayLoadFailureHook)( _In_ PCSTR DllName, _In_ PCSTR ProcName ) = NULL; if (PhBeginInitOnce(&initOnce)) { DelayLoadFailureHook = PhGetModuleProcAddress(L"kernel32.dll", "DelayLoadFailureHook"); // kernelbase.dll PhEndInitOnce(&initOnce); } return LdrResolveDelayLoadedAPI( NtCurrentImageBase(), DelayloadDescriptor, NULL, DelayLoadFailureHook, ThunkAddress, 0 ); #endif } ================================================ FILE: SystemInformer/devprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2023 * */ #include #include #include #include #include #include DEFINE_GUID(GUID_DEVINTERFACE_A2DP_SIDEBAND_AUDIO, 0xf3b1362f, 0xc9f4, 0x4dd1, 0x9d, 0x55, 0xe0, 0x20, 0x38, 0xa1, 0x29, 0xfb); DEFINE_GUID(GUID_DEVINTERFACE_BLUETOOTH_HFP_SCO_HCIBYPASS, 0xbe446647, 0xf655, 0x4919, 0x8b, 0xd0, 0x12, 0x5b, 0xa5, 0xd4, 0xce, 0x65); DEFINE_GUID(GUID_DEVINTERFACE_CHARGING_ARBITRATION, 0xec0a1cc9, 0x4294, 0x43fb, 0xbf, 0x37, 0xb8, 0x50, 0xce, 0x95, 0xf3, 0x37); DEFINE_GUID(GUID_DEVINTERFACE_CONFIGURABLE_USBFN_CHARGER, 0x7158c35c, 0xc1bc, 0x4d90, 0xac, 0xb1, 0x80, 0x20, 0xbd, 0xe, 0x19, 0xca); DEFINE_GUID(GUID_DEVINTERFACE_CONFIGURABLE_WIRELESS_CHARGER, 0x3612b1c8, 0x3633, 0x47d3, 0x8a, 0xf5, 0x0, 0xa4, 0xdf, 0xa0, 0x47, 0x93); DEFINE_GUID(GUID_DEVINTERFACE_I2C, 0x2564AA4F, 0xDDDB, 0x4495, 0xB4, 0x97, 0x6A, 0xD4, 0xA8, 0x41, 0x63, 0xD7); DEFINE_GUID(GUID_DEVINTERFACE_OPM, 0xBF4672DE, 0x6B4E, 0x4BE4, 0xA3, 0x25, 0x68, 0xA9, 0x1E, 0xA4, 0x9C, 0x09); DEFINE_GUID(GUID_DEVINTERFACE_OPM_2_JTP, 0xE929EEA4, 0xB9F1, 0x407B, 0xAA, 0xB9, 0xAB, 0x08, 0xBB, 0x44, 0xFB, 0xF4); DEFINE_GUID(GUID_DEVINTERFACE_OPM_2, 0x7F098726, 0x2EBB, 0x4FF3, 0xA2, 0x7F, 0x10, 0x46, 0xB9, 0x5D, 0xC5, 0x17); DEFINE_GUID(GUID_DEVINTERFACE_OPM_3, 0x693a2cb1, 0x8c8d, 0x4ab6, 0x95, 0x55, 0x4b, 0x85, 0xef, 0x2c, 0x7c, 0x6b); DEFINE_GUID(GUID_DEVINTERFACE_BRIGHTNESS, 0xFDE5BBA4, 0xB3F9, 0x46FB, 0xBD, 0xAA, 0x07, 0x28, 0xCE, 0x31, 0x00, 0xB4); DEFINE_GUID(GUID_DEVINTERFACE_BRIGHTNESS_2, 0x148A3C98, 0x0ECD, 0x465A, 0xB6, 0x34, 0xB0, 0x5F, 0x19, 0x5F, 0x77, 0x39); DEFINE_GUID(GUID_DEVINTERFACE_MIRACAST_DISPLAY, 0xaf03f190, 0x22af, 0x48cb, 0x94, 0xbb, 0xb7, 0x8e, 0x76, 0xa2, 0x51, 0x7); DEFINE_GUID(GUID_DEVINTERFACE_BRIGHTNESS_3, 0x197a4a6e, 0x391, 0x4322, 0x96, 0xea, 0xc2, 0x76, 0xf, 0x88, 0x1d, 0x3a); DEFINE_GUID(GUID_DEVINTERFACE_HPMI, 0xdedae202, 0x1d20, 0x4c40, 0xa6, 0xf3, 0x18, 0x97, 0xe3, 0x19, 0xd5, 0x4f); DEFINE_GUID(GUID_DEVINTERFACE_VIRTUALIZABLE_DEVICE, 0xa13a7a93, 0x11f0, 0x4bd2, 0xa9, 0xf5, 0x6b, 0x5c, 0x5b, 0x88, 0x52, 0x7d); DEFINE_GUID(GUID_DEVINTERFACE_EMMC_PARTITION_ACCESS_RPMB, 0x27447c21L, 0xbcc3, 0x4d07, 0xa0, 0x5b, 0xa3, 0x39, 0x5b, 0xb4, 0xee, 0xe7); DEFINE_GUID(GUID_DEVINTERFACE_EMMC_PARTITION_ACCESS_GPP, 0x2e0e2e39L, 0x1f19, 0x4595, 0xa9, 0x06, 0x88, 0x78, 0x82, 0xe7, 0x39, 0x03); DEFINE_GUID(GUID_DEVINTERFACE_USB_SIDEBAND_AUDIO_HS_HCIBYPASS, 0x2baa4b5, 0x33b5, 0x4d97, 0xae, 0x4f, 0xe8, 0x6d, 0xde, 0x17, 0x53, 0x6f); DEFINE_GUID(GUID_BUS_VPCI, 0xc066f39a, 0xde00, 0x4667, 0x89, 0x41, 0x33, 0x68, 0xed, 0x5d, 0x83, 0xb5); DEFINE_GUID(GUID_VPCI_INTERFACE_STANDARD, 0x12e65e71, 0xb651, 0x4067, 0x83, 0x1a, 0x13, 0x83, 0x20, 0x3c, 0xb0, 0xcb); DEFINE_GUID(GUID_DEVINTERFACE_VPCI, 0x57863182, 0xc948, 0x4692, 0x97, 0xe3, 0x34, 0xb5, 0x76, 0x62, 0xa3, 0xe0); DEFINE_GUID(GUID_DEVINTERFACE_WWAN_CONTROLLER, 0x669159fd, 0xe3c0, 0x45cb, 0xbc, 0x5f, 0x95, 0x99, 0x5b, 0xcd, 0x6, 0xcd); DEFINE_GUID(GUID_DEVINTERFACE_WDDM3_ON_VB, 0xe922004d, 0xeb9c, 0x4de1, 0x92, 0x24, 0xa9, 0xce, 0xaa, 0x95, 0x9b, 0xce); DEFINE_GUID(GUID_DEVINTERFACE_GRAPHICSPOWER, 0xea5c6870, 0xe93c, 0x4588, 0xbe, 0xf1, 0xfe, 0xc4, 0x2f, 0xc9, 0x42, 0x9a); DEFINE_GUID(GUID_DEVINTERFACE_GNSS, 0x3336e5e4, 0x18a, 0x4669, 0x84, 0xc5, 0xbd, 0x5, 0xf3, 0xbd, 0x36, 0x8b); DEFINE_GUID(GUID_DEVINTERFACE_HID, 0x4D1E55B2L, 0xF16F, 0x11CF, 0x88, 0xCB, 0x00, 0x11, 0x11, 0x00, 0x00, 0x30); DEFINE_GUID(GUID_DEVINTERFACE_LAMP, 0x6c11e9e3, 0x8238, 0x4f0a, 0x0a, 0x19, 0xaa, 0xec, 0x26, 0xca, 0x5e, 0x98); DEFINE_GUID(GUID_DEVINTERFACE_NFCDTA, 0x7fd3f30b, 0x5e49, 0x4be1, 0xb3, 0xaa, 0xaf, 0x06, 0x26, 0x0d, 0x23, 0x6a); DEFINE_GUID(GUID_DEVINTERFACE_NFCSE, 0x8dc7c854, 0xf5e5, 0x4bed, 0x81, 0x5d, 0xc, 0x85, 0xad, 0x4, 0x77, 0x25); DEFINE_GUID(GUID_DEVINTERFACE_NFP, 0xFB3842CD, 0x9E2A, 0x4F83, 0x8F, 0xCC, 0x4B, 0x07, 0x61, 0x13, 0x9A, 0xE9); DEFINE_GUID(GUID_DEVINTERFACE_KEYBOARD, 0x884b96c3, 0x56ef, 0x11d1, 0xbc, 0x8c, 0x00, 0xa0, 0xc9, 0x14, 0x05, 0xdd); DEFINE_GUID(GUID_DEVINTERFACE_MODEM, 0x2c7089aa, 0x2e0e, 0x11d1, 0xb1, 0x14, 0x00, 0xc0, 0x4f, 0xc2, 0xaa, 0xe4); DEFINE_GUID(GUID_DEVINTERFACE_MOUSE, 0x378de44c, 0x56ef, 0x11d1, 0xbc, 0x8c, 0x00, 0xa0, 0xc9, 0x14, 0x05, 0xdd ); DEFINE_GUID(GUID_DEVINTERFACE_PARALLEL, 0x97F76EF0, 0xF883, 0x11D0, 0xAF, 0x1F, 0x00, 0x00, 0xF8, 0x00, 0x84, 0x5C); DEFINE_GUID(GUID_DEVINTERFACE_PARCLASS, 0x811FC6A5, 0xF728, 0x11D0, 0xA5, 0x37, 0x00, 0x00, 0xF8, 0x75, 0x3E, 0xD1); DEFINE_GUID(GUID_PARALLEL_DEVICE, 0x97F76EF0, 0xF883, 0x11D0, 0xAF, 0x1F, 0x00, 0x00, 0xF8, 0x00, 0x84, 0x5C); DEFINE_GUID(GUID_PARCLASS_DEVICE, 0x811FC6A5, 0xF728, 0x11D0, 0xA5, 0x37, 0x00, 0x00, 0xF8, 0x75, 0x3E, 0xD1); DEFINE_GUID(GUID_DEVINTERFACE_DISPLAY_ADAPTER, 0x5b45201d, 0xf2f2, 0x4f3b, 0x85, 0xbb, 0x30, 0xff, 0x1f, 0x95, 0x35, 0x99); DEFINE_GUID(GUID_DEVINTERFACE_MONITOR, 0xe6f07b5f, 0xee97, 0x4a90, 0xb0, 0x76, 0x33, 0xf5, 0x7b, 0xf4, 0xea, 0xa7); DEFINE_GUID(GUID_DEVICE_BATTERY, 0x72631e54L, 0x78A4, 0x11d0, 0xbc, 0xf7, 0x00, 0xaa, 0x00, 0xb7, 0xb3, 0x2a); DEFINE_GUID(GUID_DEVICE_APPLICATIONLAUNCH_BUTTON, 0x629758eel, 0x986e, 0x4d9e, 0x8e, 0x47, 0xde, 0x27, 0xf8, 0xab, 0x05, 0x4d); DEFINE_GUID(GUID_DEVICE_SYS_BUTTON, 0x4AFA3D53L, 0x74A7, 0x11d0, 0xbe, 0x5e, 0x00, 0xA0, 0xC9, 0x06, 0x28, 0x57); DEFINE_GUID(GUID_DEVICE_LID, 0x4AFA3D52L, 0x74A7, 0x11d0, 0xbe, 0x5e, 0x00, 0xA0, 0xC9, 0x06, 0x28, 0x57); DEFINE_GUID(GUID_DEVICE_THERMAL_ZONE, 0x4AFA3D51L, 0x74A7, 0x11d0, 0xbe, 0x5e, 0x00, 0xA0, 0xC9, 0x06, 0x28, 0x57); DEFINE_GUID(GUID_DEVICE_FAN, 0x05ecd13dL, 0x81da, 0x4a2a, 0x8a, 0x4c, 0x52, 0x4f, 0x23, 0xdd, 0x4d, 0xc9); DEFINE_GUID(GUID_DEVICE_PROCESSOR, 0x97fadb10L, 0x4e33, 0x40ae, 0x35, 0x9c, 0x8b, 0xef, 0x02, 0x9d, 0xbd, 0xd0); DEFINE_GUID(GUID_DEVICE_MEMORY, 0x3fd0f03dL, 0x92e0, 0x45fb, 0xb7, 0x5c, 0x5e, 0xd8, 0xff, 0xb0, 0x10, 0x21); DEFINE_GUID(GUID_DEVICE_ACPI_TIME, 0x97f99bf6L, 0x4497, 0x4f18, 0xbb, 0x22, 0x4b, 0x9f, 0xb2, 0xfb, 0xef, 0x9c); DEFINE_GUID(GUID_DEVICE_MESSAGE_INDICATOR, 0XCD48A365L, 0xfa94, 0x4ce2, 0xa2, 0x32, 0xa1, 0xb7, 0x64, 0xe5, 0xd8, 0xb4); DEFINE_GUID(GUID_CLASS_INPUT, 0x4D1E55B2L, 0xF16F, 0x11CF, 0x88, 0xCB, 0x00, 0x11, 0x11, 0x00, 0x00, 0x30); DEFINE_GUID(GUID_DEVINTERFACE_THERMAL_COOLING, 0xdbe4373d, 0x3c81, 0x40cb, 0xac, 0xe4, 0xe0, 0xe5, 0xd0, 0x5f, 0xc, 0x9f); DEFINE_GUID(GUID_DEVINTERFACE_THERMAL_MANAGER, 0x927ec093, 0x69a4, 0x4bc0, 0xbd, 0x2, 0x71, 0x16, 0x64, 0x71, 0x44, 0x63); DEFINE_GUID(GUID_DEVINTERFACE_PWM_CONTROLLER, 0x60824b4c, 0xeed1, 0x4c9c, 0xb4, 0x9c, 0x1b, 0x96, 0x14, 0x61, 0xa8, 0x19); DEFINE_GUID(GUID_DEVINTERFACE_USBPRINT, 0x28d78fad, 0x5a12, 0x11d1, 0xae, 0x5b, 0x0, 0x0, 0xf8, 0x3, 0xa8, 0xc2); DEFINE_GUID(GUID_DEVINTERFACE_IPPUSB_PRINT, 0xf2f40381, 0xf46d, 0x4e51, 0xbc, 0xe7, 0x62, 0xde, 0x6c, 0xf2, 0xd0, 0x98); DEFINE_GUID(GUID_DEVINTERFACE_VM_GENCOUNTER, 0x3ff2c92b, 0x6598, 0x4e60, 0x8e, 0x1c, 0x0c, 0xcf, 0x49, 0x27, 0xe3, 0x19); DEFINE_GUID(GUID_DEVINTERFACE_BIOMETRIC_READER, 0xe2b5183a, 0x99ea, 0x4cc3, 0xad, 0x6b, 0x80, 0xca, 0x8d, 0x71, 0x5b, 0x80); DEFINE_GUID(GUID_DEVINTERFACE_SMARTCARD_READER, 0x50DD5230, 0xBA8A, 0x11D1, 0xBF, 0x5D, 0x00, 0x00, 0xF8, 0x05, 0xF5, 0x30); DEFINE_GUID(GUID_DEVINTERFACE_DMR, 0xD0875FB4, 0x2196, 0x4c7a, 0xA6, 0x3D, 0xE4, 0x16, 0xAD, 0xDD, 0x60, 0xA1); DEFINE_GUID(GUID_DEVINTERFACE_DMP, 0x25B4E268, 0x2A05, 0x496e, 0x80, 0x3B, 0x26, 0x68, 0x37, 0xFB, 0xDA, 0x4B); DEFINE_GUID(GUID_DEVINTERFACE_DMS, 0xC96037AE, 0xA558, 0x4470, 0xB4, 0x32, 0x11, 0x5A, 0x31, 0xB8, 0x55, 0x53); DEFINE_GUID(GUID_DEVINTERFACE_ENHANCED_STORAGE_SILO, 0x3897f6a4, 0xfd35, 0x4bc8, 0xa0, 0xb7, 0x5d, 0xbb, 0xa3, 0x6a, 0xda, 0xfa); DEFINE_GUID(GUID_DEVINTERFACE_WPD, 0x6AC27878, 0xA6FA, 0x4155, 0xBA, 0x85, 0xF9, 0x8F, 0x49, 0x1D, 0x4F, 0x33); DEFINE_GUID(GUID_DEVINTERFACE_WPD_PRIVATE, 0xBA0C718F, 0x4DED, 0x49B7, 0xBD, 0xD3, 0xFA, 0xBE, 0x28, 0x66, 0x12, 0x11); DEFINE_GUID(GUID_DEVINTERFACE_WPD_SERVICE, 0x9EF44F80, 0x3D64, 0x4246, 0xA6, 0xAA, 0x20, 0x6F, 0x32, 0x8D, 0x1E, 0xDC); DEFINE_GUID(GUID_DEVINTERFACE_SENSOR, 0XBA1BB692, 0X9B7A, 0X4833, 0X9A, 0X1E, 0X52, 0X5E, 0XD1, 0X34, 0XE7, 0XE2); DEFINE_GUID(GUID_DEVINTERFACE_IMAGE, 0x6bdd1fc6L, 0x810f, 0x11d0, 0xbe, 0xc7, 0x08, 0x00, 0x2b, 0xe2, 0x09, 0x2f); DEFINE_GUID(GUID_DEVINTERFACE_SIDESHOW, 0x152e5811, 0xfeb9, 0x4b00, 0x90, 0xf4, 0xd3, 0x29, 0x47, 0xae, 0x16, 0x81); DEFINE_GUID(GUID_DEVINTERFACE_WIFIDIRECT_DEVICE, 0x439b20af, 0x8955, 0x405b, 0x99, 0xf0, 0xa6, 0x2a, 0xf0, 0xc6, 0x8d, 0x43); DEFINE_GUID(GUID_AEPSERVICE_WIFIDIRECT_DEVICE, 0xcc29827c, 0x9caf, 0x4928, 0x99, 0xa9, 0x18, 0xf7, 0xc2, 0x38, 0x13, 0x89); DEFINE_GUID(GUID_DEVINTERFACE_ASP_INFRA_DEVICE, 0xff823995, 0x7a72, 0x4c80, 0x87, 0x57, 0xc6, 0x7e, 0xe1, 0x3d, 0x1a, 0x49); DEFINE_GUID(GUID_DXGKDDI_MITIGABLE_DEVICE_INTERFACE, 0x1387f270, 0x121a, 0x4a4a, 0xb2, 0x5e, 0x3b, 0x15, 0x89, 0x97, 0x6c, 0x61); DEFINE_GUID(GUID_DXGKDDI_FLEXIOV_DEVICE_INTERFACE, 0x7b73a997, 0x48e8, 0x4cab, 0x9f, 0xab, 0xe0, 0x77, 0x4b, 0x44, 0xf5, 0x99); DEFINE_GUID(GUID_SRIOV_DEVICE_INTERFACE_STANDARD, 0x937ee9b6, 0xed3, 0x411c, 0x98, 0x2b, 0x1f, 0x56, 0x4a, 0xfb, 0xab, 0xd3); DEFINE_GUID(GUID_MITIGABLE_DEVICE_INTERFACE, 0xadfd9567, 0x4245, 0x497e, 0x85, 0x72, 0x78, 0xd4, 0x5c, 0x16, 0x22, 0xb8); DEFINE_GUID(GUID_IO_VOLUME_DEVICE_INTERFACE, 0x53f5630d, 0xb6bf, 0x11d0, 0x94, 0xf2, 0x00, 0xa0, 0xc9, 0x1e, 0xfb, 0x8b); DEFINE_GUID(GUID_NFC_RADIO_MEDIA_DEVICE_INTERFACE, 0x4d51e930, 0x750d, 0x4a36, 0xa9, 0xf7, 0x91, 0xdc, 0x54, 0x0f, 0xcd, 0x30); DEFINE_GUID(GUID_NFCSE_RADIO_MEDIA_DEVICE_INTERFACE, 0xef8ba08f, 0x148d, 0x4116, 0x83, 0xef, 0xa2, 0x67, 0x9d, 0xfc, 0x3f, 0xa5); DEFINE_GUID(GUID_BLUETOOTHLE_DEVICE_INTERFACE, 0x781aee18, 0x7733, 0x4ce4, 0xad, 0xd0, 0x91, 0xf4, 0x1c, 0x67, 0xb5, 0x92); DEFINE_GUID(GUID_BLUETOOTH_GATT_SERVICE_DEVICE_INTERFACE, 0x6e3bb679, 0x4372, 0x40c8, 0x9e, 0xaa, 0x45, 0x09, 0xdf, 0x26, 0x0c, 0xd8); DEFINE_GUID(GUID_BUS_TYPE_TREE, 0x4E815EE1, 0x20F8, 0x41EF, 0x8C, 0xFF, 0x3C, 0x28, 0x3F, 0x02, 0xD7, 0x22); DEFINE_GUID(GUID_TREE_TPM_SERVICE_FDTPM, 0x36deaa79, 0xc5dd, 0x447c, 0x95, 0xe6, 0xb3, 0x85, 0x95, 0x89, 0x29, 0x1a); DEFINE_GUID(GUID_TREE_TPM_SERVICE_STPM, 0x1F75CF6D, 0xF709, 0x4C0C, 0x8B, 0xCB, 0x0C, 0xDC, 0xA1, 0x28, 0x9D, 0xDD); DEFINE_GUID(GUID_DISPLAY_DEVICE_ARRIVAL, 0x1CA05180, 0xA699, 0x450A, 0x9A, 0x0C, 0xDE, 0x4F, 0xBE, 0x3D, 0xDD, 0x89); DEFINE_GUID(GUID_COMPUTE_DEVICE_ARRIVAL, 0x1024e4c9, 0x47c9, 0x48d3, 0xb4, 0xa8, 0xf9, 0xdf, 0x78, 0x52, 0x3b, 0x53); DEFINE_DEVPROPKEY(DEVPKEY_Gpu_Luid, 0x60b193cb, 0x5276, 0x4d0f, 0x96, 0xfc, 0xf1, 0x73, 0xab, 0xad, 0x3e, 0xc6, 2); // DEVPROP_TYPE_UINT64 DEFINE_DEVPROPKEY(DEVPKEY_Gpu_PhysicalAdapterIndex, 0x60b193cb, 0x5276, 0x4d0f, 0x96, 0xfc, 0xf1, 0x73, 0xab, 0xad, 0x3e, 0xc6, 3); // DEVPROP_TYPE_UINT32 #include #include #include #include #include #include #include #pragma push_macro("DEFINE_GUID") #undef DEFINE_GUID #include #include #pragma pop_macro("DEFINE_GUID") static CONST PH_STRINGREF RootInstanceId = PH_STRINGREF_INIT(L"HTREE\\ROOT\\0"); static ULONG RootInstanceIdHash = 2387464428; // PhHashStringRefEx(TRUE, PH_STRING_HASH_X65599); PPH_OBJECT_TYPE PhDeviceTreeType = NULL; PPH_OBJECT_TYPE PhDeviceItemType = NULL; PPH_OBJECT_TYPE PhDeviceNotifyType = NULL; static PPH_OBJECT_TYPE PhpDeviceInfoType = NULL; static PH_FAST_LOCK PhpDeviceTreeLock = PH_FAST_LOCK_INIT; static PPH_DEVICE_TREE PhpDeviceTree = NULL; static HCMNOTIFICATION PhpDeviceNotification = NULL; static HCMNOTIFICATION PhpDeviceInterfaceNotification = NULL; static PH_CALLBACK_REGISTRATION ServiceProviderUpdatedRegistration; static SLIST_HEADER PhDeviceNotifyListHead; static PH_FREE_LIST PhDeviceNotifyFreeList; #if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) // Note: This propkey is required for building with 22H1 and older Windows SDK (dmex) DEFINE_DEVPROPKEY(DEVPKEY_Device_FirmwareVendor, 0x540b947e, 0x8b40, 0x45bc, 0xa8, 0xa2, 0x6a, 0x0b, 0x89, 0x4c, 0xbd, 0xa2, 26); // DEVPROP_TYPE_STRING #endif #define DEVPROP_FILL_FLAG_CLASS 0x00000001 _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) typedef VOID NTAPI PH_DEVICE_PROPERTY_FILL_CALLBACK( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ); typedef PH_DEVICE_PROPERTY_FILL_CALLBACK* PPH_DEVICE_PROPERTY_FILL_CALLBACK; typedef struct _PH_DEVICE_PROPERTY_TABLE_ENTRY { PH_DEVICE_PROPERTY_CLASS PropClass; const DEVPROPKEY* PropKey; PPH_DEVICE_PROPERTY_FILL_CALLBACK Callback; ULONG CallbackFlags; } PH_DEVICE_PROPERTY_TABLE_ENTRY, *PPH_DEVICE_PROPERTY_TABLE_ENTRY; BOOLEAN PhpGetDevicePropertyGuid( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PGUID Guid ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(GUID); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)Guid, sizeof(GUID), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_GUID)) { return TRUE; } RtlZeroMemory(Guid, sizeof(GUID)); return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyGuid( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PGUID Guid ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(GUID); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)Guid, sizeof(GUID), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_GUID)) { return TRUE; } RtlZeroMemory(Guid, sizeof(GUID)); return FALSE; } BOOLEAN PhpGetClassPropertyGuid( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PGUID Guid ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(GUID); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)Guid, sizeof(GUID), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_GUID)) { return TRUE; } RtlZeroMemory(Guid, sizeof(GUID)); return FALSE; } BOOLEAN PhpGetDevicePropertyUInt64( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PULONG64 Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(ULONG64); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(ULONG64), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_UINT64)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyUInt64( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PULONG64 Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(ULONG64); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(ULONG64), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_UINT64)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetClassPropertyUInt64( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PULONG64 Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(ULONG64); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(ULONG64), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_UINT64)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDevicePropertyInt64( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PLONG64 Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(LONG64); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(LONG64), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_INT64)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyInt64( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PLONG64 Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(LONG64); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(LONG64), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_INT64)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetClassPropertyInt64( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PLONG64 Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(LONG64); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(LONG64), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_INT64)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDevicePropertyUInt32( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PULONG Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(ULONG); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(ULONG), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_UINT32)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyUInt32( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PULONG Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(ULONG); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(ULONG), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_UINT32)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetClassPropertyUInt32( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PULONG Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(ULONG); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(ULONG), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_UINT32)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDevicePropertyInt32( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PLONG Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(LONG); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(LONG), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_INT32)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyInt32( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PLONG Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(LONG); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(LONG), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_INT32)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetClassPropertyInt32( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PLONG Value ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(LONG); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)Value, sizeof(LONG), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_INT32)) { return TRUE; } *Value = 0; return FALSE; } BOOLEAN PhpGetDevicePropertyNTSTATUS( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PNTSTATUS Status ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(NTSTATUS); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)Status, sizeof(NTSTATUS), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_NTSTATUS)) { return TRUE; } *Status = 0; return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyNTSTATUS( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PNTSTATUS Status ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(NTSTATUS); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)Status, sizeof(NTSTATUS), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_NTSTATUS)) { return TRUE; } *Status = 0; return FALSE; } BOOLEAN PhpGetClassPropertyNTSTATUS( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PNTSTATUS Status ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = sizeof(NTSTATUS); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)Status, sizeof(NTSTATUS), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_NTSTATUS)) { return TRUE; } *Status = 0; return FALSE; } BOOLEAN PhpGetDevicePropertyBoolean( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PBOOLEAN Boolean ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; DEVPROP_BOOLEAN boolean; ULONG requiredLength = sizeof(DEVPROP_BOOLEAN); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)&boolean, sizeof(DEVPROP_BOOLEAN), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_BOOLEAN)) { *Boolean = boolean == DEVPROP_TRUE; return TRUE; } *Boolean = FALSE; return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyBoolean( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PBOOLEAN Boolean ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; DEVPROP_BOOLEAN boolean; ULONG requiredLength = sizeof(DEVPROP_BOOLEAN); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)&boolean, sizeof(DEVPROP_BOOLEAN), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_BOOLEAN)) { *Boolean = boolean == DEVPROP_TRUE; return TRUE; } *Boolean = FALSE; return FALSE; } BOOLEAN PhpGetClassPropertyBoolean( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PBOOLEAN Boolean ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; DEVPROP_BOOLEAN boolean; ULONG requiredLength = sizeof(DEVPROP_BOOLEAN); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)&boolean, sizeof(DEVPROP_BOOLEAN), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_BOOLEAN)) { *Boolean = boolean == DEVPROP_TRUE; return TRUE; } *Boolean = FALSE; return FALSE; } BOOLEAN PhpGetDevicePropertyTimeStamp( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PLARGE_INTEGER TimeStamp ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; FILETIME fileTime; ULONG requiredLength = sizeof(FILETIME); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)&fileTime, sizeof(FILETIME), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_FILETIME)) { TimeStamp->HighPart = fileTime.dwHighDateTime; TimeStamp->LowPart = fileTime.dwLowDateTime; return TRUE; } TimeStamp->QuadPart = 0; return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyTimeStamp( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PLARGE_INTEGER TimeStamp ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; FILETIME fileTime; ULONG requiredLength = sizeof(FILETIME); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)&fileTime, sizeof(FILETIME), &requiredLength, 0 ); if (result && (devicePropertyType == DEVPROP_TYPE_FILETIME)) { TimeStamp->HighPart = fileTime.dwHighDateTime; TimeStamp->LowPart = fileTime.dwLowDateTime; return TRUE; } TimeStamp->QuadPart = 0; return FALSE; } BOOLEAN PhpGetClassPropertyTimeStamp( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PLARGE_INTEGER TimeStamp ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; FILETIME fileTime; ULONG requiredLength = sizeof(FILETIME); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)&fileTime, sizeof(FILETIME), &requiredLength, Flags ); if (result && (devicePropertyType == DEVPROP_TYPE_FILETIME)) { TimeStamp->HighPart = fileTime.dwHighDateTime; TimeStamp->LowPart = fileTime.dwLowDateTime; return TRUE; } TimeStamp->QuadPart = 0; return FALSE; } BOOLEAN PhpGetDevicePropertyString( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PPH_STRING* String ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PPH_STRING string; *String = NULL; result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, 0 ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || ((devicePropertyType != DEVPROP_TYPE_STRING) && (devicePropertyType != DEVPROP_TYPE_SECURITY_DESCRIPTOR_STRING))) { return FALSE; } if (requiredLength < sizeof(UNICODE_NULL)) { *String = PhReferenceEmptyString(); return TRUE; } string = PhCreateStringEx(NULL, requiredLength - sizeof(UNICODE_NULL)); if (SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, (PBYTE)string->Buffer, requiredLength, &requiredLength, 0 )) { *String = string; return TRUE; } PhClearReference(&string); return FALSE; } BOOLEAN PhpGetDeviceInterfacePropertyString( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PPH_STRING* String ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PPH_STRING string; *String = NULL; result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, 0 ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || ((devicePropertyType != DEVPROP_TYPE_STRING) && (devicePropertyType != DEVPROP_TYPE_SECURITY_DESCRIPTOR_STRING))) { return FALSE; } if (requiredLength < sizeof(UNICODE_NULL)) { *String = PhReferenceEmptyString(); return TRUE; } string = PhCreateStringEx(NULL, requiredLength - sizeof(UNICODE_NULL)); if (SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, (PBYTE)string->Buffer, requiredLength, &requiredLength, 0 )) { *String = string; return TRUE; } PhClearReference(&string); return FALSE; } BOOLEAN PhpGetClassPropertyString( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PPH_STRING* String ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PPH_STRING string; *String = NULL; result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, Flags ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || ((devicePropertyType != DEVPROP_TYPE_STRING) && (devicePropertyType != DEVPROP_TYPE_SECURITY_DESCRIPTOR_STRING))) { return FALSE; } if (requiredLength < sizeof(UNICODE_NULL)) { *String = PhReferenceEmptyString(); return TRUE; } string = PhCreateStringEx(NULL, requiredLength - sizeof(UNICODE_NULL)); if (SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, (PBYTE)string->Buffer, requiredLength, &requiredLength, Flags )) { *String = string; return TRUE; } PhClearReference(&string); return FALSE; } BOOLEAN PhpGetDevicePropertyStringList( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PPH_LIST* StringList ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PVOID buffer = NULL; PPH_LIST stringList; *StringList = NULL; result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, 0 ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || (devicePropertyType != DEVPROP_TYPE_STRING_LIST)) { goto Exit; } buffer = PhAllocate(requiredLength); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, buffer, requiredLength, &requiredLength, 0 ); if (!result) { goto Exit; } stringList = PhCreateList(1); for (PZZWSTR item = buffer;;) { PH_STRINGREF string; PhInitializeStringRefLongHint(&string, item); if (string.Length == 0) { break; } PhAddItemList(stringList, PhCreateString2(&string)); item = PTR_ADD_OFFSET(item, string.Length + sizeof(UNICODE_NULL)); } *StringList = stringList; Exit: if (buffer) PhFree(buffer); return !!result; } BOOLEAN PhpGetDeviceInterfacePropertyStringList( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PPH_LIST* StringList ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PVOID buffer = NULL; PPH_LIST stringList; *StringList = NULL; result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, 0 ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || (devicePropertyType != DEVPROP_TYPE_STRING_LIST)) { goto Exit; } buffer = PhAllocate(requiredLength); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, buffer, requiredLength, &requiredLength, 0 ); if (!result) { goto Exit; } stringList = PhCreateList(1); for (PZZWSTR item = buffer;;) { PH_STRINGREF string; PhInitializeStringRefLongHint(&string, item); if (string.Length == 0) { break; } PhAddItemList(stringList, PhCreateString2(&string)); item = PTR_ADD_OFFSET(item, string.Length + sizeof(UNICODE_NULL)); } *StringList = stringList; Exit: if (buffer) PhFree(buffer); return !!result; } BOOLEAN PhpGetClassPropertyStringList( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PPH_LIST* StringList ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PVOID buffer = NULL; PPH_LIST stringList; *StringList = NULL; result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, Flags ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || (devicePropertyType != DEVPROP_TYPE_STRING_LIST)) { goto Exit; } buffer = PhAllocate(requiredLength); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, buffer, requiredLength, &requiredLength, Flags ); if (!result) { goto Exit; } stringList = PhCreateList(1); for (PZZWSTR item = buffer;;) { PH_STRINGREF string; PhInitializeStringRefLongHint(&string, item); if (string.Length == 0) { break; } PhAddItemList(stringList, PhCreateString2(&string)); item = PTR_ADD_OFFSET(item, string.Length + sizeof(UNICODE_NULL)); } *StringList = stringList; Exit: if (buffer) PhFree(buffer); return !!result; } BOOLEAN PhpGetDevicePropertyBinary( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PBYTE* Buffer, _Out_ PULONG Size ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PVOID buffer = NULL; *Buffer = NULL; *Size = 0; result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, 0 ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || ((devicePropertyType != DEVPROP_TYPE_BINARY) && (devicePropertyType != DEVPROP_TYPE_SECURITY_DESCRIPTOR))) { goto Exit; } buffer = PhAllocate(requiredLength); result = SetupDiGetDevicePropertyW( DeviceInfoSet, DeviceInfoData, DeviceProperty, &devicePropertyType, buffer, requiredLength, &requiredLength, 0 ); if (!result) { goto Exit; } *Size = requiredLength; *Buffer = buffer; buffer = NULL; Exit: if (buffer) PhFree(buffer); return !!result; } BOOLEAN PhpGetDeviceInterfacePropertyBinary( _In_ HDEVINFO DeviceInfoSet, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData, _In_ const DEVPROPKEY* DeviceProperty, _Out_ PBYTE* Buffer, _Out_ PULONG Size ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PVOID buffer = NULL; *Buffer = NULL; *Size = 0; result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, 0 ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || ((devicePropertyType != DEVPROP_TYPE_BINARY) && (devicePropertyType != DEVPROP_TYPE_SECURITY_DESCRIPTOR))) { goto Exit; } buffer = PhAllocate(requiredLength); result = SetupDiGetDeviceInterfacePropertyW( DeviceInfoSet, DeviceInterfaceData, DeviceProperty, &devicePropertyType, buffer, requiredLength, &requiredLength, 0 ); if (!result) { goto Exit; } *Size = requiredLength; *Buffer = buffer; buffer = NULL; Exit: if (buffer) PhFree(buffer); return !!result; } BOOLEAN PhpGetClassPropertyBinary( _In_ const GUID* ClassGuid, _In_ const DEVPROPKEY* DeviceProperty, _In_ ULONG Flags, _Out_ PBYTE* Buffer, _Out_ PULONG Size ) { BOOL result; DEVPROPTYPE devicePropertyType = DEVPROP_TYPE_EMPTY; ULONG requiredLength = 0; PVOID buffer = NULL; *Buffer = NULL; *Size = 0; result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, NULL, 0, &requiredLength, Flags ); if (result || (requiredLength == 0) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER) || ((devicePropertyType != DEVPROP_TYPE_BINARY) && (devicePropertyType != DEVPROP_TYPE_SECURITY_DESCRIPTOR))) { goto Exit; } buffer = PhAllocate(requiredLength); result = SetupDiGetClassPropertyW( ClassGuid, DeviceProperty, &devicePropertyType, buffer, requiredLength, &requiredLength, Flags ); if (!result) { goto Exit; } *Size = requiredLength; *Buffer = buffer; buffer = NULL; Exit: if (buffer) PhFree(buffer); return !!result; } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillString( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeString; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyString( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->String ); } else { Property->Valid = PhpGetDeviceInterfacePropertyString( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->String ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyString( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->String ); } else { Property->Valid = PhpGetDevicePropertyString( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->String ); } } if (Property->Valid) { Property->AsString = Property->String; PhReferenceObject(Property->AsString); } } VOID PhpDevPropFillUInt64Common( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeUInt64; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyUInt64( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->UInt64 ); } else { Property->Valid = PhpGetDeviceInterfacePropertyUInt64( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->UInt64 ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyUInt64( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->UInt64 ); } else { Property->Valid = PhpGetDevicePropertyUInt64( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->UInt64 ); } } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillUInt64( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt64Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { PH_FORMAT format[1]; PhInitFormatI64U(&format[0], Property->UInt64); Property->AsString = PhFormat(format, ARRAYSIZE(format), 1); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillUInt64Hex( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt64Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { PH_FORMAT format[2]; PhInitFormatI64X(&format[1], Property->UInt64); Property->AsString = PhFormat(format, ARRAYSIZE(format), 10); } } VOID PhpDevPropFillInt64Common( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeInt64; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyInt64( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->Int64 ); } else { Property->Valid = PhpGetDeviceInterfacePropertyInt64( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->Int64 ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyInt64( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->Int64 ); } else { Property->Valid = PhpGetDevicePropertyInt64( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->Int64 ); } } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillInt64( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillInt64Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { PH_FORMAT format[1]; PhInitFormatI64D(&format[0], Property->Int64); Property->AsString = PhFormat(format, ARRAYSIZE(format), 1); } } VOID PhpDevPropFillUInt32Common( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeUInt32; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyUInt32( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->UInt32 ); } else { Property->Valid = PhpGetDeviceInterfacePropertyUInt32( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->UInt32 ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyUInt32( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->UInt32 ); } else { Property->Valid = PhpGetDevicePropertyUInt32( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->UInt32 ); } } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillUInt32( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt32Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { PH_FORMAT format[1]; PhInitFormatU(&format[0], Property->UInt32); Property->AsString = PhFormat(format, ARRAYSIZE(format), 1); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillUInt32Hex( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt32Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"0x"); PhInitFormatIX(&format[1], Property->UInt32); Property->AsString = PhFormat(format, ARRAYSIZE(format), 10); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillInt32( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeUInt32; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyInt32( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->Int32 ); } else { Property->Valid = PhpGetDeviceInterfacePropertyInt32( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->Int32 ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyInt32( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->Int32 ); } else { Property->Valid = PhpGetDevicePropertyInt32( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->Int32 ); } } if (Property->Valid) { PH_FORMAT format[1]; PhInitFormatD(&format[0], Property->Int32); Property->AsString = PhFormat(format, ARRAYSIZE(format), 1); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillNTSTATUS( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeNTSTATUS; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyNTSTATUS( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->Status ); } else { Property->Valid = PhpGetDeviceInterfacePropertyNTSTATUS( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->Status ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyNTSTATUS( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->Status ); } else { Property->Valid = PhpGetDevicePropertyNTSTATUS( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->Status ); } } if (Property->Valid && Property->Status != STATUS_SUCCESS) { Property->AsString = PhGetStatusMessage(Property->Status, 0); } } typedef struct _PH_WELL_KNOWN_GUID { const GUID* Guid; PH_STRINGREF Symbol; } PH_WELL_KNOWN_GUID, *PPH_WELL_KNOWN_GUID; #define PH_DEFINE_WELL_KNOWN_GUID(guid) const PH_WELL_KNOWN_GUID PH_WELL_KNOWN_##guid = { &(guid), PH_STRINGREF_INIT(TEXT(#guid)) } PH_DEFINE_WELL_KNOWN_GUID(GUID_HWPROFILE_QUERY_CHANGE); PH_DEFINE_WELL_KNOWN_GUID(GUID_HWPROFILE_CHANGE_CANCELLED); PH_DEFINE_WELL_KNOWN_GUID(GUID_HWPROFILE_CHANGE_COMPLETE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_INTERFACE_ARRIVAL); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_INTERFACE_REMOVAL); PH_DEFINE_WELL_KNOWN_GUID(GUID_TARGET_DEVICE_QUERY_REMOVE); PH_DEFINE_WELL_KNOWN_GUID(GUID_TARGET_DEVICE_REMOVE_CANCELLED); PH_DEFINE_WELL_KNOWN_GUID(GUID_TARGET_DEVICE_REMOVE_COMPLETE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PNP_CUSTOM_NOTIFICATION); PH_DEFINE_WELL_KNOWN_GUID(GUID_PNP_POWER_NOTIFICATION); PH_DEFINE_WELL_KNOWN_GUID(GUID_PNP_POWER_SETTING_CHANGE); PH_DEFINE_WELL_KNOWN_GUID(GUID_TARGET_DEVICE_TRANSPORT_RELATIONS_CHANGED); PH_DEFINE_WELL_KNOWN_GUID(GUID_KERNEL_SOFT_RESTART_PREPARE); PH_DEFINE_WELL_KNOWN_GUID(GUID_KERNEL_SOFT_RESTART_CANCEL); PH_DEFINE_WELL_KNOWN_GUID(GUID_RECOVERY_PCI_PREPARE_SHUTDOWN); PH_DEFINE_WELL_KNOWN_GUID(GUID_RECOVERY_NVMED_PREPARE_SHUTDOWN); PH_DEFINE_WELL_KNOWN_GUID(GUID_KERNEL_SOFT_RESTART_FINALIZE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_BUS_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_BUS_INTERFACE_STANDARD2); PH_DEFINE_WELL_KNOWN_GUID(GUID_ARBITER_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_TRANSLATOR_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_ACPI_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_INT_ROUTE_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCMCIA_BUS_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_ACPI_REGS_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_LEGACY_DEVICE_DETECTION_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_DEVICE_PRESENT_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_MF_ENUMERATION_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_REENUMERATE_SELF_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_AGP_TARGET_BUS_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_ACPI_CMOS_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_ACPI_PORT_RANGES_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_ACPI_INTERFACE_STANDARD2); PH_DEFINE_WELL_KNOWN_GUID(GUID_PNP_LOCATION_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_EXPRESS_LINK_QUIESCENT_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_EXPRESS_ROOT_PORT_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_MSIX_TABLE_CONFIG_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_D3COLD_SUPPORT_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PROCESSOR_PCC_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_VIRTUALIZATION_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCC_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCC_INTERFACE_INTERNAL); PH_DEFINE_WELL_KNOWN_GUID(GUID_THERMAL_COOLING_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DMA_CACHE_COHERENCY_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_RESET_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_IOMMU_BUS_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_SECURITY_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SCM_BUS_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SECURE_DRIVER_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SDEV_IDENTIFIER_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SCM_BUS_NVD_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SCM_BUS_LD_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SCM_PHYSICAL_NVDIMM_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PNP_EXTENDED_ADDRESS_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_D3COLD_AUX_POWER_AND_TIMING_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_FPGA_CONTROL_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_PTM_CONTROL_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_RESOURCE_UPDATE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_NPEM_CONTROL_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PCI_ATS_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_INTERNAL); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_PCMCIA); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_PCI); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_ISAPNP); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_EISA); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_MCA); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_SERENUM); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_USB); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_LPTENUM); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_USBPRINT); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_DOT4PRT); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_1394); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_HID); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_AVC); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_IRDA); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_SD); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_ACPI); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_SW_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_SCM); PH_DEFINE_WELL_KNOWN_GUID(GUID_POWER_DEVICE_ENABLE); PH_DEFINE_WELL_KNOWN_GUID(GUID_POWER_DEVICE_TIMEOUTS); PH_DEFINE_WELL_KNOWN_GUID(GUID_POWER_DEVICE_WAKE_ENABLE); PH_DEFINE_WELL_KNOWN_GUID(GUID_WUDF_DEVICE_HOST_PROBLEM); PH_DEFINE_WELL_KNOWN_GUID(GUID_PARTITION_UNIT_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_QUERY_CRASHDUMP_FUNCTIONS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_DISK); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_CDROM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_PARTITION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_TAPE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_WRITEONCEDISK); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_VOLUME); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_MEDIUMCHANGER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_FLOPPY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_CDCHANGER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_STORAGEPORT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_VMLUN); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_SES); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_ZNSDISK); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_SERVICE_VOLUME); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_HIDDEN_VOLUME); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_UNIFIED_ACCESS_RPMB); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_SCM_PHYSICAL_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SCM_PD_HEALTH_NOTIFICATION); PH_DEFINE_WELL_KNOWN_GUID(GUID_SCM_PD_PASSTHROUGH_INVDIMM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_COMPORT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_SERENUM_BUS_ENUMERATOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_BTHPORT_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BTH_RFCOMM_SERVICE_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_1394); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_1394DEBUG); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_61883); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_ADAPTER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_APMSUPPORT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_AVC); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_BATTERY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_BIOMETRIC); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_BLUETOOTH); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_CAMERA); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_CDROM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_COMPUTEACCELERATOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_COMPUTER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_DECODER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_DISKDRIVE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_DISPLAY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_DOT4); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_DOT4PRINT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_EHSTORAGESILO); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_ENUM1394); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_EXTENSION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FDC); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FIRMWARE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FLOPPYDISK); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_GENERIC); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_GPS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_HDC); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_HIDCLASS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_HOLOGRAPHIC); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_IMAGE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_INFINIBAND); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_INFRARED); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_KEYBOARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_LEGACYDRIVER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MEDIA); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MEDIUM_CHANGER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MEMORY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MODEM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MONITOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MOUSE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MTD); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MULTIFUNCTION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_MULTIPORTSERIAL); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_NET); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_NETCLIENT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_NETDRIVER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_NETSERVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_NETTRANS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_NETUIO); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_NODRIVER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PCMCIA); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PNPPRINTERS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PORTS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PRIMITIVE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PRINTER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PRINTERUPGRADE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PRINTQUEUE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_PROCESSOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SBP2); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SCMDISK); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SCMVOLUME); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SCSIADAPTER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SECURITYACCELERATOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SENSOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SIDESHOW); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SMARTCARDREADER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SMRDISK); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SMRVOLUME); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SOFTWARECOMPONENT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SOUND); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_SYSTEM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_TAPEDRIVE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_UNKNOWN); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_UCM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_USB); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_VOLUME); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_VOLUMESNAPSHOT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_WCEUSBS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_WPD); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_TOP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_ACTIVITYMONITOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_UNDELETE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_ANTIVIRUS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_REPLICATION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_CONTINUOUSBACKUP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_CONTENTSCREENER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_QUOTAMANAGEMENT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_SYSTEMRECOVERY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_CFSMETADATASERVER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_HSM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_COMPRESSION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_ENCRYPTION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_VIRTUALIZATION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_PHYSICALQUOTAMANAGEMENT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_OPENFILEBACKUP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_SECURITYENHANCER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_COPYPROTECTION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_BOTTOM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_SYSTEM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVCLASS_FSFILTER_INFRASTRUCTURE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_USB_HUB); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_USB_BILLBOARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_USB_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_USB_HOST_CONTROLLER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_A2DP_SIDEBAND_AUDIO); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_BLUETOOTH_HFP_SCO_HCIBYPASS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_CHARGING_ARBITRATION); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_CONFIGURABLE_USBFN_CHARGER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_CONFIGURABLE_WIRELESS_CHARGER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_I2C); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_OPM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_OPM_2_JTP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_OPM_2); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_OPM_3); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_BRIGHTNESS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_BRIGHTNESS_2); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_MIRACAST_DISPLAY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_BRIGHTNESS_3); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_HPMI); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_VIRTUALIZABLE_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_EMMC_PARTITION_ACCESS_RPMB); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_EMMC_PARTITION_ACCESS_GPP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_USB_SIDEBAND_AUDIO_HS_HCIBYPASS); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_VPCI); PH_DEFINE_WELL_KNOWN_GUID(GUID_VPCI_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_VPCI); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_WWAN_CONTROLLER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_WDDM3_ON_VB); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_GRAPHICSPOWER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_GNSS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_HID); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_LAMP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_NET); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_NETUIO); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_NFCDTA); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_NFCSE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_NFP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_KEYBOARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_MODEM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_MOUSE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_PARALLEL); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_PARCLASS); PH_DEFINE_WELL_KNOWN_GUID(GUID_PARALLEL_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_PARCLASS_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_DISPLAY_ADAPTER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_MONITOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_BATTERY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_APPLICATIONLAUNCH_BUTTON); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_SYS_BUTTON); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_LID); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_THERMAL_ZONE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_FAN); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_PROCESSOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_MEMORY); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_ACPI_TIME); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVICE_MESSAGE_INDICATOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_CLASS_INPUT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_THERMAL_COOLING); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_THERMAL_MANAGER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_PWM_CONTROLLER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_USBPRINT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_IPPUSB_PRINT); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_VM_GENCOUNTER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_BIOMETRIC_READER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_SMARTCARD_READER); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_DMR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_DMP); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_DMS); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_ENHANCED_STORAGE_SILO); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_WPD); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_WPD_PRIVATE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_WPD_SERVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_SENSOR); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_IMAGE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_SIDESHOW); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_WIFIDIRECT_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_AEPSERVICE_WIFIDIRECT_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DEVINTERFACE_ASP_INFRA_DEVICE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DXGKDDI_MITIGABLE_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_DXGKDDI_FLEXIOV_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_SRIOV_DEVICE_INTERFACE_STANDARD); PH_DEFINE_WELL_KNOWN_GUID(GUID_MITIGABLE_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_IO_VOLUME_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_NDIS_LAN_CLASS); PH_DEFINE_WELL_KNOWN_GUID(GUID_NFC_RADIO_MEDIA_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_NFCSE_RADIO_MEDIA_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BLUETOOTHLE_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BLUETOOTH_GATT_SERVICE_DEVICE_INTERFACE); PH_DEFINE_WELL_KNOWN_GUID(GUID_BUS_TYPE_TREE); PH_DEFINE_WELL_KNOWN_GUID(GUID_TREE_TPM_SERVICE_FDTPM); PH_DEFINE_WELL_KNOWN_GUID(GUID_TREE_TPM_SERVICE_STPM); PH_DEFINE_WELL_KNOWN_GUID(GUID_DISPLAY_DEVICE_ARRIVAL); PH_DEFINE_WELL_KNOWN_GUID(GUID_COMPUTE_DEVICE_ARRIVAL); static PH_INITONCE PhpWellKnownGuidsInitOnce = PH_INITONCE_INIT; static const PH_WELL_KNOWN_GUID* PhpWellKnownGuids[] = { &PH_WELL_KNOWN_GUID_HWPROFILE_QUERY_CHANGE, &PH_WELL_KNOWN_GUID_HWPROFILE_CHANGE_CANCELLED, &PH_WELL_KNOWN_GUID_HWPROFILE_CHANGE_COMPLETE, &PH_WELL_KNOWN_GUID_DEVICE_INTERFACE_ARRIVAL, &PH_WELL_KNOWN_GUID_DEVICE_INTERFACE_REMOVAL, &PH_WELL_KNOWN_GUID_TARGET_DEVICE_QUERY_REMOVE, &PH_WELL_KNOWN_GUID_TARGET_DEVICE_REMOVE_CANCELLED, &PH_WELL_KNOWN_GUID_TARGET_DEVICE_REMOVE_COMPLETE, &PH_WELL_KNOWN_GUID_PNP_CUSTOM_NOTIFICATION, &PH_WELL_KNOWN_GUID_PNP_POWER_NOTIFICATION, &PH_WELL_KNOWN_GUID_PNP_POWER_SETTING_CHANGE, &PH_WELL_KNOWN_GUID_TARGET_DEVICE_TRANSPORT_RELATIONS_CHANGED, &PH_WELL_KNOWN_GUID_KERNEL_SOFT_RESTART_PREPARE, &PH_WELL_KNOWN_GUID_KERNEL_SOFT_RESTART_CANCEL, &PH_WELL_KNOWN_GUID_RECOVERY_PCI_PREPARE_SHUTDOWN, &PH_WELL_KNOWN_GUID_RECOVERY_NVMED_PREPARE_SHUTDOWN, &PH_WELL_KNOWN_GUID_KERNEL_SOFT_RESTART_FINALIZE, &PH_WELL_KNOWN_GUID_BUS_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_PCI_BUS_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_PCI_BUS_INTERFACE_STANDARD2, &PH_WELL_KNOWN_GUID_ARBITER_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_TRANSLATOR_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_ACPI_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_INT_ROUTE_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_PCMCIA_BUS_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_ACPI_REGS_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_LEGACY_DEVICE_DETECTION_STANDARD, &PH_WELL_KNOWN_GUID_PCI_DEVICE_PRESENT_INTERFACE, &PH_WELL_KNOWN_GUID_MF_ENUMERATION_INTERFACE, &PH_WELL_KNOWN_GUID_REENUMERATE_SELF_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_AGP_TARGET_BUS_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_ACPI_CMOS_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_ACPI_PORT_RANGES_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_ACPI_INTERFACE_STANDARD2, &PH_WELL_KNOWN_GUID_PNP_LOCATION_INTERFACE, &PH_WELL_KNOWN_GUID_PCI_EXPRESS_LINK_QUIESCENT_INTERFACE, &PH_WELL_KNOWN_GUID_PCI_EXPRESS_ROOT_PORT_INTERFACE, &PH_WELL_KNOWN_GUID_MSIX_TABLE_CONFIG_INTERFACE, &PH_WELL_KNOWN_GUID_D3COLD_SUPPORT_INTERFACE, &PH_WELL_KNOWN_GUID_PROCESSOR_PCC_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_PCI_VIRTUALIZATION_INTERFACE, &PH_WELL_KNOWN_GUID_PCC_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_PCC_INTERFACE_INTERNAL, &PH_WELL_KNOWN_GUID_THERMAL_COOLING_INTERFACE, &PH_WELL_KNOWN_GUID_DMA_CACHE_COHERENCY_INTERFACE, &PH_WELL_KNOWN_GUID_DEVICE_RESET_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_IOMMU_BUS_INTERFACE, &PH_WELL_KNOWN_GUID_PCI_SECURITY_INTERFACE, &PH_WELL_KNOWN_GUID_SCM_BUS_INTERFACE, &PH_WELL_KNOWN_GUID_SECURE_DRIVER_INTERFACE, &PH_WELL_KNOWN_GUID_SDEV_IDENTIFIER_INTERFACE, &PH_WELL_KNOWN_GUID_SCM_BUS_NVD_INTERFACE, &PH_WELL_KNOWN_GUID_SCM_BUS_LD_INTERFACE, &PH_WELL_KNOWN_GUID_SCM_PHYSICAL_NVDIMM_INTERFACE, &PH_WELL_KNOWN_GUID_PNP_EXTENDED_ADDRESS_INTERFACE, &PH_WELL_KNOWN_GUID_D3COLD_AUX_POWER_AND_TIMING_INTERFACE, &PH_WELL_KNOWN_GUID_PCI_FPGA_CONTROL_INTERFACE, &PH_WELL_KNOWN_GUID_PCI_PTM_CONTROL_INTERFACE, &PH_WELL_KNOWN_GUID_BUS_RESOURCE_UPDATE_INTERFACE, &PH_WELL_KNOWN_GUID_NPEM_CONTROL_INTERFACE, &PH_WELL_KNOWN_GUID_PCI_ATS_INTERFACE, &PH_WELL_KNOWN_GUID_BUS_TYPE_INTERNAL, &PH_WELL_KNOWN_GUID_BUS_TYPE_PCMCIA, &PH_WELL_KNOWN_GUID_BUS_TYPE_PCI, &PH_WELL_KNOWN_GUID_BUS_TYPE_ISAPNP, &PH_WELL_KNOWN_GUID_BUS_TYPE_EISA, &PH_WELL_KNOWN_GUID_BUS_TYPE_MCA, &PH_WELL_KNOWN_GUID_BUS_TYPE_SERENUM, &PH_WELL_KNOWN_GUID_BUS_TYPE_USB, &PH_WELL_KNOWN_GUID_BUS_TYPE_LPTENUM, &PH_WELL_KNOWN_GUID_BUS_TYPE_USBPRINT, &PH_WELL_KNOWN_GUID_BUS_TYPE_DOT4PRT, &PH_WELL_KNOWN_GUID_BUS_TYPE_1394, &PH_WELL_KNOWN_GUID_BUS_TYPE_HID, &PH_WELL_KNOWN_GUID_BUS_TYPE_AVC, &PH_WELL_KNOWN_GUID_BUS_TYPE_IRDA, &PH_WELL_KNOWN_GUID_BUS_TYPE_SD, &PH_WELL_KNOWN_GUID_BUS_TYPE_ACPI, &PH_WELL_KNOWN_GUID_BUS_TYPE_SW_DEVICE, &PH_WELL_KNOWN_GUID_BUS_TYPE_SCM, &PH_WELL_KNOWN_GUID_POWER_DEVICE_ENABLE, &PH_WELL_KNOWN_GUID_POWER_DEVICE_TIMEOUTS, &PH_WELL_KNOWN_GUID_POWER_DEVICE_WAKE_ENABLE, &PH_WELL_KNOWN_GUID_WUDF_DEVICE_HOST_PROBLEM, &PH_WELL_KNOWN_GUID_PARTITION_UNIT_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_QUERY_CRASHDUMP_FUNCTIONS, &PH_WELL_KNOWN_GUID_DEVINTERFACE_DISK, &PH_WELL_KNOWN_GUID_DEVINTERFACE_CDROM, &PH_WELL_KNOWN_GUID_DEVINTERFACE_PARTITION, &PH_WELL_KNOWN_GUID_DEVINTERFACE_TAPE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_WRITEONCEDISK, &PH_WELL_KNOWN_GUID_DEVINTERFACE_VOLUME, &PH_WELL_KNOWN_GUID_DEVINTERFACE_MEDIUMCHANGER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_FLOPPY, &PH_WELL_KNOWN_GUID_DEVINTERFACE_CDCHANGER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_STORAGEPORT, &PH_WELL_KNOWN_GUID_DEVINTERFACE_VMLUN, &PH_WELL_KNOWN_GUID_DEVINTERFACE_SES, &PH_WELL_KNOWN_GUID_DEVINTERFACE_ZNSDISK, &PH_WELL_KNOWN_GUID_DEVINTERFACE_SERVICE_VOLUME, &PH_WELL_KNOWN_GUID_DEVINTERFACE_HIDDEN_VOLUME, &PH_WELL_KNOWN_GUID_DEVINTERFACE_UNIFIED_ACCESS_RPMB, &PH_WELL_KNOWN_GUID_DEVINTERFACE_SCM_PHYSICAL_DEVICE, &PH_WELL_KNOWN_GUID_SCM_PD_HEALTH_NOTIFICATION, &PH_WELL_KNOWN_GUID_SCM_PD_PASSTHROUGH_INVDIMM, &PH_WELL_KNOWN_GUID_DEVINTERFACE_COMPORT, &PH_WELL_KNOWN_GUID_DEVINTERFACE_SERENUM_BUS_ENUMERATOR, &PH_WELL_KNOWN_GUID_BTHPORT_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_BTH_RFCOMM_SERVICE_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_DEVCLASS_1394, &PH_WELL_KNOWN_GUID_DEVCLASS_1394DEBUG, &PH_WELL_KNOWN_GUID_DEVCLASS_61883, &PH_WELL_KNOWN_GUID_DEVCLASS_ADAPTER, &PH_WELL_KNOWN_GUID_DEVCLASS_APMSUPPORT, &PH_WELL_KNOWN_GUID_DEVCLASS_AVC, &PH_WELL_KNOWN_GUID_DEVCLASS_BATTERY, &PH_WELL_KNOWN_GUID_DEVCLASS_BIOMETRIC, &PH_WELL_KNOWN_GUID_DEVCLASS_BLUETOOTH, &PH_WELL_KNOWN_GUID_DEVCLASS_CAMERA, &PH_WELL_KNOWN_GUID_DEVCLASS_CDROM, &PH_WELL_KNOWN_GUID_DEVCLASS_COMPUTEACCELERATOR, &PH_WELL_KNOWN_GUID_DEVCLASS_COMPUTER, &PH_WELL_KNOWN_GUID_DEVCLASS_DECODER, &PH_WELL_KNOWN_GUID_DEVCLASS_DISKDRIVE, &PH_WELL_KNOWN_GUID_DEVCLASS_DISPLAY, &PH_WELL_KNOWN_GUID_DEVCLASS_DOT4, &PH_WELL_KNOWN_GUID_DEVCLASS_DOT4PRINT, &PH_WELL_KNOWN_GUID_DEVCLASS_EHSTORAGESILO, &PH_WELL_KNOWN_GUID_DEVCLASS_ENUM1394, &PH_WELL_KNOWN_GUID_DEVCLASS_EXTENSION, &PH_WELL_KNOWN_GUID_DEVCLASS_FDC, &PH_WELL_KNOWN_GUID_DEVCLASS_FIRMWARE, &PH_WELL_KNOWN_GUID_DEVCLASS_FLOPPYDISK, &PH_WELL_KNOWN_GUID_DEVCLASS_GENERIC, &PH_WELL_KNOWN_GUID_DEVCLASS_GPS, &PH_WELL_KNOWN_GUID_DEVCLASS_HDC, &PH_WELL_KNOWN_GUID_DEVCLASS_HIDCLASS, &PH_WELL_KNOWN_GUID_DEVCLASS_HOLOGRAPHIC, &PH_WELL_KNOWN_GUID_DEVCLASS_IMAGE, &PH_WELL_KNOWN_GUID_DEVCLASS_INFINIBAND, &PH_WELL_KNOWN_GUID_DEVCLASS_INFRARED, &PH_WELL_KNOWN_GUID_DEVCLASS_KEYBOARD, &PH_WELL_KNOWN_GUID_DEVCLASS_LEGACYDRIVER, &PH_WELL_KNOWN_GUID_DEVCLASS_MEDIA, &PH_WELL_KNOWN_GUID_DEVCLASS_MEDIUM_CHANGER, &PH_WELL_KNOWN_GUID_DEVCLASS_MEMORY, &PH_WELL_KNOWN_GUID_DEVCLASS_MODEM, &PH_WELL_KNOWN_GUID_DEVCLASS_MONITOR, &PH_WELL_KNOWN_GUID_DEVCLASS_MOUSE, &PH_WELL_KNOWN_GUID_DEVCLASS_MTD, &PH_WELL_KNOWN_GUID_DEVCLASS_MULTIFUNCTION, &PH_WELL_KNOWN_GUID_DEVCLASS_MULTIPORTSERIAL, &PH_WELL_KNOWN_GUID_DEVCLASS_NET, &PH_WELL_KNOWN_GUID_DEVCLASS_NETCLIENT, &PH_WELL_KNOWN_GUID_DEVCLASS_NETDRIVER, &PH_WELL_KNOWN_GUID_DEVCLASS_NETSERVICE, &PH_WELL_KNOWN_GUID_DEVCLASS_NETTRANS, &PH_WELL_KNOWN_GUID_DEVCLASS_NETUIO, &PH_WELL_KNOWN_GUID_DEVCLASS_NODRIVER, &PH_WELL_KNOWN_GUID_DEVCLASS_PCMCIA, &PH_WELL_KNOWN_GUID_DEVCLASS_PNPPRINTERS, &PH_WELL_KNOWN_GUID_DEVCLASS_PORTS, &PH_WELL_KNOWN_GUID_DEVCLASS_PRIMITIVE, &PH_WELL_KNOWN_GUID_DEVCLASS_PRINTER, &PH_WELL_KNOWN_GUID_DEVCLASS_PRINTERUPGRADE, &PH_WELL_KNOWN_GUID_DEVCLASS_PRINTQUEUE, &PH_WELL_KNOWN_GUID_DEVCLASS_PROCESSOR, &PH_WELL_KNOWN_GUID_DEVCLASS_SBP2, &PH_WELL_KNOWN_GUID_DEVCLASS_SCMDISK, &PH_WELL_KNOWN_GUID_DEVCLASS_SCMVOLUME, &PH_WELL_KNOWN_GUID_DEVCLASS_SCSIADAPTER, &PH_WELL_KNOWN_GUID_DEVCLASS_SECURITYACCELERATOR, &PH_WELL_KNOWN_GUID_DEVCLASS_SENSOR, &PH_WELL_KNOWN_GUID_DEVCLASS_SIDESHOW, &PH_WELL_KNOWN_GUID_DEVCLASS_SMARTCARDREADER, &PH_WELL_KNOWN_GUID_DEVCLASS_SMRDISK, &PH_WELL_KNOWN_GUID_DEVCLASS_SMRVOLUME, &PH_WELL_KNOWN_GUID_DEVCLASS_SOFTWARECOMPONENT, &PH_WELL_KNOWN_GUID_DEVCLASS_SOUND, &PH_WELL_KNOWN_GUID_DEVCLASS_SYSTEM, &PH_WELL_KNOWN_GUID_DEVCLASS_TAPEDRIVE, &PH_WELL_KNOWN_GUID_DEVCLASS_UNKNOWN, &PH_WELL_KNOWN_GUID_DEVCLASS_UCM, &PH_WELL_KNOWN_GUID_DEVCLASS_USB, &PH_WELL_KNOWN_GUID_DEVCLASS_VOLUME, &PH_WELL_KNOWN_GUID_DEVCLASS_VOLUMESNAPSHOT, &PH_WELL_KNOWN_GUID_DEVCLASS_WCEUSBS, &PH_WELL_KNOWN_GUID_DEVCLASS_WPD, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_TOP, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_ACTIVITYMONITOR, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_UNDELETE, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_ANTIVIRUS, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_REPLICATION, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_CONTINUOUSBACKUP, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_CONTENTSCREENER, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_QUOTAMANAGEMENT, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_SYSTEMRECOVERY, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_CFSMETADATASERVER, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_HSM, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_COMPRESSION, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_ENCRYPTION, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_VIRTUALIZATION, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_PHYSICALQUOTAMANAGEMENT, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_OPENFILEBACKUP, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_SECURITYENHANCER, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_COPYPROTECTION, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_BOTTOM, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_SYSTEM, &PH_WELL_KNOWN_GUID_DEVCLASS_FSFILTER_INFRASTRUCTURE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_USB_HUB, &PH_WELL_KNOWN_GUID_DEVINTERFACE_USB_BILLBOARD, &PH_WELL_KNOWN_GUID_DEVINTERFACE_USB_DEVICE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_USB_HOST_CONTROLLER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_A2DP_SIDEBAND_AUDIO, &PH_WELL_KNOWN_GUID_DEVINTERFACE_BLUETOOTH_HFP_SCO_HCIBYPASS, &PH_WELL_KNOWN_GUID_DEVINTERFACE_CHARGING_ARBITRATION, &PH_WELL_KNOWN_GUID_DEVINTERFACE_CONFIGURABLE_USBFN_CHARGER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_CONFIGURABLE_WIRELESS_CHARGER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_I2C, &PH_WELL_KNOWN_GUID_DEVINTERFACE_OPM, &PH_WELL_KNOWN_GUID_DEVINTERFACE_OPM_2_JTP, &PH_WELL_KNOWN_GUID_DEVINTERFACE_OPM_2, &PH_WELL_KNOWN_GUID_DEVINTERFACE_OPM_3, &PH_WELL_KNOWN_GUID_DEVINTERFACE_BRIGHTNESS, &PH_WELL_KNOWN_GUID_DEVINTERFACE_BRIGHTNESS_2, &PH_WELL_KNOWN_GUID_DEVINTERFACE_MIRACAST_DISPLAY, &PH_WELL_KNOWN_GUID_DEVINTERFACE_BRIGHTNESS_3, &PH_WELL_KNOWN_GUID_DEVINTERFACE_HPMI, &PH_WELL_KNOWN_GUID_DEVINTERFACE_VIRTUALIZABLE_DEVICE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_EMMC_PARTITION_ACCESS_RPMB, &PH_WELL_KNOWN_GUID_DEVINTERFACE_EMMC_PARTITION_ACCESS_GPP, &PH_WELL_KNOWN_GUID_DEVINTERFACE_USB_SIDEBAND_AUDIO_HS_HCIBYPASS, &PH_WELL_KNOWN_GUID_BUS_VPCI, &PH_WELL_KNOWN_GUID_VPCI_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_DEVINTERFACE_VPCI, &PH_WELL_KNOWN_GUID_DEVINTERFACE_WWAN_CONTROLLER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_WDDM3_ON_VB, &PH_WELL_KNOWN_GUID_DEVINTERFACE_GRAPHICSPOWER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_GNSS, &PH_WELL_KNOWN_GUID_DEVINTERFACE_HID, &PH_WELL_KNOWN_GUID_DEVINTERFACE_LAMP, &PH_WELL_KNOWN_GUID_DEVINTERFACE_NET, &PH_WELL_KNOWN_GUID_DEVINTERFACE_NETUIO, &PH_WELL_KNOWN_GUID_DEVINTERFACE_NFCDTA, &PH_WELL_KNOWN_GUID_DEVINTERFACE_NFCSE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_NFP, &PH_WELL_KNOWN_GUID_DEVINTERFACE_KEYBOARD, &PH_WELL_KNOWN_GUID_DEVINTERFACE_MODEM, &PH_WELL_KNOWN_GUID_DEVINTERFACE_MOUSE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_PARALLEL, &PH_WELL_KNOWN_GUID_DEVINTERFACE_PARCLASS, &PH_WELL_KNOWN_GUID_PARALLEL_DEVICE, &PH_WELL_KNOWN_GUID_PARCLASS_DEVICE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_DISPLAY_ADAPTER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_MONITOR, &PH_WELL_KNOWN_GUID_DEVICE_BATTERY, &PH_WELL_KNOWN_GUID_DEVICE_APPLICATIONLAUNCH_BUTTON, &PH_WELL_KNOWN_GUID_DEVICE_SYS_BUTTON, &PH_WELL_KNOWN_GUID_DEVICE_LID, &PH_WELL_KNOWN_GUID_DEVICE_THERMAL_ZONE, &PH_WELL_KNOWN_GUID_DEVICE_FAN, &PH_WELL_KNOWN_GUID_DEVICE_PROCESSOR, &PH_WELL_KNOWN_GUID_DEVICE_MEMORY, &PH_WELL_KNOWN_GUID_DEVICE_ACPI_TIME, &PH_WELL_KNOWN_GUID_DEVICE_MESSAGE_INDICATOR, &PH_WELL_KNOWN_GUID_CLASS_INPUT, &PH_WELL_KNOWN_GUID_DEVINTERFACE_THERMAL_COOLING, &PH_WELL_KNOWN_GUID_DEVINTERFACE_THERMAL_MANAGER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_PWM_CONTROLLER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_USBPRINT, &PH_WELL_KNOWN_GUID_DEVINTERFACE_IPPUSB_PRINT, &PH_WELL_KNOWN_GUID_DEVINTERFACE_VM_GENCOUNTER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_BIOMETRIC_READER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_SMARTCARD_READER, &PH_WELL_KNOWN_GUID_DEVINTERFACE_DMR, &PH_WELL_KNOWN_GUID_DEVINTERFACE_DMP, &PH_WELL_KNOWN_GUID_DEVINTERFACE_DMS, &PH_WELL_KNOWN_GUID_DEVINTERFACE_ENHANCED_STORAGE_SILO, &PH_WELL_KNOWN_GUID_DEVINTERFACE_WPD, &PH_WELL_KNOWN_GUID_DEVINTERFACE_WPD_PRIVATE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_WPD_SERVICE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_SENSOR, &PH_WELL_KNOWN_GUID_DEVINTERFACE_IMAGE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_SIDESHOW, &PH_WELL_KNOWN_GUID_DEVINTERFACE_WIFIDIRECT_DEVICE, &PH_WELL_KNOWN_GUID_AEPSERVICE_WIFIDIRECT_DEVICE, &PH_WELL_KNOWN_GUID_DEVINTERFACE_ASP_INFRA_DEVICE, &PH_WELL_KNOWN_GUID_DXGKDDI_MITIGABLE_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_DXGKDDI_FLEXIOV_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_SRIOV_DEVICE_INTERFACE_STANDARD, &PH_WELL_KNOWN_GUID_MITIGABLE_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_IO_VOLUME_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_NDIS_LAN_CLASS, &PH_WELL_KNOWN_GUID_NFC_RADIO_MEDIA_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_NFCSE_RADIO_MEDIA_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_BLUETOOTHLE_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_BLUETOOTH_GATT_SERVICE_DEVICE_INTERFACE, &PH_WELL_KNOWN_GUID_BUS_TYPE_TREE, &PH_WELL_KNOWN_GUID_TREE_TPM_SERVICE_FDTPM, &PH_WELL_KNOWN_GUID_TREE_TPM_SERVICE_STPM, &PH_WELL_KNOWN_GUID_DISPLAY_DEVICE_ARRIVAL, &PH_WELL_KNOWN_GUID_COMPUTE_DEVICE_ARRIVAL, }; static int __cdecl PhpWellKnownGuidSortFunction( const void* Left, const void* Right ) { PPH_WELL_KNOWN_GUID lhsItem; PPH_WELL_KNOWN_GUID rhsItem; lhsItem = *(PPH_WELL_KNOWN_GUID*)Left; rhsItem = *(PPH_WELL_KNOWN_GUID*)Right; return memcmp(lhsItem->Guid, rhsItem->Guid, sizeof(GUID)); } static int __cdecl PhpWellKnownGuidSearchFunction( const GUID* Guid, const void* Item ) { PPH_WELL_KNOWN_GUID item; item = *(PPH_WELL_KNOWN_GUID*)Item; return memcmp(Guid, item->Guid, sizeof(GUID)); } PPH_STRING PhpDevPropWellKnownGuidToString( _In_ PGUID Guid ) { const PH_WELL_KNOWN_GUID** entry; if (PhBeginInitOnce(&PhpWellKnownGuidsInitOnce)) { qsort( (void*)PhpWellKnownGuids, RTL_NUMBER_OF(PhpWellKnownGuids), sizeof(PPH_WELL_KNOWN_GUID), PhpWellKnownGuidSortFunction ); #ifdef DEBUG // check for collisions for (ULONG i = 0; i < RTL_NUMBER_OF(PhpWellKnownGuids) - 1; i++) { const PH_WELL_KNOWN_GUID* lhs = PhpWellKnownGuids[i]; const PH_WELL_KNOWN_GUID* rhs = PhpWellKnownGuids[i + 1]; assert(!IsEqualGUID(&lhs->Guid, &rhs->Guid)); } #endif PhEndInitOnce(&PhpWellKnownGuidsInitOnce); } entry = bsearch( Guid, PhpWellKnownGuids, RTL_NUMBER_OF(PhpWellKnownGuids), sizeof(PPH_WELL_KNOWN_GUID), PhpWellKnownGuidSearchFunction ); if (!entry) return NULL; return PhCreateString2((PPH_STRINGREF)&(*entry)->Symbol); } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillGuid( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeGUID; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyGuid( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->Guid ); } else { Property->Valid = PhpGetDeviceInterfacePropertyGuid( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->Guid ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyGuid( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->Guid ); } else { Property->Valid = PhpGetDevicePropertyGuid( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->Guid ); } } if (Property->Valid) { Property->AsString = PhpDevPropWellKnownGuidToString(&Property->Guid); if (!Property->AsString) Property->AsString = PhFormatGuid(&Property->Guid); } } PPH_STRING PhpDevPropPciDeviceTypeToString( _In_ ULONG Flags ) { PH_STRING_BUILDER stringBuilder; WCHAR pointer[PH_PTR_STR_LEN_1]; PhInitializeStringBuilder(&stringBuilder, 10); if (BooleanFlagOn(Flags, DevProp_PciDevice_DeviceType_PciConventional)) PhAppendStringBuilder2(&stringBuilder, L"PciConventional, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_DeviceType_PciX)) PhAppendStringBuilder2(&stringBuilder, L"PciX, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_DeviceType_PciExpressEndpoint)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressEndpoint, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_DeviceType_PciExpressLegacyEndpoint)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressLegacyEndpoint, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_DeviceType_PciExpressRootComplexIntegratedEndpoint)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressRootComplexIntegratedEndpoint, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_DeviceType_PciExpressTreatedAsPci)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressTreatedAsPci, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciConventional)) PhAppendStringBuilder2(&stringBuilder, L"PciConventional, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciX)) PhAppendStringBuilder2(&stringBuilder, L"PciX, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciExpressRootPort)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressRootPort, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciExpressUpstreamSwitchPort)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressUpstreamSwitchPort, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciExpressDownstreamSwitchPort)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressDownstreamSwitchPort, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciExpressToPciXBridge)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressToPciXBridge, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciXToExpressBridge)) PhAppendStringBuilder2(&stringBuilder, L"PciXToExpressBridge, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciExpressTreatedAsPci)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressTreatedAsPci, "); else if (BooleanFlagOn(Flags, DevProp_PciDevice_BridgeType_PciExpressEventCollector)) PhAppendStringBuilder2(&stringBuilder, L"PciExpressEventCollector, "); if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); if (Flags) { PhPrintPointer(pointer, UlongToPtr(Flags)); PhAppendFormatStringBuilder(&stringBuilder, L" (%s)", pointer); } return PhFinalStringBuilderString(&stringBuilder); } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillPciDeviceType( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt32Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { Property->AsString = PhpDevPropPciDeviceTypeToString(Property->UInt32); } } PPH_STRING PhpDevPropPciDeviceInterruptSupportToString( _In_ ULONG Flags ) { PH_STRING_BUILDER stringBuilder; WCHAR pointer[PH_PTR_STR_LEN_1]; PhInitializeStringBuilder(&stringBuilder, 10); if (BooleanFlagOn(Flags, DevProp_PciDevice_InterruptType_LineBased)) PhAppendStringBuilder2(&stringBuilder, L"Line based, "); if (BooleanFlagOn(Flags, DevProp_PciDevice_InterruptType_Msi)) PhAppendStringBuilder2(&stringBuilder, L"Msi, "); if (BooleanFlagOn(Flags, DevProp_PciDevice_InterruptType_MsiX)) PhAppendStringBuilder2(&stringBuilder, L"MsiX, "); if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhPrintPointer(pointer, UlongToPtr(Flags)); PhAppendFormatStringBuilder(&stringBuilder, L" (%s)", pointer); return PhFinalStringBuilderString(&stringBuilder); } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillPciDeviceInterruptSupport( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt32Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { Property->AsString = PhpDevPropPciDeviceInterruptSupportToString(Property->UInt32); } } PPH_STRING PhpDevPropPciDeviceRequestSizeToString( _In_ ULONG Flags ) { PH_STRING_BUILDER stringBuilder; WCHAR pointer[PH_PTR_STR_LEN_1]; PhInitializeStringBuilder(&stringBuilder, 10); if (BooleanFlagOn(Flags, DevProp_PciExpressDevice_PayloadOrRequestSize_128Bytes)) PhAppendStringBuilder2(&stringBuilder, L"128B, "); else if (BooleanFlagOn(Flags, DevProp_PciExpressDevice_PayloadOrRequestSize_256Bytes)) PhAppendStringBuilder2(&stringBuilder, L"256B, "); else if (BooleanFlagOn(Flags, DevProp_PciExpressDevice_PayloadOrRequestSize_512Bytes)) PhAppendStringBuilder2(&stringBuilder, L"512B, "); else if (BooleanFlagOn(Flags, DevProp_PciExpressDevice_PayloadOrRequestSize_1024Bytes)) PhAppendStringBuilder2(&stringBuilder, L"1024B, "); else if (BooleanFlagOn(Flags, DevProp_PciExpressDevice_PayloadOrRequestSize_2048Bytes)) PhAppendStringBuilder2(&stringBuilder, L"2048B, "); else if (BooleanFlagOn(Flags, DevProp_PciExpressDevice_PayloadOrRequestSize_4096Bytes)) PhAppendStringBuilder2(&stringBuilder, L"4096B, "); if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhPrintPointer(pointer, UlongToPtr(Flags)); PhAppendFormatStringBuilder(&stringBuilder, L" (%s)", pointer); return PhFinalStringBuilderString(&stringBuilder); } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillPciDeviceRequestSize( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt32Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { Property->AsString = PhpDevPropPciDeviceRequestSizeToString(Property->UInt32); } } PPH_STRING PhpDevPropPciDeviceSriovSupportToString( _In_ ULONG Flags ) { PH_STRING_BUILDER stringBuilder; WCHAR pointer[PH_PTR_STR_LEN_1]; PhInitializeStringBuilder(&stringBuilder, 10); if (BooleanFlagOn(Flags, DevProp_PciDevice_SriovSupport_Ok)) PhAppendStringBuilder2(&stringBuilder, L"Ok, "); if (BooleanFlagOn(Flags, DevProp_PciDevice_SriovSupport_MissingAcs)) PhAppendStringBuilder2(&stringBuilder, L"MissingAcs, "); if (BooleanFlagOn(Flags, DevProp_PciDevice_SriovSupport_MissingPfDriver)) PhAppendStringBuilder2(&stringBuilder, L"MissingPfDriver, "); if (BooleanFlagOn(Flags, DevProp_PciDevice_SriovSupport_NoBusResource)) PhAppendStringBuilder2(&stringBuilder, L"NoBusResource, "); if (BooleanFlagOn(Flags, DevProp_PciDevice_SriovSupport_DidntGetVfBarSpace)) PhAppendStringBuilder2(&stringBuilder, L"DidntGetVfBarSpace, "); if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhPrintPointer(pointer, UlongToPtr(Flags)); PhAppendFormatStringBuilder(&stringBuilder, L" (%s)", pointer); return PhFinalStringBuilderString(&stringBuilder); } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillPciDeviceSriovSupport( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillUInt32Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { Property->AsString = PhpDevPropPciDeviceSriovSupportToString(Property->UInt32); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillBoolean( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeBoolean; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyBoolean( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->Boolean ); } else { Property->Valid = PhpGetDeviceInterfacePropertyBoolean( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->Boolean ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyBoolean( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->Boolean ); } else { Property->Valid = PhpGetDevicePropertyBoolean( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->Boolean ); } } if (Property->Valid) { if (Property->Boolean) { static CONST PH_STRINGREF string = PH_STRINGREF_INIT(L"true"); Property->AsString = PhCreateString2(&string); } else { static CONST PH_STRINGREF string = PH_STRINGREF_INIT(L"false"); Property->AsString = PhCreateString2(&string); } } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillTimeStamp( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeTimeStamp; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyTimeStamp( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->TimeStamp ); } else { Property->Valid = PhpGetDeviceInterfacePropertyTimeStamp( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->TimeStamp ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyTimeStamp( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->TimeStamp ); } else { Property->Valid = PhpGetDevicePropertyTimeStamp( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->TimeStamp ); } } if (Property->Valid) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &Property->TimeStamp); Property->AsString = PhFormatDateTime(&systemTime); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillStringList( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeStringList; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyStringList( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->StringList ); } else { Property->Valid = PhpGetDeviceInterfacePropertyStringList( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->StringList ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyStringList( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->StringList ); } else { Property->Valid = PhpGetDevicePropertyStringList( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->StringList ); } } if (Property->Valid && Property->StringList->Count > 0) { PH_STRING_BUILDER stringBuilder; PPH_STRING string; PhInitializeStringBuilder(&stringBuilder, Property->StringList->Count); for (ULONG i = 0; i < Property->StringList->Count - 1; i++) { string = Property->StringList->Items[i]; PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L", "); } string = Property->StringList->Items[Property->StringList->Count - 1]; PhAppendStringBuilder(&stringBuilder, &string->sr); Property->AsString = PhFinalStringBuilderString(&stringBuilder); PhReferenceObject(Property->AsString); PhDeleteStringBuilder(&stringBuilder); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillStringOrStringList( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillString( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (!Property->Valid) { PhpDevPropFillStringList( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); } } VOID PhpDevPropFillBinaryCommon( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { Property->Type = PhDevicePropertyTypeBinary; if (DeviceInfoData->Interface) { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyBinary( &DeviceInfoData->InterfaceData.InterfaceClassGuid, PropertyKey, DICLASSPROP_INTERFACE, &Property->Binary.Buffer, &Property->Binary.Size ); } else { Property->Valid = PhpGetDeviceInterfacePropertyBinary( DeviceInfoSet, &DeviceInfoData->InterfaceData, PropertyKey, &Property->Binary.Buffer, &Property->Binary.Size ); } } else { if (Flags & DEVPROP_FILL_FLAG_CLASS) { Property->Valid = PhpGetClassPropertyBinary( &DeviceInfoData->DeviceData.ClassGuid, PropertyKey, DICLASSPROP_INSTALLER, &Property->Binary.Buffer, &Property->Binary.Size ); } else { Property->Valid = PhpGetDevicePropertyBinary( DeviceInfoSet, &DeviceInfoData->DeviceData, PropertyKey, &Property->Binary.Buffer, &Property->Binary.Size ); } } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillBinary( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillBinaryCommon( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { Property->AsString = PhBufferToHexString(Property->Binary.Buffer, Property->Binary.Size); } } static const PH_STRINGREF UnknownString = PH_STRINGREF_INIT(L"Unk"); PCPH_STRINGREF PhpDevPowerStateString( _In_ DEVICE_POWER_STATE PowerState ) { static const PH_STRINGREF states[] = { PH_STRINGREF_INIT(L"Uns"), // PowerDeviceUnspecified PH_STRINGREF_INIT(L"D0"), // PowerDeviceD0 PH_STRINGREF_INIT(L"D1"), // PowerDeviceD1 PH_STRINGREF_INIT(L"D2"), // PowerDeviceD2 PH_STRINGREF_INIT(L"D3"), // PowerDeviceD3 PH_STRINGREF_INIT(L"D4"), // PowerDeviceD4 PH_STRINGREF_INIT(L"Max"), // PowerDeviceMaximum }; if (PowerState >= 0 && PowerState < RTL_NUMBER_OF(states)) return &states[PowerState]; return &UnknownString; } PCPH_STRINGREF PhpDevSysPowerStateString( _In_ SYSTEM_POWER_STATE PowerState ) { static const PH_STRINGREF states[] = { PH_STRINGREF_INIT(L"Uns"), // PowerSystemUnspecified PH_STRINGREF_INIT(L"S0"), // PowerSystemWorking PH_STRINGREF_INIT(L"S1"), // PowerSystemSleep1 PH_STRINGREF_INIT(L"S2"), // PowerSystemSleep2 PH_STRINGREF_INIT(L"S3"), // PowerSystemSleep3 PH_STRINGREF_INIT(L"S4"), // PowerSystemHybernate PH_STRINGREF_INIT(L"S5"), // PowerSystemShutdown PH_STRINGREF_INIT(L"Max"), // PowerSystemMaximum }; if (PowerState >= 0 && PowerState < RTL_NUMBER_OF(states)) return &states[PowerState]; return &UnknownString; } PPH_STRING PhpDevSysPowerPowerDataString( _In_ PCM_POWER_DATA PowerData ) { static const PH_ACCESS_ENTRY pdCap[] = { { L"PDCAP_D0_SUPPORTED", PDCAP_D0_SUPPORTED, FALSE, FALSE, L"D0" }, { L"PDCAP_D1_SUPPORTED", PDCAP_D1_SUPPORTED, FALSE, FALSE, L"D1" }, { L"PDCAP_D2_SUPPORTED", PDCAP_D2_SUPPORTED, FALSE, FALSE, L"D2" }, { L"PDCAP_D3_SUPPORTED", PDCAP_D3_SUPPORTED, FALSE, FALSE, L"D3" }, { L"PDCAP_WAKE_FROM_D0_SUPPORTED", PDCAP_WAKE_FROM_D0_SUPPORTED, FALSE, FALSE, L"Wake from D0" }, { L"PDCAP_WAKE_FROM_D1_SUPPORTED", PDCAP_WAKE_FROM_D1_SUPPORTED, FALSE, FALSE, L"Wake from D1" }, { L"PDCAP_WAKE_FROM_D2_SUPPORTED", PDCAP_WAKE_FROM_D2_SUPPORTED, FALSE, FALSE, L"Wake from D2" }, { L"PDCAP_WAKE_FROM_D3_SUPPORTED", PDCAP_WAKE_FROM_D3_SUPPORTED, FALSE, FALSE, L"Wake from D3" }, { L"PDCAP_WARM_EJECT_SUPPORTED", PDCAP_WARM_EJECT_SUPPORTED, FALSE, FALSE, L"Warm eject" }, }; PH_FORMAT format[29]; ULONG count = 0; PPH_STRING capabilities; PPH_STRING string; PhInitFormatSR(&format[count++], *PhpDevPowerStateString(PowerData->PD_MostRecentPowerState)); if (PowerData->PD_D1Latency) { PhInitFormatS(&format[count++], L", "); PhInitFormatU(&format[count++], PowerData->PD_D1Latency); PhInitFormatS(&format[count++], L" D1 latency"); } if (PowerData->PD_D2Latency) { PhInitFormatS(&format[count++], L", "); PhInitFormatU(&format[count++], PowerData->PD_D2Latency); PhInitFormatS(&format[count++], L" D2 latency"); } if (PowerData->PD_D2Latency) { PhInitFormatS(&format[count++], L", "); PhInitFormatU(&format[count++], PowerData->PD_D3Latency); PhInitFormatS(&format[count++], L" D3 latency"); } PhInitFormatS(&format[count++], L", S0->"); PhInitFormatSR(&format[count++], *PhpDevPowerStateString(PowerData->PD_PowerStateMapping[PowerSystemWorking])); PhInitFormatS(&format[count++], L", S1->"); PhInitFormatSR(&format[count++], *PhpDevPowerStateString(PowerData->PD_PowerStateMapping[PowerSystemSleeping1])); PhInitFormatS(&format[count++], L", S2->"); PhInitFormatSR(&format[count++], *PhpDevPowerStateString(PowerData->PD_PowerStateMapping[PowerSystemSleeping2])); PhInitFormatS(&format[count++], L", S3->"); PhInitFormatSR(&format[count++], *PhpDevPowerStateString(PowerData->PD_PowerStateMapping[PowerSystemSleeping3])); PhInitFormatS(&format[count++], L", S4->"); PhInitFormatSR(&format[count++], *PhpDevPowerStateString(PowerData->PD_PowerStateMapping[PowerSystemHibernate])); PhInitFormatS(&format[count++], L", S5->"); PhInitFormatSR(&format[count++], *PhpDevPowerStateString(PowerData->PD_PowerStateMapping[PowerSystemShutdown])); capabilities = PhGetAccessString(PowerData->PD_Capabilities, (PVOID)pdCap, RTL_NUMBER_OF(pdCap)); PhInitFormatS(&format[count++], L", ("); PhInitFormatSR(&format[count++], capabilities->sr); PhInitFormatS(&format[count++], L" (0x"); PhInitFormatX(&format[count++], PowerData->PD_Capabilities); PhInitFormatS(&format[count++], L"))"); if (PowerData->PD_DeepestSystemWake != PowerSystemUnspecified) { PhInitFormatS(&format[count++], L", Deepest wake "); PhInitFormatSR(&format[count++], *PhpDevSysPowerStateString(PowerData->PD_DeepestSystemWake)); } string = PhFormat(format, count, 20); PhClearReference(&capabilities); return string; } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillPowerData( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { PhpDevPropFillBinaryCommon( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (Property->Valid) { if (Property->Binary.Size >= sizeof(CM_POWER_DATA)) Property->AsString = PhpDevSysPowerPowerDataString((PCM_POWER_DATA)Property->Binary.Buffer); else Property->AsString = PhBufferToHexString(Property->Binary.Buffer, Property->Binary.Size); } } _Function_class_(PH_DEVICE_PROPERTY_FILL_CALLBACK) VOID NTAPI PhpDevPropFillUInt32Flags( _In_ HDEVINFO DeviceInfoSet, _In_ PPH_DEVINFO_DATA DeviceInfoData, _In_ const DEVPROPKEY* PropertyKey, _Out_ PPH_DEVICE_PROPERTY Property, _In_ ULONG Flags ) { #define PH_DEVICE_FLAG(x, n) { TEXT(#x), x, FALSE, FALSE, n } static const PH_ACCESS_ENTRY deviceCapabilities[] = { PH_DEVICE_FLAG(CM_DEVCAP_LOCKSUPPORTED, L"Lock supported"), PH_DEVICE_FLAG(CM_DEVCAP_EJECTSUPPORTED, L"Eject supported"), PH_DEVICE_FLAG(CM_DEVCAP_REMOVABLE, L"Removable"), PH_DEVICE_FLAG(CM_DEVCAP_DOCKDEVICE, L"Dock device"), PH_DEVICE_FLAG(CM_DEVCAP_UNIQUEID, L"Unique ID"), PH_DEVICE_FLAG(CM_DEVCAP_SILENTINSTALL, L"Silent install"), PH_DEVICE_FLAG(CM_DEVCAP_RAWDEVICEOK, L"Raw device ok"), PH_DEVICE_FLAG(CM_DEVCAP_SURPRISEREMOVALOK, L"Surprise removal ok"), PH_DEVICE_FLAG(CM_DEVCAP_HARDWAREDISABLED, L"Hardware disabled"), PH_DEVICE_FLAG(CM_DEVCAP_NONDYNAMIC, L"No dynamic"), PH_DEVICE_FLAG(CM_DEVCAP_SECUREDEVICE, L"Secure device"), }; static const PH_ACCESS_ENTRY devNodeStatus[] = { PH_DEVICE_FLAG(DN_ROOT_ENUMERATED, L"Enumerated"), PH_DEVICE_FLAG(DN_DRIVER_LOADED, L"Driver loaded"), PH_DEVICE_FLAG(DN_ENUM_LOADED, L"Enumerator loaded"), PH_DEVICE_FLAG(DN_STARTED, L"Started"), PH_DEVICE_FLAG(DN_MANUAL, L"Manually installed"), PH_DEVICE_FLAG(DN_NEED_TO_ENUM, L"Needs enumerated"), PH_DEVICE_FLAG(DN_DRIVER_BLOCKED, L"Driver blocked"), PH_DEVICE_FLAG(DN_HARDWARE_ENUM, L"Hardware enum"), PH_DEVICE_FLAG(DN_NEED_RESTART, L"Needs reboot"), PH_DEVICE_FLAG(DN_CHILD_WITH_INVALID_ID, L"Child with invalid ID"), PH_DEVICE_FLAG(DN_HAS_PROBLEM, L"Has problem"), PH_DEVICE_FLAG(DN_FILTERED, L"Filtered"), PH_DEVICE_FLAG(DN_LEGACY_DRIVER, L"Legacy driver"), PH_DEVICE_FLAG(DN_DISABLEABLE, L"Disabled"), PH_DEVICE_FLAG(DN_REMOVABLE, L"Removable"), PH_DEVICE_FLAG(DN_PRIVATE_PROBLEM, L"Has problem"), PH_DEVICE_FLAG(DN_QUERY_REMOVE_PENDING, L"Query remove pending"), PH_DEVICE_FLAG(DN_QUERY_REMOVE_ACTIVE, L"Query remove active"), PH_DEVICE_FLAG(DN_WILL_BE_REMOVED, L"Being removed"), PH_DEVICE_FLAG(DN_NOT_FIRST_TIMEE, L"Received config"), PH_DEVICE_FLAG(DN_STOP_FREE_RES, L"To be freed"), PH_DEVICE_FLAG(DN_REBAL_CANDIDATE, L"Rebalance candidate"), PH_DEVICE_FLAG(DN_BAD_PARTIAL, L"Bad partial"), PH_DEVICE_FLAG(DN_NT_ENUMERATOR, L"NT enumerator"), PH_DEVICE_FLAG(DN_NT_DRIVER, L"NT driver"), PH_DEVICE_FLAG(DN_DEVICE_DISCONNECTED, L"Disconnected"), PH_DEVICE_FLAG(DN_ARM_WAKEUP, L"Wakeup device"), PH_DEVICE_FLAG(DN_APM_ENUMERATOR, L"Advanced power enumerator"), PH_DEVICE_FLAG(DN_APM_DRIVER, L"Advanced power aware"), PH_DEVICE_FLAG(DN_SILENT_INSTALL, L"Silent install"), PH_DEVICE_FLAG(DN_NO_SHOW_IN_DM, L"Hidden from device manager"), PH_DEVICE_FLAG(DN_BOOT_LOG_PROB, L"Boot log problem"), }; static const PH_ACCESS_ENTRY characteristics[] = { PH_DEVICE_FLAG(FILE_REMOVABLE_MEDIA, L"Removable media"), PH_DEVICE_FLAG(FILE_READ_ONLY_DEVICE, L"Read only device"), PH_DEVICE_FLAG(FILE_FLOPPY_DISKETTE, L"Floppy disk"), PH_DEVICE_FLAG(FILE_WRITE_ONCE_MEDIA, L"Write once media"), PH_DEVICE_FLAG(FILE_REMOTE_DEVICE, L"Remote device"), PH_DEVICE_FLAG(FILE_DEVICE_IS_MOUNTED, L"Mounted"), PH_DEVICE_FLAG(FILE_VIRTUAL_VOLUME, L"Virtual volume"), PH_DEVICE_FLAG(FILE_AUTOGENERATED_DEVICE_NAME, L"Autogenerated device name"), PH_DEVICE_FLAG(FILE_DEVICE_SECURE_OPEN, L"Secure open"), PH_DEVICE_FLAG(FILE_CHARACTERISTIC_PNP_DEVICE, L"PnP device"), PH_DEVICE_FLAG(FILE_CHARACTERISTIC_TS_DEVICE, L"Terminal services device"), PH_DEVICE_FLAG(FILE_CHARACTERISTIC_WEBDAV_DEVICE, L"WebDAV device"), PH_DEVICE_FLAG(FILE_CHARACTERISTIC_CSV, L"Cluster shared volume"), PH_DEVICE_FLAG(FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL, L"Allow app container traversal"), PH_DEVICE_FLAG(FILE_PORTABLE_DEVICE, L"Portable device"), PH_DEVICE_FLAG(FILE_REMOTE_DEVICE_VSMB, L"Virtual SCSI device"), PH_DEVICE_FLAG(FILE_DEVICE_REQUIRE_SECURITY_CHECK, L"Require security check"), }; static const PH_ACCESS_ENTRY nameAttributes[] = { PH_DEVICE_FLAG(CM_NAME_ATTRIBUTE_NAME_RETRIEVED_FROM_DEVICE, L"Retrieved from device"), PH_DEVICE_FLAG(CM_NAME_ATTRIBUTE_USER_ASSIGNED_NAME, L"User assigned name"), }; PPH_ACCESS_ENTRY entries = NULL; ULONG count = 0; PhpDevPropFillUInt32Common( DeviceInfoSet, DeviceInfoData, PropertyKey, Property, Flags ); if (PropertyKey == &DEVPKEY_Device_DevNodeStatus) { entries = (PPH_ACCESS_ENTRY)devNodeStatus; count = RTL_NUMBER_OF(devNodeStatus); } else if (PropertyKey == &DEVPKEY_Device_Capabilities) { entries = (PPH_ACCESS_ENTRY)deviceCapabilities; count = RTL_NUMBER_OF(deviceCapabilities); } else if (PropertyKey == &DEVPKEY_Device_Characteristics || PropertyKey == &DEVPKEY_DeviceClass_Characteristics) { entries = (PPH_ACCESS_ENTRY)characteristics; count = RTL_NUMBER_OF(characteristics); } else if (PropertyKey == &DEVPKEY_Device_FriendlyNameAttributes) { entries = (PPH_ACCESS_ENTRY)nameAttributes; count = RTL_NUMBER_OF(nameAttributes); } if (entries) { if (Property->UInt32) { PH_FORMAT format[4]; PPH_STRING string; string = PhGetAccessString(Property->UInt32, entries, count); PhInitFormatSR(&format[0], string->sr); PhInitFormatS(&format[1], L" (0x"); PhInitFormatX(&format[2], Property->UInt32); PhInitFormatS(&format[3], L")"); Property->AsString = PhFormat(format, ARRAYSIZE(format), 10); PhDereferenceObject(string); } else { Property->AsString = PhReferenceEmptyString(); } } else { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"0x"); PhInitFormatIX(&format[1], Property->UInt32); Property->AsString = PhFormat(format, ARRAYSIZE(format), 10); } } static const PH_DEVICE_PROPERTY_TABLE_ENTRY PhpDeviceItemPropertyTable[] = { { PhDevicePropertyName, &DEVPKEY_NAME, PhpDevPropFillString, 0 }, { PhDevicePropertyManufacturer, &DEVPKEY_Device_Manufacturer, PhpDevPropFillString, 0 }, { PhDevicePropertyService, &DEVPKEY_Device_Service, PhpDevPropFillString, 0 }, { PhDevicePropertyClass, &DEVPKEY_Device_Class, PhpDevPropFillString, 0 }, { PhDevicePropertyEnumeratorName, &DEVPKEY_Device_EnumeratorName, PhpDevPropFillString, 0 }, { PhDevicePropertyInstallDate, &DEVPKEY_Device_InstallDate, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyFirstInstallDate, &DEVPKEY_Device_FirstInstallDate, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyLastArrivalDate, &DEVPKEY_Device_LastArrivalDate, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyLastRemovalDate, &DEVPKEY_Device_LastRemovalDate, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyDeviceDesc, &DEVPKEY_Device_DeviceDesc, PhpDevPropFillString, 0 }, { PhDevicePropertyFriendlyName, &DEVPKEY_Device_FriendlyName, PhpDevPropFillString, 0 }, { PhDevicePropertyInstanceId, &DEVPKEY_Device_InstanceId, PhpDevPropFillString, 0 }, { PhDevicePropertyParentInstanceId, &DEVPKEY_Device_Parent, PhpDevPropFillString, 0 }, { PhDevicePropertyPDOName, &DEVPKEY_Device_PDOName, PhpDevPropFillString, 0 }, { PhDevicePropertyLocationInfo, &DEVPKEY_Device_LocationInfo, PhpDevPropFillString, 0 }, { PhDevicePropertyClassGuid, &DEVPKEY_Device_ClassGuid, PhpDevPropFillGuid, 0 }, { PhDevicePropertyDriver, &DEVPKEY_Device_Driver, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverVersion, &DEVPKEY_Device_DriverVersion, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverDate, &DEVPKEY_Device_DriverDate, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyFirmwareDate, &DEVPKEY_Device_FirmwareDate, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyFirmwareVersion, &DEVPKEY_Device_FirmwareVersion, PhpDevPropFillString, 0 }, { PhDevicePropertyFirmwareRevision, &DEVPKEY_Device_FirmwareRevision, PhpDevPropFillString, 0 }, { PhDevicePropertyHasProblem, &DEVPKEY_Device_HasProblem, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyProblemCode, &DEVPKEY_Device_ProblemCode, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyProblemStatus, &DEVPKEY_Device_ProblemStatus, PhpDevPropFillNTSTATUS, 0 }, { PhDevicePropertyDevNodeStatus, &DEVPKEY_Device_DevNodeStatus, PhpDevPropFillUInt32Flags, 0 }, { PhDevicePropertyDevCapabilities, &DEVPKEY_Device_Capabilities, PhpDevPropFillUInt32Flags, 0 }, { PhDevicePropertyUpperFilters, &DEVPKEY_Device_UpperFilters, PhpDevPropFillStringList, 0 }, { PhDevicePropertyLowerFilters, &DEVPKEY_Device_LowerFilters, PhpDevPropFillStringList, 0 }, { PhDevicePropertyHardwareIds, &DEVPKEY_Device_HardwareIds, PhpDevPropFillStringList, 0 }, { PhDevicePropertyCompatibleIds, &DEVPKEY_Device_CompatibleIds, PhpDevPropFillStringList, 0 }, { PhDevicePropertyConfigFlags, &DEVPKEY_Device_ConfigFlags, PhpDevPropFillUInt32Hex, 0 }, { PhDevicePropertyUINumber, &DEVPKEY_Device_UINumber, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyBusTypeGuid, &DEVPKEY_Device_BusTypeGuid, PhpDevPropFillGuid, 0 }, { PhDevicePropertyLegacyBusType, &DEVPKEY_Device_LegacyBusType, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyBusNumber, &DEVPKEY_Device_BusNumber, PhpDevPropFillUInt32, 0 }, { PhDevicePropertySecurity, &DEVPKEY_Device_Security, PhpDevPropFillBinary, 0 }, // DEVPROP_TYPE_SECURITY_DESCRIPTOR as binary, PhDevicePropertySecuritySDS for string { PhDevicePropertySecuritySDS, &DEVPKEY_Device_SecuritySDS, PhpDevPropFillString, 0 }, { PhDevicePropertyDevType, &DEVPKEY_Device_DevType, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyExclusive, &DEVPKEY_Device_Exclusive, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyCharacteristics, &DEVPKEY_Device_Characteristics, PhpDevPropFillUInt32Flags, 0 }, { PhDevicePropertyAddress, &DEVPKEY_Device_Address, PhpDevPropFillUInt32Hex, 0 }, { PhDevicePropertyPowerData, &DEVPKEY_Device_PowerData, PhpDevPropFillPowerData, 0 }, { PhDevicePropertyRemovalPolicy, &DEVPKEY_Device_RemovalPolicy, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyRemovalPolicyDefault, &DEVPKEY_Device_RemovalPolicyDefault, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyRemovalPolicyOverride, &DEVPKEY_Device_RemovalPolicyOverride, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyInstallState, &DEVPKEY_Device_InstallState, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyLocationPaths, &DEVPKEY_Device_LocationPaths, PhpDevPropFillStringList, 0 }, { PhDevicePropertyBaseContainerId, &DEVPKEY_Device_BaseContainerId, PhpDevPropFillGuid, 0 }, { PhDevicePropertyEjectionRelations, &DEVPKEY_Device_EjectionRelations, PhpDevPropFillStringList, 0 }, { PhDevicePropertyRemovalRelations, &DEVPKEY_Device_RemovalRelations, PhpDevPropFillStringList, 0 }, { PhDevicePropertyPowerRelations, &DEVPKEY_Device_PowerRelations, PhpDevPropFillStringList, 0 }, { PhDevicePropertyBusRelations, &DEVPKEY_Device_BusRelations, PhpDevPropFillStringList, 0 }, { PhDevicePropertyChildren, &DEVPKEY_Device_Children, PhpDevPropFillStringList, 0 }, { PhDevicePropertySiblings, &DEVPKEY_Device_Siblings, PhpDevPropFillStringList, 0 }, { PhDevicePropertyTransportRelations, &DEVPKEY_Device_TransportRelations, PhpDevPropFillStringList, 0 }, { PhDevicePropertyReported, &DEVPKEY_Device_Reported, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyLegacy, &DEVPKEY_Device_Legacy, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerId, &DEVPKEY_Device_ContainerId, PhpDevPropFillGuid, 0 }, { PhDevicePropertyInLocalMachineContainer, &DEVPKEY_Device_InLocalMachineContainer, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyModel, &DEVPKEY_Device_Model, PhpDevPropFillString, 0 }, { PhDevicePropertyModelId, &DEVPKEY_Device_ModelId, PhpDevPropFillGuid, 0 }, { PhDevicePropertyFriendlyNameAttributes, &DEVPKEY_Device_FriendlyNameAttributes, PhpDevPropFillUInt32Flags, 0 }, { PhDevicePropertyManufacturerAttributes, &DEVPKEY_Device_ManufacturerAttributes, PhpDevPropFillUInt32Hex, 0 }, { PhDevicePropertyPresenceNotForDevice, &DEVPKEY_Device_PresenceNotForDevice, PhpDevPropFillBoolean, 0 }, { PhDevicePropertySignalStrength, &DEVPKEY_Device_SignalStrength, PhpDevPropFillInt32, 0 }, { PhDevicePropertyIsAssociateableByUserAction, &DEVPKEY_Device_IsAssociateableByUserAction, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyShowInUninstallUI, &DEVPKEY_Device_ShowInUninstallUI, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyNumaProximityDomain, &DEVPKEY_Device_Numa_Proximity_Domain, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyDHPRebalancePolicy, &DEVPKEY_Device_DHP_Rebalance_Policy, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyNumaNode, &DEVPKEY_Device_Numa_Node, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyBusReportedDeviceDesc, &DEVPKEY_Device_BusReportedDeviceDesc, PhpDevPropFillString, 0 }, { PhDevicePropertyIsPresent, &DEVPKEY_Device_IsPresent, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyConfigurationId, &DEVPKEY_Device_ConfigurationId, PhpDevPropFillString, 0 }, { PhDevicePropertyReportedDeviceIdsHash, &DEVPKEY_Device_ReportedDeviceIdsHash, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPhysicalDeviceLocation, &DEVPKEY_Device_PhysicalDeviceLocation, PhpDevPropFillBinary, 0 }, // TODO(jxy-s) look into ACPI 4.0a Specification, section 6.1.6 for AsString formatting { PhDevicePropertyBiosDeviceName, &DEVPKEY_Device_BiosDeviceName, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverProblemDesc, &DEVPKEY_Device_DriverProblemDesc, PhpDevPropFillString, 0 }, { PhDevicePropertyDebuggerSafe, &DEVPKEY_Device_DebuggerSafe, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPostInstallInProgress, &DEVPKEY_Device_PostInstallInProgress, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyStack, &DEVPKEY_Device_Stack, PhpDevPropFillStringList, 0 }, { PhDevicePropertyExtendedConfigurationIds, &DEVPKEY_Device_ExtendedConfigurationIds, PhpDevPropFillStringList, 0 }, { PhDevicePropertyIsRebootRequired, &DEVPKEY_Device_IsRebootRequired, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyDependencyProviders, &DEVPKEY_Device_DependencyProviders, PhpDevPropFillStringList, 0 }, { PhDevicePropertyDependencyDependents, &DEVPKEY_Device_DependencyDependents, PhpDevPropFillStringList, 0 }, { PhDevicePropertySoftRestartSupported, &DEVPKEY_Device_SoftRestartSupported, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyExtendedAddress, &DEVPKEY_Device_ExtendedAddress, PhpDevPropFillUInt64Hex, 0 }, { PhDevicePropertyAssignedToGuest, &DEVPKEY_Device_AssignedToGuest, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyCreatorProcessId, &DEVPKEY_Device_CreatorProcessId, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyFirmwareVendor, &DEVPKEY_Device_FirmwareVendor, PhpDevPropFillString, 0 }, { PhDevicePropertySessionId, &DEVPKEY_Device_SessionId, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyDriverDesc, &DEVPKEY_Device_DriverDesc, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverInfPath, &DEVPKEY_Device_DriverInfPath, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverInfSection, &DEVPKEY_Device_DriverInfSection, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverInfSectionExt, &DEVPKEY_Device_DriverInfSectionExt, PhpDevPropFillString, 0 }, { PhDevicePropertyMatchingDeviceId, &DEVPKEY_Device_MatchingDeviceId, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverProvider, &DEVPKEY_Device_DriverProvider, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverPropPageProvider, &DEVPKEY_Device_DriverPropPageProvider, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverCoInstallers, &DEVPKEY_Device_DriverCoInstallers, PhpDevPropFillStringList, 0 }, { PhDevicePropertyResourcePickerTags, &DEVPKEY_Device_ResourcePickerTags, PhpDevPropFillString, 0 }, { PhDevicePropertyResourcePickerExceptions, &DEVPKEY_Device_ResourcePickerExceptions, PhpDevPropFillString, 0 }, { PhDevicePropertyDriverRank, &DEVPKEY_Device_DriverRank, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyDriverLogoLevel, &DEVPKEY_Device_DriverLogoLevel, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyNoConnectSound, &DEVPKEY_Device_NoConnectSound, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyGenericDriverInstalled, &DEVPKEY_Device_GenericDriverInstalled, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyAdditionalSoftwareRequested, &DEVPKEY_Device_AdditionalSoftwareRequested, PhpDevPropFillBoolean, 0 }, { PhDevicePropertySafeRemovalRequired, &DEVPKEY_Device_SafeRemovalRequired, PhpDevPropFillBoolean, 0 }, { PhDevicePropertySafeRemovalRequiredOverride, &DEVPKEY_Device_SafeRemovalRequiredOverride, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyPkgModel, &DEVPKEY_DrvPkg_Model, PhpDevPropFillString, 0 }, { PhDevicePropertyPkgVendorWebSite, &DEVPKEY_DrvPkg_VendorWebSite, PhpDevPropFillString, 0 }, { PhDevicePropertyPkgDetailedDescription, &DEVPKEY_DrvPkg_DetailedDescription, PhpDevPropFillString, 0 }, { PhDevicePropertyPkgDocumentationLink, &DEVPKEY_DrvPkg_DocumentationLink, PhpDevPropFillString, 0 }, { PhDevicePropertyPkgIcon, &DEVPKEY_DrvPkg_Icon, PhpDevPropFillStringList, 0 }, { PhDevicePropertyPkgBrandingIcon, &DEVPKEY_DrvPkg_BrandingIcon, PhpDevPropFillStringList, 0 }, { PhDevicePropertyClassUpperFilters, &DEVPKEY_DeviceClass_UpperFilters, PhpDevPropFillStringList, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassLowerFilters, &DEVPKEY_DeviceClass_LowerFilters, PhpDevPropFillStringList, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassSecurity, &DEVPKEY_DeviceClass_Security, PhpDevPropFillBinary, DEVPROP_FILL_FLAG_CLASS }, // DEVPROP_TYPE_SECURITY_DESCRIPTOR as binary, PhDevicePropertyClassSecuritySDS for string { PhDevicePropertyClassSecuritySDS, &DEVPKEY_DeviceClass_SecuritySDS, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassDevType, &DEVPKEY_DeviceClass_DevType, PhpDevPropFillUInt32, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassExclusive, &DEVPKEY_DeviceClass_Exclusive, PhpDevPropFillBoolean, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassCharacteristics, &DEVPKEY_DeviceClass_Characteristics, PhpDevPropFillUInt32Flags, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassName, &DEVPKEY_DeviceClass_Name, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassClassName, &DEVPKEY_DeviceClass_ClassName, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassIcon, &DEVPKEY_DeviceClass_Icon, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassClassInstaller, &DEVPKEY_DeviceClass_ClassInstaller, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassPropPageProvider, &DEVPKEY_DeviceClass_PropPageProvider, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassNoInstallClass, &DEVPKEY_DeviceClass_NoInstallClass, PhpDevPropFillBoolean, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassNoDisplayClass, &DEVPKEY_DeviceClass_NoDisplayClass, PhpDevPropFillBoolean, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassSilentInstall, &DEVPKEY_DeviceClass_SilentInstall, PhpDevPropFillBoolean, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassNoUseClass, &DEVPKEY_DeviceClass_NoUseClass, PhpDevPropFillBoolean, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassDefaultService, &DEVPKEY_DeviceClass_DefaultService, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassIconPath, &DEVPKEY_DeviceClass_IconPath, PhpDevPropFillStringList, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassDHPRebalanceOptOut, &DEVPKEY_DeviceClass_DHPRebalanceOptOut, PhpDevPropFillBoolean, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyClassClassCoInstallers, &DEVPKEY_DeviceClass_ClassCoInstallers, PhpDevPropFillStringList, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyInterfaceFriendlyName, &DEVPKEY_DeviceInterface_FriendlyName, PhpDevPropFillString, 0 }, { PhDevicePropertyInterfaceEnabled, &DEVPKEY_DeviceInterface_Enabled, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyInterfaceClassGuid, &DEVPKEY_DeviceInterface_ClassGuid, PhpDevPropFillGuid, 0 }, { PhDevicePropertyInterfaceReferenceString, &DEVPKEY_DeviceInterface_ReferenceString, PhpDevPropFillString, 0 }, { PhDevicePropertyInterfaceRestricted, &DEVPKEY_DeviceInterface_Restricted, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyInterfaceUnrestrictedAppCapabilities, &DEVPKEY_DeviceInterface_UnrestrictedAppCapabilities, PhpDevPropFillStringList, 0 }, { PhDevicePropertyInterfaceSchematicName, &DEVPKEY_DeviceInterface_SchematicName, PhpDevPropFillString, 0 }, { PhDevicePropertyInterfaceClassDefaultInterface, &DEVPKEY_DeviceInterfaceClass_DefaultInterface, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyInterfaceClassName, &DEVPKEY_DeviceInterfaceClass_Name, PhpDevPropFillString, DEVPROP_FILL_FLAG_CLASS }, { PhDevicePropertyContainerAddress, &DEVPKEY_DeviceContainer_Address, PhpDevPropFillStringOrStringList, 0 }, { PhDevicePropertyContainerDiscoveryMethod, &DEVPKEY_DeviceContainer_DiscoveryMethod, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerIsEncrypted, &DEVPKEY_DeviceContainer_IsEncrypted, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsAuthenticated, &DEVPKEY_DeviceContainer_IsAuthenticated, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsConnected, &DEVPKEY_DeviceContainer_IsConnected, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsPaired, &DEVPKEY_DeviceContainer_IsPaired, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIcon, &DEVPKEY_DeviceContainer_Icon, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerVersion, &DEVPKEY_DeviceContainer_Version, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerLastSeen, &DEVPKEY_DeviceContainer_Last_Seen, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyContainerLastConnected, &DEVPKEY_DeviceContainer_Last_Connected, PhpDevPropFillTimeStamp, 0 }, { PhDevicePropertyContainerIsShowInDisconnectedState, &DEVPKEY_DeviceContainer_IsShowInDisconnectedState, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsLocalMachine, &DEVPKEY_DeviceContainer_IsLocalMachine, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerMetadataPath, &DEVPKEY_DeviceContainer_MetadataPath, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerIsMetadataSearchInProgress, &DEVPKEY_DeviceContainer_IsMetadataSearchInProgress, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsMetadataChecksum, &DEVPKEY_DeviceContainer_MetadataChecksum, PhpDevPropFillBinary, 0 }, { PhDevicePropertyContainerIsNotInterestingForDisplay, &DEVPKEY_DeviceContainer_IsNotInterestingForDisplay, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerLaunchDeviceStageOnDeviceConnect, &DEVPKEY_DeviceContainer_LaunchDeviceStageOnDeviceConnect, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerLaunchDeviceStageFromExplorer, &DEVPKEY_DeviceContainer_LaunchDeviceStageFromExplorer, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerBaselineExperienceId, &DEVPKEY_DeviceContainer_BaselineExperienceId, PhpDevPropFillGuid, 0 }, { PhDevicePropertyContainerIsDeviceUniquelyIdentifiable, &DEVPKEY_DeviceContainer_IsDeviceUniquelyIdentifiable, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerAssociationArray, &DEVPKEY_DeviceContainer_AssociationArray, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerDeviceDescription1, &DEVPKEY_DeviceContainer_DeviceDescription1, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerDeviceDescription2, &DEVPKEY_DeviceContainer_DeviceDescription2, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerHasProblem, &DEVPKEY_DeviceContainer_HasProblem, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsSharedDevice, &DEVPKEY_DeviceContainer_IsSharedDevice, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsNetworkDevice, &DEVPKEY_DeviceContainer_IsNetworkDevice, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerIsDefaultDevice, &DEVPKEY_DeviceContainer_IsDefaultDevice, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerMetadataCabinet, &DEVPKEY_DeviceContainer_MetadataCabinet, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerRequiresPairingElevation, &DEVPKEY_DeviceContainer_RequiresPairingElevation, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerExperienceId, &DEVPKEY_DeviceContainer_ExperienceId, PhpDevPropFillGuid, 0 }, { PhDevicePropertyContainerCategory, &DEVPKEY_DeviceContainer_Category, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerCategoryDescSingular, &DEVPKEY_DeviceContainer_Category_Desc_Singular, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerCategoryDescPlural, &DEVPKEY_DeviceContainer_Category_Desc_Plural, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerCategoryIcon, &DEVPKEY_DeviceContainer_Category_Icon, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerCategoryGroupDesc, &DEVPKEY_DeviceContainer_CategoryGroup_Desc, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerCategoryGroupIcon, &DEVPKEY_DeviceContainer_CategoryGroup_Icon, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerPrimaryCategory, &DEVPKEY_DeviceContainer_PrimaryCategory, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerUnpairUninstall, &DEVPKEY_DeviceContainer_UnpairUninstall, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerRequiresUninstallElevation, &DEVPKEY_DeviceContainer_RequiresUninstallElevation, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerDeviceFunctionSubRank, &DEVPKEY_DeviceContainer_DeviceFunctionSubRank, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyContainerAlwaysShowDeviceAsConnected, &DEVPKEY_DeviceContainer_AlwaysShowDeviceAsConnected, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerConfigFlags, &DEVPKEY_DeviceContainer_ConfigFlags, PhpDevPropFillUInt32Hex, 0 }, { PhDevicePropertyContainerPrivilegedPackageFamilyNames, &DEVPKEY_DeviceContainer_PrivilegedPackageFamilyNames, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerCustomPrivilegedPackageFamilyNames, &DEVPKEY_DeviceContainer_CustomPrivilegedPackageFamilyNames, PhpDevPropFillStringList, 0 }, { PhDevicePropertyContainerIsRebootRequired, &DEVPKEY_DeviceContainer_IsRebootRequired, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyContainerFriendlyName, &DEVPKEY_DeviceContainer_FriendlyName, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerManufacturer, &DEVPKEY_DeviceContainer_Manufacturer, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerModelName, &DEVPKEY_DeviceContainer_ModelName, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerModelNumber, &DEVPKEY_DeviceContainer_ModelNumber, PhpDevPropFillString, 0 }, { PhDevicePropertyContainerInstallInProgress, &DEVPKEY_DeviceContainer_InstallInProgress, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyObjectType, &DEVPKEY_DevQuery_ObjectType, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciDeviceType, &DEVPKEY_PciDevice_DeviceType, PhpDevPropFillPciDeviceType, 0 }, { PhDevicePropertyPciCurrentSpeedAndMode, &DEVPKEY_PciDevice_CurrentSpeedAndMode, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciBaseClass, &DEVPKEY_PciDevice_BaseClass, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciSubClass, &DEVPKEY_PciDevice_SubClass, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciProgIf, &DEVPKEY_PciDevice_ProgIf, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciCurrentPayloadSize, &DEVPKEY_PciDevice_CurrentPayloadSize, PhpDevPropFillPciDeviceRequestSize, 0 }, { PhDevicePropertyPciMaxPayloadSize, &DEVPKEY_PciDevice_MaxPayloadSize, PhpDevPropFillPciDeviceRequestSize, 0 }, { PhDevicePropertyPciMaxReadRequestSize, &DEVPKEY_PciDevice_MaxReadRequestSize, PhpDevPropFillPciDeviceRequestSize, 0 }, { PhDevicePropertyPciCurrentLinkSpeed, &DEVPKEY_PciDevice_CurrentLinkSpeed, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciCurrentLinkWidth, &DEVPKEY_PciDevice_CurrentLinkWidth, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciMaxLinkSpeed, &DEVPKEY_PciDevice_MaxLinkSpeed, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciMaxLinkWidth, &DEVPKEY_PciDevice_MaxLinkWidth, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciExpressSpecVersion, &DEVPKEY_PciDevice_ExpressSpecVersion, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciInterruptSupport, &DEVPKEY_PciDevice_InterruptSupport, PhpDevPropFillPciDeviceInterruptSupport, 0 }, { PhDevicePropertyPciInterruptMessageMaximum, &DEVPKEY_PciDevice_InterruptMessageMaximum, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciBarTypes, &DEVPKEY_PciDevice_BarTypes, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciSriovSupport, &DEVPKEY_PciDevice_SriovSupport, PhpDevPropFillPciDeviceSriovSupport, 0 }, { PhDevicePropertyPciLabel_Id, &DEVPKEY_PciDevice_Label_Id, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciLabel_String, &DEVPKEY_PciDevice_Label_String, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciSerialNumber, &DEVPKEY_PciDevice_SerialNumber, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyPciExpressCapabilityControl, &DEVPKEY_PciRootBus_PCIExpressCapabilityControl, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyPciNativeExpressControl, &DEVPKEY_PciRootBus_NativePciExpressControl, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyPciSystemMsiSupport, &DEVPKEY_PciRootBus_SystemMsiSupport, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyStoragePortable, &DEVPKEY_Storage_Portable, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyStorageRemovableMedia, &DEVPKEY_Storage_Removable_Media, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyStorageSystemCritical, &DEVPKEY_Storage_System_Critical, PhpDevPropFillBoolean, 0 }, { PhDevicePropertyStorageDiskNumber, &DEVPKEY_Storage_Disk_Number, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyStoragePartitionNumber, &DEVPKEY_Storage_Partition_Number, PhpDevPropFillUInt32, 0 }, { PhDevicePropertyGpuLuid, &DEVPKEY_Gpu_Luid, PhpDevPropFillUInt64, 0 }, { PhDevicePropertyGpuPhysicalAdapterIndex, &DEVPKEY_Gpu_PhysicalAdapterIndex, PhpDevPropFillUInt32, 0 }, }; C_ASSERT(RTL_NUMBER_OF(PhpDeviceItemPropertyTable) == PhMaxDeviceProperty); #ifdef DEBUG static BOOLEAN PhpBreakOnDeviceProperty = FALSE; static PH_DEVICE_PROPERTY_CLASS PhpBreakOnDevicePropertyClass = 0; #endif PPH_DEVICE_PROPERTY PhGetDeviceProperty( _In_ PPH_DEVICE_ITEM Item, _In_ PH_DEVICE_PROPERTY_CLASS Class ) { PPH_DEVICE_PROPERTY prop; prop = &Item->Properties[Class]; if (!prop->Initialized) { const PH_DEVICE_PROPERTY_TABLE_ENTRY* entry; entry = &PhpDeviceItemPropertyTable[Class]; #ifdef DEBUG if (PhpBreakOnDeviceProperty && (PhpBreakOnDevicePropertyClass == Class)) __debugbreak(); #endif entry->Callback( Item->DeviceInfo->Handle, &Item->DeviceInfoData, entry->PropKey, prop, entry->CallbackFlags ); prop->Initialized = TRUE; } return prop; } BOOLEAN PhLookupDevicePropertyClass( _In_ const DEVPROPKEY* Key, _Out_ PPH_DEVICE_PROPERTY_CLASS Class ) { for (ULONG i = 0; i < RTL_NUMBER_OF(PhpDeviceItemPropertyTable); i++) { const PH_DEVICE_PROPERTY_TABLE_ENTRY* entry = &PhpDeviceItemPropertyTable[i]; if (IsEqualDevPropKey(*Key, *entry->PropKey)) { *Class = entry->PropClass; return TRUE; } } *Class = PhMaxDeviceProperty; return FALSE; } HICON PhGetDeviceIcon( _In_ PPH_DEVICE_ITEM Item, _In_ PPH_INTEGER_PAIR IconSize ) { HICON iconHandle; if (Item->DeviceInfoData.Interface) { // try to give the icon for the parent device if (Item->Parent && !Item->Parent->DeviceInfoData.Interface) { if (!SetupDiLoadDeviceIcon( Item->Parent->DeviceInfo->Handle, &Item->Parent->DeviceInfoData.DeviceData, IconSize->X, IconSize->Y, 0, &iconHandle )) { iconHandle = NULL; } } else { iconHandle = NULL; } } else { if (!SetupDiLoadDeviceIcon( Item->DeviceInfo->Handle, &Item->DeviceInfoData.DeviceData, IconSize->X, IconSize->Y, 0, &iconHandle )) { iconHandle = NULL; } } return iconHandle; } ULONG PhpGenerateInstanceIdHash( _In_ PPH_STRINGREF InstanceId ) { return PhHashStringRefEx(InstanceId, TRUE, PH_STRING_HASH_X65599); } static int __cdecl PhpDeviceItemSortFunction( const void* Left, const void* Right ) { PPH_DEVICE_ITEM lhsItem; PPH_DEVICE_ITEM rhsItem; lhsItem = *(PPH_DEVICE_ITEM*)Left; rhsItem = *(PPH_DEVICE_ITEM*)Right; return uintcmp(lhsItem->InstanceIdHash, rhsItem->InstanceIdHash); } static int __cdecl PhpDeviceItemSearchFunction( const void* Hash, const void* Item ) { PPH_DEVICE_ITEM item; item = *(PPH_DEVICE_ITEM*)Item; return uintcmp(PtrToUlong(Hash), item->InstanceIdHash); } _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM PhLookupDeviceItemByHash( _In_ PPH_DEVICE_TREE Tree, _In_ ULONG InstanceIdHash ) { PPH_DEVICE_ITEM* deviceItem; deviceItem = bsearch( UlongToPtr(InstanceIdHash), Tree->DeviceList->Items, Tree->DeviceList->Count, sizeof(PVOID), PhpDeviceItemSearchFunction ); return deviceItem ? *deviceItem : NULL; } _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM PhLookupDeviceItem( _In_ PPH_DEVICE_TREE Tree, _In_ PPH_STRINGREF InstanceId ) { return PhLookupDeviceItemByHash(Tree, PhpGenerateInstanceIdHash(InstanceId)); } _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM PhReferenceDeviceItemByHash( _In_ PPH_DEVICE_TREE Tree, _In_ ULONG InstanceIdHash ) { PPH_DEVICE_ITEM deviceItem; PhSetReference(&deviceItem, PhLookupDeviceItemByHash(Tree, InstanceIdHash)); return deviceItem; } _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM PhReferenceDeviceItem( _In_ PPH_DEVICE_TREE Tree, _In_ PPH_STRINGREF InstanceId ) { PPH_DEVICE_ITEM deviceItem; PhSetReference(&deviceItem, PhLookupDeviceItem(Tree, InstanceId)); return deviceItem; } _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM PhReferenceDeviceItem2( _In_ PPH_STRINGREF InstanceId ) { PPH_DEVICE_TREE tree; PPH_DEVICE_ITEM deviceItem; tree = PhReferenceDeviceTree(); PhSetReference(&deviceItem, PhLookupDeviceItem(tree, InstanceId)); PhClearReference(&tree); return deviceItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpDeviceInfoDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_DEVINFO info = Object; if (info->Handle != INVALID_HANDLE_VALUE) { SetupDiDestroyDeviceInfoList(info->Handle); info->Handle = INVALID_HANDLE_VALUE; } } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpDeviceItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_DEVICE_ITEM item = Object; for (ULONG i = 0; i < ARRAYSIZE(item->Properties); i++) { PPH_DEVICE_PROPERTY prop; prop = &item->Properties[i]; if (prop->Valid) { if (prop->Type == PhDevicePropertyTypeString) { PhClearReference(&prop->String); } else if (prop->Type == PhDevicePropertyTypeStringList) { for (ULONG j = 0; j < prop->StringList->Count; j++) { PhClearReference(&prop->StringList->Items[j]); } PhClearReference(&prop->StringList); } else if (prop->Type == PhDevicePropertyTypeBinary) { #pragma warning(suppress : 6001) // buffer is valid and initialized PhFree(prop->Binary.Buffer); } } PhClearReference(&prop->AsString); } PhClearReference(&item->InstanceId); PhClearReference(&item->ParentInstanceId); PhClearReference(&item->DeviceInfo); } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpDeviceTreeDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_DEVICE_TREE tree = Object; for (ULONG i = 0; i < tree->DeviceList->Count; i++) { PPH_DEVICE_ITEM item; item = tree->DeviceList->Items[i]; PhClearReference(&item); } for (ULONG i = 0; i < tree->DeviceInterfaceList->Count; i++) { PPH_DEVICE_ITEM item; item = tree->DeviceInterfaceList->Items[i]; PhClearReference(&item); } PhClearReference(&tree->DeviceList); PhClearReference(&tree->DeviceInterfaceList); PhClearReference(&tree->DeviceInfo); } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpDeviceNotifyDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_DEVICE_NOTIFY notify = Object; if (notify->Action == PhDeviceNotifyInstanceEnumerated || notify->Action == PhDeviceNotifyInstanceStarted || notify->Action == PhDeviceNotifyInstanceRemoved) { PhClearReference(¬ify->DeviceInstance.InstanceId); } } PPH_DEVICE_ITEM NTAPI PhpAddDeviceItem( _In_ PPH_DEVICE_TREE Tree, _In_ PSP_DEVINFO_DATA DeviceInfoData ) { PPH_DEVICE_ITEM item; item = PhCreateObjectZero(sizeof(PH_DEVICE_ITEM), PhDeviceItemType); item->Tree = Tree; item->DeviceInfo = PhReferenceObject(Tree->DeviceInfo); RtlCopyMemory(&item->DeviceInfoData.DeviceData, DeviceInfoData, sizeof(SP_DEVINFO_DATA)); RtlCopyMemory(&item->ClassGuid, &DeviceInfoData->ClassGuid, sizeof(GUID)); // // Only get the minimum here, the rest will be retrieved later if necessary. // For convenience later, other frequently referenced items are gotten here too. // item->InstanceId = PhGetDeviceProperty(item, PhDevicePropertyInstanceId)->AsString; if (item->InstanceId) { item->InstanceIdHash = PhpGenerateInstanceIdHash(&item->InstanceId->sr); // // If this is the root enumerator override some properties. // //if (PhEqualStringRef(&item->InstanceId->sr, &RootInstanceId, TRUE)) if (item->InstanceIdHash == RootInstanceIdHash) { PPH_DEVICE_PROPERTY prop; prop = &item->Properties[PhDevicePropertyName]; assert(!prop->Initialized); prop->AsString = PhGetActiveComputerName(); prop->Initialized = TRUE; } PhReferenceObject(item->InstanceId); } item->ParentInstanceId = PhGetDeviceProperty(item, PhDevicePropertyParentInstanceId)->AsString; if (item->ParentInstanceId) PhReferenceObject(item->ParentInstanceId); PhGetDeviceProperty(item, PhDevicePropertyProblemCode); if (item->Properties[PhDevicePropertyProblemCode].Valid) item->ProblemCode = item->Properties[PhDevicePropertyProblemCode].UInt32; else item->ProblemCode = CM_PROB_PHANTOM; PhGetDeviceProperty(item, PhDevicePropertyDevNodeStatus); if (item->Properties[PhDevicePropertyDevNodeStatus].Valid) item->DevNodeStatus = item->Properties[PhDevicePropertyDevNodeStatus].UInt32; else item->DevNodeStatus = 0; PhGetDeviceProperty(item, PhDevicePropertyDevCapabilities); if (item->Properties[PhDevicePropertyDevCapabilities].Valid) item->Capabilities = item->Properties[PhDevicePropertyDevCapabilities].UInt32; else item->Capabilities = 0; PhGetDeviceProperty(item, PhDevicePropertyUpperFilters); PhGetDeviceProperty(item, PhDevicePropertyClassUpperFilters); if ((item->Properties[PhDevicePropertyUpperFilters].Valid && (item->Properties[PhDevicePropertyUpperFilters].StringList->Count > 0)) || (item->Properties[PhDevicePropertyClassUpperFilters].Valid && (item->Properties[PhDevicePropertyClassUpperFilters].StringList->Count > 0))) { item->HasUpperFilters = TRUE; } PhGetDeviceProperty(item, PhDevicePropertyLowerFilters); PhGetDeviceProperty(item, PhDevicePropertyClassLowerFilters); if ((item->Properties[PhDevicePropertyLowerFilters].Valid && (item->Properties[PhDevicePropertyLowerFilters].StringList->Count > 0)) || (item->Properties[PhDevicePropertyClassLowerFilters].Valid && (item->Properties[PhDevicePropertyClassLowerFilters].StringList->Count > 0))) { item->HasLowerFilters = TRUE; } PhAddItemList(Tree->DeviceList, item); return item; } PPH_DEVICE_ITEM NTAPI PhpAddDeviceInterfaceItem( _In_ PPH_DEVICE_TREE Tree, _In_ PPH_DEVICE_ITEM DeviceItem, _In_ PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData ) { PPH_DEVICE_ITEM item; PPH_DEVICE_PROPERTY prop; item = PhCreateObjectZero(sizeof(PH_DEVICE_ITEM), PhDeviceItemType); item->Tree = Tree; item->DeviceInfo = PhReferenceObject(Tree->DeviceInfo); item->DeviceInfoData.Interface = TRUE; RtlCopyMemory(&item->DeviceInfoData.InterfaceData, DeviceInterfaceData, sizeof(SP_DEVICE_INTERFACE_DATA)); RtlCopyMemory(&item->ClassGuid, &DeviceInterfaceData->InterfaceClassGuid, sizeof(GUID)); item->Parent = DeviceItem; item->InstanceId = PhGetDeviceProperty(item, PhDevicePropertyInstanceId)->AsString; if (item->InstanceId) PhReferenceObject(item->InstanceId); item->ParentInstanceId = PhReferenceObject(DeviceItem->InstanceId); item->DeviceInterface = TRUE; // link the interface as a "child" of the device DeviceItem->InterfaceCount++; if (DeviceItem->Child) { PPH_DEVICE_ITEM sibling = DeviceItem->Child; while (sibling->Sibling) sibling = sibling->Sibling; sibling->Sibling = item; } else { DeviceItem->Child = item; } // if the interface has no name, override it to be the best possible name prop = PhGetDeviceProperty(item, PhDevicePropertyName); if (!prop->AsString) { PPH_STRING string; if (string = PhGetDeviceProperty(item, PhDevicePropertyInterfaceFriendlyName)->AsString) prop->AsString = PhReferenceObject(string); else if (string = PhGetDeviceProperty(item, PhDevicePropertyInterfaceClassName)->AsString) prop->AsString = PhReferenceObject(string); else if (string = PhGetDeviceProperty(item, PhDevicePropertyInstanceId)->AsString) prop->AsString = PhReferenceObject(string); else prop->AsString = PhFormatGuid(&DeviceInterfaceData->InterfaceClassGuid); } PhAddItemList(Tree->DeviceInterfaceList, item); return item; } VOID PhpGetInterfaceClassList( _Out_ PGUID* InterfaceClassList, _Out_ PSIZE_T InterfaceClassListCount ) { const DEV_OBJECT* objects = NULL; ULONG objectCount; PH_ARRAY objectArray; if (HR_FAILED(PhDevGetObjects( DevObjectTypeDeviceInterfaceClass, DevQueryFlagNone, 0, NULL, 0, NULL, &objectCount, &objects )) || !objects) { *InterfaceClassList = NULL; *InterfaceClassListCount = 0; return; } PhInitializeArray(&objectArray, sizeof(GUID), objectCount); for (ULONG i = 0; i < objectCount; i++) { GUID interfaceClassGuid; PH_STRINGREF interfaceClassGuidString; PhInitializeStringRefLongHint(&interfaceClassGuidString, objects[i].pszObjectId); if (!NT_SUCCESS(PhStringToGuid(&interfaceClassGuidString, &interfaceClassGuid))) continue; PhAddItemArray(&objectArray, &interfaceClassGuid); } *InterfaceClassList = PhFinalArrayItems(&objectArray); *InterfaceClassListCount = PhFinalArrayCount(&objectArray); PhDevFreeObjects(objectCount, objects); } VOID PhpAssociateDeviceInterfaces( _Inout_ PPH_DEVICE_TREE Tree, _In_ PPH_DEVICE_ITEM DeviceItem, _In_ PGUID InterfaceClassList, _In_ SIZE_T InterfaceClassListCount ) { assert(!DeviceItem->DeviceInfoData.Interface); for (SIZE_T i = 0; i < InterfaceClassListCount; i++) { for (ULONG j = 0;; j++) { SP_DEVICE_INTERFACE_DATA deviceInterfaceData; RtlZeroMemory(&deviceInterfaceData, sizeof(SP_DEVICE_INTERFACE_DATA)); deviceInterfaceData.cbSize = sizeof(SP_DEVICE_INTERFACE_DATA); if (!SetupDiEnumDeviceInterfaces( Tree->DeviceInfo->Handle, &DeviceItem->DeviceInfoData.DeviceData, &InterfaceClassList[i], j, &deviceInterfaceData )) { break; } PhpAddDeviceInterfaceItem(Tree, DeviceItem, &deviceInterfaceData); } } } #ifdef DEBUG VOID PhpCheckDeviceTree( _In_ PPH_DEVICE_TREE Tree ) { static ULONG runawayLimit = 5000; ULONG count; assert(!Tree->Root->Sibling); assert(!Tree->Root->Parent); for (ULONG i = 0; i < Tree->DeviceList->Count; i++) { PPH_DEVICE_ITEM item; PPH_DEVICE_ITEM other; item = Tree->DeviceList->Items[i]; // ensure children terminate other = item->Child; count = 0; while (other) { other = other->Child; assert(count < runawayLimit); } // ensure siblings terminate other = item->Sibling; count = 0; while (other) { other = other->Sibling; assert(count < runawayLimit); } // ensure parents terminate other = item->Parent; count = 0; while (other) { other = other->Parent; assert(count < runawayLimit); } } for (ULONG i = 0; i < Tree->DeviceInterfaceList->Count; i++) { PPH_DEVICE_ITEM item; PPH_DEVICE_ITEM other; item = Tree->DeviceInterfaceList->Items[i]; // ensure children terminate other = item->Child; count = 0; while (other) { other = other->Child; assert(count < runawayLimit); } // ensure siblings terminate other = item->Sibling; count = 0; while (other) { other = other->Sibling; assert(count < runawayLimit); } // ensure parents terminate other = item->Parent; count = 0; while (other) { other = other->Parent; assert(count < runawayLimit); } } } #endif PPH_DEVICE_TREE PhpCreateDeviceTree( VOID ) { PPH_DEVICE_TREE tree; PPH_DEVICE_ITEM root; PGUID interfaceClassList; SIZE_T interfaceClassListCount; tree = PhCreateObjectZero(sizeof(PH_DEVICE_TREE), PhDeviceTreeType); tree->DeviceList = PhCreateList(250); tree->DeviceInterfaceList = PhCreateList(1024); tree->DeviceInfo = PhCreateObject(sizeof(PH_DEVINFO), PhpDeviceInfoType); tree->DeviceInfo->Handle = SetupDiGetClassDevsW( NULL, NULL, NULL, DIGCF_ALLCLASSES ); if (tree->DeviceInfo->Handle == INVALID_HANDLE_VALUE) { return tree; } for (ULONG i = 0;; i++) { SP_DEVINFO_DATA deviceInfoData; RtlZeroMemory(&deviceInfoData, sizeof(SP_DEVINFO_DATA)); deviceInfoData.cbSize = sizeof(SP_DEVINFO_DATA); if (!SetupDiEnumDeviceInfo(tree->DeviceInfo->Handle, i, &deviceInfoData)) break; PhpAddDeviceItem(tree, &deviceInfoData); } // now add interfaces to the device info set, the return value will be the // same pointer as the existing handle (VOID)SetupDiGetClassDevsExW( NULL, NULL, NULL, DIGCF_ALLCLASSES | DIGCF_DEVICEINTERFACE, tree->DeviceInfo->Handle, NULL, NULL ); PhpGetInterfaceClassList(&interfaceClassList, &interfaceClassListCount); // Link the device relations. root = NULL; for (ULONG i = 0; i < tree->DeviceList->Count; i++) { BOOLEAN found; PPH_DEVICE_ITEM item; PPH_DEVICE_ITEM other; found = FALSE; item = tree->DeviceList->Items[i]; // for this device item associate any device interfaces PhpAssociateDeviceInterfaces(tree, item, interfaceClassList, interfaceClassListCount); for (ULONG j = 0; j < tree->DeviceList->Count; j++) { other = tree->DeviceList->Items[j]; if (item == other) { continue; } if (!other->InstanceId || !item->ParentInstanceId) { continue; } if (!PhEqualString(other->InstanceId, item->ParentInstanceId, TRUE)) { continue; } found = TRUE; item->Parent = other; item->Parent->ChildrenCount++; if (!other->Child) { other->Child = item; break; } other = other->Child; while (other->Sibling) { other = other->Sibling; } other->Sibling = item; break; } if (!found) { assert(!root); root = item; } } tree->Root = root; // sort the list for faster lookups later qsort( tree->DeviceList->Items, tree->DeviceList->Count, sizeof(PVOID), PhpDeviceItemSortFunction ); if (interfaceClassList) PhFree(interfaceClassList); #ifdef DEBUG PhpCheckDeviceTree(tree); #endif return tree; } PPH_DEVICE_TREE PhpPublishDeviceTree( VOID ) { PPH_DEVICE_TREE newTree; PPH_DEVICE_TREE oldTree; newTree = PhpCreateDeviceTree(); PhReferenceObject(newTree); PhAcquireFastLockExclusive(&PhpDeviceTreeLock); oldTree = PhpDeviceTree; PhpDeviceTree = newTree; PhReleaseFastLockExclusive(&PhpDeviceTreeLock); PhClearReference(&oldTree); return newTree; } VOID PhpDeviceNotify( _In_ PSLIST_ENTRY List ) { PPH_DEVICE_TREE deviceTree; PPH_DEVICE_NOTIFY entry; // We process device notifications in blocks so that bursts of device changes // don't each trigger a new tree each time. THe internal is determined by the // interval update and the Service Provider Updated Event. (500ms/1000ms) if (deviceTree = PhpPublishDeviceTree()) { while (List) { entry = CONTAINING_RECORD(List, PH_DEVICE_NOTIFY, ListEntry); List = List->Next; // Restore TypeIndex and Flags. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackDeviceNotificationEvent), entry); PhFreeToFreeList(&PhDeviceNotifyFreeList, entry); } } PhClearReference(&deviceTree); } _Function_class_(PCM_NOTIFY_CALLBACK) ULONG CALLBACK PhpCmNotifyCallback( _In_ HCMNOTIFICATION hNotify, _In_opt_ PVOID Context, _In_ CM_NOTIFY_ACTION Action, _In_reads_bytes_(EventDataSize) PCM_NOTIFY_EVENT_DATA EventData, _In_ ULONG EventDataSize ) { PPH_DEVICE_NOTIFY entry; switch (Action) { case CM_NOTIFY_ACTION_DEVICEINTERFACEARRIVAL: { entry = PhAllocateFromFreeList(&PhDeviceNotifyFreeList); memset(entry, 0, sizeof(PH_DEVICE_NOTIFY)); entry->Action = PhDeviceNotifyInterfaceArrival; RtlCopyMemory(&entry->DeviceInterface.ClassGuid, &EventData->u.DeviceInterface.ClassGuid, sizeof(GUID)); InterlockedPushEntrySList(&PhDeviceNotifyListHead, &entry->ListEntry); } break; case CM_NOTIFY_ACTION_DEVICEINTERFACEREMOVAL: { entry = PhAllocateFromFreeList(&PhDeviceNotifyFreeList); memset(entry, 0, sizeof(PH_DEVICE_NOTIFY)); entry->Action = PhDeviceNotifyInterfaceRemoval; RtlCopyMemory(&entry->DeviceInterface.ClassGuid, &EventData->u.DeviceInterface.ClassGuid, sizeof(GUID)); InterlockedPushEntrySList(&PhDeviceNotifyListHead, &entry->ListEntry); } break; case CM_NOTIFY_ACTION_DEVICEINSTANCEENUMERATED: { entry = PhAllocateFromFreeList(&PhDeviceNotifyFreeList); memset(entry, 0, sizeof(PH_DEVICE_NOTIFY)); entry->Action = PhDeviceNotifyInstanceEnumerated; entry->DeviceInstance.InstanceId = PhCreateString(EventData->u.DeviceInstance.InstanceId); InterlockedPushEntrySList(&PhDeviceNotifyListHead, &entry->ListEntry); } break; case CM_NOTIFY_ACTION_DEVICEINSTANCESTARTED: { entry = PhAllocateFromFreeList(&PhDeviceNotifyFreeList); memset(entry, 0, sizeof(PH_DEVICE_NOTIFY)); entry->Action = PhDeviceNotifyInstanceStarted; entry->DeviceInstance.InstanceId = PhCreateString(EventData->u.DeviceInstance.InstanceId); InterlockedPushEntrySList(&PhDeviceNotifyListHead, &entry->ListEntry); } break; case CM_NOTIFY_ACTION_DEVICEINSTANCEREMOVED: { entry = PhAllocateFromFreeList(&PhDeviceNotifyFreeList); memset(entry, 0, sizeof(PH_DEVICE_NOTIFY)); entry->Action = PhDeviceNotifyInstanceRemoved; entry->DeviceInstance.InstanceId = PhCreateString(EventData->u.DeviceInstance.InstanceId); InterlockedPushEntrySList(&PhDeviceNotifyListHead, &entry->ListEntry); } break; } return ERROR_SUCCESS; } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ServiceProviderUpdatedCallback( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { PSLIST_ENTRY list; // drain the list if (list = RtlInterlockedFlushSList(&PhDeviceNotifyListHead)) { PhpDeviceNotify(list); } } BOOLEAN PhpDeviceProviderInitialization( VOID ) { CM_NOTIFY_FILTER cmFilter; if (WindowsVersion < WINDOWS_10 || !PhGetIntegerSetting(L"EnableDeviceSupport")) return FALSE; PhDeviceItemType = PhCreateObjectType(L"DeviceItem", 0, PhpDeviceItemDeleteProcedure); PhDeviceTreeType = PhCreateObjectType(L"DeviceTree", 0, PhpDeviceTreeDeleteProcedure); PhDeviceNotifyType = PhCreateObjectType(L"DeviceNotify", 0, PhpDeviceNotifyDeleteProcedure); PhpDeviceInfoType = PhCreateObjectType(L"DeviceInfo", 0, PhpDeviceInfoDeleteProcedure); PhInitializeSListHead(&PhDeviceNotifyListHead); PhInitializeFreeList(&PhDeviceNotifyFreeList, sizeof(PH_DEVICE_NOTIFY), 16); RtlZeroMemory(&cmFilter, sizeof(CM_NOTIFY_FILTER)); cmFilter.cbSize = sizeof(CM_NOTIFY_FILTER); cmFilter.FilterType = CM_NOTIFY_FILTER_TYPE_DEVICEINSTANCE; cmFilter.Flags = CM_NOTIFY_FILTER_FLAG_ALL_DEVICE_INSTANCES; if (CM_Register_Notification( &cmFilter, NULL, PhpCmNotifyCallback, &PhpDeviceNotification ) != CR_SUCCESS) { return FALSE; } RtlZeroMemory(&cmFilter, sizeof(CM_NOTIFY_FILTER)); cmFilter.cbSize = sizeof(CM_NOTIFY_FILTER); cmFilter.FilterType = CM_NOTIFY_FILTER_TYPE_DEVICEINTERFACE; cmFilter.Flags = CM_NOTIFY_FILTER_FLAG_ALL_INTERFACE_CLASSES; if (CM_Register_Notification( &cmFilter, NULL, PhpCmNotifyCallback, &PhpDeviceInterfaceNotification ) != CR_SUCCESS) { return FALSE; } PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackServiceProviderUpdatedEvent), ServiceProviderUpdatedCallback, NULL, &ServiceProviderUpdatedRegistration ); return TRUE; } BOOLEAN PhDeviceProviderInitialization( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN initialized = FALSE; if (PhBeginInitOnce(&initOnce)) { initialized = PhpDeviceProviderInitialization(); PhEndInitOnce(&initOnce); } return initialized; } PPH_DEVICE_TREE PhReferenceDeviceTree( VOID ) { return PhReferenceDeviceTreeEx(FALSE); } PPH_DEVICE_TREE PhReferenceDeviceTreeEx( _In_ BOOLEAN ForceRefresh ) { PPH_DEVICE_TREE deviceTree; PhAcquireFastLockShared(&PhpDeviceTreeLock); PhSetReference(&deviceTree, PhpDeviceTree); PhReleaseFastLockShared(&PhpDeviceTreeLock); if (ForceRefresh || !deviceTree) { PhMoveReference(&deviceTree, PhpPublishDeviceTree()); } return deviceTree; } BOOLEAN PhEnumDeviceResources( _In_ PPH_DEVICE_ITEM Item, _In_ ULONG LogicalConfig, _In_ PPH_DEVICE_ENUM_RESOURCES_CALLBACK Callback, _In_opt_ PVOID Context ) { BOOLEAN done; LOG_CONF logicalConfig; PVOID buffer; ULONG length; if (CM_Get_First_Log_Conf( &logicalConfig, Item->DeviceInfoData.DeviceData.DevInst, LogicalConfig ) != CR_SUCCESS) return FALSE; done = FALSE; buffer = PhAllocate(64); length = 64; while (!done) { LOG_CONF nextConfig; ULONG size; RES_DES deviceResource; RESOURCEID resourceId; if (CM_Get_Next_Res_Des( &deviceResource, logicalConfig, ResType_All, &resourceId, 0 ) == CR_SUCCESS) { while (!done) { RES_DES nextResource; if (CM_Get_Res_Des_Data_Size(&size, deviceResource, 0) == CR_SUCCESS) { if (size > length) { buffer = PhReAllocate(buffer, size); length = size; } assert(buffer); if (CM_Get_Res_Des_Data(deviceResource, buffer, size, 0) == CR_SUCCESS) { done = Callback(LogicalConfig, resourceId, buffer, size, Context); if (done) break; } } if (CM_Get_Next_Res_Des( &nextResource, deviceResource, ResType_All, &resourceId, 0 ) != CR_SUCCESS) break; CM_Free_Res_Des_Handle(deviceResource); deviceResource = nextResource; } } CM_Free_Res_Des_Handle(deviceResource); if (done) break; if (CM_Get_Next_Log_Conf(&nextConfig, logicalConfig, 0) != CR_SUCCESS) break; CM_Free_Log_Conf_Handle(logicalConfig); logicalConfig = nextConfig; } CM_Free_Log_Conf_Handle(logicalConfig); PhFree(buffer); return TRUE; } ================================================ FILE: SystemInformer/extmgr.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011 * */ /* * The extension manager provides support for generic extensions. It sits directly * underneath the plugin manager, and has no knowledge of plugin details (how they are * loaded, plugin information, etc.). */ #include #include LIST_ENTRY PhEmAppContextListHead = { &PhEmAppContextListHead, &PhEmAppContextListHead }; ULONG PhEmAppContextCount = 0; PH_EM_OBJECT_TYPE_STATE PhEmObjectTypeState[EmMaximumObjectType] = { 0 }; /** * Initializes the extension manager module. */ VOID PhEmInitialization( VOID ) { ULONG i; for (i = 0; i < EmMaximumObjectType; i++) { InitializeListHead(&PhEmObjectTypeState[i].ExtensionListHead); } } /** * Initializes an extension application context. * * \param AppContext The application context. * \param AppName The application name. */ VOID PhEmInitializeAppContext( _Out_ PPH_EM_APP_CONTEXT AppContext, _In_ PCPH_STRINGREF AppName ) { AppContext->AppName = *AppName; memset(AppContext->Extensions, 0, sizeof(AppContext->Extensions)); InsertTailList(&PhEmAppContextListHead, &AppContext->ListEntry); PhEmAppContextCount++; } /** * Sets the object extension size and callbacks for an object type. * * \param AppContext The application context. * \param ObjectType The type of object for which the extension is being registered. * \param ExtensionSize The size of the extension, in bytes. * \param CreateCallback The object creation callback. * \param DeleteCallback The object deletion callback. */ VOID PhEmSetObjectExtension( _Inout_ PPH_EM_APP_CONTEXT AppContext, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ SIZE_T ExtensionSize, _In_opt_ PPH_EM_OBJECT_CALLBACK CreateCallback, _In_opt_ PPH_EM_OBJECT_CALLBACK DeleteCallback ) { PPH_EM_OBJECT_TYPE_STATE objectTypeState; PPH_EM_OBJECT_EXTENSION objectExtension; objectTypeState = &PhEmObjectTypeState[ObjectType]; objectExtension = AppContext->Extensions[ObjectType]; if (!objectExtension) { objectExtension = PhAllocate(sizeof(PH_EM_OBJECT_EXTENSION)); memset(objectExtension, 0, sizeof(PH_EM_OBJECT_EXTENSION)); InsertTailList(&objectTypeState->ExtensionListHead, &objectExtension->ListEntry); AppContext->Extensions[ObjectType] = objectExtension; objectExtension->ExtensionSize = ExtensionSize; objectExtension->ExtensionOffset = objectTypeState->ExtensionOffset; objectTypeState->ExtensionOffset += ExtensionSize; } objectExtension->Callbacks[EmObjectCreate] = CreateCallback; objectExtension->Callbacks[EmObjectDelete] = DeleteCallback; } /** * Gets the object for an extension. * * \param AppContext The application context. * \param ObjectType The type of object for which an extension has been registered. * \param Extension The object extension. */ PVOID PhEmGetObject( _In_ PPH_EM_APP_CONTEXT AppContext, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ PVOID Extension ) { PPH_EM_OBJECT_EXTENSION objectExtension; objectExtension = AppContext->Extensions[ObjectType]; if (!objectExtension) return NULL; return PTR_SUB_OFFSET(Extension, PhEmObjectTypeState[ObjectType].InitialSize + objectExtension->ExtensionOffset); } /** * Gets the object extension for an object. * * \param AppContext The application context. * \param ObjectType The type of object for which an extension has been registered. * \param Object The object. */ PVOID PhEmGetObjectExtension( _In_ PPH_EM_APP_CONTEXT AppContext, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ PVOID Object ) { PPH_EM_OBJECT_EXTENSION objectExtension; objectExtension = AppContext->Extensions[ObjectType]; if (!objectExtension) return NULL; return PTR_ADD_OFFSET(Object, PhEmObjectTypeState[ObjectType].InitialSize + objectExtension->ExtensionOffset); } /** * Determines the size of an object, including extensions. * * \param ObjectType The object type. * \param InitialSize The initial size of the object. */ SIZE_T PhEmGetObjectSize( _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ SIZE_T InitialSize ) { PhEmObjectTypeState[ObjectType].InitialSize = InitialSize; return InitialSize + PhEmObjectTypeState[ObjectType].ExtensionOffset; } /** * Invokes callbacks for an object operation. * * \param ObjectType The object type. * \param Object The object. * \param Operation The operation being performed. */ VOID PhEmCallObjectOperation( _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ PVOID Object, _In_ PH_EM_OBJECT_OPERATION Operation ) { PPH_EM_OBJECT_TYPE_STATE objectTypeState; PLIST_ENTRY listEntry; PPH_EM_OBJECT_EXTENSION objectExtension; if (PhEmAppContextCount == 0) return; objectTypeState = &PhEmObjectTypeState[ObjectType]; listEntry = objectTypeState->ExtensionListHead.Flink; while (listEntry != &objectTypeState->ExtensionListHead) { objectExtension = CONTAINING_RECORD(listEntry, PH_EM_OBJECT_EXTENSION, ListEntry); if (objectExtension->Callbacks[Operation]) { objectExtension->Callbacks[Operation]( Object, ObjectType, PTR_ADD_OFFSET(Object, objectTypeState->InitialSize + objectExtension->ExtensionOffset) ); } listEntry = listEntry->Flink; } } /** * Parses an application name and sub-ID pair. * * \param CompoundId The compound identifier. * \param AppName A variable which receives the application name. * \param SubId A variable which receives the sub-ID. */ _Success_(return) BOOLEAN PhEmParseCompoundId( _In_ PCPH_STRINGREF CompoundId, _Out_ PPH_STRINGREF AppName, _Out_ PULONG SubId ) { PH_STRINGREF firstPart; PH_STRINGREF secondPart; ULONG64 integer; firstPart = *CompoundId; if (firstPart.Length == 0) return FALSE; if (firstPart.Buffer[0] != L'+') return FALSE; PhSkipStringRef(&firstPart, sizeof(WCHAR)); PhSplitStringRefAtChar(&firstPart, L'+', &firstPart, &secondPart); if (firstPart.Length == 0 || secondPart.Length == 0) return FALSE; if (!PhStringToUInt64(&secondPart, 10, &integer)) return FALSE; if (PhIsLegacyPrefix(&firstPart)) { PhSkipStringRef(&firstPart, 14 * sizeof(WCHAR)); } *AppName = firstPart; *SubId = (ULONG)integer; return TRUE; } ================================================ FILE: SystemInformer/findobj.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define WM_PH_SEARCH_SHOWDIALOG (WM_APP + 801) #define WM_PH_SEARCH_FINISHED (WM_APP + 802) #define WM_PH_SEARCH_SHOWMENU (WM_APP + 803) static PPH_OBJECT_TYPE PhFindObjectsItemType = NULL; static HANDLE PhFindObjectsThreadHandle = NULL; static HWND PhFindObjectsWindowHandle = NULL; static PH_EVENT PhFindObjectsInitializedEvent = PH_EVENT_INIT; typedef struct _PH_HANDLE_SEARCH_CONTEXT { PH_LAYOUT_MANAGER LayoutManager; RECT MinimumSize; HWND WindowHandle; HWND TreeNewHandle; HWND TypeWindowHandle; HWND SearchWindowHandle; PPH_STRING WindowText; HFONT TypeWindowFont; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; //PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; HANDLE SearchThreadHandle; BOOLEAN SearchAll; BOOLEAN SearchStop; PPH_STRING SearchTypeString; ULONG_PTR SearchMatchHandle; PPH_LIST SearchResults; ULONG SearchResultsAddIndex; PH_QUEUED_LOCK SearchResultsLock; } PH_HANDLE_SEARCH_CONTEXT, *PPH_HANDLE_SEARCH_CONTEXT; typedef enum _PHP_OBJECT_RESULT_TYPE { HandleSearchResult, ModuleSearchResult, MappedFileSearchResult } PHP_OBJECT_RESULT_TYPE; typedef struct _PHP_OBJECT_SEARCH_RESULT { HANDLE ProcessId; PHP_OBJECT_RESULT_TYPE ResultType; HANDLE Handle; PVOID Object; PPH_STRING TypeName; PPH_STRING ObjectName; PPH_STRING BestObjectName; SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Info; } PHP_OBJECT_SEARCH_RESULT, *PPHP_OBJECT_SEARCH_RESULT; typedef enum _PH_HANDLE_OBJECT_TREE_COLUMN_ITEM_NAME { PH_OBJECT_SEARCH_TREE_COLUMN_PROCESS, PH_OBJECT_SEARCH_TREE_COLUMN_TYPE, PH_OBJECT_SEARCH_TREE_COLUMN_NAME, PH_OBJECT_SEARCH_TREE_COLUMN_HANDLE, PH_OBJECT_SEARCH_TREE_COLUMN_OBJECTADDRESS, PH_OBJECT_SEARCH_TREE_COLUMN_ORIGINALNAME, PH_OBJECT_SEARCH_TREE_COLUMN_GRANTEDACCESS, PH_OBJECT_SEARCH_TREE_COLUMN_MAXIMUM } PH_HANDLE_OBJECT_TREE_COLUMN_ITEM_NAME; typedef struct _PH_HANDLE_OBJECT_TREE_ROOT_NODE { PH_TREENEW_NODE Node; ULONG64 UniqueId; // used to stabilize sorting PHP_OBJECT_RESULT_TYPE ResultType; PVOID HandleObject; HANDLE Handle; HANDLE ProcessId; PPH_STRING ClientIdName; PPH_STRING TypeNameString; PPH_STRING ObjectNameString; PPH_STRING BestObjectName; PPH_STRING GrantedAccessSymbolicText; WCHAR HandleString[PH_PTR_STR_LEN_1]; WCHAR ObjectString[PH_PTR_STR_LEN_1]; SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX HandleInfo; PH_STRINGREF TextCache[PH_OBJECT_SEARCH_TREE_COLUMN_MAXIMUM]; } PH_HANDLE_OBJECT_TREE_ROOT_NODE, *PPH_HANDLE_OBJECT_TREE_ROOT_NODE; #define SORT_FUNCTION(Column) PhpHandleObjectTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpHandleObjectTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_HANDLE_SEARCH_CONTEXT context = ((PPH_HANDLE_SEARCH_CONTEXT)_context); \ PPH_HANDLE_OBJECT_TREE_ROOT_NODE node1 = *(PPH_HANDLE_OBJECT_TREE_ROOT_NODE*)_elem1; \ PPH_HANDLE_OBJECT_TREE_ROOT_NODE node2 = *(PPH_HANDLE_OBJECT_TREE_ROOT_NODE*)_elem2; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->UniqueId, (ULONG_PTR)node2->UniqueId); \ \ return PhModifySort(sortResult, context->TreeNewSortOrder); \ } BEGIN_SORT_FUNCTION(Process) { sortResult = PhCompareStringWithNullSortOrder(node1->ClientIdName, node2->ClientIdName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Type) { sortResult = PhCompareStringWithNullSortOrder(node1->TypeNameString, node2->TypeNameString, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNullSortOrder(node1->BestObjectName, node2->BestObjectName, context->TreeNewSortOrder, FALSE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Handle) { sortResult = uintptrcmp((ULONG_PTR)node1->Handle, (ULONG_PTR)node2->Handle); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ObjectAddress) { sortResult = uintptrcmp((ULONG_PTR)node1->HandleObject, (ULONG_PTR)node2->HandleObject); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(OriginalName) { sortResult = PhCompareStringWithNullSortOrder(node1->ObjectNameString, node2->ObjectNameString, context->TreeNewSortOrder, FALSE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(GrantedAccess) { sortResult = PhCompareStringWithNullSortOrder(node1->GrantedAccessSymbolicText, node2->GrantedAccessSymbolicText, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION VOID PhpHandleObjectLoadSettingsTreeList( _Inout_ PPH_HANDLE_SEARCH_CONTEXT Context ) { PPH_STRING settings; settings = PhGetStringSetting(SETTING_FIND_OBJ_TREE_LIST_COLUMNS); PhCmLoadSettings(Context->TreeNewHandle, &settings->sr); PhDereferenceObject(settings); } VOID PhpHandleObjectSaveSettingsTreeList( _Inout_ PPH_HANDLE_SEARCH_CONTEXT Context ) { PPH_STRING settings; settings = PhCmSaveSettings(Context->TreeNewHandle); PhSetStringSetting2(SETTING_FIND_OBJ_TREE_LIST_COLUMNS, &settings->sr); PhDereferenceObject(settings); } //BOOLEAN PhpHandleObjectNodeHashtableEqualFunction( // _In_ PVOID Entry1, // _In_ PVOID Entry2 // ) //{ // PPH_HANDLE_OBJECT_TREE_ROOT_NODE node1 = *(PPH_HANDLE_OBJECT_TREE_ROOT_NODE *)Entry1; // PPH_HANDLE_OBJECT_TREE_ROOT_NODE node2 = *(PPH_HANDLE_OBJECT_TREE_ROOT_NODE *)Entry2; // // return node1->HandleObject == node2->HandleObject; //} // //ULONG PhpHandleObjectNodeHashtableHashFunction( // _In_ PVOID Entry // ) //{ // return PhHashIntPtr((ULONG_PTR)(*(PPH_HANDLE_OBJECT_TREE_ROOT_NODE*)Entry)->Handle); //} VOID PhpDestroyHandleObjectNode( _In_ PPH_HANDLE_OBJECT_TREE_ROOT_NODE Node ) { PhClearReference(&Node->ClientIdName); PhClearReference(&Node->TypeNameString); PhClearReference(&Node->ObjectNameString); PhClearReference(&Node->BestObjectName); PhClearReference(&Node->GrantedAccessSymbolicText); PhFree(Node); } PPH_HANDLE_OBJECT_TREE_ROOT_NODE PhpAddHandleObjectNode( _Inout_ PPH_HANDLE_SEARCH_CONTEXT Context, _In_ HANDLE Handle ) { static ULONG64 NextUniqueId = 0; PPH_HANDLE_OBJECT_TREE_ROOT_NODE handleObjectNode; handleObjectNode = PhAllocate(sizeof(PH_HANDLE_OBJECT_TREE_ROOT_NODE)); memset(handleObjectNode, 0, sizeof(PH_HANDLE_OBJECT_TREE_ROOT_NODE)); PhInitializeTreeNewNode(&handleObjectNode->Node); memset(handleObjectNode->TextCache, 0, sizeof(PH_STRINGREF) * PH_OBJECT_SEARCH_TREE_COLUMN_MAXIMUM); handleObjectNode->Node.TextCache = handleObjectNode->TextCache; handleObjectNode->Node.TextCacheSize = PH_OBJECT_SEARCH_TREE_COLUMN_MAXIMUM; handleObjectNode->Handle = Handle; handleObjectNode->UniqueId = ++NextUniqueId; //PhAddEntryHashtable(Context->NodeHashtable, &handleObjectNode); PhAddItemList(Context->NodeList, handleObjectNode); //TreeNew_NodesStructured(Context->TreeNewHandle); return handleObjectNode; } //PPH_HANDLE_OBJECT_TREE_ROOT_NODE PhpFindHandleObjectNode( // _In_ PPH_HANDLE_SEARCH_CONTEXT Context, // _In_ HANDLE Handle // ) //{ // PH_HANDLE_OBJECT_TREE_ROOT_NODE lookupHandleObjectNode; // PPH_HANDLE_OBJECT_TREE_ROOT_NODE lookupHandleObjectNodePtr = &lookupHandleObjectNode; // PPH_HANDLE_OBJECT_TREE_ROOT_NODE *handleObjectNode; // // lookupHandleObjectNode.Handle = Handle; // // handleObjectNode = (PPH_HANDLE_OBJECT_TREE_ROOT_NODE*)PhFindEntryHashtable( // Context->NodeHashtable, // &lookupHandleObjectNodePtr // ); // // if (handleObjectNode) // return *handleObjectNode; // else // return NULL; //} VOID PhpRemoveHandleObjectNode( _In_ PPH_HANDLE_SEARCH_CONTEXT Context, _In_ PPH_HANDLE_OBJECT_TREE_ROOT_NODE Node ) { ULONG index = 0; //PhRemoveEntryHashtable(Context->NodeHashtable, &Node); if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) { PhRemoveItemList(Context->NodeList, index); } PhpDestroyHandleObjectNode(Node); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpUpdateHandleObjectNode( _In_ PPH_HANDLE_SEARCH_CONTEXT Context, _In_ PPH_HANDLE_OBJECT_TREE_ROOT_NODE Node ) { memset(Node->TextCache, 0, sizeof(PH_STRINGREF) * PH_OBJECT_SEARCH_TREE_COLUMN_MAXIMUM); PhInvalidateTreeNewNode(&Node->Node, TN_CACHE_COLOR); TreeNew_NodesStructured(Context->TreeNewHandle); } BOOLEAN NTAPI PhpHandleObjectTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_HANDLE_SEARCH_CONTEXT context = Context; PPH_HANDLE_OBJECT_TREE_ROOT_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_HANDLE_OBJECT_TREE_ROOT_NODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Process), SORT_FUNCTION(Type), SORT_FUNCTION(Name), SORT_FUNCTION(Handle), SORT_FUNCTION(ObjectAddress), SORT_FUNCTION(OriginalName), SORT_FUNCTION(GrantedAccess), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PH_OBJECT_SEARCH_TREE_COLUMN_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < PH_OBJECT_SEARCH_TREE_COLUMN_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = (PPH_TREENEW_IS_LEAF)Parameter1; node = (PPH_HANDLE_OBJECT_TREE_ROOT_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPH_HANDLE_OBJECT_TREE_ROOT_NODE)getCellText->Node; switch (getCellText->Id) { case PH_OBJECT_SEARCH_TREE_COLUMN_PROCESS: getCellText->Text = PhGetStringRef(node->ClientIdName); break; case PH_OBJECT_SEARCH_TREE_COLUMN_TYPE: getCellText->Text = PhGetStringRef(node->TypeNameString); break; case PH_OBJECT_SEARCH_TREE_COLUMN_NAME: getCellText->Text = PhGetStringRef(node->BestObjectName); break; case PH_OBJECT_SEARCH_TREE_COLUMN_HANDLE: PhInitializeStringRefLongHint(&getCellText->Text, node->HandleString); break; case PH_OBJECT_SEARCH_TREE_COLUMN_OBJECTADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, node->ObjectString); break; case PH_OBJECT_SEARCH_TREE_COLUMN_ORIGINALNAME: getCellText->Text = PhGetStringRef(node->ObjectNameString); break; case PH_OBJECT_SEARCH_TREE_COLUMN_GRANTEDACCESS: getCellText->Text = PhGetStringRef(node->GrantedAccessSymbolicText); break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; node = (PPH_HANDLE_OBJECT_TREE_ROOT_NODE)getNodeColor->Node; if (!node) ; // Dummy else if (PhCsUseColorProtectedInheritHandles && FlagOn(node->HandleInfo.HandleAttributes, OBJ_PROTECT_CLOSE) && FlagOn(node->HandleInfo.HandleAttributes, OBJ_INHERIT)) getNodeColor->BackColor = PhCsColorProtectedInheritHandles; else if (PhCsUseColorProtectedHandles && FlagOn(node->HandleInfo.HandleAttributes, OBJ_PROTECT_CLOSE)) getNodeColor->BackColor = PhCsColorProtectedHandles; else if (PhCsUseColorInheritHandles && FlagOn(node->HandleInfo.HandleAttributes, OBJ_INHERIT)) getNodeColor->BackColor = PhCsColorInheritHandles; getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->WindowHandle, WM_COMMAND, ID_OBJECT_COPY, 0); break; case VK_DELETE: SendMessage(context->WindowHandle, WM_COMMAND, ID_OBJECT_CLOSE, 0); break; } } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(context->WindowHandle, WM_COMMAND, ID_OBJECT_PROPERTIES, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; SendMessage( context->WindowHandle, WM_COMMAND, WM_PH_SEARCH_SHOWMENU, (LPARAM)contextMenuEvent ); } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; memset(&data, 0, sizeof(PH_TN_COLUMN_MENU_DATA)); data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = PH_OBJECT_SEARCH_TREE_COLUMN_PROCESS; data.DefaultSortOrder = NoSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; } return FALSE; } VOID PhpClearHandleObjectTree( _In_ PPH_HANDLE_SEARCH_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) PhpDestroyHandleObjectNode(Context->NodeList->Items[i]); //PhClearHashtable(Context->NodeHashtable); PhClearList(Context->NodeList); TreeNew_NodesStructured(Context->TreeNewHandle); } PPH_HANDLE_OBJECT_TREE_ROOT_NODE PhpGetSelectedHandleObjectNode( _In_ PPH_HANDLE_SEARCH_CONTEXT Context ) { PPH_HANDLE_OBJECT_TREE_ROOT_NODE handleNode = NULL; for (ULONG i = 0; i < Context->NodeList->Count; i++) { handleNode = Context->NodeList->Items[i]; if (handleNode->Node.Selected) return handleNode; } return NULL; } _Success_(return) BOOLEAN PhpGetSelectedHandleObjectNodes( _In_ PPH_HANDLE_SEARCH_CONTEXT Context, _Out_ PPH_HANDLE_OBJECT_TREE_ROOT_NODE **HandleObjectNodes, _Out_ PULONG NumberOfHandleObjectNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_HANDLE_OBJECT_TREE_ROOT_NODE node = (PPH_HANDLE_OBJECT_TREE_ROOT_NODE)Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *HandleObjectNodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfHandleObjectNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } VOID PhpInitializeHandleObjectTree( _Inout_ PPH_HANDLE_SEARCH_CONTEXT Context ) { Context->NodeList = PhCreateList(100); //Context->NodeHashtable = PhCreateHashtable( // sizeof(PPH_HANDLE_OBJECT_TREE_ROOT_NODE), // PhpHandleObjectNodeHashtableEqualFunction, // PhpHandleObjectNodeHashtableHashFunction, // 100 // ); PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); TreeNew_SetCallback(Context->TreeNewHandle, PhpHandleObjectTreeNewCallback, Context); // Default columns PhAddTreeNewColumn(Context->TreeNewHandle, PH_OBJECT_SEARCH_TREE_COLUMN_PROCESS, TRUE, L"Process", 100, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_OBJECT_SEARCH_TREE_COLUMN_TYPE, TRUE, L"Type", 100, PH_ALIGN_LEFT, 1, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_OBJECT_SEARCH_TREE_COLUMN_NAME, TRUE, L"Name", 200, PH_ALIGN_LEFT, 2, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_OBJECT_SEARCH_TREE_COLUMN_HANDLE, TRUE, L"Handle", 80, PH_ALIGN_LEFT, 3, 0); // Customizable columns PhAddTreeNewColumn(Context->TreeNewHandle, PH_OBJECT_SEARCH_TREE_COLUMN_OBJECTADDRESS, FALSE, L"Object address", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_OBJECT_SEARCH_TREE_COLUMN_ORIGINALNAME, FALSE, L"Original name", 200, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_OBJECT_SEARCH_TREE_COLUMN_GRANTEDACCESS, FALSE, L"Granted access", 200, PH_ALIGN_LEFT, ULONG_MAX, 0); TreeNew_SetTriState(Context->TreeNewHandle, TRUE); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); PhpHandleObjectLoadSettingsTreeList(Context); } VOID PhpDeleteHandleObjectTree( _In_ PPH_HANDLE_SEARCH_CONTEXT Context ) { PhpHandleObjectSaveSettingsTreeList(Context); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PhpDestroyHandleObjectNode(Context->NodeList->Items[i]); } //PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } VOID PhpInitializeFindObjMenu( _In_ PPH_EMENU Menu, _In_ PPH_HANDLE_OBJECT_TREE_ROOT_NODE *Results, _In_ ULONG NumberOfResults ) { BOOLEAN allCanBeClosed = TRUE; ULONG i; if (NumberOfResults == 1) { PH_HANDLE_ITEM_INFO info; info.ProcessId = Results[0]->ProcessId; info.Handle = Results[0]->Handle; info.TypeName = Results[0]->TypeNameString; info.BestObjectName = Results[0]->BestObjectName; PhInsertHandleObjectPropertiesEMenuItems(Menu, ID_OBJECT_PROPERTIES, FALSE, &info); } else { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); PhEnableEMenuItem(Menu, ID_OBJECT_COPY, TRUE); } for (i = 0; i < NumberOfResults; i++) { if (Results[i]->ResultType != HandleSearchResult) { allCanBeClosed = FALSE; break; } } PhEnableEMenuItem(Menu, ID_OBJECT_CLOSE, allCanBeClosed); } static int __cdecl PhpStringObjectTypeCompare( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_STRING entry1 = *(PPH_STRING *)elem1; PPH_STRING entry2 = *(PPH_STRING *)elem2; return PhCompareString(entry1, entry2, TRUE); } VOID PhpUpdateDropdownThemeMetrics( _In_ PPH_HANDLE_SEARCH_CONTEXT Context, _In_ LONG WindowDpi ) { LONG maxLength; HDC comboDc; HFONT oldFont; INT count; maxLength = 0; comboDc = GetDC(Context->TypeWindowHandle); oldFont = SelectFont(comboDc, Context->TypeWindowFont); count = ComboBox_GetCount(Context->TypeWindowHandle); for (INT i = 0; i < count; i++) { PPH_STRING entry = PhGetComboBoxString(Context->TypeWindowHandle, i); SIZE textSize; if (GetTextExtentPoint32(comboDc, entry->Buffer, (ULONG)entry->Length / sizeof(WCHAR), &textSize)) { if (textSize.cx > maxLength) maxLength = textSize.cx; } PhDereferenceObject(entry); } if (oldFont) SelectFont(comboDc, oldFont); ReleaseDC(Context->TypeWindowHandle, comboDc); // Add some padding for the vertical scroll bar and margins. maxLength += PhGetSystemMetrics(SM_CXVSCROLL, WindowDpi) * 2; if (maxLength) { SendMessage(Context->TypeWindowHandle, CB_SETDROPPEDWIDTH, maxLength, 0); } } VOID PhpPopulateObjectTypes( _In_ PPH_HANDLE_SEARCH_CONTEXT Context ) { POBJECT_TYPES_INFORMATION objectTypes; POBJECT_TYPE_INFORMATION objectType; PPH_LIST objectTypeList; objectTypeList = PhCreateList(100); // Add a custom object type for searching all objects. ComboBox_AddString(Context->TypeWindowHandle, L"Everything"); ComboBox_SetCurSel(Context->TypeWindowHandle, 0); // Enumerate the available object types. if (NT_SUCCESS(PhEnumObjectTypes(&objectTypes))) { objectType = PH_FIRST_OBJECT_TYPE(objectTypes); for (ULONG i = 0; i < objectTypes->NumberOfTypes; i++) { PhAddItemList(objectTypeList, PhCreateStringFromUnicodeString(&objectType->TypeName)); objectType = PH_NEXT_OBJECT_TYPE(objectType); } PhFree(objectTypes); } // Sort the object types. qsort(objectTypeList->Items, objectTypeList->Count, sizeof(PVOID), PhpStringObjectTypeCompare); // Set the font, add the dropdown entries and adjust the dropdown width. { LONG maxLength; HDC comboDc; HFONT oldFont; maxLength = 0; comboDc = GetDC(Context->TypeWindowHandle); oldFont = SelectFont(comboDc, Context->TypeWindowFont); SetWindowFont(Context->TypeWindowHandle, Context->TypeWindowFont, TRUE); for (ULONG i = 0; i < objectTypeList->Count; i++) { PPH_STRING entry = objectTypeList->Items[i]; SIZE textSize; if (GetTextExtentPoint32(comboDc, entry->Buffer, (ULONG)entry->Length / sizeof(WCHAR), &textSize)) { if (textSize.cx > maxLength) maxLength = textSize.cx; } ComboBox_AddString(Context->TypeWindowHandle, PhGetString(objectTypeList->Items[i])); PhDereferenceObject(objectTypeList->Items[i]); } if (oldFont) SelectFont(comboDc, oldFont); ReleaseDC(Context->TypeWindowHandle, comboDc); maxLength += PhGetSystemMetrics(SM_CXVSCROLL, PhGetWindowDpi(Context->TypeWindowHandle)) * 2; if (maxLength) { SendMessage(Context->TypeWindowHandle, CB_SETDROPPEDWIDTH, maxLength, 0); } } PhDereferenceObject(objectTypeList); } VOID PhpFindObjectAddResultEntries( _In_ PPH_HANDLE_SEARCH_CONTEXT Context ) { ULONG i; PhAcquireQueuedLockExclusive(&Context->SearchResultsLock); if (Context->SearchResults->Count == 0 || Context->SearchResultsAddIndex == Context->SearchResults->Count) { PhReleaseQueuedLockExclusive(&Context->SearchResultsLock); return; } TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); for (i = Context->SearchResultsAddIndex; i < Context->SearchResults->Count; i++) { PPHP_OBJECT_SEARCH_RESULT searchResult = Context->SearchResults->Items[i]; CLIENT_ID clientId; PPH_PROCESS_ITEM processItem; PPH_HANDLE_OBJECT_TREE_ROOT_NODE objectNode; clientId.UniqueProcess = searchResult->ProcessId; clientId.UniqueThread = NULL; processItem = PhReferenceProcessItem(clientId.UniqueProcess); objectNode = PhpAddHandleObjectNode(Context, searchResult->Handle); objectNode->ProcessId = searchResult->ProcessId; objectNode->ResultType = searchResult->ResultType; objectNode->ClientIdName = PhGetClientIdNameEx(&clientId, processItem ? processItem->ProcessName : NULL); objectNode->TypeNameString = searchResult->TypeName; objectNode->ObjectNameString = searchResult->ObjectName; objectNode->BestObjectName = searchResult->BestObjectName; objectNode->HandleInfo = searchResult->Info; PhPrintPointer(objectNode->HandleString, searchResult->Handle); if (searchResult->Object) { objectNode->HandleObject = searchResult->Object; PhPrintPointer(objectNode->ObjectString, searchResult->Object); } if (searchResult->Info.GrantedAccess != 0) { PPH_ACCESS_ENTRY accessEntries; ULONG numberOfAccessEntries; if (PhGetAccessEntries(PhGetStringOrEmpty(searchResult->TypeName), &accessEntries, &numberOfAccessEntries)) { objectNode->GrantedAccessSymbolicText = PhGetAccessString(searchResult->Info.GrantedAccess, accessEntries, numberOfAccessEntries); PhFree(accessEntries); } if (objectNode->GrantedAccessSymbolicText) { WCHAR grantedAccessString[PH_PTR_STR_LEN_1]; PhPrintPointer(grantedAccessString, UlongToPtr(searchResult->Info.GrantedAccess)); PhMoveReference(&objectNode->GrantedAccessSymbolicText, PhFormatString( L"%s (%s)", PhGetString(objectNode->GrantedAccessSymbolicText), grantedAccessString )); } } if (processItem) { PhDereferenceObject(processItem); } } TreeNew_NodesStructured(Context->TreeNewHandle); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); Context->SearchResultsAddIndex = i; PhReleaseQueuedLockExclusive(&Context->SearchResultsLock); } VOID PhpFindObjectClearResultEntries( _In_ PPH_HANDLE_SEARCH_CONTEXT Context ) { PhpClearHandleObjectTree(Context); Context->SearchResultsAddIndex = 0; for (ULONG i = 0; i < Context->SearchResults->Count; i++) PhFree(Context->SearchResults->Items[i]); PhClearList(Context->SearchResults); } static BOOLEAN MatchSearchString( _In_ PPH_HANDLE_SEARCH_CONTEXT Context, _In_ PPH_STRINGREF Input ) { return PhSearchControlMatch(Context->SearchMatchHandle, Input); } static BOOLEAN MatchTypeString( _In_ PPH_HANDLE_SEARCH_CONTEXT Context, _In_ PPH_STRINGREF Input ) { if (PhEqualString2(Context->SearchTypeString, L"Everything", FALSE)) return TRUE; return PhEqualStringRef(Input, &Context->SearchTypeString->sr, TRUE); } typedef struct _SEARCH_HANDLE_CONTEXT { PPH_HANDLE_SEARCH_CONTEXT WindowContext; BOOLEAN NeedToFree; PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX HandleInfo; HANDLE ProcessHandle; } SEARCH_HANDLE_CONTEXT, *PSEARCH_HANDLE_CONTEXT; _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS NTAPI SearchHandleFunction( _In_ PVOID Parameter ) { PSEARCH_HANDLE_CONTEXT handleContext = Parameter; PPH_HANDLE_SEARCH_CONTEXT context = handleContext->WindowContext; PPH_STRING typeName; PPH_STRING objectName; PPH_STRING bestObjectName; if (NT_SUCCESS(PhGetHandleInformation( handleContext->ProcessHandle, handleContext->HandleInfo->HandleValue, handleContext->HandleInfo->ObjectTypeIndex, NULL, &typeName, &objectName, &bestObjectName ))) { PPH_STRING upperObjectName; PPH_STRING upperBestObjectName; PPH_STRING upperTypeName; upperObjectName = PhUpperString(objectName); upperBestObjectName = PhUpperString(bestObjectName); upperTypeName = PhUpperString(typeName); if (((context->SearchAll || MatchSearchString(context, &upperObjectName->sr) || MatchSearchString(context, &upperBestObjectName->sr)) && MatchTypeString(context, &upperTypeName->sr)) || PhSearchControlMatchPointer(context->SearchMatchHandle, handleContext->HandleInfo->Object) || PhSearchControlMatchPointer(context->SearchMatchHandle, handleContext->HandleInfo->HandleValue)) { PPHP_OBJECT_SEARCH_RESULT searchResult; searchResult = PhAllocateZero(sizeof(PHP_OBJECT_SEARCH_RESULT)); searchResult->ProcessId = handleContext->HandleInfo->UniqueProcessId; searchResult->ResultType = HandleSearchResult; searchResult->Object = handleContext->HandleInfo->Object; searchResult->Handle = handleContext->HandleInfo->HandleValue; searchResult->TypeName = typeName; searchResult->ObjectName = objectName; searchResult->BestObjectName = bestObjectName; searchResult->Info = *handleContext->HandleInfo; PhAcquireQueuedLockExclusive(&context->SearchResultsLock); PhAddItemList(context->SearchResults, searchResult); PhReleaseQueuedLockExclusive(&context->SearchResultsLock); } else { PhDereferenceObject(typeName); PhDereferenceObject(objectName); PhDereferenceObject(bestObjectName); } PhDereferenceObject(upperTypeName); PhDereferenceObject(upperBestObjectName); PhDereferenceObject(upperObjectName); } if (handleContext->NeedToFree) PhFree(handleContext); return STATUS_SUCCESS; } typedef struct _SEARCH_MODULE_CONTEXT { PPH_HANDLE_SEARCH_CONTEXT WindowContext; HANDLE ProcessId; } SEARCH_MODULE_CONTEXT, *PSEARCH_MODULE_CONTEXT; _Function_class_(PH_ENUM_GENERIC_MODULES_CALLBACK) static BOOLEAN NTAPI EnumModulesCallback( _In_ PPH_MODULE_INFO Module, _In_ PSEARCH_MODULE_CONTEXT Context ) { PPH_HANDLE_SEARCH_CONTEXT context = Context->WindowContext; PPH_STRING filenameWin32; PPH_STRING upperFileName; PPH_STRING upperOriginalFileName; filenameWin32 = PhGetFileName(Module->FileName); upperFileName = PhUpperString(filenameWin32); upperOriginalFileName = PhUpperString(Module->FileName); if (( context->SearchAll || MatchSearchString(context, &upperFileName->sr) || MatchSearchString(context, &upperOriginalFileName->sr)) || PhSearchControlMatchPointer(context->SearchMatchHandle, Module->BaseAddress)) { PPHP_OBJECT_SEARCH_RESULT searchResult; PCWSTR typeName; switch (Module->Type) { case PH_MODULE_TYPE_MAPPED_FILE: typeName = L"Mapped file"; break; case PH_MODULE_TYPE_MAPPED_IMAGE: typeName = L"Mapped image"; break; default: typeName = L"DLL"; break; } searchResult = PhAllocateZero(sizeof(PHP_OBJECT_SEARCH_RESULT)); searchResult->ProcessId = Context->ProcessId; searchResult->ResultType = (Module->Type == PH_MODULE_TYPE_MAPPED_FILE || Module->Type == PH_MODULE_TYPE_MAPPED_IMAGE) ? MappedFileSearchResult : ModuleSearchResult; searchResult->Handle = Module->BaseAddress; searchResult->TypeName = PhCreateString(typeName); PhSetReference(&searchResult->BestObjectName, filenameWin32); PhSetReference(&searchResult->ObjectName, Module->FileName); PhAcquireQueuedLockExclusive(&context->SearchResultsLock); PhAddItemList(context->SearchResults, searchResult); PhReleaseQueuedLockExclusive(&context->SearchResultsLock); } PhDereferenceObject(upperOriginalFileName); PhDereferenceObject(upperFileName); PhDereferenceObject(filenameWin32); return TRUE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpFindObjectsThreadStart( _In_ PVOID Parameter ) { PPH_HANDLE_SEARCH_CONTEXT context = Parameter; NTSTATUS status = STATUS_SUCCESS; PSYSTEM_HANDLE_INFORMATION_EX handles; PPH_HASHTABLE processHandleHashtable; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; ULONG i; // Refuse to search with no filter. if (!context->SearchMatchHandle && !context->SearchAll) { goto CleanupExit; } status = PhEnumHandlesEx(&handles); if (NT_SUCCESS(status)) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static USHORT fileObjectTypeIndex = USHRT_MAX; BOOLEAN useWorkQueue = FALSE; PH_WORK_QUEUE workQueue; processHandleHashtable = PhCreateSimpleHashtable(8); if (KsiLevel() < KphLevelMed) { useWorkQueue = TRUE; PhInitializeWorkQueue(&workQueue, 1, 20, 1000); if (PhBeginInitOnce(&initOnce)) { fileObjectTypeIndex = (USHORT)PhGetObjectTypeNumberZ(L"File"); PhEndInitOnce(&initOnce); } } for (i = 0; i < handles->NumberOfHandles; i++) { PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo = &handles->Handles[i]; HANDLE processHandle; // Don't continue if the user requested cancellation. if (context->SearchStop) break; // Open a handle to the process if we don't already have one. if (!(processHandle = PhFindItemSimpleHashtable2(processHandleHashtable, handleInfo->UniqueProcessId))) { if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, handleInfo->UniqueProcessId))) { PhAddItemSimpleHashtable(processHandleHashtable, handleInfo->UniqueProcessId, processHandle); } else { if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_INFORMATION, handleInfo->UniqueProcessId))) { PhAddItemSimpleHashtable(processHandleHashtable, handleInfo->UniqueProcessId, processHandle); } else { continue; } } } if (useWorkQueue && handleInfo->ObjectTypeIndex == fileObjectTypeIndex) { PSEARCH_HANDLE_CONTEXT searchHandleContext; searchHandleContext = PhAllocateZero(sizeof(SEARCH_HANDLE_CONTEXT)); searchHandleContext->WindowContext = context; searchHandleContext->NeedToFree = TRUE; searchHandleContext->HandleInfo = handleInfo; searchHandleContext->ProcessHandle = processHandle; PhQueueItemWorkQueue(&workQueue, SearchHandleFunction, searchHandleContext); } else { SEARCH_HANDLE_CONTEXT searchHandleContext; searchHandleContext.WindowContext = context; searchHandleContext.NeedToFree = FALSE; searchHandleContext.HandleInfo = handleInfo; searchHandleContext.ProcessHandle = processHandle; SearchHandleFunction(&searchHandleContext); } } if (useWorkQueue) { PhWaitForWorkQueue(&workQueue); PhDeleteWorkQueue(&workQueue); } { PPH_KEY_VALUE_PAIR entry; i = 0; while (PhEnumHashtable(processHandleHashtable, &entry, &i)) { if (entry->Value) { status = NtClose(entry->Value); if (!NT_SUCCESS(status)) { PhShowStatus(NULL, L"Unidentified third party object.", status, 0); } } } } PhDereferenceObject(processHandleHashtable); PhFree(handles); } if (context->SearchStop) goto CleanupExit; if (PhEqualString2(context->SearchTypeString, L"File", TRUE) || PhEqualString2(context->SearchTypeString, L"Everything", FALSE)) { if (NT_SUCCESS(PhEnumProcesses(&processes))) { process = PH_FIRST_PROCESS(processes); do { SEARCH_MODULE_CONTEXT searchModuleContext; if (context->SearchStop) break; searchModuleContext.WindowContext = context; searchModuleContext.ProcessId = process->UniqueProcessId; PhEnumGenericModules( process->UniqueProcessId, NULL, PH_ENUM_GENERIC_MAPPED_FILES | PH_ENUM_GENERIC_MAPPED_IMAGES, EnumModulesCallback, &searchModuleContext ); } while (process = PH_NEXT_PROCESS(process)); PhFree(processes); } } CleanupExit: PostMessage(context->WindowHandle, WM_PH_SEARCH_FINISHED, status, 0); PhDereferenceObject(context); return STATUS_SUCCESS; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpFindObjectsDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_HANDLE_SEARCH_CONTEXT context = Object; if (context->SearchResults) { for (ULONG i = 0; i < context->SearchResults->Count; i++) PhFree(context->SearchResults->Items[i]); PhClearList(context->SearchResults); PhClearReference(&context->SearchResults); } PhClearReference(&context->SearchTypeString); } PPH_HANDLE_SEARCH_CONTEXT PhCreateFindObjectContext( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_HANDLE_SEARCH_CONTEXT context; if (PhBeginInitOnce(&initOnce)) { PhFindObjectsItemType = PhCreateObjectType(L"FindObjectsItem", 0, PhpFindObjectsDeleteProcedure); PhEndInitOnce(&initOnce); } context = PhCreateObject(sizeof(PH_HANDLE_SEARCH_CONTEXT), PhFindObjectsItemType); memset(context, 0, sizeof(PH_HANDLE_SEARCH_CONTEXT)); return context; } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhFindObjectsSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_HANDLE_SEARCH_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatchHandle; } INT_PTR CALLBACK PhFindObjectsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_HANDLE_SEARCH_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = PhCreateFindObjectContext(); PhSetDialogContext(hwndDlg, context); } else { context = PhGetDialogContext(hwndDlg); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(hwndDlg); context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_TREELIST); context->TypeWindowHandle = GetDlgItem(hwndDlg, IDC_FILTERTYPE); context->SearchWindowHandle = GetDlgItem(hwndDlg, IDC_FILTER); context->TypeWindowFont = PhDuplicateFont(PhApplicationFont); context->WindowText = PhGetWindowText(hwndDlg); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->TypeWindowHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP); PhAddLayoutItem(&context->LayoutManager, context->SearchWindowHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhRegisterDialog(hwndDlg); PhCreateSearchControl( hwndDlg, context->SearchWindowHandle, L"Find Handles or DLLs", PhFindObjectsSearchControlCallback, context ); PhpPopulateObjectTypes(context); PhpInitializeHandleObjectTree(context); context->MinimumSize.left = 0; context->MinimumSize.top = 0; context->MinimumSize.right = 300; context->MinimumSize.bottom = 100; MapDialogRect(hwndDlg, &context->MinimumSize); if (PhValidWindowPlacementFromSetting(SETTING_FIND_OBJ_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_FIND_OBJ_WINDOW_POSITION, SETTING_FIND_OBJ_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, (HWND)lParam); PhRegisterWindowCallback(hwndDlg, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); context->SearchResults = PhCreateList(128); context->SearchResultsAddIndex = 0; PhSetTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT, 1000, NULL); Edit_SetSel(context->SearchWindowHandle, 0, -1); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveDialogContext(hwndDlg); context->SearchStop = TRUE; PhKillTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT); if (context->SearchThreadHandle) { NtWaitForSingleObject(context->SearchThreadHandle, FALSE, NULL); NtClose(context->SearchThreadHandle); context->SearchThreadHandle = NULL; } PhSaveWindowPlacementToSetting(SETTING_FIND_OBJ_WINDOW_POSITION, SETTING_FIND_OBJ_WINDOW_SIZE, hwndDlg); PhUnregisterWindowCallback(hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); PhpDeleteHandleObjectTree(context); if (context->WindowText) PhDereferenceObject(context->WindowText); if (context->TypeWindowFont) DeleteFont(context->TypeWindowFont); PhDereferenceObject(context); PostQuitMessage(0); } break; case WM_PH_SEARCH_SHOWDIALOG: { if (IsMinimized(hwndDlg)) ShowWindow(hwndDlg, SW_RESTORE); else ShowWindow(hwndDlg, SW_SHOW); SetForegroundWindow(hwndDlg); } break; case WM_SETCURSOR: { if (context->SearchThreadHandle) { PhSetCursor(PhLoadCursor(NULL, IDC_APPSTARTING)); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, TRUE); return TRUE; } } break; case WM_COMMAND: { if (GET_WM_COMMAND_HWND(wParam, lParam) == context->TypeWindowHandle) { switch (GET_WM_COMMAND_CMD(wParam, lParam)) { case CBN_SELCHANGE: { // Change focus from the dropdown list to the searchbox. SetFocus(context->SearchWindowHandle); } break; } } switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDOK: { // Don't continue if the user requested cancellation. if (context->SearchStop) break; // Restore the original window title. (dmex) PhSetWindowText(hwndDlg, PhGetStringOrEmpty(context->WindowText)); if (!context->SearchThreadHandle) { // Setup search parameters. context->SearchAll = !!PhIsNullOrEmptyString(PhaGetWindowText(context->SearchWindowHandle)); PhMoveReference(&context->SearchTypeString, PhGetWindowText(context->TypeWindowHandle)); // Clean up previous results. PhpFindObjectClearResultEntries(context); // Start the search. PhReferenceObject(context); if (!NT_SUCCESS(PhCreateThreadEx(&context->SearchThreadHandle, PhpFindObjectsThreadStart, context))) { PhDereferenceObject(context); break; } PhSetDialogItemText(hwndDlg, IDOK, L"Cancel"); PhSetCursor(PhLoadCursor(NULL, IDC_APPSTARTING)); } else { context->SearchStop = TRUE; EnableWindow(GetDlgItem(hwndDlg, IDOK), FALSE); } } break; case IDCANCEL: { DestroyWindow(hwndDlg); } break; case WM_PH_SEARCH_SHOWMENU: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_HANDLE_OBJECT_TREE_ROOT_NODE *handleObjectNodes = NULL; ULONG numberOfHandleObjectNodes = 0; if (!PhpGetSelectedHandleObjectNodes(context, &handleObjectNodes, &numberOfHandleObjectNodes)) break; if (numberOfHandleObjectNodes != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_OBJECT_CLOSE, L"C&lose\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_OBJECT_GOTOOWNINGPROCESS, L"Go to &process...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_OBJECT_PROPERTIES, L"Prope&rties", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_OBJECT_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, ID_OBJECT_COPY, context->TreeNewHandle, contextMenuEvent->Column); PhSetFlagsEMenuItem(menu, ID_OBJECT_PROPERTIES, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhpInitializeFindObjMenu(menu, handleObjectNodes, numberOfHandleObjectNodes); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { PhHandleCopyCellEMenuItem(selectedItem); } PhDestroyEMenu(menu); } PhFree(handleObjectNodes); } break; case ID_OBJECT_CLOSE: { PPH_HANDLE_OBJECT_TREE_ROOT_NODE *handleObjectNodes = NULL; ULONG numberOfHandleObjectNodes = 0; BOOLEAN allCanBeClosed = TRUE; if (!PhpGetSelectedHandleObjectNodes(context, &handleObjectNodes, &numberOfHandleObjectNodes)) break; // Check the item called by TreeNewKeyDown is valid (dmex) for (ULONG i = 0; i < numberOfHandleObjectNodes; i++) { if (handleObjectNodes[i]->ResultType != HandleSearchResult) { allCanBeClosed = FALSE; break; } } if (!allCanBeClosed) break; if (numberOfHandleObjectNodes != 0 && PhShowConfirmMessage( hwndDlg, L"close", numberOfHandleObjectNodes == 1 ? L"the selected handle" : L"the selected handles", L"Closing handles may cause system instability and data corruption.", FALSE )) { for (ULONG i = 0; i < numberOfHandleObjectNodes; i++) { NTSTATUS status; HANDLE processHandle; if (handleObjectNodes[i]->ResultType != HandleSearchResult) continue; if (WindowsVersion >= WINDOWS_10) { if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION, handleObjectNodes[i]->ProcessId ))) { BOOLEAN critical = FALSE; BOOLEAN strict = FALSE; BOOLEAN breakOnTermination; PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; if (NT_SUCCESS(PhGetProcessBreakOnTermination( processHandle, &breakOnTermination ))) { if (breakOnTermination) { critical = TRUE; } } policyInfo.Policy = ProcessStrictHandleCheckPolicy; policyInfo.StrictHandleCheckPolicy.Flags = 0; if (NT_SUCCESS(NtQueryInformationProcess( processHandle, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL ))) { if (policyInfo.StrictHandleCheckPolicy.Flags != 0) { strict = TRUE; } } NtClose(processHandle); if (critical && strict) { if (!PhShowConfirmMessage( hwndDlg, L"close", L"critical handle(s)", L"You are about to close one or more handles for a critical process with strict handle checks enabled. This will shut down the operating system immediately.\r\n\r\n", TRUE )) { continue; } } } } if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, handleObjectNodes[i]->ProcessId ))) { if (NT_SUCCESS(status = NtDuplicateObject( processHandle, handleObjectNodes[i]->Handle, NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE ))) { if (handleObjectNodes[i]->HandleInfo.HandleAttributes & OBJ_PROTECT_CLOSE) status = STATUS_HANDLE_NOT_CLOSABLE; else PhpRemoveHandleObjectNode(context, handleObjectNodes[i]); } NtClose(processHandle); } if (!NT_SUCCESS(status)) { if (!PhShowContinueStatus(hwndDlg, PhaFormatString(L"Unable to close \"%s\"", PhGetStringOrDefault(handleObjectNodes[i]->BestObjectName, L"??"))->Buffer, status, 0 )) break; } } } PhFree(handleObjectNodes); } break; case ID_HANDLE_OBJECTPROPERTIES1: case ID_HANDLE_OBJECTPROPERTIES2: { PPH_HANDLE_OBJECT_TREE_ROOT_NODE handleObjectNode; if (handleObjectNode = PhpGetSelectedHandleObjectNode(context)) { PH_HANDLE_ITEM_INFO info; info.ProcessId = handleObjectNode->ProcessId; info.Handle = handleObjectNode->Handle; info.TypeName = handleObjectNode->TypeNameString; info.BestObjectName = handleObjectNode->BestObjectName; if (GET_WM_COMMAND_ID(wParam, lParam) == ID_HANDLE_OBJECTPROPERTIES1) PhShowHandleObjectProperties1(hwndDlg, &info); else PhShowHandleObjectProperties2(hwndDlg, &info); } } break; case ID_OBJECT_GOTOOWNINGPROCESS: { PPH_HANDLE_OBJECT_TREE_ROOT_NODE handleObjectNode; if (handleObjectNode = PhpGetSelectedHandleObjectNode(context)) { PPH_PROCESS_NODE processNode; if (processNode = PhFindProcessNode(handleObjectNode->ProcessId)) { SystemInformer_SelectTabPage(0); SystemInformer_SelectProcessNode(processNode); SystemInformer_ToggleVisible(TRUE); } else { PhShowStatus(hwndDlg, L"The process does not exist.", STATUS_INVALID_CID, 0); } } } break; case ID_OBJECT_PROPERTIES: { PPH_HANDLE_OBJECT_TREE_ROOT_NODE handleObjectNode; if (handleObjectNode = PhpGetSelectedHandleObjectNode(context)) { if (handleObjectNode->ResultType == HandleSearchResult) { PPH_HANDLE_ITEM handleItem; handleItem = PhCreateHandleItem(&handleObjectNode->HandleInfo); if (!PhIsNullOrEmptyString(handleObjectNode->TypeNameString)) handleItem->TypeName = PhReferenceObject(handleObjectNode->TypeNameString); if (!PhIsNullOrEmptyString(handleObjectNode->ObjectNameString)) handleItem->ObjectName = PhReferenceObject(handleObjectNode->ObjectNameString); if (!PhIsNullOrEmptyString(handleObjectNode->BestObjectName)) handleItem->BestObjectName = PhReferenceObject(handleObjectNode->BestObjectName); PhShowHandleProperties( hwndDlg, handleObjectNode->ProcessId, handleItem ); PhDereferenceObject(handleItem); } else { // DLL or Mapped File. Just show file properties. PhShellProperties(hwndDlg, handleObjectNode->BestObjectName->Buffer); } } } break; case ID_OBJECT_COPY: { PPH_STRING text; text = PhGetTreeNewText(context->TreeNewHandle, 0); PhSetClipboardString(context->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); PhpUpdateDropdownThemeMetrics(context, LOWORD(wParam)); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, context->MinimumSize.right, context->MinimumSize.bottom); } break; case WM_TIMER: { switch (wParam) { case PH_WINDOW_TIMER_DEFAULT: { if (!context->SearchThreadHandle) break; // Update the search results. PhpFindObjectAddResultEntries(context); } break; } } break; case WM_PH_SEARCH_FINISHED: { // Add any un-added items. PhpFindObjectAddResultEntries(context); // Add the result count to the window title. (dmex) PhSetWindowText(hwndDlg, PhaFormatString( L"%s (%lu results)", PhGetStringOrEmpty(context->WindowText), context->SearchResultsAddIndex )->Buffer); NtWaitForSingleObject(context->SearchThreadHandle, FALSE, NULL); NtClose(context->SearchThreadHandle); context->SearchThreadHandle = NULL; context->SearchStop = FALSE; PhSetDialogItemText(hwndDlg, IDOK, L"Find"); EnableWindow(GetDlgItem(hwndDlg, IDOK), TRUE); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); if ((NTSTATUS)wParam == STATUS_INSUFFICIENT_RESOURCES) { PhShowWarning2( hwndDlg, L"Unable to search for handles because the total number of handles on the system is too large.", L"%s", L"Please check if there are any processes with an extremely large number of handles open." ); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpFindObjectsDialogThreadStart( _In_ PVOID Parameter ) { BOOL result; MSG message; PH_AUTO_POOL autoPool; PhInitializeAutoPool(&autoPool); PhFindObjectsWindowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_FINDOBJECTS), NULL, PhFindObjectsDlgProc, Parameter ); PhSetEvent(&PhFindObjectsInitializedEvent); while (result = GetMessage(&message, NULL, 0, 0)) { if (result == INT_ERROR) break; if (!IsDialogMessage(PhFindObjectsWindowHandle, &message)) { TranslateMessage(&message); DispatchMessage(&message); } PhDrainAutoPool(&autoPool); } PhDeleteAutoPool(&autoPool); PhResetEvent(&PhFindObjectsInitializedEvent); if (PhFindObjectsThreadHandle) { NtClose(PhFindObjectsThreadHandle); PhFindObjectsThreadHandle = NULL; } return STATUS_SUCCESS; } VOID PhShowFindObjectsDialog( _In_ HWND ParentWindowHandle ) { if (!PhFindObjectsThreadHandle) { if (!NT_SUCCESS(PhCreateThreadEx(&PhFindObjectsThreadHandle, PhpFindObjectsDialogThreadStart, ParentWindowHandle))) { PhShowStatus(ParentWindowHandle, L"Unable to create the window.", 0, ERROR_OUTOFMEMORY); return; } PhWaitForEvent(&PhFindObjectsInitializedEvent, NULL); } PostMessage(PhFindObjectsWindowHandle, WM_PH_SEARCH_SHOWDIALOG, 0, 0); } ================================================ FILE: SystemInformer/gdihndl.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2021-2023 * */ #include #include #include #include #include typedef struct _PH_GDI_HANDLES_CONTEXT { HWND ListViewHandle; HWND ParentWindowHandle; PPH_PROCESS_ITEM ProcessItem; PPH_LIST List; PH_LAYOUT_MANAGER LayoutManager; } PH_GDI_HANDLES_CONTEXT, *PPH_GDI_HANDLES_CONTEXT; typedef struct _PH_GDI_HANDLE_ITEM { PGDI_HANDLE_ENTRY Entry; ULONG Handle; PVOID Object; PCWSTR TypeName; PPH_STRING Information; } PH_GDI_HANDLE_ITEM, *PPH_GDI_HANDLE_ITEM; INT_PTR CALLBACK PhpGdiHandlesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowGdiHandlesDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_GDI_HANDLES_CONTEXT context; HWND windowHandle; context = PhAllocateZero(sizeof(PH_GDI_HANDLES_CONTEXT)); context->ProcessItem = PhReferenceObject(ProcessItem); context->List = PhCreateList(20); context->ParentWindowHandle = ParentWindowHandle; windowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_GDIHANDLES), PhCsForceNoParent ? NULL : ParentWindowHandle, PhpGdiHandlesDlgProc, context ); ShowWindow(windowHandle, SW_SHOW); SetForegroundWindow(windowHandle); } PCWSTR PhpGetGdiHandleTypeName( _In_ ULONG Unique ) { switch (GDI_CLIENT_TYPE_FROM_UNIQUE(Unique)) { case GDI_CLIENT_ALTDC_TYPE: return L"Alt. DC"; case GDI_CLIENT_BITMAP_TYPE: return L"Bitmap"; case GDI_CLIENT_BRUSH_TYPE: return L"Brush"; case GDI_CLIENT_CLIENTOBJ_TYPE: return L"Client Object"; case GDI_CLIENT_DIBSECTION_TYPE: return L"DIB Section"; case GDI_CLIENT_DC_TYPE: return L"DC"; case GDI_CLIENT_EXTPEN_TYPE: return L"ExtPen"; case GDI_CLIENT_FONT_TYPE: return L"Font"; case GDI_CLIENT_METADC16_TYPE: return L"Metafile DC"; case GDI_CLIENT_METAFILE_TYPE: return L"Enhanced Metafile"; case GDI_CLIENT_METAFILE16_TYPE: return L"Metafile"; case GDI_CLIENT_PALETTE_TYPE: return L"Palette"; case GDI_CLIENT_PEN_TYPE: return L"Pen"; case GDI_CLIENT_REGION_TYPE: return L"Region"; default: return NULL; } } PPH_STRING PhpGetGdiHandleInformation( _In_ ULONG Handle ) { HGDIOBJ handle; handle = (HGDIOBJ)UlongToPtr(Handle); switch (GDI_CLIENT_TYPE_FROM_HANDLE(Handle)) { case GDI_CLIENT_BITMAP_TYPE: case GDI_CLIENT_DIBSECTION_TYPE: { BITMAP bitmap; if (GetObject(handle, sizeof(BITMAP), &bitmap)) { return PhFormatString( L"Width: %u, Height: %u, Depth: %u", bitmap.bmWidth, bitmap.bmHeight, bitmap.bmBitsPixel ); } } break; case GDI_CLIENT_BRUSH_TYPE: { LOGBRUSH brush; if (GetObject(handle, sizeof(LOGBRUSH), &brush)) { return PhFormatString( L"Style: %u, Color: 0x%08x, Hatch: 0x%Ix", brush.lbStyle, _byteswap_ulong(brush.lbColor), brush.lbHatch ); } } break; case GDI_CLIENT_EXTPEN_TYPE: { EXTLOGPEN pen; if (GetObject(handle, sizeof(EXTLOGPEN), &pen)) { return PhFormatString( L"Style: 0x%x, Width: %u, Color: 0x%08x", pen.elpPenStyle, pen.elpWidth, _byteswap_ulong(pen.elpColor) ); } } break; case GDI_CLIENT_FONT_TYPE: { LOGFONT font; if (GetObject(handle, sizeof(LOGFONT), &font)) { return PhFormatString( L"Face: %s, Height: %d", font.lfFaceName, font.lfHeight ); } } break; case GDI_CLIENT_PALETTE_TYPE: { USHORT count; if (GetObject(handle, sizeof(USHORT), &count)) { return PhFormatString( L"Entries: %u", (ULONG)count ); } } break; case GDI_CLIENT_PEN_TYPE: { LOGPEN pen; if (GetObject(handle, sizeof(LOGPEN), &pen)) { return PhFormatString( L"Style: %u, Width: %u, Color: 0x%08x", pen.lopnStyle, pen.lopnWidth.x, _byteswap_ulong(pen.lopnColor) ); } } break; } return NULL; } VOID PhpRefreshGdiHandles( _In_ PPH_GDI_HANDLES_CONTEXT Context ) { ULONG i; PGDI_SHARED_MEMORY gdiShared; USHORT processId; ULONG handleCount; PGDI_HANDLE_ENTRY handle; PPH_GDI_HANDLE_ITEM gdiHandleItem; MEMORY_BASIC_INFORMATION basicInfo; memset(&basicInfo, 0, sizeof(MEMORY_BASIC_INFORMATION)); ExtendedListView_SetRedraw(Context->ListViewHandle, FALSE); ListView_DeleteAllItems(Context->ListViewHandle); for (i = 0; i < Context->List->Count; i++) { gdiHandleItem = Context->List->Items[i]; if (gdiHandleItem->Information) PhDereferenceObject(gdiHandleItem->Information); PhFree(Context->List->Items[i]); Context->List->Items[i] = NULL; } PhClearList(Context->List); gdiShared = (PGDI_SHARED_MEMORY)NtCurrentPeb()->GdiSharedHandleTable; processId = (USHORT)HandleToUlong(Context->ProcessItem->ProcessId); handleCount = GDI_MAX_HANDLE_COUNT; if (NT_SUCCESS(NtQueryVirtualMemory( NtCurrentProcess(), gdiShared, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { handleCount = (ULONG)(basicInfo.RegionSize / sizeof(GDI_HANDLE_ENTRY)); handleCount = __min(GDI_MAX_HANDLE_COUNT, handleCount); } for (i = 0; i < handleCount; i++) { PCWSTR typeName; LONG lvItemIndex; WCHAR pointer[PH_PTR_STR_LEN_1]; handle = &gdiShared->Handles[i]; if (handle->Owner.ProcessId != processId) continue; typeName = PhpGetGdiHandleTypeName(handle->Unique); if (!typeName) continue; gdiHandleItem = PhAllocateZero(sizeof(PH_GDI_HANDLE_ITEM)); gdiHandleItem->Entry = handle; gdiHandleItem->Handle = GDI_MAKE_HANDLE(i, handle->Unique); gdiHandleItem->Object = handle->Object; gdiHandleItem->TypeName = typeName; gdiHandleItem->Information = PhpGetGdiHandleInformation(gdiHandleItem->Handle); PhAddItemList(Context->List, gdiHandleItem); lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, gdiHandleItem->TypeName, gdiHandleItem); PhPrintPointer(pointer, UlongToPtr(gdiHandleItem->Handle)); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, pointer); PhPrintPointer(pointer, gdiHandleItem->Object); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, pointer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 3, PhGetString(gdiHandleItem->Information)); } ExtendedListView_SortItems(Context->ListViewHandle); ExtendedListView_SetRedraw(Context->ListViewHandle, TRUE); } LONG NTAPI PhpGdiHandleHandleCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_opt_ PVOID Context ) { PPH_GDI_HANDLE_ITEM item1 = Item1; PPH_GDI_HANDLE_ITEM item2 = Item2; return uintcmp(item1->Handle, item2->Handle); } LONG NTAPI PhpGdiHandleObjectCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_opt_ PVOID Context ) { PPH_GDI_HANDLE_ITEM item1 = Item1; PPH_GDI_HANDLE_ITEM item2 = Item2; return uintptrcmp((ULONG_PTR)item1->Object, (ULONG_PTR)item2->Object); } INT_PTR CALLBACK PhpGdiHandlesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_GDI_HANDLES_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PPH_GDI_HANDLES_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, context->ParentWindowHandle); PhRegisterDialog(hwndDlg); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REFRESH), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); PhSetListViewStyle(context->ListViewHandle, TRUE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 100, L"Type"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 80, L"Handle"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 102, L"Object"); PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 200, L"Information"); PhSetExtendedListView(context->ListViewHandle); ExtendedListView_SetCompareFunction(context->ListViewHandle, 1, PhpGdiHandleHandleCompareFunction); ExtendedListView_SetCompareFunction(context->ListViewHandle, 2, PhpGdiHandleObjectCompareFunction); ExtendedListView_AddFallbackColumn(context->ListViewHandle, 0); ExtendedListView_AddFallbackColumn(context->ListViewHandle, 1); { PPH_STRING windowTitle; windowTitle = PhGetWindowText(hwndDlg); PhMoveReference(&windowTitle, PhFormatString( L"%s: %s (%lu)", PhGetStringOrEmpty(windowTitle), PhGetStringOrEmpty(context->ProcessItem->ProcessName), HandleToUlong(context->ProcessItem->ProcessId) )); PhSetWindowText(hwndDlg, PhGetStringOrEmpty(windowTitle)); PhDereferenceObject(windowTitle); } PhpRefreshGdiHandles(context); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhUnregisterDialog(hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); if (context->List) { for (ULONG i = 0; i < context->List->Count; i++) { PPH_GDI_HANDLE_ITEM gdiHandleItem = context->List->Items[i]; if (gdiHandleItem->Information) PhDereferenceObject(gdiHandleItem->Information); PhFree(context->List->Items[i]); context->List->Items[i] = NULL; } PhDereferenceObject(context->List); } if (context->ProcessItem) { PhDereferenceObject(context->ProcessItem); } PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_REFRESH: PhpRefreshGdiHandles(context); break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_NOTIFY: { PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { if (!PhHandleCopyListViewEMenuItem(item)) { switch (item->Id) { case IDC_COPY: PhCopyListView(context->ListViewHandle); break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/heapinfo.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * dmex 2020-2023 * */ #include #include #include #include #include #include #include typedef struct _PH_PROCESS_HEAPS_CONTEXT { HWND WindowHandle; HWND ParentWindowHandle; HWND ListViewHandle; HFONT BoldFont; union { BOOLEAN Flags; struct { BOOLEAN Initialized : 1; BOOLEAN IsWow64Process : 1; BOOLEAN Spare : 6; }; }; PPH_PROCESS_ITEM ProcessItem; PVOID ProcessHeap; PVOID DebugBuffer; PH_LAYOUT_MANAGER LayoutManager; } PH_PROCESS_HEAPS_CONTEXT, *PPH_PROCESS_HEAPS_CONTEXT; typedef struct _HEAP_COUNTERS { ULONG_PTR TotalMemoryReserved; ULONG_PTR TotalMemoryCommitted; ULONG_PTR TotalMemoryLargeUCR; ULONG_PTR TotalSizeInVirtualBlocks; ULONG TotalSegments; ULONG TotalUCRs; ULONG CommittOps; ULONG DeCommitOps; ULONG LockAcquires; ULONG LockCollisions; ULONG CommitRate; ULONG DecommittRate; ULONG CommitFailures; ULONG InBlockCommitFailures; ULONG PollIntervalCounter; ULONG DecommitsSinceLastCheck; ULONG HeapPollInterval; ULONG AllocAndFreeOps; ULONG AllocationIndicesActive; ULONG InBlockDeccommits; ULONG_PTR InBlockDeccomitSize; ULONG_PTR HighWatermarkSize; ULONG_PTR LastPolledSize; } HEAP_COUNTERS, *PHEAP_COUNTERS; typedef struct _HEAP_COUNTERS32 { ULONG TotalMemoryReserved; ULONG TotalMemoryCommitted; ULONG TotalMemoryLargeUCR; ULONG TotalSizeInVirtualBlocks; ULONG TotalSegments; ULONG TotalUCRs; ULONG CommittOps; ULONG DeCommitOps; ULONG LockAcquires; ULONG LockCollisions; ULONG CommitRate; ULONG DecommittRate; ULONG CommitFailures; ULONG InBlockCommitFailures; ULONG PollIntervalCounter; ULONG DecommitsSinceLastCheck; ULONG HeapPollInterval; ULONG AllocAndFreeOps; ULONG AllocationIndicesActive; ULONG InBlockDeccommits; ULONG InBlockDeccomitSize; ULONG HighWatermarkSize; ULONG LastPolledSize; } HEAP_COUNTERS32, *PHEAP_COUNTERS32; typedef struct _HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS { ULONG_PTR SmallPagesInUseWithinLarge; ULONG_PTR OpportunisticLargePageCount; } HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS, *PHEAP_OPPORTUNISTIC_LARGE_PAGE_STATS; typedef struct _HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS32 { ULONG SmallPagesInUseWithinLarge; ULONG OpportunisticLargePageCount; } HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS32, *PHEAP_OPPORTUNISTIC_LARGE_PAGE_STATS32; typedef struct _HEAP_RUNTIME_MEMORY_STATS { ULONG_PTR TotalReservedPages; ULONG_PTR TotalCommittedPages; ULONG_PTR FreeCommittedPages; ULONG_PTR LfhFreeCommittedPages; HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS LargePageStats[2]; //RTL_HP_SEG_ALLOC_POLICY LargePageUtilizationPolicy; } HEAP_RUNTIME_MEMORY_STATS, *PHEAP_RUNTIME_MEMORY_STATS; typedef struct _HEAP_RUNTIME_MEMORY_STATS32 { ULONG TotalReservedPages; ULONG TotalCommittedPages; ULONG FreeCommittedPages; ULONG LfhFreeCommittedPages; HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS32 LargePageStats[2]; //RTL_HP_SEG_ALLOC_POLICY32 LargePageUtilizationPolicy; } HEAP_RUNTIME_MEMORY_STATS32, *PHEAP_RUNTIME_MEMORY_STATS32; NTSTATUS PhGetProcessDefaultHeap( _In_ HANDLE ProcessHandle, _Out_ PVOID *Heap ); NTSTATUS PhGetProcessHeapSignature( _In_ HANDLE ProcessHandle, _In_ PVOID HeapAddress, _In_ ULONG IsWow64Process, _Out_ ULONG* HeapSignature ); INT_PTR CALLBACK PhpProcessHeapsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowProcessHeapsDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_PROCESS_HEAPS_CONTEXT context; context = PhAllocateZero(sizeof(PH_PROCESS_HEAPS_CONTEXT)); context->ParentWindowHandle = ParentWindowHandle; context->ProcessItem = PhReferenceObject(ProcessItem); context->IsWow64Process = !!ProcessItem->IsWow64Process; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_HEAPS), NULL, PhpProcessHeapsDlgProc, context ); } static INT NTAPI PhpHeapAddressCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_ PVOID Context ) { PPH_PROCESS_HEAPS_CONTEXT context = Context; if (context->IsWow64Process) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo2 = Item2; return uintptrcmp((ULONG_PTR)heapInfo1->BaseAddress, (ULONG_PTR)heapInfo2->BaseAddress); } else { PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo2 = Item2; return uintptrcmp((ULONG_PTR)heapInfo1->BaseAddress, (ULONG_PTR)heapInfo2->BaseAddress); } } static INT NTAPI PhpHeapUsedCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_ PVOID Context ) { PPH_PROCESS_HEAPS_CONTEXT context = Context; if (context->IsWow64Process) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo2 = Item2; return uintptrcmp(heapInfo1->BytesAllocated, heapInfo2->BytesAllocated); } else { PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo2 = Item2; return uintptrcmp(heapInfo1->BytesAllocated, heapInfo2->BytesAllocated); } } static INT NTAPI PhpHeapCommittedCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_ PVOID Context ) { PPH_PROCESS_HEAPS_CONTEXT context = Context; if (context->IsWow64Process) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo2 = Item2; return uintptrcmp(heapInfo1->BytesCommitted, heapInfo2->BytesCommitted); } else { PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo2 = Item2; return uintptrcmp(heapInfo1->BytesCommitted, heapInfo2->BytesCommitted); } } static INT NTAPI PhpHeapEntriesCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_ PVOID Context ) { PPH_PROCESS_HEAPS_CONTEXT context = Context; if (context->IsWow64Process) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo2 = Item2; return uintcmp(heapInfo1->NumberOfEntries, heapInfo2->NumberOfEntries); } else { PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo1 = Item1; PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo2 = Item2; return uintcmp(heapInfo1->NumberOfEntries, heapInfo2->NumberOfEntries); } } static HFONT NTAPI PhpHeapFontFunction( _In_ INT Index, _In_ PVOID Param, _In_ PVOID Context ) { PVOID heapBaseAddress = Param; PPH_PROCESS_HEAPS_CONTEXT context = Context; if (context->IsWow64Process) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo = Param; heapBaseAddress = UlongToPtr(heapInfo->BaseAddress); } else { PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo = Param; heapBaseAddress = heapInfo->BaseAddress; } if (!context->ProcessHeap) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, context->ProcessItem->ProcessId ))) { PhGetProcessDefaultHeap(processHandle, &context->ProcessHeap); NtClose(processHandle); } } if (heapBaseAddress == context->ProcessHeap) { if (!context->BoldFont) context->BoldFont = PhDuplicateFontWithNewWeight((HFONT)SendMessage(context->ListViewHandle, WM_GETFONT, 0, 0), FW_BOLD); return context->BoldFont; } return NULL; } PPH_STRING PhGetProcessHeapFlagsText( _In_ ULONG Flags ) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 10); if (Flags & HEAP_NO_SERIALIZE) PhAppendStringBuilder2(&stringBuilder, L"No serialize, "); if (Flags & HEAP_GROWABLE) PhAppendStringBuilder2(&stringBuilder, L"Growable, "); if (Flags & HEAP_GENERATE_EXCEPTIONS) PhAppendStringBuilder2(&stringBuilder, L"Generate exceptions, "); if (Flags & HEAP_ZERO_MEMORY) PhAppendStringBuilder2(&stringBuilder, L"Zero memory, "); if (Flags & HEAP_REALLOC_IN_PLACE_ONLY) PhAppendStringBuilder2(&stringBuilder, L"Realloc in-place, "); if (Flags & HEAP_TAIL_CHECKING_ENABLED) PhAppendStringBuilder2(&stringBuilder, L"Tail checking, "); if (Flags & HEAP_FREE_CHECKING_ENABLED) PhAppendStringBuilder2(&stringBuilder, L"Free checking, "); if (Flags & HEAP_DISABLE_COALESCE_ON_FREE) PhAppendStringBuilder2(&stringBuilder, L"Coalesce on free, "); if (Flags & HEAP_CREATE_ALIGN_16) PhAppendStringBuilder2(&stringBuilder, L"Align 16, "); if (Flags & HEAP_CREATE_ENABLE_TRACING) PhAppendStringBuilder2(&stringBuilder, L"Traceable, "); if (Flags & HEAP_CREATE_ENABLE_EXECUTE) PhAppendStringBuilder2(&stringBuilder, L"Executable, "); if (Flags & HEAP_CREATE_SEGMENT_HEAP) PhAppendStringBuilder2(&stringBuilder, L"Segment heap, "); if (Flags & HEAP_CREATE_HARDENED) PhAppendStringBuilder2(&stringBuilder, L"Segment hardened, "); if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); if (Flags) { WCHAR pointer[PH_PTR_STR_LEN_1]; PhPrintPointer(pointer, UlongToPtr(Flags)); if (PhIsNullOrEmptyString(stringBuilder.String)) PhAppendFormatStringBuilder(&stringBuilder, L"%s", pointer); else PhAppendFormatStringBuilder(&stringBuilder, L" (%s)", pointer); } return PhFinalStringBuilderString(&stringBuilder); } PCWSTR PhGetProcessHeapClassText( _In_ ULONG HeapClass ) { switch (HeapClass) { case HEAP_CLASS_0: return L"Process Heap"; case HEAP_CLASS_1: return L"Private Heap"; case HEAP_CLASS_2: return L"Kernel Heap"; case HEAP_CLASS_3: return L"GDI Heap"; case HEAP_CLASS_4: return L"User Heap"; case HEAP_CLASS_5: return L"Console Heap"; case HEAP_CLASS_6: return L"Desktop Heap"; case HEAP_CLASS_7: return L"CSRSS Shared Heap"; case HEAP_CLASS_8: return L"CSRSS Port Heap"; } return L"Unknown Heap"; } VOID PhpEnumerateProcessHeaps( _In_ PPH_PROCESS_HEAPS_CONTEXT Context ) { NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE processHandle = NULL; HANDLE powerRequestHandle = NULL; PROCESS_REFLECTION_INFORMATION reflectionInfo = { 0 }; HANDLE clientProcessId = Context->ProcessItem->ProcessId; BOOLEAN sizesInBytes; sizesInBytes = Button_GetCheck(GetDlgItem(Context->WindowHandle, IDC_SIZESINBYTES)) == BST_CHECKED; ExtendedListView_SetRedraw(Context->ListViewHandle, FALSE); ListView_DeleteAllItems(Context->ListViewHandle); if (Context->DebugBuffer) { PhFree(Context->DebugBuffer); Context->DebugBuffer = NULL; } if (WindowsVersion >= WINDOWS_8 && WindowsVersion <= WINDOWS_8_1) { // Windows 8 requires ALL_ACCESS for PLM execution requests. (dmex) status = PhOpenProcess( &processHandle, PROCESS_ALL_ACCESS, clientProcessId ); } else { // Windows 10 and above require SET_LIMITED for PLM execution requests. (dmex) status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | // PLM PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE, // Reflection clientProcessId ); } if (processHandle) { PhCreateExecutionRequiredRequest(processHandle, &powerRequestHandle); if (PhGetIntegerSetting(SETTING_ENABLE_HEAP_REFLECTION)) { // NOTE: RtlQueryProcessDebugInformation injects a thread into the process causing deadlocks and other issues in rare cases. // We mitigate these problems by reflecting the process and querying heap information from the clone. (dmex) status = PhCreateProcessReflection( &reflectionInfo, processHandle ); if (NT_SUCCESS(status)) { clientProcessId = reflectionInfo.ReflectionClientId.UniqueProcess; } } } #ifdef _WIN64 if (Context->ProcessItem->IsWow64Process) { if (PhUiConnectToPhSvcEx(Context->WindowHandle, Wow64PhSvcMode, FALSE)) { PPH_STRING capturedHeapInfoString; PPH_PROCESS_DEBUG_HEAP_INFORMATION32 capturedHeapInfo; ULONG capturedHeapInfoLength; status = PhSvcCallQueryProcessHeapInformation( clientProcessId, &capturedHeapInfoString ); if (!NT_SUCCESS(status)) { PhUiDisconnectFromPhSvc(); PhShowStatus(Context->WindowHandle, L"Unable to query heap information.", status, 0); goto CleanupExit; } PhUiDisconnectFromPhSvc(); capturedHeapInfoLength = sizeof(PH_PROCESS_DEBUG_HEAP_INFORMATION32) + 100 * sizeof(PH_PROCESS_DEBUG_HEAP_ENTRY32); capturedHeapInfo = PhAllocateZero(capturedHeapInfoLength); if (!PhHexStringToBufferEx( &capturedHeapInfoString->sr, capturedHeapInfoLength, capturedHeapInfo )) { PhFree(capturedHeapInfo); goto CleanupExit; } Context->DebugBuffer = capturedHeapInfo; Context->ProcessHeap = UlongToPtr(capturedHeapInfo->DefaultHeap); for (ULONG i = 0; i < capturedHeapInfo->NumberOfHeaps; i++) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 entry = &capturedHeapInfo->Heaps[i]; INT lvItemIndex; WCHAR value[PH_INT64_STR_LEN_1]; PhPrintUInt32(value, i + 1); lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, value, entry); PhPrintPointer(value, UlongToPtr(entry->BaseAddress)); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, value); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, PhaFormatSize(entry->BytesAllocated, sizesInBytes ? 0 : ULONG_MAX)->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 3, PhaFormatSize(entry->BytesCommitted, sizesInBytes ? 0 : ULONG_MAX)->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 4, PhaFormatUInt64(entry->NumberOfEntries, TRUE)->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 5, PH_AUTO_T(PH_STRING, PhGetProcessHeapFlagsText(entry->Flags & ~HEAP_CLASS_MASK))->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 6, PhGetProcessHeapClassText(entry->Flags & HEAP_CLASS_MASK)); switch (entry->Signature) { case RTL_HEAP_SIGNATURE: { switch (entry->HeapFrontEndType) { case 1: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"NT Heap (Lookaside)"); break; case 2: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"NT Heap (LFH)"); break; default: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"NT Heap"); break; } } break; case RTL_HEAP_SEGMENT_SIGNATURE: { switch (entry->HeapFrontEndType) { case 1: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"Segment Heap (Lookaside)"); break; case 2: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"Segment Heap (LFH)"); break; default: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"Segment Heap"); break; } } break; } } PhDereferenceObject(capturedHeapInfoString); } else { PhShowError2( Context->WindowHandle, L"Unable to query 32bit heap information.", L"%s", L"The 32-bit version of System Informer could not be located." ); goto CleanupExit; } } else { #endif PPH_PROCESS_DEBUG_HEAP_INFORMATION heapDebugInfo; status = PhQueryProcessHeapInformation( clientProcessId, &heapDebugInfo ); if (!NT_SUCCESS(status)) { PhShowStatus(Context->WindowHandle, L"Unable to query heap information.", status, 0); goto CleanupExit; } Context->DebugBuffer = heapDebugInfo; Context->ProcessHeap = heapDebugInfo->DefaultHeap; for (ULONG i = 0; i < heapDebugInfo->NumberOfHeaps; i++) { PPH_PROCESS_DEBUG_HEAP_ENTRY entry = &heapDebugInfo->Heaps[i]; INT lvItemIndex; WCHAR value[PH_INT64_STR_LEN_1]; PhPrintUInt32(value, i + 1); lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, value, entry); PhPrintPointer(value, entry->BaseAddress); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, value); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, PhaFormatSize(entry->BytesAllocated, sizesInBytes ? 0 : ULONG_MAX)->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 3, PhaFormatSize(entry->BytesCommitted, sizesInBytes ? 0 : ULONG_MAX)->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 4, PhaFormatUInt64(entry->NumberOfEntries, TRUE)->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 5, PH_AUTO_T(PH_STRING, PhGetProcessHeapFlagsText(entry->Flags & ~HEAP_CLASS_MASK))->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 6, PhGetProcessHeapClassText(entry->Flags & HEAP_CLASS_MASK)); switch (entry->Signature) { case RTL_HEAP_SIGNATURE: { switch (entry->HeapFrontEndType) { case 1: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"NT Heap (Lookaside)"); break; case 2: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"NT Heap (LFH)"); break; default: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"NT Heap"); break; } } break; case RTL_HEAP_SEGMENT_SIGNATURE: { switch (entry->HeapFrontEndType) { case 1: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"Segment Heap (Lookaside)"); break; case 2: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"Segment Heap (LFH)"); break; default: PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 7, L"Segment Heap"); break; } } break; } } #ifdef _WIN64 } #endif CleanupExit: PhFreeProcessReflection(&reflectionInfo); if (processHandle) NtClose(processHandle); if (powerRequestHandle) PhDestroyExecutionRequiredRequest(powerRequestHandle); ExtendedListView_SortItems(Context->ListViewHandle); ExtendedListView_SetRedraw(Context->ListViewHandle, TRUE); } VOID PhpSetProcessHeapsWindowText( _In_ HWND WindowHandle, _In_ PCWSTR Title, _In_ PPH_PROCESS_ITEM ProcessItem ) { PH_FORMAT format[5]; WCHAR formatBuffer[260]; PhInitFormatS(&format[0], Title); PhInitFormatSR(&format[1], ProcessItem->ProcessName->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatU(&format[3], HandleToUlong(ProcessItem->ProcessId)); PhInitFormatC(&format[4], L')'); if (PhFormatToBuffer( format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL )) { PhSetWindowText(WindowHandle, formatBuffer); } } INT_PTR CALLBACK PhpProcessHeapsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_HEAPS_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PPH_PROCESS_HEAPS_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetApplicationWindowIcon(hwndDlg); PhpSetProcessHeapsWindowText(hwndDlg, L"Heaps - ", context->ProcessItem); PhSetListViewStyle(context->ListViewHandle, TRUE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 40, L"#"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 100, L"Address"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 120, L"Used"); PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 120, L"Committed"); PhAddListViewColumn(context->ListViewHandle, 4, 4, 4, LVCFMT_LEFT, 80, L"Entries"); PhAddListViewColumn(context->ListViewHandle, 5, 5, 5, LVCFMT_LEFT, 80, L"Flags"); PhAddListViewColumn(context->ListViewHandle, 6, 6, 6, LVCFMT_LEFT, 80, L"Class"); PhAddListViewColumn(context->ListViewHandle, 7, 7, 7, LVCFMT_LEFT, 80, L"Type"); PhSetExtendedListView(context->ListViewHandle); ExtendedListView_SetContext(context->ListViewHandle, context); ExtendedListView_SetCompareFunction(context->ListViewHandle, 1, PhpHeapAddressCompareFunction); ExtendedListView_SetCompareFunction(context->ListViewHandle, 2, PhpHeapUsedCompareFunction); ExtendedListView_SetCompareFunction(context->ListViewHandle, 3, PhpHeapCommittedCompareFunction); ExtendedListView_SetCompareFunction(context->ListViewHandle, 4, PhpHeapEntriesCompareFunction); ExtendedListView_SetItemFontFunction(context->ListViewHandle, PhpHeapFontFunction); PhLoadListViewColumnsFromSetting(SETTING_SEGMENT_HEAP_LIST_VIEW_COLUMNS, context->ListViewHandle); PhLoadListViewSortColumnsFromSetting(SETTING_SEGMENT_HEAP_LIST_VIEW_SORT, context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SIZESINBYTES), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REFRESH), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDCANCEL), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); if (PhValidWindowPlacementFromSetting(SETTING_SEGMENT_HEAP_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_SEGMENT_HEAP_WINDOW_POSITION, SETTING_SEGMENT_HEAP_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, context->ParentWindowHandle); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhSaveListViewSortColumnsToSetting(SETTING_SEGMENT_HEAP_LIST_VIEW_SORT, context->ListViewHandle); PhSaveListViewColumnsToSetting(SETTING_SEGMENT_HEAP_LIST_VIEW_COLUMNS, context->ListViewHandle); PhSaveWindowPlacementToSetting(SETTING_SEGMENT_HEAP_WINDOW_POSITION, SETTING_SEGMENT_HEAP_WINDOW_SIZE, hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); if (context->BoldFont) { DeleteFont(context->BoldFont); context->BoldFont = NULL; } if (context->DebugBuffer) { PhFree(context->DebugBuffer); context->DebugBuffer = NULL; } if (context->ProcessItem) { PhDereferenceObject(context->ProcessItem); context->ProcessItem = NULL; } PhFree(context); } break; case WM_SHOWWINDOW: { if (!context->Initialized) { PostMessage(context->WindowHandle, WM_COMMAND, MAKEWPARAM(IDC_REFRESH, 0), 0); context->Initialized = TRUE; } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDOK); break; case IDC_SIZESINBYTES: { BOOLEAN sizesInBytes = Button_GetCheck(GET_WM_COMMAND_HWND(wParam, lParam)) == BST_CHECKED; INT index = -1; ExtendedListView_SetRedraw(context->ListViewHandle, FALSE); while ((index = ListView_GetNextItem(context->ListViewHandle, index, LVNI_ALL)) != -1) { PPH_STRING usedString = NULL; PPH_STRING committedString = NULL; if (context->IsWow64Process) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo; if (PhGetListViewItemParam(context->ListViewHandle, index, &heapInfo)) { usedString = PhFormatSize(heapInfo->BytesAllocated, sizesInBytes ? 0 : ULONG_MAX); committedString = PhFormatSize(heapInfo->BytesCommitted, sizesInBytes ? 0 : ULONG_MAX); } } else { PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo; if (PhGetListViewItemParam(context->ListViewHandle, index, &heapInfo)) { usedString = PhFormatSize(heapInfo->BytesAllocated, sizesInBytes ? 0 : ULONG_MAX); committedString = PhFormatSize(heapInfo->BytesCommitted, sizesInBytes ? 0 : ULONG_MAX); } } if (usedString) { PhSetListViewSubItem(context->ListViewHandle, index, 2, usedString->Buffer); PhDereferenceObject(usedString); } if (committedString) { PhSetListViewSubItem(context->ListViewHandle, index, 3, committedString->Buffer); PhDereferenceObject(committedString); } } ExtendedListView_SetRedraw(context->ListViewHandle, TRUE); } break; case IDC_REFRESH: { PhpEnumerateProcessHeaps(context); } break; } } break; case WM_NOTIFY: { PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle); REFLECT_MESSAGE_DLG(hwndDlg, context->ListViewHandle, uMsg, wParam, lParam); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo; PPH_EMENU menu; INT selectedCount; PPH_EMENU_ITEM menuItem; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); selectedCount = ListView_GetSelectedCount(context->ListViewHandle); heapInfo = PhGetSelectedListViewItemParam(context->ListViewHandle); if (selectedCount != 0) { menu = PhCreateEMenu(); //PhInsertEMenuItem(menu, PhCreateEMenuItem(selectedCount != 1 ? PH_EMENU_DISABLED : 0, 1, L"Destroy", NULL, NULL), ULONG_MAX); //PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, USHRT_MAX, L"Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, USHRT_MAX, context->ListViewHandle); menuItem = PhShowEMenu( menu, context->ListViewHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (menuItem) { if (PhHandleCopyListViewEMenuItem(menuItem)) break; switch (menuItem->Id) { case 1: //if (PhpDestroyHeap(hwndDlg, context->ProcessItem->ProcessId, heapInfo->BaseAddress)) // ListView_DeleteItem(context->ListViewHandle, PhFindListViewItemByParam(context->ListViewHandle, -1, heapInfo)); //break; case USHRT_MAX: PhCopyListView(context->ListViewHandle); break; } } PhDestroyEMenu(menu); } } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } //NTSTATUS PhGetProcessHeapCompatibilityInformation( // _In_ HANDLE ProcessHandle, // _In_ PVOID HeapAddress, // _In_ ULONG IsWow64Process, // _Out_ ULONG* HeapCompatibility // ) //{ // NTSTATUS status = STATUS_UNSUCCESSFUL; // ULONG frontEndHeapType = ULONG_MAX; // // if (WindowsVersion >= WINDOWS_10_20H1) // { // status = PhReadVirtualMemory( // ProcessHandle, // PTR_ADD_OFFSET(HeapAddress, IsWow64Process ? 0xEA : 0x1A2), // &frontEndHeapType, // sizeof(ULONG), // NULL // ); // } // // if (NT_SUCCESS(status)) // { // if (HeapCompatibility) // *HeapCompatibility = frontEndHeapType; // } // // return status; //} // //NTSTATUS PhGetProcessHeapCounters( // _In_ HANDLE ProcessHandle, // _In_ PVOID HeapAddress, // _In_ ULONG IsWow64Process, // _Out_ PVOID *HeapCounters // ) //{ // NTSTATUS status = STATUS_UNSUCCESSFUL; // PVOID heapCounters; // ULONG heapCountersLength; // // if (IsWow64Process) // heapCountersLength = sizeof(HEAP_COUNTERS32); // else // heapCountersLength = sizeof(HEAP_COUNTERS); // // heapCounters = PhAllocate(heapCountersLength); // memset(heapCounters, 0, heapCountersLength); // // if (WindowsVersion >= WINDOWS_10_20H1) // { // status = PhReadVirtualMemory( // ProcessHandle, // PTR_ADD_OFFSET(HeapAddress, IsWow64Process ? 0x1F4 : 0x238), // heapCounters, // heapCountersLength, // NULL // ); // } // // if (NT_SUCCESS(status)) // { // if (HeapCounters) // *HeapCounters = heapCounters; // return status; // } // // PhFree(heapCounters); // return status; //} // //NTSTATUS PhGetProcessSegmentHeapCounters( // _In_ HANDLE ProcessHandle, // _In_ PVOID HeapAddress, // _In_ ULONG IsWow64Process, // _Out_ PVOID *HeapCounters // ) //{ // NTSTATUS status = STATUS_UNSUCCESSFUL; // PVOID heapCounters; // ULONG heapCountersLength; // // if (IsWow64Process) // heapCountersLength = sizeof(HEAP_RUNTIME_MEMORY_STATS32); // else // heapCountersLength = sizeof(HEAP_RUNTIME_MEMORY_STATS); // // heapCounters = PhAllocate(heapCountersLength); // memset(heapCounters, 0, heapCountersLength); // // if (WindowsVersion >= WINDOWS_10_20H1) // { // status = PhReadVirtualMemory( // ProcessHandle, // PTR_ADD_OFFSET(HeapAddress, IsWow64Process ? 0x80 : 0x80), // heapCounters, // heapCountersLength, // NULL // ); // } // // if (NT_SUCCESS(status)) // { // if (HeapCounters) // *HeapCounters = heapCounters; // return status; // } // // PhFree(heapCounters); // return status; //} // //NTSTATUS PhGetProcessHeaps( // _In_ HANDLE ProcessHandle // ) //{ // PROCESS_BASIC_INFORMATION basicInfo; // ULONG numberOfHeaps; // PVOID processHeapsPtr; // PVOID* processHeaps; //#ifdef _WIN64 // PVOID peb32; // ULONG processHeapsPtr32; // ULONG* processHeaps32; //#endif // // if (NT_SUCCESS(PhGetProcessBasicInformation(ProcessHandle, &basicInfo)) && basicInfo.PebBaseAddress != 0) // { // if (NT_SUCCESS(PhReadVirtualMemory( // ProcessHandle, // PTR_ADD_OFFSET(basicInfo.PebBaseAddress, UFIELD_OFFSET(PEB, NumberOfHeaps)), // &numberOfHeaps, // sizeof(ULONG), // NULL // )) && numberOfHeaps < 1000) // { // processHeaps = PhAllocateZero(numberOfHeaps * sizeof(PVOID)); // // if ( // NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, PTR_ADD_OFFSET(basicInfo.PebBaseAddress, UFIELD_OFFSET(PEB, ProcessHeaps)), &processHeapsPtr, sizeof(PVOID), NULL)) && // NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, processHeapsPtr, processHeaps, numberOfHeaps * sizeof(PVOID), NULL)) // ) // { // for (ULONG i = 0; i < numberOfHeaps; i++) // { // ULONG signature = ULONG_MAX; // // if (!NT_SUCCESS(PhGetProcessHeapSignature(ProcessHandle, processHeaps[i], FALSE, &signature))) // continue; // // if (signature == RTL_HEAP_SIGNATURE) // { // PHEAP_COUNTERS counters; // // if (NT_SUCCESS(PhGetProcessHeapCounters(ProcessHandle, processHeaps[i], FALSE, &counters))) // { // dprintf( // "NT-%lu - 0x%I64x - committed: %lu - allocated: %lu - count: %lu\n", // i + 1, // processHeaps[i], // counters->TotalMemoryCommitted, // counters->LastPolledSize, // counters->TotalSegments // ); // // PhFree(counters); // } // } // else if (signature == RTL_HEAP_SEGMENT_SIGNATURE) // { // dprintf("Segment Heap"); // } // } // } // // PhFree(processHeaps); // } // } //#ifdef _WIN64 // // if (NT_SUCCESS(PhGetProcessPeb32(ProcessHandle, &peb32)) && peb32 != 0) // { // if (NT_SUCCESS(PhReadVirtualMemory( // ProcessHandle, // PTR_ADD_OFFSET(peb32, UFIELD_OFFSET(PEB32, NumberOfHeaps)), // &numberOfHeaps, // sizeof(ULONG), // NULL // )) && numberOfHeaps < 1000) // { // processHeaps32 = PhAllocateZero(numberOfHeaps * sizeof(ULONG)); // // if ( // NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, PTR_ADD_OFFSET(peb32, UFIELD_OFFSET(PEB32, ProcessHeaps)), &processHeapsPtr32, sizeof(ULONG), NULL)) && // NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, UlongToPtr(processHeapsPtr32), processHeaps32, numberOfHeaps * sizeof(ULONG), NULL)) // ) // { // for (ULONG i = 0; i < numberOfHeaps; i++) // { // ULONG signature = ULONG_MAX; // // if (!NT_SUCCESS(PhGetProcessHeapSignature(ProcessHandle, UlongToPtr(processHeaps32[i]), TRUE, &signature))) // continue; // // if (signature == RTL_HEAP_SIGNATURE) // { // PHEAP_COUNTERS32 counters; // // if (NT_SUCCESS(PhGetProcessHeapCounters(ProcessHandle, UlongToPtr(processHeaps32[i]), TRUE, &counters))) // { // PhFree(counters); // } // } // else if (signature == RTL_HEAP_SEGMENT_SIGNATURE) // { // dprintf("Segment Heap\n"); // } // } // } // // PhFree(processHeaps32); // } // } //#endif // // return STATUS_SUCCESS; //} // //BOOLEAN PhpDestroyHeap( // _In_ HWND hWnd, // _In_ HANDLE ProcessId, // _In_ PVOID HeapHandle // ) //{ // NTSTATUS status; // BOOLEAN cont = FALSE; // HANDLE processHandle; // HANDLE threadHandle; // // if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) // { // cont = PhShowConfirmMessage( // hWnd, // L"destroy", // L"the selected heap", // L"Destroying heaps may cause the process to crash.", // FALSE // ); // } // else // { // cont = TRUE; // } // // if (!cont) // return FALSE; // // if (NT_SUCCESS(status = PhOpenProcess( // &processHandle, // PROCESS_CREATE_THREAD, // ProcessId // ))) // { // if (WindowsVersion >= WINDOWS_VISTA) // { // status = RtlCreateUserThread( // processHandle, // NULL, // FALSE, // 0, // 0, // 0, // PhGetModuleProcAddress(L"ntdll.dll", "RtlDestroyHeap"), // HeapHandle, // &threadHandle, // NULL // ); // } // else // { // if (!(threadHandle = CreateRemoteThread( // processHandle, // NULL, // 0, // PhGetModuleProcAddress(L"ntdll.dll", "RtlDestroyHeap"), // HeapHandle, // 0, // NULL // ))) // { // status = PhGetLastWin32ErrorAsNtStatus(); // } // } // // if (NT_SUCCESS(status)) // NtClose(threadHandle); // // NtClose(processHandle); // } // // if (!NT_SUCCESS(status)) // { // PhShowStatus(hWnd, L"Unable to destroy the heap", status, 0); // return FALSE; // } // // return TRUE; //} // //#include // //BOOLEAN PhpEnumerateHeapsWin32( // _In_ PPROCESS_HEAPS_CONTEXT Context // ) //{ // HANDLE snapshotHandle; // HEAPLIST32 heapList32; // // snapshotHandle = CreateToolhelp32Snapshot( // TH32CS_SNAPHEAPLIST, // Context->ProcessItem->ProcessId // ); // // if (snapshotHandle == INVALID_HANDLE_VALUE) // return FALSE; // // memset(&heapList32, 0, sizeof(HEAPLIST32)); // heapList32.dwSize = sizeof(HEAPLIST32); // // if (Heap32ListFirst(snapshotHandle, &heapList32)) // { // do // { // HEAPENTRY32 entry; // // memset(&entry, 0, sizeof(HEAPENTRY32)); // entry.dwSize = sizeof(HEAPENTRY32); // // dprintf("\nHeap ID: %lu\n", heapList32.th32HeapID); // // if (Heap32First(&entry, Context->ProcessItem->ProcessId, heapList32.th32HeapID)) // { // do // { // dprintf("Block size: %lu\n", entry.dwBlockSize); // // memset(&entry, 0, sizeof(HEAPENTRY32)); // entry.dwSize = sizeof(HEAPENTRY32); // } while (Heap32Next(&entry)); // } // // memset(&heapList32, 0, sizeof(HEAPLIST32)); // heapList32.dwSize = sizeof(HEAPLIST32); // } while (Heap32ListNext(snapshotHandle, &heapList32)); // } // // NtClose(snapshotHandle); //} typedef struct _PH_PROCESS_LOCKS_CONTEXT { HWND WindowHandle; HWND ParentWindowHandle; HWND ListViewHandle; HFONT BoldFont; union { BOOLEAN Flags; struct { BOOLEAN Initialized : 1; BOOLEAN IsWow64Process : 1; BOOLEAN Spare : 6; }; }; PPH_PROCESS_ITEM ProcessItem; PVOID ProcessHeap; PVOID DebugBuffer; PH_LAYOUT_MANAGER LayoutManager; } PH_PROCESS_LOCKS_CONTEXT, *PPH_PROCESS_LOCKS_CONTEXT; INT_PTR CALLBACK PhProcessLocksDlgProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowProcessLocksDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_PROCESS_LOCKS_CONTEXT context; context = PhAllocateZero(sizeof(PH_PROCESS_LOCKS_CONTEXT)); context->ParentWindowHandle = ParentWindowHandle; context->ProcessItem = PhReferenceObject(ProcessItem); context->IsWow64Process = !!ProcessItem->IsWow64Process; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_HEAPS), NULL, PhProcessLocksDlgProc, context ); } _Function_class_(PH_ENUM_PROCESS_LOCKS) NTSTATUS NTAPI PhEnumProcessLocksCallback( _In_ ULONG NumberOfLocks, _In_ PRTL_PROCESS_LOCK_INFORMATION Locks, _In_opt_ PVOID Context ) { if (!Context) return STATUS_INVALID_PARAMETER; PPH_PROCESS_LOCKS_CONTEXT context = Context; NTSTATUS status; HANDLE processHandle = NULL; status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, context->ProcessItem->ProcessId ); if (!NT_SUCCESS(status)) return status; for (ULONG i = 0; i < NumberOfLocks; i++) { PRTL_PROCESS_LOCK_INFORMATION entry = &Locks[i]; INT lvItemIndex; WCHAR value[PH_INT64_STR_LEN_1]; CLIENT_ID clientId; PPH_STRING fileName = NULL; clientId.UniqueProcess = NULL; clientId.UniqueThread = entry->OwningThread; if (processHandle && entry->Address) { if (NT_SUCCESS(PhGetProcessMappedFileName(processHandle, entry->Address, &fileName))) { PhMoveReference(&fileName, PhGetFileName(fileName)); } } PhPrintUInt32(value, i + 1); lvItemIndex = PhAddListViewItem(context->ListViewHandle, MAXINT, value, PhAllocateCopy(entry, sizeof(*entry))); PhPrintPointer(value, entry->Address); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 2, value); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 3, PhGetStringOrEmpty(fileName)); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 4, entry->OwningThread ? PH_AUTO_T(PH_STRING, PhGetClientIdName(&clientId))->Buffer : L""); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 5, entry->LockCount != ULONG_MAX ? PhaFormatUInt64(entry->LockCount, TRUE)->Buffer : L""); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 6, PhaFormatUInt64(entry->ContentionCount, TRUE)->Buffer); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 7, PhaFormatUInt64(entry->EntryCount, TRUE)->Buffer); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 8, PhaFormatUInt64(entry->RecursionCount, TRUE)->Buffer); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 9, PhaFormatUInt64(entry->NumberOfWaitingShared, TRUE)->Buffer); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 10, PhaFormatUInt64(entry->NumberOfWaitingExclusive, TRUE)->Buffer); switch (entry->Type) { case RTL_CRITSECT_TYPE: PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 1, L"Critical section"); break; case RTL_RESOURCE_TYPE: PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 1, L"Resource"); break; } } NtClose(processHandle); return STATUS_SUCCESS; } VOID PhEnumerateProcessLocks( _In_ PPH_PROCESS_LOCKS_CONTEXT Context ) { NTSTATUS status; ExtendedListView_SetRedraw(Context->ListViewHandle, FALSE); ListView_DeleteAllItems(Context->ListViewHandle); status = PhQueryProcessLockInformation( Context->ProcessItem->ProcessId, PhEnumProcessLocksCallback, Context ); if (!NT_SUCCESS(status)) { PhShowStatus(Context->WindowHandle, L"Unable to query lock information.", status, 0); return; } ExtendedListView_SortItems(Context->ListViewHandle); ExtendedListView_SetRedraw(Context->ListViewHandle, TRUE); } INT_PTR CALLBACK PhProcessLocksDlgProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_LOCKS_CONTEXT context = NULL; if (WindowMessage == WM_INITDIALOG) { context = (PPH_PROCESS_LOCKS_CONTEXT)lParam; PhSetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (WindowMessage) { case WM_INITDIALOG: { context->WindowHandle = WindowHandle; context->ListViewHandle = GetDlgItem(WindowHandle, IDC_LIST); PhSetApplicationWindowIcon(WindowHandle); PhpSetProcessHeapsWindowText(WindowHandle, L"Locks - ", context->ProcessItem); PhSetListViewStyle(context->ListViewHandle, TRUE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 40, L"#"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 50, L"Type"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 100, L"Address"); PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 120, L"Filename"); PhAddListViewColumn(context->ListViewHandle, 4, 4, 4, LVCFMT_LEFT, 120, L"Thread"); PhAddListViewColumn(context->ListViewHandle, 5, 5, 5, LVCFMT_LEFT, 80, L"Lock count"); PhAddListViewColumn(context->ListViewHandle, 6, 6, 6, LVCFMT_LEFT, 80, L"Entry count"); PhAddListViewColumn(context->ListViewHandle, 7, 7, 7, LVCFMT_LEFT, 80, L"Recursion count"); PhAddListViewColumn(context->ListViewHandle, 8, 8, 8, LVCFMT_LEFT, 80, L"Waiting shared count"); PhAddListViewColumn(context->ListViewHandle, 9, 9, 9, LVCFMT_LEFT, 80, L"Waiting exclusive count"); PhSetExtendedListView(context->ListViewHandle); ExtendedListView_SetContext(context->ListViewHandle, context); ExtendedListView_SetItemFontFunction(context->ListViewHandle, PhpHeapFontFunction); PhLoadListViewColumnsFromSetting(SETTING_SEGMENT_LOCKS_LIST_VIEW_COLUMNS, context->ListViewHandle); PhLoadListViewSortColumnsFromSetting(SETTING_SEGMENT_LOCKS_LIST_VIEW_SORT, context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, WindowHandle); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDC_SIZESINBYTES), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDC_REFRESH), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDCANCEL), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); if (PhValidWindowPlacementFromSetting(SETTING_SEGMENT_LOCKS_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_SEGMENT_LOCKS_WINDOW_POSITION, SETTING_SEGMENT_LOCKS_WINDOW_SIZE, WindowHandle); else PhCenterWindow(WindowHandle, context->ParentWindowHandle); PhInitializeWindowTheme(WindowHandle, PhEnableThemeSupport); ShowWindow(GetDlgItem(WindowHandle, IDC_SIZESINBYTES), SW_HIDE); } break; case WM_DESTROY: { PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); PhSaveListViewSortColumnsToSetting(SETTING_SEGMENT_LOCKS_LIST_VIEW_SORT, context->ListViewHandle); PhSaveListViewColumnsToSetting(SETTING_SEGMENT_LOCKS_LIST_VIEW_COLUMNS, context->ListViewHandle); PhSaveWindowPlacementToSetting(SETTING_SEGMENT_LOCKS_WINDOW_POSITION, SETTING_SEGMENT_LOCKS_WINDOW_SIZE, WindowHandle); PhDeleteLayoutManager(&context->LayoutManager); if (context->BoldFont) { DeleteFont(context->BoldFont); context->BoldFont = NULL; } if (context->DebugBuffer) { PhFree(context->DebugBuffer); context->DebugBuffer = NULL; } if (context->ProcessItem) { PhDereferenceObject(context->ProcessItem); context->ProcessItem = NULL; } PhFree(context); } break; case WM_SHOWWINDOW: { if (!context->Initialized) { PostMessage(context->WindowHandle, WM_COMMAND, MAKEWPARAM(IDC_REFRESH, 0), 0); context->Initialized = TRUE; } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(WindowHandle, IDOK); break; case IDC_SIZESINBYTES: { BOOLEAN sizesInBytes = Button_GetCheck(GET_WM_COMMAND_HWND(wParam, lParam)) == BST_CHECKED; INT index = -1; ExtendedListView_SetRedraw(context->ListViewHandle, FALSE); while ((index = ListView_GetNextItem(context->ListViewHandle, index, LVNI_ALL)) != -1) { PPH_STRING usedString = NULL; PPH_STRING committedString = NULL; if (context->IsWow64Process) { PPH_PROCESS_DEBUG_HEAP_ENTRY32 heapInfo; if (PhGetListViewItemParam(context->ListViewHandle, index, &heapInfo)) { usedString = PhFormatSize(heapInfo->BytesAllocated, sizesInBytes ? 0 : ULONG_MAX); committedString = PhFormatSize(heapInfo->BytesCommitted, sizesInBytes ? 0 : ULONG_MAX); } } else { PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo; if (PhGetListViewItemParam(context->ListViewHandle, index, &heapInfo)) { usedString = PhFormatSize(heapInfo->BytesAllocated, sizesInBytes ? 0 : ULONG_MAX); committedString = PhFormatSize(heapInfo->BytesCommitted, sizesInBytes ? 0 : ULONG_MAX); } } if (usedString) { PhSetListViewSubItem(context->ListViewHandle, index, 2, usedString->Buffer); PhDereferenceObject(usedString); } if (committedString) { PhSetListViewSubItem(context->ListViewHandle, index, 3, committedString->Buffer); PhDereferenceObject(committedString); } } ExtendedListView_SetRedraw(context->ListViewHandle, TRUE); } break; case IDC_REFRESH: { PhEnumerateProcessLocks(context); } break; } } break; case WM_NOTIFY: { PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle); REFLECT_MESSAGE_DLG(WindowHandle, context->ListViewHandle, WindowMessage, wParam, lParam); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_PROCESS_DEBUG_HEAP_ENTRY heapInfo; PPH_EMENU menu; INT selectedCount; PPH_EMENU_ITEM menuItem; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); selectedCount = ListView_GetSelectedCount(context->ListViewHandle); heapInfo = PhGetSelectedListViewItemParam(context->ListViewHandle); if (selectedCount != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, USHRT_MAX, L"Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, USHRT_MAX, context->ListViewHandle); menuItem = PhShowEMenu( menu, context->ListViewHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (menuItem) { if (PhHandleCopyListViewEMenuItem(menuItem)) break; switch (menuItem->Id) { case 1: case USHRT_MAX: PhCopyListView(context->ListViewHandle); break; } } PhDestroyEMenu(menu); } } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(WindowHandle, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/hidnproc.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2013 * dmex 2019-2023 * */ /* * There are two methods of zombie process detection implemented in this module. * * Brute Force. This attempts to open all possible PIDs within a certain range * in order to find processes which have been unlinked from the active process * list (EPROCESS.ActiveProcessLinks). This method is not effective when * either NtOpenProcess is hooked or PsLookupProcessByProcessId is hooked * (KSystemInformer cannot bypass this). * * CSR Handles. This enumerates handles in all running CSR processes, and works * even when a process has been unlinked from the active process list and * has been removed from the client ID table (PspCidTable). However, the method * does not detect native executables since CSR is not notified about them. * Some rootkits hook NtQuerySystemInformation in order to modify the returned * handle information; System Informer bypasses this by using KSystemInformer, * which calls ExEnumHandleTable directly. Note that both process and thread * handles are examined. */ #include #include #include #include #include #include #include #include #include INT_PTR CALLBACK PhpZombieProcessesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); COLORREF NTAPI PhpZombieProcessesColorFunction( _In_ INT Index, _In_ PVOID Param, _In_opt_ PVOID Context ); BOOLEAN NTAPI PhpZombieProcessesCallback( _In_ PPH_ZOMBIE_PROCESS_ENTRY Process, _In_opt_ PVOID Context ); VOID PhZombieProcessesUpdateListView( _In_ PPH_LIST UpdateList ); NTSTATUS PhpCreateProcessItemForZombieProcess( _In_ HWND WindowHandle, _In_ PPH_ZOMBIE_PROCESS_ENTRY Entry, _Out_ PPH_PROCESS_ITEM* ProcessItem ); static HWND PhZombieProcessesWindowHandle = NULL; static HWND PhZombieProcessesListViewHandle = NULL; static PH_LAYOUT_MANAGER WindowLayoutManager; static RECT MinimumSize; static PH_ZOMBIE_PROCESS_METHOD ProcessesMethod; static PPH_LIST ProcessesList = NULL; static ULONG NumberOfZombieProcesses; static ULONG NumberOfTerminatedProcesses; VOID PhShowZombieProcessesDialog( VOID ) { if (!PhZombieProcessesWindowHandle) { PhZombieProcessesWindowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_ZOMBIEPROCESSES), NULL, PhpZombieProcessesDlgProc, NULL ); } if (!IsWindowVisible(PhZombieProcessesWindowHandle)) ShowWindow(PhZombieProcessesWindowHandle, SW_SHOW); else SetForegroundWindow(PhZombieProcessesWindowHandle); } VOID PhZombieProcessesCleanupList( _In_opt_ PPH_LIST UpdateList ) { if (UpdateList) { for (ULONG i = 0; i < UpdateList->Count; i++) { PPH_ZOMBIE_PROCESS_ENTRY entry = UpdateList->Items[i]; PhClearReference(&entry->FileName); PhFree(entry); } PhDereferenceObject(UpdateList); } { PPH_STRING string = PhFormatString(L"%u zombie process(es), %u terminated process(es).", NumberOfZombieProcesses, NumberOfTerminatedProcesses); PhSetDialogItemText(PhZombieProcessesWindowHandle, IDC_DESCRIPTION, string->Buffer); InvalidateRect(GetDlgItem(PhZombieProcessesWindowHandle, IDC_DESCRIPTION), NULL, TRUE); PhDereferenceObject(string); } } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhZombieProcessesThread( _In_ PVOID Context ) { NTSTATUS status; PPH_LIST processList; ExtendedListView_SetRedraw(PhZombieProcessesListViewHandle, FALSE); ListView_DeleteAllItems(PhZombieProcessesListViewHandle); ExtendedListView_SetRedraw(PhZombieProcessesListViewHandle, TRUE); processList = PhCreateList(100); status = PhEnumZombieProcesses( ProcessesMethod, PhpZombieProcessesCallback, processList ); if (PhZombieProcessesWindowHandle) PostMessage(PhZombieProcessesWindowHandle, WM_PH_UPDATE_DIALOG, status, (LPARAM)processList); else PhZombieProcessesCleanupList(processList); return STATUS_SUCCESS; } INT_PTR CALLBACK PhpZombieProcessesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { HWND lvHandle; HWND methodHandle; PhSetApplicationWindowIcon(hwndDlg); PhZombieProcessesListViewHandle = lvHandle = GetDlgItem(hwndDlg, IDC_PROCESSES); methodHandle = GetDlgItem(hwndDlg, IDC_METHOD); PhInitializeLayoutManager(&WindowLayoutManager, hwndDlg); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_INTRO), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT | PH_LAYOUT_FORCE_INVALIDATE); PhAddLayoutItem(&WindowLayoutManager, lvHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_DESCRIPTION), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM | PH_LAYOUT_FORCE_INVALIDATE); PhAddLayoutItem(&WindowLayoutManager, methodHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_TERMINATE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_SCAN), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhSetListViewStyle(lvHandle, TRUE, TRUE); PhSetControlTheme(lvHandle, L"explorer"); PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 320, L"Process"); PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 60, L"PID"); PhSetExtendedListView(lvHandle); PhLoadListViewColumnsFromSetting(SETTING_ZOMBIE_PROCESSES_LIST_VIEW_COLUMNS, lvHandle); ExtendedListView_AddFallbackColumn(lvHandle, 0); ExtendedListView_AddFallbackColumn(lvHandle, 1); ExtendedListView_SetItemColorFunction(lvHandle, PhpZombieProcessesColorFunction); ComboBox_AddString(methodHandle, L"Brute force"); ComboBox_AddString(methodHandle, L"CSR handles"); ComboBox_AddString(methodHandle, L"ETW handles"); ComboBox_AddString(methodHandle, L"Process handles"); ComboBox_AddString(methodHandle, L"Registry handles"); ComboBox_AddString(methodHandle, L"Ntdll handles"); PhSelectComboBoxString(methodHandle, L"Process handles", FALSE); MinimumSize.left = 0; MinimumSize.top = 0; MinimumSize.right = 330; MinimumSize.bottom = 140; MapDialogRect(hwndDlg, &MinimumSize); if (PhValidWindowPlacementFromSetting(SETTING_ZOMBIE_PROCESSES_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_ZOMBIE_PROCESSES_WINDOW_POSITION, SETTING_ZOMBIE_PROCESSES_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, GetParent(hwndDlg)); EnableWindow(GetDlgItem(hwndDlg, IDC_TERMINATE), FALSE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveWindowPlacementToSetting(SETTING_ZOMBIE_PROCESSES_WINDOW_POSITION, SETTING_ZOMBIE_PROCESSES_WINDOW_SIZE, hwndDlg); PhSaveListViewColumnsToSetting(SETTING_ZOMBIE_PROCESSES_LIST_VIEW_COLUMNS, PhZombieProcessesListViewHandle); PhZombieProcessesCleanupList(ProcessesList); PhZombieProcessesWindowHandle = NULL; } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: { DestroyWindow(hwndDlg); } break; case IDC_SCAN: { PPH_STRING method; method = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_METHOD))); PhZombieProcessesCleanupList(NULL); ProcessesList = PhCreateList(40); if (PhEqualString2(method, L"Brute force", TRUE)) ProcessesMethod = BruteForceScanMethod; else if (PhEqualString2(method, L"CSR handles", TRUE)) ProcessesMethod = CsrHandlesScanMethod; else if (PhEqualString2(method, L"Process handles", TRUE)) ProcessesMethod = ProcessHandleScanMethod; else if (PhEqualString2(method, L"Registry handles", TRUE)) ProcessesMethod = RegistryScanMethod; else if (PhEqualString2(method, L"ETW handles", TRUE)) ProcessesMethod = EtwGuidScanMethod; else if (PhEqualString2(method, L"Ntdll handles", TRUE)) ProcessesMethod = NtdllScanMethod; NumberOfZombieProcesses = 0; NumberOfTerminatedProcesses = 0; EnableWindow(GetDlgItem(hwndDlg, IDC_SCAN), FALSE); PhCreateThread2(PhZombieProcessesThread, NULL); } break; case IDC_TERMINATE: { PPH_ZOMBIE_PROCESS_ENTRY *entries; ULONG numberOfEntries; ULONG i; PhGetSelectedListViewItemParams(PhZombieProcessesListViewHandle, &entries, &numberOfEntries); if (numberOfEntries != 0) { if (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( hwndDlg, L"terminate", L"the selected process(es)", L"Terminating a Zombie process may cause the system to become unstable " L"or crash.", TRUE )) { NTSTATUS status; HANDLE processHandle; BOOLEAN refresh; refresh = FALSE; for (i = 0; i < numberOfEntries; i++) { if (ProcessesMethod == BruteForceScanMethod || ProcessesMethod == ProcessHandleScanMethod) { status = PhOpenProcess( &processHandle, PROCESS_TERMINATE, entries[i]->ProcessId ); } else { status = PhOpenProcessByCsrHandles( &processHandle, PROCESS_TERMINATE, entries[i]->ProcessId ); } if (NT_SUCCESS(status)) { status = PhTerminateProcess(processHandle, STATUS_SUCCESS); NtClose(processHandle); if (NT_SUCCESS(status)) refresh = TRUE; } else { PhShowStatus(hwndDlg, L"Unable to terminate the process", status, 0); } } if (refresh) { // Sleep for a bit before continuing. It seems to help avoid BSODs. PhDelayExecution(250); SendMessage(hwndDlg, WM_COMMAND, IDC_SCAN, 0); } } } PhFree(entries); } break; case IDC_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt)", L"*.txt" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, L"Zombie Processes.txt"); if (PhShowFileDialog(hwndDlg, fileDialog)) { NTSTATUS status; PPH_STRING fileName; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); PhWritePhTextHeader(fileStream); PhWriteStringAsUtf8FileStream2(fileStream, L"Method: "); PhWriteStringAsUtf8FileStream2(fileStream, ProcessesMethod == BruteForceScanMethod ? L"Brute Force\r\n" : L"CSR Handles\r\n"); PhWriteStringFormatAsUtf8FileStream( fileStream, L"Zombie: %u\r\nTerminated: %u\r\n\r\n", NumberOfZombieProcesses, NumberOfTerminatedProcesses ); if (ProcessesList) { ULONG i; for (i = 0; i < ProcessesList->Count; i++) { PPH_ZOMBIE_PROCESS_ENTRY entry = ProcessesList->Items[i]; if (entry->Type == ZombieProcess) PhWriteStringAsUtf8FileStream2(fileStream, L"[Zombie] "); else if (entry->Type == TerminatedProcess) PhWriteStringAsUtf8FileStream2(fileStream, L"[Terminated] "); else if (entry->Type != NormalProcess) continue; PhWriteStringFormatAsUtf8FileStream( fileStream, L"%s (%u)\r\n", entry->FileName->Buffer, HandleToUlong(entry->ProcessId) ); } } PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; PhHandleListViewNotifyBehaviors(lParam, PhZombieProcessesListViewHandle, PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); switch (header->code) { case LVN_ITEMCHANGED: { if (header->hwndFrom == PhZombieProcessesListViewHandle) { EnableWindow( GetDlgItem(hwndDlg, IDC_TERMINATE), ListView_GetSelectedCount(PhZombieProcessesListViewHandle) > 0 ); } } break; case NM_DBLCLK: { if (header->hwndFrom == PhZombieProcessesListViewHandle) { PPH_ZOMBIE_PROCESS_ENTRY entry; entry = PhGetSelectedListViewItemParam(PhZombieProcessesListViewHandle); if (entry) { NTSTATUS status; PPH_PROCESS_ITEM processItem; status = PhpCreateProcessItemForZombieProcess(hwndDlg, entry, &processItem); if (NT_SUCCESS(status)) { SystemInformer_ShowProcessProperties(processItem); PhDereferenceObject(processItem); } else { PhShowStatus(hwndDlg, L"Unable to create a process structure for the selected process.", status, 0); } } } } break; } REFLECT_MESSAGE_DLG(hwndDlg, PhZombieProcessesListViewHandle, uMsg, wParam, lParam); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&WindowLayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&WindowLayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&WindowLayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == PhZombieProcessesListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(PhZombieProcessesListViewHandle, &point); PhGetSelectedListViewItemParams(PhZombieProcessesListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, PhZombieProcessesListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: PhCopyListView(PhZombieProcessesListViewHandle); break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_PH_UPDATE_DIALOG: { NTSTATUS status = (NTSTATUS)wParam; PPH_LIST list = (PPH_LIST)lParam; ExtendedListView_SetRedraw(PhZombieProcessesListViewHandle, FALSE); ListView_DeleteAllItems(PhZombieProcessesListViewHandle); PhZombieProcessesUpdateListView(list); ExtendedListView_SortItems(PhZombieProcessesListViewHandle); ExtendedListView_SetRedraw(PhZombieProcessesListViewHandle, TRUE); if (NT_SUCCESS(status)) { PhSetDialogItemText(hwndDlg, IDC_DESCRIPTION, PhaFormatString( L"%u zombie process(es), %u terminated process(es).", NumberOfZombieProcesses, NumberOfTerminatedProcesses )->Buffer); InvalidateRect(GetDlgItem(hwndDlg, IDC_DESCRIPTION), NULL, TRUE); } else { PhShowStatus(hwndDlg, L"Unable to perform the scan", status, 0); } EnableWindow(GetDlgItem(hwndDlg, IDC_SCAN), TRUE); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: { if ((HWND)lParam == GetDlgItem(hwndDlg, IDC_DESCRIPTION)) { if (NumberOfZombieProcesses != 0) { SetTextColor((HDC)wParam, RGB(0xff, 0x00, 0x00)); } SetBkColor((HDC)wParam, GetSysColor(COLOR_WINDOW)); return (INT_PTR)GetSysColorBrush(COLOR_WINDOW); } return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } } return FALSE; } COLORREF NTAPI PhpZombieProcessesColorFunction( _In_ INT Index, _In_ PVOID Param, _In_opt_ PVOID Context ) { PPH_ZOMBIE_PROCESS_ENTRY entry = Param; switch (entry->Type) { case UnknownProcess: case ZombieProcess: return RGB(229, 186, 208); case TerminatedProcess: return RGB(0x77, 0x77, 0x77); } return PhEnableThemeSupport ? PhThemeWindowBackgroundColor : GetSysColor(COLOR_WINDOW); } BOOLEAN NTAPI PhpZombieProcessesCallback( _In_ PPH_ZOMBIE_PROCESS_ENTRY Process, _In_ PVOID Context ) { PPH_ZOMBIE_PROCESS_ENTRY entry; ULONG count = ((PPH_LIST)Context)->Count; for (ULONG i = 0; i < count; i++) { PPH_ZOMBIE_PROCESS_ENTRY item = ((PPH_LIST)Context)->Items[i]; if (item->ProcessId == Process->ProcessId) { return TRUE; // duplicate } } entry = PhAllocateCopy(Process, sizeof(PH_ZOMBIE_PROCESS_ENTRY)); if (entry->FileName) PhReferenceObject(entry->FileName); PhAddItemList(Context, entry); if (entry->Type == ZombieProcess) InterlockedIncrement(&NumberOfZombieProcesses); else if (entry->Type == TerminatedProcess) InterlockedIncrement(&NumberOfTerminatedProcesses); return TRUE; } VOID PhZombieProcessesUpdateListView( _In_ PPH_LIST UpdateList ) { for (ULONG i = 0; i < UpdateList->Count; i++) { PPH_ZOMBIE_PROCESS_ENTRY entry = UpdateList->Items[i]; INT lvItemIndex; WCHAR pidString[PH_INT32_STR_LEN_1]; if (entry->FileName) { PhMoveReference(&entry->FileName, PhGetFileName(entry->FileName)); } lvItemIndex = PhAddListViewItem( PhZombieProcessesListViewHandle, MAXINT, PhGetStringOrDefault(entry->FileName, L"(unknown)"), entry ); PhPrintUInt32(pidString, HandleToUlong(entry->ProcessId)); PhSetListViewSubItem(PhZombieProcessesListViewHandle, lvItemIndex, 1, pidString); PhAddItemList(ProcessesList, entry); } } NTSTATUS PhpCreateProcessItemForZombieProcess( _In_ HWND WindowHandle, _In_ PPH_ZOMBIE_PROCESS_ENTRY Entry, _Out_ PPH_PROCESS_ITEM* ProcessItem ) { NTSTATUS status; PPH_PROCESS_ITEM processItem; HANDLE processHandle; if (Entry->Type == NormalProcess) { if (processItem = PhReferenceProcessItem(Entry->ProcessId)) { *ProcessItem = processItem; return STATUS_SUCCESS; } } if (ProcessesMethod != CsrHandlesScanMethod) { status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Entry->ProcessId ); } else { status = PhOpenProcessByCsrHandles( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Entry->ProcessId ); } if (NT_SUCCESS(status)) { if (processItem = PhCreateProcessItemFromHandle( Entry->ProcessId, processHandle, Entry->Type == TerminatedProcess )) { *ProcessItem = processItem; return STATUS_SUCCESS; } NtClose(processHandle); } return status; } NTSTATUS PhpEnumZombieProcessesBruteForce( _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; PPH_LIST pids; ULONG pid; BOOLEAN stop = FALSE; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) return status; pids = PhCreateList(40); process = PH_FIRST_PROCESS(processes); do { PhAddItemList(pids, process->UniqueProcessId); } while (process = PH_NEXT_PROCESS(process)); PhFree(processes); for (pid = 8; pid <= 65536; pid += 4) { NTSTATUS status2; HANDLE processHandle; PH_ZOMBIE_PROCESS_ENTRY entry; KERNEL_USER_TIMES times; PPH_STRING fileName; status2 = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, UlongToHandle(pid) ); if (NT_SUCCESS(status2)) { entry.ProcessId = UlongToHandle(pid); if (NT_SUCCESS(status2 = PhGetProcessTimes( processHandle, × )) && NT_SUCCESS(status2 = PhGetProcessImageFileName( processHandle, &fileName ))) { entry.FileName = fileName; if (times.ExitTime.QuadPart != 0) entry.Type = TerminatedProcess; else if (PhFindItemList(pids, UlongToHandle(pid)) != ULONG_MAX) entry.Type = NormalProcess; else entry.Type = ZombieProcess; if (!Callback(&entry, Context)) stop = TRUE; PhDereferenceObject(fileName); } NtClose(processHandle); } // Use an alternative method if we don't have sufficient access. if (status2 == STATUS_ACCESS_DENIED) { if (NT_SUCCESS(status2 = PhGetProcessImageFileNameByProcessId(UlongToHandle(pid), &fileName))) { entry.ProcessId = UlongToHandle(pid); entry.FileName = fileName; if (PhFindItemList(pids, UlongToHandle(pid)) != ULONG_MAX) entry.Type = NormalProcess; else entry.Type = ZombieProcess; if (!Callback(&entry, Context)) stop = TRUE; PhDereferenceObject(fileName); } } if (status2 == STATUS_INVALID_CID || status2 == STATUS_INVALID_PARAMETER) status2 = STATUS_SUCCESS; if (!NT_SUCCESS(status2)) { entry.ProcessId = UlongToHandle(pid); entry.FileName = NULL; entry.Type = UnknownProcess; if (!Callback(&entry, Context)) stop = TRUE; } if (stop) break; } PhDereferenceObject(pids); return status; } typedef struct _CSR_HANDLES_CONTEXT { PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback; PVOID Context; PPH_LIST Pids; } CSR_HANDLES_CONTEXT, *PCSR_HANDLES_CONTEXT; static BOOLEAN NTAPI PhpCsrProcessHandlesCallback( _In_ PPH_CSR_HANDLE_INFO Handle, _In_opt_ PVOID Context ) { NTSTATUS status; BOOLEAN cont = TRUE; PCSR_HANDLES_CONTEXT context = Context; HANDLE processHandle; KERNEL_USER_TIMES times; PPH_STRING fileName; PH_ZOMBIE_PROCESS_ENTRY entry; entry.ProcessId = Handle->ProcessId; if (NT_SUCCESS(status = PhOpenProcessByCsrHandle( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Handle ))) { if (NT_SUCCESS(status = PhGetProcessTimes( processHandle, × )) && NT_SUCCESS(status = PhGetProcessImageFileName( processHandle, &fileName ))) { entry.FileName = fileName; if (times.ExitTime.QuadPart != 0) entry.Type = TerminatedProcess; else if (context && PhFindItemList(context->Pids, Handle->ProcessId) != ULONG_MAX) entry.Type = NormalProcess; else entry.Type = ZombieProcess; if (context && !context->Callback(&entry, context->Context)) cont = FALSE; PhDereferenceObject(fileName); } NtClose(processHandle); } if (!NT_SUCCESS(status)) { entry.FileName = NULL; entry.Type = UnknownProcess; if (context && !context->Callback(&entry, context->Context)) cont = FALSE; } return cont; } NTSTATUS PhpEnumZombieProcessesCsrHandles( _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; PPH_LIST pids; CSR_HANDLES_CONTEXT context; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) return status; pids = PhCreateList(40); process = PH_FIRST_PROCESS(processes); do { PhAddItemList(pids, process->UniqueProcessId); } while (process = PH_NEXT_PROCESS(process)); PhFree(processes); context.Callback = Callback; context.Context = Context; context.Pids = pids; status = PhEnumCsrProcessHandles(PhpCsrProcessHandlesCallback, &context); PhDereferenceObject(pids); return status; } typedef struct _PH_ENUM_NEXT_PROCESS_CONTEXT { PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback; PVOID Context; } PH_ENUM_NEXT_PROCESS_CONTEXT, *PPH_ENUM_NEXT_PROCESS_CONTEXT; NTSTATUS NTAPI PhpEnumNextProcessHandles( _In_ HANDLE ProcessHandle, _In_ PVOID Context ) { PPH_ENUM_NEXT_PROCESS_CONTEXT context = Context; PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; NTSTATUS status; PVOID processes = NULL; status = PhGetProcessExtendedBasicInformation(ProcessHandle, &basicInfo); if (NT_SUCCESS(status)) { status = PhEnumProcesses(&processes); if (NT_SUCCESS(status)) { if (!PhFindProcessInformation(processes, basicInfo.BasicInfo.UniqueProcessId)) { PH_ZOMBIE_PROCESS_ENTRY entry; PPH_STRING fileName; entry.ProcessId = basicInfo.BasicInfo.UniqueProcessId; if (NT_SUCCESS(PhGetProcessImageFileName(ProcessHandle, &fileName))) { entry.FileName = fileName; entry.Type = ZombieProcess; //if (basicInfo.IsProcessDeleting) // entry.Type = TerminatedProcess; if (!context->Callback(&entry, context->Context)) goto CleanupExit; PhDereferenceObject(fileName); } else { entry.FileName = NULL; entry.Type = UnknownProcess; if (!context->Callback(&entry, context->Context)) goto CleanupExit; } } } } CleanupExit: if (processes) { PhFree(processes); } return STATUS_SUCCESS; } NTSTATUS PhpEnumZombieProcessHandles( _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PH_ENUM_NEXT_PROCESS_CONTEXT context; context.Callback = Callback; context.Context = Context; status = PhEnumNextProcess( NULL, PROCESS_QUERY_LIMITED_INFORMATION, PhpEnumNextProcessHandles, &context ); return status; } NTSTATUS PhpEnumZombieSubKeyHandles( _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; ULONG bufferSize; PKEY_OPEN_SUBKEYS_INFORMATION buffer; UNICODE_STRING subkeyName; OBJECT_ATTRIBUTES objectAttributes; bufferSize = 0x200; buffer = PhAllocate(bufferSize); RtlInitUnicodeString(&subkeyName, L"\\REGISTRY"); InitializeObjectAttributes( &objectAttributes, &subkeyName, OBJ_CASE_INSENSITIVE, NULL, NULL ); while (TRUE) { status = NtQueryOpenSubKeysEx( &objectAttributes, bufferSize, buffer, &bufferSize ); if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; buffer = PhAllocate(bufferSize); } else { break; } } if (NT_SUCCESS(status)) { for (ULONG i = 0; i < buffer->Count; i++) { KEY_PID_ARRAY entry = buffer->KeyArray[i]; HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, entry.ProcessId))) { PVOID processes; if (NT_SUCCESS(PhEnumProcesses(&processes))) { if (!PhFindProcessInformation(processes, entry.ProcessId)) { PH_ZOMBIE_PROCESS_ENTRY process; PPH_STRING fileName; process.ProcessId = entry.ProcessId; if (NT_SUCCESS(PhGetProcessImageFileName(processHandle, &fileName))) { PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; process.FileName = fileName; process.Type = ZombieProcess; if (NT_SUCCESS(PhGetProcessExtendedBasicInformation(processHandle, &basicInfo))) { if (basicInfo.IsProcessDeleting) process.Type = TerminatedProcess; } if (!Callback(&process, Context)) break; PhDereferenceObject(fileName); } else { process.FileName = NULL; process.Type = UnknownProcess; if (!Callback(&process, Context)) break; } } PhFree(processes); } NtClose(processHandle); } else { PH_ZOMBIE_PROCESS_ENTRY process; PPH_STRING fileName; process.ProcessId = entry.ProcessId; if (NT_SUCCESS(PhGetProcessImageFileNameByProcessId(process.ProcessId, &fileName))) { process.FileName = fileName; process.Type = ZombieProcess; if (!Callback(&process, Context)) break; PhDereferenceObject(fileName); } else { process.FileName = NULL; process.Type = UnknownProcess; if (!Callback(&process, Context)) break; } } } } else { PhFree(buffer); } return status; } #define PH_FIRST_ETW_GUID(TraceGuid) \ (((PETW_TRACE_GUID_INFO)(TraceGuid))->InstanceCount ? \ ((PETW_TRACE_PROVIDER_INSTANCE_INFO)PTR_ADD_OFFSET(TraceGuid, \ sizeof(ETW_TRACE_GUID_INFO))) : NULL) #define PH_NEXT_ETW_GUID(TraceGuid) \ (((PETW_TRACE_PROVIDER_INSTANCE_INFO)(TraceGuid))->NextOffset ? \ (PETW_TRACE_PROVIDER_INSTANCE_INFO)PTR_ADD_OFFSET((TraceGuid), \ ((PETW_TRACE_PROVIDER_INSTANCE_INFO)(TraceGuid))->NextOffset) : NULL) NTSTATUS PhpEnumEtwGuidHandles( _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PGUID traceGuidList = NULL; ULONG traceGuidListLength = 0; status = PhTraceControlVariableSize( EtwEnumTraceGuidList, NULL, 0, &traceGuidList, &traceGuidListLength ); if (NT_SUCCESS(status)) { for (ULONG i = 0; i < traceGuidListLength / sizeof(GUID); i++) { GUID providerGuid = traceGuidList[i]; PETW_TRACE_GUID_INFO traceGuidInfo; status = PhTraceControlVariableSize( EtwGetTraceGuidInfo, &providerGuid, sizeof(GUID), &traceGuidInfo, NULL ); if (NT_SUCCESS(status)) { PETW_TRACE_PROVIDER_INSTANCE_INFO instance; HANDLE processHandle; //PVOID processes; for (instance = PH_FIRST_ETW_GUID(traceGuidInfo); instance; instance = PH_NEXT_ETW_GUID(instance)) { if (instance->Pid == 0) continue; if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, UlongToHandle(instance->Pid)))) { PPH_PROCESS_ITEM processItem; processItem = PhReferenceProcessItem(UlongToHandle(instance->Pid)); //if (NT_SUCCESS(PhEnumProcesses(&processes))) { //if (!PhFindProcessInformation(processes, UlongToHandle(instance->Pid))) if (!processItem) { PH_ZOMBIE_PROCESS_ENTRY process; PPH_STRING fileName; process.ProcessId = UlongToHandle(instance->Pid); if (NT_SUCCESS(PhGetProcessImageFileName(processHandle, &fileName))) { PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; process.FileName = fileName; process.Type = ZombieProcess; if (NT_SUCCESS(PhGetProcessExtendedBasicInformation(processHandle, &basicInfo))) { if (basicInfo.IsProcessDeleting) process.Type = TerminatedProcess; } if (!Callback(&process, Context)) break; PhDereferenceObject(fileName); } else { process.FileName = NULL; process.Type = UnknownProcess; if (!Callback(&process, Context)) break; } } //PhFree(processes); } PhClearReference(&processItem); NtClose(processHandle); } else { PH_ZOMBIE_PROCESS_ENTRY process; PPH_STRING fileName; process.ProcessId = UlongToHandle(instance->Pid); if (NT_SUCCESS(PhGetProcessImageFileNameByProcessId(process.ProcessId, &fileName))) { process.FileName = fileName; process.Type = ZombieProcess; if (!Callback(&process, Context)) break; PhDereferenceObject(process.FileName); } else { process.FileName = NULL; process.Type = UnknownProcess; if (!Callback(&process, Context)) break; } } } PhFree(traceGuidInfo); } } PhFree(traceGuidList); } return status; } NTSTATUS PhpEnumNtdllHandles( _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ) { static CONST PH_STRINGREF ntdllPath = PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\ntdll.dll"); static CONST PH_STRINGREF ntfsPath = PH_STRINGREF_INIT(L"\\ntfs"); NTSTATUS status; HANDLE fileHandle; status = PhCreateFile( &fileHandle, &ntfsPath, FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) { status = PhCreateFile( &fileHandle, &ntdllPath, FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); } if (NT_SUCCESS(status)) { PFILE_PROCESS_IDS_USING_FILE_INFORMATION processIds; status = PhGetProcessIdsUsingFile( fileHandle, &processIds ); if (NT_SUCCESS(status)) { for (ULONG i = 0; i < processIds->NumberOfProcessIdsInList; i++) { HANDLE processId; HANDLE processHandle; processId = (HANDLE)processIds->ProcessIdList[i]; if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, processId))) { PVOID processes; if (NT_SUCCESS(PhEnumProcesses(&processes))) { if (!PhFindProcessInformation(processes, processId)) { PH_ZOMBIE_PROCESS_ENTRY process; PPH_STRING fileName; process.ProcessId = processId; if (NT_SUCCESS(PhGetProcessImageFileName(processHandle, &fileName))) { PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; process.FileName = fileName; process.Type = ZombieProcess; if (NT_SUCCESS(PhGetProcessExtendedBasicInformation(processHandle, &basicInfo))) { //if (basicInfo.IsProcessDeleting) // process.Type = TerminatedProcess; } if (!Callback(&process, Context)) break; PhDereferenceObject(fileName); } else { process.FileName = NULL; process.Type = UnknownProcess; if (!Callback(&process, Context)) break; } } PhFree(processes); } NtClose(processHandle); } else { PH_ZOMBIE_PROCESS_ENTRY process; PPH_STRING fileName; process.ProcessId = processId; if (NT_SUCCESS(PhGetProcessImageFileNameByProcessId(process.ProcessId, &fileName))) { process.FileName = fileName; process.Type = ZombieProcess; if (!Callback(&process, Context)) break; PhDereferenceObject(fileName); } else { process.FileName = NULL; process.Type = UnknownProcess; if (!Callback(&process, Context)) break; } } } PhFree(processIds); } NtClose(fileHandle); } return status; } NTSTATUS PhEnumZombieProcesses( _In_ PH_ZOMBIE_PROCESS_METHOD Method, _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ) { switch (Method) { case BruteForceScanMethod: return PhpEnumZombieProcessesBruteForce(Callback, Context); case CsrHandlesScanMethod: return PhpEnumZombieProcessesCsrHandles(Callback, Context); case ProcessHandleScanMethod: return PhpEnumZombieProcessHandles(Callback, Context); case RegistryScanMethod: return PhpEnumZombieSubKeyHandles(Callback, Context); case EtwGuidScanMethod: return PhpEnumEtwGuidHandles(Callback, Context); case NtdllScanMethod: return PhpEnumNtdllHandles(Callback, Context); } return STATUS_FAIL_CHECK; } NTSTATUS PhpOpenCsrProcesses( _Out_ PHANDLE *ProcessHandles, _Out_ PULONG NumberOfProcessHandles ) { NTSTATUS status; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; PPH_LIST processHandleList; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) return status; processHandleList = PhCreateList(8); process = PH_FIRST_PROCESS(processes); do { HANDLE processHandle; PH_KNOWN_PROCESS_TYPE knownProcessType; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_DUP_HANDLE, process->UniqueProcessId ))) { if (NT_SUCCESS(PhGetProcessKnownType( processHandle, &knownProcessType )) && (knownProcessType & KnownProcessTypeMask) == WindowsSubsystemProcessType) { PhAddItemList(processHandleList, processHandle); } else { NtClose(processHandle); } } } while (process = PH_NEXT_PROCESS(process)); PhFree(processes); if (processHandleList->Count) { *ProcessHandles = PhAllocateCopy(processHandleList->Items, processHandleList->Count * sizeof(HANDLE)); *NumberOfProcessHandles = processHandleList->Count; PhDereferenceObject(processHandleList); return status; } PhDereferenceObject(processHandleList); return STATUS_UNSUCCESSFUL; } NTSTATUS PhpGetCsrHandleProcessId( _Inout_ PPH_CSR_HANDLE_INFO Handle ) { NTSTATUS status; PROCESS_BASIC_INFORMATION processBasicInfo; THREAD_BASIC_INFORMATION threadBasicInfo; Handle->IsThreadHandle = FALSE; Handle->ProcessId = NULL; // Assume the handle is a process handle, and get the // process ID. status = KphQueryInformationObject( Handle->CsrProcessHandle, Handle->Handle, KphObjectProcessBasicInformation, &processBasicInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL ); if (NT_SUCCESS(status)) { Handle->ProcessId = processBasicInfo.UniqueProcessId; } else { // We failed to get the process ID. Assume the handle // is a thread handle, and get the process ID. status = KphQueryInformationObject( Handle->CsrProcessHandle, Handle->Handle, KphObjectThreadBasicInformation, &threadBasicInfo, sizeof(THREAD_BASIC_INFORMATION), NULL ); if (NT_SUCCESS(status)) { Handle->ProcessId = threadBasicInfo.ClientId.UniqueProcess; Handle->IsThreadHandle = TRUE; } } return status; } NTSTATUS PhEnumCsrProcessHandles( _In_ PPH_ENUM_CSR_PROCESS_HANDLES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PHANDLE csrProcessHandles; ULONG numberOfCsrProcessHandles; ULONG i; BOOLEAN stop = FALSE; PPH_LIST pids; if (!NT_SUCCESS(status = PhpOpenCsrProcesses( &csrProcessHandles, &numberOfCsrProcessHandles ))) return status; pids = PhCreateList(40); for (i = 0; i < numberOfCsrProcessHandles; i++) { PKPH_PROCESS_HANDLE_INFORMATION handles; ULONG j; if (stop) break; if (NT_SUCCESS(KsiEnumerateProcessHandles(csrProcessHandles[i], &handles))) { for (j = 0; j < handles->HandleCount; j++) { PH_CSR_HANDLE_INFO handle; handle.CsrProcessHandle = csrProcessHandles[i]; handle.Handle = handles->Handles[j].Handle; // Get the process ID associated with the handle. // This call will fail if the handle is not a // process or thread handle. if (!NT_SUCCESS(PhpGetCsrHandleProcessId(&handle))) continue; // Avoid duplicate PIDs. if (PhFindItemList(pids, handle.ProcessId) != ULONG_MAX) continue; PhAddItemList(pids, handle.ProcessId); if (!Callback(&handle, Context)) { stop = TRUE; break; } } PhFree(handles); } } PhDereferenceObject(pids); for (i = 0; i < numberOfCsrProcessHandles; i++) NtClose(csrProcessHandles[i]); PhFree(csrProcessHandles); return status; } NTSTATUS PhOpenProcessByCsrHandle( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_CSR_HANDLE_INFO Handle ) { NTSTATUS status; if (!Handle->IsThreadHandle) { status = NtDuplicateObject( Handle->CsrProcessHandle, Handle->Handle, NtCurrentProcess(), ProcessHandle, DesiredAccess, 0, 0 ); } else { HANDLE threadHandle; if (!NT_SUCCESS(status = NtDuplicateObject( Handle->CsrProcessHandle, Handle->Handle, NtCurrentProcess(), &threadHandle, THREAD_QUERY_LIMITED_INFORMATION, 0, 0 ))) return status; status = KphOpenThreadProcess( threadHandle, DesiredAccess, ProcessHandle ); NtClose(threadHandle); } return status; } typedef struct _OPEN_PROCESS_BY_CSR_CONTEXT { NTSTATUS Status; PHANDLE ProcessHandle; ACCESS_MASK DesiredAccess; HANDLE ProcessId; } OPEN_PROCESS_BY_CSR_CONTEXT, *POPEN_PROCESS_BY_CSR_CONTEXT; static BOOLEAN NTAPI PhpOpenProcessByCsrHandlesCallback( _In_ PPH_CSR_HANDLE_INFO Handle, _In_opt_ PVOID Context ) { POPEN_PROCESS_BY_CSR_CONTEXT context = Context; if (context && Handle->ProcessId == context->ProcessId) { context->Status = PhOpenProcessByCsrHandle( context->ProcessHandle, context->DesiredAccess, Handle ); return FALSE; } return TRUE; } NTSTATUS PhOpenProcessByCsrHandles( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ) { NTSTATUS status; OPEN_PROCESS_BY_CSR_CONTEXT context; context.Status = STATUS_INVALID_CID; context.ProcessHandle = ProcessHandle; context.DesiredAccess = DesiredAccess; context.ProcessId = ProcessId; if (!NT_SUCCESS(status = PhEnumCsrProcessHandles( PhpOpenProcessByCsrHandlesCallback, &context ))) return status; return context.Status; } ================================================ FILE: SystemInformer/hndllist.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2013 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpHandleNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpHandleNodeHashtableHashFunction( _In_ PVOID Entry ); VOID PhpDestroyHandleNode( _In_ PPH_HANDLE_NODE HandleNode ); VOID PhpRemoveHandleNode( _In_ PPH_HANDLE_NODE HandleNode, _In_ PPH_HANDLE_LIST_CONTEXT Context ); _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpHandleTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); BOOLEAN NTAPI PhpHandleTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); VOID PhInitializeHandleList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_HANDLE_LIST_CONTEXT Context ) { HWND hwnd; memset(Context, 0, sizeof(PH_HANDLE_LIST_CONTEXT)); Context->EnableStateHighlighting = TRUE; Context->NodeHashtable = PhCreateHashtable( sizeof(PPH_HANDLE_NODE), PhpHandleNodeHashtableEqualFunction, PhpHandleNodeHashtableHashFunction, 100 ); Context->NodeList = PhCreateList(100); Context->ParentWindowHandle = ParentWindowHandle; Context->TreeNewHandle = TreeNewHandle; hwnd = TreeNewHandle; PhSetControlTheme(hwnd, L"explorer"); TreeNew_SetCallback(hwnd, PhpHandleTreeNewCallback, Context); TreeNew_SetRedraw(hwnd, FALSE); // Default columns PhAddTreeNewColumn(hwnd, PHHNTLC_TYPE, TRUE, L"Type", 100, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_NAME, TRUE, L"Name", 200, PH_ALIGN_LEFT, 1, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_GRANTEDACCESSSYMBOLIC, TRUE, L"Granted access (symbolic)", 140, PH_ALIGN_LEFT, 2, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_HANDLE, FALSE, L"Handle", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_OBJECTADDRESS, FALSE, L"Object address", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHHNTLC_ATTRIBUTES, FALSE, L"Attributes", 120, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(hwnd, PHHNTLC_GRANTEDACCESS, FALSE, L"Granted access", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_ORIGINALNAME, FALSE, L"Original name", 200, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHHNTLC_FILESHAREACCESS, FALSE, L"File share access", 50, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(hwnd, PHHNTLC_HANDLEVALUE, FALSE, L"Handle value", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_HANDLECOUNT, FALSE, L"Handle count", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_POINTERCOUNT, FALSE, L"Reference count", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_PAGEDSIZE, FALSE, L"Paged size", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHHNTLC_NONPAGEDSIZE, FALSE, L"Nonpaged size", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); TreeNew_SetRedraw(hwnd, TRUE); TreeNew_SetSort(hwnd, 0, AscendingSortOrder); PhCmInitializeManager(&Context->Cm, hwnd, PHHNTLC_MAXIMUM, PhpHandleTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, hwnd, Context->NodeList); } VOID PhDeleteHandleList( _In_ PPH_HANDLE_LIST_CONTEXT Context ) { ULONG i; PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); PhCmDeleteManager(&Context->Cm); for (i = 0; i < Context->NodeList->Count; i++) PhpDestroyHandleNode(Context->NodeList->Items[i]); PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpHandleNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_HANDLE_NODE handleNode1 = *(PPH_HANDLE_NODE *)Entry1; PPH_HANDLE_NODE handleNode2 = *(PPH_HANDLE_NODE *)Entry2; return handleNode1->Handle == handleNode2->Handle; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpHandleNodeHashtableHashFunction( _In_ PVOID Entry ) { return HandleToUlong((*(PPH_HANDLE_NODE *)Entry)->Handle) / 4; } VOID PhLoadSettingsHandleList( _Inout_ PPH_HANDLE_LIST_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhGetStringSetting(SETTING_HANDLE_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_HANDLE_TREE_LIST_SORT); Context->Flags = PhGetIntegerSetting(SETTING_HANDLE_TREE_LIST_FLAGS); PhCmLoadSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSaveSettingsHandleList( _Inout_ PPH_HANDLE_LIST_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &sortSettings); PhSetIntegerSetting(SETTING_HANDLE_TREE_LIST_FLAGS, Context->Flags); PhSetStringSetting2(SETTING_HANDLE_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_HANDLE_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSetOptionsHandleList( _Inout_ PPH_HANDLE_LIST_CONTEXT Context, _In_ ULONG Options ) { switch (Options) { case PH_HANDLE_TREE_MENUITEM_HIDE_PROTECTED_HANDLES: Context->HideProtectedHandles = !Context->HideProtectedHandles; break; case PH_HANDLE_TREE_MENUITEM_HIDE_INHERIT_HANDLES: Context->HideInheritHandles = !Context->HideInheritHandles; break; case PH_HANDLE_TREE_MENUITEM_HIDE_UNNAMED_HANDLES: Context->HideUnnamedHandles = !Context->HideUnnamedHandles; break; case PH_HANDLE_TREE_MENUITEM_HIDE_ETW_HANDLES: Context->HideEtwHandles = !Context->HideEtwHandles; break; } } PPH_HANDLE_NODE PhAddHandleNode( _Inout_ PPH_HANDLE_LIST_CONTEXT Context, _In_ PPH_HANDLE_ITEM HandleItem, _In_ ULONG RunId ) { PPH_HANDLE_NODE handleNode; handleNode = PhAllocate(PhEmGetObjectSize(EmHandleNodeType, sizeof(PH_HANDLE_NODE))); memset(handleNode, 0, sizeof(PH_HANDLE_NODE)); PhInitializeTreeNewNode(&handleNode->Node); if (Context->EnableStateHighlighting && RunId != 1) { PhChangeShStateTn( &handleNode->Node, &handleNode->ShState, &Context->NodeStateList, NewItemState, PhCsColorNew, NULL ); } handleNode->Handle = HandleItem->Handle; handleNode->HandleItem = HandleItem; PhReferenceObject(HandleItem); memset(handleNode->TextCache, 0, sizeof(PH_STRINGREF) * PHHNTLC_MAXIMUM); handleNode->Node.TextCache = handleNode->TextCache; handleNode->Node.TextCacheSize = PHHNTLC_MAXIMUM; PhAddEntryHashtable(Context->NodeHashtable, &handleNode); PhAddItemList(Context->NodeList, handleNode); if (Context->TreeFilterSupport.FilterList) handleNode->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->TreeFilterSupport, &handleNode->Node); PhEmCallObjectOperation(EmHandleNodeType, handleNode, EmObjectCreate); TreeNew_NodesStructured(Context->TreeNewHandle); return handleNode; } PPH_HANDLE_NODE PhFindHandleNode( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ HANDLE Handle ) { PH_HANDLE_NODE lookupHandleNode; PPH_HANDLE_NODE lookupHandleNodePtr = &lookupHandleNode; PPH_HANDLE_NODE *handleNode; lookupHandleNode.Handle = Handle; handleNode = (PPH_HANDLE_NODE *)PhFindEntryHashtable( Context->NodeHashtable, &lookupHandleNodePtr ); if (handleNode) return *handleNode; else return NULL; } VOID PhRemoveHandleNode( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ PPH_HANDLE_NODE HandleNode ) { // Remove from the hashtable here to avoid problems in case the key is re-used. PhRemoveEntryHashtable(Context->NodeHashtable, &HandleNode); if (Context->EnableStateHighlighting) { PhChangeShStateTn( &HandleNode->Node, &HandleNode->ShState, &Context->NodeStateList, RemovingItemState, PhCsColorRemoved, Context->TreeNewHandle ); } else { PhpRemoveHandleNode(HandleNode, Context); } } VOID PhpDestroyHandleNode( _In_ PPH_HANDLE_NODE HandleNode ) { PhEmCallObjectOperation(EmHandleNodeType, HandleNode, EmObjectDelete); if (HandleNode->GrantedAccessSymbolicText) PhDereferenceObject(HandleNode->GrantedAccessSymbolicText); if (HandleNode->HandleValue) PhDereferenceObject(HandleNode->HandleValue); if (HandleNode->HandleCountText) PhDereferenceObject(HandleNode->HandleCountText); if (HandleNode->PointerCountText) PhDereferenceObject(HandleNode->PointerCountText); if (HandleNode->PageSizeText) PhDereferenceObject(HandleNode->PageSizeText); if (HandleNode->NonPageSizeText) PhDereferenceObject(HandleNode->NonPageSizeText); PhDereferenceObject(HandleNode->HandleItem); PhFree(HandleNode); } VOID PhpRemoveHandleNode( _In_ PPH_HANDLE_NODE HandleNode, _In_ PPH_HANDLE_LIST_CONTEXT Context // PH_TICK_SH_STATE requires this parameter to be after HandleNode ) { ULONG index; // Remove from list and cleanup. if ((index = PhFindItemList(Context->NodeList, HandleNode)) != ULONG_MAX) PhRemoveItemList(Context->NodeList, index); PhpDestroyHandleNode(HandleNode); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhUpdateHandleNode( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ PPH_HANDLE_NODE HandleNode ) { memset(HandleNode->TextCache, 0, sizeof(PH_STRINGREF) * PHHNTLC_MAXIMUM); PhInvalidateTreeNewNode(&HandleNode->Node, TN_CACHE_COLOR); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhExpandAllHandleNodes( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ BOOLEAN Expand ) { ULONG i; BOOLEAN needsRestructure = FALSE; for (i = 0; i < Context->NodeList->Count; i++) { PPH_HANDLE_NODE node = Context->NodeList->Items[i]; if (node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } if (needsRestructure) TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhTickHandleNodes( _In_ PPH_HANDLE_LIST_CONTEXT Context ) { PH_TICK_SH_STATE_TN(PH_HANDLE_NODE, ShState, Context->NodeStateList, PhpRemoveHandleNode, PhCsHighlightingDuration, Context->TreeNewHandle, TRUE, NULL, Context); } #define SORT_FUNCTION(Column) PhpHandleTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpHandleTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_HANDLE_LIST_CONTEXT context = (PPH_HANDLE_LIST_CONTEXT)_context; \ PPH_HANDLE_NODE node1 = *(PPH_HANDLE_NODE *)_elem1; \ PPH_HANDLE_NODE node2 = *(PPH_HANDLE_NODE *)_elem2; \ PPH_HANDLE_ITEM handleItem1 = node1->HandleItem; \ PPH_HANDLE_ITEM handleItem2 = node2->HandleItem; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Handle, (ULONG_PTR)node2->Handle); \ \ return PhModifySort(sortResult, context->TreeNewSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpHandleTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uintptrcmp((ULONG_PTR)((PPH_HANDLE_NODE)Node1)->Handle, (ULONG_PTR)((PPH_HANDLE_NODE)Node2)->Handle); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(Type) { sortResult = PhCompareStringWithNullSortOrder(handleItem1->TypeName, handleItem2->TypeName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNullSortOrder(handleItem1->BestObjectName, handleItem2->BestObjectName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Handle) { sortResult = uintptrcmp((ULONG_PTR)node1->Handle, (ULONG_PTR)node2->Handle); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ObjectAddress) { sortResult = uintptrcmp((ULONG_PTR)handleItem1->Object, (ULONG_PTR)handleItem2->Object); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Attributes) { sortResult = uintcmp(handleItem1->Attributes, handleItem2->Attributes); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(GrantedAccess) { sortResult = uintcmp(handleItem1->GrantedAccess, handleItem2->GrantedAccess); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(OriginalName) { sortResult = PhCompareStringWithNullSortOrder(handleItem1->ObjectName, handleItem2->ObjectName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileShareAccess) { sortResult = uintcmp(handleItem1->FileFlags & (PH_HANDLE_FILE_SHARED_MASK), handleItem2->FileFlags & (PH_HANDLE_FILE_SHARED_MASK)); // Make sure all file handles get grouped together regardless of share access. if (sortResult == 0 && !PhIsNullOrEmptyString(handleItem1->TypeName)) sortResult = intcmp(PhEqualString2(handleItem1->TypeName, L"File", TRUE), PhEqualString2(handleItem2->TypeName, L"File", TRUE)); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(HandleCount) { sortResult = uintcmp(handleItem1->HandleCount, handleItem2->HandleCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PointerCount) { sortResult = uintcmp(handleItem1->PointerCount, handleItem2->PointerCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PagedPoolCharge) { sortResult = uintcmp(handleItem1->PagedPoolCharge, handleItem2->PagedPoolCharge); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(NonPagedPoolCharge) { sortResult = uintcmp(handleItem1->NonPagedPoolCharge, handleItem2->NonPagedPoolCharge); } END_SORT_FUNCTION BOOLEAN NTAPI PhpHandleTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_HANDLE_LIST_CONTEXT context = Context; PPH_HANDLE_NODE node; if (PhCmForwardMessage(hwnd, Message, Parameter1, Parameter2, &context->Cm)) return TRUE; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; if (!getChildren->Node) { static PVOID sortFunctions[] = { SORT_FUNCTION(Type), SORT_FUNCTION(Name), SORT_FUNCTION(Handle), SORT_FUNCTION(ObjectAddress), SORT_FUNCTION(Attributes), SORT_FUNCTION(GrantedAccess), SORT_FUNCTION(GrantedAccess), // Granted Access (Symbolic) SORT_FUNCTION(OriginalName), SORT_FUNCTION(FileShareAccess), SORT_FUNCTION(Handle), SORT_FUNCTION(HandleCount), SORT_FUNCTION(PointerCount), SORT_FUNCTION(PagedPoolCharge), SORT_FUNCTION(NonPagedPoolCharge), }; int (__cdecl *sortFunction)(void *, const void *, const void *); static_assert(RTL_NUMBER_OF(sortFunctions) == PHHNTLC_MAXIMUM, "SortFunctions must equal maximum."); if (!PhCmForwardSort( (PPH_TREENEW_NODE *)context->NodeList->Items, context->NodeList->Count, context->TreeNewSortColumn, context->TreeNewSortOrder, &context->Cm )) { if (context->TreeNewSortColumn < PHHNTLC_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; } else { sortFunction = NULL; } if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PPH_HANDLE_ITEM handleItem; node = (PPH_HANDLE_NODE)getCellText->Node; handleItem = node->HandleItem; switch (getCellText->Id) { case PHHNTLC_TYPE: getCellText->Text = PhGetStringRef(handleItem->TypeName); break; case PHHNTLC_NAME: getCellText->Text = PhGetStringRef(handleItem->BestObjectName); break; case PHHNTLC_HANDLE: { PhInitializeStringRefLongHint(&getCellText->Text, handleItem->HandleString); } break; case PHHNTLC_OBJECTADDRESS: { if (handleItem->Object) PhInitializeStringRefLongHint(&getCellText->Text, handleItem->ObjectString); } break; case PHHNTLC_ATTRIBUTES: { switch (handleItem->Attributes & (OBJ_PROTECT_CLOSE | OBJ_INHERIT)) { case OBJ_PROTECT_CLOSE: PhInitializeStringRef(&getCellText->Text, L"Protected"); break; case OBJ_INHERIT: PhInitializeStringRef(&getCellText->Text, L"Inherit"); break; case OBJ_PROTECT_CLOSE | OBJ_INHERIT: PhInitializeStringRef(&getCellText->Text, L"Protected, Inherit"); break; } } break; case PHHNTLC_GRANTEDACCESS: { PhInitializeStringRefLongHint(&getCellText->Text, handleItem->GrantedAccessString); } break; case PHHNTLC_GRANTEDACCESSSYMBOLIC: { if (handleItem->GrantedAccess != 0) { if (!node->GrantedAccessSymbolicText) { PPH_ACCESS_ENTRY accessEntries; ULONG numberOfAccessEntries; if (PhGetAccessEntries(PhGetStringOrEmpty(handleItem->TypeName), &accessEntries, &numberOfAccessEntries)) { node->GrantedAccessSymbolicText = PhGetAccessString(handleItem->GrantedAccess, accessEntries, numberOfAccessEntries); PhFree(accessEntries); } } getCellText->Text = PhGetStringRef(node->GrantedAccessSymbolicText); } } break; case PHHNTLC_ORIGINALNAME: { getCellText->Text = PhGetStringRef(handleItem->ObjectName); } break; case PHHNTLC_FILESHAREACCESS: { if (handleItem->FileFlags & PH_HANDLE_FILE_SHARED_MASK) { node->FileShareAccessText[0] = L'-'; node->FileShareAccessText[1] = L'-'; node->FileShareAccessText[2] = L'-'; node->FileShareAccessText[3] = UNICODE_NULL; if (handleItem->FileFlags & PH_HANDLE_FILE_SHARED_READ) node->FileShareAccessText[0] = L'R'; if (handleItem->FileFlags & PH_HANDLE_FILE_SHARED_WRITE) node->FileShareAccessText[1] = L'W'; if (handleItem->FileFlags & PH_HANDLE_FILE_SHARED_DELETE) node->FileShareAccessText[2] = L'D'; PhInitializeStringRefLongHint(&getCellText->Text, node->FileShareAccessText); } } break; case PHHNTLC_HANDLEVALUE: { PhMoveReference(&node->HandleValue, PhFormatUInt64((HANDLE_PTR)handleItem->Handle, FALSE)); getCellText->Text = PhGetStringRef(node->HandleValue); } break; case PHHNTLC_HANDLECOUNT: { if (handleItem->HandleCount != 0) { PhMoveReference(&node->HandleCountText, PhFormatUInt64(handleItem->HandleCount, FALSE)); getCellText->Text = PhGetStringRef(node->HandleCountText); } } break; case PHHNTLC_POINTERCOUNT: { if (handleItem->PointerCount != 0) { PhMoveReference(&node->PointerCountText, PhFormatUInt64(handleItem->PointerCount, FALSE)); getCellText->Text = PhGetStringRef(node->PointerCountText); } } break; case PHHNTLC_PAGEDSIZE: { if (handleItem->PagedPoolCharge != 0) { PhMoveReference(&node->PageSizeText, PhFormatSize(handleItem->PagedPoolCharge, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->PageSizeText); } } break; case PHHNTLC_NONPAGEDSIZE: { if (handleItem->NonPagedPoolCharge != 0) { PhMoveReference(&node->NonPageSizeText, PhFormatSize(handleItem->NonPagedPoolCharge, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->NonPageSizeText); } } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; PPH_HANDLE_ITEM handleItem; node = (PPH_HANDLE_NODE)getNodeColor->Node; handleItem = node->HandleItem; if (!handleItem) ; // Dummy else if (PhCsUseColorProtectedInheritHandles && FlagOn(handleItem->Attributes, OBJ_PROTECT_CLOSE) && FlagOn(handleItem->Attributes, OBJ_INHERIT)) getNodeColor->BackColor = PhCsColorProtectedInheritHandles; else if (PhCsUseColorProtectedHandles && FlagOn(handleItem->Attributes, OBJ_PROTECT_CLOSE)) getNodeColor->BackColor = PhCsColorProtectedHandles; else if (PhCsUseColorInheritHandles && FlagOn(handleItem->Attributes, OBJ_INHERIT)) getNodeColor->BackColor = PhCsColorInheritHandles; getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(hwnd); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_HANDLE_COPY, 0); break; case VK_DELETE: // Pass a 1 in lParam to indicate that warnings should be enabled. SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_HANDLE_CLOSE, 1); break; case VK_RETURN: if (GetKeyState(VK_CONTROL) >= 0) SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_HANDLE_PROPERTIES, 0); else SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_HANDLE_OBJECTPROPERTIES1, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; memset(&data, 0, sizeof(PH_TN_COLUMN_MENU_DATA)); data.TreeNewHandle = hwnd; data.MouseEvent = Parameter1; data.DefaultSortColumn = PHHNTLC_TYPE; data.DefaultSortOrder = AscendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, hwnd, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_HANDLE_PROPERTIES, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_SHOWCONTEXTMENU, (LPARAM)contextMenu); } return TRUE; case TreeNewGetDialogCode: { PULONG code = Parameter2; if (PtrToUlong(Parameter1) == VK_RETURN) { *code = DLGC_WANTMESSAGE; return TRUE; } } return FALSE; } return FALSE; } PPH_HANDLE_ITEM PhGetSelectedHandleItem( _In_ PPH_HANDLE_LIST_CONTEXT Context ) { PPH_HANDLE_ITEM handleItem = NULL; ULONG i; for (i = 0; i < Context->NodeList->Count; i++) { PPH_HANDLE_NODE node = Context->NodeList->Items[i]; if (node->Node.Selected) { handleItem = node->HandleItem; break; } } return handleItem; } VOID PhGetSelectedHandleItems( _In_ PPH_HANDLE_LIST_CONTEXT Context, _Out_ PPH_HANDLE_ITEM **Handles, _Out_ PULONG NumberOfHandles ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < Context->NodeList->Count; i++) { PPH_HANDLE_NODE node = Context->NodeList->Items[i]; if (node->Node.Selected) PhAddItemArray(&array, &node->HandleItem); } *NumberOfHandles = (ULONG)PhFinalArrayCount(&array); *Handles = PhFinalArrayItems(&array); } VOID PhDeselectAllHandleNodes( _In_ PPH_HANDLE_LIST_CONTEXT Context ) { TreeNew_DeselectRange(Context->TreeNewHandle, 0, -1); } ================================================ FILE: SystemInformer/hndlmenu.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * */ #include #include #include #include #include #include #include #include #include VOID PhInsertHandleObjectPropertiesEMenuItems( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG InsertBeforeId, _In_ BOOLEAN EnableShortcut, _In_ PPH_HANDLE_ITEM_INFO Info ) { PPH_EMENU_ITEM parentItem; ULONG indexInParent; if (!PhFindEMenuItemEx(Menu, 0, NULL, InsertBeforeId, &parentItem, &indexInParent)) return; if (PhIsNullOrEmptyString(Info->TypeName)) return; if (PhEqualString2(Info->TypeName, L"File", TRUE) || PhEqualString2(Info->TypeName, L"DLL", TRUE) || PhEqualString2(Info->TypeName, L"Mapped file", TRUE) || PhEqualString2(Info->TypeName, L"Mapped image", TRUE)) { if (PhEqualString2(Info->TypeName, L"File", TRUE)) { PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_OBJECTPROPERTIES2, L"File propert&ies", NULL, NULL), indexInParent); PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_OBJECTPROPERTIES1, PhaAppendCtrlEnter(L"Open &file location", EnableShortcut), NULL, NULL), indexInParent + 1); PhInsertEMenuItem(parentItem, PhCreateEMenuSeparator(), indexInParent + 2); } else { PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_OBJECTPROPERTIES1, PhaAppendCtrlEnter(L"Open &file location", EnableShortcut), NULL, NULL), indexInParent); PhInsertEMenuItem(parentItem, PhCreateEMenuSeparator(), indexInParent + 1); } } else if (PhEqualString2(Info->TypeName, L"Key", TRUE)) { PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_OBJECTPROPERTIES1, PhaAppendCtrlEnter(L"Open &key", EnableShortcut), NULL, NULL), indexInParent); PhInsertEMenuItem(parentItem, PhCreateEMenuSeparator(), indexInParent + 1); } else if (PhEqualString2(Info->TypeName, L"Process", TRUE)) { PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_GOTOOWNINGPROCESS, L"Go to process...", NULL, NULL), indexInParent); PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_OBJECTPROPERTIES1, PhaAppendCtrlEnter(L"Process propert&ies", EnableShortcut), NULL, NULL), indexInParent + 1); PhInsertEMenuItem(parentItem, PhCreateEMenuSeparator(), indexInParent + 2); } else if (PhEqualString2(Info->TypeName, L"Section", TRUE)) { PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_OBJECTPROPERTIES1, PhaAppendCtrlEnter(L"Read/Write &memory", EnableShortcut), NULL, NULL), indexInParent); PhInsertEMenuItem(parentItem, PhCreateEMenuSeparator(), indexInParent + 1); } else if (PhEqualString2(Info->TypeName, L"Thread", TRUE)) { PhInsertEMenuItem(parentItem, PhCreateEMenuItem(0, ID_HANDLE_OBJECTPROPERTIES1, PhaAppendCtrlEnter(L"Go to t&hread...", EnableShortcut), NULL, NULL), indexInParent); PhInsertEMenuItem(parentItem, PhCreateEMenuSeparator(), indexInParent + 1); } } static NTSTATUS PhpDuplicateHandleFromProcessItem( _Out_ PHANDLE NewHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId, _In_ HANDLE Handle ) { NTSTATUS status; HANDLE processHandle; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, ProcessId ))) return status; status = NtDuplicateObject( processHandle, Handle, NtCurrentProcess(), NewHandle, DesiredAccess, 0, 0 ); NtClose(processHandle); return status; } static VOID PhpShowProcessPropContext( _In_ PVOID Parameter ) { PhShowProcessProperties(Parameter); PhDereferenceObject(Parameter); } VOID PhShowHandleObjectProperties1( _In_ HWND hWnd, _In_ PPH_HANDLE_ITEM_INFO Info ) { if (PhIsNullOrEmptyString(Info->TypeName)) return; if (PhEqualString2(Info->TypeName, L"File", TRUE) || PhEqualString2(Info->TypeName, L"DLL", TRUE) || PhEqualString2(Info->TypeName, L"Mapped file", TRUE) || PhEqualString2(Info->TypeName, L"Mapped image", TRUE)) { if (Info->BestObjectName) { PhShellExecuteUserString( hWnd, SETTING_FILE_BROWSE_EXECUTABLE, Info->BestObjectName->Buffer, FALSE, L"Make sure the Explorer executable file is present." ); } else PhShowError2(hWnd, L"Unable to open the file location.", L"%s", L"The object is unnamed."); } else if (PhEqualString2(Info->TypeName, L"Key", TRUE)) { if (Info->BestObjectName) PhShellOpenKey2(hWnd, Info->BestObjectName); else PhShowError2(hWnd, L"Unable to open key.", L"%s", L"The object is unnamed."); } else if (PhEqualString2(Info->TypeName, L"Process", TRUE)) { HANDLE processHandle; HANDLE processId; PPH_PROCESS_ITEM targetProcessItem; processId = NULL; if (KsiLevel() >= KphLevelMed) { if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Info->ProcessId ))) { PROCESS_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(KphQueryInformationObject( processHandle, Info->Handle, KphObjectProcessBasicInformation, &basicInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL ))) { processId = basicInfo.UniqueProcessId; } NtClose(processHandle); } } else { HANDLE handle; PROCESS_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhpDuplicateHandleFromProcessItem( &handle, PROCESS_QUERY_LIMITED_INFORMATION, Info->ProcessId, Info->Handle ))) { if (NT_SUCCESS(PhGetProcessBasicInformation(handle, &basicInfo))) processId = basicInfo.UniqueProcessId; NtClose(handle); } } if (processId) { targetProcessItem = PhReferenceProcessItem(processId); if (!targetProcessItem) { NTSTATUS status; status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, processId ); if (NT_SUCCESS(status)) { targetProcessItem = PhCreateProcessItemFromHandle( processId, processHandle, TRUE ); } } if (targetProcessItem) { SystemInformer_ShowProcessProperties(targetProcessItem); PhDereferenceObject(targetProcessItem); } else { PhShowError2(hWnd, L"Unable to show the process properties.", L"%s", L"The process does not exist."); } } } else if (PhEqualString2(Info->TypeName, L"Section", TRUE)) { NTSTATUS status; HANDLE handle = NULL; BOOLEAN readOnly = FALSE; if (!NT_SUCCESS(status = PhpDuplicateHandleFromProcessItem( &handle, SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE, Info->ProcessId, Info->Handle ))) { status = PhpDuplicateHandleFromProcessItem( &handle, SECTION_QUERY | SECTION_MAP_READ, Info->ProcessId, Info->Handle ); readOnly = TRUE; } if (handle) { PPH_STRING sectionName = NULL; SECTION_BASIC_INFORMATION basicInfo; SIZE_T viewSize = PH_MAX_SECTION_EDIT_SIZE; PVOID viewBase = NULL; BOOLEAN tooBig = FALSE; PhGetHandleInformation(NtCurrentProcess(), handle, ULONG_MAX, NULL, NULL, NULL, §ionName); if (NT_SUCCESS(status = PhGetSectionBasicInformation(handle, &basicInfo))) { if (basicInfo.MaximumSize.QuadPart <= PH_MAX_SECTION_EDIT_SIZE) viewSize = (SIZE_T)basicInfo.MaximumSize.QuadPart; else tooBig = TRUE; status = PhMapViewOfSection( handle, NtCurrentProcess(), &viewBase, 0, NULL, &viewSize, ViewUnmap, 0, readOnly ? PAGE_READONLY : PAGE_READWRITE ); if (status == STATUS_SECTION_PROTECTION && !readOnly) { status = PhMapViewOfSection( handle, NtCurrentProcess(), &viewBase, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY ); } if (NT_SUCCESS(status)) { PPH_SHOW_MEMORY_EDITOR showMemoryEditor = PhAllocate(sizeof(PH_SHOW_MEMORY_EDITOR)); if (tooBig) { PhShowWarning2(hWnd, L"Unable to map a view of the section.", L"%s", L"The section size is greater than 32 MB. Only the first 32 MB will be available."); } memset(showMemoryEditor, 0, sizeof(PH_SHOW_MEMORY_EDITOR)); showMemoryEditor->ProcessId = NtCurrentProcessId(); showMemoryEditor->BaseAddress = viewBase; showMemoryEditor->RegionSize = viewSize; showMemoryEditor->SelectOffset = ULONG_MAX; showMemoryEditor->SelectLength = 0; showMemoryEditor->Title = sectionName ? PhConcatStrings2(L"Section - ", sectionName->Buffer) : PhCreateString(L"Section"); showMemoryEditor->Flags = PH_MEMORY_EDITOR_UNMAP_VIEW_OF_SECTION; SystemInformer_ShowMemoryEditor(showMemoryEditor); } else { PhShowStatus(hWnd, L"Unable to map a view of the section.", status, 0); } } else { PhShowStatus(hWnd, L"Unable to query the section.", status, 0); } PhClearReference(§ionName); NtClose(handle); } } else if (PhEqualString2(Info->TypeName, L"Thread", TRUE)) { HANDLE processHandle; CLIENT_ID clientId; PPH_PROCESS_ITEM targetProcessItem; PPH_PROCESS_PROPCONTEXT propContext; clientId.UniqueProcess = NULL; clientId.UniqueThread = NULL; if (KsiLevel() >= KphLevelMed) { if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Info->ProcessId ))) { THREAD_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(KphQueryInformationObject( processHandle, Info->Handle, KphObjectThreadBasicInformation, &basicInfo, sizeof(THREAD_BASIC_INFORMATION), NULL ))) { clientId = basicInfo.ClientId; } NtClose(processHandle); } } else { HANDLE handle; THREAD_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhpDuplicateHandleFromProcessItem( &handle, THREAD_QUERY_LIMITED_INFORMATION, Info->ProcessId, Info->Handle ))) { if (NT_SUCCESS(PhGetThreadBasicInformation(handle, &basicInfo))) clientId = basicInfo.ClientId; NtClose(handle); } } if (clientId.UniqueProcess) { targetProcessItem = PhReferenceProcessItem(clientId.UniqueProcess); if (!targetProcessItem) { NTSTATUS status; status = PhOpenProcessClientId( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, &clientId ); if (NT_SUCCESS(status)) { targetProcessItem = PhCreateProcessItemFromHandle( clientId.UniqueProcess, processHandle, TRUE ); } } if (targetProcessItem) { propContext = PhCreateProcessPropContext(NULL, targetProcessItem); PhDereferenceObject(targetProcessItem); PhSetSelectThreadIdProcessPropContext(propContext, clientId.UniqueThread); SystemInformer_Invoke(PhpShowProcessPropContext, propContext); } else { PhShowError2(hWnd, L"Unable to show the process properties.", L"%s", L"The process does not exist."); } } } } VOID PhShowHandleObjectProperties2( _In_ HWND hWnd, _In_ PPH_HANDLE_ITEM_INFO Info ) { if (PhIsNullOrEmptyString(Info->TypeName)) return; if (PhEqualString2(Info->TypeName, L"File", TRUE) || PhEqualString2(Info->TypeName, L"DLL", TRUE) || PhEqualString2(Info->TypeName, L"Mapped file", TRUE) || PhEqualString2(Info->TypeName, L"Mapped image", TRUE)) { if (Info->BestObjectName) PhShellProperties(hWnd, Info->BestObjectName->Buffer); else PhShowError2(hWnd, L"Unable to open the file properties.", L"%s", L"The object is unnamed."); } } ================================================ FILE: SystemInformer/hndlprp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2013 * dmex 2018-2024 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include typedef enum _PHP_HANDLE_GENERAL_CATEGORY { // common PH_HANDLE_GENERAL_CATEGORY_BASICINFO, PH_HANDLE_GENERAL_CATEGORY_SECURITY, PH_HANDLE_GENERAL_CATEGORY_REFERENCES, PH_HANDLE_GENERAL_CATEGORY_QUOTA, // extra PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_CATEGORY_SECTION, PH_HANDLE_GENERAL_CATEGORY_MUTANT, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_CATEGORY_ETW, PH_HANDLE_GENERAL_CATEGORY_SYMBOLICLINK, PH_HANDLE_GENERAL_CATEGORY_MAXIMUM } PHP_HANDLE_GENERAL_CATEGORY; typedef enum _PHP_HANDLE_GENERAL_INDEX { PH_HANDLE_GENERAL_INDEX_NAME, PH_HANDLE_GENERAL_INDEX_TYPE, PH_HANDLE_GENERAL_INDEX_OBJECT, PH_HANDLE_GENERAL_INDEX_FULLNAME, PH_HANDLE_GENERAL_INDEX_ACCESSS, PH_HANDLE_GENERAL_INDEX_ACCESSGENERIC, PH_HANDLE_GENERAL_INDEX_ACCESSMASK, PH_HANDLE_GENERAL_INDEX_SDDL, PH_HANDLE_GENERAL_INDEX_REFERENCES, PH_HANDLE_GENERAL_INDEX_HANDLES, PH_HANDLE_GENERAL_INDEX_PAGED, PH_HANDLE_GENERAL_INDEX_NONPAGED, PH_HANDLE_GENERAL_INDEX_FLAGS, PH_HANDLE_GENERAL_INDEX_SEQUENCENUMBER, PH_HANDLE_GENERAL_INDEX_PORTCONTEXT, PH_HANDLE_GENERAL_INDEX_FILETYPE, PH_HANDLE_GENERAL_INDEX_FILEMODE, PH_HANDLE_GENERAL_INDEX_FILEPOSITION, PH_HANDLE_GENERAL_INDEX_FILESIZE, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, PH_HANDLE_GENERAL_INDEX_FILEDRIVER, PH_HANDLE_GENERAL_INDEX_FILEDRIVERIMAGE, PH_HANDLE_GENERAL_INDEX_SECTIONTYPE, PH_HANDLE_GENERAL_INDEX_SECTIONFILE, PH_HANDLE_GENERAL_INDEX_SECTIONSIZE, PH_HANDLE_GENERAL_INDEX_MUTANTCOUNT, PH_HANDLE_GENERAL_INDEX_MUTANTABANDONED, PH_HANDLE_GENERAL_INDEX_MUTANTOWNER, PH_HANDLE_GENERAL_INDEX_ALPCCONNECTION, PH_HANDLE_GENERAL_INDEX_ALPCSERVER, PH_HANDLE_GENERAL_INDEX_ALPCCLIENT, PH_HANDLE_GENERAL_INDEX_ALPCOWNER, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADNAME, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADCREATETIME, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITTIME, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITCODE, PH_HANDLE_GENERAL_INDEX_ETWORIGINALNAME, PH_HANDLE_GENERAL_INDEX_ETWGROUPNAME, PH_HANDLE_GENERAL_INDEX_SYMBOLICLINKLINK, PH_HANDLE_GENERAL_INDEX_MAXIMUM } PHP_HANDLE_GENERAL_INDEX; typedef struct _HANDLE_PROPERTIES_CONTEXT { HWND ListViewHandle; HWND ParentWindow; HANDLE ProcessId; PPH_LISTVIEW_CONTEXT ListViewClass; PPH_HANDLE_ITEM HandleItem; PH_LAYOUT_MANAGER LayoutManager; } HANDLE_PROPERTIES_CONTEXT, *PHANDLE_PROPERTIES_CONTEXT; typedef struct _HANDLE_PERMISSIONS_CONTEXT { PHANDLE_PROPERTIES_CONTEXT HandleProperties; HWND ListViewHeader; HWND ListViewHandle; HWND ParentWindow; HANDLE ProcessId; PPH_LISTVIEW_CONTEXT ListViewClass; PPH_HANDLE_ITEM HandleItem; PH_LAYOUT_MANAGER LayoutManager; } HANDLE_PERMISSIONS_CONTEXT, *PHANDLE_PERMISSIONS_CONTEXT; #define PH_FILEMODE_ASYNC 0x01000000 #define PhFileModeUpdAsyncFlag(mode) \ ((mode) & (FILE_SYNCHRONOUS_IO_ALERT | FILE_SYNCHRONOUS_IO_NONALERT) ? (mode) &~ PH_FILEMODE_ASYNC: (mode) | PH_FILEMODE_ASYNC) CONST PH_ACCESS_ENTRY FileModeAccessEntries[] = { { L"FILE_FLAG_OVERLAPPED", PH_FILEMODE_ASYNC, FALSE, FALSE, L"Asynchronous" }, { L"FILE_FLAG_WRITE_THROUGH", FILE_WRITE_THROUGH, FALSE, FALSE, L"Write through" }, { L"FILE_FLAG_SEQUENTIAL_SCAN", FILE_SEQUENTIAL_ONLY, FALSE, FALSE, L"Sequential" }, { L"FILE_FLAG_NO_BUFFERING", FILE_NO_INTERMEDIATE_BUFFERING, FALSE, FALSE, L"No buffering" }, { L"FILE_SYNCHRONOUS_IO_ALERT", FILE_SYNCHRONOUS_IO_ALERT, FALSE, FALSE, L"Synchronous alert" }, { L"FILE_SYNCHRONOUS_IO_NONALERT", FILE_SYNCHRONOUS_IO_NONALERT, FALSE, FALSE, L"Synchronous non-alert" }, }; CONST PH_ACCESS_ENTRY AlpcFlags[] = { { L"ALPC_PORFLG_LPC_MODE", ALPC_PORFLG_LPC_MODE, FALSE, FALSE, L"LPC mode"}, { L"ALPC_PORFLG_ALLOW_IMPERSONATION", ALPC_PORFLG_ALLOW_IMPERSONATION, FALSE, FALSE, L"Allow impersonation"}, { L"ALPC_PORFLG_ALLOW_LPC_REQUESTS", ALPC_PORFLG_ALLOW_LPC_REQUESTS, FALSE, FALSE, L"Allow LPC requests"}, { L"ALPC_PORFLG_WAITABLE_PORT", ALPC_PORFLG_WAITABLE_PORT, FALSE, FALSE, L"Waitable"}, { L"ALPC_PORFLG_ALLOW_DUP_OBJECT", ALPC_PORFLG_ALLOW_DUP_OBJECT, FALSE, FALSE, L"Allow object duplication"}, { L"ALPC_PORFLG_SYSTEM_PROCESS", ALPC_PORFLG_SYSTEM_PROCESS, FALSE, FALSE, L"System process only"}, { L"ALPC_PORFLG_WAKE_POLICY1", ALPC_PORFLG_WAKE_POLICY1, FALSE, FALSE, L"Wake policy (1)"}, { L"ALPC_PORFLG_WAKE_POLICY2", ALPC_PORFLG_WAKE_POLICY2, FALSE, FALSE, L"Wake policy (2)"}, { L"ALPC_PORFLG_WAKE_POLICY3", ALPC_PORFLG_WAKE_POLICY3, FALSE, FALSE, L"Wake policy (3)"}, { L"ALPC_PORFLG_DIRECT_MESSAGE", ALPC_PORFLG_DIRECT_MESSAGE, FALSE, FALSE, L"No shared section (direct)"}, { L"ALPC_PORFLG_ALLOW_MULTIHANDLE_ATTRIBUTE", ALPC_PORFLG_ALLOW_MULTIHANDLE_ATTRIBUTE, FALSE, FALSE, L"Allow multi-handle attributes"}, }; INT_PTR CALLBACK PhpHandleGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpHandlePermissionsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpHandleAuditingDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpDuplicateHandleFromProcess( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_ PVOID Context ) { PHANDLE_PROPERTIES_CONTEXT context = Context; NTSTATUS status; HANDLE processHandle; *Handle = NULL; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, context->ProcessId ))) { status = NtDuplicateObject( processHandle, context->HandleItem->Handle, NtCurrentProcess(), Handle, DesiredAccess, 0, 0 ); NtClose(processHandle); } if (!NT_SUCCESS(status) && KsiLevel() >= KphLevelMax) { if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, context->ProcessId ))) { status = KphDuplicateObject( processHandle, context->HandleItem->Handle, DesiredAccess, Handle ); NtClose(processHandle); } } return status; } _Function_class_(PH_CLOSE_OBJECT) static NTSTATUS PhpDuplicateHandleCloseProcess( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) NtClose(Handle); return STATUS_SUCCESS; } typedef struct _HANDLE_PROPERTIES_THREAD_CONTEXT { HWND ParentWindowHandle; HANDLE ProcessId; PPH_HANDLE_ITEM HandleItem; } HANDLE_PROPERTIES_THREAD_CONTEXT, *PHANDLE_PROPERTIES_THREAD_CONTEXT; BOOLEAN PhpIsVerboseBestObjectName( _In_ PPH_HANDLE_ITEM HandleItem ) { // Some handles use a verbose BestObjectName for the sake of searching. And will display // extended information in the property window consisting of the information contained in the // BestObjectName. This routine is used to fall back to the normal ObjectName in the property // window for these cases. (jxy-s) if (PhIsNullOrEmptyString(HandleItem->TypeName)) return FALSE; if (PhEqualString2(HandleItem->TypeName, L"ALPC Port", TRUE)) return TRUE; if (PhEqualString2(HandleItem->TypeName, L"File", TRUE) && PhAfdIsSocketObjectName(HandleItem->ObjectName)) return TRUE; return FALSE; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) static VOID PhHandlePropertiesContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PHANDLE_PROPERTIES_CONTEXT context = Object; PhDereferenceObject(context->HandleItem); } PHANDLE_PROPERTIES_CONTEXT PhCreateHandlePropertiesContext( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_OBJECT_TYPE PhHandlePropertiesContextType = NULL; PHANDLE_PROPERTIES_CONTEXT context; if (PhBeginInitOnce(&initOnce)) { PhHandlePropertiesContextType = PhCreateObjectType(L"HandlePropertiesItem", 0, PhHandlePropertiesContextDeleteProcedure); PhEndInitOnce(&initOnce); } context = PhCreateObject(sizeof(HANDLE_PROPERTIES_CONTEXT), PhHandlePropertiesContextType); memset(context, 0, sizeof(HANDLE_PROPERTIES_CONTEXT)); return context; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpShowHandlePropertiesThread( _In_ PVOID Parameter ) { PHANDLE_PROPERTIES_THREAD_CONTEXT handleContext = Parameter; PROPSHEETHEADER propSheetHeader = { sizeof(PROPSHEETHEADER) }; PROPSHEETPAGE propSheetPage; HPROPSHEETPAGE pages[16]; PHANDLE_PROPERTIES_CONTEXT context; PH_AUTO_POOL autoPool; context = PhCreateHandlePropertiesContext(); context->ProcessId = handleContext->ProcessId; context->HandleItem = handleContext->HandleItem; context->ParentWindow = handleContext->ParentWindowHandle; PhInitializeAutoPool(&autoPool); propSheetHeader.dwFlags = PSH_MODELESS | PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP | PSH_PROPTITLE; propSheetHeader.hInstance = NtCurrentImageBase(); propSheetHeader.hwndParent = PhCsForceNoParent ? NULL : handleContext->ParentWindowHandle; propSheetHeader.pszCaption = L"Handle"; propSheetHeader.nPages = 0; propSheetHeader.nStartPage = 0; propSheetHeader.phpage = pages; // General page memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_HNDLGENERAL); propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = PhpHandleGeneralDlgProc; propSheetPage.lParam = (LPARAM)context; pages[propSheetHeader.nPages++] = CreatePropertySheetPage(&propSheetPage); // Permissions page memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_HNDLSECURITY); propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = PhpHandlePermissionsDlgProc; propSheetPage.lParam = (LPARAM)context; pages[propSheetHeader.nPages++] = CreatePropertySheetPage(&propSheetPage); // Audiing page memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_HNDLSECAUDIT); propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = PhpHandleAuditingDlgProc; propSheetPage.lParam = (LPARAM)context; pages[propSheetHeader.nPages++] = CreatePropertySheetPage(&propSheetPage); // Object-specific page if (PhIsNullOrEmptyString(handleContext->HandleItem->TypeName)) { NOTHING; } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"Event", TRUE)) { pages[propSheetHeader.nPages++] = PhCreateEventPage( PhpDuplicateHandleFromProcess, PhpDuplicateHandleCloseProcess, context ); } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"EventPair", TRUE)) { pages[propSheetHeader.nPages++] = PhCreateEventPairPage( PhpDuplicateHandleFromProcess, PhpDuplicateHandleCloseProcess, context ); } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"Job", TRUE)) { pages[propSheetHeader.nPages++] = PhCreateJobPage( PhpDuplicateHandleFromProcess, PhpDuplicateHandleCloseProcess, context, NULL ); } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"Semaphore", TRUE)) { pages[propSheetHeader.nPages++] = PhCreateSemaphorePage( PhpDuplicateHandleFromProcess, PhpDuplicateHandleCloseProcess, context ); } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"Timer", TRUE)) { pages[propSheetHeader.nPages++] = PhCreateTimerPage( PhpDuplicateHandleFromProcess, PhpDuplicateHandleCloseProcess, context ); } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"Token", TRUE)) { pages[propSheetHeader.nPages++] = PhCreateTokenPage( PhpDuplicateHandleFromProcess, PhpDuplicateHandleCloseProcess, context->ProcessId, context, NULL ); } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"Section", TRUE)) { pages[propSheetHeader.nPages++] = PhCreateMappingsPage( handleContext->ProcessId, handleContext->HandleItem->Handle ); } else if (PhEqualString2(handleContext->HandleItem->TypeName, L"File", TRUE) && PhAfdIsSocketObjectName(handleContext->HandleItem->ObjectName)) { pages[propSheetHeader.nPages++] = PhCreateAfdSocketPage( context->ProcessId, context->HandleItem->Handle ); } // Security page { PCWSTR objectName; if (PhpIsVerboseBestObjectName(handleContext->HandleItem)) objectName = PhGetStringOrEmpty(handleContext->HandleItem->ObjectName); else objectName = PhGetStringOrEmpty(handleContext->HandleItem->BestObjectName); pages[propSheetHeader.nPages++] = PhCreateSecurityPage( objectName, PhGetStringOrEmpty(handleContext->HandleItem->TypeName), PhpDuplicateHandleFromProcess, PhpDuplicateHandleCloseProcess, context ); } if (PhPluginsEnabled) { PH_PLUGIN_OBJECT_PROPERTIES objectProperties; PH_PLUGIN_HANDLE_PROPERTIES_CONTEXT propertiesContext; memset(&propertiesContext, 0, sizeof(PH_PLUGIN_HANDLE_PROPERTIES_CONTEXT)); propertiesContext.ParentWindowHandle = handleContext->ParentWindowHandle; propertiesContext.ProcessId = handleContext->ProcessId; propertiesContext.HandleItem = handleContext->HandleItem; memset(&objectProperties, 0, sizeof(PH_PLUGIN_OBJECT_PROPERTIES)); objectProperties.Parameter = &propertiesContext; objectProperties.NumberOfPages = propSheetHeader.nPages; objectProperties.MaximumNumberOfPages = RTL_NUMBER_OF(pages); objectProperties.Pages = pages; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackHandlePropertiesInitializing), &objectProperties); propSheetHeader.nPages = objectProperties.NumberOfPages; } PhModalPropertySheet(&propSheetHeader); PhDeleteAutoPool(&autoPool); PhDereferenceObject(context); PhFree(handleContext); return STATUS_SUCCESS; } VOID PhShowHandleProperties( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId, _In_ PPH_HANDLE_ITEM HandleItem ) { PHANDLE_PROPERTIES_THREAD_CONTEXT context; context = PhAllocateZero(sizeof(HANDLE_PROPERTIES_THREAD_CONTEXT)); context->ParentWindowHandle = ParentWindowHandle; context->ProcessId = ProcessId; context->HandleItem = HandleItem; PhReferenceObject(HandleItem); PhCreateThread2(PhpShowHandlePropertiesThread, context); } VOID PhAddHandleListViewItem( _In_ PPH_LISTVIEW_CONTEXT ListViewClass, _In_ LONG GroupId, _In_ LONG Index, _In_ PCWSTR Text ) { PhListView_AddGroupItem(ListViewClass, GroupId, Index, Text, UlongToPtr(Index)); } VOID PhSetHandleListViewItem( _In_ PHANDLE_PROPERTIES_CONTEXT Context, _In_ LONG Index, _In_ LONG SubItemIndex, _In_ PCWSTR Text ) { LONG index = PhFindListViewItemByParam(Context->ListViewHandle, INT_ERROR, UlongToPtr(Index)); if (index != INT_ERROR) { PhListView_SetSubItem(Context->ListViewClass, index, SubItemIndex, Text); } } VOID PhpUpdateHandleGeneralListViewGroups( _In_ PHANDLE_PROPERTIES_CONTEXT Context ) { PhListView_EnableGroupView(Context->ListViewClass, TRUE); PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_BASICINFO, L"Basic information"); PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECURITY, L"Security information"); PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_REFERENCES, L"References"); PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_QUOTA, L"Quota charges"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_BASICINFO, PH_HANDLE_GENERAL_INDEX_NAME, L"Name"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_BASICINFO, PH_HANDLE_GENERAL_INDEX_TYPE, L"Type"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_BASICINFO, PH_HANDLE_GENERAL_INDEX_OBJECT, L"Object address"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_BASICINFO, PH_HANDLE_GENERAL_INDEX_FULLNAME, L"FullPath"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECURITY, PH_HANDLE_GENERAL_INDEX_ACCESSS, L"Granted access"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECURITY, PH_HANDLE_GENERAL_INDEX_ACCESSGENERIC, L"Granted access (generic)"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECURITY, PH_HANDLE_GENERAL_INDEX_ACCESSMASK, L"Granted access (mask)"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECURITY, PH_HANDLE_GENERAL_INDEX_SDDL, L"SDDL"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_REFERENCES, PH_HANDLE_GENERAL_INDEX_REFERENCES, L"References"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_REFERENCES, PH_HANDLE_GENERAL_INDEX_HANDLES, L"Handles"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_QUOTA, PH_HANDLE_GENERAL_INDEX_PAGED, L"Paged"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_QUOTA, PH_HANDLE_GENERAL_INDEX_NONPAGED, L"Virtual size"); if (PhIsNullOrEmptyString(Context->HandleItem->TypeName)) { NOTHING; } else if (PhEqualString2(Context->HandleItem->TypeName, L"ALPC Port", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, L"ALPC Port"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_INDEX_FLAGS, L"Flags"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_INDEX_SEQUENCENUMBER, L"Sequence Number"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_INDEX_PORTCONTEXT, L"Port Context"); if (KsiLevel() >= KphLevelMed) { PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_INDEX_ALPCCONNECTION, L"Connection"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_INDEX_ALPCSERVER, L"Server"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_INDEX_ALPCCLIENT, L"Client"); } if (WindowsVersion >= WINDOWS_10_19H2) { PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ALPC, PH_HANDLE_GENERAL_INDEX_ALPCOWNER, L"Owner"); } } else if (PhEqualString2(Context->HandleItem->TypeName, L"EtwRegistration", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ETW, L"Event trace information"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ETW, PH_HANDLE_GENERAL_INDEX_ETWORIGINALNAME, L"GUID"); //PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_ETW, PH_HANDLE_GENERAL_INDEX_ETWGROUPNAME, L"Group GUID"); } else if (PhEqualStringRef2(&Context->HandleItem->TypeName->sr, L"File", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, L"File information"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_INDEX_FILETYPE, L"Type"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_INDEX_FILEMODE, L"Mode"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_INDEX_FILEPOSITION, L"Position"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_INDEX_FILESIZE, L"Size"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, L"Priority"); if (KsiLevel() >= KphLevelMed) { PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_INDEX_FILEDRIVER, L"Driver"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_FILE, PH_HANDLE_GENERAL_INDEX_FILEDRIVERIMAGE, L"Driver Image"); } } else if (PhEqualStringRef2(&Context->HandleItem->TypeName->sr, L"Section", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECTION, L"Section information"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECTION, PH_HANDLE_GENERAL_INDEX_SECTIONTYPE, L"Type"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECTION, PH_HANDLE_GENERAL_INDEX_SECTIONFILE, L"File"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SECTION, PH_HANDLE_GENERAL_INDEX_SECTIONSIZE, L"Size"); } else if (PhEqualStringRef2(&Context->HandleItem->TypeName->sr, L"Mutant", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_MUTANT, L"Mutant information"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_MUTANT, PH_HANDLE_GENERAL_INDEX_MUTANTCOUNT, L"Count"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_MUTANT, PH_HANDLE_GENERAL_INDEX_MUTANTABANDONED, L"Abandoned"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_MUTANT, PH_HANDLE_GENERAL_INDEX_MUTANTOWNER, L"Owner"); } else if (PhEqualStringRef2(&Context->HandleItem->TypeName->sr, L"Process", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, L"Process information"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADNAME, L"Name"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADCREATETIME, L"Created"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITTIME, L"Exited"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITCODE, L"Exit status"); } else if (PhEqualStringRef2(&Context->HandleItem->TypeName->sr, L"Thread", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, L"Thread information"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADNAME, L"Name"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADCREATETIME, L"Created"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITTIME, L"Exited"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITCODE, L"Exit status"); } else if (PhEqualStringRef2(&Context->HandleItem->TypeName->sr, L"SymbolicLink", TRUE)) { PhListView_AddGroup(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SYMBOLICLINK, L"Symbolic Link information"); PhAddHandleListViewItem(Context->ListViewClass, PH_HANDLE_GENERAL_CATEGORY_SYMBOLICLINK, PH_HANDLE_GENERAL_INDEX_SYMBOLICLINKLINK, L"Link target"); } } VOID PhpUpdateHandleGeneral( _In_ PHANDLE_PROPERTIES_CONTEXT Context ) { HANDLE processHandle; // Name, FullName if (PhpIsVerboseBestObjectName(Context->HandleItem) && !PhIsNullOrEmptyString(Context->HandleItem->ObjectName)) { PPH_STRING objectName; objectName = PhGetBaseName(Context->HandleItem->ObjectName); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_NAME, 1, PhGetStringOrEmpty(objectName)); PhClearReference(&objectName); objectName = PhReferenceObject(Context->HandleItem->ObjectName); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FULLNAME, 1, PhGetStringOrEmpty(objectName)); PhClearReference(&objectName); } else if (!PhIsNullOrEmptyString(Context->HandleItem->BestObjectName)) { PPH_STRING objectName; objectName = PhGetBaseName(Context->HandleItem->BestObjectName); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_NAME, 1, PhGetStringOrEmpty(objectName)); PhClearReference(&objectName); objectName = PhReferenceObject(Context->HandleItem->BestObjectName); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FULLNAME, 1, PhGetStringOrEmpty(objectName)); PhClearReference(&objectName); } // Type PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_TYPE, 1, PhGetStringOrEmpty(Context->HandleItem->TypeName)); // Address if (Context->HandleItem->Object) { WCHAR string[PH_INT64_STR_LEN_1]; PhPrintPointer(string, Context->HandleItem->Object); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_OBJECT, 1, string); } else { if (PhGetIntegerSetting(SETTING_ENABLE_HANDLE_SNAPSHOT)) PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_OBJECT, 1, L"N/A (snapshot)"); else PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_OBJECT, 1, L"N/A"); } // AccessMask (Symbolic) { PPH_ACCESS_ENTRY accessEntries; ULONG numberOfAccessEntries; if (PhGetAccessEntries( PhGetStringOrEmpty(Context->HandleItem->TypeName), &accessEntries, &numberOfAccessEntries )) { PPH_STRING accessString; if (accessString = PH_AUTO(PhGetAccessString( Context->HandleItem->GrantedAccess, accessEntries, numberOfAccessEntries ))) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ACCESSS, 1, PhGetString(accessString)); } else { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ACCESSS, 1, L"N/A"); } PhFree(accessEntries); } else { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ACCESSS, 1, L"N/A"); } } // AccessMask (Generic) { PPH_STRING genericString = NULL; GENERIC_MAPPING genericMapping; if (Context->HandleItem->TypeName && NT_SUCCESS(PhGetObjectTypeMask( &Context->HandleItem->TypeName->sr, &genericMapping ))) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 64); if (FlagOn(Context->HandleItem->GrantedAccess, genericMapping.GenericRead)) PhAppendStringBuilder2(&stringBuilder, L"Read, "); if (FlagOn(Context->HandleItem->GrantedAccess, genericMapping.GenericWrite)) PhAppendStringBuilder2(&stringBuilder, L"Write, "); if (FlagOn(Context->HandleItem->GrantedAccess, genericMapping.GenericExecute)) PhAppendStringBuilder2(&stringBuilder, L"Execute, "); if (FlagOn(Context->HandleItem->GrantedAccess, genericMapping.GenericAll)) PhAppendStringBuilder2(&stringBuilder, L"All, "); if (PhEndsWithStringRef2(&stringBuilder.String->sr, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); genericString = PH_AUTO(PhFinalStringBuilderString(&stringBuilder)); } if (!PhIsNullOrEmptyString(genericString)) PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ACCESSGENERIC, 1, PhGetString(genericString)); else PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ACCESSGENERIC, 1, L"N/A"); } // AccessMask (Hex) { WCHAR string[PH_INT64_STR_LEN_1]; PhPrintPointer(string, UlongToPtr(Context->HandleItem->GrantedAccess)); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ACCESSMASK, 1, string); } // AccessMask (SDDL) { NTSTATUS status; PPH_STRING handleSddlString; status = PhGetObjectSecurityDescriptorAsString( Context->HandleItem->Handle, &handleSddlString ); if (NT_SUCCESS(status)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SDDL, 1, PhGetString(handleSddlString)); PhDereferenceObject(handleSddlString); } else { WCHAR string[PH_INT64_STR_LEN_1]; PhPrintPointer(string, UlongToPtr(status)); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SDDL, 1, string); } } if (NT_SUCCESS(PhOpenProcess( &processHandle, (KsiLevel() >= KphLevelMed ? PROCESS_QUERY_LIMITED_INFORMATION : PROCESS_DUP_HANDLE), Context->ProcessId ))) { OBJECT_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhGetHandleInformation( processHandle, Context->HandleItem->Handle, ULONG_MAX, &basicInfo, NULL, NULL, NULL ))) { WCHAR string[PH_INT64_STR_LEN_1]; PhPrintUInt32(string, basicInfo.PointerCount); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_REFERENCES, 1, string); PhPrintUInt32(string, basicInfo.HandleCount); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_HANDLES, 1, string); PhPrintUInt32(string, basicInfo.PagedPoolCharge); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PAGED, 1, string); PhPrintUInt32(string, basicInfo.NonPagedPoolCharge); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_NONPAGED, 1, string); } NtClose(processHandle); } if (PhIsNullOrEmptyString(Context->HandleItem->TypeName)) { NOTHING; } else if (PhEqualString2(Context->HandleItem->TypeName, L"ALPC Port", TRUE)) { NTSTATUS status; if (KsiLevel() >= KphLevelMed && NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Context->ProcessId ))) { // // TODO this path doesn't use all the ALPC info returned yet // see: KPH_ALPC_BASIC_INFORMATION.State // KPH_ALPC_BASIC_INFORMATION basicInfo; PKPH_ALPC_COMMUNICATION_NAMES_INFORMATION connectionNames; KPH_ALPC_COMMUNICATION_INFORMATION connectionInfo; if (NT_SUCCESS(KphAlpcQueryInformation( processHandle, Context->HandleItem->Handle, KphAlpcBasicInformation, &basicInfo, sizeof(basicInfo), NULL ))) { PH_FORMAT format[5]; PPH_STRING alpcFlagsString; WCHAR string[PH_INT64_STR_LEN_1]; alpcFlagsString = PhGetAccessString( basicInfo.Flags, (PPH_ACCESS_ENTRY)AlpcFlags, RTL_NUMBER_OF(AlpcFlags) ); PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], basicInfo.Flags); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], alpcFlagsString->sr); PhInitFormatS(&format[4], L")"); PhMoveReference(&alpcFlagsString, PhFormat(format, RTL_NUMBER_OF(format), 40)); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FLAGS, 1, PhGetString(alpcFlagsString)); PhDereferenceObject(alpcFlagsString); PhPrintUInt32(string, basicInfo.SequenceNo); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SEQUENCENUMBER, 1, string); PhPrintPointer(string, basicInfo.PortContext); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PORTCONTEXT, 1, string); } if (!NT_SUCCESS(KphAlpcQueryCommunicationsNamesInfo( processHandle, Context->HandleItem->Handle, &connectionNames))) { connectionNames = NULL; } if (NT_SUCCESS(KphAlpcQueryInformation( processHandle, Context->HandleItem->Handle, KphAlpcCommunicationInformation, &connectionInfo, sizeof(connectionInfo), NULL ))) { CLIENT_ID clientId; PPH_STRING name; if (connectionInfo.ConnectionPort.OwnerProcessId) { clientId.UniqueProcess = connectionInfo.ConnectionPort.OwnerProcessId; clientId.UniqueThread = 0; name = PhStdGetClientIdName(&clientId); if (connectionNames && connectionNames->ConnectionPort.Length > 0) { PPH_STRING newName; PH_FORMAT format[3]; PhInitFormatSR(&format[0], name->sr); PhInitFormatS(&format[1], L" - "); PhInitFormatUCS(&format[2], &connectionNames->ConnectionPort); newName = PhFormat(format, 3, MAX_PATH); PhDereferenceObject(name); name = newName; } PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ALPCCONNECTION, 1, name->Buffer); PhDereferenceObject(name); } if (connectionInfo.ServerCommunicationPort.OwnerProcessId) { clientId.UniqueProcess = connectionInfo.ServerCommunicationPort.OwnerProcessId; clientId.UniqueThread = 0; name = PhStdGetClientIdName(&clientId); if (connectionNames && connectionNames->ServerCommunicationPort.Length > 0) { PPH_STRING newName; PH_FORMAT format[3]; PhInitFormatSR(&format[0], name->sr); PhInitFormatS(&format[1], L" - "); PhInitFormatUCS(&format[2], &connectionNames->ServerCommunicationPort); newName = PhFormat(format, 3, MAX_PATH); PhDereferenceObject(name); name = newName; } PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ALPCSERVER, 1, name->Buffer); PhDereferenceObject(name); } if (connectionInfo.ClientCommunicationPort.OwnerProcessId) { clientId.UniqueProcess = connectionInfo.ClientCommunicationPort.OwnerProcessId; clientId.UniqueThread = 0; name = PhStdGetClientIdName(&clientId); if (connectionNames && connectionNames->ClientCommunicationPort.Length > 0) { PPH_STRING newName; PH_FORMAT format[3]; PhInitFormatSR(&format[0], name->sr); PhInitFormatS(&format[1], L" - "); PhInitFormatUCS(&format[2], &connectionNames->ClientCommunicationPort); newName = PhFormat(format, 3, MAX_PATH); PhDereferenceObject(name); name = newName; } PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ALPCCLIENT, 1, name->Buffer); PhDereferenceObject(name); } if (connectionNames) PhFree(connectionNames); NtClose(processHandle); } else { HANDLE alpcPortHandle = NULL; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->ProcessId ))) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), &alpcPortHandle, READ_CONTROL, 0, 0 ); NtClose(processHandle); } if (NT_SUCCESS(status) && alpcPortHandle) { ALPC_BASIC_INFORMATION alpcBasicInfo; if (NT_SUCCESS(NtAlpcQueryInformation( alpcPortHandle, AlpcBasicInformation, &alpcBasicInfo, sizeof(ALPC_BASIC_INFORMATION), NULL ))) { PH_FORMAT format[5]; PPH_STRING alpcFlagsString; WCHAR string[PH_INT64_STR_LEN_1]; alpcFlagsString = PhGetAccessString( alpcBasicInfo.Flags, (PPH_ACCESS_ENTRY)AlpcFlags, RTL_NUMBER_OF(AlpcFlags) ); PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], alpcBasicInfo.Flags); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], alpcFlagsString->sr); PhInitFormatS(&format[4], L")"); PhMoveReference(&alpcFlagsString, PhFormat(format, RTL_NUMBER_OF(format), 40)); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FLAGS, 1, PhGetString(alpcFlagsString)); PhDereferenceObject(alpcFlagsString); PhPrintUInt32(string, basicInfo.SequenceNo); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SEQUENCENUMBER, 1, string); PhPrintPointer(string, basicInfo.PortContext); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PORTCONTEXT, 1, string); } if (WindowsVersion >= WINDOWS_10_19H2) { ALPC_SERVER_SESSION_INFORMATION serverInfo; if (NT_SUCCESS(NtAlpcQueryInformation( alpcPortHandle, AlpcServerSessionInformation, &serverInfo, sizeof(ALPC_SERVER_SESSION_INFORMATION), NULL ))) { CLIENT_ID clientId; PPH_STRING name; clientId.UniqueProcess = UlongToHandle(serverInfo.ProcessId); clientId.UniqueThread = NULL; name = PhGetClientIdName(&clientId); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ALPCOWNER, 1, name->Buffer); PhDereferenceObject(name); } } NtClose(alpcPortHandle); } } } } else if (PhEqualString2(Context->HandleItem->TypeName, L"EtwRegistration", TRUE)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_ETWORIGINALNAME, 1, PhGetString(Context->HandleItem->ObjectName)); } else if (PhEqualString2(Context->HandleItem->TypeName, L"File", TRUE)) { NTSTATUS status; if (KsiLevel() >= KphLevelMed && NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Context->ProcessId ))) { BOOLEAN isFileOrDirectory = FALSE; BOOLEAN isConsoleHandle = FALSE; FILE_FS_DEVICE_INFORMATION fileDeviceInfo; FILE_MODE_INFORMATION fileModeInfo; FILE_STANDARD_INFORMATION fileStandardInfo; FILE_POSITION_INFORMATION filePositionInfo; FILE_IO_PRIORITY_HINT_INFORMATION_EX priorityInfo; IO_STATUS_BLOCK isb; HANDLE fileObjectDriver; if (NT_SUCCESS(KphQueryVolumeInformationFile( processHandle, Context->HandleItem->Handle, FileFsDeviceInformation, &fileDeviceInfo, sizeof(FILE_FS_DEVICE_INFORMATION), &isb ))) { switch (fileDeviceInfo.DeviceType) { case FILE_DEVICE_NAMED_PIPE: //isPipeHandle = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Pipe"); break; case FILE_DEVICE_NETWORK: //isNetworkHandle = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Network"); break; case FILE_DEVICE_CD_ROM: case FILE_DEVICE_CD_ROM_FILE_SYSTEM: case FILE_DEVICE_CONTROLLER: case FILE_DEVICE_DATALINK: case FILE_DEVICE_DFS: case FILE_DEVICE_DISK: case FILE_DEVICE_DISK_FILE_SYSTEM: case FILE_DEVICE_VIRTUAL_DISK: isFileOrDirectory = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"File or directory"); break; case FILE_DEVICE_CONSOLE: isConsoleHandle = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Console"); break; default: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Other"); break; } } // Note: These devices deadlock without a timeout (dmex) // 1) Named pipes // 2) \Device\ConDrv\CurrentIn // 3) \Device\VolMgrControl if (NT_SUCCESS(status = PhCallKphQueryFileInformationWithTimeout( processHandle, Context->HandleItem->Handle, FileModeInformation, &fileModeInfo, sizeof(FILE_MODE_INFORMATION) ))) { PH_FORMAT format[5]; PPH_STRING fileModeAccessStr; WCHAR fileModeString[MAX_PATH]; // Since FILE_MODE_INFORMATION has no flag for asynchronous I/O we should use our own flag and set // it only if none of synchronous flags are present. That's why we need PhFileModeUpdAsyncFlag. fileModeAccessStr = PhGetAccessString( PhFileModeUpdAsyncFlag(fileModeInfo.Mode), (PPH_ACCESS_ENTRY)FileModeAccessEntries, RTL_NUMBER_OF(FileModeAccessEntries) ); PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], fileModeInfo.Mode); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], fileModeAccessStr->sr); PhInitFormatS(&format[4], L")"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), fileModeString, sizeof(fileModeString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEMODE, 1, fileModeString); } PhDereferenceObject(fileModeAccessStr); } if (!isConsoleHandle) { if (NT_SUCCESS(status = PhCallKphQueryFileInformationWithTimeout( processHandle, Context->HandleItem->Handle, FileStandardInformation, &fileStandardInfo, sizeof(FILE_STANDARD_INFORMATION) ))) { PH_FORMAT format[1]; WCHAR fileSizeString[PH_INT64_STR_LEN]; PhInitFormatSize(&format[0], fileStandardInfo.EndOfFile.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), fileSizeString, sizeof(fileSizeString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILESIZE, 1, fileSizeString); } if (isFileOrDirectory) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, fileStandardInfo.Directory ? L"Directory" : L"File"); } //disableFlushButton |= fileStandardInfo.Directory; } if (NT_SUCCESS(status = PhCallKphQueryFileInformationWithTimeout( processHandle, Context->HandleItem->Handle, FilePositionInformation, &filePositionInfo, sizeof(FILE_POSITION_INFORMATION) ))) { if (filePositionInfo.CurrentByteOffset.QuadPart != 0 && fileStandardInfo.EndOfFile.QuadPart != 0) { PH_FORMAT format[4]; WCHAR filePositionString[PH_INT64_STR_LEN]; PhInitFormatI64UGroupDigits(&format[0], filePositionInfo.CurrentByteOffset.QuadPart); PhInitFormatS(&format[1], L" ("); PhInitFormatF(&format[2], (FLOAT)filePositionInfo.CurrentByteOffset.QuadPart / fileStandardInfo.EndOfFile.QuadPart * 100.f, 1); PhInitFormatS(&format[3], L"%)"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), filePositionString, sizeof(filePositionString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPOSITION, 1, filePositionString); } } else if (filePositionInfo.CurrentByteOffset.QuadPart != 0) { PH_FORMAT format[1]; WCHAR filePositionString[PH_INT64_STR_LEN]; PhInitFormatI64UGroupDigits(&format[0], filePositionInfo.CurrentByteOffset.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), filePositionString, sizeof(filePositionString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPOSITION, 1, filePositionString); } } } } if (NT_SUCCESS(status = PhCallKphQueryFileInformationWithTimeout( processHandle, Context->HandleItem->Handle, FileIoPriorityHintInformation, &priorityInfo, sizeof(priorityInfo) ))) { switch (priorityInfo.PriorityHint) { case IoPriorityVeryLow: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Very Low"); break; case IoPriorityLow: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Low"); break; case IoPriorityNormal: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Normal"); break; case IoPriorityHigh: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"High"); break; case IoPriorityCritical: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Critical"); break; } } if (NT_SUCCESS(KphQueryInformationObject( processHandle, Context->HandleItem->Handle, KphObjectFileObjectDriver, &fileObjectDriver, sizeof(HANDLE), NULL ))) { PPH_STRING driverName; if (NT_SUCCESS(PhGetDriverName(fileObjectDriver, &driverName))) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEDRIVER, 1, PhGetString(driverName)); PhDereferenceObject(driverName); } if (NT_SUCCESS(PhGetDriverImageFileName(fileObjectDriver, &driverName))) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEDRIVERIMAGE, 1, PhGetString(driverName)); PhDereferenceObject(driverName); } NtClose(fileObjectDriver); } NtClose(processHandle); } else { HANDLE fileHandle = NULL; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->ProcessId ))) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), &fileHandle, FILE_READ_ACCESS | SYNCHRONIZE, 0, 0 ); if (!NT_SUCCESS(status)) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), &fileHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, 0, 0 ); } //if (!NT_SUCCESS(status)) //{ // status = NtDuplicateObject( // processHandle, // Context->HandleItem->Handle, // NtCurrentProcess(), // &fileHandle, // MAXIMUM_ALLOWED | SYNCHRONIZE, // 0, // 0 // ); //} if (!NT_SUCCESS(status)) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), &fileHandle, 0, 0, DUPLICATE_SAME_ACCESS ); if (NT_SUCCESS(status)) { HANDLE newhandle; if (NT_SUCCESS(PhReOpenFile( &newhandle, fileHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_SHARE_READ, 0 ))) { NtClose(fileHandle); fileHandle = newhandle; } } } NtClose(processHandle); } if (NT_SUCCESS(status) && fileHandle) { //BOOLEAN disableFlushButton = FALSE; BOOLEAN isFileOrDirectory = FALSE; BOOLEAN isConsoleHandle = FALSE; //BOOLEAN isPipeHandle = FALSE; //BOOLEAN isNetworkHandle = FALSE; FILE_FS_DEVICE_INFORMATION fileDeviceInfo; FILE_MODE_INFORMATION fileModeInfo; FILE_STANDARD_INFORMATION fileStandardInfo; FILE_POSITION_INFORMATION filePositionInfo; FILE_IO_PRIORITY_HINT_INFORMATION_EX priorityInfo; IO_STATUS_BLOCK isb; if (NT_SUCCESS(NtQueryVolumeInformationFile( fileHandle, &isb, &fileDeviceInfo, sizeof(FILE_FS_DEVICE_INFORMATION), FileFsDeviceInformation ))) { switch (fileDeviceInfo.DeviceType) { case FILE_DEVICE_NAMED_PIPE: //isPipeHandle = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Pipe"); break; case FILE_DEVICE_NETWORK: //isNetworkHandle = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Network"); break; case FILE_DEVICE_CD_ROM: case FILE_DEVICE_CD_ROM_FILE_SYSTEM: case FILE_DEVICE_CONTROLLER: case FILE_DEVICE_DATALINK: case FILE_DEVICE_DFS: case FILE_DEVICE_DISK: case FILE_DEVICE_DISK_FILE_SYSTEM: case FILE_DEVICE_VIRTUAL_DISK: isFileOrDirectory = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"File or directory"); break; case FILE_DEVICE_CONSOLE: isConsoleHandle = TRUE; PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Console"); break; default: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, L"Other"); break; } } // Note: These devices deadlock without a timeout (dmex) // 1) Named pipes // 2) \Device\ConDrv\CurrentIn // 3) \Device\VolMgrControl if (NT_SUCCESS(status = PhCallNtQueryFileInformationWithTimeout( fileHandle, FileModeInformation, &fileModeInfo, sizeof(FILE_MODE_INFORMATION) ))) { PH_FORMAT format[5]; PPH_STRING fileModeAccessStr; WCHAR fileModeString[MAX_PATH]; // Since FILE_MODE_INFORMATION has no flag for asynchronous I/O we should use our own flag and set // it only if none of synchronous flags are present. That's why we need PhFileModeUpdAsyncFlag. fileModeAccessStr = PhGetAccessString( PhFileModeUpdAsyncFlag(fileModeInfo.Mode), (PPH_ACCESS_ENTRY)FileModeAccessEntries, RTL_NUMBER_OF(FileModeAccessEntries) ); PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], fileModeInfo.Mode); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], fileModeAccessStr->sr); PhInitFormatS(&format[4], L")"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), fileModeString, sizeof(fileModeString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEMODE, 1, fileModeString); } PhDereferenceObject(fileModeAccessStr); } if (!isConsoleHandle) { if (NT_SUCCESS(status = PhCallNtQueryFileInformationWithTimeout( fileHandle, FileStandardInformation, &fileStandardInfo, sizeof(FILE_STANDARD_INFORMATION) ))) { PH_FORMAT format[1]; WCHAR fileSizeString[PH_INT64_STR_LEN]; PhInitFormatSize(&format[0], fileStandardInfo.EndOfFile.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), fileSizeString, sizeof(fileSizeString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILESIZE, 1, fileSizeString); } if (isFileOrDirectory) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILETYPE, 1, fileStandardInfo.Directory ? L"Directory" : L"File"); } //disableFlushButton |= fileStandardInfo.Directory; } if (NT_SUCCESS(status = PhCallNtQueryFileInformationWithTimeout( fileHandle, FilePositionInformation, &filePositionInfo, sizeof(FILE_POSITION_INFORMATION) ))) { if (fileStandardInfo.EndOfFile.QuadPart != 0) { PH_FORMAT format[4]; WCHAR filePositionString[PH_INT64_STR_LEN]; PhInitFormatI64UGroupDigits(&format[0], filePositionInfo.CurrentByteOffset.QuadPart); PhInitFormatS(&format[1], L" ("); PhInitFormatF(&format[2], (FLOAT)filePositionInfo.CurrentByteOffset.QuadPart / fileStandardInfo.EndOfFile.QuadPart * 100.f, 1); PhInitFormatS(&format[3], L"%)"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), filePositionString, sizeof(filePositionString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPOSITION, 1, filePositionString); } } else { PH_FORMAT format[1]; WCHAR filePositionString[PH_INT64_STR_LEN]; PhInitFormatI64UGroupDigits(&format[0], filePositionInfo.CurrentByteOffset.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), filePositionString, sizeof(filePositionString), NULL)) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPOSITION, 1, filePositionString); } } } } if (NT_SUCCESS(status = PhCallNtQueryFileInformationWithTimeout( fileHandle, FileIoPriorityHintInformation, &priorityInfo, sizeof(priorityInfo) ))) { switch (priorityInfo.PriorityHint) { case IoPriorityVeryLow: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Very Low"); break; case IoPriorityLow: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Low"); break; case IoPriorityNormal: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Normal"); break; case IoPriorityHigh: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"High"); break; case IoPriorityCritical: PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_FILEPRIORITY, 1, L"Critical"); break; } } NtClose(fileHandle); } } } else if (PhEqualString2(Context->HandleItem->TypeName, L"Section", TRUE)) { NTSTATUS status; SECTION_BASIC_INFORMATION basicInfo = { NULL }; PPH_STRING fileName = NULL; if (KsiLevel() >= KphLevelMed && NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Context->ProcessId ))) { ULONG bufferSize; ULONG returnLength; PUNICODE_STRING buffer; NTSTATUS status2; returnLength = 0; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = KphQueryInformationObject( processHandle, Context->HandleItem->Handle, KphObjectSectionBasicInformation, &basicInfo, sizeof(basicInfo), NULL ); status2 = KphQueryInformationObject( processHandle, Context->HandleItem->Handle, KphObjectSectionFileName, buffer, bufferSize, &returnLength ); if (status2 == STATUS_BUFFER_OVERFLOW && returnLength > 0) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(returnLength); status2 = KphQueryInformationObject( processHandle, Context->HandleItem->Handle, KphObjectSectionFileName, buffer, bufferSize, &returnLength ); } if (NT_SUCCESS(status2)) { fileName = PhCreateStringFromUnicodeString(buffer); } PhFree(buffer); NtClose(processHandle); } else { HANDLE sectionHandle = NULL; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->ProcessId ))) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), §ionHandle, SECTION_QUERY | SECTION_MAP_READ, 0, 0 ); if (!NT_SUCCESS(status)) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), §ionHandle, SECTION_QUERY, 0, 0 ); } NtClose(processHandle); } if (NT_SUCCESS(status) && sectionHandle) { status = PhGetSectionBasicInformation(sectionHandle, &basicInfo); if (!NT_SUCCESS(PhGetSectionFileName(sectionHandle, &fileName))) { fileName = NULL; } NtClose(sectionHandle); } } if (NT_SUCCESS(status)) { PCWSTR sectionType = L"Unknown"; PPH_STRING sectionSize = NULL; if (FlagOn(basicInfo.AllocationAttributes, SEC_COMMIT)) sectionType = L"Commit"; else if (FlagOn(basicInfo.AllocationAttributes, SEC_FILE)) sectionType = L"File"; else if (FlagOn(basicInfo.AllocationAttributes, SEC_IMAGE)) sectionType = L"Image"; else if (FlagOn(basicInfo.AllocationAttributes, SEC_RESERVE)) sectionType = L"Reserve"; sectionSize = PhaFormatSize(basicInfo.MaximumSize.QuadPart, ULONG_MAX); if (fileName) { PhMoveReference(&fileName, PhGetFileName(fileName)); } PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SECTIONFILE, 1, PhGetStringOrDefault(fileName, L"N/A")); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SECTIONTYPE, 1, sectionType); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SECTIONSIZE, 1, PhGetStringOrDefault(sectionSize, L"Unknown")); } } else if (PhEqualString2(Context->HandleItem->TypeName, L"Mutant", TRUE)) { NTSTATUS status; HANDLE mutantHandle = NULL; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->ProcessId ))) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), &mutantHandle, SEMAPHORE_QUERY_STATE, 0, 0 ); NtClose(processHandle); } if (NT_SUCCESS(status) && mutantHandle) { MUTANT_BASIC_INFORMATION basicInfo; MUTANT_OWNER_INFORMATION ownerInfo; if (NT_SUCCESS(PhGetMutantBasicInformation(mutantHandle, &basicInfo))) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_MUTANTCOUNT, 1, PhaFormatUInt64(basicInfo.CurrentCount, TRUE)->Buffer); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_MUTANTABANDONED, 1, basicInfo.AbandonedState ? L"True" : L"False"); } if (NT_SUCCESS(PhGetMutantOwnerInformation(mutantHandle, &ownerInfo))) { PPH_STRING name; if (ownerInfo.ClientId.UniqueProcess) { name = PhGetClientIdName(&ownerInfo.ClientId); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_MUTANTOWNER, 1, name->Buffer); PhDereferenceObject(name); } } NtClose(mutantHandle); } } else if (PhEqualString2(Context->HandleItem->TypeName, L"Process", TRUE)) { NTSTATUS status; NTSTATUS exitStatus = STATUS_PENDING; PPH_STRING fileName = NULL; PROCESS_BASIC_INFORMATION basicInfo; KERNEL_USER_TIMES times; BOOLEAN haveTimes = FALSE; // TODO(jxy-s): Uncomment following code after next driver release (commented out as workaround for KphObjectProcessImageFileName memory leak) (dmex) //if (KsiLevel() >= KphLevelMed && NT_SUCCESS(PhOpenProcess( // &processHandle, // PROCESS_QUERY_LIMITED_INFORMATION, // Context->ProcessId // ))) //{ // ULONG bufferSize; // ULONG returnLength; // PUNICODE_STRING buffer; // NTSTATUS status2; // returnLength = 0; // bufferSize = 0x100; // buffer = PhAllocate(bufferSize); // if (NT_SUCCESS(KphQueryInformationObject( // processHandle, // Context->HandleItem->Handle, // KphObjectProcessBasicInformation, // &basicInfo, // sizeof(basicInfo), // NULL // ))) // { // exitStatus = basicInfo.ExitStatus; // } // haveTimes = NT_SUCCESS(KphQueryInformationObject( // processHandle, // Context->HandleItem->Handle, // KphObjectProcessTimes, // ×, // sizeof(times), // NULL // )); // status2 = KphQueryInformationObject( // processHandle, // Context->HandleItem->Handle, // KphObjectProcessImageFileName, // buffer, // bufferSize, // &returnLength // ); // if (status2 == STATUS_BUFFER_TOO_SMALL && returnLength > 0) // { // PhFree(buffer); // bufferSize = returnLength; // buffer = PhAllocate(returnLength); // status2 = KphQueryInformationObject( // processHandle, // Context->HandleItem->Handle, // KphObjectProcessImageFileName, // buffer, // bufferSize, // &returnLength // ); // } // if (NT_SUCCESS(status2)) // { // fileName = PhCreateStringFromUnicodeString(buffer); // PhMoveReference(&fileName, PhGetFileName(fileName)); // } // NtClose(processHandle); //} //else { HANDLE dupHandle = NULL; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->ProcessId ))) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), &dupHandle, PROCESS_QUERY_LIMITED_INFORMATION, 0, 0 ); NtClose(processHandle); } if (NT_SUCCESS(status) && dupHandle) { if (NT_SUCCESS(PhGetProcessImageFileName(dupHandle, &fileName))) { PhMoveReference(&fileName, PhGetFileName(fileName)); } if (NT_SUCCESS(PhGetProcessBasicInformation(dupHandle, &basicInfo))) { exitStatus = basicInfo.ExitStatus; } haveTimes = NT_SUCCESS(PhGetProcessTimes(dupHandle, ×)); NtClose(dupHandle); } } if (fileName) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADNAME, 1, PhGetStringOrEmpty(fileName)); PhDereferenceObject(fileName); } if (haveTimes) { SYSTEMTIME time; PhLargeIntegerToLocalSystemTime(&time, ×.CreateTime); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADCREATETIME, 1, PhaFormatDateTime(&time)->Buffer); if (exitStatus != STATUS_PENDING) { PhLargeIntegerToLocalSystemTime(&time, ×.ExitTime); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITTIME, 1, PhaFormatDateTime(&time)->Buffer); } } if (exitStatus != STATUS_PENDING) { PPH_STRING message; PPH_STRING exitcode; message = PhGetStatusMessage(exitStatus, 0); exitcode = PhFormatString(L"0x%x (%s)", exitStatus, PhGetStringOrDefault(message, L"Unknown")); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITCODE, 1, PhGetStringOrEmpty(exitcode)); PhClearReference(&exitcode); PhClearReference(&message); } } else if (PhEqualString2(Context->HandleItem->TypeName, L"Thread", TRUE)) { NTSTATUS status; BOOLEAN isTerminated = FALSE; PPH_STRING name = NULL; KERNEL_USER_TIMES times; NTSTATUS exitStatus = STATUS_PENDING; if (KsiLevel() >= KphLevelMed && NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Context->ProcessId ))) { PPH_STRING threadName; ULONG threadIsTerminated; THREAD_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(KphQueryObjectThreadName( processHandle, Context->HandleItem->Handle, &threadName ))) { name = threadName; } if (NT_SUCCESS(KphQueryInformationObject( processHandle, Context->HandleItem->Handle, KphObjectThreadIsTerminated, &threadIsTerminated, sizeof(threadIsTerminated), NULL ))) { isTerminated = !!threadIsTerminated; } if (isTerminated && NT_SUCCESS(KphQueryInformationObject( processHandle, Context->HandleItem->Handle, KphObjectThreadBasicInformation, &basicInfo, sizeof(basicInfo), NULL ))) { exitStatus = basicInfo.ExitStatus; } status = KphQueryInformationObject( processHandle, Context->HandleItem->Handle, KphObjectThreadTimes, ×, sizeof(times), NULL ); NtClose(processHandle); } else { HANDLE dupHandle = NULL; PPH_STRING threadName; THREAD_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->ProcessId ))) { status = NtDuplicateObject( processHandle, Context->HandleItem->Handle, NtCurrentProcess(), &dupHandle, THREAD_QUERY_LIMITED_INFORMATION, 0, 0 ); NtClose(processHandle); } if (NT_SUCCESS(status) && dupHandle) { if (NT_SUCCESS(PhGetThreadName(dupHandle, &threadName))) { name = threadName; } PhGetThreadIsTerminated(dupHandle, &isTerminated); if (isTerminated && NT_SUCCESS(PhGetThreadBasicInformation(dupHandle, &basicInfo))) { exitStatus = basicInfo.ExitStatus; } status = PhGetThreadTimes(dupHandle, ×); NtClose(dupHandle); } } if (name) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADNAME, 1, PhGetStringOrEmpty(name)); PhDereferenceObject(name); } if (isTerminated) { PPH_STRING message; PPH_STRING exitcode; message = PhGetStatusMessage(exitStatus, 0); exitcode = PhFormatString(L"0x%x (%s)", exitStatus, PhGetStringOrDefault(message, L"Unknown")); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITCODE, 1, PhGetStringOrEmpty(exitcode)); PhClearReference(&exitcode); PhClearReference(&message); } if (NT_SUCCESS(status)) { SYSTEMTIME time; PhLargeIntegerToLocalSystemTime(&time, ×.CreateTime); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADCREATETIME, 1, PhaFormatDateTime(&time)->Buffer); if (isTerminated) { PhLargeIntegerToLocalSystemTime(&time, ×.ExitTime); PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITTIME, 1, PhaFormatDateTime(&time)->Buffer); } } } else if (PhEqualString2(Context->HandleItem->TypeName, L"SymbolicLink", TRUE)) { PPH_STRING linkTarget; if (!PhIsNullOrEmptyString(Context->HandleItem->ObjectName) && NT_SUCCESS(PhQuerySymbolicLinkObject(&linkTarget, NULL, &Context->HandleItem->ObjectName->sr))) { PhSetHandleListViewItem(Context, PH_HANDLE_GENERAL_INDEX_SYMBOLICLINKLINK, 1, PhGetStringOrEmpty(linkTarget)); PhDereferenceObject(linkTarget); } } } INT_PTR CALLBACK PhpHandleGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PHANDLE_PROPERTIES_CONTEXT context; if (uMsg == WM_INITDIALOG) { LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam; context = (PHANDLE_PROPERTIES_CONTEXT)propSheetPage->lParam; PhSetDialogContext(hwndDlg, context); } else { context = PhGetDialogContext(hwndDlg); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(context->ParentWindow); context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); context->ParentWindow = GetParent(hwndDlg); context->ListViewClass = PhListView_Initialize(context->ListViewHandle); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 120, L"Name"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 250, L"Value"); PhSetExtendedListView(context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); if (PhValidWindowPlacementFromSetting(SETTING_HANDLE_PROPERTIES_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_HANDLE_PROPERTIES_WINDOW_POSITION, NULL, context->ParentWindow); else PhCenterWindow(context->ParentWindow, GetParent(context->ParentWindow)); // HACK PhpUpdateHandleGeneralListViewGroups(context); PhpUpdateHandleGeneral(context); PhRegisterWindowCallback(context->ParentWindow, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); if (PhPluginsEnabled) { PPH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT Context; Context = (PPH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT)context; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackHandlePropertiesWindowInitialized), Context); } if (PhEnableThemeSupport) // TODO: Required for compat (dmex) PhInitializeWindowTheme(context->ParentWindow, PhEnableThemeSupport); else PhInitializeWindowTheme(hwndDlg, FALSE); } break; case WM_DESTROY: { PhUnregisterWindowCallback(context->ParentWindow); PhSaveWindowPlacementToSetting(SETTING_HANDLE_PROPERTIES_WINDOW_POSITION, NULL, context->ParentWindow); PhDeleteLayoutManager(&context->LayoutManager); PhListView_Destroy(context->ListViewClass); PhRemoveDialogContext(hwndDlg); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); ExtendedListView_SetColumnWidth(context->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; PhHandleListViewNotifyBehaviors(lParam, context->ListViewHandle, PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)context->ListViewHandle); return TRUE; } REFLECT_MESSAGE_DLG(hwndDlg, context->ListViewHandle, uMsg, wParam, lParam); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID *listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; HANDLE_MSG(hwndDlg, WM_CTLCOLORBTN, PhWindowThemeControlColor); HANDLE_MSG(hwndDlg, WM_CTLCOLORDLG, PhWindowThemeControlColor); HANDLE_MSG(hwndDlg, WM_CTLCOLORSTATIC, PhWindowThemeControlColor); } return FALSE; } VOID PhAddStatusPermissionsTrustee( _In_ PHANDLE_PERMISSIONS_CONTEXT Context, _In_ HWND ListViewHandle, _In_ NTSTATUS status, _In_ ULONG Index ) { //LONG index = PhAddListViewItem(ListViewHandle, MAXINT, Message, NULL); //PhSetListViewSubItem(ListViewHandle, index, 1, L"N/A"); //PhSetListViewSubItem(ListViewHandle, index, 2, L"N/A"); //if (!NT_SUCCESS(status)) { PPH_STRING string; string = PhGetNtMessage(status); PhMoveReference(&string, PhFormatString(L"0x%x: %s", status, PhGetStringOrDefault(string, L"N/A") )); PhSetListViewSubItem(ListViewHandle, 1, 1, PhGetString(string)); //PhSetListViewSubItem(ListViewHandle, 2, 1, PhGetString(string)); //PhSetListViewSubItem(ListViewHandle, 3, 1, PhGetString(string)); PhClearReference(&string); } } VOID PhAddHandlePermissionsTrustee( _In_ PHANDLE_PERMISSIONS_CONTEXT Context, _In_ HWND ListViewHandle, _In_ PSID TrusteeSid, _In_ ACCESS_MASK TrusteeMask, _In_ ULONG Index ) { LONG index; PPH_ACCESS_ENTRY accessEntries; ULONG numberOfAccessEntries; PPH_STRING string; SID_NAME_USE sidNameUse; if (string = PhGetSidFullName(TrusteeSid, FALSE, &sidNameUse)) { switch (sidNameUse) { case SidTypeUser: case SidTypeLogonSession: case SidTypeDeletedAccount: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (User)")); break; case SidTypeAlias: case SidTypeGroup: case SidTypeWellKnownGroup: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (Group)")); break; case SidTypeDomain: case SidTypeComputer: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (Computer)")); break; } } else if (string = PhGetAppContainerPackageName(TrusteeSid)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_PACKAGE)")); } else if (string = PhGetAppContainerName(TrusteeSid)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_CONTAINER)")); } else if (string = PhGetCapabilitySidName(TrusteeSid)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_CAPABILITY)")); } if (Index) { index = Index; PhSetListViewSubItem(ListViewHandle, Index, 1, PhGetStringOrDefault(string, L"N/A")); } else { index = PhAddListViewItem( ListViewHandle, MAXINT, PhGetStringOrDefault(string, L"N/A"), NULL ); PhSetListViewSubItem(ListViewHandle, index, 1, L"Allow"); } if (PhGetAccessEntries( PhGetStringOrEmpty(Context->HandleProperties->HandleItem->TypeName), &accessEntries, &numberOfAccessEntries )) { PPH_STRING accessString; if (accessString = PH_AUTO(PhGetAccessString( TrusteeMask, accessEntries, numberOfAccessEntries ))) { PhSetListViewSubItem(Context->ListViewHandle, index, 2, PhGetStringOrEmpty(accessString)); } else { PhSetListViewSubItem(Context->ListViewHandle, index, 2, L"N/A"); } PhFree(accessEntries); } } VOID PhUpdateHandlePermissionsOwnerSecurity( _In_ PHANDLE_PERMISSIONS_CONTEXT Context, _In_ HANDLE QueryHandle ) { NTSTATUS status; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentOwnerDefaulted; PACL currentOwner; status = PhGetObjectSecurity( QueryHandle, OWNER_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (NT_SUCCESS(status)) { status = PhGetOwnerSecurityDescriptor( currentSecurityDescriptor, ¤tOwner, ¤tOwnerDefaulted ); if (NT_SUCCESS(status)) { if (currentOwner) { PPH_STRING string; SID_NAME_USE sidNameUse; if (string = PhGetSidFullName(currentOwner, FALSE, &sidNameUse)) { switch (sidNameUse) { case SidTypeUser: case SidTypeLogonSession: case SidTypeDeletedAccount: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (User)")); break; case SidTypeAlias: case SidTypeGroup: case SidTypeWellKnownGroup: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (Group)")); break; case SidTypeDomain: case SidTypeComputer: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (Computer)")); break; } } else if (string = PhGetAppContainerPackageName(currentOwner)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_PACKAGE)")); } else if (string = PhGetAppContainerName(currentOwner)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_CONTAINER)")); } else if (string = PhGetCapabilitySidName(currentOwner)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_CAPABILITY)")); } PhSetListViewSubItem(Context->ListViewHeader, 0, 1, PhGetStringOrDefault(string, L"N/A")); PhClearReference(&string); } else { PhSetListViewSubItem(Context->ListViewHeader, 0, 1, L"NULL"); } } else { PPH_STRING string = PhGetNtMessage(status);; PhSetListViewSubItem(Context->ListViewHeader, 0, 1, PH_AUTO_T(PH_STRING, PhFormatString( L"0x%x: %s", status, PhGetStringOrEmpty(string)))->Buffer); PhClearReference(&string); } PhFree(currentSecurityDescriptor); } else { PPH_STRING string = PhGetNtMessage(status);; PhSetListViewSubItem(Context->ListViewHeader, 0, 1, PH_AUTO_T(PH_STRING, PhFormatString( L"0x%x: %s", status, PhGetStringOrEmpty(string)))->Buffer); PhClearReference(&string); } } VOID PhUpdateHandlePermissionsGroupSecurity( _In_ PHANDLE_PERMISSIONS_CONTEXT Context, _In_ HANDLE QueryHandle ) { NTSTATUS status; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentGroupDefaulted; PACL currentGroupSid; status = PhGetObjectSecurity( QueryHandle, GROUP_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (NT_SUCCESS(status)) { status = PhGetGroupSecurityDescriptor( currentSecurityDescriptor, ¤tGroupSid, ¤tGroupDefaulted ); if (NT_SUCCESS(status)) { if (currentGroupSid) { PPH_STRING string; SID_NAME_USE sidNameUse; if (string = PhGetSidFullName(currentGroupSid, FALSE, &sidNameUse)) { switch (sidNameUse) { case SidTypeUser: case SidTypeLogonSession: case SidTypeDeletedAccount: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (User)")); break; case SidTypeAlias: case SidTypeGroup: case SidTypeWellKnownGroup: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (Group)")); break; case SidTypeDomain: case SidTypeComputer: PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (Computer)")); break; } } else if (string = PhGetAppContainerPackageName(currentGroupSid)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_PACKAGE)")); } else if (string = PhGetAppContainerName(currentGroupSid)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_CONTAINER)")); } else if (string = PhGetCapabilitySidName(currentGroupSid)) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (APP_CAPABILITY)")); } PhSetListViewSubItem(Context->ListViewHeader, 1, 1, PhGetStringOrDefault(string, L"N/A")); PhClearReference(&string); } else { PhSetListViewSubItem(Context->ListViewHeader, 1, 1, L"NULL"); } } else { PPH_STRING string = PhGetNtMessage(status);; PhSetListViewSubItem(Context->ListViewHeader, 1, 1, PH_AUTO_T(PH_STRING, PhFormatString( L"0x%x: %s", status, PhGetStringOrEmpty(string)))->Buffer); PhClearReference(&string); } PhFree(currentSecurityDescriptor); } else { PPH_STRING string = PhGetNtMessage(status);; PhSetListViewSubItem(Context->ListViewHeader, 1, 1, PH_AUTO_T(PH_STRING, PhFormatString( L"0x%x: %s", status, PhGetStringOrEmpty(string)))->Buffer); PhClearReference(&string); } } VOID PhUpdateHandlePermissionsSaclSecurity( _In_ PHANDLE_PERMISSIONS_CONTEXT Context, _In_ HANDLE QueryHandle ) { NTSTATUS status; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentSaclPresent; BOOLEAN currentSaclDefaulted; PACL currentSacl; status = PhGetObjectSecurity( QueryHandle, SACL_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (NT_SUCCESS(status)) { status = PhGetSaclSecurityDescriptor( currentSecurityDescriptor, ¤tSaclPresent, ¤tSacl, ¤tSaclDefaulted ); if (NT_SUCCESS(status) && currentSaclPresent && currentSacl) { PSYSTEM_MANDATORY_LABEL_ACE currentAce; for (USHORT i = 0; i < currentSacl->AceCount; i++) { status = PhGetAce(currentSacl, i, ¤tAce); if (NT_SUCCESS(status)) { switch (currentAce->Header.AceType) { case SYSTEM_MANDATORY_LABEL_ACE_TYPE: { PSID trusteeSidBuffer = ¤tAce->SidStart; ULONG trusteeSidlength = PhLengthSid(trusteeSidBuffer); ULONG opaqueDataLength = currentAce->Header.AceSize - trusteeSidlength - FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart); // The remaining bytes of the SID are stored in contiguous memory after the SidStart member. This SID can be appended with application data. PhAddHandlePermissionsTrustee(Context, Context->ListViewHandle, trusteeSidBuffer, currentAce->Mask, 0); } break; } } else { PhAddStatusPermissionsTrustee(Context, Context->ListViewHeader, status, 0); } } } PhFree(currentSecurityDescriptor); } if (!NT_SUCCESS(status)) { PhAddStatusPermissionsTrustee(Context, Context->ListViewHeader, status, 0); } } VOID PhUpdateHandlePermissionsLabelSecurity( _In_ PHANDLE_PERMISSIONS_CONTEXT Context, _In_ HANDLE QueryHandle ) { NTSTATUS status; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentSaclPresent; BOOLEAN currentSaclDefaulted; PACL currentSacl; status = PhGetObjectSecurity( QueryHandle, LABEL_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (NT_SUCCESS(status)) { status = PhGetSaclSecurityDescriptor( currentSecurityDescriptor, ¤tSaclPresent, ¤tSacl, ¤tSaclDefaulted ); if (NT_SUCCESS(status) && currentSaclPresent && currentSacl) { PSYSTEM_MANDATORY_LABEL_ACE currentAce; for (USHORT i = 0; i < currentSacl->AceCount; i++) { status = PhGetAce(currentSacl, i, ¤tAce); if (NT_SUCCESS(status)) { switch (currentAce->Header.AceType) { case SYSTEM_MANDATORY_LABEL_ACE_TYPE: { PSID trusteeSidBuffer = ¤tAce->SidStart; ULONG trusteeSidlength = PhLengthSid(trusteeSidBuffer); ULONG opaqueDataLength = currentAce->Header.AceSize - trusteeSidlength - FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart); // The remaining bytes of the SID are stored in contiguous memory after the SidStart member. This SID can be appended with application data. PhAddHandlePermissionsTrustee(Context, Context->ListViewHeader, trusteeSidBuffer, currentAce->Mask, 2); } break; } } else { PhAddStatusPermissionsTrustee(Context, Context->ListViewHeader, status, 2); } } } PhFree(currentSecurityDescriptor); } if (!NT_SUCCESS(status)) { PhAddStatusPermissionsTrustee(Context, Context->ListViewHeader, status, 2); } } VOID PhUpdateHandlePermissionsDaclSecurity( _In_ PHANDLE_PERMISSIONS_CONTEXT Context, _In_ HANDLE QueryHandle ) { NTSTATUS status; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentSaclPresent; BOOLEAN currentSaclDefaulted; PACL currentSacl; status = PhGetObjectSecurity( QueryHandle, DACL_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (NT_SUCCESS(status)) { status = PhGetDaclSecurityDescriptor( currentSecurityDescriptor, ¤tSaclPresent, ¤tSacl, ¤tSaclDefaulted ); if (NT_SUCCESS(status) && currentSaclPresent && currentSacl) { PACCESS_ALLOWED_ACE currentAce; for (USHORT i = 0; i < currentSacl->AceCount; i++) { status = PhGetAce(currentSacl, i, ¤tAce); if (NT_SUCCESS(status)) { switch (currentAce->Header.AceType) { case ACCESS_ALLOWED_ACE_TYPE: { PSID trusteeSidBuffer = ¤tAce->SidStart; ULONG trusteeSidlength = PhLengthSid(trusteeSidBuffer); ULONG opaqueDataLength = currentAce->Header.AceSize - trusteeSidlength - FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart); // The remaining bytes of the SID are stored in contiguous memory after the SidStart member. This SID can be appended with application data. PhAddHandlePermissionsTrustee(Context, Context->ListViewHandle, trusteeSidBuffer, currentAce->Mask, 0); if (FlagOn(currentAce->Header.AceFlags, INHERITED_ACE)) { // This ACE is inherited } if (FlagOn(currentAce->Header.AceFlags, OBJECT_INHERIT_ACE)) { // This ACE can be inherited by child objects } if (FlagOn(currentAce->Header.AceFlags, CONTAINER_INHERIT_ACE)) { // This ACE can be inherited by container child objects } } break; } } } } PhFree(currentSecurityDescriptor); } if (!NT_SUCCESS(status)) { PhAddStatusPermissionsTrustee(Context, Context->ListViewHeader, status, 2); } } VOID PhUpdateHandlePermissionSecurity( _In_ PHANDLE_PERMISSIONS_CONTEXT Context ) { NTSTATUS status; HANDLE processHandle; HANDLE dupHandle = NULL; PhSetListViewStyle(Context->ListViewHeader, FALSE, TRUE); PhSetControlTheme(Context->ListViewHeader, L"explorer"); PhAddListViewColumn(Context->ListViewHeader, 0, 0, 0, LVCFMT_LEFT, 120, L"Name"); PhAddListViewColumn(Context->ListViewHeader, 1, 1, 1, LVCFMT_LEFT, 250, L"Value"); PhSetExtendedListView(Context->ListViewHeader); ListView_EnableGroupView(Context->ListViewHeader, TRUE); PhAddListViewGroup(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, L"Security information"); PhAddListViewGroupItem(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, 0, L"Owner", NULL); PhAddListViewGroupItem(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, 1, L"Group", NULL); PhAddListViewGroupItem(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, 2, L"Integrity", NULL); PhSetListViewSubItem(Context->ListViewHeader, 0, 1, L"N/A"); PhSetListViewSubItem(Context->ListViewHeader, 1, 1, L"N/A"); PhSetListViewSubItem(Context->ListViewHeader, 2, 1, L"N/A"); if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->HandleProperties->ProcessId ))) { if (!NT_SUCCESS(status = NtDuplicateObject( processHandle, Context->HandleProperties->HandleItem->Handle, NtCurrentProcess(), &dupHandle, READ_CONTROL | ACCESS_SYSTEM_SECURITY, 0, 0 ))) { status = NtDuplicateObject( processHandle, Context->HandleProperties->HandleItem->Handle, NtCurrentProcess(), &dupHandle, READ_CONTROL, 0, 0 ); } NtClose(processHandle); } if (NT_SUCCESS(status)) { PhUpdateHandlePermissionsDaclSecurity(Context, dupHandle); PhUpdateHandlePermissionsOwnerSecurity(Context, dupHandle); PhUpdateHandlePermissionsGroupSecurity(Context, dupHandle); PhUpdateHandlePermissionsLabelSecurity(Context, dupHandle); NtClose(dupHandle); } else { PPH_STRING string; if (string = PhGetWin32Message(PhNtStatusToDosError(status))) { PhMoveReference(&string, PhFormatString(L"0x%x: %s", status, PhGetStringOrDefault(string, L"N/A") )); } else { string = PhGetNtMessage(status); PhMoveReference(&string, PhFormatString(L"0x%x: %s", status, PhGetStringOrDefault(string, L"N/A") )); } PhSetListViewSubItem(Context->ListViewHeader, 0, 1, PhGetString(string)); PhSetListViewSubItem(Context->ListViewHeader, 1, 1, PhGetString(string)); PhSetListViewSubItem(Context->ListViewHeader, 2, 1, PhGetString(string)); PhClearReference(&string); } } VOID PhUpdateHandleAuditingSecurity( _In_ PHANDLE_PERMISSIONS_CONTEXT Context ) { NTSTATUS status; HANDLE processHandle; HANDLE dupHandle = NULL; PhSetListViewStyle(Context->ListViewHeader, FALSE, TRUE); PhSetControlTheme(Context->ListViewHeader, L"explorer"); PhAddListViewColumn(Context->ListViewHeader, 0, 0, 0, LVCFMT_LEFT, 120, L"Name"); PhAddListViewColumn(Context->ListViewHeader, 1, 1, 1, LVCFMT_LEFT, 250, L"Value"); PhSetExtendedListView(Context->ListViewHeader); ListView_EnableGroupView(Context->ListViewHeader, TRUE); PhAddListViewGroup(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, L"Auditing information"); PhAddListViewGroupItem(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, 0, L"Owner", NULL); PhAddListViewGroupItem(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, 1, L"Group", NULL); PhAddListViewGroupItem(Context->ListViewHeader, PH_HANDLE_GENERAL_CATEGORY_SECURITY, 2, L"Integrity", NULL); PhSetListViewSubItem(Context->ListViewHeader, 0, 1, L"N/A"); PhSetListViewSubItem(Context->ListViewHeader, 1, 1, L"N/A"); PhSetListViewSubItem(Context->ListViewHeader, 2, 1, L"N/A"); if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->HandleProperties->ProcessId ))) { if (!NT_SUCCESS(status = NtDuplicateObject( processHandle, Context->HandleProperties->HandleItem->Handle, NtCurrentProcess(), &dupHandle, READ_CONTROL | ACCESS_SYSTEM_SECURITY, 0, 0 ))) { status = NtDuplicateObject( processHandle, Context->HandleProperties->HandleItem->Handle, NtCurrentProcess(), &dupHandle, READ_CONTROL, 0, 0 ); } NtClose(processHandle); } if (NT_SUCCESS(status)) { PhUpdateHandlePermissionsOwnerSecurity(Context, dupHandle); PhUpdateHandlePermissionsGroupSecurity(Context, dupHandle); PhUpdateHandlePermissionsLabelSecurity(Context, dupHandle); NtClose(dupHandle); } else { PPH_STRING string; if (string = PhGetWin32Message(PhNtStatusToDosError(status))) { PhMoveReference(&string, PhFormatString(L"0x%x: %s", status, PhGetStringOrDefault(string, L"N/A") )); } else { string = PhGetNtMessage(status); PhMoveReference(&string, PhFormatString(L"0x%x: %s", status, PhGetStringOrDefault(string, L"N/A") )); } PhSetListViewSubItem(Context->ListViewHeader, 0, 1, PhGetString(string)); PhSetListViewSubItem(Context->ListViewHeader, 1, 1, PhGetString(string)); PhSetListViewSubItem(Context->ListViewHeader, 2, 1, PhGetString(string)); PhClearReference(&string); } } INT_PTR CALLBACK PhpHandlePermissionsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PHANDLE_PERMISSIONS_CONTEXT context; if (uMsg == WM_INITDIALOG) { LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam; context = PhAllocateZero(sizeof(HANDLE_PERMISSIONS_CONTEXT)); context->HandleProperties = (PHANDLE_PROPERTIES_CONTEXT)propSheetPage->lParam; PhSetDialogContext(hwndDlg, context); } else { context = PhGetDialogContext(hwndDlg); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(context->ParentWindow); context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); context->ListViewHeader = GetDlgItem(hwndDlg, IDC_SETTINGS); context->ParentWindow = GetParent(hwndDlg); //context->ListViewClass = PhGetListViewInterface(context->ListViewHandle); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 140, L"Principal"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 50, L"Type"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 80, L"Access"); //PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 80, L"Inherited from"); PhSetExtendedListView(context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHeader, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_ADD), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REMOVE), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SHOW), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_ADVANCED), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); ShowWindow(GetDlgItem(hwndDlg, IDC_ADD), SW_HIDE); ShowWindow(GetDlgItem(hwndDlg, IDC_REMOVE), SW_HIDE); ShowWindow(GetDlgItem(hwndDlg, IDC_SHOW), SW_HIDE); EnableWindow(GetDlgItem(hwndDlg, IDC_ADVANCED), FALSE); PhUpdateHandlePermissionSecurity(context); //if (PhPluginsEnabled) //{ // PPH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT Context; // Context = (PPH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT)context; // // PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackHandlePropertiesWindowInitialized), Context); //} if (PhEnableThemeSupport) // TODO: Required for compat (dmex) PhInitializeWindowTheme(context->ParentWindow, PhEnableThemeSupport); else PhInitializeWindowTheme(hwndDlg, FALSE); } break; case WM_DESTROY: { //PhUnregisterWindowCallback(context->ParentWindow); //PhSaveWindowPlacementToSetting(SETTING_HANDLE_PROPERTIES_WINDOW_POSITION, NULL, context->ParentWindow); PhDeleteLayoutManager(&context->LayoutManager); //PhDestroyListViewInterface(context->ListViewClass); PhRemoveDialogContext(hwndDlg); PhFree(context); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); ExtendedListView_SetColumnWidth(context->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; PhHandleListViewNotifyBehaviors(lParam, context->ListViewHandle, PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)context->ListViewHandle); return TRUE; } REFLECT_MESSAGE_DLG(hwndDlg, context->ListViewHandle, uMsg, wParam, lParam); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID *listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; HANDLE_MSG(hwndDlg, WM_CTLCOLORBTN, PhWindowThemeControlColor); HANDLE_MSG(hwndDlg, WM_CTLCOLORDLG, PhWindowThemeControlColor); HANDLE_MSG(hwndDlg, WM_CTLCOLORSTATIC, PhWindowThemeControlColor); } return FALSE; } INT_PTR CALLBACK PhpHandleAuditingDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PHANDLE_PERMISSIONS_CONTEXT context; if (uMsg == WM_INITDIALOG) { LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam; context = PhAllocateZero(sizeof(HANDLE_PERMISSIONS_CONTEXT)); context->HandleProperties = (PHANDLE_PROPERTIES_CONTEXT)propSheetPage->lParam; PhSetDialogContext(hwndDlg, context); } else { context = PhGetDialogContext(hwndDlg); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(context->ParentWindow); context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); context->ListViewHeader = GetDlgItem(hwndDlg, IDC_SETTINGS); context->ParentWindow = GetParent(hwndDlg); //context->ListViewClass = PhGetListViewInterface(context->ListViewHandle); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 140, L"Principal"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 50, L"Type"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 80, L"Access"); //PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 80, L"Inherited from"); //PhAddListViewColumn(context->ListViewHandle, 4, 4, 4, LVCFMT_LEFT, 80, L"Source"); PhSetExtendedListView(context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHeader, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_ADD), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REMOVE), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SHOW), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_ADVANCED), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); ShowWindow(GetDlgItem(hwndDlg, IDC_ADD), SW_HIDE); ShowWindow(GetDlgItem(hwndDlg, IDC_REMOVE), SW_HIDE); ShowWindow(GetDlgItem(hwndDlg, IDC_SHOW), SW_HIDE); EnableWindow(GetDlgItem(hwndDlg, IDC_ADVANCED), FALSE); PhUpdateHandleAuditingSecurity(context); } break; case WM_DESTROY: { //PhSaveWindowPlacementToSetting(SETTING_HANDLE_PROPERTIES_WINDOW_POSITION, NULL, context->ParentWindow); PhDeleteLayoutManager(&context->LayoutManager); //PhDestroyListViewInterface(context->ListViewClass); PhRemoveDialogContext(hwndDlg); PhFree(context); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); ExtendedListView_SetColumnWidth(context->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; PhHandleListViewNotifyBehaviors(lParam, context->ListViewHandle, PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)context->ListViewHandle); return TRUE; } REFLECT_MESSAGE_DLG(hwndDlg, context->ListViewHandle, uMsg, wParam, lParam); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID *listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; HANDLE_MSG(hwndDlg, WM_CTLCOLORBTN, PhWindowThemeControlColor); HANDLE_MSG(hwndDlg, WM_CTLCOLORDLG, PhWindowThemeControlColor); HANDLE_MSG(hwndDlg, WM_CTLCOLORSTATIC, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/hndlprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include typedef struct _PHP_CREATE_HANDLE_ITEM_CONTEXT { PPH_HANDLE_PROVIDER Provider; PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle; } PHP_CREATE_HANDLE_ITEM_CONTEXT, *PPHP_CREATE_HANDLE_ITEM_CONTEXT; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpHandleProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpHandleItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); PPH_OBJECT_TYPE PhHandleProviderType = NULL; PPH_OBJECT_TYPE PhHandleItemType = NULL; PPH_HANDLE_PROVIDER PhCreateHandleProvider( _In_ HANDLE ProcessId ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_HANDLE_PROVIDER handleProvider; if (PhBeginInitOnce(&initOnce)) { PhHandleProviderType = PhCreateObjectType(L"HandleProvider", 0, PhpHandleProviderDeleteProcedure); PhEndInitOnce(&initOnce); } handleProvider = PhCreateObject( PhEmGetObjectSize(EmHandleProviderType, sizeof(PH_HANDLE_PROVIDER)), PhHandleProviderType ); memset(handleProvider, 0, sizeof(PH_HANDLE_PROVIDER)); handleProvider->HandleHashSetSize = 128; handleProvider->HandleHashSet = PhCreateHashSet(handleProvider->HandleHashSetSize); handleProvider->HandleHashSetCount = 0; PhInitializeQueuedLock(&handleProvider->HandleHashSetLock); PhInitializeCallback(&handleProvider->HandleAddedEvent); PhInitializeCallback(&handleProvider->HandleModifiedEvent); PhInitializeCallback(&handleProvider->HandleRemovedEvent); PhInitializeCallback(&handleProvider->HandleUpdatedEvent); handleProvider->ProcessId = ProcessId; handleProvider->ProcessHandle = NULL; handleProvider->RunStatus = PhOpenProcess( &handleProvider->ProcessHandle, PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, ProcessId ); if (!NT_SUCCESS(handleProvider->RunStatus)) { handleProvider->RunStatus = PhOpenProcess( &handleProvider->ProcessHandle, PROCESS_QUERY_INFORMATION, ProcessId ); } handleProvider->TempListHashtable = PhCreateSimpleHashtable(512); PhEmCallObjectOperation(EmHandleProviderType, handleProvider, EmObjectCreate); return handleProvider; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpHandleProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_HANDLE_PROVIDER handleProvider = (PPH_HANDLE_PROVIDER)Object; PhEmCallObjectOperation(EmHandleProviderType, handleProvider, EmObjectDelete); // Dereference all handle items (we referenced them // when we added them to the hashtable). PhDereferenceAllHandleItems(handleProvider); PhFree(handleProvider->HandleHashSet); PhDeleteCallback(&handleProvider->HandleAddedEvent); PhDeleteCallback(&handleProvider->HandleModifiedEvent); PhDeleteCallback(&handleProvider->HandleRemovedEvent); if (handleProvider->ProcessHandle) NtClose(handleProvider->ProcessHandle); PhDereferenceObject(handleProvider->TempListHashtable); } PPH_HANDLE_ITEM PhCreateHandleItem( _In_opt_ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_HANDLE_ITEM handleItem; if (PhBeginInitOnce(&initOnce)) { PhHandleItemType = PhCreateObjectType(L"HandleItem", 0, PhpHandleItemDeleteProcedure); PhEndInitOnce(&initOnce); } handleItem = PhCreateObject( PhEmGetObjectSize(EmHandleItemType, sizeof(PH_HANDLE_ITEM)), PhHandleItemType ); memset(handleItem, 0, sizeof(PH_HANDLE_ITEM)); if (Handle) { handleItem->Object = Handle->Object; handleItem->ProcessId = Handle->UniqueProcessId; handleItem->Handle = Handle->HandleValue; handleItem->Attributes = Handle->HandleAttributes; handleItem->GrantedAccess = Handle->GrantedAccess; handleItem->TypeIndex = Handle->ObjectTypeIndex; PhPrintPointer(handleItem->HandleString, (PVOID)handleItem->Handle); PhPrintPointer(handleItem->GrantedAccessString, UlongToPtr(handleItem->GrantedAccess)); if (handleItem->Object) PhPrintPointer(handleItem->ObjectString, handleItem->Object); } PhEmCallObjectOperation(EmHandleItemType, handleItem, EmObjectCreate); return handleItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpHandleItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_HANDLE_ITEM handleItem = (PPH_HANDLE_ITEM)Object; PhEmCallObjectOperation(EmHandleItemType, handleItem, EmObjectDelete); if (handleItem->TypeName) PhDereferenceObject(handleItem->TypeName); if (handleItem->ObjectName) PhDereferenceObject(handleItem->ObjectName); if (handleItem->BestObjectName) PhDereferenceObject(handleItem->BestObjectName); } FORCEINLINE BOOLEAN PhCompareHandleItem( _In_ PPH_HANDLE_ITEM Value1, _In_ PPH_HANDLE_ITEM Value2 ) { return Value1->Handle == Value2->Handle; } FORCEINLINE ULONG PhHashHandleItem( _In_ PPH_HANDLE_ITEM Value ) { return HandleToUlong(Value->Handle) / 4; } PPH_HANDLE_ITEM PhpLookupHandleItem( _In_ PPH_HANDLE_PROVIDER HandleProvider, _In_ HANDLE Handle ) { PH_HANDLE_ITEM lookupHandleItem; PPH_HASH_ENTRY entry; PPH_HANDLE_ITEM handleItem; lookupHandleItem.Handle = Handle; entry = PhFindEntryHashSet( HandleProvider->HandleHashSet, HandleProvider->HandleHashSetSize, PhHashHandleItem(&lookupHandleItem) ); for (; entry; entry = entry->Next) { handleItem = CONTAINING_RECORD(entry, PH_HANDLE_ITEM, HashEntry); if (PhCompareHandleItem(&lookupHandleItem, handleItem)) return handleItem; } return NULL; } PPH_HANDLE_ITEM PhReferenceHandleItem( _In_ PPH_HANDLE_PROVIDER HandleProvider, _In_ HANDLE Handle ) { PPH_HANDLE_ITEM handleItem; PhAcquireQueuedLockShared(&HandleProvider->HandleHashSetLock); handleItem = PhpLookupHandleItem(HandleProvider, Handle); if (handleItem) PhReferenceObject(handleItem); PhReleaseQueuedLockShared(&HandleProvider->HandleHashSetLock); return handleItem; } VOID PhDereferenceAllHandleItems( _In_ PPH_HANDLE_PROVIDER HandleProvider ) { ULONG i; PPH_HASH_ENTRY entry; PPH_HANDLE_ITEM handleItem; PhAcquireQueuedLockExclusive(&HandleProvider->HandleHashSetLock); for (i = 0; i < HandleProvider->HandleHashSetSize; i++) { entry = HandleProvider->HandleHashSet[i]; while (entry) { handleItem = CONTAINING_RECORD(entry, PH_HANDLE_ITEM, HashEntry); entry = entry->Next; PhDereferenceObject(handleItem); } } PhReleaseQueuedLockExclusive(&HandleProvider->HandleHashSetLock); } VOID PhpAddHandleItem( _In_ PPH_HANDLE_PROVIDER HandleProvider, _In_ _Assume_refs_(1) PPH_HANDLE_ITEM HandleItem ) { if (HandleProvider->HandleHashSetSize < HandleProvider->HandleHashSetCount + 1) { PhResizeHashSet( &HandleProvider->HandleHashSet, &HandleProvider->HandleHashSetSize, HandleProvider->HandleHashSetSize * 2 ); } PhAddEntryHashSet( HandleProvider->HandleHashSet, HandleProvider->HandleHashSetSize, &HandleItem->HashEntry, PhHashHandleItem(HandleItem) ); HandleProvider->HandleHashSetCount++; } VOID PhpRemoveHandleItem( _In_ PPH_HANDLE_PROVIDER HandleProvider, _In_ PPH_HANDLE_ITEM HandleItem ) { PhRemoveEntryHashSet(HandleProvider->HandleHashSet, HandleProvider->HandleHashSetSize, &HandleItem->HashEntry); HandleProvider->HandleHashSetCount--; PhDereferenceObject(HandleItem); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpCreateHandleItemFunction( _In_ PVOID Parameter ) { PPHP_CREATE_HANDLE_ITEM_CONTEXT context = Parameter; PPH_HANDLE_ITEM handleItem; OBJECT_BASIC_INFORMATION handleBasicInformation = { 0 }; handleItem = PhCreateHandleItem(context->Handle); PhGetHandleInformationEx( context->Provider->ProcessHandle, handleItem->Handle, context->Handle->ObjectTypeIndex, 0, NULL, &handleBasicInformation, &handleItem->TypeName, &handleItem->ObjectName, &handleItem->BestObjectName, NULL ); if (PhIsNullOrEmptyString(handleItem->TypeName)) { PhMoveReference(&handleItem->TypeName, PhGetObjectTypeIndexName(handleItem->TypeIndex)); } handleItem->HandleCount = handleBasicInformation.HandleCount; handleItem->PointerCount = handleBasicInformation.PointerCount; handleItem->PagedPoolCharge = handleBasicInformation.PagedPoolCharge; handleItem->NonPagedPoolCharge = handleBasicInformation.NonPagedPoolCharge; if (handleItem->TypeName) { // Add the handle item to the hashtable. PhAcquireQueuedLockExclusive(&context->Provider->HandleHashSetLock); PhpAddHandleItem(context->Provider, handleItem); PhReleaseQueuedLockExclusive(&context->Provider->HandleHashSetLock); // Raise the handle added event. PhInvokeCallback(&context->Provider->HandleAddedEvent, handleItem); } else { PhDereferenceObject(handleItem); } PhFree(context); return STATUS_SUCCESS; } _Function_class_(PH_PROVIDER_FUNCTION) VOID PhHandleProviderUpdate( _In_ PVOID Object ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static ULONG fileObjectTypeIndex = ULONG_MAX; PPH_HANDLE_PROVIDER handleProvider = (PPH_HANDLE_PROVIDER)Object; PSYSTEM_HANDLE_INFORMATION_EX handleInfo; PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handles; ULONG_PTR numberOfHandles; ULONG i; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_KEY_VALUE_PAIR handlePair; BOOLEAN useWorkQueue = FALSE; PH_WORK_QUEUE workQueue; KPH_LEVEL level; handleProvider->RunStatus = PhEnumHandlesGeneric( handleProvider->ProcessId, handleProvider->ProcessHandle, !!PhCsEnableHandleSnapshot, &handleInfo ); level = KsiLevel(); if (level < KphLevelMed) { useWorkQueue = TRUE; PhInitializeWorkQueue(&workQueue, 1, 20, 1000); if (PhBeginInitOnce(&initOnce)) { fileObjectTypeIndex = PhGetObjectTypeNumberZ(L"File"); PhEndInitOnce(&initOnce); } } if (NT_SUCCESS(handleProvider->RunStatus)) { handles = handleInfo->Handles; numberOfHandles = handleInfo->NumberOfHandles; for (i = 0; i < numberOfHandles; i++) { PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle = &handles[i]; PhAddItemSimpleHashtable( handleProvider->TempListHashtable, handle->HandleValue, handle ); } } // Look for closed handles. { PPH_LIST handlesToRemove = NULL; PPH_HASH_ENTRY entry; PPH_HANDLE_ITEM handleItem; PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX *tempHashtableValue; for (i = 0; i < handleProvider->HandleHashSetSize; i++) { for (entry = handleProvider->HandleHashSet[i]; entry; entry = entry->Next) { BOOLEAN found = FALSE; handleItem = CONTAINING_RECORD(entry, PH_HANDLE_ITEM, HashEntry); // Check if the handle still exists. tempHashtableValue = (PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX *)PhFindItemSimpleHashtable( handleProvider->TempListHashtable, handleItem->Handle ); if (tempHashtableValue) { // Also compare the object pointers to make sure a different object wasn't // re-opened with the same handle value. if (level >= KphLevelMed && handleProvider->ProcessHandle) { found = NT_SUCCESS(KphCompareObjects( handleProvider->ProcessHandle, handleItem->Handle, (*tempHashtableValue)->HandleValue )); } // This isn't 100% accurate as pool addresses may be re-used, but it works well. else if (handleItem->Object && handleItem->Object == (*tempHashtableValue)->Object) { found = TRUE; } else { if ( handleItem->Handle == (*tempHashtableValue)->HandleValue && handleItem->GrantedAccess == (*tempHashtableValue)->GrantedAccess && handleItem->TypeIndex == (*tempHashtableValue)->ObjectTypeIndex && handleItem->Attributes == (*tempHashtableValue)->HandleAttributes && handleItem->ProcessId == (*tempHashtableValue)->UniqueProcessId ) { found = TRUE; } } } if (!found) { // Raise the handle removed event. PhInvokeCallback(&handleProvider->HandleRemovedEvent, handleItem); if (!handlesToRemove) handlesToRemove = PhCreateList(2); PhAddItemList(handlesToRemove, handleItem); } } } if (handlesToRemove) { PhAcquireQueuedLockExclusive(&handleProvider->HandleHashSetLock); for (i = 0; i < handlesToRemove->Count; i++) { PhpRemoveHandleItem(handleProvider, handlesToRemove->Items[i]); } PhReleaseQueuedLockExclusive(&handleProvider->HandleHashSetLock); PhDereferenceObject(handlesToRemove); } } // Look for new handles and update existing ones. PhBeginEnumHashtable(handleProvider->TempListHashtable, &enumContext); while (handlePair = PhNextEnumHashtable(&enumContext)) { PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle = handlePair->Value; PPH_HANDLE_ITEM handleItem; handleItem = PhpLookupHandleItem(handleProvider, handle->HandleValue); if (!handleItem) { OBJECT_BASIC_INFORMATION handleBasicInformation = { 0 }; // When we don't have KPH, query handle information in parallel to take full advantage of the // PhCallWithTimeout functionality. if (useWorkQueue && handle->ObjectTypeIndex == fileObjectTypeIndex) { PPHP_CREATE_HANDLE_ITEM_CONTEXT context; context = PhAllocate(sizeof(PHP_CREATE_HANDLE_ITEM_CONTEXT)); context->Provider = handleProvider; context->Handle = handle; PhQueueItemWorkQueue(&workQueue, PhpCreateHandleItemFunction, context); continue; } handleItem = PhCreateHandleItem(handle); PhGetHandleInformationEx( handleProvider->ProcessHandle, handleItem->Handle, handle->ObjectTypeIndex, 0, NULL, &handleBasicInformation, &handleItem->TypeName, &handleItem->ObjectName, &handleItem->BestObjectName, NULL ); handleItem->HandleCount = handleBasicInformation.HandleCount; handleItem->PointerCount = handleBasicInformation.PointerCount; handleItem->PagedPoolCharge = handleBasicInformation.PagedPoolCharge; handleItem->NonPagedPoolCharge = handleBasicInformation.NonPagedPoolCharge; if (PhIsNullOrEmptyString(handleItem->TypeName)) { PPH_STRING typeName; if (typeName = PhGetObjectTypeIndexName(handleItem->TypeIndex)) { PhMoveReference(&handleItem->TypeName, typeName); } } if (handle->ObjectTypeIndex == fileObjectTypeIndex) { if (level >= KphLevelMed) { KPH_FILE_OBJECT_INFORMATION objectInfo; if (NT_SUCCESS(KphQueryInformationObject( handleProvider->ProcessHandle, handleItem->Handle, KphObjectFileObjectInformation, &objectInfo, sizeof(KPH_FILE_OBJECT_INFORMATION), NULL ))) { if (objectInfo.SharedRead) handleItem->FileFlags |= PH_HANDLE_FILE_SHARED_READ; if (objectInfo.SharedWrite) handleItem->FileFlags |= PH_HANDLE_FILE_SHARED_WRITE; if (objectInfo.SharedDelete) handleItem->FileFlags |= PH_HANDLE_FILE_SHARED_DELETE; // TODO add extra info from file objects here (jxy-s) // objectInfo.HasActiveTransaction; // objectInfo.UserWritableReferences; // objectInfo.IsIgnoringSharing; // ... more } } } // Add the handle item to the hashtable. PhAcquireQueuedLockExclusive(&handleProvider->HandleHashSetLock); PhpAddHandleItem(handleProvider, handleItem); PhReleaseQueuedLockExclusive(&handleProvider->HandleHashSetLock); // Raise the handle added event. PhInvokeCallback(&handleProvider->HandleAddedEvent, handleItem); } else { BOOLEAN modified = FALSE; OBJECT_BASIC_INFORMATION handleBasicInformation = { 0 }; if (NT_SUCCESS(PhGetHandleInformationEx( handleProvider->ProcessHandle, handleItem->Handle, handle->ObjectTypeIndex, 0, NULL, &handleBasicInformation, NULL, NULL, NULL, NULL ))) { if (handleItem->HandleCount != handleBasicInformation.HandleCount) { handleItem->HandleCount = handleBasicInformation.HandleCount; modified = TRUE; } if (handleItem->PointerCount != handleBasicInformation.PointerCount) { handleItem->PointerCount = handleBasicInformation.PointerCount; modified = TRUE; } if (handleItem->PagedPoolCharge != handleBasicInformation.PagedPoolCharge) { handleItem->PagedPoolCharge = handleBasicInformation.PagedPoolCharge; modified = TRUE; } if (handleItem->NonPagedPoolCharge != handleBasicInformation.NonPagedPoolCharge) { handleItem->NonPagedPoolCharge = handleBasicInformation.NonPagedPoolCharge; modified = TRUE; } } if (handleItem->Attributes != handle->HandleAttributes) { handleItem->Attributes = handle->HandleAttributes; modified = TRUE; } if (modified) { // Raise the handle modified event. PhInvokeCallback(&handleProvider->HandleModifiedEvent, handleItem); } } } if (useWorkQueue) { PhWaitForWorkQueue(&workQueue); PhDeleteWorkQueue(&workQueue); } if (NT_SUCCESS(handleProvider->RunStatus)) { PhFree(handleInfo); } // Re-create the temporary hashtable if it got too big. if (handleProvider->TempListHashtable->AllocatedEntries > 8192) { PhDereferenceObject(handleProvider->TempListHashtable); handleProvider->TempListHashtable = PhCreateSimpleHashtable(512); } else { PhClearHashtable(handleProvider->TempListHashtable); } PhInvokeCallback(&handleProvider->HandleUpdatedEvent, NULL); } ================================================ FILE: SystemInformer/hndlstat.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2022-2023 * */ #include #include #include #include typedef struct _HANDLE_STATISTICS_ENTRY { PPH_STRING Name; ULONG Count; } HANDLE_STATISTICS_ENTRY, *PHANDLE_STATISTICS_ENTRY; typedef struct _HANDLE_STATISTICS_CONTEXT { HANDLE ProcessId; HANDLE ProcessHandle; HWND ListViewHandle; PH_LAYOUT_MANAGER LayoutManager; PSYSTEM_HANDLE_INFORMATION_EX Handles; HANDLE_STATISTICS_ENTRY Entries[MAX_OBJECT_TYPE_NUMBER]; } HANDLE_STATISTICS_CONTEXT, *PHANDLE_STATISTICS_CONTEXT; INT_PTR CALLBACK PhpHandleStatisticsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowHandleStatisticsDialog( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId ) { NTSTATUS status; PHANDLE_STATISTICS_CONTEXT context; PSYSTEM_HANDLE_INFORMATION_EX handleInfo; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, ProcessId ); if (!NT_SUCCESS(status)) { PhShowStatus(ParentWindowHandle, L"Unable to open the process", status, 0); return; } status = PhEnumHandlesGeneric( ProcessId, processHandle, !!PhCsEnableHandleSnapshot, &handleInfo ); if (!NT_SUCCESS(status)) { NtClose(processHandle); PhShowStatus(ParentWindowHandle, L"Unable to enumerate process handles", status, 0); return; } context = PhAllocateZero(sizeof(HANDLE_STATISTICS_CONTEXT)); context->ProcessId = ProcessId; context->ProcessHandle = processHandle; context->Handles = handleInfo; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_HANDLESTATS), ParentWindowHandle, PhpHandleStatisticsDlgProc, context ); } void PhDestroyHandleStatistics( _In_ PHANDLE_STATISTICS_CONTEXT Context) { for (ULONG i = 0; i < MAX_OBJECT_TYPE_NUMBER; i++) { if (Context->Entries[i].Name) { PhDereferenceObject(Context->Entries[i].Name); } } if (Context->Handles) { PhFree(Context->Handles); } if (Context->ProcessHandle) { NtClose(Context->ProcessHandle); } } static LONG NTAPI PhpTypeCountCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_opt_ PVOID Context ) { PHANDLE_STATISTICS_ENTRY entry1 = Item1; PHANDLE_STATISTICS_ENTRY entry2 = Item2; return uintcmp(entry1->Count, entry2->Count); } INT_PTR CALLBACK PhpHandleStatisticsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PHANDLE_STATISTICS_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PHANDLE_STATISTICS_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HANDLE processId; ULONG_PTR i; PhSetApplicationWindowIcon(hwndDlg); processId = context->ProcessId; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(context->ListViewHandle, TRUE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 140, L"Type"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 100, L"Count"); PhSetExtendedListView(context->ListViewHandle); ExtendedListView_SetCompareFunction(context->ListViewHandle, 1, PhpTypeCountCompareFunction); PhLoadListViewColumnsFromSetting(SETTING_HANDLE_STATISTICS_LIST_VIEW_COLUMNS, context->ListViewHandle); PhLoadListViewSortColumnsFromSetting(SETTING_HANDLE_STATISTICS_LIST_VIEW_SORT, context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); if (PhValidWindowPlacementFromSetting(SETTING_HANDLE_STATISTICS_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_HANDLE_STATISTICS_WINDOW_POSITION, SETTING_HANDLE_STATISTICS_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, GetParent(hwndDlg)); for (i = 0; i < context->Handles->NumberOfHandles; i++) { PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo; PHANDLE_STATISTICS_ENTRY entry; handleInfo = &context->Handles->Handles[i]; if (handleInfo->UniqueProcessId != processId) continue; if (handleInfo->ObjectTypeIndex >= MAX_OBJECT_TYPE_NUMBER) continue; entry = &context->Entries[handleInfo->ObjectTypeIndex]; if (PhIsNullOrEmptyString(entry->Name)) { entry->Name = PhGetObjectTypeIndexName(handleInfo->ObjectTypeIndex); if (PhIsNullOrEmptyString(entry->Name)) { PPH_STRING typeName = NULL; PhGetHandleInformation( context->ProcessHandle, handleInfo->HandleValue, handleInfo->ObjectTypeIndex, NULL, &typeName, NULL, NULL ); PhMoveReference(&entry->Name, typeName); } } entry->Count++; } for (i = 0; i < MAX_OBJECT_TYPE_NUMBER; i++) { PHANDLE_STATISTICS_ENTRY entry; PPH_STRING unknownType; PPH_STRING countString; LONG lvItemIndex; entry = &context->Entries[i]; if (entry->Count == 0) continue; if (PhIsNullOrEmptyString(entry->Name)) { unknownType = PhFormatString(L"(unknown: %lu)", (ULONG)i); lvItemIndex = PhAddListViewItem( context->ListViewHandle, MAXINT, PhGetString(unknownType), entry ); PhDereferenceObject(unknownType); } else { lvItemIndex = PhAddListViewItem( context->ListViewHandle, MAXINT, PhGetString(entry->Name), entry ); } countString = PhFormatUInt64(entry->Count, TRUE); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 1, PhGetString(countString)); PhDereferenceObject(countString); } ExtendedListView_SortItems(context->ListViewHandle); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhDestroyHandleStatistics(context); PhSaveListViewSortColumnsToSetting(SETTING_HANDLE_STATISTICS_LIST_VIEW_SORT, context->ListViewHandle); PhSaveListViewColumnsToSetting(SETTING_HANDLE_STATISTICS_LIST_VIEW_COLUMNS, context->ListViewHandle); PhSaveWindowPlacementToSetting(SETTING_HANDLE_STATISTICS_WINDOW_POSITION, SETTING_HANDLE_STATISTICS_WINDOW_SIZE, hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; } } break; case WM_NOTIFY: { PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/include/actions.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2018-2023 * */ #ifndef PH_ACTIONS_H #define PH_ACTIONS_H EXTERN_C_START typedef enum _PH_ACTION_ELEVATION_LEVEL { NeverElevateAction = 0, PromptElevateAction = 1, AlwaysElevateAction = 2 } PH_ACTION_ELEVATION_LEVEL; // begin_phapppub typedef enum _PH_PHSVC_MODE { ElevatedPhSvcMode, Wow64PhSvcMode } PH_PHSVC_MODE; PHAPPAPI BOOLEAN NTAPI PhUiConnectToPhSvc( _In_opt_ HWND WindowHandle, _In_ BOOLEAN ConnectOnly ); PHAPPAPI BOOLEAN NTAPI PhUiConnectToPhSvcEx( _In_opt_ HWND WindowHandle, _In_ PH_PHSVC_MODE Mode, _In_ BOOLEAN ConnectOnly ); PHAPPAPI VOID NTAPI PhUiDisconnectFromPhSvc( VOID ); PHAPPAPI BOOLEAN NTAPI PhUiLockComputer( _In_ HWND WindowHandle ); PHAPPAPI BOOLEAN NTAPI PhUiLogoffComputer( _In_ HWND WindowHandle ); PHAPPAPI BOOLEAN NTAPI PhUiSleepComputer( _In_ HWND WindowHandle ); PHAPPAPI BOOLEAN NTAPI PhUiHibernateComputer( _In_ HWND WindowHandle ); typedef enum _PH_POWERACTION_TYPE { PH_POWERACTION_TYPE_NONE, PH_POWERACTION_TYPE_WIN32, PH_POWERACTION_TYPE_NATIVE, PH_POWERACTION_TYPE_CRITICAL, PH_POWERACTION_TYPE_ADVANCEDBOOT, PH_POWERACTION_TYPE_FIRMWAREBOOT, PH_POWERACTION_TYPE_UPDATE, PH_POWERACTION_TYPE_WDOSCAN, PH_POWERACTION_TYPE_MAXIMUM } PH_POWERACTION_TYPE; PHAPPAPI BOOLEAN NTAPI PhUiRestartComputer( _In_ HWND WindowHandle, _In_ PH_POWERACTION_TYPE Action, _In_ ULONG Flags ); PHAPPAPI BOOLEAN NTAPI PhUiShutdownComputer( _In_ HWND WindowHandle, _In_ PH_POWERACTION_TYPE Action, _In_ ULONG Flags ); PVOID PhUiCreateComputerBootDeviceMenu( _In_ BOOLEAN DelayLoadMenu ); PVOID PhUiCreateComputerFirmwareDeviceMenu( _In_ BOOLEAN DelayLoadMenu ); VOID PhUiHandleComputerBootApplicationMenu( _In_ HWND WindowHandle, _In_ ULONG MenuIndex ); VOID PhUiHandleComputerFirmwareApplicationMenu( _In_ HWND WindowHandle, _In_ ULONG MenuIndex ); VOID PhUiCreateSessionMenu( _In_ PVOID UsersMenuItem ); PHAPPAPI BOOLEAN NTAPI PhUiConnectSession( _In_ HWND WindowHandle, _In_ ULONG SessionId ); PHAPPAPI BOOLEAN NTAPI PhUiDisconnectSession( _In_ HWND WindowHandle, _In_ ULONG SessionId ); PHAPPAPI BOOLEAN NTAPI PhUiLogoffSession( _In_ HWND WindowHandle, _In_ ULONG SessionId ); PHAPPAPI BOOLEAN NTAPI PhUiTerminateProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ); PHAPPAPI BOOLEAN NTAPI PhUiTerminateTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiSuspendProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ); PHAPPAPI BOOLEAN NTAPI PhUiSuspendTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiResumeProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ); PHAPPAPI BOOLEAN NTAPI PhUiResumeTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiFreezeTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiThawTreeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiRestartProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiDebugProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiReduceWorkingSetProcesses( _In_ HWND WindowHandle, _In_ CONST PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ); PHAPPAPI BOOLEAN NTAPI PhUiSetEmptyWorkingSetProcesses( _In_ HWND WindowHandle, _In_ CONST PPH_PROCESS_ITEM* Processes, _In_ ULONG NumberOfProcesses ); PHAPPAPI BOOLEAN NTAPI PhUiSetActivityModeration( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiSetVirtualizationProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ BOOLEAN Enable ); PHAPPAPI BOOLEAN NTAPI PhUiSetCriticalProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiSetEcoModeProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiDetachFromDebuggerProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiSetExecutionRequiredProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiLoadDllProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process ); PHAPPAPI BOOLEAN NTAPI PhUiSetIoPriorityProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses, _In_ IO_PRIORITY_HINT IoPriority ); PHAPPAPI BOOLEAN NTAPI PhUiSetPagePriorityProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ ULONG PagePriority ); PHAPPAPI BOOLEAN NTAPI PhUiSetPriorityClassProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses, _In_ ULONG PriorityClass ); PHAPPAPI BOOLEAN NTAPI PhUiSetBoostPriorityProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM* Processes, _In_ ULONG NumberOfProcesses, _In_ BOOLEAN PriorityBoost ); PHAPPAPI BOOLEAN NTAPI PhUiSetBoostPriorityProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM Process, _In_ BOOLEAN PriorityBoost ); PHAPPAPI BOOLEAN NTAPI PhUiStartServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ); PHAPPAPI BOOLEAN NTAPI PhUiStartService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ); PHAPPAPI BOOLEAN NTAPI PhUiContinueServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ); PHAPPAPI BOOLEAN NTAPI PhUiContinueService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ); PHAPPAPI BOOLEAN NTAPI PhUiPauseServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ); PHAPPAPI BOOLEAN NTAPI PhUiPauseService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ); PHAPPAPI BOOLEAN NTAPI PhUiStopServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ); PHAPPAPI BOOLEAN NTAPI PhUiStopService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ); PHAPPAPI BOOLEAN NTAPI PhUiDeleteService( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM Service ); PHAPPAPI BOOLEAN NTAPI PhUiRestartServices( _In_ HWND WindowHandle, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ); PHAPPAPI BOOLEAN NTAPI PhUiCloseConnections( _In_ HWND WindowHandle, _In_ PPH_NETWORK_ITEM *Connections, _In_ ULONG NumberOfConnections ); PHAPPAPI BOOLEAN NTAPI PhUiTerminateThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ); PHAPPAPI BOOLEAN NTAPI PhUiSuspendThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ); PHAPPAPI BOOLEAN NTAPI PhUiResumeThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ); PHAPPAPI BOOLEAN NTAPI PhUiSetBoostPriorityThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM* Threads, _In_ ULONG NumberOfThreads, _In_ BOOLEAN PriorityBoost ); PHAPPAPI BOOLEAN NTAPI PhUiSetBoostPriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ BOOLEAN PriorityBoost ); PHAPPAPI BOOLEAN NTAPI PhUiSetPriorityThreads( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM* Threads, _In_ ULONG NumberOfThreads, _In_ LONG Increment ); PHAPPAPI BOOLEAN NTAPI PhUiSetPriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ LONG Increment ); PHAPPAPI BOOLEAN NTAPI PhUiSetIoPriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ IO_PRIORITY_HINT IoPriority ); PHAPPAPI BOOLEAN NTAPI PhUiSetPagePriorityThread( _In_ HWND WindowHandle, _In_ PPH_THREAD_ITEM Thread, _In_ ULONG PagePriority ); PHAPPAPI BOOLEAN NTAPI PhUiUnloadModule( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_MODULE_ITEM Module ); PHAPPAPI BOOLEAN NTAPI PhUiFreeMemory( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_MEMORY_ITEM MemoryItem, _In_ BOOLEAN Free ); PHAPPAPI BOOLEAN NTAPI PhUiEmptyProcessMemoryWorkingSet( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_MEMORY_ITEM MemoryItem ); PHAPPAPI BOOLEAN NTAPI PhUiCloseHandles( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_HANDLE_ITEM *Handles, _In_ ULONG NumberOfHandles, _In_ BOOLEAN Warn ); PHAPPAPI BOOLEAN NTAPI PhUiSetAttributesHandle( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ PPH_HANDLE_ITEM Handle, _In_ ULONG Attributes ); PHAPPAPI BOOLEAN NTAPI PhUiFlushHeapProcesses( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM* Processes, _In_ ULONG NumberOfProcesses ); // end_phapppub EXTERN_C_END #endif ================================================ FILE: SystemInformer/include/appsup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016-2017 * dmex 2017-2023 * */ #ifndef PH_APPSUP_H #define PH_APPSUP_H DEFINE_GUID(XP_CONTEXT_GUID, 0xbeb1b341, 0x6837, 0x4c83, 0x83, 0x66, 0x2b, 0x45, 0x1e, 0x7c, 0xe6, 0x9b); DEFINE_GUID(VISTA_CONTEXT_GUID, 0xe2011457, 0x1546, 0x43c5, 0xa5, 0xfe, 0x00, 0x8d, 0xee, 0xe3, 0xd3, 0xf0); DEFINE_GUID(WIN7_CONTEXT_GUID, 0x35138b9a, 0x5d96, 0x4fbd, 0x8e, 0x2d, 0xa2, 0x44, 0x02, 0x25, 0xf9, 0x3a); DEFINE_GUID(WIN8_CONTEXT_GUID, 0x4a2f28e3, 0x53b9, 0x4441, 0xba, 0x9c, 0xd6, 0x9d, 0x4a, 0x4a, 0x6e, 0x38); DEFINE_GUID(WINBLUE_CONTEXT_GUID, 0x1f676c76, 0x80e1, 0x4239, 0x95, 0xbb, 0x83, 0xd0, 0xf6, 0xd0, 0xda, 0x78); DEFINE_GUID(WIN10_CONTEXT_GUID, 0x8e0f7a12, 0xbfb3, 0x4fe8, 0xb9, 0xa5, 0x48, 0xfd, 0x50, 0xa1, 0x5a, 0x9a); // begin_phapppub PHAPPAPI BOOLEAN NTAPI PhGetProcessIsSuspended( _In_ PSYSTEM_PROCESS_INFORMATION Process ); PHAPPAPI BOOLEAN NTAPI PhIsProcessSuspended( _In_ HANDLE ProcessId ); PHAPPAPI BOOLEAN NTAPI PhIsProcessBackground( _In_ ULONG PriorityClass ); PHAPPAPI PCPH_STRINGREF NTAPI PhGetProcessPriorityClassString( _In_ ULONG PriorityClass ); // end_phapppub PPH_STRING PhGetProcessProtectionString( _In_ PS_PROTECTION Protection, _In_ BOOLEAN IsSecureProcess ); NTSTATUS PhGetProcessSwitchContext( _In_ HANDLE ProcessHandle, _Out_ PGUID Guid ); NTSTATUS PhGetProcessDefaultHeap( _In_ HANDLE ProcessHandle, _Out_ PVOID* Heap ); // begin_phapppub typedef enum _PH_KNOWN_PROCESS_TYPE { UnknownProcessType, SystemProcessType, // ntoskrnl/ntkrnlpa/... SessionManagerProcessType, // smss WindowsSubsystemProcessType, // csrss WindowsStartupProcessType, // wininit ServiceControlManagerProcessType, // services LocalSecurityAuthorityProcessType, // lsass LocalSessionManagerProcessType, // lsm WindowsLogonProcessType, // winlogon ServiceHostProcessType, // svchost RunDllAsAppProcessType, // rundll32 ComSurrogateProcessType, // dllhost TaskHostProcessType, // taskeng, taskhost, taskhostex ExplorerProcessType, // explorer UmdfHostProcessType, // wudfhost NtVdmHostProcessType, // ntvdm //EdgeProcessType, // Microsoft Edge WmiProviderHostType, MaximumProcessType, KnownProcessTypeMask = 0xffff, KnownProcessWow64 = 0x20000 } PH_KNOWN_PROCESS_TYPE; PHAPPAPI NTSTATUS NTAPI PhGetProcessKnownType( _In_ HANDLE ProcessHandle, _Out_ PH_KNOWN_PROCESS_TYPE *KnownProcessType ); PHAPPAPI PH_KNOWN_PROCESS_TYPE NTAPI PhGetProcessKnownTypeEx( _In_opt_ HANDLE ProcessId, _In_ PPH_STRING FileName ); typedef union _PH_KNOWN_PROCESS_COMMAND_LINE { struct { PPH_STRING GroupName; } ServiceHost; struct { PPH_STRING FileName; PPH_STRING ProcedureName; } RunDllAsApp; struct { GUID Guid; PPH_STRING Name; // optional PPH_STRING FileName; // optional } ComSurrogate; } PH_KNOWN_PROCESS_COMMAND_LINE, *PPH_KNOWN_PROCESS_COMMAND_LINE; _Success_(return) PHAPPAPI BOOLEAN NTAPI PhaGetProcessKnownCommandLine( _In_ PPH_STRING CommandLine, _In_ PH_KNOWN_PROCESS_TYPE KnownProcessType, _Out_ PPH_KNOWN_PROCESS_COMMAND_LINE KnownCommandLine ); // end_phapppub PPH_STRING PhEscapeStringForDelimiter( _In_ PPH_STRING String, _In_ WCHAR Delimiter ); PPH_STRING PhUnescapeStringForDelimiter( _In_ PPH_STRING String, _In_ WCHAR Delimiter ); // begin_phapppub PHAPPAPI VOID NTAPI PhSearchOnlineString( _In_ HWND WindowHandle, _In_ PCWSTR String ); PHAPPAPI VOID NTAPI PhShellExecuteUserString( _In_ HWND WindowHandle, _In_ PCWSTR Setting, _In_ PCWSTR String, _In_ BOOLEAN UseShellExecute, _In_opt_ PCWSTR ErrorMessage ); PHAPPAPI VOID NTAPI PhLoadSymbolProviderOptions( _Inout_ PPH_SYMBOL_PROVIDER SymbolProvider ); PHAPPAPI VOID NTAPI PhCopyListViewInfoTip( _Inout_ LPNMLVGETINFOTIP GetInfoTip, _In_ PPH_STRINGREF Tip ); PHAPPAPI VOID NTAPI PhCopyListView( _In_ HWND ListViewHandle ); PHAPPAPI VOID NTAPI PhHandleListViewNotifyForCopy( _In_ LPARAM lParam, _In_ HWND ListViewHandle ); #define PH_LIST_VIEW_CTRL_C_BEHAVIOR 0x1 #define PH_LIST_VIEW_CTRL_A_BEHAVIOR 0x2 #define PH_LIST_VIEW_DEFAULT_1_BEHAVIORS (PH_LIST_VIEW_CTRL_C_BEHAVIOR | PH_LIST_VIEW_CTRL_A_BEHAVIOR) PHAPPAPI VOID NTAPI PhHandleListViewNotifyBehaviors( _In_ LPARAM lParam, _In_ HWND ListViewHandle, _In_ ULONG Behaviors ); PHAPPAPI BOOLEAN NTAPI PhGetListViewContextMenuPoint( _In_ HWND ListViewHandle, _Out_ PPOINT Point ); // end_phapppub VOID PhSetWindowOpacity( _In_ HWND WindowHandle, _In_ ULONG OpacityPercent ); #define PH_OPACITY_TO_ID(Opacity) (ID_OPACITY_10 + (10 - (Opacity) / 10) - 1) #define PH_ID_TO_OPACITY(Id) (100 - (((Id) - ID_OPACITY_10) + 1) * 10) // begin_phapppub PHAPPAPI PPH_STRING NTAPI PhGetPhVersion( VOID ); PHAPPAPI VOID NTAPI PhGetPhVersionNumbers( _Out_opt_ PULONG MajorVersion, _Out_opt_ PULONG MinorVersion, _Out_opt_ PULONG BuildNumber, _Out_opt_ PULONG RevisionNumber ); PHAPPAPI PPH_STRING NTAPI PhGetPhVersionHash( VOID ); typedef enum _PH_RELEASE_CHANNEL { PhReleaseChannel = 0, PhPreviewChannel = 1, // unused, reserved PhCanaryChannel = 2, PhDeveloperChannel = 3, PhInvalidChannel = ULONG_MAX, } PH_RELEASE_CHANNEL, *PPH_RELEASE_CHANNEL; PHAPPAPI PH_RELEASE_CHANNEL NTAPI PhGetPhReleaseChannel( VOID ); PHAPPAPI PCWSTR NTAPI PhGetPhReleaseChannelString( VOID ); PHAPPAPI VOID NTAPI PhWritePhTextHeader( _Inout_ PPH_FILE_STREAM FileStream ); #define PH_SHELL_APP_PROPAGATE_PARAMETERS 0x1 #define PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY 0x2 PHAPPAPI NTSTATUS NTAPI PhShellProcessHacker( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Parameters, _In_ ULONG ShowWindowType, _In_ ULONG Flags, _In_ ULONG AppFlags, _In_opt_ ULONG Timeout, _Out_opt_ PHANDLE ProcessHandle ); // end_phapppub NTSTATUS PhShellProcessHackerEx( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR FileName, _In_opt_ PCWSTR Parameters, _In_ ULONG ShowWindowType, _In_ ULONG Flags, _In_ ULONG AppFlags, _In_opt_ ULONG Timeout, _Out_opt_ PHANDLE ProcessHandle ); BOOLEAN PhCreateProcessIgnoreIfeoDebugger( _In_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine ); // begin_phapppub typedef struct _PH_EMENU_ITEM* PPH_EMENU_ITEM; typedef struct _PH_TN_COLUMN_MENU_DATA { HWND TreeNewHandle; PPH_TREENEW_HEADER_MOUSE_EVENT MouseEvent; ULONG DefaultSortColumn; PH_SORT_ORDER DefaultSortOrder; PPH_EMENU_ITEM Menu; PPH_EMENU_ITEM Selection; ULONG ProcessedId; } PH_TN_COLUMN_MENU_DATA, *PPH_TN_COLUMN_MENU_DATA; #define PH_TN_COLUMN_MENU_HIDE_COLUMN_ID ((ULONG)-1) #define PH_TN_COLUMN_MENU_CHOOSE_COLUMNS_ID ((ULONG)-2) #define PH_TN_COLUMN_MENU_SIZE_COLUMN_TO_FIT_ID ((ULONG)-3) #define PH_TN_COLUMN_MENU_SIZE_ALL_COLUMNS_TO_FIT_ID ((ULONG)-4) #define PH_TN_COLUMN_MENU_RESET_SORT_ID ((ULONG)-5) PHAPPAPI VOID NTAPI PhInitializeTreeNewColumnMenu( _Inout_ PPH_TN_COLUMN_MENU_DATA Data ); #define PH_TN_COLUMN_MENU_NO_VISIBILITY 0x1 #define PH_TN_COLUMN_MENU_SHOW_RESET_SORT 0x2 PHAPPAPI VOID NTAPI PhInitializeTreeNewColumnMenuEx( _Inout_ PPH_TN_COLUMN_MENU_DATA Data, _In_ ULONG Flags ); PHAPPAPI BOOLEAN NTAPI PhHandleTreeNewColumnMenu( _Inout_ PPH_TN_COLUMN_MENU_DATA Data ); PHAPPAPI VOID NTAPI PhDeleteTreeNewColumnMenu( _In_ PPH_TN_COLUMN_MENU_DATA Data ); typedef struct _PH_TN_FILTER_SUPPORT { PPH_LIST FilterList; HWND TreeNewHandle; PPH_LIST NodeList; } PH_TN_FILTER_SUPPORT, *PPH_TN_FILTER_SUPPORT; typedef _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN NTAPI PH_TN_FILTER_FUNCTION( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ); typedef PH_TN_FILTER_FUNCTION* PPH_TN_FILTER_FUNCTION; typedef struct _PH_TN_FILTER_ENTRY { PPH_TN_FILTER_FUNCTION Filter; PVOID Context; } PH_TN_FILTER_ENTRY, *PPH_TN_FILTER_ENTRY; PHAPPAPI VOID NTAPI PhInitializeTreeNewFilterSupport( _Out_ PPH_TN_FILTER_SUPPORT Support, _In_ HWND TreeNewHandle, _In_ PPH_LIST NodeList ); PHAPPAPI VOID NTAPI PhDeleteTreeNewFilterSupport( _In_ PPH_TN_FILTER_SUPPORT Support ); PHAPPAPI PPH_TN_FILTER_ENTRY NTAPI PhAddTreeNewFilter( _In_ PPH_TN_FILTER_SUPPORT Support, _In_ PPH_TN_FILTER_FUNCTION Filter, _In_opt_ PVOID Context ); PHAPPAPI VOID NTAPI PhRemoveTreeNewFilter( _In_ PPH_TN_FILTER_SUPPORT Support, _In_ PPH_TN_FILTER_ENTRY Entry ); PHAPPAPI BOOLEAN NTAPI PhApplyTreeNewFiltersToNode( _In_ PPH_TN_FILTER_SUPPORT Support, _In_ PPH_TREENEW_NODE Node ); PHAPPAPI VOID NTAPI PhApplyTreeNewFilters( _In_ PPH_TN_FILTER_SUPPORT Support ); typedef struct _PH_COPY_CELL_CONTEXT { HWND TreeNewHandle; ULONG Id; // column ID PPH_STRING MenuItemText; } PH_COPY_CELL_CONTEXT, *PPH_COPY_CELL_CONTEXT; PHAPPAPI BOOLEAN NTAPI PhInsertCopyCellEMenuItem( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG InsertAfterId, _In_ HWND TreeNewHandle, _In_ PPH_TREENEW_COLUMN Column ); PHAPPAPI BOOLEAN NTAPI PhHandleCopyCellEMenuItem( _In_ PPH_EMENU_ITEM SelectedItem ); typedef struct _PH_COPY_ITEM_CONTEXT { HWND ListViewHandle; ULONG Id; ULONG SubId; PPH_STRING MenuItemText; } PH_COPY_ITEM_CONTEXT, *PPH_COPY_ITEM_CONTEXT; PHAPPAPI BOOLEAN NTAPI PhInsertCopyListViewEMenuItem( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG InsertAfterId, _In_ HWND ListViewHandle ); PHAPPAPI BOOLEAN NTAPI PhHandleCopyListViewEMenuItem( _In_ PPH_EMENU_ITEM SelectedItem ); PHAPPAPI VOID NTAPI PhShellOpenKey( _In_ HWND WindowHandle, _In_ PPH_STRING KeyName ); PHAPPAPI BOOLEAN NTAPI PhShellOpenKey2( _In_ HWND WindowHandle, _In_ PPH_STRING KeyName ); // end_phapppub PPH_STRING PhPcre2GetErrorMessage( _In_ LONG ErrorCode ); // begin_phapppub PHAPPAPI HBITMAP NTAPI PhGetShieldBitmap( _In_ LONG WindowDpi, _In_opt_ LONG Width, _In_opt_ LONG Height ); PHAPPAPI HICON NTAPI PhGetApplicationIcon( _In_ BOOLEAN SmallIcon ); PHAPPAPI HICON NTAPI PhGetApplicationIconEx( _In_ BOOLEAN SmallIcon, _In_opt_ LONG WindowDpi ); PHAPPAPI VOID NTAPI PhSetApplicationWindowIcon( _In_ HWND WindowHandle ); PHAPPAPI VOID NTAPI PhSetApplicationWindowIconEx( _In_ HWND WindowHandle, _In_opt_ LONG WindowDpi ); PHAPPAPI VOID NTAPI PhSetWindowIcon( _In_ HWND WindowHandle, _In_opt_ HICON SmallIcon, _In_opt_ HICON LargeIcon, _In_ BOOLEAN CleanupIcon ); PHAPPAPI VOID NTAPI PhDestroyWindowIcon( _In_ HWND WindowHandle ); PHAPPAPI VOID NTAPI PhSetStaticWindowIcon( _In_ HWND WindowHandle, _In_opt_ LONG WindowDpi ); PHAPPAPI VOID NTAPI PhDeleteStaticWindowIcon( _In_ HWND WindowHandle ); // end_phapppub #define SI_RUNAS_ADMIN_TASK_NAME ((PH_STRINGREF)PH_STRINGREF_INIT(L"SystemInformerTaskAdmin")) HRESULT PhRunAsAdminTask( _In_ PPH_STRINGREF TaskName ); HRESULT PhDeleteAdminTask( _In_ PPH_STRINGREF TaskName ); HRESULT PhCreateAdminTask( _In_ PPH_STRINGREF TaskName, _In_ PPH_STRINGREF FileName ); NTSTATUS PhRunAsAdminTaskUIAccess( VOID ); // begin_phapppub PHAPPAPI BOOLEAN NTAPI PhWordMatchStringRef( _In_ PPH_STRINGREF SearchText, _In_ PPH_STRINGREF Text ); FORCEINLINE BOOLEAN NTAPI PhWordMatchStringZ( _In_ PPH_STRING SearchText, _In_ PCWSTR Text ) { PH_STRINGREF text; PhInitializeStringRef(&text, Text); return PhWordMatchStringRef(&SearchText->sr, &text); } FORCEINLINE BOOLEAN NTAPI PhWordMatchStringLongHintZ( _In_ PPH_STRING SearchText, _In_ PCWSTR Text ) { PH_STRINGREF text; PhInitializeStringRefLongHint(&text, Text); return PhWordMatchStringRef(&SearchText->sr, &text); } PHAPPAPI PVOID NTAPI PhCreateKsiSettingsBlob( // ksisup.c VOID ); PHAPPAPI NTSTATUS NTAPI PhQueryKphCounters( // ksisup.c _Out_ PULONG64 Duration, _Out_ PULONG64 DurationDown, _Out_ PULONG64 DurationUp ); // end_phapppub #define PH_LOAD_SHARED_ICON_SMALL(BaseAddress, Name, dpiValue) PhLoadIcon(BaseAddress, (Name), PH_LOAD_ICON_SHARED | PH_LOAD_ICON_SIZE_SMALL, 0, 0, dpiValue) // phapppub #define PH_LOAD_SHARED_ICON_LARGE(BaseAddress, Name, dpiValue) PhLoadIcon(BaseAddress, (Name), PH_LOAD_ICON_SHARED | PH_LOAD_ICON_SIZE_LARGE, 0, 0, dpiValue) // phapppub FORCEINLINE PVOID PhpGenericPropertyPageHeader( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ ULONG ContextHash ) { PVOID context; switch (uMsg) { case WM_INITDIALOG: { LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam; context = (PVOID)propSheetPage->lParam; PhSetWindowContext(hwndDlg, ContextHash, context); } break; case WM_NCDESTROY: { context = PhGetWindowContext(hwndDlg, ContextHash); PhRemoveWindowContext(hwndDlg, ContextHash); } break; default: { context = PhGetWindowContext(hwndDlg, ContextHash); } break; } return context; } #define SWP_NO_ACTIVATE_MOVE_SIZE_ZORDER (SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE | SWP_NOZORDER) #define SWP_SHOWWINDOW_ONLY (SWP_NO_ACTIVATE_MOVE_SIZE_ZORDER | SWP_SHOWWINDOW) #define SWP_HIDEWINDOW_ONLY (SWP_NO_ACTIVATE_MOVE_SIZE_ZORDER | SWP_HIDEWINDOW) #endif ================================================ FILE: SystemInformer/include/colmgr.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2015 * dmex 2023-2024 * */ #ifndef PH_COLMGR_H #define PH_COLMGR_H #define PH_CM_ORDER_LIMIT 160 // begin_phapppub typedef _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG NTAPI PH_CM_POST_SORT_FUNCTION( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); typedef PH_CM_POST_SORT_FUNCTION* PPH_CM_POST_SORT_FUNCTION; // end_phapppub typedef struct _PH_CM_MANAGER { HWND Handle; ULONG MinId; ULONG NextId; PPH_CM_POST_SORT_FUNCTION PostSortFunction; LIST_ENTRY ColumnListHead; PPH_LIST NotifyList; } PH_CM_MANAGER, *PPH_CM_MANAGER; typedef struct _PH_PLUGIN PH_PLUGIN, *PPH_PLUGIN; typedef struct _PH_CM_COLUMN { LIST_ENTRY ListEntry; ULONG Id; PPH_PLUGIN Plugin; ULONG SubId; PVOID Context; PVOID SortFunction; } PH_CM_COLUMN, *PPH_CM_COLUMN; VOID PhCmInitializeManager( _Out_ PPH_CM_MANAGER Manager, _In_ HWND Handle, _In_ ULONG MinId, _In_ PPH_CM_POST_SORT_FUNCTION PostSortFunction ); VOID PhCmDeleteManager( _In_ PPH_CM_MANAGER Manager ); PPH_CM_COLUMN PhCmCreateColumn( _Inout_ PPH_CM_MANAGER Manager, _In_ PPH_TREENEW_COLUMN Column, _In_ PPH_PLUGIN Plugin, _In_ ULONG SubId, _In_opt_ PVOID Context, _In_opt_ PVOID SortFunction ); PPH_CM_COLUMN PhCmFindColumn( _In_ PPH_CM_MANAGER Manager, _In_ PCPH_STRINGREF PluginName, _In_ ULONG SubId ); VOID PhCmSetNotifyPlugin( _In_ PPH_CM_MANAGER Manager, _In_ PPH_PLUGIN Plugin ); BOOLEAN PhCmForwardMessage( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PPH_CM_MANAGER Manager ); BOOLEAN PhCmForwardSort( _In_ PPH_TREENEW_NODE *Nodes, _In_ ULONG NumberOfNodes, _In_ ULONG SortColumn, _In_ PH_SORT_ORDER SortOrder, _In_ PPH_CM_MANAGER Manager ); // begin_phapppub PHAPPAPI BOOLEAN NTAPI PhCmLoadSettings( _In_ HWND TreeNewHandle, _In_ PCPH_STRINGREF Settings ); // end_phapppub #define PH_CM_COLUMN_WIDTHS_ONLY 0x1 BOOLEAN PhCmLoadSettingsEx( _In_ HWND TreeNewHandle, _In_opt_ PPH_CM_MANAGER Manager, _In_ ULONG Flags, _In_ PCPH_STRINGREF Settings, _In_opt_ PCPH_STRINGREF SortSettings ); // begin_phapppub PHAPPAPI PPH_STRING NTAPI PhCmSaveSettings( _In_ HWND TreeNewHandle ); // end_phapppub PPH_STRING PhCmSaveSettingsEx( _In_ HWND TreeNewHandle, _In_opt_ PPH_CM_MANAGER Manager, _In_ ULONG Flags, _Out_opt_ PPH_STRING *SortSettings ); #endif ================================================ FILE: SystemInformer/include/colsetmgr.h ================================================ #ifndef PH_COLSETMGR_H #define PH_COLSETMGR_H typedef struct _PH_COLUMN_SET_ENTRY { PPH_STRING Name; PPH_STRING Setting; PPH_STRING Sorting; } PH_COLUMN_SET_ENTRY, *PPH_COLUMN_SET_ENTRY; PPH_LIST PhInitializeColumnSetList( _In_ PCWSTR SettingName ); VOID PhDeleteColumnSetList( _In_ PPH_LIST ColumnSetList ); _Success_(return) BOOLEAN PhLoadSettingsColumnSet( _In_ PCWSTR SettingName, _In_ PPH_STRING ColumnSetName, _Out_ PPH_STRING *TreeListSettings, _Out_ PPH_STRING *TreeSortSettings ); VOID PhSaveSettingsColumnSet( _In_ PCWSTR SettingName, _In_ PPH_STRING ColumnSetName, _In_ PPH_STRING TreeListSettings, _In_ PPH_STRING TreeSortSettings ); // Column Set Editor Dialog VOID PhShowColumnSetEditorDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR SettingName ); #endif ================================================ FILE: SystemInformer/include/devprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2023 * */ #ifndef _DEVICEPRV_H_ #define _DEVICEPRV_H_ #include // begin_phapppub extern PPH_OBJECT_TYPE PhDeviceTreeType; extern PPH_OBJECT_TYPE PhDeviceItemType; extern PPH_OBJECT_TYPE PhDeviceNotifyType; typedef enum _PH_DEVICE_PROPERTY_CLASS { PhDevicePropertyName, PhDevicePropertyManufacturer, PhDevicePropertyService, PhDevicePropertyClass, PhDevicePropertyEnumeratorName, PhDevicePropertyInstallDate, PhDevicePropertyFirstInstallDate, PhDevicePropertyLastArrivalDate, PhDevicePropertyLastRemovalDate, PhDevicePropertyDeviceDesc, PhDevicePropertyFriendlyName, PhDevicePropertyInstanceId, PhDevicePropertyParentInstanceId, PhDevicePropertyPDOName, PhDevicePropertyLocationInfo, PhDevicePropertyClassGuid, PhDevicePropertyDriver, PhDevicePropertyDriverVersion, PhDevicePropertyDriverDate, PhDevicePropertyFirmwareDate, PhDevicePropertyFirmwareVersion, PhDevicePropertyFirmwareRevision, PhDevicePropertyHasProblem, PhDevicePropertyProblemCode, PhDevicePropertyProblemStatus, PhDevicePropertyDevNodeStatus, PhDevicePropertyDevCapabilities, PhDevicePropertyUpperFilters, PhDevicePropertyLowerFilters, PhDevicePropertyHardwareIds, PhDevicePropertyCompatibleIds, PhDevicePropertyConfigFlags, PhDevicePropertyUINumber, PhDevicePropertyBusTypeGuid, PhDevicePropertyLegacyBusType, PhDevicePropertyBusNumber, PhDevicePropertySecurity, PhDevicePropertySecuritySDS, PhDevicePropertyDevType, PhDevicePropertyExclusive, PhDevicePropertyCharacteristics, PhDevicePropertyAddress, PhDevicePropertyPowerData, PhDevicePropertyRemovalPolicy, PhDevicePropertyRemovalPolicyDefault, PhDevicePropertyRemovalPolicyOverride, PhDevicePropertyInstallState, PhDevicePropertyLocationPaths, PhDevicePropertyBaseContainerId, PhDevicePropertyEjectionRelations, PhDevicePropertyRemovalRelations, PhDevicePropertyPowerRelations, PhDevicePropertyBusRelations, PhDevicePropertyChildren, PhDevicePropertySiblings, PhDevicePropertyTransportRelations, PhDevicePropertyReported, PhDevicePropertyLegacy, PhDevicePropertyContainerId, PhDevicePropertyInLocalMachineContainer, PhDevicePropertyModel, PhDevicePropertyModelId, PhDevicePropertyFriendlyNameAttributes, PhDevicePropertyManufacturerAttributes, PhDevicePropertyPresenceNotForDevice, PhDevicePropertySignalStrength, PhDevicePropertyIsAssociateableByUserAction, PhDevicePropertyShowInUninstallUI, PhDevicePropertyNumaProximityDomain, PhDevicePropertyDHPRebalancePolicy, PhDevicePropertyNumaNode, PhDevicePropertyBusReportedDeviceDesc, PhDevicePropertyIsPresent, PhDevicePropertyConfigurationId, PhDevicePropertyReportedDeviceIdsHash, PhDevicePropertyPhysicalDeviceLocation, PhDevicePropertyBiosDeviceName, PhDevicePropertyDriverProblemDesc, PhDevicePropertyDebuggerSafe, PhDevicePropertyPostInstallInProgress, PhDevicePropertyStack, PhDevicePropertyExtendedConfigurationIds, PhDevicePropertyIsRebootRequired, PhDevicePropertyDependencyProviders, PhDevicePropertyDependencyDependents, PhDevicePropertySoftRestartSupported, PhDevicePropertyExtendedAddress, PhDevicePropertyAssignedToGuest, PhDevicePropertyCreatorProcessId, PhDevicePropertyFirmwareVendor, PhDevicePropertySessionId, PhDevicePropertyDriverDesc, PhDevicePropertyDriverInfPath, PhDevicePropertyDriverInfSection, PhDevicePropertyDriverInfSectionExt, PhDevicePropertyMatchingDeviceId, PhDevicePropertyDriverProvider, PhDevicePropertyDriverPropPageProvider, PhDevicePropertyDriverCoInstallers, PhDevicePropertyResourcePickerTags, PhDevicePropertyResourcePickerExceptions, PhDevicePropertyDriverRank, PhDevicePropertyDriverLogoLevel, PhDevicePropertyNoConnectSound, PhDevicePropertyGenericDriverInstalled, PhDevicePropertyAdditionalSoftwareRequested, PhDevicePropertySafeRemovalRequired, PhDevicePropertySafeRemovalRequiredOverride, PhDevicePropertyPkgModel, PhDevicePropertyPkgVendorWebSite, PhDevicePropertyPkgDetailedDescription, PhDevicePropertyPkgDocumentationLink, PhDevicePropertyPkgIcon, PhDevicePropertyPkgBrandingIcon, PhDevicePropertyClassUpperFilters, PhDevicePropertyClassLowerFilters, PhDevicePropertyClassSecurity, PhDevicePropertyClassSecuritySDS, PhDevicePropertyClassDevType, PhDevicePropertyClassExclusive, PhDevicePropertyClassCharacteristics, PhDevicePropertyClassName, PhDevicePropertyClassClassName, PhDevicePropertyClassIcon, PhDevicePropertyClassClassInstaller, PhDevicePropertyClassPropPageProvider, PhDevicePropertyClassNoInstallClass, PhDevicePropertyClassNoDisplayClass, PhDevicePropertyClassSilentInstall, PhDevicePropertyClassNoUseClass, PhDevicePropertyClassDefaultService, PhDevicePropertyClassIconPath, PhDevicePropertyClassDHPRebalanceOptOut, PhDevicePropertyClassClassCoInstallers, PhDevicePropertyInterfaceFriendlyName, PhDevicePropertyInterfaceEnabled, PhDevicePropertyInterfaceClassGuid, PhDevicePropertyInterfaceReferenceString, PhDevicePropertyInterfaceRestricted, PhDevicePropertyInterfaceUnrestrictedAppCapabilities, PhDevicePropertyInterfaceSchematicName, PhDevicePropertyInterfaceClassDefaultInterface, PhDevicePropertyInterfaceClassName, PhDevicePropertyContainerAddress, PhDevicePropertyContainerDiscoveryMethod, PhDevicePropertyContainerIsEncrypted, PhDevicePropertyContainerIsAuthenticated, PhDevicePropertyContainerIsConnected, PhDevicePropertyContainerIsPaired, PhDevicePropertyContainerIcon, PhDevicePropertyContainerVersion, PhDevicePropertyContainerLastSeen, PhDevicePropertyContainerLastConnected, PhDevicePropertyContainerIsShowInDisconnectedState, PhDevicePropertyContainerIsLocalMachine, PhDevicePropertyContainerMetadataPath, PhDevicePropertyContainerIsMetadataSearchInProgress, PhDevicePropertyContainerIsMetadataChecksum, PhDevicePropertyContainerIsNotInterestingForDisplay, PhDevicePropertyContainerLaunchDeviceStageOnDeviceConnect, PhDevicePropertyContainerLaunchDeviceStageFromExplorer, PhDevicePropertyContainerBaselineExperienceId, PhDevicePropertyContainerIsDeviceUniquelyIdentifiable, PhDevicePropertyContainerAssociationArray, PhDevicePropertyContainerDeviceDescription1, PhDevicePropertyContainerDeviceDescription2, PhDevicePropertyContainerHasProblem, PhDevicePropertyContainerIsSharedDevice, PhDevicePropertyContainerIsNetworkDevice, PhDevicePropertyContainerIsDefaultDevice, PhDevicePropertyContainerMetadataCabinet, PhDevicePropertyContainerRequiresPairingElevation, PhDevicePropertyContainerExperienceId, PhDevicePropertyContainerCategory, PhDevicePropertyContainerCategoryDescSingular, PhDevicePropertyContainerCategoryDescPlural, PhDevicePropertyContainerCategoryIcon, PhDevicePropertyContainerCategoryGroupDesc, PhDevicePropertyContainerCategoryGroupIcon, PhDevicePropertyContainerPrimaryCategory, PhDevicePropertyContainerUnpairUninstall, PhDevicePropertyContainerRequiresUninstallElevation, PhDevicePropertyContainerDeviceFunctionSubRank, PhDevicePropertyContainerAlwaysShowDeviceAsConnected, PhDevicePropertyContainerConfigFlags, PhDevicePropertyContainerPrivilegedPackageFamilyNames, PhDevicePropertyContainerCustomPrivilegedPackageFamilyNames, PhDevicePropertyContainerIsRebootRequired, PhDevicePropertyContainerFriendlyName, PhDevicePropertyContainerManufacturer, PhDevicePropertyContainerModelName, PhDevicePropertyContainerModelNumber, PhDevicePropertyContainerInstallInProgress, PhDevicePropertyObjectType, PhDevicePropertyPciDeviceType, PhDevicePropertyPciCurrentSpeedAndMode, PhDevicePropertyPciBaseClass, PhDevicePropertyPciSubClass, PhDevicePropertyPciProgIf, PhDevicePropertyPciCurrentPayloadSize, PhDevicePropertyPciMaxPayloadSize, PhDevicePropertyPciMaxReadRequestSize, PhDevicePropertyPciCurrentLinkSpeed, PhDevicePropertyPciCurrentLinkWidth, PhDevicePropertyPciMaxLinkSpeed, PhDevicePropertyPciMaxLinkWidth, PhDevicePropertyPciExpressSpecVersion, PhDevicePropertyPciInterruptSupport, PhDevicePropertyPciInterruptMessageMaximum, PhDevicePropertyPciBarTypes, PhDevicePropertyPciSriovSupport, PhDevicePropertyPciLabel_Id, PhDevicePropertyPciLabel_String, PhDevicePropertyPciSerialNumber, PhDevicePropertyPciExpressCapabilityControl, PhDevicePropertyPciNativeExpressControl, PhDevicePropertyPciSystemMsiSupport, PhDevicePropertyStoragePortable, PhDevicePropertyStorageRemovableMedia, PhDevicePropertyStorageSystemCritical, PhDevicePropertyStorageDiskNumber, PhDevicePropertyStoragePartitionNumber, PhDevicePropertyGpuLuid, PhDevicePropertyGpuPhysicalAdapterIndex, PhMaxDeviceProperty } PH_DEVICE_PROPERTY_CLASS, *PPH_DEVICE_PROPERTY_CLASS; typedef enum _PH_DEVICE_PROPERTY_TYPE { PhDevicePropertyTypeString, PhDevicePropertyTypeUInt64, PhDevicePropertyTypeInt64, PhDevicePropertyTypeUInt32, PhDevicePropertyTypeInt32, PhDevicePropertyTypeNTSTATUS, PhDevicePropertyTypeGUID, PhDevicePropertyTypeBoolean, PhDevicePropertyTypeTimeStamp, PhDevicePropertyTypeStringList, PhDevicePropertyTypeBinary, PhMaxDevicePropertyType } PH_DEVICE_PROPERTY_TYPE, PPH_DEVICE_PROPERTY_TYPE; C_ASSERT(PhMaxDevicePropertyType <= MAXSHORT); typedef struct _PH_DEVICE_PROPERTY { union { struct { ULONG Type : 16; // PH_DEVICE_PROPERTY_TYPE ULONG Spare : 14; ULONG Initialized : 1; ULONG Valid : 1; }; ULONG State; }; union { PPH_STRING String; ULONG64 UInt64; LONG64 Int64; ULONG UInt32; LONG Int32; NTSTATUS Status; GUID Guid; BOOLEAN Boolean; LARGE_INTEGER TimeStamp; PPH_LIST StringList; struct { ULONG Size; PBYTE Buffer; } Binary; }; PPH_STRING AsString; } PH_DEVICE_PROPERTY, *PPH_DEVICE_PROPERTY; // end_phapppub typedef struct _PH_DEVINFO { HDEVINFO Handle; } PH_DEVINFO, *PPH_DEVINFO; typedef struct _PH_DEVINFO_DATA { BOOLEAN Interface; union { SP_DEVINFO_DATA DeviceData; SP_DEVICE_INTERFACE_DATA InterfaceData; }; } PH_DEVINFO_DATA, *PPH_DEVINFO_DATA; // begin_phapppub typedef struct _PH_DEVICE_ITEM { struct _PH_DEVICE_TREE* Tree; struct _PH_DEVICE_ITEM* Parent; struct _PH_DEVICE_ITEM* Sibling; struct _PH_DEVICE_ITEM* Child; GUID ClassGuid; ULONG InstanceIdHash; PPH_STRING InstanceId; PPH_STRING ParentInstanceId; ULONG ProblemCode; ULONG DevNodeStatus; ULONG Capabilities; ULONG ChildrenCount; ULONG InterfaceCount; union { struct { ULONG HasUpperFilters : 1; ULONG HasLowerFilters : 1; ULONG DeviceInterface : 1; ULONG Spare : 29; }; ULONG Flags; }; PH_DEVICE_PROPERTY Properties[PhMaxDeviceProperty]; // end_phapppub PPH_DEVINFO DeviceInfo; PH_DEVINFO_DATA DeviceInfoData; // begin_phapppub } PH_DEVICE_ITEM, *PPH_DEVICE_ITEM; typedef struct _PH_DEVICE_TREE { PPH_DEVICE_ITEM Root; PPH_LIST DeviceList; PPH_LIST DeviceInterfaceList; // end_phapppub PPH_DEVINFO DeviceInfo; // begin_phapppub } PH_DEVICE_TREE, *PPH_DEVICE_TREE; _Function_class_(PH_DEVICE_ENUM_RESOURCES_CALLBACK) typedef BOOLEAN NTAPI PH_DEVICE_ENUM_RESOURCES_CALLBACK( _In_ ULONG LogicalConfig, _In_ ULONG ResourceId, _In_ PVOID Buffer, _In_ ULONG Length, _In_opt_ PVOID Context ); typedef PH_DEVICE_ENUM_RESOURCES_CALLBACK* PPH_DEVICE_ENUM_RESOURCES_CALLBACK; PHAPPAPI BOOLEAN NTAPI PhEnumDeviceResources( _In_ PPH_DEVICE_ITEM Item, _In_ ULONG LogicalConfig, _In_ PPH_DEVICE_ENUM_RESOURCES_CALLBACK Callback, _In_opt_ PVOID Context ); PHAPPAPI PPH_DEVICE_PROPERTY NTAPI PhGetDeviceProperty( _In_ PPH_DEVICE_ITEM Item, _In_ PH_DEVICE_PROPERTY_CLASS Class ); PHAPPAPI BOOLEAN NTAPI PhLookupDevicePropertyClass( _In_ const DEVPROPKEY* Key, _Out_ PPH_DEVICE_PROPERTY_CLASS Class ); PHAPPAPI HICON NTAPI PhGetDeviceIcon( _In_ PPH_DEVICE_ITEM Item, _In_ PPH_INTEGER_PAIR IconSize ); PHAPPAPI PPH_DEVICE_TREE NTAPI PhReferenceDeviceTree( VOID ); PHAPPAPI PPH_DEVICE_TREE NTAPI PhReferenceDeviceTreeEx( _In_ BOOLEAN ForceRefresh ); PHAPPAPI _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM NTAPI PhLookupDeviceItemByHash( _In_ PPH_DEVICE_TREE Tree, _In_ ULONG InstanceIdHash ); PHAPPAPI _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM NTAPI PhLookupDeviceItem( _In_ PPH_DEVICE_TREE Tree, _In_ PPH_STRINGREF InstanceId ); PHAPPAPI _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM NTAPI PhReferenceDeviceItemByHash( _In_ PPH_DEVICE_TREE Tree, _In_ ULONG InstanceIdHash ); PHAPPAPI _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM NTAPI PhReferenceDeviceItem( _In_ PPH_DEVICE_TREE Tree, _In_ PPH_STRINGREF InstanceId ); PHAPPAPI _Success_(return != NULL) _Must_inspect_result_ PPH_DEVICE_ITEM NTAPI PhReferenceDeviceItem2( _In_ PPH_STRINGREF InstanceId ); typedef enum _PH_DEVICE_NOTIFY_ACTION { PhDeviceNotifyInterfaceArrival, PhDeviceNotifyInterfaceRemoval, PhDeviceNotifyInstanceEnumerated, PhDeviceNotifyInstanceStarted, PhDeviceNotifyInstanceRemoved, } PH_DEVICE_NOTIFY_ACTION, *PPH_DEVICE_NOTIFY_ACTION; typedef struct _PH_DEVICE_NOTIFY { PH_DEVICE_NOTIFY_ACTION Action; union { struct { GUID ClassGuid; } DeviceInterface; // PhDeviceNotifyInterface... struct { PPH_STRING InstanceId; } DeviceInstance; // PhDeviceNotifyInstance... }; // end_phapppub SLIST_ENTRY ListEntry; // begin_phapppub } PH_DEVICE_NOTIFY, *PPH_DEVICE_NOTIFY; PHAPPAPI BOOLEAN NTAPI PhDeviceProviderInitialization( VOID ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/extmgr.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2022 * */ #ifndef PH_EXTMGR_H #define PH_EXTMGR_H // begin_phapppub typedef enum _PH_EM_OBJECT_TYPE { EmProcessItemType, EmProcessNodeType, EmServiceItemType, EmServiceNodeType, EmNetworkItemType, EmNetworkNodeType, EmThreadItemType, EmThreadNodeType, EmModuleItemType, EmModuleNodeType, EmHandleItemType, EmHandleNodeType, EmThreadsContextType, EmModulesContextType, EmHandlesContextType, EmThreadProviderType, EmModuleProviderType, EmHandleProviderType, EmMemoryNodeType, EmMemoryContextType, EmMaximumObjectType } PH_EM_OBJECT_TYPE; typedef enum _PH_EM_OBJECT_OPERATION { EmObjectCreate, EmObjectDelete, EmMaximumObjectOperation } PH_EM_OBJECT_OPERATION; typedef VOID (NTAPI *PPH_EM_OBJECT_CALLBACK)( _In_ PVOID Object, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ PVOID Extension ); // end_phapppub typedef struct _PH_EM_APP_CONTEXT { LIST_ENTRY ListEntry; PH_STRINGREF AppName; struct _PH_EM_OBJECT_EXTENSION *Extensions[EmMaximumObjectType]; } PH_EM_APP_CONTEXT, *PPH_EM_APP_CONTEXT; #endif ================================================ FILE: SystemInformer/include/extmgri.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2013 * dmex 2017-2022 * */ #ifndef PH_EXTMGRI_H #define PH_EXTMGRI_H #include typedef struct _PH_EM_OBJECT_TYPE_STATE { SIZE_T InitialSize; SIZE_T ExtensionOffset; LIST_ENTRY ExtensionListHead; } PH_EM_OBJECT_TYPE_STATE, *PPH_EM_OBJECT_TYPE_STATE; typedef struct _PH_EM_OBJECT_EXTENSION { LIST_ENTRY ListEntry; SIZE_T ExtensionSize; SIZE_T ExtensionOffset; PPH_EM_OBJECT_CALLBACK Callbacks[EmMaximumObjectOperation]; } PH_EM_OBJECT_EXTENSION, *PPH_EM_OBJECT_EXTENSION; VOID PhEmInitialization( VOID ); VOID PhEmInitializeAppContext( _Out_ PPH_EM_APP_CONTEXT AppContext, _In_ PCPH_STRINGREF AppName ); VOID PhEmSetObjectExtension( _Inout_ PPH_EM_APP_CONTEXT AppContext, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ SIZE_T ExtensionSize, _In_opt_ PPH_EM_OBJECT_CALLBACK CreateCallback, _In_opt_ PPH_EM_OBJECT_CALLBACK DeleteCallback ); PVOID PhEmGetObject( _In_ PPH_EM_APP_CONTEXT AppContext, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ PVOID Extension ); PVOID PhEmGetObjectExtension( _In_ PPH_EM_APP_CONTEXT AppContext, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ PVOID Object ); SIZE_T PhEmGetObjectSize( _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ SIZE_T InitialSize ); VOID PhEmCallObjectOperation( _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ PVOID Object, _In_ PH_EM_OBJECT_OPERATION Operation ); _Success_(return) BOOLEAN PhEmParseCompoundId( _In_ PCPH_STRINGREF CompoundId, _Out_ PPH_STRINGREF AppName, _Out_ PULONG SubId ); #endif ================================================ FILE: SystemInformer/include/heapstruct.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015-2016 * dmex 2017-2022 * */ #ifndef PH_HEAPSTRUCT_H #define PH_HEAPSTRUCT_H // Not the actual structure, but has the same size. typedef struct _HEAP_ENTRY { PVOID Data1; PVOID Data2; } HEAP_ENTRY, *PHEAP_ENTRY; #define HEAP_SEGMENT_SIGNATURE 0xffeeffee // Windows 7 and above typedef struct _HEAP_SEGMENT { HEAP_ENTRY Entry; ULONG SegmentSignature; ULONG SegmentFlags; LIST_ENTRY SegmentListEntry; struct _HEAP *Heap; PVOID BaseAddress; ULONG NumberOfPages; PHEAP_ENTRY FirstEntry; PHEAP_ENTRY LastValidEntry; ULONG NumberOfUnCommittedPages; ULONG NumberOfUnCommittedRanges; USHORT SegmentAllocatorBackTraceIndex; USHORT Reserved; LIST_ENTRY UCRSegmentList; } HEAP_SEGMENT, *PHEAP_SEGMENT; #define HEAP_SIGNATURE 0xeeffeeff // Windows 7 typedef struct _HEAP_OLD { HEAP_SEGMENT Segment; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY Encoding; ULONG_PTR PointerKey; // Windows 7 only ULONG Interceptor; ULONG VirtualMemoryThreshold; ULONG Signature; // ... } HEAP_OLD, *PHEAP_OLD; // Windows 8 and above typedef struct _HEAP_WIN8 { HEAP_SEGMENT Segment; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY Encoding; ULONG Interceptor; ULONG VirtualMemoryThreshold; ULONG Signature; // ... } HEAP_WIN8, *PHEAP_WIN8; // // Windows 10 and above // typedef struct _RTLP_HEAP_COMMIT_LIMIT_DATA { SIZE_T CommitLimitBytes; SIZE_T CommitLimitFailureCode; } RTLP_HEAP_COMMIT_LIMIT_DATA, *PRTLP_HEAP_COMMIT_LIMIT_DATA; typedef struct _HEAP_PSEUDO_TAG_ENTRY { SIZE_T CommitLimitBytes; SIZE_T CommitLimitFailureCode; } HEAP_PSEUDO_TAG_ENTRY, *PHEAP_PSEUDO_TAG_ENTRY; typedef struct _HEAP_TUNING_PARAMETERS { ULONG CommittThresholdShift; SIZE_T MaxPreCommittThreshold; } HEAP_TUNING_PARAMETERS, *PHEAP_TUNING_PARAMETERS; typedef struct _HEAP_COUNTERS { SIZE_T TotalMemoryReserved; SIZE_T TotalMemoryCommitted; SIZE_T TotalMemoryLargeUCR; SIZE_T TotalSizeInVirtualBlocks; ULONG TotalSegments; ULONG TotalUCRs; ULONG CommittOps; ULONG DeCommitOps; ULONG LockAcquires; ULONG LockCollisions; ULONG CommitRate; ULONG DecommittRate; ULONG CommitFailures; ULONG InBlockCommitFailures; ULONG PollIntervalCounter; ULONG DecommitsSinceLastCheck; ULONG HeapPollInterval; ULONG AllocAndFreeOps; ULONG AllocationIndicesActive; ULONG InBlockDeccommits; SIZE_T InBlockDeccomitSize; SIZE_T HighWatermarkSize; SIZE_T LastPolledSize; } HEAP_COUNTERS, *PHEAP_COUNTERS; typedef struct _HEAP { HEAP_SEGMENT Segment; HEAP_ENTRY Entry; ULONG SegmentSignature; ULONG SegmentFlags; LIST_ENTRY SegmentListEntry; struct _HEAP* Heap; PVOID BaseAddress; ULONG NumberOfPages; PHEAP_ENTRY FirstEntry; PHEAP_ENTRY LastValidEntry; ULONG NumberOfUnCommittedPages; ULONG NumberOfUnCommittedRanges; USHORT SegmentAllocatorBackTraceIndex; USHORT Reserved; LIST_ENTRY UCRSegmentList; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY Encoding; ULONG Interceptor; ULONG VirtualMemoryThreshold; ULONG Signature; SIZE_T SegmentReserve; SIZE_T SegmentCommit; SIZE_T DeCommitFreeBlockThreshold; SIZE_T DeCommitTotalFreeThreshold; SIZE_T TotalFreeSize; SIZE_T MaximumAllocationSize; USHORT ProcessHeapsListIndex; USHORT HeaderValidateLength; PVOID HeaderValidateCopy; USHORT NextAvailableTagIndex; USHORT MaximumTagIndex; struct _HEAP_TAG_ENTRY* TagEntries; LIST_ENTRY UCRList; SIZE_T AlignRound; SIZE_T AlignMask; LIST_ENTRY VirtualAllocdBlocks; LIST_ENTRY SegmentList; USHORT AllocatorBackTraceIndex; ULONG NonDedicatedListLength; PVOID BlocksIndex; PVOID UCRIndex; PHEAP_PSEUDO_TAG_ENTRY PseudoTagEntries; LIST_ENTRY FreeLists; struct _HEAP_LOCK* LockVariable; long (*CommitRoutine)(void); RTL_RUN_ONCE StackTraceInitVar; RTLP_HEAP_COMMIT_LIMIT_DATA CommitLimitData; PVOID UserContext; ULONG_PTR Spare; PVOID FrontEndHeap; USHORT FrontHeapLockCount; UCHAR FrontEndHeapType; UCHAR RequestedFrontEndHeapType; PUSHORT FrontEndHeapUsageData; USHORT FrontEndHeapMaximumIndex; UCHAR FrontEndHeapStatusBitmap[129]; UCHAR ReadOnly : 1; UCHAR InternalFlags; HEAP_COUNTERS Counters; HEAP_TUNING_PARAMETERS TuningParameters; } HEAP; #define SEGMENT_HEAP_SIGNATURE 0xddeeddee // Windows 8.1 and above typedef struct _SEGMENT_HEAP_WIN8 { ULONG_PTR Padding[2]; ULONG Signature; ULONG GlobalFlags; // ... } SEGMENT_HEAP_WIN8, PSEGMENT_HEAP_WIN8; // // Windows 10 and above // typedef struct _RTL_HP_ENV_HANDLE { ULONG_PTR h[2]; } RTL_HP_ENV_HANDLE, PRTL_HP_ENV_HANDLE; typedef struct _HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS { SIZE_T SmallPagesInUseWithinLarge; SIZE_T OpportunisticLargePageCount; } HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS, PHEAP_OPPORTUNISTIC_LARGE_PAGE_STATS; typedef struct _RTL_HP_SEG_ALLOC_POLICY { SIZE_T SmallPagesInUseWithinLarge; SIZE_T OpportunisticLargePageCount; } RTL_HP_SEG_ALLOC_POLICY, PRTL_HP_SEG_ALLOC_POLICY; typedef struct _HEAP_RUNTIME_MEMORY_STATS { SIZE_T TotalReservedPages; SIZE_T TotalCommittedPages; SIZE_T FreeCommittedPages; SIZE_T LfhFreeCommittedPages; SIZE_T VsFreeCommittedPages; HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS LargePageStats[2]; RTL_HP_SEG_ALLOC_POLICY LargePageUtilizationPolicy; } HEAP_RUNTIME_MEMORY_STATS, PHEAP_RUNTIME_MEMORY_STATS; typedef struct _SEGMENT_HEAP { RTL_HP_ENV_HANDLE EnvHandle; ULONG Signature; ULONG GlobalFlags; ULONG Interceptor; USHORT ProcessHeapListIndex; struct { USHORT AllocatedFromMetadata : 1; USHORT ReadOnly : 1; USHORT InternalFlags : 14; }; RTLP_HEAP_COMMIT_LIMIT_DATA CommitLimitData; SIZE_T ReservedMustBeZero; PVOID UserContext; SIZE_T LargeMetadataLock; RTL_RB_TREE LargeAllocMetadata; SIZE_T LargeReservedPages; SIZE_T LargeCommittedPages; SIZE_T Tag; RTL_RUN_ONCE StackTraceInitVar; HEAP_RUNTIME_MEMORY_STATS MemStats; ULONG GlobalLockOwner; SIZE_T ContextExtendLock; PBYTE AllocatedBase; PBYTE UncommittedBase; PBYTE ReservedLimit; PBYTE ReservedRegionEnd; //RTL_HP_HEAP_VA_CALLBACKS_ENCODED CallbacksEncoded; //HEAP_SEG_CONTEXT SegContexts[2]; //HEAP_VS_CONTEXT VsContext; //HEAP_LFH_CONTEXT LfhContext; } SEGMENT_HEAP, PSEGMENT_HEAP; // // 32-bit versions // typedef struct _HEAP_ENTRY32 { WOW64_POINTER(PVOID) Data1; WOW64_POINTER(PVOID) Data2; } HEAP_ENTRY32, *PHEAP_ENTRY32; typedef struct _HEAP_SEGMENT32 { HEAP_ENTRY32 HeapEntry; ULONG SegmentSignature; ULONG SegmentFlags; LIST_ENTRY32 SegmentListEntry; WOW64_POINTER(struct _HEAP32 *) Heap; WOW64_POINTER(PVOID) BaseAddress; ULONG NumberOfPages; WOW64_POINTER(PHEAP_ENTRY32) FirstEntry; WOW64_POINTER(PHEAP_ENTRY32) LastValidEntry; ULONG NumberOfUnCommittedPages; ULONG NumberOfUnCommittedRanges; USHORT SegmentAllocatorBackTraceIndex; USHORT Reserved; LIST_ENTRY32 UCRSegmentList; } HEAP_SEGMENT32, *PHEAP_SEGMENT32; typedef struct _HEAP_OLD32 { HEAP_SEGMENT32 Segment; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY32 Encoding; WOW64_POINTER(ULONG_PTR) PointerKey; ULONG Interceptor; ULONG VirtualMemoryThreshold; ULONG Signature; // ... } HEAP_OLD32, *PHEAP_OLD32; typedef struct _HEAP32 { HEAP_SEGMENT32 Segment; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY32 Encoding; ULONG Interceptor; ULONG VirtualMemoryThreshold; ULONG Signature; // ... } HEAP32, *PHEAP32; typedef struct _SEGMENT_HEAP32 { WOW64_POINTER(ULONG_PTR) Padding[2]; ULONG Signature; ULONG GlobalFlags; // ... } SEGMENT_HEAP32, PSEGMENT_HEAP32; typedef union _PH_ANY_HEAP { HEAP_OLD HeapOld; HEAP_OLD32 HeapOld32; HEAP Heap; HEAP32 Heap32; SEGMENT_HEAP SegmentHeap; SEGMENT_HEAP32 SegmentHeap32; } PH_ANY_HEAP; #define HEAP_SEGMENT_MAX_SIZE \ (max(sizeof(HEAP_SEGMENT), sizeof(HEAP_SEGMENT32))) #endif ================================================ FILE: SystemInformer/include/hidnproc.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2015 * dmex 2017-2024 * */ #ifndef PH_HIDNPROC_H #define PH_HIDNPROC_H typedef enum _PH_ZOMBIE_PROCESS_METHOD { BruteForceScanMethod, CsrHandlesScanMethod, ProcessHandleScanMethod, RegistryScanMethod, EtwGuidScanMethod, NtdllScanMethod, } PH_ZOMBIE_PROCESS_METHOD; typedef enum _PH_ZOMBIE_PROCESS_TYPE { UnknownProcess, NormalProcess, ZombieProcess, TerminatedProcess } PH_ZOMBIE_PROCESS_TYPE; typedef struct _PH_ZOMBIE_PROCESS_ENTRY { HANDLE ProcessId; PPH_STRING FileName; PH_ZOMBIE_PROCESS_TYPE Type; } PH_ZOMBIE_PROCESS_ENTRY, *PPH_ZOMBIE_PROCESS_ENTRY; typedef struct _PH_CSR_HANDLE_INFO { HANDLE CsrProcessHandle; HANDLE Handle; BOOLEAN IsThreadHandle; HANDLE ProcessId; } PH_CSR_HANDLE_INFO, *PPH_CSR_HANDLE_INFO; typedef BOOLEAN (NTAPI *PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK)( _In_ PPH_ZOMBIE_PROCESS_ENTRY Process, _In_opt_ PVOID Context ); NTSTATUS NTAPI PhEnumZombieProcesses( _In_ PH_ZOMBIE_PROCESS_METHOD Method, _In_ PPH_ENUM_ZOMBIE_PROCESSES_CALLBACK Callback, _In_opt_ PVOID Context ); typedef BOOLEAN (NTAPI *PPH_ENUM_CSR_PROCESS_HANDLES_CALLBACK)( _In_ PPH_CSR_HANDLE_INFO Handle, _In_opt_ PVOID Context ); NTSTATUS NTAPI PhEnumCsrProcessHandles( _In_ PPH_ENUM_CSR_PROCESS_HANDLES_CALLBACK Callback, _In_opt_ PVOID Context ); NTSTATUS NTAPI PhOpenProcessByCsrHandle( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_CSR_HANDLE_INFO Handle ); NTSTATUS NTAPI PhOpenProcessByCsrHandles( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ); #endif ================================================ FILE: SystemInformer/include/hndllist.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2016-2023 * */ #ifndef PH_HNDLLIST_H #define PH_HNDLLIST_H #include #include // Columns #define PHHNTLC_TYPE 0 #define PHHNTLC_NAME 1 #define PHHNTLC_HANDLE 2 #define PHHNTLC_OBJECTADDRESS 3 #define PHHNTLC_ATTRIBUTES 4 #define PHHNTLC_GRANTEDACCESS 5 #define PHHNTLC_GRANTEDACCESSSYMBOLIC 6 #define PHHNTLC_ORIGINALNAME 7 #define PHHNTLC_FILESHAREACCESS 8 #define PHHNTLC_HANDLEVALUE 9 #define PHHNTLC_HANDLECOUNT 10 #define PHHNTLC_POINTERCOUNT 11 #define PHHNTLC_PAGEDSIZE 12 #define PHHNTLC_NONPAGEDSIZE 13 #define PHHNTLC_MAXIMUM 14 // begin_phapppub typedef enum _PH_HANDLE_TREE_MENUITEM { PH_HANDLE_TREE_MENUITEM_NONE, PH_HANDLE_TREE_MENUITEM_HIDE_PROTECTED_HANDLES, PH_HANDLE_TREE_MENUITEM_HIDE_INHERIT_HANDLES, PH_HANDLE_TREE_MENUITEM_HIDE_UNNAMED_HANDLES, PH_HANDLE_TREE_MENUITEM_HIDE_ETW_HANDLES, PH_HANDLE_TREE_MENUITEM_HIGHLIGHT_PROTECTED_HANDLES, PH_HANDLE_TREE_MENUITEM_HIGHLIGHT_INHERIT_HANDLES, PH_HANDLE_TREE_MENUITEM_HANDLESTATS, PH_HANDLE_TREE_MENUITEM_MAXIMUM } PH_HANDLE_TREE_MENUITEM; // end_phapppub // begin_phapppub typedef struct _PH_HANDLE_NODE { PH_TREENEW_NODE Node; PH_SH_STATE ShState; HANDLE Handle; PPH_HANDLE_ITEM HandleItem; // end_phapppub PH_STRINGREF TextCache[PHHNTLC_MAXIMUM]; PPH_STRING GrantedAccessSymbolicText; WCHAR FileShareAccessText[4]; PPH_STRING HandleValue; PPH_STRING HandleCountText; PPH_STRING PointerCountText; PPH_STRING PageSizeText; PPH_STRING NonPageSizeText; // begin_phapppub } PH_HANDLE_NODE, *PPH_HANDLE_NODE; // end_phapppub typedef struct _PH_HANDLE_LIST_CONTEXT { HWND ParentWindowHandle; HWND TreeNewHandle; ULONG TreeNewSortColumn; PH_TN_FILTER_SUPPORT TreeFilterSupport; PH_SORT_ORDER TreeNewSortOrder; PH_CM_MANAGER Cm; BOOLEAN EnableStateHighlighting; union { ULONG Flags; struct { ULONG Reserved : 1; ULONG HideUnnamedHandles : 1; ULONG HideEtwHandles : 1; ULONG HideProtectedHandles : 1; ULONG HideInheritHandles : 1; ULONG Spare : 27; }; }; PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; PPH_POINTER_LIST NodeStateList; } PH_HANDLE_LIST_CONTEXT, *PPH_HANDLE_LIST_CONTEXT; VOID PhInitializeHandleList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_HANDLE_LIST_CONTEXT Context ); VOID PhDeleteHandleList( _In_ PPH_HANDLE_LIST_CONTEXT Context ); VOID PhLoadSettingsHandleList( _Inout_ PPH_HANDLE_LIST_CONTEXT Context ); VOID PhSaveSettingsHandleList( _Inout_ PPH_HANDLE_LIST_CONTEXT Context ); VOID PhSetOptionsHandleList( _Inout_ PPH_HANDLE_LIST_CONTEXT Context, _In_ ULONG Options ); PPH_HANDLE_NODE PhAddHandleNode( _Inout_ PPH_HANDLE_LIST_CONTEXT Context, _In_ PPH_HANDLE_ITEM HandleItem, _In_ ULONG RunId ); PPH_HANDLE_NODE PhFindHandleNode( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ HANDLE Handle ); VOID PhRemoveHandleNode( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ PPH_HANDLE_NODE HandleNode ); VOID PhUpdateHandleNode( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ PPH_HANDLE_NODE HandleNode ); VOID PhExpandAllHandleNodes( _In_ PPH_HANDLE_LIST_CONTEXT Context, _In_ BOOLEAN Expand ); VOID PhTickHandleNodes( _In_ PPH_HANDLE_LIST_CONTEXT Context ); PPH_HANDLE_ITEM PhGetSelectedHandleItem( _In_ PPH_HANDLE_LIST_CONTEXT Context ); VOID PhGetSelectedHandleItems( _In_ PPH_HANDLE_LIST_CONTEXT Context, _Out_ PPH_HANDLE_ITEM **Handles, _Out_ PULONG NumberOfHandles ); VOID PhDeselectAllHandleNodes( _In_ PPH_HANDLE_LIST_CONTEXT Context ); #endif ================================================ FILE: SystemInformer/include/hndlmenu.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #ifndef PH_HNDLMENU_H #define PH_HNDLMENU_H #define PhaAppendCtrlEnter(Text, Enable) ((Enable) ? PhaConcatStrings2((Text), L"\tCtrl+Enter")->Buffer : (Text)) #define PH_MAX_SECTION_EDIT_SIZE (32 * 1024 * 1024) // 32 MB // begin_phapppub typedef struct _PH_HANDLE_ITEM_INFO { HANDLE ProcessId; HANDLE Handle; PPH_STRING TypeName; PPH_STRING BestObjectName; } PH_HANDLE_ITEM_INFO, *PPH_HANDLE_ITEM_INFO; VOID PhInsertHandleObjectPropertiesEMenuItems( _In_ struct _PH_EMENU_ITEM *Menu, _In_ ULONG InsertBeforeId, _In_ BOOLEAN EnableShortcut, _In_ PPH_HANDLE_ITEM_INFO Info ); VOID PhShowHandleObjectProperties1( _In_ HWND hWnd, _In_ PPH_HANDLE_ITEM_INFO Info ); VOID PhShowHandleObjectProperties2( _In_ HWND hWnd, _In_ PPH_HANDLE_ITEM_INFO Info ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/hndlprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef PH_HNDLPRV_H #define PH_HNDLPRV_H extern PPH_OBJECT_TYPE PhHandleProviderType; extern PPH_OBJECT_TYPE PhHandleItemType; // begin_phapppub #define PH_HANDLE_FILE_SHARED_READ 0x1 #define PH_HANDLE_FILE_SHARED_WRITE 0x2 #define PH_HANDLE_FILE_SHARED_DELETE 0x4 #define PH_HANDLE_FILE_SHARED_MASK 0x7 typedef struct _PH_HANDLE_ITEM { PH_HASH_ENTRY HashEntry; PVOID Object; HANDLE Handle; HANDLE ProcessId; ULONG Attributes; ACCESS_MASK GrantedAccess; ULONG TypeIndex; ULONG FileFlags; ULONG HandleCount; ULONG PointerCount; ULONG PagedPoolCharge; ULONG NonPagedPoolCharge; PPH_STRING TypeName; PPH_STRING ObjectName; PPH_STRING BestObjectName; WCHAR HandleString[PH_PTR_STR_LEN_1]; WCHAR GrantedAccessString[PH_PTR_STR_LEN_1]; WCHAR ObjectString[PH_PTR_STR_LEN_1]; } PH_HANDLE_ITEM, *PPH_HANDLE_ITEM; typedef struct _PH_HANDLE_PROVIDER { PPH_HASH_ENTRY *HandleHashSet; ULONG HandleHashSetSize; ULONG HandleHashSetCount; PH_QUEUED_LOCK HandleHashSetLock; PH_CALLBACK HandleAddedEvent; PH_CALLBACK HandleModifiedEvent; PH_CALLBACK HandleRemovedEvent; PH_CALLBACK HandleUpdatedEvent; HANDLE ProcessId; HANDLE ProcessHandle; PPH_HASHTABLE TempListHashtable; NTSTATUS RunStatus; } PH_HANDLE_PROVIDER, *PPH_HANDLE_PROVIDER; PPH_HANDLE_ITEM PhCreateHandleItem( _In_opt_ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle ); // end_phapppub PPH_HANDLE_PROVIDER PhCreateHandleProvider( _In_ HANDLE ProcessId ); PPH_HANDLE_ITEM PhReferenceHandleItem( _In_ PPH_HANDLE_PROVIDER HandleProvider, _In_ HANDLE Handle ); VOID PhDereferenceAllHandleItems( _In_ PPH_HANDLE_PROVIDER HandleProvider ); _Function_class_(PH_PROVIDER_FUNCTION) VOID PhHandleProviderUpdate( _In_ PVOID Object ); #endif ================================================ FILE: SystemInformer/include/informer.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2024 * */ #ifndef PH_KSIMSG_H #define PH_KSIMSG_H typedef struct _PH_INFORMER_CONTEXT { PKPH_MESSAGE Message; ULONG_PTR ReplyToken; BOOLEAN Handled; } PH_INFORMER_CONTEXT, *PPH_INFORMER_CONTEXT; /** * Callback registration for informer messages that can be replied to. Any * processing done by these callbacks **must** be brief as it is blocking * informer message handling on the system. * * Receives PPH_INFORMER_CONTEXT as the callback parameter. The callback * may use PhInformerReply to reply to a message. After a successful call to * PhInformerReply the context is updated with Handled set to TRUE. Callbacks * later in the chain will still be called, but the message should not be * replied to. Callbacks should generally check if the message has already * been handled prior to doing work. */ extern PH_CALLBACK PhInformerCallback; NTSTATUS PhInformerReply( _Inout_ PPH_INFORMER_CONTEXT Context, _In_ PKPH_MESSAGE ReplyMessage ); BOOLEAN PhInformerDispatch( _In_ ULONG_PTR ReplyToken, _In_ PCKPH_MESSAGE Message ); VOID PhInformerInitialize( VOID ); VOID PhInformerActivate( VOID ); PPH_LIST PhInformerDatabaseQuery( _In_ ULONG64 ProcessStartKey, _In_opt_ PLARGE_INTEGER TimeStamp ); #endif ================================================ FILE: SystemInformer/include/ksisup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022 * dmex 2022-2023 * */ #ifndef PH_KSISUP_H #define PH_KSISUP_H VOID PhShowKsiStatus( VOID ); VOID PhInitializeKsi( VOID ); NTSTATUS PhCleanupKsi( VOID ); PPH_STRING PhGetKsiMessage( _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Format, ... ); LONG PhShowKsiMessage2( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Title, _In_ PCWSTR Format, ... ); VOID PhShowKsiMessageEx( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Icon, _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Title, _In_ PCWSTR Format, ... ); VOID PhShowKsiMessage( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Icon, _In_ PCWSTR Title, _In_ PCWSTR Format, ... ); PWSTR PhKsiStandardHelpText( VOID ); FORCEINLINE VOID PhShowKsiNotConnected( _In_opt_ HWND WindowHandle, _In_ PWSTR Message ) { PhShowKsiMessage( WindowHandle, TD_INFORMATION_ICON, L"Kernel driver not connected", L"%s\r\n\r\n" L"System Informer is not connected to the kernel driver or lacks the required state " L"necessary for this feature. Make sure that the \"Enable kernel-mode driver\" option is " L"enabled and that System Informer is running with administrator privileges.", Message ); } FORCEINLINE PPH_STRING PhGetKsiNotConnectedString( _In_ PWSTR Message ) { return PhGetKsiMessage( 0, FALSE, L"%s\r\n\r\n%s\r\n\r\n%s", L"Kernel driver not connected", L"System Informer is not connected to the kernel driver or lacks the required state " L"necessary for this feature. Make sure that the \"Enable kernel-mode driver\" option is " L"enabled and that System Informer is running with administrator privileges.", Message ); } #endif ================================================ FILE: SystemInformer/include/mainwnd.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #ifndef PH_MAINWND_H #define PH_MAINWND_H extern HWND PhMainWndHandle; extern BOOLEAN PhMainWndExiting; // begin_phapppub #define WM_PH_FIRST (WM_APP + 99) #define WM_PH_ACTIVATE (WM_APP + 99) #define WM_PH_SHOW_DIALOG (WM_APP + 100) // unused (plugins only) #define WM_PH_UPDATE_DIALOG (WM_APP + 101) // unused (plugins only) #define PH_ACTIVATE_REPLY 0x1119 #define WM_PH_NOTIFY_ICON_MESSAGE (WM_APP + 126) #define WM_PH_UPDATE_FONT (WM_APP + 136) // end_phapppub #define WM_PH_DESTROY (WM_APP + 145) #define WM_PH_INVOKE (WM_APP + 146) #define WM_PH_PREPARE_FOR_EARLY_SHUTDOWN (WM_APP + 147) #define WM_PH_SAVE_ALL_SETTINGS (WM_APP + 148) #define WM_PH_SHOW_PROPERTIES (WM_APP + 149) #define WM_PH_ACTIVATE_WINDOW (WM_APP + 150) #define WM_PH_SELECT_NODE (WM_APP + 151) #define WM_PH_SHOW_EDITOR (WM_APP + 152) #define WM_PH_SHOW_RESULT (WM_APP + 153) #define WM_PH_LAST (WM_APP + 154) // begin_phapppub typedef enum _PH_MAINWINDOW_CALLBACK_TYPE { PH_MAINWINDOW_CALLBACK_TYPE_DESTROY, PH_MAINWINDOW_CALLBACK_TYPE_SHOW_PROPERTIES, PH_MAINWINDOW_CALLBACK_TYPE_SAVE_ALL_SETTINGS, PH_MAINWINDOW_CALLBACK_TYPE_PREPARE_FOR_EARLY_SHUTDOWN, PH_MAINWINDOW_CALLBACK_TYPE_CANCEL_EARLY_SHUTDOWN, PH_MAINWINDOW_CALLBACK_TYPE_TOGGLE_VISIBLE, PH_MAINWINDOW_CALLBACK_TYPE_SHOW_MEMORY_EDITOR, PH_MAINWINDOW_CALLBACK_TYPE_SHOW_MEMORY_RESULTS, PH_MAINWINDOW_CALLBACK_TYPE_SELECT_TAB_PAGE, PH_MAINWINDOW_CALLBACK_TYPE_GET_CALLBACK_LAYOUT_PADDING, PH_MAINWINDOW_CALLBACK_TYPE_INVALIDATE_LAYOUT_PADDING, PH_MAINWINDOW_CALLBACK_TYPE_SELECT_PROCESS_NODE, PH_MAINWINDOW_CALLBACK_TYPE_SELECT_SERVICE_ITEM, PH_MAINWINDOW_CALLBACK_TYPE_SELECT_NETWORK_ITEM, PH_MAINWINDOW_CALLBACK_TYPE_UPDATE_FONT, PH_MAINWINDOW_CALLBACK_TYPE_GET_FONT, PH_MAINWINDOW_CALLBACK_TYPE_INVOKE, PH_MAINWINDOW_CALLBACK_TYPE_POST, PH_MAINWINDOW_CALLBACK_TYPE_REFRESH, PH_MAINWINDOW_CALLBACK_TYPE_CREATE_TAB_PAGE, PH_MAINWINDOW_CALLBACK_TYPE_GET_UPDATE_AUTOMATICALLY, PH_MAINWINDOW_CALLBACK_TYPE_SET_UPDATE_AUTOMATICALLY, PH_MAINWINDOW_CALLBACK_TYPE_ICON_CLICK, PH_MAINWINDOW_CALLBACK_TYPE_WINDOW_BASE, PH_MAINWINDOW_CALLBACK_TYPE_GETWINDOW_PROCEDURE, PH_MAINWINDOW_CALLBACK_TYPE_SETWINDOW_PROCEDURE, PH_MAINWINDOW_CALLBACK_TYPE_WINDOW_HANDLE, PH_MAINWINDOW_CALLBACK_TYPE_VERSION, PH_MAINWINDOW_CALLBACK_TYPE_PORTABLE, PH_MAINWINDOW_CALLBACK_TYPE_PAGEINDEX, PH_MAINWINDOW_CALLBACK_TYPE_WINDOWDPI, PH_MAINWINDOW_CALLBACK_TYPE_WINDOWNAME, PH_MAINWINDOW_CALLBACK_TYPE_GET_MAIN_MENU, PH_MAINWINDOW_CALLBACK_TYPE_GET_MAIN_SUBMENU, PH_MAINWINDOW_CALLBACK_TYPE_SET_MAIN_SUBCMD, PH_MAINWINDOW_CALLBACK_TYPE_MAXIMUM } PH_MAINWINDOW_CALLBACK_TYPE; PHAPPAPI PVOID NTAPI PhPluginInvokeWindowCallback( _In_ PH_MAINWINDOW_CALLBACK_TYPE Event, _In_opt_ PVOID wparam, _In_opt_ PVOID lparam ); #define SystemInformer_Destroy() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_DESTROY, 0, 0) #define SystemInformer_ShowProcessProperties(ProcessItem) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SHOW_PROPERTIES, 0, (PVOID)(ULONG_PTR)(ProcessItem)) #define SystemInformer_SaveAllSettings() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SAVE_ALL_SETTINGS, 0, 0) #define SystemInformer_PrepareForEarlyShutdown() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_PREPARE_FOR_EARLY_SHUTDOWN, 0, 0) #define SystemInformer_CancelEarlyShutdown() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_CANCEL_EARLY_SHUTDOWN, 0, 0) #define SystemInformer_ToggleVisible(AlwaysShow) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_TOGGLE_VISIBLE, (PVOID)(ULONG_PTR)(AlwaysShow), 0) #define SystemInformer_ShowMemoryEditor(ShowMemoryEditor) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SHOW_MEMORY_EDITOR, 0, (PVOID)(ULONG_PTR)(ShowMemoryEditor)) #define SystemInformer_ShowMemoryResults(ShowMemoryResults) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SHOW_MEMORY_RESULTS, 0, (PVOID)(ULONG_PTR)(ShowMemoryResults)) #define SystemInformer_SelectTabPage(Index) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SELECT_TAB_PAGE, 0, (PVOID)(ULONG_PTR)(Index)) #define SystemInformer_GetCallbackLayoutPadding() \ ((PPH_CALLBACK)PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_GET_CALLBACK_LAYOUT_PADDING, 0, 0)) #define SystemInformer_InvalidateLayoutPadding() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_INVALIDATE_LAYOUT_PADDING, 0, 0) #define SystemInformer_SelectProcessNode(ProcessNode) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SELECT_PROCESS_NODE, 0, (PVOID)(ULONG_PTR)(ProcessNode)) #define SystemInformer_SelectServiceItem(ServiceItem) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SELECT_SERVICE_ITEM, 0, (PVOID)(ULONG_PTR)(ServiceItem)) #define SystemInformer_SelectNetworkItem(NetworkItem) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SELECT_NETWORK_ITEM, 0, (PVOID)(ULONG_PTR)(NetworkItem)) #define SystemInformer_UpdateFont() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_UPDATE_FONT, 0, 0) #define SystemInformer_GetFont() \ ((HFONT)PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_GET_FONT, 0, 0)) #define SystemInformer_Invoke(Function, Parameter) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_INVOKE, (PVOID)(ULONG_PTR)(Parameter), (PVOID)(ULONG_PTR)(Function)) //#define SystemInformer_Post(Function, Parameter) \ // PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_POST, (PVOID)(ULONG_PTR)(Parameter), (PVOID)(ULONG_PTR)(Function)) //#define SystemInformer_CreateTabPage(Template) \ // PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_CREATE_TAB_PAGE, 0, (PVOID)(ULONG_PTR)(Template)) #define SystemInformer_Refresh() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_REFRESH, 0, 0) #define SystemInformer_GetUpdateAutomatically() \ ((BOOLEAN)PtrToUlong(PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_GET_UPDATE_AUTOMATICALLY, 0, 0))) #define SystemInformer_SetUpdateAutomatically(Value) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SET_UPDATE_AUTOMATICALLY, (PVOID)(ULONG_PTR)(Value), 0) #define SystemInformer_IconClick() \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_ICON_CLICK, 0, 0) #define SystemInformer_GetInstanceHandle() \ ((PVOID)PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_WINDOW_BASE, 0, 0)) #define SystemInformer_GetWindowProcedure() \ ((WNDPROC)PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_GETWINDOW_PROCEDURE, 0, 0)) #define SystemInformer_SetWindowProcedure(Value) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SETWINDOW_PROCEDURE, (PVOID)(ULONG_PTR)(Value), 0) #define SystemInformer_GetWindowHandle() \ ((HWND)PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_WINDOW_HANDLE, 0, 0)) #define SystemInformer_GetWindowsVersion() \ (PtrToUlong(PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_VERSION, 0, 0))) #define SystemInformer_IsPortableMode() \ ((BOOLEAN)PtrToUlong(PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_PORTABLE, 0, 0))) #define SystemInformer_GetTabIndex(Value) \ (PtrToUlong(PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_PAGEINDEX, (PVOID)(ULONG_PTR)(Value), 0))) #define SystemInformer_GetWindowDpi() \ (PtrToUlong(PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_WINDOWDPI, 0, 0))) #define SystemInformer_GetWindowName() \ (PWSTR)(PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_WINDOWNAME, 0, 0)) #define SystemInformer_GetMainMenu() \ ((PPH_EMENU)PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_GET_MAIN_MENU, 0, 0)) #define SystemInformer_GetMainSubMenu(Index) \ ((PPH_EMENU)PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_GET_MAIN_SUBMENU, (PVOID)(ULONG_PTR)(Index), 0)) #define SystemInformer_SetMainSubCmd(Index, Context) \ PhPluginInvokeWindowCallback(PH_MAINWINDOW_CALLBACK_TYPE_SET_MAIN_SUBCMD, (PVOID)(ULONG_PTR)(Index), (PVOID)Context) #define PhWindowsVersion SystemInformer_GetWindowsVersion() // Temporary backwards compat (dmex) // end_phapppub // begin_phapppub PHAPPAPI PVOID NTAPI PhPluginCreateTabPage( _In_ PVOID Page ); // end_phapppub typedef struct _PH_SHOW_MEMORY_EDITOR { HWND OwnerWindow; HANDLE ProcessId; PVOID BaseAddress; SIZE_T RegionSize; ULONG SelectOffset; ULONG SelectLength; PPH_STRING Title; ULONG Flags; } PH_SHOW_MEMORY_EDITOR, *PPH_SHOW_MEMORY_EDITOR; typedef struct _PH_SHOW_MEMORY_RESULTS { HANDLE ProcessId; PPH_LIST Results; } PH_SHOW_MEMORY_RESULTS, *PPH_SHOW_MEMORY_RESULTS; // begin_phapppub typedef struct _PH_LAYOUT_PADDING_DATA { RECT Padding; } PH_LAYOUT_PADDING_DATA, *PPH_LAYOUT_PADDING_DATA; // end_phapppub // begin_phapppub typedef enum _PH_MAIN_TAB_PAGE_MESSAGE { MainTabPageCreate, MainTabPageDestroy, MainTabPageCreateWindow, // HWND *Parameter1 (WindowHandle), HWND Parameter2 (ParentWindow) MainTabPageSelected, // BOOLEAN Parameter1 (Selected) MainTabPageInitializeSectionMenuItems, // PPH_MAIN_TAB_PAGE_MENU_INFORMATION Parameter1 MainTabPageLoadSettings, MainTabPageSaveSettings, MainTabPageExportContent, // PPH_MAIN_TAB_PAGE_EXPORT_CONTENT Parameter1 MainTabPageFontChanged, // HFONT Parameter1 (Font) MainTabPageUpdateAutomaticallyChanged, // BOOLEAN Parameter1 (UpdateAutomatically) MainTabPageDpiChanged, MaxMainTabPageMessage } PH_MAIN_TAB_PAGE_MESSAGE; typedef struct _PH_MAIN_TAB_PAGE *PPH_MAIN_TAB_PAGE; typedef _Function_class_(PH_MAIN_TAB_PAGE_CALLBACK) BOOLEAN NTAPI PH_MAIN_TAB_PAGE_CALLBACK( _In_ PPH_MAIN_TAB_PAGE Page, _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); typedef PH_MAIN_TAB_PAGE_CALLBACK* PPH_MAIN_TAB_PAGE_CALLBACK; typedef struct _PH_MAIN_TAB_PAGE_EXPORT_CONTENT { PPH_FILE_STREAM FileStream; ULONG Mode; } PH_MAIN_TAB_PAGE_EXPORT_CONTENT, *PPH_MAIN_TAB_PAGE_EXPORT_CONTENT; typedef struct _PH_MAIN_TAB_PAGE_MENU_INFORMATION { PPH_EMENU_ITEM Menu; ULONG StartIndex; } PH_MAIN_TAB_PAGE_MENU_INFORMATION, *PPH_MAIN_TAB_PAGE_MENU_INFORMATION; typedef struct _PH_MAIN_TAB_PAGE { // Public PH_STRINGREF Name; ULONG Flags; PPH_MAIN_TAB_PAGE_CALLBACK Callback; PVOID Context; LONG Index; union { ULONG StateFlags; struct { ULONG Selected : 1; ULONG CreateWindowCalled : 1; ULONG SpareStateFlags : 30; }; }; PVOID Reserved[2]; // end_phapppub // Private HWND WindowHandle; // begin_phapppub } PH_MAIN_TAB_PAGE, *PPH_MAIN_TAB_PAGE; // end_phapppub // begin_phapppub #define PH_NOTIFY_MINIMUM 0x1 #define PH_NOTIFY_PROCESS_CREATE 0x1 #define PH_NOTIFY_PROCESS_DELETE 0x2 #define PH_NOTIFY_SERVICE_CREATE 0x4 #define PH_NOTIFY_SERVICE_DELETE 0x8 #define PH_NOTIFY_SERVICE_START 0x10 #define PH_NOTIFY_SERVICE_STOP 0x20 #define PH_NOTIFY_SERVICE_MODIFIED 0x40 #define PH_NOTIFY_DEVICE_ARRIVED 0x80 #define PH_NOTIFY_DEVICE_REMOVED 0x100 #define PH_NOTIFY_MAXIMUM 0x200 #define PH_NOTIFY_VALID_MASK 0x1ff // end_phapppub BOOLEAN PhMainWndInitialization( _In_ LONG ShowCommand ); VOID PhAddMiniProcessMenuItems( _Inout_ PPH_EMENU_ITEM Menu, _In_ HANDLE ProcessId ); BOOLEAN PhHandleMiniProcessMenuItem( _Inout_ PPH_EMENU_ITEM MenuItem ); VOID PhShowIconContextMenu( _In_ HWND WindowHandle, _In_ PPOINT Location ); // begin_phapppub PHAPPAPI VOID NTAPI PhShowIconNotification( _In_ PCWSTR Title, _In_ PCWSTR Text ); typedef enum _PH_TOAST_REASON { PhToastReasonUserCanceled, PhToastReasonApplicationHidden, PhToastReasonTimedOut, PhToastReasonActivated, PhToastReasonError, PhToastReasonUnknown } PH_TOAST_REASON; typedef _Function_class_(PH_TOAST_CALLBACK) VOID NTAPI PH_TOAST_CALLBACK( _In_ HRESULT Result, _In_ PH_TOAST_REASON Reason, _In_ PVOID Context ); typedef PH_TOAST_CALLBACK* PPH_TOAST_CALLBACK; PHAPPAPI HRESULT NTAPI PhShowIconNotificationEx( _In_ PCWSTR Title, _In_ PCWSTR Text, _In_ ULONG Timeout, _In_opt_ PPH_TOAST_CALLBACK Callback, _In_opt_ PVOID Context ); // end_phapppub VOID PhProcessInvokeQueue( VOID ); VOID PhShowDetailsForIconNotification( VOID ); VOID PhShowOptionsRestartRequired( _In_ HWND WindowHandle ); BOOLEAN PhShowOptionsDefaultInstallLocation( _In_ HWND ParentWindowHandle, _In_ PCWSTR Message ); VOID PhShowProcessContextMenu( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ); VOID PhShowServiceContextMenu( _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ); VOID PhShowNetworkContextMenu( _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ); typedef struct _PH_EMENU_ITEM PH_EMENU, *PPH_EMENU; VOID PhServiceListInsertContextMenu( _In_ HWND ParentWindow, _In_ PPH_EMENU Menu, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ); #endif ================================================ FILE: SystemInformer/include/mainwndp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ #ifndef PH_MAINWNDP_H #define PH_MAINWNDP_H #define PH_FLUSH_PROCESS_QUERY_DATA_INTERVAL_1 250 #define PH_FLUSH_PROCESS_QUERY_DATA_INTERVAL_2 750 #define PH_FLUSH_PROCESS_QUERY_DATA_INTERVAL_LONG_TERM 1000 #define TIMER_FLUSH_PROCESS_QUERY_DATA 1 #define TIMER_ICON_CLICK_ACTIVATE 2 #define TIMER_ICON_RESTORE_HOVER 3 #define TIMER_ICON_POPUPOPEN 4 typedef union _PH_MWP_NOTIFICATION_DETAILS { HANDLE ProcessId; PPH_STRING ServiceName; } PH_MWP_NOTIFICATION_DETAILS, *PPH_MWP_NOTIFICATION_DETAILS; extern PH_PROVIDER_REGISTRATION PhMwpProcessProviderRegistration; extern PH_PROVIDER_REGISTRATION PhMwpServiceProviderRegistration; extern PH_PROVIDER_REGISTRATION PhMwpNetworkProviderRegistration; extern BOOLEAN PhMwpUpdateAutomatically; extern ULONG PhMwpNotifyIconNotifyMask; extern ULONG PhMwpLastNotificationType; extern PH_MWP_NOTIFICATION_DETAILS PhMwpLastNotificationDetails; LRESULT CALLBACK PhMwpWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ); // // Initialization // RTL_ATOM PhMwpInitializeWindowClass( VOID ); PPH_STRING PhMwpInitializeWindowTitle( VOID ); VOID PhMwpInitializeProviders( VOID ); VOID PhMwpShowWindow( _In_ LONG ShowCommand ); VOID PhMwpApplyUpdateInterval( _In_ ULONG Interval ); VOID PhMwpInitializeMetrics( _In_ HWND WindowHandle, _In_ LONG WindowDpi ); VOID PhMwpInitializeControls( _In_ HWND WindowHandle ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhMwpLoadStage1Worker( _In_ PVOID Parameter ); VOID PhMwpInvokePrepareEarlyExit( _In_ HWND WindowHandle ); VOID PhMwpInvokeActivateWindow( _In_ BOOLEAN Toggle ); VOID PhMwpInvokeSelectTabPage( _In_ PVOID Parameter ); VOID PhMwpInvokeSelectServiceItem( _In_ PPH_SERVICE_ITEM ServiceItem ); VOID PhMwpInvokeSelectNetworkItem( _In_ PPH_NETWORK_ITEM NetworkItem ); VOID PhMwpInvokeUpdateWindowFont( _In_opt_ PVOID Parameter ); VOID PhMwpInvokeUpdateWindowFontMonospace( _In_ HWND WindowHandle, _In_opt_ PVOID Parameter ); // // Main // LONG PhMainMessageLoop( VOID ); VOID PhInitializePreviousInstance( VOID ); VOID PhActivatePreviousInstance( VOID ); VOID PhInitializeCommonControls( VOID ); VOID PhInitializeSuperclassControls( // delayhook.c VOID ); NTSTATUS PhInitializeAppSystem( VOID ); VOID PhInitializeAppSettings( VOID ); VOID PhpProcessStartupParameters( VOID ); VOID PhpEnablePrivileges( VOID ); VOID PhEnableTerminationPolicy( _In_ BOOLEAN Enabled ); NTSTATUS PhInitializeDirectoryPolicy( VOID ); NTSTATUS PhInitializeExceptionPolicy( VOID ); NTSTATUS PhInitializeExecutionPolicy( VOID ); NTSTATUS PhInitializeNamespacePolicy( VOID ); NTSTATUS PhInitializeMitigationPolicy( VOID ); NTSTATUS PhInitializeComPolicy( VOID ); NTSTATUS PhInitializeTimerPolicy( VOID ); // // Event handlers // VOID PhMwpOnDestroy( _In_ HWND WindowHandle ); VOID PhMwpOnEndSession( _In_ HWND WindowHandle, _In_ BOOLEAN SessionEnding, _In_ ULONG Reason ); VOID PhMwpOnSettingChange( _In_ HWND WindowHandle, _In_opt_ ULONG Action, _In_opt_ PCWSTR Metric ); VOID PhMwpOnCommand( _In_ HWND WindowHandle, _In_ ULONG Id ); VOID PhMwpOnShowWindow( _In_ HWND WindowHandle, _In_ BOOLEAN Showing, _In_ ULONG State ); BOOLEAN PhMwpOnSysCommand( _In_ HWND WindowHandle, _In_ ULONG Type, _In_ LONG CursorScreenX, _In_ LONG CursorScreenY ); VOID PhMwpOnMenuCommand( _In_ HWND WindowHandle, _In_ ULONG Index, _In_ HMENU Menu ); VOID PhMwpOnInitMenuPopup( _In_ HWND WindowHandle, _In_ HMENU Menu, _In_ ULONG Index, _In_ BOOLEAN IsWindowMenu ); VOID PhMwpOnSize( _In_ HWND WindowHandle, _In_ UINT State, _In_ LONG Width, _In_ LONG Height ); VOID PhMwpOnSizing( _In_ ULONG Edge, _In_ PRECT DragRectangle ); VOID PhMwpOnSetFocus( _In_ HWND WindowHandle ); VOID PhMwpOnTimer( _In_ HWND WindowHandle, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Success_(return) BOOLEAN PhMwpOnNotify( _In_ NMHDR *Header, _Out_ LRESULT *Result ); VOID PhMwpOnDeviceChanged( _In_ HWND WindowHandle, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhMwpOnDpiChanged( _In_ HWND WindowHandle, _In_ LONG WindowDpi ); LRESULT PhMwpOnUserMessage( _In_ HWND WindowHandle, _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ); // // Settings // VOID PhMwpLoadSettings( _In_ HWND WindowHandle ); VOID PhMwpSaveSettings( _In_ HWND WindowHandle ); VOID PhMwpSaveWindowState( _In_ HWND WindowHandle ); // // Misc. // VOID PhMwpUpdateLayoutPadding( VOID ); VOID PhMwpApplyLayoutPadding( _Inout_ PRECT Rect, _In_ PRECT Padding ); VOID PhMwpLayout( _Inout_ HDWP *DeferHandle ); VOID PhMwpSetupComputerMenu( _In_ PPH_EMENU_ITEM Root ); BOOLEAN PhMwpExecuteComputerCommand( _In_ HWND WindowHandle, _In_ ULONG Id ); VOID PhMwpActivateWindow( _In_ HWND WindowHandle, _In_ BOOLEAN Toggle ); // // Main menu // PPH_EMENU PhpCreateMainMenu( _In_ ULONG SubMenuIndex ); VOID PhMwpInitializeMainMenu( _In_ HWND WindowHandle ); VOID PhMwpDispatchMenuCommand( _In_ HWND WindowHandle, _In_ ULONG ItemId, _In_ ULONG_PTR ItemData ); VOID PhMwpInitializeSubMenu( _In_ HWND WindowHandle, _In_ PPH_EMENU Menu, _In_ ULONG Index ); VOID PhMwpInitializeSectionMenuItems( _In_ PPH_EMENU Menu, _In_ ULONG StartIndex ); BOOLEAN PhMwpExecuteNotificationMenuCommand( _In_ HWND WindowHandle, _In_ ULONG Id ); BOOLEAN PhMwpExecuteNotificationSettingsMenuCommand( _In_ HWND WindowHandle, _In_ ULONG Id ); PPH_EMENU PhMwpCreateProcessMenu( _In_ BOOLEAN SystemProcess ); // // Tab control // VOID PhMwpLayoutTabControl( _Inout_ HDWP *DeferHandle ); VOID PhMwpNotifyTabControl( _In_ NMHDR *Header ); VOID PhMwpSelectionChangedTabControl( _In_ LONG OldIndex ); PPH_MAIN_TAB_PAGE PhMwpCreatePage( _In_ PPH_MAIN_TAB_PAGE Template ); VOID PhMwpSelectPage( _In_ ULONG Index ); PPH_MAIN_TAB_PAGE PhMwpFindPage( _In_ PPH_STRINGREF Name ); PPH_MAIN_TAB_PAGE PhMwpCreateInternalPage( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MAIN_TAB_PAGE_CALLBACK Callback ); VOID PhMwpNotifyAllPages( _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); // // Notifications // VOID PhMwpAddIconProcesses( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG NumberOfProcesses ); VOID PhMwpClearLastNotificationDetails( VOID ); BOOLEAN PhMwpPluginNotifyEvent( _In_ ULONG Type, _In_ PVOID Parameter ); typedef struct _PH_MAIN_TAB_PAGE *PPH_MAIN_TAB_PAGE; typedef struct _PH_PROVIDER_EVENT_QUEUE PH_PROVIDER_EVENT_QUEUE, *PPH_PROVIDER_EVENT_QUEUE; typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _PH_INVOKE_ENTRY { SLIST_ENTRY ListEntry; PVOID Command; PVOID Parameter; //HANDLE ThreadId; //ULONG64 SubmitTime; } PH_INVOKE_ENTRY, * PPH_INVOKE_ENTRY; extern SLIST_HEADER PhMainThreadInvokeQueue; extern PH_FREE_LIST PhMainThreadInvokeQueueFreeList; extern volatile LONG PhMainThreadInvokePending; // // Processes // extern PPH_MAIN_TAB_PAGE PhMwpProcessesPage; extern HWND PhMwpProcessTreeNewHandle; extern HWND PhMwpSelectedProcessWindowHandle; extern BOOLEAN PhMwpSelectedProcessVirtualizationEnabled; extern PH_PROVIDER_EVENT_QUEUE PhMwpProcessEventQueue; _Function_class_(PH_MAIN_TAB_PAGE_CALLBACK) BOOLEAN PhMwpProcessesPageCallback( _In_ PPH_MAIN_TAB_PAGE Page, _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); VOID PhMwpShowProcessProperties( _In_ PPH_PROCESS_ITEM ProcessItem ); VOID PhMwpToggleCurrentUserProcessTreeFilter( VOID ); _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpCurrentUserProcessTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ); VOID PhMwpToggleSignedProcessTreeFilter( _In_ HWND WindowHandle ); VOID PhMwpToggleMicrosoftProcessTreeFilter( VOID ); _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpSignedProcessTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ); _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpMicrosoftProcessTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ); BOOLEAN PhMwpExecuteProcessPriorityClassCommand( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ); BOOLEAN PhMwpExecuteProcessIoPriorityCommand( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ); VOID PhMwpSetProcessMenuPriorityChecks( _In_ PPH_EMENU Menu, _In_opt_ HANDLE ProcessId, _In_ BOOLEAN SetPriority, _In_ BOOLEAN SetIoPriority, _In_ BOOLEAN SetPagePriority ); VOID PhMwpInitializeProcessMenu( _In_ PPH_EMENU Menu, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessesUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); VOID PhMwpOnProcessesUpdated( _In_ ULONG RunId ); // // Services // extern PPH_MAIN_TAB_PAGE PhMwpServicesPage; extern HWND PhMwpServiceTreeNewHandle; extern PH_PROVIDER_EVENT_QUEUE PhMwpServiceEventQueue; _Function_class_(PH_MAIN_TAB_PAGE_CALLBACK) BOOLEAN PhMwpServicesPageCallback( _In_ PPH_MAIN_TAB_PAGE Page, _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ); VOID PhMwpNeedServiceTreeList( VOID ); VOID PhMwpToggleDriverServiceTreeFilter( VOID ); VOID PhMwpToggleMicrosoftServiceTreeFilter( VOID ); _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpDriverServiceTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ); _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpMicrosoftServiceTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ); VOID PhMwpInitializeServiceMenu( _In_ PPH_EMENU Menu, _In_ PPH_SERVICE_ITEM *Services, _In_ ULONG NumberOfServices ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServiceAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServiceModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServiceRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServicesUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); VOID PhMwpOnServicesUpdated( _In_ ULONG RunId ); // // Network // extern PPH_MAIN_TAB_PAGE PhMwpNetworkPage; extern HWND PhMwpNetworkTreeNewHandle; extern PH_PROVIDER_EVENT_QUEUE PhMwpNetworkEventQueue; _Function_class_(PH_MAIN_TAB_PAGE_CALLBACK) BOOLEAN PhMwpNetworkPageCallback( _In_ PPH_MAIN_TAB_PAGE Page, _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ); VOID PhMwpNeedNetworkTreeList( VOID ); VOID PhMwpToggleNetworkWaitingConnectionTreeFilter( VOID ); _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpNetworkTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ); VOID PhMwpInitializeNetworkMenu( _In_ PPH_EMENU Menu, _In_ PPH_NETWORK_ITEM *NetworkItems, _In_ ULONG NumberOfNetworkItems ); _Function_class_(PH_CALLBACK_FUNCTION) VOID PhMwpNetworkItemAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID PhMwpNetworkItemModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID PhMwpNetworkItemRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID PhMwpNetworkItemsUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ); VOID PhMwpOnNetworkItemsUpdated( _In_ ULONG RunId ); // // Devices // VOID PhMwpInitializeDeviceNotifications( VOID ); #endif ================================================ FILE: SystemInformer/include/memlist.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #ifndef PH_MEMLIST_H #define PH_MEMLIST_H #include // Columns #define PHMMTLC_BASEADDRESS 0 #define PHMMTLC_TYPE 1 #define PHMMTLC_SIZE 2 #define PHMMTLC_PROTECTION 3 #define PHMMTLC_USE 4 #define PHMMTLC_TOTALWS 5 #define PHMMTLC_PRIVATEWS 6 #define PHMMTLC_SHAREABLEWS 7 #define PHMMTLC_SHAREDWS 8 #define PHMMTLC_LOCKEDWS 9 #define PHMMTLC_COMMITTED 10 #define PHMMTLC_PRIVATE 11 #define PHMMTLC_SIGNING_LEVEL 12 #define PHMMTLC_ORIGINAL_PROTECTION 13 #define PHMMTLC_ORIGINAL_PAGES 14 #define PHMMTLC_REGIONTYPE 15 #define PHMMTLC_PRIORITY 16 #define PHMMTLC_MAXIMUM 17 // begin_phapppub typedef struct _PH_MEMORY_NODE { PH_TREENEW_NODE Node; BOOLEAN IsAllocationBase; BOOLEAN Reserved1; USHORT Reserved2; PPH_MEMORY_ITEM MemoryItem; struct _PH_MEMORY_NODE *Parent; PPH_LIST Children; // end_phapppub PH_STRINGREF TextCache[PHMMTLC_MAXIMUM]; WCHAR TypeText[30]; PPH_STRING SizeText; WCHAR ProtectionText[17]; WCHAR OriginalProtectionText[17]; PPH_STRING UseText; PPH_STRING TotalWsText; PPH_STRING PrivateWsText; PPH_STRING ShareableWsText; PPH_STRING SharedWsText; PPH_STRING LockedWsText; PPH_STRING CommittedText; PPH_STRING PrivateText; PPH_STRING OriginalPagesText; PPH_STRING RegionTypeText; PPH_STRING PriorityText; // begin_phapppub } PH_MEMORY_NODE, *PPH_MEMORY_NODE; // end_phapppub #define PH_MEMORY_FLAGS_FREE_OPTION 1 #define PH_MEMORY_FLAGS_RESERVED_OPTION 2 #define PH_MEMORY_FLAGS_PRIVATE_OPTION 3 #define PH_MEMORY_FLAGS_SYSTEM_OPTION 4 #define PH_MEMORY_FLAGS_CFG_OPTION 5 #define PH_MEMORY_FLAGS_EXECUTE_OPTION 6 #define PH_MEMORY_FLAGS_GUARD_OPTION 7 #define PH_MEMORY_FLAGS_ZERO_PAD_ADDRESSES 8 typedef struct _PH_MEMORY_LIST_CONTEXT { HWND ParentWindowHandle; HWND TreeNewHandle; ULONG TreeNewSortColumn; PH_TN_FILTER_SUPPORT AllocationTreeFilterSupport; PH_TN_FILTER_SUPPORT TreeFilterSupport; PH_SORT_ORDER TreeNewSortOrder; PH_CM_MANAGER Cm; union { ULONG Flags; struct { ULONG HideFreeRegions : 1; ULONG HideReservedRegions : 1; ULONG HighlightPrivatePages : 1; ULONG HighlightSystemPages : 1; ULONG HighlightCfgPages : 1; ULONG HighlightExecutePages : 1; ULONG HideGuardRegions : 1; ULONG ZeroPadAddresses : 1; ULONG Spare : 24; }; }; PPH_LIST AllocationBaseNodeList; // Allocation base nodes (list should always be sorted by base address) PPH_LIST RegionNodeList; // Memory region nodes } PH_MEMORY_LIST_CONTEXT, *PPH_MEMORY_LIST_CONTEXT; VOID PhInitializeMemoryList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhDeleteMemoryList( _In_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhLoadSettingsMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhSaveSettingsMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhSetOptionsMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_ ULONG Options ); VOID PhReplaceMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_opt_ PPH_MEMORY_ITEM_LIST List ); VOID PhRemoveMemoryNode( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_ PPH_MEMORY_ITEM_LIST List, _In_ PPH_MEMORY_NODE MemoryNode ); VOID PhUpdateMemoryNode( _In_ PPH_MEMORY_LIST_CONTEXT Context, _In_ PPH_MEMORY_NODE MemoryNode ); VOID PhInvalidateAllMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhInvalidateAllMemoryBaseAddressNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhExpandAllMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context, _In_ BOOLEAN Expand ); PPH_STRING PhGetMemoryRegionUseText( _In_ PPH_MEMORY_ITEM MemoryItem ); PPH_MEMORY_NODE PhGetSelectedMemoryNode( _In_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhGetSelectedMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context, _Out_ PPH_MEMORY_NODE **MemoryNodes, _Out_ PULONG NumberOfMemoryNodes ); VOID PhDeselectAllMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context ); #endif ================================================ FILE: SystemInformer/include/memprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2018-2023 * */ #ifndef PH_MEMPRV_H #define PH_MEMPRV_H extern PPH_OBJECT_TYPE PhMemoryItemType; // begin_phapppub typedef enum _PH_MEMORY_REGION_TYPE { UnknownRegion, CustomRegion, UnusableRegion, MappedFileRegion, UserSharedDataRegion, PebRegion, Peb32Region, TebRegion, Teb32Region, // Not used StackRegion, Stack32Region, HeapRegion, Heap32Region, HeapSegmentRegion, HeapSegment32Region, CfgBitmapRegion, CfgBitmap32Region, ApiSetMapRegion, HypervisorSharedDataRegion, ReadOnlySharedMemoryRegion, CodePageDataRegion, GdiSharedHandleTableRegion, ShimDataRegion, ActivationContextDataRegion, WerRegistrationDataRegion, SiloSharedDataRegion, TelemetryCoverageRegion, ProcessParametersRegion, LeapSecondDataRegion, DesktopHeapRegion, } PH_MEMORY_REGION_TYPE; typedef enum _PH_ACTIVATION_CONTEXT_DATA_TYPE { CustomActivationContext, ProcessActivationContext, SystemActivationContext } PH_ACTIVATION_CONTEXT_DATA_TYPE; typedef struct _PH_MEMORY_ITEM { LIST_ENTRY ListEntry; PH_AVL_LINKS Links; union { MEMORY_BASIC_INFORMATION BasicInfo; struct { PVOID BaseAddress; PVOID AllocationBase; ULONG AllocationProtect; SIZE_T RegionSize; ULONG State; ULONG Protect; ULONG Type; }; }; union { BOOLEAN Attributes; struct { BOOLEAN Valid : 1; BOOLEAN Bad : 1; BOOLEAN Spare : 6; }; }; union { ULONG RegionTypeEx; struct { ULONG Private : 1; ULONG MappedDataFile : 1; ULONG MappedImage : 1; ULONG MappedPageFile : 1; ULONG MappedPhysical : 1; ULONG DirectMapped : 1; ULONG SoftwareEnclave : 1; // REDSTONE3 ULONG PageSize64K : 1; ULONG PlaceholderReservation : 1; // REDSTONE4 ULONG MappedAwe : 1; // 21H1 ULONG MappedWriteWatch : 1; ULONG PageSizeLarge : 1; ULONG PageSizeHuge : 1; ULONG Reserved : 19; // Sync with MemoryRegionInformationEx (dmex) }; }; WCHAR BaseAddressString[PH_PTR_STR_LEN_1]; struct _PH_MEMORY_ITEM *AllocationBaseItem; SIZE_T CommittedSize; SIZE_T PrivateSize; SIZE_T TotalWorkingSetPages; SIZE_T PrivateWorkingSetPages; SIZE_T SharedWorkingSetPages; SIZE_T ShareableWorkingSetPages; SIZE_T LockedWorkingSetPages; SIZE_T SharedOriginalPages; ULONG_PTR Priority; PH_MEMORY_REGION_TYPE RegionType; union { struct { PPH_STRING Text; BOOLEAN PropertyOfAllocationBase; } Custom; struct { PPH_STRING FileName; BOOLEAN SigningLevelValid; SE_SIGNING_LEVEL SigningLevel; } MappedFile; struct { HANDLE ThreadId; } Teb; struct { HANDLE ThreadId; } Stack; struct { ULONG Index; BOOLEAN ClassValid; ULONG Class; } Heap; struct { struct _PH_MEMORY_ITEM *HeapItem; } HeapSegment; struct { PH_ACTIVATION_CONTEXT_DATA_TYPE Type; } ActivationContextData; } u; } PH_MEMORY_ITEM, *PPH_MEMORY_ITEM; typedef struct _PH_MEMORY_ITEM_LIST { HANDLE ProcessId; PH_AVL_TREE Set; LIST_ENTRY ListHead; } PH_MEMORY_ITEM_LIST, *PPH_MEMORY_ITEM_LIST; // end_phapppub VOID PhGetMemoryProtectionString( _In_ ULONG Protection, _Inout_z_ PWSTR String ); PCPH_STRINGREF PhGetMemoryStateString( _In_ ULONG State ); PCPH_STRINGREF PhGetMemoryTypeString( _In_ ULONG Type ); PCPH_STRINGREF PhGetSigningLevelString( _In_ SE_SIGNING_LEVEL SigningLevel ); PCPH_STRINGREF PhGetMemoryPagePriorityString( _In_ ULONG PagePriority ); PPH_STRING PhGetMemoryRegionTypeExString( _In_ PPH_MEMORY_ITEM MemoryItem ); PPH_MEMORY_ITEM PhCreateMemoryItem( VOID ); // begin_phapppub PHAPPAPI VOID NTAPI PhDeleteMemoryItemList( _In_ PPH_MEMORY_ITEM_LIST List ); PHAPPAPI PPH_MEMORY_ITEM NTAPI PhLookupMemoryItemList( _In_ PPH_MEMORY_ITEM_LIST List, _In_ PVOID Address ); #define PH_QUERY_MEMORY_IGNORE_FREE 0x1 #define PH_QUERY_MEMORY_REGION_TYPE 0x2 #define PH_QUERY_MEMORY_WS_COUNTERS 0x4 #define PH_QUERY_MEMORY_ZERO_PAD_ADDRESSES 0x8 PHAPPAPI NTSTATUS NTAPI PhQueryMemoryItemList( _In_ HANDLE ProcessId, _In_ ULONG Flags, _Out_ PPH_MEMORY_ITEM_LIST List ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/memsrch.h ================================================ #ifndef PH_MEMSRCH_H #define PH_MEMSRCH_H typedef struct _PH_MEMORY_RESULT { LONG RefCount; PVOID Address; PVOID BaseAddress; SIZE_T Length; PH_STRINGREF Display; } PH_MEMORY_RESULT, *PPH_MEMORY_RESULT; typedef VOID (NTAPI *PPH_MEMORY_RESULT_CALLBACK)( _In_ _Assume_refs_(1) PPH_MEMORY_RESULT Result, _In_opt_ PVOID Context ); #define PH_DISPLAY_BUFFER_COUNT (PAGE_SIZE * 2 - 1) typedef struct _PH_MEMORY_SEARCH_OPTIONS { BOOLEAN Cancel; PPH_MEMORY_RESULT_CALLBACK Callback; PVOID Context; } PH_MEMORY_SEARCH_OPTIONS, *PPH_MEMORY_SEARCH_OPTIONS; typedef struct _PH_MEMORY_STRING_OPTIONS { PH_MEMORY_SEARCH_OPTIONS Header; ULONG MinimumLength; ULONG MemoryTypeMask; union { BOOLEAN Flags; struct { BOOLEAN DetectUnicode : 1; BOOLEAN ExtendedUnicode : 1; BOOLEAN Spare : 6; }; }; } PH_MEMORY_STRING_OPTIONS, *PPH_MEMORY_STRING_OPTIONS; PVOID PhAllocateForMemorySearch( _In_ SIZE_T Size ); VOID PhFreeForMemorySearch( _In_ _Post_invalid_ PVOID Memory ); PVOID PhCreateMemoryResult( _In_ PVOID Address, _In_ PVOID BaseAddress, _In_ SIZE_T Length ); VOID PhReferenceMemoryResult( _In_ PPH_MEMORY_RESULT Result ); VOID PhDereferenceMemoryResult( _In_ PPH_MEMORY_RESULT Result ); VOID PhDereferenceMemoryResults( _In_reads_(NumberOfResults) PPH_MEMORY_RESULT *Results, _In_ ULONG NumberOfResults ); #endif ================================================ FILE: SystemInformer/include/miniinfo.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015-2016 * dmex 2017-2023 * */ #ifndef PH_MINIINFO_H #define PH_MINIINFO_H #include // begin_phapppub // Section typedef struct _PH_MINIINFO_SECTION PH_MINIINFO_SECTION, *PPH_MINIINFO_SECTION; typedef VOID (NTAPI *PPH_MINIINFO_SET_SECTION_TEXT)( _In_ PPH_MINIINFO_SECTION Section, _In_opt_ PPH_STRING Text ); typedef struct _PH_MINIINFO_PARAMETERS { HWND ContainerWindowHandle; HWND MiniInfoWindowHandle; HFONT Font; HFONT MediumFont; ULONG FontHeight; ULONG FontAverageWidth; ULONG MediumFontHeight; ULONG MediumFontAverageWidth; PPH_MINIINFO_SET_SECTION_TEXT SetSectionText; } PH_MINIINFO_PARAMETERS, *PPH_MINIINFO_PARAMETERS; typedef enum _PH_MINIINFO_SECTION_MESSAGE { MiniInfoCreate, MiniInfoDestroy, MiniInfoTick, MiniInfoSectionChanging, // PPH_MINIINFO_SECTION Parameter1 MiniInfoShowing, // BOOLEAN Parameter1 (Showing) MiniInfoCreateDialog, // PPH_MINIINFO_CREATE_DIALOG Parameter1 MaxMiniInfoMessage } PH_MINIINFO_SECTION_MESSAGE; typedef BOOLEAN (NTAPI *PPH_MINIINFO_SECTION_CALLBACK)( _In_ PPH_MINIINFO_SECTION Section, _In_ PH_MINIINFO_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); typedef struct _PH_MINIINFO_CREATE_DIALOG { BOOLEAN CustomCreate; // Parameters for default create PVOID Instance; PWSTR Template; DLGPROC DialogProc; PVOID Parameter; } PH_MINIINFO_CREATE_DIALOG, *PPH_MINIINFO_CREATE_DIALOG; #define PH_MINIINFO_SECTION_NO_UPPER_MARGINS 0x1 // end_phapppub // begin_phapppub typedef struct _PH_MINIINFO_SECTION { // Public // Initialization PH_STRINGREF Name; ULONG Flags; PPH_MINIINFO_SECTION_CALLBACK Callback; PVOID Context; PVOID Reserved1[3]; PPH_MINIINFO_PARAMETERS Parameters; PVOID Reserved2[3]; // end_phapppub // Private ULONG SpareFlag; HWND DialogHandle; PPH_STRING Text; // begin_phapppub } PH_MINIINFO_SECTION, *PPH_MINIINFO_SECTION; // end_phapppub typedef enum _PH_MINIINFO_PIN_TYPE { MiniInfoManualPinType, // User pin MiniInfoIconPinType, // Notification icon MiniInfoActivePinType, // Window is active MiniInfoHoverPinType, // Cursor is over mini info window MiniInfoChildControlPinType, // Interacting with child control MaxMiniInfoPinType } PH_MINIINFO_PIN_TYPE; #define PH_MINIINFO_ACTIVATE_WINDOW 0x1 #define PH_MINIINFO_LOAD_POSITION 0x2 #define PH_MINIINFO_DONT_CHANGE_SECTION_IF_PINNED 0x4 VOID PhPinMiniInformation( _In_ PH_MINIINFO_PIN_TYPE PinType, _In_ LONG PinCount, _In_opt_ ULONG PinDelayMs, _In_ ULONG Flags, _In_opt_ PCWSTR SectionName, _In_opt_ PPOINT SourcePoint ); // begin_phapppub // List section typedef enum _PH_MINIINFO_LIST_SECTION_MESSAGE { MiListSectionCreate, MiListSectionDestroy, MiListSectionTick, MiListSectionShowing, // BOOLEAN Parameter1 (Showing) MiListSectionDialogCreated, // HWND Parameter1 (DialogHandle) MiListSectionSortProcessList, // PPH_MINIINFO_LIST_SECTION_SORT_LIST Parameter1 MiListSectionAssignSortData, // PPH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA Parameter1 MiListSectionSortGroupList, // PPH_MINIINFO_LIST_SECTION_SORT_LIST Parameter1 MiListSectionGetTitleText, // PPH_MINIINFO_LIST_SECTION_GET_TITLE_TEXT Parameter1 MiListSectionGetUsageText, // PPH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT Parameter1 MiListSectionInitializeContextMenu, // PPH_MINIINFO_LIST_SECTION_MENU_INFORMATION Parameter1 MiListSectionHandleContextMenu, // PPH_MINIINFO_LIST_SECTION_MENU_INFORMATION Parameter1 MaxMiListSectionMessage } PH_MINIINFO_LIST_SECTION_MESSAGE; typedef struct _PH_MINIINFO_LIST_SECTION PH_MINIINFO_LIST_SECTION, *PPH_MINIINFO_LIST_SECTION; typedef BOOLEAN (NTAPI *PPH_MINIINFO_LIST_SECTION_CALLBACK)( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); // The list section performs the following steps when constructing the list of process groups: // 1. MiListSectionSortProcessList is sent in order to sort the process list. // 2. A small number of process groups is created from the first few processes in the sorted list (typically high // resource consumers). // 3. MiListSectionAssignSortData is sent for each process group so that the user can assign custom sort data to // each process group. // 4. MiListSectionSortGroupList is sent in order to ensure that the process groups are correctly sorted by resource // usage. // The user also has access to the sort data when handling MiListSectionGetTitleText and MiListSectionGetUsageText. typedef struct _PH_MINIINFO_LIST_SECTION_SORT_DATA { PH_TREENEW_NODE DoNotModify; ULONGLONG UserData[4]; } PH_MINIINFO_LIST_SECTION_SORT_DATA, *PPH_MINIINFO_LIST_SECTION_SORT_DATA; typedef struct _PH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA { PPH_PROCESS_GROUP ProcessGroup; PPH_MINIINFO_LIST_SECTION_SORT_DATA SortData; } PH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA, *PPH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA; typedef struct _PH_MINIINFO_LIST_SECTION_SORT_LIST { // MiListSectionSortProcessList: List of PPH_PROCESS_NODE // MiListSectionSortGroupList: List of PPH_MINIINFO_LIST_SECTION_SORT_DATA PPH_LIST List; } PH_MINIINFO_LIST_SECTION_SORT_LIST, *PPH_MINIINFO_LIST_SECTION_SORT_LIST; typedef struct _PH_MINIINFO_LIST_SECTION_GET_TITLE_TEXT { PPH_PROCESS_GROUP ProcessGroup; PPH_MINIINFO_LIST_SECTION_SORT_DATA SortData; PPH_STRING Title; // Top line (may already contain a string) PPH_STRING Subtitle; // Bottom line (may already contain a string) COLORREF TitleColor; COLORREF SubtitleColor; } PH_MINIINFO_LIST_SECTION_GET_TITLE_TEXT, *PPH_MINIINFO_LIST_SECTION_GET_TITLE_TEXT; typedef struct _PH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT { PPH_PROCESS_GROUP ProcessGroup; PPH_MINIINFO_LIST_SECTION_SORT_DATA SortData; PPH_STRING Line1; // Top line PPH_STRING Line2; // Bottom line COLORREF Line1Color; COLORREF Line2Color; } PH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT, *PPH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT; typedef struct _PH_MINIINFO_LIST_SECTION_MENU_INFORMATION { PPH_PROCESS_GROUP ProcessGroup; PPH_MINIINFO_LIST_SECTION_SORT_DATA SortData; PPH_TREENEW_CONTEXT_MENU ContextMenu; PPH_EMENU_ITEM SelectedItem; } PH_MINIINFO_LIST_SECTION_MENU_INFORMATION, *PPH_MINIINFO_LIST_SECTION_MENU_INFORMATION; // end_phapppub // begin_phapppub typedef struct _PH_MINIINFO_LIST_SECTION { // Public PPH_MINIINFO_SECTION Section; // State HWND DialogHandle; // State HWND TreeNewHandle; // State PVOID Context; // Initialization PPH_MINIINFO_LIST_SECTION_CALLBACK Callback; // Initialization // end_phapppub // Private PH_LAYOUT_MANAGER LayoutManager; ULONG RunCount; LONG SuspendUpdate; PPH_LIST ProcessGroupList; PPH_LIST NodeList; HANDLE SelectedRepresentativeProcessId; LARGE_INTEGER SelectedRepresentativeCreateTime; // begin_phapppub } PH_MINIINFO_LIST_SECTION, *PPH_MINIINFO_LIST_SECTION; // end_phapppub #endif ================================================ FILE: SystemInformer/include/miniinfop.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015-2016 * dmex 2017-2023 * */ #ifndef PH_MINIINFOP_H #define PH_MINIINFOP_H // Constants #define MIP_TIMER_PIN_FIRST 1 #define MIP_TIMER_PIN_LAST (MIP_TIMER_PIN_FIRST + MaxMiniInfoPinType - 1) #define MIP_MSG_FIRST (WM_APP + 150) #define MIP_MSG_UPDATE (WM_APP + 150) #define MIP_MSG_LAST (WM_APP + 151) #define MIP_UNPIN_CHILD_CONTROL_DELAY 1000 #define MIP_UNPIN_HOVER_DELAY 250 #define MIP_REFRESH_AUTOMATICALLY_PINNED 0x1 #define MIP_REFRESH_AUTOMATICALLY_UNPINNED 0x2 #define MIP_REFRESH_AUTOMATICALLY_FLAG(Pinned) \ ((Pinned) ? MIP_REFRESH_AUTOMATICALLY_PINNED : MIP_REFRESH_AUTOMATICALLY_UNPINNED) // Misc. #define SET_BUTTON_ICON(hwndDlg, Id, Icon) \ SendMessage(GetDlgItem(hwndDlg, (Id)), BM_SETIMAGE, IMAGE_ICON, (LPARAM)(Icon)) // Dialog procedure RTL_ATOM PhMipContainerInitializeWindowClass( VOID ); LRESULT CALLBACK PhMipContainerWndProc( _In_ HWND hWnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhMipMiniInfoDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); // Container event handlers VOID PhMipContainerOnShowWindow( _In_ BOOLEAN Showing, _In_ ULONG State ); VOID PhMipContainerOnActivate( _In_ ULONG Type, _In_ BOOLEAN Minimized ); VOID PhMipContainerOnSize( VOID ); VOID PhMipContainerOnSizing( _In_ ULONG Edge, _In_ PRECT DragRectangle ); VOID PhMipContainerOnExitSizeMove( VOID ); BOOLEAN PhMipContainerOnEraseBkgnd( _In_ HDC hdc ); VOID PhMipContainerOnTimer( _In_ ULONG Id ); // Child dialog event handlers VOID PhMipOnInitDialog( VOID ); VOID PhMipOnShowWindow( _In_ BOOLEAN Showing, _In_ ULONG State ); VOID PhMipOnCommand( _In_ ULONG Id, _In_ ULONG Code ); _Success_(return) BOOLEAN PhMipOnNotify( _In_ NMHDR *Header, _Out_ LRESULT *Result ); _Success_(return) BOOLEAN PhMipOnCtlColorXxx( _In_ ULONG Message, _In_ HWND WindowHandle, _In_ HDC hdc, _Out_ HBRUSH *Brush ); BOOLEAN PhMipOnDrawItem( _In_ ULONG_PTR Id, _In_ DRAWITEMSTRUCT *DrawItemStruct ); VOID PhMipOnUserMessage( _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ); // Framework typedef enum _PH_MIP_ADJUST_PIN_RESULT { NoAdjustPinResult, ShowAdjustPinResult, HideAdjustPinResult } PH_MIP_ADJUST_PIN_RESULT; BOOLEAN NTAPI PhMipMessageLoopFilter( _In_ PMSG Message, _In_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMipUpdateHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ); PH_MIP_ADJUST_PIN_RESULT PhMipAdjustPin( _In_ PH_MINIINFO_PIN_TYPE PinType, _In_ LONG PinCount ); VOID PhMipCalculateWindowRectangle( _In_ PPOINT SourcePoint, _Out_ PPH_RECTANGLE WindowRectangle ); VOID PhMipInitializeParameters( VOID ); _Function_class_(PH_MINIINFO_CREATE_SECTION) PPH_MINIINFO_SECTION PhMipCreateSection( _In_ PPH_MINIINFO_SECTION Template ); VOID PhMipDestroySection( _In_ PPH_MINIINFO_SECTION Section ); _Function_class_(PH_MINIINFO_FIND_SECTION) PPH_MINIINFO_SECTION PhMipFindSection( _In_ PPH_STRINGREF Name ); PPH_MINIINFO_SECTION PhMipCreateInternalSection( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MINIINFO_SECTION_CALLBACK Callback ); VOID PhMipCreateSectionDialog( _In_ PPH_MINIINFO_SECTION Section ); VOID PhMipChangeSection( _In_ PPH_MINIINFO_SECTION NewSection ); VOID PhMipSetSectionText( _In_ struct _PH_MINIINFO_SECTION *Section, _In_opt_ PPH_STRING Text ); VOID PhMipUpdateSectionText( _In_ PPH_MINIINFO_SECTION Section ); VOID PhMipLayout( VOID ); VOID PhMipBeginChildControlPin( VOID ); VOID PhMipEndChildControlPin( VOID ); VOID PhMipRefresh( VOID ); VOID PhMipToggleRefreshAutomatically( VOID ); VOID PhMipSetPinned( _In_ BOOLEAN Pinned, _In_ BOOLEAN Update ); VOID PhMipShowSectionMenu( VOID ); VOID PhMipShowOptionsMenu( VOID ); LRESULT CALLBACK PhMipSectionControlHookWndProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); // List-based section #define MIP_MAX_PROCESS_GROUPS 15 #define MIP_SINGLE_COLUMN_ID 0 #define MIP_CELL_PADDING 5 #define MIP_ICON_PADDING 3 #define MIP_INNER_PADDING 3 typedef struct _PH_MIP_GROUP_NODE { union { PH_TREENEW_NODE Node; PH_MINIINFO_LIST_SECTION_SORT_DATA SortData; }; PPH_PROCESS_GROUP ProcessGroup; HANDLE RepresentativeProcessId; LARGE_INTEGER RepresentativeCreateTime; BOOLEAN RepresentativeIsHung; BOOLEAN RepresentativeIsTerminated; PPH_STRING TooltipText; } PH_MIP_GROUP_NODE, *PPH_MIP_GROUP_NODE; PPH_MINIINFO_LIST_SECTION PhMipCreateListSection( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MINIINFO_LIST_SECTION Template ); PPH_MINIINFO_LIST_SECTION PhMipCreateInternalListSection( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MINIINFO_LIST_SECTION_CALLBACK Callback ); BOOLEAN PhMipListSectionCallback( _In_ PPH_MINIINFO_SECTION Section, _In_ PH_MINIINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ); INT_PTR CALLBACK PhMipListSectionDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhMipListSectionSortFunction( _In_ PPH_LIST List, _In_opt_ PVOID Context ); VOID PhMipTickListSection( _In_ PPH_MINIINFO_LIST_SECTION ListSection ); VOID PhMipClearListSection( _In_ PPH_MINIINFO_LIST_SECTION ListSection ); LONG PhMipCalculateRowHeight( _In_ HWND WindowHandle ); PPH_MIP_GROUP_NODE PhMipAddGroupNode( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_PROCESS_GROUP ProcessGroup ); VOID PhMipDestroyGroupNode( _In_ PPH_MIP_GROUP_NODE Node ); BOOLEAN PhMipListSectionTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ); PPH_STRING PhMipGetGroupNodeTooltip( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_MIP_GROUP_NODE Node ); PPH_MIP_GROUP_NODE PhMipGetSelectedGroupNode( _In_ PPH_MINIINFO_LIST_SECTION ListSection ); VOID PhMipShowListSectionContextMenu( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ); VOID PhMipHandleListSectionCommand( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_PROCESS_GROUP ProcessGroup, _In_ ULONG Id ); // CPU section BOOLEAN PhMipCpuListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); int __cdecl PhMipCpuListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); int __cdecl PhMipCpuListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); // Commit charge section BOOLEAN PhMipCommitListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); int __cdecl PhMipCommitListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); int __cdecl PhMipCommitListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); // Physical memory section BOOLEAN PhMipPhysicalListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); int __cdecl PhMipPhysicalListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); int __cdecl PhMipPhysicalListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); // I/O section BOOLEAN PhMipIoListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); int __cdecl PhMipIoListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); int __cdecl PhMipIoListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ); #endif ================================================ FILE: SystemInformer/include/modlist.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #ifndef PH_MODLIST_H #define PH_MODLIST_H #include #include // Columns #define PHMOTLC_NAME 0 #define PHMOTLC_BASEADDRESS 1 #define PHMOTLC_SIZE 2 #define PHMOTLC_DESCRIPTION 3 #define PHMOTLC_COMPANYNAME 4 #define PHMOTLC_VERSION 5 #define PHMOTLC_FILENAME 6 #define PHMOTLC_TYPE 7 #define PHMOTLC_LOADCOUNT 8 #define PHMOTLC_VERIFICATIONSTATUS 9 #define PHMOTLC_VERIFIEDSIGNER 10 #define PHMOTLC_ASLR 11 #define PHMOTLC_TIMESTAMP 12 #define PHMOTLC_CFGUARD 13 #define PHMOTLC_LOADTIME 14 #define PHMOTLC_LOADREASON 15 #define PHMOTLC_FILEMODIFIEDTIME 16 #define PHMOTLC_FILESIZE 17 #define PHMOTLC_ENTRYPOINT 18 #define PHMOTLC_PARENTBASEADDRESS 19 #define PHMOTLC_CET 20 #define PHMOTLC_COHERENCY 21 #define PHMOTLC_TIMELINE 22 #define PHMOTLC_ORIGINALNAME 23 #define PHMOTLC_SERVICE 24 #define PHMOTLC_ENCLAVE_TYPE 25 #define PHMOTLC_ENCLAVE_BASE_ADDRESS 26 #define PHMOTLC_ENCLAVE_SIZE 27 #define PHMOTLC_ARCHITECTURE 28 #define PHMOTLC_MAXIMUM 29 // begin_phapppub typedef struct _PH_MODULE_NODE { PH_TREENEW_NODE Node; PH_SH_STATE ShState; PPH_MODULE_ITEM ModuleItem; // end_phapppub PH_STRINGREF TextCache[PHMOTLC_MAXIMUM]; ULONG ValidMask; PPH_STRING TooltipText; PPH_STRING FileNameWin32; PPH_STRING SizeText; WCHAR LoadCountText[PH_INT32_STR_LEN_1]; PPH_STRING TimeStampText; PPH_STRING LoadTimeText; PPH_STRING FileModifiedTimeText; PPH_STRING FileSizeText; PPH_STRING ImageCoherencyText; PPH_STRING ServiceText; PPH_STRING EnclaveSizeText; struct _PH_MODULE_NODE *Parent; PPH_LIST Children; // begin_phapppub } PH_MODULE_NODE, *PPH_MODULE_NODE; // end_phapppub #define PH_MODULE_FLAGS_DYNAMIC_OPTION 1 #define PH_MODULE_FLAGS_MAPPED_OPTION 2 #define PH_MODULE_FLAGS_STATIC_OPTION 3 #define PH_MODULE_FLAGS_SIGNED_OPTION 4 #define PH_MODULE_FLAGS_HIGHLIGHT_UNSIGNED_OPTION 5 #define PH_MODULE_FLAGS_HIGHLIGHT_DOTNET_OPTION 6 #define PH_MODULE_FLAGS_HIGHLIGHT_IMMERSIVE_OPTION 7 #define PH_MODULE_FLAGS_HIGHLIGHT_RELOCATED_OPTION 8 #define PH_MODULE_FLAGS_LOAD_MODULE_OPTION 9 #define PH_MODULE_FLAGS_MODULE_STRINGS_OPTION 10 #define PH_MODULE_FLAGS_SYSTEM_OPTION 11 #define PH_MODULE_FLAGS_HIGHLIGHT_SYSTEM_OPTION 12 #define PH_MODULE_FLAGS_LOWIMAGECOHERENCY_OPTION 13 #define PH_MODULE_FLAGS_HIGHLIGHT_LOWIMAGECOHERENCY_OPTION 14 #define PH_MODULE_FLAGS_IMAGEKNOWNDLL_OPTION 15 #define PH_MODULE_FLAGS_HIGHLIGHT_IMAGEKNOWNDLL 16 #define PH_MODULE_FLAGS_ZERO_PAD_ADDRESSES 17 #define PH_MODULE_FLAGS_SAVE_OPTION 40 // Always last (dmex) typedef struct _PH_MODULE_LIST_CONTEXT { HWND ParentWindowHandle; HWND TreeNewHandle; ULONG TreeNewSortColumn; PH_TN_FILTER_SUPPORT TreeFilterSupport; PH_SORT_ORDER TreeNewSortOrder; PH_CM_MANAGER Cm; HANDLE ProcessId; LARGE_INTEGER ProcessCreateTime; BOOLEAN HasServices; BOOLEAN EnableStateHighlighting; union { ULONG Flags; struct { ULONG Reserved : 1; ULONG HideDynamicModules : 1; ULONG HideMappedModules : 1; ULONG HideSignedModules : 1; ULONG HideStaticModules : 1; ULONG HighlightUntrustedModules : 1; ULONG HighlightDotNetModules : 1; ULONG HighlightImmersiveModules : 1; ULONG HighlightRelocatedModules : 1; ULONG HideSystemModules : 1; ULONG HighlightSystemModules : 1; ULONG HideLowImageCoherency : 1; ULONG HighlightLowImageCoherency : 1; ULONG HideImageKnownDll : 1; ULONG HighlightImageKnownDll : 1; ULONG ZeroPadAddresses : 1; ULONG Spare : 16; }; }; PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; PPH_LIST NodeRootList; PPH_POINTER_LIST NodeStateList; HFONT BoldFont; } PH_MODULE_LIST_CONTEXT, *PPH_MODULE_LIST_CONTEXT; VOID PhInitializeModuleList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_MODULE_LIST_CONTEXT Context ); VOID PhDeleteModuleList( _In_ PPH_MODULE_LIST_CONTEXT Context ); VOID PhLoadSettingsModuleList( _Inout_ PPH_MODULE_LIST_CONTEXT Context ); VOID PhSaveSettingsModuleList( _Inout_ PPH_MODULE_LIST_CONTEXT Context ); VOID PhSetOptionsModuleList( _Inout_ PPH_MODULE_LIST_CONTEXT Context, _In_ ULONG Options ); PPH_MODULE_NODE PhAddModuleNode( _Inout_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_ITEM ModuleItem, _In_ ULONG RunId ); PPH_MODULE_NODE PhFindModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_ITEM ModuleItem ); VOID PhRemoveModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_NODE ModuleNode ); VOID PhUpdateModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_NODE ModuleNode ); VOID PhInvalidateAllModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ); VOID PhInvalidateAllModuleBaseAddressNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ); VOID PhExpandAllModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ BOOLEAN Expand ); VOID PhTickModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ); PPH_MODULE_ITEM PhGetSelectedModuleItem( _In_ PPH_MODULE_LIST_CONTEXT Context ); VOID PhGetSelectedModuleItems( _In_ PPH_MODULE_LIST_CONTEXT Context, _Out_ PPH_MODULE_ITEM **Modules, _Out_ PULONG NumberOfModules ); VOID PhDeselectAllModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ); BOOLEAN PhShouldShowModuleCoherency( _In_ PPH_MODULE_ITEM ModuleItem, _In_ BOOLEAN CheckThreshold ); #endif ================================================ FILE: SystemInformer/include/modprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #ifndef PH_MODPRV_H #define PH_MODPRV_H extern PPH_OBJECT_TYPE PhModuleProviderType; extern PPH_OBJECT_TYPE PhModuleItemType; // begin_phapppub typedef struct _PH_MODULE_ITEM { PVOID BaseAddress; PVOID ParentBaseAddress; PVOID EntryPoint; ULONG Size; ULONG Flags; ULONG Type; USHORT LoadReason; USHORT LoadCount; PPH_STRING Name; PPH_STRING FileName; PH_IMAGE_VERSION_INFO VersionInfo; ULONG EnclaveType; PVOID EnclaveBaseAddress; SIZE_T EnclaveSize; union { BOOLEAN StateFlags; struct { BOOLEAN JustProcessed : 1; BOOLEAN IsFirst : 1; BOOLEAN ImageNotAtBase : 1; BOOLEAN ImageKnownDll : 1; BOOLEAN Spare : 4; }; }; ULONG VerifyResult; PPH_STRING VerifySignerName; USHORT ImageMachine; ULONG ImageCHPEVersion; ULONG ImageTimeDateStamp; USHORT ImageCharacteristics; USHORT ImageDllCharacteristics; ULONG ImageDllCharacteristicsEx; ULONG GuardFlags; LARGE_INTEGER LoadTime; LARGE_INTEGER FileLastWriteTime; LARGE_INTEGER FileEndOfFile; NTSTATUS ImageCoherencyStatus; FLOAT ImageCoherency; WCHAR BaseAddressString[PH_PTR_STR_LEN_1]; WCHAR ParentBaseAddressString[PH_PTR_STR_LEN_1]; WCHAR EntryPointAddressString[PH_PTR_STR_LEN_1]; WCHAR EnclaveBaseAddressString[PH_PTR_STR_LEN_1]; } PH_MODULE_ITEM, *PPH_MODULE_ITEM; typedef struct _PH_MODULE_PROVIDER { PPH_HASHTABLE ModuleHashtable; PH_FAST_LOCK ModuleHashtableLock; PH_CALLBACK ModuleAddedEvent; PH_CALLBACK ModuleModifiedEvent; PH_CALLBACK ModuleRemovedEvent; PH_CALLBACK UpdatedEvent; HANDLE ProcessId; HANDLE ProcessHandle; PPH_STRING ProcessFileName; PPH_STRING PackageFullName; SLIST_HEADER QueryListHead; NTSTATUS RunStatus; union { BOOLEAN Flags; struct { BOOLEAN HaveFirst : 1; BOOLEAN IsHandleValid : 1; BOOLEAN IsSubsystemProcess : 1; BOOLEAN ControlFlowGuardEnabled : 1; BOOLEAN CetEnabled : 1; BOOLEAN CetStrictModeEnabled : 1; BOOLEAN ZeroPadAddresses : 1; BOOLEAN Spare : 1; }; }; UCHAR ImageCoherencyScanLevel; } PH_MODULE_PROVIDER, *PPH_MODULE_PROVIDER; // end_phapppub PPH_MODULE_PROVIDER PhCreateModuleProvider( _In_ HANDLE ProcessId ); PPH_MODULE_ITEM PhCreateModuleItem( VOID ); PPH_MODULE_ITEM PhReferenceModuleItemEx( _In_ PPH_MODULE_PROVIDER ModuleProvider, _In_ PVOID BaseAddress, _In_opt_ PVOID EnclaveBaseAddress, _In_opt_ PPH_STRING FileName ); PPH_MODULE_ITEM PhReferenceModuleItem( _In_ PPH_MODULE_PROVIDER ModuleProvider, _In_ PVOID BaseAddress ); VOID PhDereferenceAllModuleItems( _In_ PPH_MODULE_PROVIDER ModuleProvider ); _Function_class_(PH_PROVIDER_FUNCTION) VOID PhModuleProviderUpdate( _In_ PVOID Object ); PCPH_STRINGREF PhGetModuleTypeName( _In_ ULONG ModuleType ); PCPH_STRINGREF PhGetModuleLoadReasonTypeName( _In_ USHORT LoadReason ); PCPH_STRINGREF PhGetModuleEnclaveTypeName( _In_ ULONG EnclaveType ); #endif ================================================ FILE: SystemInformer/include/netlist.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef PH_NETLIST_H #define PH_NETLIST_H #include // Columns #define PHNETLC_PROCESS 0 #define PHNETLC_PID 1 #define PHNETLC_LOCALADDRESS 2 #define PHNETLC_LOCALPORT 3 #define PHNETLC_REMOTEADDRESS 4 #define PHNETLC_REMOTEPORT 5 #define PHNETLC_PROTOCOL 6 #define PHNETLC_STATE 7 #define PHNETLC_OWNER 8 #define PHNETLC_TIMESTAMP 9 #define PHNETLC_LOCALHOSTNAME 10 #define PHNETLC_REMOTEHOSTNAME 11 #define PHNETLC_TIMELINE 12 #define PHNETLC_HV_SERVICE 13 #define PHNETLC_MAXIMUM 14 // begin_phapppub typedef struct _PH_NETWORK_NODE { PH_TREENEW_NODE Node; PH_SH_STATE ShState; PPH_NETWORK_ITEM NetworkItem; PPH_STRING ProcessNameText; PPH_STRING TimeStampText; WCHAR ProcessIdString[PH_INT32_STR_LEN_1]; // end_phapppub PPH_STRING TooltipText; ULONG64 UniqueId; PH_STRINGREF TextCache[PHNETLC_MAXIMUM]; // begin_phapppub } PH_NETWORK_NODE, *PPH_NETWORK_NODE; // end_phapppub VOID PhNetworkTreeListInitialization( VOID ); VOID PhInitializeNetworkTreeList( _In_ HWND TreeNewHandle ); VOID PhLoadSettingsNetworkTreeList( VOID ); VOID PhSaveSettingsNetworkTreeList( VOID ); // begin_phapppub PHAPPAPI PPH_TN_FILTER_SUPPORT NTAPI PhGetFilterSupportNetworkTreeList( VOID ); // end_phapppub PPH_NETWORK_NODE PhAddNetworkNode( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ ULONG RunId ); // begin_phapppub PHAPPAPI PPH_NETWORK_NODE NTAPI PhFindNetworkNode( _In_ PPH_NETWORK_ITEM NetworkItem ); // end_phapppub VOID PhRemoveNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode ); VOID PhUpdateNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode ); VOID PhTickNetworkNodes( VOID ); PPH_NETWORK_ITEM PhGetSelectedNetworkItem( VOID ); VOID PhGetSelectedNetworkItems( _Out_ PPH_NETWORK_ITEM **NetworkItems, _Out_ PULONG NumberOfNetworkItems ); // begin_phapppub VOID PhDeselectAllNetworkNodes( VOID ); // end_phapppub BOOLEAN PhSelectAndEnsureVisibleNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode ); VOID PhInvalidateAllNetworkNodes( VOID ); VOID PhInvalidateAllNetworkNodesHostnames( VOID ); VOID PhCopyNetworkList( VOID ); VOID PhWriteNetworkList( _Inout_ PPH_FILE_STREAM FileStream, _In_ ULONG Mode ); PPH_LIST PhDuplicateNetworkNodeList( VOID ); #endif ================================================ FILE: SystemInformer/include/netprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #ifndef PH_NETPRV_H #define PH_NETPRV_H extern PPH_OBJECT_TYPE PhNetworkItemType; extern BOOLEAN PhEnableNetworkProviderResolve; extern BOOLEAN PhEnableNetworkBoundConnections; typedef enum _PH_NETWORK_PROVIDER_FLAG { PH_NETWORK_PROVIDER_FLAG_HOSTNAME = 0x1, } PH_NETWORK_PROVIDER_FLAG; extern ULONG PhNetworkProviderFlagsMask; // begin_phapppub #define PH_NETWORK_OWNER_INFO_SIZE 16 typedef struct _PH_NETWORK_ITEM { ULONG ProtocolType; PH_IP_ENDPOINT LocalEndpoint; PH_IP_ENDPOINT RemoteEndpoint; MIB_TCP_STATE State; HANDLE ProcessId; PPH_STRING ProcessName; ULONG_PTR ProcessIconIndex; BOOLEAN ProcessIconValid; PPH_STRING OwnerName; volatile LONG JustResolved; PPH_STRING LocalAddressString; WCHAR LocalPortString[PH_INT32_STR_LEN_1]; PPH_STRING RemoteAddressString; WCHAR RemotePortString[PH_INT32_STR_LEN_1]; PPH_STRING LocalHostString; PPH_STRING RemoteHostString; PPH_STRING HvService; LARGE_INTEGER CreateTime; ULONG LocalScopeId; ULONG RemoteScopeId; union { ULONG Flags; struct { ULONG UnknownProcess : 1; ULONG SubsystemProcess : 1; ULONG Spare : 27; ULONG InvalidateHostname : 1; ULONG LocalHostnameResolved : 1; ULONG RemoteHostnameResolved : 1; }; }; PPH_PROCESS_ITEM ProcessItem; } PH_NETWORK_ITEM, *PPH_NETWORK_ITEM; // end_phapppub BOOLEAN PhNetworkProviderInitialization( VOID ); PPH_NETWORK_ITEM PhCreateNetworkItem( VOID ); // begin_phapppub PHAPPAPI PPH_NETWORK_ITEM NTAPI PhReferenceNetworkItem( _In_ ULONG ProtocolType, _In_ PPH_IP_ENDPOINT LocalEndpoint, _In_ PPH_IP_ENDPOINT RemoteEndpoint, _In_ HANDLE ProcessId ); PHAPPAPI VOID NTAPI PhEnumNetworkItems( _Out_opt_ PPH_NETWORK_ITEM** NetworkItems, _Out_ PULONG NumberOfNetworkItems ); PHAPPAPI VOID NTAPI PhEnumNetworkItemsByProcessId( _In_opt_ HANDLE ProcessId, _Out_opt_ PPH_NETWORK_ITEM** NetworkItems, _Out_ PULONG NumberOfNetworkItems ); // end_phapppub VOID PhFlushNetworkItemResolveCache( VOID ); //PPH_STRING PhGetHostNameFromAddress( // _In_ PPH_IP_ADDRESS Address // ); _Function_class_(PH_PROVIDER_FUNCTION) VOID PhNetworkProviderUpdate( _In_ PVOID Object ); // begin_phapppub PHAPPAPI PCPH_STRINGREF NTAPI PhGetProtocolTypeName( _In_ ULONG ProtocolType ); PHAPPAPI PCPH_STRINGREF NTAPI PhGetTcpStateName( _In_ ULONG State ); // end_phapppub // iphlpapi imports typedef ULONG (WINAPI *_GetExtendedTcpTable)( _Out_writes_bytes_opt_(*pdwSize) PVOID pTcpTable, _Inout_ PULONG pdwSize, _In_ BOOL bOrder, _In_ ULONG ulAf, _In_ TCP_TABLE_CLASS TableClass, _In_ ULONG Reserved ); typedef ULONG (WINAPI *_GetExtendedUdpTable)( _Out_writes_bytes_opt_(*pdwSize) PVOID pUdpTable, _Inout_ PULONG pdwSize, _In_ BOOL bOrder, _In_ ULONG ulAf, _In_ UDP_TABLE_CLASS TableClass, _In_ ULONG Reserved ); //DECLSPEC_IMPORT ULONG WINAPI InternalGetTcpTableWithOwnerModule( // _Out_ PVOID* Tcp4Table, // PMIB_TCPTABLE_OWNER_MODULE // _In_ PVOID HeapHandle, // _In_opt_ ULONG HeapFlags // ); //DECLSPEC_IMPORT ULONG WINAPI InternalGetTcp6TableWithOwnerModule( // _Out_ PVOID* Tcp6Table, // PMIB_TCP6TABLE_OWNER_MODULE // _In_ PVOID HeapHandle, // _In_opt_ ULONG HeapFlags // ); //DECLSPEC_IMPORT ULONG WINAPI InternalGetUdpTableWithOwnerModule( // _Out_ PVOID* Udp4Table, // PMIB_UDPTABLE_OWNER_MODULE // _In_ PVOID HeapHandle, // _In_opt_ ULONG HeapFlags // ); //DECLSPEC_IMPORT ULONG WINAPI InternalGetUdp6TableWithOwnerModule( // _Out_ PVOID* Udp6Table, // PMIB_UDP6TABLE_OWNER_MODULE // _In_ PVOID HeapHandle, // _In_opt_ ULONG HeapFlags // ); typedef ULONG (WINAPI *_InternalGetBoundTcpEndpointTable)( _Out_ _When_(return!=0, _Notnull_) PVOID* BoundTcpTable, // PMIB_TCPTABLE2 _In_ PVOID HeapHandle, _In_opt_ ULONG HeapFlags ); typedef ULONG (WINAPI *_InternalGetBoundTcp6EndpointTable)( _Out_ _When_(return!=0, _Notnull_) PVOID* BoundTcpTable, // PMIB_TCP6TABLE2 _In_ PVOID HeapHandle, _In_opt_ ULONG HeapFlags ); // netsup NTSTATUS NTAPI PhSetTcpEntry( _In_ PPH_NETWORK_ITEM NetworkItem ); #endif ================================================ FILE: SystemInformer/include/notifico.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ #ifndef PH_NOTIFICO_H #define PH_NOTIFICO_H extern PPH_LIST PhTrayIconItemList; typedef enum _PH_TRAY_ICON_ID { PH_TRAY_ICON_ID_NONE, PH_TRAY_ICON_ID_CPU_USAGE, PH_TRAY_ICON_ID_CPU_HISTORY, PH_TRAY_ICON_ID_IO_HISTORY, PH_TRAY_ICON_ID_COMMIT_HISTORY, PH_TRAY_ICON_ID_PHYSICAL_HISTORY, PH_TRAY_ICON_ID_CPU_TEXT, PH_TRAY_ICON_ID_IO_TEXT, PH_TRAY_ICON_ID_COMMIT_TEXT, PH_TRAY_ICON_ID_PHYSICAL_TEXT, PH_TRAY_ICON_ID_PLAIN_ICON, PH_TRAY_ICON_ID_MAXIMUM } PH_TRAY_ICON_ID; typedef enum _PH_TRAY_ICON_GUID { PH_TRAY_ICON_GUID_CPU_USAGE, PH_TRAY_ICON_GUID_CPU_HISTORY, PH_TRAY_ICON_GUID_IO_HISTORY, PH_TRAY_ICON_GUID_COMMIT_HISTORY, PH_TRAY_ICON_GUID_PHYSICAL_HISTORY, PH_TRAY_ICON_GUID_CPU_TEXT, PH_TRAY_ICON_GUID_IO_TEXT, PH_TRAY_ICON_GUID_COMMIT_TEXT, PH_TRAY_ICON_GUID_PHYSICAL_TEXT, PH_TRAY_ICON_GUID_PLAIN_ICON, PH_TRAY_ICON_GUID_MAXIMUM } PH_TRAY_ICON_GUID; #define PH_TRAY_ICON_ID_PLUGIN 0x80 #define PH_ICON_LIMIT 0x80000000 #define PH_ICON_ALL 0xffffffff // begin_phapppub typedef struct _PH_NF_ICON PH_NF_ICON, *PPH_NF_ICON; typedef _Function_class_(PH_NF_UPDATE_REGISTERED_ICON) VOID NTAPI PH_NF_UPDATE_REGISTERED_ICON( _In_ PPH_NF_ICON Icon ); typedef PH_NF_UPDATE_REGISTERED_ICON* PPH_NF_UPDATE_REGISTERED_ICON; typedef _Function_class_(PH_NF_BEGIN_BITMAP) VOID NTAPI PH_NF_BEGIN_BITMAP( _Out_ PULONG Width, _Out_ PULONG Height, _Out_ HBITMAP *Bitmap, _Out_opt_ PVOID *Bits, _Out_ HDC *Hdc, _Out_ HBITMAP *OldBitmap ); typedef PH_NF_BEGIN_BITMAP* PPH_NF_BEGIN_BITMAP; typedef struct _PH_NF_POINTERS { PPH_NF_BEGIN_BITMAP BeginBitmap; } PH_NF_POINTERS, *PPH_NF_POINTERS; #define PH_NF_UPDATE_IS_BITMAP 0x1 #define PH_NF_UPDATE_DESTROY_RESOURCE 0x2 typedef _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID NTAPI PH_NF_ICON_UPDATE_CALLBACK( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); typedef PH_NF_ICON_UPDATE_CALLBACK* PPH_NF_ICON_UPDATE_CALLBACK; typedef _Function_class_(PH_NF_ICON_MESSAGE_CALLBACK) BOOLEAN NTAPI PH_NF_ICON_MESSAGE_CALLBACK( _In_ PPH_NF_ICON Icon, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam, _In_opt_ PVOID Context ); typedef PH_NF_ICON_MESSAGE_CALLBACK* PPH_NF_ICON_MESSAGE_CALLBACK; // Special messages // The message type is stored in LOWORD(LParam), and the message data is in WParam. #define PH_NF_MSG_SHOWMINIINFOSECTION (WM_APP + 1) typedef struct _PH_NF_MSG_SHOWMINIINFOSECTION_DATA { PWSTR SectionName; // NULL to leave unchanged } PH_NF_MSG_SHOWMINIINFOSECTION_DATA, *PPH_NF_MSG_SHOWMINIINFOSECTION_DATA; // Structures and internal functions #define PH_NF_ICON_ENABLED 0x1 #define PH_NF_ICON_UNAVAILABLE 0x2 #define PH_NF_ICON_NOSHOW_MINIINFO 0x4 // end_phapppub // begin_phapppub typedef struct _PH_PLUGIN PH_PLUGIN, *PPH_PLUGIN; typedef struct _PH_NF_ICON { // Public PPH_PLUGIN Plugin; ULONG SubId; PVOID Context; PPH_NF_POINTERS Pointers; // end_phapppub // Private PCWSTR Text; ULONG Flags; ULONG IconId; GUID IconGuid; PPH_NF_ICON_UPDATE_CALLBACK UpdateCallback; PPH_NF_ICON_MESSAGE_CALLBACK MessageCallback; PPH_STRING TextCache; // begin_phapppub } PH_NF_ICON, *PPH_NF_ICON; // end_phapppub VOID PhNfLoadStage1( VOID ); VOID PhNfLoadStage2( VOID ); VOID PhNfSaveSettings( VOID ); VOID PhNfUninitialization( VOID ); VOID PhNfForwardMessage( _In_ HWND WindowHandle, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ); VOID PhNfSetVisibleIcon( _In_ PPH_NF_ICON Icon, _In_ BOOLEAN Visible ); BOOLEAN PhNfShowBalloonTip( _In_ PCWSTR Title, _In_ PCWSTR Text, _In_ ULONG Timeout ); HRESULT PhNfShowBalloonTipEx( _In_ PCWSTR Title, _In_ PCWSTR Text, _In_ ULONG Timeout, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ); HICON PhNfBitmapToIcon( _In_ HBITMAP Bitmap ); PPH_NF_ICON PhNfRegisterIcon( _In_opt_ PPH_PLUGIN Plugin, _In_ ULONG Id, _In_ GUID Guid, _In_opt_ PVOID Context, _In_ PCWSTR Text, _In_ ULONG Flags, _In_opt_ PPH_NF_ICON_UPDATE_CALLBACK UpdateCallback, _In_opt_ PPH_NF_ICON_MESSAGE_CALLBACK MessageCallback ); PPH_NF_ICON PhNfGetIconById( _In_ ULONG Id ); PPH_NF_ICON PhNfFindIcon( _In_ PPH_STRINGREF PluginName, _In_ ULONG SubId ); BOOLEAN PhNfIconsEnabled( VOID ); VOID PhNfNotifyMiniInfoPinned( _In_ BOOLEAN Pinned ); // begin_phapppub // Public registration data typedef struct _PH_NF_ICON_REGISTRATION_DATA { PPH_NF_ICON_UPDATE_CALLBACK UpdateCallback; PPH_NF_ICON_MESSAGE_CALLBACK MessageCallback; } PH_NF_ICON_REGISTRATION_DATA, *PPH_NF_ICON_REGISTRATION_DATA; VOID PhDrawTrayIconText( _In_ HDC hdc, _In_ PVOID Bits, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ PPH_STRINGREF Text ); HFONT PhNfGetTrayIconFont( _In_opt_ LONG DpiValue ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/notificop.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ #ifndef PH_NOTIFICOP_H #define PH_NOTIFICOP_H #define PH_NF_ENABLE_WORKQUEUE 1 typedef struct _PH_NF_WORKQUEUE_DATA { SLIST_ENTRY ListEntry; PPH_NF_ICON Icon; union { ULONG Flags; struct { ULONG Add : 1; ULONG Delete : 1; ULONG Update : 1; ULONG ShowBalloon : 1; ULONG Spare : 28; }; }; PPH_STRING BalloonTitle; PPH_STRING BalloonText; ULONG BalloonTimeout; } PH_NF_WORKQUEUE_DATA, *PPH_NF_WORKQUEUE_DATA; typedef struct _PH_NF_BITMAP { BOOLEAN Initialized; HDC Hdc; HBITMAP Bitmap; LPRGBQUAD Bits; LONG Width; LONG Height; LONG TaskbarDpi; } PH_NF_BITMAP, *PPH_NF_BITMAP; HICON PhNfGetApplicationIcon( _In_opt_ LONG DpiValue ); HICON PhNfpGetBlackIcon( VOID ); BOOLEAN PhNfpAddNotifyIcon( _In_ PPH_NF_ICON Icon ); BOOLEAN PhNfpRemoveNotifyIcon( _In_ PPH_NF_ICON Icon ); BOOLEAN PhNfpModifyNotifyIcon( _In_ PPH_NF_ICON Icon, _In_ ULONG Flags, _In_opt_ PPH_STRING Text, _In_opt_ HICON IconHandle ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhNfpTrayIconUpdateThread( _In_opt_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID PhNfpProcessesUpdatedHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ); VOID PhNfpUpdateRegisteredIcon( _In_ PPH_NF_ICON Icon ); _Function_class_(PH_NF_BEGIN_BITMAP) VOID PhNfpBeginBitmap( _Out_ PULONG Width, _Out_ PULONG Height, _Out_ HBITMAP *Bitmap, _Out_opt_ PVOID *Bits, _Out_ HDC *Hdc, _Out_ HBITMAP *OldBitmap ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpBeginBitmap2( _Inout_ PPH_NF_BITMAP Context, _Out_ PULONG Width, _Out_ PULONG Height, _Out_ HBITMAP *Bitmap, _Out_opt_ PVOID *Bits, _Out_ HDC *Hdc, _Out_ HBITMAP *OldBitmap ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCpuHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpIoHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCommitHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpPhysicalHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCpuUsageIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); // Text icons _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCpuUsageTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpIoUsageTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCommitTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpPhysicalUsageTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); // plain icon _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpPlainIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ); _Success_(return) BOOLEAN PhNfpGetShowMiniInfoSectionData( _In_ ULONG IconIndex, _In_ PPH_NF_ICON RegisteredIcon, _Out_ PPH_NF_MSG_SHOWMINIINFOSECTION_DATA Data ); #define NFP_ICON_CLICK_ACTIVATE_DELAY 140 #define NFP_ICON_RESTORE_HOVER_DELAY 1000 VOID PhNfpIconClickActivateTimerProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ UINT_PTR idEvent, _In_ ULONG dwTime ); VOID PhNfpDisableHover( VOID ); VOID PhNfpIconRestoreHoverTimerProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ UINT_PTR idEvent, _In_ ULONG dwTime ); VOID PhNfpIconDisablePopupHoverWin11Workaround( VOID ); VOID PhNfpIconShowPopupHoverTimerProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ UINT_PTR idEvent, _In_ ULONG dwTime ); #endif ================================================ FILE: SystemInformer/include/notiftoast.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2021 * */ #pragma once #ifndef PH_NOTIFTOAST_H #define PH_NOTIFTOAST_H EXTERN_C_START _Must_inspect_result_ HRESULT NTAPI PhInitializeToastRuntime(); VOID NTAPI PhUninitializeToastRuntime(); _Must_inspect_result_ HRESULT NTAPI PhShowToast( _In_ PCWSTR ApplicationId, _In_ PCWSTR ToastXml, _In_opt_ ULONG TimeoutMilliseconds, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ); _Must_inspect_result_ HRESULT NTAPI PhShowToastStringRef( _In_ PPH_STRINGREF ApplicationId, _In_ PPH_STRINGREF ToastXml, _In_opt_ ULONG TimeoutMilliseconds, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ); EXTERN_C_END #endif ================================================ FILE: SystemInformer/include/phapp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2024 * */ #ifndef PHAPP_H #define PHAPP_H #if !defined(_PHAPP_) #define PHAPPAPI __declspec(dllimport) #else #define PHAPPAPI __declspec(dllexport) #endif #include #include #include #include #include #include #include #include #include #include #include "../resource.h" #include #include #include // main typedef struct _PH_STARTUP_PARAMETERS { union { struct { ULONG NoSettings : 1; ULONG ShowVisible : 1; ULONG ShowHidden : 1; ULONG NoKph : 1; ULONG Debug : 1; ULONG ShowOptions : 1; ULONG PhSvc : 1; ULONG NoPlugins : 1; ULONG NewInstance : 1; ULONG Elevate : 1; ULONG Silent : 1; ULONG Help : 1; ULONG KphStartupHigh : 1; ULONG KphStartupMax : 1; ULONG Spare : 18; }; ULONG Flags; }; PPH_STRING SettingsFileName; PPH_STRING RunAsServiceMode; HWND WindowHandle; POINT Point; ULONG SelectPid; ULONG PriorityClass; PPH_LIST PluginParameters; PPH_STRING SelectTab; PPH_STRING SysInfo; PH_RELEASE_CHANNEL UpdateChannel; } PH_STARTUP_PARAMETERS, *PPH_STARTUP_PARAMETERS; extern BOOLEAN PhPluginsEnabled; extern BOOLEAN PhPortableEnabled; extern PPH_STRING PhSettingsFileName; extern PH_STARTUP_PARAMETERS PhStartupParameters; extern PH_PROVIDER_THREAD PhPrimaryProviderThread; extern PH_PROVIDER_THREAD PhSecondaryProviderThread; extern PH_PROVIDER_THREAD PhTertiaryProviderThread; extern RTL_ATOM PhTreeWindowAtom; extern RTL_ATOM PhGraphWindowAtom; extern RTL_ATOM PhHexEditWindowAtom; extern RTL_ATOM PhColorBoxWindowAtom; // begin_phapppub PHAPPAPI VOID NTAPI PhRegisterDialog( _In_ HWND DialogWindowHandle ); PHAPPAPI VOID NTAPI PhUnregisterDialog( _In_ HWND DialogWindowHandle ); typedef BOOLEAN (NTAPI *PPH_MESSAGE_LOOP_FILTER)( _In_ PMSG Message, _In_ PVOID Context ); typedef struct _PH_MESSAGE_LOOP_FILTER_ENTRY { PPH_MESSAGE_LOOP_FILTER Filter; PVOID Context; } PH_MESSAGE_LOOP_FILTER_ENTRY, *PPH_MESSAGE_LOOP_FILTER_ENTRY; PHAPPAPI PPH_MESSAGE_LOOP_FILTER_ENTRY NTAPI PhRegisterMessageLoopFilter( _In_ PPH_MESSAGE_LOOP_FILTER Filter, _In_opt_ PVOID Context ); PHAPPAPI VOID NTAPI PhUnregisterMessageLoopFilter( _In_ PPH_MESSAGE_LOOP_FILTER_ENTRY FilterEntry ); // end_phapppub // plugin extern PH_AVL_TREE PhPluginsByName; VOID PhInitializeCallbacks( VOID ); BOOLEAN PhIsPluginDisabled( _In_ PCPH_STRINGREF BaseName ); VOID PhSetPluginDisabled( _In_ PCPH_STRINGREF BaseName, _In_ BOOLEAN Disable ); VOID PhLoadPlugins( VOID ); VOID PhUnloadPlugins( _In_ BOOLEAN SessionEnding ); // log #define PH_LOG_ENTRY_PROCESS_FIRST 1 #define PH_LOG_ENTRY_PROCESS_CREATE 1 #define PH_LOG_ENTRY_PROCESS_DELETE 2 #define PH_LOG_ENTRY_PROCESS_LAST 2 #define PH_LOG_ENTRY_SERVICE_FIRST 3 #define PH_LOG_ENTRY_SERVICE_CREATE 3 #define PH_LOG_ENTRY_SERVICE_DELETE 4 #define PH_LOG_ENTRY_SERVICE_START 5 #define PH_LOG_ENTRY_SERVICE_STOP 6 #define PH_LOG_ENTRY_SERVICE_CONTINUE 7 #define PH_LOG_ENTRY_SERVICE_PAUSE 8 #define PH_LOG_ENTRY_SERVICE_MODIFIED 9 #define PH_LOG_ENTRY_SERVICE_LAST 10 #define PH_LOG_ENTRY_DEVICE_REMOVED 11 #define PH_LOG_ENTRY_DEVICE_ARRIVED 12 #define PH_LOG_ENTRY_MESSAGE 100 // phapppub typedef struct _PH_LOG_ENTRY *PPH_LOG_ENTRY; // phapppub typedef struct _PH_LOG_ENTRY { UCHAR Type; UCHAR Reserved1; USHORT Flags; LARGE_INTEGER Time; union { struct { HANDLE ProcessId; PPH_STRING Name; HANDLE ParentProcessId; PPH_STRING ParentName; NTSTATUS ExitStatus; } Process; struct { PPH_STRING Name; PPH_STRING DisplayName; } Service; struct { PPH_STRING Classification; PPH_STRING Name; } Device; PPH_STRING Message; }; UCHAR Buffer[1]; } PH_LOG_ENTRY, *PPH_LOG_ENTRY; extern PH_CIRCULAR_BUFFER_PVOID PhLogBuffer; VOID PhLogInitialization( VOID ); VOID PhClearLogEntries( VOID ); VOID PhLogProcessEntry( _In_ UCHAR Type, _In_ HANDLE ProcessId, _In_ PPH_STRING Name, _In_opt_ HANDLE ParentProcessId, _In_opt_ PPH_STRING ParentName, _In_opt_ ULONG Status ); VOID PhLogServiceEntry( _In_ UCHAR Type, _In_ PPH_STRING Name, _In_ PPH_STRING DisplayName ); VOID PhLogDeviceEntry( _In_ UCHAR Type, _In_ PPH_STRING Classification, _In_ PPH_STRING Name ); // begin_phapppub PHAPPAPI VOID NTAPI PhLogMessageEntry( _In_ UCHAR Type, _In_ PPH_STRING Message ); PHAPPAPI PPH_STRING NTAPI PhFormatLogEntry( _In_ PPH_LOG_ENTRY Entry ); PHAPPAPI PCPH_STRINGREF NTAPI PhFormatLogType( _In_ PPH_LOG_ENTRY Entry ); // end_phapppub // dbgcon VOID PhShowDebugConsole( VOID ); // itemtips PPH_STRING PhGetProcessTooltipText( _In_ PPH_PROCESS_ITEM Process, _Out_opt_ PULONG64 ValidToTickCount ); PPH_STRING PhGetServiceTooltipText( _In_ PPH_SERVICE_ITEM Service ); // cmdmode NTSTATUS PhCommandModeStart( VOID ); // anawait VOID PhUiAnalyzeWaitThread( _In_ HWND WindowHandle, _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ PPH_SYMBOL_PROVIDER SymbolProvider ); // mdump VOID PhUiCreateDumpFileProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ MINIDUMP_TYPE DumpType ); VOID PhShowCreateDumpFileProcessDialog( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); // about VOID PhShowAboutDialog( _In_ HWND ParentWindowHandle ); PPH_STRING PhGetDiagnosticsString( VOID ); PPH_STRING PhGetApplicationVersionString( _In_ BOOLEAN LinkToCommit ); // affinity VOID PhShowProcessAffinityDialog( _In_ HWND ParentWindowHandle, _In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_opt_ PPH_THREAD_ITEM ThreadItem ); // begin_phapppub _Success_(return) PHAPPAPI BOOLEAN NTAPI PhShowProcessAffinityDialog2( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _Out_ PKAFFINITY NewAffinityMask ); PHAPPAPI NTSTATUS NTAPI PhSetProcessItemAffinityMask( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ KAFFINITY AffinityMask ); PHAPPAPI NTSTATUS NTAPI PhSetProcessItemPagePriority( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG PagePriority ); PHAPPAPI NTSTATUS NTAPI PhSetProcessItemIoPriority( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ IO_PRIORITY_HINT IoPriority ); PHAPPAPI NTSTATUS NTAPI PhSetProcessItemPriority( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ UCHAR PriorityClass ); PHAPPAPI NTSTATUS NTAPI PhSetProcessItemPriorityBoost( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ BOOLEAN PriorityBoost ); PHAPPAPI NTSTATUS NTAPI PhSetProcessItemThrottlingState( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ BOOLEAN ClearThrottlingState ); // end_phapppub PHAPPAPI VOID NTAPI PhShowThreadAffinityDialog( _In_ HWND ParentWindowHandle, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ); // chcol #define PH_CONTROL_TYPE_TREE_NEW 1 VOID PhShowChooseColumnsDialog( _In_ HWND ParentWindowHandle, _In_ HWND ControlHandle, _In_ ULONG Type ); // chdlg // begin_phapppub #define PH_CHOICE_DIALOG_SAVED_CHOICES 10 #define PH_CHOICE_DIALOG_CHOICE 0x0 #define PH_CHOICE_DIALOG_USER_CHOICE 0x1 #define PH_CHOICE_DIALOG_PASSWORD 0x2 #define PH_CHOICE_DIALOG_TYPE_MASK 0x3 PHAPPAPI BOOLEAN NTAPI PhaChoiceDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR Title, _In_ PCWSTR Message, _In_opt_ PCWSTR *Choices, _In_opt_ ULONG NumberOfChoices, _In_opt_ PCWSTR Option, _In_ ULONG Flags, _Inout_ PPH_STRING *SelectedChoice, _Inout_opt_ PBOOLEAN SelectedOption, _In_opt_ PCWSTR SavedChoicesSettingName ); PHAPPAPI BOOLEAN NTAPI PhChoiceDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR Title, _In_ PCWSTR Message, _In_opt_ PCWSTR* Choices, _In_opt_ ULONG NumberOfChoices, _In_opt_ PCWSTR Option, _In_ ULONG Flags, _Inout_ PPH_STRING* SelectedChoice, _Inout_opt_ PBOOLEAN SelectedOption, _In_opt_ PCWSTR SavedChoicesSettingName ); // end_phapppub // chproc // begin_phapppub _Success_(return) PHAPPAPI BOOLEAN NTAPI PhShowChooseProcessDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR Message, _Out_ PHANDLE ProcessId ); // end_phapppub // findobj VOID PhShowFindObjectsDialog( _In_ HWND ParentWindowHandle ); // gdihndl VOID PhShowGdiHandlesDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); // heapinfo VOID PhShowProcessHeapsDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); VOID PhShowProcessLocksDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); // hidnproc VOID PhShowZombieProcessesDialog( VOID ); // hndlprp VOID PhShowHandleProperties( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId, _In_ PPH_HANDLE_ITEM HandleItem ); // hndlstat VOID PhShowHandleStatisticsDialog( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId ); // infodlg VOID PhShowInformationDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR String, _Reserved_ ULONG Flags ); // jobprp VOID PhShowJobProperties( _In_ HWND ParentWindowHandle, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context, _In_opt_ PCWSTR Title ); HPROPSHEETPAGE PhCreateJobPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context, _In_opt_ DLGPROC HookProc ); // kdump typedef union _PH_LIVE_DUMP_OPTIONS { BOOLEAN Flags; struct { BOOLEAN CompressMemoryPages : 1; BOOLEAN IncludeUserSpaceMemory : 1; BOOLEAN IncludeHypervisorPages : 1; BOOLEAN OnlyKernelThreadStacks : 1; BOOLEAN UseDumpStorageStack : 1; BOOLEAN IncludeNonEssentialHypervisorPages : 1; BOOLEAN Spare : 2; }; } PH_LIVE_DUMP_OPTIONS, *PPH_LIVE_DUMP_OPTIONS; VOID PhUiCreateLiveDump( _In_ HWND ParentWindowHandle, _In_ PPH_LIVE_DUMP_OPTIONS Options ); VOID PhShowLiveDumpDialog( _In_ HWND ParentWindowHandle ); // ksyscall PPH_STRING PhGetSystemCallNumberName( _In_ USHORT SystemCallNumber ); // logwnd VOID PhShowLogDialog( VOID ); // memedit #define PH_MEMORY_EDITOR_UNMAP_VIEW_OF_SECTION 0x1 VOID PhShowMemoryEditorDialog( _In_ HWND OwnerWindow, _In_ HANDLE ProcessId, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _In_ ULONG SelectOffset, _In_ ULONG SelectLength, _In_opt_ PPH_STRING Title, _In_ ULONG Flags ); // memlists VOID PhShowMemoryListsDialog( _In_ HWND ParentWindowHandle, _In_opt_ VOID (NTAPI *RegisterDialog)(HWND), _In_opt_ VOID (NTAPI *UnregisterDialog)(HWND) ); // memprot VOID PhShowMemoryProtectDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_MEMORY_ITEM MemoryItem ); // memrslt VOID PhShowMemoryResultsDialog( _In_ HANDLE ProcessId, _In_ PPH_LIST Results ); // memsrch VOID PhShowMemoryStringDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); // msmsrcht VOID PhShowMemoryStringTreeDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); // memmod VOID PhShowImagePageModifiedDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); // mtgndlg VOID PhShowProcessMitigationPolicyDialog( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId ); // ntobjprp HPROPSHEETPAGE PhCreateEventPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ); HPROPSHEETPAGE PhCreateEventPairPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ); HPROPSHEETPAGE PhCreateSemaphorePage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ); HPROPSHEETPAGE PhCreateTimerPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ); HPROPSHEETPAGE PhCreateAfdSocketPage( _In_ HANDLE ProcessId, _In_ HANDLE HandleValue ); HPROPSHEETPAGE PhCreateMappingsPage( _In_ HANDLE ProcessId, _In_ HANDLE SectionHandle ); // options VOID PhShowOptionsDialog( _In_ HWND ParentWindowHandle ); // pagfiles VOID PhShowPagefilesDialog( _In_ HWND ParentWindowHandle ); // plugman INT_PTR CALLBACK PhPluginsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); // procrec // begin_phapppub PHAPPAPI VOID NTAPI PhShowProcessRecordDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_RECORD Record ); // end_phapppub // runas typedef struct _PH_RUNAS_SERVICE_PARAMETERS { ULONG ProcessId; PCWSTR UserName; PCWSTR Password; ULONG LogonType; ULONG SessionId; PCWSTR CurrentDirectory; PCWSTR CommandLine; PCWSTR FileName; PCWSTR DesktopName; BOOLEAN UseLinkedToken; PCWSTR ServiceName; BOOLEAN CreateSuspendedProcess; HWND WindowHandle; BOOLEAN CreateUIAccessProcess; } PH_RUNAS_SERVICE_PARAMETERS, *PPH_RUNAS_SERVICE_PARAMETERS; VOID PhShowRunAsDialog( _In_ HWND ParentWindowHandle, _In_opt_ HANDLE ProcessId ); VOID PhShowRunAsPackageDialog( _In_ HWND ParentWindowHandle ); // begin_phapppub PHLIBAPI BOOLEAN NTAPI PhShowRunFileDialog( _In_ HWND ParentWindowHandle ); // end_phapppub NTSTATUS PhExecuteRunAsCommand( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ); // begin_phapppub PHAPPAPI NTSTATUS NTAPI PhExecuteRunAsCommand2( _In_ HWND hWnd, _In_ PCWSTR Program, _In_opt_ PCWSTR UserName, _In_opt_ PCWSTR Password, _In_opt_ ULONG LogonType, _In_opt_ HANDLE ProcessIdWithToken, _In_opt_ ULONG SessionId, _In_opt_ PCWSTR DesktopName, _In_ BOOLEAN UseLinkedToken ); // end_phapppub PHAPPAPI NTSTATUS NTAPI PhExecuteRunAsCommand3( _In_ HWND hWnd, _In_ PCWSTR Program, _In_opt_ PCWSTR UserName, _In_opt_ PCWSTR Password, _In_opt_ ULONG LogonType, _In_opt_ HANDLE ProcessIdWithToken, _In_opt_ ULONG SessionId, _In_opt_ PCWSTR DesktopName, _In_ BOOLEAN UseLinkedToken, _In_ BOOLEAN CreateSuspendedProcess, _In_ BOOLEAN CreateUIAccessProcess ); NTSTATUS PhRunAsServiceStart( _In_ PPH_STRING ServiceName ); NTSTATUS PhInvokeRunAsService( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ); // searchbox // begin_phapppub typedef _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PH_SEARCHCONTROL_CALLBACK( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ); typedef PH_SEARCHCONTROL_CALLBACK* PPH_SEARCHCONTROL_CALLBACK; PHAPPAPI VOID NTAPI PhCreateSearchControl( _In_ HWND ParentWindowHandle, _In_ HWND SearchWindowHandle, _In_opt_ PCWSTR BannerText, _In_ PPH_SEARCHCONTROL_CALLBACK Callback, _In_opt_ PVOID Context ); // end_phapppub // sessmsg VOID PhShowSessionSendMessageDialog( _In_ HWND ParentWindowHandle, _In_ ULONG SessionId ); // sessprp VOID PhShowSessionProperties( _In_ HWND ParentWindowHandle, _In_ ULONG SessionId ); // sessshad VOID PhShowSessionShadowDialog( _In_ HWND ParentWindowHandle, _In_ ULONG SessionId ); // srvcr VOID PhShowCreateServiceDialog( _In_ HWND ParentWindowHandle ); // srvctl // begin_phapppub #define WM_PH_SET_LIST_VIEW_SETTINGS (WM_APP + 701) PHAPPAPI HWND NTAPI PhCreateServiceListControl( _In_ HWND ParentWindowHandle, _In_ PPH_SERVICE_ITEM *Services, _In_ ULONG NumberOfServices ); // end_phapppub // srvprp VOID PhShowServiceProperties( _In_ HWND ParentWindowHandle, _In_ PPH_SERVICE_ITEM ServiceItem ); // thrdstk VOID PhShowThreadStackDialog( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ PPH_THREAD_PROVIDER ThreadProvider ); // thrdstks VOID PhShowThreadStacksDialog( _In_ HWND ParentWindowHandle ); // userslist VOID PhShowUserListDialog( _In_ HWND ParentWindowHandle ); // tokprp PPH_STRING PhGetGroupAttributesString( _In_ ULONG Attributes, _In_ BOOLEAN Restricted ); PCWSTR PhGetPrivilegeAttributesString( _In_ ULONG Attributes ); _Success_(return) BOOLEAN PhGetElevationTypeString( _In_ BOOLEAN IsElevated, _In_ TOKEN_ELEVATION_TYPE ElevationType, _Out_ PCPH_STRINGREF* ElevationTypeString ); VOID PhShowTokenProperties( _In_ HWND ParentWindowHandle, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_ HANDLE ProcessId, _In_ PVOID Context, _In_opt_ PCWSTR Title ); HPROPSHEETPAGE PhCreateTokenPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_ HANDLE ProcessId, _In_opt_ PVOID Context, _In_opt_ DLGPROC HookProc ); #endif ================================================ FILE: SystemInformer/include/phappres.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2024 * */ #ifndef PH_PHAPPRES_H #define PH_PHAPPRES_H #ifndef PHAPP_VERSION_MAJOR #define PHAPP_VERSION_MAJOR 0 #endif #ifndef PHAPP_VERSION_MINOR #define PHAPP_VERSION_MINOR 0 #endif #ifndef PHAPP_VERSION_BUILD #define PHAPP_VERSION_BUILD 0 #endif #ifndef PHAPP_VERSION_REVISION #define PHAPP_VERSION_REVISION 0 #endif #ifndef PHAPP_VERSION_COMMITHASH #define PHAPP_VERSION_COMMITHASH "0000000" #endif #define DO_MAKE_STR(x) #x #define MAKE_STR(x) DO_MAKE_STR(x) #define PHAPP_VERSION_STRING MAKE_STR(PHAPP_VERSION_MAJOR) "." MAKE_STR(PHAPP_VERSION_MINOR) "." MAKE_STR(PHAPP_VERSION_BUILD) "." MAKE_STR(PHAPP_VERSION_REVISION) #define PHAPP_VERSION_NUMBER PHAPP_VERSION_MAJOR,PHAPP_VERSION_MINOR,PHAPP_VERSION_BUILD,PHAPP_VERSION_REVISION #define PHAPP_VERSION_COMMIT MAKE_STR(PHAPP_VERSION_COMMITHASH) #endif // PHAPPRES_H ================================================ FILE: SystemInformer/include/phfwddef.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2022 * */ #ifndef PH_PHFWDDEF_H #define PH_PHFWDDEF_H // begin_phapppub // phlib typedef struct _PH_SYMBOL_PROVIDER *PPH_SYMBOL_PROVIDER; // Providers typedef struct _PH_PROCESS_ITEM *PPH_PROCESS_ITEM; typedef struct _PH_PROCESS_RECORD *PPH_PROCESS_RECORD; typedef struct _PH_SERVICE_ITEM *PPH_SERVICE_ITEM; typedef struct _PH_NETWORK_ITEM *PPH_NETWORK_ITEM; typedef struct _PH_MODULE_ITEM *PPH_MODULE_ITEM; typedef struct _PH_MODULE_PROVIDER *PPH_MODULE_PROVIDER; typedef struct _PH_THREAD_ITEM *PPH_THREAD_ITEM; typedef struct _PH_THREAD_PROVIDER *PPH_THREAD_PROVIDER; typedef struct _PH_HANDLE_ITEM *PPH_HANDLE_ITEM; typedef struct _PH_HANDLE_PROVIDER *PPH_HANDLE_PROVIDER; typedef struct _PH_MEMORY_ITEM *PPH_MEMORY_ITEM; typedef struct _PH_MEMORY_ITEM_LIST *PPH_MEMORY_ITEM_LIST; // uimodels typedef struct _PH_PROCESS_NODE *PPH_PROCESS_NODE; typedef struct _PH_SERVICE_NODE *PPH_SERVICE_NODE; typedef struct _PH_NETWORK_NODE *PPH_NETWORK_NODE; typedef struct _PH_MODULE_NODE *PPH_MODULE_NODE; typedef struct _PH_THREAD_NODE *PPH_THREAD_NODE; typedef struct _PH_HANDLE_NODE *PPH_HANDLE_NODE; typedef struct _PH_MEMORY_NODE *PPH_MEMORY_NODE; // procprv typedef struct _PH_PROCESS_PROPCONTEXT *PPH_PROCESS_PROPCONTEXT; // end_phapppub #endif ================================================ FILE: SystemInformer/include/phplug.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2024 * */ #ifndef PH_PHPLUG_H #define PH_PHPLUG_H #include #include #include // begin_phapppub // Callbacks typedef enum _PH_GENERAL_CALLBACK { GeneralCallbackMainWindowShowing = 0, // INT ShowCommand [main thread] GeneralCallbackProcessesUpdated = 1, // ULONG RunId [main thread] GeneralCallbackGetProcessHighlightingColor = 2, // PPH_PLUGIN_GET_HIGHLIGHTING_COLOR Data [main thread] GeneralCallbackGetProcessTooltipText = 3, // PPH_PLUGIN_GET_TOOLTIP_TEXT Data [main thread] GeneralCallbackProcessPropertiesInitializing = 4, // PPH_PLUGIN_PROCESS_PROPCONTEXT Data [properties thread] GeneralCallbackMainMenuInitializing = 5, // PPH_PLUGIN_MENU_INFORMATION Data [main thread] GeneralCallbackNotifyEvent = 6, // PPH_PLUGIN_NOTIFY_EVENT Data [main thread] GeneralCallbackServicePropertiesInitializing = 7, // PPH_PLUGIN_OBJECT_PROPERTIES Data [properties thread] GeneralCallbackHandlePropertiesInitializing = 8, // PPH_PLUGIN_OBJECT_PROPERTIES Data [properties thread] GeneralCallbackProcessMenuInitializing = 9, // PPH_PLUGIN_MENU_INFORMATION Data [main thread] GeneralCallbackServiceMenuInitializing = 10, // PPH_PLUGIN_MENU_INFORMATION Data [main thread] GeneralCallbackNetworkMenuInitializing = 11, // PPH_PLUGIN_MENU_INFORMATION Data [main thread] GeneralCallbackIconMenuInitializing = 12, // PPH_PLUGIN_MENU_INFORMATION Data [main thread] GeneralCallbackThreadMenuInitializing = 13, // PPH_PLUGIN_MENU_INFORMATION Data [properties thread] GeneralCallbackModuleMenuInitializing = 14, // PPH_PLUGIN_MENU_INFORMATION Data [properties thread] GeneralCallbackMemoryMenuInitializing = 15, // PPH_PLUGIN_MENU_INFORMATION Data [properties thread] GeneralCallbackHandleMenuInitializing = 16, // PPH_PLUGIN_MENU_INFORMATION Data [properties thread] GeneralCallbackProcessTreeNewInitializing = 17, // PPH_PLUGIN_TREENEW_INFORMATION Data [main thread] GeneralCallbackServiceTreeNewInitializing = 18, // PPH_PLUGIN_TREENEW_INFORMATION Data [main thread] GeneralCallbackNetworkTreeNewInitializing = 19, // PPH_PLUGIN_TREENEW_INFORMATION Data [main thread] GeneralCallbackModuleTreeNewInitializing = 20, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackModuleTreeNewUninitializing = 21, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackThreadTreeNewInitializing = 22, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackThreadTreeNewUninitializing = 23, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackHandleTreeNewInitializing = 24, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackHandleTreeNewUninitializing = 25, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackThreadStackControl = 26, // PPH_PLUGIN_THREAD_STACK_CONTROL Data [properties thread] GeneralCallbackSystemInformationInitializing = 27, // PPH_PLUGIN_SYSINFO_POINTERS Data [system information thread] GeneralCallbackMainWindowTabChanged = 28, // INT NewIndex [main thread] GeneralCallbackMemoryTreeNewInitializing = 29, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackMemoryTreeNewUninitializing = 30, // PPH_PLUGIN_TREENEW_INFORMATION Data [properties thread] GeneralCallbackMemoryItemListControl = 31, // PPH_PLUGIN_MEMORY_ITEM_LIST_CONTROL Data [properties thread] GeneralCallbackMiniInformationInitializing = 32, // PPH_PLUGIN_MINIINFO_POINTERS Data [main thread] GeneralCallbackMiListSectionMenuInitializing = 33, // PPH_PLUGIN_MENU_INFORMATION Data [main thread] GeneralCallbackOptionsWindowInitializing = 34, // PH_PLUGIN_OPTIONS_POINTERS Data [main thread] GeneralCallbackHandlePropertiesWindowInitialized = 35, // PPH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT Data [properties thread] GeneralCallbackHandlePropertiesWindowUninitializing = 36, // PPH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT Data [properties thread] GeneralCallbackProcessProviderAddedEvent, // [process provider thread] GeneralCallbackProcessProviderModifiedEvent, // [process provider thread] GeneralCallbackProcessProviderRemovedEvent, // [process provider thread] GeneralCallbackProcessProviderUpdatedEvent, // PPH_PROCESS_PROVIDER_UPDATED_EVENT [process provider thread] GeneralCallbackServiceProviderAddedEvent, // [service provider thread] GeneralCallbackServiceProviderModifiedEvent, // [service provider thread] GeneralCallbackServiceProviderRemovedEvent, // [service provider thread] GeneralCallbackServiceProviderUpdatedEvent, // [service provider thread] GeneralCallbackNetworkProviderAddedEvent, // [network provider thread] GeneralCallbackNetworkProviderModifiedEvent, // [network provider thread] GeneralCallbackNetworkProviderRemovedEvent, // [network provider thread] GeneralCallbackNetworkProviderUpdatedEvent, // [network provider thread] GeneralCallbackLoggedEvent, // [multiple provider threads] GeneralCallbackDeviceNotificationEvent, // [device provider thread] GeneralCallbackTrayIconsInitializing, // [work queue thread] GeneralCallbackTrayIconsUpdatedEvent, GeneralCallbackWindowNotifyEvent, GeneralCallbackProcessStatsNotifyEvent, GeneralCallbackSettingsUpdated, GeneralCallbackDangerousProcess, GeneralCallbackUpdateAutomatically, GeneralCallbackMaximum } PH_GENERAL_CALLBACK, *PPH_GENERAL_CALLBACK; typedef enum _PH_PLUGIN_CALLBACK { PluginCallbackLoad = 0, // PPH_LIST Parameters [main thread] // list of strings, might be NULL PluginCallbackUnload = 1, // BOOLEAN SessionEnding [main thread] PluginCallbackShowOptions = 2, // HWND ParentWindowHandle [main thread] PluginCallbackMenuItem = 3, // PPH_PLUGIN_MENU_ITEM MenuItem [main/properties thread] PluginCallbackTreeNewMessage = 4, // PPH_PLUGIN_TREENEW_MESSAGE Message [main/properties thread] PluginCallbackPhSvcRequest = 5, // PPH_PLUGIN_PHSVC_REQUEST Message [phsvc thread] PluginCallbackMenuHook = 6, // PH_PLUGIN_MENU_HOOK_INFORMATION MenuHookInfo [menu thread] PluginCallbackMaximum } PH_PLUGIN_CALLBACK, *PPH_PLUGIN_CALLBACK; // Provider events typedef struct _PH_PROCESS_PROVIDER_UPDATED_EVENT { ULONG RunCount; } PH_PROCESS_PROVIDER_UPDATED_EVENT, *PPH_PROCESS_PROVIDER_UPDATED_EVENT; // Plugin events typedef struct _PH_PLUGIN_GET_HIGHLIGHTING_COLOR { // Parameter is: // PPH_PROCESS_ITEM for GeneralCallbackGetProcessHighlightingColor PVOID Parameter; COLORREF BackColor; COLORREF ForeColor; BOOLEAN Handled; BOOLEAN Cache; } PH_PLUGIN_GET_HIGHLIGHTING_COLOR, *PPH_PLUGIN_GET_HIGHLIGHTING_COLOR; typedef struct _PH_PLUGIN_GET_TOOLTIP_TEXT { // Parameter is: // PPH_PROCESS_ITEM for GeneralCallbackGetProcessTooltipText PVOID Parameter; PPH_STRING_BUILDER StringBuilder; ULONG ValidForMs; } PH_PLUGIN_GET_TOOLTIP_TEXT, *PPH_PLUGIN_GET_TOOLTIP_TEXT; typedef struct _PH_PLUGIN_PROCESS_PROPCONTEXT { PPH_PROCESS_PROPCONTEXT PropContext; PPH_PROCESS_ITEM ProcessItem; } PH_PLUGIN_PROCESS_PROPCONTEXT, *PPH_PLUGIN_PROCESS_PROPCONTEXT; typedef struct _PH_PLUGIN_NOTIFY_EVENT { // Parameter is: // PPH_PROCESS_ITEM for Type = PH_NOTIFY_PROCESS_* // PPH_SERVICE_ITEM for Type = PH_NOTIFY_SERVICE_* // PPH_DEVICE_ITEM for type = PH_NOTIFY_DEVICE_* ULONG Type; BOOLEAN Handled; PVOID Parameter; } PH_PLUGIN_NOTIFY_EVENT, *PPH_PLUGIN_NOTIFY_EVENT; typedef struct _PH_PLUGIN_OBJECT_PROPERTIES { // Parameter is: // PPH_SERVICE_ITEM for GeneralCallbackServicePropertiesInitializing // PPH_PLUGIN_HANDLE_PROPERTIES_CONTEXT for GeneralCallbackHandlePropertiesInitializing PVOID Parameter; ULONG NumberOfPages; ULONG MaximumNumberOfPages; HPROPSHEETPAGE *Pages; } PH_PLUGIN_OBJECT_PROPERTIES, *PPH_PLUGIN_OBJECT_PROPERTIES; typedef struct _PH_PLUGIN_IS_DANGEROUS_PROCESS { HANDLE ProcessId; BOOLEAN DangerousProcess; } PH_PLUGIN_IS_DANGEROUS_PROCESS, *PPH_PLUGIN_IS_DANGEROUS_PROCESS; typedef enum _PH_PLUGIN_HANDLE_GENERAL_CATEGORY { // common PH_PLUGIN_HANDLE_GENERAL_CATEGORY_BASICINFO, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_REFERENCES, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_QUOTA, // extra PH_PLUGIN_HANDLE_GENERAL_CATEGORY_ALPC, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_FILE, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_SECTION, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_MUTANT, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_PROCESSTHREAD, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_ETW, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_SYMBOLICLINK, PH_PLUGIN_HANDLE_GENERAL_CATEGORY_MAXIMUM } PH_PLUGIN_HANDLE_GENERAL_CATEGORY; typedef enum _PH_PLUGIN_HANDLE_GENERAL_INDEX { PH_PLUGIN_HANDLE_GENERAL_INDEX_NAME, PH_PLUGIN_HANDLE_GENERAL_INDEX_TYPE, PH_PLUGIN_HANDLE_GENERAL_INDEX_OBJECT, PH_PLUGIN_HANDLE_GENERAL_INDEX_ACCESSMASK, PH_PLUGIN_HANDLE_GENERAL_INDEX_REFERENCES, PH_PLUGIN_HANDLE_GENERAL_INDEX_HANDLES, PH_PLUGIN_HANDLE_GENERAL_INDEX_PAGED, PH_PLUGIN_HANDLE_GENERAL_INDEX_NONPAGED, PH_PLUGIN_HANDLE_GENERAL_INDEX_FLAGS, PH_PLUGIN_HANDLE_GENERAL_INDEX_SEQUENCENUMBER, PH_PLUGIN_HANDLE_GENERAL_INDEX_PORTCONTEXT, PH_PLUGIN_HANDLE_GENERAL_INDEX_FILETYPE, PH_PLUGIN_HANDLE_GENERAL_INDEX_FILEMODE, PH_PLUGIN_HANDLE_GENERAL_INDEX_FILEPOSITION, PH_PLUGIN_HANDLE_GENERAL_INDEX_FILESIZE, PH_PLUGIN_HANDLE_GENERAL_INDEX_FILEPRIORITY, PH_PLUGIN_HANDLE_GENERAL_INDEX_FILEDRIVER, PH_PLUGIN_HANDLE_GENERAL_INDEX_FILEDRIVERIMAGE, PH_PLUGIN_HANDLE_GENERAL_INDEX_SECTIONTYPE, PH_PLUGIN_HANDLE_GENERAL_INDEX_SECTIONFILE, PH_PLUGIN_HANDLE_GENERAL_INDEX_SECTIONSIZE, PH_PLUGIN_HANDLE_GENERAL_INDEX_MUTANTCOUNT, PH_PLUGIN_HANDLE_GENERAL_INDEX_MUTANTABANDONED, PH_PLUGIN_HANDLE_GENERAL_INDEX_MUTANTOWNER, PH_PLUGIN_HANDLE_GENERAL_INDEX_ALPCCONNECTION, PH_PLUGIN_HANDLE_GENERAL_INDEX_ALPCSERVER, PH_PLUGIN_HANDLE_GENERAL_INDEX_ALPCCLIENT, PH_PLUGIN_HANDLE_GENERAL_INDEX_PROCESSTHREADNAME, PH_PLUGIN_HANDLE_GENERAL_INDEX_PROCESSTHREADCREATETIME, PH_PLUGIN_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITTIME, PH_PLUGIN_HANDLE_GENERAL_INDEX_PROCESSTHREADEXITCODE, PH_PLUGIN_HANDLE_GENERAL_INDEX_ETWORIGINALNAME, PH_PLUGIN_HANDLE_GENERAL_INDEX_ETWGROUPNAME, PH_PLUGIN_HANDLE_GENERAL_INDEX_SYMBOLICLINKLINK, PH_PLUGIN_HANDLE_GENERAL_INDEX_MAXIMUM } PH_PLUGIN_HANDLE_GENERAL_INDEX; typedef struct _PH_PLUGIN PH_PLUGIN, *PPH_PLUGIN; typedef struct _PH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT { HWND ListViewHandle; HWND ParentWindow; HANDLE ProcessId; PVOID ListViewClass; PPH_HANDLE_ITEM HandleItem; PH_LAYOUT_MANAGER LayoutManager; } PH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT, *PPH_PLUGIN_HANDLE_PROPERTIES_WINDOW_CONTEXT; typedef struct _PH_PLUGIN_PROCESS_STATS_EVENT { ULONG Version; ULONG Type; PPH_PROCESS_ITEM ProcessItem; PVOID Parameter; } PH_PLUGIN_PROCESS_STATS_EVENT, *PPH_PLUGIN_PROCESS_STATS_EVENT; typedef struct _PH_PLUGIN_HANDLE_PROPERTIES_CONTEXT { HWND ParentWindowHandle; HANDLE ProcessId; PPH_HANDLE_ITEM HandleItem; } PH_PLUGIN_HANDLE_PROPERTIES_CONTEXT, *PPH_PLUGIN_HANDLE_PROPERTIES_CONTEXT; typedef struct _PH_EMENU_ITEM *PPH_EMENU_ITEM, *PPH_EMENU; #define PH_PLUGIN_MENU_DISALLOW_HOOKS 0x1 typedef struct _PH_PLUGIN_MENU_INFORMATION { PPH_EMENU Menu; HWND OwnerWindow; union { struct { PVOID Reserved[8]; // Reserve space for future expansion of this union } DoNotUse; struct { ULONG SubMenuIndex; } MainMenu; struct { PPH_PROCESS_ITEM *Processes; ULONG NumberOfProcesses; } Process; struct { PPH_SERVICE_ITEM *Services; ULONG NumberOfServices; } Service; struct { PPH_NETWORK_ITEM *NetworkItems; ULONG NumberOfNetworkItems; } Network; struct { HANDLE ProcessId; PPH_THREAD_ITEM *Threads; ULONG NumberOfThreads; } Thread; struct { HANDLE ProcessId; PPH_MODULE_ITEM *Modules; ULONG NumberOfModules; } Module; struct { HANDLE ProcessId; PPH_MEMORY_NODE *MemoryNodes; ULONG NumberOfMemoryNodes; } Memory; struct { HANDLE ProcessId; PPH_HANDLE_ITEM *Handles; ULONG NumberOfHandles; } Handle; struct { PPH_STRINGREF SectionName; PPH_PROCESS_GROUP ProcessGroup; } MiListSection; } u; ULONG Flags; PPH_LIST PluginHookList; } PH_PLUGIN_MENU_INFORMATION, *PPH_PLUGIN_MENU_INFORMATION; C_ASSERT(RTL_FIELD_SIZE(PH_PLUGIN_MENU_INFORMATION, u) == RTL_FIELD_SIZE(PH_PLUGIN_MENU_INFORMATION, u.DoNotUse)); typedef struct _PH_PLUGIN_MENU_HOOK_INFORMATION { PPH_PLUGIN_MENU_INFORMATION MenuInfo; PPH_EMENU SelectedItem; PVOID Context; BOOLEAN Handled; } PH_PLUGIN_MENU_HOOK_INFORMATION, *PPH_PLUGIN_MENU_HOOK_INFORMATION; typedef struct _PH_PLUGIN_TREENEW_INFORMATION { HWND TreeNewHandle; PVOID CmData; PVOID SystemContext; // e.g. PPH_THREADS_CONTEXT } PH_PLUGIN_TREENEW_INFORMATION, *PPH_PLUGIN_TREENEW_INFORMATION; typedef enum _PH_PLUGIN_THREAD_STACK_CONTROL_TYPE { PluginThreadStackInitializing, PluginThreadStackUninitializing, PluginThreadStackResolveSymbol, PluginThreadStackGetTooltip, PluginThreadStackWalkStack, PluginThreadStackBeginDefaultWalkStack, PluginThreadStackEndDefaultWalkStack, PluginThreadStackMaximum } PH_PLUGIN_THREAD_STACK_CONTROL_TYPE; typedef struct _PH_SYMBOL_PROVIDER *PPH_SYMBOL_PROVIDER; typedef struct _PH_THREAD_STACK_FRAME *PPH_THREAD_STACK_FRAME; typedef _Function_class_(PH_PLUGIN_WALK_THREAD_STACK_CALLBACK) BOOLEAN NTAPI PH_PLUGIN_WALK_THREAD_STACK_CALLBACK( _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_opt_ PVOID Context ); typedef PH_PLUGIN_WALK_THREAD_STACK_CALLBACK *PPH_PLUGIN_WALK_THREAD_STACK_CALLBACK; typedef struct _PH_PLUGIN_THREAD_STACK_CONTROL { PH_PLUGIN_THREAD_STACK_CONTROL_TYPE Type; PVOID UniqueKey; union { struct { HANDLE ProcessId; HANDLE ThreadId; HANDLE ThreadHandle; HANDLE ProcessHandle; PPH_SYMBOL_PROVIDER SymbolProvider; BOOLEAN CustomWalk; } Initializing; struct { PPH_THREAD_STACK_FRAME StackFrame; PPH_STRING Symbol; PPH_STRING FileName; } ResolveSymbol; struct { PPH_THREAD_STACK_FRAME StackFrame; PPH_STRING_BUILDER StringBuilder; } GetTooltip; struct { NTSTATUS Status; HANDLE ThreadHandle; HANDLE ProcessHandle; PCLIENT_ID ClientId; ULONG Flags; PPH_PLUGIN_WALK_THREAD_STACK_CALLBACK Callback; PVOID CallbackContext; } WalkStack; } u; } PH_PLUGIN_THREAD_STACK_CONTROL, *PPH_PLUGIN_THREAD_STACK_CONTROL; typedef enum _PH_PLUGIN_MEMORY_ITEM_LIST_CONTROL_TYPE { PluginMemoryItemListInitialized, PluginMemoryItemListMaximum } PH_PLUGIN_MEMORY_ITEM_LIST_CONTROL_TYPE; typedef struct _PH_PLUGIN_MEMORY_ITEM_LIST_CONTROL { PH_PLUGIN_MEMORY_ITEM_LIST_CONTROL_TYPE Type; union { struct { PPH_MEMORY_ITEM_LIST List; } Initialized; } u; } PH_PLUGIN_MEMORY_ITEM_LIST_CONTROL, *PPH_PLUGIN_MEMORY_ITEM_LIST_CONTROL; typedef _Function_class_(PH_SYSINFO_CREATE_SECTION) PPH_SYSINFO_SECTION NTAPI PH_SYSINFO_CREATE_SECTION( _In_ PPH_SYSINFO_SECTION Template ); typedef PH_SYSINFO_CREATE_SECTION *PPH_SYSINFO_CREATE_SECTION; typedef _Function_class_(PH_SYSINFO_FIND_SECTION) PPH_SYSINFO_SECTION NTAPI PH_SYSINFO_FIND_SECTION( _In_ PPH_STRINGREF Name ); typedef PH_SYSINFO_FIND_SECTION *PPH_SYSINFO_FIND_SECTION; typedef _Function_class_(PH_SYSINFO_ENTER_SECTION_VIEW) VOID NTAPI PH_SYSINFO_ENTER_SECTION_VIEW( _In_ PPH_SYSINFO_SECTION NewSection ); typedef PH_SYSINFO_ENTER_SECTION_VIEW *PPH_SYSINFO_ENTER_SECTION_VIEW; typedef _Function_class_(PH_SYSINFO_RESTORE_SUMMARY_VIEW) VOID NTAPI PH_SYSINFO_RESTORE_SUMMARY_VIEW( VOID ); typedef PH_SYSINFO_RESTORE_SUMMARY_VIEW *PPH_SYSINFO_RESTORE_SUMMARY_VIEW; typedef struct _PH_PLUGIN_SYSINFO_POINTERS { HWND WindowHandle; PPH_SYSINFO_CREATE_SECTION CreateSection; PPH_SYSINFO_FIND_SECTION FindSection; PPH_SYSINFO_ENTER_SECTION_VIEW EnterSectionView; PPH_SYSINFO_RESTORE_SUMMARY_VIEW RestoreSummaryView; } PH_PLUGIN_SYSINFO_POINTERS, *PPH_PLUGIN_SYSINFO_POINTERS; typedef _Function_class_(PH_MINIINFO_CREATE_SECTION) PPH_MINIINFO_SECTION NTAPI PH_MINIINFO_CREATE_SECTION( _In_ PPH_MINIINFO_SECTION Template ); typedef PH_MINIINFO_CREATE_SECTION *PPH_MINIINFO_CREATE_SECTION; typedef _Function_class_(PH_MINIINFO_FIND_SECTION) PPH_MINIINFO_SECTION NTAPI PH_MINIINFO_FIND_SECTION( _In_ PPH_STRINGREF Name ); typedef PH_MINIINFO_FIND_SECTION *PPH_MINIINFO_FIND_SECTION; typedef struct _PH_MINIINFO_LIST_SECTION PH_MINIINFO_LIST_SECTION, *PPH_MINIINFO_LIST_SECTION; typedef PPH_MINIINFO_LIST_SECTION (NTAPI *PPH_MINIINFO_CREATE_LIST_SECTION)( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MINIINFO_LIST_SECTION Template ); typedef struct _PH_PLUGIN_MINIINFO_POINTERS { HWND WindowHandle; PPH_MINIINFO_CREATE_SECTION CreateSection; PPH_MINIINFO_FIND_SECTION FindSection; PPH_MINIINFO_CREATE_LIST_SECTION CreateListSection; } PH_PLUGIN_MINIINFO_POINTERS, *PPH_PLUGIN_MINIINFO_POINTERS; // end_phapppub // begin_phapppub typedef struct _PH_NF_ICON_REGISTRATION_DATA *PPH_NF_ICON_REGISTRATION_DATA; /** * Creates a notification icon. * * \param Plugin A plugin instance structure. * \param SubId An identifier for the column. This should be unique within the * plugin. * \param Guid A unique guid for this icon. * \param Context A user-defined value. * \param Text A string describing the notification icon. * \param Flags A combination of flags. * \li \c PH_NF_ICON_UNAVAILABLE The notification icon is currently unavailable. * \param RegistrationData A \ref PH_NF_ICON_REGISTRATION_DATA structure that * contains registration information. */ typedef _Function_class_(PH_REGISTER_TRAY_ICON) PPH_PLUGIN NTAPI PH_REGISTER_TRAY_ICON( _In_ PPH_PLUGIN Plugin, _In_ ULONG SubId, _In_ GUID Guid, _In_opt_ PVOID Context, _In_ PCWSTR Text, _In_ ULONG Flags, _In_ PPH_NF_ICON_REGISTRATION_DATA RegistrationData ); typedef PH_REGISTER_TRAY_ICON *PPH_REGISTER_TRAY_ICON; typedef struct _PH_TRAY_ICON_POINTERS { PPH_REGISTER_TRAY_ICON RegisterTrayIcon; } PH_TRAY_ICON_POINTERS, *PPH_TRAY_ICON_POINTERS; // end_phapppub // begin_phapppub typedef struct _PH_OPTIONS_SECTION { PH_STRINGREF Name; // end_phapppub PVOID Instance; PCWSTR Template; DLGPROC DialogProc; PVOID Parameter; HWND DialogHandle; HTREEITEM TreeItemHandle; // begin_phapppub } PH_OPTIONS_SECTION, *PPH_OPTIONS_SECTION; // end_phapppub // begin_phapppub typedef _Function_class_(PH_OPTIONS_CREATE_SECTION) PPH_OPTIONS_SECTION NTAPI PH_OPTIONS_CREATE_SECTION( _In_ PCWSTR Name, _In_ PVOID Instance, _In_ PCWSTR Template, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ); typedef PH_OPTIONS_CREATE_SECTION *PPH_OPTIONS_CREATE_SECTION; typedef _Function_class_(PH_OPTIONS_FIND_SECTION) PPH_OPTIONS_SECTION NTAPI PH_OPTIONS_FIND_SECTION( _In_ PPH_STRINGREF Name ); typedef PH_OPTIONS_FIND_SECTION *PPH_OPTIONS_FIND_SECTION; typedef _Function_class_(PH_OPTIONS_ENTER_SECTION_VIEW) VOID NTAPI PH_OPTIONS_ENTER_SECTION_VIEW( _In_ PPH_OPTIONS_SECTION NewSection ); typedef PH_OPTIONS_ENTER_SECTION_VIEW *PPH_OPTIONS_ENTER_SECTION_VIEW; typedef struct _PH_PLUGIN_OPTIONS_POINTERS { HWND WindowHandle; PPH_OPTIONS_CREATE_SECTION CreateSection; PPH_OPTIONS_FIND_SECTION FindSection; PPH_OPTIONS_ENTER_SECTION_VIEW EnterSectionView; } PH_PLUGIN_OPTIONS_POINTERS, *PPH_PLUGIN_OPTIONS_POINTERS; // end_phapppub // begin_phapppub typedef struct _PH_PLUGIN_TREENEW_MESSAGE { HWND TreeNewHandle; PH_TREENEW_MESSAGE Message; PVOID Parameter1; PVOID Parameter2; ULONG SubId; PVOID Context; } PH_PLUGIN_TREENEW_MESSAGE, *PPH_PLUGIN_TREENEW_MESSAGE; typedef _Function_class_(PH_PLUGIN_TREENEW_SORT_FUNCTION) LONG NTAPI PH_PLUGIN_TREENEW_SORT_FUNCTION( _In_ PVOID Node1, _In_ PVOID Node2, _In_ ULONG SubId, _In_ PH_SORT_ORDER SortOrder, _In_ PVOID Context ); typedef PH_PLUGIN_TREENEW_SORT_FUNCTION *PPH_PLUGIN_TREENEW_SORT_FUNCTION; typedef _Function_class_(PHSVC_SERVER_PROBE_BUFFER) NTSTATUS NTAPI PHSVC_SERVER_PROBE_BUFFER( _In_ PPH_RELATIVE_STRINGREF String, _In_ ULONG Alignment, _In_ BOOLEAN AllowNull, _Out_ PVOID *Pointer ); typedef PHSVC_SERVER_PROBE_BUFFER *PPHSVC_SERVER_PROBE_BUFFER; typedef _Function_class_(PHSVC_SERVER_CAPTURE_BUFFER) NTSTATUS NTAPI PHSVC_SERVER_CAPTURE_BUFFER( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PVOID *CapturedBuffer ); typedef PHSVC_SERVER_CAPTURE_BUFFER *PPHSVC_SERVER_CAPTURE_BUFFER; typedef _Function_class_(PHSVC_SERVER_CAPTURE_STRING) NTSTATUS NTAPI PHSVC_SERVER_CAPTURE_STRING( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PPH_STRING *CapturedString ); typedef PHSVC_SERVER_CAPTURE_STRING *PPHSVC_SERVER_CAPTURE_STRING; typedef struct _PH_PLUGIN_PHSVC_REQUEST { ULONG SubId; NTSTATUS ReturnStatus; PVOID InBuffer; ULONG InLength; PVOID OutBuffer; ULONG OutLength; PPHSVC_SERVER_PROBE_BUFFER ProbeBuffer; PPHSVC_SERVER_CAPTURE_BUFFER CaptureBuffer; PPHSVC_SERVER_CAPTURE_STRING CaptureString; } PH_PLUGIN_PHSVC_REQUEST, *PPH_PLUGIN_PHSVC_REQUEST; typedef _Function_class_(PHSVC_CLIENT_FREE_HEAP) VOID NTAPI PHSVC_CLIENT_FREE_HEAP( _In_ PVOID Memory ); typedef PHSVC_CLIENT_FREE_HEAP *PPHSVC_CLIENT_FREE_HEAP; typedef _Function_class_(PHSVC_CLIENT_CREATE_STRING) PVOID NTAPI PHSVC_CLIENT_CREATE_STRING( _In_opt_ PVOID String, _In_ SIZE_T Length, _Out_ PPH_RELATIVE_STRINGREF StringRef ); typedef PHSVC_CLIENT_CREATE_STRING *PPHSVC_CLIENT_CREATE_STRING; typedef struct _PH_PLUGIN_PHSVC_CLIENT { HANDLE ServerProcessId; PPHSVC_CLIENT_FREE_HEAP FreeHeap; PPHSVC_CLIENT_CREATE_STRING CreateString; } PH_PLUGIN_PHSVC_CLIENT, *PPH_PLUGIN_PHSVC_CLIENT; // Plugin structures typedef struct _PH_PLUGIN_INFORMATION { PCWSTR DisplayName; PCWSTR Author; PCWSTR Description; PCWSTR Url; BOOLEAN HasOptions; BOOLEAN Reserved1[3]; PVOID Interface; } PH_PLUGIN_INFORMATION, *PPH_PLUGIN_INFORMATION; #define PH_PLUGIN_FLAG_RESERVED 0x1 // end_phapppub // begin_phapppub typedef struct _PH_PLUGIN { // Public PH_AVL_LINKS Links; PVOID DllBase; // end_phapppub // Private PH_STRINGREF Name; ULONG Flags; PH_PLUGIN_INFORMATION Information; PH_CALLBACK Callbacks[PluginCallbackMaximum]; PH_EM_APP_CONTEXT AppContext; // begin_phapppub } PH_PLUGIN, *PPH_PLUGIN; // end_phapppub // begin_phapppub // Plugin API PHAPPAPI PPH_PLUGIN NTAPI PhRegisterPluginByName( _In_ PCPH_STRINGREF Name, _In_ PVOID DllBase, _Out_opt_ PPH_PLUGIN_INFORMATION *Information ); FORCEINLINE PPH_PLUGIN NTAPI PhRegisterPlugin( _In_ PCWSTR Name, _In_ PVOID DllBase, _Out_opt_ PPH_PLUGIN_INFORMATION* Information ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); return PhRegisterPluginByName(&name, DllBase, Information); } PHAPPAPI PPH_PLUGIN NTAPI PhFindPlugin2( _In_ PCPH_STRINGREF Name ); /** * Locates a plugin instance structure. * * \param Name The name of the plugin. * * \return A plugin instance structure, or NULL if the plugin was not found. */ FORCEINLINE PPH_PLUGIN NTAPI PhFindPlugin( _In_ PCWSTR Name ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); return PhFindPlugin2(&name); } PHAPPAPI PVOID NTAPI PhGetPluginInterface( _In_ PCPH_STRINGREF Name, _In_opt_ ULONG Version ); FORCEINLINE PVOID NTAPI PhGetPluginInterfaceZ( _In_ PCWSTR Name, _In_opt_ ULONG Version ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); return PhGetPluginInterface(&name, Version); } PHAPPAPI PPH_PLUGIN_INFORMATION NTAPI PhGetPluginInformation( _In_ PPH_PLUGIN Plugin ); PHAPPAPI PPH_CALLBACK NTAPI PhGetPluginCallback( _In_ PPH_PLUGIN Plugin, _In_ PH_PLUGIN_CALLBACK Callback ); PHAPPAPI PPH_CALLBACK NTAPI PhGetGeneralCallback( _In_ PH_GENERAL_CALLBACK Callback ); PHAPPAPI ULONG NTAPI PhPluginReserveIds( _In_ ULONG Count ); typedef struct _PH_PLUGIN_MENU_ITEM *PPH_PLUGIN_MENU_ITEM; _Function_class_(PH_PLUGIN_MENU_ITEM_DELETE_FUNCTION) typedef VOID (NTAPI PH_PLUGIN_MENU_ITEM_DELETE_FUNCTION)( _In_ PPH_PLUGIN_MENU_ITEM MenuItem ); typedef PH_PLUGIN_MENU_ITEM_DELETE_FUNCTION *PPH_PLUGIN_MENU_ITEM_DELETE_FUNCTION; typedef struct _PH_PLUGIN_MENU_ITEM { PPH_PLUGIN Plugin; ULONG Id; ULONG Reserved1; PVOID Context; HWND OwnerWindow; // valid only when the menu item is chosen PVOID Reserved2; PVOID Reserved3; PPH_PLUGIN_MENU_ITEM_DELETE_FUNCTION DeleteFunction; // valid only for EMENU-based menu items } PH_PLUGIN_MENU_ITEM, *PPH_PLUGIN_MENU_ITEM; // Location #define PH_MENU_ITEM_LOCATION_SYSTEM 0 #define PH_MENU_ITEM_LOCATION_VIEW 1 #define PH_MENU_ITEM_LOCATION_TOOLS 2 #define PH_MENU_ITEM_LOCATION_USERS 3 #define PH_MENU_ITEM_LOCATION_HELP 4 typedef struct _PH_PLUGIN_SYSTEM_STATISTICS { PSYSTEM_PERFORMANCE_INFORMATION Performance; ULONG NumberOfProcesses; ULONG NumberOfThreads; ULONG NumberOfHandles; FLOAT CpuKernelUsage; FLOAT CpuUserUsage; PH_UINT64_DELTA IoReadDelta; PH_UINT64_DELTA IoWriteDelta; PH_UINT64_DELTA IoOtherDelta; ULONG CommitPages; ULONG PhysicalPages; HANDLE MaxCpuProcessId; HANDLE MaxIoProcessId; PPH_CIRCULAR_BUFFER_FLOAT CpuKernelHistory; PPH_CIRCULAR_BUFFER_FLOAT CpuUserHistory; PPH_CIRCULAR_BUFFER_FLOAT *CpusKernelHistory; PPH_CIRCULAR_BUFFER_FLOAT *CpusUserHistory; PPH_CIRCULAR_BUFFER_ULONG64 IoReadHistory; PPH_CIRCULAR_BUFFER_ULONG64 IoWriteHistory; PPH_CIRCULAR_BUFFER_ULONG64 IoOtherHistory; PPH_CIRCULAR_BUFFER_ULONG CommitHistory; PPH_CIRCULAR_BUFFER_ULONG PhysicalHistory; PPH_CIRCULAR_BUFFER_ULONG MaxCpuHistory; // ID of max. CPU process PPH_CIRCULAR_BUFFER_ULONG MaxIoHistory; // ID of max. I/O process PPH_CIRCULAR_BUFFER_FLOAT MaxCpuUsageHistory; PPH_CIRCULAR_BUFFER_ULONG64 MaxIoReadOtherHistory; PPH_CIRCULAR_BUFFER_ULONG64 MaxIoWriteHistory; } PH_PLUGIN_SYSTEM_STATISTICS, *PPH_PLUGIN_SYSTEM_STATISTICS; PHAPPAPI VOID NTAPI PhPluginGetSystemStatistics( _Out_ PPH_PLUGIN_SYSTEM_STATISTICS Statistics ); PHAPPAPI PPH_EMENU_ITEM NTAPI PhPluginCreateEMenuItem( _In_ PPH_PLUGIN Plugin, _In_ ULONG Flags, _In_ ULONG Id, _In_ PCWSTR Text, _In_opt_ PVOID Context ); PHAPPAPI BOOLEAN NTAPI PhPluginAddMenuHook( _Inout_ PPH_PLUGIN_MENU_INFORMATION MenuInfo, _In_ PPH_PLUGIN Plugin, _In_opt_ PVOID Context ); // end_phapppub VOID NTAPI PhPluginInitializeMenuInfo( _Out_ PPH_PLUGIN_MENU_INFORMATION MenuInfo, _In_opt_ PPH_EMENU Menu, _In_ HWND OwnerWindow, _In_ ULONG Flags ); BOOLEAN NTAPI PhPluginTriggerEMenuItem( _In_ PPH_PLUGIN_MENU_INFORMATION MenuInfo, _In_ PPH_EMENU_ITEM Item ); // begin_phapppub PHAPPAPI BOOLEAN NTAPI PhPluginAddTreeNewColumn( _In_ PPH_PLUGIN Plugin, _In_ PVOID CmData, _In_ PPH_TREENEW_COLUMN Column, _In_ ULONG SubId, _In_opt_ PVOID Context, _In_opt_ PPH_PLUGIN_TREENEW_SORT_FUNCTION SortFunction ); PHAPPAPI VOID NTAPI PhPluginSetObjectExtension( _In_ PPH_PLUGIN Plugin, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ ULONG ExtensionSize, _In_opt_ PPH_EM_OBJECT_CALLBACK CreateCallback, _In_opt_ PPH_EM_OBJECT_CALLBACK DeleteCallback ); PHAPPAPI PVOID NTAPI PhPluginGetObjectExtension( _In_ PPH_PLUGIN Plugin, _In_ PVOID Object, _In_ PH_EM_OBJECT_TYPE ObjectType ); PHAPPAPI VOID NTAPI PhPluginEnableTreeNewNotify( _In_ PPH_PLUGIN Plugin, _In_ PVOID CmData ); PHAPPAPI NTSTATUS NTAPI PhPluginQueryPhSvc( _Out_ PPH_PLUGIN_PHSVC_CLIENT Client ); PHAPPAPI NTSTATUS NTAPI PhPluginCallPhSvc( _In_ PPH_PLUGIN Plugin, _In_ ULONG SubId, _In_reads_bytes_opt_(InLength) PVOID InBuffer, _In_ ULONG InLength, _Out_writes_bytes_opt_(OutLength) PVOID OutBuffer, _In_ ULONG OutLength ); PHAPPAPI PPH_STRING NTAPI PhGetPluginName( _In_ PPH_PLUGIN Plugin ); PHAPPAPI PPH_STRING NTAPI PhGetPluginFileName( _In_ PPH_PLUGIN Plugin ); _Function_class_(PH_PLUGIN_ENUMERATE) typedef NTSTATUS (NTAPI PH_PLUGIN_ENUMERATE)( _In_ PPH_PLUGIN Information, _In_opt_ PVOID Context ); typedef PH_PLUGIN_ENUMERATE *PPH_PLUGIN_ENUMERATE; PHAPPAPI VOID NTAPI PhEnumeratePlugins( _In_ PPH_PLUGIN_ENUMERATE Callback, _In_opt_ PVOID Context ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/phsettings.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef PH_SETTINGS_H #define PH_SETTINGS_H // // Application Typedefs // EXTERN_C VOID NTAPI PhAddDefaultSettings( VOID ); EXTERN_C VOID NTAPI PhUpdateCachedSettings( VOID ); // // Cached settings // #pragma push_macro("EXT") #undef EXT #ifdef PH_SETTINGS_PRIVATE #define EXT #else #define EXT extern #endif EXT BOOLEAN PhEnableProcessQueryStage2; EXT BOOLEAN PhEnableServiceQueryStage2; EXT BOOLEAN PhEnableWindowText; EXT BOOLEAN PhEnableTooltipSupport; EXT BOOLEAN PhEnableLinuxSubsystemSupport; EXT ULONG PhCsEnableNetworkResolveDoH; EXT ULONG PhCsEnableVersionSupport; EXT BOOLEAN PhEnableDeferredLayout; EXT BOOLEAN PhEnableKsiWarnings; EXT BOOLEAN PhEnableKsiSupport; EXT ULONG PhCsForceNoParent; EXT ULONG PhCsHighlightingDuration; EXT ULONG PhCsPropagateCpuUsage; EXT ULONG PhCsScrollToNewProcesses; EXT ULONG PhCsScrollToRemovedProcesses; EXT ULONG PhCsSortChildProcesses; EXT ULONG PhCsSortRootProcesses; EXT ULONG PhCsShowCpuBelow001; EXT ULONG PhCsUpdateInterval; EXT ULONG PhCsColorNew; EXT ULONG PhCsColorRemoved; EXT ULONG PhCsUseColorOwnProcesses; EXT ULONG PhCsColorOwnProcesses; EXT ULONG PhCsUseColorSystemProcesses; EXT ULONG PhCsColorSystemProcesses; EXT ULONG PhCsUseColorServiceProcesses; EXT ULONG PhCsColorServiceProcesses; EXT ULONG PhCsUseColorBackgroundProcesses; EXT ULONG PhCsColorBackgroundProcesses; EXT ULONG PhCsUseColorJobProcesses; EXT ULONG PhCsColorJobProcesses; EXT ULONG PhCsUseColorWow64Processes; EXT ULONG PhCsColorWow64Processes; EXT ULONG PhCsUseColorDebuggedProcesses; EXT ULONG PhCsColorDebuggedProcesses; EXT ULONG PhCsUseColorElevatedProcesses; EXT ULONG PhCsColorElevatedProcesses; EXT ULONG PhCsUseColorHandleFiltered; EXT ULONG PhCsColorHandleFiltered; EXT ULONG PhCsUseColorImmersiveProcesses; EXT ULONG PhCsColorImmersiveProcesses; EXT ULONG PhCsUseColorUIAccessProcesses; EXT ULONG PhCsColorUIAccessProcesses; EXT ULONG PhCsUseColorPicoProcesses; EXT ULONG PhCsColorPicoProcesses; EXT ULONG PhCsUseColorSuspended; EXT ULONG PhCsColorSuspended; EXT ULONG PhCsUseColorDotNet; EXT ULONG PhCsColorDotNet; EXT ULONG PhCsUseColorPacked; EXT ULONG PhCsColorPacked; EXT ULONG PhCsUseColorLowImageCoherency; EXT ULONG PhCsColorLowImageCoherency; EXT ULONG PhCsUseColorPartiallySuspended; EXT ULONG PhCsColorPartiallySuspended; EXT ULONG PhCsUseColorGuiThreads; EXT ULONG PhCsColorGuiThreads; EXT ULONG PhCsUseColorRelocatedModules; EXT ULONG PhCsColorRelocatedModules; EXT ULONG PhCsUseColorProtectedHandles; EXT ULONG PhCsColorProtectedHandles; EXT ULONG PhCsUseColorProtectedInheritHandles; EXT ULONG PhCsColorProtectedInheritHandles; EXT ULONG PhCsUseColorProtectedProcess; EXT ULONG PhCsColorProtectedProcess; EXT ULONG PhCsUseColorInheritHandles; EXT ULONG PhCsColorInheritHandles; EXT ULONG PhCsUseColorEfficiencyMode; EXT ULONG PhCsColorEfficiencyMode; EXT ULONG PhCsGraphShowText; EXT ULONG PhCsGraphColorMode; EXT ULONG PhCsColorCpuKernel; EXT ULONG PhCsColorCpuUser; EXT ULONG PhCsColorIoReadOther; EXT ULONG PhCsColorIoWrite; EXT ULONG PhCsColorPrivate; EXT ULONG PhCsColorPhysical; EXT ULONG PhCsColorPowerUsage; EXT ULONG PhCsColorTemperature; EXT ULONG PhCsColorFanRpm; EXT ULONG PhCsUseColorUnknown; EXT ULONG PhCsColorUnknown; EXT ULONG PhCsUseColorServiceDisabled; EXT ULONG PhCsColorServiceDisabled; EXT ULONG PhCsUseColorServiceStop; EXT ULONG PhCsColorServiceStop; EXT BOOLEAN PhEnableImageCoherencySupport; EXT ULONG PhCsImageCoherencyScanLevel; EXT ULONG PhCsEnableGraphMaxScale; EXT ULONG PhCsEnableGraphMaxText; EXT ULONG PhCsEnableAvxSupport; EXT ULONG PhCsEnableHandleSnapshot; EXT BOOLEAN PhEnableProcessMonitor; EXT ULONG PhProcessMonitorLookback; EXT ULONG PhProcessMonitorCacheLimit; #pragma pop_macro("EXT") #define PH_GET_INTEGER_CACHED_SETTING(Name) ((PhCs##Name) = PhGetIntegerSetting(TEXT(#Name))) #define PH_SET_INTEGER_CACHED_SETTING(Name, Value) (PhSetIntegerSetting(TEXT(#Name), (PhCs##Name) = (Value))) // begin_phapppub #define SETTING_SCHEMA_FILE L"$schema" #define SETTING_ALLOW_ONLY_ONE_INSTANCE L"AllowOnlyOneInstance" #define SETTING_CLOSE_ON_ESCAPE L"CloseOnEscape" #define SETTING_DBGHELP_SEARCH_PATH L"DbgHelpSearchPath" #define SETTING_DBGHELP_UNDECORATE L"DbgHelpUndecorate" #define SETTING_DBGHELP_VERIFY_MICROSOFT_CHAIN L"DbgHelpVerifyMicrosoftChain" #define SETTING_DISABLED_PLUGINS L"DisabledPlugins" #define SETTING_ELEVATION_LEVEL L"ElevationLevel" #define SETTING_ENABLE_ADVANCED_OPTIONS L"EnableAdvancedOptions" #define SETTING_ENABLE_AVX_SUPPORT L"EnableAvxSupport" #define SETTING_ENABLE_BITMAP_SUPPORT L"EnableBitmapSupport" #define SETTING_ENABLE_BREAK_ON_TERMINATION L"EnableBreakOnTermination" #define SETTING_ENABLE_BOOT_OBJECTS_ENUMERATE L"EnableBootObjectsEnumerate" #define SETTING_ENABLE_COMMAND_LINE_TOOLTIPS L"EnableCommandLineTooltips" #define SETTING_ENABLE_CYCLE_CPU_USAGE L"EnableCycleCpuUsage" #define SETTING_ENABLE_DEFERRED_LAYOUT L"EnableDeferredLayout" #define SETTING_ENABLE_DEVICE_SUPPORT L"EnableDeviceSupport" #define SETTING_ENABLE_DEVICE_NOTIFY_SUPPORT L"EnableDeviceNotifySupport" #define SETTING_ENABLE_IMAGE_COHERENCY_SUPPORT L"EnableImageCoherencySupport" #define SETTING_ENABLE_INSTANT_TOOLTIPS L"EnableInstantTooltips" #define SETTING_ENABLE_HEAP_REFLECTION L"EnableHeapReflection" #define SETTING_ENABLE_HEAP_MEMORY_TAGGING L"EnableHeapMemoryTagging" #define SETTING_ENABLE_LAST_PROCESS_SHUTDOWN L"EnableLastProcessShutdown" #define SETTING_ENABLE_LINUX_SUBSYSTEM_SUPPORT L"EnableLinuxSubsystemSupport" #define SETTING_ENABLE_HANDLE_SNAPSHOT L"EnableHandleSnapshot" #define SETTING_ENABLE_MINIDUMP_KERNEL_MINIDUMP L"EnableMinidumpKernelMinidump" #define SETTING_ENABLE_MINIDUMP_SNAPSHOT L"EnableMinidumpSnapshot" #define SETTING_ENABLE_MONOSPACE_FONT L"EnableMonospaceFont" #define SETTING_ENABLE_NETWORK_BOUND_CONNECTIONS L"EnableNetworkBoundConnections" #define SETTING_ENABLE_NETWORK_RESOLVE L"EnableNetworkResolve" #define SETTING_ENABLE_NETWORK_RESOLVE_DOH L"EnableNetworkResolveDoH" #define SETTING_ENABLE_MEM_STRINGS_TREE_DIALOG L"EnableMemStringsTreeDialog" #define SETTING_ENABLE_PACKAGE_ICON_SUPPORT L"EnablePackageIconSupport" #define SETTING_ENABLE_PROCESS_HANDLE_PNP_DEVICE_NAME_SUPPORT L"EnableProcessHandlePnPDeviceNameSupport" #define SETTING_ENABLE_PLUGINS L"EnablePlugins" #define SETTING_ENABLE_PLUGINS_NATIVE L"EnablePluginsNative" #define SETTING_ENABLE_GRAPH_MAX_SCALE L"EnableGraphMaxScale" #define SETTING_ENABLE_GRAPH_MAX_TEXT L"EnableGraphMaxText" #define SETTING_ENABLE_HIGH_RESOLUTION_PROVIDER_TIMER L"EnableHighResolutionProviderTimer" #define SETTING_ENABLE_SERVICE_NON_POLL L"EnableServiceNonPoll" #define SETTING_ENABLE_SERVICE_NON_POLL_NOTIFY L"EnableServiceNonPollNotify" #define SETTING_ENABLE_SERVICE_STAGE2 L"EnableServiceStage2" #define SETTING_ENABLE_SERVICE_PROGRESS_DIALOG L"EnableServiceProgressDialog" #define SETTING_ENABLE_SHELL_EXECUTE_SKIP_IFEO_DEBUGGER L"EnableShellExecuteSkipIfeoDebugger" #define SETTING_ENABLE_STAGE2 L"EnableStage2" #define SETTING_ENABLE_STREAMER_MODE L"EnableStreamerMode" #define SETTING_ENABLE_START_AS_ADMIN L"EnableStartAsAdmin" #define SETTING_ENABLE_START_AS_ADMIN_ALWAYS_ON_TOP L"EnableStartAsAdminAlwaysOnTop" #define SETTING_ENABLE_DEFAULT_SAFE_PLUGINS L"EnableDefaultSafePlugins" #define SETTING_ENABLE_SECURITY_ADVANCED_DIALOG L"EnableSecurityAdvancedDialog" #define SETTING_ENABLE_SHORT_RELATIVE_START_TIME L"EnableShortRelativeStartTime" #define SETTING_ENABLE_SHUTDOWN_CRITICAL_MENU L"EnableShutdownCriticalMenu" #define SETTING_ENABLE_SHUTDOWN_BOOT_MENU L"EnableShutdownBootMenu" #define SETTING_ENABLE_SILENT_CRASH_NOTIFY L"EnableSilentCrashNotify" #define SETTING_ENABLE_THEME_SUPPORT L"EnableThemeSupport" #define SETTING_ENABLE_THEME_ACRYLIC_SUPPORT L"EnableThemeAcrylicSupport" #define SETTING_ENABLE_THEME_ACRYLIC_WINDOW_SUPPORT L"EnableThemeAcrylicWindowSupport" #define SETTING_ENABLE_THEME_ANIMATION L"EnableThemeAnimation" #define SETTING_ENABLE_THEME_NATIVE_BUTTONS L"EnableThemeNativeButtons" #define SETTING_ENABLE_THREAD_STACK_INLINE_SYMBOLS L"EnableThreadStackInlineSymbols" #define SETTING_ENABLE_THREAD_STACK_LINE_INFORMATION L"EnableThreadStackLineInformation" #define SETTING_ENABLE_TOKEN_REMOVED_PRIVILEGES L"EnableTokenRemovedPrivileges" #define SETTING_ENABLE_TOOLTIP_SUPPORT L"EnableTooltipSupport" #define SETTING_ENABLE_UPDATE_DEFAULT_FIRMWARE_BOOT_ENTRY L"EnableUpdateDefaultFirmwareBootEntry" #define SETTING_ENABLE_VERSION_SUPPORT L"EnableVersionSupport" #define SETTING_ENABLE_WARNINGS L"EnableWarnings" #define SETTING_ENABLE_WARNINGS_RUNAS L"EnableWarningsRunas" #define SETTING_ENABLE_WINDOW_TEXT L"EnableWindowText" #define SETTING_ENVIRONMENT_TREE_LIST_COLUMNS L"EnvironmentTreeListColumns" #define SETTING_ENVIRONMENT_TREE_LIST_SORT L"EnvironmentTreeListSort" #define SETTING_ENVIRONMENT_TREE_LIST_FLAGS L"EnvironmentTreeListFlags" #define SETTING_SEARCH_CONTROL_REGEX L"SearchControlRegex" #define SETTING_SEARCH_CONTROL_CASE_SENSITIVE L"SearchControlCaseSensitive" #define SETTING_FIND_OBJ_TREE_LIST_COLUMNS L"FindObjTreeListColumns" #define SETTING_FIND_OBJ_WINDOW_POSITION L"FindObjWindowPosition" #define SETTING_FIND_OBJ_WINDOW_SIZE L"FindObjWindowSize" #define SETTING_THREAD_STACKS_TREE_LIST_COLUMNS L"ThreadStacksTreeListColumns" #define SETTING_THREAD_STACKS_WINDOW_POSITION L"ThreadStacksWindowPosition" #define SETTING_THREAD_STACKS_WINDOW_SIZE L"ThreadStacksWindowSize" #define SETTING_FILE_BROWSE_EXECUTABLE L"FileBrowseExecutable" #define SETTING_FIRST_RUN L"FirstRun" #define SETTING_FONT L"Font" #define SETTING_FONT_MONOSPACE L"FontMonospace" #define SETTING_FONT_QUALITY L"FontQuality" #define SETTING_FORCE_NO_PARENT L"ForceNoParent" #define SETTING_HANDLE_TREE_LIST_COLUMNS L"HandleTreeListColumns" #define SETTING_HANDLE_TREE_LIST_SORT L"HandleTreeListSort" #define SETTING_HANDLE_TREE_LIST_FLAGS L"HandleTreeListFlags" #define SETTING_HANDLE_PROPERTIES_WINDOW_POSITION L"HandlePropertiesWindowPosition" #define SETTING_HANDLE_PROPERTIES_WINDOW_SIZE L"HandlePropertiesWindowSize" #define SETTING_HANDLE_STATISTICS_LIST_VIEW_COLUMNS L"HandleStatisticsListViewColumns" #define SETTING_HANDLE_STATISTICS_LIST_VIEW_SORT L"HandleStatisticsListViewSort" #define SETTING_HANDLE_STATISTICS_WINDOW_POSITION L"HandleStatisticsWindowPosition" #define SETTING_HANDLE_STATISTICS_WINDOW_SIZE L"HandleStatisticsWindowSize" #define SETTING_HIDE_DEFAULT_SERVICES L"HideDefaultServices" #define SETTING_HIDE_DRIVER_SERVICES L"HideDriverServices" #define SETTING_HIDE_FREE_REGIONS L"HideFreeRegions" #define SETTING_HIDE_ON_CLOSE L"HideOnClose" #define SETTING_HIDE_ON_MINIMIZE L"HideOnMinimize" #define SETTING_HIDE_OTHER_USER_PROCESSES L"HideOtherUserProcesses" #define SETTING_HIDE_SIGNED_PROCESSES L"HideSignedProcesses" #define SETTING_HIDE_MICROSOFT_PROCESSES L"HideMicrosoftProcesses" #define SETTING_HIDE_WAITING_CONNECTIONS L"HideWaitingConnections" #define SETTING_HIGHLIGHTING_DURATION L"HighlightingDuration" #define SETTING_ICON_BALLOON_SHOW_ICON L"IconBalloonShowIcon" #define SETTING_ICON_BALLOON_MUTE_SOUND L"IconBalloonMuteSound" #define SETTING_TOAST_NOTIFY_ENABLED L"ToastNotifyEnabled" #define SETTING_ICON_TRAY_GUIDS L"IconTrayGuids" #define SETTING_ICON_TRAY_PERSIST_GUID_ENABLED L"IconTrayPersistGuidEnabled" #define SETTING_ICON_TRAY_LAZY_START_DELAY L"IconTrayLazyStartDelay" #define SETTING_ICON_IGNORE_BALLOON_CLICK L"IconIgnoreBalloonClick" #define SETTING_ICON_SETTINGS L"IconSettings" #define SETTING_ICON_NOTIFY_MASK L"IconNotifyMask" #define SETTING_ICON_PROCESSES L"IconProcesses" #define SETTING_ICON_SINGLE_CLICK L"IconSingleClick" #define SETTING_ICON_TOGGLES_VISIBILITY L"IconTogglesVisibility" #define SETTING_ICON_TRANSPARENCY_ENABLED L"IconTransparencyEnabled" #define SETTING_INFORMATION_WINDOW_POSITION L"InformationWindowPosition" #define SETTING_INFORMATION_WINDOW_SIZE L"InformationWindowSize" #define SETTING_IMAGE_COHERENCY_SCAN_LEVEL L"ImageCoherencyScanLevel" #define SETTING_JOB_LIST_VIEW_COLUMNS L"JobListViewColumns" #define SETTING_LOG_ENTRIES L"LogEntries" #define SETTING_LOG_LIST_VIEW_COLUMNS L"LogListViewColumns" #define SETTING_LOG_WINDOW_POSITION L"LogWindowPosition" #define SETTING_LOG_WINDOW_SIZE L"LogWindowSize" #define SETTING_MAIN_WINDOW_ALWAYS_ON_TOP L"MainWindowAlwaysOnTop" #define SETTING_MAIN_WINDOW_CLASS_NAME L"MainWindowClassName" #define SETTING_MAIN_WINDOW_OPACITY L"MainWindowOpacity" #define SETTING_MAIN_WINDOW_POSITION L"MainWindowPosition" #define SETTING_MAIN_WINDOW_SIZE L"MainWindowSize" #define SETTING_MAIN_WINDOW_STATE L"MainWindowState" #define SETTING_MAIN_WINDOW_TAB_RESTORE_ENABLED L"MainWindowTabRestoreEnabled" #define SETTING_MAIN_WINDOW_TAB_RESTORE_INDEX L"MainWindowTabRestoreIndex" #define SETTING_MAX_SIZE_UNIT L"MaxSizeUnit" #define SETTING_MAX_PRECISION_UNIT L"MaxPrecisionUnit" #define SETTING_MEM_EDIT_BYTES_PER_ROW L"MemEditBytesPerRow" #define SETTING_MEM_EDIT_GOTO_CHOICES L"MemEditGotoChoices" #define SETTING_MEM_EDIT_POSITION L"MemEditPosition" #define SETTING_MEM_EDIT_SIZE L"MemEditSize" #define SETTING_MEM_FILTER_CHOICES L"MemFilterChoices" #define SETTING_MEM_RESULTS_LIST_VIEW_COLUMNS L"MemResultsListViewColumns" #define SETTING_MEM_RESULTS_POSITION L"MemResultsPosition" #define SETTING_MEM_RESULTS_SIZE L"MemResultsSize" #define SETTING_MEMORY_LIST_FLAGS L"MemoryListFlags" #define SETTING_MEMORY_TREE_LIST_COLUMNS L"MemoryTreeListColumns" #define SETTING_MEMORY_TREE_LIST_SORT L"MemoryTreeListSort" #define SETTING_MEMORY_LISTS_WINDOW_POSITION L"MemoryListsWindowPosition" #define SETTING_MEMORY_READ_WRITE_ADDRESS_CHOICES L"MemoryReadWriteAddressChoices" #define SETTING_MEMORY_MODIFIED_WINDOW_POSITION L"MemoryModifiedWindowPosition" #define SETTING_MEMORY_MODIFIED_WINDOW_SIZE L"MemoryModifiedWindowSize" #define SETTING_MEMORY_MODIFIED_LIST_VIEW_COLUMNS L"MemoryModifiedListViewColumns" #define SETTING_MEMORY_MODIFIED_LIST_VIEW_SORT L"MemoryModifiedListViewSort" #define SETTING_MEM_STRINGS_TREE_LIST_COLUMNS L"MemStringsTreeListColumns" #define SETTING_MEM_STRINGS_TREE_LIST_SORT L"MemStringsTreeListSort" #define SETTING_MEM_STRINGS_TREE_LIST_FLAGS L"MemStringsTreeListFlags" #define SETTING_MEM_STRINGS_MINIMUM_LENGTH L"MemStringsMinimumLength" #define SETTING_MEM_STRINGS_WINDOW_POSITION L"MemStringsWindowPosition" #define SETTING_MEM_STRINGS_WINDOW_SIZE L"MemStringsWindowSize" #define SETTING_MINI_INFO_CONTAINER_CLASS_NAME L"MiniInfoContainerClassName" #define SETTING_MINI_INFO_WINDOW_CLASS_NAME L"MiniInfoWindowClassName" #define SETTING_MINI_INFO_WINDOW_ENABLED L"MiniInfoWindowEnabled" #define SETTING_MINI_INFO_WINDOW_OPACITY L"MiniInfoWindowOpacity" #define SETTING_MINI_INFO_WINDOW_PINNED L"MiniInfoWindowPinned" #define SETTING_MINI_INFO_WINDOW_POSITION L"MiniInfoWindowPosition" #define SETTING_MINI_INFO_WINDOW_REFRESH_AUTOMATICALLY L"MiniInfoWindowRefreshAutomatically" #define SETTING_MINI_INFO_WINDOW_SIZE L"MiniInfoWindowSize" #define SETTING_MODULE_TREE_LIST_FLAGS L"ModuleTreeListFlags" #define SETTING_MODULE_TREE_LIST_COLUMNS L"ModuleTreeListColumns" #define SETTING_MODULE_TREE_LIST_SORT L"ModuleTreeListSort" #define SETTING_NETWORK_TREE_LIST_COLUMNS L"NetworkTreeListColumns" #define SETTING_NETWORK_TREE_LIST_SORT L"NetworkTreeListSort" #define SETTING_NON_POLL_FLUSH_INTERVAL L"NonPollFlushInterval" #define SETTING_NO_PURGE_PROCESS_RECORDS L"NoPurgeProcessRecords" #define SETTING_OPTIONS_CUSTOM_COLOR_LIST L"OptionsCustomColorList" #define SETTING_OPTIONS_WINDOW_ADVANCED_COLUMNS L"OptionsWindowAdvancedColumns" #define SETTING_OPTIONS_WINDOW_ADVANCED_FLAGS L"OptionsWindowAdvancedFlags" #define SETTING_OPTIONS_WINDOW_POSITION L"OptionsWindowPosition" #define SETTING_OPTIONS_WINDOW_SIZE L"OptionsWindowSize" #define SETTING_PAGE_FILE_WINDOW_POSITION L"PageFileWindowPosition" #define SETTING_PAGE_FILE_WINDOW_SIZE L"PageFileWindowSize" #define SETTING_PAGE_FILE_LIST_VIEW_COLUMNS L"PageFileListViewColumns" #define SETTING_PLUGIN_MANAGER_TREE_LIST_COLUMNS L"PluginManagerTreeListColumns" #define SETTING_PROCESS_SERVICE_LIST_VIEW_COLUMNS L"ProcessServiceListViewColumns" #define SETTING_PROCESS_TREE_COLUMN_SET_CONFIG L"ProcessTreeColumnSetConfig" #define SETTING_PROCESS_TREE_LIST_COLUMNS L"ProcessTreeListColumns" #define SETTING_PROCESS_TREE_LIST_SORT L"ProcessTreeListSort" #define SETTING_PROCESS_TREE_LIST_NAME_DEFAULT L"ProcessTreeListNameDefault" #define SETTING_PROC_PROP_PAGE L"ProcPropPage" #define SETTING_PROC_PROP_POSITION L"ProcPropPosition" #define SETTING_PROC_PROP_SIZE L"ProcPropSize" #define SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_COLUMNS L"ProcStatPropPageGroupListViewColumns" #define SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_SORT L"ProcStatPropPageGroupListViewSort" #define SETTING_PROC_STAT_PROP_PAGE_GROUP_STATES L"ProcStatPropPageGroupStates" #define SETTING_PROGRAM_INSPECT_EXECUTABLES L"ProgramInspectExecutables" #define SETTING_PROPAGATE_CPU_USAGE L"PropagateCpuUsage" #define SETTING_RELEASE_CHANNEL L"ReleaseChannel" #define SETTING_RUN_AS_ENABLE_AUTO_COMPLETE L"RunAsEnableAutoComplete" #define SETTING_RUN_AS_PROGRAM L"RunAsProgram" #define SETTING_RUN_AS_USER_NAME L"RunAsUserName" #define SETTING_RUN_AS_WINDOW_POSITION L"RunAsWindowPosition" #define SETTING_RUN_AS_PACKAGE_WINDOW_POSITION L"RunAsPackageWindowPosition" #define SETTING_RUN_AS_PACKAGE_WINDOW_SIZE L"RunAsPackageWindowSize" #define SETTING_RUN_FILE_DLG_STATE L"RunFileDlgState" #define SETTING_SAMPLE_COUNT L"SampleCount" #define SETTING_SAMPLE_COUNT_AUTOMATIC L"SampleCountAutomatic" #define SETTING_SCROLL_TO_NEW_PROCESSES L"ScrollToNewProcesses" #define SETTING_SCROLL_TO_REMOVED_PROCESSES L"ScrollToRemovedProcesses" #define SETTING_SEARCH_ENGINE L"SearchEngine" #define SETTING_SEGMENT_HEAP_LIST_VIEW_COLUMNS L"SegmentHeapListViewColumns" #define SETTING_SEGMENT_HEAP_LIST_VIEW_SORT L"SegmentHeapListViewSort" #define SETTING_SEGMENT_HEAP_WINDOW_POSITION L"SegmentHeapWindowPosition" #define SETTING_SEGMENT_HEAP_WINDOW_SIZE L"SegmentHeapWindowSize" #define SETTING_SEGMENT_LOCKS_LIST_VIEW_COLUMNS L"SegmentLocksListViewColumns" #define SETTING_SEGMENT_LOCKS_LIST_VIEW_SORT L"SegmentLocksListViewSort" #define SETTING_SEGMENT_LOCKS_WINDOW_POSITION L"SegmentLocksWindowPosition" #define SETTING_SEGMENT_LOCKS_WINDOW_SIZE L"SegmentLocksWindowSize" #define SETTING_SERVICE_WINDOW_POSITION L"ServiceWindowPosition" #define SETTING_SERVICE_LIST_VIEW_COLUMNS L"ServiceListViewColumns" #define SETTING_SERVICE_TREE_LIST_COLUMNS L"ServiceTreeListColumns" #define SETTING_SERVICE_TREE_LIST_SORT L"ServiceTreeListSort" #define SETTING_SESSION_SHADOW_HOTKEY L"SessionShadowHotkey" #define SETTING_SHOW_PLUGIN_LOAD_ERRORS L"ShowPluginLoadErrors" #define SETTING_SHOW_COMMIT_IN_SUMMARY L"ShowCommitInSummary" #define SETTING_SHOW_CPU_BELOW_001 L"ShowCpuBelow001" #define SETTING_SHOW_HEX_ID L"ShowHexId" #define SETTING_SORT_CHILD_PROCESSES L"SortChildProcesses" #define SETTING_SORT_ROOT_PROCESSES L"SortRootProcesses" #define SETTING_START_HIDDEN L"StartHidden" #define SETTING_SYSINFO_SHOW_CPU_SPEED_MHZ L"SysInfoShowCpuSpeedMhz" #define SETTING_SYSINFO_SHOW_CPU_SPEED_PER_CPU L"SysInfoShowCpuSpeedPerCpu" #define SETTING_SYSINFO_WINDOW_ALWAYS_ON_TOP L"SysInfoWindowAlwaysOnTop" #define SETTING_SYSINFO_WINDOW_ONE_GRAPH_PER_CPU L"SysInfoWindowOneGraphPerCpu" #define SETTING_SYSINFO_WINDOW_POSITION L"SysInfoWindowPosition" #define SETTING_SYSINFO_WINDOW_SECTION L"SysInfoWindowSection" #define SETTING_SYSINFO_WINDOW_SIZE L"SysInfoWindowSize" #define SETTING_SYSINFO_WINDOW_STATE L"SysInfoWindowState" #define SETTING_TASKMGR_WINDOW_STATE L"TaskmgrWindowState" #define SETTING_THEME_WINDOW_FOREGROUND_COLOR L"ThemeWindowForegroundColor" #define SETTING_THEME_WINDOW_BACKGROUND_COLOR L"ThemeWindowBackgroundColor" #define SETTING_THEME_WINDOW_BACKGROUND2_COLOR L"ThemeWindowBackground2Color" #define SETTING_THEME_WINDOW_HIGHLIGHT_COLOR L"ThemeWindowHighlightColor" #define SETTING_THEME_WINDOW_HIGHLIGHT2_COLOR L"ThemeWindowHighlight2Color" #define SETTING_THEME_WINDOW_TEXT_COLOR L"ThemeWindowTextColor" #define SETTING_THIN_ROWS L"ThinRows" #define SETTING_THREAD_TREE_LIST_COLUMNS L"ThreadTreeListColumns" #define SETTING_THREAD_TREE_LIST_SORT L"ThreadTreeListSort" #define SETTING_THREAD_TREE_LIST_FLAGS L"ThreadTreeListFlags" #define SETTING_THREAD_STACK_TREE_LIST_COLUMNS L"ThreadStackTreeListColumns" #define SETTING_THREAD_STACK_WINDOW_SIZE L"ThreadStackWindowSize" #define SETTING_TOKEN_WINDOW_POSITION L"TokenWindowPosition" #define SETTING_TOKEN_WINDOW_SIZE L"TokenWindowSize" #define SETTING_TOKEN_GROUPS_LIST_VIEW_COLUMNS L"TokenGroupsListViewColumns" #define SETTING_TOKEN_GROUPS_LIST_VIEW_STATES L"TokenGroupsListViewStates" #define SETTING_TOKEN_GROUPS_LIST_VIEW_SORT L"TokenGroupsListViewSort" #define SETTING_TOKEN_PRIVILEGES_LIST_VIEW_COLUMNS L"TokenPrivilegesListViewColumns" #define SETTING_TREE_LIST_BORDER_ENABLE L"TreeListBorderEnable" #define SETTING_TREE_LIST_CUSTOM_COLORS_ENABLE L"TreeListCustomColorsEnable" #define SETTING_TREE_LIST_CUSTOM_COLOR_TEXT L"TreeListCustomColorText" #define SETTING_TREE_LIST_CUSTOM_COLOR_FOCUS L"TreeListCustomColorFocus" #define SETTING_TREE_LIST_CUSTOM_COLOR_SELECTION L"TreeListCustomColorSelection" #define SETTING_TREE_LIST_CUSTOM_ROW_SIZE L"TreeListCustomRowSize" #define SETTING_TREE_LIST_ENABLE_HEADER_TOTALS L"TreeListEnableHeaderTotals" #define SETTING_TREE_LIST_ENABLE_DRAG_REORDER L"TreeListEnableDragReorder" #define SETTING_UPDATE_INTERVAL L"UpdateInterval" #define SETTING_USER_LIST_TREE_LIST_COLUMNS L"UserListTreeListColumns" #define SETTING_USER_LIST_WINDOW_POSITION L"UserListWindowPosition" #define SETTING_USER_LIST_WINDOW_SIZE L"UserListWindowSize" #define SETTING_WMI_PROVIDER_ENABLE_HIDDEN_MENU L"WmiProviderEnableHiddenMenu" #define SETTING_WMI_PROVIDER_ENABLE_TOOLTIP_SUPPORT L"WmiProviderEnableTooltipSupport" #define SETTING_WMI_PROVIDER_TREE_LIST_COLUMNS L"WmiProviderTreeListColumns" #define SETTING_WMI_PROVIDER_TREE_LIST_SORT L"WmiProviderTreeListSort" #define SETTING_WMI_PROVIDER_TREE_LIST_FLAGS L"WmiProviderTreeListFlags" #define SETTING_VDM_HOST_LIST_VIEW_COLUMNS L"VdmHostListViewColumns" #define SETTING_ZOMBIE_PROCESSES_LIST_VIEW_COLUMNS L"ZombieProcessesListViewColumns" #define SETTING_ZOMBIE_PROCESSES_WINDOW_POSITION L"ZombieProcessesWindowPosition" #define SETTING_ZOMBIE_PROCESSES_WINDOW_SIZE L"ZombieProcessesWindowSize" #define SETTING_COLOR_NEW L"ColorNew" #define SETTING_COLOR_REMOVED L"ColorRemoved" #define SETTING_USE_COLOR_OWN_PROCESSES L"UseColorOwnProcesses" #define SETTING_COLOR_OWN_PROCESSES L"ColorOwnProcesses" #define SETTING_USE_COLOR_SYSTEM_PROCESSES L"UseColorSystemProcesses" #define SETTING_COLOR_SYSTEM_PROCESSES L"ColorSystemProcesses" #define SETTING_USE_COLOR_SERVICE_PROCESSES L"UseColorServiceProcesses" #define SETTING_COLOR_SERVICE_PROCESSES L"ColorServiceProcesses" #define SETTING_USE_COLOR_BACKGROUND_PROCESSES L"UseColorBackgroundProcesses" #define SETTING_COLOR_BACKGROUND_PROCESSES L"ColorBackgroundProcesses" #define SETTING_USE_COLOR_JOB_PROCESSES L"UseColorJobProcesses" #define SETTING_COLOR_JOB_PROCESSES L"ColorJobProcesses" #define SETTING_USE_COLOR_WOW64_PROCESSES L"UseColorWow64Processes" #define SETTING_COLOR_WOW64_PROCESSES L"ColorWow64Processes" #define SETTING_USE_COLOR_DEBUGGED_PROCESSES L"UseColorDebuggedProcesses" #define SETTING_COLOR_DEBUGGED_PROCESSES L"ColorDebuggedProcesses" #define SETTING_USE_COLOR_ELEVATED_PROCESSES L"UseColorElevatedProcesses" #define SETTING_COLOR_ELEVATED_PROCESSES L"ColorElevatedProcesses" #define SETTING_USE_COLOR_HANDLE_FILTERED L"UseColorHandleFiltered" #define SETTING_COLOR_HANDLE_FILTERED L"ColorHandleFiltered" #define SETTING_USE_COLOR_IMMERSIVE_PROCESSES L"UseColorImmersiveProcesses" #define SETTING_COLOR_IMMERSIVE_PROCESSES L"ColorImmersiveProcesses" #define SETTING_USE_COLOR_UI_ACCESS_PROCESSES L"UseColorUIAccessProcesses" #define SETTING_COLOR_UI_ACCESS_PROCESSES L"ColorUIAccessProcesses" #define SETTING_USE_COLOR_PICO_PROCESSES L"UseColorPicoProcesses" #define SETTING_COLOR_PICO_PROCESSES L"ColorPicoProcesses" #define SETTING_USE_COLOR_SUSPENDED L"UseColorSuspended" #define SETTING_COLOR_SUSPENDED L"ColorSuspended" #define SETTING_USE_COLOR_DOT_NET L"UseColorDotNet" #define SETTING_COLOR_DOT_NET L"ColorDotNet" #define SETTING_USE_COLOR_PACKED L"UseColorPacked" #define SETTING_COLOR_PACKED L"ColorPacked" #define SETTING_USE_COLOR_LOW_IMAGE_COHERENCY L"UseColorLowImageCoherency" #define SETTING_COLOR_LOW_IMAGE_COHERENCY L"ColorLowImageCoherency" #define SETTING_USE_COLOR_PARTIALLY_SUSPENDED L"UseColorPartiallySuspended" #define SETTING_COLOR_PARTIALLY_SUSPENDED L"ColorPartiallySuspended" #define SETTING_USE_COLOR_GUI_THREADS L"UseColorGuiThreads" #define SETTING_COLOR_GUI_THREADS L"ColorGuiThreads" #define SETTING_USE_COLOR_RELOCATED_MODULES L"UseColorRelocatedModules" #define SETTING_COLOR_RELOCATED_MODULES L"ColorRelocatedModules" #define SETTING_USE_COLOR_PROTECTED_HANDLES L"UseColorProtectedHandles" #define SETTING_COLOR_PROTECTED_HANDLES L"ColorProtectedHandles" #define SETTING_USE_COLOR_PROTECTED_INHERIT_HANDLES L"UseColorProtectedInheritHandles" #define SETTING_COLOR_PROTECTED_INHERIT_HANDLES L"ColorProtectedInheritHandles" #define SETTING_USE_COLOR_PROTECTED_PROCESS L"UseColorProtectedProcess" #define SETTING_COLOR_PROTECTED_PROCESS L"ColorProtectedProcess" #define SETTING_USE_COLOR_INHERIT_HANDLES L"UseColorInheritHandles" #define SETTING_COLOR_INHERIT_HANDLES L"ColorInheritHandles" #define SETTING_USE_COLOR_EFFICIENCY_MODE L"UseColorEfficiencyMode" #define SETTING_COLOR_EFFICIENCY_MODE L"ColorEfficiencyMode" #define SETTING_USE_COLOR_SERVICE_DISABLED L"UseColorServiceDisabled" #define SETTING_COLOR_SERVICE_DISABLED L"ColorServiceDisabled" #define SETTING_USE_COLOR_SERVICE_STOP L"UseColorServiceStop" #define SETTING_COLOR_SERVICE_STOP L"ColorServiceStop" #define SETTING_USE_COLOR_UNKNOWN L"UseColorUnknown" #define SETTING_COLOR_UNKNOWN L"ColorUnknown" #define SETTING_USE_COLOR_SYSTEM_THREAD_STACK L"UseColorSystemThreadStack" #define SETTING_COLOR_SYSTEM_THREAD_STACK L"ColorSystemThreadStack" #define SETTING_USE_COLOR_USER_THREAD_STACK L"UseColorUserThreadStack" #define SETTING_COLOR_USER_THREAD_STACK L"ColorUserThreadStack" #define SETTING_USE_COLOR_INLINE_THREAD_STACK L"UseColorInlineThreadStack" #define SETTING_COLOR_INLINE_THREAD_STACK L"ColorInlineThreadStack" #define SETTING_GRAPH_SHOW_TEXT L"GraphShowText" #define SETTING_GRAPH_COLOR_MODE L"GraphColorMode" #define SETTING_COLOR_CPU_KERNEL L"ColorCpuKernel" #define SETTING_COLOR_CPU_USER L"ColorCpuUser" #define SETTING_COLOR_IO_READ_OTHER L"ColorIoReadOther" #define SETTING_COLOR_IO_WRITE L"ColorIoWrite" #define SETTING_COLOR_PRIVATE L"ColorPrivate" #define SETTING_COLOR_PHYSICAL L"ColorPhysical" #define SETTING_COLOR_POWER_USAGE L"ColorPowerUsage" #define SETTING_COLOR_TEMPERATURE L"ColorTemperature" #define SETTING_COLOR_FAN_RPM L"ColorFanRpm" #define SETTING_KSI_ENABLE L"KsiEnable" #define SETTING_KSI_ENABLE_WARNINGS L"KsiEnableWarnings" #define SETTING_KSI_SERVICE_NAME L"KsiServiceName" #define SETTING_KSI_OBJECT_NAME L"KsiObjectName" #define SETTING_KSI_PORT_NAME L"KsiPortName" #define SETTING_KSI_ALTITUDE L"KsiAltitude" #define SETTING_KSI_SYSTEM_PROCESS_NAME L"KsiSystemProcessName" #define SETTING_KSI_DISABLE_IMAGE_LOAD_PROTECTION L"KsiDisableImageLoadProtection" #define SETTING_KSI_ENABLE_SPLASH_SCREEN L"KsiEnableSplashScreen" #define SETTING_KSI_ENABLE_LOAD_NATIVE L"KsiEnableLoadNative" #define SETTING_KSI_ENABLE_LOAD_FILTER L"KsiEnableLoadFilter" #define SETTING_KSI_UNLOAD_ON_EXIT L"KsiUnloadOnExit" #define SETTING_KSI_RANDOMIZED_POOL_TAG L"KsiRandomizedPoolTag" #define SETTING_KSI_ENABLE_UNLOAD_PROTECTION L"KsiEnableUnloadProtection" #define SETTING_KSI_DYN_DATA_NO_EMBEDDED L"KsiDynDataNoEmbedded" #define SETTING_KSI_DISABLE_SYSTEM_PROCESS L"KsiDisableSystemProcess" #define SETTING_KSI_DISABLE_THREAD_NAMES L"KsiDisableThreadNames" #define SETTING_KSI_CLIENT_PROCESS_PROTECTION_LEVEL L"KsiClientProcessProtectionLevel" #define SETTING_KSI_PREVIOUS_TEMPORARY_DRIVER_FILE L"KsiPreviousTemporaryDriverFile" #define SETTING_KSI_ENABLE_FS_FEATURE_OFFLOAD_READ L"KsiEnableFsFeatureOffloadRead" #define SETTING_KSI_ENABLE_FS_FEATURE_OFFLOAD_WRITE L"KsiEnableFsFeatureOffloadWrite" #define SETTING_KSI_ENABLE_FS_FEATURE_QUERY_OPEN L"KsiEnableFsFeatureQueryOpen" #define SETTING_KSI_ENABLE_FS_FEATURE_BYPASS_IO L"KsiEnableFsFeatureBypassIO" #define SETTING_KSI_RING_BUFFER_LENGTH L"KsiRingBufferLength" #define SETTING_ENABLE_PROCESS_MONITOR L"EnableProcessMonitor" #define SETTING_PROCESS_MONITOR_LOOKBACK L"ProcessMonitorLookback" #define SETTING_PROCESS_MONITOR_CACHE_LIMIT L"ProcessMonitorCacheLimit" // end_phapppub #endif ================================================ FILE: SystemInformer/include/phsvc.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2022 * */ #ifndef PH_PHSVC_H #define PH_PHSVC_H #include #define PHSVC_SHARED_SECTION_SIZE (512 * 1024) // svcmain typedef struct _PHSVC_STOP { BOOLEAN Stop; HANDLE Event1; HANDLE Event2; } PHSVC_STOP, *PPHSVC_STOP; NTSTATUS PhSvcMain( _In_opt_ PPH_STRING PortName, _Inout_opt_ PPHSVC_STOP Stop ); VOID PhSvcStop( _Inout_ PPHSVC_STOP Stop ); // svcclient typedef struct _PHSVC_CLIENT { LIST_ENTRY ListEntry; PH_EVENT ReadyEvent; CLIENT_ID ClientId; HANDLE PortHandle; PVOID ClientViewBase; PVOID ClientViewLimit; } PHSVC_CLIENT, *PPHSVC_CLIENT; PPHSVC_CLIENT PhSvcCreateClient( _In_opt_ PCLIENT_ID ClientId ); PPHSVC_CLIENT PhSvcReferenceClientByClientId( _In_ PCLIENT_ID ClientId ); PPHSVC_CLIENT PhSvcGetCurrentClient( VOID ); BOOLEAN PhSvcAttachClient( _In_ PPHSVC_CLIENT Client ); VOID PhSvcDetachClient( _In_ PPHSVC_CLIENT Client ); // svcapiport typedef struct _PHSVC_THREAD_CONTEXT { PPHSVC_CLIENT CurrentClient; PPHSVC_CLIENT OldClient; } PHSVC_THREAD_CONTEXT, *PPHSVC_THREAD_CONTEXT; NTSTATUS PhSvcApiPortInitialization( _In_ PUNICODE_STRING PortName ); PPHSVC_THREAD_CONTEXT PhSvcGetCurrentThreadContext( VOID ); VOID PhSvcHandleConnectionRequest( _In_ PPORT_MESSAGE PortMessage ); // svcapi typedef _Function_class_(PHSVC_API_PROCEDURE) NTSTATUS NTAPI PHSVC_API_PROCEDURE( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); typedef PHSVC_API_PROCEDURE* PPHSVC_API_PROCEDURE; typedef CONST PPHSVC_API_PROCEDURE PCPHSVC_API_PROCEDURE; VOID PhSvcDispatchApiCall( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload, _Out_ PHANDLE ReplyPortHandle ); PVOID PhSvcValidateString( _In_ PPH_RELATIVE_STRINGREF String, _In_ ULONG Alignment ); _Function_class_(PHSVC_SERVER_PROBE_BUFFER) NTSTATUS PhSvcProbeBuffer( _In_ PPH_RELATIVE_STRINGREF String, _In_ ULONG Alignment, _In_ BOOLEAN AllowNull, _Out_ PVOID *Pointer ); _Function_class_(PHSVC_SERVER_CAPTURE_BUFFER) NTSTATUS PhSvcCaptureBuffer( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PVOID *CapturedBuffer ); NTSTATUS PhSvcCaptureString( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PPH_STRING *CapturedString ); NTSTATUS PhSvcCaptureSid( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PSID *CapturedSid ); NTSTATUS PhSvcCaptureSecurityDescriptor( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _In_ SECURITY_INFORMATION RequiredInformation, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor ); NTSTATUS PhSvcApiDefault( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); _Function_class_(PHSVC_API_PROCEDURE) NTSTATUS PhSvcApiPlugin( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiExecuteRunAsCommand( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiUnloadDriver( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiControlProcess( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiControlService( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiCreateService( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiChangeServiceConfig( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiChangeServiceConfig2( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiSetTcpEntry( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiControlThread( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiAddAccountRight( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiInvokeRunAsService( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiIssueMemoryListCommand( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiPostMessage( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiSendMessage( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiCreateProcessIgnoreIfeoDebugger( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiSetServiceSecurity( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiWriteMiniDumpProcess( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiQueryProcessHeapInformation( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); NTSTATUS PhSvcApiCreateProcessForKsi( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ); #endif ================================================ FILE: SystemInformer/include/phsvcapi.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2015 * dmex 2017-2023 * */ #ifndef PH_PHSVCAPI_H #define PH_PHSVCAPI_H #define PHSVC_PORT_NAME (L"\\BaseNamedObjects\\SiSvcApiPort") #define PHSVC_WOW64_PORT_NAME (L"\\BaseNamedObjects\\SiSvcWow64ApiPort") typedef enum _PHSVC_API_NUMBER { PhSvcInvalidApiNumber = 0, PhSvcPluginApiNumber = 1, PhSvcExecuteRunAsCommandApiNumber = 2, PhSvcUnloadDriverApiNumber = 3, PhSvcControlProcessApiNumber = 4, PhSvcControlServiceApiNumber = 5, PhSvcCreateServiceApiNumber = 6, PhSvcChangeServiceConfigApiNumber = 7, PhSvcChangeServiceConfig2ApiNumber = 8, PhSvcSetTcpEntryApiNumber = 9, PhSvcControlThreadApiNumber = 10, PhSvcAddAccountRightApiNumber = 11, PhSvcInvokeRunAsServiceApiNumber = 12, PhSvcIssueMemoryListCommandApiNumber = 13, PhSvcPostMessageApiNumber = 14, PhSvcSendMessageApiNumber = 15, PhSvcCreateProcessIgnoreIfeoDebuggerApiNumber = 16, PhSvcSetServiceSecurityApiNumber = 17, PhSvcWriteMiniDumpProcessApiNumber = 18, // WOW64 compatible PhSvcQueryProcessDebugInformationApiNumber = 19, // WOW64 compatible PhSvcCreateProcessForKsi = 20, PhSvcMaximumApiNumber } PHSVC_API_NUMBER, *PPHSVC_API_NUMBER; typedef struct _PHSVC_API_CONNECTINFO { ULONG ServerProcessId; } PHSVC_API_CONNECTINFO, *PPHSVC_API_CONNECTINFO; typedef union _PHSVC_API_PLUGIN { struct { PH_RELATIVE_STRINGREF ApiId; ULONG Data[30]; } i; struct { ULONG Data[32]; } o; } PHSVC_API_PLUGIN, *PPHSVC_API_PLUGIN; typedef union _PHSVC_API_EXECUTERUNASCOMMAND { struct { ULONG ProcessId; PH_RELATIVE_STRINGREF UserName; PH_RELATIVE_STRINGREF Password; ULONG LogonType; ULONG SessionId; PH_RELATIVE_STRINGREF CurrentDirectory; PH_RELATIVE_STRINGREF CommandLine; PH_RELATIVE_STRINGREF FileName; PH_RELATIVE_STRINGREF DesktopName; BOOLEAN UseLinkedToken; PH_RELATIVE_STRINGREF ServiceName; BOOLEAN CreateSuspendedProcess; BOOLEAN CreateUIAccessProcess; HWND WindowHandle; } i; } PHSVC_API_EXECUTERUNASCOMMAND, *PPHSVC_API_EXECUTERUNASCOMMAND; typedef union _PHSVC_API_UNLOADDRIVER { struct { PVOID BaseAddress; PH_RELATIVE_STRINGREF Name; PH_RELATIVE_STRINGREF FileName; } i; } PHSVC_API_UNLOADDRIVER, *PPHSVC_API_UNLOADDRIVER; typedef enum _PHSVC_API_CONTROLPROCESS_COMMAND { PhSvcControlProcessTerminate = 1, PhSvcControlProcessSuspend, PhSvcControlProcessResume, PhSvcControlProcessPriority, PhSvcControlProcessIoPriority } PHSVC_API_CONTROLPROCESS_COMMAND; typedef union _PHSVC_API_CONTROLPROCESS { struct { HANDLE ProcessId; PHSVC_API_CONTROLPROCESS_COMMAND Command; ULONG Argument; } i; } PHSVC_API_CONTROLPROCESS, *PPHSVC_API_CONTROLPROCESS; typedef enum _PHSVC_API_CONTROLSERVICE_COMMAND { PhSvcControlServiceStart = 1, PhSvcControlServiceContinue, PhSvcControlServicePause, PhSvcControlServiceStop, PhSvcControlServiceDelete, PhSvcControlServiceRestart } PHSVC_API_CONTROLSERVICE_COMMAND; typedef union _PHSVC_API_CONTROLSERVICE { struct { PH_RELATIVE_STRINGREF ServiceName; PHSVC_API_CONTROLSERVICE_COMMAND Command; } i; } PHSVC_API_CONTROLSERVICE, *PPHSVC_API_CONTROLSERVICE; typedef union _PHSVC_API_CREATESERVICE { struct { // ServiceName is the only required string. PH_RELATIVE_STRINGREF ServiceName; PH_RELATIVE_STRINGREF DisplayName; ULONG ServiceType; ULONG StartType; ULONG ErrorControl; PH_RELATIVE_STRINGREF BinaryPathName; PH_RELATIVE_STRINGREF LoadOrderGroup; PH_RELATIVE_STRINGREF Dependencies; PH_RELATIVE_STRINGREF ServiceStartName; PH_RELATIVE_STRINGREF Password; BOOLEAN TagIdSpecified; } i; struct { ULONG TagId; } o; } PHSVC_API_CREATESERVICE, *PPHSVC_API_CREATESERVICE; typedef union _PHSVC_API_CHANGESERVICECONFIG { struct { PH_RELATIVE_STRINGREF ServiceName; ULONG ServiceType; ULONG StartType; ULONG ErrorControl; PH_RELATIVE_STRINGREF BinaryPathName; PH_RELATIVE_STRINGREF LoadOrderGroup; PH_RELATIVE_STRINGREF Dependencies; PH_RELATIVE_STRINGREF ServiceStartName; PH_RELATIVE_STRINGREF Password; PH_RELATIVE_STRINGREF DisplayName; BOOLEAN TagIdSpecified; } i; struct { ULONG TagId; } o; } PHSVC_API_CHANGESERVICECONFIG, *PPHSVC_API_CHANGESERVICECONFIG; typedef union _PHSVC_API_CHANGESERVICECONFIG2 { struct { PH_RELATIVE_STRINGREF ServiceName; ULONG InfoLevel; PH_RELATIVE_STRINGREF Info; } i; } PHSVC_API_CHANGESERVICECONFIG2, *PPHSVC_API_CHANGESERVICECONFIG2; typedef union _PHSVC_API_SETTCPENTRY { struct { ULONG State; ULONG LocalAddress; ULONG LocalPort; ULONG RemoteAddress; ULONG RemotePort; } i; } PHSVC_API_SETTCPENTRY, *PPHSVC_API_SETTCPENTRY; typedef enum _PHSVC_API_CONTROLTHREAD_COMMAND { PhSvcControlThreadTerminate = 1, PhSvcControlThreadSuspend, PhSvcControlThreadResume, PhSvcControlThreadIoPriority } PHSVC_API_CONTROLTHREAD_COMMAND; typedef union _PHSVC_API_CONTROLTHREAD { struct { HANDLE ThreadId; PHSVC_API_CONTROLTHREAD_COMMAND Command; ULONG Argument; } i; } PHSVC_API_CONTROLTHREAD, *PPHSVC_API_CONTROLTHREAD; typedef union _PHSVC_API_ADDACCOUNTRIGHT { struct { PH_RELATIVE_STRINGREF AccountSid; PH_RELATIVE_STRINGREF UserRight; } i; } PHSVC_API_ADDACCOUNTRIGHT, *PPHSVC_API_ADDACCOUNTRIGHT; typedef union _PHSVC_API_ISSUEMEMORYLISTCOMMAND { struct { SYSTEM_MEMORY_LIST_COMMAND Command; } i; } PHSVC_API_ISSUEMEMORYLISTCOMMAND, *PPHSVC_API_ISSUEMEMORYLISTCOMMAND; typedef union _PHSVC_API_POSTMESSAGE { struct { HWND hWnd; UINT Msg; WPARAM wParam; LPARAM lParam; } i; } PHSVC_API_POSTMESSAGE, *PPHSVC_API_POSTMESSAGE; typedef union _PHSVC_API_CREATEPROCESSIGNOREIFEODEBUGGER { struct { PH_RELATIVE_STRINGREF FileName; PH_RELATIVE_STRINGREF CommandLine; } i; } PHSVC_API_CREATEPROCESSIGNOREIFEODEBUGGER, *PPHSVC_API_CREATEPROCESSIGNOREIFEODEBUGGER; typedef union _PHSVC_API_SETSERVICESECURITY { struct { PH_RELATIVE_STRINGREF ServiceName; SECURITY_INFORMATION SecurityInformation; PH_RELATIVE_STRINGREF SecurityDescriptor; } i; } PHSVC_API_SETSERVICESECURITY, *PPHSVC_API_SETSERVICESECURITY; typedef union _PHSVC_API_WRITEMINIDUMPPROCESS { struct { ULONG LocalProcessHandle; ULONG ProcessId; ULONG LocalFileHandle; ULONG DumpType; } i; } PHSVC_API_WRITEMINIDUMPPROCESS, *PPHSVC_API_WRITEMINIDUMPPROCESS; typedef union _PHSVC_API_PROCESSHEAPINFORMATION { struct { ULONG ProcessId; PH_RELATIVE_STRINGREF Data; // out } i; struct { ULONG DataLength; } o; } PHSVC_API_PROCESSHEAPINFORMATION, *PPHSVC_API_PROCESSHEAPINFORMATION; typedef union _PHSVC_API_CREATEPROCESSFORKSI { struct { PH_RELATIVE_STRINGREF CommandLine; ULONG64 MitigationFlags[2]; } i; } PHSVC_API_CREATEPROCESSFORKSI, *PPHSVC_API_CREATEPROCESSFORKSI; typedef union _PHSVC_API_PAYLOAD { PHSVC_API_CONNECTINFO ConnectInfo; struct { PHSVC_API_NUMBER ApiNumber; NTSTATUS ReturnStatus; union { PHSVC_API_PLUGIN Plugin; PHSVC_API_EXECUTERUNASCOMMAND ExecuteRunAsCommand; PHSVC_API_UNLOADDRIVER UnloadDriver; PHSVC_API_CONTROLPROCESS ControlProcess; PHSVC_API_CONTROLSERVICE ControlService; PHSVC_API_CREATESERVICE CreateService; PHSVC_API_CHANGESERVICECONFIG ChangeServiceConfig; PHSVC_API_CHANGESERVICECONFIG2 ChangeServiceConfig2; PHSVC_API_SETTCPENTRY SetTcpEntry; PHSVC_API_CONTROLTHREAD ControlThread; PHSVC_API_ADDACCOUNTRIGHT AddAccountRight; PHSVC_API_ISSUEMEMORYLISTCOMMAND IssueMemoryListCommand; PHSVC_API_POSTMESSAGE PostMessage; PHSVC_API_CREATEPROCESSIGNOREIFEODEBUGGER CreateProcessIgnoreIfeoDebugger; PHSVC_API_SETSERVICESECURITY SetServiceSecurity; PHSVC_API_WRITEMINIDUMPPROCESS WriteMiniDumpProcess; PHSVC_API_PROCESSHEAPINFORMATION QueryProcessHeap; PHSVC_API_CREATEPROCESSFORKSI CreateProcessForKsi; } u; }; } PHSVC_API_PAYLOAD, *PPHSVC_API_PAYLOAD; typedef struct _PHSVC_API_MSG { PORT_MESSAGE h; PHSVC_API_PAYLOAD p; } PHSVC_API_MSG, *PPHSVC_API_MSG; typedef struct _PHSVC_API_MSG64 { PORT_MESSAGE64 h; PHSVC_API_PAYLOAD p; } PHSVC_API_MSG64, *PPHSVC_API_MSG64; C_ASSERT(FIELD_OFFSET(PHSVC_API_PAYLOAD, u) == 8); C_ASSERT(sizeof(PHSVC_API_MSG) <= PORT_TOTAL_MAXIMUM_MESSAGE_LENGTH); C_ASSERT(sizeof(PHSVC_API_MSG64) <= PORT_TOTAL_MAXIMUM_MESSAGE_LENGTH); #endif ================================================ FILE: SystemInformer/include/phsvccl.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef PH_PHSVCCL_H #define PH_PHSVCCL_H #include extern HANDLE PhSvcClServerProcessId; NTSTATUS PhSvcConnectToServer( _In_ PUNICODE_STRING PortName, _In_opt_ SIZE_T PortSectionSize ); VOID PhSvcDisconnectFromServer( VOID ); VOID PhSvcpFreeHeap( _In_ PVOID Memory ); _Success_(return != NULL) PVOID PhSvcpCreateString( _In_opt_ PCWSTR String, _In_ SIZE_T Length, _Out_ PPH_RELATIVE_STRINGREF StringRef ); NTSTATUS PhSvcCallPlugin( _In_ PPH_STRINGREF ApiId, _In_reads_bytes_opt_(InLength) PVOID InBuffer, _In_ ULONG InLength, _Out_writes_bytes_opt_(OutLength) PVOID OutBuffer, _In_ ULONG OutLength ); NTSTATUS PhSvcCallExecuteRunAsCommand( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ); NTSTATUS PhSvcCallUnloadDriver( _In_opt_ PVOID BaseAddress, _In_opt_ PCWSTR Name, _In_opt_ PCWSTR FileName ); NTSTATUS PhSvcCallControlProcess( _In_opt_ HANDLE ProcessId, _In_ PHSVC_API_CONTROLPROCESS_COMMAND Command, _In_ ULONG Argument ); NTSTATUS PhSvcCallControlService( _In_ PCWSTR ServiceName, _In_ PHSVC_API_CONTROLSERVICE_COMMAND Command ); NTSTATUS PhSvcCallCreateService( _In_ PCWSTR ServiceName, _In_opt_ PCWSTR DisplayName, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR LoadOrderGroup, _Out_opt_ PULONG TagId, _In_opt_ PCWSTR Dependencies, _In_opt_ PCWSTR ServiceStartName, _In_opt_ PCWSTR Password ); // begin_phapppub PHAPPAPI NTSTATUS PhSvcCallChangeServiceConfig( _In_ PCWSTR ServiceName, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR LoadOrderGroup, _Out_opt_ PULONG TagId, _In_opt_ PCWSTR Dependencies, _In_opt_ PCWSTR ServiceStartName, _In_opt_ PCWSTR Password, _In_opt_ PCWSTR DisplayName ); PHAPPAPI NTSTATUS PhSvcCallChangeServiceConfig2( _In_ PCWSTR ServiceName, _In_ ULONG InfoLevel, _In_ PVOID Info ); // end_phapppub NTSTATUS PhSvcCallSetTcpEntry( _In_ PVOID TcpRow ); NTSTATUS PhSvcCallControlThread( _In_ HANDLE ThreadId, _In_ PHSVC_API_CONTROLTHREAD_COMMAND Command, _In_ ULONG Argument ); NTSTATUS PhSvcCallAddAccountRight( _In_ PSID AccountSid, _In_ PUNICODE_STRING UserRight ); NTSTATUS PhSvcCallInvokeRunAsService( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ); NTSTATUS PhSvcCallIssueMemoryListCommand( _In_ SYSTEM_MEMORY_LIST_COMMAND Command ); // begin_phapppub PHAPPAPI NTSTATUS PhSvcCallPostMessage( _In_opt_ HWND hWnd, _In_ UINT Msg, _In_ WPARAM wParam, _In_ LPARAM lParam ); PHAPPAPI NTSTATUS PhSvcCallSendMessage( _In_opt_ HWND hWnd, _In_ UINT Msg, _In_ WPARAM wParam, _In_ LPARAM lParam ); // end_phapppub NTSTATUS PhSvcCallCreateProcessIgnoreIfeoDebugger( _In_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine ); NTSTATUS PhSvcCallSetServiceSecurity( _In_ PCWSTR ServiceName, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); NTSTATUS PhSvcCallWriteMiniDumpProcess( _In_ HANDLE ProcessHandle, _In_ HANDLE ProcessId, _In_ HANDLE FileHandle, _In_ ULONG DumpType ); NTSTATUS PhSvcCallQueryProcessHeapInformation( _In_ HANDLE ProcessId, _Out_ PPH_STRING* HeapInformation ); NTSTATUS PhSvcCallCreateProcessForKsi( _In_ PCWSTR CommandLine, _In_ ULONG64 MitigationFlags[2] ); #endif ================================================ FILE: SystemInformer/include/phuisup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #ifndef PH_PHUISUP_H #define PH_PHUISUP_H // begin_phapppub // Common state highlighting support typedef struct _PH_SH_STATE { PH_ITEM_STATE State; HANDLE StateListHandle; ULONG64 TickCount; } PH_SH_STATE, *PPH_SH_STATE; FORCEINLINE VOID PhChangeShStateTn( _Inout_ PPH_TREENEW_NODE Node, _Inout_ PPH_SH_STATE ShState, _Inout_ PPH_POINTER_LIST *StateList, _In_ PH_ITEM_STATE NewState, _In_ COLORREF NewTempBackColor, _In_opt_ HWND TreeNewHandleForUpdate ) { if (!*StateList) *StateList = PhCreatePointerList(4); if (ShState->State == NormalItemState) ShState->StateListHandle = PhAddItemPointerList(*StateList, Node); ShState->TickCount = NtGetTickCount64(); ShState->State = NewState; Node->UseTempBackColor = TRUE; Node->TempBackColor = NewTempBackColor; if (TreeNewHandleForUpdate) TreeNew_InvalidateNode(TreeNewHandleForUpdate, Node); } #define PH_TICK_SH_STATE_TN(NodeType, ShStateFieldName, StateList, RemoveFunction, HighlightingDuration, TreeNewHandleForUpdate, Invalidate, FullyInvalidated, Context) \ do { \ NodeType *node; \ ULONG enumerationKey = 0; \ ULONG64 tickCount; \ BOOLEAN preferFullInvalidate; \ HANDLE stateListHandle; \ BOOLEAN needsFullInvalidate = FALSE; \ \ if (!StateList || StateList->Count == 0) \ break; \ \ tickCount = NtGetTickCount64(); \ preferFullInvalidate = StateList->Count > 8; \ \ while (PhEnumPointerList(StateList, &enumerationKey, &node)) \ { \ if (PhRoundNumber(tickCount - node->ShStateFieldName.TickCount, 100) < (HighlightingDuration)) \ continue; \ \ stateListHandle = node->ShStateFieldName.StateListHandle; \ \ if (node->ShStateFieldName.State == NewItemState) \ { \ node->ShStateFieldName.State = NormalItemState; \ ((PPH_TREENEW_NODE)node)->UseTempBackColor = FALSE; \ if (Invalidate) \ { \ if (preferFullInvalidate) \ { \ needsFullInvalidate = TRUE; \ } \ else \ { \ if (TreeNewHandleForUpdate) \ TreeNew_InvalidateNode((TreeNewHandleForUpdate), node); \ } \ } \ } \ else if (node->ShStateFieldName.State == RemovingItemState) \ { \ RemoveFunction(node, Context); \ needsFullInvalidate = TRUE; \ } \ \ PhRemoveItemPointerList(StateList, stateListHandle); \ } \ \ if (TreeNewHandleForUpdate) \ { \ if (needsFullInvalidate && (FullyInvalidated && !(*(PBOOLEAN)FullyInvalidated))) \ { \ PhInvalidateRect((TreeNewHandleForUpdate), NULL, FALSE); \ if (FullyInvalidated) \ *((PBOOLEAN)FullyInvalidated) = TRUE; \ } \ } \ } while (0) // Provider event queues typedef enum _PH_PROVIDER_EVENT_TYPE { ProviderAddedEvent = 1, ProviderModifiedEvent = 2, ProviderRemovedEvent = 3 } PH_PROVIDER_EVENT_TYPE; typedef struct _PH_PROVIDER_EVENT { ULONG_PTR TypeAndObject; ULONG RunId; } PH_PROVIDER_EVENT, *PPH_PROVIDER_EVENT; #define PH_PROVIDER_EVENT_TYPE_MASK 0x3 #define PH_PROVIDER_EVENT_OBJECT_MASK (~(ULONG_PTR)0x3) #define PH_PROVIDER_EVENT_TYPE(Event) ((ULONG)(Event).TypeAndObject & PH_PROVIDER_EVENT_TYPE_MASK) #define PH_PROVIDER_EVENT_OBJECT(Event) ((PVOID)((Event).TypeAndObject & PH_PROVIDER_EVENT_OBJECT_MASK)) typedef struct _PH_PROVIDER_EVENT_QUEUE { PH_ARRAY Array; PH_QUEUED_LOCK Lock; } PH_PROVIDER_EVENT_QUEUE, *PPH_PROVIDER_EVENT_QUEUE; FORCEINLINE VOID PhInitializeProviderEventQueue( _Out_ PPH_PROVIDER_EVENT_QUEUE EventQueue, _In_ SIZE_T InitialCapacity ) { PhInitializeArray(&EventQueue->Array, sizeof(PH_PROVIDER_EVENT), InitialCapacity); PhInitializeQueuedLock(&EventQueue->Lock); } FORCEINLINE VOID PhDeleteProviderEventQueue( _Inout_ PPH_PROVIDER_EVENT_QUEUE EventQueue ) { PPH_PROVIDER_EVENT events; SIZE_T i; events = (PPH_PROVIDER_EVENT)EventQueue->Array.Items; for (i = 0; i < EventQueue->Array.Count; i++) { if (PH_PROVIDER_EVENT_TYPE(events[i]) == ProviderAddedEvent) PhDereferenceObject(PH_PROVIDER_EVENT_OBJECT(events[i])); } PhDeleteArray(&EventQueue->Array); } FORCEINLINE VOID PhPushProviderEventQueue( _Inout_ PPH_PROVIDER_EVENT_QUEUE EventQueue, _In_ PH_PROVIDER_EVENT_TYPE Type, _In_opt_ PVOID Object, _In_ ULONG RunId ) { PH_PROVIDER_EVENT event; assert(!(PtrToUlong(Object) & PH_PROVIDER_EVENT_TYPE_MASK)); event.TypeAndObject = (ULONG_PTR)Object | Type; event.RunId = RunId; PhAcquireQueuedLockExclusive(&EventQueue->Lock); PhAddItemArray(&EventQueue->Array, &event); PhReleaseQueuedLockExclusive(&EventQueue->Lock); } FORCEINLINE PPH_PROVIDER_EVENT PhFlushProviderEventQueue( _Inout_ PPH_PROVIDER_EVENT_QUEUE EventQueue, _In_ ULONG UpToRunId, _Out_ PULONG Count ) { PPH_PROVIDER_EVENT availableEvents; PPH_PROVIDER_EVENT events = NULL; SIZE_T count; PhAcquireQueuedLockExclusive(&EventQueue->Lock); availableEvents = (PPH_PROVIDER_EVENT)EventQueue->Array.Items; for (count = 0; count < EventQueue->Array.Count; count++) { if ((LONG)(UpToRunId - availableEvents[count].RunId) < 0) break; } if (count != 0) { events = (PPH_PROVIDER_EVENT)PhAllocateCopy(availableEvents, count * sizeof(PH_PROVIDER_EVENT)); PhRemoveItemsArray(&EventQueue->Array, 0, count); } PhReleaseQueuedLockExclusive(&EventQueue->Lock); *Count = (ULONG)count; return events; } // end_phapppub #endif ================================================ FILE: SystemInformer/include/procgrp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2022 * */ #ifndef PH_PROCGRP_H #define PH_PROCGRP_H // begin_phapppub typedef struct _PH_PROCESS_GROUP { PPH_PROCESS_ITEM Representative; // An element of Processes (no extra reference added) PPH_LIST Processes; // List of PPH_PROCESS_ITEM HWND WindowHandle; // Window handle of representative } PH_PROCESS_GROUP, *PPH_PROCESS_GROUP; // end_phapppub typedef VOID (NTAPI *PPH_SORT_LIST_FUNCTION)( _In_ PPH_LIST List, _In_opt_ PVOID Context ); #define PH_GROUP_PROCESSES_DONT_GROUP 0x1 #define PH_GROUP_PROCESSES_FILE_PATH 0x2 PPH_LIST PhCreateProcessGroupList( _In_opt_ PPH_SORT_LIST_FUNCTION SortListFunction, // Sort a list of PPH_PROCESS_NODE _In_opt_ PVOID Context, _In_ ULONG MaximumGroups, _In_ ULONG Flags ); VOID PhFreeProcessGroupList( _In_ PPH_LIST List ); #endif ================================================ FILE: SystemInformer/include/procmtgn.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #ifndef PH_PROCMITIGATION_H #define PH_PROCMITIGATION_H typedef struct _PH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION { PVOID Pointers[MaxProcessMitigationPolicy]; PROCESS_MITIGATION_DEP_POLICY DEPPolicy; // ProcessDEPPolicy PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; // ProcessASLRPolicy PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy; // ProcessDynamicCodePolicy PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; // ProcessStrictHandleCheckPolicy PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; // ProcessSystemCallDisablePolicy // ProcessMitigationOptionsMask PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; // ProcessExtensionPointDisablePolicy PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy; // ProcessControlFlowGuardPolicy PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy; // ProcessSignaturePolicy PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy; // ProcessFontDisablePolicy PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy; // ProcessImageLoadPolicy PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; // ProcessSystemCallFilterPolicy PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; // ProcessPayloadRestrictionPolicy PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy; // ProcessChildProcessPolicy PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy; // ProcessSideChannelIsolationPolicy PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY UserShadowStackPolicy; // ProcessUserShadowStackPolicy PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY RedirectionTrustPolicy; // ProcessRedirectionTrustPolicy PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY UserPointerAuthPolicy; // ProcessUserPointerAuthPolicy PROCESS_MITIGATION_SEHOP_POLICY SEHOPPolicy; // ProcessSEHOPPolicy PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2 ActivationContextTrustPolicy; // ProcessActivationContextTrustPolicy2 } PH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION, *PPH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION; NTSTATUS PhGetProcessMitigationPolicyAllInformation( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION Information ); _Success_(return) BOOLEAN PhDescribeProcessMitigationPolicy( _In_ PROCESS_MITIGATION_POLICY Policy, _In_ PVOID Data, _Out_opt_ PPH_STRING *ShortDescription, _Out_opt_ PPH_STRING *LongDescription ); #endif ================================================ FILE: SystemInformer/include/procprp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2008-2016 * dmex 2017-2022 * */ #ifndef PH_PROCPRP_H #define PH_PROCPRP_H typedef struct _PH_PROCESS_WAITPROPCONTEXT { SLIST_ENTRY ListEntry; HWND PropSheetWindowHandle; HANDLE ProcessWaitHandle; HANDLE ProcessHandle; PPH_PROCESS_ITEM ProcessItem; } PH_PROCESS_WAITPROPCONTEXT, *PPH_PROCESS_WAITPROPCONTEXT; #define PH_PROCESS_PROPCONTEXT_MAXPAGES 20 typedef struct _PH_PROCESS_PROPCONTEXT { PPH_PROCESS_ITEM ProcessItem; PPH_STRING Title; PROPSHEETHEADER PropSheetHeader; HPROPSHEETPAGE* PropSheetPages; HANDLE SelectThreadId; PPH_PROCESS_WAITPROPCONTEXT ProcessWaitContext; BOOLEAN WaitInitialized; } PH_PROCESS_PROPCONTEXT, *PPH_PROCESS_PROPCONTEXT; // begin_phapppub typedef struct _PH_PROCESS_PROPPAGECONTEXT { PPH_PROCESS_PROPCONTEXT PropContext; PVOID Context; PROPSHEETPAGE PropSheetPage; BOOLEAN LayoutInitialized; } PH_PROCESS_PROPPAGECONTEXT, *PPH_PROCESS_PROPPAGECONTEXT; // end_phapppub // begin_phapppub PHAPPAPI PPH_PROCESS_PROPCONTEXT NTAPI PhCreateProcessPropContext( _In_opt_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ); // end_phapppub VOID PhRefreshProcessPropContext( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext ); // begin_phapppub PHAPPAPI VOID NTAPI PhSetSelectThreadIdProcessPropContext( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ HANDLE ThreadId ); PHAPPAPI BOOLEAN NTAPI PhAddProcessPropPage( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ _Assume_refs_(1) PPH_PROCESS_PROPPAGECONTEXT PropPageContext ); PHAPPAPI BOOLEAN NTAPI PhAddProcessPropPage2( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ HPROPSHEETPAGE PropSheetPageHandle ); PHAPPAPI PPH_PROCESS_PROPPAGECONTEXT NTAPI PhCreateProcessPropPageContext( _In_ LPCWSTR Template, _In_ DLGPROC DlgProc, _In_opt_ PVOID Context ); PHAPPAPI PPH_PROCESS_PROPPAGECONTEXT NTAPI PhCreateProcessPropPageContextEx( _In_opt_ PVOID InstanceHandle, _In_ LPCWSTR Template, _In_ DLGPROC DlgProc, _In_opt_ PVOID Context ); _Success_(return) PHAPPAPI BOOLEAN NTAPI PhPropPageDlgProcHeader( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam, _Out_opt_ LPPROPSHEETPAGE *PropSheetPage, _Out_opt_ PPH_PROCESS_PROPPAGECONTEXT *PropPageContext, _Out_opt_ PPH_PROCESS_ITEM *ProcessItem ); #define PH_PROP_PAGE_TAB_CONTROL_PARENT ((PPH_LAYOUT_ITEM)0x1) PHAPPAPI PPH_LAYOUT_ITEM NTAPI PhAddPropPageLayoutItem( _In_ HWND WindowHandle, _In_ HWND Handle, _In_ PPH_LAYOUT_ITEM ParentItem, _In_ ULONG Anchor ); PHAPPAPI VOID NTAPI PhDoPropPageLayout( _In_ HWND WindowHandle ); FORCEINLINE PPH_LAYOUT_ITEM PhBeginPropPageLayout( _In_ HWND hwndDlg, _In_ PPH_PROCESS_PROPPAGECONTEXT PropPageContext ) { if (!PropPageContext->LayoutInitialized) { return PhAddPropPageLayoutItem(hwndDlg, hwndDlg, PH_PROP_PAGE_TAB_CONTROL_PARENT, PH_ANCHOR_ALL); } else { return NULL; } } FORCEINLINE VOID PhEndPropPageLayout( _In_ HWND hwndDlg, _In_ PPH_PROCESS_PROPPAGECONTEXT PropPageContext ) { PhDoPropPageLayout(hwndDlg); PropPageContext->LayoutInitialized = TRUE; } PHAPPAPI VOID NTAPI PhShowProcessProperties( _In_ PPH_PROCESS_PROPCONTEXT Context ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/procprpp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef PH_PROCPRPP_H #define PH_PROCPRPP_H #include #include #include #include #include #include #include typedef struct _PH_PROCESS_PROPSHEETCONTEXT { WNDPROC PropSheetWindowHookProc; PH_LAYOUT_MANAGER LayoutManager; PPH_LAYOUT_ITEM TabPageItem; BOOLEAN LayoutInitialized; HFONT PropSheetWindowFont; PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; HWND OptionsButtonWindowHandle; WNDPROC OldOptionsButtonWndProc; //HWND PermissionsButtonWindowHandle; HWND ButtonsLabelWindowHandle; } PH_PROCESS_PROPSHEETCONTEXT, *PPH_PROCESS_PROPSHEETCONTEXT; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpProcessPropContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); INT CALLBACK PhpPropSheetProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam ); PPH_PROCESS_PROPSHEETCONTEXT PhpGetPropSheetContext( _In_ HWND WindowHandle ); LRESULT CALLBACK PhpPropSheetWndProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpProcessPropPageContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); UINT CALLBACK PhpStandardPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ); _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpProcessPropPageWaitContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); VOID PhpCreateProcessPropSheetWaitContext( _In_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ HWND WindowHandle ); VOID PhpFlushProcessPropSheetWaitContextData( VOID ); _Function_class_(WAIT_CALLBACK_ROUTINE) VOID NTAPI PhpProcessPropertiesWaitCallback( _In_ PVOID Context, _In_ BOOLEAN TimerOrWaitFired ); #define SET_BUTTON_ICON(Id, Icon) \ SendMessage(GetDlgItem(hwndDlg, (Id)), BM_SETIMAGE, IMAGE_ICON, (LPARAM)(Icon)) INT_PTR CALLBACK PhpProcessGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessStatisticsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessPerformanceDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessThreadsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(PH_OPEN_OBJECT) NTSTATUS NTAPI PhpOpenProcessTokenForPage( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ); _Function_class_(PH_CLOSE_OBJECT) NTSTATUS NTAPI PhpCloseProcessTokenForPage( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ); INT_PTR CALLBACK PhpProcessTokenHookProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessModulesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessMemoryDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessEnvironmentDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessHandlesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(PH_OPEN_OBJECT) NTSTATUS NTAPI PhpOpenProcessJobForPage( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_ PVOID Context ); _Function_class_(PH_CLOSE_OBJECT) NTSTATUS NTAPI PhpCloseProcessJobForPage( _In_ HANDLE Handle, _In_ BOOLEAN Release, _In_opt_ PVOID Context ); INT_PTR CALLBACK PhpProcessJobHookProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessServicesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpProcessWmiProvidersDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); #ifdef _M_IX86 INT_PTR CALLBACK PhpProcessVdmHostProcessDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); #endif extern PH_STRINGREF PhProcessPropPageLoadingText; #define WM_PH_THREADS_UPDATED (WM_APP + 200) #define WM_PH_THREAD_SELECTION_CHANGED (WM_APP + 201) // begin_phapppub typedef struct _PH_THREADS_CONTEXT { PPH_THREAD_PROVIDER Provider; PH_CALLBACK_REGISTRATION ProviderRegistration; PH_CALLBACK_REGISTRATION AddedEventRegistration; PH_CALLBACK_REGISTRATION ModifiedEventRegistration; PH_CALLBACK_REGISTRATION RemovedEventRegistration; PH_CALLBACK_REGISTRATION UpdatedEventRegistration; PH_CALLBACK_REGISTRATION LoadingStateChangedEventRegistration; HWND WindowHandle; // end_phapppub HWND TreeNewHandle; HWND StatusHandle; HWND SearchboxHandle; HFONT TreeNewFont; ULONG_PTR SearchMatchHandle; PPH_TN_FILTER_ENTRY FilterEntry; union { PH_THREAD_LIST_CONTEXT ListContext; struct { HWND Private; // phapppub HWND TreeNewHandle; // phapppub } PublicUse; }; PH_PROVIDER_EVENT_QUEUE EventQueue; PH_CALLBACK_REGISTRATION SymbolProviderEventRegistration; // begin_phapppub } PH_THREADS_CONTEXT, *PPH_THREADS_CONTEXT; // end_phapppub #define WM_PH_MODULES_UPDATED (WM_APP + 210) // begin_phapppub typedef struct _PH_MODULES_CONTEXT { PPH_MODULE_PROVIDER Provider; PH_PROVIDER_REGISTRATION ProviderRegistration; PH_CALLBACK_REGISTRATION AddedEventRegistration; PH_CALLBACK_REGISTRATION ModifiedEventRegistration; PH_CALLBACK_REGISTRATION RemovedEventRegistration; PH_CALLBACK_REGISTRATION UpdatedEventRegistration; PH_CALLBACK_REGISTRATION ChangedEventRegistration; HWND WindowHandle; // end_phapppub HWND SearchboxHandle; HWND TreeNewHandle; HFONT TreeNewFont; union { PH_MODULE_LIST_CONTEXT ListContext; struct { HWND Private; // phapppub HWND TreeNewHandle; // phapppub } PublicUse; }; PH_PROVIDER_EVENT_QUEUE EventQueue; NTSTATUS LastRunStatus; PPH_STRING ErrorMessage; ULONG_PTR SearchMatchHandle; PPH_TN_FILTER_ENTRY FilterEntry; // begin_phapppub } PH_MODULES_CONTEXT, *PPH_MODULES_CONTEXT; // end_phapppub #define WM_PH_HANDLES_UPDATED (WM_APP + 220) // begin_phapppub typedef struct _PH_HANDLES_CONTEXT { PPH_HANDLE_PROVIDER Provider; PH_PROVIDER_REGISTRATION ProviderRegistration; PH_CALLBACK_REGISTRATION AddedEventRegistration; PH_CALLBACK_REGISTRATION ModifiedEventRegistration; PH_CALLBACK_REGISTRATION RemovedEventRegistration; PH_CALLBACK_REGISTRATION UpdatedEventRegistration; PH_CALLBACK_REGISTRATION ChangedEventRegistration; HWND WindowHandle; // end_phapppub HWND TreeNewHandle; HWND SearchWindowHandle; HFONT TreeNewFont; union { PH_HANDLE_LIST_CONTEXT ListContext; struct { HWND Private; // phapppub HWND TreeNewHandle; // phapppub } PublicUse; }; PH_PROVIDER_EVENT_QUEUE EventQueue; BOOLEAN SelectedHandleProtected; BOOLEAN SelectedHandleInherit; NTSTATUS LastRunStatus; PPH_STRING ErrorMessage; ULONG_PTR SearchMatchHandle; PPH_TN_FILTER_ENTRY FilterEntry; // begin_phapppub } PH_HANDLES_CONTEXT, *PPH_HANDLES_CONTEXT; // end_phapppub // begin_phapppub typedef struct _PH_MEMORY_CONTEXT { HANDLE ProcessId; HWND WindowHandle; // end_phapppub HWND TreeNewHandle; HWND SearchboxHandle; HFONT TreeNewFont; union { PH_MEMORY_LIST_CONTEXT ListContext; struct { HWND Private; // phapppub HWND TreeNewHandle; // phapppub } PublicUse; }; PH_MEMORY_ITEM_LIST MemoryItemList; BOOLEAN MemoryItemListValid; NTSTATUS LastRunStatus; PPH_STRING ErrorMessage; ULONG_PTR SearchMatchHandle; PPH_TN_FILTER_ENTRY AllocationFilterEntry; PPH_TN_FILTER_ENTRY FilterEntry; // begin_phapppub } PH_MEMORY_CONTEXT, *PPH_MEMORY_CONTEXT; // end_phapppub #define WM_PH_STATISTICS_UPDATE (WM_APP + 231) typedef struct _PH_STATISTICS_CONTEXT { PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; HWND WindowHandle; HWND ListViewHandle; HFONT TreeNewFont; PPH_LISTVIEW_CONTEXT ListViewContext; BOOLEAN Enabled; HANDLE ProcessHandle; PPH_PROCESS_ITEM ProcessItem; BOOLEAN GotCycles; BOOLEAN GotCounters; ULONG PagePriority; IO_PRIORITY_HINT IoPriority; ULONG PeakHandleCount; ULONG HangCount; ULONG GhostCount; ULONGLONG RunningTime; ULONGLONG SuspendedTime; ULONGLONG NetworkTxRxBytes; PH_UINT64_DELTA KeyboardDelta; PH_UINT64_DELTA MouseDelta; //PPH_STRING PrivateWs; //PPH_STRING ShareableWs; //PPH_STRING SharedWs; PPH_STRING PeakHandles; PPH_STRING GdiHandles; PPH_STRING UserHandles; PPH_STRING PeakGdiHandles; PPH_STRING PeakUserHandles; FLOAT CpuUsage; FLOAT CpuUsageMin; FLOAT CpuUsageMax; FLOAT CpuUsageDiff; FLOAT CpuUsageUser; FLOAT CpuUsageUserMin; FLOAT CpuUsageUserMax; FLOAT CpuUsageUserDiff; FLOAT CpuUsageKernel; FLOAT CpuUsageKernelMin; FLOAT CpuUsageKernelMax; FLOAT CpuUsageKernelDiff; FLOAT CpuUsageAverage; FLOAT CpuUsageAverageMin; FLOAT CpuUsageAverageMax; FLOAT CpuUsageAverageDiff; FLOAT CpuUsageRelative; FLOAT CpuUsageRelativeMin; FLOAT CpuUsageRelativeMax; FLOAT CpuUsageRelativeDiff; ULONG64 CycleTime; ULONG64 CycleTimeMin; ULONG64 CycleTimeMax; ULONG64 CycleTimeDiff; ULONG64 CycleTimeDelta; ULONG64 CycleTimeDeltaMin; ULONG64 CycleTimeDeltaMax; ULONG64 CycleTimeDeltaDiff; ULONG64 ContextSwitches; ULONG64 ContextSwitchesMin; ULONG64 ContextSwitchesMax; ULONG64 ContextSwitchesDiff; ULONG64 ContextSwitchesDelta; ULONG64 ContextSwitchesDeltaMin; ULONG64 ContextSwitchesDeltaMax; ULONG64 ContextSwitchesDeltaDiff; ULONG64 KernelTime; ULONG64 KernelTimeMin; ULONG64 KernelTimeMax; ULONG64 KernelTimeDiff; ULONG64 KernelTimeDelta; ULONG64 KernelTimeDeltaMin; ULONG64 KernelTimeDeltaMax; ULONG64 KernelTimeDeltaDiff; ULONG64 UserTime; ULONG64 UserTimeMin; ULONG64 UserTimeMax; ULONG64 UserTimeDiff; ULONG64 UserTimeDelta; ULONG64 UserTimeDeltaMin; ULONG64 UserTimeDeltaMax; ULONG64 UserTimeDeltaDiff; KPRIORITY BasePriority; KPRIORITY BasePriorityMin; KPRIORITY BasePriorityMax; KPRIORITY BasePriorityDiff; ULONG_PTR PagefileUsage; ULONG_PTR PagefileUsageMin; ULONG_PTR PagefileUsageMax; ULONG_PTR PagefileUsageDiff; ULONG_PTR PagefileDelta; ULONG_PTR PagefileDeltaMin; ULONG_PTR PagefileDeltaMax; ULONG_PTR PagefileDeltaDiff; ULONG64 PeakPagefileUsage; ULONG64 PeakPagefileUsageMin; ULONG64 PeakPagefileUsageMax; ULONG64 PeakPagefileUsageDiff; ULONG64 VirtualSize; ULONG64 VirtualSizeMin; ULONG64 VirtualSizeMax; ULONG64 VirtualSizeDiff; ULONG64 PeakVirtualSize; ULONG64 PeakVirtualSizeMin; ULONG64 PeakVirtualSizeMax; ULONG64 PeakVirtualSizeDiff; ULONG64 PageFaultCount; ULONG64 PageFaultCountMin; ULONG64 PageFaultCountMax; ULONG64 PageFaultCountDiff; ULONG64 PageFaultsDelta; ULONG64 PageFaultsDeltaMin; ULONG64 PageFaultsDeltaMax; ULONG64 PageFaultsDeltaDiff; ULONG64 HardFaultCount; ULONG64 HardFaultCountMin; ULONG64 HardFaultCountMax; ULONG64 HardFaultCountDiff; ULONG64 HardFaultsDelta; ULONG64 HardFaultsDeltaMin; ULONG64 HardFaultsDeltaMax; ULONG64 HardFaultsDeltaDiff; ULONG64 WorkingSetSize; ULONG64 WorkingSetSizeMin; ULONG64 WorkingSetSizeMax; ULONG64 WorkingSetSizeDiff; ULONG64 PeakWorkingSetSize; ULONG64 PeakWorkingSetSizeMin; ULONG64 PeakWorkingSetSizeMax; ULONG64 PeakWorkingSetSizeDiff; ULONG64 QuotaPagedPoolUsage; ULONG64 QuotaPagedPoolUsageMin; ULONG64 QuotaPagedPoolUsageMax; ULONG64 QuotaPagedPoolUsageDiff; ULONG64 QuotaPeakPagedPoolUsage; ULONG64 QuotaPeakPagedPoolUsageMin; ULONG64 QuotaPeakPagedPoolUsageMax; ULONG64 QuotaPeakPagedPoolUsageDiff; ULONG64 QuotaNonPagedPoolUsage; ULONG64 QuotaNonPagedPoolUsageMin; ULONG64 QuotaNonPagedPoolUsageMax; ULONG64 QuotaNonPagedPoolUsageDiff; ULONG64 QuotaPeakNonPagedPoolUsage; ULONG64 QuotaPeakNonPagedPoolUsageMin; ULONG64 QuotaPeakNonPagedPoolUsageMax; ULONG64 QuotaPeakNonPagedPoolUsageDiff; ULONG64 NumberOfPrivatePages; ULONG64 NumberOfPrivatePagesMin; ULONG64 NumberOfPrivatePagesMax; ULONG64 NumberOfPrivatePagesDiff; ULONG64 NumberOfShareablePages; ULONG64 NumberOfShareablePagesMin; ULONG64 NumberOfShareablePagesMax; ULONG64 NumberOfShareablePagesDiff; ULONG64 NumberOfSharedPages; ULONG64 NumberOfSharedPagesMin; ULONG64 NumberOfSharedPagesMax; ULONG64 NumberOfSharedPagesDiff; ULONG64 SharedCommitUsage; ULONG64 SharedCommitUsageMin; ULONG64 SharedCommitUsageMax; ULONG64 SharedCommitUsageDiff; ULONG64 PrivateCommitUsage; ULONG64 PrivateCommitUsageMin; ULONG64 PrivateCommitUsageMax; ULONG64 PrivateCommitUsageDiff; ULONG64 PeakPrivateCommitUsage; ULONG64 PeakPrivateCommitUsageMin; ULONG64 PeakPrivateCommitUsageMax; ULONG64 PeakPrivateCommitUsageDiff; ULONG64 ReadOperationCount; ULONG64 ReadOperationCountMin; ULONG64 ReadOperationCountMax; ULONG64 ReadOperationCountDiff; ULONG64 IoReadCountDelta; ULONG64 IoReadCountDeltaMin; ULONG64 IoReadCountDeltaMax; ULONG64 IoReadCountDeltaDiff; ULONG64 ReadTransferCount; ULONG64 ReadTransferCountMin; ULONG64 ReadTransferCountMax; ULONG64 ReadTransferCountDiff; ULONG64 IoReadDelta; ULONG64 IoReadDeltaMin; ULONG64 IoReadDeltaMax; ULONG64 IoReadDeltaDiff; ULONG64 WriteOperationCount; ULONG64 WriteOperationCountMin; ULONG64 WriteOperationCountMax; ULONG64 WriteOperationCountDiff; ULONG64 IoWriteCountDelta; ULONG64 IoWriteCountDeltaMin; ULONG64 IoWriteCountDeltaMax; ULONG64 IoWriteCountDeltaDiff; ULONG64 WriteTransferCount; ULONG64 WriteTransferCountMin; ULONG64 WriteTransferCountMax; ULONG64 WriteTransferCountDiff; ULONG64 IoWriteDelta; ULONG64 IoWriteDeltaMin; ULONG64 IoWriteDeltaMax; ULONG64 IoWriteDeltaDiff; ULONG64 OtherOperationCount; ULONG64 OtherOperationCountMin; ULONG64 OtherOperationCountMax; ULONG64 OtherOperationCountDiff; ULONG64 IoOtherCountDelta; ULONG64 IoOtherCountDeltaMin; ULONG64 IoOtherCountDeltaMax; ULONG64 IoOtherCountDeltaDiff; ULONG64 OtherTransferCount; ULONG64 OtherTransferCountMin; ULONG64 OtherTransferCountMax; ULONG64 OtherTransferCountDiff; ULONG64 IoOtherDelta; ULONG64 IoOtherDeltaMin; ULONG64 IoOtherDeltaMax; ULONG64 IoOtherDeltaDiff; ULONG64 IoTotal; ULONG64 IoTotalMin; ULONG64 IoTotalMax; ULONG64 IoTotalDiff; ULONG64 IoTotalDelta; ULONG64 IoTotalDeltaMin; ULONG64 IoTotalDeltaMax; ULONG64 IoTotalDeltaDiff; } PH_STATISTICS_CONTEXT, *PPH_STATISTICS_CONTEXT; #define WM_PH_PERFORMANCE_UPDATE (WM_APP + 241) typedef struct _PH_PERFORMANCE_CONTEXT { PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; HWND WindowHandle; BOOLEAN Enabled; LONG WindowDpi; PH_GRAPH_STATE CpuGraphState; PH_GRAPH_STATE PrivateGraphState; PH_GRAPH_STATE IoGraphState; HWND CpuGraphHandle; HWND PrivateGraphHandle; HWND IoGraphHandle; HWND CpuGroupBox; HWND PrivateBytesGroupBox; HWND IoGroupBox; } PH_PERFORMANCE_CONTEXT, *PPH_PERFORMANCE_CONTEXT; typedef struct _PH_ENVIRONMENT_ITEM { PPH_STRING Name; PPH_STRING Value; } PH_ENVIRONMENT_ITEM, *PPH_ENVIRONMENT_ITEM; typedef struct _PH_ENVIRONMENT_CONTEXT { HWND WindowHandle; HWND TreeNewHandle; HWND SearchWindowHandle; HFONT TreeNewFont; BOOLEAN EnableStateHighlighting; union { ULONG Flags; struct { ULONG Reserved : 1; ULONG HideProcessEnvironment : 1; ULONG HideUserEnvironment : 1; ULONG HideSystemEnvironment : 1; ULONG HighlightProcessEnvironment : 1; ULONG HighlightUserEnvironment : 1; ULONG HighlightSystemEnvironment : 1; ULONG HideCmdTypeEnvironment : 1; ULONG HighlightCmdEnvironment : 1; ULONG Spare : 23; }; }; PPH_PROCESS_ITEM ProcessItem; ULONG_PTR SearchMatchHandle; PPH_STRING StatusMessage; PPH_LIST NodeList; PPH_LIST NodeRootList; PPH_HASHTABLE NodeHashtable; PPH_TN_FILTER_ENTRY TreeFilterEntry; ULONG TreeNewSortColumn; PH_TN_FILTER_SUPPORT TreeFilterSupport; PH_SORT_ORDER TreeNewSortOrder; PH_CM_MANAGER Cm; PH_ARRAY Items; } PH_ENVIRONMENT_CONTEXT, *PPH_ENVIRONMENT_CONTEXT; #endif ================================================ FILE: SystemInformer/include/procprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2016-2023 * */ #ifndef PH_PROCPRV_H #define PH_PROCPRV_H #define PH_RECORD_MAX_USAGE extern PPH_OBJECT_TYPE PhProcessItemType; extern PPH_LIST PhProcessRecordList; extern PH_QUEUED_LOCK PhProcessRecordListLock; extern ULONG PhStatisticsSampleCount; extern BOOLEAN PhEnablePurgeProcessRecords; extern BOOLEAN PhEnableCycleCpuUsage; extern BOOLEAN PhEnableInterruptCpuUsage; extern BOOLEAN PhEnablePackageIconSupport; typedef enum _PH_PROCESS_PROVIDER_FLAG { PH_PROCESS_PROVIDER_FLAG_WSCOUNTERS = 0x1, PH_PROCESS_PROVIDER_FLAG_GDIUSERHANDLES = 0x2, PH_PROCESS_PROVIDER_FLAG_IOPAGEPRIORITY = 0x4, PH_PROCESS_PROVIDER_FLAG_WINDOW = 0x8, PH_PROCESS_PROVIDER_FLAG_DEPSTATUS = 0x10, PH_PROCESS_PROVIDER_FLAG_TOKEN = 0x20, PH_PROCESS_PROVIDER_FLAG_OSCONTEXT = 0x40, PH_PROCESS_PROVIDER_FLAG_QUOTALIMITS = 0x80, PH_PROCESS_PROVIDER_FLAG_IMAGE = 0x100, PH_PROCESS_PROVIDER_FLAG_APPID = 0x200, PH_PROCESS_PROVIDER_FLAG_DPIAWARENESS = 0x400, PH_PROCESS_PROVIDER_FLAG_FILEATTRIBUTES = 0x800, PH_PROCESS_PROVIDER_FLAG_DESKTOPINFO = 0x1000, PH_PROCESS_PROVIDER_FLAG_USERNAME = 0x2000, PH_PROCESS_PROVIDER_FLAG_CRITICAL = 0x4000, PH_PROCESS_PROVIDER_FLAG_ERRORMODE = 0x8000, PH_PROCESS_PROVIDER_FLAG_CODEPAGE = 0x10000, PH_PROCESS_PROVIDER_FLAG_POWERTHROTTLING = 0x20000, PH_PROCESS_PROVIDER_FLAG_PRIORITYBOOST = 0x40000, PH_PROCESS_PROVIDER_FLAG_CFGUARD = 0x80000, PH_PROCESS_PROVIDER_FLAG_CET = 0x100000, PH_PROCESS_PROVIDER_FLAG_AVERAGE = 0x200000, } PH_PROCESS_PROVIDER_FLAG; extern ULONG PhProcessProviderFlagsMask; extern PVOID PhProcessInformation; // only can be used if running on same thread as process provider extern ULONG PhProcessInformationSequenceNumber; extern SYSTEM_PERFORMANCE_INFORMATION PhPerfInformation; extern PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuInformation; extern SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuTotals; extern ULONG PhTotalProcesses; extern ULONG PhTotalThreads; extern ULONG PhTotalHandles; extern ULONG PhTotalCpuQueueLength; extern ULONG64 PhCpuTotalCycleDelta; extern PSYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION PhCpuIdleCycleTime; // cycle time for Idle extern PSYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION PhCpuSystemCycleTime; // cycle time for DPCs and Interrupts extern PH_UINT64_DELTA PhCpuIdleCycleDelta; extern PH_UINT64_DELTA PhCpuSystemCycleDelta; extern FLOAT PhCpuKernelUsage; extern FLOAT PhCpuUserUsage; extern PFLOAT PhCpusKernelUsage; extern PFLOAT PhCpusUserUsage; extern PH_UINT64_DELTA PhCpuKernelDelta; extern PH_UINT64_DELTA PhCpuUserDelta; extern PH_UINT64_DELTA PhCpuIdleDelta; extern PPH_UINT64_DELTA PhCpusKernelDelta; extern PPH_UINT64_DELTA PhCpusUserDelta; extern PPH_UINT64_DELTA PhCpusIdleDelta; extern PH_UINT64_DELTA PhIoReadDelta; extern PH_UINT64_DELTA PhIoWriteDelta; extern PH_UINT64_DELTA PhIoOtherDelta; extern BOOLEAN PhProcessStatisticsInitialized; extern PH_CIRCULAR_BUFFER_FLOAT PhCpuKernelHistory; extern PH_CIRCULAR_BUFFER_FLOAT PhCpuUserHistory; //extern PH_CIRCULAR_BUFFER_FLOAT PhCpuOtherHistory; extern PPH_CIRCULAR_BUFFER_FLOAT PhCpusKernelHistory; extern PPH_CIRCULAR_BUFFER_FLOAT PhCpusUserHistory; //extern PPH_CIRCULAR_BUFFER_FLOAT PhCpusOtherHistory; extern PH_CIRCULAR_BUFFER_ULONG64 PhIoReadHistory; extern PH_CIRCULAR_BUFFER_ULONG64 PhIoWriteHistory; extern PH_CIRCULAR_BUFFER_ULONG64 PhIoOtherHistory; extern PH_CIRCULAR_BUFFER_ULONG PhCommitHistory; extern PH_CIRCULAR_BUFFER_ULONG PhPhysicalHistory; extern PH_CIRCULAR_BUFFER_ULONG PhMaxCpuHistory; extern PH_CIRCULAR_BUFFER_ULONG PhMaxIoHistory; #ifdef PH_RECORD_MAX_USAGE extern PH_CIRCULAR_BUFFER_FLOAT PhMaxCpuUsageHistory; extern PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoReadOtherHistory; extern PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoWriteHistory; #endif // begin_phapppub // DPCs, Interrupts and System Idle Process are not real. // Non-"real" processes can never be opened. #define PH_IS_REAL_PROCESS_ID(ProcessId) ((LONG_PTR)(ProcessId) > 0) // DPCs and Interrupts are fake, but System Idle Process is not. #define PH_IS_FAKE_PROCESS_ID(ProcessId) ((LONG_PTR)(ProcessId) < 0) // The process item has been removed. #define PH_PROCESS_ITEM_REMOVED 0x1 // end_phapppub // begin_phapppub typedef struct _PH_PROCESS_RECORD *PPH_PROCESS_RECORD; typedef struct _PH_IMAGELIST_ITEM { PPH_STRING FileName; ULONG LargeIconIndex; ULONG SmallIconIndex; } PH_IMAGELIST_ITEM, *PPH_IMAGELIST_ITEM; typedef struct _PH_PROCESS_ITEM { PH_HASH_ENTRY HashEntry; ULONG State; PPH_PROCESS_RECORD Record; // Basic HANDLE ProcessId; HANDLE ParentProcessId; PPH_STRING ProcessName; ULONG SessionId; LARGE_INTEGER CreateTime; // Handles HANDLE QueryHandle; // Parameters PPH_STRING FileName; PPH_STRING CommandLine; // File ULONG_PTR SmallIconIndex; ULONG_PTR LargeIconIndex; PH_IMAGE_VERSION_INFO VersionInfo; // Security PSID Sid; TOKEN_ELEVATION_TYPE ElevationType; PH_INTEGRITY_LEVEL IntegrityLevel; PPH_STRINGREF IntegrityString; PS_PROTECTION Protection; // Other HANDLE ConsoleHostProcessId; ULONGLONG ProcessStartKey; ULONGLONG CreateInterruptTime; ULONGLONG SessionCreateTime; ULONG ImageChecksum; ULONG ImageTimeStamp; // Signature, Packed ULONG VerifyResult; PPH_STRING VerifySignerName; ULONG ImportFunctions; ULONG ImportModules; // Flags union { ULONG Flags; struct { ULONG UpdateIsDotNet : 1; ULONG IsBeingDebugged : 1; ULONG IsDotNet : 1; ULONG IsElevated : 1; ULONG IsInJob : 1; ULONG IsInSignificantJob : 1; ULONG IsPacked : 1; ULONG IsHandleValid : 1; ULONG IsSuspended : 1; ULONG IsWow64Process : 1; ULONG IsImmersive : 1; ULONG IsPartiallySuspended : 1; ULONG IsProtectedHandle : 1; ULONG IsProtectedProcess : 1; ULONG IsSecureProcess : 1; ULONG IsSubsystemProcess : 1; ULONG IsPackagedProcess : 1; ULONG IsBackgroundProcess : 1; ULONG IsCrossSessionProcess : 1; ULONG IsSnapshotProcess : 1; ULONG IsFrozenProcess : 1; ULONG IsUIAccessEnabled : 1; ULONG IsControlFlowGuardEnabled : 1; ULONG IsCetEnabled : 1; ULONG IsXfgEnabled : 1; ULONG IsXfgAuditEnabled : 1; ULONG IsPowerThrottling : 1; ULONG IsSystemProcess : 1; ULONG IsSecureSystem : 1; ULONG Spare : 3; }; }; // Misc. volatile LONG JustProcessed; PH_EVENT Stage1Event; PPH_POINTER_LIST ServiceList; PH_QUEUED_LOCK ServiceListLock; WCHAR ProcessIdString[PH_INT32_STR_LEN_1]; WCHAR ProcessIdHexString[PH_PTR_STR_LEN_1]; //WCHAR ParentProcessIdString[PH_INT32_STR_LEN_1]; //WCHAR SessionIdString[PH_INT32_STR_LEN_1]; // Dynamic KPRIORITY BasePriority; union { KAFFINITY AffinityMaskSingle; // Single processor group PKAFFINITY AffinityMaskGroups; // Multiple processor groups * PhSystemProcessorInformation.NumberOfProcessorGroups }; ULONG AffinityPopulationCount; ULONG PriorityClass; LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; ULONG NumberOfHandles; ULONG NumberOfThreads; FLOAT CpuUsage; // Below Windows 7, sum of kernel and user CPU usage; above Windows 7, cycle-based CPU usage. FLOAT CpuKernelUsage; FLOAT CpuUserUsage; FLOAT CpuAverageUsage; PH_UINT64_DELTA CpuKernelDelta; PH_UINT64_DELTA CpuUserDelta; PH_UINT64_DELTA IoReadDelta; PH_UINT64_DELTA IoWriteDelta; PH_UINT64_DELTA IoOtherDelta; PH_UINT64_DELTA IoReadCountDelta; PH_UINT64_DELTA IoWriteCountDelta; PH_UINT64_DELTA IoOtherCountDelta; PH_UINT64_DELTA ContextSwitchesDelta; PH_UINT32_DELTA PageFaultsDelta; PH_UINT32_DELTA HardFaultsDelta; PH_UINT64_DELTA CycleTimeDelta; // since WIN7 VM_COUNTERS_EX VmCounters; IO_COUNTERS IoCounters; ULONGLONG WorkingSetPrivateSize; // since VISTA ULONG PeakNumberOfThreads; // since WIN7 ULONG HardFaultCount; // since WIN7 ULONG TimeSequenceNumber; PH_CIRCULAR_BUFFER_FLOAT CpuKernelHistory; PH_CIRCULAR_BUFFER_FLOAT CpuUserHistory; PH_CIRCULAR_BUFFER_ULONG64 IoReadHistory; PH_CIRCULAR_BUFFER_ULONG64 IoWriteHistory; PH_CIRCULAR_BUFFER_ULONG64 IoOtherHistory; PH_CIRCULAR_BUFFER_SIZE_T PrivateBytesHistory; //PH_CIRCULAR_BUFFER_SIZE_T WorkingSetHistory; // New fields PH_UINTPTR_DELTA PrivateBytesDelta; PPH_STRING PackageFullName; PPH_STRING UserName; PROCESS_DISK_COUNTERS DiskCounters; PROCESS_NETWORK_COUNTERS NetworkCounters; ULONGLONG ContextSwitches; ULONGLONG ProcessSequenceNumber; PH_KNOWN_PROCESS_TYPE KnownProcessType; ULONG JobObjectId; SIZE_T SharedCommitCharge; PPH_IMAGELIST_ITEM IconEntry; NTSTATUS ImageCoherencyStatus; FLOAT ImageCoherency; ULONG LxssProcessId; HANDLE FreezeHandle; PPEB PebBaseAddress; } PH_PROCESS_ITEM, *PPH_PROCESS_ITEM; // end_phapppub // begin_phapppub // The process itself is dead. #define PH_PROCESS_RECORD_DEAD 0x1 // An extra reference has been added to the process record for the statistics system. #define PH_PROCESS_RECORD_STAT_REF 0x2 typedef struct _PH_PROCESS_RECORD { LIST_ENTRY ListEntry; LONG RefCount; ULONG Flags; HANDLE ProcessId; HANDLE ParentProcessId; ULONG SessionId; ULONGLONG ProcessSequenceNumber; LARGE_INTEGER CreateTime; LARGE_INTEGER ExitTime; PPH_STRING ProcessName; PPH_STRING FileName; PPH_STRING CommandLine; /*PPH_STRING UserName;*/ } PH_PROCESS_RECORD, *PPH_PROCESS_RECORD; // end_phapppub BOOLEAN PhProcessProviderInitialization( VOID ); // begin_phapppub PHAPPAPI PPH_STRING NTAPI PhGetClientIdName( _In_ PCLIENT_ID ClientId ); PHAPPAPI PPH_STRING NTAPI PhGetClientIdNameEx( _In_ PCLIENT_ID ClientId, _In_opt_ PPH_STRING ProcessName ); // end_phapppub PPH_PROCESS_ITEM PhCreateProcessItem( _In_ HANDLE ProcessId ); // begin_phapppub PHAPPAPI PPH_PROCESS_ITEM NTAPI PhReferenceProcessItem( _In_opt_ HANDLE ProcessId ); PHAPPAPI VOID NTAPI PhEnumProcessItems( _Out_opt_ PPH_PROCESS_ITEM **ProcessItems, _Out_ PULONG NumberOfProcessItems ); // end_phapppub typedef enum _VERIFY_RESULT VERIFY_RESULT; typedef struct _PH_VERIFY_FILE_INFO *PPH_VERIFY_FILE_INFO; VERIFY_RESULT PhVerifyFileWithAdditionalCatalog( _In_ PPH_VERIFY_FILE_INFO Information, _In_opt_ PPH_STRING PackageFullName, _Out_opt_ PPH_STRING *SignerName ); VERIFY_RESULT PhVerifyFileCached( _In_ PPH_STRING FileName, _In_opt_ PPH_STRING PackageFullName, _Out_opt_ PPH_STRING *SignerName, _In_ BOOLEAN NativeFileName, _In_ BOOLEAN CachedOnly ); VOID PhFlushVerifyCache( VOID ); // begin_phapppub PHAPPAPI _Success_(return) BOOLEAN NTAPI PhGetStatisticsTime( _In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Index, _Out_ PLARGE_INTEGER Time ); PHAPPAPI PPH_STRING NTAPI PhGetStatisticsTimeString( _In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Index ); // end_phapppub VOID PhFlushProcessQueryData( VOID ); _Function_class_(PH_PROVIDER_FUNCTION) VOID PhProcessProviderUpdate( _In_ PVOID Object ); // begin_phapppub PHAPPAPI VOID NTAPI PhReferenceProcessRecord( _In_ PPH_PROCESS_RECORD ProcessRecord ); PHAPPAPI BOOLEAN NTAPI PhReferenceProcessRecordSafe( _In_ PPH_PROCESS_RECORD ProcessRecord ); PHAPPAPI VOID NTAPI PhReferenceProcessRecordForStatistics( _In_ PPH_PROCESS_RECORD ProcessRecord ); PHAPPAPI VOID NTAPI PhDereferenceProcessRecord( _In_ PPH_PROCESS_RECORD ProcessRecord ); PHAPPAPI PPH_PROCESS_RECORD NTAPI PhFindProcessRecord( _In_opt_ HANDLE ProcessId, _In_ PLARGE_INTEGER Time ); // end_phapppub VOID PhPurgeProcessRecords( VOID ); // begin_phapppub PHAPPAPI PPH_PROCESS_ITEM NTAPI PhReferenceProcessItemForParent( _In_ PPH_PROCESS_ITEM ProcessItem ); PHAPPAPI PPH_PROCESS_ITEM NTAPI PhReferenceProcessItemForRecord( _In_ PPH_PROCESS_RECORD Record ); // end_phapppub extern PPH_OBJECT_TYPE PhImageListItemType; extern HIMAGELIST PhProcessLargeImageList; extern HIMAGELIST PhProcessSmallImageList; // begin_phapppub PHAPPAPI VOID NTAPI PhProcessImageListInitialization( _In_ HWND WindowHandle, _In_ LONG WindowDpi ); PHAPPAPI PPH_IMAGELIST_ITEM NTAPI PhImageListExtractIcon( _In_ PPH_STRING FileName, _In_ BOOLEAN NativeFileName, _In_opt_ HANDLE ProcessId, _In_opt_ PPH_STRING PackageFullName, _In_ LONG SystemDpi ); PHAPPAPI VOID NTAPI PhImageListFlushCache( VOID ); PHAPPAPI HICON NTAPI PhGetImageListIcon( _In_ ULONG_PTR Index, _In_ BOOLEAN Large ); PHAPPAPI HIMAGELIST NTAPI PhGetProcessSmallImageList( VOID ); // Note: Can only be called from same thread as process provider. (dmex) _Success_(return) PHAPPAPI BOOLEAN NTAPI PhDuplicateProcessInformation( _Outptr_ PPVOID ProcessInformation ); // end_phapppub PPH_PROCESS_ITEM NTAPI PhCreateProcessItemFromHandle( _In_ HANDLE ProcessId, _In_ HANDLE ProcessHandle, _In_ BOOLEAN TerminatedProcess ); #endif ================================================ FILE: SystemInformer/include/proctree.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #ifndef PH_PROCTREE_H #define PH_PROCTREE_H #include // Columns // Default columns should go first #define PHPRTLC_NAME 0 #define PHPRTLC_PID 1 #define PHPRTLC_CPU 2 #define PHPRTLC_IOTOTALRATE 3 #define PHPRTLC_PRIVATEBYTES 4 #define PHPRTLC_USERNAME 5 #define PHPRTLC_DESCRIPTION 6 #define PHPRTLC_COMPANYNAME 7 #define PHPRTLC_VERSION 8 #define PHPRTLC_FILENAME 9 #define PHPRTLC_COMMANDLINE 10 #define PHPRTLC_PEAKPRIVATEBYTES 11 #define PHPRTLC_WORKINGSET 12 #define PHPRTLC_PEAKWORKINGSET 13 #define PHPRTLC_PRIVATEWS 14 #define PHPRTLC_SHAREDWS 15 #define PHPRTLC_SHAREABLEWS 16 #define PHPRTLC_VIRTUALSIZE 17 #define PHPRTLC_PEAKVIRTUALSIZE 18 #define PHPRTLC_PAGEFAULTS 19 #define PHPRTLC_SESSIONID 20 #define PHPRTLC_PRIORITYCLASS 21 #define PHPRTLC_BASEPRIORITY 22 #define PHPRTLC_THREADS 23 #define PHPRTLC_HANDLES 24 #define PHPRTLC_GDIHANDLES 25 #define PHPRTLC_USERHANDLES 26 #define PHPRTLC_IORORATE 27 #define PHPRTLC_IOWRATE 28 #define PHPRTLC_INTEGRITY 29 #define PHPRTLC_IOPRIORITY 30 #define PHPRTLC_PAGEPRIORITY 31 #define PHPRTLC_STARTTIME 32 #define PHPRTLC_TOTALCPUTIME 33 #define PHPRTLC_KERNELCPUTIME 34 #define PHPRTLC_USERCPUTIME 35 #define PHPRTLC_VERIFICATIONSTATUS 36 #define PHPRTLC_VERIFIEDSIGNER 37 #define PHPRTLC_ASLR 38 #define PHPRTLC_RELATIVESTARTTIME 39 #define PHPRTLC_BITS 40 #define PHPRTLC_ELEVATION 41 #define PHPRTLC_WINDOWTITLE 42 #define PHPRTLC_WINDOWSTATUS 43 #define PHPRTLC_CYCLES 44 #define PHPRTLC_CYCLESDELTA 45 #define PHPRTLC_CPUHISTORY 46 #define PHPRTLC_PRIVATEBYTESHISTORY 47 #define PHPRTLC_IOHISTORY 48 #define PHPRTLC_DEP 49 #define PHPRTLC_VIRTUALIZED 50 #define PHPRTLC_CONTEXTSWITCHES 51 #define PHPRTLC_CONTEXTSWITCHESDELTA 52 #define PHPRTLC_PAGEFAULTSDELTA 53 #define PHPRTLC_IOREADS 54 #define PHPRTLC_IOWRITES 55 #define PHPRTLC_IOOTHER 56 #define PHPRTLC_IOREADBYTES 57 #define PHPRTLC_IOWRITEBYTES 58 #define PHPRTLC_IOOTHERBYTES 59 #define PHPRTLC_IOREADSDELTA 60 #define PHPRTLC_IOWRITESDELTA 61 #define PHPRTLC_IOOTHERDELTA 62 #define PHPRTLC_OSCONTEXT 63 #define PHPRTLC_PAGEDPOOL 64 #define PHPRTLC_PEAKPAGEDPOOL 65 #define PHPRTLC_NONPAGEDPOOL 66 #define PHPRTLC_PEAKNONPAGEDPOOL 67 #define PHPRTLC_MINIMUMWORKINGSET 68 #define PHPRTLC_MAXIMUMWORKINGSET 69 #define PHPRTLC_PRIVATEBYTESDELTA 70 #define PHPRTLC_SUBSYSTEM 71 #define PHPRTLC_PACKAGENAME 72 #define PHPRTLC_APPID 73 #define PHPRTLC_DPIAWARENESS 74 #define PHPRTLC_CFGUARD 75 #define PHPRTLC_TIMESTAMP 76 #define PHPRTLC_FILEMODIFIEDTIME 77 #define PHPRTLC_FILESIZE 78 #define PHPRTLC_SUBPROCESSCOUNT 79 #define PHPRTLC_JOBOBJECTID 80 #define PHPRTLC_PROTECTION 81 #define PHPRTLC_DESKTOP 82 #define PHPRTLC_CRITICAL 83 #define PHPRTLC_PIDHEX 84 #define PHPRTLC_CPUCORECYCLES 85 #define PHPRTLC_CET 86 #define PHPRTLC_IMAGE_COHERENCY 87 #define PHPRTLC_ERRORMODE 88 #define PHPRTLC_CODEPAGE 89 #define PHPRTLC_TIMELINE 90 #define PHPRTLC_POWERTHROTTLING 91 #define PHPRTLC_ARCHITECTURE 92 #define PHPRTLC_PARENTPID 93 #define PHPRTLC_PARENTCONSOLEPID 94 #define PHPRTLC_COMMITSIZE 95 #define PHPRTLC_PRIORITYBOOST 96 #define PHPRTLC_CPUAVERAGE 97 #define PHPRTLC_CPUKERNEL 98 #define PHPRTLC_CPUUSER 99 #define PHPRTLC_GRANTEDACCESS 100 #define PHPRTLC_TLSBITMAPDELTA 101 #define PHPRTLC_REFERENCEDELTA 102 #define PHPRTLC_LXSSPID 103 #define PHPRTLC_START_KEY 104 #define PHPRTLC_MITIGATION_POLICIES 105 #define PHPRTLC_SERVICES 106 #define PHPRTLC_MAXIMUM 107 #define PHPRTLC_IOGROUP_COUNT 9 #define PHPN_WSCOUNTERS 0x1 #define PHPN_GDIHANDLES 0x2 #define PHPN_IOPAGEPRIORITY 0x4 #define PHPN_WINDOW 0x8 #define PHPN_DEPSTATUS 0x10 #define PHPN_TOKEN 0x20 #define PHPN_OSCONTEXT 0x40 #define PHPN_QUOTALIMITS 0x80 #define PHPN_IMAGE 0x100 #define PHPN_APPID 0x200 #define PHPN_DPIAWARENESS 0x400 #define PHPN_FILEATTRIBUTES 0x800 #define PHPN_DESKTOPINFO 0x1000 #define PHPN_USERNAME 0x2000 #define PHPN_CRITICAL 0x4000 #define PHPN_ERRORMODE 0x8000 #define PHPN_CODEPAGE 0x10000 #define PHPN_POWERTHROTTLING 0x20000 #define PHPN_MITIGATIONPOLICIES 0x40000 #define PHPN_PRIORITYBOOST 0x80000 #define PHPN_GRANTEDACCESS 0x100000 #define PHPN_TLSBITMAPDELTA 0x200000 #define PHPN_REFERENCEDELTA 0x400000 #define PHPN_STARTKEY 0x800000 #define PHPN_SERVICES 0x1000000 #define PHPN_USERHANDLES 0x2000000 // begin_phapppub typedef struct _PH_PROCESS_NODE { PH_TREENEW_NODE Node; PH_HASH_ENTRY HashEntry; PH_SH_STATE ShState; HANDLE ProcessId; PPH_PROCESS_ITEM ProcessItem; struct _PH_PROCESS_NODE *Parent; PPH_LIST Children; // end_phapppub PH_STRINGREF TextCache[PHPRTLC_MAXIMUM]; // If the user has selected certain columns we need extra information that isn't retrieved by // the process provider. ULONG ValidMask; // WS counters PH_PROCESS_WS_COUNTERS WsCounters; // GDI, USER handles ULONG GdiHandles; ULONG UserHandles; // I/O, page priority IO_PRIORITY_HINT IoPriority; ULONG PagePriority; // Window HWND WindowHandle; PPH_STRING WindowText; // DEP status ULONG DepStatus; BOOLEAN WindowHung; BOOLEAN VirtualizationAllowed; BOOLEAN VirtualizationEnabled; BOOLEAN BreakOnTerminationEnabled; BOOLEAN PowerThrottling; BOOLEAN PriorityBoost; // OS Context GUID OsContextGuid; ULONG OsContextVersion; // Quota limits SIZE_T MinimumWorkingSetSize; SIZE_T MaximumWorkingSetSize; // Image ULONG ImageTimeDateStamp; USHORT ImageCharacteristics; USHORT ImageMachine; USHORT ImageSubsystem; USHORT ImageDllCharacteristics; #ifdef _ARM64_ ULONG ImageCHPEVersion; #endif USHORT Architecture; // App ID PPH_STRING AppIdText; // DPI awareness PH_PROCESS_DPI_AWARENESS DpiAwareness; // File attributes LARGE_INTEGER FileLastWriteTime; LARGE_INTEGER FileEndOfFile; // Code page USHORT CodePage; // TLS bitmap USHORT TlsBitmapCount; // Reference count ULONG ReferenceCount; // Start key ULONGLONG ProcessStartKey; PPH_STRING FileNameWin32; ULONG ServerSiloId; PPH_STRING TooltipText; ULONG64 TooltipTextValidToTickCount; // Text buffers WCHAR CpuUsageText[PH_INT32_STR_LEN_1 + 3]; PPH_STRING IoTotalRateText; PPH_STRING PrivateBytesText; PPH_STRING PeakPrivateBytesText; PPH_STRING WorkingSetText; PPH_STRING PeakWorkingSetText; PPH_STRING PrivateWsText; PPH_STRING SharedWsText; PPH_STRING ShareableWsText; PPH_STRING VirtualSizeText; PPH_STRING PeakVirtualSizeText; PPH_STRING PageFaultsText; PPH_STRING SessionIdText; PPH_STRING BasePriorityText; PPH_STRING ThreadsText; PPH_STRING HandlesText; PPH_STRING GdiHandlesText; PPH_STRING UserHandlesText; PPH_STRING IoRoRateText; PPH_STRING IoWRateText; PPH_STRING StartTimeText; PPH_STRING TotalCpuTimeText; PPH_STRING KernelCpuTimeText; PPH_STRING UserCpuTimeText; PPH_STRING RelativeStartTimeText; PPH_STRING WindowTitleText; PPH_STRING DepStatusText; PPH_STRING CyclesText; PPH_STRING CyclesDeltaText; PPH_STRING ContextSwitchesText; PPH_STRING ContextSwitchesDeltaText; PPH_STRING PageFaultsDeltaText; PPH_STRING IoGroupText[PHPRTLC_IOGROUP_COUNT]; PPH_STRING PagedPoolText; PPH_STRING PeakPagedPoolText; PPH_STRING NonPagedPoolText; PPH_STRING PeakNonPagedPoolText; PPH_STRING MinimumWorkingSetText; PPH_STRING MaximumWorkingSetText; PPH_STRING PrivateBytesDeltaText; PPH_STRING TimeStampText; PPH_STRING FileModifiedTimeText; PPH_STRING FileSizeText; PPH_STRING SubprocessCountText; PPH_STRING JobObjectIdText; PPH_STRING ProtectionText; PPH_STRING DesktopInfoText; PPH_STRING CpuCoreUsageText; PPH_STRING ImageCoherencyText; PPH_STRING ImageCoherencyStatusText; PPH_STRING ErrorModeText; PPH_STRING CodePageText; PPH_STRING ParentPidText; PPH_STRING ParentConsolePidText; PPH_STRING SharedCommitText; PPH_STRING CpuAverageText; PPH_STRING CpuKernelText; PPH_STRING CpuUserText; PPH_STRING GrantedAccessText; PPH_STRING TlsBitmapDeltaText; PPH_STRING ReferenceCountText; PPH_STRING LxssProcessIdText; PPH_STRING ProcessStartKeyText; PPH_STRING MitigationPoliciesText; PPH_STRING ServicesText; PPH_STRING ServerSiloText; // Graph buffers PH_GRAPH_BUFFERS CpuGraphBuffers; PH_GRAPH_BUFFERS PrivateGraphBuffers; PH_GRAPH_BUFFERS IoGraphBuffers; // begin_phapppub } PH_PROCESS_NODE, *PPH_PROCESS_NODE; // end_phapppub VOID PhProcessTreeListInitialization( VOID ); VOID PhInitializeProcessTreeList( _In_ HWND hwnd ); VOID PhLoadSettingsProcessTreeList( VOID ); VOID PhSaveSettingsProcessTreeList( VOID ); VOID PhLoadSettingsProcessTreeListEx( _In_ PPH_STRING TreeListSettings, _In_ PPH_STRING TreeSortSettings ); VOID PhSaveSettingsProcessTreeListEx( _Out_ PPH_STRING *TreeListSettings, _Out_ PPH_STRING *TreeSortSettings ); VOID PhReloadSettingsProcessTreeList( VOID ); // begin_phapppub PHAPPAPI PPH_TN_FILTER_SUPPORT NTAPI PhGetFilterSupportProcessTreeList( VOID ); // end_phapppub PPH_PROCESS_NODE PhAddProcessNode( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG RunId ); // begin_phapppub PHAPPAPI PPH_PROCESS_NODE NTAPI PhFindProcessNode( _In_ HANDLE ProcessId ); // end_phapppub VOID PhRemoveProcessNode( _In_ PPH_PROCESS_NODE ProcessNode ); // begin_phapppub PHAPPAPI VOID NTAPI PhUpdateProcessNode( _In_ PPH_PROCESS_NODE ProcessNode ); // end_phapppub VOID PhTickProcessNodes( VOID ); // begin_phapppub PHAPPAPI PPH_PROCESS_ITEM NTAPI PhGetSelectedProcessItem( VOID ); _Success_(return) PHAPPAPI BOOLEAN NTAPI PhGetSelectedProcessItems( _Out_ PPH_PROCESS_ITEM **Processes, _Out_ PULONG NumberOfProcesses ); PHAPPAPI PPH_PROCESS_NODE NTAPI PhGetSelectedProcessNode( VOID ); _Success_(return) PHAPPAPI BOOLEAN NTAPI PhGetSelectedProcessNodes( _Out_ PPH_PROCESS_NODE** Nodes, _Out_ PULONG NumberOfNodes ); PHAPPAPI VOID NTAPI PhGetSelectedAndPropagateProcessItems( _Out_ PPH_PROCESS_ITEM** Processes, _Out_ PULONG NumberOfProcesses ); PHAPPAPI VOID NTAPI PhDeselectAllProcessNodes( VOID ); PHAPPAPI VOID NTAPI PhExpandAllProcessNodes( _In_ BOOLEAN Expand ); PHAPPAPI VOID NTAPI PhInvalidateAllProcessNodes( VOID ); PHAPPAPI BOOLEAN NTAPI PhSelectAndEnsureVisibleProcessNode( _In_ PPH_PROCESS_NODE ProcessNode ); // end_phapppub BOOLEAN PhSelectAndEnsureVisibleProcessNodes( _In_ PPH_PROCESS_NODE *ProcessNodes, _In_ ULONG NumberOfProcessNodes ); PPH_LIST PhGetProcessTreeListLines( _In_ HWND TreeListHandle, _In_ ULONG NumberOfNodes, _In_ PPH_LIST RootNodes, _In_ ULONG Mode ); VOID PhCopyProcessTree( VOID ); VOID PhWriteProcessTree( _Inout_ PPH_FILE_STREAM FileStream, _In_ ULONG Mode ); // begin_phapppub PHAPPAPI PPH_LIST NTAPI PhDuplicateProcessNodeList( VOID ); // end_phapppub NTSTATUS PhGetProcessItemFileNameWin32( _In_ PPH_PROCESS_ITEM ProcessItem, _Out_ PPH_STRING *FileNameWin32 ); // begin_phapppub typedef enum _PH_AGGREGATE_TYPE { AggregateTypeFloat, AggregateTypeInt32, AggregateTypeInt64, AggregateTypeIntPtr } PH_AGGREGATE_TYPE; typedef enum _PH_AGGREGATE_LOCATION { AggregateProcessItem, AggregateProcessNode, } PH_AGGREGATE_LOCATION; PHAPPAPI VOID NTAPI PhAggregateProcessFieldIfNeeded( _In_ PPH_PROCESS_NODE ProcessNode, _In_ PH_AGGREGATE_TYPE Type, _In_ PH_AGGREGATE_LOCATION Location, _In_ PVOID BaseAddress, _In_ SIZE_T FieldOffset, _Inout_ PVOID AggregatedValue ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/srvlist.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2024 * */ #ifndef PH_SRVLIST_H #define PH_SRVLIST_H #include // Columns #define PHSVTLC_NAME 0 #define PHSVTLC_PID 1 #define PHSVTLC_DISPLAYNAME 2 #define PHSVTLC_TYPE 3 #define PHSVTLC_STATUS 4 #define PHSVTLC_STARTTYPE 5 #define PHSVTLC_BINARYPATH 6 #define PHSVTLC_ERRORCONTROL 7 #define PHSVTLC_GROUP 8 #define PHSVTLC_DESCRIPTION 9 #define PHSVTLC_KEYMODIFIEDTIME 10 #define PHSVTLC_VERIFICATIONSTATUS 11 #define PHSVTLC_VERIFIEDSIGNER 12 #define PHSVTLC_FILENAME 13 #define PHSVTLC_TIMELINE 14 #define PHSVTLC_EXITCODE 15 #define PHSVTLC_MAXIMUM 16 #define PHSN_CONFIG 0x1 #define PHSN_DESCRIPTION 0x2 #define PHSN_KEY 0x4 // begin_phapppub typedef struct _PH_SERVICE_NODE { PH_TREENEW_NODE Node; PH_SH_STATE ShState; PPH_SERVICE_ITEM ServiceItem; WCHAR StartTypeText[12 + 24 + 1]; // Config PPH_STRING BinaryPath; PPH_STRING LoadOrderGroup; // Description PPH_STRING Description; // Key LARGE_INTEGER KeyLastWriteTime; PPH_STRING KeyModifiedTimeText; // Exitcode PPH_STRING ExitCodeText; // end_phapppub PPH_STRING TooltipText; ULONG ValidMask; PH_STRINGREF TextCache[PHSVTLC_MAXIMUM]; // begin_phapppub } PH_SERVICE_NODE, *PPH_SERVICE_NODE; // end_phapppub VOID PhServiceTreeListInitialization( VOID ); VOID PhInitializeServiceTreeList( _In_ HWND WindowHandle ); VOID PhLoadSettingsServiceTreeList( VOID ); VOID PhSaveSettingsServiceTreeList( VOID ); // begin_phapppub PHAPPAPI PPH_TN_FILTER_SUPPORT NTAPI PhGetFilterSupportServiceTreeList( VOID ); // end_phapppub PPH_SERVICE_NODE PhAddServiceNode( _In_ PPH_SERVICE_ITEM ServiceItem, _In_ ULONG RunId ); // begin_phapppub PHAPPAPI PPH_SERVICE_NODE NTAPI PhFindServiceNode( _In_ PPH_SERVICE_ITEM ServiceItem ); // end_phapppub VOID PhRemoveServiceNode( _In_ PPH_SERVICE_NODE ServiceNode ); // begin_phapppub PHAPPAPI VOID NTAPI PhUpdateServiceNode( _In_ PPH_SERVICE_NODE ServiceNode ); // end_phapppub VOID PhTickServiceNodes( VOID ); // begin_phapppub PHAPPAPI PPH_SERVICE_ITEM NTAPI PhGetSelectedServiceItem( VOID ); PHAPPAPI VOID NTAPI PhGetSelectedServiceItems( _Out_ PPH_SERVICE_ITEM **Services, _Out_ PULONG NumberOfServices ); PHAPPAPI VOID NTAPI PhDeselectAllServiceNodes( VOID ); PHAPPAPI BOOLEAN NTAPI PhSelectAndEnsureVisibleServiceNode( _In_ PPH_SERVICE_NODE ServiceNode ); // end_phapppub VOID PhCopyServiceList( VOID ); VOID PhWriteServiceList( _Inout_ PPH_FILE_STREAM FileStream, _In_ ULONG Mode ); #endif ================================================ FILE: SystemInformer/include/srvprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #ifndef PH_SRVPRV_H #define PH_SRVPRV_H extern PPH_OBJECT_TYPE PhServiceItemType; extern BOOLEAN PhEnableServiceNonPoll; extern BOOLEAN PhEnableServiceNonPollNotify; extern ULONG PhServiceNonPollFlushInterval; // begin_phapppub typedef enum _VERIFY_RESULT VERIFY_RESULT; typedef struct _PH_IMAGELIST_ITEM* PPH_IMAGELIST_ITEM; typedef struct _PH_SERVICE_ITEM { PH_STRINGREF Key; // points to Name PPH_STRING Name; PPH_STRING DisplayName; PPH_STRING FileName; PPH_IMAGELIST_ITEM IconEntry; volatile LONG JustProcessed; // State ULONG Type; ULONG State; ULONG ControlsAccepted; ULONG Flags; // e.g. SERVICE_RUNS_IN_SYSTEM_PROCESS HANDLE ProcessId; // Config ULONG StartType; ULONG ErrorControl; // ExitCode ULONG Win32ExitCode; ULONG ServiceSpecificExitCode; // Signature VERIFY_RESULT VerifyResult; PPH_STRING VerifySignerName; WCHAR ProcessIdString[PH_INT32_STR_LEN_1]; // end_phapppub union { BOOLEAN BitFlags; struct { BOOLEAN DelayedStart : 1; BOOLEAN HasTriggers : 1; BOOLEAN PendingProcess : 1; BOOLEAN NeedsConfigUpdate : 1; BOOLEAN MicrosoftService : 1; BOOLEAN Spare : 3; }; }; PSC_NOTIFICATION_REGISTRATION NotifyPropertyRegistration; PSC_NOTIFICATION_REGISTRATION NotifyStatusRegistration; union { BOOLEAN NotifyFlags; struct { BOOLEAN NotifyCreatedPropertyRegistration : 1; BOOLEAN NotifyCreatedStatusRegistration : 1; BOOLEAN NotifySpare : 6; }; }; // begin_phapppub } PH_SERVICE_ITEM, *PPH_SERVICE_ITEM; // end_phapppub // begin_phapppub typedef struct _PH_SERVICE_MODIFIED_DATA { PPH_SERVICE_ITEM ServiceItem; PH_SERVICE_ITEM OldService; } PH_SERVICE_MODIFIED_DATA, *PPH_SERVICE_MODIFIED_DATA; typedef enum _PH_SERVICE_CHANGE { ServiceNone, ServiceStarted, ServiceContinued, ServicePaused, ServiceStopped, ServiceModified, } PH_SERVICE_CHANGE, *PPH_SERVICE_CHANGE; // end_phapppub BOOLEAN PhServiceProviderInitialization( VOID ); PPH_SERVICE_ITEM PhCreateServiceItem( _In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information ); // begin_phapppub PHAPPAPI PPH_SERVICE_ITEM NTAPI PhReferenceServiceItem( _In_ PPH_STRINGREF Name ); FORCEINLINE PPH_SERVICE_ITEM NTAPI PhReferenceServiceItemZ( _In_ PCWSTR Name ) { PH_STRINGREF name; PhInitializeStringRefLongHint(&name, Name); return PhReferenceServiceItem(&name); } // end_phapppub VOID PhMarkNeedsConfigUpdateServiceItem( _In_ PPH_SERVICE_ITEM ServiceItem ); // begin_phapppub PHAPPAPI PH_SERVICE_CHANGE NTAPI PhGetServiceChange( _In_ PPH_SERVICE_MODIFIED_DATA Data ); // end_phapppub VOID PhUpdateProcessItemServices( _In_ PPH_PROCESS_ITEM ProcessItem ); _Function_class_(PH_PROVIDER_FUNCTION) VOID PhServiceProviderUpdate( _In_ PVOID Object ); #endif ================================================ FILE: SystemInformer/include/sysinfo.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015-2016 * dmex 2017-2023 * */ #ifndef PH_SYSINFO_H #define PH_SYSINFO_H // begin_phapppub typedef enum _PH_SYSINFO_VIEW_TYPE { SysInfoSummaryView, SysInfoSectionView } PH_SYSINFO_VIEW_TYPE; typedef _Function_class_(PH_SYSINFO_COLOR_SETUP_FUNCTION) VOID NTAPI PH_SYSINFO_COLOR_SETUP_FUNCTION( _Out_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ COLORREF Color1, _In_ COLORREF Color2, _In_ LONG WindowDpi ); typedef PH_SYSINFO_COLOR_SETUP_FUNCTION* PPH_SYSINFO_COLOR_SETUP_FUNCTION; typedef struct _PH_SYSINFO_PARAMETERS { HWND SysInfoWindowHandle; HWND ContainerWindowHandle; PPH_SYSINFO_COLOR_SETUP_FUNCTION ColorSetupFunction; HFONT Font; HFONT MediumFont; HFONT LargeFont; ULONG FontHeight; ULONG FontAverageWidth; ULONG MediumFontHeight; ULONG MediumFontAverageWidth; COLORREF GraphBackColor; COLORREF PanelForeColor; ULONG MinimumGraphHeight; ULONG SectionViewGraphHeight; LONG PanelWidth; LONG WindowDpi; // end_phapppub ULONG PanelPadding; ULONG WindowPadding; ULONG GraphPadding; ULONG SmallGraphWidth; ULONG SmallGraphPadding; ULONG SeparatorWidth; ULONG CpuPadding; ULONG MemoryPadding; // begin_phapppub } PH_SYSINFO_PARAMETERS, *PPH_SYSINFO_PARAMETERS; typedef enum _PH_SYSINFO_SECTION_MESSAGE { SysInfoCreate, SysInfoDestroy, SysInfoTick, SysInfoViewChanging, // PH_SYSINFO_VIEW_TYPE Parameter1, PPH_SYSINFO_SECTION Parameter2 SysInfoCreateDialog, // PPH_SYSINFO_CREATE_DIALOG Parameter1 SysInfoGraphGetDrawInfo, // PPH_GRAPH_DRAW_INFO Parameter1 SysInfoGraphGetTooltipText, // PPH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT Parameter1 SysInfoGraphDrawPanel, // PPH_SYSINFO_DRAW_PANEL Parameter1 SysInfoDpiChanged, // ULONG Parameter1 MaxSysInfoMessage } PH_SYSINFO_SECTION_MESSAGE; typedef struct _PH_SYSINFO_SECTION *PPH_SYSINFO_SECTION; typedef _Function_class_(PH_SYSINFO_SECTION_CALLBACK) BOOLEAN NTAPI PH_SYSINFO_SECTION_CALLBACK( _In_ PPH_SYSINFO_SECTION Section, _In_ PH_SYSINFO_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ); typedef PH_SYSINFO_SECTION_CALLBACK* PPH_SYSINFO_SECTION_CALLBACK; typedef struct _PH_SYSINFO_CREATE_DIALOG { BOOLEAN CustomCreate; // Parameters for default create PVOID Instance; PWSTR Template; DLGPROC DialogProc; PVOID Parameter; } PH_SYSINFO_CREATE_DIALOG, *PPH_SYSINFO_CREATE_DIALOG; typedef struct _PH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT { ULONG Index; PH_STRINGREF Text; } PH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT, *PPH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT; typedef struct _PH_SYSINFO_DRAW_PANEL { HDC hdc; RECT Rect; BOOLEAN CustomDraw; // Parameters for default draw PPH_STRING Title; PPH_STRING SubTitle; PPH_STRING SubTitleOverflow; } PH_SYSINFO_DRAW_PANEL, *PPH_SYSINFO_DRAW_PANEL; // end_phapppub // begin_phapppub typedef struct _PH_SYSINFO_SECTION { // Public // Initialization PH_STRINGREF Name; ULONG Flags; PPH_SYSINFO_SECTION_CALLBACK Callback; PVOID Context; // State HWND GraphHandle; PH_GRAPH_STATE GraphState; PPH_SYSINFO_PARAMETERS Parameters; // end_phapppub // Private struct { ULONG GraphHot : 1; ULONG PanelHot : 1; ULONG HasFocus : 1; ULONG HideFocus : 1; ULONG SpareFlags : 28; }; HWND DialogHandle; HWND PanelHandle; ULONG PanelId; WNDPROC GraphWindowProc; WNDPROC PanelWindowProc; // begin_phapppub } PH_SYSINFO_SECTION, *PPH_SYSINFO_SECTION; // end_phapppub VOID PhSiNotifyChangeSettings( VOID ); // begin_phapppub _Function_class_(PH_SYSINFO_COLOR_SETUP_FUNCTION) PHAPPAPI VOID NTAPI PhSiSetColorsGraphDrawInfo( _Out_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ COLORREF Color1, _In_ COLORREF Color2, _In_ LONG WindowDpi ); _Function_class_(PH_GRAPH_LABEL_Y_FUNCTION) PHAPPAPI PPH_STRING NTAPI PhSiSizeLabelYFunction( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataIndex, _In_ FLOAT Value, _In_ FLOAT Parameter ); _Function_class_(PH_GRAPH_LABEL_Y_FUNCTION) PHAPPAPI PPH_STRING NTAPI PhSiDoubleLabelYFunction( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataIndex, _In_ FLOAT Value, _In_ FLOAT Parameter ); _Function_class_(PH_GRAPH_LABEL_Y_FUNCTION) PHAPPAPI PPH_STRING NTAPI PhSiUInt64LabelYFunction( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataIndex, _In_ FLOAT Value, _In_ FLOAT Parameter ); PHAPPAPI VOID NTAPI PhShowSystemInformationDialog( _In_opt_ PCWSTR SectionName ); // end_phapppub #endif ================================================ FILE: SystemInformer/include/sysinfop.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2016-2024 * */ #ifndef PH_SYSINFOP_H #define PH_SYSINFOP_H // Constants #define PH_SYSINFO_FADE_ADD 50 #define PH_SYSINFO_PANEL_PADDING 3 #define PH_SYSINFO_WINDOW_PADDING 7 #define PH_SYSINFO_GRAPH_PADDING 4 #define PH_SYSINFO_SMALL_GRAPH_WIDTH 48 #define PH_SYSINFO_SMALL_GRAPH_PADDING 5 #define PH_SYSINFO_SEPARATOR_WIDTH 2 #define PH_SYSINFO_CPU_PADDING 5 #define PH_SYSINFO_MEMORY_PADDING 3 #define SI_MSG_SYSINFO_FIRST (WM_APP + 150) #define SI_MSG_SYSINFO_ACTIVATE (WM_APP + 150) #define SI_MSG_SYSINFO_UPDATE (WM_APP + 151) #define SI_MSG_SYSINFO_CHANGE_SETTINGS (WM_APP + 152) #define SI_MSG_SYSINFO_LAST (WM_APP + 152) // Thread & window extern HWND PhSipWindow; _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhSipSysInfoThreadStart( _In_ PVOID Parameter ); _Function_class_(DLGPROC) INT_PTR CALLBACK PhSipSysInfoDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(DLGPROC) INT_PTR CALLBACK PhSipContainerDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); // Event handlers VOID PhSipOnInitDialog( VOID ); VOID PhSipOnDestroy( VOID ); VOID PhSipOnNcDestroy( VOID ); BOOLEAN PhSipOnSysCommand( _In_ ULONG Type, _In_ LONG CursorScreenX, _In_ LONG CursorScreenY ); VOID PhSipOnSize( _In_ HWND WindowHandle, _In_ UINT State, _In_ LONG Width, _In_ LONG Height ); VOID PhSipOnSizing( _In_ ULONG Edge, _In_ PRECT DragRectangle ); VOID PhSipOnThemeChanged( VOID ); VOID PhSipOnCommand( _In_ HWND HwndControl, _In_ ULONG Id, _In_ ULONG Code ); _Success_(return) BOOLEAN PhSipOnNotify( _In_ NMHDR *Header, _Out_ LRESULT *Result ); BOOLEAN PhSipOnDrawItem( _In_ ULONG_PTR Id, _In_ PDRAWITEMSTRUCT DrawItemStruct ); VOID PhSipOnUserMessage( _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ); ULONG PhSipGetProcessorRelationshipIndex( _In_ LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType, _In_ ULONG Index ); // Framework VOID PhSipRegisterDialog( _In_ HWND DialogWindowHandle ); VOID PhSipUnregisterDialog( _In_ HWND DialogWindowHandle ); VOID PhSipInitializeParameters( VOID ); VOID PhSipDeleteParameters( VOID ); VOID PhSipUpdateColorParameters( VOID ); _Function_class_(PH_SYSINFO_CREATE_SECTION) PPH_SYSINFO_SECTION PhSipCreateSection( _In_ PPH_SYSINFO_SECTION Template ); VOID PhSipDestroySection( _In_ PPH_SYSINFO_SECTION Section ); _Function_class_(PH_SYSINFO_FIND_SECTION) PPH_SYSINFO_SECTION PhSipFindSection( _In_ PPH_STRINGREF Name ); PPH_SYSINFO_SECTION PhSipCreateInternalSection( _In_ PWSTR Name, _In_ ULONG Flags, _In_ PPH_SYSINFO_SECTION_CALLBACK Callback ); VOID PhSipDrawRestoreSummaryPanel( _In_ PDRAWITEMSTRUCT DrawItemStruct ); VOID PhSipDrawSeparator( _In_ PDRAWITEMSTRUCT DrawItemStruct ); VOID PhSipDrawPanel( _In_ PPH_SYSINFO_SECTION Section, _In_ HDC hdc, _In_ PRECT Rect ); VOID PhSipDefaultDrawPanel( _In_ PPH_SYSINFO_SECTION Section, _In_ PPH_SYSINFO_DRAW_PANEL DrawPanel ); VOID PhSipLayoutSummaryView( VOID ); VOID PhSipLayoutSectionView( VOID ); _Function_class_(PH_SYSINFO_ENTER_SECTION_VIEW) VOID PhSipEnterSectionView( _In_ PPH_SYSINFO_SECTION NewSection ); VOID PhSipEnterSectionViewInner( _In_ PPH_SYSINFO_SECTION Section, _In_ BOOLEAN FromSummaryView, _Inout_ HDWP *DeferHandle, _Inout_ HDWP *ContainerDeferHandle ); _Function_class_(PH_SYSINFO_RESTORE_SUMMARY_VIEW) VOID PhSipRestoreSummaryView( VOID ); VOID PhSipCreateSectionDialog( _In_ PPH_SYSINFO_SECTION Section ); _Function_class_(WNDPROC) LRESULT CALLBACK PhSipGraphHookWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(WNDPROC) LRESULT CALLBACK PhSipPanelHookWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); LRESULT CALLBACK PhSipRestorePanelHookWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); // Misc. VOID PhSipUpdateProcessorInformation( VOID ); VOID PhSipUpdateInterruptInformation( _Out_ PULONG64 DpcCount ); VOID PhSipUpdateProcessorFrequency( VOID ); VOID PhSipUpdateTimerResolution( VOID ); VOID PhSipUpdateProcessorPerformanceDistribution( VOID ); VOID PhSipUpdateThemeData( VOID ); VOID PhSipSaveWindowState( VOID ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhSipSysInfoUpdateHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ); _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhSipSysInfoSettingsCallback( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ); // CPU section _Function_class_(PH_SYSINFO_SECTION_CALLBACK) BOOLEAN PhSipCpuSectionCallback( _In_ PPH_SYSINFO_SECTION Section, _In_ PH_SYSINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ); VOID PhSipInitializeCpuDialog( VOID ); VOID PhSipUninitializeCpuDialog( VOID ); VOID PhSipTickCpuDialog( VOID ); INT_PTR CALLBACK PhSipCpuDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhSipCpuPanelDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhSipCreateCpuGraphs( VOID ); VOID PhSipLayoutCpuGraphs( VOID ); VOID PhSipSetOneGraphPerCpu( VOID ); _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipCpuGraphCallback( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); VOID PhSipUpdateCpuGraphs( VOID ); VOID PhSipUpdateCpuPanel( VOID ); PPH_PROCESS_RECORD PhSipReferenceMaxCpuRecord( _In_ LONG Index ); PPH_STRING PhSipGetMaxCpuString( _In_ LONG Index ); PPH_STRING PhSipGetCpuBrandString( VOID ); _Success_(return) BOOLEAN PhSipGetCpuFrequencyFromDistribution( _Out_ DOUBLE *Frequency ); PCPH_STRINGREF PhGetHybridProcessorType( _In_ ULONG ProcessorIndex ); BOOLEAN PhIsCoreParked( _In_ ULONG ProcessorIndex ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI PhSipCpuSMBIOSWorkRoutine( _In_ PVOID ThreadParameter ); // Memory section _Function_class_(PH_SYSINFO_SECTION_CALLBACK) BOOLEAN PhSipMemorySectionCallback( _In_ PPH_SYSINFO_SECTION Section, _In_ PH_SYSINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ); VOID PhSipInitializeMemoryDialog( VOID ); VOID PhSipUninitializeMemoryDialog( VOID ); VOID PhSipTickMemoryDialog( VOID ); INT_PTR CALLBACK PhSipMemoryDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhSipMemoryPanelDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhSipCreateMemoryGraphs( VOID ); VOID PhSipLayoutMemoryGraphs( _In_ HWND hwnd ); _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyCommitGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyPhysicalGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); VOID PhSipUpdateMemoryGraphs( VOID ); VOID PhSipUpdateMemoryPanel( VOID ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI PhSipLoadMmAddresses( _In_ PVOID Parameter ); VOID PhSipGetPoolLimits( _Out_ PSIZE_T Paged, _Out_ PSIZE_T NonPaged ); _Success_(return) BOOLEAN PhSipGetMemoryCompressionLimits( _Out_ FLOAT *CurrentCompressedMemory, _Out_ FLOAT *TotalCompressedMemory, _Out_ FLOAT *TotalSavedMemory ); // I/O section _Function_class_(PH_SYSINFO_SECTION_CALLBACK) BOOLEAN NTAPI PhSipIoSectionCallback( _In_ PPH_SYSINFO_SECTION Section, _In_ PH_SYSINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ); VOID PhSipInitializeIoDialog( VOID ); VOID PhSipUninitializeIoDialog( VOID ); VOID PhSipTickIoDialog( VOID ); INT_PTR CALLBACK PhSipIoDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhSipIoPanelDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhSipCreateIoGraph( VOID ); VOID PhSipLayoutIoGraphs( _In_ HWND WindowHandle ); _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyIoReadGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyIoWriteGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyIoOtherGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); VOID PhSipUpdateIoGraph( VOID ); VOID PhSipUpdateIoPanel( VOID ); PPH_PROCESS_RECORD PhSipReferenceMaxIoRecord( _In_ LONG Index ); PPH_STRING PhSipGetMaxIoString( _In_ LONG Index ); #endif ================================================ FILE: SystemInformer/include/thrdlist.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #ifndef PH_THRDLIST_H #define PH_THRDLIST_H // Columns typedef enum _PH_THREAD_TREELIST_COLUMN { PH_THREAD_TREELIST_COLUMN_TID, PH_THREAD_TREELIST_COLUMN_CPU, PH_THREAD_TREELIST_COLUMN_CYCLESDELTA, PH_THREAD_TREELIST_COLUMN_STARTADDRESSWIN32, PH_THREAD_TREELIST_COLUMN_PRIORITYSYMBOLIC, PH_THREAD_TREELIST_COLUMN_SERVICE, PH_THREAD_TREELIST_COLUMN_NAME, PH_THREAD_TREELIST_COLUMN_STARTED, PH_THREAD_TREELIST_COLUMN_STARTMODULE, PH_THREAD_TREELIST_COLUMN_CONTEXTSWITCHES, PH_THREAD_TREELIST_COLUMN_CONTEXTSWITCHESDELTA, PH_THREAD_TREELIST_COLUMN_PRIORITY, PH_THREAD_TREELIST_COLUMN_BASEPRIORITY, PH_THREAD_TREELIST_COLUMN_PAGEPRIORITY, PH_THREAD_TREELIST_COLUMN_IOPRIORITY, PH_THREAD_TREELIST_COLUMN_CYCLES, PH_THREAD_TREELIST_COLUMN_STATE, PH_THREAD_TREELIST_COLUMN_KERNELTIME, PH_THREAD_TREELIST_COLUMN_USERTIME, PH_THREAD_TREELIST_COLUMN_IDEALPROCESSOR, PH_THREAD_TREELIST_COLUMN_CRITICAL, PH_THREAD_TREELIST_COLUMN_TIDHEX, PH_THREAD_TREELIST_COLUMN_CPUCORECYCLES, PH_THREAD_TREELIST_COLUMN_TOKEN_STATE, PH_THREAD_TREELIST_COLUMN_PENDINGIRP, PH_THREAD_TREELIST_COLUMN_LASTSYSTEMCALL, PH_THREAD_TREELIST_COLUMN_LASTSTATUSCODE, PH_THREAD_TREELIST_COLUMN_TIMELINE, PH_THREAD_TREELIST_COLUMN_APARTMENTTYPE, PH_THREAD_TREELIST_COLUMN_APARTMENTFLAGS, PH_THREAD_TREELIST_COLUMN_FIBER, PH_THREAD_TREELIST_COLUMN_PRIORITYBOOST, PH_THREAD_TREELIST_COLUMN_CPUUSER, PH_THREAD_TREELIST_COLUMN_CPUKERNEL, //PH_THREAD_TREELIST_COLUMN_CPUHISTORY, PH_THREAD_TREELIST_COLUMN_STACKUSAGE, PH_THREAD_TREELIST_COLUMN_WAITTIME, PH_THREAD_TREELIST_COLUMN_IOREADS, PH_THREAD_TREELIST_COLUMN_IOWRITES, PH_THREAD_TREELIST_COLUMN_IOOTHER, PH_THREAD_TREELIST_COLUMN_IOREADBYTES, PH_THREAD_TREELIST_COLUMN_IOWRITEBYTES, PH_THREAD_TREELIST_COLUMN_IOOTHERBYTES, PH_THREAD_TREELIST_COLUMN_LXSSTID, PH_THREAD_TREELIST_COLUMN_POWERTHROTTLING, PH_THREAD_TREELIST_COLUMN_STARTADDRESS, PH_THREAD_TREELIST_COLUMN_KSTACKUSAGE, PH_THREAD_TREELIST_COLUMN_RPC, PH_THREAD_TREELIST_COLUMN_ACTUALBASEPRIORITY, PH_THREAD_TREELIST_COLUMN_MAXIMUM, } PH_THREAD_TREELIST_COLUMN; typedef enum _PH_THREAD_TREELIST_MENUITEM { PH_THREAD_TREELIST_MENUITEM_HIDE_SUSPENDED = 1, PH_THREAD_TREELIST_MENUITEM_HIDE_GUITHREADS, PH_THREAD_TREELIST_MENUITEM_HIDE_UNKNOWNSTARTADDRESS, PH_THREAD_TREELIST_MENUITEM_HIGHLIGHT_SUSPENDED, PH_THREAD_TREELIST_MENUITEM_HIGHLIGHT_GUITHREADS, PH_THREAD_TREELIST_MENUITEM_SAVE, // Always last (dmex) PH_THREAD_TREELIST_MENUITEM_MAXIMUM } PH_THREAD_TREELIST_MENUITEM; typedef enum _PH_THREAD_TOKEN_STATE { PH_THREAD_TOKEN_STATE_UNKNOWN, PH_THREAD_TOKEN_STATE_NOT_PRESENT, PH_THREAD_TOKEN_STATE_ANONYMOUS, PH_THREAD_TOKEN_STATE_PRESENT } PH_THREAD_TOKEN_STATE; // begin_phapppub typedef struct _PH_THREAD_NODE { PH_TREENEW_NODE Node; PH_SH_STATE ShState; HANDLE ThreadId; PPH_THREAD_ITEM ThreadItem; // end_phapppub PH_STRINGREF TextCache[PH_THREAD_TREELIST_COLUMN_MAXIMUM]; ULONG ValidMask; HANDLE ThreadContextHandle; HANDLE ThreadReadVmHandle; BOOLEAN ThreadContextHandleValid; BOOLEAN ThreadReadVmHandleValid; LONG IdealProcessorMask; ULONG PagePriority; IO_PRIORITY_HINT IoPriority; BOOLEAN BreakOnTermination; BOOLEAN PendingIrp; BOOLEAN Fiber; BOOLEAN PriorityBoost; ULONG SuspendCount; FLOAT StackUsageFloat; ULONG_PTR StackUsage; ULONG_PTR StackLimit; FLOAT KernelStackUsageFloat; ULONG_PTR KernelStackUsage; ULONG_PTR KernelStackLimit; PH_THREAD_TOKEN_STATE TokenState; NTSTATUS LastSystemCallStatus; THREAD_LAST_SYSCALL_INFORMATION LastSystemCall; NTSTATUS LastStatusValue; NTSTATUS LastStatusQueryStatus; PH_APARTMENT_INFO ApartmentInfo; BOOLEAN HasRpcState; WCHAR CpuUsageText[PH_INT32_STR_LEN_1]; WCHAR CpuUserUsageText[PH_INT32_STR_LEN_1]; WCHAR CpuKernelUsageText[PH_INT32_STR_LEN_1]; PPH_STRING CyclesDeltaText; // used for Context Switches Delta as well PPH_STRING ContextSwitchesDeltaText; PPH_STRING StartAddressText; PPH_STRING CreatedText; PPH_STRING NameText; PPH_STRING StateText; PPH_STRING LastSystemCallText; PPH_STRING LastErrorCodeText; PPH_STRING ApartmentTypeText; PPH_STRING ApartmentFlagsText; PPH_STRING StackUsageText; PPH_STRING KernelStackUsageText; WCHAR ContextSwitchesText[PH_INT64_STR_LEN_1]; WCHAR PriorityText[PH_INT32_STR_LEN_1]; WCHAR BasePriorityText[PH_INT32_STR_LEN_1]; WCHAR ActualBasePriorityText[PH_INT32_STR_LEN_1]; WCHAR CyclesText[PH_INT64_STR_LEN_1]; PPH_STRING KernelTimeText; PPH_STRING UserTimeText; WCHAR IdealProcessorText[PH_INT32_STR_LEN + 1 + PH_INT32_STR_LEN + 1]; WCHAR ThreadIdHexText[PH_INT32_STR_LEN_1]; WCHAR CpuCoreUsageText[PH_INT32_STR_LEN_1]; PPH_STRING WaitTimeText; PPH_STRING IoReads; PPH_STRING IoWrites; PPH_STRING IoOther; PPH_STRING IoReadBytes; PPH_STRING IoWriteBytes; PPH_STRING IoOtherBytes; // begin_phapppub } PH_THREAD_NODE, *PPH_THREAD_NODE; // end_phapppub typedef struct _PH_THREAD_LIST_CONTEXT { HWND ParentWindowHandle; HWND TreeNewHandle; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; PH_CM_MANAGER Cm; PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; PPH_POINTER_LIST NodeStateList; PH_TN_FILTER_SUPPORT TreeFilterSupport; HANDLE ProcessId; LARGE_INTEGER ProcessCreateTime; BOOLEAN EnableStateHighlighting; BOOLEAN UseCycleTime; BOOLEAN HasServices; union { ULONG Flags; struct { ULONG Reserved : 3; ULONG HideSuspended : 1; ULONG HideGuiThreads : 1; ULONG HighlightSuspended : 1; ULONG HighlightGuiThreads : 1; ULONG Spare : 25; }; }; } PH_THREAD_LIST_CONTEXT, *PPH_THREAD_LIST_CONTEXT; VOID PhInitializeThreadList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_THREAD_LIST_CONTEXT Context ); VOID PhDeleteThreadList( _In_ PPH_THREAD_LIST_CONTEXT Context ); VOID PhLoadSettingsThreadList( _Inout_ PPH_THREAD_LIST_CONTEXT Context ); VOID PhSaveSettingsThreadList( _Inout_ PPH_THREAD_LIST_CONTEXT Context ); VOID PhSetOptionsThreadList( _Inout_ PPH_THREAD_LIST_CONTEXT Context, _In_ ULONG Options ); PPH_THREAD_NODE PhAddThreadNode( _Inout_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_ITEM ThreadItem, _In_ BOOLEAN FirstRun ); PPH_THREAD_NODE PhFindThreadNode( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ HANDLE ThreadId ); VOID PhRemoveThreadNode( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ); VOID PhUpdateThreadNode( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ); VOID PhTickThreadNodes( _In_ PPH_THREAD_LIST_CONTEXT Context ); PPH_THREAD_ITEM PhGetSelectedThreadItem( _In_ PPH_THREAD_LIST_CONTEXT Context ); VOID PhGetSelectedThreadItems( _In_ PPH_THREAD_LIST_CONTEXT Context, _Out_ PPH_THREAD_ITEM **Threads, _Out_ PULONG NumberOfThreads ); #endif ================================================ FILE: SystemInformer/include/thrdprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #ifndef PH_THRDPRV_H #define PH_THRDPRV_H extern PPH_OBJECT_TYPE PhThreadProviderType; extern PPH_OBJECT_TYPE PhThreadItemType; // begin_phapppub typedef struct _PH_THREAD_ITEM { union { CLIENT_ID ClientId; struct { HANDLE ProcessId; HANDLE ThreadId; }; }; LARGE_INTEGER CreateTime; LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; PH_UINT64_DELTA CpuKernelDelta; PH_UINT64_DELTA CpuUserDelta; PH_UINT32_DELTA ContextSwitchesDelta; PH_UINT64_DELTA CyclesDelta; FLOAT CpuUsage; FLOAT CpuKernelUsage; FLOAT CpuUserUsage; KPRIORITY Priority; KPRIORITY BasePriority; KPRIORITY ActualBasePriority; // KeSetActualBasePriorityThread (jxy-s) union { KAFFINITY AffinityMaskSingle; // Single processor group PKAFFINITY AffinityMaskGroups; // Multiple processor groups * PhSystemProcessorInformation.NumberOfProcessorGroups }; ULONG AffinityPopulationCount; ULONG WaitTime; KTHREAD_STATE State; KWAIT_REASON WaitReason; HANDLE ThreadHandle; PPH_STRING ServiceName; PVOID StartAddressWin32; PVOID StartAddress; NTSTATUS ThreadHandleStatus; NTSTATUS StartAddressStatus; PPH_STRING StartAddressWin32String; PPH_STRING StartAddressWin32FileName; enum _PH_SYMBOL_RESOLVE_LEVEL StartAddressWin32ResolveLevel; PPH_STRING StartAddressString; PPH_STRING StartAddressFileName; enum _PH_SYMBOL_RESOLVE_LEVEL StartAddressResolveLevel; BOOLEAN IsGuiThread; BOOLEAN JustResolved; WCHAR ThreadIdString[PH_INT32_STR_LEN_1]; WCHAR ThreadIdHexString[PH_PTR_STR_LEN_1]; WCHAR LxssThreadIdString[PH_INT32_STR_LEN_1]; IO_COUNTERS IoCounters; ULONG LxssThreadId; BOOLEAN PowerThrottling; } PH_THREAD_ITEM, *PPH_THREAD_ITEM; typedef enum _PH_KNOWN_PROCESS_TYPE PH_KNOWN_PROCESS_TYPE; typedef struct _PH_THREAD_PROVIDER { PPH_HASHTABLE ThreadHashtable; PH_FAST_LOCK ThreadHashtableLock; PH_CALLBACK ThreadAddedEvent; PH_CALLBACK ThreadModifiedEvent; PH_CALLBACK ThreadRemovedEvent; PH_CALLBACK UpdatedEvent; PH_CALLBACK LoadingStateChangedEvent; HANDLE ProcessId; HANDLE ProcessHandle; union { BOOLEAN Flags; struct { BOOLEAN HasServices : 1; BOOLEAN HasServicesKnown : 1; BOOLEAN Terminating : 1; BOOLEAN Spare : 5; }; }; struct _PH_SYMBOL_PROVIDER *SymbolProvider; SLIST_HEADER QueryListHead; PH_QUEUED_LOCK LoadSymbolsLock; LONG SymbolsLoading; ULONG64 RunId; ULONG64 SymbolsLoadedRunId; } PH_THREAD_PROVIDER, *PPH_THREAD_PROVIDER; // end_phapppub PPH_THREAD_PROVIDER PhCreateThreadProvider( _In_ HANDLE ProcessId ); VOID PhRegisterThreadProvider( _In_ PPH_THREAD_PROVIDER ThreadProvider, _Out_ PPH_CALLBACK_REGISTRATION CallbackRegistration ); VOID PhUnregisterThreadProvider( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PPH_CALLBACK_REGISTRATION CallbackRegistration ); VOID PhSetTerminatingThreadProvider( _Inout_ PPH_THREAD_PROVIDER ThreadProvider ); VOID PhLoadSymbolsThreadProvider( _In_ PPH_THREAD_PROVIDER ThreadProvider ); PPH_THREAD_ITEM PhCreateThreadItem( _In_ CLIENT_ID ClientId ); PPH_THREAD_ITEM PhReferenceThreadItem( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ HANDLE ThreadId ); VOID PhDereferenceAllThreadItems( _In_ PPH_THREAD_PROVIDER ThreadProvider ); PCPH_STRINGREF PhGetBasePrioritySymbolicString( _In_ KPRIORITY BasePriority ); VOID PhThreadProviderInitialUpdate( _In_ PPH_THREAD_PROVIDER ThreadProvider ); #endif ================================================ FILE: SystemInformer/infodlg.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2016-2023 * */ #include #include #include typedef struct _PH_INFORMATION_CONTEXT { PCWSTR String; ULONG Flags; PH_LAYOUT_MANAGER LayoutManager; RECT MinimumSize; } PH_INFORMATION_CONTEXT, *PPH_INFORMATION_CONTEXT; static INT_PTR CALLBACK PhpInformationDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_INFORMATION_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PPH_INFORMATION_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(hwndDlg); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_TEXT), NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_COPY), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); if (PhValidWindowPlacementFromSetting(SETTING_INFORMATION_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(NULL, SETTING_INFORMATION_WINDOW_SIZE, hwndDlg); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); context->MinimumSize = (RECT){ -1, -1, -1, -1 }; if (context->MinimumSize.left == -1) { RECT rect; rect.left = 0; rect.top = 0; rect.right = 200; rect.bottom = 140; MapDialogRect(hwndDlg, &rect); context->MinimumSize = rect; context->MinimumSize.left = 0; } PhSetDialogItemText(hwndDlg, IDC_TEXT, context->String); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveWindowPlacementToSetting(SETTING_INFORMATION_WINDOW_POSITION, SETTING_INFORMATION_WINDOW_SIZE, hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; case IDC_COPY: { HWND editControl; LONG selStart; LONG selEnd; PH_STRINGREF string; editControl = GetDlgItem(hwndDlg, IDC_TEXT); SendMessage(editControl, EM_GETSEL, (WPARAM)&selStart, (LPARAM)&selEnd); if (selStart == selEnd) { // Select and copy the entire string. PhInitializeStringRefLongHint(&string, context->String); Edit_SetSel(editControl, 0, -1); } else { string.Buffer = PTR_ADD_OFFSET(context->String, selStart); string.Length = (selEnd - selStart) * sizeof(WCHAR); } PhSetClipboardString(hwndDlg, &string); PhSetDialogFocus(hwndDlg, editControl); } break; case IDC_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt)", L"*.txt" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, L"Information.txt"); if (PhShowFileDialog(hwndDlg, fileDialog)) { NTSTATUS status; PPH_STRING fileName; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { PH_STRINGREF string; PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); PhInitializeStringRefLongHint(&string, context->String); PhWriteStringAsUtf8FileStream(fileStream, &string); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, context->MinimumSize.right, context->MinimumSize.bottom); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhShowInformationDialog( _In_ HWND ParentWindowHandle, _In_ PCWSTR String, _Reserved_ ULONG Flags ) { PH_INFORMATION_CONTEXT context; memset(&context, 0, sizeof(PH_INFORMATION_CONTEXT)); context.String = String; context.Flags = Flags; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_INFORMATION), ParentWindowHandle, PhpInformationDlgProc, &context ); } ================================================ FILE: SystemInformer/informer.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2024-2025 * */ #include #include #include #include #include #include #include #include #include typedef struct _PH_INFORMER_DB_REAP { ULONG64 ProcessStartKey; ULONG64 MaxCount; ULONG Seconds; } PH_INFORMER_DB_REAP, *PPH_INFORMER_DB_REAP; typedef int SQLITE_APICALL sqlite3_open_v2_fn( const char *filename, /* Database filename (UTF-8) */ sqlite3 **ppDb, /* OUT: SQLite db handle */ int flags, /* Flags */ const char *zVfs /* Name of VFS module to use */ ); typedef int SQLITE_APICALL sqlite3_exec_fn( sqlite3*, /* An open database */ const char *sql, /* SQL to be evaluated */ int (SQLITE_CALLBACK *callback)(void*,int,char**,char**), /* Callback function */ void *, /* 1st argument to callback */ char **errmsg /* Error msg written here */ ); typedef int SQLITE_APICALL sqlite3_create_function_v2_fn( sqlite3 *db, const char *zFunctionName, int nArg, int eTextRep, void *pApp, void (SQLITE_CALLBACK *xFunc)(sqlite3_context*,int,sqlite3_value**), void (SQLITE_CALLBACK *xStep)(sqlite3_context*,int,sqlite3_value**), void (SQLITE_CALLBACK *xFinal)(sqlite3_context*), void(SQLITE_CALLBACK *xDestroy)(void*) ); typedef int SQLITE_APICALL sqlite3_prepare_v2_fn( sqlite3 *db, /* Database handle */ const char *zSql, /* SQL statement, UTF-8 encoded */ int nByte, /* Maximum length of zSql in bytes. */ sqlite3_stmt **ppStmt, /* OUT: Statement handle */ const char **pzTail /* OUT: Pointer to unused portion of zSql */ ); typedef int SQLITE_APICALL sqlite3_bind_int64_fn(sqlite3_stmt*, int, sqlite3_int64); typedef int SQLITE_APICALL sqlite3_step_fn(sqlite3_stmt*); typedef int SQLITE_APICALL sqlite3_reset_fn(sqlite3_stmt *pStmt); typedef sqlite3_int64 SQLITE_APICALL sqlite3_value_int64_fn(sqlite3_value*); typedef sqlite3_int64 SQLITE_APICALL sqlite3_column_int64_fn(sqlite3_stmt*, int iCol); static PH_CALLBACK_REGISTRATION PhpInformerProcessesUpdatedRegistration; static PH_CALLBACK_REGISTRATION PhpInformerProcessesRemovedRegistration; static PH_FREE_LIST PhpInformerReapFreeList; static PH_QUEUED_LOCK PhpInformerDatabaseLock = PH_QUEUED_LOCK_INIT; static sqlite3* PhpInformerDB = NULL; static sqlite3_stmt* PhpInformerDBInsert = NULL; static sqlite3_stmt* PhpInformerDBQueryCount = NULL; static sqlite3_stmt* PhpInformerDBReapMax = NULL; static sqlite3_stmt* PhpInformerDBReapTime = NULL; static sqlite3_stmt* PhpInformerDBReapProc = NULL; static sqlite3_stmt* PhpInformerDBQuery = NULL; static sqlite3_stmt* PhpInformerDBQueryProc = NULL; static sqlite3_open_v2_fn* sqlite3_open_v2_I = NULL; static sqlite3_exec_fn* sqlite3_exec_I = NULL; static sqlite3_create_function_v2_fn* sqlite3_create_function_v2_I = NULL; static sqlite3_prepare_v2_fn* sqlite3_prepare_v2_I = NULL; static sqlite3_bind_int64_fn* sqlite3_bind_int64_I = NULL; static sqlite3_step_fn* sqlite3_step_I = NULL; static sqlite3_reset_fn* sqlite3_reset_I = NULL; static sqlite3_value_int64_fn* sqlite3_value_int64_I = NULL; static sqlite3_column_int64_fn* sqlite3_column_int64_I = NULL; PH_CALLBACK_DECLARE(PhInformerCallback); VOID PhpInformerGetKeys( _In_ PKPH_MESSAGE Message, _Out_ PULONG64 ActorKey, _Out_ PULONG64 TargetKey ) { *ActorKey = ULONG64_MAX; *TargetKey = ULONG64_MAX; switch (Message->Header.MessageId) { case KphMsgProcessCreate: *ActorKey = Message->Kernel.ProcessCreate.CreatingProcessStartKey; *TargetKey = Message->Kernel.ProcessCreate.TargetProcessStartKey; return; case KphMsgProcessExit: *ActorKey = Message->Kernel.ProcessExit.ProcessStartKey; return; case KphMsgThreadCreate: *ActorKey = Message->Kernel.ThreadCreate.CreatingProcessStartKey; *TargetKey = Message->Kernel.ThreadCreate.TargetProcessStartKey; return; case KphMsgThreadExecute: *ActorKey = Message->Kernel.ThreadExecute.ProcessStartKey; return; case KphMsgThreadExit: *ActorKey = Message->Kernel.ThreadExit.ProcessStartKey; return; case KphMsgImageLoad: *ActorKey = Message->Kernel.ImageLoad.LoadingProcessStartKey; *TargetKey = Message->Kernel.ImageLoad.TargetProcessStartKey; return; case KphMsgImageVerify: *ActorKey = Message->Kernel.ImageVerify.ProcessStartKey; return; case KphMsgDebugPrint: return; default: break; } if (Message->Header.MessageId >= KphMsgHandlePreCreateProcess && Message->Header.MessageId <= KphMsgHandlePostDuplicateDesktop) { *ActorKey = Message->Kernel.Handle.ContextProcessStartKey; return; } if (Message->Header.MessageId >= KphMsgFilePreCreate && Message->Header.MessageId <= KphMsgFilePostVolumeDismount) { *ActorKey = Message->Kernel.File.ProcessStartKey; return; } if (Message->Header.MessageId >= KphMsgRegPreDeleteKey && Message->Header.MessageId <= KphMsgRegPostSaveMergedKey) { *ActorKey = Message->Kernel.Reg.ProcessStartKey; return; } } ULONG64 PhpInformerDatabaseQueryCountUnsafe( VOID ) { ULONG64 count = 0; if (sqlite3_step_I(PhpInformerDBQueryCount) == SQLITE_ROW) count = sqlite3_column_int64_I(PhpInformerDBQueryCount, 0); sqlite3_reset_I(PhpInformerDBQueryCount); return count; } VOID PhpInformerDatabaseInsert( _In_ PKPH_MESSAGE Message ) { if (PhpInformerDBInsert) { ULONG64 actorKey; ULONG64 targetKey; PhpInformerGetKeys(Message, &actorKey, &targetKey); PhAcquireQueuedLockExclusive(&PhpInformerDatabaseLock); sqlite3_bind_int64_I(PhpInformerDBInsert, 1, Message->Header.TimeStamp.QuadPart); sqlite3_bind_int64_I(PhpInformerDBInsert, 2, actorKey); sqlite3_bind_int64_I(PhpInformerDBInsert, 3, targetKey); sqlite3_bind_int64_I(PhpInformerDBInsert, 4, (LONG64)(LONG_PTR)Message); sqlite3_step_I(PhpInformerDBInsert); sqlite3_reset_I(PhpInformerDBInsert); PhReleaseQueuedLockExclusive(&PhpInformerDatabaseLock); } } VOID PhpInformerDatabaseReap( _In_ PPH_INFORMER_DB_REAP Reap ) { LARGE_INTEGER systemTime; PhAcquireQueuedLockExclusive(&PhpInformerDatabaseLock); if (PhpInformerDBReapProc && Reap->ProcessStartKey) { sqlite3_bind_int64_I(PhpInformerDBReapProc, 1, Reap->ProcessStartKey); sqlite3_step_I(PhpInformerDBReapProc); sqlite3_reset_I(PhpInformerDBReapProc); } if (PhpInformerDBReapTime && Reap->Seconds) { KphMsgQuerySystemTime(&systemTime); systemTime.QuadPart -= (LONG64)Reap->Seconds * 10000000; sqlite3_bind_int64_I(PhpInformerDBReapTime, 1, systemTime.QuadPart); sqlite3_step_I(PhpInformerDBReapTime); sqlite3_reset_I(PhpInformerDBReapTime); } if (PhpInformerDBReapMax && Reap->MaxCount) { if (PhpInformerDatabaseQueryCountUnsafe() > Reap->MaxCount) { sqlite3_bind_int64_I(PhpInformerDBReapMax, 1, Reap->MaxCount); sqlite3_step_I(PhpInformerDBReapMax); sqlite3_reset_I(PhpInformerDBReapMax); } } PhReleaseQueuedLockExclusive(&PhpInformerDatabaseLock); } PPH_LIST PhInformerDatabaseQuery( _In_ ULONG64 ProcessStartKey, _In_opt_ PLARGE_INTEGER TimeStamp ) { LARGE_INTEGER timeStamp; PPH_LIST messages; messages = PhCreateList(10); if (PhpInformerDBQuery && PhpInformerDBQueryProc) { if (TimeStamp) { timeStamp.QuadPart = TimeStamp->QuadPart; } else { timeStamp.QuadPart = 0; } PhAcquireQueuedLockExclusive(&PhpInformerDatabaseLock); if (ProcessStartKey) { sqlite3_bind_int64_I(PhpInformerDBQueryProc, 1, ProcessStartKey); sqlite3_bind_int64_I(PhpInformerDBQueryProc, 2, ProcessStartKey); sqlite3_bind_int64_I(PhpInformerDBQueryProc, 3, timeStamp.QuadPart); while (sqlite3_step_I(PhpInformerDBQueryProc) == SQLITE_ROW) { PKPH_MESSAGE message; message = (PVOID)(LONG_PTR)sqlite3_column_int64_I(PhpInformerDBQueryProc, 0); PhAddItemList(messages, PhReferenceObject(message)); } sqlite3_reset_I(PhpInformerDBQueryProc); } else { sqlite3_bind_int64_I(PhpInformerDBQuery, 1, timeStamp.QuadPart); while (sqlite3_step_I(PhpInformerDBQuery) == SQLITE_ROW) { PKPH_MESSAGE message; message = (PVOID)(LONG_PTR)sqlite3_column_int64_I(PhpInformerDBQuery, 0); PhAddItemList(messages, PhReferenceObject(message)); } sqlite3_reset_I(PhpInformerDBQuery); } PhReleaseQueuedLockExclusive(&PhpInformerDatabaseLock); } return messages; } VOID PhpInformerDatabaseReferenceMessage( sqlite3_context* Context, INT Argc, sqlite3_value** Argv ) { PKPH_MESSAGE message; message = (PVOID)(LONG_PTR)sqlite3_value_int64_I(Argv[0]); PhReferenceObject(message); } VOID PhpInformerDatabaseDereferenceMessage( sqlite3_context* Context, INT Argc, sqlite3_value** Argv ) { PKPH_MESSAGE message; message = (PVOID)(LONG_PTR)sqlite3_value_int64_I(Argv[0]); PhDereferenceObject(message); } BOOLEAN PhpInfomerLoadSQLite( VOID ) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"winsqlite3.dll")) { sqlite3_open_v2_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_open_v2", 0); sqlite3_exec_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_exec", 0); sqlite3_create_function_v2_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_create_function_v2", 0); sqlite3_prepare_v2_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_prepare_v2", 0); sqlite3_bind_int64_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_bind_int64", 0); sqlite3_step_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_step", 0); sqlite3_reset_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_reset", 0); sqlite3_value_int64_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_value_int64", 0); sqlite3_column_int64_I = PhGetDllBaseProcedureAddress(baseAddress, "sqlite3_column_int64", 0); } return ( sqlite3_open_v2_I && sqlite3_exec_I && sqlite3_create_function_v2_I && sqlite3_prepare_v2_I && sqlite3_bind_int64_I && sqlite3_step_I && sqlite3_reset_I && sqlite3_value_int64_I && sqlite3_column_int64_I ); } VOID PhpInitializeInformerDatabase( VOID ) { if (!PhpInfomerLoadSQLite()) return; if (sqlite3_open_v2_I( "informer", &PhpInformerDB, SQLITE_OPEN_MEMORY | SQLITE_OPEN_READWRITE | SQLITE_OPEN_NOMUTEX, NULL ) == SQLITE_OK) { if (sqlite3_exec_I( PhpInformerDB, "PRAGMA synchronous = OFF;" "PRAGMA journal_mode = OFF;" "DROP TABLE IF EXISTS messages;" "CREATE TABLE messages(" "id INTEGER PRIMARY KEY AUTOINCREMENT," "time_stamp INTEGER NOT NULL," "actor_key INTEGER NOT NULL," "target_key INTEGER NOT NULL," "message INTEGER NOT NULL" ");", NULL, NULL, NULL ) == SQLITE_OK) { sqlite3_create_function_v2_I( PhpInformerDB, "reference_message", 1, SQLITE_UTF8, NULL, PhpInformerDatabaseReferenceMessage, NULL, NULL, NULL ); sqlite3_create_function_v2_I( PhpInformerDB, "dereference_message", 1, SQLITE_UTF8, NULL, PhpInformerDatabaseDereferenceMessage, NULL, NULL, NULL ); sqlite3_exec_I( PhpInformerDB, "CREATE TRIGGER before_insert_messages " "BEFORE INSERT ON messages " "FOR EACH ROW " "BEGIN " " SELECT reference_message(NEW.message); " "END;", NULL, NULL, NULL ); sqlite3_exec_I( PhpInformerDB, "CREATE TRIGGER after_delete_messages " "AFTER DELETE ON messages " "FOR EACH ROW " "BEGIN " " SELECT dereference_message(OLD.message); " "END;", NULL, NULL, NULL ); sqlite3_prepare_v2_I( PhpInformerDB, "INSERT INTO messages(time_stamp, actor_key, target_key, message)" "VALUES(?, ?, ?, ?);", -1, &PhpInformerDBInsert, NULL ); sqlite3_prepare_v2_I( PhpInformerDB, "SELECT COUNT(*) FROM messages;", -1, &PhpInformerDBQueryCount, NULL ); sqlite3_prepare_v2_I( PhpInformerDB, "DELETE FROM messages " "WHERE id IN (" " SELECT id FROM messages " " ORDER BY id ASC " " LIMIT (SELECT COUNT(*) - ? FROM messages)" ");", -1, &PhpInformerDBReapMax, NULL ); sqlite3_prepare_v2_I( PhpInformerDB, "DELETE FROM messages " "WHERE time_stamp < ?;", -1, &PhpInformerDBReapTime, NULL ); sqlite3_prepare_v2_I( PhpInformerDB, "DELETE FROM messages " "WHERE actor_key = ?;", -1, &PhpInformerDBReapProc, NULL ); sqlite3_prepare_v2_I( PhpInformerDB, "SELECT message FROM messages " "WHERE time_stamp >= ? " "ORDER BY time_stamp ASC;", -1, &PhpInformerDBQuery, NULL ); sqlite3_prepare_v2_I( PhpInformerDB, "SELECT message FROM messages " "WHERE (actor_key = ? OR target_key = ?) AND time_stamp >= ? " "ORDER BY time_stamp ASC;", -1, &PhpInformerDBQueryProc, NULL ); } } } NTSTATUS PhInformerReply( _Inout_ PPH_INFORMER_CONTEXT Context, _In_ PKPH_MESSAGE ReplyMessage ) { NTSTATUS status; if (Context->Handled) return STATUS_INVALID_PARAMETER_1; if (NT_SUCCESS(status = KphCommsReplyMessage(Context->ReplyToken, ReplyMessage))) Context->Handled = TRUE; return status; } BOOLEAN PhInformerDispatch( _In_ ULONG_PTR ReplyToken, _In_ PCKPH_MESSAGE Message ) { PKPH_MESSAGE message; PH_INFORMER_CONTEXT context; message = KphCreateMessage(Message->Header.Size); memcpy(message, Message, Message->Header.Size); context.Message = message; context.ReplyToken = ReplyToken; context.Handled = FALSE; PhpInformerDatabaseInsert(message); PhInvokeCallback(&PhInformerCallback, &context); PhDereferenceObject(message); return context.Handled; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI PhpInformerReapWorkItemRoutine( _In_ PVOID Parameter ) { PPH_INFORMER_DB_REAP reap = Parameter; PhpInformerDatabaseReap(reap); PhFreeToFreeList(&PhpInformerReapFreeList, reap); return STATUS_SUCCESS; } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhpInformerProcessUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { ULONG runCount = PtrToUlong(Parameter); PPH_INFORMER_DB_REAP reap; reap = PhAllocateFromFreeList(&PhpInformerReapFreeList); // // We cache the process monitor data for a lookback period so when a user // desires to inspect real time activity for a process we can provide a // reasonable amount of historical data. Here, reap the information that has // expired from the configured lookback period. We also configure a cache // limit which enforces a maximum on the total number of retained messages. // reap->ProcessStartKey = 0; reap->MaxCount = PhProcessMonitorCacheLimit; reap->Seconds = 0; if (PhProcessMonitorLookback && runCount % PhProcessMonitorLookback == 0) reap->Seconds = PhProcessMonitorLookback; if (!NT_SUCCESS(PhQueueUserWorkItem(PhpInformerReapWorkItemRoutine, reap))) PhFreeToFreeList(&PhpInformerReapFreeList, reap); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhpInformerProcessRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_PROCESS_ITEM processItem = (PPH_PROCESS_ITEM)Parameter; PPH_INFORMER_DB_REAP reap; if (processItem->ProcessStartKey) { // // This is opportunistic since the provider does not track short-lived // processes. There is also no guarantee that more information about // this process will be added to the database later by the asynchronous // nature of processing informer data and the fact that the operating // system generates activity for a process after it has "exited". That // said, we know at this point that the user can no longer inspect the // process to view activity associated with it so we might as well ask // the database to reap what it can. Anything missed will be reaped by // the periodic lookback reaper. // reap = PhAllocateFromFreeList(&PhpInformerReapFreeList); reap->ProcessStartKey = processItem->ProcessStartKey; reap->MaxCount = 0; reap->Seconds = 0; if (!NT_SUCCESS(PhQueueUserWorkItem(PhpInformerReapWorkItemRoutine, reap))) PhFreeToFreeList(&PhpInformerReapFreeList, reap); } } VOID PhInformerInitialize( VOID ) { PhInitializeFreeList(&PhpInformerReapFreeList, sizeof(PH_INFORMER_DB_REAP), 16); if (!PhEnableProcessMonitor) return; PhpInitializeInformerDatabase(); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhpInformerProcessUpdatedHandler, NULL, &PhpInformerProcessesUpdatedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderRemovedEvent), PhpInformerProcessRemovedHandler, NULL, &PhpInformerProcessesRemovedRegistration ); } VOID PhInformerActivate( VOID ) { KPH_INFORMER_SETTINGS settings; KPH_INFORMER_CLIENT_SETTINGS client; memset(&settings, 0, sizeof(settings)); settings.Policy[KPH_INFORMER_INDEX(RequiredStateFailure)] = (KPH_RATE_LIMIT_POLICY)KPH_RATE_LIMIT_UNLIMITED; KphSetInformerProcessSettings(NtCurrentProcess(), &settings); if (!PhEnableProcessMonitor) { KphSetInformerSettings(&settings); return; } memset(&settings, 0, sizeof(settings)); settings.Options.Flags = ULONG_MAX; settings.Options.EnableStackTraces = FALSE; settings.Options.EnableProcessCreateReply = FALSE; settings.Options.FileEnablePreCreateReply = FALSE; settings.Options.FileEnablePostCreateReply = FALSE; settings.Options.FileEnablePostFileNames = FALSE; settings.Options.FileEnableIoControlBuffers = FALSE; settings.Options.FileEnableFsControlBuffers = FALSE; settings.Options.FileEnableDirControlBuffers = FALSE; settings.Options.RegEnablePostObjectNames = FALSE; settings.Options.RegEnablePostValueNames = FALSE; settings.Options.RegEnableValueBuffers = FALSE; for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) settings.Policy[i] = (KPH_RATE_LIMIT_POLICY)KPH_RATE_LIMIT_UNLIMITED; settings.Policy[KPH_INFORMER_INDEX(DebugPrint)] = (KPH_RATE_LIMIT_POLICY)KPH_RATE_LIMIT_DENY_ALL; KphSetInformerSettings(&settings); memset(&client, 0, sizeof(client)); PhTimeoutFromMilliseconds(&client.MessageTimeouts.AsyncTimeout, 3000); PhTimeoutFromMilliseconds(&client.MessageTimeouts.DefaultTimeout, 3000); PhTimeoutFromMilliseconds(&client.MessageTimeouts.ProcessCreateTimeout, 3000); PhTimeoutFromMilliseconds(&client.MessageTimeouts.FilePreCreateTimeout, 3000); PhTimeoutFromMilliseconds(&client.MessageTimeouts.FilePostCreateTimeout, 3000); //client.AsyncQueuePolicy = (KPH_RATE_LIMIT_POLICY)KPH_RATE_LIMIT_PER_SEC(1000, 30000); client.AsyncQueuePolicy = (KPH_RATE_LIMIT_POLICY)KPH_RATE_LIMIT_DENY_ALL; for (ULONG i = 0; i < KPH_INFORMER_COUNT; i++) client.InformerPolicy[i] = (KPH_RATE_LIMIT_POLICY)KPH_RATE_LIMIT_UNLIMITED; KphSetInformerClientSettings(&client); } ================================================ FILE: SystemInformer/itemtips.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include VOID PhpFillUmdfDrivers( _In_ PPH_PROCESS_ITEM Process, _Inout_ PPH_STRING_BUILDER Drivers ); VOID PhpFillRunningTasks( _In_ PPH_PROCESS_ITEM Process, _Inout_ PPH_STRING_BUILDER Tasks ); VOID PhpFillWmiProviderHost( _In_ PPH_PROCESS_ITEM Process, _Inout_ PPH_STRING_BUILDER Providers ); extern PPH_STRING PhQueryWmiHostProcessString( // prpgwmi.c _In_ PPH_PROCESS_ITEM ProcessItem, _Inout_ PPH_STRING_BUILDER Providers ); extern BOOLEAN PhpShouldShowImageCoherency( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ BOOLEAN CheckThreshold ); static CONST PH_STRINGREF StandardIndent = PH_STRINGREF_INIT(L" "); VOID PhpAppendStringWithLineBreaks( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ PPH_STRINGREF String, _In_ ULONG CharactersPerLine, _In_opt_ PPH_STRINGREF IndentAfterFirstLine ) { PH_STRINGREF line; SIZE_T bytesPerLine; BOOLEAN afterFirstLine; SIZE_T bytesToAppend; line = *String; bytesPerLine = CharactersPerLine * sizeof(WCHAR); afterFirstLine = FALSE; while (line.Length != 0) { bytesToAppend = line.Length; if (bytesToAppend > bytesPerLine) bytesToAppend = bytesPerLine; if (afterFirstLine) { PhAppendCharStringBuilder(StringBuilder, L'\n'); if (IndentAfterFirstLine) PhAppendStringBuilder(StringBuilder, IndentAfterFirstLine); } PhAppendStringBuilderEx(StringBuilder, line.Buffer, bytesToAppend); afterFirstLine = TRUE; PhSkipStringRef(&line, bytesToAppend); } } static int __cdecl ServiceForTooltipCompare( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_SERVICE_ITEM serviceItem1 = *(PPH_SERVICE_ITEM *)elem1; PPH_SERVICE_ITEM serviceItem2 = *(PPH_SERVICE_ITEM *)elem2; return PhCompareString(serviceItem1->Name, serviceItem2->Name, TRUE); } PPH_STRING PhGetProcessTooltipText( _In_ PPH_PROCESS_ITEM Process, _Out_opt_ PULONG64 ValidToTickCount ) { PH_STRING_BUILDER stringBuilder; ULONG validForMs = 60 * 60 * 1000; // 1 hour PPH_STRING tempString; PPH_STRING fileName; PhInitializeStringBuilder(&stringBuilder, 200); // Command line if (PhGetIntegerSetting(SETTING_ENABLE_COMMAND_LINE_TOOLTIPS) && Process->CommandLine) { tempString = PhEllipsisString(Process->CommandLine, 100 * 10); // This is necessary because the tooltip control seems to use some kind of O(n^9999) word-wrapping // algorithm. PhpAppendStringWithLineBreaks(&stringBuilder, &tempString->sr, 100, NULL); PhAppendCharStringBuilder(&stringBuilder, L'\n'); PhDereferenceObject(tempString); } // File information fileName = Process->FileName ? PhGetFileName(Process->FileName) : NULL; if (fileName) { tempString = PhFormatImageVersionInfo( fileName, &Process->VersionInfo, &StandardIndent, 0 ); if (!PhIsNullOrEmptyString(tempString)) { PhAppendStringBuilder2(&stringBuilder, L"File:\n"); PhAppendStringBuilder(&stringBuilder, &tempString->sr); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } if (tempString) PhDereferenceObject(tempString); PhDereferenceObject(fileName); } // Known command line information if (Process->CommandLine && Process->QueryHandle) { PH_KNOWN_PROCESS_COMMAND_LINE knownCommandLine; if (Process->KnownProcessType != UnknownProcessType && PhaGetProcessKnownCommandLine( Process->CommandLine, Process->KnownProcessType, &knownCommandLine )) { switch (Process->KnownProcessType & KnownProcessTypeMask) { case ServiceHostProcessType: PhAppendStringBuilder2(&stringBuilder, L"Service group name:\n "); PhAppendStringBuilder(&stringBuilder, &knownCommandLine.ServiceHost.GroupName->sr); PhAppendCharStringBuilder(&stringBuilder, L'\n'); break; case RunDllAsAppProcessType: { PH_IMAGE_VERSION_INFO versionInfo; if (NT_SUCCESS(PhInitializeImageVersionInfo( &versionInfo, knownCommandLine.RunDllAsApp.FileName->Buffer ))) { tempString = PhFormatImageVersionInfo( knownCommandLine.RunDllAsApp.FileName, &versionInfo, &StandardIndent, 0 ); if (!PhIsNullOrEmptyString(tempString)) { PhAppendStringBuilder2(&stringBuilder, L"Run DLL target file:\n"); PhAppendStringBuilder(&stringBuilder, &tempString->sr); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } if (tempString) PhDereferenceObject(tempString); PhDeleteImageVersionInfo(&versionInfo); } } break; case ComSurrogateProcessType: { PH_IMAGE_VERSION_INFO versionInfo; PPH_STRING guidString; PhAppendStringBuilder2(&stringBuilder, L"COM target:\n"); if (knownCommandLine.ComSurrogate.Name) { PhAppendStringBuilder(&stringBuilder, &StandardIndent); PhAppendStringBuilder(&stringBuilder, &knownCommandLine.ComSurrogate.Name->sr); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } if (guidString = PhFormatGuid(&knownCommandLine.ComSurrogate.Guid)) { PhAppendStringBuilder(&stringBuilder, &StandardIndent); PhAppendStringBuilder(&stringBuilder, &guidString->sr); PhDereferenceObject(guidString); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } if (knownCommandLine.ComSurrogate.FileName && NT_SUCCESS(PhInitializeImageVersionInfo( &versionInfo, knownCommandLine.ComSurrogate.FileName->Buffer ))) { tempString = PhFormatImageVersionInfo( knownCommandLine.ComSurrogate.FileName, &versionInfo, &StandardIndent, 0 ); if (!PhIsNullOrEmptyString(tempString)) { PhAppendStringBuilder2(&stringBuilder, L"COM target file:\n"); PhAppendStringBuilder(&stringBuilder, &tempString->sr); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } if (tempString) PhDereferenceObject(tempString); PhDeleteImageVersionInfo(&versionInfo); } } break; } } } // Services if (Process->ServiceList && Process->ServiceList->Count != 0) { ULONG enumerationKey = 0; PPH_SERVICE_ITEM serviceItem; PPH_LIST serviceList; ULONG i; // Copy the service list into our own list so we can sort it. serviceList = PhCreateList(Process->ServiceList->Count); PhAcquireQueuedLockShared(&Process->ServiceListLock); while (PhEnumPointerList( Process->ServiceList, &enumerationKey, &serviceItem )) { PhReferenceObject(serviceItem); PhAddItemList(serviceList, serviceItem); } PhReleaseQueuedLockShared(&Process->ServiceListLock); qsort(serviceList->Items, serviceList->Count, sizeof(PPH_SERVICE_ITEM), ServiceForTooltipCompare); PhAppendStringBuilder2(&stringBuilder, L"Services:\n"); // Add the services. for (i = 0; i < serviceList->Count; i++) { serviceItem = serviceList->Items[i]; PhAppendStringBuilder(&stringBuilder, &StandardIndent); PhAppendStringBuilder(&stringBuilder, &serviceItem->Name->sr); PhAppendStringBuilder2(&stringBuilder, L" ("); PhAppendStringBuilder(&stringBuilder, &serviceItem->DisplayName->sr); PhAppendStringBuilder2(&stringBuilder, L")\n"); } PhDereferenceObjects(serviceList->Items, serviceList->Count); PhDereferenceObject(serviceList); } // Tasks, Drivers switch (Process->KnownProcessType & KnownProcessTypeMask) { case TaskHostProcessType: { PH_STRING_BUILDER tasks; PhInitializeStringBuilder(&tasks, 40); PhpFillRunningTasks(Process, &tasks); if (tasks.String->Length != 0) { PhAppendStringBuilder2(&stringBuilder, L"Tasks:\n"); PhAppendStringBuilder(&stringBuilder, &tasks.String->sr); } PhDeleteStringBuilder(&tasks); } break; case UmdfHostProcessType: { PH_STRING_BUILDER drivers; PhInitializeStringBuilder(&drivers, 40); PhpFillUmdfDrivers(Process, &drivers); if (drivers.String->Length != 0) { PhAppendStringBuilder2(&stringBuilder, L"Drivers:\n"); PhAppendStringBuilder(&stringBuilder, &drivers.String->sr); } PhDeleteStringBuilder(&drivers); validForMs = 10 * 1000; // 10 seconds } break; //case EdgeProcessType: // { // PH_STRING_BUILDER container; // // PhInitializeStringBuilder(&container, 40); // // PhpFillMicrosoftEdge(Process, &container); // // if (container.String->Length != 0) // { // PhAppendStringBuilder2(&stringBuilder, L"Edge:\n"); // PhAppendStringBuilder(&stringBuilder, &container.String->sr); // } // // PhDeleteStringBuilder(&container); // } // break; case WmiProviderHostType: { PH_STRING_BUILDER provider; PhInitializeStringBuilder(&provider, 40); PhpFillWmiProviderHost(Process, &provider); if (provider.String->Length != 0) { PhAppendStringBuilder2(&stringBuilder, L"WMI Providers:\n"); PhAppendStringBuilder(&stringBuilder, &provider.String->sr); } PhDeleteStringBuilder(&provider); validForMs = 10 * 1000; // 10 seconds } break; } // Plugin if (PhPluginsEnabled) { PH_PLUGIN_GET_TOOLTIP_TEXT getTooltipText; getTooltipText.Parameter = Process; getTooltipText.StringBuilder = &stringBuilder; getTooltipText.ValidForMs = validForMs; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackGetProcessTooltipText), &getTooltipText); validForMs = getTooltipText.ValidForMs; } // Notes { PH_STRING_BUILDER notes; PhInitializeStringBuilder(¬es, 40); if (Process->FileName) { if (Process->VerifyResult == VrTrusted) { if (!PhIsNullOrEmptyString(Process->VerifySignerName)) PhAppendFormatStringBuilder(¬es, L" Signer: %s\n", Process->VerifySignerName->Buffer); else PhAppendStringBuilder2(¬es, L" Signed.\n"); } else if (Process->VerifyResult == VrUnknown) { // Nothing } else if (Process->VerifyResult != VrNoSignature) { PhAppendStringBuilder2(¬es, L" Signature invalid.\n"); } } if (Process->IsPacked) { PhAppendFormatStringBuilder( ¬es, L" Image is probably packed (%lu %ls over %lu %ls).\n", Process->ImportFunctions, Process->ImportFunctions == 1 ? L"import" : L"imports", Process->ImportModules, Process->ImportModules == 1 ? L"module" : L"modules" ); } if (PhEnableImageCoherencySupport && PhpShouldShowImageCoherency(Process, TRUE)) { PhAppendFormatStringBuilder( ¬es, L" Low image coherency: %.2f%%\n", (Process->ImageCoherency * 100.0f) ); } if ((ULONG_PTR)Process->ConsoleHostProcessId & ~3) { CLIENT_ID clientId; PWSTR description; PPH_STRING clientIdString; clientId.UniqueProcess = (HANDLE)((ULONG_PTR)Process->ConsoleHostProcessId & ~3); clientId.UniqueThread = NULL; if ((ULONG_PTR)Process->ConsoleHostProcessId & 2) description = L"Console application"; else description = L"Console host"; clientIdString = PhGetClientIdName(&clientId); PhAppendFormatStringBuilder(¬es, L" %s: %s\n", description, clientIdString->Buffer); PhDereferenceObject(clientIdString); } if (Process->PackageFullName) { PhAppendFormatStringBuilder(¬es, L" Package name: %s\n", Process->PackageFullName->Buffer); } if (notes.String->Length != 0) { PhAppendStringBuilder2(&stringBuilder, L"Notes:\n"); PhAppendStringBuilder(&stringBuilder, ¬es.String->sr); } PhDeleteStringBuilder(¬es); PhInitializeStringBuilder(¬es, 40); if (Process->IsSystemProcess) PhAppendStringBuilder2(¬es, L" Process is a system process (TCB).\n"); if (Process->IsBeingDebugged) PhAppendStringBuilder2(¬es, L" Process is being debugged.\n"); if (Process->IsSuspended) PhAppendStringBuilder2(¬es, L" Process is suspended.\n"); if (Process->IsFrozenProcess) PhAppendStringBuilder2(¬es, L" Process is in deep freeze (suspended).\n"); if (Process->IsDotNet) PhAppendStringBuilder2(¬es, L" Process is managed (.NET).\n"); if (Process->IsElevated) { if (Process->ElevationType == TokenElevationTypeDefault) PhAppendStringBuilder2(¬es, L" Process is default elevated.\n"); else if (Process->ElevationType == TokenElevationTypeFull) PhAppendStringBuilder2(¬es, L" Process is full elevated.\n"); else if (Process->ElevationType == TokenElevationTypeLimited) PhAppendStringBuilder2(¬es, L" Process is limited elevated.\n"); else PhAppendStringBuilder2(¬es, L" Process is elevated.\n"); } if (Process->IsUIAccessEnabled) PhAppendStringBuilder2(¬es, L" Process is UIAccess.\n"); if (Process->IsImmersive) PhAppendStringBuilder2(¬es, L" Process is a Modern UI app.\n"); if (Process->IsInJob) PhAppendStringBuilder2(¬es, L" Process is in a job.\n"); if (Process->IsWow64Process) PhAppendStringBuilder2(¬es, L" Process is 32-bit (WOW64).\n"); if (Process->IsProtectedProcess) PhAppendStringBuilder2(¬es, L" Process is a protected process (PP/PPL).\n"); if (Process->IsSecureProcess) PhAppendStringBuilder2(¬es, L" Process is a secure isolated process (IUM).\n"); if (Process->IsSecureProcess) PhAppendStringBuilder2(¬es, L" Process is a secure virtualization process (HVCI).\n"); if (Process->IsSubsystemProcess) PhAppendStringBuilder2(¬es, L" Process is a subsystem process.\n"); if (Process->IsPackagedProcess) PhAppendStringBuilder2(¬es, L" Process is a packaged process.\n"); if (Process->IsBackgroundProcess) PhAppendStringBuilder2(¬es, L" Process is a background process.\n"); if (Process->IsCrossSessionProcess) PhAppendStringBuilder2(¬es, L" Process is a cross session process.\n"); // // TODO(jxy-s) Find a way to identify reflected processes maybe initial // thread start address (RtlpProcessReflectionStartup)? // //if (Process->IsReflectedProcess) // PhAppendStringBuilder2(¬es, L" Process is a reflected process.\n"); // // TODO(jxy-s) Find a way to identify cloned processes. This is distinct // from snapshot process since it is created with an initial thread. The // PEB address and some initial TEB content is likely to be the same as // the process it originated from. // //if (Process->IsClonedProcess) // PhAppendStringBuilder2(¬es, L" Process is a cloned process.\n"); if (Process->IsSnapshotProcess) PhAppendStringBuilder2(¬es, L" Process is a snapshot process.\n"); if (Process->IsPowerThrottling) PhAppendStringBuilder2(¬es, L" Process is power throttling (efficiency).\n"); if (notes.String->Length != 0) { PhAppendStringBuilder2(&stringBuilder, L"Flags:\n"); PhAppendStringBuilder(&stringBuilder, ¬es.String->sr); } PhDeleteStringBuilder(¬es); } if (ValidToTickCount) *ValidToTickCount = NtGetTickCount64() + validForMs; // Remove the trailing newline. if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); return PhFinalStringBuilderString(&stringBuilder); } VOID PhpFillUmdfDrivers( _In_ PPH_PROCESS_ITEM Process, _Inout_ PPH_STRING_BUILDER Drivers ) { static CONST PH_STRINGREF activeDevices = PH_STRINGREF_INIT(L"ACTIVE_DEVICES"); static CONST PH_STRINGREF currentControlSetEnum = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Enum\\"); HANDLE processHandle; PVOID environment; ULONG environmentLength; ULONG enumerationKey; PH_ENVIRONMENT_VARIABLE variable; if (!NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, Process->ProcessId ))) return; if (NT_SUCCESS(PhGetProcessEnvironment( processHandle, !!Process->IsWow64Process, &environment, &environmentLength ))) { enumerationKey = 0; while (NT_SUCCESS(PhEnumProcessEnvironmentVariables( environment, environmentLength, &enumerationKey, &variable ))) { PH_STRINGREF part; PH_STRINGREF remainingPart; if (!PhEqualStringRef(&variable.Name, &activeDevices, TRUE)) continue; remainingPart = variable.Value; while (remainingPart.Length != 0) { PhSplitStringRefAtChar(&remainingPart, L';', &part, &remainingPart); if (part.Length != 0) { HANDLE driverKeyHandle; PPH_STRING driverKeyPath; driverKeyPath = PhConcatStringRef2(¤tControlSetEnum, &part); if (NT_SUCCESS(PhOpenKey( &driverKeyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &driverKeyPath->sr, 0 ))) { PPH_STRING deviceDesc; PH_STRINGREF deviceName; PPH_STRING hardwareId; if (deviceDesc = PhQueryRegistryStringZ(driverKeyHandle, L"DeviceDesc")) { PH_STRINGREF firstPart; PH_STRINGREF secondPart; if (PhSplitStringRefAtLastChar(&deviceDesc->sr, L';', &firstPart, &secondPart)) deviceName = secondPart; else deviceName = deviceDesc->sr; } else { PhInitializeStringRef(&deviceName, L"Unknown Device"); } PhAppendStringBuilder(Drivers, &StandardIndent); PhAppendStringBuilder(Drivers, &deviceName); if (hardwareId = PhQueryRegistryStringZ(driverKeyHandle, L"HardwareID")) { PhTrimToNullTerminatorString(hardwareId); if (hardwareId->Length != 0) { PhAppendStringBuilder2(Drivers, L" ("); PhAppendStringBuilder(Drivers, &hardwareId->sr); PhAppendCharStringBuilder(Drivers, L')'); } } PhAppendCharStringBuilder(Drivers, L'\n'); PhClearReference(&hardwareId); PhClearReference(&deviceDesc); NtClose(driverKeyHandle); } PhDereferenceObject(driverKeyPath); } } break; } PhFreePage(environment); } NtClose(processHandle); } VOID PhpFillRunningTasks( _In_ PPH_PROCESS_ITEM Process, _Inout_ PPH_STRING_BUILDER Tasks ) { ITaskService *taskService = NULL; if (SUCCEEDED(PhGetClassObject( L"taskschd.dll", &CLSID_TaskScheduler, &IID_ITaskService, &taskService ))) { VARIANT empty = { 0 }; if (SUCCEEDED(ITaskService_Connect(taskService, empty, empty, empty, empty))) { IRunningTaskCollection *runningTasks; if (SUCCEEDED(ITaskService_GetRunningTasks( taskService, TASK_ENUM_HIDDEN, &runningTasks ))) { LONG count; LONG i; VARIANT index; if (SUCCEEDED(IRunningTaskCollection_get_Count(runningTasks, &count))) { for (i = 1; i <= count; i++) // collections are 1-based { IRunningTask *runningTask; V_VT(&index) = VT_INT; V_I4(&index) = i; if (SUCCEEDED(IRunningTaskCollection_get_Item(runningTasks, index, &runningTask))) { ULONG pid; BSTR action = NULL; BSTR path = NULL; if ( SUCCEEDED(IRunningTask_get_EnginePID(runningTask, &pid)) && pid == HandleToUlong(Process->ProcessId) ) { IRunningTask_get_CurrentAction(runningTask, &action); IRunningTask_get_Path(runningTask, &path); PhAppendStringBuilder(Tasks, &StandardIndent); PhAppendStringBuilder2(Tasks, action ? action : L"Unknown action"); PhAppendStringBuilder2(Tasks, L" ("); PhAppendStringBuilder2(Tasks, path ? path : L"Unknown path"); PhAppendStringBuilder2(Tasks, L")\n"); if (action) SysFreeString(action); if (path) SysFreeString(path); } IRunningTask_Release(runningTask); } } } IRunningTaskCollection_Release(runningTasks); } } ITaskService_Release(taskService); } } //VOID PhpFillMicrosoftEdge( // _In_ PPH_PROCESS_ITEM Process, // _Inout_ PPH_STRING_BUILDER Containers // ) //{ // HANDLE tokenHandle; // PSID appContainerInfo; // PPH_STRING appContainerSid = NULL; // // if (NT_SUCCESS(PhOpenProcessToken( // Process->QueryHandle, // TOKEN_QUERY, // &tokenHandle // ))) // { // if (NT_SUCCESS(PhGetTokenAppContainerSid(tokenHandle, &appContainerInfo))) // { // appContainerSid = PhSidToStringSid(appContainerInfo); // PhFree(appContainerInfo); // } // } // // if (appContainerSid) // { // static PH_STRINGREF managerSid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194"); // static PH_STRINGREF extensionsSid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1206159417-1570029349-2913729690-1184509225"); // static PH_STRINGREF serviceUiSid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3513710562-3729412521-1863153555-1462103995"); // static PH_STRINGREF chakraJitSid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1821068571-1793888307-623627345-1529106238"); // static PH_STRINGREF flashSid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3859068477-1314311106-1651661491-1685393560"); // static PH_STRINGREF backgroundTabPool1Sid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4256926629-1688279915-2739229046-3928706915"); // static PH_STRINGREF backgroundTabPool2Sid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-2385269614-3243675-834220592-3047885450"); // static PH_STRINGREF backgroundTabPool3Sid = PH_STRINGREF_INIT(L"S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-355265979-2879959831-980936148-1241729999"); // // if (PhEqualStringRef(&appContainerSid->sr, &managerSid, FALSE)) // { // PhAppendStringBuilder2(Containers, L" Microsoft Edge Manager\n"); // } // else if (PhEqualStringRef(&appContainerSid->sr, &extensionsSid, FALSE)) // { // PhAppendStringBuilder2(Containers, L" Browser Extensions\n"); // } // else if (PhEqualStringRef(&appContainerSid->sr, &serviceUiSid, FALSE)) // { // PhAppendStringBuilder2(Containers, L" User Interface Service\n"); // } // else if (PhEqualStringRef(&appContainerSid->sr, &chakraJitSid, FALSE)) // { // PhAppendStringBuilder2(Containers, L" Chakra Jit Compiler\n"); // } // else if (PhEqualStringRef(&appContainerSid->sr, &flashSid, FALSE)) // { // PhAppendStringBuilder2(Containers, L" Adobe Flash Player\n"); // } // else if ( // PhEqualStringRef(&appContainerSid->sr, &backgroundTabPool1Sid, FALSE) || // PhEqualStringRef(&appContainerSid->sr, &backgroundTabPool2Sid, FALSE) || // PhEqualStringRef(&appContainerSid->sr, &backgroundTabPool3Sid, FALSE) // ) // { // PhAppendStringBuilder2(Containers, L" Background Tab Pool\n"); // } // // PhDereferenceObject(appContainerSid); // } //} VOID PhpFillWmiProviderHost( _In_ PPH_PROCESS_ITEM Process, _Inout_ PPH_STRING_BUILDER Providers ) { if (PhGetIntegerSetting(SETTING_WMI_PROVIDER_ENABLE_TOOLTIP_SUPPORT)) { PhQueryWmiHostProcessString(Process, Providers); } } PPH_STRING PhGetServiceTooltipText( _In_ PPH_SERVICE_ITEM Service ) { PH_STRING_BUILDER stringBuilder; SC_HANDLE serviceHandle; PhInitializeStringBuilder(&stringBuilder, 200); if (NT_SUCCESS(PhOpenService(&serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(Service->Name)))) { PPH_STRING fileName; PPH_STRING description; // File information if (NT_SUCCESS(PhGetServiceHandleFileName(serviceHandle, &Service->Name->sr, &fileName))) { PH_IMAGE_VERSION_INFO versionInfo; PPH_STRING versionInfoText; if (NT_SUCCESS(PhInitializeImageVersionInfo( &versionInfo, fileName->Buffer ))) { versionInfoText = PhFormatImageVersionInfo( fileName, &versionInfo, &StandardIndent, 0 ); if (!PhIsNullOrEmptyString(versionInfoText)) { PhAppendStringBuilder2(&stringBuilder, L"File:\n"); PhAppendStringBuilder(&stringBuilder, &versionInfoText->sr); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } PhClearReference(&versionInfoText); PhDeleteImageVersionInfo(&versionInfo); } PhDereferenceObject(fileName); } // Description if (description = PhGetServiceDescription(serviceHandle)) { PhAppendStringBuilder2(&stringBuilder, L"Description:\n "); PhAppendStringBuilder(&stringBuilder, &description->sr); PhAppendCharStringBuilder(&stringBuilder, L'\n'); PhDereferenceObject(description); } PhCloseServiceHandle(serviceHandle); } // Remove the trailing newline. if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); return PhFinalStringBuilderString(&stringBuilder); } ================================================ FILE: SystemInformer/jobprp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2018-2019 * */ #include #include #include #include #include #include #include #include #define MSG_UPDATE (WM_APP + 1) typedef struct _JOB_PAGE_CONTEXT { PPH_OPEN_OBJECT OpenObject; PPH_CLOSE_OBJECT CloseObject; PVOID Context; DLGPROC HookProc; PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; } JOB_PAGE_CONTEXT, *PJOB_PAGE_CONTEXT; INT CALLBACK PhpJobPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ); INT_PTR CALLBACK PhpJobPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhpShowJobAdvancedProperties( _In_ HWND ParentWindowHandle, _In_ PJOB_PAGE_CONTEXT Context ); INT_PTR CALLBACK PhpJobStatisticsPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT CALLBACK PhpJobStatisticsSheetProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam ); VOID PhShowJobProperties( _In_ HWND ParentWindowHandle, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context, _In_opt_ PCWSTR Title ) { PROPSHEETHEADER propSheetHeader = { sizeof(propSheetHeader) }; HPROPSHEETPAGE pages[1]; propSheetHeader.dwFlags = PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP | PSH_PROPTITLE; propSheetHeader.hInstance = PhInstanceHandle; propSheetHeader.hwndParent = ParentWindowHandle; propSheetHeader.pszCaption = Title ? Title : L"Job"; propSheetHeader.nPages = 1; propSheetHeader.nStartPage = 0; propSheetHeader.phpage = pages; pages[0] = PhCreateJobPage(OpenObject, CloseObject, Context, NULL); PhModalPropertySheet(&propSheetHeader); } HPROPSHEETPAGE PhCreateJobPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context, _In_opt_ DLGPROC HookProc ) { HPROPSHEETPAGE propSheetPageHandle; PROPSHEETPAGE propSheetPage; PJOB_PAGE_CONTEXT jobPageContext; jobPageContext = PhCreateAlloc(sizeof(JOB_PAGE_CONTEXT)); memset(jobPageContext, 0, sizeof(JOB_PAGE_CONTEXT)); jobPageContext->OpenObject = OpenObject; jobPageContext->CloseObject = CloseObject; jobPageContext->Context = Context; jobPageContext->HookProc = HookProc; memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.dwFlags = PSP_USECALLBACK; propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_OBJJOB); propSheetPage.hInstance = PhInstanceHandle; propSheetPage.pfnDlgProc = PhpJobPageProc; propSheetPage.lParam = (LPARAM)jobPageContext; propSheetPage.pfnCallback = PhpJobPropPageProc; propSheetPageHandle = CreatePropertySheetPage(&propSheetPage); // CreatePropertySheetPage would have sent PSPCB_ADDREF (below), // which would have added a reference. PhDereferenceObject(jobPageContext); return propSheetPageHandle; } INT CALLBACK PhpJobPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ) { PJOB_PAGE_CONTEXT jobPageContext; jobPageContext = (PJOB_PAGE_CONTEXT)ppsp->lParam; if (uMsg == PSPCB_ADDREF) { PhReferenceObject(jobPageContext); } else if (uMsg == PSPCB_RELEASE) { PhDereferenceObject(jobPageContext); } return 1; } FORCEINLINE PJOB_PAGE_CONTEXT PhpJobPageHeader( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { return PhpGenericPropertyPageHeader(hwndDlg, uMsg, wParam, lParam, 1); } static VOID PhpAddLimit( _In_ HWND Handle, _In_ PCWSTR Name, _In_ PCWSTR Value ) { LONG lvItemIndex; lvItemIndex = PhAddListViewItem(Handle, MAXINT, Name, NULL); PhSetListViewSubItem(Handle, lvItemIndex, 1, Value); } static VOID PhpAddJobProcesses( _In_ HWND hwndDlg, _In_ HANDLE JobHandle ) { PJOBOBJECT_BASIC_PROCESS_ID_LIST processIdList; HWND processesLv; processesLv = GetDlgItem(hwndDlg, IDC_PROCESSES); if (NT_SUCCESS(PhGetJobProcessIdList(JobHandle, &processIdList))) { ULONG i; CLIENT_ID clientId; PPH_STRING name; clientId.UniqueThread = NULL; for (i = 0; i < processIdList->NumberOfProcessIdsInList; i++) { clientId.UniqueProcess = (HANDLE)processIdList->ProcessIdList[i]; name = PH_AUTO(PhGetClientIdName(&clientId)); PhAddListViewItem(processesLv, MAXINT, PhGetString(name), NULL); } PhFree(processIdList); } } INT_PTR CALLBACK PhpJobPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PJOB_PAGE_CONTEXT jobPageContext; jobPageContext = PhpJobPageHeader(hwndDlg, uMsg, wParam, lParam); if (!jobPageContext) return FALSE; if (jobPageContext->HookProc) { if (jobPageContext->HookProc(hwndDlg, uMsg, wParam, lParam)) return TRUE; } switch (uMsg) { case WM_INITDIALOG: { HANDLE jobHandle; HWND processesLv; HWND limitsLv; processesLv = GetDlgItem(hwndDlg, IDC_PROCESSES); limitsLv = GetDlgItem(hwndDlg, IDC_LIMITS); PhSetListViewStyle(processesLv, FALSE, TRUE); PhSetListViewStyle(limitsLv, FALSE, TRUE); PhSetControlTheme(processesLv, L"explorer"); PhSetControlTheme(limitsLv, L"explorer"); PhSetExtendedListView(processesLv); PhSetExtendedListView(limitsLv); PhAddListViewColumn(processesLv, 0, 0, 0, LVCFMT_LEFT, 240, L"Name"); PhAddListViewColumn(limitsLv, 0, 0, 0, LVCFMT_LEFT, 120, L"Name"); PhAddListViewColumn(limitsLv, 1, 1, 1, LVCFMT_LEFT, 160, L"Value"); PhLoadListViewColumnsFromSetting(SETTING_JOB_LIST_VIEW_COLUMNS, limitsLv); PhSetDialogItemText(hwndDlg, IDC_NAME, L"Unknown"); if (NT_SUCCESS(jobPageContext->OpenObject( &jobHandle, JOB_OBJECT_QUERY, jobPageContext->Context ))) { PPH_STRING jobObjectName = NULL; JOBOBJECT_EXTENDED_LIMIT_INFORMATION extendedLimits; JOBOBJECT_BASIC_UI_RESTRICTIONS basicUiRestrictions; // Name PhGetHandleInformation( NtCurrentProcess(), jobHandle, ULONG_MAX, NULL, NULL, NULL, &jobObjectName ); PH_AUTO(jobObjectName); if (jobObjectName && jobObjectName->Length == 0) jobObjectName = NULL; PhSetDialogItemText(hwndDlg, IDC_NAME, PhGetStringOrDefault(jobObjectName, L"(unnamed job)")); // Processes PhpAddJobProcesses(hwndDlg, jobHandle); // Limits if (NT_SUCCESS(PhGetJobExtendedLimits(jobHandle, &extendedLimits))) { ULONG flags = extendedLimits.BasicLimitInformation.LimitFlags; if (flags & JOB_OBJECT_LIMIT_ACTIVE_PROCESS) { WCHAR value[PH_INT32_STR_LEN_1]; PhPrintUInt32(value, extendedLimits.BasicLimitInformation.ActiveProcessLimit); PhpAddLimit(limitsLv, L"Active processes", value); } if (flags & JOB_OBJECT_LIMIT_AFFINITY) { WCHAR value[PH_PTR_STR_LEN_1]; PhPrintPointer(value, (PVOID)extendedLimits.BasicLimitInformation.Affinity); PhpAddLimit(limitsLv, L"Affinity", value); } if (flags & JOB_OBJECT_LIMIT_BREAKAWAY_OK) { PhpAddLimit(limitsLv, L"Breakaway OK", L"Enabled"); } if (flags & JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION) { PhpAddLimit(limitsLv, L"Die on unhandled exception", L"Enabled"); } if (flags & JOB_OBJECT_LIMIT_JOB_MEMORY) { PPH_STRING value = PhaFormatSize(extendedLimits.JobMemoryLimit, ULONG_MAX); PhpAddLimit(limitsLv, L"Job memory", value->Buffer); } if (flags & JOB_OBJECT_LIMIT_JOB_TIME) { WCHAR value[PH_TIMESPAN_STR_LEN_1]; PhPrintTimeSpan(value, extendedLimits.BasicLimitInformation.PerJobUserTimeLimit.QuadPart, PH_TIMESPAN_DHMS); PhpAddLimit(limitsLv, L"Job time", value); } if (flags & JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE) { PhpAddLimit(limitsLv, L"Kill on job close", L"Enabled"); } if (flags & JOB_OBJECT_LIMIT_PRIORITY_CLASS) { PCPH_STRINGREF value; if (value = PhGetProcessPriorityClassString(extendedLimits.BasicLimitInformation.PriorityClass)) { PhpAddLimit(limitsLv, L"Priority class", value->Buffer); } } if (flags & JOB_OBJECT_LIMIT_PROCESS_MEMORY) { PPH_STRING value = PhaFormatSize(extendedLimits.ProcessMemoryLimit, ULONG_MAX); PhpAddLimit(limitsLv, L"Process memory", value->Buffer); } if (flags & JOB_OBJECT_LIMIT_PROCESS_TIME) { WCHAR value[PH_TIMESPAN_STR_LEN_1]; PhPrintTimeSpan(value, extendedLimits.BasicLimitInformation.PerProcessUserTimeLimit.QuadPart, PH_TIMESPAN_DHMS); PhpAddLimit(limitsLv, L"Process time", value); } if (flags & JOB_OBJECT_LIMIT_SCHEDULING_CLASS) { WCHAR value[PH_INT32_STR_LEN_1]; PhPrintUInt32(value, extendedLimits.BasicLimitInformation.SchedulingClass); PhpAddLimit(limitsLv, L"Scheduling class", value); } if (flags & JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK) { PhpAddLimit(limitsLv, L"Silent breakaway OK", L"Enabled"); } if (flags & JOB_OBJECT_LIMIT_WORKINGSET) { PPH_STRING value; value = PhaFormatSize(extendedLimits.BasicLimitInformation.MinimumWorkingSetSize, ULONG_MAX); PhpAddLimit(limitsLv, L"Working set minimum", value->Buffer); value = PhaFormatSize(extendedLimits.BasicLimitInformation.MaximumWorkingSetSize, ULONG_MAX); PhpAddLimit(limitsLv, L"Working set maximum", value->Buffer); } } if (NT_SUCCESS(PhGetJobBasicUiRestrictions(jobHandle, &basicUiRestrictions))) { ULONG flags = basicUiRestrictions.UIRestrictionsClass; if (flags & JOB_OBJECT_UILIMIT_DESKTOP) PhpAddLimit(limitsLv, L"Desktop", L"Limited"); if (flags & JOB_OBJECT_UILIMIT_DISPLAYSETTINGS) PhpAddLimit(limitsLv, L"Display settings", L"Limited"); if (flags & JOB_OBJECT_UILIMIT_EXITWINDOWS) PhpAddLimit(limitsLv, L"Exit windows", L"Limited"); if (flags & JOB_OBJECT_UILIMIT_GLOBALATOMS) PhpAddLimit(limitsLv, L"Global atoms", L"Limited"); if (flags & JOB_OBJECT_UILIMIT_HANDLES) PhpAddLimit(limitsLv, L"Handles", L"Limited"); if (flags & JOB_OBJECT_UILIMIT_READCLIPBOARD) PhpAddLimit(limitsLv, L"Read clipboard", L"Limited"); if (flags & JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS) PhpAddLimit(limitsLv, L"System parameters", L"Limited"); if (flags & JOB_OBJECT_UILIMIT_WRITECLIPBOARD) PhpAddLimit(limitsLv, L"Write clipboard", L"Limited"); } NtClose(jobHandle); } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: PhSaveListViewColumnsToSetting(SETTING_JOB_LIST_VIEW_COLUMNS, GetDlgItem(hwndDlg, IDC_LIMITS)); break; case WM_SHOWWINDOW: { ExtendedListView_SetColumnWidth(GetDlgItem(hwndDlg, IDC_PROCESSES), 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_TERMINATE: { if (PhShowConfirmMessage( hwndDlg, L"terminate", L"the job", L"Terminating a job will terminate all processes assigned to it.", TRUE )) { NTSTATUS status; HANDLE jobHandle; if (NT_SUCCESS(status = jobPageContext->OpenObject( &jobHandle, JOB_OBJECT_TERMINATE, jobPageContext->Context ))) { status = NtTerminateJobObject(jobHandle, STATUS_SUCCESS); NtClose(jobHandle); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to terminate the job", status, 0); } } break; case IDC_ADD: { NTSTATUS status; HANDLE processId; HANDLE processHandle; HANDLE jobHandle; while (PhShowChooseProcessDialog( hwndDlg, L"Select a process to add to the job permanently.", &processId )) { if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_TERMINATE | PROCESS_SET_QUOTA, processId ))) { if (NT_SUCCESS(status = jobPageContext->OpenObject( &jobHandle, JOB_OBJECT_ASSIGN_PROCESS | JOB_OBJECT_QUERY, jobPageContext->Context ))) { status = NtAssignProcessToJobObject(jobHandle, processHandle); if (NT_SUCCESS(status)) { ListView_DeleteAllItems(GetDlgItem(hwndDlg, IDC_PROCESSES)); PhpAddJobProcesses(hwndDlg, jobHandle); } NtClose(jobHandle); } NtClose(processHandle); } if (NT_SUCCESS(status)) break; else PhShowStatus(hwndDlg, L"Unable to add the process to the job", status, 0); } } break; case IDC_ADVANCED: { PhpShowJobAdvancedProperties(hwndDlg, jobPageContext); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)GetDlgItem(hwndDlg, IDC_PROCESSES)); return TRUE; } PhHandleListViewNotifyBehaviors(lParam, GetDlgItem(hwndDlg, IDC_PROCESSES), PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); PhHandleListViewNotifyBehaviors(lParam, GetDlgItem(hwndDlg, IDC_LIMITS), PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); } break; case WM_SIZE: { ExtendedListView_SetColumnWidth(GetDlgItem(hwndDlg, IDC_PROCESSES), 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_CONTEXTMENU: { HWND listViewHandle = NULL; if ((HWND)wParam == GetDlgItem(hwndDlg, IDC_PROCESSES)) listViewHandle = GetDlgItem(hwndDlg, IDC_PROCESSES); else if ((HWND)wParam == GetDlgItem(hwndDlg, IDC_LIMITS)) listViewHandle = GetDlgItem(hwndDlg, IDC_LIMITS); if (listViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID *listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(listViewHandle, &point); PhGetSelectedListViewItemParams(listViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, listViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(listViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; } return FALSE; } VOID PhpShowJobAdvancedProperties( _In_ HWND ParentWindowHandle, _In_ PJOB_PAGE_CONTEXT Context ) { PROPSHEETHEADER propSheetHeader = { sizeof(propSheetHeader) }; HPROPSHEETPAGE pages[2]; PROPSHEETPAGE statisticsPage; propSheetHeader.dwFlags = PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP | PSH_PROPTITLE | PSH_USECALLBACK; propSheetHeader.hInstance = PhInstanceHandle; propSheetHeader.hwndParent = ParentWindowHandle; propSheetHeader.pszCaption = L"Job"; propSheetHeader.nPages = 2; propSheetHeader.nStartPage = 0; propSheetHeader.phpage = pages; propSheetHeader.pfnCallback = PhpJobStatisticsSheetProc; // General memset(&statisticsPage, 0, sizeof(PROPSHEETPAGE)); statisticsPage.dwSize = sizeof(PROPSHEETPAGE); statisticsPage.pszTemplate = MAKEINTRESOURCE(IDD_JOBSTATISTICS); statisticsPage.hInstance = PhInstanceHandle; statisticsPage.pfnDlgProc = PhpJobStatisticsPageProc; statisticsPage.lParam = (LPARAM)Context; pages[0] = CreatePropertySheetPage(&statisticsPage); // Security pages[1] = PhCreateSecurityPage( L"Job", L"Job", Context->OpenObject, NULL, Context->Context ); PhModalPropertySheet(&propSheetHeader); } static VOID PhpRefreshJobStatisticsInfo( _In_ HWND hwndDlg, _In_ PJOB_PAGE_CONTEXT Context ) { HANDLE jobHandle = NULL; JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION basicAndIo; JOBOBJECT_EXTENDED_LIMIT_INFORMATION extendedLimitInfo; Context->OpenObject( &jobHandle, JOB_OBJECT_QUERY, Context->Context ); if (jobHandle && NT_SUCCESS(PhGetJobBasicAndIoAccounting( jobHandle, &basicAndIo ))) { WCHAR timeSpan[PH_TIMESPAN_STR_LEN_1]; PhSetDialogItemValue(hwndDlg, IDC_ZACTIVEPROCESSES_V, basicAndIo.BasicInfo.ActiveProcesses, FALSE); PhSetDialogItemValue(hwndDlg, IDC_ZTOTALPROCESSES_V, basicAndIo.BasicInfo.TotalProcesses, FALSE); PhSetDialogItemValue(hwndDlg, IDC_ZTERMINATEDPROCESSES_V, basicAndIo.BasicInfo.TotalTerminatedProcesses, FALSE); PhPrintTimeSpan(timeSpan, basicAndIo.BasicInfo.TotalUserTime.QuadPart, PH_TIMESPAN_HMSM); PhSetDialogItemText(hwndDlg, IDC_ZUSERTIME_V, timeSpan); PhPrintTimeSpan(timeSpan, basicAndIo.BasicInfo.TotalKernelTime.QuadPart, PH_TIMESPAN_HMSM); PhSetDialogItemText(hwndDlg, IDC_ZKERNELTIME_V, timeSpan); PhPrintTimeSpan(timeSpan, basicAndIo.BasicInfo.ThisPeriodTotalUserTime.QuadPart, PH_TIMESPAN_HMSM); PhSetDialogItemText(hwndDlg, IDC_ZUSERTIMEPERIOD_V, timeSpan); PhPrintTimeSpan(timeSpan, basicAndIo.BasicInfo.ThisPeriodTotalKernelTime.QuadPart, PH_TIMESPAN_HMSM); PhSetDialogItemText(hwndDlg, IDC_ZKERNELTIMEPERIOD_V, timeSpan); PhSetDialogItemText(hwndDlg, IDC_ZPAGEFAULTS_V, PhaFormatUInt64(basicAndIo.BasicInfo.TotalPageFaultCount, TRUE)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZIOREADS_V, PhaFormatUInt64(basicAndIo.IoInfo.ReadOperationCount, TRUE)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZIOREADBYTES_V, PhaFormatSize(basicAndIo.IoInfo.ReadTransferCount, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZIOWRITES_V, PhaFormatUInt64(basicAndIo.IoInfo.WriteOperationCount, TRUE)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZIOWRITEBYTES_V, PhaFormatSize(basicAndIo.IoInfo.WriteTransferCount, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZIOOTHER_V, PhaFormatUInt64(basicAndIo.IoInfo.OtherOperationCount, TRUE)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZIOOTHERBYTES_V, PhaFormatSize(basicAndIo.IoInfo.OtherTransferCount, ULONG_MAX)->Buffer); } else { PhSetDialogItemText(hwndDlg, IDC_ZACTIVEPROCESSES_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZTOTALPROCESSES_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZTERMINATEDPROCESSES_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZUSERTIME_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZKERNELTIME_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZUSERTIMEPERIOD_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZKERNELTIMEPERIOD_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZPAGEFAULTS_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZIOREADS_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZIOREADBYTES_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZIOWRITES_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZIOWRITEBYTES_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZIOOTHER_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZIOOTHERBYTES_V, L"Unknown"); } if (jobHandle && NT_SUCCESS(PhGetJobExtendedLimits( jobHandle, &extendedLimitInfo ))) { PhSetDialogItemText(hwndDlg, IDC_ZPEAKPROCESSUSAGE_V, PhaFormatSize(extendedLimitInfo.PeakProcessMemoryUsed, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZPEAKJOBUSAGE_V, PhaFormatSize(extendedLimitInfo.PeakJobMemoryUsed, ULONG_MAX)->Buffer); } else { PhSetDialogItemText(hwndDlg, IDC_ZPEAKPROCESSUSAGE_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZPEAKJOBUSAGE_V, L"Unknown"); } if (jobHandle) NtClose(jobHandle); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ProcessesUpdatedCallback( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { PostMessage(Context, MSG_UPDATE, 0, 0); } INT_PTR CALLBACK PhpJobStatisticsPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PJOB_PAGE_CONTEXT jobPageContext; jobPageContext = PhpJobPageHeader(hwndDlg, uMsg, wParam, lParam); if (!jobPageContext) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhCenterWindow(GetParent(hwndDlg), GetParent(GetParent(hwndDlg))); // HACK PhpRefreshJobStatisticsInfo(hwndDlg, jobPageContext); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), ProcessesUpdatedCallback, hwndDlg, &jobPageContext->ProcessesUpdatedRegistration ); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhUnregisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), &jobPageContext->ProcessesUpdatedRegistration ); } break; case MSG_UPDATE: { PhpRefreshJobStatisticsInfo(hwndDlg, jobPageContext); } break; } return FALSE; } INT CALLBACK PhpJobStatisticsSheetProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam ) { if (uMsg == PSCB_INITIALIZED && PhEnableThemeSupport) { PhInitializeWindowTheme(hwndDlg, TRUE); } return 0; } ================================================ FILE: SystemInformer/kdump.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2019-2022 * */ #include typedef struct _PH_LIVE_DUMP_CONFIG { HWND WindowHandle; PPH_STRING FileName; NTSTATUS LastStatus; BOOLEAN KernelDumpActive; PH_LIVE_DUMP_OPTIONS Options; HANDLE FileHandle; HANDLE EventHandle; } PH_LIVE_DUMP_CONFIG, *PPH_LIVE_DUMP_CONFIG; _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpCreateLiveKernelDump( _In_ PPH_LIVE_DUMP_CONFIG Context ) { NTSTATUS status; SYSDBG_LIVEDUMP_CONTROL liveDumpControl; SYSDBG_LIVEDUMP_CONTROL_FLAGS flags; SYSDBG_LIVEDUMP_CONTROL_ADDPAGES pages; SYSDBG_LIVEDUMP_SELECTIVE_CONTROL selective; ULONG length; memset(&liveDumpControl, 0, sizeof(SYSDBG_LIVEDUMP_CONTROL)); memset(&flags, 0, sizeof(SYSDBG_LIVEDUMP_CONTROL_FLAGS)); memset(&pages, 0, sizeof(SYSDBG_LIVEDUMP_CONTROL_ADDPAGES)); memset(&selective, 0, sizeof(SYSDBG_LIVEDUMP_SELECTIVE_CONTROL)); if (Context->Options.UseDumpStorageStack) flags.UseDumpStorageStack = TRUE; if (Context->Options.CompressMemoryPages) flags.CompressMemoryPagesData = TRUE; if (Context->Options.IncludeUserSpaceMemory) flags.IncludeUserSpaceMemoryPages = TRUE; if (Context->Options.IncludeHypervisorPages) pages.HypervisorPages = TRUE; if (Context->Options.IncludeNonEssentialHypervisorPages) pages.NonEssentialHypervisorPages = TRUE; if (Context->Options.OnlyKernelThreadStacks) { liveDumpControl.Version = SYSDBG_LIVEDUMP_CONTROL_VERSION_2; flags.SelectiveDump = TRUE; length = sizeof(SYSDBG_LIVEDUMP_CONTROL); selective.Version = SYSDBG_LIVEDUMP_SELECTIVE_CONTROL_VERSION; selective.Size = sizeof(SYSDBG_LIVEDUMP_SELECTIVE_CONTROL); selective.ThreadKernelStacks = TRUE; liveDumpControl.SelectiveControl = &selective; } else { liveDumpControl.Version = SYSDBG_LIVEDUMP_CONTROL_VERSION_1; length = sizeof(SYSDBG_LIVEDUMP_CONTROL_V1); } liveDumpControl.DumpFileHandle = Context->FileHandle; liveDumpControl.CancelEventHandle = Context->EventHandle; liveDumpControl.Flags = flags; liveDumpControl.AddPagesControl = pages; status = NtSystemDebugControl( SysDbgGetLiveKernelDump, &liveDumpControl, length, NULL, 0, NULL ); Context->LastStatus = status; Context->KernelDumpActive = FALSE; PostMessage(Context->WindowHandle, TDM_CLICK_BUTTON, IDIGNORE, 0); return status; } HRESULT CALLBACK PhpLiveDumpPageCallbackProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { return S_OK; } HRESULT CALLBACK PhpLiveDumpProgressDialogCallbackProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { PPH_LIVE_DUMP_CONFIG context = (PPH_LIVE_DUMP_CONFIG)dwRefData; switch (uMsg) { case TDN_DIALOG_CONSTRUCTED: { SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); context->WindowHandle = hwndDlg; context->KernelDumpActive = TRUE; context->LastStatus = STATUS_SUCCESS; PhCreateEvent( &context->EventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, FALSE ); PhCreateThread2(PhpCreateLiveKernelDump, context); } break; case TDN_TIMER: { LARGE_INTEGER fileSize; if (NT_SUCCESS(PhGetFileSize(context->FileHandle, &fileSize))) { PH_FORMAT format[2]; WCHAR string[MAX_PATH]; if (fileSize.QuadPart) { PhInitFormatS(&format[0], L"Size: "); PhInitFormatSize(&format[1], fileSize.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), string, sizeof(string), NULL)) { SendMessage(context->WindowHandle, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)string); } } else { PhInitFormatS(&format[0], L"Initializing..."); if (PhFormatToBuffer(format, 1, string, sizeof(string), NULL)) { SendMessage(context->WindowHandle, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)string); } } } else { SendMessage(context->WindowHandle, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)L" "); } } break; case TDN_BUTTON_CLICKED: { ULONG buttonId = (ULONG)wParam; if (buttonId == IDIGNORE) { PPH_STRING statusMessage = NULL; TASKDIALOGCONFIG config; if (context->FileHandle) { if (!NT_SUCCESS(context->LastStatus)) PhSetFileDelete(context->FileHandle); NtClose(context->FileHandle); context->FileHandle = NULL; } memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); if (NT_SUCCESS(context->LastStatus)) { config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED; config.hMainIcon = PhGetApplicationIcon(FALSE); config.dwCommonButtons = TDCBF_CLOSE_BUTTON; config.pfCallback = PhpLiveDumpPageCallbackProc; config.lpCallbackData = (LONG_PTR)context; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Live kernel dump has been created."; config.pszContent = PhGetString(context->FileName); } else { config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED; config.hMainIcon = PhGetApplicationIcon(FALSE); config.dwCommonButtons = TDCBF_CLOSE_BUTTON; config.pfCallback = PhpLiveDumpPageCallbackProc; config.lpCallbackData = (LONG_PTR)context; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Unable to save the live kernel dump."; statusMessage = PhGetStatusMessage(context->LastStatus, 0); config.pszContent = PhGetString(statusMessage); } PhTaskDialogNavigatePage(context->WindowHandle, &config); if (statusMessage) PhDereferenceObject(statusMessage); return S_FALSE; } if (context->KernelDumpActive) { if (context->EventHandle) NtSetEvent(context->EventHandle, NULL); return S_FALSE; } } break; } return S_OK; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpLiveDumpTaskDialogThread( _In_ PVOID ThreadParameter ) { PPH_LIVE_DUMP_CONFIG context = (PPH_LIVE_DUMP_CONFIG)ThreadParameter; NTSTATUS status; TASKDIALOGCONFIG config; status = PhCreateFileWin32( &context->FileHandle, PhGetString(context->FileName), FILE_ALL_ACCESS, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) { PhShowStatus(NULL, L"Unable to save the live kernel dump.", status, 0); return status; } memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_SHOW_MARQUEE_PROGRESS_BAR | TDF_CALLBACK_TIMER | TDF_CAN_BE_MINIMIZED; config.hMainIcon = PhGetApplicationIcon(FALSE); config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.pfCallback = PhpLiveDumpProgressDialogCallbackProc; config.lpCallbackData = (LONG_PTR)context; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Processing live kernel dump..."; config.pszContent = L" "; config.cxWidth = 200; PhShowTaskDialog(&config, NULL, NULL, NULL); if (context->EventHandle) NtClose(context->EventHandle); if (context->FileName) PhDereferenceObject(context->FileName); PhFree(context); return STATUS_SUCCESS; } PPH_STRING PhpLiveDumpFileDialogFileName( _In_ HWND WindowHandle ) { static PH_FILETYPE_FILTER filters[] = { { L"Dump files (*.dmp)", L"*.dmp" }, { L"All files (*.*)", L"*.*" } }; PPH_STRING fileName = NULL; PVOID fileDialog; LARGE_INTEGER time; SYSTEMTIME systemTime; PPH_STRING dateString; PPH_STRING timeString; PPH_STRING suggestedFileName; PhQuerySystemTime(&time); PhLargeIntegerToLocalSystemTime(&systemTime, &time); dateString = PH_AUTO_T(PH_STRING, PhFormatDate(&systemTime, L"yyyy-MM-dd")); timeString = PH_AUTO_T(PH_STRING, PhFormatTime(&systemTime, L"HH-mm-ss")); suggestedFileName = PH_AUTO_T(PH_STRING, PhFormatString( L"%s_%s_%s.dmp", L"kerneldump", PhGetString(dateString), PhGetString(timeString) )); if (fileDialog = PhCreateSaveFileDialog()) { PhSetFileDialogFilter(fileDialog, filters, RTL_NUMBER_OF(filters)); PhSetFileDialogFileName(fileDialog, PhGetString(suggestedFileName)); PhSetFileDialogOptions(fileDialog, PH_FILEDIALOG_DONTADDTORECENT); if (PhShowFileDialog(WindowHandle, fileDialog)) { fileName = PhGetFileDialogFileName(fileDialog); } PhFreeFileDialog(fileDialog); } return fileName; } VOID PhUiCreateLiveDump( _In_ HWND ParentWindowHandle, _In_ PPH_LIVE_DUMP_OPTIONS Options ) { PPH_LIVE_DUMP_CONFIG dumpConfig; dumpConfig = PhAllocateZero(sizeof(PH_LIVE_DUMP_CONFIG)); dumpConfig->Options = *Options; dumpConfig->FileName = PhpLiveDumpFileDialogFileName(ParentWindowHandle); if (!PhIsNullOrEmptyString(dumpConfig->FileName)) { PhCreateThread2(PhpLiveDumpTaskDialogThread, dumpConfig); } else { if (dumpConfig->FileName) PhDereferenceObject(dumpConfig->FileName); PhFree(dumpConfig); } } INT_PTR CALLBACK PhpLiveDumpDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, NULL); if (!PhGetOwnTokenAttributes().Elevated) { Button_SetElevationRequiredState(GetDlgItem(hwndDlg, IDOK), TRUE); } PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { PH_LIVE_DUMP_OPTIONS options; if (!PhGetOwnTokenAttributes().Elevated) { PhShowStatus(hwndDlg, L"Unable to create live kernel dump.", 0, ERROR_ELEVATION_REQUIRED); break; } memset(&options, 0, sizeof(PH_LIVE_DUMP_OPTIONS)); options.CompressMemoryPages = Button_GetCheck(GetDlgItem(hwndDlg, IDC_COMPRESS)) == BST_CHECKED; options.IncludeUserSpaceMemory = Button_GetCheck(GetDlgItem(hwndDlg, IDC_USERMODE)) == BST_CHECKED; options.IncludeHypervisorPages = Button_GetCheck(GetDlgItem(hwndDlg, IDC_HYPERVISOR)) == BST_CHECKED; options.OnlyKernelThreadStacks = Button_GetCheck(GetDlgItem(hwndDlg, IDC_ONLYKERNELTHREADSTACKS)) == BST_CHECKED; options.UseDumpStorageStack = Button_GetCheck(GetDlgItem(hwndDlg, IDC_DUMPSTACK)) == BST_CHECKED; options.IncludeNonEssentialHypervisorPages = Button_GetCheck(GetDlgItem(hwndDlg, IDC_HYPERVISORNONESSENTIAL)) == BST_CHECKED; PhUiCreateLiveDump(hwndDlg, &options); EndDialog(hwndDlg, IDCANCEL); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhShowLiveDumpDialog( _In_ HWND ParentWindowHandle ) { PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_LIVEDUMP), ParentWindowHandle, PhpLiveDumpDlgProc, NULL ); } ================================================ FILE: SystemInformer/ksidbg.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023 * */ #include #include #include #include #include #include #include #ifdef DEBUG typedef _Function_class_(KSI_DEBUG_LOG_GET_LOG_STRING) PPH_STRING KSI_DEBUG_LOG_GET_LOG_STRING( _In_ PCKPH_MESSAGE Message ); typedef KSI_DEBUG_LOG_GET_LOG_STRING* PKSI_DEBUG_LOG_GET_LOG_STRING; typedef struct _KSI_DEBUG_LOG_DEF { PH_STRINGREF Name; PKSI_DEBUG_LOG_GET_LOG_STRING GetLogString; } SI_DEBUG_LOG_DEF, *PSI_DEBUG_LOG_DEF; static BOOLEAN KsiDebugLogEnabled = FALSE; static PH_FAST_LOCK KsiDebugLogFileStreamLock = PH_FAST_LOCK_INIT; static PPH_FILE_STREAM KsiDebugLogFileStream = NULL; static CONST PH_STRINGREF KsiDebugLogSuffix = PH_STRINGREF_INIT(L"\\Desktop\\ksidbg.log"); static BOOLEAN KsiDebugRawEnabled = FALSE; static PH_FAST_LOCK KsiDebugRawFileStreamLock = PH_FAST_LOCK_INIT; static PPH_FILE_STREAM KsiDebugRawFileStream = NULL; static CONST PH_STRINGREF KsiDebugRawSuffix = PH_STRINGREF_INIT(L"\\Desktop\\ksidbg.bin"); static PH_CALLBACK_REGISTRATION KsiDebugMessageRegistration = { NULL }; PPH_STRING KsiDebugLogProcessCreate( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING fileName; UNICODE_STRING commandLine; KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName); KphMsgDynGetUnicodeString(Message, KphMsgFieldCommandLine, &commandLine); return PhFormatString( L"%04x:%04x:%016llx created process %lu (%016llx)%ls(parent %lu (%016llx)) \"%wZ\" \"%wZ\"", HandleToUlong(Message->Kernel.ProcessCreate.CreatingClientId.UniqueProcess), HandleToUlong(Message->Kernel.ProcessCreate.CreatingClientId.UniqueThread), Message->Kernel.ProcessCreate.CreatingProcessStartKey, HandleToUlong(Message->Kernel.ProcessCreate.TargetProcessId), Message->Kernel.ProcessCreate.TargetProcessStartKey, Message->Kernel.ProcessCreate.IsSubsystemProcess ? L" subsystem process " : L" ", HandleToUlong(Message->Kernel.ProcessCreate.ParentProcessId), Message->Kernel.ProcessCreate.ParentProcessStartKey, &fileName, &commandLine ); } PPH_STRING KsiDebugLogProcessExit( _In_ PCKPH_MESSAGE Message ) { PPH_STRING result; PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.ProcessExit.ExitStatus, 0); result = PhFormatString( L"%04x:%04x:%016llx process exited with %ls (0x%08x)", HandleToUlong(Message->Kernel.ProcessExit.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.ProcessExit.ClientId.UniqueThread), Message->Kernel.ProcessExit.ProcessStartKey, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.ProcessExit.ExitStatus ); PhMoveReference(&statusMessage, NULL); return result; } PPH_STRING KsiDebugLogThreadCreate( _In_ PCKPH_MESSAGE Message ) { return PhFormatString( L"%04x:%04x:%016llx thread %lu created in process %lu (%016llx)", HandleToUlong(Message->Kernel.ThreadCreate.CreatingClientId.UniqueProcess), HandleToUlong(Message->Kernel.ThreadCreate.CreatingClientId.UniqueThread), Message->Kernel.ThreadCreate.CreatingProcessStartKey, HandleToUlong(Message->Kernel.ThreadCreate.TargetClientId.UniqueThread), HandleToUlong(Message->Kernel.ThreadCreate.TargetClientId.UniqueProcess), Message->Kernel.ThreadCreate.TargetProcessStartKey ); } PPH_STRING KsiDebugLogThreadExecute( _In_ PCKPH_MESSAGE Message ) { return PhFormatString( L"%04x:%04x:%016llx thread beginning execution", HandleToUlong(Message->Kernel.ThreadExecute.ClientId.UniqueThread), HandleToUlong(Message->Kernel.ThreadExecute.ClientId.UniqueProcess), Message->Kernel.ThreadExecute.ProcessStartKey ); } PPH_STRING KsiDebugLogThreadExit( _In_ PCKPH_MESSAGE Message ) { PPH_STRING result; PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.ThreadExit.ExitStatus, 0); result = PhFormatString( L"%04x:%04x:%016llx thread exited with %ls (0x%08x)", HandleToUlong(Message->Kernel.ThreadExit.ClientId.UniqueThread), HandleToUlong(Message->Kernel.ThreadExit.ClientId.UniqueProcess), Message->Kernel.ThreadExit.ProcessStartKey, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.ThreadExit.ExitStatus ); PhMoveReference(&statusMessage, NULL); return result; } PPH_STRING KsiDebugLogImageLoad( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING fileName; KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName); return PhFormatString( L"%04x:%04x:%016llx image \"%wZ\" loaded into process %lu (%016llx) at %p", HandleToUlong(Message->Kernel.ImageLoad.LoadingClientId.UniqueProcess), HandleToUlong(Message->Kernel.ImageLoad.LoadingClientId.UniqueThread), Message->Kernel.ImageLoad.LoadingProcessStartKey, &fileName, HandleToUlong(Message->Kernel.ImageLoad.TargetProcessId), Message->Kernel.ImageLoad.TargetProcessStartKey, Message->Kernel.ImageLoad.ImageBase ); } PPH_STRING KsiDebugLogDebugPrint( _In_ PCKPH_MESSAGE Message ) { ANSI_STRING output; KphMsgDynGetAnsiString(Message, KphMsgFieldOutput, &output); while (output.Length > 0) { CHAR c = output.Buffer[output.Length - 1]; if (c != '\r' && c != '\n') break; output.Length--; } return PhFormatString( L"%04x:%04x 0x%08x 0x%08x\r\n%hZ", HandleToUlong(Message->Kernel.DebugPrint.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.DebugPrint.ContextClientId.UniqueThread), Message->Kernel.DebugPrint.ComponentId, Message->Kernel.DebugPrint.Level, &output ); } PPH_STRING KsiDebugLogHandleProcess( _In_ PCKPH_MESSAGE Message ) { PPH_STRING result; if (Message->Kernel.Handle.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Handle.Post.ReturnStatus, 0); if (Message->Kernel.Handle.Duplicate) { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu granted 0x%08x (desired 0x%08x, original 0x%08x) to process %lu (duplicate %lu -> %lu) %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Post.GrantedAccess, Message->Kernel.Handle.Post.DesiredAccess, Message->Kernel.Handle.Post.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Post.Duplicate.Process.ProcessId), HandleToUlong(Message->Kernel.Handle.Post.Duplicate.SourceProcessId), HandleToUlong(Message->Kernel.Handle.Post.Duplicate.TargetProcessId), Message->Kernel.Handle.Post.PreSequence, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Handle.Post.PreTimeStamp.QuadPart), PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Handle.Post.ReturnStatus ); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu granted 0x%08x (desired 0x%08x, original 0x%08x) to process %lu %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Post.GrantedAccess, Message->Kernel.Handle.Post.DesiredAccess, Message->Kernel.Handle.Post.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Post.Create.Process.ProcessId), Message->Kernel.Handle.Post.PreSequence, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Handle.Post.PreTimeStamp.QuadPart), PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Handle.Post.ReturnStatus ); } PhClearReference(&statusMessage); } else { if (Message->Kernel.Handle.Duplicate) { result = PhFormatString( L"%04x:%04x:%016llx %c %p desires 0x%08x (original 0x%08x) to process %lu (duplicate %lu -> %lu)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Pre.DesiredAccess, Message->Kernel.Handle.Pre.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.Process.ProcessId), HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.SourceProcessId), HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.TargetProcessId) ); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p desires 0x%08x (original 0x%08x) to process %lu", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Pre.DesiredAccess, Message->Kernel.Handle.Pre.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Pre.Create.Process.ProcessId) ); } } return result; } PPH_STRING KsiDebugLogHandleThread( _In_ PCKPH_MESSAGE Message ) { PPH_STRING result; if (Message->Kernel.Handle.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Handle.Post.ReturnStatus, 0); if (Message->Kernel.Handle.Duplicate) { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu granted 0x%08x (desired 0x%08x, original 0x%08x) to thread %lu (process %lu, duplicate %lu -> %lu) %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Post.GrantedAccess, Message->Kernel.Handle.Post.DesiredAccess, Message->Kernel.Handle.Post.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Post.Duplicate.Thread.ClientId.UniqueThread), HandleToUlong(Message->Kernel.Handle.Post.Duplicate.Thread.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.Post.Duplicate.SourceProcessId), HandleToUlong(Message->Kernel.Handle.Post.Duplicate.TargetProcessId), Message->Kernel.Handle.Post.PreSequence, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Handle.Post.PreTimeStamp.QuadPart), PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Handle.Post.ReturnStatus ); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu granted 0x%08x (desired 0x%08x, original 0x%08x) to thread %lu (process %lu) %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Post.GrantedAccess, Message->Kernel.Handle.Post.DesiredAccess, Message->Kernel.Handle.Post.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Post.Create.Thread.ClientId.UniqueThread), HandleToUlong(Message->Kernel.Handle.Post.Create.Thread.ClientId.UniqueProcess), Message->Kernel.Handle.Post.PreSequence, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Handle.Post.PreTimeStamp.QuadPart), PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Handle.Post.ReturnStatus ); } PhClearReference(&statusMessage); } else { if (Message->Kernel.Handle.Duplicate) { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu desires 0x%08x (original 0x%08x) to thread %lu (process %lu, duplicate %lu -> %lu)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Pre.DesiredAccess, Message->Kernel.Handle.Pre.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.Thread.ClientId.UniqueThread), HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.Thread.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.SourceProcessId), HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.TargetProcessId) ); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu desires 0x%08x (original 0x%08x) to thread %lu (process %lu)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Pre.DesiredAccess, Message->Kernel.Handle.Pre.OriginalDesiredAccess, HandleToUlong(Message->Kernel.Handle.Pre.Create.Thread.ClientId.UniqueThread), HandleToUlong(Message->Kernel.Handle.Pre.Create.Thread.ClientId.UniqueProcess) ); } } return result; } PPH_STRING KsiDebugLogHandleDesktop( _In_ PCKPH_MESSAGE Message ) { PPH_STRING result; UNICODE_STRING objectName; KphMsgDynGetUnicodeString(Message, KphMsgFieldObjectName, &objectName); if (Message->Kernel.Handle.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Handle.Post.ReturnStatus, 0); if (Message->Kernel.Handle.Duplicate) { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu granted 0x%08x (desired 0x%08x, original 0x%08x) to desktop \"%wZ\" (duplicate %lu -> %lu) %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Post.GrantedAccess, Message->Kernel.Handle.Post.DesiredAccess, Message->Kernel.Handle.Post.OriginalDesiredAccess, &objectName, HandleToUlong(Message->Kernel.Handle.Post.Duplicate.SourceProcessId), HandleToUlong(Message->Kernel.Handle.Post.Duplicate.TargetProcessId), Message->Kernel.Handle.Post.PreSequence, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Handle.Post.PreTimeStamp.QuadPart), PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Handle.Post.ReturnStatus ); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu granted 0x%08x (desired 0x%08x, original 0x%08x) to desktop \"%wZ\" %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Post.GrantedAccess, Message->Kernel.Handle.Post.DesiredAccess, Message->Kernel.Handle.Post.OriginalDesiredAccess, &objectName, Message->Kernel.Handle.Post.PreSequence, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Handle.Post.PreTimeStamp.QuadPart), PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Handle.Post.ReturnStatus ); } PhClearReference(&statusMessage); } else { if (Message->Kernel.Handle.Duplicate) { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu desires 0x%08x (original 0x%08x) to desktop \"%wZ\" (duplicate %lu -> %lu)", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Pre.DesiredAccess, Message->Kernel.Handle.Pre.OriginalDesiredAccess, &objectName, HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.SourceProcessId), HandleToUlong(Message->Kernel.Handle.Pre.Duplicate.TargetProcessId) ); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu desires 0x%08x (original 0x%08x) to desktop \"%wZ\"", HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueProcess), HandleToUlong(Message->Kernel.Handle.ContextClientId.UniqueThread), Message->Kernel.Handle.ContextProcessStartKey, (Message->Kernel.Handle.KernelHandle ? 'K' : 'U'), Message->Kernel.Handle.Object, Message->Kernel.Handle.Sequence, Message->Kernel.Handle.Pre.DesiredAccess, Message->Kernel.Handle.Pre.OriginalDesiredAccess, &objectName ); } } return result; } PPH_STRING KsiDebugLogRequiredStateFailure( _In_ PCKPH_MESSAGE Message ) { return PhFormatString( L"%04x:%04x required state failure, message %lu, state 0x%08x, required 0x%08x", HandleToUlong(Message->Kernel.RequiredStateFailure.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.RequiredStateFailure.ClientId.UniqueThread), (ULONG)Message->Kernel.RequiredStateFailure.MessageId, Message->Kernel.RequiredStateFailure.ClientState, Message->Kernel.RequiredStateFailure.RequiredState ); } PPH_STRING KsiDebugLogFileCommon( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING fileName; PPH_STRING result; KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName); if (FlagOn(Message->Kernel.File.FltFlags, FLTFL_CALLBACK_DATA_POST_OPERATION)) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.File.Post.IoStatus.Status, 0); result = PhFormatString( L"%04x:%04x:%016llx %lu %p %llu \"%wZ\" %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.File.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.File.ClientId.UniqueThread), Message->Kernel.File.ProcessStartKey, (ULONG)Message->Kernel.File.Irql, Message->Kernel.File.FileObject, Message->Kernel.File.Sequence, &fileName, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.File.Post.PreTimeStamp.QuadPart), Message->Kernel.File.Post.PreSequence, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.File.Post.IoStatus.Status ); PhClearReference(&statusMessage); } else { result = PhFormatString( L"%04x:%04x:%016llx %lu %p %llu \"%wZ\"", HandleToUlong(Message->Kernel.File.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.File.ClientId.UniqueThread), Message->Kernel.File.ProcessStartKey, (ULONG)Message->Kernel.File.Irql, Message->Kernel.File.FileObject, Message->Kernel.File.Sequence, &fileName ); } if (Message->Kernel.File.IsPagingFile) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", paging file")); if (Message->Kernel.File.IsSystemPagingFile) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", system paging file")); if (Message->Kernel.File.OriginRemote) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", remote origin")); if (Message->Kernel.File.IgnoringSharing) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", ignoring sharing")); if (Message->Kernel.File.InStackFileObject) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", in stack file object")); if (Message->Kernel.File.DeletePending) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", delete pending")); if (!Message->Kernel.File.SharedRead && !Message->Kernel.File.SharedWrite && !Message->Kernel.File.SharedDelete) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", opened exclusively")); if (Message->Kernel.File.Busy) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", busy")); if (Message->Kernel.File.Waiters) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", waiters")); if (Message->Kernel.File.OplockKeyContext.Version) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", oplock key")); if (Message->Kernel.File.Transaction) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", transaction")); if (Message->Kernel.File.DataSectionObject) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", data section")); if (Message->Kernel.File.ImageSectionObject) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", image section")); if (Message->Kernel.File.OpenedAsCopySource) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", copy source")); if (Message->Kernel.File.OpenedAsCopyDestination) PhMoveReference(&result, PhConcatStringRefZ(&result->sr, L", copy destination")); return result; } PPH_STRING KsiDebugLogRegCommon( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING objectName; PPH_STRING result; KphMsgDynGetUnicodeString(Message, KphMsgFieldObjectName, &objectName); if (Message->Kernel.Reg.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Reg.Post.Status, 0); result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Reg.Post.PreTimeStamp.QuadPart), Message->Kernel.Reg.Post.PreSequence, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Reg.Post.Status ); PhClearReference(&statusMessage); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\"", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName ); } return result; } PPH_STRING KsiDebugLogRegCommonWithValue( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING objectName; UNICODE_STRING valueName; PPH_STRING result; KphMsgDynGetUnicodeString(Message, KphMsgFieldObjectName, &objectName); KphMsgDynGetUnicodeString(Message, KphMsgFieldValueName, &valueName); if (Message->Kernel.Reg.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Reg.Post.Status, 0); result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" \"%wZ\" %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, &valueName, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Reg.Post.PreTimeStamp.QuadPart), Message->Kernel.Reg.Post.PreSequence, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Reg.Post.Status ); PhClearReference(&statusMessage); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" \"%wZ\"", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, &valueName ); } return result; } PPH_STRING KsiDebugLogRegCommonWithMultipleValues( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING objectName; UNICODE_STRING valueNames; PPH_STRING values; PPH_STRING result; KphMsgDynGetUnicodeString(Message, KphMsgFieldObjectName, &objectName); KphMsgDynGetUnicodeString(Message, KphMsgFieldMultipleValueNames, &valueNames); values = NULL; if (valueNames.Length) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 100); for (;;) { PH_STRINGREF sr; PhInitializeStringRef(&sr, valueNames.Buffer); if (!sr.Length) { break; } PhAppendStringBuilder2(&stringBuilder, L"\""); PhAppendStringBuilder(&stringBuilder, &sr); PhAppendStringBuilder2(&stringBuilder, L"\", "); valueNames.Buffer = PTR_ADD_OFFSET(valueNames.Buffer, sr.Length + sizeof(WCHAR)); valueNames.Length -= (USHORT)(sr.Length + sizeof(WCHAR)); valueNames.MaximumLength -= (USHORT)(sr.Length + sizeof(WCHAR)); } if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); values = PhFinalStringBuilderString(&stringBuilder); } if (Message->Kernel.Reg.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Reg.Post.Status, 0); result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" %ls %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, PhGetStringOrDefault(values, L"NULL"), (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Reg.Post.PreTimeStamp.QuadPart), Message->Kernel.Reg.Post.PreSequence, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Reg.Post.Status ); PhClearReference(&statusMessage); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" %ls", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, PhGetStringOrDefault(values, L"NULL") ); } return result; } PPH_STRING KsiDebugLogRegSaveRestoreKey( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING objectName; UNICODE_STRING fileName; PPH_STRING result; KphMsgDynGetUnicodeString(Message, KphMsgFieldObjectName, &objectName); KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName); if (Message->Kernel.Reg.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Reg.Post.Status, 0); result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" \"%wZ\" %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, &fileName, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Reg.Post.PreTimeStamp.QuadPart), Message->Kernel.Reg.Post.PreSequence, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Reg.Post.Status ); PhClearReference(&statusMessage); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" \"%wZ\"", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, &fileName ); } return result; } PPH_STRING KsiDebugLogRegReplaceKey( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING objectName; UNICODE_STRING fileName; UNICODE_STRING destFileName; PPH_STRING result; KphMsgDynGetUnicodeString(Message, KphMsgFieldObjectName, &objectName); KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName); KphMsgDynGetUnicodeString(Message, KphMsgFieldDestinationFileName, &destFileName); if (Message->Kernel.Reg.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Reg.Post.Status, 0); result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" -> \"%wZ\" -> \"%wZ\" %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &fileName, &objectName, &destFileName, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Reg.Post.PreTimeStamp.QuadPart), Message->Kernel.Reg.Post.PreSequence, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Reg.Post.Status ); PhClearReference(&statusMessage); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" -> \"%wZ\" -> \"%wZ\"", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &fileName, &objectName, &destFileName ); } return result; } PPH_STRING KsiDebugLogSaveMergedKey( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING objectName; UNICODE_STRING otherObjectName; UNICODE_STRING fileName; PPH_STRING result; KphMsgDynGetUnicodeString(Message, KphMsgFieldObjectName, &objectName); KphMsgDynGetUnicodeString(Message, KphMsgFieldOtherObjectName, &otherObjectName); KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName); if (Message->Kernel.Reg.PostOperation) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Message->Kernel.Reg.Post.Status, 0); result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" + \"%wZ\" -> \"%wZ\" %llu %llu %ls (0x%08x)", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, &otherObjectName, &fileName, (ULONG64)(Message->Header.TimeStamp.QuadPart - Message->Kernel.Reg.Post.PreTimeStamp.QuadPart), Message->Kernel.Reg.Post.PreSequence, PhGetStringOrDefault(statusMessage, L"UNKNOWN"), Message->Kernel.Reg.Post.Status ); PhClearReference(&statusMessage); } else { result = PhFormatString( L"%04x:%04x:%016llx %c %p %llu \"%wZ\" + \"%wZ\" -> \"%wZ\"", HandleToUlong(Message->Kernel.Reg.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.Reg.ClientId.UniqueThread), Message->Kernel.Reg.ProcessStartKey, (Message->Kernel.Reg.PreviousMode ? 'U' : 'K'), Message->Kernel.Reg.Object, Message->Kernel.Reg.Sequence, &objectName, &otherObjectName, &fileName ); } return result; } PPH_STRING KsiDebugLogImageVerify( _In_ PCKPH_MESSAGE Message ) { PPH_STRING result; UNICODE_STRING fileName; UNICODE_STRING registryPath; UNICODE_STRING certificatePublisher; UNICODE_STRING certificateIssuer; KPHM_SIZED_BUFFER imageHash; KPHM_SIZED_BUFFER thumbprint; PPH_STRING imageHashString; PPH_STRING thumbprintString; KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName); KphMsgDynGetUnicodeString(Message, KphMsgFieldRegistryPath, ®istryPath); KphMsgDynGetUnicodeString(Message, KphMsgFieldCertificatePublisher, &certificatePublisher); KphMsgDynGetUnicodeString(Message, KphMsgFieldCertificateIssuer, &certificateIssuer); KphMsgDynGetSizedBuffer(Message, KphMsgFieldHash, &imageHash); KphMsgDynGetSizedBuffer(Message, KphMsgFieldCertificateThumbprint, &thumbprint); imageHashString = PhBufferToHexString(imageHash.Buffer, imageHash.Size); thumbprintString = PhBufferToHexString(thumbprint.Buffer, thumbprint.Size); result = PhFormatString( L"%04x:%04x:%016llx %lu %lu 0x%08x %lu %lu \"%wZ\" %ls \"%wZ\" \"%wZ\" \"%wZ\" %ls", HandleToUlong(Message->Kernel.ImageVerify.ClientId.UniqueProcess), HandleToUlong(Message->Kernel.ImageVerify.ClientId.UniqueThread), Message->Kernel.ImageVerify.ProcessStartKey, Message->Kernel.ImageVerify.ImageType, Message->Kernel.ImageVerify.Classification, Message->Kernel.ImageVerify.ImageFlags, Message->Kernel.ImageVerify.ImageHashAlgorithm, Message->Kernel.ImageVerify.ThumbprintHashAlgorithm, &fileName, PhGetString(imageHashString), ®istryPath, &certificatePublisher, &certificateIssuer, PhGetString(thumbprintString) ); PhDereferenceObject(imageHashString); PhDereferenceObject(thumbprintString); return result; } static SI_DEBUG_LOG_DEF KsiDebugLogDefs[] = { { PH_STRINGREF_INIT(L"ProcessCreate "), KsiDebugLogProcessCreate }, { PH_STRINGREF_INIT(L"ProcessExit "), KsiDebugLogProcessExit }, { PH_STRINGREF_INIT(L"ThreadCreate "), KsiDebugLogThreadCreate }, { PH_STRINGREF_INIT(L"ThreadExecute "), KsiDebugLogThreadExecute }, { PH_STRINGREF_INIT(L"ThreadExit "), KsiDebugLogThreadExit }, { PH_STRINGREF_INIT(L"ImageLoad "), KsiDebugLogImageLoad }, { PH_STRINGREF_INIT(L"DebugPrint "), KsiDebugLogDebugPrint }, { PH_STRINGREF_INIT(L"HandlePreCreateProc "), KsiDebugLogHandleProcess }, { PH_STRINGREF_INIT(L"HandlePostCreateProc "), KsiDebugLogHandleProcess }, { PH_STRINGREF_INIT(L"HandlePreDupeProc "), KsiDebugLogHandleProcess }, { PH_STRINGREF_INIT(L"HandlePostDupeProc "), KsiDebugLogHandleProcess }, { PH_STRINGREF_INIT(L"HandlePreCreateThrd "), KsiDebugLogHandleThread }, { PH_STRINGREF_INIT(L"HandlePostCreateThrd "), KsiDebugLogHandleThread }, { PH_STRINGREF_INIT(L"HandlePreDupeThrd "), KsiDebugLogHandleThread }, { PH_STRINGREF_INIT(L"HandlePostDupeThrd "), KsiDebugLogHandleThread }, { PH_STRINGREF_INIT(L"HandlePreCreateDskp "), KsiDebugLogHandleDesktop }, { PH_STRINGREF_INIT(L"HandlePostCreateDskp "), KsiDebugLogHandleDesktop }, { PH_STRINGREF_INIT(L"HandlePreDupeDskp "), KsiDebugLogHandleDesktop }, { PH_STRINGREF_INIT(L"HandlePostDupeDskp "), KsiDebugLogHandleDesktop }, { PH_STRINGREF_INIT(L"ReqiredStateFailure "), KsiDebugLogRequiredStateFailure }, { PH_STRINGREF_INIT(L"PreCreate "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostCreate "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreCreateNamedPipe "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostCreateNamedPipe "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreClose "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostClose "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreRead "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostRead "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreQueryInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostQueryInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreSetInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostSetInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreQueryEa "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostQueryEa "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreSetEa "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostSetEa "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreFlushBuffs "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostFlushBuffs "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreQueryVolumeInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostQueryVolumeInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreSetVolumeInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostSetVolumeInfo "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreDirControl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostDirControl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreFileSystemCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostFileSystemCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreDeviceCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostDeviceCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreItrnlDeviceCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PosItrnlDeviceCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreShutdown "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostShutdown "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreLockCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostLockCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreCleanup "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostCleanup "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreCreateMailslot "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostCreateMailslot "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreQuerySecurity "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostQuerySecurity "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreSetSecurity "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostSetSecurity "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PrePower "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostPower "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreSystemCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostSystemCtrl "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreDeviceChange "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostDeviceChange "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreQueryQuota "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostQueryQuota "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreSetQuota "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostSetQuota "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PrePnp "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostPnp "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreAcqForSecSync "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostAcqForSecSync "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreRelForSecSync "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostRelForSecSync "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreAcqForModWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostAcqForModWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreRelForModWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostRelForModWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreAcqForCcFlush "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostAcqForCcFlush "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreRelForCcFlush "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostRelForCcFlush "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreQueryOpen "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostQueryOpen "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreFastIoCheck "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostFastIoCheck "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreNetworkQueryOpen "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostNetworkQueryOpen "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreMdlRead "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostMdlRead "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreMdlReadComplete "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostMdlReadComplete "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PrePrepareMdlWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostPrepareMdlWrite "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreMdlWriteComplete "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostMdlWriteComplete "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreVolumeMount "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostVolumeMount "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PreVolumeDismount "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"PostVolumeDismount "), KsiDebugLogFileCommon }, { PH_STRINGREF_INIT(L"RegPreDeleteKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostDeleteKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreSetValueKey "), KsiDebugLogRegCommonWithValue }, { PH_STRINGREF_INIT(L"RegPostSetValueKey "), KsiDebugLogRegCommonWithValue }, { PH_STRINGREF_INIT(L"RegPreDeleteValueKey "), KsiDebugLogRegCommonWithValue }, { PH_STRINGREF_INIT(L"RegPostDeleteValueKey"), KsiDebugLogRegCommonWithValue }, { PH_STRINGREF_INIT(L"RegPreSetInfoKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostSetInfoKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreRenameKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostRenameKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreEnumKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostEnumKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreEnumValueKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostEnumValueKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreQueryKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostQueryKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreQueryValueKey "), KsiDebugLogRegCommonWithValue }, { PH_STRINGREF_INIT(L"RegPostQueryValueKey "), KsiDebugLogRegCommonWithValue }, { PH_STRINGREF_INIT(L"RegPreQueryMValueKey "), KsiDebugLogRegCommonWithMultipleValues }, { PH_STRINGREF_INIT(L"RegPostQueryMValueKey"), KsiDebugLogRegCommonWithMultipleValues }, { PH_STRINGREF_INIT(L"RegPreKeyHandleClose "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostKeyHandleClose"), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreCreateKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostCreateKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreOpenKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostOpenKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreFlushKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostFlushKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreLoadKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostLoadKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreUnLoadKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostUnLoadKey "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreQueryKeySec "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostQueryKeySec "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreSetKeySec "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostSetKeySec "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreRestoreKey "), KsiDebugLogRegSaveRestoreKey }, { PH_STRINGREF_INIT(L"RegPostRestoreKey "), KsiDebugLogRegSaveRestoreKey }, { PH_STRINGREF_INIT(L"RegPreSaveKey "), KsiDebugLogRegSaveRestoreKey }, { PH_STRINGREF_INIT(L"RegPostSaveKey "), KsiDebugLogRegSaveRestoreKey }, { PH_STRINGREF_INIT(L"RegPreReplaceKey "), KsiDebugLogRegReplaceKey }, { PH_STRINGREF_INIT(L"RegPostReplaceKey "), KsiDebugLogRegReplaceKey }, { PH_STRINGREF_INIT(L"RegPreQueryKeyName "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPostQueryKeyName "), KsiDebugLogRegCommon }, { PH_STRINGREF_INIT(L"RegPreSaveMergedKey "), KsiDebugLogSaveMergedKey }, { PH_STRINGREF_INIT(L"RegPostSaveMergedKey "), KsiDebugLogSaveMergedKey }, { PH_STRINGREF_INIT(L"ImageVerify "), KsiDebugLogImageVerify }, }; C_ASSERT((RTL_NUMBER_OF(KsiDebugLogDefs) + (MaxKphMsgClientAllowed + 1)) == MaxKphMsg); PPH_STRING KsiDebugLogGetTimeString( _In_ PCKPH_MESSAGE Message ) { PPH_STRING result; SYSTEMTIME systemTime; PPH_STRING date; PPH_STRING time; PhLargeIntegerToSystemTime(&systemTime, (PLARGE_INTEGER)&Message->Header.TimeStamp); date = PhFormatDate(&systemTime, L"yyyy-MM-dd "); time = PhFormatTime(&systemTime, L"hh':'mm':'ss tt"); result = PhConcatStringRef2(&date->sr, &time->sr); PhDereferenceObject(time); PhDereferenceObject(date); return result; } BOOLEAN KsiDebugLogSkip( _In_ PCKPH_MESSAGE Message ) { UNICODE_STRING fileName; if (NT_SUCCESS(KphMsgDynGetUnicodeString(Message, KphMsgFieldFileName, &fileName))) { PH_STRINGREF sr; PhUnicodeStringToStringRef(&fileName, &sr); if (PhEndsWithStringRef(&sr, &KsiDebugLogSuffix, TRUE)) return TRUE; if (PhEndsWithStringRef(&sr, &KsiDebugRawSuffix, TRUE)) return TRUE; } return FALSE; } VOID KsiDebugLogMessageLog( _In_ PCKPH_MESSAGE Message ) { ULONG index; PPH_STRING time; PPH_STRING log; PH_FORMAT format[7]; PPH_STRING line; KPHM_STACK_TRACE stack; if (!KsiDebugLogFileStream || KsiDebugLogSkip(Message)) return; assert(Message->Header.MessageId > MaxKphMsgClientAllowed); assert(Message->Header.MessageId < MaxKphMsg); index = (Message->Header.MessageId - (MaxKphMsgClientAllowed + 1)); assert(index < RTL_NUMBER_OF(KsiDebugLogDefs)); time = KsiDebugLogGetTimeString(Message); if (KsiDebugLogDefs[index].GetLogString) log = KsiDebugLogDefs[index].GetLogString(Message); else log = PhReferenceEmptyString(); PhInitFormatC(&format[0], L'['); PhInitFormatSR(&format[1], time->sr); PhInitFormatS(&format[2], L" - "); PhInitFormatSR(&format[3], KsiDebugLogDefs[index].Name); PhInitFormatS(&format[4], L"] "); PhInitFormatSR(&format[5], log->sr); PhInitFormatS(&format[6], L"\r\n"); line = PhFormat(format, RTL_NUMBER_OF(format), 32); if (NT_SUCCESS(KphMsgDynGetStackTrace(Message, KphMsgFieldStackTrace, &stack))) { PH_STRING_BUILDER stringBuilder; WCHAR buffer[PH_PTR_STR_LEN_1]; PhInitializeStringBuilder(&stringBuilder, line->Length + 100); PhAppendStringBuilder(&stringBuilder, &line->sr); for (ULONG i = 0; i < stack.Count; i++) { // TODO(jxy-s) resolve symbols PhPrintPointerPadZeros(buffer, stack.Frames[i]); PhAppendStringBuilder2(&stringBuilder, buffer); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } PhMoveReference(&line, PhFinalStringBuilderString(&stringBuilder)); } PhAcquireFastLockExclusive(&KsiDebugLogFileStreamLock); PhWriteStringAsUtf8FileStream(KsiDebugLogFileStream, &line->sr); PhReleaseFastLockExclusive(&KsiDebugLogFileStreamLock); PhDereferenceObject(line); PhDereferenceObject(log); PhDereferenceObject(time); } VOID KsiDebugLogMessageRaw( _In_ PCKPH_MESSAGE Message ) { if (!KsiDebugRawFileStream || KsiDebugLogSkip(Message)) return; PhAcquireFastLockExclusive(&KsiDebugRawFileStreamLock); PhWriteFileStream(KsiDebugRawFileStream, (PVOID)Message, Message->Header.Size); PhReleaseFastLockExclusive(&KsiDebugRawFileStreamLock); } volatile ULONG64 KsiMessagesReceived = 0; volatile ULONG64 KsiBytesReceived = 0; _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI KsiDebugLogMessageCallback( _In_ PPH_INFORMER_CONTEXT Informer, _In_opt_ PVOID Context ) { KsiDebugLogMessageRaw(Informer->Message); KsiDebugLogMessageLog(Informer->Message); InterlockedIncrementRelease64(&KsiMessagesReceived); InterlockedAddRelease64(&KsiBytesReceived, Informer->Message->Header.Size); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI KsiDebugMonitorRoutine( _In_ PVOID Parameter ) { ULONG64 lastMessagesReceived = 0; ULONG64 lastBytesReceived = 0; KPH_INFORMER_CLIENT_STATS lastStats; memset(&lastStats, 0, sizeof(lastStats)); for (NOTHING; NOTHING; PhDelayExecution(1000)) { ULONG64 messagesReceived; ULONG64 bytesReceived; KPH_INFORMER_CLIENT_STATS stats; messagesReceived = ReadULong64Acquire(&KsiMessagesReceived); bytesReceived = ReadULong64Acquire(&KsiBytesReceived); KphGetInformerClientStats(&stats); if (lastMessagesReceived) { ULONG64 bytesDiff = (bytesReceived - lastBytesReceived); ULONG64 messagesDiff = (messagesReceived - lastMessagesReceived); ULONG64 droppedDiff = (stats.AsyncQueueRateLimit.Dropped - lastStats.AsyncQueueRateLimit.Dropped); PPH_STRING size; size = PhFormatSize(bytesDiff, ULONG_MAX); PhTrace("KSI: B:%ls M:%llu D:%llu", PhGetString(size), messagesDiff, droppedDiff); PhDereferenceObject(size); } lastMessagesReceived = messagesReceived; lastBytesReceived = bytesReceived; lastStats = stats; } return STATUS_SUCCESS; } VOID KsiDebugLogInitialize( VOID ) { PPH_STRING desktopPath; PPH_STRING fileName; desktopPath = PhExpandEnvironmentStringsZ(L"\\??\\%USERPROFILE%"); if (KsiDebugLogEnabled) { fileName = PhConcatStringRef2(&desktopPath->sr, &KsiDebugLogSuffix); if (fileName) { if (!NT_SUCCESS(PhCreateFileStream( &KsiDebugLogFileStream, PhGetString(fileName), FILE_GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OVERWRITE_IF, 0 ))) { KsiDebugLogFileStream = NULL; } PhDereferenceObject(fileName); } } if (KsiDebugRawEnabled) { fileName = PhConcatStringRef2(&desktopPath->sr, &KsiDebugRawSuffix); if (fileName) { if (!NT_SUCCESS(PhCreateFileStream( &KsiDebugRawFileStream, PhGetString(fileName), FILE_GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OVERWRITE_IF, 0 ))) { KsiDebugRawFileStream = NULL; } PhDereferenceObject(fileName); } } if (KsiDebugLogFileStream || KsiDebugRawFileStream) { KPH_INFORMER_SETTINGS settings; PhCreateThread2(KsiDebugMonitorRoutine, NULL); PhRegisterCallback( &PhInformerCallback, KsiDebugLogMessageCallback, NULL, &KsiDebugMessageRegistration ); if (NT_SUCCESS(KphGetInformerSettings(&settings))) { if (settings.Policy[KPH_INFORMER_INDEX(DebugPrint)].TokensPerPeriod) { NtSetDebugFilterState(ULONG_MAX, ULONG_MAX, TRUE); for (DPFLTR_TYPE i = 0; i <= DPFLTR_ENDOFTABLE_ID; i++) NtSetDebugFilterState(i, ULONG_MAX, TRUE); } } } } VOID KsiDebugLogFinalize( VOID ) { ULONG64 messagesRecieved; ULONG64 bytesReceived; if (KsiDebugLogFileStream || KsiDebugRawFileStream) { PhUnregisterCallback(&PhInformerCallback, &KsiDebugMessageRegistration); } PhClearReference(&KsiDebugRawFileStream); PhClearReference(&KsiDebugLogFileStream); messagesRecieved = ReadULong64Acquire(&KsiMessagesReceived); if (messagesRecieved) { bytesReceived = ReadULong64Acquire(&KsiBytesReceived); PhShowMessage2( NULL, MB_OK, IDI_INFORMATION, L"Debug Log Finalize", L"%llu messages totaling %.4f GB", messagesRecieved, (FLOAT)bytesReceived / (1024 * 1024 * 1024) ); } } #endif ================================================ FILE: SystemInformer/ksisup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2024 * dmex 2022-2026 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include typedef struct _KSI_SUPPORT_DATA { USHORT Class; USHORT Machine; ULONG TimeDateStamp; ULONG SizeOfImage; } KSI_SUPPORT_DATA, *PKSI_SUPPORT_DATA; #if defined(KSI_ONLINE_PLATFORM_SUPPORT) typedef struct _KSI_KERNEL_SUPPORT_CHECK_CONTEXT { HWND WindowHandle; HWND TaskDialogHandle; KSI_SUPPORT_DATA SupportData; BOOLEAN IsCanaryChannel; volatile BOOLEAN CheckComplete; volatile BOOLEAN IsSupported; } KSI_KERNEL_SUPPORT_CHECK_CONTEXT, *PKSI_KERNEL_SUPPORT_CHECK_CONTEXT; VOID KsiShowKernelSupportCheckDialog( _In_opt_ HWND WindowHandle ); #endif static CONST PH_STRINGREF DriverExtension = PH_STRINGREF_INIT(L".sys"); static PPH_STRING KsiKernelVersion = NULL; static KSI_SUPPORT_DATA KsiSupportData = { MAXWORD, 0, 0, 0 }; static PPH_STRING KsiSupportString = NULL; // N.B. These are necessary for consistency between load and unload. static BOOLEAN KsiEnableLoadNative = FALSE; static BOOLEAN KsiEnableLoadFilter = FALSE; static PPH_STRING KsiServiceName = NULL; static PPH_STRING KsiFileName = NULL; static PPH_STRING KsiObjectName = NULL; #ifdef DEBUG //#define KSI_DEBUG_DELAY_SPLASHSCREEN 1 extern // ksidbg.c VOID KsiDebugLogInitialize( VOID ); extern // ksidbg.c VOID KsiDebugLogFinalize( VOID ); #endif /** * Get the kernel file name for the running system. * \return PPH_STRING The kernel file name, or NULL on failure. */ PPH_STRING KsiGetKernelFileName( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_STRING KsiKernelFileName = NULL; if (PhBeginInitOnce(&initOnce)) { KsiKernelFileName = PhGetKernelFileName(); PhEndInitOnce(&initOnce); } if (KsiKernelFileName) return PhReferenceObject(KsiKernelFileName); return NULL; } /** * Maps the WindowsVersion enum to a human readable string. * \return PCWSTR The human readable string for the Windows version. */ PCWSTR KsiGetWindowsVersionString( VOID ) { switch (WindowsVersion) { case WINDOWS_7: return L"Windows 7"; case WINDOWS_8: return L"Windows 8"; case WINDOWS_8_1: return L"Windows 8.1"; case WINDOWS_10: return L"Windows 10 RTM"; case WINDOWS_10_TH2: return L"Windows 10 TH2"; case WINDOWS_10_RS1: return L"Windows 10 RS1"; case WINDOWS_10_RS2: return L"Windows 10 RS2"; case WINDOWS_10_RS3: return L"Windows 10 RS3"; case WINDOWS_10_RS4: return L"Windows 10 RS4"; case WINDOWS_10_RS5: return L"Windows 10 RS5"; case WINDOWS_10_19H1: return L"Windows 10 19H1"; case WINDOWS_10_19H2: return L"Windows 10 19H2"; case WINDOWS_10_20H1: return L"Windows 10 20H1"; case WINDOWS_10_20H2: return L"Windows 10 20H2"; case WINDOWS_10_21H1: return L"Windows 10 21H1"; case WINDOWS_10_21H2: return L"Windows 10 21H2"; case WINDOWS_10_22H2: return L"Windows 10 22H2"; case WINDOWS_11: return L"Windows 11"; case WINDOWS_11_22H2: return L"Windows 11 22H2"; case WINDOWS_11_23H2: return L"Windows 11 23H2"; case WINDOWS_11_24H2: return L"Windows 11 24H2"; case WINDOWS_11_25H2: return L"Windows 11 25H2"; case WINDOWS_11_26H1: return L"Windows 11 26H1"; case WINDOWS_NEW: return L"Windows Insider Preview"; } static_assert(WINDOWS_MAX == WINDOWS_11_26H1, "KsiGetWindowsVersionString must include all versions"); return L"Windows"; } /** * Return a formatted Windows build string derived from PhOsVersion. * \return PPH_STRING The formatted Windows build string "Major.Minor.Build". */ PPH_STRING KsiGetWindowsBuildString( VOID ) { PH_FORMAT format[5]; PhInitFormatU(&format[0], PhOsVersion.MajorVersion); PhInitFormatC(&format[1], L'.'); PhInitFormatU(&format[2], PhOsVersion.MinorVersion); PhInitFormatC(&format[3], L'.'); PhInitFormatU(&format[4], PhOsVersion.BuildNumber); return PhFormat(format, RTL_NUMBER_OF(format), 0); } /** * Get the kernel file version string cached from the kernel image. * * This uses an init-once pattern to load and cache the `FileVersion` field * from the kernel image's version resource. The returned `PPH_STRING` is a * referenced object and must be dereferenced by the caller. * \return Referenced PPH_STRING containing the kernel file version, or NULL. */ PPH_STRING KsiGetKernelVersionString( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { PPH_STRING fileName; PH_IMAGE_VERSION_INFO versionInfo; if (fileName = KsiGetKernelFileName()) { if (NT_SUCCESS(PhInitializeImageVersionInfoEx(&versionInfo, &fileName->sr, FALSE))) { KsiKernelVersion = versionInfo.FileVersion; versionInfo.FileVersion = NULL; PhDeleteImageVersionInfo(&versionInfo); } PhDereferenceObject(fileName); } PhEndInitOnce(&initOnce); } if (KsiKernelVersion) return PhReferenceObject(KsiKernelVersion); return NULL; } /** * Populate `SupportData` with kernel image attributes useful for dynamic configuration lookup. * * This function caches the support data on first call and returns the cached * structure on subsequent calls. It uses the kernel filename to inspect the * mapped image headers and derives the class, machine, timestamp and size of * image used for compatibility lookups. * \param[out] SupportData Pointer to KSI_SUPPORT_DATA that receives the result. */ VOID KsiGetKernelSupportData( _Out_ PKSI_SUPPORT_DATA SupportData ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { PPH_STRING fileName; PH_MAPPED_IMAGE mappedImage; if (fileName = KsiGetKernelFileName()) { if (PhEndsWithString2(fileName, L"ntoskrnl.exe", TRUE)) KsiSupportData.Class = KPH_DYN_CLASS_NTOSKRNL; else if (PhEndsWithString2(fileName, L"ntkrla57.exe", TRUE)) KsiSupportData.Class = KPH_DYN_CLASS_NTKRLA57; if (NT_SUCCESS(PhLoadMappedImageHeaderPageSize(&fileName->sr, NULL, &mappedImage))) { KsiSupportData.Machine = mappedImage.NtHeaders->FileHeader.Machine; KsiSupportData.TimeDateStamp = mappedImage.NtHeaders->FileHeader.TimeDateStamp; KsiSupportData.SizeOfImage = mappedImage.NtHeaders->OptionalHeader.SizeOfImage; PhUnloadMappedImage(&mappedImage); } PhDereferenceObject(fileName); } PhEndInitOnce(&initOnce); } *SupportData = KsiSupportData; } /** * Get a formatted support string that uniquely identifies the kernel image for dynamic data matching. * * The returned object is a referenced `PPH_STRING` and must be dereferenced by * the caller. The string format is "%02x-%04x-%08x-%08x". * \return Referenced `PPH_STRING` containing the kernel support string. */ PPH_STRING KsiGetKernelSupportString( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { KSI_SUPPORT_DATA supportData; KsiGetKernelSupportData(&supportData); KsiSupportString = PhFormatString( L"%02x-%04x-%08x-%08x", (BYTE)supportData.Class, supportData.Machine, supportData.TimeDateStamp, supportData.SizeOfImage ); PhEndInitOnce(&initOnce); } return PhReferenceObject(KsiSupportString); } /** * Show the user a one-time warning if the process does not have full * expected kernel protection capabilities. * * This function checks global settings and the current process state to * determine whether to show a descriptive message. If the user dismisses and * checks "don't show again" the global warning flag is disabled and persisted. */ VOID PhShowKsiStatus( VOID ) { KPH_PROCESS_STATE processState; if (!PhEnableKsiWarnings || PhStartupParameters.PhSvc) return; processState = KphGetCurrentProcessState(); if ((processState != 0) && (processState & KPH_PROCESS_STATE_MAXIMUM) != KPH_PROCESS_STATE_MAXIMUM) { PPH_STRING infoString; PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 100); if (!BooleanFlagOn(processState, KPH_PROCESS_SECURELY_CREATED)) { PhAppendStringBuilder2(&stringBuilder, L" - not securely created\r\n"); } if (!BooleanFlagOn(processState, KPH_PROCESS_VERIFIED_PROCESS)) { PhAppendStringBuilder2(&stringBuilder, L" - unverified primary image\r\n"); } if (!BooleanFlagOn(processState, KPH_PROCESS_PROTECTED_PROCESS)) { PhAppendStringBuilder2(&stringBuilder, L" - inactive protections\r\n"); } if (!BooleanFlagOn(processState, KPH_PROCESS_NO_UNTRUSTED_IMAGES)) { PhAppendStringBuilder2(&stringBuilder, L" - unsigned images (likely an unsigned plugin)\r\n"); } if (!BooleanFlagOn(processState, KPH_PROCESS_NOT_BEING_DEBUGGED)) { PhAppendStringBuilder2(&stringBuilder, L" - process is being debugged\r\n"); } if (!BooleanFlagOn(processState, KPH_PROCESS_CREATE_NOTIFICATION)) { PhAppendStringBuilder2(&stringBuilder, L" - no create notification\r\n"); } if ((processState & KPH_PROCESS_STATE_MINIMUM) != KPH_PROCESS_STATE_MINIMUM) { PhAppendStringBuilder2(&stringBuilder, L" - tampered primary image\r\n"); } if (PhEndsWithString2(stringBuilder.String, L"\r\n", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhAppendStringBuilder2(&stringBuilder, L"\r\n\r\n"); // String interning optimization (dmex) PhAppendStringBuilder2(&stringBuilder, L"You will be unable to use more advanced features, view details about system processes or terminate malicious software."); infoString = PhFinalStringBuilderString(&stringBuilder); PhShowKsiMessageEx( NULL, TD_SHIELD_ERROR_ICON, 0, FALSE, L"Access to the kernel driver is restricted.", L"%s", PhGetString(infoString) ); PhDereferenceObject(infoString); } } /** * Build a long-form diagnostic string containing application and kernel * state and an optional formatted message. * * This helper assembles version, kernel, and process state information along * with the provided format and arguments. The returned `PPH_STRING` is a * referenced object that the caller must free via PhDereferenceObject(). * * \param[in] Status NTSTATUS associated with the message (0 if none). * \param[in] Force If TRUE the message will be shown even if warnings are * disabled; used to control UI behaviour in callers. * \param[in] Format Printf-style format string for the primary message body. * \param[in] ArgPtr va_list of arguments for the Format. * \return Referenced `PPH_STRING` containing the assembled message. */ PPH_STRING PhpGetKsiMessage( _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Format, _In_ va_list ArgPtr ) { PPH_STRING buildString; PPH_STRING versionString; PPH_STRING kernelVersion; PPH_STRING errorMessage; PH_STRING_BUILDER stringBuilder; PPH_STRING supportString; PPH_STRING messageString; ULONG processState; buildString = KsiGetWindowsBuildString(); versionString = PhGetApplicationVersionString(FALSE); kernelVersion = KsiGetKernelVersionString(); errorMessage = NULL; PhInitializeStringBuilder(&stringBuilder, 100); PhAppendFormatStringBuilder_V(&stringBuilder, Format, ArgPtr); PhAppendStringBuilder2(&stringBuilder, L"\r\n\r\n"); if (Status != 0) { if (!(errorMessage = PhGetStatusMessage(Status, 0))) errorMessage = PhGetStatusMessage(0, Status); if (errorMessage) { PH_STRINGREF firstPart; PH_STRINGREF secondPart; // sanitize format specifiers secondPart = errorMessage->sr; while (PhSplitStringRefAtChar(&secondPart, L'%', &firstPart, &secondPart)) { PhAppendStringBuilder(&stringBuilder, &firstPart); PhAppendStringBuilder2(&stringBuilder, L"%%"); } PhAppendStringBuilder(&stringBuilder, &firstPart); } else { PhAppendStringBuilder2(&stringBuilder, L"Unknown error."); } PhAppendFormatStringBuilder(&stringBuilder, L" (0x%08x)", Status); PhAppendStringBuilder2(&stringBuilder, L"\r\n\r\n"); } PhAppendFormatStringBuilder( &stringBuilder, L"%ls %ls\r\n", KsiGetWindowsVersionString(), PhGetString(buildString) ); PhAppendStringBuilder2(&stringBuilder, L"Windows Kernel "); PhAppendStringBuilder2(&stringBuilder, PhGetStringOrDefault(kernelVersion, L"Unknown")); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhAppendStringBuilder(&stringBuilder, &versionString->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); processState = KphGetCurrentProcessState(); if (processState != 0) { PhAppendStringBuilder2(&stringBuilder, L"Process State "); PhAppendFormatStringBuilder(&stringBuilder, L"0x%08x", processState); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } if (!PhEnableKsiWarnings) { PhAppendStringBuilder2(&stringBuilder, L"Driver warnings are disabled."); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } supportString = KsiGetKernelSupportString(); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhAppendStringBuilder(&stringBuilder, &supportString->sr); PhDereferenceObject(supportString); messageString = PhFinalStringBuilderString(&stringBuilder); PhClearReference(&errorMessage); PhClearReference(&kernelVersion); PhClearReference(&versionString); PhClearReference(&buildString); return messageString; } #if defined(KSI_ONLINE_PLATFORM_SUPPORT) PPH_STRING PhpGetKsiMessage2( _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Format, _In_ va_list ArgPtr ) { PPH_STRING buildString; PPH_STRING versionString; PPH_STRING kernelVersion; PPH_STRING errorMessage; PH_STRING_BUILDER stringBuilder; PPH_STRING supportString; PPH_STRING messageString; ULONG processState; buildString = KsiGetWindowsBuildString(); versionString = PhGetApplicationVersionString(FALSE); kernelVersion = KsiGetKernelVersionString(); errorMessage = NULL; PhInitializeStringBuilder(&stringBuilder, 100); if (Status != 0) { if (!(errorMessage = PhGetStatusMessage(Status, 0))) errorMessage = PhGetStatusMessage(0, Status); if (errorMessage) { PH_STRINGREF firstPart; PH_STRINGREF secondPart; // sanitize format specifiers secondPart = errorMessage->sr; while (PhSplitStringRefAtChar(&secondPart, L'%', &firstPart, &secondPart)) { PhAppendStringBuilder(&stringBuilder, &firstPart); PhAppendStringBuilder2(&stringBuilder, L"%%"); } PhAppendStringBuilder(&stringBuilder, &firstPart); } else { PhAppendStringBuilder2(&stringBuilder, L"Unknown error."); } PhAppendFormatStringBuilder(&stringBuilder, L" (0x%08x)", Status); PhAppendStringBuilder2(&stringBuilder, L"\r\n\r\n"); } PhAppendFormatStringBuilder( &stringBuilder, L"%ls %ls\r\n", KsiGetWindowsVersionString(), PhGetString(buildString) ); PhAppendStringBuilder2(&stringBuilder, L"Windows Kernel "); PhAppendStringBuilder2(&stringBuilder, PhGetStringOrDefault(kernelVersion, L"Unknown")); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhAppendStringBuilder(&stringBuilder, &versionString->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); processState = KphGetCurrentProcessState(); if (processState != 0) { PhAppendStringBuilder2(&stringBuilder, L"Process State "); PhAppendFormatStringBuilder(&stringBuilder, L"0x%08x", processState); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } if (!PhEnableKsiWarnings) { PhAppendStringBuilder2(&stringBuilder, L"Driver warnings are disabled."); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } supportString = KsiGetKernelSupportString(); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhAppendStringBuilder(&stringBuilder, &supportString->sr); PhDereferenceObject(supportString); PhAppendStringBuilder2(&stringBuilder, L"\r\n\r\n"); PhAppendFormatStringBuilder_V(&stringBuilder, Format, ArgPtr); messageString = PhFinalStringBuilderString(&stringBuilder); PhClearReference(&errorMessage); PhClearReference(&kernelVersion); PhClearReference(&versionString); PhClearReference(&buildString); return messageString; } #endif /** * Show the composed kernel message to the user either one-time or * forced, depending on parameters. * * This wrapper uses PhpGetKsiMessage to build a detailed message string and * displays it using the appropriate PhShowMessage* helper. If the user opts to * suppress future warnings the global setting is cleared and persisted. * * \param[in] WindowHandle Parent window handle for UI. * \param[in] Buttons Task dialog button flags (e.g., TD_OK_BUTTON). * \param[in] Icon Icon resource id/name for the task dialog. * \param[in] Status Optional NTSTATUS to include in the message. * \param[in] Force Show a modal message; otherwise one-time message. * \param[in] Title Title to display in the dialog. * \param[in] Format Printf-style format string for the message. * \param[in] ArgPtr va_list of arguments for Format. * \return LONG result of the dialog interaction (e.g., IDOK, IDYES, IDNO). */ LONG PhpShowKsiMessage( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Title, _In_ PCWSTR Format, _In_ va_list ArgPtr ) { LONG result; PPH_STRING errorMessage; if (!Force && !PhEnableKsiWarnings || PhStartupParameters.PhSvc) return INT_ERROR; errorMessage = PhpGetKsiMessage(Status, Force, Format, ArgPtr); if (Force) { result = PhShowMessage2( WindowHandle, Buttons, Icon, Title, PhGetString(errorMessage) ); } else { BOOLEAN checked; if (Status != STATUS_SUCCESS) { LONG bufferLength; WCHAR buffer[0x100]; bufferLength = _snwprintf( buffer, ARRAYSIZE(buffer) - sizeof(UNICODE_NULL), L"%s (0x%08x)", Title, Status ); buffer[bufferLength] = UNICODE_NULL; result = PhShowMessageOneTime2( WindowHandle, Buttons, Icon, buffer, &checked, PhGetString(errorMessage) ); } else { result = PhShowMessageOneTime2( WindowHandle, Buttons, Icon, Title, &checked, PhGetString(errorMessage) ); } if (checked) { PhEnableKsiWarnings = FALSE; PhSetIntegerSetting(SETTING_KSI_ENABLE_WARNINGS, FALSE); } } PhClearReference(&errorMessage); return result; } /** * Public wrapper to build a message string via va-args. * * Convenience wrapper around PhpGetKsiMessage that accepts variable arguments. * Caller receives a referenced `PPH_STRING` and must dereference it. * * \param[in] Status Optional NTSTATUS. * \param[in] Force See PhpGetKsiMessage. * \param[in] Format Printf-style format string. * \return Referenced `PPH_STRING` with the assembled message. */ PPH_STRING PhGetKsiMessage( _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Format, ... ) { PPH_STRING message; va_list argptr; va_start(argptr, Format); message = PhpGetKsiMessage(Status, Force, Format, argptr); va_end(argptr); return message; } /** * Public wrapper to display a message to the user with va-args. * * Calls PhpShowKsiMessage with variable argument list and returns dialog result. */ LONG PhShowKsiMessage2( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Title, _In_ PCWSTR Format, ... ) { LONG result; va_list argptr; va_start(argptr, Format); result = PhpShowKsiMessage(WindowHandle, Buttons, Icon, Status, Force, Title, Format, argptr); va_end(argptr); return result; } /** * Convenience function to show an informational message (OK) with va-args. * * This variant always uses TD_OK_BUTTON and forwards to PhpShowKsiMessage. */ VOID PhShowKsiMessageEx( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Icon, _In_opt_ NTSTATUS Status, _In_ BOOLEAN Force, _In_ PCWSTR Title, _In_ PCWSTR Format, ... ) { va_list argptr; va_start(argptr, Format); PhpShowKsiMessage(WindowHandle, TD_OK_BUTTON, Icon, Status, Force, Title, Format, argptr); va_end(argptr); } /** * Convenience function to show a forced OK message (no status, forced). * * Calls PhpShowKsiMessage forcing the message to be shown and using TD_OK_BUTTON. */ VOID PhShowKsiMessage( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Icon, _In_ PCWSTR Title, _In_ PCWSTR Format, ... ) { va_list argptr; va_start(argptr, Format); PhpShowKsiMessage(WindowHandle, TD_OK_BUTTON, Icon, 0, TRUE, Title, Format, argptr); va_end(argptr); } /** * Create a randomized alphanumeric name with the given prefix. * * Generates an 8-12 character random alpha string and concatenates it to the * provided prefix producing a new referenced `PPH_STRING` returned via `Name`. * * \param[in] Prefix Wide string prefix to prepend. * \param[out] Name Receives referenced `PPH_STRING` containing the new name. */ VOID KsiCreateRandomizedName( _In_ PCWSTR Prefix, _Out_ PPH_STRING* Name, _In_ BOOLEAN Numeric ) { ULONG length; WCHAR buffer[13]; length = (PhGenerateRandomNumber64() % 6) + 8; // 8-12 characters if (Numeric) PhGenerateRandomNumericString(buffer, length); else PhGenerateRandomAlphaString(buffer, length); *Name = PhConcatStrings2(Prefix, buffer); } /** * Creates and connects to the System Informer service. * * \return Successful or errant status. */ NTSTATUS KsiSvcConnectToServer( VOID ) { NTSTATUS status; PPH_STRING serviceName; PPH_STRING fileName; PPH_STRING commandLine; SC_HANDLE serviceHandle; PPH_STRING portName; UNICODE_STRING portNameUs; ULONG attempts; if (!(fileName = PhGetApplicationFileNameWin32())) return STATUS_UNSUCCESSFUL; KsiCreateRandomizedName(L"SystemInformer_", &serviceName, FALSE); commandLine = PhFormatString( L"\"%s\" -ras \"%s\"", fileName->Buffer, PhGetString(serviceName) ); status = PhCreateService( &serviceHandle, PhGetString(serviceName), PhGetString(serviceName), SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, PhGetString(commandLine), L"LocalSystem", L"" ); PhDereferenceObject(commandLine); PhDereferenceObject(fileName); if (!NT_SUCCESS(status)) return status; PhStartService(serviceHandle, 0, NULL); PhDeleteService(serviceHandle); portName = PhConcatStrings2(L"\\BaseNamedObjects\\", PhGetString(serviceName)); PhStringRefToUnicodeString(&portName->sr, &portNameUs); attempts = 50; // Try to connect several times because the server may take // a while to initialize. do { status = PhSvcConnectToServer(&portNameUs, 0); if (NT_SUCCESS(status)) break; PhDelayExecution(100); } while (--attempts != 0); PhDereferenceObject(portName); PhCloseServiceHandle(serviceHandle); return status; } /** * Restart the current process with optional additional command-line parameters * and process mitigation attributes set. * * The function obtains the current process command-line, appends the supplied * `AdditionalCommandLine` (if any), and creates a new process using * PhCreateProcessWin32Ex with hardened mitigation attributes where supported. * * \param[in] AdditionalCommandLine Optional additional commandline to append. * \return NTSTATUS of the attempted create; on success the current process * exits via PhExitApplication(STATUS_SUCCESS) after successful spawn. */ NTSTATUS PhRestartSelf( _In_ PCPH_STRINGREF AdditionalCommandLine ) { static ULONG64 mitigationFlags[] = { #ifdef DEBUG 0, 0 #else (PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON | PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON | PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON | PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON | PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON | PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON), (PROCESS_CREATION_MITIGATION_POLICY2_LOADER_INTEGRITY_CONTINUITY_ALWAYS_ON | PROCESS_CREATION_MITIGATION_POLICY2_STRICT_CONTROL_FLOW_GUARD_ALWAYS_ON | // PROCESS_CREATION_MITIGATION_POLICY2_BLOCK_NON_CET_BINARIES_ALWAYS_ON | // PROCESS_CREATION_MITIGATION_POLICY2_XTENDED_CONTROL_FLOW_GUARD_ALWAYS_ON | PROCESS_CREATION_MITIGATION_POLICY2_MODULE_TAMPERING_PROTECTION_ALWAYS_ON) #endif }; NTSTATUS status; PPROC_THREAD_ATTRIBUTE_LIST attributeList = NULL; PH_STRINGREF commandlineSr; PPH_STRING commandline; STARTUPINFOEX startupInfo; status = PhGetProcessCommandLineStringRef(&commandlineSr); if (!NT_SUCCESS(status)) return status; commandline = PhConcatStringRef2( &commandlineSr, AdditionalCommandLine ); status = KsiSvcConnectToServer(); if (NT_SUCCESS(status)) { status = PhSvcCallCreateProcessForKsi(PhGetString(commandline), mitigationFlags); PhSvcDisconnectFromServer(); } if (NT_SUCCESS(status)) { PhExitApplication(STATUS_SUCCESS); } #ifndef DEBUG status = PhInitializeProcThreadAttributeList(&attributeList, 1); if (!NT_SUCCESS(status)) return status; if (WindowsVersion >= WINDOWS_10_22H2) { status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, mitigationFlags, sizeof(ULONG64) * 2 ); } else { status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, mitigationFlags, sizeof(ULONG64) * 1 ); } #endif if (!NT_SUCCESS(status)) return status; memset(&startupInfo, 0, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfo.lpAttributeList = attributeList; status = PhCreateProcessWin32Ex( NULL, PhGetString(commandline), NULL, NULL, &startupInfo, PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO, NULL, NULL, NULL, NULL ); if (NT_SUCCESS(status)) { PhExitApplication(STATUS_SUCCESS); } if (attributeList) PhDeleteProcThreadAttributeList(attributeList); PhDereferenceObject(commandline); return status; } /** * Obtain the configured KSI service name, falling back to default. * * \return Referenced `PPH_STRING` containing the service name. */ PPH_STRING PhGetKsiServiceName( VOID ) { PPH_STRING string; string = PhGetStringSetting(SETTING_KSI_SERVICE_NAME); if (PhIsNullOrEmptyString(string)) { PhClearReference(&string); string = PhCreateString(KPH_SERVICE_NAME); } return string; } /** * KPH communication callback used by KsiConnect configuration. * * The callback forwards the message to the informer dispatch and also, * when appropriate, forces a KPH cached required-state refresh when a * RequiredStateFailure message relates to the current process. * * \param[in] ReplyToken Opaque reply token from KphComms. * \param[in] Message Pointer to the KPH message to process. * \return BOOLEAN value expected by KPH_COMMS_CALLBACK (TRUE/ FALSE). */ _Function_class_(KPH_COMMS_CALLBACK) BOOLEAN KsiCommsCallback( _In_ ULONG_PTR ReplyToken, _In_ PCKPH_MESSAGE Message ) { if (Message->Header.MessageId == KphMsgRequiredStateFailure && Message->Kernel.RequiredStateFailure.ClientId.UniqueProcess == NtCurrentProcessId()) { // force the cached value to be updated KphLevelEx(FALSE); } return PhInformerDispatch(ReplyToken, Message); } /** * Read a configuration file located in the application directory. * * This opens and reads the entire file into a buffer allocated by the Ph * memory allocator. The caller receives ownership of `*Data` and must free it * via PhFree(). On success `*Length` receives the byte length of the buffer. * * \param[in] FileName File name relative to application directory. * \param[out] Data Receives pointer to allocated buffer with file contents. * \param[out] Length Receives buffer length in bytes. * \return NTSTATUS Successful or errant status. */ NTSTATUS KsiReadConfiguration( _In_ PCPH_STRINGREF FileName, _Out_ PBYTE* Data, _Out_ PULONG Length ) { NTSTATUS status; PPH_STRING fileName; HANDLE fileHandle; *Data = NULL; *Length = 0; if (fileName = PhGetApplicationDirectoryFileName(FileName, TRUE)) { status = PhCreateFile( &fileHandle, &fileName->sr, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { status = PhGetFileData(fileHandle, Data, Length); NtClose(fileHandle); } PhDereferenceObject(fileName); } else { status = STATUS_NO_SUCH_FILE; } return status; } /** * Validate dynamic configuration blob against the current kernel version. * * Performs a lookup using KphDynDataLookup matching the runtime kernel support * data (class, machine, timestamp, size) to ensure the provided dynamic * configuration applies to this kernel. * * \param[in] DynData Pointer to dynamic configuration buffer. * \param[in] DynDataLength Buffer length in bytes. * \return NTSTATUS Successful or errant status. */ NTSTATUS KsiValidateDynamicConfiguration( _In_ PBYTE DynData, _In_ ULONG DynDataLength ) { NTSTATUS status; PPH_STRING fileName; KSI_SUPPORT_DATA supportData; if (fileName = KsiGetKernelFileName()) { KsiGetKernelSupportData(&supportData); status = KphDynDataLookup( (PKPH_DYN_CONFIG)DynData, DynDataLength, supportData.Class, supportData.Machine, supportData.TimeDateStamp, supportData.SizeOfImage, NULL, NULL ); PhDereferenceObject(fileName); } else { status = STATUS_NO_SUCH_FILE; } return status; } /** * Retrieve the dynamic configuration and its signature. * * This routine attempts to read a local `ksidyn.bin` and `ksidyn.sig` files, * validate the dynamic configuration for the current kernel and return both * the data and signature buffers to the caller. Caller owns the returned * buffers and must free them using PhFree(). * * \param[out] DynData Receives pointer to allocated dynamic data buffer. * \param[out] DynDataLength Receives the length of the dynamic data buffer. * \param[out] Signature Receives pointer to allocated signature buffer. * \param[out] SignatureLength Receives length of the signature buffer. * \return NTSTATUS Successful or errant status. */ NTSTATUS KsiGetDynData( _Out_ PBYTE* DynData, _Out_ PULONG DynDataLength, _Out_ PBYTE* Signature, _Out_ PULONG SignatureLength ) { static CONST PH_STRINGREF dataFileName = PH_STRINGREF_INIT(L"ksidyn.bin"); static CONST PH_STRINGREF sigFileName = PH_STRINGREF_INIT(L"ksidyn.sig"); NTSTATUS status; PBYTE data = NULL; ULONG dataLength; PBYTE sig = NULL; ULONG sigLength; // TODO download dynamic data from server *DynData = NULL; *DynDataLength = 0; *Signature = NULL; *SignatureLength = 0; status = KsiReadConfiguration(&dataFileName, &data, &dataLength); if (!NT_SUCCESS(status)) goto CleanupExit; status = KsiValidateDynamicConfiguration(data, dataLength); if (!NT_SUCCESS(status)) goto CleanupExit; status = KsiReadConfiguration(&sigFileName, &sig, &sigLength); if (!NT_SUCCESS(status)) goto CleanupExit; if (!sigLength) { status = STATUS_SI_DYNDATA_INVALID_SIGNATURE; goto CleanupExit; } *DynDataLength = dataLength; *DynData = data; data = NULL; *SignatureLength = sigLength; *Signature = sig; sig = NULL; status = STATUS_SUCCESS; CleanupExit: if (data) PhFree(data); if (sig) PhFree(sig); return status; } /** * Retrieves and activates dynamic configuration data. * * \param[in] WindowHandle Optional parent window for UI prompts. * \param[in] Level Current KPH level. */ VOID KsiActivateDynData( _In_opt_ HWND WindowHandle, _In_ KPH_LEVEL Level ) { NTSTATUS status; BOOLEAN showMessage; PBYTE dynData = NULL; ULONG dynDataLength; PBYTE signature = NULL; ULONG signatureLength; showMessage = (Level < KphLevelHigh); status = KsiGetDynData( &dynData, &dynDataLength, &signature, &signatureLength ); if (!showMessage) { NOTHING; } else if (status == STATUS_SI_DYNDATA_UNSUPPORTED_KERNEL) { #if defined(KSI_ONLINE_PLATFORM_SUPPORT) KsiShowKernelSupportCheckDialog(WindowHandle); #else if (PhGetPhReleaseChannel() < PhCanaryChannel) { PhShowKsiMessageEx( WindowHandle, TD_WARNING_ICON, 0, FALSE, L"Reduced driver functionality", L"The kernel driver is not yet supported on this kernel " L"version. For the latest kernel support switch to the Canary " L"update channel (Help > Check for updates > Canary > Check)." ); } else { PhShowKsiMessageEx( WindowHandle, TD_WARNING_ICON, 0, FALSE, L"Reduced driver functionality", L"The kernel driver is not yet supported on this kernel " L"version. Request support by submitting a GitHub issue with " L"the Windows Kernel version." ); } #endif } else if (status == STATUS_NO_SUCH_FILE) { PhShowKsiMessageEx( WindowHandle, TD_WARNING_ICON, 0, FALSE, L"Reduced driver functionality", L"The dynamic configuration was not found." ); } else if (!NT_SUCCESS(status)) { PhShowKsiMessageEx( WindowHandle, TD_WARNING_ICON, status, FALSE, L"Reduced driver functionality", L"Failed to access the dynamic configuration." ); } if (dynData && signature) { status = KphActivateDynData(dynData, dynDataLength, signature, signatureLength); if (showMessage && !NT_SUCCESS(status)) { PhShowKsiMessageEx( WindowHandle, TD_WARNING_ICON, status, FALSE, L"Reduced driver functionality", L"Failed to activate the dynamic configuration." ); } } if (signature) PhFree(signature); if (dynData) PhFree(dynData); } /** * Determine the on-disk kernel driver filename for the current application context. * * \return Referenced `PPH_STRING` containing the full driver filename. */ PPH_STRING PhGetKsiFileName( VOID ) { PPH_STRING applicationDirectory; PPH_STRING fileName; #if defined(PH_BUILD_MSIX) PH_FORMAT format[4]; PhInitFormatS(&format[0], L"\\Drivers"); PhInitFormatS(&format[1], L"\\SystemInformer"); PhInitFormatS(&format[2], L"\\SystemInformer"); PhInitFormatSR(&format[3], DriverExtension); fileName = PhFormat(format, RTL_NUMBER_OF(format), MAX_PATH); applicationDirectory = PhGetSystemDirectoryWin32(&fileName->sr); PhDereferenceObject(fileName); #else fileName = PhGetApplicationFileNameWin32(); applicationDirectory = PhGetBaseNameChangeExtension(&fileName->sr, &DriverExtension); PhDereferenceObject(fileName); #endif return applicationDirectory; } /** * Get a temporary directory suitable for creating temporary files. * * Returns a referenced `PPH_STRING` representing the temporary directory * for the running application context. */ PPH_STRING PhGetTemporaryKsiDirectory( VOID ) { PPH_STRING applicationDirectory; #if defined(PH_BUILD_MSIX) applicationDirectory = PhGetLocalAppDataDirectoryZ(L"temp-drivers\\", FALSE); #else applicationDirectory = PhGetApplicationDirectoryFileNameZ(L"temp-drivers\\", FALSE); #endif return applicationDirectory; } /** * Create a temporary copy of a driver file in the specified temporary directory. * * The function generates a filename based on the current system time, ensures * the directory exists and copies `FileName` into `TempDirectory`. On success * returns a referenced `PPH_STRING` in `*TempFileName` (caller owns reference). * * \param[in] FileName Existing driver filename to copy. * \param[in] TempDirectory Directory to create the temporary file in. * \param[out] TempFileName Receives referenced `PPH_STRING` of the created file. * \return NTSTATUS Successful or errant status. */ NTSTATUS KsiCreateTemporaryDriverFile( _In_ PPH_STRING FileName, _In_ PPH_STRING TempDirectory, _Out_ PPH_STRING* TempFileName ) { NTSTATUS status; PH_FORMAT format[4]; PPH_STRING tempFileName; LARGE_INTEGER timeStamp; *TempFileName = NULL; PhQuerySystemTime(&timeStamp); PhInitFormatSR(&format[0], TempDirectory->sr); PhInitFormatS(&format[1], L"SystemInformer"); PhInitFormatI64X(&format[2], timeStamp.QuadPart); PhInitFormatSR(&format[3], DriverExtension); tempFileName = PhFormat(format, RTL_NUMBER_OF(format), MAX_PATH); if (NT_SUCCESS(status = PhCreateDirectoryWin32(&TempDirectory->sr))) { if (NT_SUCCESS(status = PhCopyFileWin32(PhGetString(FileName), PhGetString(tempFileName), TRUE))) { *TempFileName = tempFileName; tempFileName = NULL; } } PhClearReference(&tempFileName); return status; } /** * Connect to the kernel driver using the configured dynamic configuration. * * This function orchestrates reading dynamic configuration, validating it, * ensuring the driver file exists, and attempting connection with multiple * fallback strategies (temporary copy, service, NtLoadDriver etc...). * * \param[in] WindowHandle Optional parent window for UI prompts. * \return NTSTATUS Successful or errant status. */ NTSTATUS KsiConnect( _In_opt_ HWND WindowHandle ) { NTSTATUS status; PPH_STRING ksiFileName = NULL; KPH_CONFIG_PARAMETERS config = { 0 }; PPH_STRING objectName = NULL; PPH_STRING portName = NULL; PPH_STRING altitude = NULL; PPH_STRING systemProcessName = NULL; PPH_STRING tempDriverDir = NULL; KPH_LEVEL level; if (tempDriverDir = PhGetTemporaryKsiDirectory()) { PhDeleteDirectoryWin32(&tempDriverDir->sr); } if (!PhDoesFileExistWin32(PhGetString(KsiFileName))) { PhShowKsiMessageEx( WindowHandle, TD_SHIELD_ERROR_ICON, 0, FALSE, L"Unable to load kernel driver", L"The kernel driver was not found." ); status = STATUS_NOT_FOUND; goto CleanupExit; } if (PhIsNullOrEmptyString(portName = PhGetStringSetting(SETTING_KSI_PORT_NAME))) PhClearReference(&portName); if (PhIsNullOrEmptyString(altitude = PhGetStringSetting(SETTING_KSI_ALTITUDE))) PhClearReference(&altitude); if (PhIsNullOrEmptyString(systemProcessName = PhGetStringSetting(SETTING_KSI_SYSTEM_PROCESS_NAME))) PhClearReference(&systemProcessName); config.FileName = &KsiFileName->sr; config.ServiceName = &KsiServiceName->sr; config.ObjectName = &KsiObjectName->sr; config.PortName = (portName ? &portName->sr : NULL); config.Altitude = (altitude ? &altitude->sr : NULL); config.SystemProcessName = (systemProcessName ? &systemProcessName->sr : NULL); config.FsSupportedFeatures = 0; if (!!PhGetIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_OFFLOAD_READ)) SetFlag(config.FsSupportedFeatures, SUPPORTED_FS_FEATURES_OFFLOAD_READ); if (!!PhGetIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_OFFLOAD_WRITE)) SetFlag(config.FsSupportedFeatures, SUPPORTED_FS_FEATURES_OFFLOAD_WRITE); if (!!PhGetIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_QUERY_OPEN)) SetFlag(config.FsSupportedFeatures, SUPPORTED_FS_FEATURES_QUERY_OPEN); if (!!PhGetIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_BYPASS_IO)) SetFlag(config.FsSupportedFeatures, SUPPORTED_FS_FEATURES_BYPASS_IO); config.Flags.Flags = 0; config.Flags.DisableImageLoadProtection = !!PhGetIntegerSetting(SETTING_KSI_DISABLE_IMAGE_LOAD_PROTECTION); config.Flags.RandomizedPoolTag = !!PhGetIntegerSetting(SETTING_KSI_RANDOMIZED_POOL_TAG); config.Flags.DynDataNoEmbedded = !!PhGetIntegerSetting(SETTING_KSI_DYN_DATA_NO_EMBEDDED); config.Flags.DisableSystemProcess = !!PhGetIntegerSetting(SETTING_KSI_DISABLE_SYSTEM_PROCESS); config.Flags.DisableThreadNames = !!PhGetIntegerSetting(SETTING_KSI_DISABLE_THREAD_NAMES); config.EnableNativeLoad = KsiEnableLoadNative; config.EnableFilterLoad = KsiEnableLoadFilter; config.RingBufferLength = PhGetIntegerSetting(SETTING_KSI_RING_BUFFER_LENGTH); config.Callback = KsiCommsCallback; status = KphConnect(&config); if (status == STATUS_NO_SUCH_FILE) { PPH_STRING tempFileName; // // N.B. We know the driver file exists from the check above. This // error indicates that the kernel driver is still mapped but // unloaded. // // The chain of calls and resulting return status is this: // IopLoadDriver // -> MmLoadSystemImage -> STATUS_IMAGE_ALREADY_LOADED // -> ObOpenObjectByName -> STATUS_OBJECT_NAME_NOT_FOUND // -> STATUS_DRIVER_FAILED_PRIOR_UNLOAD -> STATUS_NO_SUCH_FILE // // The driver object has been made temporary and the underlying // section will be unmapped by the kernel when it is safe to do so. // This generally happens when the pinned module is holding the // driver in memory until some code finishes executing. This can // also happen if another misbehaving driver is leaking or holding // a reference to the driver object. // // To continue to provide a good user experience, we will attempt copy // the driver to another file and load it again. First, try to use an // existing temporary driver file, if one exists. // tempFileName = PhGetStringSetting(SETTING_KSI_PREVIOUS_TEMPORARY_DRIVER_FILE); if (tempFileName) { if (PhDoesFileExistWin32(PhGetString(tempFileName))) { config.FileName = &tempFileName->sr; status = KphConnect(&config); } PhMoveReference(&KsiFileName, tempFileName); } if (!NT_SUCCESS(status) && tempDriverDir) { if (NT_SUCCESS(status = KsiCreateTemporaryDriverFile(ksiFileName, tempDriverDir, &tempFileName))) { PhSetStringSetting(SETTING_KSI_PREVIOUS_TEMPORARY_DRIVER_FILE, PhGetString(tempFileName)); config.FileName = &tempFileName->sr; status = KphConnect(&config); PhMoveReference(&KsiFileName, tempFileName); } } } if (status == STATUS_SI_KSIDLL_VERSION_MISMATCH) { PhShowKsiMessageEx( NULL, TD_SHIELD_ERROR_ICON, STATUS_SI_KSIDLL_VERSION_MISMATCH, FALSE, L"Unable to load kernel driver", L"The last System Informer update requires a reboot." ); goto CleanupExit; } if (!NT_SUCCESS(status)) { PPH_STRING randomServiceName; PPH_STRING randomPortName; PPH_STRING randomObjectName; PPH_STRING randomAltitude; // // Malware might be blocking the driver load. Offer the user a chance // to try again with a different method. // if (PhShowKsiMessage2( WindowHandle, TD_YES_BUTTON | TD_NO_BUTTON, TD_SHIELD_ERROR_ICON, status, FALSE, L"Unable to load kernel driver", L"Try again with alternate driver load method?" ) != IDYES) { goto CleanupExit; } KsiCreateRandomizedName(L"", &randomServiceName, FALSE); KsiCreateRandomizedName(L"\\", &randomPortName, FALSE); KsiCreateRandomizedName(L"\\Driver\\", &randomObjectName, FALSE); KsiCreateRandomizedName(L"385210.5", &randomAltitude, TRUE); config.EnableNativeLoad = TRUE; config.EnableFilterLoad = FALSE; config.ServiceName = &randomServiceName->sr; config.PortName = &randomPortName->sr; config.ObjectName = &randomObjectName->sr; config.Altitude = &randomAltitude->sr; PhMoveReference(&KsiServiceName, PhReferenceObject(randomServiceName)); PhMoveReference(&KsiObjectName, PhReferenceObject(randomObjectName)); KsiEnableLoadNative = TRUE; KsiEnableLoadFilter = FALSE; status = KphConnect(&config); if (NT_SUCCESS(status)) { // // N.B. These settings **must** be persisted to allow subsequent // clients to successfully connect or unload the natively loaded // driver. // PhSetIntegerSetting(SETTING_KSI_ENABLE_LOAD_NATIVE, TRUE); PhSetIntegerSetting(SETTING_KSI_ENABLE_LOAD_FILTER, FALSE); PhSetStringSetting2(SETTING_KSI_SERVICE_NAME, &randomServiceName->sr); PhSetStringSetting2(SETTING_KSI_PORT_NAME, &randomPortName->sr); PhSetStringSetting2(SETTING_KSI_OBJECT_NAME, &randomObjectName->sr); PhSetStringSetting2(SETTING_KSI_ALTITUDE, &randomAltitude->sr); PhSaveSettings2(PhSettingsFileName); PhShowKsiMessage( WindowHandle, TD_INFORMATION_ICON, L"Kernel driver loaded", L"The kernel driver was successfully loaded using an alternate " L"method. The settings used to load the driver have been saved. " L"You can revert these settings in the advanced options." ); } PhDereferenceObject(randomServiceName); PhDereferenceObject(randomPortName); PhDereferenceObject(randomObjectName); PhDereferenceObject(randomAltitude); } if (!NT_SUCCESS(status)) { PhShowKsiMessageEx( WindowHandle, TD_SHIELD_ERROR_ICON, status, FALSE, L"Unable to load kernel driver", L"Unable to load the kernel driver service." ); goto CleanupExit; } level = KphLevelEx(FALSE); KsiActivateDynData(WindowHandle, level); if (!NtCurrentPeb()->BeingDebugged && (level != KphLevelMax)) { if ((level == KphLevelHigh) && !PhStartupParameters.KphStartupMax) { static CONST PH_STRINGREF commandline = PH_STRINGREF_INIT(L" -kx"); status = PhRestartSelf(&commandline); } if ((level < KphLevelHigh) && !PhStartupParameters.KphStartupMax && !PhStartupParameters.KphStartupHigh) { static CONST PH_STRINGREF commandline = PH_STRINGREF_INIT(L" -kh"); status = PhRestartSelf(&commandline); } if (!NT_SUCCESS(status)) { PhShowKsiMessageEx( WindowHandle, TD_ERROR_ICON, status, FALSE, L"Unable to load kernel driver", L"Unable to restart." ); goto CleanupExit; } } if (level == KphLevelMax) { ACCESS_MASK process = 0; ACCESS_MASK thread = 0; if (PhGetIntegerSetting(SETTING_KSI_ENABLE_UNLOAD_PROTECTION)) KphAcquireDriverUnloadProtection(NULL, NULL); switch (PhGetIntegerSetting(SETTING_KSI_CLIENT_PROCESS_PROTECTION_LEVEL)) { case 2: process |= (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION); thread |= (THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION); __fallthrough; case 1: process |= (PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME); thread |= (THREAD_TERMINATE | THREAD_SUSPEND_RESUME | THREAD_RESUME); __fallthrough; case 0: default: break; } if (process != 0 || thread != 0) KphStripProtectedProcessMasks(NtCurrentProcess(), process, thread); } PhInformerActivate(); status = STATUS_SUCCESS; CleanupExit: PhClearReference(&objectName); PhClearReference(&portName); PhClearReference(&altitude); PhClearReference(&ksiFileName); PhClearReference(&tempDriverDir); #ifdef DEBUG KsiDebugLogInitialize(); #endif return status; } /** * Thread callback routine that initializes KSI and notifies the originating window. * \param[in] CallbackContext Optional HWND passed as a void*; if provided * the routine sends TDM_CLICK_BUTTON to the window when initialization completes. * \return NTSTATUS Successful or errant status. */ _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS KsiInitializeCallbackThread( _In_opt_ PVOID CallbackContext ) { #ifdef KSI_DEBUG_DELAY_SPLASHSCREEN if (CallbackContext) PhDelayExecution(1000); #endif KsiConnect(CallbackContext); if (CallbackContext) { SendMessage(CallbackContext, TDM_CLICK_BUTTON, IDOK, 0); } return STATUS_SUCCESS; } /** * Dialog callback invoked by the splash screen TaskDialogIndirect. * * Handles creation notification by spawning the initialization thread and * updates marquee/timer UI. Also handles cancel button to abort the dialog. * * \param[in] WindowHandle HWND of the task dialog. * \param[in] Notification Task dialog notification code. * \param[in] wParam Notification-specific parameter. * \param[in] lParam Notification-specific parameter. * \param[in] Context User defined context pointer (unused). * \return HRESULT S_OK to continue default processing, S_FALSE to abort dialog. */ static HRESULT CALLBACK KsiSplashScreenDialogCallbackProc( _In_ HWND WindowHandle, _In_ UINT Notification, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR Context ) { switch (Notification) { case TDN_CREATED: { NTSTATUS status; HANDLE threadHandle; SendMessage(WindowHandle, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(WindowHandle, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); if (NT_SUCCESS(status = PhCreateThreadEx( &threadHandle, KsiInitializeCallbackThread, WindowHandle ))) { NtClose(threadHandle); } else { PhShowStatus(WindowHandle, L"Unable to create the window.", status, 0); } } break; case TDN_BUTTON_CLICKED: { INT buttonId = (INT)wParam; if (buttonId == IDCANCEL) { return S_FALSE; } } break; case TDN_TIMER: { ULONG ticks = (ULONG)wParam; PPH_STRING timeSpan = PhFormatUInt64(ticks, TRUE); PhMoveReference(&timeSpan, PhConcatStringRefZ(&timeSpan->sr, L" ms...")); SendMessage(WindowHandle, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)timeSpan->Buffer); PhDereferenceObject(timeSpan); } break; } return S_OK; } /** * Display a splash screen while the kernel driver initializes. * * This function configures and invokes a TaskDialogIndirect with a marquee * progress bar and callback to spawn the initialization thread. */ VOID KsiShowInitializingSplashScreen( VOID ) { TASKDIALOGCONFIG config; memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_SHOW_MARQUEE_PROGRESS_BAR | TDF_CAN_BE_MINIMIZED | TDF_CALLBACK_TIMER; config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.hMainIcon = PhGetApplicationIcon(FALSE); config.pfCallback = KsiSplashScreenDialogCallbackProc; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Initializing System Informer kernel driver..."; config.pszContent = L"0 ms..."; config.cxWidth = 200; TaskDialogIndirect(&config, NULL, NULL, NULL); } /** * Initialize the KSI subsystem for the application. * * Checks preconditions (elevation, OS version, architecture, old leftover * files) and then initializes underlying Kph and informer subsystems. If the * splash-screen setting is enabled the initialization will be done asynchronously * with a UI; otherwise initialization is performed synchronously. */ VOID PhInitializeKsi( VOID ) { if (!PhGetOwnTokenAttributes().Elevated) return; if (WindowsVersion < WINDOWS_10) { PhShowKsiMessageEx( NULL, TD_SHIELD_ERROR_ICON, 0, FALSE, L"Unable to load kernel driver", L"The kernel driver is not supported on this Windows version, the " L"minimum supported version is Windows 10." ); return; } if (PhIsExecutingInWow64()) { PhShowKsiMessageEx( NULL, TD_SHIELD_ERROR_ICON, 0, FALSE, L"Unable to load kernel driver", L"The kernel driver is not supported under Wow64, use the native " "binary instead." ); return; } if (USER_SHARED_DATA->NativeProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 && USER_SHARED_DATA->NativeProcessorArchitecture != PROCESSOR_ARCHITECTURE_ARM64) { PhShowKsiMessageEx( NULL, TD_SHIELD_ERROR_ICON, 0, FALSE, L"Unable to load kernel driver", L"The kernel driver is not supported on this architecture." ); return; } KphInitialize(); PhInformerInitialize(); KsiFileName = PhGetKsiFileName(); KsiServiceName = PhGetKsiServiceName(); if (PhIsNullOrEmptyString(KsiObjectName = PhGetStringSetting(SETTING_KSI_OBJECT_NAME))) PhMoveReference(&KsiObjectName, PhCreateString(KPH_OBJECT_NAME)); KsiEnableLoadNative = !!PhGetIntegerSetting(SETTING_KSI_ENABLE_LOAD_NATIVE); KsiEnableLoadFilter = !!PhGetIntegerSetting(SETTING_KSI_ENABLE_LOAD_FILTER); if (PhGetIntegerSetting(SETTING_KSI_ENABLE_SPLASH_SCREEN)) KsiShowInitializingSplashScreen(); else KsiInitializeCallbackThread(NULL); } /** * Cleanup KSI subsystems and optionally unload the driver on exit. * * If the communications channel is connected this will stop communications and, * depending on settings and client count, attempt to stop and unload the * driver service. Returns the NTSTATUS of the unload operation when attempted. * \return STATUS_SUCCESS when no unload required or unload succeeded, otherwise * an NTSTATUS indicating the error encountered during service stop. */ NTSTATUS PhCleanupKsi( VOID ) { NTSTATUS status; KPH_CONFIG_PARAMETERS config = { 0 }; BOOLEAN shouldUnload; if (!KphCommsIsConnected()) return STATUS_SUCCESS; if (PhGetIntegerSetting(SETTING_KSI_ENABLE_UNLOAD_PROTECTION)) KphReleaseDriverUnloadProtection(NULL, NULL); // // N.B. Portable mode doesn't use the updater which will unload the driver // on upgrades. In portable mode updates happen by the user so we should // always unload the driver on exit. It also really doesn't make sense to // keep the driver loaded in a portable configuration. // if (PhPortableEnabled || PhGetIntegerSetting(SETTING_KSI_UNLOAD_ON_EXIT)) { ULONG clientCount; if (!NT_SUCCESS(status = KphGetConnectedClientCount(&clientCount))) return status; shouldUnload = (clientCount == 1); } else { shouldUnload = FALSE; } KphCommsStop(); #ifdef DEBUG KsiDebugLogFinalize(); #endif if (!shouldUnload) return STATUS_SUCCESS; config.FileName = &KsiFileName->sr; config.ServiceName = &KsiServiceName->sr; config.ObjectName = &KsiObjectName->sr; config.EnableNativeLoad = KsiEnableLoadNative; config.EnableFilterLoad = KsiEnableLoadFilter; status = KphServiceStop(&config); return status; } /** * Parse a hex-encoded JSON settings blob to extract KSI settings. * * The function decodes the hex string stored in `KsiSettingsBlob`, parses the * JSON and extracts "KsiDirectory" and "KsiServiceName" entries. If both are * present the function sets `*Directory` and `*ServiceName` to referenced * strings that the caller must dereference. * * \param[in] KsiSettingsBlob Hex-encoded buffer stored as a PPH_STRING. * \param[out] Directory Receives referenced `PPH_STRING` of the directory. * \param[out] ServiceName Receives referenced `PPH_STRING` of the service name. * \return TRUE if both values were found and returned, FALSE otherwise. */ _Success_(return) BOOLEAN PhParseKsiSettingsBlob( _In_ PPH_STRING KsiSettingsBlob, _Out_ PPH_STRING* Directory, _Out_ PPH_STRING* ServiceName ) { PPH_STRING directory = NULL; PPH_STRING serviceName = NULL; PSTR string; ULONG stringLength; PPH_BYTES value; PVOID object; stringLength = (ULONG)KsiSettingsBlob->Length / sizeof(WCHAR) / 2; string = PhAllocateZero(stringLength + sizeof(UNICODE_NULL)); if (PhHexStringToBufferEx(&KsiSettingsBlob->sr, stringLength, string)) { value = PhCreateBytesEx(string, stringLength); if (NT_SUCCESS(PhCreateJsonParserEx(&object, value, FALSE))) { directory = PhGetJsonValueAsString(object, "KsiDirectory"); serviceName = PhGetJsonValueAsString(object, "KsiServiceName"); PhFreeJsonObject(object); } PhDereferenceObject(value); } PhFree(string); if (!PhIsNullOrEmptyString(directory) && !PhIsNullOrEmptyString(serviceName)) { *Directory = directory; *ServiceName = serviceName; return TRUE; } PhClearReference(&serviceName); PhClearReference(&directory); return FALSE; } // Note: Exported from appsup.h (dmex) /** * Create a small configuration blob containing the KSI directory and service name. * * This helper constructs a JSON object containing the current `KsiDirectory` * and `KsiServiceName`, converts it to a UTF-8 JSON string, and returns the * value encoded as a hex string `PPH_STRING`. The returned string is a * referenced object and the caller must free it. * \return Referenced `PPH_STRING` containing the hex-encoded JSON settings. */ PVOID PhCreateKsiSettingsBlob( VOID ) { PVOID object; PPH_BYTES value; PPH_STRING string; PPH_STRING directory; PPH_STRING serviceName; object = PhCreateJsonObject(); #if defined(PH_BUILD_MSIX) PPH_STRING fileName; PH_FORMAT format[4]; PhInitFormatS(&format[0], L"\\Drivers"); PhInitFormatS(&format[1], L"\\SystemInformer"); fileName = PhFormat(format, RTL_NUMBER_OF(format), MAX_PATH); directory = PhGetSystemDirectoryWin32(&fileName->sr); PhDereferenceObject(fileName); #else directory = PhGetApplicationDirectoryWin32(); #endif value = PhConvertStringToUtf8(directory); PhAddJsonObject2(object, "KsiDirectory", value->Buffer, value->Length); PhDereferenceObject(value); PhDereferenceObject(directory); serviceName = PhGetKsiServiceName(); value = PhConvertStringToUtf8(serviceName); PhAddJsonObject2(object, "KsiServiceName", value->Buffer, value->Length); PhDereferenceObject(value); PhDereferenceObject(serviceName); value = PhGetJsonArrayString(object, FALSE); string = PhBufferToHexString((PUCHAR)value->Buffer, (ULONG)value->Length); PhDereferenceObject(value); PhFreeJsonObject(object); return string; } /** * Measures latency of the KPH driver using its performance counter interface. * * If the current KSI level is below KphLevelLow, the function sets all output * values to zero and returns STATUS_UNSUCCESSFUL. Otherwise it queries the KPH * performance counter and measures timestamps before and after the kernel call * to compute: * * - Duration: Total round-trip time (local wall clock) * - DurationDown: Time spent entering the kernel (downstream) * - DurationUp: Time spent returning from the kernel (upstream) * * \param[out] Duration Total measured duration. * \param[out] DurationDown Time spent sending the request to the kernel. * \param[out] DurationUp Time spent recieving the response from the kernel. * \return NTSTATUS from KphQueryPerformanceCounter, or STATUS_UNSUCCESSFUL. * \remarks Use this function when you need a kernel-reported high-resolution * timebase to measure or correlate user/kernel timing. */ NTSTATUS PhQueryKphCounters( _Out_ PULONG64 Duration, _Out_ PULONG64 DurationDown, _Out_ PULONG64 DurationUp ) { NTSTATUS status; LARGE_INTEGER performanceCounterStart; LARGE_INTEGER performanceCounterStop; LARGE_INTEGER performanceCounter; ULONG64 performanceCounterDuration; ULONG64 performanceCounterDown; ULONG64 performanceCounterUp; if (KsiLevel() < KphLevelLow) { *Duration = 0; *DurationDown = 0; *DurationUp = 0; status = STATUS_UNSUCCESSFUL; } else { PhQueryPerformanceCounter(&performanceCounterStart); status = KphQueryPerformanceCounter(&performanceCounter, NULL); PhQueryPerformanceCounter(&performanceCounterStop); performanceCounterDuration = performanceCounterStop.QuadPart - performanceCounterStart.QuadPart; performanceCounterDown = performanceCounter.QuadPart - performanceCounterStart.QuadPart; performanceCounterUp = performanceCounterStop.QuadPart - performanceCounter.QuadPart; *Duration = performanceCounterDuration; *DurationDown = performanceCounterDown; *DurationUp = performanceCounterUp; } return status; } #if defined(KSI_ONLINE_PLATFORM_SUPPORT) PPH_STRING KsiCreateBuildString( VOID ) { static const PH_STRINGREF versionHeader = PH_STRINGREF_INIT(L"KsiBuild: "); ULONG majorVersion; ULONG minorVersion; ULONG buildVersion; ULONG revisionVersion; SIZE_T returnLength; PH_FORMAT format[8]; WCHAR formatBuffer[260]; PhGetPhVersionNumbers(&majorVersion, &minorVersion, &buildVersion, &revisionVersion); PhInitFormatSR(&format[0], versionHeader); PhInitFormatU(&format[1], majorVersion); PhInitFormatC(&format[2], L'.'); PhInitFormatU(&format[3], minorVersion); PhInitFormatC(&format[4], L'.'); PhInitFormatU(&format[5], buildVersion); PhInitFormatC(&format[6], L'.'); PhInitFormatU(&format[7], revisionVersion); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &returnLength)) { PH_STRINGREF stringFormat; stringFormat.Buffer = formatBuffer; stringFormat.Length = returnLength - sizeof(UNICODE_NULL); return PhCreateString2(&stringFormat); } else { return PhFormat(format, RTL_NUMBER_OF(format), 0); } } NTSTATUS KsiCreatePlatformSupportInformation( _In_ PCPH_STRINGREF FileName, _Out_ PUSHORT ImageMachine, _Out_ PULONG TimeDateStamp, _Out_ PULONG SizeOfImage, _Out_writes_bytes_to_(OutputLength, *ReturnLength) PWSTR OutputBuffer, _In_ SIZE_T OutputLength, _Out_opt_ PSIZE_T ReturnLength ) { NTSTATUS status; HANDLE fileHandle; USHORT imageMachine; ULONG imageDateStamp; ULONG imageSizeOfImage; PH_MAPPED_IMAGE mappedImage; LARGE_INTEGER fileSize; PH_HASH_CONTEXT hashContext; ULONG64 bytesRemaining; ULONG numberOfBytesRead; ULONG bufferLength; PBYTE buffer; UCHAR hash[PH_HASH_SHA256_LENGTH]; status = PhCreateFile( &fileHandle, FileName, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; status = PhGetFileSize(fileHandle, &fileSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhInitializeHash(&hashContext, Sha256HashAlgorithm); if (!NT_SUCCESS(status)) goto CleanupExit; bufferLength = PAGE_SIZE * 2; buffer = PhAllocateSafe(bufferLength); if (!buffer) { status = STATUS_INSUFFICIENT_RESOURCES; goto CleanupExit; } bytesRemaining = (ULONG64)fileSize.QuadPart; while (bytesRemaining) { status = PhReadFile( fileHandle, buffer, bufferLength, NULL, &numberOfBytesRead ); if (!NT_SUCCESS(status)) break; status = PhUpdateHash( &hashContext, buffer, numberOfBytesRead ); if (!NT_SUCCESS(status)) break; bytesRemaining -= numberOfBytesRead; } PhFree(buffer); status = PhFinalHash( &hashContext, hash, sizeof(hash), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (!PhBufferToHexStringBuffer( hash, sizeof(hash), FALSE, OutputBuffer, OutputLength, ReturnLength )) { status = STATUS_FAIL_CHECK; goto CleanupExit; } status = PhLoadMappedImageHeaderPageSize( NULL, fileHandle, &mappedImage ); if (!NT_SUCCESS(status)) goto CleanupExit; __try { imageMachine = mappedImage.NtHeaders->FileHeader.Machine; imageDateStamp = mappedImage.NtHeaders->FileHeader.TimeDateStamp; imageSizeOfImage = mappedImage.NtHeaders->OptionalHeader.SizeOfImage; } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } PhUnloadMappedImage(&mappedImage); if (!NT_SUCCESS(status)) goto CleanupExit; if (NT_SUCCESS(status)) { *ImageMachine = imageMachine; *TimeDateStamp = imageDateStamp; *SizeOfImage = imageSizeOfImage; NtClose(fileHandle); return STATUS_SUCCESS; } CleanupExit: NtClose(fileHandle); return status; } typedef struct _KSI_PLATFORM_BUILD_ENTRY { USHORT Class; PH_STRINGREF FileName; } KSI_PLATFORM_BUILD_ENTRY, *PKSI_PLATFORM_BUILD_ENTRY; PPH_STRING KsiCreatePlatformBuildString( VOID ) { static CONST PH_STRINGREF platformHeader = PH_STRINGREF_INIT(L"KsiPlatformSupport: "); static CONST KSI_PLATFORM_BUILD_ENTRY platformFiles[] = { { KPH_DYN_CLASS_NTOSKRNL, PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\ntoskrnl.exe") }, { KPH_DYN_CLASS_NTKRLA57, PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\ntkrla57.exe") }, { KPH_DYN_CLASS_LXCORE, PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\drivers\\lxcore.sys") }, }; PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 30); PhAppendStringBuilder(&stringBuilder, &platformHeader); PhAppendStringBuilder2(&stringBuilder, L"{\"version\":1,"); PhAppendStringBuilder2(&stringBuilder, L"\"files\":["); for (ULONG i = 0; i < RTL_NUMBER_OF(platformFiles); i++) { USHORT imageMachine; ULONG timeDateStamp; ULONG sizeOfImage; SIZE_T outputLength = 0; WCHAR outputBuffer[PH_HASH_SHA256_LENGTH * 2 + 1]; if (NT_SUCCESS(KsiCreatePlatformSupportInformation( &platformFiles[i].FileName, &imageMachine, &timeDateStamp, &sizeOfImage, outputBuffer, sizeof(outputBuffer), &outputLength ))) { PPH_STRING string; PH_STRINGREF hashString; PH_FORMAT format[11]; hashString.Buffer = outputBuffer; hashString.Length = outputLength; PhInitFormatS(&format[0], L"{\"hash\":\""); PhInitFormatSR(&format[1], hashString); PhInitFormatS(&format[2], L"\",\"file\":"); PhInitFormatU(&format[3], platformFiles[i].Class); PhInitFormatS(&format[4], L",\"machine\":"); PhInitFormatU(&format[5], imageMachine); PhInitFormatS(&format[6], L",\"timestamp\":"); PhInitFormatU(&format[7], timeDateStamp); PhInitFormatS(&format[8], L",\"size\":"); PhInitFormatU(&format[9], sizeOfImage); PhInitFormatS(&format[10], L"},"); string = PhFormat(format, RTL_NUMBER_OF(format), 10); PhAppendStringBuilder(&stringBuilder, &string->sr); PhDereferenceObject(string); } } if (PhEndsWithString2(stringBuilder.String, L",", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 1); PhAppendStringBuilder2(&stringBuilder, L"]}"); return PhFinalStringBuilderString(&stringBuilder); } PPH_STRING KsiCreateUpdateWindowsString( VOID ) { PPH_STRING buildString = NULL; PPH_STRING fileName; PVOID imageBase; ULONG imageSize; PVOID versionInfo; if (NT_SUCCESS(PhGetKernelFileNameEx(&fileName, &imageBase, &imageSize))) { if (NT_SUCCESS(PhGetFileVersionInfoEx(&fileName->sr, &versionInfo))) { VS_FIXEDFILEINFO* rootBlock; if (rootBlock = PhGetFileVersionFixedInfo(versionInfo)) { PH_FORMAT format[5]; PhInitFormatS(&format[0], L"KsiOsBuild: "); PhInitFormatU(&format[1], HIWORD(rootBlock->dwFileVersionLS)); PhInitFormatC(&format[2], '.'); PhInitFormatU(&format[3], LOWORD(rootBlock->dwFileVersionLS)); PhInitFormatS(&format[4], PhIsExecutingInWow64() ? L"_64" : L"_32"); buildString = PhFormat(format, RTL_NUMBER_OF(format), 0); } PhFree(versionInfo); } PhDereferenceObject(fileName); } return buildString; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS KsiCheckKernelSupportThread( _In_ PVOID Parameter ) { PKSI_KERNEL_SUPPORT_CHECK_CONTEXT context = Parameter; NTSTATUS status; PPH_HTTP_CONTEXT httpContext = NULL; PPH_STRING xmlData = NULL; PPH_STRING searchString = NULL; if (!NT_SUCCESS(status = PhHttpInitialize(&httpContext))) goto CleanupExit; if (!NT_SUCCESS(status = PhHttpConnect(httpContext, L"systeminformer.io", PH_HTTP_DEFAULT_HTTPS_PORT))) goto CleanupExit; if (!NT_SUCCESS(status = PhHttpBeginRequest(httpContext, L"POST", L"/ksiver", PH_HTTP_FLAG_SECURE))) goto CleanupExit; { PPH_STRING buildStringHeader; PPH_STRING updateStringHeader; PPH_STRING platformStringHeader; if (buildStringHeader = KsiCreateBuildString()) { PhHttpAddRequestHeadersSR(httpContext, &buildStringHeader->sr); PhDereferenceObject(buildStringHeader); } if (updateStringHeader = KsiCreateUpdateWindowsString()) { PhHttpAddRequestHeadersSR(httpContext, &updateStringHeader->sr); PhDereferenceObject(updateStringHeader); } if (platformStringHeader = KsiCreatePlatformBuildString()) { PhHttpAddRequestHeadersSR(httpContext, &platformStringHeader->sr); PhDereferenceObject(platformStringHeader); } } if (!NT_SUCCESS(status = PhHttpSendRequest(httpContext, NULL, 0, NULL, 0, 0))) goto CleanupExit; if (!NT_SUCCESS(status = PhHttpReceiveResponse(httpContext))) goto CleanupExit; if (!NT_SUCCESS(status = PhHttpQueryResponseStatus(httpContext))) goto CleanupExit; WriteBooleanRelease(&context->IsSupported, TRUE); CleanupExit: if (searchString) PhDereferenceObject(searchString); if (xmlData) PhDereferenceObject(xmlData); if (httpContext) PhHttpDestroy(httpContext); WriteBooleanRelease(&context->CheckComplete, TRUE); return STATUS_SUCCESS; } HRESULT CALLBACK KsiKernelSupportCheckDialogCallbackProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { PKSI_KERNEL_SUPPORT_CHECK_CONTEXT context = (PKSI_KERNEL_SUPPORT_CHECK_CONTEXT)dwRefData; switch (uMsg) { case TDN_CREATED: { context->TaskDialogHandle = hwndDlg; SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); PhCreateThread2(KsiCheckKernelSupportThread, context); } break; case TDN_DESTROYED: { context->TaskDialogHandle = NULL; } break; case TDN_TIMER: { if (ReadBooleanAcquire(&context->CheckComplete)) { WriteBooleanRelease(&context->CheckComplete, TRUE); TASKDIALOGCONFIG config = { sizeof(TASKDIALOGCONFIG) }; config.hwndParent = context->WindowHandle; config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | TDF_POSITION_RELATIVE_TO_WINDOW; config.dwCommonButtons = TDCBF_OK_BUTTON; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = TD_SHIELD_WARNING_ICON; config.cxWidth = 200; if (ReadBooleanAcquire(&context->IsSupported)) { config.pszMainInstruction = L"Platform support pending review."; config.pszContent = L"Your kernel version is pending review on the development branch. " L"Your kernel will be supported in the next build!"; } else { if (context->IsCanaryChannel) { config.pszMainInstruction = L"Kernel version not supported"; config.pszContent = L"This kernel version is not yet supported. " L"Your kernel version is pending review review on the development branch."; } else { config.pszMainInstruction = L"Kernel version not supported"; config.pszContent = L"This kernel version is not yet supported. " L"For the latest kernel support switch to the Canary update channel " L"(Help > Check for updates > Canary > Check)."; } } PhTaskDialogNavigatePage(hwndDlg, &config); } } break; } return S_OK; } VOID KsiShowKernelSupportCheckDialog( _In_opt_ HWND WindowHandle ) { KSI_KERNEL_SUPPORT_CHECK_CONTEXT context = { 0 }; PPH_STRING statusMessage; statusMessage = PhpGetKsiMessage2( STATUS_SI_DYNDATA_UNSUPPORTED_KERNEL, FALSE, L"Checking for pending platform update...", NULL ); context.WindowHandle = WindowHandle; context.IsCanaryChannel = (PhGetPhReleaseChannel() >= PhCanaryChannel); KsiGetKernelSupportData(&context.SupportData); TASKDIALOGCONFIG config = { sizeof(TASKDIALOGCONFIG) }; config.hwndParent = WindowHandle; config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | TDF_SHOW_PROGRESS_BAR | TDF_POSITION_RELATIVE_TO_WINDOW | TDF_CALLBACK_TIMER; config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = TD_SHIELD_WARNING_ICON; config.pszMainInstruction = L"Checking for pending platform update..."; config.pszContent = PhGetString(statusMessage); config.lpCallbackData = (LONG_PTR)&context; config.pfCallback = KsiKernelSupportCheckDialogCallbackProc; config.cxWidth = 200; PhShowTaskDialog(&config, NULL, NULL, NULL); } #endif ================================================ FILE: SystemInformer/ksyscall.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2019-2023 * */ #include #include #define NTOS_SERVICE_INDEX 0 #define WIN32K_SERVICE_INDEX 1 typedef union _NT_SYSTEMCALL_NUMBER { USHORT SystemCallNumber; struct { USHORT SystemCallIndex : 12; USHORT SystemServiceIndex : 4; }; } NT_SYSTEMCALL_NUMBER, *PNT_SYSTEMCALL_NUMBER; typedef struct _PH_SYSCALL_NAME_ENTRY { ULONG_PTR Address; PPH_STRING Name; } PH_SYSCALL_NAME_ENTRY, *PPH_SYSCALL_NAME_ENTRY; static int __cdecl PhpSystemCallListIndexSort( _In_ void* Context, _In_ const void *elem1, _In_ const void *elem2 ) { PPH_SYSCALL_NAME_ENTRY entry1 = *(PPH_SYSCALL_NAME_ENTRY*)elem1; PPH_SYSCALL_NAME_ENTRY entry2 = *(PPH_SYSCALL_NAME_ENTRY*)elem2; return uintptrcmp(entry1->Address, entry2->Address); } VOID PhGenerateSyscallLists( _Out_ PPH_LIST* NtdllSystemCallList, _Out_ PPH_LIST* Win32kSystemCallList ) { static CONST PH_STRINGREF ntdllFileName = PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\ntdll.dll"); static CONST PH_STRINGREF win32kFileName = PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\win32k.sys"); static CONST PH_STRINGREF win32uFileName = PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\win32u.dll"); PPH_LIST ntdllSystemCallList = NULL; PPH_LIST win32kSystemCallList = NULL; PH_MAPPED_IMAGE mappedImage; PH_MAPPED_IMAGE_EXPORTS exports; PH_MAPPED_IMAGE_EXPORT_ENTRY exportEntry; PH_MAPPED_IMAGE_EXPORT_FUNCTION exportFunction; if (NT_SUCCESS(PhLoadMappedImageEx(&ntdllFileName, NULL, &mappedImage))) { if (NT_SUCCESS(PhGetMappedImageExports(&exports, &mappedImage))) { PPH_LIST list = PhCreateList(exports.NumberOfEntries); for (ULONG i = 0; i < exports.NumberOfEntries; i++) { if (NT_SUCCESS(PhGetMappedImageExportEntry(&exports, i, &exportEntry))) { if (!(exportEntry.Name && strncmp(exportEntry.Name, "Zw", 2) == 0)) continue; if (NT_SUCCESS(PhGetMappedImageExportFunction(&exports, NULL, exportEntry.Ordinal, &exportFunction))) { PPH_SYSCALL_NAME_ENTRY entry; entry = PhAllocate(sizeof(PH_SYSCALL_NAME_ENTRY)); entry->Address = (ULONG_PTR)exportFunction.Function; entry->Name = PhZeroExtendToUtf16(exportEntry.Name); entry->Name->Buffer[0] = L'N'; entry->Name->Buffer[1] = L't'; PhAddItemList(list, entry); } } } qsort_s(list->Items, list->Count, sizeof(PVOID), PhpSystemCallListIndexSort, NULL); if (list->Count) { ntdllSystemCallList = PhCreateList(list->Count); for (ULONG i = 0; i < list->Count; i++) { PPH_SYSCALL_NAME_ENTRY entry = list->Items[i]; PhAddItemList(ntdllSystemCallList, entry->Name); PhFree(entry); } } PhDereferenceObject(list); } PhUnloadMappedImage(&mappedImage); } if (WindowsVersion >= WINDOWS_10_20H1) { if (NT_SUCCESS(PhLoadMappedImageEx(&win32kFileName, NULL, &mappedImage))) { if (NT_SUCCESS(PhGetMappedImageExports(&exports, &mappedImage))) { PPH_LIST list = PhCreateList(exports.NumberOfEntries); for (ULONG i = 0; i < exports.NumberOfEntries; i++) { if (NT_SUCCESS(PhGetMappedImageExportEntry(&exports, i, &exportEntry))) { if (!(exportEntry.Name && strncmp(exportEntry.Name, "__win32kstub_", 13) == 0)) continue; if (NT_SUCCESS(PhGetMappedImageExportFunction(&exports, NULL, exportEntry.Ordinal, &exportFunction))) { PPH_SYSCALL_NAME_ENTRY entry; entry = PhAllocate(sizeof(PH_SYSCALL_NAME_ENTRY)); entry->Address = (ULONG_PTR)exportFunction.Function; entry->Name = PhZeroExtendToUtf16(exportEntry.Name); PhSkipStringRef(&entry->Name->sr, 13 * sizeof(WCHAR)); PhAddItemList(list, entry); } } } qsort_s(list->Items, list->Count, sizeof(PVOID), PhpSystemCallListIndexSort, NULL); if (list->Count) { win32kSystemCallList = PhCreateList(list->Count); for (ULONG i = 0; i < list->Count; i++) { PPH_SYSCALL_NAME_ENTRY entry = list->Items[i]; PhAddItemList(win32kSystemCallList, entry->Name); PhFree(entry); } } PhDereferenceObject(list); } PhUnloadMappedImage(&mappedImage); } } else { if (NT_SUCCESS(PhLoadMappedImageEx(&win32uFileName, NULL, &mappedImage))) { if (NT_SUCCESS(PhGetMappedImageExports(&exports, &mappedImage))) { PPH_LIST list = PhCreateList(exports.NumberOfEntries); for (ULONG i = 0; i < exports.NumberOfEntries; i++) { if (NT_SUCCESS(PhGetMappedImageExportEntry(&exports, i, &exportEntry))) { if (!(exportEntry.Name && strncmp(exportEntry.Name, "Nt", 2) == 0)) continue; if (NT_SUCCESS(PhGetMappedImageExportFunction(&exports, NULL, exportEntry.Ordinal, &exportFunction))) { PPH_SYSCALL_NAME_ENTRY entry; entry = PhAllocate(sizeof(PH_SYSCALL_NAME_ENTRY)); entry->Address = (ULONG_PTR)exportFunction.Function; entry->Name = PhZeroExtendToUtf16(exportEntry.Name); // NOTE: When system calls are deleted from win32k.sys the win32u.dll interface gets // replaced with stubs that call RaiseFailFastException. This breaks the sorting via // RVA based on exports since these exports still exist so we have to check the prologue. (dmex) if (WindowsVersion >= WINDOWS_10_21H1) { PBYTE exportAddress; if (exportAddress = PhMappedImageRvaToVa(&mappedImage, PtrToUlong(exportFunction.Function), NULL)) { PNT_SYSTEMCALL_NUMBER systemCallEntry = NULL; #ifdef _WIN64 const BYTE prologue[4] = { 0x4C, 0x8B, 0xD1, 0xB8 }; if (RtlEqualMemory(exportAddress, prologue, sizeof(prologue))) { systemCallEntry = PTR_ADD_OFFSET(exportAddress, sizeof(prologue)); } #else const BYTE prologue[1] = { 0xB8 }; if (RtlEqualMemory(exportAddress, prologue, sizeof(prologue))) { systemCallEntry = PTR_ADD_OFFSET(exportAddress, sizeof(prologue)); } #endif if (systemCallEntry && systemCallEntry->SystemServiceIndex == WIN32K_SERVICE_INDEX) { entry->Address = systemCallEntry->SystemCallIndex; PhAddItemList(list, entry); } } } else { PhAddItemList(list, entry); } } } } qsort_s(list->Items, list->Count, sizeof(PVOID), PhpSystemCallListIndexSort, NULL); if (list->Count) { win32kSystemCallList = PhCreateList(list->Count); for (ULONG i = 0; i < list->Count; i++) { PPH_SYSCALL_NAME_ENTRY entry = list->Items[i]; PhAddItemList(win32kSystemCallList, entry->Name); PhFree(entry); } } PhDereferenceObject(list); } PhUnloadMappedImage(&mappedImage); } } *NtdllSystemCallList = ntdllSystemCallList; *Win32kSystemCallList = win32kSystemCallList; } PPH_STRING PhGetSystemCallNumberName( _In_ USHORT SystemCallNumber ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_LIST ntdllSystemCallList = NULL; static PPH_LIST win32kSystemCallList = NULL; PNT_SYSTEMCALL_NUMBER systemCallEntry = (PNT_SYSTEMCALL_NUMBER)&SystemCallNumber; if (PhBeginInitOnce(&initOnce)) { PhGenerateSyscallLists(&ntdllSystemCallList, &win32kSystemCallList); PhEndInitOnce(&initOnce); } switch (systemCallEntry->SystemServiceIndex) { case NTOS_SERVICE_INDEX: { if (ntdllSystemCallList && systemCallEntry->SystemCallIndex <= ntdllSystemCallList->Count) { PPH_STRING entry = ntdllSystemCallList->Items[systemCallEntry->SystemCallIndex]; return PhReferenceObject(entry); } } break; case WIN32K_SERVICE_INDEX: { if (win32kSystemCallList && systemCallEntry->SystemCallIndex <= win32kSystemCallList->Count) { PPH_STRING entry = win32kSystemCallList->Items[systemCallEntry->SystemCallIndex]; return PhReferenceObject(entry); } } break; } return NULL; } ================================================ FILE: SystemInformer/log.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2021 * */ #include #include #include #include PH_CIRCULAR_BUFFER_PVOID PhLogBuffer; VOID PhLogInitialization( VOID ) { ULONG entries; entries = PhGetIntegerSetting(SETTING_LOG_ENTRIES); if (entries > 0x1000) entries = 0x1000; PhInitializeCircularBuffer_PVOID(&PhLogBuffer, entries); memset(PhLogBuffer.Data, 0, sizeof(PVOID) * PhLogBuffer.Size); } PPH_LOG_ENTRY PhpCreateLogEntry( _In_ UCHAR Type ) { PPH_LOG_ENTRY entry; entry = PhAllocate(sizeof(PH_LOG_ENTRY)); memset(entry, 0, sizeof(PH_LOG_ENTRY)); entry->Type = Type; PhQuerySystemTime(&entry->Time); return entry; } VOID PhpFreeLogEntry( _In_ _Post_invalid_ PPH_LOG_ENTRY Entry ) { if (Entry->Type >= PH_LOG_ENTRY_PROCESS_FIRST && Entry->Type <= PH_LOG_ENTRY_PROCESS_LAST) { PhDereferenceObject(Entry->Process.Name); if (Entry->Process.ParentName) PhDereferenceObject(Entry->Process.ParentName); } else if (Entry->Type >= PH_LOG_ENTRY_SERVICE_FIRST && Entry->Type <= PH_LOG_ENTRY_SERVICE_LAST) { PhDereferenceObject(Entry->Service.Name); PhDereferenceObject(Entry->Service.DisplayName); } else if (Entry->Type == PH_LOG_ENTRY_MESSAGE) { PhDereferenceObject(Entry->Message); } PhFree(Entry); } PPH_LOG_ENTRY PhpCreateProcessLogEntry( _In_ UCHAR Type, _In_ HANDLE ProcessId, _In_ PPH_STRING Name, _In_opt_ HANDLE ParentProcessId, _In_opt_ PPH_STRING ParentName, _In_opt_ ULONG Status ) { PPH_LOG_ENTRY entry; entry = PhpCreateLogEntry(Type); entry->Process.ProcessId = ProcessId; PhReferenceObject(Name); entry->Process.Name = Name; entry->Process.ParentProcessId = ParentProcessId; if (!PhIsNullOrEmptyString(ParentName)) { PhReferenceObject(ParentName); entry->Process.ParentName = ParentName; } entry->Process.ExitStatus = Status; return entry; } PPH_LOG_ENTRY PhpCreateServiceLogEntry( _In_ UCHAR Type, _In_ PPH_STRING Name, _In_ PPH_STRING DisplayName ) { PPH_LOG_ENTRY entry; entry = PhpCreateLogEntry(Type); PhReferenceObject(Name); entry->Service.Name = Name; PhReferenceObject(DisplayName); entry->Service.DisplayName = DisplayName; return entry; } PPH_LOG_ENTRY PhpCreateDeviceLogEntry( _In_ UCHAR Type, _In_ PPH_STRING Classification, _In_ PPH_STRING Name ) { PPH_LOG_ENTRY entry; entry = PhpCreateLogEntry(Type); PhReferenceObject(Classification); entry->Device.Classification = Classification; PhReferenceObject(Name); entry->Device.Name = Name; return entry; } PPH_LOG_ENTRY PhpCreateMessageLogEntry( _In_ UCHAR Type, _In_ PPH_STRING Message ) { PPH_LOG_ENTRY entry; entry = PhpCreateLogEntry(Type); PhReferenceObject(Message); entry->Message = Message; return entry; } VOID PhpLogEntry( _In_ PPH_LOG_ENTRY Entry ) { PPH_LOG_ENTRY oldEntry; oldEntry = PhAddItemCircularBuffer2_PVOID(&PhLogBuffer, Entry); if (oldEntry) PhpFreeLogEntry(oldEntry); PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackLoggedEvent), Entry); } VOID PhClearLogEntries( VOID ) { ULONG i; for (i = 0; i < PhLogBuffer.Size; i++) { if (PhLogBuffer.Data[i]) PhpFreeLogEntry(PhLogBuffer.Data[i]); } PhClearCircularBuffer_PVOID(&PhLogBuffer); memset(PhLogBuffer.Data, 0, sizeof(PVOID) * PhLogBuffer.Size); } VOID PhLogProcessEntry( _In_ UCHAR Type, _In_ HANDLE ProcessId, _In_ PPH_STRING Name, _In_opt_ HANDLE ParentProcessId, _In_opt_ PPH_STRING ParentName, _In_opt_ ULONG Status ) { PhpLogEntry(PhpCreateProcessLogEntry(Type, ProcessId, Name, ParentProcessId, ParentName, Status)); } VOID PhLogServiceEntry( _In_ UCHAR Type, _In_ PPH_STRING Name, _In_ PPH_STRING DisplayName ) { PhpLogEntry(PhpCreateServiceLogEntry(Type, Name, DisplayName)); } VOID PhLogDeviceEntry( _In_ UCHAR Type, _In_ PPH_STRING Classification, _In_ PPH_STRING Name ) { PhpLogEntry(PhpCreateDeviceLogEntry(Type, Classification, Name)); } VOID PhLogMessageEntry( _In_ UCHAR Type, _In_ PPH_STRING Message ) { PhpLogEntry(PhpCreateMessageLogEntry(Type, Message)); } PPH_STRING PhpFormatLogEntryToBuffer( _In_ PPH_FORMAT Format, _In_ ULONG Count ) { SIZE_T formatLength; WCHAR formatBuffer[0x80]; if (PhFormatToBuffer( Format, Count, formatBuffer, sizeof(formatBuffer), &formatLength )) { PH_STRINGREF text; text.Length = formatLength - sizeof(UNICODE_NULL); text.Buffer = formatBuffer; return PhCreateString2(&text); } return PhFormat(Format, Count, 0x80); } PPH_STRING PhFormatLogEntry( _In_ PPH_LOG_ENTRY Entry ) { switch (Entry->Type) { case PH_LOG_ENTRY_PROCESS_CREATE: { PH_FORMAT format[8]; // Process created: %s (%lu) started by %s (%lu) //PhInitFormatS(&format[0], L"Process created: "); PhInitFormatSR(&format[0], Entry->Process.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatU(&format[2], HandleToUlong(Entry->Process.ProcessId)); PhInitFormatS(&format[3], L") started by "); if (Entry->Process.ParentName) PhInitFormatSR(&format[4], Entry->Process.ParentName->sr); else PhInitFormatS(&format[4], L"Unknown process"); PhInitFormatS(&format[5], L" ("); PhInitFormatU(&format[6], HandleToUlong(Entry->Process.ParentProcessId)); PhInitFormatC(&format[7], L')'); //return PhFormatString( // L"Process created: %s (%lu) started by %s (%lu)", // Entry->Process.Name->Buffer, // HandleToUlong(Entry->Process.ProcessId), // PhGetStringOrDefault(Entry->Process.ParentName, L"Unknown process"), // HandleToUlong(Entry->Process.ParentProcessId) // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_PROCESS_DELETE: { PH_FORMAT format[5]; // Process terminated: %s (%lu); exit status 0x%x //PhInitFormatS(&format[0], L"Process terminated: "); PhInitFormatSR(&format[0], Entry->Process.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatU(&format[2], HandleToUlong(Entry->Process.ProcessId)); PhInitFormatS(&format[3], L"); exit status "); PhInitFormatX(&format[4], Entry->Process.ExitStatus); //return PhFormatString( // L"Process terminated: %s (%lu); exit status 0x%x", // Entry->Process.Name->Buffer, // HandleToUlong(Entry->Process.ProcessId), // Entry->Process.ExitStatus // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_SERVICE_CREATE: { PH_FORMAT format[4]; // Service created: %s (%s) //PhInitFormatS(&format[0], L"Service created: "); PhInitFormatSR(&format[0], Entry->Service.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Service.DisplayName->sr); PhInitFormatC(&format[3], L')'); //return PhFormatString( // L"Service created: %s (%s)", // Entry->Service.Name->Buffer, // Entry->Service.DisplayName->Buffer // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_SERVICE_DELETE: { PH_FORMAT format[4]; // Service deleted: %s (%s) //PhInitFormatS(&format[0], L"Service deleted: "); PhInitFormatSR(&format[0], Entry->Service.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Service.DisplayName->sr); PhInitFormatC(&format[3], L')'); //return PhFormatString( // L"Service deleted: %s (%s)", // Entry->Service.Name->Buffer, // Entry->Service.DisplayName->Buffer // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_SERVICE_START: { PH_FORMAT format[4]; // Service started: %s (%s) //PhInitFormatS(&format[0], L"Service started: "); PhInitFormatSR(&format[0], Entry->Service.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Service.DisplayName->sr); PhInitFormatC(&format[3], L')'); //return PhFormatString( // L"Service started: %s (%s)", // Entry->Service.Name->Buffer, // Entry->Service.DisplayName->Buffer // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_SERVICE_STOP: { PH_FORMAT format[4]; // Service stopped: %s (%s) //PhInitFormatS(&format[0], L"Service stopped: "); PhInitFormatSR(&format[0], Entry->Service.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Service.DisplayName->sr); PhInitFormatC(&format[3], L')'); //return PhFormatString( // L"Service stopped: %s (%s)", // Entry->Service.Name->Buffer, // Entry->Service.DisplayName->Buffer // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_SERVICE_CONTINUE: { PH_FORMAT format[4]; // Service continued: %s (%s) //PhInitFormatS(&format[0], L"Service continued: "); PhInitFormatSR(&format[0], Entry->Service.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Service.DisplayName->sr); PhInitFormatC(&format[3], L')'); //return PhFormatString( // L"Service continued: %s (%s)", // Entry->Service.Name->Buffer, // Entry->Service.DisplayName->Buffer // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_SERVICE_PAUSE: { PH_FORMAT format[4]; // Service paused: %s (%s) //PhInitFormatS(&format[0], L"Service paused: "); PhInitFormatSR(&format[0], Entry->Service.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Service.DisplayName->sr); PhInitFormatC(&format[3], L')'); //return PhFormatString( // L"Service paused: %s (%s)", // Entry->Service.Name->Buffer, // Entry->Service.DisplayName->Buffer // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_SERVICE_MODIFIED: { PH_FORMAT format[4]; // Service modified: %s (%s) //PhInitFormatS(&format[0], L"Service modified: "); PhInitFormatSR(&format[0], Entry->Service.Name->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Service.DisplayName->sr); PhInitFormatC(&format[3], L')'); //return PhFormatString( // L"Service modified: %s (%s)", // Entry->Service.Name->Buffer, // Entry->Service.DisplayName->Buffer // ); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_DEVICE_REMOVED: { PH_FORMAT format[4]; //PhInitFormatS(&format[0], L"Device removed: "); PhInitFormatSR(&format[0], Entry->Device.Classification->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Device.Name->sr); PhInitFormatC(&format[3], L')'); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_DEVICE_ARRIVED: { PH_FORMAT format[4]; //PhInitFormatS(&format[0], L"Device arrived: "); PhInitFormatSR(&format[0], Entry->Device.Classification->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatSR(&format[2], Entry->Device.Name->sr); PhInitFormatC(&format[3], L')'); return PhpFormatLogEntryToBuffer(format, RTL_NUMBER_OF(format)); } case PH_LOG_ENTRY_MESSAGE: PhReferenceObject(Entry->Message); return Entry->Message; default: return PhReferenceEmptyString(); } } static CONST PH_KEY_VALUE_PAIR PhpLogEntryTypePairs[] = { SIP(SREF(L"Unknown"), 0), SIP(SREF(L"Process created"), PH_LOG_ENTRY_PROCESS_CREATE), SIP(SREF(L"Process terminated"), PH_LOG_ENTRY_PROCESS_DELETE), SIP(SREF(L"Service created"), PH_LOG_ENTRY_SERVICE_CREATE), SIP(SREF(L"Service terminated"), PH_LOG_ENTRY_SERVICE_DELETE), SIP(SREF(L"Service started"), PH_LOG_ENTRY_SERVICE_START), SIP(SREF(L"Service terminated"), PH_LOG_ENTRY_SERVICE_STOP), SIP(SREF(L"Service continued"), PH_LOG_ENTRY_SERVICE_CONTINUE), SIP(SREF(L"Service paused"), PH_LOG_ENTRY_SERVICE_PAUSE), SIP(SREF(L"Service modified"), PH_LOG_ENTRY_SERVICE_MODIFIED), SIP(SREF(L"Device removed"), PH_LOG_ENTRY_DEVICE_REMOVED), SIP(SREF(L"Device arrived"), PH_LOG_ENTRY_DEVICE_ARRIVED) }; PCPH_STRINGREF PhFormatLogType( _In_ PPH_LOG_ENTRY Entry ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( PhpLogEntryTypePairs, sizeof(PhpLogEntryTypePairs), Entry->Type, &string )) { return string; } return NULL; } ================================================ FILE: SystemInformer/logwnd.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2014-2023 * */ #include #include #include #include #include #include #define WM_PH_LOG_UPDATED (WM_APP + 300) INT_PTR CALLBACK PhpLogDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); HWND PhLogWindowHandle = NULL; static PH_LAYOUT_MANAGER WindowLayoutManager; static RECT MinimumSize; static HWND AutoScrollHandle; static HWND ListViewHandle; static PPH_LISTVIEW_CONTEXT ListViewContext; static ULONG ListViewCount; static PH_CALLBACK_REGISTRATION LoggedRegistration; static BOOLEAN ListViewStateInitializing = FALSE; static BOOLEAN ListViewAutoScroll = FALSE; VOID PhShowLogDialog( VOID ) { if (!PhLogWindowHandle) { PhLogWindowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_LOG), NULL, PhpLogDlgProc, NULL ); PhRegisterDialog(PhLogWindowHandle); ShowWindow(PhLogWindowHandle, SW_SHOW); } if (IsMinimized(PhLogWindowHandle)) ShowWindow(PhLogWindowHandle, SW_RESTORE); else SetForegroundWindow(PhLogWindowHandle); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI LoggedCallback( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { if (PhLogWindowHandle) { PostMessage(PhLogWindowHandle, WM_PH_LOG_UPDATED, 0, 0); } } static VOID PhpUpdateLogList( VOID ) { ListViewCount = PhLogBuffer.Count; PhListView_SetItemCount(ListViewContext, ListViewCount, LVSICF_NOSCROLL); if (ListViewCount >= 2 && ReadBooleanAcquire(&ListViewAutoScroll)) { BOOLEAN itemVisible; if (PhListView_IsItemVisible(ListViewContext, ListViewCount - 1, &itemVisible) && !itemVisible) { PhListView_EnsureItemVisible(ListViewContext, ListViewCount - 1, FALSE); } } } static PPH_STRING PhpGetStringForSelectedLogEntries( _In_ BOOLEAN All ) { PH_STRING_BUILDER stringBuilder; ULONG i; if (ListViewCount == 0) return PhReferenceEmptyString(); PhInitializeStringBuilder(&stringBuilder, 0x100); i = ListViewCount - 1; while (TRUE) { PPH_LOG_ENTRY entry; SYSTEMTIME systemTime; PCPH_STRINGREF string; PPH_STRING temp; ULONG itemState; if (!All) { // The list view displays the items in reverse order... if (!PhListView_GetItemState(ListViewContext, ListViewCount - i - 1, LVIS_SELECTED, &itemState) && FlagOn(itemState, LVIS_SELECTED)) { goto ContinueLoop; } } entry = PhGetItemCircularBuffer_PVOID(&PhLogBuffer, i); if (!entry) goto ContinueLoop; PhLargeIntegerToLocalSystemTime(&systemTime, &entry->Time); temp = PhFormatDateTime(&systemTime); PhAppendStringBuilder(&stringBuilder, &temp->sr); PhDereferenceObject(temp); PhAppendStringBuilder2(&stringBuilder, L": "); string = PhFormatLogType(entry); PhAppendStringBuilder(&stringBuilder, string); PhAppendStringBuilder2(&stringBuilder, L" "); temp = PhFormatLogEntry(entry); PhAppendStringBuilder(&stringBuilder, &temp->sr); PhDereferenceObject(temp); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); ContinueLoop: if (i == 0) break; i--; } return PhFinalStringBuilderString(&stringBuilder); } INT_PTR CALLBACK PhpLogDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(hwndDlg); AutoScrollHandle = GetDlgItem(hwndDlg, IDC_AUTOSCROLL); ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); ListViewContext = PhListView_Initialize(ListViewHandle); PhSetListViewStyle(ListViewHandle, TRUE, TRUE); PhSetControlTheme(ListViewHandle, L"explorer"); PhSetExtendedListView(ListViewHandle); PhListView_AddColumn(ListViewContext, 0, 0, 0, LVCFMT_LEFT, 140, L"Time"); PhListView_AddColumn(ListViewContext, 1, 1, 1, LVCFMT_LEFT, 140, L"Type"); PhListView_AddColumn(ListViewContext, 2, 2, 2, LVCFMT_LEFT, 260, L"Message"); PhLoadListViewColumnsFromSetting(SETTING_LOG_LIST_VIEW_COLUMNS, ListViewHandle); PhInitializeLayoutManager(&WindowLayoutManager, hwndDlg); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_COPY), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, AutoScrollHandle, NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_CLEAR), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); MinimumSize.left = 0; MinimumSize.top = 0; MinimumSize.right = 290; MinimumSize.bottom = 150; MapDialogRect(hwndDlg, &MinimumSize); if (PhValidWindowPlacementFromSetting(SETTING_LOG_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_LOG_WINDOW_POSITION, SETTING_LOG_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, PhMainWndHandle); ListViewStateInitializing = TRUE; WriteBooleanRelease(&ListViewAutoScroll, TRUE); Button_SetCheck(AutoScrollHandle, BST_CHECKED); ListViewStateInitializing = FALSE; PhRegisterCallback(PhGetGeneralCallback(GeneralCallbackLoggedEvent), LoggedCallback, NULL, &LoggedRegistration); PhpUpdateLogList(); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveListViewColumnsToSetting(SETTING_LOG_LIST_VIEW_COLUMNS, ListViewHandle); PhSaveWindowPlacementToSetting(SETTING_LOG_WINDOW_POSITION, SETTING_LOG_WINDOW_SIZE, hwndDlg); PhDeleteLayoutManager(&WindowLayoutManager); PhUnregisterCallback(PhGetGeneralCallback(GeneralCallbackLoggedEvent), &LoggedRegistration); PhUnregisterDialog(PhLogWindowHandle); PhLogWindowHandle = NULL; PhListView_Destroy(ListViewContext); ListViewContext = NULL; } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_CLEAR: { PhClearLogEntries(); PhpUpdateLogList(); } break; case IDC_COPY: { PPH_STRING string; ULONG selectedCount = 0; if (!PhListView_GetSelectedCount(ListViewContext, &selectedCount)) break; if (selectedCount == 0) { // User didn't select anything, so copy all items. string = PhpGetStringForSelectedLogEntries(TRUE); PhListView_SetStateAllItems(ListViewContext, LVIS_SELECTED, LVIS_SELECTED); } else { string = PhpGetStringForSelectedLogEntries(FALSE); } PhSetClipboardString(hwndDlg, &string->sr); PhDereferenceObject(string); } break; case IDC_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt)", L"*.txt" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, L"System Informer Log.txt"); if (PhShowFileDialog(hwndDlg, fileDialog)) { NTSTATUS status; PPH_STRING fileName; PPH_FILE_STREAM fileStream; PPH_STRING string; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); PhWritePhTextHeader(fileStream); string = PhpGetStringForSelectedLogEntries(TRUE); PhWriteStringAsUtf8FileStreamEx(fileStream, string->Buffer, string->Length); PhDereferenceObject(string); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; case IDC_AUTOSCROLL: { WriteBooleanRelease(&ListViewAutoScroll, Button_GetCheck(AutoScrollHandle) == BST_CHECKED); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case LVN_GETDISPINFO: { NMLVDISPINFO *dispInfo = (NMLVDISPINFO *)header; PPH_LOG_ENTRY entry; entry = PhGetItemCircularBuffer_PVOID(&PhLogBuffer, ListViewCount - dispInfo->item.iItem - 1); if (dispInfo->item.iSubItem == 0) { if (FlagOn(dispInfo->item.mask, LVIF_TEXT)) { SYSTEMTIME systemTime; PPH_STRING dateTime; PhLargeIntegerToLocalSystemTime(&systemTime, &entry->Time); dateTime = PhFormatDateTime(&systemTime); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, dateTime->Buffer, _TRUNCATE); PhDereferenceObject(dateTime); } } else if (dispInfo->item.iSubItem == 1) { if (FlagOn(dispInfo->item.mask, LVIF_TEXT)) { PCPH_STRINGREF string; string = PhFormatLogType(entry); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, string->Buffer, _TRUNCATE); } } else if (dispInfo->item.iSubItem == 2) { if (FlagOn(dispInfo->item.mask, LVIF_TEXT)) { PPH_STRING string; string = PhFormatLogEntry(entry); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, string->Buffer, _TRUNCATE); PhDereferenceObject(string); } } } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&WindowLayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&WindowLayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&WindowLayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_PH_LOG_UPDATED: { PhpUpdateLogList(); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(ListViewHandle, &point); PhGetSelectedListViewItemParams(ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: PhCopyListView(ListViewHandle); break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/main.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include BOOLEAN PhPluginsEnabled = FALSE; BOOLEAN PhPortableEnabled = FALSE; PPH_STRING PhSettingsFileName = NULL; PH_STARTUP_PARAMETERS PhStartupParameters = { .UpdateChannel = PhInvalidChannel }; PH_PROVIDER_THREAD PhPrimaryProviderThread; PH_PROVIDER_THREAD PhSecondaryProviderThread; PH_PROVIDER_THREAD PhTertiaryProviderThread; RTL_ATOM PhTreeWindowAtom = RTL_ATOM_INVALID_ATOM; RTL_ATOM PhGraphWindowAtom = RTL_ATOM_INVALID_ATOM; RTL_ATOM PhHexEditWindowAtom = RTL_ATOM_INVALID_ATOM; RTL_ATOM PhColorBoxWindowAtom = RTL_ATOM_INVALID_ATOM; static PPH_LIST DialogList = NULL; static PPH_LIST FilterList = NULL; static PH_AUTO_POOL BaseAutoPool; INT WINAPI wWinMain( _In_ HINSTANCE Instance, _In_opt_ HINSTANCE PrevInstance, _In_ PWSTR CmdLine, _In_ INT CmdShow ) { LONG result; #ifdef DEBUG PHP_BASE_THREAD_DBG dbg; #endif if (!NT_SUCCESS(PhInitializePhLib(L"System Informer"))) return 1; if (!NT_SUCCESS(PhInitializeDirectoryPolicy())) return 1; if (!NT_SUCCESS(PhInitializeExceptionPolicy())) return 1; if (!NT_SUCCESS(PhInitializeExecutionPolicy())) return 1; if (!NT_SUCCESS(PhInitializeNamespacePolicy())) return 1; if (!NT_SUCCESS(PhInitializeComPolicy())) return 1; PhpProcessStartupParameters(); PhpEnablePrivileges(); if (PhStartupParameters.RunAsServiceMode) { PhExitApplication(PhRunAsServiceStart(PhStartupParameters.RunAsServiceMode)); } PhGuiSupportInitialization(); PhInitializeAppSettings(); PhInitializeCallbacks(); if (PhStartupParameters.Debug) { PhShowDebugConsole(); } PhInitializePreviousInstance(); PhInitializeCallbacks(); if (PhEnableKsiSupport && !PhStartupParameters.ShowOptions) { PhInitializeKsi(); } #ifdef DEBUG dbg.ClientId = NtCurrentTeb()->ClientId; dbg.StartAddress = wWinMain; dbg.Parameter = NULL; InsertTailList(&PhDbgThreadListHead, &dbg.ListEntry); PhTlsSetValue(PhDbgThreadDbgTlsIndex, &dbg); #endif PhInitializeAutoPool(&BaseAutoPool); PhInitializeSuperclassControls(); PhInitializeCommonControls(); PhInitializeAppSystem(); PhEmInitialization(); if (PhStartupParameters.ShowOptions) { PhShowOptionsDialog(PhStartupParameters.WindowHandle); PhExitApplication(STATUS_SUCCESS); } if (PhPluginsEnabled && !PhStartupParameters.NoPlugins) { PhLoadPlugins(); } // N.B. Must be called after loading plugins since we set Microsoft signed only. if (!NT_SUCCESS(PhInitializeMitigationPolicy())) return 1; if (PhStartupParameters.PhSvc) { MSG message; // Turn the feedback cursor off. PostMessage(NULL, WM_NULL, 0, 0); GetMessage(&message, NULL, 0, 0); PhExitApplication(PhSvcMain(NULL, NULL)); } #ifndef DEBUG if (PhIsExecutingInWow64()) { PhShowWarning2( NULL, L"Warning.", L"%s", L"You are attempting to run the 32-bit version of System Informer on 64-bit Windows. " L"Most features will not work correctly.\n\n" L"Please run the 64-bit version of System Informer instead." ); PhExitApplication(STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT); } #endif // Set the default timer resolution. { if (WindowsVersion >= WINDOWS_11_24H2) { PhSetProcessPowerThrottlingState( NtCurrentProcess(), POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION, 0 // Disable synthetic timer resolution. ); } } // Set the default priority. { UCHAR priorityClass = PROCESS_PRIORITY_CLASS_HIGH; if (PhStartupParameters.PriorityClass != 0) priorityClass = (UCHAR)PhStartupParameters.PriorityClass; PhSetProcessPriorityClass(NtCurrentProcess(), priorityClass); } if (PhEnableKsiSupport) { PhShowKsiStatus(); } if (!PhMainWndInitialization(CmdShow)) { PhShowStatus(NULL, L"Unable to create the window.", 0, ERROR_OUTOFMEMORY); return 1; } PhEnableTerminationPolicy(TRUE); PhDrainAutoPool(&BaseAutoPool); result = PhMainMessageLoop(); PhEnableTerminationPolicy(FALSE); if (PhEnableKsiSupport) { PhCleanupKsi(); } PhExitApplication(result); return result; } /** * The main message loop for System Informer. * * Processes Windows messages for the main window, dialogs, and registered message loop filters. * Handles accelerator keys, dialog messages, and dispatches messages to the appropriate handlers. * Drains the auto pool after each message to manage memory efficiently. * \return The exit code of the application, typically the wParam of the WM_QUIT message. */ LONG PhMainMessageLoop( VOID ) { BOOL result; MSG message; HACCEL acceleratorTable; acceleratorTable = LoadAccelerators(NtCurrentImageBase(), MAKEINTRESOURCE(IDR_MAINWND_ACCEL)); while (result = GetMessage(&message, NULL, 0, 0)) { BOOLEAN processed = FALSE; ULONG i; if (result == -1) return 1; if (FilterList) { for (i = 0; i < FilterList->Count; i++) { PPH_MESSAGE_LOOP_FILTER_ENTRY entry = FilterList->Items[i]; if (entry->Filter(&message, entry->Context)) { processed = TRUE; break; } } } if (!processed) { if ( message.hwnd == PhMainWndHandle || IsChild(PhMainWndHandle, message.hwnd) ) { if (TranslateAccelerator(PhMainWndHandle, acceleratorTable, &message)) processed = TRUE; } if (DialogList) { for (i = 0; i < DialogList->Count; i++) { if (IsDialogMessage((HWND)DialogList->Items[i], &message)) { processed = TRUE; break; } } } } if (!processed) { TranslateMessage(&message); DispatchMessage(&message); } PhDrainAutoPool(&BaseAutoPool); } return (LONG)message.wParam; } /** * Registers a dialog window handle with the application's dialog list. * * This function adds the specified dialog window handle to the internal list of dialogs * managed by the application. This allows the main message loop to recognize and process * messages for the dialog, enabling features such as keyboard navigation and message routing. * * \param DialogWindowHandle The handle to the dialog window to register. * \remarks Registered dialogs are processed in the main message loop for dialog-specific messages. */ VOID PhRegisterDialog( _In_ HWND DialogWindowHandle ) { if (!DialogList) DialogList = PhCreateList(2); PhAddItemList(DialogList, (PVOID)DialogWindowHandle); } /** * Unregisters a dialog window handle from the application's dialog list. * * This function removes the specified dialog window handle from the internal list of dialogs * managed by the application. This ensures that the main message loop no longer processes * messages for the dialog, disabling features such as keyboard navigation and message routing * for the unregistered dialog. * * \param DialogWindowHandle The handle to the dialog window to unregister. * \remarks Unregistered dialogs are no longer processed in the main message loop for dialog-specific messages. */ VOID PhUnregisterDialog( _In_ HWND DialogWindowHandle ) { ULONG indexOfDialog; if (!DialogList) return; indexOfDialog = PhFindItemList(DialogList, (PVOID)DialogWindowHandle); if (indexOfDialog != ULONG_MAX) PhRemoveItemList(DialogList, indexOfDialog); } /** * Registers a message loop filter with the application's message loop. * * This function adds a custom filter to the internal list of message loop filters. * Each filter is a callback that can intercept and process Windows messages before * they are handled by the main window or dialogs. Filters are useful for implementing * global hotkeys, custom message handling, or preprocessing messages. * * \param Filter The filter callback function to register. * \param Context Optional context pointer passed to the filter callback. * \return A pointer to the filter entry, which can be used to unregister the filter later. * \remarks The filter will be called for each message in the main message loop. */ PPH_MESSAGE_LOOP_FILTER_ENTRY PhRegisterMessageLoopFilter( _In_ PPH_MESSAGE_LOOP_FILTER Filter, _In_opt_ PVOID Context ) { PPH_MESSAGE_LOOP_FILTER_ENTRY entry; if (!FilterList) FilterList = PhCreateList(2); entry = PhAllocate(sizeof(PH_MESSAGE_LOOP_FILTER_ENTRY)); entry->Filter = Filter; entry->Context = Context; PhAddItemList(FilterList, entry); return entry; } /** * Unregisters a message loop filter from the application's message loop. * * This function removes a previously registered message loop filter, ensuring * it no longer receives messages from the main message loop. * * \param FilterEntry The filter entry returned by PhRegisterMessageLoopFilter. * \remarks The filter entry is freed after removal. */ VOID PhUnregisterMessageLoopFilter( _In_ PPH_MESSAGE_LOOP_FILTER_ENTRY FilterEntry ) { ULONG indexOfFilter; if (!FilterList) return; indexOfFilter = PhFindItemList(FilterList, FilterEntry); if (indexOfFilter != ULONG_MAX) PhRemoveItemList(FilterList, indexOfFilter); PhFree(FilterEntry); } /** * Context structure for tracking a previous main window instance. * * Used during enumeration of windows to identify and interact with a previous * instance of the application, based on process ID and window class name. */ typedef struct _PHP_PREVIOUS_MAIN_WINDOW_CONTEXT { HANDLE ProcessId; PPH_STRING WindowName; } PHP_PREVIOUS_MAIN_WINDOW_CONTEXT, *PPHP_PREVIOUS_MAIN_WINDOW_CONTEXT; /** * Callback function for enumerating windows to find a previous instance. * * Checks if the given window belongs to the specified process and matches the * expected window class name. If found, attempts to activate and bring the window * to the foreground. * * \param WindowHandle The handle to the window being enumerated. * \param Context Pointer to a PHP_PREVIOUS_MAIN_WINDOW_CONTEXT structure. * \return FALSE if the previous instance window was found and activated; TRUE to continue enumeration. */ _Function_class_(PH_WINDOW_ENUM_CALLBACK) static BOOLEAN CALLBACK PhPreviousInstanceWindowEnumProc( _In_ HWND WindowHandle, _In_ PVOID Context ) { PPHP_PREVIOUS_MAIN_WINDOW_CONTEXT context = (PPHP_PREVIOUS_MAIN_WINDOW_CONTEXT)Context; CLIENT_ID clientId; if (!NT_SUCCESS(PhGetWindowClientId(WindowHandle, &clientId))) return TRUE; if (clientId.UniqueProcess == context->ProcessId) { WCHAR className[256]; if (GetClassName(WindowHandle, className, RTL_NUMBER_OF(className))) { if (PhEqualStringZ(className, PhGetString(context->WindowName), FALSE)) { ULONG_PTR result = 0; PhTrace( "Found previous instance window: %ls (%p)", className, WindowHandle ); SendMessageTimeout( WindowHandle, WM_PH_ACTIVATE, PhStartupParameters.SelectPid, 0, SMTO_ABORTIFHUNG | SMTO_BLOCK, 5000, &result ); if (result == PH_ACTIVATE_REPLY) { if (!IsWindowVisible(WindowHandle)) { ShowWindow(WindowHandle, SW_SHOW); } if (IsIconic(WindowHandle)) { ShowWindow(WindowHandle, SW_RESTORE); } if (!SetForegroundWindow(WindowHandle)) { PhBringWindowToTop(WindowHandle); } PhExitApplication(STATUS_SUCCESS); return FALSE; } } } } return TRUE; } /** * Brings a previous instance of the application to the foreground. * * This function attempts to locate the main window of a previous instance of the * application (by process ID and window class name), and brings it to the foreground. * It performs several checks to ensure the process is in the same session and owned * by the same user. The search is retried multiple times to handle race conditions. * \param ProcessId The process ID of the previous instance. */ static VOID PhForegroundPreviousInstance( _In_ HANDLE ProcessId ) { PHP_PREVIOUS_MAIN_WINDOW_CONTEXT context; HANDLE processHandle = NULL; HANDLE tokenHandle = NULL; PH_TOKEN_USER tokenUser; ULONG sessionId = 0; ULONG attempts = 0; PhTraceFuncEnter("Foreground previous instance: %lu", HandleToUlong(ProcessId)); memset(&context, 0, sizeof(PHP_PREVIOUS_MAIN_WINDOW_CONTEXT)); context.ProcessId = ProcessId; context.WindowName = PhGetStringSetting(SETTING_MAIN_WINDOW_CLASS_NAME); if (PhIsNullOrEmptyString(context.WindowName)) goto CleanupExit; if (!NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId))) goto CleanupExit; if (!NT_SUCCESS(PhGetProcessSessionId(processHandle, &sessionId))) goto CleanupExit; if (NtCurrentPeb()->SessionId != sessionId) goto CleanupExit; if (!NT_SUCCESS(PhOpenProcessToken(processHandle, TOKEN_QUERY, &tokenHandle))) goto CleanupExit; if (!NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser))) goto CleanupExit; if (!PhEqualSid(tokenUser.User.Sid, PhGetOwnTokenAttributes().TokenSid)) goto CleanupExit; // Try to locate the window a few times because some users reported that it might not yet have been created. (dmex) do { PhEnumWindowsEx(NULL, PhPreviousInstanceWindowEnumProc, &context); PhDelayExecution(500); } while (++attempts < 10); CleanupExit: if (tokenHandle) { NtClose(tokenHandle); } if (processHandle) { NtClose(processHandle); } PhClearReference(&context.WindowName); PhTraceFuncExit( "Foreground previous instance: %lu (%lu attempts)", HandleToUlong(ProcessId), attempts ); } /** * Initializes previous instance detection and activation logic. * * This function enforces single-instance behavior and handles elevation scenarios. * If only one instance is allowed, it attempts to activate a previous instance. * If elevation is required, it runs the application as administrator and activates * the previous instance if necessary. */ VOID PhInitializePreviousInstance( VOID ) { if (PhGetIntegerSetting(SETTING_ALLOW_ONLY_ONE_INSTANCE) && !PhStartupParameters.NewInstance && !PhStartupParameters.ShowOptions && !PhStartupParameters.PhSvc && !PhStartupParameters.KphStartupHigh && !PhStartupParameters.KphStartupMax) { PhActivatePreviousInstance(); } if (PhGetIntegerSetting(SETTING_ENABLE_START_AS_ADMIN) && !PhStartupParameters.NewInstance && !PhStartupParameters.ShowOptions && !PhStartupParameters.PhSvc) { if (PhGetOwnTokenAttributes().Elevated) { if (PhGetIntegerSetting(SETTING_ENABLE_START_AS_ADMIN_ALWAYS_ON_TOP)) { if (NT_SUCCESS(PhRunAsAdminTaskUIAccess())) { PhActivatePreviousInstance(); PhExitApplication(STATUS_SUCCESS); } } } else { if (SUCCEEDED(PhRunAsAdminTask(&SI_RUNAS_ADMIN_TASK_NAME))) { PhActivatePreviousInstance(); PhExitApplication(STATUS_SUCCESS); } } } } /** * Callback for enumerating namespace objects to find previous instances. * * This function is called for each object in the namespace directory. It looks for * mutant objects and, if found, checks if they belong to a different process. * If so, it attempts to bring the previous instance to the foreground. * * \param RootDirectory The root directory handle. * \param Name The name of the object. * \param TypeName The type name of the object. * \param Context Optional context pointer. * \return STATUS_NO_MORE_ENTRIES if a previous instance * was found and activated; otherwise STATUS_SUCCESS. */ _Function_class_(PH_ENUM_DIRECTORY_OBJECTS) NTSTATUS NTAPI PhpPreviousInstancesCallback( _In_ HANDLE RootDirectory, _In_ PPH_STRINGREF Name, _In_ PPH_STRINGREF TypeName, _In_ PVOID Context ) { MUTANT_OWNER_INFORMATION objectInfo; HANDLE objectHandle; if (!PhStartsWithStringRef2(Name, L"SiMutant_", FALSE)) return STATUS_NAME_TOO_LONG; if (NT_SUCCESS(PhOpenMutant( &objectHandle, MUTANT_QUERY_STATE, RootDirectory, Name ))) { if (NT_SUCCESS(PhGetMutantOwnerInformation( objectHandle, &objectInfo ))) { if (objectInfo.ClientId.UniqueProcess != NtCurrentProcessId()) { PhForegroundPreviousInstance(objectInfo.ClientId.UniqueProcess); NtClose(objectHandle); return STATUS_NO_MORE_ENTRIES; } } NtClose(objectHandle); } return STATUS_SUCCESS; } /** * Activates a previous instance of the application if one exists. * * This function enumerates namespace objects to find a mutant object representing * a previous instance. If found, it brings the previous instance's window to the * foreground and exits the current process. */ VOID PhActivatePreviousInstance( VOID ) { NTSTATUS status; //HANDLE fileHandle; //PPH_STRING applicationFileName; PhTraceFuncEnter("Activate previous instance"); status = PhEnumDirectoryObjects(PhGetNamespaceHandle(), PhpPreviousInstancesCallback, NULL); //if (applicationFileName = PhGetApplicationFileName()) //{ // if (NT_SUCCESS(status = PhOpenFile( // &fileHandle, // &applicationFileName->sr, // FILE_READ_ATTRIBUTES | SYNCHRONIZE, // NULL, // FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, // FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, // NULL // ))) // // { // PFILE_PROCESS_IDS_USING_FILE_INFORMATION processIds; // // if (NT_SUCCESS(status = PhGetProcessIdsUsingFile( // fileHandle, // &processIds // ))) // // { // for (ULONG i = 0; i < processIds->NumberOfProcessIdsInList; i++) // { // HANDLE processId = processIds->ProcessIdList[i]; // PPH_STRING fileName; // // if (processId == NtCurrentProcessId()) // continue; // // if (NT_SUCCESS(status = PhGetProcessImageFileNameByProcessId(processId, &fileName))) // { // if (PhEqualString(applicationFileName, fileName, TRUE)) // { // PhForegroundPreviousInstance(processId); // } // // PhDereferenceObject(fileName); // } // } // // PhFree(processIds); // } // // NtClose(fileHandle); // } // // PhDereferenceObject(applicationFileName); //} PhTraceFuncExit("Activate previous instance: %!STATUS!", status); } /** * Initializes common controls and custom controls used by the application. * * This function registers standard Windows common controls and initializes * custom controls such as tree views, graphs, hex editors, and color boxes. * It must be called before creating windows that use these controls. */ VOID PhInitializeCommonControls( VOID ) { INITCOMMONCONTROLSEX icex; icex.dwSize = sizeof(INITCOMMONCONTROLSEX); icex.dwICC = ICC_LISTVIEW_CLASSES | ICC_TREEVIEW_CLASSES | ICC_BAR_CLASSES | ICC_TAB_CLASSES | ICC_PROGRESS_CLASS | ICC_COOL_CLASSES | ICC_STANDARD_CLASSES | ICC_LINK_CLASS ; InitCommonControlsEx(&icex); PhTreeWindowAtom = PhTreeNewInitialization(); PhGraphWindowAtom = PhGraphControlInitialization(); PhHexEditWindowAtom = PhHexEditInitialization(); PhColorBoxWindowAtom = PhColorBoxInitialization(); } /** * Ensures the current working directory is set to the application's directory. * * This function checks if the process's current directory matches the application's * directory. If not, it sets the current directory to the application's directory. */ NTSTATUS PhInitializeDirectoryPolicy( VOID ) { PPH_STRING applicationDirectory; UNICODE_STRING applicationDirectoryUs; PH_STRINGREF currentDirectory; if (!(applicationDirectory = PhGetApplicationDirectoryWin32())) return STATUS_UNSUCCESSFUL; PhUnicodeStringToStringRef(&NtCurrentPeb()->ProcessParameters->CurrentDirectory.DosPath, ¤tDirectory); if (PhEqualStringRef(&applicationDirectory->sr, ¤tDirectory, TRUE)) { PhDereferenceObject(applicationDirectory); return STATUS_SUCCESS; } if (!PhStringRefToUnicodeString(&applicationDirectory->sr, &applicationDirectoryUs)) { PhDereferenceObject(applicationDirectory); return STATUS_UNSUCCESSFUL; } if (!NT_SUCCESS(RtlSetCurrentDirectory_U(&applicationDirectoryUs))) { PhDereferenceObject(applicationDirectory); return STATUS_UNSUCCESSFUL; } PhDereferenceObject(applicationDirectory); return STATUS_SUCCESS; } #pragma region Error Reporting #include #include typedef enum _PH_TRIAGE_DUMP_TYPE { PhTriageDumpTypeMinimal, PhTriageDumpTypeNormal, PhTriageDumpTypeFull, } PH_TRIAGE_DUMP_TYPE; /** * Creates a crash dump file for an unhandled exception. * * \param ExceptionInfo Pointer to the exception information. * \param DumpType The type of dump to create (minimal, normal, or full). */ VOID PhpCreateUnhandledExceptionCrashDump( _In_ PEXCEPTION_POINTERS ExceptionInfo, _In_ PH_TRIAGE_DUMP_TYPE DumpType ) { HANDLE fileHandle; PPH_STRING directory; PPH_STRING fileName; WCHAR alphastring[16] = L""; PhGenerateRandomAlphaString(alphastring, RTL_NUMBER_OF(alphastring)); directory = PhExpandEnvironmentStringsZ(L"\\??\\%USERPROFILE%\\Desktop\\"); fileName = PhConcatStrings(5, PhGetString(directory), L"SystemInformer", L"_DumpFile_", alphastring, L".dmp"); PhCreateDirectoryFullPath(&fileName->sr); if (NT_SUCCESS(PhCreateFile( &fileHandle, &fileName->sr, FILE_GENERIC_WRITE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { MINIDUMP_EXCEPTION_INFORMATION exceptionInfo; ULONG dumpType = PhTriageDumpTypeMinimal; exceptionInfo.ThreadId = HandleToUlong(NtCurrentThreadId()); exceptionInfo.ExceptionPointers = ExceptionInfo; exceptionInfo.ClientPointers = TRUE; switch (DumpType) { case PhTriageDumpTypeMinimal: dumpType = MiniDumpWithDataSegs | MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData | MiniDumpWithThreadInfo | MiniDumpIgnoreInaccessibleMemory; break; case PhTriageDumpTypeNormal: dumpType = MiniDumpWithDataSegs | MiniDumpWithHandleData | MiniDumpScanMemory | MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData | MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | MiniDumpIgnoreInaccessibleMemory | MiniDumpWithTokenInformation; break; case PhTriageDumpTypeFull: dumpType = MiniDumpWithDataSegs | MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpWithUnloadedModules | MiniDumpWithIndirectlyReferencedMemory | MiniDumpWithProcessThreadData | MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | MiniDumpIgnoreInaccessibleMemory | MiniDumpWithTokenInformation | MiniDumpWithAvxXStateContext; break; } PhWriteMiniDumpProcess( NtCurrentProcess(), NtCurrentProcessId(), fileHandle, dumpType, &exceptionInfo, NULL, NULL ); NtClose(fileHandle); } PhDereferenceObject(fileName); PhDereferenceObject(directory); } static LPTOP_LEVEL_EXCEPTION_FILTER PhpPreviousUnhandledExceptionFilter = NULL; /** * Unhandled exception filter callback for System Informer. * * This function is called when an unhandled exception occurs. It presents the user * with options to create a crash dump, restart, ignore, or exit. It also generates * a crash dump file on the desktop if requested. * \param ExceptionInfo Pointer to the exception information. * \return An exception disposition value. */ LONG CALLBACK PhpUnhandledExceptionCallback( _In_ PEXCEPTION_POINTERS ExceptionInfo ) { PPH_STRING errorMessage; PPH_STRING message; LONG result; // Let the debugger handle the exception. (dmex) if (PhIsDebuggerPresent()) { // Remove this return to debug the exception callback. (dmex) return EXCEPTION_CONTINUE_SEARCH; } if (NT_SUCCESS(PhIsInteractiveUserSession())) { TASKDIALOGCONFIG config = { sizeof(TASKDIALOGCONFIG) }; TASKDIALOG_BUTTON buttons[6] = { { 101, L"Full\nA complete dump of the process, rarely needed most of the time." }, { 102, L"Normal\nFor most purposes, this dump file is the most useful." }, { 103, L"Minimal\nA very limited dump with limited data." }, { 104, L"Restart\nRestart the application." }, // and hope it doesn't crash again."; { 105, L"Ignore" }, // \nTry ignore the exception and continue."; { 106, L"Exit" }, // \nTerminate the program."; }; if (NT_NTWIN32(ExceptionInfo->ExceptionRecord->ExceptionCode)) errorMessage = PhGetStatusMessage(0, PhNtStatusToDosError(ExceptionInfo->ExceptionRecord->ExceptionCode)); else errorMessage = PhGetStatusMessage(ExceptionInfo->ExceptionRecord->ExceptionCode, 0); message = PhFormatString( L"0x%08X (%s)", ExceptionInfo->ExceptionRecord->ExceptionCode, PhGetStringOrEmpty(errorMessage) ); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | TDF_USE_COMMAND_LINKS | TDF_EXPAND_FOOTER_AREA; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = TD_ERROR_ICON; config.pszMainInstruction = L"System Informer has crashed :("; config.cButtons = RTL_NUMBER_OF(buttons); config.pButtons = buttons; config.nDefaultButton = 106; config.cxWidth = 250; config.pszContent = PhGetString(message); #ifdef DEBUG config.pszExpandedInformation = PhGetString(PhGetStacktraceAsString()); #endif if (PhShowTaskDialog(&config, &result, NULL, NULL)) { switch (result) { case 101: PhpCreateUnhandledExceptionCrashDump(ExceptionInfo, PhTriageDumpTypeFull); break; case 102: PhpCreateUnhandledExceptionCrashDump(ExceptionInfo, PhTriageDumpTypeNormal); break; case 103: PhpCreateUnhandledExceptionCrashDump(ExceptionInfo, PhTriageDumpTypeMinimal); break; case 104: { PhShellProcessHacker( NULL, NULL, SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, PH_SHELL_APP_PROPAGATE_PARAMETERS | PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY, 0, NULL ); } break; case 105: { return EXCEPTION_CONTINUE_EXECUTION; } break; } } else { if (PhShowMessage( NULL, MB_YESNO | MB_ICONWARNING | MB_DEFBUTTON2, L"System Informer has crashed :(\r\n\r\n%s", L"Do you want to create a minidump on the Desktop?" ) == IDYES) { PhpCreateUnhandledExceptionCrashDump(ExceptionInfo, PhTriageDumpTypeMinimal); } } } else { ULONG response; PPH_STRING title; if (NT_NTWIN32(ExceptionInfo->ExceptionRecord->ExceptionCode)) errorMessage = PhGetStatusMessage(0, PhNtStatusToDosError(ExceptionInfo->ExceptionRecord->ExceptionCode)); else errorMessage = PhGetStatusMessage(ExceptionInfo->ExceptionRecord->ExceptionCode, 0); title = PhCreateString(L"System Informer has crashed :("); #ifdef DEBUG message = PhFormatString( L"%s\r\n0x%08X (%s)\r\n%s", PhGetStringOrEmpty(title), ExceptionInfo->ExceptionRecord->ExceptionCode, PhGetStringOrEmpty(errorMessage), PhGetString(PhGetStacktraceAsString()) ); #else message = PhFormatString( L"%s\r\n0x%08X (%s)\r\n%s", PhGetStringOrEmpty(title), ExceptionInfo->ExceptionRecord->ExceptionCode, PhGetStringOrEmpty(errorMessage) ); #endif if (WinStationSendMessageW( SERVERNAME_CURRENT, USER_SHARED_DATA->ActiveConsoleId, // RtlGetActiveConsoleId title->Buffer, (ULONG)title->Length, message->Buffer, (ULONG)message->Length, MB_OKCANCEL | MB_ICONERROR, 30, &response, FALSE )) { #ifdef DEBUG if (response == IDOK) { PhpCreateUnhandledExceptionCrashDump(ExceptionInfo, PhTriageDumpTypeFull); } #endif } } return PhpPreviousUnhandledExceptionFilter(ExceptionInfo); } #pragma endregion /** * Initializes the exception policy for the current process. * * This function configures the process error mode to suppress critical error dialogs * and disables the Windows error reporting dialog for unhandled exceptions. It also * installs a custom unhandled exception filter to handle application crashes, generate * crash dumps, and present user-friendly dialogs or messages. */ NTSTATUS PhInitializeExceptionPolicy( VOID ) { #if PHNT_MINIMAL_ERRORMODE ULONG errorMode; if (NT_SUCCESS(PhGetProcessErrorMode(NtCurrentProcess(), &errorMode))) { ClearFlag(errorMode, SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX); PhSetProcessErrorMode(NtCurrentProcess(), errorMode); } #else PhSetProcessErrorMode(NtCurrentProcess(), 0); #endif PhpPreviousUnhandledExceptionFilter = SetUnhandledExceptionFilter(PhpUnhandledExceptionCallback); return STATUS_SUCCESS; } /** * Initializes the namespace policy for the current process. * * This function creates a named mutant object in the process's namespace to enforce * single-instance behavior and activate previous instances of System Informer. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhInitializeNamespacePolicy( VOID ) { HANDLE mutantHandle; SIZE_T returnLength; WCHAR formatBuffer[PH_INT64_STR_LEN_1]; OBJECT_ATTRIBUTES objectAttributes; UNICODE_STRING objectName; PH_STRINGREF objectNameSr; PH_FORMAT format[2]; PhInitFormatS(&format[0], L"SiMutant_"); PhInitFormatU(&format[1], HandleToUlong(NtCurrentProcessId())); if (!PhFormatToBuffer( format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &returnLength )) { return STATUS_BUFFER_TOO_SMALL; } objectNameSr.Length = returnLength - sizeof(UNICODE_NULL); objectNameSr.Buffer = formatBuffer; if (!PhStringRefToUnicodeString(&objectNameSr, &objectName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, PhGetNamespaceHandle(), NULL ); NtCreateMutant( &mutantHandle, MUTANT_QUERY_STATE, &objectAttributes, TRUE ); return STATUS_SUCCESS; } /** * Initializes the default COM options for the current process. * * If PH_COM_SVC is defined, it configures global COM options and sets a custom security descriptor * that allows access to authenticated users, local system, and administrators. Otherwise, it simply * initializes COM with apartment threading and disables OLE1 DDE. */ NTSTATUS PhInitializeComPolicy( VOID ) { #ifdef PH_COM_SVC #include IGlobalOptions* globalOptions; UCHAR securityDescriptorBuffer[SECURITY_DESCRIPTOR_MIN_LENGTH + 0x300]; PSECURITY_DESCRIPTOR securityDescriptor = (PSECURITY_DESCRIPTOR)securityDescriptorBuffer; PSID administratorsSid = PhSeAdministratorsSid(); ULONG securityDescriptorAllocationLength; PACL dacl; if (!SUCCEEDED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE))) return TRUE; // Continue without COM support. (dmex) if (SUCCEEDED(PhGetClassObject(L"combase.dll", &CLSID_GlobalOptions, &IID_IGlobalOptions, &globalOptions))) { #define COMGLB_PROPERTIES_EXPLICIT_WINSTA_DESKTOP COMGLB_PROPERTIES_RESERVED1 #define COMGLB_PROCESS_MITIGATION_POLICY_BLOB COMGLB_PROPERTIES_RESERVED2 #define COMGLB_ENABLE_AGILE_OOP_PROXIES COMGLB_RESERVED1 #define COMGLB_ENABLE_WAKE_ON_RPC_SUPPRESSION COMGLB_RESERVED2 #define COMGLB_ADD_RESTRICTEDCODE_SID_TO_COM_CALLPERMISSIONS COMGLB_RESERVED3 #define HKLM_ONLY_CLASSIC_COM_CATALOG COMGLB_RESERVED5 IGlobalOptions_Set(globalOptions, COMGLB_EXCEPTION_HANDLING, COMGLB_EXCEPTION_DONOT_HANDLE_ANY); IGlobalOptions_Set(globalOptions, COMGLB_RO_SETTINGS, COMGLB_FAST_RUNDOWN | COMGLB_ENABLE_AGILE_OOP_PROXIES | HKLM_ONLY_CLASSIC_COM_CATALOG); IGlobalOptions_Release(globalOptions); } securityDescriptorAllocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH + (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(&PhSeAuthenticatedUserSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(&PhSeLocalSystemSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(&administratorsSid); dacl = PTR_ADD_OFFSET(securityDescriptor, SECURITY_DESCRIPTOR_MIN_LENGTH); PhCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION); PhCreateAcl(dacl, securityDescriptorAllocationLength - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION); PhAddAccessAllowedAce(dacl, ACL_REVISION, FILE_READ_DATA | FILE_WRITE_DATA, &PhSeAuthenticatedUserSid); PhAddAccessAllowedAce(dacl, ACL_REVISION, FILE_READ_DATA | FILE_WRITE_DATA, &PhSeLocalSystemSid); PhAddAccessAllowedAce(dacl, ACL_REVISION, FILE_READ_DATA | FILE_WRITE_DATA, administratorsSid); PhSetDaclSecurityDescriptor(securityDescriptor, TRUE, dacl, FALSE); PhSetGroupSecurityDescriptor(securityDescriptor, administratorsSid, FALSE); PhSetOwnerSecurityDescriptor(securityDescriptor, administratorsSid, FALSE); if (!SUCCEEDED(CoInitializeSecurity( securityDescriptor, UINT_MAX, NULL, NULL, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IDENTIFY, NULL, EOAC_NONE, NULL ))) { NOTHING; } #ifdef DEBUG assert(RtlValidSecurityDescriptor(securityDescriptor)); assert(securityDescriptorAllocationLength < sizeof(securityDescriptorBuffer)); assert(RtlLengthSecurityDescriptor(securityDescriptor) < sizeof(securityDescriptorBuffer)); #endif return TRUE; #else if (!SUCCEEDED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE))) NOTHING; return STATUS_SUCCESS; #endif } /** * Initializes the execution policy for System Informer. * * This function checks if the Shift key is held down during startup. If so, it attempts * to launch Task Manager (`taskmgr.exe`) instead of System Informer. * This provides a quick way for users to access Task Manager if needed, for example, * if System Informer is set as the default Task Manager replacement and the user * wants to access the original Task Manager without changing settings. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhInitializeExecutionPolicy( VOID ) { // Note: GetAsyncKeyState queries the global keyboard bitmask without kernel transitions, blocking, // handles, events or messages etc... The bitmask is also independent of any message loop or window. // We can call it extremely early but only the high bit (0x8000) of the key state is valid without a message loop. if (GetAsyncKeyState(VK_SHIFT) & 0x8000) { if (NT_SUCCESS(PhShellExecuteEx(NULL, L"taskmgr.exe", NULL, NULL, SW_SHOW, 0, 0, NULL))) { PhExitApplication(STATUS_SUCCESS); } } return STATUS_SUCCESS; } /** * Initializes the mitigation policies for the current process. * * This function configures process-level mitigations to prevent crashes by third party software. * * The function uses the Native API to set the mitigation policy. If the operating system does not * support the required mitigation policies, the function performs no action and returns success. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhInitializeMitigationPolicy( VOID ) { #if defined(PH_BUILD_API) if (WindowsVersion >= WINDOWS_10) { PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; //policyInfo.Policy = ProcessDynamicCodePolicy; //policyInfo.DynamicCodePolicy.Flags = 0; //policyInfo.DynamicCodePolicy.ProhibitDynamicCode = TRUE; //NtSetInformationProcess(NtCurrentProcess(), ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION)); policyInfo.Policy = ProcessExtensionPointDisablePolicy; policyInfo.ExtensionPointDisablePolicy.Flags = 0; policyInfo.ExtensionPointDisablePolicy.DisableExtensionPoints = TRUE; NtSetInformationProcess(NtCurrentProcess(), ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION)); policyInfo.Policy = ProcessSignaturePolicy; policyInfo.SignaturePolicy.Flags = 0; policyInfo.SignaturePolicy.MicrosoftSignedOnly = TRUE; NtSetInformationProcess(NtCurrentProcess(), ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION)); //policyInfo.Policy = ProcessRedirectionTrustPolicy; //policyInfo.RedirectionTrustPolicy.Flags = 0; //policyInfo.RedirectionTrustPolicy.EnforceRedirectionTrust = TRUE; //NtSetInformationProcess(NtCurrentProcess(), ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION)); } #endif return STATUS_SUCCESS; } /** * Initializes a temporary desktop policy for process isolation or UI testing. * * This function creates a new random desktop, switches the current thread and input * to that desktop, and launches a new instance of System Informer on it. After the * child process exits, it restores the original desktop and cleans up resources. * * \remarks The function is typically used for scenarios where process isolation or UI testing * is required on a separate desktop, such as security testing or debugging. */ VOID PhInitializeDesktopPolicy( VOID ) { NTSTATUS status; HDESK desktopHandle; WCHAR alphastring[16] = L""; PhGenerateRandomAlphaString(alphastring, RTL_NUMBER_OF(alphastring)); if (desktopHandle = CreateDesktop( alphastring, NULL, NULL, 0, DESKTOP_CREATEWINDOW, NULL )) { status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } if (NT_SUCCESS(status)) { HANDLE processHandle; HDESK processDesktop; processDesktop = GetThreadDesktop(HandleToUlong(NtCurrentThreadId())); SetThreadDesktop(desktopHandle); SwitchDesktop(desktopHandle); if (NT_SUCCESS(PhShellProcessHacker( NULL, NULL, SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, PH_SHELL_APP_PROPAGATE_PARAMETERS | PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY, 0, &processHandle ))) { PhWaitForSingleObject(processHandle, INFINITE); NtClose(processHandle); } SwitchDesktop(processDesktop); SetThreadDesktop(processDesktop); CloseDesktop(desktopHandle); } if (!NT_SUCCESS(status)) { PhShowStatus(NULL, L"Unable to initialize desktop policy.", status, 0); } PhExitApplication(status); } /** * Enables or disables the process break-on-termination policy. * * This function configures the process to trigger a system critical break if it is terminated, * based on the specified flag. When enabled, the process is protected from termination by * non-privileged users, and the system will generate a critical error if the process is killed. * This is typically used to prevent accidental or unauthorized termination of critical processes. * The function only applies the policy if the current process is running with elevated privileges * and the "Enable Break On Termination" setting is enabled. * \param Enabled TRUE to enable the break-on-termination policy; FALSE to disable it. */ VOID PhEnableTerminationPolicy( _In_ BOOLEAN Enabled ) { if (PhGetOwnTokenAttributes().Elevated && PhGetIntegerSetting(SETTING_ENABLE_BREAK_ON_TERMINATION)) { NTSTATUS status; status = PhSetProcessBreakOnTermination( NtCurrentProcess(), Enabled ); if (Enabled) SetFlag(NtCurrentPeb()->NtGlobalFlag, FLG_ENABLE_SYSTEM_CRIT_BREAKS); else ClearFlag(NtCurrentPeb()->NtGlobalFlag, FLG_ENABLE_SYSTEM_CRIT_BREAKS); if (!NT_SUCCESS(status)) { PhShowStatus(NULL, L"Unable to configure termination policy.", status, 0); } } } /** * Initializes the timer policy for the system. * * This function sets up and configures the timer policy that will be used * throughout the System Informer application for timing operations and measurements. */ NTSTATUS PhInitializeTimerPolicy( VOID ) { static BOOL timerSuppression = FALSE; SetUserObjectInformation(NtCurrentProcess(), UOI_TIMERPROC_EXCEPTION_SUPPRESSION, &timerSuppression, sizeof(BOOL)); return STATUS_SUCCESS; } /** * Initializes the application system. * * This function performs the necessary initialization of the System Informer * application system, setting up core components and resources required for * the application to function properly. */ NTSTATUS PhInitializeAppSystem( VOID ) { if (!PhProcessProviderInitialization()) return STATUS_UNSUCCESSFUL; if (!PhServiceProviderInitialization()) return STATUS_UNSUCCESSFUL; if (!PhNetworkProviderInitialization()) return STATUS_UNSUCCESSFUL; PhSetHandleClientIdFunction(PhGetClientIdName); return STATUS_SUCCESS; } /** * Initializes the application settings. * * This function sets up and initializes all application-level settings, * including user preferences, configuration values, and default parameters * required for the System Informer application to function properly. */ VOID PhInitializeAppSettings( VOID ) { PhSettingsInitialization(); PhAddDefaultSettings(); if (!PhStartupParameters.NoSettings) { // There are three possible locations for the settings file: // 1. The file name given in the command line. // 2. A file named SystemInformer.exe.settings.json in the program directory. (This changes // based on the executable file name.) // 3. The default location. NTSTATUS status = STATUS_OBJECT_NAME_NOT_FOUND; PPH_STRING settingsPath = NULL; PPH_STRING basePath = NULL; // 1. File specified in command line if (PhStartupParameters.SettingsFileName) { if (PhDetermineDosPathNameType(&PhStartupParameters.SettingsFileName->sr) == RtlPathTypeRooted) { PhSetReference(&PhSettingsFileName, PhStartupParameters.SettingsFileName); } else { PPH_STRING settingsFileName; // Get an absolute path now. if (NT_SUCCESS(PhGetFullPath(PhGetString(PhStartupParameters.SettingsFileName), &settingsFileName, NULL))) { PhMoveReference(&settingsFileName, PhDosPathNameToNtPathName(&settingsFileName->sr)); if (!PhIsNullOrEmptyString(settingsFileName)) { PhMoveReference(&PhSettingsFileName, settingsFileName); } } } if (PhSettingsFileName) { status = PhLoadSettings(&PhSettingsFileName->sr); } } // 2. Default locations (AppData) if (PhIsNullOrEmptyString(PhSettingsFileName) || !NT_SUCCESS(status)) { status = PhLoadSettingsAutoDetect(NULL, L"settings", &settingsPath, NULL, &PhPortableEnabled); if (NT_SUCCESS(status) || status == STATUS_OBJECT_NAME_NOT_FOUND) { PhMoveReference(&PhSettingsFileName, settingsPath); } } // Handle errors if (status == STATUS_FILE_CORRUPT_ERROR) { if (PhShowMessage2( NULL, TD_YES_BUTTON | TD_NO_BUTTON, TD_WARNING_ICON, L"System Informer's settings file is corrupt. Do you want to reset it?", L"If you select No, the settings system will not function properly." ) == IDYES) { if (PhSettingsFileName) PhResetSettingsFile(&PhSettingsFileName->sr); } else { PhDereferenceObject(PhSettingsFileName); PhSettingsFileName = NULL; } } else if (!NT_SUCCESS(status) && status != STATUS_OBJECT_NAME_NOT_FOUND) { PhShowStatus(NULL, L"Unable to load the settings file.", status, 0); } } PhUpdateCachedSettings(); //PhSettingsInitialization(); //PhAddDefaultSettings(); //if (!PhStartupParameters.NoSettings) //{ // // There are three possible locations for the settings file: // // 1. The file name given in the command line. // // 2. A file named SystemInformer.exe.settings.json in the program directory. (This changes // // based on the executable file name.) // // 3. The default location. // // 1. File specified in command line // if (PhStartupParameters.SettingsFileName) // { // if (PhDetermineDosPathNameType(&PhStartupParameters.SettingsFileName->sr) == RtlPathTypeRooted) // { // PhSetReference(&PhSettingsFileName, PhStartupParameters.SettingsFileName); // } // else // { // PPH_STRING settingsFileName; // // Get an absolute path now. // if (NT_SUCCESS(PhGetFullPath(PhGetString(PhStartupParameters.SettingsFileName), &settingsFileName, NULL))) // { // PhMoveReference(&settingsFileName, PhDosPathNameToNtPathName(&settingsFileName->sr)); // if (!PhIsNullOrEmptyString(settingsFileName)) // { // PhMoveReference(&PhSettingsFileName, settingsFileName); // } // } // } // } // // 2. File in program directory (portable mode) // if (PhIsNullOrEmptyString(PhSettingsFileName)) // { // PPH_STRING settingsFileName; // // Try .settings.json first // if (settingsFileName = PhGetApplicationFileNameZ(L".settings.json")) // { // if (PhDoesFileExist(&settingsFileName->sr)) // { // PhMoveReference(&PhSettingsFileName, settingsFileName); // PhPortableEnabled = TRUE; // } // else // { // PhDereferenceObject(settingsFileName); // // Try .settings.xml (legacy) // if (settingsFileName = PhGetApplicationFileNameZ(L".settings.xml")) // { // if (PhDoesFileExist(&settingsFileName->sr)) // { // PPH_STRING jsonFileName = PhGetBaseNameChangeExtensionZ(&settingsFileName->sr, L".json"); // // Convert XML to JSON // NTSTATUS convertStatus = PhConvertSettingsXmlToJson( // &settingsFileName->sr, // &jsonFileName->sr // ); // if (NT_SUCCESS(convertStatus)) // { // PhMoveReference(&PhSettingsFileName, jsonFileName); // PhPortableEnabled = TRUE; // } // else // { // PhShowStatus(NULL, L"Unable to convert settings to json format.", convertStatus, 0); // PhDereferenceObject(jsonFileName); // } // } // else // { // PhDereferenceObject(settingsFileName); // } // } // } // } // } // // 3. Default location // if (PhIsNullOrEmptyString(PhSettingsFileName)) // { // PhSettingsFileName = PhGetKnownLocationZ(PH_FOLDERID_RoamingAppData, L"\\SystemInformer\\settings.json", TRUE); // } // if (!PhIsNullOrEmptyString(PhSettingsFileName)) // { // NTSTATUS status; // status = PhLoadSettings(&PhSettingsFileName->sr); // // If JSON file not found, try to convert from XML // if (status == STATUS_OBJECT_NAME_NOT_FOUND) // { // PPH_STRING xmlFileName = PhGetBaseNameChangeExtensionZ(&PhSettingsFileName->sr, L".xml"); // if (!PhIsNullOrEmptyString(xmlFileName)) // { // if (PhDoesFileExist(&xmlFileName->sr)) // { // // Convert XML to JSON // NTSTATUS convertStatus = PhConvertSettingsXmlToJson( // &xmlFileName->sr, // &PhSettingsFileName->sr // ); // if (NT_SUCCESS(convertStatus)) // { // // Retry loading from newly created JSON file // status = PhLoadSettings(&PhSettingsFileName->sr); // } // else // { // PhShowStatus(NULL, L"Unable to convert settings to json format.", convertStatus, 0); // } // } // PhDereferenceObject(xmlFileName); // } // } // // If we didn't find the file, it will be created. Otherwise, // // there was probably a parsing error and we don't want to // // change anything. // if (status == STATUS_FILE_CORRUPT_ERROR) // { // if (PhShowMessage2( // NULL, // TD_YES_BUTTON | TD_NO_BUTTON, // TD_WARNING_ICON, // L"System Informer's settings file is corrupt. Do you want to reset it?", // L"If you select No, the settings system will not function properly." // ) == IDYES) // { // PhResetSettingsFile(&PhSettingsFileName->sr); // } // else // { // // Pretend we don't have a settings file, the user can resolve the issue // // in this case without resetting the user(s) settings or customization to defaults. // PhDereferenceObject(PhSettingsFileName); // PhSettingsFileName = NULL; // } // } // else if (!NT_SUCCESS(status)) // { // PhShowStatus(NULL, L"Unable to load the settings file.", status, 0); // } // } //} //PhUpdateCachedSettings(); // Apply basic global settings. PhPluginsEnabled = !!PhGetIntegerSetting(SETTING_ENABLE_PLUGINS); PhMaxSizeUnit = PhGetIntegerSetting(SETTING_MAX_SIZE_UNIT); PhMaxPrecisionUnit = (USHORT)PhGetIntegerSetting(SETTING_MAX_PRECISION_UNIT); PhMaxPrecisionLimit = 1.0f; for (ULONG i = 0; i < PhMaxPrecisionUnit; i++) PhMaxPrecisionLimit /= 10; PhEnableWindowText = !!PhGetIntegerSetting(SETTING_ENABLE_WINDOW_TEXT); PhEnableThemeSupport = !!PhGetIntegerSetting(SETTING_ENABLE_THEME_SUPPORT); PhThemeWindowForegroundColor = PhGetIntegerSetting(SETTING_THEME_WINDOW_FOREGROUND_COLOR); PhThemeWindowBackgroundColor = PhGetIntegerSetting(SETTING_THEME_WINDOW_BACKGROUND_COLOR); PhThemeWindowBackground2Color = PhGetIntegerSetting(SETTING_THEME_WINDOW_BACKGROUND2_COLOR); PhThemeWindowHighlightColor = PhGetIntegerSetting(SETTING_THEME_WINDOW_HIGHLIGHT_COLOR); PhThemeWindowHighlight2Color = PhGetIntegerSetting(SETTING_THEME_WINDOW_HIGHLIGHT2_COLOR); PhThemeWindowTextColor = PhGetIntegerSetting(SETTING_THEME_WINDOW_TEXT_COLOR); PhEnableThemeAcrylicSupport = WindowsVersion >= WINDOWS_11 && !!PhGetIntegerSetting(SETTING_ENABLE_THEME_ACRYLIC_SUPPORT); PhEnableThemeAcrylicWindowSupport = WindowsVersion >= WINDOWS_11 && !!PhGetIntegerSetting(SETTING_ENABLE_THEME_ACRYLIC_WINDOW_SUPPORT); PhEnableThemeNativeButtons = !!PhGetIntegerSetting(SETTING_ENABLE_THEME_NATIVE_BUTTONS); PhEnableThemeListviewBorder = !!PhGetIntegerSetting(SETTING_TREE_LIST_BORDER_ENABLE); PhEnableDeferredLayout = !!PhGetIntegerSetting(SETTING_ENABLE_DEFERRED_LAYOUT); PhEnableServiceNonPoll = !!PhGetIntegerSetting(SETTING_ENABLE_SERVICE_NON_POLL); PhEnableServiceNonPollNotify = !!PhGetIntegerSetting(SETTING_ENABLE_SERVICE_NON_POLL_NOTIFY); PhServiceNonPollFlushInterval = PhGetIntegerSetting(SETTING_NON_POLL_FLUSH_INTERVAL); PhEnableKsiSupport = !!PhGetIntegerSetting(SETTING_KSI_ENABLE) && !PhStartupParameters.NoKph && !PhIsExecutingInWow64(); PhEnableKsiWarnings = !!PhGetIntegerSetting(SETTING_KSI_ENABLE_WARNINGS); PhFontQuality = PhGetFontQualitySetting(PhGetIntegerSetting(SETTING_FONT_QUALITY)); if (PhGetIntegerSetting(SETTING_SAMPLE_COUNT_AUTOMATIC)) { ULONG sampleCount; sampleCount = (PhGetSystemMetrics(SM_CXVIRTUALSCREEN, 0) + 1) / 2; if (sampleCount > 4096) sampleCount = 4096; PhSetIntegerSetting(SETTING_SAMPLE_COUNT, sampleCount); } if (PhStartupParameters.UpdateChannel != PhInvalidChannel) { PhSetIntegerSetting(SETTING_RELEASE_CHANNEL, PhStartupParameters.UpdateChannel); } if (PhStartupParameters.ShowHidden && !PhNfIconsEnabled()) { // HACK(jxy-s) The default used to be that system tray icons where enabled, this keeps the // old behavior for automation workflows. If the user specified "-hide" then they want to // start the program hidden to the system tray and not show any main window. If there are no // system tray icons enabled then we need to enable them so the behavior is consistent. PhSetStringSetting(SETTING_ICON_SETTINGS, L"2|1"); } } typedef enum _PH_COMMAND_ARG { PH_ARG_NONE, PH_ARG_SETTINGS, PH_ARG_NOSETTINGS, PH_ARG_SHOWVISIBLE, PH_ARG_SHOWHIDDEN, PH_ARG_RUNASSERVICEMODE, PH_ARG_NOKPH, PH_ARG_DEBUG, PH_ARG_HWND, PH_ARG_POINT, PH_ARG_SHOWOPTIONS, PH_ARG_PHSVC, PH_ARG_NOPLUGINS, PH_ARG_NEWINSTANCE, PH_ARG_ELEVATE, PH_ARG_SILENT, PH_ARG_HELP, PH_ARG_SELECTPID, PH_ARG_PRIORITY, PH_ARG_PLUGIN, PH_ARG_SELECTTAB, PH_ARG_SYSINFO, PH_ARG_KPHSTARTUPHIGH, PH_ARG_KPHSTARTUPMAX, PH_ARG_CHANNEL, } PH_COMMAND_ARG; /** * Callback function for processing command line options. * * This function is invoked for each parsed command line option during application startup. * It updates the global PhStartupParameters structure and related state based on the provided * option and value. Supported options include settings file path, visibility, debug mode, * privilege elevation, plugin parameters, process priority, and more. * * \param Option Pointer to the command line option structure, or NULL for non-option arguments. * \param Value Optional value associated with the option, or NULL if not applicable. * \param Context Optional context pointer (unused). * \return TRUE to continue processing further options, or FALSE to stop. */ _Function_class_(PH_COMMAND_LINE_CALLBACK) BOOLEAN NTAPI PhpCommandLineOptionCallback( _In_opt_ PCPH_COMMAND_LINE_OPTION Option, _In_opt_ PPH_STRING Value, _In_opt_ PVOID Context ) { ULONG64 integer; if (Option) { switch (Option->Id) { case PH_ARG_SETTINGS: PhSwapReference(&PhStartupParameters.SettingsFileName, Value); break; case PH_ARG_NOSETTINGS: PhStartupParameters.NoSettings = TRUE; break; case PH_ARG_SHOWVISIBLE: PhStartupParameters.ShowVisible = TRUE; break; case PH_ARG_SHOWHIDDEN: PhStartupParameters.ShowHidden = TRUE; break; case PH_ARG_RUNASSERVICEMODE: PhSwapReference(&PhStartupParameters.RunAsServiceMode, Value); break; case PH_ARG_NOKPH: PhStartupParameters.NoKph = TRUE; break; case PH_ARG_DEBUG: PhStartupParameters.Debug = TRUE; break; case PH_ARG_HWND: if (Value && PhStringToInteger64(&Value->sr, 16, &integer)) PhStartupParameters.WindowHandle = (HWND)(ULONG_PTR)integer; break; case PH_ARG_POINT: { PH_STRINGREF xString; PH_STRINGREF yString; if (Value && PhSplitStringRefAtChar(&Value->sr, L',', &xString, &yString)) { LONG64 x; LONG64 y; if (PhStringToInteger64(&xString, 10, &x) && PhStringToInteger64(&yString, 10, &y)) { PhStartupParameters.Point.x = (LONG)x; PhStartupParameters.Point.y = (LONG)y; } } } break; case PH_ARG_SHOWOPTIONS: PhStartupParameters.ShowOptions = TRUE; break; case PH_ARG_PHSVC: PhStartupParameters.PhSvc = TRUE; break; case PH_ARG_NOPLUGINS: PhStartupParameters.NoPlugins = TRUE; break; case PH_ARG_NEWINSTANCE: PhStartupParameters.NewInstance = TRUE; break; case PH_ARG_ELEVATE: PhStartupParameters.Elevate = TRUE; break; case PH_ARG_SILENT: PhStartupParameters.Silent = TRUE; break; case PH_ARG_HELP: PhStartupParameters.Help = TRUE; break; case PH_ARG_SELECTPID: if (Value && PhStringToInteger64(&Value->sr, 0, &integer)) PhStartupParameters.SelectPid = (ULONG)integer; break; case PH_ARG_PRIORITY: if (Value && PhEqualString2(Value, L"r", TRUE)) PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_REALTIME; else if (Value && PhEqualString2(Value, L"h", TRUE)) PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_HIGH; else if (Value && PhEqualString2(Value, L"n", TRUE)) PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_NORMAL; else if (Value && PhEqualString2(Value, L"l", TRUE)) PhStartupParameters.PriorityClass = PROCESS_PRIORITY_CLASS_IDLE; break; case PH_ARG_PLUGIN: if (!PhStartupParameters.PluginParameters) PhStartupParameters.PluginParameters = PhCreateList(3); if (Value) PhAddItemList(PhStartupParameters.PluginParameters, PhReferenceObject(Value)); break; case PH_ARG_SELECTTAB: PhSwapReference(&PhStartupParameters.SelectTab, Value); break; case PH_ARG_SYSINFO: PhSwapReference(&PhStartupParameters.SysInfo, Value ? Value : PhReferenceEmptyString()); break; case PH_ARG_KPHSTARTUPHIGH: PhStartupParameters.KphStartupHigh = TRUE; break; case PH_ARG_KPHSTARTUPMAX: PhStartupParameters.KphStartupMax = TRUE; break; case PH_ARG_CHANNEL: { if (Value && PhEqualString2(Value, L"release", FALSE)) PhStartupParameters.UpdateChannel = PhReleaseChannel; else if (Value && PhEqualString2(Value, L"preview", FALSE)) PhStartupParameters.UpdateChannel = PhPreviewChannel; else if (Value && PhEqualString2(Value, L"canary", FALSE)) PhStartupParameters.UpdateChannel = PhCanaryChannel; else if (Value && PhEqualString2(Value, L"developer", FALSE)) PhStartupParameters.UpdateChannel = PhDeveloperChannel; } break; } } else { PPH_STRING upperValue = NULL; if (Value) upperValue = PhUpperString(Value); if (upperValue) { if (PhFindStringInString(upperValue, 0, L"TASKMGR.EXE") != SIZE_MAX) { // User probably has System Informer replacing Task Manager. Force // the main window to start visible. PhStartupParameters.ShowVisible = TRUE; } PhDereferenceObject(upperValue); } } return TRUE; } /** * Parses and processes the application's startup parameters from the command line. * * This function defines and processes all supported command line options for System Informer. * It updates the global PhStartupParameters structure based on the parsed arguments, enabling * or disabling features, setting file paths, and configuring application behavior. */ VOID PhpProcessStartupParameters( VOID ) { CONST PH_COMMAND_LINE_OPTION options[] = { { PH_ARG_SETTINGS, L"settings", MandatoryArgumentType }, { PH_ARG_NOSETTINGS, L"nosettings", NoArgumentType }, { PH_ARG_SHOWVISIBLE, L"v", NoArgumentType }, { PH_ARG_SHOWHIDDEN, L"hide", NoArgumentType }, { PH_ARG_RUNASSERVICEMODE, L"ras", MandatoryArgumentType }, { PH_ARG_NOKPH, L"nokph", NoArgumentType }, { PH_ARG_DEBUG, L"debug", NoArgumentType }, { PH_ARG_HWND, L"hwnd", MandatoryArgumentType }, { PH_ARG_POINT, L"point", MandatoryArgumentType }, { PH_ARG_SHOWOPTIONS, L"showoptions", NoArgumentType }, { PH_ARG_PHSVC, L"phsvc", NoArgumentType }, { PH_ARG_NOPLUGINS, L"noplugins", NoArgumentType }, { PH_ARG_NEWINSTANCE, L"newinstance", NoArgumentType }, { PH_ARG_ELEVATE, L"elevate", NoArgumentType }, { PH_ARG_SILENT, L"s", NoArgumentType }, { PH_ARG_HELP, L"help", NoArgumentType }, { PH_ARG_SELECTPID, L"selectpid", MandatoryArgumentType }, { PH_ARG_PRIORITY, L"priority", MandatoryArgumentType }, { PH_ARG_PLUGIN, L"plugin", MandatoryArgumentType }, { PH_ARG_SELECTTAB, L"selecttab", MandatoryArgumentType }, { PH_ARG_SYSINFO, L"sysinfo", OptionalArgumentType }, { PH_ARG_KPHSTARTUPHIGH, L"kh", NoArgumentType }, { PH_ARG_KPHSTARTUPMAX, L"kx", NoArgumentType }, { PH_ARG_CHANNEL, L"channel", MandatoryArgumentType }, }; PH_STRINGREF commandLine; PhGetProcessCommandLineStringRef(&commandLine); if (!PhParseCommandLine( &commandLine, options, RTL_NUMBER_OF(options), PH_COMMAND_LINE_IGNORE_UNKNOWN_OPTIONS | PH_COMMAND_LINE_IGNORE_FIRST_PART, PhpCommandLineOptionCallback, NULL ) || PhStartupParameters.Help) { PhShowInformation2( NULL, L"Command line options:", L"%s", L"-debug\n" L"-elevate\n" L"-help\n" L"-hide\n" L"-newinstance\n" L"-nokph\n" L"-noplugins\n" L"-nosettings\n" L"-plugin pluginname:value\n" L"-priority r|h|n|l\n" L"-s\n" L"-selectpid pid-to-select\n" L"-selecttab name-of-tab-to-select\n" L"-settings filename\n" L"-sysinfo [section-name]\n" L"-channel [channel-name]\n" L"-v" ); PhExitApplication(STATUS_SUCCESS); } if (PhStartupParameters.Elevate && !PhGetOwnTokenAttributes().Elevated) { PhShellProcessHacker( NULL, NULL, SW_SHOW, PH_SHELL_EXECUTE_ADMIN, PH_SHELL_APP_PROPAGATE_PARAMETERS, 0, NULL ); PhExitApplication(STATUS_SUCCESS); } } /** * Enables a set of privileges for the current process token. * * \remarks This function is called during application startup to ensure * the process has the necessary rights for system-level operations. * If the process lacks sufficient rights to adjust privileges, the function * will silently fail and continue. */ VOID PhpEnablePrivileges( VOID ) { HANDLE tokenHandle; if (NT_SUCCESS(PhOpenProcessToken( NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tokenHandle ))) { const LUID_AND_ATTRIBUTES privileges[] = { { RtlConvertUlongToLuid(SE_DEBUG_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_INC_BASE_PRIORITY_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_INC_WORKING_SET_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_LOAD_DRIVER_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_PROF_SINGLE_PROCESS_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_BACKUP_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_RESTORE_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_SHUTDOWN_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_TAKE_OWNERSHIP_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_SECURITY_PRIVILEGE), SE_PRIVILEGE_ENABLED }, }; UCHAR privilegesBuffer[FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) + sizeof(privileges)]; PTOKEN_PRIVILEGES tokenPrivileges; tokenPrivileges = (PTOKEN_PRIVILEGES)privilegesBuffer; tokenPrivileges->PrivilegeCount = RTL_NUMBER_OF(privileges); memcpy(tokenPrivileges->Privileges, privileges, sizeof(privileges)); NtAdjustPrivilegesToken( tokenHandle, FALSE, tokenPrivileges, 0, NULL, NULL ); NtClose(tokenHandle); } } ================================================ FILE: SystemInformer/mainwnd.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include typedef struct _PH_MWP_KPH { KPH_LEVEL Level; BOOLEAN DynDataActive; } PH_MWP_KPH, *PPH_MWP_KPH; HWND PhMainWndHandle = NULL; BOOLEAN PhMainWndExiting = FALSE; BOOLEAN PhMainWndEarlyExit = FALSE; WNDPROC PhMainWndProc = PhMwpWndProc; PH_MWP_KPH PhMainWndKph = { KphLevelNone, FALSE }; PH_PROVIDER_REGISTRATION PhMwpProcessProviderRegistration; PH_PROVIDER_REGISTRATION PhMwpServiceProviderRegistration; PH_PROVIDER_REGISTRATION PhMwpNetworkProviderRegistration; BOOLEAN PhMwpUpdateAutomatically = TRUE; ULONG PhMwpNotifyIconNotifyMask = 0; ULONG PhMwpLastNotificationType = 0; PH_MWP_NOTIFICATION_DETAILS PhMwpLastNotificationDetails; static BOOLEAN AlwaysOnTop = FALSE; static BOOLEAN NeedsMaximize = FALSE; static BOOLEAN DelayedLoadCompleted = FALSE; static PH_CALLBACK_DECLARE(LayoutPaddingCallback); static RECT LayoutPadding = { 0, 0, 0, 0 }; static BOOLEAN LayoutPaddingValid = TRUE; static LONG LayoutWindowDpi = 96; static LONG LayoutBorderSize = 0; static HWND TabControlHandle = NULL; static PPH_LIST PageList = NULL; static PPH_MAIN_TAB_PAGE CurrentPage = NULL; static LONG OldTabIndex = 0; static HMENU SubMenuHandles[5]; static PPH_EMENU SubMenuObjects[5]; static ULONG SelectedUserSessionId = ULONG_MAX; /** * Initializes the main window and data providers. * * \param ShowCommand The initial show command (e.g., SW_SHOW, SW_HIDE, SW_MAXIMIZE). * \return TRUE if initialization succeeded, FALSE otherwise. * \remarks Delayed initialization tasks are queued for execution after the window is shown. */ BOOLEAN PhMainWndInitialization( _In_ LONG ShowCommand ) { RTL_ATOM windowAtom; PH_RECTANGLE windowRectangle; RECT windowRect; LONG windowDpi; // Set FirstRun default settings. if (PhGetIntegerSetting(SETTING_FIRST_RUN)) PhSetIntegerSetting(SETTING_FIRST_RUN, FALSE); // Initialize the window class. if ((windowAtom = PhMwpInitializeWindowClass()) == INVALID_ATOM) return FALSE; // Initialize the window size and position. memset(&windowRectangle, 0, sizeof(PH_RECTANGLE)); windowRectangle.Position = PhGetIntegerPairSetting(SETTING_MAIN_WINDOW_POSITION); PhRectangleToRect(&windowRect, &windowRectangle); windowDpi = PhGetMonitorDpi(NULL, &windowRect); windowRectangle.Size = PhGetScalableIntegerPairSetting(SETTING_MAIN_WINDOW_SIZE, TRUE, windowDpi)->Pair; PhAdjustRectangleToWorkingArea(NULL, &windowRectangle); // Initialize the window. PhMainWndHandle = CreateWindow( MAKEINTATOM(windowAtom), NULL, WS_OVERLAPPEDWINDOW | (PhEnableDeferredLayout ? 0 : WS_CLIPCHILDREN), windowRectangle.Left, windowRectangle.Top, windowRectangle.Width, windowRectangle.Height, NULL, NULL, NULL, NULL ); if (!PhMainWndHandle) return FALSE; // Initialize window metrics. PhMwpInitializeMetrics(PhMainWndHandle, 0); // Initialize window controls. PhMwpInitializeControls(PhMainWndHandle); // Initialize window fonts. PhMwpOnSettingChange(PhMainWndHandle, 0, NULL); // Initialize window settings. PhMwpLoadSettings(PhMainWndHandle); // Initialize window theme. PhInitializeWindowTheme(PhMainWndHandle, PhEnableThemeSupport); // Initialize window menu. PhMwpInitializeMainMenu(PhMainWndHandle); // Initialize providers. PhMwpInitializeProviders(); // Perform window layout. PhMwpSelectionChangedTabControl(INT_ERROR); // Perform main window showing. PhMwpShowWindow(ShowCommand); // Queue delayed init functions. PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), PhMwpLoadStage1Worker, PhMainWndHandle); return TRUE; } /** * Window procedure for the main window. * * \param WindowHandle Handle to the window. * \param uMsg Message identifier. * \param wParam First message parameter. * \param lParam Second message parameter. * \return LRESULT Message result. */ LRESULT CALLBACK PhMwpWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (WindowMessage) { case WM_DESTROY: { PhMwpOnDestroy(WindowHandle); } break; case WM_ENDSESSION: { PhMwpOnEndSession(WindowHandle, !!wParam, (ULONG)lParam); } break; case WM_SETTINGCHANGE: { PhMwpOnSettingChange(WindowHandle, (ULONG)wParam, (PWSTR)lParam); } break; case WM_COMMAND: { PhMwpOnCommand(WindowHandle, GET_WM_COMMAND_ID(wParam, lParam)); } break; case WM_SHOWWINDOW: { PhMwpOnShowWindow(WindowHandle, !!wParam, (ULONG)lParam); } break; case WM_SYSCOMMAND: { if (PhMwpOnSysCommand(WindowHandle, (ULONG)wParam, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam))) return 0; } break; case WM_MENUCOMMAND: { PhMwpOnMenuCommand(WindowHandle, (ULONG)wParam, (HMENU)lParam); } break; case WM_INITMENUPOPUP: { PhMwpOnInitMenuPopup(WindowHandle, (HMENU)wParam, LOWORD(lParam), !!HIWORD(lParam)); } break; case WM_SIZE: { PhMwpOnSize(WindowHandle, (UINT)wParam, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam)); } break; case WM_SIZING: { PhMwpOnSizing((ULONG)wParam, (PRECT)lParam); } break; case WM_SETFOCUS: { PhMwpOnSetFocus(WindowHandle); } break; case WM_TIMER: { PhMwpOnTimer(WindowHandle, wParam, lParam); } break; case WM_NOTIFY: { LRESULT result; if (PhMwpOnNotify((NMHDR *)lParam, &result)) return result; } break; case WM_DEVICECHANGE: { PhMwpOnDeviceChanged(WindowHandle, wParam, lParam); } break; case WM_DPICHANGED: { PhMwpOnDpiChanged(WindowHandle, LOWORD(wParam)); } break; case WM_NCPAINT: case WM_NCACTIVATE: { if (WindowsVersion >= WINDOWS_10 && !PhEnableThemeSupport) { LRESULT result = DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); PhWindowThemeMainMenuBorder(WindowHandle); return result; } } break; } if (WindowMessage >= WM_PH_FIRST && WindowMessage <= WM_PH_LAST) { return PhMwpOnUserMessage(WindowHandle, WindowMessage, wParam, lParam); } return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } /** * Registers the main window class for the main window. * * \return The atom for the registered window class, or INVALID_ATOM on failure. */ RTL_ATOM PhMwpInitializeWindowClass( VOID ) { WNDCLASSEX wcex; PPH_STRING className; memset(&wcex, 0, sizeof(WNDCLASSEX)); wcex.cbSize = sizeof(WNDCLASSEX); wcex.lpfnWndProc = PhMainWndProc; wcex.hInstance = NtCurrentImageBase(); className = PhaGetStringSetting(SETTING_MAIN_WINDOW_CLASS_NAME); wcex.lpszClassName = PhGetStringOrDefault(className, SETTING_MAIN_WINDOW_CLASS_NAME); wcex.hCursor = PhLoadCursor(NULL, IDC_ARROW); if (PhEnableWindowText) { wcex.hIcon = PhGetApplicationIcon(FALSE); wcex.hIconSm = PhGetApplicationIcon(TRUE); } return RegisterClassEx(&wcex); } /** * Builds the main window title based on application name, user, privilege level, and elevation. * * \return A string containing the window title, or NULL if window text is disabled. */ PPH_STRING PhMwpInitializeWindowTitle( VOID ) { PH_STRING_BUILDER stringBuilder; PPH_STRING currentUserName; if (!PhEnableWindowText) { PhApplicationName = L" "; return NULL; } PhInitializeStringBuilder(&stringBuilder, 100); PhAppendStringBuilder2(&stringBuilder, PhApplicationName); if (currentUserName = PhGetSidFullName(PhGetOwnTokenAttributes().TokenSid, TRUE, NULL)) { PhAppendStringBuilder2(&stringBuilder, L" ["); PhAppendStringBuilder(&stringBuilder, ¤tUserName->sr); PhAppendCharStringBuilder(&stringBuilder, L']'); PhDereferenceObject(currentUserName); } switch (PhMainWndKph.Level) { case KphLevelMax: PhAppendStringBuilder2(&stringBuilder, L"++"); break; case KphLevelHigh: PhAppendStringBuilder2(&stringBuilder, L"+"); break; case KphLevelMed: PhAppendStringBuilder2(&stringBuilder, L"~"); break; case KphLevelLow: PhAppendStringBuilder2(&stringBuilder, L"-"); break; case KphLevelMin: PhAppendStringBuilder2(&stringBuilder, L"--"); break; } if (PhMainWndKph.Level && !PhMainWndKph.DynDataActive) PhAppendStringBuilder2(&stringBuilder, L" (RF)"); // RF = Reduced Functionality if (PhGetOwnTokenAttributes().ElevationType == TokenElevationTypeFull) PhAppendStringBuilder2(&stringBuilder, L" (Administrator)"); return PhFinalStringBuilderString(&stringBuilder); } /** * Initializes provider threads for processes, services, and network. */ VOID PhMwpInitializeProviders( VOID ) { if (PhCsUpdateInterval == 0) { PH_SET_INTEGER_CACHED_SETTING(UpdateInterval, PH_FLUSH_PROCESS_QUERY_DATA_INTERVAL_LONG_TERM); } // See PhMwpLoadStage1Worker for more details. PhInitializeProviderThread(&PhPrimaryProviderThread, PhCsUpdateInterval); PhInitializeProviderThread(&PhSecondaryProviderThread, PhCsUpdateInterval); PhInitializeProviderThread(&PhTertiaryProviderThread, PhCsUpdateInterval); if (PhGetIntegerSetting(SETTING_ENABLE_HIGH_RESOLUTION_PROVIDER_TIMER)) { PhSetHighResolutionProvider(&PhPrimaryProviderThread, TRUE); PhSetHighResolutionProvider(&PhSecondaryProviderThread, TRUE); PhSetHighResolutionProvider(&PhTertiaryProviderThread, TRUE); } PhRegisterProvider(&PhPrimaryProviderThread, PhProcessProviderUpdate, NULL, &PhMwpProcessProviderRegistration); PhRegisterProvider(&PhSecondaryProviderThread, PhServiceProviderUpdate, NULL, &PhMwpServiceProviderRegistration); PhRegisterProvider(&PhSecondaryProviderThread, PhNetworkProviderUpdate, NULL, &PhMwpNetworkProviderRegistration); PhSetEnabledProvider(&PhMwpProcessProviderRegistration, TRUE); PhSetEnabledProvider(&PhMwpServiceProviderRegistration, TRUE); PhStartProviderThread(&PhPrimaryProviderThread); PhStartProviderThread(&PhSecondaryProviderThread); PhStartProviderThread(&PhTertiaryProviderThread); } /** * Shows the main window, Handles startup parameters, tab selection, system info dialog, and window state. * * \param ShowCommand The show command (e.g., SW_SHOW, SW_HIDE, SW_MAXIMIZE). */ VOID PhMwpShowWindow( _In_ LONG ShowCommand ) { if ((PhStartupParameters.ShowHidden || PhGetIntegerSetting(SETTING_START_HIDDEN)) && PhNfIconsEnabled()) ShowCommand = SW_HIDE; if (PhStartupParameters.ShowVisible) ShowCommand = SW_SHOW; if (PhGetIntegerSetting(SETTING_MAIN_WINDOW_STATE) == SW_MAXIMIZE) { if (ShowCommand != SW_HIDE) { ShowCommand = SW_MAXIMIZE; } else { // We can't maximize it while having it hidden. Set it as pending. NeedsMaximize = TRUE; } } if (PhPluginsEnabled) { PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMainWindowShowing), LongToPtr(ShowCommand)); } if (PhStartupParameters.SelectTab) { PPH_MAIN_TAB_PAGE page; if (page = PhMwpFindPage(&PhStartupParameters.SelectTab->sr)) { PhMwpSelectPage(page->Index); } } else { if (PhGetIntegerSetting(SETTING_MAIN_WINDOW_TAB_RESTORE_ENABLED)) { PhMwpSelectPage(PhGetIntegerSetting(SETTING_MAIN_WINDOW_TAB_RESTORE_INDEX)); } } if (PhStartupParameters.SysInfo) { PhShowSystemInformationDialog(PhGetString(PhStartupParameters.SysInfo)); } if (ShowCommand != SW_HIDE) { ShowWindow(PhMainWndHandle, ShowCommand); UpdateWindow(PhMainWndHandle); if (!SetForegroundWindow(PhMainWndHandle)) { PhBringWindowToTop(PhMainWndHandle); } } if (PhGetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED)) { PhPinMiniInformation(MiniInfoManualPinType, 1, 0, PH_MINIINFO_LOAD_POSITION, NULL, NULL); } } /** * Applies the update interval to all provider threads. * * \param Interval The update interval in milliseconds. */ VOID PhMwpApplyUpdateInterval( _In_ ULONG Interval ) { PhSetIntervalProviderThread(&PhPrimaryProviderThread, Interval); PhSetIntervalProviderThread(&PhSecondaryProviderThread, Interval); PhSetIntervalProviderThread(&PhTertiaryProviderThread, Interval); } /** * Initializes window metrics such as DPI and border size. * * \param WindowHandle Handle to the window. * \param WindowDpi The DPI value for the window. */ VOID PhMwpInitializeMetrics( _In_ HWND WindowHandle, _In_ LONG WindowDpi ) { LayoutWindowDpi = PhGetWindowDpi(WindowHandle); LayoutBorderSize = PhGetSystemMetrics(SM_CXBORDER, LayoutWindowDpi); PhProcessImageListInitialization(WindowHandle, LayoutWindowDpi); } /** * Initializes controls for the main window, including tab and tree views. * * \param WindowHandle Handle to the window. */ VOID PhMwpInitializeControls( _In_ HWND WindowHandle ) { ULONG thinRows; ULONG treelistBorder; ULONG treelistCustomColors; ULONG treelistCustomHeaderDraw; ULONG treelistCustomDragReorder; PH_TREENEW_CREATEPARAMS treelistCreateParams = { sizeof(PH_TREENEW_CREATEPARAMS) }; thinRows = PhGetIntegerSetting(SETTING_THIN_ROWS) ? TN_STYLE_THIN_ROWS : 0; treelistBorder = (PhGetIntegerSetting(SETTING_TREE_LIST_BORDER_ENABLE) && !PhEnableThemeSupport) ? WS_BORDER : 0; treelistCustomColors = PhGetIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLORS_ENABLE) ? TN_STYLE_CUSTOM_COLORS : 0; treelistCustomHeaderDraw = PhGetIntegerSetting(SETTING_TREE_LIST_ENABLE_HEADER_TOTALS) ? TN_STYLE_CUSTOM_HEADERDRAW : 0; treelistCustomDragReorder = PhGetIntegerSetting(SETTING_TREE_LIST_ENABLE_DRAG_REORDER) ? TN_STYLE_DRAG_REORDER_ROWS : 0; if (treelistCustomColors) { treelistCreateParams.TextColor = PhGetIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLOR_TEXT); treelistCreateParams.FocusColor = PhGetIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLOR_FOCUS); treelistCreateParams.SelectionColor = PhGetIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLOR_SELECTION); } if (PhGetIntegerSetting(SETTING_TREE_LIST_CUSTOM_ROW_SIZE)) { treelistCreateParams.RowHeight = PhGetIntegerSetting(SETTING_TREE_LIST_CUSTOM_ROW_SIZE); } TabControlHandle = PhCreateWindow( WC_TABCONTROL, NULL, WS_CHILD | WS_VISIBLE | WS_CLIPSIBLINGS | TCS_MULTILINE, 0, 0, 0, 0, WindowHandle, NULL, NULL, NULL ); PhMwpProcessTreeNewHandle = PhCreateWindow( MAKEINTATOM(PhTreeWindowAtom), NULL, WS_CHILD | WS_CLIPCHILDREN | WS_CLIPSIBLINGS | TN_STYLE_ICONS | TN_STYLE_DOUBLE_BUFFERED | TN_STYLE_ANIMATE_DIVIDER | thinRows | treelistBorder | treelistCustomColors | treelistCustomHeaderDraw | treelistCustomDragReorder, 0, 0, 0, 0, WindowHandle, NULL, NULL, &treelistCreateParams ); PhMwpServiceTreeNewHandle = PhCreateWindow( MAKEINTATOM(PhTreeWindowAtom), NULL, WS_CHILD | WS_CLIPCHILDREN | WS_CLIPSIBLINGS | TN_STYLE_ICONS | TN_STYLE_DOUBLE_BUFFERED | thinRows | treelistBorder | treelistCustomColors, 0, 0, 0, 0, WindowHandle, NULL, NULL, &treelistCreateParams ); PhMwpNetworkTreeNewHandle = PhCreateWindow( MAKEINTATOM(PhTreeWindowAtom), NULL, WS_CHILD | WS_CLIPCHILDREN | WS_CLIPSIBLINGS | TN_STYLE_ICONS | TN_STYLE_DOUBLE_BUFFERED | thinRows | treelistBorder | treelistCustomColors, 0, 0, 0, 0, WindowHandle, NULL, NULL, &treelistCreateParams ); PageList = PhCreateList(10); PhMwpCreateInternalPage(L"Processes", 0, PhMwpProcessesPageCallback); PhProcessTreeListInitialization(); PhInitializeProcessTreeList(PhMwpProcessTreeNewHandle); PhMwpCreateInternalPage(L"Services", 0, PhMwpServicesPageCallback); PhServiceTreeListInitialization(); PhInitializeServiceTreeList(PhMwpServiceTreeNewHandle); PhMwpCreateInternalPage(L"Network", 0, PhMwpNetworkPageCallback); PhNetworkTreeListInitialization(); PhInitializeNetworkTreeList(PhMwpNetworkTreeNewHandle); CurrentPage = PageList->Items[0]; } /** * Worker routine for delayed stage 1 initialization. * * Performs additional initialization tasks after the main window is shown. * * \param Parameter The window handle. * \return NTSTATUS Successful or errant status. */ _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhMwpLoadStage1Worker( _In_ PVOID Parameter ) { // Initialize window title (dmex) { PPH_STRING windowTitle; PhMainWndKph.Level = KphLevelEx(FALSE); if (!NT_SUCCESS(KphIsDynDataActive(&PhMainWndKph.DynDataActive))) PhMainWndKph.DynDataActive = FALSE; if (windowTitle = PhMwpInitializeWindowTitle()) { PhSetWindowText((HWND)Parameter, PhGetString(windowTitle)); PhDereferenceObject(windowTitle); } } // If the update interval is too large, the user might have to wait a while before seeing some types of // process-related data. We force an update by boosting the provider shortly after the program // starts up to make things appear more quickly. if (PhCsUpdateInterval > PH_FLUSH_PROCESS_QUERY_DATA_INTERVAL_LONG_TERM) { PhBoostProvider(&PhMwpProcessProviderRegistration, NULL); PhBoostProvider(&PhMwpServiceProviderRegistration, NULL); } PhNfLoadStage2(); if (PhGetIntegerSetting(SETTING_ENABLE_LAST_PROCESS_SHUTDOWN)) { // Make sure we get closed late in the shutdown process. // This is needed for the shutdown cancel debugging scenario included with Task Manager. // Note: Windows excludes system binaries from the shutdown dialog while not excluding // programs registered for late shutdown, so when services delay shutdown they won't be shown // to the user while we are shown and this has caused some users to blame us instead. (dmex) PhSetProcessShutdownParameters(0x1, SHUTDOWN_NORETRY); } // Allow WM_PH_ACTIVATE to pass through UIPI. (wj32) if (PhGetOwnTokenAttributes().Elevated) { ChangeWindowMessageFilterEx((HWND)Parameter, WM_PH_ACTIVATE, MSGFLT_ADD, NULL); } // N.B. Devices tab is handled by the HardwareDevices plug-in. The provider is managed internally // such that we can handle notifications and dispatch them to other plug-ins. Here we initialize // only the device notifications. (jxy-s). PhMwpInitializeDeviceNotifications(); DelayedLoadCompleted = TRUE; //PostMessage((HWND)Parameter, WM_PH_DELAYED_LOAD_COMPLETED, 0, 0); return STATUS_SUCCESS; } /** * Handles cleanup and shutdown when the main window is destroyed. * * \param WindowHandle Handle to the main window being destroyed. */ VOID PhMwpOnDestroy( _In_ HWND WindowHandle ) { PhMainWndExiting = TRUE; // Notify pages and plugins that we are shutting down. PhMwpNotifyAllPages(MainTabPageUpdateAutomaticallyChanged, UlongToPtr(FALSE), NULL); // disable providers (dmex) PhMwpNotifyAllPages(MainTabPageDestroy, NULL, NULL); if (PhPluginsEnabled) PhUnloadPlugins(FALSE); if (!PhMainWndEarlyExit) PhMwpSaveSettings(WindowHandle); PhNfUninitialization(); PostQuitMessage(0); } /** * Handles the end session event for the main window. * * This function is called when the system is ending the current session, * such as during shutdown or user logoff. It allows the application to * perform any necessary cleanup or state saving before the session ends. * * \param WindowHandle Handle to the window receiving the end session event. * \param SessionEnding TRUE if the session is ending, FALSE otherwise. * \param Reason Reason code for the session end (e.g., shutdown, logoff). */ VOID PhMwpOnEndSession( _In_ HWND WindowHandle, _In_ BOOLEAN SessionEnding, _In_ ULONG Reason ) { if (!SessionEnding) return; PhMainWndExiting = TRUE; // Notify pages and plugins that we are shutting down. // This callback must only perform the bare minimum cleanup. (dmex) PhMwpNotifyAllPages(MainTabPageUpdateAutomaticallyChanged, UlongToPtr(FALSE), NULL); // disable providers (dmex) if (PhPluginsEnabled) PhUnloadPlugins(TRUE); PhMwpSaveSettings(WindowHandle); PhExitApplication(STATUS_SUCCESS); } /** * Handles changes to system or application settings. * * \param WindowHandle Handle to the window receiving the setting change notification. * \param Action Optional action code specifying the type of setting change. * \param Metric Optional string specifying the particular metric or setting that changed. */ VOID PhMwpOnSettingChange( _In_ HWND WindowHandle, _In_opt_ ULONG Action, _In_opt_ PCWSTR Metric ) { { HFONT oldFont = PhApplicationFont; PhApplicationFont = PhInitializeFont(LayoutWindowDpi); if (oldFont) DeleteFont(oldFont); } if (PhGetIntegerSetting(SETTING_ENABLE_MONOSPACE_FONT)) { HFONT oldFont = PhMonospaceFont; PhMonospaceFont = PhInitializeMonospaceFont(LayoutWindowDpi); if (oldFont) DeleteFont(oldFont); } if (Action == 0 && Metric) { // Reload dark theme metrics //if (PhEqualStringZ(Metric, L"ImmersiveColorSet", TRUE)) //{ // NOTHING; //} } //if (Action == SPI_SETNONCLIENTMETRICS && Metric && PhEqualStringZ(Metric, L"WindowMetrics", TRUE)) //{ // // Reload non-client metrics //} } /** * Opens a handle to the Service Control Manager (SCM) on the local computer. * * \param Handle Pointer to a variable that receives the SCM handle. * \param DesiredAccess Access mask specifying the desired access rights to the SCM. * \param Context Optional context parameter (can be NULL). * \return NTSTATUS Successful or errant status. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenServiceControlManager( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { SC_HANDLE serviceHandle; if (serviceHandle = OpenSCManager(NULL, NULL, DesiredAccess)) { *Handle = serviceHandle; return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } /** * Closes a handle to the Service Control Manager. * * \param Handle Optional handle to the Service Control Manager to be closed. * \param Release Indicates whether to release associated resources. * \param Context Optional context pointer for additional information. * \return NTSTATUS Successful or errant status. */ _Function_class_(PH_CLOSE_OBJECT) static NTSTATUS PhpCloseServiceControlManager( _In_opt_ HANDLE Handle, _In_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) PhCloseServiceHandle(Handle); return STATUS_SUCCESS; } /** * Opens a dummy security handle used for permission editing operations. * * \param Handle Receives the dummy handle value (implementation-defined). * \param DesiredAccess Requested access mask (unused for dummy handle). * \param Context Optional context pointer (unused). * \return NTSTATUS status code indicating success or failure. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenSecurityDummyHandle( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { return STATUS_SUCCESS; } /** * Returns a dummy handle representing COM Access Permissions. * * This helper is used when displaying or editing COM permissions where a real * handle is not required. *\param Handle Receives a value representing access permissions (SD_ACCESSPERMISSIONS). *\param DesiredAccess Requested access mask (unused). *\param Context Optional context pointer (unused). *\return NTSTATUS success code. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenComDummyAccessPermissionsHandle( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { *Handle = (HANDLE)SD_ACCESSPERMISSIONS; return STATUS_SUCCESS; } /** * Returns a dummy handle representing COM Access Restrictions. * * Used when displaying or editing COM access restriction ACLs. *\param Handle Receives a value representing access restrictions (SD_ACCESSRESTRICTIONS). *\param DesiredAccess Requested access mask (unused). *\param Context Optional context pointer (unused). *\return NTSTATUS success code. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenComDummyAccessRestrictionsHandle( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { *Handle = (HANDLE)SD_ACCESSRESTRICTIONS; return STATUS_SUCCESS; } /** * Returns a dummy handle representing COM Launch Permissions. * * This is a convenience helper used when editing COM launch permissions in * UI dialogs where a real object handle is not necessary. *\param Handle Receives a value representing launch permissions (SD_LAUNCHPERMISSIONS). *\param DesiredAccess Requested access mask (unused). *\param Context Optional context pointer (unused). *\return NTSTATUS success code. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenComDummyLaunchPermissionsHandle( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { *Handle = (HANDLE)SD_LAUNCHPERMISSIONS; return STATUS_SUCCESS; } /** * Returns a dummy handle representing COM Launch Restrictions. * * Used by the UI when presenting COM launch restriction settings without * requiring an actual system handle. *\param Handle Receives a value representing launch restrictions (SD_LAUNCHRESTRICTIONS). *\param DesiredAccess Requested access mask (unused). *\param Context Optional context pointer (unused). *\return NTSTATUS success code. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenComDummyLaunchRestrictionsHandle( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { *Handle = (HANDLE)SD_LAUNCHRESTRICTIONS; return STATUS_SUCCESS; } /** * Opens the current window desktop ("Default") and returns a handle. * * \param Handle Receives the desktop handle on success. * \param DesiredAccess Requested access mask for the desktop. * \param Context Optional context pointer (unused). * \return NTSTATUS success or error code. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenSecurityDesktopHandle( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { HDESK desktopHandle; if (desktopHandle = OpenDesktop( L"Default", 0, FALSE, MAXIMUM_ALLOWED )) { *Handle = desktopHandle; return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } /** * Closes a desktop handle previously opened by PhpOpenSecurityDesktopHandle. * * \param Handle The desktop handle to close (may be NULL). * \param Release Reserved; indicates whether associated resources should be released. * \param Context Optional context pointer (unused). * \return NTSTATUS success code. */ _Function_class_(PH_CLOSE_OBJECT) static NTSTATUS PhpCloseSecurityDesktopHandle( _In_opt_ HANDLE Handle, _In_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) CloseDesktop(Handle); return STATUS_SUCCESS; } /** * Opens the interactive window station and returns a handle. * * \param Handle Receives the window station handle on success. * \param DesiredAccess Requested access mask for the window station. * \param Context Optional context pointer (unused). * \return NTSTATUS success or error code. */ _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenSecurityStationHandle( _Inout_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { HWINSTA stationHandle; if (stationHandle = OpenWindowStation( L"WinSta0", FALSE, MAXIMUM_ALLOWED )) { *Handle = stationHandle; return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } /** * Closes a window station handle previously opened by PhpOpenSecurityStationHandle. * * \param Handle The window station handle to close (may be NULL). * \param Release Reserved; indicates whether associated resources should be released. * \param Context Optional context pointer (unused). * \return NTSTATUS success code. */ _Function_class_(PH_CLOSE_OBJECT) static NTSTATUS PhpCloseSecurityStationHandle( _In_opt_ HANDLE Handle, _In_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) CloseWindowStation(Handle); return STATUS_SUCCESS; } /** * Handles the dump command for a process in the main window. * * \param WindowHandle Handle to the window receiving the command. * \param Id Identifier of the command. * \param ProcessItem Pointer to the process item to be dumped. */ static VOID PhpMwpOnDumpCommand( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ PPH_PROCESS_ITEM ProcessItem ) { if (ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { PH_LIVE_DUMP_OPTIONS options; if (Id == ID_PROCESS_DUMP_CUSTOM) { PhShowLiveDumpDialog(WindowHandle); return; } memset(&options, 0, sizeof(PH_LIVE_DUMP_OPTIONS)); options.UseDumpStorageStack = TRUE; options.CompressMemoryPages = TRUE; switch (Id) { case ID_PROCESS_DUMP_MINIMAL: options.OnlyKernelThreadStacks = TRUE; break; default: case ID_PROCESS_DUMP_NORMAL: break; case ID_PROCESS_DUMP_FULL: options.IncludeHypervisorPages = TRUE; options.IncludeNonEssentialHypervisorPages = TRUE; break; } PhUiCreateLiveDump(WindowHandle, &options); } else { ULONG dumpType; if (Id == ID_PROCESS_DUMP_CUSTOM) { PhShowCreateDumpFileProcessDialog(WindowHandle, ProcessItem); return; } switch (Id) { case ID_PROCESS_DUMP_MINIMAL: dumpType = MiniDumpWithDataSegs | MiniDumpWithUnloadedModules | MiniDumpWithThreadInfo | MiniDumpIgnoreInaccessibleMemory; break; case ID_PROCESS_DUMP_LIMITED: dumpType = MiniDumpWithFullMemory | MiniDumpWithUnloadedModules | MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | MiniDumpIgnoreInaccessibleMemory; default: case ID_PROCESS_DUMP_NORMAL: // task manager uses these flags (wj32) dumpType = MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpWithUnloadedModules | MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | MiniDumpIgnoreInaccessibleMemory | MiniDumpWithIptTrace; break; case ID_PROCESS_DUMP_FULL: dumpType = MiniDumpWithDataSegs | MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpWithUnloadedModules | MiniDumpWithIndirectlyReferencedMemory | MiniDumpWithProcessThreadData | MiniDumpWithPrivateReadWriteMemory | MiniDumpWithFullMemoryInfo | MiniDumpWithCodeSegs | MiniDumpWithFullAuxiliaryState | MiniDumpWithPrivateWriteCopyMemory | MiniDumpIgnoreInaccessibleMemory | MiniDumpWithTokenInformation | MiniDumpWithModuleHeaders | MiniDumpWithAvxXStateContext | MiniDumpWithIptTrace; break; } PhUiCreateDumpFileProcess(WindowHandle, ProcessItem, dumpType); } } /** * Handles command messages for the main window. * * \param WindowHandle Handle to the main window receiving the command. * \param Id Identifier of the command to process. */ VOID PhMwpOnCommand( _In_ HWND WindowHandle, _In_ ULONG Id ) { switch (Id) { case ID_ESC_EXIT: { if (PhGetIntegerSetting(SETTING_HIDE_ON_CLOSE)) { if (PhNfIconsEnabled()) ShowWindow(WindowHandle, SW_HIDE); } else if (PhGetIntegerSetting(SETTING_CLOSE_ON_ESCAPE)) { SystemInformer_Destroy(); } } break; case ID_HACKER_RUN: { PhShowRunFileDialog(WindowHandle); } break; case ID_HACKER_RUNAS: { PhShowRunAsDialog(WindowHandle, NULL); } break; case ID_HACKER_RUNASPACKAGE: { PhShowRunAsPackageDialog(WindowHandle); } break; case ID_HACKER_SHOWDETAILSFORALLPROCESSES: { SystemInformer_PrepareForEarlyShutdown(); if (NT_SUCCESS(PhShellProcessHacker( WindowHandle, L"-v -newinstance", SW_SHOW, PH_SHELL_EXECUTE_ADMIN, PH_SHELL_APP_PROPAGATE_PARAMETERS | PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY, 0, NULL ))) { SystemInformer_Destroy(); } else { SystemInformer_CancelEarlyShutdown(); } } break; case ID_HACKER_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt;*.log)", L"*.txt;*.log" }, { L"Comma-separated values (*.csv)", L"*.csv" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog = PhCreateSaveFileDialog(); PH_FORMAT format[3]; PhInitFormatS(&format[0], L"System Informer "); PhInitFormatSR(&format[1], CurrentPage->Name); PhInitFormatS(&format[2], L".txt"); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, PH_AUTO_T(PH_STRING, PhFormat(format, 3, 60))->Buffer); if (PhShowFileDialog(WindowHandle, fileDialog)) { NTSTATUS status; PPH_STRING fileName; ULONG filterIndex; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); filterIndex = PhGetFileDialogFilterIndex(fileDialog); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { ULONG mode; PH_MAIN_TAB_PAGE_EXPORT_CONTENT exportContent; if (filterIndex == 2) mode = PH_EXPORT_MODE_CSV; else mode = PH_EXPORT_MODE_TABS; PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); if (mode != PH_EXPORT_MODE_CSV) { PhWritePhTextHeader(fileStream); } exportContent.FileStream = fileStream; exportContent.Mode = mode; CurrentPage->Callback(CurrentPage, MainTabPageExportContent, &exportContent, NULL); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(WindowHandle, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; case ID_HACKER_FINDHANDLESORDLLS: { PhShowFindObjectsDialog(WindowHandle); } break; case ID_HACKER_OPTIONS: { PhShowOptionsDialog(WindowHandle); } break; case ID_COMPUTER_LOCK: case ID_COMPUTER_LOGOFF: case ID_COMPUTER_SLEEP: case ID_COMPUTER_HIBERNATE: case ID_COMPUTER_RESTART: case ID_COMPUTER_RESTARTADVOPTIONS: case ID_COMPUTER_RESTARTBOOTOPTIONS: case ID_COMPUTER_RESTARTFWOPTIONS: case ID_COMPUTER_SHUTDOWN: case ID_COMPUTER_SHUTDOWNHYBRID: case ID_COMPUTER_RESTART_NATIVE: case ID_COMPUTER_SHUTDOWN_NATIVE: case ID_COMPUTER_RESTART_CRITICAL: case ID_COMPUTER_SHUTDOWN_CRITICAL: case ID_COMPUTER_RESTART_UPDATE: case ID_COMPUTER_SHUTDOWN_UPDATE: case ID_COMPUTER_RESTARTWDOSCAN: PhMwpExecuteComputerCommand(WindowHandle, Id); break; case ID_HACKER_EXIT: SystemInformer_Destroy(); break; case ID_VIEW_SYSTEMINFORMATION: PhShowSystemInformationDialog(NULL); break; case ID_NOTIFICATIONS_ENABLEALL: case ID_NOTIFICATIONS_DISABLEALL: case ID_NOTIFICATIONS_NEWPROCESSES: case ID_NOTIFICATIONS_TERMINATEDPROCESSES: case ID_NOTIFICATIONS_NEWSERVICES: case ID_NOTIFICATIONS_STARTEDSERVICES: case ID_NOTIFICATIONS_STOPPEDSERVICES: case ID_NOTIFICATIONS_DELETEDSERVICES: case ID_NOTIFICATIONS_MODIFIEDSERVICES: case ID_NOTIFICATIONS_ARRIVEDDEVICES: case ID_NOTIFICATIONS_REMOVEDDEVICES: { PhMwpExecuteNotificationMenuCommand(WindowHandle, Id); } break; case ID_NOTIFICATIONS_RESETPERSISTLAYOUT: case ID_NOTIFICATIONS_ENABLEDELAYSTART: case ID_NOTIFICATIONS_ENABLEPERSISTLAYOUT: case ID_NOTIFICATIONS_ENABLETRANSPARENTICONS: case ID_NOTIFICATIONS_ENABLESINGLECLICKICONS: { PhMwpExecuteNotificationSettingsMenuCommand(WindowHandle, Id); } break; case ID_VIEW_COLLAPSEALL: { PhExpandAllProcessNodes(FALSE); } break; case ID_VIEW_EXPANDALL: { PhExpandAllProcessNodes(TRUE); } break; case ID_VIEW_HIDEPROCESSESFROMOTHERUSERS: { PhMwpToggleCurrentUserProcessTreeFilter(); } break; case ID_VIEW_HIDESIGNEDPROCESSES: { PhMwpToggleSignedProcessTreeFilter(WindowHandle); } break; case ID_VIEW_HIDEMICROSOFTPROCESSES: { PhMwpToggleMicrosoftProcessTreeFilter(); } break; case ID_VIEW_SCROLLTONEWPROCESSES: { PH_SET_INTEGER_CACHED_SETTING(ScrollToNewProcesses, !PhCsScrollToNewProcesses); } break; case ID_VIEW_SORTCHILDPROCESSES: { PH_SET_INTEGER_CACHED_SETTING(SortChildProcesses, !PhCsSortChildProcesses); } break; case ID_VIEW_SORTROOTPROCESSES: { PH_SET_INTEGER_CACHED_SETTING(SortRootProcesses, !PhCsSortRootProcesses); } break; case ID_VIEW_SHOWCPUBELOW001: { PH_SET_INTEGER_CACHED_SETTING(ShowCpuBelow001, !PhCsShowCpuBelow001); PhInvalidateAllProcessNodes(); } break; case ID_VIEW_HIDEDRIVERSERVICES: { PhMwpToggleDriverServiceTreeFilter(); } break; case ID_VIEW_HIDEMICROSOFTSERVICES: { PhMwpToggleMicrosoftServiceTreeFilter(); } break; case ID_VIEW_HIDEWAITINGCONNECTIONS: { PhMwpToggleNetworkWaitingConnectionTreeFilter(); } break; case ID_VIEW_ALWAYSONTOP: { AlwaysOnTop = !AlwaysOnTop; SetWindowPos(WindowHandle, AlwaysOnTop ? HWND_TOPMOST : HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE); PhSetIntegerSetting(SETTING_MAIN_WINDOW_ALWAYS_ON_TOP, AlwaysOnTop); PhWindowNotifyTopMostEvent(AlwaysOnTop); } break; case ID_OPACITY_10: case ID_OPACITY_20: case ID_OPACITY_30: case ID_OPACITY_40: case ID_OPACITY_50: case ID_OPACITY_60: case ID_OPACITY_70: case ID_OPACITY_80: case ID_OPACITY_90: case ID_OPACITY_OPAQUE: { ULONG opacity; opacity = PH_ID_TO_OPACITY(Id); PhSetIntegerSetting(SETTING_MAIN_WINDOW_OPACITY, opacity); PhSetWindowOpacity(WindowHandle, opacity); } break; case ID_VIEW_REFRESH: { PhBoostProvider(&PhMwpProcessProviderRegistration, NULL); PhBoostProvider(&PhMwpServiceProviderRegistration, NULL); // Note: Don't boost the network provider unless it's currently enabled. (dmex) if (PhGetEnabledProvider(&PhMwpNetworkProviderRegistration)) { PhBoostProvider(&PhMwpNetworkProviderRegistration, NULL); } } break; case ID_UPDATEINTERVAL_FAST: case ID_UPDATEINTERVAL_NORMAL: case ID_UPDATEINTERVAL_BELOWNORMAL: case ID_UPDATEINTERVAL_SLOW: case ID_UPDATEINTERVAL_VERYSLOW: { ULONG interval; switch (Id) { case ID_UPDATEINTERVAL_FAST: interval = 500; break; case ID_UPDATEINTERVAL_NORMAL: interval = 1000; break; case ID_UPDATEINTERVAL_BELOWNORMAL: interval = 2000; break; case ID_UPDATEINTERVAL_SLOW: interval = 5000; break; case ID_UPDATEINTERVAL_VERYSLOW: interval = 10000; break; default: interval = 1000; break; } PH_SET_INTEGER_CACHED_SETTING(UpdateInterval, interval); PhMwpApplyUpdateInterval(interval); } break; case ID_VIEW_UPDATEAUTOMATICALLY: { PhMwpUpdateAutomatically = !PhMwpUpdateAutomatically; PhMwpNotifyAllPages(MainTabPageUpdateAutomaticallyChanged, UlongToPtr(PhMwpUpdateAutomatically), NULL); if (PhPluginsEnabled) { PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackUpdateAutomatically), UlongToPtr(PhMwpUpdateAutomatically)); } } break; case ID_TOOLS_USER_LIST: { PhShowUserListDialog(WindowHandle); } break; case ID_TOOLS_THREADSTACKS: { PhShowThreadStacksDialog(WindowHandle); } break; case ID_TOOLS_CREATESERVICE: { PhShowCreateServiceDialog(WindowHandle); } break; case ID_TOOLS_ZOMBIEPROCESSES: { PhShowZombieProcessesDialog(); } break; case ID_TOOLS_INSPECTEXECUTABLEFILE: { static PH_FILETYPE_FILTER filters[] = { { L"Executable files (*.exe;*.dll;*.com;*.ocx;*.sys;*.scr;*.cpl;*.ax;*.acm;*.lib;*.winmd;*.mui;*.mun;*.efi;*.pdb)", L"*.exe;*.dll;*.com;*.ocx;*.sys;*.scr;*.cpl;*.ax;*.acm;*.lib;*.winmd;*.mui;*.mun;*.efi;*.pdb" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog = PhCreateOpenFileDialog(); PhSetFileDialogFilter(fileDialog, filters, RTL_NUMBER_OF(filters)); PhSetFileDialogOptions(fileDialog, PH_FILEDIALOG_NOPATHVALIDATE | PH_FILEDIALOG_DONTADDTORECENT); if (PhShowFileDialog(WindowHandle, fileDialog)) { PhShellExecuteUserString( WindowHandle, SETTING_PROGRAM_INSPECT_EXECUTABLES, PH_AUTO_T(PH_STRING, PhGetFileDialogFileName(fileDialog))->Buffer, FALSE, L"Make sure the PE Viewer executable file is present." ); } PhFreeFileDialog(fileDialog); } break; case ID_TOOLS_PAGEFILES: { PhShowPagefilesDialog(WindowHandle); } break; case ID_TOOLS_LIVEDUMP: { PhShowLiveDumpDialog(WindowHandle); } break; case ID_TOOLS_STARTTASKMANAGER: { extern BOOLEAN PhpIsDefaultTaskManager(VOID); // options.c (dmex) PPH_STRING taskmgrFileName; PWSTR taskmgrCommandLine; taskmgrFileName = PH_AUTO(PhGetSystemDirectoryWin32Z(L"\\taskmgr.exe")); taskmgrCommandLine = PhGetIntegerSetting(SETTING_TASKMGR_WINDOW_STATE) ? L" -d" : NULL; if (!PhpIsDefaultTaskManager() && PhGetIntegerSetting(SETTING_ENABLE_SHELL_EXECUTE_SKIP_IFEO_DEBUGGER)) { PhShellExecuteEx( WindowHandle, PhGetString(taskmgrFileName), taskmgrCommandLine, NULL, SW_SHOW, 0, 0, NULL ); } else { if (WindowsVersion >= WINDOWS_8 && !PhGetOwnTokenAttributes().Elevated) { if (PhUiConnectToPhSvc(WindowHandle, FALSE)) { PhSvcCallCreateProcessIgnoreIfeoDebugger(PhGetString(taskmgrFileName), taskmgrCommandLine); PhUiDisconnectFromPhSvc(); } } else { PhCreateProcessIgnoreIfeoDebugger(PhGetString(taskmgrFileName), taskmgrCommandLine); } } } break; case ID_TOOLS_STARTRESOURCEMONITOR: { PPH_STRING perfmonFileName; perfmonFileName = PH_AUTO(PhGetSystemDirectoryWin32Z(L"\\perfmon.exe")); if (PhGetIntegerSetting(SETTING_ENABLE_SHELL_EXECUTE_SKIP_IFEO_DEBUGGER)) { PhShellExecuteEx( WindowHandle, PhGetString(perfmonFileName), L" /res", NULL, SW_SHOW, 0, 0, NULL ); } else { if (!PhGetOwnTokenAttributes().Elevated) { if (PhUiConnectToPhSvc(WindowHandle, FALSE)) { PhSvcCallCreateProcessIgnoreIfeoDebugger(PhGetString(perfmonFileName), L" /res"); PhUiDisconnectFromPhSvc(); } } else { PhCreateProcessIgnoreIfeoDebugger(PhGetString(perfmonFileName), L" /res"); } } } break; case ID_TOOLS_SHUTDOWNWSLPROCESSES: { NTSTATUS status; PPH_STRING perfmonFileName; perfmonFileName = PH_AUTO(PhGetSystemDirectoryWin32Z(L"\\wsl.exe")); status = PhShellExecuteEx( WindowHandle, PhGetString(perfmonFileName), L" --shutdown", NULL, SW_SHOW, 0, 0, NULL ); if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to shutdown WSL instances.", status, 0); } } break; case ID_TOOLS_SCM_PERMISSIONS: { PhEditSecurity( NULL, L"Service Control Manager", L"SCManager", PhpOpenServiceControlManager, PhpCloseServiceControlManager, NULL ); } break; case ID_TOOLS_PWR_PERMISSIONS: { PhEditSecurity( NULL, L"Current Power Scheme", L"PowerDefault", PhpOpenSecurityDummyHandle, NULL, NULL ); } break; case ID_TOOLS_RDP_PERMISSIONS: { PhEditSecurity( NULL, L"Terminal Server Listener", L"RdpDefault", PhpOpenSecurityDummyHandle, NULL, NULL ); } break; case ID_TOOLS_COM_ACCESS_PERMISSIONS: { PhEditSecurity( NULL, L"COM Access Permissions", L"ComAccess", PhpOpenComDummyAccessPermissionsHandle, NULL, NULL ); } break; case ID_TOOLS_COM_ACCESS_RESTRICTIONS: { PhEditSecurity( NULL, L"COM Access Restrictions", L"ComAccess", PhpOpenComDummyAccessRestrictionsHandle, NULL, NULL ); } break; case ID_TOOLS_COM_LAUNCH_PERMISSIONS: { PhEditSecurity( NULL, L"COM Launch Permissions", L"ComLaunch", PhpOpenComDummyLaunchPermissionsHandle, NULL, NULL ); } break; case ID_TOOLS_COM_LAUNCH_RESTRICTIONS: { PhEditSecurity( NULL, L"COM Launch Restrictions", L"ComLaunch", PhpOpenComDummyLaunchRestrictionsHandle, NULL, NULL ); } break; case ID_TOOLS_WMI_PERMISSIONS: { PhEditSecurity( NULL, L"WMI Root Namespace", L"WmiDefault", PhpOpenSecurityDummyHandle, NULL, NULL ); } break; case ID_TOOLS_DESKTOP_PERMISSIONS: { PhEditSecurity( NULL, L"Current Window Desktop", L"Desktop", PhpOpenSecurityDesktopHandle, PhpCloseSecurityDesktopHandle, NULL ); } break; case ID_TOOLS_STATION_PERMISSIONS: { PhEditSecurity( NULL, L"Current Window Station", L"WindowStation", PhpOpenSecurityStationHandle, PhpCloseSecurityStationHandle, NULL ); } break; case ID_USER_CONNECT: { PhUiConnectSession(WindowHandle, SelectedUserSessionId); } break; case ID_USER_DISCONNECT: { PhUiDisconnectSession(WindowHandle, SelectedUserSessionId); } break; case ID_USER_LOGOFF: { PhUiLogoffSession(WindowHandle, SelectedUserSessionId); } break; case ID_USER_REMOTECONTROL: { PhShowSessionShadowDialog(WindowHandle, SelectedUserSessionId); } break; case ID_USER_SENDMESSAGE: { PhShowSessionSendMessageDialog(WindowHandle, SelectedUserSessionId); } break; case ID_USER_PROPERTIES: { PhShowSessionProperties(WindowHandle, SelectedUserSessionId); } break; case ID_HELP_LOG: { PhShowLogDialog(); } break; case ID_HELP_DONATE: { //PhShellExecute(WindowHandle, L"https://sourceforge.net/project/project_donations.php?group_id=242527", NULL); } break; case ID_HELP_DEBUGCONSOLE: { PhShowDebugConsole(); } break; case ID_HELP_ABOUT: { PhShowAboutDialog(WindowHandle); } break; case ID_PROCESS_TERMINATE: { PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PhReferenceObjects(processes, numberOfProcesses); if (PhUiTerminateProcesses(WindowHandle, processes, numberOfProcesses)) PhDeselectAllProcessNodes(); PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); } } break; case ID_PROCESS_TERMINATETREE: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); if (PhUiTerminateTreeProcess(WindowHandle, processItem)) PhDeselectAllProcessNodes(); PhDereferenceObject(processItem); } } break; case ID_PROCESS_SUSPEND: { PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PhReferenceObjects(processes, numberOfProcesses); PhUiSuspendProcesses(WindowHandle, processes, numberOfProcesses); PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); } } break; case ID_PROCESS_SUSPENDTREE: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiSuspendTreeProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_PROCESS_RESUME: { PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PhReferenceObjects(processes, numberOfProcesses); PhUiResumeProcesses(WindowHandle, processes, numberOfProcesses); PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); } } break; case ID_PROCESS_RESUMETREE: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiResumeTreeProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_PROCESS_FREEZE: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiFreezeTreeProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_PROCESS_THAW: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiThawTreeProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_PROCESS_RESTART: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); // Note: The current process is a special case (dmex) if (processItem->ProcessId == NtCurrentProcessId()) { SystemInformer_PrepareForEarlyShutdown(); if (NT_SUCCESS(PhShellProcessHacker( WindowHandle, NULL, SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, PH_SHELL_APP_PROPAGATE_PARAMETERS | PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY, 0, NULL ))) { SystemInformer_Destroy(); } else { SystemInformer_CancelEarlyShutdown(); } } else { if (PhUiRestartProcess(WindowHandle, processItem)) { PhDeselectAllProcessNodes(); } } PhDereferenceObject(processItem); } } break; case ID_PROCESS_DUMP_MINIMAL: case ID_PROCESS_DUMP_LIMITED: case ID_PROCESS_DUMP_NORMAL: case ID_PROCESS_DUMP_FULL: case ID_PROCESS_DUMP_CUSTOM: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhpMwpOnDumpCommand(WindowHandle, Id, processItem); PhDereferenceObject(processItem); } } break; case ID_PROCESS_DEBUG: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiDebugProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_PROCESS_VIRTUALIZATION: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiSetVirtualizationProcess( WindowHandle, processItem, !PhMwpSelectedProcessVirtualizationEnabled ); PhDereferenceObject(processItem); } } break; case ID_PROCESS_AFFINITY: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhShowProcessAffinityDialog(WindowHandle, processItem, NULL); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_ACTIVITY: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiSetActivityModeration(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_SETCRITICAL: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiSetCriticalProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_DETACHFROMDEBUGGER: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiDetachFromDebuggerProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_GDIHANDLES: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhShowGdiHandlesDialog(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_HEAPS: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhShowProcessHeapsDialog(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_LOCKS: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhShowProcessLocksDialog(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_PAGEPRIORITY_VERYLOW: case ID_PAGEPRIORITY_LOW: case ID_PAGEPRIORITY_MEDIUM: case ID_PAGEPRIORITY_BELOWNORMAL: case ID_PAGEPRIORITY_NORMAL: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { ULONG pagePriority; switch (Id) { case ID_PAGEPRIORITY_VERYLOW: pagePriority = MEMORY_PRIORITY_VERY_LOW; break; case ID_PAGEPRIORITY_LOW: pagePriority = MEMORY_PRIORITY_LOW; break; case ID_PAGEPRIORITY_MEDIUM: pagePriority = MEMORY_PRIORITY_MEDIUM; break; case ID_PAGEPRIORITY_BELOWNORMAL: pagePriority = MEMORY_PRIORITY_BELOW_NORMAL; break; case ID_PAGEPRIORITY_NORMAL: pagePriority = MEMORY_PRIORITY_NORMAL; break; } PhReferenceObject(processItem); PhUiSetPagePriorityProcess(WindowHandle, processItem, pagePriority); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_REDUCEWORKINGSET: { PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PhReferenceObjects(processes, numberOfProcesses); PhUiReduceWorkingSetProcesses(WindowHandle, processes, numberOfProcesses); PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); } } break; case ID_MISCELLANEOUS_RUNAS: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { //PPH_STRING fileNameWin32; // //fileNameWin32 = PhGetFileName(processItem->FileName); // //if (!PhIsNullOrEmptyString(fileNameWin32)) //{ // PhSetStringSetting2(SETTING_RUN_AS_PROGRAM, &fileNameWin32->sr); // PhDereferenceObject(fileNameWin32); // // PhShowRunAsDialog(WindowHandle, NULL); //} //else //{ // PhShowStatus(WindowHandle, L"Unable to locate the file.", STATUS_NOT_FOUND, 0); //} PhShowRunAsDialog(WindowHandle, NULL); } } break; case ID_MISCELLANEOUS_RUNASTHISUSER: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhShowRunAsDialog(WindowHandle, processItem->ProcessId); } } break; case ID_MISCELLANEOUS_PAGESMODIFIED: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhShowImagePageModifiedDialog(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_FLUSHHEAPS: { PPH_PROCESS_ITEM* processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PhReferenceObjects(processes, numberOfProcesses); PhUiFlushHeapProcesses(WindowHandle, processes, numberOfProcesses); PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); } } break; case ID_PRIORITY_REALTIME: case ID_PRIORITY_HIGH: case ID_PRIORITY_ABOVENORMAL: case ID_PRIORITY_NORMAL: case ID_PRIORITY_BELOWNORMAL: case ID_PRIORITY_IDLE: { PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PhReferenceObjects(processes, numberOfProcesses); PhMwpExecuteProcessPriorityClassCommand(WindowHandle, Id, processes, numberOfProcesses); PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); } } break; case ID_IOPRIORITY_VERYLOW: case ID_IOPRIORITY_LOW: case ID_IOPRIORITY_NORMAL: case ID_IOPRIORITY_HIGH: { PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PhReferenceObjects(processes, numberOfProcesses); PhMwpExecuteProcessIoPriorityCommand(WindowHandle, Id, processes, numberOfProcesses); PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); } } break; case ID_MISCELLANEOUS_ECOMODE: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiSetEcoModeProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_MISCELLANEOUS_EXECUTIONREQUIRED: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhReferenceObject(processItem); PhUiSetExecutionRequiredProcess(WindowHandle, processItem); PhDereferenceObject(processItem); } } break; case ID_WINDOW_BRINGTOFRONT: { if (IsWindow(PhMwpSelectedProcessWindowHandle)) { WINDOWPLACEMENT placement = { sizeof(placement) }; GetWindowPlacement(PhMwpSelectedProcessWindowHandle, &placement); if (placement.showCmd == SW_MINIMIZE) ShowWindowAsync(PhMwpSelectedProcessWindowHandle, SW_RESTORE); else ShowWindowAsync(PhMwpSelectedProcessWindowHandle, SW_SHOW); SetForegroundWindow(PhMwpSelectedProcessWindowHandle); } } break; case ID_WINDOW_RESTORE: { if (IsWindow(PhMwpSelectedProcessWindowHandle)) { ShowWindowAsync(PhMwpSelectedProcessWindowHandle, SW_RESTORE); } } break; case ID_WINDOW_MINIMIZE: { if (IsWindow(PhMwpSelectedProcessWindowHandle)) { ShowWindowAsync(PhMwpSelectedProcessWindowHandle, SW_MINIMIZE); } } break; case ID_WINDOW_MAXIMIZE: { if (IsWindow(PhMwpSelectedProcessWindowHandle)) { ShowWindowAsync(PhMwpSelectedProcessWindowHandle, SW_MAXIMIZE); } } break; case ID_WINDOW_CLOSE: { if (IsWindow(PhMwpSelectedProcessWindowHandle)) { NTSTATUS status; status = PhTerminateWindow(PhMwpSelectedProcessWindowHandle, TRUE); //PostMessage(PhMwpSelectedProcessWindowHandle, WM_CLOSE, 0, 0); if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to close the window.", status, 0); } } } break; case ID_PROCESS_OPENFILELOCATION: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { NTSTATUS status; PPH_STRING fileName; status = PhGetProcessItemFileNameWin32(processItem, &fileName); if (NT_SUCCESS(status)) { PhShellExecuteUserString( WindowHandle, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(fileName), FALSE, L"Make sure the Explorer executable file is present." ); PhDereferenceObject(fileName); } else { PhShowStatus(WindowHandle, L"Unable to locate the file.", status, 0); } } } break; case ID_PROCESS_SEARCHONLINE: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { PhSearchOnlineString(WindowHandle, PhGetString(processItem->ProcessName)); } } break; case ID_PROCESS_PROPERTIES: { PPH_PROCESS_ITEM processItem = PhGetSelectedProcessItem(); if (processItem) { // No reference needed; no messages pumped. PhMwpShowProcessProperties(processItem); } } break; case ID_PROCESS_COPY: { PhCopyProcessTree(); } break; case ID_SERVICE_GOTOPROCESS: { PPH_SERVICE_ITEM serviceItem = PhGetSelectedServiceItem(); PPH_PROCESS_NODE processNode; if (serviceItem) { if (processNode = PhFindProcessNode(serviceItem->ProcessId)) { PhMwpSelectPage(PhMwpProcessesPage->Index); SetFocus(PhMwpProcessTreeNewHandle); PhSelectAndEnsureVisibleProcessNode(processNode); } else { PhShowStatus(WindowHandle, L"The process does not exist.", STATUS_INVALID_CID, 0); } } } break; case ID_SERVICE_START: { PPH_SERVICE_ITEM* serviceItems; ULONG numberOfServiceItems; PhGetSelectedServiceItems(&serviceItems, &numberOfServiceItems); PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiStartServices(WindowHandle, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); PhFree(serviceItems); } break; case ID_SERVICE_CONTINUE: { PPH_SERVICE_ITEM* serviceItems; ULONG numberOfServiceItems; PhGetSelectedServiceItems(&serviceItems, &numberOfServiceItems); PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiContinueServices(WindowHandle, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); PhFree(serviceItems); } break; case ID_SERVICE_PAUSE: { PPH_SERVICE_ITEM* serviceItems; ULONG numberOfServiceItems; PhGetSelectedServiceItems(&serviceItems, &numberOfServiceItems); PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiPauseServices(WindowHandle, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); PhFree(serviceItems); } break; case ID_SERVICE_STOP: { PPH_SERVICE_ITEM* serviceItems; ULONG numberOfServiceItems; PhGetSelectedServiceItems(&serviceItems, &numberOfServiceItems); PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiStopServices(WindowHandle, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); PhFree(serviceItems); } break; case ID_SERVICE_DELETE: { PPH_SERVICE_ITEM serviceItem = PhGetSelectedServiceItem(); if (serviceItem) { PhReferenceObject(serviceItem); if (PhUiDeleteService(WindowHandle, serviceItem)) PhDeselectAllServiceNodes(); PhDereferenceObject(serviceItem); } } break; case ID_SERVICE_OPENKEY: { PPH_SERVICE_ITEM serviceItem = PhGetSelectedServiceItem(); if (serviceItem) { HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_READ, &serviceItem->Name->sr ))) { PPH_STRING hklmServiceKeyName; if (NT_SUCCESS(PhQueryObjectName(keyHandle, &hklmServiceKeyName))) { PhMoveReference(&hklmServiceKeyName, PhFormatNativeKeyName(hklmServiceKeyName)); PhShellOpenKey2(WindowHandle, hklmServiceKeyName); PhDereferenceObject(hklmServiceKeyName); } else { PhShowStatus(WindowHandle, L"The service does not exist.", STATUS_OBJECT_NAME_NOT_FOUND, 0); } NtClose(keyHandle); } else { PhShowStatus(WindowHandle, L"The service does not exist.", STATUS_OBJECT_NAME_NOT_FOUND, 0); } } } break; case ID_SERVICE_OPENFILELOCATION: { PPH_SERVICE_ITEM serviceItem = PhGetSelectedServiceItem(); NTSTATUS status; SC_HANDLE serviceHandle; PPH_STRING fileName; if (serviceItem) { status = PhOpenService(&serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(serviceItem->Name)); if (NT_SUCCESS(status)) { status = PhGetServiceHandleFileName(serviceHandle, &serviceItem->Name->sr, &fileName); if (NT_SUCCESS(status)) { PhShellExecuteUserString( WindowHandle, SETTING_FILE_BROWSE_EXECUTABLE, fileName->Buffer, FALSE, L"Make sure the Explorer executable file is present." ); PhDereferenceObject(fileName); } else { PhShowStatus(WindowHandle, L"Unable to locate the file.", status, 0); } PhCloseServiceHandle(serviceHandle); } else { PhShowStatus(WindowHandle, L"Unable to locate the file.", status, 0); } } } break; case ID_SERVICE_PROPERTIES: { PPH_SERVICE_ITEM serviceItem = PhGetSelectedServiceItem(); if (serviceItem) { // The object relies on the list view reference, which could // disappear if we don't reference the object here. PhReferenceObject(serviceItem); PhShowServiceProperties(WindowHandle, serviceItem); PhDereferenceObject(serviceItem); } } break; case ID_SERVICE_COPY: { PhCopyServiceList(); } break; case ID_NETWORK_GOTOPROCESS: { PPH_NETWORK_ITEM networkItem = PhGetSelectedNetworkItem(); PPH_PROCESS_NODE processNode; if (networkItem) { if (processNode = PhFindProcessNode(networkItem->ProcessId)) { PhMwpSelectPage(PhMwpProcessesPage->Index); SetFocus(PhMwpProcessTreeNewHandle); PhSelectAndEnsureVisibleProcessNode(processNode); } else { PhShowStatus(WindowHandle, L"The process does not exist.", STATUS_INVALID_CID, 0); } } } break; case ID_NETWORK_GOTOSERVICE: { PPH_NETWORK_ITEM networkItem = PhGetSelectedNetworkItem(); PPH_SERVICE_ITEM serviceItem; if (networkItem && networkItem->OwnerName) { if (serviceItem = PhReferenceServiceItem(&networkItem->OwnerName->sr)) { PhMwpSelectPage(PhMwpServicesPage->Index); SetFocus(PhMwpServiceTreeNewHandle); SystemInformer_SelectServiceItem(serviceItem); PhDereferenceObject(serviceItem); } else { PhShowStatus(WindowHandle, L"The service does not exist.", STATUS_INVALID_CID, 0); } } } break; case ID_NETWORK_CLOSE: { PPH_NETWORK_ITEM *networkItems; ULONG numberOfNetworkItems; PhGetSelectedNetworkItems(&networkItems, &numberOfNetworkItems); PhReferenceObjects(networkItems, numberOfNetworkItems); if (PhUiCloseConnections(WindowHandle, networkItems, numberOfNetworkItems)) PhDeselectAllNetworkNodes(); PhDereferenceObjects(networkItems, numberOfNetworkItems); PhFree(networkItems); } break; case ID_NETWORK_COPY: { PhCopyNetworkList(); } break; case ID_TAB_NEXT: { ULONG selectedIndex = TabCtrl_GetCurSel(TabControlHandle); if (selectedIndex != PageList->Count - 1) selectedIndex++; else selectedIndex = 0; PhMwpSelectPage(selectedIndex); } break; case ID_TAB_PREV: { ULONG selectedIndex = TabCtrl_GetCurSel(TabControlHandle); if (selectedIndex != 0) selectedIndex--; else selectedIndex = PageList->Count - 1; PhMwpSelectPage(selectedIndex); } break; } } /** * Handles the ShowWindow event for the main window. * * \param WindowHandle Handle to the window receiving the event. * \param Showing Indicates whether the window is being shown (TRUE) or hidden (FALSE). * \param State Specifies the state of the window (e.g., minimized, maximized, normal). */ VOID PhMwpOnShowWindow( _In_ HWND WindowHandle, _In_ BOOLEAN Showing, _In_ ULONG State ) { if (NeedsMaximize) { ShowWindow(WindowHandle, SW_MAXIMIZE); NeedsMaximize = FALSE; } } /** * Handles system command messages for the main window. * * \param WindowHandle Handle to the window receiving the system command. * \param Type The type of system command (e.g., SC_CLOSE, SC_MINIMIZE). * \param CursorScreenX The X coordinate of the cursor in screen coordinates. * \param CursorScreenY The Y coordinate of the cursor in screen coordinates. * \return TRUE if the system command was handled; otherwise, FALSE. */ BOOLEAN PhMwpOnSysCommand( _In_ HWND WindowHandle, _In_ ULONG Type, _In_ LONG CursorScreenX, _In_ LONG CursorScreenY ) { switch (Type) { case SC_CLOSE: { if (PhGetIntegerSetting(SETTING_HIDE_ON_CLOSE) && PhNfIconsEnabled()) { ShowWindow(WindowHandle, SW_HIDE); return TRUE; } } break; case SC_MINIMIZE: { // Save the current window state because we may not have a chance to later. PhMwpSaveWindowState(WindowHandle); if (PhGetIntegerSetting(SETTING_HIDE_ON_MINIMIZE) && PhNfIconsEnabled()) { ShowWindow(WindowHandle, SW_HIDE); return TRUE; } } break; } return FALSE; } /** * Handles menu command events for the main window. * * \param WindowHandle Handle to the window receiving the menu command. * \param Index The index of the selected menu item. * \param Menu Handle to the menu from which the command originated. */ VOID PhMwpOnMenuCommand( _In_ HWND WindowHandle, _In_ ULONG Index, _In_ HMENU Menu ) { MENUITEMINFO menuItemInfo; memset(&menuItemInfo, 0, sizeof(MENUITEMINFO)); menuItemInfo.cbSize = sizeof(MENUITEMINFO); menuItemInfo.fMask = MIIM_ID | MIIM_DATA; if (GetMenuItemInfo(Menu, Index, TRUE, &menuItemInfo)) { PhMwpDispatchMenuCommand( WindowHandle, menuItemInfo.wID, menuItemInfo.dwItemData ); } } /** * Handles the initialization of a menu popup. * * This function is called when a menu popup is about to be displayed. It allows for * customization of the menu items based on the current state of the application. * * \param WindowHandle Handle to the window associated with the menu. * \param Menu Handle to the menu being initialized. * \param Index The zero-based index of the menu in the menu bar. * \param IsWindowMenu TRUE if the menu is a window menu; otherwise, FALSE. */ VOID PhMwpOnInitMenuPopup( _In_ HWND WindowHandle, _In_ HMENU Menu, _In_ ULONG Index, _In_ BOOLEAN IsWindowMenu ) { ULONG i; BOOLEAN found; PPH_EMENU menu; found = FALSE; for (i = 0; i < sizeof(SubMenuHandles) / sizeof(HMENU); i++) { if (Menu == SubMenuHandles[i]) { found = TRUE; break; } } if (!found) return; // Delete all items in this submenu. PhDeleteHMenu(Menu); // Delete the previous EMENU for this submenu. if (SubMenuObjects[Index]) PhDestroyEMenu(SubMenuObjects[Index]); // Make sure the menu style is set correctly. PhSetHMenuStyle(Menu, TRUE); menu = PhpCreateMainMenu(Index); PhMwpInitializeSubMenu(WindowHandle, menu, Index); if (PhPluginsEnabled) { PH_PLUGIN_MENU_INFORMATION pluginMenuInfo; PhPluginInitializeMenuInfo(&pluginMenuInfo, menu, WindowHandle, PH_PLUGIN_MENU_DISALLOW_HOOKS); pluginMenuInfo.u.MainMenu.SubMenuIndex = Index; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMainMenuInitializing), &pluginMenuInfo); } PhEMenuToHMenu2(Menu, menu, 0, NULL); SubMenuObjects[Index] = menu; } /** * Handles the WM_SIZE message for the main window. * * This function is called when the main window is resized. It processes the new size and state, * allowing the application to adjust its layout or controls accordingly. * * \param WindowHandle Handle to the window receiving the resize event. * \param State Specifies the type of resizing (e.g., SIZE_MINIMIZED, SIZE_MAXIMIZED, SIZE_RESTORED). * \param Width The new width of the client area, in pixels. * \param Height The new height of the client area, in pixels. */ VOID PhMwpOnSize( _In_ HWND WindowHandle, _In_ UINT State, _In_ LONG Width, _In_ LONG Height ) { //if (!(Width && Height)) // return; if (State != SIZE_MINIMIZED) { HDWP deferHandle; deferHandle = BeginDeferWindowPos(2); PhMwpLayout(&deferHandle); EndDeferWindowPos(deferHandle); } } /** * Handles the window sizing event. * * \param Edge The edge of the window being resized (e.g., left, right, top, bottom). * \param DragRectangle Pointer to a RECT structure that specifies the new size and position. */ VOID PhMwpOnSizing( _In_ ULONG Edge, _In_ PRECT DragRectangle ) { PhResizingMinimumSize(DragRectangle, Edge, 400, 175); } /** * Handles the WM_SETFOCUS message for the main window. * * \param WindowHandle Handle to the window that received focus. */ VOID PhMwpOnSetFocus( _In_ HWND WindowHandle ) { // Update the window focus. if (CurrentPage->WindowHandle) { SetFocus(CurrentPage->WindowHandle); } // Update the window status. { PH_MWP_KPH kph; PPH_STRING windowTitle; kph.Level = KphLevelEx(FALSE); if (!NT_SUCCESS(KphIsDynDataActive(&kph.DynDataActive))) kph.DynDataActive = FALSE; if (DelayedLoadCompleted && (PhMainWndKph.Level != kph.Level || PhMainWndKph.DynDataActive != kph.DynDataActive)) { PhMainWndKph = kph; if (windowTitle = PhMwpInitializeWindowTitle()) { PhSetWindowText(WindowHandle, PhGetString(windowTitle)); PhDereferenceObject(windowTitle); } } } } /** * Handles timer events for the main window. * * \param WindowHandle Handle to the window receiving the timer event. * \param wParam The timer identifier. * \param lParam Additional message information (unused). */ VOID PhMwpOnTimer( _In_ HWND WindowHandle, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LONG timerId = (LONG)(ULONG_PTR)wParam; TIMERPROC timerProc = (TIMERPROC)lParam; } /** * Handles notification messages for the main window. * * \param Header Pointer to an NMHDR structure containing notification information. * \param Result Pointer to a variable that receives the result of the notification processing. * \return Returns TRUE if the notification was handled successfully, otherwise FALSE. */ _Success_(return) BOOLEAN PhMwpOnNotify( _In_ NMHDR *Header, _Out_ LRESULT *Result ) { if (Header->hwndFrom == TabControlHandle) { PhMwpNotifyTabControl(Header); } return FALSE; } /** * Handles device change notifications for the main window. * * This function is called when the system detects a change in the device configuration, * such as when a device is added or removed. It processes the WM_DEVICECHANGE message * and performs any necessary updates or actions in response to the change. * * \param WindowHandle Handle to the window receiving the device change notification. * \param wParam Additional message information. Specifies the event that occurred. * \param lParam Additional message information. Pointer to a structure with event-specific data. */ VOID PhMwpOnDeviceChanged( _In_ HWND WindowHandle, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (wParam) { case DBT_DEVICEARRIVAL: // Drive letter added //case DBT_DEVICEREMOVECOMPLETE: // Drive letter removed { PDEV_BROADCAST_HDR deviceBroadcast = (PDEV_BROADCAST_HDR)lParam; if (deviceBroadcast->dbch_devicetype == DBT_DEVTYP_VOLUME) { PhUpdateDosDevicePrefixes(); } } break; } if (PhPluginsEnabled) { MSG message; memset(&message, 0, sizeof(MSG)); message.hwnd = WindowHandle; message.message = WM_DEVICECHANGE; message.wParam = wParam; message.lParam = lParam; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackWindowNotifyEvent), &message); } } /** * Handles the DPI change event for the specified window. * * \param WindowHandle Handle to the window whose DPI has changed. * \param WindowDpi The new DPI value for the window. */ VOID PhMwpOnDpiChanged( _In_ HWND WindowHandle, _In_ LONG WindowDpi ) { PhGuiSupportUpdateSystemMetrics(WindowHandle, WindowDpi); PhMwpInitializeMetrics(WindowHandle, WindowDpi); if (PhEnableWindowText) PhSetApplicationWindowIconEx(WindowHandle, LayoutWindowDpi); PhMwpOnSettingChange(WindowHandle, 0, NULL); PhMwpInvokeUpdateWindowFont(NULL); if (PhGetIntegerSetting(SETTING_ENABLE_MONOSPACE_FONT)) PhMwpInvokeUpdateWindowFontMonospace(WindowHandle, NULL); PhMwpNotifyAllPages(MainTabPageDpiChanged, NULL, NULL); if (PhPluginsEnabled) { MSG message; memset(&message, 0, sizeof(MSG)); message.hwnd = WindowHandle; message.message = WM_DPICHANGED; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackWindowNotifyEvent), &message); } InvalidateRect(WindowHandle, NULL, TRUE); } /** * Handles custom user messages sent to the main window. * * \param WindowHandle Handle to the window receiving the message. * \param Message The user-defined message identifier. * \param WParam Additional message-specific information. * \param LParam Additional message-specific information. * \return The result of message processing (LRESULT). */ LRESULT PhMwpOnUserMessage( _In_ HWND WindowHandle, _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ) { switch (Message) { case WM_PH_ACTIVATE: { if (!PhMainWndEarlyExit && !PhMainWndExiting) { if (WParam != 0) { PPH_PROCESS_NODE processNode; if (processNode = PhFindProcessNode((HANDLE)WParam)) PhSelectAndEnsureVisibleProcessNode(processNode); } if (!IsWindowVisible(WindowHandle)) { ShowWindow(WindowHandle, SW_SHOW); } if (IsMinimized(WindowHandle)) { ShowWindow(WindowHandle, SW_RESTORE); } return PH_ACTIVATE_REPLY; } else { return 0; } } break; case WM_PH_NOTIFY_ICON_MESSAGE: { PhNfForwardMessage(WindowHandle, WParam, LParam); } break; case WM_PH_DESTROY: { DestroyWindow(PhMainWndHandle); } break; case WM_PH_PREPARE_FOR_EARLY_SHUTDOWN: { PhMwpInvokePrepareEarlyExit(PhMainWndHandle); } break; case WM_PH_SAVE_ALL_SETTINGS: { PhMwpSaveSettings(PhMainWndHandle); } break; case WM_PH_SHOW_PROPERTIES: { PhMwpShowProcessProperties((PPH_PROCESS_ITEM)LParam); } break; case WM_PH_ACTIVATE_WINDOW: { BOOLEAN visibility = (BOOLEAN)(ULONG_PTR)LParam; PhMwpInvokeActivateWindow(visibility); } break; case WM_PH_SELECT_NODE: { switch ((ULONG)WParam) { case 1: PhMwpInvokeSelectTabPage((PVOID)LParam); break; case 2: PhSelectAndEnsureVisibleProcessNode((PVOID)LParam); break; case 3: PhMwpInvokeSelectServiceItem((PVOID)LParam); break; case 4: PhMwpInvokeSelectNetworkItem((PVOID)LParam); break; } } break; case WM_PH_SHOW_EDITOR: { PPH_SHOW_MEMORY_EDITOR showMemoryEditor = (PPH_SHOW_MEMORY_EDITOR)WParam; PhShowMemoryEditorDialog( showMemoryEditor->OwnerWindow, showMemoryEditor->ProcessId, showMemoryEditor->BaseAddress, showMemoryEditor->RegionSize, showMemoryEditor->SelectOffset, showMemoryEditor->SelectLength, showMemoryEditor->Title, showMemoryEditor->Flags ); PhClearReference(&showMemoryEditor->Title); PhFree(showMemoryEditor); } break; case WM_PH_SHOW_RESULT: { PPH_SHOW_MEMORY_RESULTS showMemoryResults = (PPH_SHOW_MEMORY_RESULTS)WParam; PhShowMemoryResultsDialog( showMemoryResults->ProcessId, showMemoryResults->Results ); PhDereferenceMemoryResults( (PPH_MEMORY_RESULT*)showMemoryResults->Results->Items, showMemoryResults->Results->Count ); PhDereferenceObject(showMemoryResults->Results); PhFree(showMemoryResults); } break; case WM_PH_INVOKE: { PhProcessInvokeQueue(); InterlockedExchange(&PhMainThreadInvokePending, 0); } break; case WM_PH_UPDATE_FONT: { PhMwpInvokeUpdateWindowFont((PVOID)LParam); } break; } return 0; } /** * Loads the main window settings for the application. * * \param WindowHandle Handle to the main window for which settings are to be loaded. */ VOID PhMwpLoadSettings( _In_ HWND WindowHandle ) { ULONG opacity; opacity = PhGetIntegerSetting(SETTING_MAIN_WINDOW_OPACITY); PhStatisticsSampleCount = PhGetIntegerSetting(SETTING_SAMPLE_COUNT); PhEnablePurgeProcessRecords = !PhGetIntegerSetting(SETTING_NO_PURGE_PROCESS_RECORDS); PhEnableCycleCpuUsage = !!PhGetIntegerSetting(SETTING_ENABLE_CYCLE_CPU_USAGE); PhEnableNetworkBoundConnections = !!PhGetIntegerSetting(SETTING_ENABLE_NETWORK_BOUND_CONNECTIONS); PhEnableNetworkProviderResolve = !!PhGetIntegerSetting(SETTING_ENABLE_NETWORK_RESOLVE); PhEnableProcessQueryStage2 = !!PhGetIntegerSetting(SETTING_ENABLE_STAGE2); PhEnableServiceQueryStage2 = !!PhGetIntegerSetting(SETTING_ENABLE_SERVICE_STAGE2); PhEnableTooltipSupport = !!PhGetIntegerSetting(SETTING_ENABLE_TOOLTIP_SUPPORT); PhEnableImageCoherencySupport = !!PhGetIntegerSetting(SETTING_ENABLE_IMAGE_COHERENCY_SUPPORT); PhEnableLinuxSubsystemSupport = !!PhGetIntegerSetting(SETTING_ENABLE_LINUX_SUBSYSTEM_SUPPORT); PhEnablePackageIconSupport = !!PhGetIntegerSetting(SETTING_ENABLE_PACKAGE_ICON_SUPPORT); PhEnableSecurityAdvancedDialog = !!PhGetIntegerSetting(SETTING_ENABLE_SECURITY_ADVANCED_DIALOG); PhEnableProcessHandlePnPDeviceNameSupport = !!PhGetIntegerSetting(SETTING_ENABLE_PROCESS_HANDLE_PNP_DEVICE_NAME_SUPPORT); PhMwpNotifyIconNotifyMask = PhGetIntegerSetting(SETTING_ICON_NOTIFY_MASK); if (PhGetIntegerSetting(SETTING_MAIN_WINDOW_ALWAYS_ON_TOP)) { AlwaysOnTop = TRUE; SetWindowPos(WindowHandle, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOREDRAW | SWP_NOSIZE); } if (opacity != 0) PhSetWindowOpacity(WindowHandle, opacity); PhMwpInvokeUpdateWindowFont(NULL); if (PhGetIntegerSetting(SETTING_ENABLE_MONOSPACE_FONT)) { PhMwpInvokeUpdateWindowFontMonospace(WindowHandle, NULL); } PhNfLoadStage1(); PhMwpNotifyAllPages(MainTabPageLoadSettings, NULL, NULL); PhLogInitialization(); } /** * Saves the current settings of the main window. * * \param WindowHandle Handle to the main window whose settings are to be saved. */ VOID PhMwpSaveSettings( _In_ HWND WindowHandle ) { NTSTATUS status; PhMwpNotifyAllPages(MainTabPageSaveSettings, NULL, NULL); PhSaveWindowPlacementToSetting(SETTING_MAIN_WINDOW_POSITION, SETTING_MAIN_WINDOW_SIZE, WindowHandle); PhMwpSaveWindowState(WindowHandle); if (PhIsNullOrEmptyString(PhSettingsFileName)) status = PhSaveSettings(NULL); else status = PhSaveSettings(&PhSettingsFileName->sr); if (!NT_SUCCESS(status)) { PhShowStatus(NULL, L"Unable to save application settings.", status, 0); } } /** * Saves the current state of the main window. * \param WindowHandle Handle to the window whose state is to be saved. */ VOID PhMwpSaveWindowState( _In_ HWND WindowHandle ) { WINDOWPLACEMENT placement = { sizeof(placement) }; GetWindowPlacement(WindowHandle, &placement); if (placement.showCmd == SW_NORMAL) PhSetIntegerSetting(SETTING_MAIN_WINDOW_STATE, SW_NORMAL); else if (placement.showCmd == SW_MAXIMIZE) PhSetIntegerSetting(SETTING_MAIN_WINDOW_STATE, SW_MAXIMIZE); } /** * Updates the layout padding for the main window. * * This function recalculates and applies the necessary padding values * to the main window layout, ensuring proper spacing and alignment * of UI elements. It should be called whenever the window layout * or padding requirements change. */ VOID PhMwpUpdateLayoutPadding( VOID ) { PH_LAYOUT_PADDING_DATA data; memset(&data, 0, sizeof(PH_LAYOUT_PADDING_DATA)); PhInvokeCallback(&LayoutPaddingCallback, &data); LayoutPadding = data.Padding; } /** * Applies padding to the specified rectangle. * * \param Rect A pointer to a RECT structure that will be modified to include the specified padding. * \param Padding A pointer to a RECT structure specifying the padding to apply (left, top, right, bottom). */ VOID PhMwpApplyLayoutPadding( _Inout_ PRECT Rect, _In_ PRECT Padding ) { Rect->left += Padding->left; Rect->top += Padding->top; Rect->right -= Padding->right; Rect->bottom -= Padding->bottom; } /** * Adjusts the layout of the main window using a deferred window positioning handle. * * \param DeferHandle A pointer to an HDWP handle used for batching window position changes. */ VOID PhMwpLayout( _Inout_ HDWP *DeferHandle ) { RECT rect; // Resize the tab control. // Don't defer the resize. The tab control doesn't repaint properly. if (!LayoutPaddingValid) { PhMwpUpdateLayoutPadding(); LayoutPaddingValid = TRUE; } if (!PhGetClientRect(PhMainWndHandle, &rect)) return; PhMwpApplyLayoutPadding(&rect, &LayoutPadding); if (PhEnableDeferredLayout) { *DeferHandle = DeferWindowPos( *DeferHandle, TabControlHandle, HWND_BOTTOM, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, SWP_NOACTIVATE | SWP_NOZORDER ); } else { SetWindowPos( TabControlHandle, NULL, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, SWP_NOACTIVATE | SWP_NOZORDER ); UpdateWindow(TabControlHandle); } PhMwpLayoutTabControl(DeferHandle); } /** * Sets up the computer menu for the main window. * * \param Root Pointer to the root menu item to be configured. */ VOID PhMwpSetupComputerMenu( _In_ PPH_EMENU_ITEM Root ) { PPH_EMENU_ITEM menuItem; if (WindowsVersion < WINDOWS_8) { if (menuItem = PhFindEMenuItem(Root, PH_EMENU_FIND_DESCEND, NULL, ID_COMPUTER_RESTARTADVOPTIONS)) PhDestroyEMenuItem(menuItem); if (menuItem = PhFindEMenuItem(Root, PH_EMENU_FIND_DESCEND, NULL, ID_COMPUTER_RESTARTBOOTOPTIONS)) PhDestroyEMenuItem(menuItem); if (menuItem = PhFindEMenuItem(Root, PH_EMENU_FIND_DESCEND, NULL, ID_COMPUTER_SHUTDOWNHYBRID)) PhDestroyEMenuItem(menuItem); if (menuItem = PhFindEMenuItem(Root, PH_EMENU_FIND_DESCEND, NULL, ID_COMPUTER_RESTARTFWDEVICE)) PhDestroyEMenuItem(menuItem); if (menuItem = PhFindEMenuItem(Root, PH_EMENU_FIND_DESCEND, NULL, ID_COMPUTER_RESTARTBOOTDEVICE)) PhDestroyEMenuItem(menuItem); } } /** * Executes a computer-related command based on the specified command ID. * * \param WindowHandle Handle to the window that will receive any notifications or messages. * \param Id Identifier of the computer command to execute. * \return TRUE if the command was executed successfully, FALSE otherwise. */ BOOLEAN PhMwpExecuteComputerCommand( _In_ HWND WindowHandle, _In_ ULONG Id ) { switch (Id) { case ID_COMPUTER_LOCK: PhUiLockComputer(WindowHandle); return TRUE; case ID_COMPUTER_LOGOFF: PhUiLogoffComputer(WindowHandle); return TRUE; case ID_COMPUTER_SLEEP: PhUiSleepComputer(WindowHandle); return TRUE; case ID_COMPUTER_HIBERNATE: PhUiHibernateComputer(WindowHandle); return TRUE; case ID_COMPUTER_RESTART: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_WIN32, 0); return TRUE; case ID_COMPUTER_RESTARTADVOPTIONS: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_ADVANCEDBOOT, 0); return TRUE; case ID_COMPUTER_RESTARTBOOTOPTIONS: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_WIN32, PH_SHUTDOWN_RESTART_BOOTOPTIONS); return TRUE; case ID_COMPUTER_RESTARTFWOPTIONS: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_FIRMWAREBOOT, 0); return TRUE; case ID_COMPUTER_SHUTDOWN: PhUiShutdownComputer(WindowHandle, PH_POWERACTION_TYPE_WIN32, 0); return TRUE; case ID_COMPUTER_SHUTDOWNHYBRID: PhUiShutdownComputer(WindowHandle, PH_POWERACTION_TYPE_WIN32, PH_SHUTDOWN_HYBRID); return TRUE; case ID_COMPUTER_RESTART_NATIVE: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_NATIVE, 0); return TRUE; case ID_COMPUTER_SHUTDOWN_NATIVE: PhUiShutdownComputer(WindowHandle, PH_POWERACTION_TYPE_NATIVE, 0); return TRUE; case ID_COMPUTER_RESTART_CRITICAL: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_CRITICAL, 0); return TRUE; case ID_COMPUTER_SHUTDOWN_CRITICAL: PhUiShutdownComputer(WindowHandle, PH_POWERACTION_TYPE_CRITICAL, 0); return TRUE; case ID_COMPUTER_RESTART_UPDATE: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_UPDATE, 0); return TRUE; case ID_COMPUTER_SHUTDOWN_UPDATE: PhUiShutdownComputer(WindowHandle, PH_POWERACTION_TYPE_UPDATE, 0); return TRUE; case ID_COMPUTER_RESTARTWDOSCAN: PhUiRestartComputer(WindowHandle, PH_POWERACTION_TYPE_WDOSCAN, 0); return TRUE; } return FALSE; } /** * Determines whether the specified window is overlapped by other windows. * * \param WindowHandle Handle to the window to check for overlap. * \return TRUE if the window is overlapped by other windows; FALSE otherwise. */ BOOLEAN PhMwpIsWindowOverlapped( _In_ HWND WindowHandle ) { RECT rectThisWindow = { 0 }; RECT rectOtherWindow = { 0 }; RECT rectIntersection = { 0 }; HWND windowHandle = WindowHandle; if (!PhGetWindowRect(WindowHandle, &rectThisWindow)) return FALSE; while ((windowHandle = GetWindow(windowHandle, GW_HWNDPREV)) && windowHandle != WindowHandle) { if (!(PhGetWindowStyle(windowHandle) & WS_VISIBLE)) continue; if (!PhGetWindowRect(windowHandle, &rectOtherWindow)) continue; if (!(PhGetWindowStyleEx(windowHandle) & WS_EX_TOPMOST) && IntersectRect(&rectIntersection, &rectThisWindow, &rectOtherWindow)) { return TRUE; } } return FALSE; } /** * Activates the specified window. * * \param WindowHandle Handle to the window to be activated. * \param Toggle If TRUE, toggles the activation state; if FALSE, activates the window without toggling. */ VOID PhMwpActivateWindow( _In_ HWND WindowHandle, _In_ BOOLEAN Toggle ) { if (IsMinimized(WindowHandle)) { ShowWindow(WindowHandle, SW_RESTORE); SetForegroundWindow(WindowHandle); } else if (IsWindowVisible(WindowHandle)) { if (Toggle && !PhMwpIsWindowOverlapped(WindowHandle)) ShowWindow(WindowHandle, SW_HIDE); else SetForegroundWindow(WindowHandle); } else { ShowWindow(WindowHandle, SW_SHOW); SetForegroundWindow(WindowHandle); } } /** * Creates a computer menu. * * \param DelayLoadMenu Specifies whether the menu should be loaded with a delay. * \return A pointer to the created PPH_EMENU structure. */ PPH_EMENU PhpCreateComputerMenu( _In_ BOOLEAN DelayLoadMenu ) { PPH_EMENU_ITEM menuItem; menuItem = PhCreateEMenuItem(0, 0, L"&Computer", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_LOCK, L"&Lock", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_LOGOFF, L"Log o&ff", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_SLEEP, L"&Sleep", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_HIBERNATE, L"&Hibernate", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_RESTART_UPDATE, L"Update and restart", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_SHUTDOWN_UPDATE, L"Update and shut down", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_RESTART, L"R&estart", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(PhGetOwnTokenAttributes().Elevated ? 0 : PH_EMENU_DISABLED, ID_COMPUTER_RESTARTADVOPTIONS, L"Restart to advanced options", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_RESTARTBOOTOPTIONS, L"Restart to boot options", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(PhGetOwnTokenAttributes().Elevated ? 0 : PH_EMENU_DISABLED, ID_COMPUTER_RESTARTFWOPTIONS, L"Restart to firmware options", NULL, NULL), ULONG_MAX); if (PhGetIntegerSetting(SETTING_ENABLE_SHUTDOWN_BOOT_MENU)) { PVOID bootApplicationMenu = PhUiCreateComputerBootDeviceMenu(DelayLoadMenu); if (WindowsVersion >= WINDOWS_10 && PhGetOwnTokenAttributes().Elevated) PhInsertEMenuItem(bootApplicationMenu, PhCreateEMenuItem(0, ID_COMPUTER_RESTARTWDOSCAN, L"Windows Defender Offline Scan", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, bootApplicationMenu, ULONG_MAX); PhInsertEMenuItem(menuItem, PhUiCreateComputerFirmwareDeviceMenu(DelayLoadMenu), ULONG_MAX); } PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_SHUTDOWN, L"Shu&t down", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_SHUTDOWNHYBRID, L"H&ybrid shut down", NULL, NULL), ULONG_MAX); if (PhGetIntegerSetting(SETTING_ENABLE_SHUTDOWN_CRITICAL_MENU)) { PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_RESTART_NATIVE, L"R&estart (Native)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_SHUTDOWN_NATIVE, L"Shu&t down (Native)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_RESTART_CRITICAL, L"R&estart (Critical)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_COMPUTER_SHUTDOWN_CRITICAL, L"Shu&t down (Critical)", NULL, NULL), ULONG_MAX); } return menuItem; } /** * Creates the system menu for the application. * * \param HackerMenu A pointer to the base menu structure to be used for creating the system menu. * \param DelayLoadMenu If TRUE, the menu will be loaded with a delay; if FALSE, it will be loaded immediately. * \return A pointer to the newly created system menu (PPH_EMENU). */ PPH_EMENU PhpCreateSystemMenu( _In_ PPH_EMENU HackerMenu, _In_ BOOLEAN DelayLoadMenu ) { PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_RUN, L"&Run...\bCtrl+R", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_RUNAS, L"Run &as...\bCtrl+Shift+R", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_RUNASPACKAGE, L"Run as &package...\bCtrl+Shift+P", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_SHOWDETAILSFORALLPROCESSES, L"Show &details for all processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_SAVE, L"&Save...\bCtrl+S", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_FINDHANDLESORDLLS, L"&Find handles or DLLs...\bCtrl+F", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_OPTIONS, L"&Options...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhpCreateComputerMenu(DelayLoadMenu), ULONG_MAX); PhInsertEMenuItem(HackerMenu, PhCreateEMenuItem(0, ID_HACKER_EXIT, L"E&xit", NULL, NULL), ULONG_MAX); return HackerMenu; } /** * Creates and initializes a view menu. * * \param ViewMenu A pointer to an existing PPH_EMENU structure representing the view menu to be created or modified. * \return A pointer to the newly created or updated PPH_EMENU structure. */ PPH_EMENU PhpCreateViewMenu( _In_ PPH_EMENU ViewMenu ) { PPH_EMENU_ITEM menuItem; PhInsertEMenuItem(ViewMenu, PhCreateEMenuItem(0, ID_VIEW_SYSTEMINFORMATION, L"System &information\bCtrl+I", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuItem(0, ID_VIEW_TRAYICONS, L"&Tray icons", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuItem(0, ID_VIEW_SECTIONPLACEHOLDER, L"
", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuItem(0, ID_VIEW_ALWAYSONTOP, L"&Always on top", NULL, NULL), ULONG_MAX); menuItem = PhCreateEMenuItem(0, 0, L"&Opacity", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_10, L"&10%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_20, L"&20%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_30, L"&30%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_40, L"&40%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_50, L"&50%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_60, L"&60%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_70, L"&70%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_80, L"&80%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_90, L"&90%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_OPAQUE, L"&Opaque", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ViewMenu, menuItem, ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuItem(0, ID_VIEW_REFRESH, L"&Refresh\bF5", NULL, NULL), ULONG_MAX); menuItem = PhCreateEMenuItem(0, 0, L"Refresh i&nterval", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_UPDATEINTERVAL_FAST, L"&Fast (0.5s)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_UPDATEINTERVAL_NORMAL, L"&Normal (1s)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_UPDATEINTERVAL_BELOWNORMAL, L"&Below normal (2s)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_UPDATEINTERVAL_SLOW, L"&Slow (5s)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_UPDATEINTERVAL_VERYSLOW, L"&Very slow (10s)", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ViewMenu, menuItem, ULONG_MAX); PhInsertEMenuItem(ViewMenu, PhCreateEMenuItem(0, ID_VIEW_UPDATEAUTOMATICALLY, L"Refresh a&utomatically\bF6", NULL, NULL), ULONG_MAX); return ViewMenu; } /** * Creates or initializes the Tools menu. * * \param ToolsMenu A pointer to an existing PPH_EMENU structure representing the Tools menu. * \return A pointer to the created or modified PPH_EMENU structure. */ PPH_EMENU PhpCreateToolsMenu( _In_ PPH_EMENU ToolsMenu ) { PPH_EMENU_ITEM menuItem; PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_CREATESERVICE, L"&Create service...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_LIVEDUMP, L"&Create live dump...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_INSPECTEXECUTABLEFILE, L"Inspect e&xecutable file...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_THREADSTACKS, L"&Search thread stacks", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_ZOMBIEPROCESSES, L"&Zombie processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_PAGEFILES, L"&Pagefiles", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_STARTTASKMANAGER, L"Start &Task Manager", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_STARTRESOURCEMONITOR, L"Start &Resource Monitor", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuItem(0, ID_TOOLS_SHUTDOWNWSLPROCESSES, L"T&erminate WSL processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, PhCreateEMenuSeparator(), ULONG_MAX); menuItem = PhCreateEMenuItem(0, 0, L"&Permissions", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_PWR_PERMISSIONS, L"Current Power Scheme", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_SCM_PERMISSIONS, L"Service Control Manager", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_RDP_PERMISSIONS, L"Terminal Server Listener", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_WMI_PERMISSIONS, L"WMI Root Namespace", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_COM_ACCESS_PERMISSIONS, L"COM Access Permissions", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_COM_ACCESS_RESTRICTIONS, L"COM Access Restrictions", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_COM_LAUNCH_PERMISSIONS, L"COM Launch Permissions", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_COM_LAUNCH_RESTRICTIONS, L"COM Launch Restrictions", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_DESKTOP_PERMISSIONS, L"Current Window Desktop", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_TOOLS_STATION_PERMISSIONS, L"Current Window Station", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(ToolsMenu, menuItem, ULONG_MAX); return ToolsMenu; } /** * Creates or initializes a users menu. * * \param UsersMenu Pointer to an existing PPH_EMENU structure to be used or modified. * \param DelayLoadMenu If TRUE, the menu will be loaded with a delay; if FALSE, it will be loaded immediately. * \return Pointer to the created or initialized PPH_EMENU structure representing the users menu. */ PPH_EMENU PhpCreateUsersMenu( _In_ PPH_EMENU UsersMenu, _In_ BOOLEAN DelayLoadMenu ) { if (DelayLoadMenu) { // Insert a dummy menu so we're able to receive menu events and delay load winsta.dll functions. (dmex) PhInsertEMenuItem(UsersMenu, PhCreateEMenuItem(0, USHRT_MAX, L" ", NULL, NULL), ULONG_MAX); return UsersMenu; } PhUiCreateSessionMenu(UsersMenu); PhInsertEMenuItem(UsersMenu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(UsersMenu, PhCreateEMenuItem(PhGetOwnTokenAttributes().Elevated ? 0 : PH_EMENU_DISABLED, ID_TOOLS_USER_LIST, L"User list...", NULL, NULL), ULONG_MAX); return UsersMenu; } /** * Creates or initializes a Help menu. * * \param HelpMenu A pointer to a PPH_EMENU structure representing the Help menu to be created or initialized. * \return A pointer to the created or initialized PPH_EMENU structure. */ PPH_EMENU PhpCreateHelpMenu( _In_ PPH_EMENU HelpMenu ) { PhInsertEMenuItem(HelpMenu, PhCreateEMenuItem(0, ID_HELP_LOG, L"&Log\bCtrl+L", NULL, NULL), ULONG_MAX); //PhInsertEMenuItem(HelpMenu, PhCreateEMenuItem(0, ID_HELP_DONATE, L"&Donate", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HelpMenu, PhCreateEMenuItem(0, ID_HELP_DEBUGCONSOLE, L"Debu&g console", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(HelpMenu, PhCreateEMenuItem(0, ID_HELP_ABOUT, L"&About", NULL, NULL), ULONG_MAX); return HelpMenu; } /** * Creates the main menu for the application. * * \param SubMenuIndex The index of the submenu to be created or selected. * \return A pointer to the created PPH_EMENU structure representing the main menu. */ PPH_EMENU PhpCreateMainMenu( _In_ ULONG SubMenuIndex ) { PPH_EMENU menu = PhCreateEMenu(); switch (SubMenuIndex) { case PH_MENU_ITEM_LOCATION_SYSTEM: return PhpCreateSystemMenu(menu, FALSE); case PH_MENU_ITEM_LOCATION_VIEW: return PhpCreateViewMenu(menu); case PH_MENU_ITEM_LOCATION_TOOLS: return PhpCreateToolsMenu(menu); case PH_MENU_ITEM_LOCATION_USERS: return PhpCreateUsersMenu(menu, FALSE); case PH_MENU_ITEM_LOCATION_HELP: return PhpCreateHelpMenu(menu); case ULONG_MAX: { PPH_EMENU_ITEM menuItem; menu->Flags |= PH_EMENU_MAINMENU; menuItem = PhCreateEMenuItem(PH_EMENU_MAINMENU, PH_MENU_ITEM_LOCATION_SYSTEM, L"&System", NULL, NULL); // Insert an empty menuitem so we're able to delay load the submenu. (dmex) PhInsertEMenuItem(menuItem, PhCreateEMenuItemEmpty(), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); //PhInsertEMenuItem(menu, PhpCreateSystemMenu(menuItem, TRUE), ULONG_MAX); menuItem = PhCreateEMenuItem(PH_EMENU_MAINMENU, PH_MENU_ITEM_LOCATION_VIEW, L"&View", NULL, NULL); // Insert an empty menuitem so we're able to delay load the submenu. (dmex) PhInsertEMenuItem(menuItem, PhCreateEMenuItemEmpty(), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); //PhInsertEMenuItem(menu, PhpCreateViewMenu(menuItem), ULONG_MAX); menuItem = PhCreateEMenuItem(PH_EMENU_MAINMENU, PH_MENU_ITEM_LOCATION_TOOLS, L"&Tools", NULL, NULL); // Insert an empty menuitem so we're able to delay load the submenu. (dmex) PhInsertEMenuItem(menuItem, PhCreateEMenuItemEmpty(), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); //PhInsertEMenuItem(menu, PhpCreateToolsMenu(menuItem), ULONG_MAX); menuItem = PhCreateEMenuItem(PH_EMENU_MAINMENU, PH_MENU_ITEM_LOCATION_USERS, L"&Users", NULL, NULL); // Insert an empty menuitem so we're able to delay load the submenu. (dmex) PhInsertEMenuItem(menuItem, PhCreateEMenuItemEmpty(), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); //PhInsertEMenuItem(menu, PhpCreateUsersMenu(menuItem, TRUE), ULONG_MAX); menuItem = PhCreateEMenuItem(PH_EMENU_MAINMENU, PH_MENU_ITEM_LOCATION_HELP, L"&Help", NULL, NULL); // Insert an empty menuitem so we're able to delay load the submenu. (dmex) PhInsertEMenuItem(menuItem, PhCreateEMenuItemEmpty(), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); //PhInsertEMenuItem(menu, PhpCreateHelpMenu(menuItem), ULONG_MAX); } break; } return menu; } /** * Initializes the main menu for the specified window. * * \param WindowHandle Handle to the window for which the main menu is to be initialized. */ VOID PhMwpInitializeMainMenu( _In_ HWND WindowHandle ) { HMENU menuHandle; // Initialize the menu. if (!(menuHandle = CreateMenu())) return; PhEMenuToHMenu2(menuHandle, PhpCreateMainMenu(ULONG_MAX), 0, NULL); PhInitializeWindowThemeMainMenu(menuHandle); PhSetHMenuNotify(menuHandle); SetMenu(WindowHandle, menuHandle); // Initialize the submenu. for (LONG i = 0; i < RTL_NUMBER_OF(SubMenuHandles); i++) { SubMenuHandles[i] = GetSubMenu(menuHandle, i); } } /** * Dispatches a menu command based on the provided parameters. * * \param WindowHandle Handle to the window receiving the menu command. * \param ItemId Identifier of the menu item. * \param ItemData Additional data associated with the menu item. */ VOID PhMwpDispatchMenuCommand( _In_ HWND WindowHandle, _In_ ULONG ItemId, _In_ ULONG_PTR ItemData ) { switch (ItemId) { case ID_PLUGIN_MENU_ITEM: { PPH_EMENU_ITEM menuItem; PH_PLUGIN_MENU_INFORMATION menuInfo; menuItem = (PPH_EMENU_ITEM)ItemData; if (menuItem) { PhPluginInitializeMenuInfo(&menuInfo, NULL, WindowHandle, 0); PhPluginTriggerEMenuItem(&menuInfo, menuItem); } return; } break; case ID_TRAYICONS_REGISTERED: { PPH_EMENU_ITEM menuItem; menuItem = (PPH_EMENU_ITEM)ItemData; if (menuItem) { PPH_NF_ICON icon; icon = menuItem->Context; PhNfSetVisibleIcon(icon, !(icon->Flags & PH_NF_ICON_ENABLED)); PhNfSaveSettings(); } return; } break; case ID_USER_CONNECT: case ID_USER_DISCONNECT: case ID_USER_LOGOFF: case ID_USER_REMOTECONTROL: case ID_USER_SENDMESSAGE: case ID_USER_PROPERTIES: { PPH_EMENU_ITEM menuItem; menuItem = (PPH_EMENU_ITEM)ItemData; if (menuItem && menuItem->Parent) { SelectedUserSessionId = PtrToUlong(menuItem->Parent->Context); } } break; case ID_VIEW_ORGANIZECOLUMNSETS: { PhShowColumnSetEditorDialog(WindowHandle, SETTING_PROCESS_TREE_COLUMN_SET_CONFIG); } return; case ID_VIEW_SAVECOLUMNSET: { PPH_EMENU_ITEM menuItem; PPH_STRING columnSetName = NULL; menuItem = (PPH_EMENU_ITEM)ItemData; while (PhaChoiceDialog( WindowHandle, L"Column Set Name", L"Enter a name for this column set:", NULL, 0, NULL, PH_CHOICE_DIALOG_USER_CHOICE, &columnSetName, NULL, NULL )) { if (!PhIsNullOrEmptyString(columnSetName)) break; } if (!PhIsNullOrEmptyString(columnSetName)) { PPH_STRING treeSettings; PPH_STRING sortSettings; // Query the current column configuration. PhSaveSettingsProcessTreeListEx(&treeSettings, &sortSettings); // Create the column set for this column configuration. PhSaveSettingsColumnSet(SETTING_PROCESS_TREE_COLUMN_SET_CONFIG, columnSetName, treeSettings, sortSettings); PhDereferenceObject(treeSettings); PhDereferenceObject(sortSettings); } } return; case ID_VIEW_LOADCOLUMNSET: { PPH_EMENU_ITEM menuItem; PPH_STRING columnSetName; PPH_STRING treeSettings; PPH_STRING sortSettings; menuItem = (PPH_EMENU_ITEM)ItemData; columnSetName = PhCreateString(menuItem->Text); // Query the selected column set. if (PhLoadSettingsColumnSet(SETTING_PROCESS_TREE_COLUMN_SET_CONFIG, columnSetName, &treeSettings, &sortSettings)) { // Load the column configuration from the selected column set. PhLoadSettingsProcessTreeListEx(treeSettings, sortSettings); PhDereferenceObject(treeSettings); PhDereferenceObject(sortSettings); } PhDereferenceObject(columnSetName); } return; case ID_COMPUTER_RESTARTBOOTDEVICE: { PPH_EMENU_ITEM menuItem = (PPH_EMENU_ITEM)ItemData; PhUiHandleComputerBootApplicationMenu(WindowHandle, PtrToUlong(menuItem->Context)); } return; case ID_COMPUTER_RESTARTFWDEVICE: { PPH_EMENU_ITEM menuItem = (PPH_EMENU_ITEM)ItemData; PhUiHandleComputerFirmwareApplicationMenu(WindowHandle, PtrToUlong(menuItem->Context)); } return; } SendMessage(WindowHandle, WM_COMMAND, ItemId, 0); } /** * Creates and returns a notification menu for the system tray or notification area. * \return A pointer to a PPH_EMENU structure representing the created notification menu. */ PPH_EMENU PhpCreateNotificationMenu( VOID ) { PPH_EMENU_ITEM menuItem; ULONG i; ULONG id = ULONG_MAX; menuItem = PhCreateEMenuItem(0, 0, L"N&otifications", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_ENABLEALL, L"&Enable all", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_DISABLEALL, L"&Disable all", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_NEWPROCESSES, L"New &processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_TERMINATEDPROCESSES, L"T&erminated processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_NEWSERVICES, L"New &services", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_STARTEDSERVICES, L"St&arted services", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_STOPPEDSERVICES, L"St&opped services", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_DELETEDSERVICES, L"&Deleted services", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_MODIFIEDSERVICES, L"&Modified services", NULL, NULL), ULONG_MAX); if (WindowsVersion >= WINDOWS_10) { PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_ARRIVEDDEVICES, L"&Arrived devices", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_REMOVEDDEVICES, L"&Removed devices", NULL, NULL), ULONG_MAX); } for (i = PH_NOTIFY_MINIMUM; i != PH_NOTIFY_MAXIMUM; i <<= 1) { if (PhMwpNotifyIconNotifyMask & i) { switch (i) { case PH_NOTIFY_PROCESS_CREATE: id = ID_NOTIFICATIONS_NEWPROCESSES; break; case PH_NOTIFY_PROCESS_DELETE: id = ID_NOTIFICATIONS_TERMINATEDPROCESSES; break; case PH_NOTIFY_SERVICE_CREATE: id = ID_NOTIFICATIONS_NEWSERVICES; break; case PH_NOTIFY_SERVICE_DELETE: id = ID_NOTIFICATIONS_DELETEDSERVICES; break; case PH_NOTIFY_SERVICE_START: id = ID_NOTIFICATIONS_STARTEDSERVICES; break; case PH_NOTIFY_SERVICE_STOP: id = ID_NOTIFICATIONS_STOPPEDSERVICES; break; case PH_NOTIFY_SERVICE_MODIFIED: id = ID_NOTIFICATIONS_MODIFIEDSERVICES; break; case PH_NOTIFY_DEVICE_ARRIVED: id = ID_NOTIFICATIONS_ARRIVEDDEVICES; break; case PH_NOTIFY_DEVICE_REMOVED: id = ID_NOTIFICATIONS_REMOVEDDEVICES; break; } PhSetFlagsEMenuItem(menuItem, id, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } return menuItem; } BOOLEAN PhMwpExecuteNotificationMenuCommand( _In_ HWND WindowHandle, _In_ ULONG Id ) { switch (Id) { case ID_NOTIFICATIONS_ENABLEALL: SetFlag(PhMwpNotifyIconNotifyMask, PH_NOTIFY_VALID_MASK); PhSetIntegerSetting(SETTING_ICON_NOTIFY_MASK, PhMwpNotifyIconNotifyMask); return TRUE; case ID_NOTIFICATIONS_DISABLEALL: ClearFlag(PhMwpNotifyIconNotifyMask, PH_NOTIFY_VALID_MASK); PhSetIntegerSetting(SETTING_ICON_NOTIFY_MASK, PhMwpNotifyIconNotifyMask); return TRUE; case ID_NOTIFICATIONS_NEWPROCESSES: case ID_NOTIFICATIONS_TERMINATEDPROCESSES: case ID_NOTIFICATIONS_NEWSERVICES: case ID_NOTIFICATIONS_STARTEDSERVICES: case ID_NOTIFICATIONS_STOPPEDSERVICES: case ID_NOTIFICATIONS_DELETEDSERVICES: case ID_NOTIFICATIONS_MODIFIEDSERVICES: case ID_NOTIFICATIONS_ARRIVEDDEVICES: case ID_NOTIFICATIONS_REMOVEDDEVICES: { ULONG bit = 0; switch (Id) { case ID_NOTIFICATIONS_NEWPROCESSES: bit = PH_NOTIFY_PROCESS_CREATE; break; case ID_NOTIFICATIONS_TERMINATEDPROCESSES: bit = PH_NOTIFY_PROCESS_DELETE; break; case ID_NOTIFICATIONS_NEWSERVICES: bit = PH_NOTIFY_SERVICE_CREATE; break; case ID_NOTIFICATIONS_STARTEDSERVICES: bit = PH_NOTIFY_SERVICE_START; break; case ID_NOTIFICATIONS_STOPPEDSERVICES: bit = PH_NOTIFY_SERVICE_STOP; break; case ID_NOTIFICATIONS_DELETEDSERVICES: bit = PH_NOTIFY_SERVICE_DELETE; break; case ID_NOTIFICATIONS_MODIFIEDSERVICES: bit = PH_NOTIFY_SERVICE_MODIFIED; break; case ID_NOTIFICATIONS_ARRIVEDDEVICES: bit = PH_NOTIFY_DEVICE_ARRIVED; break; case ID_NOTIFICATIONS_REMOVEDDEVICES: bit = PH_NOTIFY_DEVICE_REMOVED; break; } PhMwpNotifyIconNotifyMask ^= bit; PhSetIntegerSetting(SETTING_ICON_NOTIFY_MASK, PhMwpNotifyIconNotifyMask); } return TRUE; } return FALSE; } /** * Creates and returns a notification settings menu. * \return A pointer to a PPH_EMENU structure representing the notification settings menu. */ PPH_EMENU PhpCreateNotificationSettingsMenu( VOID ) { PPH_EMENU_ITEM menuItem; menuItem = PhCreateEMenuItem(0, 0, L"Settings", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_ENABLEDELAYSTART, L"Enable initialization delay", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_ENABLEPERSISTLAYOUT, L"Enable persistent layout", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_ENABLETRANSPARENTICONS, L"Enable transparent icons", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_ENABLESINGLECLICKICONS, L"Enable single click icons", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_NOTIFICATIONS_RESETPERSISTLAYOUT, L"Reset persistent layout", NULL, NULL), ULONG_MAX); if (PhGetIntegerSetting(SETTING_ICON_TRAY_LAZY_START_DELAY)) { PhSetFlagsEMenuItem(menuItem, ID_NOTIFICATIONS_ENABLEDELAYSTART, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } if (PhGetIntegerSetting(SETTING_ICON_TRAY_PERSIST_GUID_ENABLED)) { PhSetFlagsEMenuItem(menuItem, ID_NOTIFICATIONS_ENABLEPERSISTLAYOUT, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } if (PhGetIntegerSetting(SETTING_ICON_TRANSPARENCY_ENABLED)) { PhSetFlagsEMenuItem(menuItem, ID_NOTIFICATIONS_ENABLETRANSPARENTICONS, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } if (PhGetIntegerSetting(SETTING_ICON_SINGLE_CLICK)) { PhSetFlagsEMenuItem(menuItem, ID_NOTIFICATIONS_ENABLESINGLECLICKICONS, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } return menuItem; } /** * Executes a command from the notification settings menu. * * \param WindowHandle Handle to the window that receives the command. * \param Id Identifier of the notification menu command to execute. * \return TRUE if the command was executed successfully, FALSE otherwise. */ BOOLEAN PhMwpExecuteNotificationSettingsMenuCommand( _In_ HWND WindowHandle, _In_ ULONG Id ) { switch (Id) { case ID_NOTIFICATIONS_RESETPERSISTLAYOUT: { EXTERN_C VOID PhNfLoadGuids(VOID); PhSetStringSetting(SETTING_ICON_TRAY_GUIDS, L""); PhNfLoadGuids(); PhShowOptionsRestartRequired(WindowHandle); } return TRUE; case ID_NOTIFICATIONS_ENABLEDELAYSTART: { BOOLEAN lazyTrayIconStartDelayEnabled = !!PhGetIntegerSetting(SETTING_ICON_TRAY_LAZY_START_DELAY); PhSetIntegerSetting(SETTING_ICON_TRAY_LAZY_START_DELAY, !lazyTrayIconStartDelayEnabled); PhShowOptionsRestartRequired(WindowHandle); } return TRUE; case ID_NOTIFICATIONS_ENABLEPERSISTLAYOUT: { BOOLEAN persistentTrayIconLayoutEnabled = !!PhGetIntegerSetting(SETTING_ICON_TRAY_PERSIST_GUID_ENABLED); PhSetIntegerSetting(SETTING_ICON_TRAY_PERSIST_GUID_ENABLED, !persistentTrayIconLayoutEnabled); PhShowOptionsRestartRequired(WindowHandle); } return TRUE; case ID_NOTIFICATIONS_ENABLETRANSPARENTICONS: { BOOLEAN transparentTrayIconsEnabled = !!PhGetIntegerSetting(SETTING_ICON_TRANSPARENCY_ENABLED); EXTERN_C BOOLEAN PhNfTransparencyEnabled; PhNfTransparencyEnabled = !transparentTrayIconsEnabled; PhSetIntegerSetting(SETTING_ICON_TRANSPARENCY_ENABLED, !transparentTrayIconsEnabled); PhShowOptionsRestartRequired(WindowHandle); } return TRUE; case ID_NOTIFICATIONS_ENABLESINGLECLICKICONS: { BOOLEAN singleClickTrayIconsEnabled = !!PhGetIntegerSetting(SETTING_ICON_SINGLE_CLICK); PhSetIntegerSetting(SETTING_ICON_SINGLE_CLICK, !singleClickTrayIconsEnabled); } return TRUE; } return FALSE; } /** * Creates and returns a pointer to an icon menu. * \return Pointer to the created PPH_EMENU structure representing the icon menu. */ PPH_EMENU PhpCreateIconMenu( VOID ) { PPH_EMENU menu; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_ICON_SHOWHIDEPROCESSHACKER, L"&Show/Hide System Informer", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_ICON_SYSTEMINFORMATION, L"System &information", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhpCreateNotificationMenu(), ULONG_MAX); PhInsertEMenuItem(menu, PhpCreateNotificationSettingsMenu(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESSES_DUMMY, L"&Processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhpCreateComputerMenu(FALSE), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_ICON_EXIT, L"E&xit", NULL, NULL), ULONG_MAX); return menu; } /** * Initializes a submenu in the main window. * * \param WindowHandle Handle to the window that owns the menu. * \param Menu Pointer to the menu structure to be initialized. * \param Index Index specifying which submenu to initialize. */ VOID PhMwpInitializeSubMenu( _In_ HWND WindowHandle, _In_ PPH_EMENU Menu, _In_ ULONG Index ) { PPH_EMENU_ITEM menuItem; if (Index == PH_MENU_ITEM_LOCATION_SYSTEM) { if (WindowsVersion < WINDOWS_10) { if (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_HACKER_RUNASPACKAGE)) PhDestroyEMenuItem(menuItem); } if (PhGetOwnTokenAttributes().Elevated) { if (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_HACKER_RUNASADMINISTRATOR)) PhDestroyEMenuItem(menuItem); if (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_HACKER_SHOWDETAILSFORALLPROCESSES)) PhDestroyEMenuItem(menuItem); } else { if (PhGetIntegerSetting(SETTING_ENABLE_BITMAP_SUPPORT)) { HBITMAP shieldBitmap; if (shieldBitmap = PhGetShieldBitmap(LayoutWindowDpi, PhSmallIconSize.X, PhSmallIconSize.Y)) { if (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_HACKER_SHOWDETAILSFORALLPROCESSES)) menuItem->Bitmap = shieldBitmap; } } } PhMwpSetupComputerMenu(Menu); } else if (Index == PH_MENU_ITEM_LOCATION_VIEW) { PPH_EMENU_ITEM trayIconsMenuItem; ULONG id = ULONG_MAX; ULONG placeholderIndex = ULONG_MAX; if (trayIconsMenuItem = PhFindEMenuItem(Menu, PH_EMENU_FIND_DESCEND, NULL, ID_VIEW_TRAYICONS)) { // Add menu items for the registered tray icons. PhInsertEMenuItem(trayIconsMenuItem, PhpCreateNotificationMenu(), ULONG_MAX); PhInsertEMenuItem(trayIconsMenuItem, PhpCreateNotificationSettingsMenu(), ULONG_MAX); PhInsertEMenuItem(trayIconsMenuItem, PhCreateEMenuSeparator(), ULONG_MAX); for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; menuItem = PhCreateEMenuItem(0, ID_TRAYICONS_REGISTERED, icon->Text, NULL, icon); PhInsertEMenuItem(trayIconsMenuItem, menuItem, ULONG_MAX); // Update the text and check marks on the menu items. if (icon->Flags & PH_NF_ICON_ENABLED) { menuItem->Flags |= PH_EMENU_CHECKED; } if (icon->Flags & PH_NF_ICON_UNAVAILABLE) { PPH_STRING newText; newText = PhaConcatStrings2(icon->Text, L" (Unavailable)"); PhModifyEMenuItem(menuItem, PH_EMENU_MODIFY_TEXT, PH_EMENU_TEXT_OWNED, PhAllocateCopy(newText->Buffer, newText->Length + sizeof(WCHAR)), NULL); } } } if (menuItem = PhFindEMenuItemEx(Menu, 0, NULL, ID_VIEW_SECTIONPLACEHOLDER, NULL, &placeholderIndex)) { PhDestroyEMenuItem(menuItem); PhMwpInitializeSectionMenuItems(Menu, placeholderIndex); } if (AlwaysOnTop && (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_VIEW_ALWAYSONTOP))) menuItem->Flags |= PH_EMENU_CHECKED; id = PH_OPACITY_TO_ID(PhGetIntegerSetting(SETTING_MAIN_WINDOW_OPACITY)); if (menuItem = PhFindEMenuItem(Menu, PH_EMENU_FIND_DESCEND, NULL, id)) menuItem->Flags |= PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK; switch (PhGetIntegerSetting(SETTING_UPDATE_INTERVAL)) { case 500: id = ID_UPDATEINTERVAL_FAST; break; case 1000: id = ID_UPDATEINTERVAL_NORMAL; break; case 2000: id = ID_UPDATEINTERVAL_BELOWNORMAL; break; case 5000: id = ID_UPDATEINTERVAL_SLOW; break; case 10000: id = ID_UPDATEINTERVAL_VERYSLOW; break; default: id = ULONG_MAX; break; } if (id != ULONG_MAX && (menuItem = PhFindEMenuItem(Menu, PH_EMENU_FIND_DESCEND, NULL, id))) menuItem->Flags |= PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK; if (PhMwpUpdateAutomatically && (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_VIEW_UPDATEAUTOMATICALLY))) menuItem->Flags |= PH_EMENU_CHECKED; } else if (Index == PH_MENU_ITEM_LOCATION_TOOLS) { if (WindowsVersion < WINDOWS_8_1) { if (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_TOOLS_LIVEDUMP)) PhDestroyEMenuItem(menuItem); } if (PhGetIntegerSetting(SETTING_ENABLE_BITMAP_SUPPORT)) { HBITMAP shieldBitmap; if (shieldBitmap = PhGetShieldBitmap(LayoutWindowDpi, PhSmallIconSize.X, PhSmallIconSize.Y)) { if (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_TOOLS_STARTTASKMANAGER)) menuItem->Bitmap = shieldBitmap; if (menuItem = PhFindEMenuItem(Menu, 0, NULL, ID_TOOLS_STARTRESOURCEMONITOR)) menuItem->Bitmap = shieldBitmap; } } } } /** * Initializes section-related menu items in the specified menu. * * \param Menu Pointer to the menu structure where section items will be added. * \param StartIndex The starting index in the menu where section items should be inserted. */ VOID PhMwpInitializeSectionMenuItems( _In_ PPH_EMENU Menu, _In_ ULONG StartIndex ) { BOOLEAN removeSeparator = TRUE; PH_MAIN_TAB_PAGE_MENU_INFORMATION menuInfo; menuInfo.Menu = Menu; menuInfo.StartIndex = StartIndex; for (ULONG i = PageList->Count; i > 0; i--) { PPH_MAIN_TAB_PAGE page = PageList->Items[i - 1]; if (page->Callback(CurrentPage, MainTabPageInitializeSectionMenuItems, &menuInfo, NULL)) removeSeparator = FALSE; } if (removeSeparator) PhRemoveEMenuItem(Menu, NULL, StartIndex); } /** * Adjusts the layout of the tab control in the main window by updating the deferred window positioning handle. * \param DeferHandle Pointer to a handle used for deferred window positioning (HDWP). */ VOID PhMwpLayoutTabControl( _Inout_ HDWP *DeferHandle ) { RECT clientRect; RECT tabRect; if (!LayoutPaddingValid) { PhMwpUpdateLayoutPadding(); LayoutPaddingValid = TRUE; } if (!PhGetClientRect(PhMainWndHandle, &clientRect)) return; PhMwpApplyLayoutPadding(&clientRect, &LayoutPadding); tabRect = clientRect; TabCtrl_AdjustRect(TabControlHandle, FALSE, &tabRect); if (CurrentPage && CurrentPage->WindowHandle) { // Remove the tabctrl padding (dmex) *DeferHandle = DeferWindowPos( *DeferHandle, CurrentPage->WindowHandle, HWND_TOP, clientRect.left, tabRect.top - LayoutBorderSize, clientRect.right - clientRect.left, (tabRect.bottom - tabRect.top) + (clientRect.bottom - tabRect.bottom), SWP_NOACTIVATE | SWP_NOZORDER ); } } /** * Handles notifications from a tab control. * \param Header Pointer to an NMHDR structure containing information about the notification. */ VOID PhMwpNotifyTabControl( _In_ NMHDR *Header ) { if (Header->code == TCN_SELCHANGING) { OldTabIndex = TabCtrl_GetCurSel(TabControlHandle); } else if (Header->code == TCN_SELCHANGE) { PhMwpSelectionChangedTabControl(OldTabIndex); } } /** * Called when the selection in a tab control has changed. * \param OldIndex The index of the previously selected tab. */ VOID PhMwpSelectionChangedTabControl( _In_ LONG OldIndex ) { LONG selectedIndex; HDWP deferHandle; ULONG i; selectedIndex = TabCtrl_GetCurSel(TabControlHandle); if (selectedIndex == OldIndex) return; deferHandle = BeginDeferWindowPos(3); for (i = 0; i < PageList->Count; i++) { PPH_MAIN_TAB_PAGE page = PageList->Items[i]; page->Selected = page->Index == selectedIndex; if (page->Index == selectedIndex) { CurrentPage = page; // Create the tab page window if it doesn't exist. (wj32) if (!page->WindowHandle && !page->CreateWindowCalled) { if (page->Callback(page, MainTabPageCreateWindow, &page->WindowHandle, PhMainWndHandle)) page->CreateWindowCalled = TRUE; if (page->WindowHandle) BringWindowToTop(page->WindowHandle); if (PhTreeWindowFont) page->Callback(page, MainTabPageFontChanged, PhTreeWindowFont, NULL); } page->Callback(page, MainTabPageSelected, UlongToPtr(TRUE), NULL); if (page->WindowHandle) { deferHandle = DeferWindowPos(deferHandle, page->WindowHandle, NULL, 0, 0, 0, 0, SWP_SHOWWINDOW_ONLY); SetFocus(page->WindowHandle); } } else if (page->Index == OldIndex) { page->Callback(page, MainTabPageSelected, UlongToPtr(FALSE), NULL); if (page->WindowHandle) { deferHandle = DeferWindowPos(deferHandle, page->WindowHandle, NULL, 0, 0, 0, 0, SWP_HIDEWINDOW_ONLY); } } } PhMwpLayoutTabControl(&deferHandle); EndDeferWindowPos(deferHandle); if (OldIndex != INT_ERROR && PhGetIntegerSetting(SETTING_MAIN_WINDOW_TAB_RESTORE_ENABLED) && IsWindowVisible(TabControlHandle)) { PhSetIntegerSetting(SETTING_MAIN_WINDOW_TAB_RESTORE_INDEX, selectedIndex); } if (PhPluginsEnabled) { PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMainWindowTabChanged), LongToPtr(selectedIndex)); } } /** * Creates a new main tab page based on the specified template. * * \param Template Pointer to a PPH_MAIN_TAB_PAGE structure that serves as the template for the new page. * \return Pointer to the newly created PPH_MAIN_TAB_PAGE structure. */ PPH_MAIN_TAB_PAGE PhMwpCreatePage( _In_ PPH_MAIN_TAB_PAGE Template ) { PPH_MAIN_TAB_PAGE page; PPH_STRING name; //HDWP deferHandle; page = PhAllocateZero(sizeof(PH_MAIN_TAB_PAGE)); page->Name = Template->Name; page->Flags = Template->Flags; page->Callback = Template->Callback; page->Context = Template->Context; PhAddItemList(PageList, page); name = PhCreateString2(&page->Name); page->Index = PhAddTabControlTab(TabControlHandle, MAXINT, name->Buffer); PhDereferenceObject(name); page->Callback(page, MainTabPageCreate, NULL, NULL); // The tab control might need multiple lines, so we need to refresh the layout. //deferHandle = BeginDeferWindowPos(1); //PhMwpLayoutTabControl(&deferHandle); //EndDeferWindowPos(deferHandle); return page; } /** * Selects a page in the main window by its index. * \param Index The zero-based index of the page to select. */ VOID PhMwpSelectPage( _In_ ULONG Index ) { LONG oldIndex; oldIndex = TabCtrl_GetCurSel(TabControlHandle); TabCtrl_SetCurSel(TabControlHandle, Index); PhMwpSelectionChangedTabControl(oldIndex); } /** * Finds a main tab page by its name. * * \param Name A pointer to a PPH_STRINGREF structure containing the name of the page to find. * \return A pointer to the PPH_MAIN_TAB_PAGE structure if found, otherwise NULL. */ PPH_MAIN_TAB_PAGE PhMwpFindPage( _In_ PPH_STRINGREF Name ) { ULONG i; for (i = 0; i < PageList->Count; i++) { PPH_MAIN_TAB_PAGE page = PageList->Items[i]; if (PhEqualStringRef(&page->Name, Name, TRUE)) return page; } return NULL; } /** * Creates an internal main tab page. * * \param Name The name of the tab page. * \param Flags Flags that specify options for the tab page. * \param Callback Pointer to a callback function for the tab page. * \return A pointer to the newly created PPH_MAIN_TAB_PAGE structure, or NULL on failure. */ PPH_MAIN_TAB_PAGE PhMwpCreateInternalPage( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MAIN_TAB_PAGE_CALLBACK Callback ) { PH_MAIN_TAB_PAGE page; memset(&page, 0, sizeof(PH_MAIN_TAB_PAGE)); PhInitializeStringRefLongHint(&page.Name, Name); page.Flags = Flags; page.Callback = Callback; return PhMwpCreatePage(&page); } /** * Notifies all main tab pages of a specified message. * * \param Message The message to send to all main tab pages. * \param Parameter1 Optional parameter to pass with the message. * \param Parameter2 Optional parameter to pass with the message. */ VOID PhMwpNotifyAllPages( _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ) { ULONG i; PPH_MAIN_TAB_PAGE page; if (PageList) { for (i = 0; i < PageList->Count; i++) { page = PageList->Items[i]; page->Callback(page, Message, Parameter1, Parameter2); } } } /** * Comparison routine that orders processes by CPU usage (descending). * * \param elem1 Pointer to the first element (pointer to PPH_PROCESS_ITEM). * \param elem2 Pointer to the second element (pointer to PPH_PROCESS_ITEM). * \return Negative, zero, or positive value for qsort-style comparison. */ static int __cdecl IconProcessesCpuUsageCompare( _In_ void const* elem1, _In_ void const* elem2 ) { PPH_PROCESS_ITEM processItem1 = *(PPH_PROCESS_ITEM *)elem1; PPH_PROCESS_ITEM processItem2 = *(PPH_PROCESS_ITEM *)elem2; return -singlecmp(processItem1->CpuUsage, processItem2->CpuUsage); } /** * Comparison routine that orders processes by their (case-insensitive) name. * * \param elem1 Pointer to the first element (pointer to PPH_PROCESS_ITEM). * \param elem2 Pointer to the second element (pointer to PPH_PROCESS_ITEM). * \return Negative, zero, or positive value for qsort-style comparison. */ static int __cdecl IconProcessesNameCompare( _In_ void const* elem1, _In_ void const* elem2 ) { PPH_PROCESS_ITEM processItem1 = *(PPH_PROCESS_ITEM *)elem1; PPH_PROCESS_ITEM processItem2 = *(PPH_PROCESS_ITEM *)elem2; return PhCompareString(processItem1->ProcessName, processItem2->ProcessName, TRUE); } /** * Adds the mini-process submenu items (priority, I/O priority, actions) for a process. * * \param Menu The parent EMENU item to which process items will be appended. * \param ProcessId The process identifier for which menu entries are created. */ VOID PhAddMiniProcessMenuItems( _Inout_ PPH_EMENU_ITEM Menu, _In_ HANDLE ProcessId ) { PPH_EMENU_ITEM priorityMenu; PPH_EMENU_ITEM ioPriorityMenu = NULL; PPH_PROCESS_ITEM processItem; BOOLEAN isSuspended = FALSE; BOOLEAN isPartiallySuspended = TRUE; // Priority priorityMenu = PhCreateEMenuItem(0, ID_PROCESS_PRIORITYCLASS, L"&Priority class", NULL, ProcessId); PhInsertEMenuItem(priorityMenu, PhCreateEMenuItem(0, ID_PRIORITY_REALTIME, L"&Real time", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(priorityMenu, PhCreateEMenuItem(0, ID_PRIORITY_HIGH, L"&High", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(priorityMenu, PhCreateEMenuItem(0, ID_PRIORITY_ABOVENORMAL, L"&Above normal", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(priorityMenu, PhCreateEMenuItem(0, ID_PRIORITY_NORMAL, L"&Normal", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(priorityMenu, PhCreateEMenuItem(0, ID_PRIORITY_BELOWNORMAL, L"&Below normal", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(priorityMenu, PhCreateEMenuItem(0, ID_PRIORITY_IDLE, L"&Idle", NULL, ProcessId), ULONG_MAX); // I/O priority ioPriorityMenu = PhCreateEMenuItem(0, ID_PROCESS_IOPRIORITY, L"&I/O priority", NULL, ProcessId); PhInsertEMenuItem(ioPriorityMenu, PhCreateEMenuItem(0, ID_IOPRIORITY_HIGH, L"&High", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(ioPriorityMenu, PhCreateEMenuItem(0, ID_IOPRIORITY_NORMAL, L"&Normal", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(ioPriorityMenu, PhCreateEMenuItem(0, ID_IOPRIORITY_LOW, L"&Low", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(ioPriorityMenu, PhCreateEMenuItem(0, ID_IOPRIORITY_VERYLOW, L"&Very low", NULL, ProcessId), ULONG_MAX); // Menu PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_PROCESS_TERMINATE, L"T&erminate", NULL, ProcessId), ULONG_MAX); if (processItem = PhReferenceProcessItem(ProcessId)) { isSuspended = (BOOLEAN)processItem->IsSuspended; isPartiallySuspended = (BOOLEAN)processItem->IsPartiallySuspended; PhDereferenceObject(processItem); } if (!isSuspended) PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_PROCESS_SUSPEND, L"&Suspend", NULL, ProcessId), ULONG_MAX); if (isSuspended || isPartiallySuspended) PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_PROCESS_RESUME, L"Res&ume", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_PROCESS_RESTART, L"Res&tart", NULL, ProcessId), ULONG_MAX); PhInsertEMenuItem(Menu, priorityMenu, ULONG_MAX); if (ioPriorityMenu) PhInsertEMenuItem(Menu, ioPriorityMenu, ULONG_MAX); PhMwpSetProcessMenuPriorityChecks(Menu, ProcessId, TRUE, TRUE, FALSE); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_PROCESS_PROPERTIES, L"P&roperties", NULL, ProcessId), ULONG_MAX); } /** * Handles a menu item event for the mini-info-window. * * \param MenuItem Pointer to a PH_EMENU_ITEM structure representing the selected menu item. * \return Returns TRUE if the menu item was handled successfully, otherwise FALSE. */ BOOLEAN PhHandleMiniProcessMenuItem( _Inout_ PPH_EMENU_ITEM MenuItem ) { switch (MenuItem->Id) { case ID_PROCESS_TERMINATE: case ID_PROCESS_SUSPEND: case ID_PROCESS_RESUME: case ID_PROCESS_RESTART: case ID_PROCESS_PROPERTIES: { HANDLE processId = MenuItem->Context; PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(processId)) { switch (MenuItem->Id) { case ID_PROCESS_TERMINATE: PhUiTerminateProcesses(PhMainWndHandle, &processItem, 1); break; case ID_PROCESS_SUSPEND: PhUiSuspendProcesses(PhMainWndHandle, &processItem, 1); break; case ID_PROCESS_RESUME: PhUiResumeProcesses(PhMainWndHandle, &processItem, 1); break; case ID_PROCESS_RESTART: PhUiRestartProcess(PhMainWndHandle, processItem); break; case ID_PROCESS_PROPERTIES: SystemInformer_ShowProcessProperties(processItem); break; } PhDereferenceObject(processItem); } else { PhShowStatus(PhMainWndHandle, L"The process does not exist.", STATUS_INVALID_CID, 0); } } break; case ID_PRIORITY_REALTIME: case ID_PRIORITY_HIGH: case ID_PRIORITY_ABOVENORMAL: case ID_PRIORITY_NORMAL: case ID_PRIORITY_BELOWNORMAL: case ID_PRIORITY_IDLE: { HANDLE processId = MenuItem->Context; PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(processId)) { PhMwpExecuteProcessPriorityClassCommand(PhMainWndHandle, MenuItem->Id, &processItem, 1); PhDereferenceObject(processItem); } else { PhShowStatus(PhMainWndHandle, L"The process does not exist.", STATUS_INVALID_CID, 0); } } break; case ID_IOPRIORITY_HIGH: case ID_IOPRIORITY_NORMAL: case ID_IOPRIORITY_LOW: case ID_IOPRIORITY_VERYLOW: { HANDLE processId = MenuItem->Context; PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(processId)) { PhMwpExecuteProcessIoPriorityCommand(PhMainWndHandle, MenuItem->Id, &processItem, 1); PhDereferenceObject(processItem); } else { PhShowStatus(PhMainWndHandle, L"The process does not exist.", STATUS_INVALID_CID, 0); } } break; } return FALSE; } /** * Adds a specified number of icon processes to the given menu. * * \param Menu Pointer to the menu item where icon processes will be added. * \param NumberOfProcesses The number of icon processes to add. */ VOID PhMwpAddIconProcesses( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG NumberOfProcesses ) { ULONG i; PPH_PROCESS_ITEM *processItems; ULONG numberOfProcessItems; PPH_LIST processList; PPH_PROCESS_ITEM processItem; PhEnumProcessItems(&processItems, &numberOfProcessItems); processList = PhCreateList(numberOfProcessItems); PhAddItemsList(processList, processItems, numberOfProcessItems); // Remove non-real processes. for (i = 0; i < processList->Count; i++) { processItem = processList->Items[i]; if (!PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) { PhRemoveItemList(processList, i); i--; } } // Remove processes with zero CPU usage and those running as other users. for (i = 0; i < processList->Count && processList->Count > NumberOfProcesses; i++) { processItem = processList->Items[i]; if ( processItem->CpuUsage == 0 || (processItem->Sid && !PhEqualSid(processItem->Sid, PhGetOwnTokenAttributes().TokenSid)) ) { PhRemoveItemList(processList, i); i--; } } // Sort the processes by CPU usage and remove the extra processes at the end of the list. qsort(processList->Items, processList->Count, sizeof(PVOID), IconProcessesCpuUsageCompare); if (processList->Count > NumberOfProcesses) { PhRemoveItemsList(processList, NumberOfProcesses, processList->Count - NumberOfProcesses); } // Lastly, sort by name. qsort(processList->Items, processList->Count, sizeof(PVOID), IconProcessesNameCompare); // Delete all menu items. PhRemoveAllEMenuItems(Menu); // Add the processes. for (i = 0; i < processList->Count; i++) { PPH_EMENU_ITEM subMenu; HBITMAP iconBitmap = NULL; CLIENT_ID clientId; PPH_STRING clientIdName; PPH_STRING escapedName; HICON icon; processItem = processList->Items[i]; // Process clientId.UniqueProcess = processItem->ProcessId; clientId.UniqueThread = NULL; clientIdName = PH_AUTO(PhGetClientIdName(&clientId)); escapedName = PH_AUTO(PhEscapeStringForMenuPrefix(&clientIdName->sr)); subMenu = PhCreateEMenuItem( 0, 0, escapedName->Buffer, NULL, processItem->ProcessId ); if (icon = PhGetImageListIcon(processItem->SmallIconIndex, FALSE)) { iconBitmap = PhIconToBitmap(icon, PhSmallIconSize.X, PhSmallIconSize.Y); DestroyIcon(icon); } subMenu->Bitmap = iconBitmap; subMenu->Flags |= PH_EMENU_BITMAP_OWNED; // automatically destroy the bitmap when necessary PhAddMiniProcessMenuItems(subMenu, processItem->ProcessId); PhInsertEMenuItem(Menu, subMenu, ULONG_MAX); } PhDereferenceObject(processList); PhDereferenceObjects(processItems, numberOfProcessItems); PhFree(processItems); } /** * Displays the context menu for the application's icon at the specified location. * * \param WindowHandle Handle to the window that owns the icon. * \param Location Screen coordinates where the context menu should appear. */ VOID PhShowIconContextMenu( _In_ HWND WindowHandle, _In_ PPOINT Location ) { PPH_EMENU menu; PPH_EMENU_ITEM item; PH_PLUGIN_MENU_INFORMATION menuInfo; ULONG numberOfProcesses; // This function seems to be called recursively under some circumstances. // To reproduce: // 1. Hold right mouse button on tray icon, then left click. // 2. Make the menu disappear by clicking on the menu then clicking somewhere else. // So, don't store any global state or bad things will happen. menu = PhpCreateIconMenu(); // Add processes to the menu. numberOfProcesses = PhGetIntegerSetting(SETTING_ICON_PROCESSES); item = PhFindEMenuItem(menu, 0, 0, ID_PROCESSES_DUMMY); if (item) PhMwpAddIconProcesses(item, numberOfProcesses); // Fix up the Computer menu. PhMwpSetupComputerMenu(menu); // Give plugins a chance to modify the menu. if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, WindowHandle, 0); PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackIconMenuInitializing), &menuInfo); } SetForegroundWindow(WindowHandle); // window must be foregrounded so menu will disappear properly (wj32) item = PhShowEMenu( menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, Location->x, Location->y ); if (item) { BOOLEAN handled = FALSE; if (PhPluginsEnabled && !handled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) handled = PhHandleMiniProcessMenuItem(item); if (!handled) handled = PhMwpExecuteComputerCommand(WindowHandle, item->Id); if (!handled) handled = PhMwpExecuteNotificationMenuCommand(WindowHandle, item->Id); if (!handled) handled = PhMwpExecuteNotificationSettingsMenuCommand(WindowHandle, item->Id); if (!handled) { switch (item->Id) { case ID_ICON_SHOWHIDEPROCESSHACKER: SystemInformer_ToggleVisible(FALSE); break; case ID_ICON_SYSTEMINFORMATION: SendMessage(WindowHandle, WM_COMMAND, ID_VIEW_SYSTEMINFORMATION, 0); break; case ID_ICON_EXIT: SendMessage(WindowHandle, WM_COMMAND, ID_HACKER_EXIT, 0); break; } } } PhDestroyEMenu(menu); } /** * Displays a simple notification balloon from the tray icon. * * \param Title The title text of the notification. * \param Text The body text of the notification. */ VOID PhShowIconNotification( _In_ PCWSTR Title, _In_ PCWSTR Text ) { PhNfShowBalloonTip(Title, Text, 10); } /** * Displays an extended notification from the tray icon with callback support. * * \param Title The title text of the notification. * \param Text The body text of the notification. * \param Timeout Duration (seconds) before the notification is dismissed. * \param Callback Optional callback invoked when the notification is dismissed. * \param Context Context pointer passed to the callback. * \return HRESULT result code. */ HRESULT PhShowIconNotificationEx( _In_ PCWSTR Title, _In_ PCWSTR Text, _In_ ULONG Timeout, _In_opt_ PPH_TOAST_CALLBACK Callback, _In_opt_ PVOID Context ) { return PhNfShowBalloonTipEx(Title, Text, Timeout, Callback, Context); } /** * Shows detailed information related to the last tray icon notification. * * This function inspects the last notification type and opens the appropriate * UI (process/service) to display details. */ VOID PhShowDetailsForIconNotification( VOID ) { switch (PhMwpLastNotificationType) { case PH_NOTIFY_PROCESS_CREATE: { PPH_PROCESS_NODE processNode; if (processNode = PhFindProcessNode(PhMwpLastNotificationDetails.ProcessId)) { SystemInformer_SelectTabPage(PhMwpProcessesPage->Index); SystemInformer_SelectProcessNode(processNode); SystemInformer_ToggleVisible(TRUE); } else { PhShowStatus(PhMainWndHandle, L"The process does not exist.", STATUS_INVALID_CID, 0); } } break; case PH_NOTIFY_SERVICE_CREATE: case PH_NOTIFY_SERVICE_START: case PH_NOTIFY_SERVICE_STOP: { PPH_SERVICE_ITEM serviceItem; if (PhMwpLastNotificationDetails.ServiceName && (serviceItem = PhReferenceServiceItem(&PhMwpLastNotificationDetails.ServiceName->sr))) { SystemInformer_SelectTabPage(PhMwpServicesPage->Index); SystemInformer_SelectServiceItem(serviceItem); SystemInformer_ToggleVisible(TRUE); PhDereferenceObject(serviceItem); } else { PhShowStatus(PhMainWndHandle, L"The service does not exist.", STATUS_INVALID_CID, 0); } } break; } } /** * Clears stored information about the last tray icon notification. * * Frees any referenced strings and resets the notification type/state. */ VOID PhMwpClearLastNotificationDetails( VOID ) { switch (PhMwpLastNotificationType) { case PH_NOTIFY_SERVICE_CREATE: case PH_NOTIFY_SERVICE_START: case PH_NOTIFY_SERVICE_STOP: PhClearReference(&PhMwpLastNotificationDetails.ServiceName); break; } PhMwpLastNotificationType = 0; memset(&PhMwpLastNotificationDetails, 0, sizeof(PhMwpLastNotificationDetails)); } // Window plugin extensions (dmex) /** * Invokes the memory editor dialog from a worker or plugin context. * * \param Parameter Pointer to a PPH_SHOW_MEMORY_EDITOR structure (ownership transferred). */ VOID PhMwpInvokeShowMemoryEditorDialog( _In_ PVOID Parameter ) { PPH_SHOW_MEMORY_EDITOR showMemoryEditor = (PPH_SHOW_MEMORY_EDITOR)Parameter; PhShowMemoryEditorDialog( showMemoryEditor->OwnerWindow, showMemoryEditor->ProcessId, showMemoryEditor->BaseAddress, showMemoryEditor->RegionSize, showMemoryEditor->SelectOffset, showMemoryEditor->SelectLength, showMemoryEditor->Title, showMemoryEditor->Flags ); PhClearReference(&showMemoryEditor->Title); PhFree(showMemoryEditor); } /** * Invokes the memory results dialog from a worker or plugin context. * * \param Parameter Pointer to a PPH_SHOW_MEMORY_RESULTS structure (ownership transferred). */ VOID PhMwpInvokeShowMemoryResultsDialog( _In_ PVOID Parameter ) { PPH_SHOW_MEMORY_RESULTS showMemoryResults = (PPH_SHOW_MEMORY_RESULTS)Parameter; PhShowMemoryResultsDialog( showMemoryResults->ProcessId, showMemoryResults->Results ); PhDereferenceMemoryResults( (PPH_MEMORY_RESULT*)showMemoryResults->Results->Items, showMemoryResults->Results->Count ); PhDereferenceObject(showMemoryResults->Results); PhFree(showMemoryResults); } /** * Updates the main window font based on saved settings and applies it to controls. * * \param Parameter Optional parameter (unused). */ VOID PhMwpInvokeUpdateWindowFont( _In_opt_ PVOID Parameter ) { HFONT oldFont = PhTreeWindowFont; HFONT newFont; PPH_STRING fontHexString; LOGFONT font; fontHexString = PhaGetStringSetting(SETTING_FONT); if ( fontHexString->Length / sizeof(WCHAR) / 2 == sizeof(LOGFONT) && PhHexStringToBuffer(&fontHexString->sr, (PUCHAR)&font) ) { if (!(newFont = CreateFontIndirect(&font))) return; } else { if (!(newFont = PhCreateIconTitleFont(LayoutWindowDpi))) return; } PhTreeWindowFont = newFont; SetWindowFont(TabControlHandle, PhTreeWindowFont, TRUE); PhMwpNotifyAllPages(MainTabPageFontChanged, newFont, NULL); if (oldFont) DeleteFont(oldFont); } /** * Updates the monospace font used by the UI, based on saved settings. * * \param WindowHandle Optional window handle associated with the update (unused in most callers). * \param Parameter Optional parameter (unused). */ VOID PhMwpInvokeUpdateWindowFontMonospace( _In_ HWND WindowHandle, _In_opt_ PVOID Parameter ) { HFONT oldFont = PhMonospaceFont; HFONT newFont; PPH_STRING fontHexString; LOGFONT font; fontHexString = PhaGetStringSetting(SETTING_FONT_MONOSPACE); if ( fontHexString->Length / sizeof(WCHAR) / 2 == sizeof(LOGFONT) && PhHexStringToBuffer(&fontHexString->sr, (PUCHAR)&font) ) { if (!(newFont = CreateFontIndirect(&font))) return; } else { PhMonospaceFont = PhInitializeMonospaceFont(LayoutWindowDpi); if (oldFont) DeleteFont(oldFont); return; } PhMonospaceFont = newFont; if (oldFont) DeleteFont(oldFont); } /** * Prepares the application for an early exit by saving settings and marking state. * * \param WindowHandle The main window handle used when saving state. */ VOID PhMwpInvokePrepareEarlyExit( _In_ HWND WindowHandle ) { PhMwpSaveSettings(WindowHandle); PhMainWndEarlyExit = TRUE; } /** * Invokes activation (or toggling) of the main window. * * \param Toggle If TRUE, toggle visibility when appropriate; otherwise ensure window is active. */ VOID PhMwpInvokeActivateWindow( _In_ BOOLEAN Toggle ) { PhMwpActivateWindow(PhMainWndHandle, Toggle); } /** * Invokes selection of a main tab page on the UI thread. * * \param Parameter Tab index encoded as ULONG via PtrToUlong. */ VOID PhMwpInvokeSelectTabPage( _In_ PVOID Parameter ) { ULONG index = PtrToUlong(Parameter); PhMwpSelectPage(index); if (CurrentPage->WindowHandle) SetFocus(CurrentPage->WindowHandle); } /** * Invokes selection of a service item in the services list (posted to main thread). * * \param ServiceItem Pointer to the service item to select. */ VOID PhMwpInvokeSelectServiceItem( _In_ PPH_SERVICE_ITEM ServiceItem ) { PPH_SERVICE_NODE serviceNode; PhMwpNeedServiceTreeList(); // For compatibility, LParam is a service item, not node. if (serviceNode = PhFindServiceNode(ServiceItem)) { PhSelectAndEnsureVisibleServiceNode(serviceNode); } } /** * Invokes selection of a network item in the network list (posted to main thread). * * \param NetworkItem Pointer to the network item to select. */ VOID PhMwpInvokeSelectNetworkItem( _In_ PPH_NETWORK_ITEM NetworkItem ) { PPH_NETWORK_NODE networkNode; PhMwpNeedNetworkTreeList(); // For compatibility, LParam is a network item, not node. if (networkNode = PhFindNetworkNode(NetworkItem)) { PhSelectAndEnsureVisibleNetworkNode(networkNode); } } /** * Sends a plugin notification event to registered plugin callbacks. * * \param Type Notification event type. * \param Parameter Additional event-specific parameter. * \return TRUE if the event was handled by a plugin, otherwise FALSE. */ BOOLEAN PhMwpPluginNotifyEvent( _In_ ULONG Type, _In_ PVOID Parameter ) { PH_PLUGIN_NOTIFY_EVENT notifyEvent; notifyEvent.Type = Type; notifyEvent.Handled = FALSE; notifyEvent.Parameter = Parameter; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackNotifyEvent), ¬ifyEvent); return notifyEvent.Handled; } // // // SLIST_HEADER PhMainThreadInvokeQueue; PH_FREE_LIST PhMainThreadInvokeQueueFreeList; volatile LONG PhMainThreadInvokePending = 0; /** * Queues a command to be executed on the application's main (UI) thread. * * \param Command Function pointer (VOID (NTAPI*)(PVOID)) to invoke on the main thread. * \param Parameter Parameter to pass to the invoked function. * \return NTSTATUS status code (always STATUS_SUCCESS on queueing). */ NTSTATUS PhInvokeOnMainThread( _In_opt_ PVOID Command, _In_opt_ PVOID Parameter ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_INVOKE_ENTRY entry; if (PhBeginInitOnce(&initOnce)) { PhInitializeSListHead(&PhMainThreadInvokeQueue); PhInitializeFreeList(&PhMainThreadInvokeQueueFreeList, sizeof(PH_INVOKE_ENTRY), 5); PhEndInitOnce(&initOnce); } entry = PhAllocateFromFreeList(&PhMainThreadInvokeQueueFreeList); entry->Command = Command; entry->Parameter = Parameter; //entry->ThreadId = NtCurrentThreadId(); //entry->SubmitTime = NtGetTickCount64(); RtlInterlockedPushEntrySList(&PhMainThreadInvokeQueue, &entry->ListEntry); // Only post WM_PH_INVOKE if no message is currently pending. // This prevents flooding the message queue with redundant messages while // still ensuring the queue is processed (one message drains all items). if (InterlockedCompareExchange(&PhMainThreadInvokePending, 1, 0) == 0) { PostMessage(PhMainWndHandle, WM_PH_INVOKE, 0, 0); } return STATUS_SUCCESS; } /** * Processes and dispatches all pending main-thread invoke queue entries. * * This function is called on the main/UI thread to execute callbacks queued * via PhInvokeOnMainThread. */ VOID PhProcessInvokeQueue( VOID ) { PSLIST_ENTRY listEntry; PPH_INVOKE_ENTRY entry; while ((listEntry = RtlInterlockedPopEntrySList(&PhMainThreadInvokeQueue))) { entry = CONTAINING_RECORD(listEntry, PH_INVOKE_ENTRY, ListEntry); { VOID (NTAPI* function)(PVOID); function = entry->Command; function(entry->Parameter); } //PH_PLUGIN_INVOKE_EVENT event; // //memset(&event, 0, sizeof(PH_PLUGIN_INVOKE_EVENT)); //event.Id = entry->Command; //event.Parameter = entry->Parameter; // //PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMainWindowThread), &event); PhFreeToFreeList(&PhMainThreadInvokeQueueFreeList, entry); } } // Exports for plugin support (dmex) /** * Plugin-facing helper to invoke main window callbacks or perform window operations. * * \param Event The callback/event type to perform. * \param wparam First parameter (meaning depends on Event). * \param lparam Second parameter (meaning depends on Event). * \return Optional result depending on Event; NULL if none. */ PVOID PhPluginInvokeWindowCallback( _In_ PH_MAINWINDOW_CALLBACK_TYPE Event, _In_opt_ PVOID wparam, _In_opt_ PVOID lparam ) { switch (Event) { case PH_MAINWINDOW_CALLBACK_TYPE_DESTROY: { SendMessage(PhMainWndHandle, WM_PH_DESTROY, 0, 0); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SHOW_PROPERTIES: { SendMessage(PhMainWndHandle, WM_PH_SHOW_PROPERTIES, 0, (LPARAM)lparam); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SAVE_ALL_SETTINGS: { SendMessage(PhMainWndHandle, WM_PH_SAVE_ALL_SETTINGS, 0, 0); } break; case PH_MAINWINDOW_CALLBACK_TYPE_PREPARE_FOR_EARLY_SHUTDOWN: { SendMessage(PhMainWndHandle, WM_PH_PREPARE_FOR_EARLY_SHUTDOWN, 0, 0); } break; case PH_MAINWINDOW_CALLBACK_TYPE_CANCEL_EARLY_SHUTDOWN: { PhMainWndEarlyExit = FALSE; } break; case PH_MAINWINDOW_CALLBACK_TYPE_TOGGLE_VISIBLE: { BOOLEAN visibility = !(BOOLEAN)(ULONG_PTR)wparam; SendMessage(PhMainWndHandle, WM_PH_ACTIVATE_WINDOW, 0, (LPARAM)visibility); } break; case PH_MAINWINDOW_CALLBACK_TYPE_ICON_CLICK: { BOOLEAN visibility = !!PhGetIntegerSetting(SETTING_ICON_TOGGLES_VISIBILITY); SendMessage(PhMainWndHandle, WM_PH_ACTIVATE_WINDOW, 0, (LPARAM)visibility); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SHOW_MEMORY_EDITOR: { PPH_SHOW_MEMORY_EDITOR showMemoryEditor = (PPH_SHOW_MEMORY_EDITOR)lparam; PostMessage(PhMainWndHandle, WM_PH_SHOW_EDITOR, (WPARAM)showMemoryEditor, 0); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SHOW_MEMORY_RESULTS: { PPH_SHOW_MEMORY_RESULTS showMemoryResults = (PPH_SHOW_MEMORY_RESULTS)lparam; PostMessage(PhMainWndHandle, WM_PH_SHOW_RESULT, (WPARAM)showMemoryResults, 0); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SELECT_TAB_PAGE: { SendMessage(PhMainWndHandle, WM_PH_SELECT_NODE, (WPARAM)1, (LPARAM)lparam); } break; case PH_MAINWINDOW_CALLBACK_TYPE_GET_CALLBACK_LAYOUT_PADDING: { return (PVOID)&LayoutPaddingCallback; } break; case PH_MAINWINDOW_CALLBACK_TYPE_INVALIDATE_LAYOUT_PADDING: { LayoutPaddingValid = FALSE; } break; case PH_MAINWINDOW_CALLBACK_TYPE_SELECT_PROCESS_NODE: { SendMessage(PhMainWndHandle, WM_PH_SELECT_NODE, (WPARAM)2, (LPARAM)lparam); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SELECT_SERVICE_ITEM: { SendMessage(PhMainWndHandle, WM_PH_SELECT_NODE, (WPARAM)3, (LPARAM)lparam); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SELECT_NETWORK_ITEM: { SendMessage(PhMainWndHandle, WM_PH_SELECT_NODE, (WPARAM)4, (LPARAM)lparam); } break; case PH_MAINWINDOW_CALLBACK_TYPE_UPDATE_FONT: { SendMessage(PhMainWndHandle, WM_PH_UPDATE_FONT, 0, (LPARAM)lparam); } break; case PH_MAINWINDOW_CALLBACK_TYPE_GET_FONT: { return PhTreeWindowFont; // (PVOID)GetWindowFont(PhMwpProcessTreeNewHandle); } break; case PH_MAINWINDOW_CALLBACK_TYPE_INVOKE: { PhInvokeOnMainThread((PVOID)(ULONG_PTR)lparam, (PVOID)wparam); } break; case PH_MAINWINDOW_CALLBACK_TYPE_REFRESH: { SendMessage(PhMainWndHandle, WM_COMMAND, ID_VIEW_REFRESH, 0); } break; case PH_MAINWINDOW_CALLBACK_TYPE_CREATE_TAB_PAGE: { return NULL; //(PVOID)SendMessage(PhMainWndHandle, WM_PH_CALLBACK, (WPARAM)lparam, (LPARAM)PhMwpCreatePage); } break; case PH_MAINWINDOW_CALLBACK_TYPE_GET_UPDATE_AUTOMATICALLY: { return (PVOID)UlongToPtr(PhMwpUpdateAutomatically); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SET_UPDATE_AUTOMATICALLY: { BOOLEAN updateAutomatically = !!(BOOLEAN)(ULONG_PTR)wparam; if (updateAutomatically != PhMwpUpdateAutomatically) { SendMessage(PhMainWndHandle, WM_COMMAND, ID_VIEW_UPDATEAUTOMATICALLY, 0); } } break; case PH_MAINWINDOW_CALLBACK_TYPE_WINDOW_BASE: { return (PVOID)NtCurrentImageBase(); } break; case PH_MAINWINDOW_CALLBACK_TYPE_GETWINDOW_PROCEDURE: { return (PVOID)PhMwpWndProc; // (WNDPROC)GetWindowLongPtr(PhMainWndHandle, GWLP_WNDPROC); } break; case PH_MAINWINDOW_CALLBACK_TYPE_SETWINDOW_PROCEDURE: { PhMainWndProc = (WNDPROC)wparam; // (WNDPROC)GetWindowLongPtr(PhMainWndHandle, GWLP_WNDPROC); } break; case PH_MAINWINDOW_CALLBACK_TYPE_WINDOW_HANDLE: { return (PVOID)PhMainWndHandle; } break; case PH_MAINWINDOW_CALLBACK_TYPE_VERSION: { return UlongToPtr(WindowsVersion); } break; case PH_MAINWINDOW_CALLBACK_TYPE_PORTABLE: { return (PVOID)UlongToPtr(PhPortableEnabled); } break; case PH_MAINWINDOW_CALLBACK_TYPE_WINDOWDPI: { return (PVOID)UlongToPtr(LayoutWindowDpi); } break; case PH_MAINWINDOW_CALLBACK_TYPE_WINDOWNAME: { return (PVOID)PhApplicationName; } break; case PH_MAINWINDOW_CALLBACK_TYPE_GET_MAIN_MENU: { return (PVOID)PhpCreateMainMenu(ULONG_MAX); } break; case PH_MAINWINDOW_CALLBACK_TYPE_GET_MAIN_SUBMENU: { PPH_EMENU menu; menu = PhpCreateMainMenu(PtrToUlong(wparam)); PhMwpInitializeSubMenu(PhMainWndHandle, menu, PtrToUlong(wparam)); if (PhPluginsEnabled) { PH_PLUGIN_MENU_INFORMATION pluginMenuInfo; PhPluginInitializeMenuInfo(&pluginMenuInfo, menu, PhMainWndHandle, PH_PLUGIN_MENU_DISALLOW_HOOKS); pluginMenuInfo.u.MainMenu.SubMenuIndex = PtrToUlong(wparam); PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMainMenuInitializing), &pluginMenuInfo); } return (PVOID)menu; } break; case PH_MAINWINDOW_CALLBACK_TYPE_SET_MAIN_SUBCMD: { PhMwpDispatchMenuCommand(PhMainWndHandle, PtrToUlong(wparam), (ULONG_PTR)lparam); } break; } return NULL; } /** * Creates a main tab page on behalf of a plugin. * * \param Page Pointer to a PH_MAIN_TAB_PAGE template structure describing the page. * \return Pointer to the newly created PPH_MAIN_TAB_PAGE. */ PVOID PhPluginCreateTabPage( _In_ PVOID Page ) { return PhMwpCreatePage(Page); } ================================================ FILE: SystemInformer/mdump.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2016-2023 * */ #include #include #include #include #include #include #include #include #include #define WM_PH_MINIDUMP_STATUS_UPDATE (WM_APP + 301) #define WM_PH_MINIDUMP_COMPLETED (WM_APP + 302) #define WM_PH_MINIDUMP_ERROR (WM_APP + 303) typedef struct _PH_PROCESS_MINIDUMP_CONTEXT { HWND WindowHandle; HWND ParentWindowHandle; HANDLE ProcessId; PPH_PROCESS_ITEM ProcessItem; PPH_STRING FileName; PPH_STRING ErrorMessage; ULONG DumpType; HANDLE ProcessHandle; HANDLE FileHandle; HANDLE KernelFileHandle; union { BOOLEAN Flags; struct { BOOLEAN IsWow64Process : 1; BOOLEAN IsProcessSnapshot : 1; BOOLEAN Stop : 1; BOOLEAN Succeeded : 1; BOOLEAN EnableProcessSnapshot : 1; BOOLEAN EnableKernelSnapshot : 1; BOOLEAN Spare : 2; }; }; ULONG64 LastTickCount; WNDPROC DefaultTaskDialogWindowProc; } PH_PROCESS_MINIDUMP_CONTEXT, *PPH_PROCESS_MINIDUMP_CONTEXT; INT_PTR CALLBACK PhpProcessMiniDumpDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpProcessMiniDumpTaskDialogThread( _In_ PVOID ThreadParameter ); PH_INITONCE PhpProcessMiniDumpContextTypeInitOnce = PH_INITONCE_INIT; PPH_OBJECT_TYPE PhpProcessMiniDumpContextType = NULL; PPH_STRING PhpProcessMiniDumpGetFileName( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { static PH_FILETYPE_FILTER filters[] = { { L"Dump files (*.dmp)", L"*.dmp" }, { L"All files (*.*)", L"*.*" } }; PPH_STRING fileName = NULL; PVOID fileDialog; LARGE_INTEGER time; SYSTEMTIME systemTime; PPH_STRING dateString; PPH_STRING timeString; PPH_STRING suggestedFileName; PhQuerySystemTime(&time); PhLargeIntegerToLocalSystemTime(&systemTime, &time); dateString = PH_AUTO_T(PH_STRING, PhFormatDate(&systemTime, L"yyyy-MM-dd")); timeString = PH_AUTO_T(PH_STRING, PhFormatTime(&systemTime, L"HH-mm-ss")); suggestedFileName = PH_AUTO_T(PH_STRING, PhFormatString( L"%s_%s_%s.dmp", PhGetString(ProcessItem->ProcessName), PhGetString(dateString), PhGetString(timeString) )); if (fileDialog = PhCreateSaveFileDialog()) { PhSetFileDialogFilter(fileDialog, filters, RTL_NUMBER_OF(filters)); PhSetFileDialogFileName(fileDialog, PhGetString(suggestedFileName)); PhSetFileDialogOptions(fileDialog, PH_FILEDIALOG_DONTADDTORECENT); if (PhShowFileDialog(WindowHandle, fileDialog)) { fileName = PhGetFileDialogFileName(fileDialog); } PhFreeFileDialog(fileDialog); } return fileName; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpProcessMiniDumpContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_PROCESS_MINIDUMP_CONTEXT context = Object; if (context->KernelFileHandle) { LARGE_INTEGER fileSize; if (NT_SUCCESS(PhGetFileSize(context->KernelFileHandle, &fileSize))) { if (fileSize.QuadPart == 0) { PhSetFileDelete(context->KernelFileHandle); } } NtClose(context->KernelFileHandle); } if (context->FileHandle) NtClose(context->FileHandle); if (context->ProcessHandle) NtClose(context->ProcessHandle); if (context->FileName) PhDereferenceObject(context->FileName); if (context->ErrorMessage) PhDereferenceObject(context->ErrorMessage); if (context->ProcessItem) PhDereferenceObject(context->ProcessItem); } PPH_PROCESS_MINIDUMP_CONTEXT PhpCreateProcessMiniDumpContext( VOID ) { PPH_PROCESS_MINIDUMP_CONTEXT context; if (PhBeginInitOnce(&PhpProcessMiniDumpContextTypeInitOnce)) { PhpProcessMiniDumpContextType = PhCreateObjectType(L"ProcessMiniDumpContextObjectType", 0, PhpProcessMiniDumpContextDeleteProcedure); PhEndInitOnce(&PhpProcessMiniDumpContextTypeInitOnce); } context = PhCreateObject(sizeof(PH_PROCESS_MINIDUMP_CONTEXT), PhpProcessMiniDumpContextType); memset(context, 0, sizeof(PH_PROCESS_MINIDUMP_CONTEXT)); return context; } VOID PhUiCreateDumpFileProcess( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ MINIDUMP_TYPE DumpType ) { static ACCESS_MASK processAccess[] = { PROCESS_ALL_ACCESS, PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, PROCESS_QUERY_INFORMATION }; NTSTATUS status = STATUS_UNSUCCESSFUL; PPH_PROCESS_MINIDUMP_CONTEXT context; PPH_STRING fileName; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif fileName = PhpProcessMiniDumpGetFileName(WindowHandle, ProcessItem); if (PhIsNullOrEmptyString(fileName)) return; context = PhpCreateProcessMiniDumpContext(); context->EnableProcessSnapshot = !!PhGetIntegerSetting(SETTING_ENABLE_MINIDUMP_SNAPSHOT); context->EnableKernelSnapshot = !!PhGetIntegerSetting(SETTING_ENABLE_MINIDUMP_KERNEL_MINIDUMP); context->ParentWindowHandle = WindowHandle; context->ProcessId = ProcessItem->ProcessId; context->ProcessItem = PhReferenceObject(ProcessItem); context->FileName = fileName; context->DumpType = DumpType; for (ULONG i = 0; i < RTL_NUMBER_OF(processAccess); i++) { if (NT_SUCCESS(status = PhOpenProcess( &context->ProcessHandle, processAccess[i], context->ProcessId ))) { break; } } if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to open the process", status, 0); PhDereferenceObject(context); return; } #ifdef _WIN64 PhGetProcessIsWow64(context->ProcessHandle, &isWow64); context->IsWow64Process = !!isWow64; #endif status = PhCreateFileWin32( &context->FileHandle, PhGetString(fileName), FILE_GENERIC_WRITE | DELETE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_DELETE, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to access the dump file", status, 0); PhDereferenceObject(context); return; } PhCreateThread2(PhpProcessMiniDumpTaskDialogThread, context); //PhDialogBox( // PhInstanceHandle, // MAKEINTRESOURCE(IDD_PROGRESS), // NULL, // PhpProcessMiniDumpDlgProc, // context // ); } static BOOL CALLBACK PhpProcessMiniDumpCallback( _Inout_ PVOID CallbackParam, _In_ PMINIDUMP_CALLBACK_INPUT CallbackInput, _Inout_ PMINIDUMP_CALLBACK_OUTPUT CallbackOutput ) { PPH_PROCESS_MINIDUMP_CONTEXT context = CallbackParam; PPH_STRING message = NULL; // Don't try to send status updates if we're creating a dump of the current process. if (context->ProcessId == NtCurrentProcessId()) return TRUE; // MiniDumpWriteDump seems to get bored of calling the callback // after it begins dumping the process handles. The code is // still here in case they fix this problem in the future. switch (CallbackInput->CallbackType) { case CancelCallback: { if (context->Stop) CallbackOutput->Cancel = TRUE; CallbackOutput->CheckCancel = TRUE; } break; case IsProcessSnapshotCallback: { if (context->EnableProcessSnapshot && context->IsProcessSnapshot) CallbackOutput->Status = S_FALSE; } break; //case VmStartCallback: // { // CallbackOutput->Status = S_FALSE; // } // break; //case IncludeVmRegionCallback: // { // CallbackOutput->Continue = TRUE; // } // break; case ReadMemoryFailureCallback: { CallbackOutput->Status = S_OK; } break; case ModuleCallback: { PH_FORMAT format[3]; PPH_STRING baseName = NULL; if (CallbackInput->Module.FullPath) { if (baseName = PhCreateString(CallbackInput->Module.FullPath)) { PhMoveReference(&baseName, PhGetBaseName(baseName)); PhMoveReference(&baseName, PhEllipsisStringPath(baseName, 10)); } } // Processing module %s... PhInitFormatS(&format[0], L"Processing module "); if (baseName) PhInitFormatSR(&format[1], baseName->sr); else PhInitFormatS(&format[1], L""); PhInitFormatS(&format[2], L"..."); message = PhFormat(format, RTL_NUMBER_OF(format), 0); PhClearReference(&baseName); } break; case ThreadCallback: case ThreadExCallback: { PH_FORMAT format[3]; // Processing thread %lu... PhInitFormatS(&format[0], L"Processing thread "); PhInitFormatU(&format[1], CallbackInput->Thread.ThreadId); PhInitFormatS(&format[2], L"..."); message = PhFormat(format, RTL_NUMBER_OF(format), 0); } break; case IncludeVmRegionCallback: { PH_FORMAT format[2]; //CallbackOutput->Continue = TRUE; // Processing memory %lu... PhInitFormatS(&format[0], L"Processing memory regions"); //PhInitFormatI64X(&format[1], CallbackOutput->VmRegion.BaseAddress); PhInitFormatS(&format[1], L"..."); message = PhFormat(format, RTL_NUMBER_OF(format), 0); } break; case WriteKernelMinidumpCallback: { static CONST PH_STRINGREF kernelDumpFileExt = PH_STRINGREF_INIT(L".kernel.dmp"); HANDLE kernelDumpFileHandle; PPH_STRING kernelDumpFileName; if (!context->EnableKernelSnapshot) break; if (!PhGetOwnTokenAttributes().Elevated) break; if (kernelDumpFileName = PhGetBaseNameChangeExtension(&context->FileName->sr, &kernelDumpFileExt)) { if (NT_SUCCESS(PhCreateFileWin32( &kernelDumpFileHandle, PhGetString(kernelDumpFileName), FILE_GENERIC_WRITE | DELETE, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { context->KernelFileHandle = kernelDumpFileHandle; CallbackOutput->Handle = kernelDumpFileHandle; } PhDereferenceObject(kernelDumpFileName); } } break; case KernelMinidumpStatusCallback: { PH_FORMAT format[2]; if (!context->EnableKernelSnapshot) break; PhInitFormatS(&format[0], L"Processing kernel minidump"); PhInitFormatS(&format[1], L"..."); message = PhFormat(format, RTL_NUMBER_OF(format), 0); } break; } if (message) { SendMessage(context->WindowHandle, WM_PH_MINIDUMP_STATUS_UPDATE, 0, (LPARAM)message->Buffer); PhDereferenceObject(message); } return TRUE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpProcessMiniDumpThreadStart( _In_ PVOID Parameter ) { PPH_PROCESS_MINIDUMP_CONTEXT context = Parameter; MINIDUMP_CALLBACK_INFORMATION callbackInfo; HANDLE processSnapshotHandle = NULL; HANDLE packageTaskHandle = NULL; HANDLE processHandle = NULL; LONG status; callbackInfo.CallbackRoutine = PhpProcessMiniDumpCallback; callbackInfo.CallbackParam = context; #ifdef _WIN64 if (context->IsWow64Process) { if (PhUiConnectToPhSvcEx(NULL, Wow64PhSvcMode, FALSE)) { if (NT_SUCCESS(status = PhSvcCallWriteMiniDumpProcess( context->ProcessHandle, context->ProcessId, context->FileHandle, context->DumpType ))) { context->Succeeded = TRUE; } else { SendMessage(context->WindowHandle, WM_PH_MINIDUMP_ERROR, 0, (LPARAM)PhNtStatusToDosError(status)); } PhUiDisconnectFromPhSvc(); goto Completed; } else { if (PhShowMessage2( context->WindowHandle, TD_YES_BUTTON | TD_NO_BUTTON, TD_WARNING_ICON, L"The 32-bit version of System Informer could not be located.", L"A 64-bit dump will be created instead. Do you want to continue?" ) == IDNO) { goto Completed; } } } #endif if (context->ProcessItem->IsPackagedProcess) { // Set the task completion notification (based on taskmgr.exe) (dmex) //PhAppResolverPackageStopSessionRedirection(context->ProcessItem->PackageFullName); PhAppResolverBeginCrashDumpTaskByHandle(context->ProcessHandle, &packageTaskHandle); } if (context->EnableKernelSnapshot) { if (!PhGetOwnTokenAttributes().Elevated) { PhShowWarning2( context->WindowHandle, L"Unable to create kernel minidump.", L"%s", L"Kernel minidump of processes require administrative privileges. " L"Make sure System Informer is running with administrative privileges." ); } } else { if (context->EnableProcessSnapshot && context->ProcessId != NtCurrentProcessId()) // Don't use snapshots for the current process (dmex) { HANDLE snapshotHandle; if (NT_SUCCESS(PhCreateProcessSnapshot( &snapshotHandle, context->ProcessHandle ))) { processSnapshotHandle = snapshotHandle; context->IsProcessSnapshot = TRUE; } } } if (context->EnableProcessSnapshot && context->IsProcessSnapshot && processSnapshotHandle) processHandle = processSnapshotHandle; else processHandle = context->ProcessHandle; status = PhWriteMiniDumpProcess( processHandle, context->ProcessId, context->FileHandle, context->DumpType, NULL, NULL, &callbackInfo ); if (HR_SUCCESS(status)) { context->Succeeded = TRUE; } else { SendMessage(context->WindowHandle, WM_PH_MINIDUMP_ERROR, 0, (LPARAM)status); } if (processSnapshotHandle) PhFreeProcessSnapshot(processSnapshotHandle, context->ProcessHandle); if (packageTaskHandle) PhAppResolverEndCrashDumpTask(packageTaskHandle); #ifdef _WIN64 Completed: #endif if (context->Succeeded) { SendMessage(context->WindowHandle, WM_PH_MINIDUMP_COMPLETED, 0, 0); } else { PhSetFileDelete(context->FileHandle); } PhDereferenceObject(context); return STATUS_SUCCESS; } INT_PTR CALLBACK PhpProcessMiniDumpDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_MINIDUMP_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PPH_PROCESS_MINIDUMP_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, context->ParentWindowHandle); PhSetWindowText(hwndDlg, L"Creating the dump file..."); PhSetDialogItemText(hwndDlg, IDC_PROGRESSTEXT, L"Creating the dump file..."); PhSetWindowStyle(GetDlgItem(hwndDlg, IDC_PROGRESS), PBS_MARQUEE, PBS_MARQUEE); SendMessage(GetDlgItem(hwndDlg, IDC_PROGRESS), PBM_SETMARQUEE, TRUE, 75); PhReferenceObject(context); PhCreateThread2(PhpProcessMiniDumpThreadStart, context); PhSetTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT, 500, NULL); } break; case WM_DESTROY: { PhKillTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDereferenceObject(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: { EnableWindow(GetDlgItem(hwndDlg, IDCANCEL), FALSE); context->Stop = TRUE; } break; } } break; case WM_TIMER: { if (wParam == PH_WINDOW_TIMER_DEFAULT) { ULONG64 currentTickCount; currentTickCount = NtGetTickCount64(); if (currentTickCount - context->LastTickCount >= 2000) { // No status message update for 2 seconds. PhSetDialogItemText(hwndDlg, IDC_PROGRESSTEXT, L"Creating the dump file..."); context->LastTickCount = currentTickCount; } } } break; case WM_PH_MINIDUMP_STATUS_UPDATE: PhSetDialogItemText(hwndDlg, IDC_PROGRESSTEXT, (PWSTR)lParam); context->LastTickCount = NtGetTickCount64(); break; case WM_PH_MINIDUMP_ERROR: PhShowStatus(hwndDlg, L"Unable to create the minidump", 0, (ULONG)lParam); break; case WM_PH_MINIDUMP_COMPLETED: EndDialog(hwndDlg, IDOK); break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } HRESULT CALLBACK PhpProcessMiniDumpErrorPageCallbackProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { return S_OK; } LRESULT CALLBACK PhpProcessMiniDumpTaskDialogSubclassProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_MINIDUMP_CONTEXT context; WNDPROC oldWndProc; if (!(context = PhGetWindowContext(hwndDlg, 0xF))) return 0; oldWndProc = context->DefaultTaskDialogWindowProc; switch (uMsg) { case WM_DESTROY: { PhSetWindowProcedure(hwndDlg, oldWndProc); PhRemoveWindowContext(hwndDlg, 0xF); } break; case WM_PH_MINIDUMP_STATUS_UPDATE: { SendMessage(hwndDlg, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, lParam); context->LastTickCount = NtGetTickCount64(); } break; case WM_PH_MINIDUMP_ERROR: { TASKDIALOGCONFIG config; PPH_STRING statusMessage; if (context->Stop) { SendMessage(hwndDlg, TDM_CLICK_BUTTON, IDOK, 0); break; } if (statusMessage = PhGetStatusMessage(0, (ULONG)lParam)) { PhMoveReference(&context->ErrorMessage, statusMessage); } memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_CAN_BE_MINIMIZED; config.hMainIcon = PhGetApplicationIcon(FALSE); config.dwCommonButtons = TDCBF_CLOSE_BUTTON; config.pfCallback = PhpProcessMiniDumpErrorPageCallbackProc; config.lpCallbackData = (LONG_PTR)context; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Unable to create the minidump."; config.pszContent = PhGetStringOrDefault(context->ErrorMessage, L"Unknown error."); PhTaskDialogNavigatePage(context->WindowHandle, &config); } break; case WM_PH_MINIDUMP_COMPLETED: SendMessage(hwndDlg, TDM_CLICK_BUTTON, IDOK, 0); break; } return CallWindowProc(oldWndProc, hwndDlg, uMsg, wParam, lParam); } HRESULT CALLBACK PhpProcessMiniDumpTaskDialogCallbackProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { PPH_PROCESS_MINIDUMP_CONTEXT context = (PPH_PROCESS_MINIDUMP_CONTEXT)dwRefData; switch (uMsg) { case TDN_DIALOG_CONSTRUCTED: { context->WindowHandle = hwndDlg; PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, context->ParentWindowHandle); context->DefaultTaskDialogWindowProc = PhGetWindowProcedure(hwndDlg); PhSetWindowContext(hwndDlg, 0xF, context); PhSetWindowProcedure(hwndDlg, PhpProcessMiniDumpTaskDialogSubclassProc); SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); PhReferenceObject(context); PhCreateThread2(PhpProcessMiniDumpThreadStart, context); } break; case TDN_TIMER: { ULONG64 currentTickCount; currentTickCount = NtGetTickCount64(); if (currentTickCount - context->LastTickCount >= 2000) { // No status message update for 2 seconds. //SendMessage(hwndDlg, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)L"Creating the minidump file..."); context->LastTickCount = currentTickCount; } } break; case TDN_BUTTON_CLICKED: { ULONG buttonId = (ULONG)wParam; if (buttonId == IDCANCEL) { context->Stop = TRUE; SendMessage(hwndDlg, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)L"Cancelling..."); return S_FALSE; } } break; } return S_OK; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpProcessMiniDumpTaskDialogThread( _In_ PVOID ThreadParameter ) { PPH_PROCESS_MINIDUMP_CONTEXT context = (PPH_PROCESS_MINIDUMP_CONTEXT)ThreadParameter; TASKDIALOGCONFIG config; memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_SHOW_MARQUEE_PROGRESS_BAR | TDF_CALLBACK_TIMER | TDF_CAN_BE_MINIMIZED; config.hMainIcon = PhGetApplicationIcon(FALSE); config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.pfCallback = PhpProcessMiniDumpTaskDialogCallbackProc; config.lpCallbackData = (LONG_PTR)context; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Creating the minidump file..."; config.pszContent = L"Creating the minidump file..."; config.cxWidth = 200; PhShowTaskDialog(&config, NULL, NULL, NULL); PhDereferenceObject(context); return STATUS_SUCCESS; } typedef struct _PH_MINIDUMP_OPTION_ENTRY { ULONG Id; MINIDUMP_TYPE Type; } PH_MINIDUMP_OPTION_ENTRY, *PPH_MINIDUMP_OPTION_ENTRY; INT_PTR CALLBACK PhpProcDumpDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { static CONST PH_MINIDUMP_OPTION_ENTRY options[] = { { IDC_MINIDUMP_NORMAL, MiniDumpNormal }, { IDC_MINIDUMP_WITH_DATA_SEGS, MiniDumpWithDataSegs }, { IDC_MINIDUMP_WITH_FULL_MEM, MiniDumpWithFullMemory }, { IDC_MINIDUMP_WITH_HANDLE_DATA, MiniDumpWithHandleData }, { IDC_MINIDUMP_FILTER_MEMORY, MiniDumpFilterMemory }, { IDC_MINIDUMP_SCAN_MEMORY, MiniDumpScanMemory }, { IDC_MINIDUMP_WITH_UNLOADED_MODULES, MiniDumpWithUnloadedModules }, { IDC_MINIDUMP_WITH_INDIRECT_REFERENCED_MEM, MiniDumpWithIndirectlyReferencedMemory }, { IDC_MINIDUMP_FILTER_MODULE_PATHS, MiniDumpFilterModulePaths }, { IDC_MINIDUMP_WITH_PROC_THRD_DATA, MiniDumpWithProcessThreadData }, { IDC_MINIDUMP_WITH_PRIVATE_RW_MEM, MiniDumpWithPrivateReadWriteMemory }, { IDC_MINIDUMP_WITHOUT_OPTIONAL_DATA, MiniDumpWithoutOptionalData }, { IDC_MINIDUMP_WITH_FULL_MEM_INFO, MiniDumpWithFullMemoryInfo }, { IDC_MINIDUMP_WITH_THRD_INFO, MiniDumpWithThreadInfo }, { IDC_MINIDUMP_WITH_CODE_SEGS, MiniDumpWithCodeSegs }, { IDC_MINIDUMP_WITHOUT_AUXILIARY_STATE, MiniDumpWithoutAuxiliaryState }, { IDC_MINIDUMP_WITH_FULL_AUXILIARY_STATE, MiniDumpWithFullAuxiliaryState }, { IDC_MINIDUMP_WITH_PRIVATE_WRITE_COPY_MEM, MiniDumpWithPrivateWriteCopyMemory }, { IDC_MINIDUMP_IGNORE_INACCESSIBLE_MEM, MiniDumpIgnoreInaccessibleMemory }, { IDC_MINIDUMP_WITH_TOKEN_INFO, MiniDumpWithTokenInformation }, { IDC_MINIDUMP_WITH_MODULE_HEADERS, MiniDumpWithModuleHeaders }, { IDC_MINIDUMP_FILTER_TRIAGE, MiniDumpFilterTriage }, { IDC_MINIDUMP_WITH_AVXX_STATE_CONTEXT, MiniDumpWithAvxXStateContext }, { IDC_MINIDUMP_WITH_IPT_TRACE, MiniDumpWithIptTrace }, { IDC_MINIDUMP_SCAN_INACCESSIBLE_PARTIAL_PAGES, MiniDumpScanInaccessiblePartialPages }, { IDC_MINIDUMP_FILTER_WRITE_COMBINE_MEM, MiniDumpFilterWriteCombinedMemory }, }; PPH_PROCESS_ITEM processItem; if (uMsg == WM_INITDIALOG) { processItem = (PPH_PROCESS_ITEM)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, processItem); } else { processItem = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, NULL); Button_SetCheck(GetDlgItem(hwndDlg, IDC_MINIDUMP_NORMAL), BST_CHECKED); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { MINIDUMP_TYPE dumpType; dumpType = 0; for (ULONG i = 0; i < RTL_NUMBER_OF(options); i++) { if (Button_GetCheck(GetDlgItem(hwndDlg, options[i].Id)) == BST_CHECKED) dumpType |= options[i].Type; } PhUiCreateDumpFileProcess(hwndDlg, processItem, dumpType); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhShowCreateDumpFileProcessDialog( _In_ HWND WindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_PROCDUMP), WindowHandle, PhpProcDumpDlgProc, ProcessItem ); } ================================================ FILE: SystemInformer/memedit.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #include #include #include #include #include #define WM_PH_SELECT_OFFSET (WM_APP + 300) typedef struct _MEMORY_EDITOR_CONTEXT { PH_AVL_LINKS Links; union { struct { HANDLE ProcessId; PVOID BaseAddress; SIZE_T RegionSize; }; ULONG_PTR Key[3]; }; HWND WindowHandle; HWND OwnerHandle; HWND HexEditHandle; PH_LAYOUT_MANAGER LayoutManager; PUCHAR Buffer; ULONG SelectOffset; PPH_STRING Title; ULONG Flags; BOOLEAN LoadCompleted; } MEMORY_EDITOR_CONTEXT, *PMEMORY_EDITOR_CONTEXT; INT NTAPI PhpMemoryEditorCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ); INT_PTR CALLBACK PhpMemoryEditorDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); PH_AVL_TREE PhMemoryEditorSet = PH_AVL_TREE_INIT(PhpMemoryEditorCompareFunction); static RECT MinimumSize = { -1, -1, -1, -1 }; VOID PhShowMemoryEditorDialog( _In_ HWND OwnerWindow, _In_ HANDLE ProcessId, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _In_ ULONG SelectOffset, _In_ ULONG SelectLength, _In_opt_ PPH_STRING Title, _In_ ULONG Flags ) { PMEMORY_EDITOR_CONTEXT context; MEMORY_EDITOR_CONTEXT lookupContext; PPH_AVL_LINKS links; lookupContext.ProcessId = ProcessId; lookupContext.BaseAddress = BaseAddress; lookupContext.RegionSize = RegionSize; links = PhFindElementAvlTree(&PhMemoryEditorSet, &lookupContext.Links); if (!links) { NTSTATUS status; PVOID buffer; if (RegionSize > 1024ULL * 1024ULL * 1024ULL) // 1 GB { PhShowStatus(OwnerWindow, L"Unable to edit the memory region.", 0, MEM_E_INVALID_SIZE); return; } status = PhAllocateVirtualMemory(NtCurrentProcess(), &buffer, RegionSize, MEM_COMMIT, PAGE_READWRITE); if (!NT_SUCCESS(status)) { PhShowStatus(OwnerWindow, L"Unable to edit the memory region.", status, 0); return; } { HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_VM_READ, ProcessId ); if (NT_SUCCESS(status)) { status = PhReadVirtualMemory( processHandle, BaseAddress, buffer, RegionSize, NULL ); NtClose(processHandle); if (!NT_SUCCESS(status)) { PhShowStatus(OwnerWindow, L"Unable to read memory", status, 0); return; } } else { PhShowStatus(OwnerWindow, L"Unable to open the process", status, 0); return; } } context = PhAllocateZero(sizeof(MEMORY_EDITOR_CONTEXT)); context->OwnerHandle = OwnerWindow; context->ProcessId = ProcessId; context->BaseAddress = BaseAddress; context->RegionSize = RegionSize; context->SelectOffset = SelectOffset; PhSwapReference(&context->Title, Title); context->Flags = Flags; context->Buffer = buffer; context->WindowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMEDIT), NULL, PhpMemoryEditorDlgProc, context ); if (!context->LoadCompleted) { DestroyWindow(context->WindowHandle); return; } if (SelectOffset != ULONG_MAX) PostMessage(context->WindowHandle, WM_PH_SELECT_OFFSET, SelectOffset, SelectLength); PhRegisterDialog(context->WindowHandle); PhAddElementAvlTree(&PhMemoryEditorSet, &context->Links); ShowWindow(context->WindowHandle, SW_SHOW); SetForegroundWindow(context->WindowHandle); } else { context = CONTAINING_RECORD(links, MEMORY_EDITOR_CONTEXT, Links); if (IsMinimized(context->WindowHandle)) ShowWindow(context->WindowHandle, SW_RESTORE); else SetForegroundWindow(context->WindowHandle); if (SelectOffset != ULONG_MAX) PostMessage(context->WindowHandle, WM_PH_SELECT_OFFSET, SelectOffset, SelectLength); // Just in case. if ((Flags & PH_MEMORY_EDITOR_UNMAP_VIEW_OF_SECTION) && ProcessId == NtCurrentProcessId()) PhUnmapViewOfSection(NtCurrentProcess(), BaseAddress); } } INT NTAPI PhpMemoryEditorCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ) { PMEMORY_EDITOR_CONTEXT context1 = CONTAINING_RECORD(Links1, MEMORY_EDITOR_CONTEXT, Links); PMEMORY_EDITOR_CONTEXT context2 = CONTAINING_RECORD(Links2, MEMORY_EDITOR_CONTEXT, Links); return memcmp(context1->Key, context2->Key, sizeof(context1->Key)); } INT_PTR CALLBACK PhpMemoryEditorDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PMEMORY_EDITOR_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PMEMORY_EDITOR_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(hwndDlg); if (context->Title) { PhSetWindowText(hwndDlg, context->Title->Buffer); } else { PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(context->ProcessId)) { PhSetWindowText(hwndDlg, PhaFormatString(L"%s (%u) (0x%Ix - 0x%Ix)", processItem->ProcessName->Buffer, HandleToUlong(context->ProcessId), (ULONG_PTR)context->BaseAddress, (ULONG_PTR)context->BaseAddress + context->RegionSize)->Buffer); PhDereferenceObject(processItem); } } PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_BYTESPERROW), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_GOTO), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_WRITE), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REREAD), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); if (MinimumSize.left == -1) { RECT rect; rect.left = 0; rect.top = 0; rect.right = 290; rect.bottom = 140; MapDialogRect(hwndDlg, &rect); MinimumSize = rect; MinimumSize.left = 0; } context->HexEditHandle = GetDlgItem(hwndDlg, IDC_MEMORY); PhAddLayoutItem(&context->LayoutManager, context->HexEditHandle, NULL, PH_ANCHOR_ALL); HexEdit_SetBuffer(context->HexEditHandle, context->Buffer, (ULONG)context->RegionSize); { PH_RECTANGLE windowRectangle = { 0 }; windowRectangle.Position = PhGetIntegerPairSetting(SETTING_MEM_EDIT_POSITION); if (windowRectangle.Position.X == 0) { PhCenterWindow(hwndDlg, context->OwnerHandle); } else { RECT rect; LONG dpiValue; PhRectangleToRect(&rect, &windowRectangle); dpiValue = PhGetMonitorDpi(NULL, &rect); windowRectangle.Size = PhGetScalableIntegerPairSetting(SETTING_MEM_EDIT_SIZE, TRUE, dpiValue)->Pair; PhAdjustRectangleToWorkingArea(NULL, &windowRectangle); MoveWindow(hwndDlg, windowRectangle.Left, windowRectangle.Top, windowRectangle.Width, windowRectangle.Height, FALSE); // Implement cascading by saving an offsetted rectangle. windowRectangle.Left += 20; windowRectangle.Top += 20; PhSetIntegerPairSetting(SETTING_MEM_EDIT_POSITION, windowRectangle.Position); PhSetScalableIntegerPairSetting2(SETTING_MEM_EDIT_SIZE, windowRectangle.Size, dpiValue); } } { PWSTR bytesPerRowStrings[7]; ULONG i; ULONG bytesPerRow; for (i = 0; i < sizeof(bytesPerRowStrings) / sizeof(PWSTR); i++) bytesPerRowStrings[i] = PhaFormatString(L"%u bytes per row", 1 << (2 + i))->Buffer; PhAddComboBoxStrings(GetDlgItem(hwndDlg, IDC_BYTESPERROW), bytesPerRowStrings, sizeof(bytesPerRowStrings) / sizeof(PWSTR)); bytesPerRow = PhGetIntegerSetting(SETTING_MEM_EDIT_BYTES_PER_ROW); if (bytesPerRow >= 4) { HexEdit_SetBytesPerRow(context->HexEditHandle, bytesPerRow); PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_BYTESPERROW), PhaFormatString(L"%u bytes per row", bytesPerRow)->Buffer, FALSE); } } PhInitializeWindowTheme(hwndDlg, !!PhGetIntegerSetting(SETTING_ENABLE_THEME_SUPPORT)); context->LoadCompleted = TRUE; } break; case WM_DESTROY: { if (context->LoadCompleted) { PhSaveWindowPlacementToSetting(SETTING_MEM_EDIT_POSITION, SETTING_MEM_EDIT_SIZE, hwndDlg); PhRemoveElementAvlTree(&PhMemoryEditorSet, &context->Links); PhUnregisterDialog(hwndDlg); } PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteLayoutManager(&context->LayoutManager); if (context->Buffer) PhFreePage(context->Buffer); PhClearReference(&context->Title); if ((context->Flags & PH_MEMORY_EDITOR_UNMAP_VIEW_OF_SECTION) && context->ProcessId == NtCurrentProcessId()) PhUnmapViewOfSection(NtCurrentProcess(), context->BaseAddress); PhFree(context); } break; case WM_SHOWWINDOW: { PhSetDialogFocus(hwndDlg, context->HexEditHandle); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Binary files (*.bin)", L"*.bin" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; PPH_PROCESS_ITEM processItem; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); if (!context->Title && (processItem = PhReferenceProcessItem(context->ProcessId))) { PhSetFileDialogFileName(fileDialog, PhaFormatString(L"%s_0x%Ix-0x%Ix.bin", processItem->ProcessName->Buffer, context->BaseAddress, context->RegionSize)->Buffer); PhDereferenceObject(processItem); } else { PhSetFileDialogFileName(fileDialog, L"Memory.bin"); } if (PhShowFileDialog(hwndDlg, fileDialog)) { NTSTATUS status; PPH_STRING fileName; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { status = PhWriteFileStream(fileStream, context->Buffer, (ULONG)context->RegionSize); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; case IDC_GOTO: { PPH_STRING selectedChoice = NULL; while (PhaChoiceDialog( hwndDlg, L"Go to Offset", L"Enter an offset:", NULL, 0, NULL, PH_CHOICE_DIALOG_USER_CHOICE, &selectedChoice, NULL, SETTING_MEM_EDIT_GOTO_CHOICES )) { ULONG64 offset; if (selectedChoice->Length == 0) continue; if (PhStringToInteger64(&selectedChoice->sr, 0, &offset)) { if (offset >= context->RegionSize) { PhShowStatus(hwndDlg, L"Unable to edit the memory region.", 0, MEM_E_INVALID_SIZE); continue; } PhSetDialogFocus(hwndDlg, context->HexEditHandle); HexEdit_SetSel(context->HexEditHandle, (LONG)offset, (LONG)offset); break; } } } break; case IDC_WRITE: { NTSTATUS status; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) && !PhShowConfirmMessage( hwndDlg, L"write", L"process memory", L"Some programs may restrict access or ban your account when editing the memory of the process.", FALSE )) { break; } { HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_VM_READ | PROCESS_VM_WRITE, context->ProcessId ); if (NT_SUCCESS(status)) { status = PhWriteVirtualMemory( processHandle, context->BaseAddress, context->Buffer, context->RegionSize, NULL ); NtClose(processHandle); if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to write memory", status, 0); } } else { PhShowStatus(hwndDlg, L"Unable to open the process", status, 0); } } } break; case IDC_REREAD: { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_VM_READ, context->ProcessId ); if (NT_SUCCESS(status)) { status = PhReadVirtualMemory( processHandle, context->BaseAddress, context->Buffer, context->RegionSize, NULL ); NtClose(processHandle); if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to read memory", status, 0); } } else { PhShowStatus(hwndDlg, L"Unable to open the process", status, 0); } InvalidateRect(context->HexEditHandle, NULL, TRUE); } break; case IDC_BYTESPERROW: if (HIWORD(wParam) == CBN_SELCHANGE) { PPH_STRING bytesPerRowString = PhaGetDlgItemText(hwndDlg, IDC_BYTESPERROW); PH_STRINGREF firstPart; PH_STRINGREF secondPart; ULONG64 bytesPerRow64; if (PhSplitStringRefAtChar(&bytesPerRowString->sr, L' ', &firstPart, &secondPart)) { if (PhStringToInteger64(&firstPart, 10, &bytesPerRow64)) { PhSetIntegerSetting(SETTING_MEM_EDIT_BYTES_PER_ROW, (ULONG)bytesPerRow64); HexEdit_SetBytesPerRow(context->HexEditHandle, (ULONG)bytesPerRow64); PhSetDialogFocus(hwndDlg, context->HexEditHandle); } } } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_PH_SELECT_OFFSET: { HexEdit_SetEditMode(context->HexEditHandle, EDIT_ASCII); HexEdit_SetSel(context->HexEditHandle, (ULONG)wParam, PtrToUlong(PTR_ADD_OFFSET(wParam, lParam))); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/memlist.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015 * dmex 2017-2023 * */ #include #include #include #include #include #include #include VOID PhpClearMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context ); VOID PhpDestroyMemoryNode( _In_ PPH_MEMORY_NODE MemoryNode ); _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpMemoryTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); BOOLEAN NTAPI PhpMemoryTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); VOID PhInitializeMemoryList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_MEMORY_LIST_CONTEXT Context ) { BOOLEAN enableMonospaceFont = !!PhGetIntegerSetting(SETTING_ENABLE_MONOSPACE_FONT); memset(Context, 0, sizeof(PH_MEMORY_LIST_CONTEXT)); Context->AllocationBaseNodeList = PhCreateList(100); Context->RegionNodeList = PhCreateList(400); Context->ParentWindowHandle = ParentWindowHandle; Context->TreeNewHandle = TreeNewHandle; PhSetControlTheme(TreeNewHandle, L"explorer"); TreeNew_SetRedraw(TreeNewHandle, FALSE); TreeNew_SetCallback(TreeNewHandle, PhpMemoryTreeNewCallback, Context); // Default columns PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_BASEADDRESS, TRUE, L"Base address", 120, PH_ALIGN_LEFT | (enableMonospaceFont ? PH_ALIGN_MONOSPACE_FONT : 0), -2, 0); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_TYPE, TRUE, L"Type", 90, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_SIZE, TRUE, L"Size", 80, PH_ALIGN_RIGHT, 1, DT_RIGHT, TRUE); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_PROTECTION, TRUE, L"Protection", 60, PH_ALIGN_LEFT, 2, 0); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_USE, TRUE, L"Use", 200, PH_ALIGN_LEFT, 3, 0); PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_TOTALWS, TRUE, L"Total WS", 80, PH_ALIGN_RIGHT, 4, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_PRIVATEWS, TRUE, L"Private WS", 80, PH_ALIGN_RIGHT, 5, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_SHAREABLEWS, TRUE, L"Shareable WS", 80, PH_ALIGN_RIGHT, 6, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_SHAREDWS, TRUE, L"Shared WS", 80, PH_ALIGN_RIGHT, 7, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_LOCKEDWS, TRUE, L"Locked WS", 80, PH_ALIGN_RIGHT, 8, DT_RIGHT, TRUE); // Customizable columns PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_COMMITTED, FALSE, L"Committed", 80, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(TreeNewHandle, PHMMTLC_PRIVATE, FALSE, L"Private", 80, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_SIGNING_LEVEL, FALSE, L"Signing level", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_ORIGINAL_PROTECTION, FALSE, L"Original protection", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_ORIGINAL_PAGES, FALSE, L"Original pages", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_REGIONTYPE, FALSE, L"Region type", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PHMMTLC_PRIORITY, FALSE, L"Priority", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhCmInitializeManager(&Context->Cm, TreeNewHandle, PHMMTLC_MAXIMUM, PhpMemoryTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&Context->AllocationTreeFilterSupport, TreeNewHandle, Context->AllocationBaseNodeList); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, TreeNewHandle, Context->RegionNodeList); TreeNew_SetTriState(TreeNewHandle, TRUE); TreeNew_SetRedraw(TreeNewHandle, TRUE); } VOID PhpClearMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context ) { ULONG i; for (i = 0; i < Context->AllocationBaseNodeList->Count; i++) PhpDestroyMemoryNode(Context->AllocationBaseNodeList->Items[i]); for (i = 0; i < Context->RegionNodeList->Count; i++) PhpDestroyMemoryNode(Context->RegionNodeList->Items[i]); PhClearList(Context->AllocationBaseNodeList); PhClearList(Context->RegionNodeList); } VOID PhDeleteMemoryList( _In_ PPH_MEMORY_LIST_CONTEXT Context ) { PhDeleteTreeNewFilterSupport(&Context->AllocationTreeFilterSupport); PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); PhCmDeleteManager(&Context->Cm); PhpClearMemoryList(Context); PhDereferenceObject(Context->AllocationBaseNodeList); PhDereferenceObject(Context->RegionNodeList); } VOID PhLoadSettingsMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context ) { ULONG flags; PPH_STRING settings; PPH_STRING sortSettings; flags = PhGetIntegerSetting(SETTING_MEMORY_LIST_FLAGS); settings = PhGetStringSetting(SETTING_MEMORY_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_MEMORY_TREE_LIST_SORT); Context->Flags = flags; PhCmLoadSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSaveSettingsMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &sortSettings); PhSetIntegerSetting(SETTING_MEMORY_LIST_FLAGS, Context->Flags); PhSetStringSetting2(SETTING_MEMORY_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_MEMORY_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSetOptionsMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_ ULONG Options ) { switch (Options) { case PH_MEMORY_FLAGS_FREE_OPTION: Context->HideFreeRegions = !Context->HideFreeRegions; break; case PH_MEMORY_FLAGS_RESERVED_OPTION: Context->HideReservedRegions = !Context->HideReservedRegions; break; case PH_MEMORY_FLAGS_PRIVATE_OPTION: Context->HighlightPrivatePages = !Context->HighlightPrivatePages; break; case PH_MEMORY_FLAGS_SYSTEM_OPTION: Context->HighlightSystemPages = !Context->HighlightSystemPages; break; case PH_MEMORY_FLAGS_CFG_OPTION: Context->HighlightCfgPages = !Context->HighlightCfgPages; break; case PH_MEMORY_FLAGS_EXECUTE_OPTION: Context->HighlightExecutePages = !Context->HighlightExecutePages; break; case PH_MEMORY_FLAGS_GUARD_OPTION: Context->HideGuardRegions = !Context->HideGuardRegions; break; case PH_MEMORY_FLAGS_ZERO_PAD_ADDRESSES: Context->ZeroPadAddresses = !Context->ZeroPadAddresses; break; } } VOID PhpDestroyMemoryNode( _In_ PPH_MEMORY_NODE MemoryNode ) { PhEmCallObjectOperation(EmMemoryNodeType, MemoryNode, EmObjectDelete); if (MemoryNode->SizeText) PhDereferenceObject(MemoryNode->SizeText); if (MemoryNode->UseText) PhDereferenceObject(MemoryNode->UseText); if (MemoryNode->TotalWsText) PhDereferenceObject(MemoryNode->TotalWsText); if (MemoryNode->PrivateWsText) PhDereferenceObject(MemoryNode->PrivateWsText); if (MemoryNode->ShareableWsText) PhDereferenceObject(MemoryNode->ShareableWsText); if (MemoryNode->SharedWsText) PhDereferenceObject(MemoryNode->SharedWsText); if (MemoryNode->LockedWsText) PhDereferenceObject(MemoryNode->LockedWsText); if (MemoryNode->CommittedText) PhDereferenceObject(MemoryNode->CommittedText); if (MemoryNode->PrivateText) PhDereferenceObject(MemoryNode->PrivateText); if (MemoryNode->RegionTypeText) PhDereferenceObject(MemoryNode->RegionTypeText); if (MemoryNode->PriorityText) PhDereferenceObject(MemoryNode->PriorityText); if (MemoryNode->Children) PhDereferenceObject(MemoryNode->Children); PhDereferenceObject(MemoryNode->MemoryItem); PhFree(MemoryNode); } PPH_MEMORY_NODE PhpAddAllocationBaseNode( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_ PVOID AllocationBase ) { PPH_MEMORY_NODE memoryNode; PPH_MEMORY_ITEM memoryItem; memoryNode = PhAllocate(PhEmGetObjectSize(EmMemoryNodeType, sizeof(PH_MEMORY_NODE))); memset(memoryNode, 0, sizeof(PH_MEMORY_NODE)); PhInitializeTreeNewNode(&memoryNode->Node); memoryNode->Node.Expanded = FALSE; memoryNode->IsAllocationBase = TRUE; memoryItem = PhCreateMemoryItem(); memoryNode->MemoryItem = memoryItem; memoryItem->BaseAddress = AllocationBase; memoryItem->AllocationBase = AllocationBase; if (Context->ZeroPadAddresses) PhPrintPointerPadZeros(memoryItem->BaseAddressString, memoryItem->BaseAddress); else PhPrintPointer(memoryItem->BaseAddressString, memoryItem->BaseAddress); memoryNode->Children = PhCreateList(1); memset(memoryNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMMTLC_MAXIMUM); memoryNode->Node.TextCache = memoryNode->TextCache; memoryNode->Node.TextCacheSize = PHMMTLC_MAXIMUM; PhAddItemList(Context->AllocationBaseNodeList, memoryNode); if (Context->AllocationTreeFilterSupport.FilterList) memoryNode->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->AllocationTreeFilterSupport, &memoryNode->Node); PhEmCallObjectOperation(EmMemoryNodeType, memoryNode, EmObjectCreate); return memoryNode; } PPH_MEMORY_NODE PhpAddRegionNode( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_ PPH_MEMORY_ITEM MemoryItem ) { PPH_MEMORY_NODE memoryNode; memoryNode = PhAllocate(PhEmGetObjectSize(EmMemoryNodeType, sizeof(PH_MEMORY_NODE))); memset(memoryNode, 0, sizeof(PH_MEMORY_NODE)); PhInitializeTreeNewNode(&memoryNode->Node); memoryNode->IsAllocationBase = FALSE; memoryNode->MemoryItem = MemoryItem; PhReferenceObject(MemoryItem); memset(memoryNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMMTLC_MAXIMUM); memoryNode->Node.TextCache = memoryNode->TextCache; memoryNode->Node.TextCacheSize = PHMMTLC_MAXIMUM; PhAddItemList(Context->RegionNodeList, memoryNode); if (Context->TreeFilterSupport.FilterList) memoryNode->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->TreeFilterSupport, &memoryNode->Node); PhEmCallObjectOperation(EmMemoryNodeType, memoryNode, EmObjectCreate); return memoryNode; } VOID PhpCopyMemoryRegionTypeInfo( _In_ PPH_MEMORY_ITEM Source, _Inout_ PPH_MEMORY_ITEM Destination ) { if (Destination->RegionType == CustomRegion) PhClearReference(&Destination->u.Custom.Text); else if (Destination->RegionType == MappedFileRegion) PhClearReference(&Destination->u.MappedFile.FileName); Destination->RegionTypeEx = Source->RegionTypeEx; Destination->RegionType = Source->RegionType; Destination->u = Source->u; if (Destination->RegionType == CustomRegion) PhReferenceObject(Destination->u.Custom.Text); else if (Destination->RegionType == MappedFileRegion) PhReferenceObject(Destination->u.MappedFile.FileName); } VOID PhReplaceMemoryList( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_opt_ PPH_MEMORY_ITEM_LIST List ) { PLIST_ENTRY listEntry; PPH_MEMORY_NODE allocationBaseNode = NULL; PhpClearMemoryList(Context); if (!List) { TreeNew_NodesStructured(Context->TreeNewHandle); return; } for (listEntry = List->ListHead.Flink; listEntry != &List->ListHead; listEntry = listEntry->Flink) { PPH_MEMORY_ITEM memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); PPH_MEMORY_NODE memoryNode; if (memoryItem->AllocationBaseItem == memoryItem) allocationBaseNode = PhpAddAllocationBaseNode(Context, memoryItem->AllocationBase); memoryNode = PhpAddRegionNode(Context, memoryItem); if (Context->HideFreeRegions && (memoryItem->State & MEM_FREE)) memoryNode->Node.Visible = FALSE; if (Context->HideGuardRegions && (memoryItem->Protect & PAGE_GUARD)) memoryNode->Node.Visible = FALSE; if (allocationBaseNode && memoryItem->AllocationBase == allocationBaseNode->MemoryItem->BaseAddress) { if (!(memoryItem->State & MEM_FREE)) { memoryNode->Parent = allocationBaseNode; PhAddItemList(allocationBaseNode->Children, memoryNode); } // Aggregate various statistics. allocationBaseNode->MemoryItem->RegionSize += memoryItem->RegionSize; allocationBaseNode->MemoryItem->CommittedSize += memoryItem->CommittedSize; allocationBaseNode->MemoryItem->PrivateSize += memoryItem->PrivateSize; allocationBaseNode->MemoryItem->TotalWorkingSetPages += memoryItem->TotalWorkingSetPages; allocationBaseNode->MemoryItem->PrivateWorkingSetPages += memoryItem->PrivateWorkingSetPages; allocationBaseNode->MemoryItem->SharedWorkingSetPages += memoryItem->SharedWorkingSetPages; allocationBaseNode->MemoryItem->ShareableWorkingSetPages += memoryItem->ShareableWorkingSetPages; allocationBaseNode->MemoryItem->LockedWorkingSetPages += memoryItem->LockedWorkingSetPages; if (memoryItem->AllocationBaseItem == memoryItem) { allocationBaseNode->MemoryItem->Protect = memoryItem->AllocationProtect; allocationBaseNode->MemoryItem->State = memoryItem->State; allocationBaseNode->MemoryItem->Type = memoryItem->Type; PhGetMemoryProtectionString(allocationBaseNode->MemoryItem->Protect, allocationBaseNode->ProtectionText); //PhGetMemoryProtectionString(allocationBaseNode->MemoryItem->AllocationProtect, allocationBaseNode->OriginalProtectionText); if (memoryItem->RegionType != CustomRegion || memoryItem->u.Custom.PropertyOfAllocationBase) PhpCopyMemoryRegionTypeInfo(memoryItem, allocationBaseNode->MemoryItem); if (Context->HideFreeRegions && (allocationBaseNode->MemoryItem->State & MEM_FREE)) allocationBaseNode->Node.Visible = FALSE; if (Context->HideGuardRegions && (allocationBaseNode->MemoryItem->State & PAGE_GUARD)) allocationBaseNode->Node.Visible = FALSE; } else { if (memoryItem->RegionType == UnknownRegion) PhpCopyMemoryRegionTypeInfo(allocationBaseNode->MemoryItem, memoryItem); } } PhGetMemoryProtectionString(memoryItem->Protect, memoryNode->ProtectionText); PhGetMemoryProtectionString(memoryItem->AllocationProtect, memoryNode->OriginalProtectionText); } PhApplyTreeNewFilters(&Context->AllocationTreeFilterSupport); PhApplyTreeNewFilters(&Context->TreeFilterSupport); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhRemoveMemoryNode( _Inout_ PPH_MEMORY_LIST_CONTEXT Context, _In_ PPH_MEMORY_ITEM_LIST List, _In_ PPH_MEMORY_NODE MemoryNode ) { ULONG index; // Remove from list and cleanup. PhRemoveElementAvlTree(&List->Set, &MemoryNode->MemoryItem->Links); RemoveEntryList(&MemoryNode->MemoryItem->ListEntry); if ((index = PhFindItemList(Context->RegionNodeList, MemoryNode)) != ULONG_MAX) PhRemoveItemList(Context->RegionNodeList, index); if (MemoryNode->MemoryItem->AllocationBaseItem == MemoryNode->MemoryItem) { if ((index = PhFindItemList(Context->AllocationBaseNodeList, MemoryNode->Parent)) != ULONG_MAX) PhRemoveItemList(Context->AllocationBaseNodeList, index); } PhpDestroyMemoryNode(MemoryNode); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhUpdateMemoryNode( _In_ PPH_MEMORY_LIST_CONTEXT Context, _In_ PPH_MEMORY_NODE MemoryNode ) { PhGetMemoryProtectionString(MemoryNode->MemoryItem->Protect, MemoryNode->ProtectionText); PhGetMemoryProtectionString(MemoryNode->MemoryItem->AllocationProtect, MemoryNode->OriginalProtectionText); memset(MemoryNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMMTLC_MAXIMUM); TreeNew_InvalidateNode(Context->TreeNewHandle, &MemoryNode->Node); } VOID PhInvalidateAllMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context ) { ULONG i; for (i = 0; i < Context->AllocationBaseNodeList->Count; i++) { PPH_MEMORY_NODE memoryNode = Context->AllocationBaseNodeList->Items[i]; memset(memoryNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMMTLC_MAXIMUM); TreeNew_InvalidateNode(Context->TreeNewHandle, &memoryNode->Node); } for (i = 0; i < Context->RegionNodeList->Count; i++) { PPH_MEMORY_NODE memoryNode = Context->RegionNodeList->Items[i]; memset(memoryNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMMTLC_MAXIMUM); TreeNew_InvalidateNode(Context->TreeNewHandle, &memoryNode->Node); } InvalidateRect(Context->TreeNewHandle, NULL, FALSE); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhInvalidateAllMemoryBaseAddressNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context ) { ULONG i; for (i = 0; i < Context->AllocationBaseNodeList->Count; i++) { PPH_MEMORY_NODE memoryNode = Context->AllocationBaseNodeList->Items[i]; if (Context->ZeroPadAddresses) PhPrintPointerPadZeros(memoryNode->MemoryItem->BaseAddressString, memoryNode->MemoryItem->BaseAddress); else PhPrintPointer(memoryNode->MemoryItem->BaseAddressString, memoryNode->MemoryItem->BaseAddress); memset(memoryNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMMTLC_MAXIMUM); //TreeNew_InvalidateNode(Context->TreeNewHandle, &memoryNode->Node); } for (i = 0; i < Context->RegionNodeList->Count; i++) { PPH_MEMORY_NODE memoryNode = Context->RegionNodeList->Items[i]; if (Context->ZeroPadAddresses) PhPrintPointerPadZeros(memoryNode->MemoryItem->BaseAddressString, memoryNode->MemoryItem->BaseAddress); else PhPrintPointer(memoryNode->MemoryItem->BaseAddressString, memoryNode->MemoryItem->BaseAddress); memset(memoryNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMMTLC_MAXIMUM); //TreeNew_InvalidateNode(Context->TreeNewHandle, &memoryNode->Node); } InvalidateRect(Context->TreeNewHandle, NULL, FALSE); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhExpandAllMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context, _In_ BOOLEAN Expand ) { ULONG i; BOOLEAN needsRestructure = FALSE; for (i = 0; i < Context->AllocationBaseNodeList->Count; i++) { PPH_MEMORY_NODE node = Context->AllocationBaseNodeList->Items[i]; if (node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } for (i = 0; i < Context->RegionNodeList->Count; i++) { PPH_MEMORY_NODE node = Context->RegionNodeList->Items[i]; if (node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } if (needsRestructure) TreeNew_NodesStructured(Context->TreeNewHandle); } extern PCWSTR PhGetProcessHeapClassText( _In_ ULONG HeapClass ); PPH_STRING PhGetMemoryRegionUseText( _In_ PPH_MEMORY_ITEM MemoryItem ) { PH_MEMORY_REGION_TYPE type = MemoryItem->RegionType; switch (type) { case UnknownRegion: return NULL; case CustomRegion: PhReferenceObject(MemoryItem->u.Custom.Text); return MemoryItem->u.Custom.Text; case UnusableRegion: return NULL; case MappedFileRegion: PhReferenceObject(MemoryItem->u.MappedFile.FileName); return MemoryItem->u.MappedFile.FileName; case UserSharedDataRegion: return PhCreateString(L"USER_SHARED_DATA"); case HypervisorSharedDataRegion: return PhCreateString(L"HYPERVISOR_SHARED_DATA"); case PebRegion: case Peb32Region: return PhFormatString(L"PEB%s", type == Peb32Region ? L" 32-bit" : L""); case TebRegion: case Teb32Region: return PhFormatString(L"TEB%s (thread %lu)", type == Teb32Region ? L" 32-bit" : L"", HandleToUlong(MemoryItem->u.Teb.ThreadId)); case StackRegion: case Stack32Region: return PhFormatString(L"Stack%s (thread %lu)", type == Stack32Region ? L" 32-bit" : L"", HandleToUlong(MemoryItem->u.Stack.ThreadId)); case HeapRegion: case Heap32Region: return PhFormatString(L"%s%s (ID %lu)", MemoryItem->u.Heap.ClassValid ? PhGetProcessHeapClassText(MemoryItem->u.Heap.Class) : L"Heap", type == Heap32Region ? L" 32-bit" : L"", (ULONG)MemoryItem->u.Heap.Index + 1); case HeapSegmentRegion: case HeapSegment32Region: return PhFormatString(L"%s Segment%s (ID %lu)", MemoryItem->u.HeapSegment.HeapItem->u.Heap.ClassValid ? PhGetProcessHeapClassText(MemoryItem->u.HeapSegment.HeapItem->u.Heap.Class) : L"Heap", type == HeapSegment32Region ? L" 32-bit" : L"", (ULONG)MemoryItem->u.HeapSegment.HeapItem->u.Heap.Index + 1); case CfgBitmapRegion: case CfgBitmap32Region: return PhFormatString(L"CFG Bitmap%s", type == CfgBitmap32Region ? L" 32-bit" : L""); case ApiSetMapRegion: return PhFormatString(L"ApiSetMap"); case ReadOnlySharedMemoryRegion: return PhFormatString(L"CSR shared memory"); case CodePageDataRegion: return PhFormatString(L"CodePage data"); case GdiSharedHandleTableRegion: return PhFormatString(L"GDI shared handle table"); case ShimDataRegion: return PhFormatString(L"Shim data"); case ActivationContextDataRegion: switch (MemoryItem->u.ActivationContextData.Type) { case ProcessActivationContext: return PhFormatString(L"Process activation context data"); case SystemActivationContext: return PhFormatString(L"System activation context data"); default: return PhFormatString(L"Activation context data"); } case WerRegistrationDataRegion: return PhFormatString(L"WER registration data"); case SiloSharedDataRegion: return PhFormatString(L"Silo shared data"); case TelemetryCoverageRegion: return PhFormatString(L"Telemetry coverage map"); case ProcessParametersRegion: return PhFormatString(L"USER_PROCESS_PARAMETERS"); case LeapSecondDataRegion: return PhFormatString(L"LEAP_SECOND_DATA"); case DesktopHeapRegion: return PhFormatString(L"Desktop heap"); default: return NULL; } } VOID PhpUpdateMemoryNodeUseText( _Inout_ PPH_MEMORY_NODE MemoryNode ) { if (!MemoryNode->UseText) MemoryNode->UseText = PhGetMemoryRegionUseText(MemoryNode->MemoryItem); } VOID PhpUpdateMemoryRegionTypeExText( _Inout_ PPH_MEMORY_NODE MemoryNode ) { if (MemoryNode->IsAllocationBase) return; if (!MemoryNode->RegionTypeText) MemoryNode->RegionTypeText = PhGetMemoryRegionTypeExString(MemoryNode->MemoryItem); } PPH_STRING PhpFormatSizeIfNonZero( _In_ ULONG64 Size ) { if (Size != 0) return PhFormatSize(Size, ULONG_MAX); else return NULL; } #define SORT_FUNCTION(Column) PhpMemoryTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpMemoryTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_MEMORY_NODE node1 = *(PPH_MEMORY_NODE *)_elem1; \ PPH_MEMORY_NODE node2 = *(PPH_MEMORY_NODE *)_elem2; \ PPH_MEMORY_ITEM memoryItem1 = node1->MemoryItem; \ PPH_MEMORY_ITEM memoryItem2 = node2->MemoryItem; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)memoryItem1->BaseAddress, (ULONG_PTR)memoryItem2->BaseAddress); \ \ return PhModifySort(sortResult, ((PPH_MEMORY_LIST_CONTEXT)_context)->TreeNewSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpMemoryTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uintptrcmp((ULONG_PTR)((PPH_MEMORY_NODE)Node1)->MemoryItem->BaseAddress, (ULONG_PTR)((PPH_MEMORY_NODE)Node2)->MemoryItem->BaseAddress); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(BaseAddress) { sortResult = uintptrcmp((ULONG_PTR)memoryItem1->BaseAddress, (ULONG_PTR)memoryItem2->BaseAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Type) { sortResult = uintcmp(memoryItem1->Type | memoryItem1->State, memoryItem2->Type | memoryItem2->State); if (sortResult == 0) sortResult = intcmp(memoryItem1->RegionType, memoryItem2->RegionType); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Size) { sortResult = uintptrcmp(memoryItem1->RegionSize, memoryItem2->RegionSize); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Protection) { sortResult = PhCompareStringZ(node1->ProtectionText, node2->ProtectionText, FALSE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Use) { PhpUpdateMemoryNodeUseText(node1); PhpUpdateMemoryNodeUseText(node2); sortResult = PhCompareStringWithNull(node1->UseText, node2->UseText, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TotalWs) { sortResult = uintptrcmp(memoryItem1->TotalWorkingSetPages, memoryItem2->TotalWorkingSetPages); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PrivateWs) { sortResult = uintptrcmp(memoryItem1->PrivateWorkingSetPages, memoryItem2->PrivateWorkingSetPages); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ShareableWs) { sortResult = uintptrcmp(memoryItem1->ShareableWorkingSetPages, memoryItem2->ShareableWorkingSetPages); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(SharedWs) { sortResult = uintptrcmp(memoryItem1->SharedWorkingSetPages, memoryItem2->SharedWorkingSetPages); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LockedWs) { sortResult = uintptrcmp(memoryItem1->LockedWorkingSetPages, memoryItem2->LockedWorkingSetPages); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Committed) { sortResult = uintptrcmp(memoryItem1->CommittedSize, memoryItem2->CommittedSize); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Private) { sortResult = uintptrcmp(memoryItem1->PrivateSize, memoryItem2->PrivateSize); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(SigningLevel) { sortResult = shortcmp( memoryItem1->RegionType == MappedFileRegion && memoryItem1->u.MappedFile.SigningLevelValid ? memoryItem1->u.MappedFile.SigningLevel : -1, memoryItem2->RegionType == MappedFileRegion && memoryItem2->u.MappedFile.SigningLevelValid ? memoryItem2->u.MappedFile.SigningLevel : -1 ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(OriginalProtection) { sortResult = PhCompareStringZ(node1->OriginalProtectionText, node2->OriginalProtectionText, FALSE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(OriginalPages) { FLOAT modified1 = memoryItem1->SharedOriginalPages ? (memoryItem1->SharedOriginalPages / (memoryItem1->RegionSize / PAGE_SIZE) * 100.f) : 0.0f; FLOAT modified2 = memoryItem2->SharedOriginalPages ? (memoryItem2->SharedOriginalPages / (memoryItem2->RegionSize / PAGE_SIZE) * 100.f) : 0.0f; sortResult = singlecmp(modified1, modified2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(RegionType) { PhpUpdateMemoryRegionTypeExText(node1); PhpUpdateMemoryRegionTypeExText(node2); sortResult = PhCompareStringWithNull(node1->RegionTypeText, node2->RegionTypeText, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Priority) { sortResult = uintptrcmp(memoryItem1->Priority, memoryItem2->Priority); } END_SORT_FUNCTION BOOLEAN NTAPI PhpMemoryTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_MEMORY_LIST_CONTEXT context = Context; PPH_MEMORY_NODE node; if (PhCmForwardMessage(WindowHandle, Message, Parameter1, Parameter2, &context->Cm)) return TRUE; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_MEMORY_NODE)getChildren->Node; if (context->TreeNewSortOrder == NoSortOrder) { if (!node) { getChildren->Children = (PPH_TREENEW_NODE *)context->AllocationBaseNodeList->Items; getChildren->NumberOfChildren = context->AllocationBaseNodeList->Count; } else { getChildren->Children = (PPH_TREENEW_NODE *)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; } } else { if (!node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(BaseAddress), SORT_FUNCTION(Type), SORT_FUNCTION(Size), SORT_FUNCTION(Protection), SORT_FUNCTION(Use), SORT_FUNCTION(TotalWs), SORT_FUNCTION(PrivateWs), SORT_FUNCTION(ShareableWs), SORT_FUNCTION(SharedWs), SORT_FUNCTION(LockedWs), SORT_FUNCTION(Committed), SORT_FUNCTION(Private), SORT_FUNCTION(SigningLevel), SORT_FUNCTION(OriginalProtection), SORT_FUNCTION(OriginalPages), SORT_FUNCTION(RegionType), SORT_FUNCTION(Priority), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PHMMTLC_MAXIMUM, "SortFunctions must equal maximum."); if (!PhCmForwardSort( (PPH_TREENEW_NODE *)context->RegionNodeList->Items, context->RegionNodeList->Count, context->TreeNewSortColumn, context->TreeNewSortOrder, &context->Cm )) { if (context->TreeNewSortColumn < PHMMTLC_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; } else { sortFunction = NULL; } if (sortFunction) { qsort_s(context->RegionNodeList->Items, context->RegionNodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->RegionNodeList->Items; getChildren->NumberOfChildren = context->RegionNodeList->Count; } } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPH_MEMORY_NODE)isLeaf->Node; if (context->TreeNewSortOrder == NoSortOrder) isLeaf->IsLeaf = !node->Children || node->Children->Count == 0; else isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PPH_MEMORY_ITEM memoryItem; node = (PPH_MEMORY_NODE)getCellText->Node; memoryItem = node->MemoryItem; switch (getCellText->Id) { case PHMMTLC_BASEADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, memoryItem->BaseAddressString); break; case PHMMTLC_TYPE: { if (FlagOn(memoryItem->State, MEM_FREE)) { if (memoryItem->RegionType == UnusableRegion) PhInitializeStringRef(&getCellText->Text, L"Free (Unusable)"); else PhInitializeStringRef(&getCellText->Text, L"Free"); } else if (node->IsAllocationBase) { PCPH_STRINGREF string; if (string = PhGetMemoryTypeString(memoryItem->Type)) { getCellText->Text.Length = string->Length; getCellText->Text.Buffer = string->Buffer; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } else { PH_FORMAT format[3]; SIZE_T returnLength; PhInitFormatSR(&format[0], *PhGetMemoryTypeString(memoryItem->Type)); PhInitFormatS(&format[1], L": "); PhInitFormatSR(&format[2], *PhGetMemoryStateString(memoryItem->State)); if (PhFormatToBuffer(format, 3, node->TypeText, sizeof(node->TypeText), &returnLength)) { getCellText->Text.Buffer = node->TypeText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } break; case PHMMTLC_SIZE: { PhMoveReference(&node->SizeText, PhFormatSize(memoryItem->RegionSize, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->SizeText); } break; case PHMMTLC_PROTECTION: { if (node->ProtectionText[0] != UNICODE_NULL) PhInitializeStringRefLongHint(&getCellText->Text, node->ProtectionText); } break; case PHMMTLC_USE: { PhpUpdateMemoryNodeUseText(node); getCellText->Text = PhGetStringRef(node->UseText); } break; case PHMMTLC_TOTALWS: { PhMoveReference(&node->TotalWsText, PhpFormatSizeIfNonZero((ULONG64)memoryItem->TotalWorkingSetPages * PAGE_SIZE)); getCellText->Text = PhGetStringRef(node->TotalWsText); } break; case PHMMTLC_PRIVATEWS: { PhMoveReference(&node->PrivateWsText, PhpFormatSizeIfNonZero((ULONG64)memoryItem->PrivateWorkingSetPages * PAGE_SIZE)); getCellText->Text = PhGetStringRef(node->PrivateWsText); } break; case PHMMTLC_SHAREABLEWS: { PhMoveReference(&node->ShareableWsText, PhpFormatSizeIfNonZero((ULONG64)memoryItem->ShareableWorkingSetPages * PAGE_SIZE)); getCellText->Text = PhGetStringRef(node->ShareableWsText); } break; case PHMMTLC_SHAREDWS: { PhMoveReference(&node->SharedWsText, PhpFormatSizeIfNonZero((ULONG64)memoryItem->SharedWorkingSetPages * PAGE_SIZE)); getCellText->Text = PhGetStringRef(node->SharedWsText); } break; case PHMMTLC_LOCKEDWS: { PhMoveReference(&node->LockedWsText, PhpFormatSizeIfNonZero((ULONG64)memoryItem->LockedWorkingSetPages * PAGE_SIZE)); getCellText->Text = PhGetStringRef(node->LockedWsText); } break; case PHMMTLC_COMMITTED: { PhMoveReference(&node->CommittedText, PhpFormatSizeIfNonZero(memoryItem->CommittedSize)); getCellText->Text = PhGetStringRef(node->CommittedText); } break; case PHMMTLC_PRIVATE: { PhMoveReference(&node->PrivateText, PhpFormatSizeIfNonZero(memoryItem->PrivateSize)); getCellText->Text = PhGetStringRef(node->PrivateText); } break; case PHMMTLC_SIGNING_LEVEL: { if (memoryItem->RegionType == MappedFileRegion && memoryItem->u.MappedFile.SigningLevelValid) { PCPH_STRINGREF string; if (string = PhGetSigningLevelString(memoryItem->u.MappedFile.SigningLevel)) { getCellText->Text.Length = string->Length; getCellText->Text.Buffer = string->Buffer; } } } break; case PHMMTLC_ORIGINAL_PROTECTION: { if (node->OriginalProtectionText[0] != UNICODE_NULL) PhInitializeStringRefLongHint(&getCellText->Text, node->OriginalProtectionText); } break; case PHMMTLC_ORIGINAL_PAGES: { if (node->IsAllocationBase) break; if (memoryItem->State & MEM_COMMIT && (memoryItem->Type & (MEM_MAPPED | MEM_IMAGE))) { SIZE_T count = memoryItem->SharedOriginalPages; SIZE_T modified = (memoryItem->RegionSize / PAGE_SIZE) - count; PH_FORMAT format[4]; PhInitFormatF(&format[0], count ? (count / (memoryItem->RegionSize / PAGE_SIZE) * 100) : 0.f, 2); if (modified) { PhInitFormatS(&format[1], L"% ("); PhInitFormatI64U(&format[2], modified); PhInitFormatS(&format[3], L")"); PhMoveReference(&node->OriginalPagesText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } else { PhInitFormatS(&format[1], L"%"); PhMoveReference(&node->OriginalPagesText, PhFormat(format, 2, 0)); } getCellText->Text = PhGetStringRef(node->OriginalPagesText); } } break; case PHMMTLC_REGIONTYPE: { PhpUpdateMemoryRegionTypeExText(node); getCellText->Text = PhGetStringRef(node->RegionTypeText); } break; case PHMMTLC_PRIORITY: { if (memoryItem->Priority != 0) { PH_FORMAT format[4]; PhInitFormatSR(&format[0], *PhGetMemoryPagePriorityString((ULONG)memoryItem->Priority)); PhInitFormatS(&format[1], L" ("); PhInitFormatU(&format[2], (ULONG)memoryItem->Priority); PhInitFormatS(&format[3], L")"); PhMoveReference(&node->PriorityText, PhFormat(format, RTL_NUMBER_OF(format), 0)); getCellText->Text = PhGetStringRef(node->PriorityText); } } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; PPH_MEMORY_ITEM memoryItem; node = (PPH_MEMORY_NODE)getNodeColor->Node; memoryItem = node->MemoryItem; if (!memoryItem) NOTHING; else if ( context->HighlightExecutePages && ( memoryItem->Protect & PAGE_EXECUTE || memoryItem->Protect & PAGE_EXECUTE_READ || memoryItem->Protect & PAGE_EXECUTE_READWRITE || memoryItem->Protect & PAGE_EXECUTE_WRITECOPY )) { getNodeColor->BackColor = PhCsColorPacked; } else if ( context->HighlightCfgPages && ( memoryItem->RegionType == CfgBitmapRegion || memoryItem->RegionType == CfgBitmap32Region )) { getNodeColor->BackColor = PhCsColorElevatedProcesses; } else if ( context->HighlightSystemPages && ( memoryItem->Type & SEC_IMAGE )) { getNodeColor->BackColor = PhCsColorSystemProcesses; } else if (context->HighlightPrivatePages && memoryItem->Type & MEM_PRIVATE) { getNodeColor->BackColor = PhCsColorOwnProcesses; } //else if ( // memoryItem->RegionType == StackRegion || memoryItem->RegionType == Stack32Region || // memoryItem->RegionType == HeapRegion || memoryItem->RegionType == Heap32Region || // memoryItem->RegionType == HeapSegmentRegion || memoryItem->RegionType == HeapSegment32Region // ((memoryItem->Protect & PAGE_EXECUTE_WRITECOPY || memoryItem->Protect & PAGE_EXECUTE_READWRITE || // memoryItem->Protect & PAGE_READWRITE) && !(memoryItem->Type & SEC_IMAGE)) // ) //{ // getNodeColor->BackColor = PhCsColorElevatedProcesses; //} //else if (memoryItem->Type & SEC_IMAGE) // getNodeColor->BackColor = PhCsColorImmersiveProcesses; getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MEMORY_COPY, 0); break; case VK_RETURN: SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MEMORY_READWRITEMEMORY, 0); break; case VK_F5: SendMessage(context->ParentWindowHandle, WM_COMMAND, IDC_REFRESH, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = NoSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { PPH_TREENEW_MOUSE_EVENT mouseEvent = Parameter1; node = (PPH_MEMORY_NODE)mouseEvent->Node; if (node && node->IsAllocationBase) TreeNew_SetNodeExpanded(WindowHandle, node, !node->Node.Expanded); else SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MEMORY_READWRITEMEMORY, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_SHOWCONTEXTMENU, (LPARAM)contextMenu); } return TRUE; case TreeNewGetDialogCode: { PULONG code = Parameter2; if (PtrToUlong(Parameter1) == VK_RETURN) { *code = DLGC_WANTMESSAGE; return TRUE; } } return FALSE; } return FALSE; } PPH_MEMORY_NODE PhGetSelectedMemoryNode( _In_ PPH_MEMORY_LIST_CONTEXT Context ) { ULONG i; if (Context->TreeNewSortOrder == NoSortOrder) { for (i = 0; i < Context->AllocationBaseNodeList->Count; i++) { PPH_MEMORY_NODE node = Context->AllocationBaseNodeList->Items[i]; if (node->Node.Selected) return node; } } for (i = 0; i < Context->RegionNodeList->Count; i++) { PPH_MEMORY_NODE node = Context->RegionNodeList->Items[i]; if (node->Node.Selected) return node; } return NULL; } VOID PhGetSelectedMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context, _Out_ PPH_MEMORY_NODE **MemoryNodes, _Out_ PULONG NumberOfMemoryNodes ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); if (Context->TreeNewSortOrder == NoSortOrder) { for (i = 0; i < Context->AllocationBaseNodeList->Count; i++) { PPH_MEMORY_NODE node = Context->AllocationBaseNodeList->Items[i]; if (node->Node.Selected) PhAddItemArray(&array, &node); } } for (i = 0; i < Context->RegionNodeList->Count; i++) { PPH_MEMORY_NODE node = Context->RegionNodeList->Items[i]; if (node->Node.Selected) PhAddItemArray(&array, &node); } *NumberOfMemoryNodes = (ULONG)PhFinalArrayCount(&array); *MemoryNodes = PhFinalArrayItems(&array); } VOID PhDeselectAllMemoryNodes( _In_ PPH_MEMORY_LIST_CONTEXT Context ) { TreeNew_DeselectRange(Context->TreeNewHandle, 0, -1); } ================================================ FILE: SystemInformer/memlists.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #define MSG_UPDATE (WM_APP + 1) INT_PTR CALLBACK PhpMemoryListsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); HWND PhMemoryListsWindowHandle = NULL; static VOID (NTAPI *UnregisterDialogFunction)(HWND); static PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; VOID PhShowMemoryListsDialog( _In_ HWND ParentWindowHandle, _In_opt_ VOID (NTAPI *RegisterDialog)(HWND), _In_opt_ VOID (NTAPI *UnregisterDialog)(HWND) ) { if (!PhMemoryListsWindowHandle) { PhMemoryListsWindowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMLISTS), ParentWindowHandle, PhpMemoryListsDlgProc, NULL ); if (RegisterDialog) RegisterDialog(PhMemoryListsWindowHandle); UnregisterDialogFunction = UnregisterDialog; } if (!IsWindowVisible(PhMemoryListsWindowHandle)) ShowWindow(PhMemoryListsWindowHandle, SW_SHOW); else if (IsMinimized(PhMemoryListsWindowHandle)) ShowWindow(PhMemoryListsWindowHandle, SW_RESTORE); else SetForegroundWindow(PhMemoryListsWindowHandle); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ProcessesUpdatedCallback( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { if (PhMemoryListsWindowHandle) { PostMessage(PhMemoryListsWindowHandle, MSG_UPDATE, 0, 0); } } static VOID PhpUpdateMemoryListInfo( _In_ HWND hwndDlg ) { SYSTEM_MEMORY_LIST_INFORMATION memoryListInfo; if (NT_SUCCESS(NtQuerySystemInformation( SystemMemoryListInformation, &memoryListInfo, sizeof(SYSTEM_MEMORY_LIST_INFORMATION), NULL ))) { ULONG_PTR standbyPageCount; ULONG_PTR repurposedPageCount; ULONG i; standbyPageCount = 0; repurposedPageCount = 0; for (i = 0; i < 8; i++) { standbyPageCount += memoryListInfo.PageCountByPriority[i]; repurposedPageCount += memoryListInfo.RepurposedPagesByPriority[i]; } PhSetDialogItemText(hwndDlg, IDC_ZLISTZEROED_V, PhaFormatSize((ULONG64)memoryListInfo.ZeroPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTFREE_V, PhaFormatSize((ULONG64)memoryListInfo.FreePageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTMODIFIED_V, PhaFormatSize((ULONG64)memoryListInfo.ModifiedPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTMODIFIEDNOWRITE_V, PhaFormatSize((ULONG64)memoryListInfo.ModifiedNoWritePageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTBAD_V, PhaFormatSize((ULONG64)memoryListInfo.BadPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY_V, PhaFormatSize((ULONG64)standbyPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY0_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[0] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY1_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[1] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY2_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[2] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY3_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[3] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY4_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[4] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY5_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[5] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY6_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[6] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY7_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[7] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED_V, PhaFormatSize((ULONG64)repurposedPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED0_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[0] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED1_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[1] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED2_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[2] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED3_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[3] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED4_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[4] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED5_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[5] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED6_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[6] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED7_V, PhaFormatSize((ULONG64)memoryListInfo.RepurposedPagesByPriority[7] * PAGE_SIZE, ULONG_MAX)->Buffer); if (WindowsVersion >= WINDOWS_8) PhSetDialogItemText(hwndDlg, IDC_ZLISTMODIFIEDPAGEFILE_V, PhaFormatSize((ULONG64)memoryListInfo.ModifiedPageCountPageFile * PAGE_SIZE, ULONG_MAX)->Buffer); else PhSetDialogItemText(hwndDlg, IDC_ZLISTMODIFIEDPAGEFILE_V, L"N/A"); } else { PhSetDialogItemText(hwndDlg, IDC_ZLISTZEROED_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTFREE_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTMODIFIED_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTMODIFIEDNOWRITE_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTMODIFIEDPAGEFILE_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTBAD_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY0_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY1_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY2_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY3_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY4_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY5_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY6_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTSTANDBY7_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED0_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED1_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED2_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED3_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED4_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED5_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED6_V, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_ZLISTREPURPOSED7_V, L"Unknown"); } } typedef _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PH_MEMORY_LIST_COMMAND_CALLBACK( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ); typedef PH_MEMORY_LIST_COMMAND_CALLBACK *PPH_MEMORY_LIST_COMMAND_CALLBACK; PPH_STRING PhpCreateCommandStatusString( _In_ PCWSTR Message, _In_ NTSTATUS Status ) { PPH_STRING string; PPH_STRING statusString; if (statusString = PhGetStatusMessage(Status, 0)) { PH_FORMAT format[3]; PhInitFormatS(&format[0], Message); PhInitFormatC(&format[1], L' '); PhInitFormatSR(&format[2], statusString->sr); string = PhFormat(format, RTL_NUMBER_OF(format), 10); PhDereferenceObject(statusString); } else { string = PhCreateString(Message); } return string; } NTSTATUS PhpMemoryListCommandCommon( _In_ HWND ParentWindow, _In_ SYSTEM_MEMORY_LIST_COMMAND Command ) { NTSTATUS status; PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); status = NtSetSystemInformation( SystemMemoryListInformation, &Command, sizeof(SYSTEM_MEMORY_LIST_COMMAND) ); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); if (status == STATUS_PRIVILEGE_NOT_HELD) { if (!PhGetOwnTokenAttributes().Elevated) { if (PhUiConnectToPhSvc(ParentWindow, FALSE)) { PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); status = PhSvcCallIssueMemoryListCommand(Command); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); PhUiDisconnectFromPhSvc(); } else { // User cancelled elevation. status = STATUS_SUCCESS; } } } return status; } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpEmptyWorkingSetsCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; status = PhpMemoryListCommandCommon(ParentWindow, MemoryEmptyWorkingSets); if (NT_SUCCESS(status)) *Message = PhCreateString(L"Working sets emptied."); else *Message = PhpCreateCommandStatusString(L"Unable to empty working sets.", status); } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpFlushModifiedListCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; status = PhpMemoryListCommandCommon(ParentWindow, MemoryFlushModifiedList); if (NT_SUCCESS(status)) *Message = PhCreateString(L"Modified page lists emptied."); else *Message = PhpCreateCommandStatusString(L"Unable to empty modified page lists.", status); } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpPurgeStandbyListCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; status = PhpMemoryListCommandCommon(ParentWindow, MemoryPurgeStandbyList); if (NT_SUCCESS(status)) *Message = PhCreateString(L"Standby lists emptied."); else *Message = PhpCreateCommandStatusString(L"Unable to empty standby lists.", status); } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpPurgeLowPriorityStandbyListCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; status = PhpMemoryListCommandCommon(ParentWindow, MemoryPurgeLowPriorityStandbyList); if (NT_SUCCESS(status)) *Message = PhCreateString(L"Priority 0 standby list emptied."); else *Message = PhpCreateCommandStatusString(L"Unable to empty priority 0 standby list.", status); } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpCombineMemoryListsCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; MEMORY_COMBINE_INFORMATION_EX combineInfo = { 0 }; PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); status = NtSetSystemInformation( SystemCombinePhysicalMemoryInformation, &combineInfo, sizeof(MEMORY_COMBINE_INFORMATION_EX) ); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); if (NT_SUCCESS(status)) { PH_FORMAT format[5]; // Memory pages combined: %s (%llu pages) PhInitFormatS(&format[0], L"Memory pages combined: "); PhInitFormatSize(&format[1], combineInfo.PagesCombined * PAGE_SIZE); PhInitFormatS(&format[2], L" ("); PhInitFormatI64U(&format[3], combineInfo.PagesCombined); PhInitFormatS(&format[4], L" pages)"); *Message = PhFormat(format, RTL_NUMBER_OF(format), 0); } else { *Message = PhpCreateCommandStatusString(L"Unable to combine memory pages.", status); } } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpEmptyCompressionStoreCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; if (KsiLevel() < KphLevelMax) { PhShowKsiNotConnected( ParentWindow, L"Emptying the compression store requires a connection to the kernel driver." ); *Message = NULL; return; } PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); status = KphSystemControl( KphSystemControlEmptyCompressionStore, NULL, 0 ); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); if (NT_SUCCESS(status)) *Message = PhCreateString(L"Compression stores emptied."); else *Message = PhpCreateCommandStatusString(L"Unable to empty compression stores.", status); } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpEmptyRegistryCacheCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); status = NtSetSystemInformation(SystemRegistryReconciliationInformation, NULL, 0); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); if (NT_SUCCESS(status)) *Message = PhCreateString(L"Registry cache emptied."); else *Message = PhpCreateCommandStatusString(L"Unable to empty registry cache.", status); } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpEmptySystemFileCacheCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; SYSTEM_FILECACHE_INFORMATION cacheInfo = { 0 }; PhAdjustPrivilege(NULL, SE_INCREASE_QUOTA_PRIVILEGE, TRUE); PhGetSystemFileCacheSize(&cacheInfo); PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); status = PhSetSystemFileCacheSize( MAXSIZE_T, MAXSIZE_T, 0 ); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); if (NT_SUCCESS(status)) { PH_FORMAT format[5]; // System file cache emptied: %s (%llu pages) PhInitFormatS(&format[0], L"System file cache emptied: "); PhInitFormatSize(&format[1], cacheInfo.CurrentSize); PhInitFormatS(&format[2], L" ("); PhInitFormatI64U(&format[3], cacheInfo.CurrentSize / PAGE_SIZE); PhInitFormatS(&format[4], L" pages)"); *Message = PhFormat(format, RTL_NUMBER_OF(format), 0); } else { *Message = PhpCreateCommandStatusString(L"Unable to empty system file cache.", status); } } _Function_class_(PH_MEMORY_LIST_COMMAND_CALLBACK) VOID NTAPI PhpFlushModifiedFileCacheCommand( _In_ HWND ParentWindow, _Out_ PPH_STRING* Message ) { NTSTATUS status; PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); status = PhFlushVolumeCache(); PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); if (NT_SUCCESS(status)) *Message = PhCreateString(L"Volume file cache flushed to disk."); else *Message = PhpCreateCommandStatusString(L"Unable to flush volume file cache.", status); } typedef struct _PH_MEMORY_LIST_COMMAND_ENTRY { PPH_MEMORY_LIST_COMMAND_CALLBACK Callback; PH_STRINGREF WorkingMessage; } PH_MEMORY_LIST_COMMAND_ENTRY, *PPH_MEMORY_LIST_COMMAND_ENTRY; static const PH_MEMORY_LIST_COMMAND_ENTRY PhMemoryListCommands[] = { { PhpCombineMemoryListsCommand, PH_STRINGREF_INIT(L"Combining memory pages...") }, { PhpEmptyCompressionStoreCommand, PH_STRINGREF_INIT(L"Emptying compression store...") }, { PhpEmptySystemFileCacheCommand, PH_STRINGREF_INIT(L"Emptying system file cache ...") }, { PhpEmptyRegistryCacheCommand, PH_STRINGREF_INIT(L"Emptying registry cache...") }, { PhpEmptyWorkingSetsCommand, PH_STRINGREF_INIT(L"Emptying working sets...") }, { PhpFlushModifiedListCommand, PH_STRINGREF_INIT(L"Emptying modified page list...") }, { PhpFlushModifiedFileCacheCommand, PH_STRINGREF_INIT(L"Emptying modified file cache...") }, { PhpPurgeStandbyListCommand, PH_STRINGREF_INIT(L"Emptying standby list...") }, { PhpPurgeLowPriorityStandbyListCommand, PH_STRINGREF_INIT(L"Emptying priority 0 standby list...") }, }; typedef struct _PH_MEMORY_LIST_COMMAND_CONTEXT { HWND WindowHandle; HANDLE ThreadHandle; BOOLEAN Cancel; BOOLEAN Completed; PH_QUEUED_LOCK MessageLock; PPH_STRING Message; ULONG CommandsComplete; ULONG CommandsCount; PH_MEMORY_LIST_COMMAND_ENTRY Commands[RTL_NUMBER_OF(PhMemoryListCommands)]; } PH_MEMORY_LIST_COMMAND_CONTEXT, *PPH_MEMORY_LIST_COMMAND_CONTEXT; _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI PhMemoryListCommandThread( _In_ PVOID ThreadParameter ) { static const PH_STRINGREF lineBreak = PH_STRINGREF_INIT(L"\r\n"); PPH_MEMORY_LIST_COMMAND_CONTEXT context = ThreadParameter; for (ULONG i = 0; i < context->CommandsCount; i++) { PPH_MEMORY_LIST_COMMAND_ENTRY entry; PPH_STRING message = NULL; entry = &context->Commands[i]; if (context->Cancel) break; PhAcquireQueuedLockExclusive(&context->MessageLock); if (context->Message) PhMoveReference(&context->Message, PhConcatStringRef3(&context->Message->sr, &lineBreak, &entry->WorkingMessage)); else context->Message = PhCreateString2(&entry->WorkingMessage); PhReleaseQueuedLockExclusive(&context->MessageLock); entry->Callback(context->WindowHandle, &message); context->CommandsComplete++; if (message) { PhAcquireQueuedLockExclusive(&context->MessageLock); PhMoveReference(&context->Message, PhConcatStringRef3(&context->Message->sr, &lineBreak, &message->sr)); PhReleaseQueuedLockExclusive(&context->MessageLock); PhDereferenceObject(message); } } return STATUS_SUCCESS; } HRESULT CALLBACK PhMemoryListCommandDialogCallbackProc( _In_ HWND WindowHandle, _In_ UINT Notification, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR Context ) { PPH_MEMORY_LIST_COMMAND_CONTEXT context = (PPH_MEMORY_LIST_COMMAND_CONTEXT)Context; switch (Notification) { case TDN_CREATED: { NTSTATUS status; HANDLE threadHandle; context->WindowHandle = WindowHandle; PhInitializeQueuedLock(&context->MessageLock); SendMessage(WindowHandle, TDM_ENABLE_BUTTON, IDCLOSE, FALSE); if (context->CommandsCount == 1) { SendMessage(WindowHandle, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(WindowHandle, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); } if (NT_SUCCESS(status = PhCreateThreadEx( &threadHandle, PhMemoryListCommandThread, context ))) { context->ThreadHandle = threadHandle; } else { PhShowStatus(WindowHandle, L"Unable to create the window.", status, 0); } } break; case TDN_BUTTON_CLICKED: { if ((INT)wParam == IDCANCEL) { context->Cancel = TRUE; SendMessage(WindowHandle, TDM_ENABLE_BUTTON, IDCANCEL, FALSE); } } break; case TDN_TIMER: { PPH_STRING string; if (context->Completed) break; PhAcquireQueuedLockExclusive(&context->MessageLock); string = context->Message ? PhReferenceObject(context->Message) : NULL; PhReleaseQueuedLockExclusive(&context->MessageLock); if (string) { SendMessage(WindowHandle, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)string->Buffer); PhDereferenceObject(string); } if (context->CommandsComplete == context->CommandsCount) { if (context->CommandsCount == 1) { SendMessage(WindowHandle, TDM_SET_MARQUEE_PROGRESS_BAR, FALSE, 0); SendMessage(WindowHandle, TDM_SET_PROGRESS_BAR_MARQUEE, FALSE, 0); } SendMessage(WindowHandle, TDM_SET_PROGRESS_BAR_POS, (WPARAM)100, 0); SendMessage(WindowHandle, TDM_ENABLE_BUTTON, IDCLOSE, TRUE); SendMessage(WindowHandle, TDM_ENABLE_BUTTON, IDCANCEL, FALSE); context->Completed = TRUE; } else if (context->CommandsCount > 1) { FLOAT progress = (FLOAT)(context->CommandsComplete + 1) / context->CommandsCount; SendMessage(WindowHandle, TDM_SET_PROGRESS_BAR_POS, (WPARAM)(progress * 100), 0); } } break; } return S_OK; } VOID PhMemoryListCommandDialog( _In_ HWND PrentWindow, _In_ PPH_MEMORY_LIST_COMMAND_CONTEXT Context ) { TASKDIALOGCONFIG config; PPH_MEMORY_LIST_COMMAND_CONTEXT context; context = PhAllocateCopy(Context, sizeof(PH_MEMORY_LIST_COMMAND_CONTEXT)); memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_POSITION_RELATIVE_TO_WINDOW | TDF_SHOW_PROGRESS_BAR | TDF_CAN_BE_MINIMIZED | TDF_CALLBACK_TIMER; config.dwCommonButtons = TDCBF_CLOSE_BUTTON | TDCBF_CANCEL_BUTTON; config.hMainIcon = PhGetApplicationIcon(FALSE); config.pfCallback = PhMemoryListCommandDialogCallbackProc; config.hwndParent = PrentWindow; config.lpCallbackData = (LONG_PTR)context; config.pszWindowTitle = PhApplicationName; if (context->CommandsCount > 1) config.pszMainInstruction = L"Executing memory commands..."; else config.pszMainInstruction = L"Executing memory command..."; config.pszContent = L" "; config.cxWidth = 200; TaskDialogIndirect(&config, NULL, NULL, NULL); if (context->ThreadHandle) NtWaitForSingleObject(context->ThreadHandle, FALSE, NULL); PhClearReference(&context->Message); PhFree(context); } VOID PhShowMemoryListCommand( _In_ HWND ParentWindow, _In_ HWND ButtonWindow, _In_ BOOLEAN ShowTopAlign ) { PPH_EMENU menu; RECT buttonRect = { 0 }; PPH_EMENU_ITEM selectedItem; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 0, L"&Combine memory pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"Empty &compression cache", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 2, L"Empty system &file cache", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 3, L"Empty ®istry cache", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 4, L"Empty &working sets", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 5, L"Empty &modified page list", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 6, L"Empty &modified file cache", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 7, L"Empty &standby list", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 8, L"Empty &priority 0 standby list", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, RTL_NUMBER_OF(PhMemoryListCommands), L"Empty &all", NULL, NULL), ULONG_MAX); if (ShowTopAlign) { PhGetWindowRect(ButtonWindow, &buttonRect); selectedItem = PhShowEMenu( menu, ParentWindow, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_BOTTOM, buttonRect.left, buttonRect.top ); } else { POINT point; PhGetClientRect(ButtonWindow, &buttonRect); point.x = 0; point.y = buttonRect.bottom; ClientToScreen(ButtonWindow, &point); selectedItem = PhShowEMenu( menu, ParentWindow, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); } if (selectedItem) { PH_MEMORY_LIST_COMMAND_CONTEXT context; memset(&context, 0, sizeof(PH_MEMORY_LIST_COMMAND_CONTEXT)); if (selectedItem->Id < RTL_NUMBER_OF(PhMemoryListCommands)) { context.CommandsCount = 1; context.Commands[0] = PhMemoryListCommands[selectedItem->Id]; PhMemoryListCommandDialog(ParentWindow, &context); } else if (!PhGetOwnTokenAttributes().Elevated) { PhShowStatus(ParentWindow, L"Unable to empty the memory list.", 0, ERROR_ELEVATION_REQUIRED); } else { context.CommandsCount = RTL_NUMBER_OF(PhMemoryListCommands); memcpy( context.Commands, PhMemoryListCommands, sizeof(PH_MEMORY_LIST_COMMAND_ENTRY) * context.CommandsCount ); PhMemoryListCommandDialog(ParentWindow, &context); } } PhDestroyEMenu(menu); } INT_PTR CALLBACK PhpMemoryListsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhAdjustPrivilege(NULL, SE_PROF_SINGLE_PROCESS_PRIVILEGE, TRUE); PhRegisterCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), ProcessesUpdatedCallback, NULL, &ProcessesUpdatedRegistration); PhpUpdateMemoryListInfo(hwndDlg); PhLoadWindowPlacementFromSetting(SETTING_MEMORY_LISTS_WINDOW_POSITION, NULL, hwndDlg); PhRegisterDialog(hwndDlg); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhUnregisterDialog(hwndDlg); PhSaveWindowPlacementToSetting(SETTING_MEMORY_LISTS_WINDOW_POSITION, NULL, hwndDlg); PhUnregisterCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), &ProcessesUpdatedRegistration); if (UnregisterDialogFunction) UnregisterDialogFunction(hwndDlg); PhMemoryListsWindowHandle = NULL; } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_EMPTY: { PhShowMemoryListCommand(hwndDlg, GET_WM_COMMAND_HWND(wParam, lParam), FALSE); } break; } } break; case MSG_UPDATE: { PhpUpdateMemoryListInfo(hwndDlg); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/memmod.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2023 * */ #include #include #include #include #include #include #include typedef struct _PH_IMAGE_MODIFIED_DIALOG_CONTEXT { LONG RefCount; HWND WindowHandle; HWND StatusHandle; HWND ListViewHandle; HWND ParentWindowHandle; PPH_PROCESS_ITEM ProcessItem; PH_LAYOUT_MANAGER LayoutManager; BOOLEAN Destroying; HANDLE ProcessHandle; ULONG ImageQueryFailures; PPH_LIST ImageAddressList; PPH_LIST PageTamperingList; PH_INITONCE SymbolProviderInitOnce; PPH_SYMBOL_PROVIDER SymbolProvider; SINGLE_LIST_ENTRY ResultListHead; PH_QUEUED_LOCK ResultListLock; PH_CALLBACK_REGISTRATION SymbolProviderEventRegistration; } PH_IMAGE_MODIFIED_DIALOG_CONTEXT, *PPH_IMAGE_MODIFIED_DIALOG_CONTEXT; typedef struct _PH_IMAGE_MAPPED_BASE_ENTRY { PVOID ImageBase; SIZE_T SizeOfImage; PPH_STRING FileName; } PH_IMAGE_MAPPED_BASE_ENTRY, *PPH_IMAGE_MAPPED_BASE_ENTRY; typedef struct _PH_IMAGE_MAPPED_FAILURE_ENTRY { PVOID BaseAddress; SIZE_T SizeOfImage; PVOID VirtualAddress; union { ULONG Flags; struct { ULONG Valid : 1; ULONG Unused : 31; }; }; } PH_IMAGE_MAPPED_FAILURE_ENTRY, *PPH_IMAGE_MAPPED_FAILURE_ENTRY; _Function_class_(PH_ENUM_MEMORY_CALLBACK) NTSTATUS NTAPI PhEnumImagesForTamperingCallback( _In_ HANDLE ProcessHandle, _In_ PMEMORY_BASIC_INFORMATION BasicInformation, _In_ PVOID Context ) { PPH_IMAGE_MODIFIED_DIALOG_CONTEXT context = Context; if ( BasicInformation->Type == MEM_IMAGE && BasicInformation->AllocationBase == BasicInformation->BaseAddress ) { PVOID imageBase; SIZE_T imageSize; if (NT_SUCCESS(PhGetProcessMappedImageBaseFromAddress( ProcessHandle, BasicInformation->BaseAddress, &imageBase, &imageSize ))) { BOOLEAN found = FALSE; for (ULONG i = 0; i < context->ImageAddressList->Count; i++) { PPH_IMAGE_MAPPED_BASE_ENTRY entry = context->ImageAddressList->Items[i]; if (entry->ImageBase == imageBase) { found = TRUE; break; } } if (!found) { PPH_IMAGE_MAPPED_BASE_ENTRY entry; PPH_STRING fileName; entry = PhAllocateZero(sizeof(PH_IMAGE_MAPPED_BASE_ENTRY)); entry->ImageBase = imageBase; entry->SizeOfImage = imageSize; if (NT_SUCCESS(PhGetProcessMappedFileName(ProcessHandle, entry->ImageBase, &fileName))) { entry->FileName = fileName; } PhAddItemList(context->ImageAddressList, entry); } } else { context->ImageQueryFailures++; } } return STATUS_SUCCESS; } _Function_class_(PH_ENUM_MEMORY_ATTRIBUTE_CALLBACK) NTSTATUS NTAPI PhpEnumVirtualMemoryAttributesCallback( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T SizeOfImage, _In_ ULONG_PTR NumberOfEntries, _In_ PMEMORY_WORKING_SET_EX_INFORMATION Blocks, _In_ PVOID Context ) { PPH_IMAGE_MODIFIED_DIALOG_CONTEXT context = Context; for (ULONG_PTR i = 0; i < NumberOfEntries; i++) { PMEMORY_WORKING_SET_EX_INFORMATION page = &Blocks[i]; PMEMORY_WORKING_SET_EX_BLOCK block = &page->VirtualAttributes; if (!block->SharedOriginal) { PPH_IMAGE_MAPPED_FAILURE_ENTRY entry; entry = PhAllocateZero(sizeof(PH_IMAGE_MAPPED_FAILURE_ENTRY)); entry->BaseAddress = BaseAddress; entry->SizeOfImage = SizeOfImage; entry->VirtualAddress = page->VirtualAddress; entry->Valid = !!block->Valid; PhAddItemList(context->PageTamperingList, entry); } } return STATUS_SUCCESS; } typedef struct _SYMBOL_LOOKUP_RESULT { SINGLE_LIST_ENTRY ListEntry; PPH_IMAGE_MODIFIED_DIALOG_CONTEXT Context; PVOID Address; PPH_STRING Symbol; PPH_STRING FileName; } SYMBOL_LOOKUP_RESULT, *PSYMBOL_LOOKUP_RESULT; VOID PhpCleanupPageModifiedLists( _In_ PPH_IMAGE_MODIFIED_DIALOG_CONTEXT Context ) { PSINGLE_LIST_ENTRY listEntry; if (Context->ImageAddressList) { for (ULONG i = 0; i < Context->ImageAddressList->Count; i++) { PPH_IMAGE_MAPPED_BASE_ENTRY entry = Context->ImageAddressList->Items[i]; PhClearReference(&entry->FileName); PhFree(entry); } PhClearReference(&Context->ImageAddressList); } if (Context->PageTamperingList) { for (ULONG i = 0; i < Context->PageTamperingList->Count; i++) PhFree(Context->PageTamperingList->Items[i]); PhClearReference(&Context->PageTamperingList); } // Free all unused results. PhAcquireQueuedLockExclusive(&Context->ResultListLock); listEntry = Context->ResultListHead.Next; while (listEntry) { PSYMBOL_LOOKUP_RESULT result; result = CONTAINING_RECORD(listEntry, SYMBOL_LOOKUP_RESULT, ListEntry); listEntry = listEntry->Next; PhClearReference(&result->Symbol); PhClearReference(&result->FileName); PhFree(result); } PhReleaseQueuedLockExclusive(&Context->ResultListLock); } VOID PhpLimitedSymbolReferenceContext( _In_ PPH_IMAGE_MODIFIED_DIALOG_CONTEXT Context ) { _InterlockedIncrement(&Context->RefCount); } VOID PhpLimitedSymbolDereferenceContext( _In_ PPH_IMAGE_MODIFIED_DIALOG_CONTEXT Context ) { if (_InterlockedDecrement(&Context->RefCount) == 0) { if (Context->SymbolProvider) PhDereferenceObject(Context->SymbolProvider); if (Context->ProcessHandle) NtClose(Context->ProcessHandle); PhpCleanupPageModifiedLists(Context); PhDereferenceObject(Context->ProcessItem); PhFree(Context); } } static NTSTATUS PhpLimitedSymbolProviderLookupFunction( _In_ PVOID Parameter ) { PSYMBOL_LOOKUP_RESULT result = Parameter; if (PhBeginInitOnce(&result->Context->SymbolProviderInitOnce)) { PhLoadSymbolProviderOptions(result->Context->SymbolProvider); PhLoadModulesForVirtualSymbolProvider( result->Context->SymbolProvider, result->Context->ProcessItem->ProcessId, NULL ); for (ULONG i = 0; i < result->Context->ImageAddressList->Count; i++) { PPH_IMAGE_MAPPED_BASE_ENTRY entry = result->Context->ImageAddressList->Items[i]; if (entry->FileName) { PhLoadFileNameSymbolProvider( result->Context->SymbolProvider, entry->FileName, entry->ImageBase, (ULONG)entry->SizeOfImage ); } else { result->Context->ImageQueryFailures++; } } PhEndInitOnce(&result->Context->SymbolProviderInitOnce); } if (result->Context->Destroying) { PhpLimitedSymbolDereferenceContext(result->Context); PhFree(result); return STATUS_SUCCESS; } result->Symbol = PhGetSymbolFromAddress( result->Context->SymbolProvider, result->Address, NULL, &result->FileName, NULL, NULL ); // Fail if we don't have a symbol. if (!result->Symbol) { PhpLimitedSymbolDereferenceContext(result->Context); PhFree(result); return STATUS_SUCCESS; } PhAcquireQueuedLockExclusive(&result->Context->ResultListLock); PushEntryList(&result->Context->ResultListHead, &result->ListEntry); PhReleaseQueuedLockExclusive(&result->Context->ResultListLock); PhpLimitedSymbolDereferenceContext(result->Context); return STATUS_SUCCESS; } static VOID PhpLimitedSymbolProviderQueueSymbolLookup( _In_ PPH_IMAGE_MODIFIED_DIALOG_CONTEXT Context, _In_ PVOID Address ) { PSYMBOL_LOOKUP_RESULT result; if (!Context->SymbolProvider) { Context->SymbolProvider = PhCreateSymbolProvider(NULL); } result = PhAllocateZero(sizeof(SYMBOL_LOOKUP_RESULT)); result->Context = Context; result->Address = Address; PhpLimitedSymbolReferenceContext(Context); PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), PhpLimitedSymbolProviderLookupFunction, result); } static VOID PhpProcessSymbolLookupResults( _In_ PPH_IMAGE_MODIFIED_DIALOG_CONTEXT Context ) { PSINGLE_LIST_ENTRY listEntry; // Remove all results. PhAcquireQueuedLockExclusive(&Context->ResultListLock); listEntry = Context->ResultListHead.Next; Context->ResultListHead.Next = NULL; PhReleaseQueuedLockExclusive(&Context->ResultListLock); // Update the list view with the results. while (listEntry) { PSYMBOL_LOOKUP_RESULT result; INT lvItemIndex; result = CONTAINING_RECORD(listEntry, SYMBOL_LOOKUP_RESULT, ListEntry); listEntry = listEntry->Next; lvItemIndex = PhFindListViewItemByParam(Context->ListViewHandle, INT_ERROR, result->Address); if (lvItemIndex != INT_ERROR) { PhSetListViewSubItem( Context->ListViewHandle, lvItemIndex, 5, PhGetString(result->Symbol) ); } PhDereferenceObject(result->Symbol); PhFree(result); } } // Get a basic symbol name (module+offset). static PPH_STRING PhpLimitedSymbolProviderGetBasicSymbol( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address ) { PVOID modBase; PPH_STRING fileName = NULL; PPH_STRING baseName = NULL; PPH_STRING symbol; modBase = PhGetModuleFromAddress(SymbolProvider, Address, &fileName); if (!fileName) { symbol = PhCreateStringEx(NULL, PH_PTR_STR_LEN * sizeof(WCHAR)); PhPrintPointer(symbol->Buffer, Address); PhTrimToNullTerminatorString(symbol); } else { PH_FORMAT format[3]; baseName = PhGetBaseName(fileName); PhInitFormatSR(&format[0], baseName->sr); PhInitFormatS(&format[1], L"+0x"); PhInitFormatIX(&format[2], (ULONG_PTR)Address - (ULONG_PTR)modBase); symbol = PhFormat(format, 3, baseName->Length + 6 + 32); } if (fileName) PhDereferenceObject(fileName); if (baseName) PhDereferenceObject(baseName); return symbol; } NTSTATUS PhCheckProcessImagesForTampering( _In_ PPH_IMAGE_MODIFIED_DIALOG_CONTEXT Context ) { NTSTATUS status; Context->ImageAddressList = PhCreateList(20); Context->PageTamperingList = PhCreateList(20); status = PhEnumVirtualMemory( Context->ProcessHandle, PhEnumImagesForTamperingCallback, Context ); if (!NT_SUCCESS(status)) return status; for (ULONG i = 0; i < Context->ImageAddressList->Count; i++) { PPH_IMAGE_MAPPED_BASE_ENTRY entry = Context->ImageAddressList->Items[i]; status = PhEnumVirtualMemoryAttributes( // PhCheckImagePagesForTampering Context->ProcessHandle, entry->ImageBase, entry->SizeOfImage, PhpEnumVirtualMemoryAttributesCallback, Context ); if (!NT_SUCCESS(status)) { Context->ImageQueryFailures++; } } for (ULONG i = 0; i < Context->PageTamperingList->Count; i++) { PPH_IMAGE_MAPPED_FAILURE_ENTRY entry = Context->PageTamperingList->Items[i]; WCHAR value[PH_INT64_STR_LEN_1]; INT lvItemIndex; PhPrintUInt32(value, i + 1); lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, value, entry->VirtualAddress); for (ULONG j = 0; j < Context->ImageAddressList->Count; j++) { PPH_IMAGE_MAPPED_BASE_ENTRY image = Context->ImageAddressList->Items[j]; if ( !PhIsNullOrEmptyString(image->FileName) && image->ImageBase == entry->BaseAddress && image->SizeOfImage == entry->SizeOfImage ) { PPH_STRING fileNameWin32 = PhGetFileName(image->FileName); PhMoveReference(&fileNameWin32, PhGetBaseName(fileNameWin32)); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, PhGetString(fileNameWin32)); PhDereferenceObject(fileNameWin32); break; } } PhPrintPointer(value, entry->BaseAddress); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, value); PhPrintPointer(value, PTR_SUB_OFFSET(entry->VirtualAddress, entry->BaseAddress)); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 3, value); PhPrintPointer(value, entry->VirtualAddress); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 4, value); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 5, L"Resolving symbols..."); PhpLimitedSymbolProviderQueueSymbolLookup(Context, entry->VirtualAddress); } PhpProcessSymbolLookupResults(Context); return status; } _Function_class_(PH_CALLBACK_FUNCTION) VOID PhPageModifiedSymbolProviderEventCallback( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_SYMBOL_EVENT_DATA event = Parameter; PPH_IMAGE_MODIFIED_DIALOG_CONTEXT context = Context; PPH_STRING statusMessage = NULL; switch (event->EventType) { case PH_SYMBOL_EVENT_TYPE_LOAD_START: statusMessage = PhReferenceObject(event->EventMessage); break; case PH_SYMBOL_EVENT_TYPE_LOAD_END: statusMessage = PhReferenceEmptyString(); break; case PH_SYMBOL_EVENT_TYPE_PROGRESS: statusMessage = PhReferenceObject(event->EventMessage); break; } if (statusMessage) { PhSetWindowText(context->StatusHandle, PhGetStringOrEmpty(statusMessage)); PhDereferenceObject(statusMessage); } } INT_PTR CALLBACK PhPageModifiedDlgProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_IMAGE_MODIFIED_DIALOG_CONTEXT context = NULL; if (WindowMessage == WM_INITDIALOG) { context = (PPH_IMAGE_MODIFIED_DIALOG_CONTEXT)lParam; PhSetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (WindowMessage) { case WM_INITDIALOG: { context->WindowHandle = WindowHandle; context->ListViewHandle = GetDlgItem(WindowHandle, IDC_LIST); context->StatusHandle = GetDlgItem(WindowHandle, IDC_STATE); PhSetApplicationWindowIcon(WindowHandle); PhSetListViewStyle(context->ListViewHandle, TRUE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 50, L"Index"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 100, L"File"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 100, L"ImageBase"); PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 100, L"Offset"); PhAddListViewColumn(context->ListViewHandle, 4, 4, 4, LVCFMT_LEFT, 100, L"Address"); PhAddListViewColumn(context->ListViewHandle, 5, 5, 5, LVCFMT_LEFT, 100, L"Symbol"); PhSetExtendedListView(context->ListViewHandle); PhLoadListViewColumnsFromSetting(SETTING_MEMORY_MODIFIED_LIST_VIEW_COLUMNS, context->ListViewHandle); PhLoadListViewSortColumnsFromSetting(SETTING_MEMORY_MODIFIED_LIST_VIEW_SORT, context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, WindowHandle); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, context->StatusHandle, NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_LAYOUT_FORCE_INVALIDATE); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDC_REFRESH), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDOK), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); if (PhValidWindowPlacementFromSetting(SETTING_MEMORY_MODIFIED_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_MEMORY_MODIFIED_WINDOW_POSITION, SETTING_MEMORY_MODIFIED_WINDOW_SIZE, WindowHandle); else PhCenterWindow(WindowHandle, context->ParentWindowHandle); { PPH_STRING windowTitle; windowTitle = PhGetWindowText(WindowHandle); PhMoveReference(&windowTitle, PhFormatString( L"%s: %s (%lu)", PhGetStringOrEmpty(windowTitle), PhGetStringOrEmpty(context->ProcessItem->ProcessName), HandleToUlong(context->ProcessItem->ProcessId) )); PhSetWindowText(WindowHandle, PhGetStringOrEmpty(windowTitle)); PhDereferenceObject(windowTitle); } PhSetTimer(WindowHandle, PH_WINDOW_TIMER_DEFAULT, 1000, NULL); PhInitializeWindowTheme(WindowHandle, PhEnableThemeSupport); { NTSTATUS status; status = PhCheckProcessImagesForTampering(context); if (!NT_SUCCESS(status)) { PhShowStatus(context->ParentWindowHandle, L"Unable to perform the scan", status, 0); EndDialog(WindowHandle, IDCANCEL); } } PhSetWindowText(context->StatusHandle, L""); PhRegisterCallback( &PhSymbolEventCallback, PhPageModifiedSymbolProviderEventCallback, context, &context->SymbolProviderEventRegistration ); } break; case WM_DESTROY: { PhSaveListViewSortColumnsToSetting(SETTING_MEMORY_MODIFIED_LIST_VIEW_SORT, context->ListViewHandle); PhSaveListViewColumnsToSetting(SETTING_MEMORY_MODIFIED_LIST_VIEW_COLUMNS, context->ListViewHandle); PhSaveWindowPlacementToSetting(SETTING_MEMORY_MODIFIED_WINDOW_POSITION, SETTING_MEMORY_MODIFIED_WINDOW_SIZE, WindowHandle); context->Destroying = TRUE; PhKillTimer(WindowHandle, PH_WINDOW_TIMER_DEFAULT); PhDeleteLayoutManager(&context->LayoutManager); PhpLimitedSymbolDereferenceContext(context); PhUnregisterCallback( &PhSymbolEventCallback, &context->SymbolProviderEventRegistration ); PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_TIMER: { switch (wParam) { case PH_WINDOW_TIMER_DEFAULT: PhpProcessSymbolLookupResults(context); break; } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(WindowHandle); break; case IDC_REFRESH: { ExtendedListView_SetRedraw(context->ListViewHandle, FALSE); ListView_DeleteAllItems(context->ListViewHandle); ExtendedListView_SetRedraw(context->ListViewHandle, TRUE); PhpCleanupPageModifiedLists(context); { NTSTATUS status; status = PhCheckProcessImagesForTampering(context); if (!NT_SUCCESS(status)) { PhShowStatus(WindowHandle, L"Unable to perform the scan", status, 0); } } } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_NOTIFY: { PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, WindowHandle, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { if (!PhHandleCopyListViewEMenuItem(item)) { switch (item->Id) { case IDC_COPY: PhCopyListView(context->ListViewHandle); break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(WindowHandle, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhShowImagePageModifiedDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_IMAGE_MODIFIED_DIALOG_CONTEXT context; NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION, ProcessItem->ProcessId ); if (!NT_SUCCESS(status)) { PhShowStatus(ParentWindowHandle, L"Unable to open the process.", status, 0); return; } context = PhAllocateZero(sizeof(PH_IMAGE_MODIFIED_DIALOG_CONTEXT)); context->RefCount = 1; context->ProcessItem = PhReferenceObject(ProcessItem); context->ParentWindowHandle = ParentWindowHandle; context->ProcessHandle = processHandle; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_MODIFIEDPAGES), NULL, PhPageModifiedDlgProc, context ); } ================================================ FILE: SystemInformer/memprot.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * */ #include #include #include typedef struct _MEMORY_PROTECT_CONTEXT { PPH_PROCESS_ITEM ProcessItem; PPH_MEMORY_ITEM MemoryItem; } MEMORY_PROTECT_CONTEXT, *PMEMORY_PROTECT_CONTEXT; INT_PTR CALLBACK PhpMemoryProtectDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowMemoryProtectDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_MEMORY_ITEM MemoryItem ) { MEMORY_PROTECT_CONTEXT context; context.ProcessItem = ProcessItem; context.MemoryItem = MemoryItem; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMPROTECT), ParentWindowHandle, PhpMemoryProtectDlgProc, &context ); } INT_PTR CALLBACK PhpMemoryProtectDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, (PVOID)lParam); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetDialogItemText(hwndDlg, IDC_INTRO, L"Possible values:\r\n" L"\r\n" L"0x01 - PAGE_NOACCESS\r\n" L"0x02 - PAGE_READONLY\r\n" L"0x04 - PAGE_READWRITE\r\n" L"0x08 - PAGE_WRITECOPY\r\n" L"0x10 - PAGE_EXECUTE\r\n" L"0x20 - PAGE_EXECUTE_READ\r\n" L"0x40 - PAGE_EXECUTE_READWRITE\r\n" L"0x80 - PAGE_EXECUTE_WRITECOPY\r\n" L"Modifiers:\r\n" L"0x100 - PAGE_GUARD\r\n" L"0x200 - PAGE_NOCACHE\r\n" L"0x400 - PAGE_WRITECOMBINE\r\n" ); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDC_VALUE)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { NTSTATUS status; PMEMORY_PROTECT_CONTEXT context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); HANDLE processHandle; ULONG64 protect; PhStringToUInt64(&PhaGetDlgItemText(hwndDlg, IDC_VALUE)->sr, 0, &protect); if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_VM_OPERATION, context->ProcessItem->ProcessId ))) { PVOID baseAddress; SIZE_T regionSize; ULONG oldProtect; baseAddress = context->MemoryItem->BaseAddress; regionSize = context->MemoryItem->RegionSize; status = PhProtectVirtualMemory( processHandle, baseAddress, regionSize, (ULONG)protect, &oldProtect ); if (NT_SUCCESS(status)) context->MemoryItem->Protect = (ULONG)protect; NtClose(processHandle); } if (NT_SUCCESS(status)) { EndDialog(hwndDlg, IDOK); } else { PhShowStatus(hwndDlg, L"Unable to change memory protection", status, 0); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDC_VALUE)); Edit_SetSel(GetDlgItem(hwndDlg, IDC_VALUE), 0, -1); } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/memprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #include #include #include #include #include #define MAX_HEAPS 1000 #define WS_REQUEST_COUNT (PAGE_SIZE / sizeof(MEMORY_WORKING_SET_EX_INFORMATION)) _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpMemoryItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); PPH_OBJECT_TYPE PhMemoryItemType = NULL; VOID PhGetMemoryProtectionString( _In_ ULONG Protection, _Inout_z_ PWSTR String ) { PWSTR string; PH_STRINGREF base; if (!Protection) { String[0] = UNICODE_NULL; return; } if (Protection & PAGE_NOACCESS) PhInitializeStringRef(&base, L"NA"); else if (Protection & PAGE_READONLY) PhInitializeStringRef(&base, L"R"); else if (Protection & PAGE_READWRITE) PhInitializeStringRef(&base, L"RW"); else if (Protection & PAGE_WRITECOPY) PhInitializeStringRef(&base, L"WC"); else if (Protection & PAGE_EXECUTE) PhInitializeStringRef(&base, L"X"); else if (Protection & PAGE_EXECUTE_READ) PhInitializeStringRef(&base, L"RX"); else if (Protection & PAGE_EXECUTE_READWRITE) PhInitializeStringRef(&base, L"RWX"); else if (Protection & PAGE_EXECUTE_WRITECOPY) PhInitializeStringRef(&base, L"WCX"); else PhInitializeStringRef(&base, L"?"); string = String; memcpy(string, base.Buffer, base.Length); string += base.Length / sizeof(WCHAR); if (Protection & PAGE_GUARD) { memcpy(string, L"+G", 2 * sizeof(WCHAR)); string += 2; } if (Protection & PAGE_NOCACHE) { memcpy(string, L"+NC", 3 * sizeof(WCHAR)); string += 3; } if (Protection & PAGE_WRITECOMBINE) { memcpy(string, L"+WCM", 4 * sizeof(WCHAR)); string += 4; } *string = UNICODE_NULL; } PCPH_STRINGREF PhGetMemoryStateString( _In_ ULONG State ) { static CONST PH_STRINGREF MemoryStateString[] = { PH_STRINGREF_INIT(L"Unknown"), PH_STRINGREF_INIT(L"Commit"), PH_STRINGREF_INIT(L"Reserved"), PH_STRINGREF_INIT(L"Free"), }; if (FlagOn(State, MEM_COMMIT)) return &MemoryStateString[1]; else if (FlagOn(State, MEM_RESERVE)) return &MemoryStateString[2]; else if (FlagOn(State, MEM_FREE)) return &MemoryStateString[3]; else return &MemoryStateString[0]; } PCPH_STRINGREF PhGetMemoryTypeString( _In_ ULONG Type ) { static CONST PH_STRINGREF MemoryTypeString[] = { PH_STRINGREF_INIT(L"Unknown"), PH_STRINGREF_INIT(L"Private"), PH_STRINGREF_INIT(L"Mapped"), PH_STRINGREF_INIT(L"Image"), }; if (FlagOn(Type, MEM_PRIVATE)) return &MemoryTypeString[1]; else if (FlagOn(Type, MEM_MAPPED)) return &MemoryTypeString[2]; else if (FlagOn(Type, MEM_IMAGE)) return &MemoryTypeString[3]; else return &MemoryTypeString[0]; } static CONST PH_KEY_VALUE_PAIR SigningLevelString[] = { SIP(SREF(L"Unchecked"), SE_SIGNING_LEVEL_UNCHECKED), SIP(SREF(L"Unsigned"), SE_SIGNING_LEVEL_UNSIGNED), SIP(SREF(L"Enterprise"), SE_SIGNING_LEVEL_ENTERPRISE), SIP(SREF(L"Developer"), SE_SIGNING_LEVEL_DEVELOPER), SIP(SREF(L"Authenticode"), SE_SIGNING_LEVEL_AUTHENTICODE), SIP(SREF(L"Custom 2"), SE_SIGNING_LEVEL_CUSTOM_2), SIP(SREF(L"StoreApp"), SE_SIGNING_LEVEL_STORE), SIP(SREF(L"Antimalware"), SE_SIGNING_LEVEL_ANTIMALWARE), SIP(SREF(L"Microsoft"), SE_SIGNING_LEVEL_MICROSOFT), SIP(SREF(L"Custom 4"), SE_SIGNING_LEVEL_CUSTOM_4), SIP(SREF(L"Custom 5"), SE_SIGNING_LEVEL_CUSTOM_5), SIP(SREF(L"CodeGen"), SE_SIGNING_LEVEL_DYNAMIC_CODEGEN), SIP(SREF(L"Windows"), SE_SIGNING_LEVEL_WINDOWS), SIP(SREF(L"Custom 7"), SE_SIGNING_LEVEL_CUSTOM_7), SIP(SREF(L"WinTcb"), SE_SIGNING_LEVEL_WINDOWS_TCB), SIP(SREF(L"Custom 6"), SE_SIGNING_LEVEL_CUSTOM_6) }; static_assert(ARRAYSIZE(SigningLevelString) == SE_SIGNING_LEVEL_CUSTOM_6 + 1, "SigningLevelString must equal SE_SIGNING_LEVEL_MAX"); PCPH_STRINGREF PhGetSigningLevelString( _In_ SE_SIGNING_LEVEL SigningLevel ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( SigningLevelString, sizeof(SigningLevelString), SigningLevel, &string )) { return string; } return NULL; } static CONST PH_KEY_VALUE_PAIR MemoryPriorityString[] = { SIP(SREF(L"Lowest"), MEMORY_PRIORITY_LOWEST), SIP(SREF(L"Very low"), MEMORY_PRIORITY_VERY_LOW), SIP(SREF(L"Low"), MEMORY_PRIORITY_LOW), SIP(SREF(L"Medium"), MEMORY_PRIORITY_MEDIUM), SIP(SREF(L"Below normal"), MEMORY_PRIORITY_BELOW_NORMAL), SIP(SREF(L"Normal"), MEMORY_PRIORITY_NORMAL), SIP(SREF(L"Above normal"), MEMORY_PRIORITY_ABOVE_NORMAL), SIP(SREF(L"High"), MEMORY_PRIORITY_HIGH), }; static_assert(ARRAYSIZE(MemoryPriorityString) == MEMORY_PRIORITY_HIGH + 1, "MemoryPriorityString must equal MEMORY_PRIORITY_HIGH"); PCPH_STRINGREF PhGetMemoryPagePriorityString( _In_ ULONG PagePriority ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( MemoryPriorityString, sizeof(MemoryPriorityString), PagePriority, &string )) { return string; } return NULL; } PPH_STRING PhGetMemoryRegionTypeExString( _In_ PPH_MEMORY_ITEM MemoryItem ) { PH_STRING_BUILDER stringBuilder; WCHAR pointer[PH_PTR_STR_LEN_1]; if (!MemoryItem->RegionTypeEx) return NULL; PhInitializeStringBuilder(&stringBuilder, 0x50); if (MemoryItem->Private) PhAppendStringBuilder2(&stringBuilder, L"Private, "); if (MemoryItem->MappedDataFile) PhAppendStringBuilder2(&stringBuilder, L"MappedDataFile, "); if (MemoryItem->MappedImage) PhAppendStringBuilder2(&stringBuilder, L"MappedImage, "); if (MemoryItem->MappedPageFile) PhAppendStringBuilder2(&stringBuilder, L"MappedPageFile, "); if (MemoryItem->MappedPhysical) PhAppendStringBuilder2(&stringBuilder, L"MappedPhysical, "); if (MemoryItem->DirectMapped) PhAppendStringBuilder2(&stringBuilder, L"DirectMapped, "); if (MemoryItem->SoftwareEnclave) PhAppendStringBuilder2(&stringBuilder, L"Software enclave, "); if (MemoryItem->PageSize64K) PhAppendStringBuilder2(&stringBuilder, L"PageSize64K, "); if (MemoryItem->PlaceholderReservation) PhAppendStringBuilder2(&stringBuilder, L"Placeholder, "); if (MemoryItem->MappedAwe) PhAppendStringBuilder2(&stringBuilder, L"Mapped AWE, "); if (MemoryItem->MappedWriteWatch) PhAppendStringBuilder2(&stringBuilder, L"MappedWriteWatch, "); if (MemoryItem->PageSizeLarge) PhAppendStringBuilder2(&stringBuilder, L"PageSizeLarge, "); if (MemoryItem->PageSizeHuge) PhAppendStringBuilder2(&stringBuilder, L"PageSizeHuge, "); if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhPrintPointer(pointer, UlongToPtr(MemoryItem->RegionTypeEx)); PhAppendFormatStringBuilder(&stringBuilder, L" (%s)", pointer); return PhFinalStringBuilderString(&stringBuilder); } PPH_MEMORY_ITEM PhCreateMemoryItem( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_MEMORY_ITEM memoryItem; if (PhBeginInitOnce(&initOnce)) { PhMemoryItemType = PhCreateObjectType(L"MemoryItem", 0, PhpMemoryItemDeleteProcedure); PhEndInitOnce(&initOnce); } memoryItem = PhCreateObject(sizeof(PH_MEMORY_ITEM), PhMemoryItemType); memset(memoryItem, 0, sizeof(PH_MEMORY_ITEM)); return memoryItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpMemoryItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_MEMORY_ITEM memoryItem = Object; switch (memoryItem->RegionType) { case CustomRegion: PhClearReference(&memoryItem->u.Custom.Text); break; case MappedFileRegion: PhClearReference(&memoryItem->u.MappedFile.FileName); break; } } _Function_class_(PH_AVL_TREE_COMPARE_FUNCTION) static LONG NTAPI PhpMemoryItemCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ) { PPH_MEMORY_ITEM memoryItem1 = CONTAINING_RECORD(Links1, PH_MEMORY_ITEM, Links); PPH_MEMORY_ITEM memoryItem2 = CONTAINING_RECORD(Links2, PH_MEMORY_ITEM, Links); return uintptrcmp((ULONG_PTR)memoryItem1->BaseAddress, (ULONG_PTR)memoryItem2->BaseAddress); } VOID PhDeleteMemoryItemList( _In_ PPH_MEMORY_ITEM_LIST List ) { PLIST_ENTRY listEntry; PPH_MEMORY_ITEM memoryItem; listEntry = List->ListHead.Flink; while (listEntry != &List->ListHead) { memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); listEntry = listEntry->Flink; PhDereferenceObject(memoryItem); } } PPH_MEMORY_ITEM PhLookupMemoryItemList( _In_ PPH_MEMORY_ITEM_LIST List, _In_ PVOID Address ) { PH_MEMORY_ITEM lookupMemoryItem; PPH_AVL_LINKS links; PPH_MEMORY_ITEM memoryItem; // Do an approximate search on the set to locate the memory item with the largest // base address that is still smaller than the given address. lookupMemoryItem.BaseAddress = Address; links = PhUpperDualBoundElementAvlTree(&List->Set, &lookupMemoryItem.Links); if (links) { memoryItem = CONTAINING_RECORD(links, PH_MEMORY_ITEM, Links); if ((ULONG_PTR)Address < (ULONG_PTR)memoryItem->BaseAddress + memoryItem->RegionSize) return memoryItem; } return NULL; } // Split an existing memory item at the specified address and return the new item starting at Address. // The original item is shrunk to end just before Address. The new item inherits metadata and will be // inserted directly after the original in both the list and AVL tree. (dmex) static PPH_MEMORY_ITEM PhpSplitMemoryItem( _In_ PPH_MEMORY_ITEM_LIST List, _Inout_ PPH_MEMORY_ITEM MemoryItem, _In_ PVOID Address ) { PPH_MEMORY_ITEM newItem; ULONG_PTR addr = (ULONG_PTR)Address; ULONG_PTR start = (ULONG_PTR)MemoryItem->BaseAddress; ULONG_PTR end = start + MemoryItem->RegionSize; if (addr <= start || addr >= end) return NULL; // Copy region info newItem = PhCreateMemoryItem(); newItem->BasicInfo = MemoryItem->BasicInfo; newItem->BaseAddress = (PVOID)addr; newItem->BasicInfo.BaseAddress = (PVOID)addr; newItem->RegionSize = end - addr; newItem->BasicInfo.RegionSize = newItem->RegionSize; PhPrintPointer(newItem->BaseAddressString, newItem->BaseAddress); // Adjust current region size. SIZE_T originalRegionSize = MemoryItem->RegionSize; MemoryItem->RegionSize = addr - start; MemoryItem->BasicInfo.RegionSize = MemoryItem->RegionSize; if (MemoryItem->CommittedSize == originalRegionSize) { newItem->CommittedSize = newItem->RegionSize; MemoryItem->CommittedSize = MemoryItem->RegionSize; } if (MemoryItem->PrivateSize == originalRegionSize && (MemoryItem->Type & MEM_PRIVATE)) { newItem->PrivateSize = newItem->RegionSize; MemoryItem->PrivateSize = MemoryItem->RegionSize; } newItem->AllocationBase = MemoryItem->AllocationBase; newItem->AllocationBaseItem = MemoryItem->AllocationBaseItem; newItem->Type = MemoryItem->Type; newItem->State = MemoryItem->State; newItem->AllocationProtect = MemoryItem->AllocationProtect; newItem->Protect = MemoryItem->Protect; newItem->Valid = FALSE; newItem->Bad = FALSE; newItem->RegionTypeEx = MemoryItem->RegionTypeEx; PhAddElementAvlTree(&List->Set, &newItem->Links); newItem->ListEntry.Flink = MemoryItem->ListEntry.Flink; newItem->ListEntry.Blink = &MemoryItem->ListEntry; MemoryItem->ListEntry.Flink->Blink = &newItem->ListEntry; MemoryItem->ListEntry.Flink = &newItem->ListEntry; return newItem; } PPH_MEMORY_ITEM PhpSetMemoryRegionType( _In_ PPH_MEMORY_ITEM_LIST List, _In_ PVOID Address, _In_ BOOLEAN GoToAllocationBase, _In_ PH_MEMORY_REGION_TYPE RegionType ) { PPH_MEMORY_ITEM memoryItem; memoryItem = PhLookupMemoryItemList(List, Address); if (!memoryItem) return NULL; if (GoToAllocationBase && memoryItem->AllocationBaseItem) memoryItem = memoryItem->AllocationBaseItem; // If we are tagging a sub-region inside an already tagged region, split it first. if (!GoToAllocationBase && memoryItem->RegionType != UnknownRegion && memoryItem->BaseAddress != Address) { PPH_MEMORY_ITEM newItem = PhpSplitMemoryItem(List, memoryItem, Address); if (newItem) { newItem->RegionType = RegionType; return newItem; } return NULL; // Could not split; don't overwrite existing tag. } // If region is Unknown but the address is interior and we don't want allocation base, split so the tag is precise. if (!GoToAllocationBase && memoryItem->RegionType == UnknownRegion && memoryItem->BaseAddress != Address) { PPH_MEMORY_ITEM newItem = PhpSplitMemoryItem(List, memoryItem, Address); if (newItem) memoryItem = newItem; // Tag the new split item below. } if (memoryItem->RegionType != UnknownRegion) return NULL; memoryItem->RegionType = RegionType; return memoryItem; } VOID PhpUpdateHeapRegions( _In_ PPH_MEMORY_ITEM_LIST List ) { NTSTATUS status; HANDLE processHandle = NULL; HANDLE clientProcessId = List->ProcessId; PROCESS_REFLECTION_INFORMATION reflectionInfo = { 0 }; PRTL_DEBUG_INFORMATION debugBuffer = NULL; PPH_PROCESS_DEBUG_HEAP_INFORMATION heapDebugInfo = NULL; HANDLE powerRequestHandle = NULL; status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE, List->ProcessId ); if (NT_SUCCESS(status)) { if (WindowsVersion >= WINDOWS_10) PhCreateExecutionRequiredRequest(processHandle, &powerRequestHandle); if (PhGetIntegerSetting(SETTING_ENABLE_HEAP_REFLECTION)) { status = PhCreateProcessReflection( &reflectionInfo, processHandle ); if (NT_SUCCESS(status)) { clientProcessId = reflectionInfo.ReflectionClientId.UniqueProcess; } } } for (ULONG i = 0x10000; ; i *= 2) // based on PhQueryProcessHeapInformation (ge0rdi) { if (!(debugBuffer = RtlCreateQueryDebugBuffer(i, FALSE))) { status = STATUS_UNSUCCESSFUL; break; } status = RtlQueryProcessDebugInformation( clientProcessId, RTL_QUERY_PROCESS_HEAP_SUMMARY | RTL_QUERY_PROCESS_HEAP_SEGMENTS | RTL_QUERY_PROCESS_NONINVASIVE, debugBuffer ); if (!NT_SUCCESS(status)) { RtlDestroyQueryDebugBuffer(debugBuffer); debugBuffer = NULL; } if (NT_SUCCESS(status) || status != STATUS_NO_MEMORY) break; if (2 * i <= i) break; } PhFreeProcessReflection(&reflectionInfo); if (processHandle) NtClose(processHandle); if (powerRequestHandle) PhDestroyExecutionRequiredRequest(powerRequestHandle); if (!NT_SUCCESS(status)) return; if (!debugBuffer->Heaps) { RtlDestroyQueryDebugBuffer(debugBuffer); return; } if (WindowsVersion > WINDOWS_11) { heapDebugInfo = PhAllocateZero(sizeof(PH_PROCESS_DEBUG_HEAP_INFORMATION) + ((PRTL_PROCESS_HEAPS_V2)debugBuffer->Heaps)->NumberOfHeaps * sizeof(PH_PROCESS_DEBUG_HEAP_ENTRY)); heapDebugInfo->NumberOfHeaps = ((PRTL_PROCESS_HEAPS_V2)debugBuffer->Heaps)->NumberOfHeaps; } else { heapDebugInfo = PhAllocateZero(sizeof(PH_PROCESS_DEBUG_HEAP_INFORMATION) + ((PRTL_PROCESS_HEAPS_V1)debugBuffer->Heaps)->NumberOfHeaps * sizeof(PH_PROCESS_DEBUG_HEAP_ENTRY)); heapDebugInfo->NumberOfHeaps = ((PRTL_PROCESS_HEAPS_V1)debugBuffer->Heaps)->NumberOfHeaps; } for (ULONG i = 0; i < heapDebugInfo->NumberOfHeaps; i++) { RTL_HEAP_INFORMATION_V2 heapInfo = { 0 }; PPH_MEMORY_ITEM heapMemoryItem; if (WindowsVersion > WINDOWS_11) { heapInfo = ((PRTL_PROCESS_HEAPS_V2)debugBuffer->Heaps)->Heaps[i]; } else { RTL_HEAP_INFORMATION_V1 heapInfoV1 = ((PRTL_PROCESS_HEAPS_V1)debugBuffer->Heaps)->Heaps[i]; heapInfo.NumberOfEntries = heapInfoV1.NumberOfEntries; heapInfo.Entries = heapInfoV1.Entries; heapInfo.BytesCommitted = heapInfoV1.BytesCommitted; heapInfo.Flags = heapInfoV1.Flags; heapInfo.BaseAddress = heapInfoV1.BaseAddress; } if (!heapInfo.BaseAddress) continue; if (heapMemoryItem = PhpSetMemoryRegionType(List, heapInfo.BaseAddress, TRUE, HeapRegion)) { heapMemoryItem->u.Heap.Index = i; for (ULONG j = 0; j < heapInfo.NumberOfEntries; j++) { PRTL_HEAP_ENTRY heapEntry = &heapInfo.Entries[j]; if (heapEntry->Flags & RTL_HEAP_SEGMENT) { PVOID blockAddress = heapEntry->u.s2.FirstBlock; PPH_MEMORY_ITEM memoryItem = PhLookupMemoryItemList(List, blockAddress); if (memoryItem && memoryItem->BaseAddress == blockAddress && memoryItem->RegionType == UnknownRegion) { memoryItem->RegionType = HeapSegmentRegion; memoryItem->u.HeapSegment.HeapItem = heapMemoryItem; } } } } } RtlDestroyQueryDebugBuffer(debugBuffer); } NTSTATUS PhpUpdateMemoryRegionTypes( _In_ PPH_MEMORY_ITEM_LIST List, _In_ HANDLE ProcessHandle ) { NTSTATUS status; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; ULONG i; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif PPH_MEMORY_ITEM memoryItem; PLIST_ENTRY listEntry; if (!NT_SUCCESS(status = PhEnumProcessesEx(&processes, SystemExtendedProcessInformation))) return status; process = PhFindProcessInformation(processes, List->ProcessId); if (!process) { PhFree(processes); return STATUS_NOT_FOUND; } // USER_SHARED_DATA PhpSetMemoryRegionType(List, USER_SHARED_DATA, TRUE, UserSharedDataRegion); // HYPERVISOR_SHARED_DATA if (WindowsVersion >= WINDOWS_10_RS4) { static PSYSTEM_HYPERVISOR_USER_SHARED_DATA hypervisorSharedUserData = NULL; static PH_INITONCE hypervisorSharedUserInitOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&hypervisorSharedUserInitOnce)) { PhGetSystemHypervisorSharedPageInformation(&hypervisorSharedUserData); PhEndInitOnce(&hypervisorSharedUserInitOnce); } if (hypervisorSharedUserData) { PhpSetMemoryRegionType(List, hypervisorSharedUserData, TRUE, HypervisorSharedDataRegion); } } // PEB, heap { ULONG numberOfHeaps; PVOID processPeb; PVOID processHeapsPtr; PVOID *processHeaps; PVOID apiSetMap; PVOID processParameters; PVOID readOnlySharedMemory; PVOID codePageData; PVOID gdiSharedHandleTable; PVOID shimData; PVOID activationContextData; PVOID defaultActivationContextData; PVOID werRegistrationData; PVOID siloSharedData; PVOID telemetryCoverageData; PVOID leapSecondData; #ifdef _WIN64 PVOID processPeb32; ULONG processHeapsPtr32; ULONG *processHeaps32; ULONG apiSetMap32; ULONG processParameters32; ULONG readOnlySharedMemory32; ULONG codePageData32; ULONG gdiSharedHandleTable32; ULONG shimData32; ULONG activationContextData32; ULONG defaultActivationContextData32; ULONG werRegistrationData32; ULONG siloSharedData32; ULONG telemetryCoverageData32; ULONG leapSecondData32; #endif if (PhGetIntegerSetting(SETTING_ENABLE_HEAP_MEMORY_TAGGING)) { PhpUpdateHeapRegions(List); } if (NT_SUCCESS(PhGetProcessPeb(ProcessHandle, &processPeb))) { // Windows 10 RS2 and above 'added TEB/PEB sub-VAD segments' (dmex) PhpSetMemoryRegionType(List, processPeb, WindowsVersion < WINDOWS_10_RS2 ? TRUE : FALSE, PebRegion); if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, UFIELD_OFFSET(PEB, NumberOfHeaps)), &numberOfHeaps, sizeof(ULONG), NULL )) && numberOfHeaps > 0 && numberOfHeaps < MAX_HEAPS) { processHeaps = PhAllocate(numberOfHeaps * sizeof(PVOID)); if ( NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, PTR_ADD_OFFSET(processPeb, UFIELD_OFFSET(PEB, ProcessHeaps)), &processHeapsPtr, sizeof(PVOID), NULL)) && NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, processHeapsPtr, processHeaps, numberOfHeaps * sizeof(PVOID), NULL)) ) { for (i = 0; i < numberOfHeaps; i++) { if (memoryItem = PhpSetMemoryRegionType(List, processHeaps[i], TRUE, HeapRegion)) { PH_ANY_HEAP buffer; memoryItem->u.Heap.Index = i; // Try to read heap class from the header if (NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, processHeaps[i], &buffer, sizeof(buffer), NULL))) { if (WindowsVersion >= WINDOWS_8) { if (buffer.Heap.Signature == HEAP_SIGNATURE) { memoryItem->u.Heap.ClassValid = TRUE; memoryItem->u.Heap.Class = buffer.Heap.Flags & HEAP_CLASS_MASK; } else if (buffer.Heap32.Signature == HEAP_SIGNATURE) { memoryItem->u.Heap.ClassValid = TRUE; memoryItem->u.Heap.Class = buffer.Heap32.Flags & HEAP_CLASS_MASK; } else if (WindowsVersion >= WINDOWS_8_1) { // Windows 8.1 and above can use segment heaps if (buffer.SegmentHeap.Signature == SEGMENT_HEAP_SIGNATURE) { memoryItem->u.Heap.ClassValid = TRUE; memoryItem->u.Heap.Class = buffer.SegmentHeap.GlobalFlags & HEAP_CLASS_MASK; } else if (buffer.SegmentHeap32.Signature == SEGMENT_HEAP_SIGNATURE) { memoryItem->u.Heap.ClassValid = TRUE; memoryItem->u.Heap.Class = buffer.SegmentHeap32.GlobalFlags & HEAP_CLASS_MASK; } } } else { if (buffer.HeapOld.Signature == HEAP_SIGNATURE) { memoryItem->u.Heap.ClassValid = TRUE; memoryItem->u.Heap.Class = buffer.HeapOld.Flags & HEAP_CLASS_MASK; } else if (buffer.HeapOld32.Signature == HEAP_SIGNATURE) { memoryItem->u.Heap.ClassValid = TRUE; memoryItem->u.Heap.Class = buffer.HeapOld32.Flags & HEAP_CLASS_MASK; } } } } } } PhFree(processHeaps); } // RTL_USER_PROCESS_PARAMETERS if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, ProcessParameters)), &processParameters, sizeof(PVOID), NULL )) && processParameters) { PhpSetMemoryRegionType(List, processParameters, TRUE, ProcessParametersRegion); } // ApiSet schema map if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, ApiSetMap)), &apiSetMap, sizeof(PVOID), NULL )) && apiSetMap) { PhpSetMemoryRegionType(List, apiSetMap, TRUE, ApiSetMapRegion); } // CSR shared memory if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, ReadOnlySharedMemoryBase)), &readOnlySharedMemory, sizeof(PVOID), NULL )) && readOnlySharedMemory) { PhpSetMemoryRegionType(List, readOnlySharedMemory, TRUE, ReadOnlySharedMemoryRegion); } // CodePage data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, AnsiCodePageData)), &codePageData, sizeof(PVOID), NULL )) && codePageData) { PhpSetMemoryRegionType(List, codePageData, TRUE, CodePageDataRegion); } // GDI shared handle table if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, GdiSharedHandleTable)), &gdiSharedHandleTable, sizeof(PVOID), NULL )) && gdiSharedHandleTable) { PhpSetMemoryRegionType(List, gdiSharedHandleTable, TRUE, GdiSharedHandleTableRegion); } // Shim data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, pShimData)), &shimData, sizeof(PVOID), NULL )) && shimData) { PhpSetMemoryRegionType(List, shimData, TRUE, ShimDataRegion); } // Process activation context data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, ActivationContextData)), &activationContextData, sizeof(PVOID), NULL )) && activationContextData) { if (memoryItem = PhpSetMemoryRegionType(List, activationContextData, TRUE, ActivationContextDataRegion)) { memoryItem->u.ActivationContextData.Type = ProcessActivationContext; } } // System-default activation context data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, SystemDefaultActivationContextData)), &defaultActivationContextData, sizeof(PVOID), NULL )) && defaultActivationContextData) { if (memoryItem = PhpSetMemoryRegionType(List, defaultActivationContextData, TRUE, ActivationContextDataRegion)) { memoryItem->u.ActivationContextData.Type = SystemActivationContext; } } // WER registration data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, WerRegistrationData)), &werRegistrationData, sizeof(PVOID), NULL )) && werRegistrationData) { PhpSetMemoryRegionType(List, werRegistrationData, TRUE, WerRegistrationDataRegion); } // Silo shared data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, SharedData)), &siloSharedData, sizeof(PVOID), NULL )) && siloSharedData) { PhpSetMemoryRegionType(List, siloSharedData, TRUE, SiloSharedDataRegion); } // Telemetry coverage map if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, FIELD_OFFSET(PEB, TelemetryCoverageHeader)), &telemetryCoverageData, sizeof(PVOID), NULL )) && telemetryCoverageData) { PhpSetMemoryRegionType(List, telemetryCoverageData, TRUE, TelemetryCoverageRegion); } // Leap second data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb, UFIELD_OFFSET(PEB, LeapSecondData)), &leapSecondData, sizeof(PVOID), NULL )) && leapSecondData) { PhpSetMemoryRegionType(List, leapSecondData, TRUE, LeapSecondDataRegion); } } #ifdef _WIN64 if (NT_SUCCESS(PhGetProcessPeb32(ProcessHandle, &processPeb32))) { isWow64 = TRUE; PhpSetMemoryRegionType(List, processPeb32, TRUE, Peb32Region); if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, NumberOfHeaps)), &numberOfHeaps, sizeof(ULONG), NULL )) && numberOfHeaps < MAX_HEAPS) { processHeaps32 = PhAllocate(numberOfHeaps * sizeof(ULONG)); if ( NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, ProcessHeaps)), &processHeapsPtr32, sizeof(ULONG), NULL)) && NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, UlongToPtr(processHeapsPtr32), processHeaps32, numberOfHeaps * sizeof(ULONG), NULL)) ) { for (i = 0; i < numberOfHeaps; i++) { if (memoryItem = PhpSetMemoryRegionType(List, UlongToPtr(processHeaps32[i]), TRUE, Heap32Region)) memoryItem->u.Heap.Index = i; } } PhFree(processHeaps32); } // RTL_USER_PROCESS_PARAMETERS if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, FIELD_OFFSET(PEB32, ProcessParameters)), &processParameters32, sizeof(ULONG), NULL )) && processParameters32) { PhpSetMemoryRegionType(List, UlongToPtr(processParameters32), TRUE, ProcessParametersRegion); } // ApiSet schema map if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, ApiSetMap)), &apiSetMap32, sizeof(ULONG), NULL )) && apiSetMap32) { PhpSetMemoryRegionType(List, UlongToPtr(apiSetMap32), TRUE, ApiSetMapRegion); } // CSR shared memory if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, ReadOnlySharedMemoryBase)), &readOnlySharedMemory32, sizeof(ULONG), NULL )) && readOnlySharedMemory32) { PhpSetMemoryRegionType(List, UlongToPtr(readOnlySharedMemory32), TRUE, ReadOnlySharedMemoryRegion); } // CodePage data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, AnsiCodePageData)), &codePageData32, sizeof(ULONG), NULL )) && codePageData32) { PhpSetMemoryRegionType(List, UlongToPtr(codePageData32), TRUE, CodePageDataRegion); } // GDI shared handle table if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, GdiSharedHandleTable)), &gdiSharedHandleTable32, sizeof(ULONG), NULL )) && gdiSharedHandleTable32) { PhpSetMemoryRegionType(List, UlongToPtr(gdiSharedHandleTable32), TRUE, GdiSharedHandleTableRegion); } // Shim data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, pShimData)), &shimData32, sizeof(ULONG), NULL )) && shimData32) { PhpSetMemoryRegionType(List, UlongToPtr(shimData32), TRUE, ShimDataRegion); } // Process activation context data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, ActivationContextData)), &activationContextData32, sizeof(ULONG), NULL )) && activationContextData32) { if (memoryItem = PhpSetMemoryRegionType(List, UlongToPtr(activationContextData32), TRUE, ActivationContextDataRegion)) { memoryItem->u.ActivationContextData.Type = ProcessActivationContext; } } // System-default activation context data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, SystemDefaultActivationContextData)), &defaultActivationContextData32, sizeof(ULONG), NULL )) && defaultActivationContextData32) { if (memoryItem = PhpSetMemoryRegionType(List, UlongToPtr(defaultActivationContextData32), TRUE, ActivationContextDataRegion)) { memoryItem->u.ActivationContextData.Type = SystemActivationContext; } } // WER registration data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, WerRegistrationData)), &werRegistrationData32, sizeof(ULONG), NULL )) && werRegistrationData32) { PhpSetMemoryRegionType(List, UlongToPtr(werRegistrationData32), TRUE, WerRegistrationDataRegion); } // Silo shared data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, SharedData)), &siloSharedData32, sizeof(ULONG), NULL )) && siloSharedData32) { PhpSetMemoryRegionType(List, UlongToPtr(siloSharedData32), TRUE, SiloSharedDataRegion); } // Telemetry coverage map if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, TelemetryCoverageHeader)), &telemetryCoverageData32, sizeof(ULONG), NULL )) && telemetryCoverageData32) { PhpSetMemoryRegionType(List, UlongToPtr(telemetryCoverageData32), TRUE, TelemetryCoverageRegion); } // Leap second data if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processPeb32, UFIELD_OFFSET(PEB32, LeapSecondData)), &leapSecondData32, sizeof(ULONG), NULL )) && leapSecondData32) { PhpSetMemoryRegionType(List, UlongToPtr(leapSecondData32), TRUE, LeapSecondDataRegion); } } #endif } // TEB, stack, desktop heap for (i = 0; i < process->NumberOfThreads; i++) { PSYSTEM_EXTENDED_THREAD_INFORMATION thread = (PSYSTEM_EXTENDED_THREAD_INFORMATION)process->Threads + i; if (thread->TebBaseAddress) { NT_TIB ntTib; PVOID desktopInfo; SIZE_T bytesRead; // HACK: Windows 10 RS2 and above 'added TEB/PEB sub-VAD segments' and we need to tag individual sections. if (memoryItem = PhpSetMemoryRegionType(List, thread->TebBaseAddress, WindowsVersion < WINDOWS_10_RS2 ? TRUE : FALSE, TebRegion)) memoryItem->u.Teb.ThreadId = thread->ThreadInfo.ClientId.UniqueThread; if (NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, thread->TebBaseAddress, &ntTib, sizeof(NT_TIB), &bytesRead)) && bytesRead == sizeof(NT_TIB)) { if ((ULONG_PTR)ntTib.StackLimit < (ULONG_PTR)ntTib.StackBase) { if (memoryItem = PhpSetMemoryRegionType(List, ntTib.StackLimit, TRUE, StackRegion)) memoryItem->u.Stack.ThreadId = thread->ThreadInfo.ClientId.UniqueThread; } #ifdef _WIN64 if (isWow64 && ntTib.ExceptionList) { ULONG teb32 = PtrToUlong(ntTib.ExceptionList); NT_TIB32 ntTib32; // 64-bit and 32-bit TEBs usually share the same memory region, so don't do anything for the 32-bit // TEB. if (NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, UlongToPtr(teb32), &ntTib32, sizeof(NT_TIB32), &bytesRead)) && bytesRead == sizeof(NT_TIB32)) { if (ntTib32.StackLimit < ntTib32.StackBase) { if (memoryItem = PhpSetMemoryRegionType(List, UlongToPtr(ntTib32.StackLimit), TRUE, Stack32Region)) memoryItem->u.Stack.ThreadId = thread->ThreadInfo.ClientId.UniqueThread; } } } #endif } // TEB->Win32ClientInfo.DesktopBase (which nowadays is a pointer to the start of the desktop heap) // used to be called ClientDelta before RS2 and used to store the difference between the kernel and // the user mappings of the desktop heap. TEB->Win32ClientInfo.DeskInfo, on the other hand, has // always been a pointer to a structure on the desktop heap. (diversenok) // Desktop heap if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(thread->TebBaseAddress, FIELD_OFFSET(TEB, Win32ClientInfo.DeskInfo)), &desktopInfo, sizeof(PVOID), NULL )) && desktopInfo) { PhpSetMemoryRegionType(List, desktopInfo, TRUE, DesktopHeapRegion); } } } // Mapped file, heap segment, unusable for (listEntry = List->ListHead.Flink; listEntry != &List->ListHead; listEntry = listEntry->Flink) { memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); if (memoryItem->RegionType != UnknownRegion) continue; if (FlagOn(memoryItem->Type, MEM_MAPPED | MEM_IMAGE) && memoryItem->AllocationBaseItem == memoryItem) { MEMORY_IMAGE_INFORMATION imageInfo; PPH_STRING fileName; if (FlagOn(memoryItem->Type, MEM_IMAGE)) { if (NT_SUCCESS(PhGetProcessMappedImageInformation(ProcessHandle, memoryItem->BaseAddress, &imageInfo))) { memoryItem->u.MappedFile.SigningLevelValid = TRUE; memoryItem->u.MappedFile.SigningLevel = (SE_SIGNING_LEVEL)imageInfo.ImageSigningLevel; } } if (NT_SUCCESS(PhGetProcessMappedFileName(ProcessHandle, memoryItem->BaseAddress, &fileName))) { PPH_STRING newFileName = PhResolveDevicePrefix(&fileName->sr); if (newFileName) PhMoveReference(&fileName, newFileName); memoryItem->RegionType = MappedFileRegion; memoryItem->u.MappedFile.FileName = fileName; continue; } } if (FlagOn(memoryItem->State, MEM_COMMIT) && memoryItem->Valid && !memoryItem->Bad) { UCHAR buffer[HEAP_SEGMENT_MAX_SIZE]; if (NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, memoryItem->BaseAddress, buffer, sizeof(buffer), NULL))) { PVOID candidateHeap = NULL; ULONG candidateHeap32 = 0; PPH_MEMORY_ITEM heapMemoryItem; PHEAP_SEGMENT heapSegment = (PHEAP_SEGMENT)buffer; PHEAP_SEGMENT32 heapSegment32 = (PHEAP_SEGMENT32)buffer; if (heapSegment->SegmentSignature == HEAP_SEGMENT_SIGNATURE) candidateHeap = heapSegment->Heap; if (heapSegment32->SegmentSignature == HEAP_SEGMENT_SIGNATURE) candidateHeap32 = heapSegment32->Heap; if (candidateHeap) { heapMemoryItem = PhLookupMemoryItemList(List, candidateHeap); if (heapMemoryItem && heapMemoryItem->BaseAddress == candidateHeap && heapMemoryItem->RegionType == HeapRegion) { memoryItem->RegionType = HeapSegmentRegion; memoryItem->u.HeapSegment.HeapItem = heapMemoryItem; continue; } } else if (candidateHeap32) { heapMemoryItem = PhLookupMemoryItemList(List, UlongToPtr(candidateHeap32)); if (heapMemoryItem && heapMemoryItem->BaseAddress == UlongToPtr(candidateHeap32) && heapMemoryItem->RegionType == Heap32Region) { memoryItem->RegionType = HeapSegment32Region; memoryItem->u.HeapSegment.HeapItem = heapMemoryItem; continue; } } } } if (FlagOn(memoryItem->Type, MEM_MAPPED) && memoryItem->AllocationProtect == PAGE_READONLY && memoryItem->AllocationBaseItem == memoryItem) { ACTIVATION_CONTEXT_DATA buffer; if (NT_SUCCESS(PhReadVirtualMemory(ProcessHandle, memoryItem->BaseAddress, &buffer, sizeof(buffer), NULL))) { if (buffer.Magic == ACTIVATION_CONTEXT_DATA_MAGIC) { memoryItem->RegionType = ActivationContextDataRegion; memoryItem->u.ActivationContextData.Type = CustomActivationContext; continue; } } } } #ifdef _WIN64 PS_SYSTEM_DLL_INIT_BLOCK ldrInitBlock; PPH_MEMORY_ITEM cfgBitmapMemoryItem; status = PhGetProcessSystemDllInitBlock(ProcessHandle, &ldrInitBlock); if (NT_SUCCESS(status)) { if (RTL_CONTAINS_FIELD(&ldrInitBlock, ldrInitBlock.Size, CfgBitMap) && ldrInitBlock.CfgBitMap && (cfgBitmapMemoryItem = PhLookupMemoryItemList(List, (PVOID)ldrInitBlock.CfgBitMap))) { listEntry = &cfgBitmapMemoryItem->ListEntry; memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); while (memoryItem->AllocationBaseItem == cfgBitmapMemoryItem) { // lucasg: We could do a finer tagging since each MEM_COMMIT memory // map is the CFG bitmap of a loaded module. However that might be // brittle to changes made by Windows dev teams. memoryItem->RegionType = CfgBitmapRegion; listEntry = listEntry->Flink; memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); } } // Note: Wow64 processes on 64bit also have CfgBitmap regions. if (RTL_CONTAINS_FIELD(&ldrInitBlock, ldrInitBlock.Size, Wow64CfgBitMap) && isWow64 && ldrInitBlock.Wow64CfgBitMap && (cfgBitmapMemoryItem = PhLookupMemoryItemList(List, (PVOID)ldrInitBlock.Wow64CfgBitMap))) { listEntry = &cfgBitmapMemoryItem->ListEntry; memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); while (memoryItem->AllocationBaseItem == cfgBitmapMemoryItem) { memoryItem->RegionType = CfgBitmap32Region; listEntry = listEntry->Flink; memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); } } } #endif PhFree(processes); return STATUS_SUCCESS; } NTSTATUS PhpUpdateMemoryWsCounters( _In_ PPH_MEMORY_ITEM_LIST List, _In_ HANDLE ProcessHandle ) { PLIST_ENTRY listEntry; PMEMORY_WORKING_SET_EX_INFORMATION info; info = PhAllocatePage(WS_REQUEST_COUNT * sizeof(MEMORY_WORKING_SET_EX_INFORMATION), NULL); if (!info) return STATUS_NO_MEMORY; for (listEntry = List->ListHead.Flink; listEntry != &List->ListHead; listEntry = listEntry->Flink) { PPH_MEMORY_ITEM memoryItem = CONTAINING_RECORD(listEntry, PH_MEMORY_ITEM, ListEntry); ULONG_PTR virtualAddress; SIZE_T remainingPages; SIZE_T requestPages; SIZE_T i; if (!(memoryItem->State & MEM_COMMIT)) continue; virtualAddress = (ULONG_PTR)memoryItem->BaseAddress; remainingPages = memoryItem->RegionSize / PAGE_SIZE; while (remainingPages != 0) { requestPages = min(remainingPages, WS_REQUEST_COUNT); for (i = 0; i < requestPages; i++) { info[i].VirtualAddress = (PVOID)virtualAddress; virtualAddress += PAGE_SIZE; } if (NT_SUCCESS(NtQueryVirtualMemory( ProcessHandle, NULL, MemoryWorkingSetExInformation, info, requestPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION), NULL ))) { for (i = 0; i < requestPages; i++) { PMEMORY_WORKING_SET_EX_BLOCK block = &info[i].VirtualAttributes; if (block->Valid) { memoryItem->TotalWorkingSetPages++; if (block->ShareCount > 1) memoryItem->SharedWorkingSetPages++; if (block->ShareCount == 0) memoryItem->PrivateWorkingSetPages++; if (block->Shared) memoryItem->ShareableWorkingSetPages++; if (block->Locked) memoryItem->LockedWorkingSetPages++; if (memoryItem->Type & (MEM_MAPPED | MEM_IMAGE) && block->SharedOriginal) memoryItem->SharedOriginalPages++; if (block->Priority > memoryItem->Priority) memoryItem->Priority = block->Priority; } else { if (memoryItem->Type & (MEM_MAPPED | MEM_IMAGE) && block->Invalid.SharedOriginal) memoryItem->SharedOriginalPages++; // VMMap does this, but is it correct? (dmex) if (block->Invalid.Shared) memoryItem->ShareableWorkingSetPages++; } } } remainingPages -= requestPages; } } PhFreePage(info); return STATUS_SUCCESS; } NTSTATUS PhpUpdateMemoryWsCountersOld( _In_ PPH_MEMORY_ITEM_LIST List, _In_ HANDLE ProcessHandle ) { NTSTATUS status; PMEMORY_WORKING_SET_INFORMATION info; PPH_MEMORY_ITEM memoryItem = NULL; ULONG_PTR i; if (!NT_SUCCESS(status = PhGetProcessWorkingSetInformation(ProcessHandle, &info))) return status; for (i = 0; i < info->NumberOfEntries; i++) { PMEMORY_WORKING_SET_BLOCK block = &info->WorkingSetInfo[i]; ULONG_PTR virtualAddress = block->VirtualPage * PAGE_SIZE; if (!memoryItem || virtualAddress < (ULONG_PTR)memoryItem->BaseAddress || virtualAddress >= (ULONG_PTR)memoryItem->BaseAddress + memoryItem->RegionSize) { memoryItem = PhLookupMemoryItemList(List, (PVOID)virtualAddress); } if (memoryItem) { memoryItem->TotalWorkingSetPages++; if (block->ShareCount > 1) memoryItem->SharedWorkingSetPages++; if (block->ShareCount == 0) memoryItem->PrivateWorkingSetPages++; if (block->Shared) memoryItem->ShareableWorkingSetPages++; } } PhFree(info); return STATUS_SUCCESS; } NTSTATUS PhQueryMemoryItemList( _In_ HANDLE ProcessId, _In_ ULONG Flags, _Out_ PPH_MEMORY_ITEM_LIST List ) { NTSTATUS status; HANDLE processHandle; ULONG_PTR allocationGranularity; PVOID baseAddress = (PVOID)0; MEMORY_BASIC_INFORMATION basicInfo; PPH_MEMORY_ITEM allocationBaseItem = NULL; PPH_MEMORY_ITEM previousMemoryItem = NULL; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessId ))) { if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId ))) { return status; } } List->ProcessId = ProcessId; PhInitializeAvlTree(&List->Set, PhpMemoryItemCompareFunction); InitializeListHead(&List->ListHead); allocationGranularity = PhSystemBasicInformation.AllocationGranularity; while (NT_SUCCESS(NtQueryVirtualMemory( processHandle, baseAddress, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { PPH_MEMORY_ITEM memoryItem; if (basicInfo.State & MEM_FREE) { if (Flags & PH_QUERY_MEMORY_IGNORE_FREE) goto ContinueLoop; basicInfo.AllocationBase = basicInfo.BaseAddress; } memoryItem = PhCreateMemoryItem(); memoryItem->BasicInfo = basicInfo; if (basicInfo.AllocationBase == basicInfo.BaseAddress) allocationBaseItem = memoryItem; if (allocationBaseItem && basicInfo.AllocationBase == allocationBaseItem->BaseAddress) memoryItem->AllocationBaseItem = allocationBaseItem; if (Flags & PH_QUERY_MEMORY_ZERO_PAD_ADDRESSES) PhPrintPointerPadZeros(memoryItem->BaseAddressString, memoryItem->BasicInfo.BaseAddress); else PhPrintPointer(memoryItem->BaseAddressString, memoryItem->BasicInfo.BaseAddress); if (basicInfo.State & MEM_COMMIT) { memoryItem->CommittedSize = memoryItem->RegionSize; if (basicInfo.Type & MEM_PRIVATE) memoryItem->PrivateSize = memoryItem->RegionSize; } if (!FlagOn(basicInfo.State, MEM_FREE)) { MEMORY_WORKING_SET_EX_INFORMATION pageInfo; static_assert(HEAP_SEGMENT_MAX_SIZE < PAGE_SIZE, "Update query attributes for additional pages"); // Query the attributes for the first page (dmex) memset(&pageInfo, 0, sizeof(MEMORY_WORKING_SET_EX_INFORMATION)); pageInfo.VirtualAddress = baseAddress; if (NT_SUCCESS(NtQueryVirtualMemory( processHandle, NULL, MemoryWorkingSetExInformation, &pageInfo, sizeof(MEMORY_WORKING_SET_EX_INFORMATION), NULL ))) { PMEMORY_WORKING_SET_EX_BLOCK block = &pageInfo.VirtualAttributes; memoryItem->Valid = !!block->Valid; memoryItem->Bad = !!block->Bad; } if (WindowsVersion > WINDOWS_8) { MEMORY_REGION_INFORMATION regionInfo; // Query the region (dmex) memset(®ionInfo, 0, sizeof(MEMORY_REGION_INFORMATION)); if (NT_SUCCESS(NtQueryVirtualMemory( processHandle, baseAddress, MemoryRegionInformationEx, ®ionInfo, sizeof(MEMORY_REGION_INFORMATION), NULL ))) { memoryItem->RegionTypeEx = regionInfo.RegionType; //memoryItem->RegionSize = regionInfo.RegionSize; //memoryItem->CommittedSize = regionInfo.CommitSize; } } } PhAddElementAvlTree(&List->Set, &memoryItem->Links); InsertTailList(&List->ListHead, &memoryItem->ListEntry); if (basicInfo.State & MEM_FREE) { if ((ULONG_PTR)basicInfo.BaseAddress & (allocationGranularity - 1)) { ULONG_PTR nextAllocationBase; ULONG_PTR potentialUnusableSize; // Split this free region into an unusable and a (possibly empty) usable region. nextAllocationBase = ALIGN_UP_BY(basicInfo.BaseAddress, allocationGranularity); potentialUnusableSize = nextAllocationBase - (ULONG_PTR)basicInfo.BaseAddress; memoryItem->RegionType = UnusableRegion; // VMMap does this, but is it correct? //if (previousMemoryItem && (previousMemoryItem->State & MEM_COMMIT)) // memoryItem->CommittedSize = min(potentialUnusableSize, basicInfo.RegionSize); if (nextAllocationBase < (ULONG_PTR)basicInfo.BaseAddress + basicInfo.RegionSize) { PPH_MEMORY_ITEM otherMemoryItem; memoryItem->RegionSize = potentialUnusableSize; otherMemoryItem = PhCreateMemoryItem(); otherMemoryItem->BasicInfo = basicInfo; otherMemoryItem->BaseAddress = (PVOID)nextAllocationBase; otherMemoryItem->AllocationBase = otherMemoryItem->BaseAddress; otherMemoryItem->RegionSize = basicInfo.RegionSize - potentialUnusableSize; otherMemoryItem->AllocationBaseItem = otherMemoryItem; if (Flags & PH_QUERY_MEMORY_ZERO_PAD_ADDRESSES) PhPrintPointerPadZeros(otherMemoryItem->BaseAddressString, otherMemoryItem->BasicInfo.BaseAddress); else PhPrintPointer(otherMemoryItem->BaseAddressString, otherMemoryItem->BasicInfo.BaseAddress); PhAddElementAvlTree(&List->Set, &otherMemoryItem->Links); InsertTailList(&List->ListHead, &otherMemoryItem->ListEntry); previousMemoryItem = otherMemoryItem; goto ContinueLoop; } } } previousMemoryItem = memoryItem; ContinueLoop: baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize); } if (Flags & PH_QUERY_MEMORY_REGION_TYPE) PhpUpdateMemoryRegionTypes(List, processHandle); if (Flags & PH_QUERY_MEMORY_WS_COUNTERS) PhpUpdateMemoryWsCounters(List, processHandle); NtClose(processHandle); return STATUS_SUCCESS; } ================================================ FILE: SystemInformer/memrslt.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #define FILTER_CONTAINS 1 #define FILTER_CONTAINS_IGNORECASE 2 #define FILTER_REGEX 3 #define FILTER_REGEX_IGNORECASE 4 typedef struct _MEMORY_RESULTS_CONTEXT { HANDLE ProcessId; PPH_LIST Results; PH_LAYOUT_MANAGER LayoutManager; } MEMORY_RESULTS_CONTEXT, *PMEMORY_RESULTS_CONTEXT; static RECT MinimumSize = { -1, -1, -1, -1 }; static PPH_STRING PhpGetStringForSelectedResults( _In_ HWND ListViewHandle, _In_ PPH_LIST Results, _In_ BOOLEAN All ) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 0x100); for (ULONG i = 0; i < Results->Count; i++) { PPH_MEMORY_RESULT result; WCHAR value[PH_PTR_STR_LEN_1]; if (!All) { if (!(ListView_GetItemState(ListViewHandle, i, LVIS_SELECTED) & LVIS_SELECTED)) continue; } result = Results->Items[i]; PhPrintPointer(value, result->Address); PhAppendFormatStringBuilder( &stringBuilder, L"%s (%lu): %s\r\n", value, (ULONG)result->Length, result->Display.Buffer ? result->Display.Buffer : L"" ); } return PhFinalStringBuilderString(&stringBuilder); } static VOID FilterResults( _In_ HWND hwndDlg, _In_ PMEMORY_RESULTS_CONTEXT Context, _In_ ULONG Type ) { PPH_STRING selectedChoice = NULL; PPH_LIST results; pcre2_code *compiledExpression; pcre2_match_data *matchData; results = Context->Results; PhSetCursor(PhLoadCursor(NULL, IDC_WAIT)); while (PhaChoiceDialog( hwndDlg, L"Filter", L"Enter the filter pattern:", NULL, 0, NULL, PH_CHOICE_DIALOG_USER_CHOICE, &selectedChoice, NULL, SETTING_MEM_FILTER_CHOICES )) { PPH_LIST newResults = NULL; ULONG i; if (Type == FILTER_CONTAINS || Type == FILTER_CONTAINS_IGNORECASE) { newResults = PhCreateList(1024); if (Type == FILTER_CONTAINS) { for (i = 0; i < results->Count; i++) { PPH_MEMORY_RESULT result = results->Items[i]; if (wcsstr(result->Display.Buffer, selectedChoice->Buffer)) { PhReferenceMemoryResult(result); PhAddItemList(newResults, result); } } } else { PPH_STRING upperChoice; upperChoice = PhaUpperString(selectedChoice); for (i = 0; i < results->Count; i++) { PPH_MEMORY_RESULT result = results->Items[i]; PWSTR upperDisplay; upperDisplay = PhAllocateForMemorySearch(result->Display.Length + sizeof(WCHAR)); // Copy the null terminator as well. memcpy(upperDisplay, result->Display.Buffer, result->Display.Length + sizeof(WCHAR)); _wcsupr(upperDisplay); if (wcsstr(upperDisplay, upperChoice->Buffer)) { PhReferenceMemoryResult(result); PhAddItemList(newResults, result); } PhFreeForMemorySearch(upperDisplay); } } } else if (Type == FILTER_REGEX || Type == FILTER_REGEX_IGNORECASE) { int errorCode; PCRE2_SIZE errorOffset; compiledExpression = pcre2_compile( selectedChoice->Buffer, selectedChoice->Length / sizeof(WCHAR), (Type == FILTER_REGEX_IGNORECASE ? PCRE2_CASELESS : 0) | PCRE2_DOTALL, &errorCode, &errorOffset, NULL ); if (!compiledExpression) { PhShowError2(hwndDlg, L"Unable to compile the regular expression.", L"\"%s\" at position %zu.", PhGetStringOrDefault(PH_AUTO(PhPcre2GetErrorMessage(errorCode)), L"Unknown error"), errorOffset ); continue; } matchData = pcre2_match_data_create_from_pattern(compiledExpression, NULL); newResults = PhCreateList(1024); for (i = 0; i < results->Count; i++) { PPH_MEMORY_RESULT result = results->Items[i]; if (pcre2_match( compiledExpression, result->Display.Buffer, result->Display.Length / sizeof(WCHAR), 0, 0, matchData, NULL ) >= 0) { PhReferenceMemoryResult(result); PhAddItemList(newResults, result); } } pcre2_match_data_free(matchData); pcre2_code_free(compiledExpression); } if (newResults) { PhShowMemoryResultsDialog(Context->ProcessId, newResults); PhDereferenceMemoryResults((PPH_MEMORY_RESULT *)newResults->Items, newResults->Count); PhDereferenceObject(newResults); break; } } PhSetCursor(PhLoadCursor(NULL, IDC_ARROW)); } INT_PTR CALLBACK PhpMemoryResultsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PMEMORY_RESULTS_CONTEXT context; if (uMsg != WM_INITDIALOG) { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } else { context = (PMEMORY_RESULTS_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HWND lvHandle; PhSetApplicationWindowIcon(hwndDlg); PhRegisterDialog(hwndDlg); { PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(context->ProcessId)) { PhSetWindowText(hwndDlg, PhaFormatString(L"Results - %s (%u)", processItem->ProcessName->Buffer, HandleToUlong(processItem->ProcessId))->Buffer); PhDereferenceObject(processItem); } } lvHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(lvHandle, TRUE, TRUE); PhSetControlTheme(lvHandle, L"explorer"); PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 120, L"Address"); PhAddListViewColumn(lvHandle, 1, 1, 1, LVCFMT_LEFT, 120, L"Base Address"); PhAddListViewColumn(lvHandle, 2, 2, 2, LVCFMT_LEFT, 80, L"Length"); PhAddListViewColumn(lvHandle, 3, 3, 3, LVCFMT_LEFT, 200, L"Result"); PhSetExtendedListView(lvHandle); PhLoadListViewColumnsFromSetting(SETTING_MEM_RESULTS_LIST_VIEW_COLUMNS, lvHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_COPY), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_SAVE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_FILTER), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); if (MinimumSize.left == -1) { RECT rect; rect.left = 0; rect.top = 0; rect.right = 250; rect.bottom = 180; MapDialogRect(hwndDlg, &rect); MinimumSize = rect; MinimumSize.left = 0; } ListView_SetItemCount(lvHandle, context->Results->Count); PhSetDialogItemText(hwndDlg, IDC_INTRO, PhaFormatString(L"%s results.", PhaFormatUInt64(context->Results->Count, TRUE)->Buffer)->Buffer); { PH_RECTANGLE windowRectangle = {0}; RECT rect; LONG dpiValue; windowRectangle.Position = PhGetIntegerPairSetting(SETTING_MEM_RESULTS_POSITION); PhRectangleToRect(&rect, &windowRectangle); dpiValue = PhGetMonitorDpi(NULL, &rect); windowRectangle.Size = PhGetScalableIntegerPairSetting(SETTING_MEM_RESULTS_SIZE, TRUE, dpiValue)->Pair; PhAdjustRectangleToWorkingArea(NULL, &windowRectangle); MoveWindow(hwndDlg, windowRectangle.Left, windowRectangle.Top, windowRectangle.Width, windowRectangle.Height, FALSE); // Implement cascading by saving an offsetted rectangle. windowRectangle.Left += 20; windowRectangle.Top += 20; PhSetIntegerPairSetting(SETTING_MEM_RESULTS_POSITION, windowRectangle.Position); PhSetScalableIntegerPairSetting2(SETTING_MEM_RESULTS_SIZE, windowRectangle.Size, dpiValue); } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveWindowPlacementToSetting(SETTING_MEM_RESULTS_POSITION, SETTING_MEM_RESULTS_SIZE, hwndDlg); PhSaveListViewColumnsToSetting(SETTING_MEM_RESULTS_LIST_VIEW_COLUMNS, GetDlgItem(hwndDlg, IDC_LIST)); PhDeleteLayoutManager(&context->LayoutManager); PhUnregisterDialog(hwndDlg); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDereferenceMemoryResults((PPH_MEMORY_RESULT *)context->Results->Items, context->Results->Count); PhDereferenceObject(context->Results); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_COPY: { HWND lvHandle; PPH_STRING string; ULONG selectedCount; lvHandle = GetDlgItem(hwndDlg, IDC_LIST); selectedCount = ListView_GetSelectedCount(lvHandle); if (selectedCount == 0) { // User didn't select anything, so copy all items. string = PhpGetStringForSelectedResults(lvHandle, context->Results, TRUE); PhSetStateAllListViewItems(lvHandle, LVIS_SELECTED, LVIS_SELECTED); } else { string = PhpGetStringForSelectedResults(lvHandle, context->Results, FALSE); } PhSetClipboardString(hwndDlg, &string->sr); PhDereferenceObject(string); PhSetDialogFocus(hwndDlg, lvHandle); } break; case IDC_SAVE: { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt)", L"*.txt" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, L"Search results.txt"); if (PhShowFileDialog(hwndDlg, fileDialog)) { NTSTATUS status; PPH_STRING fileName; PPH_FILE_STREAM fileStream; PPH_STRING string; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); PhWritePhTextHeader(fileStream); string = PhpGetStringForSelectedResults(GetDlgItem(hwndDlg, IDC_LIST), context->Results, TRUE); PhWriteStringAsUtf8FileStreamEx(fileStream, string->Buffer, string->Length); PhDereferenceObject(string); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } break; case IDC_FILTER: { PPH_EMENU menu; RECT buttonRect; POINT point; PPH_EMENU_ITEM selectedItem; ULONG filterType = 0; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_FILTER_CONTAINS, L"Contains...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_FILTER_CONTAINS_CASEINSENSITIVE, L"Contains (case-insensitive)...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_FILTER_REGEX, L"Regex...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_FILTER_REGEX_CASEINSENSITIVE, L"Regex (case-insensitive)...", NULL, NULL), ULONG_MAX); if (!PhGetClientRect(GetDlgItem(hwndDlg, IDC_FILTER), &buttonRect)) break; point.x = 0; point.y = buttonRect.bottom; ClientToScreen(GetDlgItem(hwndDlg, IDC_FILTER), &point); selectedItem = PhShowEMenu(menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y); if (selectedItem) { switch (selectedItem->Id) { case ID_FILTER_CONTAINS: filterType = FILTER_CONTAINS; break; case ID_FILTER_CONTAINS_CASEINSENSITIVE: filterType = FILTER_CONTAINS_IGNORECASE; break; case ID_FILTER_REGEX: filterType = FILTER_REGEX; break; case ID_FILTER_REGEX_CASEINSENSITIVE: filterType = FILTER_REGEX_IGNORECASE; break; } } if (filterType != 0) FilterResults(hwndDlg, context, filterType); PhDestroyEMenu(menu); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; HWND lvHandle; lvHandle = GetDlgItem(hwndDlg, IDC_LIST); PhHandleListViewNotifyForCopy(lParam, lvHandle); switch (header->code) { case LVN_GETDISPINFO: { NMLVDISPINFO *dispInfo = (NMLVDISPINFO *)header; if (dispInfo->item.mask & LVIF_TEXT) { PPH_MEMORY_RESULT result = context->Results->Items[dispInfo->item.iItem]; switch (dispInfo->item.iSubItem) { case 0: { WCHAR addressString[PH_PTR_STR_LEN_1]; PhPrintPointer(addressString, result->Address); wcsncpy_s( dispInfo->item.pszText, dispInfo->item.cchTextMax, addressString, _TRUNCATE ); } break; case 1: { WCHAR baseAddressString[PH_PTR_STR_LEN_1]; PhPrintPointer(baseAddressString, result->BaseAddress); wcsncpy_s( dispInfo->item.pszText, dispInfo->item.cchTextMax, baseAddressString, _TRUNCATE ); } break; case 2: { WCHAR lengthString[PH_INT32_STR_LEN_1]; PhPrintUInt32(lengthString, (ULONG)result->Length); wcsncpy_s( dispInfo->item.pszText, dispInfo->item.cchTextMax, lengthString, _TRUNCATE ); } break; case 3: wcsncpy_s( dispInfo->item.pszText, dispInfo->item.cchTextMax, result->Display.Buffer, _TRUNCATE ); break; } } } break; case NM_DBLCLK: { if (header->hwndFrom == lvHandle) { INT index; if ((index = PhFindListViewItemByFlags(lvHandle, INT_ERROR, LVNI_SELECTED)) != INT_ERROR) { NTSTATUS status; PPH_MEMORY_RESULT result = context->Results->Items[index]; HANDLE processHandle; MEMORY_BASIC_INFORMATION basicInfo; PPH_SHOW_MEMORY_EDITOR showMemoryEditor; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, context->ProcessId ))) { if (NT_SUCCESS(status = NtQueryVirtualMemory( processHandle, result->Address, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { showMemoryEditor = PhAllocateZero(sizeof(PH_SHOW_MEMORY_EDITOR)); showMemoryEditor->ProcessId = context->ProcessId; showMemoryEditor->BaseAddress = basicInfo.BaseAddress; showMemoryEditor->RegionSize = basicInfo.RegionSize; showMemoryEditor->SelectOffset = (ULONG)((ULONG_PTR)result->Address - (ULONG_PTR)basicInfo.BaseAddress); showMemoryEditor->SelectLength = (ULONG)result->Length; SystemInformer_ShowMemoryEditor(showMemoryEditor); } NtClose(processHandle); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to edit memory", status, 0); } } } break; case NM_RCLICK: { if (header->hwndFrom == lvHandle) { POINT position; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; if (!PhGetMessagePos(&position)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_READWRITEMEMORY, L"Read/Write memory", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, lvHandle); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, position.x, position.y ); if (selectedItem) { if (!PhHandleCopyListViewEMenuItem(selectedItem)) { switch (selectedItem->Id) { case ID_MEMORY_READWRITEMEMORY: { INT index; if ((index = PhFindListViewItemByFlags(lvHandle, INT_ERROR, LVNI_SELECTED)) != INT_ERROR) { NTSTATUS status; PPH_MEMORY_RESULT result = context->Results->Items[index]; HANDLE processHandle; MEMORY_BASIC_INFORMATION basicInfo; PPH_SHOW_MEMORY_EDITOR showMemoryEditor; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, context->ProcessId ))) { if (NT_SUCCESS(status = NtQueryVirtualMemory( processHandle, result->Address, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { showMemoryEditor = PhAllocateZero(sizeof(PH_SHOW_MEMORY_EDITOR)); showMemoryEditor->ProcessId = context->ProcessId; showMemoryEditor->BaseAddress = basicInfo.BaseAddress; showMemoryEditor->RegionSize = basicInfo.RegionSize; showMemoryEditor->SelectOffset = (ULONG)((ULONG_PTR)result->Address - (ULONG_PTR)basicInfo.BaseAddress); showMemoryEditor->SelectLength = (ULONG)result->Length; SystemInformer_ShowMemoryEditor(showMemoryEditor); } NtClose(processHandle); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to edit memory", status, 0); } } break; case IDC_COPY: { PPH_STRING string; ULONG selectedCount; selectedCount = ListView_GetSelectedCount(lvHandle); if (selectedCount == 0) { // User didn't select anything, so copy all items. string = PhpGetStringForSelectedResults(lvHandle, context->Results, TRUE); PhSetStateAllListViewItems(lvHandle, LVIS_SELECTED, LVIS_SELECTED); } else { string = PhpGetStringForSelectedResults(lvHandle, context->Results, FALSE); } PhSetClipboardString(hwndDlg, &string->sr); PhDereferenceObject(string); PhSetDialogFocus(hwndDlg, lvHandle); } break; } } } PhDestroyEMenu(menu); } } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhShowMemoryResultsDialog( _In_ HANDLE ProcessId, _In_ PPH_LIST Results ) { HWND windowHandle; PMEMORY_RESULTS_CONTEXT context; ULONG i; context = PhAllocateZero(sizeof(MEMORY_RESULTS_CONTEXT)); context->ProcessId = ProcessId; context->Results = Results; PhReferenceObject(Results); for (i = 0; i < Results->Count; i++) PhReferenceMemoryResult(Results->Items[i]); windowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMRESULTS), NULL, PhpMemoryResultsDlgProc, context ); ShowWindow(windowHandle, SW_SHOW); SetForegroundWindow(windowHandle); } ================================================ FILE: SystemInformer/memsrch.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #define WM_PH_MEMORY_STATUS_UPDATE (WM_APP + 301) #define PH_SEARCH_UPDATE 1 #define PH_SEARCH_COMPLETED 2 typedef struct _MEMORY_STRING_CONTEXT { HANDLE ProcessId; HANDLE ProcessHandle; ULONG MinimumLength; union { BOOLEAN Flags; struct { BOOLEAN DetectUnicode : 1; BOOLEAN Private : 1; BOOLEAN Image : 1; BOOLEAN Mapped : 1; BOOLEAN EnableCloseDialog : 1; BOOLEAN ExtendedUnicode : 1; BOOLEAN Spare : 2; }; }; HWND ParentWindowHandle; HWND WindowHandle; WNDPROC DefaultWindowProc; PH_MEMORY_STRING_OPTIONS Options; PPH_LIST Results; } MEMORY_STRING_CONTEXT, *PMEMORY_STRING_CONTEXT; typedef struct _MEMORY_STRING_SEARCH_CONTEXT { PPH_MEMORY_SEARCH_OPTIONS Options; HANDLE ProcessHandle; ULONG TypeMask; BOOLEAN DetectUnicode; MEMORY_BASIC_INFORMATION BasicInfo; PVOID CurrentReadAddress; PVOID NextReadAddress; SIZE_T ReadRemaning; PBYTE Buffer; SIZE_T BufferSize; } MEMORY_STRING_SEARCH_CONTEXT, *PMEMORY_STRING_SEARCH_CONTEXT; INT_PTR CALLBACK PhpMemoryStringDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); BOOLEAN PhpShowMemoryStringProgressDialog( _In_ PMEMORY_STRING_CONTEXT Context ); BOOLEAN PhpShowMemoryStringDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_opt_ PPH_LIST PrevNodeList ); PVOID PhMemorySearchHeap = NULL; LONG PhMemorySearchHeapRefCount = 0; PH_QUEUED_LOCK PhMemorySearchHeapLock = PH_QUEUED_LOCK_INIT; PVOID PhAllocateForMemorySearch( _In_ SIZE_T Size ) { PVOID memory; PhAcquireQueuedLockExclusive(&PhMemorySearchHeapLock); if (!PhMemorySearchHeap) { assert(PhMemorySearchHeapRefCount == 0); PhMemorySearchHeap = RtlCreateHeap( HEAP_GROWABLE | HEAP_CLASS_1, NULL, 8192 * 1024, // 8 MB 2048 * 1024, // 2 MB NULL, NULL ); } if (PhMemorySearchHeap) { const ULONG defaultHeapCompatibilityMode = HEAP_COMPATIBILITY_MODE_LFH; RtlSetHeapInformation( PhMemorySearchHeap, HeapCompatibilityInformation, &defaultHeapCompatibilityMode, sizeof(ULONG) ); // Don't use HEAP_NO_SERIALIZE - it's very slow on Vista and above. memory = RtlAllocateHeap(PhMemorySearchHeap, 0, Size); if (memory) PhMemorySearchHeapRefCount++; } else { memory = NULL; } PhReleaseQueuedLockExclusive(&PhMemorySearchHeapLock); return memory; } VOID PhFreeForMemorySearch( _In_ _Post_invalid_ PVOID Memory ) { PhAcquireQueuedLockExclusive(&PhMemorySearchHeapLock); RtlFreeHeap(PhMemorySearchHeap, 0, Memory); if (--PhMemorySearchHeapRefCount == 0) { RtlDestroyHeap(PhMemorySearchHeap); PhMemorySearchHeap = NULL; } PhReleaseQueuedLockExclusive(&PhMemorySearchHeapLock); } PVOID PhCreateMemoryResult( _In_ PVOID Address, _In_ PVOID BaseAddress, _In_ SIZE_T Length ) { PPH_MEMORY_RESULT result; result = PhAllocateForMemorySearch(sizeof(PH_MEMORY_RESULT)); if (!result) return NULL; result->RefCount = 1; result->Address = Address; result->BaseAddress = BaseAddress; result->Length = Length; result->Display.Length = 0; result->Display.Buffer = NULL; return result; } VOID PhReferenceMemoryResult( _In_ PPH_MEMORY_RESULT Result ) { _InterlockedIncrement(&Result->RefCount); } VOID PhDereferenceMemoryResult( _In_ PPH_MEMORY_RESULT Result ) { if (_InterlockedDecrement(&Result->RefCount) == 0) { if (Result->Display.Buffer) PhFreeForMemorySearch(Result->Display.Buffer); PhFreeForMemorySearch(Result); } } VOID PhDereferenceMemoryResults( _In_reads_(NumberOfResults) PPH_MEMORY_RESULT *Results, _In_ ULONG NumberOfResults ) { for (ULONG i = 0; i < NumberOfResults; i++) PhDereferenceMemoryResult(Results[i]); } _Function_class_(PH_STRING_SEARCH_NEXT_BUFFER) _Must_inspect_result_ NTSTATUS NTAPI PhpMemoryStringSearchNextBuffer( _Inout_bytecount_(*Length) PVOID* Buffer, _Out_ PSIZE_T Length, _In_opt_ PVOID Context ) { NTSTATUS status; PMEMORY_STRING_SEARCH_CONTEXT context; assert(Context); context = Context; *Buffer = NULL; *Length = 0; if (context->ReadRemaning) goto ReadMemory; while (NT_SUCCESS(status = NtQueryVirtualMemory( context->ProcessHandle, PTR_ADD_OFFSET(context->BasicInfo.BaseAddress, context->BasicInfo.RegionSize), MemoryBasicInformation, &context->BasicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { SIZE_T length; if (context->Options->Cancel) break; if (context->BasicInfo.State != MEM_COMMIT) continue; if (FlagOn(context->BasicInfo.Protect, PAGE_NOACCESS | PAGE_GUARD)) continue; if (!FlagOn(context->BasicInfo.Type, context->TypeMask)) continue; context->NextReadAddress = context->BasicInfo.BaseAddress; context->ReadRemaning = context->BasicInfo.RegionSize; // Don't allocate a huge buffer (16 MiB max) length = min(context->BasicInfo.RegionSize, 16 * 1024 * 1024); if (length > context->BufferSize) { context->Buffer = PhReAllocate(context->Buffer, length); context->BufferSize = length; } if (context->ReadRemaning) { ReadMemory: context->CurrentReadAddress = context->NextReadAddress; length = min(context->ReadRemaning, context->BufferSize); if (NT_SUCCESS(status = PhReadVirtualMemory( context->ProcessHandle, context->CurrentReadAddress, context->Buffer, length, &length ))) { *Buffer = context->Buffer; *Length = length; context->ReadRemaning -= length; context->NextReadAddress = PTR_ADD_OFFSET(context->NextReadAddress, length); break; } } context->NextReadAddress = NULL; context->ReadRemaning = 0; } return status; } _Function_class_(PH_STRING_SEARCH_CALLBACK) BOOLEAN NTAPI PhpMemoryStringSearchCallback( _In_ PPH_STRING_SEARCH_RESULT Result, _In_opt_ PVOID Context ) { PMEMORY_STRING_SEARCH_CONTEXT context = Context; PPH_MEMORY_RESULT result; assert(context); if (!context->DetectUnicode && Result->Unicode) return context->Options->Cancel; result = PhCreateMemoryResult(PTR_ADD_OFFSET(context->CurrentReadAddress, PTR_SUB_OFFSET(Result->Address, context->Buffer)), context->BasicInfo.BaseAddress, Result->Length); result->Display.Buffer = PhAllocateForMemorySearch(Result->String->Length + sizeof(WCHAR)); memcpy(result->Display.Buffer, Result->String->Buffer, Result->String->Length); result->Display.Buffer[Result->String->Length / sizeof(WCHAR)] = UNICODE_NULL; result->Display.Length = Result->String->Length; context->Options->Callback(result, context->Options->Context); return context->Options->Cancel; } VOID PhSearchMemoryString( _In_ HANDLE ProcessHandle, _In_ PPH_MEMORY_STRING_OPTIONS Options ) { MEMORY_STRING_SEARCH_CONTEXT context; memset(&context, 0, sizeof(MEMORY_STRING_SEARCH_CONTEXT)); context.Options = &Options->Header; context.ProcessHandle = ProcessHandle; context.TypeMask = Options->MemoryTypeMask; context.DetectUnicode = Options->DetectUnicode; PhSearchStrings( Options->MinimumLength, Options->ExtendedUnicode, PhpMemoryStringSearchNextBuffer, PhpMemoryStringSearchCallback, &context ); } VOID PhShowMemoryStringDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { NTSTATUS status; HANDLE processHandle; MEMORY_STRING_CONTEXT context; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessItem->ProcessId ))) { PhShowStatus(ParentWindowHandle, L"Unable to open the process", status, 0); return; } memset(&context, 0, sizeof(MEMORY_STRING_CONTEXT)); context.ParentWindowHandle = ParentWindowHandle; context.ProcessId = ProcessItem->ProcessId; context.ProcessHandle = processHandle; if (PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMSTRING), ParentWindowHandle, PhpMemoryStringDlgProc, &context ) != IDOK) { NtClose(processHandle); return; } context.Results = PhCreateList(1024); if (PhpShowMemoryStringProgressDialog(&context)) { PPH_SHOW_MEMORY_RESULTS showMemoryResults; showMemoryResults = PhAllocate(sizeof(PH_SHOW_MEMORY_RESULTS)); showMemoryResults->ProcessId = ProcessItem->ProcessId; showMemoryResults->Results = context.Results; PhReferenceObject(context.Results); SystemInformer_ShowMemoryResults(showMemoryResults); } PhDereferenceObject(context.Results); NtClose(processHandle); } INT_PTR CALLBACK PhpMemoryStringDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PMEMORY_STRING_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PMEMORY_STRING_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetDialogItemText(hwndDlg, IDC_MINIMUMLENGTH, L"10"); Button_SetCheck(GetDlgItem(hwndDlg, IDC_DETECTUNICODE), BST_CHECKED); Button_SetCheck(GetDlgItem(hwndDlg, IDC_PRIVATE), BST_CHECKED); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { ULONG64 minimumLength = 10; PhStringToInteger64(&PhaGetDlgItemText(hwndDlg, IDC_MINIMUMLENGTH)->sr, 0, &minimumLength); if (minimumLength < 4) { PhShowError2(hwndDlg, L"Unable to search for strings.", L"%s", L"The minimum length must be at least 4."); break; } context->MinimumLength = (ULONG)minimumLength; context->DetectUnicode = Button_GetCheck(GetDlgItem(hwndDlg, IDC_DETECTUNICODE)) == BST_CHECKED; context->ExtendedUnicode = Button_GetCheck(GetDlgItem(hwndDlg, IDC_EXTENDEDUNICODE)) == BST_CHECKED; context->Private = Button_GetCheck(GetDlgItem(hwndDlg, IDC_PRIVATE)) == BST_CHECKED; context->Image = Button_GetCheck(GetDlgItem(hwndDlg, IDC_IMAGE)) == BST_CHECKED; context->Mapped = Button_GetCheck(GetDlgItem(hwndDlg, IDC_MAPPED)) == BST_CHECKED; EndDialog(hwndDlg, IDOK); } break; case IDC_DETECTUNICODE: { if (Button_GetCheck(GetDlgItem(hwndDlg, IDC_DETECTUNICODE)) == BST_UNCHECKED) { Button_SetCheck(GetDlgItem(hwndDlg, IDC_EXTENDEDUNICODE), BST_UNCHECKED); Button_Enable(GetDlgItem(hwndDlg, IDC_EXTENDEDUNICODE), FALSE); } else { Button_Enable(GetDlgItem(hwndDlg, IDC_EXTENDEDUNICODE), TRUE); } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } static VOID NTAPI PhpMemoryStringResultCallback( _In_ _Assume_refs_(1) PPH_MEMORY_RESULT Result, _In_opt_ PVOID Context ) { PMEMORY_STRING_CONTEXT context = Context; if (context) PhAddItemList(context->Results, Result); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpMemoryStringThreadStart( _In_ PVOID Parameter ) { PMEMORY_STRING_CONTEXT context = Parameter; context->Options.Header.Callback = PhpMemoryStringResultCallback; context->Options.Header.Context = context; context->Options.MinimumLength = context->MinimumLength; context->Options.DetectUnicode = context->DetectUnicode; context->Options.ExtendedUnicode = context->ExtendedUnicode; if (context->Private) context->Options.MemoryTypeMask |= MEM_PRIVATE; if (context->Image) context->Options.MemoryTypeMask |= MEM_IMAGE; if (context->Mapped) context->Options.MemoryTypeMask |= MEM_MAPPED; PhSearchMemoryString(context->ProcessHandle, &context->Options); SendMessage( context->WindowHandle, WM_PH_MEMORY_STATUS_UPDATE, PH_SEARCH_COMPLETED, 0 ); return STATUS_SUCCESS; } LRESULT CALLBACK PhpMemoryStringTaskDialogSubclassProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PMEMORY_STRING_CONTEXT context; WNDPROC oldWndProc; if (!(context = PhGetWindowContext(hwndDlg, 0xF))) return 0; oldWndProc = context->DefaultWindowProc; switch (uMsg) { case WM_DESTROY: { PhSetWindowProcedure(hwndDlg, oldWndProc); PhRemoveWindowContext(hwndDlg, 0xF); } break; case WM_PH_MEMORY_STATUS_UPDATE: { switch (wParam) { case PH_SEARCH_COMPLETED: { context->EnableCloseDialog = TRUE; SendMessage(hwndDlg, TDM_CLICK_BUTTON, IDOK, 0); } break; } } break; } return CallWindowProc(oldWndProc, hwndDlg, uMsg, wParam, lParam); } HRESULT CALLBACK PhpMemoryStringTaskDialogCallback( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { PMEMORY_STRING_CONTEXT context = (PMEMORY_STRING_CONTEXT)dwRefData; switch (uMsg) { case TDN_CREATED: { context->WindowHandle = hwndDlg; // Create the Taskdialog icons. PhSetApplicationWindowIcon(hwndDlg); SendMessage(hwndDlg, TDM_UPDATE_ICON, TDIE_ICON_MAIN, (LPARAM)PhGetApplicationIcon(FALSE)); // Set the progress state. SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); // Subclass the Taskdialog. context->DefaultWindowProc = PhGetWindowProcedure(hwndDlg); PhSetWindowContext(hwndDlg, 0xF, context); PhSetWindowProcedure(hwndDlg, PhpMemoryStringTaskDialogSubclassProc); // Create the search thread. PhCreateThread2(PhpMemoryStringThreadStart, context); } break; case TDN_BUTTON_CLICKED: { if ((INT)wParam == IDCANCEL) context->Options.Header.Cancel = TRUE; if (!context->EnableCloseDialog) return S_FALSE; } break; case TDN_TIMER: { PPH_STRING numberText; PPH_STRING progressText; numberText = PhFormatUInt64(context->Results->Count, TRUE); progressText = PhFormatString(L"%s strings found...", numberText->Buffer); SendMessage(hwndDlg, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)progressText->Buffer); PhDereferenceObject(progressText); PhDereferenceObject(numberText); } break; } return S_OK; } BOOLEAN PhpShowMemoryStringProgressDialog( _In_ PMEMORY_STRING_CONTEXT Context ) { TASKDIALOGCONFIG config; INT result = 0; memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_POSITION_RELATIVE_TO_WINDOW | TDF_SHOW_MARQUEE_PROGRESS_BAR | TDF_CALLBACK_TIMER; config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.pfCallback = PhpMemoryStringTaskDialogCallback; config.lpCallbackData = (LONG_PTR)Context; config.hwndParent = Context->ParentWindowHandle; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Searching memory strings..."; config.pszContent = L" "; config.cxWidth = 200; if (SUCCEEDED(TaskDialogIndirect(&config, &result, NULL, NULL)) && result == IDOK) { return TRUE; } return FALSE; } ================================================ FILE: SystemInformer/memsrcht.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2024 * */ #include #include #include #include #include #include #include #include #include #include #include #define WM_PH_MEMSEARCH_SHOWMENU (WM_USER + 3000) #define WM_PH_MEMSEARCH_FINISHED (WM_USER + 3001) #define PH_MEMSEARCH_STATE_STOPPED 0 #define PH_MEMSEARCH_STATE_SEARCHING 1 #define PH_MEMSEARCH_STATE_FINISHED 2 static CONST PH_STRINGREF EmptyStringsText = PH_STRINGREF_INIT(L"There are no strings to display."); static CONST PH_STRINGREF LoadingStringsText = PH_STRINGREF_INIT(L"Loading strings..."); typedef struct _PH_MEMSTRINGS_SETTINGS { ULONG MinimumLength; union { struct { ULONG Ansi : 1; ULONG Unicode : 1; ULONG ExtendedCharSet : 1; ULONG Private : 1; ULONG Image : 1; ULONG Mapped : 1; ULONG ZeroPadAddresses : 1; ULONG Spare : 25; }; ULONG Flags; }; } PH_MEMSTRINGS_SETTINGS, *PPH_MEMSTRINGS_SETTINGS; typedef struct _PH_MEMSTRINGS_CONTEXT { PPH_PROCESS_ITEM ProcessItem; HANDLE ProcessHandle; BOOLEAN UseClone; HANDLE CloneHandle; HWND WindowHandle; HWND TreeNewHandle; HWND MessageHandle; HWND SearchHandle; HWND FilterHandle; RECT MinimumSize; ULONG_PTR SearchMatchHandle; PH_LAYOUT_MANAGER LayoutManager; PH_TN_FILTER_SUPPORT FilterSupport; PH_CM_MANAGER Cm; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; ULONG StringsCount; PPH_LIST NodeList; BOOLEAN BackOffActive; ULONG BackOffSearchMatchRequests; ULONG BackOffSearchMatchChecked; ULONG State; BOOLEAN StopSearch; HANDLE SearchThreadHandle; ULONG SearchResultsAddIndex; PPH_LIST SearchResults; PH_QUEUED_LOCK SearchResultsLock; PPH_LIST PrevNodeList; PH_MEMSTRINGS_SETTINGS Settings; } PH_MEMSTRINGS_CONTEXT, *PPH_MEMSTRINGS_CONTEXT; typedef enum _PH_MEMSTRINGS_TREE_COLUMN_ITEM { PH_MEMSTRINGS_TREE_COLUMN_ITEM_INDEX, PH_MEMSTRINGS_TREE_COLUMN_ITEM_BASE_ADDRESS, PH_MEMSTRINGS_TREE_COLUMN_ITEM_ADDRESS, PH_MEMSTRINGS_TREE_COLUMN_ITEM_TYPE, PH_MEMSTRINGS_TREE_COLUMN_ITEM_LENGTH, PH_MEMSTRINGS_TREE_COLUMN_ITEM_STRING, PH_MEMSTRINGS_TREE_COLUMN_ITEM_PROTECTION, PH_MEMSTRINGS_TREE_COLUMN_ITEM_MEMORY_TYPE, PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM } PH_MEMSTRINGS_TREE_COLUMN_ITEM; typedef struct _PH_MEMSTRINGS_NODE { PH_TREENEW_NODE Node; ULONG Index; BOOLEAN Unicode; PVOID BaseAddress; PVOID Address; PPH_STRING String; ULONG Protection; ULONG MemoryType; WCHAR IndexString[PH_INT64_STR_LEN_1]; WCHAR BaseAddressString[PH_PTR_STR_LEN_1]; WCHAR AddressString[PH_PTR_STR_LEN_1]; WCHAR LengthString[PH_INT64_STR_LEN_1]; WCHAR ProtectionText[17]; PH_STRINGREF TextCache[PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM]; } PH_MEMSTRINGS_NODE, *PPH_MEMSTRINGS_NODE; typedef struct _PH_MEMSTRINGS_SEARCH_CONTEXT { PPH_MEMSTRINGS_CONTEXT TreeContext; ULONG TypeMask; MEMORY_BASIC_INFORMATION BasicInfo; PVOID CurrentReadAddress; PVOID NextReadAddress; SIZE_T ReadRemaning; PBYTE Buffer; SIZE_T BufferSize; } PH_MEMSTRINGS_SEARCH_CONTEXT, *PPH_MEMSTRINGS_SEARCH_CONTEXT; BOOLEAN PhpShowMemoryStringTreeDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_opt_ PPH_LIST PrevNodeList, _In_ BOOLEAN UseClone ); VOID PhpShowMemoryEditor( PPH_MEMSTRINGS_CONTEXT context, PPH_MEMSTRINGS_NODE node ); _Function_class_(PH_STRING_SEARCH_NEXT_BUFFER) _Must_inspect_result_ NTSTATUS NTAPI PhpMemoryStringSearchTreeNextBuffer( _Inout_bytecount_(*Length) PVOID* Buffer, _Out_ PSIZE_T Length, _In_opt_ PVOID Context ) { NTSTATUS status; HANDLE handle; PPH_MEMSTRINGS_SEARCH_CONTEXT context; assert(Context); context = Context; if (context->TreeContext->UseClone) handle = context->TreeContext->CloneHandle; else handle = context->TreeContext->ProcessHandle; *Buffer = NULL; *Length = 0; if (context->ReadRemaning) goto ReadMemory; while (NT_SUCCESS(status = NtQueryVirtualMemory( handle, PTR_ADD_OFFSET(context->BasicInfo.BaseAddress, context->BasicInfo.RegionSize), MemoryBasicInformation, &context->BasicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { SIZE_T length; if (context->TreeContext->StopSearch) break; if (context->BasicInfo.State != MEM_COMMIT) continue; if (FlagOn(context->BasicInfo.Protect, PAGE_NOACCESS | PAGE_GUARD)) continue; if (!FlagOn(context->BasicInfo.Type, context->TypeMask)) continue; context->NextReadAddress = context->BasicInfo.BaseAddress; context->ReadRemaning = context->BasicInfo.RegionSize; // Don't allocate a huge buffer (16 MiB max) length = min(context->BasicInfo.RegionSize, 16 * 1024 * 1024); if (length > context->BufferSize) { context->Buffer = PhReAllocate(context->Buffer, length); context->BufferSize = length; } if (context->ReadRemaning) { ReadMemory: context->CurrentReadAddress = context->NextReadAddress; length = min(context->ReadRemaning, context->BufferSize); assert(context->Buffer); if (NT_SUCCESS(status = PhReadVirtualMemory( handle, context->CurrentReadAddress, context->Buffer, length, &length ))) { *Buffer = context->Buffer; *Length = length; context->ReadRemaning -= length; context->NextReadAddress = PTR_ADD_OFFSET(context->NextReadAddress, length); break; } } context->NextReadAddress = NULL; context->ReadRemaning = 0; } return status; } _Function_class_(PH_STRING_SEARCH_CALLBACK) BOOLEAN NTAPI PhpMemoryStringSearchTreeCallback( _In_ PPH_STRING_SEARCH_RESULT Result, _In_opt_ PVOID Context ) { PPH_MEMSTRINGS_SEARCH_CONTEXT context; PPH_MEMSTRINGS_CONTEXT treeContext; PPH_MEMSTRINGS_NODE node; assert(Context); context = Context; treeContext = context->TreeContext; node = PhAllocateZero(sizeof(PH_MEMSTRINGS_NODE)); node->Index = ++treeContext->StringsCount; PhPrintUInt64(node->IndexString, node->Index); node->BaseAddress = context->BasicInfo.BaseAddress; node->Address = PTR_ADD_OFFSET(context->CurrentReadAddress, PTR_SUB_OFFSET(Result->Address, context->Buffer)); if (context->TreeContext->Settings.ZeroPadAddresses) { PhPrintPointerPadZeros(node->BaseAddressString, node->BaseAddress); PhPrintPointerPadZeros(node->AddressString, node->Address); } else { PhPrintPointer(node->BaseAddressString, node->BaseAddress); PhPrintPointer(node->AddressString, node->Address); } node->Unicode = Result->Unicode; node->String = PhReferenceObject(Result->String); PhPrintUInt64(node->LengthString, node->String->Length / 2); node->Protection = context->BasicInfo.Protect; PhGetMemoryProtectionString(node->Protection, node->ProtectionText); node->MemoryType = context->BasicInfo.Type; PhAcquireQueuedLockExclusive(&treeContext->SearchResultsLock); PhAddItemList(treeContext->SearchResults, node); PhReleaseQueuedLockExclusive(&treeContext->SearchResultsLock); return !!treeContext->StopSearch; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpMemorySearchStringsThread( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { PH_MEMSTRINGS_SEARCH_CONTEXT context; memset(&context, 0, sizeof(context)); context.TreeContext = Context; context.TypeMask = 0; if (Context->Settings.Private) SetFlag(context.TypeMask, MEM_PRIVATE); if (Context->Settings.Image) SetFlag(context.TypeMask, MEM_IMAGE); if (Context->Settings.Mapped) SetFlag(context.TypeMask, MEM_MAPPED); if (context.TypeMask) { PhSearchStrings( Context->Settings.MinimumLength, !!Context->Settings.ExtendedCharSet, PhpMemoryStringSearchTreeNextBuffer, PhpMemoryStringSearchTreeCallback, &context ); } if (context.Buffer) PhFree(context.Buffer); if (!Context->StopSearch) PostMessage(Context->WindowHandle, WM_PH_MEMSEARCH_FINISHED, 0, 0); return STATUS_SUCCESS; } VOID PhpMemoryStringsCheckBackOff( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { // Once we reach a very large number of strings back off the updates to the // list and searching else the user input and interface can lag. // // N.B. The updated timer effectively induces a (timer value * 2) on search // filtering updates. Logic elsewhere will check on the delay for the user // to stop typing. Then the next timer trigger the search will be updated // based on the current user input. if (Context->NodeList->Count >= 150000) { Context->BackOffActive = TRUE; PhSetTimer(Context->WindowHandle, PH_WINDOW_TIMER_DEFAULT, 250, NULL); } else if (Context->NodeList->Count >= 500000) { Context->BackOffActive = TRUE; PhSetTimer(Context->WindowHandle, PH_WINDOW_TIMER_DEFAULT, 400, NULL); } } VOID PhpMemoryStringsAddTreeNode( _In_ PPH_MEMSTRINGS_CONTEXT Context, _In_ PPH_MEMSTRINGS_NODE Entry ) { PhInitializeTreeNewNode(&Entry->Node); memset(Entry->TextCache, 0, sizeof(PH_STRINGREF) * PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM); Entry->Node.TextCache = Entry->TextCache; Entry->Node.TextCacheSize = PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM; PhAddItemList(Context->NodeList, Entry); if (Context->FilterSupport.NodeList) { Entry->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->FilterSupport, &Entry->Node); } } VOID PhpAddPendingMemoryStringsNodes( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { ULONG i; BOOLEAN needsFullUpdate = FALSE; TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); PhAcquireQueuedLockExclusive(&Context->SearchResultsLock); for (i = Context->SearchResultsAddIndex; i < Context->SearchResults->Count; i++) { PhpMemoryStringsAddTreeNode(Context, Context->SearchResults->Items[i]); needsFullUpdate = TRUE; } Context->SearchResultsAddIndex = i; PhReleaseQueuedLockExclusive(&Context->SearchResultsLock); PhpMemoryStringsCheckBackOff(Context); if (needsFullUpdate) TreeNew_NodesStructured(Context->TreeNewHandle); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); } VOID PhpLoadSettingsMemoryStrings( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhGetStringSetting(SETTING_MEM_STRINGS_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_MEM_STRINGS_TREE_LIST_SORT); Context->Settings.Flags = PhGetIntegerSetting(SETTING_MEM_STRINGS_TREE_LIST_FLAGS); Context->Settings.MinimumLength = PhGetIntegerSetting(SETTING_MEM_STRINGS_MINIMUM_LENGTH); PhCmLoadSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhpSaveSettingsMemoryStrings( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &sortSettings); PhSetIntegerSetting(SETTING_MEM_STRINGS_MINIMUM_LENGTH, Context->Settings.MinimumLength); PhSetIntegerSetting(SETTING_MEM_STRINGS_TREE_LIST_FLAGS, Context->Settings.Flags); PhSetStringSetting2(SETTING_MEM_STRINGS_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_MEM_STRINGS_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhpInvalidateMemoryStringsAddresses( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_MEMSTRINGS_NODE node = (PPH_MEMSTRINGS_NODE)Context->NodeList->Items[i]; if (Context->Settings.ZeroPadAddresses) { PhPrintPointerPadZeros(node->BaseAddressString, node->BaseAddress); PhPrintPointerPadZeros(node->AddressString, node->Address); } else { PhPrintPointer(node->BaseAddressString, node->BaseAddress); PhPrintPointer(node->AddressString, node->Address); } memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM); } InvalidateRect(Context->TreeNewHandle, NULL, FALSE); TreeNew_NodesStructured(Context->TreeNewHandle); } BOOLEAN PhpGetSelectedMemoryStringsNodes( _In_ PPH_MEMSTRINGS_CONTEXT Context, _Out_ PPH_MEMSTRINGS_NODE** Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_MEMSTRINGS_NODE node = (PPH_MEMSTRINGS_NODE)Context->NodeList->Items[i]; if (node->Node.Selected) PhAddItemList(list, node); } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } *Nodes = NULL; *NumberOfNodes = 0; PhDereferenceObject(list); return FALSE; } VOID PhpCopyFilteredMemoryStringsNodes( _In_ PPH_MEMSTRINGS_CONTEXT Context, _Out_ PPH_LIST* NodeList ) { PPH_LIST list = PhCreateList(10); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_MEMSTRINGS_NODE node = (PPH_MEMSTRINGS_NODE)Context->NodeList->Items[i]; if (node->Node.Visible) { PPH_MEMSTRINGS_NODE cloned; cloned = PhAllocateCopy(node, sizeof(PH_MEMSTRINGS_NODE)); PhReferenceObject(cloned->String); PhAddItemList(list, cloned); } } *NodeList = list; } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpMemoryStringsTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_MEMSTRINGS_CONTEXT context = Context; PPH_MEMSTRINGS_NODE node = (PPH_MEMSTRINGS_NODE)Node; assert(Context); if (!context->Settings.Ansi && !node->Unicode) return FALSE; if (!context->Settings.Unicode && node->Unicode) return FALSE; if (!context->SearchMatchHandle) return TRUE; return PhSearchControlMatch(context->SearchMatchHandle, &node->String->sr); } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PvpStringsSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_MEMSTRINGS_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatchHandle; if (context->BackOffActive) context->BackOffSearchMatchRequests++; else PhApplyTreeNewFilters(&context->FilterSupport); } VOID PhpDeleteMemoryStringsNodeList( _In_ PPH_LIST NodeList ) { for (ULONG i = 0; i < NodeList->Count; i++) { PPH_MEMSTRINGS_NODE node = (PPH_MEMSTRINGS_NODE)NodeList->Items[i]; PhClearReference(&node->String); PhFree(node); } } VOID PhpDeleteMemoryStringsTree( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { Context->StopSearch = TRUE; if (Context->SearchThreadHandle) { NtWaitForSingleObject(Context->SearchThreadHandle, FALSE, NULL); NtClose(Context->SearchThreadHandle); Context->SearchThreadHandle = NULL; } Context->StopSearch = FALSE; if (Context->CloneHandle) { NtTerminateProcess(Context->CloneHandle, STATUS_PROCESS_CLONED); NtClose(Context->CloneHandle); Context->CloneHandle = NULL; } PhpAddPendingMemoryStringsNodes(Context); PhpDeleteMemoryStringsNodeList(Context->NodeList); PhDeleteTreeNewFilterSupport(&Context->FilterSupport); PhClearReference(&Context->NodeList); PhClearReference(&Context->SearchResults); Context->SearchResultsAddIndex = 0; Context->StringsCount = 0; } VOID PhpSearchMemoryStrings( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); PhpDeleteMemoryStringsTree(Context); Context->NodeList = PhCreateList(100); Context->SearchResults = PhCreateList(100); PhInitializeTreeNewFilterSupport(&Context->FilterSupport, Context->TreeNewHandle, Context->NodeList); PhAddTreeNewFilter(&Context->FilterSupport, PhpMemoryStringsTreeFilterCallback, Context); TreeNew_SetEmptyText(Context->TreeNewHandle, &LoadingStringsText, 0); TreeNew_NodesStructured(Context->TreeNewHandle); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); if (Context->UseClone) { NTSTATUS status; if (!NT_SUCCESS(status = PhCreateProcessClone( &Context->CloneHandle, Context->ProcessItem->ProcessId ))) { PhShowStatus(Context->WindowHandle, L"Unable to clone the process", status, 0); return; } } Context->State = PH_MEMSEARCH_STATE_SEARCHING; EnableWindow(Context->FilterHandle, FALSE); PhCreateThreadEx(&Context->SearchThreadHandle, PhpMemorySearchStringsThread, Context); } #define SORT_FUNCTION(Column) PvpStringsTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PvpStringsTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_MEMSTRINGS_NODE node1 = *(PPH_MEMSTRINGS_NODE *)_elem1; \ PPH_MEMSTRINGS_NODE node2 = *(PPH_MEMSTRINGS_NODE *)_elem2; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintcmp(node1->Index, node2->Index); \ \ return PhModifySort(sortResult, ((PPH_MEMSTRINGS_CONTEXT)_context)->TreeNewSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpMemoryStringsTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uintptrcmp((ULONG_PTR)((PPH_MEMSTRINGS_NODE)Node1)->Index, (ULONG_PTR)((PPH_MEMSTRINGS_NODE)Node2)->Index); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(Index) { NOTHING; } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(BaseAddress) { sortResult = uintptrcmp((ULONG_PTR)node1->BaseAddress, (ULONG_PTR)node2->BaseAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Address) { sortResult = uintptrcmp((ULONG_PTR)node1->Address, (ULONG_PTR)node2->Address); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Type) { sortResult = uintcmp(node1->Unicode, node2->Unicode); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Length) { sortResult = uintptrcmp(node1->String->Length, node2->String->Length); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(String) { sortResult = PhCompareString(node1->String, node2->String, FALSE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Protection) { sortResult = uintcmp(node1->Protection, node2->Protection); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(MemoryType) { sortResult = uintcmp(node1->MemoryType, node2->MemoryType); } END_SORT_FUNCTION BOOLEAN NTAPI PhpMemoryStringsTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_MEMSTRINGS_CONTEXT context = Context; PPH_MEMSTRINGS_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_MEMSTRINGS_NODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Index), SORT_FUNCTION(BaseAddress), SORT_FUNCTION(Address), SORT_FUNCTION(Type), SORT_FUNCTION(Length), SORT_FUNCTION(String), SORT_FUNCTION(Protection), SORT_FUNCTION(MemoryType), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = (PPH_TREENEW_IS_LEAF)Parameter1; node = (PPH_MEMSTRINGS_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPH_MEMSTRINGS_NODE)getCellText->Node; switch (getCellText->Id) { case PH_MEMSTRINGS_TREE_COLUMN_ITEM_INDEX: PhInitializeStringRefLongHint(&getCellText->Text, node->IndexString); break; case PH_MEMSTRINGS_TREE_COLUMN_ITEM_BASE_ADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, node->BaseAddressString); break; case PH_MEMSTRINGS_TREE_COLUMN_ITEM_ADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, node->AddressString); break; case PH_MEMSTRINGS_TREE_COLUMN_ITEM_PROTECTION: PhInitializeStringRefLongHint(&getCellText->Text, node->ProtectionText); break; case PH_MEMSTRINGS_TREE_COLUMN_ITEM_MEMORY_TYPE: getCellText->Text = *PhGetMemoryTypeString(node->MemoryType); break; case PH_MEMSTRINGS_TREE_COLUMN_ITEM_TYPE: PhInitializeStringRef(&getCellText->Text, node->Unicode ? L"Unicode" : L"ANSI"); break; case PH_MEMSTRINGS_TREE_COLUMN_ITEM_LENGTH: PhInitializeStringRefLongHint(&getCellText->Text, node->LengthString); break; case PH_MEMSTRINGS_TREE_COLUMN_ITEM_STRING: getCellText->Text = node->String->sr; break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = (PPH_TREENEW_GET_NODE_COLOR)Parameter1; node = (PPH_MEMSTRINGS_NODE)getNodeColor->Node; getNodeColor->Flags = TN_CACHE | TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': { if (GetKeyState(VK_CONTROL) < 0) { PPH_STRING text; text = PhGetTreeNewText(WindowHandle, 0); PhSetClipboardString(WindowHandle, &text->sr); PhDereferenceObject(text); } } break; case 'A': if (GetKeyState(VK_CONTROL) < 0) TreeNew_SelectRange(context->TreeNewHandle, 0, -1); break; } } return TRUE; case TreeNewNodeExpanding: return TRUE; case TreeNewLeftDoubleClick: { PPH_TREENEW_MOUSE_EVENT mouseEvent = Parameter1; node = (PPH_MEMSTRINGS_NODE)mouseEvent->Node; PhpShowMemoryEditor(context, node); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; SendMessage(context->WindowHandle, WM_PH_MEMSEARCH_SHOWMENU, 0, (LPARAM)contextMenu); } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = AscendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; } return FALSE; } VOID PhpInitializeMemoryStringsTree( _In_ PPH_MEMSTRINGS_CONTEXT Context, _In_ HWND WindowHandle, _In_ HWND TreeNewHandle ) { BOOLEAN enableMonospaceFont = !!PhGetIntegerSetting(SETTING_ENABLE_MONOSPACE_FONT); Context->WindowHandle = WindowHandle; Context->TreeNewHandle = TreeNewHandle; Context->NodeList = PhCreateList(1); Context->SearchResults = PhCreateList(1); PhSetControlTheme(TreeNewHandle, L"explorer"); TreeNew_SetCallback(TreeNewHandle, PhpMemoryStringsTreeNewCallback, Context); TreeNew_SetRedraw(TreeNewHandle, FALSE); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_INDEX, TRUE, L"#", 40, PH_ALIGN_LEFT, PH_MEMSTRINGS_TREE_COLUMN_ITEM_INDEX, 0, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_BASE_ADDRESS, TRUE, L"Base address", 80, PH_ALIGN_LEFT | (enableMonospaceFont ? PH_ALIGN_MONOSPACE_FONT : 0), PH_MEMSTRINGS_TREE_COLUMN_ITEM_BASE_ADDRESS, 0, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_ADDRESS, TRUE, L"Address", 80, PH_ALIGN_LEFT | (enableMonospaceFont ? PH_ALIGN_MONOSPACE_FONT : 0), PH_MEMSTRINGS_TREE_COLUMN_ITEM_ADDRESS, 0, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_TYPE, TRUE, L"Type", 80, PH_ALIGN_LEFT, PH_MEMSTRINGS_TREE_COLUMN_ITEM_TYPE, 0, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_LENGTH, TRUE, L"Length", 80, PH_ALIGN_LEFT, PH_MEMSTRINGS_TREE_COLUMN_ITEM_LENGTH, 0, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_STRING, TRUE, L"String", 600, PH_ALIGN_LEFT, PH_MEMSTRINGS_TREE_COLUMN_ITEM_STRING, 0, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_PROTECTION, FALSE, L"Protection", 80, PH_ALIGN_LEFT, PH_MEMSTRINGS_TREE_COLUMN_ITEM_PROTECTION, 0, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_MEMORY_TYPE, FALSE, L"Memory type", 80, PH_ALIGN_LEFT, PH_MEMSTRINGS_TREE_COLUMN_ITEM_MEMORY_TYPE, 0, 0); TreeNew_SetRedraw(TreeNewHandle, TRUE); TreeNew_SetSort(TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_INDEX, AscendingSortOrder); PhCmInitializeManager(&Context->Cm, TreeNewHandle, PH_MEMSTRINGS_TREE_COLUMN_ITEM_MAXIMUM, PhpMemoryStringsTreeNewPostSortFunction); PhpLoadSettingsMemoryStrings(Context); } INT_PTR CALLBACK PhpMemoryStringsMinimumLengthDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PULONG length; if (uMsg == WM_INITDIALOG) { length = (PULONG)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, length); } else { length = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!length) return FALSE; switch (uMsg) { case WM_INITDIALOG: { WCHAR lengthString[PH_INT32_STR_LEN_1]; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhPrintUInt32(lengthString, *length); PhSetDialogItemText(hwndDlg, IDC_MINIMUMLENGTH, lengthString); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { ULONG64 minimumLength; PhStringToInteger64(&PhaGetDlgItemText(hwndDlg, IDC_MINIMUMLENGTH)->sr, 0, &minimumLength); if (!minimumLength || minimumLength > MAXULONG32) { PhShowError2(hwndDlg, L"Unable to update the length.", L"%s", L"The minimum length is invalid."); break; } *length = (ULONG)minimumLength; EndDialog(hwndDlg, IDOK); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ULONG PhpMemoryStringsMinimumLengthDialog( _In_ HWND WindowHandle, _In_ ULONG CurrentMinimumLength ) { ULONG length; length = CurrentMinimumLength; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMSTRINGSMINLEN), WindowHandle, PhpMemoryStringsMinimumLengthDlgProc, &length ); return length; } VOID PhpMemoryStringsSetWindowTitle( _In_ PPH_MEMSTRINGS_CONTEXT Context ) { HICON icon; PPH_STRING title; CLIENT_ID clientId; if (Context->ProcessItem->IconEntry && Context->ProcessItem->IconEntry->SmallIconIndex) { icon = PhGetImageListIcon(Context->ProcessItem->IconEntry->SmallIconIndex, FALSE); if (icon) PhSetWindowIcon(Context->WindowHandle, icon, NULL, TRUE); } clientId.UniqueProcess = Context->ProcessItem->ProcessId; clientId.UniqueThread = NULL; title = PhaConcatStrings2(PhGetStringOrEmpty(PH_AUTO(PhGetClientIdName(&clientId))), L" Strings"); SetWindowTextW(Context->WindowHandle, title->Buffer); } VOID PhpShowMemoryEditor( PPH_MEMSTRINGS_CONTEXT context, PPH_MEMSTRINGS_NODE node ) { NTSTATUS status; MEMORY_BASIC_INFORMATION basicInfo; PPH_SHOW_MEMORY_EDITOR showMemoryEditor; PVOID address; SIZE_T length; address = node->Address; if (node->Unicode) length = node->String->Length; else length = node->String->Length / 2; if (NT_SUCCESS(status = NtQueryVirtualMemory( context->ProcessHandle, address, MemoryBasicInformation, &basicInfo, sizeof(basicInfo), NULL ))) { showMemoryEditor = PhAllocateZero(sizeof(PH_SHOW_MEMORY_EDITOR)); showMemoryEditor->ProcessId = context->ProcessItem->ProcessId; showMemoryEditor->BaseAddress = basicInfo.BaseAddress; showMemoryEditor->RegionSize = basicInfo.RegionSize; showMemoryEditor->SelectOffset = (ULONG)((ULONG_PTR)address - (ULONG_PTR)basicInfo.BaseAddress); showMemoryEditor->SelectLength = (ULONG)length; SystemInformer_ShowMemoryEditor(showMemoryEditor); } else { PhShowStatus(context->WindowHandle, L"Unable to edit memory", status, 0); } } INT_PTR CALLBACK PhpMemoryStringsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_MEMSTRINGS_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PPH_MEMSTRINGS_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->MessageHandle = GetDlgItem(hwndDlg, IDC_MESSAGE); context->SearchHandle = GetDlgItem(hwndDlg, IDC_SEARCH); context->FilterHandle = GetDlgItem(hwndDlg, IDC_FILTER); PhpMemoryStringsSetWindowTitle(context); PhRegisterDialog(hwndDlg); PhCreateSearchControl( hwndDlg, context->SearchHandle, L"Search Strings (Ctrl+K)", PvpStringsSearchControlCallback, context ); PhpInitializeMemoryStringsTree(context, hwndDlg, GetDlgItem(hwndDlg, IDC_TREELIST)); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->SearchHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, context->MessageHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); context->MinimumSize.left = 0; context->MinimumSize.top = 0; context->MinimumSize.right = 300; context->MinimumSize.bottom = 100; MapDialogRect(hwndDlg, &context->MinimumSize); if (PhValidWindowPlacementFromSetting(SETTING_MEM_STRINGS_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_MEM_STRINGS_WINDOW_POSITION, SETTING_MEM_STRINGS_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, PhMainWndHandle); PhSetTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT, 200, NULL); if (context->PrevNodeList) { PhInitializeTreeNewFilterSupport(&context->FilterSupport, context->TreeNewHandle, context->NodeList); PhAddTreeNewFilter(&context->FilterSupport, PhpMemoryStringsTreeFilterCallback, context); PhMoveReference(&context->SearchResults, context->PrevNodeList); context->StringsCount = context->PrevNodeList->Count; context->State = PH_MEMSEARCH_STATE_FINISHED; EnableWindow(context->FilterHandle, FALSE); PhpMemoryStringsCheckBackOff(context); } else { PhpSearchMemoryStrings(context); } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhpSaveSettingsMemoryStrings(context); PhpDeleteMemoryStringsTree(context); PhSaveWindowPlacementToSetting(SETTING_MEM_STRINGS_WINDOW_POSITION, SETTING_MEM_STRINGS_WINDOW_SIZE, hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDereferenceObject(context->ProcessItem); NtClose(context->ProcessHandle); PhFree(context); PostQuitMessage(0); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, context->MinimumSize.right, context->MinimumSize.bottom); } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)context->TreeNewHandle); return TRUE; } } break; case WM_PH_MEMSEARCH_FINISHED: { PhpAddPendingMemoryStringsNodes(context); context->State = PH_MEMSEARCH_STATE_FINISHED; TreeNew_SetEmptyText(context->TreeNewHandle, &EmptyStringsText, 0); TreeNew_NodesStructured(context->TreeNewHandle); } break; case WM_TIMER: { if (context->State != PH_MEMSEARCH_STATE_STOPPED) { PPH_STRING message; PH_FORMAT format[3]; ULONG count = 0; PhpAddPendingMemoryStringsNodes(context); if (context->State == PH_MEMSEARCH_STATE_SEARCHING) PhInitFormatS(&format[count++], L"Searching... "); PhInitFormatU(&format[count++], context->StringsCount); PhInitFormatS(&format[count++], L" strings"); message = PhFormat(format, count, 80); SetWindowText(context->MessageHandle, message->Buffer); PhDereferenceObject(message); if (context->State == PH_MEMSEARCH_STATE_FINISHED) { context->State = PH_MEMSEARCH_STATE_STOPPED; EnableWindow(context->FilterHandle, TRUE); } } if (context->BackOffActive && context->BackOffSearchMatchRequests) { if (context->BackOffSearchMatchChecked == context->BackOffSearchMatchRequests) { context->BackOffSearchMatchRequests = 0; context->BackOffSearchMatchChecked = 0; PhApplyTreeNewFilters(&context->FilterSupport); TreeNew_NodesStructured(context->TreeNewHandle); } else { // User still typing... context->BackOffSearchMatchChecked = context->BackOffSearchMatchRequests; } } } break; case WM_PH_MEMSEARCH_SHOWMENU: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_MEMSTRINGS_NODE* stringsNodes = NULL; ULONG numberOfNodes = 0; if (!PhpGetSelectedMemoryStringsNodes(context, &stringsNodes, &numberOfNodes)) break; if (numberOfNodes != 0) { PPH_EMENU_ITEM readWrite; menu = PhCreateEMenu(); readWrite = PhCreateEMenuItem(0, IDC_SHOW, L"Read/Write memory", NULL, NULL); readWrite->Flags |= PH_EMENU_DEFAULT; PhInsertEMenuItem(menu, readWrite, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, context->TreeNewHandle, contextMenuEvent->Column); if (numberOfNodes != 1) readWrite->Flags |= PH_EMENU_DISABLED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX && !PhHandleCopyCellEMenuItem(selectedItem)) { switch (selectedItem->Id) { case IDC_SHOW: { assert(numberOfNodes == 1); PhpShowMemoryEditor(context, stringsNodes[0]); } break; case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(context->TreeNewHandle, 0); PhSetClipboardString(context->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; } } PhDestroyEMenu(menu); PhFree(stringsNodes); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: DestroyWindow(hwndDlg); break; case IDC_SETTINGS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_EMENU_ITEM ansi; PPH_EMENU_ITEM unicode; PPH_EMENU_ITEM extendedUnicode; PPH_EMENU_ITEM private; PPH_EMENU_ITEM image; PPH_EMENU_ITEM mapped; PPH_EMENU_ITEM minimumLength; PPH_EMENU_ITEM zeroPad; PPH_EMENU_ITEM refresh; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_SETTINGS), &rect)) break; ansi = PhCreateEMenuItem(0, 1, L"ANSI", NULL, NULL); unicode = PhCreateEMenuItem(0, 2, L"Unicode", NULL, NULL); extendedUnicode = PhCreateEMenuItem(0, 3, L"Extended character set", NULL, NULL); private = PhCreateEMenuItem(0, 4, L"Private", NULL, NULL); image = PhCreateEMenuItem(0, 5, L"Image", NULL, NULL); mapped = PhCreateEMenuItem(0, 6, L"Mapped", NULL, NULL); minimumLength = PhCreateEMenuItem(0, 7, L"Minimum length...", NULL, NULL); zeroPad = PhCreateEMenuItem(0, 8, L"Zero pad addresses", NULL, NULL); refresh = PhCreateEMenuItem(0, 9, L"Refresh\bF5", NULL, NULL); menu = PhCreateEMenu(); PhInsertEMenuItem(menu, ansi, ULONG_MAX); PhInsertEMenuItem(menu, unicode, ULONG_MAX); PhInsertEMenuItem(menu, extendedUnicode, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, private, ULONG_MAX); PhInsertEMenuItem(menu, image, ULONG_MAX); PhInsertEMenuItem(menu, mapped, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, minimumLength, ULONG_MAX); PhInsertEMenuItem(menu, zeroPad, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, refresh, ULONG_MAX); if (context->Settings.Ansi) ansi->Flags |= PH_EMENU_CHECKED; if (context->Settings.Unicode) unicode->Flags |= PH_EMENU_CHECKED; if (context->Settings.ExtendedCharSet) extendedUnicode->Flags |= PH_EMENU_CHECKED; if (context->Settings.Private) private->Flags |= PH_EMENU_CHECKED; if (context->Settings.Image) image->Flags |= PH_EMENU_CHECKED; if (context->Settings.Mapped) mapped->Flags |= PH_EMENU_CHECKED; if (context->Settings.ZeroPadAddresses) zeroPad->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (selectedItem == ansi) { context->Settings.Ansi = !context->Settings.Ansi; PhpSaveSettingsMemoryStrings(context); PhApplyTreeNewFilters(&context->FilterSupport); } else if (selectedItem == unicode) { context->Settings.Unicode = !context->Settings.Unicode; PhpSaveSettingsMemoryStrings(context); PhApplyTreeNewFilters(&context->FilterSupport); } else if (selectedItem == extendedUnicode) { context->Settings.ExtendedCharSet = !context->Settings.ExtendedCharSet; PhpSaveSettingsMemoryStrings(context); PhpSearchMemoryStrings(context); } else if (selectedItem == private) { context->Settings.Private = !context->Settings.Private; PhpSaveSettingsMemoryStrings(context); PhpSearchMemoryStrings(context); } else if (selectedItem == image) { context->Settings.Image = !context->Settings.Image; PhpSaveSettingsMemoryStrings(context); PhpSearchMemoryStrings(context); } else if (selectedItem == mapped) { context->Settings.Mapped = !context->Settings.Mapped; PhpSaveSettingsMemoryStrings(context); PhpSearchMemoryStrings(context); } else if (selectedItem == minimumLength) { ULONG length = PhpMemoryStringsMinimumLengthDialog(hwndDlg, context->Settings.MinimumLength); if (length != context->Settings.MinimumLength) { context->Settings.MinimumLength = length; PhpSaveSettingsMemoryStrings(context); PhpSearchMemoryStrings(context); } } else if (selectedItem == zeroPad) { context->Settings.ZeroPadAddresses = !context->Settings.ZeroPadAddresses; PhpSaveSettingsMemoryStrings(context); PhpInvalidateMemoryStringsAddresses(context); } else if (selectedItem == refresh) { PhpSearchMemoryStrings(context); } } PhDestroyEMenu(menu); } break; case IDC_FILTER: { PPH_LIST nodeList; PhpCopyFilteredMemoryStringsNodes(context, &nodeList); if (!PhpShowMemoryStringTreeDialog( hwndDlg, context->ProcessItem, nodeList, context->UseClone )) { PhpDeleteMemoryStringsNodeList(nodeList); PhDereferenceObject(nodeList); } } break; } } break; case WM_KEYDOWN: { switch (wParam) { case VK_F5: PhpSearchMemoryStrings(context); return TRUE; } } break; case WM_CTLCOLORBTN: case WM_CTLCOLORDLG: case WM_CTLCOLORSTATIC: case WM_CTLCOLORLISTBOX: { SetBkMode((HDC)wParam, TRANSPARENT); SetTextColor((HDC)wParam, RGB(0, 0, 0)); SetDCBrushColor((HDC)wParam, RGB(255, 255, 255)); return (INT_PTR)GetStockBrush(DC_BRUSH); } break; } return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI PhpShowMemoryStringDialogThreadStart( _In_ PVOID Parameter ) { HWND windowHandle; BOOL result; MSG message; PH_AUTO_POOL autoPool; PhInitializeAutoPool(&autoPool); windowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_MEMSTRINGS), NULL, PhpMemoryStringsDlgProc, Parameter ); ShowWindow(windowHandle, SW_SHOW); SetForegroundWindow(windowHandle); while (result = GetMessage(&message, NULL, 0, 0)) { if (result == INT_ERROR) break; if (!IsDialogMessage(windowHandle, &message)) { TranslateMessage(&message); DispatchMessage(&message); } PhDrainAutoPool(&autoPool); } PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } BOOLEAN PhpShowMemoryStringTreeDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_opt_ PPH_LIST PrevNodeList, _In_ BOOLEAN UseClone ) { NTSTATUS status; HANDLE processHandle; PPH_MEMSTRINGS_CONTEXT context; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessItem->ProcessId ))) { PhShowStatus(ParentWindowHandle, L"Unable to open the process", status, 0); return FALSE; } context = PhAllocateZero(sizeof(PH_MEMSTRINGS_CONTEXT)); context->ProcessItem = PhReferenceObject(ProcessItem); context->ProcessHandle = processHandle; context->UseClone = UseClone; context->PrevNodeList = PrevNodeList; if (!NT_SUCCESS(status = PhCreateThread2(PhpShowMemoryStringDialogThreadStart, context))) { PhDereferenceObject(context->ProcessItem); NtClose(context->ProcessHandle); PhFree(context); PhShowStatus(ParentWindowHandle, L"Unable to create the window.", status, 0); return FALSE; } return TRUE; } VOID PhShowMemoryStringTreeDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { PhpShowMemoryStringTreeDialog( ParentWindowHandle, ProcessItem, NULL, ProcessItem->ProcessId == NtCurrentProcessId() ); } ================================================ FILE: SystemInformer/miniinfo.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include static HWND PhMipContainerWindow = NULL; static POINT PhMipSourcePoint; static LONG PhMipPinCounts[MaxMiniInfoPinType]; static LONG PhMipMaxPinCounts[] = { 1, // MiniInfoManualPinType 1, // MiniInfoIconPinType 1, // MiniInfoActivePinType 1, // MiniInfoHoverPinType 1, // MiniInfoChildControlPinType }; C_ASSERT(sizeof(PhMipMaxPinCounts) / sizeof(LONG) == MaxMiniInfoPinType); static LONG PhMipDelayedPinAdjustments[MaxMiniInfoPinType]; static PPH_MESSAGE_LOOP_FILTER_ENTRY PhMipMessageLoopFilterEntry; static HWND PhMipLastTrackedWindow; static HWND PhMipLastNcTrackedWindow; static ULONG PhMipRefreshAutomatically; static BOOLEAN PhMipPinned; static HWND PhMipWindow = NULL; static HWND PhMipLayoutWindow = NULL; static PH_LAYOUT_MANAGER PhMipLayoutManager; static RECT MinimumSize; static PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; static CONST PH_STRINGREF DownArrowPrefix = PH_STRINGREF_INIT(L"\u25be "); static PPH_LIST SectionList; static PH_MINIINFO_PARAMETERS CurrentParameters; static PPH_MINIINFO_SECTION CurrentSection; VOID PhPinMiniInformation( _In_ PH_MINIINFO_PIN_TYPE PinType, _In_ LONG PinCount, _In_opt_ ULONG PinDelayMs, _In_ ULONG Flags, _In_opt_ PCWSTR SectionName, _In_opt_ PPOINT SourcePoint ) { PH_MIP_ADJUST_PIN_RESULT adjustPinResult; if (PinDelayMs && PinCount < 0) { PhMipDelayedPinAdjustments[PinType] = PinCount; if (PhMipContainerWindow) { PhSetTimer(PhMipContainerWindow, (UINT_PTR)MIP_TIMER_PIN_FIRST + PinType, PinDelayMs, NULL); } return; } else { PhMipDelayedPinAdjustments[PinType] = 0; if (PhMipContainerWindow) { PhKillTimer(PhMipContainerWindow, (UINT_PTR)MIP_TIMER_PIN_FIRST + PinType); } } adjustPinResult = PhMipAdjustPin(PinType, PinCount); if (adjustPinResult == ShowAdjustPinResult) { PH_RECTANGLE windowRectangle; ULONG opacity; if (SourcePoint) PhMipSourcePoint = *SourcePoint; if (!PhMipContainerWindow) { RTL_ATOM windowAtom; if ((windowAtom = PhMipContainerInitializeWindowClass()) == INVALID_ATOM) return; PhMipContainerWindow = PhCreateWindowEx( MAKEINTATOM(windowAtom), NULL, WS_BORDER | WS_THICKFRAME | WS_POPUP, WS_EX_TOOLWINDOW, 0, 0, 400, 400, NULL, NULL, NULL, NULL ); PhMipWindow = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_MINIINFO), PhMipContainerWindow, PhMipMiniInfoDialogProc, NULL ); ShowWindow(PhMipWindow, SW_SHOW); if (PhGetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED)) PhMipSetPinned(TRUE, TRUE); PhMipRefreshAutomatically = PhGetIntegerSetting(SETTING_MINI_INFO_WINDOW_REFRESH_AUTOMATICALLY); opacity = PhGetIntegerSetting(SETTING_MINI_INFO_WINDOW_OPACITY); if (opacity != 0) PhSetWindowOpacity(PhMipContainerWindow, opacity); MinimumSize.left = 0; MinimumSize.top = 0; MinimumSize.right = 210; MinimumSize.bottom = 60; MapDialogRect(PhMipWindow, &MinimumSize); } if (!(Flags & PH_MINIINFO_LOAD_POSITION)) { PhMipCalculateWindowRectangle(&PhMipSourcePoint, &windowRectangle); SetWindowPos( PhMipContainerWindow, HWND_TOPMOST, windowRectangle.Left, windowRectangle.Top, windowRectangle.Width, windowRectangle.Height, SWP_NOACTIVATE ); } else { PhLoadWindowPlacementFromSetting(SETTING_MINI_INFO_WINDOW_POSITION, SETTING_MINI_INFO_WINDOW_SIZE, PhMipContainerWindow); SetWindowPos(PhMipContainerWindow, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE); } PhInitializeWindowTheme(PhMipContainerWindow, PhEnableThemeSupport); ShowWindow(PhMipContainerWindow, (Flags & PH_MINIINFO_ACTIVATE_WINDOW) ? SW_SHOW : SW_SHOWNOACTIVATE); } else if (adjustPinResult == HideAdjustPinResult) { if (PhMipContainerWindow) ShowWindow(PhMipContainerWindow, SW_HIDE); } else { if ((Flags & PH_MINIINFO_ACTIVATE_WINDOW) && PhMipContainerWindow && IsWindowVisible(PhMipContainerWindow)) SetActiveWindow(PhMipContainerWindow); } if ((Flags & PH_MINIINFO_ACTIVATE_WINDOW) && PhMipContainerWindow) SetForegroundWindow(PhMipContainerWindow); if (SectionName && (!PhMipPinned || !(Flags & PH_MINIINFO_DONT_CHANGE_SECTION_IF_PINNED))) { PH_STRINGREF sectionName; PPH_MINIINFO_SECTION section; PhInitializeStringRefLongHint(§ionName, SectionName); if (section = PhMipFindSection(§ionName)) PhMipChangeSection(section); } } LRESULT CALLBACK PhMipContainerWndProc( _In_ HWND hWnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_SHOWWINDOW: { PhMipContainerOnShowWindow(!!wParam, (ULONG)lParam); } break; case WM_ACTIVATE: { PhMipContainerOnActivate(GET_WM_COMMAND_ID(wParam, lParam), !!HIWORD(wParam)); } break; case WM_SIZE: { PhMipContainerOnSize(); } break; case WM_SIZING: { PhMipContainerOnSizing((ULONG)wParam, (PRECT)lParam); } break; case WM_EXITSIZEMOVE: { PhMipContainerOnExitSizeMove(); } break; case WM_CLOSE: { // Hide, don't close. ShowWindow(hWnd, SW_HIDE); } return TRUE; case WM_ERASEBKGND: { if (PhMipContainerOnEraseBkgnd((HDC)wParam)) return TRUE; } break; case WM_TIMER: { PhMipContainerOnTimer((ULONG)wParam); } break; } return DefWindowProc(hWnd, uMsg, wParam, lParam); } INT_PTR CALLBACK PhMipMiniInfoDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhMipWindow = hwndDlg; PhMipLayoutWindow = GetDlgItem(hwndDlg, IDC_LAYOUT); PhMipOnInitDialog(); } break; case WM_SHOWWINDOW: { PhMipOnShowWindow(!!wParam, (ULONG)lParam); } break; case WM_COMMAND: { PhMipOnCommand(GET_WM_COMMAND_ID(wParam, lParam), HIWORD(wParam)); } break; case WM_NOTIFY: { LRESULT result; if (PhMipOnNotify((NMHDR *)lParam, &result)) { SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, result); return TRUE; } } break; case WM_CTLCOLORBTN: case WM_CTLCOLORDLG: case WM_CTLCOLORSTATIC: { HBRUSH brush; if (PhMipOnCtlColorXxx(uMsg, (HWND)lParam, (HDC)wParam, &brush)) return (INT_PTR)brush; } break; case WM_DRAWITEM: { if (PhMipOnDrawItem(wParam, (DRAWITEMSTRUCT *)lParam)) return TRUE; } break; } if (uMsg >= MIP_MSG_FIRST && uMsg <= MIP_MSG_LAST) { PhMipOnUserMessage(uMsg, wParam, lParam); } return FALSE; } RTL_ATOM PhMipContainerInitializeWindowClass( VOID ) { WNDCLASSEX wcex; PPH_STRING name; memset(&wcex, 0, sizeof(WNDCLASSEX)); wcex.cbSize = sizeof(WNDCLASSEX); wcex.style = CS_DBLCLKS | CS_GLOBALCLASS; wcex.lpfnWndProc = PhMipContainerWndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = sizeof(PVOID); wcex.hInstance = NtCurrentImageBase(); wcex.hCursor = PhLoadCursor(NULL, IDC_ARROW); name = PhaGetStringSetting(SETTING_MINI_INFO_CONTAINER_CLASS_NAME); wcex.lpszClassName = PhGetStringOrDefault(name, SETTING_MINI_INFO_CONTAINER_CLASS_NAME); return RegisterClassEx(&wcex); } VOID PhMipContainerOnShowWindow( _In_ BOOLEAN Showing, _In_ ULONG State ) { ULONG i; PPH_MINIINFO_SECTION section; if (Showing) { PostMessage(PhMipWindow, MIP_MSG_UPDATE, 0, 0); PhMipMessageLoopFilterEntry = PhRegisterMessageLoopFilter(PhMipMessageLoopFilter, NULL); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhMipUpdateHandler, NULL, &ProcessesUpdatedRegistration ); } else { for (i = 0; i < MaxMiniInfoPinType; i++) PhMipPinCounts[i] = 0; Button_SetCheck(GetDlgItem(PhMipWindow, IDC_PINWINDOW), BST_UNCHECKED); PhMipSetPinned(FALSE, TRUE); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED, FALSE); PhUnregisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), &ProcessesUpdatedRegistration ); if (PhMipMessageLoopFilterEntry) { PhUnregisterMessageLoopFilter(PhMipMessageLoopFilterEntry); PhMipMessageLoopFilterEntry = NULL; } PhSaveWindowPlacementToSetting(SETTING_MINI_INFO_WINDOW_POSITION, SETTING_MINI_INFO_WINDOW_SIZE, PhMipContainerWindow); } if (SectionList) { for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; section->Callback(section, MiniInfoShowing, UlongToPtr(Showing), NULL); } } } VOID PhMipContainerOnActivate( _In_ ULONG Type, _In_ BOOLEAN Minimized ) { if (Type == WA_ACTIVE || Type == WA_CLICKACTIVE) { PhPinMiniInformation(MiniInfoActivePinType, 1, 0, 0, NULL, NULL); } else if (Type == WA_INACTIVE) { PhPinMiniInformation(MiniInfoActivePinType, -1, 0, 0, NULL, NULL); } } VOID PhMipContainerOnSize( VOID ) { if (PhMipWindow) { InvalidateRect(PhMipContainerWindow, NULL, FALSE); PhMipLayout(); } } VOID PhMipContainerOnSizing( _In_ ULONG Edge, _In_ PRECT DragRectangle ) { PhResizingMinimumSize(DragRectangle, Edge, MinimumSize.right, MinimumSize.bottom); } VOID PhMipContainerOnExitSizeMove( VOID ) { PhSaveWindowPlacementToSetting(SETTING_MINI_INFO_WINDOW_POSITION, SETTING_MINI_INFO_WINDOW_SIZE, PhMipContainerWindow); } BOOLEAN PhMipContainerOnEraseBkgnd( _In_ HDC hdc ) { return FALSE; } VOID PhMipContainerOnTimer( _In_ ULONG Id ) { if (Id >= MIP_TIMER_PIN_FIRST && Id <= MIP_TIMER_PIN_LAST) { PH_MINIINFO_PIN_TYPE pinType = Id - MIP_TIMER_PIN_FIRST; // PhPinMiniInformation kills the timer for us. PhPinMiniInformation(pinType, PhMipDelayedPinAdjustments[pinType], 0, 0, NULL, NULL); } } VOID PhMipOnInitDialog( VOID ) { HICON cog; HICON pin; LONG dpiValue; HWND sectionWindow; WNDPROC oldWndProc; dpiValue = PhGetWindowDpi(PhMipWindow); sectionWindow = GetDlgItem(PhMipWindow, IDC_SECTION); cog = PH_LOAD_SHARED_ICON_SMALL(PhInstanceHandle, MAKEINTRESOURCE(IDI_COG), dpiValue); SET_BUTTON_ICON(PhMipWindow, IDC_OPTIONS, cog); pin = PH_LOAD_SHARED_ICON_SMALL(PhInstanceHandle, MAKEINTRESOURCE(IDI_PIN), dpiValue); SET_BUTTON_ICON(PhMipWindow, IDC_PINWINDOW, pin); PhInitializeLayoutManager(&PhMipLayoutManager, PhMipWindow); PhAddLayoutItem(&PhMipLayoutManager, PhMipLayoutWindow, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&PhMipLayoutManager, sectionWindow, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM | PH_LAYOUT_FORCE_INVALIDATE); PhAddLayoutItem(&PhMipLayoutManager, GetDlgItem(PhMipWindow, IDC_OPTIONS), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&PhMipLayoutManager, GetDlgItem(PhMipWindow, IDC_PINWINDOW), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); Button_SetCheck(GetDlgItem(PhMipWindow, IDC_PINWINDOW), !!PhGetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED)); // Subclass the window procedure. oldWndProc = PhGetWindowProcedure(sectionWindow); PhSetWindowContext(sectionWindow, 0xF, oldWndProc); PhSetWindowProcedure(sectionWindow, PhMipSectionControlHookWndProc); } VOID PhMipOnShowWindow( _In_ BOOLEAN Showing, _In_ ULONG State ) { if (SectionList) return; SectionList = PhCreateList(8); PhMipInitializeParameters(); SetWindowFont(GetDlgItem(PhMipWindow, IDC_SECTION), CurrentParameters.MediumFont, FALSE); PhMipCreateInternalListSection(L"CPU", 0, PhMipCpuListSectionCallback); PhMipCreateInternalListSection(L"Commit charge", 0, PhMipCommitListSectionCallback); PhMipCreateInternalListSection(L"Physical memory", 0, PhMipPhysicalListSectionCallback); PhMipCreateInternalListSection(L"I/O", 0, PhMipIoListSectionCallback); if (PhPluginsEnabled) { PH_PLUGIN_MINIINFO_POINTERS pointers; pointers.WindowHandle = PhMipContainerWindow; pointers.CreateSection = PhMipCreateSection; pointers.FindSection = PhMipFindSection; pointers.CreateListSection = PhMipCreateListSection; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMiniInformationInitializing), &pointers); } PhMipChangeSection(SectionList->Items[0]); } VOID PhMipOnCommand( _In_ ULONG Id, _In_ ULONG Code ) { switch (Id) { case IDC_SECTION: { switch (Code) { case STN_CLICKED: PhMipShowSectionMenu(); break; } } break; case IDC_OPTIONS: PhMipShowOptionsMenu(); break; case IDC_PINWINDOW: { BOOLEAN pinned; pinned = Button_GetCheck(GetDlgItem(PhMipWindow, IDC_PINWINDOW)) == BST_CHECKED; PhPinMiniInformation(MiniInfoManualPinType, pinned ? 1 : -1, 0, 0, NULL, NULL); PhMipSetPinned(pinned, TRUE); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED, pinned); } break; } } _Success_(return) BOOLEAN PhMipOnNotify( _In_ NMHDR *Header, _Out_ LRESULT *Result ) { return FALSE; } _Success_(return) BOOLEAN PhMipOnCtlColorXxx( _In_ ULONG Message, _In_ HWND WindowHandle, _In_ HDC hdc, _Out_ HBRUSH *Brush ) { return FALSE; } BOOLEAN PhMipOnDrawItem( _In_ ULONG_PTR Id, _In_ DRAWITEMSTRUCT *DrawItemStruct ) { return FALSE; } VOID PhMipOnUserMessage( _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ) { switch (Message) { case MIP_MSG_UPDATE: { ULONG i; PPH_MINIINFO_SECTION section; if (SectionList) { for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; section->Callback(section, MiniInfoTick, NULL, NULL); } } } break; } } BOOLEAN PhMipMessageLoopFilter( _In_ PMSG Message, _In_ PVOID Context ) { if (Message->hwnd == PhMipContainerWindow || IsChild(PhMipContainerWindow, Message->hwnd)) { if (Message->message == WM_MOUSEMOVE || Message->message == WM_NCMOUSEMOVE) { TRACKMOUSEEVENT trackMouseEvent; trackMouseEvent.cbSize = sizeof(TRACKMOUSEEVENT); trackMouseEvent.dwFlags = TME_LEAVE | (Message->message == WM_NCMOUSEMOVE ? TME_NONCLIENT : 0); trackMouseEvent.hwndTrack = Message->hwnd; trackMouseEvent.dwHoverTime = 0; TrackMouseEvent(&trackMouseEvent); if (Message->message == WM_MOUSEMOVE) PhMipLastTrackedWindow = Message->hwnd; else PhMipLastNcTrackedWindow = Message->hwnd; PhPinMiniInformation(MiniInfoHoverPinType, 1, 0, 0, NULL, NULL); } else if (Message->message == WM_MOUSELEAVE && Message->hwnd == PhMipLastTrackedWindow) { PhPinMiniInformation(MiniInfoHoverPinType, -1, MIP_UNPIN_HOVER_DELAY, 0, NULL, NULL); } else if (Message->message == WM_NCMOUSELEAVE && Message->hwnd == PhMipLastNcTrackedWindow) { PhPinMiniInformation(MiniInfoHoverPinType, -1, MIP_UNPIN_HOVER_DELAY, 0, NULL, NULL); } else if (Message->message == WM_KEYDOWN) { switch (Message->wParam) { case VK_F5: PhMipRefresh(); break; case VK_F6: case VK_PAUSE: PhMipToggleRefreshAutomatically(); break; } } } return FALSE; } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMipUpdateHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { if (PhMipRefreshAutomatically & MIP_REFRESH_AUTOMATICALLY_FLAG(PhMipPinned)) PostMessage(PhMipWindow, MIP_MSG_UPDATE, 0, 0); } PH_MIP_ADJUST_PIN_RESULT PhMipAdjustPin( _In_ PH_MINIINFO_PIN_TYPE PinType, _In_ LONG PinCount ) { LONG oldTotalPinCount; LONG oldPinCount; LONG newPinCount; ULONG i; oldTotalPinCount = 0; for (i = 0; i < MaxMiniInfoPinType; i++) oldTotalPinCount += PhMipPinCounts[i]; oldPinCount = PhMipPinCounts[PinType]; newPinCount = max(oldPinCount + PinCount, 0); newPinCount = min(newPinCount, PhMipMaxPinCounts[PinType]); PhMipPinCounts[PinType] = newPinCount; if (oldTotalPinCount == 0 && newPinCount > oldPinCount) return ShowAdjustPinResult; else if (oldTotalPinCount > 0 && oldTotalPinCount - oldPinCount + newPinCount == 0) return HideAdjustPinResult; else return NoAdjustPinResult; } VOID PhMipCalculateWindowRectangle( _In_ PPOINT SourcePoint, _Out_ PPH_RECTANGLE WindowRectangle ) { RECT windowRect; PH_RECTANGLE windowRectangle; PH_RECTANGLE point; MONITORINFO monitorInfo = { sizeof(monitorInfo) }; PhLoadWindowPlacementFromSetting(NULL, SETTING_MINI_INFO_WINDOW_SIZE, PhMipContainerWindow); PhGetWindowRect(PhMipContainerWindow, &windowRect); SendMessage(PhMipContainerWindow, WM_SIZING, WMSZ_BOTTOMRIGHT, (LPARAM)&windowRect); // Adjust for the minimum size. PhRectToRectangle(&windowRectangle, &windowRect); point.Left = SourcePoint->x; point.Top = SourcePoint->y; point.Width = 0; point.Height = 0; PhCenterRectangle(&windowRectangle, &point); if (GetMonitorInfo( MonitorFromPoint(*SourcePoint, MONITOR_DEFAULTTOPRIMARY), &monitorInfo )) { PH_RECTANGLE bounds; if (RtlEqualMemory(&monitorInfo.rcWork, &monitorInfo.rcMonitor, sizeof(RECT))) { HWND trayWindow; RECT taskbarRect; // The taskbar probably has auto-hide enabled. We need to adjust for that. if ((trayWindow = FindWindow(L"Shell_TrayWnd", NULL)) && GetMonitorInfo(MonitorFromWindow(trayWindow, MONITOR_DEFAULTTOPRIMARY), &monitorInfo) && // Just in case PhGetWindowRect(trayWindow, &taskbarRect)) { LONG monitorMidX = (monitorInfo.rcMonitor.left + monitorInfo.rcMonitor.right) / 2; LONG monitorMidY = (monitorInfo.rcMonitor.top + monitorInfo.rcMonitor.bottom) / 2; if (taskbarRect.right < monitorMidX) { // Left monitorInfo.rcWork.left += taskbarRect.right - taskbarRect.left; } else if (taskbarRect.bottom < monitorMidY) { // Top monitorInfo.rcWork.top += taskbarRect.bottom - taskbarRect.top; } else if (taskbarRect.left > monitorMidX) { // Right monitorInfo.rcWork.right -= taskbarRect.right - taskbarRect.left; } else if (taskbarRect.top > monitorMidY) { // Bottom monitorInfo.rcWork.bottom -= taskbarRect.bottom - taskbarRect.top; } } } PhRectToRectangle(&bounds, &monitorInfo.rcWork); PhAdjustRectangleToBounds(&windowRectangle, &bounds); } *WindowRectangle = windowRectangle; } VOID PhMipInitializeParameters( VOID ) { LOGFONT logFont; HDC hdc; TEXTMETRIC textMetrics; HFONT originalFont; LONG dpiValue; memset(&CurrentParameters, 0, sizeof(PH_MINIINFO_PARAMETERS)); CurrentParameters.ContainerWindowHandle = PhMipContainerWindow; CurrentParameters.MiniInfoWindowHandle = PhMipWindow; dpiValue = PhGetWindowDpi(PhMipWindow); if (PhGetSystemParametersInfo(SPI_GETICONTITLELOGFONT, sizeof(LOGFONT), &logFont, dpiValue)) { CurrentParameters.Font = CreateFontIndirect(&logFont); } else { CurrentParameters.Font = PhApplicationFont; GetObject(PhApplicationFont, sizeof(LOGFONT), &logFont); } hdc = GetDC(PhMipWindow); logFont.lfHeight -= PhMultiplyDivide(2, dpiValue, 72); CurrentParameters.MediumFont = CreateFontIndirect(&logFont); originalFont = SelectFont(hdc, CurrentParameters.Font); GetTextMetrics(hdc, &textMetrics); CurrentParameters.FontHeight = textMetrics.tmHeight; CurrentParameters.FontAverageWidth = textMetrics.tmAveCharWidth; SelectFont(hdc, CurrentParameters.MediumFont); GetTextMetrics(hdc, &textMetrics); CurrentParameters.MediumFontHeight = textMetrics.tmHeight; CurrentParameters.MediumFontAverageWidth = textMetrics.tmAveCharWidth; CurrentParameters.SetSectionText = PhMipSetSectionText; SelectFont(hdc, originalFont); ReleaseDC(PhMipWindow, hdc); } _Function_class_(PH_MINIINFO_CREATE_SECTION) PPH_MINIINFO_SECTION PhMipCreateSection( _In_ PPH_MINIINFO_SECTION Template ) { PPH_MINIINFO_SECTION section; section = PhAllocateZero(sizeof(PH_MINIINFO_SECTION)); section->Name = Template->Name; section->Flags = Template->Flags; section->Callback = Template->Callback; section->Context = Template->Context; section->Parameters = &CurrentParameters; PhAddItemList(SectionList, section); section->Callback(section, MiniInfoCreate, NULL, NULL); return section; } VOID PhMipDestroySection( _In_ PPH_MINIINFO_SECTION Section ) { Section->Callback(Section, MiniInfoDestroy, NULL, NULL); PhClearReference(&Section->Text); PhFree(Section); } _Function_class_(PH_MINIINFO_FIND_SECTION) PPH_MINIINFO_SECTION PhMipFindSection( _In_ PPH_STRINGREF Name ) { ULONG i; PPH_MINIINFO_SECTION section; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (PhEqualStringRef(§ion->Name, Name, TRUE)) return section; } return NULL; } PPH_MINIINFO_SECTION PhMipCreateInternalSection( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MINIINFO_SECTION_CALLBACK Callback ) { PH_MINIINFO_SECTION section; memset(§ion, 0, sizeof(PH_MINIINFO_SECTION)); PhInitializeStringRefLongHint(§ion.Name, Name); section.Flags = Flags; section.Callback = Callback; return PhMipCreateSection(§ion); } VOID PhMipCreateSectionDialog( _In_ PPH_MINIINFO_SECTION Section ) { PH_MINIINFO_CREATE_DIALOG createDialog; memset(&createDialog, 0, sizeof(PH_MINIINFO_CREATE_DIALOG)); if (Section->Callback(Section, MiniInfoCreateDialog, &createDialog, NULL)) { if (!createDialog.CustomCreate) { Section->DialogHandle = PhCreateDialogFromTemplate( PhMipWindow, DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD, createDialog.Instance, createDialog.Template, createDialog.DialogProc, createDialog.Parameter ); PhInitializeWindowTheme(Section->DialogHandle, PhEnableThemeSupport); } } } VOID PhMipChangeSection( _In_ PPH_MINIINFO_SECTION NewSection ) { PPH_MINIINFO_SECTION oldSection; if (NewSection == CurrentSection) return; oldSection = CurrentSection; CurrentSection = NewSection; if (oldSection) { oldSection->Callback(oldSection, MiniInfoSectionChanging, CurrentSection, NULL); if (oldSection->DialogHandle) ShowWindow(oldSection->DialogHandle, SW_HIDE); } if (!NewSection->DialogHandle) PhMipCreateSectionDialog(NewSection); if (NewSection->DialogHandle) ShowWindow(NewSection->DialogHandle, SW_SHOW); PhMipUpdateSectionText(NewSection); PhMipLayout(); NewSection->Callback(NewSection, MiniInfoTick, NULL, NULL); } VOID PhMipSetSectionText( _In_ struct _PH_MINIINFO_SECTION *Section, _In_opt_ PPH_STRING Text ) { PhSwapReference(&Section->Text, Text); if (Section == CurrentSection) PhMipUpdateSectionText(Section); } VOID PhMipUpdateSectionText( _In_ PPH_MINIINFO_SECTION Section ) { if (Section->Text) { PhSetDialogItemText(PhMipWindow, IDC_SECTION, PH_AUTO_T(PH_STRING, PhConcatStringRef2(&DownArrowPrefix, &Section->Text->sr))->Buffer); } else { PhSetDialogItemText(PhMipWindow, IDC_SECTION, PH_AUTO_T(PH_STRING, PhConcatStringRef2(&DownArrowPrefix, &Section->Name))->Buffer); } } VOID PhMipLayout( VOID ) { RECT clientRect; RECT windowRect; if (!PhGetClientRect(PhMipContainerWindow, &clientRect)) return; MoveWindow( PhMipWindow, clientRect.left, clientRect.top, clientRect.right - clientRect.left, clientRect.bottom - clientRect.top, FALSE ); PhLayoutManagerLayout(&PhMipLayoutManager); if (!PhGetWindowRect(PhMipLayoutWindow, &windowRect)) return; MapWindowRect(NULL, PhMipWindow, &windowRect); if (CurrentSection && CurrentSection->DialogHandle) { if (CurrentSection->Flags & PH_MINIINFO_SECTION_NO_UPPER_MARGINS) { windowRect.left = 0; windowRect.top = 0; windowRect.right = clientRect.right; } else { LONG leftDistance = windowRect.left - clientRect.left; LONG rightDistance = clientRect.right - windowRect.right; LONG minDistance; if (leftDistance != rightDistance) { // HACK: Enforce symmetry. Sometimes these are off by a pixel. minDistance = min(leftDistance, rightDistance); windowRect.left = clientRect.left + minDistance; windowRect.right = clientRect.right - minDistance; } } MoveWindow( CurrentSection->DialogHandle, windowRect.left, windowRect.top, windowRect.right - windowRect.left, windowRect.bottom - windowRect.top, TRUE ); } //GetWindowRect(GetDlgItem(PhMipWindow, IDC_PINWINDOW), &windowRect); //MapWindowPoints(NULL, PhMipWindow, (POINT *)&rect, 2); } VOID PhMipBeginChildControlPin( VOID ) { PhPinMiniInformation(MiniInfoChildControlPinType, 1, 0, 0, NULL, NULL); } VOID PhMipEndChildControlPin( VOID ) { PhPinMiniInformation(MiniInfoChildControlPinType, -1, MIP_UNPIN_CHILD_CONTROL_DELAY, 0, NULL, NULL); PostMessage(PhMipWindow, WM_MOUSEMOVE, 0, 0); // Re-evaluate hover pin } VOID PhMipRefresh( VOID ) { if (PhMipPinned) SystemInformer_Refresh(); PostMessage(PhMipWindow, MIP_MSG_UPDATE, 0, 0); } VOID PhMipToggleRefreshAutomatically( VOID ) { PhMipRefreshAutomatically ^= MIP_REFRESH_AUTOMATICALLY_FLAG(PhMipPinned); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_REFRESH_AUTOMATICALLY, PhMipRefreshAutomatically); } VOID PhMipSetPinned( _In_ BOOLEAN Pinned, _In_ BOOLEAN Update ) { if (Update) { PhSetWindowStyle(PhMipContainerWindow, WS_DLGFRAME | WS_SYSMENU, Pinned ? (WS_DLGFRAME | WS_SYSMENU) : 0); SetWindowPos(PhMipContainerWindow, NULL, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE | SWP_FRAMECHANGED); } PhMipPinned = Pinned; PhNfNotifyMiniInfoPinned(Pinned); } VOID PhMipShowSectionMenu( VOID ) { PPH_EMENU menu; ULONG i; PPH_MINIINFO_SECTION section; PPH_EMENU_ITEM menuItem; POINT point; PhMipBeginChildControlPin(); menu = PhCreateEMenu(); for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; menuItem = PhCreateEMenuItem( (section == CurrentSection ? (PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK) : 0), 0, PH_AUTO_T(PH_STRING, PhCreateString2(§ion->Name))->Buffer, NULL, section ); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); } GetCursorPos(&point); menuItem = PhShowEMenu(menu, PhMipWindow, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y); if (menuItem) { PhMipChangeSection(menuItem->Context); } PhDestroyEMenu(menu); PhMipEndChildControlPin(); } PPH_EMENU PhpMipCreateMenu( VOID ) { PPH_EMENU menu; PPH_EMENU_ITEM menuItem; menu = PhCreateEMenu(); menuItem = PhCreateEMenuItem(0, 0, L"&Opacity", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_10, L"10%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_20, L"20%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_30, L"30%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_40, L"40%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_50, L"50%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_60, L"60%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_70, L"70%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_80, L"80%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_90, L"90%", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_OPACITY_OPAQUE, L"Opaque", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MINIINFO_REFRESH, L"&Refresh\bF5", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MINIINFO_REFRESHAUTOMATICALLY, L"Refresh a&utomatically\bF6", NULL, NULL), ULONG_MAX); return menu; } VOID PhMipShowOptionsMenu( VOID ) { PPH_EMENU menu; PPH_EMENU_ITEM menuItem; ULONG id; RECT rect; PhMipBeginChildControlPin(); // Menu menu = PhpMipCreateMenu(); // Opacity id = PH_OPACITY_TO_ID(PhGetIntegerSetting(SETTING_MINI_INFO_WINDOW_OPACITY)); if (menuItem = PhFindEMenuItem(menu, PH_EMENU_FIND_DESCEND, NULL, id)) menuItem->Flags |= PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK; // Refresh Automatically if (PhMipRefreshAutomatically & MIP_REFRESH_AUTOMATICALLY_FLAG(PhMipPinned)) PhSetFlagsEMenuItem(menu, ID_MINIINFO_REFRESHAUTOMATICALLY, PH_EMENU_CHECKED, PH_EMENU_CHECKED); // Show the menu. PhGetWindowRect(GetDlgItem(PhMipWindow, IDC_OPTIONS), &rect); menuItem = PhShowEMenu(menu, PhMipWindow, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_BOTTOM, rect.left, rect.top); if (menuItem) { switch (menuItem->Id) { case ID_OPACITY_10: case ID_OPACITY_20: case ID_OPACITY_30: case ID_OPACITY_40: case ID_OPACITY_50: case ID_OPACITY_60: case ID_OPACITY_70: case ID_OPACITY_80: case ID_OPACITY_90: case ID_OPACITY_OPAQUE: { ULONG opacity; opacity = PH_ID_TO_OPACITY(menuItem->Id); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_OPACITY, opacity); PhSetWindowOpacity(PhMipContainerWindow, opacity); } break; case ID_MINIINFO_REFRESH: PhMipRefresh(); break; case ID_MINIINFO_REFRESHAUTOMATICALLY: PhMipToggleRefreshAutomatically(); break; } } PhDestroyEMenu(menu); PhMipEndChildControlPin(); } LRESULT CALLBACK PhMipSectionControlHookWndProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { WNDPROC oldWndProc; if (!(oldWndProc = PhGetWindowContext(WindowHandle, 0xF))) return DefWindowProc(WindowHandle, uMsg, wParam, lParam); switch (uMsg) { case WM_DESTROY: { PhSetWindowProcedure(WindowHandle, oldWndProc); PhRemoveWindowContext(WindowHandle, 0xF); } break; case WM_SETCURSOR: { PhSetCursor(PhLoadCursor(NULL, IDC_HAND)); } return TRUE; } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); } PPH_MINIINFO_LIST_SECTION PhMipCreateListSection( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MINIINFO_LIST_SECTION Template ) { PPH_MINIINFO_LIST_SECTION listSection; PH_MINIINFO_SECTION section; listSection = PhAllocateZero(sizeof(PH_MINIINFO_LIST_SECTION)); listSection->Context = Template->Context; listSection->Callback = Template->Callback; memset(§ion, 0, sizeof(PH_MINIINFO_SECTION)); PhInitializeStringRefLongHint(§ion.Name, Name); section.Flags = PH_MINIINFO_SECTION_NO_UPPER_MARGINS; section.Callback = PhMipListSectionCallback; section.Context = listSection; listSection->Section = PhMipCreateSection(§ion); return listSection; } PPH_MINIINFO_LIST_SECTION PhMipCreateInternalListSection( _In_ PCWSTR Name, _In_ ULONG Flags, _In_ PPH_MINIINFO_LIST_SECTION_CALLBACK Callback ) { PH_MINIINFO_LIST_SECTION listSection; memset(&listSection, 0, sizeof(PH_MINIINFO_LIST_SECTION)); listSection.Callback = Callback; return PhMipCreateListSection(Name, Flags, &listSection); } BOOLEAN PhMipListSectionCallback( _In_ PPH_MINIINFO_SECTION Section, _In_ PH_MINIINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ) { PPH_MINIINFO_LIST_SECTION listSection = Section->Context; switch (Message) { case MiniInfoCreate: { listSection->NodeList = PhCreateList(2); listSection->Callback(listSection, MiListSectionCreate, NULL, NULL); } break; case MiniInfoDestroy: { listSection->Callback(listSection, MiListSectionDestroy, NULL, NULL); PhMipClearListSection(listSection); PhDereferenceObject(listSection->NodeList); PhFree(listSection); } break; case MiniInfoTick: if (listSection->SuspendUpdate == 0) PhMipTickListSection(listSection); break; case MiniInfoShowing: { listSection->Callback(listSection, MiListSectionShowing, Parameter1, Parameter2); if (!Parameter1) // Showing { // We don't want to hold process item references while the mini info window // is hidden. PhMipClearListSection(listSection); if (listSection->TreeNewHandle) { TreeNew_NodesStructured(listSection->TreeNewHandle); } } } break; case MiniInfoCreateDialog: { PPH_MINIINFO_CREATE_DIALOG createDialog = Parameter1; createDialog->Instance = PhInstanceHandle; createDialog->Template = MAKEINTRESOURCE(IDD_MINIINFO_LIST); createDialog->DialogProc = PhMipListSectionDialogProc; createDialog->Parameter = listSection; } return TRUE; } return FALSE; } INT_PTR CALLBACK PhMipListSectionDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_MINIINFO_LIST_SECTION listSection; if (uMsg == WM_INITDIALOG) { listSection = (PPH_MINIINFO_LIST_SECTION)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, listSection); } else { listSection = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!listSection) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PPH_LAYOUT_ITEM layoutItem; listSection->DialogHandle = hwndDlg; listSection->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhInitializeLayoutManager(&listSection->LayoutManager, hwndDlg); layoutItem = PhAddLayoutItem(&listSection->LayoutManager, listSection->TreeNewHandle, NULL, PH_ANCHOR_ALL); // Use negative margins to maximize our use of the window area. layoutItem->Margin.left = -1; layoutItem->Margin.top = -1; layoutItem->Margin.right = -1; PhSetControlTheme(listSection->TreeNewHandle, L"explorer"); TreeNew_SetRedraw(listSection->TreeNewHandle, FALSE); TreeNew_SetCallback(listSection->TreeNewHandle, PhMipListSectionTreeNewCallback, listSection); TreeNew_SetRowHeight(listSection->TreeNewHandle, PhMipCalculateRowHeight(hwndDlg)); PhAddTreeNewColumnEx2(listSection->TreeNewHandle, MIP_SINGLE_COLUMN_ID, TRUE, L"Process", 1, PH_ALIGN_LEFT, 0, 0, TN_COLUMN_FLAG_CUSTOMDRAW); TreeNew_SetRedraw(listSection->TreeNewHandle, TRUE); listSection->Callback(listSection, MiListSectionDialogCreated, hwndDlg, NULL); PhMipTickListSection(listSection); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteLayoutManager(&listSection->LayoutManager); listSection->TreeNewHandle = NULL; listSection->DialogHandle = NULL; } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&listSection->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&listSection->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&listSection->LayoutManager); TreeNew_AutoSizeColumn(listSection->TreeNewHandle, MIP_SINGLE_COLUMN_ID, TN_AUTOSIZE_REMAINING_SPACE); } break; } return FALSE; } VOID PhMipListSectionSortFunction( _In_ PPH_LIST List, _In_opt_ PVOID Context ) { PPH_MINIINFO_LIST_SECTION listSection = Context; PH_MINIINFO_LIST_SECTION_SORT_LIST sortList; if (!listSection) return; sortList.List = List; listSection->Callback(listSection, MiListSectionSortProcessList, &sortList, NULL); } VOID PhMipTickListSection( _In_ PPH_MINIINFO_LIST_SECTION ListSection ) { ULONG i; PPH_MIP_GROUP_NODE node; PH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA assignSortData; PhMipClearListSection(ListSection); ListSection->ProcessGroupList = PhCreateProcessGroupList( PhMipListSectionSortFunction, ListSection, MIP_MAX_PROCESS_GROUPS, 0 ); if (!ListSection->ProcessGroupList) return; for (i = 0; i < ListSection->ProcessGroupList->Count; i++) { node = PhMipAddGroupNode(ListSection, ListSection->ProcessGroupList->Items[i]); if (node->RepresentativeProcessId == ListSection->SelectedRepresentativeProcessId && node->RepresentativeCreateTime.QuadPart == ListSection->SelectedRepresentativeCreateTime.QuadPart) { node->Node.Selected = TRUE; } assignSortData.ProcessGroup = node->ProcessGroup; assignSortData.SortData = &node->SortData; ListSection->Callback(ListSection, MiListSectionAssignSortData, &assignSortData, NULL); } if (ListSection->TreeNewHandle) { TreeNew_NodesStructured(ListSection->TreeNewHandle); TreeNew_AutoSizeColumn(ListSection->TreeNewHandle, MIP_SINGLE_COLUMN_ID, TN_AUTOSIZE_REMAINING_SPACE); } ListSection->Callback(ListSection, MiListSectionTick, NULL, NULL); } VOID PhMipClearListSection( _In_ PPH_MINIINFO_LIST_SECTION ListSection ) { if (ListSection->ProcessGroupList) { PhFreeProcessGroupList(ListSection->ProcessGroupList); ListSection->ProcessGroupList = NULL; } for (ULONG i = 0; i < ListSection->NodeList->Count; i++) PhMipDestroyGroupNode(ListSection->NodeList->Items[i]); PhClearList(ListSection->NodeList); PhDereferenceObject(ListSection->NodeList); ListSection->NodeList = PhCreateList(2); } LONG PhMipCalculateRowHeight( _In_ HWND WindowHandle ) { LONG iconHeight; LONG titleAndSubtitleHeight; LONG dpiValue; dpiValue = PhGetWindowDpi(WindowHandle); iconHeight = PhGetDpi(MIP_ICON_PADDING + MIP_CELL_PADDING, dpiValue) + PhGetSystemMetrics(SM_CXICON, dpiValue); titleAndSubtitleHeight = PhGetDpi(MIP_CELL_PADDING, dpiValue) * 2 + CurrentParameters.FontHeight + PhGetDpi(MIP_INNER_PADDING, dpiValue) + CurrentParameters.FontHeight; return max(iconHeight, titleAndSubtitleHeight); } PPH_MIP_GROUP_NODE PhMipAddGroupNode( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_PROCESS_GROUP ProcessGroup ) { PPH_MIP_GROUP_NODE node; node = PhAllocate(sizeof(PH_MIP_GROUP_NODE)); memset(node, 0, sizeof(PH_MIP_GROUP_NODE)); PhInitializeTreeNewNode(&node->Node); node->ProcessGroup = ProcessGroup; node->RepresentativeProcessId = ProcessGroup->Representative->ProcessId; node->RepresentativeCreateTime = ProcessGroup->Representative->CreateTime; node->RepresentativeIsHung = ProcessGroup->WindowHandle && IsHungAppWindow(ProcessGroup->WindowHandle); if (node->RepresentativeIsHung) { // Make sure this is a real hung window, not a ghost window. if (PhHungWindowFromGhostWindow(ProcessGroup->WindowHandle)) node->RepresentativeIsHung = FALSE; } if (FlagOn(ProcessGroup->Representative->State, PH_PROCESS_ITEM_REMOVED)) { node->RepresentativeIsTerminated = TRUE; } PhAddItemList(ListSection->NodeList, node); return node; } VOID PhMipDestroyGroupNode( _In_ PPH_MIP_GROUP_NODE Node ) { PhClearReference(&Node->TooltipText); PhFree(Node); } BOOLEAN PhMipListSectionTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ) { PPH_MINIINFO_LIST_SECTION listSection = Context; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; PH_MINIINFO_LIST_SECTION_SORT_LIST sortList; if (!getChildren->Node) { getChildren->Children = (PPH_TREENEW_NODE *)listSection->NodeList->Items; getChildren->NumberOfChildren = listSection->NodeList->Count; sortList.List = listSection->NodeList; listSection->Callback(listSection, MiListSectionSortGroupList, &sortList, NULL); } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; PPH_MIP_GROUP_NODE node = (PPH_MIP_GROUP_NODE)customDraw->Node; PPH_PROCESS_ITEM processItem = node->ProcessGroup->Representative; HDC hdc = customDraw->Dc; RECT rect = customDraw->CellRect; ULONG baseTextFlags = DT_NOPREFIX | DT_VCENTER | DT_SINGLELINE; HICON icon; COLORREF originalTextColor; RECT topRect; RECT bottomRect; PH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT getUsageText; ULONG usageTextTopWidth = 0; ULONG usageTextBottomWidth = 0; PH_MINIINFO_LIST_SECTION_GET_TITLE_TEXT getTitleText; LONG dpiValue; LONG width; LONG height; LONG iconPadding; LONG cellPadding; dpiValue = PhGetWindowDpi(WindowHandle); width = PhGetSystemMetrics(SM_CXICON, dpiValue); height = PhGetSystemMetrics(SM_CYICON, dpiValue); iconPadding = PhGetDpi(MIP_ICON_PADDING, dpiValue); cellPadding = PhGetDpi(MIP_CELL_PADDING, dpiValue); rect.left += iconPadding; rect.top += iconPadding; rect.right -= cellPadding; rect.bottom -= cellPadding; icon = PhGetImageListIcon(processItem->LargeIconIndex, TRUE); DrawIconEx(hdc, rect.left, rect.top, icon, width, height, 0, NULL, DI_NORMAL); DestroyIcon(icon); rect.left += (cellPadding - iconPadding) + width + cellPadding; rect.top += cellPadding - iconPadding; SelectFont(hdc, CurrentParameters.Font); // This color changes depending on whether the node is selected, etc. originalTextColor = GetTextColor(hdc); // Usage text topRect = rect; topRect.bottom = topRect.top + CurrentParameters.FontHeight; bottomRect = rect; bottomRect.top = bottomRect.bottom - CurrentParameters.FontHeight; getUsageText.ProcessGroup = node->ProcessGroup; getUsageText.SortData = &node->SortData; getUsageText.Line1 = NULL; getUsageText.Line2 = NULL; getUsageText.Line1Color = originalTextColor; getUsageText.Line2Color = originalTextColor; if (listSection->Callback(listSection, MiListSectionGetUsageText, &getUsageText, NULL)) { PH_STRINGREF text; RECT textRect; SIZE textSize; // Top text = PhGetStringRef(getUsageText.Line1); GetTextExtentPoint32(hdc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &textSize); usageTextTopWidth = textSize.cx; textRect = topRect; textRect.left = textRect.right - textSize.cx; SetTextColor(hdc, getUsageText.Line1Color); DrawText(hdc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &textRect, baseTextFlags | DT_RIGHT); PhClearReference(&getUsageText.Line1); // Bottom text = PhGetStringRef(getUsageText.Line2); GetTextExtentPoint32(hdc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &textSize); usageTextBottomWidth = textSize.cx; textRect = bottomRect; textRect.left = textRect.right - textSize.cx; SetTextColor(hdc, getUsageText.Line2Color); DrawText(hdc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &textRect, baseTextFlags | DT_RIGHT); PhClearReference(&getUsageText.Line2); } // Title, subtitle getTitleText.ProcessGroup = node->ProcessGroup; getTitleText.SortData = &node->SortData; if (!PhIsNullOrEmptyString(processItem->VersionInfo.FileDescription)) PhSetReference(&getTitleText.Title, processItem->VersionInfo.FileDescription); else PhSetReference(&getTitleText.Title, processItem->ProcessName); if (node->ProcessGroup->Processes->Count == 1) { PhSetReference(&getTitleText.Subtitle, processItem->ProcessName); } else { getTitleText.Subtitle = PhFormatString( L"%s (%u processes)", processItem->ProcessName->Buffer, node->ProcessGroup->Processes->Count ); } getTitleText.TitleColor = originalTextColor; getTitleText.SubtitleColor = GetSysColor(COLOR_GRAYTEXT); // Special text for hung windows if (node->RepresentativeIsHung) { static CONST PH_STRINGREF hungPrefix = PH_STRINGREF_INIT(L"(Not responding) "); PhMoveReference(&getTitleText.Title, PhConcatStringRef2(&hungPrefix, &getTitleText.Title->sr)); getTitleText.TitleColor = RGB(0xff, 0x00, 0x00); } if (node->RepresentativeIsTerminated) { static CONST PH_STRINGREF terminatedPrefix = PH_STRINGREF_INIT(L"(Terminated) "); PhMoveReference(&getTitleText.Title, PhConcatStringRef2(&terminatedPrefix, &getTitleText.Title->sr)); getTitleText.TitleColor = RGB(0xA9, 0xA9, 0xA9); } listSection->Callback(listSection, MiListSectionGetTitleText, &getTitleText, NULL); if (!PhIsNullOrEmptyString(getTitleText.Title)) { RECT textRect; textRect = topRect; textRect.right -= usageTextTopWidth + MIP_INNER_PADDING; SetTextColor(hdc, getTitleText.TitleColor); DrawText( hdc, getTitleText.Title->Buffer, (ULONG)getTitleText.Title->Length / sizeof(WCHAR), &textRect, baseTextFlags | DT_END_ELLIPSIS ); } if (!PhIsNullOrEmptyString(getTitleText.Subtitle)) { RECT textRect; textRect = bottomRect; textRect.right -= usageTextBottomWidth + MIP_INNER_PADDING; SetTextColor(hdc, getTitleText.SubtitleColor); DrawText( hdc, getTitleText.Subtitle->Buffer, (ULONG)getTitleText.Subtitle->Length / sizeof(WCHAR), &textRect, baseTextFlags | DT_END_ELLIPSIS ); } PhClearReference(&getTitleText.Title); PhClearReference(&getTitleText.Subtitle); } return TRUE; case TreeNewGetCellTooltip: { PPH_TREENEW_GET_CELL_TOOLTIP getCellTooltip = Parameter1; PPH_MIP_GROUP_NODE node = (PPH_MIP_GROUP_NODE)getCellTooltip->Node; // This is useless most of the time because the tooltip doesn't display unless the window is active. // TODO: Find a way to make the tooltip display all the time. if (!node->TooltipText) node->TooltipText = PhMipGetGroupNodeTooltip(listSection, node); if (!PhIsNullOrEmptyString(node->TooltipText)) { getCellTooltip->Text = node->TooltipText->sr; getCellTooltip->Unfolding = FALSE; getCellTooltip->MaximumWidth = ULONG_MAX; } else { return FALSE; } } return TRUE; case TreeNewSelectionChanged: { ULONG i; PPH_MIP_GROUP_NODE node; listSection->SelectedRepresentativeProcessId = NULL; listSection->SelectedRepresentativeCreateTime.QuadPart = 0; for (i = 0; i < listSection->NodeList->Count; i++) { node = listSection->NodeList->Items[i]; if (node->Node.Selected) { listSection->SelectedRepresentativeProcessId = node->RepresentativeProcessId; listSection->SelectedRepresentativeCreateTime = node->RepresentativeCreateTime; break; } } } break; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; listSection->SuspendUpdate++; switch (keyEvent->VirtualKey) { case VK_DELETE: { PPH_MIP_GROUP_NODE node; PPH_PROCESS_ITEM processItem; BOOLEAN pinned; // Prevent the window from changing visibility while displaying a modal dialog. (dmex) { pinned = TRUE; PhPinMiniInformation(MiniInfoManualPinType, pinned ? 1 : -1, 0, 0, NULL, NULL); PhMipSetPinned(pinned, FALSE); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED, pinned); } if (node = PhMipGetSelectedGroupNode(listSection)) { processItem = node->ProcessGroup->Representative; PhReferenceObject(processItem); PhUiTerminateProcesses(listSection->DialogHandle, &processItem, 1); PhDereferenceObject(processItem); } SetFocus(listSection->TreeNewHandle); //SystemInformer_Refresh(); //PostMessage(PhMipWindow, MIP_MSG_UPDATE, 0, 0); { pinned = FALSE; PhPinMiniInformation(MiniInfoManualPinType, pinned ? 1 : -1, 0, 0, NULL, NULL); PhMipSetPinned(pinned, FALSE); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED, pinned); } } break; case VK_RETURN: { PPH_MIP_GROUP_NODE node; BOOLEAN pinned; // Prevent the window from changing visibility while displaying a modal dialog. (dmex) { pinned = TRUE; PhPinMiniInformation(MiniInfoManualPinType, pinned ? 1 : -1, 0, 0, NULL, NULL); PhMipSetPinned(pinned, FALSE); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED, pinned); } if (node = PhMipGetSelectedGroupNode(listSection)) { if (GetKeyState(VK_CONTROL) >= 0) { PhMipHandleListSectionCommand(listSection, node->ProcessGroup, ID_PROCESS_GOTOPROCESS); } else { if (node->ProcessGroup->Representative->FileName) { PhShellExecuteUserString( listSection->DialogHandle, SETTING_FILE_BROWSE_EXECUTABLE, node->ProcessGroup->Representative->FileName->Buffer, FALSE, L"Make sure the Explorer executable file is present." ); } } } SetFocus(listSection->TreeNewHandle); //SystemInformer_Refresh(); //PostMessage(PhMipWindow, MIP_MSG_UPDATE, 0, 0); { pinned = FALSE; PhPinMiniInformation(MiniInfoManualPinType, pinned ? 1 : -1, 0, 0, NULL, NULL); PhMipSetPinned(pinned, FALSE); PhSetIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED, pinned); } } break; } listSection->SuspendUpdate--; } return TRUE; case TreeNewLeftDoubleClick: { PPH_TREENEW_MOUSE_EVENT mouseEvent = Parameter1; PPH_MIP_GROUP_NODE node = (PPH_MIP_GROUP_NODE)mouseEvent->Node; if (node) { listSection->SuspendUpdate++; PhMipHandleListSectionCommand(listSection, node->ProcessGroup, ID_PROCESS_GOTOPROCESS); listSection->SuspendUpdate--; } } break; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; // Prevent the node list from being updated (otherwise any nodes we're using might be destroyed while we're // in a modal message loop). listSection->SuspendUpdate++; PhMipBeginChildControlPin(); PhMipShowListSectionContextMenu(listSection, contextMenu); PhMipEndChildControlPin(); listSection->SuspendUpdate--; } break; } return FALSE; } PPH_STRING PhMipGetGroupNodeTooltip( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_MIP_GROUP_NODE Node ) { PH_STRING_BUILDER sb; PhInitializeStringBuilder(&sb, 100); // TODO return PhFinalStringBuilderString(&sb); } PPH_MIP_GROUP_NODE PhMipGetSelectedGroupNode( _In_ PPH_MINIINFO_LIST_SECTION ListSection ) { ULONG i; PPH_MIP_GROUP_NODE node; for (i = 0; i < ListSection->NodeList->Count; i++) { node = ListSection->NodeList->Items[i]; if (node->Node.Selected) return node; } return NULL; } VOID PhMipShowListSectionContextMenu( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PPH_MIP_GROUP_NODE selectedNode; PPH_EMENU menu; PPH_EMENU_ITEM item; PH_MINIINFO_LIST_SECTION_MENU_INFORMATION menuInfo; PH_PLUGIN_MENU_INFORMATION pluginMenuInfo; selectedNode = PhMipGetSelectedGroupNode(ListSection); if (!selectedNode) return; menu = PhCreateEMenu(); // TODO: If there are multiple processes, then create submenus for each process. PhAddMiniProcessMenuItems(menu, ListSection->SelectedRepresentativeProcessId); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_GOTOPROCESS, L"&Go to process", NULL, NULL), ULONG_MAX); PhSetFlagsEMenuItem(menu, ID_PROCESS_GOTOPROCESS, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); if (selectedNode->ProcessGroup->Processes->Count != 1) { if (item = PhFindEMenuItem(menu, 0, NULL, ID_PROCESS_GOTOPROCESS)) PhModifyEMenuItem(item, PH_EMENU_MODIFY_TEXT, 0, L"&Go to processes", NULL); } memset(&menuInfo, 0, sizeof(PH_MINIINFO_LIST_SECTION_MENU_INFORMATION)); menuInfo.ProcessGroup = selectedNode->ProcessGroup; menuInfo.SortData = &selectedNode->SortData; menuInfo.ContextMenu = ContextMenu; ListSection->Callback(ListSection, MiListSectionInitializeContextMenu, &menuInfo, NULL); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&pluginMenuInfo, menu, ListSection->DialogHandle, 0); pluginMenuInfo.Menu = menu; pluginMenuInfo.OwnerWindow = PhMipWindow; pluginMenuInfo.u.MiListSection.SectionName = &ListSection->Section->Name; pluginMenuInfo.u.MiListSection.ProcessGroup = selectedNode->ProcessGroup; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMiListSectionMenuInitializing), &pluginMenuInfo); } item = PhShowEMenu( menu, PhMipWindow, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&pluginMenuInfo, item); if (!handled) { menuInfo.SelectedItem = item; handled = ListSection->Callback(ListSection, MiListSectionHandleContextMenu, &menuInfo, NULL); } if (!handled) PhHandleMiniProcessMenuItem(item); if (!handled) PhMipHandleListSectionCommand(ListSection, selectedNode->ProcessGroup, item->Id); } PhDestroyEMenu(menu); } VOID PhMipHandleListSectionCommand( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PPH_PROCESS_GROUP ProcessGroup, _In_ ULONG Id ) { switch (Id) { case ID_PROCESS_GOTOPROCESS: { PPH_LIST nodes; ULONG i; BOOLEAN invalid; nodes = PhCreateList(ProcessGroup->Processes->Count); for (i = 0; i < ProcessGroup->Processes->Count; i++) { PPH_PROCESS_NODE node; if (node = PhFindProcessNode(((PPH_PROCESS_ITEM)ProcessGroup->Processes->Items[i])->ProcessId)) PhAddItemList(nodes, node); } invalid = ProcessGroup->Processes->Count == 1 && nodes->Count == 0; PhPinMiniInformation(MiniInfoIconPinType, -1, 0, 0, NULL, NULL); PhPinMiniInformation(MiniInfoActivePinType, -1, 0, 0, NULL, NULL); PhPinMiniInformation(MiniInfoHoverPinType, -1, 0, 0, NULL, NULL); SystemInformer_ToggleVisible(TRUE); SystemInformer_SelectTabPage(0); PhSelectAndEnsureVisibleProcessNodes((PPH_PROCESS_NODE*)nodes->Items, nodes->Count); PhDereferenceObject(nodes); if (invalid) { PhShowStatus(PhMainWndHandle, L"The process does not exist.", STATUS_INVALID_CID, 0); } } break; } } BOOLEAN PhMipCpuListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ) { switch (Message) { case MiListSectionTick: { PH_FORMAT format[3]; // CPU %.2f%% PhInitFormatS(&format[0], L"CPU "); PhInitFormatF(&format[1], (PhCpuUserUsage + PhCpuKernelUsage) * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[2], L'%'); ListSection->Section->Parameters->SetSectionText(ListSection->Section, PH_AUTO(PhFormat(format, RTL_NUMBER_OF(format), 16))); } break; case MiListSectionSortProcessList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_PROCESS_NODE), PhMipCpuListSectionProcessCompareFunction); } return TRUE; case MiListSectionAssignSortData: { PPH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA assignSortData = Parameter1; PPH_LIST processes; FLOAT cpuUsage; ULONG i; if (!assignSortData) break; processes = assignSortData->ProcessGroup->Processes; cpuUsage = 0; for (i = 0; i < processes->Count; i++) cpuUsage += ((PPH_PROCESS_ITEM)processes->Items[i])->CpuUsage; *(PFLOAT)assignSortData->SortData->UserData = cpuUsage; } return TRUE; case MiListSectionSortGroupList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_MINIINFO_LIST_SECTION_SORT_DATA), PhMipCpuListSectionNodeCompareFunction); } return TRUE; case MiListSectionGetUsageText: { PPH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT getUsageText = Parameter1; PPH_LIST processes; FLOAT cpuUsage; PPH_STRING cpuUsageText; PH_FORMAT format[3]; if (!getUsageText) break; processes = getUsageText->ProcessGroup->Processes; cpuUsage = *(PFLOAT)getUsageText->SortData->UserData * 100; if (cpuUsage >= PhMaxPrecisionLimit) { // %.2f%% PhInitFormatF(&format[0], cpuUsage, PhMaxPrecisionUnit); PhInitFormatC(&format[1], L'%'); cpuUsageText = PhFormat(format, 2, 16); } else if (cpuUsage != 0) { PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); PhInitFormatC(&format[2], L'%'); cpuUsageText = PhFormat(format, 3, 16); } else cpuUsageText = NULL; PhMoveReference(&getUsageText->Line1, cpuUsageText); } return TRUE; } return FALSE; } int __cdecl PhMipCpuListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { int result; PPH_PROCESS_NODE node1 = *(PPH_PROCESS_NODE *)elem1; PPH_PROCESS_NODE node2 = *(PPH_PROCESS_NODE *)elem2; result = singlecmp(node2->ProcessItem->CpuUsage, node1->ProcessItem->CpuUsage); if (result == 0) result = uint64cmp(node2->ProcessItem->UserTime.QuadPart, node1->ProcessItem->UserTime.QuadPart); return result; } int __cdecl PhMipCpuListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_MINIINFO_LIST_SECTION_SORT_DATA data1 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem1; PPH_MINIINFO_LIST_SECTION_SORT_DATA data2 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem2; return singlecmp(*(PFLOAT)data2->UserData, *(PFLOAT)data1->UserData); } BOOLEAN PhMipCommitListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ) { switch (Message) { case MiListSectionTick: { FLOAT commitFraction = (FLOAT)PhPerfInformation.CommittedPages / PhPerfInformation.CommitLimit; PH_FORMAT format[5]; PhInitFormatS(&format[0], L"Commit "); PhInitFormatSize(&format[1], UInt32x32To64(PhPerfInformation.CommittedPages, PAGE_SIZE)); PhInitFormatS(&format[2], L" ("); PhInitFormatF(&format[3], commitFraction * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[4], L"%)"); ListSection->Section->Parameters->SetSectionText(ListSection->Section, PH_AUTO(PhFormat(format, RTL_NUMBER_OF(format), 96))); } break; case MiListSectionSortProcessList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_PROCESS_NODE), PhMipCommitListSectionProcessCompareFunction); } return TRUE; case MiListSectionAssignSortData: { PPH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA assignSortData = Parameter1; PPH_LIST processes; ULONG64 privateBytes; ULONG i; if (!assignSortData) break; processes = assignSortData->ProcessGroup->Processes; privateBytes = 0; for (i = 0; i < processes->Count; i++) privateBytes += ((PPH_PROCESS_ITEM)processes->Items[i])->VmCounters.PagefileUsage; *(PULONG64)assignSortData->SortData->UserData = privateBytes; } return TRUE; case MiListSectionSortGroupList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_MINIINFO_LIST_SECTION_SORT_DATA), PhMipCommitListSectionNodeCompareFunction); } return TRUE; case MiListSectionGetUsageText: { PPH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT getUsageText = Parameter1; PPH_LIST processes; ULONG64 privateBytes; if (!getUsageText) break; processes = getUsageText->ProcessGroup->Processes; privateBytes = *(PULONG64)getUsageText->SortData->UserData; PhMoveReference(&getUsageText->Line1, PhFormatSize(privateBytes, ULONG_MAX)); PhMoveReference(&getUsageText->Line2, PhCreateString(L"Private bytes")); getUsageText->Line2Color = GetSysColor(COLOR_GRAYTEXT); } return TRUE; } return FALSE; } int __cdecl PhMipCommitListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_PROCESS_NODE node1 = *(PPH_PROCESS_NODE *)elem1; PPH_PROCESS_NODE node2 = *(PPH_PROCESS_NODE *)elem2; return uintptrcmp(node2->ProcessItem->VmCounters.PagefileUsage, node1->ProcessItem->VmCounters.PagefileUsage); } int __cdecl PhMipCommitListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_MINIINFO_LIST_SECTION_SORT_DATA data1 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem1; PPH_MINIINFO_LIST_SECTION_SORT_DATA data2 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem2; return uint64cmp(*(PULONG64)data2->UserData, *(PULONG64)data1->UserData); } BOOLEAN PhMipPhysicalListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ) { switch (Message) { case MiListSectionTick: { ULONG_PTR physicalUsage = PhSystemBasicInformation.NumberOfPhysicalPages - PhPerfInformation.AvailablePages; FLOAT physicalFraction = (FLOAT)physicalUsage / PhSystemBasicInformation.NumberOfPhysicalPages; FLOAT physicalPercent = physicalFraction * 100; PH_FORMAT format[5]; PhInitFormatS(&format[0], L"Physical "); PhInitFormatSize(&format[1], UInt32x32To64(physicalUsage, PAGE_SIZE)); PhInitFormatS(&format[2], L" ("); PhInitFormatF(&format[3], physicalPercent, PhMaxPrecisionUnit); PhInitFormatS(&format[4], L"%)"); ListSection->Section->Parameters->SetSectionText(ListSection->Section, PH_AUTO(PhFormat(format, RTL_NUMBER_OF(format), 96))); } break; case MiListSectionSortProcessList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_PROCESS_NODE), PhMipPhysicalListSectionProcessCompareFunction); } return TRUE; case MiListSectionAssignSortData: { PPH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA assignSortData = Parameter1; PPH_LIST processes; ULONG64 workingSet; ULONG i; if (!assignSortData) break; processes = assignSortData->ProcessGroup->Processes; workingSet = 0; for (i = 0; i < processes->Count; i++) workingSet += ((PPH_PROCESS_ITEM)processes->Items[i])->VmCounters.WorkingSetSize; *(PULONG64)assignSortData->SortData->UserData = workingSet; } return TRUE; case MiListSectionSortGroupList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_MINIINFO_LIST_SECTION_SORT_DATA), PhMipPhysicalListSectionNodeCompareFunction); } return TRUE; case MiListSectionGetUsageText: { PPH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT getUsageText = Parameter1; PPH_LIST processes; ULONG64 privateBytes; if (!getUsageText) break; processes = getUsageText->ProcessGroup->Processes; privateBytes = *(PULONG64)getUsageText->SortData->UserData; PhMoveReference(&getUsageText->Line1, PhFormatSize(privateBytes, ULONG_MAX)); PhMoveReference(&getUsageText->Line2, PhCreateString(L"Working set")); getUsageText->Line2Color = GetSysColor(COLOR_GRAYTEXT); } return TRUE; } return FALSE; } int __cdecl PhMipPhysicalListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_PROCESS_NODE node1 = *(PPH_PROCESS_NODE *)elem1; PPH_PROCESS_NODE node2 = *(PPH_PROCESS_NODE *)elem2; return uintptrcmp(node2->ProcessItem->VmCounters.WorkingSetSize, node1->ProcessItem->VmCounters.WorkingSetSize); } int __cdecl PhMipPhysicalListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_MINIINFO_LIST_SECTION_SORT_DATA data1 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem1; PPH_MINIINFO_LIST_SECTION_SORT_DATA data2 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem2; return uint64cmp(*(PULONG64)data2->UserData, *(PULONG64)data1->UserData); } BOOLEAN PhMipIoListSectionCallback( _In_ PPH_MINIINFO_LIST_SECTION ListSection, _In_ PH_MINIINFO_LIST_SECTION_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ) { switch (Message) { case MiListSectionTick: { PH_FORMAT format[6]; PhInitFormatS(&format[0], L"I/O R: "); PhInitFormatSizeWithPrecision(&format[1], PhIoReadDelta.Delta, 0); PhInitFormatS(&format[2], L" W: "); PhInitFormatSizeWithPrecision(&format[3], PhIoWriteDelta.Delta, 0); PhInitFormatS(&format[4], L" O: "); PhInitFormatSizeWithPrecision(&format[5], PhIoOtherDelta.Delta, 0); ListSection->Section->Parameters->SetSectionText(ListSection->Section, PH_AUTO(PhFormat(format, RTL_NUMBER_OF(format), 80))); } break; case MiListSectionSortProcessList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_PROCESS_NODE), PhMipIoListSectionProcessCompareFunction); } return TRUE; case MiListSectionAssignSortData: { PPH_MINIINFO_LIST_SECTION_ASSIGN_SORT_DATA assignSortData = Parameter1; PPH_LIST processes; ULONG64 ioReadOtherDelta; ULONG64 ioWriteDelta; ULONG i; if (!assignSortData) break; processes = assignSortData->ProcessGroup->Processes; ioReadOtherDelta = 0; ioWriteDelta = 0; for (i = 0; i < processes->Count; i++) { PPH_PROCESS_ITEM processItem = processes->Items[i]; ioReadOtherDelta += processItem->IoReadDelta.Delta; ioWriteDelta += processItem->IoWriteDelta.Delta; ioReadOtherDelta += processItem->IoOtherDelta.Delta; } assignSortData->SortData->UserData[0] = ioReadOtherDelta; assignSortData->SortData->UserData[1] = ioWriteDelta; } return TRUE; case MiListSectionSortGroupList: { PPH_MINIINFO_LIST_SECTION_SORT_LIST sortList = Parameter1; if (!sortList) break; qsort(sortList->List->Items, sortList->List->Count, sizeof(PPH_MINIINFO_LIST_SECTION_SORT_DATA), PhMipIoListSectionNodeCompareFunction); } return TRUE; case MiListSectionGetUsageText: { PPH_MINIINFO_LIST_SECTION_GET_USAGE_TEXT getUsageText = Parameter1; PPH_LIST processes; ULONG64 ioReadOtherDelta; ULONG64 ioWriteDelta; PH_FORMAT format[1]; if (!getUsageText) break; processes = getUsageText->ProcessGroup->Processes; ioReadOtherDelta = getUsageText->SortData->UserData[0]; ioWriteDelta = getUsageText->SortData->UserData[1]; PhInitFormatSize(&format[0], ioReadOtherDelta + ioWriteDelta); PhMoveReference(&getUsageText->Line1, PhFormat(format, 1, 16)); } return TRUE; } return FALSE; } int __cdecl PhMipIoListSectionProcessCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { int result; PPH_PROCESS_NODE node1 = *(PPH_PROCESS_NODE *)elem1; PPH_PROCESS_NODE node2 = *(PPH_PROCESS_NODE *)elem2; ULONG64 delta1 = node1->ProcessItem->IoReadDelta.Delta + node1->ProcessItem->IoWriteDelta.Delta + node1->ProcessItem->IoOtherDelta.Delta; ULONG64 delta2 = node2->ProcessItem->IoReadDelta.Delta + node2->ProcessItem->IoWriteDelta.Delta + node2->ProcessItem->IoOtherDelta.Delta; ULONG64 value1 = node1->ProcessItem->IoReadDelta.Value + node1->ProcessItem->IoWriteDelta.Value + node1->ProcessItem->IoOtherDelta.Value; ULONG64 value2 = node2->ProcessItem->IoReadDelta.Value + node2->ProcessItem->IoWriteDelta.Value + node2->ProcessItem->IoOtherDelta.Value; result = uint64cmp(delta2, delta1); if (result == 0) result = uint64cmp(value2, value1); return result; } int __cdecl PhMipIoListSectionNodeCompareFunction( _In_ const void *elem1, _In_ const void *elem2 ) { PPH_MINIINFO_LIST_SECTION_SORT_DATA data1 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem1; PPH_MINIINFO_LIST_SECTION_SORT_DATA data2 = *(PPH_MINIINFO_LIST_SECTION_SORT_DATA *)elem2; return uint64cmp(data2->UserData[0] + data2->UserData[1], data1->UserData[0] + data1->UserData[1]); } ================================================ FILE: SystemInformer/modlist.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpModuleNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpModuleNodeHashtableHashFunction( _In_ PVOID Entry ); VOID PhpDestroyModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_NODE ModuleNode ); VOID PhpRemoveModuleNode( _In_ PPH_MODULE_NODE ModuleNode, _In_ PPH_MODULE_LIST_CONTEXT Context ); _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpModuleTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); BOOLEAN NTAPI PhpModuleTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); VOID PhInitializeModuleList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_MODULE_LIST_CONTEXT Context ) { BOOLEAN enableMonospaceFont = !!PhGetIntegerSetting(SETTING_ENABLE_MONOSPACE_FONT); memset(Context, 0, sizeof(PH_MODULE_LIST_CONTEXT)); Context->EnableStateHighlighting = TRUE; Context->NodeHashtable = PhCreateHashtable( sizeof(PPH_MODULE_NODE), PhpModuleNodeHashtableEqualFunction, PhpModuleNodeHashtableHashFunction, 100 ); Context->NodeList = PhCreateList(100); Context->NodeRootList = PhCreateList(2); Context->ParentWindowHandle = ParentWindowHandle; Context->TreeNewHandle = TreeNewHandle; PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); TreeNew_SetCallback(Context->TreeNewHandle, PhpModuleTreeNewCallback, Context); // Default columns PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_NAME, TRUE, L"Name", 100, PH_ALIGN_LEFT, -2, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_BASEADDRESS, TRUE, L"Base address", 80, PH_ALIGN_LEFT | (enableMonospaceFont ? PH_ALIGN_MONOSPACE_FONT : 0), 0, 0); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_SIZE, TRUE, L"Size", 60, PH_ALIGN_RIGHT, 1, DT_RIGHT, TRUE); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_DESCRIPTION, TRUE, L"Description", 160, PH_ALIGN_LEFT, 2, 0); // Available columns PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_COMPANYNAME, FALSE, L"Company name", 180, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_VERSION, FALSE, L"Version", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_FILENAME, FALSE, L"File name", 180, PH_ALIGN_LEFT, ULONG_MAX, DT_PATH_ELLIPSIS); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_TYPE, FALSE, L"Type", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_LOADCOUNT, FALSE, L"Load count", 40, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_VERIFICATIONSTATUS, FALSE, L"Verification status", 70, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_VERIFIEDSIGNER, FALSE, L"Verified signer", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_ASLR, FALSE, L"ASLR", 50, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_TIMESTAMP, FALSE, L"Time stamp", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_CFGUARD, FALSE, L"CF Guard", 70, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_LOADTIME, FALSE, L"Load time", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_LOADREASON, FALSE, L"Load reason", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_FILEMODIFIEDTIME, FALSE, L"File modified time", 140, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_FILESIZE, FALSE, L"File size", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_ENTRYPOINT, FALSE, L"Entry point", 70, PH_ALIGN_RIGHT | (enableMonospaceFont ? PH_ALIGN_MONOSPACE_FONT : 0), ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_PARENTBASEADDRESS, FALSE, L"Parent base address", 70, PH_ALIGN_RIGHT | (enableMonospaceFont ? PH_ALIGN_MONOSPACE_FONT : 0), ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_CET, FALSE, L"CET", 50, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_COHERENCY, FALSE, L"Image coherency", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx2(Context->TreeNewHandle, PHMOTLC_TIMELINE, FALSE, L"Timeline", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_ORIGINALNAME, FALSE, L"Original name", 200, PH_ALIGN_LEFT, ULONG_MAX, DT_PATH_ELLIPSIS); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_SERVICE, FALSE, L"Service", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PHMOTLC_ENCLAVE_TYPE, FALSE, L"Enclave type", 40, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_ENCLAVE_BASE_ADDRESS, FALSE, L"Enclave base address", 80, PH_ALIGN_LEFT | (enableMonospaceFont ? PH_ALIGN_MONOSPACE_FONT : 0), ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_ENCLAVE_SIZE, FALSE, L"Enclave size", 80, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PHMOTLC_ARCHITECTURE, FALSE, L"Architecture", 80, PH_ALIGN_LEFT, ULONG_MAX, DT_RIGHT, TRUE); PhCmInitializeManager(&Context->Cm, Context->TreeNewHandle, PHMOTLC_MAXIMUM, PhpModuleTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, Context->TreeNewHandle, Context->NodeList); TreeNew_SetTriState(Context->TreeNewHandle, TRUE); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); } VOID PhDeleteModuleList( _In_ PPH_MODULE_LIST_CONTEXT Context ) { ULONG i; PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); PhCmDeleteManager(&Context->Cm); for (i = 0; i < Context->NodeList->Count; i++) PhpDestroyModuleNode(Context, Context->NodeList->Items[i]); PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); PhDereferenceObject(Context->NodeRootList); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpModuleNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_MODULE_NODE moduleNode1 = *(PPH_MODULE_NODE *)Entry1; PPH_MODULE_NODE moduleNode2 = *(PPH_MODULE_NODE *)Entry2; return moduleNode1->ModuleItem == moduleNode2->ModuleItem; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpModuleNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashIntPtr((ULONG_PTR)(*(PPH_MODULE_NODE *)Entry)->ModuleItem); } VOID PhLoadSettingsModuleList( _Inout_ PPH_MODULE_LIST_CONTEXT Context ) { ULONG flags; PPH_STRING settings; PPH_STRING sortSettings; flags = PhGetIntegerSetting(SETTING_MODULE_TREE_LIST_FLAGS); settings = PhGetStringSetting(SETTING_MODULE_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_MODULE_TREE_LIST_SORT); Context->Flags = flags; PhCmLoadSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSaveSettingsModuleList( _Inout_ PPH_MODULE_LIST_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &sortSettings); PhSetIntegerSetting(SETTING_MODULE_TREE_LIST_FLAGS, Context->Flags); PhSetStringSetting2(SETTING_MODULE_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_MODULE_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSetOptionsModuleList( _Inout_ PPH_MODULE_LIST_CONTEXT Context, _In_ ULONG Options ) { switch (Options) { case PH_MODULE_FLAGS_DYNAMIC_OPTION: Context->HideDynamicModules = !Context->HideDynamicModules; break; case PH_MODULE_FLAGS_MAPPED_OPTION: Context->HideMappedModules = !Context->HideMappedModules; break; case PH_MODULE_FLAGS_STATIC_OPTION: Context->HideStaticModules = !Context->HideStaticModules; break; case PH_MODULE_FLAGS_SIGNED_OPTION: Context->HideSignedModules = !Context->HideSignedModules; break; case PH_MODULE_FLAGS_HIGHLIGHT_UNSIGNED_OPTION: Context->HighlightUntrustedModules = !Context->HighlightUntrustedModules; break; case PH_MODULE_FLAGS_HIGHLIGHT_DOTNET_OPTION: Context->HighlightDotNetModules = !Context->HighlightDotNetModules; break; case PH_MODULE_FLAGS_HIGHLIGHT_IMMERSIVE_OPTION: Context->HighlightImmersiveModules = !Context->HighlightImmersiveModules; break; case PH_MODULE_FLAGS_HIGHLIGHT_RELOCATED_OPTION: Context->HighlightRelocatedModules = !Context->HighlightRelocatedModules; break; case PH_MODULE_FLAGS_SYSTEM_OPTION: Context->HideSystemModules = !Context->HideSystemModules; break; case PH_MODULE_FLAGS_HIGHLIGHT_SYSTEM_OPTION: Context->HighlightSystemModules = !Context->HighlightSystemModules; break; case PH_MODULE_FLAGS_LOWIMAGECOHERENCY_OPTION: Context->HideLowImageCoherency = !Context->HideLowImageCoherency; break; case PH_MODULE_FLAGS_HIGHLIGHT_LOWIMAGECOHERENCY_OPTION: Context->HighlightLowImageCoherency = !Context->HighlightLowImageCoherency; break; case PH_MODULE_FLAGS_IMAGEKNOWNDLL_OPTION: Context->HideImageKnownDll = !Context->HideImageKnownDll; break; case PH_MODULE_FLAGS_HIGHLIGHT_IMAGEKNOWNDLL: Context->HighlightImageKnownDll = !Context->HighlightImageKnownDll; break; case PH_MODULE_FLAGS_ZERO_PAD_ADDRESSES: Context->ZeroPadAddresses = !Context->ZeroPadAddresses; break; } } PPH_MODULE_NODE PhCreateModuleNode( _Inout_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_ITEM ModuleItem, _In_ ULONG RunId ) { PPH_MODULE_NODE moduleNode; moduleNode = PhAllocate(PhEmGetObjectSize(EmModuleNodeType, sizeof(PH_MODULE_NODE))); memset(moduleNode, 0, sizeof(PH_MODULE_NODE)); PhInitializeTreeNewNode(&moduleNode->Node); moduleNode->Children = PhCreateList(1); if (Context->EnableStateHighlighting && RunId != 1) { PhChangeShStateTn( &moduleNode->Node, &moduleNode->ShState, &Context->NodeStateList, NewItemState, PhCsColorNew, NULL ); } moduleNode->ModuleItem = PhReferenceObject(ModuleItem); memset(moduleNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMOTLC_MAXIMUM); moduleNode->Node.TextCache = moduleNode->TextCache; moduleNode->Node.TextCacheSize = PHMOTLC_MAXIMUM; PhAddEntryHashtable(Context->NodeHashtable, &moduleNode); PhAddItemList(Context->NodeList, moduleNode); if (Context->TreeFilterSupport.FilterList) moduleNode->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->TreeFilterSupport, &moduleNode->Node); PhEmCallObjectOperation(EmModuleNodeType, moduleNode, EmObjectCreate); TreeNew_NodesStructured(Context->TreeNewHandle); return moduleNode; } PPH_MODULE_NODE PhAddModuleNode( _Inout_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_ITEM ModuleItem, _In_ ULONG RunId ) { PPH_MODULE_NODE moduleNode; PPH_MODULE_NODE parentNode; ULONG i; moduleNode = PhCreateModuleNode(Context, ModuleItem, RunId); for (i = 0; i < Context->NodeList->Count; i++) { parentNode = Context->NodeList->Items[i]; if (parentNode != moduleNode && parentNode->ModuleItem->BaseAddress == ModuleItem->ParentBaseAddress) { moduleNode->Parent = parentNode; PhAddItemList(parentNode->Children, moduleNode); break; } } if (!moduleNode->Parent) { moduleNode->Node.Expanded = TRUE; PhAddItemList(Context->NodeRootList, moduleNode); } return moduleNode; } PPH_MODULE_NODE PhFindModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_ITEM ModuleItem ) { PH_MODULE_NODE lookupModuleNode; PPH_MODULE_NODE lookupModuleNodePtr = &lookupModuleNode; PPH_MODULE_NODE *moduleNode; lookupModuleNode.ModuleItem = ModuleItem; moduleNode = (PPH_MODULE_NODE *)PhFindEntryHashtable( Context->NodeHashtable, &lookupModuleNodePtr ); if (moduleNode) return *moduleNode; else return NULL; } VOID PhRemoveModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_NODE ModuleNode ) { // Remove from the hashtable here to avoid problems in case the key is re-used. PhRemoveEntryHashtable(Context->NodeHashtable, &ModuleNode); if (Context->EnableStateHighlighting) { PhChangeShStateTn( &ModuleNode->Node, &ModuleNode->ShState, &Context->NodeStateList, RemovingItemState, PhCsColorRemoved, Context->TreeNewHandle ); } else { PhpRemoveModuleNode(ModuleNode, Context); } } VOID PhpDestroyModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_NODE ModuleNode ) { ULONG index; PhEmCallObjectOperation(EmModuleNodeType, ModuleNode, EmObjectDelete); if (ModuleNode->Parent) { // Remove the node from its parent. if ((index = PhFindItemList(ModuleNode->Parent->Children, ModuleNode)) != ULONG_MAX) PhRemoveItemList(ModuleNode->Parent->Children, index); } else { // Remove the node from the root list. if ((index = PhFindItemList(Context->NodeRootList, ModuleNode)) != ULONG_MAX) PhRemoveItemList(Context->NodeRootList, index); } // Move the node's children to the root list. for (index = 0; index < ModuleNode->Children->Count; index++) { PPH_MODULE_NODE node = ModuleNode->Children->Items[index]; node->Parent = NULL; PhAddItemList(Context->NodeRootList, node); } PhClearReference(&ModuleNode->TooltipText); if (ModuleNode->FileNameWin32) PhDereferenceObject(ModuleNode->FileNameWin32); if (ModuleNode->SizeText) PhDereferenceObject(ModuleNode->SizeText); if (ModuleNode->TimeStampText) PhDereferenceObject(ModuleNode->TimeStampText); if (ModuleNode->LoadTimeText) PhDereferenceObject(ModuleNode->LoadTimeText); if (ModuleNode->FileModifiedTimeText) PhDereferenceObject(ModuleNode->FileModifiedTimeText); if (ModuleNode->FileSizeText) PhDereferenceObject(ModuleNode->FileSizeText); if (ModuleNode->ImageCoherencyText) PhDereferenceObject(ModuleNode->ImageCoherencyText); if (ModuleNode->ServiceText) PhDereferenceObject(ModuleNode->ServiceText); if (ModuleNode->EnclaveSizeText) PhDereferenceObject(ModuleNode->EnclaveSizeText); PhDereferenceObject(ModuleNode->ModuleItem); PhFree(ModuleNode); } VOID PhpRemoveModuleNode( _In_ PPH_MODULE_NODE ModuleNode, _In_ PPH_MODULE_LIST_CONTEXT Context // PH_TICK_SH_STATE requires this parameter to be after ModuleNode ) { ULONG index; // Remove from list and cleanup. if ((index = PhFindItemList(Context->NodeList, ModuleNode)) != ULONG_MAX) PhRemoveItemList(Context->NodeList, index); PhpDestroyModuleNode(Context, ModuleNode); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhUpdateModuleNode( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ PPH_MODULE_NODE ModuleNode ) { memset(ModuleNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMOTLC_MAXIMUM); PhClearReference(&ModuleNode->TooltipText); ModuleNode->ValidMask = 0; PhInvalidateTreeNewNode(&ModuleNode->Node, TN_CACHE_COLOR); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhInvalidateAllModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_MODULE_NODE moduleNode = Context->NodeList->Items[i]; memset(moduleNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMOTLC_MAXIMUM); moduleNode->ValidMask = 0; PhInvalidateTreeNewNode(&moduleNode->Node, TN_CACHE_COLOR | TN_CACHE_FONT); } InvalidateRect(Context->TreeNewHandle, NULL, FALSE); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhInvalidateAllModuleBaseAddressNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_MODULE_NODE moduleNode = Context->NodeList->Items[i]; if (Context->ZeroPadAddresses) { PhPrintPointerPadZeros(moduleNode->ModuleItem->BaseAddressString, moduleNode->ModuleItem->BaseAddress); PhPrintPointerPadZeros(moduleNode->ModuleItem->EntryPointAddressString, moduleNode->ModuleItem->EntryPoint); PhPrintPointerPadZeros(moduleNode->ModuleItem->ParentBaseAddressString, moduleNode->ModuleItem->ParentBaseAddress); PhPrintPointerPadZeros(moduleNode->ModuleItem->EnclaveBaseAddressString, moduleNode->ModuleItem->EnclaveBaseAddress); } else { PhPrintPointer(moduleNode->ModuleItem->BaseAddressString, moduleNode->ModuleItem->BaseAddress); PhPrintPointer(moduleNode->ModuleItem->EntryPointAddressString, moduleNode->ModuleItem->EntryPoint); PhPrintPointer(moduleNode->ModuleItem->ParentBaseAddressString, moduleNode->ModuleItem->ParentBaseAddress); PhPrintPointer(moduleNode->ModuleItem->EnclaveBaseAddressString, moduleNode->ModuleItem->EnclaveBaseAddress); } memset(moduleNode->TextCache, 0, sizeof(PH_STRINGREF) * PHMOTLC_MAXIMUM); moduleNode->ValidMask = 0; PhInvalidateTreeNewNode(&moduleNode->Node, TN_CACHE_COLOR); } InvalidateRect(Context->TreeNewHandle, NULL, FALSE); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhExpandAllModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context, _In_ BOOLEAN Expand ) { ULONG i; BOOLEAN needsRestructure = FALSE; for (i = 0; i < Context->NodeList->Count; i++) { PPH_MODULE_NODE node = Context->NodeList->Items[i]; if (node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } if (needsRestructure) TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhTickModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ) { PH_TICK_SH_STATE_TN(PH_MODULE_NODE, ShState, Context->NodeStateList, PhpRemoveModuleNode, PhCsHighlightingDuration, Context->TreeNewHandle, TRUE, NULL, Context); } #define SORT_FUNCTION(Column) PhpModuleTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpModuleTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_MODULE_LIST_CONTEXT context = ((PPH_MODULE_LIST_CONTEXT)_context); \ PPH_MODULE_NODE node1 = *(PPH_MODULE_NODE *)_elem1; \ PPH_MODULE_NODE node2 = *(PPH_MODULE_NODE *)_elem2; \ PPH_MODULE_ITEM moduleItem1 = node1->ModuleItem; \ PPH_MODULE_ITEM moduleItem2 = node2->ModuleItem; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)moduleItem1->BaseAddress, (ULONG_PTR)moduleItem2->BaseAddress); \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)moduleItem1->EnclaveBaseAddress, (ULONG_PTR)moduleItem2->EnclaveBaseAddress); \ if (sortResult == 0) \ sortResult = PhCompareStringWithNullSortOrder(moduleItem1->FileName, moduleItem2->FileName, context->TreeNewSortOrder, FALSE); \ \ return PhModifySort(sortResult, context->TreeNewSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpModuleTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uintptrcmp((ULONG_PTR)((PPH_MODULE_NODE)Node1)->ModuleItem->BaseAddress, (ULONG_PTR)((PPH_MODULE_NODE)Node2)->ModuleItem->BaseAddress); if (Result == 0) Result = uintptrcmp((ULONG_PTR)((PPH_MODULE_NODE)Node1)->ModuleItem->EnclaveBaseAddress, (ULONG_PTR)((PPH_MODULE_NODE)Node2)->ModuleItem->EnclaveBaseAddress); if (Result == 0) Result = PhCompareStringWithNullSortOrder(((PPH_MODULE_NODE)Node1)->ModuleItem->FileName, ((PPH_MODULE_NODE)Node2)->ModuleItem->FileName, SortOrder, FALSE); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(TriState) { if (moduleItem1->IsFirst) { sortResult = -1; } else if (moduleItem2->IsFirst) { sortResult = 1; } else { sortResult = PhCompareStringWithNullSortOrder(moduleItem1->Name, moduleItem2->Name, context->TreeNewSortOrder, TRUE); // fall back to sorting by name } } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNullSortOrder(moduleItem1->Name, moduleItem2->Name, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(BaseAddress) { sortResult = uintptrcmp((ULONG_PTR)moduleItem1->BaseAddress, (ULONG_PTR)moduleItem2->BaseAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Size) { sortResult = uintcmp(moduleItem1->Size, moduleItem2->Size); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Description) { sortResult = PhCompareStringWithNullSortOrder(moduleItem1->VersionInfo.FileDescription, moduleItem2->VersionInfo.FileDescription, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CompanyName) { sortResult = PhCompareStringWithNullSortOrder(moduleItem1->VersionInfo.CompanyName, moduleItem2->VersionInfo.CompanyName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Version) { sortResult = PhCompareStringWithNullSortOrder(moduleItem1->VersionInfo.FileVersion, moduleItem2->VersionInfo.FileVersion, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileName) { sortResult = PhCompareStringWithNullSortOrder(moduleItem1->FileName, moduleItem2->FileName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Type) { sortResult = uintcmp(moduleItem1->Type, moduleItem2->Type); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LoadCount) { sortResult = uintcmp(moduleItem1->LoadCount, moduleItem2->LoadCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(VerificationStatus) { sortResult = intcmp(moduleItem1->VerifyResult, moduleItem2->VerifyResult); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(VerifiedSigner) { sortResult = PhCompareStringWithNullSortOrder( moduleItem1->VerifySignerName, moduleItem2->VerifySignerName, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Aslr) { sortResult = intcmp( moduleItem1->ImageDllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, moduleItem2->ImageDllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TimeStamp) { sortResult = uintcmp(moduleItem1->ImageTimeDateStamp, moduleItem2->ImageTimeDateStamp); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CfGuard) { // prefer XFG over CFG sortResult = uintcmp( moduleItem1->GuardFlags & IMAGE_GUARD_XFG_ENABLED, moduleItem2->GuardFlags & IMAGE_GUARD_XFG_ENABLED ); if (sortResult == 0) { sortResult = uintcmp( moduleItem1->ImageDllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF, moduleItem2->ImageDllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF ); } } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LoadTime) { sortResult = uint64cmp(moduleItem1->LoadTime.QuadPart, moduleItem2->LoadTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LoadReason) { sortResult = uintcmp(moduleItem1->LoadReason, moduleItem2->LoadReason); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileModifiedTime) { sortResult = int64cmp(moduleItem1->FileLastWriteTime.QuadPart, moduleItem2->FileLastWriteTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileSize) { sortResult = int64cmp(moduleItem1->FileEndOfFile.QuadPart, moduleItem2->FileEndOfFile.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(EntryPoint) { sortResult = uintptrcmp((ULONG_PTR)moduleItem1->EntryPoint, (ULONG_PTR)moduleItem2->EntryPoint); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ParentBaseAddress) { sortResult = uintptrcmp((ULONG_PTR)moduleItem1->ParentBaseAddress, (ULONG_PTR)moduleItem2->ParentBaseAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Cet) { sortResult = uintcmp( moduleItem1->ImageDllCharacteristicsEx & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT, moduleItem2->ImageDllCharacteristicsEx & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ImageCoherency) { sortResult = singlecmp(moduleItem1->ImageCoherency, moduleItem2->ImageCoherency); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(OriginalName) { sortResult = PhCompareStringWithNullSortOrder(moduleItem1->FileName, moduleItem2->FileName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ServiceName) { sortResult = PhCompareStringWithNullSortOrder(node1->ServiceText, node2->ServiceText, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(EnclaveType) { sortResult = uintcmp(moduleItem1->EnclaveType, moduleItem2->EnclaveType); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(EnclaveBaseAddress) { sortResult = uintptrcmp((ULONG_PTR)moduleItem1->EnclaveBaseAddress, (ULONG_PTR)moduleItem2->EnclaveBaseAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(EnclaveSize) { sortResult = uintptrcmp((ULONG_PTR)moduleItem1->EnclaveSize, (ULONG_PTR)moduleItem2->EnclaveSize); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Architecture) { sortResult = uintcmp(moduleItem1->ImageMachine, moduleItem2->ImageMachine); if (sortResult == 0) sortResult = uintcmp(moduleItem1->ImageCHPEVersion, moduleItem2->ImageCHPEVersion); } END_SORT_FUNCTION BOOLEAN NTAPI PhpModuleTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_MODULE_LIST_CONTEXT context = Context; PPH_MODULE_NODE node; if (PhCmForwardMessage(WindowHandle, Message, Parameter1, Parameter2, &context->Cm)) return TRUE; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_MODULE_NODE)getChildren->Node; if (context->TreeNewSortOrder == NoSortOrder) { if (!node) { getChildren->Children = (PPH_TREENEW_NODE *)context->NodeRootList->Items; getChildren->NumberOfChildren = context->NodeRootList->Count; } else { getChildren->Children = (PPH_TREENEW_NODE *)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; } qsort_s(getChildren->Children, getChildren->NumberOfChildren, sizeof(PVOID), SORT_FUNCTION(TriState), context); } else { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Name), SORT_FUNCTION(BaseAddress), SORT_FUNCTION(Size), SORT_FUNCTION(Description), SORT_FUNCTION(CompanyName), SORT_FUNCTION(Version), SORT_FUNCTION(FileName), SORT_FUNCTION(Type), SORT_FUNCTION(LoadCount), SORT_FUNCTION(VerificationStatus), SORT_FUNCTION(VerifiedSigner), SORT_FUNCTION(Aslr), SORT_FUNCTION(TimeStamp), SORT_FUNCTION(CfGuard), SORT_FUNCTION(LoadTime), SORT_FUNCTION(LoadReason), SORT_FUNCTION(FileModifiedTime), SORT_FUNCTION(FileSize), SORT_FUNCTION(EntryPoint), SORT_FUNCTION(ParentBaseAddress), SORT_FUNCTION(Cet), SORT_FUNCTION(ImageCoherency), SORT_FUNCTION(LoadTime), // Timeline SORT_FUNCTION(OriginalName), SORT_FUNCTION(ServiceName), SORT_FUNCTION(EnclaveType), SORT_FUNCTION(EnclaveBaseAddress), SORT_FUNCTION(EnclaveSize), SORT_FUNCTION(Architecture), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PHMOTLC_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortOrder == NoSortOrder) { sortFunction = SORT_FUNCTION(TriState); } else { if (!PhCmForwardSort( (PPH_TREENEW_NODE *)context->NodeList->Items, context->NodeList->Count, context->TreeNewSortColumn, context->TreeNewSortOrder, &context->Cm )) { if (context->TreeNewSortColumn < PHMOTLC_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; } else { sortFunction = NULL; } } if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPH_MODULE_NODE)isLeaf->Node; if (context->TreeNewSortOrder == NoSortOrder) isLeaf->IsLeaf = node->Children->Count == 0; else isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PPH_MODULE_ITEM moduleItem; node = (PPH_MODULE_NODE)getCellText->Node; moduleItem = node->ModuleItem; switch (getCellText->Id) { case PHMOTLC_NAME: { getCellText->Text = PhGetStringRef(moduleItem->Name); } break; case PHMOTLC_BASEADDRESS: { PhInitializeStringRefLongHint(&getCellText->Text, moduleItem->BaseAddressString); } break; case PHMOTLC_SIZE: { PhMoveReference(&node->SizeText, PhFormatSize(moduleItem->Size, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->SizeText); } break; case PHMOTLC_DESCRIPTION: getCellText->Text = PhGetStringRef(moduleItem->VersionInfo.FileDescription); break; case PHMOTLC_COMPANYNAME: getCellText->Text = PhGetStringRef(moduleItem->VersionInfo.CompanyName); break; case PHMOTLC_VERSION: getCellText->Text = PhGetStringRef(moduleItem->VersionInfo.FileVersion); break; case PHMOTLC_FILENAME: { if (PhIsNullOrEmptyString(node->FileNameWin32)) { PhMoveReference(&node->FileNameWin32, PhGetFileName(moduleItem->FileName)); } getCellText->Text = PhGetStringRef(node->FileNameWin32); } break; case PHMOTLC_TYPE: { PCPH_STRINGREF string; if (string = PhGetModuleTypeName(moduleItem->Type)) { getCellText->Text.Buffer = string->Buffer; getCellText->Text.Length = string->Length; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_LOADCOUNT: { if (moduleItem->Type == PH_MODULE_TYPE_MODULE || moduleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE || moduleItem->Type == PH_MODULE_TYPE_WOW64_MODULE) { if (moduleItem->LoadCount != USHRT_MAX) { PhPrintUInt32(node->LoadCountText, moduleItem->LoadCount); PhInitializeStringRefLongHint(&getCellText->Text, node->LoadCountText); } else { PhInitializeStringRef(&getCellText->Text, L"Static"); } } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_VERIFICATIONSTATUS: { if (PhEnableProcessQueryStage2) { if (moduleItem->Type != PH_MODULE_TYPE_ELF_MAPPED_IMAGE) getCellText->Text = PhVerifyResultToStringRef(moduleItem->VerifyResult); else PhInitializeEmptyStringRef(&getCellText->Text); } else { PhInitializeStringRef(&getCellText->Text, L"Image digital signature support disabled."); } } break; case PHMOTLC_VERIFIEDSIGNER: { if (PhEnableProcessQueryStage2) getCellText->Text = PhGetStringRef(moduleItem->VerifySignerName); else PhInitializeStringRef(&getCellText->Text, L"Image digital signature support disabled."); } break; case PHMOTLC_ASLR: { if (FlagOn(moduleItem->ImageDllCharacteristics, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) { PhInitializeStringRef(&getCellText->Text, L"ASLR"); } } break; case PHMOTLC_TIMESTAMP: { LARGE_INTEGER time; SYSTEMTIME systemTime; if (moduleItem->ImageTimeDateStamp != 0) { PhSecondsSince1970ToTime(moduleItem->ImageTimeDateStamp, &time); PhLargeIntegerToLocalSystemTime(&systemTime, &time); PhMoveReference(&node->TimeStampText, PhFormatDateTime(&systemTime)); getCellText->Text = node->TimeStampText->sr; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_CFGUARD: { if (FlagOn(moduleItem->ImageDllCharacteristics, IMAGE_DLLCHARACTERISTICS_GUARD_CF)) { if (FlagOn(moduleItem->GuardFlags, IMAGE_GUARD_XFG_ENABLED)) PhInitializeStringRef(&getCellText->Text, L"XF Guard"); else PhInitializeStringRef(&getCellText->Text, L"CF Guard"); } } break; case PHMOTLC_LOADTIME: { SYSTEMTIME systemTime; if (moduleItem->LoadTime.QuadPart != 0) { PhLargeIntegerToLocalSystemTime(&systemTime, &moduleItem->LoadTime); PhMoveReference(&node->LoadTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = node->LoadTimeText->sr; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_LOADREASON: { if (moduleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE) { PhInitializeStringRef(&getCellText->Text, L"Dynamic"); } else if (moduleItem->Type == PH_MODULE_TYPE_MODULE || moduleItem->Type == PH_MODULE_TYPE_WOW64_MODULE || moduleItem->Type == PH_MODULE_TYPE_ENCLAVE_MODULE) { PCPH_STRINGREF string; if (string = PhGetModuleLoadReasonTypeName(moduleItem->LoadReason)) { getCellText->Text.Buffer = string->Buffer; getCellText->Text.Length = string->Length; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_FILEMODIFIEDTIME: { if (moduleItem->FileLastWriteTime.QuadPart != 0 && moduleItem->FileLastWriteTime.QuadPart != -1) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &moduleItem->FileLastWriteTime); PhMoveReference(&node->FileModifiedTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = node->FileModifiedTimeText->sr; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_FILESIZE: { if (moduleItem->FileEndOfFile.QuadPart != 0 && moduleItem->FileEndOfFile.QuadPart != -1) { PhMoveReference(&node->FileSizeText, PhFormatSize(moduleItem->FileEndOfFile.QuadPart, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->FileSizeText); } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_ENTRYPOINT: { if (moduleItem->EntryPoint) { PhInitializeStringRefLongHint(&getCellText->Text, moduleItem->EntryPointAddressString); } } break; case PHMOTLC_PARENTBASEADDRESS: { if (moduleItem->ParentBaseAddress) { PhInitializeStringRefLongHint(&getCellText->Text, moduleItem->ParentBaseAddressString); } } break; case PHMOTLC_CET: { if (FlagOn(moduleItem->ImageDllCharacteristicsEx, IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)) { PhInitializeStringRef(&getCellText->Text, L"CET"); } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_COHERENCY: { if (!PhEnableImageCoherencySupport) { PhInitializeStringRef(&getCellText->Text, L"Image coherency support is disabled."); break; } if (moduleItem->Type == PH_MODULE_TYPE_MODULE || moduleItem->Type == PH_MODULE_TYPE_WOW64_MODULE || moduleItem->Type == PH_MODULE_TYPE_MAPPED_IMAGE || moduleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE) { PH_FORMAT format[2]; if (moduleItem->ImageCoherencyStatus == LONG_MAX) break; if (moduleItem->ImageCoherencyStatus == STATUS_PENDING) { PhInitializeStringRef(&getCellText->Text, L"Scanning...."); break; } if (!PhShouldShowModuleCoherency(moduleItem, FALSE)) { if (moduleItem->ImageCoherencyStatus != STATUS_SUCCESS) { PhMoveReference(&node->ImageCoherencyText, PhGetStatusMessage(moduleItem->ImageCoherencyStatus, 0)); getCellText->Text = PhGetStringRef(node->ImageCoherencyText); } break; } if (moduleItem->ImageCoherency == 1.0f) { PhInitializeStringRef(&getCellText->Text, L"100%"); break; } if (moduleItem->ImageCoherency > 0.9999f) { PhInitializeStringRef(&getCellText->Text, L">99.99%"); break; } PhInitFormatF(&format[0], moduleItem->ImageCoherency * 100.0f, PhMaxPrecisionUnit); PhInitFormatS(&format[1], L"%"); PhMoveReference(&node->ImageCoherencyText, PhFormat(format, RTL_NUMBER_OF(format), 0)); getCellText->Text = PhGetStringRef(node->ImageCoherencyText); } } break; case PHMOTLC_ORIGINALNAME: { getCellText->Text = PhGetStringRef(moduleItem->FileName); } break; case PHMOTLC_SERVICE: { if (PhIsNullOrEmptyString(node->FileNameWin32)) { PhMoveReference(&node->FileNameWin32, PhGetFileName(moduleItem->FileName)); } if (node->FileNameWin32 && context->HasServices) { PhMoveReference(&node->ServiceText, PhGetServiceNameForModuleReference( context->ProcessId, PhGetString(node->FileNameWin32) )); getCellText->Text = PhGetStringRef(node->ServiceText); } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHMOTLC_ENCLAVE_TYPE: { if (moduleItem->EnclaveBaseAddress) { PCPH_STRINGREF string; if (string = PhGetModuleEnclaveTypeName(moduleItem->EnclaveType)) { getCellText->Text.Buffer = string->Buffer; getCellText->Text.Length = string->Length; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } } break; case PHMOTLC_ENCLAVE_BASE_ADDRESS: { if (moduleItem->EnclaveBaseAddress) { PhInitializeStringRefLongHint(&getCellText->Text, moduleItem->EnclaveBaseAddressString); } } break; case PHMOTLC_ENCLAVE_SIZE: { if (moduleItem->EnclaveBaseAddress) { if (PhIsNullOrEmptyString(node->EnclaveSizeText)) { PhMoveReference(&node->EnclaveSizeText, PhFormatSize(moduleItem->EnclaveSize, ULONG_MAX)); } getCellText->Text = PhGetStringRef(node->EnclaveSizeText); } } break; case PHMOTLC_ARCHITECTURE: { // We read the remote process memory for ImageMachine when possible. For // ARM64X/CHPE the OS will fix up the image header in the process, this // should generally reflect the module machine correctly (unless we can't // read the remote process address space). switch (node->ModuleItem->ImageMachine) { case IMAGE_FILE_MACHINE_I386: PhInitializeStringRef(&getCellText->Text, node->ModuleItem->ImageCHPEVersion ? L"x86 (CHPE)" : L"x86"); break; case IMAGE_FILE_MACHINE_AMD64: PhInitializeStringRef(&getCellText->Text, node->ModuleItem->ImageCHPEVersion ? L"x64 (ARM64X)" : L"x64"); break; case IMAGE_FILE_MACHINE_ARMNT: PhInitializeStringRef(&getCellText->Text, L"ARM"); break; case IMAGE_FILE_MACHINE_ARM64: PhInitializeStringRef(&getCellText->Text, node->ModuleItem->ImageCHPEVersion ? L"ARM64 (ARM64X)" : L"ARM64"); break; default: break; } } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; PPH_MODULE_ITEM moduleItem; node = (PPH_MODULE_NODE)getNodeColor->Node; moduleItem = node->ModuleItem; if (!moduleItem) ; // Dummy else if (PhEnableProcessQueryStage2 && context->HighlightUntrustedModules && PH_VERIFY_UNTRUSTED(moduleItem->VerifyResult) && (moduleItem->Type == PH_MODULE_TYPE_MODULE || moduleItem->Type == PH_MODULE_TYPE_WOW64_MODULE || moduleItem->Type == PH_MODULE_TYPE_MAPPED_IMAGE || moduleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE)) { getNodeColor->BackColor = PhCsColorUnknown; } else if (PhEnableImageCoherencySupport && context->HighlightLowImageCoherency && PhShouldShowModuleCoherency(moduleItem, TRUE)) getNodeColor->BackColor = PhCsColorLowImageCoherency; else if (context->HighlightDotNetModules && FlagOn(moduleItem->Flags, LDRP_COR_IMAGE)) getNodeColor->BackColor = PhCsColorDotNet; else if (context->HighlightImmersiveModules && FlagOn(moduleItem->ImageDllCharacteristics, IMAGE_DLLCHARACTERISTICS_APPCONTAINER)) getNodeColor->BackColor = PhCsColorImmersiveProcesses; else if (context->HighlightRelocatedModules && moduleItem->ImageNotAtBase) getNodeColor->BackColor = PhCsColorRelocatedModules; else if (context->HighlightImageKnownDll && moduleItem->ImageKnownDll) getNodeColor->BackColor = PhCsColorElevatedProcesses; else if (PhEnableProcessQueryStage2 && context->HighlightSystemModules && moduleItem->VerifyResult == VrTrusted && PhEqualStringRef2(&moduleItem->VerifySignerName->sr, L"Microsoft Windows", TRUE) ) { getNodeColor->BackColor = PhCsColorSystemProcesses; } getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewGetNodeFont: { PPH_TREENEW_GET_NODE_FONT getNodeFont = Parameter1; node = (PPH_MODULE_NODE)getNodeFont->Node; // Make the executable file module item bold. if (node->ModuleItem->IsFirst) { getNodeFont->Font = context->BoldFont ? context->BoldFont : NULL; getNodeFont->Flags = TN_CACHE; return TRUE; } } break; case TreeNewGetCellTooltip: { PPH_TREENEW_GET_CELL_TOOLTIP getCellTooltip = Parameter1; node = (PPH_MODULE_NODE)getCellTooltip->Node; if (getCellTooltip->Column->Id != 0) return FALSE; if (!node->TooltipText) { if (PhIsNullOrEmptyString(node->FileNameWin32)) { PhMoveReference(&node->FileNameWin32, PhGetFileName(node->ModuleItem->FileName)); } node->TooltipText = PhFormatImageVersionInfo( node->FileNameWin32, &node->ModuleItem->VersionInfo, NULL, 0 ); // Make sure we don't try to create the tooltip text again. if (!node->TooltipText) node->TooltipText = PhReferenceEmptyString(); } if (!PhIsNullOrEmptyString(node->TooltipText)) { getCellTooltip->Text = node->TooltipText->sr; getCellTooltip->Unfolding = FALSE; getCellTooltip->Font = NULL; // use default font getCellTooltip->MaximumWidth = 550; } else { return FALSE; } } return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; PPH_MODULE_ITEM moduleItem; RECT rect; node = (PPH_MODULE_NODE)customDraw->Node; moduleItem = node->ModuleItem; rect = customDraw->CellRect; if (rect.right - rect.left <= 1) break; // nothing to draw switch (customDraw->Column->Id) { case PHMOTLC_TIMELINE: { if (moduleItem->LoadTime.QuadPart == 0) break; // nothing to draw PhCustomDrawTreeTimeLine( customDraw->Dc, &customDraw->CellRect, PhEnableThemeSupport ? PH_DRAW_TIMELINE_DARKTHEME : 0, &context->ProcessCreateTime, &moduleItem->LoadTime ); } break; } } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MODULE_COPY, 0); break; case VK_DELETE: SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MODULE_UNLOAD, 0); break; case VK_RETURN: if (GetKeyState(VK_CONTROL) >= 0) SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MODULE_PROPERTIES, 0); else SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MODULE_OPENFILELOCATION, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = NoSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_MODULE_PROPERTIES, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_SHOWCONTEXTMENU, (LPARAM)contextMenu); } return TRUE; case TreeNewGetDialogCode: { PULONG code = Parameter2; if (PtrToUlong(Parameter1) == VK_RETURN) { *code = DLGC_WANTMESSAGE; return TRUE; } } return FALSE; } return FALSE; } PPH_MODULE_ITEM PhGetSelectedModuleItem( _In_ PPH_MODULE_LIST_CONTEXT Context ) { PPH_MODULE_ITEM moduleItem = NULL; ULONG i; for (i = 0; i < Context->NodeList->Count; i++) { PPH_MODULE_NODE node = Context->NodeList->Items[i]; if (node->Node.Selected) { moduleItem = node->ModuleItem; break; } } return moduleItem; } VOID PhGetSelectedModuleItems( _In_ PPH_MODULE_LIST_CONTEXT Context, _Out_ PPH_MODULE_ITEM **Modules, _Out_ PULONG NumberOfModules ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < Context->NodeList->Count; i++) { PPH_MODULE_NODE node = Context->NodeList->Items[i]; if (node->Node.Selected) PhAddItemArray(&array, &node->ModuleItem); } *NumberOfModules = (ULONG)PhFinalArrayCount(&array); *Modules = PhFinalArrayItems(&array); } VOID PhDeselectAllModuleNodes( _In_ PPH_MODULE_LIST_CONTEXT Context ) { TreeNew_DeselectRange(Context->TreeNewHandle, 0, -1); } // Copied from proctree.c (dmex) const FLOAT LowImageCoherencyThreshold = 0.5f; BOOLEAN PhShouldShowModuleCoherency( _In_ PPH_MODULE_ITEM ModuleItem, _In_ BOOLEAN CheckThreshold ) { if (PhCsImageCoherencyScanLevel == 0) { // // The advanced option for the image coherency scan level is 0. // This disables the scanning and we should not show the image // coherency. // return FALSE; } if (ModuleItem->ImageCoherencyStatus == STATUS_PENDING || ModuleItem->ImageCoherencyStatus == LONG_MAX || PhIsNullOrEmptyString(ModuleItem->FileName)) { // // The image coherency status is pending, uninitialized, or we don't // have a file name for the module. We have not completed/attempted // the calculation yet, don't show the coherency. // return FALSE; } if (!(ModuleItem->Type == PH_MODULE_TYPE_MODULE || ModuleItem->Type == PH_MODULE_TYPE_WOW64_MODULE || ModuleItem->Type == PH_MODULE_TYPE_MAPPED_IMAGE || ModuleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE)) { // // We special case these modules types and opt not to show/calculate // the coherency for them. // return FALSE; } if (NT_SUCCESS(ModuleItem->ImageCoherencyStatus) || ModuleItem->ImageCoherencyStatus == STATUS_INVALID_IMAGE_NOT_MZ || ModuleItem->ImageCoherencyStatus == STATUS_INVALID_IMAGE_FORMAT || ModuleItem->ImageCoherencyStatus == STATUS_INVALID_IMAGE_HASH || ModuleItem->ImageCoherencyStatus == STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT) { // // The coherency status is a success code or a known "valid" error // from the coherency calculation (PhGetProcessModuleImageCoherency). // We should show the coherency value. // if (CheckThreshold) { // // A threshold check is requested. This is generally used for // checking if we should highlight an entry. If the coherency // is below a given threshold return true. Otherwise false. // if (ModuleItem->ImageCoherency <= LowImageCoherencyThreshold) { return TRUE; } else { return FALSE; } } // // No special handling, return true. // return TRUE; } // // Any other error NTSTATUS we don't show the coherency value, we'll // show the reason why we failed the calculation (a string representation // of the status code). // return FALSE; } ================================================ FILE: SystemInformer/modprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include typedef struct _PH_MODULE_QUERY_DATA { SLIST_ENTRY ListEntry; PPH_MODULE_PROVIDER ModuleProvider; PPH_MODULE_ITEM ModuleItem; VERIFY_RESULT VerifyResult; PPH_STRING VerifySignerName; ULONG ImageFlags; ULONG GuardFlags; BOOLEAN ImageKnownDll; NTSTATUS ImageCoherencyStatus; FLOAT ImageCoherency; } PH_MODULE_QUERY_DATA, *PPH_MODULE_QUERY_DATA; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpModuleProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpModuleItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpModuleHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpModuleHashtableHashFunction( _In_ PVOID Entry ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhModuleEnclaveListInitialize( _In_ PVOID ThreadParameter ); NTSTATUS PhEnumGenericEnclaveModules( _In_ HANDLE ProcessHandle, _In_ PVOID Context ); PPH_OBJECT_TYPE PhModuleProviderType = NULL; PPH_OBJECT_TYPE PhModuleItemType = NULL; PVOID PhLdrEnclaveList = NULL; PPH_MODULE_PROVIDER PhCreateModuleProvider( _In_ HANDLE ProcessId ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_MODULE_PROVIDER moduleProvider; PPH_PROCESS_ITEM processItem; if (PhBeginInitOnce(&initOnce)) { PhModuleProviderType = PhCreateObjectType(L"ModuleProvider", 0, PhpModuleProviderDeleteProcedure); PhModuleItemType = PhCreateObjectType(L"ModuleItem", 0, PhpModuleItemDeleteProcedure); if (WindowsVersion >= WINDOWS_10) { PhQueueUserWorkItem(PhModuleEnclaveListInitialize, NULL); } PhEndInitOnce(&initOnce); } moduleProvider = PhCreateObject( PhEmGetObjectSize(EmModuleProviderType, sizeof(PH_MODULE_PROVIDER)), PhModuleProviderType ); memset(moduleProvider, 0, sizeof(PH_MODULE_PROVIDER)); moduleProvider->ModuleHashtable = PhCreateHashtable( sizeof(PPH_MODULE_ITEM), PhpModuleHashtableEqualFunction, PhpModuleHashtableHashFunction, 20 ); PhInitializeFastLock(&moduleProvider->ModuleHashtableLock); PhInitializeCallback(&moduleProvider->ModuleAddedEvent); PhInitializeCallback(&moduleProvider->ModuleModifiedEvent); PhInitializeCallback(&moduleProvider->ModuleRemovedEvent); PhInitializeCallback(&moduleProvider->UpdatedEvent); moduleProvider->ProcessId = ProcessId; moduleProvider->ProcessHandle = NULL; moduleProvider->ProcessFileName = NULL; moduleProvider->PackageFullName = NULL; moduleProvider->RunStatus = STATUS_SUCCESS; if (PH_IS_REAL_PROCESS_ID(ProcessId)) { static const ACCESS_MASK accesses[] = { PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, // Try to get a handle with query information + vm read access. (wj32) PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, // Try to get a handle with query limited information + vm read access. (wj32) PROCESS_QUERY_LIMITED_INFORMATION, // Try to get a handle with query limited information (required for WSL) (dmex) }; // It doesn't matter if we can't get a process handle. for (ULONG i = 0; i < RTL_NUMBER_OF(accesses); i++) { moduleProvider->RunStatus = PhOpenProcess( &moduleProvider->ProcessHandle, accesses[i], ProcessId ); if (NT_SUCCESS(moduleProvider->RunStatus)) { moduleProvider->IsHandleValid = TRUE; break; } } } if (processItem = PhReferenceProcessItem(ProcessId)) { PhSetReference(&moduleProvider->ProcessFileName, processItem->FileName); PhSetReference(&moduleProvider->PackageFullName, processItem->PackageFullName); moduleProvider->IsSubsystemProcess = !!processItem->IsSubsystemProcess; PhDereferenceObject(processItem); } if (WindowsVersion >= WINDOWS_8_1 && moduleProvider->ProcessHandle) { BOOLEAN cfguardEnabled; if (NT_SUCCESS(PhGetProcessIsCFGuardEnabled(moduleProvider->ProcessHandle, &cfguardEnabled))) { moduleProvider->ControlFlowGuardEnabled = cfguardEnabled; } } if (WindowsVersion >= WINDOWS_10_20H1 && moduleProvider->ProcessHandle) { if (moduleProvider->ProcessId == SYSTEM_PROCESS_ID) { SYSTEM_SHADOW_STACK_INFORMATION shadowStackInformation; if (NT_SUCCESS(PhGetSystemShadowStackInformation(&shadowStackInformation))) { moduleProvider->CetEnabled = !!shadowStackInformation.KernelCetEnabled; moduleProvider->CetStrictModeEnabled = TRUE; // Kernel CET is always strict (TheEragon) } } else { BOOLEAN cetEnabled; BOOLEAN cetStrictModeEnabled; if (NT_SUCCESS(PhGetProcessIsCetEnabled(moduleProvider->ProcessHandle, &cetEnabled, &cetStrictModeEnabled))) { moduleProvider->CetEnabled = cetEnabled; moduleProvider->CetStrictModeEnabled = cetStrictModeEnabled; } } } switch (PhCsImageCoherencyScanLevel) { case 1: moduleProvider->ImageCoherencyScanLevel = PhImageCoherencyQuick; break; case 2: moduleProvider->ImageCoherencyScanLevel = PhImageCoherencyNormal; break; case 3: default: moduleProvider->ImageCoherencyScanLevel = PhImageCoherencyFull; break; case 4: moduleProvider->ImageCoherencyScanLevel = PhImageCoherencySharedOriginal; break; } PhInitializeSListHead(&moduleProvider->QueryListHead); PhEmCallObjectOperation(EmModuleProviderType, moduleProvider, EmObjectCreate); return moduleProvider; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpModuleProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_MODULE_PROVIDER moduleProvider = (PPH_MODULE_PROVIDER)Object; PhEmCallObjectOperation(EmModuleProviderType, moduleProvider, EmObjectDelete); // Dereference all module items (we referenced them // when we added them to the hashtable). PhDereferenceAllModuleItems(moduleProvider); PhDereferenceObject(moduleProvider->ModuleHashtable); PhDeleteFastLock(&moduleProvider->ModuleHashtableLock); PhDeleteCallback(&moduleProvider->ModuleAddedEvent); PhDeleteCallback(&moduleProvider->ModuleModifiedEvent); PhDeleteCallback(&moduleProvider->ModuleRemovedEvent); PhDeleteCallback(&moduleProvider->UpdatedEvent); // Destroy all queue items. { PSLIST_ENTRY entry; PPH_MODULE_QUERY_DATA data; entry = RtlInterlockedFlushSList(&moduleProvider->QueryListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_MODULE_QUERY_DATA, ListEntry); entry = entry->Next; if (data->VerifySignerName) PhDereferenceObject(data->VerifySignerName); PhDereferenceObject(data->ModuleItem); PhFree(data); } } if (moduleProvider->ProcessFileName) PhDereferenceObject(moduleProvider->ProcessFileName); if (moduleProvider->PackageFullName) PhDereferenceObject(moduleProvider->PackageFullName); if (moduleProvider->ProcessHandle) NtClose(moduleProvider->ProcessHandle); } PPH_MODULE_ITEM PhCreateModuleItem( VOID ) { PPH_MODULE_ITEM moduleItem; moduleItem = PhCreateObject( PhEmGetObjectSize(EmModuleItemType, sizeof(PH_MODULE_ITEM)), PhModuleItemType ); memset(moduleItem, 0, sizeof(PH_MODULE_ITEM)); PhEmCallObjectOperation(EmModuleItemType, moduleItem, EmObjectCreate); // // Initialize ImageCoherencyStatus to STATUS_PENDING this notes that the // image coherency hasn't been done yet. This prevents the module items // from being noted as "Low Image Coherency" or being highlighted until // the analysis runs. See: PhShouldShowModuleCoherency // moduleItem->ImageCoherencyStatus = STATUS_PENDING; return moduleItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpModuleItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_MODULE_ITEM moduleItem = (PPH_MODULE_ITEM)Object; PhEmCallObjectOperation(EmModuleItemType, moduleItem, EmObjectDelete); if (moduleItem->Name) PhDereferenceObject(moduleItem->Name); if (moduleItem->FileName) PhDereferenceObject(moduleItem->FileName); if (moduleItem->VerifySignerName) PhDereferenceObject(moduleItem->VerifySignerName); PhDeleteImageVersionInfo(&moduleItem->VersionInfo); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpModuleHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_MODULE_ITEM entry1 = *(PPH_MODULE_ITEM *)Entry1; PPH_MODULE_ITEM entry2 = *(PPH_MODULE_ITEM *)Entry2; if (entry1->FileName && entry2->FileName) { return ((entry1->BaseAddress == entry2->BaseAddress) && (entry1->EnclaveBaseAddress == entry2->EnclaveBaseAddress) && PhEqualString(entry1->FileName, entry2->FileName, FALSE)); } else { return ((entry1->BaseAddress == entry2->BaseAddress) && (entry1->EnclaveBaseAddress == entry2->EnclaveBaseAddress)); } } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpModuleHashtableHashFunction( _In_ PVOID Entry ) { PPH_MODULE_ITEM entry = *(PPH_MODULE_ITEM *)Entry; ULONG baseAddressHash = PhHashIntPtr((ULONG_PTR)entry->BaseAddress); ULONG enclaveBaseAddressHash = PhHashIntPtr((ULONG_PTR)entry->EnclaveBaseAddress); return baseAddressHash ^ (enclaveBaseAddressHash << 1); } PPH_MODULE_ITEM PhReferenceModuleItemEx( _In_ PPH_MODULE_PROVIDER ModuleProvider, _In_ PVOID BaseAddress, _In_opt_ PVOID EnclaveBaseAddress, _In_opt_ PPH_STRING FileName ) { PH_MODULE_ITEM lookupModuleItem; PPH_MODULE_ITEM lookupModuleItemPtr = &lookupModuleItem; PPH_MODULE_ITEM *moduleItemPtr; PPH_MODULE_ITEM moduleItem; lookupModuleItem.BaseAddress = BaseAddress; lookupModuleItem.EnclaveBaseAddress = EnclaveBaseAddress; lookupModuleItem.FileName = FileName; PhAcquireFastLockShared(&ModuleProvider->ModuleHashtableLock); moduleItemPtr = (PPH_MODULE_ITEM *)PhFindEntryHashtable( ModuleProvider->ModuleHashtable, &lookupModuleItemPtr ); if (moduleItemPtr) { moduleItem = *moduleItemPtr; PhReferenceObject(moduleItem); } else { moduleItem = NULL; } PhReleaseFastLockShared(&ModuleProvider->ModuleHashtableLock); return moduleItem; } PPH_MODULE_ITEM PhReferenceModuleItem( _In_ PPH_MODULE_PROVIDER ModuleProvider, _In_ PVOID BaseAddress ) { return PhReferenceModuleItemEx( ModuleProvider, BaseAddress, NULL, NULL ); } VOID PhDereferenceAllModuleItems( _In_ PPH_MODULE_PROVIDER ModuleProvider ) { ULONG enumerationKey = 0; PPH_MODULE_ITEM *moduleItem; PhAcquireFastLockExclusive(&ModuleProvider->ModuleHashtableLock); while (PhEnumHashtable(ModuleProvider->ModuleHashtable, (PVOID *)&moduleItem, &enumerationKey)) { PhDereferenceObject(*moduleItem); } PhReleaseFastLockExclusive(&ModuleProvider->ModuleHashtableLock); } VOID PhpRemoveModuleItem( _In_ PPH_MODULE_PROVIDER ModuleProvider, _In_ PPH_MODULE_ITEM ModuleItem ) { PhRemoveEntryHashtable(ModuleProvider->ModuleHashtable, &ModuleItem); PhDereferenceObject(ModuleItem); } _Function_class_(PH_READ_VIRTUAL_MEMORY_CALLBACK) static NTSTATUS PhModuleItemReadVirtualMemoryCallback( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead, _In_opt_ PVOID Context ) { PPH_MODULE_ITEM moduleItem = (PPH_MODULE_ITEM)Context; if (!moduleItem) return STATUS_INVALID_PARAMETER_6; if (moduleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE) return KphReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferSize, NumberOfBytesRead); return PhReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferSize, NumberOfBytesRead); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpModuleQueryWorker( _In_ PVOID Parameter ) { PPH_MODULE_QUERY_DATA data = (PPH_MODULE_QUERY_DATA)Parameter; PPH_MODULE_PROVIDER moduleProvider = data->ModuleProvider; PPH_MODULE_ITEM moduleItem = data->ModuleItem; if (PhEnableProcessQueryStage2) { data->VerifyResult = PhVerifyFileCached( moduleItem->FileName, moduleProvider->PackageFullName, &data->VerifySignerName, TRUE, FALSE ); } if (moduleProvider->IsHandleValid && !moduleProvider->IsSubsystemProcess) { if ( moduleItem->Type == PH_MODULE_TYPE_MODULE || moduleItem->Type == PH_MODULE_TYPE_WOW64_MODULE || moduleItem->Type == PH_MODULE_TYPE_MAPPED_IMAGE || moduleItem->Type == PH_MODULE_TYPE_ENCLAVE_MODULE || (moduleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE && (KsiLevel() == KphLevelMax))) { PH_REMOTE_MAPPED_IMAGE remoteMappedImage; PhInitializeRemoteMappedImage( &remoteMappedImage, PhModuleItemReadVirtualMemoryCallback, moduleItem ); // Note: // On Windows 7 the LDRP_IMAGE_NOT_AT_BASE flag doesn't appear to be used // anymore. Instead we'll check ImageBase in the image headers. We read this in // from the process' memory because: // // 1. It (should be) faster than opening the file and mapping it in, and // 2. It contains the correct original image base relocated by ASLR, if present. if (NT_SUCCESS(PhLoadRemoteMappedImage( &remoteMappedImage, moduleProvider->ProcessHandle, moduleItem->BaseAddress, moduleItem->Size ))) { PIMAGE_DATA_DIRECTORY dataDirectory; PVOID imageBase = 0; ULONG entryPoint = 0; ULONG debugEntryLength; PVOID debugEntry; __try { if (remoteMappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_OPTIONAL_HEADER32 optionalHeader = (PIMAGE_OPTIONAL_HEADER32)&remoteMappedImage.NtHeaders32->OptionalHeader; imageBase = UlongToPtr(optionalHeader->ImageBase); entryPoint = optionalHeader->AddressOfEntryPoint; moduleItem->ImageDllCharacteristics = optionalHeader->DllCharacteristics; moduleItem->ImageMachine = remoteMappedImage.NtHeaders32->FileHeader.Machine; moduleItem->ImageTimeDateStamp = remoteMappedImage.NtHeaders32->FileHeader.TimeDateStamp; moduleItem->ImageCharacteristics = remoteMappedImage.NtHeaders32->FileHeader.Characteristics; } else if (remoteMappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_OPTIONAL_HEADER64 optionalHeader = (PIMAGE_OPTIONAL_HEADER64)&remoteMappedImage.NtHeaders64->OptionalHeader; imageBase = (PVOID)optionalHeader->ImageBase; entryPoint = optionalHeader->AddressOfEntryPoint; moduleItem->ImageDllCharacteristics = optionalHeader->DllCharacteristics; moduleItem->ImageMachine = remoteMappedImage.NtHeaders64->FileHeader.Machine; moduleItem->ImageTimeDateStamp = remoteMappedImage.NtHeaders64->FileHeader.TimeDateStamp; moduleItem->ImageCharacteristics = remoteMappedImage.NtHeaders64->FileHeader.Characteristics; } if (moduleItem->BaseAddress != imageBase) moduleItem->ImageNotAtBase = TRUE; if (entryPoint != 0) moduleItem->EntryPoint = PTR_ADD_OFFSET(moduleItem->BaseAddress, entryPoint); if (NT_SUCCESS(PhGetRemoteMappedImageDataEntry( &remoteMappedImage, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &dataDirectory ))) { SetFlag(data->ImageFlags, LDRP_COR_IMAGE); } if (moduleProvider->CetEnabled && NT_SUCCESS(PhGetRemoteMappedImageDebugEntryByType( &remoteMappedImage, IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS, &debugEntryLength, &debugEntry ))) { ULONG characteristics = ULONG_MAX; if (debugEntryLength == sizeof(ULONG)) characteristics = *(PULONG)debugEntry; if (characteristics != ULONG_MAX) moduleItem->ImageDllCharacteristicsEx = characteristics; PhFreePage(debugEntry); } if (!NT_SUCCESS(PhGetRemoteMappedImageCHPEVersion( &remoteMappedImage, &moduleItem->ImageCHPEVersion ))) { moduleItem->ImageCHPEVersion = 0; } if (!NT_SUCCESS(PhGetRemoteMappedImageGuardFlags( &remoteMappedImage, &moduleItem->GuardFlags ))) { moduleItem->GuardFlags = 0; } } __except (EXCEPTION_EXECUTE_HANDLER) { NOTHING; } PhUnloadRemoteMappedImage(&remoteMappedImage); } else { PH_MAPPED_IMAGE mappedImage; // Query the file since we're unable to query memory. (dmex) if (NT_SUCCESS(PhLoadMappedImageEx(&data->ModuleItem->FileName->sr, NULL, &mappedImage))) { ULONG entryPoint = 0; USHORT characteristics = 0; PIMAGE_DATA_DIRECTORY dataDirectory; PH_MAPPED_IMAGE_CFG cfgConfig = { NULL }; __try { moduleItem->ImageMachine = mappedImage.NtHeaders->FileHeader.Machine; moduleItem->ImageCHPEVersion = PhGetMappedImageCHPEVersion(&mappedImage); if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_OPTIONAL_HEADER32 optionalHeader = (PIMAGE_OPTIONAL_HEADER32)&mappedImage.NtHeaders32->OptionalHeader; entryPoint = optionalHeader->AddressOfEntryPoint; characteristics = optionalHeader->DllCharacteristics; } else if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_OPTIONAL_HEADER64 optionalHeader = (PIMAGE_OPTIONAL_HEADER64)&mappedImage.NtHeaders64->OptionalHeader; entryPoint = optionalHeader->AddressOfEntryPoint; characteristics = optionalHeader->DllCharacteristics; } if (entryPoint != 0) moduleItem->EntryPoint = PTR_ADD_OFFSET(moduleItem->BaseAddress, entryPoint); if (characteristics != 0) moduleItem->ImageDllCharacteristics = characteristics; if (NT_SUCCESS(PhGetMappedImageDataDirectory( &mappedImage, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &dataDirectory ))) { SetFlag(data->ImageFlags, LDRP_COR_IMAGE); } if (NT_SUCCESS(PhGetMappedImageCfg(&cfgConfig, &mappedImage))) { data->GuardFlags = cfgConfig.GuardFlags; } } __except (EXCEPTION_EXECUTE_HANDLER) { NOTHING; } PhUnloadMappedImage(&mappedImage); } } } // Remove CF Guard flag when CFG mitigation is not enabled for the process. if (!moduleProvider->ControlFlowGuardEnabled) ClearFlag(moduleItem->ImageDllCharacteristics, IMAGE_DLLCHARACTERISTICS_GUARD_CF); // Add CET flag when strict mode is enabled for the process. if (moduleProvider->CetStrictModeEnabled) SetFlag(moduleItem->ImageDllCharacteristicsEx, IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT); // Remove CET flag when CET is not enabled for the process. if (!moduleProvider->CetEnabled) ClearFlag(moduleItem->ImageDllCharacteristicsEx, IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT); } if (PhEnableImageCoherencySupport && moduleProvider->IsHandleValid && !data->ModuleProvider->IsSubsystemProcess) { if (data->ModuleItem->Type == PH_MODULE_TYPE_MODULE || data->ModuleItem->Type == PH_MODULE_TYPE_WOW64_MODULE || data->ModuleItem->Type == PH_MODULE_TYPE_MAPPED_IMAGE || data->ModuleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE) { if (data->ModuleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE && (KsiLevel() < KphLevelMax)) { // The driver wasn't available or we failed verification preventing // us from checking driver coherency. Pass a special value so we // don't highlight incorrect entries by default. (dmex) data->ImageCoherencyStatus = LONG_MAX; } else { data->ImageCoherencyStatus = PhGetProcessModuleImageCoherency( data->ModuleItem->FileName, data->ModuleProvider->ProcessHandle, data->ModuleItem->BaseAddress, data->ModuleItem->Size, data->ModuleItem->Type == PH_MODULE_TYPE_KERNEL_MODULE, data->ModuleProvider->ImageCoherencyScanLevel, &data->ImageCoherency ); } } } if (data->ModuleItem->FileName) { data->ImageKnownDll = PhIsKnownDllFileName(data->ModuleItem->FileName); } RtlInterlockedPushEntrySList(&data->ModuleProvider->QueryListHead, &data->ListEntry); PhDereferenceObject(data->ModuleProvider); return STATUS_SUCCESS; } VOID PhpQueueModuleQuery( _In_ PPH_MODULE_PROVIDER ModuleProvider, _In_ PPH_MODULE_ITEM ModuleItem ) { PPH_MODULE_QUERY_DATA data; PH_WORK_QUEUE_ENVIRONMENT environment; data = PhAllocate(sizeof(PH_MODULE_QUERY_DATA)); memset(data, 0, sizeof(PH_MODULE_QUERY_DATA)); data->ModuleProvider = ModuleProvider; data->ModuleItem = ModuleItem; PhReferenceObject(ModuleProvider); PhReferenceObject(ModuleItem); PhInitializeWorkQueueEnvironment(&environment); environment.BasePriority = THREAD_PRIORITY_BELOW_NORMAL; environment.IoPriority = IoPriorityLow; environment.PagePriority = MEMORY_PRIORITY_LOW; PhQueueItemWorkQueueEx(PhGetGlobalWorkQueue(), PhpModuleQueryWorker, data, NULL, &environment); } _Function_class_(PH_ENUM_GENERIC_MODULES_CALLBACK) static BOOLEAN NTAPI PhpEnumModulesCallback( _In_ PPH_MODULE_INFO Module, _In_ PVOID Context ) { PPH_MODULE_INFO copy; copy = PhAllocateCopy(Module, sizeof(PH_MODULE_INFO)); PhReferenceObject(copy->Name); PhReferenceObject(copy->FileName); PhAddItemList((PPH_LIST)Context, copy); return TRUE; } _Function_class_(PH_PROVIDER_FUNCTION) VOID PhModuleProviderUpdate( _In_ PVOID Object ) { PPH_MODULE_PROVIDER moduleProvider = (PPH_MODULE_PROVIDER)Object; PPH_LIST modules; ULONG i; // If we didn't get a handle when we created the provider, // abort (unless this is the System process - in that case // we don't need a handle). if (!moduleProvider->ProcessHandle && moduleProvider->ProcessId != SYSTEM_PROCESS_ID) goto UpdateExit; modules = PhCreateList(100); moduleProvider->RunStatus = PhEnumGenericModules( moduleProvider->ProcessId, moduleProvider->ProcessHandle, PH_ENUM_GENERIC_MAPPED_FILES | PH_ENUM_GENERIC_MAPPED_IMAGES, PhpEnumModulesCallback, modules ); PhEnumGenericEnclaveModules( moduleProvider->ProcessHandle, modules ); // Look for removed modules. { PPH_LIST modulesToRemove = NULL; ULONG enumerationKey = 0; PPH_MODULE_ITEM *moduleItem; while (PhEnumHashtable(moduleProvider->ModuleHashtable, (PVOID *)&moduleItem, &enumerationKey)) { BOOLEAN found = FALSE; // Check if the module still exists. for (i = 0; i < modules->Count; i++) { PPH_MODULE_INFO module = modules->Items[i]; if ((*moduleItem)->BaseAddress == module->BaseAddress && (*moduleItem)->EnclaveBaseAddress == module->EnclaveBaseAddress && PhEqualString((*moduleItem)->FileName, module->FileName, FALSE)) { found = TRUE; break; } } if (!found) { // Raise the module removed event. PhInvokeCallback(&moduleProvider->ModuleRemovedEvent, *moduleItem); if (!modulesToRemove) modulesToRemove = PhCreateList(2); PhAddItemList(modulesToRemove, *moduleItem); } } if (modulesToRemove) { PhAcquireFastLockExclusive(&moduleProvider->ModuleHashtableLock); for (i = 0; i < modulesToRemove->Count; i++) { PhpRemoveModuleItem( moduleProvider, (PPH_MODULE_ITEM)modulesToRemove->Items[i] ); } PhReleaseFastLockExclusive(&moduleProvider->ModuleHashtableLock); PhDereferenceObject(modulesToRemove); } } // Go through the queued thread query data. { PSLIST_ENTRY entry; PPH_MODULE_QUERY_DATA data; entry = RtlInterlockedFlushSList(&moduleProvider->QueryListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_MODULE_QUERY_DATA, ListEntry); entry = entry->Next; data->ModuleItem->VerifyResult = data->VerifyResult; data->ModuleItem->VerifySignerName = data->VerifySignerName; data->ModuleItem->Flags |= data->ImageFlags; data->ModuleItem->GuardFlags = data->GuardFlags; data->ModuleItem->ImageCoherencyStatus = data->ImageCoherencyStatus; data->ModuleItem->ImageCoherency = data->ImageCoherency; data->ModuleItem->ImageKnownDll = data->ImageKnownDll; data->ModuleItem->JustProcessed = TRUE; PhDereferenceObject(data->ModuleItem); PhFree(data); } } // Look for new modules. for (i = 0; i < modules->Count; i++) { PPH_MODULE_INFO module = modules->Items[i]; PPH_MODULE_ITEM moduleItem; FILE_NETWORK_OPEN_INFORMATION networkOpenInfo; moduleItem = PhReferenceModuleItemEx( moduleProvider, module->BaseAddress, module->EnclaveBaseAddress, module->FileName ); if (!moduleItem) { PhReferenceObject(module->Name); PhReferenceObject(module->FileName); moduleItem = PhCreateModuleItem(); moduleItem->BaseAddress = module->BaseAddress; moduleItem->EntryPoint = module->EntryPoint; moduleItem->Size = module->Size; moduleItem->Flags = module->Flags; moduleItem->Type = module->Type; moduleItem->LoadReason = module->LoadReason; moduleItem->LoadCount = module->LoadCount; moduleItem->LoadTime = module->LoadTime; moduleItem->Name = module->Name; moduleItem->FileName = module->FileName; moduleItem->ParentBaseAddress = module->ParentBaseAddress; moduleItem->EnclaveType = module->EnclaveType; moduleItem->EnclaveBaseAddress = module->EnclaveBaseAddress; moduleItem->EnclaveSize = module->EnclaveSize; if (module->OriginalBaseAddress && module->OriginalBaseAddress != module->BaseAddress) moduleItem->ImageNotAtBase = TRUE; if (moduleProvider->ZeroPadAddresses) { PhPrintPointerPadZeros(moduleItem->BaseAddressString, moduleItem->BaseAddress); PhPrintPointerPadZeros(moduleItem->EntryPointAddressString, moduleItem->EntryPoint); PhPrintPointerPadZeros(moduleItem->ParentBaseAddressString, moduleItem->ParentBaseAddress); PhPrintPointerPadZeros(moduleItem->EnclaveBaseAddressString, moduleItem->EnclaveBaseAddress); } else { PhPrintPointer(moduleItem->BaseAddressString, moduleItem->BaseAddress); PhPrintPointer(moduleItem->EntryPointAddressString, moduleItem->EntryPoint); PhPrintPointer(moduleItem->ParentBaseAddressString, moduleItem->ParentBaseAddress); PhPrintPointer(moduleItem->EnclaveBaseAddressString, moduleItem->EnclaveBaseAddress); } PhInitializeImageVersionInfoEx(&moduleItem->VersionInfo, &moduleItem->FileName->sr, !!PhCsEnableVersionSupport); if (moduleProvider->IsSubsystemProcess) { // HACK: Update the module type. (TODO: Move into PhEnumGenericModules) (dmex) moduleItem->Type = PH_MODULE_TYPE_ELF_MAPPED_IMAGE; } else { // Fix up the load count. If this is not an ordinary DLL or kernel module, set the load count to 0. if (moduleItem->Type != PH_MODULE_TYPE_MODULE && moduleItem->Type != PH_MODULE_TYPE_WOW64_MODULE && moduleItem->Type != PH_MODULE_TYPE_KERNEL_MODULE) { moduleItem->LoadCount = 0; } } if (!moduleProvider->HaveFirst) { if (WindowsVersion < WINDOWS_8) { moduleItem->IsFirst = i == 0; moduleProvider->HaveFirst = TRUE; } else { // Windows loads the PE image first and WSL loads the ELF image last (dmex) if (moduleProvider->ProcessFileName && PhEqualString(moduleProvider->ProcessFileName, moduleItem->FileName, FALSE)) { moduleItem->IsFirst = TRUE; moduleProvider->HaveFirst = TRUE; } } } if (NT_SUCCESS(PhQueryFullAttributesFile(&moduleItem->FileName->sr, &networkOpenInfo))) { moduleItem->FileLastWriteTime = networkOpenInfo.LastWriteTime; moduleItem->FileEndOfFile = networkOpenInfo.EndOfFile; } if (moduleItem->Type != PH_MODULE_TYPE_ELF_MAPPED_IMAGE) { // See if the file has already been verified; if not, queue for verification. moduleItem->VerifyResult = PhVerifyFileCached(moduleItem->FileName, NULL, &moduleItem->VerifySignerName, TRUE, TRUE); //if (moduleItem->VerifyResult == VrUnknown) // (dmex) PhpQueueModuleQuery(moduleProvider, moduleItem); } // Add the module item to the hashtable. PhAcquireFastLockExclusive(&moduleProvider->ModuleHashtableLock); PhAddEntryHashtable(moduleProvider->ModuleHashtable, &moduleItem); PhReleaseFastLockExclusive(&moduleProvider->ModuleHashtableLock); // Raise the module added event. PhInvokeCallback(&moduleProvider->ModuleAddedEvent, moduleItem); } else { BOOLEAN modified = FALSE; if (moduleItem->JustProcessed) modified = TRUE; moduleItem->JustProcessed = FALSE; if (moduleItem->LoadCount != module->LoadCount) { moduleItem->LoadCount = module->LoadCount; modified = TRUE; } if (NT_SUCCESS(PhQueryFullAttributesFile(&moduleItem->FileName->sr, &networkOpenInfo))) { if (moduleItem->FileLastWriteTime.QuadPart != networkOpenInfo.LastWriteTime.QuadPart) { moduleItem->FileLastWriteTime.QuadPart = networkOpenInfo.LastWriteTime.QuadPart; modified = TRUE; } if (moduleItem->FileEndOfFile.QuadPart != networkOpenInfo.EndOfFile.QuadPart) { moduleItem->FileEndOfFile.QuadPart = networkOpenInfo.EndOfFile.QuadPart; modified = TRUE; } } else { if (moduleItem->FileLastWriteTime.QuadPart != 0) { moduleItem->FileLastWriteTime.QuadPart = 0; modified = TRUE; } if (moduleItem->FileEndOfFile.QuadPart != 0) { moduleItem->FileEndOfFile.QuadPart = 0; modified = TRUE; } } if (modified) PhInvokeCallback(&moduleProvider->ModuleModifiedEvent, moduleItem); PhDereferenceObject(moduleItem); } } if (!moduleProvider->HaveFirst) // Some processes don't have a primary image (e.g. System/Registry/Secure System) (dmex) moduleProvider->HaveFirst = TRUE; // Free the modules list. for (i = 0; i < modules->Count; i++) { PPH_MODULE_INFO module = modules->Items[i]; PhDereferenceObject(module->Name); PhDereferenceObject(module->FileName); PhFree(module); } PhDereferenceObject(modules); UpdateExit: PhInvokeCallback(&moduleProvider->UpdatedEvent, NULL); } static CONST PH_KEY_VALUE_PAIR PhModuleTypePairs[] = { SIP(SREF(L"Unknown"), PH_MODULE_TYPE_UNKNOWN), SIP(SREF(L"DLL"), PH_MODULE_TYPE_MODULE), SIP(SREF(L"Mapped file"), PH_MODULE_TYPE_MAPPED_FILE), SIP(SREF(L"WOW64 DLL"), PH_MODULE_TYPE_WOW64_MODULE), SIP(SREF(L"Kernel module"), PH_MODULE_TYPE_KERNEL_MODULE), SIP(SREF(L"Mapped image"), PH_MODULE_TYPE_MAPPED_IMAGE), SIP(SREF(L"Mapped image"), PH_MODULE_TYPE_ELF_MAPPED_IMAGE), SIP(SREF(L"Enclave module"), PH_MODULE_TYPE_ENCLAVE_MODULE), }; PCPH_STRINGREF PhGetModuleTypeName( _In_ ULONG ModuleType ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( PhModuleTypePairs, sizeof(PhModuleTypePairs), ModuleType, &string )) { return string; } return NULL; } static CONST PH_KEY_VALUE_PAIR PhModuleLoadReasonTypePairs[] = { SIP(SREF(L"Static dependency"), LoadReasonStaticDependency), SIP(SREF(L"Static forwarder dependency"), LoadReasonStaticForwarderDependency), SIP(SREF(L"Dynamic forwarder dependency"), LoadReasonDynamicForwarderDependency), SIP(SREF(L"Delay load dependency"), LoadReasonDelayloadDependency), SIP(SREF(L"Dynamic"), LoadReasonDynamicLoad), SIP(SREF(L"As image"), LoadReasonAsImageLoad), SIP(SREF(L"As data"), LoadReasonAsDataLoad), SIP(SREF(L"Enclave primary"), LoadReasonEnclavePrimary), SIP(SREF(L"Enclave dependency"), LoadReasonEnclaveDependency), SIP(SREF(L"Patch image"), LoadReasonPatchImage), SIP(SREF(L"Unknown"), LoadReasonUnknown), }; PCPH_STRINGREF PhGetModuleLoadReasonTypeName( _In_ USHORT LoadReason ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( PhModuleLoadReasonTypePairs, sizeof(PhModuleLoadReasonTypePairs), LoadReason, &string )) { return string; } return (PCPH_STRINGREF)PhModuleLoadReasonTypePairs[10].Key; } static CONST PH_KEY_VALUE_PAIR PhModuleEnclaveTypePairs[] = { SIP(SREF(L"Unknown"), 0), SIP(SREF(L"SGX"), ENCLAVE_TYPE_SGX), SIP(SREF(L"SGX2"), ENCLAVE_TYPE_SGX2), SIP(SREF(L"VBS"), ENCLAVE_TYPE_VBS) }; PCPH_STRINGREF PhGetModuleEnclaveTypeName( _In_ ULONG EnclaveType ) { PCPH_STRINGREF string; if (PhFindStringRefSiKeyValuePairs( PhModuleEnclaveTypePairs, sizeof(PhModuleEnclaveTypePairs), EnclaveType, &string )) { return string; } return NULL; } static VOID PhModuleAddEnclaveModule( _In_ HANDLE ProcessHandle, _In_ PLDR_SOFTWARE_ENCLAVE Enclave, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ USHORT LoadOrderIndex, _Inout_ PPH_LIST Modules ) { PPH_MODULE_INFO info; info = PhAllocateZero(sizeof(PH_MODULE_INFO)); if (!NT_SUCCESS(PhGetProcessLdrTableEntryNames( ProcessHandle, Entry, &info->Name, &info->FileName ))) { info->Name = PhReferenceEmptyString(); info->FileName = PhReferenceEmptyString(); } info->Type = PH_MODULE_TYPE_ENCLAVE_MODULE; info->BaseAddress = Entry->DllBase; info->ParentBaseAddress = Entry->ParentDllBase; info->OriginalBaseAddress = (PVOID)Entry->OriginalBase; info->Size = Entry->SizeOfImage; info->EntryPoint = Entry->EntryPoint; info->Flags = Entry->Flags; info->LoadOrderIndex = LoadOrderIndex; info->LoadCount = USHRT_MAX; info->LoadReason = (USHORT)Entry->LoadReason; info->LoadTime = Entry->LoadTime; info->EnclaveType = Enclave->EnclaveType; info->EnclaveBaseAddress = Enclave->BaseAddress; info->EnclaveSize = Enclave->Size; PhAddItemList(Modules, info); } typedef struct _PHP_ENUM_ENCLAVE_MODULES_CONTEXT { PPH_LIST Modules; USHORT LoadOrderIndex; } PHP_ENUM_ENCLAVE_MODULES_CONTEXT, *PPHP_ENUM_ENCLAVE_MODULES_CONTEXT; static BOOLEAN NTAPI PhModuleEnumEnclaveModulesCallback( _In_ HANDLE ProcessHandle, _In_ PLDR_SOFTWARE_ENCLAVE Enclave, _In_ PVOID EntryAddress, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ PVOID Context ) { PPHP_ENUM_ENCLAVE_MODULES_CONTEXT context; context = (PPHP_ENUM_ENCLAVE_MODULES_CONTEXT)Context; PhModuleAddEnclaveModule( ProcessHandle, Enclave, Entry, context->LoadOrderIndex++, context->Modules ); return TRUE; } static BOOLEAN NTAPI PhModuleEnumEnclavesCallback( _In_ HANDLE ProcessHandle, _In_ PVOID EnclaveAddress, _In_ PLDR_SOFTWARE_ENCLAVE Enclave, _In_ PVOID Context ) { PHP_ENUM_ENCLAVE_MODULES_CONTEXT context; context.Modules = (PPH_LIST)Context; context.LoadOrderIndex = 0; PhEnumProcessEnclaveModules( ProcessHandle, EnclaveAddress, Enclave, PhModuleEnumEnclaveModulesCallback, &context ); return TRUE; } NTSTATUS PhEnumGenericEnclaveModules( _In_ HANDLE ProcessHandle, _In_ PVOID Context ) { NTSTATUS status; PVOID ntLdrEnclaveList; if (ntLdrEnclaveList = ReadPointerAcquire(&PhLdrEnclaveList)) { status = PhEnumProcessEnclaves( ProcessHandle, ntLdrEnclaveList, PhModuleEnumEnclavesCallback, Context ); } else { status = STATUS_PROCEDURE_NOT_FOUND; } return status; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhModuleEnclaveListInitialize( _In_ PVOID ThreadParameter ) { PPH_SYMBOL_PROVIDER symbolProvider; PH_SYMBOL_INFORMATION symbolInfo; PVOID baseAddress; ULONG sizeOfImage; PPH_STRING fileName; symbolProvider = PhCreateSymbolProvider(NULL); PhLoadSymbolProviderOptions(symbolProvider); if (PhGetLoaderEntryDataZ(L"ntdll.dll", &baseAddress, &sizeOfImage, &fileName)) { PhLoadModuleSymbolProvider(symbolProvider, fileName, baseAddress, sizeOfImage); PhDereferenceObject(fileName); } if (PhGetSymbolFromName(symbolProvider, L"LdrpEnclaveList", &symbolInfo)) { InterlockedExchangePointer(&PhLdrEnclaveList, (PLIST_ENTRY)symbolInfo.Address); } PhDereferenceObject(symbolProvider); return STATUS_SUCCESS; } ================================================ FILE: SystemInformer/mtgndlg.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2016-2023 * */ #include #include #include typedef struct _MITIGATION_POLICY_ENTRY { BOOLEAN NonStandard; PPH_STRING ShortDescription; PPH_STRING LongDescription; } MITIGATION_POLICY_ENTRY, *PMITIGATION_POLICY_ENTRY; typedef struct _MITIGATION_POLICY_CONTEXT { HWND ListViewHandle; PS_SYSTEM_DLL_INIT_BLOCK SystemDllInitBlock; MITIGATION_POLICY_ENTRY Entries[MaxProcessMitigationPolicy]; } MITIGATION_POLICY_CONTEXT, *PMITIGATION_POLICY_CONTEXT; INT_PTR CALLBACK PhpProcessMitigationPolicyDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowProcessMitigationPolicyDialog( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId ) { NTSTATUS status; HANDLE processHandle; PH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION information; MITIGATION_POLICY_CONTEXT context; PROCESS_MITIGATION_POLICY policy; PPH_STRING shortDescription; PPH_STRING longDescription; memset(&context, 0, sizeof(MITIGATION_POLICY_CONTEXT)); memset(&context.Entries, 0, sizeof(context.Entries)); // Try to get a handle with query information + vm read access. if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessId ))) { // Try to get a handle with query information. status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION, ProcessId ); } if (NT_SUCCESS(status)) { PS_SYSTEM_DLL_INIT_BLOCK dllInitBlock; if (NT_SUCCESS(PhGetProcessSystemDllInitBlock(processHandle, &dllInitBlock))) { context.SystemDllInitBlock = dllInitBlock; } if (NT_SUCCESS(PhGetProcessMitigationPolicyAllInformation(processHandle, &information))) { for (policy = 0; policy < MaxProcessMitigationPolicy; policy++) { if (information.Pointers[policy] && PhDescribeProcessMitigationPolicy( policy, information.Pointers[policy], &shortDescription, &longDescription )) { context.Entries[policy].ShortDescription = shortDescription; context.Entries[policy].LongDescription = longDescription; } } // HACK: Show System process CET mitigations (dmex) if (ProcessId == SYSTEM_PROCESS_ID) { SYSTEM_SHADOW_STACK_INFORMATION shadowStackInformation; if (NT_SUCCESS(PhGetSystemShadowStackInformation(&shadowStackInformation))) { PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY policyData; memset(&policyData, 0, sizeof(PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY)); policyData.EnableUserShadowStack = shadowStackInformation.KernelCetEnabled; policyData.EnableUserShadowStackStrictMode = shadowStackInformation.KernelCetEnabled; policyData.AuditUserShadowStack = shadowStackInformation.KernelCetAuditModeEnabled; if (PhDescribeProcessMitigationPolicy( ProcessUserShadowStackPolicy, &policyData, &shortDescription, &longDescription )) { context.Entries[ProcessUserShadowStackPolicy].ShortDescription = shortDescription; context.Entries[ProcessUserShadowStackPolicy].LongDescription = longDescription; } } } PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_MITIGATION), ParentWindowHandle, PhpProcessMitigationPolicyDlgProc, &context ); for (policy = 0; policy < MaxProcessMitigationPolicy; policy++) { PhClearReference(&context.Entries[policy].ShortDescription); PhClearReference(&context.Entries[policy].LongDescription); } } NtClose(processHandle); } else { PhShowStatus(ParentWindowHandle, L"Unable to open the process.", status, 0); } } INT_PTR CALLBACK PhpProcessMitigationPolicyDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PMITIGATION_POLICY_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PMITIGATION_POLICY_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); if (uMsg == WM_DESTROY) { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } } if (context == NULL) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HWND lvHandle; PROCESS_MITIGATION_POLICY policy; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); context->ListViewHandle = lvHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(lvHandle, FALSE, TRUE); PhSetControlTheme(lvHandle, L"explorer"); PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 350, L"Policy"); PhSetExtendedListView(lvHandle); for (policy = 0; policy < MaxProcessMitigationPolicy; policy++) { PMITIGATION_POLICY_ENTRY entry = &context->Entries[policy]; if (!entry->ShortDescription) continue; PhAddListViewItem(lvHandle, MAXINT, entry->ShortDescription->Buffer, entry); } if (RTL_CONTAINS_FIELD(&context->SystemDllInitBlock, context->SystemDllInitBlock.Size, MitigationOptionsMap)) { // TODO: Windows doesn't propagate these flags into the MitigationOptionsMap array. (dmex) //if (context->SystemDllInitBlock->MitigationOptionsMap.Map[0] & PROCESS_CREATION_MITIGATION_POLICY2_LOADER_INTEGRITY_CONTINUITY_ALWAYS_ON) //{ // PMITIGATION_POLICY_ENTRY entry; // // entry = PhAllocate(sizeof(MITIGATION_POLICY_ENTRY)); // entry->NonStandard = TRUE; // entry->ShortDescription = PhCreateString(L"Loader Integrity"); // entry->LongDescription = PhCreateString(L"OS signing levels for dependent module loads are enabled."); // // PhAddListViewItem(lvHandle, MAXINT, entry->ShortDescription->Buffer, entry); //} //if (context->SystemDllInitBlock->MitigationOptionsMap.Map[0] & PROCESS_CREATION_MITIGATION_POLICY2_MODULE_TAMPERING_PROTECTION_ALWAYS_ON) //{ // PMITIGATION_POLICY_ENTRY entry; // // entry = PhAllocate(sizeof(MITIGATION_POLICY_ENTRY)); // entry->NonStandard = TRUE; // entry->ShortDescription = PhCreateString(L"Module Tampering"); // entry->LongDescription = PhCreateString(L"Module Tampering protection is enabled."); // // PhAddListViewItem(lvHandle, MAXINT, entry->ShortDescription->Buffer, entry); //} if (context->SystemDllInitBlock.MitigationOptionsMap.Map[0] & PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON) { PMITIGATION_POLICY_ENTRY entry; entry = PhAllocate(sizeof(MITIGATION_POLICY_ENTRY)); entry->NonStandard = TRUE; entry->ShortDescription = PhCreateString(L"Indirect branch prediction"); entry->LongDescription = PhCreateString(L"Protects against sibling hardware threads (hyperthreads) from interfering with indirect branch predictions."); PhAddListViewItem(lvHandle, MAXINT, entry->ShortDescription->Buffer, entry); } if (context->SystemDllInitBlock.MitigationOptionsMap.Map[0] & PROCESS_CREATION_MITIGATION_POLICY2_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY_ALWAYS_ON) { PMITIGATION_POLICY_ENTRY entry; entry = PhAllocate(sizeof(MITIGATION_POLICY_ENTRY)); entry->NonStandard = TRUE; entry->ShortDescription = PhCreateString(L"Dynamic code (downgrade)"); entry->LongDescription = PhCreateString(L"Allows a broker to downgrade the dynamic code policy for a process."); PhAddListViewItem(lvHandle, MAXINT, entry->ShortDescription->Buffer, entry); } if (context->SystemDllInitBlock.MitigationOptionsMap.Map[0] & PROCESS_CREATION_MITIGATION_POLICY2_SPECULATIVE_STORE_BYPASS_DISABLE_ALWAYS_ON) { PMITIGATION_POLICY_ENTRY entry; entry = PhAllocate(sizeof(MITIGATION_POLICY_ENTRY)); entry->NonStandard = TRUE; entry->ShortDescription = PhCreateString(L"Speculative store bypass"); entry->LongDescription = PhCreateString(L"Disables spectre mitigations for the process."); PhAddListViewItem(lvHandle, MAXINT, entry->ShortDescription->Buffer, entry); } } ExtendedListView_SortItems(lvHandle); ExtendedListView_SetColumnWidth(lvHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); ListView_SetItemState(lvHandle, 0, LVIS_FOCUSED | LVIS_SELECTED, LVIS_FOCUSED | LVIS_SELECTED); PhSetDialogFocus(hwndDlg, lvHandle); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { INT index = INT_ERROR; while ((index = PhFindListViewItemByFlags( context->ListViewHandle, index, LVNI_ALL )) != INT_ERROR) { PMITIGATION_POLICY_ENTRY entry; if (PhGetListViewItemParam(context->ListViewHandle, index, &entry)) { if (entry->NonStandard) { PhClearReference(&entry->ShortDescription); PhClearReference(&entry->LongDescription); PhFree(entry); } } } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; HWND lvHandle = GetDlgItem(hwndDlg, IDC_LIST); switch (header->code) { case LVN_ITEMCHANGED: { if (header->hwndFrom == lvHandle) { PWSTR description; if (ListView_GetSelectedCount(lvHandle) == 1) description = ((PMITIGATION_POLICY_ENTRY)PhGetSelectedListViewItemParam(lvHandle))->LongDescription->Buffer; else description = L""; PhSetDialogItemText(hwndDlg, IDC_DESCRIPTION, description); } } break; } PhHandleListViewNotifyForCopy(lParam, lvHandle); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/mwpgdev.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023 * */ #include #include #include #include #include #include #include #include static PH_CALLBACK_REGISTRATION PhpDeviceNotifyRegistration = { 0 }; static CONST PH_STRINGREF PhpDeviceString = PH_STRINGREF_INIT(L"Device"); BOOLEAN PhpShouldNotifyForDevice( _In_ PPH_DEVICE_ITEM Item, _In_ ULONG Type ) { if (Item->ChildrenCount) return FALSE; if (IsEqualGUID(&Item->ClassGuid, &GUID_DEVCLASS_HIDCLASS)) return FALSE; if (PhPluginsEnabled && PhMwpPluginNotifyEvent(Type, Item)) return FALSE; return TRUE; } PPH_STRING PhpNotifyDeviceGetString( _In_ PPH_DEVICE_ITEM Node, _In_ PH_DEVICE_PROPERTY_CLASS Class, _In_ BOOLEAN TrimDevice ) { PH_STRINGREF sr; PPH_STRING string; string = PhGetDeviceProperty(Node, Class)->AsString; if (PhIsNullOrEmptyString(string)) return NULL; sr = string->sr; if (TrimDevice && PhEndsWithStringRef(&sr, &PhpDeviceString, TRUE)) sr.Length -= PhpDeviceString.Length; return PhCreateString2(&sr); } VOID PhpNotifyForDevice( _In_ PPH_DEVICE_ITEM Item, _In_ ULONG Type ) { PPH_STRING classification; PPH_STRING name; PPH_STRING title; classification = PhpNotifyDeviceGetString(Item, PhDevicePropertyClass, TRUE); if (!classification) classification = PhCreateString(L"Unclassified"); name = PhpNotifyDeviceGetString(Item, PhDevicePropertyName, FALSE); if (!name) name = PhCreateString(L"Unnamed"); if (Type == PH_NOTIFY_DEVICE_REMOVED) { PhLogDeviceEntry(PH_LOG_ENTRY_DEVICE_REMOVED, classification, name); title = PhConcatStringRefZ(&classification->sr, L" Device Removed"); } else { PhLogDeviceEntry(PH_LOG_ENTRY_DEVICE_ARRIVED, classification, name); title = PhConcatStringRefZ(&classification->sr, L" Device Arrived"); } if ((PhMwpNotifyIconNotifyMask & Type)) PhShowIconNotification(PhGetString(title), PhGetString(name)); PhDereferenceObject(title); PhDereferenceObject(name); PhDereferenceObject(classification); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhpDeviceProviderCallbackHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { ULONG type = 0; PPH_DEVICE_NOTIFY notify = Parameter; PPH_DEVICE_TREE tree; PPH_DEVICE_ITEM item; if (notify->Action == PhDeviceNotifyInstanceStarted) type = PH_NOTIFY_DEVICE_ARRIVED; else if (notify->Action == PhDeviceNotifyInstanceRemoved) type = PH_NOTIFY_DEVICE_REMOVED; else return; if (tree = PhReferenceDeviceTree()) { item = PhLookupDeviceItem(tree, ¬ify->DeviceInstance.InstanceId->sr); if (item && PhpShouldNotifyForDevice(item, type)) { PhpNotifyForDevice(item, type); } PhClearReference(&tree); } } VOID PhMwpInitializeDeviceNotifications( VOID ) { if (!PhGetIntegerSetting(SETTING_ENABLE_DEVICE_NOTIFY_SUPPORT)) // EnableDeviceNotificationSupport return; if (!PhDeviceProviderInitialization()) return; PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackDeviceNotificationEvent), PhpDeviceProviderCallbackHandler, NULL, &PhpDeviceNotifyRegistration ); } ================================================ FILE: SystemInformer/mwpgnet.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include PPH_MAIN_TAB_PAGE PhMwpNetworkPage; HWND PhMwpNetworkTreeNewHandle; PH_PROVIDER_EVENT_QUEUE PhMwpNetworkEventQueue; static PH_CALLBACK_REGISTRATION NetworkItemAddedRegistration; static PH_CALLBACK_REGISTRATION NetworkItemModifiedRegistration; static PH_CALLBACK_REGISTRATION NetworkItemRemovedRegistration; static PH_CALLBACK_REGISTRATION NetworkItemsUpdatedRegistration; static BOOLEAN NetworkFirstTime = TRUE; static BOOLEAN NetworkTreeListLoaded = FALSE; static PPH_TN_FILTER_ENTRY NetworkFilterEntry = NULL; _Function_class_(PH_MAIN_TAB_PAGE_CALLBACK) BOOLEAN PhMwpNetworkPageCallback( _In_ PPH_MAIN_TAB_PAGE Page, _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ) { switch (Message) { case MainTabPageCreate: { PhMwpNetworkPage = Page; PhInitializeProviderEventQueue(&PhMwpNetworkEventQueue, 100); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackNetworkProviderAddedEvent), PhMwpNetworkItemAddedHandler, NULL, &NetworkItemAddedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackNetworkProviderModifiedEvent), PhMwpNetworkItemModifiedHandler, NULL, &NetworkItemModifiedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackNetworkProviderRemovedEvent), PhMwpNetworkItemRemovedHandler, NULL, &NetworkItemRemovedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackNetworkProviderUpdatedEvent), PhMwpNetworkItemsUpdatedHandler, NULL, &NetworkItemsUpdatedRegistration ); } break; case MainTabPageCreateWindow: { if (Parameter1) { *(HWND*)Parameter1 = PhMwpNetworkTreeNewHandle; } } return TRUE; case MainTabPageSelected: { BOOLEAN selected = (BOOLEAN)PtrToUlong(Parameter1); if (selected) { PhMwpNeedNetworkTreeList(); PhSetEnabledProvider(&PhMwpNetworkProviderRegistration, PhMwpUpdateAutomatically); if (PhMwpUpdateAutomatically || NetworkFirstTime) { PhBoostProvider(&PhMwpNetworkProviderRegistration, NULL); NetworkFirstTime = FALSE; } } else { PhSetEnabledProvider(&PhMwpNetworkProviderRegistration, FALSE); } } break; case MainTabPageInitializeSectionMenuItems: { PPH_MAIN_TAB_PAGE_MENU_INFORMATION menuInfo = Parameter1; PPH_EMENU menu; PPH_EMENU_ITEM menuItem; menu = PhCreateEMenuItem(0, 0, L"Network", NULL, NULL); PhInsertEMenuItem(menuInfo->Menu, menu, menuInfo->StartIndex); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_HIDEWAITINGCONNECTIONS, L"&Hide waiting connections", NULL, NULL), ULONG_MAX); if (NetworkFilterEntry && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_HIDEWAITINGCONNECTIONS))) menuItem->Flags |= PH_EMENU_CHECKED; } return TRUE; case MainTabPageLoadSettings: { if (PhGetIntegerSetting(SETTING_HIDE_WAITING_CONNECTIONS)) NetworkFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportNetworkTreeList(), PhMwpNetworkTreeFilter, NULL); } return TRUE; case MainTabPageSaveSettings: { if (NetworkTreeListLoaded) PhSaveSettingsNetworkTreeList(); } return TRUE; case MainTabPageExportContent: { PPH_MAIN_TAB_PAGE_EXPORT_CONTENT exportContent = Parameter1; PhWriteNetworkList(exportContent->FileStream, exportContent->Mode); } return TRUE; case MainTabPageFontChanged: { HFONT font = (HFONT)Parameter1; SetWindowFont(PhMwpNetworkTreeNewHandle, font, TRUE); } break; case MainTabPageUpdateAutomaticallyChanged: { BOOLEAN updateAutomatically = (BOOLEAN)PtrToUlong(Parameter1); if (PhMwpNetworkPage->Selected) PhSetEnabledProvider(&PhMwpNetworkProviderRegistration, updateAutomatically); } break; } return FALSE; } VOID PhMwpNeedNetworkTreeList( VOID ) { if (!NetworkTreeListLoaded) { NetworkTreeListLoaded = TRUE; PhLoadSettingsNetworkTreeList(); } } VOID PhMwpToggleNetworkWaitingConnectionTreeFilter( VOID ) { if (NetworkFilterEntry) { PhRemoveTreeNewFilter(PhGetFilterSupportNetworkTreeList(), NetworkFilterEntry); NetworkFilterEntry = NULL; } else { NetworkFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportNetworkTreeList(), PhMwpNetworkTreeFilter, NULL); } PhApplyTreeNewFilters(PhGetFilterSupportNetworkTreeList()); PhSetIntegerSetting(SETTING_HIDE_WAITING_CONNECTIONS, !!NetworkFilterEntry); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpNetworkTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_NETWORK_NODE networkNode = (PPH_NETWORK_NODE)Node; if (!networkNode->NetworkItem->ProcessId) return FALSE; if (networkNode->NetworkItem->State == MIB_TCP_STATE_CLOSE_WAIT) return FALSE; return TRUE; } VOID PhMwpInitializeNetworkMenu( _In_ PPH_EMENU Menu, _In_ PPH_NETWORK_ITEM *NetworkItems, _In_ ULONG NumberOfNetworkItems ) { //ULONG i; PPH_EMENU_ITEM item; if (NumberOfNetworkItems == 0) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } else if (NumberOfNetworkItems == 1) { if (!NetworkItems[0]->ProcessId) PhEnableEMenuItem(Menu, ID_NETWORK_GOTOPROCESS, FALSE); } else { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); PhEnableEMenuItem(Menu, ID_NETWORK_CLOSE, TRUE); PhEnableEMenuItem(Menu, ID_NETWORK_COPY, TRUE); } // Go to Service if (NumberOfNetworkItems != 1 || !NetworkItems[0]->OwnerName) { if (item = PhFindEMenuItem(Menu, 0, NULL, ID_NETWORK_GOTOSERVICE)) PhDestroyEMenuItem(item); } // Close //if (NumberOfNetworkItems != 0) //{ // BOOLEAN closeOk = TRUE; // // for (i = 0; i < NumberOfNetworkItems; i++) // { // if ( // NetworkItems[i]->ProtocolType != PH_NETWORK_PROTOCOL_TCP4 || // NetworkItems[i]->State != MIB_TCP_STATE_ESTAB // ) // { // closeOk = FALSE; // break; // } // } // // if (!closeOk) // PhEnableEMenuItem(Menu, ID_NETWORK_CLOSE, FALSE); //} } VOID PhShowNetworkContextMenu( _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PH_PLUGIN_MENU_INFORMATION menuInfo; PPH_NETWORK_ITEM *networkItems; ULONG numberOfNetworkItems; PhGetSelectedNetworkItems(&networkItems, &numberOfNetworkItems); if (numberOfNetworkItems != 0) { PPH_EMENU menu; PPH_EMENU_ITEM item; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_NETWORK_GOTOPROCESS, L"&Go to process\bEnter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_NETWORK_GOTOSERVICE, L"Go to service", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_NETWORK_CLOSE, L"C&lose", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_NETWORK_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhSetFlagsEMenuItem(menu, ID_NETWORK_GOTOPROCESS, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhMwpInitializeNetworkMenu(menu, networkItems, numberOfNetworkItems); PhInsertCopyCellEMenuItem(menu, ID_NETWORK_COPY, PhMwpNetworkTreeNewHandle, ContextMenu->Column); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, PhMainWndHandle, 0); menuInfo.u.Network.NetworkItems = networkItems; menuInfo.u.Network.NumberOfNetworkItems = numberOfNetworkItems; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackNetworkMenuInitializing), &menuInfo); } item = PhShowEMenu( menu, PhMainWndHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(item); if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) SendMessage(PhMainWndHandle, WM_COMMAND, item->Id, 0); } PhDestroyEMenu(menu); } PhFree(networkItems); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpNetworkItemAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_NETWORK_ITEM networkItem = (PPH_NETWORK_ITEM)Parameter; PhReferenceObject(networkItem); PhPushProviderEventQueue(&PhMwpNetworkEventQueue, ProviderAddedEvent, Parameter, PhGetRunIdProvider(&PhMwpNetworkProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpNetworkItemModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_NETWORK_ITEM networkItem = (PPH_NETWORK_ITEM)Parameter; PhPushProviderEventQueue(&PhMwpNetworkEventQueue, ProviderModifiedEvent, Parameter, PhGetRunIdProvider(&PhMwpNetworkProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpNetworkItemRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_NETWORK_ITEM networkItem = (PPH_NETWORK_ITEM)Parameter; PhPushProviderEventQueue(&PhMwpNetworkEventQueue, ProviderRemovedEvent, Parameter, PhGetRunIdProvider(&PhMwpNetworkProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpNetworkItemsUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { SystemInformer_Invoke(PhMwpOnNetworkItemsUpdated, PhGetRunIdProvider(&PhMwpProcessProviderRegistration)); } VOID PhMwpOnNetworkItemsUpdated( _In_ ULONG RunId ) { PPH_PROVIDER_EVENT events; ULONG count; ULONG i; events = PhFlushProviderEventQueue(&PhMwpNetworkEventQueue, RunId, &count); if (events) { TreeNew_SetRedraw(PhMwpNetworkTreeNewHandle, FALSE); for (i = 0; i < count; i++) { PH_PROVIDER_EVENT_TYPE type = PH_PROVIDER_EVENT_TYPE(events[i]); PPH_NETWORK_ITEM networkItem = PH_PROVIDER_EVENT_OBJECT(events[i]); switch (type) { case ProviderAddedEvent: PhAddNetworkNode(networkItem, events[i].RunId); PhDereferenceObject(networkItem); break; case ProviderModifiedEvent: PhUpdateNetworkNode(PhFindNetworkNode(networkItem)); break; case ProviderRemovedEvent: PhRemoveNetworkNode(PhFindNetworkNode(networkItem)); break; } } PhFree(events); } PhTickNetworkNodes(); if (count != 0) TreeNew_SetRedraw(PhMwpNetworkTreeNewHandle, TRUE); } ================================================ FILE: SystemInformer/mwpgproc.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include PPH_MAIN_TAB_PAGE PhMwpProcessesPage; HWND PhMwpProcessTreeNewHandle; HWND PhMwpSelectedProcessWindowHandle; BOOLEAN PhMwpSelectedProcessVirtualizationEnabled; PH_PROVIDER_EVENT_QUEUE PhMwpProcessEventQueue; static PH_CALLBACK_REGISTRATION ProcessAddedRegistration; static PH_CALLBACK_REGISTRATION ProcessModifiedRegistration; static PH_CALLBACK_REGISTRATION ProcessRemovedRegistration; static PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; static ULONG NeedsSelectPid = 0; static ULONG ProcessEndToScrollTo = 0; static PPH_PROCESS_NODE ProcessToScrollTo = NULL; static PPH_TN_FILTER_ENTRY CurrentUserFilterEntry = NULL; static PPH_TN_FILTER_ENTRY SignedFilterEntry = NULL; static PPH_TN_FILTER_ENTRY MicrosoftSignedFilterEntry = NULL; _Function_class_(PH_MAIN_TAB_PAGE_CALLBACK) BOOLEAN PhMwpProcessesPageCallback( _In_ PPH_MAIN_TAB_PAGE Page, _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2 ) { switch (Message) { case MainTabPageCreate: { PhMwpProcessesPage = Page; PhInitializeProviderEventQueue(&PhMwpProcessEventQueue, 100); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderAddedEvent), PhMwpProcessAddedHandler, NULL, &ProcessAddedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderModifiedEvent), PhMwpProcessModifiedHandler, NULL, &ProcessModifiedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderRemovedEvent), PhMwpProcessRemovedHandler, NULL, &ProcessRemovedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhMwpProcessesUpdatedHandler, NULL, &ProcessesUpdatedRegistration ); NeedsSelectPid = PhStartupParameters.SelectPid; } break; case MainTabPageCreateWindow: { *(HWND *)Parameter1 = PhMwpProcessTreeNewHandle; } return TRUE; case MainTabPageInitializeSectionMenuItems: { PPH_MAIN_TAB_PAGE_MENU_INFORMATION menuInfo = Parameter1; PPH_EMENU menu; PPH_EMENU_ITEM menuItem; PPH_EMENU_ITEM columnSetMenuItem; menu = PhCreateEMenuItem(0, 0, L"Processes", NULL, NULL); PhInsertEMenuItem(menuInfo->Menu, menu, menuInfo->StartIndex); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_COLLAPSEALL, L"&Collapse all", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_EXPANDALL, L"&Expand all", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_HIDEPROCESSESFROMOTHERUSERS, L"&Hide processes from other users", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_HIDESIGNEDPROCESSES, L"Hide si&gned processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_HIDEMICROSOFTPROCESSES, L"Hide &system processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_SCROLLTONEWPROCESSES, L"Scrol&l to new processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_SORTCHILDPROCESSES, L"Sort &child processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_SORTROOTPROCESSES, L"Sort &root processes", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_SHOWCPUBELOW001, L"Show CPU &below 0.01", NULL, NULL), ULONG_MAX); if (PhGetIntegerSetting(SETTING_HIDE_OTHER_USER_PROCESSES) && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_HIDEPROCESSESFROMOTHERUSERS))) menuItem->Flags |= PH_EMENU_CHECKED; if (PhGetIntegerSetting(SETTING_HIDE_SIGNED_PROCESSES) && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_HIDESIGNEDPROCESSES))) menuItem->Flags |= PH_EMENU_CHECKED; if (PhGetIntegerSetting(SETTING_HIDE_MICROSOFT_PROCESSES) && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_HIDEMICROSOFTPROCESSES))) menuItem->Flags |= PH_EMENU_CHECKED; if (PhCsScrollToNewProcesses && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_SCROLLTONEWPROCESSES))) menuItem->Flags |= PH_EMENU_CHECKED; if (PhCsSortChildProcesses && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_SORTCHILDPROCESSES))) menuItem->Flags |= PH_EMENU_CHECKED; if (PhCsSortRootProcesses && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_SORTROOTPROCESSES))) menuItem->Flags |= PH_EMENU_CHECKED; if (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_SHOWCPUBELOW001)) { if (PhEnableCycleCpuUsage) { if (PhCsShowCpuBelow001) menuItem->Flags |= PH_EMENU_CHECKED; } else { menuItem->Flags |= PH_EMENU_DISABLED; } } PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, menuItem = PhCreateEMenuItem(0, ID_VIEW_ORGANIZECOLUMNSETS, L"Organi&ze column sets...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_SAVECOLUMNSET, L"Sa&ve column set...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, columnSetMenuItem = PhCreateEMenuItem(0, 0, L"Loa&d column set", NULL, NULL), ULONG_MAX); // Add column set sub menu entries. { ULONG index; PPH_LIST columnSetList; columnSetList = PhInitializeColumnSetList(SETTING_PROCESS_TREE_COLUMN_SET_CONFIG); if (!columnSetList->Count) { menuItem->Flags |= PH_EMENU_DISABLED; columnSetMenuItem->Flags |= PH_EMENU_DISABLED; } else { for (index = 0; index < columnSetList->Count; index++) { PPH_COLUMN_SET_ENTRY entry = columnSetList->Items[index]; menuItem = PhCreateEMenuItem(PH_EMENU_TEXT_OWNED, ID_VIEW_LOADCOLUMNSET, PhAllocateCopy(entry->Name->Buffer, entry->Name->Length + sizeof(UNICODE_NULL)), NULL, NULL); PhInsertEMenuItem(columnSetMenuItem, menuItem, ULONG_MAX); } } PhDeleteColumnSetList(columnSetList); } } return TRUE; case MainTabPageLoadSettings: { PhLoadSettingsProcessTreeList(); if (PhGetIntegerSetting(SETTING_HIDE_OTHER_USER_PROCESSES)) CurrentUserFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportProcessTreeList(), PhMwpCurrentUserProcessTreeFilter, NULL); if (PhGetIntegerSetting(SETTING_HIDE_SIGNED_PROCESSES)) SignedFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportProcessTreeList(), PhMwpSignedProcessTreeFilter, NULL); if (PhGetIntegerSetting(SETTING_HIDE_MICROSOFT_PROCESSES)) MicrosoftSignedFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportProcessTreeList(), PhMwpMicrosoftProcessTreeFilter, NULL); } return TRUE; case MainTabPageSaveSettings: { PhSaveSettingsProcessTreeList(); } return TRUE; case MainTabPageExportContent: { PPH_MAIN_TAB_PAGE_EXPORT_CONTENT exportContent = Parameter1; PhWriteProcessTree(exportContent->FileStream, exportContent->Mode); } return TRUE; case MainTabPageFontChanged: { HFONT font = (HFONT)Parameter1; SetWindowFont(PhMwpProcessTreeNewHandle, font, TRUE); } break; case MainTabPageUpdateAutomaticallyChanged: { BOOLEAN updateAutomatically = (BOOLEAN)PtrToUlong(Parameter1); PhSetEnabledProvider(&PhMwpProcessProviderRegistration, updateAutomatically); } break; } return FALSE; } VOID PhMwpShowProcessProperties( _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_PROCESS_PROPCONTEXT propContext; propContext = PhCreateProcessPropContext( NULL, ProcessItem ); if (propContext) { PhShowProcessProperties(propContext); PhDereferenceObject(propContext); } } VOID PhMwpToggleCurrentUserProcessTreeFilter( VOID ) { if (!CurrentUserFilterEntry) { CurrentUserFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportProcessTreeList(), PhMwpCurrentUserProcessTreeFilter, NULL); } else { PhRemoveTreeNewFilter(PhGetFilterSupportProcessTreeList(), CurrentUserFilterEntry); CurrentUserFilterEntry = NULL; // Expand the nodes to ensure that they will be visible to the user. (dmex) PhExpandAllProcessNodes(TRUE); PhDeselectAllProcessNodes(); } PhApplyTreeNewFilters(PhGetFilterSupportProcessTreeList()); PhSetIntegerSetting(SETTING_HIDE_OTHER_USER_PROCESSES, !!CurrentUserFilterEntry); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpCurrentUserProcessTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_PROCESS_NODE processNode = (PPH_PROCESS_NODE)Node; if (!processNode->ProcessItem->Sid) return FALSE; if (!PhEqualSid(processNode->ProcessItem->Sid, PhGetOwnTokenAttributes().TokenSid)) return FALSE; return TRUE; } VOID PhMwpToggleSignedProcessTreeFilter( _In_ HWND WindowHandle ) { if (!SignedFilterEntry) { if (!PhEnableProcessQueryStage2) { PhShowInformation2( WindowHandle, NULL, L"This filter cannot function because digital signature checking is not enabled.\r\n%s", L"Enable it in Options > General and restart System Informer." ); return; } SignedFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportProcessTreeList(), PhMwpSignedProcessTreeFilter, NULL); } else { PhRemoveTreeNewFilter(PhGetFilterSupportProcessTreeList(), SignedFilterEntry); SignedFilterEntry = NULL; // Expand the nodes to ensure that they will be visible to the user. (dmex) PhExpandAllProcessNodes(TRUE); PhDeselectAllProcessNodes(); } PhApplyTreeNewFilters(PhGetFilterSupportProcessTreeList()); PhSetIntegerSetting(SETTING_HIDE_SIGNED_PROCESSES, !!SignedFilterEntry); } VOID PhMwpToggleMicrosoftProcessTreeFilter( VOID ) { if (!MicrosoftSignedFilterEntry) { MicrosoftSignedFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportProcessTreeList(), PhMwpMicrosoftProcessTreeFilter, NULL); } else { PhRemoveTreeNewFilter(PhGetFilterSupportProcessTreeList(), MicrosoftSignedFilterEntry); MicrosoftSignedFilterEntry = NULL; // Expand the nodes to ensure that they will be visible to the user. (dmex) PhExpandAllProcessNodes(TRUE); PhDeselectAllProcessNodes(); } PhApplyTreeNewFilters(PhGetFilterSupportProcessTreeList()); PhSetIntegerSetting(SETTING_HIDE_MICROSOFT_PROCESSES, !!MicrosoftSignedFilterEntry); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpSignedProcessTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_PROCESS_NODE processNode = (PPH_PROCESS_NODE)Node; if (processNode->ProcessItem->VerifyResult == VrTrusted) return FALSE; return TRUE; } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpMicrosoftProcessTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_PROCESS_NODE processNode = (PPH_PROCESS_NODE)Node; if (PhEnableProcessQueryStage2) { if (!PhIsNullOrEmptyString(processNode->ProcessItem->VerifySignerName)) { static CONST PH_STRINGREF microsoftSignerNameSr = PH_STRINGREF_INIT(L"Microsoft Windows"); if (PhEqualStringRef(&processNode->ProcessItem->VerifySignerName->sr, µsoftSignerNameSr, TRUE)) return FALSE; } } else { if (!PhIsNullOrEmptyString(processNode->ProcessItem->VersionInfo.CompanyName)) { static CONST PH_STRINGREF microsoftCompanyNameSr = PH_STRINGREF_INIT(L"Microsoft"); if (PhStartsWithStringRef(&processNode->ProcessItem->VersionInfo.CompanyName->sr, µsoftCompanyNameSr, TRUE)) return FALSE; } } return TRUE; } BOOLEAN PhMwpExecuteProcessPriorityClassCommand( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { ULONG priorityClass; switch (Id) { case ID_PRIORITY_REALTIME: priorityClass = PROCESS_PRIORITY_CLASS_REALTIME; break; case ID_PRIORITY_HIGH: priorityClass = PROCESS_PRIORITY_CLASS_HIGH; break; case ID_PRIORITY_ABOVENORMAL: priorityClass = PROCESS_PRIORITY_CLASS_ABOVE_NORMAL; break; case ID_PRIORITY_NORMAL: priorityClass = PROCESS_PRIORITY_CLASS_NORMAL; break; case ID_PRIORITY_BELOWNORMAL: priorityClass = PROCESS_PRIORITY_CLASS_BELOW_NORMAL; break; case ID_PRIORITY_IDLE: priorityClass = PROCESS_PRIORITY_CLASS_IDLE; break; default: return FALSE; } PhUiSetPriorityClassProcesses(WindowHandle, Processes, NumberOfProcesses, priorityClass); return TRUE; } BOOLEAN PhMwpExecuteProcessIoPriorityCommand( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { IO_PRIORITY_HINT ioPriority; switch (Id) { case ID_IOPRIORITY_VERYLOW: ioPriority = IoPriorityVeryLow; break; case ID_IOPRIORITY_LOW: ioPriority = IoPriorityLow; break; case ID_IOPRIORITY_NORMAL: ioPriority = IoPriorityNormal; break; case ID_IOPRIORITY_HIGH: ioPriority = IoPriorityHigh; break; default: return FALSE; } PhUiSetIoPriorityProcesses(WindowHandle, Processes, NumberOfProcesses, ioPriority); return TRUE; } VOID PhMwpSetProcessMenuPriorityChecks( _In_ PPH_EMENU Menu, _In_opt_ HANDLE ProcessId, _In_ BOOLEAN SetPriority, _In_ BOOLEAN SetIoPriority, _In_ BOOLEAN SetPagePriority ) { HANDLE processHandle; UCHAR priorityClass = PROCESS_PRIORITY_CLASS_UNKNOWN; IO_PRIORITY_HINT ioPriority = ULONG_MAX; ULONG pagePriority = ULONG_MAX; ULONG id = 0; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId ))) { if (SetPriority) { if (!NT_SUCCESS(PhGetProcessPriorityClass( processHandle, &priorityClass ))) { priorityClass = PROCESS_PRIORITY_CLASS_UNKNOWN; } } if (SetIoPriority) { if (!NT_SUCCESS(PhGetProcessIoPriority( processHandle, &ioPriority ))) { ioPriority = ULONG_MAX; } } if (SetPagePriority) { if (!NT_SUCCESS(PhGetProcessPagePriority( processHandle, &pagePriority ))) { pagePriority = ULONG_MAX; } } NtClose(processHandle); } if (SetPriority && priorityClass != PROCESS_PRIORITY_CLASS_UNKNOWN) { switch (priorityClass) { case PROCESS_PRIORITY_CLASS_REALTIME: id = ID_PRIORITY_REALTIME; break; case PROCESS_PRIORITY_CLASS_HIGH: id = ID_PRIORITY_HIGH; break; case PROCESS_PRIORITY_CLASS_ABOVE_NORMAL: id = ID_PRIORITY_ABOVENORMAL; break; case PROCESS_PRIORITY_CLASS_NORMAL: id = ID_PRIORITY_NORMAL; break; case PROCESS_PRIORITY_CLASS_BELOW_NORMAL: id = ID_PRIORITY_BELOWNORMAL; break; case PROCESS_PRIORITY_CLASS_IDLE: id = ID_PRIORITY_IDLE; break; } if (id != 0) { PhSetFlagsEMenuItem(Menu, id, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK); } } if (SetIoPriority && ioPriority != ULONG_MAX) { id = 0; switch (ioPriority) { case IoPriorityVeryLow: id = ID_IOPRIORITY_VERYLOW; break; case IoPriorityLow: id = ID_IOPRIORITY_LOW; break; case IoPriorityNormal: id = ID_IOPRIORITY_NORMAL; break; case IoPriorityHigh: id = ID_IOPRIORITY_HIGH; break; } if (id != 0) { PhSetFlagsEMenuItem(Menu, id, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK); } } if (SetPagePriority && pagePriority != ULONG_MAX) { id = 0; switch (pagePriority) { case MEMORY_PRIORITY_VERY_LOW: id = ID_PAGEPRIORITY_VERYLOW; break; case MEMORY_PRIORITY_LOW: id = ID_PAGEPRIORITY_LOW; break; case MEMORY_PRIORITY_MEDIUM: id = ID_PAGEPRIORITY_MEDIUM; break; case MEMORY_PRIORITY_BELOW_NORMAL: id = ID_PAGEPRIORITY_BELOWNORMAL; break; case MEMORY_PRIORITY_NORMAL: id = ID_PAGEPRIORITY_NORMAL; break; } if (id != 0) { PhSetFlagsEMenuItem(Menu, id, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK); } } } VOID PhMwpInitializeProcessMenu( _In_ PPH_EMENU Menu, _In_ PPH_PROCESS_ITEM *Processes, _In_ ULONG NumberOfProcesses ) { PPH_EMENU_ITEM item; if (NumberOfProcesses == 0) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } else if (NumberOfProcesses == 1) { // All menu items are enabled by default. // If the user selected a fake process, disable all but a few menu items. if ( PH_IS_FAKE_PROCESS_ID(Processes[0]->ProcessId) || Processes[0]->ProcessId == SYSTEM_IDLE_PROCESS_ID //Processes[0]->ProcessId == SYSTEM_PROCESS_ID // (dmex) ) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); PhEnableEMenuItem(Menu, ID_PROCESS_PROPERTIES, TRUE); PhEnableEMenuItem(Menu, ID_PROCESS_SEARCHONLINE, TRUE); // Enable the Miscellaneous menu item but disable its children. if (item = PhFindEMenuItem(Menu, 0, 0, ID_PROCESS_MISCELLANEOUS)) { PhSetEnabledEMenuItem(item, TRUE); PhSetFlagsAllEMenuItems(item, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } } // Disable the restart menu for service host processes. (dmex) if ( Processes[0]->ServiceList && Processes[0]->ServiceList->Count != 0 ) { PhEnableEMenuItem(Menu, ID_PROCESS_RESTART, FALSE); } if ( PhIsNullOrEmptyString(Processes[0]->FileName) || !PhDoesFileExist(&Processes[0]->FileName->sr) ) { PhEnableEMenuItem(Menu, ID_PROCESS_OPENFILELOCATION, FALSE); } // Critical if (Processes[0]->QueryHandle) { BOOLEAN breakOnTermination; if (NT_SUCCESS(PhGetProcessBreakOnTermination( Processes[0]->QueryHandle, &breakOnTermination ))) { if (breakOnTermination) { PhSetFlagsEMenuItem(Menu, ID_MISCELLANEOUS_SETCRITICAL, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } } // Disable Terminate/Suspend/Resume tree when the process has no children. { PPH_PROCESS_NODE node = PhFindProcessNode(Processes[0]->ProcessId); if (node && !(node->Children && node->Children->Count)) { PhEnableEMenuItem(Menu, ID_PROCESS_TERMINATETREE, FALSE); PhEnableEMenuItem(Menu, ID_PROCESS_SUSPENDTREE, FALSE); PhEnableEMenuItem(Menu, ID_PROCESS_RESUMETREE, FALSE); } } // Eco mode if (WindowsVersion < WINDOWS_10_RS4) { PhEnableEMenuItem(Menu, ID_MISCELLANEOUS_ECOMODE, FALSE); } else { if (Processes[0]->QueryHandle) { POWER_THROTTLING_PROCESS_STATE powerThrottlingState; if (NT_SUCCESS(PhGetProcessPowerThrottlingState( Processes[0]->QueryHandle, &powerThrottlingState ))) { if ( powerThrottlingState.ControlMask & POWER_THROTTLING_PROCESS_EXECUTION_SPEED && powerThrottlingState.StateMask & POWER_THROTTLING_PROCESS_EXECUTION_SPEED ) { PhSetFlagsEMenuItem(Menu, ID_MISCELLANEOUS_ECOMODE, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } } } // Execution Required requests if (WindowsVersion < WINDOWS_8) { PhEnableEMenuItem(Menu, ID_MISCELLANEOUS_EXECUTIONREQUIRED, FALSE); } else { if (PhIsProcessExecutionRequired(Processes[0]->ProcessId)) { PhSetFlagsEMenuItem(Menu, ID_MISCELLANEOUS_EXECUTIONREQUIRED, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } if (WindowsVersion < WINDOWS_11) { if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_FREEZE)) PhDestroyEMenuItem(item); if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_THAW)) PhDestroyEMenuItem(item); } } else { ULONG menuItemsMultiEnabled[] = { ID_PROCESS_TERMINATE, ID_PROCESS_SUSPEND, ID_PROCESS_RESUME, //ID_PROCESS_THAW, //ID_PROCESS_FREEZE, ID_MISCELLANEOUS_REDUCEWORKINGSET, ID_PROCESS_COPY }; ULONG i; PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); // Enable the Miscellaneous menu item but disable its children. if (item = PhFindEMenuItem(Menu, 0, 0, ID_PROCESS_MISCELLANEOUS)) { item->Flags &= ~PH_EMENU_DISABLED; PhSetFlagsAllEMenuItems(item, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } // Enable the Priority menu item. if (item = PhFindEMenuItem(Menu, 0, 0, ID_PROCESS_PRIORITYCLASS)) item->Flags &= ~PH_EMENU_DISABLED; // Enable the I/O Priority menu item. if (item = PhFindEMenuItem(Menu, 0, 0, ID_PROCESS_IOPRIORITY)) item->Flags &= ~PH_EMENU_DISABLED; // These menu items are capable of manipulating // multiple processes. for (i = 0; i < sizeof(menuItemsMultiEnabled) / sizeof(ULONG); i++) { PhSetFlagsEMenuItem(Menu, menuItemsMultiEnabled[i], PH_EMENU_DISABLED, 0); } } // Suspend/Resume if (NumberOfProcesses == 1) { if (Processes[0]->IsSuspended) { if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_SUSPEND)) PhDestroyEMenuItem(item); if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_SUSPENDTREE)) PhDestroyEMenuItem(item); } else { if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_RESUME)) PhDestroyEMenuItem(item); if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_RESUMETREE)) PhDestroyEMenuItem(item); } if (WindowsVersion >= WINDOWS_11 && PH_IS_REAL_PROCESS_ID(Processes[0]->ProcessId)) { if (!PhIsNullOrInvalidHandle(Processes[0]->FreezeHandle)) { if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_FREEZE)) PhDestroyEMenuItem(item); } else { if (item = PhFindEMenuItem(Menu, 0, NULL, ID_PROCESS_THAW)) PhDestroyEMenuItem(item); } } } // Virtualization if (NumberOfProcesses == 1) { HANDLE tokenHandle; BOOLEAN allowed = FALSE; BOOLEAN enabled = FALSE; if (Processes[0]->QueryHandle) { if (NT_SUCCESS(PhOpenProcessToken( Processes[0]->QueryHandle, TOKEN_QUERY, &tokenHandle ))) { PhGetTokenIsVirtualizationAllowed(tokenHandle, &allowed); PhGetTokenIsVirtualizationEnabled(tokenHandle, &enabled); PhMwpSelectedProcessVirtualizationEnabled = enabled; NtClose(tokenHandle); } } if (!allowed) PhSetFlagsEMenuItem(Menu, ID_PROCESS_VIRTUALIZATION, PH_EMENU_DISABLED, PH_EMENU_DISABLED); else if (enabled) PhSetFlagsEMenuItem(Menu, ID_PROCESS_VIRTUALIZATION, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } // Priority if (NumberOfProcesses == 1) { PhMwpSetProcessMenuPriorityChecks(Menu, Processes[0]->ProcessId, TRUE, TRUE, TRUE); } item = PhFindEMenuItem(Menu, 0, 0, ID_PROCESS_WINDOW); if (item) { // Window menu if (NumberOfProcesses == 1) { // Get a handle to the process' top-level window (if any). PhMwpSelectedProcessWindowHandle = PhGetProcessMainWindow(Processes[0]->ProcessId, Processes[0]->QueryHandle); if (!PhMwpSelectedProcessWindowHandle) item->Flags |= PH_EMENU_DISABLED; if (PhMwpSelectedProcessWindowHandle) { WINDOWPLACEMENT placement = { sizeof(placement) }; GetWindowPlacement(PhMwpSelectedProcessWindowHandle, &placement); if (placement.showCmd == SW_MINIMIZE) PhEnableEMenuItem(item, ID_WINDOW_MINIMIZE, FALSE); else if (placement.showCmd == SW_MAXIMIZE) PhEnableEMenuItem(item, ID_WINDOW_MAXIMIZE, FALSE); else if (placement.showCmd == SW_NORMAL) PhEnableEMenuItem(item, ID_WINDOW_RESTORE, FALSE); } } else { item->Flags |= PH_EMENU_DISABLED; } } } PPH_EMENU PhpCreateProcessMenu( _In_ BOOLEAN SystemProcess ) { PPH_EMENU menu; PPH_EMENU_ITEM menuItem; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_TERMINATE, L"T&erminate\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_TERMINATETREE, L"Terminate tree\bShift+Del", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_SUSPEND, L"&Suspend", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_SUSPENDTREE, L"Suspend tree", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_RESUME, L"Res&ume", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_RESUMETREE, L"Resume tree", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_FREEZE, L"Freeze", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_THAW, L"Thaw", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_RESTART, L"Res&tart", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); if (SystemProcess) { PPH_EMENU kernelMinimal; menuItem = PhCreateEMenuItem(0, ID_PROCESS_CREATEDUMPFILE, L"Create live kernel dump fi&le", NULL, NULL); PhInsertEMenuItem(menuItem, kernelMinimal = PhCreateEMenuItem(0, ID_PROCESS_DUMP_MINIMAL, L"&Minimal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_NORMAL, L"&Normal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_FULL, L"&Full...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_CUSTOM, L"&Custom...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); if (!PhGetOwnTokenAttributes().Elevated) { menuItem->Flags |= PH_EMENU_DISABLED; } else if (WindowsVersion < WINDOWS_11) { // Minimal only captures thread stacks, not supported before Windows 11 PhSetDisabledEMenuItem(kernelMinimal); } } else { menuItem = PhCreateEMenuItem(0, ID_PROCESS_CREATEDUMPFILE, L"Create dump fi&le", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_MINIMAL, L"&Minimal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_LIMITED, L"&Limited...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_NORMAL, L"&Normal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_FULL, L"&Full...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_CUSTOM, L"&Custom...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); } PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_DEBUG, L"De&bug", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_AFFINITY, L"&Affinity", NULL, NULL), ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_PRIORITYCLASS, L"&Priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_REALTIME, L"&Real time", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_HIGH, L"&High", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_ABOVENORMAL, L"&Above normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_BELOWNORMAL, L"&Below normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_IDLE, L"&Idle", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_IOPRIORITY, L"&I/O priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_HIGH, L"&High", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_LOW, L"&Low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_VERYLOW, L"&Very low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_PAGEPRIORITY, L"Pa&ge priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_BELOWNORMAL, L"&Below normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_MEDIUM, L"&Medium", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_LOW, L"&Low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_VERYLOW, L"&Very low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_MISCELLANEOUS, L"&Miscellaneous", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_ACTIVITY, L"Activity moderation", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_SETCRITICAL, L"&Critical", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_DETACHFROMDEBUGGER, L"&Detach from debugger", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_ECOMODE, L"Efficiency mode", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_EXECUTIONREQUIRED, L"Execution required", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_GDIHANDLES, L"GDI &handles...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_HEAPS, L"Heaps...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_LOCKS, L"Locks...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_FLUSHHEAPS, L"Flush heaps", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_PAGESMODIFIED, L"Modified pages...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_REDUCEWORKINGSET, L"Reduce working &set", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_RUNAS, L"&Run as...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_RUNASTHISUSER, L"Run &as this user...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_VIRTUALIZATION, L"Virtuali&zation", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_WINDOW, L"&Window", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_WINDOW_BRINGTOFRONT, L"Bring to &front", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_WINDOW_RESTORE, L"&Restore", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_WINDOW_MINIMIZE, L"M&inimize", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_WINDOW_MAXIMIZE, L"M&aximize", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_WINDOW_CLOSE, L"&Close", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_SEARCHONLINE, L"Search &online\bCtrl+M", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_OPENFILELOCATION, L"Open &file location\bCtrl+Enter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_PROPERTIES, L"P&roperties\bEnter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); return menu; } VOID PhShowProcessContextMenu( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PH_PLUGIN_MENU_INFORMATION menuInfo; PPH_PROCESS_ITEM *processes; ULONG numberOfProcesses; if (PhGetSelectedProcessItems(&processes, &numberOfProcesses)) { PPH_EMENU menu; PPH_EMENU_ITEM item; if (numberOfProcesses == 1 && processes[0]->ProcessId == SYSTEM_PROCESS_ID) menu = PhpCreateProcessMenu(TRUE); else menu = PhpCreateProcessMenu(FALSE); PhSetFlagsEMenuItem(menu, ID_PROCESS_PROPERTIES, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhMwpInitializeProcessMenu(menu, processes, numberOfProcesses); PhInsertCopyCellEMenuItem(menu, ID_PROCESS_COPY, PhMwpProcessTreeNewHandle, ContextMenu->Column); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, WindowHandle, 0); menuInfo.u.Process.Processes = processes; menuInfo.u.Process.NumberOfProcesses = numberOfProcesses; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessMenuInitializing), &menuInfo); } item = PhShowEMenu( menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(item); if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) SendMessage(WindowHandle, WM_COMMAND, item->Id, 0); } PhDestroyEMenu(menu); PhFree(processes); } } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_PROCESS_ITEM processItem = (PPH_PROCESS_ITEM)Parameter; // Reference the process item so it doesn't get deleted before // we handle the event in the main thread. PhReferenceObject(processItem); PhPushProviderEventQueue(&PhMwpProcessEventQueue, ProviderAddedEvent, Parameter, PhGetRunIdProvider(&PhMwpProcessProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_PROCESS_ITEM processItem = (PPH_PROCESS_ITEM)Parameter; PhPushProviderEventQueue(&PhMwpProcessEventQueue, ProviderModifiedEvent, Parameter, PhGetRunIdProvider(&PhMwpProcessProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_PROCESS_ITEM processItem = (PPH_PROCESS_ITEM)Parameter; // We already have a reference to the process item, so we don't need to // reference it here. PhPushProviderEventQueue(&PhMwpProcessEventQueue, ProviderRemovedEvent, Parameter, PhGetRunIdProvider(&PhMwpProcessProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpProcessesUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { SystemInformer_Invoke(PhMwpOnProcessesUpdated, PhGetRunIdProvider(&PhMwpProcessProviderRegistration)); } VOID PhMwpOnProcessAdded( _In_ _Assume_refs_(1) PPH_PROCESS_ITEM ProcessItem, _In_ ULONG RunId ) { PPH_PROCESS_NODE processNode; processNode = PhAddProcessNode(ProcessItem, RunId); if (RunId != 1) { PPH_PROCESS_ITEM parentProcess; HANDLE parentProcessId = NULL; PPH_STRING parentName = NULL; if (parentProcess = PhReferenceProcessItemForParent(ProcessItem)) { parentProcessId = parentProcess->ProcessId; parentName = parentProcess->ProcessName; } PhLogProcessEntry( PH_LOG_ENTRY_PROCESS_CREATE, ProcessItem->ProcessId, ProcessItem->ProcessName, parentProcessId, parentName, 0 ); if (PhMwpNotifyIconNotifyMask & PH_NOTIFY_PROCESS_CREATE) { if (!PhPluginsEnabled || !PhMwpPluginNotifyEvent(PH_NOTIFY_PROCESS_CREATE, ProcessItem)) { PH_FORMAT format[9]; WCHAR formatBuffer[260]; PhMwpClearLastNotificationDetails(); PhMwpLastNotificationType = PH_NOTIFY_PROCESS_CREATE; PhMwpLastNotificationDetails.ProcessId = ProcessItem->ProcessId; // The process %s (%lu) was created by %s (%lu) PhInitFormatS(&format[0], L"The process "); PhInitFormatSR(&format[1], ProcessItem->ProcessName->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatU(&format[3], HandleToUlong(ProcessItem->ProcessId)); PhInitFormatS(&format[4], L") was created by "); PhInitFormatS(&format[5], PhGetStringOrDefault(parentName, L"Unknown process")); // todo: SR type (dmex) PhInitFormatS(&format[6], L" ("); PhInitFormatU(&format[7], HandleToUlong(ProcessItem->ParentProcessId)); PhInitFormatC(&format[8], L')'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) { PhShowIconNotification(L"Process Created", formatBuffer); } else { PhShowIconNotification(L"Process Created", PH_AUTO_T(PH_STRING, PhFormat(format, RTL_NUMBER_OF(format), 0))->Buffer); } } } if (parentProcess) PhDereferenceObject(parentProcess); if (PhCsScrollToNewProcesses) ProcessToScrollTo = processNode; } else { if (NeedsSelectPid != 0) { if (processNode->ProcessId == UlongToHandle(NeedsSelectPid)) ProcessToScrollTo = processNode; } } // PhCreateProcessNode has its own reference. PhDereferenceObject(ProcessItem); } VOID PhMwpOnProcessModified( _In_ PPH_PROCESS_ITEM ProcessItem ) { PhUpdateProcessNode(PhFindProcessNode(ProcessItem->ProcessId)); if (SignedFilterEntry || MicrosoftSignedFilterEntry) // HACK: Invalidate filters when modified (dmex) PhApplyTreeNewFilters(PhGetFilterSupportProcessTreeList()); } VOID PhMwpOnProcessRemoved( _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_PROCESS_NODE processNode; ULONG processNodeIndex = 0; ULONG exitStatus = 0; if (ProcessItem->QueryHandle) { PROCESS_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhGetProcessBasicInformation(ProcessItem->QueryHandle, &basicInfo))) { exitStatus = basicInfo.ExitStatus; } } PhLogProcessEntry(PH_LOG_ENTRY_PROCESS_DELETE, ProcessItem->ProcessId, ProcessItem->ProcessName, NULL, NULL, exitStatus); if (PhMwpNotifyIconNotifyMask & PH_NOTIFY_PROCESS_DELETE) { if (!PhPluginsEnabled || !PhMwpPluginNotifyEvent(PH_NOTIFY_PROCESS_DELETE, ProcessItem)) { PH_FORMAT format[6]; WCHAR formatBuffer[260]; PhMwpClearLastNotificationDetails(); PhMwpLastNotificationType = PH_NOTIFY_PROCESS_DELETE; PhMwpLastNotificationDetails.ProcessId = ProcessItem->ProcessId; // The process %s (%lu) was terminated with status 0x%x PhInitFormatS(&format[0], L"The process "); PhInitFormatSR(&format[1], ProcessItem->ProcessName->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatU(&format[3], HandleToUlong(ProcessItem->ProcessId)); PhInitFormatS(&format[4], L") was terminated with status 0x"); PhInitFormatX(&format[5], exitStatus); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) { PhShowIconNotification(L"Process Terminated", formatBuffer); } else { PhShowIconNotification(L"Process Terminated", PH_AUTO_T(PH_STRING, PhFormat(format, RTL_NUMBER_OF(format), 0))->Buffer); } } } processNode = PhFindProcessNode(ProcessItem->ProcessId); processNodeIndex = processNode->Node.Index; PhRemoveProcessNode(processNode); if (ProcessToScrollTo == processNode) // shouldn't happen, but just in case ProcessToScrollTo = NULL; if (PhCsScrollToRemovedProcesses) { ProcessEndToScrollTo = processNodeIndex; } } VOID PhMwpOnProcessesUpdated( _In_ ULONG RunId ) { PPH_PROVIDER_EVENT events; ULONG count; ULONG i; events = PhFlushProviderEventQueue(&PhMwpProcessEventQueue, RunId, &count); if (events) { TreeNew_SetRedraw(PhMwpProcessTreeNewHandle, FALSE); for (i = 0; i < count; i++) { PH_PROVIDER_EVENT_TYPE type = PH_PROVIDER_EVENT_TYPE(events[i]); PPH_PROCESS_ITEM processItem = PH_PROVIDER_EVENT_OBJECT(events[i]); switch (type) { case ProviderAddedEvent: PhMwpOnProcessAdded(processItem, events[i].RunId); break; case ProviderModifiedEvent: PhMwpOnProcessModified(processItem); break; case ProviderRemovedEvent: PhMwpOnProcessRemoved(processItem); break; } } PhFree(events); } // The modified notification is only sent for special cases. // We have to invalidate the text on each update. PhTickProcessNodes(); if (count != 0) { TreeNew_SetRedraw(PhMwpProcessTreeNewHandle, TRUE); } if (PhPluginsEnabled) { PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessesUpdated), UlongToPtr(RunId)); } if (NeedsSelectPid != 0) { if (ProcessToScrollTo) { PhSelectAndEnsureVisibleProcessNode(ProcessToScrollTo); ProcessToScrollTo = NULL; } NeedsSelectPid = 0; } if (ProcessToScrollTo) { TreeNew_EnsureVisible(PhMwpProcessTreeNewHandle, &ProcessToScrollTo->Node); ProcessToScrollTo = NULL; } if (ProcessEndToScrollTo) { count = TreeNew_GetFlatNodeCount(PhMwpProcessTreeNewHandle); if (ProcessEndToScrollTo > count) ProcessEndToScrollTo = count; TreeNew_EnsureVisibleIndex(PhMwpProcessTreeNewHandle, ProcessEndToScrollTo); ProcessEndToScrollTo = 0; } } ================================================ FILE: SystemInformer/mwpgsrv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include PPH_MAIN_TAB_PAGE PhMwpServicesPage; HWND PhMwpServiceTreeNewHandle; PH_PROVIDER_EVENT_QUEUE PhMwpServiceEventQueue; static PH_CALLBACK_REGISTRATION ServiceAddedRegistration; static PH_CALLBACK_REGISTRATION ServiceModifiedRegistration; static PH_CALLBACK_REGISTRATION ServiceRemovedRegistration; static PH_CALLBACK_REGISTRATION ServicesUpdatedRegistration; static BOOLEAN ServiceTreeListLoaded = FALSE; static PPH_TN_FILTER_ENTRY DriverFilterEntry = NULL; static PPH_TN_FILTER_ENTRY MicrosoftFilterEntry = NULL; _Function_class_(PH_MAIN_TAB_PAGE_CALLBACK) BOOLEAN PhMwpServicesPageCallback( _In_ PPH_MAIN_TAB_PAGE Page, _In_ PH_MAIN_TAB_PAGE_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ) { switch (Message) { case MainTabPageCreate: { PhMwpServicesPage = Page; PhInitializeProviderEventQueue(&PhMwpServiceEventQueue, 100); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackServiceProviderAddedEvent), PhMwpServiceAddedHandler, NULL, &ServiceAddedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackServiceProviderModifiedEvent), PhMwpServiceModifiedHandler, NULL, &ServiceModifiedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackServiceProviderRemovedEvent), PhMwpServiceRemovedHandler, NULL, &ServiceRemovedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackServiceProviderUpdatedEvent), PhMwpServicesUpdatedHandler, NULL, &ServicesUpdatedRegistration ); } break; case MainTabPageCreateWindow: { if (Parameter1) { *(HWND*)Parameter1 = PhMwpServiceTreeNewHandle; } } return TRUE; case MainTabPageSelected: { BOOLEAN selected = (BOOLEAN)PtrToUlong(Parameter1); if (selected) PhMwpNeedServiceTreeList(); } break; case MainTabPageInitializeSectionMenuItems: { PPH_MAIN_TAB_PAGE_MENU_INFORMATION menuInfo = Parameter1; PPH_EMENU menu; PPH_EMENU_ITEM menuItem; menu = PhCreateEMenuItem(0, 0, L"Services", NULL, NULL); PhInsertEMenuItem(menuInfo->Menu, menu, menuInfo->StartIndex); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_HIDEMICROSOFTSERVICES, L"Hide default services", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_VIEW_HIDEDRIVERSERVICES, L"&Hide driver services", NULL, NULL), ULONG_MAX); if (DriverFilterEntry && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_HIDEDRIVERSERVICES))) menuItem->Flags |= PH_EMENU_CHECKED; if (MicrosoftFilterEntry && (menuItem = PhFindEMenuItem(menu, 0, NULL, ID_VIEW_HIDEMICROSOFTSERVICES))) menuItem->Flags |= PH_EMENU_CHECKED; } return TRUE; case MainTabPageLoadSettings: { if (PhGetIntegerSetting(SETTING_HIDE_DRIVER_SERVICES)) DriverFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportServiceTreeList(), PhMwpDriverServiceTreeFilter, NULL); if (PhGetIntegerSetting(SETTING_HIDE_DEFAULT_SERVICES)) MicrosoftFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportServiceTreeList(), PhMwpMicrosoftServiceTreeFilter, NULL); } return TRUE; case MainTabPageSaveSettings: { if (ServiceTreeListLoaded) PhSaveSettingsServiceTreeList(); } return TRUE; case MainTabPageExportContent: { PPH_MAIN_TAB_PAGE_EXPORT_CONTENT exportContent = Parameter1; PhWriteServiceList(exportContent->FileStream, exportContent->Mode); } return TRUE; case MainTabPageFontChanged: { HFONT font = (HFONT)Parameter1; SetWindowFont(PhMwpServiceTreeNewHandle, font, TRUE); } break; case MainTabPageUpdateAutomaticallyChanged: { BOOLEAN updateAutomatically = (BOOLEAN)PtrToUlong(Parameter1); PhSetEnabledProvider(&PhMwpServiceProviderRegistration, updateAutomatically); } break; } return FALSE; } VOID PhMwpNeedServiceTreeList( VOID ) { if (!ServiceTreeListLoaded) { ServiceTreeListLoaded = TRUE; PhLoadSettingsServiceTreeList(); } } VOID PhMwpToggleDriverServiceTreeFilter( VOID ) { if (!DriverFilterEntry) { DriverFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportServiceTreeList(), PhMwpDriverServiceTreeFilter, NULL); } else { PhRemoveTreeNewFilter(PhGetFilterSupportServiceTreeList(), DriverFilterEntry); DriverFilterEntry = NULL; } PhApplyTreeNewFilters(PhGetFilterSupportServiceTreeList()); PhSetIntegerSetting(SETTING_HIDE_DRIVER_SERVICES, !!DriverFilterEntry); } VOID PhMwpToggleMicrosoftServiceTreeFilter( VOID ) { if (MicrosoftFilterEntry) { PhRemoveTreeNewFilter(PhGetFilterSupportServiceTreeList(), MicrosoftFilterEntry); MicrosoftFilterEntry = NULL; } else { MicrosoftFilterEntry = PhAddTreeNewFilter(PhGetFilterSupportServiceTreeList(), PhMwpMicrosoftServiceTreeFilter, NULL); } PhApplyTreeNewFilters(PhGetFilterSupportServiceTreeList()); PhSetIntegerSetting(SETTING_HIDE_DEFAULT_SERVICES, !!MicrosoftFilterEntry); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpDriverServiceTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_SERVICE_NODE serviceNode = (PPH_SERVICE_NODE)Node; if (FlagOn(serviceNode->ServiceItem->Type, SERVICE_DRIVER)) return FALSE; return TRUE; } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhMwpMicrosoftServiceTreeFilter( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_SERVICE_NODE serviceNode = (PPH_SERVICE_NODE)Node; if (serviceNode->ServiceItem->MicrosoftService) return FALSE; return TRUE; } VOID PhMwpInitializeServiceMenu( _In_ PPH_EMENU Menu, _In_ PPH_SERVICE_ITEM *Services, _In_ ULONG NumberOfServices ) { if (NumberOfServices == 0) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } else if (NumberOfServices == 1) { if (!Services[0]->ProcessId) PhEnableEMenuItem(Menu, ID_SERVICE_GOTOPROCESS, FALSE); } else { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); PhEnableEMenuItem(Menu, ID_SERVICE_START, TRUE); PhEnableEMenuItem(Menu, ID_SERVICE_CONTINUE, TRUE); PhEnableEMenuItem(Menu, ID_SERVICE_PAUSE, TRUE); PhEnableEMenuItem(Menu, ID_SERVICE_STOP, TRUE); PhEnableEMenuItem(Menu, ID_SERVICE_COPY, TRUE); } if (NumberOfServices == 1) { switch (Services[0]->State) { case SERVICE_RUNNING: { PhEnableEMenuItem(Menu, ID_SERVICE_START, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_CONTINUE, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_PAUSE, FlagOn(Services[0]->ControlsAccepted, SERVICE_ACCEPT_PAUSE_CONTINUE)); PhEnableEMenuItem(Menu, ID_SERVICE_STOP, FlagOn(Services[0]->ControlsAccepted, SERVICE_ACCEPT_STOP)); } break; case SERVICE_PAUSED: { PhEnableEMenuItem(Menu, ID_SERVICE_START, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_CONTINUE, FlagOn(Services[0]->ControlsAccepted, SERVICE_ACCEPT_PAUSE_CONTINUE)); PhEnableEMenuItem(Menu, ID_SERVICE_PAUSE, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_STOP, FlagOn(Services[0]->ControlsAccepted, SERVICE_ACCEPT_STOP)); } break; case SERVICE_STOPPED: { PhEnableEMenuItem(Menu, ID_SERVICE_CONTINUE, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_PAUSE, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_STOP, FALSE); } break; case SERVICE_START_PENDING: case SERVICE_CONTINUE_PENDING: case SERVICE_PAUSE_PENDING: case SERVICE_STOP_PENDING: { PhEnableEMenuItem(Menu, ID_SERVICE_START, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_CONTINUE, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_PAUSE, FALSE); PhEnableEMenuItem(Menu, ID_SERVICE_STOP, FALSE); } break; } if (!FlagOn(Services[0]->ControlsAccepted, SERVICE_ACCEPT_PAUSE_CONTINUE)) { PPH_EMENU_ITEM item; if (item = PhFindEMenuItem(Menu, 0, NULL, ID_SERVICE_CONTINUE)) PhDestroyEMenuItem(item); if (item = PhFindEMenuItem(Menu, 0, NULL, ID_SERVICE_PAUSE)) PhDestroyEMenuItem(item); } } } VOID PhShowServiceContextMenu( _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PH_PLUGIN_MENU_INFORMATION menuInfo; PPH_SERVICE_ITEM *services; ULONG numberOfServices; PhGetSelectedServiceItems(&services, &numberOfServices); if (numberOfServices != 0) { PPH_EMENU menu; PPH_EMENU_ITEM item; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_START, L"&Start", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_CONTINUE, L"C&ontinue", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_PAUSE, L"&Pause", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_STOP, L"S&top", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_DELETE, L"&Delete\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_GOTOPROCESS, L"&Go to process", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_OPENKEY, L"Open &key", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_OPENFILELOCATION, L"Open &file location\bCtrl+Enter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_PROPERTIES, L"P&roperties\bEnter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_SERVICE_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhSetFlagsEMenuItem(menu, ID_SERVICE_PROPERTIES, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhMwpInitializeServiceMenu(menu, services, numberOfServices); PhInsertCopyCellEMenuItem(menu, ID_SERVICE_COPY, PhMwpServiceTreeNewHandle, ContextMenu->Column); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, PhMainWndHandle, 0); menuInfo.u.Service.Services = services; menuInfo.u.Service.NumberOfServices = numberOfServices; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServiceMenuInitializing), &menuInfo); } item = PhShowEMenu( menu, PhMainWndHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(item); if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) SendMessage(PhMainWndHandle, WM_COMMAND, item->Id, 0); } PhDestroyEMenu(menu); } PhFree(services); } VOID PhServiceListInsertContextMenu( _In_ HWND ParentWindow, _In_ PPH_EMENU Menu, _In_ PPH_SERVICE_ITEM* Services, _In_ ULONG NumberOfServices ) { PH_PLUGIN_MENU_INFORMATION menuInfo; PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_START, L"&Start", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_CONTINUE, L"C&ontinue", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_PAUSE, L"&Pause", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_STOP, L"S&top", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_DELETE, L"&Delete\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_GOTOPROCESS, L"&Go to process", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_OPENKEY, L"Open &key", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_OPENFILELOCATION, L"Open &file location\bCtrl+Enter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_PROPERTIES, L"P&roperties\bEnter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(Menu, PhCreateEMenuItem(0, ID_SERVICE_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhSetFlagsEMenuItem(Menu, ID_SERVICE_PROPERTIES, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhMwpInitializeServiceMenu(Menu, Services, NumberOfServices); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, Menu, ParentWindow, 0); menuInfo.u.Service.Services = Services; menuInfo.u.Service.NumberOfServices = NumberOfServices; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServiceMenuInitializing), &menuInfo); } } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServiceAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_SERVICE_ITEM serviceItem = (PPH_SERVICE_ITEM)Parameter; PhReferenceObject(serviceItem); PhPushProviderEventQueue(&PhMwpServiceEventQueue, ProviderAddedEvent, Parameter, PhGetRunIdProvider(&PhMwpServiceProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServiceModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_SERVICE_MODIFIED_DATA serviceModifiedData = (PPH_SERVICE_MODIFIED_DATA)Parameter; PPH_SERVICE_MODIFIED_DATA copy; copy = PhAllocateCopy(serviceModifiedData, sizeof(PH_SERVICE_MODIFIED_DATA)); PhPushProviderEventQueue(&PhMwpServiceEventQueue, ProviderModifiedEvent, copy, PhGetRunIdProvider(&PhMwpServiceProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServiceRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_SERVICE_ITEM serviceItem = (PPH_SERVICE_ITEM)Parameter; PhPushProviderEventQueue(&PhMwpServiceEventQueue, ProviderRemovedEvent, Parameter, PhGetRunIdProvider(&PhMwpServiceProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhMwpServicesUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { SystemInformer_Invoke(PhMwpOnServicesUpdated, PhGetRunIdProvider(&PhMwpServiceProviderRegistration)); } VOID PhMwpOnServiceAdded( _In_ _Assume_refs_(1) PPH_SERVICE_ITEM ServiceItem, _In_ ULONG RunId ) { PPH_SERVICE_NODE serviceNode; serviceNode = PhAddServiceNode(ServiceItem, RunId); // ServiceItem dereferenced below if (RunId != 1) { PhLogServiceEntry(PH_LOG_ENTRY_SERVICE_CREATE, ServiceItem->Name, ServiceItem->DisplayName); if (FlagOn(PhMwpNotifyIconNotifyMask, PH_NOTIFY_SERVICE_CREATE)) { if (!PhPluginsEnabled || !PhMwpPluginNotifyEvent(PH_NOTIFY_SERVICE_CREATE, ServiceItem)) { PH_FORMAT format[5]; WCHAR formatBuffer[260]; PhMwpClearLastNotificationDetails(); PhMwpLastNotificationType = PH_NOTIFY_SERVICE_CREATE; PhSwapReference(&PhMwpLastNotificationDetails.ServiceName, ServiceItem->Name); // The service %s (%s) has been created. PhInitFormatS(&format[0], L"The service "); PhInitFormatSR(&format[1], ServiceItem->Name->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], ServiceItem->DisplayName->sr); PhInitFormatS(&format[4], L") was created"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) { PhShowIconNotification(L"Service Created", formatBuffer); } else { PhShowIconNotification(L"Service Created", PH_AUTO_T(PH_STRING, PhFormat(format, RTL_NUMBER_OF(format), 0))->Buffer); } } } } PhDereferenceObject(ServiceItem); } VOID PhMwpOnServiceModified( _In_ PPH_SERVICE_MODIFIED_DATA ServiceModifiedData, _In_ ULONG RunId ) { PH_SERVICE_CHANGE serviceChange; UCHAR logEntryType; PhUpdateServiceNode(PhFindServiceNode(ServiceModifiedData->ServiceItem)); serviceChange = PhGetServiceChange(ServiceModifiedData); switch (serviceChange) { case ServiceStarted: logEntryType = PH_LOG_ENTRY_SERVICE_START; break; case ServiceStopped: logEntryType = PH_LOG_ENTRY_SERVICE_STOP; break; case ServiceContinued: logEntryType = PH_LOG_ENTRY_SERVICE_CONTINUE; break; case ServicePaused: logEntryType = PH_LOG_ENTRY_SERVICE_PAUSE; break; case ServiceModified: logEntryType = PH_LOG_ENTRY_SERVICE_MODIFIED; break; default: logEntryType = 0; break; } if (logEntryType != 0) PhLogServiceEntry(logEntryType, ServiceModifiedData->ServiceItem->Name, ServiceModifiedData->ServiceItem->DisplayName); if (FlagOn(PhMwpNotifyIconNotifyMask, PH_NOTIFY_SERVICE_START | PH_NOTIFY_SERVICE_STOP | PH_NOTIFY_SERVICE_MODIFIED)) { PPH_SERVICE_ITEM serviceItem; serviceItem = ServiceModifiedData->ServiceItem; if (serviceChange == ServiceStarted && FlagOn(PhMwpNotifyIconNotifyMask, PH_NOTIFY_SERVICE_START)) { if (!PhPluginsEnabled || !PhMwpPluginNotifyEvent(PH_NOTIFY_SERVICE_START, serviceItem)) { PH_FORMAT format[5]; WCHAR formatBuffer[260]; PhMwpClearLastNotificationDetails(); PhMwpLastNotificationType = PH_NOTIFY_SERVICE_START; PhSwapReference(&PhMwpLastNotificationDetails.ServiceName, serviceItem->Name); // The service %s (%s) has been started. PhInitFormatS(&format[0], L"The service "); PhInitFormatSR(&format[1], serviceItem->Name->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], serviceItem->DisplayName->sr); PhInitFormatS(&format[4], L") was started"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) { PhShowIconNotification(L"Service Started", formatBuffer); } else { PhShowIconNotification(L"Service Started", PH_AUTO_T(PH_STRING, PhFormat(format, RTL_NUMBER_OF(format), 0))->Buffer); } } } else if (serviceChange == ServiceStopped && FlagOn(PhMwpNotifyIconNotifyMask, PH_NOTIFY_SERVICE_STOP)) { if (!PhPluginsEnabled || !PhMwpPluginNotifyEvent(PH_NOTIFY_SERVICE_STOP, serviceItem)) { PH_FORMAT format[5]; WCHAR formatBuffer[260]; PhMwpClearLastNotificationDetails(); PhMwpLastNotificationType = PH_NOTIFY_SERVICE_STOP; PhSwapReference(&PhMwpLastNotificationDetails.ServiceName, serviceItem->Name); // The service %s (%s) has been stopped. PhInitFormatS(&format[0], L"The service "); PhInitFormatSR(&format[1], serviceItem->Name->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], serviceItem->DisplayName->sr); PhInitFormatS(&format[4], L") was stopped"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) { PhShowIconNotification(L"Service Stopped", formatBuffer); } else { PhShowIconNotification(L"Service Stopped", PH_AUTO_T(PH_STRING, PhFormat(format, RTL_NUMBER_OF(format), 0))->Buffer); } } } else if (serviceChange == ServiceModified && FlagOn(PhMwpNotifyIconNotifyMask, PH_NOTIFY_SERVICE_MODIFIED)) { if (!PhPluginsEnabled || !PhMwpPluginNotifyEvent(PH_NOTIFY_SERVICE_MODIFIED, serviceItem)) { PH_FORMAT format[5]; WCHAR formatBuffer[260]; PhMwpClearLastNotificationDetails(); PhMwpLastNotificationType = PH_NOTIFY_SERVICE_MODIFIED; PhSwapReference(&PhMwpLastNotificationDetails.ServiceName, serviceItem->Name); // The service %s (%s) has been modified. PhInitFormatS(&format[0], L"The service "); PhInitFormatSR(&format[1], serviceItem->Name->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], serviceItem->DisplayName->sr); PhInitFormatS(&format[4], L") was modified"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) { PhShowIconNotification(L"Service Modified", formatBuffer); } else { PhShowIconNotification(L"Service Modified", PH_AUTO_T(PH_STRING, PhFormat(format, RTL_NUMBER_OF(format), 0))->Buffer); } } } } PhFree(ServiceModifiedData); } VOID PhMwpOnServiceRemoved( _In_ PPH_SERVICE_ITEM ServiceItem ) { PhLogServiceEntry(PH_LOG_ENTRY_SERVICE_DELETE, ServiceItem->Name, ServiceItem->DisplayName); if (FlagOn(PhMwpNotifyIconNotifyMask, PH_NOTIFY_SERVICE_DELETE)) { if (!PhPluginsEnabled || !PhMwpPluginNotifyEvent(PH_NOTIFY_SERVICE_DELETE, ServiceItem)) { PH_FORMAT format[5]; WCHAR formatBuffer[260]; PhMwpClearLastNotificationDetails(); PhMwpLastNotificationType = PH_NOTIFY_SERVICE_DELETE; PhSwapReference(&PhMwpLastNotificationDetails.ServiceName, ServiceItem->Name); // The service %s (%s) has been deleted. PhInitFormatS(&format[0], L"The service "); PhInitFormatSR(&format[1], ServiceItem->Name->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], ServiceItem->DisplayName->sr); PhInitFormatS(&format[4], L") was deleted"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) { PhShowIconNotification(L"Service Deleted", formatBuffer); } else { PhShowIconNotification(L"Service Deleted", PH_AUTO_T(PH_STRING, PhFormat(format, RTL_NUMBER_OF(format), 0))->Buffer); } } } PhRemoveServiceNode(PhFindServiceNode(ServiceItem)); } VOID PhMwpOnServicesUpdated( _In_ ULONG RunId ) { PPH_PROVIDER_EVENT events; ULONG count; ULONG i; events = PhFlushProviderEventQueue(&PhMwpServiceEventQueue, RunId, &count); if (events) { TreeNew_SetRedraw(PhMwpServiceTreeNewHandle, FALSE); for (i = 0; i < count; i++) { PH_PROVIDER_EVENT_TYPE type = PH_PROVIDER_EVENT_TYPE(events[i]); PPH_SERVICE_ITEM serviceItem = PH_PROVIDER_EVENT_OBJECT(events[i]); switch (type) { case ProviderAddedEvent: PhMwpOnServiceAdded(serviceItem, events[i].RunId); break; case ProviderModifiedEvent: PhMwpOnServiceModified((PPH_SERVICE_MODIFIED_DATA)serviceItem, events[i].RunId); break; case ProviderRemovedEvent: PhMwpOnServiceRemoved(serviceItem); break; } } PhFree(events); } PhTickServiceNodes(); if (DriverFilterEntry || MicrosoftFilterEntry) PhApplyTreeNewFilters(PhGetFilterSupportServiceTreeList()); if (count != 0) TreeNew_SetRedraw(PhMwpServiceTreeNewHandle, TRUE); } ================================================ FILE: SystemInformer/netlist.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2015 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpNetworkNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpNetworkNodeHashtableHashFunction( _In_ PVOID Entry ); VOID PhpRemoveNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode, _In_opt_ PVOID Context ); _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpNetworkTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); BOOLEAN NTAPI PhpNetworkTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_opt_ PVOID Context ); VOID PhpUpdateNetworkItemProcessName( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ PPH_NETWORK_NODE NetworkNode ); VOID PhpUpdateNetworkItemProcessId( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ PPH_NETWORK_NODE NetworkNode ); static HWND NetworkTreeListHandle; static ULONG NetworkTreeListSortColumn; static PH_SORT_ORDER NetworkTreeListSortOrder; static PH_CM_MANAGER NetworkTreeListCm; static PPH_HASHTABLE NetworkNodeHashtable; // hashtable of all nodes static PPH_LIST NetworkNodeList; // list of all nodes static ULONG64 NextUniqueId = 0; BOOLEAN PhNetworkTreeListStateHighlighting = TRUE; static PPH_POINTER_LIST NetworkNodeStateList = NULL; // list of nodes which need to be processed static PH_TN_FILTER_SUPPORT FilterSupport; VOID PhNetworkTreeListInitialization( VOID ) { NetworkNodeHashtable = PhCreateHashtable( sizeof(PPH_NETWORK_NODE), PhpNetworkNodeHashtableEqualFunction, PhpNetworkNodeHashtableHashFunction, 100 ); NetworkNodeList = PhCreateList(100); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpNetworkNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_NETWORK_NODE networkNode1 = *(PPH_NETWORK_NODE *)Entry1; PPH_NETWORK_NODE networkNode2 = *(PPH_NETWORK_NODE *)Entry2; return networkNode1->NetworkItem == networkNode2->NetworkItem; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpNetworkNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashIntPtr((ULONG_PTR)(*(PPH_NETWORK_NODE *)Entry)->NetworkItem); } VOID PhInitializeNetworkTreeList( _In_ HWND TreeNewHandle ) { NetworkTreeListHandle = TreeNewHandle; PhSetControlTheme(NetworkTreeListHandle, L"explorer"); TreeNew_SetRedraw(TreeNewHandle, FALSE); TreeNew_SetCallback(TreeNewHandle, PhpNetworkTreeNewCallback, NULL); TreeNew_SetImageList(TreeNewHandle, PhProcessSmallImageList); // Default columns PhAddTreeNewColumn(TreeNewHandle, PHNETLC_PROCESS, TRUE, L"Name", 100, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_PID, TRUE, L"PID", 50, PH_ALIGN_RIGHT, 1, DT_RIGHT); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_LOCALADDRESS, TRUE, L"Local address", 120, PH_ALIGN_LEFT, 2, 0); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_LOCALPORT, TRUE, L"Local port", 50, PH_ALIGN_RIGHT, 3, DT_RIGHT); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_REMOTEADDRESS, TRUE, L"Remote address", 120, PH_ALIGN_LEFT, 4, 0); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_REMOTEPORT, TRUE, L"Remote port", 50, PH_ALIGN_RIGHT, 5, DT_RIGHT); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_PROTOCOL, TRUE, L"Protocol", 45, PH_ALIGN_LEFT, 6, 0); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_STATE, TRUE, L"State", 70, PH_ALIGN_LEFT, 7, 0); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_OWNER, TRUE, L"Owner", 80, PH_ALIGN_LEFT, 8, 0); PhAddTreeNewColumnEx(TreeNewHandle, PHNETLC_TIMESTAMP, FALSE, L"Time stamp", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_LOCALHOSTNAME, FALSE, L"Local hostname", 120, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_REMOTEHOSTNAME, FALSE, L"Remote hostname", 120, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PHNETLC_TIMELINE, FALSE, L"Timeline", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumn(TreeNewHandle, PHNETLC_HV_SERVICE, FALSE, L"Hyper-V service", 120, PH_ALIGN_LEFT, ULONG_MAX, 0); PhCmInitializeManager(&NetworkTreeListCm, TreeNewHandle, PHNETLC_MAXIMUM, PhpNetworkTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&FilterSupport, TreeNewHandle, NetworkNodeList); TreeNew_SetTriState(TreeNewHandle, TRUE); TreeNew_SetRedraw(TreeNewHandle, TRUE); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = TreeNewHandle; treeNewInfo.CmData = &NetworkTreeListCm; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackNetworkTreeNewInitializing), &treeNewInfo); } } VOID PhLoadSettingsNetworkTreeUpdateMask( VOID ) { PH_TREENEW_COLUMN column; BOOLEAN current; current = BooleanFlagOn(PhNetworkProviderFlagsMask, PH_NETWORK_PROVIDER_FLAG_HOSTNAME); if ( (TreeNew_GetColumn(NetworkTreeListHandle, PHNETLC_LOCALHOSTNAME, &column) && column.Visible) || (TreeNew_GetColumn(NetworkTreeListHandle, PHNETLC_REMOTEHOSTNAME, &column) && column.Visible) ) { SetFlag(PhNetworkProviderFlagsMask, PH_NETWORK_PROVIDER_FLAG_HOSTNAME); } else { ClearFlag(PhNetworkProviderFlagsMask, PH_NETWORK_PROVIDER_FLAG_HOSTNAME); } if (NextUniqueId != 0 && current != BooleanFlagOn(PhNetworkProviderFlagsMask, PH_NETWORK_PROVIDER_FLAG_HOSTNAME)) { PhInvalidateAllNetworkNodesHostnames(); } } VOID PhLoadSettingsNetworkTreeList( VOID ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhGetStringSetting(SETTING_NETWORK_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_NETWORK_TREE_LIST_SORT); PhCmLoadSettingsEx(NetworkTreeListHandle, &NetworkTreeListCm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); if (PhGetIntegerSetting(SETTING_ENABLE_INSTANT_TOOLTIPS)) SendMessage(TreeNew_GetTooltips(NetworkTreeListHandle), TTM_SETDELAYTIME, TTDT_INITIAL, 0); else SendMessage(TreeNew_GetTooltips(NetworkTreeListHandle), TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); PhLoadSettingsNetworkTreeUpdateMask(); } VOID PhSaveSettingsNetworkTreeList( VOID ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(NetworkTreeListHandle, &NetworkTreeListCm, 0, &sortSettings); PhSetStringSetting2(SETTING_NETWORK_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_NETWORK_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhReloadSettingsNetworkTreeList( VOID ) { if (PhGetIntegerSetting(SETTING_ENABLE_INSTANT_TOOLTIPS)) SendMessage(TreeNew_GetTooltips(NetworkTreeListHandle), TTM_SETDELAYTIME, TTDT_INITIAL, 0); else SendMessage(TreeNew_GetTooltips(NetworkTreeListHandle), TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); PhLoadSettingsNetworkTreeUpdateMask(); } PPH_TN_FILTER_SUPPORT PhGetFilterSupportNetworkTreeList( VOID ) { return &FilterSupport; } PPH_NETWORK_NODE PhAddNetworkNode( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ ULONG RunId ) { PPH_NETWORK_NODE networkNode; networkNode = PhAllocate(PhEmGetObjectSize(EmNetworkNodeType, sizeof(PH_NETWORK_NODE))); memset(networkNode, 0, sizeof(PH_NETWORK_NODE)); PhInitializeTreeNewNode(&networkNode->Node); if (PhNetworkTreeListStateHighlighting && RunId != 1) { PhChangeShStateTn( &networkNode->Node, &networkNode->ShState, &NetworkNodeStateList, NewItemState, PhCsColorNew, NULL ); } networkNode->NetworkItem = NetworkItem; PhReferenceObject(NetworkItem); networkNode->UniqueId = ++NextUniqueId; // used to stabilize sorting memset(networkNode->TextCache, 0, sizeof(PH_STRINGREF) * PHNETLC_MAXIMUM); networkNode->Node.TextCache = networkNode->TextCache; networkNode->Node.TextCacheSize = PHNETLC_MAXIMUM; PhpUpdateNetworkItemProcessName(NetworkItem, networkNode); PhpUpdateNetworkItemProcessId(NetworkItem, networkNode); PhAddEntryHashtable(NetworkNodeHashtable, &networkNode); PhAddItemList(NetworkNodeList, networkNode); if (FilterSupport.NodeList) networkNode->Node.Visible = PhApplyTreeNewFiltersToNode(&FilterSupport, &networkNode->Node); PhEmCallObjectOperation(EmNetworkNodeType, networkNode, EmObjectCreate); TreeNew_NodesStructured(NetworkTreeListHandle); return networkNode; } PPH_NETWORK_NODE PhFindNetworkNode( _In_ PPH_NETWORK_ITEM NetworkItem ) { PH_NETWORK_NODE lookupNetworkNode; PPH_NETWORK_NODE lookupNetworkNodePtr = &lookupNetworkNode; PPH_NETWORK_NODE *networkNode; lookupNetworkNode.NetworkItem = NetworkItem; networkNode = (PPH_NETWORK_NODE *)PhFindEntryHashtable( NetworkNodeHashtable, &lookupNetworkNodePtr ); if (networkNode) return *networkNode; else return NULL; } VOID PhRemoveNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode ) { // Remove from the hashtable here to avoid problems in case the key is re-used. PhRemoveEntryHashtable(NetworkNodeHashtable, &NetworkNode); if (PhNetworkTreeListStateHighlighting) { PhChangeShStateTn( &NetworkNode->Node, &NetworkNode->ShState, &NetworkNodeStateList, RemovingItemState, PhCsColorRemoved, NetworkTreeListHandle ); } else { PhpRemoveNetworkNode(NetworkNode, NULL); } } VOID PhpRemoveNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode, _In_opt_ PVOID Context ) { ULONG index; PhEmCallObjectOperation(EmNetworkNodeType, NetworkNode, EmObjectDelete); // Remove from list and cleanup. if ((index = PhFindItemList(NetworkNodeList, NetworkNode)) != ULONG_MAX) PhRemoveItemList(NetworkNodeList, index); if (NetworkNode->ProcessNameText) PhDereferenceObject(NetworkNode->ProcessNameText); if (NetworkNode->TimeStampText) PhDereferenceObject(NetworkNode->TimeStampText); if (NetworkNode->TooltipText) PhDereferenceObject(NetworkNode->TooltipText); PhDereferenceObject(NetworkNode->NetworkItem); PhFree(NetworkNode); TreeNew_NodesStructured(NetworkTreeListHandle); } VOID PhUpdateNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode ) { memset(NetworkNode->TextCache, 0, sizeof(PH_STRINGREF) * PHNETLC_MAXIMUM); PhClearReference(&NetworkNode->TooltipText); PhInvalidateTreeNewNode(&NetworkNode->Node, TN_CACHE_ICON); TreeNew_InvalidateNode(NetworkTreeListHandle, &NetworkNode->Node); } VOID PhTickNetworkNodes( VOID ) { if (NetworkTreeListSortOrder != NoSortOrder) { // Sorting is on, but it's not one of our columns. Force a rebuild. (If it was one of our // columns, the restructure would have been handled in PhUpdateNetworkNode.) TreeNew_NodesStructured(NetworkTreeListHandle); } PH_TICK_SH_STATE_TN(PH_NETWORK_NODE, ShState, NetworkNodeStateList, PhpRemoveNetworkNode, PhCsHighlightingDuration, NetworkTreeListHandle, TRUE, NULL, NULL); } #define SORT_FUNCTION(Column) PhpNetworkTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpNetworkTreeNewCompare##Column( \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_NETWORK_NODE node1 = *(PPH_NETWORK_NODE *)_elem1; \ PPH_NETWORK_NODE node2 = *(PPH_NETWORK_NODE *)_elem2; \ PPH_NETWORK_ITEM networkItem1 = node1->NetworkItem; \ PPH_NETWORK_ITEM networkItem2 = node2->NetworkItem; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uint64cmp(node1->UniqueId, node2->UniqueId); \ \ return PhModifySort(sortResult, NetworkTreeListSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpNetworkTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uint64cmp(((PPH_NETWORK_NODE)Node1)->UniqueId, ((PPH_NETWORK_NODE)Node2)->UniqueId); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(Process) { sortResult = PhCompareString(node1->ProcessNameText, node2->ProcessNameText, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Pid) { sortResult = intptrcmp((LONG_PTR)networkItem1->ProcessId, (LONG_PTR)networkItem2->ProcessId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LocalAddress) { SOCKADDR_IN6 localAddress1; SOCKADDR_IN6 localAddress2; SCOPE_ID scopeId1; SCOPE_ID scopeId2; memset(&localAddress1, 0, sizeof(SOCKADDR_IN6)); // memset for zero padding (dmex) memset(&localAddress2, 0, sizeof(SOCKADDR_IN6)); if (networkItem1->LocalEndpoint.Address.Type == PH_NETWORK_TYPE_IPV4) { localAddress1.sin6_family = AF_INET6; IN6_SET_ADDR_V4COMPAT(&localAddress1.sin6_addr, &networkItem1->LocalEndpoint.Address.InAddr); IN4_UNCANONICALIZE_SCOPE_ID(&networkItem1->LocalEndpoint.Address.InAddr, &localAddress1.sin6_scope_struct); //IN6ADDR_SETV4MAPPED(&localAddress1, &networkItem1->LocalEndpoint.Address.InAddr, (SCOPE_ID)SCOPEID_UNSPECIFIED_INIT, 0); } else if (networkItem1->LocalEndpoint.Address.Type == PH_NETWORK_TYPE_IPV6) { scopeId1.Value = networkItem1->LocalScopeId; IN6ADDR_SETSOCKADDR(&localAddress1, &networkItem1->LocalEndpoint.Address.In6Addr, scopeId1, 0); } if (networkItem2->LocalEndpoint.Address.Type == PH_NETWORK_TYPE_IPV4) { localAddress2.sin6_family = AF_INET6; IN6_SET_ADDR_V4COMPAT(&localAddress2.sin6_addr, &networkItem2->LocalEndpoint.Address.InAddr); IN4_UNCANONICALIZE_SCOPE_ID(&networkItem2->LocalEndpoint.Address.InAddr, &localAddress2.sin6_scope_struct); //IN6ADDR_SETV4MAPPED(&localAddress2, &networkItem2->LocalEndpoint.Address.InAddr, (SCOPE_ID)SCOPEID_UNSPECIFIED_INIT, 0); } else if (networkItem2->LocalEndpoint.Address.Type == PH_NETWORK_TYPE_IPV6) { scopeId2.Value = networkItem2->LocalScopeId; IN6ADDR_SETSOCKADDR(&localAddress2, &networkItem2->LocalEndpoint.Address.In6Addr, scopeId2, 0); } sortResult = memcmp(&localAddress1, &localAddress2, sizeof(SOCKADDR_IN6)); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LocalHostname) { sortResult = PhCompareStringWithNullSortOrder(networkItem1->LocalHostString, networkItem2->LocalHostString, NetworkTreeListSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LocalPort) { sortResult = uintcmp(networkItem1->LocalEndpoint.Port, networkItem2->LocalEndpoint.Port); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(RemoteAddress) { SOCKADDR_IN6 remoteAddress1; SOCKADDR_IN6 remoteAddress2; SCOPE_ID scopeId1; SCOPE_ID scopeId2; memset(&remoteAddress1, 0, sizeof(SOCKADDR_IN6)); // memset for zero padding (dmex) memset(&remoteAddress2, 0, sizeof(SOCKADDR_IN6)); if (networkItem1->RemoteEndpoint.Address.Type == PH_NETWORK_TYPE_IPV4) { remoteAddress1.sin6_family = AF_INET6; IN6_SET_ADDR_V4COMPAT(&remoteAddress1.sin6_addr, &networkItem1->RemoteEndpoint.Address.InAddr); IN4_UNCANONICALIZE_SCOPE_ID(&networkItem1->RemoteEndpoint.Address.InAddr, &remoteAddress1.sin6_scope_struct); //IN6ADDR_SETV4MAPPED(&remoteAddress1, &networkItem1->RemoteEndpoint.Address.InAddr, (SCOPE_ID)SCOPEID_UNSPECIFIED_INIT, 0); } else if (networkItem1->RemoteEndpoint.Address.Type == PH_NETWORK_TYPE_IPV6) { scopeId1.Value = networkItem1->RemoteScopeId; IN6ADDR_SETSOCKADDR(&remoteAddress1, &networkItem1->RemoteEndpoint.Address.In6Addr, scopeId1, 0); } if (networkItem2->RemoteEndpoint.Address.Type == PH_NETWORK_TYPE_IPV4) { remoteAddress2.sin6_family = AF_INET6; IN6_SET_ADDR_V4COMPAT(&remoteAddress2.sin6_addr, &networkItem2->RemoteEndpoint.Address.InAddr); IN4_UNCANONICALIZE_SCOPE_ID(&networkItem2->RemoteEndpoint.Address.InAddr, &remoteAddress2.sin6_scope_struct); //IN6ADDR_SETV4MAPPED(&remoteAddress2, &networkItem2->RemoteEndpoint.Address.InAddr, (SCOPE_ID)SCOPEID_UNSPECIFIED_INIT, 0); } else if (networkItem2->RemoteEndpoint.Address.Type == PH_NETWORK_TYPE_IPV6) { scopeId2.Value = networkItem2->RemoteScopeId; IN6ADDR_SETSOCKADDR(&remoteAddress2, &networkItem2->RemoteEndpoint.Address.In6Addr, scopeId2, 0); } sortResult = memcmp(&remoteAddress1, &remoteAddress2, sizeof(SOCKADDR_IN6)); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(RemoteHostname) { sortResult = PhCompareStringWithNullSortOrder(networkItem1->RemoteHostString, networkItem2->RemoteHostString, NetworkTreeListSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(RemotePort) { sortResult = uintcmp(networkItem1->RemoteEndpoint.Port, networkItem2->RemoteEndpoint.Port); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Protocol) { sortResult = uintcmp(networkItem1->ProtocolType, networkItem2->ProtocolType); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(State) { sortResult = uintcmp(networkItem1->State, networkItem2->State); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Owner) { sortResult = PhCompareStringWithNullSortOrder(networkItem1->OwnerName, networkItem2->OwnerName, NetworkTreeListSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TimeStamp) { sortResult = uint64cmp(networkItem1->CreateTime.QuadPart, networkItem2->CreateTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(HvService) { sortResult = PhCompareStringWithNullSortOrder(networkItem1->HvService, networkItem2->HvService, NetworkTreeListSortOrder, TRUE); } END_SORT_FUNCTION BOOLEAN NTAPI PhpNetworkTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_opt_ PVOID Context ) { PPH_NETWORK_NODE node; if (PhCmForwardMessage(WindowHandle, Message, Parameter1, Parameter2, &NetworkTreeListCm)) return TRUE; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; if (!getChildren->Node) { static _CoreCrtNonSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Process), SORT_FUNCTION(Pid), SORT_FUNCTION(LocalAddress), SORT_FUNCTION(LocalPort), SORT_FUNCTION(RemoteAddress), SORT_FUNCTION(RemotePort), SORT_FUNCTION(Protocol), SORT_FUNCTION(State), SORT_FUNCTION(Owner), SORT_FUNCTION(TimeStamp), SORT_FUNCTION(LocalHostname), SORT_FUNCTION(RemoteHostname), SORT_FUNCTION(TimeStamp), SORT_FUNCTION(HvService), }; _CoreCrtNonSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PHNETLC_MAXIMUM, "SortFunctions must equal maximum."); if (!PhCmForwardSort( (PPH_TREENEW_NODE *)NetworkNodeList->Items, NetworkNodeList->Count, NetworkTreeListSortColumn, NetworkTreeListSortOrder, &NetworkTreeListCm )) { if (NetworkTreeListSortColumn < PHNETLC_MAXIMUM) sortFunction = sortFunctions[NetworkTreeListSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort(NetworkNodeList->Items, NetworkNodeList->Count, sizeof(PVOID), sortFunction); } } getChildren->Children = (PPH_TREENEW_NODE *)NetworkNodeList->Items; getChildren->NumberOfChildren = NetworkNodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PPH_NETWORK_ITEM networkItem; node = (PPH_NETWORK_NODE)getCellText->Node; networkItem = node->NetworkItem; switch (getCellText->Id) { case PHNETLC_PROCESS: { getCellText->Text = PhGetStringRef(node->ProcessNameText); } break; case PHNETLC_PID: { PhInitializeStringRefLongHint(&getCellText->Text, node->ProcessIdString); } break; case PHNETLC_LOCALADDRESS: { getCellText->Text = PhGetStringRef(networkItem->LocalAddressString); } break; case PHNETLC_LOCALHOSTNAME: { if (networkItem->LocalHostnameResolved) getCellText->Text = PhGetStringRef(networkItem->LocalHostString); else PhInitializeStringRef(&getCellText->Text, L"Resolving...."); } break; case PHNETLC_LOCALPORT: { PhInitializeStringRefLongHint(&getCellText->Text, networkItem->LocalPortString); } break; case PHNETLC_REMOTEADDRESS: { getCellText->Text = PhGetStringRef(networkItem->RemoteAddressString); } break; case PHNETLC_REMOTEHOSTNAME: { if (networkItem->RemoteHostnameResolved) getCellText->Text = PhGetStringRef(networkItem->RemoteHostString); else PhInitializeStringRef(&getCellText->Text, L"Resolving...."); } break; case PHNETLC_REMOTEPORT: { PhInitializeStringRefLongHint(&getCellText->Text, networkItem->RemotePortString); } break; case PHNETLC_PROTOCOL: { PCPH_STRINGREF protocolType; if (protocolType = PhGetProtocolTypeName(networkItem->ProtocolType)) { getCellText->Text.Buffer = protocolType->Buffer; getCellText->Text.Length = protocolType->Length; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHNETLC_STATE: { if (FlagOn(networkItem->ProtocolType, PH_PROTOCOL_TYPE_TCP)) { PCPH_STRINGREF stateName; if (stateName = PhGetTcpStateName(networkItem->State)) { getCellText->Text.Buffer = stateName->Buffer; getCellText->Text.Length = stateName->Length; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } else if (networkItem->ProtocolType == PH_NETWORK_PROTOCOL_HYPERV) { if (networkItem->State) { PhInitializeStringRef(&getCellText->Text, L"Connected"); } else { PhInitializeStringRef(&getCellText->Text, L"Listen"); } } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHNETLC_OWNER: getCellText->Text = PhGetStringRef(networkItem->OwnerName); break; case PHNETLC_TIMESTAMP: { SYSTEMTIME systemTime; if (networkItem->CreateTime.QuadPart != 0) { PhLargeIntegerToLocalSystemTime(&systemTime, &networkItem->CreateTime); PhMoveReference(&node->TimeStampText, PhFormatDateTime(&systemTime)); getCellText->Text = node->TimeStampText->sr; } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PHNETLC_HV_SERVICE: getCellText->Text = PhGetStringRef(networkItem->HvService); break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeIcon: { PPH_TREENEW_GET_NODE_ICON getNodeIcon = Parameter1; node = (PPH_NETWORK_NODE)getNodeIcon->Node; getNodeIcon->Icon = (HICON)(ULONG_PTR)node->NetworkItem->ProcessIconIndex; //getNodeIcon->Flags = TN_CACHE; } return TRUE; case TreeNewGetCellTooltip: { PPH_TREENEW_GET_CELL_TOOLTIP getCellTooltip = Parameter1; PPH_PROCESS_ITEM processItem; node = (PPH_NETWORK_NODE)getCellTooltip->Node; if (getCellTooltip->Column->Id != 0) return FALSE; if (!node->TooltipText) { if (processItem = PhReferenceProcessItem(node->NetworkItem->ProcessId)) { node->TooltipText = PhGetProcessTooltipText(processItem, NULL); PhDereferenceObject(processItem); } } if (!PhIsNullOrEmptyString(node->TooltipText)) { getCellTooltip->Text = PhGetStringRef(node->TooltipText); getCellTooltip->Unfolding = FALSE; getCellTooltip->MaximumWidth = ULONG_MAX; } else { return FALSE; } } return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; PPH_NETWORK_ITEM networkItem; RECT rect; node = (PPH_NETWORK_NODE)customDraw->Node; networkItem = node->NetworkItem; rect = customDraw->CellRect; if (rect.right - rect.left <= 1) break; // nothing to draw switch (customDraw->Column->Id) { case PHNETLC_TIMELINE: { if (networkItem->CreateTime.QuadPart == 0) break; // nothing to draw PhCustomDrawTreeTimeLine( customDraw->Dc, &customDraw->CellRect, PhEnableThemeSupport ? PH_DRAW_TIMELINE_DARKTHEME : 0, NULL, &networkItem->CreateTime ); } break; } } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; NetworkTreeListSortColumn = sorting->SortColumn; NetworkTreeListSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(PhMainWndHandle, WM_COMMAND, ID_NETWORK_COPY, 0); break; case VK_RETURN: SendMessage(PhMainWndHandle, WM_COMMAND, ID_NETWORK_GOTOPROCESS, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; memset(&data, 0, sizeof(PH_TN_COLUMN_MENU_DATA)); data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = PHNETLC_PROCESS; data.DefaultSortOrder = AscendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu( data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y ); PhHandleTreeNewColumnMenu(&data); if (data.Selection) { if (data.Selection->Id == PH_TN_COLUMN_MENU_HIDE_COLUMN_ID || data.Selection->Id == PH_TN_COLUMN_MENU_CHOOSE_COLUMNS_ID) { // TODO: Reset flags for enabled/disabled columns. (dmex) PhReloadSettingsNetworkTreeList(); } } PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(PhMainWndHandle, WM_COMMAND, ID_NETWORK_GOTOPROCESS, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; PhShowNetworkContextMenu(contextMenu); } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; node = (PPH_NETWORK_NODE)getNodeColor->Node; if (!node->NetworkItem) { NOTHING; } else if (!node->NetworkItem->ProcessId) { NOTHING; } else if (PhCsUseColorPacked && node->NetworkItem->UnknownProcess) { getNodeColor->BackColor = PhCsColorPacked; } else if (PhCsUseColorPicoProcesses && node->NetworkItem->SubsystemProcess) { getNodeColor->BackColor = PhCsColorPicoProcesses; } getNodeColor->Flags |= TN_AUTO_FORECOLOR; } return TRUE; } return FALSE; } VOID PhpUpdateNetworkItemProcessName( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ PPH_NETWORK_NODE NetworkNode ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static CONST PH_STRINGREF processNameUnknown = PH_STRINGREF_INIT(L"Unknown process"); static CONST PH_STRINGREF processNameWaiting = PH_STRINGREF_INIT(L"Waiting connections"); static PPH_STRING cachedNameUnknown = NULL; static PPH_STRING cachedNameWaiting = NULL; if (PhBeginInitOnce(&initOnce)) { cachedNameUnknown = PhCreateString2(&processNameUnknown); cachedNameWaiting = PhCreateString2(&processNameWaiting); PhEndInitOnce(&initOnce); } if (NetworkItem->ProcessId) { if (NetworkItem->ProcessName) PhSetReference(&NetworkNode->ProcessNameText, NetworkItem->ProcessName); else PhSetReference(&NetworkNode->ProcessNameText, cachedNameUnknown); } else { PhSetReference(&NetworkNode->ProcessNameText, cachedNameWaiting); } } VOID PhpUpdateNetworkItemProcessId( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ PPH_NETWORK_NODE NetworkNode ) { if (NetworkItem->ProcessId) { if (NetworkItem->ProcessItem) { memcpy( NetworkNode->ProcessIdString, NetworkItem->ProcessItem->ProcessIdString, sizeof(NetworkNode->ProcessIdString) ); } else { PhPrintUInt32(NetworkNode->ProcessIdString, HandleToUlong(NetworkItem->ProcessId)); } } else { PhPrintUInt32(NetworkNode->ProcessIdString, HandleToUlong(SYSTEM_PROCESS_ID)); } } PPH_NETWORK_ITEM PhGetSelectedNetworkItem( VOID ) { PPH_NETWORK_ITEM networkItem = NULL; ULONG i; for (i = 0; i < NetworkNodeList->Count; i++) { PPH_NETWORK_NODE node = NetworkNodeList->Items[i]; if (node->Node.Selected) { networkItem = node->NetworkItem; break; } } return networkItem; } VOID PhGetSelectedNetworkItems( _Out_ PPH_NETWORK_ITEM **NetworkItems, _Out_ PULONG NumberOfNetworkItems ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < NetworkNodeList->Count; i++) { PPH_NETWORK_NODE node = NetworkNodeList->Items[i]; if (node->Node.Selected) PhAddItemArray(&array, &node->NetworkItem); } *NumberOfNetworkItems = (ULONG)PhFinalArrayCount(&array); *NetworkItems = PhFinalArrayItems(&array); } VOID PhDeselectAllNetworkNodes( VOID ) { TreeNew_DeselectRange(NetworkTreeListHandle, 0, -1); } BOOLEAN PhSelectAndEnsureVisibleNetworkNode( _In_ PPH_NETWORK_NODE NetworkNode ) { PhDeselectAllNetworkNodes(); if (NetworkNode->Node.Visible) { TreeNew_FocusMarkSelectNode(NetworkTreeListHandle, &NetworkNode->Node); return TRUE; } else { PhShowInformation2( PhMainWndHandle, L"Unable to perform the operation.", L"%s", L"This node cannot be displayed because it is currently hidden by your active filter settings or preferences." ); return FALSE; } } VOID PhInvalidateAllNetworkNodes( VOID ) { for (ULONG i = 0; i < NetworkNodeList->Count; i++) { PPH_NETWORK_NODE node = NetworkNodeList->Items[i]; memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PHNETLC_MAXIMUM); PhInvalidateTreeNewNode(&node->Node, TN_CACHE_COLOR); } InvalidateRect(NetworkTreeListHandle, NULL, FALSE); } VOID PhInvalidateAllNetworkNodesHostnames( VOID ) { PhFlushNetworkItemResolveCache(); for (ULONG i = 0; i < NetworkNodeList->Count; i++) { PPH_NETWORK_NODE node = NetworkNodeList->Items[i]; node->NetworkItem->InvalidateHostname = TRUE; memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PHNETLC_MAXIMUM); PhInvalidateTreeNewNode(&node->Node, TN_CACHE_COLOR); } //PPH_NETWORK_ITEM* networkItems; //ULONG numberOfNetworkItems; // //PhEnumNetworkItems(&networkItems, &numberOfNetworkItems); // //for (ULONG j = 0; j < numberOfNetworkItems; j++) //{ // PPH_NETWORK_ITEM networkItem = networkItems[j]; // // networkItem->InvalidateHostname = TRUE; //} // //PhDereferenceObjects(networkItems, numberOfNetworkItems); //PhFree(networkItems); } VOID PhCopyNetworkList( VOID ) { PPH_STRING text; text = PhGetTreeNewText(NetworkTreeListHandle, 0); PhSetClipboardString(NetworkTreeListHandle, &text->sr); PhDereferenceObject(text); } VOID PhWriteNetworkList( _Inout_ PPH_FILE_STREAM FileStream, _In_ ULONG Mode ) { PPH_LIST lines; ULONG i; lines = PhGetGenericTreeNewLines(NetworkTreeListHandle, Mode); for (i = 0; i < lines->Count; i++) { PPH_STRING line; line = lines->Items[i]; PhWriteStringAsUtf8FileStream(FileStream, &line->sr); PhDereferenceObject(line); PhWriteStringAsUtf8FileStream2(FileStream, L"\r\n"); } PhDereferenceObject(lines); } PPH_LIST PhDuplicateNetworkNodeList( VOID ) { PPH_LIST newList; newList = PhCreateList(NetworkNodeList->Count); PhInsertItemsList(newList, 0, NetworkNodeList->Items, NetworkNodeList->Count); return newList; } ================================================ FILE: SystemInformer/netprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * evilpie 2010 * dmex 2016-2023 * */ #include #include #include #include #include #include #include #include #include #include #include typedef struct _PH_NETWORK_CONNECTION { ULONG ProtocolType; PH_IP_ENDPOINT LocalEndpoint; PH_IP_ENDPOINT RemoteEndpoint; MIB_TCP_STATE State; HANDLE ProcessId; LARGE_INTEGER CreateTime; ULONGLONG OwnerInfo[PH_NETWORK_OWNER_INFO_SIZE]; ULONG LocalScopeId; // Ipv6 ULONG RemoteScopeId; // Ipv6 } PH_NETWORK_CONNECTION, *PPH_NETWORK_CONNECTION; typedef struct _PH_NETWORK_ITEM_QUERY_DATA { SLIST_ENTRY ListEntry; PPH_NETWORK_ITEM NetworkItem; PH_IP_ADDRESS Address; BOOLEAN Remote; PPH_STRING HostString; } PH_NETWORK_ITEM_QUERY_DATA, *PPH_NETWORK_ITEM_QUERY_DATA; typedef struct _PHP_RESOLVE_CACHE_ITEM { PH_IP_ADDRESS Address; PPH_STRING HostString; } PHP_RESOLVE_CACHE_ITEM, *PPHP_RESOLVE_CACHE_ITEM; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpNetworkItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpNetworkHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpNetworkHashtableHashFunction( _In_ PVOID Entry ); _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpResolveCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpResolveCacheHashtableHashFunction( _In_ PVOID Entry ); BOOLEAN PhGetNetworkConnections( _Out_ PPH_NETWORK_CONNECTION *Connections, _Out_ PULONG NumberOfConnections ); PPH_OBJECT_TYPE PhNetworkItemType = NULL; PPH_HASHTABLE PhNetworkHashtable = NULL; PH_QUEUED_LOCK PhNetworkHashtableLock = PH_QUEUED_LOCK_INIT; PH_INITONCE PhNetworkProviderWorkQueueInitOnce = PH_INITONCE_INIT; PH_WORK_QUEUE PhNetworkProviderWorkQueue; SLIST_HEADER PhNetworkItemQueryListHead; BOOLEAN PhEnableNetworkProviderResolve = TRUE; BOOLEAN PhEnableNetworkBoundConnections = TRUE; ULONG PhNetworkProviderFlagsMask = 0; static PPH_HASHTABLE PhpResolveCacheHashtable = NULL; static PH_QUEUED_LOCK PhpResolveCacheHashtableLock = PH_QUEUED_LOCK_INIT; static BOOLEAN NetworkImportDone = FALSE; static _GetExtendedTcpTable GetExtendedTcpTable_I = NULL; static _GetExtendedUdpTable GetExtendedUdpTable_I = NULL; static _InternalGetBoundTcpEndpointTable GetBoundTcpEndpointTable_I = NULL; static _InternalGetBoundTcp6EndpointTable GetBoundTcp6EndpointTable_I = NULL; BOOLEAN PhNetworkProviderInitialization( VOID ) { PhNetworkItemType = PhCreateObjectType(L"NetworkItem", 0, PhpNetworkItemDeleteProcedure); PhNetworkHashtable = PhCreateHashtable( sizeof(PPH_NETWORK_ITEM), PhpNetworkHashtableEqualFunction, PhpNetworkHashtableHashFunction, 40 ); PhInitializeSListHead(&PhNetworkItemQueryListHead); PhpResolveCacheHashtable = PhCreateHashtable( sizeof(PPHP_RESOLVE_CACHE_ITEM), PhpResolveCacheHashtableEqualFunction, PhpResolveCacheHashtableHashFunction, 20 ); return TRUE; } PPH_NETWORK_ITEM PhCreateNetworkItem( VOID ) { PPH_NETWORK_ITEM networkItem; networkItem = PhCreateObject( PhEmGetObjectSize(EmNetworkItemType, sizeof(PH_NETWORK_ITEM)), PhNetworkItemType ); memset(networkItem, 0, sizeof(PH_NETWORK_ITEM)); PhEmCallObjectOperation(EmNetworkItemType, networkItem, EmObjectCreate); return networkItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpNetworkItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_NETWORK_ITEM networkItem = (PPH_NETWORK_ITEM)Object; PhEmCallObjectOperation(EmNetworkItemType, networkItem, EmObjectDelete); if (networkItem->LocalAddressString) PhDereferenceObject(networkItem->LocalAddressString); if (networkItem->RemoteAddressString) PhDereferenceObject(networkItem->RemoteAddressString); if (networkItem->ProcessName) PhDereferenceObject(networkItem->ProcessName); if (networkItem->OwnerName) PhDereferenceObject(networkItem->OwnerName); if (networkItem->LocalHostString) PhDereferenceObject(networkItem->LocalHostString); if (networkItem->RemoteHostString) PhDereferenceObject(networkItem->RemoteHostString); if (networkItem->HvService) PhDereferenceObject(networkItem->HvService); // NOTE: Dereferencing the ProcessItem will destroy the NetworkItem->ProcessIcon handle. if (networkItem->ProcessItem) PhDereferenceObject(networkItem->ProcessItem); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpNetworkHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_NETWORK_ITEM networkItem1 = *(PPH_NETWORK_ITEM *)Entry1; PPH_NETWORK_ITEM networkItem2 = *(PPH_NETWORK_ITEM *)Entry2; return networkItem1->ProtocolType == networkItem2->ProtocolType && PhEqualIpEndpoint(&networkItem1->LocalEndpoint, &networkItem2->LocalEndpoint) && PhEqualIpEndpoint(&networkItem1->RemoteEndpoint, &networkItem2->RemoteEndpoint) && networkItem1->ProcessId == networkItem2->ProcessId; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpNetworkHashtableHashFunction( _In_ PVOID Entry ) { PPH_NETWORK_ITEM networkItem = *(PPH_NETWORK_ITEM *)Entry; return networkItem->ProtocolType ^ PhHashIpEndpoint(&networkItem->LocalEndpoint) ^ PhHashIpEndpoint(&networkItem->RemoteEndpoint) ^ (HandleToUlong(networkItem->ProcessId) / 4); } PPH_NETWORK_ITEM PhReferenceNetworkItem( _In_ ULONG ProtocolType, _In_ PPH_IP_ENDPOINT LocalEndpoint, _In_ PPH_IP_ENDPOINT RemoteEndpoint, _In_ HANDLE ProcessId ) { PH_NETWORK_ITEM lookupNetworkItem; PPH_NETWORK_ITEM lookupNetworkItemPtr = &lookupNetworkItem; PPH_NETWORK_ITEM *networkItemPtr; PPH_NETWORK_ITEM networkItem; lookupNetworkItem.ProtocolType = ProtocolType; lookupNetworkItem.LocalEndpoint = *LocalEndpoint; lookupNetworkItem.RemoteEndpoint = *RemoteEndpoint; lookupNetworkItem.ProcessId = ProcessId; PhAcquireQueuedLockShared(&PhNetworkHashtableLock); networkItemPtr = (PPH_NETWORK_ITEM *)PhFindEntryHashtable( PhNetworkHashtable, &lookupNetworkItemPtr ); if (networkItemPtr) { networkItem = *networkItemPtr; PhReferenceObject(networkItem); } else { networkItem = NULL; } PhReleaseQueuedLockShared(&PhNetworkHashtableLock); return networkItem; } /** * Enumerates the network items. * * \param NetworkItems A variable which receives an array of pointers to network items. You must * free the buffer with PhFree() when you no longer need it. * \param NumberOfNetworkItems A variable which receives the number of network items returned in * \a ProcessItems. */ VOID PhEnumNetworkItems( _Out_opt_ PPH_NETWORK_ITEM **NetworkItems, _Out_ PULONG NumberOfNetworkItems ) { PPH_NETWORK_ITEM* networkItems; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_NETWORK_ITEM* networkItem; ULONG numberOfNetworkItems; ULONG count = 0; PhAcquireQueuedLockShared(&PhNetworkHashtableLock); PhBeginEnumHashtable(PhNetworkHashtable, &enumContext); while (networkItem = PhNextEnumHashtable(&enumContext)) { count++; } if (count == 0) { PhReleaseQueuedLockShared(&PhNetworkHashtableLock); if (NetworkItems) *NetworkItems = NULL; *NumberOfNetworkItems = count; return; } numberOfNetworkItems = count; networkItems = PhAllocate(sizeof(PPH_NETWORK_ITEM) * numberOfNetworkItems); count = 0; PhBeginEnumHashtable(PhNetworkHashtable, &enumContext); while (networkItem = PhNextEnumHashtable(&enumContext)) { PhReferenceObject((*networkItem)); networkItems[count++] = (*networkItem); } PhReleaseQueuedLockShared(&PhNetworkHashtableLock); *NetworkItems = networkItems; *NumberOfNetworkItems = numberOfNetworkItems; } VOID PhEnumNetworkItemsByProcessId( _In_opt_ HANDLE ProcessId, _Out_opt_ PPH_NETWORK_ITEM** NetworkItems, _Out_ PULONG NumberOfNetworkItems ) { PPH_NETWORK_ITEM* networkItems; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_NETWORK_ITEM* networkItem; ULONG numberOfNetworkItems; ULONG count = 0; PhAcquireQueuedLockShared(&PhNetworkHashtableLock); PhBeginEnumHashtable(PhNetworkHashtable, &enumContext); while (networkItem = PhNextEnumHashtable(&enumContext)) { if ((*networkItem)->ProcessId == ProcessId) { count++; } } if (count == 0) { PhReleaseQueuedLockShared(&PhNetworkHashtableLock); if (NetworkItems) *NetworkItems = NULL; *NumberOfNetworkItems = count; return; } numberOfNetworkItems = count; networkItems = PhAllocate(sizeof(PPH_NETWORK_ITEM) * numberOfNetworkItems); count = 0; PhBeginEnumHashtable(PhNetworkHashtable, &enumContext); while (networkItem = PhNextEnumHashtable(&enumContext)) { if ((*networkItem)->ProcessId == ProcessId) { PhReferenceObject((*networkItem)); networkItems[count++] = (*networkItem); } } PhReleaseQueuedLockShared(&PhNetworkHashtableLock); *NetworkItems = networkItems; *NumberOfNetworkItems = numberOfNetworkItems; } VOID PhpRemoveNetworkItem( _In_ PPH_NETWORK_ITEM NetworkItem ) { PhRemoveEntryHashtable(PhNetworkHashtable, &NetworkItem); PhDereferenceObject(NetworkItem); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpResolveCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPHP_RESOLVE_CACHE_ITEM cacheItem1 = *(PPHP_RESOLVE_CACHE_ITEM *)Entry1; PPHP_RESOLVE_CACHE_ITEM cacheItem2 = *(PPHP_RESOLVE_CACHE_ITEM *)Entry2; return PhEqualIpAddress(&cacheItem1->Address, &cacheItem2->Address); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpResolveCacheHashtableHashFunction( _In_ PVOID Entry ) { PPHP_RESOLVE_CACHE_ITEM cacheItem = *(PPHP_RESOLVE_CACHE_ITEM *)Entry; return PhHashIpAddress(&cacheItem->Address); } PPHP_RESOLVE_CACHE_ITEM PhpLookupResolveCacheItem( _In_ PPH_IP_ADDRESS Address ) { PHP_RESOLVE_CACHE_ITEM lookupCacheItem; PPHP_RESOLVE_CACHE_ITEM lookupCacheItemPtr = &lookupCacheItem; PPHP_RESOLVE_CACHE_ITEM *cacheItemPtr; // Construct a temporary cache item for the lookup. lookupCacheItem.Address = *Address; cacheItemPtr = (PPHP_RESOLVE_CACHE_ITEM *)PhFindEntryHashtable( PhpResolveCacheHashtable, &lookupCacheItemPtr ); if (cacheItemPtr) return *cacheItemPtr; else return NULL; } //PPH_STRING PhGetHostNameFromAddress( // _In_ PPH_IP_ADDRESS Address // ) //{ // SOCKADDR_IN ipv4Address; // SOCKADDR_IN6 ipv6Address; // PSOCKADDR address; // socklen_t length; // PPH_STRING hostName; // // if (Address->Type == PH_NETWORK_TYPE_IPV4) // { // ipv4Address.sin_family = AF_INET; // ipv4Address.sin_port = 0; // ipv4Address.sin_addr = Address->InAddr; // address = (PSOCKADDR)&ipv4Address; // length = sizeof(ipv4Address); // } // else if (Address->Type == PH_NETWORK_TYPE_IPV6) // { // ipv6Address.sin6_family = AF_INET6; // ipv6Address.sin6_port = 0; // ipv6Address.sin6_flowinfo = 0; // ipv6Address.sin6_addr = Address->In6Addr; // ipv6Address.sin6_scope_id = 0; // address = (PSOCKADDR)&ipv6Address; // length = sizeof(ipv6Address); // } // else // { // return NULL; // } // // hostName = PhCreateStringEx(NULL, 128); // // if (GetNameInfo( // address, // length, // hostName->Buffer, // (ULONG)hostName->Length / sizeof(WCHAR) + 1, // NULL, // 0, // NI_NAMEREQD // ) != 0) // { // // Try with the maximum host name size. // PhDereferenceObject(hostName); // hostName = PhCreateStringEx(NULL, NI_MAXHOST * sizeof(WCHAR)); // // if (GetNameInfo( // address, // length, // hostName->Buffer, // (ULONG)hostName->Length / sizeof(WCHAR) + 1, // NULL, // 0, // NI_NAMEREQD // ) != 0) // { // PhDereferenceObject(hostName); // // return NULL; // } // } // // PhTrimToNullTerminatorString(hostName); // // return hostName; //} PPH_STRING PhpGetDnsReverseNameFromAddress( _In_ PPH_IP_ADDRESS Address ) { #define IP4_REVERSE_DOMAIN_STRING_LENGTH (IP4_ADDRESS_STRING_LENGTH + sizeof(DNS_IP4_REVERSE_DOMAIN_STRING_W) + 1) #define IP6_REVERSE_DOMAIN_STRING_LENGTH (IP6_ADDRESS_STRING_LENGTH + sizeof(DNS_IP6_REVERSE_DOMAIN_STRING_W) + 1) switch (Address->Type) { case PH_NETWORK_TYPE_IPV4: { static CONST PH_STRINGREF reverseLookupDomainNameSr = PH_STRINGREF_INIT(DNS_IP4_REVERSE_DOMAIN_STRING); PH_FORMAT format[9]; SIZE_T returnLength; WCHAR reverseNameBuffer[IP4_REVERSE_DOMAIN_STRING_LENGTH]; PhInitFormatU(&format[0], Address->InAddr.s_impno); PhInitFormatC(&format[1], L'.'); PhInitFormatU(&format[2], Address->InAddr.s_lh); PhInitFormatC(&format[3], L'.'); PhInitFormatU(&format[4], Address->InAddr.s_host); PhInitFormatC(&format[5], L'.'); PhInitFormatU(&format[6], Address->InAddr.s_net); PhInitFormatC(&format[7], L'.'); PhInitFormatSR(&format[8], reverseLookupDomainNameSr); if (PhFormatToBuffer( format, RTL_NUMBER_OF(format), reverseNameBuffer, sizeof(reverseNameBuffer), &returnLength )) { PH_STRINGREF reverseNameString; reverseNameString.Buffer = reverseNameBuffer; reverseNameString.Length = returnLength - sizeof(UNICODE_NULL); return PhCreateString2(&reverseNameString); } else { return PhFormat(format, RTL_NUMBER_OF(format), IP4_REVERSE_DOMAIN_STRING_LENGTH); } } break; case PH_NETWORK_TYPE_IPV6: { static CONST PH_STRINGREF reverseLookupDomainNameSr = PH_STRINGREF_INIT(DNS_IP6_REVERSE_DOMAIN_STRING); PH_STRING_BUILDER stringBuilder; // DNS_MAX_IP6_REVERSE_NAME_LENGTH PhInitializeStringBuilder(&stringBuilder, IP6_REVERSE_DOMAIN_STRING_LENGTH); for (LONG i = sizeof(IN6_ADDR) - 1; i >= 0; i--) { PH_FORMAT format[4]; SIZE_T returnLength; WCHAR reverseNameBuffer[PH_INT64_STR_LEN_1]; PhInitFormatX(&format[0], Address->In6Addr.s6_addr[i] & 0xF); PhInitFormatC(&format[1], L'.'); PhInitFormatX(&format[2], (Address->In6Addr.s6_addr[i] >> 4) & 0xF); PhInitFormatC(&format[3], L'.'); if (PhFormatToBuffer( format, RTL_NUMBER_OF(format), reverseNameBuffer, sizeof(reverseNameBuffer), &returnLength )) { PH_STRINGREF reverseNameString; reverseNameString.Buffer = reverseNameBuffer; reverseNameString.Length = returnLength - sizeof(UNICODE_NULL); PhAppendStringBuilder(&stringBuilder, &reverseNameString); } else { PhAppendFormatStringBuilder( &stringBuilder, L"%hhx.%hhx.", Address->In6Addr.s6_addr[i] & 0xF, (Address->In6Addr.s6_addr[i] >> 4) & 0xF ); } } PhAppendStringBuilder(&stringBuilder, &reverseLookupDomainNameSr); return PhFinalStringBuilderString(&stringBuilder); } break; } return NULL; } PPH_STRING PhGetHostNameFromAddressEx( _In_ PPH_IP_ADDRESS Address ) { BOOLEAN dnsLocalQuery = FALSE; PPH_STRING dnsHostNameString = NULL; PPH_STRING dnsReverseNameString = NULL; PDNS_RECORD dnsRecordList; switch (Address->Type) { case PH_NETWORK_TYPE_IPV4: { if (IN4_IS_ADDR_UNSPECIFIED(&Address->InAddr)) return NULL; if (IN4_IS_ADDR_LOOPBACK(&Address->InAddr) || IN4_IS_ADDR_BROADCAST(&Address->InAddr) || IN4_IS_ADDR_MULTICAST(&Address->InAddr) || IN4_IS_ADDR_LINKLOCAL(&Address->InAddr) || IN4_IS_ADDR_MC_LINKLOCAL(&Address->InAddr) || IN4_IS_ADDR_RFC1918(&Address->InAddr)) { dnsLocalQuery = TRUE; } dnsReverseNameString = PhDnsReverseLookupNameFromAddress(PH_NETWORK_TYPE_IPV4, &Address->InAddr); } break; case PH_NETWORK_TYPE_IPV6: { if (IN6_IS_ADDR_UNSPECIFIED(&Address->In6Addr)) return NULL; if (IN6_IS_ADDR_LOOPBACK(&Address->In6Addr) || IN6_IS_ADDR_MULTICAST(&Address->In6Addr) || IN6_IS_ADDR_LINKLOCAL(&Address->In6Addr) || IN6_IS_ADDR_MC_LINKLOCAL(&Address->In6Addr)) { dnsLocalQuery = TRUE; } dnsReverseNameString = PhDnsReverseLookupNameFromAddress(PH_NETWORK_TYPE_IPV6, &Address->In6Addr); } break; case PH_NETWORK_TYPE_HYPERV: return PhHvSocketGetVmName(&Address->HvAddr); } if (PhIsNullOrEmptyString(dnsReverseNameString)) return NULL; if (!!PhCsEnableNetworkResolveDoH && !dnsLocalQuery) { dnsRecordList = PhDnsQuery( NULL, dnsReverseNameString->Buffer, DNS_TYPE_PTR ); } else { dnsRecordList = PhDnsQuery2( NULL, dnsReverseNameString->Buffer, DNS_TYPE_PTR, DNS_QUERY_NO_HOSTS_FILE // DNS_QUERY_BYPASS_CACHE ); } if (dnsRecordList) { for (PDNS_RECORD dnsRecord = dnsRecordList; dnsRecord; dnsRecord = dnsRecord->pNext) { if (dnsRecord->wType == DNS_TYPE_PTR) { dnsHostNameString = PhCreateString(dnsRecord->Data.PTR.pNameHost); // Return the first result (dmex) break; } } PhDnsFree(dnsRecordList); } PhDereferenceObject(dnsReverseNameString); return dnsHostNameString; } VOID PhFlushNetworkItemResolveCache( VOID ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPHP_RESOLVE_CACHE_ITEM* entry; if (!PhpResolveCacheHashtable) return; PhAcquireQueuedLockExclusive(&PhpResolveCacheHashtableLock); PhBeginEnumHashtable(PhpResolveCacheHashtable, &enumContext); while (entry = PhNextEnumHashtable(&enumContext)) { if ((*entry)->HostString) { PhDereferenceObject((*entry)->HostString); } PhFree((*entry)); } PhDereferenceObject(PhpResolveCacheHashtable); PhpResolveCacheHashtable = PhCreateHashtable( sizeof(PPHP_RESOLVE_CACHE_ITEM), PhpResolveCacheHashtableEqualFunction, PhpResolveCacheHashtableHashFunction, 20 ); PhReleaseQueuedLockExclusive(&PhpResolveCacheHashtableLock); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpNetworkItemQueryWorker( _In_ PVOID Parameter ) { PPH_NETWORK_ITEM_QUERY_DATA data = (PPH_NETWORK_ITEM_QUERY_DATA)Parameter; PPH_STRING hostString; PPHP_RESOLVE_CACHE_ITEM cacheItem; // Last minute check of the cache. PhAcquireQueuedLockShared(&PhpResolveCacheHashtableLock); cacheItem = PhpLookupResolveCacheItem(&data->Address); PhReleaseQueuedLockShared(&PhpResolveCacheHashtableLock); if (!cacheItem) { hostString = PhGetHostNameFromAddressEx(&data->Address); if (hostString) { data->HostString = hostString; // Update the cache. PhAcquireQueuedLockExclusive(&PhpResolveCacheHashtableLock); cacheItem = PhpLookupResolveCacheItem(&data->Address); if (!cacheItem) { cacheItem = PhAllocate(sizeof(PHP_RESOLVE_CACHE_ITEM)); cacheItem->Address = data->Address; cacheItem->HostString = hostString; PhReferenceObject(hostString); PhAddEntryHashtable(PhpResolveCacheHashtable, &cacheItem); } PhReleaseQueuedLockExclusive(&PhpResolveCacheHashtableLock); } } else { PhReferenceObject(cacheItem->HostString); data->HostString = cacheItem->HostString; } RtlInterlockedPushEntrySList(&PhNetworkItemQueryListHead, &data->ListEntry); return STATUS_SUCCESS; } VOID PhpQueueNetworkItemQuery( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ BOOLEAN Remote ) { PPH_NETWORK_ITEM_QUERY_DATA data; if (!PhEnableNetworkProviderResolve) { if (Remote) NetworkItem->RemoteHostnameResolved = TRUE; else NetworkItem->LocalHostnameResolved = TRUE; return; } data = PhAllocateZero(sizeof(PH_NETWORK_ITEM_QUERY_DATA)); data->NetworkItem = NetworkItem; data->Remote = Remote; if (Remote) data->Address = NetworkItem->RemoteEndpoint.Address; else data->Address = NetworkItem->LocalEndpoint.Address; PhReferenceObject(NetworkItem); if (PhBeginInitOnce(&PhNetworkProviderWorkQueueInitOnce)) { PhInitializeWorkQueue(&PhNetworkProviderWorkQueue, 0, 3, 500); PhEndInitOnce(&PhNetworkProviderWorkQueueInitOnce); } PhQueueItemWorkQueue(&PhNetworkProviderWorkQueue, PhpNetworkItemQueryWorker, data); } VOID PhNetworkItemResolveHostname( _In_ PPH_NETWORK_ITEM NetworkItem ) { PPHP_RESOLVE_CACHE_ITEM cacheItem; if (!FlagOn(PhNetworkProviderFlagsMask, PH_NETWORK_PROVIDER_FLAG_HOSTNAME)) return; // Local if (!PhIsNullIpAddress(&NetworkItem->LocalEndpoint.Address)) { PhAcquireQueuedLockShared(&PhpResolveCacheHashtableLock); cacheItem = PhpLookupResolveCacheItem(&NetworkItem->LocalEndpoint.Address); PhReleaseQueuedLockShared(&PhpResolveCacheHashtableLock); if (cacheItem) { PhReferenceObject(cacheItem->HostString); NetworkItem->LocalHostString = cacheItem->HostString; NetworkItem->LocalHostnameResolved = TRUE; } else { PhpQueueNetworkItemQuery(NetworkItem, FALSE); } } else { NetworkItem->LocalHostnameResolved = TRUE; } // Remote if (!PhIsNullIpAddress(&NetworkItem->RemoteEndpoint.Address)) { PhAcquireQueuedLockShared(&PhpResolveCacheHashtableLock); cacheItem = PhpLookupResolveCacheItem(&NetworkItem->RemoteEndpoint.Address); PhReleaseQueuedLockShared(&PhpResolveCacheHashtableLock); if (cacheItem) { PhReferenceObject(cacheItem->HostString); NetworkItem->RemoteHostString = cacheItem->HostString; NetworkItem->RemoteHostnameResolved = TRUE; } else { PhpQueueNetworkItemQuery(NetworkItem, TRUE); } } else { NetworkItem->RemoteHostnameResolved = TRUE; } } VOID PhNetworkItemInvalidateHostname( _In_ PPH_NETWORK_ITEM NetworkItem ) { if (NetworkItem->LocalHostString) { PhDereferenceObject(NetworkItem->LocalHostString); NetworkItem->LocalHostString = NULL; } if (NetworkItem->RemoteHostString) { PhDereferenceObject(NetworkItem->RemoteHostString); NetworkItem->RemoteHostString = NULL; } NetworkItem->LocalHostnameResolved = FALSE; NetworkItem->RemoteHostnameResolved = FALSE; PhNetworkItemResolveHostname(NetworkItem); } VOID PhpUpdateNetworkItemOwner( _In_ PPH_NETWORK_ITEM NetworkItem, _In_ ULONGLONG ServiceTag ) { if (ServiceTag) { PPH_STRING serviceName; serviceName = PhGetServiceNameFromTag(NetworkItem->ProcessId, (PVOID)ServiceTag); if (serviceName) PhMoveReference(&NetworkItem->OwnerName, serviceName); } } VOID PhFlushNetworkQueryData( VOID ) { PSLIST_ENTRY entry; PPH_NETWORK_ITEM_QUERY_DATA data; if (!FlagOn(PhNetworkProviderFlagsMask, PH_NETWORK_PROVIDER_FLAG_HOSTNAME)) return; //if (!RtlFirstEntrySList(&PhNetworkItemQueryListHead)) // return; entry = RtlInterlockedFlushSList(&PhNetworkItemQueryListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_NETWORK_ITEM_QUERY_DATA, ListEntry); entry = entry->Next; if (data->Remote) { PhMoveReference(&data->NetworkItem->RemoteHostString, data->HostString); data->NetworkItem->RemoteHostnameResolved = TRUE; } else { PhMoveReference(&data->NetworkItem->LocalHostString, data->HostString); data->NetworkItem->LocalHostnameResolved = TRUE; } InterlockedExchange(&data->NetworkItem->JustResolved, TRUE); PhDereferenceObject(data->NetworkItem); PhFree(data); } } _Function_class_(PH_PROVIDER_FUNCTION) VOID PhNetworkProviderUpdate( _In_ PVOID Object ) { static ULONG runCount = 0; PPH_NETWORK_CONNECTION connections; ULONG numberOfConnections; ULONG i; PhTraceFuncEnter("Network provider run count: %lu", runCount); if (!NetworkImportDone) { PVOID iphlpapi; if (iphlpapi = PhLoadLibrary(L"iphlpapi.dll")) { GetExtendedTcpTable_I = PhGetDllBaseProcedureAddress(iphlpapi, "GetExtendedTcpTable", 0); GetExtendedUdpTable_I = PhGetDllBaseProcedureAddress(iphlpapi, "GetExtendedUdpTable", 0); GetBoundTcpEndpointTable_I = PhGetDllBaseProcedureAddress(iphlpapi, "InternalGetBoundTcpEndpointTable", 0); GetBoundTcp6EndpointTable_I = PhGetDllBaseProcedureAddress(iphlpapi, "InternalGetBoundTcp6EndpointTable", 0); } NetworkImportDone = TRUE; } if (!PhGetNetworkConnections(&connections, &numberOfConnections)) { PhTraceFuncExit("Failed to get network connections: %lu", runCount); return; } // Look for closed connections. { PPH_LIST connectionsToRemove = NULL; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_NETWORK_ITEM *networkItem; PhBeginEnumHashtable(PhNetworkHashtable, &enumContext); while (networkItem = PhNextEnumHashtable(&enumContext)) { BOOLEAN found = FALSE; for (i = 0; i < numberOfConnections; i++) { if ( (*networkItem)->ProtocolType == connections[i].ProtocolType && PhEqualIpEndpoint(&(*networkItem)->LocalEndpoint, &connections[i].LocalEndpoint) && PhEqualIpEndpoint(&(*networkItem)->RemoteEndpoint, &connections[i].RemoteEndpoint) && (*networkItem)->ProcessId == connections[i].ProcessId && (*networkItem)->CreateTime.QuadPart == connections[i].CreateTime.QuadPart ) { found = TRUE; break; } } if (!found) { PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackNetworkProviderRemovedEvent), *networkItem); if (!connectionsToRemove) connectionsToRemove = PhCreateList(2); PhAddItemList(connectionsToRemove, *networkItem); } } if (connectionsToRemove) { PhAcquireQueuedLockExclusive(&PhNetworkHashtableLock); for (i = 0; i < connectionsToRemove->Count; i++) { PhpRemoveNetworkItem(connectionsToRemove->Items[i]); } PhReleaseQueuedLockExclusive(&PhNetworkHashtableLock); PhDereferenceObject(connectionsToRemove); } } // Go through the queued network item query data. PhFlushNetworkQueryData(); // Look for new network connections and update existing ones. for (i = 0; i < numberOfConnections; i++) { PPH_NETWORK_ITEM networkItem; // Try to find the connection in our hashtable. networkItem = PhReferenceNetworkItem( connections[i].ProtocolType, &connections[i].LocalEndpoint, &connections[i].RemoteEndpoint, connections[i].ProcessId ); if (!networkItem) { PPH_PROCESS_ITEM processItem; // Network item not found, create it. networkItem = PhCreateNetworkItem(); // Fill in basic information. networkItem->ProtocolType = connections[i].ProtocolType; networkItem->LocalEndpoint = connections[i].LocalEndpoint; networkItem->RemoteEndpoint = connections[i].RemoteEndpoint; networkItem->State = connections[i].State; networkItem->ProcessId = connections[i].ProcessId; networkItem->CreateTime = connections[i].CreateTime; networkItem->LocalScopeId = connections[i].LocalScopeId; networkItem->RemoteScopeId = connections[i].RemoteScopeId; PhpUpdateNetworkItemOwner(networkItem, connections[i].OwnerInfo[0]); // Format various strings. switch (networkItem->LocalEndpoint.Address.Type) { case PH_NETWORK_TYPE_IPV4: { WCHAR localAddressString[IP4_ADDRESS_STRING_LENGTH]; ULONG localAddressStringLength = RTL_NUMBER_OF(localAddressString); if (NT_SUCCESS(RtlIpv4AddressToStringEx( &networkItem->LocalEndpoint.Address.InAddr, 0, localAddressString, &localAddressStringLength ))) { networkItem->LocalAddressString = PhCreateStringEx( localAddressString, (localAddressStringLength - 1) * sizeof(WCHAR) ); } } break; case PH_NETWORK_TYPE_IPV6: { WCHAR localAddressString[IP6_ADDRESS_STRING_LENGTH]; ULONG localAddressStringLength = RTL_NUMBER_OF(localAddressString); if (NT_SUCCESS(RtlIpv6AddressToStringEx( &networkItem->LocalEndpoint.Address.In6Addr, networkItem->LocalScopeId, 0, localAddressString, &localAddressStringLength ))) { networkItem->LocalAddressString = PhCreateStringEx( localAddressString, (localAddressStringLength - 1) * sizeof(WCHAR) ); } } break; case PH_NETWORK_TYPE_HYPERV: { networkItem->LocalAddressString = PhHvSocketAddressString( &networkItem->LocalEndpoint.Address.HvAddr ); networkItem->HvService = PhHvSocketGetServiceName( &networkItem->LocalEndpoint.Address.HvAddr ); } break; } switch (networkItem->RemoteEndpoint.Address.Type) { case PH_NETWORK_TYPE_IPV4: { if (!PhIsNullIpAddress(&networkItem->RemoteEndpoint.Address)) { WCHAR remoteAddressString[IP4_ADDRESS_STRING_LENGTH]; ULONG remoteAddressStringLength = RTL_NUMBER_OF(remoteAddressString); if (NT_SUCCESS(RtlIpv4AddressToStringEx( &networkItem->RemoteEndpoint.Address.InAddr, 0, remoteAddressString, &remoteAddressStringLength ))) { networkItem->RemoteAddressString = PhCreateStringEx( remoteAddressString, (remoteAddressStringLength - 1) * sizeof(WCHAR) ); } } } break; case PH_NETWORK_TYPE_IPV6: { if (!PhIsNullIpAddress(&networkItem->RemoteEndpoint.Address)) { WCHAR remoteAddressString[IP6_ADDRESS_STRING_LENGTH]; ULONG remoteAddressStringLength = RTL_NUMBER_OF(remoteAddressString); if (NT_SUCCESS(RtlIpv6AddressToStringEx( &networkItem->RemoteEndpoint.Address.In6Addr, networkItem->RemoteScopeId, 0, remoteAddressString, &remoteAddressStringLength ))) { networkItem->RemoteAddressString = PhCreateStringEx( remoteAddressString, (remoteAddressStringLength - 1) * sizeof(WCHAR) ); } } } break; case PH_NETWORK_TYPE_HYPERV: { networkItem->RemoteAddressString = PhHvSocketAddressString( &networkItem->RemoteEndpoint.Address.HvAddr ); } break; } if (networkItem->LocalEndpoint.Port != 0) PhPrintUInt32(networkItem->LocalPortString, networkItem->LocalEndpoint.Port); if (networkItem->RemoteEndpoint.Port != 0) PhPrintUInt32(networkItem->RemotePortString, networkItem->RemoteEndpoint.Port); // Get host names. PhNetworkItemResolveHostname(networkItem); // Get process information. if (processItem = PhReferenceProcessItem(networkItem->ProcessId)) { networkItem->ProcessItem = processItem; PhSetReference(&networkItem->ProcessName, processItem->ProcessName); networkItem->SubsystemProcess = !!processItem->IsSubsystemProcess; if (PhTestEvent(&processItem->Stage1Event)) { networkItem->ProcessIconIndex = processItem->SmallIconIndex; networkItem->ProcessIconValid = TRUE; } // NOTE: We dereference processItem in PhpNetworkItemDeleteProcedure. (dmex) } else { HANDLE processHandle; PPH_STRING fileName; PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; // HACK HACK HACK // WSL subsystem processes (e.g. apache/nginx) create sockets, clone/fork themselves, duplicate the socket into the child process and then terminate. // The socket handle remains valid and in-use by the child process BUT the socket continues returning the PID of the exited process??? // Fixing this causes a major performance problem; If we have 100,000 sockets then on previous versions of Windows we would only need 2 system calls maximum // (for the process list) to identify the owner of every socket but now we need to make 4 system calls for every_last_socket totaling 400,000 system calls... great. (dmex) if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, networkItem->ProcessId))) { if (NT_SUCCESS(PhGetProcessExtendedBasicInformation(processHandle, &basicInfo))) { networkItem->SubsystemProcess = !!basicInfo.IsSubsystemProcess; } if (NT_SUCCESS(PhGetProcessImageFileName(processHandle, &fileName))) { PhMoveReference(&networkItem->ProcessName, PhGetBaseName(fileName)); } NtClose(processHandle); } networkItem->UnknownProcess = TRUE; } // Add the network item to the hashtable. PhAcquireQueuedLockExclusive(&PhNetworkHashtableLock); PhAddEntryHashtable(PhNetworkHashtable, &networkItem); PhReleaseQueuedLockExclusive(&PhNetworkHashtableLock); // Raise the network item added event. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackNetworkProviderAddedEvent), networkItem); } else { BOOLEAN modified = FALSE; if (InterlockedExchange(&networkItem->JustResolved, 0) != 0) modified = TRUE; if (networkItem->State != connections[i].State) { networkItem->State = connections[i].State; modified = TRUE; } if (!networkItem->ProcessItem) { networkItem->ProcessItem = PhReferenceProcessItem(networkItem->ProcessId); // NOTE: We dereference processItem in PhpNetworkItemDeleteProcedure. (dmex) } if (networkItem->ProcessItem) { if (PhIsNullOrEmptyString(networkItem->ProcessName)) { PhSetReference(&networkItem->ProcessName, &networkItem->ProcessItem->ProcessName); modified = TRUE; } if (!networkItem->ProcessIconValid && PhTestEvent(&networkItem->ProcessItem->Stage1Event)) { networkItem->ProcessIconIndex = networkItem->ProcessItem->SmallIconIndex; networkItem->ProcessIconValid = TRUE; modified = TRUE; } } if (networkItem->InvalidateHostname) { networkItem->InvalidateHostname = FALSE; PhNetworkItemInvalidateHostname(networkItem); modified = TRUE; } if (modified) { // Raise the network item modified event. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackNetworkProviderModifiedEvent), networkItem); } PhDereferenceObject(networkItem); } } PhFree(connections); PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackNetworkProviderUpdatedEvent), UlongToPtr(runCount)); PhTraceFuncExit("Network provider run count: %lu", runCount); runCount++; } #ifdef _WIN64 PHVSOCKET_LISTENERS PhpGetHvSocketListeners( _In_ HANDLE SystemHandle, _In_ const GUID* VmId ) { NTSTATUS status; ULONG length; PHVSOCKET_LISTENERS listeners; length = PAGE_SIZE; listeners = PhAllocate(length); for (;;) { status = PhHvSocketGetListeners(SystemHandle, VmId, listeners, length, &length); if (status != STATUS_BUFFER_TOO_SMALL) { break; } length *= 2; listeners = PhReAllocate(listeners, length); } if (!NT_SUCCESS(status)) { PhFree(listeners); listeners = NULL; } return listeners; } PHVSOCKET_CONNECTIONS PhpGetHvSocketConnections( _In_ HANDLE SystemHandle, _In_ const GUID* VmId ) { NTSTATUS status; ULONG length; PHVSOCKET_CONNECTIONS connections; length = PAGE_SIZE; connections = PhAllocate(length); for (;;) { status = PhHvSocketGetConnections(SystemHandle, VmId, connections, length, &length); if (status != STATUS_BUFFER_TOO_SMALL || length == 0) { break; } length *= 2; connections = PhReAllocate(connections, length); } if (!NT_SUCCESS(status)) { PhFree(connections); connections = NULL; } return connections; } VOID PhpCollectHvSocket( _In_ PGUID VmIds, _In_ SIZE_T Count, _Out_ PHVSOCKET_LISTENERS* Listeners, _Out_ PHVSOCKET_CONNECTIONS* Connections ) { HANDLE systemHandle; PHVSOCKET_LISTENERS listeners; PHVSOCKET_CONNECTIONS connections; ULONG listenersCount; ULONG connectionsCount; PPH_LIST listenersList; PPH_LIST connectionsList; if (!NT_SUCCESS(PhHvSocketOpenSystemControl(&systemHandle, NULL))) { *Listeners = NULL; *Connections = NULL; return; } listenersCount = 0; connectionsCount = 0; listenersList = PhCreateList(1); connectionsList = PhCreateList(1); for (ULONG i = 0; i < Count; i++) { if (listeners = PhpGetHvSocketListeners(systemHandle, &VmIds[i])) { PhAddItemList(listenersList, listeners); listenersCount += listeners->Count; } if (connections = PhpGetHvSocketConnections(systemHandle, &VmIds[i])) { PhAddItemList(connectionsList, connections); connectionsCount += connections->Count; } } listeners = NULL; connections = NULL; if (listenersCount) { listeners = PhAllocate( RTL_SIZEOF_THROUGH_FIELD(HVSOCKET_LISTENERS, Listener) + (sizeof(HVSOCKET_LISTENER) * listenersCount) ); listeners->Count = 0; } for (ULONG i = 0; i < listenersList->Count; i++) { PHVSOCKET_LISTENERS l; l = listenersList->Items[i]; if (listeners) { RtlCopyMemory( &listeners->Listener[listeners->Count], l->Listener, sizeof(HVSOCKET_LISTENER) * l->Count ); listeners->Count += l->Count; } PhFree(l); } if (connectionsCount) { connections = PhAllocate( RTL_SIZEOF_THROUGH_FIELD(HVSOCKET_CONNECTIONS, Connection) + (sizeof(HVSOCKET_CONNECTION) * connectionsCount) ); connections->Count = 0; } for (ULONG i = 0; i < connectionsList->Count; i++) { PHVSOCKET_CONNECTIONS c; c = connectionsList->Items[i]; if (connections) { RtlCopyMemory( &connections->Connection[connections->Count], c->Connection, sizeof(HVSOCKET_CONNECTION) * c->Count ); connections->Count += c->Count; } PhFree(c); } PhDereferenceObject(listenersList); PhDereferenceObject(connectionsList); *Listeners = listeners; *Connections = connections; NtClose(systemHandle); } static BOOLEAN NTAPI PhpHvEnumComputeSystemCallback( _In_ HANDLE RootDirectory, _In_ PKEY_BASIC_INFORMATION Information, _In_ PVOID Context ) { PPH_ARRAY guidArray = Context; PH_STRINGREF name; PH_FORMAT format[3]; PPH_STRING string; GUID guid; name.Buffer = Information->Name; name.Length = Information->NameLength; PhInitFormatC(&format[0], L'{'); PhInitFormatSR(&format[1], name); PhInitFormatC(&format[2], L'}'); string = PhFormat(format, 3, 10); if (NT_SUCCESS(PhStringToGuid(&string->sr, &guid))) PhAddItemArray(guidArray, &guid); PhDereferenceObject(string); return TRUE; } VOID PhpGetHvSocket( _Out_ PHVSOCKET_LISTENERS* Listeners, _Out_ PHVSOCKET_CONNECTIONS* Connections ) { static const PH_STRINGREF hvComputeSystemKey = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\HostComputeService\\VolatileStore\\ComputeSystem"); PH_ARRAY guidArray; HANDLE keyHandle; PhInitializeArray(&guidArray, sizeof(GUID), 10); PhAddItemArray(&guidArray, (PVOID)&HV_GUID_WILDCARD); PhAddItemArray(&guidArray, (PVOID)&HV_GUID_BROADCAST); PhAddItemArray(&guidArray, (PVOID)&HV_GUID_CHILDREN); PhAddItemArray(&guidArray, (PVOID)&HV_GUID_LOOPBACK); PhAddItemArray(&guidArray, (PVOID)&HV_GUID_PARENT); PhAddItemArray(&guidArray, (PVOID)&HV_GUID_SILOHOST); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_ENUMERATE_SUB_KEYS, PH_KEY_LOCAL_MACHINE, &hvComputeSystemKey, 0 ))) { PhEnumerateKey(keyHandle, KeyBasicInformation, PhpHvEnumComputeSystemCallback, &guidArray); NtClose(keyHandle); } PhpCollectHvSocket( PhFinalArrayItems(&guidArray), PhFinalArrayCount(&guidArray), Listeners, Connections ); PhDeleteArray(&guidArray); } #endif // _WIN64 _Success_(return) BOOLEAN PhGetNetworkConnections( _Out_ PPH_NETWORK_CONNECTION *Connections, _Out_ PULONG NumberOfConnections ) { PVOID table; ULONG tableSize; PMIB_TCPTABLE_OWNER_MODULE tcp4Table; PMIB_TCP6TABLE_OWNER_MODULE tcp6Table; PMIB_UDPTABLE_OWNER_MODULE udp4Table; PMIB_UDP6TABLE_OWNER_MODULE udp6Table; PMIB_TCPTABLE2 boundTcpTable; PMIB_TCP6TABLE2 boundTcp6Table; #ifdef _WIN64 PHVSOCKET_LISTENERS hvListeners; PHVSOCKET_CONNECTIONS hvConnections; #endif ULONG i; ULONG count = 0; ULONG index = 0; PPH_NETWORK_CONNECTION connections; // TCP IPv4 tableSize = 0; GetExtendedTcpTable_I(NULL, &tableSize, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0); table = PhAllocate(tableSize); if (GetExtendedTcpTable_I(table, &tableSize, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0) == NO_ERROR) { tcp4Table = table; count += tcp4Table->dwNumEntries; } else { PhFree(table); tcp4Table = NULL; } // TCP IPv6 tableSize = 0; GetExtendedTcpTable_I(NULL, &tableSize, FALSE, AF_INET6, TCP_TABLE_OWNER_MODULE_ALL, 0); table = PhAllocate(tableSize); if (GetExtendedTcpTable_I(table, &tableSize, FALSE, AF_INET6, TCP_TABLE_OWNER_MODULE_ALL, 0) == NO_ERROR) { tcp6Table = table; count += tcp6Table->dwNumEntries; } else { PhFree(table); tcp6Table = NULL; } // UDP IPv4 tableSize = 0; GetExtendedUdpTable_I(NULL, &tableSize, FALSE, AF_INET, UDP_TABLE_OWNER_MODULE, 0); table = PhAllocate(tableSize); if (GetExtendedUdpTable_I(table, &tableSize, FALSE, AF_INET, UDP_TABLE_OWNER_MODULE, 0) == NO_ERROR) { udp4Table = table; count += udp4Table->dwNumEntries; } else { PhFree(table); udp4Table = NULL; } // UDP IPv6 tableSize = 0; GetExtendedUdpTable_I(NULL, &tableSize, FALSE, AF_INET6, UDP_TABLE_OWNER_MODULE, 0); table = PhAllocate(tableSize); if (GetExtendedUdpTable_I(table, &tableSize, FALSE, AF_INET6, UDP_TABLE_OWNER_MODULE, 0) == NO_ERROR) { udp6Table = table; count += udp6Table->dwNumEntries; } else { PhFree(table); udp6Table = NULL; } #ifdef _WIN64 // Hyper-V PhpGetHvSocket(&hvListeners, &hvConnections); if (hvListeners) { count += hvListeners->Count; } if (hvConnections) { count += hvConnections->Count; } #endif if (PhEnableNetworkBoundConnections && WindowsVersion >= WINDOWS_10_RS5 && GetBoundTcpEndpointTable_I && GetBoundTcp6EndpointTable_I) { // Bound TCP IPv4 if (GetBoundTcpEndpointTable_I(&table, PhHeapHandle, 0) == NO_ERROR) { boundTcpTable = table; count += boundTcpTable->dwNumEntries; } else { boundTcpTable = NULL; } // Bound TCP IPv6 if (GetBoundTcp6EndpointTable_I(&table, PhHeapHandle, 0) == NO_ERROR) { boundTcp6Table = table; count += boundTcp6Table->dwNumEntries; } else { boundTcp6Table = NULL; } } else { boundTcpTable = NULL; boundTcp6Table = NULL; } connections = PhAllocate(sizeof(PH_NETWORK_CONNECTION) * count); memset(connections, 0, sizeof(PH_NETWORK_CONNECTION) * count); if (tcp4Table) { for (i = 0; i < tcp4Table->dwNumEntries; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_TCP4; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_IPV4; memcpy(connections[index].LocalEndpoint.Address.Ipv4, &tcp4Table->table[i].dwLocalAddr, sizeof(IN_ADDR)); connections[index].LocalEndpoint.Port = _byteswap_ushort((USHORT)tcp4Table->table[i].dwLocalPort); connections[index].RemoteEndpoint.Address.Type = PH_NETWORK_TYPE_IPV4; memcpy(connections[index].RemoteEndpoint.Address.Ipv4, &tcp4Table->table[i].dwRemoteAddr, sizeof(IN_ADDR)); connections[index].RemoteEndpoint.Port = _byteswap_ushort((USHORT)tcp4Table->table[i].dwRemotePort); connections[index].State = tcp4Table->table[i].dwState; connections[index].ProcessId = UlongToHandle(tcp4Table->table[i].dwOwningPid); connections[index].CreateTime = tcp4Table->table[i].liCreateTimestamp; memcpy( connections[index].OwnerInfo, tcp4Table->table[i].OwningModuleInfo, sizeof(ULONGLONG) * min(PH_NETWORK_OWNER_INFO_SIZE, TCPIP_OWNING_MODULE_SIZE) ); index++; } PhFree(tcp4Table); } if (tcp6Table) { for (i = 0; i < tcp6Table->dwNumEntries; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_TCP6; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_IPV6; memcpy(connections[index].LocalEndpoint.Address.Ipv6, tcp6Table->table[i].ucLocalAddr, 16); connections[index].LocalEndpoint.Port = _byteswap_ushort((USHORT)tcp6Table->table[i].dwLocalPort); connections[index].RemoteEndpoint.Address.Type = PH_NETWORK_TYPE_IPV6; memcpy(connections[index].RemoteEndpoint.Address.Ipv6, tcp6Table->table[i].ucRemoteAddr, 16); connections[index].RemoteEndpoint.Port = _byteswap_ushort((USHORT)tcp6Table->table[i].dwRemotePort); connections[index].State = tcp6Table->table[i].dwState; connections[index].ProcessId = UlongToHandle(tcp6Table->table[i].dwOwningPid); connections[index].CreateTime = tcp6Table->table[i].liCreateTimestamp; memcpy( connections[index].OwnerInfo, tcp6Table->table[i].OwningModuleInfo, sizeof(ULONGLONG) * min(PH_NETWORK_OWNER_INFO_SIZE, TCPIP_OWNING_MODULE_SIZE) ); connections[index].LocalScopeId = tcp6Table->table[i].dwLocalScopeId; connections[index].RemoteScopeId = tcp6Table->table[i].dwRemoteScopeId; index++; } PhFree(tcp6Table); } if (udp4Table) { for (i = 0; i < udp4Table->dwNumEntries; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_UDP4; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_IPV4; memcpy(connections[index].LocalEndpoint.Address.Ipv4, &udp4Table->table[i].dwLocalAddr, sizeof(IN_ADDR)); connections[index].LocalEndpoint.Port = _byteswap_ushort((USHORT)udp4Table->table[i].dwLocalPort); connections[index].RemoteEndpoint.Address.Type = 0; connections[index].State = 0; connections[index].ProcessId = UlongToHandle(udp4Table->table[i].dwOwningPid); connections[index].CreateTime = udp4Table->table[i].liCreateTimestamp; memcpy( connections[index].OwnerInfo, udp4Table->table[i].OwningModuleInfo, sizeof(ULONGLONG) * min(PH_NETWORK_OWNER_INFO_SIZE, TCPIP_OWNING_MODULE_SIZE) ); index++; } PhFree(udp4Table); } if (udp6Table) { for (i = 0; i < udp6Table->dwNumEntries; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_UDP6; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_IPV6; memcpy(connections[index].LocalEndpoint.Address.Ipv6, udp6Table->table[i].ucLocalAddr, sizeof(IN6_ADDR)); connections[index].LocalEndpoint.Port = _byteswap_ushort((USHORT)udp6Table->table[i].dwLocalPort); connections[index].RemoteEndpoint.Address.Type = 0; connections[index].State = 0; connections[index].ProcessId = UlongToHandle(udp6Table->table[i].dwOwningPid); connections[index].CreateTime = udp6Table->table[i].liCreateTimestamp; memcpy( connections[index].OwnerInfo, udp6Table->table[i].OwningModuleInfo, sizeof(ULONGLONG) * min(PH_NETWORK_OWNER_INFO_SIZE, TCPIP_OWNING_MODULE_SIZE) ); connections[index].LocalScopeId = udp6Table->table[i].dwLocalScopeId; connections[index].RemoteScopeId = 0; index++; } PhFree(udp6Table); } if (PhEnableNetworkBoundConnections && WindowsVersion >= WINDOWS_10_RS5) { if (boundTcpTable) { for (i = 0; i < boundTcpTable->dwNumEntries; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_TCP4; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_IPV4; memcpy(connections[index].LocalEndpoint.Address.Ipv4, &boundTcpTable->table[i].dwLocalAddr, sizeof(IN_ADDR)); connections[index].LocalEndpoint.Port = _byteswap_ushort((USHORT)boundTcpTable->table[i].dwLocalPort); connections[index].RemoteEndpoint.Address.Type = PH_NETWORK_TYPE_IPV4; memcpy(connections[index].RemoteEndpoint.Address.Ipv4, &boundTcpTable->table[i].dwRemoteAddr, sizeof(IN_ADDR)); connections[index].RemoteEndpoint.Port = _byteswap_ushort((USHORT)boundTcpTable->table[i].dwRemotePort); connections[index].State = boundTcpTable->table[i].dwState; connections[index].ProcessId = UlongToHandle(boundTcpTable->table[i].dwOwningPid); index++; } RtlFreeHeap(PhHeapHandle, 0, boundTcpTable); } if (boundTcp6Table) { for (i = 0; i < boundTcp6Table->dwNumEntries; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_TCP6; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_IPV6; memcpy(connections[index].LocalEndpoint.Address.Ipv6, boundTcp6Table->table[i].LocalAddr.s6_addr, sizeof(IN6_ADDR)); connections[index].LocalEndpoint.Port = _byteswap_ushort((USHORT)boundTcp6Table->table[i].dwLocalPort); connections[index].RemoteEndpoint.Address.Type = PH_NETWORK_TYPE_IPV6; memcpy(connections[index].RemoteEndpoint.Address.Ipv6, boundTcp6Table->table[i].RemoteAddr.s6_addr, sizeof(IN6_ADDR)); connections[index].RemoteEndpoint.Port = _byteswap_ushort((USHORT)boundTcp6Table->table[i].dwRemotePort); connections[index].State = boundTcp6Table->table[i].State; connections[index].ProcessId = UlongToHandle(boundTcp6Table->table[i].dwOwningPid); connections[index].LocalScopeId = boundTcp6Table->table[i].dwLocalScopeId; connections[index].RemoteScopeId = boundTcp6Table->table[i].dwRemoteScopeId; index++; } RtlFreeHeap(PhHeapHandle, 0, boundTcp6Table); } } #ifdef _WIN64 if (hvListeners) { for (i = 0; i < hvListeners->Count; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_HYPERV; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_HYPERV; connections[index].LocalEndpoint.Address.HvAddr = hvListeners->Listener[i].ServiceId; if (PhHvSocketIsVSockTemplate(&connections[index].LocalEndpoint.Address.HvAddr)) connections[index].LocalEndpoint.Port = hvListeners->Listener[i].Port; else connections[index].LocalEndpoint.Port = 0; connections[index].RemoteEndpoint.Address.Type = PH_NETWORK_TYPE_HYPERV; connections[index].RemoteEndpoint.Address.HvAddr = hvListeners->Listener[i].VmId; connections[index].ProcessId = UlongToHandle(hvListeners->Listener[i].ProcessId); connections[index].CreateTime = hvListeners->Listener[i].TimeStamp; connections[index].State = 0; // HACK index++; } PhFree(hvListeners); } if (hvConnections) { for (i = 0; i < hvConnections->Count; i++) { connections[index].ProtocolType = PH_NETWORK_PROTOCOL_HYPERV; connections[index].LocalEndpoint.Address.Type = PH_NETWORK_TYPE_HYPERV; connections[index].LocalEndpoint.Address.HvAddr = hvConnections->Connection[i].ServiceId; if (PhHvSocketIsVSockTemplate(&connections[index].LocalEndpoint.Address.HvAddr)) connections[index].LocalEndpoint.Port = hvConnections->Connection[i].Port; else connections[index].LocalEndpoint.Port = 0; connections[index].RemoteEndpoint.Address.Type = PH_NETWORK_TYPE_HYPERV; connections[index].RemoteEndpoint.Address.HvAddr = hvConnections->Connection[i].VmId; connections[index].ProcessId = UlongToHandle(hvConnections->Connection[i].ProcessId); connections[index].CreateTime = hvConnections->Connection[i].TimeStamp; connections[index].State = 1; // HACK index++; } PhFree(hvConnections); } #endif *NumberOfConnections = count; *Connections = connections; return TRUE; } static CONST PH_KEY_VALUE_PAIR PhProtocolTypeStrings[] = { SIP(SREF(L"Unknown"), 0), SIP(SREF(L"TCP"), PH_NETWORK_PROTOCOL_TCP4), SIP(SREF(L"TCP6"), PH_NETWORK_PROTOCOL_TCP6), SIP(SREF(L"UDP"), PH_NETWORK_PROTOCOL_UDP4), SIP(SREF(L"UDP6"), PH_NETWORK_PROTOCOL_UDP6), SIP(SREF(L"HYPERV"), PH_NETWORK_PROTOCOL_HYPERV), }; static CONST PH_KEY_VALUE_PAIR PhTcpStateStrings[] = { SIP(SREF(L"Unknown"), 0), SIP(SREF(L"Closed"), MIB_TCP_STATE_CLOSED), SIP(SREF(L"Listen"), MIB_TCP_STATE_LISTEN), SIP(SREF(L"SYN sent"), MIB_TCP_STATE_SYN_SENT), SIP(SREF(L"SYN received"), MIB_TCP_STATE_SYN_RCVD), SIP(SREF(L"Established"), MIB_TCP_STATE_ESTAB), SIP(SREF(L"FIN wait 1"), MIB_TCP_STATE_FIN_WAIT1), SIP(SREF(L"FIN wait 2"), MIB_TCP_STATE_FIN_WAIT2), SIP(SREF(L"Close wait"), MIB_TCP_STATE_CLOSE_WAIT), SIP(SREF(L"Closing"), MIB_TCP_STATE_CLOSING), SIP(SREF(L"Last ACK"), MIB_TCP_STATE_LAST_ACK), SIP(SREF(L"Time wait"), MIB_TCP_STATE_TIME_WAIT), SIP(SREF(L"Delete TCB"), MIB_TCP_STATE_DELETE_TCB), SIP(SREF(L"Bound"), MIB_TCP_STATE_RESERVED), }; PCPH_STRINGREF PhGetProtocolTypeName( _In_ ULONG ProtocolType ) { PCPH_STRINGREF string; if (PhFindStringRefSiKeyValuePairs( PhProtocolTypeStrings, sizeof(PhProtocolTypeStrings), ProtocolType, &string )) { return string; } return PhProtocolTypeStrings[0].Key; } PCPH_STRINGREF PhGetTcpStateName( _In_ ULONG State ) { switch (State) { case MIB_TCP_STATE_CLOSED: case MIB_TCP_STATE_LISTEN: case MIB_TCP_STATE_SYN_SENT: case MIB_TCP_STATE_SYN_RCVD: case MIB_TCP_STATE_ESTAB: case MIB_TCP_STATE_FIN_WAIT1: case MIB_TCP_STATE_FIN_WAIT2: case MIB_TCP_STATE_CLOSE_WAIT: case MIB_TCP_STATE_CLOSING: case MIB_TCP_STATE_LAST_ACK: case MIB_TCP_STATE_TIME_WAIT: case MIB_TCP_STATE_DELETE_TCB: return PhTcpStateStrings[State].Key; case MIB_TCP_STATE_RESERVED: return PhTcpStateStrings[13].Key; } // TODO: We can't index the string from MIB_TCP_STATE_RESERVED (dmex) //if (PhIndexStringRefSiKeyValuePairs( // PhTcpStateStrings, // sizeof(PhTcpStateStrings), // State, // &string // )) //{ // return string; //} return PhTcpStateStrings[0].Key; } ================================================ FILE: SystemInformer/netstk.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * */ #include #include #include typedef struct NETWORK_STACK_CONTEXT { HWND ListViewHandle; PH_LAYOUT_MANAGER LayoutManager; PPH_NETWORK_ITEM NetworkItem; PPH_SYMBOL_PROVIDER SymbolProvider; HANDLE LoadingProcessId; } NETWORK_STACK_CONTEXT, *PNETWORK_STACK_CONTEXT; INT_PTR CALLBACK PhpNetworkStackDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); static RECT MinimumSize = { -1, -1, -1, -1 }; static BOOLEAN LoadSymbolsEnumGenericModulesCallback( _In_ PPH_MODULE_INFO Module, _In_opt_ PVOID Context ) { PNETWORK_STACK_CONTEXT context = Context; PPH_SYMBOL_PROVIDER symbolProvider = context->SymbolProvider; // If we're loading kernel module symbols for a process other than // System, ignore modules which are in user space. This may happen // in Windows 7. if ( context->LoadingProcessId == SYSTEM_PROCESS_ID && context->NetworkItem->ProcessId != SYSTEM_PROCESS_ID && (ULONG_PTR)Module->BaseAddress <= PhSystemBasicInformation.MaximumUserModeAddress ) return TRUE; PhLoadModuleSymbolProvider( symbolProvider, Module->FileName, (ULONG64)Module->BaseAddress, Module->Size ); return TRUE; } VOID PhShowNetworkStackDialog( _In_ HWND ParentWindowHandle, _In_ PPH_NETWORK_ITEM NetworkItem ) { NETWORK_STACK_CONTEXT networkStackContext; networkStackContext.NetworkItem = NetworkItem; networkStackContext.SymbolProvider = PhCreateSymbolProvider(NetworkItem->ProcessId); if (networkStackContext.SymbolProvider->IsRealHandle) { // Load symbols for the process. networkStackContext.LoadingProcessId = NetworkItem->ProcessId; PhEnumGenericModules( NetworkItem->ProcessId, networkStackContext.SymbolProvider->ProcessHandle, 0, LoadSymbolsEnumGenericModulesCallback, &networkStackContext ); // Load symbols for kernel-mode. networkStackContext.LoadingProcessId = SYSTEM_PROCESS_ID; PhEnumGenericModules( SYSTEM_PROCESS_ID, NULL, 0, LoadSymbolsEnumGenericModulesCallback, &networkStackContext ); } else { PhDereferenceObject(networkStackContext.SymbolProvider); PhShowError(ParentWindowHandle, L"%s", L"Unable to open the process."); return; } PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_NETSTACK), ParentWindowHandle, PhpNetworkStackDlgProc, &networkStackContext ); PhDereferenceObject(networkStackContext.SymbolProvider); } INT_PTR CALLBACK PhpNetworkStackDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PNETWORK_STACK_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PNETWORK_STACK_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); if (uMsg == WM_DESTROY) { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HWND lvHandle; PVOID address; ULONG i; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); context->ListViewHandle = lvHandle = GetDlgItem(hwndDlg, IDC_LIST); PhAddListViewColumn(lvHandle, 0, 0, 0, LVCFMT_LEFT, 350, L"Name"); PhSetListViewStyle(lvHandle, FALSE, TRUE); PhSetControlTheme(lvHandle, L"explorer"); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, lvHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); if (MinimumSize.left == -1) { RECT rect; rect.left = 0; rect.top = 0; rect.right = 190; rect.bottom = 120; MapDialogRect(hwndDlg, &rect); MinimumSize = rect; MinimumSize.left = 0; } for (i = 0; i < PH_NETWORK_OWNER_INFO_SIZE; i++) { PPH_STRING name; address = *(PVOID *)&context->NetworkItem->OwnerInfo[i]; if ((ULONG_PTR)address < PAGE_SIZE) // stop at an invalid address break; name = PhGetSymbolFromAddress( context->SymbolProvider, (ULONG64)address, NULL, NULL, NULL, NULL ); PhAddListViewItem(lvHandle, MAXINT, name->Buffer, NULL); PhDereferenceObject(name); } } break; case WM_DESTROY: { PhDeleteLayoutManager(&context->LayoutManager); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: // Esc and X button to close case IDOK: EndDialog(hwndDlg, IDOK); break; } } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; } return FALSE; } ================================================ FILE: SystemInformer/netsup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2025 * */ #include #include #include CONST NPI_MODULEID NPI_MS_IPV4_MODULEID = { 2, MIT_GUID, .Guid = { 0xeb004a00, 0x9b1a, 0x11d4, { 0x91, 0x23, 0x00, 0x50, 0x04, 0x77, 0x59, 0xbc } } }; CONST NPI_MODULEID NPI_MS_IPV6_MODULEID = { 2, MIT_GUID, .Guid = { 0xeb004a01, 0x9b1a, 0x11d4, { 0x91, 0x23, 0x00, 0x50, 0x04, 0x77, 0x59, 0xbc } } }; CONST NPI_MODULEID NPI_MS_UDP_MODULEID = { 2, MIT_GUID, .Guid = { 0xeb004a02, 0x9b1a, 0x11d4, { 0x91, 0x23, 0x00, 0x50, 0x04, 0x77, 0x59, 0xbc } } }; CONST NPI_MODULEID NPI_MS_TCP_MODULEID = { 2, MIT_GUID, .Guid = { 0xeb004a03, 0x9b1a, 0x11d4, { 0x91, 0x23, 0x00, 0x50, 0x04, 0x77, 0x59, 0xbc } } }; CONST NPI_MODULEID NPI_MS_NDIS_MODULEID = { 2, MIT_GUID, .Guid = { 0xeb004a11, 0x9b1a, 0x11d4, { 0x91, 0x23, 0x00, 0x50, 0x04, 0x77, 0x59, 0xbc } } }; CONST NPI_MODULEID NPI_MS_FL6T_MODULEID = { 2, MIT_GUID, .Guid = { 0xeb004a1C, 0x9b1a, 0x11d4, { 0x91, 0x23, 0x00, 0x50, 0x04, 0x77, 0x59, 0xbc } } }; // Teredo typedef enum _NSI_STORE { NsiPersistent, NsiActive, NsiBoth, NsiCurrent, NsiBootFirmwareTable } NSI_STORE; typedef enum _NSI_SET_ACTION { NsiSetDefault = 0, NsiSetCreateOnly = 1, NsiSetCreateOrSet = 2, NsiSetDelete = 3, NsiSetReset = 4, NsiSetClear = 5, NsiSetCreateOrSetWithReference = 6, NsiSetDeleteWithReference = 7, } NSI_SET_ACTION; typedef enum _NSI_TCP_INFORMATION_CLASS { NsiTcpTableOwnerPidAll = 3, // NSI_TCP_ALL_TABLE // TCP_TABLE_OWNER_PID_ALL and TCP_TABLE_OWNER_MODULE_ALL NsiTcpTableOwnerPidAllConnected = 4, // NSI_TCP_ESTAB_TABLE // TCP_TABLE_OWNER_PID_CONNECTIONS and TCP_TABLE_OWNER_MODULE_CONNECTIONS NsiTcpTableOwnerPidAllListener = 5, // NSI_TCP_LISTEN_TABLE // TCP_TABLE_OWNER_PID_LISTENER and TCP_TABLE_OWNER_MODULE_LISTENER //NsiTcpConnectionTable, // TCP_TABLE_OWNER_PID_ALL and TCP_TABLE_OWNER_MODULE_ALL //NsiTcpListenerTable, // TCP_TABLE_OWNER_PID_LISTENER and TCP_TABLE_OWNER_MODULE_LISTENER //NsiTcpStats, // MIB_TCPSTATS //NsiTcp6ConnectionTable, // TCP_TABLE_OWNER_PID_ALL and TCP_TABLE_OWNER_MODULE_ALL (IPv6) //NsiTcp6ListenerTable, // TCP_TABLE_OWNER_PID_LISTENER and TCP_TABLE_OWNER_MODULE_LISTENER (IPv6) //NsiTcp6Stats, // MIB_TCP6STATS //NsiTcpGlobalStats, // MIB_TCPSTATS_EX //NsiTcp6GlobalStats, // MIB_TCP6STATS_EX //NsiTcpConnectionTableEx, // TCP_TABLE_OWNER_PID_CONNECTIONS and TCP_TABLE_OWNER_MODULE_CONNECTIONS //NsiTcp6ConnectionTableEx, // TCP_TABLE_OWNER_PID_CONNECTIONS and TCP_TABLE_OWNER_MODULE_CONNECTIONS (IPv6) //NsiTcpFineGrainStats, // MIB_TCPSTATS_FINE //NsiTcp6FineGrainStats, // MIB_TCP6STATS_FINE //NsiTcpConnectionOffloadState, // TCP_OFFLOAD_STATE //NsiTcp6ConnectionOffloadState, // TCP_OFFLOAD_STATE (IPv6) //NsiTcpConnectionOffloadParameters, // TCP_OFFLOAD_PARAMETERS //NsiTcp6ConnectionOffloadParameters, // TCP_OFFLOAD_PARAMETERS (IPv6) NsiTcpSetIfEntry = 16, // input: NSI_SET_TCP_ENTRY //NsiTcpCongestionProvider, // TCP_CONGESTION_PROVIDER //NsiTcpCongestionProviderEx, // TCP_CONGESTION_PROVIDER_EX //NsiTcpMaxConnections, // ULONG //NsiTcpMaxHalfOpenConnections, // ULONG //NsiTcpConnectionOffloadStateEx, // TCP_OFFLOAD_STATE_EX //NsiTcp6ConnectionOffloadStateEx, // TCP_OFFLOAD_STATE_EX (IPv6) //NsiTcpMaxInfoClass } NSI_TCP_INFORMATION_CLASS; //typedef enum _NSI_UDP_INFORMATION_CLASS //{ // NsiUdpEndpointTable, // UDP_TABLE_OWNER_PID // NsiUdp6EndpointTable, // UDP6_TABLE_OWNER_PID // NsiUdpStats, // MIB_UDPSTATS // NsiUdp6Stats, // MIB_UDP6STATS // NsiUdpGlobalStats, // MIB_UDPSTATS_EX // NsiUdp6GlobalStats, // MIB_UDP6STATS_EX // NsiUdpMaxInfoClass //} NSI_UDP_INFORMATION_CLASS; typedef enum _NSI_IF_INFORMATION_CLASS { NsiInterfaceLuidToGuid = 0, NsiInterfaceGuidToLuid = 1, NsiInterfaceIndexToLuid = 2, //NsiInterfaceMaxInfoClass } NSI_IF_INFORMATION_CLASS; typedef struct _NSI_SET_TCP_ENTRY { union { union { SOCKADDR_IN LocalTcpEntryIpV4; SOCKADDR_IN6 LocalTcpEntryIpV6; }; struct { ADDRESS_FAMILY LocalFamily; USHORT LocalPort; IN_ADDR LocalAddressIPv4; IN6_ADDR LocalAddressIPv6; ULONG LocalScopeID; }; }; union { union { SOCKADDR_IN RemoteTcpEntryIpV4; SOCKADDR_IN6 RemoteTcpEntryIpV6; }; struct { ADDRESS_FAMILY RemoteFamily; USHORT RemotePort; IN_ADDR RemoteAddressIPv4; IN6_ADDR RemoteAddressIPv6; ULONG RemoteScopeID; }; }; } NSI_SET_TCP_ENTRY, *PNSI_SET_TCP_ENTRY; #if defined(PH_INLINE_NSI) NTSYSAPI NTSTATUS NTAPI NsiGetParameter( _In_ NSI_STORE Store, _In_ PNPI_MODULEID Module, _In_ ULONG Class, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _In_ ULONG InputControlCode, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _In_ ULONG OutputControlCode ); NTSYSAPI NTSTATUS NTAPI NsiSetAllParameters( _In_ NSI_STORE Store, _In_ NSI_SET_ACTION Action, _In_ PNPI_MODULEID Module, _In_ ULONG Class, _In_ PVOID InputBuffer, _In_ ULONG InputBufferLength, _In_ PVOID OptionalBuffer, _In_ ULONG OptionalBufferLength ); #else #define NSI_DEVICE_NAME L"\\Device\\Nsi" #define IOCTL_NSI_GET_PARAMETER \ CTL_CODE(FILE_DEVICE_NETWORK, 0x1, METHOD_NEITHER, FILE_ANY_ACCESS) // 0x120007 #define IOCTL_NSI_SET_ALL_PARAMETERS \ CTL_CODE(FILE_DEVICE_NETWORK, 0x4, METHOD_NEITHER, FILE_ANY_ACCESS) // 0x120013 #define IOCTL_NSI_GET_ALL_PARAMETERS \ CTL_CODE(FILE_DEVICE_NETWORK, 0x6, METHOD_NEITHER, FILE_ANY_ACCESS) // 0x12001B typedef struct _NSI_IOCTL_GET_PARAMETER { ULONGLONG Zero0; ULONGLONG Zero1; PNPI_MODULEID Module; ULONG Class; ULONG Reserved0; NSI_STORE Store; NSI_SET_ACTION Action; PVOID InputBuffer; ULONG InputBufferLength; ULONG Reserved1; ULONG InputControlCode; ULONG Reserved2; PVOID OutputBuffer; ULONG OutputBufferLength; ULONG Reserved3; } NSI_IOCTL_GET_PARAMETER, *PNSI_IOCTL_GET_PARAMETER; typedef struct _NSI_IOCTL_SET_ALL_PARAMETERS { ULONGLONG Zero0; ULONGLONG Zero1; PNPI_MODULEID Module; ULONG Class; ULONG Reserved0; NSI_STORE Store; NSI_SET_ACTION Action; PVOID InputBuffer; ULONG InputBufferLength; ULONG Reserved1; PVOID OutputBuffer; ULONG OutputBufferLength; ULONG Reserved2; } NSI_IOCTL_SET_ALL_PARAMETERS, *PNSI_IOCTL_SET_ALL_PARAMETERS; #endif NTSTATUS PhNsiGetParameter( _In_ NSI_STORE Store, _In_ PNPI_MODULEID Module, _In_ ULONG Class, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _In_ ULONG InputControlCode, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ) { #if defined(PH_INLINE_NSI) static typeof(&NsiGetParameter) NsiGetParameter_I = NULL; if (!NsiGetParameter_I) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"nsi.dll")) { NsiGetParameter_I = PhGetDllBaseProcedureAddress(baseAddress, "NsiGetParameter", 0); } } if (!NsiGetParameter_I) return STATUS_PROCEDURE_NOT_FOUND; return NsiGetParameter_I( Store, Module, Class, InputBuffer, InputBufferLength, InputControlCode, OutputBuffer, OutputBufferLength, 0 ); #else NTSTATUS status; HANDLE deviceHandle; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; NSI_IOCTL_GET_PARAMETER nsiGetParameter; RtlInitUnicodeString(&objectName, NSI_DEVICE_NAME); InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtCreateFile( &deviceHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (!NT_SUCCESS(status)) return status; RtlZeroMemory(&nsiGetParameter, sizeof(nsiGetParameter)); nsiGetParameter.Module = Module; nsiGetParameter.Class = Class; nsiGetParameter.Store = Store; nsiGetParameter.InputBuffer = InputBuffer; nsiGetParameter.InputBufferLength = InputBufferLength; nsiGetParameter.InputControlCode = InputControlCode; nsiGetParameter.OutputBuffer = OutputBuffer; nsiGetParameter.OutputBufferLength = OutputBufferLength; status = NtDeviceIoControlFile( deviceHandle, NULL, NULL, NULL, &ioStatusBlock, IOCTL_NSI_GET_PARAMETER, &nsiGetParameter, sizeof(nsiGetParameter), &nsiGetParameter, sizeof(nsiGetParameter) ); NtClose(deviceHandle); return status; #endif } NTSTATUS PhNsiSetAllParameters( _In_ NSI_STORE Store, _In_ NSI_SET_ACTION Action, _In_ PNPI_MODULEID Module, _In_ ULONG Class, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ) { #if defined(PH_INLINE_NSI) static typeof(&NsiSetAllParameters) NsiSetAllParameters_I = NULL; if (!NsiSetAllParameters_I) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"nsi.dll")) { NsiSetAllParameters_I = PhGetDllBaseProcedureAddress(baseAddress, "NsiSetAllParameters", 0); } } if (!NsiSetAllParameters_I) return STATUS_PROCEDURE_NOT_FOUND; return NsiSetAllParameters_I( Store, Action, Module, Class, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength ); #else NTSTATUS status; HANDLE deviceHandle; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; NSI_IOCTL_SET_ALL_PARAMETERS nsiSetAllParameters; RtlInitUnicodeString(&objectName, NSI_DEVICE_NAME); InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtCreateFile( &deviceHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (!NT_SUCCESS(status)) return status; RtlZeroMemory(&nsiSetAllParameters, sizeof(nsiSetAllParameters)); nsiSetAllParameters.Module = Module; nsiSetAllParameters.Class = Class; nsiSetAllParameters.Store = Store; nsiSetAllParameters.Action = Action; nsiSetAllParameters.InputBuffer = InputBuffer; nsiSetAllParameters.InputBufferLength = InputBufferLength; nsiSetAllParameters.OutputBuffer = OutputBuffer; nsiSetAllParameters.OutputBufferLength = OutputBufferLength; status = NtDeviceIoControlFile( deviceHandle, NULL, NULL, NULL, &ioStatusBlock, IOCTL_NSI_SET_ALL_PARAMETERS, &nsiSetAllParameters, sizeof(nsiSetAllParameters), &nsiSetAllParameters, sizeof(nsiSetAllParameters) ); NtClose(deviceHandle); return status; #endif } NTSTATUS PhSetTcpEntry( _In_ PPH_NETWORK_ITEM NetworkItem ) { NTSTATUS status; NSI_SET_TCP_ENTRY NsiSetTcpEntryData; RtlZeroMemory(&NsiSetTcpEntryData, sizeof(NsiSetTcpEntryData)); if (NetworkItem->ProtocolType == PH_NETWORK_PROTOCOL_TCP4) { NsiSetTcpEntryData.LocalFamily = AF_INET; NsiSetTcpEntryData.LocalPort = _byteswap_ushort((USHORT)NetworkItem->LocalEndpoint.Port); memcpy(&NsiSetTcpEntryData.LocalAddressIPv4, &NetworkItem->LocalEndpoint.Address.InAddr, sizeof(NsiSetTcpEntryData.LocalAddressIPv4)); NsiSetTcpEntryData.RemoteFamily = AF_INET; NsiSetTcpEntryData.RemotePort = _byteswap_ushort((USHORT)NetworkItem->RemoteEndpoint.Port); memcpy(&NsiSetTcpEntryData.RemoteAddressIPv4, &NetworkItem->RemoteEndpoint.Address.InAddr, sizeof(NsiSetTcpEntryData.LocalAddressIPv4)); } else if (NetworkItem->ProtocolType == PH_NETWORK_PROTOCOL_TCP6) { NsiSetTcpEntryData.LocalFamily = AF_INET6; NsiSetTcpEntryData.LocalPort = _byteswap_ushort((USHORT)NetworkItem->LocalEndpoint.Port); memcpy(&NsiSetTcpEntryData.LocalAddressIPv6, &NetworkItem->LocalEndpoint.Address.In6Addr, sizeof(NsiSetTcpEntryData.LocalAddressIPv6)); NsiSetTcpEntryData.LocalScopeID = NetworkItem->LocalScopeId; NsiSetTcpEntryData.RemoteFamily = AF_INET6; NsiSetTcpEntryData.RemotePort = _byteswap_ushort((USHORT)NetworkItem->RemoteEndpoint.Port); memcpy(&NsiSetTcpEntryData.RemoteAddressIPv6, &NetworkItem->RemoteEndpoint.Address.In6Addr, sizeof(NsiSetTcpEntryData.RemoteAddressIPv6)); NsiSetTcpEntryData.RemoteScopeID = NetworkItem->RemoteScopeId; } status = PhNsiSetAllParameters( NsiActive, NsiSetCreateOrSet, &NPI_MS_TCP_MODULEID, NsiTcpSetIfEntry, &NsiSetTcpEntryData, sizeof(NSI_SET_TCP_ENTRY), NULL, 0 ); return status; } NTSTATUS PhConvertInterfaceIndexToLuid( _In_ NET_IFINDEX InterfaceIndex, _Out_ PNET_LUID InterfaceLuid ) { NET_IFINDEX index = InterfaceIndex; return PhNsiGetParameter( NsiActive, &NPI_MS_NDIS_MODULEID, NsiInterfaceIndexToLuid, &index, sizeof(NET_IFINDEX), 2, InterfaceLuid, sizeof(NET_LUID) ); } ================================================ FILE: SystemInformer/notifico.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #include #include #include BOOLEAN PhNfMiniInfoEnabled = FALSE; BOOLEAN PhNfMiniInfoPinned = FALSE; BOOLEAN PhNfTransparencyEnabled = FALSE; BOOLEAN PhNfPersistTrayIconPositionEnabled = FALSE; PPH_LIST PhTrayIconItemList = NULL; PH_NF_POINTERS PhNfpPointers; PH_CALLBACK_REGISTRATION PhNfpProcessesUpdatedRegistration; PH_NF_BITMAP PhNfpDefaultBitmapContext = { 0 }; PH_NF_BITMAP PhNfpBlackBitmapContext = { 0 }; HBITMAP PhNfpBlackBitmap = NULL; HICON PhNfpBlackIcon = NULL; HICON PhNfAppTrayIcon = NULL; HFONT PhNfTrayIconFont = NULL; GUID PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_MAXIMUM]; static POINT IconClickLocation; static PH_NF_MSG_SHOWMINIINFOSECTION_DATA IconClickShowMiniInfoSectionData; static BOOLEAN IconClickUpDueToDown = FALSE; static BOOLEAN IconDisableHover = FALSE; static HANDLE PhpTrayIconThreadHandle = NULL; static HANDLE PhpTrayIconEventHandle = NULL; #ifdef PH_NF_ENABLE_WORKQUEUE static SLIST_HEADER PhpTrayIconWorkQueueListHead; #endif static ULONG PopupIconIndex = ULONG_MAX; // Win11 workaround (dmex) static PPH_NF_ICON PopupRegisteredIcon = NULL; // Win11 workaround (dmex) VOID PhNfLoadStage1( VOID ) { PhTrayIconItemList = PhCreateList(20); PhNfpPointers.BeginBitmap = PhNfpBeginBitmap; #ifdef PH_NF_ENABLE_WORKQUEUE PhInitializeSListHead(&PhpTrayIconWorkQueueListHead); #endif } VOID PhNfLoadSettings( VOID ) { PPH_STRING settingsString; PH_STRINGREF remaining; settingsString = PhGetStringSetting(SETTING_ICON_SETTINGS); if (PhIsNullOrEmptyString(settingsString)) return; remaining = PhGetStringRef(settingsString); while (remaining.Length != 0) { PH_STRINGREF idPart; PH_STRINGREF flagsPart; PH_STRINGREF pluginNamePart; ULONG64 idInteger; ULONG64 flagsInteger; PhSplitStringRefAtChar(&remaining, L'|', &idPart, &remaining); PhSplitStringRefAtChar(&remaining, L'|', &flagsPart, &remaining); PhSplitStringRefAtChar(&remaining, L'|', &pluginNamePart, &remaining); if (!PhStringToUInt64(&idPart, 10, &idInteger)) break; if (!PhStringToUInt64(&flagsPart, 10, &flagsInteger)) break; if (flagsInteger) { PPH_NF_ICON icon; if (pluginNamePart.Length) { if (icon = PhNfFindIcon(&pluginNamePart, (ULONG)idInteger)) { RtlInterlockedSetBits(&icon->Flags, PH_NF_ICON_ENABLED); } } else { if (icon = PhNfGetIconById((ULONG)idInteger)) { RtlInterlockedSetBits(&icon->Flags, PH_NF_ICON_ENABLED); } } } } PhDereferenceObject(settingsString); } VOID PhNfSaveSettings( VOID ) { PPH_STRING settingsString; PH_STRING_BUILDER iconListBuilder; PhInitializeStringBuilder(&iconListBuilder, 200); for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) { PH_FORMAT format[6]; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; // %lu|%lu|%s| PhInitFormatU(&format[0], icon->SubId); PhInitFormatC(&format[1], L'|'); PhInitFormatU(&format[2], TRUE); PhInitFormatC(&format[3], L'|'); if (icon->Plugin) PhInitFormatSR(&format[4], icon->Plugin->Name); else PhInitFormatS(&format[4], L""); PhInitFormatC(&format[5], L'|'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&iconListBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder( &iconListBuilder, L"%lu|%lu|%s|", icon->SubId, TRUE, icon->Plugin ? PhGetStringRefZ(&icon->Plugin->Name) : L"" ); } } } if (iconListBuilder.String->Length != 0) PhRemoveEndStringBuilder(&iconListBuilder, 1); settingsString = PhFinalStringBuilderString(&iconListBuilder); PhSetStringSetting2(SETTING_ICON_SETTINGS, &settingsString->sr); PhDereferenceObject(settingsString); } VOID PhNfLoadGuids( VOID ) { PPH_STRING settingsString; PH_STRINGREF remaining; ULONG i; settingsString = PhGetStringSetting(SETTING_ICON_TRAY_GUIDS); if (PhIsNullOrEmptyString(settingsString)) { PH_STRING_BUILDER iconListBuilder; PPH_STRING iconGuid; PhInitializeStringBuilder(&iconListBuilder, 100); for (i = 0; i < RTL_NUMBER_OF(PhNfpTrayIconItemGuids); i++) { PhGenerateGuid(&PhNfpTrayIconItemGuids[i]); if (iconGuid = PhFormatGuid(&PhNfpTrayIconItemGuids[i])) { PhAppendFormatStringBuilder( &iconListBuilder, L"%s|", iconGuid->Buffer ); PhDereferenceObject(iconGuid); } } if (iconListBuilder.String->Length != 0) PhRemoveEndStringBuilder(&iconListBuilder, 1); PhMoveReference(&settingsString, PhFinalStringBuilderString(&iconListBuilder)); PhSetStringSetting2(SETTING_ICON_TRAY_GUIDS, &settingsString->sr); PhDereferenceObject(settingsString); } else { remaining = PhGetStringRef(settingsString); for (i = 0; i < RTL_NUMBER_OF(PhNfpTrayIconItemGuids); i++) { PH_STRINGREF guidPart; GUID guid; if (remaining.Length == 0) continue; PhSplitStringRefAtChar(&remaining, L'|', &guidPart, &remaining); if (guidPart.Length == 0) continue; if (!NT_SUCCESS(PhStringToGuid(&guidPart, &guid))) PhGenerateGuid(&PhNfpTrayIconItemGuids[i]); else PhNfpTrayIconItemGuids[i] = guid; } PhDereferenceObject(settingsString); } } VOID PhNfCreateIconThreadDelayed( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_NF_ICON staticIcon = NULL; ULONG iconCount = 0; for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (!BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) continue; if (icon->SubId == PH_TRAY_ICON_ID_PLAIN_ICON) staticIcon = icon; iconCount++; } if (iconCount && PhBeginInitOnce(&initOnce)) { if (NT_SUCCESS(PhCreateEvent( &PhpTrayIconEventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, !PhGetIntegerSetting(SETTING_ICON_TRAY_LAZY_START_DELAY) ))) { // Set the event when the only icon is the static icon. (dmex) if (iconCount == 1 && staticIcon) { NtSetEvent(PhpTrayIconEventHandle, NULL); } // Use a separate thread so we don't block the main GUI or // the provider threads when explorer is not responding. (dmex) if (NT_SUCCESS(PhCreateThreadEx(&PhpTrayIconThreadHandle, PhNfpTrayIconUpdateThread, NULL))) { NtClose(PhpTrayIconThreadHandle); PhpTrayIconThreadHandle = NULL; } } PhEndInitOnce(&initOnce); } } PPH_NF_ICON PhNfRegisterIcon( _In_opt_ PPH_PLUGIN Plugin, _In_ ULONG Id, _In_ GUID Guid, _In_opt_ PVOID Context, _In_ PCWSTR Text, _In_ ULONG Flags, _In_opt_ PPH_NF_ICON_UPDATE_CALLBACK UpdateCallback, _In_opt_ PPH_NF_ICON_MESSAGE_CALLBACK MessageCallback ) { PPH_NF_ICON icon; icon = PhAllocateZero(sizeof(PH_NF_ICON)); icon->Plugin = Plugin; icon->SubId = Id; icon->Context = Context; icon->Pointers = &PhNfpPointers; icon->Text = Text; icon->Flags = Flags; icon->UpdateCallback = UpdateCallback; icon->MessageCallback = MessageCallback; icon->TextCache = PhReferenceEmptyString(); icon->IconId = PhTrayIconItemList->Count + 1; // HACK icon->IconGuid = Guid; PhAddItemList(PhTrayIconItemList, icon); return icon; } PPH_NF_ICON PhNfPluginRegisterIcon( _In_ PPH_PLUGIN Plugin, _In_ ULONG SubId, _In_ GUID Guid, _In_opt_ PVOID Context, _In_ PCWSTR Text, _In_ ULONG Flags, _In_ PPH_NF_ICON_REGISTRATION_DATA RegistrationData ) { return PhNfRegisterIcon( Plugin, SubId, Guid, Context, Text, Flags, RegistrationData->UpdateCallback, RegistrationData->MessageCallback ); } VOID PhNfLoadStage2( VOID ) { PhNfMiniInfoEnabled = !!PhGetIntegerSetting(SETTING_MINI_INFO_WINDOW_ENABLED); PhNfTransparencyEnabled = !!PhGetIntegerSetting(SETTING_ICON_TRANSPARENCY_ENABLED); PhNfPersistTrayIconPositionEnabled = !!PhGetIntegerSetting(SETTING_ICON_TRAY_PERSIST_GUID_ENABLED); if (PhNfPersistTrayIconPositionEnabled) { PhNfLoadGuids(); } PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_CPU_USAGE, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_CPU_USAGE], NULL, L"CPU &usage", 0, PhNfpCpuUsageIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_CPU_HISTORY, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_CPU_HISTORY], NULL, L"CPU &history", 0, PhNfpCpuHistoryIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_IO_HISTORY, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_IO_HISTORY], NULL, L"&I/O history", 0, PhNfpIoHistoryIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_COMMIT_HISTORY, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_COMMIT_HISTORY], NULL, L"&Commit charge history", 0, PhNfpCommitHistoryIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_PHYSICAL_HISTORY, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_PHYSICAL_HISTORY], NULL, L"&Physical memory history", 0, PhNfpPhysicalHistoryIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_CPU_TEXT, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_CPU_TEXT], NULL, L"CPU usage (text)", 0, PhNfpCpuUsageTextIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_IO_TEXT, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_IO_TEXT], NULL, L"IO usage (text)", 0, PhNfpIoUsageTextIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_COMMIT_TEXT, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_COMMIT_TEXT], NULL, L"Commit usage (text)", 0, PhNfpCommitTextIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_PHYSICAL_TEXT, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_PHYSICAL_TEXT], NULL, L"Physical usage (text)", 0, PhNfpPhysicalUsageTextIconUpdateCallback, NULL); PhNfRegisterIcon(NULL, PH_TRAY_ICON_ID_PLAIN_ICON, PhNfpTrayIconItemGuids[PH_TRAY_ICON_GUID_PLAIN_ICON], NULL, L"System Informer icon (static)", 0, PhNfpPlainIconUpdateCallback, NULL); if (PhPluginsEnabled) { PH_TRAY_ICON_POINTERS pointers; pointers.RegisterTrayIcon = (PPH_REGISTER_TRAY_ICON)PhNfPluginRegisterIcon; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackTrayIconsInitializing), &pointers); } // Load tray icon settings. PhNfLoadSettings(); //for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) //{ // PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; // // if (!BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) // continue; // // PhNfpAddNotifyIcon(icon); //} PhNfCreateIconThreadDelayed(); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhNfpProcessesUpdatedHandler, NULL, &PhNfpProcessesUpdatedRegistration ); } VOID PhNfUninitialization( VOID ) { #ifdef PH_NF_ENABLE_WORKQUEUE //LARGE_INTEGER timeout; if (PhpTrayIconEventHandle) NtSetEvent(PhpTrayIconEventHandle, NULL); #endif // Remove all icons to prevent them hanging around after we exit. for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (RtlInterlockedClearBits(&icon->Flags, PH_NF_ICON_ENABLED) == PH_NF_ICON_ENABLED) { PhNfpRemoveNotifyIcon(icon); } } //#ifdef PH_NF_ENABLE_WORKQUEUE // if (PhpTrayIconThreadHandle) // { // NtWaitForSingleObject(PhpTrayIconThreadHandle, FALSE, PhTimeoutFromMilliseconds(&timeout, 1000)); // } //#endif } VOID PhNfForwardMessage( _In_ HWND WindowHandle, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ) { ULONG iconIndex = HIWORD(LParam); PPH_NF_ICON registeredIcon = NULL; if (iconIndex == 0) return; for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (icon->IconId == iconIndex) { registeredIcon = icon; break; } } if (!registeredIcon) return; if (registeredIcon->MessageCallback) { if (registeredIcon->MessageCallback( registeredIcon, WParam, LParam, registeredIcon->Context )) { return; } } switch (LOWORD(LParam)) { case WM_LBUTTONDOWN: { if (PhGetIntegerSetting(SETTING_ICON_SINGLE_CLICK)) { SystemInformer_IconClick(); PhNfpDisableHover(); } else { IconClickUpDueToDown = TRUE; } } break; case WM_LBUTTONUP: { if (!PhGetIntegerSetting(SETTING_ICON_SINGLE_CLICK) && PhNfMiniInfoEnabled && IconClickUpDueToDown) { PH_NF_MSG_SHOWMINIINFOSECTION_DATA showMiniInfoSectionData; if (PhNfpGetShowMiniInfoSectionData(iconIndex, registeredIcon, &showMiniInfoSectionData)) { GetCursorPos(&IconClickLocation); if (IconClickShowMiniInfoSectionData.SectionName) { PhFree(IconClickShowMiniInfoSectionData.SectionName); IconClickShowMiniInfoSectionData.SectionName = NULL; } if (showMiniInfoSectionData.SectionName) { IconClickShowMiniInfoSectionData.SectionName = PhDuplicateStringZ(showMiniInfoSectionData.SectionName); } PhSetTimer(WindowHandle, TIMER_ICON_CLICK_ACTIVATE, GetDoubleClickTime() + NFP_ICON_CLICK_ACTIVATE_DELAY, PhNfpIconClickActivateTimerProc); } else { PhKillTimer(WindowHandle, TIMER_ICON_CLICK_ACTIVATE); } } } break; case WM_LBUTTONDBLCLK: { if (!PhGetIntegerSetting(SETTING_ICON_SINGLE_CLICK)) { if (PhNfMiniInfoEnabled) { // We will get another WM_LBUTTONUP message corresponding to the double-click, // and we need to make sure that it doesn't start the activation timer again. PhKillTimer(WindowHandle, TIMER_ICON_CLICK_ACTIVATE); IconClickUpDueToDown = FALSE; PhNfpDisableHover(); } SystemInformer_IconClick(); } } break; case WM_RBUTTONUP: case WM_CONTEXTMENU: { POINT location; if (!PhGetIntegerSetting(SETTING_ICON_SINGLE_CLICK) && PhNfMiniInfoEnabled) PhKillTimer(WindowHandle, TIMER_ICON_CLICK_ACTIVATE); PhNfpIconDisablePopupHoverWin11Workaround(); PhPinMiniInformation(MiniInfoIconPinType, -1, 0, 0, NULL, NULL); GetCursorPos(&location); PhShowIconContextMenu(WindowHandle, &location); } break; case NIN_KEYSELECT: { // HACK: explorer seems to send two NIN_KEYSELECT messages when the user selects the icon and presses ENTER. if (GetForegroundWindow() != WindowHandle) SystemInformer_IconClick(); } break; case NIN_BALLOONUSERCLICK: { if (!PhGetIntegerSetting(SETTING_ICON_IGNORE_BALLOON_CLICK)) PhShowDetailsForIconNotification(); } break; case NIN_POPUPOPEN: { if (WindowsVersion >= WINDOWS_11_22H2) { // NIN_POPUPOPEN is sent when the user hovers the cursor over an icon BUT Windows 11 either blocks the notification // or ignores the hover time and displays the popup instantly. We try and workaround the missing hover time by using // a timer to delay the popup for 1 second. If we get a NIN_POPUPCLOSE then cancel the timer and the popup. // Note: We only workaround the missing hover time not the blocked/missing NIN_POPUPOPEN notifications. If we want to workaround // the broken NIN_POPUPOPEN notifications on Win11 the tray icons also send WM_MOUSEMOSE and before NIN_POPUPOPEN existed // XP applications would compare the cursor position in a timer callback to show or hide the popup. (dmex) PopupIconIndex = iconIndex; PopupRegisteredIcon = registeredIcon; PhSetTimer(PhMainWndHandle, TIMER_ICON_POPUPOPEN, NFP_ICON_RESTORE_HOVER_DELAY, PhNfpIconShowPopupHoverTimerProc); } else { PH_NF_MSG_SHOWMINIINFOSECTION_DATA showMiniInfoSectionData; POINT location; if (PhNfMiniInfoEnabled && !IconDisableHover && PhNfpGetShowMiniInfoSectionData(iconIndex, registeredIcon, &showMiniInfoSectionData)) { GetCursorPos(&location); PhPinMiniInformation(MiniInfoIconPinType, 1, 0, PH_MINIINFO_DONT_CHANGE_SECTION_IF_PINNED, showMiniInfoSectionData.SectionName, &location); } } } break; case NIN_POPUPCLOSE: { PhNfpIconDisablePopupHoverWin11Workaround(); PhPinMiniInformation(MiniInfoIconPinType, -1, 350, 0, NULL, NULL); } break; } } VOID PhNfSetVisibleIcon( _In_ PPH_NF_ICON Icon, _In_ BOOLEAN Visible ) { if (Visible) { RtlInterlockedSetBits(&Icon->Flags, PH_NF_ICON_ENABLED); #ifndef PH_NF_ENABLE_WORKQUEUE PhNfpAddNotifyIcon(Icon); #else PPH_NF_WORKQUEUE_DATA data; data = PhAllocateZero(sizeof(PH_NF_WORKQUEUE_DATA)); data->Add = TRUE; data->Icon = Icon; RtlInterlockedPushEntrySList(&PhpTrayIconWorkQueueListHead, &data->ListEntry); #endif } else { RtlInterlockedClearBits(&Icon->Flags, PH_NF_ICON_ENABLED); #ifndef PH_NF_ENABLE_WORKQUEUE PhNfpRemoveNotifyIcon(Icon); #else PPH_NF_WORKQUEUE_DATA data; data = PhAllocateZero(sizeof(PH_NF_WORKQUEUE_DATA)); data->Delete = TRUE; data->Icon = Icon; RtlInterlockedPushEntrySList(&PhpTrayIconWorkQueueListHead, &data->ListEntry); #endif } #ifdef PH_NF_ENABLE_WORKQUEUE PhNfCreateIconThreadDelayed(); if (PhpTrayIconEventHandle) NtSetEvent(PhpTrayIconEventHandle, NULL); #endif } VOID NTAPI PhpToastCallback( _In_ HRESULT Result, _In_ PH_TOAST_REASON Reason, _In_ PVOID Context ) { if (Reason == PhToastReasonActivated) PhShowDetailsForIconNotification(); } HRESULT PhpShowToastNotification( _In_ PPH_STRING Title, _In_ PPH_STRING Text, _In_ ULONG Timeout, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context, _In_opt_ BOOLEAN Force ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_STRING iconFileName = NULL; PH_STRINGREF iconAppId = PH_STRINGREF_INIT(L""); PPH_STRING processAppId = NULL; HRESULT result; PPH_STRING toastXml; PH_FORMAT format[7]; if (!Force && !PhGetIntegerSetting(SETTING_TOAST_NOTIFY_ENABLED)) return E_FAIL; if (PhBeginInitOnce(&initOnce)) { iconFileName = PhGetApplicationDirectoryFileNameZ(L"Resources\\icon.png", FALSE); if (!PhDoesFileExistWin32(PhGetString(iconFileName))) PhClearReference(&iconFileName); PhEndInitOnce(&initOnce); } if (!iconFileName) return E_FAIL; if (HR_SUCCESS(PhAppResolverGetAppIdForProcess(NtCurrentProcessId(), &processAppId))) iconAppId = processAppId->sr; else { if (HR_SUCCESS(PhAppResolverGetAppIdForWindow(PhMainWndHandle, &processAppId))) iconAppId = processAppId->sr; else { PhInitializeStringRefLongHint(&iconAppId, PhApplicationName); } } result = PhInitializeToastRuntime(); if (HR_FAILED(result)) return result; //toastXml = PhFormatString( // L"\r\n" // L" \r\n" // L" \r\n" // L" \"red\r\n" // L" %ls\r\n" // L" %ls\r\n" // L" \r\n" // L" \r\n" // L"", // PhGetString(iconFileName), // Title, // Text // ); PhInitFormatS(&format[0], L"sr); PhInitFormatS(&format[2], L"\" alt=\"red graphic\"/>"); PhInitFormatSR(&format[3], Title->sr); PhInitFormatS(&format[4], L""); PhInitFormatSR(&format[5], Text->sr); PhInitFormatS(&format[6], L""); toastXml = PhFormat(format, RTL_NUMBER_OF(format), 0); result = PhShowToastStringRef( &iconAppId, &toastXml->sr, Timeout * 1000, ToastCallback, Context ); PhClearReference(&toastXml); PhClearReference(&processAppId); return result; } BOOLEAN PhNfpShowBalloonTip( _In_ PCWSTR Title, _In_ PCWSTR Text, _In_ ULONG Timeout ) { NOTIFYICONDATA notifyIcon; PPH_NF_ICON registeredIcon = NULL; for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (!BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) continue; registeredIcon = icon; break; } if (!registeredIcon) return FALSE; memset(¬ifyIcon, 0, sizeof(NOTIFYICONDATA)); notifyIcon.cbSize = sizeof(NOTIFYICONDATA); notifyIcon.uFlags = NIF_INFO; notifyIcon.hWnd = PhMainWndHandle; notifyIcon.uID = registeredIcon->IconId; if (PhNfPersistTrayIconPositionEnabled) { SetFlag(notifyIcon.uFlags, NIF_GUID); notifyIcon.guidItem = registeredIcon->IconGuid; } wcsncpy_s(notifyIcon.szInfoTitle, RTL_NUMBER_OF(notifyIcon.szInfoTitle), Title, _TRUNCATE); wcsncpy_s(notifyIcon.szInfo, RTL_NUMBER_OF(notifyIcon.szInfo), Text, _TRUNCATE); notifyIcon.uTimeout = Timeout; if (PhGetIntegerSetting(SETTING_ICON_BALLOON_SHOW_ICON) || WindowsVersion < WINDOWS_11) SetFlag(notifyIcon.dwInfoFlags, NIIF_INFO); if (PhGetIntegerSetting(SETTING_ICON_BALLOON_MUTE_SOUND)) SetFlag(notifyIcon.dwInfoFlags, NIIF_NOSOUND); PhShellNotifyIcon(NIM_MODIFY, ¬ifyIcon); return TRUE; } BOOLEAN PhNfShowBalloonTip( _In_ PCWSTR Title, _In_ PCWSTR Text, _In_ ULONG Timeout ) { if (!PhNfIconsEnabled()) { return FALSE; } #ifndef PH_NF_ENABLE_WORKQUEUE return PhNfpShowBalloonTip(Title, Text, Timeout); #else PPH_NF_WORKQUEUE_DATA data; data = PhAllocateZero(sizeof(PH_NF_WORKQUEUE_DATA)); data->ShowBalloon = TRUE; data->BalloonTitle = Title ? PhCreateString(Title) : NULL; data->BalloonText = Text ? PhCreateString(Text) : NULL; data->BalloonTimeout = Timeout; RtlInterlockedPushEntrySList(&PhpTrayIconWorkQueueListHead, &data->ListEntry); #endif return TRUE; } HRESULT PhNfShowBalloonTipEx( _In_ PCWSTR Title, _In_ PCWSTR Text, _In_ ULONG Timeout, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ) { PPH_STRING BalloonTitle; PPH_STRING BalloonText; BalloonTitle = Title ? PhCreateString(Title) : NULL; BalloonText = Text ? PhCreateString(Text) : NULL; return PhpShowToastNotification( BalloonTitle, BalloonText, Timeout, ToastCallback, Context, TRUE ); } HICON PhNfBitmapToIcon( _In_ HBITMAP Bitmap ) { HICON iconHandle; HBITMAP mask; ICONINFO iconInfo; // Create a monochrome mask bitmap for the icon. { BITMAP bitmapInfo; memset(&bitmapInfo, 0, sizeof(BITMAP)); if (GetObject(Bitmap, sizeof(BITMAP), &bitmapInfo) == 0) return NULL; if (!(mask = CreateBitmap(bitmapInfo.bmWidth, bitmapInfo.bmHeight, 1, 1, NULL))) return NULL; } memset(&iconInfo, 0, sizeof(ICONINFO)); iconInfo.fIcon = TRUE; iconInfo.xHotspot = 0; iconInfo.yHotspot = 0; iconInfo.hbmMask = mask; iconInfo.hbmColor = Bitmap; iconHandle = CreateIconIndirect(&iconInfo); DeleteBitmap(mask); return iconHandle; } PPH_NF_ICON PhNfGetIconById( _In_ ULONG SubId ) { for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (icon->SubId == SubId) return icon; } return NULL; } PPH_NF_ICON PhNfFindIcon( _In_ PPH_STRINGREF PluginName, _In_ ULONG SubId ) { for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (icon->Plugin) { if (icon->SubId == SubId && PhEqualStringRef(PluginName, &icon->Plugin->Name, TRUE)) { return icon; } } } return NULL; } BOOLEAN PhNfIconsEnabled( VOID ) { // Note: We can't check the list because delayed initialization (dmex) //BOOLEAN enabled = FALSE; // //for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) //{ // PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; // // if (BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) // { // enabled = TRUE; // break; // } //} // //return enabled; PPH_STRING settingsString; settingsString = PhGetStringSetting(SETTING_ICON_SETTINGS); if (PhIsNullOrEmptyString(settingsString)) { PhClearReference(&settingsString); return FALSE; } PhClearReference(&settingsString); return TRUE; } VOID PhNfNotifyMiniInfoPinned( _In_ BOOLEAN Pinned ) { if (PhNfMiniInfoPinned != Pinned) { PhNfMiniInfoPinned = Pinned; // Go through every icon and set/clear the NIF_SHOWTIP flag depending on whether the mini info window is // pinned. If it's pinned then we want to show normal tooltips, because the section doesn't change // automatically when the cursor hovers over an icon. for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (!BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) continue; PhNfpModifyNotifyIcon(icon, NIF_TIP, icon->TextCache, NULL); } } } HICON PhNfGetApplicationIcon( _In_opt_ LONG DpiValue ) { if (DpiValue != 0 && PhNfAppTrayIcon) { DestroyIcon(PhNfAppTrayIcon); PhNfAppTrayIcon = NULL; } if (!PhNfAppTrayIcon) { if (DpiValue == 0) { DpiValue = PhGetTaskbarDpi(); } PhNfAppTrayIcon = PhGetApplicationIconEx(FALSE, DpiValue); } return PhNfAppTrayIcon; } HICON PhNfpGetBlackIcon( VOID ) { if (!PhNfpBlackIcon) { ULONG width; ULONG height; PVOID bits; HDC hdc; HBITMAP mask; HBITMAP oldBitmap; ICONINFO iconInfo; PhNfpBeginBitmap2(&PhNfpBlackBitmapContext, &width, &height, &PhNfpBlackBitmap, &bits, &hdc, &oldBitmap); memset(bits, PhNfTransparencyEnabled ? 1 : 0, width * height * sizeof(RGBQUAD)); // Create a monochrome mask bitmap for the icon. if (!(mask = CreateBitmap(width, height, 1, 1, NULL))) return NULL; iconInfo.fIcon = TRUE; iconInfo.xHotspot = 0; iconInfo.yHotspot = 0; iconInfo.hbmMask = mask; iconInfo.hbmColor = PhNfpBlackBitmap; PhNfpBlackIcon = CreateIconIndirect(&iconInfo); SelectBitmap(hdc, oldBitmap); DeleteBitmap(mask); } return PhNfpBlackIcon; } #define COLORREF_TO_BITS(Color) (_byteswap_ulong(Color) >> 8) VOID PhDrawTrayIconText( _In_ HDC hdc, _In_ PVOID Bits, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ PPH_STRINGREF Text ) { PULONG bits = Bits; LONG width = DrawInfo->Width; LONG height = DrawInfo->Height; LONG numberOfPixels = width * height; ULONG flags = DrawInfo->Flags; HFONT oldFont = NULL; SIZE textSize; PH_RECTANGLE boxRectangle; PH_RECTANGLE textRectangle; if (DrawInfo->BackColor == 0) { memset(bits, 0, numberOfPixels * sizeof(RGBQUAD)); } else { PhFillMemoryUlong(bits, COLORREF_TO_BITS(DrawInfo->BackColor), numberOfPixels); } if (DrawInfo->TextFont) oldFont = SelectFont(hdc, DrawInfo->TextFont); DrawInfo->Text = *Text; GetTextExtentPoint32(hdc, Text->Buffer, (ULONG)Text->Length / sizeof(WCHAR), &textSize); // Calculate the box rectangle. boxRectangle.Width = textSize.cx; boxRectangle.Height = textSize.cy; boxRectangle.Left = (DrawInfo->Width - boxRectangle.Width) / (LONG)sizeof(WCHAR); boxRectangle.Top = (DrawInfo->Height - boxRectangle.Height) / (LONG)sizeof(WCHAR); // Calculate the text rectangle. textRectangle.Left = boxRectangle.Left; textRectangle.Top = boxRectangle.Top; textRectangle.Width = textSize.cx; textRectangle.Height = textSize.cy; // Save the rectangles. PhRectangleToRect(&DrawInfo->TextRect, &textRectangle); PhRectangleToRect(&DrawInfo->TextBoxRect, &boxRectangle); SetBkMode(hdc, TRANSPARENT); // Fill in the text box. //SetDCBrushColor(hdc, DrawInfo->TextBoxColor); //FillRect(hdc, &DrawInfo->TextBoxRect, GetStockBrush(DC_BRUSH)); // Draw the text. SetTextColor(hdc, DrawInfo->TextColor); DrawText(hdc, DrawInfo->Text.Buffer, (ULONG)DrawInfo->Text.Length / sizeof(WCHAR), &DrawInfo->TextRect, DT_NOCLIP | DT_SINGLELINE); if (oldFont) SelectFont(hdc, oldFont); } HFONT PhNfGetTrayIconFont( _In_opt_ LONG DpiValue ) { if (DpiValue != 0 && PhNfTrayIconFont) { DeleteFont(PhNfTrayIconFont); PhNfTrayIconFont = NULL; } if (!PhNfTrayIconFont) { if (DpiValue == 0) { DpiValue = PhGetTaskbarDpi(); } PhNfTrayIconFont = CreateFont( PhGetDpi(-11, DpiValue), 0, 0, 0, FW_NORMAL, FALSE, FALSE, FALSE, ANSI_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, ANTIALIASED_QUALITY, DEFAULT_PITCH, L"Tahoma" ); } return PhNfTrayIconFont; } BOOLEAN PhNfpAddNotifyIcon( _In_ PPH_NF_ICON Icon ) { NOTIFYICONDATA notifyIcon; if (PhMainWndExiting) return FALSE; memset(¬ifyIcon, 0, sizeof(NOTIFYICONDATA)); notifyIcon.cbSize = sizeof(NOTIFYICONDATA); notifyIcon.hWnd = PhMainWndHandle; notifyIcon.uID = Icon->IconId; notifyIcon.uFlags = NIF_ICON | NIF_MESSAGE | NIF_TIP; notifyIcon.uCallbackMessage = WM_PH_NOTIFY_ICON_MESSAGE; if (PhNfPersistTrayIconPositionEnabled) { SetFlag(notifyIcon.uFlags, NIF_GUID); notifyIcon.guidItem = Icon->IconGuid; } wcsncpy_s( notifyIcon.szTip, RTL_NUMBER_OF(notifyIcon.szTip), PhGetStringOrDefault(Icon->TextCache, PhApplicationName), _TRUNCATE ); //notifyIcon.hIcon = PhNfpGetBlackIcon(); notifyIcon.hIcon = PhGetApplicationIcon(TRUE); // Fixes GH#1845 (dmex) if (!PhNfMiniInfoEnabled || PhNfMiniInfoPinned || FlagOn(Icon->Flags, PH_NF_ICON_NOSHOW_MINIINFO)) SetFlag(notifyIcon.uFlags, NIF_SHOWTIP); PhShellNotifyIcon(NIM_ADD, ¬ifyIcon); notifyIcon.uVersion = NOTIFYICON_VERSION_4; PhShellNotifyIcon(NIM_SETVERSION, ¬ifyIcon); return TRUE; } BOOLEAN PhNfpRemoveNotifyIcon( _In_ PPH_NF_ICON Icon ) { NOTIFYICONDATA notifyIcon; memset(¬ifyIcon, 0, sizeof(NOTIFYICONDATA)); notifyIcon.cbSize = sizeof(NOTIFYICONDATA); notifyIcon.hWnd = PhMainWndHandle; notifyIcon.uID = Icon->IconId; if (PhNfPersistTrayIconPositionEnabled) { SetFlag(notifyIcon.uFlags, NIF_GUID); notifyIcon.guidItem = Icon->IconGuid; } PhShellNotifyIcon(NIM_DELETE, ¬ifyIcon); return TRUE; } BOOLEAN PhNfpModifyNotifyIcon( _In_ PPH_NF_ICON Icon, _In_ ULONG Flags, _In_opt_ PPH_STRING Text, _In_opt_ HICON IconHandle ) { NOTIFYICONDATA notifyIcon; if (PhMainWndExiting) return FALSE; if (BooleanFlagOn(Icon->Flags, PH_NF_ICON_UNAVAILABLE)) return FALSE; memset(¬ifyIcon, 0, sizeof(NOTIFYICONDATA)); notifyIcon.cbSize = sizeof(NOTIFYICONDATA); notifyIcon.uFlags = Flags; notifyIcon.hWnd = PhMainWndHandle; notifyIcon.uID = Icon->IconId; notifyIcon.hIcon = IconHandle; if (PhNfPersistTrayIconPositionEnabled) { SetFlag(notifyIcon.uFlags, NIF_GUID); notifyIcon.guidItem = Icon->IconGuid; } if (!PhNfMiniInfoEnabled || PhNfMiniInfoPinned || FlagOn(Icon->Flags, PH_NF_ICON_NOSHOW_MINIINFO)) SetFlag(notifyIcon.uFlags, NIF_SHOWTIP); if (FlagOn(Flags, NIF_TIP)) { PhSwapReference(&Icon->TextCache, Text); wcsncpy_s(notifyIcon.szTip, RTL_NUMBER_OF(notifyIcon.szTip), PhGetStringOrDefault(Text, PhApplicationName), _TRUNCATE); } if (!PhShellNotifyIcon(NIM_MODIFY, ¬ifyIcon)) { // Explorer probably died and we lost our icon. Try to add the icon, and try again. PhNfpAddNotifyIcon(Icon); PhShellNotifyIcon(NIM_MODIFY, ¬ifyIcon); } return TRUE; } //BOOLEAN PhNfpGetNotifyIconRect( // _In_ ULONG Id, // _In_opt_ PPH_RECTANGLE IconRectangle // ) //{ // NOTIFYICONIDENTIFIER notifyIconId = { sizeof(NOTIFYICONIDENTIFIER) }; // PPH_NF_ICON icon; // RECT notifyRect; // // if (PhMainWndExiting) // return FALSE; // if ((icon = PhNfGetIconById(Id)) && (icon->Flags & PH_NF_ICON_UNAVAILABLE)) // return FALSE; // // notifyIconId.hWnd = PhMainWndHandle; // notifyIconId.uID = Id; // // if (SUCCEEDED(Shell_NotifyIconGetRect(¬ifyIconId, ¬ifyRect))) // { // *IconRectangle = PhRectToRectangle(notifyRect); // return TRUE; // } // // return FALSE; //} #ifdef PH_NF_ENABLE_WORKQUEUE VOID PhNfTrayIconFlushWorkQueueData( VOID ) { PSLIST_ENTRY entry; PPH_NF_WORKQUEUE_DATA data; entry = RtlInterlockedFlushSList(&PhpTrayIconWorkQueueListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_NF_WORKQUEUE_DATA, ListEntry); entry = entry->Next; if (PhMainWndExiting) break; if (data->Add) { PhNfpAddNotifyIcon(data->Icon); } if (data->Delete) { PhNfpRemoveNotifyIcon(data->Icon); } if (data->ShowBalloon) { if (!HR_SUCCESS(PhpShowToastNotification( data->BalloonTitle, data->BalloonText, data->BalloonTimeout, PhpToastCallback, NULL, FALSE ))) { PhNfpShowBalloonTip( PhGetString(data->BalloonTitle), PhGetString(data->BalloonText), data->BalloonTimeout ); } PhClearReference(&data->BalloonTitle); PhClearReference(&data->BalloonText); } PhFree(data); } } #endif _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhNfpTrayIconUpdateThread( _In_opt_ PVOID Context ) { PhSetThreadName(NtCurrentThread(), L"TrayIconUpdateThread"); for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (!BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) continue; PhNfpAddNotifyIcon(icon); } while (TRUE) { if (PhMainWndExiting) break; if (!(PhpTrayIconEventHandle && PhNfIconsEnabled())) { PhDelayExecution(1000); continue; } if (NT_SUCCESS(NtWaitForSingleObject(PhpTrayIconEventHandle, FALSE, NULL))) { #ifdef PH_NF_ENABLE_WORKQUEUE PhNfTrayIconFlushWorkQueueData(); #endif for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (!BooleanFlagOn(icon->Flags, PH_NF_ICON_ENABLED)) continue; if (PhMainWndExiting) break; PhNfpUpdateRegisteredIcon(icon); } } } #ifdef PH_NF_ENABLE_WORKQUEUE // Remove all icons to prevent them hanging around after we exit. for (ULONG i = 0; i < PhTrayIconItemList->Count; i++) { PPH_NF_ICON icon = PhTrayIconItemList->Items[i]; if (RtlInterlockedClearBits(&icon->Flags, PH_NF_ICON_ENABLED) == PH_NF_ICON_ENABLED) { PhNfpRemoveNotifyIcon(icon); } } #endif return STATUS_SUCCESS; } _Function_class_(PH_CALLBACK_FUNCTION) VOID PhNfpProcessesUpdatedHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { ULONG runCount = PtrToUlong(Parameter); // Update the icons on a separate thread so we don't block the main window // or provider threads when explorer is not responding. (dmex) if (runCount < 3) return; if (PhpTrayIconEventHandle)// && PhNfIconsEnabled()) { NtSetEvent(PhpTrayIconEventHandle, NULL); } } VOID PhNfpUpdateRegisteredIcon( _In_ PPH_NF_ICON Icon ) { PVOID newIconOrBitmap; ULONG updateFlags; PPH_STRING newText; HICON newIcon; ULONG flags; if (!Icon->UpdateCallback) return; newIconOrBitmap = NULL; newText = NULL; newIcon = NULL; flags = 0; Icon->UpdateCallback( Icon, &newIconOrBitmap, &updateFlags, &newText, Icon->Context ); if (newIconOrBitmap) { if (FlagOn(updateFlags, PH_NF_UPDATE_IS_BITMAP)) newIcon = PhNfBitmapToIcon(newIconOrBitmap); else newIcon = newIconOrBitmap; SetFlag(flags, NIF_ICON); } if (newText) SetFlag(flags, NIF_TIP); if (flags != 0) PhNfpModifyNotifyIcon(Icon, flags, newText, newIcon); if (newIcon && FlagOn(updateFlags, PH_NF_UPDATE_IS_BITMAP)) DestroyIcon(newIcon); if (newIconOrBitmap && FlagOn(updateFlags, PH_NF_UPDATE_DESTROY_RESOURCE)) { if (FlagOn(updateFlags, PH_NF_UPDATE_IS_BITMAP)) DeleteBitmap(newIconOrBitmap); else DestroyIcon(newIconOrBitmap); } if (newText) PhDereferenceObject(newText); } _Function_class_(PH_NF_BEGIN_BITMAP) VOID PhNfpBeginBitmap( _Out_ PULONG Width, _Out_ PULONG Height, _Out_ HBITMAP *Bitmap, _Out_opt_ PVOID *Bits, _Out_ HDC *Hdc, _Out_ HBITMAP *OldBitmap ) { PhNfpBeginBitmap2(&PhNfpDefaultBitmapContext, Width, Height, Bitmap, Bits, Hdc, OldBitmap); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpBeginBitmap2( _Inout_ PPH_NF_BITMAP Context, _Out_ PULONG Width, _Out_ PULONG Height, _Out_ HBITMAP *Bitmap, _Out_opt_ PVOID *Bits, _Out_ HDC *Hdc, _Out_ HBITMAP *OldBitmap ) { LONG dpiValue = PhGetTaskbarDpi(); // Initialize and cache the current system metrics. (dmex) if (Context->TaskbarDpi == 0 || Context->TaskbarDpi != dpiValue) { Context->Width = PhGetSystemMetrics(SM_CXSMICON, dpiValue); Context->Height = PhGetSystemMetrics(SM_CXSMICON, dpiValue); // Re-initialize fonts with updated DPI (only when there's an existing handle). (dmex) //PhNfGetTrayIconFont(dpiValue); //PhNfGetApplicationIcon(dpiValue); } // Cleanup existing resources when the DPI changes so we're able to re-initialize with updated DPI. (dmex) if (Context->TaskbarDpi != 0 && Context->TaskbarDpi != dpiValue) { if (PhNfpBlackIcon) { DestroyIcon(PhNfpBlackIcon); PhNfpBlackIcon = NULL; } if (Context->Hdc) { DeleteDC(Context->Hdc); Context->Hdc = NULL; } if (Context->Bitmap) { DeleteBitmap(Context->Bitmap); Context->Bitmap = NULL; } Context->Initialized = FALSE; } if (!Context->Initialized) { BITMAPINFO bitmapInfo; memset(&bitmapInfo, 0, sizeof(BITMAPINFO)); bitmapInfo.bmiHeader.biSize = sizeof(BITMAPINFOHEADER); bitmapInfo.bmiHeader.biPlanes = 1; bitmapInfo.bmiHeader.biCompression = BI_RGB; bitmapInfo.bmiHeader.biWidth = Context->Width; bitmapInfo.bmiHeader.biHeight = Context->Height; bitmapInfo.bmiHeader.biBitCount = 32; Context->Hdc = CreateCompatibleDC(NULL); Context->Bitmap = CreateDIBSection(Context->Hdc, &bitmapInfo, DIB_RGB_COLORS, &Context->Bits, NULL, 0); Context->TaskbarDpi = dpiValue; Context->Initialized = TRUE; } *Width = Context->Width; *Height = Context->Height; *Bitmap = Context->Bitmap; if (Bits) *Bits = Context->Bits; *Hdc = Context->Hdc; if (Context->Bitmap) *OldBitmap = SelectBitmap(Context->Hdc, Context->Bitmap); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCpuHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, PH_GRAPH_USE_LINE_2, 2, RGB(0x00, 0x00, 0x00), 16, NULL, NULL, 0, 0, 0, 0 }; ULONG maxDataCount; ULONG lineDataCount; PFLOAT lineData1; PFLOAT lineData2; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; HANDLE maxCpuProcessId; PPH_PROCESS_ITEM maxCpuProcessItem; PH_FORMAT format[8]; // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); maxDataCount = drawInfo.Width / 2 + 1; lineData1 = _malloca(maxDataCount * sizeof(FLOAT)); lineData2 = _malloca(maxDataCount * sizeof(FLOAT)); if (!(lineData1 && lineData2)) return; lineDataCount = min(maxDataCount, PhCpuKernelHistory.Count); PhCopyCircularBuffer_FLOAT(&PhCpuKernelHistory, lineData1, lineDataCount); PhCopyCircularBuffer_FLOAT(&PhCpuUserHistory, lineData2, lineDataCount); drawInfo.LineDataCount = lineDataCount; drawInfo.LineData1 = lineData1; drawInfo.LineData2 = lineData2; drawInfo.LineColor1 = PhCsColorCpuKernel; drawInfo.LineColor2 = PhCsColorCpuUser; drawInfo.LineBackColor1 = PhHalveColorBrightness(PhCsColorCpuKernel); drawInfo.LineBackColor2 = PhHalveColorBrightness(PhCsColorCpuUser); PhDrawGraphDirect(hdc, bits, &drawInfo); if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text if (PhMaxCpuHistory.Count != 0) maxCpuProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&PhMaxCpuHistory, 0)); else maxCpuProcessId = NULL; if (maxCpuProcessId) maxCpuProcessItem = PhReferenceProcessItem(maxCpuProcessId); else maxCpuProcessItem = NULL; PhInitFormatS(&format[0], L"CPU history: "); PhInitFormatF(&format[1], (PhCpuKernelUsage + PhCpuUserUsage) * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[2], '%'); if (maxCpuProcessItem) { PhInitFormatC(&format[3], '\n'); PhInitFormatSR(&format[4], maxCpuProcessItem->ProcessName->sr); PhInitFormatS(&format[5], L": "); PhInitFormatF(&format[6], maxCpuProcessItem->CpuUsage * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[7], '%'); } *NewText = PhFormat(format, maxCpuProcessItem ? 8 : 3, 0); if (maxCpuProcessItem) PhDereferenceObject(maxCpuProcessItem); _freea(lineData2); _freea(lineData1); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpIoHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, PH_GRAPH_USE_LINE_2, 2, RGB(0x00, 0x00, 0x00), 16, NULL, NULL, 0, 0, 0, 0 }; ULONG maxDataCount; ULONG lineDataCount; PFLOAT lineData1; PFLOAT lineData2; FLOAT max; ULONG i; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; HANDLE maxIoProcessId; PPH_PROCESS_ITEM maxIoProcessItem; PH_FORMAT format[8]; // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); maxDataCount = drawInfo.Width / 2 + 1; lineData1 = _malloca(maxDataCount * sizeof(FLOAT)); lineData2 = _malloca(maxDataCount * sizeof(FLOAT)); if (!(lineData1 && lineData2)) return; lineDataCount = min(maxDataCount, PhIoReadHistory.Count); max = 1024 * 1024; // minimum scaling of 1 MB. for (i = 0; i < lineDataCount; i++) { lineData1[i] = (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoReadHistory, i) + (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoOtherHistory, i); lineData2[i] = (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoWriteHistory, i); if (max < lineData1[i] + lineData2[i]) max = lineData1[i] + lineData2[i]; } PhDivideSinglesBySingle(lineData1, max, lineDataCount); PhDivideSinglesBySingle(lineData2, max, lineDataCount); drawInfo.LineDataCount = lineDataCount; drawInfo.LineData1 = lineData1; drawInfo.LineData2 = lineData2; drawInfo.LineColor1 = PhCsColorIoReadOther; drawInfo.LineColor2 = PhCsColorIoWrite; drawInfo.LineBackColor1 = PhHalveColorBrightness(PhCsColorIoReadOther); drawInfo.LineBackColor2 = PhHalveColorBrightness(PhCsColorIoWrite); PhDrawGraphDirect(hdc, bits, &drawInfo); if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text if (PhMaxIoHistory.Count != 0) maxIoProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&PhMaxIoHistory, 0)); else maxIoProcessId = NULL; if (maxIoProcessId) maxIoProcessItem = PhReferenceProcessItem(maxIoProcessId); else maxIoProcessItem = NULL; PhInitFormatS(&format[0], L"I/O\nR: "); PhInitFormatSize(&format[1], PhIoReadDelta.Delta); PhInitFormatS(&format[2], L"\nW: "); PhInitFormatSize(&format[3], PhIoWriteDelta.Delta); PhInitFormatS(&format[4], L"\nO: "); PhInitFormatSize(&format[5], PhIoOtherDelta.Delta); if (maxIoProcessItem) { PhInitFormatC(&format[6], '\n'); PhInitFormatSR(&format[7], maxIoProcessItem->ProcessName->sr); } *NewText = PhFormat(format, maxIoProcessItem ? 8 : 6, 0); if (maxIoProcessItem) PhDereferenceObject(maxIoProcessItem); _freea(lineData2); _freea(lineData1); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCommitHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, 0, 2, RGB(0x00, 0x00, 0x00), 16, NULL, NULL, 0, 0, 0, 0 }; ULONG maxDataCount; ULONG lineDataCount; PFLOAT lineData1; ULONG i; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; FLOAT commitFraction; PH_FORMAT format[5]; // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); maxDataCount = drawInfo.Width / 2 + 1; lineData1 = _malloca(maxDataCount * sizeof(FLOAT)); if (!lineData1) return; lineDataCount = min(maxDataCount, PhCommitHistory.Count); for (i = 0; i < lineDataCount; i++) lineData1[i] = (FLOAT)PhGetItemCircularBuffer_ULONG(&PhCommitHistory, i); PhDivideSinglesBySingle(lineData1, (FLOAT)PhPerfInformation.CommitLimit, lineDataCount); drawInfo.LineDataCount = lineDataCount; drawInfo.LineData1 = lineData1; drawInfo.LineColor1 = PhCsColorPrivate; drawInfo.LineBackColor1 = PhHalveColorBrightness(PhCsColorPrivate); PhDrawGraphDirect(hdc, bits, &drawInfo); if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text commitFraction = (FLOAT)PhPerfInformation.CommittedPages / (FLOAT)PhPerfInformation.CommitLimit; PhInitFormatS(&format[0], L"Commit: "); PhInitFormatSize(&format[1], UInt32x32To64(PhPerfInformation.CommittedPages, PAGE_SIZE)); PhInitFormatS(&format[2], L" ("); PhInitFormatF(&format[3], commitFraction * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[4], L"%)"); *NewText = PhFormat(format, 5, 0); _freea(lineData1); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpPhysicalHistoryIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, 0, 2, RGB(0x00, 0x00, 0x00), 16, NULL, NULL, 0, 0, 0, 0 }; ULONG maxDataCount; ULONG lineDataCount; PFLOAT lineData1; ULONG i; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; ULONG_PTR physicalUsage; FLOAT physicalFraction; PH_FORMAT format[5]; // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); maxDataCount = drawInfo.Width / 2 + 1; lineData1 = _malloca(maxDataCount * sizeof(FLOAT)); if (!lineData1) return; lineDataCount = min(maxDataCount, PhPhysicalHistory.Count); for (i = 0; i < lineDataCount; i++) lineData1[i] = (FLOAT)PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, i); PhDivideSinglesBySingle(lineData1, (FLOAT)PhSystemBasicInformation.NumberOfPhysicalPages, lineDataCount); drawInfo.LineDataCount = lineDataCount; drawInfo.LineData1 = lineData1; drawInfo.LineColor1 = PhCsColorPhysical; drawInfo.LineBackColor1 = PhHalveColorBrightness(PhCsColorPhysical); PhDrawGraphDirect(hdc, bits, &drawInfo); if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text physicalUsage = PhSystemBasicInformation.NumberOfPhysicalPages - PhPerfInformation.AvailablePages; physicalFraction = (FLOAT)physicalUsage / (FLOAT)PhSystemBasicInformation.NumberOfPhysicalPages; PhInitFormatS(&format[0], L"Physical memory: "); PhInitFormatSize(&format[1], UInt32x32To64(physicalUsage, PAGE_SIZE)); PhInitFormatS(&format[2], L" ("); PhInitFormatF(&format[3], physicalFraction * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[4], L"%)"); *NewText = PhFormat(format, 5, 0); _freea(lineData1); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCpuUsageIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { LONG width; LONG height; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; PH_FORMAT format[5]; HANDLE maxCpuProcessId; PPH_PROCESS_ITEM maxCpuProcessItem; PPH_STRING maxCpuText = NULL; // Icon Icon->Pointers->BeginBitmap(&width, &height, &bitmap, &bits, &hdc, &oldBitmap); // This stuff is copied from CpuUsageIcon.cs (PH 1.x). { COLORREF kColor = PhCsColorCpuKernel; COLORREF uColor = PhCsColorCpuUser; COLORREF kbColor = PhHalveColorBrightness(PhCsColorCpuKernel); COLORREF ubColor = PhHalveColorBrightness(PhCsColorCpuUser); FLOAT k = PhCpuKernelUsage; FLOAT u = PhCpuUserUsage; LONG kl = (LONG)(k * height); LONG ul = (LONG)(u * height); RECT rect; HBRUSH dcBrush; HPEN dcPen; POINT points[2]; dcBrush = PhGetStockBrush(DC_BRUSH); dcPen = PhGetStockPen(DC_PEN); rect.left = 0; rect.top = 0; rect.right = width; rect.bottom = height; SetDCBrushColor(hdc, RGB(0x00, 0x00, 0x00)); FillRect(hdc, &rect, dcBrush); // Draw the base line. if (kl + ul == 0) { SelectPen(hdc, dcPen); SetDCPenColor(hdc, uColor); points[0].x = 0; points[0].y = height - 1; points[1].x = width; points[1].y = height - 1; Polyline(hdc, points, 2); } else { rect.left = 0; rect.top = height - ul - kl; rect.right = width; rect.bottom = height - kl; SetDCBrushColor(hdc, ubColor); FillRect(hdc, &rect, dcBrush); points[0].x = 0; points[0].y = height - 1 - ul - kl; if (points[0].y < 0) points[0].y = 0; points[1].x = width; points[1].y = points[0].y; SelectPen(hdc, dcPen); SetDCPenColor(hdc, uColor); Polyline(hdc, points, 2); if (kl != 0) { rect.left = 0; rect.top = height - kl; rect.right = width; rect.bottom = height; SetDCBrushColor(hdc, kbColor); FillRect(hdc, &rect, dcBrush); points[0].x = 0; points[0].y = height - 1 - kl; if (points[0].y < 0) points[0].y = 0; points[1].x = width; points[1].y = points[0].y; SelectPen(hdc, dcPen); SetDCPenColor(hdc, kColor); Polyline(hdc, points, 2); } } } if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, width, height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text if (PhMaxCpuHistory.Count != 0) maxCpuProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&PhMaxCpuHistory, 0)); else maxCpuProcessId = NULL; if (maxCpuProcessId) { if (maxCpuProcessItem = PhReferenceProcessItem(maxCpuProcessId)) { // \n%s: %.2f%% PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxCpuProcessItem->ProcessName->sr); PhInitFormatS(&format[2], L": "); PhInitFormatF(&format[3], maxCpuProcessItem->CpuUsage * 100.f, PhMaxPrecisionUnit); PhInitFormatC(&format[4], L'%'); maxCpuText = PhFormat(format, 5, 0); //maxCpuText = PhFormatString( // L"\n%s: %.2f%%", // maxCpuProcessItem->ProcessName->Buffer, // maxCpuProcessItem->CpuUsage * 100 // ); PhDereferenceObject(maxCpuProcessItem); } } PhInitFormatS(&format[0], L"CPU usage: "); PhInitFormatF(&format[1], (PhCpuKernelUsage + PhCpuUserUsage) * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[2], L'%'); if (maxCpuText) PhInitFormatSR(&format[3], maxCpuText->sr); else PhInitFormatC(&format[3], L' '); *NewText = PhFormat(format, 4, 0); //*NewText = PhFormatString(L"CPU usage: %.2f%%%s", (PhCpuKernelUsage + PhCpuUserUsage) * 100, PhGetStringOrEmpty(maxCpuText)); if (maxCpuText) PhDereferenceObject(maxCpuText); } // Text icons _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCpuUsageTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, 0, 2, RGB(0x00, 0x00, 0x00), 16, NULL, NULL, 0, 0, 0, 0 }; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; PH_FORMAT format[5]; HANDLE maxCpuProcessId; PPH_PROCESS_ITEM maxCpuProcessItem; PPH_STRING maxCpuText = NULL; PPH_STRING text; // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); PhInitFormatF(&format[0], (PhCpuKernelUsage + PhCpuUserUsage) * 100.f, 0); text = PhFormat(format, 1, 0); drawInfo.TextFont = PhNfGetTrayIconFont(0); drawInfo.TextColor = PhCsColorCpuKernel; PhDrawTrayIconText(hdc, bits, &drawInfo, &text->sr); PhDereferenceObject(text); if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text if (PhMaxCpuHistory.Count != 0) maxCpuProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&PhMaxCpuHistory, 0)); else maxCpuProcessId = NULL; if (maxCpuProcessId) { if (maxCpuProcessItem = PhReferenceProcessItem(maxCpuProcessId)) { PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxCpuProcessItem->ProcessName->sr); PhInitFormatS(&format[2], L": "); PhInitFormatF(&format[3], maxCpuProcessItem->CpuUsage * 100.f, PhMaxPrecisionUnit); PhInitFormatC(&format[4], L'%'); maxCpuText = PhFormat(format, 5, 0); //maxCpuText = PhFormatString( // L"\n%s: %.2f%%", // maxCpuProcessItem->ProcessName->Buffer, // maxCpuProcessItem->CpuUsage * 100 // ); PhDereferenceObject(maxCpuProcessItem); } } PhInitFormatS(&format[0], L"CPU usage: "); PhInitFormatF(&format[1], (PhCpuKernelUsage + PhCpuUserUsage) * 100.f, PhMaxPrecisionUnit); PhInitFormatC(&format[2], L'%'); if (maxCpuText) PhInitFormatSR(&format[3], maxCpuText->sr); else PhInitFormatC(&format[3], L' '); *NewText = PhFormat(format, 4, 0); //*NewText = PhFormatString(L"CPU usage: %.2f%%%s", (PhCpuKernelUsage + PhCpuUserUsage) * 100, PhGetStringOrEmpty(maxCpuText)); if (maxCpuText) PhDereferenceObject(maxCpuText); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpIoUsageTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, 0, 0, RGB(0x00, 0x00, 0x00), 0, NULL, NULL, 0, 0, 0, 0 }; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; HANDLE maxIoProcessId; PPH_PROCESS_ITEM maxIoProcessItem; PH_FORMAT format[8]; PPH_STRING text; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; static ULONG64 maxValue = UInt32x32To64(100000, 1024); // minimum scaling of 100 MB. // TODO: Reset maxValue every X amount of time. // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); drawInfo.TextFont = PhNfGetTrayIconFont(0); drawInfo.TextColor = PhCsColorIoReadOther; if (maxValue < (PhIoReadDelta.Delta + PhIoWriteDelta.Delta + PhIoOtherDelta.Delta)) maxValue = (PhIoReadDelta.Delta + PhIoWriteDelta.Delta + PhIoOtherDelta.Delta); PhInitFormatF(&format[0], (PhIoReadDelta.Delta + PhIoWriteDelta.Delta + PhIoOtherDelta.Delta) / maxValue * 100.f, 0); if (PhFormatToBuffer(format, 1, buffer, sizeof(buffer), &returnLength)) { PH_STRINGREF string; string.Buffer = buffer; string.Length = returnLength - sizeof(UNICODE_NULL); PhDrawTrayIconText(hdc, bits, &drawInfo, &string); } else { text = PhFormat(format, 1, 0); PhDrawTrayIconText(hdc, bits, &drawInfo, &text->sr); PhDereferenceObject(text); } if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text if (PhMaxIoHistory.Count != 0) maxIoProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&PhMaxIoHistory, 0)); else maxIoProcessId = NULL; if (maxIoProcessId) maxIoProcessItem = PhReferenceProcessItem(maxIoProcessId); else maxIoProcessItem = NULL; PhInitFormatS(&format[0], L"I/O\nR: "); PhInitFormatSize(&format[1], PhIoReadDelta.Delta); PhInitFormatS(&format[2], L"\nW: "); PhInitFormatSize(&format[3], PhIoWriteDelta.Delta); PhInitFormatS(&format[4], L"\nO: "); PhInitFormatSize(&format[5], PhIoOtherDelta.Delta); if (maxIoProcessItem) { PhInitFormatC(&format[6], '\n'); PhInitFormatSR(&format[7], maxIoProcessItem->ProcessName->sr); } *NewText = PhFormat(format, maxIoProcessItem ? 8 : 6, 128); if (maxIoProcessItem) PhDereferenceObject(maxIoProcessItem); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpCommitTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, 0, 0, RGB(0x00, 0x00, 0x00), 0, NULL, NULL, 0, 0, 0, 0 }; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; FLOAT commitFraction; PH_FORMAT format[5]; PPH_STRING text; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; commitFraction = (FLOAT)PhPerfInformation.CommittedPages / PhPerfInformation.CommitLimit * 100.f; // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); drawInfo.TextFont = PhNfGetTrayIconFont(0); drawInfo.TextColor = PhCsColorPrivate; PhInitFormatF(&format[0], commitFraction, 0); if (PhFormatToBuffer(format, 1, buffer, sizeof(buffer), &returnLength)) { PH_STRINGREF string; string.Buffer = buffer; string.Length = returnLength - sizeof(UNICODE_NULL); PhDrawTrayIconText(hdc, bits, &drawInfo, &string); } else { text = PhFormat(format, 1, 0); PhDrawTrayIconText(hdc, bits, &drawInfo, &text->sr); PhDereferenceObject(text); } if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text PhInitFormatS(&format[0], L"Commit: "); PhInitFormatSize(&format[1], UInt32x32To64(PhPerfInformation.CommittedPages, PAGE_SIZE)); PhInitFormatS(&format[2], L" ("); PhInitFormatF(&format[3], commitFraction, PhMaxPrecisionUnit); PhInitFormatS(&format[4], L"%)"); *NewText = PhFormat(format, 5, 0); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpPhysicalUsageTextIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PH_GRAPH_DRAW_INFO drawInfo = { 16, 16, 0, 0, RGB(0x00, 0x00, 0x00), 0, NULL, NULL, 0, 0, 0, 0 }; HBITMAP bitmap; PVOID bits; HDC hdc; HBITMAP oldBitmap; ULONG_PTR physicalUsage; FLOAT physicalFraction; PH_FORMAT format[5]; PPH_STRING text; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; // Icon Icon->Pointers->BeginBitmap(&drawInfo.Width, &drawInfo.Height, &bitmap, &bits, &hdc, &oldBitmap); drawInfo.TextFont = PhNfGetTrayIconFont(0); drawInfo.TextColor = PhCsColorPhysical; physicalUsage = PhSystemBasicInformation.NumberOfPhysicalPages - PhPerfInformation.AvailablePages; physicalFraction = (FLOAT)physicalUsage / PhSystemBasicInformation.NumberOfPhysicalPages; PhInitFormatF(&format[0], physicalFraction * 100.f, 0); if (PhFormatToBuffer(format, 1, buffer, sizeof(buffer), &returnLength)) { PH_STRINGREF string; string.Buffer = buffer; string.Length = returnLength - sizeof(UNICODE_NULL); PhDrawTrayIconText(hdc, bits, &drawInfo, &string); } else { text = PhFormat(format, 1, 0); PhDrawTrayIconText(hdc, bits, &drawInfo, &text->sr); PhDereferenceObject(text); } if (PhNfTransparencyEnabled) { PhBitmapSetAlpha(bits, drawInfo.Width, drawInfo.Height); } SelectBitmap(hdc, oldBitmap); *NewIconOrBitmap = bitmap; *Flags = PH_NF_UPDATE_IS_BITMAP; // Text PhInitFormatS(&format[0], L"Physical memory: "); PhInitFormatSize(&format[1], UInt32x32To64(physicalUsage, PAGE_SIZE)); PhInitFormatS(&format[2], L" ("); PhInitFormatF(&format[3], physicalFraction * 100.f, PhMaxPrecisionUnit); PhInitFormatS(&format[4], L"%)"); *NewText = PhFormat(format, 5, 96); *NewText = PhFormat(format, 5, 0); } _Function_class_(PH_NF_ICON_UPDATE_CALLBACK) VOID PhNfpPlainIconUpdateCallback( _In_ PPH_NF_ICON Icon, _Out_ PVOID *NewIconOrBitmap, _Out_ PULONG Flags, _Out_ PPH_STRING *NewText, _In_opt_ PVOID Context ) { static PPH_STRING string = NULL; if (!string) { PH_STRINGREF text = PH_STRINGREF_INIT(L"System Informer"); string = PhCreateString2(&text); } *NewIconOrBitmap = PhNfGetApplicationIcon(0); *NewText = PhReferenceObject(string); *Flags = 0; } _Success_(return) BOOLEAN PhNfpGetShowMiniInfoSectionData( _In_ ULONG IconIndex, _In_ PPH_NF_ICON RegisteredIcon, _Out_ PPH_NF_MSG_SHOWMINIINFOSECTION_DATA Data ) { BOOLEAN showMiniInfo = FALSE; if (RegisteredIcon && RegisteredIcon->MessageCallback) { Data->SectionName = NULL; if (!FlagOn(RegisteredIcon->Flags, PH_NF_ICON_NOSHOW_MINIINFO)) { if (RegisteredIcon->MessageCallback) { RegisteredIcon->MessageCallback( RegisteredIcon, (ULONG_PTR)Data, MAKELPARAM(PH_NF_MSG_SHOWMINIINFOSECTION, 0), RegisteredIcon->Context ); } showMiniInfo = TRUE; } } else { showMiniInfo = TRUE; switch (IconIndex) { case PH_TRAY_ICON_ID_CPU_HISTORY: case PH_TRAY_ICON_ID_CPU_USAGE: case PH_TRAY_ICON_ID_CPU_TEXT: case PH_TRAY_ICON_ID_PLAIN_ICON: Data->SectionName = L"CPU"; break; case PH_TRAY_ICON_ID_IO_HISTORY: case PH_TRAY_ICON_ID_IO_TEXT: Data->SectionName = L"I/O"; break; case PH_TRAY_ICON_ID_COMMIT_HISTORY: case PH_TRAY_ICON_ID_COMMIT_TEXT: Data->SectionName = L"Commit charge"; break; case PH_TRAY_ICON_ID_PHYSICAL_HISTORY: case PH_TRAY_ICON_ID_PHYSICAL_TEXT: Data->SectionName = L"Physical memory"; break; default: showMiniInfo = FALSE; break; } } return showMiniInfo; } VOID PhNfpIconClickActivateTimerProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ UINT_PTR idEvent, _In_ ULONG dwTime ) { PhPinMiniInformation(MiniInfoActivePinType, 1, 0, PH_MINIINFO_ACTIVATE_WINDOW | PH_MINIINFO_DONT_CHANGE_SECTION_IF_PINNED, IconClickShowMiniInfoSectionData.SectionName, &IconClickLocation); PhKillTimer(PhMainWndHandle, TIMER_ICON_CLICK_ACTIVATE); } VOID PhNfpDisableHover( VOID ) { IconDisableHover = TRUE; PhSetTimer(PhMainWndHandle, TIMER_ICON_RESTORE_HOVER, NFP_ICON_RESTORE_HOVER_DELAY, PhNfpIconRestoreHoverTimerProc); } VOID PhNfpIconRestoreHoverTimerProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ UINT_PTR idEvent, _In_ ULONG dwTime ) { IconDisableHover = FALSE; PhKillTimer(PhMainWndHandle, TIMER_ICON_RESTORE_HOVER); } VOID PhNfpIconDisablePopupHoverWin11Workaround( VOID ) { if (WindowsVersion >= WINDOWS_11_22H2) { PopupIconIndex = ULONG_MAX; PopupRegisteredIcon = NULL; PhKillTimer(PhMainWndHandle, TIMER_ICON_POPUPOPEN); } } VOID PhNfpIconShowPopupHoverTimerProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ UINT_PTR idEvent, _In_ ULONG dwTime ) { PH_NF_MSG_SHOWMINIINFOSECTION_DATA showMiniInfoSectionData; POINT location; if ( PhNfMiniInfoEnabled && !IconDisableHover && PopupIconIndex != ULONG_MAX && PopupRegisteredIcon && PhNfpGetShowMiniInfoSectionData(PopupIconIndex, PopupRegisteredIcon, &showMiniInfoSectionData) ) { GetCursorPos(&location); PhPinMiniInformation(MiniInfoIconPinType, 1, 0, PH_MINIINFO_DONT_CHANGE_SECTION_IF_PINNED, showMiniInfoSectionData.SectionName, &location); } } ================================================ FILE: SystemInformer/notiftoast.cpp ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2021 * */ #include #include #include #include #include #include #include #include #include #include #include #include #ifndef RETURN_IF_FAILED #define RETURN_IF_FAILED(_HR_) do { const auto __hr = _HR_; if (HR_FAILED(__hr)) { return __hr; }} while (false) #endif using namespace Microsoft::WRL; using namespace Microsoft::WRL::Wrappers; using namespace ABI::Windows::Foundation; using namespace ABI::Windows::UI::Notifications; using namespace ABI::Windows::Data::Xml::Dom; namespace PH { /*! @brief Simple template wrapper around PhGetModuleProcAddress @tparam T - Function pointer type. @param[out] FunctionPointer - On success set to the address of the function. @param[in] Module - Module name to look up the function from. @param[in] Function - Function name. @return True when the function pointer container the address of the function, false otherwise. */ template bool GetModuleProcAddress( _Out_ T* FunctionPointer, _In_ const wchar_t* Module, _In_ const char* Function ) { *FunctionPointer = static_cast(PhGetModuleProcAddress(Module, Function)); return (*FunctionPointer != nullptr); } /*! @brief Wrapper around RoGetActivationFactory to make it a little less clunky to use. @details PhActivateToastRuntime must be called prior to this else the function returns R_NOTIMPL. @tparam I - Interface to retrieve. @tparam t_SizeDestName - Length of the name string to use. @tparam t_SizeDestClass - Length of the class string to use. @param[in] ActivatableClassId - Activatable class ID to look up the interface from. @param[out] Interface - On success, set to a referenced interface of type T. @return Appropriate result status. */ template _Must_inspect_result_ HRESULT RoGetActivationFactory( _In_ wchar_t const (&DllName)[t_SizeDestName], _In_ wchar_t const (&ActivatableClassId)[t_SizeDestClass], _COM_Outptr_ I** Interface ) { HRESULT hr = PhGetActivationFactory( DllName, ActivatableClassId, __uuidof(I), reinterpret_cast(Interface) ); if (HR_FAILED(hr)) { *Interface = nullptr; } return hr; } using IToastActivatedHandler = ITypedEventHandler; using IToastDismissedHandler = ITypedEventHandler; using IToastFailedHandler = ITypedEventHandler; /*! @brief System Informer toast event handler, this class implements the handler interfaces for IToastNotification and store the callback and context from the C interface. */ class ToastEventHandler final : public RuntimeClass, IToastActivatedHandler, IToastDismissedHandler, IToastFailedHandler> { public: HRESULT RuntimeClassInitialize( PPH_TOAST_CALLBACK ToastCallback, PVOID Context ) { m_ToastCallback = ToastCallback; m_Context = Context; return S_OK; } HRESULT STDMETHODCALLTYPE Invoke( _In_ IToastNotification* Sender, _In_ IInspectable* Args ) override; HRESULT STDMETHODCALLTYPE Invoke( _In_ IToastNotification* Sender, _In_ IToastDismissedEventArgs* Args ) override; HRESULT STDMETHODCALLTYPE Invoke( _In_ IToastNotification* Sender, _In_ IToastFailedEventArgs* Args ) override; void SetActivatedToken(const EventRegistrationToken& Token) { m_ActivatedToken = Token; } void SetDismissedToken(const EventRegistrationToken& Token) { m_DismissedToken = Token; } void SetFailedToken(const EventRegistrationToken& Token) { m_FailedToken = Token; } private: PPH_TOAST_CALLBACK m_ToastCallback{ nullptr }; PVOID m_Context{ nullptr }; EventRegistrationToken m_ActivatedToken{}; EventRegistrationToken m_DismissedToken{}; EventRegistrationToken m_FailedToken{}; }; /*! @brief System Informer toast object. */ class Toast { public: ~Toast() = default; Toast() = default; _Must_inspect_result_ HRESULT Initialize( _In_ PPH_STRINGREF ApplicationId, _In_ PPH_STRINGREF ToastXml, _In_opt_ ULONG TimeoutMilliseconds, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ); [[nodiscard]] HRESULT Show() const; private: ComPtr m_Notifier{ nullptr }; ComPtr m_Toast{ nullptr }; }; } _Must_inspect_result_ HRESULT PH::Toast::Initialize( _In_ PPH_STRINGREF ApplicationId, _In_ PPH_STRINGREF ToastXml, _In_opt_ ULONG TimeoutMilliseconds, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ) { HSTRING_REFERENCE stringAppIdRef; HSTRING_REFERENCE stringToastXmlRef; ComPtr manager; RETURN_IF_FAILED(PH::RoGetActivationFactory( L"WpnApps.dll", L"Windows.UI.Notifications.ToastNotificationManager", &manager)); ComPtr factory; RETURN_IF_FAILED(PH::RoGetActivationFactory( L"WpnApps.dll", L"Windows.UI.Notifications.ToastNotification", &factory)); ComPtr notifier; RETURN_IF_FAILED(PhCreateWindowsRuntimeStringRef(ApplicationId, &stringAppIdRef)); RETURN_IF_FAILED(manager->CreateToastNotifierWithId(HSTRING_FROM_STRING(stringAppIdRef), ¬ifier)); // // Couldn't find a nice way to just create a IXmlDocument... There is // probably a way to but I guess I'm lazy. I'm just going to grab a // template one from the manager interface then overwrite it with the // input. // ComPtr xmlDocument; RETURN_IF_FAILED(manager->GetTemplateContent( ToastTemplateType::ToastTemplateType_ToastImageAndText02, &xmlDocument)); // // The IXmlDocument we get here implements IXmlDocumentIO thankfully so // just query for it, we'll replace the content using this interface. // ComPtr xmlIo; RETURN_IF_FAILED(xmlDocument.As(&xmlIo)); // // Load the supplied XML, if it's invalid this will return an error. // // Note, if it's valid XAML but you include an image file that is not // found we will end up returning success but the callback will never // get invoked. So if you allocated the context through to the C interface // it will leak... We could solve this by requiring a context cleanup // callback from the C interface. Honestly, that's kind of overkill, don't // include an image that can't be found. // RETURN_IF_FAILED(PhCreateWindowsRuntimeStringRef(ToastXml, &stringToastXmlRef)); RETURN_IF_FAILED(xmlIo->LoadXml(HSTRING_FROM_STRING(stringToastXmlRef))); ComPtr toast; RETURN_IF_FAILED(factory->CreateToastNotification(xmlDocument.Get(), &toast)); if (TimeoutMilliseconds > 0) { // // We have a timeout, set it. // ComPtr propertyStats; RETURN_IF_FAILED(PH::RoGetActivationFactory( L"WinTypes.dll", L"Windows.Foundation.PropertyValue", &propertyStats)); LARGE_INTEGER sysTime; PhQuerySystemTime(&sysTime); sysTime.QuadPart += UInt32x32To64(TimeoutMilliseconds, PH_TIMEOUT_MS); DateTime time; time.UniversalTime = sysTime.QuadPart; ComPtr inspectable; RETURN_IF_FAILED(propertyStats->CreateDateTime(time, &inspectable)); ComPtr> dateTime; RETURN_IF_FAILED(inspectable.As(&dateTime)); RETURN_IF_FAILED(toast->put_ExpirationTime(dateTime.Get())); } if (ToastCallback) { // // We have a timeout callback. Create the handler with the callback // and context, then shove it into the toast notification. // ComPtr callbacks; ComPtr activatedNotif; ComPtr dismissedNotif; ComPtr failedNotif; RETURN_IF_FAILED(MakeAndInitialize( &callbacks, ToastCallback, Context)); RETURN_IF_FAILED(callbacks.As(&activatedNotif)); RETURN_IF_FAILED(callbacks.As(&dismissedNotif)); RETURN_IF_FAILED(callbacks.As(&failedNotif)); EventRegistrationToken token; RETURN_IF_FAILED(toast->add_Activated(activatedNotif.Get(), &token)); callbacks->SetActivatedToken(token); RETURN_IF_FAILED(toast->add_Dismissed(dismissedNotif.Get(), &token)); callbacks->SetDismissedToken(token); RETURN_IF_FAILED(toast->add_Failed(failedNotif.Get(), &token)); callbacks->SetFailedToken(token); } m_Notifier = notifier; m_Toast = toast; return S_OK; } HRESULT PH::Toast::Show() const { if ((m_Notifier == nullptr) || (m_Toast == nullptr)) { return E_NOT_VALID_STATE; } return m_Notifier->Show(m_Toast.Get()); } HRESULT STDMETHODCALLTYPE PH::ToastEventHandler::Invoke( _In_ IToastNotification* Sender, _In_ IToastDismissedEventArgs* Args ) { PH_TOAST_REASON phReason = PhToastReasonUnknown; ToastDismissalReason reason; HRESULT result; result = Args->get_Reason(&reason); if (HR_SUCCESS(result)) { switch (reason) { case ToastDismissalReason_UserCanceled: phReason = PhToastReasonUserCanceled; break; case ToastDismissalReason_ApplicationHidden: phReason = PhToastReasonApplicationHidden; break; case ToastDismissalReason_TimedOut: phReason = PhToastReasonTimedOut; break; } } m_ToastCallback(result, phReason, m_Context); // // Without this the ref is never decremented and the runtime leaks... // We fire to the callback once anyway, so remove the callback from // processing. // Sender->remove_Dismissed(m_DismissedToken); Sender->remove_Activated(m_ActivatedToken); Sender->remove_Failed(m_FailedToken); return S_OK; } HRESULT STDMETHODCALLTYPE PH::ToastEventHandler::Invoke( _In_ IToastNotification* Sender, _In_ IInspectable* Args ) { m_ToastCallback(S_OK, PhToastReasonActivated, m_Context); // // Without this the ref is never decremented and the runtime leaks... // We fire to the callback once anyway, so remove the callback from // processing. // Sender->remove_Dismissed(m_DismissedToken); Sender->remove_Activated(m_ActivatedToken); Sender->remove_Failed(m_FailedToken); return S_OK; } HRESULT STDMETHODCALLTYPE PH::ToastEventHandler::Invoke( _In_ IToastNotification* Sender, _In_ IToastFailedEventArgs* Args ) { HRESULT err; HRESULT hr = Args->get_ErrorCode(&err); if (HR_FAILED(hr)) { // // You wut? I doubt this could realistically fail... if so give // the callback this error, I guess... // err = hr; } m_ToastCallback(err, PhToastReasonError, m_Context); // // Without this the ref is never decremented and the runtime leaks... // We fire to the callback once anyway, so remove the callback from // processing. // Sender->remove_Dismissed(m_DismissedToken); Sender->remove_Activated(m_ActivatedToken); Sender->remove_Failed(m_FailedToken); return S_OK; } /*! @brief Initializes the required functionality for toast notifications. @details Each successful call to PhInitializeToastRuntime should be paired with a call to PhUninitializeToastRuntime (including S_FALSE). This function must be called prior to a call to PhShowToast. Generally, this should be called once during start of the process. @return Appropriate result status. On success (including S_FALSE) this call must be paired with a call to PhUninitializeToastRuntime. */ _Must_inspect_result_ HRESULT PhInitializeToastRuntime() { // HRESULT res; // // res = g_RoInitialize(RO_INIT_MULTITHREADED); // if (res == RPC_E_CHANGED_MODE) // res = g_RoInitialize(RO_INIT_SINGLETHREADED); // if (res == S_FALSE) // already initialized // res = S_OK; // // return res; return S_OK; } /*! @brief This is a wrapper to call RoUninitialize. This should only be called when PhInitializeToastRuntime return a success (including S_FALSE). */ VOID PhUninitializeToastRuntime() { //if (g_RoInitialize) //{ // g_RoUninitialize(); //} } /*! @brief Shows a toast notification. @details PhInitializeToastRuntime must be called prior. This is an asynchronous operation. If the caller supplies a context and the function returns a success, the context is owned by the toast object, any allocated memory should be freed when the toast callback is invoked. On failure, the caller should free any memory allocated for the toast callback context, callback will not be invoked. Note, if you ToastXml is valid but contains something like an image that can't be located by the runtime this function will still return success, don't write . See comments in PH::Toast::Initialize. @code hr = PhShowToast(L"System Informer", L"" L" " L" " L" \"red" L" Example Title" L" This is an example toast notification, hello world!" L" " L" " L"", 30 * 1000, ToastCallback, NULL); @endcode @param[in] ApplicationId - Name for the application showing the toast. @param[in] ToastXml - XAML formatted \ to display. @param[in] TimeoutMilliseconds - Optional, when elapsed the toast is considered timed out. If 0 is passed the default system defined timeout for toast notifications is used.. @param[in] ToastCallback - Optional, if supplied the toast registers handlers for toast interaction and the callback is invoked with the relevant PH_TOAST_REASON. @param[in] Context - Option, context passed to the toast notification callback. @return Appropriate result status. On S_OK the toast is dispatched and the callback will be invoked when the interaction occurs. On failure the callback will not be invoked the caller should free any context. */ _Must_inspect_result_ HRESULT PhShowToastStringRef( _In_ PPH_STRINGREF ApplicationId, _In_ PPH_STRINGREF ToastXml, _In_opt_ ULONG TimeoutMilliseconds, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ) { auto toast = std::make_unique(); RETURN_IF_FAILED(toast->Initialize(ApplicationId, ToastXml, TimeoutMilliseconds, ToastCallback, Context)); return toast->Show(); } _Must_inspect_result_ HRESULT PhShowToast( _In_ PCWSTR ApplicationId, _In_ PCWSTR ToastXml, _In_opt_ ULONG TimeoutMilliseconds, _In_opt_ PPH_TOAST_CALLBACK ToastCallback, _In_opt_ PVOID Context ) { PH_STRINGREF applicationIdStringRef; PH_STRINGREF toastXmlStringRef; PhInitializeStringRefLongHint(&applicationIdStringRef, ApplicationId); PhInitializeStringRefLongHint(&toastXmlStringRef, ToastXml); return PhShowToastStringRef(&applicationIdStringRef, &toastXmlStringRef, TimeoutMilliseconds, ToastCallback, Context); } ================================================ FILE: SystemInformer/ntobjprp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * */ #include #include #include #include #include #include #include #include #include typedef struct _COMMON_PAGE_CONTEXT { PPH_OPEN_OBJECT OpenObject; PPH_CLOSE_OBJECT CloseObject; PVOID Context; } COMMON_PAGE_CONTEXT, *PCOMMON_PAGE_CONTEXT; HPROPSHEETPAGE PhpCommonCreatePage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context, _In_ PCWSTR Template, _In_ DLGPROC DlgProc ); INT CALLBACK PhpCommonPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ); INT_PTR CALLBACK PhpEventPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpEventPairPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpSemaphorePageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpTimerPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpAfdSocketPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); HPROPSHEETPAGE PhpCommonCreatePage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context, _In_ PCWSTR Template, _In_ DLGPROC DlgProc ) { HPROPSHEETPAGE propSheetPageHandle; PROPSHEETPAGE propSheetPage; PCOMMON_PAGE_CONTEXT pageContext; pageContext = PhCreateAlloc(sizeof(COMMON_PAGE_CONTEXT)); memset(pageContext, 0, sizeof(COMMON_PAGE_CONTEXT)); pageContext->OpenObject = OpenObject; pageContext->CloseObject = CloseObject; pageContext->Context = Context; memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.dwFlags = PSP_USECALLBACK; propSheetPage.pszTemplate = Template; propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = DlgProc; propSheetPage.lParam = (LPARAM)pageContext; propSheetPage.pfnCallback = PhpCommonPropPageProc; propSheetPageHandle = CreatePropertySheetPage(&propSheetPage); // CreatePropertySheetPage would have sent PSPCB_ADDREF (below), // which would have added a reference. PhDereferenceObject(pageContext); return propSheetPageHandle; } INT CALLBACK PhpCommonPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ) { PCOMMON_PAGE_CONTEXT pageContext; pageContext = (PCOMMON_PAGE_CONTEXT)ppsp->lParam; if (uMsg == PSPCB_ADDREF) { PhReferenceObject(pageContext); } else if (uMsg == PSPCB_RELEASE) { PhDereferenceObject(pageContext); } return 1; } FORCEINLINE PCOMMON_PAGE_CONTEXT PhpCommonPageHeader( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { return PhpGenericPropertyPageHeader(hwndDlg, uMsg, wParam, lParam, 2); } HPROPSHEETPAGE PhCreateEventPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ) { return PhpCommonCreatePage( OpenObject, CloseObject, Context, MAKEINTRESOURCE(IDD_OBJEVENT), PhpEventPageProc ); } static VOID PhpRefreshEventPageInfo( _In_ HWND hwndDlg, _In_ PCOMMON_PAGE_CONTEXT PageContext ) { HANDLE eventHandle; if (NT_SUCCESS(PageContext->OpenObject( &eventHandle, EVENT_QUERY_STATE, PageContext->Context ))) { EVENT_BASIC_INFORMATION basicInfo; PWSTR eventType = L"Unknown"; PWSTR eventState = L"Unknown"; if (NT_SUCCESS(PhGetEventBasicInformation(eventHandle, &basicInfo))) { switch (basicInfo.EventType) { case NotificationEvent: eventType = L"Notification"; break; case SynchronizationEvent: eventType = L"Synchronization"; break; } eventState = basicInfo.EventState > 0 ? L"True" : L"False"; } PhSetDialogItemText(hwndDlg, IDC_TYPE, eventType); PhSetDialogItemText(hwndDlg, IDC_SIGNALED, eventState); NtClose(eventHandle); } } INT_PTR CALLBACK PhpEventPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PCOMMON_PAGE_CONTEXT pageContext; pageContext = PhpCommonPageHeader(hwndDlg, uMsg, wParam, lParam); if (!pageContext) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhpRefreshEventPageInfo(hwndDlg, pageContext); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_SET: case IDC_RESET: case IDC_PULSE: { NTSTATUS status; HANDLE eventHandle; if (NT_SUCCESS(status = pageContext->OpenObject( &eventHandle, EVENT_MODIFY_STATE, pageContext->Context ))) { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_SET: NtSetEvent(eventHandle, NULL); break; case IDC_RESET: NtResetEvent(eventHandle, NULL); break; case IDC_PULSE: NtPulseEvent(eventHandle, NULL); break; } NtClose(eventHandle); } PhpRefreshEventPageInfo(hwndDlg, pageContext); if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to open the event", status, 0); } break; } } break; } return FALSE; } HPROPSHEETPAGE PhCreateEventPairPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ) { return PhpCommonCreatePage( OpenObject, CloseObject, Context, MAKEINTRESOURCE(IDD_OBJEVENTPAIR), PhpEventPairPageProc ); } INT_PTR CALLBACK PhpEventPairPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PCOMMON_PAGE_CONTEXT pageContext; pageContext = PhpCommonPageHeader(hwndDlg, uMsg, wParam, lParam); if (!pageContext) return FALSE; switch (uMsg) { case WM_INITDIALOG: { // Nothing } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_SETLOW: case IDC_SETHIGH: { NTSTATUS status; HANDLE eventPairHandle; if (NT_SUCCESS(status = pageContext->OpenObject( &eventPairHandle, EVENT_PAIR_ALL_ACCESS, pageContext->Context ))) { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_SETLOW: NtSetLowEventPair(eventPairHandle); break; case IDC_SETHIGH: NtSetHighEventPair(eventPairHandle); break; } NtClose(eventPairHandle); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to open the event pair", status, 0); } break; } } break; } return FALSE; } HPROPSHEETPAGE PhCreateSemaphorePage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ) { return PhpCommonCreatePage( OpenObject, CloseObject, Context, MAKEINTRESOURCE(IDD_OBJSEMAPHORE), PhpSemaphorePageProc ); } static VOID PhpRefreshSemaphorePageInfo( _In_ HWND hwndDlg, _In_ PCOMMON_PAGE_CONTEXT PageContext ) { HANDLE semaphoreHandle; if (NT_SUCCESS(PageContext->OpenObject( &semaphoreHandle, SEMAPHORE_QUERY_STATE, PageContext->Context ))) { SEMAPHORE_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhGetSemaphoreBasicInformation(semaphoreHandle, &basicInfo))) { PhSetDialogItemValue(hwndDlg, IDC_CURRENTCOUNT, basicInfo.CurrentCount, TRUE); PhSetDialogItemValue(hwndDlg, IDC_MAXIMUMCOUNT, basicInfo.MaximumCount, TRUE); } else { PhSetDialogItemText(hwndDlg, IDC_CURRENTCOUNT, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_MAXIMUMCOUNT, L"Unknown"); } NtClose(semaphoreHandle); } } INT_PTR CALLBACK PhpSemaphorePageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PCOMMON_PAGE_CONTEXT pageContext; pageContext = PhpCommonPageHeader(hwndDlg, uMsg, wParam, lParam); if (!pageContext) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhpRefreshSemaphorePageInfo(hwndDlg, pageContext); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_ACQUIRE: case IDC_RELEASE: { NTSTATUS status; HANDLE semaphoreHandle; if (NT_SUCCESS(status = pageContext->OpenObject( &semaphoreHandle, GET_WM_COMMAND_ID(wParam, lParam) == IDC_ACQUIRE ? SYNCHRONIZE : SEMAPHORE_MODIFY_STATE, pageContext->Context ))) { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_ACQUIRE: { LARGE_INTEGER timeout; timeout.QuadPart = 0; NtWaitForSingleObject(semaphoreHandle, FALSE, &timeout); } break; case IDC_RELEASE: NtReleaseSemaphore(semaphoreHandle, 1, NULL); break; } NtClose(semaphoreHandle); } PhpRefreshSemaphorePageInfo(hwndDlg, pageContext); if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to open the semaphore", status, 0); } break; } } break; } return FALSE; } HPROPSHEETPAGE PhCreateTimerPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ) { return PhpCommonCreatePage( OpenObject, CloseObject, Context, MAKEINTRESOURCE(IDD_OBJTIMER), PhpTimerPageProc ); } static VOID PhpRefreshTimerPageInfo( _In_ HWND hwndDlg, _In_ PCOMMON_PAGE_CONTEXT PageContext ) { HANDLE timerHandle; if (NT_SUCCESS(PageContext->OpenObject( &timerHandle, TIMER_QUERY_STATE, PageContext->Context ))) { TIMER_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhGetTimerBasicInformation(timerHandle, &basicInfo))) { PhSetDialogItemText(hwndDlg, IDC_SIGNALED, basicInfo.TimerState ? L"True" : L"False"); } else { PhSetDialogItemText(hwndDlg, IDC_SIGNALED, L"Unknown"); } NtClose(timerHandle); } } INT_PTR CALLBACK PhpTimerPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PCOMMON_PAGE_CONTEXT pageContext; pageContext = PhpCommonPageHeader(hwndDlg, uMsg, wParam, lParam); if (!pageContext) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhpRefreshTimerPageInfo(hwndDlg, pageContext); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_CANCEL: { NTSTATUS status; HANDLE timerHandle; if (NT_SUCCESS(status = pageContext->OpenObject( &timerHandle, TIMER_MODIFY_STATE, pageContext->Context ))) { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_CANCEL: NtCancelTimer(timerHandle, NULL); break; } NtClose(timerHandle); } PhpRefreshTimerPageInfo(hwndDlg, pageContext); if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to open the timer", status, 0); } break; } } break; } return FALSE; } typedef struct _MAPPINGS_PAGE_CONTEXT { HANDLE ProcessId; HANDLE SectionHandle; DLGPROC HookProc; HWND WindowHandle; HWND ListViewHandle; PKPH_SECTION_MAPPINGS_INFORMATION SectionInfo; } MAPPINGS_PAGE_CONTEXT, *PMAPPINGS_PAGE_CONTEXT; VOID PhpEnumerateMappingsEntries( _In_ PMAPPINGS_PAGE_CONTEXT Context ) { NTSTATUS status; HANDLE processHandle; CLIENT_ID clientId; if (KsiLevel() < KphLevelMed) { PPH_STRING statusText; HWND statusWindow; statusWindow = GetDlgItem(Context->WindowHandle, IDC_TEXT); ShowWindow(Context->ListViewHandle, SW_HIDE); ShowWindow(statusWindow, SW_SHOW); statusText = PhGetKsiNotConnectedString( L"Viewing active mappings requires a connection to the kernel driver." ); PhSetWindowText(statusWindow, PhGetString(statusText)); //SendMessage(statusWindow, EM_SETSEL, (WPARAM)-1, (LPARAM)-1); PhSetDialogFocus(GetParent(Context->WindowHandle), GetDlgItem(GetParent(Context->WindowHandle), IDCANCEL)); PhDereferenceObject(statusText); return; } clientId.UniqueProcess = Context->ProcessId; clientId.UniqueThread = NULL; status = KphOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, &clientId); if (!NT_SUCCESS(status)) return; status = KphQueryObjectSectionMappingsInfo( processHandle, Context->SectionHandle, &Context->SectionInfo ); NtClose(processHandle); if (!NT_SUCCESS(status)) return; for (ULONG i = 0; i < Context->SectionInfo->NumberOfMappings; i++) { PKPH_SECTION_MAP_ENTRY info = &Context->SectionInfo->Mappings[i]; INT lvItemIndex; WCHAR value[PH_INT64_STR_LEN_1]; if (info->ViewMapType == VIEW_MAP_TYPE_PROCESS) { PPH_STRING string = NULL; clientId.UniqueProcess = info->ProcessId; clientId.UniqueThread = NULL; string = PhStdGetClientIdName(&clientId); lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, string->Buffer, info); PhDereferenceObject(string); } else if (info->ViewMapType == VIEW_MAP_TYPE_SESSION) { lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, L"Session", info); } else if (info->ViewMapType == VIEW_MAP_TYPE_SYSTEM_CACHE) { lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, L"System", info); } else { lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, L"Unknown", info); } PhPrintPointer(value, info->StartVa); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, value); PhPrintPointer(value, info->EndVa); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, value); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 3, PhaFormatSize((ULONG64)info->EndVa - (ULONG64)info->StartVa, ULONG_MAX)->Buffer); } } VOID PhpShowProcessForMapping( _In_ HWND hwndDlg, _In_ PKPH_SECTION_MAP_ENTRY Entry ) { PPH_PROCESS_ITEM processItem; assert(Entry->ViewMapType == VIEW_MAP_TYPE_PROCESS); if (processItem = PhReferenceProcessItem(Entry->ProcessId)) { // // TODO would like this to show the process properties // memory tab and select the info->StartVa // SystemInformer_ShowProcessProperties(processItem); PhDereferenceObject(processItem); } else { PhShowStatus(hwndDlg, L"The process does not exist.", STATUS_INVALID_CID, 0); } } INT_PTR CALLBACK PhpMappingsPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PMAPPINGS_PAGE_CONTEXT context; context = PhpGenericPropertyPageHeader(hwndDlg, uMsg, wParam, lParam, 3); if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(context->ListViewHandle, TRUE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 140, L"View"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 100, L"Start"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 100, L"End"); PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_RIGHT, 60, L"Size"); PhSetExtendedListView(context->ListViewHandle); PhpEnumerateMappingsEntries(context); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { if (context->SectionInfo) PhFree(context->SectionInfo); PhFree(context); } break; case WM_CONTEXTMENU: { PKPH_SECTION_MAP_ENTRY info = NULL; if (ListView_GetSelectedCount(context->ListViewHandle) == 1) info = PhGetSelectedListViewItemParam(context->ListViewHandle); POINT point; PPH_EMENU menu; PPH_EMENU item; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); menu = PhCreateEMenu(); if (info && info->ViewMapType == VIEW_MAP_TYPE_PROCESS) { PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"&Go to process", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); } PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item && item->Id != ULONG_MAX && !PhHandleCopyListViewEMenuItem(item)) { switch (item->Id) { case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; case 1: { assert(info); PhpShowProcessForMapping(hwndDlg, info); } break; } PhDestroyEMenu(menu); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } HPROPSHEETPAGE PhCreateMappingsPage( _In_ HANDLE ProcessId, _In_ HANDLE SectionHandle ) { HPROPSHEETPAGE propSheetPageHandle; PROPSHEETPAGE propSheetPage; PMAPPINGS_PAGE_CONTEXT mappingsPageContext; mappingsPageContext = PhAllocateZero(sizeof(MAPPINGS_PAGE_CONTEXT)); mappingsPageContext->ProcessId = ProcessId; mappingsPageContext->SectionHandle = SectionHandle; memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.dwFlags = PSP_DEFAULT; propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_OBJMAPPINGS); propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = PhpMappingsPageProc; propSheetPage.lParam = (LPARAM)mappingsPageContext; propSheetPageHandle = CreatePropertySheetPage(&propSheetPage); return propSheetPageHandle; } typedef struct _PHP_AFD_SOCKET_PAGE_CONTEXT { HANDLE ProcessId; HANDLE HandleValue; HWND ListViewHandle; PPH_LISTVIEW_CONTEXT ListViewContext; PH_LAYOUT_MANAGER LayoutManager; } PHP_AFD_SOCKET_PAGE_CONTEXT, *PPHP_AFD_SOCKET_PAGE_CONTEXT; typedef enum _PHP_AFD_SOCKET_GROUP { PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_GROUP_ADDRESSES, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_GROUP_TDI, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_GROUP_UDP, PH_AFD_SOCKET_GROUP_HVSOCKET, } PHP_AFD_SOCKET_GROUP; typedef enum _PHP_AFD_SOCKET_ITEM { PH_AFD_SOCKET_ITEM_STATE, PH_AFD_SOCKET_ITEM_TYPE, PH_AFD_SOCKET_ITEM_ADDRESS_FAMILY, PH_AFD_SOCKET_ITEM_PROTOCOL, PH_AFD_SOCKET_ITEM_CATALOG_ENTRY_ID, PH_AFD_SOCKET_ITEM_PROVIDER_ID, PH_AFD_SOCKET_ITEM_PROVIDER_FLAGS, PH_AFD_SOCKET_ITEM_SERVICE_FLAGS, PH_AFD_SOCKET_ITEM_SEND_TIMEOUT, PH_AFD_SOCKET_ITEM_RECEIVE_TIMEOUT, PH_AFD_SOCKET_ITEM_SEND_BUFFER_SIZE, PH_AFD_SOCKET_ITEM_RECEIVE_BUFFER_SIZE, PH_AFD_SOCKET_ITEM_CREATION_FLAGS, PH_AFD_SOCKET_ITEM_FLAGS, PH_AFD_SOCKET_ITEM_ADDRESS, PH_AFD_SOCKET_ITEM_REMOTE_ADDRESS, PH_AFD_SOCKET_ITEM_CONNECT_TIME, PH_AFD_SOCKET_ITEM_DELIVERY_AVAILABLE, PH_AFD_SOCKET_ITEM_PENDED_RECEIVE_REQUESTS, PH_AFD_SOCKET_ITEM_SENDS_PENDING, PH_AFD_SOCKET_ITEM_RECEIVE_WINDOW_SIZE, PH_AFD_SOCKET_ITEM_SEND_WINDOW_SIZE, PH_AFD_SOCKET_ITEM_MAX_SEND_SIZE, PH_AFD_SOCKET_ITEM_GROUP_ID, PH_AFD_SOCKET_ITEM_GROUP_TYPE, PH_AFD_SOCKET_ITEM_TDI_ADDRESS_DEVICE, PH_AFD_SOCKET_ITEM_TDI_CONNECTION_DEVICE, PH_AFD_SOCKET_ITEM_SO_REUSEADDR, PH_AFD_SOCKET_ITEM_SO_KEEPALIVE, PH_AFD_SOCKET_ITEM_SO_DONTROUTE, PH_AFD_SOCKET_ITEM_SO_BROADCAST, PH_AFD_SOCKET_ITEM_SO_OOBINLINE, PH_AFD_SOCKET_ITEM_SO_RCVBUF, PH_AFD_SOCKET_ITEM_SO_MAX_MSG_SIZE, PH_AFD_SOCKET_ITEM_SO_CONDITIONAL_ACCEPT, PH_AFD_SOCKET_ITEM_SO_PAUSE_ACCEPT, PH_AFD_SOCKET_ITEM_SO_COMPARTMENT_ID, PH_AFD_SOCKET_ITEM_SO_RANDOMIZE_PORT, PH_AFD_SOCKET_ITEM_SO_PORT_SCALABILITY, PH_AFD_SOCKET_ITEM_SO_REUSE_UNICASTPORT, PH_AFD_SOCKET_ITEM_SO_EXCLUSIVEADDRUSE, PH_AFD_SOCKET_ITEM_IP_HDRINCL, PH_AFD_SOCKET_ITEM_IP_TOS, PH_AFD_SOCKET_ITEM_IP_TTL, PH_AFD_SOCKET_ITEM_IP_MULTICAST_IF, PH_AFD_SOCKET_ITEM_IP_MULTICAST_TTL, PH_AFD_SOCKET_ITEM_IP_MULTICAST_LOOP, PH_AFD_SOCKET_ITEM_IP_DONTFRAGMENT, PH_AFD_SOCKET_ITEM_IP_PKTINFO, PH_AFD_SOCKET_ITEM_IP_RECVTTL, PH_AFD_SOCKET_ITEM_IP_RECEIVE_BROADCAST, PH_AFD_SOCKET_ITEM_IP_PROTECTION_LEVEL, PH_AFD_SOCKET_ITEM_IP_RECVIF, PH_AFD_SOCKET_ITEM_IP_RECVDSTADDR, PH_AFD_SOCKET_ITEM_IP_V6ONLY, PH_AFD_SOCKET_ITEM_IP_IFLIST, PH_AFD_SOCKET_ITEM_IP_UNICAST_IF, PH_AFD_SOCKET_ITEM_IP_RECVRTHDR, PH_AFD_SOCKET_ITEM_IP_RECVTOS, PH_AFD_SOCKET_ITEM_IP_ORIGINAL_ARRIVAL_IF, PH_AFD_SOCKET_ITEM_IP_RECVECN, PH_AFD_SOCKET_ITEM_IP_PKTINFO_EX, PH_AFD_SOCKET_ITEM_IP_WFP_REDIRECT_RECORDS, PH_AFD_SOCKET_ITEM_IP_WFP_REDIRECT_CONTEXT, PH_AFD_SOCKET_ITEM_IP_MTU_DISCOVER, PH_AFD_SOCKET_ITEM_IP_MTU, PH_AFD_SOCKET_ITEM_IP_RECVERR, PH_AFD_SOCKET_ITEM_IP_USER_MTU, PH_AFD_SOCKET_ITEM_TCP_NODELAY, PH_AFD_SOCKET_ITEM_TCP_EXPEDITED, PH_AFD_SOCKET_ITEM_TCP_KEEPALIVE, PH_AFD_SOCKET_ITEM_TCP_MAXSEG, PH_AFD_SOCKET_ITEM_TCP_MAXRT, PH_AFD_SOCKET_ITEM_TCP_STDURG, PH_AFD_SOCKET_ITEM_TCP_NOURG, PH_AFD_SOCKET_ITEM_TCP_ATMARK, PH_AFD_SOCKET_ITEM_TCP_NOSYNRETRIES, PH_AFD_SOCKET_ITEM_TCP_TIMESTAMPS, PH_AFD_SOCKET_ITEM_TCP_CONGESTION_ALGORITHM, PH_AFD_SOCKET_ITEM_TCP_DELAY_FIN_ACK, PH_AFD_SOCKET_ITEM_TCP_MAXRTMS, PH_AFD_SOCKET_ITEM_TCP_FASTOPEN, PH_AFD_SOCKET_ITEM_TCP_KEEPCNT, PH_AFD_SOCKET_ITEM_TCP_KEEPINTVL, PH_AFD_SOCKET_ITEM_TCP_FAIL_CONNECT_ON_ICMP_ERROR, PH_AFD_SOCKET_ITEM_TCP_INFO_STATE, PH_AFD_SOCKET_ITEM_TCP_INFO_MSS, PH_AFD_SOCKET_ITEM_TCP_INFO_CONNECTION_TIME, PH_AFD_SOCKET_ITEM_TCP_INFO_TIMESTAMPS_ENABLED, PH_AFD_SOCKET_ITEM_TCP_INFO_RTT, PH_AFD_SOCKET_ITEM_TCP_INFO_MINRTT, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_IN_FLIGHT, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_WINDOW, PH_AFD_SOCKET_ITEM_TCP_INFO_SEND_WINDOW, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVE_WINDOW, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVE_BUFFER, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_OUT, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_IN, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_REORDERED, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_RETRANSMITTED, PH_AFD_SOCKET_ITEM_TCP_INFO_FAST_RETRANSMIT, PH_AFD_SOCKET_ITEM_TCP_INFO_DUPLICATE_ACKS_IN, PH_AFD_SOCKET_ITEM_TCP_INFO_TIMEOUT_EPISODES, PH_AFD_SOCKET_ITEM_TCP_INFO_SYN_RETRANSMITS, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_TRANSITIONS, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_TIME, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_BYTES, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_TRANSITIONS, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_TIME, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_BYTES, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_TRANSITIONS, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_TIME, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_BYTES, PH_AFD_SOCKET_ITEM_TCP_INFO_OUT_OF_ORDER_PACKETS, PH_AFD_SOCKET_ITEM_TCP_INFO_ECN_NEGOTIATED, PH_AFD_SOCKET_ITEM_TCP_INFO_ECE_ACKS_IN, PH_AFD_SOCKET_ITEM_TCP_INFO_PTO_EPISODES, PH_AFD_SOCKET_ITEM_UDP_NOCHECKSUM, PH_AFD_SOCKET_ITEM_UDP_SEND_MSG_SIZE, PH_AFD_SOCKET_ITEM_UDP_RECV_MAX_COALESCED_SIZE, PH_AFD_SOCKET_ITEM_HVSOCKET_CONNECT_TIMEOUT, PH_AFD_SOCKET_ITEM_HVSOCKET_CONTAINER_PASSTHRU, PH_AFD_SOCKET_ITEM_HVSOCKET_CONNECTED_SUSPEND, PH_AFD_SOCKET_ITEM_HVSOCKET_HIGH_VTL, } PHP_AFD_SOCKET_ITEM; VOID PhAddSocketListViewItem( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context, _In_ LONG GroupId, _In_ LONG Index, _In_ PCWSTR Text ) { PhListView_AddGroupItem(Context->ListViewContext, GroupId, Index, Text, UlongToPtr(Index)); } VOID PhSetSocketListViewItem( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context, _In_ LONG Index, _In_ PCWSTR Text ) { LONG index = PhFindListViewItemByParam(Context->ListViewHandle, INT_ERROR, UlongToPtr(Index)); if (index != INT_ERROR) { PhListView_SetSubItem(Context->ListViewContext, index, 1, Text); } } VOID PhSetSocketListViewItemBoolean( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context, _In_ LONG Index, _In_ ULONG Value ) { PhSetSocketListViewItem(Context, Index, Value ? L"True" : L"False"); } VOID PhSetSocketListViewItemBytes( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context, _In_ LONG Index, _In_ ULONG64 Value ) { PPH_STRING itemString; itemString = PhFormatSize(Value, -1); PhSetSocketListViewItem(Context, Index, PhGetString(itemString)); PhDereferenceObject(itemString); } VOID PhSetSocketListViewItemDecimal( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context, _In_ LONG Index, _In_ ULONG Value ) { PPH_STRING itemString; itemString = PhFormatString(L"%d", Value); PhSetSocketListViewItem(Context, Index, PhGetString(itemString)); PhDereferenceObject(itemString); } VOID PhSetSocketListViewItemTimeSpan( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context, _In_ LONG Index, _In_ ULONG64 TimeSpan ) { PPH_STRING itemString; if (TimeSpan == 0) { PhSetSocketListViewItem(Context, Index, L"None"); return; } itemString = PhFormatTimeSpanRelative(TimeSpan); PhSetSocketListViewItem(Context, Index, PhGetString(itemString)); PhDereferenceObject(itemString); } VOID PhSetSocketListViewItemTimeAgo( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context, _In_ LONG Index, _In_ ULONG64 Duration ) { LARGE_INTEGER absoluteTime; SYSTEMTIME absoluteTimeFields; PPH_STRING absoluteTimeString; PPH_STRING relativeTimeString; PPH_STRING itemString; PhQuerySystemTime(&absoluteTime); absoluteTime.QuadPart -= Duration; PhLargeIntegerToLocalSystemTime(&absoluteTimeFields, &absoluteTime); relativeTimeString = PhFormatTimeSpanRelative(Duration); absoluteTimeString = PhFormatDateTime(&absoluteTimeFields); itemString = PhFormatString(L"%s ago (%s)", PhGetString(relativeTimeString), PhGetString(absoluteTimeString)); PhDereferenceObject(relativeTimeString); PhDereferenceObject(absoluteTimeString); PhSetSocketListViewItem(Context, Index, PhGetString(itemString)); PhDereferenceObject(itemString); } HPROPSHEETPAGE PhCreateAfdSocketPage( _In_ HANDLE ProcessId, _In_ HANDLE HandleValue ) { HPROPSHEETPAGE propSheetPageHandle; PROPSHEETPAGE propSheetPage; PPHP_AFD_SOCKET_PAGE_CONTEXT socketPageContext; socketPageContext = PhAllocateZero(sizeof(PHP_AFD_SOCKET_PAGE_CONTEXT)); socketPageContext->ProcessId = ProcessId; socketPageContext->HandleValue = HandleValue; memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.dwFlags = PSP_DEFAULT; propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_OBJAFDSOCKET); propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = PhpAfdSocketPageProc; propSheetPage.lParam = (LPARAM)socketPageContext; propSheetPageHandle = CreatePropertySheetPage(&propSheetPage); return propSheetPageHandle; } static VOID PhpRefreshAfdSocketPageInfo( _In_ PPHP_AFD_SOCKET_PAGE_CONTEXT Context ) { NTSTATUS status; HANDLE processHandle; HANDLE socketHandle = NULL; PPH_STRING itemString; SOCK_SHARED_INFO sharedInfo; AFD_INFORMATION simpleInfo; ULONG optionValue; TCP_INFO_v2 tcpInfo; ULONG tcpInfoVersion; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, Context->ProcessId ))) { status = NtDuplicateObject( processHandle, Context->HandleValue, NtCurrentProcess(), &socketHandle, 0, 0, DUPLICATE_SAME_ACCESS ); NtClose(processHandle); } if (!NT_SUCCESS(status)) return; // // Shared Winsock context // if (NT_SUCCESS(PhAfdQuerySharedInfo(socketHandle, &sharedInfo))) { // State itemString = PhAfdFormatSocketState(sharedInfo.State); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_STATE, PhGetString(itemString)); PhDereferenceObject(itemString); // Type itemString = PhAfdFormatSocketType(sharedInfo.SocketType); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_TYPE, PhGetString(itemString)); PhDereferenceObject(itemString); // Address family itemString = PhAfdFormatAddressFamily(sharedInfo.AddressFamily); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_ADDRESS_FAMILY, PhGetString(itemString)); PhDereferenceObject(itemString); // Protocol itemString = PhAfdFormatProtocol(sharedInfo.AddressFamily, sharedInfo.Protocol); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_PROTOCOL, PhGetString(itemString)); PhDereferenceObject(itemString); // Catalog entry ID PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_CATALOG_ENTRY_ID, sharedInfo.CatalogEntryId); // Provider ID itemString = PhFormatGuid(&sharedInfo.ProviderId); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_PROVIDER_ID, PhGetString(itemString)); PhDereferenceObject(itemString); // Provider flags itemString = PhAfdFormatProviderFlags(sharedInfo.ProviderFlags); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_PROVIDER_FLAGS, PhGetString(itemString)); PhDereferenceObject(itemString); // Service flags itemString = PhAfdFormatServiceFlags(sharedInfo.ServiceFlags1); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_SERVICE_FLAGS, PhGetString(itemString)); PhDereferenceObject(itemString); // Send timeout switch (sharedInfo.SendTimeout) { case 0: PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_SEND_TIMEOUT, L"Unlimited"); break; default: PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_SEND_TIMEOUT, PH_TICKS_PER_MS * sharedInfo.SendTimeout); } // Receive timeout switch (sharedInfo.ReceiveTimeout) { case 0: PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_RECEIVE_TIMEOUT, L"Unlimited"); break; default: PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_RECEIVE_TIMEOUT, PH_TICKS_PER_MS * sharedInfo.ReceiveTimeout); } // Send buffer size PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_SEND_BUFFER_SIZE, sharedInfo.SendBufferSize); // Receive buffer size PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_RECEIVE_BUFFER_SIZE, sharedInfo.ReceiveBufferSize); // Creation flags itemString = PhAfdFormatCreationFlags(sharedInfo.CreationFlags); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_CREATION_FLAGS, PhGetString(itemString)); PhDereferenceObject(itemString); // Flags itemString = PhAfdFormatSharedInfoFlags(&sharedInfo); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_FLAGS, PhGetString(itemString)); PhDereferenceObject(itemString); } // // Addresses // // Address if (NT_SUCCESS(PhAfdQueryFormatAddress(socketHandle, FALSE, &itemString, 0))) { PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_ADDRESS, PhGetString(itemString)); PhDereferenceObject(itemString); } // Remote address if (NT_SUCCESS(PhAfdQueryFormatAddress(socketHandle, TRUE, &itemString, 0))) { PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_REMOTE_ADDRESS, PhGetString(itemString)); PhDereferenceObject(itemString); } // // AFD info classes // // Connect time if (NT_SUCCESS(PhAfdQuerySimpleInfo(socketHandle, AFD_CONNECT_TIME, &simpleInfo))) { switch (simpleInfo.Information.Ulong) { case ULONG_MAX: PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_CONNECT_TIME, L"N/A (not connected)"); break; default: PhSetSocketListViewItemTimeAgo(Context, PH_AFD_SOCKET_ITEM_CONNECT_TIME, PH_TICKS_PER_SEC * simpleInfo.Information.Ulong); } } if (NT_SUCCESS(PhAfdQuerySimpleInfo(socketHandle, AFD_DELIVERY_STATUS, &simpleInfo))) { // Delivery available PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_DELIVERY_AVAILABLE, simpleInfo.Information.DeliveryStatus.DeliveryAvailable); // Pendeding recveives PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_PENDED_RECEIVE_REQUESTS, simpleInfo.Information.DeliveryStatus.PendedReceiveRequests); } // Pending sends if (NT_SUCCESS(PhAfdQuerySimpleInfo(socketHandle, AFD_SENDS_PENDING, &simpleInfo))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_SENDS_PENDING, simpleInfo.Information.Ulong); } // Receive window size if (NT_SUCCESS(PhAfdQuerySimpleInfo(socketHandle, AFD_RECEIVE_WINDOW_SIZE, &simpleInfo))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_RECEIVE_WINDOW_SIZE, simpleInfo.Information.Ulong); } // Send window size if (NT_SUCCESS(PhAfdQuerySimpleInfo(socketHandle, AFD_SEND_WINDOW_SIZE, &simpleInfo))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_SEND_WINDOW_SIZE, simpleInfo.Information.Ulong); } // Maximum send size if (NT_SUCCESS(PhAfdQuerySimpleInfo(socketHandle, AFD_MAX_SEND_SIZE, &simpleInfo))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_MAX_SEND_SIZE, simpleInfo.Information.Ulong); } if (NT_SUCCESS(PhAfdQuerySimpleInfo(socketHandle, AFD_GROUP_ID_AND_TYPE, &simpleInfo))) { // Group ID PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_GROUP_ID, simpleInfo.Information.GroupInfo.GroupID); // Group type itemString = PhAfdFormatGroupType(simpleInfo.Information.GroupInfo.GroupType); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_GROUP_TYPE, PhGetString(itemString)); PhDereferenceObject(itemString); } // // TDI devices // // TDI address device if (NT_SUCCESS(PhAfdQueryFormatTdiDeviceName(socketHandle, AFD_QUERY_ADDRESS_HANDLE, &itemString))) { PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_TDI_ADDRESS_DEVICE, PhGetString(itemString)); PhDereferenceObject(itemString); } // TDI connection device if (NT_SUCCESS(PhAfdQueryFormatTdiDeviceName(socketHandle, AFD_QUERY_CONNECTION_HANDLE, &itemString))) { PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_TDI_CONNECTION_DEVICE, PhGetString(itemString)); PhDereferenceObject(itemString); } // HACK: hvsocket.sys has a bug that makes connected Hyper-V sockets return // STATUS_SUCCESS for all option-querying request. We detect it by issuing a // deliberately invalid query. If it succeeds, we know we've hit the bug and // cannot display any meaningful option information about the socket. (diversenok) if (!NT_SUCCESS(PhAfdQueryOption(socketHandle, 0xDEAD, 0xDEAD, &optionValue))) { // // Socket-level options // // Reuse address if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_REUSEADDR, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_REUSEADDR, optionValue); } // Keep alive if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_KEEPALIVE, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_KEEPALIVE, optionValue); } // Don't route if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_DONTROUTE, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_DONTROUTE, optionValue); } // Broadcast if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_BROADCAST, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_BROADCAST, optionValue); } // OOB in line if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_OOBINLINE, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_OOBINLINE, optionValue); } // Receive buffer size if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_RCVBUF, &optionValue))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_SO_RCVBUF, optionValue); } // Maximum message size if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_MAX_MSG_SIZE, &optionValue))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_SO_MAX_MSG_SIZE, optionValue); } // Conditional accept if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_CONDITIONAL_ACCEPT, optionValue); } // Pause accept if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_PAUSE_ACCEPT, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_PAUSE_ACCEPT, optionValue); } // Compartment ID if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_COMPARTMENT_ID, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_SO_COMPARTMENT_ID, optionValue); } // Randomize port if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_RANDOMIZE_PORT, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_RANDOMIZE_PORT, optionValue); } // Port scalability if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_PORT_SCALABILITY, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_PORT_SCALABILITY, optionValue); } // Reuse unicast port if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_REUSE_UNICASTPORT, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_REUSE_UNICASTPORT, optionValue); } // Exclusive address use if (NT_SUCCESS(PhAfdQueryOption(socketHandle, SOL_SOCKET, SO_EXCLUSIVEADDRUSE, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_SO_EXCLUSIVEADDRUSE, optionValue); } // // IP-level options // // Header included if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_HDRINCL, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_HDRINCL, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_HDRINCL, optionValue); } // Type-of-service if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_TOS, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_IP_TOS, optionValue); } // Unicast TTL if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_TTL, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_IP_TTL, optionValue); } // Multicast interface if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_MULTICAST_IF, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_MULTICAST_IF, &optionValue))) { itemString = PhAfdFormatInterfaceOption(optionValue); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_IP_MULTICAST_IF, PhGetString(itemString)); PhDereferenceObject(itemString); } // Multicast TTL if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_MULTICAST_TTL, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_MULTICAST_HOPS, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_IP_MULTICAST_TTL, optionValue); } // Multicast loopback if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_MULTICAST_LOOP, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_MULTICAST_LOOP, optionValue); } // Don't fragment if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_DONTFRAGMENT, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_DONTFRAG, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_DONTFRAGMENT, optionValue); } // Receive packet info if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_PKTINFO, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_PKTINFO, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_PKTINFO, optionValue); } // Receive TTL if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECVTTL, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IP_HOPLIMIT, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECVTTL, optionValue); } // Broadcast reception if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECEIVE_BROADCAST, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECEIVE_BROADCAST, optionValue); } // IPv6 protection level if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_PROTECTION_LEVEL, &optionValue))) { itemString = PhAfdFormatProtectionLevel(optionValue); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_IP_PROTECTION_LEVEL, PhGetString(itemString)); PhDereferenceObject(itemString); } // Receive arrival interface if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECVIF, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_RECVIF, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECVIF, optionValue); } // Receive destination address if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECVDSTADDR, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_RECVDSTADDR, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECVDSTADDR, optionValue); } // IPv6-only if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_V6ONLY, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_V6ONLY, optionValue); } // Interface list if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_IFLIST, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_IFLIST, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_IFLIST, optionValue); } // Unicast interface if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_UNICAST_IF, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_UNICAST_IF, &optionValue))) { itemString = PhAfdFormatInterfaceOption(optionValue); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_IP_UNICAST_IF, PhGetString(itemString)); PhDereferenceObject(itemString); } // Receive routing header if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECVRTHDR, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_RECVRTHDR, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECVRTHDR, optionValue); } // Receive type-of-service if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECVTCLASS, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_RECVTCLASS, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECVTOS, optionValue); } // Original arrival interface if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_ORIGINAL_ARRIVAL_IF, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_ORIGINAL_ARRIVAL_IF, optionValue); } // Receive ECN if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECVECN, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_RECVECN, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECVECN, optionValue); } // Receive extended packet info if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_PKTINFO_EX, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_PKTINFO_EX, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_PKTINFO_EX, optionValue); } // WFP redirect records if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_WFP_REDIRECT_RECORDS, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_WFP_REDIRECT_RECORDS, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_WFP_REDIRECT_RECORDS, optionValue); } // WFP redirect context if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_WFP_REDIRECT_CONTEXT, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_WFP_REDIRECT_CONTEXT, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_WFP_REDIRECT_CONTEXT, optionValue); } // MTU discovery if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_MTU_DISCOVER, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &optionValue))) { itemString = PhAfdFormatMtuDiscoveryMode(optionValue); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_IP_MTU_DISCOVER, PhGetString(itemString)); PhDereferenceObject(itemString); } // Path MTU if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_MTU, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_MTU, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_IP_MTU, optionValue); } // Receive ICMP errors if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_RECVERR, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_RECVERR, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_IP_RECVERR, optionValue); } // Upper MTU bound if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IP, IP_USER_MTU, &optionValue)) || NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_IPV6, IPV6_USER_MTU, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_IP_USER_MTU, optionValue); } // // TCP-level options // // No delay if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_NODELAY, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_NODELAY, optionValue); } // Expedited data if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_EXPEDITED_1122, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_EXPEDITED, optionValue); } // Keep alive if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_KEEPALIVE, &optionValue))) { PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_KEEPALIVE, PH_TICKS_PER_SEC * optionValue); } // Maximum segment size if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_MAXSEG, &optionValue))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_MAXSEG, optionValue); } // Retry timeout if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_MAXRT, &optionValue))) { switch (optionValue) { case ULONG_MAX: PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_TCP_MAXRT, L"Unlimited"); break; default: PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_MAXRT, PH_TICKS_PER_SEC * optionValue); } } // URG interpretation if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_STDURG, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_STDURG, optionValue); } // No URG if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_NOURG, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_NOURG, optionValue); } // At mark if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_ATMARK, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_ATMARK, optionValue); } // No SYN retries if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_NOSYNRETRIES, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_NOSYNRETRIES, optionValue); } // Timestamps if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_TIMESTAMPS, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_TIMESTAMPS, optionValue); } // Congestion algorithm if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_CONGESTION_ALGORITHM, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_CONGESTION_ALGORITHM, optionValue); } // Delay FIN ACK if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_DELAY_FIN_ACK, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_DELAY_FIN_ACK, optionValue); } // Retry timeout (precise) if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_MAXRTMS, &optionValue))) { switch (optionValue) { case ULONG_MAX: PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_TCP_MAXRTMS, L"Unlimited"); break; default: PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_MAXRTMS, PH_TICKS_PER_MS * optionValue); } } // Fast open if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_FASTOPEN, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_FASTOPEN, optionValue); } // Keep alive count if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_KEEPCNT, &optionValue))) { PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_KEEPCNT, optionValue); } // Keep alive interval if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_KEEPINTVL, &optionValue))) { PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_KEEPINTVL, PH_TICKS_PER_SEC * optionValue); } // Fail on ICMP error if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_TCP, TCP_FAIL_CONNECT_ON_ICMP_ERROR, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_FAIL_CONNECT_ON_ICMP_ERROR, optionValue); } // // TCP information // if (NT_SUCCESS(PhAfdQueryTcpInfo(socketHandle, &tcpInfo, &tcpInfoVersion))) { // TCP state itemString = PhAfdFormatTcpState(tcpInfo.State); PhSetSocketListViewItem(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_STATE, PhGetString(itemString)); PhDereferenceObject(itemString); // Maximum segment size PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_MSS, tcpInfo.Mss); // Connection time PhSetSocketListViewItemTimeAgo(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_CONNECTION_TIME, PH_TICKS_PER_MS * tcpInfo.ConnectionTimeMs); // Timestamps enabled PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_TIMESTAMPS_ENABLED, tcpInfo.TimestampsEnabled); // Estimated round-trip PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_RTT, RTL_TICKS_PER_MICROSEC * tcpInfo.RttUs); // Minimal round-trip PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_MINRTT, RTL_TICKS_PER_MICROSEC * tcpInfo.MinRttUs); // Bytes in flight PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_IN_FLIGHT, tcpInfo.BytesInFlight); // Congestion window PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_WINDOW, tcpInfo.Cwnd); // Send window PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_SEND_WINDOW, tcpInfo.SndWnd); // Receive window PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVE_WINDOW, tcpInfo.RcvWnd); // Receive buffer PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVE_BUFFER, tcpInfo.RcvBuf); // Bytes sent PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_OUT, tcpInfo.BytesOut); // Bytes received PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_IN, tcpInfo.BytesIn); // Bytes reordered PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_REORDERED, tcpInfo.BytesReordered); // Bytes retransmitted PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_RETRANSMITTED, tcpInfo.BytesRetrans); // Fast retransmits PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_FAST_RETRANSMIT, tcpInfo.FastRetrans); // Duplicate ACKs PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_DUPLICATE_ACKS_IN, tcpInfo.DupAcksIn); // Timeout episodes PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_TIMEOUT_EPISODES, tcpInfo.TimeoutEpisodes); // SYN retransmits PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_SYN_RETRANSMITS, tcpInfo.SynRetrans); if (tcpInfoVersion >= 1) { // Receiver-limited episodes PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_TRANSITIONS, tcpInfo.SndLimTransRwin); // Receiver-limited time PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_TIME, PH_TICKS_PER_MS * tcpInfo.SndLimTimeRwin); // Receiver-limited bytes PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_BYTES, tcpInfo.SndLimBytesRwin); // Congestion-limited episodes PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_TRANSITIONS, tcpInfo.SndLimTransCwnd); // Congestion-limited time PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_TIME, PH_TICKS_PER_MS * tcpInfo.SndLimTimeCwnd); // Congestion-limited bytes PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_BYTES, tcpInfo.SndLimBytesCwnd); // Sender-limited episodes PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_TRANSITIONS, tcpInfo.SndLimTransSnd); // Sender-limited time PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_TIME, PH_TICKS_PER_MS * tcpInfo.SndLimTimeSnd); // Sender-limited bytes PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_BYTES, tcpInfo.SndLimBytesSnd); } if (tcpInfoVersion >= 2) { // Out-of-order packets PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_OUT_OF_ORDER_PACKETS, tcpInfo.OutOfOrderPktsIn); // ECN negotiated PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_ECN_NEGOTIATED, tcpInfo.EcnNegotiated); // ECE ACKs PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_ECE_ACKS_IN, tcpInfo.EceAcksIn); // Probe timeout episodes PhSetSocketListViewItemDecimal(Context, PH_AFD_SOCKET_ITEM_TCP_INFO_PTO_EPISODES, tcpInfo.PtoEpisodes); } } // // UDP-level options // // No checksum if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_UDP, UDP_NOCHECKSUM, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_UDP_NOCHECKSUM, optionValue); } // Maximum message size if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_UDP, UDP_SEND_MSG_SIZE, &optionValue))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_UDP_SEND_MSG_SIZE, optionValue); } // Maximum coalesced size if (NT_SUCCESS(PhAfdQueryOption(socketHandle, IPPROTO_UDP, UDP_RECV_MAX_COALESCED_SIZE, &optionValue))) { PhSetSocketListViewItemBytes(Context, PH_AFD_SOCKET_ITEM_UDP_RECV_MAX_COALESCED_SIZE, optionValue); } // // Hyper-V-level options // // Connect timeout if (NT_SUCCESS(PhAfdQueryOption(socketHandle, HV_PROTOCOL_RAW, HVSOCKET_CONNECT_TIMEOUT, &optionValue))) { PhSetSocketListViewItemTimeSpan(Context, PH_AFD_SOCKET_ITEM_HVSOCKET_CONNECT_TIMEOUT, PH_TICKS_PER_MS * optionValue); } // Container passthru if (NT_SUCCESS(PhAfdQueryOption(socketHandle, HV_PROTOCOL_RAW, HVSOCKET_CONTAINER_PASSTHRU, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_HVSOCKET_CONTAINER_PASSTHRU, optionValue); } // Connected suspend if (NT_SUCCESS(PhAfdQueryOption(socketHandle, HV_PROTOCOL_RAW, HVSOCKET_CONNECTED_SUSPEND, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_HVSOCKET_CONNECTED_SUSPEND, optionValue); } // High VTL if (NT_SUCCESS(PhAfdQueryOption(socketHandle, HV_PROTOCOL_RAW, HVSOCKET_HIGH_VTL, &optionValue))) { PhSetSocketListViewItemBoolean(Context, PH_AFD_SOCKET_ITEM_HVSOCKET_HIGH_VTL, optionValue); } } NtClose(socketHandle); } INT_PTR CALLBACK PhpAfdSocketPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_AFD_SOCKET_PAGE_CONTEXT context; context = PhpGenericPropertyPageHeader(hwndDlg, uMsg, wParam, lParam, 4); if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); context->ListViewContext = PhListView_Initialize(context->ListViewHandle); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhSetExtendedListView(context->ListViewHandle); PhListView_AddColumn(context->ListViewContext, 0, 0, 0, LVCFMT_LEFT, 145, L"Name"); PhListView_AddColumn(context->ListViewContext, 1, 1, 1, LVCFMT_LEFT, 225, L"Value"); PhListView_EnableGroupView(context->ListViewContext, TRUE); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_SHARED, L"Shared Winsock context"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_STATE, L"Socket state"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_TYPE, L"Socket type"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_ADDRESS_FAMILY, L"Address family"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_PROTOCOL, L"Protocol"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_CATALOG_ENTRY_ID, L"Catalog entry ID"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_PROVIDER_ID, L"Provider ID"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_PROVIDER_FLAGS, L"Provider flags"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_SERVICE_FLAGS, L"Service flags"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_SEND_TIMEOUT, L"Send timeout"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_RECEIVE_TIMEOUT, L"Receive timeout"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_SEND_BUFFER_SIZE, L"Send buffer size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_RECEIVE_BUFFER_SIZE, L"Receive buffer size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_CREATION_FLAGS, L"Creation flags"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SHARED, PH_AFD_SOCKET_ITEM_FLAGS, L"Flags"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_ADDRESSES, L"Addresses"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_ADDRESSES, PH_AFD_SOCKET_ITEM_ADDRESS, L"Local address"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_ADDRESSES, PH_AFD_SOCKET_ITEM_REMOTE_ADDRESS, L"Remote address"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_INFOCLASS, L"AFD info classes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_CONNECT_TIME, L"Connect time"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_DELIVERY_AVAILABLE, L"Delivery available"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_PENDED_RECEIVE_REQUESTS, L"Pending receive requests"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_SENDS_PENDING, L"Pending sends"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_RECEIVE_WINDOW_SIZE, L"Receive window size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_SEND_WINDOW_SIZE, L"Send window size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_MAX_SEND_SIZE, L"Maximum send size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_GROUP_ID, L"Group ID"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_INFOCLASS, PH_AFD_SOCKET_ITEM_GROUP_TYPE, L"Group type"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_TDI, L"TDI devices"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TDI, PH_AFD_SOCKET_ITEM_TDI_ADDRESS_DEVICE, L"TDI address device"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TDI, PH_AFD_SOCKET_ITEM_TDI_CONNECTION_DEVICE, L"TDI connection device"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_SO, L"Socket-level options"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_REUSEADDR, L"Reuse address"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_KEEPALIVE, L"Keep alive"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_DONTROUTE, L"Don't route"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_BROADCAST, L"Broadcast"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_OOBINLINE, L"OOB in line"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_RCVBUF, L"Receive buffer size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_MAX_MSG_SIZE, L"Maximum message size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_PAUSE_ACCEPT, L"Pause accept"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_COMPARTMENT_ID, L"Compartment ID"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_RANDOMIZE_PORT, L"Randomize port"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_PORT_SCALABILITY, L"Port scalability"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_REUSE_UNICASTPORT, L"Reuse unicast port"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_SO, PH_AFD_SOCKET_ITEM_SO_EXCLUSIVEADDRUSE, L"Exclusive address use"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_IP, L"IP-level options"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_HDRINCL, L"Header included"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_TOS, L"Type-of-service"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_TTL, L"Unicast TTL"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_MULTICAST_IF, L"Multicast interface"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_MULTICAST_TTL, L"Multicast TTL"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_MULTICAST_LOOP, L"Multicast loopback"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_DONTFRAGMENT, L"Don't fragment"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_PKTINFO, L"Receive packet info"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECVTTL, L"Receive TTL"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECEIVE_BROADCAST, L"Broadcast reception"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_PROTECTION_LEVEL, L"IPv6 protection level"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECVIF, L"Receive arrival interface"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECVDSTADDR, L"Receive dest. address"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_V6ONLY, L"IPv6-only"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_IFLIST, L"Interface list"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_UNICAST_IF, L"Unicast interface"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECVRTHDR, L"Receive routing header"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECVTOS, L"Receive type-of-service"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_ORIGINAL_ARRIVAL_IF, L"Original arrival interface"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECVECN, L"Receive ECN"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_PKTINFO_EX, L"Recveive ext. packet info"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_WFP_REDIRECT_RECORDS, L"WFP redirect records"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_WFP_REDIRECT_CONTEXT, L"WFP redirect context"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_MTU_DISCOVER, L"MTU discovery"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_MTU, L"Path MTU"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_RECVERR, L"Receive ICMP errors"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_IP, PH_AFD_SOCKET_ITEM_IP_USER_MTU, L"Upper MTU bound"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_TCP, L"TCP-level options"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_NODELAY, L"No delay"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_EXPEDITED, L"Expedited data"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_KEEPALIVE, L"Keep alive"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_MAXSEG, L"Maximum segment size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_MAXRT, L"Retry timeout"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_STDURG, L"URG interpretation"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_NOURG, L"No URG"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_ATMARK, L"At mark"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_NOSYNRETRIES, L"No SYN retries"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_TIMESTAMPS, L"Timestamps"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_CONGESTION_ALGORITHM, L"Congestion algorithm"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_DELAY_FIN_ACK, L"Delay FIN ACK"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_MAXRTMS, L"Retry timeout (precise)"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_FASTOPEN, L"Fast open"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_KEEPCNT, L"Keep alive count"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_KEEPINTVL, L"Keep alive interval"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP, PH_AFD_SOCKET_ITEM_TCP_FAIL_CONNECT_ON_ICMP_ERROR, L"Fail on ICMP error"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_TCP_INFO, L"TCP information"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_STATE, L"TCP state"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_MSS, L"Maximum segment size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_CONNECTION_TIME, L"Connection time"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_TIMESTAMPS_ENABLED, L"Timestamps enabled"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_RTT, L"Estimated round-trip"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_MINRTT, L"Minimal round-trip"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_IN_FLIGHT, L"Bytes in flight"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_WINDOW, L"Congestion window"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_SEND_WINDOW, L"Send window"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVE_WINDOW, L"Receive window"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVE_BUFFER, L"Receive buffer"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_OUT, L"Bytes sent"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_IN, L"Bytes received"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_REORDERED, L"Bytes reordered"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_BYTES_RETRANSMITTED, L"Bytes retransmitted"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_FAST_RETRANSMIT, L"Fast retransmits"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_DUPLICATE_ACKS_IN, L"Duplicate ACKs"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_TIMEOUT_EPISODES, L"Timeout episodes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_SYN_RETRANSMITS, L"SYN retransmits"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_TRANSITIONS, L"Receiver-limited episodes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_TIME, L"Receiver-limited time"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_RECEIVER_LIMITED_BYTES, L"Receiver-limited bytes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_TRANSITIONS, L"Congestion-limited episodes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_TIME, L"Congestion-limited time"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_CONGESTION_LIMITED_BYTES, L"Congestion-limited bytes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_TRANSITIONS, L"Sender-limited episodes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_TIME, L"Sender-limited time"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_SENDER_LIMITED_BYTES, L"Sender-limited bytes"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_OUT_OF_ORDER_PACKETS, L"Out-of-order packets"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_ECN_NEGOTIATED, L"ECN negotiated"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_ECE_ACKS_IN, L"ECE ACKs"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_TCP_INFO, PH_AFD_SOCKET_ITEM_TCP_INFO_PTO_EPISODES, L"Probe timeout episodes"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_UDP, L"UDP-level options"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_UDP, PH_AFD_SOCKET_ITEM_UDP_NOCHECKSUM, L"No checksum"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_UDP, PH_AFD_SOCKET_ITEM_UDP_SEND_MSG_SIZE, L"Maximum message size"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_UDP, PH_AFD_SOCKET_ITEM_UDP_RECV_MAX_COALESCED_SIZE, L"Maximum coalesced size"); PhListView_AddGroup(context->ListViewContext, PH_AFD_SOCKET_GROUP_HVSOCKET, L"Hyper-V-level options"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_HVSOCKET, PH_AFD_SOCKET_ITEM_HVSOCKET_CONNECT_TIMEOUT, L"Connect timeout"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_HVSOCKET, PH_AFD_SOCKET_ITEM_HVSOCKET_CONTAINER_PASSTHRU, L"Container passthru"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_HVSOCKET, PH_AFD_SOCKET_ITEM_HVSOCKET_CONNECTED_SUSPEND, L"Connected suspend"); PhAddSocketListViewItem(context, PH_AFD_SOCKET_GROUP_HVSOCKET, PH_AFD_SOCKET_ITEM_HVSOCKET_HIGH_VTL, L"High VTL"); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhpRefreshAfdSocketPageInfo(context); } break; case WM_DESTROY: { PhDeleteLayoutManager(&context->LayoutManager); PhListView_Destroy(context->ListViewContext); PhFree(context); } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); ExtendedListView_SetColumnWidth(context->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID *listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { if (!PhHandleCopyListViewEMenuItem(item)) { switch (item->Id) { case IDC_COPY: PhCopyListView(context->ListViewHandle); break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/options.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #define WM_PH_CHILD_EXIT (WM_APP + 301) INT_PTR CALLBACK PhpOptionsGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpOptionsAdvancedDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpOptionsHighlightingDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpOptionsGraphsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhOptionsDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhOptionsDestroySection( _In_ PPH_OPTIONS_SECTION Section ); _Function_class_(PH_OPTIONS_ENTER_SECTION_VIEW) VOID PhOptionsEnterSectionView( _In_ PPH_OPTIONS_SECTION NewSection ); VOID PhOptionsLayoutSectionView( VOID ); VOID PhOptionsEnterSectionViewInner( _In_ PPH_OPTIONS_SECTION Section, _Inout_ HDWP *ContainerDeferHandle ); VOID PhOptionsCreateSectionDialog( _In_ PPH_OPTIONS_SECTION Section ); _Function_class_(PH_OPTIONS_FIND_SECTION) PPH_OPTIONS_SECTION PhOptionsFindSection( _In_ PCPH_STRINGREF Name ); VOID PhOptionsOnSize( VOID ); _Function_class_(PH_OPTIONS_CREATE_SECTION) PPH_OPTIONS_SECTION PhOptionsCreateSection( _In_ PCWSTR Name, _In_ PVOID Instance, _In_ PCWSTR Template, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ); PPH_OPTIONS_SECTION PhOptionsCreateSectionAdvanced( _In_ PCWSTR Name, _In_ PVOID Instance, _In_ PCWSTR Template, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ); BOOLEAN PhpIsDefaultTaskManager( VOID ); VOID PhpSetDefaultTaskManager( _In_ HWND ParentWindowHandle ); static HWND PhOptionsWindowHandle = NULL; static PH_LAYOUT_MANAGER WindowLayoutManager; static PPH_LIST SectionList = NULL; static PPH_OPTIONS_SECTION CurrentSection = NULL; static HWND OptionsTreeControl = NULL; static HWND ContainerControl = NULL; // All static BOOLEAN RestartRequired = FALSE; // General static BOOLEAN GeneralListViewStateInitializing = FALSE; static CONST PH_STRINGREF CurrentUserRunKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\Run"); static BOOLEAN CurrentUserRunPresent = FALSE; static HFONT CurrentFontInstance = NULL; static HFONT CurrentFontMonospaceInstance = NULL; static PPH_STRING NewFontSelection = NULL; static PPH_STRING NewFontMonospaceSelection = NULL; // Advanced static CONST PH_STRINGREF TaskMgrImageOptionsKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe"); static PPH_STRING OldTaskMgrDebugger = NULL; static HWND WindowHandleForElevate = NULL; // Highlighting static HWND HighlightingListViewHandle = NULL; VOID PhShowOptionsDialog( _In_ HWND ParentWindowHandle ) { if (PhStartupParameters.ShowOptions) { PhpSetDefaultTaskManager(ParentWindowHandle); } else { if (!PhOptionsWindowHandle) { PhOptionsWindowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_OPTIONS), NULL, PhOptionsDialogProc, NULL ); PhRegisterDialog(PhOptionsWindowHandle); ShowWindow(PhOptionsWindowHandle, SW_SHOW); } if (IsMinimized(PhOptionsWindowHandle)) ShowWindow(PhOptionsWindowHandle, SW_RESTORE); else SetForegroundWindow(PhOptionsWindowHandle); } } static HTREEITEM PhpTreeViewInsertItem( _In_opt_ HTREEITEM HandleInsertAfter, _In_ PCWSTR Text, _In_ PVOID Context ) { TV_INSERTSTRUCT insert; memset(&insert, 0, sizeof(TV_INSERTSTRUCT)); insert.hParent = TVI_ROOT; insert.hInsertAfter = HandleInsertAfter; insert.item.mask = TVIF_TEXT | TVIF_PARAM; insert.item.pszText = (PWSTR)Text; insert.item.lParam = (LPARAM)Context; return TreeView_InsertItem(OptionsTreeControl, &insert); } static VOID PhpOptionsShowHideTreeViewItem( _In_ BOOLEAN Hide ) { static CONST PH_STRINGREF generalName = PH_STRINGREF_INIT(L"General"); static CONST PH_STRINGREF advancedName = PH_STRINGREF_INIT(L"Advanced"); if (Hide) { PPH_OPTIONS_SECTION advancedSection; if (advancedSection = PhOptionsFindSection(&advancedName)) { if (advancedSection->TreeItemHandle) { TreeView_DeleteItem(OptionsTreeControl, advancedSection->TreeItemHandle); advancedSection->TreeItemHandle = NULL; } } } else { PPH_OPTIONS_SECTION generalSection; PPH_OPTIONS_SECTION advancedSection; generalSection = PhOptionsFindSection(&generalName); advancedSection = PhOptionsFindSection(&advancedName); if (generalSection && advancedSection && !advancedSection->TreeItemHandle) { advancedSection->TreeItemHandle = PhpTreeViewInsertItem( generalSection->TreeItemHandle, advancedName.Buffer, advancedSection ); } } } VOID PhpAdvancedPageSave( _In_ HWND hwndDlg ); VOID PhpAdvancedPageLoad( _In_ HWND hwndDlg, _In_ BOOLEAN ReloadOnly ); static VOID PhReloadGeneralSection( VOID ) { static PH_STRINGREF generalName = PH_STRINGREF_INIT(L"General"); GeneralListViewStateInitializing = TRUE; PhpAdvancedPageLoad(PhOptionsFindSection(&generalName)->DialogHandle, TRUE); GeneralListViewStateInitializing = FALSE; } static VOID PhpOptionsSetImageList( _In_ HWND WindowHandle, _In_ BOOLEAN Treeview ) { HIMAGELIST imageListHandle; LONG dpiValue = PhGetWindowDpi(WindowHandle); if (Treeview) imageListHandle = TreeView_GetImageList(WindowHandle, TVSIL_NORMAL); else imageListHandle = ListView_GetImageList(WindowHandle, LVSIL_SMALL); if (imageListHandle) { PhImageListSetIconSize(imageListHandle, 2, PhGetDpi(24, dpiValue)); if (Treeview) TreeView_SetImageList(WindowHandle, imageListHandle, TVSIL_NORMAL); else ListView_SetImageList(WindowHandle, imageListHandle, LVSIL_SMALL); } else { if (imageListHandle = PhImageListCreate(2, PhGetDpi(24, dpiValue), ILC_MASK | ILC_COLOR32, 1, 1)) { if (Treeview) TreeView_SetImageList(WindowHandle, imageListHandle, TVSIL_NORMAL); else ListView_SetImageList(WindowHandle, imageListHandle, LVSIL_SMALL); } } } INT_PTR CALLBACK PhOptionsDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { OptionsTreeControl = GetDlgItem(hwndDlg, IDC_SECTIONTREE); ContainerControl = GetDlgItem(hwndDlg, IDD_CONTAINER); PhSetApplicationWindowIcon(hwndDlg); PhpOptionsSetImageList(OptionsTreeControl, TRUE); //PhSetWindowStyle(GetDlgItem(hwndDlg, IDC_SEPARATOR), SS_OWNERDRAW, SS_OWNERDRAW); PhSetControlTheme(OptionsTreeControl, L"explorer"); TreeView_SetExtendedStyle(OptionsTreeControl, TVS_EX_DOUBLEBUFFER, TVS_EX_DOUBLEBUFFER); TreeView_SetBkColor(OptionsTreeControl, GetSysColor(COLOR_3DFACE)); PhInitializeLayoutManager(&WindowLayoutManager, hwndDlg); PhAddLayoutItem(&WindowLayoutManager, OptionsTreeControl, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_BOTTOM); //PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_SEPARATOR), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, ContainerControl, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_RESET), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_CLEANUP), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); //PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDC_APPLY), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&WindowLayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhRegisterWindowCallback(hwndDlg, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); if (PhEnableThemeSupport) // TODO: fix options dialog theme (dmex) PhInitializeWindowTheme(hwndDlg, TRUE); { PPH_OPTIONS_SECTION section; SectionList = PhCreateList(8); CurrentSection = NULL; section = PhOptionsCreateSection(L"General", PhInstanceHandle, MAKEINTRESOURCE(IDD_OPTGENERAL), PhpOptionsGeneralDlgProc, NULL); PhOptionsCreateSectionAdvanced(L"Advanced", PhInstanceHandle, MAKEINTRESOURCE(IDD_OPTADVANCED), PhpOptionsAdvancedDlgProc, NULL); PhOptionsCreateSection(L"Highlighting", PhInstanceHandle, MAKEINTRESOURCE(IDD_OPTHIGHLIGHTING), PhpOptionsHighlightingDlgProc, NULL); PhOptionsCreateSection(L"Graphs", PhInstanceHandle, MAKEINTRESOURCE(IDD_OPTGRAPHS), PhpOptionsGraphsDlgProc, NULL); PhOptionsCreateSection(L"Plugins", PhInstanceHandle, MAKEINTRESOURCE(IDD_PLUGINS), PhPluginsDlgProc, NULL); if (PhPluginsEnabled) { PH_PLUGIN_OPTIONS_POINTERS pointers; pointers.WindowHandle = hwndDlg; pointers.CreateSection = PhOptionsCreateSection; pointers.FindSection = PhOptionsFindSection; pointers.EnterSectionView = PhOptionsEnterSectionView; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackOptionsWindowInitializing), &pointers); } TreeView_SelectItem(OptionsTreeControl, section->TreeItemHandle); SetFocus(OptionsTreeControl); //PhOptionsEnterSectionView(section); PhOptionsOnSize(); } if (PhValidWindowPlacementFromSetting(SETTING_OPTIONS_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_OPTIONS_WINDOW_POSITION, SETTING_OPTIONS_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, PhMainWndHandle); } break; case WM_DESTROY: { ULONG i; PPH_OPTIONS_SECTION section; PhSaveWindowPlacementToSetting(SETTING_OPTIONS_WINDOW_POSITION, SETTING_OPTIONS_WINDOW_SIZE, hwndDlg); PhDeleteLayoutManager(&WindowLayoutManager); for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (PhEqualStringRef2(§ion->Name, L"General", TRUE)) { PhpAdvancedPageSave(section->DialogHandle); } PhOptionsDestroySection(section); } PhDereferenceObject(SectionList); SectionList = NULL; PhUnregisterWindowCallback(hwndDlg); PhUnregisterDialog(PhOptionsWindowHandle); PhOptionsWindowHandle = NULL; } break; case WM_DPICHANGED: { PhpOptionsSetImageList(OptionsTreeControl, TRUE); PhLayoutManagerUpdate(&WindowLayoutManager, LOWORD(wParam)); PhOptionsOnSize(); } break; case WM_SIZE: { PhOptionsOnSize(); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: { DestroyWindow(hwndDlg); } break; case IDC_RESET: { if (PhShowMessage2( hwndDlg, TD_YES_BUTTON | TD_NO_BUTTON, TD_WARNING_ICON, L"Do you want to reset all settings and restart System Informer?", L"" ) == IDYES) { SystemInformer_PrepareForEarlyShutdown(); PhResetSettings(PhMainWndHandle); PhSaveSettings2(PhSettingsFileName); if (NT_SUCCESS(PhShellProcessHacker( PhMainWndHandle, L"-v -newinstance", SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, PH_SHELL_APP_PROPAGATE_PARAMETERS | PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY, 0, NULL ))) { SystemInformer_Destroy(); } else { SystemInformer_CancelEarlyShutdown(); } } } break; case IDC_CLEANUP: { if (PhShowMessage2( hwndDlg, TD_YES_BUTTON | TD_NO_BUTTON, TD_INFORMATION_ICON, L"Do you want to clean up unused settings?", L"" ) == IDYES) { PhClearIgnoredSettings(); } } break; } } break; case WM_DRAWITEM: { PDRAWITEMSTRUCT drawInfo = (PDRAWITEMSTRUCT)lParam; //if (drawInfo->CtlID == IDC_SEPARATOR) //{ // RECT rect; // // rect = drawInfo->rcItem; // rect.right = 2; // // if (PhEnableThemeSupport) // { // switch (PhCsGraphColorMode) // { // case 0: // New colors // { // FillRect(drawInfo->hDC, &rect, GetSysColorBrush(COLOR_3DHIGHLIGHT)); // rect.left += 1; // FillRect(drawInfo->hDC, &rect, GetSysColorBrush(COLOR_3DSHADOW)); // } // break; // case 1: // Old colors // { // SetDCBrushColor(drawInfo->hDC, RGB(0, 0, 0)); // FillRect(drawInfo->hDC, &rect, PhGetStockBrush(DC_BRUSH)); // } // break; // } // } // else // { // FillRect(drawInfo->hDC, &rect, GetSysColorBrush(COLOR_3DHIGHLIGHT)); // rect.left += 1; // FillRect(drawInfo->hDC, &rect, GetSysColorBrush(COLOR_3DSHADOW)); // } // // return TRUE; //} } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case TVN_SELCHANGED: { LPNMTREEVIEW treeview = (LPNMTREEVIEW)lParam; PPH_OPTIONS_SECTION section = (PPH_OPTIONS_SECTION)treeview->itemNew.lParam; if (section) { PhOptionsEnterSectionView(section); } } break; case NM_SETCURSOR: { if (header->hwndFrom == OptionsTreeControl) { PhSetCursor(PhLoadArrowCursor()); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, TRUE); return TRUE; } } break; } } break; } return FALSE; } VOID PhOptionsOnSize( VOID ) { PhLayoutManagerLayout(&WindowLayoutManager); if (SectionList && SectionList->Count != 0) { PhOptionsLayoutSectionView(); } } _Function_class_(PH_OPTIONS_CREATE_SECTION) PPH_OPTIONS_SECTION PhOptionsCreateSection( _In_ PCWSTR Name, _In_ PVOID Instance, _In_ PCWSTR Template, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ) { PPH_OPTIONS_SECTION section; section = PhAllocateZero(sizeof(PH_OPTIONS_SECTION)); PhInitializeStringRefLongHint(§ion->Name, Name); section->Instance = Instance; section->Template = Template; section->DialogProc = DialogProc; section->Parameter = Parameter; section->TreeItemHandle = PhpTreeViewInsertItem(TVI_LAST, Name, section); PhAddItemList(SectionList, section); return section; } PPH_OPTIONS_SECTION PhOptionsCreateSectionAdvanced( _In_ PCWSTR Name, _In_ PVOID Instance, _In_ PCWSTR Template, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ) { PPH_OPTIONS_SECTION section; section = PhAllocateZero(sizeof(PH_OPTIONS_SECTION)); PhInitializeStringRefLongHint(§ion->Name, Name); section->Instance = Instance; section->Template = Template; section->DialogProc = DialogProc; section->Parameter = Parameter; PhAddItemList(SectionList, section); return section; } VOID PhOptionsDestroySection( _In_ PPH_OPTIONS_SECTION Section ) { PhFree(Section); } _Function_class_(PH_OPTIONS_FIND_SECTION) PPH_OPTIONS_SECTION PhOptionsFindSection( _In_ PCPH_STRINGREF Name ) { ULONG i; PPH_OPTIONS_SECTION section; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (PhEqualStringRef(§ion->Name, Name, TRUE)) return section; } return NULL; } VOID PhOptionsLayoutSectionView( VOID ) { if (CurrentSection && CurrentSection->DialogHandle) { RECT clientRect; if (!PhGetClientRect(ContainerControl, &clientRect)) return; SetWindowPos( CurrentSection->DialogHandle, NULL, 0, 0, clientRect.right - clientRect.left, clientRect.bottom - clientRect.top, SWP_NOACTIVATE | SWP_NOZORDER ); } } _Function_class_(PH_OPTIONS_ENTER_SECTION_VIEW) VOID PhOptionsEnterSectionView( _In_ PPH_OPTIONS_SECTION NewSection ) { ULONG i; PPH_OPTIONS_SECTION section; PPH_OPTIONS_SECTION oldSection; HDWP containerDeferHandle; if (CurrentSection == NewSection) return; oldSection = CurrentSection; CurrentSection = NewSection; containerDeferHandle = BeginDeferWindowPos(SectionList->Count); PhOptionsEnterSectionViewInner(NewSection, &containerDeferHandle); PhOptionsLayoutSectionView(); for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (section != NewSection) PhOptionsEnterSectionViewInner(section, &containerDeferHandle); } EndDeferWindowPos(containerDeferHandle); if (NewSection->DialogHandle) RedrawWindow(NewSection->DialogHandle, NULL, NULL, RDW_ERASE | RDW_INVALIDATE | RDW_ALLCHILDREN | RDW_UPDATENOW); } VOID PhOptionsEnterSectionViewInner( _In_ PPH_OPTIONS_SECTION Section, _Inout_ HDWP *ContainerDeferHandle ) { if (Section == CurrentSection && !Section->DialogHandle) PhOptionsCreateSectionDialog(Section); if (Section->DialogHandle) { if (Section == CurrentSection) *ContainerDeferHandle = DeferWindowPos(*ContainerDeferHandle, Section->DialogHandle, NULL, 0, 0, 0, 0, SWP_SHOWWINDOW_ONLY | SWP_NOREDRAW); else *ContainerDeferHandle = DeferWindowPos(*ContainerDeferHandle, Section->DialogHandle, NULL, 0, 0, 0, 0, SWP_HIDEWINDOW_ONLY | SWP_NOREDRAW); } } VOID PhOptionsCreateSectionDialog( _In_ PPH_OPTIONS_SECTION Section ) { Section->DialogHandle = PhCreateDialogFromTemplate( ContainerControl, DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD, Section->Instance, Section->Template, Section->DialogProc, Section->Parameter ); PhInitializeWindowTheme(Section->DialogHandle, PhEnableThemeSupport); } #define SetDlgItemCheckForSetting(hwndDlg, Id, Name) \ Button_SetCheck(GetDlgItem(hwndDlg, Id), PhGetIntegerSetting(Name) ? BST_CHECKED : BST_UNCHECKED) #define SetSettingForDlgItemCheck(hwndDlg, Id, Name) \ PhSetIntegerSetting(Name, Button_GetCheck(GetDlgItem(hwndDlg, Id)) == BST_CHECKED) #define SetSettingForDlgItemCheckRestartRequired(hwndDlg, Id, Name) \ { \ BOOLEAN __oldValue = !!PhGetIntegerSetting(Name); \ BOOLEAN __newValue = Button_GetCheck(GetDlgItem(hwndDlg, Id)) == BST_CHECKED; \ if (__newValue != __oldValue) \ RestartRequired = TRUE; \ PhSetIntegerSetting(Name, __newValue); \ } #define SetLvItemCheckForSetting(ListViewHandle, Index, Name) \ ListView_SetCheckState(ListViewHandle, Index, !!PhGetIntegerSetting(Name)); #define SetSettingForLvItemCheck(ListViewHandle, Index, Name) \ PhSetIntegerSetting(Name, ListView_GetCheckState(ListViewHandle, Index) == BST_CHECKED) #define SetSettingForLvItemCheckRestartRequired(ListViewHandle, Index, Name) \ { \ BOOLEAN __oldValue = !!PhGetIntegerSetting(Name); \ BOOLEAN __newValue = ListView_GetCheckState(ListViewHandle, Index) == BST_CHECKED; \ if (__newValue != __oldValue) \ RestartRequired = TRUE; \ PhSetIntegerSetting(Name, __newValue); \ } _Success_(return) static BOOLEAN GetCurrentFont( _Out_ PLOGFONT Font ) { BOOLEAN result; PPH_STRING fontHexString; if (NewFontSelection) fontHexString = NewFontSelection; else fontHexString = PhaGetStringSetting(SETTING_FONT); if (fontHexString->Length / sizeof(WCHAR) / 2 == sizeof(LOGFONT)) result = PhHexStringToBuffer(&fontHexString->sr, (PUCHAR)Font); else result = FALSE; return result; } _Success_(return) static BOOLEAN GetCurrentFontMonospace( _Out_ PLOGFONT Font ) { BOOLEAN result; PPH_STRING fontHexString; if (NewFontMonospaceSelection) fontHexString = NewFontMonospaceSelection; else fontHexString = PhaGetStringSetting(SETTING_FONT_MONOSPACE); if (fontHexString->Length / sizeof(WCHAR) / 2 == sizeof(LOGFONT)) result = PhHexStringToBuffer(&fontHexString->sr, (PUCHAR)Font); else result = FALSE; return result; } typedef struct _PHP_HKURUN_ENTRY { PPH_STRING Value; //PPH_STRING Name; } PHP_HKURUN_ENTRY, *PPHP_HKURUN_ENTRY; _Function_class_(PH_ENUM_KEY_CALLBACK) BOOLEAN NTAPI PhpReadCurrentRunCallback( _In_ HANDLE RootDirectory, _In_ PKEY_VALUE_FULL_INFORMATION Information, _In_opt_ PVOID Context ) { if (Context && Information->Type == REG_SZ) { PHP_HKURUN_ENTRY entry; if (Information->DataLength > sizeof(UNICODE_NULL)) entry.Value = PhCreateStringEx(PTR_ADD_OFFSET(Information, Information->DataOffset), Information->DataLength); else entry.Value = PhReferenceEmptyString(); //entry.Name = PhCreateStringEx(Information->Name, Information->NameLength); PhAddItemArray(Context, &entry); } return TRUE; } static VOID ReadCurrentUserRun( VOID ) { HANDLE keyHandle; CurrentUserRunPresent = FALSE; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_CURRENT_USER, &CurrentUserRunKeyName, 0 ))) { PH_ARRAY keyEntryArray; PhInitializeArray(&keyEntryArray, sizeof(PHP_HKURUN_ENTRY), 20); PhEnumerateValueKey(keyHandle, KeyValueFullInformation, PhpReadCurrentRunCallback, &keyEntryArray); for (SIZE_T i = 0; i < PhFinalArrayCount(&keyEntryArray); i++) { PPHP_HKURUN_ENTRY entry = PhItemArray(&keyEntryArray, i); PH_STRINGREF fileName; PH_STRINGREF arguments; PPH_STRING fullFileName; PPH_STRING applicationFileName; if (PhParseCommandLineFuzzy(&entry->Value->sr, &fileName, &arguments, &fullFileName)) { if (applicationFileName = PhGetApplicationFileNameWin32()) { PhMoveReference(&applicationFileName, PhGetBaseName(applicationFileName)); if (fullFileName && PhEndsWithString(fullFileName, applicationFileName, TRUE)) { CurrentUserRunPresent = TRUE; } PhDereferenceObject(applicationFileName); } if (fullFileName) PhDereferenceObject(fullFileName); } PhDereferenceObject(entry->Value); } PhDeleteArray(&keyEntryArray); NtClose(keyHandle); } } static VOID WriteCurrentUserRun( _In_ BOOLEAN Present, _In_ BOOLEAN StartHidden ) { HANDLE keyHandle; if (CurrentUserRunPresent == Present) return; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_WRITE, PH_KEY_CURRENT_USER, &CurrentUserRunKeyName, 0 ))) { static CONST PH_STRINGREF valueName = PH_STRINGREF_INIT(L"System Informer"); static CONST PH_STRINGREF separator = PH_STRINGREF_INIT(L"\""); if (Present) { PPH_STRING value; PPH_STRING fileName; if (fileName = PhGetApplicationFileNameWin32()) { value = PH_AUTO(PhConcatStringRef3(&separator, &fileName->sr, &separator)); if (StartHidden) value = PH_AUTO(PhConcatStringRefZ(&value->sr, L" -hide")); PhSetValueKey( keyHandle, &valueName, REG_SZ, value->Buffer, (ULONG)value->Length + sizeof(UNICODE_NULL) ); PhDereferenceObject(fileName); } } else { PhDeleteValueKey(keyHandle, &valueName); } NtClose(keyHandle); } } static BOOLEAN PathMatchesPh( _In_ PPH_STRING Path ) { BOOLEAN match = FALSE; PPH_STRING fileName; if (!(fileName = PhGetApplicationFileNameWin32())) return FALSE; if (PhEqualString(OldTaskMgrDebugger, fileName, TRUE)) { match = TRUE; } // Allow for a quoted value. else if ( OldTaskMgrDebugger->Length == fileName->Length + 4 && OldTaskMgrDebugger->Buffer[0] == L'"' && OldTaskMgrDebugger->Buffer[OldTaskMgrDebugger->Length / sizeof(WCHAR) - 1] == L'"' ) { PH_STRINGREF partInside; partInside.Buffer = &OldTaskMgrDebugger->Buffer[1]; partInside.Length = OldTaskMgrDebugger->Length - 2 * sizeof(WCHAR); if (PhEqualStringRef(&partInside, &fileName->sr, TRUE)) match = TRUE; } PhDereferenceObject(fileName); return match; } BOOLEAN PhpIsDefaultTaskManager( VOID ) { HANDLE taskmgrKeyHandle; BOOLEAN alreadyReplaced = FALSE; if (NT_SUCCESS(PhOpenKey( &taskmgrKeyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &TaskMgrImageOptionsKeyName, 0 ))) { PhClearReference(&OldTaskMgrDebugger); if (OldTaskMgrDebugger = PhQueryRegistryStringZ(taskmgrKeyHandle, L"Debugger")) { alreadyReplaced = PathMatchesPh(OldTaskMgrDebugger); } NtClose(taskmgrKeyHandle); } return alreadyReplaced; } VOID PhpSetDefaultTaskManager( _In_ HWND ParentWindowHandle ) { PWSTR message; if (PhpIsDefaultTaskManager()) { message = L"Do you want to restore the default Windows Task Manager?"; } else { message = L"Do you want to make System Informer the default Windows Task Manager?"; // Warn the user when we're not installed into secure location. (dmex) if (!PhShowOptionsDefaultInstallLocation(ParentWindowHandle, L"Changing the default Task Manager")) { return; } } if (PhShowMessage2( ParentWindowHandle, TD_YES_BUTTON | TD_NO_BUTTON, TD_INFORMATION_ICON, L"", message ) == IDYES) { NTSTATUS status; HANDLE taskmgrKeyHandle; status = PhCreateKey( &taskmgrKeyHandle, KEY_READ | KEY_WRITE, PH_KEY_LOCAL_MACHINE, &TaskMgrImageOptionsKeyName, OBJ_OPENIF, 0, NULL ); if (NT_SUCCESS(status)) { static CONST PH_STRINGREF valueName = PH_STRINGREF_INIT(L"Debugger"); static CONST PH_STRINGREF separator = PH_STRINGREF_INIT(L"\""); if (PhpIsDefaultTaskManager()) { status = PhDeleteValueKey(taskmgrKeyHandle, &valueName); } else { PPH_STRING quotedFileName; PPH_STRING applicationFileName; if (applicationFileName = PhGetApplicationFileNameWin32()) { quotedFileName = PH_AUTO(PhConcatStringRef3(&separator, &applicationFileName->sr, &separator)); status = PhSetValueKey( taskmgrKeyHandle, &valueName, REG_SZ, quotedFileName->Buffer, (ULONG)quotedFileName->Length + sizeof(UNICODE_NULL) ); PhDereferenceObject(applicationFileName); } } NtClose(taskmgrKeyHandle); } if (!NT_SUCCESS(status)) PhShowStatus(ParentWindowHandle, L"Unable to replace Task Manager", status, 0); //PhSaveSettings2(PhSettingsFileName); } } //BOOLEAN PhpIsExploitProtectionEnabled( // VOID // ) //{ // BOOLEAN enabled = FALSE; // HANDLE keyHandle; // PPH_STRING directory = NULL; // PPH_STRING fileName = NULL; // PPH_STRING keyName; // // PhMoveReference(&directory, PhCreateString2(&TaskMgrImageOptionsKeyName)); // PhMoveReference(&directory, PhGetBaseDirectory(directory)); // PhMoveReference(&fileName, PhGetApplicationFileNameWin32()); // PhMoveReference(&fileName, PhGetBaseName(fileName)); // keyName = PhConcatStringRef3(&directory->sr, &PhNtPathSeparatorString, &fileName->sr); // // if (NT_SUCCESS(PhOpenKey( // &keyHandle, // KEY_READ, // PH_KEY_LOCAL_MACHINE, // &keyName->sr, // 0 // ))) // { // PH_STRINGREF valueName; // PKEY_VALUE_PARTIAL_INFORMATION buffer; // // enabled = !(PhQueryRegistryUlong64(keyHandle, L"MitigationOptions") == ULLONG_MAX); // PhInitializeStringRef(&valueName, L"MitigationOptions"); // // if (NT_SUCCESS(PhQueryValueKey(keyHandle, &valueName, KeyValuePartialInformation, &buffer))) // { // if (buffer->Type == REG_BINARY && buffer->DataLength) // { // enabled = TRUE; // } // // PhFree(buffer); // } // // NtClose(keyHandle); // } // // PhDereferenceObject(keyName); // PhDereferenceObject(fileName); // PhDereferenceObject(directory); // // return enabled; //} // //NTSTATUS PhpSetExploitProtectionEnabled( // _In_ BOOLEAN Enabled) //{ // static PH_STRINGREF replacementToken = PH_STRINGREF_INIT(L"Software\\"); // static PH_STRINGREF wow6432Token = PH_STRINGREF_INIT(L"Software\\WOW6432Node\\"); // static PH_STRINGREF valueName = PH_STRINGREF_INIT(L"MitigationOptions"); // NTSTATUS status = STATUS_UNSUCCESSFUL; // HANDLE keyHandle; // PPH_STRING directory; // PPH_STRING fileName; // PPH_STRING keyName; // // directory = PhCreateString2(&TaskMgrImageOptionsKeyName); // PhMoveReference(&directory, PhGetBaseDirectory(directory)); // fileName = PhGetApplicationFileNameWin32(); // PhMoveReference(&fileName, PhGetBaseName(fileName)); // keyName = PhConcatStringRef3(&directory->sr, &PhNtPathSeparatorString, &fileName->sr); // // //if (Enabled) // //{ // // status = PhCreateKey( // // &keyHandle, // // KEY_WRITE, // // PH_KEY_LOCAL_MACHINE, // // &keyName->sr, // // OBJ_OPENIF, // // 0, // // NULL // // ); // // // // if (NT_SUCCESS(status)) // // { // // status = PhSetValueKey(keyHandle, &valueName, REG_QWORD, &(ULONG64) // // { // // PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON | // // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON, // // }, sizeof(ULONG64)); // // // // NtClose(keyHandle); // // } // //} // //else // { // status = PhOpenKey( // &keyHandle, // KEY_WRITE, // PH_KEY_LOCAL_MACHINE, // &keyName->sr, // OBJ_OPENIF // ); // // if (NT_SUCCESS(status)) // { // status = PhDeleteValueKey(keyHandle, &valueName); // NtClose(keyHandle); // } // // if (status == STATUS_OBJECT_NAME_NOT_FOUND) // status = STATUS_SUCCESS; // //#ifdef _WIN64 // if (NT_SUCCESS(status)) // { // PH_STRINGREF stringBefore; // PH_STRINGREF stringAfter; // // if (PhSplitStringRefAtString(&keyName->sr, &replacementToken, TRUE, &stringBefore, &stringAfter)) // { // PhMoveReference(&keyName, PhConcatStringRef3(&stringBefore, &wow6432Token, &stringAfter)); // // status = PhOpenKey( // &keyHandle, // DELETE, // PH_KEY_LOCAL_MACHINE, // &keyName->sr, // OBJ_OPENIF // ); // // if (NT_SUCCESS(status)) // { // status = NtDeleteKey(keyHandle); // NtClose(keyHandle); // } // } // } //#endif // } // // if (status == STATUS_OBJECT_NAME_NOT_FOUND) // status = STATUS_SUCCESS; // // PhDereferenceObject(keyName); // PhDereferenceObject(fileName); // PhDereferenceObject(directory); // // return status; //} NTSTATUS PhpSetSilentProcessNotifyEnabled( _In_ BOOLEAN Enabled) { static CONST PH_STRINGREF processExitKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit"); static CONST PH_STRINGREF valueModeName = PH_STRINGREF_INIT(L"ReportingMode"); static ULONG valueMode = 4; //static CONST PH_STRINGREF valueSelfName = PH_STRINGREF_INIT(L"IgnoreSelfExits"); //static ULONG valueSelf = 1; //static CONST PH_STRINGREF valueMonitorName = PH_STRINGREF_INIT(L"MonitorProcess"); static CONST PH_STRINGREF valueGlobalName = PH_STRINGREF_INIT(L"GlobalFlag"); NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE keyDirectoryHandle = NULL; HANDLE keyFilenameHandle = NULL; PPH_STRING filename; PPH_STRING baseName; filename = PH_AUTO(PhGetApplicationFileNameWin32()); baseName = PH_AUTO(PhGetBaseName(filename)); if (Enabled) { status = PhCreateKey( &keyDirectoryHandle, KEY_WRITE, PH_KEY_LOCAL_MACHINE, &processExitKeyName, OBJ_OPENIF, 0, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateKey( &keyFilenameHandle, KEY_WRITE, keyDirectoryHandle, &baseName->sr, OBJ_OPENIF, 0, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhSetValueKey( keyFilenameHandle, &valueModeName, REG_DWORD, &valueMode, sizeof(ULONG) ); if (!NT_SUCCESS(status)) goto CleanupExit; //PhSetValueKey(keyFilenameHandle, &valueSelfName, REG_DWORD, &valueSelf, sizeof(ULONG)); //PhSetValueKey(keyFilenameHandle, &valueMonitorName, REG_SZ, filename->Buffer, (ULONG)filename->Length + sizeof(UNICODE_NULL)); if (NT_SUCCESS(status)) { HANDLE keyHandle; PPH_STRING directory; PPH_STRING fileName; PPH_STRING keyName; directory = PH_AUTO(PhCreateString2(&TaskMgrImageOptionsKeyName)); directory = PH_AUTO(PhGetBaseDirectory(directory)); fileName = PH_AUTO(PhGetApplicationFileNameWin32()); fileName = PH_AUTO(PhGetBaseName(fileName)); keyName = PH_AUTO(PhConcatStringRef3(&directory->sr, &PhNtPathSeparatorString, &fileName->sr)); status = PhCreateKey( &keyHandle, KEY_WRITE, PH_KEY_LOCAL_MACHINE, &keyName->sr, OBJ_OPENIF, 0, NULL ); if (NT_SUCCESS(status)) { ULONG globalFlags = PhQueryRegistryUlongZ(keyHandle, L"GlobalFlag"); if (globalFlags == ULONG_MAX) globalFlags = 0; globalFlags = globalFlags | FLG_MONITOR_SILENT_PROCESS_EXIT; status = PhSetValueKey(keyHandle, &valueGlobalName, REG_DWORD, &globalFlags, sizeof(ULONG)); NtClose(keyHandle); } } } else { if (NT_SUCCESS(PhOpenKey( &keyDirectoryHandle, DELETE, PH_KEY_LOCAL_MACHINE, &processExitKeyName, 0 ))) { if (NT_SUCCESS(PhOpenKey( &keyFilenameHandle, DELETE, keyDirectoryHandle, &baseName->sr, 0 ))) { NtDeleteKey(keyFilenameHandle); } } { HANDLE keyHandle; PPH_STRING directory; PPH_STRING fileName; PPH_STRING keyName; directory = PH_AUTO(PhCreateString2(&TaskMgrImageOptionsKeyName)); directory = PH_AUTO(PhGetBaseDirectory(directory)); fileName = PH_AUTO(PhGetApplicationFileNameWin32()); fileName = PH_AUTO(PhGetBaseName(fileName)); keyName = PH_AUTO(PhConcatStringRef3(&directory->sr, &PhNtPathSeparatorString, &fileName->sr)); status = PhOpenKey( &keyHandle, KEY_WRITE, PH_KEY_LOCAL_MACHINE, &keyName->sr, 0 ); if (NT_SUCCESS(status)) { status = PhDeleteValueKey(keyHandle, &valueGlobalName); NtClose(keyHandle); } } } CleanupExit: if (keyDirectoryHandle) NtClose(keyDirectoryHandle); if (keyFilenameHandle) NtClose(keyFilenameHandle); return status; } VOID PhpRefreshTaskManagerState( _In_ HWND WindowHandle ) { if (!PhGetOwnTokenAttributes().Elevated) { Button_SetElevationRequiredState(GetDlgItem(WindowHandle, IDC_REPLACETASKMANAGER), TRUE); } if (PhpIsDefaultTaskManager()) { PhSetWindowText(GetDlgItem(WindowHandle, IDC_DEFSTATE), L"System Informer is the default Task Manager:"); PhSetWindowText(GetDlgItem(WindowHandle, IDC_REPLACETASKMANAGER), L"Restore default..."); } else { PhSetWindowText(GetDlgItem(WindowHandle, IDC_DEFSTATE), L"System Informer is not the default Task Manager:"); PhSetWindowText(GetDlgItem(WindowHandle, IDC_REPLACETASKMANAGER), L"Make default..."); } } typedef enum _PHP_OPTIONS_INDEX { PHP_OPTIONS_INDEX_SINGLE_INSTANCE, PHP_OPTIONS_INDEX_HIDE_WHENCLOSED, PHP_OPTIONS_INDEX_HIDE_WHENMINIMIZED, PHP_OPTIONS_INDEX_START_ATLOGON, PHP_OPTIONS_INDEX_START_HIDDEN, PHP_OPTIONS_INDEX_ENABLE_WARNINGS, PHP_OPTIONS_INDEX_ENABLE_DRIVER, PHP_OPTIONS_INDEX_ENABLE_MONOSPACE, PHP_OPTIONS_INDEX_ENABLE_PLUGINS, PHP_OPTIONS_INDEX_ENABLE_AVX_EXTENSIONS, PHP_OPTIONS_INDEX_ENABLE_UNDECORATE_SYMBOLS, PHP_OPTIONS_INDEX_ENABLE_COLUMN_HEADER_TOTALS, PHP_OPTIONS_INDEX_ENABLE_CYCLE_CPU_USAGE, PHP_OPTIONS_INDEX_ENABLE_LOW_LATENCY_MODE, PHP_OPTIONS_INDEX_ENABLE_GRAPH_SCALING, PHP_OPTIONS_INDEX_ENABLE_MINIINFO_WINDOW, PHP_OPTIONS_INDEX_ENABLE_MEMSTRINGS_TREE, PHP_OPTIONS_INDEX_ENABLE_LASTTAB_SUPPORT, PHP_OPTIONS_INDEX_ENABLE_THEME_SUPPORT, PHP_OPTIONS_INDEX_ENABLE_START_ASADMIN, PHP_OPTIONS_INDEX_ENABLE_STREAM_MODE, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE_DOH, PHP_OPTIONS_INDEX_ENABLE_INSTANT_TOOLTIPS, PHP_OPTIONS_INDEX_ENABLE_IMAGE_COHERENCY, PHP_OPTIONS_INDEX_ENABLE_STAGE2, PHP_OPTIONS_INDEX_ENABLE_SERVICE_STAGE2, PHP_OPTIONS_INDEX_ICON_SINGLE_CLICK, PHP_OPTIONS_INDEX_ICON_TOGGLE_VISIBILITY, PHP_OPTIONS_INDEX_PROPAGATE_CPU_USAGE, PHP_OPTIONS_INDEX_PROCESS_MONITOR, PHP_OPTIONS_INDEX_SHOW_ADVANCED_OPTIONS } PHP_OPTIONS_GENERAL_INDEX; static VOID PhpAdvancedPageLoad( _In_ HWND hwndDlg, _In_ BOOLEAN ReloadOnly ) { HWND listViewHandle; listViewHandle = GetDlgItem(hwndDlg, IDC_SETTINGS); PhSetDialogItemValue(hwndDlg, IDC_SAMPLECOUNT, PhGetIntegerSetting(SETTING_SAMPLE_COUNT), FALSE); SetDlgItemCheckForSetting(hwndDlg, IDC_SAMPLECOUNTAUTOMATIC, SETTING_SAMPLE_COUNT_AUTOMATIC); if (PhGetIntegerSetting(SETTING_SAMPLE_COUNT_AUTOMATIC)) EnableWindow(GetDlgItem(hwndDlg, IDC_SAMPLECOUNT), FALSE); if (!ReloadOnly) { PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_SINGLE_INSTANCE, L"Allow only one instance", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_HIDE_WHENCLOSED, L"Hide when closed", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_HIDE_WHENMINIMIZED, L"Hide when minimized", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_START_ATLOGON, L"Start when I log on", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_START_HIDDEN, L"Start hidden", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_WARNINGS, L"Enable warnings", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_DRIVER, L"Enable kernel-mode driver", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MONOSPACE, L"Enable monospace fonts", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_PLUGINS, L"Enable plugins", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_UNDECORATE_SYMBOLS, L"Enable undecorated symbols", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_AVX_EXTENSIONS, L"Enable AVX extensions (experimental)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_COLUMN_HEADER_TOTALS, L"Enable column header totals (experimental)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_CYCLE_CPU_USAGE, L"Enable cycle-based CPU usage", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LOW_LATENCY_MODE, L"Enable low-latency mode (experimental)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_GRAPH_SCALING, L"Enable fixed graph scaling (experimental)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MINIINFO_WINDOW, L"Enable tray information window", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MEMSTRINGS_TREE, L"Enable new memory strings dialog", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LASTTAB_SUPPORT, L"Remember last selected window", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_THEME_SUPPORT, L"Enable theme support (experimental)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_START_ASADMIN, L"Enable start as admin (experimental)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_STREAM_MODE, L"Enable streamer mode (disable window capture) (experimental)", NULL); //PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LINUX_SUPPORT, L"Enable Windows subsystem for Linux support", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE, L"Resolve network addresses", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE_DOH, L"Resolve DNS over HTTPS (DoH)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_INSTANT_TOOLTIPS, L"Show tooltips instantly", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_IMAGE_COHERENCY, L"Check images for coherency", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_STAGE2, L"Check images for digital signatures", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_SERVICE_STAGE2, L"Check services for digital signatures", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ICON_SINGLE_CLICK, L"Single-click tray icons", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_ICON_TOGGLE_VISIBILITY, L"Icon click toggles visibility", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_PROPAGATE_CPU_USAGE, L"Include usage of collapsed processes", NULL); if (WindowsVersion >= WINDOWS_10) PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_PROCESS_MONITOR, L"Enable process monitor (experimental)", NULL); PhAddListViewItem(listViewHandle, PHP_OPTIONS_INDEX_SHOW_ADVANCED_OPTIONS, L"Show advanced options", NULL); } SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_SINGLE_INSTANCE, SETTING_ALLOW_ONLY_ONE_INSTANCE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_HIDE_WHENCLOSED, SETTING_HIDE_ON_CLOSE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_HIDE_WHENMINIMIZED, SETTING_HIDE_ON_MINIMIZE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_START_HIDDEN, SETTING_START_HIDDEN); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MINIINFO_WINDOW, SETTING_MINI_INFO_WINDOW_ENABLED); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MEMSTRINGS_TREE, SETTING_ENABLE_MEM_STRINGS_TREE_DIALOG); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LASTTAB_SUPPORT, SETTING_MAIN_WINDOW_TAB_RESTORE_ENABLED); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_DRIVER, SETTING_KSI_ENABLE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_WARNINGS, SETTING_ENABLE_WARNINGS); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_PLUGINS, SETTING_ENABLE_PLUGINS); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_UNDECORATE_SYMBOLS, SETTING_DBGHELP_UNDECORATE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_AVX_EXTENSIONS, SETTING_ENABLE_AVX_SUPPORT); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_COLUMN_HEADER_TOTALS, SETTING_TREE_LIST_ENABLE_HEADER_TOTALS); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_GRAPH_SCALING, SETTING_ENABLE_GRAPH_MAX_SCALE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_CYCLE_CPU_USAGE, SETTING_ENABLE_CYCLE_CPU_USAGE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LOW_LATENCY_MODE, SETTING_ENABLE_HIGH_RESOLUTION_PROVIDER_TIMER); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_THEME_SUPPORT, SETTING_ENABLE_THEME_SUPPORT); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_START_ASADMIN, SETTING_ENABLE_START_AS_ADMIN); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_STREAM_MODE, SETTING_ENABLE_STREAMER_MODE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MONOSPACE, SETTING_ENABLE_MONOSPACE_FONT); //SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LINUX_SUPPORT, SETTING_ENABLE_LINUX_SUBSYSTEM_SUPPORT); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE, SETTING_ENABLE_NETWORK_RESOLVE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE_DOH, SETTING_ENABLE_NETWORK_RESOLVE_DOH); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_INSTANT_TOOLTIPS, SETTING_ENABLE_INSTANT_TOOLTIPS); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_IMAGE_COHERENCY, SETTING_ENABLE_IMAGE_COHERENCY_SUPPORT); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_STAGE2, SETTING_ENABLE_STAGE2); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_SERVICE_STAGE2, SETTING_ENABLE_SERVICE_STAGE2); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ICON_SINGLE_CLICK, SETTING_ICON_SINGLE_CLICK); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_ICON_TOGGLE_VISIBILITY, SETTING_ICON_TOGGLES_VISIBILITY); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_PROPAGATE_CPU_USAGE, SETTING_PROPAGATE_CPU_USAGE); SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_SHOW_ADVANCED_OPTIONS, SETTING_ENABLE_ADVANCED_OPTIONS); if (WindowsVersion >= WINDOWS_10) SetLvItemCheckForSetting(listViewHandle, PHP_OPTIONS_INDEX_PROCESS_MONITOR, SETTING_ENABLE_PROCESS_MONITOR); if (CurrentUserRunPresent) ListView_SetCheckState(listViewHandle, PHP_OPTIONS_INDEX_START_ATLOGON, TRUE); if (PhGetIntegerSetting(SETTING_ENABLE_ADVANCED_OPTIONS)) PhpOptionsShowHideTreeViewItem(FALSE); } static VOID PhpOptionsNotifyChangeCallback( _In_ PVOID Context ) { PhUpdateCachedSettings(); SystemInformer_SaveAllSettings(); PhInvalidateAllProcessNodes(); PhReloadSettingsProcessTreeList(); PhSiNotifyChangeSettings(); //PhReInitializeWindowTheme(PhMainWndHandle); PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackSettingsUpdated), NULL); if (RestartRequired) { if (PhShowMessage2( PhMainWndHandle, TD_YES_BUTTON | TD_NO_BUTTON, TD_INFORMATION_ICON, L"One or more options you have changed requires a restart of System Informer.", L"Do you want to restart System Informer now?" ) == IDYES) { SystemInformer_PrepareForEarlyShutdown(); if (NT_SUCCESS(PhShellProcessHacker( PhMainWndHandle, L"-v -newinstance", SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, PH_SHELL_APP_PROPAGATE_PARAMETERS | PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY, 0, NULL ))) { SystemInformer_Destroy(); } else { SystemInformer_CancelEarlyShutdown(); } } } } VOID PhShowOptionsRestartRequired( _In_ HWND WindowHandle ) { if (PhShowMessage2( PhMainWndHandle, TD_YES_BUTTON | TD_NO_BUTTON, TD_INFORMATION_ICON, L"One or more options you have changed requires a restart of System Informer.", L"Do you want to restart System Informer now?" ) == IDYES) { SystemInformer_PrepareForEarlyShutdown(); if (NT_SUCCESS(PhShellProcessHacker( WindowHandle, L"-v -newinstance", SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, PH_SHELL_APP_PROPAGATE_PARAMETERS | PH_SHELL_APP_PROPAGATE_PARAMETERS_IGNORE_VISIBILITY, 0, NULL ))) { SystemInformer_Destroy(); } else { SystemInformer_CancelEarlyShutdown(); } } } BOOLEAN PhShowOptionsDefaultInstallLocation( _In_ HWND ParentWindowHandle, _In_ PCWSTR Message ) { RTL_ELEVATION_FLAGS flags; // Warn the user when we're not installed into secure location. (dmex) if (NT_SUCCESS(RtlQueryElevationFlags(&flags)) && flags.ElevationEnabled) { PPH_STRING applicationFileName; PPH_STRING programFilesPath; if (applicationFileName = PhGetApplicationFileNameWin32()) { if (programFilesPath = PhExpandEnvironmentStringsZ(L"%ProgramFiles%\\")) { if (!PhStartsWithString(applicationFileName, programFilesPath, TRUE)) { if (PhShowMessage2( ParentWindowHandle, TD_YES_BUTTON | TD_NO_BUTTON, TD_WARNING_ICON, L"WARNING: You have not installed System Informer into a secure location.", L"%s is not recommended when running System Informer from outside a secure location (e.g. Program Files).\r\n\r\nAre you sure you want to continue?", Message ) == IDNO) { PhDereferenceObject(programFilesPath); PhDereferenceObject(applicationFileName); return FALSE; } } PhDereferenceObject(programFilesPath); } PhDereferenceObject(applicationFileName); } } return TRUE; } static VOID PhpAdvancedPageSave( _In_ HWND hwndDlg ) { HWND listViewHandle; ULONG sampleCount; listViewHandle = GetDlgItem(hwndDlg, IDC_SETTINGS); sampleCount = PhGetDialogItemValue(hwndDlg, IDC_SAMPLECOUNT); SetSettingForDlgItemCheckRestartRequired(hwndDlg, IDC_SAMPLECOUNTAUTOMATIC, SETTING_SAMPLE_COUNT_AUTOMATIC); if (sampleCount == 0) sampleCount = 1; if (sampleCount != PhGetIntegerSetting(SETTING_SAMPLE_COUNT)) RestartRequired = TRUE; PhSetIntegerSetting(SETTING_SAMPLE_COUNT, sampleCount); PhSetStringSetting2(SETTING_SEARCH_ENGINE, &PhaGetDlgItemText(hwndDlg, IDC_SEARCHENGINE)->sr); PhSetStringSetting2(SETTING_PROGRAM_INSPECT_EXECUTABLES, &PhaGetDlgItemText(hwndDlg, IDC_PEVIEWER)->sr); PhSetIntegerSetting(SETTING_MAX_SIZE_UNIT, PhMaxSizeUnit = ComboBox_GetCurSel(GetDlgItem(hwndDlg, IDC_MAXSIZEUNIT))); PhSetIntegerSetting(SETTING_ICON_PROCESSES, PhGetDialogItemValue(hwndDlg, IDC_ICONPROCESSES)); if (!PhEqualString(PhaGetDlgItemText(hwndDlg, IDC_DBGHELPSEARCHPATH), PhaGetStringSetting(SETTING_DBGHELP_SEARCH_PATH), TRUE)) { PhSetStringSetting2(SETTING_DBGHELP_SEARCH_PATH, &PhaGetDlgItemText(hwndDlg, IDC_DBGHELPSEARCHPATH)->sr); RestartRequired = TRUE; } // When changing driver enabled setting, it only makes sense to require a restart if we're // already elevated. If we're not elevated and asked to restart, we would not connect to the // driver and the user has to elevate (restart) again anyway. (jxy-s) if (PhGetOwnTokenAttributes().Elevated) { SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_DRIVER, SETTING_KSI_ENABLE); } else { SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_DRIVER, SETTING_KSI_ENABLE); } SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_SINGLE_INSTANCE, SETTING_ALLOW_ONLY_ONE_INSTANCE); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_HIDE_WHENCLOSED, SETTING_HIDE_ON_CLOSE); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_HIDE_WHENMINIMIZED, SETTING_HIDE_ON_MINIMIZE); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_START_HIDDEN, SETTING_START_HIDDEN); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MINIINFO_WINDOW, SETTING_MINI_INFO_WINDOW_ENABLED); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MEMSTRINGS_TREE, SETTING_ENABLE_MEM_STRINGS_TREE_DIALOG); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LASTTAB_SUPPORT, SETTING_MAIN_WINDOW_TAB_RESTORE_ENABLED); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_WARNINGS, SETTING_ENABLE_WARNINGS); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_PLUGINS, SETTING_ENABLE_PLUGINS); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_UNDECORATE_SYMBOLS, SETTING_DBGHELP_UNDECORATE); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_AVX_EXTENSIONS, SETTING_ENABLE_AVX_SUPPORT); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_COLUMN_HEADER_TOTALS, SETTING_TREE_LIST_ENABLE_HEADER_TOTALS); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_GRAPH_SCALING, SETTING_ENABLE_GRAPH_MAX_SCALE); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_CYCLE_CPU_USAGE, SETTING_ENABLE_CYCLE_CPU_USAGE); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LOW_LATENCY_MODE, SETTING_ENABLE_HIGH_RESOLUTION_PROVIDER_TIMER); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_THEME_SUPPORT, SETTING_ENABLE_THEME_SUPPORT); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_START_ASADMIN, SETTING_ENABLE_START_AS_ADMIN); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_STREAM_MODE, SETTING_ENABLE_STREAMER_MODE); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_MONOSPACE, SETTING_ENABLE_MONOSPACE_FONT); //SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_LINUX_SUPPORT, SETTING_ENABLE_LINUX_SUBSYSTEM_SUPPORT); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE, SETTING_ENABLE_NETWORK_RESOLVE); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_NETWORK_RESOLVE_DOH, SETTING_ENABLE_NETWORK_RESOLVE_DOH); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_INSTANT_TOOLTIPS, SETTING_ENABLE_INSTANT_TOOLTIPS); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_IMAGE_COHERENCY, SETTING_ENABLE_IMAGE_COHERENCY_SUPPORT); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_STAGE2, SETTING_ENABLE_STAGE2); SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_ENABLE_SERVICE_STAGE2, SETTING_ENABLE_SERVICE_STAGE2); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ICON_SINGLE_CLICK, SETTING_ICON_SINGLE_CLICK); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_ICON_TOGGLE_VISIBILITY, SETTING_ICON_TOGGLES_VISIBILITY); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_PROPAGATE_CPU_USAGE, SETTING_PROPAGATE_CPU_USAGE); SetSettingForLvItemCheck(listViewHandle, PHP_OPTIONS_INDEX_SHOW_ADVANCED_OPTIONS, SETTING_ENABLE_ADVANCED_OPTIONS); if (WindowsVersion >= WINDOWS_10) SetSettingForLvItemCheckRestartRequired(listViewHandle, PHP_OPTIONS_INDEX_PROCESS_MONITOR, SETTING_ENABLE_PROCESS_MONITOR); if (PhGetIntegerSetting(SETTING_ENABLE_THEME_SUPPORT)) // PhGetIntegerSetting required (dmex) { PhSetIntegerSetting(SETTING_GRAPH_COLOR_MODE, 1); // HACK switch to dark theme. (dmex) } WriteCurrentUserRun( ListView_GetCheckState(listViewHandle, PHP_OPTIONS_INDEX_START_ATLOGON) == BST_CHECKED, ListView_GetCheckState(listViewHandle, PHP_OPTIONS_INDEX_START_HIDDEN) == BST_CHECKED ); SystemInformer_Invoke(PhpOptionsNotifyChangeCallback, NULL); } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhpElevateAdvancedThreadStart( _In_ PVOID Parameter ) { PPH_STRING arguments; arguments = Parameter; PhShellProcessHacker( WindowHandleForElevate, arguments->Buffer, SW_SHOW, PH_SHELL_EXECUTE_ADMIN, PH_SHELL_APP_PROPAGATE_PARAMETERS, INFINITE, NULL ); PhDereferenceObject(arguments); PostMessage(WindowHandleForElevate, WM_PH_CHILD_EXIT, 0, 0); return STATUS_SUCCESS; } UINT_PTR CALLBACK PhpChooseFontDlgHookProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhCenterWindow(hwndDlg, PhOptionsWindowHandle); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } INT_PTR CALLBACK PhpOptionsGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { static PH_LAYOUT_MANAGER LayoutManager; static HWND ListViewHandle = NULL; switch (uMsg) { case WM_INITDIALOG: { HWND comboBoxHandle; ULONG i; LOGFONT font; comboBoxHandle = GetDlgItem(hwndDlg, IDC_MAXSIZEUNIT); ListViewHandle = GetDlgItem(hwndDlg, IDC_SETTINGS); PhpOptionsSetImageList(ListViewHandle, FALSE); PhInitializeLayoutManager(&LayoutManager, hwndDlg); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_SEARCHENGINE), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_PEVIEWER), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&LayoutManager, ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_DBGHELPSEARCHPATH), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhSetListViewStyle(ListViewHandle, FALSE, TRUE); ListView_SetExtendedListViewStyleEx(ListViewHandle, LVS_EX_CHECKBOXES, LVS_EX_CHECKBOXES); PhSetControlTheme(ListViewHandle, L"explorer"); PhAddListViewColumn(ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 250, L"Name"); PhSetExtendedListView(ListViewHandle); for (i = 0; i < RTL_NUMBER_OF(PhSizeUnitNames); i++) ComboBox_AddString(comboBoxHandle, PhSizeUnitNames[i]); if (PhMaxSizeUnit != ULONG_MAX) ComboBox_SetCurSel(comboBoxHandle, PhMaxSizeUnit); else ComboBox_SetCurSel(comboBoxHandle, RTL_NUMBER_OF(PhSizeUnitNames) - 1); PhSetDialogItemText(hwndDlg, IDC_SEARCHENGINE, PhaGetStringSetting(SETTING_SEARCH_ENGINE)->Buffer); PhSetDialogItemText(hwndDlg, IDC_PEVIEWER, PhaGetStringSetting(SETTING_PROGRAM_INSPECT_EXECUTABLES)->Buffer); PhSetDialogItemValue(hwndDlg, IDC_ICONPROCESSES, PhGetIntegerSetting(SETTING_ICON_PROCESSES), FALSE); PhSetDialogItemText(hwndDlg, IDC_DBGHELPSEARCHPATH, PhaGetStringSetting(SETTING_DBGHELP_SEARCH_PATH)->Buffer); ReadCurrentUserRun(); // Set the font of the button for a nice preview. if (GetCurrentFont(&font)) { CurrentFontInstance = CreateFontIndirect(&font); if (CurrentFontInstance) { SetWindowFont(OptionsTreeControl, CurrentFontInstance, TRUE); // HACK SetWindowFont(ListViewHandle, CurrentFontInstance, TRUE); SetWindowFont(GetDlgItem(hwndDlg, IDC_FONT), CurrentFontInstance, TRUE); } } if (GetCurrentFontMonospace(&font)) { CurrentFontMonospaceInstance = CreateFontIndirect(&font); if (CurrentFontMonospaceInstance) { SetWindowFont(GetDlgItem(hwndDlg, IDC_FONTMONOSPACE), CurrentFontMonospaceInstance, TRUE); } } GeneralListViewStateInitializing = TRUE; PhpAdvancedPageLoad(hwndDlg, FALSE); PhpRefreshTaskManagerState(hwndDlg); GeneralListViewStateInitializing = FALSE; } break; case WM_DESTROY: { if (NewFontSelection) { PhSetStringSetting2(SETTING_FONT, &NewFontSelection->sr); } if (NewFontMonospaceSelection) { PhSetStringSetting2(SETTING_FONT_MONOSPACE, &NewFontMonospaceSelection->sr); } if (NewFontSelection || NewFontMonospaceSelection) { SystemInformer_UpdateFont(); } if (CurrentFontInstance) DeleteFont(CurrentFontInstance); if (CurrentFontMonospaceInstance) DeleteFont(CurrentFontMonospaceInstance); PhClearReference(&NewFontSelection); PhClearReference(&NewFontMonospaceSelection); PhClearReference(&OldTaskMgrDebugger); PhDeleteLayoutManager(&LayoutManager); } break; case WM_DPICHANGED_AFTERPARENT: { PhLayoutManagerUpdate(&LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&LayoutManager); PhpOptionsSetImageList(ListViewHandle, FALSE); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_FONT: { LOGFONT font; CHOOSEFONT chooseFont; if (!GetCurrentFont(&font)) { // Can't get LOGFONT from the existing setting, probably // because the user hasn't ever chosen a font before. // Set the font to something familiar. GetObject(SystemInformer_GetFont(), sizeof(LOGFONT), &font); } memset(&chooseFont, 0, sizeof(CHOOSEFONT)); chooseFont.lStructSize = sizeof(CHOOSEFONT); chooseFont.hwndOwner = hwndDlg; chooseFont.lpfnHook = PhpChooseFontDlgHookProc; chooseFont.lpLogFont = &font; chooseFont.Flags = CF_FORCEFONTEXIST | CF_INITTOLOGFONTSTRUCT | CF_ENABLEHOOK | CF_SCREENFONTS; if (ChooseFont(&chooseFont)) { PhMoveReference(&NewFontSelection, PhBufferToHexString((PUCHAR)&font, sizeof(LOGFONT))); // Update the button's font. if (CurrentFontInstance) DeleteFont(CurrentFontInstance); CurrentFontInstance = CreateFontIndirect(&font); SetWindowFont(OptionsTreeControl, CurrentFontInstance, TRUE); // HACK SetWindowFont(GetDlgItem(hwndDlg, IDC_SETTINGS), CurrentFontInstance, TRUE); SetWindowFont(GetDlgItem(hwndDlg, IDC_FONT), CurrentFontInstance, TRUE); // Re-add the listview items for the new font (dmex) GeneralListViewStateInitializing = TRUE; ExtendedListView_SetRedraw(ListViewHandle, FALSE); ListView_DeleteAllItems(ListViewHandle); PhpAdvancedPageLoad(hwndDlg, FALSE); ExtendedListView_SetRedraw(ListViewHandle, TRUE); GeneralListViewStateInitializing = FALSE; RestartRequired = TRUE; // HACK: Fix ToolStatus plugin toolbar resize on font change } } break; case IDC_FONTMONOSPACE: { LOGFONT font; CHOOSEFONT chooseFont; if (!GetCurrentFontMonospace(&font)) { // Can't get LOGFONT from the existing setting, probably // because the user hasn't ever chosen a font before. // Set the font to something familiar. //GetObject(SystemInformer_GetFont(), sizeof(LOGFONT), &font); GetObject(PhMonospaceFont, sizeof(LOGFONT), &font); } memset(&chooseFont, 0, sizeof(CHOOSEFONT)); chooseFont.lStructSize = sizeof(CHOOSEFONT); chooseFont.hwndOwner = hwndDlg; chooseFont.lpfnHook = PhpChooseFontDlgHookProc; chooseFont.lpLogFont = &font; chooseFont.Flags = CF_FORCEFONTEXIST | CF_INITTOLOGFONTSTRUCT | CF_ENABLEHOOK | CF_SCREENFONTS | CF_FIXEDPITCHONLY; if (ChooseFont(&chooseFont)) { PhMoveReference(&NewFontMonospaceSelection, PhBufferToHexString((PUCHAR)&font, sizeof(LOGFONT))); // Update the button's font. if (CurrentFontMonospaceInstance) DeleteFont(CurrentFontMonospaceInstance); CurrentFontMonospaceInstance = CreateFontIndirect(&font); SetWindowFont(GetDlgItem(hwndDlg, IDC_FONTMONOSPACE), CurrentFontMonospaceInstance, TRUE); // Re-add the listview items for the new font (dmex) GeneralListViewStateInitializing = TRUE; ExtendedListView_SetRedraw(ListViewHandle, FALSE); ListView_DeleteAllItems(ListViewHandle); PhpAdvancedPageLoad(hwndDlg, FALSE); ExtendedListView_SetRedraw(ListViewHandle, TRUE); GeneralListViewStateInitializing = FALSE; RestartRequired = TRUE; // HACK: Fix ToolStatus plugin toolbar resize on font change } } break; case IDC_REPLACETASKMANAGER: { WindowHandleForElevate = hwndDlg; PhCreateThread2(PhpElevateAdvancedThreadStart, PhFormatString( L"-showoptions -hwnd %Ix", (ULONG_PTR)PhOptionsWindowHandle // GetParent(GetParent(hwndDlg)) )); } break; case IDC_SAMPLECOUNTAUTOMATIC: { EnableWindow(GetDlgItem(hwndDlg, IDC_SAMPLECOUNT), Button_GetCheck(GetDlgItem(hwndDlg, IDC_SAMPLECOUNTAUTOMATIC)) != BST_CHECKED); } break; } } break; case WM_PH_CHILD_EXIT: { PhpRefreshTaskManagerState(hwndDlg); } break; case WM_SIZE: { PhLayoutManagerLayout(&LayoutManager); } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case NM_CLICK: case NM_DBLCLK: { LPNMITEMACTIVATE itemActivate = (LPNMITEMACTIVATE)header; LVHITTESTINFO lvHitInfo; lvHitInfo.pt = itemActivate->ptAction; if (ListView_HitTest(ListViewHandle, &lvHitInfo) != -1) { // Ignore click notifications for the listview checkbox region. if (!(lvHitInfo.flags & LVHT_ONITEMSTATEICON)) { BOOLEAN itemChecked; // Emulate the checkbox control label click behavior and check/uncheck the checkbox when the listview item is clicked. itemChecked = ListView_GetCheckState(ListViewHandle, itemActivate->iItem) == BST_CHECKED; ListView_SetCheckState(ListViewHandle, itemActivate->iItem, !itemChecked); } } } break; case LVN_ITEMCHANGING: { LPNM_LISTVIEW listView = (LPNM_LISTVIEW)lParam; if (listView->uChanged & LVIF_STATE) { if (GeneralListViewStateInitializing) break; switch (listView->uNewState & LVIS_STATEIMAGEMASK) { case INDEXTOSTATEIMAGEMASK(2): // checked { switch (listView->iItem) { case PHP_OPTIONS_INDEX_HIDE_WHENCLOSED: case PHP_OPTIONS_INDEX_HIDE_WHENMINIMIZED: case PHP_OPTIONS_INDEX_START_HIDDEN: { if (!PhNfIconsEnabled()) { PhShowInformation2( PhOptionsWindowHandle, L"Unable to configure this option.", L"%s", L"You need to enable at minimum one tray icon (View menu > Tray Icons) before enabling the hide option." ); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, TRUE); return TRUE; } } break; case PHP_OPTIONS_INDEX_ENABLE_START_ASADMIN: { PPH_STRING applicationFileName; if (!PhGetOwnTokenAttributes().Elevated) { PhShowInformation2( PhOptionsWindowHandle, L"Unable to enable option start as admin.", L"%s", L"You need to enable this option with administrative privileges." ); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, TRUE); return TRUE; } if (applicationFileName = PhGetApplicationFileNameWin32()) { static const PH_STRINGREF separator = PH_STRINGREF_INIT(L"\""); HRESULT status; PPH_STRING quotedFileName; if (!PhShowOptionsDefaultInstallLocation(PhOptionsWindowHandle, L"Enabling the 'start as admin' option")) { SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, TRUE); return TRUE; } quotedFileName = PH_AUTO(PhConcatStringRef3( &separator, &applicationFileName->sr, &separator )); status = PhCreateAdminTask( &SI_RUNAS_ADMIN_TASK_NAME, "edFileName->sr ); if (FAILED(status)) { PhShowStatus( PhOptionsWindowHandle, L"Unable to enable start as admin.", 0, HRESULT_CODE(status) ); PhDereferenceObject(applicationFileName); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, TRUE); return TRUE; } PhDereferenceObject(applicationFileName); } } break; } } break; } } } break; case LVN_ITEMCHANGED: { LPNM_LISTVIEW listView = (LPNM_LISTVIEW)lParam; if (listView->uChanged & LVIF_STATE) { if (GeneralListViewStateInitializing) break; switch (listView->uNewState & LVIS_STATEIMAGEMASK) { case INDEXTOSTATEIMAGEMASK(2): // checked { switch (listView->iItem) { case PHP_OPTIONS_INDEX_SHOW_ADVANCED_OPTIONS: { PhSetIntegerSetting(SETTING_ENABLE_ADVANCED_OPTIONS, TRUE); PhpOptionsShowHideTreeViewItem(FALSE); } break; case PHP_OPTIONS_INDEX_ENABLE_START_ASADMIN: break; } } break; case INDEXTOSTATEIMAGEMASK(1): // unchecked { switch (listView->iItem) { case PHP_OPTIONS_INDEX_SHOW_ADVANCED_OPTIONS: { PhSetIntegerSetting(SETTING_ENABLE_ADVANCED_OPTIONS, FALSE); PhpOptionsShowHideTreeViewItem(TRUE); } break; case PHP_OPTIONS_INDEX_ENABLE_START_ASADMIN: { if (PhGetIntegerSetting(SETTING_ENABLE_START_AS_ADMIN)) { PhDeleteAdminTask(&SI_RUNAS_ADMIN_TASK_NAME); } } break; } } break; } } } break; } } break; //case WM_CTLCOLORSTATIC: // { // static HFONT BoldFont = NULL; // leak // HWND control = (HWND)lParam; // HDC hdc = (HDC)wParam; // // if (GetDlgCtrlID(control) == IDC_DEFSTATE) // { // if (!BoldFont) // BoldFont = PhDuplicateFontWithNewWeight(GetWindowFont(control), FW_BOLD); // // SetBkMode(hdc, TRANSPARENT); // // if (!PhpIsDefaultTaskManager()) // { // SelectFont(hdc, BoldFont); // } // } // } // break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } static INT_PTR CALLBACK PhpOptionsAdvancedEditDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { static PH_LAYOUT_MANAGER LayoutManager; switch (uMsg) { case WM_INITDIALOG: { PPH_SETTING setting = (PPH_SETTING)lParam; PhSetApplicationWindowIcon(hwndDlg); PhSetWindowText(hwndDlg, L"Setting Editor"); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, setting); PhInitializeLayoutManager(&LayoutManager, hwndDlg); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_NAME), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_VALUE), NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDCANCEL), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhSetDialogItemText(hwndDlg, IDC_NAME, setting->Name.Buffer); PhSetDialogItemText(hwndDlg, IDC_VALUE, PH_AUTO_T(PH_STRING, PhSettingToString(setting->Type, setting))->Buffer); EnableWindow(GetDlgItem(hwndDlg, IDC_NAME), FALSE); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDCANCEL)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteLayoutManager(&LayoutManager); } break; case WM_DPICHANGED_AFTERPARENT: { PhLayoutManagerUpdate(&LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&LayoutManager); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { PPH_SETTING setting = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PPH_STRING settingValue = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_VALUE))); if (!PhSettingFromString( setting->Type, &settingValue->sr, settingValue, setting )) { PhSettingFromString( setting->Type, &setting->DefaultValue, NULL, setting ); } PhReloadGeneralSection(); EndDialog(hwndDlg, IDOK); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } #pragma region Plugin TreeList #define WM_PH_OPTIONS_ADVANCED (WM_APP + 451) typedef struct _PH_OPTIONS_ADVANCED_CONTEXT { PH_LAYOUT_MANAGER LayoutManager; HWND WindowHandle; HWND TreeNewHandle; HWND SearchBoxHandle; union { ULONG Flags; struct { ULONG HideModified : 1; ULONG HideDefault : 1; ULONG HighlightModified : 1; ULONG HighlightDefault : 1; ULONG Spare : 28; }; }; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; PH_TN_FILTER_SUPPORT TreeFilterSupport; PPH_TN_FILTER_ENTRY TreeFilterEntry; PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; ULONG_PTR SearchMatchHandle; } PH_OPTIONS_ADVANCED_CONTEXT, *PPH_OPTIONS_ADVANCED_CONTEXT; typedef enum _PH_OPTIONS_ADVANCED_TREE_ITEM_MENU { PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIDE_MODIFIED = 1, PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIDE_DEFAULT, PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIGHLIGHT_MODIFIED, PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIGHLIGHT_DEFAULT, } PH_OPTIONS_ADVANCED_ITEM_MENU; typedef enum _PH_OPTIONS_ADVANCED_COLUMN_ITEM { PH_OPTIONS_ADVANCED_COLUMN_ITEM_NAME, PH_OPTIONS_ADVANCED_COLUMN_ITEM_TYPE, PH_OPTIONS_ADVANCED_COLUMN_ITEM_VALUE, PH_OPTIONS_ADVANCED_COLUMN_ITEM_DEFAULT, PH_OPTIONS_ADVANCED_COLUMN_ITEM_MAXIMUM } PH_OPTIONS_ADVANCED_COLUMN_ITEM; typedef struct _PH_OPTIONS_ADVANCED_ROOT_NODE { PH_TREENEW_NODE Node; PH_SETTING_TYPE Type; PPH_SETTING Setting; PPH_STRING Name; PPH_STRING ValueString; PPH_STRING DefaultString; PH_STRINGREF TextCache[PH_OPTIONS_ADVANCED_COLUMN_ITEM_MAXIMUM]; } PH_OPTIONS_ADVANCED_ROOT_NODE, *PPH_OPTIONS_ADVANCED_ROOT_NODE; #define SORT_FUNCTION(Column) OptionsAdvancedTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static long __cdecl OptionsAdvancedTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_OPTIONS_ADVANCED_ROOT_NODE node1 = *(PPH_OPTIONS_ADVANCED_ROOT_NODE*)_elem1; \ PPH_OPTIONS_ADVANCED_ROOT_NODE node2 = *(PPH_OPTIONS_ADVANCED_ROOT_NODE*)_elem2; \ LONG sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Node.Index, (ULONG_PTR)node2->Node.Index); \ \ return PhModifySort(sortResult, ((PPH_OPTIONS_ADVANCED_CONTEXT)_context)->TreeNewSortOrder); \ } BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareString(node1->Name, node2->Name, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Type) { sortResult = uintcmp(node1->Type, node2->Type); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Value) { sortResult = PhCompareString(node1->ValueString, node2->ValueString, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Default) { sortResult = PhCompareString(node1->DefaultString, node2->DefaultString, TRUE); } END_SORT_FUNCTION VOID OptionsAdvancedLoadSettingsTreeList( _Inout_ PPH_OPTIONS_ADVANCED_CONTEXT Context ) { PPH_STRING settings; settings = PhGetStringSetting(SETTING_OPTIONS_WINDOW_ADVANCED_COLUMNS); Context->Flags = PhGetIntegerSetting(SETTING_OPTIONS_WINDOW_ADVANCED_FLAGS); PhCmLoadSettings(Context->TreeNewHandle, &settings->sr); PhDereferenceObject(settings); } VOID OptionsAdvancedSaveSettingsTreeList( _Inout_ PPH_OPTIONS_ADVANCED_CONTEXT Context ) { PPH_STRING settings; settings = PhCmSaveSettings(Context->TreeNewHandle); PhSetStringSetting2(SETTING_OPTIONS_WINDOW_ADVANCED_COLUMNS, &settings->sr); PhSetIntegerSetting(SETTING_OPTIONS_WINDOW_ADVANCED_FLAGS, Context->Flags); PhDereferenceObject(settings); } VOID OptionsAdvancedSetOptionsTreeList( _Inout_ PPH_OPTIONS_ADVANCED_CONTEXT Context, _In_ ULONG Options ) { switch (Options) { case PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIDE_MODIFIED: Context->HideModified = !Context->HideModified; break; case PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIDE_DEFAULT: Context->HideDefault = !Context->HideDefault; break; case PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIGHLIGHT_MODIFIED: Context->HighlightModified = !Context->HighlightModified; break; case PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIGHLIGHT_DEFAULT: Context->HighlightDefault = !Context->HighlightDefault; break; } } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN OptionsAdvancedNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_OPTIONS_ADVANCED_ROOT_NODE node1 = *(PPH_OPTIONS_ADVANCED_ROOT_NODE*)Entry1; PPH_OPTIONS_ADVANCED_ROOT_NODE node2 = *(PPH_OPTIONS_ADVANCED_ROOT_NODE*)Entry2; return PhEqualStringRef(&node1->Name->sr, &node2->Name->sr, TRUE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG OptionsAdvancedNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashStringRefEx(&(*(PPH_OPTIONS_ADVANCED_ROOT_NODE*)Entry)->Name->sr, TRUE, PH_STRING_HASH_X65599); } VOID DestroyOptionsAdvancedNode( _In_ PPH_OPTIONS_ADVANCED_ROOT_NODE Node ) { PhClearReference(&Node->Name); PhClearReference(&Node->ValueString); PhClearReference(&Node->DefaultString); PhFree(Node); } PPH_OPTIONS_ADVANCED_ROOT_NODE AddOptionsAdvancedNode( _Inout_ PPH_OPTIONS_ADVANCED_CONTEXT Context, _In_ PPH_SETTING Setting ) { PPH_OPTIONS_ADVANCED_ROOT_NODE node; node = PhAllocate(sizeof(PH_OPTIONS_ADVANCED_ROOT_NODE)); memset(node, 0, sizeof(PH_OPTIONS_ADVANCED_ROOT_NODE)); PhInitializeTreeNewNode(&node->Node); memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PH_OPTIONS_ADVANCED_COLUMN_ITEM_MAXIMUM); node->Node.TextCache = node->TextCache; node->Node.TextCacheSize = PH_OPTIONS_ADVANCED_COLUMN_ITEM_MAXIMUM; node->Setting = Setting; node->Type = Setting->Type; node->Name = PhCreateString2(&Setting->Name); node->ValueString = PhSettingToString(Setting->Type, Setting); node->DefaultString = PhCreateString2(&Setting->DefaultValue); PhAddEntryHashtable(Context->NodeHashtable, &node); PhAddItemList(Context->NodeList, node); if (Context->TreeFilterSupport.FilterList) node->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->TreeFilterSupport, &node->Node); return node; } PPH_OPTIONS_ADVANCED_ROOT_NODE FindOptionsAdvancedNode( _In_ PPH_OPTIONS_ADVANCED_CONTEXT Context, _In_ PPH_STRING Name ) { PH_OPTIONS_ADVANCED_ROOT_NODE lookupPluginsNode; PPH_OPTIONS_ADVANCED_ROOT_NODE lookupPluginsNodePtr = &lookupPluginsNode; PPH_OPTIONS_ADVANCED_ROOT_NODE* pluginsNode; lookupPluginsNode.Name = Name; pluginsNode = (PPH_OPTIONS_ADVANCED_ROOT_NODE*)PhFindEntryHashtable( Context->NodeHashtable, &lookupPluginsNodePtr ); if (pluginsNode) return *pluginsNode; else return NULL; } VOID RemoveOptionsAdvancedNode( _In_ PPH_OPTIONS_ADVANCED_CONTEXT Context, _In_ PPH_OPTIONS_ADVANCED_ROOT_NODE Node ) { ULONG index = 0; PhRemoveEntryHashtable(Context->NodeHashtable, &Node); if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) { PhRemoveItemList(Context->NodeList, index); } DestroyOptionsAdvancedNode(Node); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID UpdateOptionsAdvancedNode( _In_ PPH_OPTIONS_ADVANCED_CONTEXT Context, _In_ PPH_OPTIONS_ADVANCED_ROOT_NODE Node ) { memset(Node->TextCache, 0, sizeof(PH_STRINGREF) * PH_OPTIONS_ADVANCED_COLUMN_ITEM_MAXIMUM); PhInvalidateTreeNewNode(&Node->Node, TN_CACHE_COLOR); TreeNew_NodesStructured(Context->TreeNewHandle); } BOOLEAN NTAPI OptionsAdvancedTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_OPTIONS_ADVANCED_CONTEXT context = Context; PPH_OPTIONS_ADVANCED_ROOT_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_OPTIONS_ADVANCED_ROOT_NODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Name), SORT_FUNCTION(Type), SORT_FUNCTION(Value), SORT_FUNCTION(Default), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; if (context->TreeNewSortColumn < PH_OPTIONS_ADVANCED_COLUMN_ITEM_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE*)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = (PPH_TREENEW_IS_LEAF)Parameter1; node = (PPH_OPTIONS_ADVANCED_ROOT_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPH_OPTIONS_ADVANCED_ROOT_NODE)getCellText->Node; switch (getCellText->Id) { case PH_OPTIONS_ADVANCED_COLUMN_ITEM_NAME: getCellText->Text = PhGetStringRef(node->Name); break; case PH_OPTIONS_ADVANCED_COLUMN_ITEM_TYPE: { switch (node->Type) { case StringSettingType: PhInitializeStringRef(&getCellText->Text, L"String"); break; case IntegerSettingType: PhInitializeStringRef(&getCellText->Text, L"Integer"); break; case IntegerPairSettingType: PhInitializeStringRef(&getCellText->Text, L"IntegerPair"); break; case ScalableIntegerPairSettingType: PhInitializeStringRef(&getCellText->Text, L"ScalableIntegerPair"); break; } } break; case PH_OPTIONS_ADVANCED_COLUMN_ITEM_VALUE: getCellText->Text = PhGetStringRef(node->ValueString); break; case PH_OPTIONS_ADVANCED_COLUMN_ITEM_DEFAULT: getCellText->Text = PhGetStringRef(node->DefaultString); break; default: return FALSE; } //getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; node = (PPH_OPTIONS_ADVANCED_ROOT_NODE)getNodeColor->Node; switch (node->Type) { case StringSettingType: case IntegerPairSettingType: case ScalableIntegerPairSettingType: { if (PhEqualString(node->DefaultString, node->ValueString, TRUE)) { if (context->HighlightDefault) { getNodeColor->BackColor = PhCsColorServiceProcesses; } } else { if (context->HighlightModified) { getNodeColor->BackColor = PhCsColorSystemProcesses; } } } break; case IntegerSettingType: { ULONG64 integer; if (PhStringToInteger64(&node->DefaultString->sr, 16, &integer)) { if (node->Setting->u.Integer == (ULONG)integer) { if (context->HighlightDefault) { getNodeColor->BackColor = PhCsColorServiceProcesses; } } else { if (context->HighlightModified) { getNodeColor->BackColor = PhCsColorSystemProcesses; } } } } break; } getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(hwnd); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->WindowHandle, WM_COMMAND, IDC_COPY, 0); break; } } return TRUE; case TreeNewLeftDoubleClick: { PPH_TREENEW_MOUSE_EVENT mouseEvent = Parameter1; SendMessage(context->WindowHandle, WM_COMMAND, WM_PH_OPTIONS_ADVANCED, (LPARAM)mouseEvent); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; SendMessage(context->WindowHandle, WM_CONTEXTMENU, (WPARAM)hwnd, (LPARAM)contextMenuEvent); } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = hwnd; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = AscendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, hwnd, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; } return FALSE; } VOID ClearOptionsAdvancedTree( _In_ PPH_OPTIONS_ADVANCED_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) DestroyOptionsAdvancedNode(Context->NodeList->Items[i]); PhClearHashtable(Context->NodeHashtable); PhClearList(Context->NodeList); TreeNew_NodesStructured(Context->TreeNewHandle); } PPH_OPTIONS_ADVANCED_ROOT_NODE GetSelectedOptionsAdvancedNode( _In_ PPH_OPTIONS_ADVANCED_CONTEXT Context ) { PPH_OPTIONS_ADVANCED_ROOT_NODE optionsNode = NULL; for (ULONG i = 0; i < Context->NodeList->Count; i++) { optionsNode = Context->NodeList->Items[i]; if (optionsNode->Node.Selected) return optionsNode; } return NULL; } _Success_(return) BOOLEAN GetSelectedOptionsAdvancedNodes( _In_ PPH_OPTIONS_ADVANCED_CONTEXT Context, _Out_ PPH_OPTIONS_ADVANCED_ROOT_NODE** Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_OPTIONS_ADVANCED_ROOT_NODE node = Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } VOID InitializeOptionsAdvancedTree( _Inout_ PPH_OPTIONS_ADVANCED_CONTEXT Context ) { Context->NodeList = PhCreateList(100); Context->NodeHashtable = PhCreateHashtable( sizeof(PPH_OPTIONS_ADVANCED_ROOT_NODE), OptionsAdvancedNodeHashtableEqualFunction, OptionsAdvancedNodeHashtableHashFunction, 100 ); PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); TreeNew_SetCallback(Context->TreeNewHandle, OptionsAdvancedTreeNewCallback, Context); PhAddTreeNewColumnEx(Context->TreeNewHandle, PH_OPTIONS_ADVANCED_COLUMN_ITEM_NAME, TRUE, L"Name", 200, PH_ALIGN_LEFT, 0, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PH_OPTIONS_ADVANCED_COLUMN_ITEM_TYPE, TRUE, L"Type", 100, PH_ALIGN_LEFT, 1, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PH_OPTIONS_ADVANCED_COLUMN_ITEM_VALUE, TRUE, L"Value", 200, PH_ALIGN_LEFT, 2, 0, TRUE); PhAddTreeNewColumnEx(Context->TreeNewHandle, PH_OPTIONS_ADVANCED_COLUMN_ITEM_DEFAULT, TRUE, L"Default", 200, PH_ALIGN_LEFT, 3, 0, TRUE); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, Context->TreeNewHandle, Context->NodeList); TreeNew_SetTriState(Context->TreeNewHandle, TRUE); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); OptionsAdvancedLoadSettingsTreeList(Context); } VOID DeleteOptionsAdvancedTree( _In_ PPH_OPTIONS_ADVANCED_CONTEXT Context ) { PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); OptionsAdvancedSaveSettingsTreeList(Context); for (ULONG i = 0; i < Context->NodeList->Count; i++) DestroyOptionsAdvancedNode(Context->NodeList->Items[i]); PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } #pragma endregion _Function_class_(PH_SETTINGS_ENUM_CALLBACK) static BOOLEAN PhpOptionsSettingsCallback( _In_ PPH_SETTING Setting, _In_ PVOID Context ) { PPH_OPTIONS_ADVANCED_CONTEXT context = Context; AddOptionsAdvancedNode(context, Setting); return TRUE; } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpOptionsAdvancedTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_ PVOID Context ) { PPH_OPTIONS_ADVANCED_ROOT_NODE node = (PPH_OPTIONS_ADVANCED_ROOT_NODE)Node; PPH_OPTIONS_ADVANCED_CONTEXT context = Context; if (context->HideModified) { switch (node->Type) { case StringSettingType: case IntegerPairSettingType: case ScalableIntegerPairSettingType: { if (PhEqualString(node->DefaultString, node->ValueString, TRUE)) { if (context->HideDefault) { return FALSE; } } else { if (context->HideModified) { return FALSE; } } } break; case IntegerSettingType: { ULONG64 integer; if (PhStringToInteger64(&node->DefaultString->sr, 16, &integer)) { if (node->Setting->u.Integer == (ULONG)integer) { if (context->HideDefault) { return FALSE; } } else { if (context->HideModified) { return FALSE; } } } } break; } } if (context->HideDefault) { switch (node->Type) { case StringSettingType: case IntegerPairSettingType: case ScalableIntegerPairSettingType: { if (PhEqualString(node->DefaultString, node->ValueString, TRUE)) { if (context->HideDefault) { return FALSE; } } else { if (context->HideModified) { return FALSE; } } } break; case IntegerSettingType: { ULONG64 integer; if (PhStringToInteger64(&node->DefaultString->sr, 16, &integer)) { if (node->Setting->u.Integer == (ULONG)integer) { if (context->HideDefault) { return FALSE; } } else { if (context->HideModified) { return FALSE; } } } } break; } } if (!context->SearchMatchHandle) return TRUE; if (PhSearchControlMatch(context->SearchMatchHandle, &node->Name->sr)) return TRUE; if (PhSearchControlMatch(context->SearchMatchHandle, &node->DefaultString->sr)) return TRUE; if (PhSearchControlMatch(context->SearchMatchHandle, &node->ValueString->sr)) return TRUE; return FALSE; } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpOptionsAdvancedSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_OPTIONS_ADVANCED_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatchHandle; if (!context->SearchMatchHandle) { // Expand the nodes? } PhApplyTreeNewFilters(&context->TreeFilterSupport); } INT_PTR CALLBACK PhpOptionsAdvancedDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_OPTIONS_ADVANCED_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PH_OPTIONS_ADVANCED_CONTEXT)); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_SETTINGS); context->SearchBoxHandle = GetDlgItem(hwndDlg, IDC_SEARCH); PhCreateSearchControl( hwndDlg, context->SearchBoxHandle, L"Search settings...", PhpOptionsAdvancedSearchControlCallback, context ); InitializeOptionsAdvancedTree(context); context->TreeFilterEntry = PhAddTreeNewFilter(&context->TreeFilterSupport, PhpOptionsAdvancedTreeFilterCallback, context); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->SearchBoxHandle, NULL, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhEnumSettings(PhpOptionsSettingsCallback, context); TreeNew_NodesStructured(context->TreeNewHandle); } break; case WM_DESTROY: { PhDeleteLayoutManager(&context->LayoutManager); PhRemoveTreeNewFilter(&context->TreeFilterSupport, context->TreeFilterEntry); DeleteOptionsAdvancedTree(context); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_DPICHANGED_AFTERPARENT: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDOK: case IDCANCEL: { DestroyWindow(hwndDlg); } break; case IDC_FILTEROPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM hidemodifiedMenuItem; PPH_EMENU_ITEM hidedefaultMenuItem; PPH_EMENU_ITEM highlightmodifiedMenuItem; PPH_EMENU_ITEM highlightdefaultMenuItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_FILTEROPTIONS), &rect)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, hidemodifiedMenuItem = PhCreateEMenuItem(0, PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIDE_MODIFIED, L"Hide modified", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, hidedefaultMenuItem = PhCreateEMenuItem(0, PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIDE_DEFAULT, L"Hide default", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, highlightmodifiedMenuItem = PhCreateEMenuItem(0, PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIGHLIGHT_MODIFIED, L"Highlight modified", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, highlightdefaultMenuItem = PhCreateEMenuItem(0, PH_OPTIONS_ADVANCED_TREE_ITEM_MENU_HIGHLIGHT_DEFAULT, L"Highlight default", NULL, NULL), ULONG_MAX); if (context->HideModified) hidemodifiedMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HideDefault) hidedefaultMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightModified) highlightmodifiedMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightDefault) highlightdefaultMenuItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id) { OptionsAdvancedSetOptionsTreeList(context, selectedItem->Id); PhApplyTreeNewFilters(&context->TreeFilterSupport); } PhDestroyEMenu(menu); } break; case IDC_REFRESH: { ClearOptionsAdvancedTree(context); PhEnumSettings(PhpOptionsSettingsCallback, context); TreeNew_NodesStructured(context->TreeNewHandle); PhApplyTreeNewFilters(&context->TreeFilterSupport); } break; case WM_PH_OPTIONS_ADVANCED: { PPH_OPTIONS_ADVANCED_ROOT_NODE node; if (node = GetSelectedOptionsAdvancedNode(context)) { PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_EDITENV), hwndDlg, PhpOptionsAdvancedEditDlgProc, node->Setting ); PhMoveReference( &node->ValueString, PhSettingToString(node->Setting->Type, node->Setting) ); TreeNew_NodesStructured(context->TreeNewHandle); } } break; case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(context->TreeNewHandle, 0); PhSetClipboardString(context->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; case IDC_RESET: { PPH_OPTIONS_ADVANCED_ROOT_NODE* nodes; ULONG numberOfNodes; if (!GetSelectedOptionsAdvancedNodes(context, &nodes, &numberOfNodes)) break; for (ULONG i = 0; i < numberOfNodes; i++) { PhSettingFromString( nodes[i]->Setting->Type, &nodes[i]->Setting->DefaultValue, NULL, nodes[i]->Setting ); PhMoveReference( &nodes[i]->ValueString, PhSettingToString(nodes[i]->Setting->Type, nodes[i]->Setting) ); } TreeNew_NodesStructured(context->TreeNewHandle); PhApplyTreeNewFilters(&context->TreeFilterSupport); PhReloadGeneralSection(); } break; } } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->TreeNewHandle) { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_OPTIONS_ADVANCED_ROOT_NODE* nodes; ULONG numberOfNodes; if (!GetSelectedOptionsAdvancedNodes(context, &nodes, &numberOfNodes)) break; if (numberOfNodes != 0) { PPH_EMENU menu; PPH_EMENU_ITEM item; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_RESET, L"&Reset", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, context->TreeNewHandle, contextMenuEvent->Column); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (item) { if (!PhHandleCopyCellEMenuItem(item)) { SendMessage(hwndDlg, WM_COMMAND, item->Id, 0); } } PhDestroyEMenu(menu); } PhFree(nodes); } } break; case WM_NOTIFY: { REFLECT_MESSAGE_DLG(hwndDlg, context->TreeNewHandle, uMsg, wParam, lParam); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } typedef struct _COLOR_ITEM { PCWSTR SettingName; PCWSTR UseSettingName; PCWSTR Name; PCWSTR Description; BOOLEAN CurrentUse; COLORREF CurrentColor; } COLOR_ITEM, *PCOLOR_ITEM; #define COLOR_ITEM(SettingName, Name, Description) { SettingName, L"Use" SettingName, Name, Description } static COLOR_ITEM ColorItems[] = { COLOR_ITEM(SETTING_COLOR_OWN_PROCESSES, L"Own processes", L"Processes running under the same user account as System Informer."), COLOR_ITEM(SETTING_COLOR_SYSTEM_PROCESSES, L"System processes", L"Processes running under the NT AUTHORITY\\SYSTEM user account."), COLOR_ITEM(SETTING_COLOR_SERVICE_PROCESSES, L"Service processes", L"Processes which host one or more services."), COLOR_ITEM(SETTING_COLOR_BACKGROUND_PROCESSES, L"Background processes", L"Processes with a background scheduling priority."), COLOR_ITEM(SETTING_COLOR_JOB_PROCESSES, L"Job processes", L"Processes associated with a job."), #ifdef _WIN64 COLOR_ITEM(SETTING_COLOR_WOW64_PROCESSES, L"32-bit processes", L"Processes running under WOW64, i.e. 32-bit."), #endif COLOR_ITEM(SETTING_COLOR_DEBUGGED_PROCESSES, L"Debugged processes", L"Processes that are currently being debugged."), COLOR_ITEM(SETTING_COLOR_ELEVATED_PROCESSES, L"Elevated processes", L"Processes with full privileges on a system with UAC enabled."), COLOR_ITEM(SETTING_COLOR_UI_ACCESS_PROCESSES, L"UIAccess processes", L"Processes with UIAccess privileges."), COLOR_ITEM(SETTING_COLOR_PICO_PROCESSES, L"Pico processes", L"Processes that belong to the Windows subsystem for Linux."), COLOR_ITEM(SETTING_COLOR_IMMERSIVE_PROCESSES, L"Immersive processes and DLLs", L"Processes and DLLs that belong to a Modern UI app."), COLOR_ITEM(SETTING_COLOR_SUSPENDED, L"Suspended processes and threads", L"Processes and threads that are suspended from execution."), COLOR_ITEM(SETTING_COLOR_PARTIALLY_SUSPENDED, L"Partially suspended processes and threads", L"Processes and threads that are partially suspended from execution."), COLOR_ITEM(SETTING_COLOR_DOT_NET, L".NET processes and DLLs", L".NET (i.e. managed) processes and DLLs."), COLOR_ITEM(SETTING_COLOR_PACKED, L"Packed processes", L"Executables are sometimes \"packed\" to reduce their size."), COLOR_ITEM(SETTING_COLOR_LOW_IMAGE_COHERENCY, L"Low process image coherency", L"The image file backing the process has low coherency when compared to the mapped image."), COLOR_ITEM(SETTING_COLOR_GUI_THREADS, L"GUI threads", L"Threads that have made at least one GUI-related system call."), COLOR_ITEM(SETTING_COLOR_RELOCATED_MODULES, L"Relocated DLLs", L"DLLs that were not loaded at their preferred image bases."), COLOR_ITEM(SETTING_COLOR_PROTECTED_HANDLES, L"Protected handles", L"Handles that are protected from being closed."), COLOR_ITEM(SETTING_COLOR_PROTECTED_PROCESS, L"Protected processes", L"Processes with built-in protection levels."), COLOR_ITEM(SETTING_COLOR_INHERIT_HANDLES, L"Inheritable handles", L"Handles that can be inherited by child processes."), COLOR_ITEM(SETTING_COLOR_HANDLE_FILTERED, L"Filtered processes", L"Processes that are protected by handle object callbacks."), COLOR_ITEM(SETTING_COLOR_UNKNOWN, L"Untrusted DLLs and Services", L"Services and DLLs which are not digitally signed."), COLOR_ITEM(SETTING_COLOR_SERVICE_DISABLED, L"Disabled Services", L"Services which have been disabled."), //COLOR_ITEM(SETTING_COLOR_SERVICE_STOP, L"Stopped Services", L"Services that are not running.") COLOR_ITEM(SETTING_COLOR_EFFICIENCY_MODE, L"Power efficiency", L"Processes and threads with power efficiency."), }; COLORREF NTAPI PhpColorItemColorFunction( _In_ INT Index, _In_ PVOID Param, _In_opt_ PVOID Context ) { PCOLOR_ITEM item = Param; return item->CurrentColor; } UINT_PTR CALLBACK PhpColorDlgHookProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhCenterWindow(hwndDlg, PhOptionsWindowHandle); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } INT_PTR CALLBACK PhpOptionsHighlightingDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { static PH_LAYOUT_MANAGER LayoutManager; switch (uMsg) { case WM_INITDIALOG: { // Highlighting Duration PhSetDialogItemValue(hwndDlg, IDC_HIGHLIGHTINGDURATION, PhCsHighlightingDuration, FALSE); // New Objects ColorBox_SetColor(GetDlgItem(hwndDlg, IDC_NEWOBJECTS), PhCsColorNew); ColorBox_ThemeSupport(GetDlgItem(hwndDlg, IDC_NEWOBJECTS), PhEnableThemeSupport); // Removed Objects ColorBox_SetColor(GetDlgItem(hwndDlg, IDC_REMOVEDOBJECTS), PhCsColorRemoved); ColorBox_ThemeSupport(GetDlgItem(hwndDlg, IDC_REMOVEDOBJECTS), PhEnableThemeSupport); // Highlighting HighlightingListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(HighlightingListViewHandle, FALSE, TRUE); ListView_SetExtendedListViewStyleEx(HighlightingListViewHandle, LVS_EX_CHECKBOXES, LVS_EX_CHECKBOXES); PhAddListViewColumn(HighlightingListViewHandle, 0, 0, 0, LVCFMT_LEFT, 240, L"Name"); PhSetExtendedListView(HighlightingListViewHandle); ExtendedListView_SetItemColorFunction(HighlightingListViewHandle, PhpColorItemColorFunction); for (ULONG i = 0; i < RTL_NUMBER_OF(ColorItems); i++) { INT lvItemIndex; lvItemIndex = PhAddListViewItem(HighlightingListViewHandle, MAXINT, ColorItems[i].Name, &ColorItems[i]); ColorItems[i].CurrentColor = PhGetIntegerSetting(ColorItems[i].SettingName); ColorItems[i].CurrentUse = !!PhGetIntegerSetting(ColorItems[i].UseSettingName); ListView_SetCheckState(HighlightingListViewHandle, lvItemIndex, ColorItems[i].CurrentUse); } PhInitializeLayoutManager(&LayoutManager, hwndDlg); PhAddLayoutItem(&LayoutManager, HighlightingListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_INFO), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT | PH_LAYOUT_FORCE_INVALIDATE); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_ENABLEALL), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); PhAddLayoutItem(&LayoutManager, GetDlgItem(hwndDlg, IDC_DISABLEALL), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); } break; case WM_DESTROY: { PH_SET_INTEGER_CACHED_SETTING(HighlightingDuration, PhGetDialogItemValue(hwndDlg, IDC_HIGHLIGHTINGDURATION)); PH_SET_INTEGER_CACHED_SETTING(ColorNew, ColorBox_GetColor(GetDlgItem(hwndDlg, IDC_NEWOBJECTS))); PH_SET_INTEGER_CACHED_SETTING(ColorRemoved, ColorBox_GetColor(GetDlgItem(hwndDlg, IDC_REMOVEDOBJECTS))); for (ULONG i = 0; i < RTL_NUMBER_OF(ColorItems); i++) { ColorItems[i].CurrentUse = !!ListView_GetCheckState(HighlightingListViewHandle, i); PhSetIntegerSetting(ColorItems[i].SettingName, ColorItems[i].CurrentColor); PhSetIntegerSetting(ColorItems[i].UseSettingName, ColorItems[i].CurrentUse); } PhDeleteLayoutManager(&LayoutManager); } break; case WM_DPICHANGED_AFTERPARENT: { PhLayoutManagerUpdate(&LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&LayoutManager); ExtendedListView_SetColumnWidth(HighlightingListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_ENABLEALL: { for (ULONG i = 0; i < RTL_NUMBER_OF(ColorItems); i++) ListView_SetCheckState(HighlightingListViewHandle, i, TRUE); } break; case IDC_DISABLEALL: { for (ULONG i = 0; i < RTL_NUMBER_OF(ColorItems); i++) ListView_SetCheckState(HighlightingListViewHandle, i, FALSE); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case NM_DBLCLK: { if (header->hwndFrom == HighlightingListViewHandle) { PCOLOR_ITEM item; if (item = PhGetSelectedListViewItemParam(HighlightingListViewHandle)) { CHOOSECOLOR chooseColor; COLORREF customColors[16] = { 0 }; PhLoadCustomColorList(SETTING_OPTIONS_CUSTOM_COLOR_LIST, customColors, RTL_NUMBER_OF(customColors)); memset(&chooseColor, 0, sizeof(CHOOSECOLOR)); chooseColor.lStructSize = sizeof(CHOOSECOLOR); chooseColor.hwndOwner = hwndDlg; chooseColor.rgbResult = item->CurrentColor; chooseColor.lpCustColors = customColors; chooseColor.lpfnHook = PhpColorDlgHookProc; chooseColor.Flags = CC_ANYCOLOR | CC_FULLOPEN | CC_SOLIDCOLOR | CC_ENABLEHOOK | CC_RGBINIT; if (ChooseColor(&chooseColor)) { item->CurrentColor = chooseColor.rgbResult; InvalidateRect(HighlightingListViewHandle, NULL, TRUE); } PhSaveCustomColorList(SETTING_OPTIONS_CUSTOM_COLOR_LIST, customColors, RTL_NUMBER_OF(customColors)); ListView_SetItemState(HighlightingListViewHandle, -1, 0, LVIS_SELECTED); } } } break; case LVN_GETINFOTIP: { if (header->hwndFrom == HighlightingListViewHandle) { NMLVGETINFOTIP *getInfoTip = (NMLVGETINFOTIP *)lParam; PH_STRINGREF tip; PhInitializeStringRefLongHint(&tip, ColorItems[getInfoTip->iItem].Description); PhCopyListViewInfoTip(getInfoTip, &tip); } } break; } REFLECT_MESSAGE_DLG(hwndDlg, HighlightingListViewHandle, uMsg, wParam, lParam); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == HighlightingListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PCOLOR_ITEM ColorItem; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(HighlightingListViewHandle, &point); if (ColorItem = PhGetSelectedListViewItemParam(HighlightingListViewHandle)) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_RESET, L"&Reset", NULL, NULL), ULONG_MAX); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item && item->Id == IDC_RESET) { PH_STRINGREF SettingName; PH_STRINGREF UseSettingName; PPH_SETTING Color; PPH_SETTING UseColor; PhInitializeStringRef(&SettingName, ColorItem->SettingName); PhInitializeStringRef(&UseSettingName, ColorItem->UseSettingName); Color = PhGetSetting(&SettingName); UseColor = PhGetSetting(&UseSettingName); PhSettingFromString(Color->Type, &Color->DefaultValue, NULL, Color); PhSettingFromString(UseColor->Type, &UseColor->DefaultValue, NULL, UseColor); ColorItem->CurrentColor = Color->u.Integer; ColorItem->CurrentUse = !!UseColor->u.Integer; INT index = PhFindListViewItemByParam(HighlightingListViewHandle, INT_ERROR, ColorItem); ListView_SetCheckState(HighlightingListViewHandle, index, ColorItem->CurrentUse); ListView_SetItemState(HighlightingListViewHandle, index, 0, LVIS_SELECTED); } PhDestroyEMenu(menu); } } else if ((HWND)wParam == GetDlgItem(hwndDlg, IDC_NEWOBJECTS) || (HWND)wParam == GetDlgItem(hwndDlg, IDC_REMOVEDOBJECTS)) { POINT point; PPH_EMENU menu; PPH_EMENU item; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_RESET, L"&Reset", NULL, NULL), ULONG_MAX); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item && item->Id == IDC_RESET) { PH_STRINGREF SettingName; PPH_SETTING Color; BOOLEAN setNew = (HWND)wParam == GetDlgItem(hwndDlg, IDC_NEWOBJECTS); PhInitializeStringRef(&SettingName, setNew ? SETTING_COLOR_NEW : SETTING_COLOR_REMOVED); Color = PhGetSetting(&SettingName); PhSettingFromString(Color->Type, &Color->DefaultValue, NULL, Color); ColorBox_SetColor(GetDlgItem(hwndDlg, setNew ? IDC_NEWOBJECTS : IDC_REMOVEDOBJECTS), Color->u.Integer); InvalidateRect(GetDlgItem(hwndDlg, setNew ? IDC_NEWOBJECTS : IDC_REMOVEDOBJECTS), NULL, TRUE); } PhDestroyEMenu(menu); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } static COLOR_ITEM PhpOptionsGraphColorItems[] = { COLOR_ITEM(SETTING_COLOR_CPU_KERNEL, L"CPU kernel", L"CPU kernel"), COLOR_ITEM(SETTING_COLOR_CPU_USER, L"CPU user", L"CPU user"), COLOR_ITEM(SETTING_COLOR_IO_READ_OTHER, L"I/O R+O", L"I/O R+O"), COLOR_ITEM(SETTING_COLOR_IO_WRITE, L"I/O W", L"I/O W"), COLOR_ITEM(SETTING_COLOR_PRIVATE, L"Private bytes", L"Private bytes"), COLOR_ITEM(SETTING_COLOR_PHYSICAL, L"Physical memory", L"Physical memory"), COLOR_ITEM(SETTING_COLOR_POWER_USAGE, L"Power usage", L"Power usage"), COLOR_ITEM(SETTING_COLOR_TEMPERATURE, L"Temperature", L"Temperature"), COLOR_ITEM(SETTING_COLOR_FAN_RPM, L"Fan RPM", L"Fan RPM"), }; static HWND PhpGraphListViewHandle = NULL; INT_PTR CALLBACK PhpOptionsGraphsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { static PH_LAYOUT_MANAGER LayoutManager; switch (uMsg) { case WM_INITDIALOG: { // Show Text SetDlgItemCheckForSetting(hwndDlg, IDC_SHOWTEXT, SETTING_GRAPH_SHOW_TEXT); SetDlgItemCheckForSetting(hwndDlg, IDC_USEOLDCOLORS, SETTING_GRAPH_COLOR_MODE); SetDlgItemCheckForSetting(hwndDlg, IDC_SHOWCOMMITINSUMMARY, SETTING_SHOW_COMMIT_IN_SUMMARY); // Highlighting PhpGraphListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(PhpGraphListViewHandle, FALSE, TRUE); PhAddListViewColumn(PhpGraphListViewHandle, 0, 0, 0, LVCFMT_LEFT, 240, L"Name"); PhSetExtendedListView(PhpGraphListViewHandle); ExtendedListView_SetItemColorFunction(PhpGraphListViewHandle, PhpColorItemColorFunction); for (ULONG i = 0; i < RTL_NUMBER_OF(PhpOptionsGraphColorItems); i++) { INT lvItemIndex = PhAddListViewItem(PhpGraphListViewHandle, MAXINT, PhpOptionsGraphColorItems[i].Name, &PhpOptionsGraphColorItems[i]); PhpOptionsGraphColorItems[i].CurrentColor = PhGetIntegerSetting(PhpOptionsGraphColorItems[i].SettingName); } PhInitializeLayoutManager(&LayoutManager, hwndDlg); PhAddLayoutItem(&LayoutManager, PhpGraphListViewHandle, NULL, PH_ANCHOR_ALL); if (PhGetIntegerSetting(SETTING_GRAPH_COLOR_MODE)) EnableWindow(PhpGraphListViewHandle, TRUE); else if (PhEnableThemeSupport) { ShowWindow(PhpGraphListViewHandle, SW_HIDE); EnableWindow(PhpGraphListViewHandle, TRUE); } } break; case WM_DESTROY: { SetSettingForDlgItemCheck(hwndDlg, IDC_SHOWTEXT, SETTING_GRAPH_SHOW_TEXT); SetSettingForDlgItemCheck(hwndDlg, IDC_USEOLDCOLORS, SETTING_GRAPH_COLOR_MODE); SetSettingForDlgItemCheck(hwndDlg, IDC_SHOWCOMMITINSUMMARY, SETTING_SHOW_COMMIT_IN_SUMMARY); for (ULONG i = 0; i < RTL_NUMBER_OF(PhpOptionsGraphColorItems); i++) { PhSetIntegerSetting(PhpOptionsGraphColorItems[i].SettingName, PhpOptionsGraphColorItems[i].CurrentColor); } PhDeleteLayoutManager(&LayoutManager); } break; case WM_DPICHANGED_AFTERPARENT: { PhLayoutManagerUpdate(&LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&LayoutManager); ExtendedListView_SetColumnWidth(PhpGraphListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_USEOLDCOLORS: { ListView_SetItemState(PhpGraphListViewHandle, -1, 0, LVIS_SELECTED); // deselect all items if (PhEnableThemeSupport) ShowWindow(PhpGraphListViewHandle, Button_GetCheck(GET_WM_COMMAND_HWND(wParam, lParam)) == BST_CHECKED ? SW_SHOW : SW_HIDE); else EnableWindow(PhpGraphListViewHandle, Button_GetCheck(GET_WM_COMMAND_HWND(wParam, lParam)) == BST_CHECKED); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case NM_DBLCLK: { if (header->hwndFrom == PhpGraphListViewHandle) { PCOLOR_ITEM item; if (item = PhGetSelectedListViewItemParam(PhpGraphListViewHandle)) { CHOOSECOLOR chooseColor; COLORREF customColors[16] = { 0 }; PhLoadCustomColorList(SETTING_OPTIONS_CUSTOM_COLOR_LIST, customColors, RTL_NUMBER_OF(customColors)); memset(&chooseColor, 0, sizeof(CHOOSECOLOR)); chooseColor.lStructSize = sizeof(CHOOSECOLOR); chooseColor.hwndOwner = hwndDlg; chooseColor.rgbResult = item->CurrentColor; chooseColor.lpCustColors = customColors; chooseColor.lpfnHook = PhpColorDlgHookProc; chooseColor.Flags = CC_ANYCOLOR | CC_FULLOPEN | CC_SOLIDCOLOR | CC_ENABLEHOOK | CC_RGBINIT; if (ChooseColor(&chooseColor)) { item->CurrentColor = chooseColor.rgbResult; InvalidateRect(PhpGraphListViewHandle, NULL, TRUE); } PhSaveCustomColorList(SETTING_OPTIONS_CUSTOM_COLOR_LIST, customColors, RTL_NUMBER_OF(customColors)); ListView_SetItemState(PhpGraphListViewHandle, -1, 0, LVIS_SELECTED); } } } break; case LVN_GETINFOTIP: { if (header->hwndFrom == PhpGraphListViewHandle) { NMLVGETINFOTIP* getInfoTip = (NMLVGETINFOTIP*)lParam; PH_STRINGREF tip; PhInitializeStringRefLongHint(&tip, ColorItems[getInfoTip->iItem].Description); PhCopyListViewInfoTip(getInfoTip, &tip); } } break; } if (IsWindowEnabled(PhpGraphListViewHandle)) // HACK: Move to WM_COMMAND (dmex) { REFLECT_MESSAGE_DLG(hwndDlg, PhpGraphListViewHandle, uMsg, wParam, lParam); } } break; case WM_CONTEXTMENU: { if ((HWND)wParam == PhpGraphListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PCOLOR_ITEM ColorItem; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(PhpGraphListViewHandle, &point); if (ColorItem = PhGetSelectedListViewItemParam(PhpGraphListViewHandle)) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_RESET, L"&Reset", NULL, NULL), ULONG_MAX); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item && item->Id == IDC_RESET) { PH_STRINGREF SettingName; PPH_SETTING Color; PhInitializeStringRef(&SettingName, ColorItem->SettingName); Color = PhGetSetting(&SettingName); PhSettingFromString(Color->Type, &Color->DefaultValue, NULL, Color); ColorItem->CurrentColor = Color->u.Integer; ListView_SetItemState(PhpGraphListViewHandle, -1, 0, LVIS_SELECTED); } PhDestroyEMenu(menu); } } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/pagfiles.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2020-2023 * */ #include #include #include #include HWND PhPageFileWindowHandle = NULL; typedef struct _PHP_PAGEFILE_PROPERTIES_CONTEXT { HWND WindowHandle; HWND ListViewHandle; PH_LAYOUT_MANAGER LayoutManager; } PHP_PAGEFILE_PROPERTIES_CONTEXT, *PPHP_PAGEFILE_PROPERTIES_CONTEXT; INT_PTR CALLBACK PhpPagefilesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowPagefilesDialog( _In_ HWND ParentWindowHandle ) { if (!PhPageFileWindowHandle) { PhPageFileWindowHandle = PhCreateDialog( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_PAGEFILES), PhCsForceNoParent ? NULL : ParentWindowHandle, PhpPagefilesDlgProc, NULL ); PhRegisterDialog(PhPageFileWindowHandle); ShowWindow(PhPageFileWindowHandle, SW_SHOW); } if (IsMinimized(PhPageFileWindowHandle)) ShowWindow(PhPageFileWindowHandle, SW_RESTORE); else SetForegroundWindow(PhPageFileWindowHandle); } VOID PhpAddPagefileItems( _In_ HWND ListViewHandle, _In_ PVOID Pagefiles ) { PSYSTEM_PAGEFILE_INFORMATION pagefile; pagefile = PH_FIRST_PAGEFILE(Pagefiles); while (pagefile) { INT lvItemIndex; PPH_STRING fileName; PPH_STRING newFileName; PPH_STRING usage; fileName = PhCreateStringFromUnicodeString(&pagefile->PageFileName); newFileName = PhGetFileName(fileName); PhDereferenceObject(fileName); lvItemIndex = PhAddListViewItem(ListViewHandle, MAXINT, newFileName->Buffer, NULL); PhDereferenceObject(newFileName); // Usage usage = PhFormatSize(UInt32x32To64(pagefile->TotalInUse, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, usage->Buffer); PhDereferenceObject(usage); // Peak usage usage = PhFormatSize(UInt32x32To64(pagefile->PeakUsage, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, usage->Buffer); PhDereferenceObject(usage); // Total usage = PhFormatSize(UInt32x32To64(pagefile->TotalSize, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 3, usage->Buffer); PhDereferenceObject(usage); pagefile = PH_NEXT_PAGEFILE(pagefile); } } VOID PhpAddPagefileItemsEx( _In_ HWND ListViewHandle, _In_ PVOID Pagefiles ) { PSYSTEM_PAGEFILE_INFORMATION_EX pagefile; pagefile = PH_FIRST_PAGEFILE_EX(Pagefiles); while (pagefile) { INT lvItemIndex; PPH_STRING fileName; PPH_STRING newFileName; PPH_STRING usage; fileName = PhCreateStringFromUnicodeString(&pagefile->Info.PageFileName); newFileName = PhGetFileName(fileName); PhDereferenceObject(fileName); lvItemIndex = PhAddListViewItem(ListViewHandle, MAXINT, newFileName->Buffer, NULL); PhDereferenceObject(newFileName); // Usage usage = PhFormatSize(UInt32x32To64(pagefile->Info.TotalInUse, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, usage->Buffer); PhDereferenceObject(usage); // Peak usage usage = PhFormatSize(UInt32x32To64(pagefile->Info.PeakUsage, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, usage->Buffer); PhDereferenceObject(usage); // Total usage = PhFormatSize(UInt32x32To64(pagefile->Info.TotalSize, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 3, usage->Buffer); PhDereferenceObject(usage); // Minimum usage = PhFormatSize(UInt32x32To64(pagefile->MinimumSize, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 4, usage->Buffer); PhDereferenceObject(usage); // Maximum usage = PhFormatSize(UInt32x32To64(pagefile->MaximumSize, PAGE_SIZE), ULONG_MAX); PhSetListViewSubItem(ListViewHandle, lvItemIndex, 5, usage->Buffer); PhDereferenceObject(usage); pagefile = PH_NEXT_PAGEFILE_EX(pagefile); } } INT_PTR CALLBACK PhpPagefilesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_PAGEFILE_PROPERTIES_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PHP_PAGEFILE_PROPERTIES_CONTEXT)); context->WindowHandle = hwndDlg; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { NTSTATUS status; PVOID pagefiles; context->WindowHandle = hwndDlg; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetApplicationWindowIcon(hwndDlg); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 120, L"File name"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 100, L"Usage"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 100, L"Peak usage"); PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 100, L"Total"); if (WindowsVersion > WINDOWS_8) { PhAddListViewColumn(context->ListViewHandle, 4, 4, 4, LVCFMT_LEFT, 100, L"Minimum"); PhAddListViewColumn(context->ListViewHandle, 5, 5, 5, LVCFMT_LEFT, 100, L"Maximum"); } PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhSetExtendedListView(context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REFRESH), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhLoadListViewColumnsFromSetting(SETTING_PAGE_FILE_LIST_VIEW_COLUMNS, context->ListViewHandle); ExtendedListView_SetRedraw(context->ListViewHandle, FALSE); ListView_DeleteAllItems(context->ListViewHandle); if (WindowsVersion > WINDOWS_8) { if (NT_SUCCESS(status = PhEnumPagefilesEx(&pagefiles))) { PhpAddPagefileItemsEx(context->ListViewHandle, pagefiles); PhFree(pagefiles); } } else { if (NT_SUCCESS(status = PhEnumPagefiles(&pagefiles))) { PhpAddPagefileItems(context->ListViewHandle, pagefiles); PhFree(pagefiles); } } ExtendedListView_SetRedraw(context->ListViewHandle, TRUE); if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to query pagefile information.", status, 0); DestroyWindow(hwndDlg); } if (PhValidWindowPlacementFromSetting(SETTING_PAGE_FILE_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_PAGE_FILE_WINDOW_POSITION, SETTING_PAGE_FILE_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveListViewColumnsToSetting(SETTING_PAGE_FILE_LIST_VIEW_COLUMNS, context->ListViewHandle); PhSaveWindowPlacementToSetting(SETTING_PAGE_FILE_WINDOW_POSITION, SETTING_PAGE_FILE_WINDOW_SIZE, hwndDlg); PhUnregisterDialog(PhPageFileWindowHandle); PhPageFileWindowHandle = NULL; PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteLayoutManager(&context->LayoutManager); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: DestroyWindow(hwndDlg); break; case IDC_REFRESH: { NTSTATUS status; PVOID pagefiles; ExtendedListView_SetRedraw(context->ListViewHandle, FALSE); ListView_DeleteAllItems(context->ListViewHandle); if (WindowsVersion > WINDOWS_8) { if (NT_SUCCESS(status = PhEnumPagefilesEx(&pagefiles))) { PhpAddPagefileItemsEx(context->ListViewHandle, pagefiles); PhFree(pagefiles); } } else { if (NT_SUCCESS(status = PhEnumPagefiles(&pagefiles))) { PhpAddPagefileItems(context->ListViewHandle, pagefiles); PhFree(pagefiles); } } ExtendedListView_SetRedraw(context->ListViewHandle, TRUE); if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to query pagefile information.", status, 0); } } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: PhCopyListView(context->ListViewHandle); break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/phsvc/clapi.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2015 * dmex 2017-2023 * */ #include #include HANDLE PhSvcClPortHandle = NULL; PVOID PhSvcClPortHeap = NULL; HANDLE PhSvcClServerProcessId = NULL; NTSTATUS PhSvcConnectToServer( _In_ PUNICODE_STRING PortName, _In_opt_ SIZE_T PortSectionSize ) { NTSTATUS status; HANDLE sectionHandle; LARGE_INTEGER sectionSize; PORT_VIEW clientView; REMOTE_PORT_VIEW serverView; SECURITY_QUALITY_OF_SERVICE securityQos; ULONG maxMessageLength; PHSVC_API_CONNECTINFO connectInfo; ULONG connectInfoLength; if (PhSvcClPortHandle) return STATUS_ADDRESS_ALREADY_EXISTS; if (PortSectionSize == 0) PortSectionSize = UInt32x32To64(8, 1024 * 1024); // 8 MB sectionSize.QuadPart = PortSectionSize; // Create the port section and connect to the port. status = PhCreateSection( §ionHandle, SECTION_ALL_ACCESS, §ionSize, PAGE_READWRITE, SEC_COMMIT, NULL ); if (!NT_SUCCESS(status)) return status; clientView.Length = sizeof(PORT_VIEW); clientView.SectionHandle = sectionHandle; clientView.SectionOffset = 0; clientView.ViewSize = PortSectionSize; clientView.ViewBase = NULL; clientView.ViewRemoteBase = NULL; serverView.Length = sizeof(REMOTE_PORT_VIEW); serverView.ViewSize = 0; serverView.ViewBase = NULL; securityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); securityQos.ImpersonationLevel = SecurityImpersonation; securityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; securityQos.EffectiveOnly = TRUE; connectInfoLength = sizeof(PHSVC_API_CONNECTINFO); connectInfo.ServerProcessId = 0; status = NtConnectPort( &PhSvcClPortHandle, PortName, &securityQos, &clientView, &serverView, &maxMessageLength, &connectInfo, &connectInfoLength ); NtClose(sectionHandle); if (!NT_SUCCESS(status)) return status; PhSvcClServerProcessId = UlongToHandle(connectInfo.ServerProcessId); // // Create the port heap. // PhSvcClPortHeap = RtlCreateHeap( HEAP_CLASS_1, clientView.ViewBase, clientView.ViewSize, PAGE_SIZE, NULL, NULL ); if (!PhSvcClPortHeap) { NtClose(PhSvcClPortHandle); return STATUS_INSUFFICIENT_RESOURCES; } // // Enable the low-fragmentation heap (LFH). // const ULONG defaultHeapCompatibilityMode = HEAP_COMPATIBILITY_MODE_LFH; RtlSetHeapInformation( PhSvcClPortHeap, HeapCompatibilityInformation, &defaultHeapCompatibilityMode, sizeof(ULONG) ); return status; } VOID PhSvcDisconnectFromServer( VOID ) { if (PhSvcClPortHeap) { RtlDestroyHeap(PhSvcClPortHeap); PhSvcClPortHeap = NULL; } if (PhSvcClPortHandle) { NtClose(PhSvcClPortHandle); PhSvcClPortHandle = NULL; } PhSvcClServerProcessId = 0; } _Success_(return != NULL) PVOID PhSvcpAllocateHeap( _In_ SIZE_T Size, _Out_ PULONG Offset ) { PVOID memory; if (!PhSvcClPortHeap) return NULL; memory = RtlAllocateHeap(PhSvcClPortHeap, HEAP_ZERO_MEMORY, Size); if (!memory) return NULL; *Offset = PtrToUlong(PTR_SUB_OFFSET(memory, PhSvcClPortHeap)); return memory; } VOID PhSvcpFreeHeap( _In_ PVOID Memory ) { if (!PhSvcClPortHeap) return; RtlFreeHeap(PhSvcClPortHeap, 0, Memory); } _Success_(return != NULL) PVOID PhSvcpCreateString( _In_opt_ PCWSTR String, _In_ SIZE_T Length, _Out_ PPH_RELATIVE_STRINGREF StringRef ) { PVOID memory; SIZE_T length; ULONG offset; if (Length != SIZE_MAX) length = Length; else length = PhCountStringZ(String) * sizeof(WCHAR); if (length > ULONG_MAX) return NULL; memory = PhSvcpAllocateHeap(length, &offset); if (!memory) return NULL; if (String) memcpy(memory, String, length); StringRef->Length = (ULONG)length; StringRef->Offset = offset; return memory; } NTSTATUS PhSvcpCallServer( _Inout_ PPHSVC_API_MSG Message ) { NTSTATUS status; Message->h.u1.s1.DataLength = sizeof(PHSVC_API_MSG) - FIELD_OFFSET(PHSVC_API_MSG, p); Message->h.u1.s1.TotalLength = sizeof(PHSVC_API_MSG); Message->h.u2.ZeroInit = 0; status = NtRequestWaitReplyPort(PhSvcClPortHandle, &Message->h, &Message->h); if (!NT_SUCCESS(status)) return status; return Message->p.ReturnStatus; } NTSTATUS PhSvcCallPlugin( _In_ PPH_STRINGREF ApiId, _In_reads_bytes_opt_(InLength) PVOID InBuffer, _In_ ULONG InLength, _Out_writes_bytes_opt_(OutLength) PVOID OutBuffer, _In_ ULONG OutLength ) { NTSTATUS status; PHSVC_API_MSG m; PVOID apiId = NULL; memset(&m, 0, sizeof(PHSVC_API_MSG)); if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; if (InLength > sizeof(m.p.u.Plugin.i.Data)) return STATUS_BUFFER_OVERFLOW; m.p.ApiNumber = PhSvcPluginApiNumber; if (!(apiId = PhSvcpCreateString(ApiId->Buffer, ApiId->Length, &m.p.u.Plugin.i.ApiId))) return STATUS_NO_MEMORY; if (InLength != 0) memcpy(m.p.u.Plugin.i.Data, InBuffer, InLength); status = PhSvcpCallServer(&m); if (OutLength != 0) memcpy(OutBuffer, m.p.u.Plugin.o.Data, min(OutLength, sizeof(m.p.u.Plugin.o.Data))); if (apiId) PhSvcpFreeHeap(apiId); return status; } NTSTATUS PhSvcpCallExecuteRunAsCommand( _In_ PHSVC_API_NUMBER ApiNumber, _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ) { NTSTATUS status; PHSVC_API_MSG m; PVOID userName = NULL; PVOID password = NULL; ULONG passwordLength = 0; PVOID currentDirectory = NULL; PVOID commandLine = NULL; PVOID fileName = NULL; PVOID desktopName = NULL; PVOID serviceName = NULL; memset(&m, 0, sizeof(PHSVC_API_MSG)); if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = ApiNumber; m.p.u.ExecuteRunAsCommand.i.ProcessId = Parameters->ProcessId; m.p.u.ExecuteRunAsCommand.i.LogonType = Parameters->LogonType; m.p.u.ExecuteRunAsCommand.i.SessionId = Parameters->SessionId; m.p.u.ExecuteRunAsCommand.i.UseLinkedToken = Parameters->UseLinkedToken; m.p.u.ExecuteRunAsCommand.i.CreateSuspendedProcess = Parameters->CreateSuspendedProcess; m.p.u.ExecuteRunAsCommand.i.CreateUIAccessProcess = Parameters->CreateUIAccessProcess; m.p.u.ExecuteRunAsCommand.i.WindowHandle = Parameters->WindowHandle; status = STATUS_NO_MEMORY; if (Parameters->UserName && !(userName = PhSvcpCreateString(Parameters->UserName, SIZE_MAX, &m.p.u.ExecuteRunAsCommand.i.UserName))) goto CleanupExit; if (Parameters->Password) { if (!(password = PhSvcpCreateString(Parameters->Password, SIZE_MAX, &m.p.u.ExecuteRunAsCommand.i.Password))) goto CleanupExit; passwordLength = m.p.u.ExecuteRunAsCommand.i.Password.Length; } if (Parameters->CurrentDirectory && !(currentDirectory = PhSvcpCreateString(Parameters->CurrentDirectory, SIZE_MAX, &m.p.u.ExecuteRunAsCommand.i.CurrentDirectory))) goto CleanupExit; if (Parameters->CommandLine && !(commandLine = PhSvcpCreateString(Parameters->CommandLine, SIZE_MAX, &m.p.u.ExecuteRunAsCommand.i.CommandLine))) goto CleanupExit; if (Parameters->FileName && !(fileName = PhSvcpCreateString(Parameters->FileName, SIZE_MAX, &m.p.u.ExecuteRunAsCommand.i.FileName))) goto CleanupExit; if (Parameters->DesktopName && !(desktopName = PhSvcpCreateString(Parameters->DesktopName, SIZE_MAX, &m.p.u.ExecuteRunAsCommand.i.DesktopName))) goto CleanupExit; if (Parameters->ServiceName && !(serviceName = PhSvcpCreateString(Parameters->ServiceName, SIZE_MAX, &m.p.u.ExecuteRunAsCommand.i.ServiceName))) goto CleanupExit; status = PhSvcpCallServer(&m); CleanupExit: if (serviceName) PhSvcpFreeHeap(serviceName); if (desktopName) PhSvcpFreeHeap(desktopName); if (fileName) PhSvcpFreeHeap(fileName); if (commandLine) PhSvcpFreeHeap(commandLine); if (currentDirectory) PhSvcpFreeHeap(currentDirectory); if (password) { RtlSecureZeroMemory(password, passwordLength); PhSvcpFreeHeap(password); } if (userName) PhSvcpFreeHeap(userName); return status; } NTSTATUS PhSvcCallExecuteRunAsCommand( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ) { return PhSvcpCallExecuteRunAsCommand(PhSvcExecuteRunAsCommandApiNumber, Parameters); } NTSTATUS PhSvcCallUnloadDriver( _In_opt_ PVOID BaseAddress, _In_opt_ PCWSTR Name, _In_opt_ PCWSTR FileName ) { NTSTATUS status; PHSVC_API_MSG m; PVOID name = NULL; memset(&m, 0, sizeof(PHSVC_API_MSG)); if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcUnloadDriverApiNumber; m.p.u.UnloadDriver.i.BaseAddress = BaseAddress; if (Name) { name = PhSvcpCreateString(Name, SIZE_MAX, &m.p.u.UnloadDriver.i.Name); if (!name) return STATUS_NO_MEMORY; } if (FileName) { name = PhSvcpCreateString(FileName, SIZE_MAX, &m.p.u.UnloadDriver.i.FileName); if (!name) return STATUS_NO_MEMORY; } status = PhSvcpCallServer(&m); if (name) PhSvcpFreeHeap(name); return status; } NTSTATUS PhSvcCallControlProcess( _In_opt_ HANDLE ProcessId, _In_ PHSVC_API_CONTROLPROCESS_COMMAND Command, _In_ ULONG Argument ) { PHSVC_API_MSG m; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcControlProcessApiNumber; m.p.u.ControlProcess.i.ProcessId = ProcessId; m.p.u.ControlProcess.i.Command = Command; m.p.u.ControlProcess.i.Argument = Argument; return PhSvcpCallServer(&m); } NTSTATUS PhSvcCallControlService( _In_ PCWSTR ServiceName, _In_ PHSVC_API_CONTROLSERVICE_COMMAND Command ) { NTSTATUS status; PHSVC_API_MSG m; PVOID serviceName; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcControlServiceApiNumber; serviceName = PhSvcpCreateString(ServiceName, SIZE_MAX, &m.p.u.ControlService.i.ServiceName); m.p.u.ControlService.i.Command = Command; if (serviceName) { status = PhSvcpCallServer(&m); } else { status = STATUS_NO_MEMORY; } if (serviceName) PhSvcpFreeHeap(serviceName); return status; } NTSTATUS PhSvcCallCreateService( _In_ PCWSTR ServiceName, _In_opt_ PCWSTR DisplayName, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR LoadOrderGroup, _Out_opt_ PULONG TagId, _In_opt_ PCWSTR Dependencies, _In_opt_ PCWSTR ServiceStartName, _In_opt_ PCWSTR Password ) { NTSTATUS status; PHSVC_API_MSG m; PVOID serviceName = NULL; PVOID displayName = NULL; PVOID binaryPathName = NULL; PVOID loadOrderGroup = NULL; PVOID dependencies = NULL; PVOID serviceStartName = NULL; PVOID password = NULL; ULONG passwordLength = 0; memset(&m, 0, sizeof(PHSVC_API_MSG)); if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcCreateServiceApiNumber; m.p.u.CreateService.i.ServiceType = ServiceType; m.p.u.CreateService.i.StartType = StartType; m.p.u.CreateService.i.ErrorControl = ErrorControl; m.p.u.CreateService.i.TagIdSpecified = TagId != NULL; status = STATUS_NO_MEMORY; if (!(serviceName = PhSvcpCreateString(ServiceName, SIZE_MAX, &m.p.u.CreateService.i.ServiceName))) goto CleanupExit; if (DisplayName && !(displayName = PhSvcpCreateString(DisplayName, SIZE_MAX, &m.p.u.CreateService.i.DisplayName))) goto CleanupExit; if (BinaryPathName && !(binaryPathName = PhSvcpCreateString(BinaryPathName, SIZE_MAX, &m.p.u.CreateService.i.BinaryPathName))) goto CleanupExit; if (LoadOrderGroup && !(loadOrderGroup = PhSvcpCreateString(LoadOrderGroup, SIZE_MAX, &m.p.u.CreateService.i.LoadOrderGroup))) goto CleanupExit; if (Dependencies) { SIZE_T dependenciesLength; SIZE_T partCount; PCWSTR part; dependenciesLength = sizeof(WCHAR); part = Dependencies; do { partCount = PhCountStringZ(part) + 1; part += partCount; dependenciesLength += partCount * sizeof(WCHAR); } while (partCount != 1); // stop at empty dependency part if (!(dependencies = PhSvcpCreateString(Dependencies, dependenciesLength, &m.p.u.CreateService.i.Dependencies))) goto CleanupExit; } if (ServiceStartName && !(serviceStartName = PhSvcpCreateString(ServiceStartName, SIZE_MAX, &m.p.u.CreateService.i.ServiceStartName))) goto CleanupExit; if (Password) { if (!(password = PhSvcpCreateString(Password, SIZE_MAX, &m.p.u.CreateService.i.Password))) goto CleanupExit; passwordLength = m.p.u.CreateService.i.Password.Length; } status = PhSvcpCallServer(&m); if (NT_SUCCESS(status)) { if (TagId) *TagId = m.p.u.CreateService.o.TagId; } CleanupExit: if (password) { RtlSecureZeroMemory(password, passwordLength); PhSvcpFreeHeap(password); } if (serviceStartName) PhSvcpFreeHeap(serviceStartName); if (dependencies) PhSvcpFreeHeap(dependencies); if (loadOrderGroup) PhSvcpFreeHeap(loadOrderGroup); if (binaryPathName) PhSvcpFreeHeap(binaryPathName); if (displayName) PhSvcpFreeHeap(displayName); if (serviceName) PhSvcpFreeHeap(serviceName); return status; } NTSTATUS PhSvcCallChangeServiceConfig( _In_ PCWSTR ServiceName, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR LoadOrderGroup, _Out_opt_ PULONG TagId, _In_opt_ PCWSTR Dependencies, _In_opt_ PCWSTR ServiceStartName, _In_opt_ PCWSTR Password, _In_opt_ PCWSTR DisplayName ) { NTSTATUS status; PHSVC_API_MSG m; PVOID serviceName = NULL; PVOID binaryPathName = NULL; PVOID loadOrderGroup = NULL; PVOID dependencies = NULL; PVOID serviceStartName = NULL; PVOID password = NULL; ULONG passwordLength = 0; PVOID displayName = NULL; memset(&m, 0, sizeof(PHSVC_API_MSG)); if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcChangeServiceConfigApiNumber; m.p.u.ChangeServiceConfig.i.ServiceType = ServiceType; m.p.u.ChangeServiceConfig.i.StartType = StartType; m.p.u.ChangeServiceConfig.i.ErrorControl = ErrorControl; m.p.u.ChangeServiceConfig.i.TagIdSpecified = TagId != NULL; status = STATUS_NO_MEMORY; if (!(serviceName = PhSvcpCreateString(ServiceName, SIZE_MAX, &m.p.u.ChangeServiceConfig.i.ServiceName))) goto CleanupExit; if (BinaryPathName && !(binaryPathName = PhSvcpCreateString(BinaryPathName, SIZE_MAX, &m.p.u.ChangeServiceConfig.i.BinaryPathName))) goto CleanupExit; if (LoadOrderGroup && !(loadOrderGroup = PhSvcpCreateString(LoadOrderGroup, SIZE_MAX, &m.p.u.ChangeServiceConfig.i.LoadOrderGroup))) goto CleanupExit; if (Dependencies) { SIZE_T dependenciesLength; SIZE_T partCount; PCWSTR part; dependenciesLength = sizeof(WCHAR); part = Dependencies; do { partCount = PhCountStringZ(part) + 1; part += partCount; dependenciesLength += partCount * sizeof(WCHAR); } while (partCount != 1); // stop at empty dependency part if (!(dependencies = PhSvcpCreateString(Dependencies, dependenciesLength, &m.p.u.ChangeServiceConfig.i.Dependencies))) goto CleanupExit; } if (ServiceStartName && !(serviceStartName = PhSvcpCreateString(ServiceStartName, SIZE_MAX, &m.p.u.ChangeServiceConfig.i.ServiceStartName))) goto CleanupExit; if (Password) { if (!(password = PhSvcpCreateString(Password, SIZE_MAX, &m.p.u.ChangeServiceConfig.i.Password))) goto CleanupExit; passwordLength = m.p.u.ChangeServiceConfig.i.Password.Length; } if (DisplayName && !(displayName = PhSvcpCreateString(DisplayName, SIZE_MAX, &m.p.u.ChangeServiceConfig.i.DisplayName))) goto CleanupExit; status = PhSvcpCallServer(&m); if (NT_SUCCESS(status)) { if (TagId) *TagId = m.p.u.ChangeServiceConfig.o.TagId; } CleanupExit: if (displayName) PhSvcpFreeHeap(displayName); if (password) { RtlSecureZeroMemory(password, passwordLength); PhSvcpFreeHeap(password); } if (serviceStartName) PhSvcpFreeHeap(serviceStartName); if (dependencies) PhSvcpFreeHeap(dependencies); if (loadOrderGroup) PhSvcpFreeHeap(loadOrderGroup); if (binaryPathName) PhSvcpFreeHeap(binaryPathName); if (serviceName) PhSvcpFreeHeap(serviceName); return status; } PVOID PhSvcpPackRoot( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ PVOID Buffer, _In_ SIZE_T Length ) { return PhAppendBytesBuilderEx(BytesBuilder, Buffer, Length, sizeof(ULONG_PTR), NULL); } VOID PhSvcpPackBuffer_V( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _Inout_ PVOID *PointerInBytesBuilder, _In_ SIZE_T Length, _In_ SIZE_T Alignment, _In_ ULONG NumberOfPointersToRebase, _In_ va_list ArgPtr ) { va_list argptr; ULONG_PTR oldBase; SIZE_T oldLength; ULONG_PTR newBase; SIZE_T offset; ULONG i; PVOID *pointer; oldBase = (ULONG_PTR)BytesBuilder->Bytes->Buffer; oldLength = BytesBuilder->Bytes->Length; assert((ULONG_PTR)PointerInBytesBuilder >= oldBase && (ULONG_PTR)PointerInBytesBuilder + sizeof(PVOID) <= oldBase + oldLength); if (!*PointerInBytesBuilder) return; PhAppendBytesBuilderEx(BytesBuilder, *PointerInBytesBuilder, Length, Alignment, &offset); newBase = (ULONG_PTR)BytesBuilder->Bytes->Buffer; PointerInBytesBuilder = (PVOID *)((ULONG_PTR)PointerInBytesBuilder - oldBase + newBase); *PointerInBytesBuilder = (PVOID)offset; argptr = ArgPtr; for (i = 0; i < NumberOfPointersToRebase; i++) { pointer = va_arg(argptr, PVOID *); assert(!*pointer || ((ULONG_PTR)*pointer >= oldBase && (ULONG_PTR)*pointer + sizeof(PVOID) <= oldBase + oldLength)); if (*pointer) *pointer = (PVOID)((ULONG_PTR)*pointer - oldBase + newBase); } } VOID PhSvcpPackBuffer( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _Inout_ PVOID *PointerInBytesBuilder, _In_ SIZE_T Length, _In_ SIZE_T Alignment, _In_ ULONG NumberOfPointersToRebase, ... ) { va_list argptr; va_start(argptr, NumberOfPointersToRebase); PhSvcpPackBuffer_V(BytesBuilder, PointerInBytesBuilder, Length, Alignment, NumberOfPointersToRebase, argptr); va_end(argptr); } SIZE_T PhSvcpBufferLengthStringZ( _In_opt_ PCWSTR String, _In_ BOOLEAN Multi ) { SIZE_T length = 0; if (String) { if (Multi) { PCWSTR part = String; SIZE_T partCount; while (TRUE) { partCount = PhCountStringZ(part); length += (partCount + 1) * sizeof(WCHAR); if (partCount == 0) break; part += partCount + 1; } } else { length = (PhCountStringZ(String) + 1) * sizeof(WCHAR); } } return length; } NTSTATUS PhSvcCallChangeServiceConfig2( _In_ PCWSTR ServiceName, _In_ ULONG InfoLevel, _In_ PVOID Info ) { NTSTATUS status; PHSVC_API_MSG m; PVOID serviceName = NULL; PVOID info = NULL; PH_BYTES_BUILDER bb; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcChangeServiceConfig2ApiNumber; m.p.u.ChangeServiceConfig2.i.InfoLevel = InfoLevel; if (serviceName = PhSvcpCreateString(ServiceName, SIZE_MAX, &m.p.u.ChangeServiceConfig2.i.ServiceName)) { switch (InfoLevel) { case SERVICE_CONFIG_FAILURE_ACTIONS: { LPSERVICE_FAILURE_ACTIONS failureActions = Info; LPSERVICE_FAILURE_ACTIONS packedFailureActions; PhInitializeBytesBuilder(&bb, 200); packedFailureActions = PhSvcpPackRoot(&bb, failureActions, sizeof(SERVICE_FAILURE_ACTIONS)); PhSvcpPackBuffer(&bb, &packedFailureActions->lpRebootMsg, PhSvcpBufferLengthStringZ(failureActions->lpRebootMsg, FALSE), sizeof(WCHAR), 1, &packedFailureActions); PhSvcpPackBuffer(&bb, &packedFailureActions->lpCommand, PhSvcpBufferLengthStringZ(failureActions->lpCommand, FALSE), sizeof(WCHAR), 1, &packedFailureActions); if (failureActions->cActions != 0 && failureActions->lpsaActions) { PhSvcpPackBuffer(&bb, &packedFailureActions->lpsaActions, failureActions->cActions * sizeof(SC_ACTION), __alignof(SC_ACTION), 1, &packedFailureActions); } info = PhSvcpCreateString((PCWSTR)bb.Bytes->Buffer, bb.Bytes->Length, &m.p.u.ChangeServiceConfig2.i.Info); PhDeleteBytesBuilder(&bb); } break; case SERVICE_CONFIG_DELAYED_AUTO_START_INFO: info = PhSvcpCreateString(Info, sizeof(SERVICE_DELAYED_AUTO_START_INFO), &m.p.u.ChangeServiceConfig2.i.Info); break; case SERVICE_CONFIG_FAILURE_ACTIONS_FLAG: info = PhSvcpCreateString(Info, sizeof(SERVICE_FAILURE_ACTIONS_FLAG), &m.p.u.ChangeServiceConfig2.i.Info); break; case SERVICE_CONFIG_SERVICE_SID_INFO: info = PhSvcpCreateString(Info, sizeof(SERVICE_SID_INFO), &m.p.u.ChangeServiceConfig2.i.Info); break; case SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO: { LPSERVICE_REQUIRED_PRIVILEGES_INFO requiredPrivilegesInfo = Info; LPSERVICE_REQUIRED_PRIVILEGES_INFO packedRequiredPrivilegesInfo; PhInitializeBytesBuilder(&bb, 100); packedRequiredPrivilegesInfo = PhSvcpPackRoot(&bb, requiredPrivilegesInfo, sizeof(SERVICE_REQUIRED_PRIVILEGES_INFO)); PhSvcpPackBuffer(&bb, &packedRequiredPrivilegesInfo->pmszRequiredPrivileges, PhSvcpBufferLengthStringZ(requiredPrivilegesInfo->pmszRequiredPrivileges, TRUE), sizeof(WCHAR), 1, &packedRequiredPrivilegesInfo); info = PhSvcpCreateString((PCWSTR)bb.Bytes->Buffer, bb.Bytes->Length, &m.p.u.ChangeServiceConfig2.i.Info); PhDeleteBytesBuilder(&bb); } break; case SERVICE_CONFIG_PRESHUTDOWN_INFO: info = PhSvcpCreateString(Info, sizeof(SERVICE_PRESHUTDOWN_INFO), &m.p.u.ChangeServiceConfig2.i.Info); break; case SERVICE_CONFIG_TRIGGER_INFO: { PSERVICE_TRIGGER_INFO triggerInfo = Info; PSERVICE_TRIGGER_INFO packedTriggerInfo; ULONG i; PSERVICE_TRIGGER packedTrigger; ULONG j; PSERVICE_TRIGGER_SPECIFIC_DATA_ITEM packedDataItem; ULONG alignment; PhInitializeBytesBuilder(&bb, 400); packedTriggerInfo = PhSvcpPackRoot(&bb, triggerInfo, sizeof(SERVICE_TRIGGER_INFO)); if (triggerInfo->cTriggers != 0 && triggerInfo->pTriggers) { PhSvcpPackBuffer(&bb, &packedTriggerInfo->pTriggers, triggerInfo->cTriggers * sizeof(SERVICE_TRIGGER), __alignof(SERVICE_TRIGGER), 1, &packedTriggerInfo); for (i = 0; i < triggerInfo->cTriggers; i++) { packedTrigger = PhOffsetBytesBuilder(&bb, (SIZE_T)packedTriggerInfo->pTriggers + i * sizeof(SERVICE_TRIGGER)); PhSvcpPackBuffer(&bb, &packedTrigger->pTriggerSubtype, sizeof(GUID), __alignof(GUID), 2, &packedTriggerInfo, &packedTrigger); if (packedTrigger->cDataItems != 0 && packedTrigger->pDataItems) { PhSvcpPackBuffer(&bb, &packedTrigger->pDataItems, packedTrigger->cDataItems * sizeof(SERVICE_TRIGGER_SPECIFIC_DATA_ITEM), __alignof(SERVICE_TRIGGER_SPECIFIC_DATA_ITEM), 2, &packedTriggerInfo, &packedTrigger); for (j = 0; j < packedTrigger->cDataItems; j++) { packedDataItem = PhOffsetBytesBuilder(&bb, (SIZE_T)packedTrigger->pDataItems + j * sizeof(SERVICE_TRIGGER_SPECIFIC_DATA_ITEM)); alignment = 1; switch (packedDataItem->dwDataType) { case SERVICE_TRIGGER_DATA_TYPE_BINARY: case SERVICE_TRIGGER_DATA_TYPE_LEVEL: alignment = sizeof(CHAR); break; case SERVICE_TRIGGER_DATA_TYPE_STRING: alignment = sizeof(WCHAR); break; case SERVICE_TRIGGER_DATA_TYPE_KEYWORD_ANY: case SERVICE_TRIGGER_DATA_TYPE_KEYWORD_ALL: alignment = sizeof(ULONG64); break; } PhSvcpPackBuffer(&bb, &packedDataItem->pData, packedDataItem->cbData, alignment, 3, &packedTriggerInfo, &packedTrigger, &packedDataItem); } } } } info = PhSvcpCreateString((PCWSTR)bb.Bytes->Buffer, bb.Bytes->Length, &m.p.u.ChangeServiceConfig2.i.Info); PhDeleteBytesBuilder(&bb); } break; case SERVICE_CONFIG_LAUNCH_PROTECTED: info = PhSvcpCreateString(Info, sizeof(SERVICE_LAUNCH_PROTECTED_INFO), &m.p.u.ChangeServiceConfig2.i.Info); break; default: status = STATUS_INVALID_PARAMETER; break; } } if (serviceName && info) { status = PhSvcpCallServer(&m); } else { status = STATUS_NO_MEMORY; } if (info) PhSvcpFreeHeap(info); if (serviceName) PhSvcpFreeHeap(serviceName); return status; } NTSTATUS PhSvcCallSetTcpEntry( _In_ PVOID TcpRow ) { PHSVC_API_MSG m; struct { ULONG dwState; ULONG dwLocalAddr; ULONG dwLocalPort; ULONG dwRemoteAddr; ULONG dwRemotePort; } *tcpRow = TcpRow; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcSetTcpEntryApiNumber; m.p.u.SetTcpEntry.i.State = tcpRow->dwState; m.p.u.SetTcpEntry.i.LocalAddress = tcpRow->dwLocalAddr; m.p.u.SetTcpEntry.i.LocalPort = tcpRow->dwLocalPort; m.p.u.SetTcpEntry.i.RemoteAddress = tcpRow->dwRemoteAddr; m.p.u.SetTcpEntry.i.RemotePort = tcpRow->dwRemotePort; return PhSvcpCallServer(&m); } NTSTATUS PhSvcCallControlThread( _In_ HANDLE ThreadId, _In_ PHSVC_API_CONTROLTHREAD_COMMAND Command, _In_ ULONG Argument ) { PHSVC_API_MSG m; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcControlThreadApiNumber; m.p.u.ControlThread.i.ThreadId = ThreadId; m.p.u.ControlThread.i.Command = Command; m.p.u.ControlThread.i.Argument = Argument; return PhSvcpCallServer(&m); } NTSTATUS PhSvcCallAddAccountRight( _In_ PSID AccountSid, _In_ PUNICODE_STRING UserRight ) { NTSTATUS status; PHSVC_API_MSG m; PVOID accountSid = NULL; PVOID userRight = NULL; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcAddAccountRightApiNumber; status = STATUS_NO_MEMORY; if (!(accountSid = PhSvcpCreateString(AccountSid, PhLengthSid(AccountSid), &m.p.u.AddAccountRight.i.AccountSid))) goto CleanupExit; if (!(userRight = PhSvcpCreateString(UserRight->Buffer, UserRight->Length, &m.p.u.AddAccountRight.i.UserRight))) goto CleanupExit; status = PhSvcpCallServer(&m); CleanupExit: if (userRight) PhSvcpFreeHeap(userRight); if (accountSid) PhSvcpFreeHeap(accountSid); return status; } NTSTATUS PhSvcCallInvokeRunAsService( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ) { return PhSvcpCallExecuteRunAsCommand(PhSvcInvokeRunAsServiceApiNumber, Parameters); } NTSTATUS PhSvcCallIssueMemoryListCommand( _In_ SYSTEM_MEMORY_LIST_COMMAND Command ) { PHSVC_API_MSG m; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcIssueMemoryListCommandApiNumber; m.p.u.IssueMemoryListCommand.i.Command = Command; return PhSvcpCallServer(&m); } NTSTATUS PhSvcCallPostMessage( _In_opt_ HWND hWnd, _In_ UINT Msg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PHSVC_API_MSG m; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcPostMessageApiNumber; m.p.u.PostMessage.i.hWnd = hWnd; m.p.u.PostMessage.i.Msg = Msg; m.p.u.PostMessage.i.wParam = wParam; m.p.u.PostMessage.i.lParam = lParam; return PhSvcpCallServer(&m); } NTSTATUS PhSvcCallSendMessage( _In_opt_ HWND hWnd, _In_ UINT Msg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PHSVC_API_MSG m; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcSendMessageApiNumber; m.p.u.PostMessage.i.hWnd = hWnd; m.p.u.PostMessage.i.Msg = Msg; m.p.u.PostMessage.i.wParam = wParam; m.p.u.PostMessage.i.lParam = lParam; return PhSvcpCallServer(&m); } NTSTATUS PhSvcCallCreateProcessIgnoreIfeoDebugger( _In_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine ) { NTSTATUS status; PHSVC_API_MSG m; PVOID fileName = NULL; PVOID commandLine = NULL; memset(&m, 0, sizeof(PHSVC_API_MSG)); if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; m.p.ApiNumber = PhSvcCreateProcessIgnoreIfeoDebuggerApiNumber; fileName = PhSvcpCreateString(FileName, SIZE_MAX, &m.p.u.CreateProcessIgnoreIfeoDebugger.i.FileName); if (!fileName) return STATUS_NO_MEMORY; if (CommandLine) { commandLine = PhSvcpCreateString(CommandLine, SIZE_MAX, &m.p.u.CreateProcessIgnoreIfeoDebugger.i.CommandLine); if (!commandLine) return STATUS_NO_MEMORY; } status = PhSvcpCallServer(&m); if (commandLine) PhSvcpFreeHeap(commandLine); if (fileName) PhSvcpFreeHeap(fileName); return status; } _Success_(return != NULL) PSECURITY_DESCRIPTOR PhpAbsoluteToSelfRelativeSD( _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, _Out_ PULONG BufferSize ) { NTSTATUS status; ULONG bufferSize = 0; PSECURITY_DESCRIPTOR selfRelativeSecurityDescriptor; status = RtlAbsoluteToSelfRelativeSD(AbsoluteSecurityDescriptor, NULL, &bufferSize); if (status != STATUS_BUFFER_TOO_SMALL) return NULL; selfRelativeSecurityDescriptor = PhAllocate(bufferSize); status = RtlAbsoluteToSelfRelativeSD(AbsoluteSecurityDescriptor, selfRelativeSecurityDescriptor, &bufferSize); if (!NT_SUCCESS(status)) { PhFree(selfRelativeSecurityDescriptor); return NULL; } *BufferSize = bufferSize; return selfRelativeSecurityDescriptor; } NTSTATUS PhSvcCallSetServiceSecurity( _In_ PCWSTR ServiceName, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { NTSTATUS status; PHSVC_API_MSG m; PSECURITY_DESCRIPTOR selfRelativeSecurityDescriptor = NULL; ULONG bufferSize; PVOID serviceName = NULL; PVOID copiedSelfRelativeSecurityDescriptor = NULL; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; selfRelativeSecurityDescriptor = PhpAbsoluteToSelfRelativeSD(SecurityDescriptor, &bufferSize); if (!selfRelativeSecurityDescriptor) { status = STATUS_BAD_DESCRIPTOR_FORMAT; goto CleanupExit; } m.p.ApiNumber = PhSvcSetServiceSecurityApiNumber; m.p.u.SetServiceSecurity.i.SecurityInformation = SecurityInformation; status = STATUS_NO_MEMORY; if (!(serviceName = PhSvcpCreateString(ServiceName, SIZE_MAX, &m.p.u.SetServiceSecurity.i.ServiceName))) goto CleanupExit; if (!(copiedSelfRelativeSecurityDescriptor = PhSvcpCreateString(selfRelativeSecurityDescriptor, bufferSize, &m.p.u.SetServiceSecurity.i.SecurityDescriptor))) goto CleanupExit; status = PhSvcpCallServer(&m); CleanupExit: if (selfRelativeSecurityDescriptor) PhFree(selfRelativeSecurityDescriptor); if (serviceName) PhSvcpFreeHeap(serviceName); if (copiedSelfRelativeSecurityDescriptor) PhSvcpFreeHeap(copiedSelfRelativeSecurityDescriptor); return status; } NTSTATUS PhSvcCallWriteMiniDumpProcess( _In_ HANDLE ProcessHandle, _In_ HANDLE ProcessId, _In_ HANDLE FileHandle, _In_ ULONG DumpType ) { NTSTATUS status; PHSVC_API_MSG m; HANDLE serverHandle = NULL; HANDLE remoteProcessHandle = NULL; HANDLE remoteFileHandle = NULL; memset(&m, 0, sizeof(PHSVC_API_MSG)); if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; // For typical uses of this function, the client has more privileges than the server. // We therefore duplicate our handles into the server's process. m.p.ApiNumber = PhSvcWriteMiniDumpProcessApiNumber; status = PhOpenProcess( &serverHandle, PROCESS_DUP_HANDLE, PhSvcClServerProcessId ); if (!NT_SUCCESS(status)) goto CleanupExit; status = NtDuplicateObject( NtCurrentProcess(), ProcessHandle, serverHandle, &remoteProcessHandle, 0, 0, DUPLICATE_SAME_ACCESS ); if (!NT_SUCCESS(status)) goto CleanupExit; status = NtDuplicateObject( NtCurrentProcess(), FileHandle, serverHandle, &remoteFileHandle, FILE_GENERIC_WRITE, 0, 0 ); if (!NT_SUCCESS(status)) goto CleanupExit; m.p.u.WriteMiniDumpProcess.i.LocalProcessHandle = HandleToUlong(remoteProcessHandle); m.p.u.WriteMiniDumpProcess.i.ProcessId = HandleToUlong(ProcessId); m.p.u.WriteMiniDumpProcess.i.LocalFileHandle = HandleToUlong(remoteFileHandle); m.p.u.WriteMiniDumpProcess.i.DumpType = DumpType; status = PhSvcpCallServer(&m); CleanupExit: if (serverHandle) { if (remoteProcessHandle) NtDuplicateObject(serverHandle, remoteProcessHandle, NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); if (remoteFileHandle) NtDuplicateObject(serverHandle, remoteFileHandle, NULL, NULL, 0, 0, DUPLICATE_CLOSE_SOURCE); NtClose(serverHandle); } return status; } NTSTATUS PhSvcCallQueryProcessHeapInformation( _In_ HANDLE ProcessId, _Out_ PPH_STRING* HeapInformation ) { NTSTATUS status; PHSVC_API_MSG m; ULONG bufferSize; PVOID buffer; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; memset(&m, 0, sizeof(PHSVC_API_MSG)); m.p.ApiNumber = PhSvcQueryProcessDebugInformationApiNumber; m.p.u.QueryProcessHeap.i.ProcessId = HandleToUlong(ProcessId); bufferSize = 0x1000; if (!(buffer = PhSvcpCreateString(NULL, bufferSize, &m.p.u.QueryProcessHeap.i.Data))) return STATUS_FAIL_CHECK; status = PhSvcpCallServer(&m); if (status == STATUS_BUFFER_OVERFLOW) { PhSvcpFreeHeap(buffer); bufferSize = m.p.u.QueryProcessHeap.o.DataLength; if (!(buffer = PhSvcpCreateString(NULL, bufferSize, &m.p.u.QueryProcessHeap.i.Data))) return STATUS_FAIL_CHECK; status = PhSvcpCallServer(&m); } if (NT_SUCCESS(status)) { if (HeapInformation) *HeapInformation = PhCreateStringEx(buffer, m.p.u.QueryProcessHeap.o.DataLength); } PhSvcpFreeHeap(buffer); return status; } NTSTATUS PhSvcCallCreateProcessForKsi( _In_ PCWSTR CommandLine, _In_ ULONG64 MitigationFlags[2] ) { NTSTATUS status; PHSVC_API_MSG m; PVOID commandLine; if (!PhSvcClPortHandle) return STATUS_PORT_DISCONNECTED; memset(&m, 0, sizeof(PHSVC_API_MSG)); m.p.ApiNumber = PhSvcCreateProcessForKsi; if (!(commandLine = PhSvcpCreateString(CommandLine, SIZE_MAX, &m.p.u.CreateProcessForKsi.i.CommandLine))) return STATUS_NO_MEMORY; m.p.u.CreateProcessForKsi.i.MitigationFlags[0] = MitigationFlags[0]; m.p.u.CreateProcessForKsi.i.MitigationFlags[1] = MitigationFlags[1]; status = PhSvcpCallServer(&m); PhSvcpFreeHeap(commandLine); return status; } ================================================ FILE: SystemInformer/phsvc/svcapi.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2015 * dmex 2019-2023 * */ #include #include #include #include #include #include #include #include #include #include #include typedef struct _PHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS { PPH_STRING UserName; PPH_STRING Password; PPH_STRING CurrentDirectory; PPH_STRING CommandLine; PPH_STRING FileName; PPH_STRING DesktopName; PPH_STRING ServiceName; } PHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS, *PPHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS; static CONST PPHSVC_API_PROCEDURE PhSvcApiCallTable[] = { PhSvcApiPlugin, PhSvcApiExecuteRunAsCommand, PhSvcApiUnloadDriver, PhSvcApiControlProcess, PhSvcApiControlService, PhSvcApiCreateService, PhSvcApiChangeServiceConfig, PhSvcApiChangeServiceConfig2, PhSvcApiSetTcpEntry, PhSvcApiControlThread, PhSvcApiAddAccountRight, PhSvcApiInvokeRunAsService, PhSvcApiIssueMemoryListCommand, PhSvcApiPostMessage, PhSvcApiSendMessage, PhSvcApiCreateProcessIgnoreIfeoDebugger, PhSvcApiSetServiceSecurity, PhSvcApiWriteMiniDumpProcess, PhSvcApiQueryProcessHeapInformation, PhSvcApiCreateProcessForKsi, }; static_assert(RTL_NUMBER_OF(PhSvcApiCallTable) == PhSvcMaximumApiNumber - 1, "SvcApiCallTable must equal MaximumApiNumber"); NTSTATUS PhSvcApiInitialization( VOID ) { return STATUS_SUCCESS; } VOID PhSvcDispatchApiCall( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload, _Out_ PHANDLE ReplyPortHandle ) { NTSTATUS status; if ( Payload->ApiNumber == 0 || (ULONG)Payload->ApiNumber >= (ULONG)PhSvcMaximumApiNumber || !PhSvcApiCallTable[Payload->ApiNumber - 1] ) { Payload->ReturnStatus = STATUS_INVALID_SYSTEM_SERVICE; *ReplyPortHandle = Client->PortHandle; return; } status = PhSvcApiCallTable[Payload->ApiNumber - 1](Client, Payload); Payload->ReturnStatus = status; *ReplyPortHandle = Client->PortHandle; } PVOID PhSvcValidateString( _In_ PPH_RELATIVE_STRINGREF String, _In_ ULONG Alignment ) { PPHSVC_CLIENT client = PhSvcGetCurrentClient(); PVOID address; address = PTR_ADD_OFFSET(client->ClientViewBase, String->Offset); if ((ULONG_PTR)address + String->Length < (ULONG_PTR)address || (ULONG_PTR)address < (ULONG_PTR)client->ClientViewBase || (ULONG_PTR)address + String->Length > (ULONG_PTR)client->ClientViewLimit) { return NULL; } if ((ULONG_PTR)address & (Alignment - 1)) { return NULL; } return address; } _Function_class_(PHSVC_SERVER_PROBE_BUFFER) NTSTATUS PhSvcProbeBuffer( _In_ PPH_RELATIVE_STRINGREF String, _In_ ULONG Alignment, _In_ BOOLEAN AllowNull, _Out_ PVOID *Pointer ) { PVOID address; if (String->Offset != 0) { address = PhSvcValidateString(String, Alignment); if (!address) return STATUS_ACCESS_VIOLATION; *Pointer = address; } else { if (!AllowNull) return STATUS_ACCESS_VIOLATION; *Pointer = NULL; } return STATUS_SUCCESS; } _Function_class_(PHSVC_SERVER_CAPTURE_BUFFER) NTSTATUS PhSvcCaptureBuffer( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PVOID *CapturedBuffer ) { PVOID address; PVOID buffer; if (String->Offset != 0) { address = PhSvcValidateString(String, 1); if (!address) return STATUS_ACCESS_VIOLATION; buffer = PhAllocateSafe(String->Length); if (!buffer) return STATUS_NO_MEMORY; memcpy(buffer, address, String->Length); *CapturedBuffer = buffer; } else { if (!AllowNull) return STATUS_ACCESS_VIOLATION; *CapturedBuffer = NULL; } return STATUS_SUCCESS; } NTSTATUS PhSvcCaptureString( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PPH_STRING *CapturedString ) { PVOID address; if (String->Length & 1) return STATUS_INVALID_BUFFER_SIZE; if (String->Length > 0xfffe) return STATUS_INVALID_BUFFER_SIZE; if (String->Offset != 0) { address = PhSvcValidateString(String, sizeof(WCHAR)); if (!address) return STATUS_ACCESS_VIOLATION; if (String->Length != 0) *CapturedString = PhCreateStringEx(address, String->Length); else *CapturedString = PhReferenceEmptyString(); } else { if (!AllowNull) return STATUS_ACCESS_VIOLATION; *CapturedString = NULL; } return STATUS_SUCCESS; } NTSTATUS PhSvcCaptureSid( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _Out_ PSID *CapturedSid ) { NTSTATUS status; PSID sid; if (!NT_SUCCESS(status = PhSvcCaptureBuffer(String, AllowNull, &sid))) return status; if (sid) { if (String->Length < UFIELD_OFFSET(struct _SID, IdentifierAuthority) || String->Length < PhLengthRequiredSid(((struct _SID *)sid)->SubAuthorityCount) || !PhValidSid(sid)) { PhFree(sid); return STATUS_INVALID_SID; } *CapturedSid = sid; } else { *CapturedSid = NULL; } return STATUS_SUCCESS; } NTSTATUS PhSvcCaptureSecurityDescriptor( _In_ PPH_RELATIVE_STRINGREF String, _In_ BOOLEAN AllowNull, _In_ SECURITY_INFORMATION RequiredInformation, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor ) { NTSTATUS status; PSECURITY_DESCRIPTOR securityDescriptor; ULONG bufferSize; if (!NT_SUCCESS(status = PhSvcCaptureBuffer(String, AllowNull, &securityDescriptor))) return status; if (securityDescriptor) { if (!RtlValidRelativeSecurityDescriptor(securityDescriptor, String->Length, RequiredInformation)) { PhFree(securityDescriptor); return STATUS_INVALID_SECURITY_DESCR; } bufferSize = String->Length; status = RtlSelfRelativeToAbsoluteSD2(securityDescriptor, &bufferSize); if (status == STATUS_BUFFER_TOO_SMALL) { PVOID newBuffer; newBuffer = PhAllocate(bufferSize); memcpy(newBuffer, securityDescriptor, String->Length); PhFree(securityDescriptor); securityDescriptor = newBuffer; status = RtlSelfRelativeToAbsoluteSD2(securityDescriptor, &bufferSize); } if (!NT_SUCCESS(status)) { PhFree(securityDescriptor); return status; } *CapturedSecurityDescriptor = securityDescriptor; } else { *CapturedSecurityDescriptor = NULL; } return STATUS_SUCCESS; } NTSTATUS PhSvcApiDefault( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { return STATUS_NOT_IMPLEMENTED; } _Function_class_(PHSVC_API_PROCEDURE) NTSTATUS PhSvcApiPlugin( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING apiId; PPH_PLUGIN plugin; PH_STRINGREF pluginName; PH_PLUGIN_PHSVC_REQUEST request; if (NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.Plugin.i.ApiId, FALSE, &apiId))) { PH_AUTO(apiId); if (PhPluginsEnabled && PhEmParseCompoundId(&apiId->sr, &pluginName, &request.SubId) && (plugin = PhFindPlugin2(&pluginName))) { request.ReturnStatus = STATUS_NOT_IMPLEMENTED; request.InBuffer = Payload->u.Plugin.i.Data; request.InLength = sizeof(Payload->u.Plugin.i.Data); request.OutBuffer = Payload->u.Plugin.o.Data; request.OutLength = sizeof(Payload->u.Plugin.o.Data); request.ProbeBuffer = PhSvcProbeBuffer; request.CaptureBuffer = PhSvcCaptureBuffer; request.CaptureString = PhSvcCaptureString; PhInvokeCallback(PhGetPluginCallback(plugin, PluginCallbackPhSvcRequest), &request); status = request.ReturnStatus; } else { status = STATUS_NOT_FOUND; } } return status; } NTSTATUS PhSvcpCaptureRunAsServiceParameters( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload, _Out_ PPH_RUNAS_SERVICE_PARAMETERS Parameters, _Out_ PPHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS CapturedParameters ) { NTSTATUS status; memset(CapturedParameters, 0, sizeof(PHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS)); if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ExecuteRunAsCommand.i.UserName, TRUE, &CapturedParameters->UserName))) return status; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ExecuteRunAsCommand.i.Password, TRUE, &CapturedParameters->Password))) return status; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ExecuteRunAsCommand.i.CurrentDirectory, TRUE, &CapturedParameters->CurrentDirectory))) return status; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ExecuteRunAsCommand.i.CommandLine, TRUE, &CapturedParameters->CommandLine))) return status; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ExecuteRunAsCommand.i.FileName, TRUE, &CapturedParameters->FileName))) return status; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ExecuteRunAsCommand.i.DesktopName, TRUE, &CapturedParameters->DesktopName))) return status; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ExecuteRunAsCommand.i.ServiceName, TRUE, &CapturedParameters->ServiceName))) return status; Parameters->ProcessId = Payload->u.ExecuteRunAsCommand.i.ProcessId; Parameters->UserName = PhGetString(CapturedParameters->UserName); Parameters->Password = PhGetString(CapturedParameters->Password); Parameters->LogonType = Payload->u.ExecuteRunAsCommand.i.LogonType; Parameters->SessionId = Payload->u.ExecuteRunAsCommand.i.SessionId; Parameters->CurrentDirectory = PhGetString(CapturedParameters->CurrentDirectory); Parameters->CommandLine = PhGetString(CapturedParameters->CommandLine); Parameters->FileName = PhGetString(CapturedParameters->FileName); Parameters->DesktopName = PhGetString(CapturedParameters->DesktopName); Parameters->UseLinkedToken = Payload->u.ExecuteRunAsCommand.i.UseLinkedToken; Parameters->ServiceName = PhGetString(CapturedParameters->ServiceName); Parameters->CreateSuspendedProcess = Payload->u.ExecuteRunAsCommand.i.CreateSuspendedProcess; Parameters->CreateUIAccessProcess = Payload->u.ExecuteRunAsCommand.i.CreateUIAccessProcess; Parameters->WindowHandle = Payload->u.ExecuteRunAsCommand.i.WindowHandle; return status; } VOID PhSvcpReleaseRunAsServiceParameters( _In_ PPHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS CapturedParameters ) { if (CapturedParameters->UserName) PhDereferenceObject(CapturedParameters->UserName); if (CapturedParameters->Password) { RtlSecureZeroMemory(CapturedParameters->Password->Buffer, CapturedParameters->Password->Length); PhDereferenceObject(CapturedParameters->Password); } if (CapturedParameters->CurrentDirectory) PhDereferenceObject(CapturedParameters->CurrentDirectory); if (CapturedParameters->CommandLine) PhDereferenceObject(CapturedParameters->CommandLine); if (CapturedParameters->FileName) PhDereferenceObject(CapturedParameters->FileName); if (CapturedParameters->DesktopName) PhDereferenceObject(CapturedParameters->DesktopName); if (CapturedParameters->ServiceName) PhDereferenceObject(CapturedParameters->ServiceName); } NTSTATUS PhSvcpValidateRunAsServiceParameters( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ) { if ((!Parameters->UserName || !Parameters->Password) && !Parameters->ProcessId) return STATUS_INVALID_PARAMETER_MIX; if (!Parameters->FileName && !Parameters->CommandLine) return STATUS_INVALID_PARAMETER_MIX; if (!Parameters->ServiceName) return STATUS_INVALID_PARAMETER; return STATUS_SUCCESS; } NTSTATUS PhSvcApiExecuteRunAsCommand( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PH_RUNAS_SERVICE_PARAMETERS parameters; PHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS capturedParameters; if (NT_SUCCESS(status = PhSvcpCaptureRunAsServiceParameters(Client, Payload, ¶meters, &capturedParameters))) { if (NT_SUCCESS(status = PhSvcpValidateRunAsServiceParameters(¶meters))) { status = PhExecuteRunAsCommand(¶meters); } } PhSvcpReleaseRunAsServiceParameters(&capturedParameters); return status; } NTSTATUS PhSvcApiUnloadDriver( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING name; PPH_STRING file; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.UnloadDriver.i.Name, TRUE, &name))) return status; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.UnloadDriver.i.FileName, TRUE, &file))) return status; if (!(PhIsNullOrEmptyString(name) && PhIsNullOrEmptyString(file))) { status = PhUnloadDriver(Payload->u.UnloadDriver.i.BaseAddress, &name->sr, &file->sr); } else { status = STATUS_DATA_ERROR; } PhClearReference(&name); PhClearReference(&file); return status; } NTSTATUS PhSvcApiControlProcess( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; HANDLE processId; HANDLE processHandle; processId = Payload->u.ControlProcess.i.ProcessId; switch (Payload->u.ControlProcess.i.Command) { case PhSvcControlProcessTerminate: if (NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_TERMINATE, processId))) { status = PhTerminateProcess(processHandle, 1); // see notes in PhUiTerminateProcesses if (status == STATUS_SUCCESS || status == STATUS_PROCESS_IS_TERMINATING) PhTerminateProcess(processHandle, DBG_TERMINATE_PROCESS); // debug terminate (dmex) NtClose(processHandle); } break; case PhSvcControlProcessSuspend: if (NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_SUSPEND_RESUME, processId))) { status = NtSuspendProcess(processHandle); NtClose(processHandle); } break; case PhSvcControlProcessResume: if (NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_SUSPEND_RESUME, processId))) { status = NtResumeProcess(processHandle); NtClose(processHandle); } break; case PhSvcControlProcessPriority: if (processId != SYSTEM_PROCESS_ID) { if (NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_SET_INFORMATION, processId))) { UCHAR priorityClass; priorityClass = (UCHAR)Payload->u.ControlProcess.i.Argument; status = PhSetProcessPriorityClass(processHandle, priorityClass); NtClose(processHandle); } } else { status = STATUS_UNSUCCESSFUL; } break; case PhSvcControlProcessIoPriority: if (processId != SYSTEM_PROCESS_ID) { if (NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_SET_INFORMATION, processId))) { status = PhSetProcessIoPriority(processHandle, Payload->u.ControlProcess.i.Argument); NtClose(processHandle); } } else { status = STATUS_UNSUCCESSFUL; } break; default: status = STATUS_INVALID_PARAMETER; break; } return status; } NTSTATUS PhSvcApiControlService( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING serviceName; SC_HANDLE serviceHandle; if (NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ControlService.i.ServiceName, FALSE, &serviceName))) { switch (Payload->u.ControlService.i.Command) { case PhSvcControlServiceStart: { if (NT_SUCCESS(status = PhOpenService( &serviceHandle, SERVICE_START, PhGetString(serviceName) ))) { status = PhStartService(serviceHandle, 0, NULL); PhCloseServiceHandle(serviceHandle); } } break; case PhSvcControlServiceContinue: { if (NT_SUCCESS(status = PhOpenService( &serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(serviceName) ))) { status = PhContinueService(serviceHandle); PhCloseServiceHandle(serviceHandle); } } break; case PhSvcControlServicePause: { if (NT_SUCCESS(status = PhOpenService( &serviceHandle, SERVICE_PAUSE_CONTINUE, PhGetString(serviceName) ))) { status = PhPauseService(serviceHandle); PhCloseServiceHandle(serviceHandle); } } break; case PhSvcControlServiceStop: { if (NT_SUCCESS(status = PhOpenService( &serviceHandle, SERVICE_STOP, PhGetString(serviceName) ))) { status = PhStopService(serviceHandle); PhCloseServiceHandle(serviceHandle); } } break; case PhSvcControlServiceDelete: { if (NT_SUCCESS(status = PhOpenService( &serviceHandle, DELETE, PhGetString(serviceName) ))) { status = PhDeleteService(serviceHandle); PhCloseServiceHandle(serviceHandle); } } break; case PhSvcControlServiceRestart: { if (NT_SUCCESS(status = PhOpenService( &serviceHandle, SERVICE_QUERY_STATUS | SERVICE_STOP | SERVICE_START, PhGetString(serviceName) ))) { status = PhStopService(serviceHandle); if (NT_SUCCESS(status)) { status = PhWaitForServiceStatus( serviceHandle, SERVICE_STOPPED, 60 * 1000 ); if (NT_SUCCESS(status)) { status = PhStartService( serviceHandle, 0, NULL ); if (NT_SUCCESS(status)) { status = PhWaitForServiceStatus( serviceHandle, SERVICE_RUNNING, 60 * 1000 ); } } } PhCloseServiceHandle(serviceHandle); } } break; default: status = STATUS_INVALID_PARAMETER; break; } PhDereferenceObject(serviceName); } return status; } NTSTATUS PhSvcApiCreateService( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING serviceName = NULL; PPH_STRING displayName = NULL; PPH_STRING binaryPathName = NULL; PPH_STRING loadOrderGroup = NULL; PPH_STRING dependencies = NULL; PPH_STRING serviceStartName = NULL; PPH_STRING password = NULL; ULONG tagId = 0; SC_HANDLE scManagerHandle; SC_HANDLE serviceHandle; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateService.i.ServiceName, FALSE, &serviceName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateService.i.DisplayName, TRUE, &displayName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateService.i.BinaryPathName, TRUE, &binaryPathName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateService.i.LoadOrderGroup, TRUE, &loadOrderGroup))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateService.i.Dependencies, TRUE, &dependencies))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateService.i.ServiceStartName, TRUE, &serviceStartName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateService.i.Password, TRUE, &password))) goto CleanupExit; if (scManagerHandle = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)) { if (serviceHandle = CreateService( scManagerHandle, serviceName->Buffer, PhGetString(displayName), SERVICE_CHANGE_CONFIG, Payload->u.CreateService.i.ServiceType, Payload->u.CreateService.i.StartType, Payload->u.CreateService.i.ErrorControl, PhGetString(binaryPathName), PhGetString(loadOrderGroup), Payload->u.CreateService.i.TagIdSpecified ? &tagId : NULL, PhGetString(dependencies), PhGetString(serviceStartName), PhGetString(password) )) { Payload->u.CreateService.o.TagId = tagId; PhCloseServiceHandle(serviceHandle); } else { status = PhGetLastWin32ErrorAsNtStatus(); } PhCloseServiceHandle(scManagerHandle); } else { status = PhGetLastWin32ErrorAsNtStatus(); } CleanupExit: if (password) { RtlSecureZeroMemory(password->Buffer, password->Length); PhDereferenceObject(password); } PhClearReference(&serviceStartName); PhClearReference(&dependencies); PhClearReference(&loadOrderGroup); PhClearReference(&binaryPathName); PhClearReference(&displayName); PhClearReference(&serviceName); return status; } NTSTATUS PhSvcApiChangeServiceConfig( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING serviceName = NULL; PPH_STRING binaryPathName = NULL; PPH_STRING loadOrderGroup = NULL; PPH_STRING dependencies = NULL; PPH_STRING serviceStartName = NULL; PPH_STRING password = NULL; PPH_STRING displayName = NULL; ULONG tagId = 0; SC_HANDLE serviceHandle; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig.i.ServiceName, FALSE, &serviceName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig.i.BinaryPathName, TRUE, &binaryPathName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig.i.LoadOrderGroup, TRUE, &loadOrderGroup))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig.i.Dependencies, TRUE, &dependencies))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig.i.ServiceStartName, TRUE, &serviceStartName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig.i.Password, TRUE, &password))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig.i.DisplayName, TRUE, &displayName))) goto CleanupExit; status = PhOpenService(&serviceHandle, SERVICE_CHANGE_CONFIG, PhGetString(serviceName)); if (NT_SUCCESS(status)) { status = PhChangeServiceConfig( serviceHandle, Payload->u.ChangeServiceConfig.i.ServiceType, Payload->u.ChangeServiceConfig.i.StartType, Payload->u.ChangeServiceConfig.i.ErrorControl, PhGetString(binaryPathName), PhGetString(loadOrderGroup), Payload->u.ChangeServiceConfig.i.TagIdSpecified ? &tagId : NULL, PhGetString(dependencies), PhGetString(serviceStartName), PhGetString(password), PhGetString(displayName) ); if (NT_SUCCESS(status)) { Payload->u.ChangeServiceConfig.o.TagId = tagId; } PhCloseServiceHandle(serviceHandle); } CleanupExit: PhClearReference(&displayName); if (password) { RtlSecureZeroMemory(password->Buffer, password->Length); PhDereferenceObject(password); } PhClearReference(&serviceStartName); PhClearReference(&dependencies); PhClearReference(&loadOrderGroup); PhClearReference(&binaryPathName); PhClearReference(&serviceName); return status; } NTSTATUS PhSvcpUnpackRoot( _In_ PPH_RELATIVE_STRINGREF PackedData, _In_ PVOID CapturedBuffer, _In_ SIZE_T Length, _Out_ PVOID *ValidatedBuffer ) { if (Length > PackedData->Length) return STATUS_ACCESS_VIOLATION; *ValidatedBuffer = CapturedBuffer; return STATUS_SUCCESS; } NTSTATUS PhSvcpUnpackBuffer( _In_ PPH_RELATIVE_STRINGREF PackedData, _In_ PVOID CapturedBuffer, _In_ PVOID *OffsetInBuffer, _In_ SIZE_T Length, _In_ ULONG Alignment, _In_ BOOLEAN AllowNull ) { SIZE_T offset; offset = (SIZE_T)*OffsetInBuffer; if (offset == 0) { if (AllowNull) return STATUS_SUCCESS; else return STATUS_ACCESS_VIOLATION; } if (offset + Length < offset) return STATUS_ACCESS_VIOLATION; if (offset + Length > PackedData->Length) return STATUS_ACCESS_VIOLATION; if (offset & (Alignment - 1)) return STATUS_DATATYPE_MISALIGNMENT; *OffsetInBuffer = PTR_ADD_OFFSET(CapturedBuffer, offset); return STATUS_SUCCESS; } NTSTATUS PhSvcpUnpackStringZ( _In_ PPH_RELATIVE_STRINGREF PackedData, _In_ PVOID CapturedBuffer, _In_ PVOID *OffsetInBuffer, _In_ BOOLEAN Multi, _In_ BOOLEAN AllowNull ) { SIZE_T offset; PWCHAR start; PWCHAR end; PH_STRINGREF remainingPart; PH_STRINGREF firstPart; offset = (SIZE_T)*OffsetInBuffer; if (offset == 0) { if (AllowNull) return STATUS_SUCCESS; else return STATUS_ACCESS_VIOLATION; } if (offset >= PackedData->Length) return STATUS_ACCESS_VIOLATION; if (offset & 1) return STATUS_DATATYPE_MISALIGNMENT; start = (PWCHAR)PTR_ADD_OFFSET(CapturedBuffer, offset); end = (PWCHAR)PTR_ADD_OFFSET(CapturedBuffer, (PackedData->Length & -2)); remainingPart.Buffer = start; remainingPart.Length = (end - start) * sizeof(WCHAR); if (Multi) { SIZE_T validatedLength = 0; while (PhSplitStringRefAtChar(&remainingPart, UNICODE_NULL, &firstPart, &remainingPart)) { validatedLength += firstPart.Length + sizeof(WCHAR); if (firstPart.Length == 0) { *OffsetInBuffer = start; return STATUS_SUCCESS; } } } else { if (PhSplitStringRefAtChar(&remainingPart, UNICODE_NULL, &firstPart, &remainingPart)) { *OffsetInBuffer = start; return STATUS_SUCCESS; } } return STATUS_ACCESS_VIOLATION; } NTSTATUS PhSvcApiChangeServiceConfig2( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING serviceName = NULL; PVOID info = NULL; SC_HANDLE serviceHandle; PH_RELATIVE_STRINGREF packedData; PVOID unpackedInfo = NULL; ACCESS_MASK desiredAccess = SERVICE_CHANGE_CONFIG; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.ChangeServiceConfig2.i.ServiceName, FALSE, &serviceName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureBuffer(&Payload->u.ChangeServiceConfig2.i.Info, FALSE, &info))) goto CleanupExit; packedData = Payload->u.ChangeServiceConfig2.i.Info; switch (Payload->u.ChangeServiceConfig2.i.InfoLevel) { case SERVICE_CONFIG_FAILURE_ACTIONS: { LPSERVICE_FAILURE_ACTIONS failureActions; if (!NT_SUCCESS(status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_FAILURE_ACTIONS), &failureActions))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcpUnpackStringZ(&packedData, info, &failureActions->lpRebootMsg, FALSE, TRUE))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcpUnpackStringZ(&packedData, info, &failureActions->lpCommand, FALSE, TRUE))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcpUnpackBuffer(&packedData, info, &failureActions->lpsaActions, failureActions->cActions * sizeof(SC_ACTION), __alignof(SC_ACTION), TRUE))) goto CleanupExit; if (failureActions->lpsaActions) { ULONG i; for (i = 0; i < failureActions->cActions; i++) { if (failureActions->lpsaActions[i].Type == SC_ACTION_RESTART) { desiredAccess |= SERVICE_START; break; } } } unpackedInfo = failureActions; } break; case SERVICE_CONFIG_DELAYED_AUTO_START_INFO: status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_DELAYED_AUTO_START_INFO), &unpackedInfo); break; case SERVICE_CONFIG_FAILURE_ACTIONS_FLAG: status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_FAILURE_ACTIONS_FLAG), &unpackedInfo); break; case SERVICE_CONFIG_SERVICE_SID_INFO: status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_SID_INFO), &unpackedInfo); break; case SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO: { LPSERVICE_REQUIRED_PRIVILEGES_INFO requiredPrivilegesInfo; if (!NT_SUCCESS(status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_REQUIRED_PRIVILEGES_INFO), &requiredPrivilegesInfo))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcpUnpackStringZ(&packedData, info, &requiredPrivilegesInfo->pmszRequiredPrivileges, TRUE, FALSE))) goto CleanupExit; unpackedInfo = requiredPrivilegesInfo; } break; case SERVICE_CONFIG_PRESHUTDOWN_INFO: status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_PRESHUTDOWN_INFO), &unpackedInfo); break; case SERVICE_CONFIG_TRIGGER_INFO: { PSERVICE_TRIGGER_INFO triggerInfo; ULONG i; PSERVICE_TRIGGER trigger; ULONG j; PSERVICE_TRIGGER_SPECIFIC_DATA_ITEM dataItem; ULONG alignment; if (!NT_SUCCESS(status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_TRIGGER_INFO), &triggerInfo))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcpUnpackBuffer(&packedData, info, &triggerInfo->pTriggers, triggerInfo->cTriggers * sizeof(SERVICE_TRIGGER), __alignof(SERVICE_TRIGGER), TRUE))) goto CleanupExit; if (triggerInfo->pTriggers) { for (i = 0; i < triggerInfo->cTriggers; i++) { trigger = &triggerInfo->pTriggers[i]; if (!NT_SUCCESS(status = PhSvcpUnpackBuffer(&packedData, info, &trigger->pTriggerSubtype, sizeof(GUID), __alignof(GUID), TRUE))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcpUnpackBuffer(&packedData, info, &trigger->pDataItems, trigger->cDataItems * sizeof(SERVICE_TRIGGER_SPECIFIC_DATA_ITEM), __alignof(SERVICE_TRIGGER_SPECIFIC_DATA_ITEM), TRUE))) goto CleanupExit; if (trigger->pDataItems) { for (j = 0; j < trigger->cDataItems; j++) { dataItem = &trigger->pDataItems[j]; alignment = 1; switch (dataItem->dwDataType) { case SERVICE_TRIGGER_DATA_TYPE_BINARY: case SERVICE_TRIGGER_DATA_TYPE_LEVEL: alignment = sizeof(CHAR); break; case SERVICE_TRIGGER_DATA_TYPE_STRING: alignment = sizeof(WCHAR); break; case SERVICE_TRIGGER_DATA_TYPE_KEYWORD_ANY: case SERVICE_TRIGGER_DATA_TYPE_KEYWORD_ALL: alignment = sizeof(ULONG64); break; } if (!NT_SUCCESS(status = PhSvcpUnpackBuffer(&packedData, info, &dataItem->pData, dataItem->cbData, alignment, FALSE))) goto CleanupExit; } } } } unpackedInfo = triggerInfo; } break; case SERVICE_CONFIG_LAUNCH_PROTECTED: status = PhSvcpUnpackRoot(&packedData, info, sizeof(SERVICE_LAUNCH_PROTECTED_INFO), &unpackedInfo); break; default: status = STATUS_INVALID_PARAMETER; break; } if (NT_SUCCESS(status)) { assert(unpackedInfo); status = PhOpenService(&serviceHandle, desiredAccess, PhGetString(serviceName)); if (NT_SUCCESS(status)) { status = PhChangeServiceConfig2( serviceHandle, Payload->u.ChangeServiceConfig2.i.InfoLevel, unpackedInfo ); PhCloseServiceHandle(serviceHandle); } } CleanupExit: if (info) PhFree(info); if (serviceName) PhDereferenceObject(serviceName); return status; } NTSTATUS PhSvcApiSetTcpEntry( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { static PVOID setTcpEntry = NULL; ULONG (__stdcall *localSetTcpEntry)(PVOID TcpRow); struct { ULONG dwState; ULONG dwLocalAddr; ULONG dwLocalPort; ULONG dwRemoteAddr; ULONG dwRemotePort; } tcpRow; ULONG result; localSetTcpEntry = ReadPointerAcquire(&setTcpEntry); if (!localSetTcpEntry) { PVOID iphlpapiModule; iphlpapiModule = PhLoadLibrary(L"iphlpapi.dll"); if (iphlpapiModule) { localSetTcpEntry = PhGetDllBaseProcedureAddress(iphlpapiModule, "SetTcpEntry", 0); if (localSetTcpEntry) { if (_InterlockedExchangePointer(&setTcpEntry, localSetTcpEntry) != NULL) { // Another thread got the address of SetTcpEntry already. // Decrement the reference count of iphlpapi.dll. PhFreeLibrary(iphlpapiModule); } } } } if (!localSetTcpEntry) return STATUS_NOT_SUPPORTED; tcpRow.dwState = Payload->u.SetTcpEntry.i.State; tcpRow.dwLocalAddr = Payload->u.SetTcpEntry.i.LocalAddress; tcpRow.dwLocalPort = Payload->u.SetTcpEntry.i.LocalPort; tcpRow.dwRemoteAddr = Payload->u.SetTcpEntry.i.RemoteAddress; tcpRow.dwRemotePort = Payload->u.SetTcpEntry.i.RemotePort; result = localSetTcpEntry(&tcpRow); return PhDosErrorToNtStatus(result); } NTSTATUS PhSvcApiControlThread( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; HANDLE threadId; HANDLE threadHandle; threadId = Payload->u.ControlThread.i.ThreadId; switch (Payload->u.ControlThread.i.Command) { case PhSvcControlThreadTerminate: if (NT_SUCCESS(status = PhOpenThread(&threadHandle, THREAD_TERMINATE, threadId))) { status = PhTerminateThread(threadHandle, STATUS_SUCCESS); NtClose(threadHandle); } break; case PhSvcControlThreadSuspend: if (NT_SUCCESS(status = PhOpenThread(&threadHandle, THREAD_SUSPEND_RESUME, threadId))) { status = NtSuspendThread(threadHandle, NULL); NtClose(threadHandle); } break; case PhSvcControlThreadResume: if (NT_SUCCESS(status = PhOpenThread(&threadHandle, THREAD_SUSPEND_RESUME, threadId))) { status = NtResumeThread(threadHandle, NULL); NtClose(threadHandle); } break; case PhSvcControlThreadIoPriority: if (NT_SUCCESS(status = PhOpenThread(&threadHandle, THREAD_SET_INFORMATION, threadId))) { status = PhSetThreadIoPriority(threadHandle, Payload->u.ControlThread.i.Argument); NtClose(threadHandle); } break; default: status = STATUS_INVALID_PARAMETER; break; } return status; } NTSTATUS PhSvcApiAddAccountRight( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PSID accountSid; PPH_STRING userRight; LSA_HANDLE policyHandle; UNICODE_STRING userRightUs; if (NT_SUCCESS(status = PhSvcCaptureSid(&Payload->u.AddAccountRight.i.AccountSid, FALSE, &accountSid))) { if (NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.AddAccountRight.i.UserRight, FALSE, &userRight))) { PH_AUTO(userRight); if (NT_SUCCESS(status = PhOpenLsaPolicy(&policyHandle, POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT, NULL))) { PhStringRefToUnicodeString(&userRight->sr, &userRightUs); status = LsaAddAccountRights(policyHandle, accountSid, &userRightUs, 1); LsaClose(policyHandle); } } PhFree(accountSid); } return status; } NTSTATUS PhSvcApiInvokeRunAsService( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PH_RUNAS_SERVICE_PARAMETERS parameters; PHSVCP_CAPTURED_RUNAS_SERVICE_PARAMETERS capturedParameters; if (NT_SUCCESS(status = PhSvcpCaptureRunAsServiceParameters(Client, Payload, ¶meters, &capturedParameters))) { if (NT_SUCCESS(status = PhSvcpValidateRunAsServiceParameters(¶meters))) { status = PhInvokeRunAsService(¶meters); } } PhSvcpReleaseRunAsServiceParameters(&capturedParameters); return status; } NTSTATUS PhSvcApiIssueMemoryListCommand( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; status = NtSetSystemInformation( SystemMemoryListInformation, &Payload->u.IssueMemoryListCommand.i.Command, sizeof(SYSTEM_MEMORY_LIST_COMMAND) ); return status; } NTSTATUS PhSvcApiPostMessage( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { if (PostMessage( Payload->u.PostMessage.i.hWnd, Payload->u.PostMessage.i.Msg, Payload->u.PostMessage.i.wParam, Payload->u.PostMessage.i.lParam )) { return STATUS_SUCCESS; } else { return PhGetLastWin32ErrorAsNtStatus(); } } NTSTATUS PhSvcApiSendMessage( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { ULONG_PTR result = 0; if (PhSendMessageTimeout( Payload->u.PostMessage.i.hWnd, Payload->u.PostMessage.i.Msg, Payload->u.PostMessage.i.wParam, Payload->u.PostMessage.i.lParam, 5000, &result ) && result > 0) { return STATUS_SUCCESS; } else { return STATUS_UNSUCCESSFUL; } } NTSTATUS PhSvcApiCreateProcessIgnoreIfeoDebugger( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING fileName = NULL; PPH_STRING commandLine = NULL; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateProcessIgnoreIfeoDebugger.i.FileName, FALSE, &fileName))) goto CleanupExit; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateProcessIgnoreIfeoDebugger.i.CommandLine, TRUE, &commandLine))) goto CleanupExit; if (!PhCreateProcessIgnoreIfeoDebugger(PhGetString(fileName), PhGetString(commandLine))) status = STATUS_UNSUCCESSFUL; CleanupExit: if (fileName) PhDereferenceObject(fileName); if (commandLine) PhDereferenceObject(commandLine); return status; } NTSTATUS PhSvcApiSetServiceSecurity( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING serviceName; PSECURITY_DESCRIPTOR securityDescriptor; ACCESS_MASK desiredAccess; SC_HANDLE serviceHandle; if (NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.SetServiceSecurity.i.ServiceName, FALSE, &serviceName))) { PH_AUTO(serviceName); if (NT_SUCCESS(status = PhSvcCaptureSecurityDescriptor(&Payload->u.SetServiceSecurity.i.SecurityDescriptor, FALSE, 0, &securityDescriptor))) { desiredAccess = 0; if ((Payload->u.SetServiceSecurity.i.SecurityInformation & OWNER_SECURITY_INFORMATION) || (Payload->u.SetServiceSecurity.i.SecurityInformation & GROUP_SECURITY_INFORMATION)) { desiredAccess |= WRITE_OWNER; } if (Payload->u.SetServiceSecurity.i.SecurityInformation & DACL_SECURITY_INFORMATION) { desiredAccess |= WRITE_DAC; } if (Payload->u.SetServiceSecurity.i.SecurityInformation & SACL_SECURITY_INFORMATION) { desiredAccess |= ACCESS_SYSTEM_SECURITY; } status = PhOpenService(&serviceHandle, desiredAccess, PhGetString(serviceName)); if (NT_SUCCESS(status)) { status = PhSetSeObjectSecurity( serviceHandle, SE_SERVICE, Payload->u.SetServiceSecurity.i.SecurityInformation, securityDescriptor ); PhCloseServiceHandle(serviceHandle); } PhFree(securityDescriptor); } } return status; } static BOOL CALLBACK PhpProcessMiniDumpCallback( _In_ PVOID CallbackParam, _In_ const PMINIDUMP_CALLBACK_INPUT CallbackInput, _Inout_ PMINIDUMP_CALLBACK_OUTPUT CallbackOutput ) { switch (CallbackInput->CallbackType) { case IsProcessSnapshotCallback: if (CallbackParam) CallbackOutput->Status = S_FALSE; break; case ReadMemoryFailureCallback: CallbackOutput->Status = S_OK; break; } return TRUE; } NTSTATUS PhSvcApiWriteMiniDumpProcess( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { MINIDUMP_CALLBACK_INFORMATION callbackInfo; HANDLE processHandle = UlongToHandle(Payload->u.WriteMiniDumpProcess.i.LocalProcessHandle); ULONG processDumpType = Payload->u.WriteMiniDumpProcess.i.DumpType; HRESULT status = E_UNEXPECTED; HANDLE snapshotHandle = NULL; if (NT_SUCCESS(PhCreateProcessSnapshot(&snapshotHandle, processHandle))) { processDumpType = MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpWithUnloadedModules | MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | MiniDumpIgnoreInaccessibleMemory | MiniDumpWithIptTrace; } memset(&callbackInfo, 0, sizeof(callbackInfo)); callbackInfo.CallbackRoutine = PhpProcessMiniDumpCallback; callbackInfo.CallbackParam = snapshotHandle; status = PhWriteMiniDumpProcess( snapshotHandle ? snapshotHandle : processHandle, UlongToHandle(Payload->u.WriteMiniDumpProcess.i.ProcessId), UlongToHandle(Payload->u.WriteMiniDumpProcess.i.LocalFileHandle), processDumpType, NULL, NULL, &callbackInfo ); if (HR_SUCCESS(status)) { if (snapshotHandle) { PhFreeProcessSnapshot(snapshotHandle, processHandle); } return STATUS_SUCCESS; } else { if (snapshotHandle) { PhFreeProcessSnapshot(snapshotHandle, processHandle); } if (status == HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER)) return STATUS_INVALID_PARAMETER; else return STATUS_UNSUCCESSFUL; } } NTSTATUS PhSvcApiQueryProcessHeapInformation( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PVOID dataBuffer; PPH_PROCESS_DEBUG_HEAP_INFORMATION heapInfo; PPH_STRING heapInfoHexBuffer; if (!NT_SUCCESS(status = PhSvcProbeBuffer(&Payload->u.QueryProcessHeap.i.Data, sizeof(WCHAR), FALSE, &dataBuffer))) return status; if (!NT_SUCCESS(status = PhQueryProcessHeapInformation(UlongToHandle(Payload->u.QueryProcessHeap.i.ProcessId), &heapInfo))) return status; heapInfoHexBuffer = PhBufferToHexString( (PUCHAR)heapInfo, sizeof(PH_PROCESS_DEBUG_HEAP_INFORMATION) + heapInfo->NumberOfHeaps * sizeof(PH_PROCESS_DEBUG_HEAP_ENTRY) ); if (Payload->u.QueryProcessHeap.i.Data.Length < heapInfoHexBuffer->Length) { status = STATUS_BUFFER_OVERFLOW; goto CleanupExit; } memcpy(dataBuffer, heapInfoHexBuffer->Buffer, min(heapInfoHexBuffer->Length, Payload->u.QueryProcessHeap.i.Data.Length)); Payload->u.QueryProcessHeap.o.DataLength = (ULONG)heapInfoHexBuffer->Length; CleanupExit: if (heapInfoHexBuffer) PhDereferenceObject(heapInfoHexBuffer); if (heapInfo) PhFree(heapInfo); return status; } NTSTATUS PhSvcApiCreateProcessForKsi( _In_ PPHSVC_CLIENT Client, _Inout_ PPHSVC_API_PAYLOAD Payload ) { NTSTATUS status; PPH_STRING commandLine = NULL; PPROC_THREAD_ATTRIBUTE_LIST attributeList = NULL; STARTUPINFOEX startupInfoEx; HANDLE processHandle = NULL; HANDLE tokenHandle = NULL; PVOID environment = NULL; if (!NT_SUCCESS(status = PhSvcCaptureString(&Payload->u.CreateProcessForKsi.i.CommandLine, TRUE, &commandLine))) goto CleanupExit; if (Payload->u.CreateProcessForKsi.i.MitigationFlags[0] || Payload->u.CreateProcessForKsi.i.MitigationFlags[1]) { status = PhInitializeProcThreadAttributeList(&attributeList, 1); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_10_22H2) { status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, Payload->u.CreateProcessForKsi.i.MitigationFlags, sizeof(ULONG64) * 2 ); } else { status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, Payload->u.CreateProcessForKsi.i.MitigationFlags, sizeof(ULONG64) * 1 ); } } memset(&startupInfoEx, 0, sizeof(STARTUPINFOEX)); startupInfoEx.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfoEx.lpAttributeList = attributeList; // ClientId is verified to be System Informer, see: PhSvcHandleConnectionRequest if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Client->ClientId.UniqueProcess ))) goto CleanupExit; if (!NT_SUCCESS(status = PhOpenProcessToken( processHandle, TOKEN_ALL_ACCESS, &tokenHandle ))) goto CleanupExit; if (!NT_SUCCESS(status = PhCreateEnvironmentBlock(&environment, tokenHandle, FALSE))) goto CleanupExit; status = PhCreateProcessWin32Ex( NULL, PhGetString(commandLine), environment, NULL, &startupInfoEx, (PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO | PH_CREATE_PROCESS_UNICODE_ENVIRONMENT), tokenHandle, NULL, NULL, NULL ); CleanupExit: if (environment) PhDestroyEnvironmentBlock(environment); if (tokenHandle) NtClose(tokenHandle); if (processHandle) NtClose(processHandle); if (attributeList) PhDeleteProcThreadAttributeList(attributeList); PhClearReference(&commandLine); return status; } ================================================ FILE: SystemInformer/phsvc/svcapiport.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2015 * dmex 2017-2023 * */ #include #include #include _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhSvcApiRequestThreadStart( _In_ PVOID Parameter ); extern HANDLE PhSvcTimeoutStandbyEventHandle; extern HANDLE PhSvcTimeoutCancelEventHandle; ULONG PhSvcApiThreadContextTlsIndex; HANDLE PhSvcApiPortHandle; volatile LONG PhSvcApiNumberOfClients = 0; NTSTATUS PhSvcApiPortInitialization( _In_ PUNICODE_STRING PortName ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; PSECURITY_DESCRIPTOR securityDescriptor; ULONG sdAllocationLength; PSID administratorsSid; PACL dacl; ULONG i; // Create the API port. administratorsSid = PhSeAdministratorsSid(); sdAllocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH + (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(administratorsSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid((PSID)&PhSeEveryoneSid); securityDescriptor = PhAllocateZero(sdAllocationLength); dacl = (PACL)PTR_ADD_OFFSET(securityDescriptor, SECURITY_DESCRIPTOR_MIN_LENGTH); PhCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION); PhCreateAcl(dacl, sdAllocationLength - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION); PhAddAccessAllowedAce(dacl, ACL_REVISION, PORT_ALL_ACCESS, administratorsSid); PhAddAccessAllowedAce(dacl, ACL_REVISION, PORT_CONNECT, (PSID)&PhSeEveryoneSid); PhSetDaclSecurityDescriptor(securityDescriptor, TRUE, dacl, FALSE); assert(RtlValidSecurityDescriptor(securityDescriptor)); InitializeObjectAttributes( &objectAttributes, PortName, OBJ_CASE_INSENSITIVE, NULL, securityDescriptor ); status = NtCreatePort( &PhSvcApiPortHandle, &objectAttributes, sizeof(PHSVC_API_CONNECTINFO), PhIsExecutingInWow64() ? sizeof(PHSVC_API_MSG64) : sizeof(PHSVC_API_MSG), 0 ); PhFree(securityDescriptor); if (!NT_SUCCESS(status)) return status; // Start the API threads. PhSvcApiThreadContextTlsIndex = PhTlsAlloc(); if (PhSvcApiThreadContextTlsIndex == TLS_OUT_OF_INDEXES) return STATUS_NO_MEMORY; for (i = 0; i < 2; i++) { PhCreateThread2(PhSvcApiRequestThreadStart, NULL); } return status; } PPHSVC_THREAD_CONTEXT PhSvcGetCurrentThreadContext( VOID ) { return (PPHSVC_THREAD_CONTEXT)PhTlsGetValue(PhSvcApiThreadContextTlsIndex); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhSvcApiRequestThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; NTSTATUS status; PHSVC_THREAD_CONTEXT threadContext; HANDLE portHandle; PVOID portContext; SIZE_T messageSize; PPORT_MESSAGE receiveMessage; PPORT_MESSAGE replyMessage; CSHORT messageType; PPHSVC_CLIENT client; PPHSVC_API_PAYLOAD payload; PhInitializeAutoPool(&autoPool); threadContext.CurrentClient = NULL; threadContext.OldClient = NULL; status = PhTlsSetValue(PhSvcApiThreadContextTlsIndex, &threadContext); if (!NT_SUCCESS(status)) { PhDeleteAutoPool(&autoPool); return status; } portHandle = PhSvcApiPortHandle; messageSize = PhIsExecutingInWow64() ? sizeof(PHSVC_API_MSG64) : sizeof(PHSVC_API_MSG); receiveMessage = PhAllocatePageZero(messageSize); replyMessage = NULL; if (!receiveMessage) { PhDeleteAutoPool(&autoPool); return STATUS_NO_MEMORY; } while (TRUE) { status = NtReplyWaitReceivePort( portHandle, &portContext, replyMessage, receiveMessage ); portHandle = PhSvcApiPortHandle; replyMessage = NULL; if (!NT_SUCCESS(status)) { // Client probably died. continue; } messageType = receiveMessage->u2.s2.Type; if (messageType == LPC_CONNECTION_REQUEST) { PhSvcHandleConnectionRequest(receiveMessage); continue; } if (!portContext) continue; client = portContext; threadContext.CurrentClient = client; PhWaitForEvent(&client->ReadyEvent, NULL); if (messageType == LPC_REQUEST) { if (PhIsExecutingInWow64()) payload = &((PPHSVC_API_MSG64)receiveMessage)->p; else payload = &((PPHSVC_API_MSG)receiveMessage)->p; PhSvcDispatchApiCall(client, payload, &portHandle); replyMessage = receiveMessage; } else if (messageType == LPC_PORT_CLOSED) { PhDereferenceObject(client); if (_InterlockedDecrement(&PhSvcApiNumberOfClients) == 0) { NtSetEvent(PhSvcTimeoutStandbyEventHandle, NULL); } } assert(!threadContext.OldClient); PhDrainAutoPool(&autoPool); } PhDeleteAutoPool(&autoPool); } BOOLEAN PhSvcHandleVerify( _In_ PCPH_STRINGREF FileName ) { BOOLEAN status = FALSE; HANDLE fileHandle; if (NT_SUCCESS(PhCreateFile( &fileHandle, FileName, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE | DELETE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { VERIFY_RESULT result; PH_VERIFY_FILE_INFO info; memset(&info, 0, sizeof(PH_VERIFY_FILE_INFO)); info.Flags = PH_VERIFY_PREVENT_NETWORK_ACCESS; info.FileHandle = fileHandle; if (NT_SUCCESS(PhVerifyFileEx(&info, &result, NULL, NULL))) { if (result == VrTrusted) { status = TRUE; } } NtClose(fileHandle); } return status; } VOID PhSvcHandleConnectionRequest( _In_ PPORT_MESSAGE PortMessage ) { NTSTATUS status; PPHSVC_API_MSG message; PPHSVC_API_MSG64 message64; CLIENT_ID clientId; PPHSVC_CLIENT client; HANDLE portHandle; REMOTE_PORT_VIEW clientView; REMOTE_PORT_VIEW64 clientView64; PREMOTE_PORT_VIEW actualClientView; message = (PPHSVC_API_MSG)PortMessage; message64 = (PPHSVC_API_MSG64)PortMessage; if (PhIsExecutingInWow64()) { clientId.UniqueProcess = (HANDLE)message64->h.ClientId.UniqueProcess; clientId.UniqueThread = (HANDLE)message64->h.ClientId.UniqueThread; #if defined(PH_BUILD_API) PPH_STRING remoteFileName; remoteFileName = NULL; PhGetProcessImageFileNameByProcessId(clientId.UniqueProcess, &remoteFileName); PH_AUTO(remoteFileName); if (PhIsNullOrEmptyString(remoteFileName) || !PhSvcHandleVerify(&remoteFileName->sr)) { NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL); return; } #endif // PH_BUILD_API } else { clientId = message->h.ClientId; #if defined(DEBUG) || defined(PH_BUILD_API) PPH_STRING remoteFileName; #endif #if defined(DEBUG) PPH_STRING referenceFileName; // Make sure that the remote process is System Informer and not some other program. referenceFileName = NULL; PhGetProcessImageFileNameByProcessId(NtCurrentProcessId(), &referenceFileName); PH_AUTO(referenceFileName); remoteFileName = NULL; PhGetProcessImageFileNameByProcessId(clientId.UniqueProcess, &remoteFileName); PH_AUTO(remoteFileName); if (PhIsNullOrEmptyString(referenceFileName) || PhIsNullOrEmptyString(remoteFileName) || !PhEqualString(referenceFileName, remoteFileName, FALSE)) { NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL); return; } #endif // DEBUG #if defined(PH_BUILD_API) remoteFileName = NULL; clientId = message->h.ClientId; PhGetProcessImageFileNameByProcessId(clientId.UniqueProcess, &remoteFileName); PH_AUTO(remoteFileName); if (PhIsNullOrEmptyString(remoteFileName) || !PhSvcHandleVerify(&remoteFileName->sr)) { NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL); return; } #endif // PH_BUILD_API } client = PhSvcCreateClient(&clientId); if (!client) { NtAcceptConnectPort(&portHandle, NULL, PortMessage, FALSE, NULL, NULL); return; } if (PhIsExecutingInWow64()) { message64->p.ConnectInfo.ServerProcessId = HandleToUlong(NtCurrentProcessId()); memset(&clientView64, 0, sizeof(REMOTE_PORT_VIEW64)); clientView64.Length = sizeof(REMOTE_PORT_VIEW64); clientView64.ViewSize = 0; clientView64.ViewBase = 0; actualClientView = (PREMOTE_PORT_VIEW)&clientView64; } else { message->p.ConnectInfo.ServerProcessId = HandleToUlong(NtCurrentProcessId()); memset(&clientView, 0, sizeof(REMOTE_PORT_VIEW)); clientView.Length = sizeof(REMOTE_PORT_VIEW); clientView.ViewSize = 0; clientView.ViewBase = NULL; actualClientView = &clientView; } status = NtAcceptConnectPort( &portHandle, client, PortMessage, TRUE, NULL, actualClientView ); if (!NT_SUCCESS(status)) { PhDereferenceObject(client); return; } // IMPORTANT: Since Vista, NtCompleteConnectPort does not do anything and simply returns STATUS_SUCCESS. // We will call it anyway (for completeness), but we need to use an event to ensure that other threads don't try // to process requests before we have finished setting up the client object. client->PortHandle = portHandle; if (PhIsExecutingInWow64()) { client->ClientViewBase = (PVOID)clientView64.ViewBase; client->ClientViewLimit = PTR_ADD_OFFSET(clientView64.ViewBase, clientView64.ViewSize); } else { client->ClientViewBase = clientView.ViewBase; client->ClientViewLimit = PTR_ADD_OFFSET(clientView.ViewBase, clientView.ViewSize); } //NtCompleteConnectPort(portHandle); // (dmex) PhSetEvent(&client->ReadyEvent); if (_InterlockedIncrement(&PhSvcApiNumberOfClients) == 1) { NtSetEvent(PhSvcTimeoutCancelEventHandle, NULL); } } ================================================ FILE: SystemInformer/phsvc/svcclient.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2015 * */ #include #include _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhSvcpClientDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); PPH_OBJECT_TYPE PhSvcClientType = NULL; RTL_STATIC_LIST_HEAD(PhSvcClientListHead); PH_QUEUED_LOCK PhSvcClientListLock = PH_QUEUED_LOCK_INIT; PPHSVC_CLIENT PhSvcCreateClient( _In_opt_ PCLIENT_ID ClientId ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPHSVC_CLIENT client; if (PhBeginInitOnce(&initOnce)) { PhSvcClientType = PhCreateObjectType(L"PhSvcClient", 0, PhSvcpClientDeleteProcedure); PhEndInitOnce(&initOnce); } client = PhCreateObject(sizeof(PHSVC_CLIENT), PhSvcClientType); memset(client, 0, sizeof(PHSVC_CLIENT)); PhInitializeEvent(&client->ReadyEvent); if (ClientId) client->ClientId = *ClientId; PhAcquireQueuedLockExclusive(&PhSvcClientListLock); InsertTailList(&PhSvcClientListHead, &client->ListEntry); PhReleaseQueuedLockExclusive(&PhSvcClientListLock); return client; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhSvcpClientDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPHSVC_CLIENT client = Object; PhAcquireQueuedLockExclusive(&PhSvcClientListLock); RemoveEntryList(&client->ListEntry); PhReleaseQueuedLockExclusive(&PhSvcClientListLock); if (client->PortHandle) NtClose(client->PortHandle); } PPHSVC_CLIENT PhSvcReferenceClientByClientId( _In_ PCLIENT_ID ClientId ) { PLIST_ENTRY listEntry; PPHSVC_CLIENT client = NULL; PhAcquireQueuedLockShared(&PhSvcClientListLock); listEntry = PhSvcClientListHead.Flink; while (listEntry != &PhSvcClientListHead) { client = CONTAINING_RECORD(listEntry, PHSVC_CLIENT, ListEntry); if (ClientId->UniqueThread) { if ( client->ClientId.UniqueProcess == ClientId->UniqueProcess && client->ClientId.UniqueThread == ClientId->UniqueThread ) { break; } } else { if (client->ClientId.UniqueProcess == ClientId->UniqueProcess) break; } client = NULL; listEntry = listEntry->Flink; } if (client) { if (!PhReferenceObjectSafe(client)) client = NULL; } PhReleaseQueuedLockShared(&PhSvcClientListLock); return client; } PPHSVC_CLIENT PhSvcGetCurrentClient( VOID ) { return PhSvcGetCurrentThreadContext()->CurrentClient; } BOOLEAN PhSvcAttachClient( _In_ PPHSVC_CLIENT Client ) { PPHSVC_THREAD_CONTEXT threadContext = PhSvcGetCurrentThreadContext(); if (threadContext->OldClient) return FALSE; PhReferenceObject(Client); threadContext->OldClient = threadContext->CurrentClient; threadContext->CurrentClient = Client; return TRUE; } VOID PhSvcDetachClient( _In_ PPHSVC_CLIENT Client ) { PPHSVC_THREAD_CONTEXT threadContext = PhSvcGetCurrentThreadContext(); PhDereferenceObject(threadContext->CurrentClient); threadContext->CurrentClient = threadContext->OldClient; threadContext->OldClient = NULL; } ================================================ FILE: SystemInformer/phsvc/svcmain.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011 * dmex 2018 * */ #include #include HANDLE PhSvcTimeoutStandbyEventHandle = NULL; HANDLE PhSvcTimeoutCancelEventHandle = NULL; NTSTATUS PhSvcMain( _In_opt_ PPH_STRING PortName, _Inout_opt_ PPHSVC_STOP Stop ) { NTSTATUS status; UNICODE_STRING portName; LARGE_INTEGER timeout; if (PortName) { PhStringRefToUnicodeString(&PortName->sr, &portName); } else { if (PhIsExecutingInWow64()) RtlInitUnicodeString(&portName, PHSVC_WOW64_PORT_NAME); else RtlInitUnicodeString(&portName, PHSVC_PORT_NAME); } if (!NT_SUCCESS(status = PhSvcApiPortInitialization(&portName))) return status; if (!NT_SUCCESS(status = PhCreateEvent(&PhSvcTimeoutStandbyEventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, TRUE))) return status; if (!NT_SUCCESS(status = PhCreateEvent(&PhSvcTimeoutCancelEventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, FALSE))) { NtClose(PhSvcTimeoutStandbyEventHandle); return status; } if (Stop) { Stop->Event1 = PhSvcTimeoutStandbyEventHandle; Stop->Event2 = PhSvcTimeoutCancelEventHandle; MemoryBarrier(); if (Stop->Stop) return STATUS_SUCCESS; } while (TRUE) { NtWaitForSingleObject(PhSvcTimeoutStandbyEventHandle, FALSE, NULL); if (Stop && Stop->Stop) break; status = NtWaitForSingleObject(PhSvcTimeoutCancelEventHandle, FALSE, PhTimeoutFromMilliseconds(&timeout, 10 * 1000)); if (Stop && Stop->Stop) break; if (status == STATUS_TIMEOUT) break; // A client connected, so we wait on the standby event again. } return status; } VOID PhSvcStop( _Inout_ PPHSVC_STOP Stop ) { Stop->Stop = TRUE; if (Stop->Event1) NtSetEvent(Stop->Event1, NULL); if (Stop->Event2) NtSetEvent(Stop->Event2, NULL); } ================================================ FILE: SystemInformer/plugin.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #include #include typedef struct _PHP_PLUGIN_LOAD_ERROR { PPH_STRING FileName; PPH_STRING ErrorMessage; } PHP_PLUGIN_LOAD_ERROR, *PPHP_PLUGIN_LOAD_ERROR; typedef struct _PHP_PLUGIN_MENU_HOOK { PPH_PLUGIN Plugin; PVOID Context; } PHP_PLUGIN_MENU_HOOK, *PPHP_PLUGIN_MENU_HOOK; typedef struct _PH_LOADPLUGIN_CONTEXT { BOOLEAN LoadNative; BOOLEAN LoadDefault; PPH_STRING PluginsDirectory; PPH_LIST LoadErrors; } PH_LOADPLUGIN_CONTEXT, *PPH_LOADPLUGIN_CONTEXT; LONG NTAPI PhpPluginsCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ); NTSTATUS PhLoadPlugin( _In_ PCPH_STRINGREF FileName ); VOID PhLoadPluginErrorMessage( _In_ PPH_LOADPLUGIN_CONTEXT Context, _In_ PPH_STRING FileName, _In_ NTSTATUS Status ); VOID PhInvokeCallbackForAllPlugins( _In_ PH_PLUGIN_CALLBACK Callback, _In_opt_ PVOID Parameters ); VOID PhpExecuteCallbackForAllPlugins( _In_ PH_PLUGIN_CALLBACK Callback, _In_ BOOLEAN StartupParameters ); PH_AVL_TREE PhPluginsByName = PH_AVL_TREE_INIT(PhpPluginsCompareFunction); static PH_CALLBACK GeneralCallbacks[GeneralCallbackMaximum]; static ULONG NextPluginId = IDPLUGINS + 1; static CONST PH_STRINGREF DefaultPluginName[] = { PH_STRINGREF_INIT(L"DotNetTools.dll"), PH_STRINGREF_INIT(L"ExtendedNotifications.dll"), PH_STRINGREF_INIT(L"ExtendedServices.dll"), PH_STRINGREF_INIT(L"ExtendedTools.dll"), PH_STRINGREF_INIT(L"HardwareDevices.dll"), PH_STRINGREF_INIT(L"NetworkTools.dll"), PH_STRINGREF_INIT(L"OnlineChecks.dll"), PH_STRINGREF_INIT(L"ToolStatus.dll"), PH_STRINGREF_INIT(L"Updater.dll"), PH_STRINGREF_INIT(L"UserNotes.dll"), PH_STRINGREF_INIT(L"WindowExplorer.dll"), }; LONG NTAPI PhpPluginsCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ) { PPH_PLUGIN plugin1 = CONTAINING_RECORD(Links1, PH_PLUGIN, Links); PPH_PLUGIN plugin2 = CONTAINING_RECORD(Links2, PH_PLUGIN, Links); return PhCompareStringRef(&plugin1->Name, &plugin2->Name, FALSE); } _Success_(return) BOOLEAN PhpLocateDisabledPlugin( _In_ PPH_STRING List, _In_ PCPH_STRINGREF BaseName, _Out_opt_ PULONG_PTR FoundIndex ) { PH_STRINGREF namePart; PH_STRINGREF remainingPart; remainingPart = PhGetStringRef(List); while (remainingPart.Length != 0) { PhSplitStringRefAtChar(&remainingPart, L'|', &namePart, &remainingPart); if (PhEqualStringRef(&namePart, BaseName, TRUE)) { if (FoundIndex) *FoundIndex = (ULONG_PTR)(namePart.Buffer - List->Buffer); return TRUE; } } return FALSE; } BOOLEAN PhIsPluginDisabled( _In_ PCPH_STRINGREF BaseName ) { BOOLEAN found; PPH_STRING disabled; disabled = PhGetStringSetting(SETTING_DISABLED_PLUGINS); found = PhpLocateDisabledPlugin(disabled, BaseName, NULL); PhDereferenceObject(disabled); return found; } VOID PhSetPluginDisabled( _In_ PCPH_STRINGREF BaseName, _In_ BOOLEAN Disable ) { BOOLEAN found; PPH_STRING disabled; ULONG_PTR foundIndex; PPH_STRING newDisabled; disabled = PhGetStringSetting(SETTING_DISABLED_PLUGINS); found = PhpLocateDisabledPlugin(disabled, BaseName, &foundIndex); if (Disable && !found) { // We need to add the plugin to the disabled list. if (disabled->Length != 0) { // We have other disabled plugins. Append a pipe character followed by the plugin name. newDisabled = PhCreateStringEx(NULL, disabled->Length + sizeof(WCHAR) + BaseName->Length); memcpy(newDisabled->Buffer, disabled->Buffer, disabled->Length); newDisabled->Buffer[disabled->Length / sizeof(WCHAR)] = L'|'; memcpy(&newDisabled->Buffer[disabled->Length / sizeof(WCHAR) + 1], BaseName->Buffer, BaseName->Length); PhSetStringSetting2(SETTING_DISABLED_PLUGINS, &newDisabled->sr); PhDereferenceObject(newDisabled); } else { // This is the first disabled plugin. PhSetStringSetting2(SETTING_DISABLED_PLUGINS, BaseName); } } else if (!Disable && found) { SIZE_T removeCount; // We need to remove the plugin from the disabled list. removeCount = BaseName->Length / sizeof(WCHAR); if (foundIndex + BaseName->Length / sizeof(WCHAR) < disabled->Length / sizeof(WCHAR)) { // Remove the following pipe character as well. removeCount++; } else if (foundIndex != 0) { // Remove the preceding pipe character as well. foundIndex--; removeCount++; } newDisabled = PhCreateStringEx(NULL, disabled->Length - removeCount * sizeof(WCHAR)); memmove(newDisabled->Buffer, disabled->Buffer, foundIndex * sizeof(WCHAR)); memmove(&newDisabled->Buffer[foundIndex], &disabled->Buffer[foundIndex + removeCount], disabled->Length - removeCount * sizeof(WCHAR) - foundIndex * sizeof(WCHAR)); PhSetStringSetting2(SETTING_DISABLED_PLUGINS, &newDisabled->sr); PhDereferenceObject(newDisabled); } PhDereferenceObject(disabled); } //PPH_STRING PhGetPluginDirectoryPath( // _In_ BOOLEAN NativeFileName // ) //{ // static CONST PH_STRINGREF pluginsDirectory = PH_STRINGREF_INIT(L"plugins\\"); // // return PhGetApplicationDirectoryFileName(&pluginsDirectory, NativeFileName); //} // //PPH_STRING PhpGetPluginDirectoryPath( // VOID // ) //{ // static PPH_STRING cachedPluginDirectory = NULL; // PPH_STRING pluginsDirectory; // SIZE_T returnLength; // WCHAR pluginsDirectoryName[MAX_PATH]; // PH_FORMAT format[3]; // // if (pluginsDirectory = InterlockedCompareExchangePointer( // &cachedPluginDirectory, // NULL, // NULL // )) // { // return PhReferenceObject(pluginsDirectory); // } // // pluginsDirectory = PhGetStringSetting(L"PluginsDirectory"); // // if (RtlDetermineDosPathNameType_U(pluginsDirectory->Buffer) == RtlPathTypeRelative) // { // PPH_STRING applicationDirectory; // // if (applicationDirectory = PhGetApplicationDirectoryWin32()) // { // PH_STRINGREF pluginsDirectoryNameSr; // // // Not absolute. Make sure it is. // PhInitFormatSR(&format[0], applicationDirectory->sr); // PhInitFormatSR(&format[1], pluginsDirectory->sr); // PhInitFormatC(&format[2], OBJ_NAME_PATH_SEPARATOR); // // if (PhFormatToBuffer( // format, // RTL_NUMBER_OF(format), // pluginsDirectoryName, // sizeof(pluginsDirectoryName), // &returnLength // )) // { // pluginsDirectoryNameSr.Buffer = pluginsDirectoryName; // pluginsDirectoryNameSr.Length = returnLength - sizeof(UNICODE_NULL); // // PhMoveReference(&pluginsDirectory, PhCreateString2(&pluginsDirectoryNameSr)); // } // // PhDereferenceObject(applicationDirectory); // } // } // // if (!InterlockedCompareExchangePointer( // &cachedPluginDirectory, // pluginsDirectory, // NULL // )) // { // PhReferenceObject(pluginsDirectory); // } // // return pluginsDirectory; //} _Function_class_(PH_ENUM_DIRECTORY_FILE) static BOOLEAN EnumPluginsDirectoryCallback( _In_ HANDLE RootDirectory, _In_ PVOID Information, _In_opt_ PVOID Context ) { PFILE_NAMES_INFORMATION fileNamesInfo = (PFILE_NAMES_INFORMATION)Information; PPH_LOADPLUGIN_CONTEXT context = (PPH_LOADPLUGIN_CONTEXT)Context; NTSTATUS status; PPH_STRING fileName; PH_STRINGREF baseName; baseName.Buffer = fileNamesInfo->FileName; baseName.Length = fileNamesInfo->FileNameLength; if (!PhIsPluginDisabled(&baseName)) { if (context->LoadNative) { status = PhLoadPluginImage(&baseName, RootDirectory, NULL); } else { if (fileName = PhConcatStringRef2(&context->PluginsDirectory->sr, &baseName)) { status = PhLoadPlugin(&fileName->sr); PhDereferenceObject(fileName); } else { status = STATUS_NO_MEMORY; } } if (!NT_SUCCESS(status)) { fileName = PhCreateString2(&baseName); PhLoadPluginErrorMessage(context, fileName, status); PhDereferenceObject(fileName); } } return TRUE; } VOID PhpShowPluginErrorMessage( _Inout_ PPH_LIST PluginLoadErrors ) { TASKDIALOGCONFIG config; PH_STRING_BUILDER stringBuilder; PPHP_PLUGIN_LOAD_ERROR loadError; PPH_STRING baseName; INT result; PhInitializeStringBuilder(&stringBuilder, 100); for (ULONG i = 0; i < PluginLoadErrors->Count; i++) { loadError = PluginLoadErrors->Items[i]; baseName = PhGetBaseName(loadError->FileName); PhAppendFormatStringBuilder( &stringBuilder, L"%s: %s\n", baseName->Buffer, PhGetStringOrDefault(loadError->ErrorMessage, L"An unknown error occurred.") ); PhDereferenceObject(baseName); } if (PhEndsWithStringRef2(&stringBuilder.String->sr, L"\n", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION; config.dwCommonButtons = TDCBF_OK_BUTTON; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = TD_INFORMATION_ICON; config.pszMainInstruction = L"Unable to load the following plugin(s)"; config.pszContent = PhGetString(PhFinalStringBuilderString(&stringBuilder)); config.nDefaultButton = IDOK; if (PhShowTaskDialog( &config, &result, NULL, NULL )) { //switch (result) //{ //case IDNO: // for (i = 0; i < pluginLoadErrors->Count; i++) // { // loadError = pluginLoadErrors->Items[i]; // baseName = PhGetBaseName(loadError->FileName); // PhSetPluginDisabled(&baseName->sr, TRUE); // PhDereferenceObject(baseName); // } // break; //case IDYES: // for (i = 0; i < pluginLoadErrors->Count; i++) // { // loadError = pluginLoadErrors->Items[i]; // PhDeleteFileWin32(loadError->FileName->Buffer); // } // break; //} } PhDeleteStringBuilder(&stringBuilder); } NTSTATUS PhLoadPluginsEnumDirectory( _In_ PPH_STRINGREF PluginsDirectory, _In_ PPH_LOADPLUGIN_CONTEXT Context ) { static CONST PH_STRINGREF pluginsSearchPattern = PH_STRINGREF_INIT(L"*.dll"); NTSTATUS status; HANDLE directoryHandle; if (Context->LoadNative) { status = PhCreateFile( &directoryHandle, PluginsDirectory, FILE_LIST_DIRECTORY | SYNCHRONIZE, FILE_ATTRIBUTE_DIRECTORY, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); } else { status = PhCreateFileWin32( &directoryHandle, PhGetStringRefZ(PluginsDirectory), FILE_LIST_DIRECTORY | SYNCHRONIZE, FILE_ATTRIBUTE_DIRECTORY, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); } if (!NT_SUCCESS(status)) return status; status = PhEnumDirectoryFileEx( directoryHandle, FileNamesInformation, FALSE, &pluginsSearchPattern, EnumPluginsDirectoryCallback, Context ); if (!NT_SUCCESS(status)) { status = PhEnumDirectoryFileEx( directoryHandle, FileNamesInformation, TRUE, &pluginsSearchPattern, EnumPluginsDirectoryCallback, Context ); } NtClose(directoryHandle); return status; } /** * Loads plugins from the default plugins directory. */ VOID PhLoadPlugins( VOID ) { static CONST PH_STRINGREF pluginsDirectory = PH_STRINGREF_INIT(L"plugins\\"); NTSTATUS status; BOOLEAN pluginLoadNative; BOOLEAN pluginLoadDefault; PPH_STRING pluginFileName; PPH_STRING pluginDirectoryPath; PH_LOADPLUGIN_CONTEXT pluginLoadContext; pluginLoadNative = !!PhGetIntegerSetting(SETTING_ENABLE_PLUGINS_NATIVE); pluginLoadDefault = !!PhGetIntegerSetting(SETTING_ENABLE_DEFAULT_SAFE_PLUGINS); pluginDirectoryPath = PhGetApplicationDirectoryFileName(&pluginsDirectory, pluginLoadNative); if (PhIsNullOrEmptyString(pluginDirectoryPath)) return; memset(&pluginLoadContext, 0, sizeof(PH_LOADPLUGIN_CONTEXT)); pluginLoadContext.LoadNative = pluginLoadNative; pluginLoadContext.LoadDefault = pluginLoadDefault; pluginLoadContext.PluginsDirectory = pluginDirectoryPath; if (pluginLoadDefault) { if (pluginLoadNative) { HANDLE directoryHandle; status = PhCreateFile( &directoryHandle, &pluginDirectoryPath->sr, FILE_LIST_DIRECTORY | SYNCHRONIZE, FILE_ATTRIBUTE_DIRECTORY, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { for (ULONG i = 0; i < RTL_NUMBER_OF(DefaultPluginName); i++) { if (PhIsPluginDisabled(&DefaultPluginName[i])) continue; status = PhLoadPluginImage(&DefaultPluginName[i], directoryHandle, NULL); if (!NT_SUCCESS(status)) { pluginFileName = PhCreateString2(&DefaultPluginName[i]); PhLoadPluginErrorMessage(&pluginLoadContext, pluginFileName, status); PhDereferenceObject(pluginFileName); } } NtClose(directoryHandle); } } else { for (ULONG i = 0; i < RTL_NUMBER_OF(DefaultPluginName); i++) { if (PhIsPluginDisabled(&DefaultPluginName[i])) continue; if (pluginFileName = PhConcatStringRef2(&pluginDirectoryPath->sr, &DefaultPluginName[i])) { status = PhLoadPlugin(&pluginFileName->sr); if (!NT_SUCCESS(status)) { PhLoadPluginErrorMessage(&pluginLoadContext, pluginFileName, status); } PhDereferenceObject(pluginFileName); } } } } else { // Load non-default plugins PhLoadPluginsEnumDirectory(&pluginDirectoryPath->sr, &pluginLoadContext); } // Handle load errors. // In certain startup modes we want to ignore all plugin load errors. if ( pluginLoadContext.LoadErrors && pluginLoadContext.LoadErrors->Count != 0 && PhGetIntegerSetting(SETTING_SHOW_PLUGIN_LOAD_ERRORS) && !PhStartupParameters.PhSvc ) { PhpShowPluginErrorMessage(pluginLoadContext.LoadErrors); } // When we loaded settings before, we didn't know about plugin settings, so they // went into the ignored settings list. Now that they've had a chance to add // settings, we should scan the ignored settings list and move the settings to // the right places. PhConvertIgnoredSettings(); PhpExecuteCallbackForAllPlugins(PluginCallbackLoad, TRUE); if (pluginLoadContext.LoadErrors) { for (ULONG i = 0; i < pluginLoadContext.LoadErrors->Count; i++) { PPHP_PLUGIN_LOAD_ERROR loadError; loadError = pluginLoadContext.LoadErrors->Items[i]; if (loadError->FileName) PhDereferenceObject(loadError->FileName); if (loadError->ErrorMessage) PhDereferenceObject(loadError->ErrorMessage); PhFree(loadError); } PhDereferenceObject(pluginLoadContext.LoadErrors); } PhDereferenceObject(pluginDirectoryPath); } /** * Notifies all plugins that the program is shutting down. * * \param SessionEnding TRUE if the user ends the Windows session by logging off * or shutting down the operating system. otherwise, FALSE. */ VOID PhUnloadPlugins( _In_ BOOLEAN SessionEnding ) { PhInvokeCallbackForAllPlugins(PluginCallbackUnload, UlongToPtr(SessionEnding)); } /** * Loads a plugin. * * \param FileName The file name of the plugin. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhLoadPlugin( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; if (LoadLibraryEx(PhGetStringRefZ(FileName), NULL, LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } VOID PhLoadPluginErrorMessage( _In_ PPH_LOADPLUGIN_CONTEXT Context, _In_ PPH_STRING FileName, _In_ NTSTATUS Status ) { PPHP_PLUGIN_LOAD_ERROR loadError; PPH_STRING errorMessage; loadError = PhAllocateZero(sizeof(PHP_PLUGIN_LOAD_ERROR)); PhSetReference(&loadError->FileName, FileName); if (errorMessage = PhGetNtMessage(Status)) { PhSetReference(&loadError->ErrorMessage, errorMessage); PhDereferenceObject(errorMessage); } if (!Context->LoadErrors) { Context->LoadErrors = PhCreateList(1); } if (Context->LoadErrors) { PhAddItemList(Context->LoadErrors, loadError); } } VOID PhInvokeCallbackForAllPlugins( _In_ PH_PLUGIN_CALLBACK Callback, _In_opt_ PVOID Parameters ) { PPH_AVL_LINKS links; for (links = PhMinimumElementAvlTree(&PhPluginsByName); links; links = PhSuccessorElementAvlTree(links)) { PPH_PLUGIN plugin = CONTAINING_RECORD(links, PH_PLUGIN, Links); PhInvokeCallback(PhGetPluginCallback(plugin, Callback), Parameters); } } VOID PhpExecuteCallbackForAllPlugins( _In_ PH_PLUGIN_CALLBACK Callback, _In_ BOOLEAN StartupParameters ) { PPH_AVL_LINKS links; for (links = PhMinimumElementAvlTree(&PhPluginsByName); links; links = PhSuccessorElementAvlTree(links)) { PPH_PLUGIN plugin = CONTAINING_RECORD(links, PH_PLUGIN, Links); PPH_LIST parameters = NULL; // Find relevant startup parameters for this plugin. if (StartupParameters && PhStartupParameters.PluginParameters) { ULONG i; for (i = 0; i < PhStartupParameters.PluginParameters->Count; i++) { PPH_STRING string = PhStartupParameters.PluginParameters->Items[i]; PH_STRINGREF pluginName; PH_STRINGREF parameter; if (PhSplitStringRefAtChar(&string->sr, L':', &pluginName, ¶meter) && PhEqualStringRef(&pluginName, &plugin->Name, FALSE) && parameter.Length != 0) { if (!parameters) parameters = PhCreateList(3); if (parameters) PhAddItemList(parameters, PhCreateString2(¶meter)); } } } PhInvokeCallback(PhGetPluginCallback(plugin, Callback), parameters); if (parameters) { PhDereferenceObjects(parameters->Items, parameters->Count); PhDereferenceObject(parameters); } } } /** * Validate the plugin name contains only valid characters. * Valid characters are alphanumeric characters, spaces, dots, and underscores. * * \param Name A pointer to a PH_STRINGREF structure that contains the plugin name to validate. * \return TRUE if the name is valid; otherwise, FALSE. */ BOOLEAN PhpValidatePluginName( _In_ PCPH_STRINGREF Name ) { SIZE_T i; PWSTR buffer; SIZE_T count; buffer = Name->Buffer; count = Name->Length / sizeof(WCHAR); for (i = 0; i < count; i++) { if (!iswalnum(buffer[i]) && buffer[i] != L' ' && buffer[i] != L'.' && buffer[i] != L'_') { return FALSE; } } return TRUE; } /** * Registers a plugin with the host. * * \param Name A unique identifier for the plugin. The function fails * if another plugin has already been registered with the same name. The * name must only contain alphanumeric characters, spaces, dots and * underscores. * \param DllBase The base address of the plugin DLL. This is passed * to the DllMain function. * \param Information A variable which receives a pointer to the * plugin's additional information block. This should be filled in after * the function returns. * \return A pointer to the plugin instance structure, or NULL if the * function failed. */ PPH_PLUGIN PhRegisterPluginByName( _In_ PCPH_STRINGREF Name, _In_ PVOID DllBase, _Out_opt_ PPH_PLUGIN_INFORMATION *Information ) { PPH_PLUGIN plugin; PPH_AVL_LINKS existingLinks; ULONG i; PhTraceInfo("%ls plugin registering", PhGetStringRefZ(Name)); if (!PhpValidatePluginName(Name)) return NULL; plugin = PhAllocateZero(sizeof(PH_PLUGIN)); plugin->Name = *Name; plugin->DllBase = DllBase; existingLinks = PhAddElementAvlTree(&PhPluginsByName, &plugin->Links); if (existingLinks) { // Another plugin has already been registered with the same name. PhFree(plugin); return NULL; } for (i = 0; i < PluginCallbackMaximum; i++) PhInitializeCallback(&plugin->Callbacks[i]); PhEmInitializeAppContext(&plugin->AppContext, Name); if (Information) *Information = &plugin->Information; return plugin; } /** * Locates a plugin instance structure. * * \param Name The name of the plugin. * \return A plugin instance structure, or NULL if the plugin was not found. */ PPH_PLUGIN PhFindPlugin2( _In_ PCPH_STRINGREF Name ) { PPH_AVL_LINKS links; PH_PLUGIN lookupPlugin; lookupPlugin.Name = *Name; links = PhFindElementAvlTree(&PhPluginsByName, &lookupPlugin.Links); if (links) return CONTAINING_RECORD(links, PH_PLUGIN, Links); else return NULL; } /** * Gets a pointer to a plugin's additional information block. * * \param Name The name of the plugin. * \param Version The version of the interface. * \return The plugin's internal interface. */ PVOID PhGetPluginInterface( _In_ PCPH_STRINGREF Name, _In_opt_ ULONG Version ) { PPH_PLUGIN plugin; PVOID iface; if (plugin = PhFindPlugin2(Name)) { if (!(iface = PhGetPluginInformation(plugin)->Interface)) return NULL; if (Version == 0) { return iface; } struct { ULONG Version; } *Interface = iface; if (Interface->Version >= Version) { return iface; } } return NULL; } /** * Gets a pointer to a plugin's additional information block. * * \param Plugin The plugin instance structure. * \return The plugin's additional information block. */ PPH_PLUGIN_INFORMATION PhGetPluginInformation( _In_ PPH_PLUGIN Plugin ) { return &Plugin->Information; } /** * Retrieves a pointer to a plugin callback. * * \param Plugin A plugin instance structure. * \param Callback The type of callback. * \remarks The program invokes plugin callbacks for notifications * specific to a plugin. */ PPH_CALLBACK PhGetPluginCallback( _In_ PPH_PLUGIN Plugin, _In_ PH_PLUGIN_CALLBACK Callback ) { if (Callback >= PluginCallbackMaximum) PhRaiseStatus(STATUS_INVALID_PARAMETER_2); return &Plugin->Callbacks[Callback]; } VOID PhInitializeCallbacks( VOID ) { for (ULONG i = 0; i < GeneralCallbackMaximum; i++) PhInitializeCallback(&GeneralCallbacks[i]); } /** * Retrieves a pointer to a general callback. * * \param Callback The type of callback. * \remarks The program invokes general callbacks for system-wide * notifications. */ PPH_CALLBACK PhGetGeneralCallback( _In_ PH_GENERAL_CALLBACK Callback ) { if (Callback >= GeneralCallbackMaximum) PhRaiseStatus(STATUS_INVALID_PARAMETER_2); return &GeneralCallbacks[Callback]; } /** * Reserves unique GUI identifiers. * * \param Count The number of identifiers to reserve. * * \return The start of the reserved range. * * \remarks The identifiers reserved by this function are * guaranteed to be unique throughout the program. */ ULONG PhPluginReserveIds( _In_ ULONG Count ) { ULONG nextPluginId; nextPluginId = NextPluginId; NextPluginId += Count; return nextPluginId; } /** * Retrieves current system statistics. */ VOID PhPluginGetSystemStatistics( _Out_ PPH_PLUGIN_SYSTEM_STATISTICS Statistics ) { if (!PhProcessStatisticsInitialized) { memset(Statistics, 0, sizeof(PH_PLUGIN_SYSTEM_STATISTICS)); return; } Statistics->Performance = &PhPerfInformation; Statistics->NumberOfProcesses = PhTotalProcesses; Statistics->NumberOfThreads = PhTotalThreads; Statistics->NumberOfHandles = PhTotalHandles; Statistics->CpuKernelUsage = PhCpuKernelUsage; Statistics->CpuUserUsage = PhCpuUserUsage; Statistics->IoReadDelta = PhIoReadDelta; Statistics->IoWriteDelta = PhIoWriteDelta; Statistics->IoOtherDelta = PhIoOtherDelta; Statistics->CommitPages = PhGetItemCircularBuffer_ULONG(&PhCommitHistory, 0); Statistics->PhysicalPages = PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, 0); Statistics->MaxCpuProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&PhMaxCpuHistory, 0)); Statistics->MaxIoProcessId = UlongToHandle(PhGetItemCircularBuffer_ULONG(&PhMaxIoHistory, 0)); Statistics->CpuKernelHistory = &PhCpuKernelHistory; Statistics->CpuUserHistory = &PhCpuUserHistory; Statistics->CpusKernelHistory = &PhCpusKernelHistory; Statistics->CpusUserHistory = &PhCpusUserHistory; Statistics->IoReadHistory = &PhIoReadHistory; Statistics->IoWriteHistory = &PhIoWriteHistory; Statistics->IoOtherHistory = &PhIoOtherHistory; Statistics->CommitHistory = &PhCommitHistory; Statistics->PhysicalHistory = &PhPhysicalHistory; Statistics->MaxCpuHistory = &PhMaxCpuHistory; Statistics->MaxIoHistory = &PhMaxIoHistory; #ifdef PH_RECORD_MAX_USAGE Statistics->MaxCpuUsageHistory = &PhMaxCpuUsageHistory; Statistics->MaxIoReadOtherHistory = &PhMaxIoReadOtherHistory; Statistics->MaxIoWriteHistory = &PhMaxIoWriteHistory; #else Statistics->MaxCpuUsageHistory = NULL; Statistics->MaxIoReadOtherHistory = NULL; Statistics->MaxIoWriteHistory = NULL; #endif } _Function_class_(PH_EMENU_ITEM_DELETE_FUNCTION) static VOID NTAPI PhpPluginEMenuItemDeleteFunction( _In_ PPH_EMENU_ITEM Item ) { PPH_PLUGIN_MENU_ITEM pluginMenuItem; pluginMenuItem = Item->Context; if (pluginMenuItem->DeleteFunction) pluginMenuItem->DeleteFunction(pluginMenuItem); PhFree(pluginMenuItem); } /** * Creates a menu item. * * \param Plugin A plugin instance structure. * \param Flags A combination of flags. * \param Id An identifier for the menu item. This should be unique * within the plugin. * \param Text The text of the menu item. * \param Context A user-defined value for the menu item. * * \return A menu item object. This can then be inserted into another * menu using PhInsertEMenuItem(). * * \remarks The \ref PluginCallbackMenuItem callback is invoked when * the menu item is chosen, and the \ref PH_PLUGIN_MENU_ITEM structure * will contain the \a Id and \a Context values passed to this function. */ PPH_EMENU_ITEM PhPluginCreateEMenuItem( _In_ PPH_PLUGIN Plugin, _In_ ULONG Flags, _In_ ULONG Id, _In_ PCWSTR Text, _In_opt_ PVOID Context ) { PPH_PLUGIN_MENU_ITEM pluginMenuItem; PPH_EMENU_ITEM item; pluginMenuItem = PhAllocateZero(sizeof(PH_PLUGIN_MENU_ITEM)); pluginMenuItem->Plugin = Plugin; pluginMenuItem->Id = Id; pluginMenuItem->Context = Context; item = PhCreateEMenuItem(Flags, ID_PLUGIN_MENU_ITEM, Text, NULL, pluginMenuItem); item->DeleteFunction = PhpPluginEMenuItemDeleteFunction; return item; } /** * Adds a menu hook. * * \param MenuInfo The plugin menu information structure. * \param Plugin A plugin instance structure. * \param Context A user-defined value that is later accessible from the callback. * * \remarks The \ref PluginCallbackMenuHook callback is invoked when any menu item * from the menu is chosen. */ BOOLEAN PhPluginAddMenuHook( _Inout_ PPH_PLUGIN_MENU_INFORMATION MenuInfo, _In_ PPH_PLUGIN Plugin, _In_opt_ PVOID Context ) { PPHP_PLUGIN_MENU_HOOK hook; if (MenuInfo->Flags & PH_PLUGIN_MENU_DISALLOW_HOOKS) return FALSE; if (!MenuInfo->PluginHookList) MenuInfo->PluginHookList = PH_AUTO(PhCreateList(2)); hook = PH_AUTO(PhCreateAlloc(sizeof(PHP_PLUGIN_MENU_HOOK))); hook->Plugin = Plugin; hook->Context = Context; PhAddItemList(MenuInfo->PluginHookList, hook); return TRUE; } /** * Initializes a plugin menu information structure. * * \param MenuInfo The structure to initialize. * \param Menu The menu being shown. * \param OwnerWindow The window that owns the menu. * \param Flags Additional flags. * * \remarks This function is reserved for internal use. */ VOID PhPluginInitializeMenuInfo( _Out_ PPH_PLUGIN_MENU_INFORMATION MenuInfo, _In_opt_ PPH_EMENU Menu, _In_ HWND OwnerWindow, _In_ ULONG Flags ) { memset(MenuInfo, 0, sizeof(PH_PLUGIN_MENU_INFORMATION)); MenuInfo->Menu = Menu; MenuInfo->OwnerWindow = OwnerWindow; MenuInfo->Flags = Flags; } /** * Triggers a plugin menu item. * * \param MenuInfo The plugin menu information structure. * \param Item The menu item chosen by the user. * * \remarks This function is reserved for internal use. */ BOOLEAN PhPluginTriggerEMenuItem( _In_ PPH_PLUGIN_MENU_INFORMATION MenuInfo, _In_ PPH_EMENU_ITEM Item ) { PPH_PLUGIN_MENU_ITEM pluginMenuItem; ULONG i; PPHP_PLUGIN_MENU_HOOK hook; PH_PLUGIN_MENU_HOOK_INFORMATION menuHookInfo; if (MenuInfo->PluginHookList) { for (i = 0; i < MenuInfo->PluginHookList->Count; i++) { hook = MenuInfo->PluginHookList->Items[i]; menuHookInfo.MenuInfo = MenuInfo; menuHookInfo.SelectedItem = Item; menuHookInfo.Context = hook->Context; menuHookInfo.Handled = FALSE; PhInvokeCallback(PhGetPluginCallback(hook->Plugin, PluginCallbackMenuHook), &menuHookInfo); if (menuHookInfo.Handled) return TRUE; } } if (Item->Id != ID_PLUGIN_MENU_ITEM) return FALSE; pluginMenuItem = Item->Context; pluginMenuItem->OwnerWindow = MenuInfo->OwnerWindow; PhInvokeCallback(PhGetPluginCallback(pluginMenuItem->Plugin, PluginCallbackMenuItem), pluginMenuItem); return TRUE; } /** * Adds a column to a tree new control. * * \param Plugin A plugin instance structure. * \param CmData The CmData value from the \ref PH_PLUGIN_TREENEW_INFORMATION * structure. * \param Column The column properties. * \param SubId An identifier for the column. This should be unique within the * plugin. * \param Context A user-defined value. * \param SortFunction The sort function for the column. */ BOOLEAN PhPluginAddTreeNewColumn( _In_ PPH_PLUGIN Plugin, _In_ PVOID CmData, _In_ PPH_TREENEW_COLUMN Column, _In_ ULONG SubId, _In_opt_ PVOID Context, _In_opt_ PPH_PLUGIN_TREENEW_SORT_FUNCTION SortFunction ) { return !!PhCmCreateColumn( CmData, Column, Plugin, SubId, Context, SortFunction ); } /** * Sets the object extension size and callbacks for an object type. * * \param Plugin A plugin instance structure. * \param ObjectType The type of object for which the extension is being registered. * \param ExtensionSize The size of the extension, in bytes. * \param CreateCallback The object creation callback. * \param DeleteCallback The object deletion callback. */ VOID PhPluginSetObjectExtension( _In_ PPH_PLUGIN Plugin, _In_ PH_EM_OBJECT_TYPE ObjectType, _In_ ULONG ExtensionSize, _In_opt_ PPH_EM_OBJECT_CALLBACK CreateCallback, _In_opt_ PPH_EM_OBJECT_CALLBACK DeleteCallback ) { PhEmSetObjectExtension( &Plugin->AppContext, ObjectType, ExtensionSize, CreateCallback, DeleteCallback ); } /** * Gets the object extension for an object. * * \param Plugin A plugin instance structure. * \param Object The object. * \param ObjectType The type of object for which an extension has been registered. */ PVOID PhPluginGetObjectExtension( _In_ PPH_PLUGIN Plugin, _In_ PVOID Object, _In_ PH_EM_OBJECT_TYPE ObjectType ) { return PhEmGetObjectExtension( &Plugin->AppContext, ObjectType, Object ); } /** * Allows a plugin to receive all treenew messages, not just column-related ones. * * \param Plugin A plugin instance structure. * \param CmData The CmData value from the \ref PH_PLUGIN_TREENEW_INFORMATION * structure. */ VOID PhPluginEnableTreeNewNotify( _In_ PPH_PLUGIN Plugin, _In_ PVOID CmData ) { PhCmSetNotifyPlugin(CmData, Plugin); } NTSTATUS PhPluginQueryPhSvc( _Out_ PPH_PLUGIN_PHSVC_CLIENT Client ) { if (!PhSvcClServerProcessId) return STATUS_INVALID_CID; Client->ServerProcessId = PhSvcClServerProcessId; Client->FreeHeap = PhSvcpFreeHeap; Client->CreateString = PhSvcpCreateString; return STATUS_SUCCESS; } NTSTATUS PhPluginCallPhSvc( _In_ PPH_PLUGIN Plugin, _In_ ULONG SubId, _In_reads_bytes_opt_(InLength) PVOID InBuffer, _In_ ULONG InLength, _Out_writes_bytes_opt_(OutLength) PVOID OutBuffer, _In_ ULONG OutLength ) { NTSTATUS status; PPH_STRING apiId; PH_FORMAT format[4]; PhInitFormatC(&format[0], L'+'); PhInitFormatSR(&format[1], Plugin->Name); PhInitFormatC(&format[2], L'+'); PhInitFormatU(&format[3], SubId); apiId = PhFormat(format, 4, 50); status = PhSvcCallPlugin(&apiId->sr, InBuffer, InLength, OutBuffer, OutLength); PhDereferenceObject(apiId); return status; } PPH_STRING PhGetPluginName( _In_ PPH_PLUGIN Plugin ) { return PhCreateString2(&Plugin->Name); } PPH_STRING PhGetPluginFileName( _In_ PPH_PLUGIN Plugin ) { PPH_STRING fileName = NULL; if (!NT_SUCCESS(PhGetProcessMappedFileName(NtCurrentProcess(), Plugin->DllBase, &fileName))) return NULL; return fileName; } VOID PhEnumeratePlugins( _In_ PPH_PLUGIN_ENUMERATE Callback, _In_opt_ PVOID Context ) { PPH_AVL_LINKS links; for (links = PhMinimumElementAvlTree(&PhPluginsByName); links; links = PhSuccessorElementAvlTree(links)) { PPH_PLUGIN plugin = CONTAINING_RECORD(links, PH_PLUGIN, Links); if (!NT_SUCCESS(Callback(plugin, Context))) break; } } ================================================ FILE: SystemInformer/plugman.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * dmex 2017-2023 * */ #include #include #include #include #include #include #define WM_PH_PLUGINS_SHOWPROPERTIES (WM_APP + 401) typedef struct _PH_PLUGMAN_CONTEXT { HWND WindowHandle; HWND TreeNewHandle; HFONT NormalFontHandle; HFONT TitleFontHandle; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; PH_LAYOUT_MANAGER LayoutManager; } PH_PLUGMAN_CONTEXT, *PPH_PLUGMAN_CONTEXT; typedef enum _PH_PLUGIN_TREE_ITEM_MENU { PH_PLUGIN_TREE_ITEM_MENU_UNINSTALL, PH_PLUGIN_TREE_ITEM_MENU_DISABLE, PH_PLUGIN_TREE_ITEM_MENU_PROPERTIES } PH_PLUGIN_TREE_ITEM_MENU; typedef enum _PH_PLUGIN_TREE_COLUMN_ITEM { PH_PLUGIN_TREE_COLUMN_ITEM_NAME, PH_PLUGIN_TREE_COLUMN_ITEM_VERSION, PH_PLUGIN_TREE_COLUMN_ITEM_MAXIMUM } PH_PLUGIN_TREE_COLUMN_ITEM; typedef struct _PH_PLUGIN_TREE_ROOT_NODE { PH_TREENEW_NODE Node; BOOLEAN PluginOptions; PPH_PLUGIN PluginInstance; PPH_STRING InternalName; PPH_STRING Name; PPH_STRING Version; PPH_STRING Description; PH_STRINGREF TextCache[PH_PLUGIN_TREE_COLUMN_ITEM_MAXIMUM]; } PH_PLUGIN_TREE_ROOT_NODE, *PPH_PLUGIN_TREE_ROOT_NODE; INT_PTR CALLBACK PhpPluginPropertiesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); ULONG PhpDisabledPluginsCount( VOID ); INT_PTR CALLBACK PhpPluginsDisabledDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); #pragma region Plugin TreeList #define SORT_FUNCTION(Column) PluginsTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PluginsTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_PLUGIN_TREE_ROOT_NODE node1 = *(PPH_PLUGIN_TREE_ROOT_NODE*)_elem1; \ PPH_PLUGIN_TREE_ROOT_NODE node2 = *(PPH_PLUGIN_TREE_ROOT_NODE*)_elem2; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Node.Index, (ULONG_PTR)node2->Node.Index); \ \ return PhModifySort(sortResult, ((PPH_PLUGMAN_CONTEXT)_context)->TreeNewSortOrder); \ } BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNull(node1->Name, node2->Name, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Version) { sortResult = PhCompareStringWithNull(node1->Version, node2->Version, TRUE); } END_SORT_FUNCTION VOID PluginsLoadSettingsTreeList( _Inout_ PPH_PLUGMAN_CONTEXT Context ) { PPH_STRING settings; settings = PhGetStringSetting(SETTING_PLUGIN_MANAGER_TREE_LIST_COLUMNS); PhCmLoadSettings(Context->TreeNewHandle, &settings->sr); PhDereferenceObject(settings); } VOID PluginsSaveSettingsTreeList( _Inout_ PPH_PLUGMAN_CONTEXT Context ) { PPH_STRING settings; settings = PhCmSaveSettings(Context->TreeNewHandle); PhSetStringSetting2(SETTING_PLUGIN_MANAGER_TREE_LIST_COLUMNS, &settings->sr); PhDereferenceObject(settings); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PluginsNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_PLUGIN_TREE_ROOT_NODE node1 = *(PPH_PLUGIN_TREE_ROOT_NODE *)Entry1; PPH_PLUGIN_TREE_ROOT_NODE node2 = *(PPH_PLUGIN_TREE_ROOT_NODE *)Entry2; return PhEqualString(node1->InternalName, node2->InternalName, TRUE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PluginsNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashStringRef(&(*(PPH_PLUGIN_TREE_ROOT_NODE*)Entry)->InternalName->sr, TRUE); } VOID DestroyPluginsNode( _In_ PPH_PLUGIN_TREE_ROOT_NODE Node ) { PhClearReference(&Node->InternalName); PhClearReference(&Node->Name); PhClearReference(&Node->Version); PhClearReference(&Node->Description); PhFree(Node); } PPH_PLUGIN_TREE_ROOT_NODE AddPluginsNode( _Inout_ PPH_PLUGMAN_CONTEXT Context, _In_ PPH_PLUGIN Plugin ) { PPH_PLUGIN_TREE_ROOT_NODE pluginNode; PH_IMAGE_VERSION_INFO versionInfo; PPH_STRING fileName; pluginNode = PhAllocate(sizeof(PH_PLUGIN_TREE_ROOT_NODE)); memset(pluginNode, 0, sizeof(PH_PLUGIN_TREE_ROOT_NODE)); PhInitializeTreeNewNode(&pluginNode->Node); memset(pluginNode->TextCache, 0, sizeof(PH_STRINGREF) * PH_PLUGIN_TREE_COLUMN_ITEM_MAXIMUM); pluginNode->Node.TextCache = pluginNode->TextCache; pluginNode->Node.TextCacheSize = PH_PLUGIN_TREE_COLUMN_ITEM_MAXIMUM; pluginNode->PluginInstance = Plugin; pluginNode->PluginOptions = Plugin->Information.HasOptions; pluginNode->InternalName = PhCreateString2(&Plugin->Name); if (Plugin->Information.DisplayName) pluginNode->Name = PhCreateString(Plugin->Information.DisplayName); if (Plugin->Information.Description) pluginNode->Description = PhCreateString(Plugin->Information.Description); if (fileName = PhGetPluginFileName(Plugin)) { if (NT_SUCCESS(PhInitializeImageVersionInfoEx(&versionInfo, &fileName->sr, FALSE))) { pluginNode->Version = PhReferenceObject(versionInfo.FileVersion); PhDeleteImageVersionInfo(&versionInfo); } PhDereferenceObject(fileName); } PhAddEntryHashtable(Context->NodeHashtable, &pluginNode); PhAddItemList(Context->NodeList, pluginNode); TreeNew_NodesStructured(Context->TreeNewHandle); return pluginNode; } PPH_PLUGIN_TREE_ROOT_NODE FindPluginsNode( _In_ PPH_PLUGMAN_CONTEXT Context, _In_ PPH_STRING InternalName ) { PH_PLUGIN_TREE_ROOT_NODE lookupPluginsNode; PPH_PLUGIN_TREE_ROOT_NODE lookupPluginsNodePtr = &lookupPluginsNode; PPH_PLUGIN_TREE_ROOT_NODE *pluginsNode; lookupPluginsNode.InternalName = InternalName; pluginsNode = (PPH_PLUGIN_TREE_ROOT_NODE*)PhFindEntryHashtable( Context->NodeHashtable, &lookupPluginsNodePtr ); if (pluginsNode) return *pluginsNode; else return NULL; } VOID RemovePluginsNode( _In_ PPH_PLUGMAN_CONTEXT Context, _In_ PPH_PLUGIN_TREE_ROOT_NODE Node ) { ULONG index = 0; PhRemoveEntryHashtable(Context->NodeHashtable, &Node); if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) { PhRemoveItemList(Context->NodeList, index); } DestroyPluginsNode(Node); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID UpdatePluginsNode( _In_ PPH_PLUGMAN_CONTEXT Context, _In_ PPH_PLUGIN_TREE_ROOT_NODE Node ) { memset(Node->TextCache, 0, sizeof(PH_STRINGREF) * PH_PLUGIN_TREE_COLUMN_ITEM_MAXIMUM); PhInvalidateTreeNewNode(&Node->Node, TN_CACHE_COLOR); TreeNew_NodesStructured(Context->TreeNewHandle); } BOOLEAN NTAPI PluginsTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_PLUGMAN_CONTEXT context = Context; PPH_PLUGIN_TREE_ROOT_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_PLUGIN_TREE_ROOT_NODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Name), //SORT_FUNCTION(Author), SORT_FUNCTION(Version) }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PH_PLUGIN_TREE_COLUMN_ITEM_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < PH_PLUGIN_TREE_COLUMN_ITEM_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = (PPH_TREENEW_IS_LEAF)Parameter1; node = (PPH_PLUGIN_TREE_ROOT_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPH_PLUGIN_TREE_ROOT_NODE)getCellText->Node; switch (getCellText->Id) { case PH_PLUGIN_TREE_COLUMN_ITEM_NAME: getCellText->Text = PhGetStringRef(node->Name); break; case PH_PLUGIN_TREE_COLUMN_ITEM_VERSION: getCellText->Text = PhGetStringRef(node->Version); break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; node = (PPH_PLUGIN_TREE_ROOT_NODE)getNodeColor->Node; getNodeColor->Flags = TN_CACHE | TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->WindowHandle, WM_COMMAND, ID_OBJECT_COPY, 0); break; case VK_DELETE: SendMessage(context->WindowHandle, WM_COMMAND, ID_OBJECT_CLOSE, 0); break; } } return TRUE; case TreeNewLeftDoubleClick: { PPH_TREENEW_MOUSE_EVENT mouseEvent = Parameter1; SendMessage(context->WindowHandle, WM_COMMAND, WM_PH_PLUGINS_SHOWPROPERTIES, (LPARAM)mouseEvent); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; SendMessage(context->WindowHandle, WM_COMMAND, ID_SHOWCONTEXTMENU, (LPARAM)contextMenuEvent); } return TRUE; //case TreeNewHeaderRightClick: // { // PH_TN_COLUMN_MENU_DATA data; // // data.TreeNewHandle = WindowHandle; // data.MouseEvent = Parameter1; // data.DefaultSortColumn = 0; // data.DefaultSortOrder = AscendingSortOrder; // PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); // // data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, // PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); // PhHandleTreeNewColumnMenu(&data); // PhDeleteTreeNewColumnMenu(&data); // } // return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; RECT rect; rect = customDraw->CellRect; node = (PPH_PLUGIN_TREE_ROOT_NODE)customDraw->Node; switch (customDraw->Column->Id) { case PH_PLUGIN_TREE_COLUMN_ITEM_NAME: { PH_STRINGREF text; SIZE nameSize; SIZE textSize; LONG dpiValue; dpiValue = PhGetWindowDpi(WindowHandle); rect.left += PhGetDpi(15, dpiValue); rect.top += PhGetDpi(5, dpiValue); rect.right -= PhGetDpi(5, dpiValue); rect.bottom -= PhGetDpi(8, dpiValue); // top if (PhEnableThemeSupport) SetTextColor(customDraw->Dc, GetSysColor(COLOR_HIGHLIGHTTEXT)); else SetTextColor(customDraw->Dc, RGB(0x0, 0x0, 0x0)); SelectFont(customDraw->Dc, context->TitleFontHandle); text = PhIsNullOrEmptyString(node->Name) ? PhGetStringRef(node->InternalName) : PhGetStringRef(node->Name); GetTextExtentPoint32(customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &nameSize); DrawText(customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &rect, DT_TOP | DT_LEFT | DT_END_ELLIPSIS | DT_SINGLELINE); // bottom if (PhEnableThemeSupport) SetTextColor(customDraw->Dc, RGB(0x90, 0x90, 0x90)); else SetTextColor(customDraw->Dc, RGB(0x64, 0x64, 0x64)); SelectFont(customDraw->Dc, context->NormalFontHandle); text = PhGetStringRef(node->Description); GetTextExtentPoint32(customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &textSize); DrawText( customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &rect, DT_BOTTOM | DT_LEFT | DT_END_ELLIPSIS | DT_SINGLELINE ); } break; } } return TRUE; } return FALSE; } VOID ClearPluginsTree( _In_ PPH_PLUGMAN_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) DestroyPluginsNode(Context->NodeList->Items[i]); PhClearHashtable(Context->NodeHashtable); PhClearList(Context->NodeList); TreeNew_NodesStructured(Context->TreeNewHandle); } PPH_PLUGIN_TREE_ROOT_NODE GetSelectedPluginsNode( _In_ PPH_PLUGMAN_CONTEXT Context ) { PPH_PLUGIN_TREE_ROOT_NODE pluginNode = NULL; for (ULONG i = 0; i < Context->NodeList->Count; i++) { pluginNode = Context->NodeList->Items[i]; if (pluginNode->Node.Selected) return pluginNode; } return NULL; } _Success_(return) BOOLEAN GetSelectedPluginsNodes( _In_ PPH_PLUGMAN_CONTEXT Context, _Out_ PPH_PLUGIN_TREE_ROOT_NODE **Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_PLUGIN_TREE_ROOT_NODE node = (PPH_PLUGIN_TREE_ROOT_NODE)Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } VOID InitializePluginsTree( _Inout_ PPH_PLUGMAN_CONTEXT Context ) { LONG dpiValue; dpiValue = PhGetWindowDpi(Context->WindowHandle); Context->NodeList = PhCreateList(20); Context->NodeHashtable = PhCreateHashtable( sizeof(PPH_PLUGIN_TREE_ROOT_NODE), PluginsNodeHashtableEqualFunction, PluginsNodeHashtableHashFunction, 20 ); Context->NormalFontHandle = PhCreateCommonFont(-10, FW_NORMAL, NULL, dpiValue); Context->TitleFontHandle = PhCreateCommonFont(-14, FW_BOLD, NULL, dpiValue); PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetCallback(Context->TreeNewHandle, PluginsTreeNewCallback, Context); TreeNew_SetRowHeight(Context->TreeNewHandle, PhGetDpi(48, dpiValue)); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); PhAddTreeNewColumnEx2(Context->TreeNewHandle, PH_PLUGIN_TREE_COLUMN_ITEM_NAME, TRUE, L"Plugin", 80, PH_ALIGN_LEFT, 0, 0, TN_COLUMN_FLAG_CUSTOMDRAW); //PhAddTreeNewColumnEx2(Context->TreeNewHandle, PH_PLUGIN_TREE_COLUMN_ITEM_AUTHOR, TRUE, L"Author", 80, PH_ALIGN_LEFT, 1, 0, 0); //PhAddTreeNewColumnEx2(Context->TreeNewHandle, PH_PLUGIN_TREE_COLUMN_ITEM_VERSION, TRUE, L"Version", 80, PH_ALIGN_CENTER, 2, DT_CENTER, 0); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); TreeNew_SetTriState(Context->TreeNewHandle, TRUE); PluginsLoadSettingsTreeList(Context); } VOID DeletePluginsTree( _In_ PPH_PLUGMAN_CONTEXT Context ) { if (Context->TitleFontHandle) DeleteFont(Context->TitleFontHandle); if (Context->NormalFontHandle) DeleteFont(Context->NormalFontHandle); PluginsSaveSettingsTreeList(Context); for (ULONG i = 0; i < Context->NodeList->Count; i++) DestroyPluginsNode(Context->NodeList->Items[i]); PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } #pragma endregion PPH_STRING PhpGetPluginBaseName( _In_ PPH_PLUGIN Plugin ) { PPH_STRING fileName; PPH_STRING baseName; if (fileName = PhGetPluginFileName(Plugin)) { PH_STRINGREF pathNamePart; PH_STRINGREF baseNamePart; if (PhSplitStringRefAtLastChar(&fileName->sr, OBJ_NAME_PATH_SEPARATOR, &pathNamePart, &baseNamePart)) { baseName = PhCreateString2(&baseNamePart); PhDereferenceObject(fileName); return baseName; } baseName = PhCreateString2(&Plugin->Name); PhDereferenceObject(fileName); return baseName; } else { // Fake disabled plugin. baseName = PhCreateString2(&Plugin->Name); return baseName; } } _Function_class_(PH_PLUGIN_ENUMERATE) NTSTATUS NTAPI PhpEnumeratePluginCallback( _In_ PPH_PLUGIN Information, _In_ PVOID Context ) { PPH_STRING pluginBaseName; pluginBaseName = PhpGetPluginBaseName(Information); if (!PhIsPluginDisabled(&pluginBaseName->sr)) { AddPluginsNode(Context, Information); } PhDereferenceObject(pluginBaseName); return STATUS_SUCCESS; } INT_PTR CALLBACK PhPluginsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PLUGMAN_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PH_PLUGMAN_CONTEXT)); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_PLUGINTREE); InitializePluginsTree(context); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_INSTRUCTION), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_LEFT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_DISABLED), NULL, PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); PhEnumeratePlugins(PhpEnumeratePluginCallback, context); TreeNew_AutoSizeColumn(context->TreeNewHandle, PH_PLUGIN_TREE_COLUMN_ITEM_NAME, TN_AUTOSIZE_REMAINING_SPACE); PhSetWindowText(GetDlgItem(hwndDlg, IDC_DISABLED), PhaFormatString(L"Disabled Plugins (%lu)", PhpDisabledPluginsCount())->Buffer); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhDeleteLayoutManager(&context->LayoutManager); DeletePluginsTree(context); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_DISABLED: { PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_PLUGINSDISABLED), hwndDlg, PhpPluginsDisabledDlgProc, NULL ); ClearPluginsTree(context); PhEnumeratePlugins(PhpEnumeratePluginCallback, context); TreeNew_AutoSizeColumn(context->TreeNewHandle, PH_PLUGIN_TREE_COLUMN_ITEM_NAME, TN_AUTOSIZE_REMAINING_SPACE); PhSetWindowText(GetDlgItem(hwndDlg, IDC_DISABLED), PhaFormatString(L"Disabled Plugins (%lu)", PhpDisabledPluginsCount())->Buffer); } break; case ID_SHOWCONTEXTMENU: { PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; //PPH_EMENU_ITEM uninstallItem; PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_PLUGIN_TREE_ROOT_NODE selectedNode = (PPH_PLUGIN_TREE_ROOT_NODE)contextMenuEvent->Node; if (!selectedNode) break; menu = PhCreateEMenu(); //PhInsertEMenuItem(menu, uninstallItem = PhCreateEMenuItem(0, PH_PLUGIN_TREE_ITEM_MENU_UNINSTALL, L"Uninstall", NULL, NULL), ULONG_MAX); //PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_PLUGIN_TREE_ITEM_MENU_DISABLE, L"Disable", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_PLUGIN_TREE_ITEM_MENU_PROPERTIES, L"Properties", NULL, NULL), ULONG_MAX); //if (!PhGetOwnTokenAttributes().Elevated) //{ // HBITMAP shieldBitmap; // // if (shieldBitmap = PhGetShieldBitmap()) // uninstallItem->Bitmap = shieldBitmap; //} selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { switch (selectedItem->Id) { case PH_PLUGIN_TREE_ITEM_MENU_UNINSTALL: { //if (PhShowConfirmMessage( // hwndDlg, // L"Uninstall", // PhGetString(selectedNode->Name), // L"Changes may require a restart to take effect...", // TRUE // )) //{ // //} } break; case PH_PLUGIN_TREE_ITEM_MENU_DISABLE: { PPH_STRING baseName = PhpGetPluginBaseName(selectedNode->PluginInstance); PhSetPluginDisabled(&baseName->sr, TRUE); RemovePluginsNode(context, selectedNode); PhSetWindowText(GetDlgItem(hwndDlg, IDC_DISABLED), PhaFormatString(L"Disabled Plugins (%lu)", PhpDisabledPluginsCount())->Buffer); PhDereferenceObject(baseName); } break; case PH_PLUGIN_TREE_ITEM_MENU_PROPERTIES: { PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_PLUGINPROPERTIES), hwndDlg, PhpPluginPropertiesDlgProc, selectedNode->PluginInstance ); } break; } } } break; case WM_PH_PLUGINS_SHOWPROPERTIES: { PPH_TREENEW_MOUSE_EVENT mouseEvent = (PPH_TREENEW_MOUSE_EVENT)lParam; PPH_PLUGIN_TREE_ROOT_NODE selectedNode = (PPH_PLUGIN_TREE_ROOT_NODE)mouseEvent->Node; if (!selectedNode) break; PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_PLUGINPROPERTIES), hwndDlg, PhpPluginPropertiesDlgProc, selectedNode->PluginInstance ); } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); TreeNew_AutoSizeColumn(context->TreeNewHandle, PH_PLUGIN_TREE_COLUMN_ITEM_NAME, TN_AUTOSIZE_REMAINING_SPACE); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } //NTSTATUS PhpPluginsDialogThreadStart( // _In_ PVOID Parameter // ) //{ // BOOL result; // MSG message; // PH_AUTO_POOL autoPool; // // PhInitializeAutoPool(&autoPool); // // PhPluginsWindowHandle = PhCreateDialog( // PhInstanceHandle, // MAKEINTRESOURCE(IDD_PLUGINS), // NULL, // PhPluginsDlgProc, // NULL // ); // // PhSetEvent(&PhPluginsInitializedEvent); // // while (result = GetMessage(&message, NULL, 0, 0)) // { // if (result == -1) // break; // // if (!IsDialogMessage(PhPluginsWindowHandle, &message)) // { // TranslateMessage(&message); // DispatchMessage(&message); // } // // PhDrainAutoPool(&autoPool); // } // // PhDeleteAutoPool(&autoPool); // PhResetEvent(&PhPluginsInitializedEvent); // // if (PhPluginsThreadHandle) // { // NtClose(PhPluginsThreadHandle); // PhPluginsThreadHandle = NULL; // } // // return STATUS_SUCCESS; //} // //VOID PhShowPluginsDialog( // _In_ HWND ParentWindowHandle // ) //{ // if (PhPluginsEnabled) // { // if (!PhPluginsThreadHandle) // { // if (!NT_SUCCESS(PhCreateThreadEx(&PhPluginsThreadHandle, PhpPluginsDialogThreadStart, NULL))) // { // PhShowError(PhMainWndHandle, L"%s", L"Unable to create the window."); // return; // } // // PhWaitForEvent(&PhPluginsInitializedEvent, NULL); // } // // PostMessage(PhPluginsWindowHandle, WM_PH_PLUGINS_SHOWDIALOG, 0, 0); // } // else // { // PhShowInformation2( // ParentWindowHandle, // L"Plugins are not enabled.", // L"%s", // L"To use plugins enable them in Options and restart System Informer." // ); // } //} VOID PhpRefreshPluginDetails( _In_ HWND hwndDlg, _In_ PPH_PLUGIN SelectedPlugin ) { PPH_STRING fileName = NULL; PPH_STRING baseName = NULL; PH_IMAGE_VERSION_INFO versionInfo; if (fileName = PhGetPluginFileName(SelectedPlugin)) baseName = PH_AUTO(PhGetBaseName(fileName)); PhSetDialogItemText(hwndDlg, IDC_NAME, SelectedPlugin->Information.DisplayName ? SelectedPlugin->Information.DisplayName : L"(unnamed)"); PhSetDialogItemText(hwndDlg, IDC_INTERNALNAME, SelectedPlugin->Name.Buffer); PhSetDialogItemText(hwndDlg, IDC_AUTHOR, SelectedPlugin->Information.Author); PhSetDialogItemText(hwndDlg, IDC_FILENAME, PhGetStringOrEmpty(baseName)); PhSetDialogItemText(hwndDlg, IDC_DESCRIPTION, SelectedPlugin->Information.Description); PhSetDialogItemText(hwndDlg, IDC_URL, SelectedPlugin->Information.Url); if (fileName && NT_SUCCESS(PhInitializeImageVersionInfoEx(&versionInfo, &fileName->sr, FALSE))) { PhSetDialogItemText(hwndDlg, IDC_VERSION, PhGetStringOrDefault(versionInfo.FileVersion, L"Unknown")); PhDeleteImageVersionInfo(&versionInfo); } else { PhSetDialogItemText(hwndDlg, IDC_VERSION, L"Unknown"); } ShowWindow(GetDlgItem(hwndDlg, IDC_OPENURL), SelectedPlugin->Information.Url ? SW_SHOW : SW_HIDE); EnableWindow(GetDlgItem(hwndDlg, IDC_OPTIONS), SelectedPlugin->Information.HasOptions); PhClearReference(&fileName); } INT_PTR CALLBACK PhpPluginPropertiesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PLUGIN selectedPlugin = NULL; if (uMsg == WM_INITDIALOG) { selectedPlugin = (PPH_PLUGIN)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, selectedPlugin); } else { selectedPlugin = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); if (uMsg == WM_DESTROY) { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } } if (selectedPlugin == NULL) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhpRefreshPluginDetails(hwndDlg, selectedPlugin); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; case IDC_OPTIONS: { PhInvokeCallback(PhGetPluginCallback(selectedPlugin, PluginCallbackShowOptions), hwndDlg); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case NM_CLICK: { if (header->hwndFrom == GetDlgItem(hwndDlg, IDC_OPENURL)) { PhShellExecute(hwndDlg, selectedPlugin->Information.Url, NULL); } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } typedef struct _PLUGIN_DISABLED_CONTEXT { PH_QUEUED_LOCK ListLock; HWND DialogHandle; HWND ListViewHandle; } PLUGIN_DISABLED_CONTEXT, *PPLUGIN_DISABLED_CONTEXT; VOID PhpAddDisabledPlugins( _In_ PPLUGIN_DISABLED_CONTEXT Context ) { PPH_STRING disabled; PH_STRINGREF remainingPart; PH_STRINGREF part; PPH_STRING displayText; INT lvItemIndex; disabled = PhGetStringSetting(SETTING_DISABLED_PLUGINS); remainingPart = disabled->sr; while (remainingPart.Length) { PhSplitStringRefAtChar(&remainingPart, L'|', &part, &remainingPart); if (part.Length) { displayText = PhCreateString2(&part); PhAcquireQueuedLockExclusive(&Context->ListLock); lvItemIndex = PhAddListViewItem(Context->ListViewHandle, MAXINT, PhGetString(displayText), displayText); PhReleaseQueuedLockExclusive(&Context->ListLock); ListView_SetCheckState(Context->ListViewHandle, lvItemIndex, TRUE); } } PhDereferenceObject(disabled); } ULONG PhpDisabledPluginsCount( VOID ) { PPH_STRING disabled; PH_STRINGREF remainingPart; PH_STRINGREF part; ULONG count = 0; disabled = PhGetStringSetting(SETTING_DISABLED_PLUGINS); remainingPart = disabled->sr; while (remainingPart.Length) { PhSplitStringRefAtChar(&remainingPart, L'|', &part, &remainingPart); if (part.Length) count++; } PhDereferenceObject(disabled); return count; } INT_PTR CALLBACK PhpPluginsDisabledDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPLUGIN_DISABLED_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = PhAllocate(sizeof(PLUGIN_DISABLED_CONTEXT)); memset(context, 0, sizeof(PLUGIN_DISABLED_CONTEXT)); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); if (uMsg == WM_DESTROY) { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhFree(context); context = NULL; } } if (context == NULL) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->DialogHandle = hwndDlg; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST_DISABLED); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); ListView_SetExtendedListViewStyleEx(context->ListViewHandle, LVS_EX_CHECKBOXES | LVS_EX_FULLROWSELECT | LVS_EX_DOUBLEBUFFER, LVS_EX_CHECKBOXES | LVS_EX_FULLROWSELECT | LVS_EX_DOUBLEBUFFER); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 400, L"Property"); PhSetExtendedListView(context->ListViewHandle); PhpAddDisabledPlugins(context); ExtendedListView_SetColumnWidth(context->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; if (header->code == LVN_ITEMCHANGED) { LPNM_LISTVIEW listView = (LPNM_LISTVIEW)lParam; if (!PhTryAcquireReleaseQueuedLockExclusive(&context->ListLock)) break; if (listView->uChanged & LVIF_STATE) { switch (listView->uNewState & LVIS_STATEIMAGEMASK) { case INDEXTOSTATEIMAGEMASK(2): // checked { PPH_STRING param = (PPH_STRING)listView->lParam; PhSetPluginDisabled(¶m->sr, TRUE); } break; case INDEXTOSTATEIMAGEMASK(1): // unchecked { PPH_STRING param = (PPH_STRING)listView->lParam; PhSetPluginDisabled(¶m->sr, FALSE); } break; } } } } break; } return FALSE; } ================================================ FILE: SystemInformer/procgrp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015 * */ #include #include #include #include typedef struct _PHP_PROCESS_DATA { PPH_PROCESS_NODE Process; LIST_ENTRY ListEntry; HWND WindowHandle; } PHP_PROCESS_DATA, *PPHP_PROCESS_DATA; PPH_LIST PhpCreateProcessDataList( _In_ PPH_LIST Processes ) { PPH_LIST processDataList; ULONG i; processDataList = PhCreateList(Processes->Count); for (i = 0; i < Processes->Count; i++) { PPH_PROCESS_NODE process = Processes->Items[i]; PPHP_PROCESS_DATA processData; if (PH_IS_FAKE_PROCESS_ID(process->ProcessId) || process->ProcessId == SYSTEM_IDLE_PROCESS_ID) continue; processData = PhAllocate(sizeof(PHP_PROCESS_DATA)); memset(processData, 0, sizeof(PHP_PROCESS_DATA)); processData->Process = process; PhAddItemList(processDataList, processData); } return processDataList; } VOID PhpDestroyProcessDataList( _In_ PPH_LIST List ) { ULONG i; for (i = 0; i < List->Count; i++) { PPHP_PROCESS_DATA processData = List->Items[i]; PhFree(processData); } PhDereferenceObject(List); } VOID PhpProcessDataListToLinkedList( _In_ PPH_LIST List, _Out_ PLIST_ENTRY ListHead ) { ULONG i; InitializeListHead(ListHead); for (i = 0; i < List->Count; i++) { PPHP_PROCESS_DATA processData = List->Items[i]; InsertTailList(ListHead, &processData->ListEntry); } } VOID PhpProcessDataListToHashtable( _In_ PPH_LIST List, _Out_ PPH_HASHTABLE *Hashtable ) { PPH_HASHTABLE hashtable; ULONG i; hashtable = PhCreateSimpleHashtable(List->Count); for (i = 0; i < List->Count; i++) { PPHP_PROCESS_DATA processData = List->Items[i]; PhAddItemSimpleHashtable(hashtable, processData->Process->ProcessId, processData); } *Hashtable = hashtable; } typedef struct _QUERY_WINDOWS_CONTEXT { PPH_HASHTABLE ProcessDataHashtable; } QUERY_WINDOWS_CONTEXT, *PQUERY_WINDOWS_CONTEXT; _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhpQueryWindowsEnumWindowsProc( _In_ HWND WindowHandle, _In_opt_ PVOID Context ) { PQUERY_WINDOWS_CONTEXT context = (PQUERY_WINDOWS_CONTEXT)Context; CLIENT_ID clientId; PPHP_PROCESS_DATA processData; HWND parentWindow; if (!IsWindowVisible(WindowHandle)) return TRUE; if (!NT_SUCCESS(PhGetWindowClientId(WindowHandle, &clientId))) return TRUE; processData = PhFindItemSimpleHashtable2(context->ProcessDataHashtable, clientId.UniqueProcess); if (!processData || processData->WindowHandle) return TRUE; parentWindow = GetParent(WindowHandle); if (!(parentWindow && IsWindowVisible(parentWindow)) && // Skip windows with a visible parent PhGetWindowTextEx(WindowHandle, PH_GET_WINDOW_TEXT_INTERNAL | PH_GET_WINDOW_TEXT_LENGTH_ONLY, NULL) != 0) // Skip windows with no title { processData->WindowHandle = WindowHandle; } return TRUE; } PPH_STRING PhpGetRelevantFileName( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Flags ) { if (Flags & PH_GROUP_PROCESSES_FILE_PATH) return ProcessItem->FileName; else return ProcessItem->ProcessName; } BOOLEAN PhpEqualFileNameAndUserName( _In_ PPH_STRING FileName, _In_ PSID UserSid, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Flags ) { PPH_STRING otherFileName; PSID otherUserSid; otherFileName = PhpGetRelevantFileName(ProcessItem, Flags); otherUserSid = ProcessItem->Sid; return otherFileName && PhEqualString(otherFileName, FileName, TRUE) && otherUserSid && PhEqualSid(otherUserSid, UserSid); } PPHP_PROCESS_DATA PhpFindGroupRoot( _In_ PPHP_PROCESS_DATA ProcessData, _In_ PPH_HASHTABLE ProcessDataHashtable, _In_ ULONG Flags ) { PPH_PROCESS_NODE root; PPHP_PROCESS_DATA rootProcessData; PPH_PROCESS_NODE parent; PPHP_PROCESS_DATA processData; PPH_STRING fileName; PPH_STRING userSid; root = ProcessData->Process; rootProcessData = ProcessData; fileName = PhpGetRelevantFileName(ProcessData->Process->ProcessItem, Flags); userSid = ProcessData->Process->ProcessItem->Sid; if (ProcessData->WindowHandle) return rootProcessData; while (parent = root->Parent) { if ((processData = PhFindItemSimpleHashtable2(ProcessDataHashtable, parent->ProcessId)) && PhpEqualFileNameAndUserName(fileName, userSid, parent->ProcessItem, Flags)) { root = parent; rootProcessData = processData; if (processData->WindowHandle) break; } else { break; } } return rootProcessData; } VOID PhpAddGroupMember( _In_ PPHP_PROCESS_DATA ProcessData, _Inout_ PPH_LIST List ) { PhReferenceObject(ProcessData->Process->ProcessItem); PhAddItemList(List, ProcessData->Process->ProcessItem); RemoveEntryList(&ProcessData->ListEntry); } VOID PhpAddGroupMembersFromRoot( _In_ PPHP_PROCESS_DATA ProcessData, _Inout_ PPH_LIST List, _In_ PPH_HASHTABLE ProcessDataHashtable, _In_ ULONG Flags ) { PPH_STRING fileName; PSID userSid; ULONG i; PhpAddGroupMember(ProcessData, List); fileName = PhpGetRelevantFileName(ProcessData->Process->ProcessItem, Flags); userSid = ProcessData->Process->ProcessItem->Sid; for (i = 0; i < ProcessData->Process->Children->Count; i++) { PPH_PROCESS_NODE node = ProcessData->Process->Children->Items[i]; PPHP_PROCESS_DATA processData; if ((processData = PhFindItemSimpleHashtable2(ProcessDataHashtable, node->ProcessId)) && PhpEqualFileNameAndUserName(fileName, userSid, node->ProcessItem, Flags) && node->ProcessItem->Sid && PhEqualSid(node->ProcessItem->Sid, userSid) && !processData->WindowHandle) { PhpAddGroupMembersFromRoot(processData, List, ProcessDataHashtable, Flags); } } } PPH_LIST PhCreateProcessGroupList( _In_opt_ PPH_SORT_LIST_FUNCTION SortListFunction, _In_opt_ PVOID Context, _In_ ULONG MaximumGroups, _In_ ULONG Flags ) { PPH_LIST processList; PPH_LIST processDataList; LIST_ENTRY processDataListHead; // We will be removing things from this list as we group processes together PPH_HASHTABLE processDataHashtable; // Process ID to process data hashtable QUERY_WINDOWS_CONTEXT queryWindowsContext; PPH_LIST processGroupList; // We group together processes that share a common ancestor and have the same file name, where // the ancestor must have a visible window and all other processes in the group do not have a // visible window. All processes in the group must have the same user name. All ancestors up to // the lowest common ancestor must have the same file name and user name. // // The current algorithm is greedy and may not detect groups that have many processes, each with // a small usage amount. processList = PhDuplicateProcessNodeList(); if (SortListFunction) SortListFunction(processList, Context); processDataList = PhpCreateProcessDataList(processList); PhDereferenceObject(processList); PhpProcessDataListToLinkedList(processDataList, &processDataListHead); PhpProcessDataListToHashtable(processDataList, &processDataHashtable); queryWindowsContext.ProcessDataHashtable = processDataHashtable; PhEnumChildWindows(NULL, PhpQueryWindowsEnumWindowsProc, &queryWindowsContext); processGroupList = PhCreateList(10); while (processDataListHead.Flink != &processDataListHead && processGroupList->Count < MaximumGroups) { PPHP_PROCESS_DATA processData = CONTAINING_RECORD(processDataListHead.Flink, PHP_PROCESS_DATA, ListEntry); PPH_PROCESS_GROUP processGroup; PPH_STRING fileName; PSID userSid; processGroup = PhAllocateZero(sizeof(PH_PROCESS_GROUP)); processGroup->Processes = PhCreateList(4); fileName = PhpGetRelevantFileName(processData->Process->ProcessItem, Flags); userSid = processData->Process->ProcessItem->Sid; if (PhIsNullOrEmptyString(fileName) || !PhValidSid(userSid) || (Flags & PH_GROUP_PROCESSES_DONT_GROUP)) { processGroup->Representative = processData->Process->ProcessItem; PhpAddGroupMember(processData, processGroup->Processes); } else { processData = PhpFindGroupRoot(processData, processDataHashtable, Flags); processGroup->Representative = processData->Process->ProcessItem; PhpAddGroupMembersFromRoot(processData, processGroup->Processes, processDataHashtable, Flags); } processGroup->WindowHandle = processData->WindowHandle; PhAddItemList(processGroupList, processGroup); } PhDereferenceObject(processDataHashtable); PhpDestroyProcessDataList(processDataList); return processGroupList; } VOID PhFreeProcessGroupList( _In_ PPH_LIST List ) { for (ULONG i = 0; i < List->Count; i++) { PPH_PROCESS_GROUP processGroup = List->Items[i]; PhDereferenceObjects(processGroup->Processes->Items, processGroup->Processes->Count); PhClearReference(&processGroup->Processes); PhFree(processGroup); } PhClearList(List); PhDereferenceObject(List); } ================================================ FILE: SystemInformer/procmtgn.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * */ #include #include NTSTATUS PhpCopyProcessMitigationPolicy( _Inout_ PNTSTATUS Status, _In_ HANDLE ProcessHandle, _In_ PROCESS_MITIGATION_POLICY Policy, _In_ SIZE_T Offset, _In_ SIZE_T Size, _Out_writes_bytes_(Size) PVOID Destination ) { NTSTATUS status; PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; policyInfo.Policy = Policy; status = NtQueryInformationProcess( ProcessHandle, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL ); if (!NT_SUCCESS(status)) { if (*Status == STATUS_NONE_MAPPED) *Status = status; return status; } memcpy(Destination, PTR_ADD_OFFSET(&policyInfo, Offset), Size); *Status = STATUS_SUCCESS; return status; } NTSTATUS PhGetProcessMitigationPolicyAllInformation( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION Information ) { NTSTATUS status = STATUS_NONE_MAPPED; NTSTATUS subStatus; #ifdef _WIN64 BOOLEAN isWow64; #endif ULONG depStatus; memset(Information, 0, sizeof(PH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION)); #ifdef _WIN64 if (NT_SUCCESS(subStatus = PhGetProcessIsWow64(ProcessHandle, &isWow64)) && !isWow64) { depStatus = PH_PROCESS_DEP_ENABLED | PH_PROCESS_DEP_PERMANENT; } else { #endif subStatus = PhGetProcessDepStatus(ProcessHandle, &depStatus); #ifdef _WIN64 } #endif if (NT_SUCCESS(subStatus)) { status = STATUS_SUCCESS; Information->DEPPolicy.Enable = !!(depStatus & PH_PROCESS_DEP_ENABLED); Information->DEPPolicy.DisableAtlThunkEmulation = !!(depStatus & PH_PROCESS_DEP_ATL_THUNK_EMULATION_DISABLED); Information->DEPPolicy.Permanent = !!(depStatus & PH_PROCESS_DEP_PERMANENT); Information->Pointers[ProcessDEPPolicy] = &Information->DEPPolicy; } else if (status == STATUS_NONE_MAPPED) { status = subStatus; } #define COPY_PROCESS_MITIGATION_POLICY(PolicyName, StructName) \ if (NT_SUCCESS(PhpCopyProcessMitigationPolicy(&status, ProcessHandle, Process##PolicyName##Policy, \ UFIELD_OFFSET(PROCESS_MITIGATION_POLICY_INFORMATION, PolicyName##Policy), \ sizeof(StructName), \ &Information->PolicyName##Policy))) \ { \ Information->Pointers[Process##PolicyName##Policy] = &Information->PolicyName##Policy; \ } COPY_PROCESS_MITIGATION_POLICY(ASLR, PROCESS_MITIGATION_ASLR_POLICY); COPY_PROCESS_MITIGATION_POLICY(DynamicCode, PROCESS_MITIGATION_DYNAMIC_CODE_POLICY); COPY_PROCESS_MITIGATION_POLICY(StrictHandleCheck, PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY); COPY_PROCESS_MITIGATION_POLICY(SystemCallDisable, PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY); COPY_PROCESS_MITIGATION_POLICY(ExtensionPointDisable, PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY); COPY_PROCESS_MITIGATION_POLICY(ControlFlowGuard, PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY); COPY_PROCESS_MITIGATION_POLICY(Signature, PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY); COPY_PROCESS_MITIGATION_POLICY(FontDisable, PROCESS_MITIGATION_FONT_DISABLE_POLICY); COPY_PROCESS_MITIGATION_POLICY(ImageLoad, PROCESS_MITIGATION_IMAGE_LOAD_POLICY); COPY_PROCESS_MITIGATION_POLICY(SystemCallFilter, PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY); // REDSTONE3 COPY_PROCESS_MITIGATION_POLICY(PayloadRestriction, PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY); COPY_PROCESS_MITIGATION_POLICY(ChildProcess, PROCESS_MITIGATION_CHILD_PROCESS_POLICY); COPY_PROCESS_MITIGATION_POLICY(SideChannelIsolation, PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY); // 19H1 COPY_PROCESS_MITIGATION_POLICY(UserShadowStack, PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY); // 20H1 COPY_PROCESS_MITIGATION_POLICY(RedirectionTrust, PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY); // 22H1 COPY_PROCESS_MITIGATION_POLICY(UserPointerAuth, PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY); COPY_PROCESS_MITIGATION_POLICY(SEHOP, PROCESS_MITIGATION_SEHOP_POLICY); COPY_PROCESS_MITIGATION_POLICY(ActivationContextTrust, PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2); return status; } _Success_(return) BOOLEAN PhDescribeProcessMitigationPolicy( _In_ PROCESS_MITIGATION_POLICY Policy, _In_ PVOID Data, _Out_opt_ PPH_STRING *ShortDescription, _Out_opt_ PPH_STRING *LongDescription ) { BOOLEAN result = FALSE; PH_STRING_BUILDER sb; switch (Policy) { case ProcessDEPPolicy: { PPROCESS_MITIGATION_DEP_POLICY data = Data; if (data->Enable) { if (ShortDescription) { PhInitializeStringBuilder(&sb, 20); PhAppendStringBuilder2(&sb, L"DEP"); if (data->Permanent) PhAppendStringBuilder2(&sb, L" (permanent)"); *ShortDescription = PhFinalStringBuilderString(&sb); } if (LongDescription) { PhInitializeStringBuilder(&sb, 50); PhAppendFormatStringBuilder(&sb, L"Data Execution Prevention (DEP) is%s enabled for this process.\r\n", data->Permanent ? L" permanently" : L""); if (data->DisableAtlThunkEmulation) PhAppendStringBuilder2(&sb, L"ATL thunk emulation is disabled.\r\n"); *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } } break; case ProcessASLRPolicy: { PPROCESS_MITIGATION_ASLR_POLICY data = Data; if (data->EnableBottomUpRandomization || data->EnableForceRelocateImages || data->EnableHighEntropy) { if (ShortDescription) { PhInitializeStringBuilder(&sb, 20); PhAppendStringBuilder2(&sb, L"ASLR"); if (data->EnableHighEntropy || data->EnableForceRelocateImages) { PhAppendStringBuilder2(&sb, L" ("); if (data->EnableHighEntropy) PhAppendStringBuilder2(&sb, L"high entropy, "); if (data->EnableForceRelocateImages) PhAppendStringBuilder2(&sb, L"force relocate, "); if (data->DisallowStrippedImages) PhAppendStringBuilder2(&sb, L"disallow stripped, "); if (PhEndsWithStringRef2(&sb.String->sr, L", ", FALSE)) PhRemoveEndStringBuilder(&sb, 2); PhAppendCharStringBuilder(&sb, L')'); } *ShortDescription = PhFinalStringBuilderString(&sb); } if (LongDescription) { PhInitializeStringBuilder(&sb, 100); PhAppendStringBuilder2(&sb, L"Address Space Layout Randomization is enabled for this process.\r\n"); if (data->EnableHighEntropy) PhAppendStringBuilder2(&sb, L"High entropy randomization is enabled.\r\n"); if (data->EnableForceRelocateImages) PhAppendStringBuilder2(&sb, L"All images are being forcibly relocated (regardless of whether they support ASLR).\r\n"); if (data->DisallowStrippedImages) PhAppendStringBuilder2(&sb, L"Images with stripped relocation data are disallowed.\r\n"); *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } } break; case ProcessDynamicCodePolicy: { PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY data = Data; if (data->ProhibitDynamicCode) { if (ShortDescription) *ShortDescription = PhCreateString(L"Dynamic code prohibited"); if (LongDescription) *LongDescription = PhCreateString(L"Dynamically loaded code is not allowed to execute.\r\n"); result = TRUE; } if (data->AllowThreadOptOut) { if (ShortDescription) *ShortDescription = PhCreateString(L"Dynamic code prohibited (per-thread)"); if (LongDescription) *LongDescription = PhCreateString(L"Allows individual threads to opt out of the restrictions on dynamic code generation.\r\n"); result = TRUE; } if (data->AllowRemoteDowngrade) { if (ShortDescription) *ShortDescription = PhCreateString(L"Dynamic code downgradable"); if (LongDescription) *LongDescription = PhCreateString(L"Allow non-AppContainer processes to modify all of the dynamic code settings for the calling process, including relaxing dynamic code restrictions after they have been set.\r\n"); result = TRUE; } } break; case ProcessStrictHandleCheckPolicy: { PPROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY data = Data; if (data->RaiseExceptionOnInvalidHandleReference) { if (ShortDescription) *ShortDescription = PhCreateString(L"Strict handle checks"); if (LongDescription) *LongDescription = PhCreateString(L"An exception is raised when an invalid handle is used by the process.\r\n"); result = TRUE; } } break; case ProcessSystemCallDisablePolicy: { PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY data = Data; if (data->DisallowWin32kSystemCalls) { if (ShortDescription) *ShortDescription = PhCreateString(L"Win32k system calls disabled"); if (LongDescription) *LongDescription = PhCreateString(L"Win32k (GDI/USER) system calls are not allowed.\r\n"); result = TRUE; } if (data->AuditDisallowWin32kSystemCalls) { if (ShortDescription) *ShortDescription = PhCreateString(L"Win32k system calls (Audit)"); if (LongDescription) *LongDescription = PhCreateString(L"Win32k (GDI/USER) system calls will trigger an ETW event.\r\n"); result = TRUE; } } break; case ProcessExtensionPointDisablePolicy: { PPROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY data = Data; if (data->DisableExtensionPoints) { if (ShortDescription) *ShortDescription = PhCreateString(L"Extension points disabled"); if (LongDescription) *LongDescription = PhCreateString(L"Legacy extension point DLLs cannot be loaded into the process. NOTE: Processes with uiAccess=true will automatically bypass this policy and inject legacy extension point DLLs regardless.\r\n"); result = TRUE; } } break; case ProcessControlFlowGuardPolicy: { PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY data = Data; if (data->EnableControlFlowGuard) { if (ShortDescription) { PhInitializeStringBuilder(&sb, 50); if (data->StrictMode) PhAppendStringBuilder2(&sb, L"Strict "); #if !defined(NTDDI_WIN10_CO) || (NTDDI_VERSION < NTDDI_WIN10_CO) if (_bittest((const PLONG)&data->Flags, 4)) #else if (data->EnableXfgAuditMode) #endif PhAppendStringBuilder2(&sb, L"Audit "); #if !defined(NTDDI_WIN10_CO) || (NTDDI_VERSION < NTDDI_WIN10_CO) PhAppendStringBuilder2(&sb, _bittest((const PLONG)&data->Flags, 3) ? L"XF Guard" : L"CF Guard"); #else PhAppendStringBuilder2(&sb, data->EnableXfg ? L"XF Guard" : L"CF Guard"); #endif *ShortDescription = PhFinalStringBuilderString(&sb); } if (LongDescription) { PhInitializeStringBuilder(&sb, 100); #if !defined(NTDDI_WIN10_CO) || (NTDDI_VERSION < NTDDI_WIN10_CO) if (_bittest((const PLONG)&data->Flags, 3)) #else if (data->EnableXfg) #endif { PhAppendStringBuilder2(&sb, L"Extended Control Flow Guard (XFG) is enabled for the process.\r\n"); if (data->EnableXfgAuditMode) PhAppendStringBuilder2(&sb, L"Audit XFG : XFG is running in audit mode.\r\n"); if (data->StrictMode) PhAppendStringBuilder2(&sb, L"Strict XFG : only XFG modules can be loaded.\r\n"); if (data->EnableExportSuppression) PhAppendStringBuilder2(&sb, L"Dll Exports can be marked as XFG invalid targets.\r\n"); } else { PhAppendStringBuilder2(&sb, L"Control Flow Guard (CFG) is enabled for the process.\r\n"); if (data->StrictMode) PhAppendStringBuilder2(&sb, L"Strict CFG : only CFG modules can be loaded.\r\n"); if (data->EnableExportSuppression) PhAppendStringBuilder2(&sb, L"Dll Exports can be marked as CFG invalid targets.\r\n"); } *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } } break; case ProcessSignaturePolicy: { PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY data = Data; if (data->MicrosoftSignedOnly || data->StoreSignedOnly) { if (ShortDescription) { PhInitializeStringBuilder(&sb, 50); PhAppendStringBuilder2(&sb, L"Signatures restricted ("); if (data->MicrosoftSignedOnly) PhAppendStringBuilder2(&sb, L"Microsoft only, "); if (data->StoreSignedOnly) PhAppendStringBuilder2(&sb, L"Store only, "); if (PhEndsWithStringRef2(&sb.String->sr, L", ", FALSE)) PhRemoveEndStringBuilder(&sb, 2); PhAppendCharStringBuilder(&sb, L')'); *ShortDescription = PhFinalStringBuilderString(&sb); } if (LongDescription) { PhInitializeStringBuilder(&sb, 100); PhAppendStringBuilder2(&sb, L"Image signature restrictions are enabled for this process.\r\n"); if (data->MicrosoftSignedOnly) PhAppendStringBuilder2(&sb, L"Only Microsoft signatures are allowed.\r\n"); if (data->StoreSignedOnly) PhAppendStringBuilder2(&sb, L"Only Windows Store signatures are allowed.\r\n"); if (data->MitigationOptIn) PhAppendStringBuilder2(&sb, L"This is an opt-in restriction.\r\n"); *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } } break; case ProcessFontDisablePolicy: { PPROCESS_MITIGATION_FONT_DISABLE_POLICY data = Data; if (data->DisableNonSystemFonts) { if (ShortDescription) *ShortDescription = PhCreateString(L"Non-system fonts disabled"); if (LongDescription) { PhInitializeStringBuilder(&sb, 100); PhAppendStringBuilder2(&sb, L"Non-system fonts cannot be used in this process.\r\n"); if (data->AuditNonSystemFontLoading) PhAppendStringBuilder2(&sb, L"Loading a non-system font in this process will trigger an ETW event.\r\n"); *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } } break; case ProcessImageLoadPolicy: { PPROCESS_MITIGATION_IMAGE_LOAD_POLICY data = Data; if (data->NoRemoteImages || data->NoLowMandatoryLabelImages) { if (ShortDescription) { PhInitializeStringBuilder(&sb, 50); PhAppendStringBuilder2(&sb, L"Images restricted ("); if (data->NoRemoteImages) PhAppendStringBuilder2(&sb, L"remote images, "); if (data->NoLowMandatoryLabelImages) PhAppendStringBuilder2(&sb, L"low mandatory label images, "); if (PhEndsWithStringRef2(&sb.String->sr, L", ", FALSE)) PhRemoveEndStringBuilder(&sb, 2); PhAppendCharStringBuilder(&sb, L')'); *ShortDescription = PhFinalStringBuilderString(&sb); } if (LongDescription) { PhInitializeStringBuilder(&sb, 50); if (data->NoRemoteImages) PhAppendStringBuilder2(&sb, L"Remotely located images cannot be loaded into the process.\r\n"); if (data->NoLowMandatoryLabelImages) PhAppendStringBuilder2(&sb, L"Images with a Low mandatory label cannot be loaded into the process.\r\n"); *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } if (data->PreferSystem32Images) { if (ShortDescription) *ShortDescription = PhCreateString(L"Prefer system32 images"); if (LongDescription) *LongDescription = PhCreateString(L"Forces images to load from the System32 folder in which Windows is installed first, then from the application directory before the standard DLL search order.\r\n"); result = TRUE; } } break; case ProcessSystemCallFilterPolicy: { PPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY data = Data; if (data->FilterId) { if (ShortDescription) *ShortDescription = PhCreateString(L"System call filtering"); if (LongDescription) *LongDescription = PhCreateString(L"System call filtering is active.\r\n"); result = TRUE; } } break; case ProcessPayloadRestrictionPolicy: { PPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY data = Data; if (data->EnableExportAddressFilter || data->EnableExportAddressFilterPlus || data->EnableImportAddressFilter || data->EnableRopStackPivot || data->EnableRopCallerCheck || data->EnableRopSimExec) { if (ShortDescription) *ShortDescription = PhCreateString(L"Payload restrictions"); if (LongDescription) { PhInitializeStringBuilder(&sb, 100); PhAppendStringBuilder2(&sb, L"Payload restrictions are enabled for this process.\r\n"); if (data->EnableExportAddressFilter) PhAppendStringBuilder2(&sb, L"Export Address Filtering is enabled.\r\n"); if (data->EnableExportAddressFilterPlus) PhAppendStringBuilder2(&sb, L"Export Address Filtering (Plus) is enabled.\r\n"); if (data->EnableImportAddressFilter) PhAppendStringBuilder2(&sb, L"Import Address Filtering is enabled.\r\n"); if (data->EnableRopStackPivot) PhAppendStringBuilder2(&sb, L"StackPivot is enabled.\r\n"); if (data->EnableRopCallerCheck) PhAppendStringBuilder2(&sb, L"CallerCheck is enabled.\r\n"); if (data->EnableRopSimExec) PhAppendStringBuilder2(&sb, L"SimExec is enabled.\r\n"); *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } } break; case ProcessChildProcessPolicy: { PPROCESS_MITIGATION_CHILD_PROCESS_POLICY data = Data; if (data->NoChildProcessCreation) { if (ShortDescription) *ShortDescription = PhCreateString(L"Child process creation disabled"); if (LongDescription) *LongDescription = PhCreateString(L"Child processes cannot be created by this process.\r\n"); result = TRUE; } } break; case ProcessSideChannelIsolationPolicy: { PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY data = Data; if (data->SmtBranchTargetIsolation) { if (ShortDescription) *ShortDescription = PhCreateString(L"SMT-thread branch target isolation"); if (LongDescription) *LongDescription = PhCreateString(L"Branch target pollution cross-SMT-thread in user mode is enabled.\r\n"); result = TRUE; } if (data->IsolateSecurityDomain) { if (ShortDescription) *ShortDescription = PhCreateString(L"Distinct security domain"); if (LongDescription) *LongDescription = PhCreateString(L"Isolated security domain is enabled.\r\n"); result = TRUE; } if (data->DisablePageCombine) { if (ShortDescription) *ShortDescription = PhCreateString(L"Restricted page combining"); if (LongDescription) *LongDescription = PhCreateString(L"Disables all page combining for this process.\r\n"); result = TRUE; } if (data->SpeculativeStoreBypassDisable) { if (ShortDescription) *ShortDescription = PhCreateString(L"Memory disambiguation (SSBD)"); if (LongDescription) *LongDescription = PhCreateString(L"Memory disambiguation is enabled for this process.\r\n"); result = TRUE; } } break; case ProcessUserShadowStackPolicy: { PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY data = Data; if (data->EnableUserShadowStack || data->AuditUserShadowStack) { if (ShortDescription) { PhInitializeStringBuilder(&sb, 50); if (data->AuditUserShadowStack) PhAppendStringBuilder2(&sb, L"Audit "); if (data->EnableUserShadowStackStrictMode) PhAppendStringBuilder2(&sb, L"Strict "); PhAppendStringBuilder2(&sb, L"Stack protection"); *ShortDescription = PhFinalStringBuilderString(&sb); } if (LongDescription) { PhInitializeStringBuilder(&sb, 100); PhAppendStringBuilder2(&sb, L"The CPU verifies function return addresses at runtime by employing a hardware-enforced shadow stack.\r\n"); if (data->AuditUserShadowStack) PhAppendStringBuilder2(&sb, L"Audit Stack protection : log ROP failures to event log.\r\n"); if (data->EnableUserShadowStackStrictMode) PhAppendStringBuilder2(&sb, L"Strict Stack protection : any detected ROP will cause the process to terminate.\r\n"); if (data->AuditSetContextIpValidation) PhAppendStringBuilder2(&sb, L"Audit Set Context IP validation : log modifications of context IP to event log.\r\n"); if (data->SetContextIpValidation) PhAppendStringBuilder2(&sb, L"Set Context IP validation : any detected modification of context IP will cause the process to terminate.\r\n"); if (data->AuditBlockNonCetBinaries) PhAppendStringBuilder2(&sb, L"Audit Block non CET binaries : log attempts to load binaries without CET support.\r\n"); if (data->BlockNonCetBinaries) PhAppendStringBuilder2(&sb, L"Block binaries without CET support\r\n"); if (data->BlockNonCetBinariesNonEhcont) PhAppendStringBuilder2(&sb, L"Block binaries without CET support or without EH continuation metadata.\r\n"); *LongDescription = PhFinalStringBuilderString(&sb); } result = TRUE; } } break; case ProcessRedirectionTrustPolicy: { PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY data = Data; // Ensure data is not NULL if (data) { // Handle Enforce Redirection Trust Policy if (data->EnforceRedirectionTrust && data->AuditRedirectionTrust) { if (ShortDescription) *ShortDescription = PhCreateString(L"Junction redirection protection / Audit"); if (LongDescription) *LongDescription = PhCreateString(L"Prevents the process from following filesystem junctions created by non-admin users and logs the attempt.\r\nLogs attempts by the process to follow filesystem junctions created by non-admin users.\r\n"); result = TRUE; } else if (data->EnforceRedirectionTrust) { if (ShortDescription) *ShortDescription = PhCreateString(L"Junction redirection protection"); if (LongDescription) *LongDescription = PhCreateString(L"Prevents the process from following filesystem junctions created by non-admin users and logs the attempt.\r\n"); result = TRUE; } else if (data->AuditRedirectionTrust) { if (ShortDescription) *ShortDescription = PhCreateString(L"Junction redirection protection (Audit)"); if (LongDescription) *LongDescription = PhCreateString(L"Logs attempts by the process to follow filesystem junctions created by non-admin users.\r\n"); result = TRUE; } } } break; case ProcessUserPointerAuthPolicy: { PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY data = Data; if (data->EnablePointerAuthUserIp) { if (ShortDescription) *ShortDescription = PhCreateString(L"ARM pointer authentication"); if (LongDescription) *LongDescription = PhCreateString(L"Pointer authentication (PAC) prevents unexpected changes to pointers.\r\n"); result = TRUE; } } break; case ProcessSEHOPPolicy: { PPROCESS_MITIGATION_SEHOP_POLICY data = Data; if (data->EnableSehop) { if (ShortDescription) *ShortDescription = PhCreateString(L"Structured exception handling overwrite protection (SEHOP)"); if (LongDescription) *LongDescription = PhCreateString(L"SEHOP prevents Structured Exception Handler (SEH) overwrites.\r\n"); result = TRUE; } } break; default: result = FALSE; } return result; } ================================================ FILE: SystemInformer/procprp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2016-2026 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include PPH_OBJECT_TYPE PhpProcessPropContextType = NULL; PPH_OBJECT_TYPE PhpProcessPropPageContextType = NULL; PPH_OBJECT_TYPE PhpProcessPropPageWaitContextType = NULL; PH_STRINGREF PhProcessPropPageLoadingText = PH_STRINGREF_INIT(L"Loading..."); static RECT MinimumSize = { -1, -1, -1, -1 }; SLIST_HEADER WaitContextQueryListHead; PPH_PROCESS_PROPCONTEXT PhCreateProcessPropContext( _In_opt_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_PROCESS_PROPCONTEXT propContext; PROPSHEETHEADER propSheetHeader; if (PhBeginInitOnce(&initOnce)) { PhpProcessPropContextType = PhCreateObjectType(L"ProcessPropContext", 0, PhpProcessPropContextDeleteProcedure); PhpProcessPropPageContextType = PhCreateObjectType(L"ProcessPropPageContext", 0, PhpProcessPropPageContextDeleteProcedure); PhpProcessPropPageWaitContextType = PhCreateObjectType(L"ProcessPropPageWaitContext", 0, PhpProcessPropPageWaitContextDeleteProcedure); PhInitializeSListHead(&WaitContextQueryListHead); PhEndInitOnce(&initOnce); } propContext = PhCreateObjectZero(sizeof(PH_PROCESS_PROPCONTEXT), PhpProcessPropContextType); propContext->PropSheetPages = PhAllocateZero(sizeof(HPROPSHEETPAGE) * PH_PROCESS_PROPCONTEXT_MAXPAGES); if (!PH_IS_FAKE_PROCESS_ID(ProcessItem->ProcessId)) { PH_FORMAT format[4]; PhInitFormatSR(&format[0], ProcessItem->ProcessName->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatU(&format[2], HandleToUlong(ProcessItem->ProcessId)); PhInitFormatC(&format[3], L')'); propContext->Title = PhFormat(format, RTL_NUMBER_OF(format), 64); } else { PhSetReference(&propContext->Title, ProcessItem->ProcessName); } memset(&propSheetHeader, 0, sizeof(PROPSHEETHEADER)); propSheetHeader.dwSize = sizeof(PROPSHEETHEADER); propSheetHeader.dwFlags = PSH_MODELESS | PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP | PSH_PROPTITLE | PSH_USECALLBACK | PSH_USEHICON; propSheetHeader.hInstance = PhInstanceHandle; propSheetHeader.hwndParent = ParentWindowHandle; propSheetHeader.hIcon = PhGetImageListIcon(ProcessItem->SmallIconIndex, FALSE); propSheetHeader.pszCaption = PhGetString(propContext->Title); propSheetHeader.pfnCallback = PhpPropSheetProc; propSheetHeader.nPages = 0; propSheetHeader.nStartPage = 0; propSheetHeader.phpage = propContext->PropSheetPages; if (PhCsForceNoParent) propSheetHeader.hwndParent = NULL; memcpy(&propContext->PropSheetHeader, &propSheetHeader, sizeof(PROPSHEETHEADER)); PhSetReference(&propContext->ProcessItem, ProcessItem); return propContext; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpProcessPropContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_PROCESS_PROPCONTEXT propContext = (PPH_PROCESS_PROPCONTEXT)Object; PhFree(propContext->PropSheetPages); PhDereferenceObject(propContext->Title); PhDereferenceObject(propContext->ProcessItem); } VOID PhRefreshProcessPropContext( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext ) { PropContext->PropSheetHeader.hIcon = PhGetImageListIcon(PropContext->ProcessItem->SmallIconIndex, FALSE); } VOID PhSetSelectThreadIdProcessPropContext( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ HANDLE ThreadId ) { PropContext->SelectThreadId = ThreadId; } INT CALLBACK PhpPropSheetProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam ) { #define PROPSHEET_ADD_STYLE (WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_THICKFRAME); switch (uMsg) { case PSCB_PRECREATE: { if (lParam) { if (((DLGTEMPLATEEX *)lParam)->signature == USHRT_MAX) { ((DLGTEMPLATEEX *)lParam)->style |= PROPSHEET_ADD_STYLE; } else { ((DLGTEMPLATE *)lParam)->style |= PROPSHEET_ADD_STYLE; } } } break; case PSCB_INITIALIZED: { PPH_PROCESS_PROPSHEETCONTEXT propSheetContext; propSheetContext = PhAllocate(sizeof(PH_PROCESS_PROPSHEETCONTEXT)); memset(propSheetContext, 0, sizeof(PH_PROCESS_PROPSHEETCONTEXT)); PhInitializeLayoutManager(&propSheetContext->LayoutManager, hwndDlg); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, propSheetContext); propSheetContext->PropSheetWindowHookProc = PhGetWindowProcedure(hwndDlg); PhSetWindowContext(hwndDlg, 0xF, propSheetContext); PhSetWindowProcedure(hwndDlg, PhpPropSheetWndProc); if (PhEnableThemeSupport) // NOTE: Required for compatibility. (dmex) PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); PhRegisterWindowCallback(hwndDlg, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); if (MinimumSize.left == -1) { RECT rect; rect.left = 0; rect.top = 0; rect.right = 290; rect.bottom = 320; MapDialogRect(hwndDlg, &rect); MinimumSize = rect; MinimumSize.left = 0; } PhSetTimer(hwndDlg, 2000, 2000, NULL); } break; } return 0; } PPH_PROCESS_PROPSHEETCONTEXT PhpGetPropSheetContext( _In_ HWND WindowHandle ) { return PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } LRESULT CALLBACK PhpPropSheetWndProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_PROPSHEETCONTEXT propSheetContext; WNDPROC oldWndProc; propSheetContext = PhGetWindowContext(WindowHandle, 0xF); if (!propSheetContext) return 0; oldWndProc = propSheetContext->PropSheetWindowHookProc; switch (uMsg) { case WM_DESTROY: { HWND tabControl; TCITEM tabItem; WCHAR text[128] = L""; PhKillTimer(WindowHandle, 2000); // Save the window position and size. PhSaveWindowPlacementToSetting(SETTING_PROC_PROP_POSITION, SETTING_PROC_PROP_SIZE, WindowHandle); // Save the selected tab. tabControl = PropSheet_GetTabControl(WindowHandle); tabItem.mask = TCIF_TEXT; tabItem.pszText = text; tabItem.cchTextMax = RTL_NUMBER_OF(text) - 1; if (TabCtrl_GetItem(tabControl, TabCtrl_GetCurSel(tabControl), &tabItem)) { PhSetStringSetting(SETTING_PROC_PROP_PAGE, text); } } break; case WM_NCDESTROY: { PhUnregisterWindowCallback(WindowHandle); PhSetWindowProcedure(WindowHandle, oldWndProc); PhRemoveWindowContext(WindowHandle, 0xF); PhDeleteLayoutManager(&propSheetContext->LayoutManager); PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); PhFree(propSheetContext); } break; case WM_SYSCOMMAND: { // Note: Clicking the X on the taskbar window thumbnail preview doesn't close modeless property sheets // when there are more than 1 window and the window doesn't have focus. (dmex) switch (wParam & 0xFFF0) { case SC_CLOSE: { PostQuitMessage(0); //SetWindowLongPtr(WindowHandle, DWLP_MSGRESULT, TRUE); //return TRUE; } break; } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDOK: // Prevent the OK button from working (even though // it's already hidden). This prevents the Enter // key from closing the dialog box. return 0; } } break; case WM_SIZE: { if (!IsMinimized(WindowHandle)) { PhLayoutManagerLayout(&propSheetContext->LayoutManager); } } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_TIMER: { UINT id = (UINT)wParam; if (id == 2000) { PhpFlushProcessPropSheetWaitContextData(); } } break; case PSM_ISDIALOGMESSAGE: { PMSG dialog = (PMSG)lParam; if (dialog->message == WM_KEYDOWN) { switch (dialog->wParam) { case VK_F5: SystemInformer_Refresh(); break; case VK_F6: case VK_PAUSE: SystemInformer_SetUpdateAutomatically(!SystemInformer_GetUpdateAutomatically()); break; } } } break; case WM_DPICHANGED: { USHORT newDpi = HIWORD(wParam); PRECT CONST newRect = (PRECT)lParam; CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); PhLayoutManagerUpdate(&propSheetContext->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&propSheetContext->LayoutManager); { SetWindowPos( WindowHandle, NULL, newRect->left, newRect->top, newRect->right - newRect->left, newRect->bottom - newRect->top, SWP_NOZORDER | SWP_NOACTIVATE ); } { RECT rect; rect.left = 0; rect.top = 0; rect.right = 290; rect.bottom = 320; MapDialogRect(WindowHandle, &rect); MinimumSize = rect; MinimumSize.left = 0; } return 0; } break; } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); } _Function_class_(PH_OPEN_OBJECT) NTSTATUS PhOptionsButtonGeneralOpenProcess( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { if (Context) { return PhOpenProcess(Handle, DesiredAccess, (HANDLE)Context); } return STATUS_UNSUCCESSFUL; } _Function_class_(PH_CLOSE_OBJECT) NTSTATUS PhOptionsButtonGeneralCloseHandle( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) { NtClose(Handle); } return STATUS_SUCCESS; } LRESULT CALLBACK PhpOptionsButtonWndProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_PROPSHEETCONTEXT propSheetContext; WNDPROC oldWndProc; if (!(propSheetContext = PhGetWindowContext(WindowHandle, SCHAR_MAX))) return DefWindowProc(WindowHandle, uMsg, wParam, lParam); oldWndProc = propSheetContext->OldOptionsButtonWndProc; switch (uMsg) { case WM_DESTROY: { PhRemoveWindowContext(WindowHandle, SCHAR_MAX); PhSetWindowProcedure(WindowHandle, oldWndProc); } break; case WM_COMMAND: { if (GET_WM_COMMAND_HWND(wParam, lParam) == propSheetContext->OptionsButtonWindowHandle) { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_EMENU_ITEM menuItem; HWND pageWindow; LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_PROPCONTEXT propContext; if (!(pageWindow = PropSheet_GetCurrentPageHwnd(WindowHandle))) break; if (!(propSheetPage = PhGetWindowContext(pageWindow, PH_WINDOW_CONTEXT_DEFAULT))) break; if (!(propPageContext = (PPH_PROCESS_PROPPAGECONTEXT)propSheetPage->lParam)) break; if (!(propContext = propPageContext->PropContext)) break; if (!PhGetWindowRect(propSheetContext->OptionsButtonWindowHandle, &rect)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_TERMINATE, L"T&erminate\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_TERMINATETREE, L"Terminate tree\bShift+Del", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_SUSPEND, L"&Suspend", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_SUSPENDTREE, L"Suspend tree", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_RESUME, L"Res&ume", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_RESUMETREE, L"Resume tree", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_FREEZE, L"Freeze", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_THAW, L"Thaw", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_RESTART, L"Res&tart", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); if (propContext->ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { PPH_EMENU_ITEM kernelMinimal; menuItem = PhCreateEMenuItem(0, ID_PROCESS_CREATEDUMPFILE, L"Create live kernel dump fi&le", NULL, NULL); PhInsertEMenuItem(menuItem, kernelMinimal = PhCreateEMenuItem(0, ID_PROCESS_DUMP_MINIMAL, L"&Minimal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_NORMAL, L"&Normal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_FULL, L"&Full...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_CUSTOM, L"&Custom...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); if (!PhGetOwnTokenAttributes().Elevated) { menuItem->Flags |= PH_EMENU_DISABLED; } else if (WindowsVersion < WINDOWS_11) { // Minimal only captures thread stacks, not supported before Windows 11 PhSetDisabledEMenuItem(kernelMinimal); } } else { menuItem = PhCreateEMenuItem(0, ID_PROCESS_CREATEDUMPFILE, L"Create dump fi&le", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_MINIMAL, L"&Minimal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_LIMITED, L"&Limited...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_NORMAL, L"&Normal...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_FULL, L"&Full...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_DUMP_CUSTOM, L"&Custom...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); } PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_DEBUG, L"De&bug", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_AFFINITY, L"&Affinity", NULL, NULL), ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_PRIORITYCLASS, L"&Priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_REALTIME, L"&Real time", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_HIGH, L"&High", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_ABOVENORMAL, L"&Above normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_BELOWNORMAL, L"&Below normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_IDLE, L"&Idle", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_IOPRIORITY, L"&I/O priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_HIGH, L"&High", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_LOW, L"&Low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_VERYLOW, L"&Very low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_PAGEPRIORITY, L"Pa&ge priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_BELOWNORMAL, L"&Below normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_MEDIUM, L"&Medium", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_LOW, L"&Low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_VERYLOW, L"&Very low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, ID_PROCESS_MISCELLANEOUS, L"&Miscellaneous", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_ACTIVITY, L"Activity moderation", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_SETCRITICAL, L"&Critical", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_DETACHFROMDEBUGGER, L"&Detach from debugger", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_ECOMODE, L"Efficiency mode", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_EXECUTIONREQUIRED, L"Execution required", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_GDIHANDLES, L"GDI &handles...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_HEAPS, L"Heaps...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_LOCKS, L"Locks...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_FLUSHHEAPS, L"Flush heaps", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_PAGESMODIFIED, L"Modified pages...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_REDUCEWORKINGSET, L"Reduce working &set", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_RUNAS, L"&Run as...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_MISCELLANEOUS_RUNASTHISUSER, L"Run &as this user...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PROCESS_VIRTUALIZATION, L"Virtuali&zation", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_SEARCHONLINE, L"Search &online\bCtrl+M", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PROCESS_OPENFILELOCATION, L"Open &file location\bCtrl+Enter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_HANDLE_SECURITY, L"Security", NULL, NULL), ULONG_MAX); PhMwpInitializeProcessMenu(menu, &propContext->ProcessItem, 1); selectedItem = PhShowEMenu( menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_BOTTOM, rect.left, rect.top ); if (selectedItem && selectedItem->Id) { PPH_PROCESS_ITEM processItem = propContext->ProcessItem; PhReferenceObject(processItem); switch (selectedItem->Id) { case ID_PROCESS_TERMINATE: PhUiTerminateProcesses(WindowHandle, &processItem, 1); break; case ID_PROCESS_TERMINATETREE: PhUiTerminateTreeProcess(WindowHandle, processItem); break; case ID_PROCESS_SUSPEND: PhUiSuspendProcesses(WindowHandle, &processItem, 1); break; case ID_PROCESS_SUSPENDTREE: PhUiSuspendTreeProcess(WindowHandle, processItem); break; case ID_PROCESS_RESUME: PhUiResumeProcesses(WindowHandle, &processItem, 1); break; case ID_PROCESS_RESUMETREE: PhUiResumeTreeProcess(WindowHandle, processItem); break; case ID_PROCESS_FREEZE: PhUiFreezeTreeProcess(WindowHandle, processItem); break; case ID_PROCESS_THAW: PhUiThawTreeProcess(WindowHandle, processItem); break; case ID_PROCESS_RESTART: PhUiRestartProcess(WindowHandle, processItem); break; case ID_PROCESS_AFFINITY: PhShowProcessAffinityDialog(WindowHandle, processItem, NULL); break; case ID_PRIORITY_REALTIME: case ID_PRIORITY_HIGH: case ID_PRIORITY_ABOVENORMAL: case ID_PRIORITY_NORMAL: case ID_PRIORITY_BELOWNORMAL: case ID_PRIORITY_IDLE: PhMwpExecuteProcessPriorityClassCommand(WindowHandle, selectedItem->Id, &processItem, 1); break; case ID_IOPRIORITY_VERYLOW: case ID_IOPRIORITY_LOW: case ID_IOPRIORITY_NORMAL: case ID_IOPRIORITY_HIGH: PhMwpExecuteProcessIoPriorityCommand(WindowHandle, selectedItem->Id, &processItem, 1); break; case ID_PAGEPRIORITY_VERYLOW: case ID_PAGEPRIORITY_LOW: case ID_PAGEPRIORITY_MEDIUM: case ID_PAGEPRIORITY_BELOWNORMAL: case ID_PAGEPRIORITY_NORMAL: { ULONG pagePriority; switch (selectedItem->Id) { case ID_PAGEPRIORITY_VERYLOW: pagePriority = MEMORY_PRIORITY_VERY_LOW; break; case ID_PAGEPRIORITY_LOW: pagePriority = MEMORY_PRIORITY_LOW; break; case ID_PAGEPRIORITY_MEDIUM: pagePriority = MEMORY_PRIORITY_MEDIUM; break; case ID_PAGEPRIORITY_BELOWNORMAL: pagePriority = MEMORY_PRIORITY_BELOW_NORMAL; break; case ID_PAGEPRIORITY_NORMAL: pagePriority = MEMORY_PRIORITY_NORMAL; break; } PhUiSetPagePriorityProcess(WindowHandle, processItem, pagePriority); } break; case ID_MISCELLANEOUS_ACTIVITY: PhUiSetActivityModeration(WindowHandle, processItem); break; case ID_MISCELLANEOUS_SETCRITICAL: PhUiSetCriticalProcess(WindowHandle, processItem); break; case ID_MISCELLANEOUS_DETACHFROMDEBUGGER: PhUiDetachFromDebuggerProcess(WindowHandle, processItem); break; case ID_MISCELLANEOUS_ECOMODE: PhUiSetEcoModeProcess(WindowHandle, processItem); break; case ID_MISCELLANEOUS_EXECUTIONREQUIRED: PhUiSetExecutionRequiredProcess(WindowHandle, processItem); break; case ID_MISCELLANEOUS_GDIHANDLES: PhShowGdiHandlesDialog(WindowHandle, processItem); break; case ID_MISCELLANEOUS_HEAPS: PhShowProcessHeapsDialog(WindowHandle, processItem); break; case ID_MISCELLANEOUS_LOCKS: PhShowProcessLocksDialog(WindowHandle, processItem); break; case ID_MISCELLANEOUS_REDUCEWORKINGSET: PhUiReduceWorkingSetProcesses(WindowHandle, &processItem, 1); break; case ID_MISCELLANEOUS_RUNAS: PhShowRunAsDialog(WindowHandle, NULL); break; case ID_MISCELLANEOUS_RUNASTHISUSER: PhShowRunAsDialog(WindowHandle, processItem->ProcessId); break; case ID_MISCELLANEOUS_FLUSHHEAPS: PhUiFlushHeapProcesses(WindowHandle, &processItem, 1); break; case ID_PROCESS_DUMP_MINIMAL: case ID_PROCESS_DUMP_LIMITED: case ID_PROCESS_DUMP_NORMAL: case ID_PROCESS_DUMP_FULL: case ID_PROCESS_DUMP_CUSTOM: PhUiCreateDumpFileProcess(WindowHandle, processItem, selectedItem->Id); break; case ID_PROCESS_DEBUG: PhUiDebugProcess(WindowHandle, processItem); break; case ID_PROCESS_SEARCHONLINE: PhSearchOnlineString(WindowHandle, processItem->ProcessName->Buffer); break; case ID_PROCESS_OPENFILELOCATION: { NTSTATUS status; PPH_STRING fileName; status = PhGetProcessItemFileNameWin32(processItem, &fileName); if (NT_SUCCESS(status)) { PhShellExecuteUserString( WindowHandle, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(fileName), FALSE, L"Make sure the Explorer executable file is present." ); PhDereferenceObject(fileName); } else { PhShowStatus(WindowHandle, L"Unable to locate the file.", status, 0); } } break; case ID_HANDLE_SECURITY: { PhEditSecurity( PhCsForceNoParent ? NULL : pageWindow, PhGetStringOrEmpty(propContext->ProcessItem->ProcessName), L"Process", PhOptionsButtonGeneralOpenProcess, PhOptionsButtonGeneralCloseHandle, propContext->ProcessItem->ProcessId ); } break; } PhDereferenceObject(processItem); } PhDestroyEMenu(menu); } //else if (GET_WM_COMMAND_HWND(wParam, lParam) == propSheetContext->PermissionsButtonWindowHandle) //{ // HWND pageWindow; // LPPROPSHEETPAGE propSheetPage; // PPH_PROCESS_PROPPAGECONTEXT propPageContext; // PPH_PROCESS_PROPCONTEXT propContext; // // if (!(pageWindow = PropSheet_GetCurrentPageHwnd(WindowHandle))) // break; // if (!(propSheetPage = PhGetWindowContext(pageWindow, PH_WINDOW_CONTEXT_DEFAULT))) // break; // if (!(propPageContext = (PPH_PROCESS_PROPPAGECONTEXT)propSheetPage->lParam)) // break; // if (!(propContext = propPageContext->PropContext)) // break; // // NOTHING; //} } break; case WM_PH_UPDATE_DIALOG: { if (propSheetContext->ButtonsLabelWindowHandle) { static CONST PH_STRINGREF text = PH_STRINGREF_INIT(L"Protection"); static CONST PH_STRINGREF seperator = PH_STRINGREF_INIT(L": "); static CONST PH_STRINGREF natext = PH_STRINGREF_INIT(L"N/A"); HWND pageWindow; LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_PROPCONTEXT propContext; if (!(pageWindow = PropSheet_GetCurrentPageHwnd(WindowHandle))) break; if (!(propSheetPage = PhGetWindowContext(pageWindow, PH_WINDOW_CONTEXT_DEFAULT))) break; if (!(propPageContext = (PPH_PROCESS_PROPPAGECONTEXT)propSheetPage->lParam)) break; if (!(propContext = propPageContext->PropContext)) break; PPH_STRING string = PhGetProcessProtectionString(propContext->ProcessItem->Protection, (BOOLEAN)propContext->ProcessItem->IsSecureProcess); if (string) { PhMoveReference(&string, PhConcatStringRef3(&text, &seperator, &string->sr)); } else { PhMoveReference(&string, PhConcatStringRef3(&text, &seperator, &natext)); } PhSetWindowText(propSheetContext->ButtonsLabelWindowHandle, string->Buffer); PhClearReference(&string); } } break; } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); } VOID PhpCreateProcessPropButtons( _In_ PPH_PROCESS_PROPSHEETCONTEXT PropSheetContext, _In_ HWND PropSheetWindow ) { if (!PropSheetContext->OptionsButtonWindowHandle) { RECT clientRect; RECT rect; LONG buttonWidth; LONG buttonHeight; LONG buttonSpacing = 6; LONG labelWidth = 250; HFONT windowFont; windowFont = GetWindowFont(GetDlgItem(PropSheetWindow, IDCANCEL)); PropSheetContext->OldOptionsButtonWndProc = PhGetWindowProcedure(PropSheetWindow); PhSetWindowContext(PropSheetWindow, SCHAR_MAX, PropSheetContext); PhSetWindowProcedure(PropSheetWindow, PhpOptionsButtonWndProc); PhGetClientRect(PropSheetWindow, &clientRect); PhGetWindowRect(GetDlgItem(PropSheetWindow, IDCANCEL), &rect); MapWindowRect(NULL, PropSheetWindow, &rect); buttonWidth = rect.right - rect.left; buttonHeight = rect.bottom - rect.top; // Create the Options button PropSheetContext->OptionsButtonWindowHandle = CreateWindowEx( WS_EX_NOPARENTNOTIFY, WC_BUTTON, L"Options", WS_CHILD | WS_VISIBLE | WS_TABSTOP, clientRect.right - rect.right, rect.top, buttonWidth, buttonHeight, PropSheetWindow, NULL, PhInstanceHandle, NULL ); SetWindowFont(PropSheetContext->OptionsButtonWindowHandle, windowFont, TRUE); // Create the Permissions button //PropSheetContext->PermissionsButtonWindowHandle = CreateWindowEx( // WS_EX_NOPARENTNOTIFY, // WC_BUTTON, // L"Permissions", // WS_CHILD | WS_VISIBLE | WS_TABSTOP, // clientRect.right - rect.right + buttonWidth + buttonSpacing, // rect.top, // buttonWidth, // buttonHeight, // PropSheetWindow, // NULL, // PhInstanceHandle, // NULL // ); //SetWindowFont(PropSheetContext->PermissionsButtonWindowHandle, windowFont, TRUE); // Create the label PropSheetContext->ButtonsLabelWindowHandle = CreateWindowEx( WS_EX_NOPARENTNOTIFY, WC_STATIC, L"Protection", WS_CHILD | WS_VISIBLE | SS_LEFT, clientRect.right - rect.right + (buttonWidth + buttonSpacing) + 5, rect.top + 7, labelWidth, buttonHeight, PropSheetWindow, NULL, PhInstanceHandle, NULL ); SetWindowFont(PropSheetContext->ButtonsLabelWindowHandle, windowFont, TRUE); PostMessage(PropSheetWindow, WM_PH_UPDATE_DIALOG, 0, 0); } } BOOLEAN PhpInitializePropSheetLayoutStage1( _In_ PPH_PROCESS_PROPSHEETCONTEXT Context, _In_ HWND WindowHandle ) { if (!Context->LayoutInitialized) { HWND tabControlHandle; PPH_LAYOUT_ITEM tabControlItem; PPH_LAYOUT_ITEM tabPageItem; tabControlHandle = PropSheet_GetTabControl(WindowHandle); tabControlItem = PhAddLayoutItem(&Context->LayoutManager, tabControlHandle, NULL, PH_ANCHOR_ALL | PH_LAYOUT_IMMEDIATE_RESIZE); tabPageItem = PhAddLayoutItem(&Context->LayoutManager, tabControlHandle, NULL, PH_LAYOUT_TAB_CONTROL); // dummy item to fix multiline tab control PhAddLayoutItem(&Context->LayoutManager, GetDlgItem(WindowHandle, IDCANCEL), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); // Create and add the buttons to the layout PhpCreateProcessPropButtons(Context, WindowHandle); PhAddLayoutItem(&Context->LayoutManager, Context->OptionsButtonWindowHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&Context->LayoutManager, Context->ButtonsLabelWindowHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); //PhAddLayoutItem(&Context->LayoutManager, Context->PermissionsButtonWindowHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); // Hide the OK button. ShowWindow(GetDlgItem(WindowHandle, IDOK), SW_HIDE); // Set the Cancel button's text to "Close". PhSetDialogItemText(WindowHandle, IDCANCEL, L"Close"); Context->TabPageItem = tabPageItem; Context->LayoutInitialized = TRUE; return TRUE; } return FALSE; } VOID PhpInitializePropSheetLayoutStage2( _In_ HWND WindowHandle ) { PH_RECTANGLE windowRectangle = {0}; RECT rect; LONG dpiValue; PhLoadWindowPlacementFromSetting(SETTING_PROC_PROP_POSITION, SETTING_PROC_PROP_SIZE, WindowHandle); windowRectangle.Position = PhGetIntegerPairSetting(SETTING_PROC_PROP_POSITION); PhRectangleToRect(&rect, &windowRectangle); dpiValue = PhGetMonitorDpi(NULL, &rect); windowRectangle.Size = PhGetScalableIntegerPairSetting(SETTING_PROC_PROP_SIZE, TRUE, dpiValue)->Pair; if (windowRectangle.Size.X < MinimumSize.right) windowRectangle.Size.X = MinimumSize.right; if (windowRectangle.Size.Y < MinimumSize.bottom) windowRectangle.Size.Y = MinimumSize.bottom; PhAdjustRectangleToWorkingArea(NULL, &windowRectangle); // Implement cascading by saving an offsetted rectangle. windowRectangle.Left += 20; windowRectangle.Top += 20; PhSetIntegerPairSetting(SETTING_PROC_PROP_POSITION, windowRectangle.Position); } BOOLEAN PhAddProcessPropPage( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ _Assume_refs_(1) PPH_PROCESS_PROPPAGECONTEXT PropPageContext ) { HPROPSHEETPAGE propSheetPageHandle; if (PropContext->PropSheetHeader.nPages == PH_PROCESS_PROPCONTEXT_MAXPAGES) return FALSE; propSheetPageHandle = CreatePropertySheetPage( &PropPageContext->PropSheetPage ); // CreatePropertySheetPage would have sent PSPCB_ADDREF, // which would have added a reference. PhDereferenceObject(PropPageContext); PhSetReference(&PropPageContext->PropContext, PropContext); PropContext->PropSheetPages[PropContext->PropSheetHeader.nPages] = propSheetPageHandle; PropContext->PropSheetHeader.nPages++; return TRUE; } BOOLEAN PhAddProcessPropPage2( _Inout_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ HPROPSHEETPAGE PropSheetPageHandle ) { if (PropContext->PropSheetHeader.nPages == PH_PROCESS_PROPCONTEXT_MAXPAGES) return FALSE; PropContext->PropSheetPages[PropContext->PropSheetHeader.nPages] = PropSheetPageHandle; PropContext->PropSheetHeader.nPages++; return TRUE; } PPH_PROCESS_PROPPAGECONTEXT PhCreateProcessPropPageContext( _In_ LPCWSTR Template, _In_ DLGPROC DlgProc, _In_opt_ PVOID Context ) { return PhCreateProcessPropPageContextEx(PhInstanceHandle, Template, DlgProc, Context); } PPH_PROCESS_PROPPAGECONTEXT PhCreateProcessPropPageContextEx( _In_opt_ PVOID InstanceHandle, _In_ LPCWSTR Template, _In_ DLGPROC DlgProc, _In_opt_ PVOID Context ) { PPH_PROCESS_PROPPAGECONTEXT propPageContext; propPageContext = PhCreateObjectZero(sizeof(PH_PROCESS_PROPPAGECONTEXT), PhpProcessPropPageContextType); propPageContext->PropSheetPage.dwSize = sizeof(PROPSHEETPAGE); propPageContext->PropSheetPage.dwFlags = PSP_USECALLBACK; propPageContext->PropSheetPage.hInstance = InstanceHandle; propPageContext->PropSheetPage.pszTemplate = Template; propPageContext->PropSheetPage.pfnDlgProc = DlgProc; propPageContext->PropSheetPage.lParam = (LPARAM)propPageContext; propPageContext->PropSheetPage.pfnCallback = PhpStandardPropPageProc; propPageContext->Context = Context; return propPageContext; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpProcessPropPageContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_PROCESS_PROPPAGECONTEXT propPageContext = (PPH_PROCESS_PROPPAGECONTEXT)Object; if (propPageContext->PropContext) PhDereferenceObject(propPageContext->PropContext); } UINT CALLBACK PhpStandardPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ) { PPH_PROCESS_PROPPAGECONTEXT propPageContext; propPageContext = (PPH_PROCESS_PROPPAGECONTEXT)ppsp->lParam; if (uMsg == PSPCB_ADDREF) PhReferenceObject(propPageContext); else if (uMsg == PSPCB_RELEASE) PhDereferenceObject(propPageContext); return 1; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpProcessPropPageWaitContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_PROCESS_WAITPROPCONTEXT context = (PPH_PROCESS_WAITPROPCONTEXT)Object; PhpFlushProcessPropSheetWaitContextData(); if (context->ProcessWaitHandle) { RtlDeregisterWaitEx(context->ProcessWaitHandle, RTL_WAITER_DEREGISTER_WAIT_FOR_COMPLETION); context->ProcessWaitHandle = NULL; } if (context->ProcessHandle) { NtClose(context->ProcessHandle); context->ProcessHandle = NULL; } if (context->ProcessItem) { PhDereferenceObject(context->ProcessItem); context->ProcessItem = NULL; } } VOID PhpCreateProcessPropSheetWaitContext( _In_ PPH_PROCESS_PROPCONTEXT PropContext, _In_ HWND WindowHandle ) { PPH_PROCESS_ITEM processItem = PropContext->ProcessItem; PPH_PROCESS_WAITPROPCONTEXT waitContext; HANDLE processHandle; if (!processItem->QueryHandle || processItem->ProcessId == NtCurrentProcessId()) return; if (!NT_SUCCESS(PhOpenProcess( &processHandle, SYNCHRONIZE, processItem->ProcessId ))) { return; } waitContext = PhCreateObjectZero(sizeof(PH_PROCESS_WAITPROPCONTEXT), PhpProcessPropPageWaitContextType); waitContext->ProcessItem = PhReferenceObject(processItem); waitContext->PropSheetWindowHandle = GetParent(WindowHandle); waitContext->ProcessHandle = processHandle; if (NT_SUCCESS(RtlRegisterWait( &waitContext->ProcessWaitHandle, processHandle, PhpProcessPropertiesWaitCallback, waitContext, INFINITE, WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD ))) { PropContext->ProcessWaitContext = waitContext; } else { PhDereferenceObject(waitContext->ProcessItem); waitContext->ProcessItem = NULL; NtClose(waitContext->ProcessHandle); waitContext->ProcessHandle = NULL; PhDereferenceObject(waitContext); } } VOID PhpFlushProcessPropSheetWaitContextData( VOID ) { PSLIST_ENTRY entry = NULL; PPH_PROCESS_WAITPROPCONTEXT data; PROCESS_BASIC_INFORMATION basicInfo; //if (!PhQueryDepthSList(&WaitContextQueryListHead)) // return; //if (!RtlFirstEntrySList(&WaitContextQueryListHead)) // return; entry = RtlInterlockedFlushSList(&WaitContextQueryListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_PROCESS_WAITPROPCONTEXT, ListEntry); entry = entry->Next; if (NT_SUCCESS(PhGetProcessBasicInformation(data->ProcessItem->QueryHandle, &basicInfo))) { PPH_STRING statusMessage = NULL; PPH_STRING errorMessage; PH_FORMAT format[5]; PhInitFormatSR(&format[0], data->ProcessItem->ProcessName->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatU(&format[2], HandleToUlong(data->ProcessItem->ProcessId)); if (basicInfo.ExitStatus < STATUS_WAIT_1 || basicInfo.ExitStatus > STATUS_WAIT_63) { if (errorMessage = PhGetStatusMessage(basicInfo.ExitStatus, 0)) { PhInitFormatS(&format[3], L") exited with "); PhInitFormatSR(&format[4], errorMessage->sr); statusMessage = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(errorMessage); } } if (PhIsNullOrEmptyString(statusMessage)) { PhInitFormatS(&format[3], L") exited with 0x"); PhInitFormatX(&format[4], basicInfo.ExitStatus); //format[4].Type |= FormatPadZeros; format[4].Width = 8; statusMessage = PhFormat(format, RTL_NUMBER_OF(format), 0); } if (statusMessage) { PhSetWindowText(data->PropSheetWindowHandle, PhGetString(statusMessage)); PhDereferenceObject(statusMessage); } } //PostMessage(data->PropSheetWindowHandle, WM_PH_PROPPAGE_EXITSTATUS, 0, (LPARAM)data); } } _Function_class_(WAIT_CALLBACK_ROUTINE) VOID NTAPI PhpProcessPropertiesWaitCallback( _In_ PVOID Context, _In_ BOOLEAN TimerOrWaitFired ) { PPH_PROCESS_WAITPROPCONTEXT waitContext = Context; // This avoids blocking the workqueue and avoids converting the workqueue to GUI threads. (dmex) RtlInterlockedPushEntrySList(&WaitContextQueryListHead, &waitContext->ListEntry); } _Success_(return) BOOLEAN PhPropPageDlgProcHeader( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam, _Out_opt_ LPPROPSHEETPAGE *PropSheetPage, _Out_opt_ PPH_PROCESS_PROPPAGECONTEXT *PropPageContext, _Out_opt_ PPH_PROCESS_ITEM *ProcessItem ) { LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; if (uMsg == WM_INITDIALOG) { PPH_PROCESS_PROPCONTEXT propContext; propSheetPage = (LPPROPSHEETPAGE)lParam; propPageContext = (PPH_PROCESS_PROPPAGECONTEXT)propSheetPage->lParam; propContext = propPageContext->PropContext; if (!propContext->WaitInitialized) { PhpCreateProcessPropSheetWaitContext(propContext, hwndDlg); propContext->WaitInitialized = TRUE; } PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, propSheetPage); } else { propSheetPage = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!propSheetPage) return FALSE; propPageContext = (PPH_PROCESS_PROPPAGECONTEXT)propSheetPage->lParam; if (PropSheetPage) *PropSheetPage = propSheetPage; if (PropPageContext) *PropPageContext = propPageContext; if (ProcessItem) *ProcessItem = propPageContext->PropContext->ProcessItem; if (uMsg == WM_NCDESTROY) { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); if (propPageContext->PropContext->ProcessWaitContext) { PhDereferenceObject(propPageContext->PropContext->ProcessWaitContext); propPageContext->PropContext->ProcessWaitContext = NULL; } } return TRUE; } #ifdef DEBUG static VOID ASSERT_DIALOGRECT( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ SHORT Width, _In_ USHORT Height ) { PDLGTEMPLATEEX dialogTemplate = NULL; PhLoadResource(DllBase, Name, RT_DIALOG, NULL, &dialogTemplate); assert(dialogTemplate && dialogTemplate->cx == Width && dialogTemplate->cy == Height); } #endif PPH_LAYOUT_ITEM PhAddPropPageLayoutItem( _In_ HWND WindowHandle, _In_ HWND Handle, _In_ PPH_LAYOUT_ITEM ParentItem, _In_ ULONG Anchor ) { HWND parent; PPH_PROCESS_PROPSHEETCONTEXT propSheetContext; PPH_LAYOUT_MANAGER layoutManager; PPH_LAYOUT_ITEM realParentItem; BOOLEAN doLayoutStage2; PPH_LAYOUT_ITEM item; parent = GetParent(WindowHandle); propSheetContext = PhpGetPropSheetContext(parent); layoutManager = &propSheetContext->LayoutManager; doLayoutStage2 = PhpInitializePropSheetLayoutStage1(propSheetContext, parent); if (ParentItem != PH_PROP_PAGE_TAB_CONTROL_PARENT) realParentItem = ParentItem; else realParentItem = propSheetContext->TabPageItem; // Use the HACK if the control is a direct child of the dialog. if (ParentItem && ParentItem != PH_PROP_PAGE_TAB_CONTROL_PARENT && // We detect if ParentItem is the layout item for the dialog // by looking at its parent. (ParentItem->ParentItem == &layoutManager->RootItem || (ParentItem->ParentItem->Anchor & PH_LAYOUT_TAB_CONTROL))) { RECT dialogRect; RECT dialogSize; RECT margin; #ifdef DEBUG ASSERT_DIALOGRECT(PhInstanceHandle, MAKEINTRESOURCE(IDD_PROCGENERAL), 260, 260); #endif // MAKE SURE THESE NUMBERS ARE CORRECT. dialogSize.right = 260; dialogSize.bottom = 260; MapDialogRect(WindowHandle, &dialogSize); // Get the original dialog rectangle. PhGetWindowRect(WindowHandle, &dialogRect); dialogRect.right = dialogRect.left + dialogSize.right; dialogRect.bottom = dialogRect.top + dialogSize.bottom; // Calculate the margin from the original rectangle. PhGetWindowRect(Handle, &margin); PhMapRect(&margin, &margin, &dialogRect); PhConvertRect(&margin, &dialogRect); item = PhAddLayoutItemEx(layoutManager, Handle, realParentItem, Anchor, &margin); } else { item = PhAddLayoutItem(layoutManager, Handle, realParentItem, Anchor); } if (doLayoutStage2) PhpInitializePropSheetLayoutStage2(parent); return item; } VOID PhDoPropPageLayout( _In_ HWND WindowHandle ) { HWND parent; PPH_PROCESS_PROPSHEETCONTEXT propSheetContext; parent = GetParent(WindowHandle); propSheetContext = PhpGetPropSheetContext(parent); PhLayoutManagerLayout(&propSheetContext->LayoutManager); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpProcessPropertiesThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; PPH_PROCESS_PROPCONTEXT PropContext = (PPH_PROCESS_PROPCONTEXT)Parameter; PPH_PROCESS_PROPPAGECONTEXT newPage; PPH_STRING startPage; PhInitializeAutoPool(&autoPool); // Wait for stage 1 to be processed. PhWaitForEvent(&PropContext->ProcessItem->Stage1Event, NULL); // Refresh the icon which may have been updated due to // stage 1. PhRefreshProcessPropContext(PropContext); // Add the pages... // General newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCGENERAL), PhpProcessGeneralDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Statistics newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCSTATISTICS), PhpProcessStatisticsDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Performance newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCPERFORMANCE), PhpProcessPerformanceDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Threads newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCTHREADS), PhpProcessThreadsDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Token PhAddProcessPropPage2( PropContext, PhCreateTokenPage(PhpOpenProcessTokenForPage, PhpCloseProcessTokenForPage, PropContext->ProcessItem->ProcessId, (PVOID)PropContext->ProcessItem->ProcessId, PhpProcessTokenHookProc) ); // Modules newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCMODULES), PhpProcessModulesDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Memory newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCMEMORY), PhpProcessMemoryDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Environment newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCENVIRONMENT), PhpProcessEnvironmentDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Handles newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCHANDLES), PhpProcessHandlesDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); // Job if ( PropContext->ProcessItem->IsInJob && // There's no way the job page can function without KPH since it needs // to open a handle to the job. (KsiLevel() >= KphLevelMed) ) { PhAddProcessPropPage2( PropContext, PhCreateJobPage(PhpOpenProcessJobForPage, PhpCloseProcessJobForPage, (PVOID)PropContext->ProcessItem->ProcessId, PhpProcessJobHookProc) ); } // Services if (PropContext->ProcessItem->ServiceList && PropContext->ProcessItem->ServiceList->Count != 0) { newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCSERVICES), PhpProcessServicesDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); } // WMI Provider Host // Note: The Winmgmt service has WMI providers but doesn't get tagged with WmiProviderHostType. (dmex) if ( (PropContext->ProcessItem->KnownProcessType & KnownProcessTypeMask) == WmiProviderHostType || (PropContext->ProcessItem->KnownProcessType & KnownProcessTypeMask) == ServiceHostProcessType ) { newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCWMIPROVIDERS), PhpProcessWmiProvidersDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); } #ifdef _M_IX86 if ((PropContext->ProcessItem->KnownProcessType & KnownProcessTypeMask) == NtVdmHostProcessType) { newPage = PhCreateProcessPropPageContext( MAKEINTRESOURCE(IDD_PROCVDMHOST), PhpProcessVdmHostProcessDlgProc, NULL ); PhAddProcessPropPage(PropContext, newPage); } #endif // Plugin-supplied pages if (PhPluginsEnabled) { PH_PLUGIN_PROCESS_PROPCONTEXT pluginProcessPropContext; pluginProcessPropContext.PropContext = PropContext; pluginProcessPropContext.ProcessItem = PropContext->ProcessItem; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessPropertiesInitializing), &pluginProcessPropContext); } // Create the property sheet if (PropContext->SelectThreadId) { PhSetStringSetting(SETTING_PROC_PROP_PAGE, L"Threads"); } startPage = PhGetStringSetting(SETTING_PROC_PROP_PAGE); PropContext->PropSheetHeader.dwFlags |= PSH_USEPSTARTPAGE; PropContext->PropSheetHeader.pStartPage = PhGetString(startPage); PhModalPropertySheet(&PropContext->PropSheetHeader); PhDereferenceObject(startPage); PhDereferenceObject(PropContext); PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } VOID PhShowProcessProperties( _In_ PPH_PROCESS_PROPCONTEXT Context ) { PhReferenceObject(Context); PhCreateThread2(PhpProcessPropertiesThreadStart, Context); } ================================================ FILE: SystemInformer/procprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * jxy-s 2020-2021 * */ /* * This provider module handles the collection of process information and system-wide statistics. A * list of all running processes is kept and periodically scanned to detect new and terminated * processes. * * The retrieval of certain information is delayed in order to improve performance. This includes * things such as file icons, version information, digital signature verification, and packed * executable detection. These requests are handed to worker threads which then post back * information to a S-list. * * Also contained in this module is the storage of process records, which contain static information * about processes. Unlike process items which are removed as soon as their corresponding process * exits, process records remain as long as they are needed by the statistics system, and more * specifically the max. CPU and I/O history buffers. In PH 1.x, a new formatted string was created * at each update containing information about the maximum-usage process within that interval. Here * we use a much more storage-efficient method, where the raw maximum-usage PIDs are stored for each * interval, and the process record list is searched when the name of a process is needed. * * The process record list is stored as a list of records sorted by process creation time. If two or * more processes have the same creation time, they are added to a doubly-linked list. This * structure allows for fast searching in the typical scenario where we know the PID of a process * and a specific time in which the process was running. In this case a binary search is used and * then the list is traversed backwards until the process is found. Binary search is similarly used * for insertion and removal. * * On Windows 7 and above, CPU usage can be calculated from cycle time. However, cycle time cannot * be split into kernel/user components, and cycle time is not available for DPCs and Interrupts * separately (only a "system" cycle time). */ #include #include #include #include #include #include #include #include #include #include #include #include #define PROCESS_ID_BUCKETS 64 #define PROCESS_ID_TO_BUCKET_INDEX(ProcessId) ((HandleToUlong(ProcessId) / 4) & (PROCESS_ID_BUCKETS - 1)) typedef struct _PH_PROCESS_QUERY_DATA { SLIST_ENTRY ListEntry; ULONG Stage; PPH_PROCESS_ITEM ProcessItem; } PH_PROCESS_QUERY_DATA, *PPH_PROCESS_QUERY_DATA; typedef struct _PH_PROCESS_QUERY_S1_DATA { PH_PROCESS_QUERY_DATA Header; PPH_STRING CommandLine; PPH_IMAGELIST_ITEM IconEntry; PH_IMAGE_VERSION_INFO VersionInfo; HANDLE ConsoleHostProcessId; PPH_STRING UserName; union { ULONG Flags; struct { ULONG IsDotNet : 1; ULONG Spare1 : 1; ULONG IsInJob : 1; ULONG IsInSignificantJob : 1; ULONG IsBeingDebugged : 1; ULONG IsImmersive : 1; ULONG IsFilteredHandle : 1; ULONG PowerThrottling : 1; ULONG Spare : 24; }; }; } PH_PROCESS_QUERY_S1_DATA, *PPH_PROCESS_QUERY_S1_DATA; typedef struct _PH_PROCESS_QUERY_S2_DATA { PH_PROCESS_QUERY_DATA Header; VERIFY_RESULT VerifyResult; PPH_STRING VerifySignerName; BOOLEAN IsPacked; ULONG ImportFunctions; ULONG ImportModules; PH_IMAGE_VERSION_INFO VersionInfo; // LXSS only NTSTATUS ImageCoherencyStatus; FLOAT ImageCoherency; } PH_PROCESS_QUERY_S2_DATA, *PPH_PROCESS_QUERY_S2_DATA; typedef struct _PH_SID_FULL_NAME_CACHE_ENTRY { PCSID Sid; PPH_STRING FullName; } PH_SID_FULL_NAME_CACHE_ENTRY, *PPH_SID_FULL_NAME_CACHE_ENTRY; typedef struct _PH_SID_RESOLVE_QUEUE_ENTRY { PSID Sid; ULONG SidLength; } PH_SID_RESOLVE_QUEUE_ENTRY, *PPH_SID_RESOLVE_QUEUE_ENTRY; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpProcessItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); VOID PhpQueueProcessQueryStage1( _In_ PPH_PROCESS_ITEM ProcessItem ); VOID PhpQueueProcessQueryStage2( _In_ PPH_PROCESS_ITEM ProcessItem ); PPH_PROCESS_RECORD PhpCreateProcessRecord( _In_ PPH_PROCESS_ITEM ProcessItem ); VOID PhpAddProcessRecord( _Inout_ PPH_PROCESS_RECORD ProcessRecord ); VOID PhpRemoveProcessRecord( _Inout_ PPH_PROCESS_RECORD ProcessRecord ); PPH_STRING PhpGetSidFullNameCached( _In_ PCSID Sid ); PPH_STRING PhpGetSidFullNameCachedSlow( _In_ PSID Sid ); VOID PhpQueueSidForBulkResolution( _In_ PSID Sid ); VOID PhpBulkResolveSidsToCache( _In_ PSID* Sids, _In_ ULONG Count ); VOID PhpProcessBulkSidResolution( VOID ); VOID PhpRemoveProcessRecord( _Inout_ PPH_PROCESS_RECORD ProcessRecord ); PPH_OBJECT_TYPE PhProcessItemType = NULL; PPH_HASH_ENTRY PhProcessHashSet[256] = PH_HASH_SET_INIT; ULONG PhProcessHashSetCount = 0; PH_QUEUED_LOCK PhProcessHashSetLock = PH_QUEUED_LOCK_INIT; SLIST_HEADER PhProcessQueryDataListHead; PPH_LIST PhProcessRecordList = NULL; PH_QUEUED_LOCK PhProcessRecordListLock = PH_QUEUED_LOCK_INIT; static PPH_HASHTABLE PhpSidFullNameCacheHashtable = NULL; static PPH_HASHTABLE PhpSidResolveQueue = NULL; static PH_QUEUED_LOCK PhpSidResolveQueueLock = PH_QUEUED_LOCK_INIT; ULONG PhStatisticsSampleCount = 512; BOOLEAN PhEnableProcessExtension = TRUE; BOOLEAN PhEnablePurgeProcessRecords = TRUE; BOOLEAN PhEnableCycleCpuUsage = TRUE; BOOLEAN PhEnablePackageIconSupport = FALSE; ULONG PhProcessProviderFlagsMask = 0; LONG PhProcessImageListWindowDpi = 96; PVOID PhProcessInformation = NULL; // only can be used if running on same thread as process provider SYSTEM_PERFORMANCE_INFORMATION PhPerfInformation; PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuInformation = NULL; SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuTotals; ULONG PhTotalProcesses = 0; ULONG PhTotalThreads = 0; ULONG PhTotalHandles = 0; ULONG PhTotalCpuQueueLength = 0; UCHAR PhDpcsProcessInformationBuffer[sizeof(SYSTEM_PROCESS_INFORMATION) + sizeof(SYSTEM_PROCESS_INFORMATION_EXTENSION)] = { 0 }; // HACK (dmex) UCHAR PhInterruptsProcessInformationBuffer[sizeof(SYSTEM_PROCESS_INFORMATION) + sizeof(SYSTEM_PROCESS_INFORMATION_EXTENSION)] = { 0 }; PSYSTEM_PROCESS_INFORMATION PhDpcsProcessInformation = (PSYSTEM_PROCESS_INFORMATION)PhDpcsProcessInformationBuffer; PSYSTEM_PROCESS_INFORMATION PhInterruptsProcessInformation = (PSYSTEM_PROCESS_INFORMATION)PhInterruptsProcessInformationBuffer; ULONG64 PhCpuTotalCycleDelta = 0; // real cycle time delta for this period PSYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION PhCpuIdleCycleTime = NULL; // cycle time for Idle PSYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION PhCpuSystemCycleTime = NULL; // cycle time for DPCs and Interrupts PH_UINT64_DELTA PhCpuIdleCycleDelta; PH_UINT64_DELTA PhCpuSystemCycleDelta; //PPH_UINT64_DELTA PhCpusIdleCycleDelta; FLOAT PhCpuKernelUsage = 0.0f; FLOAT PhCpuUserUsage = 0.0f; PFLOAT PhCpusKernelUsage = NULL; PFLOAT PhCpusUserUsage = NULL; PH_UINT64_DELTA PhCpuKernelDelta; PH_UINT64_DELTA PhCpuUserDelta; PH_UINT64_DELTA PhCpuIdleDelta; PPH_UINT64_DELTA PhCpusKernelDelta = NULL; PPH_UINT64_DELTA PhCpusUserDelta = NULL; PPH_UINT64_DELTA PhCpusIdleDelta = NULL; PH_UINT64_DELTA PhIoReadDelta; PH_UINT64_DELTA PhIoWriteDelta; PH_UINT64_DELTA PhIoOtherDelta; BOOLEAN PhProcessStatisticsInitialized = FALSE; static ULONG PhTimeSequenceNumber = 0; static PH_CIRCULAR_BUFFER_ULONG PhTimeHistory; PH_CIRCULAR_BUFFER_FLOAT PhCpuKernelHistory; PH_CIRCULAR_BUFFER_FLOAT PhCpuUserHistory; //PH_CIRCULAR_BUFFER_FLOAT PhCpuOtherHistory; PPH_CIRCULAR_BUFFER_FLOAT PhCpusKernelHistory; PPH_CIRCULAR_BUFFER_FLOAT PhCpusUserHistory; //PPH_CIRCULAR_BUFFER_FLOAT PhCpusOtherHistory; PH_CIRCULAR_BUFFER_ULONG64 PhIoReadHistory; PH_CIRCULAR_BUFFER_ULONG64 PhIoWriteHistory; PH_CIRCULAR_BUFFER_ULONG64 PhIoOtherHistory; PH_CIRCULAR_BUFFER_ULONG PhCommitHistory; PH_CIRCULAR_BUFFER_ULONG PhPhysicalHistory; PH_CIRCULAR_BUFFER_ULONG PhMaxCpuHistory; // ID of max. CPU process PH_CIRCULAR_BUFFER_ULONG PhMaxIoHistory; // ID of max. I/O process #ifdef PH_RECORD_MAX_USAGE PH_CIRCULAR_BUFFER_FLOAT PhMaxCpuUsageHistory; PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoReadOtherHistory; PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoWriteHistory; #endif BOOLEAN PhProcessProviderInitialization( VOID ) { PFLOAT usageBuffer; PPH_UINT64_DELTA deltaBuffer; PPH_CIRCULAR_BUFFER_FLOAT historyBuffer; PhProcessItemType = PhCreateObjectType(L"ProcessItem", 0, PhpProcessItemDeleteProcedure); PhProcessRecordList = PhCreateList(512); PhEnableProcessExtension = WindowsVersion >= WINDOWS_10_RS3 && !PhIsExecutingInWow64(); PhInitializeSListHead(&PhProcessQueryDataListHead); RtlInitUnicodeString(&PhDpcsProcessInformation->ImageName, L"DPCs"); PhDpcsProcessInformation->UniqueProcessId = DPCS_PROCESS_ID; PhDpcsProcessInformation->InheritedFromUniqueProcessId = SYSTEM_IDLE_PROCESS_ID; RtlInitUnicodeString(&PhInterruptsProcessInformation->ImageName, L"Interrupts"); PhInterruptsProcessInformation->UniqueProcessId = INTERRUPTS_PROCESS_ID; PhInterruptsProcessInformation->InheritedFromUniqueProcessId = SYSTEM_IDLE_PROCESS_ID; PhCpuInformation = PhAllocateZero( sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors ); PhCpuIdleCycleTime = PhAllocateZero( sizeof(SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors ); PhCpuSystemCycleTime = PhAllocateZero( sizeof(SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors ); usageBuffer = PhAllocateZero( sizeof(FLOAT) * PhSystemProcessorInformation.NumberOfProcessors * 2 ); deltaBuffer = PhAllocateZero( sizeof(PH_UINT64_DELTA) * PhSystemProcessorInformation.NumberOfProcessors * 3 // 4 for PhCpusIdleCycleDelta ); historyBuffer = PhAllocateZero( sizeof(PH_CIRCULAR_BUFFER_FLOAT) * PhSystemProcessorInformation.NumberOfProcessors * 2 ); PhCpusKernelUsage = usageBuffer; PhCpusUserUsage = PhCpusKernelUsage + PhSystemProcessorInformation.NumberOfProcessors; PhCpusKernelDelta = deltaBuffer; PhCpusUserDelta = PhCpusKernelDelta + PhSystemProcessorInformation.NumberOfProcessors; PhCpusIdleDelta = PhCpusUserDelta + PhSystemProcessorInformation.NumberOfProcessors; //PhCpusIdleCycleDelta = PhCpusIdleDelta + PhGetSystemInformation.NumberOfProcessors; PhCpusKernelHistory = historyBuffer; PhCpusUserHistory = PhCpusKernelHistory + PhSystemProcessorInformation.NumberOfProcessors; return TRUE; } PPH_STRING PhGetClientIdName( _In_ PCLIENT_ID ClientId ) { return PhGetClientIdNameEx(ClientId, NULL); } PPH_STRING PhGetClientIdNameEx( _In_ PCLIENT_ID ClientId, _In_opt_ PPH_STRING ProcessName ) { PPH_STRING name; PPH_PROCESS_ITEM processItem = NULL; // Lookup the name in the process snapshot if necessary if (PhIsNullOrEmptyString(ProcessName)) { processItem = PhReferenceProcessItem(ClientId->UniqueProcess); if (processItem) ProcessName = processItem->ProcessName; } name = PhStdGetClientIdNameEx(ClientId, ProcessName); if (processItem) PhDereferenceObject(processItem); return name; } /** * Creates a process item. */ PPH_PROCESS_ITEM PhCreateProcessItem( _In_ HANDLE ProcessId ) { PPH_PROCESS_ITEM processItem; processItem = PhCreateObject( PhEmGetObjectSize(EmProcessItemType, sizeof(PH_PROCESS_ITEM)), PhProcessItemType ); memset(processItem, 0, sizeof(PH_PROCESS_ITEM)); PhInitializeEvent(&processItem->Stage1Event); PhInitializeQueuedLock(&processItem->ServiceListLock); processItem->ProcessId = ProcessId; // Create the statistics buffers. PhInitializeCircularBuffer_FLOAT(&processItem->CpuKernelHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_FLOAT(&processItem->CpuUserHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&processItem->IoReadHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&processItem->IoWriteHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&processItem->IoOtherHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_SIZE_T(&processItem->PrivateBytesHistory, PhStatisticsSampleCount); //PhInitializeCircularBuffer_SIZE_T(&processItem->WorkingSetHistory, PhStatisticsSampleCount); // // Initialize ImageCoherencyStatus to STATUS_PENDING and prevent items // from being noted as "Low Image Coherency" or highlighted until the // analysis runs. See: PhpShouldShowImageCoherency (jxy-s) // processItem->ImageCoherencyStatus = STATUS_PENDING; // // Notify object operations of object creation. Note: This must be the last // call after all other methods, otherwise extensions that rely on the // object being initialized might crash or have undefined behavior. (dmex) // PhEmCallObjectOperation(EmProcessItemType, processItem, EmObjectCreate); return processItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpProcessItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_PROCESS_ITEM processItem = (PPH_PROCESS_ITEM)Object; ULONG i; PhEmCallObjectOperation(EmProcessItemType, processItem, EmObjectDelete); PhDeleteCircularBuffer_FLOAT(&processItem->CpuKernelHistory); PhDeleteCircularBuffer_FLOAT(&processItem->CpuUserHistory); PhDeleteCircularBuffer_ULONG64(&processItem->IoReadHistory); PhDeleteCircularBuffer_ULONG64(&processItem->IoWriteHistory); PhDeleteCircularBuffer_ULONG64(&processItem->IoOtherHistory); PhDeleteCircularBuffer_SIZE_T(&processItem->PrivateBytesHistory); //PhDeleteCircularBuffer_SIZE_T(&processItem->WorkingSetHistory); if (processItem->ServiceList) { PPH_SERVICE_ITEM serviceItem; i = 0; while (PhEnumPointerList(processItem->ServiceList, &i, &serviceItem)) PhDereferenceObject(serviceItem); PhDereferenceObject(processItem->ServiceList); } if (processItem->ProcessName) PhDereferenceObject(processItem->ProcessName); if (processItem->FileName) PhDereferenceObject(processItem->FileName); if (processItem->CommandLine) PhDereferenceObject(processItem->CommandLine); PhDeleteImageVersionInfo(&processItem->VersionInfo); if (processItem->Sid) PhFree(processItem->Sid); if (processItem->VerifySignerName) PhDereferenceObject(processItem->VerifySignerName); if (processItem->PackageFullName) PhDereferenceObject(processItem->PackageFullName); if (processItem->UserName) PhDereferenceObject(processItem->UserName); if (!PhSystemProcessorInformation.SingleProcessorGroup) { if (processItem->AffinityMaskGroups) PhFree(processItem->AffinityMaskGroups); } if (processItem->FreezeHandle) NtClose(processItem->FreezeHandle); if (processItem->QueryHandle) NtClose(processItem->QueryHandle); if (processItem->Record) PhDereferenceProcessRecord(processItem->Record); if (processItem->IconEntry) PhDereferenceObject(processItem->IconEntry); } FORCEINLINE BOOLEAN PhCompareProcessItem( _In_ PPH_PROCESS_ITEM Value1, _In_ PPH_PROCESS_ITEM Value2 ) { return Value1->ProcessId == Value2->ProcessId; } FORCEINLINE ULONG PhHashProcessItem( _In_ PPH_PROCESS_ITEM Value ) { return HandleToUlong(Value->ProcessId) / 4; } /** * Finds a process item in the hash set. * * \param ProcessId The process ID of the process item. * * \remarks The hash set must be locked before calling this function. The reference count of the * found process item is not incremented. */ PPH_PROCESS_ITEM PhpLookupProcessItem( _In_opt_ HANDLE ProcessId ) { PH_PROCESS_ITEM lookupProcessItem; PPH_HASH_ENTRY entry; PPH_PROCESS_ITEM processItem; lookupProcessItem.ProcessId = ProcessId; entry = PhFindEntryHashSet( PhProcessHashSet, PH_HASH_SET_SIZE(PhProcessHashSet), PhHashProcessItem(&lookupProcessItem) ); for (; entry; entry = entry->Next) { processItem = CONTAINING_RECORD(entry, PH_PROCESS_ITEM, HashEntry); if (PhCompareProcessItem(&lookupProcessItem, processItem)) return processItem; } return NULL; } /** * Finds and references a process item. * * \param ProcessId The process ID of the process item. * * \return The found process item. */ PPH_PROCESS_ITEM PhReferenceProcessItem( _In_opt_ HANDLE ProcessId ) { PPH_PROCESS_ITEM processItem; PhAcquireQueuedLockShared(&PhProcessHashSetLock); processItem = PhpLookupProcessItem(ProcessId); if (processItem) PhReferenceObject(processItem); PhReleaseQueuedLockShared(&PhProcessHashSetLock); return processItem; } /** * Enumerates the process items. * * \param ProcessItems A variable which receives an array of pointers to process items. You must * free the buffer with PhFree() when you no longer need it. * \param NumberOfProcessItems A variable which receives the number of process items returned in * \a ProcessItems. */ VOID PhEnumProcessItems( _Out_opt_ PPH_PROCESS_ITEM **ProcessItems, _Out_ PULONG NumberOfProcessItems ) { PPH_PROCESS_ITEM *processItems; ULONG numberOfProcessItems; ULONG count = 0; ULONG i; PPH_HASH_ENTRY entry; PPH_PROCESS_ITEM processItem; if (!ProcessItems) { *NumberOfProcessItems = PhProcessHashSetCount; return; } PhAcquireQueuedLockShared(&PhProcessHashSetLock); numberOfProcessItems = PhProcessHashSetCount; processItems = PhAllocate(sizeof(PPH_PROCESS_ITEM) * numberOfProcessItems); for (i = 0; i < PH_HASH_SET_SIZE(PhProcessHashSet); i++) { for (entry = PhProcessHashSet[i]; entry; entry = entry->Next) { processItem = CONTAINING_RECORD(entry, PH_PROCESS_ITEM, HashEntry); PhReferenceObject(processItem); processItems[count++] = processItem; } } PhReleaseQueuedLockShared(&PhProcessHashSetLock); *ProcessItems = processItems; *NumberOfProcessItems = numberOfProcessItems; } VOID PhpAddProcessItem( _In_ _Assume_refs_(1) PPH_PROCESS_ITEM ProcessItem ) { PhTrace( "Adding process item: %ls (%lu)", PhGetString(ProcessItem->ProcessName), HandleToUlong(ProcessItem->ProcessId) ); PhAddEntryHashSet( PhProcessHashSet, PH_HASH_SET_SIZE(PhProcessHashSet), &ProcessItem->HashEntry, PhHashProcessItem(ProcessItem) ); PhProcessHashSetCount++; } VOID PhpRemoveProcessItem( _In_ PPH_PROCESS_ITEM ProcessItem ) { PhTrace( "Removing process item: %ls (%lu)", PhGetString(ProcessItem->ProcessName), HandleToUlong(ProcessItem->ProcessId) ); PhRemoveEntryHashSet(PhProcessHashSet, PH_HASH_SET_SIZE(PhProcessHashSet), &ProcessItem->HashEntry); PhProcessHashSetCount--; PhDereferenceObject(ProcessItem); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN PhpSidFullNameCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_SID_FULL_NAME_CACHE_ENTRY entry1 = Entry1; PPH_SID_FULL_NAME_CACHE_ENTRY entry2 = Entry2; return PhEqualSid(entry1->Sid, entry2->Sid); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG PhpSidFullNameCacheHashtableHashFunction( _In_ PVOID Entry ) { PPH_SID_FULL_NAME_CACHE_ENTRY entry = Entry; return PhHashBytes((PUCHAR)entry->Sid, PhLengthSid(entry->Sid)); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN PhpSidResolveQueueHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_SID_RESOLVE_QUEUE_ENTRY entry1 = Entry1; PPH_SID_RESOLVE_QUEUE_ENTRY entry2 = Entry2; return PhEqualSid(entry1->Sid, entry2->Sid); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG PhpSidResolveQueueHashtableHashFunction( _In_ PVOID Entry ) { PPH_SID_RESOLVE_QUEUE_ENTRY entry = Entry; return PhHashBytes((PUCHAR)entry->Sid, PhLengthSid(entry->Sid)); } VOID PhpQueueSidForBulkResolution( _In_ PSID Sid ) { PH_SID_RESOLVE_QUEUE_ENTRY lookupEntry; PPH_SID_RESOLVE_QUEUE_ENTRY entry; PhAcquireQueuedLockExclusive(&PhpSidResolveQueueLock); if (!PhpSidResolveQueue) { PhpSidResolveQueue = PhCreateHashtable( sizeof(PH_SID_RESOLVE_QUEUE_ENTRY), PhpSidResolveQueueHashtableEqualFunction, PhpSidResolveQueueHashtableHashFunction, 64 ); } lookupEntry.Sid = Sid; entry = PhFindEntryHashtable(PhpSidResolveQueue, &lookupEntry); if (!entry) { PH_SID_RESOLVE_QUEUE_ENTRY newEntry; newEntry.SidLength = PhLengthSid(Sid); newEntry.Sid = PhAllocateCopy(Sid, newEntry.SidLength); PhAddEntryHashtable(PhpSidResolveQueue, &newEntry); } PhReleaseQueuedLockExclusive(&PhpSidResolveQueueLock); } VOID PhpBulkResolveSidsToCache( _In_ PSID* Sids, _In_ ULONG Count ) { NTSTATUS status; PPH_STRING* fullNames = NULL; if (Count == 0) return; status = PhLookupSids( Count, Sids, &fullNames ); if (NT_SUCCESS(status)) { if (!PhpSidFullNameCacheHashtable) { PhpSidFullNameCacheHashtable = PhCreateHashtable( sizeof(PH_SID_FULL_NAME_CACHE_ENTRY), PhpSidFullNameCacheHashtableEqualFunction, PhpSidFullNameCacheHashtableHashFunction, 128 ); } for (ULONG i = 0; i < Count; i++) { if (fullNames[i]) { PH_SID_FULL_NAME_CACHE_ENTRY newEntry; newEntry.Sid = PhAllocateCopy(Sids[i], PhLengthSid(Sids[i])); newEntry.FullName = fullNames[i]; PhAddEntryHashtable(PhpSidFullNameCacheHashtable, &newEntry); } } PhFree(fullNames); } } VOID PhpProcessBulkSidResolution( VOID ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SID_RESOLVE_QUEUE_ENTRY entry; PPH_LIST sidArray = NULL; ULONG sidCount = 0; PhAcquireQueuedLockExclusive(&PhpSidResolveQueueLock); if (!PhpSidResolveQueue || PhpSidResolveQueue->Count == 0) { PhReleaseQueuedLockExclusive(&PhpSidResolveQueueLock); return; } sidCount = PhpSidResolveQueue->Count; sidArray = PhCreateList(sidCount); PhBeginEnumHashtable(PhpSidResolveQueue, &enumContext); while (entry = PhNextEnumHashtable(&enumContext)) { PhAddItemList(sidArray, entry->Sid); } PhReleaseQueuedLockExclusive(&PhpSidResolveQueueLock); PhpBulkResolveSidsToCache(sidArray->Items, sidCount); PhAcquireQueuedLockExclusive(&PhpSidResolveQueueLock); PhBeginEnumHashtable(PhpSidResolveQueue, &enumContext); while (entry = PhNextEnumHashtable(&enumContext)) { PhFree(entry->Sid); } PhClearHashtable(PhpSidResolveQueue); PhReleaseQueuedLockExclusive(&PhpSidResolveQueueLock); PhDereferenceObject(sidArray); } PPH_STRING PhpGetSidFullNameCachedSlow( _In_ PSID Sid ) { PPH_STRING fullName; PH_SID_FULL_NAME_CACHE_ENTRY newEntry; if (PhpSidFullNameCacheHashtable) { PPH_SID_FULL_NAME_CACHE_ENTRY entry; PH_SID_FULL_NAME_CACHE_ENTRY lookupEntry; lookupEntry.Sid = Sid; entry = PhFindEntryHashtable(PhpSidFullNameCacheHashtable, &lookupEntry); if (entry) return PhReferenceObject(entry->FullName); } fullName = PhGetSidFullName(Sid, TRUE, NULL); if (!fullName) return NULL; if (!PhpSidFullNameCacheHashtable) { PhpSidFullNameCacheHashtable = PhCreateHashtable( sizeof(PH_SID_FULL_NAME_CACHE_ENTRY), PhpSidFullNameCacheHashtableEqualFunction, PhpSidFullNameCacheHashtableHashFunction, 16 ); } newEntry.Sid = PhAllocateCopy(Sid, PhLengthSid(Sid)); newEntry.FullName = PhReferenceObject(fullName); PhAddEntryHashtable(PhpSidFullNameCacheHashtable, &newEntry); return fullName; } PPH_STRING PhpGetSidFullNameCached( _In_ PCSID Sid ) { if (PhpSidFullNameCacheHashtable) { PPH_SID_FULL_NAME_CACHE_ENTRY entry; PH_SID_FULL_NAME_CACHE_ENTRY lookupEntry; lookupEntry.Sid = Sid; entry = PhFindEntryHashtable(PhpSidFullNameCacheHashtable, &lookupEntry); if (entry) return PhReferenceObject(entry->FullName); } return NULL; } VOID PhpFlushSidFullNameCache( VOID ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SID_FULL_NAME_CACHE_ENTRY entry; if (!PhpSidFullNameCacheHashtable) return; PhBeginEnumHashtable(PhpSidFullNameCacheHashtable, &enumContext); while (entry = PhNextEnumHashtable(&enumContext)) { PhFree((PVOID)entry->Sid); PhDereferenceObject(entry->FullName); } PhClearReference(&PhpSidFullNameCacheHashtable); } VOID PhpProcessQueryStage1( _Inout_ PPH_PROCESS_QUERY_S1_DATA Data ) { NTSTATUS status; PPH_PROCESS_ITEM processItem = Data->Header.ProcessItem; HANDLE processId = processItem->ProcessId; HANDLE processHandleLimited = processItem->QueryHandle; PhTrace( "Process query stage 1: %ls (%lu)", PhGetString(processItem->ProcessName), HandleToUlong(processId) ); // Version info if (!processItem->IsSubsystemProcess) { if (!PhIsNullOrEmptyString(processItem->FileName)) { Data->IconEntry = PhImageListExtractIcon( processItem->FileName, TRUE, processItem->ProcessId, processItem->PackageFullName, PhProcessImageListWindowDpi ); PhInitializeImageVersionInfoCached( &Data->VersionInfo, processItem->FileName, FALSE, !!PhCsEnableVersionSupport ); } if (PhEnableCycleCpuUsage && processId == INTERRUPTS_PROCESS_ID) { static CONST PH_STRINGREF descriptionText = PH_STRINGREF_INIT(L"Interrupts and DPCs"); PhMoveReference(&Data->VersionInfo.FileDescription, PhCreateString2(&descriptionText)); } } // Command line, .NET if (processHandleLimited && !processItem->IsSubsystemProcess) { BOOLEAN isDotNet = FALSE; HANDLE processHandle = NULL; ULONG processQueryFlags = 0; if (WindowsVersion >= WINDOWS_8_1) { processHandle = processHandleLimited; processQueryFlags |= PH_CLR_USE_SECTION_CHECK; status = STATUS_SUCCESS; } else { status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, processId ); } if (NT_SUCCESS(status)) { PPH_STRING commandLine; if (NT_SUCCESS(PhGetProcessCommandLine(processHandle, &commandLine))) { // Some command lines (e.g. from taskeng.exe) have nulls in them. Since Windows // can't display them, we'll replace them with spaces. for (SIZE_T i = 0; i < commandLine->Length / sizeof(WCHAR); i++) { if (commandLine->Buffer[i] == UNICODE_NULL) commandLine->Buffer[i] = L' '; } Data->CommandLine = commandLine; } } if (NT_SUCCESS(status)) { PhGetProcessIsDotNetEx( processId, processHandle, #ifdef _WIN64 processQueryFlags | PH_CLR_NO_WOW64_CHECK | (processItem->IsWow64Process ? PH_CLR_KNOWN_IS_WOW64 : 0), #else processQueryFlags, #endif &isDotNet, NULL ); Data->IsDotNet = isDotNet; } if (!(processQueryFlags & PH_CLR_USE_SECTION_CHECK) && processHandle) NtClose(processHandle); } // Job if (processHandleLimited) { if (KsiLevel() >= KphLevelMed) { HANDLE jobHandle = NULL; status = KphOpenProcessJob( processHandleLimited, JOB_OBJECT_QUERY, &jobHandle ); if (NT_SUCCESS(status) && status != STATUS_PROCESS_NOT_IN_JOB) { JOBOBJECT_BASIC_LIMIT_INFORMATION basicLimits; Data->IsInJob = TRUE; // Process Explorer only recognizes processes as being in jobs if they don't have // the silent-breakaway-OK limit as their only limit. Emulate this behaviour. if (NT_SUCCESS(PhGetJobBasicLimits(jobHandle, &basicLimits))) { Data->IsInSignificantJob = basicLimits.LimitFlags != JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK; } } if (jobHandle) NtClose(jobHandle); } else { // KSystemInformer is not available. We can determine if the process is in a job, but we // can't get a handle to the job. status = NtIsProcessInJob(processHandleLimited, NULL); if (NT_SUCCESS(status)) Data->IsInJob = status == STATUS_PROCESS_IN_JOB; } } // Console host process if (processHandleLimited) { PhGetProcessConsoleHostProcessId(processHandleLimited, &Data->ConsoleHostProcessId); } // Immersive if (processHandleLimited && WindowsVersion >= WINDOWS_8 && processItem->IsPackagedProcess) { Data->IsImmersive = !!PhIsImmersiveProcess(processHandleLimited); } // Filtered if (processHandleLimited && processItem->IsHandleValid) { OBJECT_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhQueryObjectBasicInformation(processHandleLimited, &basicInfo))) { if (!RtlAreAllAccessesGranted(basicInfo.GrantedAccess, PROCESS_QUERY_INFORMATION)) Data->IsFilteredHandle = TRUE; } else { Data->IsFilteredHandle = TRUE; } } // Debugged if ( processHandleLimited && !processItem->IsSubsystemProcess && !Data->IsFilteredHandle && // Don't query the debug object if the handle was filtered (dmex) processItem->ProcessId != SYSTEM_PROCESS_ID // Ignore the system process on 20H2 (dmex) ) { BOOLEAN isBeingDebugged; if (NT_SUCCESS(PhGetProcessIsBeingDebugged(processHandleLimited, &isBeingDebugged))) { Data->IsBeingDebugged = isBeingDebugged; } } // Process Throttling State { if (processHandleLimited && !processItem->IsSubsystemProcess) { POWER_THROTTLING_PROCESS_STATE powerThrottlingState; if (NT_SUCCESS(PhGetProcessPowerThrottlingState(processHandleLimited, &powerThrottlingState))) { if (FlagOn(powerThrottlingState.ControlMask, POWER_THROTTLING_PROCESS_EXECUTION_SPEED) && FlagOn(powerThrottlingState.StateMask, POWER_THROTTLING_PROCESS_EXECUTION_SPEED)) { Data->PowerThrottling = TRUE; } if (FlagOn(powerThrottlingState.ControlMask, POWER_THROTTLING_PROCESS_DELAYTIMERS) && FlagOn(powerThrottlingState.StateMask, POWER_THROTTLING_PROCESS_DELAYTIMERS)) { Data->PowerThrottling = TRUE; } if (FlagOn(powerThrottlingState.ControlMask, POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION) && FlagOn(powerThrottlingState.StateMask, POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION)) { Data->PowerThrottling = TRUE; } } } } } VOID PhpProcessQueryStage2( _Inout_ PPH_PROCESS_QUERY_S2_DATA Data ) { PPH_PROCESS_ITEM processItem = Data->Header.ProcessItem; PhTrace( "Process query stage 2: %ls (%lu)", PhGetString(processItem->ProcessName), HandleToUlong(processItem->ProcessId) ); if (PhEnableProcessQueryStage2 && processItem->FileName && !processItem->IsSubsystemProcess) { NTSTATUS status; Data->VerifyResult = PhVerifyFileCached( processItem->FileName, processItem->PackageFullName, &Data->VerifySignerName, TRUE, FALSE ); status = PhIsExecutablePacked( processItem->FileName, &Data->IsPacked, &Data->ImportModules, &Data->ImportFunctions ); // If we got an image-related error, the image is packed. if ( status == STATUS_INVALID_IMAGE_NOT_MZ || status == STATUS_INVALID_IMAGE_FORMAT || status == STATUS_ACCESS_VIOLATION ) { Data->IsPacked = TRUE; Data->ImportModules = ULONG_MAX; Data->ImportFunctions = ULONG_MAX; } } if (PhEnableImageCoherencySupport && processItem->FileName && !processItem->IsSubsystemProcess) { if (PhCsImageCoherencyScanLevel == 0) { // // If the user changes the configuration from 0 to >0 they will // need to re-run stage 2 analysis otherwise all images will show // low coherency. // [ENHANCEMENT] re-run stage 2 when this advanced option changes // processItem->ImageCoherencyStatus = STATUS_SUCCESS; } else { PH_IMAGE_COHERENCY_SCAN_TYPE type; switch (PhCsImageCoherencyScanLevel) { case 1: type = PhImageCoherencyQuick; break; case 2: type = PhImageCoherencyNormal; break; case 3: default: type = PhImageCoherencyFull; break; case 4: type = PhImageCoherencySharedOriginal; break; } Data->ImageCoherencyStatus = PhGetProcessImageCoherency( processItem->FileName, processItem->ProcessId, type, &Data->ImageCoherency ); } } if (PhEnableLinuxSubsystemSupport && processItem->FileName && processItem->IsSubsystemProcess) { PhInitializeImageVersionInfoCached(&Data->VersionInfo, processItem->FileName, TRUE, !!PhCsEnableVersionSupport); } } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpProcessQueryStage1Worker( _In_ PVOID Parameter ) { PPH_PROCESS_ITEM processItem = (PPH_PROCESS_ITEM)Parameter; PPH_PROCESS_QUERY_S1_DATA data; data = PhAllocateZero(sizeof(PH_PROCESS_QUERY_S1_DATA)); data->Header.Stage = 1; data->Header.ProcessItem = processItem; PhpProcessQueryStage1(data); RtlInterlockedPushEntrySList(&PhProcessQueryDataListHead, &data->Header.ListEntry); return STATUS_SUCCESS; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpProcessQueryStage2Worker( _In_ PVOID Parameter ) { PPH_PROCESS_ITEM processItem = (PPH_PROCESS_ITEM)Parameter; PPH_PROCESS_QUERY_S2_DATA data; data = PhAllocateZero(sizeof(PH_PROCESS_QUERY_S2_DATA)); data->Header.Stage = 2; data->Header.ProcessItem = processItem; PhpProcessQueryStage2(data); RtlInterlockedPushEntrySList(&PhProcessQueryDataListHead, &data->Header.ListEntry); return STATUS_SUCCESS; } VOID PhpQueueProcessQueryStage1( _In_ PPH_PROCESS_ITEM ProcessItem ) { PH_WORK_QUEUE_ENVIRONMENT environment; // Ref: dereferenced when the provider update function removes the item from the queue. PhReferenceObject(ProcessItem); PhInitializeWorkQueueEnvironment(&environment); environment.BasePriority = THREAD_PRIORITY_BELOW_NORMAL; environment.IoPriority = IoPriorityLow; environment.PagePriority = MEMORY_PRIORITY_LOW; PhQueueItemWorkQueueEx(PhGetGlobalWorkQueue(), PhpProcessQueryStage1Worker, ProcessItem, NULL, &environment); } VOID PhpQueueProcessQueryStage2( _In_ PPH_PROCESS_ITEM ProcessItem ) { PH_WORK_QUEUE_ENVIRONMENT environment; PhReferenceObject(ProcessItem); PhInitializeWorkQueueEnvironment(&environment); environment.BasePriority = THREAD_PRIORITY_LOWEST; environment.IoPriority = IoPriorityVeryLow; environment.PagePriority = MEMORY_PRIORITY_VERY_LOW; PhQueueItemWorkQueueEx(PhGetGlobalWorkQueue(), PhpProcessQueryStage2Worker, ProcessItem, NULL, &environment); } VOID PhpFillProcessItemStage1( _In_ PPH_PROCESS_QUERY_S1_DATA Data ) { PPH_PROCESS_ITEM processItem = Data->Header.ProcessItem; processItem->CommandLine = Data->CommandLine; if (Data->IconEntry) { processItem->SmallIconIndex = Data->IconEntry->SmallIconIndex; processItem->LargeIconIndex = Data->IconEntry->LargeIconIndex; } processItem->IconEntry = Data->IconEntry; memcpy(&processItem->VersionInfo, &Data->VersionInfo, sizeof(PH_IMAGE_VERSION_INFO)); processItem->ConsoleHostProcessId = Data->ConsoleHostProcessId; processItem->IsDotNet = Data->IsDotNet; processItem->IsInJob = Data->IsInJob; processItem->IsInSignificantJob = Data->IsInSignificantJob; processItem->IsBeingDebugged = Data->IsBeingDebugged; processItem->IsImmersive = Data->IsImmersive; processItem->IsProtectedHandle = Data->IsFilteredHandle; processItem->IsPowerThrottling = Data->PowerThrottling; PhSwapReference(&processItem->Record->CommandLine, processItem->CommandLine); // Note: We might have referenced the cached username so don't overwrite the previous data. (dmex) if (!processItem->UserName) processItem->UserName = Data->UserName; else if (Data->UserName) PhDereferenceObject(Data->UserName); // Note: Queue stage 2 processing after filling stage1 process data. if ( PhEnableProcessQueryStage2 || PhEnableImageCoherencySupport || PhEnableLinuxSubsystemSupport ) { PhpQueueProcessQueryStage2(processItem); } } VOID PhpFillProcessItemStage2( _In_ PPH_PROCESS_QUERY_S2_DATA Data ) { PPH_PROCESS_ITEM processItem = Data->Header.ProcessItem; processItem->VerifyResult = Data->VerifyResult; processItem->VerifySignerName = Data->VerifySignerName; processItem->IsPacked = Data->IsPacked; processItem->ImportFunctions = Data->ImportFunctions; processItem->ImportModules = Data->ImportModules; processItem->ImageCoherencyStatus = Data->ImageCoherencyStatus; processItem->ImageCoherency = Data->ImageCoherency; // Note: We query Win32 processes in stage1 so don't overwrite the previous data. (dmex) if (processItem->IsSubsystemProcess) { memcpy(&processItem->VersionInfo, &Data->VersionInfo, sizeof(PH_IMAGE_VERSION_INFO)); } } VOID PhpFillProcessItemExtension( _Inout_ PPH_PROCESS_ITEM ProcessItem, _In_ PSYSTEM_PROCESS_INFORMATION Process ) { PSYSTEM_PROCESS_INFORMATION_EXTENSION processExtension; if (!PhEnableProcessExtension) return; processExtension = PH_PROCESS_EXTENSION(Process); ProcessItem->DiskCounters = processExtension->DiskCounters; ProcessItem->ContextSwitches = processExtension->ContextSwitches; ProcessItem->JobObjectId = processExtension->JobObjectId; ProcessItem->SharedCommitCharge = processExtension->SharedCommitCharge; ProcessItem->ProcessSequenceNumber = processExtension->ProcessSequenceNumber; ProcessItem->IsSystemProcess = processExtension->Classification != SystemProcessClassificationNormal; ProcessItem->IsSecureSystem = processExtension->Classification == SystemProcessClassificationSecureSystem; } VOID PhpFillProcessItem( _Inout_ PPH_PROCESS_ITEM ProcessItem, _In_ PSYSTEM_PROCESS_INFORMATION Process ) { ProcessItem->ParentProcessId = Process->InheritedFromUniqueProcessId; ProcessItem->SessionId = Process->SessionId; ProcessItem->CreateTime = Process->CreateTime; ProcessItem->IntegrityLevel.Level = MAXUSHORT; if (ProcessItem->ProcessId != SYSTEM_IDLE_PROCESS_ID) ProcessItem->ProcessName = PhCreateStringFromUnicodeString(&Process->ImageName); else ProcessItem->ProcessName = PhCreateStringFromUnicodeString(&SYSTEM_IDLE_PROCESS_NAME); if (PH_IS_REAL_PROCESS_ID(ProcessItem->ProcessId)) { PhPrintUInt32(ProcessItem->ProcessIdString, HandleToUlong(ProcessItem->ProcessId)); PhPrintUInt32IX(ProcessItem->ProcessIdHexString, HandleToUlong(ProcessItem->ProcessId)); //PhPrintUInt32(ProcessItem->ParentProcessIdString, HandleToUlong(ProcessItem->ParentProcessId)); //PhPrintUInt32(ProcessItem->SessionIdString, ProcessItem->SessionId); } // Open a handle to the process for later usage. if (PH_IS_REAL_PROCESS_ID(ProcessItem->ProcessId)) { if (NT_SUCCESS(PhOpenProcess(&ProcessItem->QueryHandle, PROCESS_QUERY_INFORMATION, ProcessItem->ProcessId))) { ProcessItem->IsHandleValid = TRUE; } if (!ProcessItem->QueryHandle) { PhOpenProcess(&ProcessItem->QueryHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessItem->ProcessId); } } // Process basic information { PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; if (ProcessItem->QueryHandle && NT_SUCCESS(PhGetProcessExtendedBasicInformation(ProcessItem->QueryHandle, &basicInfo))) { ProcessItem->PebBaseAddress = basicInfo.PebBaseAddress; ProcessItem->IsProtectedProcess = basicInfo.IsProtectedProcess; ProcessItem->IsSecureProcess = basicInfo.IsSecureProcess; ProcessItem->IsSubsystemProcess = basicInfo.IsSubsystemProcess; ProcessItem->IsWow64Process = basicInfo.IsWow64Process; ProcessItem->IsPackagedProcess = basicInfo.IsStronglyNamed; ProcessItem->IsCrossSessionProcess = basicInfo.IsCrossSessionCreate; ProcessItem->IsFrozenProcess = basicInfo.IsFrozen; ProcessItem->IsBackgroundProcess = basicInfo.IsBackground; } } // Affinity { if (PhSystemProcessorInformation.SingleProcessorGroup) { KAFFINITY affinityMask; if (ProcessItem->QueryHandle && NT_SUCCESS(PhGetProcessAffinityMask(ProcessItem->QueryHandle, &affinityMask))) { ProcessItem->AffinityMaskSingle = affinityMask; ProcessItem->AffinityPopulationCount = PhCountBitsUlongPtr(ProcessItem->AffinityMaskSingle); } else { ProcessItem->AffinityMaskSingle = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[0]; ProcessItem->AffinityPopulationCount = PhCountBitsUlongPtr(ProcessItem->AffinityMaskSingle); } } else { GROUP_AFFINITY affinity; ProcessItem->AffinityMaskGroups = PhAllocateZero(sizeof(KAFFINITY) * PhSystemProcessorInformation.NumberOfProcessorGroups); for (USHORT i = 0; i < PhSystemProcessorInformation.NumberOfProcessorGroups; i++) { RtlZeroMemory(&affinity, sizeof(GROUP_AFFINITY)); affinity.Group = i; if (ProcessItem->QueryHandle && NT_SUCCESS(PhGetProcessGroupAffinity(ProcessItem->QueryHandle, &affinity))) ProcessItem->AffinityMaskGroups[i] = affinity.Mask; else ProcessItem->AffinityMaskGroups[i] = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[i]; ProcessItem->AffinityPopulationCount += PhCountBitsUlongPtr(ProcessItem->AffinityMaskGroups[i]); } } } // Process information { // If we're dealing with System (PID 4), we need to get the // kernel file name. Otherwise, get the image file name. (wj32) if (ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { ProcessItem->FileName = PhGetKernelFileName(); } else if (ProcessItem->IsSecureSystem) { ProcessItem->FileName = PhGetSecureKernelFileName(); } else { if (PH_IS_REAL_PROCESS_ID(ProcessItem->ProcessId)) { PPH_STRING fileName; if (NT_SUCCESS(PhGetProcessImageFileNameByProcessId(ProcessItem->ProcessId, &fileName))) { ProcessItem->FileName = fileName; } //if (ProcessItem->QueryHandle) //{ // if (NT_SUCCESS(PhGetProcessImageFileName(ProcessItem->QueryHandle, &fileName))) // ProcessItem->FileName = fileName; // if (NT_SUCCESS(PhGetProcessImageFileNameWin32(ProcessItem->QueryHandle, &fileName))) // ProcessItem->FileNameWin32 = fileName; //} } } } // Token information { HANDLE tokenHandle; if (ProcessItem->QueryHandle && NT_SUCCESS(PhOpenProcessToken( ProcessItem->QueryHandle, TOKEN_QUERY, &tokenHandle ))) { PH_TOKEN_USER tokenUser; TOKEN_ELEVATION_TYPE elevationType; BOOLEAN isElevated; BOOLEAN tokenIsUIAccessEnabled; PH_INTEGRITY_LEVEL integrityLevel; PPH_STRINGREF integrityString; PPH_STRING packageFullName; // User if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser))) { ProcessItem->Sid = PhAllocateCopy(tokenUser.User.Sid, PhLengthSid(tokenUser.User.Sid)); ProcessItem->UserName = PhpGetSidFullNameCached(tokenUser.User.Sid); } // Elevation if (NT_SUCCESS(PhGetTokenElevationType(tokenHandle, &elevationType))) { ProcessItem->ElevationType = elevationType; } if (NT_SUCCESS(PhGetTokenElevation(tokenHandle, &isElevated))) { ProcessItem->IsElevated = isElevated; } // Integrity if (NT_SUCCESS(PhGetTokenIntegrityLevelEx(tokenHandle, &integrityLevel, &integrityString))) { ProcessItem->IntegrityLevel = integrityLevel; ProcessItem->IntegrityString = integrityString; } // UIAccess if (NT_SUCCESS(PhGetTokenUIAccess(tokenHandle, &tokenIsUIAccessEnabled))) { ProcessItem->IsUIAccessEnabled = !!tokenIsUIAccessEnabled; } // Package name if ( WindowsVersion >= WINDOWS_8 && ProcessItem->IsPackagedProcess && NT_SUCCESS(PhGetTokenPackageFullName(tokenHandle, &packageFullName)) ) { ProcessItem->PackageFullName = packageFullName; } NtClose(tokenHandle); } } // Token information { if (ProcessItem->ProcessId == SYSTEM_IDLE_PROCESS_ID || ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { if (!ProcessItem->Sid) ProcessItem->Sid = PhAllocateCopy((PSID)&PhSeLocalSystemSid, PhLengthSid(&PhSeLocalSystemSid)); if (!ProcessItem->UserName) ProcessItem->UserName = PhpGetSidFullNameCached(&PhSeLocalSystemSid); ProcessItem->IsSystemProcess = TRUE; } } // Extended Process Information if (WindowsVersion >= WINDOWS_10 && ProcessItem->QueryHandle) { PPROCESS_TELEMETRY_ID_INFORMATION telemetryInfo; ULONG telemetryInfoLength; if (NT_SUCCESS(PhGetProcessTelemetryIdInformation(ProcessItem->QueryHandle, &telemetryInfo, &telemetryInfoLength))) { SIZE_T UserSidLength = telemetryInfo->ImagePathOffset - telemetryInfo->UserSidOffset; PSID UserSidBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->UserSidOffset); SIZE_T ImagePathLength = telemetryInfo->PackageNameOffset - telemetryInfo->ImagePathOffset; PWSTR ImagePathBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->ImagePathOffset); SIZE_T PackageNameLength = telemetryInfo->RelativeAppNameOffset - telemetryInfo->PackageNameOffset; PWSTR PackageNameBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->PackageNameOffset); SIZE_T RelativeAppNameLength = telemetryInfo->CommandLineOffset - telemetryInfo->RelativeAppNameOffset; PWSTR RelativeAppNameBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->RelativeAppNameOffset); SIZE_T CommandLineLength = telemetryInfoLength - telemetryInfo->CommandLineOffset; PWSTR CommandLineBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->CommandLineOffset); ProcessItem->ProcessStartKey = telemetryInfo->ProcessStartKey; ProcessItem->CreateInterruptTime = telemetryInfo->CreateInterruptTime; ProcessItem->ProcessSequenceNumber = telemetryInfo->ProcessSequenceNumber; ProcessItem->SessionCreateTime = telemetryInfo->SessionCreateTime; ProcessItem->ImageChecksum = telemetryInfo->ImageChecksum; ProcessItem->ImageTimeStamp = telemetryInfo->ImageTimeDateStamp; if (!ProcessItem->Sid && PhValidSid(UserSidBuffer)) { ProcessItem->Sid = PhAllocateCopy(UserSidBuffer, UserSidLength); ProcessItem->UserName = PhpGetSidFullNameCached(UserSidBuffer); } if (PhIsNullOrEmptyString(ProcessItem->FileName) && ImagePathLength > sizeof(UNICODE_NULL)) { ProcessItem->FileName = PhCreateStringEx(ImagePathBuffer, ImagePathLength - sizeof(UNICODE_NULL)); } if (PhIsNullOrEmptyString(ProcessItem->PackageFullName) && PackageNameLength > sizeof(UNICODE_NULL)) { ProcessItem->PackageFullName = PhCreateStringEx(PackageNameBuffer, PackageNameLength - sizeof(UNICODE_NULL)); } if (PhIsNullOrEmptyString(ProcessItem->CommandLine) && CommandLineLength > sizeof(UNICODE_NULL)) { PH_STRINGREF commandLine; commandLine.Buffer = CommandLineBuffer; commandLine.Length = CommandLineLength - sizeof(UNICODE_NULL); // Some command lines (e.g. from taskeng.exe) have nulls in them. Since Windows // can't display them, we'll replace them with spaces. (wj32) for (SIZE_T i = 0; i < commandLine.Length / sizeof(WCHAR); i++) { if (commandLine.Buffer[i] == UNICODE_NULL) commandLine.Buffer[i] = L' '; } ProcessItem->CommandLine = PhCreateString2(&commandLine); } } } // Known Process Type if (ProcessItem->FileName) { ProcessItem->KnownProcessType = PhGetProcessKnownTypeEx( ProcessItem->ProcessId, ProcessItem->FileName ); } // Protection { if (WindowsVersion >= WINDOWS_8_1) { if (ProcessItem->QueryHandle) { PS_PROTECTION protection; if (NT_SUCCESS(PhGetProcessProtection(ProcessItem->QueryHandle, &protection))) { ProcessItem->Protection.Level = protection.Level; } } else { // System, DPCs, Interrupts and Idle processes are always protected. (dmex) if (PH_IS_FAKE_PROCESS_ID(ProcessItem->ProcessId) || ProcessItem->IsSystemProcess) { ProcessItem->Protection.Level = PsProtectedValue(PsProtectedSignerWinSystem, FALSE, PsProtectedTypeProtected); ProcessItem->IsProtectedProcess = ProcessItem->IsSecureProcess = ProcessItem->IsSystemProcess = TRUE; } } } } // Control Flow Guard if (WindowsVersion >= WINDOWS_8_1 && ProcessItem->QueryHandle && FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CFGUARD)) { BOOLEAN cfguardEnabled; if (NT_SUCCESS(PhGetProcessIsCFGuardEnabled(ProcessItem->QueryHandle, &cfguardEnabled))) { ProcessItem->IsControlFlowGuardEnabled = cfguardEnabled; } if (WindowsVersion >= WINDOWS_11) { BOOLEAN xfguardEnabled; BOOLEAN xfguardAuditEnabled; if (NT_SUCCESS(PhGetProcessIsXFGuardEnabled(ProcessItem->QueryHandle, &xfguardEnabled, &xfguardAuditEnabled))) { ProcessItem->IsXfgEnabled = xfguardEnabled; ProcessItem->IsXfgAuditEnabled = xfguardAuditEnabled; } } } // CET if (WindowsVersion >= WINDOWS_10_20H1 && FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CET)) { if (ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { SYSTEM_SHADOW_STACK_INFORMATION shadowStackInformation; if (NT_SUCCESS(PhGetSystemShadowStackInformation(&shadowStackInformation))) { ProcessItem->IsCetEnabled = shadowStackInformation.KernelCetEnabled; // Kernel CET is always strict (TheEragon) } } else { if (ProcessItem->QueryHandle) { BOOLEAN cetEnabled; BOOLEAN cetStrictModeEnabled; if (NT_SUCCESS(PhGetProcessIsCetEnabled(ProcessItem->QueryHandle, &cetEnabled, &cetStrictModeEnabled))) { ProcessItem->IsCetEnabled = cetEnabled; } } } } // WSL if (WindowsVersion >= WINDOWS_10_22H2 && ProcessItem->QueryHandle) { if (ProcessItem->IsSubsystemProcess && KsiLevel() >= KphLevelMed) { ULONG lxssProcessId; if (NT_SUCCESS(KphQueryInformationProcess( ProcessItem->QueryHandle, KphProcessWSLProcessId, &lxssProcessId, sizeof(ULONG), NULL ))) { ProcessItem->LxssProcessId = lxssProcessId; } } } // // Snapshot processes are created via NtCreateProcessEx by providing null or // empty object attributes and a parent process handle for what process to // snapshot. They are normally used when inspecting or dumping a process // address space. // // These processes do not have an initial thread and can never have a thread // created within them. They will have a PEB from the originating process. // The PEB check ensures we do not incorrectly designate processes that are // actually valid container processes such as "Secure System". (jxy-s) // if (Process->NumberOfThreads == 0 && ProcessItem->PebBaseAddress) { ProcessItem->IsSnapshotProcess = TRUE; if (ProcessItem->QueryHandle) { // // Snapshot processes will not terminate if we have a handle open. // Close it here or else process objects will leak. (wj32, jxy-s) // NtClose(ProcessItem->QueryHandle); ProcessItem->QueryHandle = NULL; } } } VOID PhpUpdateDynamicInfoProcessItem( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PSYSTEM_PROCESS_INFORMATION Process ) { ProcessItem->BasePriority = Process->BasePriority; if (ProcessItem->QueryHandle) { UCHAR priorityClass; if (NT_SUCCESS(PhGetProcessPriorityClass(ProcessItem->QueryHandle, &priorityClass))) { ProcessItem->PriorityClass = priorityClass; } if (WindowsVersion >= WINDOWS_11_24H2) { PROCESS_NETWORK_COUNTERS networkCounters; if (NT_SUCCESS(PhGetProcessNetworkIoCounters(ProcessItem->QueryHandle, &networkCounters))) { ProcessItem->NetworkCounters = networkCounters; } } } else { ProcessItem->PriorityClass = PROCESS_PRIORITY_CLASS_UNKNOWN; } ProcessItem->KernelTime = Process->KernelTime; ProcessItem->UserTime = Process->UserTime; ProcessItem->NumberOfHandles = Process->HandleCount; ProcessItem->NumberOfThreads = Process->NumberOfThreads; ProcessItem->WorkingSetPrivateSize = Process->WorkingSetPrivateSize; ProcessItem->PeakNumberOfThreads = Process->NumberOfThreadsHighWatermark; ProcessItem->HardFaultCount = Process->HardFaultCount; // Update VM and I/O counters. ProcessItem->VmCounters = *(PVM_COUNTERS_EX)&Process->PeakVirtualSize; ProcessItem->IoCounters = *(PIO_COUNTERS)&Process->ReadOperationCount; } VOID PhpUpdatePerfInformation( VOID ) { if (!NT_SUCCESS(NtQuerySystemInformation( SystemPerformanceInformation, &PhPerfInformation, sizeof(SYSTEM_PERFORMANCE_INFORMATION), NULL ))) { memset(&PhPerfInformation, 0, sizeof(SYSTEM_PERFORMANCE_INFORMATION)); } PhUpdateDelta(&PhIoReadDelta, PhPerfInformation.IoReadTransferCount.QuadPart); PhUpdateDelta(&PhIoWriteDelta, PhPerfInformation.IoWriteTransferCount.QuadPart); PhUpdateDelta(&PhIoOtherDelta, PhPerfInformation.IoOtherTransferCount.QuadPart); } VOID PhpUpdateCpuInformation( _In_ BOOLEAN SetCpuUsage, _Out_ PULONG64 TotalTime ) { ULONG i; ULONG64 totalTime; if (PhSystemProcessorInformation.SingleProcessorGroup) { if (!NT_SUCCESS(NtQuerySystemInformation( SystemProcessorPerformanceInformation, PhCpuInformation, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors, NULL ))) { memset( PhCpuInformation, 0, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors ); } } else { USHORT processorCount = 0; for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { USHORT activeProcessorCount = PhGetActiveProcessorCount(processorGroup); if (!NT_SUCCESS(NtQuerySystemInformationEx( SystemProcessorPerformanceInformation, &processorGroup, sizeof(USHORT), PTR_ADD_OFFSET(PhCpuInformation, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) * processorCount), sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) * activeProcessorCount, NULL ))) { memset( PTR_ADD_OFFSET(PhCpuInformation, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) * processorCount), 0, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) * activeProcessorCount ); } processorCount += activeProcessorCount; } } // Zero the CPU totals. memset(&PhCpuTotals, 0, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION)); for (i = 0; i < PhSystemProcessorInformation.NumberOfProcessors; i++) { PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION cpuInfo = &PhCpuInformation[i]; // KernelTime includes IdleTime. cpuInfo->KernelTime.QuadPart -= cpuInfo->IdleTime.QuadPart; PhCpuTotals.DpcTime.QuadPart += cpuInfo->DpcTime.QuadPart; PhCpuTotals.IdleTime.QuadPart += cpuInfo->IdleTime.QuadPart; PhCpuTotals.InterruptCount += cpuInfo->InterruptCount; PhCpuTotals.InterruptTime.QuadPart += cpuInfo->InterruptTime.QuadPart; PhCpuTotals.KernelTime.QuadPart += cpuInfo->KernelTime.QuadPart; PhCpuTotals.UserTime.QuadPart += cpuInfo->UserTime.QuadPart; PhUpdateDelta(&PhCpusKernelDelta[i], cpuInfo->KernelTime.QuadPart); PhUpdateDelta(&PhCpusUserDelta[i], cpuInfo->UserTime.QuadPart); PhUpdateDelta(&PhCpusIdleDelta[i], cpuInfo->IdleTime.QuadPart); if (SetCpuUsage) { totalTime = PhCpusKernelDelta[i].Delta + PhCpusUserDelta[i].Delta + PhCpusIdleDelta[i].Delta; if (totalTime != 0) { PhCpusKernelUsage[i] = (FLOAT)PhCpusKernelDelta[i].Delta / totalTime; PhCpusUserUsage[i] = (FLOAT)PhCpusUserDelta[i].Delta / totalTime; } else { PhCpusKernelUsage[i] = 0.0f; PhCpusUserUsage[i] = 0.0f; } } } PhUpdateDelta(&PhCpuKernelDelta, PhCpuTotals.KernelTime.QuadPart); PhUpdateDelta(&PhCpuUserDelta, PhCpuTotals.UserTime.QuadPart); PhUpdateDelta(&PhCpuIdleDelta, PhCpuTotals.IdleTime.QuadPart); totalTime = PhCpuKernelDelta.Delta + PhCpuUserDelta.Delta + PhCpuIdleDelta.Delta; if (SetCpuUsage) { if (totalTime != 0) { PhCpuKernelUsage = (FLOAT)PhCpuKernelDelta.Delta / totalTime; PhCpuUserUsage = (FLOAT)PhCpuUserDelta.Delta / totalTime; } else { PhCpuKernelUsage = 0.0f; PhCpuUserUsage = 0.0f; } } *TotalTime = totalTime; } VOID PhpUpdateCpuCycleInformation( _Out_ PULONG64 IdleCycleTime ) { ULONG i; ULONG64 total; // Idle // We need to query this separately because the idle cycle time in SYSTEM_PROCESS_INFORMATION // doesn't give us data for individual processors. if (PhSystemProcessorInformation.SingleProcessorGroup) { if (!NT_SUCCESS(NtQuerySystemInformation( SystemProcessorIdleCycleTimeInformation, PhCpuIdleCycleTime, sizeof(SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors, NULL ))) { memset( PhCpuIdleCycleTime, 0, sizeof(SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors ); } } else { USHORT processorCount = 0; for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { USHORT activeProcessorCount = PhGetActiveProcessorCount(processorGroup); if (!NT_SUCCESS(NtQuerySystemInformationEx( SystemProcessorIdleCycleTimeInformation, &processorGroup, sizeof(USHORT), PTR_ADD_OFFSET(PhCpuIdleCycleTime, sizeof(SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION) * processorCount), sizeof(SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION) * activeProcessorCount, NULL ))) { memset( PTR_ADD_OFFSET(PhCpuIdleCycleTime, sizeof(SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION) * processorCount), 0, sizeof(SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION) * activeProcessorCount ); } processorCount += activeProcessorCount; } } total = 0; for (i = 0; i < PhSystemProcessorInformation.NumberOfProcessors; i++) { //PhUpdateDelta(&PhCpusIdleCycleDelta[i], PhCpuIdleCycleTime[i].CycleTime); total += PhCpuIdleCycleTime[i].CycleTime; } PhUpdateDelta(&PhCpuIdleCycleDelta, total); *IdleCycleTime = PhCpuIdleCycleDelta.Delta; // System if (PhSystemProcessorInformation.SingleProcessorGroup) { if (!NT_SUCCESS(NtQuerySystemInformation( SystemProcessorCycleTimeInformation, PhCpuSystemCycleTime, sizeof(SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors, NULL ))) { memset( PhCpuSystemCycleTime, 0, sizeof(SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION) * PhSystemProcessorInformation.NumberOfProcessors ); } } else { USHORT processorCount = 0; for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { USHORT activeProcessorCount = PhGetActiveProcessorCount(processorGroup); if (!NT_SUCCESS(NtQuerySystemInformationEx( SystemProcessorCycleTimeInformation, &processorGroup, sizeof(USHORT), PTR_ADD_OFFSET(PhCpuSystemCycleTime, sizeof(SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION) * processorCount), sizeof(SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION) * activeProcessorCount, NULL ))) { memset( PTR_ADD_OFFSET(PhCpuSystemCycleTime, sizeof(SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION) * processorCount), 0, sizeof(SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION) * activeProcessorCount ); } processorCount += activeProcessorCount; } } total = 0; for (i = 0; i < PhSystemProcessorInformation.NumberOfProcessors; i++) { total += PhCpuSystemCycleTime[i].CycleTime; } PhUpdateDelta(&PhCpuSystemCycleDelta, total); } VOID PhpUpdateCpuCycleUsageInformation( _In_ ULONG64 TotalCycleTime, _In_ ULONG64 IdleCycleTime ) { ULONG i; FLOAT baseCpuUsage; ULONG64 totalTimeDelta; ULONG64 totalTime; // Cycle time is not only lacking for kernel/user components, but also for individual // processors. We can get the total idle cycle time for individual processors but // without knowing the total cycle time for individual processors, this information // is useless. // // We'll start by calculating the total CPU usage, then we'll calculate the kernel/user // components. In the event that the corresponding CPU time deltas are zero, we'll split // the CPU usage evenly across the kernel/user components. CPU usage for individual // processors is left untouched, because it's too difficult to provide an estimate. // // Let I_1, I_2, ..., I_n be the idle cycle times and T_1, T_2, ..., T_n be the // total cycle times. Let I'_1, I'_2, ..., I'_n be the idle CPU times and T'_1, T'_2, ..., // T'_n be the total CPU times. // We know all I'_n, T'_n and I_n, but we only know sigma(T). The "real" total CPU usage is // sigma(I)/sigma(T), and the "real" individual CPU usage is I_n/T_n. The problem is that // we don't know T_n; we only know sigma(T). Hence we need to find values i_1, i_2, ..., i_n // and t_1, t_2, ..., t_n such that: // sigma(i)/sigma(t) ~= sigma(I)/sigma(T), and // i_n/t_n ~= I_n/T_n // // Solution 1: Set i_n = I_n and t_n = sigma(T)*T'_n/sigma(T'). Then: // sigma(i)/sigma(t) = sigma(I)/(sigma(T)*sigma(T')/sigma(T')) = sigma(I)/sigma(T), and // i_n/t_n = I_n/T'_n*sigma(T')/sigma(T) ~= I_n/T_n since I_n/T'_n ~= I_n/T_n and sigma(T')/sigma(T) ~= 1. // However, it is not guaranteed that i_n/t_n <= 1, which may lead to CPU usages over 100% being displayed. // // Solution 2: Set i_n = I'_n and t_n = T'_n. Then: // sigma(i)/sigma(t) = sigma(I')/sigma(T') ~= sigma(I)/sigma(T) since I'_n ~= I_n and T'_n ~= T_n. // i_n/t_n = I'_n/T'_n ~= I_n/T_n as above. // Not scaling at all is currently the best solution, since it's fast, simple and guarantees that i_n/t_n <= 1. baseCpuUsage = 1 - (FLOAT)IdleCycleTime / TotalCycleTime; totalTimeDelta = PhCpuKernelDelta.Delta + PhCpuUserDelta.Delta; if (totalTimeDelta != 0) { PhCpuKernelUsage = baseCpuUsage * ((FLOAT)PhCpuKernelDelta.Delta / totalTimeDelta); PhCpuUserUsage = baseCpuUsage * ((FLOAT)PhCpuUserDelta.Delta / totalTimeDelta); } else { PhCpuKernelUsage = baseCpuUsage / 2; PhCpuUserUsage = baseCpuUsage / 2; } for (i = 0; i < PhSystemProcessorInformation.NumberOfProcessors; i++) { totalTime = PhCpusKernelDelta[i].Delta + PhCpusUserDelta[i].Delta + PhCpusIdleDelta[i].Delta; if (totalTime != 0) { PhCpusKernelUsage[i] = (FLOAT)PhCpusKernelDelta[i].Delta / totalTime; PhCpusUserUsage[i] = (FLOAT)PhCpusUserDelta[i].Delta / totalTime; } else { PhCpusKernelUsage[i] = 0; PhCpusUserUsage[i] = 0; } } } VOID PhpInitializeProcessStatistics( VOID ) { ULONG i; PhInitializeCircularBuffer_ULONG(&PhTimeHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_FLOAT(&PhCpuKernelHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_FLOAT(&PhCpuUserHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&PhIoReadHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&PhIoWriteHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&PhIoOtherHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG(&PhCommitHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG(&PhPhysicalHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG(&PhMaxCpuHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG(&PhMaxIoHistory, PhStatisticsSampleCount); #ifdef PH_RECORD_MAX_USAGE PhInitializeCircularBuffer_FLOAT(&PhMaxCpuUsageHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&PhMaxIoReadOtherHistory, PhStatisticsSampleCount); PhInitializeCircularBuffer_ULONG64(&PhMaxIoWriteHistory, PhStatisticsSampleCount); #endif for (i = 0; i < PhSystemProcessorInformation.NumberOfProcessors; i++) { PhInitializeCircularBuffer_FLOAT(&PhCpusKernelHistory[i], PhStatisticsSampleCount); PhInitializeCircularBuffer_FLOAT(&PhCpusUserHistory[i], PhStatisticsSampleCount); } } VOID PhpUpdateSystemHistory( VOID ) { ULONG i; LARGE_INTEGER systemTime; ULONG secondsSince1980; // CPU PhAddItemCircularBuffer_FLOAT(&PhCpuKernelHistory, PhCpuKernelUsage); PhAddItemCircularBuffer_FLOAT(&PhCpuUserHistory, PhCpuUserUsage); // CPUs for (i = 0; i < PhSystemProcessorInformation.NumberOfProcessors; i++) { PhAddItemCircularBuffer_FLOAT(&PhCpusKernelHistory[i], PhCpusKernelUsage[i]); PhAddItemCircularBuffer_FLOAT(&PhCpusUserHistory[i], PhCpusUserUsage[i]); } // I/O PhAddItemCircularBuffer_ULONG64(&PhIoReadHistory, PhIoReadDelta.Delta); PhAddItemCircularBuffer_ULONG64(&PhIoWriteHistory, PhIoWriteDelta.Delta); PhAddItemCircularBuffer_ULONG64(&PhIoOtherHistory, PhIoOtherDelta.Delta); // Memory PhAddItemCircularBuffer_ULONG(&PhCommitHistory, PhPerfInformation.CommittedPages); PhAddItemCircularBuffer_ULONG(&PhPhysicalHistory, PhSystemBasicInformation.NumberOfPhysicalPages - PhPerfInformation.AvailablePages ); // Time PhQuerySystemTime(&systemTime); PhTimeToSecondsSince1980(&systemTime, &secondsSince1980); PhAddItemCircularBuffer_ULONG(&PhTimeHistory, secondsSince1980); } /** * Retrieves a time value recorded by the statistics system. * * \param ProcessItem A process item to synchronize with, or NULL if no synchronization is * necessary. * \param Index The history index. * \param Time A variable which receives the time at \a Index. * * \return TRUE if the function succeeded, otherwise FALSE if \a ProcessItem was specified and * \a Index is too far into the past for that process item. */ _Success_(return) BOOLEAN PhGetStatisticsTime( _In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Index, _Out_ PLARGE_INTEGER Time ) { ULONG secondsSince1980; ULONG index; LARGE_INTEGER time; if (ProcessItem) { // The sequence number is used to synchronize statistics when a process exits, since that // process' history is not updated anymore. index = PhTimeSequenceNumber - ProcessItem->TimeSequenceNumber + Index; if (index >= PhTimeHistory.Count) { // The data point is too far into the past. return FALSE; } } else { // Assume the index is valid. index = Index; } secondsSince1980 = PhGetItemCircularBuffer_ULONG(&PhTimeHistory, index); PhSecondsSince1980ToTime(secondsSince1980, &time); *Time = time; return TRUE; } PPH_STRING PhGetStatisticsTimeString( _In_opt_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG Index ) { LARGE_INTEGER time; SYSTEMTIME systemTime; if (PhGetStatisticsTime(ProcessItem, Index, &time)) { PhLargeIntegerToLocalSystemTime(&systemTime, &time); return PhFormatDateTime(&systemTime); } else { return PhCreateString(L"Unknown time"); } } VOID PhFlushProcessQueryData( VOID ) { PSLIST_ENTRY entry; PPH_PROCESS_QUERY_DATA data; //if (!RtlFirstEntrySList(&PhProcessQueryDataListHead)) // return; entry = RtlInterlockedFlushSList(&PhProcessQueryDataListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_PROCESS_QUERY_DATA, ListEntry); entry = entry->Next; if (data->Stage == 1) { PhpFillProcessItemStage1((PPH_PROCESS_QUERY_S1_DATA)data); PhSetEvent(&data->ProcessItem->Stage1Event); } else if (data->Stage == 2) { PhpFillProcessItemStage2((PPH_PROCESS_QUERY_S2_DATA)data); } InterlockedExchange(&data->ProcessItem->JustProcessed, TRUE); PhDereferenceObject(data->ProcessItem); PhFree(data); } } VOID PhpGetProcessThreadInformation( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PSYSTEM_PROCESS_INFORMATION Process, _Out_opt_ PBOOLEAN IsSuspended, _Out_opt_ PBOOLEAN IsPartiallySuspended, _Out_opt_ PULONG64 ContextSwitches, _Out_opt_ PULONG ProcessorQueueLength ) { ULONG i; BOOLEAN isSuspended; BOOLEAN isPartiallySuspended; ULONG64 contextSwitches; ULONG processorQueueLength; ULONG suspendedCount; ULONG workqueueCount; isSuspended = FALSE; isPartiallySuspended = FALSE; contextSwitches = 0; processorQueueLength = 0; suspendedCount = 0; workqueueCount = 0; for (i = 0; i < Process->NumberOfThreads; i++) { PSYSTEM_THREAD_INFORMATION thread = &Process->Threads[i]; switch (thread->ThreadState) { case Ready: processorQueueLength++; break; case Waiting: { switch (thread->WaitReason) { case Suspended: suspendedCount++; break; case WrQueue: workqueueCount++; break; } } break; } contextSwitches += thread->ContextSwitches; } if (PH_IS_REAL_PROCESS_ID(Process->UniqueProcessId) && !ProcessItem->IsSystemProcess) { if (suspendedCount) { if ( suspendedCount == Process->NumberOfThreads || (suspendedCount + workqueueCount) == Process->NumberOfThreads // (NumberOfThreads - workQueueLength) ) { isSuspended = TRUE; } else { isPartiallySuspended = TRUE; } } } if (IsSuspended) *IsSuspended = isSuspended; if (IsPartiallySuspended) *IsPartiallySuspended = isPartiallySuspended; if (ContextSwitches) *ContextSwitches = contextSwitches; if (ProcessorQueueLength) *ProcessorQueueLength = processorQueueLength; } /** * Computes CPU utilization percentage from processor cycles during a measurement interval, normalized by a scaling factor using the number of logical processors. * * Cycles = ProcessorCycleCounterStop - ProcessorCycleCounterStart * Cycles per Tick = Cycles / PerformanceCounterTickDelta * Normalized Cycles per Tick = (Cycles / PerformanceCounterTickDelta) / LogicalProcessorCount * CPU Usage % = DeltaCycles / (DeltaTicks x LogicalProcessorCount) x 100 * * \param ProcessorCycleCountStart The number of CPU cycles at the start of the measurement interval. * \param ProcessorCycleCountStop The number of CPU cycles at the end of the measurement interval. Must be greater than ProcessorCycleCounterStart for a valid calculation. * \param PerformanceCounterDelta The elapsed ticks from a high-resolution performance counter (e.g., QueryPerformanceCounter) during the measurement interval, in performance counter ticks. * \param NumberOfProcessors The number of logical processors in the system, used to normalize the usage percentage. * \return The utilization percentage of processor cycles during the interval. * \remarks This method is used by Windows Task Manager to estimate CPU usage from TSC deltas. */ DOUBLE PhComputeCpuUtilizationPercentFromCycles( _In_ ULONGLONG ProcessorCycleCounterStart, _In_ ULONGLONG ProcessorCycleCounterStop, _In_ LONGLONG PerformanceCounterDelta, _In_ ULONG LogicalProcessorCount ) { if (ProcessorCycleCounterStop <= ProcessorCycleCounterStart || PerformanceCounterDelta == 0 || LogicalProcessorCount == 0) { return 0.0; } const DOUBLE DeltaCycles = (DOUBLE)(ProcessorCycleCounterStop - ProcessorCycleCounterStart); const DOUBLE DeltaTicks = (DOUBLE)PerformanceCounterDelta; const DOUBLE CyclesPerQpcTick = DeltaCycles / DeltaTicks; const DOUBLE UtilizationPercent = (CyclesPerQpcTick / (DOUBLE)LogicalProcessorCount) * 100.0; return UtilizationPercent; } /* * Computes CPU utilization percentage from processor cycles during a measurement interval, normalized by logical processors and calibrated by counter frequencies. * * Utilization% = ObservedCycles / (ElapsedSeconds * CycleCounterFrequencyHz * LogicalProcessorCount) * 100 * * \param ProcessorCycleCountStart The number of CPU cycles at the start of the measurement interval. * \param ProcessorCycleCountStop The number of CPU cycles at the end of the measurement interval. Must be greater than ProcessorCycleCounterStart for a valid calculation. * \param PerformanceCounterDelta The elapsed ticks from a high-resolution performance counter (e.g., QueryPerformanceCounter) during the measurement interval, in performance counter ticks. * \param NumberOfProcessors The number of logical processors in the system, used to normalize the usage percentage. * \return The precise utilization percentage of processor cycles during the interval. * \remarks This method produces a true CPU utilization percentage by incorporating counter frequencies. * \remarks ProcessorCycleCounterFrequency must correspond to the SAME source as ProcessorCycleCounterStart/Stop. * If cycles are from TSC, pass TSC frequency. If cycles are from a PMU (e.g., Unhalted Core Cycles), pass that * counter's effective frequency at 100%, not the invariant TSC frequency. */ DOUBLE PhComputeCpuUtilizationPercentFromCyclesPrecise( _In_ ULONGLONG ProcessorCycleCounterStart, _In_ ULONGLONG ProcessorCycleCounterStop, _In_ ULONGLONG ProcessorCycleCounterFrequency, _In_ LONGLONG PerformanceCounterDelta, _In_ ULONGLONG PerformanceCounterFrequency, _In_ ULONG LogicalProcessorCount ) { if (ProcessorCycleCounterStop <= ProcessorCycleCounterStart || PerformanceCounterDelta <= 0 || PerformanceCounterFrequency == 0 || ProcessorCycleCounterFrequency == 0 || LogicalProcessorCount == 0) { return 0.0; } const DOUBLE ObservedCycles = (DOUBLE)(ProcessorCycleCounterStop - ProcessorCycleCounterStart); const DOUBLE ElapsedSeconds = (DOUBLE)PerformanceCounterDelta / (DOUBLE)PerformanceCounterFrequency; const DOUBLE CapacityCycles = ElapsedSeconds * (DOUBLE)ProcessorCycleCounterFrequency * (DOUBLE)LogicalProcessorCount; if (!(CapacityCycles > 0.0)) return 0.0; const DOUBLE UtilizationPercent = (ObservedCycles / CapacityCycles) * 100.0; return UtilizationPercent; } #ifdef _ARM64_ VOID PhpEstimateIdleCyclesForARM( _Inout_ PULONG64 TotalCycles, _Inout_ PULONG64 IdleCycles ) { // EXPERIMENTAL (jxy-s) // // Update (2024-09-29) - 24H2 is now estimating the cycle counts for idle threads in the kernel // making this routine obsolete. However, this means that the idle thread cycle counts returned // from the kernel is not a reflection of the actual CPU effort of the idle threads. In other // words the idle threads now represent the percentage of the CPU *not* being used by other // processes, as it does on other architectures. The kernel has also broadly changed the cycle // accounting across the entire system to no longer use PMCCNTR_EL0 and instead it uses // KeQueryPerformanceCounter. This means it is currently impossible to represent the cycle // accounting in a way best suited for the ARM architecture. The kernel appears to have opted // for more consistency between architectures instead of accuracy for ARM. // assert(WindowsVersion < WINDOWS_11_24H2); // // The kernel uses PMCCNTR_EL0 for CycleTime in threads and the processor control blocks. // Here is a snippet from ntoskrnl!KiIdleLoop: /* 00000001`404f45a0 d53b9d0b mrs x11,PMCCNTR_EL0 // x11 gets current cycle count 00000001`404f45a4 f947a668 ldr x8,[x19,#0xF48] // x8 gets _KPRCB.StartCycles 00000001`404f45a8 cb08016a sub x10,x11,x8 // x10 gets relative cycles from StartCycle to current cycle count 00000001`404f45ac f94026a9 ldr x9,[x21,#0x48] // x9 gets _KPRCB.IdleThread.CycleTime 00000001`404f45b0 8b0a0128 add x8,x9,x10 // x8 gets idle thread cycle time (x9) plus cycle increment (x10) 00000001`404f45b4 f90026a8 str x8,[x21,#0x48] // stores new idle thread cycle time in _KPRCB.IdleThread.CycleTime 00000001`404f45b8 f907a66b str x11,[x19,#0xF48] // stores the last cycle time fetch in the _KPRCB.StartCycles */ // The idle logic in the HAL is here: /* ntoskrnl!HalProcessorIdle: 00000001`4048fbf0 d503237f pacibsp 00000001`4048fbf4 a9bf7bfd stp fp,lr,[sp,#-0x10]! 00000001`4048fbf8 910003fd mov fp,sp 00000001`4048fbfc 940013df bl ntoskrnl!HalpTimerResetProfileAdjustment (00000001`40494b78) 00000001`4048fc00 d5033f9f dsb sy 00000001`4048fc04 d503207f wfi 00000001`4048fc08 a8c17bfd ldp fp,lr,[sp],#0x10 00000001`4048fc0c d50323ff autibsp 00000001`4048fc10 d65f03c0 ret */ // This dictates that the CPU should enter WFI (Wait For Interrupt) mode. In this mode the // CPU clock is disabled and the PMCCNTR register is not being updated, from the docs: /* All counters are subject to any changes in clock frequency, including clock stopping caused by the WFI and WFE instructions. This means that it is CONSTRAINED UNPREDICTABLE regardless of whether PMCCNTR_EL0 continues to increment when clocks are stopped by WFI and WFE instructions. */ // Arguably, the kernel is doing the right thing here, the idle threads are taking less cycle // time and the KTHREAD reflects this accurately. However, due to the way cycle-based CPU // usage is implemented for other architectures it assumes on the idle thread cycles are // the cycles *not* spent using the CPU, this assumption is incorrect for ARM. // // The most accurate representation of the utilization of the CPU for ARM would show // the idle process CPU usage *below* what is "not being used" by other processes. Since // this would indicate the idle thread being in the WFI state and not using CPU cycles. // For cycle-based CPU to make sense for ARM, we need a way to get or estimate the amount // of cycles the CPU would have used by the idle threads if WFI was mode was not entered. // // This experimental estimate achieves that. It will show the idle process utilization // accurately (given the estimate and what the kernel tracks/reports), and generally retain // the cycle-based CPU benefits. Arguably, we are in some capacity reverting to the // time-based CPU usage calculation by relying on the time to generate the estimate, but // again it comes with the benefit of more realistically reporting the idle threads given // what is tracked/reported by the kernel. // // let x = Unknown Idle Cycles // let y = "Total" Cycles (missing idle cycles) // let a = Time Idle // let b = Time Kernel // let c = Time User // // x / (y + x) = CycleUsage // a / (a + b + c) = TimeUsage // // Assume: CycleUsage ~= TimeUsage // Then: x / (y + x) ~= a / (a + b + c) // // We know y, a, b, and c. So we need to solve for x. // // x / (y + x) ~= a / (a + b + c) // // x ~= a * (y + x) / (a + b + c) // x * (a + b + c) ~= a * (y + x) // x * (a + b + c) ~= (a * y) + (a * x) // x * (a + b + c) - (a * x) ~= (a * y) // x * ((a + b + c) - a) ~= (a * y) // x ~= (a * y) / ((a + b + c) - a) // // x ~= (a * y) / (b + c) // ULONG64 delta = PhCpuKernelDelta.Delta + PhCpuUserDelta.Delta; if (delta != 0) *IdleCycles = (PhCpuIdleCycleDelta.Delta * *TotalCycles) / delta; else *IdleCycles = (PhCpuIdleCycleDelta.Delta * *TotalCycles); // We still need to add in the idle cycle time to the "total" since it wasn't complete yet. *TotalCycles += *IdleCycles; } #endif _Function_class_(PH_PROVIDER_FUNCTION) VOID PhProcessProviderUpdate( _In_ PVOID Object ) { static ULONG runCount = 0; static PSYSTEM_PROCESS_INFORMATION pidBuckets[PROCESS_ID_BUCKETS]; // Note about locking: // // Since this is the only function that is allowed to modify the process hashtable, locking is // not needed for shared accesses. However, exclusive accesses need locking. NTSTATUS status; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; ULONG bucketIndex; ULONG64 sysTotalTime; // total time for this update period ULONG64 sysTotalCycleTime = 0; // total cycle time for this update period ULONG64 sysIdleCycleTime = 0; // total idle cycle time for this update period FLOAT maxCpuValue = 0; PPH_PROCESS_ITEM maxCpuProcessItem = NULL; ULONG64 maxIoValue = 0; PPH_PROCESS_ITEM maxIoProcessItem = NULL; // Pre-update tasks PhTraceFuncEnter("Process provider run count: %lu", runCount); if (runCount > 0) { PhpProcessBulkSidResolution(); } if (runCount % 512 == 0) // yes, a very long time { if (PhEnablePurgeProcessRecords) PhPurgeProcessRecords(); PhpFlushSidFullNameCache(); PhImageListFlushCache(); PhFlushImageVersionInfoCache(); PhFlushVerifyCache(); } if (!PhProcessStatisticsInitialized) { PhpInitializeProcessStatistics(); PhProcessStatisticsInitialized = TRUE; } PhpUpdatePerfInformation(); if (PhEnableCycleCpuUsage) { PhpUpdateCpuInformation(FALSE, &sysTotalTime); PhpUpdateCpuCycleInformation(&sysIdleCycleTime); } else { PhpUpdateCpuInformation(TRUE, &sysTotalTime); } if (runCount != 0) { PhTimeSequenceNumber++; } // Get the process list. PhTotalProcesses = 0; PhTotalThreads = 0; PhTotalHandles = 0; PhTotalCpuQueueLength = 0; if (!NT_SUCCESS(status = PhEnumProcesses(&processes))) { PhTraceFuncExit("Failed to enumerate processes: %lu %!STATUS!", runCount, status); return; } // Notes on cycle-based CPU usage: // // Cycle-based CPU usage is a bit tricky to calculate because we cannot get the total number of // cycles consumed by all processes since system startup - we can only get total number of // cycles per process. This means there are two ways to calculate the system-wide cycle time // delta: // // 1. Each update, sum the cycle times of all processes, and calculate the system-wide delta // from this. Process Explorer seems to do this. // 2. Each update, calculate the cycle time delta for each individual process, and sum these // deltas to create the system-wide delta. We use this here. // // The first method is simpler but has a problem when a process exits and its cycle time is no // longer counted in the system-wide total. This may cause the delta to be negative and all // other calculations to become invalid. Process Explorer simply ignored this fact and treated // the system-wide delta as unsigned (and therefore huge when negative), leading to all CPU // usages being displayed as "< 0.01". // // The second method is used here, but the adjustments must be done before the main new/modified // pass. We need take into account new, existing and terminated processes. // Create the PID hash set. This contains the process information structures returned by // PhEnumProcesses, distinct from the process item hash set. Note that we use the // UniqueProcessKey field as the next node pointer to avoid having to allocate extra memory. memset(pidBuckets, 0, sizeof(pidBuckets)); process = PH_FIRST_PROCESS(processes); do { PhTotalProcesses++; PhTotalThreads += process->NumberOfThreads; PhTotalHandles += process->HandleCount; if (process->UniqueProcessId == SYSTEM_IDLE_PROCESS_ID) { process->CycleTime = PhCpuIdleCycleDelta.Value; process->KernelTime = PhCpuTotals.IdleTime; } bucketIndex = PROCESS_ID_TO_BUCKET_INDEX(process->UniqueProcessId); process->UniqueProcessKey = (ULONG_PTR)pidBuckets[bucketIndex]; pidBuckets[bucketIndex] = process; #ifdef _ARM64_ // see: PhpEstimateIdleCyclesForARM (jxy-s) if (PhEnableCycleCpuUsage && (WindowsVersion >= WINDOWS_11_24H2 || process->UniqueProcessId != SYSTEM_IDLE_PROCESS_ID)) #else if (PhEnableCycleCpuUsage) #endif { PPH_PROCESS_ITEM processItem; if (PhEnableProcessExtension) { if ((processItem = PhpLookupProcessItem(process->UniqueProcessId)) && processItem->ProcessSequenceNumber == PH_PROCESS_EXTENSION(process)->ProcessSequenceNumber) sysTotalCycleTime += process->CycleTime - processItem->CycleTimeDelta.Value; // existing process else sysTotalCycleTime += process->CycleTime; // new process } else { if ((processItem = PhpLookupProcessItem(process->UniqueProcessId)) && processItem->CreateTime.QuadPart == process->CreateTime.QuadPart) sysTotalCycleTime += process->CycleTime - processItem->CycleTimeDelta.Value; // existing process else sysTotalCycleTime += process->CycleTime; // new process } } } while (process = PH_NEXT_PROCESS(process)); // Add the fake processes to the PID list. // // On Windows 7 the two fake processes are merged into "Interrupts" since we can only get cycle // time information both DPCs and Interrupts combined. if (PhEnableCycleCpuUsage) { PhInterruptsProcessInformation->KernelTime.QuadPart = PhCpuTotals.DpcTime.QuadPart + PhCpuTotals.InterruptTime.QuadPart; PhInterruptsProcessInformation->CycleTime = PhCpuSystemCycleDelta.Value; sysTotalCycleTime += PhCpuSystemCycleDelta.Delta; } else { PhDpcsProcessInformation->KernelTime = PhCpuTotals.DpcTime; PhInterruptsProcessInformation->KernelTime = PhCpuTotals.InterruptTime; } // Look for dead processes. { PPH_LIST processesToRemove = NULL; ULONG i; PPH_HASH_ENTRY entry; PPH_PROCESS_ITEM processItem; PSYSTEM_PROCESS_INFORMATION processEntry; for (i = 0; i < PH_HASH_SET_SIZE(PhProcessHashSet); i++) { for (entry = PhProcessHashSet[i]; entry; entry = entry->Next) { BOOLEAN processRemoved = FALSE; processItem = CONTAINING_RECORD(entry, PH_PROCESS_ITEM, HashEntry); // Check if the process still exists. Note that we take into account PID re-use by // checking CreateTime as well. if (processItem->ProcessId == DPCS_PROCESS_ID) { processEntry = PhDpcsProcessInformation; } else if (processItem->ProcessId == INTERRUPTS_PROCESS_ID) { processEntry = PhInterruptsProcessInformation; } else { processEntry = pidBuckets[PROCESS_ID_TO_BUCKET_INDEX(processItem->ProcessId)]; while (processEntry && processEntry->UniqueProcessId != processItem->ProcessId) processEntry = (PSYSTEM_PROCESS_INFORMATION)processEntry->UniqueProcessKey; } if (PhEnableProcessExtension) { if (!processEntry || PH_PROCESS_EXTENSION(processEntry)->ProcessSequenceNumber != processItem->ProcessSequenceNumber) processRemoved = TRUE; } else { if (!processEntry || processEntry->CreateTime.QuadPart != processItem->CreateTime.QuadPart) processRemoved = TRUE; } if (processRemoved) { LARGE_INTEGER exitTime; processItem->State |= PH_PROCESS_ITEM_REMOVED; exitTime.QuadPart = 0; if (processItem->QueryHandle) { KERNEL_USER_TIMES times; ULONG64 finalCycleTime; if (NT_SUCCESS(PhGetProcessTimes(processItem->QueryHandle, ×))) { exitTime = times.ExitTime; } if (PhEnableCycleCpuUsage) { if (NT_SUCCESS(PhGetProcessCycleTime(processItem->QueryHandle, &finalCycleTime))) { // Adjust deltas for the terminated process because this doesn't get // picked up anywhere else. // // Note that if we don't have sufficient access to the process, the // worst that will happen is that the CPU usages of other processes // will get inflated. (See above; if we were using the first // technique, we could get negative deltas, which is much worse.) sysTotalCycleTime += finalCycleTime - processItem->CycleTimeDelta.Value; } } } // If we don't have a valid exit time, use the current time. if (exitTime.QuadPart == 0) PhQuerySystemTime(&exitTime); processItem->Record->Flags |= PH_PROCESS_RECORD_DEAD; processItem->Record->ExitTime = exitTime; // Raise the process removed event. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderRemovedEvent), processItem); if (!processesToRemove) processesToRemove = PhCreateList(2); ASSUME_ASSERT(processesToRemove); PhAddItemList(processesToRemove, processItem); } } } // Lock only if we have something to do. if (processesToRemove) { PhAcquireQueuedLockExclusive(&PhProcessHashSetLock); for (i = 0; i < processesToRemove->Count; i++) { PhpRemoveProcessItem((PPH_PROCESS_ITEM)processesToRemove->Items[i]); } PhReleaseQueuedLockExclusive(&PhProcessHashSetLock); PhDereferenceObject(processesToRemove); } } #ifdef _ARM64_ if (PhEnableCycleCpuUsage && WindowsVersion < WINDOWS_11_24H2) PhpEstimateIdleCyclesForARM(&sysTotalCycleTime, &sysIdleCycleTime); #endif // Go through the queued process query data. PhFlushProcessQueryData(); if (sysTotalTime == 0) sysTotalTime = ULONG64_MAX; // max. value if (sysTotalCycleTime == 0) sysTotalCycleTime = ULONG64_MAX; PhCpuTotalCycleDelta = sysTotalCycleTime; // Look for new processes and update existing ones. process = PH_FIRST_PROCESS(processes); while (process) { PPH_PROCESS_ITEM processItem; processItem = PhpLookupProcessItem(process->UniqueProcessId); if (!processItem) { PPH_PROCESS_RECORD processRecord; BOOLEAN isSuspended; BOOLEAN isPartiallySuspended; ULONG64 contextSwitches; ULONG processorQueueLength; // Create the process item and fill in basic information. processItem = PhCreateProcessItem(process->UniqueProcessId); PhpFillProcessItemExtension(processItem, process); PhpFillProcessItem(processItem, process); processItem->TimeSequenceNumber = PhTimeSequenceNumber; processRecord = PhpCreateProcessRecord(processItem); PhpAddProcessRecord(processRecord); processItem->Record = processRecord; PhpUpdateDynamicInfoProcessItem(processItem, process); PhpGetProcessThreadInformation(processItem, process, &isSuspended, &isPartiallySuspended, &contextSwitches, &processorQueueLength); PhTotalCpuQueueLength += processorQueueLength; // Initialize the deltas. PhUpdateDelta(&processItem->CpuKernelDelta, process->KernelTime.QuadPart); PhUpdateDelta(&processItem->CpuUserDelta, process->UserTime.QuadPart); PhUpdateDelta(&processItem->IoReadDelta, process->ReadTransferCount.QuadPart); PhUpdateDelta(&processItem->IoWriteDelta, process->WriteTransferCount.QuadPart); PhUpdateDelta(&processItem->IoOtherDelta, process->OtherTransferCount.QuadPart); PhUpdateDelta(&processItem->IoReadCountDelta, process->ReadOperationCount.QuadPart); PhUpdateDelta(&processItem->IoWriteCountDelta, process->WriteOperationCount.QuadPart); PhUpdateDelta(&processItem->IoOtherCountDelta, process->OtherOperationCount.QuadPart); PhUpdateDelta(&processItem->ContextSwitchesDelta, PhEnableProcessExtension ? processItem->ContextSwitches : contextSwitches); PhUpdateDelta(&processItem->PageFaultsDelta, process->PageFaultCount); PhUpdateDelta(&processItem->HardFaultsDelta, process->HardFaultCount); PhUpdateDelta(&processItem->CycleTimeDelta, process->CycleTime); PhUpdateDelta(&processItem->PrivateBytesDelta, process->PagefileUsage); processItem->IsSuspended = isSuspended; processItem->IsPartiallySuspended = isPartiallySuspended; // If this is the first run of the provider, queue the // process query tasks. Otherwise, perform stage 1 // processing now and queue stage 2 processing. if (runCount > 0) { PH_PROCESS_QUERY_S1_DATA data; memset(&data, 0, sizeof(PH_PROCESS_QUERY_S1_DATA)); data.Header.Stage = 1; data.Header.ProcessItem = processItem; PhpProcessQueryStage1(&data); PhpFillProcessItemStage1(&data); PhSetEvent(&processItem->Stage1Event); } else { PhpQueueProcessQueryStage1(processItem); } // Add pending service items to the process item. PhUpdateProcessItemServices(processItem); // Add the process item to the hashtable. PhAcquireQueuedLockExclusive(&PhProcessHashSetLock); PhpAddProcessItem(processItem); PhReleaseQueuedLockExclusive(&PhProcessHashSetLock); // Raise the process added event. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderAddedEvent), processItem); // (Ref: for the process item being in the hashtable.) // Instead of referencing then dereferencing we simply don't do anything. // Dereferenced in PhpRemoveProcessItem. } else { BOOLEAN modified = FALSE; BOOLEAN isSuspended; BOOLEAN isPartiallySuspended; ULONG64 contextSwitches; ULONG processorQueueLength; FLOAT newCpuUsage; FLOAT kernelCpuUsage; FLOAT userCpuUsage; PhpUpdateDynamicInfoProcessItem(processItem, process); PhpGetProcessThreadInformation(processItem, process, &isSuspended, &isPartiallySuspended, &contextSwitches, &processorQueueLength); PhpFillProcessItemExtension(processItem, process); PhTotalCpuQueueLength += processorQueueLength; // Update the deltas. PhUpdateDelta(&processItem->CpuKernelDelta, process->KernelTime.QuadPart); PhUpdateDelta(&processItem->CpuUserDelta, process->UserTime.QuadPart); PhUpdateDelta(&processItem->IoReadDelta, process->ReadTransferCount.QuadPart); PhUpdateDelta(&processItem->IoWriteDelta, process->WriteTransferCount.QuadPart); PhUpdateDelta(&processItem->IoOtherDelta, process->OtherTransferCount.QuadPart); PhUpdateDelta(&processItem->IoReadCountDelta, process->ReadOperationCount.QuadPart); PhUpdateDelta(&processItem->IoWriteCountDelta, process->WriteOperationCount.QuadPart); PhUpdateDelta(&processItem->IoOtherCountDelta, process->OtherOperationCount.QuadPart); PhUpdateDelta(&processItem->ContextSwitchesDelta, PhEnableProcessExtension ? processItem->ContextSwitches : contextSwitches); PhUpdateDelta(&processItem->PageFaultsDelta, process->PageFaultCount); PhUpdateDelta(&processItem->HardFaultsDelta, process->HardFaultCount); PhUpdateDelta(&processItem->CycleTimeDelta, process->CycleTime); PhUpdateDelta(&processItem->PrivateBytesDelta, process->PagefileUsage); processItem->TimeSequenceNumber++; PhAddItemCircularBuffer_ULONG64(&processItem->IoReadHistory, processItem->IoReadDelta.Delta); PhAddItemCircularBuffer_ULONG64(&processItem->IoWriteHistory, processItem->IoWriteDelta.Delta); PhAddItemCircularBuffer_ULONG64(&processItem->IoOtherHistory, processItem->IoOtherDelta.Delta); PhAddItemCircularBuffer_SIZE_T(&processItem->PrivateBytesHistory, processItem->VmCounters.PagefileUsage); //PhAddItemCircularBuffer_SIZE_T(&processItem->WorkingSetHistory, processItem->VmCounters.WorkingSetSize); if (InterlockedExchange(&processItem->JustProcessed, 0) != 0) modified = TRUE; if (PhEnableCycleCpuUsage) { ULONG64 totalDelta; newCpuUsage = (FLOAT)processItem->CycleTimeDelta.Delta / sysTotalCycleTime; // Calculate the kernel/user CPU usage based on the kernel/user time. If the kernel // and user deltas are both zero, we'll just have to use an estimate. Currently, we // split the CPU usage evenly across the kernel and user components, except when the // total user time is zero, in which case we assign it all to the kernel component. totalDelta = processItem->CpuKernelDelta.Delta + processItem->CpuUserDelta.Delta; if (totalDelta != 0) { kernelCpuUsage = newCpuUsage * ((FLOAT)processItem->CpuKernelDelta.Delta / totalDelta); userCpuUsage = newCpuUsage * ((FLOAT)processItem->CpuUserDelta.Delta / totalDelta); } else { if (processItem->UserTime.QuadPart != 0) { kernelCpuUsage = newCpuUsage / 2; userCpuUsage = newCpuUsage / 2; } else { kernelCpuUsage = newCpuUsage; userCpuUsage = 0; } } } else { kernelCpuUsage = (FLOAT)processItem->CpuKernelDelta.Delta / sysTotalTime; userCpuUsage = (FLOAT)processItem->CpuUserDelta.Delta / sysTotalTime; newCpuUsage = kernelCpuUsage + userCpuUsage; } processItem->CpuUsage = newCpuUsage; processItem->CpuKernelUsage = kernelCpuUsage; processItem->CpuUserUsage = userCpuUsage; PhAddItemCircularBuffer_FLOAT(&processItem->CpuKernelHistory, kernelCpuUsage); PhAddItemCircularBuffer_FLOAT(&processItem->CpuUserHistory, userCpuUsage); // Process basic information { PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; if (processItem->QueryHandle && NT_SUCCESS(PhGetProcessExtendedBasicInformation(processItem->QueryHandle, &basicInfo))) { if (processItem->IsProtectedProcess != basicInfo.IsProtectedProcess) { processItem->IsProtectedProcess = basicInfo.IsProtectedProcess; modified = TRUE; } if (processItem->IsSecureProcess != basicInfo.IsSecureProcess) { processItem->IsSecureProcess = basicInfo.IsSecureProcess; modified = TRUE; } if (processItem->IsSubsystemProcess != basicInfo.IsSubsystemProcess) { processItem->IsSubsystemProcess = basicInfo.IsSubsystemProcess; modified = TRUE; } if (processItem->IsWow64Process != basicInfo.IsWow64Process) { processItem->IsWow64Process = basicInfo.IsWow64Process; modified = TRUE; } if (processItem->IsPackagedProcess != basicInfo.IsStronglyNamed) { processItem->IsPackagedProcess = basicInfo.IsStronglyNamed; modified = TRUE; } if (processItem->IsCrossSessionProcess != basicInfo.IsCrossSessionCreate) { processItem->IsCrossSessionProcess = basicInfo.IsCrossSessionCreate; modified = TRUE; } if (processItem->IsFrozenProcess != basicInfo.IsFrozen) { processItem->IsFrozenProcess = basicInfo.IsFrozen; modified = TRUE; } if (processItem->IsBackgroundProcess != basicInfo.IsBackground) { processItem->IsBackgroundProcess = basicInfo.IsBackground; modified = TRUE; } } else { if (processItem->IsProtectedProcess) { processItem->IsProtectedProcess = FALSE; modified = TRUE; } if (processItem->IsSecureProcess) { processItem->IsSecureProcess = FALSE; modified = TRUE; } if (processItem->IsSubsystemProcess) { processItem->IsSubsystemProcess = FALSE; modified = TRUE; } if (processItem->IsWow64Process) { processItem->IsWow64Process = FALSE; modified = TRUE; } if (processItem->IsPackagedProcess) { processItem->IsPackagedProcess = FALSE; modified = TRUE; } if (processItem->IsCrossSessionProcess) { processItem->IsCrossSessionProcess = FALSE; modified = TRUE; } if (processItem->IsFrozenProcess) { processItem->IsFrozenProcess = FALSE; modified = TRUE; } if (processItem->IsBackgroundProcess) { processItem->IsBackgroundProcess = FALSE; modified = TRUE; } } } // Affinity, usually not frequently changed, do so lazily. if (runCount % 5 == 0) { ULONG affinityPopulationCount = 0; if (PhSystemProcessorInformation.SingleProcessorGroup) { KAFFINITY affinityMask; if (processItem->QueryHandle && NT_SUCCESS(PhGetProcessAffinityMask(processItem->QueryHandle, &affinityMask))) { processItem->AffinityMaskSingle = affinityMask; affinityPopulationCount = PhCountBitsUlongPtr(processItem->AffinityMaskSingle); } else { processItem->AffinityMaskSingle = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[0]; affinityPopulationCount = PhCountBitsUlongPtr(processItem->AffinityMaskSingle); } } else { for (USHORT i = 0; i < PhSystemProcessorInformation.NumberOfProcessorGroups; i++) { GROUP_AFFINITY affinity; RtlZeroMemory(&affinity, sizeof(GROUP_AFFINITY)); affinity.Group = i; if (processItem->QueryHandle && NT_SUCCESS(PhGetProcessGroupAffinity(processItem->QueryHandle, &affinity))) processItem->AffinityMaskGroups[i] = affinity.Mask; else processItem->AffinityMaskGroups[i] = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[i]; affinityPopulationCount += PhCountBitsUlongPtr(processItem->AffinityMaskGroups[i]); } } if (processItem->AffinityPopulationCount != affinityPopulationCount) { processItem->AffinityPopulationCount = affinityPopulationCount; modified = TRUE; } } // Average if (FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_AVERAGE)) { FLOAT value = 0.0f; for (ULONG i = 0; i < processItem->CpuKernelHistory.Count; i++) { value += PhGetItemCircularBuffer_FLOAT(&processItem->CpuKernelHistory, i) + PhGetItemCircularBuffer_FLOAT(&processItem->CpuUserHistory, i); } if (processItem->CpuKernelHistory.Count) processItem->CpuAverageUsage = (FLOAT)value / (FLOAT)processItem->CpuKernelHistory.Count; else processItem->CpuAverageUsage = 0.0f; } // Max. values if (processItem->ProcessId) { if (maxCpuValue < newCpuUsage) { maxCpuValue = newCpuUsage; maxCpuProcessItem = processItem; } // I/O for Other is not included because it is too generic. if (maxIoValue < processItem->IoReadDelta.Delta + processItem->IoWriteDelta.Delta) { maxIoValue = processItem->IoReadDelta.Delta + processItem->IoWriteDelta.Delta; maxIoProcessItem = processItem; } } // Token information if ( processItem->QueryHandle && processItem->ProcessId != SYSTEM_PROCESS_ID // System token can't be opened on XP (wj32) ) { HANDLE tokenHandle; if (NT_SUCCESS(PhOpenProcessToken( processItem->QueryHandle, TOKEN_QUERY, &tokenHandle ))) { PH_TOKEN_USER tokenUser; //BOOLEAN isElevated; //TOKEN_ELEVATION_TYPE elevationType; PH_INTEGRITY_LEVEL integrityLevel; PPH_STRINGREF integrityString; if (FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_USERNAME)) { // User if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser))) { if (!processItem->Sid || !PhEqualSid(processItem->Sid, tokenUser.User.Sid)) { PSID processSid; // HACK (dmex) processSid = processItem->Sid; processItem->Sid = PhAllocateCopy(tokenUser.User.Sid, PhLengthSid(tokenUser.User.Sid)); if (processSid) PhFree(processSid); if (processItem->Sid) { PPH_STRING resolvedName; // Try cache if (resolvedName = PhpGetSidFullNameCached(processItem->Sid)) { PhMoveReference(&processItem->UserName, resolvedName); } else { // Queue for bulk resolution PhpQueueSidForBulkResolution(processItem->Sid); } } modified = TRUE; } else { if (processItem->Sid && PhIsNullOrEmptyString(processItem->UserName)) { PPH_STRING resolvedName; // Try cache if (resolvedName = PhpGetSidFullNameCached(processItem->Sid)) { PhMoveReference(&processItem->UserName, resolvedName); modified = TRUE; } else { // Queue for bulk resolution PhpQueueSidForBulkResolution(processItem->Sid); } } } } } // Elevation //if (NT_SUCCESS(PhGetTokenElevation(tokenHandle, &isElevated))) //{ // if (processItem->IsElevated != isElevated) // { // processItem->IsElevated = isElevated; // modified = TRUE; // } //} // //if (NT_SUCCESS(PhGetTokenElevationType(tokenHandle, &elevationType))) //{ // if (processItem->ElevationType != elevationType) // { // processItem->ElevationType = elevationType; // modified = TRUE; // } //} // Integrity if (NT_SUCCESS(PhGetTokenIntegrityLevelEx(tokenHandle, &integrityLevel, &integrityString))) { if (processItem->IntegrityLevel.Level != integrityLevel.Level) { processItem->IntegrityLevel = integrityLevel; processItem->IntegrityString = integrityString; modified = TRUE; } } NtClose(tokenHandle); } } else { if (FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_USERNAME)) { if (processItem->ProcessId == SYSTEM_IDLE_PROCESS_ID || processItem->ProcessId == SYSTEM_PROCESS_ID) { if (PhIsNullOrEmptyString(processItem->UserName)) { PPH_STRING resolvedName; // Try cache or fallback to slow lookup if (resolvedName = PhpGetSidFullNameCached((PSID)&PhSeLocalSystemSid)) { PhMoveReference(&processItem->UserName, resolvedName); } else { PhMoveReference(&processItem->UserName, PhpGetSidFullNameCachedSlow((PSID)&PhSeLocalSystemSid)); } modified = TRUE; } } } } // Control Flow Guard if (WindowsVersion >= WINDOWS_8_1 && processItem->QueryHandle && FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CFGUARD)) { BOOLEAN cfguardEnabled; if (NT_SUCCESS(PhGetProcessIsCFGuardEnabled(processItem->QueryHandle, &cfguardEnabled))) { if (processItem->IsControlFlowGuardEnabled != cfguardEnabled) { processItem->IsControlFlowGuardEnabled = cfguardEnabled; modified = TRUE; } } if (WindowsVersion >= WINDOWS_11) { BOOLEAN xfguardEnabled; BOOLEAN xfguardAuditEnabled; if (NT_SUCCESS(PhGetProcessIsXFGuardEnabled(processItem->QueryHandle, &xfguardEnabled, &xfguardAuditEnabled))) { if (processItem->IsXfgEnabled != xfguardEnabled) { processItem->IsXfgEnabled = xfguardEnabled; modified = TRUE; } if (processItem->IsXfgAuditEnabled != xfguardAuditEnabled) { processItem->IsXfgAuditEnabled = xfguardAuditEnabled; modified = TRUE; } } } } // CET if (WindowsVersion >= WINDOWS_10_20H1 && FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CET)) { if (processItem->ProcessId == SYSTEM_PROCESS_ID) { SYSTEM_SHADOW_STACK_INFORMATION shadowStackInformation; if (NT_SUCCESS(PhGetSystemShadowStackInformation(&shadowStackInformation))) { if (processItem->IsCetEnabled != shadowStackInformation.KernelCetEnabled) { processItem->IsCetEnabled = shadowStackInformation.KernelCetEnabled; modified = TRUE; } } } else { if (processItem->QueryHandle) { BOOLEAN cetEnabled; BOOLEAN cetStrictModeEnabled; if (NT_SUCCESS(PhGetProcessIsCetEnabled(processItem->QueryHandle, &cetEnabled, &cetStrictModeEnabled))) { if (processItem->IsCetEnabled != cetEnabled) { processItem->IsCetEnabled = cetEnabled; modified = TRUE; } } } } } // Job if (processItem->QueryHandle) { BOOLEAN isInSignificantJob = FALSE; BOOLEAN isInJob = FALSE; if (KsiLevel() >= KphLevelMed) { HANDLE jobHandle = NULL; status = KphOpenProcessJob( processItem->QueryHandle, JOB_OBJECT_QUERY, &jobHandle ); if (NT_SUCCESS(status) && status != STATUS_PROCESS_NOT_IN_JOB) { JOBOBJECT_BASIC_LIMIT_INFORMATION basicLimits; isInJob = TRUE; if (NT_SUCCESS(PhGetJobBasicLimits(jobHandle, &basicLimits))) { isInSignificantJob = basicLimits.LimitFlags != JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK; } } if (jobHandle) NtClose(jobHandle); } else { status = NtIsProcessInJob(processItem->QueryHandle, NULL); if (NT_SUCCESS(status)) isInJob = status == STATUS_PROCESS_IN_JOB; } if (processItem->IsInSignificantJob != isInSignificantJob) { processItem->IsInSignificantJob = isInSignificantJob; modified = TRUE; } if (processItem->IsInJob != isInJob) { processItem->IsInJob = isInJob; modified = TRUE; } } // Debugged if ( processItem->QueryHandle && !processItem->IsSubsystemProcess && !processItem->IsProtectedHandle && // Don't query the debug object if the handle was filtered (dmex) processItem->ProcessId != SYSTEM_PROCESS_ID // Ignore the system process on 20H2 (dmex) ) { BOOLEAN isBeingDebugged = FALSE; PhGetProcessIsBeingDebugged(processItem->QueryHandle, &isBeingDebugged); if (processItem->IsBeingDebugged != isBeingDebugged) { processItem->IsBeingDebugged = isBeingDebugged; modified = TRUE; } } // Process Throttling State { BOOLEAN isPowerThrottling = FALSE; if (processItem->QueryHandle && !processItem->IsSubsystemProcess) { POWER_THROTTLING_PROCESS_STATE powerThrottlingState; if (NT_SUCCESS(PhGetProcessPowerThrottlingState(processItem->QueryHandle, &powerThrottlingState))) { if (FlagOn(powerThrottlingState.ControlMask, POWER_THROTTLING_PROCESS_EXECUTION_SPEED) && FlagOn(powerThrottlingState.StateMask, POWER_THROTTLING_PROCESS_EXECUTION_SPEED)) { isPowerThrottling = TRUE; } if (FlagOn(powerThrottlingState.ControlMask, POWER_THROTTLING_PROCESS_DELAYTIMERS) && FlagOn(powerThrottlingState.StateMask, POWER_THROTTLING_PROCESS_DELAYTIMERS)) { isPowerThrottling = TRUE; } if (FlagOn(powerThrottlingState.ControlMask, POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION) && FlagOn(powerThrottlingState.StateMask, POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION)) { isPowerThrottling = TRUE; } } } if (processItem->IsPowerThrottling != isPowerThrottling) { processItem->IsPowerThrottling = isPowerThrottling; modified = TRUE; } } // Suspended if (processItem->IsSuspended != isSuspended) { processItem->IsSuspended = isSuspended; modified = TRUE; } if (PhCsUseColorPartiallySuspended) // HACK // Don't invalidate for partially suspended unless enabled (dmex) { if (processItem->IsPartiallySuspended != isPartiallySuspended) { processItem->IsPartiallySuspended = isPartiallySuspended; modified = TRUE; } } else { processItem->IsPartiallySuspended = isPartiallySuspended; } // .NET if (processItem->UpdateIsDotNet) { BOOLEAN isDotNet; ULONG flags = 0; if (NT_SUCCESS(PhGetProcessIsDotNetEx(processItem->ProcessId, NULL, 0, &isDotNet, &flags))) { processItem->IsDotNet = isDotNet; modified = TRUE; } processItem->UpdateIsDotNet = FALSE; } // Immersive // if (processItem->QueryHandle && WindowsVersion >= WINDOWS_8 && !processItem->IsSubsystemProcess) // { // BOOLEAN isImmersive; // // isImmersive = PhIsImmersiveProcess(processItem->QueryHandle); // // if (processItem->IsImmersive != isImmersive) // { // processItem->IsImmersive = isImmersive; // modified = TRUE; // } // } if (processItem->QueryHandle && processItem->IsHandleValid) { OBJECT_BASIC_INFORMATION basicInfo; BOOLEAN filteredHandle = FALSE; if (NT_SUCCESS(PhQueryObjectBasicInformation(processItem->QueryHandle, &basicInfo))) { if (!RtlAreAllAccessesGranted(basicInfo.GrantedAccess, PROCESS_QUERY_INFORMATION)) { filteredHandle = TRUE; } } else { filteredHandle = TRUE; } if (processItem->IsProtectedHandle != filteredHandle) { processItem->IsProtectedHandle = filteredHandle; modified = TRUE; } } if (modified) { PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderModifiedEvent), processItem); } // No reference added by PhpLookupProcessItem. } // Trick ourselves into thinking that the fake processes // are on the list. if (process == PhInterruptsProcessInformation) { process = NULL; } else if (process == PhDpcsProcessInformation) { process = PhInterruptsProcessInformation; } else { process = PH_NEXT_PROCESS(process); if (process == NULL) { if (PhEnableCycleCpuUsage) process = PhInterruptsProcessInformation; else process = PhDpcsProcessInformation; } } } if (PhProcessInformation) PhFree(PhProcessInformation); PhProcessInformation = processes; // History cannot be updated on the first run because the deltas are invalid. For example, the // I/O "deltas" will be huge because they are currently the raw accumulated values. if (runCount != 0) { if (PhEnableCycleCpuUsage) PhpUpdateCpuCycleUsageInformation(sysTotalCycleTime, sysIdleCycleTime); PhpUpdateSystemHistory(); // Note that we need to add a reference to the records of these processes, to make it // possible for others to get the name of a max. CPU or I/O process. if (maxCpuProcessItem) { PhAddItemCircularBuffer_ULONG(&PhMaxCpuHistory, HandleToUlong(maxCpuProcessItem->ProcessId)); #ifdef PH_RECORD_MAX_USAGE PhAddItemCircularBuffer_FLOAT(&PhMaxCpuUsageHistory, maxCpuProcessItem->CpuUsage); #endif if (!(maxCpuProcessItem->Record->Flags & PH_PROCESS_RECORD_STAT_REF)) { PhReferenceProcessRecord(maxCpuProcessItem->Record); maxCpuProcessItem->Record->Flags |= PH_PROCESS_RECORD_STAT_REF; } } else { PhAddItemCircularBuffer_ULONG(&PhMaxCpuHistory, PtrToUlong(NULL)); #ifdef PH_RECORD_MAX_USAGE PhAddItemCircularBuffer_FLOAT(&PhMaxCpuUsageHistory, 0); #endif } if (maxIoProcessItem) { PhAddItemCircularBuffer_ULONG(&PhMaxIoHistory, HandleToUlong(maxIoProcessItem->ProcessId)); #ifdef PH_RECORD_MAX_USAGE PhAddItemCircularBuffer_ULONG64(&PhMaxIoReadOtherHistory, maxIoProcessItem->IoReadDelta.Delta + maxIoProcessItem->IoOtherDelta.Delta); PhAddItemCircularBuffer_ULONG64(&PhMaxIoWriteHistory, maxIoProcessItem->IoWriteDelta.Delta); #endif if (!(maxIoProcessItem->Record->Flags & PH_PROCESS_RECORD_STAT_REF)) { PhReferenceProcessRecord(maxIoProcessItem->Record); maxIoProcessItem->Record->Flags |= PH_PROCESS_RECORD_STAT_REF; } } else { PhAddItemCircularBuffer_ULONG(&PhMaxIoHistory, PtrToUlong(NULL)); #ifdef PH_RECORD_MAX_USAGE PhAddItemCircularBuffer_ULONG64(&PhMaxIoReadOtherHistory, 0); PhAddItemCircularBuffer_ULONG64(&PhMaxIoWriteHistory, 0); #endif } } PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), UlongToPtr(runCount)); PhTraceFuncExit("Process provider run count: %lu", runCount); runCount++; } PPH_PROCESS_RECORD PhpCreateProcessRecord( _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_PROCESS_RECORD processRecord; processRecord = PhAllocate(sizeof(PH_PROCESS_RECORD)); memset(processRecord, 0, sizeof(PH_PROCESS_RECORD)); InitializeListHead(&processRecord->ListEntry); processRecord->RefCount = 1; processRecord->ProcessId = ProcessItem->ProcessId; processRecord->ParentProcessId = ProcessItem->ParentProcessId; processRecord->SessionId = ProcessItem->SessionId; processRecord->ProcessSequenceNumber = ProcessItem->ProcessSequenceNumber; processRecord->CreateTime = ProcessItem->CreateTime; PhSetReference(&processRecord->ProcessName, ProcessItem->ProcessName); PhSetReference(&processRecord->FileName, ProcessItem->FileName); PhSetReference(&processRecord->CommandLine, ProcessItem->CommandLine); //PhSetReference(&processRecord->UserName, ProcessItem->UserName); return processRecord; } PPH_PROCESS_RECORD PhpSearchProcessRecordList( _In_ PLARGE_INTEGER Time, _Out_opt_ PULONG Index, _Out_opt_ PULONG InsertIndex ) { PPH_PROCESS_RECORD processRecord; LONG low; LONG high; LONG i; BOOLEAN found = FALSE; INT comparison; if (PhProcessRecordList->Count == 0) { if (Index) *Index = 0; if (InsertIndex) *InsertIndex = 0; return NULL; } low = 0; high = PhProcessRecordList->Count - 1; // Do a binary search. do { i = (low + high) / 2; processRecord = (PPH_PROCESS_RECORD)PhProcessRecordList->Items[i]; comparison = uint64cmp(Time->QuadPart, processRecord->CreateTime.QuadPart); if (comparison == 0) { found = TRUE; break; } else if (comparison < 0) { high = i - 1; } else { low = i + 1; } } while (low <= high); if (Index) *Index = i; if (found) { if (InsertIndex) *InsertIndex = 0; return processRecord; } else { if (InsertIndex) *InsertIndex = i + (comparison > 0); return NULL; } } VOID PhpAddProcessRecord( _Inout_ PPH_PROCESS_RECORD ProcessRecord ) { PPH_PROCESS_RECORD processRecord; ULONG insertIndex; PhAcquireQueuedLockExclusive(&PhProcessRecordListLock); processRecord = PhpSearchProcessRecordList(&ProcessRecord->CreateTime, NULL, &insertIndex); if (!processRecord) { // Insert the process record, keeping the list sorted. PhInsertItemList(PhProcessRecordList, insertIndex, ProcessRecord); } else { // Link the process record with the existing one that we found. InsertTailList(&processRecord->ListEntry, &ProcessRecord->ListEntry); } PhReleaseQueuedLockExclusive(&PhProcessRecordListLock); } VOID PhpRemoveProcessRecord( _Inout_ PPH_PROCESS_RECORD ProcessRecord ) { ULONG i; PPH_PROCESS_RECORD headProcessRecord; PhAcquireQueuedLockExclusive(&PhProcessRecordListLock); headProcessRecord = PhpSearchProcessRecordList(&ProcessRecord->CreateTime, &i, NULL); assert(headProcessRecord); // Unlink the record from the list. RemoveEntryList(&ProcessRecord->ListEntry); if (ProcessRecord == headProcessRecord) { // Remove the slot completely, or choose a new head record. if (IsListEmpty(&headProcessRecord->ListEntry)) PhRemoveItemList(PhProcessRecordList, i); else PhProcessRecordList->Items[i] = CONTAINING_RECORD(headProcessRecord->ListEntry.Flink, PH_PROCESS_RECORD, ListEntry); } PhReleaseQueuedLockExclusive(&PhProcessRecordListLock); } VOID PhReferenceProcessRecord( _In_ PPH_PROCESS_RECORD ProcessRecord ) { _InterlockedIncrement(&ProcessRecord->RefCount); } BOOLEAN PhReferenceProcessRecordSafe( _In_ PPH_PROCESS_RECORD ProcessRecord ) { return _InterlockedIncrementNoZero(&ProcessRecord->RefCount); } VOID PhReferenceProcessRecordForStatistics( _In_ PPH_PROCESS_RECORD ProcessRecord ) { if (!(ProcessRecord->Flags & PH_PROCESS_RECORD_STAT_REF)) { PhReferenceProcessRecord(ProcessRecord); ProcessRecord->Flags |= PH_PROCESS_RECORD_STAT_REF; } } VOID PhDereferenceProcessRecord( _In_ PPH_PROCESS_RECORD ProcessRecord ) { if (_InterlockedDecrement(&ProcessRecord->RefCount) == 0) { PhpRemoveProcessRecord(ProcessRecord); PhDereferenceObject(ProcessRecord->ProcessName); if (ProcessRecord->FileName) PhDereferenceObject(ProcessRecord->FileName); if (ProcessRecord->CommandLine) PhDereferenceObject(ProcessRecord->CommandLine); /*if (ProcessRecord->UserName) PhDereferenceObject(ProcessRecord->UserName);*/ PhFree(ProcessRecord); } } PPH_PROCESS_RECORD PhpFindProcessRecord( _In_ PPH_PROCESS_RECORD ProcessRecord, _In_ HANDLE ProcessId ) { PPH_PROCESS_RECORD startProcessRecord; startProcessRecord = ProcessRecord; do { if (ProcessRecord->ProcessId == ProcessId) return ProcessRecord; ProcessRecord = CONTAINING_RECORD(ProcessRecord->ListEntry.Flink, PH_PROCESS_RECORD, ListEntry); } while (ProcessRecord != startProcessRecord); return NULL; } /** * Finds a process record. * * \param ProcessId The ID of the process. * \param Time A time in which the process was active. * * \return The newest record older than \a Time, or NULL * if the record could not be found. You must call * PhDereferenceProcessRecord() when you no longer need * the record. */ PPH_PROCESS_RECORD PhFindProcessRecord( _In_opt_ HANDLE ProcessId, _In_ PLARGE_INTEGER Time ) { PPH_PROCESS_RECORD processRecord; ULONG i; BOOLEAN found; if (PhProcessRecordList->Count == 0) return NULL; PhAcquireQueuedLockShared(&PhProcessRecordListLock); processRecord = PhpSearchProcessRecordList(Time, &i, NULL); if (!processRecord) { // This is expected. Now we search backwards to find the newest matching element older than // the given time. found = FALSE; while (TRUE) { processRecord = (PPH_PROCESS_RECORD)PhProcessRecordList->Items[i]; if (processRecord->CreateTime.QuadPart < Time->QuadPart) { if (ProcessId) { processRecord = PhpFindProcessRecord(processRecord, ProcessId); if (processRecord) found = TRUE; } else { found = TRUE; } if (found) break; } if (i == 0) break; i--; } } else { if (ProcessId) { processRecord = PhpFindProcessRecord(processRecord, ProcessId); if (processRecord) found = TRUE; else found = FALSE; } else { found = TRUE; } } if (found) { // The record might have had its last reference just cleared but it hasn't been removed from // the list yet. if (!PhReferenceProcessRecordSafe(processRecord)) found = FALSE; } PhReleaseQueuedLockShared(&PhProcessRecordListLock); if (found) return processRecord; else return NULL; } /** * Deletes unused process records. */ VOID PhPurgeProcessRecords( VOID ) { PPH_PROCESS_RECORD processRecord; PPH_PROCESS_RECORD startProcessRecord; ULONG i; LARGE_INTEGER threshold; PPH_LIST derefList = NULL; if (PhProcessRecordList->Count == 0) return; // Get the oldest statistics time. PhGetStatisticsTime(NULL, PhTimeHistory.Count - 1, &threshold); PhAcquireQueuedLockShared(&PhProcessRecordListLock); for (i = 0; i < PhProcessRecordList->Count; i++) { processRecord = PhProcessRecordList->Items[i]; startProcessRecord = processRecord; do { ULONG requiredFlags; requiredFlags = PH_PROCESS_RECORD_DEAD | PH_PROCESS_RECORD_STAT_REF; if ((processRecord->Flags & requiredFlags) == requiredFlags) { // Check if the process exit time is before the oldest statistics time. If so we can // dereference the process record. if (processRecord->ExitTime.QuadPart < threshold.QuadPart) { // Clear the stat ref bit; this is to make sure we don't try to dereference the // record twice (e.g. if someone else currently holds a reference to the record // and it doesn't get removed immediately). processRecord->Flags &= ~PH_PROCESS_RECORD_STAT_REF; if (!derefList) derefList = PhCreateList(2); if (derefList) { PhAddItemList(derefList, processRecord); } } } processRecord = CONTAINING_RECORD(processRecord->ListEntry.Flink, PH_PROCESS_RECORD, ListEntry); } while (processRecord != startProcessRecord); } PhReleaseQueuedLockShared(&PhProcessRecordListLock); if (derefList) { for (i = 0; i < derefList->Count; i++) { PhDereferenceProcessRecord(derefList->Items[i]); } PhDereferenceObject(derefList); } } PPH_PROCESS_ITEM PhReferenceProcessItemForParent( _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_PROCESS_ITEM parentProcessItem; if (ProcessItem->ParentProcessId == ProcessItem->ProcessId) // for cases where the parent PID = PID (e.g. System Idle Process) return NULL; PhAcquireQueuedLockShared(&PhProcessHashSetLock); parentProcessItem = PhpLookupProcessItem(ProcessItem->ParentProcessId); if (PhEnableProcessExtension) { // We make sure that the process item we found is actually the parent process - its sequence number // must not be higher than the supplied sequence. if (parentProcessItem && parentProcessItem->ProcessSequenceNumber <= ProcessItem->ProcessSequenceNumber) PhReferenceObject(parentProcessItem); else parentProcessItem = NULL; } else { // We make sure that the process item we found is actually the parent process - its start time // must not be larger than the supplied time. if (parentProcessItem && parentProcessItem->CreateTime.QuadPart <= ProcessItem->CreateTime.QuadPart) PhReferenceObject(parentProcessItem); else parentProcessItem = NULL; } PhReleaseQueuedLockShared(&PhProcessHashSetLock); return parentProcessItem; } PPH_PROCESS_ITEM PhReferenceProcessItemForRecord( _In_ PPH_PROCESS_RECORD Record ) { PPH_PROCESS_ITEM processItem; PhAcquireQueuedLockShared(&PhProcessHashSetLock); processItem = PhpLookupProcessItem(Record->ProcessId); if (PhEnableProcessExtension) { if (processItem && processItem->ProcessSequenceNumber == Record->ProcessSequenceNumber) PhReferenceObject(processItem); else processItem = NULL; } else { if (processItem && processItem->CreateTime.QuadPart == Record->CreateTime.QuadPart) PhReferenceObject(processItem); else processItem = NULL; } PhReleaseQueuedLockShared(&PhProcessHashSetLock); return processItem; } PPH_HASHTABLE PhImageListCacheHashtable = NULL; PH_QUEUED_LOCK PhImageListCacheHashtableLock = PH_QUEUED_LOCK_INIT; HIMAGELIST PhProcessLargeImageList = NULL; HIMAGELIST PhProcessSmallImageList = NULL; PPH_OBJECT_TYPE PhImageListItemType = NULL; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpImageListItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_IMAGELIST_ITEM entry = (PPH_IMAGELIST_ITEM)Object; // TODO: Remove TN_CACHE from TreeNewGetNodeIcon so we're // able to sync the updated image index after ImageList_Remove. (dmex) //ULONG LargeIconIndex = entry->LargeIconIndex; //ULONG SmallIconIndex = entry->SmallIconIndex; //PPH_PROCESS_ITEM* processes; //ULONG numberOfProcesses; // //PhEnumProcessItems(&processes, &numberOfProcesses); // //for (ULONG i = 0; i < numberOfProcesses; i++) //{ // PPH_PROCESS_ITEM process = processes[i]; // // if ( // process->LargeIconIndex > LargeIconIndex && // process->SmallIconIndex > SmallIconIndex // ) // { // process->LargeIconIndex -= 1; // process->SmallIconIndex -= 1; // } //} // //PhFree(processes); // //ImageList_Remove(PhProcessLargeImageList, LargeIconIndex); //ImageList_Remove(PhProcessSmallImageList, SmallIconIndex); // PhDereferenceObject(entry->FileName); } VOID PhProcessImageListInitialization( _In_ HWND WindowHandle, _In_ LONG WindowDpi ) { HICON iconSmall; HICON iconLarge; PPH_LIST fileNames = NULL; PhAcquireQueuedLockExclusive(&PhImageListCacheHashtableLock); if (!PhImageListItemType) PhImageListItemType = PhCreateObjectType(L"ImageListItem", 0, PhpImageListItemDeleteProcedure); PhProcessImageListWindowDpi = WindowDpi; { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_IMAGELIST_ITEM* entry; if (PhImageListCacheHashtable) { fileNames = PhCreateList(PhImageListCacheHashtable->Count); PhBeginEnumHashtable(PhImageListCacheHashtable, &enumContext); while (entry = PhNextEnumHashtable(&enumContext)) { PPH_IMAGELIST_ITEM item = *entry; PhAddItemList(fileNames, PhReferenceObject(item->FileName)); PhDereferenceObject(item); } PhDereferenceObject(PhImageListCacheHashtable); PhImageListCacheHashtable = NULL; } } if (PhProcessLargeImageList) { PhImageListSetIconSize( PhProcessLargeImageList, PhGetSystemMetrics(SM_CXICON, PhProcessImageListWindowDpi), PhGetSystemMetrics(SM_CYICON, PhProcessImageListWindowDpi) ); } else { PhProcessLargeImageList = PhImageListCreate( PhGetSystemMetrics(SM_CXICON, PhProcessImageListWindowDpi), PhGetSystemMetrics(SM_CYICON, PhProcessImageListWindowDpi), ILC_MASK | ILC_COLOR32, 100, 100); } if (PhProcessSmallImageList) { PhImageListSetIconSize( PhProcessSmallImageList, PhGetSystemMetrics(SM_CXSMICON, PhProcessImageListWindowDpi), PhGetSystemMetrics(SM_CYSMICON, PhProcessImageListWindowDpi) ); } else { PhProcessSmallImageList = PhImageListCreate( PhGetSystemMetrics(SM_CXSMICON, PhProcessImageListWindowDpi), PhGetSystemMetrics(SM_CYSMICON, PhProcessImageListWindowDpi), ILC_MASK | ILC_COLOR32, 100, 100); } //PhImageListSetBkColor(PhProcessLargeImageList, CLR_NONE); //PhImageListSetBkColor(PhProcessSmallImageList, CLR_NONE); PhGetStockApplicationIcon(&iconSmall, &iconLarge); PhImageListAddIcon(PhProcessLargeImageList, iconLarge); PhImageListAddIcon(PhProcessSmallImageList, iconSmall); iconLarge = PhLoadIcon(PhInstanceHandle, MAKEINTRESOURCE(IDI_COG), PH_LOAD_ICON_SIZE_LARGE, 0, 0, PhProcessImageListWindowDpi); iconSmall = PhLoadIcon(PhInstanceHandle, MAKEINTRESOURCE(IDI_COG), PH_LOAD_ICON_SIZE_SMALL, 0, 0, PhProcessImageListWindowDpi); PhImageListAddIcon(PhProcessLargeImageList, iconLarge); PhImageListAddIcon(PhProcessSmallImageList, iconSmall); DestroyIcon(iconLarge); DestroyIcon(iconSmall); if (fileNames) { for (ULONG i = 0; i < fileNames->Count; i++) { PPH_STRING filename = fileNames->Items[i]; PPH_IMAGELIST_ITEM iconEntry; PhReleaseQueuedLockExclusive(&PhImageListCacheHashtableLock); iconEntry = PhImageListExtractIcon(filename, TRUE, 0, NULL, PhProcessImageListWindowDpi); PhAcquireQueuedLockExclusive(&PhImageListCacheHashtableLock); if (iconEntry) { PPH_PROCESS_ITEM* processes; ULONG numberOfProcesses; PhEnumProcessItems(&processes, &numberOfProcesses); for (ULONG j = 0; j < numberOfProcesses; j++) { PPH_PROCESS_ITEM process = processes[j]; if (process->FileName && PhEqualString(process->FileName, filename, FALSE)) { process->IconEntry = PhReferenceObject(iconEntry); process->SmallIconIndex = iconEntry->SmallIconIndex; process->LargeIconIndex = iconEntry->LargeIconIndex; } } PhDereferenceObjects(processes, numberOfProcesses); PhFree(processes); PhDereferenceObject(iconEntry); } } PhDereferenceObjects(fileNames->Items, fileNames->Count); PhDereferenceObject(fileNames); } PhReleaseQueuedLockExclusive(&PhImageListCacheHashtableLock); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhImageListCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_IMAGELIST_ITEM entry1 = *(PPH_IMAGELIST_ITEM*)Entry1; PPH_IMAGELIST_ITEM entry2 = *(PPH_IMAGELIST_ITEM*)Entry2; return PhEqualStringRef(&entry1->FileName->sr, &entry2->FileName->sr, FALSE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhImageListCacheHashtableHashFunction( _In_ PVOID Entry ) { PPH_IMAGELIST_ITEM entry = *(PPH_IMAGELIST_ITEM*)Entry; return PhHashStringRefEx(&entry->FileName->sr, FALSE, PH_STRING_HASH_XXH32); } PPH_IMAGELIST_ITEM PhImageListExtractIcon( _In_ PPH_STRING FileName, _In_ BOOLEAN NativeFileName, _In_opt_ HANDLE ProcessId, _In_opt_ PPH_STRING PackageFullName, _In_ LONG SystemDpi ) { HICON largeIcon = NULL; HICON smallIcon = NULL; PPH_IMAGELIST_ITEM newentry; PhAcquireQueuedLockShared(&PhImageListCacheHashtableLock); if (PhImageListCacheHashtable) { PH_IMAGELIST_ITEM lookupEntry; PPH_IMAGELIST_ITEM lookupEntryPtr = &lookupEntry; PPH_IMAGELIST_ITEM* entry; lookupEntry.FileName = FileName; entry = (PPH_IMAGELIST_ITEM*)PhFindEntryHashtable(PhImageListCacheHashtable, &lookupEntryPtr); if (entry) { PPH_IMAGELIST_ITEM foundEntry = *entry; PhReferenceObject(foundEntry); PhReleaseQueuedLockShared(&PhImageListCacheHashtableLock); return foundEntry; } } PhReleaseQueuedLockShared(&PhImageListCacheHashtableLock); if (PhEnablePackageIconSupport && ProcessId && PackageFullName) { if (!PhAppResolverGetPackageIcon( ProcessId, PackageFullName, &largeIcon, &smallIcon, SystemDpi )) { PhExtractIconEx( &FileName->sr, NativeFileName, 0, PhGetSystemMetrics(SM_CXICON, SystemDpi), PhGetSystemMetrics(SM_CYICON, SystemDpi), PhGetSystemMetrics(SM_CXSMICON, SystemDpi), PhGetSystemMetrics(SM_CYSMICON, SystemDpi), &largeIcon, &smallIcon ); } } else { PhExtractIconEx( &FileName->sr, NativeFileName, 0, PhGetSystemMetrics(SM_CXICON, SystemDpi), PhGetSystemMetrics(SM_CYICON, SystemDpi), PhGetSystemMetrics(SM_CXSMICON, SystemDpi), PhGetSystemMetrics(SM_CYSMICON, SystemDpi), &largeIcon, &smallIcon ); } PhAcquireQueuedLockExclusive(&PhImageListCacheHashtableLock); if (!PhImageListCacheHashtable) { PhImageListCacheHashtable = PhCreateHashtable( sizeof(PPH_IMAGELIST_ITEM), PhImageListCacheHashtableEqualFunction, PhImageListCacheHashtableHashFunction, 32 ); } newentry = PhCreateObject(sizeof(PH_IMAGELIST_ITEM), PhImageListItemType); newentry->FileName = PhReferenceObject(FileName); if (largeIcon && smallIcon) { newentry->LargeIconIndex = PhImageListAddIcon(PhProcessLargeImageList, largeIcon); newentry->SmallIconIndex = PhImageListAddIcon(PhProcessSmallImageList, smallIcon); } else { newentry->LargeIconIndex = 0; newentry->SmallIconIndex = 0; } PhReferenceObject(newentry); PhAddEntryHashtable(PhImageListCacheHashtable, &newentry); PhReleaseQueuedLockExclusive(&PhImageListCacheHashtableLock); if (smallIcon) DestroyIcon(smallIcon); if (largeIcon) DestroyIcon(smallIcon); return newentry; } VOID PhImageListFlushCache( VOID ) { //PH_HASHTABLE_ENUM_CONTEXT enumContext; //PPH_IMAGELIST_ITEM* entry; // //if (!PhImageListCacheHashtable) // return; // //PhAcquireQueuedLockExclusive(&PhImageListCacheHashtableLock); // //PhBeginEnumHashtable(PhImageListCacheHashtable, &enumContext); // //while (entry = PhNextEnumHashtable(&enumContext)) //{ // PPH_IMAGELIST_ITEM item = *entry; // // PhDereferenceObject(item); //} // //PhClearReference(&PhImageListCacheHashtable); //PhImageListCacheHashtable = PhCreateHashtable( // sizeof(PPH_IMAGELIST_ITEM), // PhImageListCacheHashtableEqualFunction, // PhImageListCacheHashtableHashFunction, // 32 // ); // //PhReleaseQueuedLockExclusive(&PhImageListCacheHashtableLock); } VOID PhDrawProcessIcon( _In_ HDC hdc, _In_ PRECT rect, _In_ ULONG Index, _In_ BOOLEAN Large) { if (Large) { if (PhProcessLargeImageList) { PhImageListDrawIcon( PhProcessLargeImageList, Index, hdc, rect->left, rect->top, ILD_NORMAL | ILD_TRANSPARENT, FALSE ); } } else { if (PhProcessSmallImageList) { PhImageListDrawIcon( PhProcessSmallImageList, Index, hdc, rect->left, rect->top, ILD_NORMAL | ILD_TRANSPARENT, FALSE ); } } } HICON PhGetImageListIcon( _In_ ULONG_PTR Index, _In_ BOOLEAN Large ) { if (Large) { if (PhProcessLargeImageList) { return PhImageListGetIcon( PhProcessLargeImageList, (ULONG)Index, ILD_NORMAL | ILD_TRANSPARENT ); } } else { if (PhProcessSmallImageList) { return PhImageListGetIcon( PhProcessSmallImageList, (ULONG)Index, ILD_NORMAL | ILD_TRANSPARENT ); } } return NULL; } HIMAGELIST PhGetProcessSmallImageList( VOID) { return PhProcessSmallImageList; } _Success_(return) BOOLEAN PhDuplicateProcessInformation( _Outptr_ PPVOID ProcessInformation ) { SIZE_T infoLength; if (!PhProcessInformation) return FALSE; infoLength = PhSizeHeap(PhProcessInformation); if (!infoLength) return FALSE; *ProcessInformation = PhAllocateCopy(PhProcessInformation, infoLength); return TRUE; } PPH_PROCESS_ITEM PhCreateProcessItemFromHandle( _In_ HANDLE ProcessId, _In_ HANDLE ProcessHandle, _In_ BOOLEAN TerminatedProcess ) { NTSTATUS status; PPH_STRING fileName; PPH_PROCESS_ITEM processItem; PPH_PROCESS_ITEM idleProcessItem; PROCESS_BASIC_INFORMATION basicInfo; PROCESS_HANDLE_INFORMATION handleInfo; KERNEL_USER_TIMES times; UCHAR priorityClass; if (processItem = PhReferenceProcessItem(ProcessId)) return processItem; processItem = PhCreateProcessItem(ProcessId); processItem->QueryHandle = ProcessHandle; if (TerminatedProcess) { SetFlag(processItem->State, PH_PROCESS_ITEM_REMOVED); } // We need a process record. Just use the record of System Idle Process. if (idleProcessItem = PhReferenceProcessItem(SYSTEM_IDLE_PROCESS_ID)) { processItem->Record = idleProcessItem->Record; PhReferenceProcessRecord(processItem->Record); } else { assert(idleProcessItem); PhDereferenceObject(processItem); return NULL; } // Set up the file name and process name. if (NT_SUCCESS(PhGetProcessImageFileName(processItem->QueryHandle, &fileName))) { processItem->FileName = fileName; } if (processItem->FileName) processItem->ProcessName = PhGetBaseName(processItem->FileName); else processItem->ProcessName = PhCreateString(L"Unknown"); // Basic process information and not-so-dynamic information. { if (NT_SUCCESS(PhGetProcessBasicInformation(processItem->QueryHandle, &basicInfo))) { processItem->ParentProcessId = basicInfo.InheritedFromUniqueProcessId; processItem->BasePriority = basicInfo.BasePriority; } PhGetProcessSessionId(processItem->QueryHandle, &processItem->SessionId); //PhPrintUInt32(processItem->ParentProcessIdString, HandleToUlong(processItem->ParentProcessId)); //PhPrintUInt32(processItem->SessionIdString, processItem->SessionId); if (NT_SUCCESS(PhGetProcessTimes(processItem->QueryHandle, ×))) { processItem->CreateTime = times.CreateTime; processItem->KernelTime = times.KernelTime; processItem->UserTime = times.UserTime; } // TODO: Token information? if (NT_SUCCESS(PhGetProcessPriorityClass(processItem->QueryHandle, &priorityClass))) { processItem->PriorityClass = priorityClass; } if (NT_SUCCESS(PhGetProcessHandleCount(processItem->QueryHandle, &handleInfo))) { processItem->NumberOfHandles = handleInfo.HandleCount; } } // // Extended process information // if (WindowsVersion >= WINDOWS_10) { PPROCESS_TELEMETRY_ID_INFORMATION telemetryInfo; ULONG telemetryInfoLength; if (NT_SUCCESS(PhGetProcessTelemetryIdInformation(processItem->QueryHandle, &telemetryInfo, &telemetryInfoLength))) { SIZE_T UserSidLength = telemetryInfo->ImagePathOffset - telemetryInfo->UserSidOffset; PSID UserSidBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->UserSidOffset); SIZE_T ImagePathLength = telemetryInfo->PackageNameOffset - telemetryInfo->ImagePathOffset; PWSTR ImagePathBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->ImagePathOffset); SIZE_T PackageNameLength = telemetryInfo->RelativeAppNameOffset - telemetryInfo->PackageNameOffset; PWSTR PackageNameBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->PackageNameOffset); SIZE_T RelativeAppNameLength = telemetryInfo->CommandLineOffset - telemetryInfo->RelativeAppNameOffset; PWSTR RelativeAppNameBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->RelativeAppNameOffset); SIZE_T CommandLineLength = telemetryInfoLength - telemetryInfo->CommandLineOffset; PWSTR CommandLineBuffer = PTR_ADD_OFFSET(telemetryInfo, telemetryInfo->CommandLineOffset); processItem->ProcessStartKey = telemetryInfo->ProcessStartKey; processItem->CreateInterruptTime = telemetryInfo->CreateInterruptTime; processItem->ProcessSequenceNumber = telemetryInfo->ProcessSequenceNumber; processItem->SessionCreateTime = telemetryInfo->SessionCreateTime; processItem->ImageChecksum = telemetryInfo->ImageChecksum; processItem->ImageTimeStamp = telemetryInfo->ImageTimeDateStamp; if (!processItem->Sid && PhValidSid(UserSidBuffer)) { processItem->Sid = PhAllocateCopy(UserSidBuffer, UserSidLength); processItem->UserName = PhpGetSidFullNameCached(UserSidBuffer); } if (PhIsNullOrEmptyString(processItem->FileName) && ImagePathLength > sizeof(UNICODE_NULL)) { processItem->FileName = PhCreateStringEx(ImagePathBuffer, ImagePathLength - sizeof(UNICODE_NULL)); } if (PhIsNullOrEmptyString(processItem->PackageFullName) && PackageNameLength > sizeof(UNICODE_NULL)) { processItem->PackageFullName = PhCreateStringEx(PackageNameBuffer, PackageNameLength - sizeof(UNICODE_NULL)); } if (PhIsNullOrEmptyString(processItem->CommandLine) && CommandLineLength > sizeof(UNICODE_NULL)) { processItem->CommandLine = PhCreateStringEx(CommandLineBuffer, CommandLineLength - sizeof(UNICODE_NULL)); } } } // Stage 1 // Some copy and paste magic here... if (processItem->FileName) { // Small icon, large icon. if (processItem->IconEntry = PhImageListExtractIcon(processItem->FileName, TRUE, processItem->ProcessId, processItem->PackageFullName, PhProcessImageListWindowDpi)) { processItem->SmallIconIndex = processItem->IconEntry->SmallIconIndex; processItem->LargeIconIndex = processItem->IconEntry->LargeIconIndex; } // Version info. PhInitializeImageVersionInfoEx(&processItem->VersionInfo, &processItem->FileName->sr, !!PhCsEnableVersionSupport); } // Command line if (PhIsNullOrEmptyString(processItem->CommandLine)) { PPH_STRING commandLine; SIZE_T i; if (NT_SUCCESS(status = PhGetProcessCommandLine(processItem->QueryHandle, &commandLine))) { // Some command lines (e.g. from taskeng.exe) have nulls in them. // Since Windows can't display them, we'll replace them with // spaces. for (i = 0; i < commandLine->Length / sizeof(WCHAR); i++) { if (commandLine->Buffer[i] == UNICODE_NULL) commandLine->Buffer[i] = ' '; } } if (NT_SUCCESS(status)) { processItem->CommandLine = commandLine; } } PhSetEvent(&processItem->Stage1Event); return processItem; } ================================================ FILE: SystemInformer/procrec.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2020-2023 * */ #include #include #include #include typedef struct _PROCESS_RECORD_CONTEXT { PPH_PROCESS_RECORD Record; HICON FileIcon; } PROCESS_RECORD_CONTEXT, *PPROCESS_RECORD_CONTEXT; INT_PTR CALLBACK PhpProcessRecordDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowProcessRecordDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_RECORD Record ) { PROCESS_RECORD_CONTEXT context; memset(&context, 0, sizeof(PROCESS_RECORD_CONTEXT)); context.Record = Record; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_PROCRECORD), ParentWindowHandle, PhpProcessRecordDlgProc, &context ); } PPH_STRING PhpaGetRelativeTimeString( _In_ PLARGE_INTEGER Time ) { LARGE_INTEGER time; LARGE_INTEGER currentTime; SYSTEMTIME timeFields; PPH_STRING timeRelativeString; PPH_STRING timeString; time = *Time; PhQuerySystemTime(¤tTime); timeRelativeString = PH_AUTO(PhFormatTimeSpanRelative(currentTime.QuadPart - time.QuadPart)); PhLargeIntegerToLocalSystemTime(&timeFields, &time); timeString = PhaFormatDateTime(&timeFields); return PhaFormatString(L"%s ago (%s)", timeRelativeString->Buffer, timeString->Buffer); } INT_PTR CALLBACK PhpProcessRecordDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPROCESS_RECORD_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PPROCESS_RECORD_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PPH_STRING fileName = NULL; PH_IMAGE_VERSION_INFO versionInfo; BOOLEAN versionInfoInitialized; PPH_STRING processNameString; PPH_PROCESS_ITEM processItem; LONG dpiValue; if (!PH_IS_FAKE_PROCESS_ID(context->Record->ProcessId)) { processNameString = PhaFormatString(L"%s (%u)", context->Record->ProcessName->Buffer, HandleToUlong(context->Record->ProcessId)); } else { processNameString = context->Record->ProcessName; } if (context->Record->FileName) fileName = PhGetFileName(context->Record->FileName); if (!fileName) fileName = context->Record->FileName; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhSetWindowText(hwndDlg, processNameString->Buffer); PhSetDialogItemText(hwndDlg, IDC_PROCESSNAME, processNameString->Buffer); if (processItem = PhReferenceProcessItemForRecord(context->Record)) { PPH_PROCESS_ITEM parentProcess; if (parentProcess = PhReferenceProcessItemForParent(processItem)) { CLIENT_ID clientId; clientId.UniqueProcess = parentProcess->ProcessId; clientId.UniqueThread = NULL; PhSetDialogItemText(hwndDlg, IDC_PARENT, PH_AUTO_T(PH_STRING, PhGetClientIdNameEx(&clientId, parentProcess->ProcessName))->Buffer); PhDereferenceObject(parentProcess); } else { PhSetDialogItemText(hwndDlg, IDC_PARENT, PhaFormatString(L"Non-existent process (%u)", HandleToUlong(context->Record->ParentProcessId))->Buffer); } PhDereferenceObject(processItem); } else { PhSetDialogItemText(hwndDlg, IDC_PARENT, PhaFormatString(L"Unknown process (%u)", HandleToUlong(context->Record->ParentProcessId))->Buffer); EnableWindow(GetDlgItem(hwndDlg, IDC_PROPERTIES), FALSE); } memset(&versionInfo, 0, sizeof(PH_IMAGE_VERSION_INFO)); versionInfoInitialized = FALSE; if (fileName) { PhExtractIcon( fileName->Buffer, &context->FileIcon, NULL ); if (NT_SUCCESS(PhInitializeImageVersionInfo(&versionInfo, fileName->Buffer))) { versionInfoInitialized = TRUE; } } if (context->FileIcon) { SendMessage(GetDlgItem(hwndDlg, IDC_FILEICON), STM_SETICON, (WPARAM)context->FileIcon, 0); } else { HICON largeIcon; PhGetStockApplicationIcon(NULL, &largeIcon); SendMessage(GetDlgItem(hwndDlg, IDC_FILEICON), STM_SETICON, (WPARAM)largeIcon, 0); } dpiValue = PhGetWindowDpi(hwndDlg); SendMessage(GetDlgItem(hwndDlg, IDC_OPENFILENAME), BM_SETIMAGE, IMAGE_ICON, (LPARAM)PH_LOAD_SHARED_ICON_SMALL(PhInstanceHandle, MAKEINTRESOURCE(IDI_FOLDER), dpiValue)); PhSetDialogItemText(hwndDlg, IDC_NAME, PhGetStringOrDefault(versionInfo.FileDescription, L"N/A")); PhSetDialogItemText(hwndDlg, IDC_COMPANYNAME, PhGetStringOrDefault(versionInfo.CompanyName, L"N/A")); PhSetDialogItemText(hwndDlg, IDC_VERSION, PhGetStringOrDefault(versionInfo.FileVersion, L"N/A")); PhSetDialogItemText(hwndDlg, IDC_FILENAME, PhGetStringOrDefault(fileName, L"N/A")); if (versionInfoInitialized) PhDeleteImageVersionInfo(&versionInfo); if (!fileName) EnableWindow(GetDlgItem(hwndDlg, IDC_OPENFILENAME), FALSE); PhSetDialogItemText(hwndDlg, IDC_CMDLINE, PhGetStringOrDefault(context->Record->CommandLine, L"N/A")); if (context->Record->CreateTime.QuadPart != 0) PhSetDialogItemText(hwndDlg, IDC_STARTED, PhpaGetRelativeTimeString(&context->Record->CreateTime)->Buffer); else PhSetDialogItemText(hwndDlg, IDC_STARTED, L"N/A"); if (context->Record->ExitTime.QuadPart != 0) PhSetDialogItemText(hwndDlg, IDC_TERMINATED, PhpaGetRelativeTimeString(&context->Record->ExitTime)->Buffer); else PhSetDialogItemText(hwndDlg, IDC_TERMINATED, L"N/A"); PhSetDialogItemValue(hwndDlg, IDC_SESSIONID, context->Record->SessionId, FALSE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); if (fileName && fileName != context->Record->FileName) PhDereferenceObject(fileName); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); if (context->FileIcon) DestroyIcon(context->FileIcon); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: { EndDialog(hwndDlg, IDOK); } break; case IDC_OPENFILENAME: { if (context->Record->FileName) { PhShellExecuteUserString( hwndDlg, SETTING_FILE_BROWSE_EXECUTABLE, context->Record->FileName->Buffer, FALSE, L"Make sure the Explorer executable file is present." ); } } break; case IDC_PROPERTIES: { PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItemForRecord(context->Record)) { SystemInformer_ShowProcessProperties(processItem); PhDereferenceObject(processItem); } else { PhShowError2( hwndDlg, L"Unable to show the process properties.", L"%s", L"The process has already terminated; only the process record is available." ); } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/proctree.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2023 * jxy-s 2021 * */ /* * The process tree list manages a list of tree nodes and handles callback events generated by the * underlying treenew control. Retrieval of certain types of process information is also performed * here, on the GUI thread (see PH_PROCESS_NODE.ValidMask). This is done for columns that require * data not supplied by the process provider. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include VOID PhpRemoveProcessNode( _In_ PPH_PROCESS_NODE ProcessNode, _In_opt_ PVOID Context ); _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpProcessTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); BOOLEAN NTAPI PhpProcessTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ); BOOLEAN PhpShouldShowImageCoherency( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ BOOLEAN CheckThreshold ); static HWND ProcessTreeListHandle; static ULONG ProcessTreeListSortColumn; static PH_SORT_ORDER ProcessTreeListSortOrder; static PH_CM_MANAGER ProcessTreeListCm; static PPH_HASH_ENTRY ProcessNodeHashSet[256] = PH_HASH_SET_INIT; // hashtable of all nodes static PPH_LIST ProcessNodeList; // list of all nodes, used when sorting is enabled static PPH_LIST ProcessNodeRootList; // list of root nodes static PH_TN_FILTER_SUPPORT FilterSupport; CONST BOOLEAN PhProcessTreeListStateHighlighting = TRUE; static PPH_POINTER_LIST ProcessNodeStateList = NULL; // list of nodes which need to be processed static ULONG PhProcessTreeColumnHeaderCacheLength = 0; static PVOID PhProcessTreeColumnHeaderCache = NULL; static ULONG PhProcessTreeColumnHeaderTextCacheLength = 0; static PVOID PhProcessTreeColumnHeaderTextCache = NULL; static HDC GraphContext = NULL; static LONG GraphContextWidth = 0; static LONG GraphContextHeight = 0; static HBITMAP GraphOldBitmap = NULL; static HBITMAP GraphBitmap = NULL; static PVOID GraphBits = NULL; /** * Initializes the process tree list. * * This function sets up any necessary data structures or state required * for displaying or managing the process tree within the application. */ VOID PhProcessTreeListInitialization( VOID ) { ProcessNodeList = PhCreateList(40); ProcessNodeRootList = PhCreateList(10); } VOID PhInitializeProcessTreeList( _In_ HWND hwnd ) { ProcessTreeListHandle = hwnd; PhSetControlTheme(ProcessTreeListHandle, L"explorer"); TreeNew_SetRedraw(hwnd, FALSE); TreeNew_SetExtendedFlags(hwnd, TN_FLAG_ITEM_DRAG_SELECT, TN_FLAG_ITEM_DRAG_SELECT); TreeNew_SetCallback(hwnd, PhpProcessTreeNewCallback, NULL); TreeNew_SetImageList(hwnd, PhProcessSmallImageList); TreeNew_SetMaxId(hwnd, PHPRTLC_MAXIMUM - 1); // Default columns PhAddTreeNewColumn(hwnd, PHPRTLC_NAME, TRUE, L"Name", 200, PH_ALIGN_LEFT, (PhGetIntegerSetting(SETTING_PROCESS_TREE_LIST_NAME_DEFAULT) ? TN_COLUMN_FIXED : 0), 0); // HACK (dmex) PhAddTreeNewColumn(hwnd, PHPRTLC_PID, TRUE, L"PID", 50, PH_ALIGN_RIGHT, 0, DT_RIGHT); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CPU, TRUE, L"CPU", 45, PH_ALIGN_RIGHT, 1, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOTOTALRATE, TRUE, L"I/O total rate", 70, PH_ALIGN_RIGHT, 2, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PRIVATEBYTES, TRUE, L"Private bytes", 70, PH_ALIGN_RIGHT, 3, DT_RIGHT, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_USERNAME, TRUE, L"User name", 140, PH_ALIGN_LEFT, 4, DT_PATH_ELLIPSIS); PhAddTreeNewColumn(hwnd, PHPRTLC_DESCRIPTION, TRUE, L"Description", 180, PH_ALIGN_LEFT, 5, 0); // Customizable columns (1) PhAddTreeNewColumn(hwnd, PHPRTLC_COMPANYNAME, FALSE, L"Company name", 180, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_VERSION, FALSE, L"Version", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_FILENAME, FALSE, L"File name", 180, PH_ALIGN_LEFT, ULONG_MAX, DT_PATH_ELLIPSIS); PhAddTreeNewColumn(hwnd, PHPRTLC_COMMANDLINE, FALSE, L"Command line", 180, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PEAKPRIVATEBYTES, FALSE, L"Peak private bytes", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_WORKINGSET, FALSE, L"Working set", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PEAKWORKINGSET, FALSE, L"Peak working set", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PRIVATEWS, FALSE, L"Private WS", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_SHAREDWS, FALSE, L"Shared WS", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_SHAREABLEWS, FALSE, L"Shareable WS", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_VIRTUALSIZE, FALSE, L"Virtual size", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PEAKVIRTUALSIZE, FALSE, L"Peak virtual size", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PAGEFAULTS, FALSE, L"Page faults", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_SESSIONID, FALSE, L"Session ID", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PRIORITYCLASS, FALSE, L"Priority class", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_BASEPRIORITY, FALSE, L"Base priority", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); // Customizable columns (2) PhAddTreeNewColumnEx(hwnd, PHPRTLC_THREADS, FALSE, L"Threads", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_HANDLES, FALSE, L"Handles", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_GDIHANDLES, FALSE, L"GDI handles", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_USERHANDLES, FALSE, L"USER handles", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IORORATE, FALSE, L"I/O read+other rate", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOWRATE, FALSE, L"I/O write rate", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_INTEGRITY, FALSE, L"Integrity", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOPRIORITY, FALSE, L"I/O priority", 70, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PAGEPRIORITY, FALSE, L"Page priority", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_STARTTIME, FALSE, L"Start time", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_TOTALCPUTIME, FALSE, L"Total CPU time", 90, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_KERNELCPUTIME, FALSE, L"Kernel CPU time", 90, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_USERCPUTIME, FALSE, L"User CPU time", 90, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_VERIFICATIONSTATUS, FALSE, L"Verification status", 70, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_VERIFIEDSIGNER, FALSE, L"Verified signer", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_ASLR, FALSE, L"ASLR", 50, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_RELATIVESTARTTIME, FALSE, L"Relative start time", 180, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_BITS, FALSE, L"Bits", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_ELEVATION, FALSE, L"Elevation", 60, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_WINDOWTITLE, FALSE, L"Window title", 120, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_WINDOWSTATUS, FALSE, L"Window status", 60, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CYCLES, FALSE, L"Cycles", 110, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CYCLESDELTA, FALSE, L"Cycles delta", 90, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx2(hwnd, PHPRTLC_CPUHISTORY, FALSE, L"CPU history", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumnEx2(hwnd, PHPRTLC_PRIVATEBYTESHISTORY, FALSE, L"Private bytes history", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumnEx2(hwnd, PHPRTLC_IOHISTORY, FALSE, L"I/O history", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumn(hwnd, PHPRTLC_DEP, FALSE, L"DEP", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_VIRTUALIZED, FALSE, L"Virtualized", 80, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CONTEXTSWITCHES, FALSE, L"Context switches", 100, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CONTEXTSWITCHESDELTA, FALSE, L"Context switches delta", 80, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PAGEFAULTSDELTA, FALSE, L"Page faults delta", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); // I/O group columns PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOREADS, FALSE, L"I/O reads", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOWRITES, FALSE, L"I/O writes", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOOTHER, FALSE, L"I/O other", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOREADBYTES, FALSE, L"I/O read bytes", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOWRITEBYTES, FALSE, L"I/O write bytes", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOOTHERBYTES, FALSE, L"I/O other bytes", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOREADSDELTA, FALSE, L"I/O reads delta", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOWRITESDELTA, FALSE, L"I/O writes delta", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IOOTHERDELTA, FALSE, L"I/O other delta", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); // Customizable columns (3) PhAddTreeNewColumn(hwnd, PHPRTLC_OSCONTEXT, FALSE, L"OS context", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PAGEDPOOL, FALSE, L"Paged pool", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PEAKPAGEDPOOL, FALSE, L"Peak paged pool", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_NONPAGEDPOOL, FALSE, L"Non-paged pool", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PEAKNONPAGEDPOOL, FALSE, L"Peak non-paged pool", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_MINIMUMWORKINGSET, FALSE, L"Minimum working set", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_MAXIMUMWORKINGSET, FALSE, L"Maximum working set", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PRIVATEBYTESDELTA, FALSE, L"Private bytes delta", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_SUBSYSTEM, FALSE, L"Subsystem", 110, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_PACKAGENAME, FALSE, L"Package name", 160, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_APPID, FALSE, L"App ID", 160, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_DPIAWARENESS, FALSE, L"DPI awareness", 110, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CFGUARD, FALSE, L"CF Guard", 70, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_TIMESTAMP, FALSE, L"Time stamp", 140, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_FILEMODIFIEDTIME, FALSE, L"File modified time", 140, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_FILESIZE, FALSE, L"File size", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_SUBPROCESSCOUNT, FALSE, L"Subprocesses", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_JOBOBJECTID, FALSE, L"Job Object ID", 50, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PROTECTION, FALSE, L"Protection", 105, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_DESKTOP, FALSE, L"Desktop", 80, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CRITICAL, FALSE, L"Critical", 80, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PIDHEX, FALSE, L"PID (Hex)", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CPUCORECYCLES, FALSE, L"CPU (relative)", 45, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CET, FALSE, L"CET", 45, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_IMAGE_COHERENCY, FALSE, L"Image coherency", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_ERRORMODE, FALSE, L"Error mode", 70, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CODEPAGE, FALSE, L"Code page", 70, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx2(hwnd, PHPRTLC_TIMELINE, FALSE, L"Timeline", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumnEx(hwnd, PHPRTLC_POWERTHROTTLING, FALSE, L"Power throttling", 70, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_ARCHITECTURE, FALSE, L"Architecture", 70, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_PARENTPID, FALSE, L"Parent PID", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT); PhAddTreeNewColumn(hwnd, PHPRTLC_PARENTCONSOLEPID, FALSE, L"Parent console PID", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT); PhAddTreeNewColumnEx(hwnd, PHPRTLC_COMMITSIZE, FALSE, L"Shared commit", 70, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_PRIORITYBOOST, FALSE, L"Priority boost", 45, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CPUAVERAGE, FALSE, L"CPU (average)", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CPUKERNEL, FALSE, L"CPU (kernel)", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(hwnd, PHPRTLC_CPUUSER, FALSE, L"CPU (user)", 50, PH_ALIGN_LEFT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_GRANTEDACCESS, FALSE, L"Granted access (symbolic)", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_TLSBITMAPDELTA, FALSE, L"Thread local storage", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHPRTLC_REFERENCEDELTA, FALSE, L"References", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(hwnd, PHPRTLC_LXSSPID, FALSE, L"PID (LXSS)", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_START_KEY, FALSE, L"Start key", 120, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_MITIGATION_POLICIES, FALSE, L"Mitigation policies", 180, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHPRTLC_SERVICES, FALSE, L"Services", 180, PH_ALIGN_LEFT, ULONG_MAX, 0); PhCmInitializeManager(&ProcessTreeListCm, hwnd, PHPRTLC_MAXIMUM, PhpProcessTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&FilterSupport, hwnd, ProcessNodeList); TreeNew_SetTriState(hwnd, TRUE); TreeNew_SetRedraw(hwnd, TRUE); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = hwnd; treeNewInfo.CmData = &ProcessTreeListCm; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessTreeNewInitializing), &treeNewInfo); } } VOID PhInitializeProcessTreeColumnHeaderCache( VOID ) { PH_TREENEW_SET_HEADER_CACHE processTreeColumnHeaderCache; ULONG columnCount = TreeNew_GetColumnCount(ProcessTreeListHandle); // TODO: This creates a text cache for all columns wasting space since // only some provide header text support. We should switch to the same treenode // caching where nodes provide the cache instead of the control. (dmex) PhProcessTreeColumnHeaderCacheLength = columnCount * sizeof(PH_STRINGREF); PhProcessTreeColumnHeaderCache = PhAllocateZero(PhProcessTreeColumnHeaderCacheLength); PhProcessTreeColumnHeaderTextCacheLength = columnCount * (PH_TREENEW_HEADER_TEXT_SIZE_MAX * sizeof(WCHAR)); PhProcessTreeColumnHeaderTextCache = PhAllocateZero(PhProcessTreeColumnHeaderTextCacheLength); processTreeColumnHeaderCache.HeaderTreeColumnMax = columnCount; processTreeColumnHeaderCache.HeaderTreeColumnStringCache = PhProcessTreeColumnHeaderCache; processTreeColumnHeaderCache.HeaderTreeColumnTextCache = PhProcessTreeColumnHeaderTextCache; TreeNew_SetColumnTextCache(ProcessTreeListHandle, &processTreeColumnHeaderCache); } VOID PhLoadSettingsProcessTreeUpdateMask( VOID ) { #ifdef PH_TREELIST_COLUMN_ARRAY PH_TREENEW_COLUMN column; if (TreeNew_GetColumn(ProcessTreeListHandle, PHPRTLC_USERNAME, &column) && column.Visible) SetFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_AVERAGE); else ClearFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_AVERAGE); #else ULONG columnVisible[4] = { PHPRTLC_USERNAME, PHPRTLC_CFGUARD, PHPRTLC_CET, PHPRTLC_CPUAVERAGE }; if (!TreeNew_GetVisibleColumnArray(ProcessTreeListHandle, RTL_NUMBER_OF(columnVisible), columnVisible)) return; if (columnVisible[0]) SetFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_USERNAME); else ClearFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_USERNAME); if (columnVisible[1]) SetFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CFGUARD); else ClearFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CFGUARD); if (columnVisible[2]) SetFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CET); else ClearFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_CET); if (columnVisible[3]) SetFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_AVERAGE); else ClearFlag(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_AVERAGE); #endif PhInitializeProcessTreeColumnHeaderCache(); } VOID PhLoadSettingsProcessTreeList( VOID ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhGetStringSetting(SETTING_PROCESS_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_PROCESS_TREE_LIST_SORT); PhCmLoadSettingsEx(ProcessTreeListHandle, &ProcessTreeListCm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); if (PhGetIntegerSetting(SETTING_ENABLE_INSTANT_TOOLTIPS)) SendMessage(TreeNew_GetTooltips(ProcessTreeListHandle), TTM_SETDELAYTIME, TTDT_INITIAL, 0); else SendMessage(TreeNew_GetTooltips(ProcessTreeListHandle), TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); PhLoadSettingsProcessTreeUpdateMask(); } VOID PhSaveSettingsProcessTreeList( VOID ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(ProcessTreeListHandle, &ProcessTreeListCm, 0, &sortSettings); PhSetStringSetting2(SETTING_PROCESS_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_PROCESS_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhLoadSettingsProcessTreeListEx( _In_ PPH_STRING TreeListSettings, _In_ PPH_STRING TreeSortSettings ) { PhCmLoadSettingsEx(ProcessTreeListHandle, &ProcessTreeListCm, 0, &TreeListSettings->sr, &TreeSortSettings->sr); if (PhGetIntegerSetting(SETTING_ENABLE_INSTANT_TOOLTIPS)) SendMessage(TreeNew_GetTooltips(ProcessTreeListHandle), TTM_SETDELAYTIME, TTDT_INITIAL, 0); else SendMessage(TreeNew_GetTooltips(ProcessTreeListHandle), TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); PhLoadSettingsProcessTreeUpdateMask(); } VOID PhSaveSettingsProcessTreeListEx( _Out_ PPH_STRING *TreeListSettings, _Out_ PPH_STRING *TreeSortSettings ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(ProcessTreeListHandle, &ProcessTreeListCm, 0, &sortSettings); *TreeListSettings = settings; *TreeSortSettings = sortSettings; } VOID PhReloadSettingsProcessTreeList( VOID ) { if (PhGetIntegerSetting(SETTING_ENABLE_INSTANT_TOOLTIPS)) SendMessage(TreeNew_GetTooltips(ProcessTreeListHandle), TTM_SETDELAYTIME, TTDT_INITIAL, 0); else SendMessage(TreeNew_GetTooltips(ProcessTreeListHandle), TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); PhLoadSettingsProcessTreeUpdateMask(); } PPH_TN_FILTER_SUPPORT PhGetFilterSupportProcessTreeList( VOID ) { return &FilterSupport; } FORCEINLINE BOOLEAN PhCompareProcessNode( _In_ PPH_PROCESS_NODE Value1, _In_ PPH_PROCESS_NODE Value2 ) { return Value1->ProcessId == Value2->ProcessId; } FORCEINLINE ULONG PhHashProcessNode( _In_ PPH_PROCESS_NODE Value ) { return HandleToUlong(Value->ProcessId) / 4; } FORCEINLINE BOOLEAN PhpValidateParentProcessNode( _In_ PPH_PROCESS_NODE Child, _In_ PPH_PROCESS_NODE Parent ) { if (WindowsVersion >= WINDOWS_10_RS3) { return PH_IS_FAKE_PROCESS_ID(Child->ProcessId) || Parent->ProcessItem->ProcessSequenceNumber <= Child->ProcessItem->ProcessSequenceNumber; } else { return PH_IS_FAKE_PROCESS_ID(Child->ProcessId) || Parent->ProcessItem->CreateTime.QuadPart <= Child->ProcessItem->CreateTime.QuadPart; } } PPH_PROCESS_NODE PhAddProcessNode( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ ULONG RunId ) { PPH_PROCESS_NODE processNode; PPH_PROCESS_NODE parentNode; ULONG i; processNode = PhAllocate(PhEmGetObjectSize(EmProcessNodeType, sizeof(PH_PROCESS_NODE))); memset(processNode, 0, sizeof(PH_PROCESS_NODE)); PhInitializeTreeNewNode(&processNode->Node); if (PhProcessTreeListStateHighlighting && RunId != 1) { PhChangeShStateTn( &processNode->Node, &processNode->ShState, &ProcessNodeStateList, NewItemState, PhCsColorNew, NULL ); } processNode->ProcessId = ProcessItem->ProcessId; processNode->ProcessItem = ProcessItem; PhReferenceObject(ProcessItem); memset(processNode->TextCache, 0, sizeof(PH_STRINGREF) * PHPRTLC_MAXIMUM); processNode->Node.TextCache = processNode->TextCache; processNode->Node.TextCacheSize = PHPRTLC_MAXIMUM; processNode->Children = PhCreateList(1); // Find this process' parent and add the process to it if we found it. if ( (parentNode = PhFindProcessNode(ProcessItem->ParentProcessId)) && PhpValidateParentProcessNode(processNode, parentNode) ) { PhAddItemList(parentNode->Children, processNode); processNode->Parent = parentNode; } else { // No parent, add to root list. processNode->Parent = NULL; PhAddItemList(ProcessNodeRootList, processNode); } // Find this process' children and move them to this node. for (i = 0; i < ProcessNodeRootList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeRootList->Items[i]; if ( node != processNode && // for cases where the parent PID = PID (e.g. System Idle Process) node->ProcessItem->ParentProcessId == ProcessItem->ProcessId && PhpValidateParentProcessNode(node, processNode) ) { node->Parent = processNode; PhAddItemList(processNode->Children, node); } } for (i = 0; i < processNode->Children->Count; i++) { PhRemoveItemList( ProcessNodeRootList, PhFindItemList(ProcessNodeRootList, processNode->Children->Items[i]) ); } PhAddEntryHashSet( ProcessNodeHashSet, PH_HASH_SET_SIZE(ProcessNodeHashSet), &processNode->HashEntry, PhHashProcessNode(processNode) ); PhAddItemList(ProcessNodeList, processNode); if (FilterSupport.FilterList) processNode->Node.Visible = PhApplyTreeNewFiltersToNode(&FilterSupport, &processNode->Node); PhEmCallObjectOperation(EmProcessNodeType, processNode, EmObjectCreate); TreeNew_NodesStructured(ProcessTreeListHandle); return processNode; } PPH_PROCESS_NODE PhFindProcessNode( _In_ HANDLE ProcessId ) { PH_PROCESS_NODE lookupNode; PPH_HASH_ENTRY entry; PPH_PROCESS_NODE node; lookupNode.ProcessId = ProcessId; entry = PhFindEntryHashSet( ProcessNodeHashSet, PH_HASH_SET_SIZE(ProcessNodeHashSet), PhHashProcessNode(&lookupNode) ); for (; entry; entry = entry->Next) { node = CONTAINING_RECORD(entry, PH_PROCESS_NODE, HashEntry); if (PhCompareProcessNode(&lookupNode, node)) return node; } return NULL; } VOID PhRemoveProcessNode( _In_ PPH_PROCESS_NODE ProcessNode ) { // Remove from the hashtable here to avoid problems in case the key is re-used. PhRemoveEntryHashSet(ProcessNodeHashSet, PH_HASH_SET_SIZE(ProcessNodeHashSet), &ProcessNode->HashEntry); if (PhProcessTreeListStateHighlighting) { PhChangeShStateTn( &ProcessNode->Node, &ProcessNode->ShState, &ProcessNodeStateList, RemovingItemState, PhCsColorRemoved, ProcessTreeListHandle ); } else { PhpRemoveProcessNode(ProcessNode, NULL); } } VOID PhpRemoveProcessNode( _In_ PPH_PROCESS_NODE ProcessNode, _In_opt_ PVOID Context ) { ULONG index; ULONG i; PhEmCallObjectOperation(EmProcessNodeType, ProcessNode, EmObjectDelete); if (ProcessNode->Parent) { // Remove the node from its parent. if ((index = PhFindItemList(ProcessNode->Parent->Children, ProcessNode)) != ULONG_MAX) PhRemoveItemList(ProcessNode->Parent->Children, index); } else { // Remove the node from the root list. if ((index = PhFindItemList(ProcessNodeRootList, ProcessNode)) != ULONG_MAX) PhRemoveItemList(ProcessNodeRootList, index); } // Move the node's children to the root list. for (i = 0; i < ProcessNode->Children->Count; i++) { PPH_PROCESS_NODE node = ProcessNode->Children->Items[i]; node->Parent = NULL; PhAddItemList(ProcessNodeRootList, node); } // Remove from list and cleanup. if ((index = PhFindItemList(ProcessNodeList, ProcessNode)) != ULONG_MAX) PhRemoveItemList(ProcessNodeList, index); PhDereferenceObject(ProcessNode->Children); PhClearReference(&ProcessNode->WindowText); PhClearReference(&ProcessNode->AppIdText); PhClearReference(&ProcessNode->TooltipText); PhClearReference(&ProcessNode->FileNameWin32); PhClearReference(&ProcessNode->IoTotalRateText); PhClearReference(&ProcessNode->PrivateBytesText); PhClearReference(&ProcessNode->PeakPrivateBytesText); PhClearReference(&ProcessNode->WorkingSetText); PhClearReference(&ProcessNode->PeakWorkingSetText); PhClearReference(&ProcessNode->PrivateWsText); PhClearReference(&ProcessNode->SharedWsText); PhClearReference(&ProcessNode->ShareableWsText); PhClearReference(&ProcessNode->VirtualSizeText); PhClearReference(&ProcessNode->PeakVirtualSizeText); PhClearReference(&ProcessNode->PageFaultsText); PhClearReference(&ProcessNode->SessionIdText); PhClearReference(&ProcessNode->BasePriorityText); PhClearReference(&ProcessNode->ThreadsText); PhClearReference(&ProcessNode->HandlesText); PhClearReference(&ProcessNode->GdiHandlesText); PhClearReference(&ProcessNode->UserHandlesText); PhClearReference(&ProcessNode->IoRoRateText); PhClearReference(&ProcessNode->IoWRateText); PhClearReference(&ProcessNode->StartTimeText); PhClearReference(&ProcessNode->TotalCpuTimeText); PhClearReference(&ProcessNode->KernelCpuTimeText); PhClearReference(&ProcessNode->UserCpuTimeText); PhClearReference(&ProcessNode->RelativeStartTimeText); PhClearReference(&ProcessNode->WindowTitleText); PhClearReference(&ProcessNode->DepStatusText); PhClearReference(&ProcessNode->CyclesText); PhClearReference(&ProcessNode->CyclesDeltaText); PhClearReference(&ProcessNode->ContextSwitchesText); PhClearReference(&ProcessNode->ContextSwitchesDeltaText); PhClearReference(&ProcessNode->PageFaultsDeltaText); for (i = 0; i < PHPRTLC_IOGROUP_COUNT; i++) PhClearReference(&ProcessNode->IoGroupText[i]); PhClearReference(&ProcessNode->PagedPoolText); PhClearReference(&ProcessNode->PeakPagedPoolText); PhClearReference(&ProcessNode->NonPagedPoolText); PhClearReference(&ProcessNode->PeakNonPagedPoolText); PhClearReference(&ProcessNode->MinimumWorkingSetText); PhClearReference(&ProcessNode->MaximumWorkingSetText); PhClearReference(&ProcessNode->PrivateBytesDeltaText); PhClearReference(&ProcessNode->TimeStampText); PhClearReference(&ProcessNode->FileModifiedTimeText); PhClearReference(&ProcessNode->FileSizeText); PhClearReference(&ProcessNode->SubprocessCountText); PhClearReference(&ProcessNode->JobObjectIdText); PhClearReference(&ProcessNode->ProtectionText); PhClearReference(&ProcessNode->DesktopInfoText); PhClearReference(&ProcessNode->CpuCoreUsageText); PhClearReference(&ProcessNode->ImageCoherencyText); PhClearReference(&ProcessNode->ImageCoherencyStatusText); PhClearReference(&ProcessNode->ErrorModeText); PhClearReference(&ProcessNode->CodePageText); PhClearReference(&ProcessNode->ParentPidText); PhClearReference(&ProcessNode->ParentConsolePidText); PhClearReference(&ProcessNode->SharedCommitText); PhClearReference(&ProcessNode->CpuAverageText); PhClearReference(&ProcessNode->CpuKernelText); PhClearReference(&ProcessNode->CpuUserText); PhClearReference(&ProcessNode->GrantedAccessText); PhClearReference(&ProcessNode->TlsBitmapDeltaText); PhClearReference(&ProcessNode->ReferenceCountText); PhClearReference(&ProcessNode->LxssProcessIdText); PhClearReference(&ProcessNode->ProcessStartKeyText); PhClearReference(&ProcessNode->MitigationPoliciesText); PhClearReference(&ProcessNode->ServicesText); PhDeleteGraphBuffers(&ProcessNode->CpuGraphBuffers); PhDeleteGraphBuffers(&ProcessNode->PrivateGraphBuffers); PhDeleteGraphBuffers(&ProcessNode->IoGraphBuffers); PhDereferenceObject(ProcessNode->ProcessItem); PhFree(ProcessNode); TreeNew_NodesStructured(ProcessTreeListHandle); } VOID PhUpdateProcessNode( _In_ PPH_PROCESS_NODE ProcessNode ) { memset(ProcessNode->TextCache, 0, sizeof(PH_STRINGREF) * PHPRTLC_MAXIMUM); PhClearReference(&ProcessNode->TooltipText); PhInvalidateTreeNewNode(&ProcessNode->Node, TN_CACHE_COLOR | TN_CACHE_ICON); TreeNew_InvalidateNode(ProcessTreeListHandle, &ProcessNode->Node); } VOID PhTickProcessNodes( VOID ) { ULONG i; PH_TREENEW_VIEW_PARTS viewParts; BOOLEAN fullyInvalidated; RECT rect; // Header text invalidation (dmex) if (PhProcessTreeColumnHeaderCache) { memset(PhProcessTreeColumnHeaderCache, 0, PhProcessTreeColumnHeaderCacheLength); } // Node text invalidation, node updates for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; // The name and PID never change, so we don't invalidate that. memset(&node->TextCache[2], 0, sizeof(PH_STRINGREF) * (PHPRTLC_MAXIMUM - 2)); node->ValidMask &= PHPN_OSCONTEXT | PHPN_IMAGE | PHPN_DPIAWARENESS | PHPN_APPID | PHPN_DESKTOPINFO | PHPN_CODEPAGE | PHPN_GRANTEDACCESS; // Items that always remain valid // The DPI awareness defaults to unaware if not set or declared in the manifest in which case // it can be changed once, so we can only be sure that it won't be changed again if it is different // from Unaware (poizan42). if (node->DpiAwareness != PH_PROCESS_DPI_AWARENESS_UNAWARE + 1) node->ValidMask &= ~PHPN_DPIAWARENESS; // Invalidate graph buffers. node->CpuGraphBuffers.Valid = FALSE; node->PrivateGraphBuffers.Valid = FALSE; node->IoGraphBuffers.Valid = FALSE; } fullyInvalidated = FALSE; if (PhCsSortRootProcesses || PhCsSortChildProcesses || ProcessTreeListSortOrder != NoSortOrder) { // Force a rebuild to sort the items. TreeNew_NodesStructured(ProcessTreeListHandle); fullyInvalidated = TRUE; } // State highlighting PH_TICK_SH_STATE_TN(PH_PROCESS_NODE, ShState, ProcessNodeStateList, PhpRemoveProcessNode, PhCsHighlightingDuration, ProcessTreeListHandle, TRUE, &fullyInvalidated, NULL); if (ProcessTreeListHandle && !fullyInvalidated) { // The first column doesn't need to be invalidated because the process name never changes, and // icon changes are handled by the modified event. This small optimization can save more than // 10 million cycles per update (on my machine). (wj32) TreeNew_GetViewParts(ProcessTreeListHandle, &viewParts); rect.left = viewParts.NormalLeft; rect.top = viewParts.HeaderHeight; rect.right = viewParts.ClientRect.right - viewParts.VScrollWidth; rect.bottom = viewParts.ClientRect.bottom; // Excluding the first column causes some visual tearing of the client area while scrolling the window // because the region is excluded from the initial repainting, then included and painted a half second later // by scrolling the window. Don't exclude the region during scrolling events, simply invalidate the entire window. // This prevents multiple paint events accumulating in the update region, if the treelist repaints // the client area then our InvalidateRect is a noop and we avoid the visual tearing. (dmex) if (viewParts.ScrollTickCount > 2000) InvalidateRect(ProcessTreeListHandle, &rect, FALSE); else InvalidateRect(ProcessTreeListHandle, NULL, FALSE); } } static VOID PhpNeedGraphContext( _In_ HDC hdc, _In_ LONG Width, _In_ LONG Height ) { // If we already have a graph context and it's the right size, then return immediately. if (GraphContextWidth == Width && GraphContextHeight == Height) return; if (GraphContext) { // The original bitmap must be selected back into the context, otherwise // the bitmap can't be deleted. (wj32) if (GraphOldBitmap) { SelectBitmap(GraphContext, GraphOldBitmap); GraphOldBitmap = NULL; } if (GraphBitmap) { DeleteBitmap(GraphBitmap); GraphBitmap = NULL; } DeleteDC(GraphContext); GraphContext = NULL; } GraphContextWidth = Width; GraphContextHeight = Height; GraphContext = CreateCompatibleDC(hdc); if (!GraphContext) return; GraphBitmap = PhCreateDIBSection(hdc, PHBF_DIB, Width, Height, &GraphBits); if (!GraphBitmap) return; GraphOldBitmap = SelectBitmap(GraphContext, GraphBitmap); } _Success_(return) static BOOLEAN PhpFormatInt32GroupDigits( _In_ ULONG Value, _Out_writes_bytes_(BufferLength) PWCHAR Buffer, _In_ ULONG BufferLength, _Out_opt_ PPH_STRINGREF String ) { PH_FORMAT format; SIZE_T returnLength; PhInitFormatU(&format, Value); format.Type |= FormatGroupDigits; if (PhFormatToBuffer(&format, 1, Buffer, BufferLength, &returnLength)) { if (String) { String->Buffer = Buffer; String->Length = returnLength - sizeof(UNICODE_NULL); } return TRUE; } else { return FALSE; } } FORCEINLINE VOID PhpAccumulateField( _Inout_ PVOID Accumulator, _In_ PVOID Value, _In_ PH_AGGREGATE_TYPE Type ) { switch (Type) { case AggregateTypeFloat: *(PFLOAT)Accumulator += *(PFLOAT)Value; break; case AggregateTypeInt32: *(PULONG)Accumulator += *(PULONG)Value; break; case AggregateTypeInt64: *(PULONG64)Accumulator += *(PULONG64)Value; break; case AggregateTypeIntPtr: *(PULONG_PTR)Accumulator += *(PULONG_PTR)Value; break; } } static VOID PhpAggregateField( _In_ PPH_PROCESS_NODE ProcessNode, _In_ PH_AGGREGATE_TYPE Type, _In_ PH_AGGREGATE_LOCATION Location, _In_ PVOID BaseAddress, _In_ SIZE_T FieldOffset, _Inout_ PVOID AggregatedValue ) { ULONG i; ULONG_PTR offset; PhpAccumulateField(AggregatedValue, PTR_ADD_OFFSET(BaseAddress, FieldOffset), Type); switch (Location) { case AggregateProcessItem: offset = (ULONG_PTR)BaseAddress - (ULONG_PTR)ProcessNode->ProcessItem; break; case AggregateProcessNode: offset = (ULONG_PTR)BaseAddress - (ULONG_PTR)ProcessNode; break; default: PhRaiseStatus(STATUS_INVALID_PARAMETER); } for (i = 0; i < ProcessNode->Children->Count; i++) { PPH_PROCESS_NODE node; PVOID baseAddress; node = ProcessNode->Children->Items[i]; switch (Location) { case AggregateProcessItem: baseAddress = PTR_ADD_OFFSET(node->ProcessItem, offset); break; case AggregateProcessNode: baseAddress = PTR_ADD_OFFSET(node, offset); break; DEFAULT_UNREACHABLE; } PhpAggregateField(node, Type, Location, baseAddress, FieldOffset, AggregatedValue); } } VOID PhAggregateProcessFieldIfNeeded( _In_ PPH_PROCESS_NODE ProcessNode, _In_ PH_AGGREGATE_TYPE Type, _In_ PH_AGGREGATE_LOCATION Location, _In_ PVOID BaseAddress, _In_ SIZE_T FieldOffset, _Inout_ PVOID AggregatedValue ) { if (!PhCsPropagateCpuUsage || ProcessNode->Node.Expanded || (!PhCsSortChildProcesses && ProcessTreeListSortOrder != NoSortOrder)) { PhpAccumulateField(AggregatedValue, PTR_ADD_OFFSET(BaseAddress, FieldOffset), Type); } else { PhpAggregateField(ProcessNode, Type, Location, BaseAddress, FieldOffset, AggregatedValue); } } static VOID PhpAggregateFieldIfNeeded( _In_ PPH_PROCESS_NODE ProcessNode, _In_ PH_AGGREGATE_TYPE Type, _In_ PH_AGGREGATE_LOCATION Location, _In_ PVOID BaseAddress, _In_ SIZE_T FieldOffset, _Inout_ PVOID AggregatedValue ) { PhAggregateProcessFieldIfNeeded(ProcessNode, Type, Location, BaseAddress, FieldOffset, AggregatedValue); } static VOID PhpAggregateFieldTotal( _In_ PPH_PROCESS_NODE ProcessNode, _In_ PH_AGGREGATE_TYPE Type, _In_ PVOID BaseAddress, _In_ SIZE_T FieldOffset, _Inout_ PVOID AggregatedValue ) { PhpAccumulateField(AggregatedValue, PTR_ADD_OFFSET(BaseAddress, FieldOffset), Type); } static VOID PhpUpdateProcessNodeWsCounters( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_WSCOUNTERS)) { BOOLEAN success = FALSE; if ( ProcessNode->ProcessItem->QueryHandle && PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessItem->ProcessId) && ProcessNode->ProcessItem->IsHandleValid // PROCESS_QUERY_INFORMATION ) { if (NT_SUCCESS(PhGetProcessWsCounters(ProcessNode->ProcessItem->QueryHandle, &ProcessNode->WsCounters))) success = TRUE; } if (!success) memset(&ProcessNode->WsCounters, 0, sizeof(PH_PROCESS_WS_COUNTERS)); SetFlag(ProcessNode->ValidMask, PHPN_WSCOUNTERS); } } static VOID PhpUpdateProcessNodeGdiHandles( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_GDIHANDLES)) { if (ProcessNode->ProcessId == SYSTEM_PROCESS_ID) { if (!NT_SUCCESS(PhGetSessionGuiResources(GR_GDIOBJECTS, &ProcessNode->GdiHandles))) ProcessNode->GdiHandles = 0; } else if (ProcessNode->ProcessItem->QueryHandle) { if (!NT_SUCCESS(PhGetProcessGuiResources(ProcessNode->ProcessItem->QueryHandle, GR_GDIOBJECTS, &ProcessNode->GdiHandles))) ProcessNode->GdiHandles = 0; } else { ProcessNode->GdiHandles = 0; } SetFlag(ProcessNode->ValidMask, PHPN_GDIHANDLES); } } static VOID PhpUpdateProcessNodeUserHandles( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_USERHANDLES)) { if (ProcessNode->ProcessId == SYSTEM_PROCESS_ID) { if (!NT_SUCCESS(PhGetSessionGuiResources(GR_USEROBJECTS, &ProcessNode->UserHandles))) ProcessNode->UserHandles = 0; } else if (ProcessNode->ProcessItem->QueryHandle) { if (!NT_SUCCESS(PhGetProcessGuiResources(ProcessNode->ProcessItem->QueryHandle, GR_USEROBJECTS, &ProcessNode->UserHandles))) ProcessNode->UserHandles = 0; } else { ProcessNode->UserHandles = 0; } SetFlag(ProcessNode->ValidMask, PHPN_USERHANDLES); } } static VOID PhpUpdateProcessNodeIoPagePriority( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_IOPAGEPRIORITY)) { if (ProcessNode->ProcessItem->QueryHandle) { if (!NT_SUCCESS(PhGetProcessIoPriority(ProcessNode->ProcessItem->QueryHandle, &ProcessNode->IoPriority))) ProcessNode->IoPriority = ULONG_MAX; if (!NT_SUCCESS(PhGetProcessPagePriority(ProcessNode->ProcessItem->QueryHandle, &ProcessNode->PagePriority))) ProcessNode->PagePriority = ULONG_MAX; } else { ProcessNode->IoPriority = ULONG_MAX; ProcessNode->PagePriority = ULONG_MAX; } SetFlag(ProcessNode->ValidMask, PHPN_IOPAGEPRIORITY); } } static VOID PhpUpdateProcessNodeWindow( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_WINDOW)) { PhClearReference(&ProcessNode->WindowText); if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { if (!ProcessNode->WindowHandle) { ProcessNode->WindowHandle = PhGetProcessMainWindow( ProcessNode->ProcessId, ProcessNode->ProcessItem->QueryHandle ); } if (ProcessNode->WindowHandle) { PhGetWindowTextEx( ProcessNode->WindowHandle, PH_GET_WINDOW_TEXT_INTERNAL, &ProcessNode->WindowText ); ProcessNode->WindowHung = !!PhIsHungAppWindow(ProcessNode->WindowHandle); } } SetFlag(ProcessNode->ValidMask, PHPN_WINDOW); } } static VOID PhpUpdateProcessNodeDepStatus( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_DEPSTATUS)) { ULONG depStatus = 0; #ifdef _WIN64 if ( ProcessNode->ProcessItem->QueryHandle && PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessItem->ProcessId) && ProcessNode->ProcessItem->IsWow64Process && ProcessNode->ProcessItem->IsHandleValid // PROCESS_QUERY_INFORMATION ) #else if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessItem->ProcessId) && ProcessNode->ProcessItem->QueryHandle) #endif { PhGetProcessDepStatus(ProcessNode->ProcessItem->QueryHandle, &depStatus); } else { if (ProcessNode->ProcessItem->QueryHandle) { depStatus = PH_PROCESS_DEP_ENABLED | PH_PROCESS_DEP_PERMANENT; } } ProcessNode->DepStatus = depStatus; SetFlag(ProcessNode->ValidMask, PHPN_DEPSTATUS); } } static VOID PhpUpdateProcessNodeToken( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_TOKEN)) { HANDLE tokenHandle; ProcessNode->VirtualizationAllowed = FALSE; ProcessNode->VirtualizationEnabled = FALSE; if (ProcessNode->ProcessItem->QueryHandle) { if (NT_SUCCESS(PhOpenProcessToken( ProcessNode->ProcessItem->QueryHandle, TOKEN_QUERY, &tokenHandle ))) { if (NT_SUCCESS(PhGetTokenIsVirtualizationAllowed(tokenHandle, &ProcessNode->VirtualizationAllowed)) && ProcessNode->VirtualizationAllowed) { if (!NT_SUCCESS(PhGetTokenIsVirtualizationEnabled(tokenHandle, &ProcessNode->VirtualizationEnabled))) { ProcessNode->VirtualizationAllowed = FALSE; // display N/A on error } } NtClose(tokenHandle); } } SetFlag(ProcessNode->ValidMask, PHPN_TOKEN); } } static VOID PhpUpdateProcessOsContext( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_OSCONTEXT)) { HANDLE processHandle; if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessItem->ProcessId) && !ProcessNode->ProcessItem->IsSubsystemProcess) { if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessNode->ProcessId))) { if (NT_SUCCESS(PhGetProcessSwitchContext(processHandle, &ProcessNode->OsContextGuid))) { if (IsEqualGUID(&ProcessNode->OsContextGuid, &WIN10_CONTEXT_GUID)) ProcessNode->OsContextVersion = WINDOWS_10; else if (IsEqualGUID(&ProcessNode->OsContextGuid, &WINBLUE_CONTEXT_GUID)) ProcessNode->OsContextVersion = WINDOWS_8_1; else if (IsEqualGUID(&ProcessNode->OsContextGuid, &WIN8_CONTEXT_GUID)) ProcessNode->OsContextVersion = WINDOWS_8; else if (IsEqualGUID(&ProcessNode->OsContextGuid, &WIN7_CONTEXT_GUID)) ProcessNode->OsContextVersion = WINDOWS_7; else if (IsEqualGUID(&ProcessNode->OsContextGuid, &VISTA_CONTEXT_GUID)) ProcessNode->OsContextVersion = WINDOWS_VISTA; else if (IsEqualGUID(&ProcessNode->OsContextGuid, &XP_CONTEXT_GUID)) ProcessNode->OsContextVersion = WINDOWS_XP; } NtClose(processHandle); } } SetFlag(ProcessNode->ValidMask, PHPN_OSCONTEXT); } } static VOID PhpUpdateProcessNodeQuotaLimits( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_QUOTALIMITS)) { QUOTA_LIMITS quotaLimits; if (ProcessNode->ProcessItem->QueryHandle && NT_SUCCESS(PhGetProcessQuotaLimits( ProcessNode->ProcessItem->QueryHandle, "aLimits ))) { ProcessNode->MinimumWorkingSetSize = quotaLimits.MinimumWorkingSetSize; ProcessNode->MaximumWorkingSetSize = quotaLimits.MaximumWorkingSetSize; } else { ProcessNode->MinimumWorkingSetSize = 0; ProcessNode->MaximumWorkingSetSize = 0; } SetFlag(ProcessNode->ValidMask, PHPN_QUOTALIMITS); } } static VOID PhpUpdateProcessNodeImage( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_IMAGE)) { ProcessNode->Architecture = IMAGE_FILE_MACHINE_UNKNOWN; ProcessNode->ImageMachine = IMAGE_FILE_MACHINE_UNKNOWN; ProcessNode->ImageSubsystem = IMAGE_SUBSYSTEM_UNKNOWN; if (ProcessNode->ProcessItem->IsSubsystemProcess) { ProcessNode->ImageSubsystem = IMAGE_SUBSYSTEM_POSIX_CUI; } else if (ProcessNode->ProcessItem->FileName) { PH_MAPPED_IMAGE mappedImage; #ifdef _ARM64_ if (NT_SUCCESS(PhLoadMappedImageEx(&ProcessNode->ProcessItem->FileName->sr, NULL, &mappedImage))) #else if (NT_SUCCESS(PhLoadMappedImageHeaderPageSize(&ProcessNode->ProcessItem->FileName->sr, NULL, &mappedImage))) #endif { ProcessNode->ImageMachine = mappedImage.NtHeaders->FileHeader.Machine; ProcessNode->ImageTimeDateStamp = mappedImage.NtHeaders->FileHeader.TimeDateStamp; ProcessNode->ImageCharacteristics = mappedImage.NtHeaders->FileHeader.Characteristics; if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { ProcessNode->ImageSubsystem = ((PIMAGE_OPTIONAL_HEADER32)&mappedImage.NtHeaders->OptionalHeader)->Subsystem; ProcessNode->ImageDllCharacteristics = ((PIMAGE_OPTIONAL_HEADER32)&mappedImage.NtHeaders->OptionalHeader)->DllCharacteristics; } else if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { ProcessNode->ImageSubsystem = ((PIMAGE_OPTIONAL_HEADER64)&mappedImage.NtHeaders->OptionalHeader)->Subsystem; ProcessNode->ImageDllCharacteristics = ((PIMAGE_OPTIONAL_HEADER64)&mappedImage.NtHeaders->OptionalHeader)->DllCharacteristics; } #ifdef _ARM64_ if (ProcessNode->ImageMachine == IMAGE_FILE_MACHINE_AMD64 || ProcessNode->ImageMachine == IMAGE_FILE_MACHINE_ARM64) ProcessNode->ImageCHPEVersion = PhGetMappedImageCHPEVersion(&mappedImage); #endif PhUnloadMappedImage(&mappedImage); } } if (ProcessNode->ProcessItem->QueryHandle) { USHORT processArchitecture; if (NT_SUCCESS(PhGetProcessArchitecture(ProcessNode->ProcessItem->QueryHandle, &processArchitecture))) { ProcessNode->Architecture = processArchitecture; } } //if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessItem->ProcessId)) //{ // HANDLE processHandle; // PVOID imageBaseAddress; // PH_REMOTE_MAPPED_IMAGE mappedImage; // // if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessNode->ProcessId))) // { // if (NT_SUCCESS(PhGetProcessImageBaseAddress(processHandle, &imageBaseAddress))) // { // if (NT_SUCCESS(PhLoadRemoteMappedImage(processHandle, imageBaseAddress, &mappedImage))) // { // ProcessNode->ImageTimeDateStamp = mappedImage.NtHeaders->FileHeader.TimeDateStamp; // ProcessNode->ImageCharacteristics = mappedImage.NtHeaders->FileHeader.Characteristics; // // if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) // { // ProcessNode->ImageSubsystem = ((PIMAGE_OPTIONAL_HEADER32)&mappedImage.NtHeaders->OptionalHeader)->Subsystem; // ProcessNode->ImageDllCharacteristics = ((PIMAGE_OPTIONAL_HEADER32)&mappedImage.NtHeaders->OptionalHeader)->DllCharacteristics; // } // else if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) // { // ProcessNode->ImageSubsystem = ((PIMAGE_OPTIONAL_HEADER64)&mappedImage.NtHeaders->OptionalHeader)->Subsystem; // ProcessNode->ImageDllCharacteristics = ((PIMAGE_OPTIONAL_HEADER64)&mappedImage.NtHeaders->OptionalHeader)->DllCharacteristics; // } // // PhUnloadRemoteMappedImage(&mappedImage); // } // } // // NtClose(processHandle); // } //} SetFlag(ProcessNode->ValidMask, PHPN_IMAGE); } } static VOID PhpUpdateProcessNodeAppId( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_APPID)) { ULONG windowFlags; PPH_STRING applicationUserModelId; PhClearReference(&ProcessNode->AppIdText); if ( PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessItem->ProcessId) && HR_SUCCESS(PhAppResolverGetAppIdForProcess(ProcessNode->ProcessId, &applicationUserModelId)) ) { ProcessNode->AppIdText = applicationUserModelId; } else { if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { if (NT_SUCCESS(PhGetProcessWindowTitle( ProcessNode->ProcessItem->QueryHandle, &windowFlags, &applicationUserModelId ))) { if (windowFlags & STARTF_TITLEISAPPID) ProcessNode->AppIdText = applicationUserModelId; else PhDereferenceObject(applicationUserModelId); } //if (WindowsVersion >= WINDOWS_8 && ProcessNode->ProcessItem->IsImmersive) //{ // HANDLE tokenHandle; // // if (NT_SUCCESS(PhOpenProcessToken( // ProcessNode->ProcessItem->QueryHandle, // TOKEN_QUERY, // &tokenHandle // ))) // { // ProcessNode->AppIdText = PhGetTokenPackageApplicationUserModelId(tokenHandle); // NtClose(tokenHandle); // } //} } } SetFlag(ProcessNode->ValidMask, PHPN_APPID); } } static VOID PhpUpdateProcessNodeDpiAwareness( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_DPIAWARENESS)) { if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { PH_PROCESS_DPI_AWARENESS dpiAwareness; if (PhGetProcessDpiAwareness(ProcessNode->ProcessItem->QueryHandle, &dpiAwareness)) ProcessNode->DpiAwareness = dpiAwareness + 1; } SetFlag(ProcessNode->ValidMask, PHPN_DPIAWARENESS); } } static VOID PhpUpdateProcessNodeFileAttributes( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_FILEATTRIBUTES)) { FILE_NETWORK_OPEN_INFORMATION networkOpenInfo; if (ProcessNode->ProcessItem->FileName && NT_SUCCESS(PhQueryFullAttributesFile( &ProcessNode->ProcessItem->FileName->sr, &networkOpenInfo ))) { ProcessNode->FileLastWriteTime = networkOpenInfo.LastWriteTime; ProcessNode->FileEndOfFile = networkOpenInfo.EndOfFile; } else { ProcessNode->FileLastWriteTime.QuadPart = 0; ProcessNode->FileEndOfFile.QuadPart = 0; } SetFlag(ProcessNode->ValidMask, PHPN_FILEATTRIBUTES); } } static VOID PhpUpdateProcessNodeDesktopInfo( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_DESKTOPINFO)) { HANDLE processHandle; PhClearReference(&ProcessNode->DesktopInfoText); if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessId) && !ProcessNode->ProcessItem->IsSubsystemProcess) { if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessNode->ProcessId ))) { PPH_STRING desktopinfo; if (NT_SUCCESS(PhGetProcessDesktopInfo(processHandle, &desktopinfo))) { ProcessNode->DesktopInfoText = desktopinfo; } NtClose(processHandle); } } SetFlag(ProcessNode->ValidMask, PHPN_DESKTOPINFO); } } static VOID PhpUpdateProcessBreakOnTermination( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_CRITICAL)) { ProcessNode->BreakOnTerminationEnabled = FALSE; if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { BOOLEAN breakOnTermination; if (NT_SUCCESS(PhGetProcessBreakOnTermination( ProcessNode->ProcessItem->QueryHandle, &breakOnTermination ))) { ProcessNode->BreakOnTerminationEnabled = breakOnTermination; } } SetFlag(ProcessNode->ValidMask, PHPN_CRITICAL); } } static VOID PhpUpdateProcessNodeErrorMode( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_ERRORMODE)) { PhClearReference(&ProcessNode->ErrorModeText); if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { ULONG errorMode; if (NT_SUCCESS(PhGetProcessErrorMode( ProcessNode->ProcessItem->QueryHandle, &errorMode )) && errorMode > 0) { PH_STRING_BUILDER stringBuilder; WCHAR pointer[PH_PTR_STR_LEN_1]; PhInitializeStringBuilder(&stringBuilder, 0x50); if (errorMode & SEM_FAILCRITICALERRORS) { PhAppendStringBuilder2(&stringBuilder, L"Fail critical, "); } if (errorMode & SEM_NOGPFAULTERRORBOX) { PhAppendStringBuilder2(&stringBuilder, L"GP faults, "); } if (errorMode & SEM_NOALIGNMENTFAULTEXCEPT) { PhAppendStringBuilder2(&stringBuilder, L"Alignment faults, "); } if (errorMode & SEM_NOOPENFILEERRORBOX) { PhAppendStringBuilder2(&stringBuilder, L"Openfile faults, "); } if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhPrintPointer(pointer, UlongToPtr(errorMode)); PhAppendFormatStringBuilder(&stringBuilder, L" (%s)", pointer); ProcessNode->ErrorModeText = PhFinalStringBuilderString(&stringBuilder); } } SetFlag(ProcessNode->ValidMask, PHPN_ERRORMODE); } } static VOID PhpUpdateProcessNodeCodePage( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_CODEPAGE)) { if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessId) && !ProcessNode->ProcessItem->IsSubsystemProcess) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessNode->ProcessId ))) { USHORT codePage; if (NT_SUCCESS(PhGetProcessCodePage(processHandle, &codePage))) { ProcessNode->CodePage = codePage; } NtClose(processHandle); } } SetFlag(ProcessNode->ValidMask, PHPN_CODEPAGE); } } static VOID PhpUpdateProcessNodePowerThrottling( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_POWERTHROTTLING)) { ProcessNode->PowerThrottling = FALSE; if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { POWER_THROTTLING_PROCESS_STATE powerThrottlingState; if (NT_SUCCESS(PhGetProcessPowerThrottlingState(ProcessNode->ProcessItem->QueryHandle, &powerThrottlingState))) { if (powerThrottlingState.ControlMask & POWER_THROTTLING_PROCESS_EXECUTION_SPEED && powerThrottlingState.StateMask & POWER_THROTTLING_PROCESS_EXECUTION_SPEED) { ProcessNode->PowerThrottling = TRUE; } } } SetFlag(ProcessNode->ValidMask, PHPN_POWERTHROTTLING); } } static VOID PhpUpdateProcessNodePriorityBoost( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_PRIORITYBOOST)) { ProcessNode->PriorityBoost = FALSE; if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { BOOLEAN priorityBoostDisabled; if (NT_SUCCESS(PhGetProcessPriorityBoost(ProcessNode->ProcessItem->QueryHandle, &priorityBoostDisabled))) { ProcessNode->PriorityBoost = !priorityBoostDisabled; } } SetFlag(ProcessNode->ValidMask, PHPN_PRIORITYBOOST); } } static VOID PhpUpdateProcessNodeGrantedAccess( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_GRANTEDACCESS)) { PhClearReference(&ProcessNode->GrantedAccessText); if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessId)) { NTSTATUS status; HANDLE processHandle; ACCESS_MASK processAccess; if (ProcessNode->ProcessItem->IsProtectedProcess && ProcessNode->ProcessItem->Protection.Type == PsProtectedTypeProtectedLight) processAccess = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION; else if (ProcessNode->ProcessItem->IsProtectedProcess && ProcessNode->ProcessItem->Protection.Type == PsProtectedTypeProtected) processAccess = PROCESS_QUERY_LIMITED_INFORMATION; else if (ProcessNode->ProcessItem->IsSubsystemProcess && KsiLevel() != KphLevelMax) processAccess = PROCESS_QUERY_LIMITED_INFORMATION; else processAccess = MAXIMUM_ALLOWED; status = PhOpenProcess( &processHandle, processAccess, ProcessNode->ProcessId ); if (NT_SUCCESS(status)) { OBJECT_BASIC_INFORMATION basicInfo; status = PhQueryObjectBasicInformation(processHandle, &basicInfo); if (NT_SUCCESS(status)) { PPH_ACCESS_ENTRY accessEntries; ULONG numberOfAccessEntries; if (PhGetAccessEntries(L"Process", &accessEntries, &numberOfAccessEntries)) { ProcessNode->GrantedAccessText = PhGetAccessString(basicInfo.GrantedAccess, accessEntries, numberOfAccessEntries); PhFree(accessEntries); } if (ProcessNode->GrantedAccessText) { WCHAR grantedAccessString[PH_PTR_STR_LEN_1]; PhPrintPointer(grantedAccessString, UlongToPtr(basicInfo.GrantedAccess)); PhMoveReference(&ProcessNode->GrantedAccessText, PhFormatString( L"%s (%s)", PhGetString(ProcessNode->GrantedAccessText), grantedAccessString )); } } NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhMoveReference(&ProcessNode->GrantedAccessText, PhGetStatusMessage(status, 0)); } } SetFlag(ProcessNode->ValidMask, PHPN_GRANTEDACCESS); } } static VOID PhpUpdateProcessNodeTlsBitmapDelta( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_TLSBITMAPDELTA)) { if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessId) && !ProcessNode->ProcessItem->IsSubsystemProcess) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessNode->ProcessId ))) { ULONG bitmapCount; ULONG bitmapExpansionCount; if (NT_SUCCESS(PhGetProcessTlsBitMapCounters(processHandle, &bitmapCount, &bitmapExpansionCount))) { ProcessNode->TlsBitmapCount = (USHORT)(bitmapCount + bitmapExpansionCount); } NtClose(processHandle); } } SetFlag(ProcessNode->ValidMask, PHPN_TLSBITMAPDELTA); } } static VOID PhpUpdateProcessNodeObjectReferences( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_REFERENCEDELTA)) { if (PH_IS_REAL_PROCESS_ID(ProcessNode->ProcessId)) { ProcessNode->ReferenceCount = 0; if (ProcessNode->ProcessItem->QueryHandle) { OBJECT_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhQueryObjectBasicInformation(ProcessNode->ProcessItem->QueryHandle, &basicInfo))) { ProcessNode->ReferenceCount = basicInfo.HandleCount; } } } SetFlag(ProcessNode->ValidMask, PHPN_REFERENCEDELTA); } } static VOID PhpUpdateProcessNodeStartKey( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_STARTKEY)) { ProcessNode->ProcessStartKey = 0; if (ProcessNode->ProcessItem->QueryHandle) { ULONGLONG processStartKey; if (NT_SUCCESS(PhGetProcessStartKey(ProcessNode->ProcessItem->QueryHandle, &processStartKey))) { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"0x"); PhInitFormatI64X(&format[1], processStartKey); PhMoveReference(&ProcessNode->ProcessStartKeyText, PhFormat(format, 2, 0)); ProcessNode->ProcessStartKey = processStartKey; } } SetFlag(ProcessNode->ValidMask, PHPN_STARTKEY); } } static VOID PhpUpdateProcessNodeMitigationPolicies( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_MITIGATIONPOLICIES)) { PhClearReference(&ProcessNode->MitigationPoliciesText); if (ProcessNode->ProcessItem->QueryHandle && !ProcessNode->ProcessItem->IsSubsystemProcess) { NTSTATUS status; PH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION information; status = PhGetProcessMitigationPolicyAllInformation(ProcessNode->ProcessItem->QueryHandle, &information); if (NT_SUCCESS(status)) { PH_STRING_BUILDER sb; PROCESS_MITIGATION_POLICY policy; PPH_STRING shortDescription; PhInitializeStringBuilder(&sb, 100); for (policy = 0; policy < MaxProcessMitigationPolicy; policy++) { if (information.Pointers[policy] && PhDescribeProcessMitigationPolicy( policy, information.Pointers[policy], &shortDescription, NULL )) { PhAppendStringBuilder(&sb, &shortDescription->sr); PhAppendStringBuilder2(&sb, L"; "); PhDereferenceObject(shortDescription); } } // HACK: Show System process CET mitigation (dmex) if (ProcessNode->ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { SYSTEM_SHADOW_STACK_INFORMATION shadowStackInformation; if (NT_SUCCESS(PhGetSystemShadowStackInformation(&shadowStackInformation))) { PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY policyData; memset(&policyData, 0, sizeof(PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY)); policyData.EnableUserShadowStack = shadowStackInformation.KernelCetEnabled; policyData.EnableUserShadowStackStrictMode = shadowStackInformation.KernelCetEnabled; policyData.AuditUserShadowStack = shadowStackInformation.KernelCetAuditModeEnabled; if (PhDescribeProcessMitigationPolicy( ProcessUserShadowStackPolicy, &policyData, &shortDescription, NULL )) { PhAppendStringBuilder(&sb, &shortDescription->sr); PhAppendStringBuilder2(&sb, L"; "); PhDereferenceObject(shortDescription); } } } if (sb.String->Length != 0) PhRemoveEndStringBuilder(&sb, 2); ProcessNode->MitigationPoliciesText = PhFinalStringBuilderString(&sb); } } SetFlag(ProcessNode->ValidMask, PHPN_MITIGATIONPOLICIES); } } static VOID PhpUpdateProcessNodeServices( _Inout_ PPH_PROCESS_NODE ProcessNode ) { if (!FlagOn(ProcessNode->ValidMask, PHPN_SERVICES)) { PhClearReference(&ProcessNode->ServicesText); if (ProcessNode->ProcessItem->ServiceList && ProcessNode->ProcessItem->ServiceList->Count != 0) { ULONG enumerationKey = 0; PPH_SERVICE_ITEM serviceItem; PH_STRING_BUILDER stringBuilder; PhAcquireQueuedLockShared(&ProcessNode->ProcessItem->ServiceListLock); PhInitializeStringBuilder(&stringBuilder, 0x100); while (PhEnumPointerList( ProcessNode->ProcessItem->ServiceList, &enumerationKey, &serviceItem )) { PhAppendStringBuilder(&stringBuilder, &serviceItem->Name->sr); PhAppendStringBuilder2(&stringBuilder, L", "); //PhAppendStringBuilder2(&stringBuilder, L" ("); //PhAppendStringBuilder(&stringBuilder, &serviceItem->DisplayName->sr); //PhAppendStringBuilder2(&stringBuilder, L"), "); } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 2); ProcessNode->ServicesText = PhFinalStringBuilderString(&stringBuilder); PhReleaseQueuedLockShared(&ProcessNode->ProcessItem->ServiceListLock); } SetFlag(ProcessNode->ValidMask, PHPN_SERVICES); } } #define SORT_FUNCTION(Column) PhpProcessTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpProcessTreeNewCompare##Column( \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_PROCESS_NODE node1 = *(PPH_PROCESS_NODE *)_elem1; \ PPH_PROCESS_NODE node2 = *(PPH_PROCESS_NODE *)_elem2; \ PPH_PROCESS_ITEM processItem1 = node1->ProcessItem; \ PPH_PROCESS_ITEM processItem2 = node2->ProcessItem; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = intptrcmp((LONG_PTR)processItem1->ProcessId, (LONG_PTR)processItem2->ProcessId); \ \ return PhModifySort(sortResult, ProcessTreeListSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpProcessTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = intptrcmp((LONG_PTR)((PPH_PROCESS_NODE)Node1)->ProcessItem->ProcessId, (LONG_PTR)((PPH_PROCESS_NODE)Node2)->ProcessItem->ProcessId); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNullSortOrder( processItem1->ProcessName, processItem2->ProcessName, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Pid) { // Use signed int so DPCs and Interrupts are placed above System Idle Process. sortResult = intptrcmp((LONG_PTR)processItem1->ProcessId, (LONG_PTR)processItem2->ProcessId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Cpu) { FLOAT number1 = 0; FLOAT number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeFloat, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, CpuUsage), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeFloat, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, CpuUsage), &number2); sortResult = singlecmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoTotalRate) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number2); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number2); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PrivateBytes) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PagefileUsage), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeIntPtr, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PagefileUsage), &number2); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserName) { sortResult = PhCompareStringWithNullSortOrder( processItem1->UserName, processItem2->UserName, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Description) { sortResult = PhCompareStringWithNullSortOrder( processItem1->VersionInfo.FileDescription, processItem2->VersionInfo.FileDescription, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CompanyName) { sortResult = PhCompareStringWithNullSortOrder( processItem1->VersionInfo.CompanyName, processItem2->VersionInfo.CompanyName, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Version) { sortResult = PhCompareStringWithNullSortOrder( processItem1->VersionInfo.FileVersion, processItem2->VersionInfo.FileVersion, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileName) { sortResult = PhCompareStringWithNullSortOrder( processItem1->FileName, processItem2->FileName, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CommandLine) { sortResult = PhCompareStringWithNullSortOrder( processItem1->CommandLine, processItem2->CommandLine, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PeakPrivateBytes) { sortResult = uintptrcmp(processItem1->VmCounters.PeakPagefileUsage, processItem2->VmCounters.PeakPagefileUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(WorkingSet) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.WorkingSetSize), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeIntPtr, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.WorkingSetSize), &number2); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PeakWorkingSet) { sortResult = uintptrcmp(processItem1->VmCounters.PeakWorkingSetSize, processItem2->VmCounters.PeakWorkingSetSize); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PrivateWs) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, WorkingSetPrivateSize), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeIntPtr, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, WorkingSetPrivateSize), &number2); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(SharedWs) { PhpUpdateProcessNodeWsCounters(node1); PhpUpdateProcessNodeWsCounters(node2); sortResult = uintptrcmp(node1->WsCounters.NumberOfSharedPages, node2->WsCounters.NumberOfSharedPages); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ShareableWs) { PhpUpdateProcessNodeWsCounters(node1); PhpUpdateProcessNodeWsCounters(node2); sortResult = uintptrcmp(node1->WsCounters.NumberOfShareablePages, node2->WsCounters.NumberOfShareablePages); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(VirtualSize) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.VirtualSize), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeIntPtr, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.VirtualSize), &number2); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PeakVirtualSize) { sortResult = uintptrcmp(processItem1->VmCounters.PeakVirtualSize, processItem2->VmCounters.PeakVirtualSize); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PageFaults) { ULONG number1 = 0; ULONG number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PageFaultCount), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PageFaultCount), &number2); sortResult = uintcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(SessionId) { sortResult = uintcmp(processItem1->SessionId, processItem2->SessionId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(BasePriority) { sortResult = intcmp(processItem1->BasePriority, processItem2->BasePriority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Threads) { ULONG number1 = 0; ULONG number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfThreads), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfThreads), &number2); sortResult = uintcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Handles) { ULONG number1 = 0; ULONG number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfHandles), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfHandles), &number2); sortResult = uintcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(GdiHandles) { ULONG number1 = 0; ULONG number2 = 0; PhpUpdateProcessNodeGdiHandles(node1); PhpUpdateProcessNodeGdiHandles(node2); PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessNode, node1, FIELD_OFFSET(PH_PROCESS_NODE, GdiHandles), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessNode, node2, FIELD_OFFSET(PH_PROCESS_NODE, GdiHandles), &number2); sortResult = uintcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserHandles) { ULONG number1 = 0; ULONG number2 = 0; PhpUpdateProcessNodeUserHandles(node1); PhpUpdateProcessNodeUserHandles(node2); PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessNode, node1, FIELD_OFFSET(PH_PROCESS_NODE, UserHandles), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessNode, node2, FIELD_OFFSET(PH_PROCESS_NODE, UserHandles), &number2); sortResult = uintcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoRoRate) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number2); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoWRate) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Integrity) { sortResult = uintcmp(processItem1->IntegrityLevel.Level, processItem2->IntegrityLevel.Level); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoPriority) { sortResult = uintcmp(node1->IoPriority, node2->IoPriority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PagePriority) { sortResult = uintcmp(node1->PagePriority, node2->PagePriority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StartTime) { sortResult = int64cmp(processItem1->CreateTime.QuadPart, processItem2->CreateTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TotalCpuTime) { sortResult = uint64cmp( processItem1->KernelTime.QuadPart + processItem1->UserTime.QuadPart, processItem2->KernelTime.QuadPart + processItem2->UserTime.QuadPart ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(KernelCpuTime) { sortResult = uint64cmp(processItem1->KernelTime.QuadPart, processItem2->KernelTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserCpuTime) { sortResult = uint64cmp(processItem1->UserTime.QuadPart, processItem2->UserTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(VerificationStatus) { sortResult = uintcmp(processItem1->VerifyResult, processItem2->VerifyResult); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(VerifiedSigner) { sortResult = PhCompareStringWithNullSortOrder( processItem1->VerifySignerName, processItem2->VerifySignerName, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Aslr) { PhpUpdateProcessNodeImage(node1); PhpUpdateProcessNodeImage(node2); sortResult = intcmp( node1->ImageDllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, node2->ImageDllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(RelativeStartTime) { sortResult = -int64cmp(processItem1->CreateTime.QuadPart, processItem2->CreateTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Bits) { sortResult = uintcmp(processItem1->IsWow64Process, processItem2->IsWow64Process); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Elevation) { ULONG key1 = (ULONG)processItem1->ElevationType + (processItem1->IsElevated ? 4 : 0); ULONG key2 = (ULONG)processItem2->ElevationType + (processItem2->IsElevated ? 4 : 0); sortResult = uintcmp(key1, key2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(WindowTitle) { PhpUpdateProcessNodeWindow(node1); PhpUpdateProcessNodeWindow(node2); sortResult = PhCompareStringWithNullSortOrder( node1->WindowText, node2->WindowText, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(WindowStatus) { PhpUpdateProcessNodeWindow(node1); PhpUpdateProcessNodeWindow(node2); sortResult = ucharcmp(node1->WindowHung, node2->WindowHung); // Make sure all processes with windows get grouped together. if (sortResult == 0) sortResult = intcmp(!!node1->WindowHandle, !!node2->WindowHandle); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Cycles) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CyclesDelta) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Delta), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Dep) { PhpUpdateProcessNodeDepStatus(node1); PhpUpdateProcessNodeDepStatus(node2); sortResult = uintcmp(node1->DepStatus, node2->DepStatus); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Virtualized) { PhpUpdateProcessNodeToken(node1); PhpUpdateProcessNodeToken(node2); sortResult = ucharcmp(node1->VirtualizationEnabled, node2->VirtualizationEnabled); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ContextSwitches) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ContextSwitchesDelta) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Delta), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PageFaultsDelta) { ULONG number1 = 0; ULONG number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt32, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, PageFaultsDelta.Delta), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt32, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, PageFaultsDelta.Delta), &number2); sortResult = uintcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoReads) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoWrites) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoOther) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoReadBytes) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoWriteBytes) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoOtherBytes) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoReadsDelta) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoWritesDelta) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoOtherDelta) { ULONG64 number1 = 0; ULONG64 number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeInt64, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Value), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeInt64, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Value), &number2); sortResult = uint64cmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(OsContext) { PhpUpdateProcessOsContext(node1); PhpUpdateProcessOsContext(node2); sortResult = uintcmp(node1->OsContextVersion, node2->OsContextVersion); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PagedPool) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaPagedPoolUsage), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeIntPtr, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaPagedPoolUsage), &number2); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PeakPagedPool) { sortResult = uintptrcmp(processItem1->VmCounters.QuotaPeakPagedPoolUsage, processItem2->VmCounters.QuotaPeakPagedPoolUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(NonPagedPool) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaNonPagedPoolUsage), &number1); PhpAggregateFieldIfNeeded(node2, AggregateTypeIntPtr, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaNonPagedPoolUsage), &number2); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PeakNonPagedPool) { sortResult = uintptrcmp(processItem1->VmCounters.QuotaPeakNonPagedPoolUsage, processItem2->VmCounters.QuotaPeakNonPagedPoolUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(MinimumWorkingSet) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpUpdateProcessNodeQuotaLimits(node1); PhpUpdateProcessNodeQuotaLimits(node2); PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessNode, node1, FIELD_OFFSET(PH_PROCESS_NODE, MinimumWorkingSetSize), &number1); PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessNode, node1, FIELD_OFFSET(PH_PROCESS_NODE, MinimumWorkingSetSize), &number1); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(MaximumWorkingSet) { ULONG_PTR number1 = 0; ULONG_PTR number2 = 0; PhpUpdateProcessNodeQuotaLimits(node1); PhpUpdateProcessNodeQuotaLimits(node2); PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessNode, node1, FIELD_OFFSET(PH_PROCESS_NODE, MaximumWorkingSetSize), &number1); PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessNode, node1, FIELD_OFFSET(PH_PROCESS_NODE, MaximumWorkingSetSize), &number1); sortResult = uintptrcmp(number1, number2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PrivateBytesDelta) { LONG_PTR value1 = 0; LONG_PTR value2 = 0; PhpAggregateFieldIfNeeded(node1, AggregateTypeIntPtr, AggregateProcessItem, processItem1, FIELD_OFFSET(PH_PROCESS_ITEM, PrivateBytesDelta.Delta), &value1); PhpAggregateFieldIfNeeded(node2, AggregateTypeIntPtr, AggregateProcessItem, processItem2, FIELD_OFFSET(PH_PROCESS_ITEM, PrivateBytesDelta.Delta), &value2); // Ignore zero when sorting (dmex) if (value1 != 0 && value2 != 0) { if (value1 > value2) return -1; else if (value1 < value2) return 1; return 0; } else if (value1 == 0) { return value2 == 0 ? 0 : (ProcessTreeListSortOrder == AscendingSortOrder ? -1 : 1); } else { return (ProcessTreeListSortOrder == AscendingSortOrder ? 1 : -1); } } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Subsystem) { PhpUpdateProcessNodeImage(node1); PhpUpdateProcessNodeImage(node2); sortResult = ushortcmp(node1->ImageSubsystem, node2->ImageSubsystem); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PackageName) { sortResult = PhCompareStringWithNullSortOrder( processItem1->PackageFullName, processItem2->PackageFullName, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(AppId) { PhpUpdateProcessNodeAppId(node1); PhpUpdateProcessNodeAppId(node2); sortResult = PhCompareStringWithNullSortOrder( node1->AppIdText, node2->AppIdText, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(DpiAwareness) { PhpUpdateProcessNodeDpiAwareness(node1); PhpUpdateProcessNodeDpiAwareness(node2); sortResult = uintcmp(node1->DpiAwareness, node2->DpiAwareness); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CfGuard) { // prefer XFG over CFG sortResult = uintcmp(node1->ProcessItem->IsXfgEnabled, node2->ProcessItem->IsXfgEnabled); if (sortResult == 0) { // prefer XFG audit over CFG sortResult = uintcmp(node1->ProcessItem->IsXfgAuditEnabled, node2->ProcessItem->IsXfgAuditEnabled); if (sortResult == 0) { sortResult = uintcmp(node1->ProcessItem->IsControlFlowGuardEnabled, node2->ProcessItem->IsControlFlowGuardEnabled); } } } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TimeStamp) { PhpUpdateProcessNodeImage(node1); PhpUpdateProcessNodeImage(node2); sortResult = uintcmp(node1->ImageTimeDateStamp, node2->ImageTimeDateStamp); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileModifiedTime) { PhpUpdateProcessNodeFileAttributes(node1); PhpUpdateProcessNodeFileAttributes(node2); sortResult = int64cmp(node1->FileLastWriteTime.QuadPart, node2->FileLastWriteTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileSize) { PhpUpdateProcessNodeFileAttributes(node1); PhpUpdateProcessNodeFileAttributes(node2); sortResult = int64cmp(node1->FileEndOfFile.QuadPart, node2->FileEndOfFile.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Subprocesses) { sortResult = uint64cmp(node1->Children->Count, node2->Children->Count); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(JobObjectId) { sortResult = uint64cmp(processItem1->JobObjectId, processItem2->JobObjectId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Protection) { sortResult = ucharcmp((BOOLEAN)processItem1->IsSecureSystem, (BOOLEAN)processItem2->IsSecureSystem); if (sortResult == 0) { sortResult = ucharcmp((BOOLEAN)processItem1->IsSecureProcess, (BOOLEAN)processItem2->IsSecureProcess); if (sortResult == 0) { sortResult = ucharcmp((BOOLEAN)processItem1->IsProtectedProcess, (BOOLEAN)processItem2->IsProtectedProcess); if (sortResult == 0) { sortResult = ucharcmp(processItem1->Protection.Level, processItem2->Protection.Level); } } } } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(DesktopInfo) { PhpUpdateProcessNodeDesktopInfo(node1); PhpUpdateProcessNodeDesktopInfo(node2); sortResult = PhCompareStringWithNullSortOrder( node1->DesktopInfoText, node2->DesktopInfoText, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Critical) { PhpUpdateProcessBreakOnTermination(node1); PhpUpdateProcessBreakOnTermination(node2); sortResult = ucharcmp(node1->BreakOnTerminationEnabled, node2->BreakOnTerminationEnabled); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(HexPid) { sortResult = intptrcmp((LONG_PTR)processItem1->ProcessId, (LONG_PTR)processItem2->ProcessId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CpuCore) { sortResult = singlecmp(processItem1->CpuUsage, processItem2->CpuUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Cet) { sortResult = uintcmp(node1->ProcessItem->IsCetEnabled, node2->ProcessItem->IsCetEnabled); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ImageCoherency) { sortResult = singlecmp(processItem1->ImageCoherency, processItem2->ImageCoherency); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Architecture) { USHORT architecture1; USHORT architecture2; PhpUpdateProcessNodeImage(node1); PhpUpdateProcessNodeImage(node2); if (node1->Architecture != IMAGE_FILE_MACHINE_UNKNOWN) architecture1 = node1->Architecture; else architecture1 = node1->ImageMachine; if (node2->Architecture != IMAGE_FILE_MACHINE_UNKNOWN) architecture2 = node2->Architecture; else architecture2 = node2->ImageMachine; sortResult = ushortcmp(architecture1, architecture2); #ifdef _ARM64_ if (sortResult == 0) sortResult = uintcmp(node1->ImageCHPEVersion, node2->ImageCHPEVersion); #endif } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ErrorMode) { PhpUpdateProcessNodeErrorMode(node1); PhpUpdateProcessNodeErrorMode(node2); sortResult = PhCompareStringWithNullSortOrder( node1->ErrorModeText, node2->ErrorModeText, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CodePage) { PhpUpdateProcessNodeCodePage(node1); PhpUpdateProcessNodeCodePage(node2); sortResult = ushortcmp(node1->CodePage, node2->CodePage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PowerThrottling) { PhpUpdateProcessNodePowerThrottling(node1); PhpUpdateProcessNodePowerThrottling(node2); sortResult = ucharcmp(node1->PowerThrottling, node2->PowerThrottling); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ParentPid) { sortResult = intptrcmp((LONG_PTR)processItem1->ParentProcessId, (LONG_PTR)processItem2->ParentProcessId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ParentConsolePid) { sortResult = intptrcmp((LONG_PTR)processItem1->ConsoleHostProcessId, (LONG_PTR)processItem2->ConsoleHostProcessId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(SharedCommit) { sortResult = uint64cmp(processItem1->SharedCommitCharge, processItem2->SharedCommitCharge); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PriorityBoost) { PhpUpdateProcessNodePriorityBoost(node1); PhpUpdateProcessNodePriorityBoost(node2); sortResult = ucharcmp(node1->PriorityBoost, node2->PriorityBoost); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CpuAverage) { sortResult = singlecmp(processItem1->CpuAverageUsage, processItem2->CpuAverageUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CpuKernel) { sortResult = singlecmp(processItem1->CpuKernelUsage, processItem2->CpuKernelUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CpuUser) { sortResult = singlecmp(processItem1->CpuUserUsage, processItem2->CpuUserUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(GrantedAccess) { PhpUpdateProcessNodeGrantedAccess(node1); PhpUpdateProcessNodeGrantedAccess(node2); sortResult = PhCompareStringWithNullSortOrder( node1->GrantedAccessText, node2->GrantedAccessText, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TlsBitmapDelta) { PhpUpdateProcessNodeTlsBitmapDelta(node1); PhpUpdateProcessNodeTlsBitmapDelta(node2); sortResult = ushortcmp(node1->TlsBitmapCount, node2->TlsBitmapCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ReferenceDelta) { PhpUpdateProcessNodeObjectReferences(node1); PhpUpdateProcessNodeObjectReferences(node2); sortResult = uintcmp(node1->ReferenceCount, node2->ReferenceCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LxssPid) { sortResult = uintcmp(node1->ProcessItem->LxssProcessId, node2->ProcessItem->LxssProcessId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StartKey) { PhpUpdateProcessNodeStartKey(node1); PhpUpdateProcessNodeStartKey(node2); sortResult = uint64cmp(node1->ProcessStartKey, node2->ProcessStartKey); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(MitigationPolicies) { PhpUpdateProcessNodeMitigationPolicies(node1); PhpUpdateProcessNodeMitigationPolicies(node2); sortResult = PhCompareStringWithNullSortOrder( node1->MitigationPoliciesText, node2->MitigationPoliciesText, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Services) { PhpUpdateProcessNodeServices(node1); PhpUpdateProcessNodeServices(node2); sortResult = PhCompareStringWithNullSortOrder( node1->ServicesText, node2->ServicesText, ProcessTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BOOLEAN NTAPI PhpProcessTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ) { PPH_PROCESS_NODE node; if (PhCmForwardMessage(hwnd, Message, Parameter1, Parameter2, &ProcessTreeListCm)) return TRUE; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; PPH_LIST sortList; ULONG sortColumn; PH_SORT_ORDER sortOrder; node = (PPH_PROCESS_NODE)getChildren->Node; sortList = NULL; sortColumn = ProcessTreeListSortColumn; sortOrder = ProcessTreeListSortOrder; if (PhCsSortChildProcesses) { if (!node) { getChildren->Children = (PPH_TREENEW_NODE *)ProcessNodeRootList->Items; getChildren->NumberOfChildren = ProcessNodeRootList->Count; if (PhCsSortRootProcesses) sortList = ProcessNodeRootList; } else if (sortOrder == NoSortOrder) { getChildren->Children = (PPH_TREENEW_NODE *)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; sortList = node->Children; sortColumn = PHPRTLC_PID; sortOrder = AscendingSortOrder; } else { getChildren->Children = (PPH_TREENEW_NODE *)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; sortList = node->Children; } } else { if (sortOrder == NoSortOrder) { if (!node) { getChildren->Children = (PPH_TREENEW_NODE *)ProcessNodeRootList->Items; getChildren->NumberOfChildren = ProcessNodeRootList->Count; if (PhCsSortRootProcesses) sortList = ProcessNodeRootList; } else { getChildren->Children = (PPH_TREENEW_NODE *)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; } } else if (!node) { getChildren->Children = (PPH_TREENEW_NODE *)ProcessNodeList->Items; getChildren->NumberOfChildren = ProcessNodeList->Count; sortList = ProcessNodeList; } } if (sortList) { static PVOID sortFunctions[] = { SORT_FUNCTION(Name), SORT_FUNCTION(Pid), SORT_FUNCTION(Cpu), SORT_FUNCTION(IoTotalRate), SORT_FUNCTION(PrivateBytes), SORT_FUNCTION(UserName), SORT_FUNCTION(Description), SORT_FUNCTION(CompanyName), SORT_FUNCTION(Version), SORT_FUNCTION(FileName), SORT_FUNCTION(CommandLine), SORT_FUNCTION(PeakPrivateBytes), SORT_FUNCTION(WorkingSet), SORT_FUNCTION(PeakWorkingSet), SORT_FUNCTION(PrivateWs), SORT_FUNCTION(SharedWs), SORT_FUNCTION(ShareableWs), SORT_FUNCTION(VirtualSize), SORT_FUNCTION(PeakVirtualSize), SORT_FUNCTION(PageFaults), SORT_FUNCTION(SessionId), SORT_FUNCTION(BasePriority), // Priority Class SORT_FUNCTION(BasePriority), SORT_FUNCTION(Threads), SORT_FUNCTION(Handles), SORT_FUNCTION(GdiHandles), SORT_FUNCTION(UserHandles), SORT_FUNCTION(IoRoRate), SORT_FUNCTION(IoWRate), SORT_FUNCTION(Integrity), SORT_FUNCTION(IoPriority), SORT_FUNCTION(PagePriority), SORT_FUNCTION(StartTime), SORT_FUNCTION(TotalCpuTime), SORT_FUNCTION(KernelCpuTime), SORT_FUNCTION(UserCpuTime), SORT_FUNCTION(VerificationStatus), SORT_FUNCTION(VerifiedSigner), SORT_FUNCTION(Aslr), SORT_FUNCTION(RelativeStartTime), SORT_FUNCTION(Bits), SORT_FUNCTION(Elevation), SORT_FUNCTION(WindowTitle), SORT_FUNCTION(WindowStatus), SORT_FUNCTION(Cycles), SORT_FUNCTION(CyclesDelta), SORT_FUNCTION(Cpu), // CPU History SORT_FUNCTION(PrivateBytes), // Private Bytes History SORT_FUNCTION(IoTotalRate), // I/O History SORT_FUNCTION(Dep), SORT_FUNCTION(Virtualized), SORT_FUNCTION(ContextSwitches), SORT_FUNCTION(ContextSwitchesDelta), SORT_FUNCTION(PageFaultsDelta), SORT_FUNCTION(IoReads), SORT_FUNCTION(IoWrites), SORT_FUNCTION(IoOther), SORT_FUNCTION(IoReadBytes), SORT_FUNCTION(IoWriteBytes), SORT_FUNCTION(IoOtherBytes), SORT_FUNCTION(IoReadsDelta), SORT_FUNCTION(IoWritesDelta), SORT_FUNCTION(IoOtherDelta), SORT_FUNCTION(OsContext), SORT_FUNCTION(PagedPool), SORT_FUNCTION(PeakPagedPool), SORT_FUNCTION(NonPagedPool), SORT_FUNCTION(PeakNonPagedPool), SORT_FUNCTION(MinimumWorkingSet), SORT_FUNCTION(MaximumWorkingSet), SORT_FUNCTION(PrivateBytesDelta), SORT_FUNCTION(Subsystem), SORT_FUNCTION(PackageName), SORT_FUNCTION(AppId), SORT_FUNCTION(DpiAwareness), SORT_FUNCTION(CfGuard), SORT_FUNCTION(TimeStamp), SORT_FUNCTION(FileModifiedTime), SORT_FUNCTION(FileSize), SORT_FUNCTION(Subprocesses), SORT_FUNCTION(JobObjectId), SORT_FUNCTION(Protection), SORT_FUNCTION(DesktopInfo), SORT_FUNCTION(Critical), SORT_FUNCTION(HexPid), SORT_FUNCTION(CpuCore), SORT_FUNCTION(Cet), SORT_FUNCTION(ImageCoherency), SORT_FUNCTION(ErrorMode), SORT_FUNCTION(CodePage), SORT_FUNCTION(StartTime), // Timeline SORT_FUNCTION(PowerThrottling), SORT_FUNCTION(Architecture), SORT_FUNCTION(ParentPid), SORT_FUNCTION(ParentConsolePid), SORT_FUNCTION(SharedCommit), SORT_FUNCTION(PriorityBoost), SORT_FUNCTION(CpuAverage), SORT_FUNCTION(CpuKernel), SORT_FUNCTION(CpuUser), SORT_FUNCTION(GrantedAccess), SORT_FUNCTION(TlsBitmapDelta), SORT_FUNCTION(ReferenceDelta), SORT_FUNCTION(LxssPid), SORT_FUNCTION(StartKey), SORT_FUNCTION(MitigationPolicies), SORT_FUNCTION(Services), }; int (__cdecl *sortFunction)(const void *, const void *); static_assert(RTL_NUMBER_OF(sortFunctions) == PHPRTLC_MAXIMUM, "SortFunctions must equal maximum."); if (!PhCmForwardSort( (PPH_TREENEW_NODE *)sortList->Items, sortList->Count, sortColumn, sortOrder, &ProcessTreeListCm )) { if (sortColumn < PHPRTLC_MAXIMUM) sortFunction = sortFunctions[sortColumn]; else sortFunction = NULL; if (sortFunction) { qsort(sortList->Items, sortList->Count, sizeof(PVOID), sortFunction); } } } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPH_PROCESS_NODE)isLeaf->Node; if (PhCsSortChildProcesses || ProcessTreeListSortOrder == NoSortOrder) isLeaf->IsLeaf = node->Children->Count == 0; else isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PPH_PROCESS_ITEM processItem; node = (PPH_PROCESS_NODE)getCellText->Node; processItem = node->ProcessItem; switch (getCellText->Id) { case PHPRTLC_NAME: getCellText->Text = PhGetStringRef(processItem->ProcessName); break; case PHPRTLC_PID: { if (PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) { PhInitializeStringRefLongHint(&getCellText->Text, processItem->ProcessIdString); } } break; case PHPRTLC_CPU: { FLOAT cpuUsage = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeFloat, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, CpuUsage), &cpuUsage); cpuUsage *= 100; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; SIZE_T returnLength; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(&format, 1, node->CpuUsageText, sizeof(node->CpuUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); // minus null terminator } } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; SIZE_T returnLength; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(format, 2, node->CpuUsageText, sizeof(node->CpuUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } break; case PHPRTLC_IOTOTALRATE: { ULONG64 number = 0; if (processItem->IoReadDelta.Delta != processItem->IoReadDelta.Value) // delta is wrong on first run of process provider { PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number); PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number); PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number); number *= 1000; number /= PhCsUpdateInterval; } if (number != 0) { PH_FORMAT format[2]; PhInitFormatSize(&format[0], number); PhInitFormatS(&format[1], L"/s"); PhMoveReference(&node->IoTotalRateText, PhFormat(format, 2, 0)); getCellText->Text = node->IoTotalRateText->sr; } } break; case PHPRTLC_PRIVATEBYTES: { SIZE_T value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PagefileUsage), &value); if (value != 0) { PhMoveReference(&node->PrivateBytesText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->PrivateBytesText); } } break; case PHPRTLC_USERNAME: { getCellText->Text = PhGetStringRef(processItem->UserName); } break; case PHPRTLC_DESCRIPTION: { getCellText->Text = PhGetStringRef(processItem->VersionInfo.FileDescription); } break; case PHPRTLC_COMPANYNAME: { getCellText->Text = PhGetStringRef(processItem->VersionInfo.CompanyName); } break; case PHPRTLC_VERSION: { getCellText->Text = PhGetStringRef(processItem->VersionInfo.FileVersion); } break; case PHPRTLC_FILENAME: { if (processItem->FileName) { PhMoveReference(&node->FileNameWin32, PhGetFileName(processItem->FileName)); } if (node->FileNameWin32) getCellText->Text = PhGetStringRef(node->FileNameWin32); else getCellText->Text = PhGetStringRef(processItem->FileName); } break; case PHPRTLC_COMMANDLINE: { getCellText->Text = PhGetStringRef(processItem->CommandLine); } break; case PHPRTLC_PEAKPRIVATEBYTES: { if (processItem->VmCounters.PeakPagefileUsage != 0) { PhMoveReference(&node->PeakPrivateBytesText, PhFormatSize(processItem->VmCounters.PeakPagefileUsage, ULONG_MAX)); getCellText->Text = node->PeakPrivateBytesText->sr; } } break; case PHPRTLC_WORKINGSET: { SIZE_T value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.WorkingSetSize), &value); if (value != 0) { PhMoveReference(&node->WorkingSetText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->WorkingSetText->sr; } } break; case PHPRTLC_PEAKWORKINGSET: { PhMoveReference(&node->PeakWorkingSetText, PhFormatSize(processItem->VmCounters.PeakWorkingSetSize, ULONG_MAX)); getCellText->Text = node->PeakWorkingSetText->sr; } break; case PHPRTLC_PRIVATEWS: { SIZE_T value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, WorkingSetPrivateSize), &value); if (value != 0) { PhMoveReference(&node->PrivateWsText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->PrivateWsText->sr; } } break; case PHPRTLC_SHAREDWS: { PhpUpdateProcessNodeWsCounters(node); PhMoveReference(&node->SharedWsText, PhFormatSize((ULONG64)node->WsCounters.NumberOfSharedPages * PAGE_SIZE, ULONG_MAX)); getCellText->Text = node->SharedWsText->sr; } break; case PHPRTLC_SHAREABLEWS: { PhpUpdateProcessNodeWsCounters(node); PhMoveReference(&node->ShareableWsText, PhFormatSize((ULONG64)node->WsCounters.NumberOfShareablePages * PAGE_SIZE, ULONG_MAX)); getCellText->Text = node->ShareableWsText->sr; } break; case PHPRTLC_VIRTUALSIZE: { SIZE_T value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.VirtualSize), &value); if (value != 0) { PhMoveReference(&node->VirtualSizeText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->VirtualSizeText->sr; } } break; case PHPRTLC_PEAKVIRTUALSIZE: { PhMoveReference(&node->PeakVirtualSizeText, PhFormatSize(processItem->VmCounters.PeakVirtualSize, ULONG_MAX)); getCellText->Text = node->PeakVirtualSizeText->sr; } break; case PHPRTLC_PAGEFAULTS: { ULONG value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PageFaultCount), &value); if (value != 0) { PhMoveReference(&node->PageFaultsText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->PageFaultsText->sr; } } break; case PHPRTLC_SESSIONID: { PhMoveReference(&node->SessionIdText, PhFormatUInt64(processItem->SessionId, TRUE)); getCellText->Text = node->SessionIdText->sr; } break; case PHPRTLC_PRIORITYCLASS: { if (processItem->PriorityClass != PROCESS_PRIORITY_CLASS_UNKNOWN) { PCPH_STRINGREF string; if (string = PhGetProcessPriorityClassString(processItem->PriorityClass)) { getCellText->Text.Length = string->Length; getCellText->Text.Buffer = string->Buffer; } } } break; case PHPRTLC_BASEPRIORITY: { PhMoveReference(&node->BasePriorityText, PhFormatUInt64(processItem->BasePriority, TRUE)); getCellText->Text = node->BasePriorityText->sr; } break; case PHPRTLC_THREADS: { ULONG value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfThreads), &value); //PhpFormatInt32GroupDigits(value, node->ThreadsText, sizeof(node->ThreadsText), &getCellText->Text); if (value != 0) { PhMoveReference(&node->ThreadsText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->ThreadsText->sr; } } break; case PHPRTLC_HANDLES: { ULONG value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfHandles), &value); //PhpFormatInt32GroupDigits(value, node->HandlesText, sizeof(node->HandlesText), &getCellText->Text); if (value != 0) { PhMoveReference(&node->HandlesText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->HandlesText->sr; } } break; case PHPRTLC_GDIHANDLES: { ULONG value = 0; PhpUpdateProcessNodeGdiHandles(node); PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessNode, node, FIELD_OFFSET(PH_PROCESS_NODE, GdiHandles), &value); //PhpFormatInt32GroupDigits(value, node->GdiHandlesText, sizeof(node->GdiHandlesText), &getCellText->Text); if (value != 0) { PhMoveReference(&node->GdiHandlesText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->GdiHandlesText->sr; } } break; case PHPRTLC_USERHANDLES: { ULONG value = 0; PhpUpdateProcessNodeUserHandles(node); PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessNode, node, FIELD_OFFSET(PH_PROCESS_NODE, UserHandles), &value); //PhpFormatInt32GroupDigits(value, node->UserHandlesText, sizeof(node->UserHandlesText), &getCellText->Text); if (value != 0) { PhMoveReference(&node->UserHandlesText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->UserHandlesText->sr; } } break; case PHPRTLC_IORORATE: { ULONG64 number = 0; if (processItem->IoReadDelta.Delta != processItem->IoReadDelta.Value) { PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number); PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number); number *= 1000; number /= PhCsUpdateInterval; } if (number != 0) { PH_FORMAT format[2]; PhInitFormatSize(&format[0], number); PhInitFormatS(&format[1], L"/s"); PhMoveReference(&node->IoRoRateText, PhFormat(format, 2, 0)); getCellText->Text = node->IoRoRateText->sr; } } break; case PHPRTLC_IOWRATE: { ULONG64 number = 0; if (processItem->IoReadDelta.Delta != processItem->IoReadDelta.Value) { PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number); number *= 1000; number /= PhCsUpdateInterval; } if (number != 0) { PH_FORMAT format[2]; PhInitFormatSize(&format[0], number); PhInitFormatS(&format[1], L"/s"); PhMoveReference(&node->IoWRateText, PhFormat(format, 2, 0)); getCellText->Text = node->IoWRateText->sr; } } break; case PHPRTLC_INTEGRITY: { if (processItem->IntegrityString) { getCellText->Text.Buffer = processItem->IntegrityString->Buffer; getCellText->Text.Length = processItem->IntegrityString->Length; } else { if (!PH_IS_REAL_PROCESS_ID(processItem->ProcessId) || processItem->ProcessId == SYSTEM_PROCESS_ID) { static CONST PH_STRINGREF integrityLevelSystemString = PH_STRINGREF_INIT(L"System"); getCellText->Text.Buffer = integrityLevelSystemString.Buffer; getCellText->Text.Length = integrityLevelSystemString.Length; } } } break; case PHPRTLC_IOPRIORITY: { PhpUpdateProcessNodeIoPagePriority(node); if (node->IoPriority != ULONG_MAX && node->IoPriority >= IoPriorityVeryLow && node->IoPriority < MaxIoPriorityTypes) { const PH_STRINGREF ioPriority = PhIoPriorityHintNames[node->IoPriority]; getCellText->Text.Buffer = ioPriority.Buffer; getCellText->Text.Length = ioPriority.Length; } } break; case PHPRTLC_PAGEPRIORITY: { PhpUpdateProcessNodeIoPagePriority(node); if (node->PagePriority != ULONG_MAX && node->PagePriority <= MEMORY_PRIORITY_NORMAL) { const PH_STRINGREF pagePriority = PhPagePriorityNames[node->PagePriority]; getCellText->Text.Buffer = pagePriority.Buffer; getCellText->Text.Length = pagePriority.Length; } } break; case PHPRTLC_STARTTIME: { if (processItem->CreateTime.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &processItem->CreateTime); PhMoveReference(&node->StartTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = node->StartTimeText->sr; } } break; case PHPRTLC_TOTALCPUTIME: { SIZE_T returnLength; WCHAR totalCpuTimeText[PH_TIMESPAN_STR_LEN_1]; if (PhPrintTimeSpanToBuffer( processItem->KernelTime.QuadPart + processItem->UserTime.QuadPart, PH_TIMESPAN_DHMSM, totalCpuTimeText, sizeof(totalCpuTimeText), &returnLength )) { PH_STRINGREF string = { .Buffer = totalCpuTimeText, .Length = returnLength - sizeof(UNICODE_NULL) }; PhMoveReference(&node->TotalCpuTimeText, PhCreateString2(&string)); getCellText->Text = node->TotalCpuTimeText->sr; } } break; case PHPRTLC_KERNELCPUTIME: { SIZE_T returnLength; WCHAR kernelCpuTimeText[PH_TIMESPAN_STR_LEN_1]; if (PhPrintTimeSpanToBuffer( processItem->KernelTime.QuadPart, PH_TIMESPAN_DHMSM, kernelCpuTimeText, sizeof(kernelCpuTimeText), &returnLength )) { PH_STRINGREF string = { .Buffer = kernelCpuTimeText, .Length = returnLength - sizeof(UNICODE_NULL) }; PhMoveReference(&node->KernelCpuTimeText, PhCreateString2(&string)); getCellText->Text = node->KernelCpuTimeText->sr; } } break; case PHPRTLC_USERCPUTIME: { SIZE_T returnLength; WCHAR userCpuTimeText[PH_TIMESPAN_STR_LEN_1]; if (PhPrintTimeSpanToBuffer( processItem->UserTime.QuadPart, PH_TIMESPAN_DHMSM, userCpuTimeText, sizeof(userCpuTimeText), &returnLength )) { PH_STRINGREF string = { .Buffer = userCpuTimeText, .Length = returnLength - sizeof(UNICODE_NULL) }; PhMoveReference(&node->UserCpuTimeText, PhCreateString2(&string)); getCellText->Text = node->UserCpuTimeText->sr; } } break; case PHPRTLC_VERIFICATIONSTATUS: { if (PhEnableProcessQueryStage2) getCellText->Text = PhVerifyResultToStringRef(processItem->VerifyResult); else PhInitializeStringRef(&getCellText->Text, L"Image digital signature support disabled."); } break; case PHPRTLC_VERIFIEDSIGNER: { if (PhEnableProcessQueryStage2) getCellText->Text = PhGetStringRef(processItem->VerifySignerName); else PhInitializeStringRef(&getCellText->Text, L"Image digital signature support disabled."); } break; case PHPRTLC_ASLR: { PhpUpdateProcessNodeImage(node); if (FlagOn(node->ImageDllCharacteristics, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) PhInitializeStringRef(&getCellText->Text, L"ASLR"); else PhInitializeEmptyStringRef(&getCellText->Text); } break; case PHPRTLC_RELATIVESTARTTIME: { if (processItem->CreateTime.QuadPart != 0) { LARGE_INTEGER currentTime; PhQuerySystemTime(¤tTime); if (PhGetIntegerSetting(SETTING_ENABLE_SHORT_RELATIVE_START_TIME)) { if (processItem->CreateTime.QuadPart < currentTime.QuadPart) { ULONG64 relativeCreateTime = currentTime.QuadPart - processItem->CreateTime.QuadPart; PhMoveReference(&node->RelativeStartTimeText, PhFormatTimeSpan(relativeCreateTime, PH_TIMESPAN_DHMS)); } else { PhMoveReference(&node->RelativeStartTimeText, PhCreateString(L"\u221E")); } } else { PPH_STRING startTimeString; if (processItem->CreateTime.QuadPart < currentTime.QuadPart) { startTimeString = PhFormatTimeSpanRelative(currentTime.QuadPart - processItem->CreateTime.QuadPart); PhMoveReference(&node->RelativeStartTimeText, PhConcatStringRefZ(&startTimeString->sr, L" ago")); PhDereferenceObject(startTimeString); } else { PhMoveReference(&node->RelativeStartTimeText, PhCreateString(L"\u221E")); } } getCellText->Text = node->RelativeStartTimeText->sr; } } break; case PHPRTLC_BITS: { #ifdef _WIN64 PhInitializeStringRef(&getCellText->Text, processItem->IsWow64Process ? L"32" : L"64"); #else PhInitializeStringRef(&getCellText->Text, L"32"); #endif } break; case PHPRTLC_ELEVATION: { PCPH_STRINGREF elevationType; if (PhGetElevationTypeString(!!processItem->IsElevated, processItem->ElevationType, &elevationType)) { getCellText->Text.Buffer = elevationType->Buffer; getCellText->Text.Length = elevationType->Length; } } break; case PHPRTLC_WINDOWTITLE: { PhpUpdateProcessNodeWindow(node); PhSwapReference(&node->WindowTitleText, node->WindowText); getCellText->Text = PhGetStringRef(node->WindowTitleText); } break; case PHPRTLC_WINDOWSTATUS: { PhpUpdateProcessNodeWindow(node); if (node->WindowHandle) { PhInitializeStringRef(&getCellText->Text, node->WindowHung ? L"Not responding" : L"Running"); } } break; case PHPRTLC_CYCLES: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Value), &value); if (value != 0) { PhMoveReference(&node->CyclesText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->CyclesText->sr; } } break; case PHPRTLC_CYCLESDELTA: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Delta), &value); if (value != 0) { PhMoveReference(&node->CyclesDeltaText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->CyclesDeltaText->sr; } } break; case PHPRTLC_DEP: { PH_STRING_BUILDER sb; PhpUpdateProcessNodeDepStatus(node); PhInitializeStringBuilder(&sb, 20); if (FlagOn(node->DepStatus, PH_PROCESS_DEP_ENABLED)) { if (FlagOn(node->DepStatus, PH_PROCESS_DEP_PERMANENT)) PhAppendStringBuilder2(&sb, L"DEP (permanent), "); else PhAppendStringBuilder2(&sb, L"DEP, "); } if (FlagOn(node->DepStatus, PH_PROCESS_DEP_ATL_THUNK_EMULATION_DISABLED)) PhAppendStringBuilder2(&sb, L"ATL emulation, "); if (FlagOn(node->DepStatus, PH_PROCESS_DEP_EXECUTE_ENABLED)) PhAppendStringBuilder2(&sb, L"Execute enabled, "); if (FlagOn(node->DepStatus, PH_PROCESS_DEP_IMAGE_ENABLED)) PhAppendStringBuilder2(&sb, L"Image enabled, "); if (FlagOn(node->DepStatus, PH_PROCESS_DEP_DISABLE_EXCEPTION_CHAIN)) PhAppendStringBuilder2(&sb, L"Chain disabled, "); if (PhEndsWithString2(sb.String, L", ", FALSE)) PhRemoveEndStringBuilder(&sb, 2); PhMoveReference(&node->DepStatusText, PhFinalStringBuilderString(&sb)); getCellText->Text = node->DepStatusText->sr; } break; case PHPRTLC_VIRTUALIZED: { PhpUpdateProcessNodeToken(node); if (node->VirtualizationEnabled) PhInitializeStringRef(&getCellText->Text, L"Virtualized"); else PhInitializeEmptyStringRef(&getCellText->Text); } break; case PHPRTLC_CONTEXTSWITCHES: { ULONG value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Value), &value); if (value != 0) { PhMoveReference(&node->ContextSwitchesText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->ContextSwitchesText->sr; } } break; case PHPRTLC_CONTEXTSWITCHESDELTA: { if ((LONG)processItem->ContextSwitchesDelta.Delta >= 0) // the delta may be negative if a thread exits - just don't show anything { ULONG value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Delta), &value); if (value != 0) { PhMoveReference(&node->ContextSwitchesDeltaText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->ContextSwitchesDeltaText->sr; } } } break; case PHPRTLC_PAGEFAULTSDELTA: { ULONG value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt32, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, PageFaultsDelta.Delta), &value); if (value != 0) { PhMoveReference(&node->PageFaultsDeltaText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->PageFaultsDeltaText->sr; } } break; case PHPRTLC_IOREADS: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Value), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[0], PhFormatUInt64(value, TRUE)); getCellText->Text = node->IoGroupText[0]->sr; } } break; case PHPRTLC_IOWRITES: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Value), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[1], PhFormatUInt64(value, TRUE)); getCellText->Text = node->IoGroupText[1]->sr; } } break; case PHPRTLC_IOOTHER: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Value), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[2], PhFormatUInt64(value, TRUE)); getCellText->Text = node->IoGroupText[2]->sr; } } break; case PHPRTLC_IOREADBYTES: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Value), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[3], PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->IoGroupText[3]->sr; } } break; case PHPRTLC_IOWRITEBYTES: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Value), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[4], PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->IoGroupText[4]->sr; } } break; case PHPRTLC_IOOTHERBYTES: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Value), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[5], PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->IoGroupText[5]->sr; } } break; case PHPRTLC_IOREADSDELTA: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Delta), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[6], PhFormatUInt64(value, TRUE)); getCellText->Text = node->IoGroupText[6]->sr; } } break; case PHPRTLC_IOWRITESDELTA: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Delta), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[7], PhFormatUInt64(value, TRUE)); getCellText->Text = node->IoGroupText[7]->sr; } } break; case PHPRTLC_IOOTHERDELTA: { ULONG64 value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeInt64, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Delta), &value); if (value != 0) { PhMoveReference(&node->IoGroupText[8], PhFormatUInt64(value, TRUE)); getCellText->Text = node->IoGroupText[8]->sr; } } break; case PHPRTLC_OSCONTEXT: { PhpUpdateProcessOsContext(node); switch (node->OsContextVersion) { case WINDOWS_10: PhInitializeStringRef(&getCellText->Text, L"Windows 10"); break; case WINDOWS_8_1: PhInitializeStringRef(&getCellText->Text, L"Windows 8.1"); break; case WINDOWS_8: PhInitializeStringRef(&getCellText->Text, L"Windows 8"); break; case WINDOWS_7: PhInitializeStringRef(&getCellText->Text, L"Windows 7"); break; case WINDOWS_VISTA: PhInitializeStringRef(&getCellText->Text, L"Windows Vista"); break; case WINDOWS_XP: PhInitializeStringRef(&getCellText->Text, L"Windows XP"); break; } } break; case PHPRTLC_PAGEDPOOL: { SIZE_T value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaPagedPoolUsage), &value); if (value != 0) { PhMoveReference(&node->PagedPoolText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->PagedPoolText->sr; } } break; case PHPRTLC_PEAKPAGEDPOOL: { PhMoveReference(&node->PeakPagedPoolText, PhFormatSize(processItem->VmCounters.QuotaPeakPagedPoolUsage, ULONG_MAX)); getCellText->Text = node->PeakPagedPoolText->sr; } break; case PHPRTLC_NONPAGEDPOOL: { SIZE_T value = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaNonPagedPoolUsage), &value); if (value != 0) { PhMoveReference(&node->NonPagedPoolText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->NonPagedPoolText->sr; } } break; case PHPRTLC_PEAKNONPAGEDPOOL: { if (processItem->VmCounters.QuotaPeakNonPagedPoolUsage != 0) { PhMoveReference(&node->PeakNonPagedPoolText, PhFormatSize(processItem->VmCounters.QuotaPeakNonPagedPoolUsage, ULONG_MAX)); getCellText->Text = node->PeakNonPagedPoolText->sr; } } break; case PHPRTLC_MINIMUMWORKINGSET: { SIZE_T value = 0; PhpUpdateProcessNodeQuotaLimits(node); PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessNode, node, FIELD_OFFSET(PH_PROCESS_NODE, MinimumWorkingSetSize), &value); if (value != 0) { PhMoveReference(&node->MinimumWorkingSetText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->MinimumWorkingSetText->sr; } } break; case PHPRTLC_MAXIMUMWORKINGSET: { SIZE_T value = 0; PhpUpdateProcessNodeQuotaLimits(node); PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessNode, node, FIELD_OFFSET(PH_PROCESS_NODE, MaximumWorkingSetSize), &value); if (value != 0) { PhMoveReference(&node->MaximumWorkingSetText, PhFormatSize(value, ULONG_MAX)); getCellText->Text = node->MaximumWorkingSetText->sr; } } break; case PHPRTLC_PRIVATEBYTESDELTA: { LONG_PTR delta = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeIntPtr, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, PrivateBytesDelta.Delta), &delta); if (delta != 0) { PH_FORMAT format[2]; if (delta > 0) { PhInitFormatC(&format[0], L'+'); } else { PhInitFormatC(&format[0], L'-'); delta = -delta; } format[1].Type = SizeFormatType | FormatUseRadix; format[1].Radix = (UCHAR)PhMaxSizeUnit; format[1].u.Size = delta; PhMoveReference(&node->PrivateBytesDeltaText, PhFormat(format, 2, 0)); getCellText->Text = node->PrivateBytesDeltaText->sr; } } break; case PHPRTLC_SUBSYSTEM: { PhpUpdateProcessNodeImage(node); switch (node->ImageSubsystem) { case 0: break; case IMAGE_SUBSYSTEM_NATIVE: PhInitializeStringRef(&getCellText->Text, L"Native"); break; case IMAGE_SUBSYSTEM_WINDOWS_GUI: PhInitializeStringRef(&getCellText->Text, L"Windows"); break; case IMAGE_SUBSYSTEM_WINDOWS_CUI: PhInitializeStringRef(&getCellText->Text, L"Console"); break; case IMAGE_SUBSYSTEM_OS2_CUI: PhInitializeStringRef(&getCellText->Text, L"OS/2"); break; case IMAGE_SUBSYSTEM_POSIX_CUI: PhInitializeStringRef(&getCellText->Text, L"POSIX"); break; default: PhInitializeStringRef(&getCellText->Text, L"Unknown"); break; } } break; case PHPRTLC_PACKAGENAME: { getCellText->Text = PhGetStringRef(processItem->PackageFullName); } break; case PHPRTLC_APPID: { PhpUpdateProcessNodeAppId(node); getCellText->Text = PhGetStringRef(node->AppIdText); } break; case PHPRTLC_DPIAWARENESS: { PhpUpdateProcessNodeDpiAwareness(node); switch (node->DpiAwareness) { case PH_PROCESS_DPI_AWARENESS_UNAWARE + 1: PhInitializeStringRef(&getCellText->Text, L"Unaware"); break; case PH_PROCESS_DPI_AWARENESS_SYSTEM_DPI_AWARE + 1: PhInitializeStringRef(&getCellText->Text, L"System aware"); break; case PH_PROCESS_DPI_AWARENESS_PER_MONITOR_DPI_AWARE + 1: PhInitializeStringRef(&getCellText->Text, L"Per-monitor aware"); break; case PH_PROCESS_DPI_AWARENESS_PER_MONITOR_AWARE_V2 + 1: PhInitializeStringRef(&getCellText->Text, L"Per-monitor V2"); break; case PH_PROCESS_DPI_AWARENESS_UNAWARE_GDISCALED + 1: PhInitializeStringRef(&getCellText->Text, L"Unaware (GDI scaled)"); break; } } break; case PHPRTLC_CFGUARD: { if (processItem->IsXfgAuditEnabled) PhInitializeStringRef(&getCellText->Text, L"XF Guard (audit)"); else if (processItem->IsXfgEnabled) PhInitializeStringRef(&getCellText->Text, L"XF Guard"); else if (processItem->IsControlFlowGuardEnabled) PhInitializeStringRef(&getCellText->Text, L"CF Guard"); else PhInitializeEmptyStringRef(&getCellText->Text); } break; case PHPRTLC_TIMESTAMP: { PhpUpdateProcessNodeImage(node); if (node->ImageTimeDateStamp != 0) { LARGE_INTEGER time; SYSTEMTIME systemTime; PhSecondsSince1970ToTime(node->ImageTimeDateStamp, &time); PhLargeIntegerToLocalSystemTime(&systemTime, &time); PhMoveReference(&node->TimeStampText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(node->TimeStampText); } } break; case PHPRTLC_FILEMODIFIEDTIME: { PhpUpdateProcessNodeFileAttributes(node); if (node->FileLastWriteTime.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &node->FileLastWriteTime); PhMoveReference(&node->FileModifiedTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(node->FileModifiedTimeText); } } break; case PHPRTLC_FILESIZE: { PhpUpdateProcessNodeFileAttributes(node); if (node->FileEndOfFile.QuadPart != 0) { PhMoveReference(&node->FileSizeText, PhFormatSize(node->FileEndOfFile.QuadPart, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->FileSizeText); } } break; case PHPRTLC_SUBPROCESSCOUNT: { if (node->Children && node->Children->Count != 0) { PhMoveReference(&node->SubprocessCountText, PhFormatUInt64(node->Children->Count, TRUE)); getCellText->Text = PhGetStringRef(node->SubprocessCountText); } } break; case PHPRTLC_JOBOBJECTID: { if (processItem->JobObjectId != 0) { PhMoveReference(&node->JobObjectIdText, PhFormatUInt64(processItem->JobObjectId, TRUE)); getCellText->Text = PhGetStringRef(node->JobObjectIdText); } } break; case PHPRTLC_PROTECTION: { if (processItem->Protection.Level || processItem->IsSecureProcess || processItem->IsProtectedProcess) { PhMoveReference(&node->ProtectionText, PhGetProcessProtectionString( processItem->Protection, (BOOLEAN)processItem->IsSecureProcess )); getCellText->Text = PhGetStringRef(node->ProtectionText); } } break; case PHPRTLC_DESKTOP: { PhpUpdateProcessNodeDesktopInfo(node); getCellText->Text = PhGetStringRef(node->DesktopInfoText); } break; case PHPRTLC_CRITICAL: { PhpUpdateProcessBreakOnTermination(node); if (node->BreakOnTerminationEnabled) { PhInitializeStringRef(&getCellText->Text, L"Critical"); } } break; case PHPRTLC_PIDHEX: { if (PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) { PhInitializeStringRefLongHint(&getCellText->Text, processItem->ProcessIdHexString); } } break; case PHPRTLC_CPUCORECYCLES: { FLOAT cpuUsage = 0; PhpAggregateFieldIfNeeded(node, AggregateTypeFloat, AggregateProcessItem, processItem, FIELD_OFFSET(PH_PROCESS_ITEM, CpuUsage), &cpuUsage); cpuUsage *= 100; cpuUsage *= processItem->AffinityPopulationCount; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuCoreUsageText, PhFormat(&format, 1, 0)); getCellText->Text = node->CpuCoreUsageText->sr; } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuCoreUsageText, PhFormat(format, RTL_NUMBER_OF(format), 0)); getCellText->Text = node->CpuCoreUsageText->sr; } } break; case PHPRTLC_CET: { if (processItem->IsCetEnabled) { PhInitializeStringRef(&getCellText->Text, L"CET"); } } break; case PHPRTLC_IMAGE_COHERENCY: { PH_FORMAT format[2]; if (!PhEnableImageCoherencySupport) { PhInitializeStringRef(&getCellText->Text, L"Image coherency support is disabled."); break; } if (processItem->ImageCoherencyStatus == STATUS_PENDING) { PhInitializeStringRef(&getCellText->Text, L"Scanning...."); break; } if (!PhpShouldShowImageCoherency(processItem, FALSE)) { if (processItem->ImageCoherencyStatus != STATUS_SUCCESS) { PhMoveReference( &node->ImageCoherencyStatusText, PhGetStatusMessage(processItem->ImageCoherencyStatus, 0) ); getCellText->Text = PhGetStringRef(node->ImageCoherencyStatusText); } break; } if (processItem->ImageCoherency == 1.0f) { PhInitializeStringRef(&getCellText->Text, L"100%"); break; } if (processItem->ImageCoherency > 0.9999f) { PhInitializeStringRef(&getCellText->Text, L">99.99%"); break; } PhInitFormatF(&format[0], (processItem->ImageCoherency * 100.f), PhMaxPrecisionUnit); PhInitFormatS(&format[1], L"%"); PhMoveReference(&node->ImageCoherencyText, PhFormat(format, RTL_NUMBER_OF(format), 0)); getCellText->Text = node->ImageCoherencyText->sr; } break; case PHPRTLC_ERRORMODE: { PhpUpdateProcessNodeErrorMode(node); getCellText->Text = PhGetStringRef(node->ErrorModeText); } break; case PHPRTLC_CODEPAGE: { PhpUpdateProcessNodeCodePage(node); if (node->CodePage != 0) { PhMoveReference(&node->CodePageText, PhFormatUInt64(node->CodePage, FALSE)); getCellText->Text = node->CodePageText->sr; } } break; case PHPRTLC_POWERTHROTTLING: { PhpUpdateProcessNodePowerThrottling(node); if (node->PowerThrottling) { PhInitializeStringRef(&getCellText->Text, L"Yes"); } } break; case PHPRTLC_ARCHITECTURE: { PhpUpdateProcessNodeImage(node); // Use Architecture from PhGetProcessArchitecture if we have it, this supports // cases where the process is executing as a different architecture than the // image it was loaded from (ARM64X or .NET). if (node->Architecture != IMAGE_FILE_MACHINE_UNKNOWN) { switch (node->Architecture) { case IMAGE_FILE_MACHINE_I386: PhInitializeStringRef(&getCellText->Text, L"x86"); break; case IMAGE_FILE_MACHINE_AMD64: #ifdef _ARM64_ PhInitializeStringRef(&getCellText->Text, node->ImageCHPEVersion ? L"x64 (ARM64X)" : L"x64"); #else PhInitializeStringRef(&getCellText->Text, L"x64"); #endif break; case IMAGE_FILE_MACHINE_ARMNT: PhInitializeStringRef(&getCellText->Text, L"ARM"); break; case IMAGE_FILE_MACHINE_ARM64: #ifdef _ARM64_ PhInitializeStringRef(&getCellText->Text, node->ImageCHPEVersion ? L"ARM64 (ARM64X)" : L"ARM64"); #else PhInitializeStringRef(&getCellText->Text, L"ARM64"); #endif break; } } else { switch (node->ImageMachine) { case IMAGE_FILE_MACHINE_I386: PhInitializeStringRef(&getCellText->Text, L"x86"); break; case IMAGE_FILE_MACHINE_AMD64: #ifdef _ARM64_ PhInitializeStringRef(&getCellText->Text, node->ImageCHPEVersion ? L"x64 (ARM64X)" : L"x64"); #else PhInitializeStringRef(&getCellText->Text, L"x64"); #endif break; case IMAGE_FILE_MACHINE_ARMNT: PhInitializeStringRef(&getCellText->Text, L"ARM"); break; case IMAGE_FILE_MACHINE_ARM64: #ifdef _ARM64_ PhInitializeStringRef(&getCellText->Text, node->ImageCHPEVersion ? L"ARM64 (ARM64X)" : L"ARM64"); #else PhInitializeStringRef(&getCellText->Text, L"ARM64"); #endif break; } } break; } break; case PHPRTLC_PARENTPID: { if (PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) { PH_FORMAT format; PhInitFormatU(&format, HandleToUlong(processItem->ParentProcessId)); PhMoveReference(&node->ParentPidText, PhFormat(&format, 1, 0)); getCellText->Text = node->ParentPidText->sr; } } break; case PHPRTLC_PARENTCONSOLEPID: { PH_FORMAT format; PhInitFormatU(&format, HandleToUlong((HANDLE)((ULONG_PTR)processItem->ConsoleHostProcessId & ~3))); PhMoveReference(&node->ParentConsolePidText, PhFormat(&format, 1, 0)); getCellText->Text = node->ParentConsolePidText->sr; } break; case PHPRTLC_COMMITSIZE: { if (processItem->SharedCommitCharge != 0) { PhMoveReference(&node->SharedCommitText, PhFormatSize(processItem->SharedCommitCharge, ULONG_MAX)); getCellText->Text = node->SharedCommitText->sr; } } break; case PHPRTLC_PRIORITYBOOST: { PhpUpdateProcessNodePriorityBoost(node); if (node->PriorityBoost) { PhInitializeStringRef(&getCellText->Text, L"Yes"); } } break; case PHPRTLC_CPUAVERAGE: { FLOAT cpuUsage; cpuUsage = processItem->CpuAverageUsage * 100; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuAverageText, PhFormat(&format, 1, 0)); getCellText->Text = node->CpuAverageText->sr; } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuAverageText, PhFormat(format, 2, 0)); getCellText->Text = node->CpuAverageText->sr; } } break; case PHPRTLC_CPUKERNEL: { FLOAT cpuUsage; cpuUsage = processItem->CpuKernelUsage * 100; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuKernelText, PhFormat(&format, 1, 0)); getCellText->Text = node->CpuKernelText->sr; } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuKernelText, PhFormat(format, RTL_NUMBER_OF(format), 0)); getCellText->Text = node->CpuKernelText->sr; } } break; case PHPRTLC_CPUUSER: { FLOAT cpuUsage; cpuUsage = processItem->CpuUserUsage * 100; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuUserText, PhFormat(&format, 1, 0)); getCellText->Text = node->CpuUserText->sr; } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); PhMoveReference(&node->CpuUserText, PhFormat(format, RTL_NUMBER_OF(format), 0)); getCellText->Text = node->CpuUserText->sr; } } break; case PHPRTLC_GRANTEDACCESS: { PhpUpdateProcessNodeGrantedAccess(node); getCellText->Text = PhGetStringRef(node->GrantedAccessText); } break; case PHPRTLC_TLSBITMAPDELTA: { PhpUpdateProcessNodeTlsBitmapDelta(node); if (node->TlsBitmapCount != 0) { if (node->TlsBitmapCount > TLS_MINIMUM_AVAILABLE) { PH_FORMAT format[8]; // 64 (100%) | 1024 (100%) PhInitFormatU(&format[0], 64); PhInitFormatS(&format[1], L" ("); PhInitFormatF(&format[2], 100.0f, 2); PhInitFormatS(&format[3], L"%) | "); PhInitFormatU(&format[4], node->TlsBitmapCount - TLS_MINIMUM_AVAILABLE); PhInitFormatS(&format[5], L" ("); PhInitFormatF(&format[6], (node->TlsBitmapCount - TLS_MINIMUM_AVAILABLE) * 100.f / TLS_EXPANSION_SLOTS, 2); PhInitFormatS(&format[7], L"%)"); PhMoveReference(&node->TlsBitmapDeltaText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } else { PH_FORMAT format[8]; // 64 (100%) | 0 (0%) PhInitFormatU(&format[0], node->TlsBitmapCount); PhInitFormatS(&format[1], L" ("); PhInitFormatF(&format[2], node->TlsBitmapCount * 100.f / TLS_MINIMUM_AVAILABLE, 2); PhInitFormatS(&format[3], L"%) | "); PhInitFormatU(&format[4], 0); PhInitFormatS(&format[5], L" ("); PhInitFormatF(&format[6], 0.0f, 2); PhInitFormatS(&format[7], L"%)"); PhMoveReference(&node->TlsBitmapDeltaText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } getCellText->Text = PhGetStringRef(node->TlsBitmapDeltaText); } } break; case PHPRTLC_REFERENCEDELTA: { PhpUpdateProcessNodeObjectReferences(node); if (node->ReferenceCount != 0) { PhMoveReference(&node->ReferenceCountText, PhFormatUInt64(node->ReferenceCount, FALSE)); getCellText->Text = PhGetStringRef(node->ReferenceCountText); } } break; case PHPRTLC_LXSSPID: { if (processItem->LxssProcessId != 0) { PhMoveReference(&node->LxssProcessIdText, PhFormatUInt64(processItem->LxssProcessId, FALSE)); getCellText->Text = PhGetStringRef(node->LxssProcessIdText); } } break; case PHPRTLC_START_KEY: { PhpUpdateProcessNodeStartKey(node); if (node->ProcessStartKey != 0) { getCellText->Text = PhGetStringRef(node->ProcessStartKeyText); } } break; case PHPRTLC_MITIGATION_POLICIES: { PhpUpdateProcessNodeMitigationPolicies(node); if (node->MitigationPoliciesText) { getCellText->Text = PhGetStringRef(node->MitigationPoliciesText); } } break; case PHPRTLC_SERVICES: { PhpUpdateProcessNodeServices(node); if (node->ServicesText) { getCellText->Text = PhGetStringRef(node->ServicesText); } } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; PPH_PROCESS_ITEM processItem; node = (PPH_PROCESS_NODE)getNodeColor->Node; processItem = node->ProcessItem; if (PhPluginsEnabled) { PH_PLUGIN_GET_HIGHLIGHTING_COLOR getHighlightingColor; getHighlightingColor.Parameter = processItem; getHighlightingColor.BackColor = RGB(0xff, 0xff, 0xff); getHighlightingColor.ForeColor = RGB(0x00, 0x00, 0x00); getHighlightingColor.Handled = FALSE; getHighlightingColor.Cache = FALSE; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackGetProcessHighlightingColor), &getHighlightingColor); if (getHighlightingColor.Handled) { getNodeColor->BackColor = getHighlightingColor.BackColor; getNodeColor->ForeColor = getHighlightingColor.ForeColor; if (!getNodeColor->ForeColor) getNodeColor->Flags |= TN_AUTO_FORECOLOR; if (getHighlightingColor.Cache) getNodeColor->Flags |= TN_CACHE; return TRUE; } } getNodeColor->Flags = TN_CACHE | TN_AUTO_FORECOLOR; if (!processItem) ; // Dummy else if (PhCsUseColorDebuggedProcesses && processItem->IsBeingDebugged) getNodeColor->BackColor = PhCsColorDebuggedProcesses; else if (PhCsUseColorSuspended && (processItem->IsSuspended || processItem->IsFrozenProcess)) getNodeColor->BackColor = PhCsColorSuspended; else if (PhCsUseColorPartiallySuspended && processItem->ProcessId != SYSTEM_PROCESS_ID && processItem->IsPartiallySuspended) getNodeColor->BackColor = PhCsColorPartiallySuspended; else if (PhCsUseColorEfficiencyMode && processItem->IsPowerThrottling) getNodeColor->BackColor = PhCsColorEfficiencyMode; else if (PhCsUseColorBackgroundProcesses && PhIsProcessBackground(processItem->PriorityClass)) getNodeColor->BackColor = PhCsColorBackgroundProcesses; else if (PhCsUseColorLowImageCoherency && PhEnableImageCoherencySupport && PhpShouldShowImageCoherency(processItem, TRUE)) getNodeColor->BackColor = PhCsColorLowImageCoherency; else if (PhCsUseColorPacked && processItem->IsPacked) getNodeColor->BackColor = PhCsColorPacked; else if (PhCsUseColorProtectedProcess && processItem->Protection.Level != 0 && processItem->Protection.Level != UCHAR_MAX) getNodeColor->BackColor = PhCsColorProtectedProcess; else if (PhCsUseColorHandleFiltered && (processItem->IsProtectedHandle || processItem->ProcessId == NtCurrentProcessId())) getNodeColor->BackColor = PhCsColorHandleFiltered; else if (PhCsUseColorElevatedProcesses && processItem->IsElevated && processItem->ElevationType == TokenElevationTypeFull) getNodeColor->BackColor = PhCsColorElevatedProcesses; else if (PhCsUseColorUIAccessProcesses && processItem->IsUIAccessEnabled) getNodeColor->BackColor = PhCsColorUIAccessProcesses; else if (PhCsUseColorPicoProcesses && processItem->IsSubsystemProcess) getNodeColor->BackColor = PhCsColorPicoProcesses; else if (PhCsUseColorImmersiveProcesses && processItem->IsImmersive) getNodeColor->BackColor = PhCsColorImmersiveProcesses; else if (PhCsUseColorDotNet && processItem->IsDotNet) getNodeColor->BackColor = PhCsColorDotNet; else if (PhCsUseColorWow64Processes && processItem->IsWow64Process) getNodeColor->BackColor = PhCsColorWow64Processes; else if (PhCsUseColorJobProcesses && processItem->IsInSignificantJob) getNodeColor->BackColor = PhCsColorJobProcesses; else if ( PhCsUseColorSystemProcesses && (processItem->IsSystemProcess || (processItem->Sid && PhEqualSid(processItem->Sid, (PSID)&PhSeLocalSystemSid)) || PH_IS_FAKE_PROCESS_ID(processItem->ProcessId) || processItem->ProcessId == SYSTEM_PROCESS_ID )) getNodeColor->BackColor = PhCsColorSystemProcesses; else if ( PhCsUseColorOwnProcesses && processItem->Sid && PhEqualSid(processItem->Sid, PhGetOwnTokenAttributes().TokenSid) ) getNodeColor->BackColor = PhCsColorOwnProcesses; else if ( PhCsUseColorServiceProcesses && ((processItem->ServiceList && processItem->ServiceList->Count != 0) || (processItem->Sid && PhEqualSid(processItem->Sid, (PSID)&PhSeServiceSid)) || (processItem->Sid && PhEqualSid(processItem->Sid, (PSID)&PhSeLocalServiceSid)) || (processItem->Sid && PhEqualSid(processItem->Sid, (PSID)&PhSeNetworkServiceSid)) )) getNodeColor->BackColor = PhCsColorServiceProcesses; } return TRUE; case TreeNewGetNodeIcon: { PPH_TREENEW_GET_NODE_ICON getNodeIcon = Parameter1; node = (PPH_PROCESS_NODE)getNodeIcon->Node; getNodeIcon->Icon = (HICON)(ULONG_PTR)node->ProcessItem->SmallIconIndex; //getNodeIcon->Flags = TN_CACHE; } return TRUE; case TreeNewGetCellTooltip: { PPH_TREENEW_GET_CELL_TOOLTIP getCellTooltip = Parameter1; ULONG64 tickCount; node = (PPH_PROCESS_NODE)getCellTooltip->Node; if (getCellTooltip->Column->Id != 0) return FALSE; tickCount = NtGetTickCount64(); if ((LONG64)(node->TooltipTextValidToTickCount - tickCount) < 0) PhClearReference(&node->TooltipText); if (PhEnableTooltipSupport && !node->TooltipText) node->TooltipText = PhGetProcessTooltipText(node->ProcessItem, &node->TooltipTextValidToTickCount); if (!PhIsNullOrEmptyString(node->TooltipText)) { getCellTooltip->Text = node->TooltipText->sr; getCellTooltip->Unfolding = FALSE; getCellTooltip->MaximumWidth = ULONG_MAX; } else { return FALSE; } } return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; PPH_PROCESS_ITEM processItem; RECT rect; PH_GRAPH_DRAW_INFO drawInfo; node = (PPH_PROCESS_NODE)customDraw->Node; processItem = node->ProcessItem; rect = customDraw->CellRect; if (rect.right - rect.left <= 1) break; // nothing to draw // Generic graph pre-processing switch (customDraw->Column->Id) { case PHPRTLC_CPUHISTORY: case PHPRTLC_PRIVATEBYTESHISTORY: case PHPRTLC_IOHISTORY: memset(&drawInfo, 0, sizeof(PH_GRAPH_DRAW_INFO)); drawInfo.Width = rect.right - rect.left - 1; // leave a small gap drawInfo.Height = rect.bottom - rect.top - 1; // leave a small gap drawInfo.Step = 2; drawInfo.BackColor = RGB(0x00, 0x00, 0x00); break; } // Specific graph processing switch (customDraw->Column->Id) { case PHPRTLC_CPUHISTORY: { drawInfo.Flags = PH_GRAPH_USE_LINE_2; drawInfo.LineColor1 = PhCsColorCpuKernel; drawInfo.LineColor2 = PhCsColorCpuUser; drawInfo.LineBackColor1 = PhHalveColorBrightness(PhCsColorCpuKernel); drawInfo.LineBackColor2 = PhHalveColorBrightness(PhCsColorCpuUser); PhGetDrawInfoGraphBuffers( &node->CpuGraphBuffers, &drawInfo, processItem->CpuKernelHistory.Count ); if (!node->CpuGraphBuffers.Valid) { PhCopyCircularBuffer_FLOAT(&processItem->CpuKernelHistory, node->CpuGraphBuffers.Data1, drawInfo.LineDataCount); PhCopyCircularBuffer_FLOAT(&processItem->CpuUserHistory, node->CpuGraphBuffers.Data2, drawInfo.LineDataCount); if (PhCsEnableGraphMaxScale) { FLOAT max = 0; if (PhCsEnableAvxSupport && drawInfo.LineDataCount > 128) { max = PhAddPlusMaxMemorySingles( node->CpuGraphBuffers.Data1, node->CpuGraphBuffers.Data2, drawInfo.LineDataCount ); } else { for (ULONG i = 0; i < drawInfo.LineDataCount; i++) { FLOAT data = node->CpuGraphBuffers.Data1[i] + node->CpuGraphBuffers.Data2[i]; if (max < data) max = data; } } if (max != 0) { PhDivideSinglesBySingle( node->CpuGraphBuffers.Data1, max, drawInfo.LineDataCount ); PhDivideSinglesBySingle( node->CpuGraphBuffers.Data2, max, drawInfo.LineDataCount ); } } node->CpuGraphBuffers.Valid = TRUE; } } break; case PHPRTLC_PRIVATEBYTESHISTORY: { drawInfo.Flags = 0; drawInfo.LineColor1 = PhCsColorPrivate; drawInfo.LineBackColor1 = PhHalveColorBrightness(PhCsColorPrivate); PhGetDrawInfoGraphBuffers( &node->PrivateGraphBuffers, &drawInfo, processItem->PrivateBytesHistory.Count ); if (!node->PrivateGraphBuffers.Valid) { FLOAT total; FLOAT max; for (ULONG i = 0; i < drawInfo.LineDataCount; i++) { node->PrivateGraphBuffers.Data1[i] = (FLOAT)PhGetItemCircularBuffer_SIZE_T(&processItem->PrivateBytesHistory, i); } // This makes it easier for the user to see what processes are hogging memory. // Scaling is still *not* consistent across all graphs. total = (FLOAT)PhPerfInformation.CommittedPages * PAGE_SIZE / 4; // divide by 4 to make the scaling a bit better max = (FLOAT)processItem->VmCounters.PeakPagefileUsage; if (max < total) max = total; if (max != 0) { // Scale the data. PhDivideSinglesBySingle( node->PrivateGraphBuffers.Data1, max, drawInfo.LineDataCount ); } node->PrivateGraphBuffers.Valid = TRUE; } } break; case PHPRTLC_IOHISTORY: { drawInfo.Flags = PH_GRAPH_USE_LINE_2; drawInfo.LineColor1 = PhCsColorIoReadOther; drawInfo.LineColor2 = PhCsColorIoWrite; drawInfo.LineBackColor1 = PhHalveColorBrightness(PhCsColorIoReadOther); drawInfo.LineBackColor2 = PhHalveColorBrightness(PhCsColorIoWrite); PhGetDrawInfoGraphBuffers( &node->IoGraphBuffers, &drawInfo, processItem->IoReadHistory.Count ); if (!node->IoGraphBuffers.Valid) { FLOAT total; FLOAT max = 0; for (ULONG i = 0; i < drawInfo.LineDataCount; i++) { FLOAT data1; FLOAT data2; node->IoGraphBuffers.Data1[i] = data1 = (FLOAT)PhGetItemCircularBuffer_ULONG64(&processItem->IoReadHistory, i) + (FLOAT)PhGetItemCircularBuffer_ULONG64(&processItem->IoOtherHistory, i); node->IoGraphBuffers.Data2[i] = data2 = (FLOAT)PhGetItemCircularBuffer_ULONG64(&processItem->IoWriteHistory, i); if (max < data1 + data2) max = data1 + data2; } // Make the scaling a bit more consistent across the processes. // It does *not* scale all graphs using the same maximum. total = (FLOAT)(PhIoReadDelta.Delta + PhIoWriteDelta.Delta + PhIoOtherDelta.Delta); if (max < total) max = total; if (max != 0) { // Scale the data. PhDivideSinglesBySingle( node->IoGraphBuffers.Data1, max, drawInfo.LineDataCount ); PhDivideSinglesBySingle( node->IoGraphBuffers.Data2, max, drawInfo.LineDataCount ); } node->IoGraphBuffers.Valid = TRUE; } } break; } // Draw the graph. switch (customDraw->Column->Id) { case PHPRTLC_CPUHISTORY: case PHPRTLC_PRIVATEBYTESHISTORY: case PHPRTLC_IOHISTORY: PhpNeedGraphContext(customDraw->Dc, drawInfo.Width, drawInfo.Height); if (GraphBits) { PhDrawGraphDirect(GraphContext, GraphBits, &drawInfo); BitBlt( customDraw->Dc, rect.left, rect.top + 1, // + 1 for small gap drawInfo.Width, drawInfo.Height, GraphContext, 0, 0, SRCCOPY ); } break; case PHPRTLC_TIMELINE: { if (PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) { PhCustomDrawTreeTimeLine( customDraw->Dc, &customDraw->CellRect, PhEnableThemeSupport ? PH_DRAW_TIMELINE_DARKTHEME : 0, NULL, &processItem->CreateTime ); } else { LARGE_INTEGER createTime; // DPCs, Interrupts and System Idle Process are always 100% createTime.QuadPart = 0; PhCustomDrawTreeTimeLine( customDraw->Dc, &customDraw->CellRect, PhEnableThemeSupport ? PH_DRAW_TIMELINE_DARKTHEME : 0, NULL, &createTime ); } } break; } } return TRUE; case TreeNewColumnResized: { PPH_TREENEW_COLUMN column = Parameter1; ULONG i; if (column->Id == PHPRTLC_CPUHISTORY || column->Id == PHPRTLC_IOHISTORY || column->Id == PHPRTLC_PRIVATEBYTESHISTORY) { for (i = 0; i < ProcessNodeList->Count; i++) { node = ProcessNodeList->Items[i]; if (column->Id == PHPRTLC_CPUHISTORY) node->CpuGraphBuffers.Valid = FALSE; if (column->Id == PHPRTLC_IOHISTORY) node->IoGraphBuffers.Valid = FALSE; if (column->Id == PHPRTLC_PRIVATEBYTESHISTORY) node->PrivateGraphBuffers.Valid = FALSE; } } } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; ProcessTreeListSortColumn = sorting->SortColumn; ProcessTreeListSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(hwnd); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(PhMainWndHandle, WM_COMMAND, ID_PROCESS_COPY, 0); break; case VK_DELETE: if (GetKeyState(VK_SHIFT) >= 0) SendMessage(PhMainWndHandle, WM_COMMAND, ID_PROCESS_TERMINATE, 0); else SendMessage(PhMainWndHandle, WM_COMMAND, ID_PROCESS_TERMINATETREE, 0); break; case VK_RETURN: if (GetKeyState(VK_CONTROL) >= 0) SendMessage(PhMainWndHandle, WM_COMMAND, ID_PROCESS_PROPERTIES, 0); else SendMessage(PhMainWndHandle, WM_COMMAND, ID_PROCESS_OPENFILELOCATION, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = hwnd; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = NoSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu( data.Menu, hwnd, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y ); PhHandleTreeNewColumnMenu(&data); if (data.Selection) { if (data.Selection->Id == PH_TN_COLUMN_MENU_HIDE_COLUMN_ID || data.Selection->Id == PH_TN_COLUMN_MENU_CHOOSE_COLUMNS_ID) { PhReloadSettingsProcessTreeList(); } } PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(PhMainWndHandle, WM_COMMAND, ID_PROCESS_PROPERTIES, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; PhShowProcessContextMenu(PhMainWndHandle, contextMenu); } return TRUE; case TreeNewNodeExpanding: { node = Parameter1; if (PhCsPropagateCpuUsage) PhUpdateProcessNode(node); } return TRUE; case TreeNewGetHeaderText: { PPH_TREENEW_GET_HEADER_TEXT getHeaderText = Parameter1; PPH_TREENEW_COLUMN column = getHeaderText->Column; SIZE_T returnLength; FLOAT decimal = 0; ULONG64 number = 0; switch (column->Id) { case PHPRTLC_CPU: case PHPRTLC_IOTOTALRATE: case PHPRTLC_PRIVATEBYTES: case PHPRTLC_PEAKPRIVATEBYTES: case PHPRTLC_WORKINGSET: case PHPRTLC_PEAKWORKINGSET: case PHPRTLC_PRIVATEWS: case PHPRTLC_VIRTUALSIZE: case PHPRTLC_PEAKVIRTUALSIZE: case PHPRTLC_PAGEFAULTS: case PHPRTLC_THREADS: case PHPRTLC_HANDLES: case PHPRTLC_GDIHANDLES: case PHPRTLC_USERHANDLES: case PHPRTLC_IORORATE: case PHPRTLC_IOWRATE: case PHPRTLC_CYCLES: case PHPRTLC_CYCLESDELTA: case PHPRTLC_CONTEXTSWITCHES: case PHPRTLC_CONTEXTSWITCHESDELTA: case PHPRTLC_IOREADS: case PHPRTLC_IOWRITES: case PHPRTLC_IOOTHER: case PHPRTLC_IOREADBYTES: case PHPRTLC_IOWRITEBYTES: case PHPRTLC_IOOTHERBYTES: case PHPRTLC_IOREADSDELTA: case PHPRTLC_IOWRITESDELTA: case PHPRTLC_IOOTHERDELTA: case PHPRTLC_PAGEDPOOL: case PHPRTLC_PEAKPAGEDPOOL: case PHPRTLC_NONPAGEDPOOL: case PHPRTLC_PEAKNONPAGEDPOOL: case PHPRTLC_PRIVATEBYTESDELTA: case PHPRTLC_CPUCORECYCLES: case PHPRTLC_COMMITSIZE: case PHPRTLC_CPUAVERAGE: case PHPRTLC_CPUKERNEL: case PHPRTLC_CPUUSER: break; default: return FALSE; } // NOTE: Windows Task Manager doesn't loop subitems when summing the totals but instead just returns the system totals. // We should do the same for some columns like CPU when/if the below loop/aggregate fields becomes a performance issue. (dmex) for (ULONG i = 0; i < ProcessNodeList->Count; i++) { node = ProcessNodeList->Items[i]; if (!node->Node.Visible) continue; // Skip filtered. if (node->ProcessItem->State & PH_PROCESS_ITEM_REMOVED) continue; // Skip terminated. if (!PhTestEvent(&node->ProcessItem->Stage1Event)) continue; // Skip unprocessed. switch (column->Id) { case PHPRTLC_CPU: { if (node->ProcessId == SYSTEM_IDLE_PROCESS_ID) continue; PhpAggregateFieldTotal(node, AggregateTypeFloat, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, CpuUsage), &decimal); } break; case PHPRTLC_IOTOTALRATE: { if (node->ProcessItem->IoReadDelta.Delta != node->ProcessItem->IoReadDelta.Value) // delta is wrong on first run of process provider { PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number); PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number); PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number); } } break; case PHPRTLC_PRIVATEBYTES: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PagefileUsage), &number); break; case PHPRTLC_PEAKPRIVATEBYTES: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PeakPagefileUsage), &number); break; case PHPRTLC_WORKINGSET: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.WorkingSetSize), &number); break; case PHPRTLC_PEAKWORKINGSET: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PeakWorkingSetSize), &number); break; case PHPRTLC_PRIVATEWS: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, WorkingSetPrivateSize), &number); break; //case PHPRTLC_SHAREDWS: // node->WsCounters.NumberOfSharedPages // break; //case PHPRTLC_SHAREABLEWS: // node->WsCounters.NumberOfShareablePages // break; case PHPRTLC_VIRTUALSIZE: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.VirtualSize), &number); break; case PHPRTLC_PEAKVIRTUALSIZE: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PeakVirtualSize), &number); break; case PHPRTLC_PAGEFAULTS: PhpAggregateFieldTotal(node, AggregateTypeInt32, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.PageFaultCount), &number); break; case PHPRTLC_THREADS: PhpAggregateFieldTotal(node, AggregateTypeInt32, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfThreads), &number); break; case PHPRTLC_HANDLES: PhpAggregateFieldTotal(node, AggregateTypeInt32, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, NumberOfHandles), &number); break; case PHPRTLC_GDIHANDLES: PhpAggregateFieldTotal(node, AggregateTypeInt32, node, FIELD_OFFSET(PH_PROCESS_NODE, GdiHandles), &number); break; case PHPRTLC_USERHANDLES: PhpAggregateFieldTotal(node, AggregateTypeInt32, node, FIELD_OFFSET(PH_PROCESS_NODE, UserHandles), &number); break; case PHPRTLC_IORORATE: { if (node->ProcessItem->IoReadDelta.Delta != node->ProcessItem->IoReadDelta.Value) { PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Delta), &number); PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Delta), &number); } } break; case PHPRTLC_IOWRATE: { if (node->ProcessItem->IoReadDelta.Delta != node->ProcessItem->IoReadDelta.Value) { PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Delta), &number); } } break; case PHPRTLC_CYCLES: { if (node->ProcessId == SYSTEM_IDLE_PROCESS_ID) continue; PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Value), &number); } break; case PHPRTLC_CYCLESDELTA: { if (node->ProcessId == SYSTEM_IDLE_PROCESS_ID) continue; PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, CycleTimeDelta.Delta), &number); } break; case PHPRTLC_CONTEXTSWITCHES: { if (node->ProcessId == SYSTEM_IDLE_PROCESS_ID) continue; PhpAggregateFieldTotal(node, AggregateTypeInt32, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Value), &number); } break; case PHPRTLC_CONTEXTSWITCHESDELTA: { if ((LONG)node->ProcessItem->ContextSwitchesDelta.Delta >= 0) // the delta may be negative if a thread exits - just don't show anything { PhpAggregateFieldTotal(node, AggregateTypeInt32, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, ContextSwitchesDelta.Delta), &number); } } break; case PHPRTLC_IOREADS: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Value), &number); break; case PHPRTLC_IOWRITES: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Value), &number); break; case PHPRTLC_IOOTHER: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Value), &number); break; case PHPRTLC_IOREADBYTES: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadDelta.Value), &number); break; case PHPRTLC_IOWRITEBYTES: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteDelta.Value), &number); break; case PHPRTLC_IOOTHERBYTES: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherDelta.Value), &number); break; case PHPRTLC_IOREADSDELTA: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoReadCountDelta.Delta), &number); break; case PHPRTLC_IOWRITESDELTA: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoWriteCountDelta.Delta), &number); break; case PHPRTLC_IOOTHERDELTA: PhpAggregateFieldTotal(node, AggregateTypeInt64, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, IoOtherCountDelta.Delta), &number); break; case PHPRTLC_PAGEDPOOL: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaPagedPoolUsage), &number); break; case PHPRTLC_PEAKPAGEDPOOL: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaPeakPagedPoolUsage), &number); break; case PHPRTLC_NONPAGEDPOOL: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaNonPagedPoolUsage), &number); break; case PHPRTLC_PEAKNONPAGEDPOOL: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, VmCounters.QuotaPeakNonPagedPoolUsage), &number); break; case PHPRTLC_PRIVATEBYTESDELTA: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, PrivateBytesDelta.Delta), &number); break; case PHPRTLC_CPUCORECYCLES: { if (node->ProcessId == SYSTEM_IDLE_PROCESS_ID) continue; PhpAggregateFieldIfNeeded(node, AggregateTypeFloat, AggregateProcessItem, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, CpuUsage), &decimal); } break; case PHPRTLC_COMMITSIZE: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, SharedCommitCharge), &number); break; case PHPRTLC_CPUAVERAGE: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, CpuAverageUsage), &number); break; case PHPRTLC_CPUKERNEL: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, CpuKernelUsage), &number); break; case PHPRTLC_CPUUSER: PhpAggregateFieldTotal(node, AggregateTypeIntPtr, node->ProcessItem, FIELD_OFFSET(PH_PROCESS_ITEM, CpuUserUsage), &number); break; } } switch (column->Id) { case PHPRTLC_CPU: { PH_FORMAT format[2]; if (decimal == 0.0) break; decimal *= 100; PhInitFormatF(&format[0], decimal, PhMaxPrecisionUnit); PhInitFormatC(&format[1], L'%'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), getHeaderText->TextCache, getHeaderText->TextCacheSize, &returnLength)) { getHeaderText->Text.Buffer = getHeaderText->TextCache; getHeaderText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } return TRUE; case PHPRTLC_IOTOTALRATE: case PHPRTLC_IORORATE: case PHPRTLC_IOWRATE: { PH_FORMAT format[2]; if (number == 0) break; number *= 1000; number /= PhCsUpdateInterval; PhInitFormatSize(&format[0], number); PhInitFormatS(&format[1], L"/s"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), getHeaderText->TextCache, getHeaderText->TextCacheSize, &returnLength)) { getHeaderText->Text.Buffer = getHeaderText->TextCache; getHeaderText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } return TRUE; case PHPRTLC_PEAKPRIVATEBYTES: case PHPRTLC_PRIVATEBYTES: case PHPRTLC_WORKINGSET: case PHPRTLC_PEAKWORKINGSET: case PHPRTLC_PRIVATEWS: case PHPRTLC_VIRTUALSIZE: case PHPRTLC_PEAKVIRTUALSIZE: case PHPRTLC_IOREADBYTES: case PHPRTLC_IOWRITEBYTES: case PHPRTLC_IOOTHERBYTES: case PHPRTLC_PAGEDPOOL: case PHPRTLC_PEAKPAGEDPOOL: case PHPRTLC_NONPAGEDPOOL: case PHPRTLC_PEAKNONPAGEDPOOL: case PHPRTLC_COMMITSIZE: { PH_FORMAT format[1]; if (number == 0) break; PhInitFormatSize(&format[0], number); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), getHeaderText->TextCache, getHeaderText->TextCacheSize, &returnLength)) { getHeaderText->Text.Buffer = getHeaderText->TextCache; getHeaderText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } return TRUE; case PHPRTLC_PAGEFAULTS: case PHPRTLC_THREADS: case PHPRTLC_HANDLES: case PHPRTLC_GDIHANDLES: case PHPRTLC_USERHANDLES: case PHPRTLC_CYCLES: case PHPRTLC_CYCLESDELTA: case PHPRTLC_CONTEXTSWITCHES: case PHPRTLC_CONTEXTSWITCHESDELTA: case PHPRTLC_IOREADS: case PHPRTLC_IOWRITES: case PHPRTLC_IOOTHER: case PHPRTLC_IOREADSDELTA: case PHPRTLC_IOWRITESDELTA: case PHPRTLC_IOOTHERDELTA: { PH_FORMAT format[1]; if (number == 0) break; PhInitFormatI64UGroupDigits(&format[0], number); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), getHeaderText->TextCache, getHeaderText->TextCacheSize, &returnLength)) { getHeaderText->Text.Buffer = getHeaderText->TextCache; getHeaderText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } return TRUE; case PHPRTLC_PRIVATEBYTESDELTA: { if ((LONG_PTR)number != 0) { PH_FORMAT format[2]; if ((LONG_PTR)number > 0) { PhInitFormatC(&format[0], L'+'); } else { PhInitFormatC(&format[0], L'-'); number = -(LONG_PTR)number; } format[1].Type = SizeFormatType | FormatUseRadix; format[1].Radix = (UCHAR)PhMaxSizeUnit; format[1].u.Size = (LONG_PTR)number; if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), getHeaderText->TextCache, getHeaderText->TextCacheSize, &returnLength)) { getHeaderText->Text.Buffer = getHeaderText->TextCache; getHeaderText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } return TRUE; case PHPRTLC_CPUCORECYCLES: { PH_FORMAT format[2]; if (decimal == 0) break; decimal *= 100; decimal *= PhSystemProcessorInformation.NumberOfProcessors; PhInitFormatF(&format[0], decimal, PhMaxPrecisionUnit); PhInitFormatC(&format[1], L'%'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), getHeaderText->TextCache, getHeaderText->TextCacheSize, &returnLength)) { getHeaderText->Text.Buffer = getHeaderText->TextCache; getHeaderText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } return TRUE; } } return FALSE; case TreeNewMiddleClick: { PPH_TREENEW_MOUSE_EVENT mouseEvent = Parameter1; node = (PPH_PROCESS_NODE)mouseEvent->Node; if (GetKeyState(VK_CONTROL) >= 0) { PhDeselectAllProcessNodes(); } if (!node) break; if (PhCsSortChildProcesses || ProcessTreeListSortOrder == NoSortOrder) { // in NoSortOrder we select subtree (TheEragon) // init last index to self, this way we select only the process if there are no children (TheEragon) ULONG lastChildIndex = mouseEvent->Node->Index; if (node->Children->Count) { // get index of last child PPH_PROCESS_NODE lastChild = (PPH_PROCESS_NODE)node->Children->Items[node->Children->Count - 1]; lastChildIndex = lastChild->Node.Index; } TreeNew_SelectRange(ProcessTreeListHandle, mouseEvent->Node->Index, lastChildIndex); } else { // in sorted order we select all processes with same name (TheEragon) ULONG first = ULONG_MAX; ULONG last = 0; for (ULONG i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE item = ProcessNodeList->Items[i]; if (PhEqualString(node->ProcessItem->ProcessName, item->ProcessItem->ProcessName, TRUE)) { if (first > item->Node.Index) first = item->Node.Index; if (last < item->Node.Index) last = item->Node.Index; } else if (first != ULONG_MAX) { // select found range and reset indexes (TheEragon) TreeNew_SelectRange(ProcessTreeListHandle, first, last); first = ULONG_MAX; last = 0; } } // select last found range, if any (TheEragon) if (first != ULONG_MAX) TreeNew_SelectRange(ProcessTreeListHandle, first, last); } } return TRUE; case TreeNewReorderBegin: { PPH_TREENEW_REORDER_EVENT reorderEvent = Parameter1; node = (PPH_PROCESS_NODE)reorderEvent->Source; reorderEvent->Allow = TRUE; } return TRUE; case TreeNewReorderOver: { PPH_TREENEW_REORDER_EVENT reorderEvent = Parameter1; node = (PPH_PROCESS_NODE)reorderEvent->Source; reorderEvent->Allow = TRUE; } return TRUE; case TreeNewReorderCommit: { PPH_TREENEW_REORDER_EVENT reorderEvent = Parameter1; PPH_PROCESS_NODE sourceNode = (PPH_PROCESS_NODE)reorderEvent->Source; PPH_PROCESS_NODE targetNode = (PPH_PROCESS_NODE)reorderEvent->Target; BOOLEAN targetIsDescendant = FALSE; ULONG oldIndex, newIndex; if (sourceNode && targetNode) { PPH_PROCESS_NODE current = targetNode; while (current) { if (current == sourceNode) { targetIsDescendant = TRUE; break; } current = current->Parent; } } // Remove sourceNode from its current parent or root list (dmex) if (sourceNode->Parent) { oldIndex = PhFindItemList(sourceNode->Parent->Children, sourceNode); if (oldIndex != ULONG_MAX) PhRemoveItemList(sourceNode->Parent->Children, oldIndex); } else { oldIndex = PhFindItemList(ProcessNodeRootList, sourceNode); if (oldIndex != ULONG_MAX) PhRemoveItemList(ProcessNodeRootList, oldIndex); } if (targetNode && !targetIsDescendant) { BOOLEAN droppedIntoTargetAsChild = FALSE; // If DropAfter is TRUE and the target is a parent (expanded or already has children), // append as the last child of the target (instead of inserting after the parent). (dmex) if (reorderEvent->DropAfter && (targetNode->Node.Expanded || (targetNode->Children && targetNode->Children->Count > 0))) { newIndex = targetNode->Children->Count; PhInsertItemList(targetNode->Children, newIndex, sourceNode); sourceNode->Parent = targetNode; droppedIntoTargetAsChild = TRUE; } if (!droppedIntoTargetAsChild) { // Default behavior: insert as sibling before/after the target (dmex) if (targetNode->Parent) { // Insert as sibling in parent's children list PPH_PROCESS_NODE parent = targetNode->Parent; newIndex = PhFindItemList(parent->Children, targetNode); if (newIndex > parent->Children->Count) newIndex = parent->Children->Count; if (reorderEvent->DropAfter && newIndex < parent->Children->Count) newIndex++; PhInsertItemList(parent->Children, newIndex, sourceNode); sourceNode->Parent = parent; } else { // Insert as root node (sibling of target in root list) (dmex) newIndex = PhFindItemList(ProcessNodeRootList, targetNode); if (newIndex > ProcessNodeRootList->Count) newIndex = ProcessNodeRootList->Count; if (reorderEvent->DropAfter && newIndex < ProcessNodeRootList->Count) newIndex++; PhInsertItemList(ProcessNodeRootList, newIndex, sourceNode); sourceNode->Parent = NULL; } } } else if (!targetNode) { // No target, insert at the end of the root list (dmex) PhInsertItemList(ProcessNodeRootList, ProcessNodeRootList->Count, sourceNode); sourceNode->Parent = NULL; } else { // Invalid move (would create a cycle) - restore original placement at end of root list. (dmex) PhInsertItemList(ProcessNodeRootList, ProcessNodeRootList->Count, sourceNode); sourceNode->Parent = NULL; } TreeNew_NodesStructured(hwnd); } return TRUE; case TreeNewReorderCancel: return TRUE; } return FALSE; } PPH_PROCESS_ITEM PhGetSelectedProcessItem( VOID ) { PPH_PROCESS_ITEM processItem = NULL; ULONG i; for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; if (node->Node.Selected) { processItem = node->ProcessItem; break; } } return processItem; } _Success_(return) BOOLEAN PhGetSelectedProcessItems( _Out_ PPH_PROCESS_ITEM **Processes, _Out_ PULONG NumberOfProcesses ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; if (node->Node.Visible && node->Node.Selected) { PhAddItemArray(&array, &node->ProcessItem); } } if (PhFinalArrayCount(&array)) { *NumberOfProcesses = (ULONG)PhFinalArrayCount(&array); *Processes = PhFinalArrayItems(&array); return TRUE; } else { *NumberOfProcesses = 0; *Processes = NULL; PhDeleteArray(&array); return FALSE; } } PPH_PROCESS_NODE PhGetSelectedProcessNode( VOID ) { PPH_PROCESS_NODE processNode = NULL; ULONG i; for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; if (node->Node.Visible && node->Node.Selected) { processNode = node; break; } } return processNode; } _Success_(return) BOOLEAN PhGetSelectedProcessNodes( _Out_ PPH_PROCESS_NODE **Nodes, _Out_ PULONG NumberOfNodes ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; if (node->Node.Visible && node->Node.Selected) PhAddItemArray(&array, &node); } if (PhFinalArrayCount(&array)) { *NumberOfNodes = (ULONG)PhFinalArrayCount(&array); *Nodes = PhFinalArrayItems(&array); return TRUE; } else { *NumberOfNodes = 0; *Nodes = NULL; PhDeleteArray(&array); return FALSE; } } _Success_(return) BOOLEAN PhGetProcessItemServices( _In_ PPH_PROCESS_ITEM ProcessItem, _Out_ PPH_SERVICE_ITEM** Services, _Out_ PULONG NumberOfServices ) { PH_ARRAY array; ULONG enumerationKey = 0; PPH_SERVICE_ITEM serviceItem; if (!(ProcessItem->ServiceList && ProcessItem->ServiceList->Count != 0)) return FALSE; PhInitializeArray(&array, sizeof(PVOID), 2); PhAcquireQueuedLockShared(&ProcessItem->ServiceListLock); while (PhEnumPointerList( ProcessItem->ServiceList, &enumerationKey, &serviceItem )) { PhReferenceObject(serviceItem); PhAddItemArray(&array, &serviceItem); } PhReleaseQueuedLockShared(&ProcessItem->ServiceListLock); *NumberOfServices = (ULONG)PhFinalArrayCount(&array); *Services = PhFinalArrayItems(&array); return TRUE; } static VOID PhpAddAndPropagateProcessItems( _In_ PPH_ARRAY ProcessesArray, _In_ PPH_PROCESS_NODE ProcessNode ) { for (ULONG i = 0; i < ProcessNode->Children->Count; i++) { PPH_PROCESS_NODE child = ProcessNode->Children->Items[i]; if (child->Children) { PhpAddAndPropagateProcessItems(ProcessesArray, child); } } PhAddItemArray(ProcessesArray, &ProcessNode->ProcessItem); } VOID PhGetSelectedAndPropagateProcessItems( _Out_ PPH_PROCESS_ITEM **Processes, _Out_ PULONG NumberOfProcesses ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; if (node->Node.Visible && node->Node.Selected) { if (PhCsPropagateCpuUsage && !node->Node.Expanded) { PhpAddAndPropagateProcessItems(&array, node); } else { PhAddItemArray(&array, &node->ProcessItem); } } } *NumberOfProcesses = (ULONG)PhFinalArrayCount(&array); *Processes = PhFinalArrayItems(&array); } VOID PhDeselectAllProcessNodes( VOID ) { TreeNew_DeselectRange(ProcessTreeListHandle, 0, -1); } VOID PhExpandAllProcessNodes( _In_ BOOLEAN Expand ) { ULONG i; BOOLEAN needsRestructure = FALSE; for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; if (node->Children->Count != 0 && node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } if (needsRestructure) TreeNew_NodesStructured(ProcessTreeListHandle); } VOID PhInvalidateAllProcessNodes( VOID ) { ULONG i; for (i = 0; i < ProcessNodeList->Count; i++) { PPH_PROCESS_NODE node = ProcessNodeList->Items[i]; memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PHPRTLC_MAXIMUM); PhInvalidateTreeNewNode(&node->Node, TN_CACHE_COLOR); node->ValidMask = 0; // Invalidate graph buffers. node->CpuGraphBuffers.Valid = FALSE; node->PrivateGraphBuffers.Valid = FALSE; node->IoGraphBuffers.Valid = FALSE; } InvalidateRect(ProcessTreeListHandle, NULL, FALSE); } BOOLEAN PhSelectAndEnsureVisibleProcessNode( _In_ PPH_PROCESS_NODE ProcessNode ) { return PhSelectAndEnsureVisibleProcessNodes(&ProcessNode, 1); } BOOLEAN PhSelectAndEnsureVisibleProcessNodes( _In_ PPH_PROCESS_NODE *ProcessNodes, _In_ ULONG NumberOfProcessNodes ) { ULONG i; PPH_PROCESS_NODE leader = NULL; PPH_PROCESS_NODE node; BOOLEAN needsRestructure = FALSE; PhDeselectAllProcessNodes(); for (i = 0; i < NumberOfProcessNodes; i++) { if (ProcessNodes[i]->Node.Visible) { leader = ProcessNodes[i]; break; } } if (!leader) { PhShowInformation2( PhMainWndHandle, L"Unable to perform the operation.", L"%s", L"This node cannot be displayed because it is currently hidden by your active filter settings or preferences." ); return FALSE; } // Expand recursively upwards, and select the nodes. for (i = 0; i < NumberOfProcessNodes; i++) { if (!ProcessNodes[i]->Node.Visible) continue; node = ProcessNodes[i]->Parent; while (node) { if (!node->Node.Expanded) needsRestructure = TRUE; node->Node.Expanded = TRUE; node = node->Parent; } ProcessNodes[i]->Node.Selected = TRUE; } if (needsRestructure) TreeNew_NodesStructured(ProcessTreeListHandle); TreeNew_FocusMarkSelectNode(ProcessTreeListHandle, &leader->Node); return TRUE; } VOID PhpPopulateTableWithProcessNodes( _In_ HWND TreeListHandle, _In_ PPH_PROCESS_NODE Node, _In_ ULONG Level, _In_ PPH_STRING **Table, _Inout_ PULONG Index, _In_ PULONG DisplayToId, _In_ ULONG Columns ) { ULONG i; for (i = 0; i < Columns; i++) { PH_TREENEW_GET_CELL_TEXT getCellText; PPH_STRING text; getCellText.Node = &Node->Node; getCellText.Id = DisplayToId[i]; PhInitializeEmptyStringRef(&getCellText.Text); TreeNew_GetCellText(TreeListHandle, &getCellText); if (i != 0) { if (getCellText.Text.Length == 0) text = PhReferenceEmptyString(); else text = PhaCreateStringEx(getCellText.Text.Buffer, getCellText.Text.Length); } else { // If this is the first column in the row, add some indentation. text = PhaCreateStringEx( NULL, getCellText.Text.Length + UInt32x32To64(Level, 2) * sizeof(WCHAR) ); wmemset(text->Buffer, L' ', UInt32x32To64(Level, 2)); memcpy(&text->Buffer[UInt32x32To64(Level, 2)], getCellText.Text.Buffer, getCellText.Text.Length); } Table[*Index][i] = text; } (*Index)++; // Process the children. for (i = 0; i < Node->Children->Count; i++) { PhpPopulateTableWithProcessNodes( TreeListHandle, Node->Children->Items[i], Level + 1, Table, Index, DisplayToId, Columns ); } } PPH_LIST PhGetProcessTreeListLines( _In_ HWND TreeListHandle, _In_ ULONG NumberOfNodes, _In_ PPH_LIST RootNodes, _In_ ULONG Mode ) { PH_AUTO_POOL autoPool; PPH_LIST lines; // The number of rows in the table (including +1 for the column headers). ULONG rows; // The number of columns. ULONG columns; // A column display index to ID map. PULONG displayToId; // A column display index to text map. PWSTR *displayToText; // The actual string table. PPH_STRING **table; ULONG i; ULONG j; // Use a local auto-pool to make memory management a bit less painful. PhInitializeAutoPool(&autoPool); rows = NumberOfNodes + 1; // Create the display index to ID map. PhMapDisplayIndexTreeNew(TreeListHandle, &displayToId, &displayToText, &columns); PhaCreateTextTable(&table, rows, columns); // Populate the first row with the column headers. for (i = 0; i < columns; i++) { table[0][i] = PhaCreateString(displayToText[i]); } // Go through the nodes in the process tree and populate each cell of the table. j = 1; // index starts at one because the first row contains the column headers. for (i = 0; i < RootNodes->Count; i++) { PhpPopulateTableWithProcessNodes( TreeListHandle, RootNodes->Items[i], 0, table, &j, displayToId, columns ); } PhFree(displayToId); PhFree(displayToText); lines = PhaFormatTextTable(table, rows, columns, Mode); PhDeleteAutoPool(&autoPool); return lines; } VOID PhCopyProcessTree( VOID ) { PPH_STRING text; text = PhGetTreeNewText(ProcessTreeListHandle, 0); PhSetClipboardString(ProcessTreeListHandle, &text->sr); PhDereferenceObject(text); } VOID PhWriteProcessTree( _Inout_ PPH_FILE_STREAM FileStream, _In_ ULONG Mode ) { PPH_LIST lines; ULONG i; lines = PhGetProcessTreeListLines( ProcessTreeListHandle, ProcessNodeList->Count, ProcessNodeRootList, Mode ); for (i = 0; i < lines->Count; i++) { PPH_STRING line; line = lines->Items[i]; PhWriteStringAsUtf8FileStream(FileStream, &line->sr); PhDereferenceObject(line); PhWriteStringAsUtf8FileStream2(FileStream, L"\r\n"); } PhDereferenceObject(lines); } PPH_LIST PhDuplicateProcessNodeList( VOID ) { PPH_LIST newList; newList = PhCreateList(ProcessNodeList->Count); PhInsertItemsList(newList, 0, ProcessNodeList->Items, ProcessNodeList->Count); return newList; } /** * Determines if the process item should show the image coherency in the UI. * * \param[in] ProcessItem - Process item to check. * \param[in] CheckThreshold - If TRUE the image low coherency threshold is * checked, see: LowImageCoherencyThreshold. * \return TRUE if the image coherency should be shown, FALSE otherwise. */ BOOLEAN PhpShouldShowImageCoherency( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ BOOLEAN CheckThreshold ) { const FLOAT LowImageCoherencyThreshold = 0.5f; /**< Limit for displaying "low image coherency" */ if (PhCsImageCoherencyScanLevel == 0) { // // The advanced option for the image coherency scan level is 0. // This disables the scanning and we should not show the image // coherency. // return FALSE; } // // If we haven't done the image coherency check yet, don't show. We // initialize the process item with STATUS_PENDING to denote this. // See: PhCreateProcessItem // if (ProcessItem->ImageCoherencyStatus == STATUS_PENDING) { return FALSE; } // // Exclude the fake processes and system idle PID // if (!PH_IS_REAL_PROCESS_ID(ProcessItem->ProcessId)) { return FALSE; } // // Do not show if the process has no image file name (Secure System) // if (PhIsNullOrEmptyString(ProcessItem->FileName)) { return FALSE; } // // We don't do the coherency check if the created process is WSL // if (ProcessItem->IsSubsystemProcess) { return FALSE; } if (NT_SUCCESS(ProcessItem->ImageCoherencyStatus) || (ProcessItem->ImageCoherencyStatus == STATUS_INVALID_IMAGE_NOT_MZ) || (ProcessItem->ImageCoherencyStatus == STATUS_INVALID_IMAGE_FORMAT) || (ProcessItem->ImageCoherencyStatus == STATUS_INVALID_IMAGE_HASH) || (ProcessItem->ImageCoherencyStatus == STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT)) { // // The coherency status is a success code or a known "valid" error // from the coherency calculation (PhGetProcessImageCoherency). // We should show the coherency value. // if (CheckThreshold) { // // A threshold check is requested. This is generally used for // checking if we should highlight an entry. If the coherency // is below a given threshold return true. Otherwise false. // if (ProcessItem->ImageCoherency <= LowImageCoherencyThreshold) { return TRUE; } else { return FALSE; } } // // No special handling, return true. // return TRUE; } // // Any other error NTSTATUS we don't show the coherency value, we'll // show the reason why we failed the calculation (a string representation // of the status code). // return FALSE; } /** * Retrieves the Win32 file name of the process associated with the specified process item. * * \param ProcessItem A pointer to a PPH_PROCESS_ITEM structure representing the process. * \param FileNameWin32 A pointer to a variable that receives a pointer to a PPH_STRING containing the Win32 file name. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessItemFileNameWin32( _In_ PPH_PROCESS_ITEM ProcessItem, _Out_ PPH_STRING* FileNameWin32 ) { if (ProcessItem->QueryHandle) { PPH_STRING fileName; if (NT_SUCCESS(PhGetProcessImageFileNameWin32(ProcessItem->QueryHandle, &fileName))) { *FileNameWin32 = fileName; return STATUS_SUCCESS; } } if (ProcessItem->FileName) { *FileNameWin32 = PhGetFileName(ProcessItem->FileName); return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } ================================================ FILE: SystemInformer/prpgenv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2018-2023 * */ #include #include #include #include #include #include #include #include #include #include typedef enum _ENVIRONMENT_TREE_MENU_ITEM { ENVIRONMENT_TREE_MENU_ITEM_HIDE_PROCESS_TYPE = 1, ENVIRONMENT_TREE_MENU_ITEM_HIDE_USER_TYPE, ENVIRONMENT_TREE_MENU_ITEM_HIDE_SYSTEM_TYPE, ENVIRONMENT_TREE_MENU_ITEM_HIDE_CMD_TYPE, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_PROCESS_TYPE, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_USER_TYPE, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_SYSTEM_TYPE, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_CMD_TYPE, ENVIRONMENT_TREE_MENU_ITEM_NEW_ENVIRONMENT_VARIABLE, ENVIRONMENT_TREE_MENU_ITEM_MAXIMUM } ENVIRONMENT_TREE_MENU_ITEM; typedef enum _ENVIRONMENT_TREE_COLUMN_ITEM { ENVIRONMENT_COLUMN_ITEM_NAME, ENVIRONMENT_COLUMN_ITEM_VALUE, ENVIRONMENT_COLUMN_ITEM_MAXIMUM } ENVIRONMENT_TREE_COLUMN_ITEM; typedef enum _PROCESS_ENVIRONMENT_TREENODE_TYPE { PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP = 0x1, PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS = 0x2, PROCESS_ENVIRONMENT_TREENODE_TYPE_USER = 0x4, PROCESS_ENVIRONMENT_TREENODE_TYPE_SYSTEM = 0x8 } PROCESS_ENVIRONMENT_TREENODE_TYPE; typedef struct _PHP_PROCESS_ENVIRONMENT_TREENODE { PH_TREENEW_NODE Node; PH_STRINGREF TextCache[ENVIRONMENT_COLUMN_ITEM_MAXIMUM]; struct _PHP_PROCESS_ENVIRONMENT_TREENODE* Parent; PPH_LIST Children; BOOLEAN HasChildren; ULONG Id; PROCESS_ENVIRONMENT_TREENODE_TYPE Type; PPH_STRING NameText; PPH_STRING ValueText; union { BOOLEAN Flags; struct { BOOLEAN IsCmdVariable : 1; BOOLEAN Spare : 7; }; }; } PHP_PROCESS_ENVIRONMENT_TREENODE, *PPHP_PROCESS_ENVIRONMENT_TREENODE; PPHP_PROCESS_ENVIRONMENT_TREENODE PhpAddEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_opt_ PPHP_PROCESS_ENVIRONMENT_TREENODE ParentNode, _In_ PROCESS_ENVIRONMENT_TREENODE_TYPE Type, _In_ PPH_STRING Name, _In_opt_ PPH_STRING Value ); PPHP_PROCESS_ENVIRONMENT_TREENODE PhpFindEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPH_STRING Name ); VOID PhpClearEnvironmentTree( _In_ PPH_ENVIRONMENT_CONTEXT Context ); PPHP_PROCESS_ENVIRONMENT_TREENODE PhpGetSelectedEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context ); _Success_(return) BOOLEAN PhpGetSelectedEnvironmentNodes( _In_ PPH_ENVIRONMENT_CONTEXT Context, _Out_ PPHP_PROCESS_ENVIRONMENT_TREENODE * *Nodes, _Out_ PULONG NumberOfNodes ); BOOLEAN PhpHasSelectedEnvironmentGroupNode( _In_ PPHP_PROCESS_ENVIRONMENT_TREENODE* Nodes, _In_ ULONG NumberOfNodes ); #define ID_ENV_EDIT 50001 #define ID_ENV_DELETE 50002 #define ID_ENV_COPY 50003 typedef struct _EDIT_ENV_DIALOG_CONTEXT { PPH_PROCESS_ITEM ProcessItem; PWSTR Name; PWSTR Value; BOOLEAN Refresh; PH_LAYOUT_MANAGER LayoutManager; RECT MinimumSize; } EDIT_ENV_DIALOG_CONTEXT, *PEDIT_ENV_DIALOG_CONTEXT; INT_PTR PhpShowEditEnvDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PWSTR Name, _In_opt_ PWSTR Value, _Out_opt_ PBOOLEAN Refresh ); INT_PTR CALLBACK PhpEditEnvDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhpClearEnvironmentItems( _Inout_ PPH_ENVIRONMENT_CONTEXT Context ) { SIZE_T i; PPH_ENVIRONMENT_ITEM item; for (i = 0; i < Context->Items.Count; i++) { item = PhItemArray(&Context->Items, i); if (item->Name) PhDereferenceObject(item->Name); if (item->Value) PhDereferenceObject(item->Value); } PhClearArray(&Context->Items); } VOID PhpSetEnvironmentListStatusMessage( _Inout_ PPH_ENVIRONMENT_CONTEXT Context, _In_ NTSTATUS Status ) { if (Context->ProcessItem->State & PH_PROCESS_ITEM_REMOVED || Status == STATUS_PARTIAL_COPY) { PhMoveReference(&Context->StatusMessage, PhCreateString(L"There are no environment variables to display.")); TreeNew_SetEmptyText(Context->TreeNewHandle, &Context->StatusMessage->sr, 0); } else { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(Status, 0); PhMoveReference(&Context->StatusMessage, PhConcatStrings2( L"Unable to query environment information:\n", PhGetStringOrDefault(statusMessage, L"Unknown error.") )); TreeNew_SetEmptyText(Context->TreeNewHandle, &Context->StatusMessage->sr, 0); //TreeNew_NodesStructured(Context->TreeNewHandle); PhClearReference(&statusMessage); } } _Function_class_(PH_ENUM_KEY_CALLBACK) BOOLEAN NTAPI PhEnumEnvironmentKeyValueCallback( _In_ HANDLE RootDirectory, _In_ PKEY_VALUE_FULL_INFORMATION Information, _In_ PPH_ENVIRONMENT_CONTEXT Context ) { if (Context && Information->Type == REG_SZ) { PH_ENVIRONMENT_ITEM entry; entry.Name = PhCreateStringEx(Information->Name, Information->NameLength); entry.Value = PhCreateStringEx(PTR_ADD_OFFSET(Information, Information->DataOffset), Information->DataLength); PhAddItemArray(&Context->Items, &entry); } return TRUE; } VOID PhpRefreshEnvironmentList( _Inout_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPH_PROCESS_ITEM ProcessItem ) { NTSTATUS status; PVOID environment; ULONG environmentLength; ULONG enumerationKey; PH_ENVIRONMENT_VARIABLE variable; PPH_ENVIRONMENT_ITEM item; PPHP_PROCESS_ENVIRONMENT_TREENODE processRootNode; PPHP_PROCESS_ENVIRONMENT_TREENODE userRootNode; PPHP_PROCESS_ENVIRONMENT_TREENODE systemRootNode; PVOID systemDefaultEnvironment = NULL; PVOID userDefaultEnvironment = NULL; SIZE_T i; PhpClearEnvironmentTree(Context); processRootNode = PhpAddEnvironmentNode(Context, NULL, PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP | PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS, PhaCreateString(L"Process"), NULL); userRootNode = PhpAddEnvironmentNode(Context, NULL, PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP | PROCESS_ENVIRONMENT_TREENODE_TYPE_USER, PhaCreateString(L"User"), NULL); systemRootNode = PhpAddEnvironmentNode(Context, NULL, PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP | PROCESS_ENVIRONMENT_TREENODE_TYPE_SYSTEM, PhaCreateString(L"System"), NULL); if (ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { static CONST PH_STRINGREF environmentKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Control\\Session Manager\\Environment"); HANDLE keyHandle; PhCreateEnvironmentBlock(&systemDefaultEnvironment, NULL, FALSE); SIZE_T variableLength = 0; PWSTR variableName = systemDefaultEnvironment; while (*variableName) { variableLength += PhCountStringZ(variableName); variableName += variableLength + 1; } enumerationKey = 0; while (NT_SUCCESS(PhEnumProcessEnvironmentVariables( systemDefaultEnvironment, (ULONG)variableLength * sizeof(WCHAR), &enumerationKey, &variable ))) { PH_ENVIRONMENT_ITEM entry; entry.Name = PhCreateString2(&variable.Name); entry.Value = PhCreateString2(&variable.Value); PhAddItemArray(&Context->Items, &entry); } status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &environmentKeyName, 0 ); if (NT_SUCCESS(status)) { status = PhEnumerateValueKey( keyHandle, KeyValueFullInformation, PhEnumEnvironmentKeyValueCallback, Context ); NtClose(keyHandle); } if (!NT_SUCCESS(status)) { PhpSetEnvironmentListStatusMessage(Context, status); TreeNew_NodesStructured(Context->TreeNewHandle); return; } } else { HANDLE processHandle = NULL; if (PH_IS_REAL_PROCESS_ID(ProcessItem->ProcessId)) { status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessItem->ProcessId ); } else { status = STATUS_INVALID_CID; } if (!NT_SUCCESS(status)) { PhpSetEnvironmentListStatusMessage(Context, status); TreeNew_NodesStructured(Context->TreeNewHandle); return; } if (NT_SUCCESS(status)) { HANDLE tokenHandle; PhCreateEnvironmentBlock(&systemDefaultEnvironment, NULL, FALSE); if (NT_SUCCESS(PhOpenProcessToken( processHandle, TOKEN_QUERY | TOKEN_DUPLICATE, &tokenHandle ))) { PhCreateEnvironmentBlock(&userDefaultEnvironment, tokenHandle, FALSE); NtClose(tokenHandle); } status = PhGetProcessEnvironment( processHandle, !!ProcessItem->IsWow64Process, &environment, &environmentLength ); if (NT_SUCCESS(status)) { enumerationKey = 0; while (NT_SUCCESS(PhEnumProcessEnvironmentVariables( environment, environmentLength, &enumerationKey, &variable ))) { PH_ENVIRONMENT_ITEM entry; entry.Name = PhCreateString2(&variable.Name); entry.Value = PhCreateString2(&variable.Value); PhAddItemArray(&Context->Items, &entry); } PhFreePage(environment); } else { PhpSetEnvironmentListStatusMessage(Context, status); } NtClose(processHandle); } } for (i = 0; i < Context->Items.Count; i++) { PPHP_PROCESS_ENVIRONMENT_TREENODE node; PPHP_PROCESS_ENVIRONMENT_TREENODE parentNode; PROCESS_ENVIRONMENT_TREENODE_TYPE nodeType; PPH_STRING variableValue; item = PhItemArray(&Context->Items, i); if (!item->Name) continue; if (systemDefaultEnvironment && PhQueryEnvironmentVariable( systemDefaultEnvironment, &item->Name->sr, NULL ) == STATUS_BUFFER_TOO_SMALL) { nodeType = PROCESS_ENVIRONMENT_TREENODE_TYPE_SYSTEM; parentNode = systemRootNode; if (NT_SUCCESS(PhQueryEnvironmentVariable( systemDefaultEnvironment, &item->Name->sr, &variableValue ))) { if (!PhEqualString(variableValue, item->Value, FALSE)) { nodeType = PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS; parentNode = processRootNode; } PhDereferenceObject(variableValue); } } else if (userDefaultEnvironment && PhQueryEnvironmentVariable( userDefaultEnvironment, &item->Name->sr, NULL ) == STATUS_BUFFER_TOO_SMALL) { nodeType = PROCESS_ENVIRONMENT_TREENODE_TYPE_USER; parentNode = userRootNode; if (NT_SUCCESS(PhQueryEnvironmentVariable( userDefaultEnvironment, &item->Name->sr, &variableValue ))) { if (!PhEqualString(variableValue, item->Value, FALSE)) { nodeType = PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS; parentNode = processRootNode; } PhDereferenceObject(variableValue); } } else { nodeType = PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS; parentNode = processRootNode; } node = PhpAddEnvironmentNode( Context, parentNode, nodeType, item->Name, item->Value ); if (item->Name && item->Name->Buffer[0] == L'=') // HACK (dmex) { node->IsCmdVariable = TRUE; } } TreeNew_NodesStructured(Context->TreeNewHandle); if (systemDefaultEnvironment) PhDestroyEnvironmentBlock(systemDefaultEnvironment); if (userDefaultEnvironment) PhDestroyEnvironmentBlock(userDefaultEnvironment); } VOID PhpRefreshWslEnvironmentList( _Inout_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_STRING environment; ULONG enumerationKey; PH_ENVIRONMENT_VARIABLE variable; PPH_ENVIRONMENT_ITEM item; PPHP_PROCESS_ENVIRONMENT_TREENODE processRootNode; SIZE_T i; PhpClearEnvironmentTree(Context); processRootNode = PhpAddEnvironmentNode(Context, NULL, PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP | PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS, PhaCreateString(L"Process"), NULL); PhpAddEnvironmentNode(Context, NULL, PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP | PROCESS_ENVIRONMENT_TREENODE_TYPE_USER, PhaCreateString(L"User"), NULL); PhpAddEnvironmentNode(Context, NULL, PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP | PROCESS_ENVIRONMENT_TREENODE_TYPE_SYSTEM, PhaCreateString(L"System"), NULL); if (!ProcessItem->LxssProcessId) { PhpSetEnvironmentListStatusMessage(Context, STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT); TreeNew_NodesStructured(Context->TreeNewHandle); return; } if (PhIsNullOrEmptyString(ProcessItem->FileName)) { PhpSetEnvironmentListStatusMessage(Context, STATUS_OBJECT_NAME_INVALID); TreeNew_NodesStructured(Context->TreeNewHandle); return; } if (!NT_SUCCESS(PhWslQueryDistroProcessEnvironment( &ProcessItem->FileName->sr, ProcessItem->LxssProcessId, &environment ))) { PhpSetEnvironmentListStatusMessage(Context, STATUS_PARTIAL_COPY); TreeNew_NodesStructured(Context->TreeNewHandle); return; } enumerationKey = 0; while (NT_SUCCESS(PhEnumProcessEnvironmentVariables( PhGetString(environment), (ULONG)environment->Length, &enumerationKey, &variable ))) { PH_ENVIRONMENT_ITEM entry; entry.Name = PhCreateString2(&variable.Name); entry.Value = PhCreateString2(&variable.Value); PhAddItemArray(&Context->Items, &entry); } for (i = 0; i < Context->Items.Count; i++) { item = PhItemArray(&Context->Items, i); if (!item->Name) continue; PhpAddEnvironmentNode( Context, processRootNode, PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS, item->Name, item->Value ); } PhApplyTreeNewFilters(&Context->TreeFilterSupport); TreeNew_NodesStructured(Context->TreeNewHandle); PhClearReference(&environment); } NTSTATUS PhpEditDlgSetEnvironment( _Inout_ PEDIT_ENV_DIALOG_CONTEXT Context, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_STRING Name, _In_ PPH_STRING Value ) { NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE processHandle = NULL; LARGE_INTEGER timeout; // Windows 8 requires ALL_ACCESS for PLM execution requests. (dmex) if (WindowsVersion >= WINDOWS_8 && WindowsVersion <= WINDOWS_8_1) { status = PhOpenProcess( &processHandle, PROCESS_ALL_ACCESS, ProcessItem->ProcessId ); } // Windows 10 and above require SET_LIMITED for PLM execution requests. (dmex) if (!NT_SUCCESS(status)) { status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, ProcessItem->ProcessId ); } if (NT_SUCCESS(status)) { timeout.QuadPart = -(LONGLONG)UInt32x32To64(10, PH_TIMEOUT_SEC); // Delete the old environment variable if necessary. if (!PhEqualStringZ(Context->Name, L"", FALSE) && !PhEqualString2(Name, Context->Name, FALSE)) { PH_STRINGREF nameSr; PhInitializeStringRefLongHint(&nameSr, Context->Name); PhSetEnvironmentVariableRemote( processHandle, &nameSr, NULL, &timeout ); } status = PhSetEnvironmentVariableRemote( processHandle, &Name->sr, &Value->sr, &timeout ); NtClose(processHandle); } return status; } NTSTATUS PhpEditDeleteEnvironment( _Inout_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_STRING Name ) { NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE processHandle = NULL; LARGE_INTEGER timeout; // Windows 8 requires ALL_ACCESS for PLM execution requests. (dmex) if (WindowsVersion >= WINDOWS_8 && WindowsVersion <= WINDOWS_8_1) { status = PhOpenProcess( &processHandle, PROCESS_ALL_ACCESS, ProcessItem->ProcessId ); } // Windows 10 and above require SET_LIMITED for PLM execution requests. (dmex) if (!NT_SUCCESS(status)) { status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, ProcessItem->ProcessId ); } if (NT_SUCCESS(status)) { timeout.QuadPart = -(LONGLONG)UInt32x32To64(10, PH_TIMEOUT_SEC); status = PhSetEnvironmentVariableRemote( processHandle, &Name->sr, NULL, &timeout ); NtClose(processHandle); } return status; } ULONG_PTR CALLBACK PhpEditEnvSubclassProc( _In_ HWND WindowHandle, _In_ ULONG WindowMessage, _In_ ULONG_PTR wParam, _In_ ULONG_PTR lParam ) { WNDPROC oldWndProc; if (!(oldWndProc = PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT))) return FALSE; switch (WindowMessage) { case WM_DESTROY: { PhSetWindowProcedure(WindowHandle, oldWndProc); PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_GETDLGCODE: { if (wParam != VK_ESCAPE) { if (wParam == VK_RETURN) { return DLGC_WANTMESSAGE; } return DLGC_WANTALLKEYS; } } break; } return CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); } INT_PTR CALLBACK PhpEditEnvDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PEDIT_ENV_DIALOG_CONTEXT context = NULL; if (uMsg == WM_INITDIALOG) { context = (PEDIT_ENV_DIALOG_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HWND windowhandle; windowhandle = GetDlgItem(hwndDlg, IDC_VALUE); PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_NAME), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, windowhandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDCANCEL), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhLayoutManagerLayout(&context->LayoutManager); context->MinimumSize.left = 0; context->MinimumSize.top = 0; context->MinimumSize.right = 200; context->MinimumSize.bottom = 140; MapDialogRect(hwndDlg, &context->MinimumSize); PhSetDialogItemText(hwndDlg, IDC_NAME, context->Name); PhSetDialogItemText(hwndDlg, IDC_VALUE, context->Value ? context->Value : L""); PhSetWindowContext(windowhandle, PH_WINDOW_CONTEXT_DEFAULT, PhGetWindowProcedure(windowhandle)); PhSetWindowProcedure(windowhandle, (WNDPROC)PhpEditEnvSubclassProc); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDCANCEL)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhDeleteLayoutManager(&context->LayoutManager); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: { EndDialog(hwndDlg, IDCANCEL); } break; case IDOK: { NTSTATUS status = STATUS_UNSUCCESSFUL; PPH_STRING name; PPH_STRING value; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) && !PhShowConfirmMessage( hwndDlg, L"edit", L"the selected environment variable", L"Some programs may restrict access or ban your account when editing the environment variable(s) of the process.", FALSE )) { break; } name = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_NAME))); value = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_VALUE))); if (!PhIsNullOrEmptyString(name)) { if (!PhEqualString2(name, context->Name, FALSE) || !context->Value || !PhEqualString2(value, context->Value, FALSE)) { status = PhpEditDlgSetEnvironment( context, context->ProcessItem, name, value ); if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to set the environment variable.", status, 0); break; } else if (status == STATUS_TIMEOUT) { PhShowStatus(hwndDlg, L"Unable to delete the environment variable.", 0, WAIT_TIMEOUT); break; } context->Refresh = TRUE; } EndDialog(hwndDlg, IDOK); } } break; case IDC_NAME: { if (GET_WM_COMMAND_CMD(wParam, lParam) == EN_CHANGE) { EnableWindow(GetDlgItem(hwndDlg, IDOK), PhGetWindowTextLength(GetDlgItem(hwndDlg, IDC_NAME)) > 0); } } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, context->MinimumSize.right, context->MinimumSize.bottom); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } INT_PTR PhpShowEditEnvDialog( _In_ HWND ParentWindowHandle, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PWSTR Name, _In_opt_ PWSTR Value, _Out_opt_ PBOOLEAN Refresh ) { INT_PTR result; EDIT_ENV_DIALOG_CONTEXT context; memset(&context, 0, sizeof(EDIT_ENV_DIALOG_CONTEXT)); context.ProcessItem = ProcessItem; context.Name = Name; context.Value = Value; result = PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_EDITENV), ParentWindowHandle, PhpEditEnvDlgProc, &context ); if (Refresh) *Refresh = context.Refresh; return result; } VOID PhpShowEnvironmentNodeContextMenu( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenuEvent ) { PPHP_PROCESS_ENVIRONMENT_TREENODE* nodes; ULONG numberOfNodes; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; if (!PhpGetSelectedEnvironmentNodes(Context, &nodes, &numberOfNodes)) return; if (numberOfNodes == 0) return; menu = PhCreateEMenu(); if (!PhpHasSelectedEnvironmentGroupNode(nodes, numberOfNodes)) { PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_ENV_EDIT, L"Edit", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_ENV_DELETE, L"Delete", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); } PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_ENV_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, ID_ENV_COPY, Context->TreeNewHandle, ContextMenuEvent->Column); selectedItem = PhShowEMenu( menu, Context->WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenuEvent->Location.x, ContextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (!PhHandleCopyCellEMenuItem(selectedItem)) { SendMessage(Context->WindowHandle, WM_COMMAND, selectedItem->Id, 0); } } PhDestroyEMenu(menu); } VOID PhLoadSettingsEnvironmentList( _Inout_ PPH_ENVIRONMENT_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhGetStringSetting(SETTING_ENVIRONMENT_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_ENVIRONMENT_TREE_LIST_SORT); Context->Flags = PhGetIntegerSetting(SETTING_ENVIRONMENT_TREE_LIST_FLAGS); PhCmLoadSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSaveSettingsEnvironmentList( _Inout_ PPH_ENVIRONMENT_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &sortSettings); PhSetIntegerSetting(SETTING_ENVIRONMENT_TREE_LIST_FLAGS, Context->Flags); PhSetStringSetting2(SETTING_ENVIRONMENT_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_ENVIRONMENT_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSetOptionsEnvironmentList( _Inout_ PPH_ENVIRONMENT_CONTEXT Context, _In_ ULONG Options ) { switch (Options) { case ENVIRONMENT_TREE_MENU_ITEM_HIDE_PROCESS_TYPE: Context->HideProcessEnvironment = !Context->HideProcessEnvironment; break; case ENVIRONMENT_TREE_MENU_ITEM_HIDE_USER_TYPE: Context->HideUserEnvironment = !Context->HideUserEnvironment; break; case ENVIRONMENT_TREE_MENU_ITEM_HIDE_SYSTEM_TYPE: Context->HideSystemEnvironment = !Context->HideSystemEnvironment; break; case ENVIRONMENT_TREE_MENU_ITEM_HIDE_CMD_TYPE: Context->HideCmdTypeEnvironment = !Context->HideCmdTypeEnvironment; break; case ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_PROCESS_TYPE: Context->HighlightProcessEnvironment = !Context->HighlightProcessEnvironment; break; case ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_USER_TYPE: Context->HighlightUserEnvironment = !Context->HighlightUserEnvironment; break; case ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_SYSTEM_TYPE: Context->HighlightSystemEnvironment = !Context->HighlightSystemEnvironment; break; case ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_CMD_TYPE: Context->HighlightCmdEnvironment = !Context->HighlightCmdEnvironment; break; } } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpEnvironmentNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPHP_PROCESS_ENVIRONMENT_TREENODE node1 = *(PPHP_PROCESS_ENVIRONMENT_TREENODE *)Entry1; PPHP_PROCESS_ENVIRONMENT_TREENODE node2 = *(PPHP_PROCESS_ENVIRONMENT_TREENODE *)Entry2; return PhEqualStringRef(&node1->NameText->sr, &node2->NameText->sr, TRUE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpEnvironmentNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashStringRefEx(&(*(PPHP_PROCESS_ENVIRONMENT_TREENODE*)Entry)->NameText->sr, TRUE, PH_STRING_HASH_X65599); } VOID PhpDestroyEnvironmentNode( _In_ PPHP_PROCESS_ENVIRONMENT_TREENODE Node ) { if (Node->NameText) PhDereferenceObject(Node->NameText); if (Node->ValueText) PhDereferenceObject(Node->ValueText); PhFree(Node); } PPHP_PROCESS_ENVIRONMENT_TREENODE PhpAddEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_opt_ PPHP_PROCESS_ENVIRONMENT_TREENODE ParentNode, _In_ PROCESS_ENVIRONMENT_TREENODE_TYPE Type, _In_ PPH_STRING Name, _In_opt_ PPH_STRING Value ) { PPHP_PROCESS_ENVIRONMENT_TREENODE node; node = PhAllocateZero(sizeof(PHP_PROCESS_ENVIRONMENT_TREENODE)); PhInitializeTreeNewNode(&node->Node); memset(node->TextCache, 0, sizeof(PH_STRINGREF) * ENVIRONMENT_COLUMN_ITEM_MAXIMUM); node->Node.TextCache = node->TextCache; node->Node.TextCacheSize = ENVIRONMENT_COLUMN_ITEM_MAXIMUM; node->Children = PhCreateList(1); node->Type = Type; PhSetReference(&node->NameText, Name); if (Value) PhSetReference(&node->ValueText, Value); PhAddEntryHashtable(Context->NodeHashtable, &node); PhAddItemList(Context->NodeList, node); //if (Context->TreeFilterSupport.FilterList) // node->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->TreeFilterSupport, &node->Node); if (ParentNode) { node->HasChildren = FALSE; // This is a child node. node->Parent = ParentNode; PhAddItemList(ParentNode->Children, node); } else { node->HasChildren = TRUE; node->Node.Expanded = TRUE; // This is a root node. PhAddItemList(Context->NodeRootList, node); } //TreeNew_NodesStructured(Context->TreeNewHandle); return node; } PPHP_PROCESS_ENVIRONMENT_TREENODE PhpFindEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPH_STRING Name ) { PHP_PROCESS_ENVIRONMENT_TREENODE lookupEnvironmentNode; PPHP_PROCESS_ENVIRONMENT_TREENODE lookupEnvironmentNodePtr = &lookupEnvironmentNode; PPHP_PROCESS_ENVIRONMENT_TREENODE *environmentNode; lookupEnvironmentNode.NameText = Name; environmentNode = (PPHP_PROCESS_ENVIRONMENT_TREENODE*)PhFindEntryHashtable( Context->NodeHashtable, &lookupEnvironmentNodePtr ); if (environmentNode) return *environmentNode; else return NULL; } VOID PhpRemoveEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPHP_PROCESS_ENVIRONMENT_TREENODE Node ) { ULONG index = 0; // Remove from hashtable/list and cleanup. PhRemoveEntryHashtable(Context->NodeHashtable, &Node); if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) { PhRemoveItemList(Context->NodeList, index); } PhpDestroyEnvironmentNode(Node); //TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpUpdateEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_ PPHP_PROCESS_ENVIRONMENT_TREENODE Node ) { memset(Node->TextCache, 0, sizeof(PH_STRINGREF) * ENVIRONMENT_COLUMN_ITEM_MAXIMUM); PhInvalidateTreeNewNode(&Node->Node, TN_CACHE_COLOR); //TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpExpandAllEnvironmentNodes( _In_ PPH_ENVIRONMENT_CONTEXT Context, _In_ BOOLEAN Expand ) { ULONG i; BOOLEAN needsRestructure = FALSE; for (i = 0; i < Context->NodeList->Count; i++) { PPH_MODULE_NODE node = Context->NodeList->Items[i]; if (node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } if (needsRestructure) TreeNew_NodesStructured(Context->TreeNewHandle); } #define SORT_FUNCTION(Column) PhpEnvironmentTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpEnvironmentTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_ENVIRONMENT_CONTEXT context = (PPH_ENVIRONMENT_CONTEXT)_context; \ PPHP_PROCESS_ENVIRONMENT_TREENODE node1 = *(PPHP_PROCESS_ENVIRONMENT_TREENODE*)_elem1; \ PPHP_PROCESS_ENVIRONMENT_TREENODE node2 = *(PPHP_PROCESS_ENVIRONMENT_TREENODE*)_elem2; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Node.Index, (ULONG_PTR)node2->Node.Index); \ \ return PhModifySort(sortResult, context->TreeNewSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpEnvironmentTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uintcmp(((PPHP_PROCESS_ENVIRONMENT_TREENODE)Node1)->Node.Index, ((PPHP_PROCESS_ENVIRONMENT_TREENODE)Node2)->Node.Index); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNullSortOrder(node1->NameText, node2->NameText, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Value) { sortResult = PhCompareStringWithNullSortOrder(node1->ValueText, node2->ValueText, context->TreeNewSortOrder, FALSE); } END_SORT_FUNCTION BOOLEAN NTAPI PhpEnvironmentTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_ENVIRONMENT_CONTEXT context = Context; PPHP_PROCESS_ENVIRONMENT_TREENODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPHP_PROCESS_ENVIRONMENT_TREENODE)getChildren->Node; if (context->TreeNewSortOrder == NoSortOrder) { if (!node) { getChildren->Children = (PPH_TREENEW_NODE *)context->NodeRootList->Items; getChildren->NumberOfChildren = context->NodeRootList->Count; } else { getChildren->Children = (PPH_TREENEW_NODE *)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; } } else { if (!node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Name), SORT_FUNCTION(Value) }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == ENVIRONMENT_COLUMN_ITEM_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < ENVIRONMENT_COLUMN_ITEM_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPHP_PROCESS_ENVIRONMENT_TREENODE)isLeaf->Node; if (context->TreeNewSortOrder == NoSortOrder) isLeaf->IsLeaf = !node->HasChildren; else isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPHP_PROCESS_ENVIRONMENT_TREENODE)getCellText->Node; switch (getCellText->Id) { case ENVIRONMENT_COLUMN_ITEM_NAME: getCellText->Text = PhGetStringRef(node->NameText); break; case ENVIRONMENT_COLUMN_ITEM_VALUE: getCellText->Text = PhGetStringRef(node->ValueText); break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = (PPH_TREENEW_GET_NODE_COLOR)Parameter1; node = (PPHP_PROCESS_ENVIRONMENT_TREENODE)getNodeColor->Node; //if (node->HasChildren) //{ // NOTHING; //} //else { if (context->HighlightCmdEnvironment && node->IsCmdVariable) getNodeColor->BackColor = PhCsColorDebuggedProcesses; else if (context->HighlightProcessEnvironment && node->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS) getNodeColor->BackColor = PhCsColorServiceProcesses; else if (context->HighlightUserEnvironment && node->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_USER) getNodeColor->BackColor = PhCsColorOwnProcesses; else if (context->HighlightSystemEnvironment && node->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_SYSTEM) getNodeColor->BackColor = PhCsColorSystemProcesses; } getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // HACK if (context->TreeFilterSupport.FilterList) PhApplyTreeNewFilters(&context->TreeFilterSupport); // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; if (!contextMenuEvent) break; PhpShowEnvironmentNodeContextMenu(context, contextMenuEvent); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->WindowHandle, WM_COMMAND, ID_ENV_COPY, 0); break; case VK_DELETE: SendMessage(context->WindowHandle, WM_COMMAND, ID_ENV_DELETE, 0); break; case VK_RETURN: SendMessage(context->WindowHandle, WM_COMMAND, ID_ENV_EDIT, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = NoSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu( data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y ); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(context->WindowHandle, WM_COMMAND, ID_SHOWCONTEXTMENU, 0); // HACK } return TRUE; case TreeNewGetDialogCode: { PULONG code = Parameter2; if (PtrToUlong(Parameter1) == VK_RETURN) { *code = DLGC_WANTMESSAGE; return TRUE; } } return FALSE; } return FALSE; } VOID PhpClearEnvironmentTree( _In_ PPH_ENVIRONMENT_CONTEXT Context ) { ULONG i; for (i = 0; i < Context->NodeList->Count; i++) PhpDestroyEnvironmentNode(Context->NodeList->Items[i]); PhClearHashtable(Context->NodeHashtable); PhClearList(Context->NodeList); PhClearList(Context->NodeRootList); PhpClearEnvironmentItems(Context); //TreeNew_NodesStructured(Context->TreeNewHandle); } PPHP_PROCESS_ENVIRONMENT_TREENODE PhpGetSelectedEnvironmentNode( _In_ PPH_ENVIRONMENT_CONTEXT Context ) { PPHP_PROCESS_ENVIRONMENT_TREENODE environmentNode = NULL; ULONG i; for (i = 0; i < Context->NodeList->Count; i++) { environmentNode = Context->NodeList->Items[i]; if (environmentNode->Node.Selected) return environmentNode; } return NULL; } _Success_(return) BOOLEAN PhpGetSelectedEnvironmentNodes( _In_ PPH_ENVIRONMENT_CONTEXT Context, _Out_ PPHP_PROCESS_ENVIRONMENT_TREENODE **Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPHP_PROCESS_ENVIRONMENT_TREENODE node = (PPHP_PROCESS_ENVIRONMENT_TREENODE)Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } BOOLEAN PhpHasSelectedEnvironmentGroupNode( _In_ PPHP_PROCESS_ENVIRONMENT_TREENODE* Nodes, _In_ ULONG NumberOfNodes ) { for (ULONG i = 0; i < NumberOfNodes; i++) { if (Nodes[i]->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP) return TRUE; } return FALSE; } VOID PhpInitializeEnvironmentTree( _Inout_ PPH_ENVIRONMENT_CONTEXT Context ) { Context->NodeList = PhCreateList(100); Context->NodeRootList = PhCreateList(30); Context->NodeHashtable = PhCreateHashtable( sizeof(PPHP_PROCESS_ENVIRONMENT_TREENODE), PhpEnvironmentNodeHashtableEqualFunction, PhpEnvironmentNodeHashtableHashFunction, 100 ); PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); TreeNew_SetCallback(Context->TreeNewHandle, PhpEnvironmentTreeNewCallback, Context); // Default columns PhAddTreeNewColumn(Context->TreeNewHandle, ENVIRONMENT_COLUMN_ITEM_NAME, TRUE, L"Name", 250, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(Context->TreeNewHandle, ENVIRONMENT_COLUMN_ITEM_VALUE, TRUE, L"Value", 250, PH_ALIGN_LEFT, 1, 0); // Customizable columns // ... // Search filters PhCmInitializeManager(&Context->Cm, Context->TreeNewHandle, PHMOTLC_MAXIMUM, PhpEnvironmentTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, Context->TreeNewHandle, Context->NodeList); TreeNew_SetTriState(Context->TreeNewHandle, TRUE); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); } VOID PhpDeleteEnvironmentTree( _In_ PPH_ENVIRONMENT_CONTEXT Context ) { PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PhpDestroyEnvironmentNode(Context->NodeList->Items[i]); } PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpProcessEnvironmentTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_ PVOID Context ) { PPH_ENVIRONMENT_CONTEXT context = Context; PPHP_PROCESS_ENVIRONMENT_TREENODE environmentNode = (PPHP_PROCESS_ENVIRONMENT_TREENODE)Node; if (!environmentNode->Parent && environmentNode->Children && environmentNode->Children->Count == 0) return FALSE; if (context->TreeNewSortOrder != NoSortOrder && environmentNode->HasChildren) return FALSE; if (context->HideProcessEnvironment && environmentNode->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_PROCESS) return FALSE; if (context->HideUserEnvironment && environmentNode->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_USER) return FALSE; if (context->HideSystemEnvironment && environmentNode->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_SYSTEM) return FALSE; if (context->HideCmdTypeEnvironment && environmentNode->IsCmdVariable) return FALSE; if (!context->SearchMatchHandle) return TRUE; if (!PhIsNullOrEmptyString(environmentNode->NameText)) { if (PhSearchControlMatch(context->SearchMatchHandle, &environmentNode->NameText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(environmentNode->ValueText)) { if (PhSearchControlMatch(context->SearchMatchHandle, &environmentNode->ValueText->sr)) return TRUE; } return FALSE; } _Function_class_(PH_SEARCHCONTROL_CALLBACK) static VOID NTAPI PhpProcessEnvironmentSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_ENVIRONMENT_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatchHandle; // Expand any hidden nodes to make search results visible. PhpExpandAllEnvironmentNodes(context, TRUE); PhApplyTreeNewFilters(&context->TreeFilterSupport); } INT_PTR CALLBACK PhpProcessEnvironmentDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_ENVIRONMENT_CONTEXT context; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, NULL, &propPageContext, &processItem)) { context = propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { context = propPageContext->Context = PhAllocateZero(sizeof(PH_ENVIRONMENT_CONTEXT)); context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST); context->SearchWindowHandle = GetDlgItem(hwndDlg, IDC_SEARCH); context->ProcessItem = processItem; PhCreateSearchControl( hwndDlg, context->SearchWindowHandle, L"Search Environment (Ctrl+K)", PhpProcessEnvironmentSearchControlCallback, context ); Edit_SetSel(context->SearchWindowHandle, 0, -1); PhpInitializeEnvironmentTree(context); if (PhTreeWindowFont) { context->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(context->TreeNewHandle, context->TreeNewFont, FALSE); } PhInitializeArray(&context->Items, sizeof(PH_ENVIRONMENT_ITEM), 100); context->TreeFilterEntry = PhAddTreeNewFilter(&context->TreeFilterSupport, PhpProcessEnvironmentTreeFilterCallback, context); PhMoveReference(&context->StatusMessage, PhCreateString(L"There are no environment variables to display.")); TreeNew_SetEmptyText(context->TreeNewHandle, &context->StatusMessage->sr, 0); PhLoadSettingsEnvironmentList(context); if (processItem->IsSubsystemProcess) { PhpRefreshWslEnvironmentList(context, processItem); } else { PhpRefreshEnvironmentList(context, processItem); } PhApplyTreeNewFilters(&context->TreeFilterSupport); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveTreeNewFilter(&context->TreeFilterSupport, context->TreeFilterEntry); PhSaveSettingsEnvironmentList(context); PhpDeleteEnvironmentTree(context); PhpClearEnvironmentItems(context); PhDeleteArray(&context->Items); PhClearReference(&context->StatusMessage); if (context->TreeNewFont) DeleteFont(context->TreeNewFont); PhFree(context); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, context->SearchWindowHandle, dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_TOP); PhAddPropPageLayoutItem(hwndDlg, context->TreeNewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_OPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM processMenuItem; PPH_EMENU_ITEM userMenuItem; PPH_EMENU_ITEM systemMenuItem; PPH_EMENU_ITEM cmdMenuItem; PPH_EMENU_ITEM highlightProcessMenuItem; PPH_EMENU_ITEM highlightUserMenuItem; PPH_EMENU_ITEM highlightSystemMenuItem; PPH_EMENU_ITEM highlightCmdMenuItem; PPH_EMENU_ITEM newProcessMenuItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_OPTIONS), &rect)) break; processMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIDE_PROCESS_TYPE, L"Hide process", NULL, NULL); userMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIDE_USER_TYPE, L"Hide user", NULL, NULL); systemMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIDE_SYSTEM_TYPE, L"Hide system", NULL, NULL); cmdMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIDE_CMD_TYPE, L"Hide cmd", NULL, NULL); highlightProcessMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_PROCESS_TYPE, L"Highlight process", NULL, NULL); highlightUserMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_USER_TYPE, L"Highlight user", NULL, NULL); highlightSystemMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_SYSTEM_TYPE, L"Highlight system", NULL, NULL); highlightCmdMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_HIGHLIGHT_CMD_TYPE, L"Highlight cmd", NULL, NULL); newProcessMenuItem = PhCreateEMenuItem(0, ENVIRONMENT_TREE_MENU_ITEM_NEW_ENVIRONMENT_VARIABLE, L"New variable...", NULL, NULL); menu = PhCreateEMenu(); PhInsertEMenuItem(menu, processMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, userMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, systemMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, cmdMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, highlightProcessMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, highlightUserMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, highlightSystemMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, highlightCmdMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, newProcessMenuItem, ULONG_MAX); if (context->HideProcessEnvironment) processMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HideUserEnvironment) userMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HideSystemEnvironment) systemMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HideCmdTypeEnvironment) cmdMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightProcessEnvironment) highlightProcessMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightUserEnvironment) highlightUserMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightSystemEnvironment) highlightSystemMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightCmdEnvironment) highlightCmdMenuItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id) { if (selectedItem->Id == ENVIRONMENT_TREE_MENU_ITEM_NEW_ENVIRONMENT_VARIABLE) { BOOLEAN refresh; if (PhpShowEditEnvDialog(hwndDlg, processItem, L"", NULL, &refresh) == IDOK && refresh) { if (processItem->IsSubsystemProcess) { PhpRefreshWslEnvironmentList(context, processItem); } else { PhpRefreshEnvironmentList(context, processItem); } } } else { PhSetOptionsEnvironmentList(context, selectedItem->Id); PhSaveSettingsEnvironmentList(context); PhApplyTreeNewFilters(&context->TreeFilterSupport); } } PhDestroyEMenu(menu); } break; case IDC_REFRESH: { if (processItem->IsSubsystemProcess) { PhpRefreshWslEnvironmentList(context, processItem); } else { PhpRefreshEnvironmentList(context, processItem); } } break; case ID_SHOWCONTEXTMENU: { PPHP_PROCESS_ENVIRONMENT_TREENODE item = PhpGetSelectedEnvironmentNode(context); BOOLEAN refresh; if (!item || item->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP) break; if (PhpShowEditEnvDialog( hwndDlg, context->ProcessItem, item->NameText->Buffer, item->ValueText->Buffer, &refresh ) == IDOK && refresh) { if (processItem->IsSubsystemProcess) { PhpRefreshWslEnvironmentList(context, processItem); } else { PhpRefreshEnvironmentList(context, processItem); } } } break; case ID_ENV_EDIT: { PPHP_PROCESS_ENVIRONMENT_TREENODE item = PhpGetSelectedEnvironmentNode(context); BOOLEAN refresh; if (!item || item->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP) break; if (PhpShowEditEnvDialog( context->WindowHandle, context->ProcessItem, item->NameText->Buffer, item->ValueText->Buffer, &refresh ) == IDOK && refresh) { if (processItem->IsSubsystemProcess) { PhpRefreshWslEnvironmentList(context, processItem); } else { PhpRefreshEnvironmentList(context, processItem); } } } break; case ID_ENV_DELETE: { PPHP_PROCESS_ENVIRONMENT_TREENODE item = PhpGetSelectedEnvironmentNode(context); NTSTATUS status = STATUS_UNSUCCESSFUL; if (!item || item->Type & PROCESS_ENVIRONMENT_TREENODE_TYPE_GROUP) break; if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) && !PhShowConfirmMessage( context->WindowHandle, L"delete", L"the selected environment variable", L"Some programs may restrict access or ban your account when editing the environment variable(s) of the process.", FALSE )) { break; } status = PhpEditDeleteEnvironment( context, context->ProcessItem, item->NameText ); if (processItem->IsSubsystemProcess) { PhpRefreshWslEnvironmentList(context, processItem); } else { PhpRefreshEnvironmentList(context, processItem); } if (status == STATUS_TIMEOUT) { PhShowStatus(hwndDlg, L"Unable to delete the environment variable.", 0, WAIT_TIMEOUT); } else if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to delete the environment variable.", status, 0); } } break; case ID_ENV_COPY: { PPH_STRING text; text = PhGetTreeNewText(context->TreeNewHandle, 0); PhSetClipboardString(context->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)context->TreeNewHandle); return TRUE; } } break; case WM_KEYDOWN: { if (LOWORD(wParam) == 'K') { if (GetKeyState(VK_CONTROL) < 0) { SetFocus(context->SearchWindowHandle); return TRUE; } } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpggen.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2016-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include static CONST PH_KEY_VALUE_PAIR PhProtectedTypeStrings[] = { SIP(L"None", PsProtectedTypeNone), SIP(L"Light", PsProtectedTypeProtectedLight), SIP(L"Full", PsProtectedTypeProtected), }; static CONST PH_KEY_VALUE_PAIR PhProtectedSignerStrings[] = { SIP(L" ", PsProtectedSignerNone), SIP(L" (Authenticode)", PsProtectedSignerAuthenticode), SIP(L" (CodeGen)", PsProtectedSignerCodeGen), SIP(L" (Antimalware)", PsProtectedSignerAntimalware), SIP(L" (Lsa)", PsProtectedSignerLsa), SIP(L" (Windows)", PsProtectedSignerWindows), SIP(L" (WinTcb)", PsProtectedSignerWinTcb), SIP(L" (WinSystem)", PsProtectedSignerWinSystem), SIP(L" (StoreApp)", PsProtectedSignerApp), }; PPH_STRING PhGetProcessItemProtectionText( _In_ PPH_PROCESS_ITEM ProcessItem ) { if (ProcessItem->Protection.Level != UCHAR_MAX) { if (WindowsVersion >= WINDOWS_8_1) { PWSTR type = L"Unknown"; PWSTR signer = L""; PhFindStringSiKeyValuePairs(PhProtectedTypeStrings, sizeof(PhProtectedTypeStrings), ProcessItem->Protection.Type, &type); PhFindStringSiKeyValuePairs(PhProtectedSignerStrings, sizeof(PhProtectedSignerStrings), ProcessItem->Protection.Signer, &signer); // Isolated User Mode (IUM) (dmex) if (ProcessItem->Protection.Type == PsProtectedTypeNone && ProcessItem->IsSecureProcess) return PhConcatStrings2(L"Secure (IUM)", signer); return PhConcatStrings2(type, signer); } else { if (ProcessItem->IsSecureProcess) return PhCreateString(L"Secure (IUM)"); if (ProcessItem->IsProtectedProcess) return PhCreateString(L"Yes"); return PhCreateString(L"None"); } } return PhCreateString(L"N/A"); } PPH_STRING PhGetProcessItemImageTypeText( _In_ PPH_PROCESS_ITEM ProcessItem ) { USHORT architecture = IMAGE_FILE_MACHINE_UNKNOWN; ULONG chpeVersion = 0; PWSTR arch = L""; PWSTR bits = L""; if (ProcessItem->FileName) { PH_MAPPED_IMAGE mappedImage; #ifdef _ARM64_ if (NT_SUCCESS(PhLoadMappedImageEx(&ProcessItem->FileName->sr, NULL, &mappedImage))) { architecture = mappedImage.NtHeaders->FileHeader.Machine; if (architecture == IMAGE_FILE_MACHINE_AMD64 || architecture == IMAGE_FILE_MACHINE_ARM64) chpeVersion = PhGetMappedImageCHPEVersion(&mappedImage); PhUnloadMappedImage(&mappedImage); } #else if (NT_SUCCESS(PhLoadMappedImageHeaderPageSize(&ProcessItem->FileName->sr, NULL, &mappedImage))) { architecture = mappedImage.NtHeaders->FileHeader.Machine; PhUnloadMappedImage(&mappedImage); } #endif } switch (architecture) { case IMAGE_FILE_MACHINE_I386: arch = L"i386 "; break; case IMAGE_FILE_MACHINE_AMD64: arch = chpeVersion ? L"AMD64 (ARM64X) " : L"AMD64 "; break; case IMAGE_FILE_MACHINE_ARMNT: arch = L"ARM "; break; case IMAGE_FILE_MACHINE_ARM64: arch = chpeVersion ? L"ARM64 (ARM64X) " : L"ARM64 "; break; default: arch = L"N/A "; } #if _WIN64 bits = ProcessItem->IsWow64Process ? L"(32-bit)" : L"(64-bit)"; #else bits = L"(32-bit)"; #endif return PhConcatStrings2(arch, bits); } _Function_class_(PH_OPEN_OBJECT) NTSTATUS PhpProcessGeneralOpenProcess( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { if (Context) return PhOpenProcess(Handle, DesiredAccess, (HANDLE)Context); return STATUS_UNSUCCESSFUL; } _Function_class_(PH_CLOSE_OBJECT) NTSTATUS PhpProcessGeneralCloseHandle( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) NtClose(Handle); return STATUS_SUCCESS; } FORCEINLINE PWSTR PhpGetStringOrNa( _In_opt_ _Maybenull_ PPH_STRING String ) { if (String) return String->Buffer; else return L"N/A"; } VOID PhpUpdateProcessMitigationPolicies( _In_ HWND hwndDlg, _In_ PPH_PROCESS_ITEM ProcessItem ) { NTSTATUS status; HANDLE processHandle; PH_PROCESS_MITIGATION_POLICY_ALL_INFORMATION information; PhSetDialogItemText(hwndDlg, IDC_MITIGATION, L"N/A"); if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION, ProcessItem->ProcessId ))) { if (NT_SUCCESS(status = PhGetProcessMitigationPolicyAllInformation(processHandle, &information))) { PH_STRING_BUILDER sb; PROCESS_MITIGATION_POLICY policy; PPH_STRING shortDescription; PhInitializeStringBuilder(&sb, 100); for (policy = 0; policy < MaxProcessMitigationPolicy; policy++) { if (information.Pointers[policy] && PhDescribeProcessMitigationPolicy( policy, information.Pointers[policy], &shortDescription, NULL )) { PhAppendStringBuilder(&sb, &shortDescription->sr); PhAppendStringBuilder2(&sb, L"; "); PhDereferenceObject(shortDescription); } } // HACK: Show System process CET mitigation (dmex) if (ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { SYSTEM_SHADOW_STACK_INFORMATION shadowStackInformation; if (NT_SUCCESS(PhGetSystemShadowStackInformation(&shadowStackInformation))) { PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY policyData; memset(&policyData, 0, sizeof(PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY)); policyData.EnableUserShadowStack = shadowStackInformation.KernelCetEnabled; policyData.EnableUserShadowStackStrictMode = shadowStackInformation.KernelCetEnabled; policyData.AuditUserShadowStack = shadowStackInformation.KernelCetAuditModeEnabled; if (PhDescribeProcessMitigationPolicy( ProcessUserShadowStackPolicy, &policyData, &shortDescription, NULL )) { PhAppendStringBuilder(&sb, &shortDescription->sr); PhAppendStringBuilder2(&sb, L"; "); PhDereferenceObject(shortDescription); } } } if (sb.String->Length != 0) { PhRemoveEndStringBuilder(&sb, 2); PhSetDialogItemText(hwndDlg, IDC_MITIGATION, PhFinalStringBuilderString(&sb)->Buffer); } else { PhSetDialogItemText(hwndDlg, IDC_MITIGATION, L"None"); } PhDeleteStringBuilder(&sb); } NtClose(processHandle); } if (!NT_SUCCESS(status)) EnableWindow(GetDlgItem(hwndDlg, IDC_VIEWMITIGATION), FALSE); } typedef struct _PH_PROCGENERAL_CONTEXT { HWND WindowHandle; HWND StartedLabelHandle; BOOLEAN Enabled; HICON ProgramIcon; } PH_PROCGENERAL_CONTEXT, *PPH_PROCGENERAL_CONTEXT; VOID PphProcessGeneralDlgUpdateIcons( _In_ HWND hwndDlg ) { HICON folder; HICON magnifier; LONG dpiValue; dpiValue = PhGetWindowDpi(hwndDlg); folder = PH_LOAD_SHARED_ICON_SMALL(PhInstanceHandle, MAKEINTRESOURCE(IDI_FOLDER), dpiValue); magnifier = PH_LOAD_SHARED_ICON_SMALL(PhInstanceHandle, MAKEINTRESOURCE(IDI_MAGNIFIER), dpiValue); SET_BUTTON_ICON(IDC_INSPECT, magnifier); SET_BUTTON_ICON(IDC_OPENFILENAME, folder); SET_BUTTON_ICON(IDC_INSPECT2, magnifier); SET_BUTTON_ICON(IDC_OPENFILENAME2, folder); SET_BUTTON_ICON(IDC_VIEWCOMMANDLINE, magnifier); SET_BUTTON_ICON(IDC_VIEWPARENTPROCESS, magnifier); } INT_PTR CALLBACK PhpProcessGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_PROCGENERAL_CONTEXT context; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem)) { context = (PPH_PROCGENERAL_CONTEXT)propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { HANDLE processHandle = NULL; PPH_STRING curDir = NULL; PPH_PROCESS_ITEM parentProcess; CLIENT_ID clientId; PPH_STRING fileNameWin32 = NULL; context = propPageContext->Context = PhAllocateZero(sizeof(PH_PROCGENERAL_CONTEXT)); context->WindowHandle = hwndDlg; context->StartedLabelHandle = GetDlgItem(hwndDlg, IDC_STARTED); context->Enabled = TRUE; PphProcessGeneralDlgUpdateIcons(hwndDlg); // File context->ProgramIcon = PhGetImageListIcon(processItem->LargeIconIndex, TRUE); Static_SetIcon(GetDlgItem(hwndDlg, IDC_FILEICON), context->ProgramIcon); if (PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) { PhSetDialogItemText(hwndDlg, IDC_NAME, PhpGetStringOrNa(processItem->VersionInfo.FileDescription)); } else { PhSetDialogItemText(hwndDlg, IDC_NAME, PhpGetStringOrNa(processItem->ProcessName)); } if (processItem->QueryHandle) { if (NT_SUCCESS(PhGetProcessImageFileNameWin32(processItem->QueryHandle, &fileNameWin32))) { PH_AUTO(fileNameWin32); } } if (PhIsNullOrEmptyString(fileNameWin32)) { fileNameWin32 = processItem->FileName ? PhGetFileName(processItem->FileName) : NULL; PH_AUTO(fileNameWin32); } PhSetDialogItemText(hwndDlg, IDC_VERSION, PhpGetStringOrNa(processItem->VersionInfo.FileVersion)); PhSetDialogItemText(hwndDlg, IDC_FILENAME, PhpGetStringOrNa(fileNameWin32)); PhSetDialogItemText(hwndDlg, IDC_FILENAMEWIN32, PhpGetStringOrNa(processItem->FileName)); { PPH_STRING inspectExecutables; if (PhIsNullOrEmptyString(processItem->FileName)) { EnableWindow(GetDlgItem(hwndDlg, IDC_OPENFILENAME), FALSE); EnableWindow(GetDlgItem(hwndDlg, IDC_INSPECT), FALSE); } else { if (!PhDoesFileExist(&processItem->FileName->sr)) { EnableWindow(GetDlgItem(hwndDlg, IDC_OPENFILENAME), FALSE); EnableWindow(GetDlgItem(hwndDlg, IDC_INSPECT), FALSE); } } inspectExecutables = PhaGetStringSetting(SETTING_PROGRAM_INSPECT_EXECUTABLES); if (PhIsNullOrEmptyString(inspectExecutables)) { EnableWindow(GetDlgItem(hwndDlg, IDC_INSPECT), FALSE); } } if (processItem->VerifyResult == VrTrusted) { if (processItem->VerifySignerName) { PhSetDialogItemText(hwndDlg, IDC_COMPANYNAME_LINK, PhaFormatString(L"(Verified) %s", processItem->VerifySignerName->Buffer)->Buffer); ShowWindow(GetDlgItem(hwndDlg, IDC_COMPANYNAME), SW_HIDE); ShowWindow(GetDlgItem(hwndDlg, IDC_COMPANYNAME_LINK), SW_SHOW); } else { PhSetDialogItemText(hwndDlg, IDC_COMPANYNAME, PhaConcatStrings2( L"(Verified) ", PhGetStringOrEmpty(processItem->VersionInfo.CompanyName) )->Buffer); } } else if (processItem->VerifyResult != VrUnknown) { PhSetDialogItemText(hwndDlg, IDC_COMPANYNAME, PhaConcatStrings2( L"(UNVERIFIED) ", PhGetStringOrEmpty(processItem->VersionInfo.CompanyName) )->Buffer); } else { PhSetDialogItemText(hwndDlg, IDC_COMPANYNAME, PhpGetStringOrNa(processItem->VersionInfo.CompanyName)); } // Command Line PhSetDialogItemText(hwndDlg, IDC_CMDLINE, PhpGetStringOrNa(processItem->CommandLine)); if (!processItem->CommandLine) EnableWindow(GetDlgItem(hwndDlg, IDC_VIEWCOMMANDLINE), FALSE); // Current Directory if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, processItem->ProcessId ))) { // Tell the function to get the WOW64 current directory, because that's the one that actually gets updated. if (NT_SUCCESS(PhGetProcessCurrentDirectory( processHandle, !!processItem->IsWow64Process, &curDir ))) { PH_AUTO(curDir); } NtClose(processHandle); processHandle = NULL; } PhSetDialogItemText(hwndDlg, IDC_CURDIR, PhpGetStringOrNa(curDir)); // Started if (processItem->CreateTime.QuadPart != 0) { LARGE_INTEGER startTime; LARGE_INTEGER currentTime; SYSTEMTIME startTimeFields; PPH_STRING startTimeRelativeString; PPH_STRING startTimeString; PhQuerySystemTime(¤tTime); if (processItem->CreateTime.QuadPart < currentTime.QuadPart) { startTime = processItem->CreateTime; startTimeRelativeString = PH_AUTO(PhFormatTimeSpanRelative(currentTime.QuadPart - startTime.QuadPart)); PhLargeIntegerToLocalSystemTime(&startTimeFields, &startTime); startTimeString = PhaFormatDateTime(&startTimeFields); PhSetWindowText(context->StartedLabelHandle, PhaFormatString( L"%s ago (%s)", startTimeRelativeString->Buffer, startTimeString->Buffer )->Buffer); } else { PhSetWindowText(context->StartedLabelHandle, L"N/A"); } } else { PhSetWindowText(context->StartedLabelHandle, L"N/A"); } // Parent if (parentProcess = PhReferenceProcessItemForParent(processItem)) { clientId.UniqueProcess = parentProcess->ProcessId; clientId.UniqueThread = NULL; PhSetDialogItemText(hwndDlg, IDC_PARENTPROCESS, PH_AUTO_T(PH_STRING, PhGetClientIdNameEx(&clientId, parentProcess->ProcessName))->Buffer); PhDereferenceObject(parentProcess); } else { if (processItem->ProcessId == SYSTEM_IDLE_PROCESS_ID) { PhSetDialogItemText(hwndDlg, IDC_PARENTPROCESS, L"N/A"); } else { PhSetDialogItemText(hwndDlg, IDC_PARENTPROCESS, PhaFormatString( L"Non-existent process (%lu)", HandleToUlong(processItem->ParentProcessId))->Buffer); } EnableWindow(GetDlgItem(hwndDlg, IDC_VIEWPARENTPROCESS), FALSE); } // Parent console //if (NT_SUCCESS(PhGetProcessConsoleHostProcessId(processItem->QueryHandle, &consoleParentProcessId))) //{ // ProcessItem->ParentProcessId = consoleParentProcessId; // PhPrintUInt32(ProcessItem->ParentProcessIdString, HandleToUlong(consoleParentProcessId)); //} if (parentProcess = PhReferenceProcessItem((HANDLE)((ULONG_PTR)processItem->ConsoleHostProcessId & ~3))) { if (parentProcess->ProcessId == SYSTEM_IDLE_PROCESS_ID) { PhSetDialogItemText(hwndDlg, IDC_PARENTCONSOLE, L"N/A"); } else { clientId.UniqueProcess = parentProcess->ProcessId; clientId.UniqueThread = NULL; PhSetDialogItemText( hwndDlg, IDC_PARENTCONSOLE, PH_AUTO_T(PH_STRING, PhGetClientIdNameEx(&clientId, parentProcess->ProcessName))->Buffer ); } PhDereferenceObject(parentProcess); } else { PhSetDialogItemText(hwndDlg, IDC_PARENTCONSOLE, L"N/A"); } // Mitigation policies PhpUpdateProcessMitigationPolicies(hwndDlg, processItem); // Protection PPH_STRING string = PhGetProcessProtectionString(processItem->Protection, (BOOLEAN)processItem->IsSecureProcess); PhSetDialogItemText(hwndDlg, IDC_PROTECTION, PhpGetStringOrNa(string)); PhClearReference(&string); // Image type PhSetDialogItemText(hwndDlg, IDC_PROCESSTYPETEXT, PH_AUTO_T(PH_STRING, PhGetProcessItemImageTypeText(processItem))->Buffer); if (PhEnableThemeSupport) { PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } PhSetTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT, 1000, NULL); } break; case WM_DESTROY: { PhKillTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT); if (context->ProgramIcon) { DestroyIcon(context->ProgramIcon); } } break; case WM_NCDESTROY: { PhFree(context); } break; case WM_DPICHANGED_AFTERPARENT: { PphProcessGeneralDlgUpdateIcons(hwndDlg); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_FILE), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_NAME), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_COMPANYNAME), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_COMPANYNAME_LINK), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_VERSION), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_FILENAME), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_INSPECT), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_OPENFILENAME), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_FILENAMEWIN32), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_INSPECT2), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_OPENFILENAME2), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_CMDLINE), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_VIEWCOMMANDLINE), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_CURDIR), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, context->StartedLabelHandle, dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_PARENTCONSOLE), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_PARENTPROCESS), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_VIEWPARENTPROCESS), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_MITIGATION), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_VIEWMITIGATION), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_INTEGRITY), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_TOP); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_TERMINATE), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_TOP); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_PERMISSIONS), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_TOP); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_PROCESS), dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_INSPECT: case IDC_INSPECT2: { if (processItem->FileName) { if ( !PhIsNullOrEmptyString(processItem->FileName) && PhDoesFileExist(&processItem->FileName->sr) ) { PhShellExecuteUserString( hwndDlg, SETTING_PROGRAM_INSPECT_EXECUTABLES, PhGetString(processItem->FileName), FALSE, L"Make sure the PE Viewer executable file is present." ); } else { PhShowStatus(hwndDlg, L"Unable to locate the file.", STATUS_NOT_FOUND, 0); } } } break; case IDC_OPENFILENAME: case IDC_OPENFILENAME2: { if (processItem->FileName) { if ( !PhIsNullOrEmptyString(processItem->FileName) && PhDoesFileExist(&processItem->FileName->sr) ) { PhShellExecuteUserString( hwndDlg, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(processItem->FileName), FALSE, L"Make sure the Explorer executable file is present." ); } else { PhShowStatus(hwndDlg, L"Unable to locate the file.", STATUS_NOT_FOUND, 0); } } } break; case IDC_VIEWCOMMANDLINE: { if (processItem->CommandLine) { PPH_STRING commandLineString; PPH_LIST commandLineList; if (commandLineList = PhCommandLineToList(PhGetString(processItem->CommandLine))) { PH_STRING_BUILDER sb; PhInitializeStringBuilder(&sb, 260); for (ULONG i = 0; i < commandLineList->Count; i++) { PhAppendFormatStringBuilder(&sb, L"[%d] %s\r\n\r\n", i, PhGetString(commandLineList->Items[i])); } PhAppendFormatStringBuilder(&sb, L"[FULL] %s\r\n", PhGetString(processItem->CommandLine)); commandLineString = PhFinalStringBuilderString(&sb); PhDereferenceObjects(commandLineList->Items, commandLineList->Count); PhDereferenceObject(commandLineList); } else { commandLineString = PhReferenceObject(processItem->CommandLine); } PhShowInformationDialog(hwndDlg, PhGetString(commandLineString), 0); PhDereferenceObject(commandLineString); } } break; case IDC_VIEWPARENTPROCESS: { PPH_PROCESS_ITEM parentProcessItem; if (parentProcessItem = PhReferenceProcessItem(processItem->ParentProcessId)) { SystemInformer_ShowProcessProperties(parentProcessItem); PhDereferenceObject(parentProcessItem); } else { PhShowStatus(hwndDlg, L"The process does not exist.", STATUS_NOT_FOUND, 0); } } break; case IDC_VIEWMITIGATION: { PhShowProcessMitigationPolicyDialog(hwndDlg, processItem->ProcessId); } break; case IDC_TERMINATE: { PhUiTerminateProcesses( hwndDlg, &processItem, 1 ); } break; case IDC_PERMISSIONS: { PhEditSecurity( PhCsForceNoParent ? NULL : hwndDlg, PhGetStringOrEmpty(processItem->ProcessName), L"Process", PhpProcessGeneralOpenProcess, PhpProcessGeneralCloseHandle, processItem->ProcessId ); } break; case IDC_INTEGRITY: { NTSTATUS status; HANDLE processHandle = NULL; ACCESS_MASK mandatoryPolicy = 0; PPH_EMENU_ITEM selectedItem; PPH_EMENU menu; RECT rect; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_INTEGRITY), &rect)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"No-Write-Up", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 2, L"No-Read-Up", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 3, L"No-Execute-Up", NULL, NULL), ULONG_MAX); status = PhOpenProcess( &processHandle, READ_CONTROL | WRITE_OWNER, processItem->ProcessId ); if (!NT_SUCCESS(status)) { status = PhOpenProcess( &processHandle, READ_CONTROL, processItem->ProcessId ); } if (NT_SUCCESS(status)) { status = PhGetProcessMandatoryPolicy(processHandle, &mandatoryPolicy); if (NT_SUCCESS(status)) { if (FlagOn(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP)) { PhSetFlagsEMenuItem(menu, 1, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } if (FlagOn(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_READ_UP)) { PhSetFlagsEMenuItem(menu, 2, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } if (FlagOn(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)) { PhSetFlagsEMenuItem(menu, 3, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } } if (!NT_SUCCESS(status)) { for (ULONG i = 0; i < menu->Items->Count; i++) { PhSetDisabledEMenuItem(menu->Items->Items[i]); } } selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (PhShowConfirmMessage( hwndDlg, L"update", L"the integrity label", L"Altering the integrity label for a process may produce undesirable results, instability or data corruption.", FALSE )) { switch (selectedItem->Id) { case 1: { if (BooleanFlagOn(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP)) ClearFlag(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP); else SetFlag(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP); status = PhSetProcessMandatoryPolicy(processHandle, mandatoryPolicy); } break; case 2: { if (BooleanFlagOn(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_READ_UP)) ClearFlag(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_READ_UP); else SetFlag(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_READ_UP); status = PhSetProcessMandatoryPolicy(processHandle, mandatoryPolicy); } break; case 3: { if (BooleanFlagOn(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)) ClearFlag(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP); else SetFlag(mandatoryPolicy, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP); status = PhSetProcessMandatoryPolicy(processHandle, mandatoryPolicy); } break; } } if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to set the integrity label", status, 0); } } if (processHandle) { NtClose(processHandle); } PhDestroyEMenu(menu); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_SETACTIVE: context->Enabled = TRUE; break; case PSN_KILLACTIVE: context->Enabled = FALSE; break; case NM_CLICK: { switch (header->idFrom) { case IDC_COMPANYNAME_LINK: { if (processItem->FileName) { NTSTATUS status; HANDLE fileHandle; status = PhCreateFile( &fileHandle, &processItem->FileName->sr, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { PH_VERIFY_FILE_INFO info; memset(&info, 0, sizeof(PH_VERIFY_FILE_INFO)); info.FileHandle = fileHandle; info.Flags = PH_VERIFY_VIEW_PROPERTIES; info.hWnd = hwndDlg; PhVerifyFileWithAdditionalCatalog( &info, processItem->PackageFullName, NULL ); NtClose(fileHandle); } else { PhShowStatus(hwndDlg, L"Unable to perform the operation.", status, 0); } } } break; } } break; } } break; case WM_TIMER: { switch (wParam) { case PH_WINDOW_TIMER_DEFAULT: { if (!(context->Enabled && GetFocus() != context->StartedLabelHandle)) break; if (processItem->CreateTime.QuadPart != 0) { LARGE_INTEGER startTime; LARGE_INTEGER currentTime; SYSTEMTIME startTimeFields; PPH_STRING startTimeRelativeString; PPH_STRING startTimeString; PhQuerySystemTime(¤tTime); if (processItem->CreateTime.QuadPart < currentTime.QuadPart) { startTime = processItem->CreateTime; startTimeRelativeString = PH_AUTO(PhFormatTimeSpanRelative(currentTime.QuadPart - startTime.QuadPart)); PhLargeIntegerToLocalSystemTime(&startTimeFields, &startTime); startTimeString = PhaFormatDateTime(&startTimeFields); PhSetWindowText(context->StartedLabelHandle, PhaFormatString( L"%s ago (%s)", PhGetString(startTimeRelativeString), PhGetString(startTimeString) )->Buffer); } else { PhSetWindowText(context->StartedLabelHandle, L"\u221E"); } } else { PhSetWindowText(context->StartedLabelHandle, L"N/A"); } } break; } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpghndl.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static CONST PH_STRINGREF EmptyHandlesText = PH_STRINGREF_INIT(L"There are no handles to display."); _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI HandleAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_HANDLES_CONTEXT handlesContext = (PPH_HANDLES_CONTEXT)Context; // Parameter contains a pointer to the added handle item. PhReferenceObject(Parameter); PhPushProviderEventQueue(&handlesContext->EventQueue, ProviderAddedEvent, Parameter, PhGetRunIdProvider(&handlesContext->ProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI HandleModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_HANDLES_CONTEXT handlesContext = (PPH_HANDLES_CONTEXT)Context; PhPushProviderEventQueue(&handlesContext->EventQueue, ProviderModifiedEvent, Parameter, PhGetRunIdProvider(&handlesContext->ProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI HandleRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_HANDLES_CONTEXT handlesContext = (PPH_HANDLES_CONTEXT)Context; PhPushProviderEventQueue(&handlesContext->EventQueue, ProviderRemovedEvent, Parameter, PhGetRunIdProvider(&handlesContext->ProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI HandlesUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_HANDLES_CONTEXT handlesContext = (PPH_HANDLES_CONTEXT)Context; PostMessage(handlesContext->WindowHandle, WM_PH_HANDLES_UPDATED, PhGetRunIdProvider(&handlesContext->ProviderRegistration), 0); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI HandlesUpdateAutomaticallyHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_HANDLES_CONTEXT handlesContext = (PPH_HANDLES_CONTEXT)Context; PhSetEnabledProvider(&handlesContext->ProviderRegistration, (BOOLEAN)PtrToUlong(Parameter)); } VOID PhpInitializeHandleMenu( _In_ PPH_EMENU Menu, _In_ HANDLE ProcessId, _In_ PPH_HANDLE_ITEM *Handles, _In_ ULONG NumberOfHandles, _Inout_ PPH_HANDLES_CONTEXT HandlesContext ) { if (NumberOfHandles == 0) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } else if (NumberOfHandles == 1) { PH_HANDLE_ITEM_INFO info; info.ProcessId = ProcessId; info.Handle = Handles[0]->Handle; info.TypeName = Handles[0]->TypeName; info.BestObjectName = Handles[0]->BestObjectName; PhInsertHandleObjectPropertiesEMenuItems(Menu, ID_HANDLE_PROPERTIES, TRUE, &info); } else { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); PhEnableEMenuItem(Menu, ID_HANDLE_CLOSE, TRUE); PhEnableEMenuItem(Menu, ID_HANDLE_COPY, TRUE); } // Protected, Inherit if (NumberOfHandles == 1) { HandlesContext->SelectedHandleProtected = FALSE; HandlesContext->SelectedHandleInherit = FALSE; if (Handles[0]->Attributes & OBJ_PROTECT_CLOSE) { HandlesContext->SelectedHandleProtected = TRUE; PhSetFlagsEMenuItem(Menu, ID_HANDLE_PROTECTED, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } if (Handles[0]->Attributes & OBJ_INHERIT) { HandlesContext->SelectedHandleInherit = TRUE; PhSetFlagsEMenuItem(Menu, ID_HANDLE_INHERIT, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } } VOID PhShowHandleContextMenu( _In_ HWND hwndDlg, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_HANDLES_CONTEXT Context, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PPH_HANDLE_ITEM *handles; ULONG numberOfHandles; PhGetSelectedHandleItems(&Context->ListContext, &handles, &numberOfHandles); if (numberOfHandles != 0) { PPH_EMENU menu; PPH_EMENU_ITEM item; PH_PLUGIN_MENU_INFORMATION menuInfo; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_HANDLE_CLOSE, L"C&lose\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_HANDLE_PROTECTED, L"&Protected", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_HANDLE_INHERIT, L"&Inherit", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_HANDLE_SECURITY, L"Secu&rity", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_HANDLE_PROPERTIES, L"Prope&rties\bEnter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_HANDLE_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhSetFlagsEMenuItem(menu, ID_HANDLE_PROPERTIES, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhpInitializeHandleMenu(menu, ProcessItem->ProcessId, handles, numberOfHandles, Context); PhInsertCopyCellEMenuItem(menu, ID_HANDLE_COPY, Context->ListContext.TreeNewHandle, ContextMenu->Column); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, hwndDlg, 0); menuInfo.u.Handle.ProcessId = ProcessItem->ProcessId; menuInfo.u.Handle.Handles = handles; menuInfo.u.Handle.NumberOfHandles = numberOfHandles; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackHandleMenuInitializing), &menuInfo); } item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(item); if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) SendMessage(hwndDlg, WM_COMMAND, item->Id, 0); } PhDestroyEMenu(menu); } PhFree(handles); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpHandleTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_HANDLES_CONTEXT handlesContext = Context; PPH_HANDLE_NODE handleNode = (PPH_HANDLE_NODE)Node; PPH_HANDLE_ITEM handleItem = handleNode->HandleItem; if (handlesContext->ListContext.HideProtectedHandles && handleItem->Attributes & OBJ_PROTECT_CLOSE) return FALSE; if (handlesContext->ListContext.HideInheritHandles && handleItem->Attributes & OBJ_INHERIT) return FALSE; if (handlesContext->ListContext.HideUnnamedHandles && PhIsNullOrEmptyString(handleItem->BestObjectName)) return FALSE; if (handlesContext->ListContext.HideEtwHandles) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static ULONG eventTraceTypeIndex = ULONG_MAX; if (PhBeginInitOnce(&initOnce)) { eventTraceTypeIndex = PhGetObjectTypeNumberZ(L"EtwRegistration"); PhEndInitOnce(&initOnce); } if (handleItem->TypeIndex == eventTraceTypeIndex) return FALSE; } if (!handlesContext->SearchMatchHandle) return TRUE; // handle properties if (PhSearchControlMatchPointer(handlesContext->SearchMatchHandle, handleItem->Handle)) return TRUE; if (!PhIsNullOrEmptyString(handleItem->TypeName)) { if (PhSearchControlMatch(handlesContext->SearchMatchHandle, &handleItem->TypeName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(handleItem->ObjectName)) { if (PhSearchControlMatch(handlesContext->SearchMatchHandle, &handleItem->ObjectName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(handleItem->BestObjectName)) { if (PhSearchControlMatch(handlesContext->SearchMatchHandle, &handleItem->BestObjectName->sr)) return TRUE; } if (handleItem->HandleString[0]) { if (PhSearchControlMatchLongHintZ(handlesContext->SearchMatchHandle, handleItem->HandleString)) return TRUE; } if (handleItem->GrantedAccessString[0]) { if (PhSearchControlMatchLongHintZ(handlesContext->SearchMatchHandle, handleItem->GrantedAccessString)) return TRUE; } if (handleItem->ObjectString[0]) { if (PhSearchControlMatchLongHintZ(handlesContext->SearchMatchHandle, handleItem->ObjectString)) return TRUE; } if (handleNode->HandleItem->Attributes & OBJ_PROTECT_CLOSE && PhSearchControlMatchZ(handlesContext->SearchMatchHandle, L"Protected")) { return TRUE; } if (handleNode->HandleItem->Attributes & OBJ_INHERIT && PhSearchControlMatchZ(handlesContext->SearchMatchHandle, L"Inherit")) { return TRUE; } // node properties if (!PhIsNullOrEmptyString(handleNode->GrantedAccessSymbolicText)) { if (PhSearchControlMatch(handlesContext->SearchMatchHandle, &handleNode->GrantedAccessSymbolicText->sr)) return TRUE; } if (handleNode->FileShareAccessText[0]) { if (PhSearchControlMatchLongHintZ(handlesContext->SearchMatchHandle, handleNode->FileShareAccessText)) return TRUE; } return FALSE; } typedef struct _HANDLE_OPEN_CONTEXT { HANDLE ProcessId; PPH_HANDLE_ITEM HandleItem; } HANDLE_OPEN_CONTEXT, *PHANDLE_OPEN_CONTEXT; _Function_class_(PH_OPEN_OBJECT) NTSTATUS PhpProcessHandleOpenCallback( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_ PVOID Context ) { PHANDLE_OPEN_CONTEXT context = Context; NTSTATUS status; HANDLE processHandle; *Handle = NULL; if (KsiLevel() >= KphLevelMax) { // Try limited-information first when allowed by KSI. if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, context->ProcessId ))) { status = NtDuplicateObject( processHandle, context->HandleItem->Handle, NtCurrentProcess(), Handle, DesiredAccess, 0, 0 ); NtClose(processHandle); if (NT_SUCCESS(status)) return status; } } if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_DUP_HANDLE, context->ProcessId ))) { status = NtDuplicateObject( processHandle, context->HandleItem->Handle, NtCurrentProcess(), Handle, DesiredAccess, 0, 0 ); NtClose(processHandle); } return status; } _Function_class_(PH_CLOSE_OBJECT) NTSTATUS PhpProcessHandleCloseCallback( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { PHANDLE_OPEN_CONTEXT context = Context; if (Handle) { NtClose(Handle); } if (Release && context) { PhDereferenceObject(context->HandleItem); PhFree(context); } return STATUS_SUCCESS; } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpProcessHandlessSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_HANDLES_CONTEXT handlesContext = Context; assert(handlesContext); handlesContext->SearchMatchHandle = MatchHandle; if (!handlesContext->SearchMatchHandle) { // Expand any hidden nodes to make search results visible. PhExpandAllHandleNodes(&handlesContext->ListContext, TRUE); } PhApplyTreeNewFilters(&handlesContext->ListContext.TreeFilterSupport); } INT_PTR CALLBACK PhpProcessHandlesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_HANDLES_CONTEXT handlesContext; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, NULL, &propPageContext, &processItem)) { handlesContext = propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { handlesContext = propPageContext->Context = PhAllocate(PhEmGetObjectSize(EmHandlesContextType, sizeof(PH_HANDLES_CONTEXT))); memset(handlesContext, 0, sizeof(PH_HANDLES_CONTEXT)); handlesContext->WindowHandle = hwndDlg; handlesContext->SearchWindowHandle = GetDlgItem(hwndDlg, IDC_HANDLESEARCH); handlesContext->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST); handlesContext->Provider = PhCreateHandleProvider( processItem->ProcessId ); PhRegisterProvider( &PhTertiaryProviderThread, PhHandleProviderUpdate, handlesContext->Provider, &handlesContext->ProviderRegistration ); PhRegisterCallback( &handlesContext->Provider->HandleAddedEvent, HandleAddedHandler, handlesContext, &handlesContext->AddedEventRegistration ); PhRegisterCallback( &handlesContext->Provider->HandleModifiedEvent, HandleModifiedHandler, handlesContext, &handlesContext->ModifiedEventRegistration ); PhRegisterCallback( &handlesContext->Provider->HandleRemovedEvent, HandleRemovedHandler, handlesContext, &handlesContext->RemovedEventRegistration ); PhRegisterCallback( &handlesContext->Provider->HandleUpdatedEvent, HandlesUpdatedHandler, handlesContext, &handlesContext->UpdatedEventRegistration ); // Initialize the list. PhInitializeHandleList(hwndDlg, handlesContext->TreeNewHandle, &handlesContext->ListContext); if (PhTreeWindowFont) { handlesContext->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(handlesContext->TreeNewHandle, handlesContext->TreeNewFont, FALSE); } TreeNew_SetEmptyText(handlesContext->TreeNewHandle, &PhProcessPropPageLoadingText, 0); PhInitializeProviderEventQueue(&handlesContext->EventQueue, 100); handlesContext->LastRunStatus = -1; handlesContext->ErrorMessage = NULL; handlesContext->FilterEntry = PhAddTreeNewFilter(&handlesContext->ListContext.TreeFilterSupport, PhpHandleTreeFilterCallback, handlesContext); PhCreateSearchControl( hwndDlg, handlesContext->SearchWindowHandle, L"Search Handles (Ctrl+K)", PhpProcessHandlessSearchControlCallback, handlesContext ); PhEmCallObjectOperation(EmHandlesContextType, handlesContext, EmObjectCreate); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = handlesContext->TreeNewHandle; treeNewInfo.CmData = &handlesContext->ListContext.Cm; treeNewInfo.SystemContext = handlesContext; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackHandleTreeNewInitializing), &treeNewInfo); } PhLoadSettingsHandleList(&handlesContext->ListContext); PhSetEnabledProvider(&handlesContext->ProviderRegistration, TRUE); PhBoostProvider(&handlesContext->ProviderRegistration, NULL); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackUpdateAutomatically), HandlesUpdateAutomaticallyHandler, handlesContext, &handlesContext->ChangedEventRegistration ); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveTreeNewFilter(&handlesContext->ListContext.TreeFilterSupport, handlesContext->FilterEntry); PhEmCallObjectOperation(EmHandlesContextType, handlesContext, EmObjectDelete); PhUnregisterCallback( &handlesContext->Provider->HandleAddedEvent, &handlesContext->AddedEventRegistration ); PhUnregisterCallback( &handlesContext->Provider->HandleModifiedEvent, &handlesContext->ModifiedEventRegistration ); PhUnregisterCallback( &handlesContext->Provider->HandleRemovedEvent, &handlesContext->RemovedEventRegistration ); PhUnregisterCallback( &handlesContext->Provider->HandleUpdatedEvent, &handlesContext->UpdatedEventRegistration ); PhUnregisterCallback( PhGetGeneralCallback(GeneralCallbackUpdateAutomatically), &handlesContext->ChangedEventRegistration ); PhUnregisterProvider(&handlesContext->ProviderRegistration); PhDereferenceObject(handlesContext->Provider); PhDeleteProviderEventQueue(&handlesContext->EventQueue); if (handlesContext->TreeNewFont) DeleteFont(handlesContext->TreeNewFont); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = handlesContext->TreeNewHandle; treeNewInfo.CmData = &handlesContext->ListContext.Cm; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackHandleTreeNewUninitializing), &treeNewInfo); } PhSaveSettingsHandleList(&handlesContext->ListContext); PhDeleteHandleList(&handlesContext->ListContext); PhFree(handlesContext); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, handlesContext->SearchWindowHandle, dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, handlesContext->TreeNewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_SHOWCONTEXTMENU: { PhShowHandleContextMenu(hwndDlg, processItem, handlesContext, (PPH_TREENEW_CONTEXT_MENU)lParam); } break; case ID_HANDLE_CLOSE: { PPH_HANDLE_ITEM *handles; ULONG numberOfHandles; PhGetSelectedHandleItems(&handlesContext->ListContext, &handles, &numberOfHandles); PhReferenceObjects(handles, numberOfHandles); if (PhUiCloseHandles(hwndDlg, processItem->ProcessId, handles, numberOfHandles, !!lParam)) PhDeselectAllHandleNodes(&handlesContext->ListContext); PhDereferenceObjects(handles, numberOfHandles); PhFree(handles); } break; case ID_HANDLE_PROTECTED: case ID_HANDLE_INHERIT: { PPH_HANDLE_ITEM handleItem = PhGetSelectedHandleItem(&handlesContext->ListContext); if (handleItem) { ULONG attributes = 0; // Re-create the attributes. if (handlesContext->SelectedHandleProtected) attributes |= OBJ_PROTECT_CLOSE; if (handlesContext->SelectedHandleInherit) attributes |= OBJ_INHERIT; // Toggle the appropriate bit. if (GET_WM_COMMAND_ID(wParam, lParam) == ID_HANDLE_PROTECTED) attributes ^= OBJ_PROTECT_CLOSE; else if (GET_WM_COMMAND_ID(wParam, lParam) == ID_HANDLE_INHERIT) attributes ^= OBJ_INHERIT; PhReferenceObject(handleItem); PhUiSetAttributesHandle(hwndDlg, processItem->ProcessId, handleItem, attributes); PhDereferenceObject(handleItem); } } break; case ID_HANDLE_SECURITY: { PPH_HANDLE_ITEM handleItem = PhGetSelectedHandleItem(&handlesContext->ListContext); if (handleItem) { PHANDLE_OPEN_CONTEXT context; context = PhAllocateZero(sizeof(HANDLE_OPEN_CONTEXT)); context->HandleItem = PhReferenceObject(handleItem); context->ProcessId = processItem->ProcessId; PhEditSecurity( PhCsForceNoParent ? NULL : hwndDlg, PhGetString(handleItem->ObjectName), PhGetString(handleItem->TypeName), PhpProcessHandleOpenCallback, PhpProcessHandleCloseCallback, context ); } } break; case ID_HANDLE_GOTOOWNINGPROCESS: { PPH_HANDLE_ITEM handleItem = PhGetSelectedHandleItem(&handlesContext->ListContext); if (handleItem) { HANDLE processHandle; HANDLE objectHHandle; PPH_PROCESS_NODE processNode; NTSTATUS status; if (NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_DUP_HANDLE, handleItem->ProcessId ))) { if (NT_SUCCESS(status = NtDuplicateObject( processHandle, handleItem->Handle, NtCurrentProcess(), &objectHHandle, PROCESS_QUERY_LIMITED_INFORMATION, 0, 0 ))) { PROCESS_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(status = PhGetProcessBasicInformation(objectHHandle, &basicInfo))) { if (processNode = PhFindProcessNode(basicInfo.UniqueProcessId)) { SystemInformer_SelectTabPage(0); SystemInformer_SelectProcessNode(processNode); SystemInformer_ToggleVisible(TRUE); } else { PhShowStatus(hwndDlg, L"The process does not exist.", STATUS_INVALID_CID, 0); } } NtClose(objectHHandle); } NtClose(processHandle); } if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to query the process.", status, 0); } } } break; case ID_HANDLE_OBJECTPROPERTIES1: case ID_HANDLE_OBJECTPROPERTIES2: { PPH_HANDLE_ITEM handleItem = PhGetSelectedHandleItem(&handlesContext->ListContext); if (handleItem) { PH_HANDLE_ITEM_INFO info; info.ProcessId = processItem->ProcessId; info.Handle = handleItem->Handle; info.TypeName = handleItem->TypeName; info.BestObjectName = handleItem->BestObjectName; if (GET_WM_COMMAND_ID(wParam, lParam) == ID_HANDLE_OBJECTPROPERTIES1) PhShowHandleObjectProperties1(hwndDlg, &info); else PhShowHandleObjectProperties2(hwndDlg, &info); } } break; case ID_HANDLE_PROPERTIES: { PPH_HANDLE_ITEM handleItem = PhGetSelectedHandleItem(&handlesContext->ListContext); if (handleItem) { PhReferenceObject(handleItem); PhShowHandleProperties(hwndDlg, processItem->ProcessId, handleItem); PhDereferenceObject(handleItem); } } break; case ID_HANDLE_COPY: { PPH_STRING text; text = PhGetTreeNewText(handlesContext->TreeNewHandle, 0); PhSetClipboardString(handlesContext->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; case IDC_OPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM protectedMenuItem; PPH_EMENU_ITEM inheritMenuItem; PPH_EMENU_ITEM unnamedMenuItem; PPH_EMENU_ITEM etwMenuItem; PPH_EMENU_ITEM protectedHighlightMenuItem; PPH_EMENU_ITEM inheritHighlightMenuItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_OPTIONS), &rect)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, protectedMenuItem = PhCreateEMenuItem(0, PH_HANDLE_TREE_MENUITEM_HIDE_PROTECTED_HANDLES, L"Hide protected handles", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, inheritMenuItem = PhCreateEMenuItem(0, PH_HANDLE_TREE_MENUITEM_HIDE_INHERIT_HANDLES, L"Hide inherit handles", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, unnamedMenuItem = PhCreateEMenuItem(0, PH_HANDLE_TREE_MENUITEM_HIDE_UNNAMED_HANDLES, L"Hide unnamed handles", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, etwMenuItem = PhCreateEMenuItem(0, PH_HANDLE_TREE_MENUITEM_HIDE_ETW_HANDLES, L"Hide etw handles", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, protectedHighlightMenuItem = PhCreateEMenuItem(0, PH_HANDLE_TREE_MENUITEM_HIGHLIGHT_PROTECTED_HANDLES, L"Highlight protected handles", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, inheritHighlightMenuItem = PhCreateEMenuItem(0, PH_HANDLE_TREE_MENUITEM_HIGHLIGHT_INHERIT_HANDLES, L"Highlight inherit handles", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_HANDLE_TREE_MENUITEM_HANDLESTATS, L"Statistics", NULL, NULL), ULONG_MAX); if (handlesContext->ListContext.HideProtectedHandles) protectedMenuItem->Flags |= PH_EMENU_CHECKED; if (handlesContext->ListContext.HideInheritHandles) inheritMenuItem->Flags |= PH_EMENU_CHECKED; if (handlesContext->ListContext.HideUnnamedHandles) unnamedMenuItem->Flags |= PH_EMENU_CHECKED; if (handlesContext->ListContext.HideEtwHandles) etwMenuItem->Flags |= PH_EMENU_CHECKED; if (PhCsUseColorProtectedHandles) protectedHighlightMenuItem->Flags |= PH_EMENU_CHECKED; if (PhCsUseColorInheritHandles) inheritHighlightMenuItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id) { if (selectedItem->Id == PH_HANDLE_TREE_MENUITEM_HIGHLIGHT_PROTECTED_HANDLES) { // HACK (dmex) PhSetIntegerSetting(SETTING_USE_COLOR_PROTECTED_HANDLES, !PhCsUseColorProtectedHandles); PhCsUseColorProtectedHandles = !PhCsUseColorProtectedHandles; TreeNew_NodesStructured(handlesContext->TreeNewHandle); } else if (selectedItem->Id == PH_HANDLE_TREE_MENUITEM_HIGHLIGHT_INHERIT_HANDLES) { // HACK (dmex) PhSetIntegerSetting(SETTING_USE_COLOR_INHERIT_HANDLES, !PhCsUseColorInheritHandles); PhCsUseColorInheritHandles = !PhCsUseColorInheritHandles; TreeNew_NodesStructured(handlesContext->TreeNewHandle); } else if (selectedItem->Id == PH_HANDLE_TREE_MENUITEM_HANDLESTATS) { PhShowHandleStatisticsDialog(hwndDlg, handlesContext->Provider->ProcessId); } else { PhSetOptionsHandleList(&handlesContext->ListContext, selectedItem->Id); PhSaveSettingsHandleList(&handlesContext->ListContext); PhApplyTreeNewFilters(&handlesContext->ListContext.TreeFilterSupport); } } PhDestroyEMenu(menu); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_SETACTIVE: PhSetEnabledProvider(&handlesContext->ProviderRegistration, TRUE); break; case PSN_KILLACTIVE: PhSetEnabledProvider(&handlesContext->ProviderRegistration, FALSE); break; case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)handlesContext->TreeNewHandle); return TRUE; } } break; case WM_KEYDOWN: { if (LOWORD(wParam) == 'K') { if (GetKeyState(VK_CONTROL) < 0) { SetFocus(handlesContext->SearchWindowHandle); return TRUE; } } } break; case WM_PH_HANDLES_UPDATED: { ULONG upToRunId = (ULONG)wParam; PPH_PROVIDER_EVENT events; ULONG count; ULONG i; events = PhFlushProviderEventQueue(&handlesContext->EventQueue, upToRunId, &count); if (events) { TreeNew_SetRedraw(handlesContext->TreeNewHandle, FALSE); for (i = 0; i < count; i++) { PH_PROVIDER_EVENT_TYPE type = PH_PROVIDER_EVENT_TYPE(events[i]); PPH_HANDLE_ITEM handleItem = PH_PROVIDER_EVENT_OBJECT(events[i]); switch (type) { case ProviderAddedEvent: PhAddHandleNode(&handlesContext->ListContext, handleItem, events[i].RunId); PhDereferenceObject(handleItem); break; case ProviderModifiedEvent: PhUpdateHandleNode(&handlesContext->ListContext, PhFindHandleNode(&handlesContext->ListContext, handleItem->Handle)); break; case ProviderRemovedEvent: PhRemoveHandleNode(&handlesContext->ListContext, PhFindHandleNode(&handlesContext->ListContext, handleItem->Handle)); break; } } PhFree(events); } PhTickHandleNodes(&handlesContext->ListContext); if (handlesContext->LastRunStatus != handlesContext->Provider->RunStatus) { NTSTATUS status; PPH_STRING message; status = handlesContext->Provider->RunStatus; handlesContext->LastRunStatus = status; if (!PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) status = STATUS_SUCCESS; if (NT_SUCCESS(status)) { TreeNew_SetEmptyText(handlesContext->TreeNewHandle, &EmptyHandlesText, 0); } else { message = PhGetStatusMessage(status, 0); PhMoveReference(&handlesContext->ErrorMessage, PhFormatString(L"Unable to query handle information:\n%s", PhGetStringOrDefault(message, L"Unknown error."))); PhClearReference(&message); TreeNew_SetEmptyText(handlesContext->TreeNewHandle, &handlesContext->ErrorMessage->sr, 0); } InvalidateRect(handlesContext->TreeNewHandle, NULL, FALSE); } if (count != 0) { // Refresh the visible nodes. PhApplyTreeNewFilters(&handlesContext->ListContext.TreeFilterSupport); TreeNew_SetRedraw(handlesContext->TreeNewHandle, TRUE); } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgjob.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #include #include #include _Function_class_(PH_OPEN_OBJECT) NTSTATUS NTAPI PhpOpenProcessJobForPage( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_ PVOID Context ) { NTSTATUS status; HANDLE processHandle; HANDLE jobHandle = NULL; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, (HANDLE)Context ))) return status; status = KphOpenProcessJob(processHandle, DesiredAccess, &jobHandle); NtClose(processHandle); if (NT_SUCCESS(status) && status != STATUS_PROCESS_NOT_IN_JOB && jobHandle) { *Handle = jobHandle; } else if (NT_SUCCESS(status)) { status = STATUS_UNSUCCESSFUL; } return status; } _Function_class_(PH_CLOSE_OBJECT) NTSTATUS NTAPI PhpCloseProcessJobForPage( _In_ HANDLE Handle, _In_ BOOLEAN Release, _In_opt_ PVOID Context ) { return NtClose(Handle); } INT_PTR CALLBACK PhpProcessJobHookProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_SHOWWINDOW: { if (!PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT)) // LayoutInitialized { PPH_LAYOUT_ITEM dialogItem; // This is a big violation of abstraction... dialogItem = PhAddPropPageLayoutItem(hwndDlg, hwndDlg, PH_PROP_PAGE_TAB_CONTROL_PARENT, PH_ANCHOR_ALL); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_NAME), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_TERMINATE), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_PROCESSES), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_ADD), dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_LIMITS), dialogItem, PH_ANCHOR_ALL); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_ADVANCED), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhDoPropPageLayout(hwndDlg); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, UlongToPtr(TRUE)); } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgmem.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include static PPH_OBJECT_TYPE PhMemoryContextType = NULL; static PH_STRINGREF EmptyMemoryText = PH_STRINGREF_INIT(L"There are no memory regions to display."); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpRefreshProcessMemoryThread( _In_ PVOID Context ) { PPH_MEMORY_CONTEXT memoryContext = Context; ULONG flags = PH_QUERY_MEMORY_REGION_TYPE | PH_QUERY_MEMORY_WS_COUNTERS; if (memoryContext->ListContext.ZeroPadAddresses) flags |= PH_QUERY_MEMORY_ZERO_PAD_ADDRESSES; if (PH_IS_REAL_PROCESS_ID(memoryContext->ProcessId)) { memoryContext->LastRunStatus = PhQueryMemoryItemList( memoryContext->ProcessId, flags, &memoryContext->MemoryItemList ); } if (NT_SUCCESS(memoryContext->LastRunStatus)) { if (PhPluginsEnabled) { PH_PLUGIN_MEMORY_ITEM_LIST_CONTROL control; control.Type = PluginMemoryItemListInitialized; control.u.Initialized.List = &memoryContext->MemoryItemList; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMemoryItemListControl), &control); } memoryContext->MemoryItemListValid = TRUE; } PostMessage(memoryContext->WindowHandle, WM_PH_INVOKE, 0, 0); PhDereferenceObject(memoryContext); return STATUS_SUCCESS; } VOID PhpRefreshProcessMemoryList( _In_ PPH_PROCESS_PROPPAGECONTEXT PropPageContext ) { PPH_MEMORY_CONTEXT memoryContext = PropPageContext->Context; if (memoryContext->MemoryItemListValid) { PhDeleteMemoryItemList(&memoryContext->MemoryItemList); memoryContext->MemoryItemListValid = FALSE; } PhReferenceObject(memoryContext); PhCreateThread2(PhpRefreshProcessMemoryThread, memoryContext); } VOID PhpInitializeMemoryMenu( _In_ PPH_EMENU Menu, _In_ HANDLE ProcessId, _In_ PPH_MEMORY_NODE *MemoryNodes, _In_ ULONG NumberOfMemoryNodes ) { if (NumberOfMemoryNodes == 0) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } else if (NumberOfMemoryNodes == 1 && !MemoryNodes[0]->IsAllocationBase) { if (MemoryNodes[0]->MemoryItem->State & MEM_FREE) { PhEnableEMenuItem(Menu, ID_MEMORY_CHANGEPROTECTION, FALSE); PhEnableEMenuItem(Menu, ID_MEMORY_FREE, FALSE); PhEnableEMenuItem(Menu, ID_MEMORY_DECOMMIT, FALSE); } else if (MemoryNodes[0]->MemoryItem->Type & (MEM_MAPPED | MEM_IMAGE)) { PhEnableEMenuItem(Menu, ID_MEMORY_DECOMMIT, FALSE); } } else { ULONG i; ULONG numberOfAllocationBase = 0; PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); PhEnableEMenuItem(Menu, ID_MEMORY_COPY, TRUE); for (i = 0; i < NumberOfMemoryNodes; i++) { if (MemoryNodes[i]->IsAllocationBase) numberOfAllocationBase++; } if (numberOfAllocationBase == 0 || numberOfAllocationBase == NumberOfMemoryNodes) PhEnableEMenuItem(Menu, ID_MEMORY_SAVE, TRUE); } } VOID PhShowMemoryContextMenu( _In_ HWND hwndDlg, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_MEMORY_CONTEXT Context, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PPH_MEMORY_NODE *memoryNodes; ULONG numberOfMemoryNodes; PhGetSelectedMemoryNodes(&Context->ListContext, &memoryNodes, &numberOfMemoryNodes); if (numberOfMemoryNodes != 0) { PPH_EMENU menu; PPH_EMENU_ITEM item; PH_PLUGIN_MENU_INFORMATION menuInfo; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_READWRITEMEMORY, L"&Read/Write memory...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_CHANGEPROTECTION, L"Change &protection...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_EMPTYWORKINGSET, L"&Empty working set...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_FREE, L"&Free", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_DECOMMIT, L"&Decommit", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_SAVE, L"&Save...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MEMORY_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhSetFlagsEMenuItem(menu, ID_MEMORY_READWRITEMEMORY, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhpInitializeMemoryMenu(menu, ProcessItem->ProcessId, memoryNodes, numberOfMemoryNodes); PhInsertCopyCellEMenuItem(menu, ID_MEMORY_COPY, Context->ListContext.TreeNewHandle, ContextMenu->Column); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, hwndDlg, 0); menuInfo.u.Memory.ProcessId = ProcessItem->ProcessId; menuInfo.u.Memory.MemoryNodes = memoryNodes; menuInfo.u.Memory.NumberOfMemoryNodes = numberOfMemoryNodes; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMemoryMenuInitializing), &menuInfo); } item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(item); if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) SendMessage(hwndDlg, WM_COMMAND, item->Id, 0); } PhDestroyEMenu(menu); } PhFree(memoryNodes); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpMemoryTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_MEMORY_CONTEXT memoryContext = Context; PPH_MEMORY_NODE memoryNode = (PPH_MEMORY_NODE)Node; PPH_MEMORY_ITEM memoryItem = memoryNode->MemoryItem; PCPH_STRINGREF string; PPH_STRING useText; if (memoryContext->ListContext.HideFreeRegions && FlagOn(memoryItem->State, MEM_FREE)) return FALSE; if (memoryContext->ListContext.HideGuardRegions && FlagOn(memoryItem->Protect, PAGE_GUARD)) return FALSE; if ( memoryContext->ListContext.HideReservedRegions && (FlagOn(memoryItem->Type, MEM_PRIVATE) || FlagOn(memoryItem->Type, MEM_MAPPED) || FlagOn(memoryItem->Type, MEM_IMAGE)) && FlagOn(memoryItem->State, MEM_RESERVE) && memoryItem->AllocationBaseItem // Ignore root nodes ) { return FALSE; } if (!memoryContext->SearchMatchHandle) return TRUE; if (PhSearchControlMatchPointer(memoryContext->SearchMatchHandle, memoryNode->MemoryItem->AllocationBase)) return TRUE; if (PhSearchControlMatchPointerRange( memoryContext->SearchMatchHandle, memoryNode->MemoryItem->AllocationBase, memoryNode->MemoryItem->RegionSize )) return TRUE; if (PhSearchControlMatchPointerRange( memoryContext->SearchMatchHandle, memoryNode->MemoryItem->BaseAddress, memoryNode->MemoryItem->RegionSize )) return TRUE; if (memoryItem->BaseAddressString[0]) { if (PhSearchControlMatchLongHintZ(memoryContext->SearchMatchHandle, memoryItem->BaseAddressString)) return TRUE; } string = PhGetMemoryTypeString(memoryItem->Type); if (string && string->Length) { if (PhSearchControlMatch(memoryContext->SearchMatchHandle, string)) return TRUE; } string = PhGetMemoryStateString(memoryItem->State); if (string && string->Length) { if (PhSearchControlMatch(memoryContext->SearchMatchHandle, string)) return TRUE; } useText = PH_AUTO(PhGetMemoryRegionUseText(memoryItem)); if (!PhIsNullOrEmptyString(useText)) { if (PhSearchControlMatch(memoryContext->SearchMatchHandle, &useText->sr)) return TRUE; } return FALSE; } VOID PhpPopulateTableWithProcessMemoryNodes( _In_ HWND TreeListHandle, _In_ PPH_MEMORY_NODE Node, _In_ ULONG Level, _In_ PPH_STRING **Table, _Inout_ PULONG Index, _In_ PULONG DisplayToId, _In_ ULONG Columns ) { for (ULONG i = 0; i < Columns; i++) { PH_TREENEW_GET_CELL_TEXT getCellText; PPH_STRING text; getCellText.Node = &Node->Node; getCellText.Id = DisplayToId[i]; PhInitializeEmptyStringRef(&getCellText.Text); TreeNew_GetCellText(TreeListHandle, &getCellText); if (i != 0) { if (getCellText.Text.Length == 0) text = PhReferenceEmptyString(); else text = PhaCreateStringEx(getCellText.Text.Buffer, getCellText.Text.Length); } else { // If this is the first column in the row, add some indentation. text = PhaCreateStringEx( NULL, getCellText.Text.Length + UInt32x32To64(Level, 2) * sizeof(WCHAR) ); wmemset(text->Buffer, L' ', UInt32x32To64(Level, 2)); memcpy(&text->Buffer[UInt32x32To64(Level, 2)], getCellText.Text.Buffer, getCellText.Text.Length); } Table[*Index][i] = text; } (*Index)++; // Process the children. if (!Node->Children) return; for (ULONG i = 0; i < Node->Children->Count; i++) { PhpPopulateTableWithProcessMemoryNodes( TreeListHandle, Node->Children->Items[i], Level + 1, Table, Index, DisplayToId, Columns ); } } PPH_LIST PhpGetProcessMemoryTreeListLines( _In_ HWND TreeListHandle, _In_ ULONG NumberOfNodes, _In_ PPH_LIST RootNodes, _In_ ULONG Mode ) { PH_AUTO_POOL autoPool; PPH_LIST lines; // The number of rows in the table (including +1 for the column headers). ULONG rows; // The number of columns. ULONG columns; // A column display index to ID map. PULONG displayToId; // A column display index to text map. PWSTR *displayToText; // The actual string table. PPH_STRING **table; ULONG i; ULONG j; // Use a local auto-pool to make memory management a bit less painful. PhInitializeAutoPool(&autoPool); rows = NumberOfNodes + 1; // Create the display index to ID map. PhMapDisplayIndexTreeNew(TreeListHandle, &displayToId, &displayToText, &columns); PhaCreateTextTable(&table, rows, columns); // Populate the first row with the column headers. for (i = 0; i < columns; i++) { table[0][i] = PhaCreateString(displayToText[i]); } // Go through the nodes in the process tree and populate each cell of the table. j = 1; // index starts at one because the first row contains the column headers. for (i = 0; i < RootNodes->Count; i++) { PhpPopulateTableWithProcessMemoryNodes( TreeListHandle, RootNodes->Items[i], 0, table, &j, displayToId, columns ); } PhFree(displayToId); PhFree(displayToText); lines = PhaFormatTextTable(table, rows, columns, Mode); PhDeleteAutoPool(&autoPool); return lines; } VOID PhpProcessMemorySave( _In_ PPH_MEMORY_CONTEXT MemoryContext ) { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt;*.log)", L"*.txt;*.log" }, { L"Comma-separated values (*.csv)", L"*.csv" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog = PhCreateSaveFileDialog(); PH_FORMAT format[4]; PPH_PROCESS_ITEM processItem; processItem = PhReferenceProcessItem(MemoryContext->ProcessId); PhInitFormatS(&format[0], L"System Informer ("); PhInitFormatS(&format[1], processItem ? PhGetStringOrDefault(processItem->ProcessName, L"Unknown process") : L"Unknown process"); PhInitFormatS(&format[2], L") Memory"); PhInitFormatS(&format[3], L".txt"); if (processItem) PhDereferenceObject(processItem); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, PH_AUTO_T(PH_STRING, PhFormat(format, 3, 60))->Buffer); if (PhShowFileDialog(MemoryContext->WindowHandle, fileDialog)) { NTSTATUS status; PPH_STRING fileName; ULONG filterIndex; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); filterIndex = PhGetFileDialogFilterIndex(fileDialog); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { ULONG mode; PPH_LIST lines; if (filterIndex == 2) mode = PH_EXPORT_MODE_CSV; else mode = PH_EXPORT_MODE_TABS; PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); if (mode != PH_EXPORT_MODE_CSV) { PhWritePhTextHeader(fileStream); } lines = PhpGetProcessMemoryTreeListLines( MemoryContext->TreeNewHandle, MemoryContext->ListContext.RegionNodeList->Count, MemoryContext->ListContext.RegionNodeList, mode ); for (ULONG i = 0; i < lines->Count; i++) { PPH_STRING line; line = lines->Items[i]; PhWriteStringAsUtf8FileStream(fileStream, &line->sr); PhDereferenceObject(line); PhWriteStringAsUtf8FileStream2(fileStream, L"\r\n"); } PhDereferenceObject(lines); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(MemoryContext->WindowHandle, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpMemoryContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_MEMORY_CONTEXT memoryContext = (PPH_MEMORY_CONTEXT)Object; PhDeleteMemoryList(&memoryContext->ListContext); if (memoryContext->MemoryItemListValid) PhDeleteMemoryItemList(&memoryContext->MemoryItemList); PhClearReference(&memoryContext->ErrorMessage); } PPH_MEMORY_CONTEXT PhCreateMemoryContext( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_MEMORY_CONTEXT memoryContext; if (PhBeginInitOnce(&initOnce)) { PhMemoryContextType = PhCreateObjectType(L"ProcessMemoryContext", 0, PhpMemoryContextDeleteProcedure); PhEndInitOnce(&initOnce); } memoryContext = PhCreateObject( PhEmGetObjectSize(EmMemoryContextType, sizeof(PH_MEMORY_CONTEXT)), PhMemoryContextType ); memset(memoryContext, 0, sizeof(PH_MEMORY_CONTEXT)); return memoryContext; } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpProcessMemorySearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_MEMORY_CONTEXT memoryContext = Context; assert(memoryContext); memoryContext->SearchMatchHandle = MatchHandle; // Expand any hidden nodes to make search results visible. PhExpandAllMemoryNodes(&memoryContext->ListContext, TRUE); PhApplyTreeNewFilters(&memoryContext->ListContext.AllocationTreeFilterSupport); PhApplyTreeNewFilters(&memoryContext->ListContext.TreeFilterSupport); } INT_PTR CALLBACK PhpProcessMemoryDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_MEMORY_CONTEXT memoryContext; LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem)) { memoryContext = (PPH_MEMORY_CONTEXT)propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { memoryContext = propPageContext->Context = PhCreateMemoryContext(); memoryContext->WindowHandle = hwndDlg; memoryContext->ProcessId = processItem->ProcessId; memoryContext->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST); memoryContext->SearchboxHandle = GetDlgItem(hwndDlg, IDC_SEARCH); memoryContext->LastRunStatus = ULONG_MAX; memoryContext->ErrorMessage = NULL; // Initialize the list. PhInitializeMemoryList(hwndDlg, memoryContext->TreeNewHandle, &memoryContext->ListContext); if (PhTreeWindowFont) { memoryContext->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(memoryContext->TreeNewHandle, memoryContext->TreeNewFont, FALSE); } TreeNew_SetEmptyText(memoryContext->TreeNewHandle, &PhProcessPropPageLoadingText, 0); memoryContext->AllocationFilterEntry = PhAddTreeNewFilter(&memoryContext->ListContext.AllocationTreeFilterSupport, PhpMemoryTreeFilterCallback, memoryContext); memoryContext->FilterEntry = PhAddTreeNewFilter(&memoryContext->ListContext.TreeFilterSupport, PhpMemoryTreeFilterCallback, memoryContext); PhCreateSearchControl( hwndDlg, memoryContext->SearchboxHandle, L"Search Memory (Ctrl+K)", PhpProcessMemorySearchControlCallback, memoryContext ); PhEmCallObjectOperation(EmMemoryContextType, memoryContext, EmObjectCreate); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = memoryContext->TreeNewHandle; treeNewInfo.CmData = &memoryContext->ListContext.Cm; treeNewInfo.SystemContext = memoryContext; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMemoryTreeNewInitializing), &treeNewInfo); } PhLoadSettingsMemoryList(&memoryContext->ListContext); PhpRefreshProcessMemoryList(propPageContext); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveTreeNewFilter(&memoryContext->ListContext.TreeFilterSupport, memoryContext->FilterEntry); PhRemoveTreeNewFilter(&memoryContext->ListContext.TreeFilterSupport, memoryContext->AllocationFilterEntry); PhEmCallObjectOperation(EmMemoryContextType, memoryContext, EmObjectDelete); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = memoryContext->TreeNewHandle; treeNewInfo.CmData = &memoryContext->ListContext.Cm; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackMemoryTreeNewUninitializing), &treeNewInfo); } PhSaveSettingsMemoryList(&memoryContext->ListContext); if (memoryContext->TreeNewFont) DeleteFont(memoryContext->TreeNewFont); PhDereferenceObject(memoryContext); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, memoryContext->SearchboxHandle, dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, memoryContext->ListContext.TreeNewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_SHOWCONTEXTMENU: { PhShowMemoryContextMenu(hwndDlg, processItem, memoryContext, (PPH_TREENEW_CONTEXT_MENU)lParam); } break; case ID_MEMORY_READWRITEMEMORY: { PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext); if (memoryNode && !memoryNode->IsAllocationBase) { PPH_SHOW_MEMORY_EDITOR showMemoryEditor; showMemoryEditor = PhAllocateZero(sizeof(PH_SHOW_MEMORY_EDITOR)); showMemoryEditor->OwnerWindow = hwndDlg; showMemoryEditor->ProcessId = processItem->ProcessId; showMemoryEditor->BaseAddress = memoryNode->MemoryItem->BaseAddress; showMemoryEditor->RegionSize = memoryNode->MemoryItem->RegionSize; showMemoryEditor->SelectOffset = ULONG_MAX; showMemoryEditor->SelectLength = 0; SystemInformer_ShowMemoryEditor(showMemoryEditor); } } break; case ID_MEMORY_SAVE: { NTSTATUS status; HANDLE processHandle; PPH_MEMORY_NODE *memoryNodes; ULONG numberOfMemoryNodes; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_VM_READ, processItem->ProcessId ))) { PhShowStatus(hwndDlg, L"Unable to open the process", status, 0); break; } PhGetSelectedMemoryNodes(&memoryContext->ListContext, &memoryNodes, &numberOfMemoryNodes); if (numberOfMemoryNodes != 0) { static PH_FILETYPE_FILTER filters[] = { { L"Binary files (*.bin)", L"*.bin" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; fileDialog = PhCreateSaveFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, PhaConcatStrings2(processItem->ProcessName->Buffer, L".bin")->Buffer); if (PhShowFileDialog(hwndDlg, fileDialog)) { PPH_STRING fileName; PPH_FILE_STREAM fileStream; PVOID buffer; ULONG i; ULONG_PTR offset; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { if (buffer = PhAllocatePage(PAGE_SIZE, NULL)) { // Go through each selected memory item and append the region contents // to the file. for (i = 0; i < numberOfMemoryNodes; i++) { PPH_MEMORY_NODE memoryNode = memoryNodes[i]; PPH_MEMORY_ITEM memoryItem = memoryNode->MemoryItem; if (!memoryNode->IsAllocationBase && !(memoryItem->State & MEM_COMMIT)) continue; for (offset = 0; offset < memoryItem->RegionSize; offset += PAGE_SIZE) { if (NT_SUCCESS(PhReadVirtualMemory( processHandle, PTR_ADD_OFFSET(memoryItem->BaseAddress, offset), buffer, PAGE_SIZE, NULL ))) { PhWriteFileStream(fileStream, buffer, PAGE_SIZE); } } } PhFreePage(buffer); } PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } PhFree(memoryNodes); NtClose(processHandle); } break; case ID_MEMORY_CHANGEPROTECTION: { PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext); if (memoryNode) { PhReferenceObject(memoryNode->MemoryItem); PhShowMemoryProtectDialog(hwndDlg, processItem, memoryNode->MemoryItem); PhUpdateMemoryNode(&memoryContext->ListContext, memoryNode); PhDereferenceObject(memoryNode->MemoryItem); } } break; case ID_MEMORY_FREE: { PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext); if (memoryNode) { PhReferenceObject(memoryNode->MemoryItem); if (PhUiFreeMemory(hwndDlg, processItem->ProcessId, memoryNode->MemoryItem, TRUE)) { PhRemoveMemoryNode(&memoryContext->ListContext, &memoryContext->MemoryItemList, memoryNode); } PhDereferenceObject(memoryNode->MemoryItem); } } break; case ID_MEMORY_DECOMMIT: { PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext); if (memoryNode) { PhReferenceObject(memoryNode->MemoryItem); if (PhUiFreeMemory(hwndDlg, processItem->ProcessId, memoryNode->MemoryItem, FALSE)) { PhRemoveMemoryNode(&memoryContext->ListContext, &memoryContext->MemoryItemList, memoryNode); } PhDereferenceObject(memoryNode->MemoryItem); } } break; case ID_MEMORY_EMPTYWORKINGSET: { PPH_MEMORY_NODE memoryNode = PhGetSelectedMemoryNode(&memoryContext->ListContext); if (memoryNode) { PhReferenceObject(memoryNode->MemoryItem); if (PhUiEmptyProcessMemoryWorkingSet(hwndDlg, processItem->ProcessId, memoryNode->MemoryItem)) { // Refresh counters or statistics. } PhDereferenceObject(memoryNode->MemoryItem); } } break; case ID_MEMORY_COPY: { PPH_STRING text; text = PhGetTreeNewText(memoryContext->TreeNewHandle, 0); PhSetClipboardString(memoryContext->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; case IDC_REFRESH: PhpRefreshProcessMemoryList(propPageContext); break; case IDC_FILTEROPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM freeItem; PPH_EMENU_ITEM reservedItem; PPH_EMENU_ITEM guardItem; PPH_EMENU_ITEM privateItem; PPH_EMENU_ITEM systemItem; PPH_EMENU_ITEM cfgItem; PPH_EMENU_ITEM typeItem; PPH_EMENU_ITEM zeroPadItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_FILTEROPTIONS), &rect)) break; typedef enum _PH_MEMORY_FILTER_MENU_ITEM { PH_MEMORY_FILTER_MENU_HIDE_FREE = 1, PH_MEMORY_FILTER_MENU_HIDE_RESERVED, PH_MEMORY_FILTER_MENU_HIGHLIGHT_PRIVATE, PH_MEMORY_FILTER_MENU_HIGHLIGHT_SYSTEM, PH_MEMORY_FILTER_MENU_HIGHLIGHT_CFG, PH_MEMORY_FILTER_MENU_HIGHLIGHT_EXECUTE, PH_MEMORY_FILTER_MENU_HIDE_GUARD, // Non-standard PH_MEMORY_FLAG options. PH_MEMORY_FILTER_MENU_READ_ADDRESS, PH_MEMORY_FILTER_MENU_HEAPS, PH_MEMORY_FILTER_MENU_MODIFIED, PH_MEMORY_FILTER_MENU_STRINGS, PH_MEMORY_FILTER_MENU_SAVE, PH_MEMORY_FILTER_MENU_ZERO_PAD_ADDRESSES } PH_MEMORY_FILTER_MENU_ITEM; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, freeItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HIDE_FREE, L"Hide free pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, reservedItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HIDE_RESERVED, L"Hide reserved pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, guardItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HIDE_GUARD, L"Hide guard pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, privateItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HIGHLIGHT_PRIVATE, L"Highlight private pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, systemItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HIGHLIGHT_SYSTEM, L"Highlight system pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, cfgItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HIGHLIGHT_CFG, L"Highlight CFG pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, typeItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HIGHLIGHT_EXECUTE, L"Highlight executable pages", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, zeroPadItem = PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_ZERO_PAD_ADDRESSES, L"Zero pad addresses", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_READ_ADDRESS, L"Read/Write &address...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_HEAPS, L"Heaps...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_MODIFIED, L"Modified...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_STRINGS, L"Strings...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_MEMORY_FILTER_MENU_SAVE, L"Save...", NULL, NULL), ULONG_MAX); if (memoryContext->ListContext.HideFreeRegions) freeItem->Flags |= PH_EMENU_CHECKED; if (memoryContext->ListContext.HideReservedRegions) reservedItem->Flags |= PH_EMENU_CHECKED; if (memoryContext->ListContext.HideGuardRegions) guardItem->Flags |= PH_EMENU_CHECKED; if (memoryContext->ListContext.HighlightPrivatePages) privateItem->Flags |= PH_EMENU_CHECKED; if (memoryContext->ListContext.HighlightSystemPages) systemItem->Flags |= PH_EMENU_CHECKED; if (memoryContext->ListContext.HighlightCfgPages) cfgItem->Flags |= PH_EMENU_CHECKED; if (memoryContext->ListContext.HighlightExecutePages) typeItem->Flags |= PH_EMENU_CHECKED; if (memoryContext->ListContext.ZeroPadAddresses) zeroPadItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id) { if (selectedItem->Id == PH_MEMORY_FILTER_MENU_HIDE_FREE || selectedItem->Id == PH_MEMORY_FILTER_MENU_HIDE_RESERVED || selectedItem->Id == PH_MEMORY_FILTER_MENU_HIDE_GUARD || selectedItem->Id == PH_MEMORY_FILTER_MENU_HIGHLIGHT_PRIVATE || selectedItem->Id == PH_MEMORY_FILTER_MENU_HIGHLIGHT_SYSTEM || selectedItem->Id == PH_MEMORY_FILTER_MENU_HIGHLIGHT_CFG || selectedItem->Id == PH_MEMORY_FILTER_MENU_HIGHLIGHT_EXECUTE) { ULONG id = ULONG_MAX; switch (selectedItem->Id) { case PH_MEMORY_FILTER_MENU_HIDE_FREE: id = PH_MEMORY_FLAGS_FREE_OPTION; break; case PH_MEMORY_FILTER_MENU_HIDE_RESERVED: id = PH_MEMORY_FLAGS_RESERVED_OPTION; break; case PH_MEMORY_FILTER_MENU_HIDE_GUARD: id = PH_MEMORY_FLAGS_GUARD_OPTION; break; case PH_MEMORY_FILTER_MENU_HIGHLIGHT_PRIVATE: id = PH_MEMORY_FLAGS_PRIVATE_OPTION; break; case PH_MEMORY_FILTER_MENU_HIGHLIGHT_SYSTEM: id = PH_MEMORY_FLAGS_SYSTEM_OPTION; break; case PH_MEMORY_FILTER_MENU_HIGHLIGHT_CFG: id = PH_MEMORY_FLAGS_CFG_OPTION; break; case PH_MEMORY_FILTER_MENU_HIGHLIGHT_EXECUTE: id = PH_MEMORY_FLAGS_EXECUTE_OPTION; break; } if (id != ULONG_MAX) { PhSetOptionsMemoryList(&memoryContext->ListContext, selectedItem->Id); PhSaveSettingsMemoryList(&memoryContext->ListContext); PhApplyTreeNewFilters(&memoryContext->ListContext.AllocationTreeFilterSupport); PhApplyTreeNewFilters(&memoryContext->ListContext.TreeFilterSupport); } } else if (selectedItem->Id == PH_MEMORY_FILTER_MENU_ZERO_PAD_ADDRESSES) { PhSetOptionsMemoryList(&memoryContext->ListContext, PH_MEMORY_FLAGS_ZERO_PAD_ADDRESSES); PhSaveSettingsMemoryList(&memoryContext->ListContext); PhInvalidateAllMemoryBaseAddressNodes(&memoryContext->ListContext); } else if (selectedItem->Id == PH_MEMORY_FILTER_MENU_HEAPS) { PhShowProcessHeapsDialog(hwndDlg, processItem); } else if (selectedItem->Id == PH_MEMORY_FILTER_MENU_MODIFIED) { PhShowImagePageModifiedDialog(hwndDlg, processItem); } else if (selectedItem->Id == PH_MEMORY_FILTER_MENU_STRINGS) { if (PhGetIntegerSetting(SETTING_ENABLE_MEM_STRINGS_TREE_DIALOG)) PhShowMemoryStringTreeDialog(hwndDlg, processItem); else PhShowMemoryStringDialog(hwndDlg, processItem); } else if (selectedItem->Id == PH_MEMORY_FILTER_MENU_SAVE) { PhpProcessMemorySave(memoryContext); } else if (selectedItem->Id == PH_MEMORY_FILTER_MENU_READ_ADDRESS) { PPH_STRING selectedChoice = NULL; if (!memoryContext->MemoryItemListValid) break; while (PhaChoiceDialog( hwndDlg, L"Read/Write Address", L"Enter an address:", NULL, 0, NULL, PH_CHOICE_DIALOG_USER_CHOICE, &selectedChoice, NULL, SETTING_MEMORY_READ_WRITE_ADDRESS_CHOICES )) { ULONG64 address64; PVOID address; if (selectedChoice->Length == 0) continue; if (PhStringToInteger64(&selectedChoice->sr, 0, &address64)) { PPH_MEMORY_ITEM memoryItem; address = (PVOID)address64; memoryItem = PhLookupMemoryItemList(&memoryContext->MemoryItemList, address); if (memoryItem) { PPH_SHOW_MEMORY_EDITOR showMemoryEditor; showMemoryEditor = PhAllocateZero(sizeof(PH_SHOW_MEMORY_EDITOR)); showMemoryEditor->ProcessId = processItem->ProcessId; showMemoryEditor->BaseAddress = memoryItem->BaseAddress; showMemoryEditor->RegionSize = memoryItem->RegionSize; showMemoryEditor->SelectOffset = (ULONG)((ULONG_PTR)address - (ULONG_PTR)memoryItem->BaseAddress); showMemoryEditor->SelectLength = 0; SystemInformer_ShowMemoryEditor(showMemoryEditor); break; } else { PhShowStatus(hwndDlg, L"Unable to find the memory region for the selected address.", STATUS_UNSUCCESSFUL, 0); } } } } } PhDestroyEMenu(menu); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)memoryContext->TreeNewHandle); return TRUE; } } break; case WM_KEYDOWN: { if (LOWORD(wParam) == 'K') { if (GetKeyState(VK_CONTROL) < 0) { SetFocus(memoryContext->SearchboxHandle); return TRUE; } } } break; case WM_PH_INVOKE: { if (memoryContext->MemoryItemListValid) { TreeNew_SetEmptyText(memoryContext->ListContext.TreeNewHandle, &EmptyMemoryText, 0); PhReplaceMemoryList(&memoryContext->ListContext, &memoryContext->MemoryItemList); } else if (memoryContext->LastRunStatus == ULONG_MAX) { TreeNew_SetEmptyText(memoryContext->ListContext.TreeNewHandle, &EmptyMemoryText, 0); TreeNew_NodesStructured(memoryContext->ListContext.TreeNewHandle); } else { PPH_STRING message; message = PhGetStatusMessage(memoryContext->LastRunStatus, 0); PhMoveReference(&memoryContext->ErrorMessage, PhFormatString(L"Unable to query memory information:\n%s", PhGetStringOrDefault(message, L"Unknown error."))); TreeNew_SetEmptyText(memoryContext->ListContext.TreeNewHandle, &memoryContext->ErrorMessage->sr, 0); PhReplaceMemoryList(&memoryContext->ListContext, NULL); PhClearReference(&message); } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgmod.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include static CONST PH_STRINGREF EmptyModulesText = PH_STRINGREF_INIT(L"There are no modules to display."); _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ModuleAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_MODULES_CONTEXT modulesContext = (PPH_MODULES_CONTEXT)Context; // Parameter contains a pointer to the added module item. PhReferenceObject(Parameter); PhPushProviderEventQueue(&modulesContext->EventQueue, ProviderAddedEvent, Parameter, PhGetRunIdProvider(&modulesContext->ProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ModuleModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_MODULES_CONTEXT modulesContext = (PPH_MODULES_CONTEXT)Context; PhPushProviderEventQueue(&modulesContext->EventQueue, ProviderModifiedEvent, Parameter, PhGetRunIdProvider(&modulesContext->ProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ModuleRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_MODULES_CONTEXT modulesContext = (PPH_MODULES_CONTEXT)Context; PhPushProviderEventQueue(&modulesContext->EventQueue, ProviderRemovedEvent, Parameter, PhGetRunIdProvider(&modulesContext->ProviderRegistration)); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ModulesUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_MODULES_CONTEXT modulesContext = (PPH_MODULES_CONTEXT)Context; PostMessage(modulesContext->WindowHandle, WM_PH_MODULES_UPDATED, PhGetRunIdProvider(&modulesContext->ProviderRegistration), 0); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ModulesUpdateAutomaticallyHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_MODULES_CONTEXT modulesContext = (PPH_MODULES_CONTEXT)Context; PhSetEnabledProvider(&modulesContext->ProviderRegistration, (BOOLEAN)PtrToUlong(Parameter)); } VOID PhpInitializeModuleMenu( _In_ PPH_EMENU Menu, _In_ HANDLE ProcessId, _In_ PPH_MODULE_ITEM *Modules, _In_ ULONG NumberOfModules ) { if (NumberOfModules == 0) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } else if (NumberOfModules == 1) { // Nothing } else { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); PhEnableEMenuItem(Menu, ID_MODULE_COPY, TRUE); } } VOID PhShowModuleContextMenu( _In_ HWND hwndDlg, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_MODULES_CONTEXT Context, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PPH_MODULE_ITEM *modules; ULONG numberOfModules; PhGetSelectedModuleItems(&Context->ListContext, &modules, &numberOfModules); if (numberOfModules != 0) { PPH_EMENU menu; PPH_EMENU_ITEM item; PH_PLUGIN_MENU_INFORMATION menuInfo; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MODULE_UNLOAD, L"&Unload\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MODULE_OPENFILELOCATION, L"Open &file location\bCtrl+Enter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MODULE_PROPERTIES, L"P&roperties", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_MODULE_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); PhSetFlagsEMenuItem(menu, ID_MODULE_PROPERTIES, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhpInitializeModuleMenu(menu, ProcessItem->ProcessId, modules, numberOfModules); PhInsertCopyCellEMenuItem(menu, ID_MODULE_COPY, Context->ListContext.TreeNewHandle, ContextMenu->Column); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, hwndDlg, 0); menuInfo.u.Module.ProcessId = ProcessItem->ProcessId; menuInfo.u.Module.Modules = modules; menuInfo.u.Module.NumberOfModules = numberOfModules; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackModuleMenuInitializing), &menuInfo); } item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(item); if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) SendMessage(hwndDlg, WM_COMMAND, item->Id, 0); } PhDestroyEMenu(menu); } PhFree(modules); } BOOLEAN PhpModulesTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PPH_MODULES_CONTEXT Context ) { PPH_MODULE_NODE moduleNode = (PPH_MODULE_NODE)Node; PPH_MODULE_ITEM moduleItem = moduleNode->ModuleItem; switch (moduleItem->LoadReason) { case LoadReasonStaticDependency: case LoadReasonStaticForwarderDependency: { if (Context->ListContext.HideStaticModules) return FALSE; } break; case LoadReasonDynamicForwarderDependency: case LoadReasonDynamicLoad: { if (Context->ListContext.HideDynamicModules) return FALSE; } break; } switch (moduleItem->Type) { case PH_MODULE_TYPE_MAPPED_FILE: case PH_MODULE_TYPE_MAPPED_IMAGE: { if (Context->ListContext.HideMappedModules) return FALSE; } break; } if (Context->ListContext.HideSignedModules && moduleItem->VerifyResult == VrTrusted) return FALSE; if ( PhEnableImageCoherencySupport && Context->ListContext.HideLowImageCoherency && PhShouldShowModuleCoherency(moduleItem, TRUE) ) { return FALSE; } if ( PhEnableProcessQueryStage2 && Context->ListContext.HideSystemModules && moduleItem->VerifyResult == VrTrusted && PhEqualStringRef2(&moduleItem->VerifySignerName->sr, L"Microsoft Windows", TRUE) ) { return FALSE; } if (Context->ListContext.HideImageKnownDll && moduleItem->ImageKnownDll) return FALSE; if (!Context->SearchMatchHandle) return TRUE; // module node if (!PhIsNullOrEmptyString(moduleNode->FileNameWin32)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->FileNameWin32->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleNode->SizeText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->SizeText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleNode->TimeStampText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->TimeStampText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleNode->LoadTimeText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->LoadTimeText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleNode->FileModifiedTimeText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->FileModifiedTimeText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleNode->ImageCoherencyText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->ImageCoherencyText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleNode->ServiceText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->ServiceText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleNode->EnclaveSizeText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleNode->EnclaveSizeText->sr)) return TRUE; } // (dmex) TODO: Add search support for the following fields: //ULONG Flags; //ULONG Type; //USHORT ImageCharacteristics; //USHORT ImageDllCharacteristics; // module properties if (moduleItem->BaseAddressString[0]) { if (PhSearchControlMatchZ(Context->SearchMatchHandle, moduleItem->BaseAddressString)) return TRUE; } if (!PhIsNullOrEmptyString(moduleItem->Name)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleItem->Name->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleItem->FileName)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleItem->FileName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleItem->VersionInfo.CompanyName)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleItem->VersionInfo.CompanyName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleItem->VersionInfo.FileDescription)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleItem->VersionInfo.FileDescription->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleItem->VersionInfo.FileVersion)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleItem->VersionInfo.FileVersion->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleItem->VersionInfo.ProductName)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleItem->VersionInfo.ProductName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(moduleItem->VerifySignerName)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &moduleItem->VerifySignerName->sr)) return TRUE; } if (moduleItem->EntryPointAddressString[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, moduleItem->EntryPointAddressString)) return TRUE; } if (moduleItem->ParentBaseAddressString[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, moduleItem->ParentBaseAddressString)) return TRUE; } switch (moduleItem->LoadReason) { case LoadReasonStaticDependency: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Static dependency")) return TRUE; break; case LoadReasonStaticForwarderDependency: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Static forwarder dependency")) return TRUE; break; case LoadReasonDynamicForwarderDependency: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Dynamic forwarder dependency")) return TRUE; break; case LoadReasonDelayloadDependency: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Delay load dependency")) return TRUE; break; case LoadReasonDynamicLoad: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Dynamic")) return TRUE; break; case LoadReasonAsImageLoad: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Image")) return TRUE; break; case LoadReasonAsDataLoad: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Data")) return TRUE; break; } switch (moduleItem->VerifyResult) { case VrNoSignature: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"No Signature")) return TRUE; break; case VrExpired: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Expired")) return TRUE; break; case VrRevoked: case VrDistrust: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Revoked")) return TRUE; break; } switch (moduleItem->VerifyResult) { case VrTrusted: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Trusted")) return TRUE; break; case VrNoSignature: case VrExpired: case VrRevoked: case VrDistrust: case VrUnknown: case VrBadSignature: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"Bad")) return TRUE; break; } if (moduleItem->EnclaveBaseAddress) { if (moduleItem->EnclaveBaseAddressString[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, moduleItem->EnclaveBaseAddressString)) return TRUE; } switch (moduleItem->EnclaveType) { case ENCLAVE_TYPE_SGX: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"SGX")) return TRUE; break; case ENCLAVE_TYPE_SGX2: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"SGX2")) return TRUE; break; case ENCLAVE_TYPE_VBS: if (PhSearchControlMatchZ(Context->SearchMatchHandle, L"VBS")) return TRUE; break; } } return FALSE; } VOID PhpPopulateTableWithProcessModuleNodes( _In_ HWND TreeListHandle, _In_ PPH_MODULE_NODE Node, _In_ ULONG Level, _In_ PPH_STRING **Table, _Inout_ PULONG Index, _In_ PULONG DisplayToId, _In_ ULONG Columns ) { for (ULONG i = 0; i < Columns; i++) { PH_TREENEW_GET_CELL_TEXT getCellText; PPH_STRING text; getCellText.Node = &Node->Node; getCellText.Id = DisplayToId[i]; PhInitializeEmptyStringRef(&getCellText.Text); TreeNew_GetCellText(TreeListHandle, &getCellText); if (i != 0) { if (getCellText.Text.Length == 0) text = PhReferenceEmptyString(); else text = PhaCreateStringEx(getCellText.Text.Buffer, getCellText.Text.Length); } else { // If this is the first column in the row, add some indentation. text = PhaCreateStringEx( NULL, getCellText.Text.Length + UInt32x32To64(Level, 2) * sizeof(WCHAR) ); wmemset(text->Buffer, L' ', UInt32x32To64(Level, 2)); memcpy(&text->Buffer[UInt32x32To64(Level, 2)], getCellText.Text.Buffer, getCellText.Text.Length); } Table[*Index][i] = text; } (*Index)++; // Process the children. for (ULONG i = 0; i < Node->Children->Count; i++) { PhpPopulateTableWithProcessModuleNodes( TreeListHandle, Node->Children->Items[i], Level + 1, Table, Index, DisplayToId, Columns ); } } PPH_LIST PhpGetProcessModuleTreeListLines( _In_ HWND TreeListHandle, _In_ ULONG NumberOfNodes, _In_ PPH_LIST RootNodes, _In_ ULONG Mode ) { PH_AUTO_POOL autoPool; PPH_LIST lines; // The number of rows in the table (including +1 for the column headers). ULONG rows; // The number of columns. ULONG columns; // A column display index to ID map. PULONG displayToId; // A column display index to text map. PWSTR *displayToText; // The actual string table. PPH_STRING **table; ULONG i; ULONG j; // Use a local auto-pool to make memory management a bit less painful. PhInitializeAutoPool(&autoPool); rows = NumberOfNodes + 1; // Create the display index to ID map. PhMapDisplayIndexTreeNew(TreeListHandle, &displayToId, &displayToText, &columns); PhaCreateTextTable(&table, rows, columns); // Populate the first row with the column headers. for (i = 0; i < columns; i++) { table[0][i] = PhaCreateString(displayToText[i]); } // Go through the nodes in the process tree and populate each cell of the table. j = 1; // index starts at one because the first row contains the column headers. for (i = 0; i < RootNodes->Count; i++) { PhpPopulateTableWithProcessModuleNodes( TreeListHandle, RootNodes->Items[i], 0, table, &j, displayToId, columns ); } PhFree(displayToId); PhFree(displayToText); lines = PhaFormatTextTable(table, rows, columns, Mode); PhDeleteAutoPool(&autoPool); return lines; } VOID PhpProcessModulesSave( _In_ PPH_MODULES_CONTEXT ModulesContext ) { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt;*.log)", L"*.txt;*.log" }, { L"Comma-separated values (*.csv)", L"*.csv" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog = PhCreateSaveFileDialog(); PH_FORMAT format[4]; PPH_PROCESS_ITEM processItem; processItem = PhReferenceProcessItem(ModulesContext->Provider->ProcessId); PhInitFormatS(&format[0], L"System Informer ("); PhInitFormatS(&format[1], processItem ? PhGetStringOrDefault(processItem->ProcessName, L"Unknown process") : L"Unknown process"); PhInitFormatS(&format[2], L") Modules"); PhInitFormatS(&format[3], L".txt"); if (processItem) PhDereferenceObject(processItem); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, PH_AUTO_T(PH_STRING, PhFormat(format, 3, 60))->Buffer); if (PhShowFileDialog(ModulesContext->WindowHandle, fileDialog)) { NTSTATUS status; PPH_STRING fileName; ULONG filterIndex; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); filterIndex = PhGetFileDialogFilterIndex(fileDialog); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { ULONG mode; PPH_LIST lines; if (filterIndex == 2) mode = PH_EXPORT_MODE_CSV; else mode = PH_EXPORT_MODE_TABS; PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); if (mode != PH_EXPORT_MODE_CSV) { PhWritePhTextHeader(fileStream); } lines = PhpGetProcessModuleTreeListLines( ModulesContext->TreeNewHandle, ModulesContext->ListContext.NodeList->Count, ModulesContext->ListContext.NodeRootList, mode ); for (ULONG i = 0; i < lines->Count; i++) { PPH_STRING line; line = lines->Items[i]; PhWriteStringAsUtf8FileStream(fileStream, &line->sr); PhDereferenceObject(line); PhWriteStringAsUtf8FileStream2(fileStream, L"\r\n"); } PhDereferenceObject(lines); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(ModulesContext->WindowHandle, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } VOID NTAPI PhpProcessModulesSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_MODULES_CONTEXT modulesContext = Context; assert(modulesContext); modulesContext->SearchMatchHandle = MatchHandle; // Expand any hidden nodes to make search results visible. PhExpandAllModuleNodes(&modulesContext->ListContext, TRUE); PhApplyTreeNewFilters(&modulesContext->ListContext.TreeFilterSupport); } INT_PTR CALLBACK PhpProcessModulesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_MODULES_CONTEXT modulesContext; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem)) { modulesContext = (PPH_MODULES_CONTEXT)propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { modulesContext = propPageContext->Context = PhAllocate(PhEmGetObjectSize(EmModulesContextType, sizeof(PH_MODULES_CONTEXT))); memset(modulesContext, 0, sizeof(PH_MODULES_CONTEXT)); modulesContext->WindowHandle = hwndDlg; modulesContext->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST); modulesContext->SearchboxHandle = GetDlgItem(hwndDlg, IDC_SEARCH); modulesContext->Provider = PhCreateModuleProvider( processItem->ProcessId ); PhRegisterProvider( &PhTertiaryProviderThread, PhModuleProviderUpdate, modulesContext->Provider, &modulesContext->ProviderRegistration ); PhRegisterCallback( &modulesContext->Provider->ModuleAddedEvent, ModuleAddedHandler, modulesContext, &modulesContext->AddedEventRegistration ); PhRegisterCallback( &modulesContext->Provider->ModuleModifiedEvent, ModuleModifiedHandler, modulesContext, &modulesContext->ModifiedEventRegistration ); PhRegisterCallback( &modulesContext->Provider->ModuleRemovedEvent, ModuleRemovedHandler, modulesContext, &modulesContext->RemovedEventRegistration ); PhRegisterCallback( &modulesContext->Provider->UpdatedEvent, ModulesUpdatedHandler, modulesContext, &modulesContext->UpdatedEventRegistration ); // Initialize the list. PhInitializeModuleList(hwndDlg, modulesContext->TreeNewHandle, &modulesContext->ListContext); if (PhTreeWindowFont) { modulesContext->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(modulesContext->TreeNewHandle, modulesContext->TreeNewFont, FALSE); } TreeNew_SetEmptyText(modulesContext->TreeNewHandle, &PhProcessPropPageLoadingText, 0); PhInitializeProviderEventQueue(&modulesContext->EventQueue, 100); modulesContext->LastRunStatus = -1; modulesContext->ErrorMessage = NULL; modulesContext->FilterEntry = PhAddTreeNewFilter(&modulesContext->ListContext.TreeFilterSupport, PhpModulesTreeFilterCallback, modulesContext); // Initialize the CreateTime for the module timeline. (dmex) modulesContext->ListContext.ProcessId = processItem->ProcessId; modulesContext->ListContext.ProcessCreateTime = processItem->CreateTime; modulesContext->ListContext.HasServices = processItem->ServiceList && processItem->ServiceList->Count != 0; modulesContext->ListContext.BoldFont = PhDuplicateFontWithNewWeight(GetWindowFont(modulesContext->TreeNewHandle), FW_BOLD); // Initialize the search box. (dmex) PhCreateSearchControl( hwndDlg, modulesContext->SearchboxHandle, L"Search Modules (Ctrl+K)", PhpProcessModulesSearchControlCallback, modulesContext ); PhEmCallObjectOperation(EmModulesContextType, modulesContext, EmObjectCreate); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = modulesContext->TreeNewHandle; treeNewInfo.CmData = &modulesContext->ListContext.Cm; treeNewInfo.SystemContext = modulesContext; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackModuleTreeNewInitializing), &treeNewInfo); } PhLoadSettingsModuleList(&modulesContext->ListContext); if (modulesContext->ListContext.ZeroPadAddresses) modulesContext->Provider->ZeroPadAddresses = TRUE; PhSetEnabledProvider(&modulesContext->ProviderRegistration, TRUE); PhBoostProvider(&modulesContext->ProviderRegistration, NULL); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackUpdateAutomatically), ModulesUpdateAutomaticallyHandler, modulesContext, &modulesContext->ChangedEventRegistration ); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveTreeNewFilter(&modulesContext->ListContext.TreeFilterSupport, modulesContext->FilterEntry); PhEmCallObjectOperation(EmModulesContextType, modulesContext, EmObjectDelete); PhUnregisterCallback( &modulesContext->Provider->ModuleAddedEvent, &modulesContext->AddedEventRegistration ); PhUnregisterCallback( &modulesContext->Provider->ModuleModifiedEvent, &modulesContext->ModifiedEventRegistration ); PhUnregisterCallback( &modulesContext->Provider->ModuleRemovedEvent, &modulesContext->RemovedEventRegistration ); PhUnregisterCallback( &modulesContext->Provider->UpdatedEvent, &modulesContext->UpdatedEventRegistration ); PhUnregisterCallback( PhGetGeneralCallback(GeneralCallbackUpdateAutomatically), &modulesContext->ChangedEventRegistration ); PhUnregisterProvider(&modulesContext->ProviderRegistration); PhDereferenceObject(modulesContext->Provider); PhDeleteProviderEventQueue(&modulesContext->EventQueue); if (modulesContext->TreeNewFont) DeleteFont(modulesContext->TreeNewFont); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = modulesContext->TreeNewHandle; treeNewInfo.CmData = &modulesContext->ListContext.Cm; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackModuleTreeNewUninitializing), &treeNewInfo); } PhSaveSettingsModuleList(&modulesContext->ListContext); PhDeleteModuleList(&modulesContext->ListContext); if (modulesContext->ListContext.BoldFont) { DeleteFont(modulesContext->ListContext.BoldFont); } PhClearReference(&modulesContext->ErrorMessage); PhFree(modulesContext); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, modulesContext->SearchboxHandle, dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, modulesContext->TreeNewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_DPICHANGED_AFTERPARENT: { HFONT fontHandle = modulesContext->ListContext.BoldFont; modulesContext->ListContext.BoldFont = PhDuplicateFontWithNewWeight(GetWindowFont(modulesContext->TreeNewHandle), FW_BOLD); if (fontHandle) DeleteFont(fontHandle); PhInvalidateAllModuleNodes(&modulesContext->ListContext); } break; case WM_COMMAND: { switch (LOWORD(wParam)) { case ID_SHOWCONTEXTMENU: { PhShowModuleContextMenu(hwndDlg, processItem, modulesContext, (PPH_TREENEW_CONTEXT_MENU)lParam); } break; case ID_MODULE_UNLOAD: { PPH_MODULE_ITEM moduleItem = PhGetSelectedModuleItem(&modulesContext->ListContext); if (moduleItem) { PhReferenceObject(moduleItem); if (PhUiUnloadModule(hwndDlg, processItem->ProcessId, moduleItem)) PhDeselectAllModuleNodes(&modulesContext->ListContext); PhDereferenceObject(moduleItem); } } break; case ID_MODULE_OPENFILELOCATION: { PPH_MODULE_ITEM moduleItem = PhGetSelectedModuleItem(&modulesContext->ListContext); if (moduleItem) { PPH_STRING fileNameWin32 = PH_AUTO(PhGetFileName(moduleItem->FileName)); PhShellExecuteUserString( hwndDlg, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(fileNameWin32), FALSE, L"Make sure the Explorer executable file is present." ); } } break; case ID_MODULE_PROPERTIES: { PPH_MODULE_ITEM moduleItem = PhGetSelectedModuleItem(&modulesContext->ListContext); if (moduleItem) { PPH_STRING fileNameWin32 = PH_AUTO(PhGetFileName(moduleItem->FileName)); PhShellExecuteUserString( hwndDlg, SETTING_PROGRAM_INSPECT_EXECUTABLES, PhGetString(fileNameWin32), FALSE, L"Make sure the PE Viewer executable file is present." ); } } break; case ID_MODULE_COPY: { PPH_STRING text; text = PhGetTreeNewText(modulesContext->TreeNewHandle, 0); PhSetClipboardString(modulesContext->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; case IDC_FILTEROPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM dynamicItem; PPH_EMENU_ITEM mappedItem; PPH_EMENU_ITEM staticItem; PPH_EMENU_ITEM verifiedItem; PPH_EMENU_ITEM systemItem; PPH_EMENU_ITEM coherencyItem; PPH_EMENU_ITEM knowndllsItem; PPH_EMENU_ITEM dotnetItem; PPH_EMENU_ITEM immersiveItem; PPH_EMENU_ITEM relocatedItem; PPH_EMENU_ITEM untrustedItem; PPH_EMENU_ITEM systemHighlightItem; PPH_EMENU_ITEM coherencyHighlightItem; PPH_EMENU_ITEM knowndllsHighlightItem; PPH_EMENU_ITEM zeroPadItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_FILTEROPTIONS), &rect)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, dynamicItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_DYNAMIC_OPTION, L"Hide dynamic", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, mappedItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_MAPPED_OPTION, L"Hide mapped", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, staticItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_STATIC_OPTION, L"Hide static", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, verifiedItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_SIGNED_OPTION, L"Hide verified", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, systemItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_SYSTEM_OPTION, L"Hide system", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, coherencyItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_LOWIMAGECOHERENCY_OPTION, L"Hide low image coherency", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, knowndllsItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_IMAGEKNOWNDLL_OPTION, L"Hide knowndlls images", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, dotnetItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_HIGHLIGHT_DOTNET_OPTION, L"Highlight .NET modules", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, immersiveItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_HIGHLIGHT_IMMERSIVE_OPTION, L"Highlight immersive modules", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, relocatedItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_HIGHLIGHT_RELOCATED_OPTION, L"Highlight relocated modules", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, untrustedItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_HIGHLIGHT_UNSIGNED_OPTION, L"Highlight untrusted modules", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, systemHighlightItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_HIGHLIGHT_SYSTEM_OPTION, L"Highlight system modules", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, coherencyHighlightItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_HIGHLIGHT_LOWIMAGECOHERENCY_OPTION, L"Highlight low image coherency", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, knowndllsHighlightItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_HIGHLIGHT_IMAGEKNOWNDLL, L"Highlight knowndlls images", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, zeroPadItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_ZERO_PAD_ADDRESSES, L"Zero pad addresses", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_MODULE_FLAGS_LOAD_MODULE_OPTION, L"Load module...", NULL, NULL), ULONG_MAX); //PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); //PhInsertEMenuItem(menu, stringsItem = PhCreateEMenuItem(0, PH_MODULE_FLAGS_MODULE_STRINGS_OPTION, L"Strings...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_MODULE_FLAGS_SAVE_OPTION, L"Save...", NULL, NULL), ULONG_MAX); if (modulesContext->ListContext.HideDynamicModules) dynamicItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HideMappedModules) mappedItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HideStaticModules) staticItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HideSignedModules) verifiedItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HideSystemModules) systemItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HideLowImageCoherency) coherencyItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HideImageKnownDll) knowndllsItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HighlightDotNetModules) dotnetItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HighlightImmersiveModules) immersiveItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HighlightRelocatedModules) relocatedItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HighlightUntrustedModules) untrustedItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HighlightSystemModules) systemHighlightItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HighlightLowImageCoherency) coherencyHighlightItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.HighlightImageKnownDll) knowndllsHighlightItem->Flags |= PH_EMENU_CHECKED; if (modulesContext->ListContext.ZeroPadAddresses) zeroPadItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id) { if (selectedItem->Id == PH_MODULE_FLAGS_LOAD_MODULE_OPTION) { if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) && !PhShowConfirmMessage( hwndDlg, L"load", L"a module", L"Some programs may restrict access or ban your account when loading modules into the process.", FALSE )) { break; } PhReferenceObject(processItem); PhUiLoadDllProcess(hwndDlg, processItem); PhDereferenceObject(processItem); } else if (selectedItem->Id == PH_MODULE_FLAGS_MODULE_STRINGS_OPTION) { // TODO } else if (selectedItem->Id == PH_MODULE_FLAGS_SAVE_OPTION) { PhpProcessModulesSave(modulesContext); } else if (selectedItem->Id == PH_MODULE_FLAGS_ZERO_PAD_ADDRESSES) { PhSetOptionsModuleList(&modulesContext->ListContext, selectedItem->Id); PhSaveSettingsModuleList(&modulesContext->ListContext); PhInvalidateAllModuleBaseAddressNodes(&modulesContext->ListContext); } else { PhSetOptionsModuleList(&modulesContext->ListContext, selectedItem->Id); PhSaveSettingsModuleList(&modulesContext->ListContext); PhApplyTreeNewFilters(&modulesContext->ListContext.TreeFilterSupport); } } PhDestroyEMenu(menu); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_SETACTIVE: PhSetEnabledProvider(&modulesContext->ProviderRegistration, TRUE); break; case PSN_KILLACTIVE: PhSetEnabledProvider(&modulesContext->ProviderRegistration, FALSE); break; case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)modulesContext->TreeNewHandle); return TRUE; } } break; case WM_KEYDOWN: { if (LOWORD(wParam) == 'K') { if (GetKeyState(VK_CONTROL) < 0) { SetFocus(modulesContext->SearchboxHandle); return TRUE; } } } break; case WM_PH_MODULES_UPDATED: { ULONG upToRunId = (ULONG)wParam; PPH_PROVIDER_EVENT events; ULONG count; ULONG i; events = PhFlushProviderEventQueue(&modulesContext->EventQueue, upToRunId, &count); if (events) { TreeNew_SetRedraw(modulesContext->TreeNewHandle, FALSE); for (i = 0; i < count; i++) { PH_PROVIDER_EVENT_TYPE type = PH_PROVIDER_EVENT_TYPE(events[i]); PPH_MODULE_ITEM moduleItem = PH_PROVIDER_EVENT_OBJECT(events[i]); switch (type) { case ProviderAddedEvent: PhAddModuleNode(&modulesContext->ListContext, moduleItem, events[i].RunId); PhDereferenceObject(moduleItem); break; case ProviderModifiedEvent: PhUpdateModuleNode(&modulesContext->ListContext, PhFindModuleNode(&modulesContext->ListContext, moduleItem)); break; case ProviderRemovedEvent: PhRemoveModuleNode(&modulesContext->ListContext, PhFindModuleNode(&modulesContext->ListContext, moduleItem)); break; } } PhFree(events); } PhTickModuleNodes(&modulesContext->ListContext); if (count != 0) TreeNew_SetRedraw(modulesContext->TreeNewHandle, TRUE); // Refresh the visible nodes. PhApplyTreeNewFilters(&modulesContext->ListContext.TreeFilterSupport); if (modulesContext->LastRunStatus != modulesContext->Provider->RunStatus) { NTSTATUS status; PPH_STRING message; status = modulesContext->Provider->RunStatus; modulesContext->LastRunStatus = status; if (!PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) status = STATUS_SUCCESS; if (NT_SUCCESS(status) || status == STATUS_PARTIAL_COPY) // partial when process exits (dmex) { TreeNew_SetEmptyText(modulesContext->TreeNewHandle, &EmptyModulesText, 0); } else { message = PhGetStatusMessage(status, 0); PhMoveReference(&modulesContext->ErrorMessage, PhFormatString(L"Unable to query module information:\n%s", PhGetStringOrDefault(message, L"Unknown error."))); PhClearReference(&message); TreeNew_SetEmptyText(modulesContext->TreeNewHandle, &modulesContext->ErrorMessage->sr, 0); } InvalidateRect(modulesContext->TreeNewHandle, NULL, FALSE); } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgperf.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2019-2023 * */ #include #include #include #include #include #include _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhProcessPerformanceUpdateHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { PPH_PERFORMANCE_CONTEXT performanceContext = (PPH_PERFORMANCE_CONTEXT)Context; if (performanceContext && performanceContext->Enabled) { PostMessage(performanceContext->WindowHandle, WM_PH_PERFORMANCE_UPDATE, 0, 0); } } INT_PTR CALLBACK PhpProcessPerformanceDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_PERFORMANCE_CONTEXT performanceContext; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem)) { performanceContext = (PPH_PERFORMANCE_CONTEXT)propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { performanceContext = propPageContext->Context = PhAllocateZero(sizeof(PH_PERFORMANCE_CONTEXT)); performanceContext->WindowHandle = hwndDlg; performanceContext->Enabled = TRUE; performanceContext->WindowDpi = PhGetWindowDpi(hwndDlg); // We have already set the group boxes to have WS_EX_TRANSPARENT to fix // the drawing issue that arises when using WS_CLIPCHILDREN. However // in removing the flicker from the graphs the group boxes will now flicker. // It's a good tradeoff since no one stares at the group boxes. PhSetWindowStyle(hwndDlg, WS_CLIPCHILDREN, WS_CLIPCHILDREN); performanceContext->CpuGroupBox = GetDlgItem(hwndDlg, IDC_GROUPCPU); performanceContext->PrivateBytesGroupBox = GetDlgItem(hwndDlg, IDC_GROUPPRIVATEBYTES); performanceContext->IoGroupBox = GetDlgItem(hwndDlg, IDC_GROUPIO); PhInitializeGraphState(&performanceContext->CpuGraphState); PhInitializeGraphState(&performanceContext->PrivateGraphState); PhInitializeGraphState(&performanceContext->IoGraphState); performanceContext->CpuGraphHandle = GetDlgItem(hwndDlg, IDC_CPU); PhSetWindowStyle(performanceContext->CpuGraphHandle, WS_BORDER, WS_BORDER); Graph_SetTooltip(performanceContext->CpuGraphHandle, TRUE); BringWindowToTop(performanceContext->CpuGraphHandle); performanceContext->PrivateGraphHandle = GetDlgItem(hwndDlg, IDC_PRIVATEBYTES); PhSetWindowStyle(performanceContext->PrivateGraphHandle, WS_BORDER, WS_BORDER); Graph_SetTooltip(performanceContext->PrivateGraphHandle, TRUE); BringWindowToTop(performanceContext->PrivateGraphHandle); performanceContext->IoGraphHandle = GetDlgItem(hwndDlg, IDC_IO); PhSetWindowStyle(performanceContext->IoGraphHandle, WS_BORDER, WS_BORDER); Graph_SetTooltip(performanceContext->IoGraphHandle, TRUE); BringWindowToTop(performanceContext->IoGraphHandle); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhProcessPerformanceUpdateHandler, performanceContext, &performanceContext->ProcessesUpdatedRegistration ); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhUnregisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), &performanceContext->ProcessesUpdatedRegistration ); PhDeleteGraphState(&performanceContext->CpuGraphState); PhDeleteGraphState(&performanceContext->PrivateGraphState); PhDeleteGraphState(&performanceContext->IoGraphState); PhFree(performanceContext); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_SETACTIVE: { performanceContext->Enabled = TRUE; performanceContext->CpuGraphState.Valid = FALSE; performanceContext->CpuGraphState.TooltipIndex = ULONG_MAX; performanceContext->PrivateGraphState.Valid = FALSE; performanceContext->PrivateGraphState.TooltipIndex = ULONG_MAX; performanceContext->IoGraphState.Valid = FALSE; performanceContext->IoGraphState.TooltipIndex = ULONG_MAX; if (performanceContext->CpuGraphHandle) Graph_Draw(performanceContext->CpuGraphHandle); if (performanceContext->PrivateGraphHandle) Graph_Draw(performanceContext->PrivateGraphHandle); if (performanceContext->IoGraphHandle) Graph_Draw(performanceContext->IoGraphHandle); } break; case PSN_KILLACTIVE: performanceContext->Enabled = FALSE; break; case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)header; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; if (header->hwndFrom == performanceContext->CpuGraphHandle) { drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_USE_LINE_2 | (PhCsEnableGraphMaxText ? PH_GRAPH_LABEL_MAX_Y : 0); PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorCpuKernel, PhCsColorCpuUser, performanceContext->WindowDpi); PhGraphStateGetDrawInfo( &performanceContext->CpuGraphState, getDrawInfo, processItem->CpuKernelHistory.Count ); if (!performanceContext->CpuGraphState.Valid) { PhCopyCircularBuffer_FLOAT(&processItem->CpuKernelHistory, performanceContext->CpuGraphState.Data1, drawInfo->LineDataCount); PhCopyCircularBuffer_FLOAT(&processItem->CpuUserHistory, performanceContext->CpuGraphState.Data2, drawInfo->LineDataCount); if (PhCsEnableGraphMaxScale) { FLOAT max = 0; if (PhCsEnableAvxSupport && drawInfo->LineDataCount > 128) { max = PhAddPlusMaxMemorySingles( performanceContext->CpuGraphState.Data1, performanceContext->CpuGraphState.Data2, drawInfo->LineDataCount ); } else { for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT data = performanceContext->CpuGraphState.Data1[i] + performanceContext->CpuGraphState.Data2[i]; if (max < data) max = data; } } if (max != 0) { PhDivideSinglesBySingle( performanceContext->CpuGraphState.Data1, max, drawInfo->LineDataCount ); PhDivideSinglesBySingle( performanceContext->CpuGraphState.Data2, max, drawInfo->LineDataCount ); } drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = max; } else { drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = 1.0f; } performanceContext->CpuGraphState.Valid = TRUE; } if (PhCsGraphShowText) { HDC hdc; PH_FORMAT format[6]; // %.2f%% (K: %.2f%%, U: %.2f%%) PhInitFormatF(&format[0], (processItem->CpuKernelUsage + processItem->CpuUserUsage) * 100.f, PhMaxPrecisionUnit); PhInitFormatS(&format[1], L"% (K: "); PhInitFormatF(&format[2], processItem->CpuKernelUsage * 100.f, PhMaxPrecisionUnit); PhInitFormatS(&format[3], L"%, U: "); PhInitFormatF(&format[4], processItem->CpuUserUsage * 100.f, PhMaxPrecisionUnit); PhInitFormatS(&format[5], L"%)"); PhMoveReference(&performanceContext->CpuGraphState.Text, PhFormat(format, RTL_NUMBER_OF(format), 16)); hdc = Graph_GetBufferedContext(performanceContext->CpuGraphHandle); PhSetGraphText(hdc, drawInfo, &performanceContext->CpuGraphState.Text->sr, &PhNormalGraphTextMargin, &PhNormalGraphTextPadding, PH_ALIGN_TOP | PH_ALIGN_LEFT); } else { drawInfo->Text.Buffer = NULL; } } else if (header->hwndFrom == performanceContext->PrivateGraphHandle) { drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | (PhCsEnableGraphMaxText ? PH_GRAPH_LABEL_MAX_Y : 0); PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorPrivate, 0, performanceContext->WindowDpi); PhGraphStateGetDrawInfo( &performanceContext->PrivateGraphState, getDrawInfo, processItem->PrivateBytesHistory.Count ); if (!performanceContext->PrivateGraphState.Valid) { FLOAT max = PhCsEnableGraphMaxScale ? 0.f : (FLOAT)processItem->VmCounters.PeakPagefileUsage; for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT data = performanceContext->PrivateGraphState.Data1[i] = (FLOAT)PhGetItemCircularBuffer_SIZE_T(&processItem->PrivateBytesHistory, i); if (max < data) max = data; } if (max != 0) { // Scale the data. PhDivideSinglesBySingle( performanceContext->PrivateGraphState.Data1, max, drawInfo->LineDataCount ); } drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = max; performanceContext->PrivateGraphState.Valid = TRUE; } if (PhCsGraphShowText) { HDC hdc; PH_FORMAT format[1]; PhInitFormatSize(&format[0], processItem->VmCounters.PagefileUsage); PhMoveReference(&performanceContext->PrivateGraphState.Text, PhFormat(format, RTL_NUMBER_OF(format), 0)); hdc = Graph_GetBufferedContext(performanceContext->PrivateGraphHandle); PhSetGraphText(hdc, drawInfo, &performanceContext->PrivateGraphState.Text->sr, &PhNormalGraphTextMargin, &PhNormalGraphTextPadding, PH_ALIGN_TOP | PH_ALIGN_LEFT); } else { drawInfo->Text.Buffer = NULL; } } else if (header->hwndFrom == performanceContext->IoGraphHandle) { drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_LABEL_MAX_Y | PH_GRAPH_USE_LINE_2; PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorIoReadOther, PhCsColorIoWrite, performanceContext->WindowDpi); PhGraphStateGetDrawInfo( &performanceContext->IoGraphState, getDrawInfo, processItem->IoReadHistory.Count ); if (!performanceContext->IoGraphState.Valid) { ULONG i; FLOAT max = 0; for (i = 0; i < drawInfo->LineDataCount; i++) { FLOAT data1; FLOAT data2; performanceContext->IoGraphState.Data1[i] = data1 = (FLOAT)PhGetItemCircularBuffer_ULONG64(&processItem->IoReadHistory, i) + (FLOAT)PhGetItemCircularBuffer_ULONG64(&processItem->IoOtherHistory, i); performanceContext->IoGraphState.Data2[i] = data2 = (FLOAT)PhGetItemCircularBuffer_ULONG64(&processItem->IoWriteHistory, i); if (max < data1 + data2) max = data1 + data2; } if (max != 0) { // Scale the data. PhDivideSinglesBySingle( performanceContext->IoGraphState.Data1, max, drawInfo->LineDataCount ); PhDivideSinglesBySingle( performanceContext->IoGraphState.Data2, max, drawInfo->LineDataCount ); } drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = max; performanceContext->IoGraphState.Valid = TRUE; } if (PhCsGraphShowText) { HDC hdc; PH_FORMAT format[4]; // R+O: %s, W: %s PhInitFormatS(&format[0], L"R+O: "); PhInitFormatSize(&format[1], processItem->IoReadDelta.Delta + processItem->IoOtherDelta.Delta); PhInitFormatS(&format[2], L", W: "); PhInitFormatSize(&format[3], processItem->IoWriteDelta.Delta); PhMoveReference(&performanceContext->IoGraphState.Text, PhFormat(format, RTL_NUMBER_OF(format), 64)); hdc = Graph_GetBufferedContext(performanceContext->IoGraphHandle); PhSetGraphText(hdc, drawInfo, &performanceContext->IoGraphState.Text->sr, &PhNormalGraphTextMargin, &PhNormalGraphTextPadding, PH_ALIGN_TOP | PH_ALIGN_LEFT); } else { drawInfo->Text.Buffer = NULL; } } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)lParam; if ( header->hwndFrom == performanceContext->CpuGraphHandle && getTooltipText->Index < getTooltipText->TotalCount ) { if (performanceContext->CpuGraphState.TooltipIndex != getTooltipText->Index) { FLOAT cpuKernel; FLOAT cpuUser; PH_FORMAT format[7]; cpuKernel = PhGetItemCircularBuffer_FLOAT(&processItem->CpuKernelHistory, getTooltipText->Index); cpuUser = PhGetItemCircularBuffer_FLOAT(&processItem->CpuUserHistory, getTooltipText->Index); // %.2f%% (K: %.2f%%, U: %.2f%%)%s\n%s PhInitFormatF(&format[0], (cpuKernel + cpuUser) * 100.f, PhMaxPrecisionUnit); PhInitFormatS(&format[1], L"% (K: "); PhInitFormatF(&format[2], cpuKernel * 100.f, PhMaxPrecisionUnit); PhInitFormatS(&format[3], L"%, U: "); PhInitFormatF(&format[4], cpuUser * 100.f, PhMaxPrecisionUnit); PhInitFormatS(&format[5], L"%)\n"); PhInitFormatSR(&format[6], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(processItem, getTooltipText->Index))->sr); PhMoveReference(&performanceContext->CpuGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 160)); } getTooltipText->Text = performanceContext->CpuGraphState.TooltipText->sr; } else if ( header->hwndFrom == performanceContext->PrivateGraphHandle && getTooltipText->Index < getTooltipText->TotalCount ) { if (performanceContext->PrivateGraphState.TooltipIndex != getTooltipText->Index) { SIZE_T privateBytes; PH_FORMAT format[3]; privateBytes = PhGetItemCircularBuffer_SIZE_T(&processItem->PrivateBytesHistory, getTooltipText->Index); // %s\n%s PhInitFormatSize(&format[0], privateBytes); PhInitFormatC(&format[1], L'\n'); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(processItem, getTooltipText->Index))->sr); PhMoveReference(&performanceContext->PrivateGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 64)); } getTooltipText->Text = performanceContext->PrivateGraphState.TooltipText->sr; } else if ( header->hwndFrom == performanceContext->IoGraphHandle && getTooltipText->Index < getTooltipText->TotalCount ) { if (performanceContext->IoGraphState.TooltipIndex != getTooltipText->Index) { ULONG64 ioRead; ULONG64 ioWrite; ULONG64 ioOther; PH_FORMAT format[8]; ioRead = PhGetItemCircularBuffer_ULONG64(&processItem->IoReadHistory, getTooltipText->Index); ioWrite = PhGetItemCircularBuffer_ULONG64(&processItem->IoWriteHistory, getTooltipText->Index); ioOther = PhGetItemCircularBuffer_ULONG64(&processItem->IoOtherHistory, getTooltipText->Index); // R: %s\nW: %s\nO: %s\n%s PhInitFormatS(&format[0], L"R: "); PhInitFormatSize(&format[1], ioRead); PhInitFormatS(&format[2], L"\nW: "); PhInitFormatSize(&format[3], ioWrite); PhInitFormatS(&format[4], L"\nO: "); PhInitFormatSize(&format[5], ioOther); PhInitFormatC(&format[6], L'\n'); PhInitFormatSR(&format[7], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(processItem, getTooltipText->Index))->sr); PhMoveReference(&performanceContext->IoGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 64)); } getTooltipText->Text = performanceContext->IoGraphState.TooltipText->sr; } } break; } } break; case WM_SIZE: { HDWP deferHandle; RECT clientRect; RECT margin; RECT innerMargin; LONG between; LONG width; LONG height; margin.left = margin.top = margin.right = margin.bottom = PhGetDpi(13, performanceContext->WindowDpi); innerMargin.top = PhGetDpi(20, performanceContext->WindowDpi); innerMargin.left = innerMargin.right = innerMargin.bottom = PhGetDpi(10, performanceContext->WindowDpi); between = PhGetDpi(3, performanceContext->WindowDpi); performanceContext->CpuGraphState.Valid = FALSE; performanceContext->CpuGraphState.TooltipIndex = ULONG_MAX; performanceContext->PrivateGraphState.Valid = FALSE; performanceContext->PrivateGraphState.TooltipIndex = ULONG_MAX; performanceContext->IoGraphState.Valid = FALSE; performanceContext->IoGraphState.TooltipIndex = ULONG_MAX; if (!PhGetClientRect(hwndDlg, &clientRect)) break; width = clientRect.right - margin.left - margin.right; height = (clientRect.bottom - margin.top - margin.bottom - between * 2) / 3; deferHandle = BeginDeferWindowPos(6); deferHandle = DeferWindowPos(deferHandle, performanceContext->CpuGroupBox, NULL, margin.left, margin.top, width, height, SWP_NOACTIVATE | SWP_NOZORDER); deferHandle = DeferWindowPos( deferHandle, performanceContext->CpuGraphHandle, NULL, margin.left + innerMargin.left, margin.top + innerMargin.top, width - innerMargin.left - innerMargin.right, height - innerMargin.top - innerMargin.bottom, SWP_NOACTIVATE | SWP_NOZORDER ); deferHandle = DeferWindowPos(deferHandle, performanceContext->PrivateBytesGroupBox, NULL, margin.left, margin.top + height + between, width, height, SWP_NOACTIVATE | SWP_NOZORDER); deferHandle = DeferWindowPos( deferHandle, performanceContext->PrivateGraphHandle, NULL, margin.left + innerMargin.left, margin.top + height + between + innerMargin.top, width - innerMargin.left - innerMargin.right, height - innerMargin.top - innerMargin.bottom, SWP_NOACTIVATE | SWP_NOZORDER ); deferHandle = DeferWindowPos(deferHandle, performanceContext->IoGroupBox, NULL, margin.left, margin.top + (height + between) * 2, width, height, SWP_NOACTIVATE | SWP_NOZORDER); deferHandle = DeferWindowPos( deferHandle, performanceContext->IoGraphHandle, NULL, margin.left + innerMargin.left, margin.top + (height + between) * 2 + innerMargin.top, width - innerMargin.left - innerMargin.right, height - innerMargin.top - innerMargin.bottom, SWP_NOACTIVATE | SWP_NOZORDER ); EndDeferWindowPos(deferHandle); } break; case WM_PH_PERFORMANCE_UPDATE: { if (!(processItem->State & PH_PROCESS_ITEM_REMOVED)) { performanceContext->CpuGraphState.Valid = FALSE; Graph_Update(performanceContext->CpuGraphHandle); performanceContext->PrivateGraphState.Valid = FALSE; Graph_Update(performanceContext->PrivateGraphHandle); performanceContext->IoGraphState.Valid = FALSE; Graph_Update(performanceContext->IoGraphHandle); } } break; case WM_DPICHANGED_BEFOREPARENT: { performanceContext->WindowDpi = PhGetWindowDpi(hwndDlg); } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgsrv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #include #include #include #include static VOID PhpLayoutServiceListControl( _In_ HWND hwndDlg, _In_ HWND ServiceListHandle ) { RECT rect; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_SERVICES_LAYOUT), &rect)) return; MapWindowRect(NULL, hwndDlg, &rect); MoveWindow( ServiceListHandle, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, TRUE ); } INT_PTR CALLBACK PhpProcessServicesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; if (!PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, NULL, &propPageContext, &processItem)) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PPH_SERVICE_ITEM *services; ULONG numberOfServices; ULONG i; HWND serviceListHandle; // Get a copy of the process' service list. PhAcquireQueuedLockShared(&processItem->ServiceListLock); numberOfServices = processItem->ServiceList->Count; services = PhAllocate(numberOfServices * sizeof(PPH_SERVICE_ITEM)); { ULONG enumerationKey = 0; PPH_SERVICE_ITEM serviceItem; i = 0; while (PhEnumPointerList(processItem->ServiceList, &enumerationKey, &serviceItem)) { PhReferenceObject(serviceItem); services[i++] = serviceItem; } } PhReleaseQueuedLockShared(&processItem->ServiceListLock); serviceListHandle = PhCreateServiceListControl( hwndDlg, services, numberOfServices ); SendMessage(serviceListHandle, WM_PH_SET_LIST_VIEW_SETTINGS, 0, (LPARAM)SETTING_PROCESS_SERVICE_LIST_VIEW_COLUMNS); ShowWindow(serviceListHandle, SW_SHOW); propPageContext->Context = serviceListHandle; PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_SERVICES_LAYOUT), dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); PhpLayoutServiceListControl(hwndDlg, (HWND)propPageContext->Context); } } break; case WM_SIZE: { PhpLayoutServiceListControl(hwndDlg, (HWND)propPageContext->Context); } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgstat.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include typedef enum _PH_PROCESS_STATISTICS_CATEGORY { PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_CATEGORY_OTHER, } PH_PROCESS_STATISTICS_CATEGORY; typedef enum _PH_PROCESS_STATISTICS_INDEX { PH_PROCESS_STATISTICS_INDEX_CPU, PH_PROCESS_STATISTICS_INDEX_CPUUSER, PH_PROCESS_STATISTICS_INDEX_CPUKERNEL, PH_PROCESS_STATISTICS_INDEX_CPUAVERAGE, PH_PROCESS_STATISTICS_INDEX_CPURELATIVE, PH_PROCESS_STATISTICS_INDEX_CYCLES, PH_PROCESS_STATISTICS_INDEX_CYCLESDELTA, PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHES, PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHESDELTA, PH_PROCESS_STATISTICS_INDEX_KERNELTIME, PH_PROCESS_STATISTICS_INDEX_KERNELDELTA, PH_PROCESS_STATISTICS_INDEX_USERTIME, PH_PROCESS_STATISTICS_INDEX_USERDELTA, PH_PROCESS_STATISTICS_INDEX_TOTALTIME, PH_PROCESS_STATISTICS_INDEX_TOTALDELTA, PH_PROCESS_STATISTICS_INDEX_PRIORITY, PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTES, PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTESDELTA, PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATEBYTES, PH_PROCESS_STATISTICS_INDEX_VIRTUALSIZE, PH_PROCESS_STATISTICS_INDEX_PEAKVIRTUALSIZE, PH_PROCESS_STATISTICS_INDEX_PAGEFAULTS, PH_PROCESS_STATISTICS_INDEX_PAGEFAULTSDELTA, PH_PROCESS_STATISTICS_INDEX_HARDFAULTS, PH_PROCESS_STATISTICS_INDEX_HARDFAULTSDELTA, PH_PROCESS_STATISTICS_INDEX_WORKINGSET, PH_PROCESS_STATISTICS_INDEX_PEAKWORKINGSET, PH_PROCESS_STATISTICS_INDEX_PRIVATEWS, PH_PROCESS_STATISTICS_INDEX_SHAREABLEWS, PH_PROCESS_STATISTICS_INDEX_SHAREDWS, PH_PROCESS_STATISTICS_INDEX_SHAREDCOMMIT, PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMIT, PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATECOMMIT, //PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMITLIMIT, //PH_PROCESS_STATISTICS_INDEX_TOTALCOMMITLIMIT, PH_PROCESS_STATISTICS_INDEX_PAGEPRIORITY, PH_PROCESS_STATISTICS_INDEX_READS, PH_PROCESS_STATISTICS_INDEX_READSDELTA, PH_PROCESS_STATISTICS_INDEX_READBYTES, PH_PROCESS_STATISTICS_INDEX_READBYTESDELTA, PH_PROCESS_STATISTICS_INDEX_WRITES, PH_PROCESS_STATISTICS_INDEX_WRITESDELTA, PH_PROCESS_STATISTICS_INDEX_WRITEBYTES, PH_PROCESS_STATISTICS_INDEX_WRITEBYTESDELTA, PH_PROCESS_STATISTICS_INDEX_OTHER, PH_PROCESS_STATISTICS_INDEX_OTHERDELTA, PH_PROCESS_STATISTICS_INDEX_OTHERBYTES, PH_PROCESS_STATISTICS_INDEX_OTHERBYTESDELTA, PH_PROCESS_STATISTICS_INDEX_IOTOTAL, PH_PROCESS_STATISTICS_INDEX_IOTOTALDELTA, PH_PROCESS_STATISTICS_INDEX_IOAVERAGE, PH_PROCESS_STATISTICS_INDEX_IOPRIORITY, PH_PROCESS_STATISTICS_INDEX_HANDLES, PH_PROCESS_STATISTICS_INDEX_PEAKHANDLES, PH_PROCESS_STATISTICS_INDEX_GDIHANDLES, PH_PROCESS_STATISTICS_INDEX_PEAKGDIHANDLES, PH_PROCESS_STATISTICS_INDEX_USERHANDLES, PH_PROCESS_STATISTICS_INDEX_PEAKUSERHANDLES, PH_PROCESS_STATISTICS_INDEX_PAGEDPOOL, PH_PROCESS_STATISTICS_INDEX_PEAKPAGEDPOOL, PH_PROCESS_STATISTICS_INDEX_NONPAGED, PH_PROCESS_STATISTICS_INDEX_PEAKNONPAGED, PH_PROCESS_STATISTICS_INDEX_RUNNINGTIME, PH_PROCESS_STATISTICS_INDEX_SUSPENDEDTIME, PH_PROCESS_STATISTICS_INDEX_HANGCOUNT, PH_PROCESS_STATISTICS_INDEX_GHOSTCOUNT, PH_PROCESS_STATISTICS_INDEX_NETWORKTXRXBYTES, PH_PROCESS_STATISTICS_INDEX_MOUSE, PH_PROCESS_STATISTICS_INDEX_KEYBOARD, PH_PROCESS_STATISTICS_INDEX_MAX, } PH_PROCESS_STATISTICS_INDEX; VOID PhpUpdateStatisticsAddListViewGroups( _In_ PPH_STATISTICS_CONTEXT Context ) { PhListView_EnableGroupView(Context->ListViewContext, TRUE); PhListView_AddGroup(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, L"CPU"); PhListView_AddGroup(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, L"Memory"); PhListView_AddGroup(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, L"I/O"); PhListView_AddGroup(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, L"Other"); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CPU, L"CPU", (PVOID)PH_PROCESS_STATISTICS_INDEX_CPU); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CPUUSER, L"CPU (user)", (PVOID)PH_PROCESS_STATISTICS_INDEX_CPUUSER); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CPUKERNEL, L"CPU (kernel)", (PVOID)PH_PROCESS_STATISTICS_INDEX_CPUKERNEL); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CPUAVERAGE, L"CPU (average)", (PVOID)PH_PROCESS_STATISTICS_INDEX_CPUAVERAGE); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CPURELATIVE, L"CPU (relative)", (PVOID)PH_PROCESS_STATISTICS_INDEX_CPURELATIVE); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CYCLES, L"Cycles", (PVOID)PH_PROCESS_STATISTICS_INDEX_CYCLES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CYCLESDELTA, L"Cycles delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_CYCLESDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHES, L"Context switches", (PVOID)PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHESDELTA, L"Context switches delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHESDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_KERNELTIME, L"Kernel time", (PVOID)PH_PROCESS_STATISTICS_INDEX_KERNELTIME); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_KERNELDELTA, L"Kernel delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_KERNELDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_USERTIME, L"User time", (PVOID)PH_PROCESS_STATISTICS_INDEX_USERTIME); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_USERDELTA, L"User delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_USERDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_TOTALTIME, L"Total time", (PVOID)PH_PROCESS_STATISTICS_INDEX_TOTALTIME); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_TOTALDELTA, L"Total delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_TOTALDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_CPU, PH_PROCESS_STATISTICS_INDEX_PRIORITY, L"Priority", (PVOID)PH_PROCESS_STATISTICS_INDEX_PRIORITY); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTES, L"Private bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTESDELTA, L"Private bytes delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTESDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATEBYTES, L"Peak private bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATEBYTES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_VIRTUALSIZE, L"Virtual size", (PVOID)PH_PROCESS_STATISTICS_INDEX_VIRTUALSIZE); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PEAKVIRTUALSIZE, L"Peak virtual size", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKVIRTUALSIZE); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PAGEFAULTS, L"Page faults", (PVOID)PH_PROCESS_STATISTICS_INDEX_PAGEFAULTS); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PAGEFAULTSDELTA, L"Page faults delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_PAGEFAULTSDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_HARDFAULTS, L"Hard faults", (PVOID)PH_PROCESS_STATISTICS_INDEX_HARDFAULTS); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_HARDFAULTSDELTA, L"Hard faults delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_HARDFAULTSDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_WORKINGSET, L"Working set", (PVOID)PH_PROCESS_STATISTICS_INDEX_WORKINGSET); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PEAKWORKINGSET, L"Peak working set", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKWORKINGSET); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PRIVATEWS, L"Private WS", (PVOID)PH_PROCESS_STATISTICS_INDEX_PRIVATEWS); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_SHAREABLEWS, L"Shareable WS", (PVOID)PH_PROCESS_STATISTICS_INDEX_SHAREABLEWS); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_SHAREDWS, L"Shared WS", (PVOID)PH_PROCESS_STATISTICS_INDEX_SHAREDWS); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PAGEDPOOL, L"Paged pool bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_PAGEDPOOL); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PEAKPAGEDPOOL, L"Peak paged pool bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKPAGEDPOOL); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_NONPAGED, L"Nonpaged pool bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_NONPAGED); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PEAKNONPAGED, L"Peak nonpaged pool bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKNONPAGED); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_SHAREDCOMMIT, L"Shared commit", (PVOID)PH_PROCESS_STATISTICS_INDEX_SHAREDCOMMIT); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMIT, L"Private commit", (PVOID)PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMIT); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATECOMMIT, L"Peak private commit", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATECOMMIT); //PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMITLIMIT, L"Private commit limit", (PVOID)PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMITLIMIT); //PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_TOTALCOMMITLIMIT, L"Total commit limit", (PVOID)PH_PROCESS_STATISTICS_INDEX_TOTALCOMMITLIMIT); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_MEMORY, PH_PROCESS_STATISTICS_INDEX_PAGEPRIORITY, L"Page priority", (PVOID)PH_PROCESS_STATISTICS_INDEX_PAGEPRIORITY); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_READS, L"Reads", (PVOID)PH_PROCESS_STATISTICS_INDEX_READS); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_READSDELTA, L"Reads delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_READSDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_READBYTES, L"Read bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_READBYTES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_READBYTESDELTA, L"Read bytes delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_READBYTESDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_WRITES, L"Writes", (PVOID)PH_PROCESS_STATISTICS_INDEX_WRITES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_WRITESDELTA, L"Writes delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_WRITESDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_WRITEBYTES, L"Write bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_WRITEBYTES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_WRITEBYTESDELTA, L"Write bytes delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_WRITEBYTESDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_OTHER, L"Other", (PVOID)PH_PROCESS_STATISTICS_INDEX_OTHER); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_OTHERDELTA, L"Other delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_OTHERDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_OTHERBYTES, L"Other bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_OTHERBYTES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_OTHERBYTESDELTA, L"Other bytes delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_OTHERBYTESDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_IOTOTAL, L"Total bytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_IOTOTAL); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_IOTOTALDELTA, L"Total bytes delta", (PVOID)PH_PROCESS_STATISTICS_INDEX_IOTOTALDELTA); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_IOAVERAGE, L"Total bytes (average)", (PVOID)PH_PROCESS_STATISTICS_INDEX_IOAVERAGE); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_IO, PH_PROCESS_STATISTICS_INDEX_IOPRIORITY, L"I/O priority", (PVOID)PH_PROCESS_STATISTICS_INDEX_IOPRIORITY); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_HANDLES, L"Handles", (PVOID)PH_PROCESS_STATISTICS_INDEX_HANDLES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_PEAKHANDLES, L"Peak handles", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKHANDLES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_GDIHANDLES, L"GDI handles", (PVOID)PH_PROCESS_STATISTICS_INDEX_GDIHANDLES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_PEAKGDIHANDLES, L"Peak GDI handles", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKGDIHANDLES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_USERHANDLES, L"USER handles", (PVOID)PH_PROCESS_STATISTICS_INDEX_USERHANDLES); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_PEAKUSERHANDLES, L"Peak USER handles", (PVOID)PH_PROCESS_STATISTICS_INDEX_PEAKUSERHANDLES); if (WindowsVersion >= WINDOWS_10_RS3) { PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_RUNNINGTIME, L"Running time", (PVOID)PH_PROCESS_STATISTICS_INDEX_RUNNINGTIME); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_SUSPENDEDTIME, L"Suspended time", (PVOID)PH_PROCESS_STATISTICS_INDEX_SUSPENDEDTIME); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_HANGCOUNT, L"Hang count", (PVOID)PH_PROCESS_STATISTICS_INDEX_HANGCOUNT); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_GHOSTCOUNT, L"Ghost count", (PVOID)PH_PROCESS_STATISTICS_INDEX_GHOSTCOUNT); //PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_DISKREAD, L"BytesRead", NULL); //PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_DISKWRITE, L"BytesWritten", NULL); PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_NETWORKTXRXBYTES, L"NetworkTxRxBytes", (PVOID)PH_PROCESS_STATISTICS_INDEX_NETWORKTXRXBYTES); //PhListView_AddGroupItem(Context->ListViewContext, PH_PROCESS_STATISTICS_CATEGORY_OTHER, PH_PROCESS_STATISTICS_INDEX_MBBTXRXBYTES, L"MBBTxRxBytes", NULL); } if (PhPluginsEnabled) { PH_PLUGIN_PROCESS_STATS_EVENT notifyEvent; notifyEvent.Version = 0; notifyEvent.Type = 1; notifyEvent.ProcessItem = Context->ProcessItem; notifyEvent.Parameter = Context->ListViewHandle; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessStatsNotifyEvent), ¬ifyEvent); } } VOID PhpUpdateProcessStatisticDelta( _In_ NMLVDISPINFO* Entry, _In_ ULONG_PTR Delta ) { LONG_PTR delta = (LONG_PTR)Delta; if (delta != 0) { PPH_STRING value; PH_FORMAT format[2]; if (delta > 0) { PhInitFormatC(&format[0], L'+'); } else { PhInitFormatC(&format[0], L'-'); delta = -delta; } format[1].Type = SizeFormatType | FormatUseRadix; format[1].Radix = (UCHAR)PhMaxSizeUnit; format[1].u.Size = delta; value = PhFormat(format, 2, 0); wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, value->Buffer, _TRUNCATE); PhDereferenceObject(value); } else { wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, L"0", _TRUNCATE); } } VOID PhpUpdateProcessStatisticDeltaBytes( _In_ NMLVDISPINFO* Entry, _In_ PH_UINT64_DELTA DeltaBuffer ) { ULONG64 number = 0; if (DeltaBuffer.Delta != DeltaBuffer.Value) { number = DeltaBuffer.Delta; number *= 1000; number /= PhCsUpdateInterval; } if (number != 0) { PPH_STRING value; PH_FORMAT format[2]; PhInitFormatSize(&format[0], number); PhInitFormatS(&format[1], L"/s"); value = PhFormat(format, 2, 0); wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, value->Buffer, _TRUNCATE); PhDereferenceObject(value); } else { wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, L"0", _TRUNCATE); } } VOID PH_PROCESS_STATISTICS_FORMAT_F( _In_ NMLVDISPINFO* Entry, _In_ FLOAT Value ) { PH_FORMAT format[2]; WCHAR buffer[PH_INT64_STR_LEN_1]; // %.2f%% PhInitFormatF(&format[0], (Value), PhMaxPrecisionUnit); PhInitFormatC(&format[1], L'%'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), NULL)) { wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, buffer, _TRUNCATE); } } VOID PH_PROCESS_STATISTICS_FORMAT_I64U( _In_ NMLVDISPINFO* Entry, _In_ ULONG64 Value ) { PH_FORMAT format[1]; WCHAR buffer[PH_INT64_STR_LEN_1]; PhInitFormatI64UGroupDigits(&format[0], Value); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), NULL)) { wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, buffer, _TRUNCATE); } } VOID PH_PROCESS_STATISTICS_FORMAT_SIZE( _In_ NMLVDISPINFO* Entry, _In_ ULONG64 Value ) { PH_FORMAT format[1]; WCHAR buffer[PH_INT64_STR_LEN_1]; PhInitFormatSize(&format[0], Value); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), NULL)) { wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, buffer, _TRUNCATE); } } VOID PH_PROCESS_STATISTICS_FORMAT_TIME( _In_ NMLVDISPINFO* Entry, _In_ ULONG64 Value ) { WCHAR buffer[PH_TIMESPAN_STR_LEN_1] = L""; if (PhPrintTimeSpanToBuffer(Value, PH_TIMESPAN_DHMSM, buffer, sizeof(buffer), NULL)) { wcsncpy_s(Entry->item.pszText, Entry->item.cchTextMax, buffer, _TRUNCATE); } } #define PH_PROCESS_STATISTICS_UPDATE_MINMAX(Minimum, Maximum, Difference, Value) \ if ((Value) != 0 && ((Minimum) == 0 || (Value) < (Minimum))) \ (Minimum) = (Value); \ if ((Value) != 0 && ((Maximum) == 0 || (Value) > (Maximum))) \ (Maximum) = (Value); \ (Difference) = (Maximum)-(Minimum); #define PH_PROCESS_STATISTICS_UPDATE_INCREMENTALMINMAX(Context, Type, Last, Minimum, Maximum, NewValue) \ if ((Last).Value) \ { \ Type delta = (NewValue) - (Last).Value; \ if (delta != 0 && ((Minimum) == 0 || delta < (Minimum))) \ (Minimum) = delta; \ if (delta != 0 && ((Maximum) == 0 || delta > (Maximum))) \ (Maximum) = delta; \ } PhUpdateDelta(&(Last), (NewValue)); VOID PhUpdateProcessStatisticsValue( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_STATISTICS_CONTEXT Context ) { Context->CpuUsage = ProcessItem->CpuUsage * 100; Context->CpuUsageUser = ProcessItem->CpuUserUsage * 100; Context->CpuUsageKernel = ProcessItem->CpuKernelUsage * 100; if (FlagOn(PhProcessProviderFlagsMask, PH_PROCESS_PROVIDER_FLAG_AVERAGE)) { Context->CpuUsageAverage = ProcessItem->CpuAverageUsage * 100; } else { FLOAT cpuSumValue = 0; FLOAT cpuAverageValue = 0; for (ULONG i = 0; i < ProcessItem->CpuKernelHistory.Count; i++) { cpuSumValue += PhGetItemCircularBuffer_FLOAT(&ProcessItem->CpuKernelHistory, i) + PhGetItemCircularBuffer_FLOAT(&ProcessItem->CpuUserHistory, i); } if (ProcessItem->CpuKernelHistory.Count) { cpuAverageValue = (FLOAT)cpuSumValue / ProcessItem->CpuKernelHistory.Count; } Context->CpuUsageAverage = cpuAverageValue * 100; } Context->CpuUsageRelative = (FLOAT)(ProcessItem->CpuUsage * 100) * ProcessItem->AffinityPopulationCount; { ULONG64 cycleTime; if (ProcessItem->QueryHandle && NT_SUCCESS(PhGetProcessCycleTime(ProcessItem->QueryHandle, &cycleTime))) { Context->CycleTime = cycleTime; Context->GotCycles = TRUE; } else { Context->CycleTime = 0; Context->GotCycles = FALSE; } } Context->CycleTimeDelta = ProcessItem->CycleTimeDelta.Delta; Context->ContextSwitches = ProcessItem->ContextSwitches; Context->ContextSwitchesDelta = ProcessItem->ContextSwitchesDelta.Delta; Context->KernelTime = ProcessItem->KernelTime.QuadPart; Context->KernelTimeDelta = ProcessItem->CpuKernelDelta.Delta; Context->UserTime = ProcessItem->UserTime.QuadPart; Context->UserTimeDelta = ProcessItem->CpuUserDelta.Delta; Context->BasePriority = ProcessItem->BasePriority; Context->PagefileUsage = ProcessItem->PrivateBytesDelta.Value; // ProcessItem->VmCounters.PagefileUsage Context->PagefileDelta = ProcessItem->PrivateBytesDelta.Delta; Context->PeakPagefileUsage = ProcessItem->VmCounters.PeakPagefileUsage; Context->VirtualSize = ProcessItem->VmCounters.VirtualSize; Context->PeakVirtualSize = ProcessItem->VmCounters.PeakVirtualSize; Context->PageFaultCount = ProcessItem->PageFaultsDelta.Value; // ProcessItem->VmCounters.PageFaultCount Context->PageFaultsDelta = ProcessItem->PageFaultsDelta.Delta; Context->HardFaultCount = ProcessItem->HardFaultsDelta.Value; // ProcessItem->HardFaultCount Context->HardFaultsDelta = ProcessItem->HardFaultsDelta.Delta; Context->WorkingSetSize = ProcessItem->VmCounters.WorkingSetSize; Context->PeakWorkingSetSize = ProcessItem->VmCounters.PeakWorkingSetSize; { PH_PROCESS_WS_COUNTERS wsCounters; PROCESS_JOB_MEMORY_INFO appMemoryInfo; PROCESS_EXTENDED_ENERGY_VALUES processExtendedValues; if (Context->ProcessHandle && NT_SUCCESS(PhGetProcessWsCounters(Context->ProcessHandle, &wsCounters))) { Context->NumberOfPrivatePages = wsCounters.NumberOfPrivatePages * PAGE_SIZE; Context->NumberOfShareablePages = wsCounters.NumberOfShareablePages * PAGE_SIZE; Context->NumberOfSharedPages = wsCounters.NumberOfSharedPages * PAGE_SIZE; } else { Context->NumberOfPrivatePages = ProcessItem->WorkingSetPrivateSize; Context->NumberOfShareablePages = 0; Context->NumberOfSharedPages = 0; } if (Context->ProcessHandle && NT_SUCCESS(PhGetProcessAppMemoryInformation(Context->ProcessHandle, &appMemoryInfo))) { Context->SharedCommitUsage = appMemoryInfo.SharedCommitUsage; Context->PrivateCommitUsage = appMemoryInfo.PrivateCommitUsage; Context->PeakPrivateCommitUsage = appMemoryInfo.PeakPrivateCommitUsage; } else { Context->SharedCommitUsage = 0; Context->PrivateCommitUsage = 0; Context->PeakPrivateCommitUsage = 0; } if (Context->ProcessHandle && NT_SUCCESS(PhGetProcessEnergyValues(Context->ProcessHandle, &processExtendedValues))) { PhUpdateDelta(&Context->MouseDelta, processExtendedValues.Extension.MouseInput); PhUpdateDelta(&Context->KeyboardDelta, processExtendedValues.Extension.KeyboardInput); } else { //PhUpdateDelta(&Context->MouseDelta, 0); //PhUpdateDelta(&Context->KeyboardDelta, 0); } } Context->QuotaPagedPoolUsage = ProcessItem->VmCounters.QuotaPagedPoolUsage; Context->QuotaPeakPagedPoolUsage = ProcessItem->VmCounters.QuotaPeakPagedPoolUsage; Context->QuotaNonPagedPoolUsage = ProcessItem->VmCounters.QuotaNonPagedPoolUsage; Context->QuotaPeakNonPagedPoolUsage = ProcessItem->VmCounters.QuotaPeakNonPagedPoolUsage; //wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->PrivateWs, L"N/A"), _TRUNCATE); //wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->ShareableWs, L"N/A"), _TRUNCATE); //wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->SharedWs, L"N/A"), _TRUNCATE); //wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->SharedCommitUsage, L"N/A"), _TRUNCATE); //wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->PrivateCommitUsage, L"N/A"), _TRUNCATE); //wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->PeakPrivateCommitUsage, L"N/A"), _TRUNCATE); Context->ReadOperationCount = ProcessItem->IoCounters.ReadOperationCount; Context->IoReadCountDelta = ProcessItem->IoReadCountDelta.Delta; Context->ReadTransferCount = ProcessItem->IoCounters.ReadTransferCount; Context->IoReadDelta = ProcessItem->IoReadDelta.Delta; Context->WriteOperationCount = ProcessItem->IoCounters.WriteOperationCount; Context->IoWriteCountDelta = ProcessItem->IoWriteCountDelta.Delta; Context->WriteTransferCount = ProcessItem->IoCounters.WriteTransferCount; Context->IoWriteDelta = ProcessItem->IoWriteDelta.Delta; Context->OtherOperationCount = ProcessItem->IoCounters.OtherOperationCount; Context->IoOtherCountDelta = ProcessItem->IoOtherCountDelta.Delta; Context->OtherTransferCount = ProcessItem->IoCounters.OtherTransferCount; Context->IoOtherDelta = ProcessItem->IoOtherDelta.Delta; Context->IoTotalDelta = ProcessItem->IoReadDelta.Value + ProcessItem->IoWriteDelta.Value + ProcessItem->IoOtherDelta.Value; } VOID PhUpdateProcessStatisticsMinMax( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_STATISTICS_CONTEXT Context ) { PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->CpuUsageMin, Context->CpuUsageMax, Context->CpuUsageDiff, Context->CpuUsage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->CpuUsageUserMin, Context->CpuUsageUserMax, Context->CpuUsageUserDiff, Context->CpuUsageUser); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->CpuUsageKernelMin, Context->CpuUsageKernelMax, Context->CpuUsageKernelDiff, Context->CpuUsageKernel); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->CpuUsageAverageMin, Context->CpuUsageAverageMax, Context->CpuUsageAverageDiff, Context->CpuUsageAverage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->CpuUsageRelativeMin, Context->CpuUsageRelativeMax, Context->CpuUsageRelativeDiff, Context->CpuUsageRelative); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->CycleTimeMin, Context->CycleTimeMax, Context->CycleTimeDiff, Context->CycleTime); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->CycleTimeDeltaMin, Context->CycleTimeDeltaMax, Context->CycleTimeDeltaDiff, Context->CycleTimeDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->ContextSwitchesMin, Context->ContextSwitchesMax, Context->ContextSwitchesDiff, Context->ContextSwitches); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->ContextSwitchesDeltaMin, Context->ContextSwitchesDeltaMax, Context->ContextSwitchesDeltaDiff, Context->ContextSwitchesDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->KernelTimeMin, Context->KernelTimeMax, Context->KernelTimeDiff, Context->KernelTime); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->KernelTimeDeltaMin, Context->KernelTimeDeltaMax, Context->KernelTimeDeltaDiff, Context->KernelTimeDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->UserTimeMin, Context->UserTimeMax, Context->UserTimeDiff, Context->UserTime); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->UserTimeDeltaMin, Context->UserTimeDeltaMax, Context->UserTimeDeltaDiff, Context->UserTimeDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->QuotaPagedPoolUsageMin, Context->QuotaPagedPoolUsageMax, Context->QuotaPagedPoolUsageDiff, Context->QuotaPagedPoolUsage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->QuotaPeakPagedPoolUsageMin, Context->QuotaPeakPagedPoolUsageMax, Context->QuotaPeakPagedPoolUsageDiff, Context->QuotaPeakPagedPoolUsage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->QuotaNonPagedPoolUsageMin, Context->QuotaNonPagedPoolUsageMax, Context->QuotaNonPagedPoolUsageDiff, Context->QuotaNonPagedPoolUsage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->QuotaPeakNonPagedPoolUsageMin, Context->QuotaPeakNonPagedPoolUsageMax, Context->QuotaPeakNonPagedPoolUsageDiff, Context->QuotaPeakNonPagedPoolUsage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->PagefileUsageMin, Context->PagefileUsageMax, Context->PagefileUsageDiff, Context->PagefileUsage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->PagefileDeltaMin, Context->PagefileDeltaMax, Context->PagefileDeltaDiff, Context->PagefileDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->PeakPagefileUsageMin, Context->PeakPagefileUsageMax, Context->PeakPagefileUsageDiff, Context->PeakPagefileUsage); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->VirtualSizeMin, Context->VirtualSizeMax, Context->VirtualSizeDiff, Context->VirtualSize); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->PeakVirtualSizeMin, Context->PeakVirtualSizeMax, Context->PeakVirtualSizeDiff, Context->PeakVirtualSize); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->PageFaultCountMin, Context->PageFaultCountMax, Context->PageFaultCountDiff, Context->PageFaultCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->PageFaultsDeltaMin, Context->PageFaultsDeltaMax, Context->PageFaultsDeltaDiff, Context->PageFaultsDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->HardFaultCountMin, Context->HardFaultCountMax, Context->HardFaultCountDiff, Context->HardFaultCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->HardFaultsDeltaMin, Context->HardFaultsDeltaMax, Context->HardFaultsDeltaDiff, Context->HardFaultsDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->WorkingSetSizeMin, Context->WorkingSetSizeMax, Context->WorkingSetSizeDiff, Context->WorkingSetSize); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->PeakWorkingSetSizeMin, Context->PeakWorkingSetSizeMax, Context->PeakWorkingSetSizeDiff, Context->PeakWorkingSetSize); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->ReadOperationCountMin, Context->ReadOperationCountMax, Context->ReadOperationCountDiff, Context->ReadOperationCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoReadCountDeltaMin, Context->IoReadCountDeltaMax, Context->IoReadCountDeltaDiff, Context->IoReadCountDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->ReadTransferCountMin, Context->ReadTransferCountMax, Context->ReadTransferCountDiff, Context->ReadTransferCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoReadDeltaMin, Context->IoReadDeltaMax, Context->IoReadDeltaDiff, Context->IoReadDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->WriteOperationCountMin, Context->WriteOperationCountMax, Context->WriteOperationCountDiff, Context->WriteOperationCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoWriteCountDeltaMin, Context->IoWriteCountDeltaMax, Context->IoWriteCountDeltaDiff, Context->IoWriteCountDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->WriteTransferCountMin, Context->WriteTransferCountMax, Context->WriteTransferCountDiff, Context->WriteTransferCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoWriteDeltaMin, Context->IoWriteDeltaMax, Context->IoWriteDeltaDiff, Context->IoWriteDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->OtherOperationCountMin, Context->OtherOperationCountMax, Context->OtherOperationCountDiff, Context->OtherOperationCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoOtherCountDeltaMin, Context->IoOtherCountDeltaMax, Context->IoOtherCountDeltaDiff, Context->IoOtherCountDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->OtherTransferCountMin, Context->OtherTransferCountMax, Context->OtherTransferCountDiff, Context->OtherTransferCount); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoOtherDeltaMin, Context->IoOtherDeltaMax, Context->IoOtherDeltaDiff, Context->IoOtherDelta); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoTotalMin, Context->IoTotalMax, Context->IoTotalDiff, Context->IoTotal); PH_PROCESS_STATISTICS_UPDATE_MINMAX(Context->IoTotalDeltaMin, Context->IoTotalDeltaMax, Context->IoTotalDeltaDiff, Context->IoTotalDelta); } VOID PhpUpdateProcessStatistics( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_STATISTICS_CONTEXT Context ) { PhUpdateProcessStatisticsValue(ProcessItem, Context); PhUpdateProcessStatisticsMinMax(ProcessItem, Context); if (ProcessItem->ProcessId == SYSTEM_PROCESS_ID) { PROCESS_HANDLE_INFORMATION handleInfo; PROCESS_UPTIME_INFORMATION uptimeInfo; ULONG objects; if (NT_SUCCESS(PhGetSessionGuiResources(GR_GDIOBJECTS, &objects))) // GDI handles { PhMoveReference(&Context->GdiHandles, PhFormatUInt64(objects, TRUE)); } if (NT_SUCCESS(PhGetSessionGuiResources(GR_USEROBJECTS, &objects))) // USER handles { PhMoveReference(&Context->UserHandles, PhFormatUInt64(objects, TRUE)); } if (NT_SUCCESS(PhGetSessionGuiResources(GR_GDIOBJECTS_PEAK, &objects))) // GDI handles (Peak) { PhMoveReference(&Context->PeakGdiHandles, PhFormatUInt64(objects, TRUE)); } if (NT_SUCCESS(PhGetSessionGuiResources(GR_USEROBJECTS_PEAK, &objects))) // USER handles (Peak) { PhMoveReference(&Context->PeakUserHandles, PhFormatUInt64(objects, TRUE)); } if (ProcessItem->QueryHandle) { if (NT_SUCCESS(PhGetProcessHandleCount(ProcessItem->QueryHandle, &handleInfo))) { // The HighWatermark changed on Windows 10 and doesn't track the peak handle count, // instead the value is now the maximum count of the handle freelist which decreases // when deallocating. So we'll track and cache the highest value where possible. (dmex) if (handleInfo.HandleCountHighWatermark > Context->PeakHandleCount) Context->PeakHandleCount = handleInfo.HandleCountHighWatermark; PhMoveReference(&Context->PeakHandles, PhFormatUInt64(Context->PeakHandleCount, TRUE)); } PhGetProcessPagePriority(ProcessItem->QueryHandle, &Context->PagePriority); PhGetProcessIoPriority(ProcessItem->QueryHandle, &Context->IoPriority); if (WindowsVersion >= WINDOWS_10_RS3 && NT_SUCCESS(PhGetProcessUptime(ProcessItem->QueryHandle, &uptimeInfo))) { Context->RunningTime = uptimeInfo.Uptime; Context->SuspendedTime = uptimeInfo.SuspendedTime; Context->HangCount = uptimeInfo.HangCount; Context->GhostCount = uptimeInfo.GhostCount; } } } else if (ProcessItem->QueryHandle) { PROCESS_HANDLE_INFORMATION handleInfo; PROCESS_UPTIME_INFORMATION uptimeInfo; ULONG objects; ULONG objectsTotal; if (NT_SUCCESS(PhGetProcessHandleCount(ProcessItem->QueryHandle, &handleInfo))) { // The HighWatermark changed on Windows 10 and doesn't track the peak handle count, // instead the value is now the maximum count of the handle freelist which decreases // when deallocating. So we'll track and cache the highest value where possible. (dmex) if (handleInfo.HandleCountHighWatermark > Context->PeakHandleCount) Context->PeakHandleCount = handleInfo.HandleCountHighWatermark; PhMoveReference(&Context->PeakHandles, PhFormatUInt64(Context->PeakHandleCount, TRUE)); } if (NT_SUCCESS(PhGetProcessGuiResources(ProcessItem->QueryHandle, GR_GDIOBJECTS, &objects))) // GDI handles { if (!NT_SUCCESS(PhGetSessionGuiResources(GR_GDIOBJECTS, &objectsTotal))) objectsTotal = 1; PPH_STRING string = PhFormatUInt64(objects, TRUE); PhMoveReference(&string, PhFormatString(L"%s (%.2f%%)", PhGetString(string), (FLOAT)objects / (FLOAT)objectsTotal * 100.0f)); PhMoveReference(&Context->GdiHandles, string); } if (NT_SUCCESS(PhGetProcessGuiResources(ProcessItem->QueryHandle, GR_USEROBJECTS, &objects))) // USER handles { if (!NT_SUCCESS(PhGetSessionGuiResources(GR_USEROBJECTS, &objectsTotal))) objectsTotal = 1; PPH_STRING string = PhFormatUInt64(objects, TRUE); PhMoveReference(&string, PhFormatString(L"%s (%.2f%%)", PhGetString(string), (FLOAT)objects / (FLOAT)objectsTotal * 100.0f)); PhMoveReference(&Context->UserHandles, string); } if (NT_SUCCESS(PhGetProcessGuiResources(ProcessItem->QueryHandle, GR_GDIOBJECTS_PEAK, &objects))) // GDI handles (Peak) { if (!NT_SUCCESS(PhGetSessionGuiResources(GR_GDIOBJECTS_PEAK, &objectsTotal))) objectsTotal = 1; PPH_STRING string = PhFormatUInt64(objects, TRUE); PhMoveReference(&string, PhFormatString(L"%s (%.2f%%)", PhGetString(string), (FLOAT)objects / (FLOAT)objectsTotal * 100.0f)); PhMoveReference(&Context->PeakGdiHandles, string); } if (NT_SUCCESS(PhGetProcessGuiResources(ProcessItem->QueryHandle, GR_USEROBJECTS_PEAK, &objects))) // USER handles (Peak) { if (!NT_SUCCESS(PhGetSessionGuiResources(GR_USEROBJECTS_PEAK, &objectsTotal))) objectsTotal = 1; PPH_STRING string = PhFormatUInt64(objects, TRUE); PhMoveReference(&string, PhFormatString(L"%s (%.2f%%)", PhGetString(string), (FLOAT)objects / (FLOAT)objectsTotal * 100.0f)); PhMoveReference(&Context->PeakUserHandles, string); } PhGetProcessPagePriority(ProcessItem->QueryHandle, &Context->PagePriority); PhGetProcessIoPriority(ProcessItem->QueryHandle, &Context->IoPriority); if (WindowsVersion >= WINDOWS_10_RS3 && NT_SUCCESS(PhGetProcessUptime(ProcessItem->QueryHandle, &uptimeInfo))) { Context->RunningTime = uptimeInfo.Uptime; Context->SuspendedTime = uptimeInfo.SuspendedTime; Context->HangCount = uptimeInfo.HangCount; Context->GhostCount = uptimeInfo.GhostCount; } } if (WindowsVersion >= WINDOWS_10_RS3 && !PhIsExecutingInWow64()) { PVOID processes; PSYSTEM_PROCESS_INFORMATION processInfo; PSYSTEM_PROCESS_INFORMATION_EXTENSION processExtension; if (NT_SUCCESS(PhEnumProcesses(&processes))) { processInfo = PhFindProcessInformation(processes, ProcessItem->ProcessId); if (processInfo && (processExtension = PH_PROCESS_EXTENSION(processInfo))) { //Context->ContextSwitches = processExtension->ContextSwitches; Context->NetworkTxRxBytes = processExtension->EnergyValues.NetworkTxRxBytes; } PhFree(processes); } } PhRedrawListViewItems(Context->ListViewHandle); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI PhpStatisticsUpdateHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_STATISTICS_CONTEXT statisticsContext = (PPH_STATISTICS_CONTEXT)Context; if (statisticsContext->Enabled) { PostMessage(statisticsContext->WindowHandle, WM_PH_STATISTICS_UPDATE, 0, 0); } } INT_PTR CALLBACK PhpProcessStatisticsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_STATISTICS_CONTEXT statisticsContext; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem)) { statisticsContext = (PPH_STATISTICS_CONTEXT)propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { statisticsContext = propPageContext->Context = PhAllocateZero(sizeof(PH_STATISTICS_CONTEXT)); statisticsContext->WindowHandle = hwndDlg; statisticsContext->ListViewHandle = GetDlgItem(hwndDlg, IDC_STATISTICS_LIST); if (PhTreeWindowFont) { statisticsContext->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(statisticsContext->ListViewHandle, statisticsContext->TreeNewFont, FALSE); } statisticsContext->ListViewContext = PhListView_Initialize(statisticsContext->ListViewHandle); statisticsContext->ProcessItem = processItem; statisticsContext->Enabled = TRUE; statisticsContext->PagePriority = ULONG_MAX; statisticsContext->IoPriority = LONG_MAX; // Try to open a process handle with PROCESS_QUERY_INFORMATION access for WS information. if (PH_IS_REAL_PROCESS_ID(processItem->ProcessId)) { PhOpenProcess( &statisticsContext->ProcessHandle, PROCESS_QUERY_INFORMATION, processItem->ProcessId ); } PhSetListViewStyle(statisticsContext->ListViewHandle, TRUE, TRUE); PhSetControlTheme(statisticsContext->ListViewHandle, L"explorer"); PhSetExtendedListView(statisticsContext->ListViewHandle); PhListView_AddColumn(statisticsContext->ListViewContext, 0, 0, 0, LVCFMT_LEFT, 135, L"Property"); PhListView_AddColumn(statisticsContext->ListViewContext, 1, 1, 1, LVCFMT_LEFT, 150, L"Value"); PhListView_AddColumn(statisticsContext->ListViewContext, 2, 2, 2, LVCFMT_LEFT, 150, L"Min"); PhListView_AddColumn(statisticsContext->ListViewContext, 3, 3, 3, LVCFMT_LEFT, 150, L"Max"); PhListView_AddColumn(statisticsContext->ListViewContext, 4, 4, 4, LVCFMT_LEFT, 150, L"Difference"); ExtendedListView_SetTriState(statisticsContext->ListViewHandle, TRUE); PhpUpdateStatisticsAddListViewGroups(statisticsContext); PhLoadListViewColumnsFromSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_COLUMNS, statisticsContext->ListViewHandle); PhLoadListViewSortColumnsFromSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_SORT, statisticsContext->ListViewHandle); PhLoadListViewGroupStatesFromSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_STATES, statisticsContext->ListViewHandle); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhpStatisticsUpdateHandler, statisticsContext, &statisticsContext->ProcessesUpdatedRegistration ); PhpUpdateProcessStatistics(processItem, statisticsContext); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveListViewSortColumnsToSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_SORT, statisticsContext->ListViewHandle); PhSaveListViewColumnsToSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_COLUMNS, statisticsContext->ListViewHandle); PhSaveListViewGroupStatesToSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_STATES, statisticsContext->ListViewHandle); PhUnregisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), &statisticsContext->ProcessesUpdatedRegistration ); if (statisticsContext->ListViewContext) { PhListView_Destroy(statisticsContext->ListViewContext); statisticsContext->ListViewContext = NULL; } if (statisticsContext->TreeNewFont) DeleteFont(statisticsContext->TreeNewFont); } break; case WM_NCDESTROY: { if (statisticsContext->ProcessHandle) NtClose(statisticsContext->ProcessHandle); PhFree(statisticsContext); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, statisticsContext->ListViewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } //ExtendedListView_SetColumnWidth(statisticsContext->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; PhHandleListViewNotifyBehaviors(lParam, statisticsContext->ListViewHandle, PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); switch (header->code) { case PSN_SETACTIVE: statisticsContext->Enabled = TRUE; break; case PSN_KILLACTIVE: statisticsContext->Enabled = FALSE; break; case LVN_GETDISPINFO: { NMLVDISPINFO* dispInfo = (NMLVDISPINFO*)header; if (dispInfo->item.iSubItem == 1) { if (FlagOn(dispInfo->item.mask, LVIF_TEXT)) { switch (PtrToUlong((PVOID)dispInfo->item.lParam)) { case PH_PROCESS_STATISTICS_INDEX_CPU: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsage); break; case PH_PROCESS_STATISTICS_INDEX_CPUUSER: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageUser); break; case PH_PROCESS_STATISTICS_INDEX_CPUKERNEL: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageKernel); break; case PH_PROCESS_STATISTICS_INDEX_CPUAVERAGE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageAverage); break; case PH_PROCESS_STATISTICS_INDEX_CPURELATIVE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageRelative); break; case PH_PROCESS_STATISTICS_INDEX_CYCLES: { PH_FORMAT format[1]; WCHAR buffer[PH_INT64_STR_LEN_1]; if (statisticsContext->GotCycles) { PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTime); } //else if (statisticsContext->CycleTimeDelta) //{ // PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTimeDelta); //} else { PhInitFormatS(&format[0], L"N/A"); } if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), NULL)) { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, buffer, _TRUNCATE); } } break; case PH_PROCESS_STATISTICS_INDEX_KERNELTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTime); break; case PH_PROCESS_STATISTICS_INDEX_USERTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->UserTime); break; case PH_PROCESS_STATISTICS_INDEX_TOTALTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTime + statisticsContext->UserTime); break; case PH_PROCESS_STATISTICS_INDEX_CYCLESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->CycleTimeDelta); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitches); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitchesDelta); break; case PH_PROCESS_STATISTICS_INDEX_KERNELDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDelta); break; case PH_PROCESS_STATISTICS_INDEX_USERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->UserTimeDelta); break; case PH_PROCESS_STATISTICS_INDEX_TOTALDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDelta + statisticsContext->UserTimeDelta); break; case PH_PROCESS_STATISTICS_INDEX_PRIORITY: { WCHAR priority[PH_INT32_STR_LEN_1] = L""; PhPrintInt32(priority, statisticsContext->ProcessItem->BasePriority); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, priority, _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ProcessItem->VmCounters.PagefileUsage); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTESDELTA: PhpUpdateProcessStatisticDelta(dispInfo, statisticsContext->ProcessItem->PrivateBytesDelta.Delta); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ProcessItem->VmCounters.PeakPagefileUsage); break; case PH_PROCESS_STATISTICS_INDEX_VIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ProcessItem->VmCounters.VirtualSize); break; case PH_PROCESS_STATISTICS_INDEX_PEAKVIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ProcessItem->VmCounters.PeakVirtualSize); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ProcessItem->VmCounters.PageFaultCount); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ProcessItem->PageFaultsDelta.Delta); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ProcessItem->HardFaultCount); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ProcessItem->HardFaultsDelta.Delta); break; case PH_PROCESS_STATISTICS_INDEX_WORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ProcessItem->VmCounters.WorkingSetSize); break; case PH_PROCESS_STATISTICS_INDEX_PEAKWORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ProcessItem->VmCounters.PeakWorkingSetSize); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEWS: { if (statisticsContext->NumberOfPrivatePages) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfPrivatePages); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREABLEWS: { if (statisticsContext->NumberOfShareablePages) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfShareablePages); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREDWS: { if (statisticsContext->NumberOfSharedPages) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfSharedPages); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPagedPoolUsage); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakPagedPoolUsage); break; case PH_PROCESS_STATISTICS_INDEX_NONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaNonPagedPoolUsage); break; case PH_PROCESS_STATISTICS_INDEX_PEAKNONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakNonPagedPoolUsage); break; case PH_PROCESS_STATISTICS_INDEX_SHAREDCOMMIT: { if (statisticsContext->SharedCommitUsage) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->SharedCommitUsage); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMIT: { if (statisticsContext->PrivateCommitUsage) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PrivateCommitUsage); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATECOMMIT: { if (statisticsContext->PeakPrivateCommitUsage) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakPrivateCommitUsage); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEPRIORITY: { if (statisticsContext->PagePriority != ULONG_MAX && statisticsContext->PagePriority <= MEMORY_PRIORITY_NORMAL) { const PH_STRINGREF pagePriority = PhPagePriorityNames[statisticsContext->PagePriority]; wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, pagePriority.Buffer, _TRUNCATE); } else { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } } break; //case PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMITLIMIT: // { // wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->PrivateCommitLimit, L"N/A"), _TRUNCATE); // } // break; //case PH_PROCESS_STATISTICS_INDEX_TOTALCOMMITLIMIT: // { // wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->TotalCommitLimit, L"N/A"), _TRUNCATE); // } // break; case PH_PROCESS_STATISTICS_INDEX_READS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ReadOperationCount); break; case PH_PROCESS_STATISTICS_INDEX_READSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadCountDelta); break; case PH_PROCESS_STATISTICS_INDEX_READBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ReadTransferCount); break; case PH_PROCESS_STATISTICS_INDEX_READBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadDelta); break; case PH_PROCESS_STATISTICS_INDEX_WRITES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->WriteOperationCount); break; case PH_PROCESS_STATISTICS_INDEX_WRITESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoWriteCountDelta); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->WriteTransferCount); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->IoWriteDelta); break; case PH_PROCESS_STATISTICS_INDEX_OTHER: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->OtherOperationCount); break; case PH_PROCESS_STATISTICS_INDEX_OTHERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoOtherCountDelta); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->OtherTransferCount); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTESDELTA: PhpUpdateProcessStatisticDeltaBytes(dispInfo, statisticsContext->ProcessItem->IoOtherDelta); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTAL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->IoTotalDelta); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTALDELTA: { PH_PROCESS_STATISTICS_FORMAT_SIZE( dispInfo, statisticsContext->ProcessItem->IoReadDelta.Delta + statisticsContext->ProcessItem->IoWriteDelta.Delta + statisticsContext->ProcessItem->IoOtherDelta.Delta ); } break; case PH_PROCESS_STATISTICS_INDEX_IOAVERAGE: { PH_FORMAT format[2]; SIZE_T returnLength; FLOAT cpuSumValue = 0; FLOAT cpuAverageValue = 0; WCHAR buffer[PH_INT64_STR_LEN_1]; for (ULONG i = 0; i < statisticsContext->ProcessItem->IoReadHistory.Count; i++) { cpuSumValue += (FLOAT)PhGetItemCircularBuffer_ULONG64(&statisticsContext->ProcessItem->IoReadHistory, i) + (FLOAT)PhGetItemCircularBuffer_ULONG64(&statisticsContext->ProcessItem->IoWriteHistory, i) + (FLOAT)PhGetItemCircularBuffer_ULONG64(&statisticsContext->ProcessItem->IoOtherHistory, i); } if (statisticsContext->ProcessItem->IoReadHistory.Count) { cpuAverageValue = (FLOAT)cpuSumValue / statisticsContext->ProcessItem->IoReadHistory.Count; } PhInitFormatSize(&format[0], (ULONG64)cpuAverageValue); PhInitFormatS(&format[1], L"/s"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, buffer, _TRUNCATE); } } break; case PH_PROCESS_STATISTICS_INDEX_IOPRIORITY: { if (statisticsContext->IoPriority != LONG_MAX && statisticsContext->IoPriority >= IoPriorityVeryLow && statisticsContext->IoPriority <= MaxIoPriorityTypes) { const PH_STRINGREF ioPriority = PhIoPriorityHintNames[statisticsContext->IoPriority]; wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, ioPriority.Buffer, _TRUNCATE); } else { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } } break; case PH_PROCESS_STATISTICS_INDEX_HANDLES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ProcessItem->NumberOfHandles); break; case PH_PROCESS_STATISTICS_INDEX_PEAKHANDLES: { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->PeakHandles, L"N/A"), _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_GDIHANDLES: { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->GdiHandles, L"N/A"), _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PEAKGDIHANDLES: { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->PeakGdiHandles, L"N/A"), _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_USERHANDLES: { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->UserHandles, L"N/A"), _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PEAKUSERHANDLES: { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, PhGetStringOrDefault(statisticsContext->PeakUserHandles, L"N/A"), _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_RUNNINGTIME: { WCHAR timeSpan[PH_TIMESPAN_STR_LEN_1] = L""; PhPrintTimeSpan(timeSpan, statisticsContext->RunningTime, PH_TIMESPAN_HMSM); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, timeSpan, _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SUSPENDEDTIME: { WCHAR timeSpan[PH_TIMESPAN_STR_LEN_1] = L""; PhPrintTimeSpan(timeSpan, statisticsContext->SuspendedTime, PH_TIMESPAN_HMSM); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, timeSpan, _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_HANGCOUNT: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->HangCount); break; case PH_PROCESS_STATISTICS_INDEX_GHOSTCOUNT: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->GhostCount); break; //case PH_PROCESS_STATISTICS_INDEX_DISKREAD: // { // PPH_STRING value; // // if (!statisticsContext->ProcessExtension) // break; // // value = PhFormatUInt64(statisticsContext->ProcessExtension->DiskCounters.BytesRead, TRUE); // wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, value->Buffer, _TRUNCATE); // PhDereferenceObject(value); // } // break; //case PH_PROCESS_STATISTICS_INDEX_DISKWRITE: // { // PPH_STRING value; // // if (!statisticsContext->ProcessExtension) // break; // // value = PhFormatSize(statisticsContext->ProcessExtension->DiskCounters.BytesWritten, ULONG_MAX); // wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, value->Buffer, _TRUNCATE); // PhDereferenceObject(value); // } // break; case PH_PROCESS_STATISTICS_INDEX_NETWORKTXRXBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NetworkTxRxBytes); break; //case PH_PROCESS_STATISTICS_INDEX_MBBTXRXBYTES: // { // PPH_STRING value; // // if (!statisticsContext->ProcessExtension) // break; // // value = PhFormatSize(statisticsContext->ProcessExtension->EnergyValues.MBBTxRxBytes, ULONG_MAX); // wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, value->Buffer, _TRUNCATE); // PhDereferenceObject(value); // } // break; case PH_PROCESS_STATISTICS_INDEX_MOUSE: { PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->MouseDelta.Value); } break; case PH_PROCESS_STATISTICS_INDEX_KEYBOARD: { PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KeyboardDelta.Value); } break; default: { if (PhPluginsEnabled) { PH_PLUGIN_PROCESS_STATS_EVENT notifyEvent; notifyEvent.Version = 0; notifyEvent.Type = 2; notifyEvent.ProcessItem = statisticsContext->ProcessItem; notifyEvent.Parameter = dispInfo; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackProcessStatsNotifyEvent), ¬ifyEvent); } } break; } } } if (FlagOn(dispInfo->item.mask, LVIF_TEXT)) { if (dispInfo->item.iSubItem == 2) { switch (PtrToUlong((PVOID)dispInfo->item.lParam)) { case PH_PROCESS_STATISTICS_INDEX_CPU: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageMin); break; case PH_PROCESS_STATISTICS_INDEX_CPUUSER: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageUserMin); break; case PH_PROCESS_STATISTICS_INDEX_CPUKERNEL: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageKernelMin); break; case PH_PROCESS_STATISTICS_INDEX_CPUAVERAGE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageAverageMin); break; case PH_PROCESS_STATISTICS_INDEX_CPURELATIVE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageRelativeMin); break; case PH_PROCESS_STATISTICS_INDEX_CYCLES: { PH_FORMAT format[1]; WCHAR buffer[PH_INT64_STR_LEN_1]; if (statisticsContext->GotCycles) { PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTimeMin); } //else if (statisticsContext->CycleTimeDeltaMin) //{ // PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTimeDeltaMin); //} else { PhInitFormatS(&format[0], L"N/A"); } if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), NULL)) { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, buffer, _TRUNCATE); } } break; case PH_PROCESS_STATISTICS_INDEX_CYCLESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->CycleTimeDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitchesMin); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitchesDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_KERNELTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTimeMin); break; case PH_PROCESS_STATISTICS_INDEX_USERTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->UserTimeMin); break; case PH_PROCESS_STATISTICS_INDEX_TOTALTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTimeMin + statisticsContext->UserTimeMin); break; case PH_PROCESS_STATISTICS_INDEX_KERNELDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_USERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->UserTimeDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_TOTALDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDeltaMin + statisticsContext->UserTimeDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_PRIORITY: { WCHAR priority[PH_INT32_STR_LEN_1] = L""; PhPrintInt32(priority, statisticsContext->BasePriorityMin); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, priority, _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PagefileUsageMin); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTESDELTA: PhpUpdateProcessStatisticDelta(dispInfo, statisticsContext->PagefileDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakPagefileUsageMin); break; case PH_PROCESS_STATISTICS_INDEX_VIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->VirtualSizeMin); break; case PH_PROCESS_STATISTICS_INDEX_PEAKVIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakVirtualSizeMin); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->PageFaultCountMin); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->PageFaultsDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->HardFaultCountMin); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->HardFaultsDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_WORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->WorkingSetSizeMin); break; case PH_PROCESS_STATISTICS_INDEX_PEAKWORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakWorkingSetSizeMin); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEWS: { if (statisticsContext->NumberOfPrivatePagesMin) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfPrivatePagesMin); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREABLEWS: { if (statisticsContext->NumberOfShareablePagesMin) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfShareablePagesMin); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREDWS: { if (statisticsContext->NumberOfSharedPagesMin) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfSharedPagesMin); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPagedPoolUsageMin); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakPagedPoolUsageMin); break; case PH_PROCESS_STATISTICS_INDEX_NONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaNonPagedPoolUsageMin); break; case PH_PROCESS_STATISTICS_INDEX_PEAKNONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakNonPagedPoolUsageMin); break; case PH_PROCESS_STATISTICS_INDEX_SHAREDCOMMIT: { if (statisticsContext->SharedCommitUsageMin) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->SharedCommitUsageMin); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMIT: { if (statisticsContext->PrivateCommitUsageMin) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PrivateCommitUsageMin); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATECOMMIT: { if (statisticsContext->PeakPrivateCommitUsageMin) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakPrivateCommitUsageMin); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEPRIORITY: { } break; case PH_PROCESS_STATISTICS_INDEX_READS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ReadOperationCountMin); break; case PH_PROCESS_STATISTICS_INDEX_READSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadCountDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_READBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ReadTransferCountMin); break; case PH_PROCESS_STATISTICS_INDEX_READBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_WRITES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->WriteOperationCountMin); break; case PH_PROCESS_STATISTICS_INDEX_WRITESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoWriteCountDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->WriteTransferCountMin); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoWriteDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_OTHER: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->OtherOperationCountMin); break; case PH_PROCESS_STATISTICS_INDEX_OTHERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoOtherCountDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->OtherTransferCountMin); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoOtherDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTAL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->IoTotalDeltaMin); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTALDELTA: { PH_PROCESS_STATISTICS_FORMAT_SIZE( dispInfo, statisticsContext->ProcessItem->IoReadDelta.Delta + statisticsContext->ProcessItem->IoWriteDelta.Delta + statisticsContext->ProcessItem->IoOtherDelta.Delta ); } break; } } else if (dispInfo->item.iSubItem == 3) { switch (PtrToUlong((PVOID)dispInfo->item.lParam)) { case PH_PROCESS_STATISTICS_INDEX_CPU: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageMax); break; case PH_PROCESS_STATISTICS_INDEX_CPUUSER: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageUserMax); break; case PH_PROCESS_STATISTICS_INDEX_CPUKERNEL: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageKernelMax); break; case PH_PROCESS_STATISTICS_INDEX_CPUAVERAGE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageAverageMax); break; case PH_PROCESS_STATISTICS_INDEX_CPURELATIVE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageRelativeMax); break; case PH_PROCESS_STATISTICS_INDEX_CYCLES: { PH_FORMAT format[1]; WCHAR buffer[PH_INT64_STR_LEN_1]; if (statisticsContext->GotCycles) { PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTimeMax); } //else if (statisticsContext->CycleTimeDeltaMax) //{ // PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTimeDeltaMax); //} else { PhInitFormatS(&format[0], L"N/A"); } if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), NULL)) { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, buffer, _TRUNCATE); } } break; case PH_PROCESS_STATISTICS_INDEX_CYCLESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->CycleTimeDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitchesMax); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitchesDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_KERNELTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTimeMax); break; case PH_PROCESS_STATISTICS_INDEX_USERTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->UserTimeMax); break; case PH_PROCESS_STATISTICS_INDEX_TOTALTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTimeMax + statisticsContext->UserTimeMax); break; case PH_PROCESS_STATISTICS_INDEX_KERNELDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_USERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->UserTimeDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_TOTALDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDeltaMax + statisticsContext->UserTimeDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_PRIORITY: { WCHAR priority[PH_INT32_STR_LEN_1] = L""; PhPrintInt32(priority, statisticsContext->BasePriorityMax); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, priority, _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PagefileUsageMax); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTESDELTA: PhpUpdateProcessStatisticDelta(dispInfo, statisticsContext->PagefileDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakPagefileUsageMax); break; case PH_PROCESS_STATISTICS_INDEX_VIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->VirtualSizeMax); break; case PH_PROCESS_STATISTICS_INDEX_PEAKVIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakVirtualSizeMax); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->PageFaultCountMax); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->PageFaultsDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->HardFaultCountMax); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->HardFaultsDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_WORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->WorkingSetSizeMax); break; case PH_PROCESS_STATISTICS_INDEX_PEAKWORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakWorkingSetSizeMax); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEWS: { if (statisticsContext->NumberOfPrivatePagesMax) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfPrivatePagesMax); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREABLEWS: { if (statisticsContext->NumberOfShareablePagesMax) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfShareablePagesMax); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREDWS: { if (statisticsContext->NumberOfSharedPagesMax) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfSharedPagesMax); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPagedPoolUsageMax); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakPagedPoolUsageMax); break; case PH_PROCESS_STATISTICS_INDEX_NONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaNonPagedPoolUsageMax); break; case PH_PROCESS_STATISTICS_INDEX_PEAKNONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakNonPagedPoolUsageMax); break; case PH_PROCESS_STATISTICS_INDEX_SHAREDCOMMIT: { if (statisticsContext->SharedCommitUsageMax) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->SharedCommitUsageMax); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMIT: { if (statisticsContext->PrivateCommitUsageMax) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PrivateCommitUsageMax); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATECOMMIT: { if (statisticsContext->PeakPrivateCommitUsageMax) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakPrivateCommitUsageMax); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEPRIORITY: { } break; case PH_PROCESS_STATISTICS_INDEX_READS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ReadOperationCountMax); break; case PH_PROCESS_STATISTICS_INDEX_READSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadCountDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_READBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ReadTransferCountMax); break; case PH_PROCESS_STATISTICS_INDEX_READBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_WRITES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->WriteOperationCountMax); break; case PH_PROCESS_STATISTICS_INDEX_WRITESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoWriteCountDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->WriteTransferCountMax); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoWriteDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_OTHER: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->OtherOperationCountMax); break; case PH_PROCESS_STATISTICS_INDEX_OTHERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoOtherCountDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->OtherTransferCountMax); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoOtherDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTAL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->IoTotalDeltaMax); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTALDELTA: break; } } else if (dispInfo->item.iSubItem == 4) { switch (PtrToUlong((PVOID)dispInfo->item.lParam)) { case PH_PROCESS_STATISTICS_INDEX_CPU: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageDiff); break; case PH_PROCESS_STATISTICS_INDEX_CPUUSER: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageUserDiff); break; case PH_PROCESS_STATISTICS_INDEX_CPUKERNEL: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageKernelDiff); break; case PH_PROCESS_STATISTICS_INDEX_CPUAVERAGE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageAverageDiff); break; case PH_PROCESS_STATISTICS_INDEX_CPURELATIVE: PH_PROCESS_STATISTICS_FORMAT_F(dispInfo, statisticsContext->CpuUsageRelativeDiff); break; case PH_PROCESS_STATISTICS_INDEX_CYCLES: { PH_FORMAT format[1]; WCHAR buffer[PH_INT64_STR_LEN_1]; if (statisticsContext->GotCycles) { PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTimeDiff); } //else if (statisticsContext->CycleTimeDeltaDiff) //{ // PhInitFormatI64UGroupDigits(&format[0], statisticsContext->CycleTimeDeltaDiff); //} else { PhInitFormatS(&format[0], L"N/A"); } if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), NULL)) { wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, buffer, _TRUNCATE); } } break; case PH_PROCESS_STATISTICS_INDEX_CYCLESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->CycleTimeDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitchesDiff); break; case PH_PROCESS_STATISTICS_INDEX_CONTEXTSWITCHESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ContextSwitchesDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_KERNELTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTimeDiff); break; case PH_PROCESS_STATISTICS_INDEX_USERTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->UserTimeDiff); break; case PH_PROCESS_STATISTICS_INDEX_TOTALTIME: PH_PROCESS_STATISTICS_FORMAT_TIME(dispInfo, statisticsContext->KernelTimeDiff + statisticsContext->UserTimeDiff); break; case PH_PROCESS_STATISTICS_INDEX_KERNELDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_USERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->UserTimeDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_TOTALDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->KernelTimeDeltaDiff + statisticsContext->UserTimeDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_PRIORITY: { WCHAR priority[PH_INT32_STR_LEN_1] = L""; PhPrintInt32(priority, statisticsContext->BasePriorityDiff); wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, priority, _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PagefileUsageDiff); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEBYTESDELTA: PhpUpdateProcessStatisticDelta(dispInfo, statisticsContext->PagefileDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakPagefileUsageDiff); break; case PH_PROCESS_STATISTICS_INDEX_VIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->VirtualSizeDiff); break; case PH_PROCESS_STATISTICS_INDEX_PEAKVIRTUALSIZE: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakVirtualSizeDiff); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->PageFaultCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_PAGEFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->PageFaultsDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->HardFaultCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_HARDFAULTSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->HardFaultsDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_WORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->WorkingSetSizeDiff); break; case PH_PROCESS_STATISTICS_INDEX_PEAKWORKINGSET: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakWorkingSetSizeDiff); break; case PH_PROCESS_STATISTICS_INDEX_PRIVATEWS: { if (statisticsContext->NumberOfPrivatePagesDiff) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfPrivatePagesDiff); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREABLEWS: { if (statisticsContext->NumberOfShareablePagesDiff) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfShareablePagesDiff); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_SHAREDWS: { if (statisticsContext->NumberOfSharedPagesDiff) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->NumberOfSharedPagesDiff); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPagedPoolUsageDiff); break; case PH_PROCESS_STATISTICS_INDEX_PEAKPAGEDPOOL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakPagedPoolUsageDiff); break; case PH_PROCESS_STATISTICS_INDEX_NONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaNonPagedPoolUsageDiff); break; case PH_PROCESS_STATISTICS_INDEX_PEAKNONPAGED: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->QuotaPeakNonPagedPoolUsageDiff); break; case PH_PROCESS_STATISTICS_INDEX_SHAREDCOMMIT: { if (statisticsContext->SharedCommitUsageDiff) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->SharedCommitUsageDiff); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PRIVATECOMMIT: { if (statisticsContext->PrivateCommitUsageDiff) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PrivateCommitUsageDiff); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PEAKPRIVATECOMMIT: { if (statisticsContext->PeakPrivateCommitUsageDiff) PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->PeakPrivateCommitUsageDiff); else wcsncpy_s(dispInfo->item.pszText, dispInfo->item.cchTextMax, L"N/A", _TRUNCATE); } break; case PH_PROCESS_STATISTICS_INDEX_PAGEPRIORITY: { } break; case PH_PROCESS_STATISTICS_INDEX_READS: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->ReadOperationCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_READSDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadCountDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_READBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->ReadTransferCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_READBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoReadDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_WRITES: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->WriteOperationCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_WRITESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoWriteCountDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->WriteTransferCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_WRITEBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoWriteDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_OTHER: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->OtherOperationCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_OTHERDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoOtherCountDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTES: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->OtherTransferCountDiff); break; case PH_PROCESS_STATISTICS_INDEX_OTHERBYTESDELTA: PH_PROCESS_STATISTICS_FORMAT_I64U(dispInfo, statisticsContext->IoOtherDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTAL: PH_PROCESS_STATISTICS_FORMAT_SIZE(dispInfo, statisticsContext->IoTotalDeltaDiff); break; case PH_PROCESS_STATISTICS_INDEX_IOTOTALDELTA: break; } } } } break; } } break; case WM_PH_STATISTICS_UPDATE: { PhpUpdateProcessStatistics(processItem, statisticsContext); } break; case WM_SIZE: { //ExtendedListView_SetColumnWidth(statisticsContext->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == statisticsContext->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID *listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint((HWND)wParam, &point); PhGetSelectedListViewItemParams(statisticsContext->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, statisticsContext->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(statisticsContext->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/prpgthrd.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2018-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include static PH_STRINGREF EmptyThreadsText = PH_STRINGREF_INIT(L"There are no threads to display."); _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ThreadAddedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_THREADS_CONTEXT threadsContext = (PPH_THREADS_CONTEXT)Context; // Parameter contains a pointer to the added thread item. PhReferenceObject(Parameter); PhPushProviderEventQueue(&threadsContext->EventQueue, ProviderAddedEvent, Parameter, (ULONG)threadsContext->Provider->RunId); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ThreadModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_THREADS_CONTEXT threadsContext = (PPH_THREADS_CONTEXT)Context; PhPushProviderEventQueue(&threadsContext->EventQueue, ProviderModifiedEvent, Parameter, (ULONG)threadsContext->Provider->RunId); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ThreadRemovedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_THREADS_CONTEXT threadsContext = (PPH_THREADS_CONTEXT)Context; PhPushProviderEventQueue(&threadsContext->EventQueue, ProviderRemovedEvent, Parameter, (ULONG)threadsContext->Provider->RunId); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ThreadsUpdatedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_THREADS_CONTEXT threadsContext = (PPH_THREADS_CONTEXT)Context; PostMessage(threadsContext->WindowHandle, WM_PH_THREADS_UPDATED, (ULONG)threadsContext->Provider->RunId, threadsContext->Provider->RunId == 1); } _Function_class_(PH_CALLBACK_FUNCTION) static VOID NTAPI ThreadsLoadingStateChangedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_THREADS_CONTEXT threadsContext = (PPH_THREADS_CONTEXT)Context; //PostMessage( // threadsContext->ListContext.TreeNewHandle, // TNM_SETCURSOR, // 0, // // Parameter contains TRUE if loading symbols // (LPARAM)(Parameter ? PhLoadCursor(NULL, IDC_APPSTARTING) : NULL) // ); } VOID PhpInitializeThreadMenu( _In_ PPH_EMENU Menu, _In_ HANDLE ProcessId, _In_ PPH_THREAD_ITEM *Threads, _In_ ULONG NumberOfThreads ) { if (NumberOfThreads == 0) { PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } else if (NumberOfThreads == 1) { // All menu items are enabled by default. } else { ULONG menuItemsMultiEnabled[] = { ID_THREAD_TERMINATE, ID_THREAD_SUSPEND, ID_THREAD_RESUME, ID_THREAD_COPY, ID_THREAD_AFFINITY, }; ULONG i; PPH_EMENU_ITEM menuItem; PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); // These menu items are capable of manipulating // multiple threads. for (i = 0; i < sizeof(menuItemsMultiEnabled) / sizeof(ULONG); i++) { PhEnableEMenuItem(Menu, menuItemsMultiEnabled[i], TRUE); } if (menuItem = PhFindEMenuItem(Menu, PH_EMENU_FIND_DESCEND, L"&Priority", 0)) { PhSetEnabledEMenuItem(menuItem, TRUE); } } PhEnableEMenuItem(Menu, ID_THREAD_TOKEN, FALSE); // Critical if (NumberOfThreads == 1) { HANDLE threadHandle; if (NT_SUCCESS(PhOpenThread( &threadHandle, THREAD_QUERY_INFORMATION, Threads[0]->ThreadId ))) { BOOLEAN breakOnTermination; if (NT_SUCCESS(PhGetThreadBreakOnTermination( threadHandle, &breakOnTermination ))) { if (breakOnTermination) { PhSetFlagsEMenuItem(Menu, ID_THREAD_CRITICAL, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } NtClose(threadHandle); } } // Priority if (NumberOfThreads == 1) { HANDLE threadHandle; KPRIORITY threadPriority = THREAD_PRIORITY_ERROR_RETURN; IO_PRIORITY_HINT ioPriority = ULONG_MAX; ULONG pagePriority = ULONG_MAX; BOOLEAN threadPriorityBoost = FALSE; ULONG id = 0; if (NT_SUCCESS(PhOpenThread( &threadHandle, THREAD_QUERY_LIMITED_INFORMATION, Threads[0]->ThreadId ))) { HANDLE tokenHandle; PhGetThreadBasePriority(threadHandle, &threadPriority); PhGetThreadIoPriority(threadHandle, &ioPriority); PhGetThreadPagePriority(threadHandle, &pagePriority); PhGetThreadPriorityBoost(threadHandle, &threadPriorityBoost); if (NT_SUCCESS(PhOpenThreadToken( threadHandle, TOKEN_QUERY, TRUE, &tokenHandle ))) { PhEnableEMenuItem(Menu, ID_THREAD_TOKEN, TRUE); NtClose(tokenHandle); } NtClose(threadHandle); } // See PhGetBasePrioritySymbolicString if (threadPriority == THREAD_PRIORITY_ERROR_RETURN) NOTHING; else if (threadPriority > LOW_REALTIME_PRIORITY) // 16 NOTHING; else if (threadPriority <= THREAD_BASE_PRIORITY_IDLE) // -15 id = ID_PRIORITY_IDLE; else if (threadPriority < THREAD_BASE_PRIORITY_MIN) // -2 NOTHING; else if (threadPriority > THREAD_BASE_PRIORITY_MAX) // 2 id = ID_PRIORITY_TIMECRITICAL; else { switch (threadPriority) { case THREAD_PRIORITY_HIGHEST: // 2 id = ID_PRIORITY_HIGHEST; break; case THREAD_PRIORITY_ABOVE_NORMAL: // 1 id = ID_PRIORITY_ABOVENORMAL; break; case THREAD_PRIORITY_NORMAL: // 0 id = ID_PRIORITY_NORMAL; break; case THREAD_PRIORITY_BELOW_NORMAL: // -1 id = ID_PRIORITY_BELOWNORMAL; break; case THREAD_PRIORITY_LOWEST: // -2 id = ID_PRIORITY_LOWEST; break; DEFAULT_UNREACHABLE; } } if (id != 0) { PhSetFlagsEMenuItem(Menu, id, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK); } if (ioPriority != ULONG_MAX) { id = 0; switch (ioPriority) { case IoPriorityVeryLow: id = ID_IOPRIORITY_VERYLOW; break; case IoPriorityLow: id = ID_IOPRIORITY_LOW; break; case IoPriorityNormal: id = ID_IOPRIORITY_NORMAL; break; case IoPriorityHigh: id = ID_IOPRIORITY_HIGH; break; } if (id != 0) { PhSetFlagsEMenuItem(Menu, id, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK); } } if (pagePriority != ULONG_MAX) { id = 0; switch (pagePriority) { case MEMORY_PRIORITY_VERY_LOW: id = ID_PAGEPRIORITY_VERYLOW; break; case MEMORY_PRIORITY_LOW: id = ID_PAGEPRIORITY_LOW; break; case MEMORY_PRIORITY_MEDIUM: id = ID_PAGEPRIORITY_MEDIUM; break; case MEMORY_PRIORITY_BELOW_NORMAL: id = ID_PAGEPRIORITY_BELOWNORMAL; break; case MEMORY_PRIORITY_NORMAL: id = ID_PAGEPRIORITY_NORMAL; break; } if (id != 0) { PhSetFlagsEMenuItem(Menu, id, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK, PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK); } } if (threadPriorityBoost) { PhSetFlagsEMenuItem(Menu, ID_THREAD_BOOST, PH_EMENU_CHECKED, PH_EMENU_CHECKED); } } } static NTSTATUS NTAPI PhpThreadPermissionsOpenThread( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { if (Context) return PhOpenThread(Handle, DesiredAccess, (HANDLE)Context); return STATUS_UNSUCCESSFUL; } static NTSTATUS PhpThreadPermissionsCloseHandle( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) NtClose(Handle); return STATUS_SUCCESS; } static NTSTATUS NTAPI PhpOpenThreadTokenObject( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { if (Context) return PhOpenThreadToken((HANDLE)Context, DesiredAccess, TRUE, Handle); return STATUS_UNSUCCESSFUL; } static NTSTATUS PhpCloseThreadTokenObject( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) NtClose(Handle); return STATUS_SUCCESS; } BOOLEAN PhpThreadTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PPH_THREADS_CONTEXT Context ) { PPH_THREAD_NODE threadNode = (PPH_THREAD_NODE)Node; PPH_THREAD_ITEM threadItem = threadNode->ThreadItem; if (Context->ListContext.HideSuspended && threadItem->WaitReason == Suspended) return FALSE; if (Context->ListContext.HideGuiThreads && threadItem->IsGuiThread) return FALSE; if (!Context->SearchMatchHandle) return TRUE; // thread properties if (threadItem->ThreadIdString[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadItem->ThreadIdString)) return TRUE; } if (threadItem->ThreadIdHexString[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadItem->ThreadIdHexString)) return TRUE; } if (threadItem->LxssThreadIdString[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadItem->LxssThreadIdString)) return TRUE; } if (threadNode->PriorityText[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadNode->PriorityText)) return TRUE; } if (threadNode->BasePriorityText[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadNode->BasePriorityText)) return TRUE; } if (threadNode->IdealProcessorText[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadNode->IdealProcessorText)) return TRUE; } if (threadNode->ThreadIdHexText[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadNode->ThreadIdHexText)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->StartAddressText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->StartAddressText->sr)) return TRUE; } if (threadItem->BasePriority != THREAD_PRIORITY_ERROR_RETURN) { if (PhSearchControlMatch(Context->SearchMatchHandle, PhGetBasePrioritySymbolicString(threadItem->BasePriority))) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->CreatedText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->CreatedText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->NameText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->NameText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->StateText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->StateText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->LastSystemCallText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->LastSystemCallText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->LastErrorCodeText)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->LastErrorCodeText->sr)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->ThreadItem->ServiceName)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->ThreadItem->ServiceName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->ThreadItem->StartAddressWin32String)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->ThreadItem->StartAddressWin32String->sr)) return TRUE; } if (!PhIsNullOrEmptyString(threadNode->ThreadItem->StartAddressWin32FileName)) { if (PhSearchControlMatch(Context->SearchMatchHandle, &threadNode->ThreadItem->StartAddressWin32FileName->sr)) return TRUE; } if (threadNode->ActualBasePriorityText[0]) { if (PhSearchControlMatchLongHintZ(Context->SearchMatchHandle, threadNode->ActualBasePriorityText)) return TRUE; } return FALSE; } PPH_EMENU PhpCreateThreadMenu( VOID ) { PPH_EMENU menu; PPH_EMENU_ITEM menuItem; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_INSPECT, L"&Inspect\bEnter", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_TERMINATE, L"T&erminate\bDel", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_SUSPEND, L"&Suspend", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_RESUME, L"Res&ume", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_ANALYZE_WAIT, L"Analy&ze", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_AFFINITY, L"&Affinity", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_BOOST, L"&Boost", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_CRITICAL, L"Critical", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_PERMISSIONS, L"Per&missions", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_TOKEN, L"&Token", NULL, NULL), ULONG_MAX); menuItem = PhCreateEMenuItem(0, 0, L"&Priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_TIMECRITICAL, L"Time &critical", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_HIGHEST, L"&Highest", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_ABOVENORMAL, L"&Above normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_BELOWNORMAL, L"&Below normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_LOWEST, L"&Lowest", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PRIORITY_IDLE, L"&Idle", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, 0, L"&I/O priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_HIGH, L"&High", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_LOW, L"&Low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_IOPRIORITY_VERYLOW, L"&Very low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); menuItem = PhCreateEMenuItem(0, 0, L"Pa&ge priority", NULL, NULL); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_NORMAL, L"&Normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_BELOWNORMAL, L"&Below normal", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_MEDIUM, L"&Medium", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_LOW, L"&Low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menuItem, PhCreateEMenuItem(0, ID_PAGEPRIORITY_VERYLOW, L"&Very low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, menuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_THREAD_COPY, L"&Copy\bCtrl+C", NULL, NULL), ULONG_MAX); return menu; } VOID PhShowThreadContextMenu( _In_ HWND hwndDlg, _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_THREADS_CONTEXT Context, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenu ) { PPH_THREAD_ITEM *threads; ULONG numberOfThreads; PhGetSelectedThreadItems(&Context->ListContext, &threads, &numberOfThreads); if (numberOfThreads != 0) { PPH_EMENU menu; PPH_EMENU_ITEM item; PH_PLUGIN_MENU_INFORMATION menuInfo; menu = PhpCreateThreadMenu(); PhSetFlagsEMenuItem(menu, ID_THREAD_INSPECT, PH_EMENU_DEFAULT, PH_EMENU_DEFAULT); PhpInitializeThreadMenu(menu, ProcessItem->ProcessId, threads, numberOfThreads); PhInsertCopyCellEMenuItem(menu, ID_THREAD_COPY, Context->ListContext.TreeNewHandle, ContextMenu->Column); if (PhPluginsEnabled) { PhPluginInitializeMenuInfo(&menuInfo, menu, hwndDlg, 0); menuInfo.u.Thread.ProcessId = ProcessItem->ProcessId; menuInfo.u.Thread.Threads = threads; menuInfo.u.Thread.NumberOfThreads = numberOfThreads; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadMenuInitializing), &menuInfo); } item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenu->Location.x, ContextMenu->Location.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(item); if (!handled && PhPluginsEnabled) handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) SendMessage(hwndDlg, WM_COMMAND, item->Id, 0); } PhDestroyEMenu(menu); } PhFree(threads); } VOID PhpPopulateTableWithProcessThreadNodes( _In_ HWND TreeListHandle, _In_ PPH_THREAD_NODE Node, _In_ ULONG Level, _In_ PPH_STRING **Table, _Inout_ PULONG Index, _In_ PULONG DisplayToId, _In_ ULONG Columns ) { for (ULONG i = 0; i < Columns; i++) { PH_TREENEW_GET_CELL_TEXT getCellText; PPH_STRING text; getCellText.Node = &Node->Node; getCellText.Id = DisplayToId[i]; PhInitializeEmptyStringRef(&getCellText.Text); TreeNew_GetCellText(TreeListHandle, &getCellText); if (i != 0) { if (getCellText.Text.Length == 0) text = PhReferenceEmptyString(); else text = PhaCreateStringEx(getCellText.Text.Buffer, getCellText.Text.Length); } else { // If this is the first column in the row, add some indentation. text = PhaCreateStringEx( NULL, getCellText.Text.Length + UInt32x32To64(Level, 2) * sizeof(WCHAR) ); wmemset(text->Buffer, L' ', UInt32x32To64(Level, 2)); memcpy(&text->Buffer[UInt32x32To64(Level, 2)], getCellText.Text.Buffer, getCellText.Text.Length); } Table[*Index][i] = text; } (*Index)++; } VOID PhExpandAllThreadNodes( _In_ PPH_THREADS_CONTEXT ThreadsContext, _In_ BOOLEAN Expand ) { BOOLEAN needsRestructure = FALSE; for (ULONG i = 0; i < ThreadsContext->ListContext.NodeList->Count; i++) { PPH_THREAD_NODE node = ThreadsContext->ListContext.NodeList->Items[i]; if (node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } if (needsRestructure) TreeNew_NodesStructured(ThreadsContext->TreeNewHandle); } VOID PhInvalidateAllThreadNodes( _In_ PPH_THREADS_CONTEXT ThreadsContext ) { for (ULONG i = 0; i < ThreadsContext->ListContext.NodeList->Count; i++) { PPH_THREAD_NODE node = ThreadsContext->ListContext.NodeList->Items[i]; memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PH_THREAD_TREELIST_COLUMN_MAXIMUM); PhInvalidateTreeNewNode(&node->Node, TN_CACHE_COLOR); node->ValidMask = 0; } InvalidateRect(ThreadsContext->TreeNewHandle, NULL, FALSE); } static VOID PhDeselectAllThreadNodes( _In_ PPH_THREAD_LIST_CONTEXT Context ) { TreeNew_DeselectRange(Context->TreeNewHandle, 0, -1); } VOID PhSelectAndEnsureVisibleThreadNodes( _In_ PPH_THREADS_CONTEXT ThreadsContext, _In_ PPH_THREAD_NODE *ThreadNodes, _In_ ULONG NumberOfThreadNodes ) { ULONG i; PPH_THREAD_NODE leader = NULL; PPH_THREAD_NODE node; BOOLEAN needsRestructure = FALSE; PhDeselectAllThreadNodes(&ThreadsContext->ListContext); for (i = 0; i < NumberOfThreadNodes; i++) { if (ThreadNodes[i]->Node.Visible) { leader = ThreadNodes[i]; break; } } if (!leader) return; for (i = 0; i < NumberOfThreadNodes; i++) { node = ThreadNodes[i]; if (!node->Node.Visible) continue; node->Node.Selected = TRUE; } if (needsRestructure) TreeNew_NodesStructured(ThreadsContext->TreeNewHandle); TreeNew_FocusMarkSelectNode(ThreadsContext->TreeNewHandle, &leader->Node); } VOID PhSelectAndEnsureVisibleThreadNode( _In_ PPH_THREADS_CONTEXT ThreadsContext, _In_ PPH_THREAD_NODE ThreadNode ) { PhSelectAndEnsureVisibleThreadNodes(ThreadsContext, &ThreadNode, 1); } PPH_LIST PhpGetProcessThreadTreeListLines( _In_ HWND TreeListHandle, _In_ ULONG NumberOfNodes, _In_ PPH_LIST RootNodes, _In_ ULONG Mode ) { PH_AUTO_POOL autoPool; PPH_LIST lines; // The number of rows in the table (including +1 for the column headers). ULONG rows; // The number of columns. ULONG columns; // A column display index to ID map. PULONG displayToId; // A column display index to text map. PWSTR *displayToText; // The actual string table. PPH_STRING **table; ULONG i; ULONG j; // Use a local auto-pool to make memory management a bit less painful. PhInitializeAutoPool(&autoPool); rows = NumberOfNodes + 1; // Create the display index to ID map. PhMapDisplayIndexTreeNew(TreeListHandle, &displayToId, &displayToText, &columns); PhaCreateTextTable(&table, rows, columns); // Populate the first row with the column headers. for (i = 0; i < columns; i++) { table[0][i] = PhaCreateString(displayToText[i]); } // Go through the nodes in the process tree and populate each cell of the table. j = 1; // index starts at one because the first row contains the column headers. for (i = 0; i < RootNodes->Count; i++) { PhpPopulateTableWithProcessThreadNodes( TreeListHandle, RootNodes->Items[i], 0, table, &j, displayToId, columns ); } PhFree(displayToId); PhFree(displayToText); lines = PhaFormatTextTable(table, rows, columns, Mode); PhDeleteAutoPool(&autoPool); return lines; } VOID PhpProcessThreadsSave( _In_ PPH_THREADS_CONTEXT ThreadsContext ) { static PH_FILETYPE_FILTER filters[] = { { L"Text files (*.txt;*.log)", L"*.txt;*.log" }, { L"Comma-separated values (*.csv)", L"*.csv" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog = PhCreateSaveFileDialog(); PH_FORMAT format[4]; PPH_PROCESS_ITEM processItem; processItem = PhReferenceProcessItem(ThreadsContext->Provider->ProcessId); PhInitFormatS(&format[0], L"System Informer ("); PhInitFormatS(&format[1], PhGetStringOrDefault(processItem->ProcessName, L"Unknown process")); PhInitFormatS(&format[2], L") Threads"); PhInitFormatS(&format[3], L".txt"); if (processItem) PhDereferenceObject(processItem); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, PH_AUTO_T(PH_STRING, PhFormat(format, 3, 60))->Buffer); if (PhShowFileDialog(ThreadsContext->WindowHandle, fileDialog)) { NTSTATUS status; PPH_STRING fileName; ULONG filterIndex; PPH_FILE_STREAM fileStream; fileName = PH_AUTO(PhGetFileDialogFileName(fileDialog)); filterIndex = PhGetFileDialogFilterIndex(fileDialog); if (NT_SUCCESS(status = PhCreateFileStream( &fileStream, fileName->Buffer, FILE_GENERIC_WRITE, FILE_SHARE_READ, FILE_OVERWRITE_IF, 0 ))) { ULONG mode; PPH_LIST lines; if (filterIndex == 2) mode = PH_EXPORT_MODE_CSV; else mode = PH_EXPORT_MODE_TABS; PhWriteStringAsUtf8FileStream(fileStream, (PPH_STRINGREF)&PhUnicodeByteOrderMark); if (mode != PH_EXPORT_MODE_CSV) { PhWritePhTextHeader(fileStream); } lines = PhpGetProcessThreadTreeListLines( ThreadsContext->TreeNewHandle, ThreadsContext->ListContext.NodeList->Count, ThreadsContext->ListContext.NodeList, mode ); for (ULONG i = 0; i < lines->Count; i++) { PPH_STRING line; line = lines->Items[i]; PhWriteStringAsUtf8FileStream(fileStream, &line->sr); PhDereferenceObject(line); PhWriteStringAsUtf8FileStream2(fileStream, L"\r\n"); } PhDereferenceObject(lines); PhDereferenceObject(fileStream); } if (!NT_SUCCESS(status)) PhShowStatus(ThreadsContext->WindowHandle, L"Unable to create the file", status, 0); } PhFreeFileDialog(fileDialog); } VOID PhpSymbolProviderEventCallbackThreadStatus( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_SYMBOL_EVENT_DATA event = Parameter; PPH_THREADS_CONTEXT context = Context; PPH_STRING statusMessage = NULL; switch (event->EventType) { case PH_SYMBOL_EVENT_TYPE_LOAD_START: statusMessage = PhReferenceObject(event->EventMessage); break; case PH_SYMBOL_EVENT_TYPE_LOAD_END: statusMessage = PhReferenceEmptyString(); break; case PH_SYMBOL_EVENT_TYPE_PROGRESS: statusMessage = PhReferenceObject(event->EventMessage); break; } if (statusMessage) { PhSetWindowText(context->StatusHandle, PhGetStringOrEmpty(statusMessage)); PhDereferenceObject(statusMessage); } } VOID NTAPI PhpProcessThreadsSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_THREADS_CONTEXT threadsContext = Context; assert(threadsContext); threadsContext->SearchMatchHandle = MatchHandle; PhApplyTreeNewFilters(&threadsContext->ListContext.TreeFilterSupport); } INT_PTR CALLBACK PhpProcessThreadsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_THREADS_CONTEXT threadsContext; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem)) { threadsContext = (PPH_THREADS_CONTEXT)propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { threadsContext = propPageContext->Context = PhAllocate(PhEmGetObjectSize(EmThreadsContextType, sizeof(PH_THREADS_CONTEXT))); memset(threadsContext, 0, sizeof(PH_THREADS_CONTEXT)); threadsContext->WindowHandle = hwndDlg; threadsContext->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST); threadsContext->SearchboxHandle = GetDlgItem(hwndDlg, IDC_SEARCH); threadsContext->StatusHandle = GetDlgItem(hwndDlg, IDC_STATE); // The thread provider has a special registration mechanism. threadsContext->Provider = PhCreateThreadProvider( processItem->ProcessId ); PhRegisterCallback( &threadsContext->Provider->ThreadAddedEvent, ThreadAddedHandler, threadsContext, &threadsContext->AddedEventRegistration ); PhRegisterCallback( &threadsContext->Provider->ThreadModifiedEvent, ThreadModifiedHandler, threadsContext, &threadsContext->ModifiedEventRegistration ); PhRegisterCallback( &threadsContext->Provider->ThreadRemovedEvent, ThreadRemovedHandler, threadsContext, &threadsContext->RemovedEventRegistration ); PhRegisterCallback( &threadsContext->Provider->UpdatedEvent, ThreadsUpdatedHandler, threadsContext, &threadsContext->UpdatedEventRegistration ); PhRegisterCallback( &threadsContext->Provider->LoadingStateChangedEvent, ThreadsLoadingStateChangedHandler, threadsContext, &threadsContext->LoadingStateChangedEventRegistration ); // Initialize the list. (wj32) PhInitializeThreadList(hwndDlg, threadsContext->TreeNewHandle, &threadsContext->ListContext); if (PhTreeWindowFont) { threadsContext->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(threadsContext->TreeNewHandle, threadsContext->TreeNewFont, FALSE); } TreeNew_SetEmptyText(threadsContext->TreeNewHandle, &EmptyThreadsText, 0); PhInitializeProviderEventQueue(&threadsContext->EventQueue, 100); threadsContext->FilterEntry = PhAddTreeNewFilter(&threadsContext->ListContext.TreeFilterSupport, PhpThreadTreeFilterCallback, threadsContext); threadsContext->ListContext.ProcessId = processItem->ProcessId; threadsContext->ListContext.ProcessCreateTime = processItem->CreateTime; // Initialize the search box. (dmex) PhCreateSearchControl( hwndDlg, threadsContext->SearchboxHandle, L"Search Threads (Ctrl+K)", PhpProcessThreadsSearchControlCallback, threadsContext ); // Use Cycles instead of Context Switches on Vista and above, but only when we can // open the process, since cycle time information requires sufficient access to the // threads. (wj32) { HANDLE processHandle; // We make a distinction between PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION since // the latter can be used when opening audiodg.exe even though we can't access its threads using // THREAD_QUERY_LIMITED_INFORMATION. (wj32) if (processItem->ProcessId == SYSTEM_IDLE_PROCESS_ID) { threadsContext->ListContext.UseCycleTime = TRUE; } else if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_INFORMATION, processItem->ProcessId))) { threadsContext->ListContext.UseCycleTime = TRUE; NtClose(processHandle); } else if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, processItem->ProcessId))) { threadsContext->ListContext.UseCycleTime = TRUE; // We can't use cycle time for protected processes (without KSystemInformer). (wj32) if (processItem->IsProtectedProcess) { // Windows 10 allows elevated processes to query cycle time for protected processes (dmex) if (WindowsVersion < WINDOWS_10 || !PhGetOwnTokenAttributes().Elevated) { threadsContext->ListContext.UseCycleTime = FALSE; } } NtClose(processHandle); } } if (processItem->ServiceList && processItem->ServiceList->Count != 0) threadsContext->ListContext.HasServices = TRUE; PhEmCallObjectOperation(EmThreadsContextType, threadsContext, EmObjectCreate); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = threadsContext->TreeNewHandle; treeNewInfo.CmData = &threadsContext->ListContext.Cm; treeNewInfo.SystemContext = threadsContext; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadTreeNewInitializing), &treeNewInfo); } PhLoadSettingsThreadList(&threadsContext->ListContext); PhThreadProviderInitialUpdate(threadsContext->Provider); PhRegisterThreadProvider(threadsContext->Provider, &threadsContext->ProviderRegistration); if (threadsContext->Provider->SymbolProvider) { PhRegisterCallback( &PhSymbolEventCallback, PhpSymbolProviderEventCallbackThreadStatus, threadsContext, &threadsContext->SymbolProviderEventRegistration ); } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { if (threadsContext->Provider->SymbolProvider) { PhUnregisterCallback( &PhSymbolEventCallback, &threadsContext->SymbolProviderEventRegistration ); } PhRemoveTreeNewFilter(&threadsContext->ListContext.TreeFilterSupport, threadsContext->FilterEntry); PhEmCallObjectOperation(EmThreadsContextType, threadsContext, EmObjectDelete); PhUnregisterCallback( &threadsContext->Provider->ThreadAddedEvent, &threadsContext->AddedEventRegistration ); PhUnregisterCallback( &threadsContext->Provider->ThreadModifiedEvent, &threadsContext->ModifiedEventRegistration ); PhUnregisterCallback( &threadsContext->Provider->ThreadRemovedEvent, &threadsContext->RemovedEventRegistration ); PhUnregisterCallback( &threadsContext->Provider->UpdatedEvent, &threadsContext->UpdatedEventRegistration ); PhUnregisterCallback( &threadsContext->Provider->LoadingStateChangedEvent, &threadsContext->LoadingStateChangedEventRegistration ); PhUnregisterThreadProvider(threadsContext->Provider, &threadsContext->ProviderRegistration); PhSetTerminatingThreadProvider(threadsContext->Provider); PhDereferenceObject(threadsContext->Provider); PhDeleteProviderEventQueue(&threadsContext->EventQueue); if (threadsContext->TreeNewFont) DeleteFont(threadsContext->TreeNewFont); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = threadsContext->TreeNewHandle; treeNewInfo.CmData = &threadsContext->ListContext.Cm; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadTreeNewUninitializing), &treeNewInfo); } PhSaveSettingsThreadList(&threadsContext->ListContext); PhDeleteThreadList(&threadsContext->ListContext); PhFree(threadsContext); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, threadsContext->StatusHandle, dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT | PH_LAYOUT_FORCE_INVALIDATE); PhAddPropPageLayoutItem(hwndDlg, threadsContext->SearchboxHandle, dialogItem, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, threadsContext->TreeNewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_SHOWCONTEXTMENU: { PhShowThreadContextMenu(hwndDlg, processItem, threadsContext, (PPH_TREENEW_CONTEXT_MENU)lParam); } break; case ID_THREAD_INSPECT: { PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); if (threadItem) { PhReferenceObject(threadsContext->Provider); PhShowThreadStackDialog( hwndDlg, threadsContext->Provider->ProcessId, threadItem->ThreadId, threadsContext->Provider ); PhDereferenceObject(threadsContext->Provider); } } break; case ID_THREAD_TERMINATE: { PPH_THREAD_ITEM *threads; ULONG numberOfThreads; PhGetSelectedThreadItems(&threadsContext->ListContext, &threads, &numberOfThreads); PhReferenceObjects(threads, numberOfThreads); if (PhUiTerminateThreads(hwndDlg, threads, numberOfThreads)) PhDeselectAllThreadNodes(&threadsContext->ListContext); PhDereferenceObjects(threads, numberOfThreads); PhFree(threads); } break; case ID_THREAD_SUSPEND: { PPH_THREAD_ITEM *threads; ULONG numberOfThreads; PhGetSelectedThreadItems(&threadsContext->ListContext, &threads, &numberOfThreads); PhReferenceObjects(threads, numberOfThreads); PhUiSuspendThreads(hwndDlg, threads, numberOfThreads); PhDereferenceObjects(threads, numberOfThreads); PhFree(threads); } break; case ID_THREAD_RESUME: { PPH_THREAD_ITEM *threads; ULONG numberOfThreads; PhGetSelectedThreadItems(&threadsContext->ListContext, &threads, &numberOfThreads); PhReferenceObjects(threads, numberOfThreads); PhUiResumeThreads(hwndDlg, threads, numberOfThreads); PhDereferenceObjects(threads, numberOfThreads); PhFree(threads); } break; case ID_THREAD_AFFINITY: { ULONG numberOfThreads; PPH_THREAD_ITEM* threads; PhGetSelectedThreadItems(&threadsContext->ListContext, &threads, &numberOfThreads); PhReferenceObjects(threads, numberOfThreads); if (numberOfThreads == 1) // HACK { PhShowProcessAffinityDialog(hwndDlg, NULL, threads[0]); } else { PhShowThreadAffinityDialog(hwndDlg, threads, numberOfThreads); } PhDereferenceObjects(threads, numberOfThreads); PhFree(threads); } break; case ID_THREAD_BOOST: { PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); if (threadItem) { NTSTATUS status; HANDLE threadHandle; if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_QUERY_LIMITED_INFORMATION, threadItem->ThreadId ))) { BOOLEAN threadPriorityBoostDisabled = FALSE; ULONG numberOfThreads; PPH_THREAD_ITEM* threads; PhGetThreadPriorityBoost(threadHandle, &threadPriorityBoostDisabled); PhGetSelectedThreadItems(&threadsContext->ListContext, &threads, &numberOfThreads); PhReferenceObjects(threads, numberOfThreads); PhUiSetBoostPriorityThreads(hwndDlg, threads, numberOfThreads, !threadPriorityBoostDisabled); PhDereferenceObjects(threads, numberOfThreads); PhFree(threads); NtClose(threadHandle); } else { PhShowStatus(hwndDlg, PhaFormatString( L"Unable to %s thread %lu", // string pooling optimization (dmex) L"set the boost priority of", HandleToUlong(threadItem->ThreadId) )->Buffer, status, 0); } } } break; case ID_THREAD_CRITICAL: { PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); if (threadItem) { NTSTATUS status; HANDLE threadHandle; BOOLEAN breakOnTermination; status = PhOpenThread( &threadHandle, THREAD_QUERY_INFORMATION | THREAD_SET_INFORMATION, threadItem->ThreadId ); if (NT_SUCCESS(status)) { status = PhGetThreadBreakOnTermination( threadHandle, &breakOnTermination ); if (NT_SUCCESS(status)) { if (!breakOnTermination && (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( hwndDlg, L"enable", L"critical status on the thread", L"If the process ends, the operating system will shut down immediately.", TRUE ))) { status = PhSetThreadBreakOnTermination(threadHandle, TRUE); } else if (breakOnTermination && (!PhGetIntegerSetting(SETTING_ENABLE_WARNINGS) || PhShowConfirmMessage( hwndDlg, L"disable", L"critical status on the thread", NULL, FALSE ))) { status = PhSetThreadBreakOnTermination(threadHandle, FALSE); } } NtClose(threadHandle); } if (!NT_SUCCESS(status)) { PhShowStatus(hwndDlg, L"Unable to change the thread critical status.", status, 0); } } } break; case ID_THREAD_PERMISSIONS: { PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); if (threadItem) { PhEditSecurity( PhCsForceNoParent ? NULL : hwndDlg, PhaFormatString(L"Thread %u", HandleToUlong(threadItem->ThreadId))->Buffer, L"Thread", PhpThreadPermissionsOpenThread, PhpThreadPermissionsCloseHandle, threadItem->ThreadId ); } } break; case ID_THREAD_TOKEN: { NTSTATUS status; PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); HANDLE threadHandle; if (threadItem) { if (NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_QUERY_LIMITED_INFORMATION, threadItem->ThreadId ))) { PhShowTokenProperties( hwndDlg, PhpOpenThreadTokenObject, PhpCloseThreadTokenObject, threadsContext->Provider->ProcessId, (PVOID)threadHandle, NULL ); NtClose(threadHandle); } else { PhShowStatus(hwndDlg, L"Unable to open the thread", status, 0); } } } break; case ID_ANALYZE_WAIT: { PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); if (threadItem) { PhReferenceObject(threadsContext->Provider->SymbolProvider); PhUiAnalyzeWaitThread( hwndDlg, processItem->ProcessId, threadItem->ThreadId, threadsContext->Provider->SymbolProvider ); PhDereferenceObject(threadsContext->Provider->SymbolProvider); } } break; case ID_PRIORITY_TIMECRITICAL: case ID_PRIORITY_HIGHEST: case ID_PRIORITY_ABOVENORMAL: case ID_PRIORITY_NORMAL: case ID_PRIORITY_BELOWNORMAL: case ID_PRIORITY_LOWEST: case ID_PRIORITY_IDLE: { LONG threadPriorityWin32 = LONG_MAX; switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_PRIORITY_TIMECRITICAL: threadPriorityWin32 = THREAD_PRIORITY_TIME_CRITICAL; break; case ID_PRIORITY_HIGHEST: threadPriorityWin32 = THREAD_PRIORITY_HIGHEST; break; case ID_PRIORITY_ABOVENORMAL: threadPriorityWin32 = THREAD_PRIORITY_ABOVE_NORMAL; break; case ID_PRIORITY_NORMAL: threadPriorityWin32 = THREAD_PRIORITY_NORMAL; break; case ID_PRIORITY_BELOWNORMAL: threadPriorityWin32 = THREAD_PRIORITY_BELOW_NORMAL; break; case ID_PRIORITY_LOWEST: threadPriorityWin32 = THREAD_PRIORITY_LOWEST; break; case ID_PRIORITY_IDLE: threadPriorityWin32 = THREAD_PRIORITY_IDLE; break; // TODO(jxy-s) Implement support for forcing thread to background // see KernelBase!SetThreadPriority THREAD_PRIORITY_BACKGROUND_BEGIN // calls NtSetInformationThread with ThreadActualBasePriority to force // the base priority increment below what is normally possible. } if (threadPriorityWin32 != LONG_MAX) { ULONG numberOfThreads; PPH_THREAD_ITEM* threads; PhGetSelectedThreadItems(&threadsContext->ListContext, &threads, &numberOfThreads); PhReferenceObjects(threads, numberOfThreads); PhUiSetPriorityThreads(hwndDlg, threads, numberOfThreads, threadPriorityWin32); PhDereferenceObjects(threads, numberOfThreads); PhFree(threads); } } break; case ID_IOPRIORITY_VERYLOW: case ID_IOPRIORITY_LOW: case ID_IOPRIORITY_NORMAL: case ID_IOPRIORITY_HIGH: { PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); if (threadItem) { IO_PRIORITY_HINT ioPriority = ULONG_MAX; switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_IOPRIORITY_VERYLOW: ioPriority = IoPriorityVeryLow; break; case ID_IOPRIORITY_LOW: ioPriority = IoPriorityLow; break; case ID_IOPRIORITY_NORMAL: ioPriority = IoPriorityNormal; break; case ID_IOPRIORITY_HIGH: ioPriority = IoPriorityHigh; break; } if (ioPriority != ULONG_MAX) { PhReferenceObject(threadItem); PhUiSetIoPriorityThread(hwndDlg, threadItem, ioPriority); PhDereferenceObject(threadItem); } } } break; case ID_PAGEPRIORITY_VERYLOW: case ID_PAGEPRIORITY_LOW: case ID_PAGEPRIORITY_MEDIUM: case ID_PAGEPRIORITY_BELOWNORMAL: case ID_PAGEPRIORITY_NORMAL: { PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); if (threadItem) { ULONG pagePriority = ULONG_MAX; switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_PAGEPRIORITY_VERYLOW: pagePriority = MEMORY_PRIORITY_VERY_LOW; break; case ID_PAGEPRIORITY_LOW: pagePriority = MEMORY_PRIORITY_LOW; break; case ID_PAGEPRIORITY_MEDIUM: pagePriority = MEMORY_PRIORITY_MEDIUM; break; case ID_PAGEPRIORITY_BELOWNORMAL: pagePriority = MEMORY_PRIORITY_BELOW_NORMAL; break; case ID_PAGEPRIORITY_NORMAL: pagePriority = MEMORY_PRIORITY_NORMAL; break; } if (pagePriority != ULONG_MAX) { PhReferenceObject(threadItem); PhUiSetPagePriorityThread(hwndDlg, threadItem, pagePriority); PhDereferenceObject(threadItem); } } } break; case ID_THREAD_COPY: { PPH_STRING text; text = PhGetTreeNewText(threadsContext->TreeNewHandle, 0); PhSetClipboardString(threadsContext->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; //case IDC_OPENSTARTMODULE: // { // PPH_THREAD_ITEM threadItem = PhGetSelectedThreadItem(&threadsContext->ListContext); // // if (threadItem && threadItem->StartAddressWin32FileName) // { // PhShellExecuteUserString( // hwndDlg, // SETTING_FILE_BROWSE_EXECUTABLE, // threadItem->StartAddressWin32FileName->Buffer, // FALSE, // L"Make sure the Explorer executable file is present." // ); // } // } // break; case IDC_OPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM hideSuspendedMenuItem; PPH_EMENU_ITEM hideGuiMenuItem; PPH_EMENU_ITEM highlightSuspendedMenuItem; PPH_EMENU_ITEM highlightGuiMenuItem; PPH_EMENU_ITEM saveMenuItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_OPTIONS), &rect)) break; hideSuspendedMenuItem = PhCreateEMenuItem(0, PH_THREAD_TREELIST_MENUITEM_HIDE_SUSPENDED, L"Hide suspended", NULL, NULL); hideGuiMenuItem = PhCreateEMenuItem(0, PH_THREAD_TREELIST_MENUITEM_HIDE_GUITHREADS, L"Hide gui", NULL, NULL); highlightSuspendedMenuItem = PhCreateEMenuItem(0, PH_THREAD_TREELIST_MENUITEM_HIGHLIGHT_SUSPENDED, L"Highlight suspended", NULL, NULL); highlightGuiMenuItem = PhCreateEMenuItem(0, PH_THREAD_TREELIST_MENUITEM_HIGHLIGHT_GUITHREADS, L"Highlight gui", NULL, NULL); saveMenuItem = PhCreateEMenuItem(0, PH_THREAD_TREELIST_MENUITEM_SAVE, L"Save...", NULL, NULL); menu = PhCreateEMenu(); PhInsertEMenuItem(menu, hideSuspendedMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, hideGuiMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, highlightSuspendedMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, highlightGuiMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, saveMenuItem, ULONG_MAX); if (threadsContext->ListContext.HideSuspended) hideSuspendedMenuItem->Flags |= PH_EMENU_CHECKED; if (threadsContext->ListContext.HideGuiThreads) hideGuiMenuItem->Flags |= PH_EMENU_CHECKED; if (threadsContext->ListContext.HighlightSuspended) highlightSuspendedMenuItem->Flags |= PH_EMENU_CHECKED; if (threadsContext->ListContext.HighlightGuiThreads) highlightGuiMenuItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id) { if (selectedItem->Id == PH_THREAD_TREELIST_MENUITEM_SAVE) { PhpProcessThreadsSave(threadsContext); } else { PhSetOptionsThreadList(&threadsContext->ListContext, selectedItem->Id); PhSaveSettingsThreadList(&threadsContext->ListContext); PhApplyTreeNewFilters(&threadsContext->ListContext.TreeFilterSupport); } } PhDestroyEMenu(menu); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_SETACTIVE: break; case PSN_KILLACTIVE: // Can't disable, it screws up the deltas. break; case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)threadsContext->TreeNewHandle); return TRUE; } } break; case WM_KEYDOWN: { if (LOWORD(wParam) == 'K') { if (GetKeyState(VK_CONTROL) < 0) { SetFocus(threadsContext->SearchboxHandle); return TRUE; } } } break; case WM_PH_THREADS_UPDATED: { ULONG upToRunId = (ULONG)wParam; BOOLEAN firstRun = !!lParam; PPH_PROVIDER_EVENT events; ULONG count; ULONG i; events = PhFlushProviderEventQueue(&threadsContext->EventQueue, upToRunId, &count); if (events) { TreeNew_SetRedraw(threadsContext->TreeNewHandle, FALSE); for (i = 0; i < count; i++) { PH_PROVIDER_EVENT_TYPE type = PH_PROVIDER_EVENT_TYPE(events[i]); PPH_THREAD_ITEM threadItem = PH_PROVIDER_EVENT_OBJECT(events[i]); switch (type) { case ProviderAddedEvent: PhAddThreadNode(&threadsContext->ListContext, threadItem, firstRun); PhDereferenceObject(threadItem); break; case ProviderModifiedEvent: PhUpdateThreadNode(&threadsContext->ListContext, PhFindThreadNode(&threadsContext->ListContext, threadItem->ThreadId)); break; case ProviderRemovedEvent: PhRemoveThreadNode(&threadsContext->ListContext, PhFindThreadNode(&threadsContext->ListContext, threadItem->ThreadId)); break; } } PhFree(events); } PhTickThreadNodes(&threadsContext->ListContext); // Refresh the visible nodes. PhApplyTreeNewFilters(&threadsContext->ListContext.TreeFilterSupport); if (count != 0) TreeNew_SetRedraw(threadsContext->TreeNewHandle, TRUE); if (propPageContext->PropContext->SelectThreadId) { PPH_THREAD_NODE threadNode; if (threadNode = PhFindThreadNode(&threadsContext->ListContext, propPageContext->PropContext->SelectThreadId)) { if (threadNode->Node.Visible) { TreeNew_FocusMarkSelectNode(threadsContext->TreeNewHandle, &threadNode->Node); } } propPageContext->PropContext->SelectThreadId = NULL; } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgtok.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2018-2022 * */ #include #include #include _Function_class_(PH_OPEN_OBJECT) NTSTATUS NTAPI PhpOpenProcessTokenForPage( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_ PVOID Context ) { NTSTATUS status; HANDLE processHandle; if (!PH_IS_REAL_PROCESS_ID(Context)) return STATUS_UNSUCCESSFUL; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, (HANDLE)Context ))) return status; if (!NT_SUCCESS(status = PhOpenProcessToken( processHandle, DesiredAccess | TOKEN_READ | TOKEN_ADJUST_DEFAULT | READ_CONTROL, Handle ))) { if (!NT_SUCCESS(status = PhOpenProcessToken( processHandle, DesiredAccess | TOKEN_READ | TOKEN_ADJUST_DEFAULT, Handle ))) { status = PhOpenProcessToken( processHandle, DesiredAccess, Handle ); } } NtClose(processHandle); return status; } _Function_class_(PH_CLOSE_OBJECT) NTSTATUS PhpCloseProcessTokenForPage( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) NtClose(Handle); return STATUS_SUCCESS; } INT_PTR CALLBACK PhpProcessTokenHookProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_DESTROY: { if (PhGetWindowContext(hwndDlg, 0xD)) PhRemoveWindowContext(hwndDlg, 0xD); } break; case WM_SHOWWINDOW: { if (!PhGetWindowContext(hwndDlg, 0xD)) // LayoutInitialized { PPH_LAYOUT_ITEM dialogItem; // This is a big violation of abstraction... dialogItem = PhAddPropPageLayoutItem(hwndDlg, hwndDlg, PH_PROP_PAGE_TAB_CONTROL_PARENT, PH_ANCHOR_ALL); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_USER), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_USERSID), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_VIRTUALIZED), dialogItem, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_GROUPS), dialogItem, PH_ANCHOR_ALL); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_DEFAULTPERM), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_PERMISSIONS), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_INTEGRITY), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddPropPageLayoutItem(hwndDlg, GetDlgItem(hwndDlg, IDC_ADVANCED), dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhDoPropPageLayout(hwndDlg); PhSetWindowContext(hwndDlg, 0xD, UlongToPtr(TRUE)); } } break; } return FALSE; } ================================================ FILE: SystemInformer/prpgvdm.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2021-2023 * */ #ifdef _M_IX86 #include #include #include #include #include #include #include #include #include #define WM_PH_VDMDBG_UPDATE (WM_APP + 251) typedef struct _PH_NTVDM_CONTEXT { PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; HWND WindowHandle; HWND ListViewHandle; BOOLEAN Enabled; PPH_LIST VdmHostProcessList; } PH_NTVDM_CONTEXT, *PPH_NTVDM_CONTEXT; typedef struct _PH_NTVDM_ENTRY { ULONG ThreadId; USHORT Mod16; USHORT Task16; PPH_STRING ModuleName; PPH_STRING FileName; } PH_NTVDM_ENTRY, *PPH_NTVDM_ENTRY; static INT (WINAPI* VDMEnumTaskWOWEx_I)( _In_ ULONG ProcessId, _In_ TASKENUMPROCEX fp, _In_ LPARAM lparam ) = NULL; static BOOL (WINAPI* VDMTerminateTaskWOW_I)( _In_ ULONG ProcessId, _In_ USHORT TaskId ) = NULL; PVOID PhpGetVdmDbgDllBase( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID imageBaseAddress = NULL; if (PhBeginInitOnce(&initOnce)) { PPH_STRING systemFileName; if (systemFileName = PhGetSystemDirectoryWin32Z(L"\\vdmdbg.dll")) { if (!(imageBaseAddress = PhGetLoaderEntryDllBase(&systemFileName->sr, NULL))) imageBaseAddress = PhLoadLibrary(PhGetString(systemFileName)); PhDereferenceObject(systemFileName); } PhEndInitOnce(&initOnce); } return imageBaseAddress; } BOOL WINAPI PhpVDMEnumTaskWOWCallback( _In_ ULONG ThreadId, _In_ USHORT Mod16, _In_ USHORT Task16, _In_ PCSTR ModName, _In_ PCSTR FileName, _In_ LPARAM Context ) { PPH_LIST vdmTaskList = (PPH_LIST)Context; PPH_NTVDM_ENTRY entry; entry = PhAllocateZero(sizeof(PH_NTVDM_ENTRY)); entry->ThreadId = ThreadId; entry->Mod16 = Mod16; entry->Task16 = Task16; entry->ModuleName = PhZeroExtendToUtf16(ModName); entry->FileName = PhZeroExtendToUtf16(FileName); PhAddItemList(vdmTaskList, entry); return FALSE; } PPH_LIST PhpQueryVdmHostProcess( _In_ PPH_PROCESS_ITEM ProcessItem ) { PPH_LIST vdmTaskList; if (!VDMEnumTaskWOWEx_I) { PVOID imageBaseAddress; if (imageBaseAddress = PhpGetVdmDbgDllBase()) { VDMEnumTaskWOWEx_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "VDMEnumTaskWOWEx", 0); } } if (!VDMEnumTaskWOWEx_I) return NULL; vdmTaskList = PhCreateList(1); VDMEnumTaskWOWEx_I( HandleToUlong(ProcessItem->ProcessId), PhpVDMEnumTaskWOWCallback, (LPARAM)vdmTaskList ); return vdmTaskList; } // This method is a rough equivalent to TerminateProcess() in Win32. // It should be avoided, if possible. It does not give the task a chance to cleanly exit, so data may be lost. // Unlike Win32, the WowExec is not guaranteed to clean up after a terminated task. // This can leave the VDM corrupt and unusable. // To terminate the task cleanly, send a WM_CLOSE to its top-level window. BOOLEAN PhpTerminateVdmTask( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ USHORT TaskId ) { if (!VDMTerminateTaskWOW_I) { PVOID imageBaseAddress; if (imageBaseAddress = PhpGetVdmDbgDllBase()) { VDMTerminateTaskWOW_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "VDMTerminateTaskWOW", 0); } } if (!VDMTerminateTaskWOW_I) return FALSE; return !!VDMTerminateTaskWOW_I(HandleToUlong(ProcessItem->ProcessId), TaskId); } static VOID NTAPI PhpVdmHostProcessUpdateHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { PPH_NTVDM_CONTEXT context = (PPH_NTVDM_CONTEXT)Context; if (context && context->Enabled) { PostMessage(context->WindowHandle, WM_PH_VDMDBG_UPDATE, 0, 0); } } VOID PhpClearVdmHostProcessItems( _Inout_ PPH_NTVDM_CONTEXT Context ) { ULONG i; PPH_NTVDM_ENTRY entry; for (i = 0; i < Context->VdmHostProcessList->Count; i++) { entry = Context->VdmHostProcessList->Items[i]; if (entry->FileName) PhDereferenceObject(entry->FileName); if (entry->ModuleName) PhDereferenceObject(entry->ModuleName); PhFree(entry); } PhClearList(Context->VdmHostProcessList); } VOID PhpRefreshVdmHostProcess( _In_ HWND hwndDlg, _Inout_ PPH_NTVDM_CONTEXT Context, _In_ PPH_PROCESS_ITEM ProcessItem ) { PVOID selectedIndex; PPH_LIST providerList; ExtendedListView_SetRedraw(Context->ListViewHandle, FALSE); selectedIndex = PhGetSelectedListViewItemParam(Context->ListViewHandle); ListView_DeleteAllItems(Context->ListViewHandle); PhpClearVdmHostProcessItems(Context); if (providerList = PhpQueryVdmHostProcess(ProcessItem)) { for (ULONG i = 0; i < providerList->Count; i++) { PPH_NTVDM_ENTRY entry = providerList->Items[i]; INT lvItemIndex; lvItemIndex = PhAddListViewItem( Context->ListViewHandle, MAXINT, PhGetStringOrEmpty(entry->ModuleName), UlongToPtr(Context->VdmHostProcessList->Count + 1) ); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 1, PhGetStringOrEmpty(entry->FileName)); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 2, PhaFormatUInt64(entry->ThreadId, FALSE)->Buffer); PhSetListViewSubItem(Context->ListViewHandle, lvItemIndex, 3, PhaFormatUInt64(entry->Task16, FALSE)->Buffer); PhAddItemList(Context->VdmHostProcessList, entry); } PhDereferenceObject(providerList); } if (selectedIndex) { ListView_SetItemState(Context->ListViewHandle, PtrToUlong(selectedIndex) - 1, LVIS_FOCUSED | LVIS_SELECTED, LVIS_FOCUSED | LVIS_SELECTED); ListView_EnsureVisible(Context->ListViewHandle, PtrToUlong(selectedIndex) - 1, FALSE); } ExtendedListView_SetRedraw(Context->ListViewHandle, TRUE); } INT_PTR CALLBACK PhpProcessVdmHostProcessDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { LPPROPSHEETPAGE propSheetPage; PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_NTVDM_CONTEXT context; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, &propSheetPage, &propPageContext, &processItem)) { context = (PPH_NTVDM_CONTEXT)propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { context = propPageContext->Context = PhAllocateZero(sizeof(PH_NTVDM_CONTEXT)); context->WindowHandle = hwndDlg; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); context->Enabled = TRUE; context->VdmHostProcessList = PhCreateList(1); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 140, L"Module name"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 180, L"File name"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 80, L"Thread Id"); PhAddListViewColumn(context->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 80, L"Task Id"); PhSetExtendedListView(context->ListViewHandle); PhLoadListViewColumnsFromSetting(SETTING_VDM_HOST_LIST_VIEW_COLUMNS, context->ListViewHandle); PhpRefreshVdmHostProcess(hwndDlg, context, processItem); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhpVdmHostProcessUpdateHandler, context, &context->ProcessesUpdatedRegistration ); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhUnregisterCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), &context->ProcessesUpdatedRegistration); PhSaveListViewColumnsToSetting(SETTING_VDM_HOST_LIST_VIEW_COLUMNS, context->ListViewHandle); } break; case WM_NCDESTROY: { PhpClearVdmHostProcessItems(context); PhDereferenceObject(context->VdmHostProcessList); PhFree(context); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, context->ListViewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_SETACTIVE: context->Enabled = TRUE; break; case PSN_KILLACTIVE: context->Enabled = FALSE; break; } PhHandleListViewNotifyForCopy(lParam, context->ListViewHandle); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PVOID index; PPH_EMENU_ITEM selectedItem; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); if (index = PhGetSelectedListViewItemParam(context->ListViewHandle)) { PPH_EMENU menu; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"Terminate", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 4, L"Open &file location", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 5, L"&Inspect", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); PhDestroyEMenu(menu); if (selectedItem && selectedItem->Id != ULONG_MAX) { PPH_NTVDM_ENTRY entry; BOOLEAN handled; handled = PhHandleCopyListViewEMenuItem(selectedItem); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (handled) break; entry = context->VdmHostProcessList->Items[PtrToUlong(index) - 1]; switch (selectedItem->Id) { case 1: { if (!PhpTerminateVdmTask(processItem, entry->Task16)) { PhShowStatus(hwndDlg, L"Unable to terminate the task.", 0, PhGetLastError()); } } break; case 4: { if (!PhIsNullOrEmptyString(entry->FileName) && PhDoesFileExistWin32(PhGetString(entry->FileName))) { PhShellExecuteUserString( hwndDlg, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(entry->FileName), FALSE, L"Make sure the Explorer executable file is present." ); } } break; case 5: { if (!PhIsNullOrEmptyString(entry->FileName) && PhDoesFileExistWin32(PhGetString(entry->FileName))) { PhShellExecuteUserString( hwndDlg, SETTING_PROGRAM_INSPECT_EXECUTABLES, PhGetString(entry->FileName), FALSE, L"Make sure the PE Viewer executable file is present." ); } } break; case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } } } break; case WM_PH_VDMDBG_UPDATE: { PhpRefreshVdmHostProcess(hwndDlg, context, processItem); } break; } return FALSE; } #endif ================================================ FILE: SystemInformer/prpgwmi.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include typedef struct _PH_PROCESS_WMI_CONTEXT { HWND WindowHandle; HWND TreeNewHandle; HWND SearchWindowHandle; HFONT TreeNewFont; PPH_PROCESS_ITEM ProcessItem; PPH_STRING DefaultNamespace; ULONG_PTR SearchMatchHandle; PPH_STRING StatusMessage; union { ULONG Flags; struct { ULONG HideDefaultNamespace : 1; ULONG HighlightDefaultNamespace : 1; ULONG Spare : 30; }; }; PPH_LIST NodeList; PPH_HASHTABLE NodeHashtable; PPH_TN_FILTER_ENTRY TreeFilterEntry; ULONG TreeNewSortColumn; PH_TN_FILTER_SUPPORT TreeFilterSupport; PH_SORT_ORDER TreeNewSortOrder; PH_CM_MANAGER Cm; } PH_PROCESS_WMI_CONTEXT, *PPH_PROCESS_WMI_CONTEXT; typedef struct _PH_WMI_ENTRY { //PPH_STRING InstancePath; PPH_STRING RelativePath; PPH_STRING ProviderName; PPH_STRING ProviderNamespace; PPH_STRING FileName; PPH_STRING UserName; } PH_WMI_ENTRY, *PPH_WMI_ENTRY; typedef enum _PROCESS_WMI_TREE_MENU_ITEM { PROCESS_WMI_TREE_MENU_ITEM_HIDE_DEFAULT_NAMESPACE = 1, PROCESS_WMI_TREE_MENU_ITEM_HIGHLIGHT_DEFAULT_NAMESPACE, PROCESS_WMI_TREE_MENU_ITEM_MAXIMUM } WMI_TREE_MENU_ITEM; typedef enum _PROCESS_WMI_TREE_COLUMN_ITEM { PROCESS_WMI_COLUMN_ITEM_PROVIDER, PROCESS_WMI_COLUMN_ITEM_NAMESPACE, PROCESS_WMI_COLUMN_ITEM_FILENAME, PROCESS_WMI_COLUMN_ITEM_USER, PROCESS_WMI_COLUMN_ITEM_MAXIMUM } WMI_TREE_COLUMN_ITEM; typedef struct _PHP_PROCESS_WMI_TREENODE { PH_TREENEW_NODE Node; ULONG Id; PPH_WMI_ENTRY Provider; PH_STRINGREF TextCache[PROCESS_WMI_COLUMN_ITEM_MAXIMUM]; } PHP_PROCESS_WMI_TREENODE, *PPHP_PROCESS_WMI_TREENODE; PPHP_PROCESS_WMI_TREENODE PhpAddWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPH_WMI_ENTRY Entry ); PPHP_PROCESS_WMI_TREENODE PhpFindWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPH_STRING RelativePath ); VOID PhpClearWmiProviderTree( _In_ PPH_PROCESS_WMI_CONTEXT Context ); PPHP_PROCESS_WMI_TREENODE PhpGetSelectedWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context ); _Success_(return) BOOLEAN PhpGetSelectedWmiProviderNodes( _In_ PPH_PROCESS_WMI_CONTEXT Context, _Out_ PPHP_PROCESS_WMI_TREENODE * *Nodes, _Out_ PULONG NumberOfNodes ); PVOID PhGetWmiUtilsDllBase( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID imageBaseAddress = NULL; if (PhBeginInitOnce(&initOnce)) { PPH_STRING fileName; if (fileName = PhGetSystemDirectoryWin32Z(L"\\wbem\\wmiutils.dll")) { imageBaseAddress = PhLoadLibrary(PhGetString(fileName)); PhDereferenceObject(fileName); } { typedef void (WINAPI* _SetOaNoCache)(void); _SetOaNoCache SetOaNoCache_I; if (SetOaNoCache_I = PhGetModuleProcAddress(L"oleaut32.dll", "SetOaNoCache")) { SetOaNoCache_I(); } } PhEndInitOnce(&initOnce); } return imageBaseAddress; } HRESULT PhpWmiProviderExecMethod( _In_ PPH_STRINGREF Method, _In_ PWSTR ProcessIdString, _In_ PPH_WMI_ENTRY Entry ) { static CONST PH_STRINGREF wbemResource = PH_STRINGREF_INIT(L"Root\\CIMV2"); static CONST PH_STRINGREF wbemLanguage = PH_STRINGREF_INIT(L"WQL"); HRESULT status; PPH_STRING querySelectString = NULL; BSTR wbemResourceString = NULL; BSTR wbemLanguageString = NULL; BSTR wbemQueryString = NULL; IWbemLocator* wbemLocator = NULL; IWbemServices* wbemServices = NULL; IEnumWbemClassObject* wbemEnumerator = NULL; IWbemClassObject* wbemClassObject; status = PhGetWbemLocatorClass( &wbemLocator ); if (FAILED(status)) goto CleanupExit; wbemResourceString = PhStringRefToBSTR(&wbemResource); status = IWbemLocator_ConnectServer( wbemLocator, wbemResourceString, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &wbemServices ); if (FAILED(status)) goto CleanupExit; status = PhCoSetProxyBlanket( (IUnknown*)wbemServices ); if (HR_FAILED(status)) goto CleanupExit; querySelectString = PhFormatString( L"%s %s %s %s %s %s = %s", L"SELECT", L"Namespace,Provider,User,__RELPATH", L"FROM", L"Msft_Providers", L"WHERE", L"HostProcessIdentifier", ProcessIdString ); wbemLanguageString = PhStringRefToBSTR(&wbemLanguage); wbemQueryString = PhStringRefToBSTR(&querySelectString->sr); if (FAILED(status = IWbemServices_ExecQuery( wbemServices, wbemLanguageString, wbemQueryString, WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &wbemEnumerator ))) { goto CleanupExit; } while (TRUE) { PPH_STRING namespacePath = NULL; PPH_STRING providerName = NULL; PPH_STRING userName = NULL; PPH_STRING relativePath = NULL; ULONG count = 0; IEnumWbemClassObject_Next(wbemEnumerator, WBEM_INFINITE, 1, &wbemClassObject, &count); if (count == 0) break; namespacePath = PhGetWbemClassObjectString(wbemClassObject, L"Namespace"); providerName = PhGetWbemClassObjectString(wbemClassObject, L"Provider"); userName = PhGetWbemClassObjectString(wbemClassObject, L"User"); relativePath = PhGetWbemClassObjectString(wbemClassObject, L"__RELPATH"); if (namespacePath && providerName && userName && relativePath) { if ( PhEqualString(Entry->ProviderNamespace, namespacePath, FALSE) && PhEqualString(Entry->ProviderName, providerName, FALSE) && PhEqualString(Entry->UserName, userName, FALSE) ) { BSTR wbemPathString = PhStringRefToBSTR(&relativePath->sr); BSTR wbemMethodString = PhStringRefToBSTR(Method); status = IWbemServices_ExecMethod( wbemServices, wbemPathString, wbemMethodString, 0, NULL, wbemClassObject, NULL, NULL ); SysFreeString(wbemMethodString); SysFreeString(wbemPathString); } } if (relativePath) PhDereferenceObject(relativePath); if (userName) PhDereferenceObject(userName); if (providerName) PhDereferenceObject(providerName); if (namespacePath) PhDereferenceObject(namespacePath); IWbemClassObject_Release(wbemClassObject); } CleanupExit: if (wbemQueryString) SysFreeString(wbemQueryString); if (wbemLanguageString) SysFreeString(wbemLanguageString); if (wbemResourceString) SysFreeString(wbemResourceString); if (querySelectString) PhDereferenceObject(querySelectString); if (wbemEnumerator) IEnumWbemClassObject_Release(wbemEnumerator); if (wbemServices) IWbemServices_Release(wbemServices); if (wbemLocator) IWbemLocator_Release(wbemLocator); return status; } HRESULT PhpQueryWmiProviderFileName( _In_ PPH_STRING ProviderNameSpace, _In_ PPH_STRING ProviderName, _Out_ PPH_STRING *FileName ) { static CONST PH_STRINGREF wbemLanguage = PH_STRINGREF_INIT(L"WQL"); HRESULT status; PPH_STRING fileName = NULL; PPH_STRING clsidString = NULL; PPH_STRING querySelectString = NULL; BSTR wbemResourceString = NULL; BSTR wbemLanguageString = NULL; BSTR wbemQueryString = NULL; IWbemLocator* wbemLocator = NULL; IWbemServices* wbemServices = NULL; IEnumWbemClassObject* wbemEnumerator = NULL; IWbemClassObject *wbemClassObject = NULL; ULONG count = 0; status = PhGetWbemLocatorClass( &wbemLocator ); if (FAILED(status)) goto CleanupExit; wbemResourceString = PhStringRefToBSTR(&ProviderNameSpace->sr); status = IWbemLocator_ConnectServer( wbemLocator, wbemResourceString, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &wbemServices ); if (FAILED(status)) goto CleanupExit; status = PhCoSetProxyBlanket( (IUnknown*)wbemServices ); if (HR_FAILED(status)) goto CleanupExit; querySelectString = PhFormatString( L"%s %s %s %s %s %s = '%s'", L"SELECT", L"clsid", L"FROM", L"__Win32Provider", L"WHERE", L"Name", PhGetString(ProviderName) ); wbemLanguageString = PhStringRefToBSTR(&wbemLanguage); wbemQueryString = PhStringRefToBSTR(&querySelectString->sr); if (FAILED(status = IWbemServices_ExecQuery( wbemServices, wbemLanguageString, wbemQueryString, WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &wbemEnumerator ))) { goto CleanupExit; } if (SUCCEEDED(status = IEnumWbemClassObject_Next( wbemEnumerator, WBEM_INFINITE, 1, &wbemClassObject, &count ))) { clsidString = PhGetWbemClassObjectString(wbemClassObject, L"CLSID"); IWbemClassObject_Release(wbemClassObject); } // Lookup the GUID in the registry to determine the name and file name. if (clsidString) { HANDLE keyHandle; PPH_STRING keyPath; keyPath = PhConcatStrings( 4, L"CLSID\\", PhGetString(clsidString), L"\\", L"InprocServer32" ); if (SUCCEEDED(status = HRESULT_FROM_NT(PhOpenKey( &keyHandle, KEY_QUERY_VALUE, PH_KEY_CLASSES_ROOT, &keyPath->sr, 0 )))) { if (fileName = PhQueryRegistryString(keyHandle, NULL)) { PPH_STRING expandedString; if (expandedString = PhExpandEnvironmentStrings(&fileName->sr)) { PhMoveReference(&fileName, expandedString); } } NtClose(keyHandle); } PhDereferenceObject(keyPath); } CleanupExit: if (wbemQueryString) SysFreeString(wbemQueryString); if (wbemLanguageString) SysFreeString(wbemLanguageString); if (wbemResourceString) SysFreeString(wbemResourceString); if (clsidString) PhDereferenceObject(clsidString); if (querySelectString) PhDereferenceObject(querySelectString); if (wbemEnumerator) IEnumWbemClassObject_Release(wbemEnumerator); if (wbemServices) IWbemServices_Release(wbemServices); if (wbemLocator) IWbemLocator_Release(wbemLocator); if (SUCCEEDED(status)) { *FileName = fileName; } return status; } HRESULT PhpQueryWmiProviderHostProcess( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ LONG Timeout, _Out_ PPH_LIST* ProviderList ) { static CONST PH_STRINGREF wbemResource = PH_STRINGREF_INIT(L"Root\\CIMV2"); static CONST PH_STRINGREF wbemLanguage = PH_STRINGREF_INIT(L"WQL"); HRESULT status; PPH_LIST providerList = NULL; PPH_STRING querySelectString = NULL; BSTR wbemResourceString = NULL; BSTR wbemLanguageString = NULL; BSTR wbemQueryString = NULL; IWbemLocator* wbemLocator = NULL; IWbemServices* wbemServices = NULL; IEnumWbemClassObject* wbemEnumerator = NULL; IWbemClassObject *wbemClassObject; status = PhGetWbemLocatorClass( &wbemLocator ); if (FAILED(status)) goto CleanupExit; wbemResourceString = PhStringRefToBSTR(&wbemResource); status = IWbemLocator_ConnectServer( wbemLocator, wbemResourceString, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &wbemServices ); if (FAILED(status)) goto CleanupExit; status = PhCoSetProxyBlanket( (IUnknown*)wbemServices ); if (HR_FAILED(status)) goto CleanupExit; querySelectString = PhFormatString( L"%s %s %s %s %s %s = %s", L"SELECT", L"Namespace,Provider,User,__RELPATH", L"FROM", L"Msft_Providers", L"WHERE", L"HostProcessIdentifier", ProcessItem->ProcessIdString ); wbemLanguageString = PhStringRefToBSTR(&wbemLanguage); wbemQueryString = PhStringRefToBSTR(&querySelectString->sr); if (FAILED(status = IWbemServices_ExecQuery( wbemServices, wbemLanguageString, wbemQueryString, WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &wbemEnumerator ))) { goto CleanupExit; } providerList = PhCreateList(1); while (TRUE) { ULONG count = 0; PPH_WMI_ENTRY entry; IEnumWbemClassObject_Next(wbemEnumerator, Timeout, 1, &wbemClassObject, &count); if (count == 0) break; entry = PhAllocateZero(sizeof(PH_WMI_ENTRY)); entry->ProviderNamespace = PhGetWbemClassObjectString(wbemClassObject, L"Namespace"); entry->ProviderName = PhGetWbemClassObjectString(wbemClassObject, L"Provider"); entry->UserName = PhGetWbemClassObjectString(wbemClassObject, L"User"); //entry->InstancePath = PhGetWbemClassObjectString(wbemClassObject, L"__PATH"); entry->RelativePath = PhGetWbemClassObjectString(wbemClassObject, L"__RELPATH"); IWbemClassObject_Release(wbemClassObject); if (entry->ProviderNamespace && entry->ProviderName) { PPH_STRING fileName = NULL; if (SUCCEEDED(PhpQueryWmiProviderFileName(entry->ProviderNamespace, entry->ProviderName, &fileName))) { entry->FileName = fileName; } } PhAddItemList(providerList, entry); } CleanupExit: if (wbemQueryString) SysFreeString(wbemQueryString); if (wbemLanguageString) SysFreeString(wbemLanguageString); if (wbemResourceString) SysFreeString(wbemResourceString); if (querySelectString) PhDereferenceObject(querySelectString); if (wbemEnumerator) IEnumWbemClassObject_Release(wbemEnumerator); if (wbemServices) IWbemServices_Release(wbemServices); if (wbemLocator) IWbemLocator_Release(wbemLocator); if (SUCCEEDED(status)) { *ProviderList = providerList; } return status; } PPH_STRING PhpQueryWmiProviderStatistics( _In_ PPH_WMI_ENTRY Entry ) { static CONST PH_STRINGREF wbemResource = PH_STRINGREF_INIT(L"Root\\CIMV2"); HRESULT status; PPH_STRING wbemProviderString = NULL; BSTR wbemResourceString = NULL; IWbemLocator* wbemLocator = NULL; IWbemServices* wbemServices = NULL; IEnumWbemClassObject* wbemEnumerator = NULL; IWbemClassObject *wbemClassObject; status = PhGetWbemLocatorClass( &wbemLocator ); if (FAILED(status)) goto CleanupExit; wbemResourceString = PhStringRefToBSTR(&wbemResource); status = IWbemLocator_ConnectServer( wbemLocator, wbemResourceString, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &wbemServices ); if (FAILED(status)) goto CleanupExit; status = PhCoSetProxyBlanket( (IUnknown*)wbemServices ); if (HR_FAILED(status)) goto CleanupExit; status = IWbemServices_GetObject( wbemServices, PhGetString(Entry->RelativePath), WBEM_FLAG_RETURN_WBEM_COMPLETE, NULL, &wbemClassObject, NULL ); if (SUCCEEDED(status)) { PPH_STRING string; PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 0x100); PhAppendFormatStringBuilder(&stringBuilder, L"Statistics for %s: \r\n\r\n", PhGetString(Entry->ProviderName)); // Note: Strings optimized for string pooling (dmex) if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_AccessCheck")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_AccessCheck", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_CancelQuery")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_CancelQuery", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_CreateClassEnumAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_CreateClassEnumAsync", L" \t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_CreateInstanceEnumAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_CreateInstanceEnumAsync", L" \t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_CreateRefreshableEnum")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_CreateRefreshableEnum", L" \t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_CreateRefreshableObject")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_CreateRefreshableObject", L" \t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_CreateRefresher")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_CreateRefresher", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_DeleteClassAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_DeleteClassAsync", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_DeleteInstanceAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_DeleteInstanceAsync", L" \t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_ExecMethodAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_ExecMethodAsync", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_ExecQueryAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_ExecQueryAsync", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_FindConsumer")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_FindConsumer", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_GetObjectAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_GetObjectAsync", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_GetObjects")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_GetObjects", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_GetProperty")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_GetProperty", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_NewQuery")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_NewQuery", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_ProvideEvents")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_ProvideEvents", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_PutClassAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_PutClassAsync", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_PutInstanceAsync")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_PutInstanceAsync", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_PutProperty")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_PutProperty", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_QueryInstances")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_QueryInstances", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_SetRegistrationObject")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_SetRegistrationObject", L" \t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_StopRefreshing")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_StopRefreshing", L" \t\t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } if (string = PhGetWbemClassObjectString(wbemClassObject, L"ProviderOperation_ValidateSubscription")) { PhAppendFormatStringBuilder(&stringBuilder, L"%s:%s", L"ProviderOperation_ValidateSubscription", L" \t"); PhAppendStringBuilder(&stringBuilder, &string->sr); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); PhDereferenceObject(string); } IWbemClassObject_Release(wbemClassObject); wbemProviderString = PhFinalStringBuilderString(&stringBuilder); } CleanupExit: if (wbemResourceString) SysFreeString(wbemResourceString); if (wbemEnumerator) IEnumWbemClassObject_Release(wbemEnumerator); if (wbemServices) IWbemServices_Release(wbemServices); if (wbemLocator) IWbemLocator_Release(wbemLocator); return wbemProviderString; } PPH_STRING PhpQueryWmiDefaultNamespace( VOID ) { static CONST PH_STRINGREF wbemKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Wbem\\Scripting"); PPH_STRING defaultNameSpace = NULL; HANDLE keyHandle; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_QUERY_VALUE, PH_KEY_LOCAL_MACHINE, &wbemKeyName, 0 ))) { defaultNameSpace = PhQueryRegistryStringZ(keyHandle, L"Default Namespace"); NtClose(keyHandle); } return defaultNameSpace; } VOID PhQueryWmiHostProcessString( _In_ PPH_PROCESS_ITEM ProcessItem, _Inout_ PPH_STRING_BUILDER Providers ) { PPH_LIST providerList; // Note: We use a timeout value of 1 to avoid deadlocks when // the wmiprvse.exe process is suspended. Fixes GH#713 (dmex) if (SUCCEEDED(PhpQueryWmiProviderHostProcess(ProcessItem, 1, &providerList))) { for (ULONG i = 0; i < providerList->Count; i++) { PPH_WMI_ENTRY entry = providerList->Items[i]; PhAppendFormatStringBuilder( Providers, L" %s (%s)\n", PhGetStringOrEmpty(entry->ProviderName), PhGetStringOrEmpty(entry->FileName) ); //if (entry->InstancePath) // PhDereferenceObject(entry->InstancePath); if (entry->RelativePath) PhDereferenceObject(entry->RelativePath); if (entry->ProviderName) PhDereferenceObject(entry->ProviderName); if (entry->ProviderNamespace) PhDereferenceObject(entry->ProviderNamespace); if (entry->FileName) PhDereferenceObject(entry->FileName); if (entry->UserName) PhDereferenceObject(entry->UserName); PhFree(entry); } PhDereferenceObject(providerList); } } VOID PhpSetWmiProviderListStatusMessage( _Inout_ PPH_PROCESS_WMI_CONTEXT Context, _In_ HRESULT Status ) { PPH_STRING statusMessage; statusMessage = PhGetStatusMessage(0, HRESULT_CODE(Status)); // HACK PhMoveReference(&Context->StatusMessage, PhConcatStrings2( L"Unable to query provider information:\n", PhGetStringOrDefault(statusMessage, L"Unknown error.") )); TreeNew_SetEmptyText(Context->TreeNewHandle, &Context->StatusMessage->sr, 0); //TreeNew_NodesStructured(Context->TreeNewHandle); PhClearReference(&statusMessage); } VOID PhpRefreshWmiProvidersList( _Inout_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPH_PROCESS_ITEM ProcessItem ) { HRESULT status; PPH_LIST providerList; PhpClearWmiProviderTree(Context); // Note: We should use a timeout value of 1 to avoid deadlocks when the // wmiprvse.exe process is suspended but infinite guarantees a result. (dmex) status = PhpQueryWmiProviderHostProcess( ProcessItem, WBEM_INFINITE, &providerList ); if (SUCCEEDED(status)) { for (ULONG i = 0; i < providerList->Count; i++) { PhpAddWmiProviderNode(Context, providerList->Items[i]); } PhDereferenceObject(providerList); } else { PhpSetWmiProviderListStatusMessage(Context, status); } PhApplyTreeNewFilters(&Context->TreeFilterSupport); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpShowWmiProviderStatus( _In_opt_ HWND hWnd, _In_opt_ PWSTR Message, _In_ HRESULT Win32Result ) { PPH_STRING statusMessage; statusMessage = PhGetMessage( PhGetWmiUtilsDllBase(), 0xb, PhGetUserDefaultLangID(), Win32Result ); if (PhIsNullOrEmptyString(statusMessage)) { PhMoveReference(&statusMessage, PhGetStatusMessage(0, HRESULT_CODE(Win32Result))); } if (statusMessage) { if (Message) { PhShowError2(hWnd, Message, L"%s", PhGetString(statusMessage)); } else { PhShowError2(hWnd, L"Unable to perform the operation.", L"%s", PhGetString(statusMessage)); } PhDereferenceObject(statusMessage); } else { if (Message) { PhShowError2(hWnd, L"Unable to perform the operation.", L"%s", Message); } else { PhShowStatus(hWnd, L"Unable to perform the operation.", STATUS_UNSUCCESSFUL, 0); } } } VOID PhpShowWmiProviderNodeContextMenu( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPH_TREENEW_CONTEXT_MENU ContextMenuEvent ) { PPHP_PROCESS_WMI_TREENODE* nodes; ULONG numberOfNodes; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; if (!PhpGetSelectedWmiProviderNodes(Context, &nodes, &numberOfNodes)) return; if (numberOfNodes == 0) return; menu = PhCreateEMenu(); if (PhGetIntegerSetting(SETTING_WMI_PROVIDER_ENABLE_HIDDEN_MENU)) { PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"&Suspend", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 2, L"Res&ume", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 3, L"Un&load", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); } PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 4, L"&Inspect", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 5, L"S&tatistics", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 6, L"Open &file location", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, Context->TreeNewHandle, ContextMenuEvent->Column); selectedItem = PhShowEMenu( menu, Context->WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, ContextMenuEvent->Location.x, ContextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (!PhHandleCopyCellEMenuItem(selectedItem)) { switch (selectedItem->Id) { case 1: { HRESULT status; status = PhpWmiProviderExecMethod(&(PH_STRINGREF)PH_STRINGREF_INIT(L"Suspend"), Context->ProcessItem->ProcessIdString, nodes[0]->Provider); if (FAILED(status)) { PhpShowWmiProviderStatus(Context->WindowHandle, L"Unable to perform the operation.", status); } } break; case 2: { HRESULT status; status = PhpWmiProviderExecMethod(&(PH_STRINGREF)PH_STRINGREF_INIT(L"Resume"), Context->ProcessItem->ProcessIdString, nodes[0]->Provider); if (FAILED(status)) { PhpShowWmiProviderStatus(Context->WindowHandle, L"Unable to perform the operation.", status); } } break; case 3: { HRESULT status; status = PhpWmiProviderExecMethod(&(PH_STRINGREF)PH_STRINGREF_INIT(L"Unload"), Context->ProcessItem->ProcessIdString, nodes[0]->Provider); if (FAILED(status)) { PhpShowWmiProviderStatus(Context->WindowHandle, L"Unable to perform the operation.", status); } } break; case 4: { if (!PhIsNullOrEmptyString(nodes[0]->Provider->FileName) && PhDoesFileExistWin32(PhGetString(nodes[0]->Provider->FileName))) { PhShellExecuteUserString( Context->WindowHandle, SETTING_PROGRAM_INSPECT_EXECUTABLES, PhGetString(nodes[0]->Provider->FileName), FALSE, L"Make sure the PE Viewer executable file is present." ); } } break; case 5: { PPH_STRING string; if (string = PhpQueryWmiProviderStatistics(nodes[0]->Provider)) { PhShowInformationDialog(Context->WindowHandle, PhGetString(string), 0); PhDereferenceObject(string); } } break; case 6: { if (!PhIsNullOrEmptyString(nodes[0]->Provider->FileName) && PhDoesFileExistWin32(PhGetString(nodes[0]->Provider->FileName))) { PhShellExecuteUserString( Context->WindowHandle, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(nodes[0]->Provider->FileName), FALSE, L"Make sure the Explorer executable file is present." ); } } break; case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(Context->TreeNewHandle, 0); PhSetClipboardString(Context->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; } } } PhDestroyEMenu(menu); } VOID PhLoadSettingsWmiProviderList( _Inout_ PPH_PROCESS_WMI_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhGetStringSetting(SETTING_WMI_PROVIDER_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_WMI_PROVIDER_TREE_LIST_SORT); Context->Flags = PhGetIntegerSetting(SETTING_WMI_PROVIDER_TREE_LIST_FLAGS); PhCmLoadSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSaveSettingsWmiProviderList( _Inout_ PPH_PROCESS_WMI_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &sortSettings); PhSetIntegerSetting(SETTING_WMI_PROVIDER_TREE_LIST_FLAGS, Context->Flags); PhSetStringSetting2(SETTING_WMI_PROVIDER_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_WMI_PROVIDER_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSetOptionsWmiProviderList( _Inout_ PPH_PROCESS_WMI_CONTEXT Context, _In_ ULONG Options ) { switch (Options) { case PROCESS_WMI_TREE_MENU_ITEM_HIDE_DEFAULT_NAMESPACE: Context->HideDefaultNamespace = !Context->HideDefaultNamespace; break; case PROCESS_WMI_TREE_MENU_ITEM_HIGHLIGHT_DEFAULT_NAMESPACE: Context->HighlightDefaultNamespace = !Context->HighlightDefaultNamespace; break; } } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpWmiProviderNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPHP_PROCESS_WMI_TREENODE node1 = *(PPHP_PROCESS_WMI_TREENODE*)Entry1; PPHP_PROCESS_WMI_TREENODE node2 = *(PPHP_PROCESS_WMI_TREENODE*)Entry2; return PhEqualStringRef(&node1->Provider->RelativePath->sr, &node2->Provider->RelativePath->sr, TRUE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpWmiProviderNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashStringRefEx(&(*(PPHP_PROCESS_WMI_TREENODE*)Entry)->Provider->RelativePath->sr, TRUE, PH_STRING_HASH_X65599); } VOID PhpDestroyWmiProviderNode( _In_ PPHP_PROCESS_WMI_TREENODE Node ) { if (Node->Provider) { if (Node->Provider->RelativePath) PhDereferenceObject(Node->Provider->RelativePath); if (Node->Provider->ProviderName) PhDereferenceObject(Node->Provider->ProviderName); if (Node->Provider->ProviderNamespace) PhDereferenceObject(Node->Provider->ProviderNamespace); if (Node->Provider->FileName) PhDereferenceObject(Node->Provider->FileName); if (Node->Provider->UserName) PhDereferenceObject(Node->Provider->UserName); PhFree(Node->Provider); } PhFree(Node); } PPHP_PROCESS_WMI_TREENODE PhpAddWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPH_WMI_ENTRY Entry ) { PPHP_PROCESS_WMI_TREENODE node; node = PhAllocateZero(sizeof(PHP_PROCESS_WMI_TREENODE)); PhInitializeTreeNewNode(&node->Node); memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PROCESS_WMI_COLUMN_ITEM_MAXIMUM); node->Node.TextCache = node->TextCache; node->Node.TextCacheSize = PROCESS_WMI_COLUMN_ITEM_MAXIMUM; node->Provider = Entry; PhAddEntryHashtable(Context->NodeHashtable, &node); PhAddItemList(Context->NodeList, node); if (Context->TreeFilterSupport.FilterList) node->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->TreeFilterSupport, &node->Node); return node; } PPHP_PROCESS_WMI_TREENODE PhpFindWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPH_STRING RelativePath ) { PHP_PROCESS_WMI_TREENODE lookupNode; PPHP_PROCESS_WMI_TREENODE lookupNodePtr = &lookupNode; PPHP_PROCESS_WMI_TREENODE *node; lookupNode.Provider->RelativePath = RelativePath; node = (PPHP_PROCESS_WMI_TREENODE*)PhFindEntryHashtable( Context->NodeHashtable, &lookupNodePtr ); if (node) return *node; else return NULL; } VOID PhpRemoveWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPHP_PROCESS_WMI_TREENODE Node ) { ULONG index = 0; PhRemoveEntryHashtable(Context->NodeHashtable, &Node); if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) { PhRemoveItemList(Context->NodeList, index); } PhpDestroyWmiProviderNode(Node); //TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpUpdateWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ PPHP_PROCESS_WMI_TREENODE Node ) { memset(Node->TextCache, 0, sizeof(PH_STRINGREF) * PROCESS_WMI_COLUMN_ITEM_MAXIMUM); PhInvalidateTreeNewNode(&Node->Node, TN_CACHE_COLOR); //TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpExpandAllWmiProviderNodes( _In_ PPH_PROCESS_WMI_CONTEXT Context, _In_ BOOLEAN Expand ) { ULONG i; BOOLEAN needsRestructure = FALSE; for (i = 0; i < Context->NodeList->Count; i++) { PPH_MODULE_NODE node = Context->NodeList->Items[i]; if (node->Node.Expanded != Expand) { node->Node.Expanded = Expand; needsRestructure = TRUE; } } if (needsRestructure) TreeNew_NodesStructured(Context->TreeNewHandle); } #define SORT_FUNCTION(Column) PhpWmiProviderTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpWmiProviderTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPHP_PROCESS_WMI_TREENODE node1 = *(PPHP_PROCESS_WMI_TREENODE*)_elem1; \ PPHP_PROCESS_WMI_TREENODE node2 = *(PPHP_PROCESS_WMI_TREENODE*)_elem2; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Node.Index, (ULONG_PTR)node2->Node.Index); \ \ return PhModifySort(sortResult, ((PPH_PROCESS_WMI_CONTEXT)_context)->TreeNewSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpWmiProviderTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uintptrcmp((ULONG_PTR)((PPHP_PROCESS_WMI_TREENODE)Node1)->Node.Index, (ULONG_PTR)((PPHP_PROCESS_WMI_TREENODE)Node2)->Node.Index); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(ProviderName) { sortResult = PhCompareStringWithNull(node1->Provider->ProviderName, node2->Provider->ProviderName, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ProviderNamespace) { sortResult = PhCompareStringWithNull(node1->Provider->ProviderNamespace, node2->Provider->ProviderNamespace, FALSE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileName) { sortResult = PhCompareStringWithNull(node1->Provider->FileName, node2->Provider->FileName, FALSE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserName) { sortResult = PhCompareStringWithNull(node1->Provider->UserName, node2->Provider->UserName, FALSE); } END_SORT_FUNCTION BOOLEAN NTAPI PhpWmiProviderTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_PROCESS_WMI_CONTEXT context = Context; PPHP_PROCESS_WMI_TREENODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPHP_PROCESS_WMI_TREENODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(ProviderName), SORT_FUNCTION(ProviderNamespace), SORT_FUNCTION(FileName), SORT_FUNCTION(UserName), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PROCESS_WMI_COLUMN_ITEM_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < PROCESS_WMI_COLUMN_ITEM_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE*)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPHP_PROCESS_WMI_TREENODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPHP_PROCESS_WMI_TREENODE)getCellText->Node; switch (getCellText->Id) { case PROCESS_WMI_COLUMN_ITEM_PROVIDER: getCellText->Text = PhGetStringRef(node->Provider->ProviderName); break; case PROCESS_WMI_COLUMN_ITEM_NAMESPACE: getCellText->Text = PhGetStringRef(node->Provider->ProviderNamespace); break; case PROCESS_WMI_COLUMN_ITEM_FILENAME: getCellText->Text = PhGetStringRef(node->Provider->FileName); break; case PROCESS_WMI_COLUMN_ITEM_USER: getCellText->Text = PhGetStringRef(node->Provider->UserName); break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = (PPH_TREENEW_GET_NODE_COLOR)Parameter1; node = (PPHP_PROCESS_WMI_TREENODE)getNodeColor->Node; if ( context->HighlightDefaultNamespace && context->DefaultNamespace && node->Provider->ProviderNamespace && PhEqualString(context->DefaultNamespace, node->Provider->ProviderNamespace, TRUE) ) { getNodeColor->BackColor = PhCsColorElevatedProcesses; } getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // HACK if (context->TreeFilterSupport.FilterList) PhApplyTreeNewFilters(&context->TreeFilterSupport); // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; SendMessage(context->WindowHandle, WM_COMMAND, ID_SHOWCONTEXTMENU, (LPARAM)contextMenuEvent); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->WindowHandle, WM_COMMAND, IDC_COPY, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = PROCESS_WMI_COLUMN_ITEM_PROVIDER; data.DefaultSortOrder = NoSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu( data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y ); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewGetDialogCode: { PULONG code = Parameter2; if (PtrToUlong(Parameter1) == VK_RETURN) { *code = DLGC_WANTMESSAGE; return TRUE; } } return FALSE; } return FALSE; } VOID PhpClearWmiProviderTree( _In_ PPH_PROCESS_WMI_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) PhpDestroyWmiProviderNode(Context->NodeList->Items[i]); PhClearHashtable(Context->NodeHashtable); PhClearList(Context->NodeList); //TreeNew_NodesStructured(Context->TreeNewHandle); } PPHP_PROCESS_WMI_TREENODE PhpGetSelectedWmiProviderNode( _In_ PPH_PROCESS_WMI_CONTEXT Context ) { PPHP_PROCESS_WMI_TREENODE node = NULL; for (ULONG i = 0; i < Context->NodeList->Count; i++) { node = Context->NodeList->Items[i]; if (node->Node.Selected) return node; } return NULL; } _Success_(return) BOOLEAN PhpGetSelectedWmiProviderNodes( _In_ PPH_PROCESS_WMI_CONTEXT Context, _Out_ PPHP_PROCESS_WMI_TREENODE **Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPHP_PROCESS_WMI_TREENODE node = (PPHP_PROCESS_WMI_TREENODE)Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } VOID PhpInitializeWmiProviderTree( _Inout_ PPH_PROCESS_WMI_CONTEXT Context ) { LONG dpiValue; dpiValue = PhGetWindowDpi(Context->WindowHandle); Context->NodeList = PhCreateList(10); Context->NodeHashtable = PhCreateHashtable( sizeof(PPHP_PROCESS_WMI_TREENODE), PhpWmiProviderNodeHashtableEqualFunction, PhpWmiProviderNodeHashtableHashFunction, 10 ); PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetCallback(Context->TreeNewHandle, PhpWmiProviderTreeNewCallback, Context); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); // Default columns PhAddTreeNewColumn(Context->TreeNewHandle, PROCESS_WMI_COLUMN_ITEM_PROVIDER, TRUE, L"Provider", 140, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PROCESS_WMI_COLUMN_ITEM_NAMESPACE, TRUE, L"Namespace", 180, PH_ALIGN_LEFT, 1, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PROCESS_WMI_COLUMN_ITEM_FILENAME, TRUE, L"File name", 260, PH_ALIGN_LEFT, 2, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PROCESS_WMI_COLUMN_ITEM_USER, TRUE, L"User", 80, PH_ALIGN_LEFT, 3, 0); PhCmInitializeManager(&Context->Cm, Context->TreeNewHandle, PHMOTLC_MAXIMUM, PhpWmiProviderTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, Context->TreeNewHandle, Context->NodeList); TreeNew_SetTriState(Context->TreeNewHandle, TRUE); TreeNew_SetSort(Context->TreeNewHandle, PROCESS_WMI_COLUMN_ITEM_PROVIDER, NoSortOrder); TreeNew_SetRowHeight(Context->TreeNewHandle, PhGetDpi(22, dpiValue)); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); } VOID PhpDeleteWmiProviderTree( _In_ PPH_PROCESS_WMI_CONTEXT Context ) { PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PhpDestroyWmiProviderNode(Context->NodeList->Items[i]); } PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpProcessWmiProviderTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_PROCESS_WMI_CONTEXT context = Context; PPHP_PROCESS_WMI_TREENODE node = (PPHP_PROCESS_WMI_TREENODE)Node; if (!context) return FALSE; if ( context->HideDefaultNamespace && context->DefaultNamespace && node->Provider->ProviderNamespace && PhEqualString(context->DefaultNamespace, node->Provider->ProviderNamespace, TRUE) ) { return FALSE; } if (!context->SearchMatchHandle) return TRUE; if (!PhIsNullOrEmptyString(node->Provider->ProviderName)) { if (PhSearchControlMatch(context->SearchMatchHandle, &node->Provider->ProviderName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(node->Provider->ProviderNamespace)) { if (PhSearchControlMatch(context->SearchMatchHandle, &node->Provider->ProviderNamespace->sr)) return TRUE; } if (!PhIsNullOrEmptyString(node->Provider->FileName)) { if (PhSearchControlMatch(context->SearchMatchHandle, &node->Provider->FileName->sr)) return TRUE; } if (!PhIsNullOrEmptyString(node->Provider->UserName)) { if (PhSearchControlMatch(context->SearchMatchHandle, &node->Provider->UserName->sr)) return TRUE; } return FALSE; } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpProcessWmiProvidersSearchControlCallback( _In_ ULONG_PTR MatcHandle, _In_opt_ PVOID Context ) { PPH_PROCESS_WMI_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatcHandle; // Expand any hidden nodes to make search results visible. PhpExpandAllWmiProviderNodes(context, TRUE); PhApplyTreeNewFilters(&context->TreeFilterSupport); } INT_PTR CALLBACK PhpProcessWmiProvidersDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_PROCESS_PROPPAGECONTEXT propPageContext; PPH_PROCESS_ITEM processItem; PPH_PROCESS_WMI_CONTEXT context; if (PhPropPageDlgProcHeader(hwndDlg, uMsg, lParam, NULL, &propPageContext, &processItem)) { context = propPageContext->Context; } else { return FALSE; } switch (uMsg) { case WM_INITDIALOG: { context = propPageContext->Context = PhAllocateZero(sizeof(PH_PROCESS_WMI_CONTEXT)); context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_LIST); context->SearchWindowHandle = GetDlgItem(hwndDlg, IDC_SEARCH); context->ProcessItem = processItem; context->DefaultNamespace = PhpQueryWmiDefaultNamespace(); PhCreateSearchControl( hwndDlg, context->SearchWindowHandle, L"Search WMI Providers (Ctrl+K)", PhpProcessWmiProvidersSearchControlCallback, context ); Edit_SetSel(context->SearchWindowHandle, 0, -1); PhpInitializeWmiProviderTree(context); if (PhTreeWindowFont) { context->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(context->TreeNewHandle, context->TreeNewFont, FALSE); } context->TreeFilterEntry = PhAddTreeNewFilter(&context->TreeFilterSupport, PhpProcessWmiProviderTreeFilterCallback, context); PhMoveReference(&context->StatusMessage, PhCreateString(L"There are no providers to display.")); TreeNew_SetEmptyText(context->TreeNewHandle, &context->StatusMessage->sr, 0); PhLoadSettingsWmiProviderList(context); PhpRefreshWmiProvidersList(context, processItem); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveTreeNewFilter(&context->TreeFilterSupport, context->TreeFilterEntry); PhSaveSettingsWmiProviderList(context); PhpDeleteWmiProviderTree(context); if (context->StatusMessage) PhDereferenceObject(context->StatusMessage); if (context->DefaultNamespace) PhDereferenceObject(context->DefaultNamespace); if (context->TreeNewFont) DeleteFont(context->TreeNewFont); PhFree(context); } break; case WM_DPICHANGED_AFTERPARENT: { TreeNew_SetRowHeight(context->TreeNewHandle, PhGetDpi(22, LOWORD(wParam))); } break; case WM_SHOWWINDOW: { PPH_LAYOUT_ITEM dialogItem; if (dialogItem = PhBeginPropPageLayout(hwndDlg, propPageContext)) { PhAddPropPageLayoutItem(hwndDlg, context->SearchWindowHandle, dialogItem, PH_ANCHOR_RIGHT | PH_ANCHOR_TOP); PhAddPropPageLayoutItem(hwndDlg, context->TreeNewHandle, dialogItem, PH_ANCHOR_ALL); PhEndPropPageLayout(hwndDlg, propPageContext); } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_SHOWCONTEXTMENU: { PhpShowWmiProviderNodeContextMenu(context, (PPH_TREENEW_CONTEXT_MENU)lParam); } break; case IDC_REFRESH: { PhpRefreshWmiProvidersList(context, processItem); } break; case IDC_OPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM namespaceMenuItem; PPH_EMENU_ITEM highlightNamespaceMenuItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_OPTIONS), &rect)) break; namespaceMenuItem = PhCreateEMenuItem(0, PROCESS_WMI_TREE_MENU_ITEM_HIDE_DEFAULT_NAMESPACE, L"Hide default namespace", NULL, NULL); highlightNamespaceMenuItem = PhCreateEMenuItem(0, PROCESS_WMI_TREE_MENU_ITEM_HIGHLIGHT_DEFAULT_NAMESPACE, L"Highlight default namespace", NULL, NULL); menu = PhCreateEMenu(); PhInsertEMenuItem(menu, namespaceMenuItem, ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, highlightNamespaceMenuItem, ULONG_MAX); if (context->HideDefaultNamespace) namespaceMenuItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightDefaultNamespace) highlightNamespaceMenuItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, rect.left, rect.bottom ); if (selectedItem && selectedItem->Id) { PhSetOptionsWmiProviderList(context, selectedItem->Id); PhSaveSettingsWmiProviderList(context); PhApplyTreeNewFilters(&context->TreeFilterSupport); } PhDestroyEMenu(menu); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LPARAM)context->TreeNewHandle); return TRUE; } } break; case WM_KEYDOWN: { if (LOWORD(wParam) == 'K') { if (GetKeyState(VK_CONTROL) < 0) { SetFocus(context->SearchWindowHandle); return TRUE; } } } break; } return FALSE; } ================================================ FILE: SystemInformer/resource.h ================================================ //{{NO_DEPENDENCIES}} // Microsoft Visual C++ generated include file. // Used by SystemInformer.rc // #define IDR_RT_MANIFEST 1 #define IDI_PROCESSHACKER 101 #define IDR_MAINWND_ACCEL 102 #define IDD_PROCGENERAL 103 #define IDD_PROCMODULES 104 #define IDD_PROCTHREADS 105 #define IDD_PROCHANDLES 106 #define IDD_PROCENVIRONMENT 107 #define IDD_THRDSTACK 108 #define IDD_THRDSTACKS 109 #define IDD_USRLIST 110 #define IDC_CPU 112 #define IDC_PRIVATEBYTES 113 #define IDC_IO 114 #define IDC_MEMORY 120 #define IDD_ABOUT 121 #define IDC_NEWOBJECTS 121 #define IDC_REMOVEDOBJECTS 122 #define IDD_SRVLIST 125 #define IDD_SRVGENERAL 126 #define IDD_HNDLGENERAL 128 #define IDD_INFORMATION 129 #define IDD_FINDOBJECTS 130 #define IDD_OBJTOKEN 131 #define ID_PLUGIN_MENU_ITEM 131 #define ID_CALLBACK_MENU_ITEM 132 #define IDD_ZOMBIEPROCESSES 135 #define ID_TRAYICONS_REGISTERED 135 #define IDD_RUNAS 136 #define ID_COPY_CELL 136 #define IDD_PROGRESS 137 #define IDD_PAGEFILES 138 #define IDD_TOKGENERAL 139 #define IDD_TOKADVANCED 140 #define IDD_OBJJOB 141 #define IDD_OBJEVENT 142 #define IDD_OBJMUTANT 143 #define IDD_OBJSEMAPHORE 144 #define IDD_OBJTIMER 145 #define IDD_JOBSTATISTICS 146 #define IDD_OBJEVENTPAIR 147 #define IDD_OBJSECTION 148 #define IDD_AFFINITY 149 #define IDD_SYSINFO 150 #define IDD_HNDLSECURITY 151 #define IDD_EDITMESSAGE 152 #define IDD_SESSION 153 #define IDD_PROCMEMORY 154 #define IDD_CHOOSE 155 #define IDD_OPTGENERAL 162 #define IDD_OPTHIGHLIGHTING 163 #define IDD_CHOOSECOLUMNS 166 #define IDD_NETSTACK 167 #define IDD_CREATESERVICE 168 #define IDD_PROCPERFORMANCE 169 #define ID_SHOWCONTEXTMENU 169 #define IDD_PROCSTATISTICS 170 #define IDD_OPTADVANCED 171 #define IDD_GDIHANDLES 175 #define IDD_LOG 178 #define IDD_MEMEDIT 180 #define IDD_MEMPROTECT 182 #define IDD_MEMRESULTS 183 #define IDD_MEMSTRING 185 #define IDD_OPTGRAPHS 186 #define IDD_PLUGINS 187 #define IDD_PLUGINMANAGER 187 #define IDD_HANDLESTATS 188 #define IDD_PROCRECORD 189 #define IDD_CHOOSEPROCESS 190 #define IDD_PROCSERVICES 191 #define IDI_PHAPPLICATION 191 #define IDI_COG 192 #define IDD_SHADOWSESSION 193 #define IDI_PHAPPLICATIONGO 194 #define IDD_TOKCAPABILITIES 194 #define IDI_COGGO 195 #define IDD_TOKATTRIBUTES 195 #define IDD_SYSINFO_CPU 196 #define IDD_SYSINFO_CPUPANEL 197 #define IDD_SYSINFO_MEMPANEL 198 #define IDR_SYSINFO_ACCEL 198 #define IDD_SYSINFO_MEM 199 #define IDD_SYSINFO_IO 200 #define IDD_SYSINFO_IOPANEL 201 #define IDD_MEMLISTS 202 #define IDD_CONTAINER 205 #define IDD_MINIINFO 207 #define IDD_MINIINFO_LIST 210 #define IDD_MITIGATION 215 #define IDD_TOKAPPPOLICY 216 #define IDI_PIN 216 #define IDI_FOLDER 217 #define IDI_MAGNIFIER 219 #define IDD_EDITENV 221 #define IDB_SEARCH_ACTIVE 223 #define IDB_SEARCH_INACTIVE 224 #define IDB_SEARCH_ACTIVE_BMP 225 #define IDB_SEARCH_INACTIVE_BMP 226 #define IDD_OPTIONS 227 #define IDD_PLUGINPROPERTIES 228 #define IDD_PLUGINSDISABLED 241 #define IDD_PROCWMIPROVIDERS 242 #define IDD_COLUMNSETS 243 #define ID_VIEW_TRAYICONS 244 #define IDD_OBJFILE 249 #define IDD_RUNFILEDLG 253 #define IDD_LIVEDUMP 254 #define IDD_HEAPS 255 #define IDD_PROCDUMP 256 #define IDD_PROCVDMHOST 257 #define IDD_OPTSYMBOLS 258 #define IDD_OBJMAPPINGS 258 #define IDI_UACSHIELD 261 #define IDD_RUNPACKAGE 263 #define IDD_MODIFIEDPAGES 264 #define IDB_SEARCH_ACTIVE_SMALL 265 #define IDB_SEARCH_INACTIVE_SMALL 266 #define IDB_SEARCH_REGEX_MODERN_DARK 267 #define IDB_SEARCH_REGEX_MODERN_LIGHT 268 #define IDB_SEARCH_CASE_MODERN_DARK 269 #define IDB_SEARCH_CASE_MODERN_LIGHT 270 #define IDB_SEARCH_ACTIVE_MODERN_DARK 271 #define IDB_SEARCH_ACTIVE_MODERN_LIGHT 272 #define IDB_SEARCH_INACTIVE_MODERN_DARK 273 #define IDB_SEARCH_INACTIVE_MODERN_LIGHT 274 #define IDD_INPUT 275 #define IDD_CHOOSENEW 275 #define IDD_MEMSTRINGSMINLEN 276 #define IDD_MEMSTRINGS 277 #define IDD_HNDLAUDITING 278 #define IDD_HNDLSECAUDIT 278 #define IDC_TERMINATE 1003 #define IDC_FILEICON 1005 #define IDC_FILE 1006 #define IDC_PROCESS 1007 #define IDC_COMPANYNAME 1009 #define IDC_VERSION 1010 #define IDC_REFRESH 1015 #define IDC_PERMISSIONS 1018 #define IDC_FILENAME 1020 #define IDC_CMDLINE 1021 #define IDC_URL 1021 #define IDC_RUNSELECTED 1021 #define IDC_CURDIR 1022 #define IDC_STARTED 1023 #define IDC_ABOUT_NAME 1024 #define IDC_TERMINATED 1024 #define IDC_PARENTCONSOLE 1024 #define IDC_PARENTPROCESS 1025 #define IDC_MITIGATION 1026 #define IDC_PAUSE 1027 #define IDC_PROTECTION 1027 #define IDC_START 1028 #define IDC_FILENAMEWIN32 1028 #define IDC_DESCRIPTION 1029 #define IDC_TYPE 1032 #define IDC_STARTTYPE 1033 #define IDC_ADDRESS 1033 #define IDC_IMPERSONATIONLEVEL 1033 #define IDC_ERRORCONTROL 1034 #define IDC_GRANTED_ACCESS 1034 #define IDC_TOKENLUID 1034 #define IDC_GROUP 1035 #define IDC_AUTHENTICATIONLUID 1035 #define IDC_BINARYPATH 1036 #define IDC_MEMORYUSED 1036 #define IDC_USERACCOUNT 1037 #define IDC_MEMORYAVAILABLE 1037 #define IDC_PASSWORD 1040 #define IDC_PASSWORDCHECK 1041 #define IDC_SERVICEDLL 1042 #define IDC_NAME 1044 #define IDC_REFERENCES 1045 #define IDC_INTERNALNAME 1045 #define IDC_HANDLES 1046 #define IDC_AUTHOR 1046 #define IDC_PAGED 1047 #define IDC_PROCESSTYPETEXT 1047 #define IDC_NONPAGED 1048 #define IDC_TEXT 1048 #define IDC_DIAGNOSTICS 1049 #define IDC_FILTER 1050 #define IDC_RESULTS 1051 #define IDC_USER 1052 #define IDC_USERSID 1053 #define IDC_ADVANCED 1054 #define IDC_OWNER 1054 #define IDC_GROUPS 1055 #define IDC_PRIMARYGROUP 1055 #define IDC_VIRTUALIZATION 1056 #define IDC_SESSIONID 1057 #define IDC_ELEVATED 1058 #define IDC_VIRTUALIZED 1059 #define IDC_SOURCENAME 1059 #define IDC_PROPERTIES 1060 #define IDC_SOURCELUID 1060 #define IDC_APPCONTAINERSID 1060 #define IDC_LIST 1061 #define IDC_TOKENUSER 1061 #define IDC_UIACCESS 1061 #define IDC_TOKENSID 1062 #define IDC_PROCESSES 1063 #define IDC_SCAN 1064 #define IDC_SAVE 1065 #define IDC_METHOD 1067 #define IDC_INTRO 1068 #define IDC_PROGRAM 1069 #define IDC_BROWSE 1070 #define IDC_USERNAME 1071 #define IDC_SESSIONCOMBO 1072 #define IDC_DESKTOPCOMBO 1073 #define IDC_SESSIONS 1074 #define IDC_PROGRAMCOMBO 1074 #define IDC_DESKTOPS 1075 #define IDC_PROGRESS 1076 #define IDC_PROGRESSTEXT 1077 #define IDC_LINKEDTOKEN 1079 #define IDC_DISABLEALL 1079 #define IDC_MOVEUP 1079 #define IDC_CLEAR 1079 #define IDC_GOTO 1079 #define IDC_OPTIONS 1079 #define IDC_DETAILS 1079 #define IDC_ADD 1079 #define IDC_FONT 1079 #define IDC_INTEGRITY 1079 #define IDC_MORE 1079 #define IDC_VIEWMITIGATION 1080 #define IDC_REPLACETASKMANAGER 1080 #define IDC_RENAME 1080 #define IDC_VIEWPARENTPROCESS 1081 #define IDC_OPENFILENAME 1082 #define IDC_LIMITS 1083 #define IDC_OPENFILENAME2 1083 #define IDC_SIGNALED 1084 #define IDC_SET 1085 #define IDC_RESET 1086 #define IDC_PULSE 1087 #define IDC_APPLY 1087 #define IDC_COUNT 1088 #define IDC_ABANDONED 1089 #define IDC_CURRENTCOUNT 1090 #define IDC_MAXIMUMCOUNT 1091 #define IDC_ACQUIRE 1092 #define IDC_RELEASE 1093 #define IDC_CANCEL 1094 #define IDC_OWNERLABEL 1095 #define IDC_SETLOW 1096 #define IDC_SETHIGH 1097 #define IDC_SIZE_ 1098 #define IDC_CPU0 1099 #define IDC_CPU1 1100 #define IDC_CPU2 1101 #define IDC_CPU3 1102 #define IDC_CPU4 1103 #define IDC_CPU5 1104 #define IDC_CPU6 1105 #define IDC_CPU7 1106 #define IDC_CPU8 1107 #define IDC_TITLE 1107 #define IDC_CPU9 1108 #define IDC_CPU10 1109 #define IDC_TIMEOUT 1109 #define IDC_CPU11 1110 #define IDC_CPU12 1111 #define IDC_STATE 1111 #define IDC_CPU13 1112 #define IDC_CLIENTNAME 1112 #define IDC_CPU14 1113 #define IDC_CLIENTADDRESS 1113 #define IDC_CPU15 1114 #define IDC_CLIENTDISPLAY 1114 #define IDC_CPU16 1115 #define IDC_CHOICE 1115 #define IDC_CPU17 1116 #define IDC_OPTION 1116 #define IDC_CPU18 1117 #define IDC_CHOICEUSER 1117 #define IDC_CPU19 1118 #define IDC_HIDEUNNAMEDHANDLES 1118 #define IDC_CPU20 1119 #define IDC_CPU21 1120 #define IDC_STARTMODULE 1120 #define IDC_CPU22 1121 #define IDC_OPENSTARTMODULE 1121 #define IDC_CPU23 1122 #define IDC_KERNELTIME 1122 #define IDC_CPU24 1123 #define IDC_USERTIME 1123 #define IDC_CPU25 1124 #define IDC_CONTEXTSWITCHES 1124 #define IDC_CPU26 1125 #define IDC_CYCLES 1125 #define IDC_CPU27 1126 #define IDC_PRIORITY 1126 #define IDC_CPU28 1127 #define IDC_BASEPRIORITY 1127 #define IDC_CPU29 1128 #define IDC_IOPRIORITY 1128 #define IDC_CPU30 1129 #define IDC_PAGEPRIORITY 1129 #define IDC_CPU31 1130 #define IDC_STATICBL1 1130 #define IDC_STATICBL2 1131 #define IDC_CPU32 1131 #define IDC_STATICBL3 1132 #define IDC_CPU33 1132 #define IDC_STATICBL4 1133 #define IDC_CPU34 1133 #define IDC_STATICBL5 1134 #define IDC_CPU35 1134 #define IDC_STATICBL6 1135 #define IDC_CPU36 1135 #define IDC_STATICBL7 1136 #define IDC_CPU37 1136 #define IDC_STATICBL8 1137 #define IDC_CPU38 1137 #define IDC_STATICBL9 1138 #define IDC_CPU39 1138 #define IDC_STATICBL10 1139 #define IDC_CPU40 1139 #define IDC_STATICBL11 1140 #define IDC_CPU41 1140 #define IDC_CHOICESIMPLE 1141 #define IDC_CPU42 1141 #define IDC_MESSAGE 1142 #define IDC_CPU43 1142 #define IDC_SEARCHENGINE 1143 #define IDC_CPU44 1143 #define IDC_MAXSIZEUNIT 1144 #define IDC_CPU45 1144 #define IDC_CPU46 1145 #define IDC_CPU47 1146 #define IDC_CPU48 1147 #define IDC_CPU49 1148 #define IDC_CPU50 1149 #define IDC_CPU51 1150 #define IDC_PEVIEWER 1151 #define IDC_CPU52 1151 #define IDC_CPU53 1152 #define IDC_CPU54 1153 #define IDC_CPU55 1154 #define IDC_HIGHLIGHTINGDURATION 1155 #define IDC_CPU56 1155 #define IDC_CPU57 1156 #define IDC_ENABLEALL 1157 #define IDC_CPU58 1157 #define IDC_ZACTIVEPROCESSES_V 1158 #define IDC_CPU59 1158 #define IDC_ZTOTALPROCESSES_V 1159 #define IDC_CPU60 1159 #define IDC_ZTERMINATEDPROCESSES_V 1160 #define IDC_CPU61 1160 #define IDC_ZUSERTIME_V 1161 #define IDC_CPU62 1161 #define IDC_ZKERNELTIME_V 1162 #define IDC_CPU63 1162 #define IDC_ZUSERTIMEPERIOD_V 1163 #define IDC_ZKERNELTIMEPERIOD_V 1164 #define IDC_ZPAGEFAULTS_V 1165 #define IDC_ZPEAKPROCESSUSAGE_V 1166 #define IDC_ZPEAKJOBUSAGE_V 1167 #define IDC_ZIOREADS_V 1168 #define IDC_ZIOREADBYTES_V 1169 #define IDC_ZIOWRITES_V 1170 #define IDC_ZIOWRITEBYTES_V 1171 #define IDC_ZIOOTHER_V 1172 #define IDC_ZIOOTHERBYTES_V 1173 #define IDC_MOVEDOWN 1176 #define IDC_REMOVE 1177 #define IDC_DISPLAYNAME 1179 #define IDC_ZPRIORITY_V 1181 #define IDC_ZCYCLES_V 1182 #define IDC_ZTOTALTIME_V 1185 #define IDC_ZPRIVATEBYTES_V 1186 #define IDC_ZWORKINGSET_V 1187 #define IDC_ZPEAKWORKINGSET_V 1188 #define IDC_ZVIRTUALSIZE_V 1189 #define IDC_ZPEAKVIRTUALSIZE_V 1190 #define IDC_ZPEAKPRIVATEBYTES_V 1191 #define IDC_ZPAGEPRIORITY_V 1192 #define IDC_ZIOPRIORITY_V 1194 #define IDC_ZHANDLES_V 1195 #define IDC_ZGDIHANDLES_V 1196 #define IDC_ZOTHERDELTA_V 1196 #define IDC_ZUSERHANDLES_V 1197 #define IDC_ZOTHER_V 1197 #define IDC_GROUPCPU 1198 #define IDC_GROUPPRIVATEBYTES 1199 #define IDC_GROUPIO 1200 #define IDC_UNDO 1201 #define IDC_ONEGRAPHPERCPU 1202 #define IDC_ALWAYSONTOP 1203 #define IDC_PASTE 1204 #define IDC_CUT 1205 #define IDC_COPY 1206 #define IDC_INACTIVE 1207 #define IDC_ACTIVE 1208 #define IDC_SHOW 1209 #define IDC_HIDE 1210 #define IDC_AUTOSCROLL 1215 #define IDC_UNDECORATESYMBOLS 1216 #define IDC_DBGHELPPATH 1217 #define IDC_DBGHELPSEARCHPATH 1218 #define IDC_DESKTOP 1221 #define IDC_REREAD 1224 #define IDC_WRITE 1225 #define IDC_VALUE 1230 #define IDC_DELAYEDSTART 1234 #define IDC_MINIMUMLENGTH 1236 #define IDC_DETECTUNICODE 1237 #define IDC_PRIVATE 1238 #define IDC_IMAGE 1239 #define IDC_MAPPED 1240 #define IDC_EXTENDEDUNICODE 1241 #define IDC_SHOWTEXT 1245 #define IDC_ICONPROCESSES 1248 #define IDC_CLEANUP 1251 #define IDC_TOGGLEELEVATION 1254 #define IDC_TOGGLESUSPENDED 1255 #define IDC_TRUSTEDINSTALLER 1255 #define IDC_TOGGLEUIACCESS 1256 #define IDC_PARENT 1263 #define IDC_PROCESSNAME 1264 #define IDC_SERVICES_LAYOUT 1266 #define IDC_LINK_SF 1267 #define IDC_CREDITS 1270 #define IDC_LOGONTIME 1272 #define IDC_ZPEAKHANDLES_V 1273 #define IDC_SHIFT 1274 #define IDC_USEOLDCOLORS 1274 #define IDC_OPENURL 1279 #define IDC_COMPANYNAME_LINK 1279 #define IDC_SAMPLECOUNT 1280 #define IDC_SAMPLECOUNTLABEL 1281 #define IDC_VIRTUALKEY 1283 #define IDC_CTRL 1284 #define IDC_ALT 1285 #define IDC_CONNECTTIME 1286 #define IDC_DISCONNECTTIME 1287 #define IDC_LASTINPUTTIME 1288 #define IDC_ZPRIVATEWS_V 1289 #define IDC_ZSHAREABLEWS_V 1290 #define IDC_ZSHAREDWS_V 1291 #define IDC_IDEALPROCESSOR 1294 #define IDC_STATICBL12 1295 #define IDC_BASICINFORMATION 1296 #define IDC_INSTRUCTION 1298 #define IDC_CPUNAME 1299 #define IDC_LAYOUT 1300 #define IDC_UTILIZATION 1301 #define IDC_SPEED 1302 #define IDC_ZPROCESSES_V 1303 #define IDC_ZTHREADS_V 1304 #define IDC_ZCONTEXTSWITCHESDELTA_V 1307 #define IDC_ZINTERRUPTSDELTA_V 1308 #define IDC_ZDPCSDELTA_V 1309 #define IDC_ZSYSTEMCALLSDELTA_V 1310 #define IDC_GRAPH_LAYOUT 1311 #define IDC_ZCORES 1311 #define IDC_TOTALPHYSICAL 1312 #define IDC_ZSOCKETS 1312 #define IDC_ZLOGICAL 1313 #define IDC_ZCOMMITCURRENT_V 1314 #define IDC_ZLATENCY 1314 #define IDC_ZCOMMITPEAK_V 1315 #define IDC_ZCOMMITLIMIT_V 1316 #define IDC_ZPHYSICALCURRENT_V 1317 #define IDC_ZPHYSICALTOTAL_V 1318 #define IDC_ZPHYSICALCACHEWS_V 1319 #define IDC_ZPHYSICALKERNELWS_V 1320 #define IDC_ZPHYSICALDRIVERWS_V 1321 #define IDC_ZPAGEDWORKINGSET_V 1322 #define IDC_ZPAGEDVIRTUALSIZE_V 1323 #define IDC_ZPAGEDLIMIT_V 1324 #define IDC_ZPAGEDALLOCSDELTA_V 1325 #define IDC_ZPAGEDFREESDELTA_V 1326 #define IDC_ZNONPAGEDUSAGE_V 1327 #define IDC_ZNONPAGEDLIMIT_V 1328 #define IDC_ZNONPAGEDALLOCSDELTA_V 1329 #define IDC_ZNONPAGEDFREESDELTA_V 1330 #define IDC_ZPHYSICALRESERVED_V 1331 #define IDC_ZLISTZEROED_V 1332 #define IDC_ZLISTFREE_V 1333 #define IDC_ZLISTMODIFIED_V 1334 #define IDC_ZLISTMODIFIEDNOWRITE_V 1335 #define IDC_ZLISTSTANDBY_V 1337 #define IDC_COMMIT_L 1339 #define IDC_PHYSICAL_L 1340 #define IDC_ZUPTIME_V 1341 #define IDC_ZOTHERBYTESDELTA_V 1342 #define IDC_ZREADSDELTA_V 1343 #define IDC_ZREADBYTESDELTA_V 1344 #define IDC_ZWRITESDELTA_V 1345 #define IDC_ZLISTSTANDBY0_V 1346 #define IDC_ZWRITEBYTESDELTA_V 1346 #define IDC_ZLISTSTANDBY1_V 1347 #define IDC_ZREADS_V 1347 #define IDC_ZLISTSTANDBY2_V 1348 #define IDC_ZREADBYTES_V 1348 #define IDC_ZLISTSTANDBY3_V 1349 #define IDC_ZWRITES_V 1349 #define IDC_ZLISTBAD_V 1350 #define IDC_ZWRITEBYTES_V 1350 #define IDC_ZLISTREPURPOSED_V 1351 #define IDC_ZOTHERBYTES_V 1351 #define IDC_ZLISTREPURPOSED0_V 1352 #define IDC_ZLISTREPURPOSED1_V 1353 #define IDC_ZLISTREPURPOSED2_V 1354 #define IDC_ZLISTREPURPOSED3_V 1355 #define IDC_ZLISTREPURPOSED4_V 1356 #define IDC_ZLISTREPURPOSED5_V 1357 #define IDC_ZLISTREPURPOSED6_V 1358 #define IDC_ZLISTREPURPOSED7_V 1359 #define IDC_EMPTY 1360 #define IDC_SAMPLECOUNTAUTOMATIC 1361 #define IDC_SHOWCOMMITINSUMMARY 1361 #define IDC_ZLISTSTANDBY4_V 1364 #define IDC_ZLISTSTANDBY5_V 1365 #define IDC_SELECTALL 1365 #define IDC_ZLISTSTANDBY6_V 1366 #define IDC_DESELECTALL 1366 #define IDC_ZLISTSTANDBY7_V 1367 #define IDC_INSPECT 1367 #define IDC_ZPAGINGPAGEFAULTSDELTA_V 1368 #define IDC_INSPECT2 1368 #define IDC_ZPAGINGPAGEREADSDELTA_V 1369 #define IDC_BYTESPERROW 1369 #define IDC_ZPAGINGPAGEFILEWRITESDELTA_V 1370 #define IDC_PINWINDOW 1370 #define IDC_ZPAGINGMAPPEDWRITESDELTA_V 1371 #define IDC_ZMAPPEDREADIO 1372 #define IDC_ZLISTMODIFIEDPAGEFILE_V 1373 #define IDC_ZMAPPEDWRITEIO 1374 #define IDC_SECTION 1375 #define IDC_REGEX 1377 #define IDC_DESCRIPTIONLABEL 1378 #define IDC_IOREAD_L 1378 #define IDC_IOWRITE_L 1379 #define IDC_IOOTHER_L 1380 #define IDC_VIEWCOMMANDLINE 1381 #define IDC_DELETE 1382 #define IDC_EDIT 1383 #define IDC_NEW 1384 #define IDC_HANDLESEARCH 1385 #define IDC_SEARCH 1387 #define IDC_FILTEROPTIONS 1389 #define IDC_FILTERTYPE 1390 #define IDC_TREELIST 1391 #define IDC_SECTIONTREE 1393 #define IDC_INFO 1396 #define IDC_DEFSTATE 1398 #define IDC_SETTINGS 1399 #define IDC_PLUGINTREE 1400 #define IDC_DISABLED 1401 #define IDC_LIST_DISABLED 1402 #define IDC_COLUMNSETLIST 1403 #define IDC_STATISTICS_LIST 1404 #define IDC_FLUSH 1406 #define IDC_POSITION 1407 #define IDC_FILESIZE 1408 #define IDC_FILETYPE 1409 #define IDC_FILEMODE 1410 #define IDC_DEFAULTPERM 1410 #define IDC_DUMPSTACK 1411 #define IDC_COMPRESS 1412 #define IDC_USERMODE 1413 #define IDC_HYPERVISOR 1414 #define IDC_SIZESINBYTES 1415 #define IDC_FONTMONOSPACE 1416 #define IDC_ONLYKERNELTHREADSTACKS 1417 #define IDC_HYPERVISORNONESSENTIAL 1418 #define IDC_INPUT 1419 #define IDC_MINIDUMP_NORMAL 1420 #define IDC_MINIDUMP_WITH_DATA_SEGS 1421 #define IDC_MINIDUMP_WITH_FULL_MEM 1422 #define IDC_MINIDUMP_WITH_HANDLE_DATA 1423 #define IDC_MINIDUMP_FILTER_MEMORY 1424 #define IDC_MINIDUMP_SCAN_MEMORY 1425 #define IDC_MINIDUMP_WITH_UNLOADED_MODULES 1426 #define IDC_MINIDUMP_WITH_INDIRECT_REFERENCED_MEM 1427 #define IDC_MINIDUMP_FILTER_MODULE_PATHS 1428 #define IDC_MINIDUMP_WITH_PROC_THRD_DATA 1429 #define IDC_MINIDUMP_WITH_PRIVATE_RW_MEM 1430 #define IDC_MINIDUMP_WITHOUT_OPTIONAL_DATA 1431 #define IDC_MINIDUMP_WITH_FULL_MEM_INFO 1432 #define IDC_MINIDUMP_WITH_THRD_INFO 1433 #define IDC_MINIDUMP_WITH_CODE_SEGS 1434 #define IDC_MINIDUMP_WITHOUT_AUXILIARY_STATE 1435 #define IDC_MINIDUMP_WITH_FULL_AUXILIARY_STATE 1436 #define IDC_MINIDUMP_WITH_PRIVATE_WRITE_COPY_MEM 1437 #define IDC_MINIDUMP_IGNORE_INACCESSIBLE_MEM 1438 #define IDC_MINIDUMP_WITH_TOKEN_INFO 1439 #define IDC_MINIDUMP_WITH_MODULE_HEADERS 1440 #define IDC_MINIDUMP_FILTER_TRIAGE 1441 #define IDC_MINIDUMP_WITH_AVXX_STATE_CONTEXT 1442 #define IDC_MINIDUMP_WITH_IPT_TRACE 1443 #define IDC_MINIDUMP_SCAN_INACCESSIBLE_PARTIAL_PAGES 1444 #define IDC_MINIDUMP_FILTER_WRITE_COMBINE_MEM 1445 #define IDC_ZMEMSLOTS_V 1446 #define IDC_ZMEMFORMFACTOR_V 1447 #define IDC_ZMEMTYPE_V 1448 #define IDC_ZMEMTECHNOLOGY_V 1449 #define IDC_ZMEMSPEED_V 1450 #define IDC_ZL1CACHE_V 1451 #define IDC_ZL2CACHE_V 1452 #define IDC_ZL3CACHE_V 1453 #define ID_HACKER_EXIT 40001 #define ID_PROCESS_DUMP_MINIMAL 40002 #define ID_PROCESS_DUMP_LIMITED 40003 #define ID_PROCESS_DUMP_NORMAL 40004 #define ID_PROCESS_DUMP_FULL 40005 #define ID_PROCESS_PROPERTIES 40006 #define ID_PROCESS_TERMINATE 40007 #define ID_PROCESS_SUSPEND 40008 #define ID_PROCESS_RESUME 40009 #define ID_HACKER_SAVE 40010 #define ID_THREAD_TERMINATE 40011 #define ID_THREAD_SUSPEND 40012 #define ID_THREAD_RESUME 40013 #define ID_THREAD_PERMISSIONS 40015 #define ID_THREAD_TOKEN 40016 #define ID_ANALYZE_WAIT 40018 #define ID_PROCESS_DUMP_CUSTOM 40019 #define ID_PRIORITY_TIMECRITICAL 40020 #define ID_PRIORITY_HIGHEST 40021 #define ID_PRIORITY_ABOVENORMAL 40022 #define ID_PRIORITY_NORMAL 40023 #define ID_PRIORITY_BELOWNORMAL 40024 #define ID_PRIORITY_LOWEST 40025 #define ID_PRIORITY_IDLE 40026 #define ID_IOPRIORITY_VERYLOW 40028 #define ID_IOPRIORITY_LOW 40029 #define ID_IOPRIORITY_NORMAL 40030 #define ID_IOPRIORITY_HIGH 40031 #define ID_PROCESS_RESTART 40032 #define ID_PROCESS_VIRTUALIZATION 40034 #define ID_PROCESS_AFFINITY 40035 #define ID_PROCESS_CREATEDUMPFILE 40036 #define ID_PROCESS_PRIORITYCLASS 40037 #define ID_MISCELLANEOUS_SETCRITICAL 40038 #define ID_MISCELLANEOUS_DETACHFROMDEBUGGER 40039 #define ID_PROCESS_IOPRIORITY 40040 #define ID_PROCESS_MISCELLANEOUS 40041 #define ID_PROCESS_WINDOW 40042 #define ID_PROCESS_PAGEPRIORITY 40043 #define ID_PRIORITY_REALTIME 40048 #define ID_PRIORITY_HIGH 40049 #define ID_MISCELLANEOUS_ACTIVITY 40050 #define ID_MISCELLANEOUS_ECOMODE 40051 #define ID_WINDOW_BRINGTOFRONT 40055 #define ID_WINDOW_RESTORE 40056 #define ID_WINDOW_MINIMIZE 40057 #define ID_WINDOW_MAXIMIZE 40058 #define ID_WINDOW_CLOSE 40059 #define ID_PROCESS_SEARCHONLINE 40060 #define ID_HANDLE_CLOSE 40061 #define ID_HANDLE_PROTECTED 40062 #define ID_HANDLE_INHERIT 40063 #define ID_HANDLE_PROPERTIES 40064 #define ID_HANDLE_SECURITY 40065 #define ID_MODULE_UNLOAD 40066 #define ID_MODULE_PROPERTIES 40068 #define ID_PROCESS_TERMINATETREE 40069 #define ID_PROCESS_SUSPENDTREE 40070 #define ID_PROCESS_RESUMETREE 40071 #define ID_THREAD_INSPECT 40075 #define ID_HACKER_RUN 40076 #define ID_HACKER_RUNASADMINISTRATOR 40077 #define ID_HACKER_RUNAS 40078 #define ID_HACKER_SHOWDETAILSFORALLPROCESSES 40079 #define ID_HACKER_RUNASPACKAGE 40080 #define ID_HACKER_FINDHANDLESORDLLS 40082 #define ID_HACKER_OPTIONS 40083 #define ID_PROCESS_FREEZE 40084 #define ID_PROCESS_THAW 40085 #define ID_VIEW_SYSTEMINFORMATION 40091 #define ID_TRAYICONS_CPUHISTORY 40093 #define ID_TRAYICONS_CPUUSAGE 40094 #define ID_TRAYICONS_COMMITHISTORY 40096 #define ID_TRAYICONS_PHYSICALMEMORYHISTORY 40097 #define ID_VIEW_REFRESH 40098 #define ID_TOOLS_USER_LIST 40099 #define ID_TOOLS_THREADSTACKS 40100 #define ID_TOOLS_CREATESERVICE 40101 #define ID_TOOLS_ZOMBIEPROCESSES 40102 #define ID_TOOLS_INSPECTEXECUTABLEFILE 40103 #define ID_HELP_LOG 40104 #define ID_HELP_DONATE 40105 #define ID_HELP_ABOUT 40106 #define ID_SERVICE_GOTOPROCESS 40107 #define ID_SERVICE_START 40108 #define ID_SERVICE_CONTINUE 40109 #define ID_SERVICE_PAUSE 40110 #define ID_SERVICE_STOP 40111 #define ID_SERVICE_DELETE 40112 #define ID_SERVICE_PROPERTIES 40113 #define ID_SERVICE_OPENKEY 40114 #define ID_PRIVILEGE_ENABLE 40116 #define ID_PRIVILEGE_DISABLE 40117 #define ID_PRIVILEGE_REMOVE 40118 #define ID_OBJECT_CLOSE 40119 #define ID_OBJECT_PROPERTIES 40120 #define ID_HELP_DEBUGCONSOLE 40122 #define ID_TOOLS_PAGEFILES 40126 #define ID_USER_DISCONNECT 40127 #define ID_USER_LOGOFF 40128 #define ID_USER_SENDMESSAGE 40129 #define ID_USER_PROPERTIES 40130 #define ID_USERS_DUMMY 40131 #define ID_PROCESS_DEBUG 40133 #define ID_USER_CONNECT 40138 #define ID_NETWORK_GOTOPROCESS 40139 #define ID_NETWORK_CLOSE 40140 #define ID_OPACITY_10 40142 #define ID_OPACITY_20 40143 #define ID_OPACITY_30 40144 #define ID_OPACITY_40 40145 #define ID_OPACITY_50 40146 #define ID_OPACITY_60 40147 #define ID_OPACITY_70 40148 #define ID_OPACITY_80 40149 #define ID_OPACITY_90 40150 #define ID_OPACITY_OPAQUE 40151 #define ID_VIEW_ALWAYSONTOP 40153 #define ID_UPDATEINTERVAL_FAST 40155 #define ID_UPDATEINTERVAL_NORMAL 40156 #define ID_UPDATEINTERVAL_BELOWNORMAL 40157 #define ID_UPDATEINTERVAL_SLOW 40158 #define ID_UPDATEINTERVAL_VERYSLOW 40159 #define ID_COMPUTER_LOCK 40160 #define ID_COMPUTER_LOGOFF 40161 #define ID_COMPUTER_SLEEP 40162 #define ID_COMPUTER_HIBERNATE 40163 #define ID_COMPUTER_RESTART 40164 #define ID_COMPUTER_SHUTDOWN 40165 #define ID_COMPUTER_RESTART_NATIVE 40166 #define ID_COMPUTER_SHUTDOWN_NATIVE 40167 #define ID_COMPUTER_RESTART_CRITICAL 40168 #define ID_COMPUTER_SHUTDOWN_CRITICAL 40169 #define ID_COMPUTER_RESTART_UPDATE 40170 #define ID_COMPUTER_SHUTDOWN_UPDATE 40171 #define ID_TRAYICONS_IOHISTORY 40172 #define ID_ICON_EXIT 40173 #define ID_ICON_SHOWHIDEPROCESSHACKER 40174 #define ID_ICON_SYSTEMINFORMATION 40175 #define ID_PROCESSES_DUMMY 40177 #define ID_NOTIFICATIONS_ENABLEALL 40178 #define ID_NOTIFICATIONS_DISABLEALL 40179 #define ID_NOTIFICATIONS_NEWPROCESSES 40180 #define ID_NOTIFICATIONS_TERMINATEDPROCESSES 40181 #define ID_NOTIFICATIONS_NEWSERVICES 40182 #define ID_NOTIFICATIONS_STARTEDSERVICES 40183 #define ID_NOTIFICATIONS_STOPPEDSERVICES 40184 #define ID_NOTIFICATIONS_DELETEDSERVICES 40185 #define ID_NOTIFICATIONS_MODIFIEDSERVICES 40186 #define ID_MISCELLANEOUS_LOCKS 40187 #define ID_MISCELLANEOUS_GDIHANDLES 40188 #define ID_MISCELLANEOUS_HEAPS 40189 #define ID_ESC_EXIT 40190 #define ID_NOTIFICATIONS_ARRIVEDDEVICES 40191 #define ID_NOTIFICATIONS_REMOVEDDEVICES 40192 #define ID_PROCESS_COPY 40194 #define ID_THREAD_COPY 40195 #define ID_NETWORK_COPY 40197 #define ID_SERVICE_COPY 40198 #define ID_MODULE_COPY 40199 #define ID_HANDLE_COPY 40200 #define ID_OBJECT_COPY 40201 #define ID_MEMORY_SAVE 40208 #define ID_MEMORY_CHANGEPROTECTION 40209 #define ID_MEMORY_FREE 40210 #define ID_MEMORY_DECOMMIT 40211 #define ID_MEMORY_COPY 40213 #define ID_MEMORY_READWRITEMEMORY 40214 #define ID_MEMORY_EMPTYWORKINGSET 40215 #define ID_FILTER_CONTAINS 40216 #define ID_FILTER_CONTAINS_CASEINSENSITIVE 40218 #define ID_FILTER_REGEX 40219 #define ID_FILTER_REGEX_CASEINSENSITIVE 40221 #define ID_TAB_NEXT 40223 #define ID_TAB_PREV 40224 #define ID_VIEW_COLLAPSEALL 40225 #define ID_VIEW_EXPANDALL 40226 #define ID_MISCELLANEOUS_RUNAS 40229 #define ID_MISCELLANEOUS_RUNASTHISUSER 40230 #define ID_MISCELLANEOUS_PAGESMODIFIED 40231 #define ID_VIEW_HIDEPROCESSESFROMOTHERUSERS 40232 #define ID_MISCELLANEOUS_FLUSHHEAPS 40233 #define ID_THREAD_AFFINITY 40233 #define ID_THREAD_BOOST 40234 #define ID_VIEW_HIDESIGNEDPROCESSES 40234 #define ID_VIEW_UPDATEAUTOMATICALLY 40235 #define ID_HACKER_RUNASLIMITEDUSER 40236 #define ID_USER_REMOTECONTROL 40237 #define ID_VIEW_HIDEMICROSOFTPROCESSES 40238 #define ID_PAGEPRIORITY_NORMAL 40239 #define ID_PAGEPRIORITY_BELOWNORMAL 40240 #define ID_PAGEPRIORITY_MEDIUM 40241 #define ID_PAGEPRIORITY_LOW 40242 #define ID_PAGEPRIORITY_VERYLOW 40243 #define ID_VIEW_SHOWCPUBELOW001 40246 #define ID_MODULE_OPENFILELOCATION 40247 #define ID_PROCESS_OPENFILELOCATION 40248 #define ID_MISCELLANEOUS_REDUCEWORKINGSET 40249 #define IDC_BACK 40255 #define ID_VIEW_ORGANIZECOLUMNSETS 40256 #define ID_VIEW_SAVECOLUMNSET 40257 #define ID_VIEW_LOADCOLUMNSET 40258 #define ID_VIEW_SORTROOTPROCESSES 40262 #define ID_DIGIT1 40263 #define ID_DIGIT2 40264 #define ID_DIGIT3 40265 #define ID_DIGIT4 40266 #define ID_DIGIT5 40267 #define ID_DIGIT6 40268 #define ID_DIGIT7 40269 #define ID_DIGIT8 40270 #define ID_DIGIT9 40271 #define ID_VIEW_HIDEWAITINGCONNECTIONS 40272 #define ID_VIEW_HIDEDRIVERSERVICES 40273 #define ID_VIEW_HIDEMICROSOFTSERVICES 40274 #define ID_VIEW_SECTIONPLACEHOLDER 40274 #define ID_VIEW_SCROLLTONEWPROCESSES 40275 #define ID_VIEW_SORTCHILDPROCESSES 40276 #define ID_TOOLS_STARTTASKMANAGER 40277 #define ID_COMPUTER_SHUTDOWNHYBRID 40278 #define ID_COMPUTER_RESTARTADVOPTIONS 40279 #define ID_COMPUTER_RESTARTBOOTOPTIONS 40280 #define ID_COMPUTER_RESTARTFWOPTIONS 40281 #define ID_COMPUTER_RESTARTFWDEVICE 40282 #define ID_HANDLE_OBJECTPROPERTIES1 40282 #define ID_COMPUTER_RESTARTBOOTDEVICE 40283 #define ID_HANDLE_OBJECTPROPERTIES2 40283 #define ID_OBJECT_GOTOOWNINGPROCESS 40284 #define ID_COMPUTER_RESTARTWDOSCAN 40284 #define ID_NETWORK_GOTOSERVICE 40285 #define ID_SERVICE_OPENFILELOCATION 40286 #define ID_PROCESS_GOTOPROCESS 40287 #define ID_MINIINFO_REFRESH 40288 #define ID_MINIINFO_REFRESHAUTOMATICALLY 40289 #define ID_TOOLS_STARTRESOURCEMONITOR 40290 #define ID_TOOLS_SHUTDOWNWSLPROCESSES 40291 #define ID_HANDLE_GOTOOWNINGPROCESS 40292 #define IDC_MAXSCREEN 40293 #define ID_PRIVILEGE_RESET 40296 #define ID_GROUP_ENABLE 40297 #define ID_THREAD_CRITICAL 40297 #define ID_GROUP_DISABLE 40298 #define ID_GROUP_RESET 40299 #define ID_TOOLS_SCM_PERMISSIONS 40300 #define ID_TOOLS_RDP_PERMISSIONS 40301 #define ID_TOOLS_PWR_PERMISSIONS 40302 #define ID_TOOLS_WMI_PERMISSIONS 40303 #define ID_TOOLS_DESKTOP_PERMISSIONS 40304 #define ID_TOOLS_STATION_PERMISSIONS 40305 #define ID_UIACCESS_REMOVE 40306 #define ID_TOOLS_LIVEDUMP 40307 #define ID_NOTIFICATIONS_ENABLEDELAYSTART 40308 #define ID_NOTIFICATIONS_ENABLEPERSISTLAYOUT 40309 #define ID_NOTIFICATIONS_RESETPERSISTLAYOUT 40310 #define ID_NOTIFICATIONS_ENABLETRANSPARENTICONS 40311 #define ID_NOTIFICATIONS_ENABLESINGLECLICKICONS 40312 #define ID_MISCELLANEOUS_EXECUTIONREQUIRED 40313 #define IDD_OBJAFDSOCKET 40314 #define ID_TOOLS_COM_ACCESS_PERMISSIONS 40315 #define ID_TOOLS_COM_ACCESS_RESTRICTIONS 40316 #define ID_TOOLS_COM_LAUNCH_PERMISSIONS 40317 #define ID_TOOLS_COM_LAUNCH_RESTRICTIONS 40318 #define IDDYNAMIC 50000 #define IDPLUGINS 55000 // Next default values for new objects // #ifdef APSTUDIO_INVOKED #ifndef APSTUDIO_READONLY_SYMBOLS #define _APS_NEXT_RESOURCE_VALUE 273 #define _APS_NEXT_COMMAND_VALUE 40298 #define _APS_NEXT_CONTROL_VALUE 1418 #define _APS_NEXT_SYMED_VALUE 170 #endif #endif ================================================ FILE: SystemInformer/resources/capslist.txt ================================================ ID_CAP_ACCESSIBILITY_CLIENT ID_CAP_ACCESS_FAMILY_NOTES_API ID_CAP_ACCESS_REMINDER_IMAGES ID_CAP_ACC_MGR_ADMIN ID_CAP_ADAPTIVE_BRIGHTNESS_CONTROL ID_CAP_ADVERTISING_CONFIG ID_CAP_AIS_TOKEN_MANAGER ID_CAP_APPCONTAINER_PACKAGE_CERTIFICATES ID_CAP_APPOINTMENTS ID_CAP_APPPREINSTALL_DIRECTORY ID_CAP_APPPREINSTALL_EVENTS ID_CAP_APPRESOLVER ID_CAP_APPX_EXECUTION ID_CAP_APP_STORE_PURCHASE_HISTORY ID_CAP_AUDIO_CALLINJECTION ID_CAP_AUDIO_CALLRECORDING ID_CAP_AUDIO_EVENTSND ID_CAP_AUDIO_INTERNAL ID_CAP_AUDIO_ROUTING_CONTROLLER ID_CAP_AUDIO_SETTINGS ID_CAP_AUTHHOST ID_CAP_BACKGROUND_EXECUTION_MANAGEMENT ID_CAP_BACKGROUND_SETTINGS_MANAGEMENT ID_CAP_BACKGROUND_WORKER ID_CAP_BACKUPROAMRESTORE ID_CAP_BARCODE_POS ID_CAP_BASEOS_ANTI_THEFT ID_CAP_BASEOS_UPDATEAPI ID_CAP_BINGCLIENT_BINGCONFIGURATION ID_CAP_BINGCLIENT_CA_INTERESTEXTRACTION ID_CAP_BINGCLIENT_DDC ID_CAP_BINGCLIENT_IDENTITY ID_CAP_BINGCLIENT_OSS ID_CAP_BINGCLIENT_SUGGESTSHIGHLIGHTS ID_CAP_BINGCLIENT_TEE ID_CAP_BLUETOOTH ID_CAP_BLUETOOTH_ADMIN ID_CAP_BMR2_MONITOR_SERVICE ID_CAP_BMR_CONFIGURATION ID_CAP_BMR_SYNC ID_CAP_BROKER_NAVIGATION ID_CAP_BROWSER_ACCESSIBILITY_SETTINGS ID_CAP_BROWSER_FEATURE_CONTROL_KEYS ID_CAP_BSS_AIM_INTERFACE ID_CAP_BSS_NABSYNC_INTERFACE ID_CAP_BSS_PUSH_INTERFACE ID_CAP_BSS_REMINDER_INTERFACE ID_CAP_BUILTIN_BASEPRIORITY ID_CAP_BUILTIN_CREATEGLOBAL ID_CAP_BUILTIN_CREATEPERMANENT ID_CAP_BUILTIN_DEFAULT ID_CAP_BUILTIN_IMPERSONATE ID_CAP_BUILTIN_PROFILE ID_CAP_BUILTIN_SETTIME ID_CAP_BUILTIN_SHUTDOWN ID_CAP_BUILTIN_SYMBOLICLINK ID_CAP_BUILTIN_TCB ID_CAP_BUTTONS ID_CAP_CALLMESSAGING_FILTER ID_CAP_CAMERA ID_CAP_CA_ACTIONURI_TEST_EVENT ID_CAP_CA_ADMIN ID_CAP_CA_BACKGROUND_PROCESSOR ID_CAP_CA_BACKGROUND_PROCESSOR_ADMIN ID_CAP_CA_CONTEXT ID_CAP_CA_DND_MANAGER ID_CAP_CA_ENABLED ID_CAP_CA_HISTORY ID_CAP_CA_RULES ID_CAP_CA_SIGNALS_GENERIC ID_CAP_CA_SIGNALS_MANAGER ID_CAP_CA_SIGNALS_MANAGER_ADMIN ID_CAP_CA_UPLOAD_FOLDER ID_CAP_CBS_API ID_CAP_CDP_POLICY ID_CAP_CELLUX_CONFIG_READ ID_CAP_CELL_API_ADMIN ID_CAP_CELL_API_COMMON ID_CAP_CELL_API_LOCATION ID_CAP_CELL_API_MESSAGING ID_CAP_CELL_API_MODEMLOGGING ID_CAP_CELL_API_OEM_PASSTHROUGH ID_CAP_CELL_API_TELEPHONY ID_CAP_CELL_API_UICC ID_CAP_CELL_API_UICC_LOWLEVEL ID_CAP_CELL_CELLMGR ID_CAP_CELL_CMCSPWWAN_PLUS ID_CAP_CELL_MSFT_UICC_DATASTORE ID_CAP_CELL_OEM_UICC_DATASTORE ID_CAP_CELL_RCSPRESENCE ID_CAP_CELL_VIDEOTELEPHONY ID_CAP_CELL_WNF ID_CAP_CELL_WNF_ADMIN ID_CAP_CELL_WNF_PII ID_CAP_CHAMBER_PROFILE_CODE_INSTALLTEMP_RWD ID_CAP_CHAMBER_PROFILE_CODE_NITEMP_RW ID_CAP_CHAMBER_PROFILE_CODE_R ID_CAP_CHAMBER_PROFILE_CODE_RW ID_CAP_CHAMBER_PROFILE_DATA_LIVETILES_RWD ID_CAP_CHAMBER_PROFILE_DATA_MEDIA_RWD ID_CAP_CHAMBER_PROFILE_DATA_PLATFORMDATA_ALL ID_CAP_CHAMBER_PROFILE_DATA_R ID_CAP_CHAMBER_PROFILE_DATA_RW ID_CAP_CHAMBER_PROFILE_DATA_SHELLCONTENT_R ID_CAP_CHAMBER_PROFILE_DATA_SHELLCONTENT_RWD ID_CAP_CLIPBOARD ID_CAP_COMMANDCHANNEL ID_CAP_COMMS_APPLICATIONS ID_CAP_COMMS_COMMON ID_CAP_COMMS_SERVICES ID_CAP_COMMS_SETTINGS ID_CAP_CONTACTS ID_CAP_CONTENTSHARING ID_CAP_CORE_SHELL ID_CAP_CORTANA_RULES_DB ID_CAP_CREATE_PROCESS_IN_CHAMBER ID_CAP_CREDENTIAL_COLLECTION_UI ID_CAP_CRITICAL_DATA ID_CAP_CSP_BMR_PROVISION ID_CAP_CSP_DMCLIENT ID_CAP_CSP_FOUNDATION ID_CAP_CSP_LOCATION ID_CAP_CSP_MAIL ID_CAP_CSP_NODECACHE ID_CAP_CSP_OEM ID_CAP_CSP_PHONE ID_CAP_CSP_W4_APPLICATION ID_CAP_CSP_WIFI_HOTSPOT ID_CAP_DATACOLLECTION_ACTIVITY ID_CAP_DATACOLLECTION_COLLECTOR ID_CAP_DATACOLLECTION_RAWETW ID_CAP_DATAPLANUSAGE ID_CAP_DATAPLANUSAGE_ADMIN ID_CAP_DCP ID_CAP_DEBUG ID_CAP_DEBUG_FOLDERS ID_CAP_DEBUG_NAVIGATION ID_CAP_DEVELOPERUNLOCK ID_CAP_DEVELOPERUNLOCK_API ID_CAP_DEVELOPERUNLOCK_CODEDUI ID_CAP_DEVICE_LOCK ID_CAP_DEVICE_LOCK_ADMIN ID_CAP_DEVICE_MANAGEMENT ID_CAP_DEVICE_MANAGEMENT_ADMIN ID_CAP_DEVICE_MANAGEMENT_BOOTSTRAP ID_CAP_DEVICE_MANAGEMENT_SECURITY_POLICIES ID_CAP_DIAGNOSTIC_CLIENT ID_CAP_DISPLAY_CONTROL ID_CAP_DMCLIENT_APPMGMT ID_CAP_DO_NOT_DISTURB ID_CAP_DRIVE_MODE_ADMIN ID_CAP_DUASVC ID_CAP_DU_AGENT ID_CAP_DU_CORE_API ID_CAP_DU_CSP ID_CAP_DU_MIGRATION_MANAGER_STATUS ID_CAP_DU_MIGRATION_WNF_EVENTS ID_CAP_DU_MIGRATOR_PROVISIONING_STATUS_MICROSOFT ID_CAP_DU_MIGRATOR_PROVISIONING_STATUS_OEM ID_CAP_DU_MIGRATOR_STATUS_MICROSOFT ID_CAP_DU_MIGRATOR_STATUS_OEM ID_CAP_DU_PROVISIONING ID_CAP_DU_SHARED_DATA ID_CAP_DU_USS ID_CAP_DU_UX ID_CAP_DU_UX_FEATURE_DISCOVERY ID_CAP_EAS_CREDENTIALS ID_CAP_EDM_CACHE_RWDELETE ID_CAP_EDM_CACHE_WRITE ID_CAP_ENDPOINTDISCOVERY ID_CAP_ENROLLMENT ID_CAP_ENROLLMENT_ADMIN ID_CAP_ENROLLMENT_POLL ID_CAP_ENROLLMENT_RENEW ID_CAP_ENTERPRISERESOURCESTORE ID_CAP_ENTERPRISE_AUTHENTICATION ID_CAP_ENTERPRISE_ENROLLMENT ID_CAP_ENTERPRISE_SERVICE ID_CAP_ENTERPRISE_SHARED_DATA ID_CAP_ETW_PROFILER ID_CAP_EVERYONE ID_CAP_EVERYONE_INROM ID_CAP_EXTERNAL_DISPLAY ID_CAP_FAILURE_REPORT_CONTENT_PROVIDER ID_CAP_FINDMYPHONE ID_CAP_FOREGROUND_TASK_MANAGER ID_CAP_GAMERSERVICES ID_CAP_GLOBALIZATION_SETTINGS ID_CAP_HTTP_ACCEPT_LANGUAGE_HEADER ID_CAP_ICS_RO ID_CAP_ICS_RW ID_CAP_IDENTITY_DEVICE ID_CAP_IDENTITY_DEVICE_1ST_PARTY ID_CAP_IDENTITY_USER ID_CAP_IDENTITY_USER_1ST_PARTY ID_CAP_IDM_IMAGE_CACHE ID_CAP_IMMERSIVE_SHELL ID_CAP_INPUT_CORE ID_CAP_INPUT_FEATURES ID_CAP_INPUT_INJECTION ID_CAP_INPUT_LOCALES ID_CAP_INPUT_SERVICE ID_CAP_INSTALL_CERTIFICATES ID_CAP_INTENTTEXTRACTION_OPTIN ID_CAP_INTERNAL_DEPLOYMENT ID_CAP_INTERNET_EXPLORER_BROWSER_HISTORY ID_CAP_INTERNET_EXPLORER_DATA_OPTIMIZATION ID_CAP_INTERNET_EXPLORER_FAVORITES ID_CAP_INTERNET_EXPLORER_HKCU_WRITE ID_CAP_INTERNET_EXPLORER_HKLM_SECURITY_SETTINGS ID_CAP_INTERNET_EXPLORER_INTRANET_ZONE_SETTINGS ID_CAP_INTERNET_EXPLORER_REMOTEDEBUGGING ID_CAP_INTERNET_EXPLORER_ROAMING ID_CAP_INTERNET_EXPLORER_SEARCH_PROVIDER_KEYS_HKCU ID_CAP_INTEROPSERVICES ID_CAP_ISV_CAMERA ID_CAP_KEYBOARD ID_CAP_KIDZONE_ADMIN ID_CAP_KIDZONE_CUSTOMIZATION ID_CAP_LANGUAGEUNDERSTANDING ID_CAP_LASS_ADMIN ID_CAP_LASS_REMOTELOCK ID_CAP_LEGACY_VOICEMAIL_HANDLER ID_CAP_LEXICONUPDATE ID_CAP_LIVEID ID_CAP_LIVETOKEN_WNF_EVENTS ID_CAP_LOCATION ID_CAP_LOCATION_ADMIN ID_CAP_LOCATION_BTPOLICY ID_CAP_LOCATION_GNSSDRIVER ID_CAP_MAP ID_CAP_MAP_ADMIN ID_CAP_MAP_WRITE ID_CAP_MEDIALIB ID_CAP_MEDIALIB_AUDIO ID_CAP_MEDIALIB_INT ID_CAP_MEDIALIB_PHOTO ID_CAP_MEDIALIB_PHOTO_FULL ID_CAP_MEDIALIB_PLAYBACK ID_CAP_MEDIALIB_VIDEO ID_CAP_MEDIASERVICE_VOLUMELIMIT_INT ID_CAP_MICMUTEPOLICY_BYPASS ID_CAP_MICROPHONE ID_CAP_MONITOR_NAVIGATION ID_CAP_MOUSE ID_CAP_MO_CLOUDMESSAGING ID_CAP_MSS_BYTESTREAM_RPC ID_CAP_MULTIMEDIA_ENCODER_HARDWARE ID_CAP_MULTIVARIANT ID_CAP_MULTIVARIANT_INSTALL_DATA ID_CAP_NARRATOR_SETTINGS ID_CAP_NATIVE_NETWORK_REPLACEMENT ID_CAP_NAVIGATIONBAR_ADMIN ID_CAP_NETWORKING ID_CAP_NETWORKING_ADMIN ID_CAP_NETWORKING_INTERNET_CLIENT ID_CAP_NETWORKING_INTERNET_CLIENT_SERVER ID_CAP_NETWORKING_PRIVATE_NETWORK_CLIENT_SERVER ID_CAP_NETWORKING_VPN_ADMIN ID_CAP_NETWORKING_VPN_PROVIDER ID_CAP_NETWORKING_VPN_SERVICES ID_CAP_NFC_ADMIN ID_CAP_NOCENTER_SOUNDS ID_CAP_NTSERVICES ID_CAP_NVREAD ID_CAP_NVREADWRITE ID_CAP_O365_DISCOVERY ID_CAP_OEMPUBLICDIRECTORY ID_CAP_OEM_ADC ID_CAP_OEM_CUSTOM ID_CAP_OEM_DEPLOYMENT ID_CAP_OFFICE_LAUNCH_URL ID_CAP_OFFICE_MSDRM_HKCU ID_CAP_ONENOTE_EVENTS ID_CAP_OOBE_PRIVATE ID_CAP_ORIENTATION_LOCK ID_CAP_PEOPLE_EXTENSION ID_CAP_PEOPLE_EXTENSION_IM ID_CAP_PEOPLE_EXTENSION_MOBILE ID_CAP_PERSONA ID_CAP_PERSONAL_INFORMATION_IMPORT ID_CAP_PHONEBROKER_INTERFACE ID_CAP_PHONEDIALER ID_CAP_PHONEPROVISIONER_DEVICEUPDATE ID_CAP_PHONEPROVISIONER_EVENTS ID_CAP_PHONE_2ND_PARTY ID_CAP_PHONE_ADMIN ID_CAP_PHONE_INTERNAL ID_CAP_PHOTOS_SETTINGS_R ID_CAP_PHOTOS_SETTINGS_RW ID_CAP_PICKER_CONTRACT_UI ID_CAP_PLATFORM_EXTENSIBILITY ID_CAP_PLAYREADY ID_CAP_PLAYREADY_ADMIN ID_CAP_PM_1ST_PARTY ID_CAP_PM_BSS ID_CAP_PM_INSTALL ID_CAP_POIDATASTORE ID_CAP_POIDATASTORE_ADMIN ID_CAP_POLICY_MANAGER ID_CAP_POLICY_MANAGER_READONLY ID_CAP_POWERNOTIF_USER ID_CAP_PRESERVED_DATA ID_CAP_PRIV_ABOUTCPL ID_CAP_PRIV_ACCESSIBILITYCPL ID_CAP_PRIV_ACCESSORIESCPL ID_CAP_PRIV_ACCESSORYMGRSVC ID_CAP_PRIV_ACCOUNTPROVSVC ID_CAP_PRIV_ACTIONURIHOST ID_CAP_PRIV_ADVERTISINGIDCPL ID_CAP_PRIV_ALARMS ID_CAP_PRIV_APHCHECK ID_CAP_PRIV_APMUX ID_CAP_PRIV_APPCORNER ID_CAP_PRIV_APPPREINSTALLER ID_CAP_PRIV_APPRESOLVERUI ID_CAP_PRIV_APPSDATAMIGRATOR ID_CAP_PRIV_APPXEXECUTIONSVC ID_CAP_PRIV_AUTHHOST_MSA ID_CAP_PRIV_AUTHHOST_WAB_A ID_CAP_PRIV_AUTHHOST_WAB_B ID_CAP_PRIV_AUTHHOST_WAB_C ID_CAP_PRIV_AUTHHOST_WAB_ENTERPRISE ID_CAP_PRIV_AUTHHOST_WAB_SSO ID_CAP_PRIV_AUTHHOST_WAB_SSO_ENTERPRISE ID_CAP_PRIV_AUTOTIMEUPDATE ID_CAP_PRIV_BATTERYSAVERCPL ID_CAP_PRIV_BLUETOOTHPBAPSVC ID_CAP_PRIV_BMR2MONITORSVC ID_CAP_PRIV_BMR2SCHEDULETRIGGER ID_CAP_PRIV_BMRCPL ID_CAP_PRIV_BMRSCHEDULETRIGGER ID_CAP_PRIV_BRIGHTNESSCPL ID_CAP_PRIV_BSSVC ID_CAP_PRIV_BTAGSERVICE ID_CAP_PRIV_BTCONNMGR ID_CAP_PRIV_BTHAVCTPSVC ID_CAP_PRIV_BTSERV ID_CAP_PRIV_BTUXCPL ID_CAP_PRIV_CALC7 ID_CAP_PRIV_CAPTURESVC ID_CAP_PRIV_CASVCSHARED3 ID_CAP_PRIV_CELLMANAGER ID_CAP_PRIV_CELLULARDATACOLLECTOR ID_CAP_PRIV_CELLUX ID_CAP_PRIV_CERTINSTALLER ID_CAP_PRIV_CFMSVC ID_CAP_PRIV_CGSVC ID_CAP_PRIV_CLOUDSTORAGECPL ID_CAP_PRIV_CMSERVICE ID_CAP_PRIV_COMMANDCHANNEL ID_CAP_PRIV_COMMSAPHOST ID_CAP_PRIV_COMMSAPPLICATIONS ID_CAP_PRIV_COMMSCERTINSTSVC ID_CAP_PRIV_COMMSMESSAGESVC ID_CAP_PRIV_COMMSMMSTRANSPORT ID_CAP_PRIV_CONTACTSTOKENSVC ID_CAP_PRIV_CONTENTSHARESVC ID_CAP_PRIV_CONTENTSHARINGAPP ID_CAP_PRIV_COREUIREGISTRAR ID_CAP_PRIV_DACCERTINSTSVC ID_CAP_PRIV_DATACOLLECTION ID_CAP_PRIV_DATASENSESVC ID_CAP_PRIV_DATASMART ID_CAP_PRIV_DATETIMECPL ID_CAP_PRIV_DCPSVC ID_CAP_PRIV_DEBUGGERMUXNOTIFY ID_CAP_PRIV_DIAGNOSTICSVC ID_CAP_PRIV_DMCFGHOST ID_CAP_PRIV_DMOMACPNETWMO ID_CAP_PRIV_DMOMACPUSERMO ID_CAP_PRIV_DMWAPPUSHSVC ID_CAP_PRIV_DRIVINGMODEMANAGER ID_CAP_PRIV_DRIVINGMODESETTINGS ID_CAP_PRIV_DSSVC ID_CAP_PRIV_DSTOKENCLEAN ID_CAP_PRIV_DUACALLBACK ID_CAP_PRIV_DUACLIENT ID_CAP_PRIV_DUCLEANUPMIGRATOR ID_CAP_PRIV_DUFEATUREDISCOVERY ID_CAP_PRIV_DUMIGRATIONMANAGER ID_CAP_PRIV_DUMIGRATIONPROVISIONERMICROSOFT ID_CAP_PRIV_DUMIGRATIONPROVISIONEROEM ID_CAP_PRIV_DUPOSTUPDATEUX ID_CAP_PRIV_DUSTARTINGMIGRATOR ID_CAP_PRIV_DUSVC ID_CAP_PRIV_ENROLLMENTCLIENT ID_CAP_PRIV_ENTAPPSERVICE ID_CAP_PRIV_ENTERPRISEINSTALL ID_CAP_PRIV_ENTERPRISEMGMSVC ID_CAP_PRIV_ENTERPRISERING ID_CAP_PRIV_ENTERPRISEVALIDATION ID_CAP_PRIV_EXECMANSERVICE ID_CAP_PRIV_FINDMYPHONE ID_CAP_PRIV_FLYOUTDATAMIGRATOR ID_CAP_PRIV_GROVELER ID_CAP_PRIV_GWPCENROLLSVC ID_CAP_PRIV_HFA ID_CAP_PRIV_HOTSPOTHOST ID_CAP_PRIV_HUBTILERESTOREHOST ID_CAP_PRIV_ICSENTITLEMENTHOST ID_CAP_PRIV_ICSSVC ID_CAP_PRIV_INPUTSERVICE ID_CAP_PRIV_INSTALLERWORKER ID_CAP_PRIV_INTERNETEXPLORER ID_CAP_PRIV_IPOVERUSB ID_CAP_PRIV_KEYBOARDCPL ID_CAP_PRIV_KIDZONECONFIGURATION ID_CAP_PRIV_KIDZONECUSTOMIZATION ID_CAP_PRIV_LASSCREDENTIALEXPIRATIONCHECK ID_CAP_PRIV_LAUNCHAPPSVC ID_CAP_PRIV_LEXICONUPDATE ID_CAP_PRIV_LFSVC ID_CAP_PRIV_LIVETOKEN ID_CAP_PRIV_LOCATIONUXCPL ID_CAP_PRIV_LOCKANDWALLPAPER ID_CAP_PRIV_MEDIA ID_CAP_PRIV_MEDIASERVICE ID_CAP_PRIV_MIRRORCPL ID_CAP_PRIV_MOBILEUI ID_CAP_PRIV_MOSHOST ID_CAP_PRIV_MSATICKETSVC ID_CAP_PRIV_MSGIMTRANSPORT ID_CAP_PRIV_MSGSMSTRANSPORT ID_CAP_PRIV_MTP ID_CAP_PRIV_MVPROVISIONHOST ID_CAP_PRIV_MVUX ID_CAP_PRIV_NABSYNC ID_CAP_PRIV_NOCENTERSETTINGSCPL ID_CAP_PRIV_NOTIFICATIONPLATFORMMIGRATOR ID_CAP_PRIV_NOTIFSVC ID_CAP_PRIV_OFFICE ID_CAP_PRIV_OMADMCLIENT_ENTERPRISE ID_CAP_PRIV_OMADMCLIENT_MOBILE_OPERATOR ID_CAP_PRIV_OMADMPRC ID_CAP_PRIV_OOBE ID_CAP_PRIV_ORIENTSRV ID_CAP_PRIV_PACMANSERVICE ID_CAP_PRIV_PHONEAUDIOSRV ID_CAP_PRIV_PHONEPROVISIONER ID_CAP_PRIV_PHONEPROVISIONER_OEM ID_CAP_PRIV_PHONESVCSG ID_CAP_PRIV_PHOTOS ID_CAP_PRIV_PHOTOSSVC ID_CAP_PRIV_PIMIDXMAINT ID_CAP_PRIV_PLACESSVC ID_CAP_PRIV_POSTDUAPPMIGRATOR ID_CAP_PRIV_POWERNOTIF ID_CAP_PRIV_PROXIMITYSVC ID_CAP_PRIV_PROXYSVC ID_CAP_PRIV_REALWORLD-BINGCLIENT ID_CAP_PRIV_REALWORLD-INTERESTEXTRACTION ID_CAP_PRIV_REBOOTDEVICE ID_CAP_PRIV_REGIONCPL ID_CAP_PRIV_REMEMBER ID_CAP_PRIV_RETAILDEMO ID_CAP_PRIV_RETAILDEMOERROR ID_CAP_PRIV_RETAILDEMOGLOB ID_CAP_PRIV_RETAILDEMOUI ID_CAP_PRIV_RILADAPTATION ID_CAP_PRIV_RINGTONESANDSOUNDS ID_CAP_PRIV_ROAMINGCPL ID_CAP_PRIV_ROTATIONLOCKCPL ID_CAP_PRIV_SAPISVR ID_CAP_PRIV_SECMIGRATOR ID_CAP_PRIV_SEMGRSVC ID_CAP_PRIV_SETTINGS ID_CAP_PRIV_SHELLDATAMIGRATOR ID_CAP_PRIV_SIREPSVC ID_CAP_PRIV_SOFTAPUX ID_CAP_PRIV_SPEECHCPL ID_CAP_PRIV_SPEECHUPDATE ID_CAP_PRIV_START ID_CAP_PRIV_STORAGESENSE ID_CAP_PRIV_STORAGESVC ID_CAP_PRIV_STOREDATAMIGRATOR ID_CAP_PRIV_TASKSCHEDULERSVC ID_CAP_PRIV_TELCPL ID_CAP_PRIV_TELREPSVC ID_CAP_PRIV_THEMECPL ID_CAP_PRIV_TILEMIGRATOR ID_CAP_PRIV_TIMEBROKER ID_CAP_PRIV_UPDATEMGRSVC ID_CAP_PRIV_USBCPL ID_CAP_PRIV_USERDATASERVICE ID_CAP_PRIV_USSREPORTING ID_CAP_PRIV_UTKSERVICE ID_CAP_PRIV_UTKUX ID_CAP_PRIV_VPNUX ID_CAP_PRIV_WALLET ID_CAP_PRIV_WALLETSVC ID_CAP_PRIV_WEHCSPHELPER ID_CAP_PRIV_WEHSTART ID_CAP_PRIV_WIFICONNSVC ID_CAP_PRIV_WIFICPASSIST ID_CAP_PRIV_WIFICPBROWSERUX ID_CAP_PRIV_WIFIUDPTEST ID_CAP_PRIV_WIFIUXBLUE ID_CAP_PRIV_WLID2MSA ID_CAP_PRIV_WPABSVC ID_CAP_PRIV_WPNARRATOR ID_CAP_PRIV_WPNCERTINSTSVC ID_CAP_PRIV_WPTOOLS ID_CAP_PRIV_WPTPMVSCMGRSVC ID_CAP_PRIV_WPUITESTTOOLS ID_CAP_PRIV_ZMEDIAQUEUESVC ID_CAP_PRIV_ZMF ID_CAP_PRIV_ZMF_SERVICE ID_CAP_PROVISIONING_PACKAGE_API_ADMIN ID_CAP_PROVISIONWPCERTIFICATE ID_CAP_PROXIMITY ID_CAP_PUBLIC_FOLDER_FULL ID_CAP_PUBLISH_ALARM_STATE ID_CAP_PUBLISH_OOBE_STATE ID_CAP_PUSHROUTER ID_CAP_PUSH_NOTIFICATION ID_CAP_PUSH_SERVER ID_CAP_QUICK_SETTINGS ID_CAP_READGWPCERTIFICATE ID_CAP_REBOOT_FLASHING_MODE ID_CAP_REMEMBER_ADMIN ID_CAP_REMEMBER_API ID_CAP_REMOVABLE_STORAGE ID_CAP_RESET_PHONE ID_CAP_RESOURCE_MANAGER ID_CAP_RETAILDEMO_BACKGROUNDIMAGE ID_CAP_RETAILDEMO_CLIENT ID_CAP_RETAILDEMO_GLOB_REGISTRY ID_CAP_RETAILDEMO_OFFLINECONTENT ID_CAP_RINGTONE_ADD ID_CAP_ROAMING_CONFIGURATION ID_CAP_ROTATION_MANAGER ID_CAP_RUNTIME_CONFIG ID_CAP_SCREENCAPTURE ID_CAP_SCREEN_RECORDER ID_CAP_SCREEN_RECORDER_BKG ID_CAP_SEARCHMAPS_SHAREDCONFIG ID_CAP_SEND_TO_ONENOTE ID_CAP_SENSORS ID_CAP_SETDEVICENAME ID_CAP_SETTINGSYNC ID_CAP_SETTINGSYNC_CONFIGURATION ID_CAP_SETTINGS_MANAGEMENT_PROVIDER ID_CAP_SHARED_OBJECT_DIRECTORY ID_CAP_SHARED_USER_CERTIFICATES ID_CAP_SHARE_DELEGATE ID_CAP_SHELL_DEVICE_LOCK_UI_API ID_CAP_SHELL_EXPERIENCE_COMPOSER ID_CAP_SHELL_LAUNCH_SESSION ID_CAP_SHELL_NAVIGATION ID_CAP_SHELL_NOTIFICATION_CLIENT ID_CAP_SHELL_NOTIFICATION_SETTINGS_DB ID_CAP_SHELL_OEM_ADMIN ID_CAP_SHELL_RESET_NAVIGATION ID_CAP_SHELL_TEST_CLIENT ID_CAP_SHOW_VOLUME_CONTROL ID_CAP_SMS ID_CAP_SMS_COMPANION ID_CAP_SMS_INTERCEPT_AGENT ID_CAP_SMS_INTERCEPT_RECIPIENT ID_CAP_SOUND_CONTROL ID_CAP_SPEECH_GRAMMARS ID_CAP_SPEECH_RECOGNITION ID_CAP_SPEECH_RECOGNITION_SYSTEM ID_CAP_SPEECH_SETTINGS ID_CAP_SPEECH_UPDATE ID_CAP_SPLASH_CONFIG ID_CAP_STARTMENU_CONFIG ID_CAP_STARTMENU_WEBLINK_ICONS ID_CAP_STORAGE_MANAGEMENT ID_CAP_SUPPRESS_MSA_CONNECT_ARD ID_CAP_SYNC_EXTENSION ID_CAP_SYSTEMTRAY_ADMIN ID_CAP_SYSTEM_ALLOC_WINDOWID ID_CAP_SYSTEM_COMPOSITOR ID_CAP_SYSTEM_COUNTERS ID_CAP_SYSTEM_REGISTRAR ID_CAP_SYSTEM_WAITCURSOR ID_CAP_TELEMETRY_ADMIN ID_CAP_TELEMETRY_CONFIGURE ID_CAP_TELEMETRY_STUDY ID_CAP_TEST_NAVIGATION ID_CAP_TILERESTOREDATA ID_CAP_TOUCH ID_CAP_TOUCH_TEST ID_CAP_TPM_VSCMANAGER ID_CAP_TS_SCHEDULES_ALL ID_CAP_USB ID_CAP_USER_ACTIVITY ID_CAP_USER_DATA_ACCOUNT_SETUP ID_CAP_VIDEOSINK_INTERNAL ID_CAP_VOICEMAIL ID_CAP_VOIP ID_CAP_VOIP_CALL_CONTROLLER ID_CAP_VSTEST_INSTALL_FOLDER ID_CAP_W32TIME_API ID_CAP_WAB_RESOURCES ID_CAP_WALLET ID_CAP_WALLET_ADMIN ID_CAP_WALLET_DEALS ID_CAP_WALLET_PAYMENTINSTRUMENTS ID_CAP_WALLET_SECUREELEMENT ID_CAP_WALLPAPER_ADMIN ID_CAP_WBOEXT ID_CAP_WEBBROWSERCOMPONENT ID_CAP_WEB_CREDENTIALS ID_CAP_WIFI_ADMIN ID_CAP_WIFI_BASIC ID_CAP_WIFI_BROWSER ID_CAP_WIFI_HOTSPOT_HOST ID_CAP_WIFI_PROFILE_ADMIN ID_CAP_WIFI_TILE_MANAGER ID_CAP_WINDOW_MANAGEMENT_SYSTEM ID_CAP_WPN_PLATFORM ID_CAP_WPN_PLATFORM_REG_KEY ID_CAP_WPTOOLS_INSTALL_FOLDER ID_CAP_ZMFSERVICES ID_CAP_ZTRACE accessoryManager activateAsUser activity activityData activitySystem allAppMods allJoyn allowElevation appBroadcast appBroadcastServices appBroadcastSettings appCaptureServices appCaptureSettings appDiagnostics applicationDefaults applicationDefaultsUserChoice applicationViewActivation appLicensing appManagementSystem appointments appointmentsSystem audioDeviceConfiguration automatedAppLaunch backgroundMediaPlayback backgroundMediaRecording backgroundSpatialPerception backgroundVoIP biometricSystem blockedChatMessages bluetooth bluetooth.genericAttributeProfile bluetooth.rfcomm bluetoothAdapter bluetoothDeviceSettings bluetoothDiagnostics bluetoothSync bootstrapNetworkConnection broadFileSystemAccess browserAppList browserCredentials cameraProcessingExtension capabilityAccessConsentDeviceSettings cellularData cellularDeviceControl cellularDeviceIdentity cellularMessaging chat chatSystem childWebContent chromeInstallFiles cloudExperienceHost cloudStore codeGeneration componentUiInWebContent comPort confirmAppClose constrainedImpersonation contacts contactsSystem contentDeliveryManagerSettings contentRestrictions coreShell cortanaPermissions cortanaSettings cortanaSpeechAccessory cortanaSurface curatedTileCollections customInstallActions dateAndTimeDeviceSettings dependencyTarget delegatedTokenRequests developerSettings developmentModeNetwork deviceEncryptionManagement deviceIdentityManagement deviceLockManagement deviceManagementAdministrator deviceManagementDeclaredConfiguration deviceManagementDeviceLockPolicies deviceManagementDmAccount deviceManagementEmailAccount deviceManagementFoundation deviceManagementRegistration deviceManagementWapSecurityPolicies devicePortalProvider deviceProvisioningAdministrator deviceUnlock diagnostics displayDeviceSettings documentsLibrary downloadsFolder dualSimTiles email emailSystem enterpriseAuthentication enterpriseCloudSSO enterpriseDataPolicy enterpriseDeviceLockdown eraApplication exclusiveResource expandedResources extendedBackgroundTaskTime extendedExecutionBackgroundAudio extendedExecutionCritical extendedExecutionUnconstrained featureStagingInfo feedbackLogCollection firstSignInSettings flashPlayerSupport fullFileSystemAccess gameBarServices gameConfigStoreManagement gameList gameMonitor gamingContainerResources gazeInput globalMediaControl graphicsCapture graphicsCaptureProgrammatic graphicsCaptureWithoutBorder hardwareManagerMocks hevcPlayback hfxSystem hidTelephony holographicCompositor holographicCompositorSystem humanInterfaceDevice humanPresence imeSystem indexedContent inProcessMediaExtension inputForegroundObservation inputInjection inputInjectionBrokered inputObservation inputOverride inputSettings inputSuppression internetClient internetClientServer interopServices isolatedWin32-accessToPublisherDirectory isolatedWin32-dotNetBreadcrumbStore isolatedWin32-print isolatedWin32-profilesRootMinimal isolatedWin32-promptForAccess isolatedWin32-shellExtensionContextMenu isolatedWin32-sysTrayIcon isolatedWin32-userProfileMinimal isolatedWin32-volumeRootMinimal keyboardDeviceSettings kinectAudio kinectExpressions kinectFace kinectGamechat kinectRequired kinectVideo kinectVision languageAndRegionDeviceSettings languageSettings learningModeLogging liveIdService localExperienceCumulativeInternal localExperienceInternal localSystemServices location locationHistory locationSystem lockScreenCreatives lowLevel lowLevelDevices lpacAppExperience lpacChromeInstallFiles lpacChromeNetworkSandbox lpacClipboard lpacCom lpacCryptoServices lpacDeviceAccess lpacEdgeWdagComms lpacEnterprisePolicyChangeNotifications lpacIdentityServices lpacIME lpacInstrumentation lpacMedia lpacMediaFoundationCdmData lpacPackageManagerOperation lpacPayments lpacPnPNotifications lpacPrinting lpacServicesManagement lpacSessionManagement lpacWebPlatform mediaFoundationCdmFiles microphone Microsoft.appCategory.chatAgent_8wekyb3d8bbwe Microsoft.cellularSARConfiguration_8wekyb3d8bbwe Microsoft.classicAppCompat_8wekyb3d8bbwe Microsoft.classicAppCompatElevated_8wekyb3d8bbwe Microsoft.classicAppInstaller_8wekyb3d8bbwe Microsoft.componentUiInWebContentGeneral_8wekyb3d8bbwe Microsoft.coreAppActivation_8wekyb3d8bbwe Microsoft.delegatedWebFeatures_8wekyb3d8bbwe Microsoft.deployFullTrustOnHost_8wekyb3d8bbwe microsoft.eSIMManagement_8wekyb3d8bbwe Microsoft.firmwareRead_cw5n1h2txyewy Microsoft.firmwareWrite_cw5n1h2txyewy Microsoft.mixedRealityExperience_8wekyb3d8bbwe Microsoft.nonUserConfigurableStartupTasks_8wekyb3d8bbwe Microsoft.notSupportedInCoreV1_8wekyb3d8bbwe Microsoft.onDemandHotspotControl_8wekyb3d8bbwe microsoft.penFreControl_8wekyb3d8bbwe Microsoft.requiresNonSMode_8wekyb3d8bbwe microsoft.secondaryAuthenticationFactorForLogon_8wekyb3d8bbwe Microsoft.unsignedPackageManagement_8wekyb3d8bbwe Microsoft.windowsInkInputPreferences_8wekyb3d8bbwe microsoftEdgeRemoteDebugging mixedRealityEnvironmentInternal mmsTransportSystem modifiableApp msaExtension multiplaneOverlay muma musicLibrary networkConnectionManagerProvisioning networkDataPlanProvisioning networkDataUsageManagement networkDeviceAdminSettings networkDeviceSettings networkDiagnostics networkingVpnProvider nfcSystem notificationsDeviceSettings objects3D oemDeployment oemPublicDirectory offlineMapsManagement oneProcessVoIP optical pacJsWorker packageContents packageManagement packagePolicySystem packageQuery packageWriteRedirectionCompatibilityShim packagedServices perceptionMonitoring perceptionSensorsExperimental perceptionSystem permissiveLearningMode personalizationDeviceSettings phoneCall phoneCallHistory phoneCallHistoryPublic phoneCallHistorySystem phoneCallSystem phoneLineTransportManagement picturesLibrary pointOfService polarisService policyManager powerDeviceSettings preemptiveCamera previewHfx previewInkWorkspace previewPenWorkspace previewStore previewUiComposition privateNetworkClientServer projectionDeviceSettings protectedApp proximity radios recordedCallsFolder regionSettings registryRead relatedPackages remoteAutomationHost remoteFileAccess remotePassportAuthentication remoteSystem removableStorage resetPhone runFullTrust screenDuplication searchSettings secondaryAuthenticationFactor secureAssessment Security-System-Capability-dateAndTimeDeviceSettings sensors.custom serialCommunication sessionImpersonation settingSyncConfiguration sharedMachineKeysCapability sharedUserCertificates shellDisplayManagement shellexperience shellExperience shellExperienceComposer slapiQueryLicenseValue smbios sms smsSend smsSystem smsTransportSystem spatialPerception startScreenManagement storeAppInstall storeAppInstallation storeConfiguration storeLicenseManagement storeOptionalPackageInstallManagement systemAllocWindowID systemDialog systemDialogEmergency systemManagement systemRegistrar targetedContent targetedContentSubscription teamEditionDeviceCredential teamEditionExperience teamEditionView telemetryData terminalPowerManagement thumbnailCache timezone uiAccess uiAutomationCrossMachineHostingSystem uiAutomationSystem unvirtualizedResources unzipFile updateAndSecurityDeviceSettings usb userAccountInformation userDataAccountSetup userDataAccountsProvider userDataSystem userDataTasks userDataTasksSystem userManagementSystem userNotificationListener userOnboardingState userPrincipalName userSigninSupport userSystemId userWebAccounts videosLibrary visualElementsSystem visualVoiceMail vmWorkerProcess voipCall walletSystem webcam webPlatformMediaExtension wiFiControl wifiData wiFiDirect windowInfo windowManagement windowManagementSystem windowsHelloCredentialAccess windowsPerformanceCounters xboxAccessoryManagement xboxBroadcaster xboxGameSpeechWindow xboxLiveAuthenticationProvider xboxSystemApplicationClipQuery xboxTrackingStream ================================================ FILE: SystemInformer/resources/etwguids.txt ================================================ [{"guid":"{7708f1bf-4c89-56d2-4ee5-9e18af837488}","name":"Microsoft.Windows.TextInput.InputPersonalizationTraceLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{62a96bde-f419-50a7-23f4-b9ba78881a06}","name":"Microsoft.Windows.TextInput.MathInputControl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aa63597d-db0e-53d9-a7d4-e74d1f7773e2}","name":"Microsoft.Windows.TextInput.MathInputPanel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{03b97ec5-9c5a-5ccd-0882-c3f87cd51384}","name":"Microsoft.Windows.Handwriting","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{40e698dd-15d2-5653-ed34-a597f09fac89}","name":"Microsoft.Windows.Shell.LanguageModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{68396f5f-e685-5c1b-3181-a17cf8d96fa6}","name":"Microsoft.Windows.Desktop.TextInput.TouchKeyboard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b76620c0-b616-59bf-39fe-4d9638fd184b}","name":"Microsoft.Windows.Desktop.TextInput.TextInputCanvasUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{864c5689-9310-594c-5cef-000695f5ace8}","name":"Microsoft.Windows.TextInput.LinguisticData","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dcef5411-1f98-5ee7-238b-5abd0e078e97}","name":"Microsoft.Windows.Wil.FeatureLogging","group":""},{"guid":"{1cee38b7-233d-443d-b5c2-1d9b3674acc1}","name":"Microsoft.Windows.Desktop.TextInput.TextInputCanvas","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2e9264c6-401d-5780-853d-cc4311f28aae}","name":"Microsoft.Windows.TextInput.InkLinguisticData","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{87812a22-2691-5a06-ff07-cb6d09f9004d}","name":"Microsoft.Windows.Desktop.TextInput.HandwritingSkin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ebadf775-48aa-4bf3-8f8e-ec68d113c98e}","name":"TextInput","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b896120-2811-50f6-c240-3594f81ff90a}","name":"Microsoft.Windows.Msinfo32","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eb7ec0f6-7f9f-4c64-bc1a-68b6c934dec5}","name":"Microsoft.Windows.AddressBook","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f50731a-89cf-4782-b3e0-dce8c90476ba}","name":"Microsoft.CRTProvider","group":""},{"guid":"{0bca4784-8257-51a0-d9ec-24fe1fe4c90d}","name":"Microsoft.Windows.App.Browser","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d1b249d-131b-468a-899b-fb0ad9551772}","name":"TelemetryAssert","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0b47cf8-e776-4ea7-9ec0-93a85b9a7a2b}","name":"TelemetryAssertDiagTrack","group":""},{"guid":"{7af898d7-7e0e-518d-5f96-b1e79239484c}","name":"Microsoft.Windows.Defender","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{39bd9805-3945-4878-aecc-096a23369f68}","name":"Microsoft.Windows.SmartScreen","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{65a1b6fc-4c24-59c9-e3f3-ad11ac510b41}","name":"Microsoft.Windows.Sense.Client","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{1dc742c2-0e76-5490-e1b5-8ddb4982ff77}","name":"Microsoft.Windows.Sense.SensorHub","group":"c5a3a379-e5b9-43da-9175-509abfce2cc7"},{"guid":"{c60418cc-7e07-400f-ae3b-d521c5dbd96f}","name":"Microsoft.Windows.Sense.GeneratedETW","group":"d0b1a44b-5ab3-4ff2-bb52-c2bb980ef8f3"},{"guid":"{cb2ff72d-d4e4-585d-33f9-f3a395c40be7}","name":"Microsoft.Windows.Sense.CyberEvents","group":"541dae91-cc3c-5807-b064-c2561c16d7e8"},{"guid":"{b3861234-4273-58c5-545b-8b3611343471}","name":"Microsoft.Windows.Sense.CyberEvents","group":""},{"guid":"{450bba94-53ce-54e6-d150-9636aceafb86}","name":"Microsoft.Windows.Sense.SenseIR","group":""},{"guid":"{bf4c9654-66d1-5720-7b51-d2ae226735ea}","name":"Microsoft.Windows.ErrorHandling.Fallback","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f68c769c-cc20-502e-aee3-115c2eda66f7}","name":"Microsoft.Windows.Sense.CollectionEtw","group":"d0b1a44b-5ab3-4ff2-bb52-c2bb980ef8f3"},{"guid":"{6c9fdb6b-76f8-49db-a55b-c6cf12878bc5}","name":"Microsoft.Windows.AddressBook","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c1b40cda-b118-4f7f-965c-9b0e3bd72b3a}","name":"Microsoft.Windows.Cast.Dlna","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{babcd444-98ea-4279-b6f9-5fa01ac7e009}","name":"Microsoft.Windows.WordPad","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4e552c41-40cd-4877-9b60-f243f9a855ab}","name":"Microsoft.AAD.BrowserCore.Provider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b6e66cc9-07ab-535f-034f-92ae45d13f3f}","name":"Microsoft.Windows.WinOCR.TiffFilter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ad05f58e-fc71-40be-9f09-f258111ba160}","name":"DISMCLI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{92cf4545-bb71-4511-a96f-53657f8fb8d9}","name":"DismWimProviderDll","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{78267204-1ef8-4199-8e25-3b42000c4b23}","name":"Microsoft-Windows-FileSystem-WOF","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4e1bb61e-4170-4220-bb86-fb7bbd3c204b}","name":"Microsoft.EdgeUpdate","group":""},{"guid":"{55242983-b884-47e1-a16a-226ba19bf55b}","name":"SkypeMediaVideoTraceProvider","group":""},{"guid":"{c9ba2a84-d3ca-5e19-2bd6-776a0910cb9d}","name":"Microsoft.Windows.Console.VirtualTerminal.Parser","group":""},{"guid":"{cc0d0409-850f-57b1-83fe-8deb4e1fb60a}","name":"XPerfAddIn.PerfNT","group":""},{"guid":"{a5b9c423-4c21-45c8-8de3-1a59f60d107a}","name":"Microsoft.Windows.DebuggingTools.Imagehlp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f2e3b31b-57b4-5003-4059-470d58646da4}","name":"Microsoft.Windows.DebuggingTools.DebuggerEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{18608e62-a628-49d9-8c02-55972e097d24}","name":"Microsoft.Windows.Compatibility.Asl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{836d9d37-46c1-41be-a956-09b88f964468}","name":"Microsoft.Windows.Inventory.Core","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fe0ab4b4-19b6-485b-89bb-60fd931fdd56}","name":"Microsoft.Windows.AppxPackaging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{51da93e5-a669-4ac5-bd75-78c1e1541671}","name":"Microsoft.Windows.AppxPackaging.PerfLogger","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{950d4eda-1729-47cc-8f1e-d9ed5aa17642}","name":"Windows.Ui.Xaml","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{72d164bf-fd64-4b2b-87a0-62dbcec9ae2a}","name":"AccEventTool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{72d164bf-fd64-4b2b-87a0-62dbcec9ae2a}","name":"InspectTool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9401b890-ed5c-493d-8efd-3f135d7dd797}","name":"Microsoft.Xbox.ConnectedStorage.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5ba5444a-228a-58bb-b6e2-c78adf23828c}","name":"Microsoft.Windows.SshClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{219bc9ac-db43-505d-4dff-507d357163a1}","name":"Microsoft.Windows.Ssh","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f9bc6c5d-4b98-43b5-90a1-1d0c8f45bf5a}","name":"XamlDiagnosticsProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{059a2460-1077-115e-bdeb-5221de48b9e4}","name":"Microsoft.Windows.DriverStore.DriverPackage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bb10f74f-9f91-4a2a-a811-bdd9afcbfa4a}","name":"Microsoft.Windows.DebuggingTools.PlmDebug","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e02b8f11-ae89-4f4c-9217-f9e8c3de2a07}","name":"Microsoft.Windows.DebuggingTools.JsProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ab187b2-799c-4755-a18d-e3b8f8004fbd}","name":"Microsoft.Windows.TestExecution.EtwProcessor","group":""},{"guid":"{70d27130-f2f3-4365-b790-d31223254ef4}","name":"Microsoft.OSGENG.Testing.TaefEngine","group":""},{"guid":"{a920691d-5131-4f34-96bb-1bc9ef264d92}","name":"Microsoft.Windows.TestExecution.WexCommon","group":""},{"guid":"{9464ac97-5473-4241-91ff-3862c43ebe02}","name":"Microsoft.Windows.TestExecution.WexCommunication","group":""},{"guid":"{40c4df8b-00a9-5159-62bc-9bbc5ee78a29}","name":"Microsoft.Windows.TestExecution.WexLogger","group":""},{"guid":"{d0d4f082-7b52-5786-e87b-4bd77db6fff4}","name":"Microsoft.Windows.Kits.DeviceFundamentals","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{703fcc13-b66f-5868-ddd9-e2db7f381ffb}","name":"Microsoft.Windows.TlgAggregateInternal","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{af2ae1c8-cf6d-4268-8159-fcce3c2e67db}","name":"TelemetryAssertDiagTrack","group":""},{"guid":"{23b76a75-ce4f-56ef-f903-c3a2d6ae3f6b}","name":"Microsoft.Windows.Kernel.BootEnvironment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ddd9464f-84f5-4536-9f80-03e9d3254e5b}","name":"MicrosoftWindowsCodeIntegrityTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2e1eb30a-c39f-453f-b25f-74e14862f946}","name":"MicrosoftWindowsCodeIntegrityAuditTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f943a83b-cbf3-5eb0-8059-b327ffdf70a5}","name":"Microsoft.Windows.Analog.NUI.SpeechMicDiagnostic","group":""},{"guid":"{df8dab3f-b1c9-58d3-2ea1-4c08592bb71b}","name":"Microsoft.Windows.Shell.Taskbar","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0e6f34b3-0637-55ab-f0bb-8b8fa83eda04}","name":"Microsoft-Windows-Shell-CortanaProactive","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5f1e1b94-a9fe-57d8-abe7-d29a6df9e967}","name":"Microsoft.Windows.Shell.Explorer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2c00a440-76de-4fe3-856f-00557535be83}","name":"Microsoft.Windows.Shell.ControlCenter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{69693006-d82b-5b8f-4cab-490d3ff14106}","name":"Microsoft.Windows.Shell.Desktop.SoftLandingAnaheimPromotion","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9954158f-eaa7-5afe-b990-df3cce23483a}","name":"Microsoft.Windows.Desktop.Shell.SoftLanding","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{653fe5bd-e1d2-5d40-d93c-a551a97cd49a}","name":"Microsoft.Windows.Desktop.Shell.NotificationArea","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{82a0f3c6-c4dc-54fb-f358-354c5026dc61}","name":"Microsoft.Windows.Shell.StateCapture","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4bfe0fde-99d6-5630-8a47-da7bfaefd876}","name":"Microsoft.Windows.Shell.NotificationCenter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7ca6a4dd-dae5-5fb7-ec8e-4a6c648fadf9}","name":"Microsoft.Windows.ShellPlacements","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3d6120a6-0986-51c4-213a-e2975903051d}","name":"Microsoft-Windows-Shell-Launcher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{273c19b2-6643-5a58-6288-c336d3688b8d}","name":"Microsoft.Windows.ShellExperienceDispatcher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ee97cdc4-b095-5c70-6e37-a541eb74c2b5}","name":"Microsoft.Windows.AppLifeCycle.UI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{34d3fca3-41f2-4498-b7a0-58708572b583}","name":"Microsoft.Windows.Shell.TileBadgeProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{753436f5-735d-41fa-b4b7-d68579ac5582}","name":"Microsoft.Windows.Licensing.IUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a51097ad-c000-5ea3-bbd4-863addaedd23}","name":"Microsoft.Windows.Desktop.Shell.ImmersiveIcons","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5afb7971-45e5-4d49-aaeb-1b04d39872cf}","name":"Microsoft.Windows.MobilityExperience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8cba0f81-8ad7-5395-2125-5703822c822a}","name":"Microsoft.Windows.ContentDeliveryManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{397b9505-a6ba-5951-46ee-84b08fb14812}","name":"Microsoft.Windows.Desktop.Shell.OOBEHealth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{04d28e21-00aa-5228-cfd0-d70863aa5ce9}","name":"Microsoft.Windows.Shell.Desktop.LogonFramework","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8e12dcd2-fe15-5af4-2a6a-e707d9dc7de5}","name":"MicrosoftWindowsFileExplorer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2de4263a-8b3d-5824-1c83-6182d50c5356}","name":"Microsoft.Windows.Shell.Desktop.LogonAnaheimPromotion","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f168d2fa-5642-58bb-361e-127980c64a1b}","name":"Microsoft.Windows.Shell.OpenWith","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{58b09b7d-fd44-5a27-101d-5d2472a7bb42}","name":"Microsoft.Windows.Shell.PrivacyConsentLogging","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{ffe467f7-4f51-4061-82be-c2ed8946a961}","name":"Microsoft.Windows.Shell.CoCreateInstanceAsSystem","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a0e768af-d257-40cd-be2b-d019ea50c1bd}","name":"Microsoft.Windows.Help","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b7afa6af-aaab-4f50-b7dc-b61d4ddbe34f}","name":"Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ef00584a-2655-462c-bc24-e7de630e7fbf}","name":"Microsoft.Windows.AppLifeCycle","group":""},{"guid":"{7940d73d-d0fc-5959-d4fe-255caf4c8a64}","name":"Microsoft.Windows.Shell.RadialControllerMenu","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{271aebf7-e83b-580f-7525-5e9563fe161a}","name":"Microsoft.Windows.AppMan.AppV","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e29eb67a-714d-4d58-a598-46dee87e620b}","name":"Microsoft.Notepad","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b0f40491-9ea6-5fd5-ccb1-0ec63be8b674}","name":"Microsoft.Windows.Shell.PrintDialog","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{464163b4-a2f3-5bc9-cf0f-fc55f1cb3f0b}","name":"WindowsInternal.ComposableShell.Experiences.TaskFlow.Timeline","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{65ca0ac0-98af-4642-bd0e-c22cce6d5a0c}","name":"Microsoft.Windows.ComposableShell.Experiences.DragDrop","group":""},{"guid":"{c7a697f6-69bc-5777-297f-1c77b8189f1c}","name":"Microsoft.Windows.Shell.Switcher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2791965a-1f38-4bb1-8530-46e655b0faa2}","name":"Microsoft.Windows.ShellExperienceHost.BatteryFlyoutTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{05dc16d6-5fe6-4b7f-8864-2b300d7f207a}","name":"Microsoft.Windows.ShellExperienceHost.BatteryFlyout","group":""},{"guid":"{cbc427d6-f93e-5bcf-3137-d22fe2305d1f}","name":"Microsoft.Windows.Shell.ClockCalendar","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9f30c07c-57ce-5ec3-bb5e-476dd25c2742}","name":"Microsoft-Windows-DevicesFlowUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dae4b0d4-cc23-508b-f041-48e5097a0907}","name":"Microsoft.Windows.Shell.InputDialTrace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{75aac4ae-65a6-5166-57c7-6fc29eb7753b}","name":"Microsoft.Windows.Shell.Insights","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f6148764-178d-4a19-b984-14b90f352c9c}","name":"Microsoft.Windows.Shell.JumpView","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9493aaa3-34b7-5b53-daf1-cb9b80c7e772}","name":"Microsoft.Windows.Shell.DesktopUvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d9370a15-0e6a-4dcb-a475-35340cc49bf3}","name":"MicrosoftWindowsNetworkFlyout","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{90bbbabb-255b-4fe3-a06f-685a15e93a4c}","name":"NetworkUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0adaf93d-4c15-502d-449a-9445aae0d781}","name":"Microsoft.Windows.PlatformExtensions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{85d89d49-96bc-4d5f-a3e6-3a363687a137}","name":"Microsoft.Windows.Shell.PenWorkspaceTrace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6ba71ae-668c-5a9b-94f5-b2026280198a}","name":"Microsoft.Windows.Shell.PenWorkspace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{723d94e4-de55-46d4-bf9a-9d0e98d95775}","name":"Microsoft.Windows.Shell.PenWorkspaceMoveBelowLock","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b4c55a0d-b40e-4dc4-b2b7-51184e19a8e2}","name":"Microsoft.Windows.Shell.PenWorkspaceError","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{22e1bc8f-7da8-54ff-598a-379d6400c0c8}","name":"Microsoft.Windows.Shell.PenWorkspaceSession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e31e40d6-25c0-5ca4-d1c7-6a1037cda4f6}","name":"Microsoft.Windows.Shell.People","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{569cf830-214c-5629-79a8-4e9b58ea24bc}","name":"Microsoft.Windows.Shell.ShareUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6ba71ae-658c-5a9b-94f5-b2026290198a}","name":"Microsoft.Windows.Desktop.Shell.QuickActions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{10522462-4b7c-5a67-3863-c71dfc264c83}","name":"Microsoft.Apps.QuickConnect.Relationships","group":""},{"guid":"{93efa482-84a2-5a52-520c-3adcf4aa635d}","name":"Microsoft.Windows.Apps.People.ContactCardData","group":""},{"guid":"{1b5e76ec-566e-5d08-9dfc-5ac8602bb1b7}","name":"Microsoft.Windows.Shell.QuickConnect","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a9848367-c9fe-5b01-861e-94d350d016c8}","name":"Microsoft.Windows.Shell.ScreenClipping","group":""},{"guid":"{c8416d9b-12d3-41f8-9a4c-c8d7033f4d30}","name":"Microsoft-Windows-Shell-Launcher-Curation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{baa05370-7451-48d2-8f38-778380946ce9}","name":"Microsoft.Windows.SharedStartModel.NotificationQueueManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4690f625-1ceb-402e-acef-db8f00f3a446}","name":"Microsoft.Windows.Shell.TileControl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ce410840-f2d5-57f0-0e4b-cb833a32be88}","name":"Microsoft.Windows.Shell.VirtualTouchpad","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45b1da9d-13a2-5b76-0bc9-9b4b784afe6a}","name":"Microsoft.People.PeoplePicker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{80da39c2-20e0-558e-d91d-985405faaf42}","name":"Microsoft.Windows.Apps.Models.ContactList","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec1d179a-2636-59d2-c915-370b8a31143a}","name":"Microsoft.People.Relevance","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9eba02af-a8ad-508e-2a59-525c55d2f975}","name":"Microsoft.People.Relevance.QueryClient","group":""},{"guid":"{e27b8548-e13c-4821-bea4-bf1268e14448}","name":"Microsoft.Windows.Compression.DeltaPackageExpander","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{53cb6537-bec2-5efe-054f-12441f10155d}","name":"Mitigation360Telemetry","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{6a5ccfd4-cf02-5640-0b5f-d2e031258f16}","name":"Microsoft.Windows.UpdateReserveManager","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{057597df-6fd8-438b-bf6d-190cbf0a914c}","name":"Microsoft.Windows.Storage.StorageReserve","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4aeee6ec-cefe-4c43-b460-909bd707260c}","name":"Update360Telemetry","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{f41b08b4-f479-55ce-1ebc-ee7a3bb757c4}","name":"Microsoft.Windows.CbsLite","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{696ac247-4e85-42e8-b0d2-fec2475c76ad}","name":"AdvancedInstallerPlatform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{146273bc-a4bd-4565-ab02-63eb97a7eb20}","name":"Microsoft.AAD.AuthHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{74d91ec4-4680-40d2-a213-45e2d2b95f50}","name":"Microsoft.AAD.CloudAp.Provider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{724a3824-7387-449a-825e-b135f2ca4c57}","name":"Microsoft.Windows.Shell.AADJCSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bfed9100-35d7-45d4-bfea-6c1d341d4c6b}","name":"Microsoft.AAD.TokenBrokerPlugin.Provider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b1ae42d-b4f2-414d-9c97-913f19049964}","name":"Microsoft.AAD.WamExtension","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5487f421-e4de-41d4-bff3-72a4d6584898}","name":"Microsoft.Windows.Shell.SystemSettings.SettingHandlersSystem","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1915117c-a61c-54d4-6548-56cac6dbfede}","name":"Microsoft.Windows.Shell.AboveLockActivationManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e58f5f9c-3abb-5fc1-5ae5-dbe956bdbd33}","name":"Microsoft.Windows.Shell.AboveLockShellComponent","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{65bd0639-95d9-4bc3-812a-0465a91bcb67}","name":"Microsoft.Windows.Shell.EaseOfAccess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{79c43bcd-08ea-5914-1e38-9e3008863a0c}","name":"Microsoft.Windows.Settings.Accessibility","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fcc174d3-8890-434a-812d-bded72ede356}","name":"Microsoft.Windows.Unistack.FailureTrigger","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7ac5eb71-3c51-5089-1b4e-87a46bd6b4df}","name":"Microsoft.Windows.OneSync.DiagWarning","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{37ec0f35-026e-5e7e-d3d4-80f32547bfff}","name":"Microsoft.Windows.OneSync.DiagError","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b738411f-062a-505a-9ab3-df11c892082c}","name":"Microsoft.Windows.OneSync.DiagCritical","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3c74c337-f6a0-575c-d1d9-549cdb2a64c5}","name":"Microsoft.Windows.OneSync.AccountsRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8d687d51-6bc8-4896-9628-5ca67550697e}","name":"Microsoft.Windows.AppCompat.ASGShim","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eb65a492-86c0-406a-bace-9912d595bd69}","name":"Microsoft.Windows.BackgroundManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ac01ece8-0b79-5cdb-9615-1b6a4c5fc871}","name":"Microsoft.Windows.Application.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f5647876-050d-4cf0-ba2f-c498b41c152a}","name":"Microsoft.Windows.AppCompat.CompatTab","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3e136d0e-beca-59e4-2ccc-010f2426947c}","name":"Microsoft.Windows.ControlPanel.HealthCenter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{88bcd62d-f7ae-45b7-b578-4bf2b8ab867b}","name":"Microsoft-Windows-Shell-CortanaTrace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf7f94b3-08dc-5257-422f-497d7dc86ab3}","name":"ActivationManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5526aed1-f6e5-5896-cbf0-27d9f59b6be7}","name":"Microsoft.Windows.ApplicationModel.DesktopAppx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{afa71204-ca19-516e-3b0b-97016857d3d7}","name":"Microsoft.Windows.OneSync.ActiveSyncEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bc44ffcd-964b-5b85-8662-0ba87edaf07a}","name":"Microsoft.Windows.PerfLib","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b3e1c8a5-2552-4cfb-90ab-03d44f7e217c}","name":"Microsoft.Windows.AgentActivationRuntime.AgentInfo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{07807c21-adcc-4884-a34d-3623c990f229}","name":"Microsoft.Windows.AgentActivationRuntime.Settings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e4dda0af-d7b4-5d40-4174-4d0be05ae338}","name":"Microsoft.Windows.AppMan.UEV","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{86d873db-e2ff-5de7-cbb1-92581b4e70a1}","name":"Microsoft.Windows.AllJoyn.RouterService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7a01e7fb-b6a4-4585-b1a8-ea2094ecb4c5}","name":"Microsoft.Antimalware.Scan.Interface","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{042ea214-830c-5979-86f5-28fd92c80f30}","name":"Microsoft.Windows.OneSync.DiagTrace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d853cf0f-d9fa-55f6-d916-2b3dbbae132a}","name":"Microsoft.Windows.DynamicApi.Data","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e73d49d6-9eda-5059-74d1-b879b18cf9ae}","name":"Microsoft.Windows.Print.APMon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bc2dab59-ac78-487a-903e-db3c343c0be3}","name":"Microsoft.Windows.Print.WSDMon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6fb61ac3-3455-4da4-8313-c1a855ee64c5}","name":"Microsoft.Windows.Print.IppMon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{acf1e4a7-9241-4fbf-9555-c27638434f8d}","name":"Microsoft.Windows.Print.IppCommon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{49868e3d-77fb-5083-9e09-61e3f37e0309}","name":"Microsoft.Windows.Print.HttpRest","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44050ea2-419d-5526-923b-b038e0f1e715}","name":"Microsoft.Windows.Print.CloudPrintHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fbfbd628-251d-551d-c4dd-c7820af723e4}","name":"Microsoft.Windows.Print.IppAdapterCommon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6184bc1f-417e-4443-bcce-9f65bf844aa7}","name":"Microsoft.Windows.Print.IppConfigConverter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8ccca27d-f1d8-4dda-b5dd-339aee937731}","name":"Microsoft.Windows.Compatibility.Apphelp","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{40dbe1ab-6f3b-57cf-ee15-a1f3b1370ec6}","name":"Microsoft.Windows.Compatibility.Encapsulation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0bc7f044-74be-445d-82e4-65c087118975}","name":"Microsoft.Windows.AppModel.AppUriHandlerRegistrationVerifier","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{77fe4532-3f5c-5786-632b-fb3201bce29b}","name":"Microsoft.Windows.Security.AppIdLogger","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c4588082-5072-4d81-bb2e-575950eaf2cb}","name":"Microsoft.Windows.Security.AppIDSvcProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{be928fd4-50ba-57ca-b6b8-925dab19c3bf}","name":"Microsoft.Windows.Security.LUA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1c0ce30f-122d-5a39-2bef-b176b05d65e2}","name":"Microsoft.Windows.Security.DeviceGuard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{678e492b-5de1-50c5-7219-ae4aa7d6a141}","name":"Microsoft-Windows-Desktop-ApplicationFrame","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{639c1a81-14a8-55bf-bb3f-800c3fa0581b}","name":"Microsoft.Windows.Desktop.Shell.AppClosingTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b997e40d-0880-4ed6-b7df-84df3305fe2b}","name":"Microsoft.Windows.Security.AppLockerCSP","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{cf84da43-f447-42de-ad48-4feeea03247d}","name":"Microsoft.Windows.Security.EDPPolicyMgrApplockerTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fe762fb1-341a-4dd4-b399-be1868b3d918}","name":"Microsoft.Windows.AppXDeploymentServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aa1b41d3-d193-4660-9b47-dd701ba55841}","name":"Microsoft.Windows.AppxDeploymentFallback","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{746622e1-9381-4507-be68-2e6b55f81070}","name":"Microsoft.Windows.StateRepository.Core","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{551ff9b3-0b7e-4408-b008-0068c8da2ff1}","name":"Microsoft.Windows.StateRepository.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{582c6a21-f5b4-4e52-b592-0e8229bf1737}","name":"Microsoft.Windows.AppMan.Shared.Logging","group":""},{"guid":"{a94f431e-5460-465f-bf2e-6245b56d6ce9}","name":"Microsoft.Windows.UserDataAccess.AppointmentApis","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0a0a7808-8dda-4ba0-a656-b2c740ab9108}","name":"Microsoft.Windows.UserDataAccess.UserDataApisBase","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{03a70c9d-084b-4905-b341-f6377e734858}","name":"Microsoft.Windows.Appraiser.Instrumentation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dd17fa14-cda6-7191-9b61-37a28f7a10da}","name":"Microsoft.Windows.Appraiser.General","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45d5ccd7-6e27-4318-82dd-69bd83a8f672}","name":"Microsoft.Windows.Inventory.Indicators","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{71032084-57e9-4b2f-b367-28801de960ab}","name":"PackageInfo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c567e5d7-a908-49c0-8c2c-a8dc3e8f0cf6}","name":"Microsoft.Windows.ARS.Tiles","group":""},{"guid":"{39ddcb8d-ef82-5c84-89ca-09580bf0a947}","name":"Microsoft-Windows-Shell-AppResolver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bc6a63f5-2da6-5394-8657-e7b5efad1315}","name":"Microsoft.FamilySafety.Monitor","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{02db1e80-8296-5d13-91b2-3d6bdf0bc162}","name":"Microsoft.FamilySafety","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d8f29c0d-526c-5148-2167-9be755ad812d}","name":"Microsoft.FamilySafety.Dev","group":""},{"guid":"{6ecb0bf3-c4d3-52e5-81df-704c4a8686ac}","name":"Microsoft.Windows.FamilySafety.Reliability","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{509d9518-eae5-4c53-ae47-271ba6b7ef53}","name":"Microsoft.Windows.Memory","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{635d9d84-4106-4f3a-a5c2-7fda784ae6fc}","name":"Microsoft.Windows.CpuTrigger","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c38b082f-bb3b-4eff-a29e-421194554038}","name":"Microsoft.Windows.DiskTrigger","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f8d370cb-a3c9-54e9-c9cd-8cc49964a8f6}","name":"Microsoft.Windows.Shell.AddRemovePrograms","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4dab1c21-6842-4376-b7aa-6629aa5e0d2c}","name":"Microsoft.Windows.AppXAllUserStore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b89fa39d-0d71-41c6-ba55-effb40eb2098}","name":"Microsoft.Windows.AppXDeploymentClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d9e5f8fb-06b1-4796-8fa8-abb07f4fc662}","name":"Microsoft.Windows.AppXDeploymentExtensions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{67b0f5f8-7f9b-4716-b314-954df536e966}","name":"Microsoft.Windows.Print.AppMon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{71eb58e7-a040-4c3d-9577-2d1c3289a065}","name":"Microsoft.Windows.Shell.CentennialDefaultAssoc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a66a8706-ae1e-4a26-a15b-27d924c43063}","name":"Microsoft.Windows.BackgroundAccessManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eee2c45d-a762-4930-a1ca-bb07f7bd10b6}","name":"Microsoft.Windows.Networking.ModernApps.LoopbackAccess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{98ccaad9-6464-48d7-9a66-c13718226668}","name":"Microsoft.Windows.AppModel.Tiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f9f7f27c-5e5d-5273-468f-038e61965660}","name":"Microsoft.Windows.AssignedAccess.Csp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{94097d3d-2a5a-5b8a-cdbd-194dd2e51a00}","name":"Microsoft.Windows.AssignedAccess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{355d4f62-3d5b-5372-213f-6d9d804c75df}","name":"Microsoft.Windows.AssignedAccess.MdmAlert","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{72d164bf-fd64-4b2b-87a0-62dbcec9ae2a}","name":"Microsoft.Windows.Narrator.Asimov","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{64788b34-e8e5-5664-af50-45afb294a1dc}","name":"Microsoft.Windows.Audio.DeviceGraph","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2c2677bd-bc9a-5a88-4772-6f17de82b2c7}","name":"Microsoft.Windows.Audio.AudioEngineUtil","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d375f14e-9624-5a18-f53e-5bce2043a97f}","name":"Microsoft.Windows.Audio.CrossProcess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9ac9593a-8e9e-5c4c-6407-43c56769851b}","name":"Microsoft.Windows.Audio.Spatial.CrossProcess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0e7e8596-d648-5c94-adbd-3d780faa58e8}","name":"Microsoft.Windows.Audio.EndpointBuilder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec6ede49-f40f-5f93-8651-a4edc18afe06}","name":"Microsoft.Windows.Audio.EndpointCharacteristics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c9f9ecd3-6d24-46d8-b23f-37b53fa6447b}","name":"Microsoft.Windows.Audio.Spatial.Metadata","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{030fa765-f1ae-448e-955b-44d76073e1dc}","name":"Microsoft.Windows.Audio.License","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b223e190-8559-5089-47f7-282d429805fe}","name":"Microsoft.Windows.AudioUnderstanding.Capture","group":""},{"guid":"{46df03df-beab-5f0b-7eb2-e471c1bea993}","name":"Microsoft.Windows.Audio.Engine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3b11f303-2e4f-4856-9a63-1de8c1baebfb}","name":"Microsoft.Windows.Audio.Spatial.Renderer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8d37b4a3-2c54-560f-7b2e-b992d023682a}","name":"Microsoft.Windows.Audio.Pump","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{53cc8a8b-3182-5101-7405-8dfc7e5f313e}","name":"Microsoft.Windows.MediaFoundation.CallStack","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fccfb92c-645c-56b2-6bc8-f58018445737}","name":"Microsoft.Windows.Audio.AcousticEchoCancellation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f16d809a-f345-5246-a9ce-c530856782b9}","name":"Microsoft.Windows.Analog.NUI.Audio","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{90492ff4-7bb3-5781-5bd5-7ba3e09568a7}","name":"Microsoft.Windows.Audio.Processor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9d01d40c-b008-4770-a0ef-14d91395a423}","name":"Microsoft.Windows.Media.Settings.Audio","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f0d933d3-6ff1-4de9-8f8d-7a4142c8faf9}","name":"Microsoft.Windows.SystemSettings.AudioSettingsHandlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{553ca39b-c608-566d-18ae-7b9a03a39acd}","name":"Microsoft.Windows.Audio.KernelStreamingEndpoint","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e7b1892-5288-5fe5-8f34-e3b0dc671fd2}","name":"Microsoft.Windows.Audio.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{767166e4-869c-5cc7-4f54-b13d12274111}","name":"Microsoft.Windows.Audio.PolicyConfig","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f286958a-866b-4cb4-b442-bbe01acb0d30}","name":"Microsoft.Windows.Audio.LoopbackMixer","group":""},{"guid":"{3d2b6366-47a4-5e10-6974-e5f7de0d3f28}","name":"Microsoft.Windows.Audio.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2266b8d6-11dd-5bfe-d5f2-067e37b194b8}","name":"Microsoft.Windows.Audio.Spatial.ResourceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9dd93434-0865-5629-c753-70c27ff40dc7}","name":"Microsoft.Windows.Audio.Service.PolicyManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b1a37fe6-6431-56aa-33fd-cdb90c3b695e}","name":"Microsoft.Windows.Security.WebAuth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3859e38-9269-4a33-af9c-bc7082c62930}","name":"Microsoft.Windows.Shell.WebAuthBridge","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9a7b2945-e29a-5477-e857-794ae72a85d9}","name":"Microsoft.Windows.AuthExt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5a43f100-b5f3-53bf-6291-035b4f51f2f8}","name":"Microsoft.Windows.Desktop.Shell.Authentication.AuthUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8db3086d-116f-5bed-cfd5-9afda80d28ea}","name":"Microsoft.OSG.OSS.CredProvFramework","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a3a38aaa-2521-4849-9b65-ae781b455984}","name":"Microsoft.Windows.FileSystem.Chkdsk","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{31dbfd53-87c6-4370-afb0-7263cd9a49a8}","name":"Microsoft.Windows.AutoTime.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06ee5c69-51c7-5ebe-0c8f-a049cc071d3f}","name":"Microsoft.Windows.BackupAndRoaming.AzureWilProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{885735da-efa7-4042-b9bc-195bdfa8b7e7}","name":"Microsoft.Windows.BackupAndRoaming.AzureSyncEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{95ea8eb8-6f34-45bc-8fa3-bafeaf6c9915}","name":"Microsoft.Windows.BackupAndRoaming.SyncEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{49b5ed52-d5a9-47a6-9bfb-4c6c6aa200ce}","name":"Microsoft.Windows.BackupAndRoaming.Diagnostics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3c1be35c-79fd-55ec-2d51-2d7b19e1d377}","name":"Microsoft.Windows.BackupAndRoaming.WilProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f0372af2-cc46-56c0-2bb9-db2e31b2423d}","name":"Microsoft.Windows.Audio.BackgroundAudioPolicy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4efe0d37-de22-547a-8e83-cecf39daf889}","name":"Microsoft.Windows.Provisioning.Plugin.Barcode","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab74fbe2-37ef-48c4-b9ba-91ae7804a0b7}","name":"Microsoft.Windows.Media.Capture","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b518d5bd-106c-4f6f-9b2f-1972f5968bdd}","name":"Microsoft.Windows.Media.Capture.AppCaptureMetadataWriter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b2235af2-251a-4d6e-beb0-db27bd29eb45}","name":"Microsoft.Windows.BcastDVR","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c77b0b58-fac1-5614-4523-86a46166ab49}","name":"Microsoft.Windows.BootFileServicing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{932a397d-97ed-50f9-29ab-051457f7af3e}","name":"Microsoft.Windows.Desktop.LanguageBCP47","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f3a71a4b-6118-4257-8ccb-39a33ba059d4}","name":"Microsoft.Windows.Security.BCrypt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c106be38-921e-4100-880a-4a3b41b1c95f}","name":"Microsoft.Windows.Security.BitLocker.CSP.State.Update","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1aa8a014-a347-4bdf-b21a-593f2ab62de8}","name":"Microsoft.Windows.Security.BitLocker.EncryptionDelay","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{497abd62-6fdf-46c9-a972-9d68cb71c335}","name":"Microsoft.Windows.Security.BitLocker.BcdUpdate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2c801909-d66e-4ae6-abb5-c92e19681aab}","name":"BdeSvcTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5899bc23-6d04-4919-a3a3-5611c4dad2ab}","name":"Microsoft.Windows.Security.BitLocker.KeyRolling.Engine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{00a85728-5a3d-4b9e-b24b-9a14cce5f322}","name":"FveEnableLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ae48220d-cfeb-46dc-9d61-0b01e8ed0058}","name":"Microsoft.Windows.Networking.BFE.SubLayer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{698b9d1f-e09e-4e7c-b97d-647bc6969bf2}","name":"Microsoft.Windows.Networking.BFE.Provider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec75076d-5e9c-4448-83f8-57870e2e7a6d}","name":"Microsoft.Windows.Networking.BFE.Filter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f53a23be-ea7d-54ac-d7ab-dd541e945ae8}","name":"Microsoft.Windows.Networking.BFE.Rundown","group":""},{"guid":"{db909c62-75e6-5440-fa0d-c303473cb35f}","name":"Microsoft.Windows.Networking.BFE","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{386c9353-4a64-4fec-b360-7d832d775cde}","name":"Microsoft.Windows.Shell.MTF.BingAutoSuggestionDS.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d40c54dc-b476-53e2-5456-13d838d243e9}","name":"Microsoft.Windows.Shell.MTF.BingAutoSuggestionDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44ce5c1c-1693-4997-b700-ca1b696e4b54}","name":"Microsoft.Windows.Shell.MTF.BingAutoSuggestionDS.Perf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a1b5139a-6ff8-5136-90bb-d1ce46943037}","name":"Microsoft.Windows.Shell.MTF.BingFilterDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5c027701-c399-4141-8899-2dc7acb56cec}","name":"Microsoft.Windows.Shell.MTF.BingFilterDS.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b9be465b-1e6b-5741-ccc8-74c6f96944c7}","name":"Microsoft.Windows.Maps.Services.Copyright","group":""},{"guid":"{9dadd79b-d556-53f2-67c4-129fa62b7512}","name":"Microsoft.Windows.Security.Biometrics.BioCredProv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9df19cfa-e122-5343-284b-f3945ccd65b2}","name":"Microsoft.Windows.Security.Biometrics.Trustlet","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63b6c2d2-0440-44de-a674-aa51a251b123}","name":"Microsoft.Windows.BrokerInfrastructure","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ecd5374a-5fd1-4fed-9f53-e38d4897abd4}","name":"Microsoft.Windows.BackgroundManagerAggregated","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{42f0d420-f794-4d69-9369-6fd2387e157e}","name":"Microsoft.Windows.BitLocker.CSPProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dbd4a8cd-17a1-46a1-9ec8-ce9e6d253a97}","name":"Microsoft.Windows.RecEnv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf00ce14-243a-572e-b740-b27009b128e3}","name":"Microsoft.Windows.StartRepairCore","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{a2c85772-f6bc-5e43-7aeb-2f7db8a80b7f}","name":"Microsoft.Windows.Kernel.BootTools","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6966fe51-e224-4baa-99bc-897b3ed3b823}","name":"Microsoft.Windows.BrokerBase","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e3f60ef-a60f-45a9-84ae-e224f761baa3}","name":"Microsoft.Windows.HVSI.Manager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1d571ab7-c34d-41c5-b141-42d76317c7c5}","name":"Microsoft.Windows.Bluetooth.Hfp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d951cb3f-2cba-4a1c-9436-6cf2e904dde8}","name":"Microsoft.Windows.Bluetooth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4e415226-9161-583e-161b-f0798225ff40}","name":"Microsoft.Windows.WpdMtp.BthMtpContextHandler","group":""},{"guid":"{b2f2a380-149b-4a35-8016-cfe4a5a9b893}","name":"MicrosoftWindowsNetworkLegacyUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed7432ee-0f83-5083-030b-39f66ba307c5}","name":"Microsoft.Windows.Desktop.ScreenSaver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0905ca09-610e-401e-b650-2f212980b9e0}","name":"MicrosoftCalculator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6990d440-4050-4975-8007-c166ddd0941d}","name":"Microsoft.Windows.Bluetooth.CallControl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c50f8ea2-c7bb-5c95-164e-bb7f9cad095a}","name":"Microsoft.Windows.CapabilityAccessManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{237b580a-2421-5bc2-1ac0-36f148384fa8}","name":"Microsoft-Windows-Cast-Launcher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0be2aaa-b6c3-5f17-4e86-1cde27b51ac1}","name":"Microsoft.Windows.ClipboardHistory.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a29339ad-b137-486c-a8f3-88c9738e5379}","name":"Microsoft.Windows.ApplicationModel.DataTransfer.CloudClipboard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3bbf44c9-f0b7-4f46-977b-b4536ca99b8d}","name":"Microsoft.Windows.ApplicationModel.DataTransfer.CloudClipboard.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed6842ae-0e4b-4fd5-9a6a-1206dc8810f7}","name":"Microsoft.Windows.ApplicationModel.DataTransfer.DataPackageSerializer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8aa41f62-e9cd-4291-bae1-94daa9a3ac26}","name":"Microsoft.Windows.Graphics.Cdd","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dfa6e32a-095f-5f57-d025-0887d33507a1}","name":"Microsoft.Windows.CDP.CDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5fe36556-c4cd-509a-8c3e-2a547ea568ae}","name":"Microsoft.Windows.CDP.AFS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bc1826c8-369c-5b0b-4cd1-3c6ae5bfe2e7}","name":"Microsoft.Windows.CDP.Aggr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9f4cc6dc-1bab-5772-0c71-a89954718d66}","name":"Microsoft.Windows.CDP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{abb10a7f-67b4-480c-8834-8b049c428715}","name":"Microsoft.Windows.CDP.Core","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a1ea5efc-402e-5285-3898-22a5acce1b76}","name":"Microsoft.Windows.CDP.Core.Error","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a48e7274-bb8f-520d-7e6f-1737e9d68491}","name":"Microsoft.Windows.System.RemoteSystem","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d229987f-edc3-5274-26bf-82be01d6d97e}","name":"Microsoft.Windows.System.RemoteSystemSession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{633383cb-d7a9-4964-876a-66b7dc98c0fe}","name":"Microsoft.Windows.RemoteSystems.CDPRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{833e7812-d1e2-5172-66fd-4dd4b255a3bb}","name":"Microsoft.Windows.ApplicationModel.UserActivities","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f06690ca-9325-5dcf-65bc-fc3164fa8acc}","name":"Microsoft.Windows.Application.NearSharePlatform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4a16abff-346d-56dc-fa87-eb1e29fe670a}","name":"Microsoft.Windows.CDP.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{30ad9f59-ec19-54b2-4bdf-76dbfc7404a6}","name":"Microsoft.Windows.CDP.Session","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed1640e7-9dc0-45b5-a1ef-88b70cf1742c}","name":"Microsoft.Windows.CDP.UserService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{41d006be-1a11-4121-a0eb-0ea2ae688044}","name":"Microsoft.Windows.Cellcore.Cellularapinew","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{412f73f7-ebf9-466f-90e7-606accdbcd15}","name":"Microsoft.Windows.UserDataAccess.Cemapi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7d265c9d-2276-4606-95f0-fd113c05065e}","name":"Microsoft.Windows.Security.CertEnroll","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{483804c3-f8a7-5d61-bf21-2de8db1a4e53}","name":"Microsoft.Windows.Security.SmartCards.CertPropSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0d3ce46-1e48-42aa-a5e3-d0f18ec9a48b}","name":"Microsoft.Windows.CellCore.Provisioning","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{02ad713f-20d4-414f-89d0-da5a6f3470a9}","name":"Microsoft.Windows.Security.CFL.API","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fc7ba620-eb50-483d-97a0-72d8268a14b5}","name":"Microsoft.Web.Platform.Chakra","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b3000b4-3fa3-44ec-91b4-8903c331543e}","name":"Microsoft.Windows.Licensing.ChangePK","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8fe8ebd4-0f51-5f91-9481-cd2cfefdf96e}","name":"Microsoft.Windows.Desktop.Shell.Charmap","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0a18f5c-07f3-4a44-b149-0f8f13ef6887}","name":"Microsoft.Windows.ApplicationModel.Chat.ChatMessageBlocking","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6fdfa2fd-23c7-5152-1a51-618729d0e93d}","name":"Microsoft.Windows.FileSystem.CloudFiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ce790967-ff23-464c-a976-1389674e3972}","name":"Microsoft.Windows.CleanupMgr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3970f9cd-2c0c-4f11-b1cc-e3a1e9958833}","name":"CleanPCCSPTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{28d62fb0-2131-41d6-84e8-e2325867964c}","name":"Microsoft.Windows.AppModel.Clipboard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed0c10a5-5396-4a96-9ee3-6f4aa0d1120d}","name":"Microsoft.ClipC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{466f3b39-9929-45e6-b891-d867bd20b738}","name":"Microsoft.Windows.Licensing.UpgradeSubscription","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b94d76c5-9d56-454a-8d1b-6ca30898160e}","name":"Microsoft.ClipSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cfbea673-bf20-4bd8-b595-29b82d43df39}","name":"Microsoft.ClipUp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4266a3c6-72dc-4e46-8e7c-5a91a55b93b1}","name":"Microsoft.Windows.Licensing.ClipWinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7fad10b2-2f44-5bb2-1fd5-65d92f9c7290}","name":"Microsoft.Windows.Security.CloudAp.Critical","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bb8dd8e5-3650-5ca7-4fea-46f75f152414}","name":"Microsoft.Windows.Security.CloudAp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aa02d1a4-72d8-5f50-d425-7402ea09253a}","name":"Microsoft.Windows.Shell.CloudDomainJoin.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8999952b-d9ca-491c-ab5b-6ad70835f0f2}","name":"Microsoft.Windows.Shell.UnifiedEnrollment.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e586678-8171-5406-e113-c6fbd31535db}","name":"Microsoft.Windows.Shell.CloudExperienceHostClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99eb7b56-f3c6-558c-b9f6-09a33abb4c83}","name":"Microsoft.Windows.Shell.CloudExperienceHost.Common","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2dbd0b99-c886-5c44-9fc2-7220ddf5aaf6}","name":"Microsoft.Windows.Shell.ScalingCompat","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{05f02597-fe85-4e67-8542-69567ab8fd4f}","name":"MSAClientTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f385e1a5-0346-5411-11a2-e8c8afe3b6ca}","name":"Microsoft.Windows.Desktop.Shell.CloudExperienceHostSpeech","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ff91e668-f7be-577e-14a3-44d801cccfa0}","name":"Microsoft.Windows.Shell.CloudExperienceHostCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3122168f-2432-45f0-b91c-3af363c14999}","name":"ClusApiTraceLogProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3c94ea80-4530-40be-9b66-a79d8f60aa9b}","name":"Microsoft.Windows.COM.ComTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1aff6089-e863-4d36-bdfd-3581f07440be}","name":"CombaseTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c7e09e2a-c663-5399-af79-2fccd321d19a}","name":"Microsoft.Windows.Com.PoFAggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f0558438-f56a-5987-47da-040ca75aef05}","name":"Microsoft.Windows.WinRTClassActivation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dc749491-822a-4043-9789-2c68d3a477d9}","name":"Microsoft.Windows.COM.MetadataBasedMarshaler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1fc037f9-b857-5bd2-cbd2-4d8c01b0d9d8}","name":"Microsoft.Windows.Shell.CommonPrintDialog","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc459d2f-f4bd-4e6c-901e-08bea752a7d3}","name":"Microsoft.Windows.ComposableShell.Framework.Composer","group":""},{"guid":"{4cde77ee-0109-57d3-e6f0-86365c0cfdb3}","name":"Microsoft.Windows.ComposableShell.Framework.Composer.DragDrop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{80ce50de-d264-4581-950d-abadeee0d340}","name":"Microsoft.Windows.HyperV.Compute","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{86625c04-72e1-4d36-9c86-ca142fd0a946}","name":"Microsoft.Windows.DeviceManagement.OmaDmApiProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f3b5bc3c-a182-4f7d-806d-070012d8d16d}","name":"Microsoft.Windows.DeviceManagement.SessionManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0ec685cd-64e4-4375-92ad-4086b6af5f1d}","name":"Microsoft.Windows.DeviceManagement.OmaDmClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{797c5746-634f-4c59-8ae9-93f900670dcc}","name":"Microsoft.Windows.DeviceManagement.OMADMPRC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6b865228-defa-455a-9e25-27d71e8fe5fa}","name":"Microsoft.Windows.EnterpriseManagement.ResourceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6222f3f1-237e-4b0f-8d12-c20072d42197}","name":"Microsoft.Windows.EnterpriseManagement.ResourceManagerUnenrollHook","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e1a8d70d-11f0-420e-a170-29c6b686342d}","name":"Microsoft.Windows.DeviceManagement.DmAccCsp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fe5a93cc-0b38-424a-83b0-3c3fe2acb8c9}","name":"Microsoft.Windows.DeviceManagement.DevInfo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f5123688-4272-436c-afe1-f8dfa7ab39a8}","name":"Microsoft.Windows.DeviceManagement.DevDetailCsp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{33466aa0-09a2-4c47-9b7b-1b8a4dc3a9c9}","name":"Microsoft-Windows-DeviceManagement-W7NodeProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f058515f-dbb8-4c0d-9e21-a6bc2c422eab}","name":"Microsoft.Windows.DeviceManagement.SecurityPolicyCsp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5afba129-d6b7-4a6f-8fc0-b92ec134c86c}","name":"Microsoft.Windows.EnterpriseManagement.DeclaredConfiguration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ffdb0cfd-833c-4f16-ad3f-ec4be3cc1af5}","name":"Microsoft.Windows.EnterpriseManagement.PolicyManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{76fa08a3-6807-48db-855d-2c12702630ef}","name":"Microsoft.Windows.EnterpriseManagement.ConfigManagerHook","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0ba3fb88-9af5-4d80-b3b3-a94ac136b6c5}","name":"Microsoft.Windows.DeviceManagement.ConfigManager2","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e74efd1a-b62d-4b83-ab00-66f4a166a2d3}","name":"Microsoft.Windows.EMPS.Enrollment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f9e3b648-9af1-4dc3-9a8e-bf42c0fbce9a}","name":"Microsoft.Windows.EnterpriseManagement.Enrollment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c15421a9-1a99-474e-9e1b-f16ac98e173d}","name":"Microsoft.Windows.EnterpriseManagement.Dynamo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63bf67fd-7d57-4dea-987f-f26d1ed62691}","name":"Microsoft.Windows.DeviceManagement.MDMWinsOverGPDictionary","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fe1ff234-1f09-50a8-d38d-c44fab43e818}","name":"Microsoft.Windows.Console.Host","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{770aa552-671a-5e97-579b-151709ec0dbd}","name":"Microsoft.Windows.Console.Launcher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c9ba2a95-d3ca-5e19-2bd6-776a0910cb9d}","name":"Microsoft.Windows.Console.Render.VtEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{de73b5e0-ebd8-5bf1-5f0a-eb2613358e9b}","name":"Microsoft.Windows.PlatformExtensions.ConsentExperienceCommon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4ed93eb9-c197-582f-ada9-4939ec475c92}","name":"Microsoft.Windows.DeviceConsentUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6cb6fe45-2c1c-5d4c-b440-ff7aefe9f457}","name":"Microsoft.Windows.ConsentUx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e34441d9-5bcf-4958-b787-3bf824f362d7}","name":"Microsoft.Windows.Shell.CortanaSearch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3f7fafe6-1dd2-4720-b75b-e3268a0e6120}","name":"Microsoft.Windows.UserDataAccess.ContactApis","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ee5d800-84e9-5917-a448-dcf4cb6096d8}","name":"Microsoft.Windows.Shell.MTF.ContactHarvesterDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{67eb0417-9297-42ae-a1d9-98bfeb359059}","name":"Microsoft.Windows.Containers.Library","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fd1c8ea7-81fb-5865-0291-2226d3c883ca}","name":"Microsoft.Windows.ContentDeliveryManager.Utils.UnlockActionHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fadd8651-7b42-423f-b37d-3b98b9e81560}","name":"Microsoft.Windows.DeviceManagement.SyncMLDpu","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{18f2ab69-92b9-47e4-b9db-b4ac2e4c7115}","name":"Microsoft.Windows.DeviceManagement.WAPDpu","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{48dcc4b8-1a33-4625-b042-95ce02602863}","name":"Microsoft.Windows.ComposableShell.CoreShell","group":""},{"guid":"{07f43d42-ac34-545b-338d-b5fde66f440d}","name":"Microsoft.Windows.Shell.ProjectionManager.DisplayPickerHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e282e7b-2134-4e30-a089-218cf7ddc553}","name":"Microsoft.Windows.ComposableShell.Framework.CoreShellAPI.TerminalManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2c4c4cfc-bd5f-5171-3607-c54987b8e0a3}","name":"Microsoft.Windows.ComposableShell.SessionManagement.Session","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0c8ef845-83f1-4a15-9988-6e1630db4d32}","name":"Microsoft.Windows.ComposableShell.Core.CoreShellExtFramework","group":""},{"guid":"{3720dda7-caea-4af3-a138-375aafc3f1d6}","name":"Microsoft.Windows.CoreUIComponents","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3fc749d8-ca25-5de0-2ca5-2fbd6c3612cb}","name":"CortanaPersona","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8e6931a7-4c49-5fb7-a500-65b951d7652f}","name":"Microsoft.Windows.Shell.CortanaPersonality","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1aea69ee-2cfc-5eb1-f1f6-18f99a528b11}","name":"Microsoft-Windows-Shell-Cortana-IntentExtraction","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d221a3b-e981-4e91-ae7c-f1de3e7746ee}","name":"Microsoft.Windows.Fundamentals.Partner.SystemInitiatedUserFeedback","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{ee818f02-698c-48be-8ff2-326c6dd34db1}","name":"Microsoft.Windows.Fundamentals.SystemInitiatedUserFeedback","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{290437a7-8178-4f08-a567-583ced6a1d8a}","name":"Microsoft.Windows.Fundamentals.UserInitiatedFeedback","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bd59a9a8-cafb-4503-845e-d85fb72ae2e1}","name":"WindowsFlightingSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3bb1472f-46dc-5a12-4916-25706f703352}","name":"Microsoft.Windows.CredDialogBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d30325be-5b5e-508c-d76a-2d5e5fe60a5c}","name":"Microsoft.Windows.CredentialEnrollmentManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4c88af3d-5d47-458a-8624-515c122b7188}","name":"Microsoft.Windows.OneCoreUap.Shell.Auth.CredUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{55f422c8-0aa0-529d-95f5-8e69b6a29c98}","name":"Microsoft.Windows.Shell.SystemSettings.SignInOptionsPage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{462a094c-fc89-4378-b250-de552c6872fd}","name":"Microsoft.Windows.Shell.Auth.CredUIBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d9f478bb-0f85-4e9b-ae0c-9343f302f9ad}","name":"Microsoft.Windows.Security.Cred2FAHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fb3cd94d-95ef-5a73-b35c-6c78451095ef}","name":"Microsoft.Windows.CredProvDataModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a181320d-0993-4510-aece-690ff14512c2}","name":"Microsoft.Windows.Security.CredHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f8523a36-f90b-553f-3dfa-5b84da6dae96}","name":"Microsoft.Windows.Security.CandidateAccountManagerPolicy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dc3b5bcf-bf7b-42ce-803c-71af48f0f546}","name":"Microsoft.Windows.CredProviders.PasswordProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3c430b0a-397a-4e1d-9a83-9c388405c00c}","name":"Microsoft.Windows.Security.Certificates","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d7051a0-9c83-5e52-cf8f-0ecaf5d5f6fd}","name":"Microsoft.Windows.Security.NGC.CryptNgc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{786396cd-2ff3-53d3-d1ca-43e41d9fb73b}","name":"Microsoft.Windows.Security.CryptoWinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d4211df0-de55-11e4-be84-0024e814a5e2}","name":"Microsoft.Windows.OfflineFiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{24241768-581f-4239-9994-ed874701a2f5}","name":"CustomInstall","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b5a9b1f0-a9cb-41c8-87bd-e5878c6bf66d}","name":"Microsoft.Windows.Security.CX.CredProv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7067398c-bae7-4191-bf16-c436de658baf}","name":"Microsoft.Windows.Graphics.Direct2D","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{923330f1-00dc-4e4a-9cab-1dfb0af719f7}","name":"Microsoft.Windows.Graphics.D3D10","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d704adfe-95cc-44f0-b98f-bb72677e55a9}","name":"Microsoft.Windows.Graphics.D3D10Level9","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2f50c5d0-e25e-4f89-ab4a-31c63b518d7a}","name":"Microsoft.Windows.Graphics.D3D12WARP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{77ab313b-93da-4aa5-a20f-9339ff5ae1e3}","name":"Microsoft.Windows.Graphics.D3D10_1","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{86cc27ea-6f87-47f7-8b43-3473527d4a87}","name":"Microsoft.Windows.Graphics.D3D11","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a0ab5aac-e0a4-4f10-83c6-31939c604fd9}","name":"Microsoft.Windows.Graphics.D3D11On12","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ba8f81e9-adce-5d41-51df-bcc78df51081}","name":"Microsoft.Windows.Graphics.D3D11SDKLayers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1f132a04-5c61-573f-d2ed-35a7e77c281c}","name":"Microsoft.Windows.Graphics.D3D12Dred","group":""},{"guid":"{82fe78cc-ff52-4e2f-a7bb-5c90636d14ba}","name":"Microsoft.Windows.Graphics.D3D12","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2fa581f7-7d27-5e1a-cd42-2f823376482d}","name":"Microsoft.Windows.Graphics.D3D12SDKLayers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{125e88d9-1d91-5dd1-fbdf-34c1e67c00da}","name":"Microsoft.Windows.Graphics.DirectXDatabaseHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b0f726cb-ca9c-4c11-b5b4-8c65aae214e9}","name":"Microsoft.Windows.Graphics.D3D9","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c0c418c5-1f3c-4ee0-93a2-a0bb8f417f9a}","name":"Microsoft.Windows.Graphics.D3D9ON12","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{88924b19-f26c-47b9-9539-cda8aa93c643}","name":"MicrosoftWindowsShellVanNetworkUx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{714239f2-e296-5ae6-73e1-d44774265044}","name":"Microsoft.Windows.Networking.Docking","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d5ca4bb-df8e-41bc-b554-8aeab241f206}","name":"Microsoft.Windows.Print.DafIpp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bf3eac2a-65ca-5ecc-2076-e23c6420a687}","name":"Microsoft.Windows.Print.DAFMCP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3c27a357-a925-4040-87e4-82e74ef8731e}","name":"Microsoft.IoT.POS.DafProvider","group":""},{"guid":"{9f6d9c99-619c-4a03-80de-1172fbdb147e}","name":"Microsoft.Windows.Print.DafProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{30965aee-2a17-4c9e-b1f0-7b0a0df530bb}","name":"Microsoft.Windows.UPnP.DafProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0636723-7994-4285-87bb-fa682a87531f}","name":"Microsoft.Windows.WiProv.DafProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e4d412ab-4c22-49ef-83ca-eafb90768512}","name":"Microsoft.Windows.WSD.DafProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e146863-2aae-5fe7-89e0-a17ffae83a14}","name":"Microsoft.Windows.WSD.WFD","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0879871c-e412-4c6a-87a6-74581b0afac5}","name":"MicrosoftWindowsShellNetworkUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab4d9355-341e-435d-b3d2-4b0e46354e2c}","name":"Microsoft.Windows.Das","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2383d505-afdd-4705-85c6-ceb91179929c}","name":"Microsoft.Windows.DataExchange","group":""},{"guid":"{21f26f8c-36e3-4f01-8b35-3c1bd45c69b8}","name":"Microsoft.Windows.DataExchange.DragDrop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ea893635-5ab7-562b-75a2-a22107d8058f}","name":"Microsoft.Windows.Shell.SystemSettings.DataUsageHandlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{94d6de7d-513b-5ebe-9cba-1faf26f6fda6}","name":"Microsoft.Windows.OneSync.WebDavEngineProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9efcb348-d13c-4b3a-8ab1-869aab424c34}","name":"Microsoft.Windows.Inventory.General","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{262cde7a-5c84-46cf-9420-94963791ef69}","name":"Census","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b142eb8c-3426-11e7-b687-92ebcb67fe33}","name":"FveDetectTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fb7fcbc6-7156-5a5b-eabd-0be47b14f453}","name":"Microsoft.Windows.ApiTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5fb75eac-9f0b-550c-339f-fc21fde966cd}","name":"InputCore","group":""},{"guid":"{93112de2-0aa3-4ed7-91e3-4264555220c1}","name":"Microsoft.Windows.Dwm.DComp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a2fb673d-d90b-49f3-96e6-30d9babb7d31}","name":"Microsoft.Windows.DeviceDirectoryClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a18828ed-9e14-598a-427d-23725d46ed04}","name":"Microsoft.Windows.Shell.MTF.DynamicDictionaryDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a5ccf697-9bcd-4cb8-8083-be8facaf4280}","name":"Microsoft.Windows.Shell.MTF.ContactDDDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f57021fb-b93d-59ba-4807-03397f6e89c3}","name":"Microsoft-Windows-Graphics-DDisplay","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d479cbb9-0cf0-494c-b98f-684c33849782}","name":"Microsoft.Windows.Graphics.DDRAW","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9f7780a0-cc4f-4bbd-b888-1c4c2ff78280}","name":"Microsoft.Windows.Storage.Defrag","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aed4297d-5aa8-43ff-843d-a3a20672d9ae}","name":"Microsoft.Windows.Deployment.OptionalFeaturesCSP","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{22111816-32de-5f2f-7260-2e7c4a7899ce}","name":"Microsoft.Windows.Shell.Personalization.CSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{451ceb17-c9c0-596d-78a3-df866a3867fb}","name":"Microsoft.Windows.Desktop.DesktopShellHostExtensions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7123e686-8e52-5dd4-0313-ba3e74213984}","name":"Microsoft.Windows.Holographic.DesktopView","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{60d6e217-d25b-504f-83d5-c2deb6a854e5}","name":"Microsoft.Windows.Holographic.MixedRealityMode","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6cd9d548-4f28-5e7c-503d-86e3cd9db63d}","name":"Microsoft.Windows.DeveloperPlatform.DeveloperOptions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8a36782f-4949-4980-ba6e-acadf0fe679a}","name":"Microsoft.Windows.DeviceBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a5247bf8-45ad-554e-afdf-994fedf2ddef}","name":"Microsoft.Windows.Shell.DeviceCenter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{78983c7d-917f-58da-e8d4-f393decf4ec0}","name":"Microsoft.Windows.Security.DevCredClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{86d5fe65-0564-4618-b90b-e146049debf4}","name":"Microsoft.Windows.Security.DevCredTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e7d2591-6d94-5b84-02a1-c74c54de1719}","name":"Microsoft.Windows.EnterpriseManagement.MDMPush","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c280a7fd-e32e-4594-a073-c29658bea931}","name":"Microsoft.Windows.DeviceManagement.CDNDownloader","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9d8f910a-17c3-5c99-d7ad-87f5021fb160}","name":"Microsoft.Windows.Shell.ProximityConnect","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7955d36a-450b-5e2a-a079-95876bca450a}","name":"Microsoft.Windows.Security.DevCredProv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a5247bf8-45ad-554e-afdf-994fedf2ddef}","name":"Microsoft.Windows.Shell.DevicePairing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab11a476-79f6-5026-7d54-2e9b9e539a2d}","name":"Microsoft.Windows.DeviceSetupManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{80a3bcff-2f89-4e33-aa39-73930ccba351}","name":"Microsoft-Windows-DevicesFlowBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d7abca3e-b535-5d3d-1bd8-c958d320602e}","name":"Microsoft-Windows-DevicesFlow-Connection","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc8e3f7b-79a5-574c-19e3-84daa421645e}","name":"Microsoft.Windows.Update.DeviceUpdateAgent","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{6a529040-a3b6-4b87-ad33-85793de42c95}","name":"Microsoft.Windows.DeviceUpdateCenter.Csp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2e5950b2-1f5d-4a52-8d1f-4e656c915f57}","name":"Microsoft.Windows.PNP.DeviceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{15a7a4f8-0072-4eab-abab-f98a4d666aed}","name":"Microsoft.Windows.Networking.DHCP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3440e16d-c661-5dca-d41d-b05c08b0efbb}","name":"Microsoft.Windows.Networking.DHCPv6","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{19d9d739-da0a-41a0-b97f-24ed27abc9fb}","name":"Microsoft.DHD1","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0a3e80a6-75a7-53ab-12ad-e29648d69fb4}","name":"Microsoft.DHD1.SequencedEventProcessor","group":""},{"guid":"{0504eb02-3a16-54e4-a2ff-3d85fa2f13e6}","name":"Microsoft.Windows.Analog.HolographicDriverClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{092da0c3-6935-5a0c-4034-d9bddce5708f}","name":"Microsoft.Windows.Analog.HolographicDriverClientContinuous","group":""},{"guid":"{fce08599-28a6-4874-9d54-3aa8ed5412fa}","name":"Microsoft.System.Diagnostics.DiagnosticInvoker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45fcedc4-fdf6-4915-a7ed-985855bba40f}","name":"Microsoft.Windows.DeviceManagement.DiagnosticLogCSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{16c6ba99-2310-4237-9250-02eada41ceab}","name":"Microsoft.DiagSvc.Engine.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{319fdc69-a626-5289-be4d-1f508a8c9a3b}","name":"Microsoft.Windows.Utc.WatchdogProvider","group":""},{"guid":"{1b9d8490-0675-4a63-8733-ba2a2ed24827}","name":"Microsoft.Windows.TelemetryViewer","group":""},{"guid":"{306bbad7-3eab-4f5d-91ca-cf42d7699c2c}","name":"Microsoft.Windows.Utc.ManagedHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{43ac453b-97cd-4b51-4376-db7c9bb963ac}","name":"Microsoft.Windows.DiagTrack","group":""},{"guid":"{da995380-18dc-5612-a0db-161c5db2c2c1}","name":"Microsoft.Windows.DiagTrack.XML","group":""},{"guid":"{dbf307fb-02e9-4935-b062-f63f05d58dc8}","name":"Microsoft.Windows.Sentinels","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1f930301-f484-4e01-a8a7-264354c4b8e3}","name":"Microsoft.Windows.Cast.Dial","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c31e3c2c-0867-5334-34af-93b3dfdee3b8}","name":"Microsoft-Windows-Shell-DictationTrace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b89baa4-0253-5e71-26d5-182a4e690463}","name":"Microsoft.Windows.TextInput.DictationManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{292ce2f8-099a-5710-ef2e-18921c50346f}","name":"Microsoft.Windows.Analog.Speech","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63ec1c5f-7672-4db1-9db0-98a4531cc134}","name":"Microsoft.Windows.DirectInput8","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b731656c-8c57-47c0-b21e-63c341841e3f}","name":"Microsoft.Windows.AI.MachineLearning.Dml","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{21c69d00-5ac3-5d7a-fc1f-0bf37cbce500}","name":"Microsoft.Windows.Graphics.DirectXDatabaseUpdater","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4d460463-66bc-45f5-9ed5-84ed88f15cdb}","name":"Microsoft.Windows.Storage.DataIntegrityScan","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ead10f56-e9d4-4b29-a44f-c97299de5088}","name":"Microsoft.Windows.Storage.DiskRaid","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{115e5164-6bc3-49f7-ab99-a91d6a4c9cee}","name":"Microsoft.Windows.DiskSnapshot","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e1acab4c-f008-48de-965b-a2f1bd9e1fe0}","name":"Microsoft.Windows.Dism.AppxProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{393f5655-4cba-40fd-9c19-1910b6965d01}","name":"Microsoft.Windows.Sysprep","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b3854706-6d90-58a4-415d-d86cd54f35f5}","name":"Microsoft-Windows-DispBroker-Desktop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b6a7fe4-d8bc-503d-c1db-142892d7da9b}","name":"Microsoft-Windows-DispBroker-DesktopSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d188b459-c26b-40ef-8ecc-009cc0ed6ed6}","name":"Microsoft.Windows.Graphics.WindowsColorSystemGammaDiagnostics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2b1bbe78-bf8d-57c1-007a-e8628f64e8b3}","name":"Microsoft-Windows-DispBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a3c04083-ce38-52ef-617f-a04362490425}","name":"Microsoft.Windows.Shell.DesktopDisplaySettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7d76b731-d927-5737-81c5-ae3d3733c0ab}","name":"OneCoreDisplayManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1d6a5020-c697-53bf-0f85-ae99be728db3}","name":"Microsoft.Windows.Shell.Display","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e74efd1a-b62d-4b83-ab00-66f4a166a2d3}","name":"Microsoft.EMPS.Enrollment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d5a5b540-c580-4dee-8bb4-185e34aa00c5}","name":"Microsoft.Windows.DeviceManagement.SCEP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d749112a-a5cf-4a2b-86b3-6abb29edd8e2}","name":"Microsoft.Windows.Fundamentals.SiufDeployMgrClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0a8e17fd-ed19-4c54-a1e7-5a2829bf507f}","name":"Microsoft.Windows.DeviceManagement.DmCmnUtils","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{12a9c970-7843-482a-9c1b-fd39d4f3533a}","name":"Microsoft.Windows.HVSI.PolicyEvaluator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ff036693-0480-41dd-ac12-ed3c6a936a5f}","name":"Microsoft.Windows.DeviceManagement.OmaCpClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{83afaf72-df00-4584-8f4c-aded166f72b1}","name":"Microsoft.Windows.DeviceManagement.PushRouterProxy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{455fefe7-5b3d-485a-bcbb-d0f09a47d1ae}","name":"Microsoft.Windows.DeviceManagement.PushRouterAuth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0e316aa7-3b31-4d58-9b8b-10b3b2c0f2ed}","name":"Microsoft.Windows.DeviceManagement.PushRouterCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a109a7c6-d975-46cc-b593-2b079b604e34}","name":"Microsoft.Windows.DeviceManagement.ConfigManager2LockService","group":""},{"guid":"{ead10f56-e9d4-4b29-a44f-c97299de5086}","name":"Microsoft.Windows.Storage.DiskManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8cc7d9c9-09af-45ca-86ce-4cecf680f2b7}","name":"Microsoft-Windows-DeviceManagement-DmSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c37bb754-dc5c-45ad-9d00-a42cfcf137a8}","name":"Microsoft.Windows.DeviceManagement.WmiCsp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9ca335ed-c0a6-4b4d-b084-9c9b5143aff0}","name":"Microsoft.Windows.Networking.DNS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0c75de2-8263-595f-cd27-04f99c135a45}","name":"Microsoft-Windows-DockingControllerHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5828b13b-49ca-4017-9455-7e6c0c36eb6a}","name":"Microsoft.Windows.MediaFoundation.DolbyAtmosDecoder","group":""},{"guid":"{cb729f91-4e9b-4698-a6c6-587faa6eaf4a}","name":"Microsoft.Windows.Audio.DapEncoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d1f8b4f-1d23-4f48-89fb-fb76e1be10bd}","name":"Microsoft.Windows.Audio.MatEncoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8933ec62-e2b1-449f-ab2e-9e8688b847fb}","name":"domgmt","group":""},{"guid":"{efb251e4-d454-4a02-b126-7fbb9d3991c3}","name":"dosvc","group":""},{"guid":"{f13cd440-a9b2-4d51-8b09-62dc6ad60194}","name":"Microsoft.OSG.DU.DeliveryOptClient","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{9d2a53b2-1411-5c1c-d88c-f2bf057645bb}","name":"Microsoft.Windows.Security.Dpapi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{27c42567-1daf-5166-7339-ea10942a0aa1}","name":"Microsoft.Windows.PlatformExtensions.DragDropExperienceCommon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8e7bbeca-b5bb-5d8a-7089-1d2af3085cdc}","name":"Microsoft.Windows.PlatformExtensions.DragDropExperienceDataExchange","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c42bbfdb-4140-4ada-81df-2b9a18ac6a7b}","name":"Microsoft.Windows.Kernel.Acpi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{153db56c-64b0-50c1-7d97-8fe95de8bf45}","name":"Microsoft.Windows.Kernel.Acpi.IrqArb","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aa3a221d-9a6f-4cf9-904e-897100ce8915}","name":"Microsoft-Windows-AFD","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f3909f63-e473-4db7-b0f3-458b80b23843}","name":"Microsoft.Windows.Socket.Afunix","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6895c41e-e36b-4a72-8ba3-df3255d17a55}","name":"Microsoft.Windows.Processor.Driver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d82215e3-bddf-54fa-895b-685099453b1c}","name":"Microsoft.Windows.BackgroundActivityModerator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bdf49c6c-ed22-442b-bf90-68cdd1808e2e}","name":"Microsoft.Windows.Battery","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3dc72b1-b3d9-4ca0-a066-d35241eeabbb}","name":"Brcm","group":""},{"guid":"{8776ad1e-5022-4451-a566-f47e708b9075}","name":"Microsoft.Windows.Bluetooth.BthA2dp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a8dd90af-85f0-40b1-b022-4f54961e8ae5}","name":"Microsoft.Windows.Bluetooth.BthPort","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{07785021-a524-4ded-8137-8ab5c9390fa8}","name":"TelemetryAssertDiagTrack_KM","group":""},{"guid":"{4caad201-c882-42c1-ae13-5408e834517b}","name":"Microsoft.Windows.Power.CAD","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{592fd58a-ad33-4288-bf88-fb9039d9e391}","name":"Microsoft-Windows-FileSystem-Cdfs","group":""},{"guid":"{29043218-3029-4be2-a6c1-b6763cecb3cc}","name":"EventAggregation","group":""},{"guid":"{5590bf8b-9781-5d78-961f-5bb8b21fbaf6}","name":"Microsoft.Windows.Storage.Classpnp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b4b126de-32fe-4591-9ac5-b0778d79a0e7}","name":"Microsoft.ClipSp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf38994b-91c9-4583-aca1-b5638ac732c4}","name":"Microsoft.Windows.CmBatt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{af2114e4-cb29-4a94-b24b-6a27bb43ed83}","name":"Microsoft.Windows.Storage.Crashdmp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{60ae66d1-1c8c-5461-5284-fe74dd01096e}","name":"Microsoft.Windows.DesktopActivityModerator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8cebf433-4842-449e-9fa0-99c6b14a7126}","name":"Microsoft.Windows.Storage.SDBus","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8d8551e8-55df-4f9e-b8cc-c6ee1653f004}","name":"Microsoft.Windows.Graphics.DriverDiagnosticsProgressions","group":""},{"guid":"{8d8551e7-55df-4f9e-b8cc-c6ee1653f004}","name":"Microsoft.Windows.Graphics.DriverDiagnosticsNotifications","group":""},{"guid":"{deb96c0a-d2d9-5868-a5d5-50ee13513c8b}","name":"Microsoft.Windows.Graphics.Display","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{221d444c-d07e-4fde-b425-15b746cf535b}","name":"Microsoft.Windows.Graphics.DxgDiagnostics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6998471-62cd-424d-a9a3-fe4c1fa378a4}","name":"DxgKrnlTelemetry","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{705511ba-c1e6-41aa-8c36-daff03852409}","name":"Microsoft.Windows.FileSystem.Exfat","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7a688f0e-f39b-4a7a-bbbb-066e2c1fcb04}","name":"Microsoft.Windows.Security.EFS.EfsLib","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b3b9d0a-ac64-4cbd-b658-e1ec8b4cb416}","name":"Microsoft.Windows.EFS.EFSRPC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3d1d28b1-73f5-5937-3446-0de4df173ff5}","name":"Microsoft.Windows.EDP.Enforcement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ced8d3d1-c760-49a7-a709-0de39da17de8}","name":"Microsoft.Windows.FileSystem.Fat","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fd66a680-c052-4375-8cc9-225f923cef88}","name":"Microsoft.Windows.FileSystem.FltMgr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1491f89f-c57d-4135-8e05-76f0f68124a8}","name":"FveVolTraceLogProvKM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{19aa5291-c1aa-4f3c-b0d5-1126f1faf3a5}","name":"Microsoft.Windows.Networking.WFP.Kernel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{653880c0-4e64-56c1-5503-c1a609292702}","name":"Microsoft.Windows.Audio.HdAudBus","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0575a639-1f8c-510e-8aaa-0af5e54229ab}","name":"Microsoft.Windows.Bluetooth.HidBth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b2a2afc4-fd0b-5a85-9eef-0ce26805cb02}","name":"Microsoft.Windows.Input.HidClass","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b7651cf4-92fb-5e12-fd62-6dffda250e97}","name":"Microsoft.Windows.Input.HidI2c","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bb34a62f-9160-4ae7-8d17-311006d248c9}","name":"Microsoft.Windows.Input.HidSpi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eb16899e-ae38-517e-294d-b82dc8a04c74}","name":"Microsoft.Windows.Input.HidUsb","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b1945e15-4933-460f-8103-aa611ddb663a}","name":"Microsoft.OSG.Web.HTTPSys","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f542162-e9cf-5eca-7f74-1fb63a59a6c2}","name":"Microsoft.Windows.HyperV.GuestCrashDump","group":""},{"guid":"{6c5f119b-5b29-46a7-8e4a-282f8d935ae6}","name":"Microsoft.Windows.HyperV.Hypervisor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f1c134a0-5523-5865-1aff-b9f82e911cc3}","name":"Microsoft.Windows.HyperV.Hypervisor.Diagnostics","group":""},{"guid":"{b2ed3bdb-cd74-5b2c-f660-85079ca074b3}","name":"Microsoft.Windows.HyperV.Socket","group":""},{"guid":"{ddb15654-924f-42de-8be1-2f8bf4946be1}","name":"Microsoft.Windows.I8042Port","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b82887e-0d74-4a2e-85ff-521f93c9d4a0}","name":"IntelPepTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fa93663e-d1d9-5e9c-24a0-c2040a13062f}","name":"Microsoft.Windows.IoRate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{084aa0de-35a2-57d4-21db-48c0514ca3ef}","name":"Microsoft.Windows.Input.KbdClass","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{05fa9b62-4be5-4911-a12b-1303aa9c3a81}","name":"Microsoft.Windows.Input.KbdHid","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dac64ab5-e0b2-46aa-9835-0ebd68f57024}","name":"Microsoft.Windows.Net.ImsBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5bc69579-c5e2-4bc8-9a9b-b2795c6b9cbb}","name":"Microsoft.Windows.Security.KsecSspi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a868cf57-6875-4ef9-8b42-c3cb590ca756}","name":"Microsoft.Windows.Compatibility.Luafv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f12d26c-64f3-5126-9306-3f16cbe62046}","name":"mausbhost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{31463556-e3f6-4ddb-9ece-7bf5b8339c6f}","name":"Microsoft.Windows.CellCore.MobileBroadband.WMBClass","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d6172801-3486-5dba-460b-73564ed30393}","name":"Microsoft.Windows.Input.MouClass","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ee5c44b7-501a-5f89-a347-6629cb302a5f}","name":"Microsoft.Windows.SMB.MRXSMB","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{52134415-75c1-4df9-9118-8b2bd00cc6e2}","name":"Microsoft.Windows.SMB.MRXSMB20","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e2cdbc57-b2a5-570a-969b-ef80adc0b915}","name":"Microsoft.Windows.Sec.Driver","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{cdead503-17f5-4a3e-b7ae-df8cc2902eb9}","name":"Microsoft.Windows.NDIS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{11c5d8ad-756a-42c2-8087-eb1b4a72a846}","name":"Microsoft-Windows-NdisImPlatformEventProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d1f8046b-db4e-48e1-a7a7-d5e03537e8e8}","name":"Microsoft.Windows.RemoteAccess.Ndproxy","group":""},{"guid":"{828a1d06-71b8-5fc5-b237-28ae6aeac7c4}","name":"Microsoft.Windows.Ndis.NetAdapterCx","group":""},{"guid":"{32723328-9a9f-5889-a637-bcc3f77c1324}","name":"Microsoft.Windows.Ndis.NetAdapterCx.Translator","group":""},{"guid":"{5c7051bd-bedc-52df-b54e-f6f2706f346a}","name":"Microsoft.Windows.Networking.WFP.Kfd","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}","name":"Microsoft.Windows.Hyper-V.NetVsc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ffd1d811-6488-4d44-82af-c31d372609a9}","name":"Microsoft.Windows.FileSystem.NTFS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{93f6b8d0-dd30-53db-e16c-8eb93c811cda}","name":"Microsoft.Windows.Storage.Nvdimm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{24b4f621-1022-48ed-8b93-23fa02191d83}","name":"Microsoft.Windows.Networking.Wlan.Nwifi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab67b0f3-ae94-452d-b595-307667142420}","name":"Microsoft.Windows.Storage.Partmgr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{69a770dd-1cdb-46c0-91c9-cd2a9b76e061}","name":"PciTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d29624ca-200f-44bb-9471-13b01ea15b9e}","name":"Microsoft.Windows.Pdc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9edc1e34-f571-4374-871c-b87cc742017b}","name":"Microsoft.Windows.Power.SleepstudyHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{655f3490-f423-4868-a87c-7a23707b1550}","name":"Microsoft.Windows.Storage.Pmem0101","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bebd6159-6f76-5a22-366a-7753c2a63c3c}","name":"Microsoft.Windows.Audio.PortClass","group":""},{"guid":"{61d5c496-c69b-5b72-de0a-29248a17cace}","name":"Microsoft.Windows.FileSystem.ReFS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5d364aaf-5b49-41a0-9e03-d3cb2aa2e03e}","name":"Realtek.Trace.Provider","group":""},{"guid":"{c000f83a-fc96-4f70-82f9-cdd00abfe098}","name":"Microsoft.Windows.Sdf.KmReflector","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06917f71-ce18-4fb2-80cf-38ddedde08ed}","name":"Microsoft.Windows.Storage.SDStor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2e38431e-4f09-5764-b81f-595fa176933f}","name":"Microsoft.Windows.Oct.Driver","group":""},{"guid":"{a33cf311-4e09-4494-a7b8-182a5bec2e29}","name":"Microsoft.Windows.Kernel.SleepStudyHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e7d0ad21-b086-406d-be46-a701a86a5f0a}","name":"Microsoft.Windows.Storage.Spaceport","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06ef64e5-ffa8-441c-bb2d-0c24f0c32d76}","name":"Microsoft.Windows.Analog.SpatialGraphDriver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5f9080bf-b22c-47ea-8b76-1da0cf975419}","name":"SpatialGraphFilterProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{771e7665-3e83-4475-8ae6-8f5384c41408}","name":"Microsoft.Windows.SMB.SRV2","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cbf776fd-5b21-5fbc-e4cd-f19fe9acc193}","name":"Microsoft.Windows.SMB.SRVADMIN","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4eeb8774-6c4c-492f-8f2f-5ee4721b7bf7}","name":"Microsoft.Windows.Storage.Storport","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{61d3c72e-6b1b-454c-a34d-b39eb95b8d99}","name":"Microsoft.Tpm.Tbs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f1ebc88-8917-5ee3-66d9-0570c60676be}","name":"Microsoft.Windows.Networking.WFP.Ale","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2f07e2ee-15db-40f1-90ef-9d7ba282188a}","name":"Microsoft-Windows-TCPIP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8b9b46ca-778f-5cc2-4255-3a6b1e69ae24}","name":"Microsoft.Windows.Networking.WFP.IPsec","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{444943b7-3a0f-45c9-b7cb-d2a2de9eb852}","name":"Microsoft.Windows.Networking.Tunnel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{11434984-9ab6-57f0-fc34-df79ea15c255}","name":"Microsoft.Windows.UCM.ClassExtension","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3babe443-ebd4-4cce-80d7-20f880c7550e}","name":"Microsoft.Windows.UCM.PolicyManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{227449e1-bddc-4e48-a31c-27523bd264f2}","name":"Microsoft.Windows.FileSystem.Udfs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{22eb0808-0b6c-5cd4-5511-6a77e6e73a93}","name":"Microsoft.Windows.Security.Biometrics.Face.TelemetryProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63221d5a-4d00-4be3-9d38-de9aaf5d0258}","name":"Microsoft.Windows.Security.Biometrics.Face.DiagnosticsProvider","group":""},{"guid":"{32a214f0-6d7f-4068-9085-862e1385c829}","name":"Microsoft.Windows.HidTelephony","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{257d541d-16d8-433c-b421-9ae2255df475}","name":"Microsoft.Windows.Bluetooth.Telephony.AsyncPhoneController","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4e5e33e9-ca19-5357-8628-06f39ea522f5}","name":"Microsoft.Windows.Graphics.IddCx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e6bacf6-5635-4670-bedf-93f55a822f4b}","name":"Microsoft.Windows.Nfc.NfcCx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{13895bc5-e1f8-4144-9f24-4e48868f8220}","name":"Microsoft.Windows.Pos.CX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b7a87d4-6d7c-4c87-8e3d-29f31bff02b8}","name":"Microsoft.Windows.Rdp.Graphics.RdpIdd","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0f0917eb-05ef-4416-87b1-0148718adfec}","name":"Microsoft.Windows.Capture.USBVideo.Trustlet","group":""},{"guid":"{3e52e9c2-0a98-5568-5f7e-87169a98e035}","name":"Microsoft.Windows.SensorsCx.ReadingNotificationSession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8971e817-3247-579a-74fb-624214ec10b8}","name":"Microsoft.Windows.Sensors.CX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{80863bfb-0974-45c1-88df-e4e9a4b2b7d4}","name":"Microsoft.Windows.Capture.USBVideo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2f125292-522c-4ea9-fda1-1d4b8f45b992}","name":"WindowsDriverVerifierXdv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1111450b-dacc-40a3-84ab-f7dba4a6e63a}","name":"Microsoft.Windows.HyperV.VID","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5931d877-4860-4ee7-a95c-610a5f0d1407}","name":"Microsoft-Windows-Hyper-V-VID","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{96c57851-af06-470f-8635-9c5e463e5f0c}","name":"Microsoft.Windows.Storage.VolumeManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e31f252-a41c-41d7-a9e2-3a20162247ec}","name":"Microsoft.Windows.Containers.Wcifs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{796f452c-2331-45df-9277-520f0788c90a}","name":"Microsoft.Windows.Containers.Wcnfs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec044b58-3d13-4880-936f-7b67dfb3e056}","name":"Microsoft.Wdf.KMDF.Fx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6c6d5103-b4ab-46b1-b4cf-7d330f4c81e6}","name":"Microsoft.Wdf.KMDF.Ldr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1fb5ff90-a110-5110-3fa7-5e54b1e386fe}","name":"Microsoft.Windows.WdiWiFi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{75441f26-c4ed-4585-90bd-1c7b9c6a55f7}","name":"Microsoft.Windows.Networking.WfpLwfs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f40af494-46c8-464a-bdac-47d9bd57e7d1}","name":"Microsoft.Windows.Networking.Quic","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{78267204-1ef8-4199-8e25-3b42000c4b23}","name":"Microsoft.Windows.FileSystem.WOF","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2f294903-5481-4aa0-b4ef-14784cc95ce6}","name":"Microsoft.Windows.Xbox.GIP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{af09b0f9-ae02-4926-8a0f-e90d803063a8}","name":"Microsoft.Windows.Security.Biometrics.Face.PerformanceProvider","group":""},{"guid":"{27acaa3c-09fe-5929-1466-dc5b0a189ffd}","name":"Windows.Media.FaceAnalysis.Api","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9c38133f-6d73-42bf-b92b-3e5ad2d05967}","name":"Windows.Media.FaceAnalysis.PerformanceProvider","group":""},{"guid":"{48cafa6c-73aa-499c-bdd8-c0d36f84813e}","name":"Windows.Media.FaceAnalysis.ApiDiagnostics","group":""},{"guid":"{9eff7abc-d74e-4de6-ac46-2c777e467257}","name":"Microsoft.IoT.PoS.IdTechMagneticStripeReader","group":""},{"guid":"{f5329024-efb9-4af7-9326-e3ee6dadc4f8}","name":"Microsoft.IoT.PoS.MagtekMagneticStripeReader","group":""},{"guid":"{1f930302-f484-4e01-a8a7-264354c4b8e3}","name":"Microsoft.Windows.Cast.MiracastLogging","group":""},{"guid":"{1f930301-f484-4e01-a8a7-264354c4b8e3}","name":"Microsoft.Windows.Cast.Miracast","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f651b84-f358-4486-bf42-a8d60d911dc6}","name":"RealtekWindowsWiFi","group":""},{"guid":"{95c32441-f1ff-4a9d-93ab-26a464a55051}","name":"Microsoft.Windows.Print.PScript","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{15fc363b-e2b4-5e55-f1d3-3b0ff726203d}","name":"Microsoft.Windows.Print.PCLmRenderFilter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ac521649-5ec6-5397-d1c5-749cbf5ea79b}","name":"Microsoft.Windows.Print.RenderFilterCommon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63a87ca3-6662-4925-a0a8-f7bb94ef104e}","name":"Microsoft.Windows.Print.PrintToPDF","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e98cb748-3d93-4719-8209-95e0bc46eec7}","name":"Microsoft.Windows.Print.PwgRenderFilter","group":""},{"guid":"{92d9f30a-30dc-592b-b679-ddfa1ba899a5}","name":"Microsoft.Windows.PrintCore.Performance","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{47f16003-0637-4d05-a9da-1fc40bbd0944}","name":"Microsoft.Windows.Analog.PerceptionSimulation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fdcab703-6402-4959-b618-f5c3c279ef3d}","name":"Microsoft.Windows.Print.PrintConfig","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fd6ec121-dc51-42fd-a559-ba984d345e2b}","name":"Microsoft.Windows.Print.PrintDeviceCapabilities","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2974da9a-e1f3-5c5f-2abe-f7f20f6448bc}","name":"Microsoft.Windows.Print.JScriptLib","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1c418091-59f2-529b-8ba6-da40facc1cf3}","name":"Microsoft.OSG.IoT.Pos.RemoteDriver","group":""},{"guid":"{e00465de-86b7-5ef4-7a62-a6eed76ab1ba}","name":"Microsoft.Windows.UEFI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{54dc5472-46e8-5f6d-c555-54eab87bccbf}","name":"Microsoft.Windows.Audio.InboxEffects","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{84bf3402-c117-5308-1df5-370f5ff81bea}","name":"Microsoft.Windows.Usage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{65af3014-367d-4645-b850-77fd014e262a}","name":"Microsoft.Windows.WpdMtp.Driver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{539f3db6-e6f3-43c1-96c1-9e66816e12be}","name":"Microsoft.Windows.Scan.WsdScanDriver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a23bd382-12ab-4f02-a0d7-273153f8b65a}","name":"Microsoft.Windows.DriverInstall","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{42f9500f-081e-4e4a-9a45-9a7a30bf758f}","name":"Microsoft.Windows.DesiredStateConfiguration.Native","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9d4b9c90-b835-595e-7125-ec72cbc9334e}","name":"Microsoft.Windows.DirectX.DirectSound","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{acc49822-f0b2-49ff-bff2-1092384822b6}","name":"Microsoft.CAndE.ADFabric.CDJ","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5aa2dc10-e0e7-4bb2-a186-d230d79442d7}","name":"Microsoft.CAndE.ADFabric.CDJ.Recovery","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0c7964f6-0865-4847-b379-1b574381bcb7}","name":"Microsoft.CAndE.ADFabric.AutoJoin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7ae961f7-1262-48e2-b237-acba331cc970}","name":"Microsoft.CAndE.ADFabric.CDJ.AzureSecureVMJoin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{743dd30b-05c4-539e-b558-2ea080527271}","name":"Microsoft.Windows.AppModel.DataSharingService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{69f50e3c-f7d3-4775-8010-9bce0279cddf}","name":"Microsoft.Windows.DirectToUpdate","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{7b9fa392-c92c-5e63-59d9-2442d2304c7a}","name":"Microsoft.Windows.Dui","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{afa03ad9-e63c-59d0-754c-f5a51b7fe33c}","name":"Microsoft.Windows.DusmSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a295305a-b6fa-5023-7486-c04d7b745016}","name":"Microsoft.Windows.Dwm.BlackScreenDiag","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{504665a2-31f7-4b2f-bf1b-9635312e8088}","name":"Microsoft.Windows.Dwm.DwmApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2729be56-b41a-54be-8c2a-8da6127a8e38}","name":"Microsoft.Windows.Dwm.Interaction","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1bf43430-9464-4b83-b7fb-e2638876aeef}","name":"Microsoft.Windows.Dwm.DwmCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{289e2456-ee16-4c81-aaf1-7414d66ca0be}","name":"WindowsDwmCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2bed2d8b-72d4-4d19-b0ac-dc27bf3b24ea}","name":"WindowsDwmCoreTests","group":""},{"guid":"{2331d1f1-6b8e-42c5-897e-2ac4f98e53da}","name":"WindowsDwmCoreInstrumentation","group":""},{"guid":"{2161bf9e-e2a6-4463-b9ab-12faa958d69b}","name":"Microsoft.Windows.Analog.HydrogenCompositor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45ac0c12-fa92-4407-bc96-577642890490}","name":"Microsoft.Windows.Dwm.DwmInit","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1a289bed-9134-4b49-9c10-4f98675cad08}","name":"Microsoft.Windows.Dwm.DwmRedir","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0d481997-5998-51af-4ea5-afefe9651b0f}","name":"Microsoft.Beihai.Core.Canvas","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9091cf64-70bb-42e0-a8a1-5c6913825ac4}","name":"SpectreTraceLoggingProvider","group":""},{"guid":"{364e2beb-6efc-47dc-b8b1-49aae1d83922}","name":"Microsoft.Windows.Graphics.DirectWrite","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8d89eda7-2638-483d-9448-1ad7730d9ced}","name":"Microsoft.Windows.GraphicsTools.DXCAP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9fb51033-59f7-4b06-94f0-55b9a73a5b64}","name":"Microsoft.Windows.GraphicsTools.DXCAPTUREREPLAY","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ae9a4436-3e16-40b8-b681-588211243dd6}","name":"Microsoft.Windows.DxDiag","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{03bbe5b8-c788-4d0b-b47e-5b5731398a89}","name":"Microsoft.Windows.Graphics.DXGI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{401b5439-6b0c-45cd-9c08-7080760bd043}","name":"Microsoft.Windows.Graphics.DxilConv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d592c8f4-f305-58fe-d66d-e5d790040d87}","name":"Microsoft.Windows.Shell.DeviceStage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{745976be-5e09-5c76-eabd-76c93c9212d2}","name":"Microsoft.Windows.Networking.EAPPHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06c071f2-6c59-5d55-6b31-1578dd063ddc}","name":"EapCredEvents","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ff32ada1-5a4b-583c-889e-a3c027b201f5}","name":"Microsoft.Web.Platform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{903b9fe3-2cd2-5407-31ca-70c7ace9c26e}","name":"Microsoft.Windows.App.Browser.Diagnostics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{90b23e32-d567-48e1-98d8-61e23bef47a9}","name":"Microsoft.Windows.App.Browser.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{843baf24-ed4d-479c-9e8b-520901959c89}","name":"F12ToolsProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{98a91ff5-590f-58da-f5bf-357430d332ef}","name":"Microsoft.Web.Platform.FetchDiagnostics","group":""},{"guid":"{a806a1b7-e64d-5394-0523-f01f0bd24387}","name":"Microsoft.Windows.TextInput.SpellCheckerEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{692ef39c-05c6-532a-66ff-23d2ab729a21}","name":"Microsoft.Windows.Licensing.ActivationUXLib","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0c017b8d-7629-4ad6-a268-578a14e9dd65}","name":"Microsoft-Windows-Security-EFS-EDPAudit","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6af820a5-6e4f-4558-8d7d-f7d6a2ed7195}","name":"Microsoft-Windows-Security-EFS-EDPAudit-CopyData","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{225d7337-6538-4c12-9418-b37c558c50f2}","name":"Microsoft-Windows-Security-EFS-EDPAudit-ApplicationGenerated","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f14d881-64ea-449d-96d7-34e9c966082b}","name":"Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e42598b4-b399-41cd-a67c-a6b1b6007e07}","name":"EDPCleanupTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f453ba5-f19e-531d-071b-72ba1c501406}","name":"Microsoft.Windows.DeviceManagement.MdmPostProcessEvaluator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6be7190d-dba0-5e9c-8b69-c5a9aed40fb9}","name":"Microsoft.Windows.DeviceManagement.EdpConfiguration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9efe4a6a-30bc-4b9c-9d06-f1f3b8e96adc}","name":"Microsoft.Windows.Security.EdpPrecheck","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4e04241f-30f8-5111-a04e-df3c9c867433}","name":"Microsoft.Windows.Security.Efs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{04493774-364f-4ea2-84c0-83d477100c8c}","name":"Microsoft.Windows.Security.BitLocker.EncryptionToast","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bec72367-4e13-539e-def4-4b2e04da48ce}","name":"Microsoft.Windows.Print.EduPrintProv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{295b5bba-368e-4a3f-b393-2d0d250b1ad1}","name":"Microsoft.Windows.EnergyEstimation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99a714bf-74fe-4666-8f44-c1c7b85a570e}","name":"Microsoft.Windows.SRUM.ProcessTag","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{82b5ad62-b453-481a-b838-ca1eeae6e472}","name":"Microsoft.Windows.Security.EFS.EfsCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f4f0f15b-6af1-4a58-ad83-a7c21a36b5cc}","name":"BitLockerMDMUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{318bbc33-cdfd-42c0-b5e5-57ed92e8935f}","name":"Microsoft.Windows.Security.EFS.EfsWrt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ee3112cb-4b76-49eb-a73b-712ad05e18cb}","name":"Microsoft.Windows.UserDataAccess.EmailApis","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4c252233-fed2-53ff-0f0e-062dc1b91cc3}","name":"Microsoft.Windows.IoT.Client.ShellExtension","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e94614d1-95aa-4bd6-87f8-b6967917f7af}","name":"Microsoft.Windows.Power.Battery","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{91f575cd-50ca-496a-97e0-11bc7f12c659}","name":"Microsoft.Windows.Power.CpuUtilization","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cdef60fa-5777-4b02-9980-1e2c0df22635}","name":"Microsoft.Windows.Power.DeviceProblems","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{79447bc9-0777-4626-b75d-68d37ec5c820}","name":"Microsoft.Windows.Power.Device","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b87ceb6d-52b1-431b-a19d-e4e559de4d27}","name":"Microsoft.Windows.Power.EnergyWizard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ea44cfb5-807d-41c8-950c-3d24eabcc66e}","name":"Microsoft.Windows.Power.PlatformCapabilities","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{16ff057d-f560-4a1a-9d98-b06ca200b934}","name":"Microsoft.Windows.Power.PpmProfiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eedfe0d7-14c4-4370-ac5d-a97e3849b747}","name":"Microsoft.Windows.Power.PowerPolicy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bcdfff62-2656-4c74-86c3-5605d3a0b634}","name":"Microsoft.Windows.Power.PowerRequest","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3c85d27c-5154-47c9-9995-2f3f3671981d}","name":"Microsoft.Windows.Power.SelectiveSuspend","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{30caae83-8eb3-4b59-b67e-e688f6f92e56}","name":"Microsoft.Windows.Power.SleepStudy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46a2d9fa-44da-4ef1-b987-1c95b4584d96}","name":"Microsoft.Windows.Power.ScreenOnStudy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f67958f-7a9c-4dbc-9728-ad3c245646c6}","name":"Microsoft.Windows.Power.SystemInformation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e3cb20a8-05cc-4e9d-ba36-0ee1b3c14dea}","name":"Microsoft.Windows.Power.TimerResolution","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7073707a-0587-4e03-b31f-6443eb1acbcd}","name":"Microsoft.Windows.SRUM.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0e71a49b-ca69-5999-a395-626493eb0cbd}","name":"Microsoft.Windows.EnterpriseModernAppManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{536d7120-a8a4-4a5f-b1f8-1735df9b78d0}","name":"Microsoft.Windows.DeviceManagement.CertificateStore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0f77f82c-2a99-5ed3-eb66-98585f6f4a37}","name":"Microsoft.Windows.Security.RemoteLockCsp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{36a529a2-7cba-4370-8c3d-d113f552b138}","name":"Microsoft.Windows.DeviceManagement.DMClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{24a7f60e-e0cb-5bdc-99a5-0ba8e8c018bd}","name":"Microsoft.Windows.EnterpriseManagement.NodeCache","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{72b37bca-13de-4655-b603-1c745f4d8faf}","name":"Microsoft.Windows.DeviceManagement.DeviceManageability","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9966e698-b74b-4ce2-be16-703ef0acaa30}","name":"Microsoft.Windows.EnterpriseManagement.FirstSyncStatus","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{16eaa7bb-5b6e-4615-bf44-b8195b5bf873}","name":"Microsoft.Windows.EnterpriseDesktopAppManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2b6dbadc-ba94-4ba2-b12c-e4b15f73c15b}","name":"Microsoft.Foundation.Diagnostics.ErrorDetails","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{02f42b1b-4b78-48ce-8cdf-d98f8b443b93}","name":"Microsoft.Windows.ESENT.TraceLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{28e9d7c3-908a-5980-90cc-1581dd9d451d}","name":"Microsoft.Windows.Desktop.Shell.EUDCEditor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1e2fc8ac-8d70-471b-89e9-fc2015acf49f}","name":"Microsoft.Windows.Cellcore.MultiSIM.CSP","group":""},{"guid":"{612aa4d1-4c02-424c-ac7e-ee5307277ac8}","name":"Microsoft.Windows.Cellcore.LPA.CSP","group":""},{"guid":"{209814d7-1019-4651-9aaf-794b1bca59d2}","name":"Microsoft.Windows.MediaFoundation.EVROTA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{072665fb-8953-5a85-931d-d06aeab3d109}","name":"Microsoft.Windows.ProcessLifetimeManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e1fa35be-5192-5b1e-f23e-e2a38f6414b9}","name":"Microsoft.Windows.FileExplorerPerf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{08f5d47e-67d3-4ee0-8e0c-cbd309ab5d1b}","name":"Microsoft.Windows.Shell.CloudFiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b87cf16b-0bf8-4492-a510-d5f59626b033}","name":"Microsoft.Windows.FileExplorerErrorFallback","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{db8464e8-2a75-50cd-51d7-f712b52a9ba3}","name":"Microsoft.Windows.F12.Chooser","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5002109a-ffdc-407e-8a6a-8d893f7d714f}","name":"XperfCoreProvider","group":""},{"guid":"{e60019f0-b378-42b6-a185-515914d3228c}","name":"Microsoft.Windows.Security.Biometrics.CredentialProvider.FaceDiag","group":""},{"guid":"{1d480c11-3870-4b19-9144-47a53cd973bd}","name":"Microsoft.Windows.Security.Biometrics.CredentialProvider.Face","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9e339f5e-6d0e-5645-22a4-02d76deb3432}","name":"Microsoft.Windows.Shell.Family.Authentication","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{833606fb-390d-5663-d604-5d8e18327bf2}","name":"Microsoft.Windows.Shell.Family.Cache","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{750131fe-3dbf-5f00-69f7-20d77122bdae}","name":"Microsoft.Windows.Shell.Family.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{54a0f7de-80ee-48ac-a3c6-a7ef636c82ba}","name":"Microsoft.Windows.Shell.Family.SyncEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc79cf77-70d9-4082-9b52-23f3a3e92fe4}","name":"Microsoft.Windows.WindowsErrorReporting","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1377561d-9312-452c-ad13-c4a1c9c906e0}","name":"Microsoft.Windows.FaultReporting","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{64d9c122-76bd-5efd-a2f7-8f0cd5f7e74e}","name":"Microsoft.Windows.FeatureExperiment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{337b21e4-1d91-42f0-9e88-f77a7fcb045b}","name":"Microsoft.Windows.FolderRedirection","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2beb7410-3174-4391-ab8b-cac210cfd6ac}","name":"Microsoft.Windows.Security.DataProtection.FeClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{546c471c-759f-4edb-b4e7-9f91a1a752f1}","name":"Microsoft-Windows-FileHistory-CatalogErrors","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9a39eabf-d3ef-48e9-8326-7175a4db7c73}","name":"Microsoft-Windows-FileHistory-ConfigMgr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b2f4280f-936e-49a3-be64-5c0de42368ce}","name":"Microsoft-Windows-OneBackup-TargetDiscovery","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8286677e-24b3-4ef4-a463-ff0efbc54771}","name":"Microsoft.Windows.FileHistory.Engine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{572f10d1-d697-5616-4118-98ec535a9e3f}","name":"Microsoft.Windows.FileHistory.ApiUsage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{08b15ce7-c9ff-5e64-0d16-66589573c50f}","name":"Microsoft.Windows.Security.Fido","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c7c12137-338d-5e64-626f-338d51a1b35c}","name":"Microsoft.Windows.Shell.MTF.FilterDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{225b3fed-0356-59d1-1f82-eed163299fa8}","name":"Microsoft.Windows.Security.Biometrics.FingerprintCredential","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0998dfb7-59d7-4e82-92ce-8a83e7c0bb3e}","name":"Microsoft.Windows.Firewall.API","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a288dc52-4074-4e21-842d-97db6e1e9052}","name":"Microsoft.Windows.CTAC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9384638b-db04-57ed-af12-e492da02d5d6}","name":"Microsoft.Windows.TextInput.FluencyDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8479f1a8-524e-5226-d27e-05636c12b837}","name":"Microsoft.Windows.Desktop.Fonts.FontManagementSystem","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45896826-7c5e-5a91-763d-67db83540f1b}","name":"Microsoft.Windows.Desktop.Shell.FontFolder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{37152864-4c08-5745-da4f-65a46a537347}","name":"Microsoft.Windows.Fonts.FontSubsetting","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec50b9c2-b123-4552-931f-c4826f70a67e}","name":"Microsoft.Windows.MediaFoundation.FrameServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0a645885-cc18-4dec-ab0a-8aa890c13d3e}","name":"FsIsoTracelogProvider","group":""},{"guid":"{e548a491-711c-4e50-b77d-e8a6e4397c36}","name":"Microsoft.Windows.Das.Fd","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d0974663-5c08-408f-9445-35bb55075757}","name":"FveAPILoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{00a85728-5a3d-4b9e-b24b-9a14cce5f322}","name":"DESkyBackupProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{89467242-6dcd-4d99-a6ed-55d0c19eec09}","name":"DEUITraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5c86354e-81c8-4138-96e0-f50301ff8648}","name":"DEWizardTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c9e8f9ee-0333-43eb-90b5-d30bd5c5658f}","name":"Microsoft.Windows.Networking.DefenderFirewall.CSP(Aggregate)","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e90cb4c0-c7b6-4f18-a53a-187934ad4b55}","name":"Microsoft.Windows.Firewall.PolicyIoManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7e32a1c4-d502-5b7c-39e8-2b7b0b5f0424}","name":"Microsoft.Windows.Networking.WFP.User","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bd79c6b5-7e6a-4084-a409-d9b8a872fa9b}","name":"Microsoft.Windows.GameBarPresenceWriter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0f014207-837c-4862-8e6d-cc648083466e}","name":"Microsoft.Xbox.GameChatTranscription","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2f669506-de7f-4807-9f05-61ac44ec3465}","name":"ExpandedResourcesAPI","group":""},{"guid":"{95df1e7b-74e0-547f-1f87-dada00554433}","name":"Microsoft.Windows.GameOverlay","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed785a68-905d-4713-96f0-64c443cd9d19}","name":"Microsoft.Windows.GameOverlayTracing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc78b5d4-24c2-4b47-833e-ea9729da1cd4}","name":"XboxLiveGamingUI","group":""},{"guid":"{89dfbde8-86e8-489b-9867-eefdc5e8879b}","name":"Microsoft.Geolocation.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a313af2b-a798-470e-9355-f535c3d45f94}","name":"Microsoft.Geolocation.Verbose","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cb671458-ad15-40e8-a65a-753ea62d853a}","name":"Microsoft.Geolocation.Api","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c1df9318-da0b-4cd1-92bf-59415e6454f7}","name":"Microsoft.Windows.GroupPolicy.CSEs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6fc72ed3-75da-4bc4-8365-c4228ceaedfe}","name":"Microsoft.Windows.GroupPolicy.RegistryCSE","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9143e88c-3068-446d-8782-2848cf0034b7}","name":"Microsoft.Windows.Graphics.GPM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99288295-d294-5e94-ca68-18e2fa6cc424}","name":"Microsoft.Windows.Shell.GroupConverter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0f51c5a7-0e76-47a5-bede-7cf62c5822f6}","name":"Microsoft.Windows.Kernel.HAL","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a935c211-645a-5f5a-4527-778da45bbba5}","name":"Microsoft.Tpm.HealthAttestationCSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8e38fc76-5593-4c1b-98b1-a13770b67d98}","name":"Microsoft.Windows.Cast.HdcpHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{55a5dc53-e24e-5b53-5b52-ea83a0cc4e0c}","name":"Microsoft.Windows.Heat.HeatCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{54225112-eaa1-5e29-c8f8-1cb9924d6049}","name":"Microsoft.Windows.Heat.HeatCore.Test","group":""},{"guid":"{9211ac87-37d7-5868-092f-010437c37f40}","name":"Microsoft.Windows.Heat.HeatCore.Perf","group":""},{"guid":"{3602a94a-b764-5eca-4257-286887531640}","name":"Microsoft.Windows.Shell.AdvancedSharingSettingsCPL","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{24fd15bb-a367-42b2-9210-e39c6467bf3a}","name":"Microsoft.Windows.Shell.Homegroup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{278491e2-da59-4053-acbf-d2043d476631}","name":"Microsoft.Windows.HtmlHelp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b715ff40-adb2-4a51-a077-90b81d1e0e62}","name":"Microsoft.Windows.Input.Hiddll","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e369227c-ee2f-42d0-9734-cec639966d99}","name":"Microsoft.Windows.Analog.Compositor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c4d4d3fc-b8de-5cd2-a0cf-1dfdcc4997c4}","name":"Microsoft.Cognition.MixedRealityCompositor.MetadataGenerator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{356e1338-04ad-420e-8b8a-a2eb678541cf}","name":"Microsoft.Windows.Analog.SpectrumContinuous","group":""},{"guid":"{46fe483a-c057-49e3-9a3e-6661ae69d267}","name":"Microsoft.Windows.HydrogenBaseTrace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ac6a1be3-fe8c-4c86-a355-6249ca1dbd1d}","name":"Microsoft.Windows.Hydrogen.Engine.NewRPC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eee90ccf-b5cf-5c29-eab2-e8e24257af70}","name":"Microsoft.Windows.Hydrogen.ResourceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3a722c70-188c-575a-09e8-95068c764465}","name":"Microsoft.Windows.Hydrogen.RuntimeProject","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{41258037-fd37-44dc-a4c5-3e814bf9bc08}","name":"Microsoft.Windows.Hydrogen.Engine.NewBase","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5d83ff6d-8620-41bd-a209-83c28016db4c}","name":"Microsoft.Windows.Hydrogen.Input","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4e8ad9d9-a447-4f60-add9-f88a79ae5d85}","name":"Microsoft.Windows.Hydrogen.Common.Sound","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b0989218-f91b-5303-b8b8-6018bfcb25b7}","name":"Microsoft.Windows.Hydrogen.Renderer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3f159176-af51-44f4-838f-b1268a925924}","name":"Microsoft.Windows.Analog.HoloShell","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{43a82e4f-d4b5-5b44-90c0-4036b52f2b7f}","name":"Microsoft.Windows.Holographic.OasisBenchmark","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{581071af-2a59-5892-e3ba-34ec806f78ef}","name":"Microsoft.Windows.Holographic.HolographicExtensions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{155a4d3f-9e34-547a-16a5-5f25ecf07d3f}","name":"Microsoft.Windows.Holographic.Coordinator","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{1666c918-7923-5cac-899c-f2b448e1a7a4}","name":"Microsoft.Windows.Holographic.InputBanner","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fb9ca694-62b6-5e95-f1d4-fa9e239015e6}","name":"Microsoft.Windows.Holographic.HolographicSessionTracker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5bcbfd6b-0337-56af-43ff-da8a1600fae7}","name":"Microsoft.Windows.Holographic.ViewPorter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1f06148f-cdbf-5e07-7f82-4e4aa0f13b9e}","name":"Microsoft.Windows.Holographic.CrossApartmentBarrier","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a329db5c-f4b7-5ce4-1fd8-f030503f517a}","name":"Microsoft.Windows.Holographic.HolographicLoader","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4d4412bd-15ef-52c2-8fee-89fc2e1b0f67}","name":"Microsoft.Windows.Holographic.SlatePositionGuardian","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e4c79dc8-f1d2-5475-4462-6d9908e61420}","name":"Microsoft.Windows.Holographic.SlatePositionGuardianVerbose","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a5b43b76-8698-5fdd-5ed3-5416c5b56d16}","name":"Microsoft.Windows.Holographic.VirtualMonitorPool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{882ec52c-3421-5770-2e47-fa137064d029}","name":"Microsoft.Windows.Holographic.Win32SlateActivationLog","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{69689644-337a-541b-c3f8-55bc750ef76e}","name":"Microsoft.Windows.Holographic.Install","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d8c84585-1f65-5d5f-b0a4-bd4499f0812d}","name":"Microsoft.Windows.Holographic.DesktopFodInstaller","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{05c32102-40e0-4b2b-b778-e5fd577c472b}","name":"Microsoft.Windows.Analog.Spectrum","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c116a72f-3f96-4983-b83e-48f8168610a8}","name":"Microsoft.Windows.Analog.HoloSHExtensionTracing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c116a72f-3f96-4983-b83e-48f8168610a8}","name":"Microsoft.Windows.Analog.HoloShellExtensions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2edb24b0-dab3-4b98-b843-c73cc2c729ee}","name":"Microsoft.Windows.Analog.HoloShellTiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{201a54ec-f956-570a-c003-5f0ccde64705}","name":"Microsoft-Windows-Shell-CriticalResultVerifier","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5d1e83a6-bbe3-4844-94c0-0347370b5208}","name":"Microsoft.Windows.Analog.HoloSI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{52000e1d-a0d3-55cd-dd29-631ed05d560e}","name":"Microsoft.Windows.Audio.HrtfApo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d1af2c40-3880-47c9-ade0-0fc1a909be08}","name":"Microsoft.Windows.Audio.Spatial.Audio3D","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b9cb5f6-76f7-5daa-cd46-536646cceb40}","name":"Microsoft.Windows.AppModel.HttpsDataSource","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d7c4072e-0fe3-580c-7ea5-5367644777ba}","name":"Microsoft.Windows.Appx.HttpsTransport","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6cba7043-bf35-5e8c-2a96-033ef9b3ceee}","name":"Microsoft.Windows.Hydrogen.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9f7e92de-9bd1-5b43-9cbd-e332a6ed01e6}","name":"Microsoft.Windows.Hydrogen.RuntimeLoad","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ecc4586-a9b8-421d-8678-4625026f82be}","name":"Microsoft.Windows.HyperV.Heartbeat","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{85a7888c-4ef7-5c56-643f-fbd6dc10febe}","name":"Microsoft.Windows.HyperV.KvpExchanges","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f83552c4-a4e8-50f7-b2d4-a9705c474490}","name":"Microsoft.Windows.HyperV.TimeSync","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5d5a95bd-33f7-5997-f727-14dd1f1a93e4}","name":"Microsoft-Windows-Shell-IdControl-Desktop-InMarket-8.1","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{23696c34-d5b3-52e0-739d-b52807876f13}","name":"Microsoft.Windows.Shell.MTF.InputHistoryDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e7ba355a-ec20-5993-dd3b-9215e4d8a23c}","name":"Microsoft.Windows.Networking.Ikeext","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{47a8ea0f-be9f-5a94-1586-5ded19d57c3d}","name":"Microsoft.Windows.Desktop.TextInput.JapaneseIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99d75be6-d696-565a-1c56-25d65942b571}","name":"Microsoft.Windows.Shell.MTF.LMDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2593bdf1-313b-5c29-355c-6065ba331797}","name":"Microsoft.Windows.Desktop.TextInput.ImeCommon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{54cedcd4-5f61-54b3-d8e2-dd26feae36b2}","name":"Microsoft.Windows.Shell.MTF.DesktopInputHistoryDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b2576ddb-209b-52a9-a0d4-6f9386e15e2d}","name":"Microsoft.Windows.Shell.MTF.JpnRankerDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ca8d5125-1b72-5208-5147-0d345b85bd11}","name":"Microsoft.Windows.Desktop.TextInput.KoreanIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06404639-ec4f-56d8-f82e-49bf6ad1b96a}","name":"Microsoft.Windows.Desktop.TextInput.BopomofoIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e3905915-dd2b-5802-062b-85f03eb993d5}","name":"Microsoft.Windows.Desktop.TextInput.OldKoreanIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a703f75d-9c1d-59c0-6b0a-a1251f1c6c55}","name":"Microsoft.Windows.DeskTop.TextInput.ModeIndicator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{68259fff-ce2b-4a91-8df0-9656cdb7a4d6}","name":"Microsoft.Windows.Desktop.TextInput.MSCand20","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a097d80a-cae1-5a27-bdea-58bd574c9901}","name":"Microsoft.Windows.Desktop.TextInput.CloudSuggestionFlyout","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d313c0d7-e20d-5ea5-45f9-82b42e3a77f2}","name":"Microsoft.Windows.Security.SmartCards.TpmVscMgrServerImmersive","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{24c1e9bd-af57-4347-b26b-3af10b256475}","name":"Microsoft.Web.Platform.IDBLegacyServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e7d88397-e955-534f-4caf-d57798656789}","name":"Microsoft.Web.Platform.StorageServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f72e560-ef48-5597-9970-e83a697071ac}","name":"Microsoft.Windows.Desktop.Shell.InputDll","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{83bda64c-a52c-4b37-8e61-086c22a4cd15}","name":"Microsoft.Windows.InputStateManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{973c694b-79a6-480e-89a5-c8c20745d461}","name":"Microsoft.OneCore.MinInput","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b01be74-d810-5994-228e-ee8417be3468}","name":"Microsoft.Windows.OneCore.MinInput","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dd62acb1-e73c-453b-b2f8-ac88f785466f}","name":"Windows.UI.Input.Preview.Injection","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63bcb611-4446-564a-a4b3-7d65624589ef}","name":"Microsoft.Windows.Input.InputService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b7bd959-bfea-5953-583c-fb7bf825bc92}","name":"Microsoft.Windows.Desktop.TextInput.ChxEm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2e426d37-0f80-5235-94c4-3586b385f3d8}","name":"Microsoft.Windows.Desktop.TextInput.ChsIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ff5023d9-8341-5dfb-3c33-17a1ab76a426}","name":"Microsoft.Windows.Shell.CandidateWindow","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2d66bb8d-2a6b-5a2d-a09c-4f57a1776bd1}","name":"Microsoft.Windows.TextInput.ChsIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b7bd959-bfea-5953-583c-fb7bf825bc92}","name":"Microsoft.Windows.Desktop.TextInput.ChtIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9006c590-4dc8-5df7-adbc-21bf29cd284f}","name":"Microsoft.Windows.Shell.MTF.DeprecatedInputHistoryDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f61cc6b7-e935-5591-bb63-27b07edf1d7a}","name":"Microsoft.Windows.Desktop.TextInput.ImeSettingHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dc10c74c-f6d9-5656-d77d-ca9047620cb7}","name":"Microsoft.Windows.TextInput.FlipProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c2709ea3-ae58-5742-3c79-9c11f30145ac}","name":"Microsoft.Windows.TextInput.SpellCheckingEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e941009c-7403-48ae-b5b3-df1fcaa62a60}","name":"Microsoft.Windows.TextInput.LITE","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{50f52804-951b-5f4a-dbff-b3f131b6ab1a}","name":"Microsoft.Windows.TextInput.JpnProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c5aaed5a-4274-582f-9e34-6c39e00c5d3c}","name":"Microsoft.Windows.TextInput.KorProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b8f790b-f6fc-5278-3d67-7d3250b936b7}","name":"Microsoft.Windows.TextInput.VieProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0730820b-b89b-59a2-e81e-a9338bb8759f}","name":"Microsoft.Windows.Mobile.TextInput.ChsIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{327ed12c-fe8d-5c62-0f13-3f985c85ccf7}","name":"Microsoft.Windows.Mobile.TextInput.ChtIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{05774fd1-2d2f-56fa-1b12-c8f7a231c486}","name":"Microsoft.Windows.TextInput.DictationInputProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{73ae0ec4-37fc-4b10-92c0-7f6d9d0539b9}","name":"Microsoft.Windows.TextInput.ExpressiveInput","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{df4cf2e3-435c-4010-9e05-0f54287cdc31}","name":"Microsoft.Windows.TextInput.InputSession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{397fe846-4109-5a9b-f2eb-c1d3b72630fd}","name":"Microsoft.Windows.Desktop.TextInput.InputSwitch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{03e60cf9-4fa0-5ddd-7452-1d05ce7d61bd}","name":"Microsoft.Windows.Desktop.TextInput.UIManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9bfa0c89-0339-4bd1-b631-e8cd1d909c41}","name":"Microsoft.Windows.StoreAgent.Telemetry","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{7c109ac5-8971-4b39-aa88-ecf239827664}","name":"Microsoft.Xbox.WinHttp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e8d3c0f1-e832-56b6-ba8b-99fb106b1390}","name":"Microsoft.Windows.OneSync.InternetMailEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b7a67e9e-2118-5941-38a2-12a16fe4dfef}","name":"Microsoft.Windows.OneSync.InternetMailCSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9a9d6c4e-0c84-5401-7148-5d809fa78018}","name":"Microsoft.Windows.Desktop.Shell.RegionOptions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc3ada53-28c8-571e-d3a1-6e2a3a94978e}","name":"Microsoft.Windows.IoT.Client.AssignedAccessLockdown","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{17b41d83-1719-4224-924f-067fd63c7511}","name":"Microsoft.Windows.Shell.Cortana.IPELogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{70f18147-06e6-497b-bbc4-58d60b4760e2}","name":"Microsoft.Windows.Networking.Teredo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f3c64a5-69c2-4cda-93cb-b1031e362b8f}","name":"Microsoft.Windows.Networking.SharedAccess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b5ee38bb-f738-4c2e-985e-b39f2660d86e}","name":"Microsoft.Windows.Input.ControllerProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3317c7e7-7c40-4275-9f7b-d539c10e19ba}","name":"Microsoft.Windows.Analog.RawInputProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45a9f627-567d-449e-bc48-29ee4b2cd3a5}","name":"Microsoft.Windows.Analog.RawInputProvidersContinuous","group":""},{"guid":"{e054d6d0-e9dd-4e99-a366-683078318a47}","name":"Microsoft.Windows.Input.RawInputProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f903db44-149e-4b4e-afe1-2a1096f53dfa}","name":"Microsoft.Windows.Analog.SpatialInteraction","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ce8e4f2-fecb-4013-9d4d-be7f699d438d}","name":"Microsoft.Windows.Analog.SpatialInteractionContinuous","group":""},{"guid":"{8a681f73-36de-5cd8-8833-dcc50fb7a329}","name":"Windows.Shell.IsoBurn","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3841390-5ecf-446a-b936-c8cfc28ad2d2}","name":"Windows.Maps.Platform.JPMapControl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5a82ad4c-9894-50a8-2bc9-617a4c2bef2d}","name":"Microsoft.Windows.Shell.MTF.JpnDecoderDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{989f6d5d-e45a-51eb-b02c-6c48b059f55a}","name":"Microsoft.Windows.Shell.MTF.JpnServiceDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{80336d8c-073d-5b46-225c-b7674d0c20f2}","name":"KernelDebuggerData","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8a4fc74e-b158-4fc1-a266-f7670c6aa75d}","name":"Microsoft.Windows.Security.Kerberos","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e36c4458-ed80-4ad7-a8be-52dda1eb5f1c}","name":"Microsoft.Windows.Base.Win32.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{58e1853a-3c4e-4bba-9ff8-e1cd088d25a5}","name":"Microsoft.Windows.Base.Win32.Job","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{70caa5b8-a8f0-408a-8b53-563bff7ff2ff}","name":"Microsoft.Windows.NTVDM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{05f95efe-7f75-49c7-a994-60a55cc09571}","name":"Microsoft.Windows.Kernel.KernelBase","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f1ef270a-0d32-4352-ba52-dbab41e1d859}","name":"Microsoft-Windows-AppModel-Runtime","group":""},{"guid":"{3c74afb9-8d82-44e3-b52c-365dbf48382a}","name":"Microsoft.Windows.Kernel.Base","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{41b5f6e6-f53c-4645-a991-135c2011c074}","name":"Microsoft.Windows.AppModel.StateManagerTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{34646397-1635-5d14-4d2c-2febdcccf5e9}","name":"Microsoft.Windows.Security.NGC.KeyCredMgr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf69df80-7690-41da-99c9-186e46860e7d}","name":"Microsoft.Windows.Provisioning.Knobs.Core","group":""},{"guid":"{a9f17d57-43d6-498c-94e4-eb0e9e7e19c2}","name":"Microsoft.Windows.Provisioning.Knobs.CSP","group":""},{"guid":"{8b48a132-cbd8-4786-82da-66a4360bcc85}","name":"Microsoft.Windows.DShow.Ksproxy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a245f3c6-c600-5d61-6978-14299db0cb16}","name":"Microsoft.Windows.Shell.LanguageComponentsInstaller","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b9c4496b-b9ba-584b-68f5-ca2a501afcdc}","name":"Microsoft.Windows.Desktop.Shell.CBSWrappers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3a7f381-6040-5d93-64e2-b89cf65ba4c3}","name":"Microsoft.Windows.LanguageOverlay","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4d088be4-bebf-4fe7-aa25-ae1370543847}","name":"Microsoft.Windows.LanguagePackDiskCleanup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{af9f58ec-0c04-4be9-9eb5-55ff6dbe72d7}","name":"Microsoft.Windows.LicenseManager.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{13020f14-3a73-4db1-8be0-679e16ce17c2}","name":"Microsoft.Windows.Store.LicenseManager.UsageAudit","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{961d7772-0a35-4869-89ad-056fbfc0e51f}","name":"Microsoft.Windows.LicensingCSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{319ac5ba-43a9-495f-9905-8216cb896d17}","name":"Microsoft.Windows.Licensing.OA3HWID","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8c67ac58-c137-4ee2-9944-23a0375a6847}","name":"Microsoft.Windows.Licensing.LicensingUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a4c7a3d8-ebce-466d-a9c6-08373fbfcfb8}","name":"Microsoft.Windows.Licensing.LicensingPolicyManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0edfb871-acea-486f-8516-8457701198e0}","name":"Microsoft.Windows.Licensing.Troubleshooter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{522dd632-a132-4ca6-b50a-62279034fd9b}","name":"Microsoft.Windows.ShAcct","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ba4936a1-31db-4edc-89ce-9190e3c0653b}","name":"Microsoft.Windows.Print.LocalSpooler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b7ec0bd7-597d-49f1-9d00-7b1f8ad1612f}","name":"Microsoft.Windows.Print.MS3DLocalSpooler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7981fc8d-605e-4052-87a7-fe07ced4ebaf}","name":"Microsoft.Windows.Print.SplLib","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{97b0ffcd-6217-567e-4fda-e5e0f7f6da54}","name":"Microsoft.Windows.Print.DevmodeSizePatch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f93acd0-1c1c-5637-8860-e38dc9dd1e69}","name":"Microsoft.Windows.Location.Crowdsource","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{31f05ccd-99d9-5674-0e43-36e104f04d22}","name":"Microsoft.Windows.Location.Uploader","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{b93d4107-dc22-5d11-c2e1-afba7a88d694}","name":"Microsoft.Windows.Shell.Tracing.LockAppBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9ca921e3-25a4-5d34-39da-a59bd8bdf7a2}","name":"Microsoft.Windows.Shell.LockAppBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2d710779-b24b-4adb-81ef-cd6ded5a9b2a}","name":"Microsoft.Windows.Shell.LockScreenController","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{74cc4a0b-f577-5929-abcb-aa4bea374cb3}","name":"Microsoft.Windows.Shell.LockAppHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{75816b5c-ecd1-4dbc-b38a-47a9646e60be}","name":"Microsoft.Windows.Shell.LockScreenExperienceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2ca51213-29c5-564f-fd60-355148e8b47f}","name":"Microsoft.Windows.Shell.SingleViewExperience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46a55c26-5759-5897-84f4-cbebd1134adc}","name":"Microsoft.Windows.Shell.LockAppHostNoisy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1ef1b3bd-ba20-5fd6-68c1-beb652b5d0c2}","name":"Microsoft.Windows.Shell.LockScreenContent","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3d14ca27-6eb2-4789-9b52-33ec88ecf5b0}","name":"Microsoft.Windows.Shell.LockScreenData","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f7c073a-65bf-5045-7651-cc53bb272db5}","name":"Microsoft.Windows.LogonController","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3ec987dd-90e6-5877-ccb7-f27cdf6a976b}","name":"Microsoft.Windows.LogonUI.WinlogonRPC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b45275fa-3b9c-40f2-aaad-10060f77f0c0}","name":"Microsoft.Windows.Shell.CloudExperienceHost.DatVPrep","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{41d006bf-1a11-4122-a0eb-0ea2ae688045}","name":"Microsoft.Windows.Cellcore.LPA.ServiceTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0ec00dbb-7b5f-5b8d-c1ff-641fc48e8729}","name":"Microsoft.Windows.Cellcore.LPA.Service","group":""},{"guid":"{a4e69072-8572-4669-96b7-8db1520fc93a}","name":"LsaIso TraceLogging Provider","group":""},{"guid":"{f2d27937-6aa6-4e52-bde2-aee097c9095e}","name":"Microsoft.Windows.Security.BCryptIum","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{77811378-e885-4ac2-a580-bc86e4f1bc93}","name":"Microsoft.Windows.Security.Ntlm","group":""},{"guid":"{4d9dfb91-4337-465a-a8b5-05a27d930d48}","name":"Microsoft.Windows.Security.LsaSrv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{557d257b-180e-4aae-8f06-86c4e46e9d00}","name":"LSM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{da539211-d525-422a-8add-bcbe4367159c}","name":"Microsoft.Windows.RemoteDesktop.RDSLSTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a5caeb9d-0457-5ec6-9fb0-ebc4436ae297}","name":"Microsoft.Windows.Cellcore.LPA.Client","group":""},{"guid":"{22bcd1ea-be3d-4933-8a14-06a5a86b29e4}","name":"Microsoft.Windows.Magnifier.Asimov","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aa70963a-d6ac-4802-92bb-63ae2d9fd2d0}","name":"ManageBDETraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a078af5a-f530-5054-3028-597b53c15178}","name":"Microsoft.Windows.Security.CodeIntegrityManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1b648321-3416-5266-7387-b58ed4a80d58}","name":"Microsoft.Windows.Maps.Services.Bing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b62d85f-8df3-44a9-9bfa-17493ea7b72a}","name":"Windows.Maps.Platform.MapControlCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8b57f962-881e-44f6-a4c1-08f3d268ce32}","name":"Microsoft.Windows.Maps.MapEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{91d35613-d4e5-5939-03c5-31da88a791f9}","name":"Microsoft.Windows.Shell.Mapi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a35ab2e2-a6cb-4b0f-8989-5c6f41e9708e}","name":"Microsoft.Windows.Maps.BackgroundTransfer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3fbe2230-5b5b-5871-87f5-9b583e56b82f}","name":"Microsoft.Windows.Shell.SystemSettings.Maps","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{767d1a28-b916-5b5e-9bec-5456c827edd5}","name":"MbaeApiLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46dc5dcf-095f-4157-abed-fd6ae23720e0}","name":"Microsoft.Windows.Cellcore.Settings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4d9aa417-945d-40b5-8f4a-9ca69802f825}","name":"Microsoft.Windows.CellCore.Provisioning.ParserTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f3d10d5a-8291-433d-9275-cdd0067a0022}","name":"MBBSettingUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46dc5dcf-095f-4157-cded-fd6ae33720e0}","name":"Microsoft.Windows.Cellcore.MBMediaManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{569a031f-3540-46e0-96d4-fb94164a99c7}","name":"Microsoft.Windows.Cast.MiracastReceiver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{206ba7a1-88e8-4abb-b6b8-28937e82c72b}","name":"Microsoft.Windows.MediaFoundation.HEIFReader","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{85e2da35-d4fe-5a85-0874-ed763688fd59}","name":"Microsoft.Windows.MediaFoundation.MPEG4Source","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bf5f1ee5-5dc0-4836-9f23-889294c42a54}","name":"Microsoft.Windows.DeviceManager.DiagnosticsTool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8279ba28-466f-46ac-9bf5-27e97c2a4f95}","name":"Microsoft.Windows.DeviceManagement.Migration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{870ac05a-7777-5c66-c3f0-c1f6b7129ef6}","name":"Microsoft.Windows.Messaging.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{27df94e7-11d1-58e5-885d-f1969b998936}","name":"Microsoft.Windows.MediaFoundation.ASFSource","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c715453b-5d50-4ed1-8304-2ffca01cbd00}","name":"Microsoft.Windows.Capture.MFCaptureEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5100ef35-4747-4d3f-92a1-4ed6d661c3fb}","name":"Microsoft.Windows.MediaFoundation.SAR","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8aef5633-dae7-43e9-bd1d-c620598e56d0}","name":"Microsoft.Windows.MediaFoundation.UVC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{736ec865-856c-4c63-bd9d-15eb85634c42}","name":"Microsoft.Windows.MediaFoundation.DeviceSource","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9ee22e19-9672-4625-a9ff-c2b711ad923f}","name":"Microsoft.Windows.CameraDebug","group":""},{"guid":"{6ade59e8-a7c0-53d6-c3e0-8fe89759ca13}","name":"Microsoft.Windows.MediaFoundation.MediaSession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4d0b22c3-3b49-5af6-ba09-0a1cda1083c4}","name":"Microsoft.Windows.MediaFoundation.MFDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{deb6de00-a0cb-5689-f9f9-f26cb3970205}","name":"Microsoft.Windows.MediaFoundation.H264Encoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f7e7a5e-6559-4718-9a21-f833e25c2ad1}","name":"Microsoft.Windows.DShow.MFproxy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6f749c6-fbe8-5c8d-f3b1-aca1563d7be3}","name":"Microsoft.Windows.MediaFoundation.MP3Source","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b5f30508-38bb-5033-4f81-7de7fe7c4369}","name":"Microsoft.Windows.MediaFoundation.MSE","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3e72573a-5c5f-5ed8-d6f1-f1b44db1b81b}","name":"Microsoft.Windows.MediaFoundation.MediaEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f4ac2ca-3a70-5f37-3f2c-2cb11f16b596}","name":"Microsoft.Windows.MediaFoundation.MKVSource","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{645a72a6-1657-53bb-d5e7-d6526033ef20}","name":"Microsoft.Windows.MediaFoundation.SourceResolver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{905a29f8-4571-4926-9be1-cbffce287814}","name":"Microsoft.Windows.MediaFoundation.ContentProtectionDevice","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fbdc4594-a4a9-5f04-af86-7bd18a7938b9}","name":"Microsoft.Windows.MediaFoundation.CodecAppSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6b4e98da-b103-588e-d0db-c7a111582066}","name":"Microsoft.Windows.MediaFoundation.TelemetrySession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{86bf288b-fe8c-4174-98aa-0ea625a0bea6}","name":"Microsoft.Windows.MediaFoundation.SourceReader","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ca1d0166-619f-4177-a6c5-6faae46b42ef}","name":"Microsoft.Windows.MediaFoundation.SinkWriter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d4356983-5d0d-43c3-84bf-9d2288b7c46b}","name":"Microsoft.Windows.MediaFoundation.SensorGroup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{603bc3ed-ad38-4d30-beb0-36721b0532fe}","name":"Microsoft.Windows.MediaFoundation.AVISource","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d63aebf8-bec4-4e76-8f7c-9565792ac782}","name":"Microsoft.Windows.MediaFoundation.OTA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fc40bb95-722a-5366-9c5e-1a73d989faea}","name":"Microsoft.Windows.MediaFoundation.SVR","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f10f4696-dd8a-40f0-90be-cd013d0db9c7}","name":"Microsoft.Internal.Management.AutoPilot.Reset","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2aee48b8-f498-4f2e-a2a2-898665db5c3e}","name":"Microsoft.Windows.Bluetooth.Gap","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cd40e783-2e71-5f1f-0618-d8bb43779841}","name":"Microsoft.Windows.Bluetooth.GattInterface","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a43eaa00-d8fa-5b2a-afce-1b6dd39164f1}","name":"Microsoft.Windows.Bluetooth.GattServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e35e3be-9005-567f-e2c8-071b4f985b0a}","name":"Microsoft.Windows.Bluetooth.GattClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fa5fd884-8804-4a36-98b8-70bfc46a9fa2}","name":"Microsoft.Windows.Bluetooth.Proximity","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1adab660-a3f8-5f4a-276b-743d455464ee}","name":"Microsoft.Windows.Bluetooth.LooselyCoupledDevices","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7bd2c7f4-6671-474e-bdfc-2d141a0b6b7e}","name":"Microsoft.Windows.Bluetooth.QuickPair","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9eb494cd-1f06-5384-c8d8-98c3377fce89}","name":"Microsoft.Windows.Bluetooth.Battery","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e7c0f27-9cce-4d40-be33-5d2a6e8ac1d7}","name":"Microsoft.Windows.Graphics.Display.DisplayEnhancementService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ae5c851e-b4b0-4f47-9d6a-2b2f02e39a5a}","name":"Microsoft.Windows.Sensors.SensorService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5836994d-a677-53e7-1389-588ad1420cc5}","name":"Microsoft.Windows.MicrosoftAccount.TBProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d758d01c-7402-5923-6a27-44bdcc59a5c5}","name":"Microsoft.Windows.Print.ApMonPortMig","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6c9882ca-4e51-4151-80d6-5ce43f5de6f9}","name":"Microsoft.Windows.AppMan.Migration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{af9fb9df-e373-4653-84ce-01d8857e79fd}","name":"Microsoft.Windows.AppxMigrationPlugin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e915be71-5b71-4085-aa94-c87eacfc9812}","name":"Microsoft.Windows.Das.Migration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59e1d975-a9fd-4346-89b4-393432554a1a}","name":"Microsoft.Windows.Maps.Migration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44e18db2-6cfd-4a07-8fe7-6073794c531a}","name":"Microsoft.Windows.Search.Indexer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1153a52e-8d1c-4e78-b7e3-da3db836bc4c}","name":"Microsoft.Windows.MigrationCore","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{4587e014-39e2-4150-9246-6264f9b719f2}","name":"MigrationCoreTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6f68dc2-8899-4011-b91f-817adad30372}","name":"Microsoft.Windows.Networking.RAS.MediaManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7794a8f9-8482-4396-aa2c-2ab8ef51b6b0}","name":"Microsoft.Windows.Networking.RAS.Manager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45902de3-6d95-4a35-a37e-862215252640}","name":"Microsoft.Windows.Networking.VPNPlugin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{79eebe3e-aab1-4639-94c8-05a1706a6417}","name":"Microsoft.Windows.Networking.RAS.Dialer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{542f2110-2c0f-40d7-aa35-3309fe74b8ae}","name":"Microsoft.Windows.Networking.VPNPlugin.Manager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aba0b84d-4ead-4dc0-84df-08d439679dec}","name":"Microsoft.Windows.Cast.MiracastReceiverConnection","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9282168f-2432-45f0-b91c-3af363c149dd}","name":"Microsoft.Windows.Storage.MiSpace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{65ec0768-c3b4-4e64-8df8-690b3715eae4}","name":"Microsoft.Windows.Storage.PmUtil","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{98a749a0-6ab8-473f-b063-cf91708967c0}","name":"Microsoft.Windows.RecommendedTroubleshootingService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{08fd7da7-ef4e-4566-8852-9483e46167e7}","name":"Microsoft.Windows.ExploitGuard.ExploitProtection","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a6ace3c3-f77c-4ccd-9251-3253574da413}","name":"Microsoft.Windows.ImageMitigationPolicy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{964912bd-6dbc-45ed-bf5d-e3f1664f1227}","name":"Microsoft.Windows.RecommendedTroubleshootingScanner","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9163b919-4ebc-4a39-ab6a-021eb17d8256}","name":"Microsoft.Windows.Holographic.StageManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cae82c8b-0097-4c53-9d72-f56d14c1284f}","name":"Microsoft.Windows.Shell.HolographicFirstRun","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{35deaa03-7bea-4c77-b07a-8f20d3dfd884}","name":"Microsoft.Windows.Mirage.Capture.Pipeline","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{72e9b8d0-434d-4f50-9dcc-e6dfc9df2b63}","name":"Microsoft.Windows.WinXrProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a076f707-4472-5083-d14f-826d0ef75c78}","name":"Microsoft.Windows.Audio.MultimediaDevice","group":""},{"guid":"{367c9044-75e0-5320-cc3c-8a40ffc6b4f6}","name":"Microsoft.Windows.Mapi.MMGA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{202b7a5a-5a34-566e-c4dd-38bd60ea7aec}","name":"Microsoft.Windows.Audio.MMSysCpl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{84f43c05-a677-41d6-a00e-c74d54fcb5c6}","name":"Microsoft.Windows.Audio.MMSysCpl.APODiagnostics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aa6f6a10-8a13-417d-8799-52361684bd76}","name":"Microsoft.Windows.ForegroundManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6eaa8566-66f9-5c32-c995-05cbb0b423ac}","name":"Microsoft.Windows.LifetimeManager.AppStateTransition","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59dd67cc-7ce1-52f8-cf74-fe8a257a2b6b}","name":"Microsoft.Windows.Update.Orchestrator.Worker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f697aea-5499-5c54-ae6e-e1489d0a252f}","name":"Microsoft.Windows.Update.Orchestrator.WuProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5eb60b36-6206-5538-e60a-0a7af8a1e59d}","name":"Microsoft.Windows.Security.Mpr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1e81ad7a-603a-4c44-b3b6-c99bb22f13bf}","name":"Microsoft.Windows.Networking.RAS.Routing.SSTP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{684d8f73-f09d-4163-8797-bc32201c94c1}","name":"Microsoft.Windows.Networking.RAS.RASServer.AgileVPN","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{68f4bcbe-cfe7-4b57-8d58-f18b0145a5bb}","name":"Microsoft.Windows.Networking.RAS.RASServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9fd2b528-8d3d-42d0-8fdf-5b1998004278}","name":"Microsoft.Windows.Networking.RAS.Routing.BGP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{02f64aa0-ebba-4af8-bdf4-196224230dea}","name":"Microsoft.Windows.Networking.RAS.RASServer.Ddm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}","name":"Microsoft.Windows.Firewall","group":""},{"guid":"{d76203c4-8c1b-4e53-afab-c22865594f3f}","name":"Microsoft.Windows.Firewall","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{07b7592c-a848-4520-89da-1ab26bc4629f}","name":"Microsoft.Windows.Networking.EDP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{702bb771-f6f6-4b08-adaf-42abe09b4fd1}","name":"Microsoft.Windows.Firewall.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{19c13211-dec8-42d5-885a-c4cfa82ea1ed}","name":"Microsoft.Windows.Mrt.Runtime","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{78f5cb32-81c4-476b-a93b-f5d90226ce9b}","name":"Microsoft.Windows.Print.MS3DPrintShellExtension","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fc9c931e-ac21-5b7d-df8f-00d6bad5a055}","name":"Microsoft.Windows.AllJoyn.MSAJApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4ed997f7-7c3c-5223-fae4-8234d198805c}","name":"Microsoft.Windows.AllJoyn.MSAJDeprecated","group":""},{"guid":"{0410d3ad-d839-4a75-9698-e6a9b4121bdc}","name":"Microsoft.Windows.Graphics.WindowsColorSystemDiagnostics","group":""},{"guid":"{10706d4f-ca0a-47aa-b093-5b5218a6308c}","name":"Microsoft.Windows.Graphics.WindowsColorSystem","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1f869e8f-86a0-5e3d-b81b-1100a9a3e9ed}","name":"Microsoft.Windows.Msconfig","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f6a3c95-b86c-59f7-d8ed-d5b0b6a683d6}","name":"Microsoft.Windows.Desktop.TextInput.TextServiceFramework","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f7febf94-a5f7-464b-abbd-84a042681d00}","name":"Microsoft.Windows.Desktop.TextInput.ThreadInputManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{86df9ee3-15c5-589d-4355-17cc2371dae1}","name":"Microsoft.Windows.Desktop.TextInput.TabNavigation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{78eba95a-9f43-44b0-8391-6992cb068def}","name":"Microsoft.Windows.Desktop.TextInput.MsCtfIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{85b47a68-9cfa-58dc-2b4b-2f34c92b3f33}","name":"Microsoft.Windows.Diagnostics.Troubleshooter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d1f34f0a-968b-4e6f-bb35-d818ecfebbab}","name":"MsdtcTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6b0310a6-0ff4-47d2-a554-a1bb260f9617}","name":"Microsoft.Windows.MediaFoundation.FlacDecoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5936f777-a7a8-4460-91e1-b430d5aeeb7f}","name":"Microsoft.Windows.Analog.SpeechAudio.IgneousOemDll","group":""},{"guid":"{0dac61c4-db90-49b5-a5a3-b25428fe20ef}","name":"Microsoft.Windows.Shell.StreamLib","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1cba82b8-2b26-4d68-8447-1a3b85805b6a}","name":"Microsoft.Windows.Darwin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b229a04f-29db-496f-97aa-10fa9c5844ba}","name":"Microsoft.Windows.Diagnostics.Resolver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44484773-a039-5c4a-d95c-2c23f586497c}","name":"Microsoft.Windows.MediaFoundation.MPEGDecoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b71ee1de-b092-4737-a55f-ecdf2e70e6be}","name":"Microsoft.Windows.MediaFoundation.H264Decoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63e17c10-2d43-4c42-8fe3-8d8b63e46a6a}","name":"Microsoft.Windows.MediaFoundation.OpusDecoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f9c4d0a2-8a7d-4d66-8f88-5839d7adc35a}","name":"Microsoft.Paint","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2aa2b8df-8a4e-52a7-8cc7-c72f28293393}","name":"Microsoft.Windows.Capture.Photography","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9cac2d9b-e081-4ab7-8c3e-30d117bcef93}","name":"Microsoft.Windows.MediaFoundation.RAWImageDecoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{227c0c3b-d0fd-5d7c-6556-64ef86b2b065}","name":"Microsoft.Windows.Globalization.Spelling","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c000e9ae-71f9-426e-a1c2-c78ff53284bf}","name":"Microsoft.Windows.Search.Indexer.Aggregated","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{76de1e7b-74d9-585f-1f85-affa9242808c}","name":"RDWin32ClientTelemetryProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{61dd194a-b8cb-4de5-a018-4c7f6f9e9988}","name":"RDP.MSTSCTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{55184039-1cbe-4d35-9f9e-85d0075943df}","name":"Microsoft.RDS.RADC.FeedSubscription","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{660cfa71-2a70-4e80-bdf3-f1424919d01c}","name":"Microsoft.RDS.RdClient.Client.FeedSubscription","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a8f457b8-a2b8-56cc-f3f5-3c00430937bb}","name":"RDP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8a633d91-8b07-4aae-9a00-d07e2afd29d6}","name":"RDP.Transport","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d953b8d8-7ea7-44b1-9ef5-c34af653329d}","name":"RDP.Graphics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{76de1e7b-74d5-575e-1f81-4ffe6a42777b}","name":"RDWin32ClientAxTelemetryProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7756e5a6-21b2-4c40-855e-88cf2b13c7cb}","name":"RDP.MSTSCAXTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{50134cdd-5fe1-4315-8c8d-50900921acce}","name":"Microsoft.Windows.HVSI.RDP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{43471865-f3ee-5dcf-bf8b-193fcbbe0f37}","name":"Microsoft.Windows.RemoteDesktopServices.RailPlugin","group":""},{"guid":"{c371b421-5986-5edc-75b8-bc21c0f8ee81}","name":"Microsoft.Windows.MediaFoundation.VP9Redirect","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d5cc9846-9cd8-5306-dece-438825703e54}","name":"Microsoft.Windows.MediaFoundation.XVP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9418ddd4-7689-5fbd-8ef1-0165d5a465f2}","name":"Microsoft.Windows.Shell.MtcModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e84c7b24-903b-5eff-05b5-7006f2843ceb}","name":"Microsoft.Windows.ShellActivationHelpers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{393ff4cc-f02d-5d0a-4180-b79bf8da529d}","name":"Microsoft.Windows.Shell.MTF.Platform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2d40087a-5ee9-569d-2c30-d2b248a24986}","name":"Microsoft.Windows.TextInput.FuzzyDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d059a021-6947-44fb-976a-b18c9b73d1d8}","name":"Microsoft.Windows.Update.Ux.MusNotification","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3076679b-a75c-4705-aaa4-836903b93875}","name":"Microsoft.Windows.Update.Orchestrator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e77a560c-3696-4ac0-911c-545ceca6be3c}","name":"Microsoft.Windows.Update.NotificationUx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ac7009a2-c62e-471e-ae10-da51e87873b3}","name":"Microsoft.Windows.Update.Ux.NotifyIcon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cee50f59-e321-4691-9bb7-9b75494f6aab}","name":"Microsoft.Windows.Update.Ux.MusUpdateSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2e1fdc26-4250-4850-82d8-2aef9eafa3b8}","name":"Microsoft.Windows.Accessibility.NarratorHome","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c632d944-dddb-599f-a131-baf37bf22ef0}","name":"Microsoft.Windows.Security.NaturalAuth.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{26b30c9e-d524-5a0c-8cf2-29989c8175f7}","name":"Microsoft.Windows.Desktop.NaturalLanguage6","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63ac12d9-f21b-402d-bd67-8e415aa896aa}","name":"Microsoft.Windows.Networking.NCA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2ab7abe2-fd6b-49dd-931e-d3339832676a}","name":"NcbService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e85be3ac-efac-4ef3-873b-7b96c0fe4bc2}","name":"Microsoft.Windows.Shell.NcdAutoSetup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1701c7dc-045c-45c0-8cd6-4d42e3bbf387}","name":"NCSI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6a586350-e749-49d6-a5b7-855290398c6b}","name":"Microsoft.Windows.NDF.PushButtonReset","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2f3250c8-5d7e-5c11-2878-e2d179234c10}","name":"Microsoft.Windows.Networking.NetCfgExe","group":""},{"guid":"{3c70d3e6-40c8-5875-67f3-ad429a730a44}","name":"Microsoft.Windows.Diagnostics.Troubleshooter.Networking.NetCoreHC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3192497f-bb99-5aa1-10aa-680f4aa2eee2}","name":"Microsoft.Windows.Diagnostics.Troubleshooter.Networking","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{29f455e5-659d-55c6-175b-0892a5ba91fe}","name":"Microsoft.Windows.Networking.NetSetup.Inf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8ee5c621-4160-5b85-8d78-0979b332de9e}","name":"Microsoft.DotNet","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{30a1cf02-27aa-4ef7-b34c-59c36eaba123}","name":"Microsoft.Windows.Shell.NetworkId","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9d9f8d9d-81f1-4173-a667-4c54a4831dba}","name":"Microsoft.Windows.Shell.NetPlWiz","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ea289c62-8c36-4904-9726-15ecd282aed5}","name":"Microsoft.Windows.NetworkListManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{819cf413-40ea-5e76-0bc1-b5f26ebf7075}","name":"Microsoft.Windows.WiFiCloudStore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{205ce500-a543-56a2-7b6a-67ba089f67dc}","name":"Microsoft.Windows.Networking.NetSetup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a111f1c3-5923-47c0-9a68-d0bafb577901}","name":"Microsoft.Windows.Networking.NetworkSetup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a111f1cb-5923-47c0-9a68-d0bafb577901}","name":"Microsoft.Windows.Networking.NetworkSetupShim","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a111f1cc-5923-47c0-9a68-d0bafb577901}","name":"Microsoft.Windows.Networking.NetworkSetupSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab7df27d-f8d1-546b-9ba0-1ecfe7b3fc3a}","name":"Microsoft.Windows.Shell.SystemSettings.HandlersBase","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3eae2ac8-6b77-5d53-4e2c-7ad87c16259b}","name":"Microsoft.Windows.OneSync.NetworkHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{339817cf-d7a8-4114-94b2-a240843d77ee}","name":"Microsoft.Windows.NetworkUx.SettingsHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46dc5dcf-096e-4157-abed-fd6ae23721e1}","name":"Microsoft.Windows.Cell.SettingsHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3a245d5a-f00f-48f6-a94b-c51cdd290f18}","name":"Microsoft-Windows-Desktop-Shell-SystemSettingsV2-Handlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{40983cc0-15bb-4de7-b8c2-391c0528399c}","name":"Microsoft.Windows.Provisioning.Plugin.NFC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45fc65fc-f770-5ad6-c9bf-683f122184a9}","name":"Microsoft.Windows.Provisioning.PluginNFC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cac8d861-7b16-5b6b-5fc0-85014776bdac}","name":"Microsoft.Windows.Security.NGC.CredProv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0aba6892-455b-551d-7da8-3a8f85225e1a}","name":"Microsoft.Windows.Security.NGC.NgcCtnr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9df6a82d-5174-5ebf-842a-39947c48bf2a}","name":"Microsoft.Windows.Security.NGC.NgcCtnrSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c0b2937d-e634-56a2-1451-7d678aa3bc53}","name":"Microsoft.Windows.Security.Ngc.Truslet","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cdc6beb9-6d78-5138-d232-d951916ab98f}","name":"Microsoft.Windows.Security.NGC.NgcIsoCtnr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b66b577f-ae49-5ccf-d2d7-8eb96bfd440c}","name":"Microsoft.Windows.Security.NGC.KspSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3b9dbf69-e9f0-5389-d054-a94bc30e33f7}","name":"Microsoft.Windows.Security.NGC.Local","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b223f67-67a1-5b53-9126-4593fe81df25}","name":"Microsoft.Windows.Security.NGC.KeyStaging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{89f392ff-ee7c-56a3-3f61-2d5b31a36935}","name":"Microsoft.Windows.Security.NGC.CSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9d4ca978-8a14-545e-c047-a45991f0e92f}","name":"Microsoft.Windows.Security.NGC.Recovery","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3feb5bf-1a8d-53f3-aaa8-44496392bf69}","name":"Microsoft.Windows.Security.DevCredSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a7f923a4-8693-4876-92f4-4ff49791d3cf}","name":"PenTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ff5771a-f64e-473f-a2e8-4654c218ff3a}","name":"NLA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eb3540f2-1909-5d51-b72d-a3ecb0b9bf08}","name":"Microsoft.Windows.Shell.NotificationController","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{487905a0-9830-4d41-ba68-e3325affa8c2}","name":"Microsoft.Windows.Shell.SystemSettings.AumidNotifications","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f1f31e13-d7aa-438c-ab17-9e435309f5ef}","name":"Microsoft-Windows-Shell-CortanaNotifications","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{883b9247-ab6e-5068-59bb-eeb519d551b6}","name":"Microsoft.Windows.Shell.NowPlayingSessionManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c127316f-7e36-5489-189a-99e57a8e788d}","name":"Microsoft-Windows-Explorer-ThumbnailMTC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b52746e-241b-52c9-8f0b-4e5e25e54507}","name":"Microsoft.Windows.Shell.BaseProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f9fdd5a0-85ea-46bd-a4ba-fbeec97c558c}","name":"CentennialIssueTrackerTraceLogging","group":""},{"guid":"{a99b2eb4-5620-44f5-9b02-f9d2eebf2e96}","name":"Microsoft.Windows.Kernel.LibLoader","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c0834da2-8abe-478f-848c-1da4cbe18daf}","name":"Microsoft.Windows.Kernel.VsmEnclaveLoader","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{540dc156-e9d6-42dc-a225-29794149a495}","name":"MuiResourceLoaderTraceLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{27a8fdf4-9b77-575b-be3b-e7163ef159bb}","name":"Microsoft.Windows.Security.Capabilities","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f0cd5b06-08c0-5ce4-09c2-17ba421985a0}","name":"Microsoft.Windows.Heap","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e9eaf418-0c07-464c-ad14-a7f353349a00}","name":"Microsoft.Windows.Kernel.Registry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{252d9ecc-1c9f-4917-8760-f872a83bf018}","name":"Microsoft.Windows.Containers.RegistryVirtualization","group":""},{"guid":"{73a33ab2-1966-4999-8add-868c41415269}","name":"IumTelemetryProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a4d16fc5-d1cf-4d72-a055-25f3eb02a70e}","name":"Microsoft.Windows.Kernel.LiveDump","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a9fdf37b-d72d-4051-a3cd-d422103ce079}","name":"Microsoft.Windows.Kernel.SysEnv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c8bde9ff-f31f-59dc-6c27-ca37c516ada5}","name":"Microsoft.Windows.Kernel.DeviceConfig","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{6c0ebbbb-c292-457d-9675-dfcc1c0d58b0}","name":"Microsoft.Windows.Kernel.PnP","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{7e9e8b9c-406c-5d73-e566-0f50ea3ade3e}","name":"Microsoft-Windows-Kernel-Mm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63bca7a1-77ec-4ea7-95d0-98d3f0c0ebf7}","name":"Microsoft.Windows.Kernel.Power","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e753e4d-2b0d-4451-b8f9-0f1253ca0b44}","name":"Microsoft.Windows.Kernel.Ttm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c59673d8-b796-58df-fbf8-a70bad656dca}","name":"Microsoft.Windows.Kernel.ProcessSubsystem","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{09a69a38-2680-4bfa-ad01-792ad63a4ff2}","name":"Microsoft.Windows.Kernel.Security","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7614521c-4d0b-4341-bfc9-873082c0f1d3}","name":"KernelGeneral","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2839ff94-8f12-4e1b-82e3-af7af77a450f}","name":"KernelProcess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1dd9b8c9-e078-4075-b9de-4e5125071a18}","name":"MSTelCov","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{47122234-f9f1-54ea-acd0-514d58e00b7f}","name":"WheaProvider","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{70cfefa3-edb1-5f09-aa78-047998973db4}","name":"Microsoft.Windows.Print.ClassInstaller","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2446bc6d-2a96-5948-96ba-db27816dee43}","name":"Microsoft.Windows.Shell.SharingWizard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59a3be04-f025-4585-acfc-34456b550813}","name":"Microsoft.Windows.Shell.Edp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f01756f1-23c4-5663-6e27-5cb7e7942ad2}","name":"Microsoft.Office.Deployment.OfficeCsp","group":""},{"guid":"{86613b65-e02d-4de7-bce3-21e902fd29f7}","name":"OleClipboardAggregateTelemetryProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3e0e3a92-b00b-4456-9dee-f40aba77f00e}","name":"Microsoft.Windows.OLE.Clipboard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{60a245d2-73de-4604-9a9c-65ca7a964e8c}","name":"Microsoft.Windows.OLE.DragDrop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{acca0101-ae51-4d60-a32a-552a6b1deabe}","name":"Microsoft-Windows-DeviceManagement-OmaDmAgent","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0616f7dd-722a-4df1-b87a-414fa870d8b7}","name":"Microsoft.Windows.ConnectionManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0db63167-77d2-441d-a793-6e09ba63213b}","name":"Microsoft-Windows-OneBackup-BackupPage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab0d8ef9-866d-4d39-b83f-453f3b8f6325}","name":"Microsoft.Windows.Networking.OneX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5391f591-9ca5-5833-7c1d-ad0ddec652cd}","name":"Microsoft.Windows.Desktop.Shell.MachineOOBE","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c88c00d7-79f4-4497-a643-83fcc9919feb}","name":"MicrosoftWindowsNetworkVANUx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2cfa8474-fc39-51c6-c0ac-f08e5da70d91}","name":"Microsoft.Windows.Shell.Desktop.FirstLogonAnim","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{41cdc74d-743f-40b4-aa86-0ad4bc36f48d}","name":"Microsoft.Windows.Setup.SetupCleanupTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{acd8e438-4bfa-430e-90f6-969391cd6bad}","name":"Microsoft.Windows.Setup.FastCleanUp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b169449-0220-55f8-5c6b-ca7a796cf33a}","name":"Microsoft.Windows.Shell.UserOOBE","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d960cb7-fb14-5ed4-95fd-4d157414ecdb}","name":"Microsoft.Windows.Desktop.Shell.OOBEMonitor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{51c51397-43c4-5c86-645c-acbd5b2e1038}","name":"Microsoft.Windows.Graphics.OpenGL","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dd838180-d462-534c-0e3a-336e653bbe84}","name":"Microsoft.Windows.Accessibility.Osk","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1a63cde8-f2fe-497c-9624-5a1cd2e950a6}","name":"Microsoft.Windows.PasswordEnrollmentManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{edb51732-0ab7-4b34-a37b-e88724c10e6e}","name":"Microsoft.Windows.ExploitGuard.PayloadRestrictions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{511a5c98-b374-446e-9625-108624a3ccaa}","name":"Microsoft.Windows.Compatibility.PCA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{95abb8af-1790-48bd-85ac-5feed398dd9e}","name":"Microsoft.Windows.PCA.Siuf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{407c75ac-661f-4c74-a4b0-acdd9a643e42}","name":"Microsoft.Windows.PCA.PushApphelp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{21c36b70-7cda-5bc2-09b3-92d7d0459faa}","name":"Microsoft.Windows.Security.PlatformCryptoProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d428fa57-eb61-51ba-460e-d1a6f6b534b5}","name":"MSFT_PCSVDeviceTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b4bb6d4-e2f5-4ec9-9e14-5c55c24aebd1}","name":"Microsoft.Windows.Networking.BranchCache","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{104d97cd-836b-5d83-835f-1f2a47ce02c5}","name":"Microsoft.Windows.Analog.PerceptionSimulation.InputHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{22da0a2f-0ccd-4a16-b66b-1fde8362e11b}","name":"Terminal-Services-TestCode","group":""},{"guid":"{6b5ecd17-6287-435f-9f5e-a47e2fc100b1}","name":"Microsoft.Windows.Licensing.PhoneActivate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e08c85f4-c224-499d-b5b3-c1bce960f096}","name":"Microsoft-Windows-Telephony-PhoneOm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7665d4fd-30eb-4ddc-9dc1-4ebab74ed98e}","name":"Microsoft.Windows.Apps.CommsEnhancementRTProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b8020478-a6a8-42bb-9ede-b2d3ebf8da7c}","name":"Microsoft.Windows.Apps.CallsRTProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d7afa934-92e9-4f14-98f2-62f2486c39fb}","name":"Microsoft.Windows.Apps.PhoneProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1db8dad0-7ca6-4f18-b357-43bfdd8c9806}","name":"Microsoft-Windows-Telephony-PhoneProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6892b716-cfea-4c82-9557-9c782e3f8c6c}","name":"Microsoft.Windows.Apps.PhoneService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cbbbc22d-2efe-4eae-9af5-f9c6cf113670}","name":"Microsoft-Windows-Telephony-PhoneService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf82aecb-ffff-4049-bd5b-687734a5d519}","name":"Microsoft.Windows.Apps.PhoneUtilsProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{04a490d4-84c6-4920-9c22-51c80825ff2c}","name":"Microsoft-Windows-Telephony-PhoneUtil","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c306dbfe-1c7d-474a-98f6-4027ad1fb7ef}","name":"Microsoft.Windows.Cast.Source","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2a3c1dcd-ddcb-41de-be16-e72df40ee8dd}","name":"Microsoft.Windows.PrelaunchOptIn","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{521120e3-343e-42a2-bd71-a1b1ff655655}","name":"Microsoft.Windows.Print.PmcSnap","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c0a23072-f5b1-4fd0-8e29-6b3d6a53a27b}","name":"Microsoft.Windows.Das.Pnpx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{300284e3-9c2e-48bd-b281-5d80dd057068}","name":"Microsoft.IoT.POS.BarcodeScannerProtocolProvider","group":""},{"guid":"{e3ac6ef2-620d-4ffd-bced-2ff0f4ec7ea6}","name":"Microsoft.IoT.POS.CashDrawerProtocolProvider","group":""},{"guid":"{a1e769b6-694b-46d3-a804-3a5251d9527e}","name":"Microsoft.IoT.POS.PrinterProtocolProvider","group":""},{"guid":"{64e05266-27b6-4f6b-ab9e-ab7cc9497089}","name":"Microsoft.Windows.DeviceManagement.AdmxIngestion","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{981ea2ca-d29e-4ac4-a6c2-d4d3b13c400f}","name":"Microsoft.Windows.WpdMtp.Api","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3880ac9-4776-4776-b48d-0ae270f674ef}","name":"PowerTroubleshooter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b5086f75-81ed-4487-8d0a-5e9114afc2e9}","name":"Microsoft.Windows.Power.Troubleshooter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c1160d05-83a4-4285-b67a-cc3ba2e3e05f}","name":"Microsoft.Windows.Power.PowercfgExe","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e3a2768-2abc-5173-b92c-7e9b1cf94f00}","name":"Microsoft.Windows.Shell.ControlPanel.PowerCpl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b793eafa-2323-429c-90d5-7628369be2cb}","name":"Microsoft.Windows.LimitsManagement.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{be5f8487-3a5d-4477-b0c2-020679b81e56}","name":"Microsoft.Windows.Print.Workflow.Source","group":""},{"guid":"{fd6b6ae4-7563-550d-46a4-da9fe46cad57}","name":"Microsoft-Windows-Print-Platform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{82a4ba66-9b2a-44ac-a231-e9f719e1e471}","name":"Microsoft.Windows.Print.Ui","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1bf554be-03c5-4f49-9b57-f3c0cbad589a}","name":"Microsoft.Windows.Print.Workflow.Broker","group":""},{"guid":"{f69d3e6c-298b-466c-b84f-486e1f21e347}","name":"Microsoft.Windows.Print.WorkFlowBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{92228b46-b5ea-5793-a5cb-7df7d97fa674}","name":"Microsoft.Windows.Shell.PrintNotification","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9aed307f-a41d-40e7-9539-b8d2742578f6}","name":"Microsoft.Windows.Shell.ProfAPI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{40654520-7460-5c90-3c10-e8b6c8b430c1}","name":"Microsoft.Windows.ProfExt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9891e0a7-f966-547f-eb21-d98616bf72ee}","name":"Microsoft.Windows.Shell.UserProfiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9959adbd-b5ac-5758-3ffa-ee0da5b8fe4b}","name":"Microsoft.Windows.ProfileService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7f1bd045-965d-4f47-b3a7-acdbcfb11ca6}","name":"Microsoft.Windows.RoamingUserProfiles","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{32980f26-c8f5-5767-6b26-635b3fa83c61}","name":"Microsoft.Windows.Shell.FileExplorer.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b1642597-285e-560a-7f60-7e02f5da22c0}","name":"Microsoft.Windows.Shell.Propsys","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3f220320-4c79-4e44-94ff-20b3ea0fe8a2}","name":"Microsoft.Windows.ConnectionManager.Provisioning.Desktop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{42c60cea-0fe7-4541-a86b-9e11f95bd9bf}","name":"Microsoft.Windows.Mobile.Provisioning.Datastore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a6a847b7-4429-49aa-bba6-2ad8c191ac8c}","name":"Microsoft.Windows.Provisioning.Engine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0383d92c-2337-4f25-a0b5-a51767f04746}","name":"Microsoft.Windows.Provisioning.Handlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{00bb69fc-60bc-4502-9438-25608f375ccb}","name":"Microsoft.Windows.Provisioning.CommandCsp","group":""},{"guid":"{16e12400-a2d8-44b7-9479-004568ec7819}","name":"Microsoft.Windows.Provisioning.CSP","group":""},{"guid":"{26a5fa2c-2e24-4e93-83c8-8146b8fde527}","name":"Microsoft.Windows.Autopilot.ForcedNetworkValue","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a630494a-2e71-4c50-89a4-0d6c09730e03}","name":"Microsoft.Windows.Shell.SystemSettings.PackageProvisioning","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{08faccfa-125d-4ed6-b0b7-b4a1a912e693}","name":"Microsoft.Windows.Provisioning.ProvLaunch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a0af985e-83f9-4e1a-b658-338dcfe27893}","name":"Microsoft.Windows.Provisioning.Migration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7f99598f-b2c1-4371-9911-63dee13b9eb1}","name":"Microsoft.Windows.Provisioning.Operations","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b1f30020-8bc3-4888-bb1b-4dd681f24209}","name":"Microsoft.Windows.Provisioning.Platform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{55239d60-0eb6-495b-874e-15de5d5f9a70}","name":"Microsoft.Windows.Provisioning.Plugin.Engine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{34ace569-6bc6-48e5-8e3a-96a6a720c9fb}","name":"Microsoft.Windows.Provisioning.Sysprep","group":""},{"guid":"{2bf4b6ba-556e-4d05-8534-cafedf19fed8}","name":"Microsoft.Windows.Provisioning.ProvTool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{073c75a0-d07d-4203-9501-a91f2a239d55}","name":"Microsoft.Windows.Networking.Proximity.Common","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0d770577-bb34-538f-9c4f-da99fb5df794}","name":"Microsoft.Windows.Networking.Proximity.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f01f0926-8b2c-59e4-2c10-406613ca40e4}","name":"Microsoft.Windows.Shell.Proximity","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4180c4f7-e238-5519-338f-ec214f0b49aa}","name":"Microsoft.Windows.ResourceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f6a774e5-2fc7-5151-6220-e514f1f387b6}","name":"Microsoft.Windows.HostActivityManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8215e965-d26e-548e-af0e-940c1f06f250}","name":"Microsoft.Windows.CentralResourceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0001376b-930d-50cd-2b29-491ca938cd54}","name":"Microsoft.Windows.ProcessStateManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{23218c03-d099-425a-8778-337a4ddc7ba9}","name":"Microsoft.Windows.ProcessStateManager.Refcount","group":""},{"guid":"{f4b9ce38-744d-4916-b645-f1574e19bbaa}","name":"Microsoft.Windows.PushToInstall","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6f85d1f-fb7c-7520-dd4f-de67239f3d46}","name":"Microsoft.Windows.WindowsToGo.Startup.Options","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{54bd41e0-189f-6f3b-b495-1e4aa4975198}","name":"Microsoft.Windows.WindowsToGo.Creator.Tool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1d99a835-42bc-5bef-a10b-caae0d54fd0f}","name":"Microsoft.Windows.MediaFoundation.DVDNav","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e021c29e-7473-4952-b897-618c19a78a41}","name":"Microsoft-Windows-BITS-Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9a010476-792d-57be-6af9-8de32164f021}","name":"Microsoft.Windows.DirectShow.FilterGraph","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c7b89fc6-5c99-56f4-2b2e-c536b212904d}","name":"QuickActionsDataModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b5a91f26-4c1e-5ad1-ecd2-9e49e349f773}","name":"Microsoft.Windows.Shell.QuickActionsDataModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{91558f59-b78a-4994-8b64-8067b33bdd71}","name":"Microsoft.RemoteAssistance","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7145abf9-99f5-4ccf-a2b6-c9b2e05ba8b3}","name":"Microsoft.Windows.Shell.NotificationQuietHours","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06c071f2-6c59-5d55-6b31-1578dd063ddc}","name":"EAPRasTlsEvents","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{de441ffa-fafa-4495-977f-2e9d2509746d}","name":"Microsoft-Windows-Sysmain-Prefetch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ca341b3c-b9d2-4d0f-9bd3-d88183596db9}","name":"RDP.ServerStack.Diagnostics","group":""},{"guid":"{78be48bd-5d52-4e39-823d-226cd5551f37}","name":"RDP.ServerStack","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{20928097-faf7-47fb-9e7c-3a251f0936e8}","name":"RDP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4a49afe3-776e-467a-aca0-71f9c6c8499f}","name":"Microsoft.Windows.RemoteDesktop.RAIL.RdpInit","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dc1a94a6-0a1a-433e-b470-3c72353b7309}","name":"Microsoft.Windows.RemoteDesktop.RAIL.Server.Diagnostics","group":""},{"guid":"{f115ddaf-e07e-4b15-9721-427134b41eba}","name":"RDP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{39825ffa-f1b4-41b7-8221-20d4b8dbe57e}","name":"Microsoft.Windows.RemoteDesktop.RAIL.RdpShell","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d2e990da-8504-4702-a5e5-367fc2f823bf}","name":"AUInstallAgent","group":""},{"guid":"{9512fdbc-24e6-44fa-a8a3-af44d3447216}","name":"RDP.Graphics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{37e6b6cc-3f66-5c13-b9f8-574cfb014a9e}","name":"Microsoft.Windows.Audio.Client.Plugin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4263c286-3c4f-56c8-3fe2-cc0331449b53}","name":"Microsoft-Windows-Shell-RetailDemo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e305fb0f-da8e-52b5-a918-7a4f17a2531a}","name":"Microsoft.Windows.Shell.DefaultAssoc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{04e7bad5-f665-4f6e-9678-80646a3201ad}","name":"Microsoft.Windows.WinRE.Agent","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2c2e6508-9c83-4104-a93b-2336375f6932}","name":"Microsoft.Windows.RecoveryDrive","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f9a81f79-369b-443c-9428-fc1dd98316f6}","name":"Microsoft.Windows.FileSystem.ReFSUtil","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3ea8eaef-db33-4f2e-bb7c-ef7ad091a0f2}","name":"Microsoft.Windows.Kernel.Registry.FromApp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{edf12a85-835b-4f0c-9391-e43cb0e4d94a}","name":"Microsoft.Windows.RalmProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fe73c339-a194-4cef-8982-6ac1f094d6e4}","name":"Microsoft.OSG.IoT.Pos.RemotePosWorker","group":""},{"guid":"{b55883e6-6c45-45c2-ab9d-800bb7b66b15}","name":"Microsoft.Windows.Provisioning.Plugin.RemovableMedia","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{39aee73c-51b7-5af1-99f7-96d1e9f3bcad}","name":"Microsoft.Windows.Shell.DeviceCenter.ContextHandlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cfd95a4e-cd5b-4f57-9eeb-fe9683e8e407}","name":"Microsoft.BitLocker.BDERepair","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8af7296e-f7e8-5c1a-24a5-169c7a7e52ce}","name":"Microsoft.Windows.EnterpriseManagement.CSPReporting","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7339c7d7-8f99-4a30-a3b2-fec35ca17d56}","name":"Microsoft.Windows.PBR","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1cfa8219-ba47-4030-8389-15ddbf02cbb7}","name":"Microsoft.Windows.SystemReset","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{febc6d38-edbf-51a7-5e71-a42c0eefec21}","name":"Microsoft.Windows.ResourceMapper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3d8e0e0a-54db-46d1-94ba-7ff7209d6a31}","name":"Microsoft.Windows.AppEnergyManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f621a24-8318-4288-9edd-3369d34d4ce9}","name":"Microsoft.Windows.IUIRadioManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5dfe3ad2-b86c-5943-e324-3ebd1e18dcb6}","name":"Microsoft.Windows.Security.SmartCards.TpmVscMgrServerRemote","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{076a2c5c-40e9-5a75-73b0-8d7697c282b2}","name":"Microsoft.Windows.Security.Vault.RoamingSecurity","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ae94e5a2-1f4d-40b5-9caf-9af6e4f492c2}","name":"RotMgrDll","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc52107c-5ea2-42f9-bee4-e2cac90f3186}","name":"Microsoft.Windows.Shell.MTF.RuleBasedDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d48533a7-98e4-566d-4956-12474e32a680}","name":"RuntimeBrokerActivations","group":""},{"guid":"{0f1b810e-c19e-48b3-aa52-ee8e840b4f78}","name":"Microsoft.Windows.Security.SmartCards.Bi","group":""},{"guid":"{179f04fd-cf7a-41a6-9587-a3d22d5e39b0}","name":"Microsoft.Windows.Security.SmartCards.SCardSvr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1aebf134-2201-57b6-0edc-a6c064e52ba3}","name":"Microsoft.Windows.Security.SmartCards.DeviceEnumSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44492b72-a8e2-4f20-b0ae-f1d437657c92}","name":"Microsoft.Windows.Security.Schannel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{10ff35f4-901f-493f-b272-67afb81008d4}","name":"Microsoft.Windows.TaskScheduler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8439a2a8-49db-5541-9ad8-c59742126b03}","name":"Microsoft.Windows.Security.SmartCards.Ksp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aa6715c6-f92b-54f7-0cd5-5ed813f0b7d2}","name":"Microsoft.Windows.Shell.MTF.StaticDictionaryDS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dcb243d5-43e4-5b56-a4be-51ae916ab709}","name":"Microsoft.Windows.SafeDocs.Engine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fbfc1d79-5d62-57cf-44a5-87d3b17fc434}","name":"Microsoft.Windows.Storage.Win7Backup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ca967c75-04bf-40b5-9a16-98b5f9332a92}","name":"Microsoft.Windows.Security.MitigationPolicy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b6fd710b-f783-4b1c-ab9c-c68099dcc0c7}","name":"Microsoft.Windows.Security.IsolationApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b16d37f8-5c56-47ca-9ee0-7575347ebe5f}","name":"Microsoft.Internal.Management.SecureAssessment.Logging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e6b5b34f-bd4d-5cdc-8346-ef4dc6cf1927}","name":"Microsoft.Windows.Security.WSC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3a47280f-ef8d-41af-9288-64db7a9890d3}","name":"Microsoft.Windows.Defender.SecurityHealthAgent","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d357dbe-57a2-5317-7970-19192e402ae6}","name":"Microsoft.Windows.Defender.Shield","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7c5f5242-fc39-4bcb-bb09-3c210e2cfef4}","name":"Microsoft.Windows.Security.SysTray","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dda1d007-6e0a-4fb6-83a3-996599b3826e}","name":"Microsoft.Windows.Nfc.SEManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59173412-04cd-5c92-8bed-5c16875e0fa4}","name":"Microsoft.Windows.Payments","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0d08a156-7e7d-55b8-042b-e670378f2318}","name":"Microsoft.Windows.Payments.MediatorService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0279b50e-52bd-4ed6-a7fd-b683d9cdf45d}","name":"Microsoft-Windows-PerceptionSensorDataService-Verbose","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{85be49ea-38f1-4547-a604-80060202fb27}","name":"Microsoft-Windows-PerceptionSensorDataService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{845678bb-25b7-4d81-a3ed-e9890ccfed9b}","name":"Microsoft.Windows.Sensors.SensorsAPI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e5468423-a26c-5d0b-bbd5-24f8a8935c34}","name":"Microsoft.Windows.Sensors.COMLayer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dd685aa3-9e8c-5e0c-819d-a3d24d221af1}","name":"Microsoft.Windows.Sensors.NativeLayer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1936b710-e2e7-53f0-0035-9c44b816977e}","name":"Microsoft.Windows.Sensors.App.ReadingNotificationSession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4112d04d-3dd5-517b-8b1c-f4193ccf29bb}","name":"Microsoft.Windows.Sensors.Desktop.AutoRotation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fa47059e-b524-4461-86c1-7fdaafa20f7d}","name":"Microsoft.Windows.ServiceHealth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b8ddcea7-b520-4909-bceb-e0170c9f0e99}","name":"Microsoft.Windows.ServiceControlManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0bb8e5ca-316f-4b0f-9100-debbc6671308}","name":"Microsoft.Wdf.UMDF.Dm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59de359d-ec83-445c-9323-b75e2056d5a5}","name":"SessionEnv","group":""},{"guid":"{fb1a70cc-be28-40c1-bd6a-47671538383a}","name":"Microsoft.Windows.RemoteDesktop.CertManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{997fb36f-0208-4ed7-865b-e19816c3782d}","name":"Microsoft.Windows.RemoteDesktop.SessionConfig","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d9f94c5a-94f8-4cd0-a054-a1ee67a2da6b}","name":"Microsoft.Windows.RemoteDesktop.SessionHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{89d48904-939f-4177-aad4-2fdb26b8329f}","name":"Microsoft.Windows.RemoteDesktop.RDSHFarm.UVhd","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6fdd8e3-770b-4964-9f0c-227457146b49}","name":"RDP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ae8ab061-654e-4d72-9f4b-c799ba919ec8}","name":"sessionmsg","group":""},{"guid":"{047fb417-39e6-4b79-a52c-c436b60011ad}","name":"Microsoft.Windows.Shell.SystemSettings.SettingsEnvironment","group":""},{"guid":"{e3446518-a6ee-4a30-b953-88a4455e2c53}","name":"Microsoft.Windows.Shell.SystemSettings.SettingsEnvironment.Desktop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3e10128-9491-5472-2863-d0dfae01460a}","name":"Microsoft.PPI.Settings.SettingsEnvironment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63461467-e5a3-4814-8123-01265f1c3a64}","name":"Microsoft.Windows.Shell.SystemSettings.Extensibility","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{61bc3baa-c439-5e41-b843-9c2564ed57f6}","name":"Microsoft.Windows.Analog.SystemSettingsHolographicProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3725b437-b9a6-411f-a47a-60c61cdf6d9f}","name":"Microsoft.Windows.Shell.SystemSettings.AppExecutionAlias","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6c9f0ea4-39f0-411d-a3cf-6159f15d1918}","name":"Microsoft.Windows.Shell.SystemSettings.BackgroundApps","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e04d85e2-56a2-5bb7-5dab-6f761366a4c2}","name":"Microsoft.Windows.Shell.SystemSettings.BatterySaver.Desktop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c1e39d03-2172-4638-be89-0fb00978faea}","name":"Microsoft.Windows.Shell.SystemSettings.CapabilityAccess","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a581b958-01d7-5b43-a776-365adf9fc460}","name":"Microsoft.Windows.Shell.SystemSettings.ClosedCaptioningHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{56143dd6-ad65-4fb1-972c-6dfa2bef0916}","name":"Microsoft.Windows.Shell.SystemSettings.BluetoothHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fc27cce8-72b0-5a6f-8fe3-22bfcfefd495}","name":"Microsoft.Windows.Shell.SystemSettings.MediaRadioManagerSink","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{27d5ad5a-66c3-5df2-fc18-1f9f61d46abb}","name":"Microsoft.Windows.Shell.BlueLightReduction","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{23cd8d50-ed49-5a0b-4562-65dff962d5f1}","name":"Microsoft.Windows.Mobile.Shell.DisplaySettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d43920c8-d57d-4e58-9283-f0fddd4afdcb}","name":"WindowsFlightingSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec696ee4-fac7-4df4-9aaa-3862cb16eb4b}","name":"Microsoft.Windows.Shell.SystemSettings.FontPreview","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8b71b3dd-db44-400d-ae29-b4be90b9deb3}","name":"Microsoft.Windows.Xbox.NetworkTroubleshooter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9a35425e-61bc-4d68-8542-568a28963abe}","name":"Microsoft.Windows.Shell.SystemSettings.AdvancedGraphics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d8a54c12-11e8-462b-bdd4-7ad5ccf676b6}","name":"Microsoft.Windows.Analog.Shell.SystemSettings.Handlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c442c41d-98c0-4a33-845d-902ed64f695b}","name":"Microsoft.Windows.TextInput.ImeSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3bd9576d-203c-4b2d-8f1c-2a4574b3be78}","name":"Microsoft.Windows.TextInput.ChsIme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a00d2097-96a9-4889-925e-1298e09460a0}","name":"Microsoft.Windows.SystemSettings.SettingsHandlers.InkingTypingPrivacy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{adbb52ad-4e74-56c1-ecbe-cc4539ac4b2d}","name":"Microsoft.Windows.SpeechPlatform.Settings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{17d6a222-af97-560b-6f18-389900d6ad1e}","name":"Microsoft.Windows.Desktop.Shell.LanguagePackInstallSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e613a5d7-363e-5200-b311-02b426d8a73b}","name":"Microsoft.Windows.Desktop.Shell.LanguageFeaturesOnDemandSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{33b3eaa6-d8dd-5096-8687-6f520d32fc9e}","name":"Microsoft.Windows.Shell.NotificationSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e2a3ad70-42b5-452c-a113-20476e27e37c}","name":"Microsoft.Windows.Desktop.Shell.SystemSettingsThreshold.Handlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fb0a5f93-25eb-493a-a08b-b8cb0325deba}","name":"Microsoft.Windows.Licensing.LicensingRegistration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2535e414-2453-44f0-a14d-87347cc72296}","name":"Microsoft-Windows-EnterpriseManagement-PolicyManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a763f1f4-bda4-4738-8cb7-ea00f684b80e}","name":"Microsoft.Windows.Desktop.TextInput.KeyboardSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1616dd48-db95-4796-a71f-b79485e1b962}","name":"Microsoft.Windows.Analog.Speech.VoiceDownload","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4445fca2-f4ff-4469-9de4-5ac45f690249}","name":"Microsoft.Windows.Shell.SystemSettings.SpeechPlatformSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{89956eca-39e2-598f-a8fa-8cb6382bd306}","name":"Microsoft.Windows.Shell.ThemeSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6bee332c-7ddb-5ec2-dec4-91b8be7612f8}","name":"Microsoft.Windows.Shell.PersonalizeSettingsTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a8fd7a5b-4323-4172-b85b-f5b78c3c0f9c}","name":"Microsoft.Windows.Shell.SystemSettings.CorpDeviceManagementSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f323b60d-51ff-5c64-f7d1-f8149e2b3d81}","name":"Microsoft.Windows.Shell.SystemSettings.Pen","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f84aa759-31d3-59bf-2c89-3748cf17fd7e}","name":"Microsoft-Windows-Desktop-Shell-Windowing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{42d3ead2-4c3d-4a27-a3a4-bd8bc73babc0}","name":"Microsoft.Windows.Defender.PCSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf652bd1-cf2a-5ae4-16a1-b293fa6381cf}","name":"Microsoft.Windows.Shell.SystemSettings.RemoteDesktop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{571ac9d5-12fd-4438-b630-61fb26bbb0ac}","name":"Microsoft.Windows.Shell.SystemSettings.BatterySaver","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{35a6b23c-c542-5414-bc49-b0f81b96a266}","name":"Microsoft.Windows.Shell.SystemSettings.OneDriveBackup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8ff3b6ba-e06f-59b6-82c3-4cf8e3623322}","name":"Microsoft-Windows-Shell-DisplaySettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a810c3ec-3fac-47de-9a75-9135c917ae7f}","name":"Microsoft.Windows.Shell.SystemSettings.PrivacyHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed9c68b1-12e1-4ae7-baab-2b167a66425a}","name":"Microsoft.Windows.Shell.QuickActionSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44f1a90c-4250-5bab-f09b-df45384c6951}","name":"Microsoft.Windows.Shell.SystemSettings.RegionSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{912e9b77-ddd9-4a29-b141-57bd23981cce}","name":"Microsoft.Windows.ErrorHandling.Fallback.SettingsHandlers_SharedExperiences","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{080e197d-7cc1-54a3-e889-27636425992a}","name":"Microsoft.Windows.Shell.ShareUXSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{35437a7a-1330-4383-85e9-d596970932b0}","name":"Microsoft.Windows.Settings.TelemetryPage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{db7bd825-b56f-48c4-8196-22bc145ddb08}","name":"Microsoft.Windows.Shell.SystemSettings.SIUF","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8648e819-0883-4904-b730-d76d8498b521}","name":"Microsoft.Windows.DeviceDelete","group":"5ecb0bac-b930-47f5-a8a4-e8253529edb7"},{"guid":"{196cbdd6-30a9-5a27-827c-3df2debdb688}","name":"Microsoft.Windows.SystemSettings.SettingsHandlers.SpeechPrivacy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ca68509f-ca73-462d-8ca6-39c1b5534ee1}","name":"Microsoft.Windows.SystemSettings.SettingsHandlers.VoiceAgentActivation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{830a1f34-7797-4e31-9b75-c82056330051}","name":"Microsoft.Windows.Shell.SystemSettings.StorageSense","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0ae9ad8e-d4d3-5486-f015-498e0b6860ef}","name":"Microsoft.Windows.Shell.SystemSettings.UserPage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{80b3ff7a-bab0-4ed1-958c-e89a6d5557b3}","name":"Microsoft.Windows.Shell.SystemSettings.WorkAccessHandlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e43b858-f3d9-5db1-0070-f99259784399}","name":"Microsoft.Windows.Desktop.Shell.LanguageOptions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3d4b08aa-1df6-4549-b479-cf49b47cfcd3}","name":"Microsoft-Windows-BackupAndRoaming-SyncHandlers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{278c595e-310c-5d49-0cca-546ce8745f9e}","name":"Microsoft.Windows.Shell.SyncOperation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{40ba871e-4c49-41bc-a90c-753ff294f160}","name":"Microsoft.Windows.BackupAndRoaming.SyncOperations","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{139299bb-9394-5058-dd33-9422e5903fc3}","name":"Microsoft.Windows.SetupApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0e0fe12b-e926-44d2-8cf1-8a62a6d44036}","name":"Microsoft.Windows.DriverStore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0049e0a6-9b4c-45e9-8d29-c500e7b8d3c4}","name":"Microsoft.Windows.Setup.SetupClnPlugin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3b7c742a-c2d7-5a46-ba41-0671001763db}","name":"Microsoft.Windows.Oct.Broker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c688cf83-9945-5ff6-0e1e-1ff1f8a2ec9a}","name":"Microsoft.Windows.Oct.Enclave","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e04eb256-d603-52d7-7adc-20fb4649e7bf}","name":"Microsoft.Windows.Oct.Lpac","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7a53431e-04d5-5d14-72aa-b8e9714e77db}","name":"Microsoft.Windows.SharedPC.SharedPCCSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9d60ed7f-7714-4815-8fe8-1d9e8095fc5b}","name":"Microsoft.Windows.Analog.SharingAndPersistence","group":""},{"guid":"{d95a57f7-0cbf-452e-a874-df7ddff55a51}","name":"Microsoft.Windows.Analog.SurfaceReconStore","group":""},{"guid":"{16bbe284-cdd9-4a5a-953e-a59be6d222c2}","name":"Microsoft.Windows.Analog.SpatialSharing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8cde46fc-ca33-50ff-42b3-c64c1c731037}","name":"Microsoft.Windows.Application.SharePlatform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{810d9efb-88db-54ff-3703-9f5e54cc74fb}","name":"Microsoft.Windows.Launcher.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{25756703-e23b-4647-a3cb-cb24d473c193}","name":"Microsoft.Windows.Application.NearSharePlatform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{76d1c1d6-4cee-5e0c-ee01-cd252eef4036}","name":"Microsoft.Windows.Launcher.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0c4c1871-8b0c-4577-9471-0b45454adf50}","name":"Microsoft.Windows.Shell.SHCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{79172b48-631e-5d2c-9f04-1ad99f6e1046}","name":"Microsoft.Windows.Desktop.Shell.Shell32","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{382b5e24-181e-417f-a8d6-2155f749e724}","name":"Microsoft.Windows.ShellExecute","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4a9fe8c1-cde0-5f0a-f472-69b949097daf}","name":"Microsoft.Windows.Shell.Desktop.IconLayout","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dc140d17-88f7-55d0-fcb1-068435d69c4b}","name":"Microsoft.Windows.Shell.RunDialog","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8d07cb9d-ca74-44e4-b389-c7068a51393e}","name":"Microsoft.Windows.Shell.IconCache","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{75d2b56f-3f9d-5b1c-0792-d243507f67ce}","name":"Microsoft.Windows.Shell.PostBootReminder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59a36fc6-225a-41bf-b1b4-b558a37798cd}","name":"Microsoft.Windows.Shell.CoCreateInstanceAsSystemTaskServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6b2cb30d-2176-5de5-c0f5-65aedfbb1b1f}","name":"Microsoft-Windows-Desktop-Shell-Personalization","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3ec39f17-6102-5c82-eb27-24a2d01672ff}","name":"Microsoft.Windows.Shell.InfraCriticalFailure","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9399df73-403c-5d8f-70c7-25aa3184c6f3}","name":"Microsoft.Windows.Shell.Libraries","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44db9cfe-6db3-4a53-be9a-3057fa778b50}","name":"Microsoft.Windows.Shell.FileExplorer.Banners","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{87c15c64-40a5-54b5-6283-5c35ee4574f8}","name":"ShutdownDotExe","group":""},{"guid":"{bbc9a2c9-eeed-58d4-9483-6c87118f9ec6}","name":"Microsoft-Windows-ShutdownUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{354f4275-62b7-51b3-44c3-a1cb50ca4bc5}","name":"Microsoft-Windows-WebServicesWizard-OPW","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d48679eb-8aa3-4138-be24-f1648c874e49}","name":"SoftwareUpdateClientTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9906081d-e45a-4f41-a53f-2ac2e0225de1}","name":"SIHTraceLogging","group":""},{"guid":"{0b7a6f19-47c4-454e-8c5c-e868d637e4d8}","name":"WUTraceLogging","group":""},{"guid":"{3b3877a1-ae3b-54f1-0101-1e2424f6fcbb}","name":"SIHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b5367d6-ebeb-5e35-cc39-476f46842ddc}","name":"Microsoft.Windows.Security.SmartCards.CredProv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b6f4ae91-7458-5c7f-0ca8-0c7838c7372c}","name":"Microsoft.Windows.SMB.WMIProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d09ba4f-d4d0-49dd-8bdd-deb59a33dfa8}","name":"Microsoft.Windows.Storage.SmpHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46dc5dcf-095f-4157-aaee-dd6ae23720e0}","name":"Microsoft.Windows.Cellcore.SmsRouter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{21063878-2959-42ea-a85a-0da1ab119c03}","name":"Microsoft.Windows.Kernel.Smss.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d947e748-4f27-5873-2d09-d027f5c13d11}","name":"Microsoft.Windows.Audio.SndVolExe","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{988d3214-258a-5407-de36-b2e376de9590}","name":"Microsoft.Windows.Shell.SystemTray.Volume","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{067a3a61-e60d-5614-7fe9-a25b3a4df183}","name":"Microsoft.SnippingTool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a9c7961e-96a0-4e3f-9066-7734a13101c1}","name":"Microsoft.Windows.Storage.SpaceControl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0254f21f-4809-477e-ad36-c812a8c631a1}","name":"Microsoft.Windows.Storage.Spaceman","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8610d647-7680-56eb-eebf-91ab889f2dc7}","name":"Microsoft.Windows.Audio.SpatializerApo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bad49e08-45be-4e45-becf-29965aa7d967}","name":"Microsoft.Windows.Analog.SpatialStore","group":""},{"guid":"{fbe1ed0a-6623-5251-70e3-9b6ccbfde8fe}","name":"Microsoft.Windows.Analog.Spectrum.Activity","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{32bd5542-afcb-569e-4d02-ebe0e08bde8e}","name":"Microsoft.Windows.Analog.Spectrum.TrackingDiagnostics","group":""},{"guid":"{96a898de-f347-55bf-0ccc-ae363e62c2cf}","name":"Microsoft.Windows.Analog.SpatialJournal","group":""},{"guid":"{c0d0fe1d-53e4-5b98-71d7-c51fe5c10003}","name":"Microsoft-Windows-Shell-CortanaNL","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3c74ab1-e7fd-5210-ba29-df7355905351}","name":"Microsoft.Windows.Shell.CortanaXDevice","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{94041064-dbc2-4668-a729-b7b82747a0c2}","name":"Microsoft.Windows.Shell.CortanaReminders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{095549db-a97e-5db6-7540-510ebf851697}","name":"Microsoft.Windows.Analog.Speech.CDPDeviceDisambiguation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f433b6cd-9505-5653-36c2-d88a43d980c4}","name":"Microsoft.Windows.Analog.Speech.DeviceDisambiguation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ca176a4a-f27e-51f6-a0f6-8af13b973ef6}","name":"Microsoft.Windows.Analog.NUI.SAPI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bc8b2c32-e484-5ee8-fe64-f7a94cbd4093}","name":"SAPI.Perf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2a8bc2a0-4cf9-5429-c90c-f5cd30dc6dd1}","name":"Microsoft.Windows.Analog.Speech.RecognizerServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{07f283ce-2538-5e77-44d2-04212575a63d}","name":"Microsoft.Windows.Analog.Speech.RecognizerClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e4c4b1db-812b-5e8d-3c9f-1b22eebc1191}","name":"Microsoft.Windows.Analog.Speech.Activity","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1b5d7521-f0c0-5486-84be-4f0e53ce3e50}","name":"Microsoft.Windows.Media.Speech","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d027bc7a-578a-5e9c-e8ec-a3bfcf578ec6}","name":"Microsoft.Windows.Analog.Speech.GrammarServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d97a6378-85a9-507b-850e-902065ea9460}","name":"Microsoft.Windows.Analog.Speech.OxygenOnline","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dafaf5dd-d4ba-5bd5-3e44-d0635b7f8f3f}","name":"bing-speech","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7f02214a-4eb1-50e4-adff-62654d1e42f6}","name":"Microsoft.Windows.Media.Speech.RemoteNaturalLanguage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f01d44cc-b0a2-57ac-f47b-32f3b2fca16d}","name":"Microsoft.Windows.Analog.Speech.OneSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f65b3890-19ba-486e-a5f6-0378b356e0ce}","name":"Microsoft.Windows.UserSpeechPreferences","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{96762235-2159-587d-da30-653f038f1d66}","name":"Microsoft.Windows.Media.SpeechRecognition.SharedRuntime","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{760334d6-b026-527d-1f84-d6c957eb81d4}","name":"Microsoft.Windows.TextInput.DictationCommands","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9ce214ea-6d38-5774-ce4d-9bedf62e4ff3}","name":"Microsoft.Windows.Media.Speech.Settings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{663c59e1-bf59-55a4-fcdd-8c93569dcc5b}","name":"Microsoft.Windows.Analog.Speech.VoiceEnabledShell","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{868702a6-6e88-4bf3-b1ae-1b9d0e5c2531}","name":"Microsoft.Windows.Speech.Shell.DictationActivation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e8067960-862a-4370-8585-ee2b1bc4e7d6}","name":"Microsoft.Windows.Print.Brm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b4d2914c-ff23-403b-babf-f0755fb060fe}","name":"Microsoft.Windows.Print.SpoolerService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f4576912-c358-4374-a354-9040d45abcc1}","name":"Microsoft.Windows.Licensing.Sppc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5d473d89-8be8-4ac9-a48a-8d2950c9820b}","name":"Microsoft.Windows.Licensing.SppcExt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8c8ebb7e-a4b7-4336-bddb-4a0aea0f535a}","name":"Microsoft.Windows.Sysprep.PnP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0b0f7909-8154-4de2-bdc6-16467e3b2a7a}","name":"Microsoft.Windows.Licensing.SppSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f078bf2-1746-40ce-8a11-6c1fd97b16ec}","name":"Microsoft.Windows.Licensing.SppSvc.WinAgent","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d535875-af13-46c2-a85f-a93caf2c5006}","name":"Microsoft.Windows.Shell.SearchOptions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{045af240-9ba2-4daa-878a-0c641f2de5f0}","name":"Microsoft.Windows.SRUM.ApiUsage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1c58b436-ed03-4184-8b7d-e761a817f345}","name":"Microsoft.Windows.SrumSvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5423b552-86b5-5c32-ab1e-f7f70e8e8a47}","name":"Microsoft.Windows.Audio.Service.SSDM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a6d3c9ac-9128-522a-495a-1821191173c2}","name":"Microsoft.Windows.Security.Sspicli","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f2cdc8a0-af2c-450f-9859-3251cce0d234}","name":"WindowsInternal.Shell.UnifiedTile","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6054c188-3abb-52fc-f71e-2000ed278a2d}","name":"Microsoft.Windows.ShellCommon.AppInstallation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1a554939-2d19-5b10-ceda-ee4dd6910d59}","name":"Microsoft.Windows.ShellCommon.StartLayout","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6cfc5fc0-7e30-51e0-898b-57ac43152695}","name":"Microsoft.Windows.Shell.DataStoreTransformers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c45c91e9-3750-5f9d-63c2-ec9d4991fcda}","name":"Microsoft.Windows.Shell.CloudStore.Internal","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{66feb609-f4b6-4224-bf13-121f8a4829b4}","name":"Microsoft.Windows.Start.SharedStartModel.Cache","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a331d81d-2f6f-50de-2461-a5530d0465d7}","name":"Microsoft.Windows.Shell.DataStoreCache","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2d069757-4018-5cf0-e4a2-bf70a1a0183c}","name":"Microsoft.Windows.Shell.MRTTransformer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45d87330-ffec-4a95-9f07-206a4452555d}","name":"Microsoft.Windows.Start.ImageQueueManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{71b010ed-e0a3-4c1e-8be2-ba763939e6a0}","name":"Microsoft.Windows.Scan.WiaComApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eb35548f-b147-5671-4a59-c008860735bf}","name":"Microsoft.Windows.Scan.ClassInstaller","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9cd954e1-c547-52c4-50c7-1a3f5df69321}","name":"Microsoft.Windows.Shell.SystemTray","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{32397015-9747-409c-98be-b3caa2233bd5}","name":"Microsoft.Windows.DeviceUx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f4236699-b312-4a7a-923b-ad081afd7fbe}","name":"Microsoft.Windows.Storage.StorageUsage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9282168f-2432-45f0-b91c-3af363c149dd}","name":"Microsoft.Windows.Storage.StorageWMI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{88b892c2-fccd-4881-946a-032897f954b0}","name":"SmpPassThru Trace Provider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aea3a1a8-ea43-4802-b750-2dd678910779}","name":"Microsoft.Windows.Storage.StorageService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{778b9d2f-545b-47b0-98e9-28b9b8ca8c6a}","name":"Microsoft.Windows.Storage.StorageHealth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f5273e8b-490f-4008-9416-bc6c72aebfbc}","name":"Microsoft.Windows.Storage.StorageDiskMonitor","group":""},{"guid":"{265551fa-4f81-4678-8afb-497821a795ca}","name":"Microsoft.Windows.Storage.Cleanup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06184c97-5201-480e-92af-3a3626c5b140}","name":"Microsoft.Windows.SvchostTelemetryProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b8a83f1e-34c0-4e25-8310-44f46803940c}","name":"Microsoft.Windows.Analog.SVF","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{509b009b-d8eb-4f7d-a12b-a23218bfca84}","name":"Microsoft.Windows.OneSync.SyncController","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59421743-e463-513c-497e-61d584e31710}","name":"MicrosoftWindowsDeviceStageSync","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c703213f-16b2-4ed1-b654-4e7bb99b569f}","name":"Microsoft.Windows.OneSync.SyncUtil","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8857cd15-8821-498e-9c38-de67f0e51e1a}","name":"Microsoft.Windows.SystemEventsBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7765ec18-099f-424b-85f0-c639eb677de2}","name":"Microsoft.Windows.CSystemEventsBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bcb6ba09-84a1-48a7-b1c2-42cb89f39007}","name":"Microsoft.Windows.UserPresencePredictor.HistoryPredictor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0cec0fe2-9fb4-11e6-8679-480fcf549e24}","name":"Microsoft.Windows.CleanPC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e6fcf13b-1ab7-4236-823b-0c0cf5c589d5}","name":"Microsoft.Windows.Upgrade.Uninstall","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{2544ba03-ac8c-5025-957d-eb482095bc11}","name":"Microsoft.Windows.Shell.SystemSettings.DataModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e3bfeaae-cb1d-5f12-e2e5-b9d2d7ca7bf0}","name":"Microsoft.Windows.Shell.SystemSettings.Devices","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{62a9c2d5-8b5d-52f9-c99b-bcfc37b606c5}","name":"Microsoft.Windows.Shell.SystemSettings.UserAccountsHandlers","group":""},{"guid":"{2e07964e-7d10-5d8e-761d-99b038f42bb6}","name":"Microsoft.Windows.Shell.SystemSettings.AdminFlow","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a306fcf9-ad27-5c4d-f69a-22506ef908ad}","name":"Microsoft.Windows.Shell.SystemSettings.RemoteDesktopAdminFlow","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3e8fb07b-3e10-5981-01a9-fbd924fd5436}","name":"Microsoft.Windows.Shell.AssignedAccessSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{57d940ae-e2fc-55c3-f31b-253c5b172135}","name":"Microsoft.Windows.Shell.SystemSettings.ManageUser","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e881df47-b77c-48c5-b321-1454b88fdd6b}","name":"Microsoft.Windows.Shell.SystemSettings.ManageOrganization","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{068b0237-1f0a-593a-bc39-5155685f1bef}","name":"Microsoft.PPI.Settings.AdminFlow","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6dd3a4c0-0119-5e7e-8678-76247cd32afc}","name":"Microsoft.Windows.Holographic.Uninstall","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0ae92c9d-6960-566e-221f-5784660d04c3}","name":"Microsoft.Windows.Fonts.FontEmbedding","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d6eac963-c24f-434d-be23-4aa21904148f}","name":"Microsoft.Windows.UserDataAccess.TaskApis","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d87dc85e-1bb8-58b1-1c09-04b89c4cd06d}","name":"Microsoft.Windows.Shell.TaskFlow.DataEngine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4586c77c-f490-5463-f715-465903978476}","name":"Microsoft.Windows.Shell.TaskFlow.DataEngine.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2e635d8e-1107-4555-9319-32eeb895aaae}","name":"Microsoft.Windows.Taskmgr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7acf487e-104b-533e-f68a-a7e9b0431edb}","name":"Microsoft.Windows.Security.TokenBroker.BrowserSSO","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{077b8c4a-e425-578d-f1ac-6fdf1220ff68}","name":"Microsoft.Windows.Security.TokenBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{594bf743-ce2e-48ee-83ee-3d50a0add692}","name":"Microsoft.Windows.AppModel.TileDataModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{088a803b-578d-41b1-9402-92b7ceb380c8}","name":"Microsoft-Windows-Telephony-TelephonyInteractiveUser","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1ac684f9-187b-400f-9cec-3ec143cc6610}","name":"Microsoft.Windows.Apps.TelephonyInteractiveUser","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5283d5f6-65b5-425f-a30b-f16c057d6b57}","name":"Termsrv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f8c7b9d6-f389-4656-bc33-877616a01fe5}","name":"TetheringService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{585cab4f-9351-436e-9d99-dc4b41a20de0}","name":"PCTetheringStation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{64aa695c-9c53-58ad-2fe7-9358ab788507}","name":"Microsoft.Windows.Shell.Desktop.Themes","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c11543b0-3a34-4f10-b50b-4ddb76ff2c6e}","name":"Microsoft.Windows.Shell.ThumbnailCache","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6971cad2-d856-417f-b84d-383a6144fb11}","name":"Microsoft.Windows.Storage.Tiering.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0a9a90c8-9417-482d-b517-df1774c8f404}","name":"Microsoft.Windows.TimeBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{feabe86d-d7a7-5e6d-9665-92819bc73768}","name":"Microsoft.Windows.Desktop.Shell.TimeDateOptions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{13f3da1b-c22c-4cb1-8c77-ed37787953e9}","name":"Microsoft.Windows.W32Time.Sync","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{27445658-7f9c-465c-a1e9-894c5cb6cd59}","name":"Microsoft.Windows.Security.TokenBinding","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{470baa67-2d7f-4c9c-8bf4-b1b3226f7b17}","name":"Microsoft.Tpm.ProvisioningTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3a8d6942-b034-48e2-b314-f69c2b4655a3}","name":"Microsoft.Tpm.DebugTracing","group":""},{"guid":"{a935c211-645a-5f5a-4527-778da45bbba5}","name":"Microsoft.Tpm.HealthAttestationCertificateTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8d9160d6-2bbe-5a07-45c9-bcea3a8f8e2c}","name":"Microsoft.Windows.Security.SmartCards.TpmVscDll","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d89744af-d6b7-5f1d-39bc-0d9796449549}","name":"Microsoft.Windows.Security.SmartCards.TpmVscMgrClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e8549ae1-cd73-5b5a-dc29-d1bc360e66ea}","name":"Microsoft.Windows.Security.SmartCards.TpmVscMgrServerLocal","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2745a526-23f5-4ef1-b1eb-db8932d43330}","name":"Microsoft.Windows.Security.TrustedSignal","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{89db9eac-5750-580c-39d6-6978396822dd}","name":"Microsoft.Windows.TextInput.Gip","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d49f5fdd-c4ab-47bd-bd68-a9a8688a92ab}","name":"Microsoft.Windows.TextInput.Gip.Perf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6be754e7-f231-4db7-a9b6-3720f91a7ad2}","name":"Microsoft.Windows.TextInput.Gip.LegacyBopomofo.Perf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e5d358d3-8e39-5679-3f81-ea85a6397ff7}","name":"Microsoft.Windows.TextInput.GipTypingStatistics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c0ac3923-5cb1-5e37-ef8f-ce84d60f1c74}","name":"Microsoft.Windows.TSSessionUX","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9ed727c4-4ab6-4b66-92d7-2072e87c9124}","name":"tssrvlic","group":""},{"guid":"{b6dc7658-6074-5509-926b-7d0ca235b8da}","name":"EAPTtlsEvents","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6b70202e-8726-4134-964b-ead79143d203}","name":"Microsoft.Windows.PreviousVersions.UI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bc71577f-76e9-583a-ecd6-62d0250d900f}","name":"Microsoft.Windows.ProcessStateManager.AppLibrary","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{caa8cfe8-7cec-451e-b49f-6e60af56061e}","name":"Microsoft.Windows.ComponentUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{55e357f8-ef0d-5ffd-a4dd-50e3d8f707cb}","name":"Microsoft.Windows.Desktop.Shell.CoreApplication.CoreApplicationView","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a9da4dcc-e78e-5ce7-4078-411a9928f082}","name":"Microsoft.Windows.CoreApplication","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{55e357f8-ef0d-5ffd-a4dd-50e3d8f707cb}","name":"Microsoft.Windows.Desktop.Shell.TwinApi.ApplicationView","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{31442aba-1fd2-5680-a7e1-87bfa73b43a8}","name":"Microsoft.Windows.TWinAPI.MaterialProperties","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf10565a-6a01-587b-3d6e-82f5f7e8d1fb}","name":"Microsoft.Windows.Desktop.TwinApi.ProjectionManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{150d19f3-9557-5d5d-c24b-337ee2251ff6}","name":"Microsoft.Windows.Application.ShareManagerApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{53e167d9-e368-4150-9563-4ed25700ccc7}","name":"Microsoft.Windows.Shell.ExperienceHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1223ad99-9d25-4dd4-9402-b2e665fdce9d}","name":"Microsoft.Windows.Shell.CortanaActionableInsights","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6924642c-34a3-5050-2915-053f31e18534}","name":"Microsoft.Windows.Shell.CoreApplicationBridge","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1ee8ca37-11ae-4815-800e-58d6bae1fef9}","name":"Microsoft.Windows.Shell.SystemSettings.SettingsPane","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fa386406-8e25-47f7-a03f-413635a55dc0}","name":"TwinUITraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8149c640-2f6e-4f26-8cb7-9f9f8476bdab}","name":"Microsoft.Windows.Storage.Pickers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b4b0f6fc-2f02-4a1a-9ef3-22ad06dea7b7}","name":"Microsoft.Windows.Shell.ModernShare","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4e2b1375-f519-50a6-bfae-8c8a1a82d708}","name":"Microsoft.Windows.Shell.BackgroundActivityModerator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8a1618e5-ae3a-41d6-a637-870ea619986a}","name":"Microsoft.Windows.Shell.GameMode","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b0c2561-285f-46bb-9229-09d11947ae28}","name":"Microsoft.Windows.Desktop.Shell.AccessibilityDock","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c17f56cb-764e-5d2d-3b4e-0711ad368aaf}","name":"Microsoft.Windows.Shell.ApplicationHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e3185da8-ecf4-4051-8bf1-8b6602e3577d}","name":"Microsoft.Windows.Launcher.Desktop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1608b891-0406-5011-1238-3e93b292a6ef}","name":"Microsoft.Windows.Shell.Autoplay","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a784a54d-0679-43e5-ab3b-0a45224c357a}","name":"Microsoft.Windows.Desktop.Shell.TwinUI.BroadcastDVR","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{11edfcd0-4920-470f-8e6c-c66dbfe11e98}","name":"Microsoft.Windows.Media.Capture","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{34581546-9f8e-45f4-b73c-1c0ac79f7b20}","name":"Microsoft.Windows.Shell.PenWorkspace.ExperienceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1abbdeea-0cf0-46b1-8ec2-daad6f165f8f}","name":"Microsoft.Windows.Shell.SystemSettings.HotKeyActivation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed576cec-4ed0-4e09-9291-67ead252dde2}","name":"Microsoft.Windows.Desktop.Shell.KeyboardOcclusionMitigation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d81f69fc-478d-4631-ad03-44046980bbfa}","name":"MicrosoftWindowsTwinUISwitcher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8bfe6b98-510e-478d-b868-142cd4dedc1a}","name":"Windows.Internal.Shell.ModalExperience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c7b31b56-af44-540c-15ed-eedc45663ece}","name":"Microsoft.Windows.Shell.Chaining","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{158715e0-18df-56cb-1a2e-d29da8fb9973}","name":"Microsoft.Windows.Desktop.Shell.MonitorManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{08194e35-5511-4c06-9008-8c2ce1fe6b52}","name":"Microsoft.Windows.Shell.MSAWindowManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8911c0ab-6f93-4513-86d5-3de7175dd720}","name":"Microsoft.Windows.Shell.NotesManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{69ecab7c-aa2d-5d2e-e85c-debcf6fc9016}","name":"Microsoft.Windows.Desktop.OverrideScaling","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f71512b7-5d8e-41ee-aad8-4a6aebd29d4e}","name":"Microsoft.Windows.Shell.InkWorkspaceHostedAppsManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3635a139-1289-567e-b0ef-71e7adf3adf2}","name":"Microsoft.Windows.Shell.PlayToReceiverManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d2ff0031-cf02-500b-5898-8af98680cedb}","name":"Microsoft.Windows.Shell.ProjectionManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0a29dc1-075e-49be-b358-41624c99061d}","name":"Microsoft.Windows.Desktop.Shell.TwinUI.QuietHoursService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4cd50c2c-1018-53d5-74a1-4214e0941c20}","name":"Microsoft.Windows.Shell.ClickNote","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{50c2b532-05e6-4616-ae28-2a023fe55216}","name":"Microsoft.Windows.Shell.PenSignalManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ebac44e-6e02-44b9-9b82-e283d0e58521}","name":"Microsoft.Windows.Store.StoreFrontHelperTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4fc2cbef-b755-5b53-94db-8d816ca8c9cd}","name":"Microsoft.Windows.Shell.WindowMessageService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c0b1cbf9-f523-51c9-15b0-02351517daf8}","name":"Microsoft-Windows-Explorer-MediaTransportControlsUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc997275-dd8f-5496-5534-35e51b9450e9}","name":"Microsoft.Windows.Shell.Frame.Aggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{35d4a1fa-4036-40dc-a907-e330f3104e24}","name":"Microsoft-Windows-Desktop-ApplicationManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8b5a39e9-7fc8-5ccb-18c9-d410973436a9}","name":"Microsoft.Windows.Shell.TabShell","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{076a5fe9-e0f4-43dc-b246-9ea382b5c69f}","name":"Microsoft.Windows.Desktop.Shell.ViewManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9eea5f6b-c98d-5c42-862b-2f07149d6331}","name":"Microsoft.Windows.Desktop.Shell.FullScreenPositioner","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{36f33387-4ea8-4059-91b0-f01aedb820a2}","name":"Microsoft.Windows.Shell.ShoulderTapExperienceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d3e36643-28fd-5ccd-99b7-3b13c721ee51}","name":"Microsoft.Windows.Shell.StartMenu.Experience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a0cf847c-39d3-5b2f-f2ef-9fe3a78818b2}","name":"Microsoft.Windows.Shell.TouchpadControllerExperienceManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f1aeff7c-f56d-58e0-806f-a7733dc08637}","name":"Microsoft.Windows.Shell.LockScreenService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{90daf745-441f-5ce8-8f21-b0ea9d6ea6d4}","name":"Microsoft.Windows.Shell.PenWorkspaceBroker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e83c4d17-8009-5d9f-0cb4-53584ef324d9}","name":"Microsoft.Windows.Desktop.Shell.PrivilegedOperations","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{467247af-d1bb-5ab6-b8c9-0b056bc16247}","name":"Microsoft.Windows.Holographic.Positioner","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ae72295-6082-555d-994a-c0f69276aca1}","name":"Microsoft.Windows.Holographic.Win32BackedViewHostItem","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{813d08ca-6076-428b-bfe3-7258a067755a}","name":"Microsoft.Windows.Shell.TabCompanion","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{15322370-3694-59f5-f979-0c7a918b81da}","name":"Microsoft.Windows.Desktop.Shell.ViewManagerInterop","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5da629ce-0eb8-5967-329d-cd3892edb6bc}","name":"Microsoft.Windows.Shell.XamlSwitcher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c3af4b8a-c24f-56d4-ce67-def9f522a0dd}","name":"Microsoft.Windows.Shell.TouchKeyboardExperience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9bfec32d-7619-4994-a0eb-4c772392546c}","name":"Microsoft.Windows.Shell.CustomShellHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e68dcb1e-228c-5737-10cb-3668a9d19a5c}","name":"Microsoft.Windows.FamilySafety.AppUsage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bcce86fc-febd-4f2d-8e42-e277ba2b524c}","name":"TzautoupdateProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0c24d94b-8305-4d60-9765-5affd5462872}","name":"Microsoft.Windows.Udwm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c7a6e2fd-24f6-48fd-aad8-03ee14faf5ce}","name":"Microsoft.Windows.Dwm.WindowFrame","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ffdb63bc-4194-5395-03d2-f8c9165e1b94}","name":"Microsoft.Windows.Dwm.AnimationClock","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{53b7f054-68fd-5c77-b92d-e54340f38968}","name":"UiaManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e65c8fc-3cfe-412a-b793-d36d2185a831}","name":"Microsoft.Windows.UIAutomation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a91b83dc-8f8d-533b-c174-1350400a3828}","name":"Microsoft.Windows.Ribbon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{66ba1a86-43c6-41ac-955b-28b520db532a}","name":"Microsoft.Windows.Kernel.Pdc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{55d407f6-b994-49f1-95e7-9a3e4b628f46}","name":"Microsoft.Windows.PowerService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{845d84d3-8996-4508-8688-3fea3a426915}","name":"Microsoft.Windows.Power.EnergyMeter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d50e07bd-fce3-5ad6-a715-cfc122637512}","name":"Microsoft.Windows.Power.Dimming","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{68c97e16-c170-4c1b-bc4b-7cb3a5b04023}","name":"Microsoft.Windows.Power.AdaptiveStandby","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f56280a-220a-441e-84ee-c32e60be65c5}","name":"Microsoft.Windows.Power.Toast","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0506a50c-1b17-486c-80d7-04f7e128e3cc}","name":"Microsoft.Windows.Power.SleepStudy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cb76d769-a1ed-4fb1-98c3-266951610fd8}","name":"Microsoft.Windows.UserDataAccess.Unistore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{969bfdc0-0a9e-550e-1b0b-0b8b3386ba7a}","name":"Microsoft.Windows.UpdateNotificationPipeline","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9eaeed65-78d4-5bf1-16cc-9fda3efa8958}","name":"Microsoft.Windows.UpdateCsp","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{f27df866-c85a-518e-f34a-dc6fddbcd0c9}","name":"UpdateDeploymentProviderTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d6b029ac-41f1-5386-35e4-2de118c26ab6}","name":"UpdateDeploymentProviderTracing","group":""},{"guid":"{46b13027-2dfd-46e1-832d-e41e2810e6e5}","name":"Microsoft.Windows.Upfc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{09b30eb7-9d78-2d64-9274-62b0d5571130}","name":"Microsoft.Windows.WindowsToGo","group":""},{"guid":"{0eb27784-7b75-4b98-90da-7f6bc2668d56}","name":"MicrosoftUsbHidCeipProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3fc887c9-c23f-59cd-88b5-a6086f4bbc9e}","name":"Microsoft.Windows.Print.USBMon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{15e77116-7ce1-4a0e-a2b5-4c458d9ad18c}","name":"Microsoft.Windows.Shell.SystemSettings.Usb","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5f057942-9ba1-49f3-a80b-ea7bc27108c0}","name":"Microsoft.Windows.SystemToast.Usb.Notification","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0910e25-6fcc-4f32-8f5e-a42cf7acc5c3}","name":"Microsoft.Windows.OneCoreTransforms","group":""},{"guid":"{f25bcd2e-2690-55dc-3bc4-07b65b1b41c9}","name":"Microsoft.Windows.User32","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c2f1fb96-72f6-40ff-a504-fb0b70bdef24}","name":"Microsoft.Windows.Shell.UserCpl.Cpls","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fe03fa65-4f8d-5008-f5d6-7a21eb5e3d23}","name":"Microsoft.Windows.Shell.UserCpl.Taskflow","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{553ebe04-ceb2-47ee-b394-bb83b97de219}","name":"Microsoft.Windows.UserDataAccess.UserDataAccounts","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{15773ad5-aa2f-422a-9129-4a83f4c19db0}","name":"Microsoft.Windows.UserDataAccess.UserDataService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{519b3601-c289-44fb-b3e4-a05841d2790d}","name":"Microsoft.CAndE.ADFabric.WinRT.NGC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d5ee9312-a511-4c0e-8b35-b6d980f6ba25}","name":"Microsoft.Windows.Shell.Userenv","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e85651d-3ff2-4733-b0a2-e83dfa96d757}","name":"UserMgrSvcTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a198ad71-4f5e-4bc2-9a60-7cafb76f4e3c}","name":"Microsoft.Windows.UserMgr.UserModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f0b53a1f-c7eb-41c3-8e61-cea11271858f}","name":"Microsoft.Windows.Security.CandidateAccountManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a8b932c2-51ec-5c22-63fc-0115fd79b9e0}","name":"Microsoft.Windows.Update.Orchestrator.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{43ac453b-97cd-4b51-4376-db7c9bb963ac}","name":"Microsoft.Windows.UtcDecoderHost","group":""},{"guid":"{55c509d7-c517-4078-98e8-6031326b2d6d}","name":"Microsoft.Windows.UvcModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5162d6d9-3723-553e-a74c-7d8f986c5d3d}","name":"Microsoft.Windows.Storage.Uwf","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{673cf800-208a-5327-3f4b-2be44a66627a}","name":"Microsoft.Windows.UxTheme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d50a5002-97cb-46df-93c8-94ce03beed99}","name":"Microsoft.Windows.Audio.Service.VAC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f3647e0d-cb56-4837-a268-981eb18a5b46}","name":"Microsoft.Windows.Audio.ASA.PathFinder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f045463-a602-4891-b732-1b6572d54dbe}","name":"Microsoft.Windows.Audio.Service.ASA.Triton","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f2c1ee5-1dfd-519b-2d55-702756f5964d}","name":"Microsoft.Windows.Security.Vault.Cds","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6cb2326f-8998-539d-fd24-dffe22f9bca3}","name":"Microsoft.Windows.Security.Vault.WebAccount","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e45534fa-fc44-5ee1-4472-7369a4d1ce36}","name":"Microsoft.Windows.Security.Vault.Credentials","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a15c1ac4-a508-59ae-3158-275f96f30cb8}","name":"Microsoft.Windows.Security.Vault.Roaming","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4ca869f9-d720-449f-a322-28d0d1763e50}","name":"Microsoft.Windows.Security.Credlocker.Critical","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1b7da76e-0a98-4e71-a9a5-dfd0a5262c13}","name":"Microsoft.Windows.Security.Credlocker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ead10f56-e9d4-4b29-a44f-c97299de5085}","name":"Microsoft.Windows.Storage.VDS.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ead10f56-e9d4-4b29-a44f-c97299de5090}","name":"Microsoft.Windows.Storage.VDS.BasicDisk","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b698003-2db1-5618-d2e2-a7a137e494be}","name":"Microsoft-Windows-Verifier","group":""},{"guid":"{a9bc635d-4b98-4327-90a1-1d0b8f45bf5a}","name":"WindowsDriverVerifierUi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b95c2fff-e9de-4327-93b1-1d5b8445bf7e}","name":"Microsoft.Windows.DriverVerifier.UiGui","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8e4a203f-3d8a-5e7c-15d5-d1c1f7cd1270}","name":"Microsoft.Windows.Srum.VfuProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f2163a3-12a6-40fa-8719-8bf5b8c3840b}","name":"Microsoft.Windows.Media.Settings.Video","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{719a808e-e4d8-55f1-1b63-5dd599d0030d}","name":"Microsoft.Windows.Shell.SystemSettings.VideoPlaybackHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dcadf22a-dbc1-5e55-467b-1c7f36cc46cc}","name":"Microsoft.Windows.TextInput.VocabRoamingHandler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b8efdc71-988b-50be-86bb-0f97b0a3a7c8}","name":"Microsoft.Windows.Audio.VoiceActivationManager","group":""},{"guid":"{6fc36b25-61ac-5e62-b785-94b344e0702b}","name":"Microsoft.Windows.Audio.VoiceActivationManager2","group":""},{"guid":"{6f63aefb-2229-5444-c3b1-519681ab0654}","name":"Microsoft.Windows.Apps.VoipRTProviders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bd1a62ed-263b-4a66-a574-1f43c79c64be}","name":"Microsoft-Windows-Telephony-VoipRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{efd89d89-6b12-4467-bbfa-8122c589e066}","name":"Microsoft.Windows.Networking.VpnCsp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{13185d0b-b630-41fe-8489-9c6dd63d487d}","name":"Microsoft.Windows.DxCapture.Trace","group":""},{"guid":"{9122168f-2432-45f0-b91c-3af363c149dd}","name":"Microsoft.Windows.Storage.VSSTraceLogProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8ee3a3bf-9379-4dac-b376-038f498b19a4}","name":"Microsoft.Windows.W32Time","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec4ba041-1dfe-5f76-ef6d-0251da19d178}","name":"Microsoft.Windows.WaaSAssessment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{76ad4308-df7c-5f43-e668-fcea4fa1179d}","name":"Microsoft.Windows.WaaSMedic","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{30d25124-a468-505c-de82-8411646eb8b5}","name":"Microsoft.Windows.WaaSMedic.Local","group":""},{"guid":"{3c3e4665-d776-516b-4898-7c276dc36fc3}","name":"Microsoft-Windows-Mobile-Shell-Wallet","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a76dba2c-9683-4ba7-8fe4-c82601e117bb}","name":"Microsoft.Windows.DeviceManagement.WmiBridge","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab84611c-2678-5cd7-d292-c940f9be6c6d}","name":"Microsoft.Windows.AssignedAccess.Wmi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{81462b17-77ef-4541-a5dc-437d78893faa}","name":"Microsoft.Windows.Print.Powershell","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3d091993-4dcf-426e-95c4-1c398ccfba04}","name":"Microsoft.Windows.WMIC.UsageStats","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{864d2d93-276f-4a88-8bce-d8d174e39c4d}","name":"Microsoft.Windows.SystemImageBackup.Engine","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{39a5aa08-031d-4777-a32d-ed386bf03470}","name":"Microsoft.Windows.Security.Biometrics.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8ce2286c-3705-4a2a-8e36-134eae9ca147}","name":"Microsoft.Windows.Containers.DynamicImage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b6a9c8ba-70de-42e4-88de-001a041b0768}","name":"Microsoft.Windows.ConnectionManager.WcmApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2551390d-5927-5c84-6f0a-027a7e78d38d}","name":"Microsoft.Windows.Containers.Storage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{08f93b14-1608-4a72-9cfa-457eecedbba7}","name":"WebIo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{db5afa36-72be-5ee9-fb28-349ccdfc00ad}","name":"Microsoft.Web.Platform.IDBServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{49d0c8d6-b62d-4dd3-a746-19f23dccd082}","name":"Microsoft.Windows.App.Browser.Scenarios","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{68431dca-6bcf-5940-0c0b-aab1138dc054}","name":"Microsoft.Windows.Shell.ControlPanel.ProblemReportsAndSolutions","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2b87e57e-7bd0-43a3-a278-02e62d59b2b1}","name":"Microsoft.Windows.WERVertical","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{97945555-b04c-47c0-b399-e453d509a5f0}","name":"Microsoft.Windows.WERSecureVertical","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3e0d88de-ae5c-438a-bb1c-c2e627f8aecb}","name":"Microsoft.Windows.HangReporting","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{bf30465b-e93c-46fd-9cdf-f41c8904a01f}","name":"EventLogEvents","group":""},{"guid":"{1248334e-ac1e-4c8e-b439-e619bd6d0a27}","name":"EventLogActivityTracing","group":""},{"guid":"{359bb287-a373-4385-a69f-6a2f1bb6583b}","name":"Microsoft.Windows.Networking.Wlan.Wfdprov","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d7387e51-2d09-56cb-7e90-2383a30dcdee}","name":"Microsoft.Windows.Networking.WFDSConMgr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d48bd25-8b17-5235-b9f5-bf81f943fe74}","name":"Microsoft.Windows.Shell.FaxScanApp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{91dfdc3a-0eda-40d4-8c40-6b2c20b3c4bd}","name":"Microsoft.Windows.Scan.WiaAutomation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{357f3153-b5a1-43d7-a119-52ddfa837ccb}","name":"Microsoft.Windows.Scan.WiaTwainCompat","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b9b6ce1a-9ce4-4ec8-8e0a-b6db33722c61}","name":"Microsoft.Windows.Scan.WiaRpc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63760752-3037-421e-8858-f4e83a65da68}","name":"Microsoft.Windows.Scan.WiaService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99d849fb-d0e5-499d-91da-7081193a11b1}","name":"WirelessDisplay","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8b7650e3-0bd4-458f-b678-34ac4e348b7c}","name":"Microsoft.Windows.WiFiNetworkManager.HotSpotProvisioning","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7a0db36b-2dca-4b50-ab37-b4b15bf8dad7}","name":"WiFiNetworkManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{68d02507-e1b0-4f0b-aa38-3453c19f757a}","name":"Microsoft.Windows.WiFiNetworkManager.WiFiTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7e6b69b9-2aec-4fb3-9426-69a0f2b61a86}","name":"Microsoft.Windows.Win32kBase.Input","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{72a4952f-db5c-4d90-8f9d-0ed3465b315e}","name":"Win32kDeadzonePalmTelemetryProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ce20d1cc-faee-4ef6-9bf2-2837cef71258}","name":"Win32kSyscallLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e75a83ec-ef30-4e3c-a5fb-1e7626e48f43}","name":"Win32kPalmMetrics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{487d6e37-1b9d-46d3-a8fd-54ce8bdf8a53}","name":"Win32kTraceLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aad8d3a1-0ce4-4c7e-bf32-15b2836659b7}","name":"Microsoft.Windows.WER.MTT","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{de5a9d0a-c195-504d-0175-039ac1243837}","name":"Microsoft.Windows.CoreMessaging.CoreMessagingK","group":""},{"guid":"{3ebcc356-dd7c-4ca7-8cd1-3c86c1fe14f5}","name":"Win32kClipboardAggregateProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7b56217d-0850-4170-a032-58d76eed3a6a}","name":"Microsoft.Windows.InkProcessor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{befe1a6f-c0e1-5083-bb46-0d608594a923}","name":"Microsoft.Windows.SimpleHapticsCtrl","group":""},{"guid":"{3a97f069-0082-5b29-e2fc-e0d4773bd777}","name":"Microsoft.Windows.InteractiveCtrl","group":""},{"guid":"{6485849f-3372-4d65-9187-3dc6b28c49cc}","name":"Microsoft.Windows.Print.Win32spl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1b5106b1-7622-4740-ad81-d9c6ee74f124}","name":"Microsoft.Windows.Security.Biometrics.Client","group":""},{"guid":"{4b8b1947-ae4d-54e2-826a-1aee78ef05b2}","name":"Microsoft.Windows.WinBioDataModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fb7f6a77-48d9-5776-fb2e-e0a84d01d993}","name":"Microsoft.Windows.Analog.NUI.Audio.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8a89bb02-e559-57dc-a64b-c12234b7572f}","name":"Microsoft.Windows.Security.Biometrics.StorageAdapter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{beb1a719-40d1-54e5-c207-232d48ac6dea}","name":"Microsoft.Windows.Security.Biometrics.VsmStorageAdapter","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6287d456-dcf1-46a6-b3c4-c57e9461d137}","name":"Microsoft.Windows.WinCorLib.Usage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c11d96bf-1615-4d64-ada3-5803cdbac698}","name":"Microsoft.Windows.Shell.Auth.CredUI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cf5838d7-9fdc-5907-a62c-abd41de9d862}","name":"Microsoft.OneCore.WindowManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{687ae510-1c00-4108-a958-acfa78ecccd5}","name":"Microsoft.Windows.Shell.AccountsControl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6fe0c47-96ef-5d29-c249-c3cecc6f9930}","name":"Microsoft.Windows.Shell.SyncPartnership.Api","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0f51cf13-b9db-47b8-9517-3521db0b2951}","name":"Microsoft.Windows.Shell.AccountsControl.API","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bcad6aee-c08d-4f66-828c-4c43461a033d}","name":"Microsoft.Windows.AI.MachineLearning","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3889f5d8-66b1-44d9-b52c-48ca283ac5d8}","name":"Microsoft.Windows.DataPackage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eadb8f1b-577d-4d09-8104-b61a3d9036e5}","name":"Microsoft.Windows.AppModelRuntimeWinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c5b9724a-38ef-47a0-b2dd-c8b1a4934c38}","name":"StartupTask","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{96319132-2f52-5969-f14c-0d0a171b357a}","name":"Microsoft.Windows.Shell.LockFrameworkUAP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dd2e708d-f725-5c93-d0d1-91c985457612}","name":"Microsoft.Windows.ApplicationModel.Store.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fba941fa-dbd7-4956-96ac-b999b2a0cd4a}","name":"Microsoft.Windows.Cortana.Analog.BrokeredAPI","group":""},{"guid":"{bd0d25d5-698b-4c32-b13a-82827c28217d}","name":"Microsoft.Windows.Cortana.PAL","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{94afb82b-3e13-586e-3bdb-64bb9628ff2f}","name":"Windows.Data.Activities","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{79374c5b-f272-4bd8-99c2-5b6f53fa2ce1}","name":"Windows.PdfApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f5c966d9-a294-5bc4-4bbe-3d37e9b4fe53}","name":"Microsoft.Windows.AllJoyn.WinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c2b1f6c2-adcf-5fb7-dfc1-5ed87be9dfb3}","name":"Microsoft.Windows.Devices.Haptics.Vibration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1964d316-5ec7-496f-82a8-a62c8b164b1a}","name":"Microsoft.Windows.Devices.Lights","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1b136618-e32d-4b3d-839b-73ac494a33fd}","name":"Microsoft.Windows.IoT.Devices","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{aadd3984-67ee-4354-94a1-18f762026c86}","name":"Microsoft.Windows.Devices.Midi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e92355c0-41e4-4aed-8d67-df6b2058f090}","name":"Microsoft-Windows-PerceptionRuntime-Verbose","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{add0de40-32b0-4b58-9d5e-938b2f5c1d1f}","name":"Microsoft-Windows-PerceptionRuntime","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3c27a357-a925-4040-87e4-82e74ef8731e}","name":"Microsoft.IoT.POS.DafDiscovery","group":""},{"guid":"{b069f900-e50f-487e-8bdc-63a6de76e993}","name":"Microsoft.Windows.PointOfService.Api","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d76a5792-ec7e-4bba-9da0-daf32ee61c04}","name":"Microsoft.OSG.IoT.PosRt.Api","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5ab780c8-6398-4497-aecc-cee44dba87d0}","name":"Microsoft.Windows.Print.MS3DDeviceAPI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{df6dca70-9918-455f-86fe-983adc74fa0d}","name":"Microsoft.Windows.Scan.Runtime","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{49d5f264-500b-54ec-0549-b61dbb42265d}","name":"Microsoft.Windows.Sensors.WinRTLayer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f9e3c95-12d4-07ff-c826-3be57c0bc90d}","name":"Microsoft.Windows.Devices.SerialCommunication","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7ba6910b-016f-43e1-97de-8a0f761e7c23}","name":"Microsoft.Windows.Security.SmartCards.WindowsDevicesSmartCardsDll","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{448ea390-e468-4973-9bbd-3caa4f031209}","name":"Microsoft.Windows.Nfc.SmartCard","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3b36be75-d30a-4dca-ad28-d9d162e03a6a}","name":"Microsoft.Windows.Power.RtApi","group":""},{"guid":"{221a8b88-4fb1-4d57-8027-3b148b43c8b9}","name":"Windows.Gaming.Input","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dc54214a-50dd-486a-b176-abea2423b4d8}","name":"Microsoft.Windows.Gaming.Preview.GamesEnumeration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2427eb68-ae18-445a-bb44-5be928a4b621}","name":"Microsoft.Windows.GameBarApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e775a461-8a31-5f40-a05f-f014fc161eb4}","name":"Microsoft.Windows.Globalization.Language","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{85e12ac1-9112-55d4-6469-58455c1126fd}","name":"Microsoft.Windows.Shell.TextSuggestionApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{613e8728-f1cd-5604-c71c-32ab60d68b11}","name":"Microsoft-Windows-Graphics-WinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{643b8711-d1fe-4daa-8c47-8d2118e2beae}","name":"Microsoft.Windows.Print.MS3DPrintAPI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c6dba857-03f1-5c5b-350c-ef08dbd04572}","name":"Microsoft.Windows.Shell.PrintManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{744372de-ba26-443b-ba10-712c1a041234}","name":"Microsoft.Windows.Print.Workflow.API","group":""},{"guid":"{cae6f32b-2553-5c24-f999-e63dde138b9f}","name":"Microsoft.Windows.Print.WorkFlowRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{15584c9b-7d86-5fe0-a123-4a0f438a82c0}","name":"Microsoft.Windows.Shell.ServiceProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dce1d33d-853d-55d5-1a55-20ad7ca1d403}","name":"Microsoft.Windows.AdaptiveCards.InternalRenderer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eb827eda-87da-59ae-35d0-b28b32815af0}","name":"Microsoft.Windows.Shell.Desktop.CapturePickerItemProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7e9ced67-c799-5bdd-a487-e5eb6df70088}","name":"Microsoft.Windows.Shell.CapturePicker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6d52b4f9-62b0-47dc-b4df-8229cf874503}","name":"Windows.Internal.Feedback.Analog.BrokeredApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec1cdef8-3813-41eb-9e19-7bbfe6c5a145}","name":"HeadTracker","group":""},{"guid":"{f8056f5c-6c6f-4727-9f29-efdf39520c0f}","name":"Microsoft.Windows.DeviceManagement.dmEnrollment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{82add491-01d7-4b85-9ead-192c3caaca23}","name":"Microsoft-Windows-Provisioning-API","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99caa292-62e0-4e8a-889e-fe3a3b2ac2e8}","name":"Microsoft.Windows.Management.ConfigurationSession","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{60f735be-c2f1-4b42-8b19-c48c8bf7f6a7}","name":"Microsoft.Windows.Management.MdmSync","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5003f994-2f1d-51dc-20ca-653248c90a6a}","name":"Microsoft.Windows.PlatformExtensions.DevicePickerExperience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{26d3a140-5bf3-4079-b2dd-75072f83a5ba}","name":"Microsoft.Windows.PlatformExtensions.MiracastBannerExperience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6e3ac38e-955e-5467-492b-dc045c9743a9}","name":"Microsoft.Windows.Internal.PredictionUnit","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{28715ca3-c574-50cb-9af0-b2ee8b3802ee}","name":"Microsoft.Windows.Oct.Api","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{36f1d421-d446-43ae-8aa7-a4f85cb176d3}","name":"Microsoft.Windows.UI.Shell.StartUI.WinRTHelpers","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c0f1d44d-efea-4cc3-a68b-d7a3af9ec850}","name":"Microsoft.Windows.Shell.JumpView","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0071f61e-71ab-44e1-9d2d-95a46f3ba2be}","name":"Microsoft.Windows.PlatformExtensions.AccountsControlExperience","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{659ec1b4-c023-5e54-9278-d922370ff05e}","name":"Microsoft.Windows.Signals","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{17bc862c-6db8-49a7-945d-9f101535416f}","name":"Microsoft.Windows.Management.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6263bde9-33ae-4c30-b2a1-ed90da5f2295}","name":"Microsoft.Windows.Management.Autopilot","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0d641fb9-a0e3-42e3-9e9d-501d33a6fa79}","name":"Microsoft.Windows.Media.Audio.AudioGraph","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f8942e2-66b4-5650-8cf1-de723ca48565}","name":"Microsoft.Windows.Audio.XAudio2.81","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3a2e5a5c-9cac-5e49-f93a-fbe76451b4ad}","name":"Microsoft.Windows.MediaFoundation.BackgroundMediaPlayback","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e529e738-f09e-5226-9f15-b5ec2d9e80be}","name":"Microsoft.Windows.Audio.Effects","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7cffb6e3-de5a-572a-9ece-998321af6e81}","name":"Microsoft.Windows.MediaFoundation.MediaPlaylist","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{afbd9bfb-785c-515d-8ede-c31081bf8872}","name":"Microsoft.Windows.MediaFoundation.MediaTranscode","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3ff44415-ee99-4f03-bc9e-e4a1d1833418}","name":"Microsoft.Windows.MediaFoundation.MediaCapture","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1d988eb8-0133-5903-ae68-4d44ea8abb85}","name":"Microsoft.Windows.MediaFoundation.AdaptiveMediaSource","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1123dc81-0423-4f27-bf57-6619e6bf85cc}","name":"Microsoft.Windows.Media.Editing","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{de6d3d9e-418c-5a5d-e225-c826855cb99b}","name":"Microsoft.Windows.Media.Import.PhotoImport","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7ceded3a-7359-5861-5b43-1959577103e4}","name":"Microsoft.Windows.Smtc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6ee36d33-0d93-4098-8ff9-d8c5635abefd}","name":"Microsoft.Windows.Mirage.MixedRealityCapture","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8f292689-91d4-5127-d122-8b637f9b671b}","name":"Microsoft.Windows.WinOCR.OCR","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9af106fc-dc26-42e1-a0f1-0c538f78f553}","name":"PlayReadyITA","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f84ceeac-399a-598b-bf51-903ed91d881c}","name":"Microsoft.Windows.Media.SpeechRecognition.WinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{614f2573-da68-5a1b-c2c6-cba6de5de7f8}","name":"Microsoft.Windows.Media.Speech.Internal.SoundController.WinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4331556e-1bcb-5b8f-1fb6-0896d9ab2afb}","name":"Microsoft.Windows.Media.SpeechSynthesis.WinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{36947feb-9c1b-569e-1728-bfd47470bbbb}","name":"Windows.Media.Speech.VoiceCommands.Telemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46f27ed9-a8d6-5c0c-8c30-6e846b4c4e46}","name":"Windows.ApplicationModel.VoiceCommands.VoiceCommandServiceConnection","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1f930301-f484-4e01-a8a7-264354c4b8e3}","name":"Microsoft.Windows.Cast.Dlna","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d1e82114-4279-58b2-3e8c-4029990a68c6}","name":"Microsoft.Windows.Analog.Perception.RenderingDiagnostics","group":""},{"guid":"{a94b7111-450d-598c-6aa3-6a7619e93e0d}","name":"Microsoft.Windows.Analog.FloorFinder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99c9988d-2185-5021-a21d-7a863b8a1a10}","name":"Microsoft.Windows.Networking.BackgroundTransfer.BackgroundManagerPolicy","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f5fc3591-3651-415b-b8e0-ad0152089992}","name":"Microsoft-Windows-Networking-BackgroundTransfer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5a8a94f3-249f-49f8-86d1-e6527c80622b}","name":"Microsoft.Windows.NetworkInformation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5a5d74f5-4a16-4f3d-93a7-ad82c75de04f}","name":"Microsoft.Windows.Cellcore.Lpa.WinRT","group":""},{"guid":"{7c970fc8-dae6-4b89-8bbf-294ee1c4a79d}","name":"Microsoft.Windows.Networking.VPNPlugin.WinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5d466dd9-9294-5333-b680-eb4936c47c6e}","name":"Microsoft.Windows.Payments.WinRT","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e6852bc9-a7b6-4127-ac15-8d5c50be9bd7}","name":"Microsoft.Windows.PerceptionApi.Stub","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{36ff4c84-82a2-4b23-8ba5-a25cbdff3410}","name":"Microsoft.Windows.Security.DevCredWinRt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4b812e8e-9dfc-56fc-2dd2-68b683917260}","name":"Microsoft.Windows.Security.CredentialPicker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{507c53ae-af42-5938-aede-4a9d908640ed}","name":"Microsoft.Windows.Security.Credentials.UserConsentVerifier","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f0c781fb-3451-566e-121c-9020159a5306}","name":"Microsoft.Windows.SharedPC.AccountManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e47d4689-eb07-4a9a-9c53-52b967c2b5bd}","name":"Microsoft.Windows.AccountManager.UserModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{369f0950-bf83-53a7-b3f0-771a8926329d}","name":"ServiceHostBuilder","group":""},{"guid":"{312326fa-036d-4888-bc77-c3de2ff9ae06}","name":"Microsoft.Windows.StateRepository.Broker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a89336e8-e6cf-485c-9c6a-ddb6614f278a}","name":"Microsoft.Windows.StateRepository.Client","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{80a49605-87cb-4480-be97-d6ccb3dde5f2}","name":"Microsoft.Windows.StateRepository.Upgrade","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{bff15e13-81bf-45ee-8b16-7cfead00da86}","name":"Microsoft-Windows-AppModel-State","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a40b455c-253c-4311-ac6d-6e667edccefc}","name":"Microsoft.Windows.Shell.CloudFilesAggregate","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{372e8999-7d93-5961-0479-d472d9fe23f7}","name":"Microsoft.Windows.HVSI.AppLauncher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4294747d-ee30-5fa6-a82f-3467fdf6f30f}","name":"Microsoft.Windows.HVSI.FileTrust","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f85b4793-1347-5620-7572-b79d5a28da82}","name":"Microsoft.Windows.Shell.DataLayer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e0142d4f-9e39-5b3b-9deb-8b576025ff5e}","name":"Microsoft.Windows.CentennialActivation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{346d1079-24e3-5e7d-b93b-1806e4774512}","name":"Microsoft.Windows.WindowsStorageOneCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{783f30af-5514-51bc-5b99-5d33b678539b}","name":"Microsoft.Windows.Shell.StorageSearch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1a6e901d-124c-441c-8c8e-bf8c3ae2fe11}","name":"Windows.System.Diagnostics.Telemetry.PlatformTelemetryClient","group":""},{"guid":"{bd0a6a9f-74cf-4117-85b9-dda5f3f73214}","name":"Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions","group":""},{"guid":"{767f708a-096b-4930-b518-313844360af7}","name":"Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings","group":""},{"guid":"{1d0a3e07-4587-52a6-9802-b0e44c2e08a8}","name":"Microsoft.Windows.System.SysAdmin","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{628cd108-ad48-4db0-b286-1a55a14022a7}","name":"Windows.System.UserProfile.DiagnosticsSettings","group":""},{"guid":"{67c7cabc-6a86-4f15-ace8-596cb87f0a72}","name":"Microsoft.Windows.Shell.AppDefaults.PackageIteratorWrapper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{140cb1cd-7160-4d9c-893e-b61ccdcee1c1}","name":"Microsoft.Windows.Shell.SystemSettings.AppsForWebsites","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{df350158-0f8f-555d-7e4f-f1151ed14299}","name":"Microsoft.Windows.BioFeedback","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{41ad72c3-469e-5fcf-cacf-e3d278856c08}","name":"Microsoft.Windows.BlockedShutdown","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ab7e1fbf-4623-5160-7d97-83167cf2bd39}","name":"Microsoft.Windows.Input.Windows_UI_Core_Textinput","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{24532ca4-409f-5d6c-3ded-e11946573f56}","name":"Microsoft.Windows.CredUXController","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6526f614-834f-46a9-8f4f-fab6c211888d}","name":"Windows.ApplicationModel.CoreWindow","group":""},{"guid":"{d5369bbd-87fb-490a-8480-12798a2d18fa}","name":"Microsoft.Windows.UI.InteractiveObject","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ee818f02-698c-48be-8ff2-326c6dd34db5}","name":"SystemInitiatedFeedbackLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2888e8eb-2e0d-40db-82de-cef312d84ed4}","name":"Microsoft.Windows.Shell.WindowsUIImmersiveProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{239d82f3-77e1-541b-2cbc-50274c47b5f7}","name":"Microsoft.Windows.Shell.BridgeWindow","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e49b2c1a-1ad0-505c-a11a-73dba0c60f50}","name":"Microsoft.Windows.Shell.Theme","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f8e28969-b1df-57fa-23f6-42260c77135c}","name":"Microsoft.Windows.ImageSanitization","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{46668d11-2db1-5756-2a4b-98fce8b0375f}","name":"Microsoft.Windows.Shell.Windowing.LightDismiss","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9dc9156d-fbd5-5780-bd80-b1fd208442d6}","name":"Windows.UI.Popups","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1941de80-2226-413b-afa4-164fd76914c1}","name":"Microsoft.Windows.Desktop.Shell.WindowsUIImmersive.LockScreen","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d3f64994-cca2-4f97-8622-07d451397c09}","name":"MicrosoftWindowsShellUserInfo","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{fcad1076-c04f-4482-9a03-b5a37be6712d}","name":"InkAnalysisLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2d52a580-4664-556b-972f-afa5b3b9964e}","name":"Microsoft.Windows.Ink.InkManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{63897ce1-289c-4fcc-aff8-cafff43eeaf2}","name":"Microsoft.Windows.Ink.Eraser","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ee8fdba0-14d6-50ec-a17a-33f388f21065}","name":"Microsoft.Windows.UI.Input.Inking.DirectInk","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{89c72269-fb41-5e41-a17a-6595df57dad4}","name":"Microsoft.Windows.UI.Input.Inking.TraceLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ec63acb7-e6ab-4d0e-96f1-13456336a29c}","name":"Microsoft.Windows.Ink.DirectInk.InkPresenterRuler","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{176cd9c5-c90c-5471-38ba-0eeb4f7e0bd0}","name":"Microsoft.Windows.UI.Logon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a6c5c84d-c025-5997-0d82-e608d1abbbee}","name":"Microsoft.Windows.CredentialProvider.PicturePassword","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a75a574d-b3bb-434a-8482-b8f160ae4345}","name":"Microsoft.Windows.NetworkUXController","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5512152d-88f8-5f1e-ed9f-6412175a39dc}","name":"Microsoft.Windows.UI.PicturePassword","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{afe0ae07-66a7-55bb-12ff-01116bc08c1b}","name":"Windows.UI.Xaml.Controls.Debug","group":""},{"guid":"{f55f7011-988d-4674-a724-e01b39dc7af7}","name":"Windows.UI.Xaml.Controls.Perf","group":""},{"guid":"{21e0ae07-56a7-55b5-12f9-011e6bc08ccb}","name":"Windows.UI.Xaml.Controls","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{832fe0f9-2e6f-5ec4-0523-7aab0a32c936}","name":"Microsoft.Windows.UI.XAML.Input","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ddab1a3b-aadc-5f95-964f-d227b08f13c2}","name":"Microsoft.Windows.Ink.InkOnText","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a6f1ccb9-b6b7-40db-a3de-103ea1d38062}","name":"Microsoft.Windows.Ink.InkSamplesData","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a9813670-eed8-4e92-a2ff-6583c6734c93}","name":"Windows.UI.Xaml.InkControls","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8d5fa2c8-70d1-5495-8f4f-25ba174930bd}","name":"Microsoft.Windows.DXaml.InkControls","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a9813670-eed8-4e92-a2ff-6583c6734c93}","name":"Windows.UI.Xaml.Maps","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a9813670-eed8-4e92-a2ff-6583c6734c93}","name":"Windows.UI.Xaml.Phone","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{91fa71ae-c399-5de0-de6f-5b728993ccf1}","name":"Microsoft.Windows.XamlHostLogger","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b5361807-6783-4295-a34e-a714865cccee}","name":"Microsoft.Windows.Web.HttpClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7c29709d-3c02-47fb-8a39-d8287522fadb}","name":"Microsoft.Windows.Graphics.WindowsCodecs","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d24afecc-4f90-45f1-b384-d6f960745274}","name":"Microsoft.Windows.CapImg","group":""},{"guid":"{3686a7c1-8c7a-442d-ae1c-b498470968c2}","name":"Microsoft.Windows.HVSI.CSP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{096f44f8-082d-5f73-0bb4-07686ec7a7d2}","name":"Microsoft.Windows.ComposableShell.Framework.ComposerFramework","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3ad911fa-ef91-520f-b592-f81445ff373b}","name":"Microsoft.Windows.ComposableShell.Framework.ComposerFramework.HardwareManagement","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b781b9cc-9bcc-486c-a036-d7bf98040a6b}","name":"Microsoft.Windows.Wpr.Wprc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b5651691-cba4-572d-af20-da83df3573db}","name":"Microsoft.Windows.HypervisorPlatform.Tracing","group":""},{"guid":"{1a211ee8-52db-4af0-bb66-fb8c9f20b0e2}","name":"Microsoft.OSG.Web.WinInet","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{98177d7f-7d3a-51ef-2d41-2414bb2c0bdb}","name":"Microsoft.Windows.Security.Wininit","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9c09afa4-969d-535c-60db-43f0f6de257d}","name":"Microsoft.InformaionProtection.RMS.MSIPC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b39b8cea-eaaa-5a74-5794-4948e222c663}","name":"Microsoft.Windows.Security.Winlogon","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d766d9ff-112c-4dac-9247-241cf99d123f}","name":"Microsoft.Windows.WinML","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c69cb70a-3133-4cca-ab0e-046848effcda}","name":"Microsoft.Windows.Print.Winspool","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6035d7f9-6e24-44bf-b540-3ade030d001a}","name":"Microsoft.Windows.Csrss.WinSrvExt","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d33e545f-59c3-423f-9051-6dc4983393a8}","name":"winsta","group":""},{"guid":"{4e7add1a-6945-435a-82b6-612688ba9f57}","name":"WinTypeTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b57f5bf8-9486-51f5-25d0-81e66ff5ea46}","name":"Microsoft.Windows.MetadataResolution.NamespaceResolution","group":""},{"guid":"{ab9ebce4-fe7f-4dab-ace8-b28af18ec32d}","name":"WlanMSM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f4190f32-f96e-479c-a45d-d485cffe42e6}","name":"Microsoft.Windows.Networking.Wlan.Msmsec","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0b9b891e-ff74-49ac-a582-4c58bdf12d8b}","name":"Wlansvc","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4f28a611-e7f9-4fa6-8bf1-8698d06336e9}","name":"Microsoft.Windows.WiFi.Diag","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9a2edb8f-5883-499f-aced-6e4b69d43ddf}","name":"WldpTraceLoggingProvider","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{596426a4-3a6d-526c-5c63-7ca60db99f8f}","name":"Microsoft.Windows.WindowsMediaPlayer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ed2c1ccc-a5ec-5cea-ef9a-88905c5d4950}","name":"Microsoft.Windows.MediaFoundation.WMVDecoder","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c906ed7b-d3d9-435b-97cd-22f4e7445f2a}","name":"Microsoft.Windows.WorkFolders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ebed161a-909d-4f6b-a368-a28ad2c00051}","name":"Microsoft.Windows.OneSettingsClient","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0eb5d084-6594-56c7-3885-b8841baf9d48}","name":"Microsoft.FamilySafety.UI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1c5db447-7734-42ad-a940-7365dabe0990}","name":"Microsoft.FamilySafety.ActivityEvents","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{11c45211-19ed-589b-547e-0efd9ecedc6d}","name":"Microsoft.Windows.FamilySafety.ScreenTime","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2d617ccf-25cb-5351-d434-82c4dfa19059}","name":"Microsoft.FamilySafety.Sync","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f01e66c7-3939-5ee2-ddb3-399cfeead698}","name":"Microsoft.Windows.Shell.Wpd","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2fdb1f25-8de1-4bc1-bac2-e445e5b38743}","name":"Microsoft.Windows.Notifications.WpnApps","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1870fbb0-2247-44d8-bf46-b02130a8a477}","name":"Microsoft.Windows.Notifications.WpnApis","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c8153845-2370-4820-b07e-416c7806e123}","name":"Microsoft.Windows.TileDeveloperAPIsTelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b92d1ff0-92ec-444d-b7ec-c016f971c000}","name":"Microsoft.Windows.Notifications.WpnCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0fffb788-b827-4730-ad87-f48da61795cd}","name":"Microsoft.Windows.Notifications.WnsCP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ee845016-ebe1-41eb-be52-5e3ae58339f2}","name":"WNSCP","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{833c9bbd-6422-59cb-83bb-c695934a0cf5}","name":"Microsoft.Windows.PerProcessSystemDpi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d0f1a5c6-fc43-48ae-99bf-efb1c38be9d1}","name":"Microsoft-Windows-Winsock2","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{29b47072-00ff-4d9d-852d-0eafc181a9a3}","name":"Microsoft.Windows.WSD.WSDApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{35d62ec7-6419-4d8d-b314-a2441d169fb5}","name":"Microsoft.Windows.WSD.WsdChngr","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a0c4a2e1-ef83-439e-92d6-0e40eabe8b34}","name":"Microsoft.Windows.Storage.FileServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{49f59745-7f56-4082-a01a-83bc089d1add}","name":"Microsoft.Windows.Health","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{97a22197-db89-42de-a77c-7501534729fe}","name":"Microsoft.Wdf.Companion.Host","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{84a5010c-3fd1-499f-885f-7ccb03bfde8d}","name":"Microsoft.Wdf.UMDF.Host","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{15de6eaf-ee08-4de7-9a1c-bc7534ab8465}","name":"Microsoft.Wdf.UMDF.FxV1","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8ad60765-a021-4494-8594-9346970cf50f}","name":"Microsoft.Wdf.UMDF.Fx","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ac865f6d-84b9-4ada-8e46-fd61eb7448da}","name":"WWAHostTraceLogging","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{86b9d85c-edb3-4775-8192-fb78ba22cfc6}","name":"Microsoft.Windows.CellCore.MobileBroadband.MBNApi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45b3ce29-106e-528d-878f-6b34d02e1fc8}","name":"Microsoft-Windows-Desktop-Shell-WWAN-OOBE","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5a454db4-0839-4ee5-8157-1e54f6eef842}","name":"Microsoft.Windows.CellCore.MobileBroadband.Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{af5c9658-6b92-4f83-8b6a-1447549fb878}","name":"Microsoft.Xbox.AuthManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{57a77336-f39e-4fe3-9bd7-ab58696e5000}","name":"Microsoft.Xbox.NetworkTransferManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{514775e1-fa95-459f-b6d4-b86ad1c5b49e}","name":"Microsoft.Windows.Networking.XboxLive.SecureSockets","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1878b8a3-2425-417b-a0c8-7b567652d45c}","name":"Microsoft.Windows.XInput1_4","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a36919e0-4940-4280-bdaf-446877fe5cbe}","name":"Microsoft.XInputUap","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{095da8da-2182-5c9a-53cd-07eca93a04ef}","name":"Microsoft.Windows.Print.XpsDocumentTargetPrint","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0a82e916-4637-4998-83bf-8b0f4792a7c9}","name":"Microsoft.Windows.Print.XGC","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{ddf2cc14-a470-4449-ab03-f8b95fc8294b}","name":"Microsoft.Windows.Print.XpsPrint","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f5ee7f70-d686-479e-a4dd-91433dbf301e}","name":"Microsoft.Windows.Maps.ZTrace","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5c3e3aa8-3ba4-43cd-a7de-3bf5f70f9ca4}","name":"Microsoft.Windows.Shell.TextInput.InputPanel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f917a1ee-0a04-5157-9a8b-9ba716e318cb}","name":"Microsoft.Windows.ClipboardHistory.UI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{7afc2639-a7e9-5fb6-92f0-ef2fe1751103}","name":"Microsoft.Windows.Shell.SyncPartnership","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6f0783ec-d7cd-4f82-bca8-1afb56792c77}","name":"Microsoft.Windows.AsyncTextService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a55d5a23-1a5b-580a-2be5-d7188f43fae1}","name":"Microsoft.Windows.Shell.BioEnrollment","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f2018623-63ac-5837-7cfb-f67ec5c39961}","name":"Microsoft.Windows.Shell.CredDialogHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e7192f96-e81e-4212-af9f-fdebecaab722}","name":"Microsoft.Windows.Input.GazeUITelemetry","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b2149bc3-9dfd-5866-92a7-b556b3a6aed0}","name":"Microsoft.Windows.Shell.DefaultLockApp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cc8b5a2a-297c-5dfd-1eec-c7bcdec2f7ae}","name":"Microsoft.Windows.Shell.MtcViewModel","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{425af0d6-253a-49e6-8e41-c7c9849bb397}","name":"Microsoft.Windows.App.Browser.Analytics","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{8314a32f-6144-4909-949d-91c8bb9eed9e}","name":"Windows.PdfReader","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3b47c115-3006-5621-8599-7c5d8b83a0ec}","name":"Microsoft.Windows.Cast.MiracastReceiverXaml","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{367d1466-64fd-51c2-08d1-d6adaa782549}","name":"Microsoft.Windows.Cast.MiracastReceiverApplication","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9fb2567b-3978-56f3-df3d-ac4c0a60e2a2}","name":"Microsoft.Windows.Cast.MiracastReceiverCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{03eee74c-cacc-56b0-59c7-9e14f162a5d2}","name":"Microsoft.Windows.Cast.MiracastReceiverProjection","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{c1ecefb7-e831-599c-582e-3ddb0b9c1f14}","name":"Microsoft.Windows.Cast.MiracastIngestModule","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9e55bad3-bc33-5597-57f8-4405c0251507}","name":"Microsoft.Windows.Cast.MiracastReceiverInputModule","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{cb205507-3a73-565d-1eea-4ad4fe1a0e22}","name":"Microsoft.Windows.Projection.WiredTouchbackInputManager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2afc7cc8-54f1-5454-e893-053286f909be}","name":"Microsoft.Windows.Cast.MiracastHidInputGenerator","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{32da0980-2f98-5ab9-f93b-67ce6b46a8b8}","name":"Microsoft.Windows.Shell.AddSuggestedFoldersToLibraryDialog","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5d93d94b-7362-47ea-8824-63de1683fc4f}","name":"Microsoft.Windows.Shell.AssignedAccessLockApp","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a5e3b77c-1a36-4f74-918e-9c928f7f0595}","name":"Microsoft.Windows.Shell.Components.Calling","group":""},{"guid":"{a5347b8a-3c9c-4f07-9440-1e0c5cfcc9d0}","name":"Microsoft-Windows-Telephony-CallingShellPresenters","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4be7b04b-179f-47cb-b6d9-b58ceef35be7}","name":"Microsoft.Windows.Apps.PhoneShellUi","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d0034f5e-3686-5a74-dc48-5a22dd4f3d5b}","name":"Microsoft.Windows.Shell.CloudExperienceHost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{236aa069-3998-5ebc-e1ab-255eae1d59c5}","name":"Microsoft.Windows.FeatureConfiguration","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{dc78ea1d-0cc0-59fa-e062-0c4b810ea1cc}","name":"Microsoft.Windows.WilFeatures","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1f61b204-c3df-5f16-8ab9-cfc8d1fdc5f5}","name":"Microsoft.Windows.ContentManagementSDK","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{880e5d98-55d3-50c7-f8b7-b1feafdb7fd2}","name":"Microsoft.Windows.AppTelemetryMetadata","group":""},{"guid":"{f4aafa99-9f2a-53e5-3b32-ad9fb178f27f}","name":"Microsoft-Windows-Shell-CortanaSpeechPlatform","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{70400dee-6c5b-5209-4052-b9f8cf41b7d7}","name":"Microsoft.Windows.ReactiveAgentFramework","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d8caafb9-7211-5dc8-7c1f-8027d50640ec}","name":"Microsoft.Windows.Shell.CortanaSignals","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9b3fe00f-dac4-4437-a77b-de27b87046d4}","name":"Microsoft.Windows.Shell.CortanaSettings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{32d301bb-dc0f-5c78-8787-6f9580648baa}","name":"Microsoft-Windows-Shell-CortanaCSU","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4c330fff-c5a3-4fb2-9d06-8e6d17d870bb}","name":"Microsoft.Windows.Shell.CortanaSpa","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{01848a9c-1c29-5ceb-18d3-b3dd1eb945f2}","name":"Windows.Cortana.NlFacilities","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2aedc292-3fa5-472a-8eb4-33978d449853}","name":"Microsoft.Windows.Shell.CortanaSync","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{92f43f71-2741-40b2-a566-70eebcf2d181}","name":"Microsoft-Windows-Shell-CortanaValidation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1b501233-07e5-4ac3-b3eb-faed7dadd9dc}","name":"Microsoft.Windows.Shell.CortanaBluetooth","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1fcc7068-9055-45c2-b98c-c2261e3b1518}","name":"Microsoft.Windows.Shell.Cortana.PlacesServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6a94aa20-3a78-4af8-9960-97356365ff34}","name":"Microsoft.Windows.Shell.Cortana.PlaceStore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6326ccfb-aa7e-4f3b-8a39-c7e350f8c85c}","name":"Microsoft-Windows-Shell-CortanaVaReminders","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9ab51436-e5a1-54a9-6812-1117a46bc568}","name":"Microsoft.Windows.Cortana.VoiceAgent.VoiceCommand","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{59b03bfe-81f7-5749-0e6a-1f7ad5a0de1a}","name":"Microsoft.Windows.Shell.CortanaVaEmail","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2012017d-3386-5354-d5fd-9d311cfc3a5c}","name":"Microsoft.Windows.Shell.CortanaInkNotes","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{6223d4a4-b778-47cd-964b-c9705edd36fb}","name":"Microsoft.Windows.Shell.Cortana.Rules.WNS","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{e63d07ea-c8cf-4886-9798-a5b2309523ba}","name":"Microsoft.Windows.Shell.CortanaPenLongPress","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{12b1f569-a6b1-5ceb-9f3b-b0d76f569f7f}","name":"Microsoft.Windows.Audio.MicWizHelper","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5b7144a2-f0f6-4f99-a66d-fb2477e4cee6}","name":"Microsoft.Windows.Shell.CortanaPlaces","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b9ca7b47-8bad-5693-9481-028527614d30}","name":"Microsoft.Windows.Shell.CortanaNotebook","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{66f03b1f-1aec-5184-d349-a81761122be4}","name":"Microsoft.Windows.Shell.CortanaHome","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{79216333-1203-4c7b-a9f8-a0a0b69502e2}","name":"Microsoft.Windows.Shell.CortanaVaCaptureAndBroadcast","group":""},{"guid":"{ad0971eb-d60f-4071-a1d7-d08e34a16b4d}","name":"Microsoft.Windows.Shell.CortanaVaGlobalShell","group":""},{"guid":"{4d7e4a1b-197b-42ea-bb14-ca022484286e}","name":"Microsoft.Windows.Shell.CortanaVaMediaControl","group":""},{"guid":"{b66504df-e8df-43af-b316-ac60c23e3430}","name":"Microsoft-TextEntityExtractor","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9c2be007-6b96-59cd-6af0-f35d12c81365}","name":"Microsoft-Windows-Shell-CortanaVaStartMenu","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{d173c6af-d86c-5327-17b8-5dcc03543da5}","name":"Microsoft.Windows.Mobile.Shell.FileExplorer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f401924c-6fb0-5abb-be79-b010fb9ba7d4}","name":"Microsoft.Windows.Shell.FilePicker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4fab096b-c7c1-5e77-c136-7c57122d3163}","name":"Microsoft.Windows.Defender.App","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2ab3a3cd-f771-4530-a065-a846d50a03b5}","name":"Microsoft.Windows.Graphics.D3D8","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{3d7a8e5f-0b44-432c-a0ce-b92f585a2ffe}","name":"Microsoft.Windows.Graphics.D3D7","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{f1c13488-91ac-4350-94de-5f060589c584}","name":"Microsoft.Windows.Shell.LockScreenBoost","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{877ee62a-d19d-4ffd-8f85-6977f1f4cf2a}","name":"Microsoft.OneDrive.Sync.Setup","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{561bf4f9-44e3-5408-d19d-11d5272b125a}","name":"Microsoft.OneDrive.Sync.Client","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{f5168a2d-1104-466a-988a-def1a9ee2863}","name":"Microsoft.Windows.TextInput.CandidateSearch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{287f6c83-0e11-5bcf-1acd-18f7edb17672}","name":"Microsoft.Windows.TextInput.ToolBar","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{99a78d84-d872-50ef-6e7d-10a65338ffd1}","name":"Microsoft.Windows.Shell.InkLinguisticData","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{44fd5187-4cf5-42ed-a830-af0f1f63ece0}","name":"Microsoft.Windows.Scan.InboxTwainDsm","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{45887188-0c92-491c-8754-1781a5f79573}","name":"Microsoft.Windows.WinHlp32","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2ed5c5df-6026-4e25-9fb1-9a08701125f3}","name":"Microsoft.Windows.HyperV.VMBus","group":""},{"guid":"{51ddfa29-d5c8-4803-be4b-2ecb715570fe}","name":"Microsoft-Windows-Hyper-V-Worker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{a572eeb4-c3f7-5b0e-b669-bb200931d134}","name":"Microsoft.Windows.HyperV.Worker.VmbusPipeIO","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{67dc0d66-3695-47c0-9642-33f76f7bd7ad}","name":"Microsoft.Windows.Hyper-V.VmSwitch","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{2174371b-d5f6-422b-bfc4-bb6f97ddaa84}","name":"Microsoft.Windows.HyperV.Storage","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{4ddf50d0-75de-4fbe-8f08-f8936638e7a1}","name":"Microsoft.Windows.HyperV.Management","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{06c601b3-6957-4f8c-a15f-74875b24429d}","name":"Microsoft.Windows.HyperV.Worker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e01db5e-1944-5314-c040-c90b965ea3d3}","name":"Microsoft.Windows.HyperV.Worker.MemoryManager","group":""},{"guid":"{7568b40b-dc66-5a30-55a1-d0ef61b56ac8}","name":"Microsoft.Windows.HyperV.Worker.Intercepts","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{22267b1c-b979-5c81-9e24-0db386a62dd1}","name":"Microsoft.Windows.Containers.Setup","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{35862f23-8c60-473f-a6a2-f1cf722d140c}","name":"Microsoft.Windows.Containers.DisposableVM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{74c975b8-6693-4aef-a440-13a4def639a6}","name":"Microsoft.Windows.Containers.ImageWorker","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{9d911ddb-d45f-41c3-b766-d566d2655c4a}","name":"Microsoft.Windows.Containers.Manager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{1c96fbdb-6ea8-4255-815d-a101ea589b14}","name":"Microsoft.Windows.ShellLauncher","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0c885e0d-6eb6-476c-a048-2457eed3a5c1}","name":"Microsoft-Windows-Host-Network-Service","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{106e9835-2e81-5341-fd84-ab263098e7d3}","name":"Microsoft.Windows.HVSI.Settings","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{31a02453-ca69-48d4-a17e-97d08518f45c}","name":"Microsoft.Windows.HVSI.ContainerService","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{73f342c6-2434-4b8b-82e3-41838ed29f72}","name":"Microsoft.Windows.IIS.FTPServer","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{92c65170-4121-4246-9730-e37c1cc83dc2}","name":"Microsoft.Windows.IIS.WebDAV","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{754e4536-6735-4194-be81-1374bd2e9b0d}","name":"Microsoft.Windows.Subsystem.Adss","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0cd1c309-0878-4515-83db-749843b3f5c9}","name":"Microsoft.Windows.Subsystem.LxCore","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{b99cdb5a-039c-5046-e672-1a0de0a40211}","name":"Microsoft.Windows.Lxss.Manager","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{0451ab4f-f74d-4008-b491-eb2e5f5d8b89}","name":"Microsoft.Windows.Lxss.Heartbeat","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{204ae8f0-42f7-4a13-97cd-b490927cb725}","name":"Microsoft.Windows.VGPU.RDVGM","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{eb22bd6c-fa62-4bff-81c5-baf66338eafc}","name":"Microsoft.Windows.BootFileServicingAI","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5e30c57a-8730-4809-945e-0d5df7aa58e5}","name":"Microsoft.ClientLicensing.InheritedActivation","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{5fc48aed-2eb8-4cd4-9c87-54700c4b7b26}","name":"CbsServicingProvider","group":"c7de053a-0c2e-4a44-91a2-5222ec2ecdf1"},{"guid":"{163624ca-6de7-4614-a43f-dcffa869fb7b}","name":"Microsoft.Windows.SMB.SRV","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"},{"guid":"{535caa1e-5771-5888-887a-15eaab1580e1}","name":"Microsoft.Windows.ComCtl","group":"4f50731a-89cf-4782-b3e0-dce8c90476ba"}] ================================================ FILE: SystemInformer/resources/pooltag.txt ================================================ // // Copyright (C) Microsoft. All rights reserved. // rem rem Pooltag.txt rem rem This file lists the tags used for pool allocations by kernel mode components rem and drivers. rem rem The file has the following format: rem - - rem rem Pooltag.txt is installed with Debugging Tools for Windows (in %windbg%\triage) rem and with the Windows DDK (in %winddk%\tools\other\platform\poolmon, where rem platform is amd64, i386, or arm). rem @GMM - - (Intel video driver) Memory manager @KCH - - (Intel video driver) Chipset specific service @MP - - (Intel video driver) Miniport related memory @SB - - (Intel video driver) Soft BIOS _ATI - - ATI video driver _LCD - monitor.sys - Monitor PDO name buffer 8042 - i8042prt.sys - PS/2 keyboard and mouse AdSv - vmsrvc.sys - Virtual Machines Additions Service ARPC - atmarpc.sys - ATM ARP Client ATMU - atmuni.sys - ATM UNI Call Manager Atom - - Atom Tables Abos - - Abiosdsk AcdM - - TDI AcdObjectInfoG AcdN - - TDI AcdObjectInfoG AcpA - acpi.sys - ACPI arbiter data AcpB - acpi.sys - ACPI buffer data AcpD - acpi.sys - ACPI device data AcpE - acpi.sys - ACPI embedded controller data AcpF - acpi.sys - ACPI interface data Acpg - acpi.sys - ACPI GPE data Acpi - acpi.sys - ACPI generic data AcpI - acpi.sys - ACPI irp data AcpL - acpi.sys - ACPI lock data AcpM - acpi.sys - ACPI miscellaneous data AcpO - acpi.sys - ACPI object data AcpP - acpi.sys - ACPI power data AcpR - acpi.sys - ACPI resource data AcpS - acpi.sys - ACPI string data Acpt - acpi.sys - ACPI table data AcpT - acpi.sys - ACPI thermal data AcpX - acpi.sys - ACPI translation data Adap - - Adapter objects Adbe - - Adobe's font driver ADPT - acpipagr.sys - Processor Aggregator Driver AECi - - filter object interface for MS acoustic echo canceller Afd? - afd.sys - AFD objects AfdA - afd.sys - Afd EA buffer AfdB - afd.sys - Afd data buffer AfdC - afd.sys - Afd connection structure aFDC - afd.sys - Afd WSK client context aFDT - afd.sys - Afd TL provider context AfdD - afd.sys - Afd debug data AfdE - afd.sys - Afd endpoint structure AfdF - afd.sys - Afd TransmitFile info AfdG - afd.sys - Afd group table AfdI - afd.sys - Afd TDI data AfdL - afd.sys - Afd local address buffer AfdP - afd.sys - Afd poll info AfdQ - afd.sys - Afd work queue item AfdR - afd.sys - Afd remote address buffer AfdS - afd.sys - Afd security info AfdT - afd.sys - Afd transport info AfdW - afd.sys - Afd work item AfdX - afd.sys - Afd context buffer Afda - afd.sys - Afd APC buffer (NT 3.51 only) Afdc - afd.sys - Afd connect data buffer Afdd - afd.sys - Afd disconnect data buffer Afdf - afd.sys - Afd TransmitFile debug data Afdh - afd.sys - Afd address list change buffer Afdi - afd.sys - Afd "set inline mode" buffer Afdl - afd.sys - Afd lookaside lists buffer Afdp - afd.sys - Afd transport IRP buffer Afdq - afd.sys - Afd routing query buffer Afdr - afd.sys - Afd ERESOURCE buffer Afdt - afd.sys - Afd transport address buffer Ahca - ahcache.sys - Appcompat kernel cache pool tag AleD - tcpip.sys - ALE remote endpoint Ala4 - tcpip.sys - ALE remote endpoint IPv4 address Ala6 - tcpip.sys - ALE remote endpoint IPv6 address Alei - tcpip.sys - ALE arrival/nexthop interface cache AleU - tcpip.sys - ALE pend context AleE - tcpip.sys - ALE endpoint context AlLl - tcpip.sys - ALE remote endpoint LRU AlCi - tcpip.sys - ALE credential info AlSP - tcpip.sys - ALE secure socket policy AlPU - tcpip.sys - ALE secure socket policy update AlPi - tcpip.sys - ALE peer info AlP4 - tcpip.sys - ALE peer IPv4 address AlP6 - tcpip.sys - ALE peer IPv6 address AlPT - tcpip.sys - ALE peer target Alep - tcpip.sys - ALE process info AleS - tcpip.sys - ALE token info AleP - tcpip.sys - ALE process image path AleK - tcpip.sys - ALE audit AleA - tcpip.sys - ALE connection abort context AlDN - tcpip.sys - ALE endpoint delete notify AleW - tcpip.sys - ALE enum filter array AleN - tcpip.sys - ALE notify context AlSs - tcpip.sys - ALE socket security context AlPF - tcpip.sys - ALE policy filters AleL - tcpip.sys - ALE LRU AleI - tcpip.sys - ALE token ID AlP5 - tcpip.sys - ALE 5-tuple state AlE5 - tcpip.sys - ALE 5-tuple temp entry Aric - tcpip.sys - ALE route inspection context Adnc - tcpip.sys - ALE endpoint deactivation notification context Acrc - tcpip.sys - ALE connect request inspection context Acrl - tcpip.sys - ALE connect redirect layer data Abrc - tcpip.sys - ALE bind request inspection context Abrl - tcpip.sys - ALE bind redirect layer data AlSm - tcpip.sys - ALE Secondary App Meta Data Afp - - SFM File server AlCI - nt!alpc - ALPC communication info AlEv - nt!alpc - ALPC eventlog queue AlIn - nt!alpc - ALPC Internal allocation AlHa - nt!alpc - ALPC port handle table AlMs - nt!alpc - ALPC message ALPC - nt!alpc - ALPC port objects AlRe - nt!alpc - ALPC section region AlRr - nt!Alpc - ALPC resource reserves AlSc - nt!alpc - ALPC section AlSe - nt!alpc - ALPC client security AlVi - nt!alpc - ALPC view ATmp - AppTag mount point ATon - AppTag object name ATub - AppTag user buffer ATgb - AppTag guid buffer ATac - AppTag ATR command buffer ATdi - AppTag cliendata index buffer ATdt - AppTag cliendata temp buffer ATFb - AppTag file id buffer Aml* - - ACPI AMLI Pooltags APIC - pnpapic.sys - I/O APIC Driver ArbA - nt!arb - ARBITER_ALLOCATION_STATE_TAG ArbL - nt!arb - ARBITER_ORDERING_LIST_TAG ArbM - nt!arb - ARBITER_MISC_TAG ArbR - nt!arb - ARBITER_RANGE_LIST_TAG Arp? - - ATM ARP server objects, atmarps.sys ArpA - - AtmArpS address ArpB - - AtmArpS buffer space ArpI - - AtmArpS Interface structure ArpK - - AtmArpS ARP block ArpM - - AtmArpS MARS structure ArpR - - AtmArpS NDIS request ArpS - - AtmArpS SAP structure Asy1 - - ndis / ASYNC_IOCTX_TAG Asy2 - - ndis / ASYNC_INFO_TAG Asy3 - - ndis / ASYNC_ADAPTER_TAG Asy4 - - ndis / ASYNC_FRAME_TAG AtC - - IDE disk configuration AtD - - atdisk.c ATIX - - WDM mini drivers for ATI tuner, xbar, etc. Atk - - Appletalk transport AtmA - - Atoms AtmT - - Atom tables AtvE - cea_km.lib - Event broker aggregation library. AuxL - - EXIFS Auxlist AzAp - HDAudio.sys - HD Audio Class Driver (Datastore: audio path) AzAd - HDAudio.sys - HD Audio Class Driver (AzPcAudDev) AzCd - HDAudio.sys - HD Audio Class Driver (CodecVendor) AzCE - HDAudio.sys - HD Audio Class Driver (CEAAudioRender) AzCm - HDAudio.sys - HD Audio Class Driver (AzCommon) AzFg - HDAudio.sys - HD Audio Class Driver (Audio Function Group) Azfg - HDAudio.sys - HD Audio Class Driver (datastore: function group) AzJd - HDAudio.sys - HD Audio Class Driver (JackDetector) AzMa - HDAudio.sys - HD Audio Class Driver (Main) AzMi - HDAudio.sys - HD Audio Class Driver (micin, MixedCapture) AzMu - HDAudio.sys - HD Audio Class Driver (MuxedCapture) AzMx - HDAudio.sys - HD Audio Class Driver (AzMixerport) AzLd - HDAudio.sys - HD Audio Class Driver (Datastore: logical device) AzLi - HDAudio.sys - HD Audio Class Driver (CDIn,AUXIn, linein) AzLg - HDAudio.sys - HD Audio Class Driver (debug) AzLs - HDAudio.sys - HD Audio Class Driver (DLTest) AzPd - HDAudio.sys - HD Audio Class Driver (AzDma) AzPx - HDAudio.sys - HD Audio Class Driver (AzPower) AzRr - HDAudio.sys - HD Audio Class Driver (RedirectedRender) AzRR - HDAudio.sys - HD Audio Class Driver (SpdifEmbeddedRender, SpdifOut, Headphone, HBDAout) AzSd - HDAudio.sys - HD Audio Class Driver (subdevicegraph) AzSi - HDAudio.sys - HD Audio Class Driver (SpdifIn) AzSt - HDAudio.sys - HD Audio Class Driver (AzWaveCyclicStream, HdaWaveRTstream) AzTs - HDAudio.sys - HD Audio Class Driver (TestSet1000, TestSet1001) AzUT - HDAudio.sys - HD Audio Class Driver (TestSet0004) AzWd - HDAudio.sys - HD Audio Class Driver (AzWidget) AzWp - HDAudio.sys - HD Audio Class Driver (AzWaveport, HdaWaveRTminiport) Bat? - - Battery Class drivers BatC - - Composite battery driver BatM - - Control method battery driver BatS - - Smart battery driver Batt - - Battery class driver BCSP - bthbcsp.sys - Bluetooth BCSP minidriver BCDK - nt!init - Kernel boot configuration data. BDD - BasicDisplay.sys - Microsoft Basic Display Driver BIG - nt!mm - Large session pool allocations (ntos\ex\pool.c) BlCc - blkcache.sys - Block Cache Driver Bmfd - - Font related stuff BT3C - bt3c.sys - Bluetooth 3COM minidriver BT8x - - WDM mini drivers for Brooktree 848,829, etc. BTHP - bthport.sys - Bluetooth port driver (generic) BthS - bthport.sys - Bluetooth port driver (security) BTME - bthenum.sys - Bluetooth enumerator BTMO - bthmodem.sys - Bluetooth modem BTPT - - Bluetooth transport protocol library BTSR - bthser.sys - Bluetooth serial minidriver BTUR - bthuart.sys - Bluetooth UART minidriver WPAD - BasicRender.sys - Basic Render Adapter WPDV - BasicRender.sys - Basic Render DX Device WPCT - BasicRender.sys - Basic Render DX Context WPAL - BasicRender.sys - Basic Render Allocation WPAO - BasicRender.sys - Basic Render Opened Allocation WPRC - BasicRender.sys - Basic Render Rectangles (for Present) Bu* - - burneng.sys from adaptec BvHI - netiobvt.sys - BVT HT Items BvHT - netiobvt.sys - BVT HT Tables Call - nt!ex - kernel callback object signature call - - debugging call tables CBRe - - CallbackRegistration CBSI - cbsi.sys - Common Block Store Cc - nt!cc - Cache Manager allocations (catch-all) CcAs - nt!cc - Cache Manager Async cached read structure CcBc - nt!cc - Cache Manager Bcb from pool CcBm - nt!cc - Cache Manager Bitmap CcBn - nt!cc - Cache Manager Bcb trim notification entry CcBr - nt!cc - Cache Manager Bitmap range CcBz - nt!cc - Cache Manager Bcb Zone CcDw - nt!cc - Cache Manager Deferred Write CcEC - nt!cc - Cache Manager External Cache tracking structure CcEv - nt!cc - Cache Manager Event CcFn - nt!cc - Cache Manager File name for popups CCFF - CCFFilter.sys - Cluster Client Failover Filter Ccfx - nt!cc - Cache Manager Registry value full info structure CcMb - nt!cc - Cache Manager Mbcb CcNu - nt!cc - Cache Manager NUMA structures CcOb - nt!cc - Cache Manager Overlap Bcb CcPB - nt!ccpf - Prefetcher trace buffer CcPC - nt!ccpf - Prefetcher context CcPD - nt!ccpf - Prefetcher trace dump CcPF - nt!ccpf - Prefetcher file name CcPI - nt!ccpf - Prefetcher intermediate table CcPL - nt!ccpf - Prefetcher read list CcPM - nt!ccpf - Prefetcher metadata CcPS - nt!ccpf - Prefetcher scenario CcPT - nt!ccpf - Prefetcher trace CcPV - nt!ccpf - Prefetcher queried volumes CcPW - nt!ccpf - Prefetcher workers CcPa - nt!ccpf - Prefetcher async context CcPc - nt!cc - Cache Manager Private Cache Map CcPf - nt!ccpf - Prefetcher CcPh - nt!ccpf - Prefetcher header preallocation CcPn - nt!ccpf - Prefetcher name info CcPp - nt!ccpf - Prefetcher instructions CcPq - nt!ccpf - Prefetcher query buffer CcPr - nt!ccpf - Cache Manager Partition structures CcPs - nt!ccpf - Prefetcher section table CcPv - nt!ccpf - Prefetcher volume info CcPw - nt!ccpf - Prefetcher enable worker CcSc - nt!cc - Cache Manager Shared Cache Map CcTe - nt!cc - Cache Manager Telemetry allocation CcVa - nt!cc - Cache Manager Initial array of Vacbs CcVl - nt!cc - Cache Manager Vacb Level structures (large streams) CcVp - nt!cc - Cache Manager Array of Vacb pointers for a cached stream CctX - - EXIFX FCB Commit CTX CcWq - nt!cc - Cache Manager Work Queue Item CcWK - nt!cc - Kernel Cache Manager lookaside list CcWk - nt!cc - Kernel Cache Manager lookaside list CcWR - nt!cc - Cache Manager Registry watch structure CcZe - nt!cc - Cache Manager Buffer of Zeros CDmp - crashdmp.sys - Crashdump driver CdA - - CdAudio filter driver Cdcc - cdfs.sys - CDFS Ccb Cddn - cdfs.sys - CDFS CdName in dirent Cdee - cdfs.sys - CDFS Search expression for enumeration Cdfd - cdfs.sys - CDFS Data Fcb Cdfi - cdfs.sys - CDFS Index Fcb Cdfl - cdfs.sys - CDFS Filelock CdFn - cdfs.sys - CDFS Filename buffer Cdfn - cdfs.sys - CDFS Nonpaged Fcb Cdfs - cdfs.sys - CDFS General Allocation Cdft - cdfs.sys - CDFS Fcb Table entry Cdgs - cdfs.sys - CDFS Generated short name Cdic - cdfs.sys - CDFS Irp Context Cdil - cdfs.sys - CDFS Irp Context lite Cdio - cdfs.sys - CDFS Io context for async reads Cdma - cdfs.sys - CDFS Mcb array Cdpe - cdfs.sys - CDFS Prefix Entry CdPn - cdfs.sys - CDFS CdName in path entry Cdpn - cdfs.sys - CDFS Prefix Entry name Cdsp - cdfs.sys - CDFS Buffer for spanning path table Cdtc - cdfs.sys - CDFS TOC Cdun - cdfs.sys - CDFS Buffer for upcased name Cdvd - cdfs.sys - CDFS Buffer for volume descriptor Cdvp - cdfs.sys - CDFS Vpb allocated in filesystem CIcr - ci.dll - Code Integrity allocations for image integrity checking CIsc - ci.dll - Code Integrity core dll CIha - ci.dll - Code Integrity hashes CKRT - - Cluster Kernel RTL library CLb* - clusbflt.sys - Cluster block storage target driver CLB* - clusbflt.sys - Cluster block storage target driver CLd* - clusdflt.sys - Cluster disk filter driver ClfA - clfs.sys - CLFS Log container lookaside list ClfB - clfs.sys - CLFS Log base file lookaside list ClfC - clfs.sys - CLFS Log physical FCB lookaside list ClfD - clfs.sys - CLFS Log virtual FCB lookaside list ClfE - clfs.sys - CLFS Log CCB lookaside list ClfF - clfs.sys - CLFS Log flush element lookaside list ClfG - clfs.sys - CLFS Log I/O Request lookaside list ClfH - clfs.sys - CLFS Log I/O control block lookaside list ClfI - clfs.sys - CLFS Log marshal buffer lookaside list ClfJ - clfs.sys - CLFS Log MDL reference ClfK - clfs.sys - CLFS Log read completion element ClfL - clfs.sys - CLFS Log base file image (obsolete) ClfN - clfs.sys - CLFS Log base file lock ClfO - clfs.sys - CLFS Log zero page ClfP - clfs.sys - CLFS Log request state ClfS - clfs.sys - CLFS Log base file snapshot Clfs - clfs.sys - CLFS General buffer, or owner page lookaside list ClNt - netft.sys - NetFt ClNw - netft.sys - NetFt work items CM - nt!cm - Configuration Manager (registry) CmcD - hal.dll - HAL CMC Driver Log CmcK - hal.dll - HAL CMC Kernel Log CmcT - hal.dll - HAL CMC temporary Log CMCa - nt!cm - Configuration Manager Cache (registry) CMDc - nt!cm - Configuration Manager Cache (registry) CMkb - nt!cm - registry key control blocks CMpb - nt!cm - registry post blocks CMnb - nt!cm - registry notify blocks CMpe - nt!cm - registry post events CMpa - nt!cm - registry post apcs CMsb - nt!cm - registry stash buffer CmVn - nt!cm - captured value name CMVw - nt!cm - registry mapped view of file CMVa - nt!cm - value cache value tag CMVI - nt!cm - value index cache tag CMSc - nt!cm - security cache pooltag CMSb - nt!cm - internal stash buffer pool tag CMNb - nt!cm - Configuration Manager Name Tag CMIn - nt!cm - Configuration Manager Index Hint Tag CMDa - nt!cm - value data cache pool tag CMAl - nt!cm - internal registry memory allocator pool tag CMA1 - nt!cm - Configuration Manager Audit Tag 1 CMA2 - nt!cm - Configuration Manager Audit Tag 2 CMA3 - nt!cm - Configuration Manager Audit Tag 3 CMA4 - nt!cm - Configuration Manager Audit Tag 4 CMIx - nt!cm - Configuration Manager Intent Lock Tag CMUw - nt!cm - Configuration Manager Unit of Work Tag CMTr - nt!cm - Configuration Manager Transaction Tag CMRm - nt!cm - Configuration Manager Resource Manager Tag CM?? - nt!cm - Internal Configuration manager allocations Cngb - ksecdd.sys - CNG kmode crypto pool tag COMX - serial.sys - serial driver allocations Cont - - Contiguous physical memory allocations for device drivers CopW - - EXIFS CopyOnWrite Covr - nt!cov - Code Coverage pool tag CpeD - hal.dll - HAL CPE Driver Log CpeK - hal.dll - HAL CMC Kernel Log CpeT - hal.dll - HAL CPE temporary Log CPnp - classpnp.sys - ClassPnP transfer packets Crsp - ksecdd.sys - CredSSP kernel mode client allocations CrtH - - EXIFS Create Header Cryp - ksecdd.sys - Crypto allocations CSdk - - Cluster Disk Filter driver CSnt - - Cluster Network driver CTE - - Common transport environment (ntos\inc\cxport.h, used by tdi) Cvli - - EXIFS Cached Volume Info D2d - - Device Object to DosName rtns (ntos\rtl\dev2dos.c) D3Dd - - DX D3D driver (embedded in a display driver like s3mvirge.dll) D851 - - 8514a video driver Dacl - - Temp allocations for object DACLs DamK - dam.sys - Desktop Activity Moderator Dati - - ati video driver DbCb - nt!dbg - Debug Print Callbacks DbLo - - Debug logging dcam - - WDM mini driver for IEEE 1394 digital camera DcbA - msdcb.sys - DCB application priority DcbC - msdcb.sys - DCB NMR provider context DcbD - msdcb.sys - DCB NDIS_QOS_CONFIGURATION DcbG - msdcb.sys - DCB string data DcbI - msdcb.sys - DCB interface context DcbL - msdcb.sys - DCB LLDP buffer DcbP - msdcb.sys - DCB NDIS port information DcbR - msdcb.sys - DCB store change record DcbS - msdcb.sys - DCB security object DcbU - msdcb.sys - DCB UQOS_POLICY_DESCRIPTOR DcbX - msdcb.sys - DCB general Dcdd - cdd.dll - Canonical display driver Dcl - - cirrus video driver Ddk - - Default for driver allocated memory (user's of ntddk.h) Devi - - Device objects DEag - devolume.sys - Drive extender disk set array: DEVolume!DEDiskSet * DEbo - devolume.sys - Drive extender bus opener context: DEVolume!DEBusOpenerContext DEbe - devolume.sys - Drive extender extends buffer DEbg - devolume.sys - Drive extender bus opener context global: DEVolume!DEBusOpenerContextGlobal DEbm - devolume.sys - Drive extender bitmap DEbu - devolume.sys - Drive extender generic buffer DEcl - devolume.sys - Drive extender delayed cleaner: DEVolume!DelayedCleaner DEct - devolume.sys - Drive extender chunk table DEda - devolume.sys - Drive extender disk array: DEVolume!DEDisk * DEdb - devolume.sys - Drive extender disk directory information DEdc - devolume.sys - Drive extender disk chunk: DEVolume!DiskChunk DEdg - devolume.sys - Drive extender disk globals: DEVolume!DEDiskGlobals DEdi - devolume.sys - Drive extender disk: DEVolume!DEDisk DEdm - devolume.sys - Drive extender disk mini chunk: DEVolume!DiskMiniChunk DEdn - devolume.sys - Drive extender disk identification info: DEVolume!DiskIdentificationInfo DEdr - devolume.sys - Drive extender device relations DEds - devolume.sys - Drive extender disk set: DEVolume!DEDiskSet DEdt - devolume.sys - Drive extender disk message: DEVolume!DE_DISK_MESSAGE DEdu - devolume.sys - Drive extender disk set message: DEVolume!DE_DISK_SET_MESSAGE DEdv - devolume.sys - Drive extender driver object: DEVolume!DEDriver DEea - devolume.sys - Drive extender expanding array: DEVolume!ExpandingAutoPointerArray DEec - devolume.sys - Drive extender ECC Page: DEVolume!DeEccPage DEfg - devolume.sys - Drive extender filter: DEVolume!DEFilter DEga - devolume.sys - Drive extender guild array DEic - devolume.sys - Drive extender filter instance context DEip - devolume.sys - Drive extender IRP based logical to physical request: DEVolume!IrpBasedLogicalToPhysicalRequest DEir - devolume.sys - Drive extender IRP based read request: DEVolume!IrpBasedReadRequest DEiw - devolume.sys - Drive extender IRP based write request: DEVolume!IrpBasedWriteRequest DEla - devolume.sys - Drive extender log mini chunk array DElb - devolume.sys - Drive extender log buffer DEli - devolume.sys - Drive extender disk set id record: DEVolume!DiskSetIdentificationRecord DElm - devolume.sys - Drive extender log manager: DEVolume!LogManager DElp - devolume.sys - Drive extender logical to physical request: DEVolume!LogicalToPhysicalRequest DElr - devolume.sys - Drive extender log reader: DEVolume!LogReader DElv - devolume.sys - Drive extender disk set volume id record: DEVolume!VolumeIdentificationRecord DElw - devolume.sys - Drive extender log writer buffer: DEVolume!LogWriterBuffer DEmc - devolume.sys - Drive extender volume chunk init mapping manager: DEVolume!VolumeChunkInitializationMappingManager DEml - devolume.sys - Drive extender log mapping manager: DEVolume!LogMappingManager DEms - devolume.sys - Drive extender superblock mapping manager: DEVolume!SuperBlockMappingManager DEmv - devolume.sys - Drive extender volume mapping manager: DEVolume!VolumeMappingManager DEog - devolume.sys - Drive extender old GUID array DEpe - devolume.sys - Drive extender pingable event: DEVolume!PingableEvent DEpg - devolume.sys - Drive extender pingable object globals: DEVolume!PingableObjectGlobals DEpm - devolume.sys - Drive extender physical map: DEVolume!PhysicalMap DEqm - devolume.sys - Drive extender queued message: DEVolume!QueuedMessage DEra - devolume.sys - Drive extender disk event request DErb - devolume.sys - Drive extender become dirty request: DEVolume!VolumeChunk::BecomeDirtyRequest DErc - devolume.sys - Drive extender commit request: DEVolume!VolumeChunk::CommitRequest DErd - devolume.sys - Drive extender decommit request: DEVolume!VolumeChunk::DecommitRequest DEre - devolume.sys - Drive extender decommit all request: DEVolume!DiskSetVolume::DecommitAllRequest DErg - devolume.sys - Drive extender registry: DEVolume!DERegistry DErh - devolume.sys - Drive extender replicate chunk: DEVolume!ReplicateChunk DErl - devolume.sys - Drive extender long and notify request: DEVolume!DiskSetVolume::LogAndNotifyRequest DErm - devolume.sys - Drive extender range lock manager: DEVolume!RangeLockManager DErn - devolume.sys - Drive extender new epoch request: DEVolume!DEDiskSet::NewEpochRequest DEro - devolume.sys - Drive extender become out of date request: DEVolume!VolumeChunk::BecomeOutOfDateRequest DErp - devolume.sys - Drive extender replicator: DEVolume!Replicator DErr - devolume.sys - Drive extender read request: DEVolume!ReadRequest DErs - devolume.sys - Drive extender delete or shutdown request: DEVolume!DiskSetVolume::DeleteOrShutdownRequest DErt - devolume.sys - Drive extender start request: DEVolume!DEDiskSet::StartRequest DEru - devolume.sys - Drive extender shutdown request: DEVolume!DEDiskSet::ShutdownRequest DErv - devolume.sys - Drive extender repair volume request: DEVolume!DiskSetVolume::RepairVolumeDamageRequest DErw - devolume.sys - Drive extender read write target: DEVolume!ReadWriteTarget DErx - devolume.sys - Drive extender shutdown system request: DEVolume!DiskSetVolume::ShutdownRequest DEry - devolume.sys - Drive extender start or create request: DEVolume!DiskSetVolume::StartOrCreateRequest DErz - devolume.sys - Drive extender write super blocks request: DEVolume!DEDiskSet::WriteSuperBlocksRequest DEsb - devolume.sys - Drive extender super block buffer DEsd - devolume.sys - Drive extender disk set disk: DEVolume!DiskSetDisk DEsg - devolume.sys - Drive extender disk set globals: DEVolume!DEDiskSetGlobals DEsh - devolume.sys - Drive extender space holder operation: DEVolume!SpaceHolderOperation DEte - devolume.sys - Drive extender data error message: DEVolume!DE_DATA_ERROR_MESSAGE DEtr - devolume.sys - Drive extender trace message DEtn - devolume.sys - Drive extender range lock test node DEtx - devolume.sys - Drive extender range lock test DEts - devolume.sys - Drive extender splay tree test DEtw - devolume.sys - Drive extender trim worker pauser: DEVolume!AutoPauseTrimWorker DEub - devolume.sys - Drive extender unaligned EccPage temp buffer: DEVolume!DeEccPage DEus - devolume.sys - Drive extender unicode string DEva - devolume.sys - Drive extender volume chunk array: DEVolume!AutoVolumeChunkPtr * DEvc - devolume.sys - Drive extender volume chunk: DEVolume!VolumeChunk DEvg - devolume.sys - Drive extender volume globals: DEVolume!DEVolumeGlobals DEvh - devolume.sys - Drive extender volume device globals: DEVolume!DEVolumeDeviceGlobals DEvm - devolume.sys - Drive extender volume message: DEVolume!DE_VOLUME_MESSAGE DEvo - devolume.sys - Drive extender volume message: DEVolume!DEVolume DEvs - devolume.sys - Drive extender disk set volume: DEVolume!DiskSetVolume DEwi - devolume.sys - Drive extender work item: DEVolume!AutoWorkItem DEze - devolume.sys - Drive extender cluster of zeros Dh 0 - - DirectDraw/3D default object Dh 1 - - DirectDraw/3D DirectDraw object Dh 2 - - DirectDraw/3D Surface object Dh 3 - - DirectDraw/3D Direct3D context object Dh 4 - - DirectDraw/3D VideoPort object Dh 5 - - DirectDraw/3D MotionComp object Dfb - - framebuf video driver DfC? - dfsc.sys - DFS Client allocations DfCa - dfsc.sys - DFS Client PERUSERTABLE DfCb - dfsc.sys - DFS Client REFCONTEXT DfCc - dfsc.sys - DFS Client CONNECTION DfCd - dfsc.sys - DFS Client CURRENTDC DfCe - dfsc.sys - DFS Client CSCEA DfCf - dfsc.sys - DFS Client FILENAME DfCg - dfsc.sys - DFS Client PREFIXCACHE DfCh - dfsc.sys - DFS Client HASH DfCi - dfsc.sys - DFS Client INPUTBUFFER DfCj - dfsc.sys - DFS Client REFERRALNAME DfCj - dfsc.sys - DFS Client REWRITTENNAME DfCl - dfsc.sys - DFS Client DCLIST DfCm - dfsc.sys - DFS Client CMCONTEXT DfCn - dfsc.sys - DFS Client DOMAINNAME DfCp - dfsc.sys - DFS Client PATH DfCq - dfsc.sys - DFS Client REGSTRING DfCr - dfsc.sys - DFS Client REFERRAL DfCs - dfsc.sys - DFS Client SHARENAME DfCt - dfsc.sys - DFS Client TREECONNECT DfCu - dfsc.sys - DFS Client USETABLE DfCv - dfsc.sys - DFS Client SERVERNAME DfCw - dfsc.sys - DFS Client TARGETINFO DfCx - dfsc.sys - DFS Client CREDENTIALS DfCy - dfsc.sys - DFS Client REMOTEENTRY DfCz - dfsc.sys - DFS Client DOMAINREFERRAL Dfs - - Distributed File System dfsr - - RDBSS IRP allocation Dfsm - - Eng event allocation (ENG_KEVENTALLOC,ENG_ALLOC) in ntgdi\gre dFVE - dumpfve.sys - Full Volume Encryption crash dump filter (Bitlocker Drive Encryption) Dict - storport.sys - StorCreateDictionary storport!_STOR_DICTIONARY.Entries Dire - - Directory objects Dlck - - deadlock verifier (part of driver verifier) structures Dlmp - - Video utility library for Vista display drivers Dmga - - mga (matrox) video driver DmH? - - DirectMusic hardware synthesizer DmpS - dumpsvc.sys - Crashdump Service Driver DmS? - - DirectMusic kernel software synthesizer Dndt - - Device node Dnod - - Device node structure DNSk - netio.sys - DNS RPC Transactions DOPE - - Device Object Power Extension (po component) DpDc - FsDepends.sys - FsDepends Dependency Context Block DpDl - FsDepends.sys - FsDepends Dependency List Block DpPl - FsDepends.sys - FsDepends Parent Link Block DPrf - - Disk performance filter driver DPwr - nt!pnp - PnP power management Dprt - dxgkrnl.sys - Video port for Vista display drivers Dps5 - - NT5 PostScript printer driver Dpsh - - Postcript driver heap memory Dpsi - - psidisp video driver Dpsm - - Postcript driver memory Dqv - - qv (qvision) video driver DpVc - FsDepends.sys - FsDepends Volume Context Block DrDr - rdpdr.sys - Global object DrEx - rdpdr.sys - Exchange object DrIC - rdpdr.sys - I/O context object Driv - - Driver objects Drsd - - Rasdd Printer Driver Pool Tag. Dtga - - tga video driver Dump - - Bugcheck dump allocations Dun5 - - NT5 Universal printer driver DUQD - mpsdrv.sys - MPSDRV upcall user request DV?? - - RDR2 DAV MiniRedir Tags DVCx - - AsyncEngineContext, DAV MiniRedir DVEx - - Exchange, DAV MiniRedir DVFi - - FileInfo, DAV MiniRedir DVFn - - FileName, DAV MiniRedir DVRw - - ReadWrite, DAV MiniRedir DVSc - - SrvCall, DAV MiniRedir DVSh - - SharedHeap, DAV MiniRedir Dvga - - vga 16 color video driver Dvg2 - - vga 256 color video driver Dvg6 - - vga 64K color video driver Dvgr - - vga for risc video driver DW32 - - W32 video driver Dwd - - wd90c24a video driver Dwp9 - - weitekp9 video driver Dxga - - XGA video driver DxgK - dxgkrnl.sys - Vista display driver support Efsm - - EFS driver Efsc - - EFS driver Efst - - EXIFS FS Statistics Envr - - Environment strings EQAn - tcpip.sys - EQoS application name EQCc - tcpip.sys - EQoS counters EQHb - tcpip.sys - EQoS HKE binding EQHp - tcpip.sys - EQoS HKE parameters EQOw - tcpip.sys - EQoS policy owner EQPn - tcpip.sys - EQoS policy net entry EQPp - tcpip.sys - EQoS policy profile entry EQPs - tcpip.sys - EQoS policy scratch data EQPt - tcpip.sys - EQoS policy table EQQu - tcpip.sys - EQoS flow unit EQSc - tcpip.sys - EQoS pacer client EQSe - tcpip.sys - EQoS QIM endpoint EQSp - tcpip.sys - EQoS generic policy data EQSt - tcpip.sys - EQoS policy trim scratch EQSx - tcpip.sys - EQoS security object EQSy - tcpip.sys - EQoS proxy data EQUn - tcpip.sys - EQoS uQoS NPI client data EQUr - tcpip.sys - EQoS URL string EQUp - tcpip.sys - EQoS URL policy section EQUQ - tcpip.sys - UQoS generic allocation Err - - Error strings Etwa - nt!etw - Etw server silo state EtwA - nt!etw - Etw APC Etwb - nt!etw - Etw provider tracking EtwB - nt!etw - Etw Buffer Etwc - nt!etw - Etw rundown reference counters EtwC - nt!etw - Etw Realtime Consumer Etwd - nt!etw - Etw Disallow List Entry EtwD - nt!etw - Etw DataBlock EtwF - nt!etw - Etw Filter EtwG - nt!etw - Etw Guid EtwH - nt!etw - Etw Private Handle Demuxing Etwi - nt!etw - Etw IPT support EtwK - nt!etw - Etw SoftRestart support Etwl - nt!etw - Etw stack look-aside list entry EtwL - nt!etw - Etw LoggerContext Etwm - nt!etw - Etw BitMap Etwo - nt!etw - Etw memory partition reference EtwO - nt!etw - Etw memory partition MDL Etwp - nt!etw - Etw TracingBlock EtwP - nt!etw - Etw Pool Etwq - nt!etw - Etw ReplyQueue Etwr - nt!etw - Etw ReplyQueue entry EtwR - nt!etw - Etw KM RegEntry Etws - nt!etw - Etw stack cache EtwS - nt!etw - Etw DataSource Etwt - nt!etw - Etw temporary buffer EtwT - nt!etw - Etw provider traits EtwU - nt!etw - Etw Periodic Capture State EtwV - nt!etw - Etw Coverage Sampling EtwW - nt!etw - Etw WorkItem Etwx - nt!etw - Etw LBR support EtwX - nt!etw - Etw profiling support EtwZ - nt!etw - Etw compression support Evel - - EFS file system filter driver lookaside list Even - - Event objects Evid - - Rtl Event ID's ExWl - - Executive worker list entry Fat - fastfat.sys - Fat File System allocations FatB - fastfat.sys - Fat allocation bitmaps FatC - fastfat.sys - Fat Ccbs FatD - fastfat.sys - Fat pool dirents FatE - fastfat.sys - Fat EResources FatF - fastfat.sys - Fat Fcbs FatI - fastfat.sys - Fat IrpContexts FatL - fastfat.sys - Fat FAT entry lookup buffer on verify FatN - fastfat.sys - Fat Nonpaged Fcbs FatO - fastfat.sys - Fat I/O buffer FatP - fastfat.sys - Fat output for query retrieval pointers (caller frees) FatQ - fastfat.sys - Fat buffered user buffer FatR - fastfat.sys - Fat repinned Bcb FatS - fastfat.sys - Fat stashed Bpb FatT - fastfat.sys - Fat directory allocation bitmaps FatV - fastfat.sys - Fat Vcb stat bucket Fatv - fastfat.sys - Fat events FatW - fastfat.sys - Fat FAT windowing structure FatX - fastfat.sys - Fat IO contexts Fatb - fastfat.sys - Fat Bcb arrays Fatd - fastfat.sys - Fat EA data Fate - fastfat.sys - Fat EA set headers Fatf - fastfat.sys - Fat deferred flush contexts Fati - fastfat.sys - Fat IO run descriptor Fatn - fastfat.sys - Fat filename buffer Fatr - fastfat.sys - Fat verification-time rootdir snapshot Fats - fastfat.sys - Fat verification-time boot sector Fatv - fastfat.sys - Fat backpocket Vpb Fatx - fastfat.sys - Fat delayed close contexts FbCx - tcpip.sys - Inet feature fallback contexts REM FsLib allocations. FsLib is a static library linked in both NTFS and ReFS FDEl - FsLib - FsLib DAX Extent Array FDEd - FsLib - FsLib DAX Extent Descriptor FDDb - FsLib - FsLib DAX DSM Buffer FsIT - FsLib - FsLib IO Trace FsLd - FsLib - FsLib Livedump fboX - - EXIFS FOBXVF List Fcbl - - EXIFS FCBlock Fcon - nt!RtlpFc - Feature Configuration Management Feiv - netio.sys - WFP filter engine incoming values Fecc - netio.sys - WFP filter engine classify context Fecf - netio.sys - WFP filter engine callout context File - - File objects FIcn - fileinfo.sys - FileInfo FS-filter Create Retry Path FIcp - fileinfo.sys - FileInfo FS-filter Extra Create Parameter FIcs - fileinfo.sys - FileInfo FS-filter Stream Context FIcv - fileinfo.sys - FileInfo FS-filter Volume Context FIOc - fileinfo.sys - FileInfo FS-filter Prefetch Open Context FIou - fileinfo.sys - FileInfo FS-filter User Open Context FIof - fileinfo.sys - FileInfo FS-filter File Object Context FIPc - fileinfo.sys - FileInfo FS-filter Prefetch Context FIvn - fileinfo.sys - FileInfo FS-filter Volume Name FIvp - fileinfo.sys - FileInfo FS-filter Volume Properties FlmC - tcpip.sys - Framing Layer Client Contexts FlmP - tcpip.sys - Framing Layer Provider Contexts Flng - tcpip.sys - Framing Layer Generic Buffers (Tunnel/Port change notifications, ACLs) FlpC - tcpip.sys - Framing Layer Client Contexts FlpI - tcpip.sys - Framing Layer Interfaces FlpL - tcpip.sys - Framing Layer Client Interface Contexts FlpM - tcpip.sys - Framing Layer Multicast Groups FlpS - tcpip.sys - Framing Layer Serialized Requests Fl6D - tcpip.sys - FL6t DataLink Addresses Fl4D - tcpip.sys - FL4t DataLink Addresses FltD - tcpip.sys - FLt DataLink Addresses FlSB - tcpip.sys - Framing Layer Stack Block Flop - - floppy driver FLSk - nt!ps - Kernel TLS metadata Flst - - EXIFS Freelist Fltt - nt!Vf - Log of Driver Verifier fault injection stack traces. FLex - - exclusive file lock FLfl - - exported (non-private) file lock FLli - - per-file lock information FLln - - shared lock tree node FLsh - - shared file lock FLwl - - waiting lock FM?? - fltmgr.sys - Unrecognized FltMgr tag (update pooltag.w) FMac - fltmgr.sys - ASCII String buffers FMas - fltmgr.sys - ASYNC_IO_COMPLETION_CONTEXT structure FMcb - fltmgr.sys - FLT_CCB structure FMcn - fltmgr.sys - Non paged context extension structures FMcp - fltmgr.sys - Client port wrapper structure FMcr - fltmgr.sys - Context registration structures FMct - fltmgr.sys - TRACK_COMPLETION_NODES structure FMdh - fltmgr.sys - Paged ECP context for targeted create reparse FMdl - fltmgr.sys - Array of DEVICE_OBJECT pointers FMea - fltmgr.sys - EA buffer for create FMfc - fltmgr.sys - FLTMGR_FILE_OBJECT_CONTEXT structure FMfi - fltmgr.sys - Fast IO dispatch table FMfk - fltmgr.sys - Byte Range Lock structure FMfl - fltmgr.sys - FLT_FILTER structure FMfn - fltmgr.sys - NAME_CACHE_NODE structure FMfr - fltmgr.sys - FLT_FRAME structure FMfz - fltmgr.sys - FILE_LIST_CTRL structure FMib - fltmgr.sys - Irp SYSTEM buffers FMic - fltmgr.sys - IRP_CTRL structure FMil - fltmgr.sys - IRP_CTRL completion node stack FMin - fltmgr.sys - FLT_INSTANCE name FMis - fltmgr.sys - FLT_INSTANCE structure FMla - fltmgr.sys - Per-processor IRPCTRL lookaside lists FMlp - fltmgr.sys - Paged stream list control entry structures FMnc - fltmgr.sys - NAME_CACHE_CREATE_CTRL structure FMng - fltmgr.sys - NAME_GENERATION_CONTEXT structure FMol - fltmgr.sys - OPLOCK_CONTEXT structure FMor - fltmgr.sys - OpenReparse ECP structure FMos - fltmgr.sys - Operation status ctrl structure FMpl - fltmgr.sys - Cache aware pushLock FMpr - fltmgr.sys - FLT_PRCB structure FMQc - fltmgr.sys - QueryOnCreate ECP structure FMrl - fltmgr.sys - FLT_OBJECT rundown logs FMrp - fltmgr.sys - Reparse point data buffer FMrr - fltmgr.sys - Per-processor Cache-aware rundown ref structure FMrs - fltmgr.sys - Registry string FMrw - fltmgr.sys - FLT_REGISTRY_WATCH_CONTEXT structure FMsc - fltmgr.sys - SECTION_CONTEXT structure FMsd - fltmgr.sys - Security descriptors FMsl - fltmgr.sys - STREAM_LIST_CTRL structure FMtb - fltmgr.sys - TXN_PARAMETER_BLOCK structure FMtn - fltmgr.sys - Temporary file names FMtp - fltmgr.sys - Non Paged TxVol context structures FMtr - fltmgr.sys - Temporary Registry information FMts - fltmgr.sys - Tree Stack FMus - fltmgr.sys - Unicode string FMvf - fltmgr.sys - FLT_VERIFIER_EXTENSION structure FMvj - fltmgr.sys - FLT_VERIFIER_OBJECT structure FMvl - fltmgr.sys - Array of FLT_VERIFIER_OBJECT structures FMvo - fltmgr.sys - FLT_VOLUME structure FMwi - fltmgr.sys - Work item structures Fsb - netio.sys - Fixed-Size Block pool Fsrc - fsrec.sys - Filesystem recognizer (fsrec.sys) Fstb - - ntos\fstub FstB - - ntos\fstub FsVg - fsvga.sys - International VGA support flnk - - font link tag used in ntgdi\gre FLpc - netio.sys - IPv6 Framing Layer Client context fpct - wof.sys - Compressed file chunk table fpcx - wof.sys - Compressed file IO context fpdw - wof.sys - Compressed file decompression workspace fpgn - wof.sys - Compressed file general fppm - wof.sys - Compressed file IO parameters fprd - wof.sys - Compressed file small read buffer fpRD - wof.sys - Compressed file large read buffer fpwi - wof.sys - Compressed file work item fpxp - wof.sys - Compressed file xpress context FS?? - nt!fsrtl - Unrecoginzed File System Run Time allocations (update pooltag.w) FSeh - nt!fsrtl - File System Run Time Extra Create Parameter Entry FSel - nt!fsrtl - File System Run Time Extra Create Parameter List FSfm - nt!fsrtl - File System Run Time Fast Mutex Lookaside List FSim - nt!fsrtl - File System Run Time Mcb allocations FSrt - nt!fsrtl - File System Run Time allocations (DO NOT USE!) FSmg - nt!fsrtl - File System Run Time FSrd - nt!fsrtl - File System Run Time FSrm - nt!fsrtl - File System Run Time FSrn - nt!fsrtl - File System Run Time FSrN - nt!fsrtl - File System Run Time FSro - nt!fsrtl - File System Run Time FSrs - nt!fsrtl - File System Run Time Work Item for low-stack posting FSun - nt!fsrtl - File System Run Time FOCX - nt!fsrtl - File System Run Time File Object Context structure FsCo - fse.sys - FSE_CORE_CONTEXT_OBJECT_POOL_TAG Fsbi - fse.sys - FSE_CORE_NBLCHAIN_INDICATION_CONTEXT_POOL_TAG FsGo - fse.sys - FSE_CORE_NDIS_GENERIC_OBJECT_POOL_TAG Fspe - fse.sys - FSE_CORE_NIC_PAIR_ENTRY_POOL_TAG FsDC - fse.sys - FSE_DEVICE_CONTEXT_TAG Fsed - fse.sys - FSE_DIAGNOSTICS_SCRATCH_TAG FseB - fse.sys - FSE_EXPANDABLE_BUFFER_SIGNATURE FsIP - fse.sys - FSE_IPS_CLIENT_TAG FsIf - fse.sys - FSE_IPS_CLIENT_INTERFACE_TAG Fsgo - fse.sys - FSE_NDIS_GENERIC_OBJECT_POOL_TAG FsLS - fse.sys - FSE_NMR_CLIENT_POOLTAG FseV - fse.sys - FSE_PARTITION_SIGNATURE FseT - fse.sys - FSE_PATCH_SIGNATURE FseC - fse.sys - FSE_PORT_CACHE_SIGNATURE FsPp - fse.sys - FSE_PORT_POLICY_TAG FseP - fse.sys - FSE_PORT_POOL_SIGNATURE FseR - fse.sys - FSE_PORT_RESERVATION_SIGNATURE FsGl - fse.sys - FSE_SERVER_TAG_GLOBAL FsMt - fse.sys - FSE_SERVER_TAG_MESSAGE FsMl - fse.sys - FSE_SERVER_TAG_MIDL FsPd - fse.sys - FSE_SERVER_TAG_PARTITION FsSt - fse.sys - FSE_SERVER_TAG_SOCKET FsSc - fse.sys - FSE_SERVER_TAG_SOCKET_CONTEXT FsWi - fse.sys - FSE_SERVER_TAG_WORKITEM FseS - fse.sys - FSE_SHIMS_TAG FseW - fse.sys - FSE_WORKSHEET_POOLTAG FsTd - fse.sys - FSE_PT_TEST_DRIVER_TAG FTrc - - Fault tolerance Slist tag. FtC - - Fault tolerance driver FtM - - Fault tolerance driver FtS - - Fault tolerance driver FtT - - Fault tolerance driver FtU - - Fault tolerance driver FtV - - Fault tolerance driver FtpA - mpsdrv.sys - MPSDRV FTP protocol analyzer FwfD - mpsdrv.sys - MPSDRV driver buffer for flattening NET_BUFFFER FwSD - tcpip.sys - WFP security descriptor FVE? - fvevol.sys - Full Volume Encryption Filter Driver (Bitlocker Drive Encryption) FVE0 - fvevol.sys - General allocations FVEc - fvevol.sys - Cryptographic allocations FVEl - fvevol.sys - FVELIB allocations FVEp - fvevol.sys - Write buffers FVEr - fvevol.sys - Reserved mapping addresses FVEv - fvevol.sys - Conversion allocations FVEw - fvevol.sys - Worker threads FVEx - fvevol.sys - Read/write control structures FxDr - wdf01000.sys - KMDF driver globals/generic pool allocation tag. Fallback tag in case driver tag is unusable. FxLg - wdf01000.sys - KMDF IFR log tag FxL? - wdfldr.sys - KMDF Loader Pool allocation Fwpp - fwpkclnt.sys - Windows Filtering Platform export driver. Fwpn - fwpkclnt.sys - WFP NBL info Fwpi - fwpkclnt.sys - WFP injector info Fwpx - fwpkclnt.sys - WFP NBL tagged context Fwpd - fwpkclnt.sys - WFP delayed injection context Fwpc - fwpkclnt.sys - WFP injection call context G??? - - Gdi Objects G - - Gdi Generic allocations Gcac - - Gdi glyph cache Gcap - - Gdi capture buffer Gcsl - - Gdi string resource script names Gdbr - - Gdi driver brush realization Gdd - - Gdi ddraw PKEY_VALUE_FULL_INFORMATION Gdda - - Gdi ddraw attach list GddD - - Gdi ddraw dummy page Gdde - - Gdi ddraw event Gddf - - Gdi ddraw driver heaps Gddp - - Gdi ddraw driver caps Gddv - - Gdi ddraw driver video memory list Gdxd - - Gdi ddraw VPE directdraw object Gdxs - - Gdi ddraw VPE surface, videoport, capture object Gdxx - - Gdi ddraw VPE DXAPI object Gdev - - Gdi GDITAG_DEVMODE GDev - - Gdi pdev Gdrs - - Gdi GDITAG_DRVSUP Gebr - - Gdi ENGBRUSH gEdg - - Gdi gradient fill triangle Gffv - - Gdi FONTFILEVIEW gFil - - Gdi FILEVIEW GFil - - Gdi engine descriptor list Gfsb - - Gdi font sustitution list Gfsm - - Gdi Fast mutex Ggdv - - Gdi GDITAG_GDEVICE Gglb - - Gdi temp buffer Ggls - - Gdi glyphset Ggb - - Gdi glyph bits Ggbl - - Gdi look aside buffers Ghmg - - Gdi handle manager objects Gini - - Gdi fast mutex Gldv - - Gdi Ldev Glnk - - Gdi PFELINK Gmap - - Gdi font map signature table Gpff - - Gdi physical font file Gpft - - Gdi font table Gsem - - Gdi Semaphores Gsp - - Gdi sprite Gspr - - Gdi sprite grow range Gtmp - - Gdi temporary allocations Gtmw - - Gdi TMW_INTERNAL Gxlt - - Gdi Xlate Gfcb - - EXIFS Grow FCB Hal - hal.dll - Hardware Abstraction Layer Hal2 - hal.dll - Hardware Abstraction Layer: Secondary Interrupts HalA - hal.dll - Hardware Abstraction Layer: ACPI Hala - hal.dll - Hardware Abstraction Layer: HSA HalB - hal.dll - Hardware Abstraction Layer: MM Buffer Halb - hal.dll - Hardware Abstraction Layer: MM Metadata HalC - hal.dll - Hardware Abstraction Layer: Dynamic Partitioning Halc - hal.dll - Hardware Abstraction Layer: Processors HalD - hal.dll - Hardware Abstraction Layer: DMA Hald - hal.dll - Hardware Abstraction Layer: Kernel Debug HalE - hal.dll - Hardware Abstraction Layer: Errata Management HalF - hal.dll - Hardware Abstraction Layer: Firmware HalH - hal.dll - Hardware Abstraction Layer: Hypervisor HalI - hal.dll - Hardware Abstraction Layer: IOMMU Hali - hal.dll - Hardware Abstraction Layer: Interrupts HalK - hal.dll - Hardware Abstraction Layer: KINTERUPT objects HalM - hal.dll - Hardware Abstraction Layer: Memory Management Halm - hal.dll - Hardware Abstraction Layer: Misc HalP - hal.dll - Hardware Abstraction Layer: PCI Halp - hal.dll - Hardware Abstraction Layer: PNP Halo - hal.dll - Hardware Abstraction Layer: Power HalV - ntoskrnl.exe - Driver Verifier DMA checking HalW - hal.dll - Hardware Abstraction Layer: WHEA Hpfs - - Pinball (aka Hpfs) allocations HisC - - histogram filter driver Hist - - histogram filter driver HidP - hidparse.sys - HID Parser HidC - hidclass.sys - HID Class driver HdCl - - HID Client Sample Driver HpMM - pnpmem.sys - HotPlug Memory Driver HCID - bthport.sys - Bluetooth port driver HCI debug HCIT - bthport.sys - Bluetooth port driver (HCI) HcRs - hcaport.sys - HCAPORT_TAG_RESOURCE_LIST HcEv - hcaport.sys - HCAPORT_TAG_EVENT HcdI - hcaport.sys - HCAPORT_TAG_HWID HcEn - hcaport.sys - HCAPORT_TAG_ENUM HcMc - hcaport.sys - HCAPORT_TAG_MISC HcDr - hcaport.sys - HCAPORT_TAG_DEVICE_RELATIONS HcBm - hcaport.sys - HCAPORT_TAG_BITMAP HcOb - hcaport.sys - HCAPORT_TAG_OBJECT HcCq - hcaport.sys - HCAPORT_TAG_CQUEUE HcPr - hcaport.sys - HCAPORT_TAG_PROTD HPmi - hcaport.sys - HCAPORT_TAG_PMI_EXTENSION HcMa - hcaport.sys - HCAPORT_TAG_MAD HcMp - hcaport.sys - HCAPORT_TAG_MINIPORT HcCm - hcaport.sys - HCAPORT_TAG_CM HcUc - hcaport.sys - HCAPORT_TAG_UCONTEXT HcMr - hcaport.sys - HCAPORT_TAG_REMOVE_LOCK Hmgo - hcaport.sys - HCAPORT_TAG_WQ_MG_INFO Hioc - hcaport.sys - HCAPORT_TAG_IOC_SERVICE_TABLE hSVD - mrxdav.sys - Shared Heap Tag HTab - - Hash Table pool HT01 - - GDI Halftone AddCachedDCI() for CurCDCIData HT02 - - GDI Halftone GetCachedDCI() for Threshold HT03 - - GDI Halftone FindCachedSMP() for CurCSMPData HT04 - - GDI Halftone FindCachedSMP() for CurCSMPBmp HT05 - - GDI Halftone HT_CreateDeviceHalftoneInfo() for HT_DHI HT06 - - GDI Halftone pDCIAdjClr() for DEVCLRADJ HT07 - - GDI Halftone ComputeRGB555LUT() for RGBLUT HT08 - - GDI Halftone ColorTriadSrcToDev() for RGB-XYZ HT09 - - GDI Halftone ColorTriadSrcToDev() for CRTX-FD6XYZ Cache HT10 - - GDI Halftone CreateDyesColorMappingTable() for DevPrims HT11 - - GDI Halftone CreateDyesColorMappingTable() for DyeMappingTable HT12 - - GDI Halftone ThresholdsFromYData() for pYData HT13 - - GDI Halftone ComputeHTCellRegress() for pThresholds HT14 - - GDI Halftone CalculateStretch() for InputSI/pSrcMaskLine HT15 - - GDI Halftone CalculateStretch() for PrimColorInfo Hvlm - nt!Hvl - Temporary MDL for the Hvl component. HvlP - nt!Hvl - Hypercall marshalling pages for the Hvl component. IBCM - wibcm.sys - CM_INSTANCE_TAG Windows Infiniband Communications Manager CEP - wibcm.sys - CEP_INSTANCE_TAG CMSH - wibcm.sys - WIBCM_SHARED_TAG CMWK - wibcm.sys - WIBCM_WORK_TAG CMWT - wibcm.sys - WIBCM_TIMER_TAG IBm* - wibms.sys - Windows Infiniband Management Server pool tags IbPm - wibpm.sys - WIBPM_TAG Windows Infiniband Performance Manager IbPS - wibpm.sys - WIBPM_SENT_TAG IbPI - wibpm.sys - WIBPM_ITEM_TAG IbPA - wibpm.sys - WIBPM_SAMPLE_TAG IbW0 - wibwmi.sys - WIBWMI0_TAG Windows Infiniband WMI Manager IbW1 - wibwmi.sys - WIBWMI1_TAG IbW2 - wibwmi.sys - WIBWMI2_TAG Ic4c - tcpip.sys - ICMP IPv4 Control data Ic4h - tcpip.sys - ICMP IPv4 Headers Ic6c - tcpip.sys - ICMP IPv6 Control data Ic6h - tcpip.sys - ICMP IPv6 Headers IBbf - tcpip.sys - IP BVT Buffers Ilom - tcpip.sys - IPsec LBFO offload map Ilog - tcpip.sys - IPsec LBFO offload general InAD - tcpip.sys - Inet Ancillary Data InCo - tcpip.sys - Inet Compartment InCS - tcpip.sys - Inet Compartment Set IneI - tcpip.sys - Inet Inspects InF0 - tcpip.sys - Inet Generic Fixed Size Block pool 0 InF1 - tcpip.sys - Inet Generic Fixed Size Block pool 1 InF2 - tcpip.sys - Inet Generic Fixed Size Block pool 2 InIS - tcpip.sys - Inet Inspect Streams InNA - - Inet Na Clients InNP - tcpip.sys - Inet Nsi Providers InPA - tcpip.sys - Inet Port Assignment Arrays InPa - tcpip.sys - Inet Port Assignments InPE - tcpip.sys - Inet Port Exclusions InPP - tcpip.sys - Inet Port pool InSB - tcpip.sys - Inet stack block InSC - tcpip.sys - Inet Queued Send Contexts InWP - tcpip.sys - Inet Wake Port Record Ipas - tcpip.sys - IP Buffers for Address Sort Ipcr - tcpip.sys - IP Cache-aware Reference Counters IPba - tcpip.sys - IP Batching IPbw - tcpip.sys - IP Path Bandwidth information IPdc - tcpip.sys - IP Destination Cache IPfg - tcpip.sys - IP Fragment Groups IPfp - tcpip.sys - IP PreValidated Receives IPif - tcpip.sys - IP Interfaces IPlc - tcpip.sys - IP Locality IPle - tcpip.sys - IP Loopback execution context IPlo - tcpip.sys - IP Loopback buffers IPlw - tcpip.sys - IP Loopback worker IPmf - tcpip.sys - IP Multicast Forwarding Entry pool IPpo - tcpip.sys - IP Offload buffers IPpa - tcpip.sys - IP Path information IPro - tcpip.sys - IP Router Context IPrq - tcpip.sys - IP Request Control data IPss - tcpip.sys - IP Session State IPsi - tcpip.sys - IP SubInterfaces Ipng - tcpip.sys - IP Generic buffers (Address, Interface, Packetize, Route allocations) IpOl - tcpip.sys - IP Offload Log data Ippp - tcpip.sys - IP Prefix Policy information IPre - tcpip.sys - IP Reassembly buffers Iptt - tcpip.sys - IP Timer Tables Iptc - tcpip.sys - IP Transaction Context information Ipur - tcpip.sys - IP Unicast Routes Ipwi - tcpip.sys - IP Work Item allocations I4ai - tcpip.sys - IPv4 Local Address Identifiers I4ba - tcpip.sys - IPv4 Local Broadcast Addresses I4bf - tcpip.sys - IPv4 Generic Buffers (Source Address List allocations) I4e - tcpip.sys - IPv4 Echo data I4ma - tcpip.sys - IPv4 Local Multicast Addresses I4nb - tcpip.sys - IPv4 Neighbors I4rd - tcpip.sys - IPv4 Receive Datagrams Arguments I4ua - tcpip.sys - IPv4 Local Unicast Addresses I6ai - tcpip.sys - IPv6 Local Address Identifiers I6aa - tcpip.sys - IPv6 Local Anycast Addresses I6bf - tcpip.sys - IPv6 Generic Buffers (Source Address List allocations) I6e - tcpip.sys - IPv6 Echo data I6ma - tcpip.sys - IPv6 Local Multicast Addresses I6nb - tcpip.sys - IPv6 Neighbors I6rd - tcpip.sys - IPv6 Receive Datagrams Arguments I6ua - tcpip.sys - IPv6 Local Unicast Addresses IPX - - Nwlnkipx transport Icp - - I/O completion packets queue on a completion ports IcpP - - NPAGED_LOOKASIDE_LIST I/O completion per processor lookaside pointers IdeP - - atapi IDE IdeX - - PCI IDE idle - - Power Manager idle handler Ifs - - Default file system allocations (user's of ntifs.h) Info - - general system information allocations Io - nt!io - general IO allocations IoAc - nt!io - Io ACLs IoBo - nt!io - Io boot disk information IoCc - nt!io - Io completion context IoCo - nt!io - Io completion IoCp - nt!io - Io copy operation IoDn - nt!io - Io device name info IoEa - nt!io - Io extended attributes IoEr - nt!io - Io error log packets IoEv - nt!io - Io KEVENT IoFc - nt!io - Io name transmogrify operation IoFs - nt!io - Io shutdown packet IoFu - nt!pnp - Io file utils Ioin - - Io interrupts IoKa - nt!io - Io keepalive IoKB - nt!io - Registry basic key block (temp allocation) IoKe - nt!io - Io registry key IoLe - nt!io - Io length IoN1 - nt!io - Io name strings 1 IoN2 - nt!io - Io name strings 2 IoN3 - nt!io - Io name strings 3 IoN4 - nt!io - Io name strings 4 IoNm - nt!io - Io parsing names IoOp - nt!io - I/O subsystem open packet IoRb - nt!io - Io remote boot related IoRe - nt!io - Io reparse IoRi - nt!io - I/O SubSystem Driver Reinitialization Callback Packet IoRN - nt!io - Registry key name (temp allocation) IoSA - nt!io - Io segment array IoSB - nt!io - Io system buffer IoSD - nt!io - Io system device buffer IoSe - nt!io - Io security related IoSh - nt!io - Io shutdown packet IoSi - nt!io - Io Symbolic Links IoSn - nt!io - Io Session Notifications IoSs - nt!io - Io SIDs IoSt - nt!io - Io Stream Identifier Context IoSy - nt!io - Io system environment variables IoTi - nt!io - Io timers IoTt - nt!vf - I/O verifier IRP tracking table IoUs - nt!io - I/O SubSystem completion Context Allocation IoWI - nt!io - Io work items Irp - - Io, IRP packets Irp+ - nt!vf - I/O verifier allocated IRP packets IrpB - nt!vf - I/O verifier direct I/O double buffer allocation Irpd - nt!vf - I/O verifier deferred completion context Irps - nt!vf - I/O verifier per-IRP session tracking data Irpt - nt!vf - I/O verifier per-IRP tracking data IrpC - nt!vf - I/O verifier stack contexts Irpl - nt!io - system large IRP lookaside list Irps - nt!io - system small IRP lookaside list IrpX - nt!io - IRP Extension Isap - - Pnp Isa bus extender II?? - - IP in IP tunneling IIrf - - Free memory IIdt - - Data IITn - - Tunnel IIhd - - Header IIpk - - Packet IIsc - - Send Context IIts - - Transfer Context IIwc - - Work Context Im* - - Imapi.sys from adaptec INTC - - Intel video driver IPm? - - IP Multicasting IPmg - - Group IPms - - Source IPmo - - Outgoing Interface IPmm - - Message IPmf - - Free memory (only in checked builds) Ip?? - ipsec.sys - IP Security (IPsec) IpSI - ipsec.sys - initial allocations IpAT - ipsec.sys - AH headers in transport mode IpAU - ipsec.sys - AH headers in tunnel mode IpET - ipsec.sys - ESP headers in transport mode IpEU - ipsec.sys - ESP headers in tunnel mode IpHT - ipsec.sys - HUGHES headers in transport mode IpHU - ipsec.sys - HUGHES headers in tunnel mode IpAX - ipsec.sys - key acquire contexts IpFI - ipsec.sys - filter blocks IpSA - ipsec.sys - security associations (SA) IpKE - ipsec.sys - keys IpTI - ipsec.sys - timers IpSQ - ipsec.sys - stall queues IpLA - ipsec.sys - lookaside lists IpBP - ipsec.sys - buffer pools IpSC - ipsec.sys - send complete context IpEQ - ipsec.sys - event queue IpHW - ipsec.sys - hardware accleration items IpCO - ipsec.sys - IP compression ItoM - tcpip.sys - IPsec task offload interface ItoD - tcpip.sys - IPsec task offload delete SA ItoS - tcpip.sys - IPsec task offload add SA ItoC - tcpip.sys - IPsec task offload context ItoO - tcpip.sys - IPsec task offload paramters Itht - tcpip.sys - IPsec hashtable ISLe - tcpip.sys - IPsec SA list entry IsRc - tcpip.sys - IPsec rebalance context Ikmb - tcpip.sys - IPsec key module blob Ithp - tcpip.sys - IPsec throttle parameter Ipfl - tcpip.sys - IPsec flow handle Ipap - tcpip.sys - IPsec pend context Inlc - tcpip.sys - IPsec NL complete context Iprc - tcpip.sys - IPsec RPC context Ipis - tcpip.sys - IPsec inbound sequence info Itok - tcpip.sys - IPsec token Iser - tcpip.sys - IPsec inbound sequence range IKeO - tcpip.sys - IPsec key object I4sa - tcpip.sys - IPsec SADB v4 I4s6 - tcpip.sys - IPsec SADB v6 IHaO - tcpip.sys - IPsec hash object Ipnc - tcpip.sys - IPsec negotiation context Icse - tcpip.sys - IPsec NS connection state Itro - tcpip.sys - IPsec outbound session security context Itri - tcpip.sys - IPsec inbound packet security context Ituo - tcpip.sys - IPsec outbound tunnel session security context Itui - tcpip.sys - IPsec inbound packet tunnel security context Ipft - tcpip.sys - IPsec filter Ipwi - tcpip.sys - IPsec work item Idqf - tcpip.sys - IPsec DoS Protection QoS flow Idpc - tcpip.sys - IPsec DoS Protection pacer create Idst - tcpip.sys - IPsec DoS Protection state entry Ifws - tcpip.sys - IPsec forward state ImPl - ndisimplatform.sys - NDIS IM (LBFO) Platform IpFl - mpsdrv.sys - MPSDRV IP Flow IrD? - - IrDA TDI and RAS drivers IU?? - - IIS Utility Driver IUDl - - Lookaside list allocations IUcp - - completion port minipackets KAPC - nt!io - I/O SubSystem HardError APC KbdC - kbdclass.sys - Keyboard Class Driver KbdH - kbdhid.sys - Keyboard HID mapper Driver KCfe - - Kernel COM factory entry KDN_ - kdnic.sys - Network Kernel Debug Adapter KDNT - kdnic.sys - Network Kernel Debug Adapter TCB KDNR - kdnic.sys - Network Kernel Debug Adapter RCB KDNr - kdnic.sys - Network Kernel Debug Adapter RECV-NBL KDNF - kdnic.sys - Network Kernel Debug Adapter FRAME Ke - - Kernel data structures KeIC - - Kernel Interrupt Object Chain Key - - Key objects KMIX - - Kmixer (wdm audio) KNMI - - Kernel NMI Callback object KrbC - ksecdd.sys - Kerberos Client package krpc - nt - NTOS midl_user_allocate KSah - - Ks auxiliary stream headers KSAI - - allocator instance KSai - - default allocator instance header KSbi - - event buffered item KSCI - - clock instance KSce - - create item entry KSch - - create handler entry KSci - - default clock instance header KScp - - object creation parameters auxiliary copy KSda - - default allocator KSdc - - default clock KSdh - - device header Kse0 - ksecdd.sys - Security driver allocs for sec package 0 Kse1 - ksecdd.sys - Security driver allocs for sec package 1 Kse2 - ksecdd.sys - Security driver allocs for sec package 2 Kse3 - ksecdd.sys - Security driver allocs for sec package 3 Kse4 - ksecdd.sys - Security driver allocs for sec package 4 Kse5 - ksecdd.sys - Security driver allocs for sec package 5 Kse6 - ksecdd.sys - Security driver allocs for sec package 6 Kse7 - ksecdd.sys - Security driver allocs for sec package 7 Kse8 - ksecdd.sys - Security driver allocs for sec package 8 Kse9 - ksecdd.sys - Security driver allocs for sec package 9 Ksec - ksecdd.sys - Security device driver KSed - - event dpc item KSee - - event entry KSed - - oneshot event deletion dpc KSep - - irp system buffer event parameter KseS - ksecdd.sys - Security driver allocs for LSA proper KSew - - oneshot event deletion workitem KseZ - ksecdd.sys - Security driver allocs for default sec package KSqr - - QM quality report KSer - - QM error report KSfd - - filter cache data (MSKSSRV) KsFI - - filter instance KSns - - null security object KSnv - - registry name value KSoh - - object header KSop - - object creation parameters KSpc - - port driver instance FsContext KSPI - - pin instance KSpp - - irp system buffer property/method/event parameter KSpt - - pin type list (MSKSSRV) KSqf - - query information file buffer KSsc - - port driver stream FsContext KSsf - - set information file buffer KSsh - - stream headers KSsi - - software bus interface KSsl - - symbolic link buffer (MSKSSRV) KSsp - - serialized property set KsoO - - WDM audio stuff L2CA - bthport.sys - Bluetooth port driver (L2CAP) L2T0 - - ndis\l2tp / MTAG_FREED L2T1 - - ndis\l2tp / MTAG_ADAPTERCB L2T2 - - ndis\l2tp / MTAG_TUNNELCB L2T3 - - ndis\l2tp / MTAG_VCCB L2T4 - - ndis\l2tp / MTAG_VCTABLE L2T5 - - ndis\l2tp / MTAG_WORKITEM L2T6 - - ndis\l2tp / MTAG_TIMERQ L2T7 - - ndis\l2tp / MTAG_TIMERQITEM L2T8 - - ndis\l2tp / MTAG_PACKETPOOL L2T9 - - ndis\l2tp / MTAG_FBUFPOOL L2Ta - - ndis\l2tp / MTAG_HBUFPOOL L2Tb - - ndis\l2tp / MTAG_TDIXRDG L2Tc - - ndis\l2tp / MTAG_TDIXSDG L2Td - - ndis\l2tp / MTAG_CTRLRECD L2Te - - ndis\l2tp / MTAG_CTRLSENT L2Tf - - ndis\l2tp / MTAG_PAYLRECD L2Tg - - ndis\l2tp / MTAG_PAYLSENT L2Th - - ndis\l2tp / MTAG_INCALL L2Ti - - ndis\l2tp / MTAG_UTIL L2Tj - - ndis\l2tp / MTAG_ROUTEQUERY L2Tk - - ndis\l2tp / MTAG_ROUTESET L2Tl - - ndis\l2tp / MTAG_L2TPPARAMS L2Tm - - ndis\l2tp / MTAG_TUNNELWORK L2Tn - - ndis\l2tp / MTAG_TDIXROUTE LANE - atmlane.sys - LAN Emulation Client for ATM LB?? - - LM Datagram receiver allocations LBan - - Server announcement LBvb - - View buffer LBma - - Master announce context LBxp - - Transport LBxn - - TransportName LBxm - - Master name LBtn - - Transport name LBea - - Ea buffer LBdi - - POOL_DOMAIN_INFO LBds - - Send datagram context LBci - - Connection info LBmh - - Mailslot header LBbl - - Backup List LBsl - - Browser server list LBbs - - Browser server LBgb - - GetBackupList request LBbr - - GetBackupList response LBmb - - Mailslot Buffer LBid - - Illegal datagram context LBbn - - Name LBnn - - Name name LBic - - IRP context LBwi - - Work item LBel - - Election context LBbb - - Become backup context LBbr - - Become backup request LBpn - - Paged Name LBpt - - Paged transport LBse - - Browser security Lbuf - - EXIFS Large Buffer Ldmp - nt!io - Live Dump Buffers. Note, these buffers will not be present in the resulting live dump file. LeGe - tcpip.sys - Legacy Registry Mapping Module Buffers LeoC - - Symantec/Norton AntiVirus filter driver List - - kernel utilities list allocation LCam - - WDM mini video capture driver for Logitech camera Lfs - - Lfs allocations LfsI - - Lfs allocations LLDP - mslldp.sys - LLDP protocol driver allocations LogA - clfsapimp.sys - CLFS Kernel API test driver LpcZ - - LPC Zone LpcM - - Local procedure call message blocks Lr?? - - LM redirector allocations Lr - - Generic allocations Lrcx - - Context blocks of various types Lrcl - - ConnectListEntries Lrsl - - ServerListEntries Lrse - - Security entry Lrsc - - Search Control Blocks Lrea - - EA related allocations Lric - - Instance Control Blocks Lrfc - - File Control Blocks Lrfl - - Fcb Locks Lrfp - - Fcb Paging locks Lrcn - - Computer Name Lrdn - - Domain Name Lr?? - - Buffers used for FsControlFile APIs Lrlc - - Lock Control Blocks Lrlb - - Lock Control Block buffers Lrnf - - Non paged FCB Lrnt - - Non paged transport Lrps - - Paged security entry Lrte - - Transport event. Lrxx - - Transceive context blocks Lr!! - - Cancel request context blocks Lrmt - - MPX table Lrme - - MPX table entries Lrsx - - Send contexts Lraw - - Async write context Lrwb - - Write behind buffer header Lrbb - - Write behind buffer Lrwq - - Work queue item Lrac - - ACL for redirector Lrds - - Security Descriptor for redirector Lrsm - - SMB buffer Lrds - - Duplicated ansi string Lrdu - - Duplicated unicode string Lxpt - - Transport Lrtc - - Transport connection Lrna - - Netbios Addresses Lrca - - Temporary storage used in name canonicalization Lr2x - - Transact SMB context Lrpt - - Primary transport server list Lrso - - Operating system name Lref - - Reference history (debug only) LS?? - - LM server allocations LSac - srv.sys - SMB1 BlockTypeAdminCheck LSas - srv.sys - SMB1 BlockTypeAdapterStatus LSbf - srvnet.sys - SMB1 buffer descriptor or srvnet allocation LScd - srv.sys - SMB1 comm device LScn - srv.sys - SMB1 connection LSdb - srv.sys - SMB1 data buffer LSdc - srv.sys - SMB1 BlockTypeDirCache LSdi - srv.sys - SMB1 BlockTypeDirectoryInfo LSep - srv.sys - SMB1 endpoint LSfn - srv.sys - SMB1 BlockTypeFSName LSfR - srv2.sys - SMB2 rfssequence table and rfs64table LShs - srv2.sys - SMB2 lease hash table LSlb - srv2.sys - SRVLIB security descriptor/registry buffer LSlf - srv.sys - SMB1 LFCB LSlr - srv.sys - SMB1 BlockTypeLargeReadX LSmf - srv.sys - SMB1 MFCB LSmi - srv.sys - SMB1 BlockTypeMisc LSnh - srv.sys - SMB1 nonpaged block header LSni - srv.sys - SMB1 BlockTypeNameInfo LSnn - srv2.sys - SMB2 netname LSop - srv.sys - SMB1 oplock break wait LSpc - srv.sys - SMB1 paged connection LSpm - srv.sys - SMB1 paged MFCB LSpr - srv.sys - SMB1 paged RFCB LSrf - srv.sys - SMB1 RFCB LSrp - srvnet.sys - srvnet RPC allocation LSRp - srv2.sys - SRVLIB reparse point LSsc - srv.sys - SMB1 search(core) LSsd - srv.sys - SMB1 BlockTypeShareSecurityDescriptor LSsf - srv.sys - SMB1 BlockTypeDfs LSsh - srv.sys - SMB1 share LSSL - srv2.sys - SMBLIB allocation LSsp - srv.sys - SMB1 search(core complete) LSsr - srv.sys - SMB1 search LSss - srv.sys - SMB1 session LStb - srv.sys - SMB1 table LStc - srv.sys - SMB1 tree connect LSti - srv.sys - SMB1 timer LStr - srv.sys - SMB1 transaction LSvi - srv.sys - SMB1 BlockTypeVolumeInformation LSwi - srv.sys - SMB1 initial work context LSwn - srv.sys - SMB1 normal work context LSwq - srv.sys - SMB1 BlockTypeWorkQueue LSwr - srv.sys - SMB1 raw work context LSws - srv.sys - SMB1 BlockTypeWorkContextSpecial LS2b - srv2.sys - SMB2 buffer LS2c - srv2.sys - SMB2 connection LS2e - srv2.sys - SMB2 endpoint LS2f - srv2.sys - SMB2 file LS2h - srv2.sys - SMB2 share LS2i - srv2.sys - SMB2 client LS2l - srv2.sys - SMB2 lease LS2n - srv2.sys - SMB2 channel LS2o - srv2.sys - SMB2 oplock break LS2p - srv2.sys - SMB2 provider LS2q - srv2.sys - SMB2 queue LS2s - srv2.sys - SMB2 session LS2t - srv2.sys - SMB2 treeconnect LS2W - srv2.sys - SMB2 special workitem LS2w - srv2.sys - SMB2 workitem LS2x - srv2.sys - SMB2 security context LS$S - srv2.sys - SMB2 ecp LS2$ - srv2.sys - SMB2 misc. allocation LS00 - srvnet.sys - SRVNET LookasideList level 0 allocation 256 Bytes LS01 - srvnet.sys - SRVNET LookasideList level 1 allocation 512 Bytes LS02 - srvnet.sys - SRVNET LookasideList level 2 allocation 1K Bytes LS03 - srvnet.sys - SRVNET LookasideList level 3 allocation 2K Bytes LS04 - srvnet.sys - SRVNET LookasideList level 4 allocation 4K Bytes LS05 - srvnet.sys - SRVNET LookasideList level 5 allocation 8K Bytes LS06 - srvnet.sys - SRVNET LookasideList level 6 allocation 16K Bytes LS07 - srvnet.sys - SRVNET LookasideList level 7 allocation 32K Bytes LS08 - srvnet.sys - SRVNET LookasideList level 8 allocation 64K Bytes LS09 - srvnet.sys - SRVNET LookasideList level 9 allocation 128K Bytes LS10 - srvnet.sys - SRVNET LookasideList level 10 allocation 192K Bytes LS11 - srvnet.sys - SRVNET LookasideList level 11 allocation 256K Bytes LS12 - srvnet.sys - SRVNET LookasideList level 12 allocation 320K Bytes LS13 - srvnet.sys - SRVNET LookasideList level 13 allocation 384K Bytes LS14 - srvnet.sys - SRVNET LookasideList level 14 allocation 448K Bytes LS15 - srvnet.sys - SRVNET LookasideList level 15 allocation 512K Bytes LS16 - srvnet.sys - SRVNET LookasideList level 16 allocation 576K Bytes LS17 - srvnet.sys - SRVNET LookasideList level 17 allocation 640K Bytes LS18 - srvnet.sys - SRVNET LookasideList level 18 allocation 704K Bytes LS19 - srvnet.sys - SRVNET LookasideList level 19 allocation 768K Bytes LS20 - srvnet.sys - SRVNET LookasideList level 20 allocation 832K Bytes LSnd - - WDM mini sound driver for Logitech video camera Luaf - luafv.sys - LUA File Virtualization LXMK - - kernel mixer line driver (KMXL - looks like they got their tag backwards) MXF - - DirectMusic (MIDI Transform Filter) MapP - - PNP map Mapr - - arc firmware registry routines McaC - hal.dll - HAL MCA corrected Log McaD - hal.dll - HAL MCA Driver Log McaK - hal.dll - HAL MCA Kernel Log McaP - hal.dll - HAL MCA Log from previous boot McaT - hal.dll - HAL MCA temporary Log Mdp - netio.sys - Memory Descriptor Lists MCAM - - WDM mini driver for Intel USB camera MCDx - - OpenGL MCD server (mcdsrv32.dll) allocations MCDd - - OpenGL MCD driver (embedded in a display driver like s3mvirge.dll) Mdl - - Io, Mdls MdlP - - MDL per processor lookaside list pointers Mem - nt!po - NT Power manager, POP_MEM_TAG MePr - - In-memory print buffer MiCf - nt!mm - Mm compressed Control Flow Guard valid target RVA list MiHa - nt!mm - Mm internal memory ranges MiIo - nt!mm - Mm internal numa node information MiPa - nt!mm - Mm internal partition core Mipb - nt!mm - Mm internal bit buffer MiNi - nt!mm - Mm internal node page information Mipp - nt!mm - Mm internal page node Mipr - nt!mm - Mm internal partition resource information mkup - mpsdrv.sys - MPSDRV upcall request Mm - nt!mm - general Mm Allocations MmAc - nt!mm - Mm access log buffers MmBk - nt!mm - Mm banked sections MmCa - nt!mm - Mm control areas for mapped files MmCd - nt!mm - Mm fork clone descriptors MmCh - nt!mm - Mm fork clone headers MmCi - nt!mm - Mm control areas for images MmCl - nt!mm - Mm fork clone prototype PTEs MmCm - nt!mm - Calls made to MmAllocateContiguousMemory MmCr - nt!mm - Mm fork clone roots MmCt - nt!mm - Mm debug tracing MmDb - nt!mm - NtMapViewOfSection service MmDT - nt!mm - Mm debug MmEx - nt!mm - Mm events MmHi - nt!mm - Mm image entry - allocated per session MmHn - nt!mm - Mm sessionwide address name string entry MmHv - nt!mm - Mm sessionwide address entry MmIn - nt!mm - Mm inpaged io structures MmLd - nt!mm - Mm load module database MmPd - nt!mm - Mm page table commitment bitmaps MmPg - nt!mm - Mm page table pages at init time MmRp - nt!mm - Mm repurpose logging MmRw - nt!mm - Mm read write virtual memory buffers MmSb - nt!mm - Mm subsections MmSe - nt!mm - Mm secured VAD allocation MmSg - nt!mm - Mm segments MmSt - nt!mm - Mm section object prototype ptes MmSy - nt!mm - Mm PTE and IO tracking logs Mmdl - nt!mm - Mm Mdls for flushes Mmpp - nt!mm - Mm prototype PTEs for pool Mmpr - nt!mm - Mm physical VAD roots MmVd - nt!mm - Mm virtual address descriptors for mapped views MmVs - nt!mm - Mm virtual address descriptors short form (private views) Mmxx - nt!mm - Mm temporary allocations MmCx - nt!mm - info for dynamic section extension MmDm - nt!mm - deferred MmUnlock entries MmHt - nt!mm - session space PTE data MmLn - nt!mm - temporary name buffer for driver loads MmMl - nt!mm - physical memory range information MmPa - nt!mm - pagefile space deletion slist entries MmRl - nt!mm - temporary readlists for file prefetch MmSP - nt!mm - SLIST entries for system PTE NB queues MmSi - nt!mm - Control area security image stubs MmSc - nt!mm - subsections used to map data files MmSd - nt!mm - extended subsections used to map data files MmSm - nt!mm - segments used to map data files MmWe - nt!mm - Work entries for writing out modified filesystem pages. MmWw - nt!mm - Write watch VAD info Mmpv - nt!mm - Physical view VAD info Mmww - nt!mm - Write watch bitmap VAD info MmSW - nt!mm - Store write support MmSw - nt!mm - Store write support when prefetching MmCS - nt!mm - Pagefile CRC verification buffer MmCp - nt!mm - Colored page counts for physical memory allocations Mmdi - nt!mm - MDLs for physical memory allocations MmDp - nt!mm - Lost delayed write context MmFl - nt!mm - MDLs for large clusters for flushes MmFr - nt!mm - ASLR fixup records MmId - nt!mm - PFN identity buffer for setting PFN priorities MmIh - nt!mm - Image header allocation for Se validation MmIm - nt!mm - IO space MDL trackers MmIo - nt!mm - IO space mapping trackers Mmlk - nt!mm - ProbeAndLock MDL tracker MmLl - nt!mm - Large page memory run allocation for finding large pages MmNo - nt!mm - Inernal physical memory nodes MmPh - nt!mm - Physical memory nodes for querying memory ranges MmRe - nt!mm - ASLR relocation blocks MmWs - nt!mm - PTE flush list for working set operations MmWS - nt!mm - Working set swap support MmZw - nt!mm - Work items for zeroing pages and pagefiles MmSa - nt!mm - Subsection AVL tree allocations MmVt - nt!mm - Verifier thunk allocations MmLa - nt!mm - Memory list locks MmTp - nt!mm - Store eviction thread params MmPb - nt!mm - Paging file bitmaps Mn01 - monitor.sys - ACPI method evaluation output buffer Mn02 - monitor.sys - Unused Mn03 - monitor.sys - Raw E-EDID v.1.x byte stream including base block + extension blocks (if any) Mn04 - monitor.sys - Cached monitor ID WMI data block Mn05 - monitor.sys - Cached monitor basic display parameters WMI data block Mn06 - monitor.sys - Cached monitor analog video input parameters WMI data block Mn07 - monitor.sys - Cached monitor digitial video input parameters WMI data block Mn08 - monitor.sys - Cached monitor color characteristics WMI data block Mn09 - monitor.sys - Cached supported monitor source modes WMI data block Mn0A - monitor.sys - Registry subkey info buffer Mn0B - monitor.sys - Registry value buffer Mn0C - monitor.sys - Cached supported monitor frequency ranges WMI data block (overrides from registry) Mn0D - monitor.sys - Cached supported monitor frequency ranges WMI data block (from E-EDID v.1.x base block) Mn0E - monitor.sys - Buffer for E-EDID v.1.x base block, if any, populated by miniport Mn0F - monitor.sys - Buffer for E-EDID v.1.x extension block(s), if any, populated by miniport MNFf - msnfsflt.sys - NFS FS Filter, filename buffer MNFi - msnfsflt.sys - NFS FS Filter, instance name buffer MNFr - msnfsflt.sys - NFS FS Filter, registry access buffer MNFs - msnfsflt.sys - NFS FS Filter, general string buffer MNFv - msnfsflt.sys - NFS FS Filter, volume name buffer MNFC - msnfsflt.sys - NFS FS Filter, callback context MNFF - msnfsflt.sys - NFS FS Filter, file context MNFI - msnfsflt.sys - NFS FS Filter, instance context MNFS - msnfsflt.sys - NFS FS Filter, stream context MNFT - msnfsflt.sys - NFS FS Filter, thread array Mp10 - nt!mm - Mm Enumerate address space and reference images MQAA - mqac.sys - MSMQ driver, AVL allocations MQAB - mqac.sys - MSMQ driver, CCursor allocations MQAC - mqac.sys - MSMQ driver, generic allocations MQAD - mqac.sys - MSMQ driver, CDistribution allocations MQAG - mqac.sys - MSMQ driver, CGroup allocations MQAH - mqac.sys - MSMQ driver, Heap allocations MQAP - mqac.sys - MSMQ driver, CPacket allocations MQAQ - mqac.sys - MSMQ driver, CQueue allocations MQAT - mqac.sys - MSMQ driver, CTransaction allocations MRXx - - Client side caching for SMB MSll - refs.sys - MinLog allocated pool REM Minstore (an ReFS component) allocations MSag - refs.sys - Minstore unspecified AVL entries (too big for lookasides; filtered AVL) MSah - refs.sys - Minstore allocator history MSal - refs.sys - Minstore allocator block MSab - refs.sys - Minstore allocator region bitmap MsaE - refs.sys - Minstore AE push lock MSav - refs.sys - Minstore AVL table MSb+ - refs.sys - Minstore B+ table MSba - refs.sys - Minstore blockref cache array MSbe - refs.sys - Minstore blockref cache entry MSca - refs.sys - Minstore read cache object MScc - refs.sys - Minstore tx checksum context MScd - refs.sys - Minstore read cache dirty page array MSch - refs.sys - Minstore read cache hash table MSci - refs.sys - Minstore metadata cache instance MScl - refs.sys - Minstore read cache line MScm - refs.sys - Minstore composite MScn - refs.sys - Minstore container MSco - refs.sys - Minstore compression MScp - refs.sys - Minstore cached pin MScr - refs.sys - Minstore container rotation checksum buffer MScs - refs.sys - Minstore read cache sync set MScu - refs.sys - Minstore cursor MScw - refs.sys - Minstore read cache write range MSdd - refs.sys - Minstore director row data MSde - refs.sys - Minstore dirty table tracking MSdg - refs.sys - Minstore debug MSds - refs.sys - Minstore debug stack logs Msdv - - WDM mini driver for IEEE 1394 DV Camera and VCR MSeb - refs.sys - Minstore embedded factory (B+ and associated) MSeg - nt!mm - segments used to support image files MSer - refs.sys - Minstore reserved CRange map lookaside MSfa - refs.sys - Minstore filtered AVL MSha - refs.sys - Minstore hash table (incl. page tables) MShl - refs.sys - Minstore hash table lite MSho - refs.sys - Minstore hash table overflow (incl. page tables) MSht - refs.sys - Minstore stack hash table MSii - refs.sys - Minstore container initial index cache MSir - refs.sys - Mscallbacks MsKmeAllocateIoRequest MSiz - refs.sys - Mscallbacks RESERVED_IO_RUNS and RESERVED_IO_REQUESTS MSkb - refs.sys - Minstore keys buffer MSkc - refs.sys - Minstore KSR context MSkr - refs.sys - Minstore CmsKeyRules object MSlm - refs.sys - Minstore CRange map list lookaside MSlr - refs.sys - Minstore reserved CRange map list lookaside MSls - refs.sys - Minstore logged stack MSPi - refs.sys - Minstore generic/untagged allocation MSpa - refs.sys - Minstore hash table entries (incl. and primarily SmsPage) MSrc - refs.sys - Minstore tx run cache MSrb - refs.sys - Minstore redo block MSre - refs.sys - Minstore AVL lite entries (incl. and primarily SmsRangeMapEntry) MSrk - refs.sys - Minstore key rules MSrm - refs.sys - Minstore range map MSri - refs.sys - Minstore container rotation init state buffer MSro - refs.sys - Minstore container rotation buffer MSrp - refs.sys - Minstore read cache pages array MSrr - refs.sys - Minstore AVL lite entries (incl. and primarily SmsRCRangeMapEntry) MSrv - refs.sys - Minstore reserved buffers MSst - refs.sys - Minstore stream object MStb - refs.sys - Minstore table object MStu - refs.sys - Minstore tree update filter MStx - refs.sys - Minstore transaction MSur - refs.sys - Minstore undo record MSvc - refs.sys - Minstore volume context MSvs - refs.sys - Minstore valid/invalid checksum debug buffers (debug only) MSvu - refs.sys - Minstore volume/instance object MST? - - MSTEE (mstee.sys) MSTa - - associated stream header MSTc - - filer connection MSTd - - data format MSTf - - filter instance MSTp - - pin instance MSTs - - stream header MouC - mouclass.sys - Mouse Class Driver MouH - mouhid.sys - Mouse HID mapper Driver MsFc - - Mailslot CCB, Client control block. Each client with an opened mailslot has one of these MsFC - - Mailslot root CCB, A client control block for the top level mailslot directory MsFd - - Mailslot data entry write buffer, This is writes buffered inside mailslots MsFD - - Mailslot root DCB and its name buffer MsFf - - Mailslot FCB, File control block, Service side block for each created mailslot. MsFg - - Mailslot global resource MsFn - - Mailslot temporary name buffer MsFN - - Mailslot FCB name buffer, name for each created mailslot MsFr - - Mailslot read buffer, buffer created for pended reads issued. MsFt - - Mailslot query template, used for directory queries. MsFw - - Mailslot work context block, blocks create when we need to timeout reads. MsvC - ksecdd.sys - Msv/Ntlm client package Mup - mup.sys - Multiple UNC provider allocations, generic MupI - mup.sys - Windows Server 2003 and prior versions: DFS Irp Context allocation MuDn - mup.sys - Device name MuFc - mup.sys - File Context MuFn - mup.sys - File name rewrite MuIc - mup.sys - IRP Context MuMc - mup.sys - Master context MuQc - mup.sys - Query context MuSi - mup.sys - Surrogate info MuSf - mup.sys - Surrogate file info MuSr - mup.sys - Surrogate IRP info MuPe - mup.sys - Known prefix entry MuPi - mup.sys - Provider info MuUn - mup.sys - UNC provider Muta - - Mutant objects Nb01 - netbt.sys - NetBT hash table Nb02 - netbt.sys - NetBT remote name address cache Nb03 - netbt.sys - NetBT remote name address cache Nb04 - netbt.sys - NetBT failed address list Nb05 - netbt.sys - NetBT client element Nb06 - netbt.sys - NetBT general buffer allocation Nb07 - netbt.sys - NetBT datagram request tracker Nb08 - netbt.sys - NetBT domain address list Nb09 - netbt.sys - NetBT domain name Nb10 - netbt.sys - NetBT domain address list Nb11 - netbt.sys - NetBT lmhosts path Nb12 - netbt.sys - NetBT lmhosts path Nb13 - netbt.sys - NetBT lmhosts path Nb14 - netbt.sys - NetBT lmhosts path Nb16 - netbt.sys - NetBT timer entry Nb17 - netbt.sys - NetBT registry path Nb18 - netbt.sys - NetBT lmhosts file Nb19 - netbt.sys - NetBT lmhosts data Nb20 - netbt.sys - NetBT lmhosts path Nb21 - netbt.sys - NetBT control object Nb22 - netbt.sys - NetBT work item context Nb23 - netbt.sys - NetBT lmhosts path Nb25 - netbt.sys - NetBT device bindings Nb26 - netbt.sys - NetBT device exports Nb27 - netbt.sys - NetBT bind list cache Nb28 - netbt.sys - NetBT name server addresses Nb29 - netbt.sys - NetBT registry string Nb30 - netbt.sys - NetBT registry string Nb31 - netbt.sys - NetBT configuration entry Nb33 - netbt.sys - NetBT registry data Nb35 - netbt.sys - NetBT registry data Nb36 - netbt.sys - NetBT string Nb37 - netbt.sys - NetBT lmhosts path Nb38 - netbt.sys - NetBT string Nb39 - netbt.sys - NetBT file objects NbL0 - netbt.sys - NetBT lower connection NbL1 - netbt.sys - NetBT lower connection NbL2 - netbt.sys - NetBT lower connection NbL3 - netbt.sys - NetBT lower connection NbL4 - netbt.sys - NetBT lower connection NbTA - netbt.sys - NetBT internal address Nba9 - netbt.sys - NetBT IP request buffer Nbb0 - netbt.sys - NetBT IP request buffer Nbt0 - netbt.sys - NetBT name address Nbt1 - netbt.sys - NetBT name address Nbt2 - netbt.sys - NetBT NetBIOS address Nbt4 - netbt.sys - NetBT client list Nbt5 - netbt.sys - NetBT client list Nbt6 - netbt.sys - NetBT datagram Nbt8 - netbt.sys - NetBT address list Nbt9 - netbt.sys - NetBT temporary allocation NbtA - netbt.sys - NetBT datagram NbtC - netbt.sys - NetBT address element NbtD - netbt.sys - NetBT connection NbtF - netbt.sys - NetBT remote name NbtG - netbt.sys - NetBT datagram NbtH - netbt.sys - NetBT work item context NbtI - netbt.sys - NetBT listen requests NbtJ - netbt.sys - NetBT receive element NbtK - netbt.sys - NetBT name address NbtL - netbt.sys - NetBT datagram NbtM - netbt.sys - NetBT address list NbtN - netbt.sys - NetBT address list NbtO - netbt.sys - NetBT adapter status NbtP - netbt.sys - NetBT connection list NbtQ - netbt.sys - NetBT name stats NbtR - netbt.sys - NetBT name address NbtS - netbt.sys - NetBT datagram NbtV - netbt.sys - NetBT work item context NbtX - netbt.sys - NetBT datagram NbtY - netbt.sys - NetBT datagram NbtZ - netbt.sys - NetBT datagram Nbta - netbt.sys - NetBT DPC Nbtb - netbt.sys - NetBT NetBIOS address Nbtc - netbt.sys - NetBT address info Nbte - netbt.sys - NetBT delayed connect Nbtf - netbt.sys - NetBT DPC Nbtg - netbt.sys - NetBT MDL buffer Nbti - netbt.sys - NetBT device list Nbtj - netbt.sys - NetBT EA buffer Nbtm - netbt.sys - NetBT EA buffer Nbtn - netbt.sys - NetBT device string Nbtk - netbt.sys - NetBT transport address Nbtt - netbt.sys - NetBT MDL buffer Nbtu - netbt.sys - NetBT MDL buffer Nbtv - netbt.sys - NetBT WINS allocation Nbtw - netbt.sys - NetBT device linkage names Nbuf - netio.sys - NetIO Memory Descriptor List allocations NBF - - general NBF allocations NBFa - - NBF address object NBFb - - NBF receive buffer NBFc - - NBF connection object NBFd - - NBF packet pool descriptor NBFe - - NBF bind & export names NBFf - - NBF address file object NBFg - - NBF registry path name NBFi - - NBF tdi connection info NBFk - - NBF loopback buffer NBFl - - NBF link object NBFn - - NBF netbios name NBFo - - NBF config data NBFp - - NBF packet NBFq - - NBF query buffer NBFr - - NBF request NBFs - - NBF provider stats NBFt - - NBF connection table NBFu - - NBF UI frame NBFw - - NBF work item NBI - - NwlnkNb transport NBS - - general NetBIOS allocations NBSa - - address block NBSc - - connection block NBSe - - EA buffer NBSf - - FCB NBSl - - LANA block NBSn - - copy of user NCB NBSr - - registry allocations NBSx - - XNS NETONE address (connect block) NBSy - - NetBIOS address (connect block) NBSz - - NetBIOS address (listen block) NBqh - - Non-blocking queue entries used to carry the real data in the queue. NCSt - - EXIFS NC ND - ndis.sys - general NDIS allocations NDA - ndis.sys - NDIS PacketDirect tag prefix NDAa - ndis.sys - NDIS_PD_ASSOCIATION NDAb - ndis.sys - NDIS_PD_BLOCK NDAc - ndis.sys - NDIS_PD_CLIENT NDAe - ndis.sys - NDIS_PD_EC NDAf - ndis.sys - NDIS_PD_FILTER NDAg - ndis.sys - NDIS_PD_GLOBAL NDAm - ndis.sys - NDIS_PD_MEM_BLOCK NDIS_PD_SGL_BLOCK NDAn - ndis.sys - NDIS_PD_COUNTER NDAo - ndis.sys - NDIS_PD_CONFIG NDAq - ndis.sys - NDIS_PD_PLATFORM_QUEUE NDAt - ndis.sys - NDIS_PD_QUEUE_TRACKER NDDl - ndis.sys - NDIS_TAG_DBG_LOG NDMb - ndis.sys - NDIS_TAG_MAC_BLOCK NDPX - ndis.sys - NDIS Proxy allocations NDPa - ndis.sys - Apple Talk NDPb - ndis.sys - NBF NDPi - ndis.sys - NWLNKIPX NDPn - ndis.sys - NWLNKNB NDPp - ndis.sys - Packet Scheduler. NDPs - ndis.sys - NWLNKSPX NDPt - ndis.sys - TCPIP NDPw - ndis.sys - WAN_PACKET_TAG NDSD - ndis.sys - NDIS_SETUP_DEVICE_EXTENSION NDTr - ndis.sys - NDIS_TAG_TRANSFER_DATA NDam - ndis.sys - NdisAllocateMemory NDan - ndis.sys - adapter name NDar - ndis.sys - NDIS_TAG_ALLOCATED_RESOURCES NDas - ndis.sys - NDIS_TAG_ALLOC_SHARED_MEM_ASYNC NDbi - ndis.sys - NDIS_TAG_BUS_INTERFACE NDca - ndis.sys - NDIS_TAG_NET_CFG_OPS_ACL NDch - ndis.sys - NDIS_TAG_CONFIG_HANDLE NDcm - ndis.sys - NDIS_TAG_CM NDcn - ndis.sys - NDIS_TAG_CANCEL_DEVICE_NAME NDco - ndis.sys - NDIS_TAG_CO NDcs - ndis.sys - NDIS_TAG_NET_CFG_OPS_ID NDcw - ndis.sys - NDIS_TAG_PCW - NDIS Performance Counters NDd - ndis.sys - NDIS_TAG_DBG NDda - ndis.sys - NDIS_TAG_NET_CFG_DACL NDdb - ndis.sys - DMA block NDdc - ndis.sys - NDIS_TAG_DCN - Data Center Networking NDdi - ndis.sys - NDIS_TAG_IM_DEVICE_INSTANCE NDdl - ndis.sys - NDIS_TAG_DBG_L NDdp - ndis.sys - NDIS_TAG_DBG_P NDds - ndis.sys - NDIS_TAG_DBG_S NDdt - ndis.sys - NDIS_TAG_DFRD_TMR NDel - ndis.sys - NDIS debugging event log NDfa - ndis.sys - NDIS_TAG_FILTER_ADDR NDfb - ndis.sys - NDIS_TAG_LWFILTER_BLOCK NDfd - ndis.sys - NDIS_TAG_FILE_DESCRIPTOR NDfi - ndis.sys - NDIS_TAG_FILE_IMAGE NDfm - ndis.sys - NDIS_TAG_FAKE_MAC NDfn - ndis.sys - NDIS_TAG_FILE_NAME NDfv - ndis.sys - NDIS_TAG_LWFILTER_DRIVER NDif - ndis.sys - NDIS_TAG_IF NDio - ndis.sys - NDIS_TAG_IOV - IO Virtualization NDkr - ndis.sys - NDIS_TAG_NDK - Kernel Mode Network Direct (kRDMA) NDlb - ndis.sys - lookahead buffer NDlp - ndis.sys - NDIS_TAG_LOOP_PKT NDmb - ndis.sys - MAC block NDmo - ndis.sys - NDIS_TAG_M_OPEN_BLK NDmr - ndis.sys - map register entry array NDmt - ndis.sys - NDIS_TAG_MEDIA_TYPE_ARRAY NDnc - ndis.sys - NDIS_TAG_NBL_CONTEXT NDnd - ndis.sys - NDIS_TAG_POOL_NDIS NDoa - ndis.sys - NDIS_TAG_OID_ARRAY NDob - ndis.sys - open block NDoc - ndis.sys - NDIS_TAG_OPEN_CONTEXT NDof - ndis.sys - NDIS_TAG_OFFLOAD NDop - ndis.sys - NDIS_TAG_PM_PROT_OFFLOAD NDpb - ndis.sys - protocol block NDpc - ndis.sys - NDIS_TAG_PROTOCOL_CONFIGURATION NDpf - ndis.sys - NDIS_TAG_FILTER NDpk - ndis.sys - NDIS_TAG_PKT_PATTERN NDpl - ndis.sys - NDIS_TAG_PERF_LOG_ID NDpn - ndis.sys - NDIS_TAG_PARAMETER_NODE NDpo - ndis.sys - NDIS_TAG_PORT NDpp - ndis.sys - packet pool NDpr - ndis.sys - NDIS_TAG_PERIODIC_RECEIVES NDpw - ndis.sys - NDIS_TAG_WOL_PATTERN NDqo - ndis.sys - NDIS_TAG_QUERY_OBJECT_WORKITEM NDqs - ndis.sys - NDIS_TAG_QOS NDqu - ndis.sys - NDIS_TAG_QUEUE NDrc - ndis.sys - NDIS_TAG_RWL_REFCOUNT NDrd - ndis.sys - NDIS_TAG_REG_READ_DATA_BUFFER NDre - ndis.sys - NDIS_TAG_OID_REQUEST NDrf - ndis.sys - NDIS_TAG_RECEIVE_FILTER NDrl - ndis.sys - resource list NDrp - ndis.sys - NDIS_TAG_REGISTRY_PATH NDrq - ndis.sys - NDIS_TAG_Q_REQ NDrs - ndis.sys - NDIS_TAG_RSS NDrt - ndis.sys - NDIS_TAG_RST_NBL NDrw - ndis.sys - NDIS_TAG_RWLOCK NDrx - ndis.sys - NDIS debugging refcount NDsd - ndis.sys - NDIS_TAG_NET_CFG_SEC_DESC NDse - ndis.sys - NDIS_TAG_SECURITY NDsg - ndis.sys - NDIS_TAG_DOUBLE_BUFFER_PKT NDsh - ndis.sys - NDIS_TAG_SHARED_MEMORY NDsi - ndis.sys - EISA slot information NDsk - ndis.sys - NDIS debugging stacktrace NDsm - ndis.sys - Cached shared memory descriptor NDss - ndis.sys - NDIS_TAG_SS - Selective Suspend NDst - ndis.sys - NDIS_TAG_STRING NDtk - ndis.sys - NDIS_TAG_NBL_TRACKER - Lost packet diagnostics NDvm - ndis.sys - NDIS_TAG_ALLOC_MEM_VERIFY_ON NDw0 - ndis.sys - NDIS_TAG_WMI_REG_INFO NDw1 - ndis.sys - NDIS_TAG_WMI_GUID_TO_OID NDw2 - ndis.sys - NDIS_TAG_WMI_OID_SUPPORTED_LIST NDw3 - ndis.sys - NDIS_TAG_WMI_EVENT_ITEM NDwh - ndis.sys - NDIS_TAG_WRAPPER_HANDLE NDwi - ndis.sys - NDIS_TAG_WORK_ITEM NDwr - ndis.sys - NDIS_TAG_WMI_REQUEST NDwx - ndis.sys - NDIS_TAG_WOL_XLATE NDxc - ndis.sys - NDIS_TAG_POOL_XLATE Net - tcpip.sys - NetIO Generic Buffers (iBFT Table allocations) NeWQ - tcpip.sys - NetIO WorkQueue Data NEEB - newt_ndis6.sys - NEWT Emulation Bench NEFT - newt_ndis6.sys - NEWT Filter Object NEIM - newt_ndis6.sys - NEWT IM Object NEOD - newt_ndis6.sys - NEWT OID NEPK - newt_ndis6.sys - NEWT Packet NEWI - newt_ndis6.sys - NEWT Work Item Nb?? - - NetBT allocations Nf?? - nfssvr.sys - NFS (Network File System) allocations NfR? - nfsrdr.sys - NFS (Network File System) client re-director Nls - - Nls strings NlsK - nt!ex - Nls data Nmdd - - NetMeeting display driver miniport 1 MB block Nhfs - tcpip.sys - NetIO Hash Function State Data NicT - mslbfoprovider.sys - Microsoft NDIS LBFO Provider (NIC Teaming) Navl - tcpip.sys - Network Layer AVL Tree allocations NLbd - tcpip.sys - Network Layer Buffer Data NLcc - tcpip.sys - Network Layer Client Contexts NLpd - tcpip.sys - Network Layer Client Requests NLcp - tcpip.sys - Network Layer Compartments NLuh - - Network Layer Ul Handles NLap - tcpip.sys - Network Layer Netio Helper Function allocations NLNa - tcpip.sys - Network Layer Network Address Lists NMhf - netio.sys - Handle Factory pool NMpt - - Generic AVL Tree allocations NMRb - tcpip.sys - Network Module Registrar Bindings NMRc - tcpip.sys - Network Module Registrar Arrays NMRf - tcpip.sys - Network Module Registrar Filters NMRg - tcpip.sys - Network Module Registrar Generic Buffers NMRm - tcpip.sys - Network Module Registrar Modules NMRn - tcpip.sys - Network Module Registrar Network Protocol Identifiers Nnbl - netio.sys - NetIO NetBufferLists Nnbf - netio.sys - NetIO NetBuffers Nnnn - netio.sys - NetIO NetBuffers And NetBufferLists Nph1 - netio.sys - NetIO Protocol Header1 Data Nph2 - netio.sys - NetIO Protocol Header2 Data None - nt!Vf - Call to ExAllocatePool without any pool tag NpEv - npfs.sys - Npfs events Npf* - npfs.sys - Npfs Allocations NpFc - npfs.sys - CCB, client control block NpFC - npfs.sys - ROOT_DCB CCB NpFD - npfs.sys - DCB, directory block NpFg - npfs.sys - Global storage NpFi - npfs.sys - NPFS client info buffer. NpFn - npfs.sys - Name block NpFq - npfs.sys - Query template buffer used for directory query NpFr - npfs.sys - DATA_ENTRY records (read/write buffers) NpFs - npfs.sys - Client security context NpFw - npfs.sys - Write block NpFW - npfs.sys - Write block Npta - - NPT Addresses Nptx - - NPT Packets Nptr - - NPT Receive Completes Npts - - NPT Send sCompletes Nrsd - netio.sys - NRT security descriptor Nrtr - netio.sys - NRT record Nrtw - netio.sys - NRT worker NS?? - - Netware server allocations NSIk - nsi.dll - NSI RPC Tansactions NSIr - nsi.dll - NSI Generic Buffers NSpc - nsi.dll - NSI Proxy Contexts NSpg - nsi.dll - NSI Proxy Generic Buffers NSIc - nsi.dll - NSI Containers NMcp - nsi.dll - NSI Modules NAcc - nsi.dll - NSI Access REM NTFS Specific allocation tags Nt?? - ntfs.sys - Unrecognized NTFS tag (update base\published\pooltag.w) NtAR - ntfs.sys - NTFS_ASYNC_CACHED_READ_CONTEXT Ntce - ntfs.sys - CLOSE_ENTRY NtDt - ntfs.sys - Acquired range array temporary buffer NtEA - ntfs.sys - NTFS QueryOnCreate EA Buffer Ntf0 - ntfs.sys - General pool allocation Ntf9 - ntfs.sys - Large Temporary Buffer Ntf5 - ntfs.sys - Shared Security tracking (debug only) Ntfa - ntfs.sys - DELAYED_ALLOCATION NtfA - ntfs.sys - ALIGNED_MDL_CONTEXT Ntfb - ntfs.sys - Reserved map buffer NtfB - ntfs.sys - Bandwidth contracts allocations NtfC - ntfs.sys - CCB Ntfc - ntfs.sys - CCB_DATA Ntfd - ntfs.sys - DEALLOCATED_CLUSTERS NtfD - ntfs.sys - DEALLOCATED_RECORDS NtfE - ntfs.sys - INDEX_CONTEXT Ntff - ntfs.sys - FCB_DATA NtfF - ntfs.sys - FCB_INDEX NtfI - ntfs.sys - IO_CONTEXT Ntfi - ntfs.sys - IRP_CONTEXT NtfK - ntfs.sys - KEVENT NtfsKeventLookasideList Ntfk - ntfs.sys - FILE_LOCK Ntfl - ntfs.sys - LCB NtfM - ntfs.sys - NTFS_MCB_ENTRY Ntfm - ntfs.sys - NTFS_MCB_ARRAY NtfN - ntfs.sys - FILE_RECORDS_TO_DELETE Ntfn - ntfs.sys - SCB_NONPAGED NtfsScbNonpagedLookasideList Ntfo - ntfs.sys - SCB_INDEX normalized named buffer Ntfp - ntfs.sys - COMPRESSION_CONTEXT NtfQ - ntfs.sys - QUOTA_CONTROL_BLOCK Ntfq - ntfs.sys - General Allocation with Quota NtfR - ntfs.sys - READ_AHEAD_THREAD Ntfr - ntfs.sys - ERESOURCE NtfS - ntfs.sys - SCB_INDEX Ntfs - ntfs.sys - SCB_DATA NtfT - ntfs.sys - SCB_SNAPSHOT NtfsScbSnapshotLookasideList Ntft - ntfs.sys - SCB (Prerestart) Ntfu - ntfs.sys - NTFS_MARK_UNUSED_CONTEXT NtfV - ntfs.sys - VPB Ntfv - ntfs.sys - COMPRESSION_SYNC NtfZ - ntfs.sys - POSIX_MAPPED_CLOSE_ITEM Ntfw - ntfs.sys - Workspace NtIO - ntfs.sys - NTFS IO perf NtMC - ntfs.sys - MAPCOUNT_LOG NtOi - ntfs.sys - OFFLOAD_IO_CONTEXT Ntop - ntfs.sys - NTFS_OPLOCK_OWNER_STACK_CAPTURE Ntrk - ntfs.sys - NTFS registry key name structures Ntrs - ntfs.sys - ROLLBACK_STRUCT Ntrt - ntfs.sys - RANGETRACK_LOCAL_STRUCT NtTc - ntfs.sys - FILE_LEVEL_TRIM_CONTEXT NtTf - ntfs.sys - NTFS_DISK_FLUSH_CONTEXT NtfsDiskFlushContextLookasideList NtTr - ntfs.sys - DEVICE_MANAGE_DATA_SET_ATTRIBUTES NtfsDeviceManageDataSetAttributesLookasideList NtTo - ntfs.sys - DEVICE_MANAGE_DATA_SET_ATTRIBUTES NtfsFileOffloadLookasideList NtTe - ntfs.sys - NTFS Telemetry NtTm - ntfs.sys - NtfsTPMapLookasideList NtWR - ntfs.sys - REGISTRY_WATCH_CONTEXT NtxF - ntfs.sys - FCB_NONPAGED NtfsFcbNonpagedDataLookasideList NtxI - ntfs.sys - FCB_NONPAGED_INDEX NtfsFcbNonpagedIndexLookasideList NtxM - ntfs.sys - FAST_MUTEXT NtfsFastMutexNonpagedLookasideList REM NTFS tags based on source module NtFa - ntfs.sys - AllocSup.c NtFA - ntfs.sys - AttrSup.c NtFB - ntfs.sys - BitmpSup.c NtFl - ntfs.sys - Clog.c NtFc - ntfs.sys - Corrupt.c NtFC - ntfs.sys - Create.c NtFD - ntfs.sys - DevioSup.c NtFd - ntfs.sys - DirCtrl.c NtFE - ntfs.sys - Ea.c NtFF - ntfs.sys - FileInfo.c NtFf - ntfs.sys - FsCtrl.c NtFH - ntfs.sys - SelfHeal.c NtFI - ntfs.sys - IndexSup.c / TxfFilterDirectoryQuery (Ccb->IndexEntry) NtFi - ntfs.sys - TxfIdSup.c NtfJ - ntfs.sys - ntfsinit.c NtFL - ntfs.sys - LogSup.c NtFM - ntfs.sys - McbSup.c NtFm - ntfs.sys - Ntfs MFT View Ref Counter Arrays NtFN - ntfs.sys - NtfsData.c NtFO - ntfs.sys - ObjIdSup.c NtFQ - ntfs.sys - QuotaSup.c NtFP - ntfs.sys - Pnp.c / ReparSup.c NtFR - ntfs.sys - RestrSup.c NtFS - ntfs.sys - SecurSup.c NtFs - ntfs.sys - StrucSup.c NtFU - ntfs.sys - usnsup.c NtFV - ntfs.sys - VerfySup.c NtFv - ntfs.sys - ViewSup.c NtFW - ntfs.sys - Write.c NtFX - ntfs.sys - NtfsBlackbox.c NtMo - ntfs.sys - mount.c NtSr - ntfs.sys - srsup.c NulB - tlnull.sys - Null TDI Buffers NulR - tlnull.sys - Null TDI Requests NulS - tlnull.sys - Null TDI Sockets NulE - tlnull.sys - Null Tl Endpoints Null - tlnull.sys - Null TL Generics NulI - tlnull.sys - Null TL Indications Nulr - tlnull.sys - Null Tl Requests NV - - nVidia video driver NvLA - - nVidia video driver NvLa - - nVidia video driver NvLC - - nVidia video driver NvLc - - nVidia video driver NvLD - - nVidia video driver NvLd - - nVidia video driver NvLE - - nVidia video driver NvLH - - nVidia video driver NvLm - - nVidia video driver NvLP - - nVidia video driver NvLp - - nVidia video driver NvLR - - nVidia video driver NvLr - - nVidia video driver NvLS - - nVidia video driver NvLs - - nVidia video driver NvLT - - nVidia video driver Nwcs - - Client Services for NetWare NwFw - - ntos\tdi\fwd ObSq - nt!ob - object security descriptors (query) ObCi - nt!ob - captured information for ObCreateObject ObCI - nt!ob - object creation lookaside list ObDi - nt!ob - object directory ObHd - nt!ob - object handle count data base ObNm - nt!ob - object names ObNM - nt!ob - name buffer per processor lookaside pointers ObRt - nt!ob - object reference stack tracing ObZn - nt!ob - object zone ObjT - nt!ob - object type objects Obtb - nt!ob - object tables via EX handle.c ObTR - nt!ob - object table ERESOURCEs Obeb - nt!ob - object tables extra bit tables via EX handle.c ObDm - nt!ob - object device map ObSc - nt!ob - Object security descriptor cache block ObSt - nt!ob - Object Manager temporary storage ObWm - nt!ob - Object Manager wait blocks ODMg - dxgkrnl.sys - Output Duplication component OHCI - - Open Host Controller Interface for USB ohci - - 1394 OHCI host controller driver OlmC - tcpip.sys - Offload Manager Connections OlmI - tcpip.sys - Offload Manager Interfaces Ovfl - - The internal pool tag table has overflowed - usually this is a result of nontagged allocations being made OvfL - - EXIFS FCBOVF List PaeD - - PAE top level directory allocation blocks ParC - - Parallel class driver ParL - - Parallel link driver ParP - - Parallel port driver ParV - - ParVdm driver for vdm<->parallel port communciation PciB - pci.sys - PnP pci bus enumerator Pccr - pacer.sys - PACER Filter Clone Requests Pcfc - pacer.sys - PACER Filter Contexts Pcfl - pacer.sys - PACER Flows Pcge - pacer.sys - PACER Generic Buffers (DACL, SID allocations) Pcle - pacer.sys - PACER Lines Pclt - pacer.sys - PACER Line Tables Pcna - pacer.sys - PACER Filter Network Addresses Pcnt - pacer.sys - PACER NetBufferTimes Pcop - pacer.sys - PACER Original Packet Contexts Pcpc - pacer.sys - PACER Packet Contexts Pcsb - pacer.sys - PACER Send Buffers Pcta - pacer.sys - PACER Timer Units Pctw - pacer.sys - PACER Timer Wheels Pcwc - pacer.sys - PACER WAN NetworkBufferList CTXs PcCi - - WDM audio port class adapter device object stuff PcCr - - WDM audio stuff PcDi - - WDM audio stuff PcDm - - DirectMusic MXF objects (WDM audio) PcFM - - WDM audio FM synthesizer PcFp - - WDM audio stuff PcIc - - WDM audio stuff PcIl - - WDM audio stuff PcNw - - WDM audio stuff PcPc - - WDM audio stuff PcPr - - WDM audio stuff PcSX - - WDM audio stuff PcSl - - WDM audio stuff PcSt - - WDM audio stuff PcSx - - WDM audio stuff PcUs - - WDM audio stuff Pcmc - pcmcia.sys - Pcmcia bus enumerator, general structures Pcic - - Pcmcia bus enumerator, PCIC/Cardbus controller specific structures Pcdb - - Pcmcia bus enumerator, Databook controller specific structures PdcA - pdc.sys - PDC_ACTIVATION_TAG, ACTIVATOR_CLIENT_TAG PdcC - pdc.sys - PDC_CLIENT_PORT_TAG PdcE - pdc.sys - ACTIVATOR_EVENT_TAG PdcI - pdc.sys - PDC_INCLUSION_LIST_TAG PdcM - pdc.sys - PDC_MESSAGE_TAG PdcN - pdc.sys - PDC_NOTIFICATION_TAG, NOTIFICATION_CLIENT_TAG PdcP - pdc.sys - PDC_PORT_TAG PdcR - pdc.sys - PDC_RESILIENCY_TAG, RESILIENCY_CLIENT_TAG PdcS - pdc.sys - PDC_SUSPRES_TAG PdcT - pdc.sys - PDC_TOKEN_TAG PSwt - pdc.sys - PDC_PSWT_TAG Pdcs - pdc.sys - PDC_SCENARIO_TAG SPMp - nt!po - Kernel Scenario Power Manager Policies. PepT - nt!PopPep - Default Power Engine Plugin Petw - pacer.sys - PACER ETW Pf?? - nt!pf - Pf Allocations PfAL - nt!pf - Pf Application launch event data PfAS - nt!pf - Pf Prefetch support array PfDq - nt!pf - Pf Directory query buffers PfED - nt!pf - Pf Generic event data PfEL - nt!pf - Pf Event logging buffers PfET - nt!pf - Pf Entry info tables PfFH - nt!pf - Pf RpContext FileKeyHash buckets PfFh - nt!pf - Pf Prefetch file handle cache array PfFK - nt!pf - Pf RpContext FileKeyHashEntry PfLB - nt!pf - Pf Log buffers PfMP - nt!pf - Pf Prefetch metadata buffers PfNL - nt!pf - Pf Name logging buffers PfOB - nt!pf - Pf Oplock buffers PfPB - nt!pf - Pf Pfn query buffers PfRL - nt!pf - Pf Prefetch read list PfRQ - nt!pf - Pf Prefetch request buffers PfSA - nt!pf - Pf Prefetch support array PfTD - nt!pf - Pf Trace Dump PfTt - nt!pf - Pf Translation tables PfVA - nt!pf - Pf VA prefetching buffers PfVH - nt!pf - Pf Prefetch volume handles Pfcs - pacer.sys - PACER Flow Counter Sets Pfhc - pacer.sys - PACER File Handle Contexts PFXM - nt!PoFx - Runtime Power Management Framework PcwC - nt!pcw - PCW Counter set PcwR - nt!pcw - PCW provider Registration PcwI - nt!pcw - PCW counter set Instance PcwQ - nt!pcw - PCW Query item PcwS - nt!pcw - PCW System call buffer PcwT - nt!pcw - PCW Temporary (short-lived) buffer Pgm? - - Pgm (Pragmatic General Multicast) protocol: RMCast.sys Plcp - - Cache aware pushlock list (array of puchlock addresses) Plcl - - Cache aware pushlock entry. One per processor PlMp - storport.sys - PortpReadDriverParameterEntry PlRB - storport.sys - PortAllocateRegistryBuffer storport!_PORT_REGISTRY_INFO.Buffer PmpA - portmap.sys - Portmap address list PmpC - portmap.sys - Portmap device context PmpM - portmap.sys - Portmap mapping PmpR - portmap.sys - Portmap RPCB PmAT - partmgr.sys - Partition Manager attributes table cache PmDD - partmgr.sys - Partition Manager device descriptor PmIB - partmgr.sys - Partition Manager buffer for IOCTL processing PmME - partmgr.sys - Partition Manager migration entry PmPE - partmgr.sys - Partition Manager partition entry PmPT - partmgr.sys - Partition Manager partition table cache PmRL - partmgr.sys - Partition Manager remove lock PmRP - partmgr.sys - Partition Manager registry path PmRR - partmgr.sys - Partition Manager removal relations PmSD - partmgr.sys - Partition Manager snapshot data cache PmTE - partmgr.sys - Partition Manager table entry PmVE - partmgr.sys - Partition Manager volume entry PNCH - - Power Notify Channel PNCL - - Power Notify channel list PNDP - - Power Abort Dpc Routine PNI - - Power Notify Instance PoEa - raspppoe.sys - MTAG_ADAPTER PoEb - raspppoe.sys - MTAG_BINDING PoEc - raspppoe.sys - MTAG_BUFFERPOOL PoEd - raspppoe.sys - MTAG_PACKETPOOL PoEe - raspppoe.sys - MTAG_PPPOEPACKET PoEf - raspppoe.sys - MTAG_TAPIPROV PoEg - raspppoe.sys - MTAG_LINE PoEh - raspppoe.sys - MTAG_CALL PoEi - raspppoe.sys - MTAG_HANDLETABLE PoEj - raspppoe.sys - MTAG_HANDLECB PoEk - raspppoe.sys - MTAG_TIMERQ PoEl - raspppoe.sys - MTAG_FREED PoEm - raspppoe.sys - MTAG_LLIST_WORKITEMS PoEu - raspppoe.sys - MTAG_UTIL Pool - - Pool tables, etc. PooL - - Phase 0 initialization of the executive component, paged and nonpaged small pool lookaside structures Port - - Port objects PoSL - - Power shutdown event list PPMd - - Processor Drivers (Processor Power Management). PPMi - nt!po - Kernel Processor Power Management Idle States. PPMp - nt!po - Kernel Processor Power Management Perf States. PPMw - nt!po - Kernel Processor Power Management WMI interface. Prof - - Profile objects POWI - nt!po - Power Work Item (executive worker thread work item entry) PSwt - nt!po - Power switch structure PSTA - nt!po - Po registered system state PDss - nt!po - Po device system state PRTM - nt!po - Power runtime management PCol - nt!po - Thermal cooling requests and extensions PpsP - nt!ps - PSP_PROPERTY_TAG PpTg - mpsdrv.sys - MPSDRV PPTP GRE analyzer PpTt - mpsdrv.sys - MPSDRV PPTP TCP analyzer Prcr - processr.sys - Processr driver allocations Proc - nt!ps - Process objects Ps - nt!ps - general ps allocations Psap - nt!ps - Block used to hold a user mode APC while its queued to a thread PsAp - nt!ps - Process APC queued by user mode process PsCa - nt!ps - APC queued at thread create time. PsCr - nt!ps - Working set change record (temporary allocation) PsEx - nt!ps - Process exit APC PsFn - nt!ps - Captured image file name buffer (temporary allocation) PsHl - nt!ps - Captured list of handles to inherit in child process (temporary allocation) PsIm - nt!ps - Thread impersonation (PS_IMPERSONATE_INFORMATION, pre-Vista) PsJa - nt!ps - Job access control state Psjb - nt!ps - Job set array (temporary allocation) PsLd - nt!ps - Process LDT information blocks PsPb - nt!ps - Captured process parameter block (temporary allocation) PsQb - nt!ps - Process quota block PsRl - nt!ps - Captured memory reserve list (temporary allocation) PsSb - nt!ps - Initial process parameter block (temporary allocation) PsSd - nt!ps - Augmented thread security descriptor (temporary allocation) PsTf - nt!ps - Job object token filter Pstb - nt!ps - Process tables via EX handle.c Psta - nt!ps - Power management system state PsTp - nt!ps - Thread termination port block PsWs - nt!ps - Process working set watch array PSE3 - pse36.sys - Physical Size Extension driver Pnp0 - nt!pnp - PNPMGR rebalance resource request table Pnp1 - nt!pnp - PNPMGR IRP completion context Pnp2 - nt!pnp - PNPMGR device action request Pnp3 - nt!pnp - PNPMGR HW Profile Pnp4 - nt!pnp - PNPMGR CM API Pnp5 - nt!pnp - PNPMGR assign resources context Pnp6 - nt!pnp - PNPMGR resource request Pnp7 - nt!pnp - PNPMGR deferred notify entry Pnp8 - nt!pnp - PNPMGR async target device change notify Pnp9 - nt!pnp - PNPMGR HW profile notify PnpA - nt!pnp - PNPMGR PnpRtl Operations PnpC - nt!pnp - PNPMGR target device notify PnpF - nt!pnp - PNPMGR eject data PnpG - nt!pnp - PNPMGR generic PnpH - nt!pnp - PNPMGR service name PnpI - nt!pnp - PNPMGR instance path PnpJ - nt!pnp - PNPMGR device event list PnpK - nt!pnp - PNPMGR device event entry PnpL - nt!pnp - PNPMGR device event workitem PnpM - nt!pnp - PNPMGR veto buffer PnpN - nt!pnp - PNPMGR PDO array PnpO - nt!pnp - PNPMGR veto process PnpP - nt!pnp - PNPMGR veto device object PnpQ - nt!pnp - PNPMGR partition resource list PnpR - nt!pnp - PNPMGR memory bitmap PnpS - nt!pnp - PNPMGR dependent info PnpT - nt!pnp - PNPMGR provider info PnpU - nt!pnp - PNPMGR async set status control PnpV - nt!pnp - PNPMGR notify entry loc PnpW - nt!pnp - PNPMGR SwDevice PnpX - nt!pnp - PNPMGR DevQuery PnpY - nt!pnp - PNPMGR usermode device notifications PnpZ - nt!pnp - PNPMGR data model PnPb - nt!pnp - PnP BIOS resource manipulation PpEB - nt!pnp - PNP_POOL_EVENT_BUFFER PpEE - nt!pnp - PNP_DEVICE_EVENT_ENTRY_TAG PpEL - nt!pnp - PNP_DEVICE_EVENT_LIST_TAG PpLg - nt!pnp - PnP last good. PpUB - nt!pnp - PNP_USER_BLOCK_TAG PpWI - nt!pnp - PNP_DEVICE_WORK_ITEM_TAG Ppcd - nt!pnp - PnP critical device database Ppcr - nt!pnp - plug-and-play critical allocations Ppdd - nt!pnp - new Plug-And-Play driver entries and IRPs Ppde - nt!pnp - routines to perform device removal Ppei - nt!pnp - Eisa related code Ppen - nt!pnp - routines to perform device enumeration Ppin - nt!pnp - plug-and-play initialization Ppio - nt!pnp - plug-and-play IO system APIs PPMi - nt!po - Processor Power Manager Idle States PPMp - nt!po - Processor Power Manager Perf States PPMw - nt!po - Processor Power Manager WMI Interface Ppre - nt!pnp - resource allocation and translation Pprl - nt!pnp - routines to manipulate relations list Ppsu - nt!pnp - plug-and-play subroutines for the I/O system PPTP - - PPTP_MEMORYPOOL_TAG PPT0 - - PPTP_TDIADDR_TAG PPT1 - - PPTP_TDICONN_TAG PPT2 - - PPTP_CONNINFO_TAG PPT3 - - PPTP_ADDRINFO_TAG PPT4 - - PPTP_TIMEOUT_TAG PPT5 - - PPTP_TIMER_TAG PPT6 - - PPTP_TDICOTS_TAG PPT7 - - PPTP_WRKQUEUE_TAG PPT8 - - PPTP_SEND_CTRLDATA_TAG PPT9 - - PPTP_SEND_ACKDATA_TAG PPTa - - PPTP_SEND_DGRAMDESC_TAG PPTb - - PPTP_TDICLTS_TAG PPTc - - PPTP_RECV_CTRLDESC_TAG PPTd - - PPTP_RECV_CTRLDATA_TAG PPTe - - PPTP_RECV_DGRAMDESC_TAG PPTf - - PPTP_RECV_DGRAMDATA_TAG PPTg - - PPTP_RECVDESC_TAG PPTh - - PPTP_ENGINE_TAG PPTi - - PPTP_RECVDATA_TAG PRF? - nt!wdi - Performance Allocations PRFd - nt!wdi - Performance Diagnostics Structures PSC? - - Packet Scheduler (PSCHED) Tags PSC0 - - NDIS Request PSC1 - - GPC Client Vc PSC2 - - WanLink PSC3 - - Miscellaneous allocations PSC4 - - WMI PSCa - - Adapter PSCb - - CallParameters PSCc - - PipeContext PSCd - - FlowContext PSCe - - ClassMapContext PSCf - - Adapter Profile PSCg - - Component PX1 - - ndis ProviderEventLookaside p2?? - perm2dll.dll - Permedia2 display driver p2d3 - perm2dll.dll - Permedia2 display driver - d3d.c p2d6 - perm2dll.dll - Permedia2 display driver - d3ddx6.c p2de - perm2dll.dll - Permedia2 display driver - debug.c p2ds - perm2dll.dll - Permedia2 display driver - d3dstate.c p2dt - perm2dll.dll - Permedia2 display driver - d3dtxman.c p2su - perm2dll.dll - Permedia2 display driver - ddsurf.c p2en - perm2dll.dll - Permedia2 display driver - enable.c p2fi - perm2dll.dll - Permedia2 display driver - fillpath.c p2he - perm2dll.dll - Permedia2 display driver - heap.c p2hw - perm2dll.dll - Permedia2 display driver - hwinit.c p2cx - perm2dll.dll - Permedia2 display driver - p2ctxt.c p2pa - perm2dll.dll - Permedia2 display driver - palette.c p2pe - perm2dll.dll - Permedia2 display driver - permedia.c p2tx - perm2dll.dll - Permedia2 display driver - textout.c P3D? - perm3dd.dll - Permedia3 display driver - DirectDraw/3D P3G? - perm3dd.dll - Permedia3 display driver ppPT - pvhdparser.sys - Proxy Virtual Machine Storage VHD Parser Driver (parser) ppRT - pvhdparser.sys - Proxy Virtual Machine Storage VHD Parser Driver (parser) PSHD - pshed.dll - PSHED PSPi - pshed.dll - PSHED Plug-in Ppcs - pacer.sys - PACER Pipe Counter Sets Pwff - pacer.sys - PACER WFP Filters Pwmi - pacer.sys - PACER WMI notifications PX1 - ndproxy.sys - PX_EVENT_TAG PX2 - ndproxy.sys - PX_VCTABLE_TAG PX3 - ndproxy.sys - PX_ADAPTER_TAG PX4 - ndproxy.sys - PX_CLSAP_TAG PX5 - ndproxy.sys - PX_CMSAP_TAG PX6 - ndproxy.sys - PX_PARTY_TAG PX7 - ndproxy.sys - PX_COCALLPARAMS_TAG PX8 - ndproxy.sys - PX_REQUEST_TAG PX9 - ndproxy.sys - PX_PROVIDER_TAG PXa - ndproxy.sys - PX_ENUMLINE_TAG PXb - ndproxy.sys - PX_TAPILINE_TAG PXc - ndproxy.sys - PX_ENUMADDR_TAG PXd - ndproxy.sys - PX_TAPIADDR_TAG PXe - ndproxy.sys - PX_TAPICALL_TAG PXf - ndproxy.sys - PX_LINECALLINFO_TAG PXg - ndproxy.sys - PX_CMAF_TAG PXh - ndproxy.sys - PX_CLAF_TAG PXi - ndproxy.sys - PX_VC_TAG PXj - ndproxy.sys - PX_TRANSLATE_CALL_TAG PXk - ndproxy.sys - PX_TRANSLATE_SAP_TAG PXl - ndproxy.sys - PX_LINETABLE_TAG Qnam - - EXIFS Query Name Qp?? - - Generic Packet Classifier (MSGPC) Qppn - - Queued Notifications Qppi - - Pending Irp structures Qpci - - CfInfo Qpct - - Client blocks Qppa - - Pattern blocks Qphf - - HandleFactory Qpph - - PathHash Qprz - - Rhizome Qppd - - GenPatternDb Qpfd - - FragmentDb Qpcf - - ClassificationFamily Qpcd - - CfInfoData Qpcb - - ClassificationBlock Qppt - - Protocol Qpdg - - Debug QUIC Allocation tags are Qc00 through QcFF QUIC - msquic.sys - Generic QUIC allocation Qc00 - msquic.sys - QUIC Silo Qc01 - msquic.sys - QUIC connection Qc02 - msquic.sys - QUIC connection transport parameters Qc03 - msquic.sys - QUIC stream Qc04 - msquic.sys - QUIC stream buffer Qc05 - msquic.sys - QUIC sent frame metadata Qc06 - msquic.sys - QUIC datagram buffer Qc07 - msquic.sys - QUIC test code Qc08 - msquic.sys - QUIC perf code Qc09 - msquic.sys - QUIC tool code Qc0A - msquic.sys - QUIC Worker Qc0B - msquic.sys - QUIC Listener Qc0C - msquic.sys - QUIC CID Qc0D - msquic.sys - QUIC CID Hash Qc0E - msquic.sys - QUIC CID List Entry Qc0F - msquic.sys - QUIC CID Prefix Qc10 - msquic.sys - QUIC ALPN Qc11 - msquic.sys - QUIC Range Qc12 - msquic.sys - QUIC Send Buffer Qc13 - msquic.sys - QUIC Recv Buffer Qc14 - msquic.sys - QUIC Timer Wheel Qc15 - msquic.sys - QUIC Registration Qc16 - msquic.sys - QUIC configuration Qc17 - msquic.sys - QUIC Core binding Qc18 - msquic.sys - QUIC API Table Qc19 - msquic.sys - QUIC Per Proc Context Qc1A - msquic.sys - QUIC Platform Send Context Qc1B - msquic.sys - QUIC Platform TLS ACH Context Qc1C - msquic.sys - QUIC Platform TLS SNI Qc1D - msquic.sys - QUIC Platform TLS Principal Qc1E - msquic.sys - QUIC Platform TLS Context Qc1F - msquic.sys - QUIC Platform TLS Transport Parameters Qc20 - msquic.sys - QUIC Platform TLS Resumption Buffer Qc21 - msquic.sys - QUIC Platform TLS Sec Config Qc22 - msquic.sys - QUIC Platform TLS Packet Key Qc23 - msquic.sys - QUIC Platform TLS Key Qc24 - msquic.sys - QUIC Platform TLS HP Key Qc25 - msquic.sys - QUIC Platform TLS Hash Qc26 - msquic.sys - QUIC Platform TLS Extra Data Qc27 - msquic.sys - QUIC temporary alloc Qc28 - msquic.sys - QUIC Platform temporary alloc Qc29 - msquic.sys - QUIC Platform Processor info Qc2A - msquic.sys - QUIC Platform generic Qc2B - msquic.sys - QUIC Platform datapath Qc2C - msquic.sys - QUIC Platform datapath binding Qc2D - msquic.sys - QUIC Platform storage Qc2E - msquic.sys - QUIC Platform hashtable Qc2F - msquic.sys - QUIC Platform hashtable member lists Qc30 - msquic.sys - QUIC Lookup Hash Table Qc31 - msquic.sys - QUIC Remote Hash Entry Qc32 - msquic.sys - QUIC Server Name Qc33 - msquic.sys - QUIC App Resumption Data Qc34 - msquic.sys - QUIC Initial Token Qc35 - msquic.sys - QUIC Close Reason Qc36 - msquic.sys - QUIC Crypto Server Ticket Buffer Qc37 - msquic.sys - QUIC Crypto Client Ticket Buffer Qc38 - msquic.sys - QUIC Crypto Resumption Ticket Qc39 - msquic.sys - QUIC Tls Buffer Qc3A - msquic.sys - QUIC Send Request Qc3B - msquic.sys - QUIC API Context Qc3C - msquic.sys - QUIC Stateless Context Qc3D - msquic.sys - QUIC Operation Qc3E - msquic.sys - QUIC Event QuU2 - mpsdrv.sys - MPSDRV upcall response RAWb - nt!RAW - RAW file system buffer Ra12 - storport.sys - INQUIRY_TAG RaAM - storport.sys - MAPPED_ADDRESS_TAG RaCD - storport.sys - CRASHDUMP_TAG RaCT - storport.sys - CONCURRENT_TOKEN_TAG RaDI - storport.sys - ID_TAG RaDf - storport.sys - DEFERRED_ITEM_TAG RaDS - storport.sys - STRING_TAG RaDR - storport.sys - DEVICE_RELATIONS_TAG RaDr - storport.sys - DPC_REDIRECTION_TAG RaHI - storport.sys - HWINIT_TAG RaME - storport.sys - MINIPORT_EXT_TAG RaPC - storport.sys - PORTCFG_TAG RaPD - storport.sys - PORT_DATA_TAG RaPL - storport.sys - PENDING_LIST_TAG RaQT - storport.sys - QUERY_TEXT_TAG RaRm - storport.sys - REMLOCK_TAG RaRL - storport.sys - RESOURCE_LIST_TAG RaSr - storport.sys - SRB_TAG RaSE - storport.sys - SRB_EXTENSION_TAG RaTM - storport.sys - TAG_MAP_TAG RaXr - storport.sys - XRB_TAG RaUE - storport.sys - UNIT_EXT_TAG RaSN - storport.sys - SENSE_TAG RaMW - storport.sys - WMI_EVENT_TAG RaRl - storport.sys - REPORT_LUNS_TAG RaSI - storport.sys - SENSE_INFO_TAG RaSR - storport.sys - RESOURCE_TAG RaAE - storport.sys - ADAPTER_EXT_TAG RaVM - storport.sys - VM_BUSES_TAG RaTS - storport.sys - TARGET_RESCAN_TAG RaWI - storport.sys - WORK_ITEM_TAG RaAT - storport.sys - ADDITIONAL_TIMER_TAG RaPO - storport.sys - POFX_TAG RaPW - storport.sys - POWER_TAG RaIB - storport.sys - IRP_BUFFER_TAG RaPQ - storport.sys - PENDING_QUEUE_TAG RaTe - storport.sys - TELEMETRY_TAG RaSH - storport.sys - SHIM_TAG RaCE - storport.sys - COMMAND_EFFECTS_TAG RaCT - storport.sys - PORT_CONTEXT_TAG RaUL - storport.sys - UNIT_LIST_TAG RaZR - storport.sys - ZONE_IO_GROUP_TAG RaCr - storport.sys - CRYPTO_TAG RaET - storport.sys - ETW_TAG RaST - storport.sys - SMART_TAG RaRW - storport.sys - REGISTRY_WATCH_TAG RaWH - storport.sys - WHEA_TAG RaNP - storport.sys - NPEM_TAG RaOP - storport.sys - OPERATION_TAG RaAC - storport.sys - ACPI_TAG RaDQ - storport.sys - DFX_QUEUE_TAG RaGA - storport.sys - GATEWAY_TAG RaCI - storport.sys - NVME_CTRL_IDENTIFY_TAG RaNI - storport.sys - NVME_NS_IDENTIFY_TAG RaNC - storport.sys - NVME_CONFIG_TAG RaEt - storport.sys - ENUM_TAG RaMF - storport.sys - MFND_TAG RaRE - storport.sys - RESET_TAG RaTC - storport.sys - TCG_TAG RaDA - tcpip.sys - Raw Socket Discretionary ACLs RaEW - tcpip.sys - Raw Socket Endpoint Work Queue Contexts RaMI - tcpip.sys - Raw Socket Message Indication Tags RaPM - tcpip.sys - Raw Socket Partial Memory Descriptor List Tag RaSM - tcpip.sys - Raw Socket Send Messages Requests RaSL - tcpip.sys - Raw Socket Send Message Lists RawE - tcpip.sys - Raw Socket Endpoints RawN - tcpip.sys - Raw Socket Nsi RB?? - - RedBook Filter Driver, static allocations RBEv - - RedBook - Thread Events RBRl - - RedBook - Remove lock RBRg - - RedBook - driverExtension->RegistryPath RBSe - - RedBook - Serialization tracking for checked builds RBWa - - RedBook - Wait block for system thread rb?? - - RedBook Filter Driver, dynamic allocations rbBu - - RedBook - Buffer for read/stream rbIr - - RedBook - Irp for read/stream rbIp - - RedBook - Irp pointer block rbMd - - RedBook - Mdl for read/stream rbMp - - RedBook - Mdl pointer block rbRc - - RedBook - Read completion context rbRx - - RedBook - Read Xtra info rbSc - - RedBook - Stream completion context rbSx - - RedBook - Stream Xtra info rbTo - - RedBook - Cached table of contents Rcp? - sacdrv.sys - SAC Driver (Headless) RcpA - sacdrv.sys - Internal memory mgr alloc block RcpI - sacdrv.sys - Internal memory mgr initial heap block RcpS - sacdrv.sys - Security related block RDPD - rdpdr.sys - Device list object ReEv - - Resource Event ReSe - - Resource Semaphore ReTa - - Resource Extended Table ReTr - - Per ETHREAD EXECUTIVE Resource tracking. REM ReFS Specific allocation tags ReAR - refs.sys - Refs Async Cached Read allocation Reai - refs.sys - RefsInsertStreamAttributeLookasideList Ref0 - refs.sys - General pool allocation Ref9 - refs.sys - Large Temporary Buffer RefB - refs.sys - RefsGetSfioReservation Refb - refs.sys - RESERVE_POOL_TAG RefC - refs.sys - CCB Refc - refs.sys - CCB_DATA Refd - refs.sys - DEALLOCATED_CLUSTERS RefD - refs.sys - DEALLOCATED_RECORDS RefE - refs.sys - INDEX_CONTEXT Reff - refs.sys - FCB_DATA RefF - refs.sys - FCB_INDEX RefI - refs.sys - IO_CONTEXT Refi - refs.sys - IRP_CONTEXT RefK - refs.sys - KEVENT Refk - refs.sys - FILE_LOCK Refl - refs.sys - LCB ReFm - refs.sys - MAP_CONTEXT RefsMapContextLookasideList RefN - refs.sys - NUKEM Refn - refs.sys - SCB_NONPAGED Refo - refs.sys - SCB_INDEX normalized named buffer Refp - refs.sys - COMPRESSION_CONTEXT RefsCompressCtxLookasideList Refq - refs.sys - General Allocation with Quota RefR - refs.sys - READ_AHEAD_THREAD Refr - refs.sys - ERESOURCE RefS - refs.sys - SCB_INDEX Refs - refs.sys - SCB_DATA RefH - refs.sys - SCB_SNAPSHOT Reft - refs.sys - SCB (Prerestart) Refu - refs.sys - NTFS_MARK_UNUSED_CONTEXT RefV - refs.sys - VPB Refv - refs.sys - COMPRESSION_SYNC Refw - refs.sys - Workspace Refx - refs.sys - General Allocation Ref? - refs.sys - Unkown allocation ReIO - refs.sys - ReFS IO perf Rers - refs.sys - ROLLBACK_STRUCT RefsRollbackStructLookasideList ReTc - refs.sys - FILE_LEVEL_TRIM_CONTEXT ReTm - refs.sys - DEVICE_MANAGE_DATA_SET_ATTRIBUTES RefsDeviceManageDataSetAttributesLookasideList ReTo - refs.sys - DEVICE_MANAGE_DATA_SET_ATTRIBUTES RefsFileOffloadLookasideList ReTe - refs.sys - ReFS Telemetry Redf - refs.sys - REFS_DISK_FLUSH_CONTEXT allocations ReF_ - refs.sys - FILE_REFERENCE in RefsInsertDebugInfoIrpImplementation ReFT - refs.sys - Stack trace ReRc - refs.sys - Read copy context RKsr - refs.sys - REFS_KSR_POOLTAG REM ReFS tags based on source module ReFa - refs.sys - AllocSup.c ReFA - refs.sys - AttrHelpers.c ReFC - refs.sys - Create.c ReFD - refs.sys - DevioSup.c ReFd - refs.sys - DirCtrl.c ReFE - refs.sys - Ea.c ReFF - refs.sys - FileInfo.c ReFf - refs.sys - FsCtrl.c ReFH - refs.sys - SelfHeal.c RefJ - refs.sys - NtfsInit.c ReFL - refs.sys - TransSup.c ReFN - refs.sys - NtfsData.c ReFP - refs.sys - ReparSup.c ReFS - refs.sys - SecurSup.c ReFs - refs.sys - StrucSup.c ReFU - refs.sys - usnsup.c ReFV - refs.sys - VerfySup.c ReFv - refs.sys - ViewSup.c ReFW - refs.sys - Write.c ReMo - refs.sys - Mount.c ReF? - refs.sys - Unknown ReFS source module RefT - - Bluetooth reference tracking Rf?? - - Bluetooth RFCOMM TDI driver RfAD - rfcomm.sys - RFCOMM Address RfBB - rfcomm.sys - RFCOMM BRB RfBT - rfcomm.sys - RFCOMM (bthport) RfCB - rfcomm.sys - RCOMMM RfCH - rfcomm.sys - RFCOMM channel RfCN - rfcomm.sys - RFCOMM connect RfDA - rfcomm.sys - RFCOMM data RfFR - rfcomm.sys - RFCOMM frame RfRX - rfcomm.sys - RFCOMM receive RfPP - rfcomm.sys - RFCOMM pnp RfWR - rfcomm.sys - RFCOMM worker RhHi - tcpip.sys - Reference History Pool Rind - tcpip.sys - Raw Socket Receive Indications RKRW - mpsdrv.sys - MPSDRV work item RTLF - mpsdrv.sys - MPSDRV filter RLli - FsLib - FsLib Nonopaque Range lock entry RLin - FsLib - FsLib Range lock entry Rtrc - FsLib - FsLib Allocations in RangeTrack.c RmPt - netio.sys - Rtl Mapping Page Table Entries Rnm - rndismp.sys - RNDIS MP driver generic alloc Rnms - rndismp.sys - RNDIS MP driver send frame Rnmr - rndismp.sys - RNDIS MP driver receive frame Rnmt - rndismp.sys - RNDIS MP driver timer RpcL - msrpc.sys - debugging log data - present on checked builds only RpcM - msrpc.sys - all msrpc.sys allocations not covered elsewhere Rpcr - msrpc.sys - not currently used RRle - - RTL_RANGE_LIST_ENTRY_TAG RRlm - - RTL_RANGE_LIST_MISC_TAG RtPi - - Temp allocation for product type key Rpcl - msrpc.sys - MSRpc memory logging - checked build only Rpcm - msrpc.sys - MSRpc memory allocations Rpcr - msrpc.sys - MSRpc resources Rpcs - msrpc.sys - Memory shared b/n MSRpc and caller RPrt - rstorprt.sys - Remote Storage Port Driver Rqrv - - Registry query buffer RS?? - - Remote Storage RSFS - - Recall Queue RSFN - - File Name RSSE - - Security info RSWQ - - Work Queue RSQI - - Queue info RSLT - - Long term data RSIO - - Ioctl Queue RSFO - - File Obj queue RSVO - - Validate Queue RSER - - Error log data RtlT - nt!rtl - Temporary RTL allocation RWan - rawwan.sys - Raw WAN driver R300 - - ATI video driver RX00 - - ATI video driver Rx?? - rdbss.sys - RDBSS allocations RxSc - rdbss.sys - RDBSS SrvCall RxNr - rdbss.sys - RDBSS NetRoot RxVn - rdbss.sys - RDBSS VNetRoot RxLv - rdbss.sys - RDBSS Logical View RxFc - rdbss.sys - RDBSS FCB RxSo - rdbss.sys - RDBSS SrvOpen RxFx - rdbss.sys - RDBSS fobx RxNf - rdbss.sys - RDBSS non paged FCB RxWq - rdbss.sys - RDBSS work queue RxBm - rdbss.sys - RDBSS buffering manager RxCo - rdbss.sys - RDBSS construction context RxMs - rdbss.sys - RDBSS miscellaneous RxM1 - rdbss.sys - RDBSS VNetRoot name RxM2 - rdbss.sys - RDBSS canonical name RxM3 - rdbss.sys - RDBSS querypath name RxM4 - rdbss.sys - RDBSS treeconnect name RxM5 - rdbss.sys - RDBSS reparse buffer name RxM9 - rdbss.sys - RDBSS cloned unicode string RxIr - rdbss.sys - RDBSS RxContext RxTl - rdbss.sys - RDBSS toplevel IRP RxMx - rdbss.sys - RDBSS mini-rdr RxNc - rdbss.sys - RDBSS name cache RxSy - rdbss.sys - RDBSS symlink RxCr - rdbss.sys - RDBSS credential RxEc - rdbss.sys - RDBSS ECP RxCt - mrxsmb.sys - RXCE transport RxCa - mrxsmb.sys - RXCE address RxCc - mrxsmb.sys - RXCE connection RxCv - mrxsmb.sys - RXCE VcEndpoint RxCd - mrxsmb.sys - RXCE TDI S3 - - S3 video driver SAad - srvnet.sys - SrvAdmin buffer SBad - - bad block simulator - simbad.c sbp2 - - Sbp2 1394 storage port driver SC?? - - Smart card driver tags SCLb - - Smart card driver library SCB8 - - Bull CP8 Transac serial reader SCB3 - - Bull SmarTlp PnP SCS4 - - SCM Microsystems pcmcia reader SCl0 - - Litronic 220 Sc?? - - Mass storage driver tags ScB? - classpnp.sys - ClassPnP misc allocations ScB1 - classpnp.sys - Query registry parameters ScB2 - classpnp.sys - Registry path ScB4 - classpnp.sys - Storage descriptor header ScB5 - classpnp.sys - FDO relations ScC? - classpnp.sys - ClassPnP misc allocations ScC1 - classpnp.sys - Registry path buffer ScC2 - classpnp.sys - PDO relations ScC6 - classpnp.sys - START_UNIT completion context ScC7 - classpnp.sys - Sense info buffer ScC8 - classpnp.sys - Registry value name ScC9 - classpnp.sys - Device Control SRB ScC? - cdrom.sys - CdRom ScCA - cdrom.sys - Autorun disable functionality ScCa - cdrom.sys - Media change detection ScSB - cdrom.sys - Scratch buffer (usually 64k) ScCC - cdrom.sys - Ioctl GET_CONFIGURATION ScCc - cdrom.sys - Context of completion routine ScCD - cdrom.sys - Adaptor & Device descriptor buffer ScCd - cdrom.sys - Disc information ScCe - cdrom.sys - Request sync event ScCF - cdrom.sys - Feature descriptor ScCG - cdrom.sys - GESN buffer ScCI - cdrom.sys - Sense info buffers ScCi - cdrom.sys - Cached inquiry buffer ScCM - cdrom.sys - Mode data buffer SCCO - cdrom.sys - Set stream buffer ScCo - cdrom.sys - Device Notification buffer ScCp - cdrom.sys - Play active checks ScCr - cdrom.sys - Registry string ScCS - cdrom.sys - Srb allocation ScCs - cdrom.sys - Assorted string data ScCU - cdrom.sys - Update capacity path ScCu - cdrom.sys - Read buffer for dvd key ScCV - cdrom.sys - Read buffer for dvd/rpc2 check ScCv - cdrom.sys - Read buffer for rpc2 check ScCX - cdrom.sys - Security descriptor ScD? - - Disk ScD - - generic tag ScDa - - SMART ScDA - - Info Exceptions ScDC - - disable cache paths ScDb - classpnp.sys - ClassPnP debug globals buffer ScDc - - disk allocated completion c ScDG - - disk geometry buffer ScDg - - update disk geometry paths ScDI - - sense info buffers ScDp - - pnp ids ScDM - - mode data buffer ScDM - - mbr checksum code ScDN - - disk name code ScDP - - read capacity buffer ScDp - - disk partition lists ScDS - - srb allocation ScDs - - start device paths ScDU - - update capacity path ScDW - - work-item context ScMC - - medium changer allocations ScIO - classpnp.sys - ClassPnP device control ScL? - classpnp.sys - Classpnp ScLA - classpnp.sys - allocation to check for autorun disable ScLF - classpnp.sys - File Object Extension ScLc - classpnp.sys - Cache filters ScLf - classpnp.sys - Fault prediction ScLm - classpnp.sys - Mount ScLM - classpnp.sys - Media Change Detection ScLq - classpnp.sys - Release queue ScLw - classpnp.sys - WMI ScLW - classpnp.sys - Power ScNo - classpnp.sys - ClassPnP notification ScP? - - Scsiport ScPa - - Hold registry data ScPA - - Access Ranges ScPb - - Get Bus Dat Holder ScPB - - Queuetag BitMap ScPc - - Fake common buffer ScPC - - reset bus code ScPd - - Pnp id strings ScPD - - SRB_DATA allocations ScPE - - Scatter gather lists ScPG - - Global memory ScPh - - HwDevice Ext ScPi - - Sense Info ScPI - - Init data chain ScPl - - remove lock tracking ScPL - - scatter gather lists ScPm - - address mapping lists ScPM - - scatter gather lists ScPp - - device & adapter enable ScpP - - scsi PortConfig copies ScPq - - inquiry data ScPQ - - request sense ScPr - - resource list copy ScPS - - registry allocations ScPt - - legacy request rerouting ScPT - - interface mapping ScPu - - device relation structs ScPv - - KEVENT ScPV - - Device map allocations ScPw - - Wmi Events ScPW - - Wmi Requests ScPx - - Report Luns ScPY - - Report Targets ScPZ - - Device name buffer ScR? - - Partition Manager ScRi - - IOCTL buffer ScRp - - Partition entry ScRr - - Remove lock ScRt - - Table entry ScRv - - Dependant volume relations lists ScRV - - Volume entry ScRw - - Power mgmt private work item ScS2 - classpnp.sys - Sense interpretation data ScsC - - non-pnp SCSI CdRom ScsD - - non-pnp SCSI Disk ScsH - - non-pnp SCSI from class.h (class2) ScsI - - non-pnp SCSI port internal ScsL - - non-pnp SCSI class.c driver allocations ScsP - - non-pnp SCSI port.c Scs$ - - Tag for pnp class driver's SRB lookaside list ScUn - - Default Tag for pnp class driver allocations ScV? - - Dvd functionality in cdrom.sys ScVk - - read buffer for DVD keys ScVK - - write buffer for DVD keys ScVS - - buffer for reads of DVD on-disk structures ScWs - classpnp.sys - Working set SdCc - - ObsSecurityDescriptorCache / SECURITY_DESCRIPTOR_CACHE_ENTRIES Sdba - - Application compatibility Sdb* allocations Sdp? - - Bluetooth SDP functionality in BTHPORT.sys SdpC - bthport.sys - Bluetooth SDP client connection SdpD - bthport.sys - Bluetooth SDP database SdpI - bthport.sys - Bluetooth port driver (SDP) SD - smbdirect.sys - SMB Direct allocations SDa - smbdirect.sys - SMB Direct socket objects SDb - smbdirect.sys - SMB Direct adapter objects SDc - smbdirect.sys - SMB Direct MR buffers SDd - smbdirect.sys - SMB Direct connect event contexts SDe - smbdirect.sys - SMB Direct large receive buffers SDf - smbdirect.sys - SMB Direct LAM objects SDg - smbdirect.sys - SMB Direct data transfer packet buffers SDh - smbdirect.sys - SMB Direct FRMR objects SDi - smbdirect.sys - SMB Direct buffer registrations SDj - smbdirect.sys - SMB Direct SQ work requests SDk - smbdirect.sys - SMB Direct operation Se - nt!se - General security allocations SeAc - nt!se - Security ACL SeAi - nt!se - Security Audit Work Item SeAk - nt!se - Security Account Name SeAo - nt!se - Security Attributes and Operations SeAp - nt!se - Security Audit Parameter Record SeAt - nt!se - Security Attributes SeCL - nt!se - Security CONTEXT_TAG SeDb - nt!se - Temp directory query buffer to delete logon session symbolic links SeDt - nt!se - Security Global Singleton attributes table SeFS - nt!se - Security File System Notify Context SeGa - nt!se - Granted Access allocations SeHa - nt!se - Security Handle Array SeHn - nt!se - AppContainer Handles SeIf - nt!se - Security Image Filename SeLa - nt!se - Security Learning Mode ACLs SeLs - nt!se - Security Logon Session SeLu - nt!se - Security LUID and Attributes array SeLS - nt!se - Security Logon Session tracking array SeLw - nt!se - Security LSA Work Item SeOI - nt!se - Security Learning Mode Object Information SeOn - nt!se - Security Captured Object Name information SeON - nt!se - Security Learning Mode Object Name SeOp - nt!se - Security Operation SeOT - nt!se - Security Learning Mode Object Type SeOt - nt!se - Captured object type array, used by access check SePa - nt!se - Process audit image names and captured policy structures SePh - nt!se - Dummy image page hash structure, used when CI is disabled SePr - nt!se - Security Privilege Set SeRO - nt!se - Learning Mode Root Object SeSA - nt!se - Security CAPE Staged Access Array SeSa - nt!se - Security SID and Attributes SeSb - nt!se - Security Secure Boot SeSc - nt!se - Captured Security Descriptor SeSd - nt!se - Security Descriptor SeSi - nt!se - Security SID SeSp - nt!se - Scoped Policy SeSs - nt!se - Shared Sids SeSv - nt!se - Security SID values block SeTa - nt!se - Security Temporary Array SeTd - nt!se - Security Token dynamic part SeTI - ksecdd.sys - Security TargetInfo SeTl - nt!se - Security Token Lock SeTn - nt!se - Security Captured Type Name information SeUs - nt!se - Security Captured Unicode string Sect - - Section objects Sema - - Semaphore objects Senm - - Serenum (RS-232 serial bus enumerator) SimB - - Simbad (bad sector simulation driver) allocations SIfs - - Default tag for user's of ntsrv.h sidg - - GDI spooler events Sis - - Single Instance Store (dd\sis\filter) SisB - - SIS per file object break event SisC - - SIS common store file object SisF - - SIS per file object SisL - - SIS per link object SisS - - SIS SCB Setp - - SETUPDD SpMemAlloc calls SMgk - vmsharedmemoryguestkernel.lib - Virtual Machine Shared Memory Kernel Mode Guest Library SMhk - vmsharedmemoryhostkernel.lib - Virtual Machine Shared Memory Kernel Mode Host Library SRdm - scsirdma.sys - Infiniband SRP driver StCc - netio.sys - WFP stream inspection call context StDa - netio.sys - WFP stream inspection data StFc - netio.sys - WFP stream filter conditions StCx - netio.sys - WFP stream internal callout context Stdq - netio.sys - WFP stream DPC queue SV?? - - Synthetic Video Driver SVXD - synvidxd.dll - WDDM Synthetic Video Display Driver SVXM - synvidxm.sys - WDDM Synthetic Video Miniport Driver SVid - synthvid.sys - LDDM Synthetic Video Miniport Driver SW?? - - Software Bus Enumerator SWbi - - bus ID SWbr - - bus reference SWda - - POOLTAG_DEVICE_ASSOCIATION SWdn - - device name SWdr - - device reference SWdr - - POOLTAG_DEVICE_DRIVER_REGISTRY SWfd - - POOLTAG_DEVICE_FDOEXTENSION SWid - - device ID SWii - - instance ID SWip - - POOLTAG_DEVICE_INTERFACEPATH SWki - - key information SWpd - - POOLTAG_DEVICE_PDOEXTENSION SWre - - relations SWrp - - reparse string SWrs - - reference string Sm?? - mrxsmb.sys - SMB miniredirector allocations SmCe - mrxsmb.sys - SMB connection object SmXc - mrxsmb.sys - SMB exchange SmBf - mrxsmb.sys - SMB exchange buffer SmKy - mrxsmb.sys - SMB compounding key SmMs - mrxsmb.sys - SMB miscellaneous SmTp - mrxsmb.sys - SMB transport SmVc - mrxsmb.sys - SMB VC endpoint SmDg - mrxsmb.sys - SMB datagram endpoint SmWi - mrxsmb.sys - SMB sequence window SmFi - mrxsmb.sys - SMB file SmTh - mrxsmb.sys - SMB thunk SmSh - mrxsmb.sys - SMB shadow file (fast loopback) SmTd - mrxsmb.sys - SMB TDI notify SmDc - mrxsmb.sys - SMB directory cache SmMm - mrxsmb.sys - SMB mm allocated structures. SmAd - mrxsmb10.sys - SMB1 session setup/admin exchange SmRw - mrxsmb10.sys - SMB1 read/write path SmTr - mrxsmb10.sys - SMB1 transact exchange SmRb - mrxsmb10.sys - SMB1 remote boot SmFc - mrxsmb10.sys - SMB1 fsctl structures (special build only) SmDc - mrxsmb10.sys - SMB1 dir query buffer (special build only) SmPi - mrxsmb10.sys - SMB1 pipeinfo buffer (special build only) SmDO - mrxsmb10.sys - SMB1 deferred open context (special build only) SmQP - mrxsmb10.sys - SMB1 params for directory query transact (special build only) SmVr - mrxsmb10.sys - SMB1 VNetroot (special build only) SmSr - mrxsmb10.sys - SMB1 Server (special build only) SmSe - mrxsmb10.sys - SMB1 Session (special build only) SmNr - mrxsmb10.sys - SMB1 NetRoot (special build only) SmMa - mrxsmb10.sys - SMB1 mid atlas (special build only) SmMt - mrxsmb10.sys - SMB1 mailslot buffer (special build only) SmEc - mrxsmb10.sys - SMB1 echo buffer (special build only) SmKs - mrxsmb10.sys - SMB1 Kerberos blob (special build only) sm?? - nt!store or rdyboost.sys - ReadyBoost allocations smCR - nt!store or rdyboost.sys - ReadyBoost encryption allocation smMD - nt!store or rdyboost.sys - ReadyBoost store stats MDL smWi - nt!store or rdyboost.sys - ReadyBoost various work items smSt - nt!store or rdyboost.sys - ReadyBoost various store allocations smBt - nt!store or rdyboost.sys - ReadyBoost various B+Tree allocations smXt - nt!store or rdyboost.sys - ReadyBoost store extents array smAr - nt!store or rdyboost.sys - ReadyBoost generic array allocation smIt - nt!store or rdyboost.sys - ReadyBoost store ETA timers smRg - nt!store or rdyboost.sys - ReadyBoost in-memory store region array smET - nt!store or rdyboost.sys - ReadyBoost ETA check work item smWd - nt!store or rdyboost.sys - ReadyBoost store contents rundown work item smNp - nt!store or rdyboost.sys - ReadyBoost store node pool allocations smDt - nt!store or rdyboost.sys - ReadyBoost store debug trace buffer smDa - nt!store - ReadyBoost cache file DACL smDS - nt!store - ReadyBoost cache file SID smLb - nt!store - ReadyBoost virtual store manager log buffer smCa - nt!store - ReadyBoost cache smEK - nt!store - ReadyBoost encryption key smEd - nt!store - ReadyBoost virtual store manager key descriptor allocation for logging smAc - nt!store - ReadyBoost device arrival context smFh - nt!store - ReadyBoost cache file header smFp - nt!store - ReadyBoost virtual forward progress entry smR? - nt!store - ReadyBoost virtual forward progress resources smKG - nt!store - ReadyBoost encryption key registry path buffer smms - nt!store - ReadyBoost virtual store memory monitor context smCr - nt!store - ReadyBoost store region bitmap smMd - rdyboost.sys - ReadyBoost MDL allocation smMb - rdyboost.sys - ReadyBoost MDL buffer smBP - rdyboost.sys - ReadyBoot boot plan buffer smBD - rdyboost.sys - ReadyBoot decompressed boot plan buffer smBX - rdyboost.sys - ReadyBoot boot plan decompression workspace buffer smMR - rdyboost.sys - ReadyBoot multi-read ranges smRW - rdyboost.sys - ReadyBoot read-after-write ranges smPr - rdyboost.sys - ReadyBoot population ranges smPi - rdyboost.sys - ReadyBoot population ranges index smPl - rdyboost.sys - ReadyBoot pended IRP lists smRT - rdyboost.sys - ReadyBoot thread params smTi - rdyboost.sys - ReadyBoost debug IO trace buffer smPc - rdyboost.sys - ReadyBoost persist log context smPb - rdyboost.sys - ReadyBoost persist log buffer smPm - rdyboost.sys - ReadyBoost persist partial MDL buffer smBR - rdyboost.sys - ReadyBoost volume ranges array smBr - rdyboost.sys - ReadyBoost volume range smVc - rdyboost.sys - ReadyBoost read verification buffer smHB - rdyboost.sys - ReadyBoost Hybrid Drive command buffer SPX - - Nwlnkspx transport SQOS - - Security quality of service in IO SpXX - spaceport.sys - Spaceport generic SpXl - spaceport.sys - Spaceport log SpXp - spaceport.sys - Spaceport parity context SpXr - spaceport.sys - spaceport repair SpXs - spaceport.sys - spaceport parity schedule SpXb - spaceport.sys - spaceport slab SpXa - spaceport.sys - spaceport sparse array SpIc - spaceport.sys - spaceport IO cache SpIl - spaceport.sys - spaceport IO column SpIC - spaceport.sys - spaceport IO counters SpId - spaceport.sys - spaceport IO raid SpIs - spaceport.sys - spaceport IO space SpIt - spaceport.sys - spaceport IO tier SpBc - spaceport.sys - spaceport SDB column SpBd - spaceport.sys - spaceport SDB drive SpBe - spaceport.sys - spaceport SDB extent SpBm - spaceport.sys - spaceport SDB metadata SpBt - spaceport.sys - spaceport SDB path SpBp - spaceport.sys - spaceport SDB pool SpBg - spaceport.sys - spaceport SDB pool config SpBs - spaceport.sys - spaceport SDB space SpBn - spaceport.sys - spaceport SDB space config SpBr - spaceport.sys - spaceport SDB record SpBi - spaceport.sys - spaceport SDB tier SpSs - spaceport.sys - spaceport store SpSk - spaceport.sys - spaceport store block SpSb - spaceport.sys - spaceport store buffer SpSc - spaceport.sys - spaceport store cache SpSr - spaceport.sys - spaceport store record SpAt - spaceport.sys - spaceport attributes SpBf - spaceport.sys - spaceport buffer SpPK - spaceport.sys - spaceport custom packet SpDg - spaceport.sys - spaceport destage context SpDr - spaceport.sys - spaceport drive SpDd - spaceport.sys - spaceport dump data SpEL - spaceport.sys - spaceport enclosure SpLa - spaceport.sys - spaceport lookaside SpMp - spaceport.sys - spaceport mapping SpMl - spaceport.sys - spaceport MDL SpPt - spaceport.sys - spaceport path SpPl - spaceport.sys - spaceport pool SpPm - spaceport.sys - spaceport prm SpRg - spaceport.sys - spaceport regen context SpWk - spaceport.sys - spaceport work Sr?? - sr.sys - System Restore file system filter driver SrCo - sr.sys - SR's control object SrSC - sr.sys - Stream contexts SrDB - sr.sys - Debug information for lookup blob SrDL - sr.sys - Device list SrFE - sr.sys - File information buffer SrFN - sr.sys - File name SrHB - sr.sys - Hash bucket SrHH - sr.sys - Hash header SrHK - sr.sys - Hash key SrLB - sr.sys - Log buffer SrLC - sr.sys - Logging context SrLE - sr.sys - Log entry SrLT - sr.sys - Lookup blob SrMP - sr.sys - Mount point information SrOI - sr.sys - Overwrite information SrPC - sr.sys - Persistant configuration information SrRB - sr.sys - Rename buffer SrRG - sr.sys - Logger context SrRH - sr.sys - Reparse data size SrRR - sr.sys - Registry information SrSD - sr.sys - Security data information SrST - sr.sys - Stream data information SrTI - sr.sys - Directory delete information SrWI - sr.sys - Work queue item SslC - ksecdd.sys - SSL kernel mode client allocations ST* - - New MMC compliant storage drivers Stac - - Stack Trace Database - i386 checked and built with NTNOFPO=1 only StEl - storport.sys - PortpErrorInitRecords storport!_STORAGE_TRACE_CONTEXT_INTERNAL.ErrorLogRecords Strg - - Dynamic Translated strings Strm - - Streams and streams transports allocations StTc - storport.sys - PortTraceInitTracing storport!_STORAGE_TRACE_CONTEXT_INTERNAL svx? - svhdxflt.sys - VHDX sharing among multiple Hyper-V guests svxc - svhdxflt.sys - CDB (SCSI) operations svxC - svhdxflt.sys - Create File processing svxd - svhdxflt.sys - SVHDX communications port svxe - svhdxflt.sys - Stored sense data errors svxf - svhdxflt.sys - File contexts svxI - svhdxflt.sys - Initiator lists svxi - svhdxflt.sys - Instance context svxl - svhdxflt.sys - Shared VHDX RTL svxP - svhdxflt.sys - Persistent Reservation - Registrations svxp - svhdxflt.sys - Persistent Reservation support for shared VHDX files svxQ - svhdxflt.sys - Persistent Reservation - Device context svxq - svhdxflt.sys - Persistent Reservation - Reservation Info svxr - svhdxflt.sys - File read operations svxs - svhdxflt.sys - Stream context svxS - svhdxflt.sys - Stream handle context svxt - svhdxflt.sys - Test Filter svxv - svhdxflt.sys - VHDMP/SVHDX interaction svxw - svhdxflt.sys - File write operations SwMi - - SWMidi KS filter (WDM Audio) Symb - - Symbolic link objects Symt - - Symbolic link target strings SYPK - syspart.lib - Kernel mode system partition detection allocations SYSA - - Sysaudio (wdm audio) TAPI - - ntos\ndis\ndistapi TcAN - tcpip.sys - TCPIP App Name TcAR - tcpip.sys - TCP Abort Requests TcBW - tcpip.sys - TCP Bandwidth Allocations TcCC - tcpip.sys - TCP Create And Connect Tcb Pool TcCM - tcpip.sys - TCP Congestion Control Manager Contexts TcCo - tcpip.sys - TCP Compartment TcCR - tcpip.sys - TCP Connect Requests TcCT - tcpip.sys - TCP Connection Tuples TcDD - tcpip.sys - TCP Debug Delivery Buffers TcDQ - tcpip.sys - TCP Delay Queues TcDR - tcpip.sys - TCP Disconnect Requests TcEW - tcpip.sys - TCP Endpoint Work Queue Contexts TcFC - tcpip.sys - TCP Fastopen Cookies TcFR - tcpip.sys - TCP FineRTT Buffers TcHT - tcpip.sys - TCP Hash Tables TcHo - tcpip.sys - TCPIP Histogram TcIn - tcpip.sys - TCP Inputs TcLS - tcpip.sys - TCP Listener SockAddrs TcLW - tcpip.sys - TCP Listener Work Queue Contexts TcpA - tcpip.sys - TCP DMA buffers TcpB - tcpip.sys - TCP Offload Blocks TcDM - tcpip.sys - TCP Delayed Delivery Memory Descriptor Lists TcDN - tcpip.sys - TCP Delayed Delivery Network Buffer Lists TcPC - tcpip.sys - TCP Listener Pending Connections TcpE - tcpip.sys - TCP Endpoints TTcb - tcpip.sys - TCP Connections TcpI - tcpip.sys - TCP ISN buffers TcpL - tcpip.sys - TCP Listeners TcpM - tcpip.sys - TCP Offload Miscellaneous buffers TcpN - tcpip.sys - TCP Name Service Interfaces TcOD - tcpip.sys - TCP Offload Devices TcpO - tcpip.sys - TCP Offload Requests TcpP - tcpip.sys - TCP Processor Arrays TcPt - tcpip.sys - TCP Partitions Tcpt - tcpip.sys - TCP Timers TcRA - tcpip.sys - TCP Reassembly Data TcRB - tcpip.sys - TCP Reassembly Buffers TcRD - tcpip.sys - TCP Receive DPC Data TcRe - tcpip.sys - TCP Recovery Buffers TcRH - tcpip.sys - TCP Reassembly Headers TcRL - tcpip.sys - TCP Create And Connect Tcb Rate Limit Pool TcRN - tcpip.sys - TCP Random Number Generator Pool TcRR - tcpip.sys - TCP Receive Requests TcRW - tcpip.sys - TCP Receive Window Tuning Blocks TcSa - tcpip.sys - TCP Sack Data TcSR - tcpip.sys - TCP Send Requests TcST - tcpip.sys - TCP Syn TCBs TcTW - tcpip.sys - TCP Time Wait TCBs TcUD - tcpip.sys - TCP Urgent Delivery Buffers TcWQ - tcpip.sys - TCP TCB Work Queue Contexts TcWS - tcpip.sys - TCP Window Scaling Diagnostics TcRF - tcpip.sys - TCP Recent Connection Failure TcTI - tcpip.sys - TCP Traceroute Info TcSk - tcpip.sys - TCP Send Tracker TcTx - tcpip.sys - TCP Transmit TrLB - tcpip.sys - TCP RLedbat TDIc - - TDI resource TDId - - TDI resource TDIe - - TDI resource TDIf - - TDI resource TDIg - - TDI resource TDIk - - TDI resource TDIu - - TDI resource TDIv - - TDI resource Tdat - - NB Data TdxC - tdx.sys - TDX Connections TdCI - tdx.sys - TDX Connection Information Tdxc - tdx.sys - TDX Control Channels Tdxo - tdx.sys - TDX Device Objects Tdx - tdx.sys - TDX Generic Buffers (Address, Entity information, Interface change allocations) TdxI - tdx.sys - TDX IO Control Buffers TdxM - tdx.sys - TDX Message Indication Buffers Tdxn - tdx.sys - TDX Net Addresses TdxR - tdx.sys - TDX Received Data Tdxp - tdx.sys - TDX Reserved Page Tables Entries TdxB - tdx.sys - TDX Transport Layer Buffers Tdxt - tdx.sys - TDX Transport Layer Clients TdxP - tdx.sys - TDX Transport Layer Providers Tdxm - tdx.sys - TDX Transport Layer TDI Mappings TdxA - tdx.sys - TDX Transport Addresses TdxT - tdx.sys - TDX Transport Provider Contexts Tedd - tcpip.sys - TCP/IP Event Data Descriptors thdd - - DirectDraw/3D handle manager table Thre - nt!ps - Thread objects Time - nt!ke - Timer objects TmDn - nt!tm - Tm Dynamic Name TmEn - nt!tm - Tm KENLISTMENT object TmLo - nt!tm - Tm Log Entries TmNo - nt!tm - Tm Notification TmPa - nt!tm - Tm Propagate Argument TmPb - nt!tm - Tm Propagation Buffer TmPe - nt!tm - Tm Enlistment Pointers TmPi - nt!tm - Tm Protocol Information TmPo - nt!tm - Tm Propagation Output TmPp - nt!tm - Tm Protocol Pointers TmPr - nt!tm - Tm Protocol TmPx - nt!tm - Tm Protocol Array TmRi - nt!tm - Tm Recovery Information TmRm - nt!tm - Tm KRESOURCEMANAGER object TmRq - nt!tm - Tm Propagation Request TmRr - nt!tm - Tm KTM_RESTART_RECORD TmTm - nt!tm - Tm KTRANSACTIONMANAGER object TmTx - nt!tm - Tm KTRANSACTION object Tnbl - - NB Lists Tnbt - - NB Pool TNbl - tcpip.sys - TCP Send NetBufferLists Toke - nt!se - Token objects TOBJ - rdpdr.sys - Topology object TpWc - nt!ex - Threadpool minipacket context TpWo - nt!ex - Threadpool worker factory objects TQoS - tcpip.sys - TL QoS Client Data Tran - - EXIFS Translate Trcd - netiobvt.sys - NB Control Data Tslc - tcpip.sys - WFP TL Shim Layer Cache Tscf - netio.sys - WFP Filter Engine Cached Filter Block TSBV - - WDM mini driver for Toshiba 750 capture TSdd - rdpdd.sys - RDPDD - Hydra Display Driver TSch - rdpwd.sys - RDPWD - Hydra char conversion TSic - termdd.sys - Terminal Services - ICA_POOL_TAG TSlc - rdpwd.sys - RDPWD - Hydra Licensing TSmc - - PDMCS - Hydra MCS Protocol Driver Tspk - ksecdd.sys - TS Package kernel mode client allocations TSq - - Terminal Services - Queue - TSQ_TAG TSrp - termdd.sys - Terminal Services - RP_ALLOC_TAG TSwd - rdpwd.sys - RDPWD - Hydra Winstation Driver Ttnc - tcpip.sys - WFP tunnel nexthop context Tsmp - tcpip.sys - TCP Send Memory Descriptor Lists TSNb - tcpip.sys - TCP Send NetBuffers TTsp - tcpip.sys - TCP TCB Sends TtCo - - TTCP Connections TtcC - - TTCP Controllers TtcL - - TTCP Listeners TtcM - - TTCP Mappings TtcN - - TTCP NPIs TtcW - - TTCP Work Items Ttfd - - TrueType Font driver TTFC - - Font file cache Thrm - - Thermal zone structure Tun4 - - Tunnel cache allocation for long file name TunL - - Tunnel cache lookaside-allocated elements TunP - - Tunnel cache oddsized pool-allocated elements TunK - - Tunnel cache temporary key value TuSB - tunnel.sys - Tunnel stack block TWTa - tcpip.sys - Echo Request Timer Table TWTs - netiobvt.sys - BVT TW Generic Buffers Txcl - ntfs.sys - TXF_CLR_RESERVATION_CHUNK Txdl - ntfs.sys - TXF_DELETED_LINK Txdr - ntfs.sys - TXF_DEFAULT_READER_SECTION Txf0 - ntfs.sys - TxfCallbacks.c Txf1 - ntfs.sys - TxfTrans.c Txfa - ntfs.sys - NameForLogging Txfb - ntfs.sys - TXF_FCB_LIST_FOR_WALKUP Txfc - ntfs.sys - TXF_FCB TxfD - ntfs.sys - TxfData.c TxFe - ntfs.sys - TXF_LOGREC_FILE_NAME_OPERATION TxfE - ntfs.sys - TXF_TRANS_REQUEST Txfe - ntfs.sys - TXF_FCB_EXTENSION TxfF - ntfs.sys - TxfAllocateTxfFcbTableEntry Txff - ntfs.sys - TXF_LOGREC_SET_SHORT_NAME Txfg - ntfs.sys - TXF_LOGREC_FILE_NAME_OPERATION file create TxfH - ntfs.sys - TXF_TRANS_REQUEST Txfh - ntfs.sys - TXF_LOGREC_FILE_NAME_OPERATION delete file Txfi - ntfs.sys - TXF_FCB_INFO Txfj - ntfs.sys - TxfBuildIsolatedNormalizedName TxfK - ntfs.sys - LongFileNameAttribute Txfk - ntfs.sys - TxfScb->AttributeName.Buffer Txfl - ntfs.sys - TXF_FCB_CLEANUP TxfM - ntfs.sys - ShortNameAttribute Txfm - ntfs.sys - TXF FAST_MUTEX Txfo - ntfs.sys - TXF_FO Txfq - ntfs.sys - Txf quota block TxfR - ntfs.sys - TxfAllocateFullFilePathForChangeNotify Txfs - ntfs.sys - TXFS_START_RM_INFORMATION RmParameters Txfu - ntfs.sys - CLFS_MGMT_CLIENT_REGISTRATION Txfv - ntfs.sys - CLFS_INFORMATION LogFileInformation TxfW - ntfs.sys - KEVENT in TxfWaitForEnlistmentCompletion Txfw - ntfs.sys - CLFS_INFORMATION LogFileInformation Txfx - ntfs.sys - TXF_STREAM_ISO_INFO Txgd - ntfs.sys - TxfData global structure Txis - ntfs.sys - TXF_ISO_SNAPSHOT Txlf - ntfs.sys - TXF_FCB (large) Txls - ntfs.sys - TXF_CANCEL_LSN Txre - ntfs.sys - TXF_TOPS_RANGE_ENTRY Txrm - ntfs.sys - TXF_RMCB Txrn - ntfs.sys - TXF_NONPAGED_RMCB Txsa - ntfs.sys - Txf sorted array item Txsc - ntfs.sys - TXF_SCB Txsp - ntfs.sys - TXF_SAVEPOINT Txsp - ntfs.sys - TXF_SCB_PTR TxTb - ntfs.sys - Tops Bitmaps Txtc - ntfs.sys - TXF_TRANS_CANCEL_LIST_ENTRY Txte - ntfs.sys - TXF_RMCB_TABLE_ENTRY Txtr - ntfs.sys - TXF_TRANS (Txf transaction context) Txts - ntfs.sys - TXF_TRANS_SYNC Txvc - ntfs.sys - TXF_VCB Txvd - ntfs.sys - TXF_VSCB_TO_DEREF Txvf - ntfs.sys - TXF_VSCB_FILE_SIZES Txvl - ntfs.sys - TXF_VSCB TXCT - ntfs.sys - TxfAllocateTableSpace TXHT - ntfs.sys - TXF_HANDLE_TABLE TXIS - ntfs.sys - TxfAllocateTableSpace Type - - Type objects U802 - usb8023.sys - RNDIS USB 8023 driver UCAM - - USB digital camera library Udf1 - udfs.sys - Udfs file set descriptor buffer Udf2 - udfs.sys - Udfs volmume recognition sequence descriptor buffer Udf3 - udfs.sys - Udfs volume descriptor sequence descriptor buffer Udf4 - udfs.sys - Udfs logical volume integrity descriptor buffer UdfB - udfs.sys - Udfs dynamic name buffer UdfC - udfs.sys - Udfs CRC table UdfD - udfs.sys - Udfs FID buffer for view spanning UdfF - udfs.sys - Udfs nonpaged Fcb UdfI - udfs.sys - Udfs IO context UdfL - udfs.sys - Udfs IRP context lite (delayed close) UdfN - udfs.sys - Udfs normalized full filename UdfS - udfs.sys - Udfs short file name UdfT - udfs.sys - Udfs generic table entry Udfa - udfs.sys - Udfs AD buffer Udfb - udfs.sys - Udfs IO buffer Udfc - udfs.sys - Udfs IRP context Udfd - udfs.sys - Udfs file Scb Udfe - udfs.sys - Udfs enumeration match expression Udff - udfs.sys - Udfs Fcb Udfi - udfs.sys - Udfs directory Scb Udfl - udfs.sys - Udfs Lcb Udfn - udfs.sys - Udfs Nonpaged Scb Udfp - udfs.sys - Udfs Pcb Udfs - udfs.sys - Udfs Sparing Mcb Udft - udfs.sys - Udfs CDROM TOC Udfv - udfs.sys - Udfs Vpb UdfV - udfs.sys - Udfs VMCB dirty sector bitmap Udfx - udfs.sys - Udfs Ccb UdAE - tcpip.sys - UDP Activate Endpoints UdCo - tcpip.sys - UDP Compartment UdEW - tcpip.sys - UDP Endpoint Work Queue Contexts UdMI - tcpip.sys - UDP Message Indications UDNb - tcpip.sys - UDP NetBuffers UdpA - tcpip.sys - UDP Endpoints UdpH - tcpip.sys - UDP Headers UdpI - tcpip.sys - UDP Interface UdPM - tcpip.sys - UDP Partial Memory Descriptor Lists UdpN - tcpip.sys - UDP Name Service Interfaces UdSM - tcpip.sys - UDP Send Messages Requests UNbl - tcpip.sys - UDP NetBufferLists Udp - - Udp protocol (TCP/IP driver) Ufsc - - User FULLSCREEN UHCD - - Universal Host Controller (USB - Intel Controller) UHUB - - Universal Serial Bus Hub Ul?? - http.sys - tags. Note: In-use tags are of the form "Ul??" or "Uc??".and Free tags are of the form "uL??" or "uC??"; Uc?? - http.sys - i.e., the case of the leading "Ul" or "Uc" has been reversed. Ucac - http.sys - Auth Cache Pool UcCO - http.sys - Client Connection Ucmp - http.sys - Multipart String Buffer Ucre - http.sys - Receive Response Ucrp - http.sys - Response App Buffer Ucrq - http.sys - Request Pool UcSc - http.sys - Common Server Information UcSN - http.sys - Server name UcSP - http.sys - Process Server Information UcSp - http.sys - Sspi Pool UcST - http.sys - Server info table Uctd - http.sys - Response Tdi Buffer Ucte - http.sys - Entity Pool Ucto - http.sys - Tdi Objects Pool UlAB - http.sys - Auxiliary Buffer UlAO - http.sys - App Pool Object UlAP - http.sys - App Pool Process UlBL - http.sys - Binary Log File Entry UlBO - http.sys - Outstanding i/o UlCC - http.sys - Control Channel UlCE - http.sys - Config Group Tree Entry UlCH - http.sys - Config Group Tree Header UlCI - http.sys - Config Group URL Info UlCJ - http.sys - Config Group Object Pool UlCK - http.sys - Chunk Tracker UlCL - http.sys - Config Group LogDir UlCl - http.sys - Connection RefTraceLog UlCO - http.sys - Connection UlCT - http.sys - Config Group Timestamp UlCY - http.sys - Connection Count Entry UlDB - http.sys - Debug UlDC - http.sys - Data Chunks array UlDO - http.sys - Disconnect Object UlDR - http.sys - Deferred Remove Item UlDT - http.sys - Debug Thread Pool UlEP - http.sys - Endpoint UlFA - http.sys - Force Abort Work Item UlFC - http.sys - File Cache Entry Ulfc - http.sys - Uri Filter Context UlFD - http.sys - Noncached File Data UlFP - http.sys - Filter Process UlFR - http.sys - Dummy Filter Receive Buffer UlFT - http.sys - Filter Channel UlFU - http.sys - Full Tracker UlFW - http.sys - Filter Write Tracker UlHC - http.sys - Http Connection UlHc - http.sys - Http Connection RefTraceLog UlHL - http.sys - Internal Request RefTraceLog UlHR - http.sys - Internal Request UlHT - http.sys - Hash Table UlHV - http.sys - Header Value UlIC - http.sys - Irp Context UlID - http.sys - Conn ID Table UlIR - http.sys - Internal Response UlLD - http.sys - Log Field UlLF - http.sys - Log File Entry UlLG - http.sys - Log Generic UlLH - http.sys - Log File Handle UlLL - http.sys - Log File Buffer UlLS - http.sys - Ansi Log Data Buffer UlLT - http.sys - Binary Log Data Buffer UlNO - http.sys - NSGO Pool UlNP - http.sys - Non-Paged Data UlOE - http.sys - Endpoint OwnerRefTraceLog PoolTag UlOR - http.sys - Owner RefTrace Signature UlOT - http.sys - Opaque ID Table UlPB - http.sys - APool Proc Binding UlPL - http.sys - Pipeline UlQF - http.sys - TCI Filter UlQG - http.sys - TCI Generic UlQI - http.sys - TCI Interface UlQL - http.sys - TCI Flow UlQT - http.sys - TCI Tracker UlQW - http.sys - TCI WMI UlRB - http.sys - Receive Buffer UlRD - http.sys - Registry Data UlRE - http.sys - Request Body Buffer UlRP - http.sys - Request Buffer UlRR - http.sys - Request Buffer References UlRS - http.sys - Non-Paged Resource UlRT - http.sys - RefTraceLog PoolTag UlSC - http.sys - SSL Cert Data UlSD - http.sys - Security Data UlSl - http.sys - StringLog Buffer PoolTag UlSL - http.sys - StringLog PoolTag UlSO - http.sys - Site Counter Entry UlSS - http.sys - Simple Status Item UlTA - http.sys - Address Pool UlTD - http.sys - UL_TRANSPORT_ADDRESS UlTT - http.sys - Thread Tracker UlUB - http.sys - URL Buffer UlUC - http.sys - Uri Cache Entry UlUH - http.sys - HTTP Unknown Header UlUL - http.sys - URL UlUM - http.sys - URL Map UlVH - http.sys - Virtual Host UlWC - http.sys - Work Context UlWI - http.sys - Work Item UndP - - EXIFS Underlying Path UMD? - WUDFRd.sys - UMDF pool allocation USBB - bthusb.sys - Bluetooth USB minidriver USBD - - Universal Serial Bus Class Driver UsbS - usbser.sys - USB Serial Driver V2ic - vhdmp.sys - VHD2 external I/O allocation V2io - vhdmp.sys - VHD2 internal I/O allocation V2lg - vhdmp.sys - VHD2 core large allocation V2rv - vhdmp.sys - VHD2 reserved VA mapping V2sm - vhdmp.sys - VHD2 core allocation V2sr - vhdmp.sys - VHD2 SRB range allocation V2wi - vhdmp.sys - VHD2 work item V2?? - vhdmp.sys - VHD2 pool allocation Vad - nt!mm - Mm virtual address descriptors VadF - nt!mm - VADs created by a FreeVM splitting Vadl - nt!mm - Mm virtual address descriptors (long) VadS - nt!mm - Mm virtual address descriptors (short) Vbus - vmbus.sys - Virtual Machine Bus Driver VbuW - vmbus.sys - Virtual Machine Bus Driver (WDF) Vbxp - vmbus.sys - Virtual Machine Bus Driver (cross partition) VcCh - rdpdr.sys - Dynamic Virtual channel object VcFl - rdpdr.sys - Dynamic Virtual file object VcMn - rdpdr.sys - Dynamic Virtual manager object VcSn - rdpdr.sys - Dynamic Virtual session object VDM - nt!vdm - ntos\vdm VdDr - Vid.sys - Virtual Machine Virtualization Infrastructure Driver VdMm - Vid.sys - Virtual Machine Virtualization Infrastructure Driver (VSMM service) VdWd - Vid.sys - Virtual Machine Virtualization Infrastructure Driver (WDF) vDMc - dmvsc.sys - Virtual Machine Dynamic Memory VSC Driver vDMW - dmvsc.sys - Virtual Machine Dynamic Memory VSC Driver (WDF) Vflt - vmstorfl.sys - Virtual Machine Storage Filter Driver VflW - vmstorfl.sys - Virtual Machine Storage Filter Driver (WDF) VdPN - dxgkrnl.sys - Video display mode management Vepp - nt!Vf - Verifier Pool Tracking information VfAT - nt!Vf - Verifier AVL trees VfIT - nt!Vf - Verifier Import Address Table information VfPT - nt!Vf - Verifier Allocate/Free Pool stack traces VfUs - nt!Vf - Memory allocated by a call to IoSetCompletionRoutineEx. Vfwi - nt!Vf - IO_WORKITEM allocated by I/O verifier version of IoAllocateWorkItem ViIn - nt!Vf - Verifier Internal Tag for pool tracking VMdl - nt!Vf - MDL allocated by I/O verifier version of IoAllocateMdl VNod - nt!Vf - Deadlock Verifier nodes VRes - nt!Vf - Deadlock Verifier resources VStr - nt!Vf - String buffer allocated by the Driver Verifier version of Rtl String APIs VHDa - vhdmp.sys - VHD generic allocator VHDA - vhdmp.sys - VHD generic allocator pool VHDb - vhdmp.sys - VHD Block Allocation Table VHDf - vhdmp.sys - VHD file entry VHDh - vhdmp.sys - VHD header VHDi - vhdmp.sys - VHD IO Range VHDI - vhdmp.sys - VHD IO Range pool VHDl - vhdmp.sys - VHD LUN VHDm - vhdmp.sys - VHD bitmap VHDn - vhdmp.sys - VHD filename VHDo - vhdmp.sys - VHD footer VHDp - vhdmp.sys - VHD filepath VHDr - vhdmp.sys - VHD read buffer VHDs - vhdmp.sys - VHD sector map VHDS - vhdmp.sys - VHD symbolic link VHDt - vhdmp.sys - VHD tracking information VHDw - vhdmp.sys - VHD work item VHDy - vhdmp.sys - VHD dynamic header VHD? - vhdmp.sys - VHD allocation VHde - vmusbhub.sys - Virtual Machine USB Hub Driver (descriptor) VHif - vmusbhub.sys - Virtual Machine USB Hub Driver (interface) VHps - vmusbhub.sys - Virtual Machine USB Hub Driver (Pnp string) VHrc - vmusbhub.sys - Virtual Machine USB Hub Driver (request context) VHtx - vmusbhub.sys - Virtual Machine USB Hub Driver (text) VHub - vmusbhub.sys - Virtual Machine USB Hub Driver (Bus) VHur - vmusbhub.sys - Virtual Machine USB Hub Driver (URB) VHuW - vmusbhub.sys - Virtual Machine USB Hub Driver (WDF) Vi01 - dxgmms2.sys - Video memory manager global alloc Vi02 - dxgmms2.sys - Video memory manager local alloc Vi03 - dxgmms2.sys - Video memory manager alloc Vi06 - dxgmms2.sys - Video memory manager segment Vi07 - dxgmms2.sys - Video memory manager segment range Vi08 - dxgmms2.sys - Video memory manager device Vi09 - dxgmms2.sys - Video memory manager process Vi0a - dxgmms2.sys - Video memory manager global alloc VGPU Vi10 - dxgmms2.sys - Video memory manager process heap Vi11 - dxgmms2.sys - Video memory manager process heap block Vi12 - dxgmms2.sys - Video memory manager process heap alloc Vi13 - dxgmms2.sys - Video memory manager process adapter info Vi14 - dxgmms2.sys - Video memory manager process commitment info Vi15 - dxgmms2.sys - Video memory manager global state Vi16 - dxgmms2.sys - Video memory manager command state Vi17 - dxgmms2.sys - Video memory manager pool Vi18 - dxgmms2.sys - Video memory manager pool block Vi19 - dxgmms2.sys - Video memory manager pool block array Vi20 - dxgmms2.sys - Video memory manager commitment info Vi21 - dxgmms2.sys - Video memory manager segment descriptor Vi22 - dxgmms2.sys - Video memory manager DMA buffer Vi23 - dxgmms2.sys - Video memory manager DMA buffer allocation table Vi24 - dxgmms2.sys - Video memory manager DMA buffer allocation list Vi25 - dxgmms2.sys - Video memory manager DMA buffer patch location list Vi26 - dxgmms2.sys - Video memory manager protected allocation Vi27 - dxgmms2.sys - Video memory manager resource list Vi28 - dxgmms2.sys - Video memory manager mutex Vi29 - dxgmms2.sys - Video memory manager DMA pool Vi30 - dxgmms2.sys - Video memory manager slot table Vi31 - dxgmms2.sys - Video memory manager dummy page Vi32 - dxgmms2.sys - Video memory manager DMA buffer private data Vi35 - dxgmms2.sys - Video memory manager MDL Vi36 - dxgmms2.sys - Video memory manager pages history Vi37 - dxgmms2.sys - Video memory manager DMA buffer global alloc table Vi38 - dxgmms2.sys - Video memory manager allocation fence array Vi39 - dxgmms2.sys - Video memory manager migration table Vi40 - dxgmms2.sys - Video memory manager migration table lock Vi41 - dxgmms2.sys - Video memory manager process budget info Vi42 - dxgmms2.sys - Video memory manager global alloc nonpaged Vi43 - dxgmms2.sys - Video memory manager async operation Vi44 - dxgmms2.sys - Video memory manager fence storage Vi45 - dxgmms2.sys - Video memory manager CPU host aperture Vi46 - dxgmms2.sys - Video memory manager CPU host aperture page Vi47 - dxgmms2.sys - Video memory manager worker thread Vi48 - dxgmms2.sys - Video memory manager paging queue Vi49 - dxgmms2.sys - Video memory manager GPU VA Vi50 - dxgmms2.sys - Video memory manager physical adapter Vi51 - dxgmms2.sys - Video memory manager set VPR work item Vi52 - dxgmms2.sys - Video memory manager paging history Vi53 - dxgmms2.sys - Video memory manager page table Vi54 - dxgmms2.sys - Video memory manager PTE array Vi55 - dxgmms2.sys - Video memory manager VA range Vi56 - dxgmms2.sys - Video memory manager page directory Vi57 - dxgmms2.sys - Video memory manager PDE array Vi58 - dxgmms2.sys - Video memory manager release resource command Vi59 - dxgmms2.sys - Video memory manager deferred unlock Vi5a - dxgmms2.sys - Video memory manager PTE owner data Vi5b - dxgmms2.sys - Video memory manager partition Vi5c - dxgmms2.sys - Video memory manager partition adapter info Vi5d - dxgmms2.sys - Video memory manager cross adapter alloc Vi5e - dxgmms2.sys - Video memory manager scheduling log Vi5f - dxgmms2.sys - Video scheduler async operation Vi60 - dxgmms2.sys - Video memory manager cross adapter data Vi61 - dxgmms2.sys - Video memory manager context alloc Via0 - dxgmms2.sys - GPU scheduler adapter state Via1 - dxgmms2.sys - GPU scheduler node state Via2 - dxgmms2.sys - GPU scheduler process state Via3 - dxgmms2.sys - GPU scheduler device state Via4 - dxgmms2.sys - GPU scheduler context state Via5 - dxgmms2.sys - GPU scheduler queue packet Via6 - dxgmms2.sys - GPU scheduler DMA packet Via7 - dxgmms2.sys - GPU scheduler VSync cookie Via8 - dxgmms2.sys - GPU scheduler GPU sync object Via9 - dxgmms2.sys - GPU scheduler present info Viaa - dxgmms2.sys - GPU scheduler history buffer Viab - dxgmms2.sys - GPU scheduler periodic frame notification state Viac - dxgmms2.sys - GPU scheduler hardware context Viad - dxgmms2.sys - GPU scheduler hardware queue Viae - dxgmms2.sys - GPU scheduler monitored fence Viaf - dxgmms2.sys - GPU scheduler sync point Vib0 - dxgmms2.sys - GPU scheduler pending IFlip token Vib1 - dxgmms2.sys - GPU scheduler flip queue entry VidL - videoprt.sys - VideoPort Allocation List (FDO_EXTENSION) VidR - videoprt.sys - VideoPort Allocation on behalf of Miniport ViMm - dxgkrnl.sys - Video memory manager virt - vmm.sys - Virtual Machine Manager (VPC/VS) ViSh - dxgkrnl.sys - Video scheduler Vk?? - vmbkmcl.sys - Hyper-V VMBus KMCL driver Vkin - vmbkmcl.sys - Hyper-V VMBus KMCL driver (incoming packets) Vkou - vmbkmcl.sys - Hyper-V VMBus KMCL driver (outgoing packets) VM?? - volmgr.sys - Volume Manager VM - volmgr.sys - General allocations Vm?? - volmgrx.sys - Volume Manager Extension Vm - volmgrx.sys - General allocations VmBl - volmgrx.sys - Raw configuration blocks VmBu - volmgrx.sys - I/O buffers VmCc - volmgrx.sys - Configuration copies VmCo - volmgrx.sys - Configurations VmCp - volmgrx.sys - Copies VmCr - volmgrx.sys - Completion routine contexts VmDc - volmgrx.sys - Device changes VmDd - volmgrx.sys - Disk devices VmDh - volmgrx.sys - Disk headers VmLa - volmgrx.sys - Drive layouts VmLb - volmgrx.sys - Log blocks VmLc - volmgrx.sys - Log copies VmLo - volmgrx.sys - Logs VmLr - volmgrx.sys - Log raw content VmMm - volmgrx.sys - Mirror emergency mappings VmNe - volmgrx.sys - Notification entries VmOb - volmgrx.sys - I/O objects VmP0 - volmgrx.sys - Packets VmP1 - volmgrx.sys - Small packets VmP2 - volmgrx.sys - Large packets VmP3 - volmgrx.sys - Huge packets VmPa - volmgrx.sys - Packs VmPd - volmgrx.sys - Physical disks VmPs - volmgrx.sys - Arrays of packets VmRb - volmgrx.sys - Raw record buffers VmRc - volmgrx.sys - Raw configurations VmRe - volmgrx.sys - Records VmRi - volmgrx.sys - Record information VmRm - volmgrx.sys - RAID-5 emergency mappings VmRr - volmgrx.sys - Raw records VmTa - volmgrx.sys - I/O tasks VmTc - volmgrx.sys - Table of contents VmTe - volmgrx.sys - Table of contents entries VmTx - volmgrx.sys - Transactions VmUe - volmgrx.sys - User entries VmVd - volmgrx.sys - Volume devices VmWi - volmgrx.sys - Work items VmbK - kmcl.lib - Virtual Machine Bus Kernel Mode Client Library VmCh - ChimneyLib.lib - Virtual Machine Network Chimney Library VmFP - vfpext.sys - Virtual Filtering Platform driver VMhd - vmbushid.sys - Virtual Machine Input VSC Driver VMIN - vwifimp.sys - Virtual Wi-Fi miniport Vmsc - storchannel.lib - Virtual Machine Storage VSC Channel Library VNC - netvsc50.sys/netvsc60.sys - Virtual Machine Network VSC Driver VNCm - netvsc50.sys/netvsc60.sys - Virtual Machine Network VSC Driver (RNDIS miniport driver library, message or object) VNCn - netvsc50.sys/netvsc60.sys - Virtual Machine Network VSC Driver (NBL) VNCr - netvsc50.sys/netvsc60.sys - Virtual Machine Network VSC Driver (RNDIS message context signature) VNCW - netvsc50.sys/netvsc60.sys - Virtual Machine Network VSC Driver (WDF) VoS? - volsnap.sys - VolSnap (Volume Snapshot Driver) VoSa - volsnap.sys - Application information allocations VoSb - volsnap.sys - Buffer allocations VoSc - volsnap.sys - Snapshot context allocations VoSd - volsnap.sys - Diff area volume allocations VoSf - volsnap.sys - Diff area file allocations VoSh - volsnap.sys - Bit history allocations VoSi - volsnap.sys - Io status block allocations VoSm - volsnap.sys - Bitmap allocations VoSo - volsnap.sys - Old heap entry allocations VoSp - volsnap.sys - Pnp id allocations VoSr - volsnap.sys - Device relations allocations VoSs - volsnap.sys - Short term allocations VoSt - volsnap.sys - Temp table allocations VoSw - volsnap.sys - Work queue allocations VoSx - volsnap.sys - Dispatch context allocations Vpb - - Io, vpb's VPrs - passthruparser.sys - Virtual Machine Storage Passthrough Parser Driver Vprt - videoprt.sys - Video port for legacy (pre-Vista) display drivers VraP - - parallel class driver Vtfd - - Font file/context Vrdc - netvsc60.sys - Virtual Machine Network VSC Driver (NDIS 6, RNDIS miniport driver library, chimney neighbor or path context) Vrdt - netvsc60.sys - Virtual Machine Network VSC Driver (NDIS 6, RNDIS miniport driver library, chimney TCP context) Vrdi - netvsc60.sys - Virtual Machine Network VSC Driver (NDIS 6, RNDIS miniport driver library, chimney initiate offload) VSAB - utils.lib - Virtual Machine Storage VSP Utility Library VsAT - vmswitch.sys - Virtual Machine Network Switch Driver (address table) VsC4 - vmswitch.sys - Virtual Machine Network Switch Driver (chimney path4 context) VsC6 - vmswitch.sys - Virtual Machine Network Switch Driver (chimney path6 context) VsCH - vmswitch.sys - Virtual Machine Network Switch Driver (chimney handle) VsCN - vmswitch.sys - Virtual Machine Network Switch Driver (chimney neighbor context) VsCP - vmswitch.sys - Virtual Machine Network Switch Driver (chimney NBL context) VsCs - vmswitch.sys - Virtual Machine Network Switch Driver (configuration store) VsCT - vmswitch.sys - Virtual Machine Network Switch Driver (chimney TCP context) VsDI - vmswitch.sys - Virtual Machine Network Switch Driver (direct I/O NIC) VsNb - vmswitch.sys - Virtual Machine Network Switch Driver (NBL) VsOb - vmswitch.sys - Virtual Machine Network Switch Driver (object allocation) VsRD - vmswitch.sys - Virtual Machine Network Switch Driver (RNDIS device) VsRm - vmswitch.sys - Virtual Machine Network Switch Driver (routing) VsRT - vmswitch.sys - Virtual Machine Network Switch Driver (routing table) VssB - vmswitch.sys - Virtual Machine Network Switch Driver (balance) VssM - vmswitch.sys - Virtual Machine Network Switch Driver (miniport NIC) VssP - vmswitch.sys - Virtual Machine Network Switch Driver (protocol NIC) VsSw - vmswitch.sys - Virtual Machine Network Switch Driver VsSW - vmswitch.sys - Virtual Machine Network Switch Driver (WDF) VsVN - vmswitch.sys - Virtual Machine Network Switch Driver (VM NIC) Vsvq - vmswitch.sys - Virtual Machine Network Switch Driver (VMQ) VSt - storvsp.sys - Virtual Machine Storage VSP Driver VSta - storvsp.sys - Virtual Machine Storage VSP Driver (adapter) VStb - storvsp.sys - Virtual Machine Storage VSP Driver (balance) VStd - storvsp.sys - Virtual Machine Storage VSP Driver (device) VStp - storvsp.sys - Virtual Machine Storage VSP Driver (parser) VStu - storvsp.sys - Virtual Machine Storage VSP Driver (authentication) VStW - storvsp.sys - Virtual Machine Storage VSP Driver (WDF) VSVL - VMBusVideoM.sys - Virtual Machine Synthetic Video Display Driver vS3W - vms3cap.sys - Virtual Machine Emulated S3 Device Cap Driver (WDF) vTDR - dxgkrnl.sys - Video timeout detection/recovery VubH - vmusbbus.sys - Virtual Machine USB Bus Driver VubW - vmusbbus.sys - Virtual Machine USB Bus Driver (WDF) VuCH - vuc.sys - Virtual Machine USB Connector Driver (connector handle) VuCP - vuc.sys - Virtual Machine USB Connector Driver (virtual hub ports) VuCU - vuc.sys - Virtual Machine USB Connector Driver (connector URB) VuCW - vuc.sys - Virtual Machine USB Connector Driver (WDF) VusW - vmusbstub.sys - Virtual Machine USB Stub Driver (WDF) VVpc - vhdparser.sys - Virtual Machine Storage VHD Parser Driver (context) VVpp - vhdparser.sys - Virtual Machine Storage VHD Parser Driver (parser) VWFB - vwifibus.sys - Virtual Wi-Fi Bus Driver VWFF - vwififlt.sys - Virtual Wi-Fi Filter Driver (object allocation) VWnd - vwififlt.sys - Virtual Wi-Fi Filter Driver (requests) Wait - nt!io - WaitCompletion Packets Wan? - - NdisWan Tags (PPP Framing module for Remote Access) WanA - - BundleCB WanB - - ProtocolCB/LinkCB WanC - - DataDesc WanD - - WanRequest WanE - - LoopbackDesc WanG - - MiniportCB WanH - - OpenCB WanI - - IoPacket WanJ - - LineUpInfo WanK - - Unicode String Buffer WanL - - Protocol Table WanM - - Connection Table WanN - - NdisPacketPool Desc WanQ - - DataBuffer WanR - - WanPacket WanS - - AfCB/SapCB/VcCB WanT - - Transform Driver WanV - - RC4 Encryption Context WanW - - SHA Encryption WanX - - Send Compression Context WanY - - Recv Compression Context WanZ - - Protocol Specific Info Wdm - - WDM WDMA - - WDM Audio Wdog - watchdog.sys - Watchdog object/context allocation Wfp? - netio.sys - Windows Filtering Platform Tags WfpF - netio.sys - WFP filters WfpM - netio.sys - WFP filter match buffers WfpI - netio.sys - WFP index WfpH - netio.sys - WFP hash WfpR - netio.sys - WFP RPC WfpC - netio.sys - WFP callouts WfpS - netio.sys - WFP startup WfpL - netio.sys - WFP fast cache WfpE - netio.sys - WFP extension Wfpn - netio.sys - WFP NBL info container WfTi - - WFP timer WfSt - - WFP string werk - - WER kernel mode reporting allocation WKSM - werkernel.sys - WER kernel mode reporting allocation of WERSVC message WimF - wimfsf.sys - WIM Boot Filter Wl2l - wfplwfs.sys - WFP L2 LWF context Wl2g - wfplwfs.sys - WFP L2 generic block Wl2c - wfplwfs.sys - WFP L2 classify cache Wl2f - wfplwfs.sys - WFP L2 flow Wl2n - wfplwfs.sys - WFP L2 NBL context WlBs - writelog.sys - Writelog block store WlFc - writelog.sys - Writelog fsd context WlGc - writelog.sys - Writelog global context WlIb - writelog.sys - Writelog I/O buffer WlLb - writelog.sys - Writelog library buffer WlCb - writelog.sys - Writelog checkpoint buffer WlPw - writelog.sys - Writelog planned write WlMh - writelog.sys - Writelog marker header WlMp - writelog.sys - Writelog marker payload WlDt - writelog.sys - Writelog drain target Wmii - - Wmi InstId chunks Wmij - - Wmi GuidMaps Wmim - - Wmi KM to UM Notification Buffers Wmin - - Wmi Notification Slot Chunks Wmip - - Wmi General purpose allocation Wmiq - - Wmi NBQ Blocks Wmis - - Wmi SysId allocations Wmit - - Wmi Trace Wmiw - - Wmi Notification Waiting Buffers, in paged queue waiting for IOCTL Wmiz - - Wmi MCA Insertions debug code WmiA - - Wmi ACPI mapper WmiC - - Wmi Create Pump Thread Work Item WmiD - - Wmi Registration DataSouce WmiG - - Allocation of WMIGUID WmiI - - Wmi Instance Names WmiL - - WmiLIb WmiN - - Wmi Notification Notification Packet WmiR - - Wmi Registration info blocks WmDS - - Wmi DataSource chunks WmGE - - Wmi GuidEntry chunks WmIS - - Wmi InstanceSet chunks WmMR - - Wmi MofResouce chunks WMca - - WMI MCA Handling Wnf - nt!wnf - Windows Notification Facility WofD - wof.sys - Wof directory buffer WofF - wof.sys - Wof file context Woff - wof.sys - Wof extended file context WofG - wof.sys - Wof general allocation WofH - wof.sys - Wof handle context WofI - wof.sys - Wof inflate buffer WofS - wof.sys - Wof stream context Woft - wof.sys - Wof transaction context WofV - wof.sys - Wof volume context wpcf - wof.sys - Wim config file wpci - wof.sys - Wim integrity wpct - wof.sys - Wim chunk table wpcx - wof.sys - Wim IO context wpdw - wof.sys - Wim decompression workspace wpgn - wof.sys - Wim general wppm - wof.sys - Wim IO parameters wprd - wof.sys - Wim small read buffer wpRD - wof.sys - Wim large read buffer wprt - wof.sys - Wim resource table wpvo - wof.sys - Wim volume overlay wpwf - wof.sys - Wim file wpwi - wof.sys - Wim work item wpxp - wof.sys - Wim xpress context Wrp? - - WanArp Tags (ARP module for Remote Access) Wrpa - - WAN_ADAPTER_TAG Wrpi - - WAN_INTERFACE_TAG Wrpr - - WAN_REQUEST_TAG Wrps - - WAN_STRING_TAG Wrpc - - WAN_CONN_TAG Wrpw - - WAN_PACKET_TAG Wrpf - - FREE_TAG (checked builds only) Wrpd - - WAN_DATA_TAG Wrph - - WAN_HEADER_TAG Wrpn - - WAN_NOTIFICATION_TAG WSCD - WFPSamplerCalloutDriver.sys - WFPSampler Callout Driver WSKs - afd.sys - WSK socket WSNP - WFPSamplerCalloutDriver.sys - WFPSampler Callout Driver NDIS Pool WtdA - wtd.sys - WTD ACS implementation WtdE - wtd.sys - WTD event queue WtdF - wtd.sys - WTD chipc implementation WtdJ - wtd.sys - WTD event stats WtdK - wtd.sys - WTD KMDF framework WtdL - wtd.sys - WTD chipc dll scan WtdN - wtd.sys - WTD WFP implementation WvCy - - WDM Audio WaveCyc port WvPc - - WDM Audio WavePCI port xCVD - mrxdav.sys - AsyncEngineContext Tag XDR? - rpcxdr.sys - NFS (Network File System) XDR driver xSMB - smbmrx.sys - IFSKIT sample SMB mini-redirector XWan - - ndis\usrwan allocations Xtra - - EXIFS Extra Create ZsaB - - EXIFS ZeroBlock Adbe - win32k.sys - GDITAG_ATM_FONT Bmfd - win32k.sys - GDITAG_BMP_FONT Dfsm - win32k.sys - GDITAG_ENG_EVENT DwmL - win32k!HwndLookupAllocTableData - GDITAG_DWM_HWND_LOOKUP DWMt - win32k.sys - GDITAG_DWM_SENDTOUCHCONTACTS DWMv - win32k.sys - GDITAG_DWM_VALIDATION Dxdd - win32k!DxLddmSharedPrimaryLockNotification - GDITAG_LOCKED_PRIMARY Gill - win32kbase.sys - GDITAG_ISOLATED_LOOKASIDE_LIST Gila - win32kbase.sys - GDITAG_ISOLATED_LOOKASIDE_LIST_ALLOCATION Gadb - win32k!XDCOBJ::bAddColorTransform - GDITAG_DC_COLOR_TRANSFORM Gadd - win32k.sys - GDITAG_DC_FONT Galp - win32k!AlphaScanLineBlend - GDITAG_ALPHABLEND Gapc - win32kfull!UmfdQueueTryUnzombifyPffApc - GDITAG_UNZOMBIFY_APC Gbaf - win32k.sys - GDITAG_BRUSH_FREELIST Gbdl - win32k!BRUSH::bAddIcmDIB - GDITAG_ICM_DIB_LIST Gcac - win32k.sys - GDITAG_FONTCACHE Gcsl - win32k!InitializeScripts - GDITAG_SCRIPTS Gcwc - win32k!ConvertToAndFromWideChar - GDITAG_CHAR_TO_WIDE_CHAR Gdbr - win32k!BRUSHOBJ_pvAllocRbrush - GDITAG_RBRUSH Gdcf - win32k.sys - GDITAG_DC_FREELIST GDcs - win32k!GreDwmStartup - GDITAG_DWMSTATE Gdev - win32k.sys - GDITAG_DEVMODE Gdfm - win32k!DoFontManagement - GDITAG_HGLYPH_ARRAY Gdrs - win32k.sys - GDITAG_DRVSUP Gdrv - win32k!EngCreateClip - GDITAG_CLIPOBJ Gdtd - win32k!GreAcquireSemaphoreAndValidate - GDITAG_SEMAPHORE_VALIDATE Gdwd - win32k.sys - GDITAG_WATCHDOG Gebr - win32k!EngRealizeBrush - GDITAG_ENGBRUSH Gedd - win32k.sys - GDITAG_ENUM_DISPLAY_DEVICES Gedg - win32k!bFill - GDITAG_EDGE gEdg - win32k!bTriangleMesh - GDITAG_TRIANGLEDATA Geto - win32k.sys - GDITAG_TEXTOUT Gfda - win32k!UmfdAllocation::Create - GDITAG_UMFD_ALLOCATION Gfdf - win32k!InitializeDefaultFamilyFonts - GDITAG_FONT_DEFAULT_FAMILY Gffv - win32k.sys - GDITAG_FONTFILEVIEW Gfid - win32k.sys - GDITAG_UNIVERSAL_FONT_ID GFil - win32k.sys - GDITAG_FILEPATH Gfil - win32k.sys - GDITAG_MAPFILE GFld - win32k.sys - GDITAG_FLOODFILL Gfnt - win32k!RFONTOBJ::bRealizeFont - GDITAG_RFONT Gfsb - win32k.sys - GDITAG_FONT_SUB Gfsf - win32k!bInitStockFontsInternal - GDITAG_FONT_STOCKFONT Gfsm - win32k!GreCreateFastMutex - GDITAG_FAST_MUTEX Gful - win32k.sys - GDITAG_FULLSCREEN Gfvi - win32k!bUnloadAllButPermanentFonts - GDITAG_FONTVICTIM Ggb - win32k!RFONTOBJ::pgbCheckGlyphCache - GDITAG_GLYPHBLOCK Ggdv - win32k.sys - GDITAG_GDEVICE Ggls - win32k.sys - GDITAG_GLYPHSET Ggly - win32k.sys - GDITAG_HGLYPH Gh?: - win32k.sys - GDITAG_HMGR_LFONT_TYPE Gh?; - win32k.sys - GDITAG_HMGR_RFONT_TYPE Gh?@ - win32k.sys - GDITAG_HMGR_BRUSH_TYPE Gh?> - win32k.sys - GDITAG_HMGR_ICMCXF_TYPE Gh?0 - win32k.sys - GDITAG_HMGR_DEF_TYPE Gh?1 - win32k.sys - GDITAG_HMGR_DC_TYPE Gh?4 - win32k.sys - GDITAG_HMGR_RGN_TYPE Gh?5 - win32k.sys - GDITAG_HMGR_SURF_TYPE Gh?6 - win32k.sys - GDITAG_HMGR_CLIENTOBJ_TYPE Gh?7 - win32k.sys - GDITAG_HMGR_PATH_TYPE Gh?8 - win32k.sys - GDITAG_HMGR_PAL_TYPE Gh?9 - win32k.sys - GDITAG_HMGR_ICMLCS_TYPE Gh?A - win32k.sys - GDITAG_HMGR_UMPD_TYPE Gh?B - win32k.sys - GDITAG_HMGR_HLSURF_TYPE Gh?E - win32k.sys - GDITAG_HMGR_META_TYPE Gh?L - win32k.sys - GDITAG_HMGR_DRVOBJ_TYPE Gh?? - win32k.sys - GDITAG_HMGR_SPRITE_TYPE Gh00 - win32k.sys - GDITAG_HMGR_START Ghab - win32k!FHOBJ::bAddPFELink - GDITAG_PFE_HASHBUCKET Ghas - win32k!FHMEMOBJ::FHMEMOBJ - GDITAG_PFE_HASHTABLE Ghml - win32k.sys - GDITAG_HMGR_LOCK Ghtc - win32k!bSetHTSrcSurfInfo - GDITAG_HALFTONE_COLORTRIAD Ghtm - win32k.sys - GDITAG_HMGR_TEMP Gi2c - win32k.sys - GDITAG_DDCCI Gicm - win32k.sys - GDITAG_ICM Giga - win32k.sys - GDITAG_PRIVATEGAMMA Giog - win32k.sys - GDITAG_COMPOSEDGAMMA Gkbm - win32k.sys - GDITAG_KMODE_BITMAP Gla: - win32k.sys - GDITAG_HMGR_LOOKASIDE_LFONT_TYPE Gla; - win32k.sys - GDITAG_HMGR_LOOKASIDE_RFONT_TYPE Gla@ - win32k.sys - GDITAG_HMGR_LOOKASIDE_BRUSH_TYPE Gla0 - win32k.sys - GDITAG_HMGR_LOOKASIDE_START Gla1 - win32k.sys - GDITAG_HMGR_LOOKASIDE_DC_TYPE Gla4 - win32k.sys - GDITAG_HMGR_LOOKASIDE_RGN_TYPE Gla5 - win32k.sys - GDITAG_HMGR_LOOKASIDE_SURF_TYPE Gla8 - win32k.sys - GDITAG_HMGR_LOOKASIDE_PAL_TYPE Glas - win32k.sys - GDITAG_SCAN_LOOKASIDE_LIST Gldv - win32k.sys - GDITAG_LDEV Glid - win32k!GetLanguageID - GDITAG_LOCALEINFO Glnk - win32k!FHOBJ::bAddPFELink - GDITAG_PFE_LINK Gmap - win32k!InitializeFontSignatures - GDITAG_FONT_MAPPER Gmso - win32k!MULTISORTBLTORDER::MULTISORTBLTORDER - GDITAG_DISPURF_SORT Gmul - win32k!MULTIFONT::MULTIFONT - GDITAG_MULTIFONT Gnls - win32k.sys - GDITAG_NLS Gogl - win32k!iOpenGLExtEscape - GDITAG_OPENGL GOPM - win32k.sys - GDITAG_OPM GPal - win32k.sys - GDITAG_PALETTE Gpan - win32k.sys - GDITAG_PANNING_PDEV Gpat - win32k.sys - GDITAG_PATHOBJ Gpfe - win32k!PFFMEMOBJ::bAllocPFEData - GDITAG_PFF_INDEXES Gpff - win32k.sys - GDITAG_PFF Gpft - win32k!pAllocateAndInitializePFT - GDITAG_PFT Gpgb - win32k!EngPlgBlt - GDITAG_PLGBLT_DATA Gpid - win32k!NtGdiSetPUMPDOBJ - GDITAG_PRINTCLIENTID Gppo - win32k!XCLIPOBJ::ppoGetPath - GDITAG_CLIP_PATHOBJ Gppt - win32k!PROXYPORT::PROXYPORT - GDITAG_PROXYPORT Gpre - win32k!pSpCreatePresent - GDITAG_PRESENT Gqnk - win32k!bComputeQuickLookup - GDITAG_LFONT_QUICKLOOKUP Grgb - win32k.sys - GDITAG_PALETTE_RGB_XLATE Grgn - win32k.sys - GDITAG_REGION Gsem - win32k.sys - GDITAG_SEMAPHORE Gsp - win32k!pSpCreateSprite - GDITAG_SPRITE Gspm - win32k.sys - GDITAG_METASPRITE Gspr - win32k.sys - GDITAG_SPRITESCAN Gsta - win32k.sys - GDITAG_STACKTRACE Gsth - win32k.sys - GDITAG_STRETCHBLT Gsty - win32k!GreExtCreatePen - GDITAG_PENSTYLE Gsux - win32k.sys - GDITAG_SFM Gtmp - win32k.sys - GDITAG_TEMP GTmp - win32k!AllocFreeTmpBuffer - GDITAG_TEMP_THREADLOCK Gtmw - win32k!vIFIMetricsToTextMetricW - GDITAG_TEXTMETRICS Gtvp - win32k!PFFOBJ::bAddPvtData - GDITAG_PFF_DATA Gtvt - win32k!bTriangleMesh - GDITAG_TRIANGLE_MESH Gtxt - win32k.sys - GDITAG_TEXT Gubm - win32k.sys - GDITAG_UMODE_BITMAP GUma - win32k!GDIEngUserMemAllocNodeAlloc - GDITAG_ENG_USER_MEM_ALLOC_TABLE Gump - win32k.sys - GDITAG_UMPD Gvds - win32k!MulEnablePDEV - GDITAG_HDEV GVdv - win32k.sys - GDITAG_VDEV GVms - win32k!MulSaveScreenBits - GDITAG_MULTISAVEBITS GVsf - win32k!MulCreateDeviceBitmap - GDITAG_MDSURF Gwnd - win32k.sys - GDITAG_WNDOBJ Gxlt - win32k.sys - GDITAG_PXLATE Gxpd - win32k!XUMPDOBJ::XUMPDOBJ - GDITAG_UMPDOBJ knlf - win32k.sys - GDITAG_FONT_LINK PASf - win32k.sys - GDITAG_PANNING_SURFACE PSlo - win32k.sys - GDITAG_PANNING_SHADOWLOCK Ssrl - win32k.sys - GDITAG_SINGLEREADERLOCK TTFC - win32k.sys - GDITAG_TT_FONT_CACHE Ttfd - win32k.sys - GDITAG_TT_FONT Vtfd - win32k.sys - GDITAG_VF_FONT W32l - win32k!W32PIDLOCK::vInit - GDITAG_W32PIDLOCK SFMb - win32k!SfmTokenArray::EnsureTokenBufferSize - GDITAG_TOKENARRAY Gnff - win32k.sys - GDITAG_NETWORKED_FONT_FILE_TABLE Gtff - win32k.sys - GDITAG_TRUSTED_FONT_FILE_TABLE Gala - win32k.sys - GDITAG_ADAPTER_LUID_ARRAY FDpd - win32k.sys - GDITAG_UMFD_PDEV FDev - win32k.sys - GDITAG_UMFD_EVENT FDUm - win32k.sys - GDITAG_UMFD_UM_BUFFER FDtl - win32k.sys - GDITAG_UMFD_TLS FDrq - win32k.sys - GDITAG_UMFD_REQUEST GFdk - win32k.sys - GDITAG_UMFD_KERNEL_ALLOCATION UHFF - win32k.sys - GDITAG_UMFD_HFF FDat - win32k.sys - GDITAG_UMFD_GLYPHATTRS GMFF - win32k.sys - GDITAG_FONT_MAPPER_FAMILY_FALLBACK GFIC - win32k.sys - GDITAG_FONT_INTENSITY_CORRECTION Ghmc - win32k!GdiHandleManager::Create - GDITAG_HANDLE_MANAGER Getc - win32k!GdiHandleEntryTable::_Create - GDITAG_HANDLE_ENTRY_TABLE Gelt - win32k!EntryDataLookupTable::Create - GDITAG_ENTRY_DATA_LOOKUP_TABLE Gelc - win32k!EntryDataLookupTable::Initialize - GDITAG_ENTRY_DATA_LOOKUP_TABLE_COLUMN Gpbm - win32k.sys - GDITAG_POOL_BITMAP_BITS Gapl - win32k.sys - GDITAG_APAL_TABLE Gscn - win32k.sys - GDITAG_SCAN_ARRAY GGG0 - win32k.sys - GDITAG_CORE_SESSION_GLOBALS GGG1 - win32kbase.sys - GDITAG_BASE_SESSION_GLOBALS GGG2 - win32kmin.sys - GDITAG_MIN_SESSION_GLOBALS GGG3 - win32kfull.sys - GDITAG_FULL_SESSION_GLOBALS GGG4 - win32kfull.sys - GDITAG_HT_SESSION_GLOBALS GGG5 - win32kfull.sys - GDITAG_UMFD_SESSION_GLOBALS GGG6 - win32kfull.sys - GDITAG_TTFD_SESSION_GLOBALS GGG7 - win32kfull.sys - GDITAG_TTS_SESSION_GLOBALS EKmm - win32kbase!EtwTraceAuditApiQueryAddressVADInformation - ETW_MEMORY_MAPPED_NAME_TAG EKsa - win32kbase!CAsyncKeyEventMonitor::operator new - USERTAG_ASYNCKEYEVENT Ucal - win32k!DriverEntry - USERTAG_SERVICE_TABLE Uiso - win32k!TypeIsolation::Create - USERTAG_ISOHEAP Umam - win32k!UpdateDesktopMonitorNavigationOrder - USERTAG_MONITOR_SPATIAL Uman - win32k!NtUserSetManipulationInputTarget - USERTAG_DWM_MANIPULATION Urdr - win32k!SetRedirectionBitmap - USERTAG_REDIRECT Usac - win32k!_CreateAcceleratorTable - USERTAG_ACCEL Usai - win32k!zzzAttachThreadInput - USERTAG_ATTACHINFO Usal - win32k!InitSwitchWndInfo - USERTAG_ALTTAB Usbg - win32k!xxxLogClipData - USERTAG_DEBUG Usbm - win32k!SetGestureConfigSettings - USERTAG_BITMASK Usbr - win32k!NtUserShutdownBlockReasonCreate - USERTAG_BLOCKREASON Usca - win32k!NtUserSetCalibrationData - USERTAG_CALIBRATIONDATA Uscb - win32k!_ConvertMemHandle - USERTAG_CLIPBOARD Uscc - win32k!AllocCallbackMessage - USERTAG_CALLBACK Uscd - win32k!SetWindowCompositionInfo - USERTAG_COMPOSITIONPROP UsCd - win32k!xxxUserChangeDisplaySettings - USERTAG_CDS Usce - win32k!RetrieveLinkCollection - USERTAG_COLLINK Usci - win32k!InitSystemThread - USERTAG_CLIENTTHREADINFO UscI - win32k!CitStart - USERTAG_COMPAT_IMPACT Uscl - win32k!ClassAlloc - USERTAG_CLASS Uscm - win32k!InitScancodeMap - USERTAG_SCANCODEMAP Uscp - win32k!CreateDIBPalette - USERTAG_CLIPBOARDPALETTE Uscr - win32k!NtUserSetSysColors - USERTAG_COLORS Usct - win32k!CkptRestore - USERTAG_CHECKPT Uscu - win32k!_CreateEmptyCursorObject - USERTAG_CURSOR Uscv - win32k!NtUserSetSysColors - USERTAG_COLORVALUES Uscw - win32k!CacheAxisChildIndex - USERTAG_CONTACTRELATIVE UsDI - win32k!CreateDeviceInfo - USERTAG_DEVICEINFO UsDc - win32k!NtUserDisplayConfigSetDeviceInfo - USERTAG_DISPLAYCONFIG UsDt - win32k!NtUserCtxDisplayIOCtl - USERTAG_DISPLAYIOCTL Usd1 - win32k!FreeListAdd - USERTAG_DDE1 Usd2 - win32k!_DdeSetQualityOfService - USERTAG_DDE2 Usd4 - win32k!AddPublicObject - USERTAG_DDE4 Usd5 - win32k!xxxCsEvent - USERTAG_DDE5 Usd6 - win32k!xxxCsEvent - USERTAG_DDE6 Usd7 - win32k!xxxCsEvent - USERTAG_DDE7 Usd8 - win32k!xxxMessageEvent - USERTAG_DDE8 Usd9 - win32k!xxxCsDdeInitialize - USERTAG_DDE9 UsdA - win32k!NewConversation - USERTAG_DDEa UsdB - win32k!Createpxs - USERTAG_DDEb Usdc - win32k!CreateCacheDC - USERTAG_DCE UsdD - win32k!NtUserfnDDEINIT - USERTAG_DDEd UsdE - win32k!xxxClientCopyDDEIn1 - USERTAG_DDE Usdi - win32k!CreateMonitor - USERTAG_DISPLAYINFO Usdm - win32k!CreateDCompositionHwndTargetInfo - USERTAG_DCOMPHWNDTARGETINFO Usdp - win32k!NtUserDelegateCapturePointers - USERTAG_DELEGATEPOINTERSTRUCT Usds - win32k!xxxDragObject - USERTAG_DRAGDROP Usdv - win32k!NtUserfnINDEVICECHANGE - USERTAG_DEVICECHANGE Usdw - win32k!GetProductString - USERTAG_DEVICENAME UsEC - win32k!AddWEFCOMPInvalidateSListEntry - USERTAG_WSEXCOMPINVALID Used - win32k!AddOrUpdateListener - USERTAG_EDGY User - win32k!InitCreateUserCrit - USERTAG_ERESOURCE Usex - win32k!IsDeviceExcluded - USERTAG_EXCLUDEDLIST Usfi - win32k!CreatePointerDeviceInfo - USERTAG_FEATUREIOCTL Usfg - win32k!NtUserSetAdditionalForegroundBoostProcesses - USERTAG_ADDITIONALFGBOOST Usfl - win32k!InitializeWin32KSyscallFilter - USERTAG_SERVICEFILTER Usft - win32k!CreateValidTouchInputInfo - USERTAG_FORWARDTOUCHMESSAGE Usgc - win32k!_StoreGestureConfig - USERTAG_GESTURECONFIG Usgd - win32k!SetGestureConfigSettings - USERTAG_GESTUREDATA Usgh - win32k!NtUserUserHandleGrantAccess - USERTAG_GRANTEDHANDLES Usgi - win32k!NtUserSendGestureInput - USERTAG_GESTUREINFO Usgt - win32k!AddGhost - USERTAG_GHOST Usha - win32k!AllocateHidData - USERTAG_HIDDATA Ushb - win32k!NtUserGetDCompositionHwndBitmap - USERTAG_DCOMPHWNDBITMAP Ushc - win32k!AllocateHidConfigDesc - USERTAG_HIDCONFIG UshD - Win32k!AllocateHidDesc - USERTAG_HIDDESC Ushf - win32k!AllocateHidConfigDesc - USERTAG_HIDFEATURE Ushi - win32k!AllocateHidDesc - USERTAG_HIDINPUT Ushk - win32k!_RegisterHotKey - USERTAG_HOTKEY Ushl - win32k!INLPHLPSTRUCT - USERTAG_HELP UshP - win32k!HidCreateDeviceInfo - USERTAG_HIDPREPARSED Ushr - win32k!AllocateAndLinkHidPageOnlyRequest - USERTAG_HIDPAGEREQUEST UshR - win32k!AllocateHidProcessRequest - USERTAG_HIDPROCREQUEST Usht - win32k!AllocateProcessHidTable - USERTAG_HIDTABLE UshT - win32k!AllocateAndLinkHidTLCInfo - USERTAG_HIDTLC Usih - win32k!SetImeHotKey - USERTAG_IMEHOTKEY Usim - win32k!CreateInputContext - USERTAG_IME Usip - win32k!CreateNode - USERTAG_INPUTPOINTERNODE Usiq - win23k!CInputQueueProp - USERTAG_COMPOSITIONINPUTQUEUE Usit - win32k!InjectTouchInput - USERTAG_INJECT_TOUCH Usim - win32k!InjectMouseInput - USERTAG_INJECT_MOUSE Usik - win32k!InjectKeyboardInput - USERTAG_INJECT_KEYBOARD Usix - win32k!AllocInputTransformEntry - USERTAG_INPUT_TRANSFORM Uisc - win32k!DWMSetInputSystemOutputConfig - USERTAG_INPUT_CONFIG Ucsc - win32k!SetShellCursorClip - USERTAG_SHELL_CURSOR_CLIP Usjb - win32k!CreateW32Job - USERTAG_W32JOB Usjx - win32k!JobCalloutAddProcess - USERTAG_W32JOBEXTRA UsKe - win32k!CreateKernelEvent - USERTAG_KEVENT UsKf - win32k!InitCreateUserCrit - USERTAG_FASTMUTEX UsKm - win32k!DriverEntry - USERTAG_KMUTEX UsKs - win32k!CreateKernelSemaphore - USERTAG_KSEMAPHORE UsKt - win32k!RemoteConnect - USERTAG_KTIMER UsKw - win32k!xxxDesktopThread - USERTAG_KWAITBLOCK UsKv - win32k!ReadTabletButtonConfig - USERTAG_KEYVALUEINFORMATION Uskb - win32k!xxxLoadKeyboardLayoutEx - USERTAG_KBDLAYOUT Uskd - win32k!xxxCreateDesktopEx2 - USERTAG_KERNELDESKTOPINFO Ukdp - win32k!Win32UserInitialize - USERTAG_KERNELDISPLAYINFO Uske - win32k!GetKbdExId - USERTAG_KBDEXID Uskf - win32k!LoadKeyboardLayoutFile - USERTAG_KBDFILE Usks - win32k!PostUpdateKeyStateEvent - USERTAG_KBDSTATE Uskt - win32k!ReadLayoutFile - USERTAG_KBDTABLE Usla - win32k!InitLockRecordLookaside - USERTAG_LOOKASIDE Usld - win32k!GrowLogIfNecessary - USERTAG_LOGDESKTOP Uslr - win32k!InitLockRecordLookaside - USERTAG_LOCKRECORD UsMP - win32k!GeneratePointerMessageFromMouse - USERTAG_MOUSEINPOINTER usmd - win32k!xxxSetModernAppWindow - USERTAG_MODERNDESKTOPAPP Usmg - win32k!Magxxx - USERTAG_MAGNIFICATION Usmi - win32k!MirrorRegion - USERTAG_MIRROR Usml - win32k!MsgLookupTableAlloc - USERTAG_MESSAGE_FILTER Usmo - win32k!_EnableIAMAccess - USERTAG_MOSH Usmp - win32k!AllocMousePromotionEntry - USERTAG_MOUSEPROMOTIONENTRY Usmr - win32k!SnapshotMonitorRects - USERTAG_MONITORRECTS Usms - win32k!xxxMoveSize - USERTAG_MOVESIZE Usmt - win32k!xxxMNAllocMenuState - USERTAG_MENUSTATE Usmx - win32k!InitializeMonitorDpiRectsAndTransforms - USERTAG_MATRIX Usna - win32k!UserPostNKAPC - USERTAG_NKAPC Usny - win32k!CreateNotify - USERTAG_NOTIFY Uspa - win32k!AllocPointerMsgParamsList - USERTAG_POINTERMSGPARAMS Uspb - win32k!fnPOWERBROADCAST - USERTAG_POWERBROADCAST Uspd - win32k!PointerList::AddMsgData - USERTAG_POINTERINPUTMSGDATA Uspc - win32k!CreatePointerDeviceInfo - USERTAG_POINTERDEVICE UspC - win32k!AssignPointerCaptureData - USERTAG_POINTERCAPTUREDATA Uspe - win32k!AllocPointerInfoNodeList - USERTAG_POINTERINPUTEVENT Uspf - win32k!CommitHoldingFrame - USERTAG_POINTERINPUTFRAME Uspg - win32k!GeneratePointerMessage - USERTAG_POINTERINPUTMSG Uspi - win32k!MapDesktop - USERTAG_PROCESSINFO Uspk - win32k!GetProductString - USERTAG_PRODUCTSTRING Uspl - win32k!xxxPollAndWaitForSingleObject - USERTAG_POLLEVENT Uspm - win32k!MNAllocPopup - USERTAG_POPUPMENU Uspn - win32k!CreateProfileUserName - USERTAG_PROFILEUSERNAME Uspo - win32k!QueuePowerRequest - USERTAG_POWER Uspp - win32k!AllocateAndLinkHidTLCInfo - USERTAG_PNP Uspq - win32k!CreatePointerDeviceInfo - USERTAG_PARALLELPROP UspQ - win32k!AllocPointerQFrameList - USERTAG_POINTERQFRAME Uspr - win32k!GetPrivateProfileStruct - USERTAG_PROFILE Usps - win32k!InitPlaySound - USERTAG_PLAYSOUND Uspt - win32k!AllocThreadPointerData - USERTAG_POINTERTHREADDATA Uspv - win32k!ContactVisualization - USERTAG_POINTERVISUALIZATION Uspw - win32k!CDynamicArray::Add - USERTAG_DYNAMICARRAY Uspx - win32k!GetCustomFlickPath - USERTAG_PTRCFG Usph - win32k!CreateProp - USERTAG_PROPLISTHEADER Uspy - win32k!CreateProp - USERTAG_PROPLIST Usql - win32k!EnsureQMsgLog - USERTAG_QMSGLOG Usqm - win32k!InitQEntryLookaside - USERTAG_QMSG Usqu - win32k!InitQEntryLookaside - USERTAG_Q Usrd - win32k!StoreRawDataBlock - USERTAG_POINTERRAWDATA Usri - win32k!NtUserRegisterRawInputDevices - USERTAG_RAWINPUTDEVICE Usrt - win32k!xxxDrawMenuItemText - USERTAG_RTL Ussa - win32k!xxxBroadcastMessage - USERTAG_SMS_ASYNC Ussb - win32k!CreateSpb - USERTAG_SPB Ussc - win32k!xxxInterSendMsgEx - USERTAG_SMS_CAPTURE Ussd - win32k!xxxAddShadow - USERTAG_SHADOW Usse - win32k!SetDisconnectDesktopSecurity - USERTAG_SECURITY Ussi - win32k!NtUserSendInput - USERTAG_SENDINPUT Ussj - win32k!NtUserSendTouchInput - USERTAG_SENDTOUCHINPUT Ussm - win32k!InitSMSLookaside - USERTAG_SMS Usss - win32k!xxxBroadcastMessage - USERTAG_SMS_STRING Ussw - win32k!_BeginDeferWindowPos - USERTAG_SWP Ussh - win32k!zzzSetWindowsHookEx - USERTAG_HOOK Uscd - win32k!GetCPD - USERTAG_CPD Ussr - win32k!xxxDesktopRecalc - USERTAG_ADR Ussy - win32k!xxxDesktopThread - USERTAG_SYSTEM UsTI - win32k!NtUserQueryInformationThread - USERTAG_THREADINFORMATION Usta - win32k!AssociateShellFrameAppThreads - USERTAG_THREADASSOCIATION Ustd - win32k!TrackAddDesktop - USERTAG_TRACKDESKTOP Usti - win32k!AllocateW32Thread - USERTAG_THREADINFO Ustn - win32k!AllocateW32Thread - USERTAG_THREADINFONP Ustk - win32k!HeavyAllocPool - USERTAG_STACK Ustm - win32k!InternalSetTimer - USERTAG_TIMER Ustl - win32k!AllocateW32Thread - USERTAG_TLS Usto - win32k!xxxConnectService - USERTAG_TOKEN Ustp - win32k!FindOrCreateHoldingFrameForDevice - USERTAG_TOUCHPADSTATE Usts - win32k!_Win32CreateSection - USERTAG_SECTION Ustx - win32k!NtUserDrawCaptionTemp - USERTAG_TEXT Usty - win32k!NtUserResolveDesktopForWOW - USERTAG_TEXT2 Ustz - win32k!AllocTouchInputInfo - USERTAG_TOUCHINPUTINFO Usua - win32k!TabletButtonHandler - USERTAG_TABLETBUTTONUSAGE Usub - win32k!NtUserToUnicodeEx - USERTAG_UNICODEBUFFER Usvc - win32k!_GetPointerDeviceProperties - USERTAG_VALUECAP Usvi - win32k!ResizeVisExcludeMemory - USERTAG_VISRGN Usvl - win32k!VWPLAdd - USERTAG_VWPL UsWE - win32k!ReportHungExplorerToWer - USERTAG_WER UsWP - win32k!SetGlobalWallpaperSettings - USERTAG_WALLPAPER Uswc - win32k!SetSwapChainProp - USERTAG_SWAPCHAIN Uswd - win32k!xxxCreateWindowEx - USERTAG_WINDOW Uswe - win32k!_SetWinEventHook - USERTAG_WINEVENT Uswi - win32k!RemoteShadowStart - USERTAG_WIREDATA Uswl - win32k!BuildHwndList - USERTAG_WINDOWLIST Uswo - win32k!zzzInitTask - USERTAG_WOWTDB Uswr - win32k!CoreWindowProp - USERTAG_COREWINDOWPROP Usrr - win32k!TouchTargetingRankForRegion - USERTAG_RANKFORRGN Uslt - win32k!InitializeWin32PoolTracking - USERTAG_LEAKEDTAG UsI0 - win32k!NSInstrumentation::CBackTraceStorageUnit::Create - USERTAG_BACKTRACE_STORAGE_UNIT UsI1 - win32k!NSInstrumentation::CBackTraceBucket::Create - USERTAG_BACKTRACE_BUCKET UsI2 - win32k!NSInstrumentation::CBackTraceBucket::CreateContext - USERTAG_BACKTRACE_BUCKET_CONTEXT UsI3 - win32k!NSInstrumentation::CBackTraceStoreEx::Create - USERTAG_BACKTRACE_STORE UsI4 - win32k!NSInstrumentation::CBloomFilter::Create - USERTAG_BLOOMFILTER UsI5 - win32k!NSInstrumentation::CPlatformSignal::Create - USERTAG_INSTRUMENTATION_EVENT UsI6 - win32k!NSInstrumentation::CLeakTrackingAllocator::Create - USERTAG_LEAK_TRACKING_ALLOCATOR UsI7 - win32k!NSInstrumentation::CPrioritizedWriterLock::Create - USERTAG_PRIORITIZED_WRITER_LOCK UsI8 - win32k!NSInstrumentation::CPointerHashTable::Create - USERTAG_POINTER_HASH_TABLE UsI9 - win32k!NSInstrumentation::CReferenceTracker::Create - USERTAG_REFERENCE_TRACKER UsIa - win32k!NSInstrumentation::CReferenceTracker::CReferenceCountedType::Create - USERTAG_REFERENCE_COUNTED_TYPE_HANDLE UsIb - win32k!NSInstrumentation::CReferenceTracker::CReferenceCountedType::BeginTrack - USERTAG_REFERENCE_COUNTED_OBJECT_HANDLE UsIc - win32k!NSInstrumentation::CSortedVector::Create - USERTAG_SORTED_VECTOR UsId - win32k!NSInstrumentation::CSharedStorage::InitializeCommon - USERTAG_SHARED_STORAGE Udpi - win32k!CreateSystemFontsForDpi - USERTAG_DPIMETRICS Ubwd - win32kbase!NtUserCreateBaseWindow - USERTAG_BASE_WINDOW Ubws - win32kmin!xxxMinSendPointerMessageWorker - USERTAG_BASE_WINDOW_SENTLIST Urtm - win32kfull!InitRotationManager - USERTAG_ROTMGR Usws - win32kfull!xxxCreateWindowEx - USERTAG_WND_SERVER_EXTRA_BYTES Udwp - win32kbase!SetMonitorData - USERTAG_REFCOUNTED_DPI_INFORMATION Uiim - win32kbase!CTouchProcessor::ForwardInputToManipulationThread - USERTAG_INPUT_INTEROP_MESSAGE Usdz - win32kbase!DelayZonePalmRejection::_AddDelayZoneToListInternal - USERTAG_DELAYZONEINFO Uvtp - win32kbase!VirtualTouchpadProcessor::GetInstance - USERTAG_VIRTUALTOUCHPAD Umen - win32kbase!HMAllocObject - USERTAG_MENU Umit - win32kfull!SetLPITEMInfoNoRedraw - USERTAG_MENUITEM Usol - win32kmin!InitSmartObjLookaside - USERTAG_SMOBJ_LOOKASIDE Ugwm - win32kfull!CWindowGroup::operator new - USERTAG_GROUP_WINDOW_MANAGEMENT Ucwp - win32kfull!CloneWindowPosAndArrangementAsync - USERTAG_CLONEWINDOWPOS Usol - win32kbase!InputTraceLogging::PerfRegion::Initialize - USERTAG_PERFREGION_LOOKASIDE Uagm - win32kbase!CActivationObjectManager::operator new - USERTAG_ACTIVATION_GROUP_MANAGEMENT Ucnv - win32kbase!InputObjectMap::AllocateBucket - USERTAG_INPUTOBJECTMAP Uvst - win32kfull!SetVisRgnTrackerProp - USERTAG_VISRGNTRACKER Urav - win32kmin!minPostInputMessage - USERTAG_QMSGVARPAYLOAD Ugcd - win32kbase!NtUserGetInputContainerId - USERTAG_CONTAINERINFO Umid - win32kfull!GetMouseDeviceHardwareId - USERTAG_MOUSE_HARDWARE_ID Uwmc - win32kfull!WindowMargins::CWindowMarginProp::CreateWindowProp - USERTAG_WINDOW_MARGINS_CHANGE Umwm - win32kfull!ShellWindowPos::MigrateWindowAsync - USERTAG_MIGRATE_WINDOW_ASYNC Uttd - win32kfull!_RegisterForTooltipDismissNotification - USERTAG_TOOLTIP_DISMISS DCa0 - win32kbase!DirectComposition::CAtlasedRectsMeshMarshaler::_allocate - DCOMPOSITIONTAG_ATLASEDRECTSMESHMARSHALER DCab - win32kbase!DirectComposition::CAnimationBinding::_allocate - DCOMPOSITIONTAG_ANIMATIONBINDING DCac - win32kbase!DirectComposition::CApplicationChannel::_allocate - DCOMPOSITIONTAG_APPLICATIONCHANNEL DCae - win32kbase!DirectComposition::CAnimationMarshaler::SetBufferProperty - DCOMPOSITIONTAG_ANIMATIONTIMEEVENTDATA DCag - win32kbase!DirectComposition::CAnimationMarshaler::SetBufferProperty - DCOMPOSITIONTAG_ANIMATIONSCENARIOGUID DCah - win32kbase!DirectComposition::CAnimationControllerMarshaler::_allocate - DCOMPOSITIONTAG_ANIMATIONCONTROLLERMARSHALER DCal - win32kbase!DirectComposition::CAnimationTimeList::_allocate - DCOMPOSITIONTAG_ANIMATIONTIMELIST DCam - win32kbase!DirectComposition::CCompositionAmbientLight::_allocate - DCOMPOSITIONTAG_AMBIENTLIGHTMARSHALER DCan - win32kbase!DirectComposition::CAnimationMarshaler::_allocate - DCOMPOSITIONTAG_ANIMATIONMARSHALER DCar - win32kbase!DirectComposition::CResourceMarshaler::_allocate - DCOMPOSITIONTAG_ABSTRACTRESOURCE DCat - win32kbase!DirectComposition::CLegacyAnimationTriggerMarshaler::_allocate - DCOMPOSITIONTAG_LEGACYANIMATIONTRIGGERMARSHALER DCaw - win32kbase!DirectComposition::CAtlasedRectsGroupMarshaler::_allocate - DCOMPOSITIONTAG_ATLASEDRECTSGROUPMARSHALER DCax - win32kbase!DirectComposition::CAnalogExclusiveViewMarshaler::_allocate - DCOMPOSITIONTAG_ANALOGEXCLUSIVEVIEWMARSHALER DCay - win32kbase!DirectComposition::CAnalogTextureTargetMarshaler::_allocate - DCOMPOSITIONTAG_ANALOGTEXTURETARGETMARSHALER DCaz - win32kbase!DirectComposition::CAnalogCompositorMarshaler::_allocate - DCOMPOSITIONTAG_ANALOGCOMPOSITORMARSHALER DCba - win32kbase!DirectComposition::CBatch::_allocate - DCOMPOSITIONTAG_BATCH DCbd - win32kbase!DirectComposition::CBatchDeferralMarshaler::_allocate - DCOMPOSITIONTAG_BATCHDEFERRALMARSHALER DCbc - win32kbase!DirectComposition::CChannel::_allocate - DCOMPOSITIONTAG_CHANNEL DCbf - win32kbase!DirectComposition::Memory::Allocate - DCOMPOSITIONTAG_BUFFER DCbl - win32kbase!DirectComposition::CBackChannelMarshaler::_allocate - DCOMPOSITIONTAG_BACKCHANNELMARSHALER DCbr - win32kbase!DirectComposition::CBatch::CSystemResourceReference::_allocate - DCOMPOSITIONTAG_BATCH_RESOURCEREF DCbs - win32kbase!DirectComposition::CBatchSharedMemoryPool::_allocate - DCOMPOSITIONTAG_BATCH_SHARED_MEMORY_POOL DCc2 - win32kbase!DirectComposition::CComponentTransform2DMarshaler::_allocate - DCOMPOSITIONTAG_COMPONENTTRANSFORM2DMARSHALER DCca - win32kbase!DirectComposition::CConditionalExpressionMarshaler::_allocate - DCOMPOSITIONTAG_CONDITIONALEXPRESSIONMARSHALER DCcb - win32kbase!DirectComposition::CCompositionSurfaceBitmapMarshaler::_allocate - DCOMPOSITIONTAG_HCOMPBITMAPMARSHALER DCcc - win32kbase!DirectComposition::CConnection::_allocate - DCOMPOSITIONTAG_CONNECTION DCcg - win32kbase!DirectComposition::CClipGroupMarshaler::_allocate - DCOMPOSITIONTAG_CLIPGROUPMARSHALER DCch - win32kbase!DirectComposition::CChannelHandleTable::_allocate - DCOMPOSITIONTAG_CHANNELHANDLETABLE DCck - win32kbase!DirectComposition::CBaseExpressionMarshaler::SetBufferProperty - DCOMPOSITIONTAG_DEBUGTAG DCcl - win32kbase!DirectComposition::CCompositionLight::_allocate - DCOMPOSITIONTAG_LIGHTMARSHALER DCcm - win32kbase!DirectComposition::CCompositionCubeMapMarshaler::_allocate - DCOMPOSITIONTAG_CUBEMAPMARSHALER DCco - win32kbase!DirectComposition::CComponentTransform3DMarshaler::_allocate - DCOMPOSITIONTAG_COMPONENTTRANSFORM3DMARSHALER DCcp - win32kbase!DirectComposition::CPushLockCriticalSection::_allocate - DCOMPOSITIONTAG_PUSHLOCKCRITICALSECTION DCcq - win32kbase!DirectComposition::CCaptureControllerMarshaler::_allocate - DCOMPOSITIONTAG_CAPTURECONTROLLERMARSHALER DCcr - win32kbase!DirectComposition::CCaptureRenderTargetMarshaler::_allocate - DCOMPOSITIONTAG_CAPTURERENDERTARGETMARSHALER DCcs - win32kbase!DirectComposition::CCriticalSection::_allocate - DCOMPOSITIONTAG_CRITICALSECTION DCct - win32kbase!DirectComposition::CApplicationChannel::AllocateTableEntry - DCOMPOSITIONTAG_CHANNELTABLE DCcv - win32kbase!DirectComposition::CrossChannelVisualData::_allocate - DCOMPOSITIONTAG_CROSSCHANNELVISUALDATA DCcw - win32kbase!DirectComposition::CScreenCursorMarshaler::_allocate - DCOMPOSITIONTAG_SCREENCURSORMARSHALER DCcy - win32kbase!DirectComposition::CCursorVisualMarshaler::_allocate - DCOMPOSITIONTAG_CURSORVISUALMARSHALER DCd2 - win32kbase!DirectComposition::CStructDynamicArray::_allocate - DCOMPOSITIONTAG_STRUCTDYNAMICARRAY DCda - win32kbase!DirectComposition::CDCompDynamicArray::_allocate - DCOMPOSITIONTAG_DYNAMICARRAY DCdb - win32kbase!DirectComposition::CDCompDynamicArrayBase::_allocate - DCOMPOSITIONTAG_DYNAMICARRAYBASE DCdc - win32kbase!DirectComposition::CDwmChannel::_allocate - DCOMPOSITIONTAG_DWMCHANNEL DCdd - win32kbase!DirectComposition::CDDisplayRenderTargetMarshaler::_allocate - DCOMPOSITIONTAG_DDISPLAYRENDERTARGETMARSHALER DCde - win32kbase!DirectComposition::CDesktopTreeMarshaler::_allocate - DCOMPOSITIONTAG_DESKTOPTREEMARSHALER DCdj - win32kbase!DirectComposition::CLegacyStereoRenderTargetMarshaler::_allocate - DCOMPOSITIONTAG_LEGACYSTEREORENDERTARGETMARSHALER DCdk - win32kbase!DirectComposition::CLegacyRenderTargetMarshaler::_allocate - DCOMPOSITIONTAG_LEGACYRENDERTARGETMARSHALER DCdl - win32kbase!DirectComposition::CCompositionDistantLight::_allocate - DCOMPOSITIONTAG_DISTANTLIGHTMARSHALER DCdm - win32kbase!DirectComposition::CRemoteAppRenderTargetMarshaler::_allocate - DCOMPOSITIONTAG_REMOTEAPPRENDERTARGETMARSHALER DCdp - win32kbase!DirectComposition::CRemoteRenderTargetMarshaler::_allocate - DCOMPOSITIONTAG_REMOTERENDERTARGETMARSHALER DCds - win32kbase!DirectComposition::CDropShadowMarshaler::_allocate - DCOMPOSITIONTAG_DROPSHADOWMARSHALER DCef - win32kbase!DirectComposition::CCompiledEffect::_allocate - DCOMPOSITIONTAG_COMPILEDEFFECTMARSHALER DCeg - win32kbase!DirectComposition::CEffectGroupMarshaler::_allocate - DCOMPOSITIONTAG_EFFECTGROUPMARSHALER DCem - win32kbase!DirectComposition::CBaseExpressionMarshaler::SetBufferProperty - DCOMPOSITIONTAG_EXPRESSIONTARGETMASK DCep - win32kbase!DirectComposition::CCompiledEffectPropertyBag::_allocate - DCOMPOSITIONTAG_COMPILEDEFFECTPROPERTYBAGMARSHALER DCet - win32kbase!DirectComposition::CCompiledEffectTemplate::_allocate - DCOMPOSITIONTAG_COMPILEDEFFECTTEMPLATEMARSHALER DCev - win32kbase!DirectComposition::CEvent::_allocate - DCOMPOSITIONTAG_EVENT DCex - win32kbase!DirectComposition::CExpressionMarshaler::_allocate - DCOMPOSITIONTAG_EXPRESSIONMARSHALER DCey - win32kbase!DirectComposition::CEllipseGeometryMarshaler::_allocate - DCOMPOSITIONTAG_ELLIPSEGEOMETRYMARSHALER DCfb - win32kbase!DirectComposition::CTableTransferEffectMarshaler::SetBufferProperty - DCOMPOSITIONTAG_FILTEREFFECTBUFFER DCfe - win32kbase!DirectComposition::CFilterEffectMarshaler::_allocate - DCOMPOSITIONTAG_FILTEREFFECTMARSHALER DCff - win32kbase!DirectComposition::CFilterEffectMarshaler::Initialize - DCOMPOSITIONTAG_FILTERINPUTFLAGS DCfi - win32kbase!DirectComposition::CFilterEffectMarshaler::Initialize - DCOMPOSITIONTAG_FILTERINPUTS DCfj - win32kbase!DirectComposition::CFilterEffectMarshaler::Initialize - DCOMPOSITIONTAG_SUBRECTINPUTFLAGS DCg3 - win32kbase!DirectComposition::CTransform3DGroupMarshaler::_allocate - DCOMPOSITIONTAG_TRANSFORM3DGROUPMARSHALER DCgb - win32kbase!DirectComposition::CGradientLegacyMilBrushMarshaler::_allocate - DCOMPOSITIONTAG_GRADIENTLEGACYMILBRUSHMARSHALER DCgd - win32kbase!DirectComposition::CGdiSpriteBitmapMarshaler::_allocate - DCOMPOSITIONTAG_GDISPRITEBITMAPMARSHALER DCge - win32kbase!DirectComposition::CGaussianBlurEffectMarshaler::_allocate - DCOMPOSITIONTAG_GAUSSIANBLUREFFECTMARSHALER DCgg - win32kbase!DirectComposition::CGeometry2DGroupMarshaler::_allocate - DCOMPOSITIONTAG_GEOMETRY2DGROUPMARSHALER DCgi - win32kbase!DirectComposition::CGenericInkMarshaler::_allocate - DCOMPOSITIONTAG_GENERICINKMARSHALER DCgm - win32kbase!DirectComposition::CGenericMarshaler::_allocate - DCOMPOSITIONTAG_GENERICMARSHALER DCgr - win32kbase!DirectComposition::CCompositionGlyphRunMarshaler::_allocate - DCOMPOSITIONTAG_COMPOSITIONGLYPHRUNMARSHALER DCgs - win32kbase!DirectComposition::CColorGradientStopMarshaler::_allocate - DCOMPOSITIONTAG_COLORGRADIENTSTOPMARSHALER DCgv - win32kbase!DirectComposition::CGlobalDCompVisualMarshaler::_allocate - DCOMPOSITIONTAG_GLOBALDCOMPVISUALMARSHALER DChc - win32kbase!DirectComposition::CHolographicCompositionMarshaler::_allocate - DCOMPOSITIONTAG_HOLOGRAPHICCOMPOSITIONMARSHALER DChd - win32kbase!DirectComposition::CHolographicDisplayMarshaler::_allocate - DCOMPOSITIONTAG_HOLOGRAPHICDISPLAYMARSHALER DChe - win32kbase!DirectComposition::CHolographicExclusiveViewMarshaler::_allocate - DCOMPOSITIONTAG_HOLOGRAPHICEXCLUSIVEVIEWMARSHALER DChi - win32kbase!DirectComposition::CHolographicInteropTextureMarshaler::_allocate - DCOMPOSITIONTAG_HOLOGRAPHICINTEROPTEXTUREMARSHALER DChm - win32kbase!DirectComposition::CHolographicExclusiveModeMarshaler::_allocate - DCOMPOSITIONTAG_HOLOGRAPHICEXCLUSIVEMODEMARSHALER DChp - win32kbase!DirectComposition::CHoverPointerSourceMarshaler::_allocate - DCOMPOSITIONTAG_HOVERPOINTERSOURCEMARSHALER DCht - win32kbase!DirectComposition::CHwndTargetMarshaler::_allocate - DCOMPOSITIONTAG_HWNDTARGETMARSHALER DChv - win32kbase!DirectComposition::CHostVisualMarshaler::_allocate - DCOMPOSITIONTAG_HOSTVISUALMARSHALER DChx - win32kbase!DirectComposition::CHolographicViewer::_allocate - DCOMPOSITIONTAG_HOLOGRAPHICVIEWERMARSHALER DCia - win32kbase!DirectComposition::CInjectionAnimationMarshaler::_allocate - DCOMPOSITIONTAG_INJECTIONANIMATIONMARSHALER DCib - win32kbase!DirectComposition::CImageLegacyMilBrushMarshaler::_allocate - DCOMPOSITIONTAG_IMAGELEGACYMILBRUSHMARSHALER DCic - win32kbase!DirectComposition::CInteractionConfigurationGroup::_allocate - DCOMPOSITIONTAG_INTERACTIONCONFIGURATIONGROUP DCik - win32kbase!DirectComposition::CInkMarshaler::_allocate - DCOMPOSITIONTAG_INKMARSHALER DCio - win32kbase!DirectComposition::CInteractionMarshaler::_allocate - DCOMPOSITIONTAG_INTERACTIONMARSHALER DCir - win32kbase!DirectComposition::CInteractionTrackerMarshaler::_allocate - DCOMPOSITIONTAG_INTERACTIONTRACKERMARSHALER DCis - win32kbase!DirectComposition::CInteractionTrackerBindingManagerMarshaler::_allocate - DCOMPOSITIONTAG_INTERACTIONTRACKERBINDINGMANAGERMARSHALER DCit - win32kbase!DirectComposition::CInteractionMarshaler::EnsureTouchConfigurationList - DCOMPOSITIONTAG_INTERACTIONTOUCHCONFIGURATION DCjb - win32kbase!DirectComposition::CBackdropBrushMarshaler::_allocate - DCOMPOSITIONTAG_BACKDROPBRUSHMARSHALER DCjc - win32kbase!DirectComposition::CColorBrushMarshaler::_allocate - DCOMPOSITIONTAG_COLORBRUSHMARSHALER DCjd - win32kbase!DirectComposition::CBlurredWallpaperBackdropBrushMarshaler::_allocate - DCOMPOSITIONTAG_BLURREDWALLPAPERBACKDROPBRUSHMARSHALER DCje - win32kbase!DirectComposition::CEffectBrushMarshaler::_allocate - DCOMPOSITIONTAG_EFFECTBRUSHMARSHALER DCjl - win32kbase!DirectComposition::CLinearGradientBrushMarshaler::_allocate - DCOMPOSITIONTAG_LINEARGRADIENTBRUSHMARSHALER DCjm - win32kbase!DirectComposition::CMaskBrushMarshaler::_allocate - DCOMPOSITIONTAG_MASKBRUSHMARSHALER DCjn - win32kbase!DirectComposition::CNineGridBrushMarshaler::_allocate - DCOMPOSITIONTAG_NINEGRIDBRUSHMARSHALER DCjo - win32kbase!DirectComposition::CRadialGradientBrushMarshaler::_allocate - DCOMPOSITIONTAG_RADIALGRADIENTBRUSHMARSHALER DCjs - win32kbase!DirectComposition::CSurfaceBrushMarshaler::_allocate - DCOMPOSITIONTAG_SURFACEBRUSHMARSHALER DCjw - win32kbase!DirectComposition::CWindowBackdropBrushMarshaler::_allocate - DCOMPOSITIONTAG_WINDOWBACKDROPBRUSHMARSHALER DCkf - win32kbase!DirectComposition::CKeyframeAnimationMarshaler::_allocate - DCOMPOSITIONTAG_KEYFRAMEANIMATIONMARSHALER DCks - win32kbase!DirectComposition::CKeyframeAnimationMarshaler::SetBufferProperty - DCOMPOSITIONTAG_KEYFRAMEANIMATIONSCENARIOGUID DCkt - win32kbase!DirectComposition::CSkewTransformMarshaler::_allocate - DCOMPOSITIONTAG_SKEWTRANSFORMMARSHALER DClb - win32kbase!DirectComposition::CLinearGradientLegacyMilBrushMarshaler::_allocate - DCOMPOSITIONTAG_LINEARGRADIENTLEGACYMILBRUSHMARSHALER DClc - win32kbase!DirectComposition::CVisualMarshaler::_allocate - DCOMPOSITIONTAG_LAYOUTCONSTRAINTINFO DClg - win32kbase!DirectComposition::CLineGeometryMarshaler::_allocate - DCOMPOSITIONTAG_LINEGEOMETRYMARSHALER DClm - win32kbase!DirectComposition::CAnimationLoggingManager::_allocate - DCOMPOSITIONTAG_ANIMATIONLOGGINGMANAGERMARSHALER DCls - win32kbase!DirectComposition::CVisualSurfaceMarshaler::_allocate - DCOMPOSITIONTAG_VISUALSURFACEMARSHALER DClt - win32kbase!DirectComposition::CLinearObjectTableBase::_allocate - DCOMPOSITIONTAG_LINEAROBJECTTABLEDATA DClv - win32kbase!DirectComposition::CLayerVisualMarshaler::_allocate - DCOMPOSITIONTAG_LAYERVISUALMARSHALER DCm3 - win32kbase!DirectComposition::CMatrixTransform3DMarshaler::_allocate - DCOMPOSITIONTAG_MATRIXTRANSFORM3DMARSHALER DCma - win32kbase!DirectComposition::CManipulationTransformMarshaler::_allocate - DCOMPOSITIONTAG_MANIPULATIONTRANSFORMMARSHALER DCmg - win32kbase!DirectComposition::CMeshGeometryMarshaler::_allocate - DCOMPOSITIONTAG_MESHGEOMETRY2DMARSHALER DCmh - win32kbase!DirectComposition::CMessageHandleInfo::_allocate - DCOMPOSITIONTAG_MESSAGEHANDLEINFO DCmi - win32kbase!DirectComposition::CManipulationMarshaler::_allocate - DCOMPOSITIONTAG_MANIPULATIONMARSHALER DCmm - win32kbase!DirectComposition::CCompositionMipmapSurfaceMarshaler::_allocate - DCOMPOSITIONTAG_MIPMAPSURFACEMARSHALER DCmn - win32kbase!DirectComposition::CSceneSurfaceMaterialInputMarshaler::_allocate - DCOMPOSITIONTAG_SCENESURFACEMATERIALINPUTMARSHALER DCmr - win32kbase!DirectComposition::CSceneMetallicRoughnessMarshaler::_allocate - DCOMPOSITIONTAG_SCENEMETALLICROUGHNESSMATERIALMARSHALER DCmt - win32kbase!DirectComposition::CMatrixTransformMarshaler::_allocate - DCOMPOSITIONTAG_MATRIXTRANSFORMMARSHALER DCna - win32kbase!DirectComposition::CNaturalAnimationMarshaler::_allocate - DCOMPOSITIONTAG_NATURALANIMATIONMARSHALER DCnb - win32kbase!DirectComposition::CDeletedNotificationList::EnsureTagAllocation - DCOMPOSITIONTAG_DELETEDNOTIFICATIONLISTBUFFER DCnl - win32kbase!DirectComposition::CDeletedNotificationList::_allocate - DCOMPOSITIONTAG_DELETEDNOTIFICATIONLIST DCns - win32kbase!DirectComposition::CNaturalAnimationMarshaler::SetBufferProperty - DCOMPOSITIONTAG_NATURALANIMATIONSCENARIOGUID DCoc - win32kbase!DirectComposition::CContainerShapeMarshaler::_allocate - DCOMPOSITIONTAG_CONTAINERSHAPEMARSHALER DCos - win32kbase!DirectComposition::CSpriteShapeMarshaler::_allocate - DCOMPOSITIONTAG_SPRITESHAPEMARSHALER DCpb - win32kbase!DirectComposition::CPropertySetMarshaler::_allocate - DCOMPOSITIONTAG_PROPERTYSETMARSHALER DCpc - win32kbase!DirectComposition::CPrimitveColorMarshaler::_allocate - DCOMPOSITIONTAG_PRIMITIVECOLORMARSHALER DCpd - win32kbase!DirectComposition::CProcessData::_allocate - DCOMPOSITIONTAG_PROCESSDATA DCpg - win32kbase!DirectComposition::CPrimitiveGroupMarshaler::_allocate - DCOMPOSITIONTAG_PRIMITIVEGROUPMARSHALER DCpl - win32kbase!DirectComposition::PropertySetKernelModeAllocator::AllocateAndClear - DCOMPOSITIONTAG_PROPERTYSETSTORAGE DCpo - win32kbase!DirectComposition::CCompositionPointLight::_allocate - DCOMPOSITIONTAG_POINTLIGHTMARSHALER DCpr - win32kbase!DirectComposition::CPrimitiveMarshaler::_allocate - DCOMPOSITIONTAG_PRIMITIVEMARSHALER DCpy - win32kbase!DirectComposition::CPathGeometryMarshaler::_allocate - DCOMPOSITIONTAG_PATHGEOMETRYMARSHALER DCqa - win32kbase!DirectComposition::CParticleBaseBehaviorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEBASEBEHAVIORMARSHALER DCqb - win32kbase!DirectComposition::CParticleBehaviorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEBEHAVIORSMARSHALER DCqc - win32kbase!DirectComposition::CParticleColorRangeMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLECOLORRANGEMARSHALER DCqd - win32kbase!DirectComposition::CParticleColorBehaviorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLECOLORBEHAVIORMARSHALER DCqe - win32kbase!DirectComposition::CParticleScalarBehaviorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLESCALARBEHAVIORMARSHALER DCqf - win32kbase!DirectComposition::CParticleVector2BehaviorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEVECTOR2BEHAVIORMARSHALER DCqg - win32kbase!DirectComposition::CParticleGeneratorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEGENERATORMARSHALER DCqh - win32kbase!DirectComposition::CParticleVector4BehaviorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEVECTOR4BEHAVIORMARSHALER DCqi - win32kbase!DirectComposition::CParticleVector3BehaviorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEVECTOR3BEHAVIORMARSHALER DCqr - win32kbase!DirectComposition::CParticleAttractorMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEATTRACTORMARSHALER DCqv - win32kbase!DirectComposition::CParticleEmitterVisualMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEEMITTERVISUALMARSHALER DCqw - win32kbase!DirectComposition::CParticleVector4RangeMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEVECTOR4RANGEMARSHALER DCqx - win32kbase!DirectComposition::CParticleScalarRangeMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLESCALARRANGEMARSHALER DCqy - win32kbase!DirectComposition::CParticleSizeRangeMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLESIZERANGEMARSHALER DCqz - win32kbase!DirectComposition::CParticleDirectionRangeMarshaler::_allocate - DCOMPOSITIONTAG_PARTICLEDIRECTIONRANGEMARSHALER DCr3 - win32kbase!DirectComposition::CRotateTransform3DMarshaler::_allocate - DCOMPOSITIONTAG_ROTATETRANSFORM3DMARSHALER DCrc - win32kbase!DirectComposition::CRectangleClipMarshaler::_allocate - DCOMPOSITIONTAG_RECTANGLECLIPMARSHALER DCrf - win32kbase!DirectComposition::CVisualReferenceControllerMarshaler::_allocate - DCOMPOSITIONTAG_VISUALREFERENCECONTROLLERMARSHALER DCrg - win32kbase!DirectComposition::CRegionGeometryMarshaler::_allocate - DCOMPOSITIONTAG_REGIONGEOMETRYMARSHALER DCro - win32kbase!DirectComposition::CRotateTransformMarshaler::_allocate - DCOMPOSITIONTAG_ROTATETRANSFORMMARSHALER DCrt - win32kbase!DirectComposition::CResourceTable::_allocate - DCOMPOSITIONTAG_RESOURCETABLE DCrv - win32kbase!DirectComposition::CRedirectVisualMarshaler::_allocate - DCOMPOSITIONTAG_REDIRECTVISUALMARSHALER DCs0 - win32kbase!DirectComposition::CSharedResourceMarshaler::_allocate - DCOMPOSITIONTAG_SHAREDRESOURCEMARSHALER DCs3 - win32kbase!DirectComposition::CScaleTransform3DMarshaler::_allocate - DCOMPOSITIONTAG_SCALETRANSFORM3DMARSHALER DCsa - win32kbase!DirectComposition::CSnapshotMarshaler::_allocate - DCOMPOSITIONTAG_SNAPSHOTMARSHALER DCsb - win32kbase!DirectComposition::CCompositionSkyBoxBrushMarshaler::_allocate - DCOMPOSITIONTAG_SKYBOXBRUSHMARSHALER DCsc - win32kbase!DirectComposition::CSystemChannel::_allocate - DCOMPOSITIONTAG_SYSTEMCHANNEL DCsd - win32kbase!DirectComposition::CSpriteShapeMarshaler::SetBufferProperty - DCOMPOSITIONTAG_STROKEDASHARRAY DCse - win32kbase!DirectComposition::CSynchronizationManager::_allocate - DCOMPOSITIONTAG_SYNCHRONIZATIONENTRY DCsf - win32kbase!DirectComposition::CCrossContainerGuestReadWriteSharedSectionMarshaler - DCOMPOSITIONTAG_CROSSCONTAINERGUESTREADWRITESHAREDSECTIONMARSHALER DCsg - win32kbase!DirectComposition::CCrossContainerHostReadOnlySharedSectionMarshaler - DCOMPOSITIONTAG_CROSSCONTAINERHOSTREADONLYSHAREDSECTIONMARSHALER DCsh - win32kbase!DirectComposition::CShapeVisualMarshaler::_allocate - DCOMPOSITIONTAG_SHAPEVISUALMARSHALER DCsl - win32kbase!DirectComposition::CScalarMarshaler::_allocate - DCOMPOSITIONTAG_SCALARMARSHALER DCso - win32kbase!DirectComposition::CSemaphore::_allocate - DCOMPOSITIONTAG_SEMAPHORE DCsp - win32kbase!DirectComposition::CCompositionSpotLight::_allocate - DCOMPOSITIONTAG_SPOTLIGHTMARSHALER DCsr - win32kbase!DirectComposition::CDataSourceReaderMarshaler::_allocate - DCOMPOSITIONTAG_DATASOURCEREADERMARSHALER DCss - win32kbase!DirectComposition::CSharedSectionMarshaler - DCOMPOSITIONTAG_SHAREDSECTIONMARSHALER DCst - win32kbase!DirectComposition::CScaleTransformMarshaler::_allocate - DCOMPOSITIONTAG_SCALETRANSFORMMARSHALER DCsu - win32kbase!DirectComposition::CSuperWetInkVisualMarshaler::_allocate - DCOMPOSITIONTAG_SUPERWETINKVISUALMARSHALER DCsv - win32kbase!DirectComposition::CSpriteVisualMarshaler::_allocate - DCOMPOSITIONTAG_SPRITEVISUALMARSHALER DCsw - win32kbase!DirectComposition::CCompositionSurfaceWrapperMarshaler::_allocate - DCOMPOSITIONTAG_SURFACEWRAPPERMARSHALER DCsy - win32kbase!DirectComposition::CSynchronousSuperWetInkMarshaler::_allocate - DCOMPOSITIONTAG_SYNCHRONOUSSUPERWETINKMARSHALER DCsz - win32kbase!DirectComposition::CSolidColorLegacyMilBrushMarshaler::_allocate - DCOMPOSITIONTAG_SOLIDCOLORLEGACYMILBRUSHMARSHALER DCt3 - win32kbase!DirectComposition::CTranslateTransform3DMarshaler::_allocate - DCOMPOSITIONTAG_TRANSLATETRANSFORM3DMARSHALER DCtc - win32kbase!DirectComposition::CTileClumpMarshaler::_allocate - DCOMPOSITIONTAG_TILECLUMPMARSHALER DCtg - win32kbase!DirectComposition::CTransformGroupMarshaler::_allocate - DCOMPOSITIONTAG_TRANSFORMGROUPMARSHALER DCtl - win32kbase!DirectComposition::CCompositionTextLineMarshaler::_allocate - DCOMPOSITIONTAG_COMPOSITIONTEXTLINEMARSHALER DCto - win32kbase!DirectComposition::CTelemetryInfo::_allocate - DCOMPOSITIONTAG_TELEMETRYINFO DCtr - win32kbase!DirectComposition::CAnimationTriggerMarshaler::_allocate - DCOMPOSITIONTAG_ANIMATIONTRIGGERMARSHALER DCts - win32kbase!DirectComposition::_allocate - DCOMPOSITIONTAG_TELEMETRYSTRING DCtt - win32kbase!DirectComposition::CTranslateTransformMarshaler::_allocate - DCOMPOSITIONTAG_TRANSLATETRANSFORMMARSHALER DCtv - win32kbase!DirectComposition::CTextVisualMarshaler::_allocate - DCOMPOSITIONTAG_TEXTVISUALMARSHALER DCvb - win32kbase!DirectComposition::CViewBoxMarshaler::_allocate - DCOMPOSITIONTAG_VIEWBOXMARSHALER DCvc - win32kbase!DirectComposition::CVisualMarshaler::AllocateChildrenArray - DCOMPOSITIONTAG_VISUALMARSHALERCHILDREN DCvg - win32kbase!DirectComposition::CVisualGroupMarshaler::_allocate - DCOMPOSITIONTAG_VISUALGROUPMARSHALER DCvi - win32kbase!DirectComposition::CVisualMarshaler::_allocate - DCOMPOSITIONTAG_VISUALMARSHALER DCvm - win32kbase!DirectComposition::CVirtualMonitorCaptureRenderTargetMarshaler::_allocate - DCOMPOSITIONTAG_VIRTUALMONITORCAPTURERENDERTARGETMARSHALER DCvr - win32kbase!DirectComposition::CVisualCaptureMarshaler::_allocate - DCOMPOSITIONTAG_VISUALCAPTUREMARSHALER DCvs - win32kbase!DirectComposition::CVirtualSurfaceMarshaler::_allocate - DCOMPOSITIONTAG_VIRTUALSURFACEMARSHALER DCvt - win32kbase!DirectComposition::CVisualTargetMarshaler::_allocate - DCOMPOSITIONTAG_VISUALTARGETMARSHALER DCvx - win32kbase!DirectComposition::CVisualBitmapMarshaler::_allocate - DCOMPOSITIONTAG_VISUALBITMAPMARSHALER DCwn - win32kbase!DirectComposition::CWindowNodeMarshaler::_allocate - DCOMPOSITIONTAG_WINDOWNODEMARSHALER DCwr - win32kbase!DirectComposition::CWeakReferenceBase::_allocate - DCOMPOSITIONTAG_WEAKREFERENCE DCwt - win32kbase!DirectComposition::CApplicationChannel::GetWeakReferenceBase - DCOMPOSITIONTAG_WEAKREFERENCETABLEENTRY DCxc - win32kbase!DirectComposition::CCrossChannelChildVisualMarshaler::_allocate - DCOMPOSITIONTAG_CROSSCHANNELCHILDVISUALMARSHALER DCxp - win32kbase!DirectComposition::CCrossChannelParentVisualMarshaler::_allocate - DCOMPOSITIONTAG_CROSSCHANNELPARENTVISUALMARSHALER DCys - win32kbase!DirectComposition::CYCbCrSurfaceMarshaler::_allocate - DCOMPOSITIONTAG_YCBCRSURFACEMARSHALER DCzc - win32kbase!DirectComposition::CProjectedShadowCasterMarshaler::_allocate - DCOMPOSITIONTAG_PROJECTEDSHADOWCASTERMARSHALER DCze - win32kbase!DirectComposition::CSceneMesh::_allocate - DCOMPOSITIONTAG_SCENEMESHMARSHALER DCzg - win32kbase!DirectComposition::CSharedSectionWrapperMarshaler::_allocate - DCOMPOSITIONTAG_SHAREDSECTIONWRAPPERMARSHALER DCzh - win32kbase!DirectComposition::CSceneMeshRendererComponentMarshaler::_allocate - DCOMPOSITIONTAG_SCENEMESHRENDERERCOMPONENTMARSHALER DCzr - win32kbase!DirectComposition::CProjectedShadowReceiverMarshaler::_allocate - DCOMPOSITIONTAG_PROJECTEDSHADOWRECEIVERMARSHALER DCzs - win32kbase!DirectComposition::CProjectedShadowSceneMarshaler::_allocate - DCOMPOSITIONTAG_PROJECTEDSHADOWSCENEMARSHALER DCzt - win32kbase!DirectComposition::CSceneNode::_allocate - DCOMPOSITIONTAG_SCENENODEMARSHALER DCzv - win32kbase!DirectComposition::CSceneVisualMarshaler::_allocate - DCOMPOSITIONTAG_SCENEVISUALMARSHALER DCzx - win32kbase!DirectComposition::CProxyGeometryClipMarshaler::_allocate - DCOMPOSITIONTAG_PROXYGEOMETRYCLIPMARSHALER DCzy - win32kbase!DirectComposition::CSpatialRemarshalerMarshaler::_allocate - DCOMPOSITIONTAG_SPATIALREMARSHALERMARSHALER DCzz - win32kbase!DirectComposition::CSceneModelTransformMarshaler::_allocate - DCOMPOSITIONTAG_SCENEMODELTRANSFORMMARSHALER CSMb - dxgkrnl!CCompositionBuffer::Create - COMPOSITIONSURFACEMANAGER_BUFFER CSMr - dxgkrnl!CBufferRealization::Create - COMPOSITIONSURFACEMANAGER_REALIZATION CSMi - dxgkrnl!NtOpenCompositionSurfaceRealizationInfo - COMPOSITIONSURFACEMANAGER_REALIZATIONINFOBUFFER TMcb - dxgkrnl!CCompositionToken::Initialize - TOKENMANAGER_COMPOSITIONTOKENBUFFER TMcc - dxgkrnl!CCompositionFrameCollection - TOKENMANAGER_COMPOSITIONFRAMECOLLECTION TMce - dxgkrnl!CCompositionFrame::TokenTableEntry::Allocate - TOKENMANAGER_TOKENTABLEENTRY TMcf - dxgkrnl!CCompositionFrame::Create - TOKENMANAGER_COMPOSITIONFRAME TMlt - dxgkrnl!CTokenManager::EnsureLegacyTokenBuffer - TOKENMANAGER_LEGACYTOKENBUFFER TMsg - dxgkrnl!CreateSessionTokenManager - TOKENMANAGER_SESSIONGLOBAL TMtb - dxgkrnl!CLegacyTokenBuffer::TokenBlock::Create - TOKENMANAGER_TOKENBLOCK TMte - dxgkrnl!CTokenManager::TokenQueueTableEntry::Allocate - TOKENMANAGER_TOKENQUEUETABLEENTRY TMto - dxgkrnl!CToken::Create - TOKENMANAGER_TOKENOBJECT TMtq - dxgkrnl!CTokenQueue::Create - TOKENMANAGER_TOKENQUEUE TMac - dxgkrnl!CAdapter::Create - TOKENMANAGER_ADAPTER TMcc - dxgkrnl!CAdapterCollection::Create - TOKENMANAGER_ADAPTERCOLLECTION IMhq - win32k!CInputQueue::Create - INPUTMANAGER_INPUTQUEUE IMsg - win32k!CInputManager::Create - INPUTMANAGER_SESSIONGLOBAL FCai - dxgkrnl!CEndpointResourceStateManager::PrepareTokenInitInfoForDWM - FLIPCONTENT_AUXILIARYPRESENTINFO FCbm - dxgkrnl!CBackchannelManager::CBackchannelManager - FLIPCONTENT_BACKCHANNELMANAGER FCbr - dxgkrnl!CPoolBufferResource::Create - FLIPCONTENT_BUFFERRESOURCE FCbs - dxgkrnl!CPoolBufferResourceState::operator new - FLIPCONTENT_BUFFERRESOURCESTATE FCcr - dxgkrnl!CContentResource::Create - FLIPCONTENT_CONTENTRESOURCE FCcm - dxgkrnl!CFlipConsumerMessage::operator new - FLIPCONTENT_CONSUMERMESSAGE FCii - dxgkrnl!CEndpointResourceStateManager::PrepareTokenInitInfoForDWM - FLIPCONTENT_INDEPENDENTFLIPINFO FCpb - dxgkrnl!CreateFlipPropertySet - FLIPCONTENT_PROPERTYBLOBBUFFER FCpc - dxgkrnl!CFlipPresentCancel::operator new - FLIPCONTENT_PRESENTCANCEL FCph - dxgkrnl!CFlipManager::Initialize - FLIPCONTENT_DEBUG_PRESENTHISTORY FCpi - dxgkrnl!CreateFlipPropertySet - FLIPCONTENT_PROPERTYBLOBINDEXBUFFER FCps - dxgkrnl!CFlipPropertySet::operator new - FLIPCONTENT_PROPERTYSET FCpu - dxgkrnl!CFlipManager::ProcessTokenCreate - FLIPCONTENT_PRESENTUPDATE FCrs - dxgkrnl!CContentResourceState::operator new - FLIPCONTENT_CONTENTRESOURCESTATE FCsb - dxgkrnl!CEndpointResourceStateManager::PrepareBufferSignals - FLIPCONTENT_SIGNAL_BUFFERARRAY FCsi - dxgkrnl!CFlipManagerSignal::operator new - FLIPCONTENT_SIGNAL FCub - dxgkrnl!CEndpointResourceStateManager::PrepareIncrementalUpdateForStateManager - FLIPCONTENT_INCREMENTALRESOURCEUPDATEFORCONSUMER FCuu - dxgkrnl!CEndpointResourceStateManager::PrepareIncrementalUpdateForUser - FLIPCONTENT_INCREMENTALRESOURCEUPDATEFORUSER FCwr - dxgkrnl!CFlipWaitedConsumerReturn::operator new - FLIPCONTENT_WAITEDCONSUMERRETURN  ================================================ FILE: SystemInformer/runas.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2013 * dmex 2018-2023 * */ /* * The run-as mechanism has three stages: * 1. The user enters the information into the dialog box. Here it is decided whether the run-as * service is needed. If it is not, PhCreateProcessAsUser is called directly. Otherwise, * PhExecuteRunAsCommand2 is called for stage 2. * 2. PhExecuteRunAsCommand2 creates a random service name and tries to create the service and * execute it (using PhExecuteRunAsCommand). If the process has insufficient permissions, an * elevated instance of phsvc is started and PhSvcCallExecuteRunAsCommand is called. * 3. The service is started, and sets up an instance of phsvc with the same random service name as * its port name. Either the original or elevated Process Hacker instance then calls * PhSvcCallInvokeRunAsService to complete the operation. */ /* * * ProcessHacker.exe (user, limited privileges) * * | ^ * | | | phsvc API (LPC) * | | | * | v | * ProcessHacker.exe (user, full privileges) * | ^ | ^ * | | SCM API (RPC) | | * | | | | * v | | | phsvc API (LPC) * services.exe | | * * | | * | | | * | | | * | v | * ProcessHacker.exe (NT AUTHORITY\SYSTEM) * * * | * | * | * program.exe */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include typedef struct _RUNAS_DIALOG_CONTEXT { HWND WindowHandle; HWND ProgramComboBoxWindowHandle; HWND UserComboBoxWindowHandle; HWND TypeComboBoxWindowHandle; HWND PasswordEditWindowHandle; HWND SessionEditWindowHandle; HWND DesktopEditWindowHandle; HANDLE ProcessId; PPH_STRING CurrentWinStaName; } RUNAS_DIALOG_CONTEXT, *PRUNAS_DIALOG_CONTEXT; typedef struct _PH_RUNAS_SESSION_ITEM { ULONG SessionId; PPH_STRING SessionName; } PH_RUNAS_SESSION_ITEM, *PPH_RUNAS_SESSION_ITEM; typedef struct _PH_RUNAS_DESKTOP_ITEM { PPH_STRING DesktopName; } PH_RUNAS_DESKTOP_ITEM, *PPH_RUNAS_DESKTOP_ITEM; INT_PTR CALLBACK PhpRunAsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpRunFileWndProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhRunAsPackageWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ); NTSTATUS PhRunAsUpdateDesktop( _In_ PSID UserSid ); NTSTATUS PhRunAsUpdateWindowStation( _In_opt_ PSID UserSid, _In_opt_ PSID LogonSid ); //NTSTATUS PhSetDesktopWinStaAccess( // _In_ HWND WindowHandle // ); BOOLEAN PhRunAsExecuteCommandPrompt( _In_ HWND WindowHandle ); VOID PhpSplitUserName( _In_ PCWSTR UserName, _Out_opt_ PPH_STRING* DomainPart, _Out_opt_ PPH_STRING* UserPart ); static CONST PH_KEY_VALUE_PAIR PhpLogonTypePairs[] = { SIP(L"Batch", LOGON32_LOGON_BATCH), SIP(L"Interactive", LOGON32_LOGON_INTERACTIVE), SIP(L"Network", LOGON32_LOGON_NETWORK), SIP(L"New credentials", LOGON32_LOGON_NEW_CREDENTIALS), SIP(L"Service", LOGON32_LOGON_SERVICE) }; static WCHAR RunAsOldServiceName[32] = L""; static PH_QUEUED_LOCK RunAsOldServiceLock = PH_QUEUED_LOCK_INIT; static PPH_STRING RunAsServiceName; static SERVICE_STATUS_HANDLE RunAsServiceStatusHandle; static PHSVC_STOP RunAsServiceStop; VOID PhShowRunAsDialog( _In_ HWND ParentWindowHandle, _In_opt_ HANDLE ProcessId ) { PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_RUNAS), PhCsForceNoParent ? NULL : ParentWindowHandle, PhpRunAsDlgProc, ProcessId ); } BOOLEAN PhShowRunFileDialog( _In_ HWND ParentWindowHandle ) { // Note: Task Manager launches the command prompt instead of RunFileDlg // when holding CTRL and selecting the 'Run New Task' menu. (dmex) // Todo: The CTRL key is required for the menu hotkey. (GH #1859) //if (PhGetKeyState(VK_CONTROL)) //{ // if (PhRunAsExecuteCommandPrompt(ParentWindowHandle)) // return TRUE; //} if (PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_RUNFILEDLG), ParentWindowHandle, PhpRunFileWndProc, NULL ) == IDOK) { return TRUE; } return FALSE; // Removed from guisup.c (dmex) //BOOL (WINAPI *RunFileDlg_I)( // _In_ HWND hwndOwner, // _In_opt_ HICON hIcon, // _In_opt_ LPCWSTR lpszDirectory, // _In_opt_ LPCWSTR lpszTitle, // _In_opt_ LPCWSTR lpszDescription, // _In_ ULONG uFlags // ); //PVOID shell32Handle; // //if (shell32Handle = PhLoadLibrary(L"shell32.dll")) //{ // if (RunFileDlg_I = PhGetDllBaseProcedureAddress(shell32Handle, NULL, 61)) // { // result = !!RunFileDlg_I( // WindowHandle, // WindowIcon, // WorkingDirectory, // WindowTitle, // WindowDescription, // Flags // ); // } // // PhFreeLibrary(shell32Handle); //} } VOID PhShowRunAsPackageDialog( _In_ HWND ParentWindowHandle ) { PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_RUNPACKAGE), NULL, PhRunAsPackageWndProc, PhCsForceNoParent ? NULL : ParentWindowHandle ); } BOOLEAN IsServiceAccount( _In_ PPH_STRING UserName ) { BOOLEAN serviceAccount = FALSE; PPH_STRING localSystemSidName; PPH_STRING localServiceSidName; PPH_STRING localNetworkSidName; localSystemSidName = PhGetSidFullName((PSID)&PhSeLocalSystemSid, TRUE, NULL); localServiceSidName = PhGetSidFullName((PSID)&PhSeLocalServiceSid, TRUE, NULL); localNetworkSidName = PhGetSidFullName((PSID)&PhSeNetworkServiceSid, TRUE, NULL); if ( PhEqualString(localSystemSidName, UserName, TRUE) || PhEqualString(localServiceSidName, UserName, TRUE) || PhEqualString(localNetworkSidName, UserName, TRUE) ) { serviceAccount = TRUE; } PhDereferenceObject(localNetworkSidName); PhDereferenceObject(localServiceSidName); PhDereferenceObject(localSystemSidName); return serviceAccount; } BOOLEAN IsCurrentUserAccount( _In_ PPH_STRING UserName ) { PPH_STRING userName; if (userName = PhGetTokenUserString(PhGetOwnTokenAttributes().TokenHandle, TRUE)) { if (PhEndsWithString(userName, UserName, TRUE)) { PhDereferenceObject(userName); return TRUE; } PhDereferenceObject(userName); } return FALSE; } PPH_STRING PhpGetCurrentDesktopInfo( VOID ) { PPH_STRING desktopInfo = NULL; PPH_STRING winstationName = NULL; PPH_STRING desktopName = NULL; winstationName = PhGetCurrentWindowStationName(); desktopName = PhGetCurrentThreadDesktopName(); if (winstationName && desktopName) { desktopInfo = PhConcatStringRef3(&winstationName->sr, &PhNtPathSeparatorString, &desktopName->sr); } if (PhIsNullOrEmptyString(desktopInfo)) { PhMoveReference(&desktopInfo, PhCreateStringFromUnicodeString(&NtCurrentPeb()->ProcessParameters->DesktopInfo)); } if (winstationName) PhDereferenceObject(winstationName); if (desktopName) PhDereferenceObject(desktopName); return desktopInfo; } BOOLEAN PhpEnumerateRecentProgramsToComboBox( _In_ PPH_STRINGREF Command, _In_ PVOID Context ) { ComboBox_AddString(Context, PhGetStringRefZ(Command)); return TRUE; } NTSTATUS PhpEnumerateAccountsToComboBox( _In_ PPH_STRINGREF AccountName, _In_ PVOID Context ) { ComboBox_AddString(Context, PhGetStringRefZ(AccountName)); return STATUS_SUCCESS; } static VOID PhpAddProgramsToComboBox( _In_ HWND ComboBoxHandle ) { PhDeleteComboBoxStrings(ComboBoxHandle, TRUE); PhEnumerateRecentList(PhpEnumerateRecentProgramsToComboBox, ComboBoxHandle); } static VOID PhpAddAccountsToComboBox( _In_ HWND ComboBoxHandle ) { PhDeleteComboBoxStrings(ComboBoxHandle, TRUE); ComboBox_AddString(ComboBoxHandle, PH_AUTO_T(PH_STRING, PhGetSidFullName((PSID)&PhSeLocalSystemSid, TRUE, NULL))->Buffer); ComboBox_AddString(ComboBoxHandle, PH_AUTO_T(PH_STRING, PhGetSidFullName((PSID)&PhSeLocalServiceSid, TRUE, NULL))->Buffer); ComboBox_AddString(ComboBoxHandle, PH_AUTO_T(PH_STRING, PhGetSidFullName((PSID)&PhSeNetworkServiceSid, TRUE, NULL))->Buffer); PhEnumerateAccounts(PhpEnumerateAccountsToComboBox, ComboBoxHandle); } static VOID PhpFreeSessionsComboBox( _In_ HWND ComboBoxHandle ) { PPH_RUNAS_SESSION_ITEM entry; INT total; INT i; if ((total = ComboBox_GetCount(ComboBoxHandle)) == CB_ERR) return; for (i = 0; i < total; i++) { entry = (PPH_RUNAS_SESSION_ITEM)ComboBox_GetItemData(ComboBoxHandle, i); if (entry->SessionName) PhDereferenceObject(entry->SessionName); PhFree(entry); } ComboBox_ResetContent(ComboBoxHandle); } static VOID PhpAddSessionsToComboBox( _In_ HWND ComboBoxHandle ) { PSESSIONIDW sessions; ULONG numberOfSessions; ULONG i; PhpFreeSessionsComboBox(ComboBoxHandle); if (WinStationEnumerateW(WINSTATION_CURRENT_SERVER, &sessions, &numberOfSessions)) { for (i = 0; i < numberOfSessions; i++) { PPH_STRING menuString; WINSTATIONINFORMATION winStationInfo; ULONG returnLength; if (!WinStationQueryInformationW( WINSTATION_CURRENT_SERVER, sessions[i].SessionId, WinStationInformation, &winStationInfo, sizeof(WINSTATIONINFORMATION), &returnLength )) { winStationInfo.Domain[0] = UNICODE_NULL; winStationInfo.UserName[0] = UNICODE_NULL; } if ( winStationInfo.UserName[0] != UNICODE_NULL && sessions[i].WinStationName[0] != UNICODE_NULL ) { SIZE_T formatLength; PH_FORMAT format[8]; WCHAR formatBuffer[0x80]; // %lu: %s (%s\\%s) PhInitFormatU(&format[0], sessions[i].SessionId); PhInitFormatS(&format[1], L": "); PhInitFormatS(&format[2], sessions[i].WinStationName); PhInitFormatS(&format[3], L" ("); PhInitFormatS(&format[4], winStationInfo.Domain); PhInitFormatC(&format[5], L'\\'); PhInitFormatS(&format[6], winStationInfo.UserName); PhInitFormatC(&format[7], L')'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &formatLength)) { PH_STRINGREF text; text.Length = formatLength - sizeof(UNICODE_NULL); text.Buffer = formatBuffer; menuString = PhCreateString2(&text); } else { //menuString = PhFormatString(L"%lu: %s (%s\\%s)", // sessions[i].SessionId, // sessions[i].WinStationName, // winStationInfo.Domain, // winStationInfo.UserName // ); menuString = PhFormat(format, RTL_NUMBER_OF(format), 0); } } else if (winStationInfo.UserName[0] != UNICODE_NULL) { menuString = PhFormatString(L"%lu: %s\\%s", sessions[i].SessionId, winStationInfo.Domain, winStationInfo.UserName ); } else if (sessions[i].WinStationName[0] != UNICODE_NULL) { SIZE_T formatLength; PH_FORMAT format[3]; WCHAR formatBuffer[0x80]; // %lu: %s PhInitFormatU(&format[0], sessions[i].SessionId); PhInitFormatS(&format[1], L": "); PhInitFormatS(&format[2], sessions[i].WinStationName); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &formatLength)) { PH_STRINGREF text; text.Length = formatLength - sizeof(UNICODE_NULL); text.Buffer = formatBuffer; menuString = PhCreateString2(&text); } else { //menuString = PhFormatString(L"%lu: %s", // sessions[i].SessionId, // sessions[i].WinStationName // ); menuString = PhFormat(format, RTL_NUMBER_OF(format), 0); } } else { menuString = PhFormatUInt64(sessions[i].SessionId, FALSE); } { PPH_RUNAS_SESSION_ITEM entry; INT itemIndex; entry = PhAllocate(sizeof(PH_RUNAS_SESSION_ITEM)); entry->SessionId = sessions[i].SessionId; entry->SessionName = menuString; if ((itemIndex = ComboBox_AddString(ComboBoxHandle, menuString->Buffer)) != CB_ERR) { ComboBox_SetItemData(ComboBoxHandle, itemIndex, entry); } } } WinStationFreeMemory(sessions); } } typedef struct _RUNAS_DIALOG_DESKTOP_CALLBACK { PPH_LIST DesktopList; PPH_STRING WinStaName; } RUNAS_DIALOG_DESKTOP_CALLBACK, *PRUNAS_DIALOG_DESKTOP_CALLBACK; static BOOL CALLBACK EnumDesktopsCallback( _In_ PWSTR DesktopName, _In_ LPARAM Context ) { PRUNAS_DIALOG_DESKTOP_CALLBACK context = (PRUNAS_DIALOG_DESKTOP_CALLBACK)Context; PhAddItemList(context->DesktopList, PhConcatStrings( 3, PhGetString(context->WinStaName), L"\\", DesktopName )); return TRUE; } static VOID PhpFreeDesktopsComboBox( _In_ HWND ComboBoxHandle ) { PPH_RUNAS_DESKTOP_ITEM entry; INT total; INT i; if ((total = ComboBox_GetCount(ComboBoxHandle)) == CB_ERR) return; for (i = 0; i < total; i++) { entry = (PPH_RUNAS_DESKTOP_ITEM)ComboBox_GetItemData(ComboBoxHandle, i); if (entry->DesktopName) PhDereferenceObject(entry->DesktopName); PhFree(entry); } ComboBox_ResetContent(ComboBoxHandle); } static VOID PhpAddDesktopsToComboBox( _In_ HWND ComboBoxHandle ) { ULONG i; RUNAS_DIALOG_DESKTOP_CALLBACK callback; PhpFreeDesktopsComboBox(ComboBoxHandle); callback.DesktopList = PhCreateList(10); callback.WinStaName = PhGetCurrentWindowStationName(); EnumDesktops(GetProcessWindowStation(), EnumDesktopsCallback, (LPARAM)&callback); for (i = 0; i < callback.DesktopList->Count; i++) { INT itemIndex = ComboBox_AddString( ComboBoxHandle, PhGetString(callback.DesktopList->Items[i]) ); if (itemIndex != CB_ERR) { PPH_RUNAS_DESKTOP_ITEM entry; entry = PhAllocate(sizeof(PH_RUNAS_DESKTOP_ITEM)); entry->DesktopName = callback.DesktopList->Items[i]; ComboBox_SetItemData(ComboBoxHandle, itemIndex, entry); } } PhDereferenceObject(callback.DesktopList); PhDereferenceObject(callback.WinStaName); } VOID SetDefaultProgramEntry( _In_ HWND ComboBoxHandle ) { //Edit_SetText(ComboBoxHandle, PhaGetStringSetting(SETTING_RUN_AS_PROGRAM)->Buffer); ComboBox_SetCurSel(ComboBoxHandle, 0); } VOID SetDefaultUserEntry( _In_ PRUNAS_DIALOG_CONTEXT Context, _In_ HWND WindowHandle, _In_ HWND ComboBoxHandle ) { if (!Context->ProcessId) { PPH_STRING runAsUserName = PhaGetStringSetting(SETTING_RUN_AS_USER_NAME); INT runAsUserNameIndex = CB_ERR; // Fire the user name changed event so we can fix the logon type. if (!PhIsNullOrEmptyString(runAsUserName)) { runAsUserNameIndex = ComboBox_FindString( ComboBoxHandle, 0, PhGetString(runAsUserName) ); } if (runAsUserNameIndex != CB_ERR) ComboBox_SetCurSel(ComboBoxHandle, runAsUserNameIndex); else ComboBox_SetCurSel(ComboBoxHandle, 0); SendMessage(WindowHandle, WM_COMMAND, MAKEWPARAM(IDC_USERNAME, CBN_EDITCHANGE), 0); } else { HANDLE processHandle; HANDLE tokenHandle; PPH_STRING userName; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Context->ProcessId ))) { if (NT_SUCCESS(PhOpenProcessToken( processHandle, TOKEN_QUERY, &tokenHandle ))) { if (userName = PhGetTokenUserString(tokenHandle, TRUE)) { PhSetWindowText(ComboBoxHandle, userName->Buffer); PhDereferenceObject(userName); } NtClose(tokenHandle); } NtClose(processHandle); } EnableWindow(Context->UserComboBoxWindowHandle, FALSE); EnableWindow(Context->PasswordEditWindowHandle, FALSE); EnableWindow(Context->TypeComboBoxWindowHandle, FALSE); } } VOID SetDefaultSessionEntry( _In_ HWND ComboBoxHandle ) { INT sessionCount; ULONG currentSessionId = 0; if (!NT_SUCCESS(PhGetProcessSessionId(NtCurrentProcess(), ¤tSessionId))) return; if ((sessionCount = ComboBox_GetCount(ComboBoxHandle)) == CB_ERR) return; for (INT i = 0; i < sessionCount; i++) { PPH_RUNAS_SESSION_ITEM entry = (PPH_RUNAS_SESSION_ITEM)ComboBox_GetItemData(ComboBoxHandle, i); if (entry && entry->SessionId == currentSessionId) { ComboBox_SetCurSel(ComboBoxHandle, i); break; } } } VOID SetDefaultDesktopEntry( _In_ PRUNAS_DIALOG_CONTEXT Context, _In_ HWND ComboBoxHandle ) { INT sessionCount; PPH_STRING desktopName; if (!(desktopName = PhpGetCurrentDesktopInfo())) return; if ((sessionCount = ComboBox_GetCount(ComboBoxHandle)) == CB_ERR) { PhClearReference(&desktopName); return; } for (INT i = 0; i < sessionCount; i++) { PPH_RUNAS_DESKTOP_ITEM entry = (PPH_RUNAS_DESKTOP_ITEM)ComboBox_GetItemData(ComboBoxHandle, i); if (PhEqualStringRef(&entry->DesktopName->sr, &desktopName->sr, TRUE)) { ComboBox_SetCurSel(ComboBoxHandle, i); break; } } PhClearReference(&desktopName); } _Success_(return) BOOLEAN PhRunAsGetLogonSid( _In_ HANDLE ProcessHandle, _Out_ PSID* UserSid, _Out_ PSID* LogonSid ) { PSID userSid = NULL; PSID groupSid = NULL; HANDLE tokenHandle; if (NT_SUCCESS(PhOpenProcessToken( ProcessHandle, TOKEN_QUERY, &tokenHandle ))) { PTOKEN_GROUPS tokenGroups = NULL; PH_TOKEN_USER tokenUser; if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser))) { userSid = PhAllocateCopy(tokenUser.User.Sid, PhLengthSid(tokenUser.User.Sid)); } if (NT_SUCCESS(PhGetTokenGroups( tokenHandle, &tokenGroups ))) { for (ULONG i = 0; i < tokenGroups->GroupCount; i++) { PSID_AND_ATTRIBUTES group = &tokenGroups->Groups[i]; if (FlagOn(group->Attributes, SE_GROUP_LOGON_ID)) { groupSid = PhAllocateCopy(group->Sid, PhLengthSid(group->Sid)); break; } } PhFree(tokenGroups); } } if (userSid && groupSid) { *UserSid = userSid; *LogonSid = groupSid; return TRUE; } if (userSid) PhFree(userSid); if (groupSid) PhFree(groupSid); return FALSE; } NTSTATUS PhRunAsExecutionAlias( _In_ PPH_STRING Command ) { NTSTATUS status = STATUS_NOT_IMPLEMENTED; PPH_STRING fullFileName = NULL; PPH_STRING commandString = NULL; PH_STRINGREF fileName; PH_STRINGREF arguments; commandString = PhExpandEnvironmentStrings(&Command->sr); if (PhIsNullOrEmptyString(commandString)) { PhMoveReference(&fullFileName, PhCreateString2(&Command->sr)); } PhParseCommandLineFuzzy(&commandString->sr, &fileName, &arguments, &fullFileName); if (PhIsNullOrEmptyString(fullFileName)) { PhMoveReference(&fullFileName, PhCreateString2(&fileName)); } if (!PhIsNullOrEmptyString(fullFileName)) { // NOTE: The CreateProcess function will ignore PROC_THREAD_ATTRIBUTE_PARENT_PROCESS when redirecting execution // of the filename via execution alias. The new process incorrectly inherits our elevated process token // instead of using the non-elevated parent process. To work around the issue we execute the alias using the // WdcRunTaskAsInteractiveUser function and also skip resetting the token and current directory. (dmex) if (PhIsAppExecutionAliasTarget(fullFileName)) { status = STATUS_SUCCESS; } } PhClearReference(&fullFileName); PhClearReference(&commandString); return status; } NTSTATUS PhRunAsExecuteParentCommand( _In_ HWND WindowHandle, _In_ PCWSTR CommandLine, _In_ HANDLE ProcessId, _In_ BOOLEAN CreateSuspendedProcess ) { NTSTATUS status; HANDLE processHandle = NULL; HANDLE newProcessHandle = NULL; STARTUPINFOEX startupInfo = { 0 }; PPROC_THREAD_ATTRIBUTE_LIST attributeList = NULL; PSECURITY_DESCRIPTOR processSecurityDescriptor = NULL; PSECURITY_DESCRIPTOR tokenSecurityDescriptor = NULL; PVOID environment = NULL; HANDLE tokenHandle; ULONG flags = 0; status = PhOpenProcess( &processHandle, PROCESS_CREATE_PROCESS | (PhGetOwnTokenAttributes().Elevated ? PROCESS_QUERY_LIMITED_INFORMATION | READ_CONTROL : 0), ProcessId ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhInitializeProcThreadAttributeList(&attributeList, 1); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &processHandle, sizeof(HANDLE) ); if (!NT_SUCCESS(status)) goto CleanupExit; if (PhGetOwnTokenAttributes().Elevated) { PhGetObjectSecurity( processHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, &processSecurityDescriptor ); } if (NT_SUCCESS(PhOpenProcessToken( processHandle, TOKEN_QUERY | (PhGetOwnTokenAttributes().Elevated ? READ_CONTROL : 0), &tokenHandle ))) { if (PhGetOwnTokenAttributes().Elevated) { PhGetObjectSecurity( tokenHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, &tokenSecurityDescriptor ); } if (NT_SUCCESS(PhCreateEnvironmentBlock(&environment, tokenHandle, FALSE))) { flags |= PH_CREATE_PROCESS_UNICODE_ENVIRONMENT; } NtClose(tokenHandle); } memset(&startupInfo, 0, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfo.StartupInfo.dwFlags = STARTF_USESHOWWINDOW; startupInfo.StartupInfo.wShowWindow = SW_SHOWNORMAL; startupInfo.lpAttributeList = attributeList; status = PhCreateProcessWin32Ex( NULL, CommandLine, environment, NULL, &startupInfo, PH_CREATE_PROCESS_SUSPENDED | PH_CREATE_PROCESS_NEW_CONSOLE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | flags, NULL, NULL, &newProcessHandle, NULL ); if (NT_SUCCESS(status)) { PROCESS_BASIC_INFORMATION basicInfo; PSID userSid, logonSid; if (PhRunAsGetLogonSid(newProcessHandle, &userSid, &logonSid)) { status = PhRunAsUpdateDesktop(userSid); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhRunAsUpdateWindowStation(userSid, logonSid); if (!NT_SUCCESS(status)) goto CleanupExit; } if (PhGetOwnTokenAttributes().Elevated) { // Note: This is needed to workaround a severe bug with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS // where the process and token security descriptors are created without an ACE for the current user, // owned by the wrong user and with a High-IL when the process token is Medium-IL // preventing the new process from accessing user/system resources above Low-IL. (dmex) if (processSecurityDescriptor) { PhSetObjectSecurity( newProcessHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, processSecurityDescriptor ); } if (tokenSecurityDescriptor && NT_SUCCESS(PhOpenProcessToken( newProcessHandle, WRITE_DAC | WRITE_OWNER, &tokenHandle ))) { PhSetObjectSecurity( tokenHandle, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, tokenSecurityDescriptor ); NtClose(tokenHandle); } } if (!CreateSuspendedProcess) { if (NT_SUCCESS(PhGetProcessBasicInformation(newProcessHandle, &basicInfo))) { AllowSetForegroundWindow(HandleToUlong(basicInfo.UniqueProcessId)); } PhConsoleSetForeground(newProcessHandle, TRUE); NtResumeProcess(newProcessHandle); } } CleanupExit: if (newProcessHandle) { NtClose(newProcessHandle); } if (environment) { PhDestroyEnvironmentBlock(environment); } if (tokenSecurityDescriptor) { PhFree(tokenSecurityDescriptor); } if (processSecurityDescriptor) { PhFree(processSecurityDescriptor); } if (attributeList) { PhDeleteProcThreadAttributeList(attributeList); } if (processHandle) { NtClose(processHandle); } return status; } VOID PhRunAsExecuteCommmand( _In_ PRUNAS_DIALOG_CONTEXT Context, _In_ HANDLE ProcessId ) { NTSTATUS status; BOOLEAN useLinkedToken; BOOLEAN createSuspended; BOOLEAN createUIAccess; ULONG currentSessionId = ULONG_MAX; ULONG logonType = ULONG_MAX; ULONG sessionId = ULONG_MAX; PPH_STRING program = NULL; PPH_STRING username = NULL; PPH_STRING password = NULL; PPH_STRING logonTypeString; PPH_STRING desktopName = NULL; INT selectionIndex = CB_ERR; program = PH_AUTO(PhGetWindowText(Context->ProgramComboBoxWindowHandle)); username = PH_AUTO(PhGetWindowText(Context->UserComboBoxWindowHandle)); logonTypeString = PH_AUTO(PhGetWindowText(Context->TypeComboBoxWindowHandle)); useLinkedToken = Button_GetCheck(GetDlgItem(Context->WindowHandle, IDC_TOGGLEELEVATION)) == BST_CHECKED; createSuspended = Button_GetCheck(GetDlgItem(Context->WindowHandle, IDC_TOGGLESUSPENDED)) == BST_CHECKED; createUIAccess = Button_GetCheck(GetDlgItem(Context->WindowHandle, IDC_TOGGLEUIACCESS)) == BST_CHECKED; if (PhIsNullOrEmptyString(program)) return; if ((selectionIndex = ComboBox_GetCurSel(Context->SessionEditWindowHandle)) != CB_ERR) { PPH_RUNAS_SESSION_ITEM sessionEntry; if (sessionEntry = (PPH_RUNAS_SESSION_ITEM)ComboBox_GetItemData(Context->SessionEditWindowHandle, selectionIndex)) { sessionId = sessionEntry->SessionId; } } if ((selectionIndex = ComboBox_GetCurSel(Context->DesktopEditWindowHandle)) != CB_ERR) { PPH_RUNAS_DESKTOP_ITEM desktopEntry; if (desktopEntry = (PPH_RUNAS_DESKTOP_ITEM)ComboBox_GetItemData(Context->DesktopEditWindowHandle, selectionIndex)) { desktopName = desktopEntry->DesktopName; } } if (selectionIndex == CB_ERR) return; if (sessionId == ULONG_MAX) return; // Fix up the user name if it doesn't have a domain. if (PhFindCharInString(username, 0, L'\\') == SIZE_MAX) { PSID sid; PPH_STRING newUserName; if (NT_SUCCESS(PhLookupName(&username->sr, &sid, NULL, NULL))) { if (newUserName = PH_AUTO(PhGetSidFullName(sid, TRUE, NULL))) PhSwapReference(&username, newUserName); PhFree(sid); } } //if (IsCurrentUserAccount(username)) //{ // status = PhCreateProcessWin32( // NULL, // program->Buffer, // NULL, // NULL, // 0, // NULL, // NULL, // NULL // ); //} { PSID userSid; if (NT_SUCCESS(PhLookupName( &username->sr, &userSid, NULL, NULL ))) { status = PhRunAsUpdateDesktop(userSid); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhRunAsUpdateWindowStation(userSid, NULL); if (!NT_SUCCESS(status)) goto CleanupExit; } } if (!PhFindIntegerSiKeyValuePairs( PhpLogonTypePairs, sizeof(PhpLogonTypePairs), logonTypeString->Buffer, &logonType )) { PhShowStatus(Context->WindowHandle, L"Unable to start the program.", STATUS_INVALID_PARAMETER, 0); return; } if (!IsServiceAccount(username)) { password = PhGetWindowText(Context->PasswordEditWindowHandle); PhSetWindowText(Context->PasswordEditWindowHandle, L""); } PhGetProcessSessionId(NtCurrentProcess(), ¤tSessionId); if ( logonType == LOGON32_LOGON_INTERACTIVE && !ProcessId && sessionId == currentSessionId && !useLinkedToken ) { // We are eligible to load the user profile. // This must be done here, not in the service, because // we need to be in the target session. PH_CREATE_PROCESS_AS_USER_INFO createInfo; PPH_STRING domainPart = NULL; PPH_STRING userPart = NULL; HANDLE newProcessHandle; PhpSplitUserName(username->Buffer, &domainPart, &userPart); memset(&createInfo, 0, sizeof(PH_CREATE_PROCESS_AS_USER_INFO)); createInfo.CommandLine = PhGetString(program); createInfo.UserName = PhGetString(userPart); createInfo.DomainName = PhGetString(domainPart); createInfo.Password = PhGetStringOrEmpty(password); // Whenever we can, try not to set the desktop name; it breaks a lot of things. if (!PhIsNullOrEmptyString(desktopName) && !PhEqualString2(desktopName, L"WinSta0\\Default", TRUE)) createInfo.DesktopName = PhGetString(desktopName); status = PhCreateProcessAsUser( &createInfo, PH_CREATE_PROCESS_WITH_PROFILE | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | PH_CREATE_PROCESS_SUSPENDED, NULL, NULL, &newProcessHandle, NULL ); if (NT_SUCCESS(status)) { PROCESS_BASIC_INFORMATION basicInfo; PSID userSid, logonSid; if (PhRunAsGetLogonSid(newProcessHandle, &userSid, &logonSid)) { status = PhRunAsUpdateDesktop(userSid); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhRunAsUpdateWindowStation(userSid, logonSid); if (!NT_SUCCESS(status)) goto CleanupExit; } if (!createSuspended) { if (NT_SUCCESS(PhGetProcessBasicInformation(newProcessHandle, &basicInfo))) { AllowSetForegroundWindow(HandleToUlong(basicInfo.UniqueProcessId)); } PhConsoleSetForeground(newProcessHandle, TRUE); NtResumeProcess(newProcessHandle); } NtClose(newProcessHandle); } PhClearReference(&domainPart); PhClearReference(&userPart); } else { if (ProcessId) { status = PhRunAsExecutionAlias(program); if (!NT_SUCCESS(status)) { status = PhRunAsExecuteParentCommand( Context->WindowHandle, PhGetString(program), ProcessId, createSuspended ); } } else { status = PhExecuteRunAsCommand3( Context->WindowHandle, PhGetString(program), PhGetString(username), PhGetStringOrEmpty(password), logonType, ProcessId, sessionId, PhGetString(desktopName), useLinkedToken, createSuspended, createUIAccess ); } } CleanupExit: if (password) { RtlSecureZeroMemory(password->Buffer, password->Length); PhDereferenceObject(password); } if (!NT_SUCCESS(status)) { if (status != STATUS_CANCELLED) { if (status == STATUS_NOT_IMPLEMENTED) { PhShowError2( Context->WindowHandle, L"Unable to start the program.", L"%s", L"Unable to start the execution alias with a process token." ); } else { PhShowStatus( Context->WindowHandle, L"Unable to start the program.", status, 0 ); } } } else if (status != STATUS_TIMEOUT) { PhRecentListAddCommand(&program->sr); //PhSetStringSetting2(SETTING_RUN_AS_PROGRAM, &program->sr); PhSetStringSetting2(SETTING_RUN_AS_USER_NAME, &username->sr); EndDialog(Context->WindowHandle, IDOK); } } INT_PTR CALLBACK PhpRunAsDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PRUNAS_DIALOG_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(RUNAS_DIALOG_CONTEXT)); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->ProgramComboBoxWindowHandle = GetDlgItem(hwndDlg, IDC_PROGRAMCOMBO); context->SessionEditWindowHandle = GetDlgItem(hwndDlg, IDC_SESSIONCOMBO); context->DesktopEditWindowHandle = GetDlgItem(hwndDlg, IDC_DESKTOPCOMBO); context->TypeComboBoxWindowHandle = GetDlgItem(hwndDlg, IDC_TYPE); context->UserComboBoxWindowHandle = GetDlgItem(hwndDlg, IDC_USERNAME); context->PasswordEditWindowHandle = GetDlgItem(hwndDlg, IDC_PASSWORD); context->ProcessId = (HANDLE)lParam; PhSetApplicationWindowIcon(hwndDlg); if (PhValidWindowPlacementFromSetting(SETTING_RUN_AS_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_RUN_AS_WINDOW_POSITION, NULL, hwndDlg); else PhCenterWindow(hwndDlg, GetParent(hwndDlg)); if (PhGetIntegerSetting(SETTING_RUN_AS_ENABLE_AUTO_COMPLETE)) { COMBOBOXINFO info = { sizeof(COMBOBOXINFO) }; if (SendMessage(context->ProgramComboBoxWindowHandle, CB_GETCOMBOBOXINFO, 0, (LPARAM)&info)) { if (SHAutoComplete_Import()) SHAutoComplete_Import()(info.hwndItem, SHACF_DEFAULT); } } ComboBox_AddString(context->TypeComboBoxWindowHandle, L"Batch"); ComboBox_AddString(context->TypeComboBoxWindowHandle, L"Interactive"); ComboBox_AddString(context->TypeComboBoxWindowHandle, L"Network"); ComboBox_AddString(context->TypeComboBoxWindowHandle, L"New credentials"); ComboBox_AddString(context->TypeComboBoxWindowHandle, L"Service"); PhSelectComboBoxString(context->TypeComboBoxWindowHandle, L"Interactive", FALSE); PhpAddProgramsToComboBox(context->ProgramComboBoxWindowHandle); PhpAddAccountsToComboBox(context->UserComboBoxWindowHandle); PhpAddSessionsToComboBox(context->SessionEditWindowHandle); PhpAddDesktopsToComboBox(context->DesktopEditWindowHandle); SetDefaultProgramEntry(context->ProgramComboBoxWindowHandle); SetDefaultUserEntry(context, hwndDlg, context->UserComboBoxWindowHandle); SetDefaultSessionEntry(context->SessionEditWindowHandle); SetDefaultDesktopEntry(context, context->DesktopEditWindowHandle); PhSetDialogFocus(hwndDlg, context->ProgramComboBoxWindowHandle); Edit_SetSel(context->ProgramComboBoxWindowHandle, -1, -1); //if (!PhGetOwnTokenAttributes().Elevated) // Button_SetElevationRequiredState(GetDlgItem(hwndDlg, IDOK), TRUE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveWindowPlacementToSetting(SETTING_RUN_AS_WINDOW_POSITION, NULL, hwndDlg); PhpFreeDesktopsComboBox(context->DesktopEditWindowHandle); PhpFreeSessionsComboBox(context->SessionEditWindowHandle); PhDeleteComboBoxStrings(context->UserComboBoxWindowHandle, FALSE); PhDeleteComboBoxStrings(context->ProgramComboBoxWindowHandle, FALSE); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_CMD(wParam, lParam)) { case CBN_DROPDOWN: { if (GET_WM_COMMAND_HWND(wParam, lParam) == context->UserComboBoxWindowHandle) { //PhpAddAccountsToComboBox(context->UserComboBoxWindowHandle); } if (GET_WM_COMMAND_HWND(wParam, lParam) == context->SessionEditWindowHandle) { PhpAddSessionsToComboBox(context->SessionEditWindowHandle); SetDefaultSessionEntry(context->SessionEditWindowHandle); } if (GET_WM_COMMAND_HWND(wParam, lParam) == context->DesktopEditWindowHandle) { PhpAddDesktopsToComboBox(context->DesktopEditWindowHandle); SetDefaultDesktopEntry(context, context->DesktopEditWindowHandle); } } break; } switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: PhRunAsExecuteCommmand(context, context->ProcessId); break; case IDC_BROWSE: { static PH_FILETYPE_FILTER filters[] = { { L"Programs (*.exe;*.pif;*.com;*.bat)", L"*.exe;*.pif;*.com;*.bat" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; fileDialog = PhCreateOpenFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); PhSetFileDialogFileName(fileDialog, PH_AUTO_T(PH_STRING, PhGetWindowText(context->ProgramComboBoxWindowHandle))->Buffer); if (PhShowFileDialog(hwndDlg, fileDialog)) { PPH_STRING fileName; fileName = PhGetFileDialogFileName(fileDialog); PhSetWindowText(context->ProgramComboBoxWindowHandle, fileName->Buffer); PhDereferenceObject(fileName); } PhFreeFileDialog(fileDialog); } break; case IDC_USERNAME: { PPH_STRING username = NULL; if (!context->ProcessId && GET_WM_COMMAND_CMD(wParam, lParam) == CBN_SELCHANGE) { username = PH_AUTO(PhGetComboBoxString(context->UserComboBoxWindowHandle, INT_ERROR)); } else if (!context->ProcessId && ( GET_WM_COMMAND_CMD(wParam, lParam) == CBN_EDITCHANGE || GET_WM_COMMAND_CMD(wParam, lParam) == CBN_CLOSEUP )) { username = PH_AUTO(PhGetWindowText(context->UserComboBoxWindowHandle)); } if (username) { if (IsServiceAccount(username)) { EnableWindow(context->PasswordEditWindowHandle, FALSE); PhSelectComboBoxString(context->TypeComboBoxWindowHandle, L"Service", FALSE); } else { EnableWindow(context->PasswordEditWindowHandle, TRUE); PhSelectComboBoxString(context->TypeComboBoxWindowHandle, L"Interactive", FALSE); } } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } NTSTATUS PhRunAsUpdateDesktop( _In_ PSID UserSid ) { NTSTATUS status; HDESK desktopHandle; if (desktopHandle = OpenDesktop( L"Default", 0, FALSE, READ_CONTROL | WRITE_DAC | DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS )) { ULONG i; BOOLEAN currentDaclPresent; BOOLEAN currentDaclDefaulted; PACL currentDacl; PACE_HEADER currentAce; ULONG newDaclLength; PACL newDacl; SECURITY_DESCRIPTOR newSecurityDescriptor; PSECURITY_DESCRIPTOR currentSecurityDescriptor; status = PhGetObjectSecurity( desktopHandle, DACL_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (NT_SUCCESS(status)) { if (!NT_SUCCESS(PhGetDaclSecurityDescriptor( currentSecurityDescriptor, ¤tDaclPresent, ¤tDacl, ¤tDaclDefaulted ))) { currentDaclPresent = FALSE; } newDaclLength = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + PhLengthSid(UserSid); if (currentDaclPresent && currentDacl) newDaclLength += currentDacl->AclSize - sizeof(ACL); newDacl = PhAllocateStack(newDaclLength); if (!newDacl) { status = STATUS_NO_MEMORY; goto CleanupExit; } RtlZeroMemory(newDacl, newDaclLength); status = PhCreateAcl(newDacl, newDaclLength, ACL_REVISION); if (!NT_SUCCESS(status)) goto CleanupExit; // Add the existing DACL entries. if (currentDaclPresent && currentDacl) { for (i = 0; i < currentDacl->AceCount; i++) { if (NT_SUCCESS(PhGetAce(currentDacl, i, ¤tAce))) { if (currentAce->AceType == ACCESS_ALLOWED_ACE_TYPE) { PSID aceSid = (PSID)&((PACCESS_ALLOWED_ACE)currentAce)->SidStart; if (PhEqualSid(aceSid, UserSid)) { if (((PACCESS_ALLOWED_ACE)currentAce)->Mask == DESKTOP_ALL_ACCESS) continue; } } status = PhAddAce( newDacl, ACL_REVISION, ULONG_MAX, currentAce, currentAce->AceSize ); if (!NT_SUCCESS(status)) break; } } } // Allow access for the user. if (NT_SUCCESS(status)) { status = PhAddAccessAllowedAce(newDacl, ACL_REVISION, DESKTOP_ALL_ACCESS, UserSid); } // Set the security descriptor of the new token. if (NT_SUCCESS(status)) { status = PhCreateSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); } if (NT_SUCCESS(status)) { status = PhSetDaclSecurityDescriptor(&newSecurityDescriptor, TRUE, newDacl, FALSE); } if (NT_SUCCESS(status)) { assert(RtlValidSecurityDescriptor(&newSecurityDescriptor)); status = PhSetObjectSecurity(desktopHandle, DACL_SECURITY_INFORMATION, &newSecurityDescriptor); } PhFreeStack(newDacl); } CleanupExit: CloseDesktop(desktopHandle); } else { status = PhGetLastWin32ErrorAsNtStatus(); } return status; } NTSTATUS PhRunAsUpdateWindowStation( _In_opt_ PSID UserSid, _In_opt_ PSID LogonSid ) { NTSTATUS status; HWINSTA wsHandle; if (wsHandle = OpenWindowStation( L"WinSta0", FALSE, READ_CONTROL | WRITE_DAC )) { ULONG i; BOOLEAN currentDaclPresent; BOOLEAN currentDaclDefaulted; PACL currentDacl; PACE_HEADER currentAce; ULONG newDaclLength; PACL newDacl; SECURITY_DESCRIPTOR newSecurityDescriptor; PSECURITY_DESCRIPTOR currentSecurityDescriptor; status = PhGetObjectSecurity( wsHandle, DACL_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (NT_SUCCESS(status)) { if (!NT_SUCCESS(PhGetDaclSecurityDescriptor( currentSecurityDescriptor, ¤tDaclPresent, ¤tDacl, ¤tDaclDefaulted ))) { currentDaclPresent = FALSE; } newDaclLength = (sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) * 3) + (UserSid ? PhLengthSid(UserSid) : 0) + (LogonSid ? PhLengthSid(LogonSid) : 0); if (currentDaclPresent && currentDacl) newDaclLength += currentDacl->AclSize - sizeof(ACL); newDacl = PhAllocate(newDaclLength); PhCreateAcl(newDacl, newDaclLength, ACL_REVISION); // Add the existing DACL entries. if (currentDaclPresent && currentDacl) { for (i = 0; i < currentDacl->AceCount; i++) { if (NT_SUCCESS(PhGetAce(currentDacl, i, ¤tAce))) { if (currentAce->AceType == ACCESS_ALLOWED_ACE_TYPE) { PSID aceSid = (PSID)&((PACCESS_ALLOWED_ACE)currentAce)->SidStart; if (UserSid && PhEqualSid(aceSid, UserSid)) { if (((PACCESS_ALLOWED_ACE)currentAce)->Mask == (WINSTA_ACCESSCLIPBOARD | WINSTA_ACCESSGLOBALATOMS)) continue; } if (LogonSid && PhEqualSid(aceSid, LogonSid)) { if (((PACCESS_ALLOWED_ACE)currentAce)->Mask == WINSTA_ALL_ACCESS) continue; } } status = PhAddAce( newDacl, ACL_REVISION, ULONG_MAX, currentAce, currentAce->AceSize ); if (!NT_SUCCESS(status)) break; } } } if (NT_SUCCESS(status)) { if (UserSid) { PhAddAccessAllowedAce( newDacl, ACL_REVISION, WINSTA_ACCESSCLIPBOARD | WINSTA_ACCESSGLOBALATOMS, UserSid ); //PhAddAccessAllowedAce( // newDacl, // ACL_REVISION, // WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | WINSTA_ACCESSGLOBALATOMS | // WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | WINSTA_READSCREEN | READ_CONTROL, // UserSid // ); } if (UserSid) { PhAddAccessAllowedAceEx( newDacl, ACL_REVISION, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE, GENERIC_ALL, LogonSid ); PhAddAccessAllowedAceEx( newDacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, WINSTA_ALL_ACCESS, LogonSid ); } // Set the security descriptor of the new token. status = PhCreateSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); } if (NT_SUCCESS(status)) { status = PhSetDaclSecurityDescriptor(&newSecurityDescriptor, TRUE, newDacl, FALSE); } if (NT_SUCCESS(status)) { assert(RtlValidSecurityDescriptor(&newSecurityDescriptor)); status = PhSetObjectSecurity(wsHandle, DACL_SECURITY_INFORMATION, &newSecurityDescriptor); } } CloseWindowStation(wsHandle); } else { status = PhGetLastWin32ErrorAsNtStatus(); } return status; } /** * Sets the access control lists of the current window station * and desktop to allow all access. */ //NTSTATUS PhSetDesktopWinStaAccess( // _In_ HWND WindowHandle // ) //{ // HWINSTA wsHandle; // HDESK desktopHandle; // ULONG allocationLength; // PSID allAppPackagesSid = PhSeAnyPackageSid(); // UCHAR securityDescriptorBuffer[SECURITY_DESCRIPTOR_MIN_LENGTH + 0x50]; // PSECURITY_DESCRIPTOR securityDescriptor; // PACL dacl; // // if (!PhStartupParameters.RunAsServiceMode && WindowHandle && PhGetIntegerSetting(SETTING_ENABLE_WARNINGS)) // { // if (PhGetIntegerSetting(SETTING_ENABLE_WARNINGS_RUNAS) && PhShowMessageOneTime( // WindowHandle, // TD_YES_BUTTON | TD_NO_BUTTON, // TD_WARNING_ICON, // L"WARNING: This will grant Everyone access to the current window station and desktop.", // L"Are you sure you want to continue?" // ) == IDNO) // { // PhSetIntegerSetting(SETTING_ENABLE_WARNINGS_RUNAS, 0); // return STATUS_ACCESS_DENIED; // } // } // // // TODO: Set security on the correct window station and desktop. // // // We create a DACL that allows everyone to access everything. // // allocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH + // (ULONG)sizeof(ACL) + // (ULONG)sizeof(ACCESS_ALLOWED_ACE) + // PhLengthSid(&PhSeEveryoneSid) + // (ULONG)sizeof(ACCESS_ALLOWED_ACE) + // PhLengthSid(allAppPackagesSid); // // securityDescriptor = (PSECURITY_DESCRIPTOR)securityDescriptorBuffer; // dacl = PTR_ADD_OFFSET(securityDescriptor, SECURITY_DESCRIPTOR_MIN_LENGTH); // // PhCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION); // PhCreateAcl(dacl, allocationLength - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION); // PhAddAccessAllowedAce(dacl, ACL_REVISION, GENERIC_ALL, &PhSeEveryoneSid); // // if (WindowsVersion >= WINDOWS_8) // { // PhAddAccessAllowedAce(dacl, ACL_REVISION, GENERIC_ALL, allAppPackagesSid); // } // // PhSetDaclSecurityDescriptor(securityDescriptor, TRUE, dacl, FALSE); // // if (wsHandle = OpenWindowStation( // L"WinSta0", // FALSE, // WRITE_DAC // )) // { // PhSetObjectSecurity(wsHandle, DACL_SECURITY_INFORMATION, securityDescriptor); // CloseWindowStation(wsHandle); // } // else // { // return PhGetLastWin32ErrorAsNtStatus(); // } // // if (desktopHandle = OpenDesktop( // L"Default", // 0, // FALSE, // WRITE_DAC | DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS // )) // { // PhSetObjectSecurity(desktopHandle, DACL_SECURITY_INFORMATION, securityDescriptor); // CloseDesktop(desktopHandle); // } // else // { // return PhGetLastWin32ErrorAsNtStatus(); // } // //#ifdef DEBUG // assert(RtlValidSecurityDescriptor(securityDescriptor)); // assert(allocationLength < sizeof(securityDescriptorBuffer)); // assert(RtlLengthSecurityDescriptor(securityDescriptor) < sizeof(securityDescriptorBuffer)); //#endif // // return STATUS_SUCCESS; //} PPH_STRING PhFormatRunAsCommand( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ) { PPH_STRING command; PPH_STRING fileName; PH_FORMAT format[5]; if (!(fileName = PhGetApplicationFileNameWin32())) return NULL; // L"\"%s\" -ras \"%s\"" PhInitFormatS(&format[0], L"\""); PhInitFormatSR(&format[1], fileName->sr); PhInitFormatS(&format[2], L"\" -ras \""); PhInitFormatS(&format[3], Parameters->ServiceName); PhInitFormatS(&format[4], L"\""); command = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(fileName); return command; } /** * Executes the run-as service. * * \param Parameters The run-as parameters. * * \remarks This function requires administrator-level access. */ NTSTATUS PhExecuteRunAsCommand( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ) { NTSTATUS status; PPH_STRING commandLine; SC_HANDLE serviceHandle; PPH_STRING portName; UNICODE_STRING portNameUs; ULONG attempts; if (!(commandLine = PhFormatRunAsCommand(Parameters))) return STATUS_UNSUCCESSFUL; status = PhCreateService( &serviceHandle, Parameters->ServiceName, Parameters->ServiceName, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, PhGetString(commandLine), L"LocalSystem", L"" ); PhDereferenceObject(commandLine); if (!NT_SUCCESS(status)) return status; PhStartService(serviceHandle, 0, NULL); PhDeleteService(serviceHandle); portName = PhConcatStrings2(L"\\BaseNamedObjects\\", Parameters->ServiceName); PhStringRefToUnicodeString(&portName->sr, &portNameUs); attempts = 50; // Try to connect several times because the server may take // a while to initialize. do { status = PhSvcConnectToServer(&portNameUs, 0); if (NT_SUCCESS(status)) break; PhDelayExecution(100); } while (--attempts != 0); PhDereferenceObject(portName); if (NT_SUCCESS(status)) { status = PhSvcCallInvokeRunAsService(Parameters); PhSvcDisconnectFromServer(); } PhCloseServiceHandle(serviceHandle); return status; } /** * Starts a program as another user. * * \param WindowHandle A handle to the parent window. * \param CommandLine The command line of the program to start. * \param UserName The user to start the program as. The username should be specified as: domain\\name. * This parameter can be NULL if \a ProcessIdWithToken is specified. * \param Password The password for the specified user. If there is no password, specify an empty string. * This parameter can be NULL if \a ProcessIdWithToken is specified. * \param LogonType The logon type for the specified user. This * parameter can be 0 if \a ProcessIdWithToken is specified. * \param ProcessIdWithToken The ID of a process from which to duplicate the token. * \param SessionId The ID of the session to run the program under. * \param DesktopName The window station and desktop to run the program under. * \param UseLinkedToken Uses the linked token if possible. * * \retval STATUS_CANCELLED The user cancelled the operation. * * \remarks This function will cause another instance of System Informer to be executed if the current security context * does not have sufficient system access. This is done through a UAC elevation prompt. */ NTSTATUS PhExecuteRunAsCommand2( _In_ HWND WindowHandle, _In_ PCWSTR CommandLine, _In_opt_ PCWSTR UserName, _In_opt_ PCWSTR Password, _In_opt_ ULONG LogonType, _In_opt_ HANDLE ProcessIdWithToken, _In_opt_ ULONG SessionId, _In_opt_ PCWSTR DesktopName, _In_ BOOLEAN UseLinkedToken ) { return PhExecuteRunAsCommand3( WindowHandle, CommandLine, UserName, Password, LogonType, ProcessIdWithToken, SessionId, DesktopName, UseLinkedToken, FALSE, FALSE ); } NTSTATUS PhExecuteRunAsCommand3( _In_ HWND WindowHandle, _In_ PCWSTR CommandLine, _In_opt_ PCWSTR UserName, _In_opt_ PCWSTR Password, _In_opt_ ULONG LogonType, _In_opt_ HANDLE ProcessIdWithToken, _In_opt_ ULONG SessionId, _In_opt_ PCWSTR DesktopName, _In_ BOOLEAN UseLinkedToken, _In_ BOOLEAN CreateSuspendedProcess, _In_ BOOLEAN CreateUIAccessProcess ) { NTSTATUS status = STATUS_SUCCESS; PH_RUNAS_SERVICE_PARAMETERS parameters; WCHAR serviceName[32]; PPH_STRING portName; UNICODE_STRING portNameUs; memset(¶meters, 0, sizeof(PH_RUNAS_SERVICE_PARAMETERS)); parameters.ProcessId = HandleToUlong(ProcessIdWithToken); parameters.UserName = UserName; parameters.Password = Password; parameters.LogonType = LogonType; parameters.SessionId = SessionId; parameters.CommandLine = CommandLine; parameters.DesktopName = DesktopName; parameters.UseLinkedToken = UseLinkedToken; parameters.CreateSuspendedProcess = CreateSuspendedProcess; parameters.WindowHandle = WindowHandle; parameters.CreateUIAccessProcess = CreateUIAccessProcess; // Try to use an existing instance of the service if possible. if (RunAsOldServiceName[0] != UNICODE_NULL) { PhAcquireQueuedLockExclusive(&RunAsOldServiceLock); portName = PhConcatStrings2(L"\\BaseNamedObjects\\", RunAsOldServiceName); if (!PhStringRefToUnicodeString(&portName->sr, &portNameUs)) { PhDereferenceObject(portName); PhReleaseQueuedLockExclusive(&RunAsOldServiceLock); return STATUS_NAME_TOO_LONG; } status = PhSvcConnectToServer(&portNameUs, 0); if (NT_SUCCESS(status)) { parameters.ServiceName = RunAsOldServiceName; status = PhSvcCallInvokeRunAsService(¶meters); PhSvcDisconnectFromServer(); PhDereferenceObject(portName); PhReleaseQueuedLockExclusive(&RunAsOldServiceLock); return status; } PhDereferenceObject(portName); PhReleaseQueuedLockExclusive(&RunAsOldServiceLock); } // An existing instance was not available. Proceed normally. memset(serviceName, 0, sizeof(serviceName)); memcpy(serviceName, L"SystemInformer", 14 * sizeof(WCHAR)); PhGenerateRandomAlphaString(&serviceName[14], ARRAYSIZE(serviceName) - 14); PhAcquireQueuedLockExclusive(&RunAsOldServiceLock); memcpy(RunAsOldServiceName, serviceName, sizeof(serviceName) - sizeof(UNICODE_NULL)); PhReleaseQueuedLockExclusive(&RunAsOldServiceLock); parameters.ServiceName = serviceName; if (PhGetOwnTokenAttributes().Elevated) { status = PhExecuteRunAsCommand(¶meters); } else { if (PhUiConnectToPhSvc(WindowHandle, FALSE)) { status = PhSvcCallExecuteRunAsCommand(¶meters); PhUiDisconnectFromPhSvc(); } else { status = STATUS_CANCELLED; } } return status; } VOID PhpSplitUserName( _In_ PCWSTR UserName, _Out_opt_ PPH_STRING *DomainPart, _Out_opt_ PPH_STRING *UserPart ) { PH_STRINGREF userName; PH_STRINGREF domainPart; PH_STRINGREF userPart; PhInitializeStringRefLongHint(&userName, UserName); if (PhSplitStringRefAtChar(&userName, OBJ_NAME_PATH_SEPARATOR, &domainPart, &userPart)) { if (DomainPart) *DomainPart = PhCreateString2(&domainPart); if (UserPart) *UserPart = PhCreateString2(&userPart); } else { if (DomainPart) *DomainPart = NULL; if (UserPart) *UserPart = PhCreateString2(&userName); } } static VOID SetRunAsServiceStatus( _In_ ULONG State ) { SERVICE_STATUS status; memset(&status, 0, sizeof(SERVICE_STATUS)); status.dwServiceType = SERVICE_WIN32_OWN_PROCESS; status.dwCurrentState = State; status.dwControlsAccepted = SERVICE_ACCEPT_STOP; SetServiceStatus(RunAsServiceStatusHandle, &status); } static ULONG WINAPI RunAsServiceHandlerEx( _In_ ULONG dwControl, _In_ ULONG dwEventType, _In_ PVOID lpEventData, _In_ PVOID lpContext ) { switch (dwControl) { case SERVICE_CONTROL_STOP: PhSvcStop(&RunAsServiceStop); return NO_ERROR; case SERVICE_CONTROL_INTERROGATE: return NO_ERROR; } return ERROR_CALL_NOT_IMPLEMENTED; } static VOID WINAPI RunAsServiceMain( _In_ ULONG dwArgc, _In_ PWSTR *lpszArgv ) { PPH_STRING portName; memset(&RunAsServiceStop, 0, sizeof(RunAsServiceStop)); RunAsServiceStatusHandle = RegisterServiceCtrlHandlerEx(RunAsServiceName->Buffer, RunAsServiceHandlerEx, NULL); SetRunAsServiceStatus(SERVICE_RUNNING); portName = PhConcatStrings2( L"\\BaseNamedObjects\\", RunAsServiceName->Buffer ); PhSvcMain(portName, &RunAsServiceStop); SetRunAsServiceStatus(SERVICE_STOPPED); } NTSTATUS PhRunAsServiceStart( _In_ PPH_STRING ServiceName ) { const SERVICE_TABLE_ENTRY serviceDispatchTable[] = { { PhGetString(ServiceName), RunAsServiceMain }, { NULL, NULL } }; HANDLE tokenHandle; // Enable some required privileges. if (NT_SUCCESS(PhOpenProcessToken( NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tokenHandle ))) { const LUID_AND_ATTRIBUTES privileges[] = { { RtlConvertUlongToLuid(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_INCREASE_QUOTA_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_BACKUP_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_RESTORE_PRIVILEGE), SE_PRIVILEGE_ENABLED }, { RtlConvertUlongToLuid(SE_IMPERSONATE_PRIVILEGE), SE_PRIVILEGE_ENABLED }, }; UCHAR privilegesBuffer[FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) + sizeof(privileges)]; PTOKEN_PRIVILEGES tokenPrivileges; tokenPrivileges = (PTOKEN_PRIVILEGES)privilegesBuffer; tokenPrivileges->PrivilegeCount = RTL_NUMBER_OF(privileges); memcpy(tokenPrivileges->Privileges, privileges, sizeof(privileges)); NtAdjustPrivilegesToken( tokenHandle, FALSE, tokenPrivileges, 0, NULL, NULL ); NtClose(tokenHandle); } RunAsServiceName = ServiceName; StartServiceCtrlDispatcher(serviceDispatchTable); return STATUS_SUCCESS; } NTSTATUS PhInvokeRunAsService( _In_ PPH_RUNAS_SERVICE_PARAMETERS Parameters ) { NTSTATUS status; PPH_STRING domainName; PPH_STRING userName; PH_CREATE_PROCESS_AS_USER_INFO createInfo; HANDLE newProcessHandle = NULL; ULONG flags; //status = PhSetDesktopWinStaAccess(Parameters->WindowHandle); //if (!NT_SUCCESS(status)) // return status; if (Parameters->UserName) { PhpSplitUserName(Parameters->UserName, &domainName, &userName); } else { domainName = NULL; userName = NULL; } memset(&createInfo, 0, sizeof(PH_CREATE_PROCESS_AS_USER_INFO)); createInfo.ApplicationName = Parameters->FileName; createInfo.CommandLine = Parameters->CommandLine; createInfo.CurrentDirectory = Parameters->CurrentDirectory; createInfo.DomainName = PhGetString(domainName); createInfo.UserName = PhGetString(userName); createInfo.Password = Parameters->Password; createInfo.LogonType = Parameters->LogonType; createInfo.SessionId = Parameters->SessionId; createInfo.DesktopName = Parameters->DesktopName; flags = PH_CREATE_PROCESS_SET_SESSION_ID | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE; if (Parameters->ProcessId) { createInfo.ProcessIdWithToken = UlongToHandle(Parameters->ProcessId); flags |= PH_CREATE_PROCESS_USE_PROCESS_TOKEN; } if (Parameters->UseLinkedToken) flags |= PH_CREATE_PROCESS_USE_LINKED_TOKEN; //if (Parameters->CreateSuspendedProcess) // flags |= PH_CREATE_PROCESS_SUSPENDED; if (Parameters->CreateUIAccessProcess) flags |= PH_CREATE_PROCESS_SET_UIACCESS; status = PhCreateProcessAsUser( &createInfo, flags | PH_CREATE_PROCESS_SUSPENDED, NULL, NULL, &newProcessHandle, NULL ); if (NT_SUCCESS(status)) { PROCESS_BASIC_INFORMATION basicInfo; PSID userSid, logonSid; if (PhRunAsGetLogonSid(newProcessHandle, &userSid, &logonSid)) { status = PhRunAsUpdateDesktop(userSid); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhRunAsUpdateWindowStation(userSid, logonSid); if (!NT_SUCCESS(status)) goto CleanupExit; } if (!Parameters->CreateSuspendedProcess) { status = PhGetProcessBasicInformation(newProcessHandle, &basicInfo); if (NT_SUCCESS(status)) { AllowSetForegroundWindow(HandleToUlong(basicInfo.UniqueProcessId)); } PhConsoleSetForeground(newProcessHandle, TRUE); PhResumeProcess(newProcessHandle); } } CleanupExit: if (newProcessHandle) NtClose(newProcessHandle); if (domainName) PhDereferenceObject(domainName); if (userName) PhDereferenceObject(userName); return status; } typedef struct _PHP_RUNFILEDLG { HWND WindowHandle; HWND ComboBoxHandle; HWND RunAsCheckboxHandle; HWND RunAsInstallerCheckboxHandle; HIMAGELIST ImageListHandle; BOOLEAN RunAsInstallerCheckboxDisabled; LONG WindowDpi; } PHP_RUNFILEDLG, *PPHP_RUNFILEDLG; PPH_STRING PhpQueryRunFileParentDirectory( _In_ BOOLEAN Elevated ) { // Note: Explorer creates new processes with the parent directory as SystemRoot when elevated or // the below environment variables when not elevated. (dmex) if (!Elevated) { static CONST PH_STRINGREF homeDriveNameSr = PH_STRINGREF_INIT(L"HOMEDRIVE"); static CONST PH_STRINGREF homePathNameSr = PH_STRINGREF_INIT(L"HOMEPATH"); PPH_STRING parentDirectoryString = NULL; PPH_STRING homeDriveNameString = NULL; PPH_STRING homePathNameString = NULL; PhQueryEnvironmentVariable(NULL, &homeDriveNameSr, &homeDriveNameString); PhQueryEnvironmentVariable(NULL, &homePathNameSr, &homePathNameString); if (homeDriveNameString && homePathNameString) { parentDirectoryString = PhConcatStringRef2( &homeDriveNameString->sr, &homePathNameString->sr ); } if (homeDriveNameString) PhDereferenceObject(homeDriveNameString); if (homePathNameString) PhDereferenceObject(homePathNameString); return parentDirectoryString; } else { return PhGetSystemDirectory(); } } BOOLEAN PhRunAsExecuteCommandPrompt( _In_ HWND WindowHandle ) { NTSTATUS status; BOOLEAN elevated; PPH_STRING commandFileName; PPH_STRING commandDirectory; elevated = !!PhGetOwnTokenAttributes().Elevated; commandFileName = PhGetSystemDirectoryWin32Z(L"\\cmd.exe"); commandDirectory = PhpQueryRunFileParentDirectory(elevated); status = PhShellExecuteEx( WindowHandle, PhGetString(commandFileName), NULL, PhGetString(commandDirectory), SW_SHOW, PH_SHELL_EXECUTE_DEFAULT, 0, NULL ); PhClearReference(&commandDirectory); PhClearReference(&commandFileName); return NT_SUCCESS(status); } NTSTATUS PhRunAsShellExecute( _In_ HWND WindowHandle, _In_ PWSTR FileName, _In_opt_ PWSTR Parameters, _In_ BOOLEAN Elevated ) { NTSTATUS status; PPH_STRING parentDirectory; parentDirectory = PhpQueryRunFileParentDirectory(Elevated); status = PhShellExecuteEx( WindowHandle, FileName, Parameters, PhGetString(parentDirectory), SW_SHOW, Elevated ? PH_SHELL_EXECUTE_ADMIN : PH_SHELL_EXECUTE_DEFAULT, 0, NULL ); PhClearReference(&parentDirectory); return status; } BOOLEAN PhpRunFileAsInteractiveUser( _In_ PPHP_RUNFILEDLG Context, _In_ PPH_STRING Command ) { BOOLEAN success = FALSE; PPH_STRING executeString = NULL; PPH_STRING fileName = NULL; PPH_STRING fileArgs = NULL; PPH_LIST cmdlineArgList; // Extract the filename. if (cmdlineArgList = PhCommandLineToList(Command->Buffer)) { fileName = PhReferenceObject(cmdlineArgList->Items[0]); if (cmdlineArgList->Count == 2) { fileArgs = PhReferenceObject(cmdlineArgList->Items[1]); } PhDereferenceObjects(cmdlineArgList->Items, cmdlineArgList->Count); PhDereferenceObject(cmdlineArgList); } if (fileName && !PhDoesFileExistWin32(PhGetString(fileName))) { PPH_STRING filePathString; // The user typed a name without a path so attempt to locate the executable. if (filePathString = PhSearchFilePath(PhGetString(fileName), L".exe")) PhMoveReference(&fileName, filePathString); else PhClearReference(&fileName); } if (fileName) { static CONST PH_STRINGREF separator = PH_STRINGREF_INIT(L"\""); static CONST PH_STRINGREF space = PH_STRINGREF_INIT(L" "); // Escape the filename. PhMoveReference(&fileName, PhConcatStringRef3(&separator, &fileName->sr, &separator)); if (fileArgs) { // Escape the parameters. PhMoveReference(&fileArgs, PhConcatStringRef3(&separator, &fileArgs->sr, &separator)); // Create the escaped execute string. executeString = PhConcatStringRef3(&fileName->sr, &space, &fileArgs->sr); // Cleanup. PhClearReference(&fileArgs); } else { executeString = fileName; } } if (!PhIsNullOrEmptyString(executeString)) { PPH_STRING parentDirectory = PhpQueryRunFileParentDirectory(FALSE); if (PhCreateProcessAsInteractiveUser(PhGetString(executeString), PhGetString(parentDirectory)) == S_OK) { success = TRUE; } PhClearReference(&parentDirectory); } PhClearReference(&executeString); return success; } NTSTATUS PhpRunFileProgram( _In_ PPHP_RUNFILEDLG Context, _In_ PPH_STRING Command ) { NTSTATUS status; PPH_STRING commandString = NULL; PPH_STRING fullFileName = NULL; PPH_STRING argumentsString = NULL; PH_STRINGREF fileName; PH_STRINGREF arguments; FILE_BASIC_INFORMATION basicInfo; BOOLEAN isDirectory = FALSE; if (PhIsNullOrEmptyString(Command)) return STATUS_UNSUCCESSFUL; if (!(commandString = PhExpandEnvironmentStrings(&Command->sr))) commandString = PhCreateString2(&Command->sr); PhParseCommandLineFuzzy(&commandString->sr, &fileName, &arguments, &fullFileName); if (PhIsNullOrEmptyString(fullFileName)) PhMoveReference(&fullFileName, PhCreateString2(&fileName)); if (PhIsNullOrEmptyString(fullFileName)) { if (fullFileName) PhDereferenceObject(fullFileName); return STATUS_UNSUCCESSFUL; } if (arguments.Length) { argumentsString = PhCreateString2(&arguments); } if (NT_SUCCESS(PhQueryAttributesFileWin32(PhGetString(fullFileName), &basicInfo))) { isDirectory = !!FlagOn(basicInfo.FileAttributes, FILE_ATTRIBUTE_DIRECTORY); } if (isDirectory || !PhDoesFileExistWin32(PhGetString(fullFileName))) { status = PhRunAsShellExecute( Context->WindowHandle, PhGetString(commandString), NULL, FALSE ); } else if (Button_GetCheck(Context->RunAsCheckboxHandle) == BST_CHECKED || // The Windows run dialog executes programs with elevation when // holding the ctrl + shift keys and selecting the OK button. (dmex) (!!(GetKeyState(VK_CONTROL) < 0 && !!(GetKeyState(VK_SHIFT) < 0)))) { status = PhRunAsShellExecute( Context->WindowHandle, PhGetString(fullFileName), PhGetString(argumentsString), TRUE ); } else { status = PhRunAsShellExecute( Context->WindowHandle, PhGetString(fullFileName), PhGetString(argumentsString), FALSE ); if (status == STATUS_ELEVATION_REQUIRED) { status = PhRunAsShellExecute( Context->WindowHandle, PhGetString(fullFileName), PhGetString(argumentsString), TRUE ); } } if (fullFileName) PhDereferenceObject(fullFileName); if (argumentsString) PhDereferenceObject(argumentsString); if (commandString) PhDereferenceObject(commandString); return status; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS RunAsCreateProcessThread( _In_ PVOID Parameter ) { PPH_STRING command = Parameter; NTSTATUS status; PPROC_THREAD_ATTRIBUTE_LIST attributeList = NULL; SERVICE_STATUS_PROCESS serviceStatus = { 0 }; SC_HANDLE serviceHandle = NULL; HANDLE processHandle = NULL; HANDLE newProcessHandle; STARTUPINFOEX startupInfo; PPH_STRING commandLine = NULL; PPH_STRING filePathString; if (filePathString = PhSearchFilePath(command->Buffer, L".exe")) PhMoveReference(&commandLine, filePathString); else PhSetReference(&commandLine, command); if (!NT_SUCCESS(status = PhOpenService(&serviceHandle, SERVICE_QUERY_STATUS | SERVICE_START, L"TrustedInstaller"))) goto CleanupExit; if (!NT_SUCCESS(status = PhQueryServiceStatus(serviceHandle, &serviceStatus))) goto CleanupExit; if (serviceStatus.dwCurrentState == SERVICE_RUNNING) { status = STATUS_SUCCESS; } else { ULONG attempts = 10; PhStartService(serviceHandle, 0, NULL); do { status = PhQueryServiceStatus(serviceHandle, &serviceStatus); if (NT_SUCCESS(status)) { if (serviceStatus.dwCurrentState == SERVICE_RUNNING) { status = STATUS_SUCCESS; break; } } PhDelayExecution(1000); } while (--attempts != 0); } if (!NT_SUCCESS(status)) { status = STATUS_SERVICES_FAILED_AUTOSTART; goto CleanupExit; } if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_CREATE_PROCESS, UlongToHandle(serviceStatus.dwProcessId)))) goto CleanupExit; if (!NT_SUCCESS(status = PhInitializeProcThreadAttributeList(&attributeList, 1))) goto CleanupExit; status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &processHandle, sizeof(HANDLE) ); if (!NT_SUCCESS(status)) goto CleanupExit; memset(&startupInfo, 0, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfo.StartupInfo.dwFlags = STARTF_USESHOWWINDOW; startupInfo.StartupInfo.wShowWindow = SW_SHOWNORMAL; startupInfo.lpAttributeList = attributeList; status = PhCreateProcessWin32Ex( NULL, PhGetString(commandLine), NULL, NULL, &startupInfo, PH_CREATE_PROCESS_NEW_CONSOLE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE, NULL, NULL, &newProcessHandle, NULL ); if (NT_SUCCESS(status)) { PROCESS_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhGetProcessBasicInformation(newProcessHandle, &basicInfo))) { AllowSetForegroundWindow(HandleToUlong(basicInfo.UniqueProcessId)); } PhConsoleSetForeground(newProcessHandle, TRUE); NtClose(newProcessHandle); } CleanupExit: if (processHandle) NtClose(processHandle); if (serviceHandle) PhCloseServiceHandle(serviceHandle); if (attributeList) { PhDeleteProcThreadAttributeList(attributeList); } if (commandLine) { PhDereferenceObject(commandLine); } if (command) { PhDereferenceObject(command); } return status; } static VOID PhpRunFileSetImageList( _Inout_ PPHP_RUNFILEDLG Context ) { if (Context->ImageListHandle) { PhImageListDestroy(Context->ImageListHandle); Context->ImageListHandle = NULL; } Context->ImageListHandle = PhImageListCreate( PhGetSystemMetrics(SM_CXSMICON, Context->WindowDpi), PhGetSystemMetrics(SM_CYSMICON, Context->WindowDpi), ILC_MASK | ILC_COLOR32, 1, 1 ); if (Context->ImageListHandle) { HBITMAP shieldBitmap; if (shieldBitmap = PhGetShieldBitmap(Context->WindowDpi, PhSmallIconSize.X, PhSmallIconSize.Y)) { PhImageListAddBitmap(Context->ImageListHandle, shieldBitmap, NULL); DeleteBitmap(shieldBitmap); } } } INT_PTR CALLBACK PhpRunFileWndProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_RUNFILEDLG context = NULL; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PHP_RUNFILEDLG)); PhSetDialogContext(hwndDlg, context); } else { context = PhGetDialogContext(hwndDlg); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->ComboBoxHandle = GetDlgItem(hwndDlg, IDC_PROGRAMCOMBO); context->RunAsCheckboxHandle = GetDlgItem(hwndDlg, IDC_TOGGLEELEVATION); context->RunAsInstallerCheckboxHandle = GetDlgItem(hwndDlg, IDC_TRUSTEDINSTALLER); context->WindowDpi = PhGetWindowDpi(hwndDlg); PhSetApplicationWindowIconEx(hwndDlg, context->WindowDpi); PhSetStaticWindowIcon(GetDlgItem(hwndDlg, IDC_FILEICON), context->WindowDpi); PhpAddProgramsToComboBox(context->ComboBoxHandle); ComboBox_SetCurSel(context->ComboBoxHandle, 0); if (PhGetIntegerSetting(SETTING_RUN_AS_ENABLE_AUTO_COMPLETE)) { COMBOBOXINFO info = { sizeof(COMBOBOXINFO) }; if (SendMessage(context->ComboBoxHandle, CB_GETCOMBOBOXINFO, 0, (LPARAM)& info)) { if (SHAutoComplete_Import() && info.hwndItem) SHAutoComplete_Import()(info.hwndItem, SHACF_DEFAULT); } } Button_SetCheck(context->RunAsCheckboxHandle, PhGetIntegerSetting(SETTING_RUN_FILE_DLG_STATE) ? TRUE : FALSE); if (!PhGetOwnTokenAttributes().Elevated) { Button_Enable(context->RunAsInstallerCheckboxHandle, FALSE); context->RunAsInstallerCheckboxDisabled = TRUE; PhpRunFileSetImageList(context); } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveDialogContext(hwndDlg); PhSetIntegerSetting(SETTING_RUN_FILE_DLG_STATE, Button_GetCheck(context->RunAsCheckboxHandle) == BST_CHECKED); PhImageListDestroy(context->ImageListHandle); PhDestroyWindowIcon(hwndDlg); PhDeleteStaticWindowIcon(GetDlgItem(hwndDlg, IDC_FILEICON)); PhFree(context); } break; case WM_DPICHANGED: { context->WindowDpi = PhGetWindowDpi(hwndDlg); PhSetApplicationWindowIconEx(hwndDlg, context->WindowDpi); PhSetStaticWindowIcon(GetDlgItem(hwndDlg, IDC_FILEICON), context->WindowDpi); PhpRunFileSetImageList(context); } break; case WM_CTLCOLORSTATIC: { HDC hdc = (HDC)wParam; if (PhEnableThemeSupport) break; SetBkMode(hdc, TRANSPARENT); return (INT_PTR)PhGetStockBrush(WHITE_BRUSH); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { NTSTATUS status; PPH_STRING commandString; if (commandString = PhGetWindowText(context->ComboBoxHandle)) { if (Button_GetCheck(context->RunAsInstallerCheckboxHandle) == BST_CHECKED) { PhReferenceObject(commandString); status = PhCreateThread2(RunAsCreateProcessThread, commandString); } else { status = PhpRunFileProgram(context, commandString); } if (NT_SUCCESS(status)) { PhRecentListAddCommand(&commandString->sr); EndDialog(hwndDlg, IDOK); } else { if (!(NT_NTWIN32(status) && WIN32_FROM_NTSTATUS(status) == ERROR_CANCELLED)) { PhShowStatus(hwndDlg, L"Unable to execute the command.", status, 0); } } PhDereferenceObject(commandString); } } break; case IDC_BROWSE: { PH_FILETYPE_FILTER filters[] = { { L"Executable files (*.exe;*.pif;*.com;*.bat;*.cmd)", L"*.exe;*.pif;*.com;*.bat;*.cmd" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog = PhCreateOpenFileDialog(); PhSetFileDialogFilter(fileDialog, filters, RTL_NUMBER_OF(filters)); if (PhShowFileDialog(hwndDlg, fileDialog)) { PPH_STRING fileName; if (fileName = PhGetFileDialogFileName(fileDialog)) { ComboBox_SetText(context->ComboBoxHandle, PhGetString(fileName)); PhDereferenceObject(fileName); } } PhFreeFileDialog(fileDialog); } break; case IDC_TRUSTEDINSTALLER: { EnableWindow(context->RunAsCheckboxHandle, Button_GetCheck(context->RunAsInstallerCheckboxHandle) == BST_UNCHECKED); } break; } } break; case WM_ERASEBKGND: { HDC hdc = (HDC)wParam; RECT clientRect; if (!PhGetClientRect(hwndDlg, &clientRect)) break; SetBkMode(hdc, TRANSPARENT); clientRect.bottom -= PhGetDpi(60, context->WindowDpi); FillRect(hdc, &clientRect, PhEnableThemeSupport ? PhThemeWindowBackgroundBrush : (HBRUSH)(COLOR_WINDOW + 1)); clientRect.top = clientRect.bottom; clientRect.bottom = clientRect.top + PhGetDpi(60, context->WindowDpi); FillRect(hdc, &clientRect, PhEnableThemeSupport ? PhThemeWindowBackgroundBrush : (HBRUSH)(COLOR_3DFACE + 1)); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, TRUE); } return TRUE; case WM_NOTIFY: { LPNMHDR data = (LPNMHDR)lParam; if (data->hwndFrom != context->RunAsInstallerCheckboxHandle || !context->RunAsInstallerCheckboxDisabled) break; switch (data->code) { case NM_CUSTOMDRAW: { LPNMCUSTOMDRAW customDraw = (LPNMCUSTOMDRAW)lParam; WCHAR className[MAX_PATH]; if (!GetClassName(customDraw->hdr.hwndFrom, className, RTL_NUMBER_OF(className))) className[0] = UNICODE_NULL; if (PhEqualStringZ(className, L"Button", FALSE)) { ULONG buttonStyle = PhGetWindowStyle(customDraw->hdr.hwndFrom); if (FlagOn(buttonStyle, BS_CHECKBOX) == BS_CHECKBOX) { switch (customDraw->dwDrawStage) { case CDDS_PREPAINT: { PPH_STRING buttonText; LONG width; SetTextColor(customDraw->hdc, RGB(0, 0, 0)); SetDCBrushColor(customDraw->hdc, RGB(0xff, 0xff, 0xff)); FillRect(customDraw->hdc, &customDraw->rc, PhGetStockBrush(DC_BRUSH)); if (buttonText = PhGetWindowText(customDraw->hdr.hwndFrom)) { width = PhGetSystemMetrics(SM_CXSMICON, context->WindowDpi); customDraw->rc.left += width; DrawText( customDraw->hdc, buttonText->Buffer, (UINT)buttonText->Length / sizeof(WCHAR), &customDraw->rc, DT_LEFT | DT_SINGLELINE | DT_VCENTER | DT_HIDEPREFIX ); customDraw->rc.left -= width; PhDereferenceObject(buttonText); } PhImageListDrawIcon( context->ImageListHandle, 0, customDraw->hdc, customDraw->rc.left, customDraw->rc.top + 1, // offset ILD_TRANSPARENT, FALSE ); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, CDRF_SKIPDEFAULT); return TRUE; } break; } SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, CDRF_DODEFAULT); return TRUE; } } } break; } } break; } return FALSE; } typedef struct _PH_RUNAS_PACKAGE_CONTEXT { HWND WindowHandle; HWND ParentWindowHandle; HWND ComboBoxHandle; HWND SearchBoxHandle; HWND TreeNewHandle; HIMAGELIST ImageListHandle; LONG WindowDpi; PH_LAYOUT_MANAGER LayoutManager; PH_TN_FILTER_SUPPORT TreeFilterSupport; PPH_TN_FILTER_ENTRY TreeFilterEntry; ULONG_PTR SearchMatchHandle; HFONT NormalFontHandle; HFONT TitleFontHandle; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; } PH_RUNAS_PACKAGE_CONTEXT, *PPH_RUNAS_PACKAGE_CONTEXT; typedef enum _PH_RUNASPACKAGE_TREE_COLUMN_ITEM { PH_RUNASPACKAGE_TREE_COLUMN_ITEM_NAME, PH_RUNASPACKAGE_TREE_COLUMN_ITEM_APPID, PH_RUNASPACKAGE_TREE_COLUMN_ITEM_MAXIMUM } PH_RUNASPACKAGE_TREE_COLUMN_ITEM; typedef struct _PH_RUNASPACKAGE_TREE_ROOT_NODE { PH_TREENEW_NODE Node; PPH_STRING AppUserModelId; PPH_STRING DisplayName; PPH_STRING PackageInstallPath; PPH_STRING PackageFullName; PPH_STRING SmallLogoPath; INT IconIndex; PH_STRINGREF TextCache[PH_RUNASPACKAGE_TREE_COLUMN_ITEM_MAXIMUM]; } PH_RUNASPACKAGE_TREE_ROOT_NODE, *PPH_RUNASPACKAGE_TREE_ROOT_NODE; #pragma region RunAsPackage TreeList #define SORT_FUNCTION(Column) PhRunAsPackageTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhRunAsPackageTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_RUNASPACKAGE_TREE_ROOT_NODE node1 = *(PPH_RUNASPACKAGE_TREE_ROOT_NODE*)_elem1; \ PPH_RUNASPACKAGE_TREE_ROOT_NODE node2 = *(PPH_RUNASPACKAGE_TREE_ROOT_NODE*)_elem2; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Node.Index, (ULONG_PTR)node2->Node.Index); \ \ return PhModifySort(sortResult, ((PPH_RUNAS_PACKAGE_CONTEXT)_context)->TreeNewSortOrder); \ } BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNull(node1->DisplayName, node2->DisplayName, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Version) { sortResult = PhCompareStringWithNull(node1->AppUserModelId, node2->AppUserModelId, TRUE); } END_SORT_FUNCTION _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhRunAsPackageNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_RUNASPACKAGE_TREE_ROOT_NODE node1 = *(PPH_RUNASPACKAGE_TREE_ROOT_NODE*)Entry1; PPH_RUNASPACKAGE_TREE_ROOT_NODE node2 = *(PPH_RUNASPACKAGE_TREE_ROOT_NODE*)Entry2; return PhEqualString(node1->AppUserModelId, node2->AppUserModelId, TRUE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhRunAsPackageNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashStringRef(&(*(PPH_RUNASPACKAGE_TREE_ROOT_NODE*)Entry)->AppUserModelId->sr, TRUE); } VOID PhRunAsPackageDestroyNode( _In_ PPH_RUNASPACKAGE_TREE_ROOT_NODE Node ) { PhClearReference(&Node->AppUserModelId); PhClearReference(&Node->DisplayName); PhClearReference(&Node->PackageInstallPath); PhClearReference(&Node->PackageFullName); PhClearReference(&Node->SmallLogoPath); PhFree(Node); } PPH_RUNASPACKAGE_TREE_ROOT_NODE PhRunAsPackageAddNode( _Inout_ PPH_RUNAS_PACKAGE_CONTEXT Context, _In_ PPH_APPUSERMODELID_ENUM_ENTRY Package ) { PPH_RUNASPACKAGE_TREE_ROOT_NODE node; node = PhAllocate(sizeof(PH_RUNASPACKAGE_TREE_ROOT_NODE)); memset(node, 0, sizeof(PH_RUNASPACKAGE_TREE_ROOT_NODE)); PhInitializeTreeNewNode(&node->Node); memset(node->TextCache, 0, sizeof(PH_STRINGREF) * PH_RUNASPACKAGE_TREE_COLUMN_ITEM_MAXIMUM); node->Node.TextCache = node->TextCache; node->Node.TextCacheSize = PH_RUNASPACKAGE_TREE_COLUMN_ITEM_MAXIMUM; PhSetReference(&node->AppUserModelId, Package->AppUserModelId); PhSetReference(&node->DisplayName, Package->PackageDisplayName); PhSetReference(&node->PackageInstallPath, Package->PackageInstallPath); PhSetReference(&node->PackageFullName, Package->PackageFullName); PhSetReference(&node->SmallLogoPath, Package->SmallLogoPath); if (Package->SmallLogoPath && PhDoesFileExistWin32(Package->SmallLogoPath->Buffer)) { HICON iconHandle = NULL; HBITMAP bitmap; LONG width; LONG height; width = PhGetSystemMetrics(SM_CXICON, Context->WindowDpi); height = PhGetSystemMetrics(SM_CYICON, Context->WindowDpi); if (bitmap = PhLoadImageFromFile(Package->SmallLogoPath->Buffer, width, height)) { iconHandle = PhGdiplusConvertBitmapToIcon(bitmap, width, height, RGB(0, 0, 0)); DeleteBitmap(bitmap); } if (iconHandle) { node->IconIndex = PhImageListAddIcon(Context->ImageListHandle, iconHandle); DestroyIcon(iconHandle); } } PhAddEntryHashtable(Context->NodeHashtable, &node); PhAddItemList(Context->NodeList, node); if (Context->TreeFilterSupport.FilterList) node->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->TreeFilterSupport, &node->Node); TreeNew_NodesStructured(Context->TreeNewHandle); return node; } PPH_RUNASPACKAGE_TREE_ROOT_NODE PhRunAsPackageFindNode( _In_ PPH_RUNAS_PACKAGE_CONTEXT Context, _In_ PPH_STRING AppUserModelId ) { PH_RUNASPACKAGE_TREE_ROOT_NODE lookupNode; PPH_RUNASPACKAGE_TREE_ROOT_NODE lookupNodePtr = &lookupNode; PPH_RUNASPACKAGE_TREE_ROOT_NODE *node; lookupNode.AppUserModelId = AppUserModelId; node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE*)PhFindEntryHashtable( Context->NodeHashtable, &lookupNodePtr ); if (node) return *node; else return NULL; } VOID PhRunAsPackageRemoveNode( _In_ PPH_RUNAS_PACKAGE_CONTEXT Context, _In_ PPH_RUNASPACKAGE_TREE_ROOT_NODE Node ) { ULONG index = 0; PhRemoveEntryHashtable(Context->NodeHashtable, &Node); if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) { PhRemoveItemList(Context->NodeList, index); } PhRunAsPackageDestroyNode(Node); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhRunAsPackageUpdateNode( _In_ PPH_RUNAS_PACKAGE_CONTEXT Context, _In_ PPH_RUNASPACKAGE_TREE_ROOT_NODE Node ) { memset(Node->TextCache, 0, sizeof(PH_STRINGREF) * PH_RUNASPACKAGE_TREE_COLUMN_ITEM_MAXIMUM); PhInvalidateTreeNewNode(&Node->Node, TN_CACHE_COLOR); TreeNew_NodesStructured(Context->TreeNewHandle); } BOOLEAN NTAPI PhRunAsPackageTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_RUNAS_PACKAGE_CONTEXT context = Context; PPH_RUNASPACKAGE_TREE_ROOT_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Name), SORT_FUNCTION(Version) }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PH_RUNASPACKAGE_TREE_COLUMN_ITEM_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < PH_RUNASPACKAGE_TREE_COLUMN_ITEM_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = (PPH_TREENEW_IS_LEAF)Parameter1; node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE)getCellText->Node; switch (getCellText->Id) { case PH_RUNASPACKAGE_TREE_COLUMN_ITEM_NAME: getCellText->Text = PhGetStringRef(node->DisplayName); break; case PH_RUNASPACKAGE_TREE_COLUMN_ITEM_APPID: getCellText->Text = PhGetStringRef(node->AppUserModelId); break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE)getNodeColor->Node; getNodeColor->Flags = TN_CACHE | TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->WindowHandle, WM_COMMAND, ID_OBJECT_COPY, 0); break; case VK_DELETE: SendMessage(context->WindowHandle, WM_COMMAND, ID_OBJECT_CLOSE, 0); break; } } return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; RECT rect; rect = customDraw->CellRect; node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE)customDraw->Node; switch (customDraw->Column->Id) { case PH_RUNASPACKAGE_TREE_COLUMN_ITEM_NAME: { PH_STRINGREF text; SIZE nameSize; SIZE textSize; LONG dpiValue; dpiValue = PhGetWindowDpi(WindowHandle); rect.left += PhGetDpi(15, dpiValue); rect.top += PhGetDpi(5, dpiValue); rect.right -= PhGetDpi(5, dpiValue); rect.bottom -= PhGetDpi(8, dpiValue); rect.left += 32; // top if (PhEnableThemeSupport) SetTextColor(customDraw->Dc, GetSysColor(COLOR_HIGHLIGHTTEXT)); else SetTextColor(customDraw->Dc, RGB(0x0, 0x0, 0x0)); SelectFont(customDraw->Dc, context->TitleFontHandle); text = PhIsNullOrEmptyString(node->DisplayName) ? PhGetStringRef(node->AppUserModelId) : PhGetStringRef(node->DisplayName); GetTextExtentPoint32(customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &nameSize); DrawText(customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &rect, DT_TOP | DT_LEFT | DT_END_ELLIPSIS | DT_SINGLELINE); // bottom if (PhEnableThemeSupport) SetTextColor(customDraw->Dc, RGB(0x90, 0x90, 0x90)); else SetTextColor(customDraw->Dc, RGB(0x64, 0x64, 0x64)); SelectFont(customDraw->Dc, context->NormalFontHandle); text = PhGetStringRef(node->AppUserModelId); GetTextExtentPoint32(customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &textSize); DrawText( customDraw->Dc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &rect, DT_BOTTOM | DT_LEFT | DT_END_ELLIPSIS | DT_SINGLELINE ); if (context->ImageListHandle) { LONG width; LONG height; width = PhGetSystemMetrics(SM_CXICON, context->WindowDpi); height = PhGetSystemMetrics(SM_CYICON, context->WindowDpi); PhImageListDrawEx( context->ImageListHandle, (ULONG)(ULONG_PTR)node->IconIndex, customDraw->Dc, customDraw->CellRect.left + 5,//((customDraw->CellRect.right - customDraw->CellRect.left) - width) / 2, customDraw->CellRect.top + ((customDraw->CellRect.bottom - customDraw->CellRect.top) - height) / 2, width, height, CLR_DEFAULT, CLR_NONE, ILD_TRANSPARENT, ILS_NORMAL ); } } break; } } return TRUE; } return FALSE; } VOID PhRunAsPackageClearTree( _In_ PPH_RUNAS_PACKAGE_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) PhRunAsPackageDestroyNode(Context->NodeList->Items[i]); PhClearHashtable(Context->NodeHashtable); PhClearList(Context->NodeList); TreeNew_NodesStructured(Context->TreeNewHandle); } PPH_RUNASPACKAGE_TREE_ROOT_NODE PhRunAsPackageGetSelectedNode( _In_ PPH_RUNAS_PACKAGE_CONTEXT Context ) { PPH_RUNASPACKAGE_TREE_ROOT_NODE node = NULL; for (ULONG i = 0; i < Context->NodeList->Count; i++) { node = Context->NodeList->Items[i]; if (node->Node.Selected) return node; } return NULL; } _Success_(return) BOOLEAN PhRunAsPackageGetSelectedNodes( _In_ PPH_RUNAS_PACKAGE_CONTEXT Context, _Out_ PPH_RUNASPACKAGE_TREE_ROOT_NODE **Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_RUNASPACKAGE_TREE_ROOT_NODE node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE)Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhRunAsPackageTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_ PVOID Context ) { PPH_RUNASPACKAGE_TREE_ROOT_NODE node = (PPH_RUNASPACKAGE_TREE_ROOT_NODE)Node; PPH_RUNAS_PACKAGE_CONTEXT context = Context; if (!context->SearchMatchHandle) return TRUE; if (node->AppUserModelId && PhSearchControlMatch(context->SearchMatchHandle, &node->AppUserModelId->sr)) return TRUE; if (node->DisplayName && PhSearchControlMatch(context->SearchMatchHandle, &node->DisplayName->sr)) return TRUE; if (node->PackageInstallPath && PhSearchControlMatch(context->SearchMatchHandle, &node->PackageInstallPath->sr)) return TRUE; if (node->PackageFullName && PhSearchControlMatch(context->SearchMatchHandle, &node->PackageFullName->sr)) return TRUE; return FALSE; } VOID PhRunAsPackageInitializeTree( _Inout_ PPH_RUNAS_PACKAGE_CONTEXT Context ) { static CONST PH_STRINGREF PhRunAsPackageLoadingText = PH_STRINGREF_INIT(L"Loading package information..."); Context->NodeList = PhCreateList(20); Context->NodeHashtable = PhCreateHashtable( sizeof(PPH_RUNASPACKAGE_TREE_ROOT_NODE), PhRunAsPackageNodeHashtableEqualFunction, PhRunAsPackageNodeHashtableHashFunction, 20 ); Context->NormalFontHandle = PhCreateCommonFont(-10, FW_NORMAL, NULL, Context->WindowDpi); Context->TitleFontHandle = PhCreateCommonFont(-14, FW_BOLD, NULL, Context->WindowDpi); PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); TreeNew_SetCallback(Context->TreeNewHandle, PhRunAsPackageTreeNewCallback, Context); TreeNew_SetRowHeight(Context->TreeNewHandle, PhGetDpi(48, Context->WindowDpi)); PhAddTreeNewColumnEx2(Context->TreeNewHandle, PH_RUNASPACKAGE_TREE_COLUMN_ITEM_NAME, TRUE, L"Package", 80, PH_ALIGN_LEFT, 0, 0, TN_COLUMN_FLAG_CUSTOMDRAW); //PhAddTreeNewColumnEx2(Context->TreeNewHandle, PH_PLUGIN_TREE_COLUMN_ITEM_VERSION, TRUE, L"Version", 80, PH_ALIGN_CENTER, 1, DT_CENTER, 0); //PhRunAsPackageLoadSettingsTreeList(Context); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, Context->TreeNewHandle, Context->NodeList); Context->TreeFilterEntry = PhAddTreeNewFilter(&Context->TreeFilterSupport, PhRunAsPackageTreeFilterCallback, Context); TreeNew_SetEmptyText(Context->TreeNewHandle, &PhRunAsPackageLoadingText, 0); TreeNew_SetTriState(Context->TreeNewHandle, TRUE); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); } VOID PhRunAsPackageDeleteTree( _In_ PPH_RUNAS_PACKAGE_CONTEXT Context ) { PhRemoveTreeNewFilter(&Context->TreeFilterSupport, Context->TreeFilterEntry); PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); if (Context->TitleFontHandle) DeleteFont(Context->TitleFontHandle); if (Context->NormalFontHandle) DeleteFont(Context->NormalFontHandle); //PhRunAsPackageSaveSettingsTreeList(Context); for (ULONG i = 0; i < Context->NodeList->Count; i++) PhRunAsPackageDestroyNode(Context->NodeList->Items[i]); PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } #pragma endregion _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhEnumPackageThreadCallback( _In_ PVOID Context ) { PPH_RUNAS_PACKAGE_CONTEXT context = Context; PPH_LIST apps = PhEnumPackageApplicationUserModelIds(); PostMessage(context->WindowHandle, WM_PH_UPDATE_DIALOG, 0, (LPARAM)apps); PhDereferenceObject(context); return STATUS_SUCCESS; } static VOID PhRunAsPackageSetImagelist( _Inout_ PPH_RUNAS_PACKAGE_CONTEXT Context ) { if (Context->ImageListHandle) { PhImageListDestroy(Context->ImageListHandle); Context->ImageListHandle = NULL; } Context->ImageListHandle = PhImageListCreate( PhGetSystemMetrics(SM_CXICON, Context->WindowDpi), PhGetSystemMetrics(SM_CYICON, Context->WindowDpi), ILC_MASK | ILC_COLOR32, 20, 10 ); } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhPackageWindowContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { //PPH_RUNAS_PACKAGE_CONTEXT context = (PPH_RUNAS_PACKAGE_CONTEXT)Object; NOTHING; } PPH_RUNAS_PACKAGE_CONTEXT PhCreatePackageWindowContext( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_OBJECT_TYPE PhPackageWindowContextObjectType; PPH_RUNAS_PACKAGE_CONTEXT context; if (PhBeginInitOnce(&initOnce)) { PhPackageWindowContextObjectType = PhCreateObjectType(L"RunAsPackageWindowContext", 0, PhPackageWindowContextDeleteProcedure); PhEndInitOnce(&initOnce); } context = PhCreateObject(sizeof(PH_RUNAS_PACKAGE_CONTEXT), PhPackageWindowContextObjectType); memset(context, 0, sizeof(PH_RUNAS_PACKAGE_CONTEXT)); return context; } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpRunAsPackageSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_RUNAS_PACKAGE_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatchHandle; PhApplyTreeNewFilters(&context->TreeFilterSupport); } INT_PTR CALLBACK PhRunAsPackageWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_RUNAS_PACKAGE_CONTEXT context = NULL; if (WindowMessage == WM_INITDIALOG) { context = PhCreatePackageWindowContext(); PhSetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (WindowMessage) { case WM_INITDIALOG: { context->WindowHandle = WindowHandle; context->ParentWindowHandle = (HWND)lParam; context->ComboBoxHandle = GetDlgItem(WindowHandle, IDC_PROGRAMCOMBO); context->SearchBoxHandle = GetDlgItem(WindowHandle, IDC_SEARCH); context->TreeNewHandle = GetDlgItem(WindowHandle, IDC_LIST); context->WindowDpi = PhGetWindowDpi(WindowHandle); PhSetApplicationWindowIconEx(WindowHandle, context->WindowDpi); PhInitializeLayoutManager(&context->LayoutManager, WindowHandle); PhAddLayoutItem(&context->LayoutManager, context->ComboBoxHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDC_BROWSE), NULL, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, context->SearchBoxHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDC_REFRESH), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(WindowHandle, IDCANCEL), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); if (PhValidWindowPlacementFromSetting(SETTING_RUN_AS_PACKAGE_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_RUN_AS_PACKAGE_WINDOW_POSITION, SETTING_RUN_AS_PACKAGE_WINDOW_SIZE, WindowHandle); else PhCenterWindow(WindowHandle, GetParent(WindowHandle)); TreeNew_AutoSizeColumn(context->TreeNewHandle, PH_RUNASPACKAGE_TREE_COLUMN_ITEM_NAME, TN_AUTOSIZE_REMAINING_SPACE); PhpAddProgramsToComboBox(context->ComboBoxHandle); ComboBox_SetCurSel(context->ComboBoxHandle, 0); PhRunAsPackageSetImagelist(context); PhRunAsPackageInitializeTree(context); PhCreateSearchControl( WindowHandle, context->SearchBoxHandle, L"Search Packages", PhpRunAsPackageSearchControlCallback, context ); PhInitializeWindowTheme(WindowHandle, PhEnableThemeSupport); PhSetDialogFocus(WindowHandle, GetDlgItem(WindowHandle, IDCANCEL)); EnableWindow(GetDlgItem(WindowHandle, IDC_REFRESH), FALSE); PhReferenceObject(context); PhCreateThread2(PhEnumPackageThreadCallback, context); } break; case WM_DESTROY: { PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); PhSaveWindowPlacementToSetting(SETTING_RUN_AS_PACKAGE_WINDOW_POSITION, SETTING_RUN_AS_PACKAGE_WINDOW_SIZE, WindowHandle); PhRunAsPackageDeleteTree(context); PhImageListDestroy(context->ImageListHandle); PhDestroyWindowIcon(WindowHandle); PhDereferenceObject(context); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); TreeNew_AutoSizeColumn(context->TreeNewHandle, PH_RUNASPACKAGE_TREE_COLUMN_ITEM_NAME, TN_AUTOSIZE_REMAINING_SPACE); } break; case WM_DPICHANGED: { context->WindowDpi = LOWORD(wParam); PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_PH_UPDATE_DIALOG: { PPH_LIST apps = (PPH_LIST)lParam; EnableWindow(GetDlgItem(WindowHandle, IDC_REFRESH), TRUE); if (apps) { TreeNew_SetRedraw(context->TreeNewHandle, FALSE); for (ULONG i = 0; i < apps->Count; i++) { PhRunAsPackageAddNode(context, apps->Items[i]); } TreeNew_SetRedraw(context->TreeNewHandle, TRUE); TreeNew_AutoSizeColumn(context->TreeNewHandle, PH_RUNASPACKAGE_TREE_COLUMN_ITEM_NAME, TN_AUTOSIZE_REMAINING_SPACE); PhDestroyEnumPackageApplicationUserModelIds(apps); } else { // Error } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(WindowHandle, IDCANCEL); break; case IDC_BROWSE: { PH_FILETYPE_FILTER filters[] = { { L"Executable files (*.exe;*.pif;*.com;*.bat;*.cmd)", L"*.exe;*.pif;*.com;*.bat;*.cmd" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog = PhCreateOpenFileDialog(); PhSetFileDialogFilter(fileDialog, filters, RTL_NUMBER_OF(filters)); if (PhShowFileDialog(WindowHandle, fileDialog)) { PPH_STRING fileName; if (fileName = PhGetFileDialogFileName(fileDialog)) { ComboBox_SetText(context->ComboBoxHandle, PhGetString(fileName)); PhDereferenceObject(fileName); } } PhFreeFileDialog(fileDialog); } break; case IDOK: { PPH_RUNASPACKAGE_TREE_ROOT_NODE node; HRESULT status; PPH_STRING windowText; if (node = PhRunAsPackageGetSelectedNode(context)) { if (windowText = PhGetWindowText(context->ComboBoxHandle)) { PPH_STRING argumentsString = NULL; PPH_STRING commandString = NULL; PPH_STRING directoryString = NULL; PPH_STRING fullFileName = NULL; PH_STRINGREF fileName; PH_STRINGREF arguments; if (PhIsNullOrEmptyString(windowText)) break; if (!(commandString = PhExpandEnvironmentStrings(&windowText->sr))) commandString = PhCreateString2(&windowText->sr); PhParseCommandLineFuzzy(&commandString->sr, &fileName, &arguments, &fullFileName); if (PhIsNullOrEmptyString(fullFileName)) PhMoveReference(&fullFileName, PhCreateString2(&fileName)); if (arguments.Length) { argumentsString = PhCreateString2(&arguments); } directoryString = PhpQueryRunFileParentDirectory(!!PhGetOwnTokenAttributes().Elevated); status = PhCreateProcessDesktopPackage( PhGetString(node->AppUserModelId), PhGetString(fullFileName), PhGetString(argumentsString), PhGetString(directoryString), FALSE, NULL, NULL ); if (HR_SUCCESS(status)) { PhRecentListAddCommand(&commandString->sr); EndDialog(WindowHandle, IDOK); } else { PhShowStatus(WindowHandle, L"Unable to execute the command.", 0, status); } PhClearReference(&directoryString); PhClearReference(&argumentsString); PhClearReference(&fullFileName); PhClearReference(&commandString); } } } break; case IDC_REFRESH: { EnableWindow(GetDlgItem(WindowHandle, IDC_REFRESH), FALSE); PhRunAsPackageClearTree(context); PhRunAsPackageSetImagelist(context); PhReferenceObject(context); PhCreateThread2(PhEnumPackageThreadCallback, context); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(WindowHandle, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(WindowHandle, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/searchbox.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2012-2023 * jxy-s 2023-2024 * */ #include #include VOID PhCreateSearchControl( _In_ HWND ParentWindowHandle, _In_ HWND SearchWindowHandle, _In_opt_ PCWSTR BannerText, _In_ PPH_SEARCHCONTROL_CALLBACK Callback, _In_opt_ PVOID Context ) { PhCreateSearchControlEx( ParentWindowHandle, SearchWindowHandle, BannerText, NtCurrentImageBase(), PhEnableThemeSupport ? MAKEINTRESOURCE(IDB_SEARCH_INACTIVE_MODERN_LIGHT) : MAKEINTRESOURCE(IDB_SEARCH_INACTIVE_MODERN_DARK), PhEnableThemeSupport ? MAKEINTRESOURCE(IDB_SEARCH_ACTIVE_MODERN_LIGHT) : MAKEINTRESOURCE(IDB_SEARCH_ACTIVE_MODERN_DARK), PhEnableThemeSupport ? MAKEINTRESOURCE(IDB_SEARCH_REGEX_MODERN_LIGHT) : MAKEINTRESOURCE(IDB_SEARCH_REGEX_MODERN_DARK), PhEnableThemeSupport ? MAKEINTRESOURCE(IDB_SEARCH_CASE_MODERN_LIGHT) : MAKEINTRESOURCE(IDB_SEARCH_CASE_MODERN_DARK), SETTING_SEARCH_CONTROL_REGEX, SETTING_SEARCH_CONTROL_CASE_SENSITIVE, Callback, Context ); } ================================================ FILE: SystemInformer/sessmsg.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2013 * dmex 2019-2023 * */ #include #include #include static CONST PH_KEY_VALUE_PAIR PhpMessageBoxIconPairs[] = { SIP(L"None", MB_OK), SIP(L"Information", MB_ICONINFORMATION), SIP(L"Warning", MB_ICONWARNING), SIP(L"Error", MB_ICONERROR), SIP(L"Question", MB_ICONQUESTION) }; INT_PTR CALLBACK PhpSessionSendMessageDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { HWND iconComboBox; PPH_STRING currentUserName; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, UlongToPtr((ULONG)lParam)); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); iconComboBox = GetDlgItem(hwndDlg, IDC_TYPE); ComboBox_AddString(iconComboBox, L"None"); ComboBox_AddString(iconComboBox, L"Information"); ComboBox_AddString(iconComboBox, L"Warning"); ComboBox_AddString(iconComboBox, L"Error"); ComboBox_AddString(iconComboBox, L"Question"); PhSelectComboBoxString(iconComboBox, L"None", FALSE); if (currentUserName = PhGetTokenUserString(PhGetOwnTokenAttributes().TokenHandle, TRUE)) { PhSetDialogItemText( hwndDlg, IDC_TITLE, PhaFormatString(L"Message from %s", currentUserName->Buffer)->Buffer ); PhDereferenceObject(currentUserName); } PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDC_TEXT)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); // HACK (dmex) } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { ULONG sessionId = PtrToUlong(PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT)); PPH_STRING title; PPH_STRING text; ULONG icon = 0; ULONG64 timeout = 0; ULONG response; title = PhaGetDlgItemText(hwndDlg, IDC_TITLE); text = PhaGetDlgItemText(hwndDlg, IDC_TEXT); PhFindIntegerSiKeyValuePairs( PhpMessageBoxIconPairs, sizeof(PhpMessageBoxIconPairs), PhaGetDlgItemText(hwndDlg, IDC_TYPE)->Buffer, &icon ); PhStringToInteger64( &PhaGetDlgItemText(hwndDlg, IDC_TIMEOUT)->sr, 10, &timeout ); if (WinStationSendMessageW( NULL, sessionId, title->Buffer, (ULONG)title->Length, text->Buffer, (ULONG)text->Length, icon, (ULONG)timeout, &response, TRUE )) { EndDialog(hwndDlg, IDOK); } else { PhShowStatus(hwndDlg, L"Unable to send the message", 0, GetLastError()); } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhShowSessionSendMessageDialog( _In_ HWND ParentWindowHandle, _In_ ULONG SessionId ) { PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_EDITMESSAGE), ParentWindowHandle, PhpSessionSendMessageDlgProc, UlongToPtr(SessionId) ); } ================================================ FILE: SystemInformer/sessprp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2018-2024 * */ #include #include #include #include INT_PTR CALLBACK PhpSessionPropertiesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); static CONST PH_KEY_VALUE_PAIR PhpConnectStatePairs[] = { SIP(L"Active", State_Active), SIP(L"Connected", State_Connected), SIP(L"ConnectQuery", State_ConnectQuery), SIP(L"Shadow", State_Shadow), SIP(L"Disconnected", State_Disconnected), SIP(L"Idle", State_Idle), SIP(L"Listen", State_Listen), SIP(L"Reset", State_Reset), SIP(L"Down", State_Down), SIP(L"Init", State_Init) }; VOID PhShowSessionProperties( _In_ HWND ParentWindowHandle, _In_ ULONG SessionId ) { PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_SESSION), PhCsForceNoParent ? NULL : ParentWindowHandle, PhpSessionPropertiesDlgProc, UlongToPtr(SessionId) ); } typedef struct _PHP_SESSION_PROPERTIES_CONTEXT { HWND ListViewHandle; ULONG SessionId; PH_LAYOUT_MANAGER LayoutManager; } PHP_SESSION_PROPERTIES_CONTEXT, *PPHP_SESSION_PROPERTIES_CONTEXT; VOID PhpSessionPropertiesQueryWinStationInfo( _In_ PPHP_SESSION_PROPERTIES_CONTEXT Context, _In_ ULONG SessionId ) { WINSTATIONINFORMATION winStationInfo; BOOLEAN haveWinStationInfo; WINSTATIONCLIENT clientInfo; BOOLEAN haveClientInfo; ULONG returnLength; PWSTR stateString; // Query basic session information haveWinStationInfo = WinStationQueryInformationW( WINSTATION_CURRENT_SERVER, SessionId, WinStationInformation, &winStationInfo, sizeof(WINSTATIONINFORMATION), &returnLength ); // Query client information haveClientInfo = WinStationQueryInformationW( WINSTATION_CURRENT_SERVER, SessionId, WinStationClient, &clientInfo, sizeof(WINSTATIONCLIENT), &returnLength ); if (haveWinStationInfo) { PH_FORMAT format[3]; WCHAR formatBuffer[256]; PhInitFormatS(&format[0], winStationInfo.Domain); PhInitFormatC(&format[1], OBJ_NAME_PATH_SEPARATOR); PhInitFormatS(&format[2], winStationInfo.UserName); if (PhFormatToBuffer( format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL )) { PhSetListViewSubItem(Context->ListViewHandle, 0, 1, formatBuffer); } } PhSetListViewSubItem(Context->ListViewHandle, 1, 1, PhaFormatUInt64(SessionId, FALSE)->Buffer); if (haveWinStationInfo) { if (PhFindStringSiKeyValuePairs( PhpConnectStatePairs, sizeof(PhpConnectStatePairs), winStationInfo.ConnectState, &stateString )) { PhSetListViewSubItem(Context->ListViewHandle, 2, 1, stateString); } } if (haveWinStationInfo && winStationInfo.LogonTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.LogonTime); time = PhFormatDateTime(&systemTime); PhSetListViewSubItem(Context->ListViewHandle, 3, 1, time->Buffer); PhDereferenceObject(time); } if (haveWinStationInfo && winStationInfo.ConnectTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.ConnectTime); time = PhFormatDateTime(&systemTime); PhSetListViewSubItem(Context->ListViewHandle, 4, 1, time->Buffer); PhDereferenceObject(time); } if (haveWinStationInfo && winStationInfo.DisconnectTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.DisconnectTime); time = PhFormatDateTime(&systemTime); PhSetListViewSubItem(Context->ListViewHandle, 5, 1, time->Buffer); PhDereferenceObject(time); } if (haveWinStationInfo && winStationInfo.LastInputTime.QuadPart != 0) { SYSTEMTIME systemTime; PPH_STRING time; PhLargeIntegerToLocalSystemTime(&systemTime, &winStationInfo.LastInputTime); time = PhFormatDateTime(&systemTime); PhSetListViewSubItem(Context->ListViewHandle, 6, 1, time->Buffer); PhDereferenceObject(time); } if (haveClientInfo && clientInfo.ClientName[0] != UNICODE_NULL) { WCHAR addressString[INET6_ADDRSTRLEN + 1]; PhSetListViewSubItem(Context->ListViewHandle, 7, 1, clientInfo.ClientName); if (clientInfo.ClientAddressFamily == AF_INET6) { ULONG addressLength = RTL_NUMBER_OF(addressString); IN6_ADDR address; ULONG i; PUSHORT in; PUSHORT out; // IPv6 is special - the client address data is a reversed version of // the real address. in = (PUSHORT)clientInfo.ClientAddress; out = (PUSHORT)address.u.Word; for (i = 8; i != 0; i--) { *out = _byteswap_ushort(*in); in++; out++; } RtlIpv6AddressToStringEx(&address, 0, 0, addressString, &addressLength); } else { wcscpy_s(addressString, 65, clientInfo.ClientAddress); } PhSetListViewSubItem(Context->ListViewHandle, 8, 1, addressString); PhSetListViewSubItem(Context->ListViewHandle, 9, 1, PhaFormatString(L"%ux%u@%u", clientInfo.HRes, clientInfo.VRes, clientInfo.ColorDepth)->Buffer ); } } INT_PTR CALLBACK PhpSessionPropertiesDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_SESSION_PROPERTIES_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PHP_SESSION_PROPERTIES_CONTEXT)); context->SessionId = (ULONG)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetApplicationWindowIcon(hwndDlg); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 150, L"Name"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 250, L"Value"); PhSetExtendedListView(context->ListViewHandle); ListView_EnableGroupView(context->ListViewHandle, TRUE); PhAddListViewGroup(context->ListViewHandle, 0, L"User"); //PhAddListViewGroup(context->ListViewHandle, 1, L"Profile"); PhAddListViewGroupItem(context->ListViewHandle, 0, 0, L"User name", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 1, L"Session ID", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 2, L"State", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 3, L"Logon time", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 4, L"Connect time", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 5, L"Disconnect time", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 6, L"Last input time", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 7, L"Client name", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 8, L"Client address", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, 9, L"Client display", NULL); //PhAddListViewGroupItem(context->ListViewHandle, 1, 10, L"LastLogon", NULL); //PhAddListViewGroupItem(context->ListViewHandle, 1, 11, L"LastLogoff", NULL); //PhAddListViewGroupItem(context->ListViewHandle, 1, 12, L"Home directory", NULL); //PhAddListViewGroupItem(context->ListViewHandle, 1, 13, L"Profile directory", NULL); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_LIST), NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhpSessionPropertiesQueryWinStationInfo(context, context->SessionId); //PhpSessionPropertiesQuerySamAccountInfo(context, context->SessionId); PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDOK)); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); // HACK } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteLayoutManager(&context->LayoutManager); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; } } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/sessshad.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 */ #include #include #include #include static CONST PH_KEY_VALUE_PAIR VirtualKeyPairs[] = { SIP(L"0", '0'), SIP(L"1", '1'), SIP(L"2", '2'), SIP(L"3", '3'), SIP(L"4", '4'), SIP(L"5", '5'), SIP(L"6", '6'), SIP(L"7", '7'), SIP(L"8", '8'), SIP(L"9", '9'), SIP(L"A", 'A'), SIP(L"B", 'B'), SIP(L"C", 'C'), SIP(L"D", 'D'), SIP(L"E", 'E'), SIP(L"F", 'F'), SIP(L"G", 'G'), SIP(L"H", 'H'), SIP(L"I", 'I'), SIP(L"J", 'J'), SIP(L"K", 'K'), SIP(L"L", 'L'), SIP(L"M", 'M'), SIP(L"N", 'N'), SIP(L"O", 'O'), SIP(L"P", 'P'), SIP(L"Q", 'Q'), SIP(L"R", 'R'), SIP(L"S", 'S'), SIP(L"T", 'T'), SIP(L"U", 'U'), SIP(L"V", 'V'), SIP(L"W", 'W'), SIP(L"X", 'X'), SIP(L"Y", 'Y'), SIP(L"Z", 'Z'), SIP(L"{backspace}", VK_BACK), SIP(L"{delete}", VK_DELETE), SIP(L"{down}", VK_DOWN), SIP(L"{end}", VK_END), SIP(L"{enter}", VK_RETURN), SIP(L"{F2}", VK_F2), SIP(L"{F3}", VK_F3), SIP(L"{F4}", VK_F4), SIP(L"{F5}", VK_F5), SIP(L"{F6}", VK_F6), SIP(L"{F7}", VK_F7), SIP(L"{F8}", VK_F8), SIP(L"{F9}", VK_F9), SIP(L"{F10}", VK_F10), SIP(L"{F11}", VK_F11), SIP(L"{F12}", VK_F12), SIP(L"{home}", VK_HOME), SIP(L"{insert}", VK_INSERT), SIP(L"{left}", VK_LEFT), SIP(L"{-}", VK_SUBTRACT), SIP(L"{pagedown}", VK_NEXT), SIP(L"{pageup}", VK_PRIOR), SIP(L"{+}", VK_ADD), SIP(L"{prtscrn}", VK_SNAPSHOT), SIP(L"{right}", VK_RIGHT), SIP(L"{spacebar}", VK_SPACE), SIP(L"{*}", VK_MULTIPLY), SIP(L"{tab}", VK_TAB), SIP(L"{up}", VK_UP) }; INT_PTR CALLBACK PhpSessionShadowDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowSessionShadowDialog( _In_ HWND ParentWindowHandle, _In_ ULONG SessionId ) { ULONG sessionId = ULONG_MAX; PhGetProcessSessionId(NtCurrentProcess(), &sessionId); if (SessionId == sessionId) { PhShowError2(ParentWindowHandle, L"Unable to shadow session.", L"%s", L"You cannot remote control the current session."); return; } PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_SHADOWSESSION), ParentWindowHandle, PhpSessionShadowDlgProc, UlongToPtr(SessionId) ); } INT_PTR CALLBACK PhpSessionShadowDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { HWND virtualKeyComboBox; PH_INTEGER_PAIR hotkey; ULONG i; PWSTR stringToSelect; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, UlongToPtr((ULONG)lParam)); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); hotkey = PhGetIntegerPairSetting(SETTING_SESSION_SHADOW_HOTKEY); // Set up the hotkeys. virtualKeyComboBox = GetDlgItem(hwndDlg, IDC_VIRTUALKEY); stringToSelect = L"{*}"; for (i = 0; i < sizeof(VirtualKeyPairs) / sizeof(PH_KEY_VALUE_PAIR); i++) { ComboBox_AddString(virtualKeyComboBox, VirtualKeyPairs[i].Key); if (PtrToUlong(VirtualKeyPairs[i].Value) == (ULONG)hotkey.X) { stringToSelect = VirtualKeyPairs[i].Key; } } PhSelectComboBoxString(virtualKeyComboBox, stringToSelect, FALSE); // Set up the modifiers. Button_SetCheck(GetDlgItem(hwndDlg, IDC_SHIFT), hotkey.Y & KBDSHIFT); Button_SetCheck(GetDlgItem(hwndDlg, IDC_CTRL), hotkey.Y & KBDCTRL); Button_SetCheck(GetDlgItem(hwndDlg, IDC_ALT), hotkey.Y & KBDALT); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (LOWORD(wParam)) { case IDCANCEL: EndDialog(hwndDlg, IDCANCEL); break; case IDOK: { ULONG sessionId = PtrToUlong(PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT)); ULONG virtualKey; ULONG modifiers; PPH_STRING computerName; virtualKey = VK_MULTIPLY; PhFindIntegerSiKeyValuePairs( VirtualKeyPairs, sizeof(VirtualKeyPairs), PhaGetDlgItemText(hwndDlg, IDC_VIRTUALKEY)->Buffer, &virtualKey ); modifiers = 0; if (Button_GetCheck(GetDlgItem(hwndDlg, IDC_SHIFT)) == BST_CHECKED) modifiers |= KBDSHIFT; if (Button_GetCheck(GetDlgItem(hwndDlg, IDC_CTRL)) == BST_CHECKED) modifiers |= KBDCTRL; if (Button_GetCheck(GetDlgItem(hwndDlg, IDC_ALT)) == BST_CHECKED) modifiers |= KBDALT; if (computerName = PhGetActiveComputerName()) { if (WinStationShadow(NULL, PhGetString(computerName), sessionId, (UCHAR)virtualKey, (USHORT)modifiers)) { PH_INTEGER_PAIR hotkey; hotkey.X = virtualKey; hotkey.Y = modifiers; PhSetIntegerPairSetting(SETTING_SESSION_SHADOW_HOTKEY, hotkey); EndDialog(hwndDlg, IDOK); } else { PhShowStatus(hwndDlg, L"Unable to remote control the session", 0, GetLastError()); } PhDereferenceObject(computerName); } else { PhShowStatus(hwndDlg, L"Unable to remote control the session", 0, ERROR_DS_NAME_TOO_LONG); } } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/settings.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * jxy-s 2021 * */ #include #include #define PH_SETTINGS_PRIVATE #include VOID PhAddDefaultSettings( VOID ) { PhpAddStringSetting(SETTING_SCHEMA_FILE, L"https://systeminformer.io/settings.schema.json"); PhpAddIntegerSetting(SETTING_ALLOW_ONLY_ONE_INSTANCE, L"1"); PhpAddIntegerSetting(SETTING_CLOSE_ON_ESCAPE, L"0"); PhpAddStringSetting(SETTING_DBGHELP_SEARCH_PATH, L"SRV*C:\\Symbols*https://msdl.microsoft.com/download/symbols"); PhpAddIntegerSetting(SETTING_DBGHELP_UNDECORATE, L"1"); PhpAddIntegerSetting(SETTING_DBGHELP_VERIFY_MICROSOFT_CHAIN, L"1"); PhpAddStringSetting(SETTING_DISABLED_PLUGINS, L""); PhpAddIntegerSetting(SETTING_ELEVATION_LEVEL, L"1"); // PromptElevateAction PhpAddIntegerSetting(SETTING_ENABLE_ADVANCED_OPTIONS, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_AVX_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_BITMAP_SUPPORT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_BREAK_ON_TERMINATION, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_BOOT_OBJECTS_ENUMERATE, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_COMMAND_LINE_TOOLTIPS, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_CYCLE_CPU_USAGE, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_DEFERRED_LAYOUT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_DEVICE_SUPPORT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_DEVICE_NOTIFY_SUPPORT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_IMAGE_COHERENCY_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_INSTANT_TOOLTIPS, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_HEAP_REFLECTION, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_HEAP_MEMORY_TAGGING, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_LAST_PROCESS_SHUTDOWN, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_LINUX_SUBSYSTEM_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_HANDLE_SNAPSHOT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_MINIDUMP_KERNEL_MINIDUMP, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_MINIDUMP_SNAPSHOT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_MONOSPACE_FONT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_NETWORK_BOUND_CONNECTIONS, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_NETWORK_RESOLVE, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_NETWORK_RESOLVE_DOH, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_MEM_STRINGS_TREE_DIALOG, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_PACKAGE_ICON_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_PROCESS_HANDLE_PNP_DEVICE_NAME_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_PLUGINS, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_PLUGINS_NATIVE, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_GRAPH_MAX_SCALE, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_GRAPH_MAX_TEXT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_SERVICE_NON_POLL, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_SERVICE_NON_POLL_NOTIFY, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_SERVICE_STAGE2, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_SERVICE_PROGRESS_DIALOG, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_SHELL_EXECUTE_SKIP_IFEO_DEBUGGER, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_STAGE2, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_STREAMER_MODE, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_START_AS_ADMIN, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_START_AS_ADMIN_ALWAYS_ON_TOP, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_DEFAULT_SAFE_PLUGINS, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_SECURITY_ADVANCED_DIALOG, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_SHORT_RELATIVE_START_TIME, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_SHUTDOWN_CRITICAL_MENU, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_SHUTDOWN_BOOT_MENU, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_SILENT_CRASH_NOTIFY, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_THEME_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_THEME_ACRYLIC_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_THEME_ACRYLIC_WINDOW_SUPPORT, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_THEME_ANIMATION, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_THEME_NATIVE_BUTTONS, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_THREAD_STACK_INLINE_SYMBOLS, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_THREAD_STACK_LINE_INFORMATION, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_TOKEN_REMOVED_PRIVILEGES, L"0"); PhpAddIntegerSetting(SETTING_ENABLE_TOOLTIP_SUPPORT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_UPDATE_DEFAULT_FIRMWARE_BOOT_ENTRY, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_VERSION_SUPPORT, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_WARNINGS, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_WARNINGS_RUNAS, L"1"); PhpAddIntegerSetting(SETTING_ENABLE_WINDOW_TEXT, L"1"); PhpAddStringSetting(SETTING_ENVIRONMENT_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_ENVIRONMENT_TREE_LIST_SORT, L"0,0"); // 0, NoSortOrder PhpAddIntegerSetting(SETTING_ENVIRONMENT_TREE_LIST_FLAGS, L"0"); PhpAddIntegerSetting(SETTING_SEARCH_CONTROL_REGEX, L"0"); PhpAddIntegerSetting(SETTING_SEARCH_CONTROL_CASE_SENSITIVE, L"0"); PhpAddStringSetting(SETTING_FIND_OBJ_TREE_LIST_COLUMNS, L""); PhpAddIntegerPairSetting(SETTING_FIND_OBJ_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_FIND_OBJ_WINDOW_SIZE, L"@96|550,420"); PhpAddStringSetting(SETTING_THREAD_STACKS_TREE_LIST_COLUMNS, L""); PhpAddIntegerPairSetting(SETTING_THREAD_STACKS_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_THREAD_STACKS_WINDOW_SIZE, L"@96|550,420"); PhpAddStringSetting(SETTING_FILE_BROWSE_EXECUTABLE, L"%SystemRoot%\\explorer.exe /select,\"%s\""); PhpAddIntegerSetting(SETTING_FIRST_RUN, L"1"); PhpAddStringSetting(SETTING_FONT, L""); // null PhpAddStringSetting(SETTING_FONT_MONOSPACE, L""); // null PhpAddIntegerSetting(SETTING_FONT_QUALITY, L"0"); PhpAddIntegerSetting(SETTING_FORCE_NO_PARENT, L"1"); PhpAddStringSetting(SETTING_HANDLE_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_HANDLE_TREE_LIST_SORT, L"0,1"); // 0, AscendingSortOrder PhpAddIntegerSetting(SETTING_HANDLE_TREE_LIST_FLAGS, L"3"); PhpAddIntegerPairSetting(SETTING_HANDLE_PROPERTIES_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_HANDLE_PROPERTIES_WINDOW_SIZE, L"@96|260,260"); PhpAddStringSetting(SETTING_HANDLE_STATISTICS_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_HANDLE_STATISTICS_LIST_VIEW_SORT, L"0,1"); PhpAddIntegerPairSetting(SETTING_HANDLE_STATISTICS_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_HANDLE_STATISTICS_WINDOW_SIZE, L"@96|0,0"); PhpAddIntegerSetting(SETTING_HIDE_DEFAULT_SERVICES, L"0"); PhpAddIntegerSetting(SETTING_HIDE_DRIVER_SERVICES, L"0"); PhpAddIntegerSetting(SETTING_HIDE_FREE_REGIONS, L"1"); PhpAddIntegerSetting(SETTING_HIDE_ON_CLOSE, L"0"); PhpAddIntegerSetting(SETTING_HIDE_ON_MINIMIZE, L"0"); PhpAddIntegerSetting(SETTING_HIDE_OTHER_USER_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_HIDE_SIGNED_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_HIDE_MICROSOFT_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_HIDE_WAITING_CONNECTIONS, L"0"); PhpAddIntegerSetting(SETTING_HIGHLIGHTING_DURATION, L"3e8"); // 1000ms PhpAddIntegerSetting(SETTING_ICON_BALLOON_SHOW_ICON, L"0"); PhpAddIntegerSetting(SETTING_ICON_BALLOON_MUTE_SOUND, L"0"); PhpAddIntegerSetting(SETTING_TOAST_NOTIFY_ENABLED, L"0"); PhpAddStringSetting(SETTING_ICON_TRAY_GUIDS, L""); PhpAddIntegerSetting(SETTING_ICON_TRAY_PERSIST_GUID_ENABLED, L"0"); PhpAddIntegerSetting(SETTING_ICON_TRAY_LAZY_START_DELAY, L"1"); PhpAddIntegerSetting(SETTING_ICON_IGNORE_BALLOON_CLICK, L"0"); PhpAddStringSetting(SETTING_ICON_SETTINGS, L""); PhpAddIntegerSetting(SETTING_ICON_NOTIFY_MASK, L"c"); // PH_NOTIFY_SERVICE_CREATE | PH_NOTIFY_SERVICE_DELETE PhpAddIntegerSetting(SETTING_ICON_PROCESSES, L"f"); // 15 PhpAddIntegerSetting(SETTING_ICON_SINGLE_CLICK, L"0"); PhpAddIntegerSetting(SETTING_ICON_TOGGLES_VISIBILITY, L"1"); PhpAddIntegerSetting(SETTING_ICON_TRANSPARENCY_ENABLED, L"0"); PhpAddIntegerPairSetting(SETTING_INFORMATION_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_INFORMATION_WINDOW_SIZE, L"@96|140,190"); PhpAddIntegerSetting(SETTING_IMAGE_COHERENCY_SCAN_LEVEL, L"1"); PhpAddStringSetting(SETTING_JOB_LIST_VIEW_COLUMNS, L""); PhpAddIntegerSetting(SETTING_LOG_ENTRIES, L"200"); // 512 PhpAddStringSetting(SETTING_LOG_LIST_VIEW_COLUMNS, L""); PhpAddIntegerPairSetting(SETTING_LOG_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_LOG_WINDOW_SIZE, L"@96|450,500"); PhpAddIntegerSetting(SETTING_MAIN_WINDOW_ALWAYS_ON_TOP, L"0"); PhpAddStringSetting(SETTING_MAIN_WINDOW_CLASS_NAME, L"MainWindowClassName"); PhpAddIntegerSetting(SETTING_MAIN_WINDOW_OPACITY, L"0"); // means 100% PhpAddIntegerPairSetting(SETTING_MAIN_WINDOW_POSITION, L"100,100"); PhpAddScalableIntegerPairSetting(SETTING_MAIN_WINDOW_SIZE, L"@96|800,600"); PhpAddIntegerSetting(SETTING_MAIN_WINDOW_STATE, L"1"); PhpAddIntegerSetting(SETTING_MAIN_WINDOW_TAB_RESTORE_ENABLED, L"0"); PhpAddIntegerSetting(SETTING_MAIN_WINDOW_TAB_RESTORE_INDEX, L"0"); PhpAddIntegerSetting(SETTING_MAX_SIZE_UNIT, L"6"); PhpAddIntegerSetting(SETTING_MAX_PRECISION_UNIT, L"2"); PhpAddIntegerSetting(SETTING_MEM_EDIT_BYTES_PER_ROW, L"10"); // 16 PhpAddStringSetting(SETTING_MEM_EDIT_GOTO_CHOICES, L""); PhpAddIntegerPairSetting(SETTING_MEM_EDIT_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_MEM_EDIT_SIZE, L"@96|600,500"); PhpAddStringSetting(SETTING_MEM_FILTER_CHOICES, L""); PhpAddStringSetting(SETTING_MEM_RESULTS_LIST_VIEW_COLUMNS, L""); PhpAddIntegerPairSetting(SETTING_MEM_RESULTS_POSITION, L"300,300"); PhpAddScalableIntegerPairSetting(SETTING_MEM_RESULTS_SIZE, L"@96|500,520"); PhpAddIntegerSetting(SETTING_MEMORY_LIST_FLAGS, L"3"); PhpAddStringSetting(SETTING_MEMORY_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_MEMORY_TREE_LIST_SORT, L"0,0"); // 0, NoSortOrder PhpAddIntegerPairSetting(SETTING_MEMORY_LISTS_WINDOW_POSITION, L"400,400"); PhpAddStringSetting(SETTING_MEMORY_READ_WRITE_ADDRESS_CHOICES, L""); PhpAddIntegerPairSetting(SETTING_MEMORY_MODIFIED_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_MEMORY_MODIFIED_WINDOW_SIZE, L"@96|450,500"); PhpAddStringSetting(SETTING_MEMORY_MODIFIED_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_MEMORY_MODIFIED_LIST_VIEW_SORT, L"0,0"); // 0, NoSortOrder PhpAddStringSetting(SETTING_MEM_STRINGS_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_MEM_STRINGS_TREE_LIST_SORT, L"0,1"); // 0, AscendingSortOrder PhpAddIntegerSetting(SETTING_MEM_STRINGS_TREE_LIST_FLAGS, L"b"); // ANSI, Unicode, Private PhpAddIntegerSetting(SETTING_MEM_STRINGS_MINIMUM_LENGTH, L"a"); // 10 PhpAddIntegerPairSetting(SETTING_MEM_STRINGS_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_MEM_STRINGS_WINDOW_SIZE, L"@96|550,420"); PhpAddStringSetting(SETTING_MINI_INFO_CONTAINER_CLASS_NAME, L"MiniInfoContainerClassName"); PhpAddStringSetting(SETTING_MINI_INFO_WINDOW_CLASS_NAME, L"MiniInfoWindowClassName"); PhpAddIntegerSetting(SETTING_MINI_INFO_WINDOW_ENABLED, L"1"); PhpAddIntegerSetting(SETTING_MINI_INFO_WINDOW_OPACITY, L"0"); // means 100% PhpAddIntegerSetting(SETTING_MINI_INFO_WINDOW_PINNED, L"0"); PhpAddIntegerPairSetting(SETTING_MINI_INFO_WINDOW_POSITION, L"200,200"); PhpAddIntegerSetting(SETTING_MINI_INFO_WINDOW_REFRESH_AUTOMATICALLY, L"3"); PhpAddScalableIntegerPairSetting(SETTING_MINI_INFO_WINDOW_SIZE, L"@96|10,200"); PhpAddIntegerSetting(SETTING_MODULE_TREE_LIST_FLAGS, L"1"); PhpAddStringSetting(SETTING_MODULE_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_MODULE_TREE_LIST_SORT, L"0,0"); // 0, NoSortOrder PhpAddStringSetting(SETTING_NETWORK_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_NETWORK_TREE_LIST_SORT, L"0,1"); // 0, AscendingSortOrder PhpAddIntegerSetting(SETTING_NON_POLL_FLUSH_INTERVAL, L"A"); // % 10 PhpAddIntegerSetting(SETTING_NO_PURGE_PROCESS_RECORDS, L"0"); PhpAddStringSetting(SETTING_OPTIONS_CUSTOM_COLOR_LIST, L""); PhpAddStringSetting(SETTING_OPTIONS_WINDOW_ADVANCED_COLUMNS, L""); PhpAddIntegerSetting(SETTING_OPTIONS_WINDOW_ADVANCED_FLAGS, L"0"); PhpAddIntegerPairSetting(SETTING_OPTIONS_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_OPTIONS_WINDOW_SIZE, L"@96|900,590"); PhpAddIntegerPairSetting(SETTING_PAGE_FILE_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_PAGE_FILE_WINDOW_SIZE, L"@96|500,300"); PhpAddStringSetting(SETTING_PAGE_FILE_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_PLUGIN_MANAGER_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_PROCESS_SERVICE_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_PROCESS_TREE_COLUMN_SET_CONFIG, L""); PhpAddStringSetting(SETTING_PROCESS_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_PROCESS_TREE_LIST_SORT, L"0,0"); // 0, NoSortOrder PhpAddIntegerSetting(SETTING_PROCESS_TREE_LIST_NAME_DEFAULT, L"1"); PhpAddStringSetting(SETTING_PROC_PROP_PAGE, L"General"); PhpAddIntegerPairSetting(SETTING_PROC_PROP_POSITION, L"200,200"); PhpAddScalableIntegerPairSetting(SETTING_PROC_PROP_SIZE, L"@96|460,580"); PhpAddStringSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_LIST_VIEW_SORT, L"0,0"); PhpAddStringSetting(SETTING_PROC_STAT_PROP_PAGE_GROUP_STATES, L""); PhpAddStringSetting(SETTING_PROGRAM_INSPECT_EXECUTABLES, L"peview.exe \"%s\""); PhpAddIntegerSetting(SETTING_PROPAGATE_CPU_USAGE, L"0"); PhpAddIntegerSetting(SETTING_RELEASE_CHANNEL, L"0"); // PhReleaseChannel PhpAddIntegerSetting(SETTING_RUN_AS_ENABLE_AUTO_COMPLETE, L"0"); PhpAddStringSetting(SETTING_RUN_AS_PROGRAM, L""); PhpAddStringSetting(SETTING_RUN_AS_USER_NAME, L""); PhpAddIntegerPairSetting(SETTING_RUN_AS_WINDOW_POSITION, L"0,0"); PhpAddIntegerPairSetting(SETTING_RUN_AS_PACKAGE_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_RUN_AS_PACKAGE_WINDOW_SIZE, L"@96|500,300"); PhpAddIntegerSetting(SETTING_RUN_FILE_DLG_STATE, L"0"); PhpAddIntegerSetting(SETTING_SAMPLE_COUNT, L"200"); // 512 PhpAddIntegerSetting(SETTING_SAMPLE_COUNT_AUTOMATIC, L"1"); PhpAddIntegerSetting(SETTING_SCROLL_TO_NEW_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_SCROLL_TO_REMOVED_PROCESSES, L"0"); PhpAddStringSetting(SETTING_SEARCH_ENGINE, L"https://duckduckgo.com/?q=\"%s\""); PhpAddStringSetting(SETTING_SEGMENT_HEAP_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_SEGMENT_HEAP_LIST_VIEW_SORT, L"0,1"); PhpAddIntegerPairSetting(SETTING_SEGMENT_HEAP_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_SEGMENT_HEAP_WINDOW_SIZE, L"@96|450,500"); PhpAddStringSetting(SETTING_SEGMENT_LOCKS_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_SEGMENT_LOCKS_LIST_VIEW_SORT, L"0,1"); PhpAddIntegerPairSetting(SETTING_SEGMENT_LOCKS_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_SEGMENT_LOCKS_WINDOW_SIZE, L"@96|450,500"); PhpAddIntegerPairSetting(SETTING_SERVICE_WINDOW_POSITION, L"0,0"); PhpAddStringSetting(SETTING_SERVICE_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_SERVICE_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_SERVICE_TREE_LIST_SORT, L"0,1"); // 0, AscendingSortOrder PhpAddIntegerPairSetting(SETTING_SESSION_SHADOW_HOTKEY, L"106,2"); // VK_MULTIPLY,KBDCTRL PhpAddIntegerSetting(SETTING_SHOW_PLUGIN_LOAD_ERRORS, L"1"); PhpAddIntegerSetting(SETTING_SHOW_COMMIT_IN_SUMMARY, L"1"); PhpAddIntegerSetting(SETTING_SHOW_CPU_BELOW_001, L"0"); PhpAddIntegerSetting(SETTING_SHOW_HEX_ID, L"0"); PhpAddIntegerSetting(SETTING_SORT_CHILD_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_SORT_ROOT_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_START_HIDDEN, L"0"); PhpAddIntegerSetting(SETTING_SYSINFO_SHOW_CPU_SPEED_MHZ, L"0"); PhpAddIntegerSetting(SETTING_SYSINFO_SHOW_CPU_SPEED_PER_CPU, L"0"); PhpAddIntegerSetting(SETTING_SYSINFO_WINDOW_ALWAYS_ON_TOP, L"0"); PhpAddIntegerSetting(SETTING_SYSINFO_WINDOW_ONE_GRAPH_PER_CPU, L"0"); PhpAddIntegerPairSetting(SETTING_SYSINFO_WINDOW_POSITION, L"200,200"); PhpAddStringSetting(SETTING_SYSINFO_WINDOW_SECTION, L""); PhpAddScalableIntegerPairSetting(SETTING_SYSINFO_WINDOW_SIZE, L"@96|900,590"); PhpAddIntegerSetting(SETTING_SYSINFO_WINDOW_STATE, L"1"); PhpAddIntegerSetting(SETTING_TASKMGR_WINDOW_STATE, L"0"); PhpAddIntegerSetting(SETTING_THEME_WINDOW_FOREGROUND_COLOR, L"1c1c1c"); // RGB(28, 28, 28) PhpAddIntegerSetting(SETTING_THEME_WINDOW_BACKGROUND_COLOR, L"2b2b2b"); // RGB(43, 43, 43) PhpAddIntegerSetting(SETTING_THEME_WINDOW_BACKGROUND2_COLOR, L"414141"); // RGB(65, 65, 65) PhpAddIntegerSetting(SETTING_THEME_WINDOW_HIGHLIGHT_COLOR, L"808080"); // RGB(128, 128, 128) PhpAddIntegerSetting(SETTING_THEME_WINDOW_HIGHLIGHT2_COLOR, L"8f8f8f"); // RGB(143, 143, 143) PhpAddIntegerSetting(SETTING_THEME_WINDOW_TEXT_COLOR, L"ffffff"); // RGB(255, 255, 255) PhpAddIntegerSetting(SETTING_THIN_ROWS, L"0"); PhpAddStringSetting(SETTING_THREAD_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_THREAD_TREE_LIST_SORT, L"1,2"); // 1, DescendingSortOrder PhpAddIntegerSetting(SETTING_THREAD_TREE_LIST_FLAGS, L"60"); PhpAddStringSetting(SETTING_THREAD_STACK_TREE_LIST_COLUMNS, L""); PhpAddScalableIntegerPairSetting(SETTING_THREAD_STACK_WINDOW_SIZE, L"@96|420,400"); PhpAddIntegerPairSetting(SETTING_TOKEN_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_TOKEN_WINDOW_SIZE, L"@96|0,0"); PhpAddStringSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_STATES, L""); PhpAddStringSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_SORT, L"1,2"); PhpAddStringSetting(SETTING_TOKEN_PRIVILEGES_LIST_VIEW_COLUMNS, L""); PhpAddIntegerSetting(SETTING_TREE_LIST_BORDER_ENABLE, L"0"); PhpAddIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLORS_ENABLE, L"0"); PhpAddIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLOR_TEXT, L"0"); PhpAddIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLOR_FOCUS, L"0"); PhpAddIntegerSetting(SETTING_TREE_LIST_CUSTOM_COLOR_SELECTION, L"0"); PhpAddIntegerSetting(SETTING_TREE_LIST_CUSTOM_ROW_SIZE, L"0"); PhpAddIntegerSetting(SETTING_TREE_LIST_ENABLE_HEADER_TOTALS, L"1"); PhpAddIntegerSetting(SETTING_TREE_LIST_ENABLE_DRAG_REORDER, L"0"); PhpAddIntegerSetting(SETTING_UPDATE_INTERVAL, L"3e8"); // 1000ms PhpAddIntegerSetting(SETTING_ENABLE_HIGH_RESOLUTION_PROVIDER_TIMER, L"1"); PhpAddStringSetting(SETTING_USER_LIST_TREE_LIST_COLUMNS, L""); PhpAddIntegerPairSetting(SETTING_USER_LIST_WINDOW_POSITION, L"0,0"); PhpAddScalableIntegerPairSetting(SETTING_USER_LIST_WINDOW_SIZE, L"@96|550,420"); PhpAddIntegerSetting(SETTING_WMI_PROVIDER_ENABLE_HIDDEN_MENU, L"0"); PhpAddIntegerSetting(SETTING_WMI_PROVIDER_ENABLE_TOOLTIP_SUPPORT, L"0"); PhpAddStringSetting(SETTING_WMI_PROVIDER_TREE_LIST_COLUMNS, L""); PhpAddStringSetting(SETTING_WMI_PROVIDER_TREE_LIST_SORT, L"0,0"); // 0, NoSortOrder PhpAddIntegerSetting(SETTING_WMI_PROVIDER_TREE_LIST_FLAGS, L"0"); PhpAddStringSetting(SETTING_VDM_HOST_LIST_VIEW_COLUMNS, L""); PhpAddStringSetting(SETTING_ZOMBIE_PROCESSES_LIST_VIEW_COLUMNS, L""); PhpAddIntegerPairSetting(SETTING_ZOMBIE_PROCESSES_WINDOW_POSITION, L"400,400"); PhpAddScalableIntegerPairSetting(SETTING_ZOMBIE_PROCESSES_WINDOW_SIZE, L"@96|520,400"); // Colors are specified with R in the lowest byte, then G, then B. So: bbggrr. PhpAddIntegerSetting(SETTING_COLOR_NEW, L"00ff7f"); // Chartreuse PhpAddIntegerSetting(SETTING_COLOR_REMOVED, L"283cff"); PhpAddIntegerSetting(SETTING_USE_COLOR_OWN_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_OWN_PROCESSES, L"aaffff"); PhpAddIntegerSetting(SETTING_USE_COLOR_SYSTEM_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_SYSTEM_PROCESSES, L"ffccaa"); PhpAddIntegerSetting(SETTING_USE_COLOR_SERVICE_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_SERVICE_PROCESSES, L"ffffcc"); PhpAddIntegerSetting(SETTING_USE_COLOR_BACKGROUND_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_COLOR_BACKGROUND_PROCESSES, L"bcbc78"); PhpAddIntegerSetting(SETTING_USE_COLOR_JOB_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_COLOR_JOB_PROCESSES, L"3f85cd"); // Peru PhpAddIntegerSetting(SETTING_USE_COLOR_WOW64_PROCESSES, L"0"); PhpAddIntegerSetting(SETTING_COLOR_WOW64_PROCESSES, L"8f8fbc"); // Rosy Brown PhpAddIntegerSetting(SETTING_USE_COLOR_DEBUGGED_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_DEBUGGED_PROCESSES, L"ffbbcc"); PhpAddIntegerSetting(SETTING_USE_COLOR_ELEVATED_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_ELEVATED_PROCESSES, L"00aaff"); PhpAddIntegerSetting(SETTING_USE_COLOR_HANDLE_FILTERED, L"1"); PhpAddIntegerSetting(SETTING_COLOR_HANDLE_FILTERED, L"000000"); // Black PhpAddIntegerSetting(SETTING_USE_COLOR_IMMERSIVE_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_IMMERSIVE_PROCESSES, L"cbc0ff"); // Pink PhpAddIntegerSetting(SETTING_USE_COLOR_UI_ACCESS_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_UI_ACCESS_PROCESSES, L"00aaff"); // Orange PhpAddIntegerSetting(SETTING_USE_COLOR_PICO_PROCESSES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_PICO_PROCESSES, L"ff8000"); // Blue PhpAddIntegerSetting(SETTING_USE_COLOR_SUSPENDED, L"1"); PhpAddIntegerSetting(SETTING_COLOR_SUSPENDED, L"777777"); PhpAddIntegerSetting(SETTING_USE_COLOR_DOT_NET, L"1"); PhpAddIntegerSetting(SETTING_COLOR_DOT_NET, L"00ffde"); PhpAddIntegerSetting(SETTING_USE_COLOR_PACKED, L"1"); PhpAddIntegerSetting(SETTING_COLOR_PACKED, L"9314ff"); // Deep Pink PhpAddIntegerSetting(SETTING_USE_COLOR_LOW_IMAGE_COHERENCY, L"1"); PhpAddIntegerSetting(SETTING_COLOR_LOW_IMAGE_COHERENCY, L"ff14b9"); // Deep Purple PhpAddIntegerSetting(SETTING_USE_COLOR_PARTIALLY_SUSPENDED, L"0"); PhpAddIntegerSetting(SETTING_COLOR_PARTIALLY_SUSPENDED, L"c0c0c0"); PhpAddIntegerSetting(SETTING_USE_COLOR_GUI_THREADS, L"1"); PhpAddIntegerSetting(SETTING_COLOR_GUI_THREADS, L"77ffff"); PhpAddIntegerSetting(SETTING_USE_COLOR_RELOCATED_MODULES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_RELOCATED_MODULES, L"80c0ff"); PhpAddIntegerSetting(SETTING_USE_COLOR_PROTECTED_HANDLES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_PROTECTED_HANDLES, L"777777"); PhpAddIntegerSetting(SETTING_USE_COLOR_PROTECTED_INHERIT_HANDLES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_PROTECTED_INHERIT_HANDLES, L"c0c0c0"); PhpAddIntegerSetting(SETTING_USE_COLOR_PROTECTED_PROCESS, L"0"); PhpAddIntegerSetting(SETTING_COLOR_PROTECTED_PROCESS, L"ff8080"); PhpAddIntegerSetting(SETTING_USE_COLOR_INHERIT_HANDLES, L"1"); PhpAddIntegerSetting(SETTING_COLOR_INHERIT_HANDLES, L"ffff77"); PhpAddIntegerSetting(SETTING_USE_COLOR_EFFICIENCY_MODE, L"1"); PhpAddIntegerSetting(SETTING_COLOR_EFFICIENCY_MODE, L"80ff00"); PhpAddIntegerSetting(SETTING_USE_COLOR_SERVICE_DISABLED, L"1"); PhpAddIntegerSetting(SETTING_COLOR_SERVICE_DISABLED, L"6d6d6d"); // Dark grey PhpAddIntegerSetting(SETTING_USE_COLOR_SERVICE_STOP, L"1"); PhpAddIntegerSetting(SETTING_COLOR_SERVICE_STOP, L"6d6d6d"); // Dark grey PhpAddIntegerSetting(SETTING_USE_COLOR_UNKNOWN, L"1"); PhpAddIntegerSetting(SETTING_COLOR_UNKNOWN, L"8080ff"); // Light Red PhpAddIntegerSetting(SETTING_USE_COLOR_SYSTEM_THREAD_STACK, L"1"); PhpAddIntegerSetting(SETTING_COLOR_SYSTEM_THREAD_STACK, L"ffccaa"); PhpAddIntegerSetting(SETTING_USE_COLOR_USER_THREAD_STACK, L"1"); PhpAddIntegerSetting(SETTING_COLOR_USER_THREAD_STACK, L"aaffff"); PhpAddIntegerSetting(SETTING_USE_COLOR_INLINE_THREAD_STACK, L"1"); PhpAddIntegerSetting(SETTING_COLOR_INLINE_THREAD_STACK, L"00ffde"); PhpAddIntegerSetting(SETTING_GRAPH_SHOW_TEXT, L"1"); PhpAddIntegerSetting(SETTING_GRAPH_COLOR_MODE, L"0"); PhpAddIntegerSetting(SETTING_COLOR_CPU_KERNEL, L"00ff00"); PhpAddIntegerSetting(SETTING_COLOR_CPU_USER, L"0000ff"); PhpAddIntegerSetting(SETTING_COLOR_IO_READ_OTHER, L"00ffff"); PhpAddIntegerSetting(SETTING_COLOR_IO_WRITE, L"ff0077"); PhpAddIntegerSetting(SETTING_COLOR_PRIVATE, L"0077ff"); PhpAddIntegerSetting(SETTING_COLOR_PHYSICAL, L"ff8000"); // Blue PhpAddIntegerSetting(SETTING_COLOR_POWER_USAGE, L"00ff00"); PhpAddIntegerSetting(SETTING_COLOR_TEMPERATURE, L"0000ff"); PhpAddIntegerSetting(SETTING_COLOR_FAN_RPM, L"ff0077"); PhpAddIntegerSetting(SETTING_KSI_ENABLE, L"0"); PhpAddIntegerSetting(SETTING_KSI_ENABLE_WARNINGS, L"1"); PhpAddStringSetting(SETTING_KSI_SERVICE_NAME, L""); PhpAddStringSetting(SETTING_KSI_OBJECT_NAME, L""); PhpAddStringSetting(SETTING_KSI_PORT_NAME, L""); PhpAddStringSetting(SETTING_KSI_ALTITUDE, L""); PhpAddStringSetting(SETTING_KSI_SYSTEM_PROCESS_NAME, L""); PhpAddIntegerSetting(SETTING_KSI_DISABLE_IMAGE_LOAD_PROTECTION, L"0"); PhpAddIntegerSetting(SETTING_KSI_ENABLE_SPLASH_SCREEN, L"0"); PhpAddIntegerSetting(SETTING_KSI_ENABLE_LOAD_NATIVE, L"0"); PhpAddIntegerSetting(SETTING_KSI_ENABLE_LOAD_FILTER, L"0"); PhpAddIntegerSetting(SETTING_KSI_UNLOAD_ON_EXIT, L"0"); PhpAddIntegerSetting(SETTING_KSI_RANDOMIZED_POOL_TAG, L"0"); PhpAddIntegerSetting(SETTING_KSI_ENABLE_UNLOAD_PROTECTION, L"1"); PhpAddIntegerSetting(SETTING_KSI_DYN_DATA_NO_EMBEDDED, L"0"); PhpAddIntegerSetting(SETTING_KSI_DISABLE_SYSTEM_PROCESS, L"0"); PhpAddIntegerSetting(SETTING_KSI_DISABLE_THREAD_NAMES, L"0"); PhpAddIntegerSetting(SETTING_KSI_CLIENT_PROCESS_PROTECTION_LEVEL, L"0"); PhpAddStringSetting(SETTING_KSI_PREVIOUS_TEMPORARY_DRIVER_FILE, L""); PhpAddIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_OFFLOAD_READ, L"1"); // SUPPORTED_FS_FEATURES_OFFLOAD_READ PhpAddIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_OFFLOAD_WRITE, L"1"); // SUPPORTED_FS_FEATURES_OFFLOAD_WRITE PhpAddIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_QUERY_OPEN, L"1"); // SUPPORTED_FS_FEATURES_QUERY_OPEN PhpAddIntegerSetting(SETTING_KSI_ENABLE_FS_FEATURE_BYPASS_IO, L"1"); // SUPPORTED_FS_FEATURES_BYPASS_IO PhpAddIntegerSetting(SETTING_KSI_RING_BUFFER_LENGTH, L"10000000"); // bytes PhpAddIntegerSetting(SETTING_ENABLE_PROCESS_MONITOR, L"0"); PhpAddIntegerSetting(SETTING_PROCESS_MONITOR_LOOKBACK, L"1e"); PhpAddIntegerSetting(SETTING_PROCESS_MONITOR_CACHE_LIMIT, L"20000"); } VOID PhUpdateCachedSettings( VOID ) { PH_GET_INTEGER_CACHED_SETTING(ForceNoParent); PH_GET_INTEGER_CACHED_SETTING(HighlightingDuration); PH_GET_INTEGER_CACHED_SETTING(PropagateCpuUsage); PH_GET_INTEGER_CACHED_SETTING(ScrollToNewProcesses); PH_GET_INTEGER_CACHED_SETTING(ScrollToRemovedProcesses); PH_GET_INTEGER_CACHED_SETTING(SortChildProcesses); PH_GET_INTEGER_CACHED_SETTING(SortRootProcesses); PH_GET_INTEGER_CACHED_SETTING(ShowCpuBelow001); PH_GET_INTEGER_CACHED_SETTING(UpdateInterval); PH_GET_INTEGER_CACHED_SETTING(ColorNew); PH_GET_INTEGER_CACHED_SETTING(ColorRemoved); PH_GET_INTEGER_CACHED_SETTING(UseColorOwnProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorOwnProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorSystemProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorSystemProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorServiceProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorServiceProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorBackgroundProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorBackgroundProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorJobProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorJobProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorWow64Processes); PH_GET_INTEGER_CACHED_SETTING(ColorWow64Processes); PH_GET_INTEGER_CACHED_SETTING(UseColorDebuggedProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorDebuggedProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorHandleFiltered); PH_GET_INTEGER_CACHED_SETTING(ColorHandleFiltered); PH_GET_INTEGER_CACHED_SETTING(UseColorElevatedProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorElevatedProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorUIAccessProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorUIAccessProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorPicoProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorPicoProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorImmersiveProcesses); PH_GET_INTEGER_CACHED_SETTING(ColorImmersiveProcesses); PH_GET_INTEGER_CACHED_SETTING(UseColorSuspended); PH_GET_INTEGER_CACHED_SETTING(ColorSuspended); PH_GET_INTEGER_CACHED_SETTING(UseColorDotNet); PH_GET_INTEGER_CACHED_SETTING(ColorDotNet); PH_GET_INTEGER_CACHED_SETTING(UseColorPacked); PH_GET_INTEGER_CACHED_SETTING(ColorPacked); PH_GET_INTEGER_CACHED_SETTING(UseColorLowImageCoherency); PH_GET_INTEGER_CACHED_SETTING(ColorLowImageCoherency); PH_GET_INTEGER_CACHED_SETTING(UseColorPartiallySuspended); PH_GET_INTEGER_CACHED_SETTING(ColorPartiallySuspended); PH_GET_INTEGER_CACHED_SETTING(UseColorGuiThreads); PH_GET_INTEGER_CACHED_SETTING(ColorGuiThreads); PH_GET_INTEGER_CACHED_SETTING(UseColorRelocatedModules); PH_GET_INTEGER_CACHED_SETTING(ColorRelocatedModules); PH_GET_INTEGER_CACHED_SETTING(UseColorProtectedHandles); PH_GET_INTEGER_CACHED_SETTING(ColorProtectedHandles); PH_GET_INTEGER_CACHED_SETTING(UseColorProtectedInheritHandles); PH_GET_INTEGER_CACHED_SETTING(ColorProtectedInheritHandles); PH_GET_INTEGER_CACHED_SETTING(UseColorInheritHandles); PH_GET_INTEGER_CACHED_SETTING(ColorInheritHandles); PH_GET_INTEGER_CACHED_SETTING(ColorProtectedProcess); PH_GET_INTEGER_CACHED_SETTING(UseColorProtectedProcess); PH_GET_INTEGER_CACHED_SETTING(ColorEfficiencyMode); PH_GET_INTEGER_CACHED_SETTING(UseColorEfficiencyMode); PH_GET_INTEGER_CACHED_SETTING(UseColorServiceDisabled); PH_GET_INTEGER_CACHED_SETTING(ColorServiceDisabled); PH_GET_INTEGER_CACHED_SETTING(UseColorServiceStop); PH_GET_INTEGER_CACHED_SETTING(ColorServiceStop); PH_GET_INTEGER_CACHED_SETTING(UseColorUnknown); PH_GET_INTEGER_CACHED_SETTING(ColorUnknown); PH_GET_INTEGER_CACHED_SETTING(GraphShowText); PH_GET_INTEGER_CACHED_SETTING(GraphColorMode); PH_GET_INTEGER_CACHED_SETTING(ColorCpuKernel); PH_GET_INTEGER_CACHED_SETTING(ColorCpuUser); PH_GET_INTEGER_CACHED_SETTING(ColorIoReadOther); PH_GET_INTEGER_CACHED_SETTING(ColorIoWrite); PH_GET_INTEGER_CACHED_SETTING(ColorPrivate); PH_GET_INTEGER_CACHED_SETTING(ColorPhysical); PH_GET_INTEGER_CACHED_SETTING(ColorPowerUsage); PH_GET_INTEGER_CACHED_SETTING(ColorTemperature); PH_GET_INTEGER_CACHED_SETTING(ColorFanRpm); PH_GET_INTEGER_CACHED_SETTING(ImageCoherencyScanLevel); PH_GET_INTEGER_CACHED_SETTING(EnableAvxSupport); PH_GET_INTEGER_CACHED_SETTING(EnableGraphMaxScale); PH_GET_INTEGER_CACHED_SETTING(EnableGraphMaxText); PH_GET_INTEGER_CACHED_SETTING(EnableNetworkResolveDoH); PH_GET_INTEGER_CACHED_SETTING(EnableVersionSupport); PH_GET_INTEGER_CACHED_SETTING(EnableHandleSnapshot); PhEnableProcessMonitor = !!PhGetIntegerSetting(SETTING_ENABLE_PROCESS_MONITOR); PhProcessMonitorLookback = PhGetIntegerSetting(SETTING_PROCESS_MONITOR_LOOKBACK); PhProcessMonitorCacheLimit = PhGetIntegerSetting(SETTING_PROCESS_MONITOR_CACHE_LIMIT); } ================================================ FILE: SystemInformer/srvcr.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2013 * dmex 2019-2023 * */ #include #include #include #include #include INT_PTR CALLBACK PhpCreateServiceDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhShowCreateServiceDialog( _In_ HWND ParentWindowHandle ) { PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_CREATESERVICE), PhCsForceNoParent ? NULL : ParentWindowHandle, PhpCreateServiceDlgProc, NULL ); } INT_PTR CALLBACK PhpCreateServiceDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhSetApplicationWindowIcon(hwndDlg); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhAddComboBoxStringRefs(GetDlgItem(hwndDlg, IDC_TYPE), PhServiceTypeStrings, RTL_NUMBER_OF(PhServiceTypeStrings)); PhAddComboBoxStringRefs(GetDlgItem(hwndDlg, IDC_STARTTYPE), PhServiceStartTypeStrings, RTL_NUMBER_OF(PhServiceStartTypeStrings)); PhAddComboBoxStringRefs(GetDlgItem(hwndDlg, IDC_ERRORCONTROL), PhServiceErrorControlStrings, RTL_NUMBER_OF(PhServiceErrorControlStrings)); PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_TYPE), L"Own Process", FALSE); PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_STARTTYPE), L"Demand Start", FALSE); PhSelectComboBoxString(GetDlgItem(hwndDlg, IDC_ERRORCONTROL), L"Ignore", FALSE); if (!PhGetOwnTokenAttributes().Elevated) { Button_SetElevationRequiredState(GetDlgItem(hwndDlg, IDOK), TRUE); } PhSetDialogFocus(hwndDlg, GetDlgItem(hwndDlg, IDC_NAME)); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: { EndDialog(hwndDlg, IDCANCEL); } break; case IDOK: { NTSTATUS status; SC_HANDLE serviceHandle; PPH_STRING serviceName; PPH_STRING serviceDisplayName; PPH_STRING serviceTypeString; PPH_STRING serviceStartTypeString; PPH_STRING serviceErrorControlString; ULONG serviceType; ULONG serviceStartType; ULONG serviceErrorControl; PPH_STRING serviceBinaryPath; PPH_STRING serviceBinaryEscaped; serviceName = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_NAME))); serviceDisplayName = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_DISPLAYNAME))); serviceTypeString = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_TYPE))); serviceStartTypeString = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_STARTTYPE))); serviceErrorControlString = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_ERRORCONTROL))); serviceBinaryPath = PH_AUTO(PhGetWindowText(GetDlgItem(hwndDlg, IDC_BINARYPATH))); serviceType = PhGetServiceTypeInteger(&serviceTypeString->sr); serviceStartType = PhGetServiceStartTypeInteger(&serviceStartTypeString->sr); serviceErrorControl = PhGetServiceErrorControlInteger(&serviceErrorControlString->sr); if (PhIsNullOrEmptyString(serviceBinaryPath)) { PhShowError2(hwndDlg, L"Unable to create the service.", L"%s", L"The binary path is empty."); break; } if (!FlagOn(serviceType, SERVICE_DRIVER)) { serviceBinaryEscaped = PH_AUTO(PhCommandLineQuoteSpaces(&serviceBinaryPath->sr)); if (!PhIsNullOrEmptyString(serviceBinaryEscaped)) { serviceBinaryPath = serviceBinaryEscaped; } } if (PhGetOwnTokenAttributes().Elevated) { status = PhCreateService( &serviceHandle, PhGetString(serviceName), PhGetString(serviceDisplayName), SERVICE_QUERY_CONFIG, serviceType, serviceStartType, serviceErrorControl, PhGetString(serviceBinaryPath), NULL, L"" ); if (NT_SUCCESS(status)) { EndDialog(hwndDlg, IDOK); PhCloseServiceHandle(serviceHandle); } } else { if (PhUiConnectToPhSvc(hwndDlg, FALSE)) { status = PhSvcCallCreateService( PhGetString(serviceName), PhGetString(serviceDisplayName), serviceType, serviceStartType, serviceErrorControl, PhGetString(serviceBinaryPath), NULL, NULL, NULL, NULL, L"" ); PhUiDisconnectFromPhSvc(); if (NT_SUCCESS(status)) { EndDialog(hwndDlg, IDOK); } } else { // User cancelled elevation. status = STATUS_SUCCESS; } } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to create the service.", status, 0); } break; case IDC_BROWSE: { static PH_FILETYPE_FILTER filters[] = { { L"Executable files (*.exe;*.sys)", L"*.exe;*.sys" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; PPH_STRING fileName; fileDialog = PhCreateOpenFileDialog(); PhSetFileDialogFilter(fileDialog, filters, sizeof(filters) / sizeof(PH_FILETYPE_FILTER)); fileName = PhGetFileName(PhaGetDlgItemText(hwndDlg, IDC_BINARYPATH)); PhSetFileDialogFileName(fileDialog, fileName->Buffer); PhDereferenceObject(fileName); if (PhShowFileDialog(hwndDlg, fileDialog)) { fileName = PhGetFileDialogFileName(fileDialog); PhSetDialogItemText(hwndDlg, IDC_BINARYPATH, fileName->Buffer); PhDereferenceObject(fileName); } PhFreeFileDialog(fileDialog); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } ================================================ FILE: SystemInformer/srvctl.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include typedef struct _PH_SERVICES_CONTEXT { PPH_SERVICE_ITEM *Services; ULONG NumberOfServices; PH_CALLBACK_REGISTRATION ModifiedEventRegistration; PWSTR ListViewSettingName; PH_LAYOUT_MANAGER LayoutManager; HWND WindowHandle; HWND ListViewHandle; HFONT TreeNewFont; } PH_SERVICES_CONTEXT, *PPH_SERVICES_CONTEXT; #define WM_PH_SERVICE_PAGE_MODIFIED (WM_APP + 106) INT_PTR CALLBACK PhpServicesPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); /** * Creates a service list property page. * * \param ParentWindowHandle The parent of the service list. * \param Services An array of service items. Each * service item must have a reference that is transferred * to this function. The array must be allocated using * PhAllocate() and must not be freed by the caller; it * will be freed automatically when no longer needed. * \param NumberOfServices The number of service items * in \a Services. */ HWND PhCreateServiceListControl( _In_ HWND ParentWindowHandle, _In_ PPH_SERVICE_ITEM *Services, _In_ ULONG NumberOfServices ) { HWND windowHandle; PPH_SERVICES_CONTEXT servicesContext; servicesContext = PhAllocateZero(sizeof(PH_SERVICES_CONTEXT)); servicesContext->Services = Services; servicesContext->NumberOfServices = NumberOfServices; windowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_SRVLIST), ParentWindowHandle, PhpServicesPageProc, servicesContext ); if (!windowHandle) { PhFree(servicesContext); return windowHandle; } return windowHandle; } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhServiceListModifiedHandler( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_SERVICE_MODIFIED_DATA serviceModifiedData = (PPH_SERVICE_MODIFIED_DATA)Parameter; PPH_SERVICES_CONTEXT servicesContext = (PPH_SERVICES_CONTEXT)Context; PPH_SERVICE_MODIFIED_DATA copy; copy = PhAllocateCopy(serviceModifiedData, sizeof(PH_SERVICE_MODIFIED_DATA)); PostMessage(servicesContext->WindowHandle, WM_PH_SERVICE_PAGE_MODIFIED, 0, (LPARAM)copy); } VOID PhpFixProcessServicesControls( _In_ HWND hWnd, _In_opt_ PPH_SERVICE_ITEM ServiceItem ) { HWND startButton; HWND pauseButton; HWND descriptionLabel; startButton = GetDlgItem(hWnd, IDC_START); pauseButton = GetDlgItem(hWnd, IDC_PAUSE); descriptionLabel = GetDlgItem(hWnd, IDC_DESCRIPTION); if (ServiceItem) { SC_HANDLE serviceHandle; PPH_STRING description; switch (ServiceItem->State) { case SERVICE_RUNNING: { PhSetWindowText(startButton, L"S&top"); PhSetWindowText(pauseButton, L"&Pause"); EnableWindow(startButton, ServiceItem->ControlsAccepted & SERVICE_ACCEPT_STOP); EnableWindow(pauseButton, ServiceItem->ControlsAccepted & SERVICE_ACCEPT_PAUSE_CONTINUE); } break; case SERVICE_PAUSED: { PhSetWindowText(startButton, L"S&top"); PhSetWindowText(pauseButton, L"C&ontinue"); EnableWindow(startButton, ServiceItem->ControlsAccepted & SERVICE_ACCEPT_STOP); EnableWindow(pauseButton, ServiceItem->ControlsAccepted & SERVICE_ACCEPT_PAUSE_CONTINUE); } break; case SERVICE_STOPPED: { PhSetWindowText(startButton, L"&Start"); PhSetWindowText(pauseButton, L"&Pause"); EnableWindow(startButton, TRUE); EnableWindow(pauseButton, FALSE); } break; case SERVICE_START_PENDING: case SERVICE_CONTINUE_PENDING: case SERVICE_PAUSE_PENDING: case SERVICE_STOP_PENDING: { PhSetWindowText(startButton, L"&Start"); PhSetWindowText(pauseButton, L"&Pause"); EnableWindow(startButton, FALSE); EnableWindow(pauseButton, FALSE); } break; } if (NT_SUCCESS(PhOpenService(&serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(ServiceItem->Name)))) { if (description = PhGetServiceDescription(serviceHandle)) { PhSetWindowText(descriptionLabel, description->Buffer); PhDereferenceObject(description); } PhCloseServiceHandle(serviceHandle); } } else { PhSetWindowText(startButton, L"&Start"); PhSetWindowText(pauseButton, L"&Pause"); EnableWindow(startButton, FALSE); EnableWindow(pauseButton, FALSE); PhSetWindowText(descriptionLabel, L""); } } INT_PTR CALLBACK PhpServicesPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_SERVICES_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PPH_SERVICES_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); if (PhTreeWindowFont) { context->TreeNewFont = PhDuplicateFont(PhTreeWindowFont); SetWindowFont(context->ListViewHandle, context->TreeNewFont, FALSE); } PhSetListViewStyle(context->ListViewHandle, TRUE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 120, L"Name"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 220, L"Display name"); PhAddListViewColumn(context->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 220, L"File name"); PhSetExtendedListView(context->ListViewHandle); for (ULONG i = 0; i < context->NumberOfServices; i++) { SC_HANDLE serviceHandle; PPH_SERVICE_ITEM serviceItem; LONG lvItemIndex; serviceItem = context->Services[i]; lvItemIndex = PhAddListViewItem(context->ListViewHandle, MAXINT, serviceItem->Name->Buffer, serviceItem); PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 1, serviceItem->DisplayName->Buffer); if (NT_SUCCESS(PhOpenService(&serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(serviceItem->Name)))) { PPH_STRING fileName; if (NT_SUCCESS(PhGetServiceHandleFileName(serviceHandle, &serviceItem->Name->sr, &fileName))) { PhSetListViewSubItem(context->ListViewHandle, lvItemIndex, 2, PhGetStringOrEmpty(fileName)); PhDereferenceObject(fileName); } PhCloseServiceHandle(serviceHandle); } } ExtendedListView_SortItems(context->ListViewHandle); if (context->NumberOfServices > 0) { SetFocus(context->ListViewHandle); ListView_SetItemState(context->ListViewHandle, 0, LVNI_SELECTED, LVNI_SELECTED); ListView_EnsureVisible(context->ListViewHandle, 0, FALSE); PhpFixProcessServicesControls(hwndDlg, context->Services[0]); } else { PhpFixProcessServicesControls(hwndDlg, NULL); } PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_DESCRIPTION), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_START), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_PAUSE), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackServiceProviderModifiedEvent), PhServiceListModifiedHandler, context, &context->ModifiedEventRegistration ); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhUnregisterCallback( PhGetGeneralCallback(GeneralCallbackServiceProviderModifiedEvent), &context->ModifiedEventRegistration ); PhDeleteLayoutManager(&context->LayoutManager); if (context->TreeNewFont) DeleteFont(context->TreeNewFont); if (context->ListViewSettingName) PhSaveListViewColumnsToSetting(context->ListViewSettingName, context->ListViewHandle); for (ULONG i = 0; i < context->NumberOfServices; i++) PhDereferenceObject(context->Services[i]); PhFree(context->Services); PhFree(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_START: { PPH_SERVICE_ITEM serviceItem = PhGetSelectedListViewItemParam(context->ListViewHandle); if (serviceItem) { switch (serviceItem->State) { case SERVICE_RUNNING: PhUiStopService(hwndDlg, serviceItem); break; case SERVICE_PAUSED: PhUiStopService(hwndDlg, serviceItem); break; case SERVICE_STOPPED: PhUiStartService(hwndDlg, serviceItem); break; } } } break; case IDC_PAUSE: { PPH_SERVICE_ITEM serviceItem = PhGetSelectedListViewItemParam(context->ListViewHandle); if (serviceItem) { switch (serviceItem->State) { case SERVICE_RUNNING: PhUiPauseService(hwndDlg, serviceItem); break; case SERVICE_PAUSED: PhUiContinueService(hwndDlg, serviceItem); break; } } } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; PhHandleListViewNotifyBehaviors(lParam, context->ListViewHandle, PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); switch (header->code) { case NM_DBLCLK: { if (header->hwndFrom == context->ListViewHandle) { PPH_SERVICE_ITEM serviceItem = PhGetSelectedListViewItemParam(context->ListViewHandle); if (serviceItem) { PhShowServiceProperties(hwndDlg, serviceItem); } } } break; case LVN_ITEMCHANGED: { if (header->hwndFrom == context->ListViewHandle) { //LPNMITEMACTIVATE itemActivate = (LPNMITEMACTIVATE)header; PPH_SERVICE_ITEM serviceItem = NULL; if (ListView_GetSelectedCount(context->ListViewHandle) == 1) serviceItem = PhGetSelectedListViewItemParam(context->ListViewHandle); PhpFixProcessServicesControls(hwndDlg, serviceItem); } } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_PH_SERVICE_PAGE_MODIFIED: { PPH_SERVICE_MODIFIED_DATA serviceModifiedData = (PPH_SERVICE_MODIFIED_DATA)lParam; PPH_SERVICE_ITEM serviceItem = NULL; if (ListView_GetSelectedCount(context->ListViewHandle) == 1) serviceItem = PhGetSelectedListViewItemParam(context->ListViewHandle); if (serviceModifiedData->ServiceItem == serviceItem) { PhpFixProcessServicesControls(hwndDlg, serviceItem); } PhFree(serviceModifiedData); } break; case WM_PH_SET_LIST_VIEW_SETTINGS: { PWSTR settingName = (PWSTR)lParam; context->ListViewSettingName = settingName; PhLoadListViewColumnsFromSetting(settingName, context->ListViewHandle); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"Go to service", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhServiceListInsertContextMenu(hwndDlg, menu, (PPH_SERVICE_ITEM*)listviewItems, numberOfItems); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case 1: { SetForegroundWindow(PhMwpServiceTreeNewHandle); SystemInformer_SelectTabPage(1); SetFocus(PhMwpServiceTreeNewHandle); SystemInformer_SelectServiceItem((PPH_SERVICE_ITEM)listviewItems[0]); } break; case ID_SERVICE_GOTOPROCESS: { PPH_SERVICE_ITEM serviceItem = (PPH_SERVICE_ITEM)listviewItems[0]; PPH_PROCESS_NODE processNode; if (serviceItem) { if (processNode = PhFindProcessNode(serviceItem->ProcessId)) { SetForegroundWindow(PhMwpProcessTreeNewHandle); SystemInformer_SelectTabPage(0); SetFocus(PhMwpProcessTreeNewHandle); PhSelectAndEnsureVisibleProcessNode(processNode); } else { PhShowStatus(hwndDlg, L"The process does not exist.", STATUS_INVALID_CID, 0); } } } break; case ID_SERVICE_START: { PPH_SERVICE_ITEM* serviceItems = (PPH_SERVICE_ITEM*)listviewItems; ULONG numberOfServiceItems = numberOfItems; PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiStartServices(hwndDlg, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); } break; case ID_SERVICE_CONTINUE: { PPH_SERVICE_ITEM* serviceItems = (PPH_SERVICE_ITEM*)listviewItems; ULONG numberOfServiceItems = numberOfItems; PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiContinueServices(hwndDlg, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); } break; case ID_SERVICE_PAUSE: { PPH_SERVICE_ITEM* serviceItems = (PPH_SERVICE_ITEM*)listviewItems; ULONG numberOfServiceItems = numberOfItems; PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiPauseServices(hwndDlg, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); } break; case ID_SERVICE_STOP: { PPH_SERVICE_ITEM* serviceItems = (PPH_SERVICE_ITEM*)listviewItems; ULONG numberOfServiceItems = numberOfItems; PhReferenceObjects(serviceItems, numberOfServiceItems); PhUiStopServices(hwndDlg, serviceItems, numberOfServiceItems); PhDereferenceObjects(serviceItems, numberOfServiceItems); } break; case ID_SERVICE_DELETE: { PPH_SERVICE_ITEM serviceItem = (PPH_SERVICE_ITEM)listviewItems[0]; if (serviceItem) { PhReferenceObject(serviceItem); if (PhUiDeleteService(hwndDlg, serviceItem)) { LONG lvItemIndex; lvItemIndex = PhFindListViewItemByFlags(context->ListViewHandle, INT_ERROR, LVNI_SELECTED); if (lvItemIndex != INT_ERROR) { PhRemoveListViewItem(context->ListViewHandle, lvItemIndex); } } PhDereferenceObject(serviceItem); } } break; case ID_SERVICE_OPENKEY: { PPH_SERVICE_ITEM serviceItem = (PPH_SERVICE_ITEM)listviewItems[0]; if (serviceItem) { HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_READ, &serviceItem->Name->sr ))) { PPH_STRING hklmServiceKeyName; if (NT_SUCCESS(PhQueryObjectName(keyHandle, &hklmServiceKeyName))) { PhMoveReference(&hklmServiceKeyName, PhFormatNativeKeyName(hklmServiceKeyName)); PhShellOpenKey2(hwndDlg, hklmServiceKeyName); PhDereferenceObject(hklmServiceKeyName); } else { PhShowStatus(hwndDlg, L"The service does not exist.", STATUS_OBJECT_NAME_NOT_FOUND, 0); } NtClose(keyHandle); } else { PhShowStatus(hwndDlg, L"The service does not exist.", STATUS_OBJECT_NAME_NOT_FOUND, 0); } } } break; case ID_SERVICE_OPENFILELOCATION: { PPH_SERVICE_ITEM serviceItem = (PPH_SERVICE_ITEM)listviewItems[0]; NTSTATUS status; SC_HANDLE serviceHandle; if (serviceItem) { status = PhOpenService(&serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(serviceItem->Name)); if (NT_SUCCESS(status)) { PPH_STRING fileName; status = PhGetServiceHandleFileName(serviceHandle, &serviceItem->Name->sr, &fileName); if (NT_SUCCESS(status)) { PhShellExecuteUserString( hwndDlg, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(fileName), FALSE, L"Make sure the Explorer executable file is present." ); PhDereferenceObject(fileName); } else { PhShowStatus(hwndDlg, L"Unable to locate the file.", status, 0); } PhCloseServiceHandle(serviceHandle); } else { PhShowStatus(hwndDlg, L"Unable to locate the file.", status, 0); } } } break; case ID_SERVICE_PROPERTIES: { PPH_SERVICE_ITEM serviceItem = listviewItems[0]; if (serviceItem) { // The object relies on the list view reference, which could // disappear if we don't reference the object here. PhReferenceObject(serviceItem); PhShowServiceProperties(hwndDlg, serviceItem); PhDereferenceObject(serviceItem); } } break; case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; } return FALSE; } ================================================ FILE: SystemInformer/srvlist.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpServiceNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpServiceNodeHashtableHashFunction( _In_ PVOID Entry ); VOID PhpRemoveServiceNode( _In_ PPH_SERVICE_NODE ServiceNode, _In_opt_ PVOID Context ); _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpServiceTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); BOOLEAN NTAPI PhpServiceTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_opt_ PVOID Context ); static HWND ServiceTreeListHandle; static ULONG ServiceTreeListSortColumn; static PH_SORT_ORDER ServiceTreeListSortOrder; static PH_CM_MANAGER ServiceTreeListCm; static PPH_HASHTABLE ServiceNodeHashtable; // hashtable of all nodes static PPH_LIST ServiceNodeList; // list of all nodes static PH_TN_FILTER_SUPPORT FilterSupport; BOOLEAN PhServiceTreeListStateHighlighting = TRUE; static PPH_POINTER_LIST ServiceNodeStateList = NULL; // list of nodes which need to be processed VOID PhServiceTreeListInitialization( VOID ) { ServiceNodeHashtable = PhCreateHashtable( sizeof(PPH_SERVICE_NODE), PhpServiceNodeHashtableEqualFunction, PhpServiceNodeHashtableHashFunction, 100 ); ServiceNodeList = PhCreateList(100); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpServiceNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_SERVICE_NODE serviceNode1 = *(PPH_SERVICE_NODE *)Entry1; PPH_SERVICE_NODE serviceNode2 = *(PPH_SERVICE_NODE *)Entry2; return serviceNode1->ServiceItem == serviceNode2->ServiceItem; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpServiceNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashIntPtr((ULONG_PTR)(*(PPH_SERVICE_NODE *)Entry)->ServiceItem); } VOID PhInitializeServiceTreeList( _In_ HWND hwnd ) { ServiceTreeListHandle = hwnd; TreeNew_SetRedraw(hwnd, FALSE); PhSetControlTheme(ServiceTreeListHandle, L"explorer"); TreeNew_SetCallback(hwnd, PhpServiceTreeNewCallback, NULL); TreeNew_SetImageList(hwnd, PhProcessSmallImageList); // Default columns PhAddTreeNewColumn(hwnd, PHSVTLC_NAME, TRUE, L"Name", 140, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_PID, TRUE, L"PID", 50, PH_ALIGN_RIGHT, 1, DT_RIGHT); PhAddTreeNewColumn(hwnd, PHSVTLC_DISPLAYNAME, TRUE, L"Display name", 220, PH_ALIGN_LEFT, 2, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_TYPE, TRUE, L"Type", 100, PH_ALIGN_LEFT, 3, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_STATUS, TRUE, L"Status", 70, PH_ALIGN_LEFT, 4, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_STARTTYPE, TRUE, L"Start type", 130, PH_ALIGN_LEFT, 5, 0); // Customizable columns PhAddTreeNewColumn(hwnd, PHSVTLC_BINARYPATH, FALSE, L"Binary path", 180, PH_ALIGN_LEFT, ULONG_MAX, DT_PATH_ELLIPSIS); PhAddTreeNewColumn(hwnd, PHSVTLC_ERRORCONTROL, FALSE, L"Error control", 70, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_GROUP, FALSE, L"Group", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_DESCRIPTION, FALSE, L"Description", 200, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(hwnd, PHSVTLC_KEYMODIFIEDTIME, FALSE, L"Key modified time", 140, PH_ALIGN_LEFT, ULONG_MAX, 0, TRUE); PhAddTreeNewColumn(hwnd, PHSVTLC_VERIFICATIONSTATUS, FALSE, L"Verification status", 70, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_VERIFIEDSIGNER, FALSE, L"Verified signer", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(hwnd, PHSVTLC_FILENAME, FALSE, L"File name", 100, PH_ALIGN_LEFT, ULONG_MAX, DT_PATH_ELLIPSIS); PhAddTreeNewColumnEx2(hwnd, PHSVTLC_TIMELINE, FALSE, L"Timeline", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumn(hwnd, PHSVTLC_EXITCODE, FALSE, L"Exit code", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhCmInitializeManager(&ServiceTreeListCm, hwnd, PHSVTLC_MAXIMUM, PhpServiceTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&FilterSupport, hwnd, ServiceNodeList); TreeNew_SetTriState(hwnd, TRUE); TreeNew_SetRedraw(hwnd, TRUE); if (PhPluginsEnabled) { PH_PLUGIN_TREENEW_INFORMATION treeNewInfo; treeNewInfo.TreeNewHandle = hwnd; treeNewInfo.CmData = &ServiceTreeListCm; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServiceTreeNewInitializing), &treeNewInfo); } } VOID PhLoadSettingsServiceTreeList( VOID ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhGetStringSetting(SETTING_SERVICE_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_SERVICE_TREE_LIST_SORT); PhCmLoadSettingsEx(ServiceTreeListHandle, &ServiceTreeListCm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); if (PhGetIntegerSetting(SETTING_ENABLE_INSTANT_TOOLTIPS)) SendMessage(TreeNew_GetTooltips(ServiceTreeListHandle), TTM_SETDELAYTIME, TTDT_INITIAL, 0); else SendMessage(TreeNew_GetTooltips(ServiceTreeListHandle), TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); } VOID PhSaveSettingsServiceTreeList( VOID ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(ServiceTreeListHandle, &ServiceTreeListCm, 0, &sortSettings); PhSetStringSetting2(SETTING_SERVICE_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_SERVICE_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } struct _PH_TN_FILTER_SUPPORT *PhGetFilterSupportServiceTreeList( VOID ) { return &FilterSupport; } PPH_SERVICE_NODE PhAddServiceNode( _In_ PPH_SERVICE_ITEM ServiceItem, _In_ ULONG RunId ) { PPH_SERVICE_NODE serviceNode; serviceNode = PhAllocate(PhEmGetObjectSize(EmServiceNodeType, sizeof(PH_SERVICE_NODE))); memset(serviceNode, 0, sizeof(PH_SERVICE_NODE)); PhInitializeTreeNewNode(&serviceNode->Node); if (PhServiceTreeListStateHighlighting && RunId != 1) { PhChangeShStateTn( &serviceNode->Node, &serviceNode->ShState, &ServiceNodeStateList, NewItemState, PhCsColorNew, NULL ); } serviceNode->ServiceItem = ServiceItem; PhReferenceObject(ServiceItem); memset(serviceNode->TextCache, 0, sizeof(PH_STRINGREF) * PHSVTLC_MAXIMUM); serviceNode->Node.TextCache = serviceNode->TextCache; serviceNode->Node.TextCacheSize = PHSVTLC_MAXIMUM; PhAddEntryHashtable(ServiceNodeHashtable, &serviceNode); PhAddItemList(ServiceNodeList, serviceNode); if (FilterSupport.FilterList) serviceNode->Node.Visible = PhApplyTreeNewFiltersToNode(&FilterSupport, &serviceNode->Node); PhEmCallObjectOperation(EmServiceNodeType, serviceNode, EmObjectCreate); TreeNew_NodesStructured(ServiceTreeListHandle); return serviceNode; } PPH_SERVICE_NODE PhFindServiceNode( _In_ PPH_SERVICE_ITEM ServiceItem ) { PH_SERVICE_NODE lookupServiceNode; PPH_SERVICE_NODE lookupServiceNodePtr = &lookupServiceNode; PPH_SERVICE_NODE *serviceNode; lookupServiceNode.ServiceItem = ServiceItem; serviceNode = (PPH_SERVICE_NODE *)PhFindEntryHashtable( ServiceNodeHashtable, &lookupServiceNodePtr ); if (serviceNode) return *serviceNode; else return NULL; } VOID PhRemoveServiceNode( _In_ PPH_SERVICE_NODE ServiceNode ) { // Remove from the hashtable here to avoid problems in case the key is re-used. PhRemoveEntryHashtable(ServiceNodeHashtable, &ServiceNode); if (PhServiceTreeListStateHighlighting) { PhChangeShStateTn( &ServiceNode->Node, &ServiceNode->ShState, &ServiceNodeStateList, RemovingItemState, PhCsColorRemoved, ServiceTreeListHandle ); } else { PhpRemoveServiceNode(ServiceNode, NULL); } } VOID PhpRemoveServiceNode( _In_ PPH_SERVICE_NODE ServiceNode, _In_opt_ PVOID Context ) { ULONG index; PhEmCallObjectOperation(EmServiceNodeType, ServiceNode, EmObjectDelete); // Remove from list and cleanup. if ((index = PhFindItemList(ServiceNodeList, ServiceNode)) != ULONG_MAX) PhRemoveItemList(ServiceNodeList, index); PhClearReference(&ServiceNode->BinaryPath); PhClearReference(&ServiceNode->LoadOrderGroup); PhClearReference(&ServiceNode->Description); PhClearReference(&ServiceNode->TooltipText); PhClearReference(&ServiceNode->KeyModifiedTimeText); PhClearReference(&ServiceNode->ExitCodeText); PhDereferenceObject(ServiceNode->ServiceItem); PhFree(ServiceNode); TreeNew_NodesStructured(ServiceTreeListHandle); } VOID PhUpdateServiceNode( _In_ PPH_SERVICE_NODE ServiceNode ) { memset(ServiceNode->TextCache, 0, sizeof(PH_STRINGREF) * PHSVTLC_MAXIMUM); PhClearReference(&ServiceNode->TooltipText); ServiceNode->ValidMask = 0; PhInvalidateTreeNewNode(&ServiceNode->Node, TN_CACHE_ICON); TreeNew_InvalidateNode(ServiceTreeListHandle, &ServiceNode->Node); } VOID PhTickServiceNodes( VOID ) { if (ServiceTreeListSortOrder != NoSortOrder) { // Force a rebuild to sort the items. TreeNew_NodesStructured(ServiceTreeListHandle); } PH_TICK_SH_STATE_TN(PH_SERVICE_NODE, ShState, ServiceNodeStateList, PhpRemoveServiceNode, PhCsHighlightingDuration, ServiceTreeListHandle, TRUE, NULL, NULL); } static VOID PhpUpdateServiceNodeConfig( _Inout_ PPH_SERVICE_NODE ServiceNode ) { if (!FlagOn(ServiceNode->ValidMask, PHSN_CONFIG)) { SC_HANDLE serviceHandle; LPQUERY_SERVICE_CONFIG serviceConfig; if (NT_SUCCESS(PhOpenService(&serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(ServiceNode->ServiceItem->Name)))) { if (NT_SUCCESS(PhGetServiceConfig(serviceHandle, &serviceConfig))) { if (serviceConfig->lpBinaryPathName) PhMoveReference(&ServiceNode->BinaryPath, PhCreateString(serviceConfig->lpBinaryPathName)); if (serviceConfig->lpLoadOrderGroup) PhMoveReference(&ServiceNode->LoadOrderGroup, PhCreateString(serviceConfig->lpLoadOrderGroup)); PhFree(serviceConfig); } PhCloseServiceHandle(serviceHandle); } SetFlag(ServiceNode->ValidMask, PHSN_CONFIG); } } static VOID PhpUpdateServiceNodeDescription( _Inout_ PPH_SERVICE_NODE ServiceNode ) { if (!FlagOn(ServiceNode->ValidMask, PHSN_DESCRIPTION)) { PhSwapReference( &ServiceNode->Description, PhGetServiceDescriptionKey(&ServiceNode->ServiceItem->Name->sr) ); SetFlag(ServiceNode->ValidMask, PHSN_DESCRIPTION); } // NOTE: Querying the service description via RPC is extremely slow. (dmex) //SC_HANDLE serviceHandle; // //if (serviceHandle = PhOpenService(ServiceNode->ServiceItem->Name->Buffer, SERVICE_QUERY_CONFIG)) //{ // PhMoveReference(&ServiceNode->Description, PhGetServiceDescription(serviceHandle)); // CloseServiceHandle(serviceHandle); //} } static VOID PhpUpdateServiceNodeKey( _Inout_ PPH_SERVICE_NODE ServiceNode ) { if (!FlagOn(ServiceNode->ValidMask, PHSN_KEY)) { HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_QUERY_VALUE, &ServiceNode->ServiceItem->Name->sr ))) { LARGE_INTEGER lastWriteTime; if (NT_SUCCESS(PhQueryKeyLastWriteTime(keyHandle, &lastWriteTime))) { ServiceNode->KeyLastWriteTime = lastWriteTime; } NtClose(keyHandle); } else { RtlZeroMemory(&ServiceNode->KeyLastWriteTime, sizeof(ServiceNode->KeyLastWriteTime)); } SetFlag(ServiceNode->ValidMask, PHSN_KEY); } } #define SORT_FUNCTION(Column) PhpServiceTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpServiceTreeNewCompare##Column( \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_SERVICE_NODE node1 = *(PPH_SERVICE_NODE *)_elem1; \ PPH_SERVICE_NODE node2 = *(PPH_SERVICE_NODE *)_elem2; \ PPH_SERVICE_ITEM serviceItem1 = node1->ServiceItem; \ PPH_SERVICE_ITEM serviceItem2 = node2->ServiceItem; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = PhCompareString(serviceItem1->Name, serviceItem2->Name, TRUE); \ \ return PhModifySort(sortResult, ServiceTreeListSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpServiceTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { PPH_SERVICE_NODE node1 = (PPH_SERVICE_NODE)Node1; PPH_SERVICE_NODE node2 = (PPH_SERVICE_NODE)Node2; PPH_SERVICE_ITEM serviceItem1 = node1->ServiceItem; PPH_SERVICE_ITEM serviceItem2 = node2->ServiceItem; if (Result == 0) Result = PhCompareString(serviceItem1->Name, serviceItem2->Name, TRUE); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareString(serviceItem1->Name, serviceItem2->Name, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Pid) { sortResult = uintptrcmp((ULONG_PTR)serviceItem1->ProcessId, (ULONG_PTR)serviceItem2->ProcessId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(DisplayName) { sortResult = PhCompareStringWithNull(serviceItem1->DisplayName, serviceItem2->DisplayName, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Type) { sortResult = uintcmp(serviceItem1->Type, serviceItem2->Type); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Status) { sortResult = uintcmp(serviceItem1->State, serviceItem2->State); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StartType) { sortResult = uintcmp(serviceItem1->StartType, serviceItem2->StartType); if (sortResult == 0) sortResult = ucharcmp(serviceItem1->DelayedStart, serviceItem2->DelayedStart); if (sortResult == 0) sortResult = ucharcmp(serviceItem1->HasTriggers, serviceItem2->HasTriggers); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(BinaryPath) { PhpUpdateServiceNodeConfig(node1); PhpUpdateServiceNodeConfig(node2); sortResult = PhCompareStringWithNullSortOrder(node1->BinaryPath, node2->BinaryPath, ServiceTreeListSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ErrorControl) { sortResult = uintcmp(serviceItem1->ErrorControl, serviceItem2->ErrorControl); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Group) { PhpUpdateServiceNodeConfig(node1); PhpUpdateServiceNodeConfig(node2); sortResult = PhCompareStringWithNullSortOrder(node1->LoadOrderGroup, node2->LoadOrderGroup, ServiceTreeListSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Description) { PhpUpdateServiceNodeDescription(node1); PhpUpdateServiceNodeDescription(node2); sortResult = PhCompareStringWithNullSortOrder(node1->Description, node2->Description, ServiceTreeListSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(KeyModifiedTime) { PhpUpdateServiceNodeKey(node1); PhpUpdateServiceNodeKey(node2); sortResult = int64cmp(node1->KeyLastWriteTime.QuadPart, node2->KeyLastWriteTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(VerificationStatus) { sortResult = uintcmp(serviceItem1->VerifyResult, serviceItem2->VerifyResult); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(VerifiedSigner) { sortResult = PhCompareStringWithNullSortOrder( serviceItem1->VerifySignerName, serviceItem2->VerifySignerName, ServiceTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileName) { sortResult = PhCompareStringWithNullSortOrder( serviceItem1->FileName, serviceItem2->FileName, ServiceTreeListSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ExitCode) { sortResult = uintcmp(serviceItem1->Win32ExitCode, serviceItem2->Win32ExitCode); } END_SORT_FUNCTION BOOLEAN NTAPI PhpServiceTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_opt_ PVOID Context ) { PPH_SERVICE_NODE node; if (PhCmForwardMessage(hwnd, Message, Parameter1, Parameter2, &ServiceTreeListCm)) return TRUE; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; if (!getChildren->Node) { static PVOID sortFunctions[] = { SORT_FUNCTION(Name), SORT_FUNCTION(Pid), SORT_FUNCTION(DisplayName), SORT_FUNCTION(Type), SORT_FUNCTION(Status), SORT_FUNCTION(StartType), SORT_FUNCTION(BinaryPath), SORT_FUNCTION(ErrorControl), SORT_FUNCTION(Group), SORT_FUNCTION(Description), SORT_FUNCTION(KeyModifiedTime), SORT_FUNCTION(VerificationStatus), SORT_FUNCTION(VerifiedSigner), SORT_FUNCTION(FileName), SORT_FUNCTION(KeyModifiedTime), // Timeline SORT_FUNCTION(ExitCode), }; int (__cdecl *sortFunction)(const void *, const void *); static_assert(RTL_NUMBER_OF(sortFunctions) == PHSVTLC_MAXIMUM, "SortFunctions must equal maximum."); if (!PhCmForwardSort( (PPH_TREENEW_NODE *)ServiceNodeList->Items, ServiceNodeList->Count, ServiceTreeListSortColumn, ServiceTreeListSortOrder, &ServiceTreeListCm )) { if (ServiceTreeListSortColumn < PHSVTLC_MAXIMUM) sortFunction = sortFunctions[ServiceTreeListSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort(ServiceNodeList->Items, ServiceNodeList->Count, sizeof(PVOID), sortFunction); } } getChildren->Children = (PPH_TREENEW_NODE *)ServiceNodeList->Items; getChildren->NumberOfChildren = ServiceNodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PPH_SERVICE_ITEM serviceItem; node = (PPH_SERVICE_NODE)getCellText->Node; serviceItem = node->ServiceItem; switch (getCellText->Id) { case PHSVTLC_NAME: getCellText->Text = PhGetStringRef(serviceItem->Name); break; case PHSVTLC_PID: { if (PH_IS_REAL_PROCESS_ID(serviceItem->ProcessId)) { PhInitializeStringRefLongHint(&getCellText->Text, serviceItem->ProcessIdString); } } break; case PHSVTLC_DISPLAYNAME: getCellText->Text = PhGetStringRef(serviceItem->DisplayName); break; case PHSVTLC_TYPE: { PCPH_STRINGREF string; string = PhGetServiceTypeString(serviceItem->Type); getCellText->Text.Buffer = string->Buffer; getCellText->Text.Length = string->Length; } break; case PHSVTLC_STATUS: { PCPH_STRINGREF string; string = PhGetServiceStateString(serviceItem->State); getCellText->Text.Buffer = string->Buffer; getCellText->Text.Length = string->Length; } break; case PHSVTLC_STARTTYPE: { PH_FORMAT format[2]; PCPH_STRINGREF string; PWSTR additional = NULL; SIZE_T returnLength; string = PhGetServiceStartTypeString(serviceItem->StartType); format[0].Type = StringFormatType; format[0].u.String.Buffer = string->Buffer; format[0].u.String.Length = string->Length; //PhInitFormatSR(&format[0], PhGetServiceStartTypeString(serviceItem->StartType)); if (serviceItem->StartType == SERVICE_DISABLED) additional = NULL; else if (serviceItem->DelayedStart && serviceItem->HasTriggers) additional = L" (delayed, trigger)"; else if (serviceItem->DelayedStart) additional = L" (delayed)"; else if (serviceItem->HasTriggers) additional = L" (trigger)"; if (additional) PhInitFormatS(&format[1], additional); if (PhFormatToBuffer(format, 1 + (additional ? 1 : 0), node->StartTypeText, sizeof(node->StartTypeText), &returnLength)) { getCellText->Text.Buffer = node->StartTypeText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } break; case PHSVTLC_BINARYPATH: { PhpUpdateServiceNodeConfig(node); getCellText->Text = PhGetStringRef(node->BinaryPath); } break; case PHSVTLC_ERRORCONTROL: { PCPH_STRINGREF string; string = PhGetServiceErrorControlString(serviceItem->ErrorControl); getCellText->Text.Buffer = string->Buffer; getCellText->Text.Length = string->Length; } break; case PHSVTLC_GROUP: { PhpUpdateServiceNodeConfig(node); getCellText->Text = PhGetStringRef(node->LoadOrderGroup); } break; case PHSVTLC_DESCRIPTION: { PhpUpdateServiceNodeDescription(node); getCellText->Text = PhGetStringRef(node->Description); } break; case PHSVTLC_KEYMODIFIEDTIME: { PhpUpdateServiceNodeKey(node); if (node->KeyLastWriteTime.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &node->KeyLastWriteTime); PhMoveReference(&node->KeyModifiedTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = node->KeyModifiedTimeText->sr; } } break; case PHSVTLC_VERIFICATIONSTATUS: { if (PhEnableServiceQueryStage2) getCellText->Text = PhVerifyResultToStringRef(serviceItem->VerifyResult); else PhInitializeStringRef(&getCellText->Text, L"Service digital signature support disabled."); } break; case PHSVTLC_VERIFIEDSIGNER: { if (PhEnableServiceQueryStage2) getCellText->Text = PhGetStringRef(serviceItem->VerifySignerName); else PhInitializeStringRef(&getCellText->Text, L"Service digital signature support disabled."); } break; case PHSVTLC_FILENAME: { getCellText->Text = PhGetStringRef(serviceItem->FileName); } break; case PHSVTLC_EXITCODE: { if (serviceItem->Win32ExitCode == ERROR_SERVICE_SPECIFIC_ERROR) { PhMoveReference(&node->ExitCodeText, PhFormatUInt64(serviceItem->ServiceSpecificExitCode, FALSE)); getCellText->Text = node->ExitCodeText->sr; } else { PH_STRING_BUILDER stringBuilder; PPH_STRING statusMessage; PhInitializeStringBuilder(&stringBuilder, 0x50); statusMessage = PhGetStatusMessage(0, serviceItem->Win32ExitCode); PhAppendFormatStringBuilder(&stringBuilder, L"(0x%lx) ", serviceItem->Win32ExitCode); if (!PhIsNullOrEmptyString(statusMessage)) { PhAppendStringBuilder(&stringBuilder, &statusMessage->sr); PhClearReference(&statusMessage); } PhMoveReference(&node->ExitCodeText, PhFinalStringBuilderString(&stringBuilder)); getCellText->Text = node->ExitCodeText->sr; } } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeIcon: { PPH_TREENEW_GET_NODE_ICON getNodeIcon = Parameter1; node = (PPH_SERVICE_NODE)getNodeIcon->Node; if (node->ServiceItem->IconEntry) { getNodeIcon->Icon = (HICON)(ULONG_PTR)node->ServiceItem->IconEntry->SmallIconIndex; } else { if (FlagOn(node->ServiceItem->Type, SERVICE_DRIVER)) getNodeIcon->Icon = (HICON)(ULONG_PTR)1; // ServiceCogIcon else getNodeIcon->Icon = (HICON)(ULONG_PTR)0; // ServiceApplicationIcon } //getNodeIcon->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; PPH_SERVICE_ITEM serviceItem; node = (PPH_SERVICE_NODE)getNodeColor->Node; serviceItem = node->ServiceItem; if (!serviceItem) ; // Dummy else if (PhEnableServiceQueryStage2 && PhCsUseColorUnknown && PH_VERIFY_UNTRUSTED(serviceItem->VerifyResult)) { getNodeColor->BackColor = PhCsColorUnknown; getNodeColor->Flags |= TN_AUTO_FORECOLOR; } else if (PhCsUseColorServiceDisabled && serviceItem->State == SERVICE_STOPPED && serviceItem->StartType == SERVICE_DISABLED) { getNodeColor->BackColor = PhCsColorServiceDisabled; getNodeColor->Flags |= TN_AUTO_FORECOLOR; } else if (PhCsUseColorServiceStop && serviceItem->State == SERVICE_STOPPED) { getNodeColor->ForeColor = PhCsColorServiceStop; } else { getNodeColor->Flags |= TN_AUTO_FORECOLOR; } } return TRUE; case TreeNewGetCellTooltip: { PPH_TREENEW_GET_CELL_TOOLTIP getCellTooltip = Parameter1; node = (PPH_SERVICE_NODE)getCellTooltip->Node; if (getCellTooltip->Column->Id != 0) return FALSE; if (!node->TooltipText) node->TooltipText = PhGetServiceTooltipText(node->ServiceItem); if (!PhIsNullOrEmptyString(node->TooltipText)) { getCellTooltip->Text = node->TooltipText->sr; getCellTooltip->Unfolding = FALSE; getCellTooltip->MaximumWidth = 550; } else { return FALSE; } } return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; PPH_SERVICE_ITEM serviceItem; RECT rect; node = (PPH_SERVICE_NODE)customDraw->Node; serviceItem = node->ServiceItem; rect = customDraw->CellRect; if (rect.right - rect.left <= 1) break; // nothing to draw switch (customDraw->Column->Id) { case PHSVTLC_TIMELINE: { PhpUpdateServiceNodeKey(node); if (node->KeyLastWriteTime.QuadPart == 0) break; // nothing to draw PhCustomDrawTreeTimeLine( customDraw->Dc, &customDraw->CellRect, PhEnableThemeSupport ? PH_DRAW_TIMELINE_DARKTHEME : 0, NULL, &node->KeyLastWriteTime ); } break; } } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; ServiceTreeListSortColumn = sorting->SortColumn; ServiceTreeListSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(hwnd); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(PhMainWndHandle, WM_COMMAND, ID_SERVICE_COPY, 0); break; case VK_DELETE: SendMessage(PhMainWndHandle, WM_COMMAND, ID_SERVICE_DELETE, 0); break; case VK_RETURN: if (GetKeyState(VK_CONTROL) >= 0) SendMessage(PhMainWndHandle, WM_COMMAND, ID_SERVICE_PROPERTIES, 0); else SendMessage(PhMainWndHandle, WM_COMMAND, ID_SERVICE_OPENFILELOCATION, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = hwnd; data.MouseEvent = Parameter1; data.DefaultSortColumn = PHSVTLC_NAME; data.DefaultSortOrder = NoSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, hwnd, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(PhMainWndHandle, WM_COMMAND, ID_SERVICE_PROPERTIES, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; if (!contextMenu) break; PhShowServiceContextMenu(contextMenu); } return TRUE; } return FALSE; } PPH_SERVICE_ITEM PhGetSelectedServiceItem( VOID ) { PPH_SERVICE_ITEM serviceItem = NULL; ULONG i; for (i = 0; i < ServiceNodeList->Count; i++) { PPH_SERVICE_NODE node = ServiceNodeList->Items[i]; if (node->Node.Selected) { serviceItem = node->ServiceItem; break; } } return serviceItem; } VOID PhGetSelectedServiceItems( _Out_ PPH_SERVICE_ITEM **Services, _Out_ PULONG NumberOfServices ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < ServiceNodeList->Count; i++) { PPH_SERVICE_NODE node = ServiceNodeList->Items[i]; if (node->Node.Selected) PhAddItemArray(&array, &node->ServiceItem); } *NumberOfServices = (ULONG)PhFinalArrayCount(&array); *Services = PhFinalArrayItems(&array); } VOID PhDeselectAllServiceNodes( VOID ) { TreeNew_DeselectRange(ServiceTreeListHandle, 0, -1); } BOOLEAN PhSelectAndEnsureVisibleServiceNode( _In_ PPH_SERVICE_NODE ServiceNode ) { PhDeselectAllServiceNodes(); if (ServiceNode->Node.Visible) { TreeNew_FocusMarkSelectNode(ServiceTreeListHandle, &ServiceNode->Node); return TRUE; } else { PhShowInformation2( PhMainWndHandle, L"Unable to perform the operation.", L"%s", L"This node cannot be displayed because it is currently hidden by your active filter settings or preferences." ); return FALSE; } } VOID PhCopyServiceList( VOID ) { PPH_STRING text; text = PhGetTreeNewText(ServiceTreeListHandle, 0); PhSetClipboardString(ServiceTreeListHandle, &text->sr); PhDereferenceObject(text); } VOID PhWriteServiceList( _Inout_ PPH_FILE_STREAM FileStream, _In_ ULONG Mode ) { PPH_LIST lines; ULONG i; lines = PhGetGenericTreeNewLines(ServiceTreeListHandle, Mode); for (i = 0; i < lines->Count; i++) { PPH_STRING line; line = lines->Items[i]; PhWriteStringAsUtf8FileStream(FileStream, &line->sr); PhDereferenceObject(line); PhWriteStringAsUtf8FileStream2(FileStream, L"\r\n"); } PhDereferenceObject(lines); } ================================================ FILE: SystemInformer/srvprp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include typedef struct _SERVICE_PROPERTIES_CONTEXT { PPH_SERVICE_ITEM ServiceItem; union { BOOLEAN Flags; struct { BOOLEAN Ready : 1; BOOLEAN Dirty : 1; BOOLEAN OldDelayedStart : 1; BOOLEAN Spare : 5; }; }; HWND WindowHandle; HWND TypeWindowHandle; HWND StartTypeWindowHandle; HWND ErrorControlWindowHandle; HWND DelayedStartWindowHandle; HWND DescriptionWindowHandle; HWND GroupWindowHandle; HWND BinaryPathWindowHandle; HWND UserNameWindowHandle; HWND PassBoxWindowHandle; HWND PassCheckBoxWindowHandle; HWND ServiceDllWindowHandle; } SERVICE_PROPERTIES_CONTEXT, *PSERVICE_PROPERTIES_CONTEXT; INT_PTR CALLBACK PhpServiceGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenServiceCallback( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_ PVOID Context ) { PPH_SERVICE_ITEM serviceItem = ((PPH_SERVICE_ITEM)Context); NTSTATUS status; SC_HANDLE serviceHandle; status = PhOpenService( &serviceHandle, DesiredAccess, PhGetString(serviceItem->Name) ); if (NT_SUCCESS(status)) { *Handle = serviceHandle; return STATUS_SUCCESS; } *Handle = NULL; return status; } _Function_class_(PH_CLOSE_OBJECT) NTSTATUS PhpCloseServiceCallback( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) { PhCloseServiceHandle(Handle); } if (Release && Context) { PhDereferenceObject(((PPH_SERVICE_ITEM)Context)); } return STATUS_SUCCESS; } _Function_class_(PH_SET_OBJECT_SECURITY) static _Callback_ NTSTATUS PhpSetServiceSecurityCallback( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PVOID Context ) { PPH_STD_OBJECT_SECURITY stdObjectSecurity = ((PPH_STD_OBJECT_SECURITY)Context); PPH_SERVICE_ITEM serviceItem = ((PPH_SERVICE_ITEM)stdObjectSecurity->Context); NTSTATUS status; status = PhStdSetObjectSecurity( SecurityDescriptor, SecurityInformation, stdObjectSecurity->ObjectContext ); if (status == STATUS_ACCESS_DENIED && !PhGetOwnTokenAttributes().Elevated) { // Elevate using phsvc. if (PhUiConnectToPhSvc(NULL, FALSE)) { status = PhSvcCallSetServiceSecurity( PhGetString(serviceItem->Name), SecurityInformation, SecurityDescriptor ); PhUiDisconnectFromPhSvc(); } } return status; } LRESULT CALLBACK PhpPropSheetSrvWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { WNDPROC oldWndProc; oldWndProc = PhGetWindowContext(hwnd, 0xF); if (!oldWndProc) return 0; switch (uMsg) { case WM_NCDESTROY: { PhSetWindowProcedure(hwnd, oldWndProc); PhRemoveWindowContext(hwnd, 0xF); } break; case WM_SYSCOMMAND: { // Note: This fixes closing the window from the taskbar preview window. (dmex) switch (wParam & 0xFFF0) { case SC_CLOSE: { PostQuitMessage(0); //SetWindowLongPtr(hwnd, DWLP_MSGRESULT, TRUE); //return TRUE; } break; } } break; case WM_KEYDOWN: // forward key messages { HWND pageWindowHandle; if (pageWindowHandle = PropSheet_GetCurrentPageHwnd(hwnd)) { if (SendMessage(pageWindowHandle, uMsg, wParam, lParam)) { return TRUE; } } } break; } return CallWindowProc(oldWndProc, hwnd, uMsg, wParam, lParam); } LONG CALLBACK PhpPropSheetSrvProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam ) { switch (uMsg) { case PSCB_INITIALIZED: { PhSetWindowContext(hwndDlg, 0xF, (PVOID)PhGetWindowProcedure(hwndDlg)); PhSetWindowProcedure(hwndDlg, PhpPropSheetSrvWndProc); } break; } return 0; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpShowServicePropertiesThread( _In_ PVOID Context ) { PPH_SERVICE_ITEM serviceItem = ((PPH_SERVICE_ITEM)Context); PROPSHEETHEADER propSheetHeader = { sizeof(propSheetHeader) }; PROPSHEETPAGE propSheetPage; HPROPSHEETPAGE pages[32]; SERVICE_PROPERTIES_CONTEXT context; propSheetHeader.dwFlags = PSH_MODELESS | PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP | PSH_PROPTITLE | PSH_USECALLBACK | PSH_USEHICON; propSheetHeader.hInstance = NtCurrentImageBase(); //propSheetHeader.hwndParent = ParentWindowHandle; propSheetHeader.pszCaption = PhGetString(serviceItem->Name); propSheetHeader.nPages = 0; propSheetHeader.nStartPage = 0; propSheetHeader.phpage = pages; propSheetHeader.pfnCallback = PhpPropSheetSrvProc; // General memset(&context, 0, sizeof(SERVICE_PROPERTIES_CONTEXT)); context.ServiceItem = serviceItem; context.Ready = FALSE; context.Dirty = FALSE; memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_SRVGENERAL); propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = PhpServiceGeneralDlgProc; propSheetPage.lParam = (LPARAM)&context; pages[propSheetHeader.nPages++] = CreatePropertySheetPage(&propSheetPage); if (PhPluginsEnabled) { PH_PLUGIN_OBJECT_PROPERTIES objectProperties; objectProperties.Parameter = serviceItem; objectProperties.NumberOfPages = propSheetHeader.nPages; objectProperties.MaximumNumberOfPages = sizeof(pages) / sizeof(HPROPSHEETPAGE); objectProperties.Pages = pages; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServicePropertiesInitializing), &objectProperties); propSheetHeader.nPages = objectProperties.NumberOfPages; } PhModalPropertySheet(&propSheetHeader); PhDereferenceObject(serviceItem); return STATUS_SUCCESS; } VOID PhShowServiceProperties( _In_ HWND ParentWindowHandle, _In_ PPH_SERVICE_ITEM ServiceItem ) { PhReferenceObject(ServiceItem); PhCreateThread2(PhpShowServicePropertiesThread, ServiceItem); } static VOID PhServicePropertiesRefreshIcon( _In_ PSERVICE_PROPERTIES_CONTEXT Context ) { HICON serviceIcon; if (Context->ServiceItem->IconEntry && Context->ServiceItem->IconEntry->SmallIconIndex) serviceIcon = PhGetImageListIcon(Context->ServiceItem->IconEntry->SmallIconIndex, FALSE); else { if (Context->ServiceItem->Type == SERVICE_KERNEL_DRIVER || Context->ServiceItem->Type == SERVICE_FILE_SYSTEM_DRIVER) serviceIcon = PhGetImageListIcon(1, FALSE); // ServiceCogIcon; else serviceIcon = PhGetImageListIcon(0, FALSE); // ServiceApplicationIcon; } if (serviceIcon) { PhSetWindowIcon(GetParent(Context->WindowHandle), serviceIcon, NULL, TRUE); } } static VOID PhServicePropertiesRefreshControls( _In_ PSERVICE_PROPERTIES_CONTEXT Context ) { PPH_STRING serviceStartTypeString; PPH_STRING serviceTypeString; serviceStartTypeString = PH_AUTO(PhGetWindowText(Context->StartTypeWindowHandle)); serviceTypeString = PH_AUTO(PhGetWindowText(Context->TypeWindowHandle)); if (PhEqualString2(serviceStartTypeString, L"Auto start", FALSE)) EnableWindow(Context->DelayedStartWindowHandle, TRUE); else EnableWindow(Context->DelayedStartWindowHandle, FALSE); if (PhEqualString2(serviceTypeString, L"Driver", FALSE) || PhEqualString2(serviceTypeString, L"FS driver", FALSE)) { EnableWindow(Context->UserNameWindowHandle, FALSE); EnableWindow(Context->PassBoxWindowHandle, FALSE); EnableWindow(Context->PassCheckBoxWindowHandle, FALSE); EnableWindow(Context->ServiceDllWindowHandle, FALSE); } else { EnableWindow(Context->UserNameWindowHandle, TRUE); EnableWindow(Context->PassBoxWindowHandle, TRUE); EnableWindow(Context->PassCheckBoxWindowHandle, TRUE); EnableWindow(Context->ServiceDllWindowHandle, TRUE); } } INT_PTR CALLBACK PhpServiceGeneralDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PSERVICE_PROPERTIES_CONTEXT context; if (uMsg == WM_INITDIALOG) { LPPROPSHEETPAGE propSheetPage = (LPPROPSHEETPAGE)lParam; context = (PSERVICE_PROPERTIES_CONTEXT)propSheetPage->lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { PPH_SERVICE_ITEM serviceItem = context->ServiceItem; SC_HANDLE serviceHandle; ULONG startType; ULONG errorControl; PPH_STRING serviceDll; context->WindowHandle = hwndDlg; context->TypeWindowHandle = GetDlgItem(hwndDlg, IDC_TYPE); context->StartTypeWindowHandle = GetDlgItem(hwndDlg, IDC_STARTTYPE); context->ErrorControlWindowHandle = GetDlgItem(hwndDlg, IDC_ERRORCONTROL); context->DelayedStartWindowHandle = GetDlgItem(hwndDlg, IDC_DELAYEDSTART); context->DescriptionWindowHandle = GetDlgItem(hwndDlg, IDC_DESCRIPTION); context->GroupWindowHandle = GetDlgItem(hwndDlg, IDC_GROUP); context->BinaryPathWindowHandle = GetDlgItem(hwndDlg, IDC_BINARYPATH); context->UserNameWindowHandle = GetDlgItem(hwndDlg, IDC_USERACCOUNT); context->PassBoxWindowHandle = GetDlgItem(hwndDlg, IDC_PASSWORD); context->PassCheckBoxWindowHandle = GetDlgItem(hwndDlg, IDC_PASSWORDCHECK); context->ServiceDllWindowHandle = GetDlgItem(hwndDlg, IDC_SERVICEDLL); // HACK if (PhValidWindowPlacementFromSetting(SETTING_SERVICE_WINDOW_POSITION)) PhCenterWindow(GetParent(hwndDlg), PhMainWndHandle); else PhLoadWindowPlacementFromSetting(SETTING_SERVICE_WINDOW_POSITION, NULL, GetParent(hwndDlg)); PhAddComboBoxStringRefs(context->TypeWindowHandle, PhServiceTypeStrings, RTL_NUMBER_OF(PhServiceTypeStrings)); PhAddComboBoxStringRefs(context->StartTypeWindowHandle, PhServiceStartTypeStrings, RTL_NUMBER_OF(PhServiceStartTypeStrings)); PhAddComboBoxStringRefs(context->ErrorControlWindowHandle, PhServiceErrorControlStrings, RTL_NUMBER_OF(PhServiceErrorControlStrings)); PhSetWindowText(context->DescriptionWindowHandle, PhGetStringOrEmpty(serviceItem->DisplayName)); PhSelectComboBoxString(context->TypeWindowHandle, PhGetServiceTypeString(serviceItem->Type)->Buffer, FALSE); startType = serviceItem->StartType; errorControl = serviceItem->ErrorControl; if (NT_SUCCESS(PhOpenService(&serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(serviceItem->Name)))) { LPQUERY_SERVICE_CONFIG config; PPH_STRING description; BOOLEAN delayedStart; if (NT_SUCCESS(PhGetServiceConfig(serviceHandle, &config))) { PhSetWindowText(context->GroupWindowHandle, config->lpLoadOrderGroup); PhSetWindowText(context->BinaryPathWindowHandle, config->lpBinaryPathName); PhSetWindowText(context->UserNameWindowHandle, config->lpServiceStartName); if (startType != config->dwStartType || errorControl != config->dwErrorControl) { startType = config->dwStartType; errorControl = config->dwErrorControl; PhMarkNeedsConfigUpdateServiceItem(serviceItem); } PhFree(config); } if (description = PhGetServiceDescription(serviceHandle)) { PhSetWindowText(context->DescriptionWindowHandle, PhGetString(description)); PhDereferenceObject(description); } if (NT_SUCCESS(PhGetServiceDelayedAutoStart(serviceHandle, &delayedStart))) { context->OldDelayedStart = delayedStart; if (delayedStart) Button_SetCheck(context->DelayedStartWindowHandle, BST_CHECKED); } PhCloseServiceHandle(serviceHandle); } PhSelectComboBoxString(context->StartTypeWindowHandle, PhGetServiceStartTypeString(startType)->Buffer, FALSE); PhSelectComboBoxString(context->ErrorControlWindowHandle, PhGetServiceErrorControlString(errorControl)->Buffer, FALSE); PhSetWindowText(context->PassBoxWindowHandle, L"password"); Button_SetCheck(context->PassCheckBoxWindowHandle, BST_UNCHECKED); if (NT_SUCCESS(PhGetServiceDllParameter(serviceItem->Type, &serviceItem->Name->sr, &serviceDll))) { PhSetDialogItemText(hwndDlg, IDC_SERVICEDLL, PhGetString(serviceDll)); PhDereferenceObject(serviceDll); } else { PhSetDialogItemText(hwndDlg, IDC_SERVICEDLL, L"N/A"); } PhServicePropertiesRefreshIcon(context); PhServicePropertiesRefreshControls(context); context->Ready = TRUE; if (PhEnableThemeSupport) // TODO: Required for compat (dmex) PhInitializeWindowTheme(GetParent(hwndDlg), PhEnableThemeSupport); // HACK (GetParent) else PhInitializeWindowTheme(hwndDlg, FALSE); } break; case WM_DESTROY: { PhSaveWindowPlacementToSetting(SETTING_SERVICE_WINDOW_POSITION, NULL, GetParent(hwndDlg)); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: { // Workaround for property sheet + multiline edit: http://support.microsoft.com/kb/130765 SendMessage(GetParent(hwndDlg), uMsg, wParam, lParam); } break; case IDC_PASSWORD: { if (HIWORD(wParam) == EN_CHANGE) { Button_SetCheck(context->PassCheckBoxWindowHandle, BST_CHECKED); } } break; case IDC_DELAYEDSTART: { context->Dirty = TRUE; } break; case IDC_BROWSE: { static PH_FILETYPE_FILTER filters[] = { { L"Executable files (*.exe;*.sys)", L"*.exe;*.sys" }, { L"All files (*.*)", L"*.*" } }; PVOID fileDialog; PPH_STRING commandLine; PPH_STRING fileName; fileDialog = PhCreateOpenFileDialog(); PhSetFileDialogFilter(fileDialog, filters, RTL_NUMBER_OF(filters)); commandLine = PH_AUTO_T(PH_STRING, PhGetWindowText(context->BinaryPathWindowHandle)); if (context->ServiceItem->Type & SERVICE_WIN32) { PH_STRINGREF dummyFileName; PH_STRINGREF dummyArguments; if (!PhParseCommandLineFuzzy(&commandLine->sr, &dummyFileName, &dummyArguments, &fileName)) fileName = NULL; if (!fileName) PhSwapReference(&fileName, commandLine); } else { fileName = PhGetFileName(commandLine); } PhSetFileDialogFileName(fileDialog, PhGetString(fileName)); PhDereferenceObject(fileName); if (PhShowFileDialog(hwndDlg, fileDialog)) { fileName = PhGetFileDialogFileName(fileDialog); PhSetWindowText(context->BinaryPathWindowHandle, PhGetString(fileName)); PhDereferenceObject(fileName); } PhFreeFileDialog(fileDialog); } break; case IDC_PERMISSIONS: { PhReferenceObject(context->ServiceItem); PhEditSecurityEx( PhCsForceNoParent ? NULL : hwndDlg, PhGetStringOrEmpty(context->ServiceItem->DisplayName), L"Service", PhpOpenServiceCallback, PhpCloseServiceCallback, NULL, PhpSetServiceSecurityCallback, context->ServiceItem ); } break; } switch (GET_WM_COMMAND_CMD(wParam, lParam)) { case EN_CHANGE: case CBN_SELCHANGE: { PhServicePropertiesRefreshControls(context); if (context->Ready) context->Dirty = TRUE; } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: { SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)context->StartTypeWindowHandle); } return TRUE; //case PSN_KILLACTIVE: // { // SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, FALSE); // } // return TRUE; case PSN_APPLY: { NTSTATUS status; PPH_SERVICE_ITEM serviceItem = context->ServiceItem; SC_HANDLE serviceHandle; PPH_STRING newServiceTypeString; PPH_STRING newServiceStartTypeString; PPH_STRING newServiceErrorControlString; ULONG newServiceType; ULONG newServiceStartType; ULONG newServiceErrorControl; PPH_STRING newServiceGroup = NULL; PPH_STRING newServiceBinaryPath = NULL; PPH_STRING newServiceUserAccount = NULL; PPH_STRING newServicePassword = NULL; SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, PSNRET_NOERROR); if (!context->Dirty) { return TRUE; } newServiceTypeString = PH_AUTO(PhGetWindowText(context->TypeWindowHandle)); newServiceStartTypeString = PH_AUTO(PhGetWindowText(context->StartTypeWindowHandle)); newServiceErrorControlString = PH_AUTO(PhGetWindowText(context->ErrorControlWindowHandle)); newServiceType = PhGetServiceTypeInteger(&newServiceTypeString->sr); newServiceStartType = PhGetServiceStartTypeInteger(&newServiceStartTypeString->sr); newServiceErrorControl = PhGetServiceErrorControlInteger(&newServiceErrorControlString->sr); if (PhEqualStringRef(PhGetServiceTypeString(serviceItem->Type), &newServiceTypeString->sr, TRUE)) newServiceType = SERVICE_NO_CHANGE; if (PhEqualStringRef(PhGetServiceStartTypeString(serviceItem->StartType), &newServiceStartTypeString->sr, TRUE)) newServiceStartType = SERVICE_NO_CHANGE; if (PhEqualStringRef(PhGetServiceErrorControlString(serviceItem->ErrorControl), &newServiceErrorControlString->sr, TRUE)) newServiceErrorControl = SERVICE_NO_CHANGE; if (PhGetWindowTextLength(context->GroupWindowHandle)) newServiceGroup = PH_AUTO(PhGetWindowText(context->GroupWindowHandle)); if (PhGetWindowTextLength(context->BinaryPathWindowHandle)) newServiceBinaryPath = PH_AUTO(PhGetWindowText(context->BinaryPathWindowHandle)); if (PhGetWindowTextLength(context->UserNameWindowHandle)) newServiceUserAccount = PH_AUTO(PhGetWindowText(context->UserNameWindowHandle)); if (Button_GetCheck(context->PassCheckBoxWindowHandle) == BST_CHECKED) newServicePassword = PhGetWindowText(context->PassBoxWindowHandle); status = PhOpenService(&serviceHandle, SERVICE_CHANGE_CONFIG, PhGetString(serviceItem->Name)); if (NT_SUCCESS(status)) { status = PhChangeServiceConfig( serviceHandle, newServiceType, newServiceStartType, newServiceErrorControl, PhGetString(newServiceBinaryPath), PhGetString(newServiceGroup), NULL, NULL, PhGetString(newServiceUserAccount), PhGetString(newServicePassword), NULL ); if (NT_SUCCESS(status)) { BOOLEAN newDelayedStart; newDelayedStart = Button_GetCheck(context->DelayedStartWindowHandle) == BST_CHECKED; if (newDelayedStart != context->OldDelayedStart) { PhSetServiceDelayedAutoStart(serviceHandle, newDelayedStart); } PhMarkNeedsConfigUpdateServiceItem(serviceItem); PhCloseServiceHandle(serviceHandle); } else { PhCloseServiceHandle(serviceHandle); goto ErrorCase; } } else { if (status == STATUS_ACCESS_DENIED && !PhGetOwnTokenAttributes().Elevated) { // Elevate using phsvc. if (PhUiConnectToPhSvc(hwndDlg, FALSE)) { status = PhSvcCallChangeServiceConfig( PhGetString(serviceItem->Name), newServiceType, newServiceStartType, newServiceErrorControl, PhGetString(newServiceBinaryPath), PhGetString(newServiceGroup), NULL, NULL, PhGetString(newServiceUserAccount), PhGetString(newServicePassword), NULL ); if (NT_SUCCESS(status)) { BOOLEAN newDelayedStart; newDelayedStart = Button_GetCheck(context->DelayedStartWindowHandle) == BST_CHECKED; if (newDelayedStart != context->OldDelayedStart) { SERVICE_DELAYED_AUTO_START_INFO info; info.fDelayedAutostart = newDelayedStart; PhSvcCallChangeServiceConfig2( PhGetString(serviceItem->Name), SERVICE_CONFIG_DELAYED_AUTO_START_INFO, &info ); } PhMarkNeedsConfigUpdateServiceItem(serviceItem); } PhUiDisconnectFromPhSvc(); if (!NT_SUCCESS(status)) { goto ErrorCase; } } else { // User cancelled elevation. SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, PSNRET_INVALID); } } else { goto ErrorCase; } } goto Cleanup; ErrorCase: PhShowStatus(hwndDlg, L"Unable to change service configuration.", status, 0); SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, PSNRET_INVALID); Cleanup: if (newServicePassword) { RtlSecureZeroMemory(newServicePassword->Buffer, newServicePassword->Length); PhDereferenceObject(newServicePassword); } } return TRUE; } } break; } return FALSE; } ================================================ FILE: SystemInformer/srvprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2015 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #include #include typedef struct _PHP_SERVICE_NAME_ENTRY { PH_HASH_ENTRY HashEntry; PH_STRINGREF Name; ENUM_SERVICE_STATUS_PROCESS *ServiceEntry; } PHP_SERVICE_NAME_ENTRY, *PPHP_SERVICE_NAME_ENTRY; typedef enum _PHP_SERVICE_NOTIFY_STATE { SnNone, SnAdding, SnRemoving, SnNotify } PHP_SERVICE_NOTIFY_STATE; typedef struct _PHP_SERVICE_NOTIFY_CONTEXT { LIST_ENTRY ListEntry; SC_HANDLE ServiceHandle; PPH_STRING ServiceName; union { BOOLEAN Flags; struct { BOOLEAN IsServiceManager : 1; BOOLEAN NonPollDisabled : 1; BOOLEAN Spare : 6; }; }; PHP_SERVICE_NOTIFY_STATE State; SERVICE_NOTIFY Buffer; } PHP_SERVICE_NOTIFY_CONTEXT, *PPHP_SERVICE_NOTIFY_CONTEXT; typedef struct _PH_SERVICE_QUERY_DATA { SLIST_ENTRY ListEntry; ULONG Stage; PPH_SERVICE_ITEM ServiceItem; PPH_STRING FileName; } PH_SERVICE_QUERY_DATA, *PPH_SERVICE_QUERY_DATA; typedef struct _PH_SERVICE_QUERY_S1_DATA { PH_SERVICE_QUERY_DATA Header; PPH_IMAGELIST_ITEM IconEntry; //PH_IMAGE_VERSION_INFO VersionInfo; BOOLEAN MicrosoftService; } PH_SERVICE_QUERY_S1_DATA, *PPH_SERVICE_QUERY_S1_DATA; typedef struct _PH_SERVICE_QUERY_S2_DATA { PH_SERVICE_QUERY_DATA Header; VERIFY_RESULT VerifyResult; PPH_STRING VerifySignerName; BOOLEAN MicrosoftService; } PH_SERVICE_QUERY_S2_DATA, *PPH_SERVICE_QUERY_S2_DATA; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpServiceItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpServiceHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpServiceHashtableHashFunction( _In_ PVOID Entry ); VOID PhAddProcessItemService( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_SERVICE_ITEM ServiceItem ); VOID PhRemoveProcessItemService( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_SERVICE_ITEM ServiceItem ); VOID PhInitializeServiceNonPoll( VOID ); VOID PhCreateServiceNotifyCallback( _In_ PPH_SERVICE_ITEM ServiceItem, _In_ SC_HANDLE ServiceHandle ); VOID PhDestroyServiceNotifyCallback( _In_ PPH_SERVICE_ITEM ServiceItem ); PPH_OBJECT_TYPE PhServiceItemType = NULL; PPH_HASHTABLE PhServiceHashtable = NULL; PH_QUEUED_LOCK PhServiceHashtableLock = PH_QUEUED_LOCK_INIT; BOOLEAN PhEnableServiceNonPoll = FALSE; BOOLEAN PhEnableServiceNonPollNotify = FALSE; ULONG PhServiceNonPollFlushInterval = 10; static BOOLEAN PhNonPollActive = FALSE; static volatile LONG PhNonPollGate = 0; static HANDLE PhNonPollEventHandle = NULL; static RTL_STATIC_LIST_HEAD(PhpNonPollServiceListHead); static RTL_STATIC_LIST_HEAD(PhpNonPollServicePendingListHead); static SLIST_HEADER PhpServiceQueryDataListHead; static typeof(&NotifyServiceStatusChangeW) NotifyServiceStatusChange_I = NULL; static typeof(&SubscribeServiceChangeNotifications) SubscribeServiceChangeNotifications_I = NULL; static typeof(&UnsubscribeServiceChangeNotifications) UnsubscribeServiceChangeNotifications_I = NULL; BOOLEAN PhServiceProviderInitialization( VOID ) { PhServiceItemType = PhCreateObjectType(L"ServiceItem", 0, PhpServiceItemDeleteProcedure); PhServiceHashtable = PhCreateHashtable( sizeof(PPH_SERVICE_ITEM), PhpServiceHashtableEqualFunction, PhpServiceHashtableHashFunction, 40 ); PhInitializeSListHead(&PhpServiceQueryDataListHead); if (PhEnableServiceNonPoll) { PhInitializeServiceNonPoll(); } return TRUE; } PPH_SERVICE_ITEM PhCreateServiceItem( _In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information ) { PPH_SERVICE_ITEM serviceItem; serviceItem = PhCreateObject( PhEmGetObjectSize(EmServiceItemType, sizeof(PH_SERVICE_ITEM)), PhServiceItemType ); memset(serviceItem, 0, sizeof(PH_SERVICE_ITEM)); if (Information) { serviceItem->Name = PhCreateString(Information->lpServiceName); serviceItem->Key = serviceItem->Name->sr; serviceItem->DisplayName = PhCreateString(Information->lpDisplayName); serviceItem->Type = Information->ServiceStatusProcess.dwServiceType; serviceItem->State = Information->ServiceStatusProcess.dwCurrentState; serviceItem->ControlsAccepted = Information->ServiceStatusProcess.dwControlsAccepted; serviceItem->Win32ExitCode = Information->ServiceStatusProcess.dwWin32ExitCode; serviceItem->ServiceSpecificExitCode = Information->ServiceStatusProcess.dwServiceSpecificExitCode; serviceItem->Flags = Information->ServiceStatusProcess.dwServiceFlags; serviceItem->ProcessId = UlongToHandle(Information->ServiceStatusProcess.dwProcessId); if (PH_IS_REAL_PROCESS_ID(serviceItem->ProcessId)) { PhPrintUInt32(serviceItem->ProcessIdString, HandleToUlong(serviceItem->ProcessId)); } } PhEmCallObjectOperation(EmServiceItemType, serviceItem, EmObjectCreate); return serviceItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpServiceItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_SERVICE_ITEM serviceItem = (PPH_SERVICE_ITEM)Object; PhEmCallObjectOperation(EmServiceItemType, serviceItem, EmObjectDelete); if (serviceItem->Name) PhDereferenceObject(serviceItem->Name); if (serviceItem->DisplayName) PhDereferenceObject(serviceItem->DisplayName); if (serviceItem->FileName) PhDereferenceObject(serviceItem->FileName); if (serviceItem->VerifySignerName) PhDereferenceObject(serviceItem->VerifySignerName); if (serviceItem->IconEntry) PhDereferenceObject(serviceItem->IconEntry); //PhDeleteImageVersionInfo(&serviceItem->VersionInfo); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpServiceHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_SERVICE_ITEM serviceItem1 = *(PPH_SERVICE_ITEM *)Entry1; PPH_SERVICE_ITEM serviceItem2 = *(PPH_SERVICE_ITEM *)Entry2; return PhEqualStringRef(&serviceItem1->Key, &serviceItem2->Key, TRUE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpServiceHashtableHashFunction( _In_ PVOID Entry ) { PPH_SERVICE_ITEM serviceItem = *(PPH_SERVICE_ITEM *)Entry; return PhHashStringRefEx(&serviceItem->Key, TRUE, PH_STRING_HASH_X65599); } PPH_SERVICE_ITEM PhpLookupServiceItem( _In_ PPH_STRINGREF Name ) { PH_SERVICE_ITEM lookupServiceItem; PPH_SERVICE_ITEM lookupServiceItemPtr = &lookupServiceItem; PPH_SERVICE_ITEM *serviceItem; // Construct a temporary service item for the lookup. lookupServiceItem.Key = *Name; serviceItem = (PPH_SERVICE_ITEM *)PhFindEntryHashtable( PhServiceHashtable, &lookupServiceItemPtr ); if (serviceItem) return *serviceItem; else return NULL; } PPH_SERVICE_ITEM PhReferenceServiceItem( _In_ PPH_STRINGREF Name ) { PPH_SERVICE_ITEM serviceItem; PhAcquireQueuedLockShared(&PhServiceHashtableLock); serviceItem = PhpLookupServiceItem(Name); if (serviceItem) PhReferenceObject(serviceItem); PhReleaseQueuedLockShared(&PhServiceHashtableLock); return serviceItem; } VOID PhpResetServiceNonPollGate( VOID ) { if (PhEnableServiceNonPoll) { InterlockedExchange(&PhNonPollGate, TRUE); } } VOID PhMarkNeedsConfigUpdateServiceItem( _In_ PPH_SERVICE_ITEM ServiceItem ) { ServiceItem->NeedsConfigUpdate = TRUE; PhpResetServiceNonPollGate(); } VOID PhpRemoveServiceItem( _In_ PPH_SERVICE_ITEM ServiceItem ) { PhRemoveEntryHashtable(PhServiceHashtable, &ServiceItem); PhDestroyServiceNotifyCallback(ServiceItem); PhDereferenceObject(ServiceItem); } PH_SERVICE_CHANGE PhGetServiceChange( _In_ PPH_SERVICE_MODIFIED_DATA Data ) { if ( ( Data->OldService.State == SERVICE_STOPPED || Data->OldService.State == SERVICE_START_PENDING ) && Data->ServiceItem->State == SERVICE_RUNNING ) { return ServiceStarted; } if ( ( Data->OldService.State == SERVICE_PAUSED || Data->OldService.State == SERVICE_CONTINUE_PENDING ) && Data->ServiceItem->State == SERVICE_RUNNING ) { return ServiceContinued; } if ( ( Data->OldService.State == SERVICE_RUNNING || Data->OldService.State == SERVICE_PAUSE_PENDING ) && Data->ServiceItem->State == SERVICE_PAUSED ) { return ServicePaused; } if ( ( Data->OldService.State == SERVICE_RUNNING || Data->OldService.State == SERVICE_STOP_PENDING ) && Data->ServiceItem->State == SERVICE_STOPPED ) { return ServiceStopped; } // TODO: ServiceModified (dmex) return ULONG_MAX; } VOID PhUpdateProcessItemServices( _In_ PPH_PROCESS_ITEM ProcessItem ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SERVICE_ITEM *serviceItem; // We don't need to lock as long as the service provider // never runs concurrently with the process provider. This // is currently true. (wj32) // Starting 2022 the service provider runs concurrently with // the process provider and now requires locking. If the service // provider is moved back to the primary provider thread then // remove these locks per the above comments (dmex) PhAcquireQueuedLockShared(&PhServiceHashtableLock); PhBeginEnumHashtable(PhServiceHashtable, &enumContext); while (serviceItem = PhNextEnumHashtable(&enumContext)) { if ( (*serviceItem)->PendingProcess && (*serviceItem)->ProcessId == ProcessItem->ProcessId ) { PhAddProcessItemService(ProcessItem, *serviceItem); } } PhReleaseQueuedLockShared(&PhServiceHashtableLock); } VOID PhAddProcessItemService( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_SERVICE_ITEM ServiceItem ) { PhAcquireQueuedLockExclusive(&ProcessItem->ServiceListLock); if (!ProcessItem->ServiceList) ProcessItem->ServiceList = PhCreatePointerList(2); if (!PhFindItemPointerList(ProcessItem->ServiceList, ServiceItem)) { PhReferenceObject(ServiceItem); PhAddItemPointerList(ProcessItem->ServiceList, ServiceItem); } PhReleaseQueuedLockExclusive(&ProcessItem->ServiceListLock); ServiceItem->PendingProcess = FALSE; InterlockedExchange(&ProcessItem->JustProcessed, TRUE); } VOID PhRemoveProcessItemService( _In_ PPH_PROCESS_ITEM ProcessItem, _In_ PPH_SERVICE_ITEM ServiceItem ) { HANDLE pointerHandle; if (!ProcessItem->ServiceList) return; PhAcquireQueuedLockExclusive(&ProcessItem->ServiceListLock); if (pointerHandle = PhFindItemPointerList(ProcessItem->ServiceList, ServiceItem)) { PhRemoveItemPointerList(ProcessItem->ServiceList, pointerHandle); PhDereferenceObject(ServiceItem); } PhReleaseQueuedLockExclusive(&ProcessItem->ServiceListLock); InterlockedExchange(&ProcessItem->JustProcessed, TRUE); } static BOOLEAN PhCompareServiceNameEntry( _In_ PPHP_SERVICE_NAME_ENTRY Value1, _In_ PPHP_SERVICE_NAME_ENTRY Value2 ) { return PhEqualStringRef(&Value1->Name, &Value2->Name, TRUE); } static ULONG PhHashServiceNameEntry( _In_ PPHP_SERVICE_NAME_ENTRY Value ) { return PhHashStringRefEx(&Value->Name, TRUE, PH_STRING_HASH_XXH32); } VOID PhServiceQueryStage1( _Inout_ PPH_SERVICE_QUERY_S1_DATA Data ) { PPH_SERVICE_ITEM serviceItem = Data->Header.ServiceItem; PPH_STRING fileName = Data->Header.FileName; if (fileName) { if (!FlagOn(serviceItem->Type, SERVICE_DRIVER)) // Skip icons for kernel drivers (dmex) { Data->IconEntry = PhImageListExtractIcon(fileName, FALSE, SYSTEM_IDLE_PROCESS_ID, NULL, PhSystemDpi); } if (!PhEnableProcessQueryStage2) { PH_IMAGE_VERSION_INFO versionInfo; PPH_STRING nativeFilename; if (nativeFilename = PhDosPathNameToNtPathName(&fileName->sr)) { if (NT_SUCCESS(PhInitializeImageVersionInfoCached( &versionInfo, // Data->VersionInfo nativeFilename, FALSE, !!PhCsEnableVersionSupport ))) { // Note: This is how msconfig determines default services. (dmex) if (versionInfo.CompanyName && PhStartsWithStringRef2(&versionInfo.CompanyName->sr, L"Microsoft", TRUE)) { Data->MicrosoftService = TRUE; } PhDeleteImageVersionInfo(&versionInfo); } PhDereferenceObject(nativeFilename); } } } } VOID PhServiceQueryStage2( _Inout_ PPH_SERVICE_QUERY_S2_DATA Data ) { PPH_SERVICE_ITEM serviceItem = Data->Header.ServiceItem; PPH_STRING fileName = Data->Header.FileName; if (fileName) { Data->VerifyResult = PhVerifyFileCached( fileName, NULL, &Data->VerifySignerName, FALSE, FALSE ); if (!PhIsNullOrEmptyString(Data->VerifySignerName)) { static CONST PH_STRINGREF microsoftSignerNameSr = PH_STRINGREF_INIT(L"Microsoft Windows"); if (PhEqualStringRef(&Data->VerifySignerName->sr, µsoftSignerNameSr, TRUE)) { Data->MicrosoftService = TRUE; } } } } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpServiceQueryStage1Worker( _In_ PVOID Parameter ) { PPH_SERVICE_QUERY_S1_DATA data = Parameter; PhServiceQueryStage1(data); RtlInterlockedPushEntrySList(&PhpServiceQueryDataListHead, &data->Header.ListEntry); return STATUS_SUCCESS; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpServiceQueryStage2Worker( _In_ PVOID Parameter ) { PPH_SERVICE_QUERY_S2_DATA data = Parameter; PhServiceQueryStage2(data); RtlInterlockedPushEntrySList(&PhpServiceQueryDataListHead, &data->Header.ListEntry); return STATUS_SUCCESS; } VOID PhQueueServiceQueryStage1( _Inout_ PPH_SERVICE_QUERY_S1_DATA Data ) { PH_WORK_QUEUE_ENVIRONMENT environment; PhInitializeWorkQueueEnvironment(&environment); environment.BasePriority = THREAD_PRIORITY_BELOW_NORMAL; environment.IoPriority = IoPriorityLow; environment.PagePriority = MEMORY_PRIORITY_LOW; PhQueueItemWorkQueueEx(PhGetGlobalWorkQueue(), PhpServiceQueryStage1Worker, Data, NULL, &environment); } VOID PhQueueServiceQueryStage2( _Inout_ PPH_SERVICE_QUERY_S2_DATA Data ) { PH_WORK_QUEUE_ENVIRONMENT environment; PhInitializeWorkQueueEnvironment(&environment); environment.BasePriority = THREAD_PRIORITY_LOWEST; environment.IoPriority = IoPriorityVeryLow; environment.PagePriority = MEMORY_PRIORITY_VERY_LOW; PhQueueItemWorkQueueEx(PhGetGlobalWorkQueue(), PhpServiceQueryStage2Worker, Data, NULL, &environment); } VOID PhCreateQueueServiceQueryStage2( _In_ PPH_SERVICE_ITEM ServiceItem, _In_ PPH_STRING FileName ) { PPH_SERVICE_QUERY_S2_DATA data; ServiceItem->VerifyResult = 0; PhClearReference(&ServiceItem->VerifySignerName); data = PhAllocateZero(sizeof(PH_SERVICE_QUERY_S2_DATA)); data->Header.Stage = 2; PhSetReference(&data->Header.ServiceItem, ServiceItem); PhSetReference(&data->Header.FileName, FileName); PhQueueServiceQueryStage2(data); } VOID PhpFillServiceItemStage1( _In_ PPH_SERVICE_QUERY_S1_DATA Data ) { PPH_SERVICE_ITEM serviceItem = Data->Header.ServiceItem; PPH_STRING fileName = Data->Header.FileName; PhTrace("Service query stage 1: %ls", PhGetString(serviceItem->Name)); serviceItem->IconEntry = Data->IconEntry; //memcpy(&processItem->VersionInfo, &Data->VersionInfo, sizeof(PH_IMAGE_VERSION_INFO)); serviceItem->MicrosoftService = !!Data->MicrosoftService; // Note: Queue stage 2 processing after filling stage1 process data. if (PhEnableServiceQueryStage2) { PhCreateQueueServiceQueryStage2(serviceItem, fileName); } } VOID PhpFillServiceItemStage2( _In_ PPH_SERVICE_QUERY_S2_DATA Data ) { PPH_SERVICE_ITEM serviceItem = Data->Header.ServiceItem; PhTrace("Service query stage 2: %ls", PhGetString(serviceItem->Name)); serviceItem->VerifyResult = Data->VerifyResult; PhMoveReference(&serviceItem->VerifySignerName, Data->VerifySignerName); serviceItem->MicrosoftService = !!Data->MicrosoftService; } VOID PhFlushServiceQueryData( VOID ) { PSLIST_ENTRY entry; PPH_SERVICE_QUERY_DATA data; //if (!RtlFirstEntrySList(&PhpServiceQueryDataListHead)) // return; entry = RtlInterlockedFlushSList(&PhpServiceQueryDataListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_SERVICE_QUERY_DATA, ListEntry); entry = entry->Next; if (data->Stage == 1) { PhpFillServiceItemStage1((PPH_SERVICE_QUERY_S1_DATA)data); } else if (data->Stage == 2) { PhpFillServiceItemStage2((PPH_SERVICE_QUERY_S2_DATA)data); } InterlockedExchange(&data->ServiceItem->JustProcessed, TRUE); if (data->FileName) PhDereferenceObject(data->FileName); PhDereferenceObject(data->ServiceItem); PhFree(data); } } VOID PhUpdateServiceItemConfig( _In_ PPH_SERVICE_ITEM ServiceItem, _In_ BOOLEAN CreateServiceNotifyCallback ) { NTSTATUS status; SC_HANDLE serviceHandle; LPQUERY_SERVICE_CONFIG config; BOOLEAN delayedAutoStartInfo; status = PhOpenService( &serviceHandle, SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG, PhGetString(ServiceItem->Name) ); if (!NT_SUCCESS(status)) { status = PhOpenService( &serviceHandle, SERVICE_QUERY_CONFIG, PhGetString(ServiceItem->Name) ); } if (!NT_SUCCESS(status)) return; if (NT_SUCCESS(PhGetServiceConfig(serviceHandle, &config))) { ServiceItem->StartType = config->dwStartType; ServiceItem->ErrorControl = config->dwErrorControl; { PPH_STRING fileName; fileName = PhGetServiceConfigFileName( config->dwServiceType, config->lpBinaryPathName, &ServiceItem->Name->sr ); if (fileName && ServiceItem->FileName && !PhEqualStringRef(&fileName->sr, &ServiceItem->FileName->sr, TRUE)) { if (PhEnableServiceQueryStage2) { PhCreateQueueServiceQueryStage2(ServiceItem, fileName); } } PhMoveReference(&ServiceItem->FileName, fileName); } PhFree(config); } if (NT_SUCCESS(PhGetServiceDelayedAutoStart(serviceHandle, &delayedAutoStartInfo))) ServiceItem->DelayedStart = delayedAutoStartInfo; else ServiceItem->DelayedStart = FALSE; if (NT_SUCCESS(PhGetServiceTriggerInfo(serviceHandle, NULL))) ServiceItem->HasTriggers = TRUE; else ServiceItem->HasTriggers = FALSE; if (CreateServiceNotifyCallback) { PhCreateServiceNotifyCallback(ServiceItem, serviceHandle); } PhCloseServiceHandle(serviceHandle); } _Function_class_(PH_PROVIDER_FUNCTION) VOID PhServiceProviderUpdate( _In_ PVOID Object ) { static ULONG runCount = 0; static PPH_HASH_ENTRY nameHashSet[256]; static PPHP_SERVICE_NAME_ENTRY nameEntries = NULL; static ULONG nameEntriesCount; static ULONG nameEntriesAllocated = 0; NTSTATUS status; LPENUM_SERVICE_STATUS_PROCESS services; ULONG numberOfServices; ULONG i; PPH_HASH_ENTRY hashEntry; PhTraceFuncEnter("Service provider run count: %lu", runCount); // We always execute the first run, and we only initialize non-polling after the first run. if (PhEnableServiceNonPoll && runCount != 0) { if (PhNonPollActive) { if (InterlockedExchange(&PhNonPollGate, 0) == 0) { // The SCM doesn't generate notifications for drivers. So flush service // information once in a while so we can detect driver events. (dmex) if (runCount % PhServiceNonPollFlushInterval == 0) { // Go through the queued services query data. PhFlushServiceQueryData(); goto UpdateStart; } // Non-poll gate is closed; skip all processing. goto UpdateEnd; } } } UpdateStart: if (!NT_SUCCESS(status = PhEnumServices(&services, &numberOfServices))) { PhTraceFuncExit("Failed to enumerate services: %lu %!STATUS!", runCount, status); return; } // Build a hash set containing the service names. // This has caused a massive decrease in background CPU usage, and // is certainly much better than the quadratic-time string comparisons // we were doing before (in the "Look for dead services" section). (wj32) nameEntriesCount = 0; if (nameEntriesAllocated < numberOfServices) { nameEntriesAllocated = numberOfServices + 32; if (nameEntries) PhFree(nameEntries); nameEntries = PhAllocate(sizeof(PHP_SERVICE_NAME_ENTRY) * nameEntriesAllocated); } PhInitializeHashSet(nameHashSet, PH_HASH_SET_SIZE(nameHashSet)); for (i = 0; i < numberOfServices; i++) { PPHP_SERVICE_NAME_ENTRY entry; entry = &nameEntries[nameEntriesCount++]; PhInitializeStringRefLongHint(&entry->Name, services[i].lpServiceName); entry->ServiceEntry = &services[i]; if (WindowsVersion >= WINDOWS_10_RS2) { PhServiceWorkaroundWindowsServiceTypeBug(entry->ServiceEntry); } PhAddEntryHashSet( nameHashSet, PH_HASH_SET_SIZE(nameHashSet), &entry->HashEntry, PhHashServiceNameEntry(entry) ); } // Go through the queued services query data. PhFlushServiceQueryData(); // Look for dead services. { PPH_LIST servicesToRemove = NULL; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SERVICE_ITEM *serviceItem; PhBeginEnumHashtable(PhServiceHashtable, &enumContext); while (serviceItem = PhNextEnumHashtable(&enumContext)) { BOOLEAN found = FALSE; PHP_SERVICE_NAME_ENTRY lookupNameEntry; // Check if the service still exists. lookupNameEntry.Name = (*serviceItem)->Name->sr; hashEntry = PhFindEntryHashSet( nameHashSet, PH_HASH_SET_SIZE(nameHashSet), PhHashServiceNameEntry(&lookupNameEntry) ); for (; hashEntry; hashEntry = hashEntry->Next) { PPHP_SERVICE_NAME_ENTRY nameEntry; nameEntry = CONTAINING_RECORD(hashEntry, PHP_SERVICE_NAME_ENTRY, HashEntry); if (PhCompareServiceNameEntry(&lookupNameEntry, nameEntry)) { found = TRUE; break; } } if (!found) { // Remove the service from its process. if ((*serviceItem)->ProcessId) { PPH_PROCESS_ITEM processItem; processItem = PhReferenceProcessItem((*serviceItem)->ProcessId); if (processItem) { PhRemoveProcessItemService(processItem, *serviceItem); PhDereferenceObject(processItem); } } // Raise the service removed event. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServiceProviderRemovedEvent), *serviceItem); if (!servicesToRemove) servicesToRemove = PhCreateList(2); PhAddItemList(servicesToRemove, *serviceItem); } } if (servicesToRemove) { PhAcquireQueuedLockExclusive(&PhServiceHashtableLock); for (i = 0; i < servicesToRemove->Count; i++) { PhpRemoveServiceItem((PPH_SERVICE_ITEM)servicesToRemove->Items[i]); } PhReleaseQueuedLockExclusive(&PhServiceHashtableLock); PhDereferenceObject(servicesToRemove); } } // Look for new services and update existing ones. for (i = 0; i < PH_HASH_SET_SIZE(nameHashSet); i++) { for (hashEntry = nameHashSet[i]; hashEntry; hashEntry = hashEntry->Next) { PPH_SERVICE_ITEM serviceItem; PPHP_SERVICE_NAME_ENTRY nameEntry; ENUM_SERVICE_STATUS_PROCESS *serviceEntry; nameEntry = CONTAINING_RECORD(hashEntry, PHP_SERVICE_NAME_ENTRY, HashEntry); serviceEntry = nameEntry->ServiceEntry; serviceItem = PhpLookupServiceItem(&nameEntry->Name); if (!serviceItem) { // Create the service item and fill in basic information. serviceItem = PhCreateServiceItem(serviceEntry); PhUpdateServiceItemConfig(serviceItem, TRUE); // Add the service to its process, if appropriate. if (serviceItem->ProcessId) { PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(serviceItem->ProcessId)) { PhAddProcessItemService(processItem, serviceItem); PhDereferenceObject(processItem); } else { // The process doesn't exist yet (to us). Set the pending // flag and when the process is added this will be // fixed. (wj32) serviceItem->PendingProcess = TRUE; } } // If this is the first run of the provider, queue the // process query tasks. Otherwise, perform stage 1 // processing now and queue stage 2 processing. (wj32) if (runCount > 0) { PH_SERVICE_QUERY_S1_DATA data; memset(&data, 0, sizeof(PH_SERVICE_QUERY_S1_DATA)); data.Header.Stage = 1; data.Header.ServiceItem = serviceItem; data.Header.FileName = serviceItem->FileName; PhServiceQueryStage1(&data); PhpFillServiceItemStage1(&data); } else { PPH_SERVICE_QUERY_S1_DATA data; data = PhAllocateZero(sizeof(PH_SERVICE_QUERY_S1_DATA)); data->Header.Stage = 1; PhSetReference(&data->Header.ServiceItem, serviceItem); PhSetReference(&data->Header.FileName, serviceItem->FileName); PhQueueServiceQueryStage1(data); } // Add the service item to the hashtable. PhAcquireQueuedLockExclusive(&PhServiceHashtableLock); PhAddEntryHashtable(PhServiceHashtable, &serviceItem); PhReleaseQueuedLockExclusive(&PhServiceHashtableLock); // Raise the service added event. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServiceProviderAddedEvent), serviceItem); } else { if ( serviceItem->Type != serviceEntry->ServiceStatusProcess.dwServiceType || serviceItem->State != serviceEntry->ServiceStatusProcess.dwCurrentState || serviceItem->ControlsAccepted != serviceEntry->ServiceStatusProcess.dwControlsAccepted || serviceItem->Win32ExitCode != serviceEntry->ServiceStatusProcess.dwWin32ExitCode || serviceItem->ServiceSpecificExitCode != serviceEntry->ServiceStatusProcess.dwServiceSpecificExitCode || serviceItem->ProcessId != UlongToHandle(serviceEntry->ServiceStatusProcess.dwProcessId) || serviceItem->NeedsConfigUpdate || serviceItem->JustProcessed ) { PH_SERVICE_MODIFIED_DATA serviceModifiedData; PH_SERVICE_CHANGE serviceChange; // The service has been "modified". serviceModifiedData.ServiceItem = serviceItem; memset(&serviceModifiedData.OldService, 0, sizeof(PH_SERVICE_ITEM)); serviceModifiedData.OldService.Type = serviceItem->Type; serviceModifiedData.OldService.State = serviceItem->State; serviceModifiedData.OldService.ControlsAccepted = serviceItem->ControlsAccepted; serviceModifiedData.OldService.ProcessId = serviceItem->ProcessId; // Update the service item. serviceItem->Type = serviceEntry->ServiceStatusProcess.dwServiceType; serviceItem->State = serviceEntry->ServiceStatusProcess.dwCurrentState; serviceItem->ControlsAccepted = serviceEntry->ServiceStatusProcess.dwControlsAccepted; serviceItem->Win32ExitCode = serviceEntry->ServiceStatusProcess.dwWin32ExitCode; serviceItem->ServiceSpecificExitCode = serviceEntry->ServiceStatusProcess.dwServiceSpecificExitCode; serviceItem->ProcessId = UlongToHandle(serviceEntry->ServiceStatusProcess.dwProcessId); if (PH_IS_REAL_PROCESS_ID(serviceItem->ProcessId)) PhPrintUInt32(serviceItem->ProcessIdString, HandleToUlong(serviceItem->ProcessId)); else serviceItem->ProcessIdString[0] = UNICODE_NULL; // Add/remove the service from its process. serviceChange = PhGetServiceChange(&serviceModifiedData); if ( (serviceChange == ServiceStarted && serviceItem->ProcessId) || (serviceChange == ServiceStopped && serviceModifiedData.OldService.ProcessId) ) { PPH_PROCESS_ITEM processItem; if (serviceChange == ServiceStarted) processItem = PhReferenceProcessItem(serviceItem->ProcessId); else processItem = PhReferenceProcessItem(serviceModifiedData.OldService.ProcessId); if (processItem) { if (serviceChange == ServiceStarted) PhAddProcessItemService(processItem, serviceItem); else PhRemoveProcessItemService(processItem, serviceItem); PhDereferenceObject(processItem); } else { if (serviceChange == ServiceStarted) serviceItem->PendingProcess = TRUE; else serviceItem->PendingProcess = FALSE; } } else if ( serviceItem->State == SERVICE_RUNNING && serviceItem->ProcessId != serviceModifiedData.OldService.ProcessId && serviceItem->ProcessId ) { PPH_PROCESS_ITEM processItem; // The service stopped and started, and the only change we have detected // is in the process ID. (wj32) if (processItem = PhReferenceProcessItem(serviceModifiedData.OldService.ProcessId)) { PhRemoveProcessItemService(processItem, serviceItem); PhDereferenceObject(processItem); } if (processItem = PhReferenceProcessItem(serviceItem->ProcessId)) { PhAddProcessItemService(processItem, serviceItem); PhDereferenceObject(processItem); } else { serviceItem->PendingProcess = TRUE; } } // Do a config update if necessary. if (serviceItem->NeedsConfigUpdate) { PhUpdateServiceItemConfig(serviceItem, FALSE); serviceItem->NeedsConfigUpdate = FALSE; } InterlockedExchange(&serviceItem->JustProcessed, FALSE); // Raise the service modified event. PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServiceProviderModifiedEvent), &serviceModifiedData); } } } } PhFree(services); UpdateEnd: PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackServiceProviderUpdatedEvent), UlongToPtr(runCount)); PhTraceFuncExit("Service provider run count: %lu", runCount); runCount++; } VOID CALLBACK PhServiceNotifyNonPollCallback( _In_ PVOID pParameter ) { PSERVICE_NOTIFYW notifyBuffer = pParameter; PPHP_SERVICE_NOTIFY_CONTEXT notifyContext = notifyBuffer->pContext; if (notifyBuffer->dwNotificationStatus == ERROR_SUCCESS) { if (FlagOn(notifyBuffer->dwNotificationTriggered, SERVICE_NOTIFY_CREATED | SERVICE_NOTIFY_DELETED) && notifyBuffer->pszServiceNames) { PWSTR name; SIZE_T nameLength; name = notifyBuffer->pszServiceNames; while (TRUE) { nameLength = PhCountStringZ(name); if (nameLength == 0) break; if (name[0] == L'/') { PPHP_SERVICE_NOTIFY_CONTEXT newNotifyContext; // Service creation newNotifyContext = PhAllocateZero(sizeof(PHP_SERVICE_NOTIFY_CONTEXT)); newNotifyContext->State = SnAdding; newNotifyContext->ServiceName = PhCreateString(name + 1); InsertTailList(&PhpNonPollServicePendingListHead, &newNotifyContext->ListEntry); } name += nameLength + 1; } LocalFree(notifyBuffer->pszServiceNames); } notifyContext->State = SnNotify; RemoveEntryList(¬ifyContext->ListEntry); InsertTailList(&PhpNonPollServicePendingListHead, ¬ifyContext->ListEntry); } else if (notifyBuffer->dwNotificationStatus == ERROR_SERVICE_MARKED_FOR_DELETE) { if (!notifyContext->IsServiceManager) { notifyContext->State = SnRemoving; RemoveEntryList(¬ifyContext->ListEntry); InsertTailList(&PhpNonPollServicePendingListHead, ¬ifyContext->ListEntry); } } else { notifyContext->State = SnNotify; RemoveEntryList(¬ifyContext->ListEntry); InsertTailList(&PhpNonPollServicePendingListHead, ¬ifyContext->ListEntry); } PhpResetServiceNonPollGate(); NtSetEvent(PhNonPollEventHandle, NULL); NtSetEventBoostPriority(PhNonPollEventHandle); } VOID PhDestroyServiceNotifyContext( _In_ PPHP_SERVICE_NOTIFY_CONTEXT NotifyContext ) { if (NotifyContext->Buffer.pszServiceNames) LocalFree(NotifyContext->Buffer.pszServiceNames); PhCloseServiceHandle(NotifyContext->ServiceHandle); PhClearReference(&NotifyContext->ServiceName); PhFree(NotifyContext); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhServiceNonPollThreadStart( _In_ PVOID Parameter ) { ULONG result; LPENUM_SERVICE_STATUS_PROCESS services; ULONG numberOfServices; ULONG i; PLIST_ENTRY listEntry; PPHP_SERVICE_NOTIFY_CONTEXT notifyContext; if (!NT_SUCCESS(PhCreateEvent(&PhNonPollEventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, FALSE))) { PhNonPollActive = FALSE; PhpResetServiceNonPollGate(); return STATUS_UNSUCCESSFUL; } while (TRUE) { InitializeListHead(&PhpNonPollServiceListHead); InitializeListHead(&PhpNonPollServicePendingListHead); if (!NT_SUCCESS(PhEnumServices(&services, &numberOfServices))) goto ErrorExit; for (i = 0; i < numberOfServices; i++) { SC_HANDLE serviceHandle; if (NT_SUCCESS(PhOpenService(&serviceHandle, SERVICE_QUERY_STATUS, services[i].lpServiceName))) { notifyContext = PhAllocateZero(sizeof(PHP_SERVICE_NOTIFY_CONTEXT)); notifyContext->ServiceHandle = serviceHandle; notifyContext->State = SnNotify; InsertTailList(&PhpNonPollServicePendingListHead, ¬ifyContext->ListEntry); } } PhFree(services); notifyContext = PhAllocateZero(sizeof(PHP_SERVICE_NOTIFY_CONTEXT)); notifyContext->ServiceHandle = PhGetServiceManagerHandle(); notifyContext->IsServiceManager = TRUE; notifyContext->State = SnNotify; InsertTailList(&PhpNonPollServicePendingListHead, ¬ifyContext->ListEntry); while (TRUE) { BOOLEAN lagging = FALSE; listEntry = PhpNonPollServicePendingListHead.Flink; while (listEntry != &PhpNonPollServicePendingListHead) { notifyContext = CONTAINING_RECORD(listEntry, PHP_SERVICE_NOTIFY_CONTEXT, ListEntry); listEntry = listEntry->Flink; switch (notifyContext->State) { case SnAdding: if (!NT_SUCCESS(PhOpenService(¬ifyContext->ServiceHandle, SERVICE_QUERY_STATUS, PhGetString(notifyContext->ServiceName)))) { RemoveEntryList(¬ifyContext->ListEntry); PhDestroyServiceNotifyContext(notifyContext); continue; } PhClearReference(¬ifyContext->ServiceName); notifyContext->State = SnNotify; goto NotifyCase; case SnRemoving: RemoveEntryList(¬ifyContext->ListEntry); PhDestroyServiceNotifyContext(notifyContext); break; case SnNotify: NotifyCase: memset(¬ifyContext->Buffer, 0, sizeof(SERVICE_NOTIFY)); notifyContext->Buffer.dwVersion = SERVICE_NOTIFY_STATUS_CHANGE; notifyContext->Buffer.pfnNotifyCallback = PhServiceNotifyNonPollCallback; notifyContext->Buffer.pContext = notifyContext; result = NotifyServiceStatusChange_I( notifyContext->ServiceHandle, notifyContext->IsServiceManager ? (SERVICE_NOTIFY_CREATED | SERVICE_NOTIFY_DELETED) : (SERVICE_NOTIFY_STOPPED | SERVICE_NOTIFY_START_PENDING | SERVICE_NOTIFY_STOP_PENDING | SERVICE_NOTIFY_RUNNING | SERVICE_NOTIFY_CONTINUE_PENDING | SERVICE_NOTIFY_PAUSE_PENDING | SERVICE_NOTIFY_PAUSED | SERVICE_NOTIFY_DELETE_PENDING), ¬ifyContext->Buffer ); switch (result) { case ERROR_SUCCESS: notifyContext->State = SnNone; RemoveEntryList(¬ifyContext->ListEntry); InsertTailList(&PhpNonPollServiceListHead, ¬ifyContext->ListEntry); break; case ERROR_SERVICE_NOTIFY_CLIENT_LAGGING: // We are lagging behind. Re-open the handle to the SCM as soon as possible. lagging = TRUE; break; case ERROR_SERVICE_MARKED_FOR_DELETE: default: RemoveEntryList(¬ifyContext->ListEntry); PhDestroyServiceNotifyContext(notifyContext); break; } break; } } while (NtWaitForSingleObject(PhNonPollEventHandle, TRUE, NULL) != STATUS_WAIT_0) NOTHING; if (lagging) break; } // Execute all pending callbacks. NtTestAlert(); listEntry = PhpNonPollServiceListHead.Flink; while (listEntry != &PhpNonPollServiceListHead) { notifyContext = CONTAINING_RECORD(listEntry, PHP_SERVICE_NOTIFY_CONTEXT, ListEntry); listEntry = listEntry->Flink; PhDestroyServiceNotifyContext(notifyContext); } listEntry = PhpNonPollServicePendingListHead.Flink; while (listEntry != &PhpNonPollServicePendingListHead) { notifyContext = CONTAINING_RECORD(listEntry, PHP_SERVICE_NOTIFY_CONTEXT, ListEntry); listEntry = listEntry->Flink; PhDestroyServiceNotifyContext(notifyContext); } } PhNonPollActive = FALSE; PhpResetServiceNonPollGate(); NtClose(PhNonPollEventHandle); return STATUS_SUCCESS; ErrorExit: PhNonPollActive = FALSE; PhpResetServiceNonPollGate(); NtClose(PhNonPollEventHandle); return STATUS_UNSUCCESSFUL; } VOID CALLBACK PhServiceNotifyPropertyChangeCallback( _In_ ULONG ServiceNotifyFlags, _In_ PPH_SERVICE_ITEM ServiceItem ) { if (ServiceItem->NotifyCreatedPropertyRegistration) { ServiceItem->NotifyCreatedPropertyRegistration = FALSE; return; } PhMarkNeedsConfigUpdateServiceItem(ServiceItem); } VOID CALLBACK PhServiceNotifyStatusChangeCallback( _In_ ULONG ServiceNotifyFlags, _In_ PPH_SERVICE_ITEM ServiceItem ) { if (ServiceItem->NotifyCreatedStatusRegistration) { ServiceItem->NotifyCreatedStatusRegistration = FALSE; return; } PhMarkNeedsConfigUpdateServiceItem(ServiceItem); } VOID CALLBACK PhServiceNotifyDatabaseChangeCallback( _In_ ULONG ServiceNotifyFlags, _In_ PVOID Context ) { static BOOLEAN NotifyCreatedDatabaseRegistration = TRUE; if (NotifyCreatedDatabaseRegistration) { NotifyCreatedDatabaseRegistration = FALSE; return; } PhpResetServiceNonPollGate(); } VOID PhCreateServiceNotifyCallback( _In_ PPH_SERVICE_ITEM ServiceItem, _In_ SC_HANDLE ServiceHandle ) { PSC_NOTIFICATION_REGISTRATION servicePropertyRegistration; PSC_NOTIFICATION_REGISTRATION serviceStatusRegistration; if (!SubscribeServiceChangeNotifications_I) return; //if (FlagOn(ServiceItem->Type, SERVICE_DRIVER)) // return; if (!ServiceItem->NotifyCreatedPropertyRegistration) { ServiceItem->NotifyCreatedPropertyRegistration = TRUE; PhReferenceObject(ServiceItem); if (SubscribeServiceChangeNotifications_I( ServiceHandle, SC_EVENT_PROPERTY_CHANGE, PhServiceNotifyPropertyChangeCallback, ServiceItem, &servicePropertyRegistration ) == ERROR_SUCCESS) { ServiceItem->NotifyPropertyRegistration = servicePropertyRegistration; } else { PhDereferenceObject(ServiceItem); } } if (!ServiceItem->NotifyCreatedStatusRegistration) { ServiceItem->NotifyCreatedStatusRegistration = TRUE; PhReferenceObject(ServiceItem); if (SubscribeServiceChangeNotifications_I( ServiceHandle, SC_EVENT_STATUS_CHANGE, PhServiceNotifyStatusChangeCallback, ServiceItem, &serviceStatusRegistration ) == ERROR_SUCCESS) { ServiceItem->NotifyStatusRegistration = serviceStatusRegistration; } else { PhDereferenceObject(ServiceItem); } } } VOID PhDestroyServiceNotifyCallback( _In_ PPH_SERVICE_ITEM ServiceItem ) { if (!UnsubscribeServiceChangeNotifications_I) return; if (ServiceItem->NotifyStatusRegistration) { UnsubscribeServiceChangeNotifications_I(ServiceItem->NotifyStatusRegistration); ServiceItem->NotifyStatusRegistration = NULL; PhDereferenceObject(ServiceItem); } if (ServiceItem->NotifyPropertyRegistration) { UnsubscribeServiceChangeNotifications_I(ServiceItem->NotifyPropertyRegistration); ServiceItem->NotifyPropertyRegistration = NULL; PhDereferenceObject(ServiceItem); } } VOID PhCreateServiceDatabaseNotifyCallback( VOID ) { PSC_NOTIFICATION_REGISTRATION serviceNotifyRegistration; if (!SubscribeServiceChangeNotifications_I) return; SubscribeServiceChangeNotifications_I( PhGetServiceManagerHandle(), SC_EVENT_DATABASE_CHANGE, PhServiceNotifyDatabaseChangeCallback, NULL, &serviceNotifyRegistration ); } VOID PhInitializeServiceNonPoll( VOID ) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"sechost.dll")) { if (PhEnableServiceNonPollNotify && WindowsVersion >= WINDOWS_8) { SubscribeServiceChangeNotifications_I = PhGetDllBaseProcedureAddress(baseAddress, "SubscribeServiceChangeNotifications", 0); UnsubscribeServiceChangeNotifications_I = PhGetDllBaseProcedureAddress(baseAddress, "UnsubscribeServiceChangeNotifications", 0); } else { NotifyServiceStatusChange_I = PhGetDllBaseProcedureAddress(baseAddress, "NotifyServiceStatusChangeW", 0); } } PhNonPollActive = TRUE; InterlockedExchange(&PhNonPollGate, 1); // initially the gate should be open since we only just initialized everything (wj32) if (NotifyServiceStatusChange_I) { PhCreateThread2(PhServiceNonPollThreadStart, NULL); } PhCreateServiceDatabaseNotifyCallback(); } ================================================ FILE: SystemInformer/sysinfo.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ /* * This file contains the System Information framework. The "framework" handles creation, layout and * events for the top-level window itself. It manages the list of sections. * * A section is an object that provides information to the user about a type of system resource. The * CPU, Memory and I/O sections are added automatically to every System Information window. Plugins * can also add sections to the window. There are two views: summary and section. In summary view, * rows of graphs are displayed in the window, one graph for each section. The section is * responsible for providing the graph data and any text to draw on the left-hand side of the graph. * In section view, the graphs become mini-graphs on the left-hand side of the window. The section * displays its own embedded dialog in the remaining space. Any controls contained in this dialog, * including graphs, are the responsibility of the section. * * Users can enter section view by: * * Clicking on a graph or mini-graph. * * Pressing a number from 1 to 9. * * Using the tab or arrow keys to select a graph and pressing space or enter. * * Users can return to summary view by: * * Clicking "Back" on the left-hand side of the window. * * Pressing Backspace. * * Using the tab or arrow keys to select "Back" and pressing space or enter. */ #include #include #include #include #include #include #include #include #include static HANDLE PhSipThread = NULL; HWND PhSipWindow = NULL; static PPH_LIST PhSipDialogList = NULL; static PH_EVENT InitializedEvent = PH_EVENT_INIT; static PCWSTR InitialSectionName; static RECT MinimumSize; static PH_CALLBACK_REGISTRATION ProcessesUpdatedRegistration; static PH_CALLBACK_REGISTRATION SettingsUpdatedRegistration; static PPH_LIST SectionList; static PH_SYSINFO_PARAMETERS CurrentParameters = {0}; static PH_SYSINFO_VIEW_TYPE CurrentView; static PPH_SYSINFO_SECTION CurrentSection; static HWND ContainerControl; static HWND SeparatorControl; static HWND RestoreSummaryControl; static WNDPROC RestoreSummaryControlOldWndProc; static BOOLEAN RestoreSummaryControlHot; static BOOLEAN RestoreSummaryControlHasFocus; static HTHEME ThemeData; static BOOLEAN ThemeHasItemBackground; VOID PhShowSystemInformationDialog( _In_opt_ PCWSTR SectionName ) { InitialSectionName = SectionName; if (!PhSipThread) { if (!NT_SUCCESS(PhCreateThreadEx(&PhSipThread, PhSipSysInfoThreadStart, NULL))) { PhShowStatus(PhMainWndHandle, L"Unable to create the window.", 0, ERROR_OUTOFMEMORY); return; } PhWaitForEvent(&InitializedEvent, NULL); } SendMessage(PhSipWindow, SI_MSG_SYSINFO_ACTIVATE, (WPARAM)SectionName, 0); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhSipSysInfoThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; BOOL result; MSG message; HACCEL acceleratorTable; BOOLEAN processed; PhInitializeAutoPool(&autoPool); PhSipWindow = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_SYSINFO), NULL, PhSipSysInfoDialogProc, NULL ); PhSetEvent(&InitializedEvent); acceleratorTable = LoadAccelerators(PhInstanceHandle, MAKEINTRESOURCE(IDR_SYSINFO_ACCEL)); while (result = GetMessage(&message, NULL, 0, 0)) { if (result == -1) break; processed = FALSE; if ( message.hwnd == PhSipWindow || IsChild(PhSipWindow, message.hwnd) ) { if (TranslateAccelerator(PhSipWindow, acceleratorTable, &message)) processed = TRUE; } if (!processed && PhSipDialogList) { ULONG i; for (i = 0; i < PhSipDialogList->Count; i++) { if (IsDialogMessage((HWND)PhSipDialogList->Items[i], &message)) { processed = TRUE; break; } } } if (!processed) { if (!IsDialogMessage(PhSipWindow, &message)) { TranslateMessage(&message); DispatchMessage(&message); } } PhDrainAutoPool(&autoPool); } PhDeleteAutoPool(&autoPool); PhResetEvent(&InitializedEvent); NtClose(PhSipThread); PhSipWindow = NULL; PhSipThread = NULL; if (PhSipDialogList) { PhDereferenceObject(PhSipDialogList); PhSipDialogList = NULL; } return STATUS_SUCCESS; } INT_PTR CALLBACK PhSipSysInfoDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PhSipWindow = hwndDlg; PhSipOnInitDialog(); } break; case WM_DESTROY: { PhSipOnDestroy(); } break; case WM_NCDESTROY: { PhSipOnNcDestroy(); } break; case WM_SYSCOMMAND: { if (PhSipOnSysCommand((ULONG)wParam, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam))) return 0; } break; case WM_SIZE: { PhSipOnSize(hwndDlg, (UINT)wParam, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam)); } break; case WM_SIZING: { PhSipOnSizing((ULONG)wParam, (PRECT)lParam); } break; case WM_THEMECHANGED: { PhSipOnThemeChanged(); } break; case WM_COMMAND: { PhSipOnCommand((HWND)lParam, LOWORD(wParam), HIWORD(wParam)); } break; case WM_NOTIFY: { LRESULT result; if (PhSipOnNotify((NMHDR *)lParam, &result)) { SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, result); return TRUE; } } break; case WM_DRAWITEM: { if (PhSipOnDrawItem(wParam, (DRAWITEMSTRUCT *)lParam)) return TRUE; } break; case WM_CTLCOLORBTN: case WM_CTLCOLORDLG: case WM_CTLCOLORSTATIC: { SetBkMode((HDC)wParam, TRANSPARENT); if (PhEnableThemeSupport) { switch (PhCsGraphColorMode) { case 0: // New colors SetTextColor((HDC)wParam, RGB(0x0, 0x0, 0x0)); SetDCBrushColor((HDC)wParam, RGB(0xef, 0xef, 0xef)); // GetSysColor(COLOR_WINDOW) break; case 1: // Old colors SetTextColor((HDC)wParam, RGB(0xff, 0xff, 0xff)); SetDCBrushColor((HDC)wParam, PhThemeWindowBackgroundColor); // RGB(30, 30, 30)); break; } } else { SetTextColor((HDC)wParam, GetSysColor(COLOR_WINDOWTEXT)); SetDCBrushColor((HDC)wParam, GetSysColor(COLOR_WINDOW)); } return (INT_PTR)PhGetStockBrush(DC_BRUSH); } break; case WM_DPICHANGED: { PhSipInitializeParameters(); if (SectionList) { for (ULONG i = 0; i < SectionList->Count; i++) { PPH_SYSINFO_SECTION section = SectionList->Items[i]; if (section->DialogHandle) { section->Callback(section, SysInfoDpiChanged, UlongToPtr(LOWORD(wParam)), 0); } } } PhSipOnSize(hwndDlg, 0, 0, 0); } break; } if (uMsg >= SI_MSG_SYSINFO_FIRST && uMsg <= SI_MSG_SYSINFO_LAST) { PhSipOnUserMessage(uMsg, wParam, lParam); } return FALSE; } INT_PTR CALLBACK PhSipContainerDialogProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (WindowMessage) { case WM_INITDIALOG: { //if (WindowsVersion >= WINDOWS_8) //{ // // TODO: The container background is drawn before child controls // // causing slight flickering when switching between sysinfo panels. // // We need to somehow exclude the container background drawing, // // setting the container window as composited works well but has // // slower drawing and should be considered a temporary workaround. (dmex) // PhSetWindowExStyle(hwndDlg, WS_EX_COMPOSITED, WS_EX_COMPOSITED); //} } break; case WM_CTLCOLORBTN: case WM_CTLCOLORDLG: case WM_CTLCOLORSTATIC: { SetBkMode((HDC)wParam, TRANSPARENT); if (PhEnableThemeSupport) { switch (PhCsGraphColorMode) { case 0: // New colors SetTextColor((HDC)wParam, RGB(0x0, 0x0, 0x0)); SetDCBrushColor((HDC)wParam, GetSysColor(COLOR_WINDOW)); break; case 1: // Old colors SetTextColor((HDC)wParam, RGB(0xff, 0xff, 0xff)); SetDCBrushColor((HDC)wParam, PhThemeWindowBackgroundColor); break; } } else { SetTextColor((HDC)wParam, GetSysColor(COLOR_WINDOWTEXT)); SetDCBrushColor((HDC)wParam, GetSysColor(COLOR_WINDOW)); } return (INT_PTR)PhGetStockBrush(DC_BRUSH); } break; } return FALSE; } VOID PhSipOnInitDialog( VOID ) { //RECT clientRect; PH_STRINGREF sectionName; PPH_SYSINFO_SECTION section; PhSetApplicationWindowIcon(PhSipWindow); PhSetControlTheme(PhSipWindow, L"explorer"); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhSipSysInfoUpdateHandler, PhSipWindow, &ProcessesUpdatedRegistration ); PhRegisterCallback( PhGetGeneralCallback(GeneralCallbackSettingsUpdated), PhSipSysInfoSettingsCallback, PhSipWindow, &SettingsUpdatedRegistration ); ContainerControl = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_CONTAINER), PhSipWindow, PhSipContainerDialogProc, NULL ); PhSipUpdateThemeData(); SectionList = PhCreateList(8); PhSipInitializeParameters(); CurrentView = SysInfoSummaryView; CurrentSection = NULL; PhSipCreateInternalSection(L"CPU", 0, PhSipCpuSectionCallback); PhSipCreateInternalSection(L"Memory", 0, PhSipMemorySectionCallback); PhSipCreateInternalSection(L"I/O", 0, PhSipIoSectionCallback); if (PhPluginsEnabled) { PH_PLUGIN_SYSINFO_POINTERS pointers; pointers.WindowHandle = PhSipWindow; pointers.CreateSection = PhSipCreateSection; pointers.FindSection = PhSipFindSection; pointers.EnterSectionView = PhSipEnterSectionView; pointers.RestoreSummaryView = PhSipRestoreSummaryView; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackSystemInformationInitializing), &pointers); } SeparatorControl = PhCreateWindow( WC_STATIC, NULL, WS_CHILD | SS_OWNERDRAW, 0, 0, 0, 0, PhSipWindow, NULL, NULL, NULL ); RestoreSummaryControl = PhCreateWindow( WC_STATIC, NULL, WS_CHILD | WS_TABSTOP | SS_OWNERDRAW | SS_NOTIFY, 0, 0, 0, 0, PhSipWindow, NULL, NULL, NULL ); RestoreSummaryControlOldWndProc = PhGetWindowProcedure(RestoreSummaryControl); PhSetWindowProcedure(RestoreSummaryControl, PhSipPanelHookWndProc); RestoreSummaryControlHot = FALSE; //PhGetClientRect(PhSipWindow, &clientRect); MinimumSize.left = 0; MinimumSize.top = 0; MinimumSize.right = 430; MinimumSize.bottom = 290; MapDialogRect(PhSipWindow, &MinimumSize); MinimumSize.right += CurrentParameters.PanelWidth; MinimumSize.right += PhGetSystemMetrics(SM_CXFRAME, CurrentParameters.WindowDpi) * 2; MinimumSize.bottom += PhGetSystemMetrics(SM_CYFRAME, CurrentParameters.WindowDpi) * 2; if (SectionList->Count != 0) { //ULONG newMinimumHeight; // //newMinimumHeight = // GetSystemMetrics(SM_CYCAPTION) + // CurrentParameters.WindowPadding + // CurrentParameters.MinimumGraphHeight * SectionList->Count + // CurrentParameters.MinimumGraphHeight + // Back button // CurrentParameters.GraphPadding * SectionList->Count + // CurrentParameters.WindowPadding + // clientRect.bottom - buttonRect.top + // GetSystemMetrics(SM_CYFRAME) * 2; // //if (newMinimumHeight > (ULONG)MinimumSize.bottom) // MinimumSize.bottom = newMinimumHeight; } PhLoadWindowPlacementFromSetting(SETTING_SYSINFO_WINDOW_POSITION, SETTING_SYSINFO_WINDOW_SIZE, PhSipWindow); if (PhGetIntegerSetting(SETTING_SYSINFO_WINDOW_STATE) == SW_MAXIMIZE) ShowWindow(PhSipWindow, SW_MAXIMIZE); if (InitialSectionName) PhInitializeStringRefLongHint(§ionName, InitialSectionName); else sectionName = PhaGetStringSetting(SETTING_SYSINFO_WINDOW_SECTION)->sr; if (sectionName.Length != 0 && (section = PhSipFindSection(§ionName))) { PhSipEnterSectionView(section); } PhRegisterWindowCallback(PhSipWindow, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); //PhInitializeWindowTheme(PhSipWindow, PhEnableThemeSupport); PhInitializeThemeWindowFrame(PhSipWindow); PhSipOnSize(PhSipWindow, 0, 0, 0); PhSipOnUserMessage(SI_MSG_SYSINFO_UPDATE, 0, 0); } VOID PhSipOnDestroy( VOID ) { PhUnregisterWindowCallback(PhSipWindow); PhUnregisterCallback(PhGetGeneralCallback(GeneralCallbackSettingsUpdated), &SettingsUpdatedRegistration); PhUnregisterCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), &ProcessesUpdatedRegistration); if (CurrentSection) PhSetStringSetting2(SETTING_SYSINFO_WINDOW_SECTION, &CurrentSection->Name); else PhSetStringSetting(SETTING_SYSINFO_WINDOW_SECTION, L""); PhSaveWindowPlacementToSetting(SETTING_SYSINFO_WINDOW_POSITION, SETTING_SYSINFO_WINDOW_SIZE, PhSipWindow); PhSipSaveWindowState(); PostQuitMessage(0); } VOID PhSipOnNcDestroy( VOID ) { ULONG i; PPH_SYSINFO_SECTION section; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; PhSipDestroySection(section); } PhDereferenceObject(SectionList); SectionList = NULL; PhSipDeleteParameters(); if (ThemeData) { PhCloseThemeData(ThemeData); ThemeData = NULL; } } BOOLEAN PhSipOnSysCommand( _In_ ULONG Type, _In_ LONG CursorScreenX, _In_ LONG CursorScreenY ) { switch (Type) { case SC_MINIMIZE: { // Save the current window state because we may not have a chance to later. PhSipSaveWindowState(); } break; } return FALSE; } VOID PhSipOnSize( _In_ HWND WindowHandle, _In_ UINT State, _In_ LONG Width, _In_ LONG Height ) { if (State != SIZE_MINIMIZED) { if (SectionList && SectionList->Count != 0) { if (CurrentView == SysInfoSummaryView) PhSipLayoutSummaryView(); else if (CurrentView == SysInfoSectionView) PhSipLayoutSectionView(); } } } VOID PhSipOnSizing( _In_ ULONG Edge, _In_ PRECT DragRectangle ) { PhResizingMinimumSize(DragRectangle, Edge, MinimumSize.right, MinimumSize.bottom); } VOID PhSipOnThemeChanged( VOID ) { PhSipUpdateThemeData(); } VOID PhSipOnCommand( _In_ HWND HwndControl, _In_ ULONG Id, _In_ ULONG Code ) { switch (Id) { case IDCANCEL: DestroyWindow(PhSipWindow); break; case IDC_BACK: { PhSipRestoreSummaryView(); } break; case IDC_REFRESH: { SystemInformer_Refresh(); } break; case IDC_PAUSE: { SystemInformer_SetUpdateAutomatically(!SystemInformer_GetUpdateAutomatically()); } break; case IDC_MAXSCREEN: { static WINDOWPLACEMENT windowLayout = { sizeof(WINDOWPLACEMENT) }; ULONG windowStyle = PhGetWindowStyle(PhSipWindow); if (windowStyle & WS_OVERLAPPEDWINDOW) { MONITORINFO info = { sizeof(MONITORINFO) }; if ( GetWindowPlacement(PhSipWindow, &windowLayout) && GetMonitorInfo(MonitorFromWindow(PhSipWindow, MONITOR_DEFAULTTOPRIMARY), &info) ) { PhSetWindowStyle(PhSipWindow, WS_OVERLAPPEDWINDOW, 0); SetWindowPos( PhSipWindow, HWND_TOPMOST, info.rcMonitor.left, info.rcMonitor.top, (info.rcMonitor.right - info.rcMonitor.left), (info.rcMonitor.bottom - info.rcMonitor.top), SWP_NOOWNERZORDER | SWP_FRAMECHANGED ); } } else { PhSetWindowStyle(PhSipWindow, WS_OVERLAPPEDWINDOW, WS_OVERLAPPEDWINDOW); SetWindowPlacement(PhSipWindow, &windowLayout); SetWindowPos(PhSipWindow, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE | SWP_NOOWNERZORDER | SWP_FRAMECHANGED); } } break; } if (SectionList && Id >= ID_DIGIT1 && Id <= ID_DIGIT9) { ULONG index; index = Id - ID_DIGIT1; if (index < SectionList->Count) PhSipEnterSectionView(SectionList->Items[index]); } if (SectionList && Code == STN_CLICKED) { ULONG i; PPH_SYSINFO_SECTION section; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (Id == section->PanelId) { PhSipEnterSectionView(section); break; } } } if (HwndControl == RestoreSummaryControl) { if (Code == STN_CLICKED) { PhSipRestoreSummaryView(); } } } _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipGraphCallback( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { switch (GraphMessage) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Parameter1; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; PPH_SYSINFO_SECTION section = (PPH_SYSINFO_SECTION)Context; section->Callback(section, SysInfoGraphGetDrawInfo, drawInfo, NULL); if (CurrentView == SysInfoSectionView) { drawInfo->Flags &= ~(PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_LABEL_MAX_Y); } else { LONG badWidth = CurrentParameters.PanelWidth; // Try not to draw max data point labels that will get covered by the // fade-out part of the graph. if (badWidth < drawInfo->Width) drawInfo->LabelMaxYIndexLimit = (drawInfo->Width - badWidth) / 2; else drawInfo->LabelMaxYIndexLimit = ULONG_MAX; } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Parameter1; PPH_SYSINFO_SECTION section = (PPH_SYSINFO_SECTION)Context; if (getTooltipText->Index < getTooltipText->TotalCount) { PH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT graphGetTooltipText; graphGetTooltipText.Index = getTooltipText->Index; PhInitializeEmptyStringRef(&graphGetTooltipText.Text); section->Callback(section, SysInfoGraphGetTooltipText, &graphGetTooltipText, NULL); getTooltipText->Text = graphGetTooltipText.Text; } } break; case GCN_DRAWPANEL: { PPH_GRAPH_DRAWPANEL drawPanel = (PPH_GRAPH_DRAWPANEL)Parameter1; PPH_SYSINFO_SECTION section = (PPH_SYSINFO_SECTION)Context; if (CurrentView == SysInfoSummaryView) { PhSipDrawPanel(section, drawPanel->hdc, &drawPanel->Rect); } } break; case GCN_MOUSEEVENT: { PPH_GRAPH_MOUSEEVENT mouseEvent = (PPH_GRAPH_MOUSEEVENT)Parameter1; PPH_SYSINFO_SECTION section = (PPH_SYSINFO_SECTION)Context; if (mouseEvent->Message == WM_LBUTTONDOWN) { PhSipEnterSectionView(section); } } break; } return TRUE; } _Success_(return) BOOLEAN PhSipOnNotify( _In_ NMHDR *Header, _Out_ LRESULT *Result ) { switch (Header->code) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Header; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; ULONG i; PPH_SYSINFO_SECTION section; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (getDrawInfo->Header.hwndFrom == section->GraphHandle) { section->Callback(section, SysInfoGraphGetDrawInfo, drawInfo, 0); if (CurrentView == SysInfoSectionView) { drawInfo->Flags &= ~(PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_LABEL_MAX_Y); } else { LONG badWidth = CurrentParameters.PanelWidth; // Try not to draw max data point labels that will get covered by the // fade-out part of the graph. if (badWidth < drawInfo->Width) drawInfo->LabelMaxYIndexLimit = (drawInfo->Width - badWidth) / 2; else drawInfo->LabelMaxYIndexLimit = ULONG_MAX; } break; } } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Header; ULONG i; PPH_SYSINFO_SECTION section; if (getTooltipText->Index < getTooltipText->TotalCount) { for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (getTooltipText->Header.hwndFrom == section->GraphHandle) { PH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT graphGetTooltipText; graphGetTooltipText.Index = getTooltipText->Index; PhInitializeEmptyStringRef(&graphGetTooltipText.Text); section->Callback(section, SysInfoGraphGetTooltipText, &graphGetTooltipText, 0); getTooltipText->Text = graphGetTooltipText.Text; break; } } } } break; case GCN_DRAWPANEL: { PPH_GRAPH_DRAWPANEL drawPanel = (PPH_GRAPH_DRAWPANEL)Header; ULONG i; PPH_SYSINFO_SECTION section; if (CurrentView == SysInfoSummaryView) { for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (drawPanel->Header.hwndFrom == section->GraphHandle) { PhSipDrawPanel(section, drawPanel->hdc, &drawPanel->Rect); break; } } } } break; case GCN_MOUSEEVENT: { PPH_GRAPH_MOUSEEVENT mouseEvent = (PPH_GRAPH_MOUSEEVENT)Header; ULONG i; PPH_SYSINFO_SECTION section; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (mouseEvent->Header.hwndFrom == section->GraphHandle) { if (mouseEvent->Message == WM_LBUTTONDOWN) { PhSipEnterSectionView(section); } break; } } } break; } return FALSE; } BOOLEAN PhSipOnDrawItem( _In_ ULONG_PTR Id, _In_ PDRAWITEMSTRUCT DrawItemStruct ) { ULONG i; PPH_SYSINFO_SECTION section; if (DrawItemStruct->hwndItem == RestoreSummaryControl) { PhSipDrawRestoreSummaryPanel(DrawItemStruct); return TRUE; } else if (DrawItemStruct->hwndItem == SeparatorControl) { PhSipDrawSeparator(DrawItemStruct); return TRUE; } for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (Id == section->PanelId) { PhSipDrawPanel(section, DrawItemStruct->hDC, &DrawItemStruct->rcItem); return TRUE; } } return FALSE; } VOID PhSipOnUserMessage( _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ) { switch (Message) { case SI_MSG_SYSINFO_ACTIVATE: { PWSTR sectionName = (PWSTR)WParam; if (SectionList && sectionName) { PH_STRINGREF sectionNameSr; PPH_SYSINFO_SECTION section; PhInitializeStringRefLongHint(§ionNameSr, sectionName); section = PhSipFindSection(§ionNameSr); if (section) PhSipEnterSectionView(section); else PhSipRestoreSummaryView(); } if (IsMinimized(PhSipWindow)) ShowWindow(PhSipWindow, SW_RESTORE); else ShowWindow(PhSipWindow, SW_SHOW); SetForegroundWindow(PhSipWindow); } break; case SI_MSG_SYSINFO_UPDATE: { ULONG i; PPH_SYSINFO_SECTION section; if (SectionList) { for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; section->Callback(section, SysInfoTick, NULL, NULL); section->GraphState.Valid = FALSE; section->GraphState.TooltipIndex = ULONG_MAX; Graph_Update(section->GraphHandle); InvalidateRect(section->PanelHandle, NULL, FALSE); } } } break; case SI_MSG_SYSINFO_CHANGE_SETTINGS: { ULONG i; PPH_SYSINFO_SECTION section; PH_GRAPH_OPTIONS options; PhSipUpdateColorParameters(); if (SectionList) { for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; Graph_GetOptions(section->GraphHandle, &options); options.FadeOutBackColor = CurrentParameters.GraphBackColor; Graph_SetOptions(section->GraphHandle, &options); } } InvalidateRect(PhSipWindow, NULL, TRUE); } break; } } VOID PhSiNotifyChangeSettings( VOID ) { PhSipUpdateColorParameters(); } _Function_class_(PH_SYSINFO_COLOR_SETUP_FUNCTION) VOID PhSiSetColorsGraphDrawInfo( _Out_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ COLORREF Color1, _In_ COLORREF Color2, _In_ LONG WindowDpi ) { static PH_QUEUED_LOCK lock = PH_QUEUED_LOCK_INIT; static LONG lastDpi = ULONG_MAX; static HFONT iconTitleFont = NULL; // Get the appropriate fonts. if (DrawInfo->Flags & PH_GRAPH_LABEL_MAX_Y) { PhAcquireQueuedLockExclusive(&lock); if (lastDpi != WindowDpi) { LOGFONT logFont; if (PhGetSystemParametersInfo(SPI_GETICONTITLELOGFONT, sizeof(LOGFONT), &logFont, WindowDpi)) { logFont.lfHeight += PhMultiplyDivide(1, WindowDpi, 72); HFONT fontHandle = iconTitleFont; iconTitleFont = CreateFontIndirect(&logFont); if (fontHandle) DeleteFont(fontHandle); } if (!iconTitleFont) iconTitleFont = PhApplicationFont; lastDpi = WindowDpi; } DrawInfo->LabelYFont = iconTitleFont; PhReleaseQueuedLockExclusive(&lock); } DrawInfo->TextFont = PhApplicationFont; // Set up the colors. switch (PhCsGraphColorMode) { case 0: // New colors DrawInfo->BackColor = RGB(0xef, 0xef, 0xef); DrawInfo->LineColor1 = PhHalveColorBrightness(Color1); DrawInfo->LineBackColor1 = PhMakeColorBrighter(Color1, 125); DrawInfo->LineColor2 = PhHalveColorBrightness(Color2); DrawInfo->LineBackColor2 = PhMakeColorBrighter(Color2, 125); DrawInfo->GridColor = RGB(0xc7, 0xc7, 0xc7); DrawInfo->LabelYColor = RGB(0xa0, 0x60, 0x20); DrawInfo->TextColor = RGB(0x00, 0x00, 0x00); DrawInfo->TextBoxColor = RGB(0xe7, 0xe7, 0xe7); break; case 1: // Old colors DrawInfo->BackColor = RGB(0x00, 0x00, 0x00); DrawInfo->LineColor1 = Color1; DrawInfo->LineBackColor1 = PhHalveColorBrightness(Color1); DrawInfo->LineColor2 = Color2; DrawInfo->LineBackColor2 = PhHalveColorBrightness(Color2); DrawInfo->GridColor = RGB(0x00, 0x57, 0x00); DrawInfo->LabelYColor = RGB(0xd0, 0xa0, 0x70); DrawInfo->TextColor = RGB(0x00, 0xff, 0x00); DrawInfo->TextBoxColor = RGB(0x00, 0x22, 0x00); break; } } _Function_class_(PH_GRAPH_LABEL_Y_FUNCTION) PPH_STRING PhSiSizeLabelYFunction( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataIndex, _In_ FLOAT Value, _In_ FLOAT Parameter ) { ULONG64 size; size = (ULONG64)(Value * Parameter); if (size != 0) { PH_FORMAT format; format.Type = SizeFormatType | FormatUsePrecision | FormatUseRadix; format.Precision = 0; format.Radix = (UCHAR)PhMaxSizeUnit; format.u.Size = size; return PhFormat(&format, 1, 0); } else { return PhReferenceEmptyString(); } } _Function_class_(PH_GRAPH_LABEL_Y_FUNCTION) PPH_STRING PhSiDoubleLabelYFunction( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataIndex, _In_ FLOAT Value, _In_ FLOAT Parameter ) { FLOAT value; value = (FLOAT)(Value * Parameter); if (value != 0) { PH_FORMAT format[2]; PhInitFormatF(&format[0], value * 100.f, PhMaxPrecisionUnit); PhInitFormatC(&format[1], L'%'); return PhFormat(format, RTL_NUMBER_OF(format), 0); } else { return PhReferenceEmptyString(); } } _Function_class_(PH_GRAPH_LABEL_Y_FUNCTION) PPH_STRING PhSiUInt64LabelYFunction( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataIndex, _In_ FLOAT Value, _In_ FLOAT Parameter ) { ULONG64 value = (ULONG64)Value * (ULONG64)Parameter; if (value != 0) { return PhFormatUInt64(value, TRUE); } else { return PhReferenceEmptyString(); } } VOID PhSipRegisterDialog( _In_ HWND DialogWindowHandle ) { if (!PhSipDialogList) PhSipDialogList = PhCreateList(4); PhAddItemList(PhSipDialogList, DialogWindowHandle); } VOID PhSipUnregisterDialog( _In_ HWND DialogWindowHandle ) { ULONG index; if ((index = PhFindItemList(PhSipDialogList, DialogWindowHandle)) != ULONG_MAX) PhRemoveItemList(PhSipDialogList, index); } VOID PhSipInitializeParameters( VOID ) { LOGFONT logFont; HDC hdc; TEXTMETRIC textMetrics; HFONT originalFont; PhSipDeleteParameters(); memset(&CurrentParameters, 0, sizeof(PH_SYSINFO_PARAMETERS)); CurrentParameters.WindowDpi = PhGetWindowDpi(PhSipWindow); CurrentParameters.SysInfoWindowHandle = PhSipWindow; CurrentParameters.ContainerWindowHandle = ContainerControl; if (PhGetSystemParametersInfo(SPI_GETICONTITLELOGFONT, sizeof(LOGFONT), &logFont, CurrentParameters.WindowDpi)) { CurrentParameters.Font = CreateFontIndirect(&logFont); } else { CurrentParameters.Font = PhApplicationFont; GetObject(PhApplicationFont, sizeof(LOGFONT), &logFont); } hdc = GetDC(PhSipWindow); logFont.lfHeight -= PhMultiplyDivide(3, CurrentParameters.WindowDpi, 72); CurrentParameters.MediumFont = CreateFontIndirect(&logFont); logFont.lfHeight -= PhMultiplyDivide(3, CurrentParameters.WindowDpi, 72); CurrentParameters.LargeFont = CreateFontIndirect(&logFont); PhSipUpdateColorParameters(); CurrentParameters.ColorSetupFunction = PhSiSetColorsGraphDrawInfo; originalFont = SelectFont(hdc, CurrentParameters.Font); GetTextMetrics(hdc, &textMetrics); CurrentParameters.FontHeight = textMetrics.tmHeight; CurrentParameters.FontAverageWidth = textMetrics.tmAveCharWidth; SelectFont(hdc, CurrentParameters.MediumFont); GetTextMetrics(hdc, &textMetrics); CurrentParameters.MediumFontHeight = textMetrics.tmHeight; CurrentParameters.MediumFontAverageWidth = textMetrics.tmAveCharWidth; SelectFont(hdc, originalFont); // Internal padding and other values CurrentParameters.PanelPadding = PhGetDpi(PH_SYSINFO_PANEL_PADDING, CurrentParameters.WindowDpi); CurrentParameters.WindowPadding = PhGetDpi(PH_SYSINFO_WINDOW_PADDING, CurrentParameters.WindowDpi); CurrentParameters.GraphPadding = PhGetDpi(PH_SYSINFO_GRAPH_PADDING, CurrentParameters.WindowDpi); CurrentParameters.SmallGraphWidth = PhGetDpi(PH_SYSINFO_SMALL_GRAPH_WIDTH, CurrentParameters.WindowDpi); CurrentParameters.SmallGraphPadding = PhGetDpi(PH_SYSINFO_SMALL_GRAPH_PADDING, CurrentParameters.WindowDpi); CurrentParameters.SeparatorWidth = PhGetDpi(PH_SYSINFO_SEPARATOR_WIDTH, CurrentParameters.WindowDpi); CurrentParameters.CpuPadding = PhGetDpi(PH_SYSINFO_CPU_PADDING, CurrentParameters.WindowDpi); CurrentParameters.MemoryPadding = PhGetDpi(PH_SYSINFO_MEMORY_PADDING, CurrentParameters.WindowDpi); CurrentParameters.MinimumGraphHeight = CurrentParameters.PanelPadding + CurrentParameters.MediumFontHeight + CurrentParameters.PanelPadding; CurrentParameters.SectionViewGraphHeight = CurrentParameters.PanelPadding + CurrentParameters.MediumFontHeight + CurrentParameters.PanelPadding + CurrentParameters.FontHeight + 2 + CurrentParameters.FontHeight + CurrentParameters.PanelPadding + 2; CurrentParameters.PanelWidth = CurrentParameters.MediumFontAverageWidth * 10; ReleaseDC(PhSipWindow, hdc); } VOID PhSipDeleteParameters( VOID ) { if (CurrentParameters.Font) DeleteFont(CurrentParameters.Font); if (CurrentParameters.MediumFont) DeleteFont(CurrentParameters.MediumFont); if (CurrentParameters.LargeFont) DeleteFont(CurrentParameters.LargeFont); } VOID PhSipUpdateColorParameters( VOID ) { switch (PhCsGraphColorMode) { case 0: // New colors CurrentParameters.GraphBackColor = RGB(0xef, 0xef, 0xef); CurrentParameters.PanelForeColor = RGB(0x00, 0x00, 0x00); break; case 1: // Old colors CurrentParameters.GraphBackColor = RGB(0x00, 0x00, 0x00); CurrentParameters.PanelForeColor = RGB(0xff, 0xff, 0xff); break; } } _Function_class_(PH_SYSINFO_CREATE_SECTION) PPH_SYSINFO_SECTION PhSipCreateSection( _In_ PPH_SYSINFO_SECTION Template ) { PPH_SYSINFO_SECTION section; PH_GRAPH_OPTIONS options; PH_GRAPH_CREATEPARAMS graphCreateParams; section = PhAllocateZero(sizeof(PH_SYSINFO_SECTION)); section->Name = Template->Name; section->Flags = Template->Flags; section->Callback = Template->Callback; section->Context = Template->Context; memset(&options, 0, sizeof(PH_GRAPH_OPTIONS)); options.FadeOutBackColor = CurrentParameters.GraphBackColor; options.FadeOutWidth = CurrentParameters.PanelWidth + PH_SYSINFO_FADE_ADD; options.DefaultCursor = PhLoadCursor(NULL, IDC_HAND); memset(&graphCreateParams, 0, sizeof(PH_GRAPH_CREATEPARAMS)); graphCreateParams.Size = sizeof(PH_GRAPH_CREATEPARAMS); graphCreateParams.Callback = PhSipGraphCallback; graphCreateParams.Options = options; graphCreateParams.Context = section; section->GraphHandle = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_VISIBLE | WS_CHILD | WS_BORDER | WS_TABSTOP | GC_STYLE_FADEOUT | GC_STYLE_DRAW_PANEL, 0, 0, 0, 0, PhSipWindow, NULL, NULL, &graphCreateParams ); PhInitializeGraphState(§ion->GraphState); if (PhEnableTooltipSupport) Graph_SetTooltip(section->GraphHandle, TRUE); section->Parameters = &CurrentParameters; section->PanelId = IDDYNAMIC + SectionList->Count * 2 + 2; section->PanelHandle = PhCreateWindow( WC_STATIC, NULL, WS_CHILD | SS_OWNERDRAW | SS_NOTIFY, 0, 0, 0, 0, PhSipWindow, UlongToHandle(section->PanelId), NULL, NULL ); section->GraphWindowProc = PhGetWindowProcedure(section->GraphHandle); section->PanelWindowProc = PhGetWindowProcedure(section->PanelHandle); PhSetWindowContext(section->GraphHandle, 0xF, section); PhSetWindowContext(section->PanelHandle, 0xF, section); PhSetWindowProcedure(section->GraphHandle, PhSipGraphHookWndProc); PhSetWindowProcedure(section->PanelHandle, PhSipPanelHookWndProc); PhAddItemList(SectionList, section); section->Callback(section, SysInfoCreate, NULL, NULL); return section; } VOID PhSipDestroySection( _In_ PPH_SYSINFO_SECTION Section ) { Section->Callback(Section, SysInfoDestroy, NULL, NULL); PhDeleteGraphState(&Section->GraphState); PhFree(Section); } _Function_class_(PH_SYSINFO_FIND_SECTION) PPH_SYSINFO_SECTION PhSipFindSection( _In_ PPH_STRINGREF Name ) { ULONG i; PPH_SYSINFO_SECTION section; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (PhEqualStringRef(§ion->Name, Name, TRUE)) return section; } return NULL; } PPH_SYSINFO_SECTION PhSipCreateInternalSection( _In_ PWSTR Name, _In_ ULONG Flags, _In_ PPH_SYSINFO_SECTION_CALLBACK Callback ) { PH_SYSINFO_SECTION section; memset(§ion, 0, sizeof(PH_SYSINFO_SECTION)); PhInitializeStringRefLongHint(§ion.Name, Name); section.Flags = Flags; section.Callback = Callback; return PhSipCreateSection(§ion); } VOID PhSipDrawRestoreSummaryPanel( _In_ PDRAWITEMSTRUCT DrawItemStruct ) { HDC hdc; HDC bufferDc; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; RECT bufferRect = { 0, 0, DrawItemStruct->rcItem.right - DrawItemStruct->rcItem.left, DrawItemStruct->rcItem.bottom - DrawItemStruct->rcItem.top }; if (!(hdc = GetDC(DrawItemStruct->hwndItem))) return; bufferDc = CreateCompatibleDC(hdc); bufferBitmap = CreateCompatibleBitmap(hdc, bufferRect.right, bufferRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); SetBkMode(bufferDc, TRANSPARENT); if (PhEnableThemeSupport) { switch (PhCsGraphColorMode) { case 0: // New colors SetTextColor(bufferDc, RGB(0x00, 0x00, 0x00)); SetDCBrushColor(bufferDc, RGB(0xff, 0xff, 0xff)); FillRect(bufferDc, &bufferRect, PhGetStockBrush(DC_BRUSH)); break; case 1: // Old colors SetTextColor(bufferDc, PhThemeWindowTextColor); SetDCBrushColor(bufferDc, PhThemeWindowBackgroundColor); FillRect(bufferDc, &bufferRect, PhGetStockBrush(DC_BRUSH)); break; } } else { SetTextColor(bufferDc, GetSysColor(COLOR_WINDOWTEXT)); FillRect(bufferDc, &bufferRect, (HBRUSH)(COLOR_WINDOW + 1)); } if (RestoreSummaryControlHot || RestoreSummaryControlHasFocus) { if (ThemeHasItemBackground) { PhDrawThemeBackground( ThemeData, bufferDc, TVP_TREEITEM, TREIS_HOT, &bufferRect, &bufferRect ); } else { FillRect(bufferDc, &bufferRect, (HBRUSH)(COLOR_WINDOW + 1)); } } SelectFont(bufferDc, CurrentParameters.MediumFont); DrawText(bufferDc, L"Back", 4, &bufferRect, DT_CENTER | DT_VCENTER | DT_SINGLELINE); BitBlt( hdc, DrawItemStruct->rcItem.left, DrawItemStruct->rcItem.top, DrawItemStruct->rcItem.right, DrawItemStruct->rcItem.bottom, bufferDc, 0, 0, SRCCOPY ); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); ReleaseDC(DrawItemStruct->hwndItem, hdc); } VOID PhSipDrawSeparator( _In_ PDRAWITEMSTRUCT DrawItemStruct ) { HDC hdc; HDC bufferDc; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; RECT bufferRect = { 0, 0, DrawItemStruct->rcItem.right - DrawItemStruct->rcItem.left, DrawItemStruct->rcItem.bottom - DrawItemStruct->rcItem.top }; if (!(hdc = GetDC(DrawItemStruct->hwndItem))) return; bufferDc = CreateCompatibleDC(hdc); bufferBitmap = CreateCompatibleBitmap(hdc, bufferRect.right, bufferRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); SetBkMode(bufferDc, TRANSPARENT); if (PhEnableThemeSupport) { switch (PhCsGraphColorMode) { case 0: // New colors { //FillRect(bufferDc, &bufferRect, GetSysColorBrush(COLOR_3DFACE)); //bufferRect.left += 1; //FillRect(bufferDc, &bufferRect, GetSysColorBrush(COLOR_3DSHADOW)); //bufferRect.left -= 1; } break; case 1: // Old colors { SetDCBrushColor(bufferDc, PhThemeWindowBackgroundColor); FillRect(bufferDc, &bufferRect, PhGetStockBrush(DC_BRUSH)); } break; } } else { //FillRect(bufferDc, &bufferRect, GetSysColorBrush(COLOR_3DHIGHLIGHT)); //bufferRect.left += 1; //FillRect(bufferDc, &bufferRect, GetSysColorBrush(COLOR_3DSHADOW)); //bufferRect.left -= 1; SetDCBrushColor(bufferDc, RGB(0xff, 0xff, 0xff)); FillRect(bufferDc, &bufferRect, PhGetStockBrush(DC_BRUSH)); } BitBlt( hdc, DrawItemStruct->rcItem.left, DrawItemStruct->rcItem.top, DrawItemStruct->rcItem.right, DrawItemStruct->rcItem.bottom, bufferDc, 0, 0, SRCCOPY ); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); ReleaseDC(DrawItemStruct->hwndItem, hdc); } VOID PhSipDrawPanel( _In_ PPH_SYSINFO_SECTION Section, _In_ HDC hdc, _In_ PRECT Rect ) { PH_SYSINFO_DRAW_PANEL sysInfoDrawPanel; if (CurrentView == SysInfoSectionView) { if (PhEnableThemeSupport) { switch (PhCsGraphColorMode) { case 0: // New colors SetDCBrushColor(hdc, RGB(0xff, 0xff, 0xff)); FillRect(hdc, Rect, PhGetStockBrush(DC_BRUSH)); break; case 1: // Old colors SetDCBrushColor(hdc, PhThemeWindowBackgroundColor); FillRect(hdc, Rect, PhGetStockBrush(DC_BRUSH)); break; } } else { SetDCBrushColor(hdc, RGB(255, 255, 255)); FillRect(hdc, Rect, PhGetStockBrush(DC_BRUSH)); } //if (PhEnableThemeSupport) //{ // switch (PhCsGraphColorMode) // { // case 0: // New colors // FillRect(hdc, Rect, GetSysColorBrush(COLOR_3DFACE)); // break; // case 1: // Old colors // SetDCBrushColor(hdc, RGB(30, 30, 30)); // FillRect(hdc, Rect, PhGetStockBrush(DC_BRUSH)); // break; // } //} //else //{ // FillRect(hdc, Rect, GetSysColorBrush(COLOR_3DFACE)); //} } sysInfoDrawPanel.hdc = hdc; sysInfoDrawPanel.Rect = *Rect; sysInfoDrawPanel.Rect.right = CurrentParameters.PanelWidth; sysInfoDrawPanel.CustomDraw = FALSE; sysInfoDrawPanel.Title = NULL; sysInfoDrawPanel.SubTitle = NULL; sysInfoDrawPanel.SubTitleOverflow = NULL; Section->Callback(Section, SysInfoGraphDrawPanel, &sysInfoDrawPanel, NULL); if (!sysInfoDrawPanel.CustomDraw) { sysInfoDrawPanel.Rect.right = Rect->right; PhSipDefaultDrawPanel(Section, &sysInfoDrawPanel); } PhClearReference(&sysInfoDrawPanel.Title); PhClearReference(&sysInfoDrawPanel.SubTitle); PhClearReference(&sysInfoDrawPanel.SubTitleOverflow); } VOID PhSipDefaultDrawPanel( _In_ PPH_SYSINFO_SECTION Section, _In_ PPH_SYSINFO_DRAW_PANEL DrawPanel ) { HDC hdc; RECT rect; ULONG flags; hdc = DrawPanel->hdc; if (ThemeHasItemBackground) { if (CurrentView == SysInfoSummaryView) { //if (Section->GraphHot) //{ // PhDrawThemeBackground( // ThemeData, // hdc, // TVP_TREEITEM, // TREIS_HOT, // &DrawPanel->Rect, // &DrawPanel->Rect // ); //} } else if (CurrentView == SysInfoSectionView) { INT stateId; stateId = -1; if (Section->GraphHot || Section->PanelHot || (Section->HasFocus && !Section->HideFocus)) { if (Section == CurrentSection) stateId = TREIS_HOTSELECTED; else stateId = TREIS_HOT; } else if (Section == CurrentSection) { stateId = TREIS_SELECTED; } if (stateId != -1) { RECT themeRect; themeRect = DrawPanel->Rect; themeRect.left -= 2; // remove left edge PhDrawThemeBackground( ThemeData, hdc, TVP_TREEITEM, stateId, &themeRect, &DrawPanel->Rect ); } } else if (Section->HasFocus) { PhDrawThemeBackground( ThemeData, hdc, TVP_TREEITEM, TREIS_HOT, &DrawPanel->Rect, &DrawPanel->Rect ); } } else { if (CurrentView == SysInfoSectionView) { HBRUSH brush = NULL; if (Section->GraphHot || Section->PanelHot || Section->HasFocus) { brush = GetSysColorBrush(COLOR_HOTLIGHT); } else if (Section == CurrentSection) { brush = GetSysColorBrush(COLOR_WINDOW); } if (brush) { FillRect(hdc, &DrawPanel->Rect, brush); } } } SetBkMode(hdc, TRANSPARENT); if (PhEnableThemeSupport) { switch (PhCsGraphColorMode) { case 0: // New colors SetTextColor(hdc, RGB(0x00, 0x00, 0x00)); //SetDCBrushColor(hdc, RGB(0xff, 0xff, 0xff)); //FillRect(hdc, Rect, PhGetStockBrush(DC_BRUSH)); break; case 1: // Old colors SetTextColor(hdc, RGB(0xff, 0xff, 0xff)); //SetDCBrushColor(hdc, RGB(0xff, 0xff, 0x00)); //FillRect(hdc, Rect, PhGetStockBrush(DC_BRUSH)); break; } //SetTextColor(hdc, CurrentParameters.PanelForeColor); } else { //SetTextColor(hdc, RGB(0x00, 0x00, 0x00)); if (CurrentView == SysInfoSummaryView) { SetTextColor(hdc, CurrentParameters.PanelForeColor); } else { SetTextColor(hdc, GetSysColor(COLOR_WINDOWTEXT)); } } rect.left = CurrentParameters.SmallGraphPadding + CurrentParameters.PanelPadding; rect.top = CurrentParameters.PanelPadding; rect.right = CurrentParameters.PanelWidth; rect.bottom = DrawPanel->Rect.bottom; flags = DT_NOPREFIX; if (CurrentView == SysInfoSummaryView) rect.right = DrawPanel->Rect.right; // allow the text to overflow else flags |= DT_END_ELLIPSIS; if (DrawPanel->Title) { SelectFont(hdc, CurrentParameters.MediumFont); DrawText(hdc, DrawPanel->Title->Buffer, (ULONG)DrawPanel->Title->Length / sizeof(WCHAR), &rect, flags | DT_SINGLELINE); } if (DrawPanel->SubTitle) { RECT measureRect; SIZE textSize; LONG lineHeight; LONG lineWidth; LONG rectHeight; LONG rectWidth; LONG textHeight; LONG textWidth; rect.top += CurrentParameters.MediumFontHeight + CurrentParameters.PanelPadding; measureRect = rect; SelectFont(hdc, CurrentParameters.Font); GetTextExtentPoint32(hdc, DrawPanel->SubTitle->Buffer, (ULONG)DrawPanel->SubTitle->Length / sizeof(WCHAR), &textSize); DrawText(hdc, DrawPanel->SubTitle->Buffer, (ULONG)DrawPanel->SubTitle->Length / sizeof(WCHAR), &measureRect, flags | DT_CALCRECT); lineHeight = textSize.cy; lineWidth = textSize.cx; rectHeight = rect.bottom - rect.top; rectWidth = rect.right - rect.left; textHeight = measureRect.bottom - measureRect.top; textWidth = measureRect.right - measureRect.left; //dprintf( // "[rectHeight: %u, rectwidth: %u] [lineHeight: %u, lineWidth: %u] [textHeight: %u, textWidth: %u]\n", // rectHeight, rectWidth, // lineHeight, lineWidth, // textHeight, textWidth // ); if (rectHeight > lineHeight) { if (rectHeight > textHeight) { if (lineWidth < rectWidth || !DrawPanel->SubTitleOverflow) { // Text fits; draw normally. DrawText(hdc, DrawPanel->SubTitle->Buffer, (ULONG)DrawPanel->SubTitle->Length / sizeof(WCHAR), &rect, flags); } else { // Text doesn't fit; draw the alternative text. DrawText(hdc, DrawPanel->SubTitleOverflow->Buffer, (ULONG)DrawPanel->SubTitleOverflow->Length / sizeof(WCHAR), &rect, flags); } } else { PH_STRINGREF titlePart; PH_STRINGREF remainingPart; // dmex: Multiline text doesn't fit; split the string and draw the first line. if (DrawPanel->SubTitleOverflow) { if (PhSplitStringRefAtChar(&DrawPanel->SubTitleOverflow->sr, L'\n', &titlePart, &remainingPart)) DrawText(hdc, titlePart.Buffer, (ULONG)titlePart.Length / sizeof(WCHAR), &rect, flags); else DrawText(hdc, DrawPanel->SubTitleOverflow->Buffer, (ULONG)DrawPanel->SubTitleOverflow->Length / sizeof(WCHAR), &rect, flags); } else { if (PhSplitStringRefAtChar(&DrawPanel->SubTitle->sr, L'\n', &titlePart, &remainingPart)) DrawText(hdc, titlePart.Buffer, (ULONG)titlePart.Length / sizeof(WCHAR), &rect, flags); else DrawText(hdc, DrawPanel->SubTitle->Buffer, (ULONG)DrawPanel->SubTitle->Length / sizeof(WCHAR), &rect, flags); } } } } } VOID PhSipLayoutSummaryView( VOID ) { RECT clientRect; ULONG availableHeight; ULONG availableWidth; ULONG graphHeight; ULONG i; PPH_SYSINFO_SECTION section; HDWP deferHandle; ULONG y; if (!PhGetClientRect(PhSipWindow, &clientRect)) return; availableHeight = clientRect.bottom - CurrentParameters.WindowPadding * 2; availableWidth = clientRect.right - CurrentParameters.WindowPadding * 2; graphHeight = (availableHeight - CurrentParameters.GraphPadding * (SectionList->Count - 1)) / SectionList->Count; deferHandle = BeginDeferWindowPos(SectionList->Count); y = CurrentParameters.WindowPadding; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; deferHandle = DeferWindowPos( deferHandle, section->GraphHandle, NULL, CurrentParameters.WindowPadding, y, availableWidth, graphHeight, SWP_NOACTIVATE | SWP_NOZORDER ); y += graphHeight + CurrentParameters.GraphPadding; section->GraphState.Valid = FALSE; } EndDeferWindowPos(deferHandle); } VOID PhSipLayoutSectionView( VOID ) { RECT clientRect; ULONG availableHeight; ULONG availableWidth; ULONG graphHeight; ULONG i; PPH_SYSINFO_SECTION section; HDWP deferHandle; ULONG y; ULONG containerLeft; if (!PhGetClientRect(PhSipWindow, &clientRect)) return; availableHeight = clientRect.bottom - CurrentParameters.WindowPadding * 2; availableWidth = clientRect.right - CurrentParameters.WindowPadding * 2; graphHeight = (availableHeight - CurrentParameters.SmallGraphPadding * SectionList->Count) / (SectionList->Count + 1); if (graphHeight > CurrentParameters.SectionViewGraphHeight) graphHeight = CurrentParameters.SectionViewGraphHeight; deferHandle = BeginDeferWindowPos(SectionList->Count * 2 + 3); y = CurrentParameters.WindowPadding; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; deferHandle = DeferWindowPos( deferHandle, section->GraphHandle, NULL, CurrentParameters.WindowPadding, y, CurrentParameters.SmallGraphWidth, graphHeight, SWP_NOACTIVATE | SWP_NOZORDER ); deferHandle = DeferWindowPos( deferHandle, section->PanelHandle, NULL, CurrentParameters.WindowPadding + CurrentParameters.SmallGraphWidth, y, CurrentParameters.SmallGraphPadding + CurrentParameters.PanelWidth, graphHeight, SWP_NOACTIVATE | SWP_NOZORDER ); InvalidateRect(section->PanelHandle, NULL, TRUE); y += graphHeight + CurrentParameters.SmallGraphPadding; section->GraphState.Valid = FALSE; } deferHandle = DeferWindowPos( deferHandle, RestoreSummaryControl, NULL, CurrentParameters.WindowPadding, y, CurrentParameters.SmallGraphWidth + CurrentParameters.SmallGraphPadding + CurrentParameters.PanelWidth, graphHeight, SWP_NOACTIVATE | SWP_NOZORDER ); InvalidateRect(RestoreSummaryControl, NULL, TRUE); deferHandle = DeferWindowPos( deferHandle, SeparatorControl, NULL, CurrentParameters.WindowPadding + CurrentParameters.SmallGraphWidth + CurrentParameters.SmallGraphPadding + CurrentParameters.PanelWidth + CurrentParameters.WindowPadding - 7, 0, CurrentParameters.SeparatorWidth, CurrentParameters.WindowPadding + availableHeight, SWP_NOACTIVATE | SWP_NOZORDER ); containerLeft = CurrentParameters.WindowPadding + CurrentParameters.SmallGraphWidth + CurrentParameters.SmallGraphPadding + CurrentParameters.PanelWidth + CurrentParameters.WindowPadding - 7 + CurrentParameters.SeparatorWidth; deferHandle = DeferWindowPos( deferHandle, ContainerControl, NULL, containerLeft, 0, clientRect.right - containerLeft, CurrentParameters.WindowPadding + availableHeight, SWP_NOACTIVATE | SWP_NOZORDER ); EndDeferWindowPos(deferHandle); if (CurrentSection && CurrentSection->DialogHandle) { SetWindowPos( CurrentSection->DialogHandle, NULL, CurrentParameters.WindowPadding, CurrentParameters.WindowPadding, clientRect.right - containerLeft - CurrentParameters.WindowPadding - CurrentParameters.WindowPadding, availableHeight, SWP_NOACTIVATE | SWP_NOZORDER ); } } _Function_class_(PH_SYSINFO_ENTER_SECTION_VIEW) VOID PhSipEnterSectionView( _In_ PPH_SYSINFO_SECTION NewSection ) { ULONG i; PPH_SYSINFO_SECTION section; BOOLEAN fromSummaryView; PPH_SYSINFO_SECTION oldSection; HDWP deferHandle; HDWP containerDeferHandle; if (CurrentSection == NewSection) return; fromSummaryView = CurrentView == SysInfoSummaryView; CurrentView = SysInfoSectionView; oldSection = CurrentSection; CurrentSection = NewSection; deferHandle = BeginDeferWindowPos(SectionList->Count + 3); containerDeferHandle = BeginDeferWindowPos(SectionList->Count); PhSipEnterSectionViewInner(NewSection, fromSummaryView, &deferHandle, &containerDeferHandle); PhSipLayoutSectionView(); for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; if (section != NewSection) PhSipEnterSectionViewInner(section, fromSummaryView, &deferHandle, &containerDeferHandle); } deferHandle = DeferWindowPos(deferHandle, ContainerControl, NULL, 0, 0, 0, 0, SWP_SHOWWINDOW_ONLY); deferHandle = DeferWindowPos(deferHandle, RestoreSummaryControl, NULL, 0, 0, 0, 0, SWP_SHOWWINDOW_ONLY); deferHandle = DeferWindowPos(deferHandle, SeparatorControl, NULL, 0, 0, 0, 0, SWP_SHOWWINDOW_ONLY); EndDeferWindowPos(deferHandle); EndDeferWindowPos(containerDeferHandle); if (oldSection) InvalidateRect(oldSection->PanelHandle, NULL, TRUE); InvalidateRect(NewSection->PanelHandle, NULL, TRUE); if (NewSection->DialogHandle) RedrawWindow(NewSection->DialogHandle, NULL, NULL, RDW_ERASE | RDW_INVALIDATE | RDW_ALLCHILDREN | RDW_UPDATENOW); } VOID PhSipEnterSectionViewInner( _In_ PPH_SYSINFO_SECTION Section, _In_ BOOLEAN FromSummaryView, _Inout_ HDWP *DeferHandle, _Inout_ HDWP *ContainerDeferHandle ) { Section->HasFocus = FALSE; Section->Callback(Section, SysInfoViewChanging, UlongToPtr(CurrentView), CurrentSection); if (FromSummaryView) { PhSetWindowStyle(Section->GraphHandle, GC_STYLE_FADEOUT | GC_STYLE_DRAW_PANEL, 0); *DeferHandle = DeferWindowPos(*DeferHandle, Section->PanelHandle, NULL, 0, 0, 0, 0, SWP_SHOWWINDOW_ONLY); } if (Section == CurrentSection && !Section->DialogHandle) PhSipCreateSectionDialog(Section); if (Section->DialogHandle) { if (Section == CurrentSection) *ContainerDeferHandle = DeferWindowPos(*ContainerDeferHandle, Section->DialogHandle, NULL, 0, 0, 0, 0, SWP_SHOWWINDOW_ONLY | SWP_NOREDRAW); else *ContainerDeferHandle = DeferWindowPos(*ContainerDeferHandle, Section->DialogHandle, NULL, 0, 0, 0, 0, SWP_HIDEWINDOW_ONLY | SWP_NOREDRAW); } } _Function_class_(PH_SYSINFO_RESTORE_SUMMARY_VIEW) VOID PhSipRestoreSummaryView( VOID ) { ULONG i; PPH_SYSINFO_SECTION section; if (CurrentView == SysInfoSummaryView) return; CurrentView = SysInfoSummaryView; CurrentSection = NULL; for (i = 0; i < SectionList->Count; i++) { section = SectionList->Items[i]; section->Callback(section, SysInfoViewChanging, UlongToPtr(CurrentView), NULL); PhSetWindowStyle(section->GraphHandle, GC_STYLE_FADEOUT | GC_STYLE_DRAW_PANEL, GC_STYLE_FADEOUT | GC_STYLE_DRAW_PANEL); ShowWindow(section->PanelHandle, SW_HIDE); if (section->DialogHandle) ShowWindow(section->DialogHandle, SW_HIDE); } ShowWindow(ContainerControl, SW_HIDE); ShowWindow(RestoreSummaryControl, SW_HIDE); ShowWindow(SeparatorControl, SW_HIDE); PhSipLayoutSummaryView(); } VOID PhSipCreateSectionDialog( _In_ PPH_SYSINFO_SECTION Section ) { PH_SYSINFO_CREATE_DIALOG createDialog; memset(&createDialog, 0, sizeof(PH_SYSINFO_CREATE_DIALOG)); if (Section->Callback(Section, SysInfoCreateDialog, &createDialog, NULL)) { if (!createDialog.CustomCreate) { Section->DialogHandle = PhCreateDialogFromTemplate( ContainerControl, DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD, createDialog.Instance, createDialog.Template, createDialog.DialogProc, createDialog.Parameter ); if (PhEnableThemeSupport) { PhInitializeWindowTheme(Section->DialogHandle, PhEnableThemeSupport); } } } } LRESULT CALLBACK PhSipGraphHookWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_SYSINFO_SECTION section; WNDPROC oldWndProc; if (!(section = PhGetWindowContext(hwnd, 0xF))) return 0; oldWndProc = section->GraphWindowProc; switch (uMsg) { case WM_DESTROY: { PhSetWindowProcedure(hwnd, oldWndProc); PhRemoveWindowContext(hwnd, 0xF); } break; case WM_SETFOCUS: { section->HasFocus = TRUE; if (CurrentView == SysInfoSummaryView) { Graph_Draw(section->GraphHandle); InvalidateRect(section->GraphHandle, NULL, FALSE); } else { InvalidateRect(section->PanelHandle, NULL, TRUE); } } break; case WM_KILLFOCUS: { section->HasFocus = FALSE; if (CurrentView == SysInfoSummaryView) { Graph_Draw(section->GraphHandle); InvalidateRect(section->GraphHandle, NULL, FALSE); } else { InvalidateRect(section->PanelHandle, NULL, TRUE); } } break; case WM_GETDLGCODE: if (wParam == VK_SPACE || wParam == VK_RETURN || wParam == VK_UP || wParam == VK_DOWN || wParam == VK_LEFT || wParam == VK_RIGHT) return DLGC_WANTALLKEYS; break; case WM_KEYDOWN: { if (wParam == VK_SPACE || wParam == VK_RETURN) { PhSipEnterSectionView(section); } else if (wParam == VK_UP || wParam == VK_LEFT || wParam == VK_DOWN || wParam == VK_RIGHT) { ULONG i; for (i = 0; i < SectionList->Count; i++) { if (SectionList->Items[i] == section) { if ((wParam == VK_UP || wParam == VK_LEFT) && i > 0) { SetFocus(((PPH_SYSINFO_SECTION)SectionList->Items[i - 1])->GraphHandle); } else if (wParam == VK_DOWN || wParam == VK_RIGHT) { if (i < SectionList->Count - 1) SetFocus(((PPH_SYSINFO_SECTION)SectionList->Items[i + 1])->GraphHandle); else SetFocus(RestoreSummaryControl); } break; } } } } break; case WM_MOUSEMOVE: { TRACKMOUSEEVENT trackMouseEvent; trackMouseEvent.cbSize = sizeof(TRACKMOUSEEVENT); trackMouseEvent.dwFlags = TME_LEAVE; trackMouseEvent.hwndTrack = hwnd; trackMouseEvent.dwHoverTime = 0; TrackMouseEvent(&trackMouseEvent); if (!(section->GraphHot || section->PanelHot)) { section->GraphHot = TRUE; } else { section->GraphHot = TRUE; } Graph_Draw(section->GraphHandle); InvalidateRect(section->GraphHandle, NULL, TRUE); InvalidateRect(section->PanelHandle, NULL, TRUE); } break; case WM_MOUSELEAVE: { if (!section->PanelHot) { section->GraphHot = FALSE; InvalidateRect(section->PanelHandle, NULL, TRUE); } else { section->GraphHot = FALSE; } section->HasFocus = FALSE; if (CurrentView == SysInfoSummaryView) { Graph_Draw(section->GraphHandle); InvalidateRect(section->GraphHandle, NULL, FALSE); } } break; case WM_NCLBUTTONDOWN: { PhSipEnterSectionView(section); } break; case WM_UPDATEUISTATE: { switch (LOWORD(wParam)) { case UIS_SET: if (HIWORD(wParam) & UISF_HIDEFOCUS) section->HideFocus = TRUE; break; case UIS_CLEAR: if (HIWORD(wParam) & UISF_HIDEFOCUS) section->HideFocus = FALSE; break; case UIS_INITIALIZE: section->HideFocus = !!(HIWORD(wParam) & UISF_HIDEFOCUS); break; } } break; } return CallWindowProc(oldWndProc, hwnd, uMsg, wParam, lParam); } LRESULT CALLBACK PhSipPanelHookWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_SYSINFO_SECTION section; WNDPROC oldWndProc; section = PhGetWindowContext(hwnd, 0xF); if (section) oldWndProc = section->PanelWindowProc; else oldWndProc = RestoreSummaryControlOldWndProc; switch (uMsg) { case WM_DESTROY: { PhSetWindowProcedure(hwnd, oldWndProc); PhRemoveWindowContext(hwnd, 0xF); } break; case WM_SETFOCUS: { if (!section) { RestoreSummaryControlHasFocus = TRUE; InvalidateRect(hwnd, NULL, TRUE); } } break; case WM_KILLFOCUS: { if (!section) { RestoreSummaryControlHasFocus = FALSE; InvalidateRect(hwnd, NULL, TRUE); } } break; case WM_SETCURSOR: { PhSetCursor(PhLoadCursor(NULL, IDC_HAND)); } return TRUE; case WM_GETDLGCODE: if (wParam == VK_SPACE || wParam == VK_RETURN || wParam == VK_UP || wParam == VK_DOWN || wParam == VK_LEFT || wParam == VK_RIGHT) return DLGC_WANTALLKEYS; break; case WM_KEYDOWN: { if (wParam == VK_SPACE || wParam == VK_RETURN) { if (section) PhSipEnterSectionView(section); else PhSipRestoreSummaryView(); } else if (wParam == VK_UP || wParam == VK_LEFT) { if (!section && SectionList->Count != 0) { SetFocus(((PPH_SYSINFO_SECTION)SectionList->Items[SectionList->Count - 1])->GraphHandle); } } } break; case WM_MOUSEMOVE: { TRACKMOUSEEVENT trackMouseEvent; trackMouseEvent.cbSize = sizeof(TRACKMOUSEEVENT); trackMouseEvent.dwFlags = TME_LEAVE; trackMouseEvent.hwndTrack = hwnd; trackMouseEvent.dwHoverTime = 0; TrackMouseEvent(&trackMouseEvent); if (section) { if (!(section->GraphHot || section->PanelHot)) { section->PanelHot = TRUE; InvalidateRect(section->PanelHandle, NULL, TRUE); } else { section->PanelHot = TRUE; } } else { RestoreSummaryControlHot = TRUE; InvalidateRect(RestoreSummaryControl, NULL, TRUE); } } break; case WM_MOUSELEAVE: { if (section) { section->HasFocus = FALSE; if (!section->GraphHot) { section->PanelHot = FALSE; InvalidateRect(section->PanelHandle, NULL, TRUE); } else { section->PanelHot = FALSE; } } else { RestoreSummaryControlHasFocus = FALSE; RestoreSummaryControlHot = FALSE; InvalidateRect(RestoreSummaryControl, NULL, TRUE); } } break; } return CallWindowProc(oldWndProc, hwnd, uMsg, wParam, lParam); } VOID PhSipUpdateThemeData( VOID ) { LONG dpi = PhGetWindowDpi(PhSipWindow); if (ThemeData) { PhCloseThemeData(ThemeData); ThemeData = NULL; } ThemeData = PhOpenThemeData(PhSipWindow, VSCLASS_TREEVIEW, dpi); if (ThemeData) { ThemeHasItemBackground = PhIsThemePartDefined(ThemeData, TVP_TREEITEM, 0); } else { ThemeHasItemBackground = FALSE; } } VOID PhSipSaveWindowState( VOID ) { WINDOWPLACEMENT placement = { sizeof(placement) }; GetWindowPlacement(PhSipWindow, &placement); if (placement.showCmd == SW_NORMAL) PhSetIntegerSetting(SETTING_SYSINFO_WINDOW_STATE, SW_NORMAL); else if (placement.showCmd == SW_MAXIMIZE) PhSetIntegerSetting(SETTING_SYSINFO_WINDOW_STATE, SW_MAXIMIZE); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhSipSysInfoUpdateHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { PostMessage(PhSipWindow, SI_MSG_SYSINFO_UPDATE, 0, 0); } _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PhSipSysInfoSettingsCallback( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { PostMessage(PhSipWindow, SI_MSG_SYSINFO_CHANGE_SETTINGS, 0, 0); } ================================================ FILE: SystemInformer/syssccpu.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include static PPH_SYSINFO_SECTION CpuSection; static HWND CpuDialog; static PH_LAYOUT_MANAGER CpuLayoutManager; static RECT CpuGraphMargin; static HWND CpuGraphHandle; static PH_GRAPH_STATE CpuGraphState; static HWND *CpusGraphHandle; static PPH_GRAPH_STATE CpusGraphState; static BOOLEAN OneGraphPerCpu; static HWND CpuPanel; static ULONG CpuTicked; static ULONG CpuMaxMhz; static ULONG NumberOfProcessors; static FLOAT CpuTimerResolution; static PFLOAT CpuFrequencyInformation; static FLOAT CpuCurrentFrequency; static PSYSTEM_INTERRUPT_INFORMATION InterruptInformation; static PPROCESSOR_POWER_INFORMATION PowerInformation; static PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION CurrentPerformanceDistribution; static PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION PreviousPerformanceDistribution; static PH_LOGICAL_PROCESSOR_INFORMATION LogicalProcessorInformation; static PH_UINT32_DELTA ContextSwitchesDelta; static PH_UINT32_DELTA InterruptsDelta; static PH_UINT64_DELTA DpcsDelta; static PH_UINT32_DELTA SystemCallsDelta; static HWND CpuPanelUtilizationLabel; static HWND CpuPanelSpeedLabel; static HWND CpuVirtualizationLabel; static HWND CpuPanelProcessesLabel; static HWND CpuPanelThreadsLabel; static HWND CpuPanelHandlesLabel; static HWND CpuPanelUptimeLabel; static HWND CpuPanelContextSwitchesLabel; static HWND CpuPanelInterruptDeltaLabel; static HWND CpuPanelDpcDeltaLabel; static HWND CpuPanelSystemCallsDeltaLabel; static HWND CpuPanelCoresLabel; static HWND CpuPanelSocketsLabel; static HWND CpuPanelLogicalLabel; static HWND CpuPanelLatencyLabel; static ULONG64 CpuL1CacheSize; static ULONG64 CpuL2CacheSize; static ULONG64 CpuL3CacheSize; _Function_class_(PH_SYSINFO_SECTION_CALLBACK) BOOLEAN PhSipCpuSectionCallback( _In_ PPH_SYSINFO_SECTION Section, _In_ PH_SYSINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ) { switch (Message) { case SysInfoCreate: { CpuSection = Section; } return TRUE; case SysInfoDestroy: { if (CpuDialog) { PhSipUninitializeCpuDialog(); CpuDialog = NULL; } } return TRUE; case SysInfoTick: { if (CpuDialog) { PhSipTickCpuDialog(); } } return TRUE; case SysInfoViewChanging: { PH_SYSINFO_VIEW_TYPE view = (PH_SYSINFO_VIEW_TYPE)PtrToUlong(Parameter1); PPH_SYSINFO_SECTION section = (PPH_SYSINFO_SECTION)Parameter2; if (view == SysInfoSummaryView || section != Section) return TRUE; if (OneGraphPerCpu) { for (ULONG i = 0; i < NumberOfProcessors; i++) { if (CpusGraphHandle && CpusGraphHandle[i] && CpusGraphState) { CpusGraphState[i].Valid = FALSE; CpusGraphState[i].TooltipIndex = ULONG_MAX; Graph_Draw(CpusGraphHandle[i]); } } } else { if (CpuGraphHandle) { CpuGraphState.Valid = FALSE; CpuGraphState.TooltipIndex = ULONG_MAX; Graph_Draw(CpuGraphHandle); } } } return TRUE; case SysInfoCreateDialog: { PPH_SYSINFO_CREATE_DIALOG createDialog = Parameter1; createDialog->Instance = PhInstanceHandle; createDialog->Template = MAKEINTRESOURCE(IDD_SYSINFO_CPU); createDialog->DialogProc = PhSipCpuDialogProc; } return TRUE; case SysInfoGraphGetDrawInfo: { PPH_GRAPH_DRAW_INFO drawInfo = Parameter1; drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_USE_LINE_2 | PH_GRAPH_LABEL_MAX_Y; Section->Parameters->ColorSetupFunction(drawInfo, PhCsColorCpuKernel, PhCsColorCpuUser, Section->Parameters->WindowDpi); PhGetDrawInfoGraphBuffers(&Section->GraphState.Buffers, drawInfo, PhCpuKernelHistory.Count); if (!Section->GraphState.Valid) { PhCopyCircularBuffer_FLOAT(&PhCpuKernelHistory, Section->GraphState.Data1, drawInfo->LineDataCount); PhCopyCircularBuffer_FLOAT(&PhCpuUserHistory, Section->GraphState.Data2, drawInfo->LineDataCount); if (PhCsEnableGraphMaxScale) { FLOAT max = 0; if (PhCsEnableAvxSupport && drawInfo->LineDataCount > 128) { max = PhAddPlusMaxMemorySingles( Section->GraphState.Data1, Section->GraphState.Data2, drawInfo->LineDataCount ); } else { for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT data = Section->GraphState.Data1[i] + Section->GraphState.Data2[i]; if (max < data) max = data; } } if (max != 0) { PhDivideSinglesBySingle(Section->GraphState.Data1, max, drawInfo->LineDataCount); PhDivideSinglesBySingle(Section->GraphState.Data2, max, drawInfo->LineDataCount); } drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = max; } else { drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = 1.0f; } Section->GraphState.Valid = TRUE; } } return TRUE; case SysInfoGraphGetTooltipText: { PPH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT getTooltipText = Parameter1; FLOAT cpuKernel; FLOAT cpuUser; PH_FORMAT format[9]; cpuKernel = PhGetItemCircularBuffer_FLOAT(&PhCpuKernelHistory, getTooltipText->Index); cpuUser = PhGetItemCircularBuffer_FLOAT(&PhCpuUserHistory, getTooltipText->Index); // %.2f%% (K: %.2f%%, U: %.2f%%)\n%s\n%s PhInitFormatF(&format[0], (cpuKernel + cpuUser) * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[1], L"% (K: "); PhInitFormatF(&format[2], cpuKernel * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[3], L"%, U: "); PhInitFormatF(&format[4], cpuUser * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[5], L"%)"); PhInitFormatSR(&format[6], PH_AUTO_T(PH_STRING, PhSipGetMaxCpuString(getTooltipText->Index))->sr); PhInitFormatC(&format[7], L'\n'); PhInitFormatSR(&format[8], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&Section->GraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 160)); getTooltipText->Text = Section->GraphState.TooltipText->sr; } return TRUE; case SysInfoGraphDrawPanel: { PPH_SYSINFO_DRAW_PANEL drawPanel = Parameter1; PH_FORMAT format[2]; // %.2f%% PhInitFormatF(&format[0], (PhCpuKernelUsage + PhCpuUserUsage) * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[1], L'%'); drawPanel->Title = PhCreateString(L"CPU"); drawPanel->SubTitle = PhFormat(format, RTL_NUMBER_OF(format), 16); } return TRUE; } return FALSE; } VOID PhSipInitializeCpuDialog( VOID ) { PhInitializeDelta(&ContextSwitchesDelta); PhInitializeDelta(&InterruptsDelta); PhInitializeDelta(&DpcsDelta); PhInitializeDelta(&SystemCallsDelta); NumberOfProcessors = PhSystemProcessorInformation.NumberOfProcessors; CpusGraphHandle = PhAllocate(sizeof(HWND) * NumberOfProcessors); CpusGraphState = PhAllocate(sizeof(PH_GRAPH_STATE) * NumberOfProcessors); InterruptInformation = PhAllocate(sizeof(SYSTEM_INTERRUPT_INFORMATION) * NumberOfProcessors); PowerInformation = PhAllocate(sizeof(PROCESSOR_POWER_INFORMATION) * NumberOfProcessors); if (PhGetIntegerSetting(SETTING_SYSINFO_SHOW_CPU_SPEED_PER_CPU)) { CpuFrequencyInformation = PhAllocateZero(sizeof(FLOAT) * NumberOfProcessors); } PhInitializeGraphState(&CpuGraphState); for (ULONG i = 0; i < NumberOfProcessors; i++) PhInitializeGraphState(&CpusGraphState[i]); CpuTicked = 0; CpuMaxMhz = 0; PhSipUpdateTimerResolution(); PhSipUpdateProcessorInformation(); PhSipUpdateProcessorFrequency(); CurrentPerformanceDistribution = NULL; PhGetSystemProcessorPerformanceDistribution(&CurrentPerformanceDistribution); PhGetSystemLogicalProcessorRelationInformation(&LogicalProcessorInformation); } VOID PhSipUninitializeCpuDialog( VOID ) { ULONG i; PhDeleteGraphState(&CpuGraphState); for (i = 0; i < NumberOfProcessors; i++) PhDeleteGraphState(&CpusGraphState[i]); PhFree(CpusGraphHandle); PhFree(CpusGraphState); PhFree(InterruptInformation); PhFree(PowerInformation); // Note: Required for SysInfoViewChanging (dmex) NumberOfProcessors = 0; CpuGraphHandle = NULL; CpusGraphHandle = NULL; CpusGraphState = NULL; InterruptInformation = NULL; PowerInformation = NULL; if (CurrentPerformanceDistribution) { PhFree(CurrentPerformanceDistribution); CurrentPerformanceDistribution = NULL; } if (PreviousPerformanceDistribution) { PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = NULL; } PhSetIntegerSetting(SETTING_SYSINFO_WINDOW_ONE_GRAPH_PER_CPU, OneGraphPerCpu); } VOID PhSipTickCpuDialog( VOID ) { ULONG64 dpcCount; PhSipUpdateInterruptInformation(&dpcCount); PhUpdateDelta(&ContextSwitchesDelta, PhPerfInformation.ContextSwitches); PhUpdateDelta(&InterruptsDelta, PhCpuTotals.InterruptCount); PhUpdateDelta(&DpcsDelta, dpcCount); PhUpdateDelta(&SystemCallsDelta, PhPerfInformation.SystemCalls); PhSipUpdateTimerResolution(); PhSipUpdateProcessorInformation(); PhSipUpdateProcessorPerformanceDistribution(); //PhGetSystemLogicalProcessorRelationInformation(&LogicalProcessorInformation); if (CpuTicked < 2) CpuTicked++; PhSipUpdateCpuGraphs(); PhSipUpdateCpuPanel(); } INT_PTR CALLBACK PhSipCpuDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PPH_LAYOUT_ITEM graphItem; PPH_LAYOUT_ITEM panelItem; PPH_STRING brandString; HWND labelHandle; PhSipInitializeCpuDialog(); CpuDialog = hwndDlg; labelHandle = GetDlgItem(hwndDlg, IDC_CPUNAME); PhInitializeLayoutManager(&CpuLayoutManager, hwndDlg); PhAddLayoutItem(&CpuLayoutManager, labelHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT | PH_LAYOUT_FORCE_INVALIDATE); graphItem = PhAddLayoutItem(&CpuLayoutManager, GetDlgItem(hwndDlg, IDC_GRAPH_LAYOUT), NULL, PH_ANCHOR_ALL); panelItem = PhAddLayoutItem(&CpuLayoutManager, GetDlgItem(hwndDlg, IDC_LAYOUT), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); CpuGraphMargin = graphItem->Margin; SetWindowFont(GetDlgItem(hwndDlg, IDC_TITLE), CpuSection->Parameters->LargeFont, FALSE); SetWindowFont(labelHandle, CpuSection->Parameters->MediumFont, FALSE); brandString = PhSipGetCpuBrandString(); PhSetWindowText(labelHandle, PhGetStringOrEmpty(brandString)); PhClearReference(&brandString); CpuPanel = PhCreateDialog(PhInstanceHandle, MAKEINTRESOURCE(IDD_SYSINFO_CPUPANEL), hwndDlg, PhSipCpuPanelDialogProc, NULL); ShowWindow(CpuPanel, SW_SHOW); PhAddLayoutItemEx(&CpuLayoutManager, CpuPanel, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM, &panelItem->Margin); PhSipCreateCpuGraphs(); if (NumberOfProcessors != 1) { OneGraphPerCpu = (BOOLEAN)PhGetIntegerSetting(SETTING_SYSINFO_WINDOW_ONE_GRAPH_PER_CPU); Button_SetCheck(GetDlgItem(CpuPanel, IDC_ONEGRAPHPERCPU), OneGraphPerCpu ? BST_CHECKED : BST_UNCHECKED); PhSipSetOneGraphPerCpu(); } else { OneGraphPerCpu = FALSE; EnableWindow(GetDlgItem(CpuPanel, IDC_ONEGRAPHPERCPU), FALSE); PhSipSetOneGraphPerCpu(); } PhSipUpdateCpuGraphs(); PhSipUpdateCpuPanel(); } break; case WM_DESTROY: { PhDeleteLayoutManager(&CpuLayoutManager); } break; case WM_DPICHANGED_AFTERPARENT: { if (CpuSection->Parameters->LargeFont) { SetWindowFont(GetDlgItem(hwndDlg, IDC_TITLE), CpuSection->Parameters->LargeFont, FALSE); } if (CpuSection->Parameters->MediumFont) { SetWindowFont(GetDlgItem(hwndDlg, IDC_CPUNAME), CpuSection->Parameters->MediumFont, FALSE); } if (OneGraphPerCpu) { for (ULONG i = 0; i < NumberOfProcessors; i++) { CpusGraphState[i].Valid = FALSE; CpusGraphState[i].TooltipIndex = ULONG_MAX; } } else { CpuGraphState.Valid = FALSE; CpuGraphState.TooltipIndex = ULONG_MAX; } PhLayoutManagerUpdate(&CpuLayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&CpuLayoutManager); PhSipLayoutCpuGraphs(); } break; case WM_SIZE: { if (OneGraphPerCpu) { for (ULONG i = 0; i < NumberOfProcessors; i++) { CpusGraphState[i].Valid = FALSE; CpusGraphState[i].TooltipIndex = ULONG_MAX; } } else { CpuGraphState.Valid = FALSE; CpuGraphState.TooltipIndex = ULONG_MAX; } PhLayoutManagerLayout(&CpuLayoutManager); PhSipLayoutCpuGraphs(); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } INT_PTR CALLBACK PhSipCpuPanelDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { CpuL1CacheSize = 0; CpuL2CacheSize = 0; CpuL3CacheSize = 0; CpuPanelUtilizationLabel = GetDlgItem(hwndDlg, IDC_UTILIZATION); CpuPanelSpeedLabel = GetDlgItem(hwndDlg, IDC_SPEED); CpuVirtualizationLabel = GetDlgItem(hwndDlg, IDC_VIRTUALIZATION); CpuPanelProcessesLabel = GetDlgItem(hwndDlg, IDC_ZPROCESSES_V); CpuPanelThreadsLabel = GetDlgItem(hwndDlg, IDC_ZTHREADS_V); CpuPanelHandlesLabel = GetDlgItem(hwndDlg, IDC_ZHANDLES_V); CpuPanelUptimeLabel = GetDlgItem(hwndDlg, IDC_ZUPTIME_V); CpuPanelContextSwitchesLabel = GetDlgItem(hwndDlg, IDC_ZCONTEXTSWITCHESDELTA_V); CpuPanelInterruptDeltaLabel = GetDlgItem(hwndDlg, IDC_ZINTERRUPTSDELTA_V); CpuPanelDpcDeltaLabel = GetDlgItem(hwndDlg, IDC_ZDPCSDELTA_V); CpuPanelSystemCallsDeltaLabel = GetDlgItem(hwndDlg, IDC_ZSYSTEMCALLSDELTA_V); CpuPanelCoresLabel = GetDlgItem(hwndDlg, IDC_ZCORES); CpuPanelSocketsLabel = GetDlgItem(hwndDlg, IDC_ZSOCKETS); CpuPanelLogicalLabel = GetDlgItem(hwndDlg, IDC_ZLOGICAL); CpuPanelLatencyLabel = GetDlgItem(hwndDlg, IDC_ZLATENCY); SetWindowFont(CpuPanelUtilizationLabel, CpuSection->Parameters->MediumFont, FALSE); SetWindowFont(CpuPanelSpeedLabel, CpuSection->Parameters->MediumFont, FALSE); SetWindowFont(CpuVirtualizationLabel, CpuSection->Parameters->MediumFont, FALSE); PhQueueUserWorkItem(PhSipCpuSMBIOSWorkRoutine, NULL); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_ONEGRAPHPERCPU: { OneGraphPerCpu = Button_GetCheck(GET_WM_COMMAND_HWND(wParam, lParam)) == BST_CHECKED; PhSipLayoutCpuGraphs(); PhSipSetOneGraphPerCpu(); } break; } } break; case WM_DPICHANGED_AFTERPARENT: { if (CpuSection->Parameters->MediumFont) { SetWindowFont(CpuPanelUtilizationLabel, CpuSection->Parameters->MediumFont, FALSE); } if (CpuSection->Parameters->MediumFont) { SetWindowFont(CpuPanelSpeedLabel, CpuSection->Parameters->MediumFont, FALSE); } PhSipLayoutCpuGraphs(); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhSipCreateCpuGraphs( VOID ) { PH_GRAPH_CREATEPARAMS graphCreateParams; memset(&graphCreateParams, 0, sizeof(PH_GRAPH_CREATEPARAMS)); graphCreateParams.Size = sizeof(PH_GRAPH_CREATEPARAMS); graphCreateParams.Callback = PhSipCpuGraphCallback; graphCreateParams.Context = UlongToPtr(ULONG_MAX); CpuGraphHandle = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_CHILD | WS_BORDER, 0, 0, 0, 0, CpuDialog, NULL, NULL, &graphCreateParams ); if (PhEnableTooltipSupport) { Graph_SetTooltip(CpuGraphHandle, TRUE); } for (ULONG i = 0; i < NumberOfProcessors; i++) { graphCreateParams.Context = UlongToPtr(i); CpusGraphHandle[i] = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_CHILD | WS_BORDER, 0, 0, 0, 0, CpuDialog, NULL, NULL, &graphCreateParams ); if (PhEnableTooltipSupport) { Graph_SetTooltip(CpusGraphHandle[i], TRUE); } } } VOID PhSipLayoutCpuGraphs( VOID ) { RECT clientRect; RECT rect; HDWP deferHandle; rect = CpuGraphMargin; PhGetSizeDpiValue(&rect, CpuSection->Parameters->WindowDpi, TRUE); if (!PhGetClientRect(CpuDialog, &clientRect)) return; deferHandle = BeginDeferWindowPos(OneGraphPerCpu ? NumberOfProcessors : 1); if (!OneGraphPerCpu) { deferHandle = DeferWindowPos( deferHandle, CpuGraphHandle, NULL, rect.left, rect.top, clientRect.right - rect.left - rect.right, clientRect.bottom - rect.top - rect.bottom, SWP_NOACTIVATE | SWP_NOZORDER ); } else { ULONG numberOfRows = 1; ULONG numberOfColumns = NumberOfProcessors; for (ULONG rows = 2; rows <= NumberOfProcessors / rows; rows++) { if (NumberOfProcessors % rows != 0) continue; numberOfRows = rows; numberOfColumns = NumberOfProcessors / rows; } if (numberOfRows == 1) { numberOfRows = (ULONG)sqrt(NumberOfProcessors); numberOfColumns = (NumberOfProcessors + numberOfRows - 1) / numberOfRows; } ULONG numberOfYPaddings = numberOfRows - 1; ULONG numberOfXPaddings = numberOfColumns - 1; ULONG cellHeight = (clientRect.bottom - rect.top - rect.bottom - CpuSection->Parameters->CpuPadding * numberOfYPaddings) / numberOfRows; ULONG y = rect.top; ULONG cellWidth; ULONG x; ULONG i = 0; for (ULONG row = 0; row < numberOfRows; row++) { // Give the last row the remaining space; the height we calculated might be off by a few // pixels due to integer division. if (row == numberOfRows - 1) cellHeight = clientRect.bottom - rect.bottom - y; cellWidth = (clientRect.right - rect.left - rect.right - CpuSection->Parameters->CpuPadding * numberOfXPaddings) / numberOfColumns; x = rect.left; for (ULONG column = 0; column < numberOfColumns; column++) { // Give the last cell the remaining space; the width we calculated might be off by a few // pixels due to integer division. if (column == numberOfColumns - 1) cellWidth = clientRect.right - rect.right - x; if (i < NumberOfProcessors) { deferHandle = DeferWindowPos( deferHandle, CpusGraphHandle[i], NULL, x, y, cellWidth, cellHeight, SWP_NOACTIVATE | SWP_NOZORDER ); i++; } x += cellWidth + CpuSection->Parameters->CpuPadding; } y += cellHeight + CpuSection->Parameters->CpuPadding; } } EndDeferWindowPos(deferHandle); } VOID PhSipSetOneGraphPerCpu( VOID ) { ShowWindow(CpuGraphHandle, !OneGraphPerCpu ? SW_SHOW : SW_HIDE); for (ULONG i = 0; i < NumberOfProcessors; i++) { ShowWindow(CpusGraphHandle[i], OneGraphPerCpu ? SW_SHOW : SW_HIDE); } } _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipCpuGraphCallback( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { switch (GraphMessage) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Parameter1; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; ULONG index = PtrToUlong(Context); drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_USE_LINE_2 | (PhCsEnableGraphMaxText ? PH_GRAPH_LABEL_MAX_Y : 0); PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorCpuKernel, PhCsColorCpuUser, CpuSection->Parameters->WindowDpi); if (index == ULONG_MAX) { PhGraphStateGetDrawInfo( &CpuGraphState, getDrawInfo, PhCpuKernelHistory.Count ); if (!CpuGraphState.Valid) { PhCopyCircularBuffer_FLOAT(&PhCpuKernelHistory, CpuGraphState.Data1, drawInfo->LineDataCount); PhCopyCircularBuffer_FLOAT(&PhCpuUserHistory, CpuGraphState.Data2, drawInfo->LineDataCount); if (PhCsEnableGraphMaxScale) { FLOAT max = 0; if (PhCsEnableAvxSupport && drawInfo->LineDataCount > 128) { max = PhAddPlusMaxMemorySingles( CpuGraphState.Data1, CpuGraphState.Data2, drawInfo->LineDataCount ); } else { for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT data = CpuGraphState.Data1[i] + CpuGraphState.Data2[i]; if (max < data) max = data; } } if (max != 0) { PhDivideSinglesBySingle(CpuGraphState.Data1, max, drawInfo->LineDataCount); PhDivideSinglesBySingle(CpuGraphState.Data2, max, drawInfo->LineDataCount); } drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = max; } else { drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = 1.0f; } CpuGraphState.Valid = TRUE; } } else { PhGraphStateGetDrawInfo( &CpusGraphState[index], getDrawInfo, PhCpuKernelHistory.Count ); if (!CpusGraphState[index].Valid) { PhCopyCircularBuffer_FLOAT(&PhCpusKernelHistory[index], CpusGraphState[index].Data1, drawInfo->LineDataCount); PhCopyCircularBuffer_FLOAT(&PhCpusUserHistory[index], CpusGraphState[index].Data2, drawInfo->LineDataCount); if (PhCsEnableGraphMaxScale) { FLOAT max = 0; if (PhCsEnableAvxSupport && drawInfo->LineDataCount > 128) { max = PhAddPlusMaxMemorySingles( CpusGraphState[index].Data1, CpusGraphState[index].Data2, drawInfo->LineDataCount ); } else { for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT data = CpusGraphState[index].Data1[i] + CpusGraphState[index].Data2[i]; if (max < data) max = data; } } if (max != 0) { PhDivideSinglesBySingle(CpusGraphState[index].Data1, max, drawInfo->LineDataCount); PhDivideSinglesBySingle(CpusGraphState[index].Data2, max, drawInfo->LineDataCount); } drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = max; } else { drawInfo->LabelYFunction = PhSiDoubleLabelYFunction; drawInfo->LabelYFunctionParameter = 1.0f; } CpusGraphState[index].Valid = TRUE; } if (PhCsGraphShowText) { HDC hdc; FLOAT cpuKernel; FLOAT cpuUser; PH_FORMAT format[11]; cpuKernel = PhGetItemCircularBuffer_FLOAT(&PhCpusKernelHistory[index], 0); cpuUser = PhGetItemCircularBuffer_FLOAT(&PhCpusUserHistory[index], 0); // %.2f%% (K: %.2f%%, U: %.2f%%) PhInitFormatF(&format[0], (cpuKernel + cpuUser) * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[1], L"% (K: "); PhInitFormatF(&format[2], cpuKernel * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[3], L"%, U: "); PhInitFormatF(&format[4], cpuUser * 100, PhMaxPrecisionUnit); if (CpuFrequencyInformation) { PhInitFormatS(&format[5], L"%)\r\n"); PhInitFormatF(&format[6], CpuFrequencyInformation[index] / 1000, PhMaxPrecisionUnit); PhInitFormatS(&format[7], L" GHz"); PhInitFormatS(&format[8], L" ("); PhInitFormatFD(&format[9], 1000 / CpuFrequencyInformation[index], 3); // ns per cycle PhInitFormatS(&format[10], L" \u00B5s)"); PhMoveReference(&CpusGraphState[index].Text, PhFormat(format, RTL_NUMBER_OF(format), 0)); hdc = Graph_GetBufferedContext(CpusGraphHandle[index]); PhSetGraphText2( hdc, drawInfo, &CpusGraphState[index].Text->sr, &PhNormalGraphTextMargin, &PhNormalGraphTextPadding, PH_ALIGN_TOP | PH_ALIGN_LEFT ); } else { PhInitFormatS(&format[5], L"%) "); PhMoveReference(&CpusGraphState[index].Text, PhFormat(format, 6, 0)); hdc = Graph_GetBufferedContext(CpusGraphHandle[index]); PhSetGraphText( hdc, drawInfo, &CpusGraphState[index].Text->sr, &PhNormalGraphTextMargin, &PhNormalGraphTextPadding, PH_ALIGN_TOP | PH_ALIGN_LEFT ); } } else { drawInfo->Text.Buffer = NULL; } } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Parameter1; ULONG index = PtrToUlong(Context); if (getTooltipText->Index < getTooltipText->TotalCount) { if (index == ULONG_MAX) { if (CpuGraphState.TooltipIndex != getTooltipText->Index) { FLOAT cpuKernel; FLOAT cpuUser; PH_FORMAT format[9]; cpuKernel = PhGetItemCircularBuffer_FLOAT(&PhCpuKernelHistory, getTooltipText->Index); cpuUser = PhGetItemCircularBuffer_FLOAT(&PhCpuUserHistory, getTooltipText->Index); // %.2f%% (K: %.2f%%, U: %.2f%%)\n%s\n%s PhInitFormatF(&format[0], (cpuKernel + cpuUser) * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[1], L"% (K: "); PhInitFormatF(&format[2], cpuKernel * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[3], L"%, U: "); PhInitFormatF(&format[4], cpuUser * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[5], L"%)"); PhInitFormatSR(&format[6], PH_AUTO_T(PH_STRING, PhSipGetMaxCpuString(getTooltipText->Index))->sr); PhInitFormatC(&format[7], L'\n'); PhInitFormatSR(&format[8], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&CpuGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 160)); } getTooltipText->Text = CpuGraphState.TooltipText->sr; } else { if (CpusGraphState[index].TooltipIndex != getTooltipText->Index) { FLOAT cpuKernel; FLOAT cpuUser; PCPH_STRINGREF cpuType; PH_FORMAT format[20]; ULONG count = 0; cpuKernel = PhGetItemCircularBuffer_FLOAT(&PhCpusKernelHistory[index], getTooltipText->Index); cpuUser = PhGetItemCircularBuffer_FLOAT(&PhCpusUserHistory[index], getTooltipText->Index); // %.2f%% (K: %.2f%%, U: %.2f%%)%s\n%s PhInitFormatF(&format[count++], (cpuKernel + cpuUser) * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[count++], L"% (K: "); PhInitFormatF(&format[count++], cpuKernel * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[count++], L"%, U: "); PhInitFormatF(&format[count++], cpuUser * 100, PhMaxPrecisionUnit); PhInitFormatS(&format[count++], L"%)"); PhInitFormatSR(&format[count++], PH_AUTO_T(PH_STRING, PhSipGetMaxCpuString(getTooltipText->Index))->sr); PhInitFormatS(&format[count++], L"\nCPU "); if (PhSystemProcessorInformation.SingleProcessorGroup) { PhInitFormatU(&format[count++], index); PhInitFormatS(&format[count++], L", Core "); PhInitFormatU(&format[count++], PhSipGetProcessorRelationshipIndex(RelationProcessorCore, index)); PhInitFormatS(&format[count++], L", Socket "); PhInitFormatU(&format[count++], PhSipGetProcessorRelationshipIndex(RelationProcessorPackage, index)); } else { PH_PROCESSOR_NUMBER processorNumber; USHORT processorNode; if (NT_SUCCESS(PhGetProcessorNumberFromIndex(index, &processorNumber))) { PhInitFormatU(&format[count++], processorNumber.Number); PhInitFormatS(&format[count++], L", Group "); PhInitFormatU(&format[count++], processorNumber.Group); if (PhGetNumaProcessorNode(&processorNumber, &processorNode)) { PhInitFormatS(&format[count++], L", Node "); PhInitFormatU(&format[count++], processorNode); } else { PhInitFormatS(&format[count++], L", Node "); PhInitFormatU(&format[count++], 0); } } else { PhInitFormatU(&format[count++], index); PhInitFormatS(&format[count++], L", Group "); PhInitFormatU(&format[count++], ULONG_MAX); PhInitFormatS(&format[count++], L", Node "); PhInitFormatU(&format[count++], ULONG_MAX); } } if (cpuType = PhGetHybridProcessorType(index)) { PhInitFormatS(&format[count++], L", "); PhInitFormatSR(&format[count++], *cpuType); PhInitFormatS(&format[count++], L"\n"); if (PhIsCoreParked(index)) PhInitFormatS(&format[count++], L"Parked\n"); } else { PhInitFormatS(&format[count++], L"\n"); if (PhIsCoreParked(index)) PhInitFormatS(&format[count++], L"Parked\n"); } PhInitFormatSR(&format[count++], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&CpusGraphState[index].TooltipText, PhFormat(format, count, 0)); } getTooltipText->Text = CpusGraphState[index].TooltipText->sr; } } } break; case GCN_MOUSEEVENT: { PPH_GRAPH_MOUSEEVENT mouseEvent = (PPH_GRAPH_MOUSEEVENT)Parameter1; PPH_PROCESS_RECORD record; record = NULL; if (mouseEvent->Message == WM_LBUTTONDBLCLK && mouseEvent->Index < mouseEvent->TotalCount) { record = PhSipReferenceMaxCpuRecord(mouseEvent->Index); } if (record) { PhShowProcessRecordDialog(CpuDialog, record); PhDereferenceProcessRecord(record); } } break; } return TRUE; } VOID PhSipUpdateCpuGraphs( VOID ) { CpuGraphState.Valid = FALSE; CpuGraphState.TooltipIndex = ULONG_MAX; Graph_Update(CpuGraphHandle); for (ULONG i = 0; i < NumberOfProcessors; i++) { CpusGraphState[i].Valid = FALSE; CpusGraphState[i].TooltipIndex = ULONG_MAX; Graph_Update(CpusGraphHandle[i]); } } VOID PhSipUpdateCpuPanel( VOID ) { LARGE_INTEGER systemUptime; LARGE_INTEGER performanceCounterStart; LARGE_INTEGER performanceCounterEnd; LARGE_INTEGER performanceCounterTicks; ULONG64 timeStampCounterStart; ULONG64 timeStampCounterEnd; #ifdef _ARM64_ ULONG64 currentExceptionLevel; #else LONG cpubrand[4]; #endif PH_FORMAT format[6]; WCHAR formatBuffer[256]; WCHAR uptimeString[PH_TIMESPAN_STR_LEN_1] = { L"Unknown" }; // Hardware if (CpuTicked == 0) { switch (PhGetVirtualStatus()) { case PhVirtualStatusVirtualMachine: PhSetWindowText(CpuVirtualizationLabel, L"Virtual machine"); break; case PhVirtualStatusEnabledHyperV: case PhVirtualStatusEnabledFirmware: PhSetWindowText(CpuVirtualizationLabel, L"Enabled"); break; case PhVirtualStatusDisabledWithHyperV: PhSetWindowText(CpuVirtualizationLabel, L"Disabled / Hyper-V"); break; case PhVirtualStatusDisabled: PhSetWindowText(CpuVirtualizationLabel, L"Disabled"); break; case PhVirtualStatusNotCapable: default: PhSetWindowText(CpuVirtualizationLabel, L"Not capable"); break; } PhSetDialogItemText(CpuPanel, IDC_ZL1CACHE_V, CpuL1CacheSize ? PhaFormatSize(CpuL1CacheSize, ULONG_MAX)->Buffer : L"N/A"); PhSetDialogItemText(CpuPanel, IDC_ZL2CACHE_V, CpuL2CacheSize ? PhaFormatSize(CpuL2CacheSize, ULONG_MAX)->Buffer : L"N/A"); PhSetDialogItemText(CpuPanel, IDC_ZL3CACHE_V, CpuL3CacheSize ? PhaFormatSize(CpuL3CacheSize, ULONG_MAX)->Buffer : L"N/A"); } // %.2f%% PhInitFormatF(&format[0], (PhCpuUserUsage + PhCpuKernelUsage) * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[1], L'%'); if (PhFormatToBuffer(format, 2, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelUtilizationLabel, formatBuffer); else { PhSetWindowText(CpuPanelUtilizationLabel, PH_AUTO_T(PH_STRING, PhFormat(format, 2, 0))->Buffer); } if (PhGetIntegerSetting(SETTING_SYSINFO_SHOW_CPU_SPEED_MHZ)) { PhInitFormatF(&format[0], CpuCurrentFrequency, 0); PhInitFormatS(&format[1], L" / "); PhInitFormatF(&format[2], (FLOAT)CpuMaxMhz, 0); PhInitFormatS(&format[3], L" MHz"); } else { PhInitFormatF(&format[0], CpuCurrentFrequency / 1000, PhMaxPrecisionUnit); PhInitFormatS(&format[1], L" / "); PhInitFormatF(&format[2], (FLOAT)CpuMaxMhz / 1000, PhMaxPrecisionUnit); PhInitFormatS(&format[3], L" GHz"); } // %.2f / %.2f GHz if (PhFormatToBuffer(format, 4, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelSpeedLabel, formatBuffer); else { PhSetWindowText(CpuPanelSpeedLabel, PH_AUTO_T(PH_STRING, PhFormat(format, 4, 0))->Buffer); } PhInitFormatI64UGroupDigits(&format[0], PhTotalProcesses); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelProcessesLabel, formatBuffer); else PhSetWindowText(CpuPanelProcessesLabel, PhaFormatUInt64(PhTotalProcesses, TRUE)->Buffer); PhInitFormatI64UGroupDigits(&format[0], PhTotalThreads); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelThreadsLabel, formatBuffer); else PhSetWindowText(CpuPanelThreadsLabel, PhaFormatUInt64(PhTotalThreads, TRUE)->Buffer); PhInitFormatI64UGroupDigits(&format[0], PhTotalHandles); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelHandlesLabel, formatBuffer); else PhSetWindowText(CpuPanelHandlesLabel, PhaFormatUInt64(PhTotalHandles, TRUE)->Buffer); if (NT_SUCCESS(PhGetSystemUptime(&systemUptime))) { PhPrintTimeSpan(uptimeString, systemUptime.QuadPart, PH_TIMESPAN_DHMS); } PhSetWindowText(CpuPanelUptimeLabel, uptimeString); if (CpuTicked > 1) { PhInitFormatI64UGroupDigits(&format[0], ContextSwitchesDelta.Delta); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelContextSwitchesLabel, formatBuffer); else PhSetWindowText(CpuPanelContextSwitchesLabel, PhaFormatUInt64(ContextSwitchesDelta.Delta, TRUE)->Buffer); } else { PhSetWindowText(CpuPanelContextSwitchesLabel, L"-"); } if (CpuTicked > 1) { PhInitFormatI64UGroupDigits(&format[0], InterruptsDelta.Delta); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelInterruptDeltaLabel, formatBuffer); else PhSetWindowText(CpuPanelInterruptDeltaLabel, PhaFormatUInt64(InterruptsDelta.Delta, TRUE)->Buffer); } else { PhSetWindowText(CpuPanelInterruptDeltaLabel, L"-"); } if (CpuTicked > 1) { PhInitFormatI64UGroupDigits(&format[0], DpcsDelta.Delta); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelDpcDeltaLabel, formatBuffer); else PhSetWindowText(CpuPanelDpcDeltaLabel, PhaFormatUInt64(DpcsDelta.Delta, TRUE)->Buffer); } else { PhSetWindowText(CpuPanelDpcDeltaLabel, L"-"); } if (CpuTicked > 1) { PhInitFormatI64UGroupDigits(&format[0], SystemCallsDelta.Delta); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelSystemCallsDeltaLabel, formatBuffer); else PhSetWindowText(CpuPanelSystemCallsDeltaLabel, PhaFormatUInt64(SystemCallsDelta.Delta, TRUE)->Buffer); } else { PhSetWindowText(CpuPanelSystemCallsDeltaLabel, L"-"); } { PhInitFormatI64UGroupDigits(&format[0], LogicalProcessorInformation.ProcessorCoreCount); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelCoresLabel, formatBuffer); else PhSetWindowText(CpuPanelCoresLabel, PhaFormatUInt64(LogicalProcessorInformation.ProcessorCoreCount, TRUE)->Buffer); PhInitFormatI64UGroupDigits(&format[0], LogicalProcessorInformation.ProcessorPackageCount); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelSocketsLabel, formatBuffer); else PhSetWindowText(CpuPanelSocketsLabel, PhaFormatUInt64(LogicalProcessorInformation.ProcessorPackageCount, TRUE)->Buffer); PhInitFormatI64UGroupDigits(&format[0], LogicalProcessorInformation.ProcessorLogicalCount); if (PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelLogicalLabel, formatBuffer); else PhSetWindowText(CpuPanelLogicalLabel, PhaFormatUInt64(LogicalProcessorInformation.ProcessorLogicalCount, TRUE)->Buffer); } // Do not optimize (dmex) PhQueryPerformanceCounter(&performanceCounterStart); timeStampCounterStart = PhReadTimeStampCounter(); #ifdef _ARM64_ // 0b11 0b000 0b0100 0b0010 0b010 CurrentEL Current Exception Level currentExceptionLevel = _ReadStatusReg(ARM64_SYSREG(3, 0, 4, 2, 2)); #else CpuIdEx(cpubrand, 0, 0); #endif MemoryBarrier(); timeStampCounterEnd = PhReadTimeStampCounter(); PhQueryPerformanceCounter(&performanceCounterEnd); performanceCounterTicks.QuadPart = performanceCounterEnd.QuadPart - performanceCounterStart.QuadPart; if (timeStampCounterStart == 0 && timeStampCounterEnd == 0 && #ifdef _ARM64_ currentExceptionLevel == MAXULONG64 #else cpubrand[0] == 0 && cpubrand[3] == 0 #endif ) { performanceCounterTicks.QuadPart = 0; } PhInitFormatI64UGroupDigits(&format[0], performanceCounterTicks.QuadPart); PhInitFormatS(&format[1], L" | "); PhInitFormatF(&format[2], CpuTimerResolution, 0); PhInitFormatS(&format[3], L" | "); PhInitFormatI64UGroupDigits(&format[4], PhTotalCpuQueueLength); if (PhFormatToBuffer(format, 5, formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(CpuPanelLatencyLabel, formatBuffer); else PhSetWindowText(CpuPanelLatencyLabel, PhaFormatUInt64(performanceCounterTicks.QuadPart, TRUE)->Buffer); } PPH_PROCESS_RECORD PhSipReferenceMaxCpuRecord( _In_ LONG Index ) { LARGE_INTEGER time; LONG maxProcessIdLong; HANDLE maxProcessId; // Find the process record for the max. CPU process for the particular time. maxProcessIdLong = PhGetItemCircularBuffer_ULONG(&PhMaxCpuHistory, Index); if (!maxProcessIdLong) return NULL; // This must be treated as a signed integer to handle Interrupts correctly. maxProcessId = LongToHandle(maxProcessIdLong); // Note that the time we get has its components beyond seconds cleared. // For example: // * At 2.5 seconds a process is started. // * At 2.75 seconds our process provider is fired, and the process is determined // to have 75% CPU usage, which happens to be the maximum CPU usage. // * However the 2.75 seconds is recorded as 2 seconds due to // RtlTimeToSecondsSince1980. // * If we call PhFindProcessRecord, it cannot find the process because it was // started at 2.5 seconds, not 2 seconds or older. // // This means we must add one second minus one tick (100ns) to the time, giving us // 2.9999999 seconds. This will then make sure we find the process. PhGetStatisticsTime(NULL, Index, &time); time.QuadPart += PH_TICKS_PER_SEC - 1; return PhFindProcessRecord(maxProcessId, &time); } PPH_STRING PhSipGetMaxCpuString( _In_ LONG Index ) { PPH_PROCESS_RECORD maxProcessRecord; #ifdef PH_RECORD_MAX_USAGE FLOAT maxCpuUsage; #endif if (maxProcessRecord = PhSipReferenceMaxCpuRecord(Index)) { PPH_STRING maxUsageString; // We found the process record, so now we construct the max. usage string. #ifdef PH_RECORD_MAX_USAGE maxCpuUsage = PhGetItemCircularBuffer_FLOAT(&PhMaxCpuUsageHistory, Index); // Make sure we don't try to display the PID of DPCs or Interrupts. if (!PH_IS_FAKE_PROCESS_ID(maxProcessRecord->ProcessId)) { PH_FORMAT format[7]; // \n%s (%lu): %.2f%% PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxProcessRecord->ProcessName->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatU(&format[3], HandleToUlong(maxProcessRecord->ProcessId)); PhInitFormatS(&format[4], L"): "); PhInitFormatF(&format[5], maxCpuUsage * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[6], L'%'); maxUsageString = PhFormat(format, RTL_NUMBER_OF(format), 128); } else { PH_FORMAT format[5]; // \n%s: %.2f%% PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxProcessRecord->ProcessName->sr); PhInitFormatS(&format[2], L": "); PhInitFormatF(&format[3], maxCpuUsage * 100, PhMaxPrecisionUnit); PhInitFormatC(&format[4], L'%'); maxUsageString = PhFormat(format, RTL_NUMBER_OF(format), 128); } #else PH_FORMAT format[2]; PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxProcessRecord->ProcessName->sr); maxUsageString = PhFormat(format, RTL_NUMBER_OF(format), 128); #endif PhDereferenceProcessRecord(maxProcessRecord); return maxUsageString; } return PhReferenceEmptyString(); } PPH_STRING PhSipGetCpuBrandString( VOID ) { static CONST PH_STRINGREF whitespace = PH_STRINGREF_INIT(L" "); PPH_STRING brand = NULL; ULONG brandLength; CHAR brandString[49]; if (NT_SUCCESS(NtQuerySystemInformation( SystemProcessorBrandString, brandString, sizeof(brandString), NULL ))) { brandLength = sizeof(brandString) - sizeof(ANSI_NULL); brand = PhConvertUtf8ToUtf16Ex(brandString, brandLength); } else { #ifndef _ARM64_ ULONG cpubrand[4 * 3]; __cpuid(&cpubrand[0], 0x80000002); __cpuid(&cpubrand[4], 0x80000003); __cpuid(&cpubrand[8], 0x80000004); brandLength = sizeof(brandString) - sizeof(ANSI_NULL); brand = PhZeroExtendToUtf16Ex((PCSTR)cpubrand, brandLength); #else ULONG deviceCount = 0; PDEV_OBJECT deviceObjects = NULL; const DEVPROPCOMPKEY deviceProperties[] = { { DEVPKEY_NAME, DEVPROP_STORE_SYSTEM, NULL }, { DEVPKEY_Device_FriendlyName, DEVPROP_STORE_SYSTEM, NULL }, }; const DEVPROP_FILTER_EXPRESSION deviceFilter[] = { { DEVPROP_OPERATOR_EQUALS, { { DEVPKEY_Device_ClassGuid, DEVPROP_STORE_SYSTEM, NULL }, DEVPROP_TYPE_GUID, sizeof(GUID), (PVOID)&GUID_DEVCLASS_PROCESSOR } } }; if (SUCCEEDED(PhDevGetObjects( DevObjectTypeDevice, DevQueryFlagNone, RTL_NUMBER_OF(deviceProperties), deviceProperties, RTL_NUMBER_OF(deviceFilter), deviceFilter, &deviceCount, &deviceObjects ))) { if (deviceCount > 0) { DEV_OBJECT device = deviceObjects[0]; PH_STRINGREF string; string.Buffer = device.pProperties[0].Buffer; string.Length = device.pProperties[0].BufferSize ? device.pProperties[0].BufferSize - sizeof(UNICODE_NULL) : 0; if (string.Length > 0) { brand = PhCreateString2(&string); } else if (device.pProperties[1].BufferSize > 0) { string.Buffer = device.pProperties[1].Buffer; string.Length = device.pProperties[1].BufferSize - sizeof(UNICODE_NULL); brand = PhCreateString2(&string); } } PhDevFreeObjects(deviceCount, deviceObjects); } //static CONST PH_STRINGREF processorKeyName = PH_STRINGREF_INIT(L"Hardware\\Description\\System\\CentralProcessor\\0"); //HANDLE keyHandle; // //if (NT_SUCCESS(PhOpenKey(&keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &processorKeyName, 0))) //{ // brand = PhQueryRegistryStringZ(keyHandle, L"ProcessorNameString"); // NtClose(keyHandle); //} if (PhIsNullOrEmptyString(brand)) PhMoveReference(&brand, PhCreateString(L"N/A")); #endif } PhTrimToNullTerminatorString(brand); // Trim empty space (#611) (dmex) PhMoveReference(&brand, PhCreateString3(&brand->sr, PH_TRIM_END_ONLY, &whitespace)); return brand; } VOID PhSipUpdateProcessorPerformanceDistribution( VOID ) { ULONG i, j; PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION current = NULL; PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION previous = NULL; ULONGLONG totalCount = 0; ULONGLONG totalValue = 0; if (PreviousPerformanceDistribution) { PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = NULL; } PreviousPerformanceDistribution = CurrentPerformanceDistribution; CurrentPerformanceDistribution = NULL; PhGetSystemProcessorPerformanceDistribution(&CurrentPerformanceDistribution); if (!CurrentPerformanceDistribution || !PreviousPerformanceDistribution) goto CleanupExit; if (CurrentPerformanceDistribution->ProcessorCount != PreviousPerformanceDistribution->ProcessorCount) goto CleanupExit; if (CurrentPerformanceDistribution->ProcessorCount != NumberOfProcessors) goto CleanupExit; for (i = 0; i < NumberOfProcessors; i++) { ULONGLONG count = 0; ULONGLONG value = 0; current = PTR_ADD_OFFSET(CurrentPerformanceDistribution, CurrentPerformanceDistribution->Offsets[i]); previous = PTR_ADD_OFFSET(PreviousPerformanceDistribution, PreviousPerformanceDistribution->Offsets[i]); if (current->StateCount != previous->StateCount) goto CleanupExit; if (WindowsVersion >= WINDOWS_8_1) { for (j = 0; j < current->StateCount; j++) { PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT hitcountCurrent = PTR_ADD_OFFSET(current->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT) * j); PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT hitcountPrevious = PTR_ADD_OFFSET(previous->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT) * j); ULONGLONG delta = hitcountCurrent->Hits - hitcountPrevious->Hits; if (delta) { count += delta; value += delta * hitcountCurrent->PercentFrequency * CpuMaxMhz; } } } else { for (j = 0; j < current->StateCount; j++) { PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 hitcountOldCurrent = PTR_ADD_OFFSET(current->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8) * j); PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 hitcountOldPrevious = PTR_ADD_OFFSET(previous->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8) * j); ULONGLONG delta = hitcountOldCurrent->Hits - hitcountOldPrevious->Hits; if (delta) { count += delta; value += delta * hitcountOldCurrent->PercentFrequency * CpuMaxMhz; } } } if (CpuFrequencyInformation) { CpuFrequencyInformation[i] = count ? (FLOAT)((DOUBLE)value / (DOUBLE)count / 100.0) : 0.0f; } totalCount += count; totalValue += value; } if (PreviousPerformanceDistribution) { PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = NULL; } if (totalCount == 0) CpuCurrentFrequency = (FLOAT)PowerInformation[0].CurrentMhz; else CpuCurrentFrequency = (FLOAT)((DOUBLE)totalValue / (DOUBLE)totalCount / 100.0); return; CleanupExit: if (CurrentPerformanceDistribution) { PhFree(CurrentPerformanceDistribution); CurrentPerformanceDistribution = NULL; } if (PreviousPerformanceDistribution) { PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = NULL; } if (CpuFrequencyInformation) { memset(CpuFrequencyInformation, 0, sizeof(FLOAT) * NumberOfProcessors); } CpuCurrentFrequency = (FLOAT)PowerInformation[0].CurrentMhz; } _Success_(return) BOOLEAN PhSipGetCpuFrequencyFromDistributionLegacy( _Out_ DOUBLE *Frequency ) { ULONG stateSize; PVOID differences; PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION stateDistribution; PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION stateDifference; PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 hitcountOld; ULONG i; ULONG j; DOUBLE count; DOUBLE total; // Calculate the differences from the last performance distribution. if (CurrentPerformanceDistribution->ProcessorCount != NumberOfProcessors || PreviousPerformanceDistribution->ProcessorCount != NumberOfProcessors) return FALSE; stateSize = FIELD_OFFSET(SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, States) + sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT) * 2; differences = PhAllocate(UInt32x32To64(stateSize, NumberOfProcessors)); for (i = 0; i < NumberOfProcessors; i++) { stateDistribution = PTR_ADD_OFFSET(CurrentPerformanceDistribution, CurrentPerformanceDistribution->Offsets[i]); stateDifference = PTR_ADD_OFFSET(differences, UInt32x32To64(stateSize, i)); if (stateDistribution->StateCount != 2) { PhFree(differences); return FALSE; } for (j = 0; j < stateDistribution->StateCount; j++) { if (WindowsVersion >= WINDOWS_8_1) { stateDifference->States[j] = stateDistribution->States[j]; } else { hitcountOld = PTR_ADD_OFFSET(stateDistribution->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8) * j); stateDifference->States[j].Hits = hitcountOld->Hits; stateDifference->States[j].PercentFrequency = hitcountOld->PercentFrequency; } } } for (i = 0; i < NumberOfProcessors; i++) { stateDistribution = PTR_ADD_OFFSET(PreviousPerformanceDistribution, PreviousPerformanceDistribution->Offsets[i]); stateDifference = PTR_ADD_OFFSET(differences, UInt32x32To64(stateSize, i)); if (stateDistribution->StateCount != 2) { PhFree(differences); return FALSE; } for (j = 0; j < stateDistribution->StateCount; j++) { if (WindowsVersion >= WINDOWS_8_1) { stateDifference->States[j].Hits -= stateDistribution->States[j].Hits; } else { hitcountOld = PTR_ADD_OFFSET(stateDistribution->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8) * j); stateDifference->States[j].Hits -= hitcountOld->Hits; } } } // Calculate the frequency. count = 0; total = 0; for (i = 0; i < NumberOfProcessors; i++) { stateDifference = PTR_ADD_OFFSET(differences, UInt32x32To64(stateSize, i)); for (j = 0; j < 2; j++) { count += stateDifference->States[j].Hits; total += stateDifference->States[j].Hits * stateDifference->States[j].PercentFrequency * PowerInformation[i].MaxMhz; } } PhFree(differences); if (count == 0) return FALSE; total /= count; total /= 100; *Frequency = total; return TRUE; } _Success_(return) BOOLEAN PhSipGetCpuFrequencyFromDistribution( _Out_ DOUBLE *Frequency ) { ULONG i, j; PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION current = NULL; PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION previous = NULL; ULONGLONG count = 0; ULONGLONG total = 0; PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION tempPrev = NULL; // Free any previous distribution and clear pointer if (PreviousPerformanceDistribution) { PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = NULL; } // Move current to previous, then get new current PreviousPerformanceDistribution = CurrentPerformanceDistribution; CurrentPerformanceDistribution = NULL; PhGetSystemProcessorPerformanceDistribution(&CurrentPerformanceDistribution); if (!CurrentPerformanceDistribution || !PreviousPerformanceDistribution) goto CleanupExit; if (CurrentPerformanceDistribution->ProcessorCount != PreviousPerformanceDistribution->ProcessorCount) goto CleanupExit; if (CurrentPerformanceDistribution->ProcessorCount != NumberOfProcessors) goto CleanupExit; for (i = 0; i < NumberOfProcessors; i++) { current = PTR_ADD_OFFSET(CurrentPerformanceDistribution, CurrentPerformanceDistribution->Offsets[i]); previous = PTR_ADD_OFFSET(PreviousPerformanceDistribution, PreviousPerformanceDistribution->Offsets[i]); if (current->StateCount != previous->StateCount) goto CleanupExit; if (WindowsVersion >= WINDOWS_8_1) { PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT hitcountCurrent; PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT hitcountPrevious; ULONGLONG delta; UCHAR percent; for (j = 0; j < current->StateCount; j++) { hitcountCurrent = PTR_ADD_OFFSET(current->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT) * j); hitcountPrevious = PTR_ADD_OFFSET(previous->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT) * j); delta = hitcountCurrent->Hits - hitcountPrevious->Hits; percent = hitcountCurrent->PercentFrequency; if (delta) { count += delta; total += delta * percent * CpuMaxMhz; } } } else { PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 hitcountOldCurrent; PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 hitcountOldPrevious; ULONGLONG delta; UCHAR percent; for (j = 0; j < current->StateCount; j++) { hitcountOldCurrent = PTR_ADD_OFFSET(current->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8) * j); hitcountOldPrevious = PTR_ADD_OFFSET(previous->States, sizeof(SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8) * j); delta = hitcountOldCurrent->Hits - hitcountOldPrevious->Hits; percent = hitcountOldCurrent->PercentFrequency; if (delta) { count += delta; total += delta * percent * CpuMaxMhz; } } } } // Cleanup previous, but keep current for next call if (PreviousPerformanceDistribution) { PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = NULL; } if (count == 0) return FALSE; // Total contains sum(delta * percent * maxMhz). // Convert to average frequency (MHz). *Frequency = (DOUBLE)(total / (DOUBLE)count / 100.0); return TRUE; CleanupExit: if (CurrentPerformanceDistribution) { PhFree(CurrentPerformanceDistribution); CurrentPerformanceDistribution = NULL; } if (PreviousPerformanceDistribution) { PhFree(PreviousPerformanceDistribution); PreviousPerformanceDistribution = NULL; } return FALSE; } ULONG PhSipGetProcessorRelationshipIndex( _In_ LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType, _In_ ULONG Index ) { ULONG index; ULONG bufferLength; PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX logicalInformation; PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX processorInfo; if (!NT_SUCCESS(PhGetSystemLogicalProcessorInformation(RelationshipType, &logicalInformation, &bufferLength))) return ULONG_MAX; index = 0; for ( processorInfo = logicalInformation; (ULONG_PTR)processorInfo < (ULONG_PTR)PTR_ADD_OFFSET(logicalInformation, bufferLength); processorInfo = PTR_ADD_OFFSET(processorInfo, processorInfo->Size) ) { PROCESSOR_RELATIONSHIP processor = processorInfo->Processor; //BOOLEAN hyperThreaded = processor.Flags & LTP_PC_SMT; if (processor.GroupMask[0].Mask & AFFINITY_MASK(Index)) { PhFree(logicalInformation); return index; } //for (USHORT j = 0; j < processor.GroupCount; j++) //{ // if (processor.GroupMask[j].Mask & ((KAFFINITY)1 << (Index % PhGetActiveProcessorCount(j)))) // { // PhFree(logicalInformation); // return index; // } //} index++; } PhFree(logicalInformation); return ULONG_MAX; } #ifndef _ARM64_ // Hybrid CPU detection (dmex) #define CPUID_EXTENDED_FEATURES_FUNCTION 0x07 #define CPUID_HYBRID_INFORMATION_FUNCTION 0x1A #define CPUID_HYBRID_CORETYPE_ECORE 0x20 #define CPUID_HYBRID_CORETYPE_PCORE 0x40 typedef union _CPUID_HYBRID_INFORMATION { struct { INT32 Eax; INT32 Ebx; INT32 Ecx; INT32 Edx; }; INT32 AsINT32[4]; struct { INT32 ModelId : 24; INT32 CoreType : 8; }; } CPUID_HYBRID_INFORMATION; _Success_(return) BOOLEAN PhInitializeHybridProcessorTypeCache( _Out_ PPH_LIST *HybridProcessorTypeList ) { PPH_LIST hybridProcessorTypeList = NULL; GROUP_AFFINITY previousThreadGroupAffinity; INT32 CPUIDInformation[4] = { 0 }; INT32 CPUIDFunctionMax; //INT32 CPUIDExtendedFunctionMax; INT32 CPUIDExtendedFeatureFlags; memset(&CPUIDInformation, 0, sizeof(CPUIDInformation)); CpuIdEx(CPUIDInformation, 0, 0); CPUIDFunctionMax = CPUIDInformation[0]; if (!(CPUIDFunctionMax >= CPUID_HYBRID_INFORMATION_FUNCTION)) return FALSE; //memset(&CPUIDInformation, 0, sizeof(CPUIDInformation)); //CpuIdEx(CPUIDInformation, 0x80000000, 0); //CPUIDExtendedFunctionMax = CPUIDInformation[0] & ~0x80000000; //if (CPUIDExtendedFunctionMax < CPUID_EXTENDED_FEATURES_FUNCTION) // return FALSE; memset(&CPUIDInformation, 0, sizeof(CPUIDInformation)); CpuIdEx(CPUIDInformation, CPUID_EXTENDED_FEATURES_FUNCTION, 0); CPUIDExtendedFeatureFlags = CPUIDInformation[3]; if (!_bittest(&CPUIDExtendedFeatureFlags, 15)) // hybrid return FALSE; if (!NT_SUCCESS(PhGetThreadGroupAffinity(NtCurrentThread(), &previousThreadGroupAffinity))) return FALSE; hybridProcessorTypeList = PhCreateList(PhSystemProcessorInformation.NumberOfProcessors); for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { USHORT processorCount = PhGetActiveProcessorCount(processorGroup); for (USHORT i = 0; i < processorCount; i++) { GROUP_AFFINITY threadGroup = { 0 }; CPUID_HYBRID_INFORMATION hybridInfo = { 0 }; threadGroup.Mask = AFFINITY_MASK(i); threadGroup.Group = processorGroup; if (NT_SUCCESS(PhSetThreadGroupAffinity(NtCurrentThread(), threadGroup))) { CpuIdEx(hybridInfo.AsINT32, CPUID_HYBRID_INFORMATION_FUNCTION, 0); } switch (hybridInfo.CoreType) { case CPUID_HYBRID_CORETYPE_ECORE: PhAddItemList(hybridProcessorTypeList, UlongToPtr(CPUID_HYBRID_CORETYPE_ECORE)); break; case CPUID_HYBRID_CORETYPE_PCORE: PhAddItemList(hybridProcessorTypeList, UlongToPtr(CPUID_HYBRID_CORETYPE_PCORE)); break; default: PhAddItemList(hybridProcessorTypeList, UlongToPtr(0)); break; } } } PhSetThreadGroupAffinity(NtCurrentThread(), previousThreadGroupAffinity); *HybridProcessorTypeList = hybridProcessorTypeList; return TRUE; } PCPH_STRINGREF PhGetHybridProcessorType( _In_ ULONG ProcessorIndex ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_LIST hybridProcessorTypeList = NULL; // Hybrid processors are not supported on earlier versions (dmex) if (WindowsVersion < WINDOWS_10) return NULL; // Hybrid processors are not included with multiple groups (for now) (dmex) if (PhSystemProcessorInformation.NumberOfProcessors >= MAXIMUM_PROC_PER_GROUP) return NULL; if (PhBeginInitOnce(&initOnce)) { PhInitializeHybridProcessorTypeCache(&hybridProcessorTypeList); PhEndInitOnce(&initOnce); } if (!hybridProcessorTypeList || ProcessorIndex > hybridProcessorTypeList->Count) return NULL; switch (PtrToUlong(hybridProcessorTypeList->Items[ProcessorIndex])) { case CPUID_HYBRID_CORETYPE_ECORE: { static CONST PH_STRINGREF hybridECoreTypeSr = PH_STRINGREF_INIT(L"E-Core"); return &hybridECoreTypeSr; } case CPUID_HYBRID_CORETYPE_PCORE: { static CONST PH_STRINGREF hybridPCoreTypeSr = PH_STRINGREF_INIT(L"P-Core"); return &hybridPCoreTypeSr; } } return NULL; } #else #define ARM_CORETYPE_LITTLE 0 #define ARM_CORETYPE_BIG 1 _Success_(return) BOOLEAN PhInitializeHybridProcessorTypeCache( _Out_ PPH_LIST *HybridProcessorTypeList ) { ULONG bufferLength; PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX logicalInformation; PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX processorInfo; PPH_LIST hybridProcessorTypeList = NULL; if (!NT_SUCCESS(PhGetSystemLogicalProcessorInformation(RelationProcessorCore, &logicalInformation, &bufferLength))) return FALSE; hybridProcessorTypeList = PhCreateList(PhSystemProcessorInformation.NumberOfProcessors); for ( processorInfo = logicalInformation; (ULONG_PTR)processorInfo < (ULONG_PTR)PTR_ADD_OFFSET(logicalInformation, bufferLength); processorInfo = PTR_ADD_OFFSET(processorInfo, processorInfo->Size) ) { for (USHORT j = 0; j < processorInfo->Processor.GroupCount; j++) { //One logical processor per bit set in the core mask ULONG logicalProcessorsInGroup = PhCountBitsUlongPtr(processorInfo->Processor.GroupMask[j].Mask); while (logicalProcessorsInGroup--) { PhAddItemList(hybridProcessorTypeList, UlongToPtr(processorInfo->Processor.EfficiencyClass)); } } } PhFree(logicalInformation); *HybridProcessorTypeList = hybridProcessorTypeList; return TRUE; } PCPH_STRINGREF PhGetHybridProcessorType( _In_ ULONG ProcessorIndex ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_LIST hybridProcessorTypeList = NULL; // Hybrid processors are not supported on earlier versions (dmex) if (WindowsVersion < WINDOWS_10) return NULL; // Hybrid processors are not included with multiple groups (for now) (dmex) if (PhSystemProcessorInformation.NumberOfProcessors >= MAXIMUM_PROC_PER_GROUP) return NULL; if (PhBeginInitOnce(&initOnce)) { PhInitializeHybridProcessorTypeCache(&hybridProcessorTypeList); PhEndInitOnce(&initOnce); } if (!hybridProcessorTypeList || ProcessorIndex > hybridProcessorTypeList->Count) return NULL; switch (PtrToUlong(hybridProcessorTypeList->Items[ProcessorIndex])) { case ARM_CORETYPE_LITTLE: { static CONST PH_STRINGREF hybridECoreTypeSr = PH_STRINGREF_INIT(L"E-Core"); return &hybridECoreTypeSr; } case ARM_CORETYPE_BIG: { static CONST PH_STRINGREF hybridPCoreTypeSr = PH_STRINGREF_INIT(L"P-Core"); return &hybridPCoreTypeSr; } } return NULL; } #endif /** * \brief Checks if a specific logical processor (core) in the system is parked. * * This function determines whether a specific logical processor in the system * is parked, meaning it is temporarily unavailable for the thread scheduler. * It utilizes CPU sets functionality available starting with Windows 10. * * \param[in] ProcessorIndex The index of the logical processor to check. * * \return TRUE if the specified logical processor is parked, FALSE otherwise or * in case of failure. */ BOOLEAN PhIsCoreParked( _In_ ULONG ProcessorIndex ) { static ULONG initialBufferSize = 0; static HANDLE processHandle = NULL; NTSTATUS status; ULONG returnLength; BOOLEAN isParked; PSYSTEM_CPU_SET_INFORMATION cpuSetInfo; if (WindowsVersion < WINDOWS_10) return FALSE; // // MSDN: https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_cpu_set_information // This is a variable-sized structure designed for future expansion. When iterating over // this structure, use the size field to determine the offset to the next structure. // // N.B. The kernel returns the size even in the last element, we over-allocate by the // Size offset and check it to minimize instructions (jxy-s). // if (initialBufferSize) { returnLength = initialBufferSize; cpuSetInfo = PhAllocateStack(returnLength); if (!cpuSetInfo) return FALSE; RtlZeroMemory(cpuSetInfo, returnLength); } else { returnLength = 0; cpuSetInfo = NULL; } status = NtQuerySystemInformationEx( SystemCpuSetInformation, &processHandle, sizeof(HANDLE), cpuSetInfo, returnLength, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL) { returnLength += RTL_SIZEOF_THROUGH_FIELD(SYSTEM_CPU_SET_INFORMATION, Size); PhFreeStack(cpuSetInfo); cpuSetInfo = PhAllocateStack(returnLength); if (!cpuSetInfo) return FALSE; RtlZeroMemory(cpuSetInfo, returnLength); status = NtQuerySystemInformationEx( SystemCpuSetInformation, &processHandle, sizeof(HANDLE), cpuSetInfo, returnLength, NULL ); if (NT_SUCCESS(status) && initialBufferSize <= 0x100000) initialBufferSize = returnLength; } if (!cpuSetInfo) return FALSE; isParked = FALSE; if (NT_SUCCESS(status)) { for (PSYSTEM_CPU_SET_INFORMATION info = cpuSetInfo; RTL_CONTAINS_FIELD(info, info->Size, CpuSet); info = PTR_ADD_OFFSET(info, info->Size)) { if (info->CpuSet.LogicalProcessorIndex == ProcessorIndex) { isParked = info->CpuSet.Parked; break; } } } PhFreeStack(cpuSetInfo); return isParked; } VOID PhSipUpdateProcessorInformation( VOID ) { if (PhSystemProcessorInformation.SingleProcessorGroup) { if (!NT_SUCCESS(NtPowerInformation( ProcessorInformation, NULL, 0, PowerInformation, sizeof(PROCESSOR_POWER_INFORMATION) * NumberOfProcessors ))) { memset(PowerInformation, 0, sizeof(PROCESSOR_POWER_INFORMATION) * NumberOfProcessors); } } else { USHORT processorCount = 0; for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { USHORT activeProcessorCount = PhGetActiveProcessorCount(processorGroup); if (!NT_SUCCESS(NtPowerInformation( ProcessorInformationEx, &processorGroup, sizeof(USHORT), PTR_ADD_OFFSET(PowerInformation, sizeof(PROCESSOR_POWER_INFORMATION) * processorCount), sizeof(PROCESSOR_POWER_INFORMATION) * activeProcessorCount ))) { memset( PTR_ADD_OFFSET(PowerInformation, sizeof(PROCESSOR_POWER_INFORMATION) * processorCount), 0, sizeof(PROCESSOR_POWER_INFORMATION) * activeProcessorCount ); } processorCount += activeProcessorCount; } } } VOID PhSipUpdateInterruptInformation( _Out_ PULONG64 DpcCount ) { ULONG64 dpcCount; ULONG i; dpcCount = 0; if (PhSystemProcessorInformation.SingleProcessorGroup) { if (!NT_SUCCESS(NtQuerySystemInformation( SystemInterruptInformation, InterruptInformation, sizeof(SYSTEM_INTERRUPT_INFORMATION) * NumberOfProcessors, NULL ))) { memset(InterruptInformation, 0, sizeof(SYSTEM_INTERRUPT_INFORMATION) * NumberOfProcessors); } for (i = 0; i < NumberOfProcessors; i++) dpcCount += InterruptInformation[i].DpcCount; } else { USHORT processorCount = 0; for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { USHORT activeProcessorCount = PhGetActiveProcessorCount(processorGroup); if (!NT_SUCCESS(NtQuerySystemInformationEx( SystemInterruptInformation, &processorGroup, sizeof(USHORT), PTR_ADD_OFFSET(InterruptInformation, sizeof(SYSTEM_INTERRUPT_INFORMATION) * processorCount), sizeof(SYSTEM_INTERRUPT_INFORMATION) * activeProcessorCount, NULL ))) { memset( PTR_ADD_OFFSET(InterruptInformation, sizeof(SYSTEM_INTERRUPT_INFORMATION) * processorCount), 0, sizeof(SYSTEM_INTERRUPT_INFORMATION) * activeProcessorCount ); } processorCount += activeProcessorCount; } for (i = 0; i < NumberOfProcessors; i++) dpcCount += InterruptInformation[i].DpcCount; } *DpcCount = dpcCount; } VOID PhSipUpdateProcessorFrequency( VOID ) { POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT input; POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT output; memset(&input, 0, sizeof(POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT)); input.InternalType = PowerInternalProcessorBrandedFrequency; input.ProcessorNumber.Group = USHRT_MAX; input.ProcessorNumber.Number = UCHAR_MAX; input.ProcessorNumber.Reserved = UCHAR_MAX; memset(&output, 0, sizeof(POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT)); output.Version = POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_VERSION; if (NT_SUCCESS(NtPowerInformation( PowerInformationInternal, &input, sizeof(input), &output, sizeof(output) ))) { if (output.Version == POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_VERSION) { CpuMaxMhz = output.NominalFrequency; return; } } for (ULONG i = 0; i < NumberOfProcessors; i++) { if (CpuMaxMhz < PowerInformation[i].MaxMhz) CpuMaxMhz = PowerInformation[i].MaxMhz; } } VOID PhSipUpdateTimerResolution( VOID ) { ULONG maximumTime; ULONG minimumTime; ULONG currentTime; if (NT_SUCCESS(NtQueryTimerResolution(&maximumTime, &minimumTime, ¤tTime))) { CpuTimerResolution = (FLOAT)((DOUBLE)currentTime / 10000.0); } else { CpuTimerResolution = 0.0f; } } _Function_class_(PH_ENUM_SMBIOS_CALLBACK) BOOLEAN NTAPI PhpSipCpuSMBIOSCallback( _In_ ULONG_PTR EnumHandle, _In_ UCHAR MajorVersion, _In_ UCHAR MinorVersion, _In_ PPH_SMBIOS_ENTRY Entry, _In_opt_ PVOID Context ) { ULONG64 size; if (Entry->Header.Type != SMBIOS_CACHE_INFORMATION_TYPE) return FALSE; if (!PH_SMBIOS_CONTAINS_FIELD(Entry, Cache, Configuration) || !Entry->Cache.Configuration.Enabled) { return FALSE; } size = 0; if (PH_SMBIOS_CONTAINS_FIELD(Entry, Cache, InstalledSize)) { if (Entry->Cache.InstalledSize.Value == MAXUSHORT && PH_SMBIOS_CONTAINS_FIELD(Entry, Cache, InstalledSize2)) { if (Entry->Cache.InstalledSize2.Granularity) size = (ULONG64)Entry->Cache.InstalledSize2.Size * 0x10000; else size = (ULONG64)Entry->Cache.InstalledSize2.Size * 0x400; } else { if (Entry->Cache.InstalledSize.Granularity) size = (ULONG64)Entry->Cache.InstalledSize.Size * 0x10000; else size = (ULONG64)Entry->Cache.InstalledSize.Size * 0x400; } } switch (Entry->Cache.Configuration.Level) { case 0: CpuL1CacheSize += size; break; case 1: CpuL2CacheSize += size; break; case 2: CpuL3CacheSize += size; break; } return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI PhSipCpuSMBIOSWorkRoutine( _In_ PVOID ThreadParameter ) { PhEnumSMBIOS(PhpSipCpuSMBIOSCallback, NULL); return STATUS_SUCCESS; } ================================================ FILE: SystemInformer/sysscio.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ #include #include #include #include #include static PPH_SYSINFO_SECTION IoSection; static HWND IoDialog; static PH_LAYOUT_MANAGER IoLayoutManager; static RECT IoGraphMargin; static HWND IoReadLabelHandle; static HWND IoReadGraphHandle; static HWND IoWriteLabelHandle; static HWND IoWriteGraphHandle; static HWND IoOtherLabelHandle; static HWND IoOtherGraphHandle; static PH_GRAPH_STATE IoReadGraphState; static PH_GRAPH_STATE IoWriteGraphState; static PH_GRAPH_STATE IoOtherGraphState; static HWND IoPanel; static ULONG IoTicked; static PH_UINT64_DELTA IoReadDelta; static PH_UINT64_DELTA IoWriteDelta; static PH_UINT64_DELTA IoOtherDelta; static HWND IoPanelReadsDeltaLabel; static HWND IoPanelWritesDeltaLabel; static HWND IoPanelOtherDeltaLabel; static HWND IoPanelReadBytesDeltaLabel; static HWND IoPanelWriteBytesDeltaLabel; static HWND IoPanelOtherBytesDeltaLabel; static HWND IoPanelReadsLabel; static HWND IoPanelReadBytesLabel; static HWND IoPanelWritesLabel; static HWND IoPanelWriteBytesLabel; static HWND IoPanelOtherLabel; static HWND IoPanelOtherBytesLabel; _Function_class_(PH_SYSINFO_SECTION_CALLBACK) BOOLEAN PhSipIoSectionCallback( _In_ PPH_SYSINFO_SECTION Section, _In_ PH_SYSINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ) { switch (Message) { case SysInfoCreate: { IoSection = Section; } return TRUE; case SysInfoDestroy: { if (IoDialog) { PhSipUninitializeIoDialog(); IoDialog = NULL; } } break; case SysInfoTick: { if (IoDialog) { PhSipTickIoDialog(); } } break; case SysInfoViewChanging: { PH_SYSINFO_VIEW_TYPE view = (PH_SYSINFO_VIEW_TYPE)PtrToUlong(Parameter1); PPH_SYSINFO_SECTION section = (PPH_SYSINFO_SECTION)Parameter2; if (view == SysInfoSummaryView || section != Section) return TRUE; if (IoReadGraphHandle) { IoReadGraphState.Valid = FALSE; IoReadGraphState.TooltipIndex = ULONG_MAX; Graph_Draw(IoReadGraphHandle); } if (IoWriteGraphHandle) { IoWriteGraphState.Valid = FALSE; IoWriteGraphState.TooltipIndex = ULONG_MAX; Graph_Draw(IoWriteGraphHandle); } if (IoOtherGraphHandle) { IoOtherGraphState.Valid = FALSE; IoOtherGraphState.TooltipIndex = ULONG_MAX; Graph_Draw(IoOtherGraphHandle); } } return TRUE; case SysInfoCreateDialog: { PPH_SYSINFO_CREATE_DIALOG createDialog = Parameter1; createDialog->Instance = PhInstanceHandle; createDialog->Template = MAKEINTRESOURCE(IDD_SYSINFO_IO); createDialog->DialogProc = PhSipIoDialogProc; } return TRUE; case SysInfoGraphGetDrawInfo: { PPH_GRAPH_DRAW_INFO drawInfo = Parameter1; ULONG i; FLOAT max; drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_LABEL_MAX_Y; Section->Parameters->ColorSetupFunction(drawInfo, PhCsColorIoReadOther, 0, Section->Parameters->WindowDpi); PhGetDrawInfoGraphBuffers(&Section->GraphState.Buffers, drawInfo, PhIoReadHistory.Count); if (!Section->GraphState.Valid) { max = 1024 * 1024; // Minimum scaling of 1 MB for (i = 0; i < drawInfo->LineDataCount; i++) { FLOAT data; Section->GraphState.Data1[i] = data = (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoReadHistory, i) + (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoOtherHistory, i) + (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoWriteHistory, i); if (max < data) max = data; } if (max != 0) { // Scale the data. PhDivideSinglesBySingle( Section->GraphState.Data1, max, drawInfo->LineDataCount ); } drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = max; Section->GraphState.Valid = TRUE; } } return TRUE; case SysInfoGraphGetTooltipText: { PPH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT getTooltipText = Parameter1; ULONG64 ioRead; ULONG64 ioWrite; ULONG64 ioOther; PH_FORMAT format[9]; ioRead = PhGetItemCircularBuffer_ULONG64(&PhIoReadHistory, getTooltipText->Index); ioWrite = PhGetItemCircularBuffer_ULONG64(&PhIoWriteHistory, getTooltipText->Index); ioOther = PhGetItemCircularBuffer_ULONG64(&PhIoOtherHistory, getTooltipText->Index); // R: %s\nW: %s\nO: %s%s\n%s PhInitFormatS(&format[0], L"R: "); PhInitFormatSize(&format[1], ioRead); PhInitFormatS(&format[2], L"\nW: "); PhInitFormatSize(&format[3], ioWrite); PhInitFormatS(&format[4], L"\nO: "); PhInitFormatSize(&format[5], ioOther); PhInitFormatSR(&format[6], PH_AUTO_T(PH_STRING, PhSipGetMaxIoString(getTooltipText->Index))->sr); PhInitFormatC(&format[7], L'\n'); PhInitFormatSR(&format[8], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&Section->GraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 160)); getTooltipText->Text = Section->GraphState.TooltipText->sr; } return TRUE; case SysInfoGraphDrawPanel: { PPH_SYSINFO_DRAW_PANEL drawPanel = Parameter1; PH_FORMAT format[4]; drawPanel->Title = PhCreateString(L"I/O"); // R+O: %s\nW: %s PhInitFormatS(&format[0], L"R+O: "); PhInitFormatSizeWithPrecision(&format[1], PhIoReadDelta.Delta + PhIoOtherDelta.Delta, 1); PhInitFormatS(&format[2], L"\nW: "); PhInitFormatSizeWithPrecision(&format[3], PhIoWriteDelta.Delta, 1); drawPanel->SubTitle = PhFormat(format, RTL_NUMBER_OF(format), 64); } return TRUE; } return FALSE; } VOID PhSipInitializeIoDialog( VOID ) { PhInitializeDelta(&IoReadDelta); PhInitializeDelta(&IoWriteDelta); PhInitializeDelta(&IoOtherDelta); PhInitializeGraphState(&IoReadGraphState); PhInitializeGraphState(&IoWriteGraphState); PhInitializeGraphState(&IoOtherGraphState); IoTicked = 0; } VOID PhSipUninitializeIoDialog( VOID ) { PhDeleteGraphState(&IoReadGraphState); PhDeleteGraphState(&IoWriteGraphState); PhDeleteGraphState(&IoOtherGraphState); // Note: Required for SysInfoViewChanging (dmex) IoReadGraphHandle = NULL; IoWriteGraphHandle = NULL; IoOtherGraphHandle = NULL; } VOID PhSipTickIoDialog( VOID ) { PhUpdateDelta(&IoReadDelta, PhPerfInformation.IoReadOperationCount); PhUpdateDelta(&IoWriteDelta, PhPerfInformation.IoWriteOperationCount); PhUpdateDelta(&IoOtherDelta, PhPerfInformation.IoOtherOperationCount); if (IoTicked < 2) IoTicked++; PhSipUpdateIoGraph(); PhSipUpdateIoPanel(); } INT_PTR CALLBACK PhSipIoDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PPH_LAYOUT_ITEM graphItem; PPH_LAYOUT_ITEM panelItem; RECT margin; PhSipInitializeIoDialog(); IoDialog = hwndDlg; IoReadLabelHandle = GetDlgItem(hwndDlg, IDC_IOREAD_L); IoWriteLabelHandle = GetDlgItem(hwndDlg, IDC_IOWRITE_L); IoOtherLabelHandle = GetDlgItem(hwndDlg, IDC_IOOTHER_L); PhInitializeLayoutManager(&IoLayoutManager, hwndDlg); graphItem = PhAddLayoutItem(&IoLayoutManager, GetDlgItem(hwndDlg, IDC_GRAPH_LAYOUT), NULL, PH_ANCHOR_ALL); panelItem = PhAddLayoutItem(&IoLayoutManager, GetDlgItem(hwndDlg, IDC_LAYOUT), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); IoGraphMargin = graphItem->Margin; SetWindowFont(GetDlgItem(hwndDlg, IDC_TITLE), IoSection->Parameters->LargeFont, FALSE); IoPanel = PhCreateDialog(PhInstanceHandle, MAKEINTRESOURCE(IDD_SYSINFO_IOPANEL), hwndDlg, PhSipIoPanelDialogProc, NULL); ShowWindow(IoPanel, SW_SHOW); margin = panelItem->Margin; PhGetSizeDpiValue(&margin, IoSection->Parameters->WindowDpi, TRUE); PhAddLayoutItemEx(&IoLayoutManager, IoPanel, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM, &margin); PhSipCreateIoGraph(); PhSipUpdateIoGraph(); PhSipUpdateIoPanel(); } break; case WM_DESTROY: { PhDeleteLayoutManager(&IoLayoutManager); } break; case WM_DPICHANGED_AFTERPARENT: { if (IoSection->Parameters->LargeFont) { SetWindowFont(GetDlgItem(hwndDlg, IDC_TITLE), IoSection->Parameters->LargeFont, FALSE); } IoReadGraphState.Valid = FALSE; IoReadGraphState.TooltipIndex = ULONG_MAX; IoWriteGraphState.Valid = FALSE; IoWriteGraphState.TooltipIndex = ULONG_MAX; IoOtherGraphState.Valid = FALSE; IoOtherGraphState.TooltipIndex = ULONG_MAX; PhLayoutManagerUpdate(&IoLayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&IoLayoutManager); PhSipLayoutIoGraphs(hwndDlg); } break; case WM_SIZE: { IoReadGraphState.Valid = FALSE; IoReadGraphState.TooltipIndex = ULONG_MAX; IoWriteGraphState.Valid = FALSE; IoWriteGraphState.TooltipIndex = ULONG_MAX; IoOtherGraphState.Valid = FALSE; IoOtherGraphState.TooltipIndex = ULONG_MAX; PhLayoutManagerLayout(&IoLayoutManager); PhSipLayoutIoGraphs(hwndDlg); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } INT_PTR CALLBACK PhSipIoPanelDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { IoPanelReadsDeltaLabel = GetDlgItem(hwndDlg, IDC_ZREADSDELTA_V); IoPanelWritesDeltaLabel = GetDlgItem(hwndDlg, IDC_ZWRITESDELTA_V); IoPanelOtherDeltaLabel = GetDlgItem(hwndDlg, IDC_ZOTHERDELTA_V); IoPanelReadBytesDeltaLabel = GetDlgItem(hwndDlg, IDC_ZREADBYTESDELTA_V); IoPanelWriteBytesDeltaLabel = GetDlgItem(hwndDlg, IDC_ZWRITEBYTESDELTA_V); IoPanelOtherBytesDeltaLabel = GetDlgItem(hwndDlg, IDC_ZOTHERBYTESDELTA_V); IoPanelReadsLabel = GetDlgItem(hwndDlg, IDC_ZREADS_V); IoPanelReadBytesLabel = GetDlgItem(hwndDlg, IDC_ZREADBYTES_V); IoPanelWritesLabel = GetDlgItem(hwndDlg, IDC_ZWRITES_V); IoPanelWriteBytesLabel = GetDlgItem(hwndDlg, IDC_ZWRITEBYTES_V); IoPanelOtherLabel = GetDlgItem(hwndDlg, IDC_ZOTHER_V); IoPanelOtherBytesLabel = GetDlgItem(hwndDlg, IDC_ZOTHERBYTES_V); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhSipCreateIoGraph( VOID ) { PH_GRAPH_CREATEPARAMS graphCreateParams; memset(&graphCreateParams, 0, sizeof(PH_GRAPH_CREATEPARAMS)); graphCreateParams.Size = sizeof(PH_GRAPH_CREATEPARAMS); graphCreateParams.Callback = PhSipNotifyIoReadGraph; IoReadGraphHandle = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_VISIBLE | WS_CHILD | WS_BORDER, 0, 0, 0, 0, IoDialog, NULL, NULL, &graphCreateParams ); Graph_SetTooltip(IoReadGraphHandle, TRUE); memset(&graphCreateParams, 0, sizeof(PH_GRAPH_CREATEPARAMS)); graphCreateParams.Size = sizeof(PH_GRAPH_CREATEPARAMS); graphCreateParams.Callback = PhSipNotifyIoWriteGraph; IoWriteGraphHandle = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_VISIBLE | WS_CHILD | WS_BORDER, 0, 0, 0, 0, IoDialog, NULL, NULL, &graphCreateParams ); Graph_SetTooltip(IoWriteGraphHandle, TRUE); memset(&graphCreateParams, 0, sizeof(PH_GRAPH_CREATEPARAMS)); graphCreateParams.Size = sizeof(PH_GRAPH_CREATEPARAMS); graphCreateParams.Callback = PhSipNotifyIoOtherGraph; IoOtherGraphHandle = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_VISIBLE | WS_CHILD | WS_BORDER, 0, 0, 0, 0, IoDialog, NULL, NULL, &graphCreateParams ); Graph_SetTooltip(IoOtherGraphHandle, TRUE); } VOID PhSipLayoutIoGraphs( _In_ HWND WindowHandle ) { RECT clientRect; RECT labelRect; RECT marginRect; LONG graphWidth; LONG graphHeight; HDWP deferHandle; LONG y; marginRect = IoGraphMargin; PhGetSizeDpiValue(&marginRect, IoSection->Parameters->WindowDpi, TRUE); if (!PhGetClientRect(IoDialog, &clientRect)) return; if (!PhGetClientRect(IoReadLabelHandle, &labelRect)) return; graphWidth = clientRect.right - marginRect.left - marginRect.right; graphHeight = (clientRect.bottom - marginRect.top - marginRect.bottom - labelRect.bottom * 3 - IoSection->Parameters->MemoryPadding * 4) / 3; deferHandle = BeginDeferWindowPos(6); y = marginRect.top; deferHandle = DeferWindowPos( deferHandle, IoReadLabelHandle, NULL, marginRect.left, y, 0, 0, SWP_NOSIZE | SWP_NOACTIVATE | SWP_NOZORDER ); y += labelRect.bottom + IoSection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, IoReadGraphHandle, NULL, marginRect.left, y, graphWidth, graphHeight, SWP_NOACTIVATE | SWP_NOZORDER ); y += graphHeight + IoSection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, IoWriteLabelHandle, NULL, marginRect.left, y, 0, 0, SWP_NOSIZE | SWP_NOACTIVATE | SWP_NOZORDER ); y += labelRect.bottom + IoSection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, IoWriteGraphHandle, NULL, marginRect.left, y, graphWidth, graphHeight, SWP_NOACTIVATE | SWP_NOZORDER ); y += graphHeight + IoSection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, IoOtherLabelHandle, NULL, marginRect.left, y, 0, 0, SWP_NOSIZE | SWP_NOACTIVATE | SWP_NOZORDER ); y += labelRect.bottom + IoSection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, IoOtherGraphHandle, NULL, marginRect.left, y, graphWidth, clientRect.bottom - marginRect.bottom - y, SWP_NOACTIVATE | SWP_NOZORDER ); EndDeferWindowPos(deferHandle); } _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyIoReadGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { switch (GraphMessage) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Parameter1; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_LABEL_MAX_Y; PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorIoReadOther, 0, IoSection->Parameters->WindowDpi); PhGraphStateGetDrawInfo( &IoReadGraphState, getDrawInfo, PhIoReadHistory.Count ); if (!IoReadGraphState.Valid) { FLOAT max = 1024 * 1024; // Minimum scaling of 1 MB if (PhCsEnableAvxSupport && drawInfo->LineDataCount > 1024) { PhCopyConvertCircularBufferULONG64(&PhIoReadHistory, IoReadGraphState.Data1, drawInfo->LineDataCount); max = PhMaxMemorySingles(IoReadGraphState.Data1, drawInfo->LineDataCount); #ifdef DEBUG for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { assert(IoReadGraphState.Data1[i] == (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoReadHistory, i)); } #endif } else { for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT value; IoReadGraphState.Data1[i] = value = (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoReadHistory, i); if (max < value) max = value; } } if (max != 0) { // Scale the data. PhDivideSinglesBySingle( IoReadGraphState.Data1, max, drawInfo->LineDataCount ); } drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = max; IoReadGraphState.Valid = TRUE; } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Parameter1; if (getTooltipText->Index < getTooltipText->TotalCount) { if (IoReadGraphState.TooltipIndex != getTooltipText->Index) { ULONG64 ioRead; PH_FORMAT format[5]; ioRead = PhGetItemCircularBuffer_ULONG64(&PhIoReadHistory, getTooltipText->Index); // R: %s\nW: %s\nO: %s%s\n%s PhInitFormatS(&format[0], L"R: "); PhInitFormatSize(&format[1], ioRead); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhSipGetMaxIoString(getTooltipText->Index))->sr); PhInitFormatC(&format[3], L'\n'); PhInitFormatSR(&format[4], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&IoReadGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 160)); } getTooltipText->Text = IoReadGraphState.TooltipText->sr; } } break; case GCN_MOUSEEVENT: { PPH_GRAPH_MOUSEEVENT mouseEvent = (PPH_GRAPH_MOUSEEVENT)Parameter1; PPH_PROCESS_RECORD record; record = NULL; if (mouseEvent->Message == WM_LBUTTONDBLCLK && mouseEvent->Index < mouseEvent->TotalCount) { record = PhSipReferenceMaxIoRecord(mouseEvent->Index); } if (record) { PhShowProcessRecordDialog(IoDialog, record); PhDereferenceProcessRecord(record); } } break; } return TRUE; } _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN PhSipNotifyIoWriteGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { switch (GraphMessage) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Parameter1; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_LABEL_MAX_Y; PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorIoWrite, 0, IoSection->Parameters->WindowDpi); PhGraphStateGetDrawInfo( &IoWriteGraphState, getDrawInfo, PhIoWriteHistory.Count ); if (!IoWriteGraphState.Valid) { FLOAT max = 1024 * 1024; // Minimum scaling of 1 MB if (PhCsEnableAvxSupport && drawInfo->LineDataCount > 1024) { PhCopyConvertCircularBufferULONG64(&PhIoWriteHistory, IoWriteGraphState.Data1, drawInfo->LineDataCount); max = PhMaxMemorySingles(IoWriteGraphState.Data1, drawInfo->LineDataCount); #ifdef DEBUG for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { assert(IoWriteGraphState.Data1[i] == (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoWriteHistory, i)); } #endif } else { for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT value; IoWriteGraphState.Data1[i] = value = (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoWriteHistory, i); if (max < value) max = value; } } if (max != 0) { // Scale the data. PhDivideSinglesBySingle( IoWriteGraphState.Data1, max, drawInfo->LineDataCount ); } drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = max; IoWriteGraphState.Valid = TRUE; } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Parameter1; if (getTooltipText->Index < getTooltipText->TotalCount) { if (IoWriteGraphState.TooltipIndex != getTooltipText->Index) { ULONG64 ioWrite; PH_FORMAT format[5]; ioWrite = PhGetItemCircularBuffer_ULONG64(&PhIoWriteHistory, getTooltipText->Index); // W: %s\n%s PhInitFormatS(&format[0], L"W: "); PhInitFormatSize(&format[1], ioWrite); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhSipGetMaxIoString(getTooltipText->Index))->sr); PhInitFormatC(&format[3], L'\n'); PhInitFormatSR(&format[4], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&IoWriteGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 160)); } getTooltipText->Text = IoWriteGraphState.TooltipText->sr; } } break; case GCN_MOUSEEVENT: { PPH_GRAPH_MOUSEEVENT mouseEvent = (PPH_GRAPH_MOUSEEVENT)Parameter1; PPH_PROCESS_RECORD record; record = NULL; if (mouseEvent->Message == WM_LBUTTONDBLCLK && mouseEvent->Index < mouseEvent->TotalCount) { record = PhSipReferenceMaxIoRecord(mouseEvent->Index); } if (record) { PhShowProcessRecordDialog(IoDialog, record); PhDereferenceProcessRecord(record); } } break; } return TRUE; } _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN PhSipNotifyIoOtherGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { switch (GraphMessage) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Parameter1; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | PH_GRAPH_LABEL_MAX_Y; PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorIoWrite, 0, IoSection->Parameters->WindowDpi); PhGraphStateGetDrawInfo( &IoOtherGraphState, getDrawInfo, PhIoOtherHistory.Count ); if (!IoOtherGraphState.Valid) { FLOAT max = 1024 * 1024; // Minimum scaling of 1 MB if (PhCsEnableAvxSupport && drawInfo->LineDataCount > 1024) { PhCopyConvertCircularBufferULONG64(&PhIoOtherHistory, IoOtherGraphState.Data1, drawInfo->LineDataCount); max = PhMaxMemorySingles(IoOtherGraphState.Data1, drawInfo->LineDataCount); #ifdef DEBUG for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { assert(IoOtherGraphState.Data1[i] == (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoOtherHistory, i)); } #endif } else { for (ULONG i = 0; i < drawInfo->LineDataCount; i++) { FLOAT value; IoOtherGraphState.Data1[i] = value = (FLOAT)PhGetItemCircularBuffer_ULONG64(&PhIoOtherHistory, i); if (max < value) max = value; } } if (max != 0) { PhDivideSinglesBySingle( IoOtherGraphState.Data1, max, drawInfo->LineDataCount ); } drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = max; IoOtherGraphState.Valid = TRUE; } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Parameter1; if (getTooltipText->Index < getTooltipText->TotalCount) { if (IoOtherGraphState.TooltipIndex != getTooltipText->Index) { ULONG64 ioOther; PH_FORMAT format[5]; ioOther = PhGetItemCircularBuffer_ULONG64(&PhIoOtherHistory, getTooltipText->Index); // O: %s\n%s PhInitFormatS(&format[0], L"O: "); PhInitFormatSize(&format[1], ioOther); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhSipGetMaxIoString(getTooltipText->Index))->sr); PhInitFormatC(&format[3], L'\n'); PhInitFormatSR(&format[4], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&IoOtherGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 160)); } getTooltipText->Text = IoOtherGraphState.TooltipText->sr; } } break; case GCN_MOUSEEVENT: { PPH_GRAPH_MOUSEEVENT mouseEvent = (PPH_GRAPH_MOUSEEVENT)Parameter1; PPH_PROCESS_RECORD record; record = NULL; if (mouseEvent->Message == WM_LBUTTONDBLCLK && mouseEvent->Index < mouseEvent->TotalCount) { record = PhSipReferenceMaxIoRecord(mouseEvent->Index); } if (record) { PhShowProcessRecordDialog(IoDialog, record); PhDereferenceProcessRecord(record); } } break; } return TRUE; } VOID PhSipUpdateIoGraph( VOID ) { IoReadGraphState.Valid = FALSE; IoReadGraphState.TooltipIndex = ULONG_MAX; Graph_Update(IoReadGraphHandle); IoWriteGraphState.Valid = FALSE; IoWriteGraphState.TooltipIndex = ULONG_MAX; Graph_Update(IoWriteGraphHandle); IoOtherGraphState.Valid = FALSE; IoOtherGraphState.TooltipIndex = ULONG_MAX; Graph_Update(IoOtherGraphHandle); } VOID PhSipUpdateIoPanel( VOID ) { PH_FORMAT format[1]; WCHAR formatBuffer[256]; // I/O Deltas if (IoTicked > 1) { PhInitFormatI64UGroupDigits(&format[0], IoReadDelta.Delta); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelReadsDeltaLabel, formatBuffer); else PhSetWindowText(IoPanelReadsDeltaLabel, PhaFormatUInt64(IoReadDelta.Delta, TRUE)->Buffer); PhInitFormatI64UGroupDigits(&format[0], IoWriteDelta.Delta); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelWritesDeltaLabel, formatBuffer); else PhSetWindowText(IoPanelWritesDeltaLabel, PhaFormatUInt64(IoWriteDelta.Delta, TRUE)->Buffer); PhInitFormatI64UGroupDigits(&format[0], IoOtherDelta.Delta); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelOtherDeltaLabel, formatBuffer); else PhSetWindowText(IoPanelOtherDeltaLabel, PhaFormatUInt64(IoOtherDelta.Delta, TRUE)->Buffer); } else { PhSetWindowText(IoPanelReadsDeltaLabel, L"-"); PhSetWindowText(IoPanelWritesDeltaLabel, L"-"); PhSetWindowText(IoPanelOtherDeltaLabel, L"-"); } if (PhIoReadHistory.Count != 0) { PhInitFormatSize(&format[0], PhIoReadDelta.Delta); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelReadBytesDeltaLabel, formatBuffer); else PhSetWindowText(IoPanelReadBytesDeltaLabel, PhaFormatSize(PhIoReadDelta.Delta, ULONG_MAX)->Buffer); PhInitFormatSize(&format[0], PhIoWriteDelta.Delta); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelWriteBytesDeltaLabel, formatBuffer); else PhSetWindowText(IoPanelWriteBytesDeltaLabel, PhaFormatSize(PhIoWriteDelta.Delta, ULONG_MAX)->Buffer); PhInitFormatSize(&format[0], PhIoOtherDelta.Delta); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelOtherBytesDeltaLabel, formatBuffer); else PhSetWindowText(IoPanelOtherBytesDeltaLabel, PhaFormatSize(PhIoOtherDelta.Delta, ULONG_MAX)->Buffer); } else { PhSetWindowText(IoPanelReadBytesDeltaLabel, L"-"); PhSetWindowText(IoPanelWriteBytesDeltaLabel, L"-"); PhSetWindowText(IoPanelOtherBytesDeltaLabel, L"-"); } // I/O Totals PhInitFormatI64UGroupDigits(&format[0], PhPerfInformation.IoReadOperationCount); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelReadsLabel, formatBuffer); else PhSetWindowText(IoPanelReadsLabel, PhaFormatUInt64(PhPerfInformation.IoReadOperationCount, TRUE)->Buffer); PhInitFormatSize(&format[0], PhPerfInformation.IoReadTransferCount.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelReadBytesLabel, formatBuffer); else PhSetWindowText(IoPanelReadBytesLabel, PhaFormatSize(PhPerfInformation.IoReadTransferCount.QuadPart, ULONG_MAX)->Buffer); PhInitFormatI64UGroupDigits(&format[0], PhPerfInformation.IoWriteOperationCount); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelWritesLabel, formatBuffer); else PhSetWindowText(IoPanelWritesLabel, PhaFormatUInt64(PhPerfInformation.IoWriteOperationCount, TRUE)->Buffer); PhInitFormatSize(&format[0], PhPerfInformation.IoWriteTransferCount.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelWriteBytesLabel, formatBuffer); else PhSetWindowText(IoPanelWriteBytesLabel, PhaFormatSize(PhPerfInformation.IoWriteTransferCount.QuadPart, ULONG_MAX)->Buffer); PhInitFormatI64UGroupDigits(&format[0], PhPerfInformation.IoOtherOperationCount); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelOtherLabel, formatBuffer); else PhSetWindowText(IoPanelOtherLabel, PhaFormatUInt64(PhPerfInformation.IoOtherOperationCount, TRUE)->Buffer); PhInitFormatSize(&format[0], PhPerfInformation.IoOtherTransferCount.QuadPart); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), NULL)) PhSetWindowText(IoPanelOtherBytesLabel, formatBuffer); else PhSetWindowText(IoPanelOtherBytesLabel, PhaFormatSize(PhPerfInformation.IoOtherTransferCount.QuadPart, ULONG_MAX)->Buffer); } PPH_PROCESS_RECORD PhSipReferenceMaxIoRecord( _In_ LONG Index ) { LARGE_INTEGER time; ULONG maxProcessId; // Find the process record for the max. I/O process for the particular time. maxProcessId = PhGetItemCircularBuffer_ULONG(&PhMaxIoHistory, Index); if (!maxProcessId) return NULL; // See above for the explanation. PhGetStatisticsTime(NULL, Index, &time); time.QuadPart += PH_TICKS_PER_SEC - 1; return PhFindProcessRecord(UlongToHandle(maxProcessId), &time); } PPH_STRING PhSipGetMaxIoString( _In_ LONG Index ) { PPH_PROCESS_RECORD maxProcessRecord; #ifdef PH_RECORD_MAX_USAGE ULONG64 maxIoReadOther; ULONG64 maxIoWrite; #endif if (maxProcessRecord = PhSipReferenceMaxIoRecord(Index)) { PPH_STRING maxUsageString; // We found the process record, so now we construct the max. usage string. #ifdef PH_RECORD_MAX_USAGE maxIoReadOther = PhGetItemCircularBuffer_ULONG64(&PhMaxIoReadOtherHistory, Index); maxIoWrite = PhGetItemCircularBuffer_ULONG64(&PhMaxIoWriteHistory, Index); if (!PH_IS_FAKE_PROCESS_ID(maxProcessRecord->ProcessId)) { PH_FORMAT format[8]; // \n%s (%u): R+O: %s, W: %s PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxProcessRecord->ProcessName->sr); PhInitFormatS(&format[2], L" ("); PhInitFormatU(&format[3], HandleToUlong(maxProcessRecord->ProcessId)); PhInitFormatS(&format[4], L"): R+O: "); PhInitFormatSize(&format[5], maxIoReadOther); PhInitFormatS(&format[6], L", W: "); PhInitFormatSize(&format[7], maxIoWrite); maxUsageString = PhFormat(format, RTL_NUMBER_OF(format), 128); } else { PH_FORMAT format[6]; // \n%s: R+O: %s, W: %s PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxProcessRecord->ProcessName->sr); PhInitFormatS(&format[2], L": R+O: "); PhInitFormatSize(&format[3], maxIoReadOther); PhInitFormatS(&format[4], L", W: "); PhInitFormatSize(&format[5], maxIoWrite); maxUsageString = PhFormat(format, RTL_NUMBER_OF(format), 128); } #else PH_FORMAT format[2]; PhInitFormatC(&format[0], L'\n'); PhInitFormatSR(&format[1], maxProcessRecord->ProcessName->sr); maxUsageString = PhFormat(format, RTL_NUMBER_OF(format), 128); #endif PhDereferenceProcessRecord(maxProcessRecord); return maxUsageString; } return PhReferenceEmptyString(); } ================================================ FILE: SystemInformer/sysscmem.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include static CONST PH_KEY_VALUE_PAIR MemoryFormFactors[] = { SIP(L"Other", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_OTHER), SIP(L"Unknown", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_UNKNOWN), SIP(L"SIMM", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_SIMM), SIP(L"SIP", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_SIP), SIP(L"Chip", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_CHIP), SIP(L"DIP", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_DIP), SIP(L"ZIP", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_ZIP), SIP(L"Proprietary", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_PROPRIETARY), SIP(L"DIMM", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_DIMM), SIP(L"TOSP", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_TSOP), SIP(L"Row of chips", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_ROW_OF_CHIPS), SIP(L"RIMM", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_RIMM), SIP(L"SODIMM", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_SODIMM), SIP(L"SRIMM", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_SRIMM), SIP(L"FB-DIMM", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_FB_DIMM), SIP(L"Die", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_DIE), SIP(L"CAMM", SMBIOS_MEMORY_DEVICE_FORM_FACTOR_CAMM), }; static CONST PH_KEY_VALUE_PAIR MemoryTypes[] = { SIP(L"Other", SMBIOS_MEMORY_DEVICE_TYPE_OTHER), SIP(L"Unknown", SMBIOS_MEMORY_DEVICE_TYPE_UNKNOWN), SIP(L"DRAM", SMBIOS_MEMORY_DEVICE_TYPE_DRAM), SIP(L"EDRAM", SMBIOS_MEMORY_DEVICE_TYPE_EDRAM), SIP(L"VRAM", SMBIOS_MEMORY_DEVICE_TYPE_VRAM), SIP(L"SRAM", SMBIOS_MEMORY_DEVICE_TYPE_SRAM), SIP(L"RAM", SMBIOS_MEMORY_DEVICE_TYPE_RAM), SIP(L"ROM", SMBIOS_MEMORY_DEVICE_TYPE_ROM), SIP(L"FLASH", SMBIOS_MEMORY_DEVICE_TYPE_FLASH), SIP(L"EEPROM", SMBIOS_MEMORY_DEVICE_TYPE_EEPROM), SIP(L"FEPROM", SMBIOS_MEMORY_DEVICE_TYPE_FEPROM), SIP(L"EPROM", SMBIOS_MEMORY_DEVICE_TYPE_EPROM), SIP(L"CDRAM", SMBIOS_MEMORY_DEVICE_TYPE_CDRAM), SIP(L"3DRAM", SMBIOS_MEMORY_DEVICE_TYPE_3DRAM), SIP(L"SDRAM", SMBIOS_MEMORY_DEVICE_TYPE_SDRAM), SIP(L"SGRAM", SMBIOS_MEMORY_DEVICE_TYPE_SGRAM), SIP(L"RDRAM", SMBIOS_MEMORY_DEVICE_TYPE_RDRAM), SIP(L"DDR", SMBIOS_MEMORY_DEVICE_TYPE_DDR), SIP(L"DDR2", SMBIOS_MEMORY_DEVICE_TYPE_DDR2), SIP(L"DDR2-FM-DIMM", SMBIOS_MEMORY_DEVICE_TYPE_DDR2_FB_DIMM), SIP(L"DDR3", SMBIOS_MEMORY_DEVICE_TYPE_DDR3), SIP(L"FBD2", SMBIOS_MEMORY_DEVICE_TYPE_FBD2), SIP(L"DDR4", SMBIOS_MEMORY_DEVICE_TYPE_DDR4), SIP(L"LPDDR", SMBIOS_MEMORY_DEVICE_TYPE_LPDDR), SIP(L"LPDDR2", SMBIOS_MEMORY_DEVICE_TYPE_LPDDR2), SIP(L"LPDDR3", SMBIOS_MEMORY_DEVICE_TYPE_LPDDR3), SIP(L"LPDDR4", SMBIOS_MEMORY_DEVICE_TYPE_LPDDR4), SIP(L"Local non-volatile", SMBIOS_MEMORY_DEVICE_TYPE_LOCAL_NON_VOLATILE), SIP(L"HBM", SMBIOS_MEMORY_DEVICE_TYPE_HBM), SIP(L"HBM2", SMBIOS_MEMORY_DEVICE_TYPE_HBM2), SIP(L"DDR5", SMBIOS_MEMORY_DEVICE_TYPE_DDR5), SIP(L"LPDDR5", SMBIOS_MEMORY_DEVICE_TYPE_LPDDR5), SIP(L"HBM3", SMBIOS_MEMORY_DEVICE_TYPE_HBM3), }; static CONST PH_KEY_VALUE_PAIR MemoryTechnologies[] = { SIP(L"Other", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_OTHER), SIP(L"Unknown", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_UNKNOWN), SIP(L"DRAM", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_DRAM), SIP(L"NVDIMM-N", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_NVDIMM_N), SIP(L"NVDIMM-F", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_NVDIMM_F), SIP(L"NVDIMM-P", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_NVDIMM_P), SIP(L"Intel Optane", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_INTEL_OPTANE), SIP(L"MRDIMM", SMBIOS_MEMORY_DEVICE_TECHNOLOGY_MRDIMM), }; static BOOLEAN ShowCommitInSummary; static PPH_SYSINFO_SECTION MemorySection; static HWND MemoryDialog; static PH_LAYOUT_MANAGER MemoryLayoutManager; static RECT MemoryGraphMargin; static HWND CommitGraphHandle; static PH_GRAPH_STATE CommitGraphState; static HWND PhysicalGraphHandle; static PH_GRAPH_STATE PhysicalGraphState; static HWND MemoryPanel; static ULONG MemoryTicked; static PH_UINT32_DELTA PagedAllocsDelta; static PH_UINT32_DELTA PagedFreesDelta; static PH_UINT32_DELTA NonPagedAllocsDelta; static PH_UINT32_DELTA NonPagedFreesDelta; static PH_UINT32_DELTA PageFaultsDelta; static PH_UINT32_DELTA PageReadsDelta; static PH_UINT32_DELTA PagefileWritesDelta; static PH_UINT32_DELTA MappedWritesDelta; static PH_UINT64_DELTA MappedIoReadDelta; static PH_UINT64_DELTA MappedIoWritesDelta; static BOOLEAN MmAddressesInitialized; static PSIZE_T MmSizeOfPagedPoolInBytes; static PSIZE_T MmMaximumNonPagedPoolInBytes; static ULONGLONG InstalledMemory; static ULONGLONG ReservedMemory; static ULONG MemorySlotsTotal; static ULONG MemorySlotsUsed; static UCHAR MemoryFormFactor; static UCHAR MemoryTechnology; static UCHAR MemoryType; static ULONG MemorySpeed; _Function_class_(PH_ENUM_SMBIOS_CALLBACK) BOOLEAN NTAPI PhpSipMemorySMBIOSCallback( _In_ ULONG_PTR EnumHandle, _In_ UCHAR MajorVersion, _In_ UCHAR MinorVersion, _In_ PPH_SMBIOS_ENTRY Entry, _In_opt_ PVOID Context ) { UCHAR formFactor = 0; UCHAR memoryType = 0; UCHAR technology = 0; ULONG speed = 0; if (Entry->Header.Type != SMBIOS_MEMORY_DEVICE_INFORMATION_TYPE) return FALSE; if (PH_SMBIOS_CONTAINS_FIELD(Entry, MemoryDevice, Technology)) technology = Entry->MemoryDevice.Technology; if (PH_SMBIOS_CONTAINS_FIELD(Entry, MemoryDevice, MemoryType)) memoryType = Entry->MemoryDevice.MemoryType; if (PH_SMBIOS_CONTAINS_FIELD(Entry, MemoryDevice, FormFactor)) formFactor = Entry->MemoryDevice.FormFactor; if (PH_SMBIOS_CONTAINS_FIELD(Entry, MemoryDevice, ConfiguredSpeed)) speed = Entry->MemoryDevice.ConfiguredSpeed; if (speed == MAXUSHORT && PH_SMBIOS_CONTAINS_FIELD(Entry, MemoryDevice, ExtendedConfiguredSpeed)) speed = Entry->MemoryDevice.ExtendedConfiguredSpeed; if (!speed) { if (PH_SMBIOS_CONTAINS_FIELD(Entry, MemoryDevice, Speed)) speed = Entry->MemoryDevice.Speed; if (speed == MAXUSHORT && PH_SMBIOS_CONTAINS_FIELD(Entry, MemoryDevice, ExtendedSpeed)) speed = Entry->MemoryDevice.ExtendedSpeed; } MemorySlotsTotal++; if (Entry->MemoryDevice.Size.Value) MemorySlotsUsed++; MemoryFormFactor = max(MemoryFormFactor, formFactor); MemoryType = max(MemoryType, memoryType); MemoryTechnology = max(MemoryTechnology, technology); MemorySpeed = max(MemorySpeed, speed); return FALSE; } _Function_class_(PH_SYSINFO_SECTION_CALLBACK) BOOLEAN PhSipMemorySectionCallback( _In_ PPH_SYSINFO_SECTION Section, _In_ PH_SYSINFO_SECTION_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2 ) { switch (Message) { case SysInfoCreate: { ShowCommitInSummary = !!PhGetIntegerSetting(SETTING_SHOW_COMMIT_IN_SUMMARY); MemorySection = Section; MemorySlotsTotal = 0; MemorySlotsUsed = 0; MemoryFormFactor = 0; MemoryType = 0; MemorySpeed = 0; PhEnumSMBIOS(PhpSipMemorySMBIOSCallback, NULL); } return TRUE; case SysInfoDestroy: { if (MemoryDialog) { PhSipUninitializeMemoryDialog(); MemoryDialog = NULL; } } break; case SysInfoTick: { if (MemoryDialog) { PhSipTickMemoryDialog(); } } return TRUE; case SysInfoViewChanging: { PH_SYSINFO_VIEW_TYPE view = (PH_SYSINFO_VIEW_TYPE)PtrToUlong(Parameter1); PPH_SYSINFO_SECTION section = (PPH_SYSINFO_SECTION)Parameter2; if (view == SysInfoSummaryView || section != Section) return TRUE; if (CommitGraphHandle) { CommitGraphState.Valid = FALSE; CommitGraphState.TooltipIndex = ULONG_MAX; Graph_Draw(CommitGraphHandle); } if (PhysicalGraphHandle) { PhysicalGraphState.Valid = FALSE; PhysicalGraphState.TooltipIndex = ULONG_MAX; Graph_Draw(PhysicalGraphHandle); } } return TRUE; case SysInfoCreateDialog: { PPH_SYSINFO_CREATE_DIALOG createDialog = Parameter1; createDialog->Instance = PhInstanceHandle; createDialog->Template = MAKEINTRESOURCE(IDD_SYSINFO_MEM); createDialog->DialogProc = PhSipMemoryDialogProc; } return TRUE; case SysInfoGraphGetDrawInfo: { PPH_GRAPH_DRAW_INFO drawInfo = Parameter1; ULONG i; if (ShowCommitInSummary) { drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | (PhCsEnableGraphMaxText ? PH_GRAPH_LABEL_MAX_Y : 0); Section->Parameters->ColorSetupFunction(drawInfo, PhCsColorPrivate, 0, Section->Parameters->WindowDpi); PhGetDrawInfoGraphBuffers(&Section->GraphState.Buffers, drawInfo, PhCommitHistory.Count); if (!Section->GraphState.Valid) { if (PhCsEnableAvxSupport) { PhCopyConvertCircularBufferULONG(&PhCommitHistory, Section->GraphState.Data1, drawInfo->LineDataCount); #ifdef DEBUG for (i = 0; i < drawInfo->LineDataCount; i++) { assert(Section->GraphState.Data1[i] == (FLOAT)PhGetItemCircularBuffer_ULONG(&PhCommitHistory, i)); } #endif } else { for (i = 0; i < drawInfo->LineDataCount; i++) { Section->GraphState.Data1[i] = (FLOAT)PhGetItemCircularBuffer_ULONG(&PhCommitHistory, i); } } if (PhPerfInformation.CommitLimit != 0) { // Scale the data. PhDivideSinglesBySingle( Section->GraphState.Data1, (FLOAT)PhPerfInformation.CommitLimit, drawInfo->LineDataCount ); } if (PhCsEnableGraphMaxText) { drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = (FLOAT)UInt32x32To64(PhPerfInformation.CommitLimit, PAGE_SIZE); } Section->GraphState.Valid = TRUE; } } else { drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | (PhCsEnableGraphMaxText ? PH_GRAPH_LABEL_MAX_Y : 0); Section->Parameters->ColorSetupFunction(drawInfo, PhCsColorPhysical, 0, Section->Parameters->WindowDpi); PhGetDrawInfoGraphBuffers(&Section->GraphState.Buffers, drawInfo, PhPhysicalHistory.Count); if (!Section->GraphState.Valid) { if (PhCsEnableAvxSupport) { PhCopyConvertCircularBufferULONG(&PhPhysicalHistory, Section->GraphState.Data1, drawInfo->LineDataCount); #ifdef DEBUG for (i = 0; i < drawInfo->LineDataCount; i++) { assert(Section->GraphState.Data1[i] == (FLOAT)PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, i)); } #endif } else { for (i = 0; i < drawInfo->LineDataCount; i++) { Section->GraphState.Data1[i] = (FLOAT)PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, i); } } if (PhSystemBasicInformation.NumberOfPhysicalPages != 0) { // Scale the data. PhDivideSinglesBySingle( Section->GraphState.Data1, (FLOAT)PhSystemBasicInformation.NumberOfPhysicalPages, drawInfo->LineDataCount ); } if (PhCsEnableGraphMaxText) { drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = (FLOAT)UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages, PAGE_SIZE); } Section->GraphState.Valid = TRUE; } } } return TRUE; case SysInfoGraphGetTooltipText: { PPH_SYSINFO_GRAPH_GET_TOOLTIP_TEXT getTooltipText = Parameter1; ULONG usedPages; PH_FORMAT format[3]; if (ShowCommitInSummary) { usedPages = PhGetItemCircularBuffer_ULONG(&PhCommitHistory, getTooltipText->Index); // Commit charge: %s\n%s PhInitFormatSize(&format[0], UInt32x32To64(usedPages, PAGE_SIZE)); PhInitFormatC(&format[1], L'\n'); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&Section->GraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 128)); getTooltipText->Text = Section->GraphState.TooltipText->sr; } else { usedPages = PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, getTooltipText->Index); // Physical memory: %s\n%s PhInitFormatSize(&format[0], UInt32x32To64(usedPages, PAGE_SIZE)); PhInitFormatC(&format[1], L'\n'); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&Section->GraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 128)); getTooltipText->Text = Section->GraphState.TooltipText->sr; } } return TRUE; case SysInfoGraphDrawPanel: { PPH_SYSINFO_DRAW_PANEL drawPanel = Parameter1; ULONG totalPages; ULONG usedPages; PH_FORMAT format[5]; if (ShowCommitInSummary) { totalPages = PhPerfInformation.CommitLimit; usedPages = PhPerfInformation.CommittedPages; } else { totalPages = PhSystemBasicInformation.NumberOfPhysicalPages; usedPages = totalPages - PhPerfInformation.AvailablePages; } drawPanel->Title = PhCreateString(L"Memory"); // %.0f%%\n%s / %s PhInitFormatF(&format[0], ((FLOAT)usedPages / (FLOAT)totalPages) * 100, 0); PhInitFormatS(&format[1], L"%\n"); PhInitFormatSizeWithPrecision(&format[2], UInt32x32To64(usedPages, PAGE_SIZE), 1); PhInitFormatS(&format[3], L" / "); PhInitFormatSizeWithPrecision(&format[4], UInt32x32To64(totalPages, PAGE_SIZE), 1); drawPanel->SubTitle = PhFormat(format, 5, 64); // %.0f%%\n%s PhInitFormatF(&format[0], ((FLOAT)usedPages / (FLOAT)totalPages) * 100, 0); PhInitFormatS(&format[1], L"%\n"); PhInitFormatSizeWithPrecision(&format[2], UInt32x32To64(usedPages, PAGE_SIZE), 1); drawPanel->SubTitleOverflow = PhFormat(format, 3, 0); } return TRUE; } return FALSE; } VOID PhSipInitializeMemoryDialog( VOID ) { PhInitializeDelta(&PagedAllocsDelta); PhInitializeDelta(&PagedFreesDelta); PhInitializeDelta(&NonPagedAllocsDelta); PhInitializeDelta(&NonPagedFreesDelta); PhInitializeDelta(&PageFaultsDelta); PhInitializeDelta(&PageReadsDelta); PhInitializeDelta(&PagefileWritesDelta); PhInitializeDelta(&MappedWritesDelta); PhInitializeDelta(&MappedIoReadDelta); PhInitializeDelta(&MappedIoWritesDelta); PhInitializeGraphState(&CommitGraphState); PhInitializeGraphState(&PhysicalGraphState); MemoryTicked = 0; if (!MmAddressesInitialized) { PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), PhSipLoadMmAddresses, NULL); MmAddressesInitialized = TRUE; } } VOID PhSipUninitializeMemoryDialog( VOID ) { PhDeleteGraphState(&CommitGraphState); PhDeleteGraphState(&PhysicalGraphState); // Note: Required for SysInfoViewChanging (dmex) CommitGraphHandle = NULL; PhysicalGraphHandle = NULL; } VOID PhSipTickMemoryDialog( VOID ) { PhUpdateDelta(&PagedAllocsDelta, PhPerfInformation.PagedPoolAllocs); PhUpdateDelta(&PagedFreesDelta, PhPerfInformation.PagedPoolFrees); PhUpdateDelta(&NonPagedAllocsDelta, PhPerfInformation.NonPagedPoolAllocs); PhUpdateDelta(&NonPagedFreesDelta, PhPerfInformation.NonPagedPoolFrees); PhUpdateDelta(&PageFaultsDelta, PhPerfInformation.PageFaultCount); PhUpdateDelta(&PageReadsDelta, PhPerfInformation.PageReadCount); PhUpdateDelta(&PagefileWritesDelta, PhPerfInformation.DirtyPagesWriteCount); PhUpdateDelta(&MappedWritesDelta, PhPerfInformation.MappedPagesWriteCount); PhUpdateDelta(&MappedIoReadDelta, UInt32x32To64(PhPerfInformation.PageReadCount, PAGE_SIZE)); PhUpdateDelta(&MappedIoWritesDelta, ((ULONG64)PhPerfInformation.MappedPagesWriteCount + PhPerfInformation.DirtyPagesWriteCount + PhPerfInformation.CcLazyWritePages) * PAGE_SIZE); if (MemoryTicked < 2) MemoryTicked++; PhSipUpdateMemoryGraphs(); PhSipUpdateMemoryPanel(); } INT_PTR CALLBACK PhSipMemoryDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { PPH_LAYOUT_ITEM graphItem; PPH_LAYOUT_ITEM panelItem; RECT margin; HWND totalPhysicalLabel; PhSipInitializeMemoryDialog(); MemoryDialog = hwndDlg; totalPhysicalLabel = GetDlgItem(hwndDlg, IDC_TOTALPHYSICAL); PhInitializeLayoutManager(&MemoryLayoutManager, hwndDlg); PhAddLayoutItem(&MemoryLayoutManager, totalPhysicalLabel, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT | PH_LAYOUT_FORCE_INVALIDATE); graphItem = PhAddLayoutItem(&MemoryLayoutManager, GetDlgItem(hwndDlg, IDC_GRAPH_LAYOUT), NULL, PH_ANCHOR_ALL); panelItem = PhAddLayoutItem(&MemoryLayoutManager, GetDlgItem(hwndDlg, IDC_LAYOUT), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); MemoryGraphMargin = graphItem->Margin; SetWindowFont(GetDlgItem(hwndDlg, IDC_TITLE), MemorySection->Parameters->LargeFont, FALSE); SetWindowFont(totalPhysicalLabel, MemorySection->Parameters->MediumFont, FALSE); if (NT_SUCCESS(PhGetPhysicallyInstalledSystemMemory(&InstalledMemory, &ReservedMemory))) { PhSetWindowText(totalPhysicalLabel, PhaConcatStrings2( PhaFormatSize(InstalledMemory, ULONG_MAX)->Buffer, L" installed")->Buffer); } else { PhSetWindowText(totalPhysicalLabel, PhaConcatStrings2( PhaFormatSize(UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages, PAGE_SIZE), ULONG_MAX)->Buffer, L" total")->Buffer); } MemoryPanel = PhCreateDialog(PhInstanceHandle, MAKEINTRESOURCE(IDD_SYSINFO_MEMPANEL), hwndDlg, PhSipMemoryPanelDialogProc, NULL); ShowWindow(MemoryPanel, SW_SHOW); margin = panelItem->Margin; PhGetSizeDpiValue(&margin, MemorySection->Parameters->WindowDpi, TRUE); PhAddLayoutItemEx(&MemoryLayoutManager, MemoryPanel, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM, &margin); PhSipCreateMemoryGraphs(); PhSipUpdateMemoryGraphs(); PhSipUpdateMemoryPanel(); } break; case WM_DESTROY: { PhDeleteLayoutManager(&MemoryLayoutManager); } break; case WM_DPICHANGED_AFTERPARENT: { if (MemorySection->Parameters->LargeFont) { SetWindowFont(GetDlgItem(hwndDlg, IDC_TITLE), MemorySection->Parameters->LargeFont, FALSE); } if (MemorySection->Parameters->MediumFont) { SetWindowFont(GetDlgItem(hwndDlg, IDC_TOTALPHYSICAL), MemorySection->Parameters->MediumFont, FALSE); } CommitGraphState.Valid = FALSE; CommitGraphState.TooltipIndex = ULONG_MAX; PhysicalGraphState.Valid = FALSE; PhysicalGraphState.TooltipIndex = ULONG_MAX; PhLayoutManagerUpdate(&MemoryLayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&MemoryLayoutManager); PhSipLayoutMemoryGraphs(hwndDlg); } break; case WM_SIZE: { CommitGraphState.Valid = FALSE; CommitGraphState.TooltipIndex = ULONG_MAX; PhysicalGraphState.Valid = FALSE; PhysicalGraphState.TooltipIndex = ULONG_MAX; PhLayoutManagerLayout(&MemoryLayoutManager); PhSipLayoutMemoryGraphs(hwndDlg); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } INT_PTR CALLBACK PhSipMemoryPanelDialogProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { NOTHING; } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_MORE: { PhShowMemoryListsDialog(PhSipWindow, PhSipRegisterDialog, PhSipUnregisterDialog); } break; case IDC_EMPTY: { extern VOID PhShowMemoryListCommand(_In_ HWND ParentWindow, _In_ HWND ButtonWindow, _In_ BOOLEAN ShowTopAlign); // memlists.c (dmex); PhShowMemoryListCommand(PhSipWindow, GET_WM_COMMAND_HWND(wParam, lParam), TRUE); } break; } } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhSipCreateMemoryGraphs( VOID ) { PH_GRAPH_CREATEPARAMS graphCreateParams; memset(&graphCreateParams, 0, sizeof(PH_GRAPH_CREATEPARAMS)); graphCreateParams.Size = sizeof(PH_GRAPH_CREATEPARAMS); graphCreateParams.Callback = PhSipNotifyCommitGraph; CommitGraphHandle = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_VISIBLE | WS_CHILD | WS_BORDER, 0, 0, 0, 0, MemoryDialog, NULL, PhInstanceHandle, &graphCreateParams ); Graph_SetTooltip(CommitGraphHandle, TRUE); memset(&graphCreateParams, 0, sizeof(PH_GRAPH_CREATEPARAMS)); graphCreateParams.Size = sizeof(PH_GRAPH_CREATEPARAMS); graphCreateParams.Callback = PhSipNotifyPhysicalGraph; PhysicalGraphHandle = PhCreateWindow( PH_GRAPH_CLASSNAME, NULL, WS_VISIBLE | WS_CHILD | WS_BORDER, 0, 0, 0, 0, MemoryDialog, NULL, PhInstanceHandle, &graphCreateParams ); Graph_SetTooltip(PhysicalGraphHandle, TRUE); } VOID PhSipLayoutMemoryGraphs( _In_ HWND hwnd ) { RECT clientRect; RECT labelRect; RECT marginRect; ULONG graphWidth; ULONG graphHeight; HDWP deferHandle; ULONG y; marginRect = MemoryGraphMargin; PhGetSizeDpiValue(&marginRect, MemorySection->Parameters->WindowDpi, TRUE); if (!PhGetClientRect(MemoryDialog, &clientRect)) return; if (!PhGetClientRect(GetDlgItem(MemoryDialog, IDC_COMMIT_L), &labelRect)) return; graphWidth = clientRect.right - marginRect.left - marginRect.right; graphHeight = (clientRect.bottom - marginRect.top - marginRect.bottom - labelRect.bottom * 2 - MemorySection->Parameters->MemoryPadding * 3) / 2; deferHandle = BeginDeferWindowPos(4); y = marginRect.top; deferHandle = DeferWindowPos( deferHandle, GetDlgItem(MemoryDialog, IDC_COMMIT_L), NULL, marginRect.left, y, 0, 0, SWP_NOSIZE | SWP_NOACTIVATE | SWP_NOZORDER ); y += labelRect.bottom + MemorySection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, CommitGraphHandle, NULL, marginRect.left, y, graphWidth, graphHeight, SWP_NOACTIVATE | SWP_NOZORDER ); y += graphHeight + MemorySection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, GetDlgItem(MemoryDialog, IDC_PHYSICAL_L), NULL, marginRect.left, y, 0, 0, SWP_NOSIZE | SWP_NOACTIVATE | SWP_NOZORDER ); y += labelRect.bottom + MemorySection->Parameters->MemoryPadding; deferHandle = DeferWindowPos( deferHandle, PhysicalGraphHandle, NULL, marginRect.left, y, graphWidth, clientRect.bottom - marginRect.bottom - y, SWP_NOACTIVATE | SWP_NOZORDER ); EndDeferWindowPos(deferHandle); } _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyCommitGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { switch (GraphMessage) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Parameter1; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; ULONG i; drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | (PhCsEnableGraphMaxText ? PH_GRAPH_LABEL_MAX_Y : 0); PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorPrivate, 0, MemorySection->Parameters->WindowDpi); PhGraphStateGetDrawInfo( &CommitGraphState, getDrawInfo, PhCommitHistory.Count ); if (!CommitGraphState.Valid) { if (PhCsEnableAvxSupport) { PhCopyConvertCircularBufferULONG(&PhCommitHistory, CommitGraphState.Data1, drawInfo->LineDataCount); #ifdef DEBUG for (i = 0; i < drawInfo->LineDataCount; i++) { assert(CommitGraphState.Data1[i] == (FLOAT)PhGetItemCircularBuffer_ULONG(&PhCommitHistory, i)); } #endif } else { for (i = 0; i < drawInfo->LineDataCount; i++) { CommitGraphState.Data1[i] = (FLOAT)PhGetItemCircularBuffer_ULONG(&PhCommitHistory, i); } } if (PhPerfInformation.CommitLimit != 0) { // Scale the data. PhDivideSinglesBySingle( CommitGraphState.Data1, (FLOAT)PhPerfInformation.CommitLimit, drawInfo->LineDataCount ); } if (PhCsEnableGraphMaxText) { drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = (FLOAT)UInt32x32To64(PhPerfInformation.CommitLimit, PAGE_SIZE); } CommitGraphState.Valid = TRUE; } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Parameter1; if (getTooltipText->Index < getTooltipText->TotalCount) { if (CommitGraphState.TooltipIndex != getTooltipText->Index) { ULONG usedPages; PH_FORMAT format[3]; usedPages = PhGetItemCircularBuffer_ULONG(&PhCommitHistory, getTooltipText->Index); // Commit charge: %s\n%s //PhInitFormatS(&format[0], L"Commit charge: "); PhInitFormatSize(&format[0], UInt32x32To64(usedPages, PAGE_SIZE)); PhInitFormatC(&format[1], L'\n'); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&CommitGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 128)); } getTooltipText->Text = CommitGraphState.TooltipText->sr; } } break; } return TRUE; } _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PhSipNotifyPhysicalGraph( _In_ HWND GraphHandle, _In_ ULONG GraphMessage, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { switch (GraphMessage) { case GCN_GETDRAWINFO: { PPH_GRAPH_GETDRAWINFO getDrawInfo = (PPH_GRAPH_GETDRAWINFO)Parameter1; PPH_GRAPH_DRAW_INFO drawInfo = getDrawInfo->DrawInfo; ULONG i; drawInfo->Flags = PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y | (PhCsEnableGraphMaxText ? PH_GRAPH_LABEL_MAX_Y : 0); PhSiSetColorsGraphDrawInfo(drawInfo, PhCsColorPhysical, 0, MemorySection->Parameters->WindowDpi); PhGraphStateGetDrawInfo( &PhysicalGraphState, getDrawInfo, PhPhysicalHistory.Count ); if (!PhysicalGraphState.Valid) { if (PhCsEnableAvxSupport) { PhCopyConvertCircularBufferULONG(&PhPhysicalHistory, PhysicalGraphState.Data1, drawInfo->LineDataCount); #ifdef DEBUG for (i = 0; i < drawInfo->LineDataCount; i++) { assert(PhysicalGraphState.Data1[i] == (FLOAT)PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, i)); } #endif } else { for (i = 0; i < drawInfo->LineDataCount; i++) { PhysicalGraphState.Data1[i] = (FLOAT)PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, i); } } if (PhSystemBasicInformation.NumberOfPhysicalPages != 0) { // Scale the data. PhDivideSinglesBySingle( PhysicalGraphState.Data1, (FLOAT)PhSystemBasicInformation.NumberOfPhysicalPages, drawInfo->LineDataCount ); } if (PhCsEnableGraphMaxText) { drawInfo->LabelYFunction = PhSiSizeLabelYFunction; drawInfo->LabelYFunctionParameter = (FLOAT)UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages, PAGE_SIZE); } PhysicalGraphState.Valid = TRUE; } } break; case GCN_GETTOOLTIPTEXT: { PPH_GRAPH_GETTOOLTIPTEXT getTooltipText = (PPH_GRAPH_GETTOOLTIPTEXT)Parameter1; if (getTooltipText->Index < getTooltipText->TotalCount) { if (PhysicalGraphState.TooltipIndex != getTooltipText->Index) { ULONG usedPages; FLOAT currentCompressedMemory; FLOAT totalCompressedMemory; FLOAT totalSavedMemory; usedPages = PhGetItemCircularBuffer_ULONG(&PhPhysicalHistory, getTooltipText->Index); if (PhSipGetMemoryCompressionLimits(¤tCompressedMemory, &totalCompressedMemory, &totalSavedMemory)) { PH_FORMAT format[13]; PhInitFormatS(&format[0], L"Physical memory: "); PhInitFormatSize(&format[1], UInt32x32To64(usedPages, PAGE_SIZE)); PhInitFormatC(&format[2], L'\n'); PhInitFormatS(&format[3], L"Compressed memory: "); PhInitFormatSize(&format[4], (ULONG64)currentCompressedMemory); PhInitFormatC(&format[5], L'\n'); PhInitFormatS(&format[6], L"Total compressed: "); PhInitFormatSize(&format[7], (ULONG64)totalCompressedMemory); PhInitFormatC(&format[8], L'\n'); PhInitFormatS(&format[9], L"Total memory saved: "); PhInitFormatSize(&format[10], (ULONG64)totalSavedMemory); PhInitFormatC(&format[11], L'\n'); PhInitFormatSR(&format[12], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&PhysicalGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } else { PH_FORMAT format[3]; // Physical memory: %s\n%s PhInitFormatSize(&format[0], UInt32x32To64(usedPages, PAGE_SIZE)); PhInitFormatC(&format[1], L'\n'); PhInitFormatSR(&format[2], PH_AUTO_T(PH_STRING, PhGetStatisticsTimeString(NULL, getTooltipText->Index))->sr); PhMoveReference(&PhysicalGraphState.TooltipText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } } getTooltipText->Text = PhysicalGraphState.TooltipText->sr; } } break; } return TRUE; } VOID PhSipUpdateMemoryGraphs( VOID ) { CommitGraphState.Valid = FALSE; CommitGraphState.TooltipIndex = ULONG_MAX; Graph_Update(CommitGraphHandle); PhysicalGraphState.Valid = FALSE; PhysicalGraphState.TooltipIndex = ULONG_MAX; Graph_Update(PhysicalGraphHandle); } VOID PhSipUpdateMemoryPanel( VOID ) { PWSTR pagedLimit; PWSTR nonPagedLimit; SYSTEM_MEMORY_LIST_INFORMATION memoryListInfo; // Hardware if (MemoryTicked == 0) { if (PhGetVirtualStatus() == PhVirtualStatusVirtualMachine) { PhSetDialogItemText(MemoryPanel, IDC_ZMEMSLOTS_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZMEMFORMFACTOR_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZMEMTYPE_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZMEMTECHNOLOGY_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZMEMSPEED_V, L"N/A"); } else { PH_FORMAT format[3]; PCWSTR string; PhInitFormatU(&format[0], MemorySlotsUsed); PhInitFormatS(&format[1], L" of "); PhInitFormatU(&format[2], MemorySlotsTotal); PhSetDialogItemText(MemoryPanel, IDC_ZMEMSLOTS_V, PhaFormat(format, 3, 10)->Buffer); if (PhFindStringSiKeyValuePairs(MemoryFormFactors, sizeof(MemoryFormFactors), MemoryFormFactor, &string)) PhSetDialogItemText(MemoryPanel, IDC_ZMEMFORMFACTOR_V, string); else PhSetDialogItemText(MemoryPanel, IDC_ZMEMFORMFACTOR_V, L"Undefined"); if (PhFindStringSiKeyValuePairs(MemoryTypes, sizeof(MemoryTypes), MemoryType, &string)) PhSetDialogItemText(MemoryPanel, IDC_ZMEMTYPE_V, string); else PhSetDialogItemText(MemoryPanel, IDC_ZMEMTYPE_V, L"Undefined"); if (PhFindStringSiKeyValuePairs(MemoryTechnologies, sizeof(MemoryTechnologies), MemoryTechnology, &string)) PhSetDialogItemText(MemoryPanel, IDC_ZMEMTECHNOLOGY_V, string); else PhSetDialogItemText(MemoryPanel, IDC_ZMEMTECHNOLOGY_V, L"Undefined"); PhInitFormatU(&format[0], MemorySpeed); PhInitFormatS(&format[1], L" MT/s"); PhSetDialogItemText(MemoryPanel, IDC_ZMEMSPEED_V, PhaFormat(format, 2, 10)->Buffer); } } // Commit charge PhSetDialogItemText(MemoryPanel, IDC_ZCOMMITCURRENT_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.CommittedPages, PAGE_SIZE), ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZCOMMITPEAK_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.PeakCommitment, PAGE_SIZE), ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZCOMMITLIMIT_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.CommitLimit, PAGE_SIZE), ULONG_MAX)->Buffer); // Physical memory PhSetDialogItemText(MemoryPanel, IDC_ZPHYSICALCURRENT_V, PhaFormatSize(UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages - PhPerfInformation.AvailablePages, PAGE_SIZE), ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZPHYSICALTOTAL_V, PhaFormatSize(UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages, PAGE_SIZE), ULONG_MAX)->Buffer); if (ReservedMemory != 0) PhSetDialogItemText(MemoryPanel, IDC_ZPHYSICALRESERVED_V, PhaFormatSize(ReservedMemory, ULONG_MAX)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZPHYSICALRESERVED_V, L"-"); PhSetDialogItemText(MemoryPanel, IDC_ZPHYSICALCACHEWS_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.ResidentSystemCachePage, PAGE_SIZE), ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZPHYSICALKERNELWS_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.ResidentSystemCodePage, PAGE_SIZE), ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZPHYSICALDRIVERWS_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.ResidentSystemDriverPage, PAGE_SIZE), ULONG_MAX)->Buffer); // Paged pool PhSetDialogItemText(MemoryPanel, IDC_ZPAGEDWORKINGSET_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.ResidentPagedPoolPage, PAGE_SIZE), ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZPAGEDVIRTUALSIZE_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.PagedPoolPages, PAGE_SIZE), ULONG_MAX)->Buffer); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZPAGEDALLOCSDELTA_V, PhaFormatUInt64(PagedAllocsDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZPAGEDALLOCSDELTA_V, L"-"); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZPAGEDFREESDELTA_V, PhaFormatUInt64(PagedFreesDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZPAGEDFREESDELTA_V, L"-"); // Non-paged pool PhSetDialogItemText(MemoryPanel, IDC_ZNONPAGEDUSAGE_V, PhaFormatSize(UInt32x32To64(PhPerfInformation.NonPagedPoolPages, PAGE_SIZE), ULONG_MAX)->Buffer); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZNONPAGEDALLOCSDELTA_V, PhaFormatUInt64(NonPagedAllocsDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZNONPAGEDALLOCSDELTA_V, L"-"); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZNONPAGEDFREESDELTA_V, PhaFormatUInt64(NonPagedFreesDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZNONPAGEDFREESDELTA_V, L"-"); // Pools if (MmAddressesInitialized) { SIZE_T paged; SIZE_T nonPaged; PhSipGetPoolLimits(&paged, &nonPaged); if (paged != MAXSIZE_T) pagedLimit = PhaFormatSize(paged, ULONG_MAX)->Buffer; else pagedLimit = KsiLevel() ? L"no symbols" : L"no driver"; if (nonPaged != MAXSIZE_T) nonPagedLimit = PhaFormatSize(nonPaged, ULONG_MAX)->Buffer; else nonPagedLimit = L"N/A"; } else { if (KsiLevel()) { pagedLimit = L"no symbols"; nonPagedLimit = L"N/A"; } else { pagedLimit = L"no driver"; nonPagedLimit = L"N/A"; } } PhSetDialogItemText(MemoryPanel, IDC_ZPAGEDLIMIT_V, pagedLimit); PhSetDialogItemText(MemoryPanel, IDC_ZNONPAGEDLIMIT_V, nonPagedLimit); // Paging if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGPAGEFAULTSDELTA_V, PhaFormatUInt64(PageFaultsDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGPAGEFAULTSDELTA_V, L"-"); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGPAGEREADSDELTA_V, PhaFormatUInt64(PageReadsDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGPAGEREADSDELTA_V, L"-"); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGPAGEFILEWRITESDELTA_V, PhaFormatUInt64(PagefileWritesDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGPAGEFILEWRITESDELTA_V, L"-"); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGMAPPEDWRITESDELTA_V, PhaFormatUInt64(MappedWritesDelta.Delta, TRUE)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZPAGINGMAPPEDWRITESDELTA_V, L"-"); // Mapped if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZMAPPEDREADIO, PhaFormatSize(MappedIoReadDelta.Delta, ULONG_MAX)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZMAPPEDREADIO, L"-"); if (MemoryTicked > 1) PhSetDialogItemText(MemoryPanel, IDC_ZMAPPEDWRITEIO, PhaFormatSize(MappedIoWritesDelta.Delta, ULONG_MAX)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZMAPPEDWRITEIO, L"-"); // Memory lists if (NT_SUCCESS(NtQuerySystemInformation( SystemMemoryListInformation, &memoryListInfo, sizeof(SYSTEM_MEMORY_LIST_INFORMATION), NULL ))) { ULONG_PTR standbyPageCount; ULONG_PTR repurposedPageCount; ULONG i; standbyPageCount = 0; repurposedPageCount = 0; for (i = 0; i < 8; i++) { standbyPageCount += memoryListInfo.PageCountByPriority[i]; repurposedPageCount += memoryListInfo.RepurposedPagesByPriority[i]; } PhSetDialogItemText(MemoryPanel, IDC_ZLISTZEROED_V, PhaFormatSize((ULONG64)memoryListInfo.ZeroPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTFREE_V, PhaFormatSize((ULONG64)memoryListInfo.FreePageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTMODIFIED_V, PhaFormatSize((ULONG64)memoryListInfo.ModifiedPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTMODIFIEDNOWRITE_V, PhaFormatSize((ULONG64)memoryListInfo.ModifiedNoWritePageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY_V, PhaFormatSize((ULONG64)standbyPageCount * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY0_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[0] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY1_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[1] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY2_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[2] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY3_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[3] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY4_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[4] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY5_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[5] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY6_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[6] * PAGE_SIZE, ULONG_MAX)->Buffer); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY7_V, PhaFormatSize((ULONG64)memoryListInfo.PageCountByPriority[7] * PAGE_SIZE, ULONG_MAX)->Buffer); if (WindowsVersion >= WINDOWS_8) PhSetDialogItemText(MemoryPanel, IDC_ZLISTMODIFIEDPAGEFILE_V, PhaFormatSize((ULONG64)memoryListInfo.ModifiedPageCountPageFile * PAGE_SIZE, ULONG_MAX)->Buffer); else PhSetDialogItemText(MemoryPanel, IDC_ZLISTMODIFIEDPAGEFILE_V, L"N/A"); } else { PhSetDialogItemText(MemoryPanel, IDC_ZLISTZEROED_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTFREE_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTMODIFIED_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTMODIFIEDNOWRITE_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTMODIFIEDPAGEFILE_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY0_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY1_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY2_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY3_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY4_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY5_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY6_V, L"N/A"); PhSetDialogItemText(MemoryPanel, IDC_ZLISTSTANDBY7_V, L"N/A"); } } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhSipLoadMmAddresses( _In_ PVOID Parameter ) { PPH_STRING kernelFileName; PVOID kernelImageBase; ULONG kernelImageSize; PPH_SYMBOL_PROVIDER symbolProvider; PH_SYMBOL_INFORMATION symbolInfo; if (NT_SUCCESS(PhGetKernelFileNameEx(&kernelFileName, &kernelImageBase, &kernelImageSize))) { symbolProvider = PhCreateSymbolProvider(NULL); PhLoadSymbolProviderOptions(symbolProvider); PhLoadModuleSymbolProvider( symbolProvider, kernelFileName, kernelImageBase, kernelImageSize ); if (PhGetSymbolFromName( symbolProvider, L"MmSizeOfPagedPoolInBytes", &symbolInfo )) { MmSizeOfPagedPoolInBytes = (PSIZE_T)symbolInfo.Address; } if (WindowsVersion < WINDOWS_8) { if (PhGetSymbolFromName( symbolProvider, L"MmMaximumNonPagedPoolInBytes", &symbolInfo )) { MmMaximumNonPagedPoolInBytes = (PSIZE_T)symbolInfo.Address; } } PhDereferenceObject(symbolProvider); PhDereferenceObject(kernelFileName); } return STATUS_SUCCESS; } VOID PhSipGetPoolLimits( _Out_ PSIZE_T Paged, _Out_ PSIZE_T NonPaged ) { SIZE_T paged = MAXSIZE_T; SIZE_T nonPaged = MAXSIZE_T; if (MmSizeOfPagedPoolInBytes && (KsiLevel() >= KphLevelMed)) { KphReadVirtualMemory( NtCurrentProcess(), MmSizeOfPagedPoolInBytes, &paged, sizeof(SIZE_T), NULL ); } if (WindowsVersion >= WINDOWS_8) { // The maximum nonpaged pool size was fixed on Windows 8 and above? The kernel does use // a function named MmGetMaximumNonPagedPoolInBytes() but it's not exported. We return // the fixed limit value from the documentation here similar to MS tools. (dmex) // https://learn.microsoft.com/en-us/windows/win32/memory/memory-limits-for-windows-releases#memory-and-address-space-limits // // Windows 8.1 and Windows Server 2012 R2: RAM or 16 TB, whichever is smaller: if (UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages, PAGE_SIZE) <= 16ULL * 1024ULL * 1024ULL * 1024ULL) { nonPaged = UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages, PAGE_SIZE); } else { nonPaged = (SIZE_T)(16ULL * 1024ULL * 1024ULL * 1024ULL); } } else if (WindowsVersion < WINDOWS_8 && MmMaximumNonPagedPoolInBytes && (KsiLevel() >= KphLevelMed)) { KphReadVirtualMemory( NtCurrentProcess(), MmMaximumNonPagedPoolInBytes, &nonPaged, sizeof(SIZE_T), NULL ); } *Paged = paged; *NonPaged = nonPaged; } _Success_(return) BOOLEAN PhSipGetMemoryCompressionLimits( _Out_ FLOAT *CurrentCompressedMemory, _Out_ FLOAT *TotalCompressedMemory, _Out_ FLOAT *TotalSavedMemory ) { PH_SYSTEM_STORE_COMPRESSION_INFORMATION compressionInfo; FLOAT current; FLOAT total; FLOAT saved; if (!NT_SUCCESS(PhGetSystemCompressionStoreInformation(&compressionInfo))) return FALSE; if (!(compressionInfo.TotalDataCompressed && compressionInfo.TotalCompressedSize)) return FALSE; current = (FLOAT)compressionInfo.WorkingSetSize / (FLOAT)(1024 * 1024); total = current * (FLOAT)compressionInfo.TotalDataCompressed / (FLOAT)compressionInfo.TotalCompressedSize; saved = total - current; *CurrentCompressedMemory = current * 1024 * 1024; *TotalCompressedMemory = total * 1024 * 1024; *TotalSavedMemory = saved * 1024 * 1024; return TRUE; } ================================================ FILE: SystemInformer/thrdlist.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2012 * dmex 2018-2023 * */ #include #include #include #include #include #include #include #include #include #include #include _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpThreadNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpThreadNodeHashtableHashFunction( _In_ PVOID Entry ); VOID PhpDestroyThreadNode( _In_ PPH_THREAD_NODE ThreadNode ); VOID PhpRemoveThreadNode( _In_ PPH_THREAD_NODE ThreadNode, _In_ PPH_THREAD_LIST_CONTEXT Context ); _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpThreadTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ); BOOLEAN NTAPI PhpThreadTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); PPH_STRING PhGetApartmentTypeString( _In_ PPH_APARTMENT_INFO ApartmentInfo ); PPH_STRING PhGetApartmentFlagsString( _In_ ULONG ApartmentState ); VOID PhInitializeThreadList( _In_ HWND ParentWindowHandle, _In_ HWND TreeNewHandle, _Out_ PPH_THREAD_LIST_CONTEXT Context ) { memset(Context, 0, sizeof(PH_THREAD_LIST_CONTEXT)); Context->EnableStateHighlighting = TRUE; Context->NodeHashtable = PhCreateHashtable( sizeof(PPH_THREAD_NODE), PhpThreadNodeHashtableEqualFunction, PhpThreadNodeHashtableHashFunction, 100 ); Context->NodeList = PhCreateList(100); Context->ParentWindowHandle = ParentWindowHandle; Context->TreeNewHandle = TreeNewHandle; PhSetControlTheme(TreeNewHandle, L"explorer"); TreeNew_SetRedraw(TreeNewHandle, FALSE); TreeNew_SetCallback(TreeNewHandle, PhpThreadTreeNewCallback, Context); // Default columns PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_TID, TRUE, L"TID", 50, PH_ALIGN_RIGHT, 0, DT_RIGHT); PhAddTreeNewColumnEx(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CPU, TRUE, L"CPU", 45, PH_ALIGN_RIGHT, 1, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CYCLESDELTA, TRUE, L"Cycles delta", 80, PH_ALIGN_RIGHT, 2, DT_RIGHT, TRUE); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_STARTADDRESSWIN32, TRUE, L"Start address (Win32)", 180, PH_ALIGN_LEFT, 3, 0); PhAddTreeNewColumnEx(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_PRIORITYSYMBOLIC, TRUE, L"Priority (symbolic)", 80, PH_ALIGN_LEFT, 4, 0, TRUE); // Available columns PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_SERVICE, FALSE, L"Service", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_NAME, FALSE, L"Name", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_STARTED, FALSE, L"Created", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_STARTMODULE, FALSE, L"Start module", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CONTEXTSWITCHES, FALSE, L"Context switches", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CONTEXTSWITCHESDELTA, FALSE, L"Context switches delta", 100, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_PRIORITY, FALSE, L"Priority", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_BASEPRIORITY, FALSE, L"Base priority", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_PAGEPRIORITY, FALSE, L"Page priority", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IOPRIORITY, FALSE, L"I/O priority", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CYCLES, FALSE, L"Cycles", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_STATE, FALSE, L"State", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_KERNELTIME, FALSE, L"Kernel time", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_USERTIME, FALSE, L"User time", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IDEALPROCESSOR, FALSE, L"Ideal processor", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CRITICAL, FALSE, L"Critical", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_TIDHEX, FALSE, L"TID (hex)", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT); PhAddTreeNewColumnEx(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CPUCORECYCLES, FALSE, L"CPU (relative)", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_TOKEN_STATE, FALSE, L"Impersonation", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_PENDINGIRP, FALSE, L"Pending IRP", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_LASTSYSTEMCALL, FALSE, L"Last system call", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_LASTSTATUSCODE, FALSE, L"Last status code", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx2(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_TIMELINE, FALSE, L"Timeline", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_APARTMENTTYPE, FALSE, L"COM apartment", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_APARTMENTFLAGS, FALSE, L"COM flags", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_FIBER, FALSE, L"Fiber", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_PRIORITYBOOST, FALSE, L"Priority boost", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumnEx(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CPUUSER, FALSE, L"CPU (user)", 50, PH_ALIGN_LEFT, ULONG_MAX, DT_RIGHT, TRUE); PhAddTreeNewColumnEx(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CPUKERNEL, FALSE, L"CPU (kernel)", 50, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT, TRUE); //PhAddTreeNewColumnEx2(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CPUHISTORY, FALSE, L"CPU history", 100, PH_ALIGN_LEFT, ULONG_MAX, 0, TN_COLUMN_FLAG_CUSTOMDRAW | TN_COLUMN_FLAG_SORTDESCENDING); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_STACKUSAGE, FALSE, L"Stack usage", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_WAITTIME, FALSE, L"Wait time", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IOREADS, FALSE, L"I/O reads", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IOWRITES, FALSE, L"I/O writes", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IOOTHER, FALSE, L"I/O other", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IOREADBYTES, FALSE, L"I/O read bytes", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IOWRITEBYTES, FALSE, L"I/O write bytes", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_IOOTHERBYTES, FALSE, L"I/O other bytes", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_LXSSTID, FALSE, L"TID (LXSS)", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_POWERTHROTTLING, FALSE, L"Power throttling", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); //PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CONTAINERID, FALSE, L"Container ID", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_STARTADDRESS, FALSE, L"Start address (Native)", 180, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_KSTACKUSAGE, FALSE, L"Kernel stack usage", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_RPC, FALSE, L"RPC usage", 50, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_ACTUALBASEPRIORITY, FALSE, L"Base priority (actual)", 80, PH_ALIGN_LEFT, ULONG_MAX, 0); PhCmInitializeManager(&Context->Cm, TreeNewHandle, PH_THREAD_TREELIST_COLUMN_MAXIMUM, PhpThreadTreeNewPostSortFunction); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, Context->TreeNewHandle, Context->NodeList); TreeNew_SetSort(TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CYCLESDELTA, DescendingSortOrder); TreeNew_SetTriState(TreeNewHandle, TRUE); TreeNew_SetRedraw(TreeNewHandle, TRUE); } VOID PhDeleteThreadList( _In_ PPH_THREAD_LIST_CONTEXT Context ) { ULONG i; PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); PhCmDeleteManager(&Context->Cm); for (i = 0; i < Context->NodeList->Count; i++) PhpDestroyThreadNode(Context->NodeList->Items[i]); PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpThreadNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_THREAD_NODE threadNode1 = *(PPH_THREAD_NODE *)Entry1; PPH_THREAD_NODE threadNode2 = *(PPH_THREAD_NODE *)Entry2; return threadNode1->ThreadId == threadNode2->ThreadId; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpThreadNodeHashtableHashFunction( _In_ PVOID Entry ) { return HandleToUlong((*(PPH_THREAD_NODE *)Entry)->ThreadId) / 4; } VOID PhLoadSettingsThreadList( _Inout_ PPH_THREAD_LIST_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; PH_TREENEW_COLUMN column; ULONG sortColumn; PH_SORT_ORDER sortOrder; settings = PhGetStringSetting(SETTING_THREAD_TREE_LIST_COLUMNS); sortSettings = PhGetStringSetting(SETTING_THREAD_TREE_LIST_SORT); Context->Flags = PhGetIntegerSetting(SETTING_THREAD_TREE_LIST_FLAGS); PhCmLoadSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &settings->sr, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); TreeNew_GetSort(Context->TreeNewHandle, &sortColumn, &sortOrder); // Make sure we're not sorting by an invisible column. if (sortOrder != NoSortOrder && !(TreeNew_GetColumn(Context->TreeNewHandle, sortColumn, &column) && column.Visible)) { TreeNew_SetSort(Context->TreeNewHandle, PH_THREAD_TREELIST_COLUMN_CYCLESDELTA, DescendingSortOrder); } } VOID PhSaveSettingsThreadList( _Inout_ PPH_THREAD_LIST_CONTEXT Context ) { PPH_STRING settings; PPH_STRING sortSettings; settings = PhCmSaveSettingsEx(Context->TreeNewHandle, &Context->Cm, 0, &sortSettings); PhSetIntegerSetting(SETTING_THREAD_TREE_LIST_FLAGS, Context->Flags); PhSetStringSetting2(SETTING_THREAD_TREE_LIST_COLUMNS, &settings->sr); PhSetStringSetting2(SETTING_THREAD_TREE_LIST_SORT, &sortSettings->sr); PhDereferenceObject(settings); PhDereferenceObject(sortSettings); } VOID PhSetOptionsThreadList( _Inout_ PPH_THREAD_LIST_CONTEXT Context, _In_ ULONG Options ) { switch (Options) { case PH_THREAD_TREELIST_MENUITEM_HIDE_SUSPENDED: Context->HideSuspended = !Context->HideSuspended; break; case PH_THREAD_TREELIST_MENUITEM_HIDE_GUITHREADS: Context->HideGuiThreads = !Context->HideGuiThreads; break; case PH_THREAD_TREELIST_MENUITEM_HIGHLIGHT_SUSPENDED: Context->HighlightSuspended = !Context->HighlightSuspended; break; case PH_THREAD_TREELIST_MENUITEM_HIGHLIGHT_GUITHREADS: Context->HighlightGuiThreads = !Context->HighlightGuiThreads; break; } } PPH_THREAD_NODE PhAddThreadNode( _Inout_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_ITEM ThreadItem, _In_ BOOLEAN FirstRun ) { PPH_THREAD_NODE threadNode; threadNode = PhAllocate(PhEmGetObjectSize(EmThreadNodeType, sizeof(PH_THREAD_NODE))); memset(threadNode, 0, sizeof(PH_THREAD_NODE)); PhInitializeTreeNewNode(&threadNode->Node); if (Context->EnableStateHighlighting && !FirstRun) { PhChangeShStateTn( &threadNode->Node, &threadNode->ShState, &Context->NodeStateList, NewItemState, PhCsColorNew, NULL ); } PhReferenceObject(ThreadItem); threadNode->ThreadId = ThreadItem->ThreadId; threadNode->ThreadItem = ThreadItem; threadNode->PagePriority = MEMORY_PRIORITY_NORMAL + 1; threadNode->IoPriority = MaxIoPriorityTypes; memset(threadNode->TextCache, 0, sizeof(PH_STRINGREF) * PH_THREAD_TREELIST_COLUMN_MAXIMUM); threadNode->Node.TextCache = threadNode->TextCache; threadNode->Node.TextCacheSize = PH_THREAD_TREELIST_COLUMN_MAXIMUM; PhAddEntryHashtable(Context->NodeHashtable, &threadNode); PhAddItemList(Context->NodeList, threadNode); PhEmCallObjectOperation(EmThreadNodeType, threadNode, EmObjectCreate); TreeNew_NodesStructured(Context->TreeNewHandle); return threadNode; } PPH_THREAD_NODE PhFindThreadNode( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ HANDLE ThreadId ) { PH_THREAD_NODE lookupThreadNode; PPH_THREAD_NODE lookupThreadNodePtr = &lookupThreadNode; PPH_THREAD_NODE *threadNode; lookupThreadNode.ThreadId = ThreadId; threadNode = (PPH_THREAD_NODE *)PhFindEntryHashtable( Context->NodeHashtable, &lookupThreadNodePtr ); if (threadNode) return *threadNode; else return NULL; } VOID PhRemoveThreadNode( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { // Remove from the hashtable here to avoid problems in case the key is re-used. PhRemoveEntryHashtable(Context->NodeHashtable, &ThreadNode); if (Context->EnableStateHighlighting) { PhChangeShStateTn( &ThreadNode->Node, &ThreadNode->ShState, &Context->NodeStateList, RemovingItemState, PhCsColorRemoved, Context->TreeNewHandle ); } else { PhpRemoveThreadNode(ThreadNode, Context); } } VOID PhpDestroyThreadNode( _In_ PPH_THREAD_NODE ThreadNode ) { PhEmCallObjectOperation(EmThreadNodeType, ThreadNode, EmObjectDelete); if (ThreadNode->CyclesDeltaText) PhDereferenceObject(ThreadNode->CyclesDeltaText); if (ThreadNode->ContextSwitchesDeltaText) PhDereferenceObject(ThreadNode->ContextSwitchesDeltaText); if (ThreadNode->StartAddressText) PhDereferenceObject(ThreadNode->StartAddressText); if (ThreadNode->CreatedText) PhDereferenceObject(ThreadNode->CreatedText); if (ThreadNode->NameText) PhDereferenceObject(ThreadNode->NameText); if (ThreadNode->StateText) PhDereferenceObject(ThreadNode->StateText); if (ThreadNode->LastSystemCallText) PhDereferenceObject(ThreadNode->LastSystemCallText); if (ThreadNode->LastErrorCodeText) PhDereferenceObject(ThreadNode->LastErrorCodeText); if (ThreadNode->ApartmentTypeText) PhDereferenceObject(ThreadNode->ApartmentTypeText); if (ThreadNode->ApartmentFlagsText) PhDereferenceObject(ThreadNode->ApartmentFlagsText); if (ThreadNode->StackUsageText) PhDereferenceObject(ThreadNode->StackUsageText); if (ThreadNode->KernelStackUsageText) PhDereferenceObject(ThreadNode->KernelStackUsageText); if (ThreadNode->KernelTimeText) PhDereferenceObject(ThreadNode->KernelTimeText); if (ThreadNode->UserTimeText) PhDereferenceObject(ThreadNode->UserTimeText); if (ThreadNode->WaitTimeText) PhDereferenceObject(ThreadNode->WaitTimeText); if (ThreadNode->IoReads) PhDereferenceObject(ThreadNode->IoReads); if (ThreadNode->IoWrites) PhDereferenceObject(ThreadNode->IoWrites); if (ThreadNode->IoOther) PhDereferenceObject(ThreadNode->IoOther); if (ThreadNode->IoReadBytes) PhDereferenceObject(ThreadNode->IoReadBytes); if (ThreadNode->IoWriteBytes) PhDereferenceObject(ThreadNode->IoWriteBytes); if (ThreadNode->IoOtherBytes) PhDereferenceObject(ThreadNode->IoOtherBytes); if (ThreadNode->ThreadContextHandle) NtClose(ThreadNode->ThreadContextHandle); if (ThreadNode->ThreadReadVmHandle) NtClose(ThreadNode->ThreadReadVmHandle); PhDereferenceObject(ThreadNode->ThreadItem); PhFree(ThreadNode); } VOID PhpRemoveThreadNode( _In_ PPH_THREAD_NODE ThreadNode, _In_ PPH_THREAD_LIST_CONTEXT Context // PH_TICK_SH_STATE requires this parameter to be after ThreadNode ) { ULONG index; // Remove from list and cleanup. if ((index = PhFindItemList(Context->NodeList, ThreadNode)) != ULONG_MAX) PhRemoveItemList(Context->NodeList, index); PhpDestroyThreadNode(ThreadNode); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhUpdateThreadNode( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { memset(ThreadNode->TextCache, 0, sizeof(PH_STRINGREF) * PH_THREAD_TREELIST_COLUMN_MAXIMUM); ThreadNode->ValidMask = 0; PhInvalidateTreeNewNode(&ThreadNode->Node, TN_CACHE_COLOR); TreeNew_InvalidateNode(Context->TreeNewHandle, &ThreadNode->Node); } VOID PhTickThreadNodes( _In_ PPH_THREAD_LIST_CONTEXT Context ) { // Text invalidation, node updates for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_THREAD_NODE node = Context->NodeList->Items[i]; // The TID never changes, so we don't invalidate that. memset(&node->TextCache[1], 0, sizeof(PH_STRINGREF) * (PH_THREAD_TREELIST_COLUMN_MAXIMUM - 1)); node->ValidMask = 0; // Items that always remain valid } if (Context->TreeNewSortOrder != NoSortOrder) { // Force a rebuild to sort the items. TreeNew_NodesStructured(Context->TreeNewHandle); } // State highlighting PH_TICK_SH_STATE_TN(PH_THREAD_NODE, ShState, Context->NodeStateList, PhpRemoveThreadNode, PhCsHighlightingDuration, Context->TreeNewHandle, TRUE, NULL, Context); } VOID PhpUpdateThreadNodeNameText( _In_ PPH_THREAD_NODE ThreadNode ) { PhClearReference(&ThreadNode->NameText); if (WindowsVersion >= WINDOWS_10_RS1 && ThreadNode->ThreadItem->ThreadHandle) { PPH_STRING threadName; if (NT_SUCCESS(PhGetThreadName(ThreadNode->ThreadItem->ThreadHandle, &threadName))) { PhMoveReference(&ThreadNode->NameText, threadName); } } } VOID PhpUpdateThreadNodeStartedText( _In_ PPH_THREAD_NODE ThreadNode ) { SYSTEMTIME time; PhLargeIntegerToLocalSystemTime(&time, &ThreadNode->ThreadItem->CreateTime); PhMoveReference(&ThreadNode->CreatedText, PhFormatDateTime(&time)); } VOID PhpUpdateThreadNodePagePriority( _In_ PPH_THREAD_NODE ThreadNode ) { ULONG pagePriorityInteger = MEMORY_PRIORITY_NORMAL + 1; ThreadNode->PagePriority = ULONG_MAX; if (ThreadNode->ThreadItem->ThreadHandle) { if (NT_SUCCESS(PhGetThreadPagePriority(ThreadNode->ThreadItem->ThreadHandle, &pagePriorityInteger)) && pagePriorityInteger <= MEMORY_PRIORITY_NORMAL) { ThreadNode->PagePriority = pagePriorityInteger; } } } VOID PhpUpdateThreadNodeIoPriority( _In_ PPH_THREAD_NODE ThreadNode ) { IO_PRIORITY_HINT ioPriorityInteger = MaxIoPriorityTypes; ThreadNode->IoPriority = ULONG_MAX; if (ThreadNode->ThreadItem->ThreadHandle) { if (NT_SUCCESS(PhGetThreadIoPriority(ThreadNode->ThreadItem->ThreadHandle, &ioPriorityInteger)) && ioPriorityInteger <= MaxIoPriorityTypes) { ThreadNode->IoPriority = ioPriorityInteger; } } } VOID PhpUpdateThreadNodeSuspendCount( _In_ PPH_THREAD_NODE ThreadNode ) { ULONG suspendCount = 0; if (ThreadNode->ThreadItem->ThreadHandle) { if (ThreadNode->ThreadItem->WaitReason == Suspended) { PhGetThreadSuspendCount(ThreadNode->ThreadItem->ThreadHandle, &suspendCount); } } ThreadNode->SuspendCount = suspendCount; } VOID PhpUpdateThreadNodeIdealProcessor( _In_ PPH_THREAD_NODE ThreadNode ) { PROCESSOR_NUMBER idealProcessorNumber; ThreadNode->IdealProcessorMask = 0; if (ThreadNode->ThreadItem->ThreadHandle) { if (NT_SUCCESS(PhGetThreadIdealProcessor(ThreadNode->ThreadItem->ThreadHandle, &idealProcessorNumber))) { ThreadNode->IdealProcessorMask = MAKELONG(idealProcessorNumber.Number, idealProcessorNumber.Group); } } } VOID PhpUpdateThreadNodeBreakOnTermination( _In_ PPH_THREAD_NODE ThreadNode ) { BOOLEAN breakOnTermination = FALSE; if (ThreadNode->ThreadItem->ThreadHandle) { PhGetThreadBreakOnTermination(ThreadNode->ThreadItem->ThreadHandle, &breakOnTermination); } ThreadNode->BreakOnTermination = breakOnTermination; } VOID PhpUpdateThreadNodeTokenState( _In_ PPH_THREAD_NODE ThreadNode ) { PH_THREAD_TOKEN_STATE tokenState = PH_THREAD_TOKEN_STATE_UNKNOWN; if (ThreadNode->ThreadItem->ThreadHandle) { NTSTATUS status; HANDLE tokenHandle; // Since the system must verify that the thread is impersonating before it can perform // an access check on the target token, we can reliably determine the token's presence // even if we fail the subsequent access check. (diversenok) status = PhOpenThreadToken(ThreadNode->ThreadItem->ThreadHandle, 0, TRUE, &tokenHandle); if (status == STATUS_NO_TOKEN) { tokenState = PH_THREAD_TOKEN_STATE_NOT_PRESENT; } else if (status == STATUS_CANT_OPEN_ANONYMOUS) { tokenState = PH_THREAD_TOKEN_STATE_ANONYMOUS; } else { tokenState = PH_THREAD_TOKEN_STATE_PRESENT; } if (NT_SUCCESS(status)) NtClose(tokenHandle); } ThreadNode->TokenState = tokenState; } VOID PhpUpdateThreadNodeIoPending( _In_ PPH_THREAD_NODE ThreadNode ) { BOOLEAN pendingIrp = FALSE; if (ThreadNode->ThreadItem->ThreadHandle) { PhGetThreadIsIoPending(ThreadNode->ThreadItem->ThreadHandle, &pendingIrp); } ThreadNode->PendingIrp = pendingIrp; } VOID PhpUpdateThreadNodeLastSystemCall( _In_ PPH_THREAD_NODE ThreadNode ) { if (!ThreadNode->ThreadContextHandleValid) { if (!ThreadNode->ThreadContextHandle) { HANDLE threadHandle; if (NT_SUCCESS(PhOpenThread( &threadHandle, THREAD_GET_CONTEXT, ThreadNode->ThreadId ))) { ThreadNode->ThreadContextHandle = threadHandle; } } ThreadNode->ThreadContextHandleValid = TRUE; } RtlZeroMemory(&ThreadNode->LastSystemCall, sizeof(THREAD_LAST_SYSCALL_INFORMATION)); if (ThreadNode->ThreadContextHandle) { GUID containerId; PhGetThreadContainerId(ThreadNode->ThreadContextHandle, &containerId); ThreadNode->LastSystemCallStatus = PhGetThreadLastSystemCall( ThreadNode->ThreadContextHandle, &ThreadNode->LastSystemCall ); } else { ThreadNode->LastSystemCallStatus = STATUS_SUCCESS; } } VOID PhpUpdateThreadNodeLastStatusCode( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { NTSTATUS lastStatusValue = STATUS_SUCCESS; if (!ThreadNode->ThreadReadVmHandleValid) { if (!ThreadNode->ThreadReadVmHandle) { if (ThreadNode->ThreadItem->ThreadHandle) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_VM_READ | (WindowsVersion > WINDOWS_7 ? PROCESS_QUERY_LIMITED_INFORMATION : PROCESS_QUERY_INFORMATION), Context->ProcessId ))) { ThreadNode->ThreadReadVmHandle = processHandle; } } } ThreadNode->ThreadReadVmHandleValid = TRUE; } if (ThreadNode->ThreadItem->ThreadHandle && ThreadNode->ThreadReadVmHandle) { ThreadNode->LastStatusQueryStatus = PhGetThreadLastStatusValue( ThreadNode->ThreadItem->ThreadHandle, ThreadNode->ThreadReadVmHandle, &lastStatusValue ); if (NT_SUCCESS(ThreadNode->LastStatusQueryStatus)) { ThreadNode->LastStatusValue = lastStatusValue; } } } VOID PhpUpdateThreadNodeApartmentState( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { NTSTATUS status = STATUS_UNSUCCESSFUL; PH_APARTMENT_INFO apartmentInfo; if (!ThreadNode->ThreadReadVmHandleValid) { if (!ThreadNode->ThreadReadVmHandle) { if (ThreadNode->ThreadItem->ThreadHandle) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_VM_READ | (WindowsVersion > WINDOWS_7 ? PROCESS_QUERY_LIMITED_INFORMATION : PROCESS_QUERY_INFORMATION), Context->ProcessId ))) { ThreadNode->ThreadReadVmHandle = processHandle; } } } ThreadNode->ThreadReadVmHandleValid = TRUE; } if (ThreadNode->ThreadItem->ThreadHandle && ThreadNode->ThreadReadVmHandle) { status = PhGetThreadApartment( ThreadNode->ThreadItem->ThreadHandle, ThreadNode->ThreadReadVmHandle, &apartmentInfo ); } if (NT_SUCCESS(status)) { ThreadNode->ApartmentInfo = apartmentInfo; } else { RtlZeroMemory(&ThreadNode->ApartmentInfo, sizeof(PH_APARTMENT_INFO)); } } VOID PhpUpdateThreadNodeRpc( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { NTSTATUS status = STATUS_UNSUCCESSFUL; BOOLEAN hasRpcState = FALSE; if (!ThreadNode->ThreadReadVmHandleValid) { if (!ThreadNode->ThreadReadVmHandle) { if (ThreadNode->ThreadItem->ThreadHandle) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_VM_READ | (WindowsVersion > WINDOWS_7 ? PROCESS_QUERY_LIMITED_INFORMATION : PROCESS_QUERY_INFORMATION), Context->ProcessId ))) { ThreadNode->ThreadReadVmHandle = processHandle; } } } ThreadNode->ThreadReadVmHandleValid = TRUE; } if (ThreadNode->ThreadItem->ThreadHandle && ThreadNode->ThreadReadVmHandle) { status = PhGetThreadRpcState( ThreadNode->ThreadItem->ThreadHandle, ThreadNode->ThreadReadVmHandle, &hasRpcState ); } ThreadNode->HasRpcState = NT_SUCCESS(status) && hasRpcState; } VOID PhpUpdateThreadNodeFiber( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { BOOLEAN threadIsFiber = FALSE; if (!ThreadNode->ThreadReadVmHandleValid) { if (!ThreadNode->ThreadReadVmHandle) { if (ThreadNode->ThreadItem->ThreadHandle) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_VM_READ | (WindowsVersion > WINDOWS_7 ? PROCESS_QUERY_LIMITED_INFORMATION : PROCESS_QUERY_INFORMATION), Context->ProcessId ))) { ThreadNode->ThreadReadVmHandle = processHandle; } } } ThreadNode->ThreadReadVmHandleValid = TRUE; } if (ThreadNode->ThreadItem->ThreadHandle && ThreadNode->ThreadReadVmHandle) { PhGetThreadIsFiber( ThreadNode->ThreadItem->ThreadHandle, ThreadNode->ThreadReadVmHandle, &threadIsFiber ); } ThreadNode->Fiber = threadIsFiber; } VOID PhpUpdateThreadNodePriorityBoost( _In_ PPH_THREAD_NODE ThreadNode ) { BOOLEAN priorityBoost = FALSE; if (ThreadNode->ThreadItem->ThreadHandle) { PhGetThreadPriorityBoost(ThreadNode->ThreadItem->ThreadHandle, &priorityBoost); } ThreadNode->PriorityBoost = priorityBoost; } VOID PhpUpdateThreadNodeStackUsage( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { NTSTATUS status = STATUS_UNSUCCESSFUL; ULONG_PTR stackUsage = 0; ULONG_PTR stackLimit = 0; if (!ThreadNode->ThreadReadVmHandleValid) { if (!ThreadNode->ThreadReadVmHandle) { if (ThreadNode->ThreadItem->ThreadHandle) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_VM_READ | (WindowsVersion > WINDOWS_7 ? PROCESS_QUERY_LIMITED_INFORMATION : PROCESS_QUERY_INFORMATION), Context->ProcessId ))) { ThreadNode->ThreadReadVmHandle = processHandle; } } } ThreadNode->ThreadReadVmHandleValid = TRUE; } if (ThreadNode->ThreadItem->ThreadHandle && ThreadNode->ThreadReadVmHandle) { status = PhGetThreadStackSize( ThreadNode->ThreadItem->ThreadHandle, ThreadNode->ThreadReadVmHandle, &stackUsage, &stackLimit ); } if (NT_SUCCESS(status) && stackUsage && stackLimit) { FLOAT percent = (FLOAT)stackUsage / stackLimit * 100; ThreadNode->StackUsageFloat = percent; ThreadNode->StackUsage = stackUsage; ThreadNode->StackLimit = stackLimit; } else { ThreadNode->StackUsageFloat = 0; ThreadNode->StackUsage = 0; ThreadNode->StackLimit = 0; } } VOID PhpUpdateThreadNodeKernelStackSize( _In_ PPH_THREAD_LIST_CONTEXT Context, _In_ PPH_THREAD_NODE ThreadNode ) { NTSTATUS status = STATUS_UNSUCCESSFUL; KPH_KERNEL_STACK_INFORMATION info; // This is imperfect because the KernelStack is infrequently updated by the kernel (happens on // context swaps). Additionally, the space between InitialStack and first stack usage is not // accounted for. But generally this is a good enough representation of the kernel stack usage. // (jxy-s) if (ThreadNode->ThreadItem->ThreadHandle && KsiLevel() == KphLevelMax) { status = KphQueryInformationThread( ThreadNode->ThreadItem->ThreadHandle, KphThreadKernelStackInformation, &info, sizeof(info), NULL ); } if (NT_SUCCESS(status)) { ULONG_PTR stackUsage = (ULONG_PTR)PTR_SUB_OFFSET(info.InitialStack, info.KernelStack); ULONG_PTR stackLimit = (ULONG_PTR)PTR_SUB_OFFSET(info.StackBase, info.StackLimit); FLOAT percent = (FLOAT)stackUsage / stackLimit * 100; ThreadNode->KernelStackUsageFloat = percent; ThreadNode->KernelStackUsage = stackUsage; ThreadNode->KernelStackLimit = stackLimit; } else { ThreadNode->KernelStackUsageFloat = 0; ThreadNode->KernelStackUsage = 0; ThreadNode->KernelStackLimit = 0; } } #define SORT_FUNCTION(Column) PhpThreadTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpThreadTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_THREAD_LIST_CONTEXT context = (PPH_THREAD_LIST_CONTEXT)_context; \ PPH_THREAD_NODE node1 = *(PPH_THREAD_NODE *)_elem1; \ PPH_THREAD_NODE node2 = *(PPH_THREAD_NODE *)_elem2; \ PPH_THREAD_ITEM threadItem1 = node1->ThreadItem; \ PPH_THREAD_ITEM threadItem2 = node2->ThreadItem; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->ThreadId, (ULONG_PTR)node2->ThreadId); \ \ return PhModifySort(sortResult, context->TreeNewSortOrder); \ } _Function_class_(PH_CM_POST_SORT_FUNCTION) LONG PhpThreadTreeNewPostSortFunction( _In_ LONG Result, _In_ PVOID Node1, _In_ PVOID Node2, _In_ PH_SORT_ORDER SortOrder ) { if (Result == 0) Result = uintptrcmp((ULONG_PTR)((PPH_THREAD_NODE)Node1)->ThreadId, (ULONG_PTR)((PPH_THREAD_NODE)Node2)->ThreadId); return PhModifySort(Result, SortOrder); } BEGIN_SORT_FUNCTION(Tid) { sortResult = uintptrcmp((ULONG_PTR)node1->ThreadId, (ULONG_PTR)node2->ThreadId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Cpu) { sortResult = singlecmp(threadItem1->CpuUsage, threadItem2->CpuUsage); if (sortResult == 0) { if (context->UseCycleTime) sortResult = uint64cmp(threadItem1->CyclesDelta.Delta, threadItem2->CyclesDelta.Delta); else sortResult = uintcmp(threadItem1->ContextSwitchesDelta.Delta, threadItem2->ContextSwitchesDelta.Delta); } } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CyclesDelta) { if (context->UseCycleTime) sortResult = uint64cmp(threadItem1->CyclesDelta.Delta, threadItem2->CyclesDelta.Delta); else sortResult = uintcmp(threadItem1->ContextSwitchesDelta.Delta, threadItem2->ContextSwitchesDelta.Delta); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StartAddressWin32) { sortResult = uint64cmp((ULONG_PTR)threadItem1->StartAddressWin32, (ULONG_PTR)threadItem2->StartAddressWin32); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PrioritySymbolic) { sortResult = intcmp(threadItem1->BasePriority, threadItem2->BasePriority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Service) { sortResult = PhCompareStringWithNullSortOrder(threadItem1->ServiceName, threadItem2->ServiceName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Name) { PhpUpdateThreadNodeNameText(node1); PhpUpdateThreadNodeNameText(node2); sortResult = PhCompareStringWithNullSortOrder(node1->NameText, node2->NameText, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Created) { sortResult = uint64cmp(threadItem1->CreateTime.QuadPart, threadItem2->CreateTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StartModule) { sortResult = PhCompareStringWithNullSortOrder(threadItem1->StartAddressWin32FileName, threadItem2->StartAddressWin32FileName, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ContextSwitches) { sortResult = uint64cmp(threadItem1->ContextSwitchesDelta.Value, threadItem2->ContextSwitchesDelta.Value); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ContextSwitchesDelta) { sortResult = uint64cmp(threadItem1->ContextSwitchesDelta.Delta, threadItem2->ContextSwitchesDelta.Delta); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Priority) { sortResult = intcmp(threadItem1->Priority, threadItem2->Priority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(BasePriority) { sortResult = intcmp(threadItem1->BasePriority, threadItem2->BasePriority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PagePriority) { PhpUpdateThreadNodePagePriority(node1); PhpUpdateThreadNodePagePriority(node2); sortResult = uintcmp(node1->PagePriority, node2->PagePriority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoPriority) { PhpUpdateThreadNodeIoPriority(node1); PhpUpdateThreadNodeIoPriority(node2); sortResult = uintcmp(node1->IoPriority, node2->IoPriority); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Cycles) { sortResult = uint64cmp(threadItem1->CyclesDelta.Value, threadItem2->CyclesDelta.Value); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(State) { ULONG threadState1 = ULONG_MAX; ULONG threadState2 = ULONG_MAX; if (threadItem1->State != Waiting) { if ((ULONG)threadItem1->State < MaximumThreadState) threadState1 = (ULONG)threadItem1->State; else threadState1 = (ULONG)MaximumThreadState; } else { if ((ULONG)threadItem1->WaitReason < MaximumWaitReason) threadState1 = (ULONG)threadItem1->WaitReason; else threadState1 = (ULONG)MaximumWaitReason; } if (threadItem2->State != Waiting) { if ((ULONG)threadItem2->State < MaximumThreadState) threadState2 = (ULONG)threadItem2->State; else threadState2 = (ULONG)MaximumThreadState; } else { if ((ULONG)threadItem2->WaitReason < MaximumWaitReason) threadState2 = (ULONG)threadItem2->WaitReason; else threadState2 = (ULONG)MaximumWaitReason; } sortResult = uintcmp(threadState1, threadState2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(KernelTime) { sortResult = uint64cmp(threadItem1->KernelTime.QuadPart, threadItem2->KernelTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserTime) { sortResult = uint64cmp(threadItem1->UserTime.QuadPart, threadItem2->UserTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IdealProcessor) { PhpUpdateThreadNodeIdealProcessor(node1); PhpUpdateThreadNodeIdealProcessor(node2); sortResult = int64cmp(node1->IdealProcessorMask, node2->IdealProcessorMask); //sortResult = PhCompareStringZ(node1->IdealProcessorText, node2->IdealProcessorText, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Critical) { PhpUpdateThreadNodeBreakOnTermination(node1); PhpUpdateThreadNodeBreakOnTermination(node2); sortResult = ucharcmp(node1->BreakOnTermination, node2->BreakOnTermination); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TidHex) { sortResult = uintptrcmp((ULONG_PTR)node1->ThreadId, (ULONG_PTR)node2->ThreadId); //sortResult = ucharcmp(node1->ThreadIdHexText, node2->ThreadIdHexText, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CpuCore) { FLOAT cpuUsage1; FLOAT cpuUsage2; cpuUsage1 = threadItem1->CpuUsage * 100; cpuUsage1 *= PhSystemProcessorInformation.NumberOfProcessors; cpuUsage2 = threadItem2->CpuUsage * 100; cpuUsage2 *= PhSystemProcessorInformation.NumberOfProcessors; sortResult = singlecmp(cpuUsage1, cpuUsage2); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(TokenState) { PhpUpdateThreadNodeTokenState(node1); PhpUpdateThreadNodeTokenState(node2); sortResult = uintcmp(node1->TokenState, node2->TokenState); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PendingIrp) { PhpUpdateThreadNodeIoPending(node1); PhpUpdateThreadNodeIoPending(node2); sortResult = ucharcmp(node1->PendingIrp, node2->PendingIrp); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LastSystemCall) { PhpUpdateThreadNodeLastSystemCall(node1); PhpUpdateThreadNodeLastSystemCall(node2); sortResult = ushortcmp(node1->LastSystemCall.SystemCallNumber, node2->LastSystemCall.SystemCallNumber); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LastStatusCode) { PhpUpdateThreadNodeLastStatusCode(context, node1); PhpUpdateThreadNodeLastStatusCode(context, node2); sortResult = uintcmp(node1->LastStatusValue, node2->LastStatusValue); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ApartmentType) { PhpUpdateThreadNodeApartmentState(context, node1); PhpUpdateThreadNodeApartmentState(context, node2); sortResult = uintcmp(node1->ApartmentInfo.Type, node2->ApartmentInfo.Type); if (sortResult == 0) sortResult = uintcmp(node1->ApartmentInfo.ComInits, node2->ApartmentInfo.ComInits); if (sortResult == 0) sortResult = uintcmp(node1->ApartmentInfo.Flags, node2->ApartmentInfo.Flags); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ApartmentFlags) { PhpUpdateThreadNodeApartmentState(context, node1); PhpUpdateThreadNodeApartmentState(context, node2); sortResult = uintcmp(node1->ApartmentInfo.Flags, node2->ApartmentInfo.Flags); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Fiber) { PhpUpdateThreadNodeFiber(context, node1); PhpUpdateThreadNodeFiber(context, node2); sortResult = ucharcmp(node1->Fiber, node2->Fiber); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PriorityBoost) { PhpUpdateThreadNodePriorityBoost(node1); PhpUpdateThreadNodePriorityBoost(node2); sortResult = ucharcmp(node1->PriorityBoost, node2->PriorityBoost); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CpuUser) { sortResult = singlecmp(threadItem1->CpuUserUsage, threadItem2->CpuUserUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(CpuKernel) { sortResult = singlecmp(threadItem1->CpuKernelUsage, threadItem2->CpuKernelUsage); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StackUsage) { PhpUpdateThreadNodeStackUsage(context, node1); PhpUpdateThreadNodeStackUsage(context, node2); sortResult = singlecmp(node1->StackUsageFloat, node2->StackUsageFloat); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(WaitTime) { sortResult = uintcmp(threadItem1->WaitTime, threadItem2->WaitTime); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoReads) { sortResult = uint64cmp(threadItem1->IoCounters.ReadOperationCount, threadItem2->IoCounters.ReadOperationCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoWrites) { sortResult = uint64cmp(threadItem1->IoCounters.WriteOperationCount, threadItem2->IoCounters.WriteOperationCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoOther) { sortResult = uint64cmp(threadItem1->IoCounters.OtherOperationCount, threadItem2->IoCounters.OtherOperationCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoReadBytes) { sortResult = uint64cmp(threadItem1->IoCounters.ReadTransferCount, threadItem2->IoCounters.ReadTransferCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoWriteBytes) { sortResult = uint64cmp(threadItem1->IoCounters.WriteTransferCount, threadItem2->IoCounters.WriteTransferCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(IoOtherBytes) { sortResult = uint64cmp(threadItem1->IoCounters.OtherTransferCount, threadItem2->IoCounters.OtherTransferCount); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LxssTid) { sortResult = uintcmp(threadItem1->LxssThreadId, threadItem2->LxssThreadId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PowerThrottling) { sortResult = uintcmp(threadItem1->PowerThrottling, threadItem2->PowerThrottling); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StartAddressKernel) { sortResult = uint64cmp((ULONG_PTR)threadItem1->StartAddress, (ULONG_PTR)threadItem2->StartAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(KernelStackUsage) { PhpUpdateThreadNodeKernelStackSize(context, node1); PhpUpdateThreadNodeKernelStackSize(context, node2); sortResult = singlecmp(node1->KernelStackUsageFloat, node2->KernelStackUsageFloat); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(HasRpc) { PhpUpdateThreadNodeRpc(context, node1); PhpUpdateThreadNodeRpc(context, node2); sortResult = ucharcmp(node1->HasRpcState, node2->HasRpcState); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ActualBasePriority) { sortResult = intcmp(threadItem1->ActualBasePriority, threadItem2->ActualBasePriority); } END_SORT_FUNCTION BOOLEAN NTAPI PhpThreadTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_THREAD_LIST_CONTEXT context = Context; PPH_THREAD_NODE node; if (PhCmForwardMessage(WindowHandle, Message, Parameter1, Parameter2, &context->Cm)) return TRUE; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Tid), SORT_FUNCTION(Cpu), SORT_FUNCTION(CyclesDelta), SORT_FUNCTION(StartAddressWin32), SORT_FUNCTION(PrioritySymbolic), SORT_FUNCTION(Service), SORT_FUNCTION(Name), SORT_FUNCTION(Created), SORT_FUNCTION(StartModule), SORT_FUNCTION(ContextSwitches), SORT_FUNCTION(ContextSwitchesDelta), // delta SORT_FUNCTION(Priority), SORT_FUNCTION(BasePriority), SORT_FUNCTION(PagePriority), SORT_FUNCTION(IoPriority), SORT_FUNCTION(Cycles), SORT_FUNCTION(State), SORT_FUNCTION(KernelTime), SORT_FUNCTION(UserTime), SORT_FUNCTION(IdealProcessor), SORT_FUNCTION(Critical), SORT_FUNCTION(TidHex), SORT_FUNCTION(CpuCore), SORT_FUNCTION(TokenState), SORT_FUNCTION(PendingIrp), SORT_FUNCTION(LastSystemCall), SORT_FUNCTION(LastStatusCode), SORT_FUNCTION(Created), // Timeline SORT_FUNCTION(ApartmentType), SORT_FUNCTION(ApartmentFlags), SORT_FUNCTION(Fiber), SORT_FUNCTION(PriorityBoost), SORT_FUNCTION(CpuUser), SORT_FUNCTION(CpuKernel), SORT_FUNCTION(StackUsage), SORT_FUNCTION(WaitTime), SORT_FUNCTION(IoReads), SORT_FUNCTION(IoWrites), SORT_FUNCTION(IoOther), SORT_FUNCTION(IoReadBytes), SORT_FUNCTION(IoWriteBytes), SORT_FUNCTION(IoOtherBytes), SORT_FUNCTION(LxssTid), SORT_FUNCTION(PowerThrottling), SORT_FUNCTION(StartAddressKernel), SORT_FUNCTION(KernelStackUsage), SORT_FUNCTION(HasRpc), SORT_FUNCTION(ActualBasePriority), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PH_THREAD_TREELIST_COLUMN_MAXIMUM, "SortFunctions must equal maximum."); if (!PhCmForwardSort( (PPH_TREENEW_NODE *)context->NodeList->Items, context->NodeList->Count, context->TreeNewSortColumn, context->TreeNewSortOrder, &context->Cm )) { if (context->TreeNewSortColumn < PH_THREAD_TREELIST_COLUMN_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; } else { sortFunction = NULL; } if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; PPH_THREAD_ITEM threadItem; node = (PPH_THREAD_NODE)getCellText->Node; threadItem = node->ThreadItem; switch (getCellText->Id) { case PH_THREAD_TREELIST_COLUMN_TID: { PhInitializeStringRefLongHint(&getCellText->Text, threadItem->ThreadIdString); } break; case PH_THREAD_TREELIST_COLUMN_LXSSTID: { PhInitializeStringRefLongHint(&getCellText->Text, threadItem->LxssThreadIdString); } break; case PH_THREAD_TREELIST_COLUMN_CPU: { FLOAT cpuUsage; cpuUsage = threadItem->CpuUsage * 100; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; SIZE_T returnLength; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(&format, 1, node->CpuUsageText, sizeof(node->CpuUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; SIZE_T returnLength; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(format, 2, node->CpuUsageText, sizeof(node->CpuUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } break; case PH_THREAD_TREELIST_COLUMN_CYCLESDELTA: { if (context->UseCycleTime) { if (threadItem->CyclesDelta.Delta != threadItem->CyclesDelta.Value && threadItem->CyclesDelta.Delta != 0) { PhMoveReference(&node->CyclesDeltaText, PhFormatUInt64(threadItem->CyclesDelta.Delta, TRUE)); getCellText->Text = node->CyclesDeltaText->sr; } } else { if (threadItem->ContextSwitchesDelta.Delta != threadItem->ContextSwitchesDelta.Value && threadItem->ContextSwitchesDelta.Delta != 0) { PhMoveReference(&node->CyclesDeltaText, PhFormatUInt64(threadItem->ContextSwitchesDelta.Delta, TRUE)); getCellText->Text = node->CyclesDeltaText->sr; } } } break; case PH_THREAD_TREELIST_COLUMN_STARTADDRESSWIN32: { if (NT_SUCCESS(threadItem->StartAddressStatus)) { getCellText->Text = PhGetStringRef(threadItem->StartAddressWin32String); } else { PPH_STRING errorMessage; PH_FORMAT format[5]; PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], threadItem->StartAddressStatus); if (errorMessage = PhGetStatusMessage(threadItem->StartAddressStatus, 0)) { PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], errorMessage->sr); PhInitFormatC(&format[4], L')'); PhMoveReference(&threadItem->StartAddressWin32String, PhFormat(format, 5, 0)); PhDereferenceObject(errorMessage); } else { PhMoveReference(&threadItem->StartAddressWin32String, PhFormat(format, 2, 0)); } getCellText->Text = PhGetStringRef(threadItem->StartAddressWin32String); } } break; case PH_THREAD_TREELIST_COLUMN_STARTADDRESS: { if (threadItem->StartAddress) { getCellText->Text = PhGetStringRef(threadItem->StartAddressString); } else { NTSTATUS status; PPH_STRING errorMessage; PH_FORMAT format[5]; if (WindowsVersion > WINDOWS_10_22H2) status = STATUS_ACCESS_DENIED; else status = STATUS_BUFFER_ALL_ZEROS; PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], status); if (errorMessage = PhGetStatusMessage(status, 0)) { PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], errorMessage->sr); PhInitFormatC(&format[4], L')'); PhMoveReference(&threadItem->StartAddressString, PhFormat(format, 5, 0)); PhDereferenceObject(errorMessage); } else { PhMoveReference(&threadItem->StartAddressString, PhFormat(format, 2, 0)); } getCellText->Text = PhGetStringRef(threadItem->StartAddressString); } } break; case PH_THREAD_TREELIST_COLUMN_PRIORITYSYMBOLIC: { getCellText->Text = *PhGetBasePrioritySymbolicString(threadItem->BasePriority); } break; case PH_THREAD_TREELIST_COLUMN_SERVICE: { getCellText->Text = PhGetStringRef(threadItem->ServiceName); } break; case PH_THREAD_TREELIST_COLUMN_NAME: { PhpUpdateThreadNodeNameText(node); getCellText->Text = PhGetStringRef(node->NameText); } break; case PH_THREAD_TREELIST_COLUMN_STARTED: { PhpUpdateThreadNodeStartedText(node); getCellText->Text = PhGetStringRef(node->CreatedText); } break; case PH_THREAD_TREELIST_COLUMN_STARTMODULE: { getCellText->Text = PhGetStringRef(threadItem->StartAddressWin32FileName); } break; case PH_THREAD_TREELIST_COLUMN_CONTEXTSWITCHES: { SIZE_T returnLength; PH_FORMAT format[1]; PhInitFormatI64UGroupDigits(&format[0], threadItem->ContextSwitchesDelta.Value); if (PhFormatToBuffer(format, 1, node->ContextSwitchesText, sizeof(node->ContextSwitchesText), &returnLength)) { getCellText->Text.Buffer = node->ContextSwitchesText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } break; case PH_THREAD_TREELIST_COLUMN_CONTEXTSWITCHESDELTA: { if ((LONG)threadItem->ContextSwitchesDelta.Delta >= 0) // the delta may be negative if a thread exits - just don't show anything { ULONG value = threadItem->ContextSwitchesDelta.Delta; if (value != 0) { PhMoveReference(&node->ContextSwitchesDeltaText, PhFormatUInt64(value, TRUE)); getCellText->Text = node->ContextSwitchesDeltaText->sr; } } } break; case PH_THREAD_TREELIST_COLUMN_PRIORITY: { SIZE_T returnLength; PH_FORMAT format[1]; PhInitFormatD(&format[0], threadItem->Priority); if (PhFormatToBuffer(format, 1, node->PriorityText, sizeof(node->PriorityText), &returnLength)) { getCellText->Text.Buffer = node->PriorityText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } break; case PH_THREAD_TREELIST_COLUMN_BASEPRIORITY: { SIZE_T returnLength; PH_FORMAT format[1]; PhInitFormatD(&format[0], threadItem->BasePriority); if (PhFormatToBuffer(format, 1, node->BasePriorityText, sizeof(node->BasePriorityText), &returnLength)) { getCellText->Text.Buffer = node->BasePriorityText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } break; case PH_THREAD_TREELIST_COLUMN_PAGEPRIORITY: { PH_STRINGREF pagePriority = PH_STRINGREF_INIT(L"N/A"); PhpUpdateThreadNodePagePriority(node); if (node->PagePriority != ULONG_MAX && node->PagePriority <= MEMORY_PRIORITY_NORMAL) { pagePriority = PhPagePriorityNames[node->PagePriority]; } getCellText->Text.Buffer = pagePriority.Buffer; getCellText->Text.Length = pagePriority.Length; } break; case PH_THREAD_TREELIST_COLUMN_IOPRIORITY: { PH_STRINGREF ioPriority = PH_STRINGREF_INIT(L"N/A"); PhpUpdateThreadNodeIoPriority(node); if (node->IoPriority != ULONG_MAX && node->IoPriority >= IoPriorityVeryLow && node->IoPriority < MaxIoPriorityTypes) { ioPriority = PhIoPriorityHintNames[node->IoPriority]; } getCellText->Text.Buffer = ioPriority.Buffer; getCellText->Text.Length = ioPriority.Length; } break; case PH_THREAD_TREELIST_COLUMN_CYCLES: { if (threadItem->CyclesDelta.Value != 0) { SIZE_T returnLength; PH_FORMAT format[1]; PhInitFormatI64UGroupDigits(&format[0], threadItem->CyclesDelta.Value); if (PhFormatToBuffer(format, 1, node->CyclesText, sizeof(node->CyclesText), &returnLength)) { getCellText->Text.Buffer = node->CyclesText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } break; case PH_THREAD_TREELIST_COLUMN_STATE: { if (threadItem->State != Waiting) { static const PH_STRINGREF stringUnknown = PH_STRINGREF_INIT(L"Unknown"); if ((ULONG)threadItem->State < MaximumThreadState) PhMoveReference(&node->StateText, PhCreateString2((PPH_STRINGREF)&PhKThreadStateNames[(ULONG)threadItem->State])); else PhMoveReference(&node->StateText, PhCreateString2((PPH_STRINGREF)&stringUnknown)); } else { static const PH_STRINGREF stringWait = PH_STRINGREF_INIT(L"Wait:"); static const PH_STRINGREF stringWaiting = PH_STRINGREF_INIT(L"Waiting"); if ((ULONG)threadItem->WaitReason < MaximumWaitReason) PhMoveReference(&node->StateText, PhConcatStringRef2((PPH_STRINGREF)&stringWait, (PPH_STRINGREF)&PhKWaitReasonNames[(ULONG)threadItem->WaitReason])); else PhMoveReference(&node->StateText, PhCreateString2((PPH_STRINGREF)&stringWaiting)); } if (threadItem->ThreadHandle && threadItem->WaitReason == Suspended) { PH_FORMAT format[4]; PhpUpdateThreadNodeSuspendCount(node); PhInitFormatSR(&format[0], node->StateText->sr); PhInitFormatS(&format[1], L" ("); PhInitFormatU(&format[2], node->SuspendCount); PhInitFormatS(&format[3], L")"); PhMoveReference(&node->StateText, PhFormat(format, 4, 30)); } getCellText->Text = PhGetStringRef(node->StateText); } break; case PH_THREAD_TREELIST_COLUMN_KERNELTIME: { if (threadItem->KernelTime.QuadPart != 0) { PhMoveReference(&node->KernelTimeText, PhFormatTimeSpan(threadItem->KernelTime.QuadPart, PH_TIMESPAN_HMSM)); } getCellText->Text = PhGetStringRef(node->KernelTimeText); } break; case PH_THREAD_TREELIST_COLUMN_USERTIME: { if (threadItem->UserTime.QuadPart != 0) { PhMoveReference(&node->UserTimeText, PhFormatTimeSpan(threadItem->UserTime.QuadPart, PH_TIMESPAN_HMSM)); } getCellText->Text = PhGetStringRef(node->UserTimeText); } break; case PH_THREAD_TREELIST_COLUMN_IDEALPROCESSOR: { PROCESSOR_NUMBER idealProcessorNumber; SIZE_T returnLength; PH_FORMAT format[3]; PhpUpdateThreadNodeIdealProcessor(node); memset(&idealProcessorNumber, 0, sizeof(idealProcessorNumber)); idealProcessorNumber.Group = HIWORD(node->IdealProcessorMask); idealProcessorNumber.Number = (BYTE)LOWORD(node->IdealProcessorMask); PhInitFormatU(&format[0], idealProcessorNumber.Group); PhInitFormatC(&format[1], L':'); PhInitFormatU(&format[2], idealProcessorNumber.Number); if (PhFormatToBuffer(format, 3, node->IdealProcessorText, sizeof(node->IdealProcessorText), &returnLength)) { getCellText->Text.Buffer = node->IdealProcessorText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } break; case PH_THREAD_TREELIST_COLUMN_CRITICAL: { PhpUpdateThreadNodeBreakOnTermination(node); if (node->BreakOnTermination) PhInitializeStringRef(&getCellText->Text, L"Critical"); else PhInitializeEmptyStringRef(&getCellText->Text); } break; case PH_THREAD_TREELIST_COLUMN_TIDHEX: { PhInitializeStringRefLongHint(&getCellText->Text, threadItem->ThreadIdHexString); } break; case PH_THREAD_TREELIST_COLUMN_CPUCORECYCLES: { FLOAT cpuUsage; cpuUsage = threadItem->CpuUsage * 100.f; cpuUsage *= threadItem->AffinityPopulationCount; // linux style (dmex) if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; SIZE_T returnLength; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(&format, 1, node->CpuCoreUsageText, sizeof(node->CpuCoreUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuCoreUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; SIZE_T returnLength; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(format, 2, node->CpuCoreUsageText, sizeof(node->CpuCoreUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuCoreUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } break; case PH_THREAD_TREELIST_COLUMN_TOKEN_STATE: { PhpUpdateThreadNodeTokenState(node); if (node->TokenState == PH_THREAD_TOKEN_STATE_NOT_PRESENT) { PhInitializeEmptyStringRef(&getCellText->Text); } else if (node->TokenState == PH_THREAD_TOKEN_STATE_ANONYMOUS) { PhInitializeStringRef(&getCellText->Text, L"Anonymous"); } else if (node->TokenState == PH_THREAD_TOKEN_STATE_PRESENT) { PhInitializeStringRef(&getCellText->Text, L"Yes"); } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PH_THREAD_TREELIST_COLUMN_PENDINGIRP: { PhpUpdateThreadNodeIoPending(node); if (node->PendingIrp) PhInitializeStringRef(&getCellText->Text, L"Yes"); else PhInitializeEmptyStringRef(&getCellText->Text); } break; case PH_THREAD_TREELIST_COLUMN_LASTSYSTEMCALL: { if (context->ProcessId == SYSTEM_IDLE_PROCESS_ID || context->ProcessId == SYSTEM_PROCESS_ID) { PhInitializeEmptyStringRef(&getCellText->Text); break; } PhpUpdateThreadNodeLastSystemCall(node); if (NT_SUCCESS(node->LastSystemCallStatus)) { PPH_STRING systemCallName; PH_FORMAT format[8]; if (node->LastSystemCall.SystemCallNumber == 0 && !node->LastSystemCall.FirstArgument) { // If the thread was created in a frozen/suspended process and hasn't executed, the // ThreadLastSystemCall returns status_success but the values are invalid. (dmex) PhClearReference(&node->LastSystemCallText); } else { if (systemCallName = PhGetSystemCallNumberName(node->LastSystemCall.SystemCallNumber)) { PhInitFormatSR(&format[0], systemCallName->sr); PhInitFormatS(&format[1], L" (0x"); PhInitFormatX(&format[2], node->LastSystemCall.SystemCallNumber); PhInitFormatS(&format[3], L") (Arg0: 0x"); PhInitFormatI64X(&format[4], (ULONG64)node->LastSystemCall.FirstArgument); if (WindowsVersion < WINDOWS_8) { PhInitFormatC(&format[5], L')'); PhMoveReference(&node->LastSystemCallText, PhFormat(format, 6, 0x40)); } else { PPH_STRING waitTime; waitTime = PhFormatTimeSpanRelative(node->LastSystemCall.WaitTime); PhInitFormatS(&format[5], L") ["); PhInitFormatSR(&format[6], waitTime->sr); PhInitFormatC(&format[7], L']'); PhMoveReference(&node->LastSystemCallText, PhFormat(format, 8, 0x40)); PhDereferenceObject(waitTime); } PhDereferenceObject(systemCallName); } else { PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], node->LastSystemCall.SystemCallNumber); PhInitFormatS(&format[2], L" (Arg0: 0x"); PhInitFormatI64X(&format[3], (ULONG64)node->LastSystemCall.FirstArgument); if (WindowsVersion < WINDOWS_8) { PhInitFormatC(&format[4], L')'); PhMoveReference(&node->LastSystemCallText, PhFormat(format, 5, 0x40)); } else { PPH_STRING waitTime; waitTime = PhFormatTimeSpanRelative(node->LastSystemCall.WaitTime); PhInitFormatS(&format[4], L") ["); PhInitFormatSR(&format[5], waitTime->sr); PhInitFormatC(&format[6], L']'); PhMoveReference(&node->LastSystemCallText, PhFormat(format, 7, 0x40)); } } } } else { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], node->LastSystemCallStatus); PhMoveReference(&node->LastSystemCallText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } getCellText->Text = PhGetStringRef(node->LastSystemCallText); } break; case PH_THREAD_TREELIST_COLUMN_LASTSTATUSCODE: { PPH_STRING errorMessage; if (context->ProcessId == SYSTEM_IDLE_PROCESS_ID || context->ProcessId == SYSTEM_PROCESS_ID) { PhInitializeEmptyStringRef(&getCellText->Text); break; } PhpUpdateThreadNodeLastStatusCode(context, node); if (NT_SUCCESS(node->LastStatusQueryStatus)) { if (node->LastStatusValue == STATUS_SUCCESS) { PhClearReference(&node->LastErrorCodeText); } else { PH_FORMAT format[5]; PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], node->LastStatusValue); if (errorMessage = PhGetStatusMessage(node->LastStatusValue, 0)) { PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], errorMessage->sr); PhInitFormatC(&format[4], L')'); PhMoveReference(&node->LastErrorCodeText, PhFormat(format, 5, 0x40)); PhDereferenceObject(errorMessage); } else { PhMoveReference(&node->LastErrorCodeText, PhFormat(format, 2, 0x40)); } } } else { PH_FORMAT format[2]; PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], node->LastStatusQueryStatus); PhMoveReference(&node->LastErrorCodeText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } getCellText->Text = PhGetStringRef(node->LastErrorCodeText); } break; case PH_THREAD_TREELIST_COLUMN_APARTMENTTYPE: { if (context->ProcessId == SYSTEM_IDLE_PROCESS_ID || context->ProcessId == SYSTEM_PROCESS_ID) { PhInitializeEmptyStringRef(&getCellText->Text); break; } PhpUpdateThreadNodeApartmentState(context, node); if (node->ApartmentInfo.Type) { PPH_STRING apartmentTypeString; if (apartmentTypeString = PhGetApartmentTypeString(&node->ApartmentInfo)) { PhMoveReference(&node->ApartmentTypeText, apartmentTypeString); } else { PhClearReference(&node->ApartmentTypeText); } } else { PhClearReference(&node->ApartmentTypeText); } getCellText->Text = PhGetStringRef(node->ApartmentTypeText); } break; case PH_THREAD_TREELIST_COLUMN_APARTMENTFLAGS: { if (context->ProcessId == SYSTEM_IDLE_PROCESS_ID || context->ProcessId == SYSTEM_PROCESS_ID) { PhInitializeEmptyStringRef(&getCellText->Text); break; } PhpUpdateThreadNodeApartmentState(context, node); if (node->ApartmentInfo.Flags) { PPH_STRING apartmentStateString; if (apartmentStateString = PhGetApartmentFlagsString(node->ApartmentInfo.Flags)) { PhMoveReference(&node->ApartmentFlagsText, apartmentStateString); } else { PhClearReference(&node->ApartmentFlagsText); } } else { PhClearReference(&node->ApartmentFlagsText); } getCellText->Text = PhGetStringRef(node->ApartmentFlagsText); } break; case PH_THREAD_TREELIST_COLUMN_FIBER: { if (context->ProcessId == SYSTEM_IDLE_PROCESS_ID || context->ProcessId == SYSTEM_PROCESS_ID) { PhInitializeEmptyStringRef(&getCellText->Text); break; } PhpUpdateThreadNodeFiber(context, node); if (node->Fiber) { PhInitializeStringRef(&getCellText->Text, L"Yes"); } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PH_THREAD_TREELIST_COLUMN_PRIORITYBOOST: { PhpUpdateThreadNodePriorityBoost(node); if (node->PriorityBoost) PhInitializeStringRef(&getCellText->Text, L"Yes"); else PhInitializeEmptyStringRef(&getCellText->Text); } break; case PH_THREAD_TREELIST_COLUMN_CPUUSER: { FLOAT cpuUsage; cpuUsage = threadItem->CpuUserUsage * 100.f; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; SIZE_T returnLength; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(&format, 1, node->CpuUserUsageText, sizeof(node->CpuUserUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuUserUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; SIZE_T returnLength; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(format, 2, node->CpuUserUsageText, sizeof(node->CpuUserUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuUserUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } break; case PH_THREAD_TREELIST_COLUMN_CPUKERNEL: { FLOAT cpuUsage; cpuUsage = threadItem->CpuKernelUsage * 100.f; if (cpuUsage >= PhMaxPrecisionLimit) { PH_FORMAT format; SIZE_T returnLength; PhInitFormatF(&format, cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(&format, 1, node->CpuKernelUsageText, sizeof(node->CpuKernelUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuKernelUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } else if (cpuUsage != 0 && PhCsShowCpuBelow001) { PH_FORMAT format[2]; SIZE_T returnLength; PhInitFormatS(&format[0], L"< "); PhInitFormatF(&format[1], cpuUsage, PhMaxPrecisionUnit); if (PhFormatToBuffer(format, 2, node->CpuKernelUsageText, sizeof(node->CpuKernelUsageText), &returnLength)) { getCellText->Text.Buffer = node->CpuKernelUsageText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } } break; case PH_THREAD_TREELIST_COLUMN_STACKUSAGE: { if (context->ProcessId == SYSTEM_IDLE_PROCESS_ID || context->ProcessId == SYSTEM_PROCESS_ID) { PhInitializeEmptyStringRef(&getCellText->Text); break; } PhpUpdateThreadNodeStackUsage(context, node); if (node->StackUsage && node->StackLimit) { PH_FORMAT format[6]; // %s / %s (%.0f%%) PhInitFormatSize(&format[0], node->StackUsage); PhInitFormatS(&format[1], L" | "); PhInitFormatSize(&format[2], node->StackLimit); PhInitFormatS(&format[3], L" ("); PhInitFormatF(&format[4], node->StackUsageFloat, PhMaxPrecisionUnit); PhInitFormatS(&format[5], L"%)"); PhMoveReference(&node->StackUsageText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } else { PhClearReference(&node->StackUsageText); } getCellText->Text = PhGetStringRef(node->StackUsageText); } break; case PH_THREAD_TREELIST_COLUMN_KSTACKUSAGE: { PhpUpdateThreadNodeKernelStackSize(context, node); if (node->KernelStackUsage && node->KernelStackLimit) { PH_FORMAT format[6]; // %s / %s (%.0f%%) PhInitFormatSize(&format[0], node->KernelStackUsage); PhInitFormatS(&format[1], L" | "); PhInitFormatSize(&format[2], node->KernelStackLimit); PhInitFormatS(&format[3], L" ("); PhInitFormatF(&format[4], node->KernelStackUsageFloat, PhMaxPrecisionUnit); PhInitFormatS(&format[5], L"%)"); PhMoveReference(&node->KernelStackUsageText, PhFormat(format, RTL_NUMBER_OF(format), 0)); } else { PhClearReference(&node->KernelStackUsageText); } getCellText->Text = PhGetStringRef(node->KernelStackUsageText); } break; case PH_THREAD_TREELIST_COLUMN_WAITTIME: { if (threadItem->WaitTime != 0) { PhMoveReference(&node->WaitTimeText, PhFormatTimeSpan(threadItem->WaitTime, PH_TIMESPAN_HMSM)); } getCellText->Text = PhGetStringRef(node->WaitTimeText); } break; case PH_THREAD_TREELIST_COLUMN_IOREADS: { if (threadItem->IoCounters.ReadOperationCount != 0) { PhMoveReference(&node->IoReads, PhFormatUInt64(threadItem->IoCounters.ReadOperationCount, TRUE)); } getCellText->Text = PhGetStringRef(node->IoReads); } break; case PH_THREAD_TREELIST_COLUMN_IOWRITES: { if (threadItem->IoCounters.WriteOperationCount != 0) { PhMoveReference(&node->IoWrites, PhFormatUInt64(threadItem->IoCounters.WriteOperationCount, TRUE)); } getCellText->Text = PhGetStringRef(node->IoWrites); } break; case PH_THREAD_TREELIST_COLUMN_IOOTHER: { if (threadItem->IoCounters.OtherOperationCount != 0) { PhMoveReference(&node->IoOther, PhFormatUInt64(threadItem->IoCounters.OtherOperationCount, TRUE)); } getCellText->Text = PhGetStringRef(node->IoOther); } break; case PH_THREAD_TREELIST_COLUMN_IOREADBYTES: { if (threadItem->IoCounters.ReadTransferCount != 0) { PhMoveReference(&node->IoReadBytes, PhFormatSize(threadItem->IoCounters.ReadTransferCount, ULONG_MAX)); } getCellText->Text = PhGetStringRef(node->IoReadBytes); } break; case PH_THREAD_TREELIST_COLUMN_IOWRITEBYTES: { if (threadItem->IoCounters.WriteTransferCount != 0) { PhMoveReference(&node->IoWriteBytes, PhFormatSize(threadItem->IoCounters.WriteTransferCount, ULONG_MAX)); } getCellText->Text = PhGetStringRef(node->IoWriteBytes); } break; case PH_THREAD_TREELIST_COLUMN_IOOTHERBYTES: { if (threadItem->IoCounters.OtherTransferCount != 0) { PhMoveReference(&node->IoOtherBytes, PhFormatSize(threadItem->IoCounters.OtherTransferCount, ULONG_MAX)); } getCellText->Text = PhGetStringRef(node->IoOtherBytes); } break; case PH_THREAD_TREELIST_COLUMN_POWERTHROTTLING: { if (threadItem->PowerThrottling) { PhInitializeStringRef(&getCellText->Text, L"Yes"); } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PH_THREAD_TREELIST_COLUMN_RPC: { if (context->ProcessId == SYSTEM_IDLE_PROCESS_ID || context->ProcessId == SYSTEM_PROCESS_ID) { PhInitializeEmptyStringRef(&getCellText->Text); break; } PhpUpdateThreadNodeRpc(context, node); if (node->HasRpcState) { PhInitializeStringRef(&getCellText->Text, L"Yes"); } else { PhInitializeEmptyStringRef(&getCellText->Text); } } break; case PH_THREAD_TREELIST_COLUMN_ACTUALBASEPRIORITY: { SIZE_T returnLength; PH_FORMAT format[1]; PhInitFormatD(&format[0], threadItem->ActualBasePriority); if (PhFormatToBuffer(format, 1, node->ActualBasePriorityText, sizeof(node->ActualBasePriorityText), &returnLength)) { getCellText->Text.Buffer = node->ActualBasePriorityText; getCellText->Text.Length = returnLength - sizeof(UNICODE_NULL); } } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; PPH_THREAD_ITEM threadItem; node = (PPH_THREAD_NODE)getNodeColor->Node; threadItem = node->ThreadItem; if (!threadItem) NOTHING; //else if (context->HighlightUnknownStartAddress && threadItem->StartAddressWin32ResolveLevel == PhsrlAddress) // getNodeColor->BackColor = PhCsColorUnknown; else if (context->HighlightSuspended && threadItem->WaitReason == Suspended) getNodeColor->BackColor = PhCsColorSuspended; else if (context->HighlightSuspended && threadItem->WaitReason == DelayExecution) // NtDelayExecution getNodeColor->BackColor = PhCsColorImmersiveProcesses; else if (context->HighlightSuspended && threadItem->WaitReason == UserRequest) // NtWaitForSingleObject getNodeColor->BackColor = PhCsColorOwnProcesses; else if (context->HighlightSuspended && threadItem->WaitReason == WrAlertByThreadId) getNodeColor->BackColor = PhCsColorSystemProcesses; else if (context->HighlightSuspended && threadItem->WaitReason == WrQueue) // NtRemoveIoCompletion getNodeColor->BackColor = PhCsColorEfficiencyMode; else if (context->HighlightSuspended && threadItem->WaitReason == Executive) getNodeColor->BackColor = PhCsColorElevatedProcesses; else if (context->HighlightGuiThreads && threadItem->IsGuiThread) getNodeColor->BackColor = PhCsColorGuiThreads; getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewCustomDraw: { PPH_TREENEW_CUSTOM_DRAW customDraw = Parameter1; PPH_THREAD_ITEM threadItem; RECT rect; node = (PPH_THREAD_NODE)customDraw->Node; threadItem = node->ThreadItem; rect = customDraw->CellRect; if (rect.right - rect.left <= 1) break; // nothing to draw switch (customDraw->Column->Id) { case PH_THREAD_TREELIST_COLUMN_TIMELINE: { if (threadItem->CreateTime.QuadPart == 0) break; // nothing to draw PhCustomDrawTreeTimeLine( customDraw->Dc, &customDraw->CellRect, PhEnableThemeSupport ? PH_DRAW_TIMELINE_DARKTHEME : 0, &context->ProcessCreateTime, &threadItem->CreateTime ); } break; } } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_THREAD_COPY, 0); break; case VK_DELETE: SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_THREAD_TERMINATE, 0); break; case VK_RETURN: SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_THREAD_INSPECT, 0); break; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; // Customizable columns are disabled until we can figure out how to make it // co-operate with the column adjustments (e.g. Cycles Delta vs Context Switches Delta, // Service column). data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = PH_THREAD_TREELIST_COLUMN_CYCLESDELTA; data.DefaultSortOrder = DescendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_THREAD_INSPECT, 0); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; SendMessage(context->ParentWindowHandle, WM_COMMAND, ID_SHOWCONTEXTMENU, (LPARAM)contextMenu); } return TRUE; case TreeNewGetDialogCode: { PULONG code = Parameter2; if (PtrToUlong(Parameter1) == VK_RETURN) { *code = DLGC_WANTMESSAGE; return TRUE; } } return FALSE; } return FALSE; } PPH_THREAD_ITEM PhGetSelectedThreadItem( _In_ PPH_THREAD_LIST_CONTEXT Context ) { PPH_THREAD_ITEM threadItem = NULL; ULONG i; for (i = 0; i < Context->NodeList->Count; i++) { PPH_THREAD_NODE node = Context->NodeList->Items[i]; if (node->Node.Selected) { threadItem = node->ThreadItem; break; } } return threadItem; } VOID PhGetSelectedThreadItems( _In_ PPH_THREAD_LIST_CONTEXT Context, _Out_ PPH_THREAD_ITEM **Threads, _Out_ PULONG NumberOfThreads ) { PH_ARRAY array; ULONG i; PhInitializeArray(&array, sizeof(PVOID), 2); for (i = 0; i < Context->NodeList->Count; i++) { PPH_THREAD_NODE node = Context->NodeList->Items[i]; if (node->Node.Selected) PhAddItemArray(&array, &node->ThreadItem); } *NumberOfThreads = (ULONG)PhFinalArrayCount(&array); *Threads = PhFinalArrayItems(&array); } PPH_STRING PhGetApartmentTypeString( _In_ PPH_APARTMENT_INFO ApartmentInfo ) { PH_FORMAT format[5]; ULONG count = 0; if (ApartmentInfo->InNeutral) PhInitFormatS(&format[count++], L"NTA on "); switch (ApartmentInfo->Type) { case PH_APARTMENT_TYPE_STA: PhInitFormatS(&format[count++], L"STA"); break; case PH_APARTMENT_TYPE_MAIN_STA: PhInitFormatS(&format[count++], L"Main STA"); break; case PH_APARTMENT_TYPE_APPLICATION_STA: PhInitFormatS(&format[count++], L"ASTA"); break; case PH_APARTMENT_TYPE_MTA: PhInitFormatS(&format[count++], L"MTA"); break; case PH_APARTMENT_TYPE_IMPLICIT_MTA: PhInitFormatS(&format[count++], L"Implicit MTA"); break; default: assert(FALSE); } if (ApartmentInfo->ComInits > 1) { PhInitFormatS(&format[count++], L" (x"); PhInitFormatU(&format[count++], ApartmentInfo->ComInits); PhInitFormatC(&format[count++], L')'); } return PhFormat(format, count, 10); } PPH_STRING PhGetApartmentFlagsString( _In_ ULONG ApartmentState ) { #define PH_OLE_TLS_FLAG(x, n) { TEXT(#x), (x), FALSE, FALSE, (n) } static const PH_ACCESS_ENTRY oleTlsflags[] = { PH_OLE_TLS_FLAG(OLETLS_LOCALTID, L"Local TID"), PH_OLE_TLS_FLAG(OLETLS_UUIDINITIALIZED, L"UUID initialized"), PH_OLE_TLS_FLAG(OLETLS_INTHREADDETACH, L"In thread detach"), PH_OLE_TLS_FLAG(OLETLS_CHANNELTHREADINITIALZED, L"Channel thread initialized"), PH_OLE_TLS_FLAG(OLETLS_WOWTHREAD, L"WoW thread"), PH_OLE_TLS_FLAG(OLETLS_THREADUNINITIALIZING, L"Thread uninitializing"), PH_OLE_TLS_FLAG(OLETLS_DISABLE_OLE1DDE, L"OLE1DDE disabled"), PH_OLE_TLS_FLAG(OLETLS_APARTMENTTHREADED, L"Single threaded (STA)"), PH_OLE_TLS_FLAG(OLETLS_MULTITHREADED, L"Multi threaded (MTA)"), PH_OLE_TLS_FLAG(OLETLS_IMPERSONATING, L"Impersonating"), PH_OLE_TLS_FLAG(OLETLS_DISABLE_EVENTLOGGER, L"Eventlogger disabled"), PH_OLE_TLS_FLAG(OLETLS_INNEUTRALAPT, L"Neutral threaded (NTA)"), PH_OLE_TLS_FLAG(OLETLS_DISPATCHTHREAD, L"Dispatch thread"), PH_OLE_TLS_FLAG(OLETLS_HOSTTHREAD, L"Host thread"), PH_OLE_TLS_FLAG(OLETLS_ALLOWCOINIT, L"Allow CoInit"), PH_OLE_TLS_FLAG(OLETLS_PENDINGUNINIT, L"Pending uninit"), PH_OLE_TLS_FLAG(OLETLS_FIRSTMTAINIT, L"First MTA init"), PH_OLE_TLS_FLAG(OLETLS_FIRSTNTAINIT, L"First NTA init"), PH_OLE_TLS_FLAG(OLETLS_APTINITIALIZING, L"Apartment initializing"), PH_OLE_TLS_FLAG(OLETLS_UIMSGSINMODALLOOP, L"UI messages in modal loop"), PH_OLE_TLS_FLAG(OLETLS_MARSHALING_ERROR_OBJECT, L"Marshaling error object"), PH_OLE_TLS_FLAG(OLETLS_WINRT_INITIALIZE, L"WinRT initialized"), PH_OLE_TLS_FLAG(OLETLS_APPLICATION_STA, L"Application STA"), PH_OLE_TLS_FLAG(OLETLS_IN_SHUTDOWN_CALLBACKS, L"In shutdown callbacks"), PH_OLE_TLS_FLAG(OLETLS_POINTER_INPUT_BLOCKED, L"Pointer input blocked"), PH_OLE_TLS_FLAG(OLETLS_IN_ACTIVATION_FILTER, L"In activation filter"), PH_OLE_TLS_FLAG(OLETLS_ASTATOASTAEXEMPT_QUIRK, L"ASTA-to-ASTA exempt quirk"), PH_OLE_TLS_FLAG(OLETLS_ASTATOASTAEXEMPT_PROXY, L"ASTA-to-ASTA exempt proxy"), PH_OLE_TLS_FLAG(OLETLS_ASTATOASTAEXEMPT_INDOUBT, L"ASTA-to-ASTA exempt in doubt"), PH_OLE_TLS_FLAG(OLETLS_DETECTED_USER_INITIALIZED, L"Detected user initialized"), PH_OLE_TLS_FLAG(OLETLS_BRIDGE_STA, L"Bridge STA"), PH_OLE_TLS_FLAG(OLETLS_NAINITIALIZING, L"NTA initializing"), }; PPH_STRING string; PH_FORMAT format[4]; string = PhGetAccessString( ApartmentState, (PPH_ACCESS_ENTRY)oleTlsflags, RTL_NUMBER_OF(oleTlsflags) ); PhInitFormatSR(&format[0], string->sr); PhInitFormatS(&format[1], L" (0x"); PhInitFormatX(&format[2], ApartmentState); PhInitFormatC(&format[3], L')'); PhMoveReference(&string, PhFormat(format, RTL_NUMBER_OF(format), 10)); return string; } ================================================ FILE: SystemInformer/thrdprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ /* * The thread provider is tied to the process provider, and runs by registering a callback for the * processes-updated event. This is because calculating CPU usage depends on deltas calculated by * the process provider. However, this does increase the complexity of the thread provider system. */ #include #include #include #include #include #include #include #include #include typedef struct _PH_THREAD_QUERY_DATA { SLIST_ENTRY ListEntry; PPH_THREAD_PROVIDER ThreadProvider; PPH_THREAD_ITEM ThreadItem; ULONG64 RunId; PPH_STRING StartAddressWin32String; PPH_STRING StartAddressWin32FileName; PH_SYMBOL_RESOLVE_LEVEL StartAddressWin32ResolveLevel; PPH_STRING StartAddressString; PPH_STRING StartAddressFileName; PH_SYMBOL_RESOLVE_LEVEL StartAddressResolveLevel; PPH_STRING ServiceName; } PH_THREAD_QUERY_DATA, *PPH_THREAD_QUERY_DATA; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpThreadProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpThreadItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpThreadHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpThreadHashtableHashFunction( _In_ PVOID Entry ); _Function_class_(PH_CALLBACK_FUNCTION) VOID PhpThreadProviderCallbackHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ); VOID PhpThreadProviderUpdate( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PVOID ProcessInformation ); PPH_OBJECT_TYPE PhThreadProviderType = NULL; PPH_OBJECT_TYPE PhThreadItemType = NULL; PH_WORK_QUEUE PhThreadProviderWorkQueue; PH_INITONCE PhThreadProviderWorkQueueInitOnce = PH_INITONCE_INIT; VOID PhpQueueThreadWorkQueueItem( _In_ PUSER_THREAD_START_ROUTINE Function, _In_opt_ PVOID Context ) { if (PhBeginInitOnce(&PhThreadProviderWorkQueueInitOnce)) { PhInitializeWorkQueue(&PhThreadProviderWorkQueue, 0, 1, 1000); PhEndInitOnce(&PhThreadProviderWorkQueueInitOnce); } PhQueueItemWorkQueue(&PhThreadProviderWorkQueue, Function, Context); } PPH_THREAD_PROVIDER PhCreateThreadProvider( _In_ HANDLE ProcessId ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_THREAD_PROVIDER threadProvider; if (PhBeginInitOnce(&initOnce)) { PhThreadProviderType = PhCreateObjectType(L"ThreadProvider", 0, PhpThreadProviderDeleteProcedure); PhThreadItemType = PhCreateObjectType(L"ThreadItem", 0, PhpThreadItemDeleteProcedure); PhEndInitOnce(&initOnce); } threadProvider = PhCreateObject( PhEmGetObjectSize(EmThreadProviderType, sizeof(PH_THREAD_PROVIDER)), PhThreadProviderType ); memset(threadProvider, 0, sizeof(PH_THREAD_PROVIDER)); threadProvider->ThreadHashtable = PhCreateHashtable( sizeof(PPH_THREAD_ITEM), PhpThreadHashtableEqualFunction, PhpThreadHashtableHashFunction, 20 ); PhInitializeFastLock(&threadProvider->ThreadHashtableLock); PhInitializeCallback(&threadProvider->ThreadAddedEvent); PhInitializeCallback(&threadProvider->ThreadModifiedEvent); PhInitializeCallback(&threadProvider->ThreadRemovedEvent); PhInitializeCallback(&threadProvider->UpdatedEvent); PhInitializeCallback(&threadProvider->LoadingStateChangedEvent); threadProvider->ProcessId = ProcessId; threadProvider->SymbolProvider = PhCreateSymbolProvider(ProcessId); if (threadProvider->SymbolProvider) { if (threadProvider->SymbolProvider->IsRealHandle) threadProvider->ProcessHandle = threadProvider->SymbolProvider->ProcessHandle; } PhInitializeSListHead(&threadProvider->QueryListHead); PhInitializeQueuedLock(&threadProvider->LoadSymbolsLock); threadProvider->RunId = 1; threadProvider->SymbolsLoadedRunId = 0; // Force symbols to be loaded the first time we try to resolve an address PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectCreate); return threadProvider; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpThreadProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_THREAD_PROVIDER threadProvider = (PPH_THREAD_PROVIDER)Object; PhEmCallObjectOperation(EmThreadProviderType, threadProvider, EmObjectDelete); // Dereference all thread items (we referenced them // when we added them to the hashtable). PhDereferenceAllThreadItems(threadProvider); PhDereferenceObject(threadProvider->ThreadHashtable); PhDeleteFastLock(&threadProvider->ThreadHashtableLock); PhDeleteCallback(&threadProvider->ThreadAddedEvent); PhDeleteCallback(&threadProvider->ThreadModifiedEvent); PhDeleteCallback(&threadProvider->ThreadRemovedEvent); PhDeleteCallback(&threadProvider->UpdatedEvent); PhDeleteCallback(&threadProvider->LoadingStateChangedEvent); // Destroy all queue items. { PSLIST_ENTRY entry; PPH_THREAD_QUERY_DATA data; entry = RtlInterlockedFlushSList(&threadProvider->QueryListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_THREAD_QUERY_DATA, ListEntry); entry = entry->Next; PhClearReference(&data->StartAddressString); PhClearReference(&data->ServiceName); PhDereferenceObject(data->ThreadItem); PhFree(data); } } // We don't close the process handle because it is owned by the symbol provider. if (threadProvider->SymbolProvider) PhDereferenceObject(threadProvider->SymbolProvider); } VOID PhRegisterThreadProvider( _In_ PPH_THREAD_PROVIDER ThreadProvider, _Out_ PPH_CALLBACK_REGISTRATION CallbackRegistration ) { PhReferenceObject(ThreadProvider); PhRegisterCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), PhpThreadProviderCallbackHandler, ThreadProvider, CallbackRegistration); } VOID PhUnregisterThreadProvider( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PPH_CALLBACK_REGISTRATION CallbackRegistration ) { PhUnregisterCallback(PhGetGeneralCallback(GeneralCallbackProcessProviderUpdatedEvent), CallbackRegistration); PhDereferenceObject(ThreadProvider); } VOID PhSetTerminatingThreadProvider( _Inout_ PPH_THREAD_PROVIDER ThreadProvider ) { ThreadProvider->Terminating = TRUE; } VOID PhLoadSymbolsThreadProvider( _In_ PPH_THREAD_PROVIDER ThreadProvider ) { ULONG64 runId; PhAcquireQueuedLockExclusive(&ThreadProvider->LoadSymbolsLock); runId = ThreadProvider->RunId; PhLoadSymbolProviderOptions(ThreadProvider->SymbolProvider); PhLoadSymbolProviderModules( ThreadProvider->SymbolProvider, ThreadProvider->ProcessId ); ThreadProvider->SymbolsLoadedRunId = runId; PhReleaseQueuedLockExclusive(&ThreadProvider->LoadSymbolsLock); } PPH_THREAD_ITEM PhCreateThreadItem( _In_ CLIENT_ID ClientId ) { PPH_THREAD_ITEM threadItem; threadItem = PhCreateObject( PhEmGetObjectSize(EmThreadItemType, sizeof(PH_THREAD_ITEM)), PhThreadItemType ); memset(threadItem, 0, sizeof(PH_THREAD_ITEM)); threadItem->ClientId = ClientId; PhPrintUInt32(threadItem->ThreadIdString, HandleToUlong(ClientId.UniqueThread)); PhPrintUInt32IX(threadItem->ThreadIdHexString, HandleToUlong(ClientId.UniqueThread)); PhEmCallObjectOperation(EmThreadItemType, threadItem, EmObjectCreate); return threadItem; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID PhpThreadItemDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_THREAD_ITEM threadItem = (PPH_THREAD_ITEM)Object; PhEmCallObjectOperation(EmThreadItemType, threadItem, EmObjectDelete); if (threadItem->ThreadHandle) NtClose(threadItem->ThreadHandle); if (threadItem->StartAddressWin32String) PhDereferenceObject(threadItem->StartAddressWin32String); if (threadItem->StartAddressWin32FileName) PhDereferenceObject(threadItem->StartAddressWin32FileName); if (threadItem->ServiceName) PhDereferenceObject(threadItem->ServiceName); if (!PhSystemProcessorInformation.SingleProcessorGroup) { if (threadItem->AffinityMaskGroups) PhFree(threadItem->AffinityMaskGroups); } } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpThreadHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { return (*(PPH_THREAD_ITEM *)Entry1)->ThreadId == (*(PPH_THREAD_ITEM *)Entry2)->ThreadId; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpThreadHashtableHashFunction( _In_ PVOID Entry ) { return HandleToUlong((*(PPH_THREAD_ITEM *)Entry)->ThreadId) / 4; } PPH_THREAD_ITEM PhReferenceThreadItem( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ HANDLE ThreadId ) { PH_THREAD_ITEM lookupThreadItem; PPH_THREAD_ITEM lookupThreadItemPtr = &lookupThreadItem; PPH_THREAD_ITEM *threadItemPtr; PPH_THREAD_ITEM threadItem; lookupThreadItem.ThreadId = ThreadId; PhAcquireFastLockShared(&ThreadProvider->ThreadHashtableLock); threadItemPtr = (PPH_THREAD_ITEM *)PhFindEntryHashtable( ThreadProvider->ThreadHashtable, &lookupThreadItemPtr ); if (threadItemPtr) { threadItem = *threadItemPtr; PhReferenceObject(threadItem); } else { threadItem = NULL; } PhReleaseFastLockShared(&ThreadProvider->ThreadHashtableLock); return threadItem; } VOID PhDereferenceAllThreadItems( _In_ PPH_THREAD_PROVIDER ThreadProvider ) { ULONG enumerationKey = 0; PPH_THREAD_ITEM *threadItem; PhAcquireFastLockExclusive(&ThreadProvider->ThreadHashtableLock); while (PhEnumHashtable(ThreadProvider->ThreadHashtable, (PVOID *)&threadItem, &enumerationKey)) { PhDereferenceObject(*threadItem); } PhReleaseFastLockExclusive(&ThreadProvider->ThreadHashtableLock); } VOID PhpRemoveThreadItem( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PPH_THREAD_ITEM ThreadItem ) { PhRemoveEntryHashtable(ThreadProvider->ThreadHashtable, &ThreadItem); PhDereferenceObject(ThreadItem); } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpThreadQueryWorker( _In_ PVOID Parameter ) { PPH_THREAD_QUERY_DATA data = (PPH_THREAD_QUERY_DATA)Parameter; LONG newSymbolsLoading; if (data->ThreadProvider->Terminating) goto CleanupExit; newSymbolsLoading = _InterlockedIncrement(&data->ThreadProvider->SymbolsLoading); if (newSymbolsLoading == 1) PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, UlongToPtr(TRUE)); if (data->ThreadProvider->SymbolsLoadedRunId == 0) PhLoadSymbolsThreadProvider(data->ThreadProvider); // Start address { if (data->ThreadItem->StartAddressWin32) { data->StartAddressWin32String = PhGetSymbolFromAddress( data->ThreadProvider->SymbolProvider, data->ThreadItem->StartAddressWin32, &data->StartAddressWin32ResolveLevel, &data->StartAddressWin32FileName, NULL, NULL ); if (data->StartAddressWin32ResolveLevel == PhsrlAddress && data->ThreadProvider->SymbolsLoadedRunId < data->RunId) { // The process may have loaded new modules, so load symbols for those and try again. PhLoadSymbolsThreadProvider(data->ThreadProvider); PhClearReference(&data->StartAddressWin32String); PhClearReference(&data->StartAddressWin32FileName); data->StartAddressWin32String = PhGetSymbolFromAddress( data->ThreadProvider->SymbolProvider, data->ThreadItem->StartAddressWin32, &data->StartAddressWin32ResolveLevel, &data->StartAddressWin32FileName, NULL, NULL ); } } if (data->ThreadItem->StartAddress) { data->StartAddressString = PhGetSymbolFromAddress( data->ThreadProvider->SymbolProvider, data->ThreadItem->StartAddress, &data->StartAddressResolveLevel, &data->StartAddressFileName, NULL, NULL ); if (data->StartAddressResolveLevel == PhsrlAddress && data->ThreadProvider->SymbolsLoadedRunId < data->RunId) { // The process may have loaded new modules, so load symbols for those and try again. PhLoadSymbolsThreadProvider(data->ThreadProvider); PhClearReference(&data->StartAddressString); PhClearReference(&data->StartAddressFileName); data->StartAddressString = PhGetSymbolFromAddress( data->ThreadProvider->SymbolProvider, data->ThreadItem->StartAddress, &data->StartAddressResolveLevel, &data->StartAddressFileName, NULL, NULL ); } } } newSymbolsLoading = _InterlockedDecrement(&data->ThreadProvider->SymbolsLoading); if (newSymbolsLoading == 0) PhInvokeCallback(&data->ThreadProvider->LoadingStateChangedEvent, UlongToPtr(FALSE)); // Check if the process has services - we'll need to know before getting service tag/name // information. if (!data->ThreadProvider->HasServicesKnown) { PPH_PROCESS_ITEM processItem; if (processItem = PhReferenceProcessItem(data->ThreadProvider->ProcessId)) { data->ThreadProvider->HasServices = processItem->ServiceList && processItem->ServiceList->Count != 0; PhDereferenceObject(processItem); } data->ThreadProvider->HasServicesKnown = TRUE; } // Get the service tag, and the service name. if (data->ThreadItem->ThreadHandle) { PVOID serviceTag; if (NT_SUCCESS(PhGetThreadServiceTag( data->ThreadItem->ThreadHandle, data->ThreadProvider->ProcessHandle, &serviceTag ))) { data->ServiceName = PhGetServiceNameFromTag( data->ThreadProvider->ProcessId, serviceTag ); } } CleanupExit: RtlInterlockedPushEntrySList(&data->ThreadProvider->QueryListHead, &data->ListEntry); PhDereferenceObject(data->ThreadProvider); return STATUS_SUCCESS; } VOID PhpQueueThreadQuery( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PPH_THREAD_ITEM ThreadItem ) { PPH_THREAD_QUERY_DATA data; data = PhAllocateZero(sizeof(PH_THREAD_QUERY_DATA)); PhSetReference(&data->ThreadProvider, ThreadProvider); PhSetReference(&data->ThreadItem, ThreadItem); data->RunId = ThreadProvider->RunId; PhpQueueThreadWorkQueueItem(PhpThreadQueryWorker, data); } PPH_STRING PhpGetThreadBasicStartAddress( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PVOID Address, _Out_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel ) { PVOID modBase; PPH_STRING fileName = NULL; PPH_STRING baseName = NULL; PPH_STRING symbol; modBase = PhGetModuleFromAddress( ThreadProvider->SymbolProvider, Address, &fileName ); if (fileName == NULL) { *ResolveLevel = PhsrlAddress; symbol = PhCreateStringEx(NULL, PH_PTR_STR_LEN * sizeof(WCHAR)); PhPrintPointer(symbol->Buffer, Address); PhTrimToNullTerminatorString(symbol); } else { PH_FORMAT format[3]; baseName = PhGetBaseName(fileName); *ResolveLevel = PhsrlModule; PhInitFormatSR(&format[0], baseName->sr); PhInitFormatS(&format[1], L"+0x"); PhInitFormatIX(&format[2], (ULONG_PTR)Address - (ULONG_PTR)modBase); symbol = PhFormat(format, 3, baseName->Length + 6 + 32); } if (fileName) PhDereferenceObject(fileName); if (baseName) PhDereferenceObject(baseName); return symbol; } static NTSTATUS PhThreadProviderOpenThread( _Out_ PHANDLE ThreadHandle, _In_ PPH_THREAD_ITEM ThreadItem ) { NTSTATUS status; HANDLE threadHandle; if (ThreadItem->ProcessId == SYSTEM_IDLE_PROCESS_ID) { if (HandleToUlong(ThreadItem->ThreadId) < PhSystemProcessorInformation.NumberOfProcessors) return STATUS_UNSUCCESSFUL; } status = PhOpenThreadClientId( &threadHandle, THREAD_QUERY_INFORMATION, &ThreadItem->ClientId ); if (!NT_SUCCESS(status)) { status = PhOpenThreadClientId( &threadHandle, THREAD_QUERY_LIMITED_INFORMATION, &ThreadItem->ClientId ); } if (NT_SUCCESS(status)) { *ThreadHandle = threadHandle; } return status; } static NTSTATUS PhpGetThreadCycleTime( _In_ PPH_THREAD_ITEM ThreadItem, _Out_ PULONG64 CycleTime ) { if (ThreadItem->ProcessId == SYSTEM_IDLE_PROCESS_ID) { if (HandleToUlong(ThreadItem->ThreadId) < PhSystemProcessorInformation.NumberOfProcessors) { *CycleTime = PhCpuIdleCycleTime[HandleToUlong(ThreadItem->ThreadId)].CycleTime; return STATUS_SUCCESS; } } if (ThreadItem->ThreadHandle) { return PhGetThreadCycleTime(ThreadItem->ThreadHandle, CycleTime); } return STATUS_INVALID_PARAMETER; } PCPH_STRINGREF PhGetBasePrioritySymbolicString( _In_ KPRIORITY BasePriority ) { static const PH_STRINGREF errorReturn = PH_STRINGREF_INIT(L""); static const PH_STRINGREF realTime = PH_STRINGREF_INIT(L"Real-time"); static const PH_STRINGREF idle = PH_STRINGREF_INIT(L"Idle"); static const PH_STRINGREF background = PH_STRINGREF_INIT(L"Background"); static const PH_STRINGREF timeCritical = PH_STRINGREF_INIT(L"Time critical"); static const PH_STRINGREF highest = PH_STRINGREF_INIT(L"Highest"); static const PH_STRINGREF aboveNormal = PH_STRINGREF_INIT(L"Above normal"); static const PH_STRINGREF normal = PH_STRINGREF_INIT(L"Normal"); static const PH_STRINGREF belowNormal = PH_STRINGREF_INIT(L"Below normal"); static const PH_STRINGREF lowest = PH_STRINGREF_INIT(L"Lowest"); if (BasePriority == THREAD_PRIORITY_ERROR_RETURN) return &errorReturn; // // N.B. This check is > 16 despite 16 being a real-time priority since // requesting THREAD_PRIORITY_TIME_CRITICAL actually sets the base priority // to the saturation value of LOW_REALTIME_PRIORITY. (jxy-s) // if (BasePriority > LOW_REALTIME_PRIORITY) // 16 return &realTime; if (BasePriority <= THREAD_BASE_PRIORITY_IDLE) // -15 return &idle; if (BasePriority < THREAD_BASE_PRIORITY_MIN) // -2 return &background; if (BasePriority > THREAD_BASE_PRIORITY_MAX) // 2 return &timeCritical; switch (BasePriority) { case THREAD_PRIORITY_HIGHEST: // 2 return &highest; case THREAD_PRIORITY_ABOVE_NORMAL: // 1 return &aboveNormal; case THREAD_PRIORITY_NORMAL: // 0 return &normal; case THREAD_PRIORITY_BELOW_NORMAL: // -1 return &belowNormal; case THREAD_PRIORITY_LOWEST: // -2 return &lowest; DEFAULT_UNREACHABLE; } } VOID PhThreadProviderInitialUpdate( _In_ PPH_THREAD_PROVIDER ThreadProvider ) { PVOID processes; if (NT_SUCCESS(PhEnumProcesses(&processes))) { PhpThreadProviderUpdate(ThreadProvider, processes); PhFree(processes); } } _Function_class_(PH_CALLBACK_FUNCTION) VOID PhpThreadProviderCallbackHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { if (Context && PhProcessInformation) { PhpThreadProviderUpdate((PPH_THREAD_PROVIDER)Context, PhProcessInformation); } } VOID PhpThreadProviderUpdate( _In_ PPH_THREAD_PROVIDER ThreadProvider, _In_ PVOID ProcessInformation ) { PPH_THREAD_PROVIDER threadProvider = ThreadProvider; PSYSTEM_PROCESS_INFORMATION process; SYSTEM_PROCESS_INFORMATION localProcess; PSYSTEM_THREAD_INFORMATION threads; ULONG numberOfThreads; ULONG i; process = PhFindProcessInformation(ProcessInformation, threadProvider->ProcessId); if (!process) { // The process doesn't exist anymore. Pretend it does but has no threads. process = &localProcess; process->NumberOfThreads = 0; // // We want dbghelp.dll to release the symbol files so that the exited process symbols can // be rebuilt. This is most common for developers building, inspecting with system informer, // then rebuilding without closing the process properties dialog. // // There are downstream dependencies on the symbol provider and the process handle from it, // so we can't just dereference it immediately here. // // PhUnregisterSymbolProvider will unregister this symbol provider from dbghelp.dll which // will get it to release the symbol files. This gives us the desired result without // breaking downstream logic. The consequence is that symbol resolution downstream will // fail cleanly, but it shouldn't matter in this path as it relies on being able to query // information about the process threads, which no longer exist. // if (threadProvider->SymbolProvider) PhUnregisterSymbolProvider(threadProvider->SymbolProvider); } threads = process->Threads; numberOfThreads = process->NumberOfThreads; // System Idle Process has one thread per CPU. They all have a TID of 0. We can't have duplicate // TIDs, so we'll assign unique TIDs. (wj32) if (threadProvider->ProcessId == SYSTEM_IDLE_PROCESS_ID) { ULONG processorIndex = 0; for (i = 0; i < numberOfThreads; i++) { if (!threads[i].ClientId.UniqueThread) { threads[i].ClientId.UniqueThread = UlongToHandle(processorIndex); processorIndex++; } } } // Look for dead threads. { PPH_LIST threadsToRemove = NULL; ULONG enumerationKey = 0; PPH_THREAD_ITEM *threadItem; while (PhEnumHashtable(threadProvider->ThreadHashtable, (PVOID *)&threadItem, &enumerationKey)) { BOOLEAN found = FALSE; // Check if the thread still exists. for (i = 0; i < numberOfThreads; i++) { PSYSTEM_THREAD_INFORMATION thread = &threads[i]; if ((*threadItem)->ThreadId == thread->ClientId.UniqueThread) { found = TRUE; break; } } if (!found) { // Raise the thread removed event. PhInvokeCallback(&threadProvider->ThreadRemovedEvent, *threadItem); if (!threadsToRemove) threadsToRemove = PhCreateList(2); PhAddItemList(threadsToRemove, *threadItem); } } if (threadsToRemove) { PhAcquireFastLockExclusive(&threadProvider->ThreadHashtableLock); for (i = 0; i < threadsToRemove->Count; i++) { PhpRemoveThreadItem( threadProvider, (PPH_THREAD_ITEM)threadsToRemove->Items[i] ); } PhReleaseFastLockExclusive(&threadProvider->ThreadHashtableLock); PhDereferenceObject(threadsToRemove); } } // Go through the queued thread query data. { PSLIST_ENTRY entry; PPH_THREAD_QUERY_DATA data; entry = RtlInterlockedFlushSList(&threadProvider->QueryListHead); while (entry) { data = CONTAINING_RECORD(entry, PH_THREAD_QUERY_DATA, ListEntry); entry = entry->Next; if (data->StartAddressWin32ResolveLevel == PhsrlFunction && data->StartAddressWin32String) { PhSwapReference(&data->ThreadItem->StartAddressWin32String, data->StartAddressWin32String); PhSwapReference(&data->ThreadItem->StartAddressWin32FileName, data->StartAddressWin32FileName); data->ThreadItem->StartAddressWin32ResolveLevel = data->StartAddressWin32ResolveLevel; } if (data->StartAddressResolveLevel == PhsrlFunction && data->StartAddressString) { PhSwapReference(&data->ThreadItem->StartAddressString, data->StartAddressString); PhSwapReference(&data->ThreadItem->StartAddressFileName, data->StartAddressFileName); data->ThreadItem->StartAddressResolveLevel = data->StartAddressResolveLevel; } PhMoveReference(&data->ThreadItem->ServiceName, data->ServiceName); data->ThreadItem->JustResolved = TRUE; if (data->StartAddressWin32String) PhDereferenceObject(data->StartAddressWin32String); if (data->StartAddressWin32FileName) PhDereferenceObject(data->StartAddressWin32FileName); if (data->StartAddressString) PhDereferenceObject(data->StartAddressString); if (data->StartAddressFileName) PhDereferenceObject(data->StartAddressFileName); PhDereferenceObject(data->ThreadItem); PhFree(data); } } // Look for new threads and update existing ones. for (i = 0; i < numberOfThreads; i++) { PSYSTEM_THREAD_INFORMATION thread = &threads[i]; PPH_THREAD_ITEM threadItem; THREAD_BASIC_INFORMATION basicInfo; threadItem = PhReferenceThreadItem(threadProvider, thread->ClientId.UniqueThread); if (!threadItem) { threadItem = PhCreateThreadItem(thread->ClientId); threadItem->KernelTime = thread->KernelTime; PhUpdateDelta(&threadItem->CpuKernelDelta, threadItem->KernelTime.QuadPart); threadItem->UserTime = thread->UserTime; PhUpdateDelta(&threadItem->CpuUserDelta, threadItem->UserTime.QuadPart); threadItem->CreateTime = thread->CreateTime; threadItem->StartAddress = thread->StartAddress; threadItem->Priority = thread->Priority; threadItem->ActualBasePriority = thread->BasePriority; PhUpdateDelta(&threadItem->ContextSwitchesDelta, thread->ContextSwitches); threadItem->State = thread->ThreadState; threadItem->WaitReason = thread->WaitReason; { NTSTATUS status; HANDLE threadHandle; status = PhThreadProviderOpenThread( &threadHandle, threadItem ); if (NT_SUCCESS(status)) { threadItem->ThreadHandle = threadHandle; } threadItem->ThreadHandleStatus = threadItem->StartAddressStatus = status; } // Get the cycle count. if (threadItem->ThreadHandle) { ULONG64 cycleTime; if (NT_SUCCESS(PhGetThreadCycleTime( threadItem->ThreadHandle, &cycleTime ))) { PhUpdateDelta(&threadItem->CyclesDelta, cycleTime); } } // Get the start address. if (threadItem->ThreadHandle) { NTSTATUS status; ULONG_PTR startAddress; status = PhGetThreadStartAddress( threadItem->ThreadHandle, &startAddress ); if (NT_SUCCESS(status)) { threadItem->StartAddressWin32 = (PVOID)startAddress; } threadItem->StartAddressStatus = status; } // Get the base priority increment (relative to the process priority). if (threadItem->ThreadHandle && NT_SUCCESS(PhGetThreadBasicInformation( threadItem->ThreadHandle, &basicInfo ))) { threadItem->BasePriority = basicInfo.BasePriority; } else { threadItem->BasePriority = THREAD_PRIORITY_ERROR_RETURN; } // Affinity { ULONG affinityPopulationCount = 0; if (PhSystemProcessorInformation.SingleProcessorGroup) { KAFFINITY affinityMask; if (threadItem->ThreadHandle && NT_SUCCESS(PhGetThreadAffinityMask(threadItem->ThreadHandle, &affinityMask))) { threadItem->AffinityMaskSingle = affinityMask; } else { threadItem->AffinityMaskSingle = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[0]; } affinityPopulationCount = PhCountBitsUlongPtr(threadItem->AffinityMaskSingle); } else { GROUP_AFFINITY affinity; threadItem->AffinityMaskGroups = PhAllocateZero(sizeof(KAFFINITY) * PhSystemProcessorInformation.NumberOfProcessorGroups); for (USHORT j = 0; j < PhSystemProcessorInformation.NumberOfProcessorGroups; j++) { RtlZeroMemory(&affinity, sizeof(GROUP_AFFINITY)); affinity.Group = j; if (threadItem->ThreadHandle && NT_SUCCESS(PhGetThreadGroupAffinity(threadItem->ThreadHandle, &affinity))) { threadItem->AffinityMaskGroups[j] = affinity.Mask; } else { threadItem->AffinityMaskGroups[j] = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[j]; } affinityPopulationCount += PhCountBitsUlongPtr(threadItem->AffinityMaskGroups[j]); } } threadItem->AffinityPopulationCount = affinityPopulationCount; } // Start address { // Win32 if (threadProvider->SymbolsLoadedRunId != 0 && threadItem->StartAddressWin32) { threadItem->StartAddressWin32String = PhpGetThreadBasicStartAddress( threadProvider, threadItem->StartAddressWin32, &threadItem->StartAddressWin32ResolveLevel ); } if (PhIsNullOrEmptyString(threadItem->StartAddressWin32String) && threadItem->StartAddressWin32) { threadItem->StartAddressWin32ResolveLevel = PhsrlAddress; threadItem->StartAddressWin32String = PhCreateStringEx(NULL, PH_PTR_STR_LEN * sizeof(WCHAR)); PhPrintPointer( threadItem->StartAddressWin32String->Buffer, threadItem->StartAddressWin32 ); PhTrimToNullTerminatorString(threadItem->StartAddressWin32String); } // Native if (threadProvider->SymbolsLoadedRunId != 0 && threadItem->StartAddress) { threadItem->StartAddressString = PhpGetThreadBasicStartAddress( threadProvider, threadItem->StartAddress, &threadItem->StartAddressResolveLevel ); } if (PhIsNullOrEmptyString(threadItem->StartAddressString) && threadItem->StartAddress) { threadItem->StartAddressResolveLevel = PhsrlAddress; threadItem->StartAddressString = PhCreateStringEx(NULL, PH_PTR_STR_LEN * sizeof(WCHAR)); PhPrintPointer( threadItem->StartAddressString->Buffer, threadItem->StartAddress ); PhTrimToNullTerminatorString(threadItem->StartAddressString); } } // Is it a GUI thread? if (threadItem->ThreadId) { threadItem->IsGuiThread = PhGetThreadWin32Thread(threadItem->ThreadId); } if (WindowsVersion >= WINDOWS_10_22H2 && threadItem->ThreadHandle) { if (KsiLevel() >= KphLevelMed) // threadItem->IsSubsystemProcess { ULONG lxssThreadId; if (NT_SUCCESS(KphQueryInformationThread( threadItem->ThreadHandle, KphThreadWSLThreadId, &lxssThreadId, sizeof(ULONG), NULL ))) { threadItem->LxssThreadId = lxssThreadId; PhPrintUInt32(threadItem->LxssThreadIdString, lxssThreadId); } } } if (WindowsVersion >= WINDOWS_11_22H2 && threadItem->ThreadHandle) { POWER_THROTTLING_THREAD_STATE powerThrottlingState; if (NT_SUCCESS(PhGetThreadPowerThrottlingState(threadItem->ThreadHandle, &powerThrottlingState))) { if (powerThrottlingState.ControlMask & POWER_THROTTLING_THREAD_EXECUTION_SPEED && powerThrottlingState.StateMask & POWER_THROTTLING_THREAD_EXECUTION_SPEED) { threadItem->PowerThrottling = TRUE; } } } PhpQueueThreadQuery(threadProvider, threadItem); // Add the thread item to the hashtable. PhAcquireFastLockExclusive(&threadProvider->ThreadHashtableLock); PhAddEntryHashtable(threadProvider->ThreadHashtable, &threadItem); PhReleaseFastLockExclusive(&threadProvider->ThreadHashtableLock); // Raise the thread added event. PhInvokeCallback(&threadProvider->ThreadAddedEvent, threadItem); } else { BOOLEAN modified = FALSE; if (threadItem->JustResolved) modified = TRUE; threadItem->KernelTime = thread->KernelTime; threadItem->UserTime = thread->UserTime; threadItem->State = thread->ThreadState; threadItem->WaitTime = thread->WaitTime; if (threadItem->Priority != thread->Priority) { threadItem->Priority = thread->Priority; modified = TRUE; } if (threadItem->ActualBasePriority != thread->BasePriority) { threadItem->ActualBasePriority = thread->BasePriority; modified = TRUE; } if (threadItem->WaitReason != thread->WaitReason) { threadItem->WaitReason = thread->WaitReason; modified = TRUE; } { // If the resolve level is only at address, it probably // means symbols weren't loaded the last time we // tried to get the start address. Try again. if (threadItem->StartAddressWin32ResolveLevel == PhsrlAddress) { if (threadProvider->SymbolsLoadedRunId != 0 && threadItem->StartAddressWin32) { PPH_STRING newStartAddressString; newStartAddressString = PhpGetThreadBasicStartAddress( threadProvider, threadItem->StartAddressWin32, &threadItem->StartAddressWin32ResolveLevel ); PhMoveReference( &threadItem->StartAddressWin32String, newStartAddressString ); modified = TRUE; } } if (threadItem->StartAddressResolveLevel == PhsrlAddress) { if (threadProvider->SymbolsLoadedRunId != 0 && threadItem->StartAddress) { PPH_STRING newStartAddressString; newStartAddressString = PhpGetThreadBasicStartAddress( threadProvider, threadItem->StartAddress, &threadItem->StartAddressResolveLevel ); PhMoveReference( &threadItem->StartAddressString, newStartAddressString ); modified = TRUE; } } // If we couldn't resolve the start address to a module+offset, use the StartAddress // instead of the Win32StartAddress and try again. Note that we check the resolve level // again because we may have changed it in the previous block. if (threadItem->JustResolved && threadItem->StartAddressResolveLevel == PhsrlAddress) { if (threadItem->StartAddress != thread->StartAddress) { threadItem->StartAddress = thread->StartAddress; PhpQueueThreadQuery(threadProvider, threadItem); } } } // Update the context switch count. { ULONG oldDelta; oldDelta = threadItem->ContextSwitchesDelta.Delta; PhUpdateDelta(&threadItem->ContextSwitchesDelta, thread->ContextSwitches); if (threadItem->ContextSwitchesDelta.Delta != oldDelta) { modified = TRUE; } } // Update the cycle count. { ULONG64 cycles; ULONG64 oldDelta; oldDelta = threadItem->CyclesDelta.Delta; if (NT_SUCCESS(PhpGetThreadCycleTime( threadItem, &cycles ))) { PhUpdateDelta(&threadItem->CyclesDelta, cycles); if (threadItem->CyclesDelta.Delta != oldDelta) { modified = TRUE; } } } // Update the CPU time deltas. PhUpdateDelta(&threadItem->CpuKernelDelta, threadItem->KernelTime.QuadPart); PhUpdateDelta(&threadItem->CpuUserDelta, threadItem->UserTime.QuadPart); // Update the CPU usage. // If the cycle time isn't available, we'll fall back to using the CPU time. //if (PhEnableCycleCpuUsage && (threadProvider->ProcessId == SYSTEM_IDLE_PROCESS_ID || threadItem->ThreadHandle)) //{ // threadItem->CpuUsage = (FLOAT)threadItem->CyclesDelta.Delta / PhCpuTotalCycleDelta; //} //else //{ // threadItem->CpuUsage = (FLOAT)(threadItem->CpuKernelDelta.Delta + threadItem->CpuUserDelta.Delta) / // (PhCpuKernelDelta.Delta + PhCpuUserDelta.Delta + PhCpuIdleDelta.Delta); //} // Update the CPU user/kernel usage (based on the same code from procprv.c) (dmex) { FLOAT newCpuUsage; FLOAT kernelCpuUsage; FLOAT userCpuUsage; ULONG64 totalTime; if (PhEnableCycleCpuUsage) { ULONG64 totalDelta; if (threadProvider->ProcessId == SYSTEM_IDLE_PROCESS_ID || threadItem->ThreadHandle) { newCpuUsage = (FLOAT)threadItem->CyclesDelta.Delta / PhCpuTotalCycleDelta; } else { totalTime = PhCpuKernelDelta.Delta + PhCpuUserDelta.Delta + PhCpuIdleDelta.Delta; newCpuUsage = (FLOAT)(threadItem->CpuKernelDelta.Delta + threadItem->CpuUserDelta.Delta) / totalTime; } totalDelta = (threadItem->CpuKernelDelta.Delta + threadItem->CpuUserDelta.Delta); if (totalDelta != 0) { kernelCpuUsage = newCpuUsage * (FLOAT)threadItem->CpuKernelDelta.Delta / totalDelta; userCpuUsage = newCpuUsage * (FLOAT)threadItem->CpuUserDelta.Delta / totalDelta; } else { if (threadItem->UserTime.QuadPart != 0) { kernelCpuUsage = newCpuUsage / 2; userCpuUsage = newCpuUsage / 2; } else { kernelCpuUsage = newCpuUsage; userCpuUsage = 0; } } } else { totalTime = PhCpuKernelDelta.Delta + PhCpuUserDelta.Delta + PhCpuIdleDelta.Delta; kernelCpuUsage = (FLOAT)threadItem->CpuKernelDelta.Delta / totalTime; userCpuUsage = (FLOAT)threadItem->CpuUserDelta.Delta / totalTime; newCpuUsage = kernelCpuUsage + userCpuUsage; } threadItem->CpuUsage = newCpuUsage; threadItem->CpuKernelUsage = kernelCpuUsage; threadItem->CpuUserUsage = userCpuUsage; } // Update the base priority. { KPRIORITY oldBasePriorityIncrement = threadItem->BasePriority; if (threadItem->ThreadHandle && NT_SUCCESS(PhGetThreadBasicInformation( threadItem->ThreadHandle, &basicInfo ))) { threadItem->BasePriority = basicInfo.BasePriority; } else { threadItem->BasePriority = THREAD_PRIORITY_ERROR_RETURN; } if (threadItem->BasePriority != oldBasePriorityIncrement) { modified = TRUE; } } // Affinity { ULONG affinityPopulationCount = 0; if (PhSystemProcessorInformation.SingleProcessorGroup) { KAFFINITY affinityMask; if (threadItem->ThreadHandle && NT_SUCCESS(PhGetThreadAffinityMask(threadItem->ThreadHandle, &affinityMask))) { threadItem->AffinityMaskSingle = affinityMask; } else { threadItem->AffinityMaskSingle = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[0]; } affinityPopulationCount = PhCountBitsUlongPtr(threadItem->AffinityMaskSingle); } else { for (USHORT j = 0; j < PhSystemProcessorInformation.NumberOfProcessorGroups; j++) { GROUP_AFFINITY affinity; RtlZeroMemory(&affinity, sizeof(GROUP_AFFINITY)); affinity.Group = j; if (threadItem->ThreadHandle && NT_SUCCESS(PhGetThreadGroupAffinity(threadItem->ThreadHandle, &affinity))) { threadItem->AffinityMaskGroups[j] = affinity.Mask; } else { threadItem->AffinityMaskGroups[j] = PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[j]; } affinityPopulationCount += PhCountBitsUlongPtr(threadItem->AffinityMaskGroups[j]); } } if (threadItem->AffinityPopulationCount != affinityPopulationCount) { threadItem->AffinityPopulationCount = affinityPopulationCount; modified = TRUE; } } // Update the GUI thread status. if (threadItem->ThreadId) { GUITHREADINFO info = { sizeof(GUITHREADINFO) }; BOOLEAN oldIsGuiThread = threadItem->IsGuiThread; threadItem->IsGuiThread = !!GetGUIThreadInfo(HandleToUlong(threadItem->ThreadId), &info); if (threadItem->IsGuiThread != oldIsGuiThread) modified = TRUE; } if (!threadItem->ThreadHandle || KsiLevel() < KphLevelMed || !NT_SUCCESS(KphQueryInformationThread( threadItem->ThreadHandle, KphThreadIoCounters, &threadItem->IoCounters, sizeof(IO_COUNTERS), NULL ))) { RtlZeroMemory(&threadItem->IoCounters, sizeof(IO_COUNTERS)); } threadItem->JustResolved = FALSE; if (modified) { // Raise the thread modified event. PhInvokeCallback(&threadProvider->ThreadModifiedEvent, threadItem); } PhDereferenceObject(threadItem); } } PhInvokeCallback(&threadProvider->UpdatedEvent, NULL); threadProvider->RunId++; } ================================================ FILE: SystemInformer/thrdstk.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #include #define WM_PH_COMPLETED (WM_APP + 301) //#define WM_PH_STATUS_UPDATE (WM_APP + 302) #define WM_PH_SHOWSTACKMENU (WM_APP + 303) #define WM_PH_SHOWSTACKDEFAULT (WM_APP + 304) static PPH_OBJECT_TYPE PhThreadStackContextType = NULL; static RECT MinimumSize = { -1, -1, -1, -1 }; typedef struct _PH_THREAD_STACK_CONTEXT { HANDLE ProcessId; HANDLE ThreadId; HANDLE ThreadHandle; PPH_THREAD_PROVIDER ThreadProvider; PPH_SYMBOL_PROVIDER SymbolProvider; union { ULONG Flags; struct { ULONG CustomWalk : 1; ULONG StopWalk : 1; ULONG EnableCloseDialog : 1; ULONG HighlightSystemPages : 1; ULONG HighlightUserPages : 1; ULONG HideSystemPages : 1; ULONG HideUserPages : 1; ULONG HighlightInlineFrames : 1; ULONG HideInlineFrames : 1; ULONG Spare : 23; }; }; PPH_LIST List; PPH_LIST NewList; PH_TN_FILTER_SUPPORT TreeFilterSupport; PPH_TN_FILTER_ENTRY TreeFilterEntry; HWND TaskDialogHandle; NTSTATUS WalkStatus; PPH_STRING StatusMessage; PPH_STRING StatusContent; PH_QUEUED_LOCK StatusLock; BOOLEAN SymbolProgressMarquee; BOOLEAN SymbolProgressReset; ULONG SymbolProgress; PH_LAYOUT_MANAGER LayoutManager; HWND WindowHandle; HWND ParentHandle; HWND TreeNewHandle; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; PPH_HASHTABLE NodeHashtable; PPH_LIST NodeList; PPH_LIST NodeRootList; WNDPROC ThreadStackStatusDefaultWindowProc; PH_CALLBACK_REGISTRATION SymbolProviderEventRegistration; } PH_THREAD_STACK_CONTEXT, *PPH_THREAD_STACK_CONTEXT; typedef struct _THREAD_STACK_ITEM { PH_THREAD_STACK_FRAME StackFrame; ULONG Index; PPH_STRING Symbol; PPH_STRING FileName; PPH_STRING LineText; } THREAD_STACK_ITEM, *PTHREAD_STACK_ITEM; typedef enum _PH_STACK_TREE_COLUMN_ITEM_NAME { PH_STACK_TREE_COLUMN_INDEX, PH_STACK_TREE_COLUMN_SYMBOL, PH_STACK_TREE_COLUMN_STACKADDRESS, PH_STACK_TREE_COLUMN_FRAMEADDRESS, PH_STACK_TREE_COLUMN_PARAMETER1, PH_STACK_TREE_COLUMN_PARAMETER2, PH_STACK_TREE_COLUMN_PARAMETER3, PH_STACK_TREE_COLUMN_PARAMETER4, PH_STACK_TREE_COLUMN_CONTROLADDRESS, PH_STACK_TREE_COLUMN_RETURNADDRESS, PH_STACK_TREE_COLUMN_FILENAME, PH_STACK_TREE_COLUMN_LINETEXT, PH_STACK_TREE_COLUMN_ARCHITECTURE, PH_STACK_TREE_COLUMN_FRAMEDISTANCE, TREE_COLUMN_ITEM_MAXIMUM } PH_STACK_TREE_COLUMN_ITEM_NAME; typedef struct _PH_STACK_TREE_ROOT_NODE { PH_TREENEW_NODE Node; PH_THREAD_STACK_FRAME StackFrame; ULONG Index; ULONG FrameDistance; PPH_STRING TooltipText; PPH_STRING IndexString; PPH_STRING SymbolString; PPH_STRING FileNameString; PPH_STRING LineTextString; WCHAR StackAddressString[PH_PTR_STR_LEN_1]; WCHAR FrameAddressString[PH_PTR_STR_LEN_1]; WCHAR Parameter1String[PH_PTR_STR_LEN_1]; WCHAR Parameter2String[PH_PTR_STR_LEN_1]; WCHAR Parameter3String[PH_PTR_STR_LEN_1]; WCHAR Parameter4String[PH_PTR_STR_LEN_1]; WCHAR PcAddressString[PH_PTR_STR_LEN_1]; WCHAR ReturnAddressString[PH_PTR_STR_LEN_1]; PH_STRINGREF Architecture; PPH_STRING FrameDistanceString; PH_STRINGREF TextCache[TREE_COLUMN_ITEM_MAXIMUM]; } PH_STACK_TREE_ROOT_NODE, *PPH_STACK_TREE_ROOT_NODE; typedef enum _PH_THREAD_STACK_MENUITEM { PH_THREAD_STACK_MENUITEM_INSPECT = 1, PH_THREAD_STACK_MENUITEM_OPENFILELOCATION, } PH_THREAD_STACK_MENUITEM; INT_PTR CALLBACK PhpThreadStackDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhpFreeThreadStackItem( _In_ PTHREAD_STACK_ITEM StackItem ); NTSTATUS PhpRefreshThreadStack( _In_ HWND WindowHandle, _In_ PPH_THREAD_STACK_CONTEXT ThreadStackContext ); #define SORT_FUNCTION(Column) ThreadStackTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl ThreadStackTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_THREAD_STACK_CONTEXT context = ((PPH_THREAD_STACK_CONTEXT)_context); \ PPH_STACK_TREE_ROOT_NODE node1 = *(PPH_STACK_TREE_ROOT_NODE*)_elem1; \ PPH_STACK_TREE_ROOT_NODE node2 = *(PPH_STACK_TREE_ROOT_NODE*)_elem2; \ int sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Node.Index, (ULONG_PTR)node2->Node.Index); \ \ return PhModifySort(sortResult, context->TreeNewSortOrder); \ } BEGIN_SORT_FUNCTION(Index) { sortResult = uint64cmp(node1->Index, node2->Index); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Symbol) { sortResult = PhCompareStringWithNullSortOrder(node1->SymbolString, node2->SymbolString, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StackAddress) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.StackAddress, (ULONG_PTR)node2->StackFrame.StackAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FrameAddress) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.FrameAddress, (ULONG_PTR)node2->StackFrame.FrameAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StackParameter1) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.Params[0], (ULONG_PTR)node2->StackFrame.Params[0]); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StackParameter2) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.Params[1], (ULONG_PTR)node2->StackFrame.Params[1]); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StackParameter3) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.Params[2], (ULONG_PTR)node2->StackFrame.Params[2]); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(StackParameter4) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.Params[3], (ULONG_PTR)node2->StackFrame.Params[3]); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ControlAddress) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.PcAddress, (ULONG_PTR)node2->StackFrame.PcAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ReturnAddress) { sortResult = uintptrcmp((ULONG_PTR)node1->StackFrame.ReturnAddress, (ULONG_PTR)node2->StackFrame.ReturnAddress); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FileName) { sortResult = PhCompareStringWithNullSortOrder(node1->FileNameString, node2->FileNameString, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LineText) { sortResult = PhCompareStringWithNullSortOrder(node1->LineTextString, node2->LineTextString, context->TreeNewSortOrder, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Architecture) { sortResult = ushortcmp(node1->StackFrame.Machine, node2->StackFrame.Machine); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FrameDistance) { sortResult = uintcmp(node1->FrameDistance, node2->FrameDistance); } END_SORT_FUNCTION VOID ThreadStackLoadSettingsTreeList( _Inout_ PPH_THREAD_STACK_CONTEXT Context ) { PPH_STRING settings; settings = PhGetStringSetting(SETTING_THREAD_STACK_TREE_LIST_COLUMNS); PhCmLoadSettings(Context->TreeNewHandle, &settings->sr); PhDereferenceObject(settings); } VOID ThreadStackSaveSettingsTreeList( _Inout_ PPH_THREAD_STACK_CONTEXT Context ) { PPH_STRING settings; settings = PhCmSaveSettings(Context->TreeNewHandle); PhSetStringSetting2(SETTING_THREAD_STACK_TREE_LIST_COLUMNS, &settings->sr); PhDereferenceObject(settings); } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN ThreadStackNodeHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_STACK_TREE_ROOT_NODE node1 = *(PPH_STACK_TREE_ROOT_NODE *)Entry1; PPH_STACK_TREE_ROOT_NODE node2 = *(PPH_STACK_TREE_ROOT_NODE *)Entry2; return node1->Index == node2->Index; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG ThreadStackNodeHashtableHashFunction( _In_ PVOID Entry ) { return PhHashInt32((*(PPH_STACK_TREE_ROOT_NODE*)Entry)->Index); } VOID DestroyThreadStackNode( _In_ PPH_STACK_TREE_ROOT_NODE Node ) { if (Node->TooltipText) PhDereferenceObject(Node->TooltipText); if (Node->IndexString) PhDereferenceObject(Node->IndexString); if (Node->FrameDistanceString) PhDereferenceObject(Node->FrameDistanceString); PhDereferenceObject(Node); } PPH_STACK_TREE_ROOT_NODE AddThreadStackNode( _Inout_ PPH_THREAD_STACK_CONTEXT Context, _In_ ULONG Index ) { PPH_STACK_TREE_ROOT_NODE threadStackNode; threadStackNode = PhCreateAlloc(sizeof(PH_STACK_TREE_ROOT_NODE)); memset(threadStackNode, 0, sizeof(PH_STACK_TREE_ROOT_NODE)); PhInitializeTreeNewNode(&threadStackNode->Node); memset(threadStackNode->TextCache, 0, sizeof(PH_STRINGREF) * TREE_COLUMN_ITEM_MAXIMUM); threadStackNode->Node.TextCache = threadStackNode->TextCache; threadStackNode->Node.TextCacheSize = TREE_COLUMN_ITEM_MAXIMUM; threadStackNode->Index = Index; PhAddEntryHashtable(Context->NodeHashtable, &threadStackNode); PhAddItemList(Context->NodeList, threadStackNode); // TreeNew_NodesStructured(Context->TreeNewHandle); return threadStackNode; } PPH_STACK_TREE_ROOT_NODE FindThreadStackNode( _In_ PPH_THREAD_STACK_CONTEXT Context, _In_ ULONG Index ) { PH_STACK_TREE_ROOT_NODE lookupThreadStackNode; PPH_STACK_TREE_ROOT_NODE lookupThreadStackNodePtr = &lookupThreadStackNode; PPH_STACK_TREE_ROOT_NODE *threadStackNode; lookupThreadStackNode.Index = Index; threadStackNode = (PPH_STACK_TREE_ROOT_NODE*)PhFindEntryHashtable( Context->NodeHashtable, &lookupThreadStackNodePtr ); if (threadStackNode) return *threadStackNode; else return NULL; } VOID RemoveThreadStackNode( _In_ PPH_THREAD_STACK_CONTEXT Context, _In_ PPH_STACK_TREE_ROOT_NODE Node ) { ULONG index = 0; PhRemoveEntryHashtable(Context->NodeHashtable, &Node); if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) { PhRemoveItemList(Context->NodeList, index); } DestroyThreadStackNode(Node); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID UpdateThreadStackNode( _In_ PPH_THREAD_STACK_CONTEXT Context, _In_ PPH_STACK_TREE_ROOT_NODE Node ) { memset(Node->TextCache, 0, sizeof(PH_STRINGREF) * TREE_COLUMN_ITEM_MAXIMUM); PhInvalidateTreeNewNode(&Node->Node, TN_CACHE_COLOR); TreeNew_NodesStructured(Context->TreeNewHandle); } BOOLEAN NTAPI ThreadStackTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_THREAD_STACK_CONTEXT context = Context; PPH_STACK_TREE_ROOT_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_STACK_TREE_ROOT_NODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Index), SORT_FUNCTION(Symbol), SORT_FUNCTION(StackAddress), SORT_FUNCTION(FrameAddress), SORT_FUNCTION(StackParameter1), SORT_FUNCTION(StackParameter2), SORT_FUNCTION(StackParameter3), SORT_FUNCTION(StackParameter4), SORT_FUNCTION(ControlAddress), SORT_FUNCTION(ReturnAddress), SORT_FUNCTION(FileName), SORT_FUNCTION(LineText), SORT_FUNCTION(Architecture), SORT_FUNCTION(FrameDistance), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == TREE_COLUMN_ITEM_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < TREE_COLUMN_ITEM_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = (PPH_TREENEW_IS_LEAF)Parameter1; node = (PPH_STACK_TREE_ROOT_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; node = (PPH_STACK_TREE_ROOT_NODE)getCellText->Node; switch (getCellText->Id) { case PH_STACK_TREE_COLUMN_INDEX: { PhMoveReference(&node->IndexString, PhFormatUInt64(node->Index, TRUE)); getCellText->Text = PhGetStringRef(node->IndexString); } break; case PH_STACK_TREE_COLUMN_SYMBOL: getCellText->Text = PhGetStringRef(node->SymbolString); break; case PH_STACK_TREE_COLUMN_STACKADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, node->StackAddressString); break; case PH_STACK_TREE_COLUMN_FRAMEADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, node->FrameAddressString); break; case PH_STACK_TREE_COLUMN_PARAMETER1: PhInitializeStringRefLongHint(&getCellText->Text, node->Parameter1String); break; case PH_STACK_TREE_COLUMN_PARAMETER2: PhInitializeStringRefLongHint(&getCellText->Text, node->Parameter2String); break; case PH_STACK_TREE_COLUMN_PARAMETER3: PhInitializeStringRefLongHint(&getCellText->Text, node->Parameter3String); break; case PH_STACK_TREE_COLUMN_PARAMETER4: PhInitializeStringRefLongHint(&getCellText->Text, node->Parameter4String); break; case PH_STACK_TREE_COLUMN_CONTROLADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, node->PcAddressString); break; case PH_STACK_TREE_COLUMN_RETURNADDRESS: PhInitializeStringRefLongHint(&getCellText->Text, node->ReturnAddressString); break; case PH_STACK_TREE_COLUMN_FILENAME: getCellText->Text = PhGetStringRef(node->FileNameString); break; case PH_STACK_TREE_COLUMN_LINETEXT: getCellText->Text = PhGetStringRef(node->LineTextString); break; case PH_STACK_TREE_COLUMN_ARCHITECTURE: getCellText->Text = node->Architecture; break; case PH_STACK_TREE_COLUMN_FRAMEDISTANCE: { if (node->FrameDistance) PhMoveReference(&node->FrameDistanceString, PhFormatSize(node->FrameDistance, ULONG_MAX)); getCellText->Text = PhGetStringRef(node->FrameDistanceString); } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; node = (PPH_STACK_TREE_ROOT_NODE)getNodeColor->Node; if (context->HighlightInlineFrames && PhIsStackFrameTypeInline(node->StackFrame.InlineFrameContext)) { getNodeColor->BackColor = PhGetIntegerSetting(SETTING_COLOR_INLINE_THREAD_STACK); } else if (context->HighlightSystemPages && (ULONG_PTR)node->StackFrame.PcAddress > PhSystemBasicInformation.MaximumUserModeAddress) { getNodeColor->BackColor = PhGetIntegerSetting(SETTING_COLOR_SYSTEM_THREAD_STACK); } else if (context->HighlightUserPages && (ULONG_PTR)node->StackFrame.PcAddress <= PhSystemBasicInformation.MaximumUserModeAddress) { getNodeColor->BackColor = PhGetIntegerSetting(L"ColorUserThreadStack"); getNodeColor->BackColor = PhGetIntegerSetting(SETTING_COLOR_USER_THREAD_STACK); } getNodeColor->Flags = TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; SendMessage( context->WindowHandle, WM_COMMAND, WM_PH_SHOWSTACKMENU, (LPARAM)contextMenuEvent ); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case VK_F5: SendMessage(context->WindowHandle, WM_COMMAND, IDC_REFRESH, 0); break; case 'C': if (GetKeyState(VK_CONTROL) < 0) SendMessage(context->WindowHandle, WM_COMMAND, IDC_COPY, 0); break; } } return TRUE; case TreeNewLeftDoubleClick: { SendMessage(context->WindowHandle, WM_COMMAND, WM_PH_SHOWSTACKDEFAULT, 0); } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = AscendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewGetCellTooltip: { PPH_TREENEW_GET_CELL_TOOLTIP getCellTooltip = Parameter1; node = (PPH_STACK_TREE_ROOT_NODE)getCellTooltip->Node; if (getCellTooltip->Column->Id != 0) return FALSE; if (!node->TooltipText) { PH_STRING_BUILDER stringBuilder; PPH_STRING fileName; PH_SYMBOL_LINE_INFORMATION lineInfo; PhInitializeStringBuilder(&stringBuilder, 40); if (PhGetLineFromAddress( context->SymbolProvider, node->StackFrame.PcAddress, &fileName, NULL, &lineInfo )) { PH_FORMAT format[5]; SIZE_T returnLength; WCHAR buffer[0x100]; PhMoveReference(&fileName, PhGetFileName(fileName)); // File: %s: line %lu\n PhInitFormatS(&format[0], L"File: "); PhInitFormatSR(&format[1], fileName->sr); PhInitFormatS(&format[2], L": line "); PhInitFormatU(&format[3], lineInfo.LineNumber); PhInitFormatS(&format[4], L"\n"); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder( &stringBuilder, L"File: %s: line %lu\n", fileName->Buffer, lineInfo.LineNumber ); } PhDereferenceObject(fileName); } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); if (PhPluginsEnabled) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackGetTooltip; control.UniqueKey = context; control.u.GetTooltip.StackFrame = &node->StackFrame; control.u.GetTooltip.StringBuilder = &stringBuilder; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } node->TooltipText = PhFinalStringBuilderString(&stringBuilder); } if (!PhIsNullOrEmptyString(node->TooltipText)) { getCellTooltip->Text = node->TooltipText->sr; getCellTooltip->Unfolding = FALSE; getCellTooltip->Font = NULL; // use default font getCellTooltip->MaximumWidth = 550; } else { return FALSE; } } return TRUE; case TreeNewGetDialogCode: { PULONG code = Parameter2; if (PtrToUlong(Parameter1) == VK_F5) { *code = DLGC_WANTMESSAGE; return TRUE; } } return FALSE; } return FALSE; } VOID ClearThreadStackTree( _In_ PPH_THREAD_STACK_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) DestroyThreadStackNode(Context->NodeList->Items[i]); PhClearHashtable(Context->NodeHashtable); PhClearList(Context->NodeList); } PPH_STACK_TREE_ROOT_NODE GetSelectedThreadStackNode( _In_ PPH_THREAD_STACK_CONTEXT Context ) { PPH_STACK_TREE_ROOT_NODE stackNode = NULL; for (ULONG i = 0; i < Context->NodeList->Count; i++) { stackNode = Context->NodeList->Items[i]; if (stackNode->Node.Selected) return stackNode; } return NULL; } _Success_(return) BOOLEAN GetSelectedThreadStackNodes( _In_ PPH_THREAD_STACK_CONTEXT Context, _Out_ PPH_STACK_TREE_ROOT_NODE **Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_STACK_TREE_ROOT_NODE node = (PPH_STACK_TREE_ROOT_NODE)Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpThreadStackTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_ PVOID Context ) { PPH_THREAD_STACK_CONTEXT stackContext = Context; PPH_STACK_TREE_ROOT_NODE stackNode = (PPH_STACK_TREE_ROOT_NODE)Node; if (stackContext->HideSystemPages && (ULONG_PTR)stackNode->StackFrame.PcAddress > PhSystemBasicInformation.MaximumUserModeAddress) return FALSE; if (stackContext->HideUserPages && (ULONG_PTR)stackNode->StackFrame.PcAddress <= PhSystemBasicInformation.MaximumUserModeAddress) return FALSE; if (stackContext->HideInlineFrames && PhIsStackFrameTypeInline(stackNode->StackFrame.InlineFrameContext)) return FALSE; return TRUE; } VOID InitializeThreadStackTree( _Inout_ PPH_THREAD_STACK_CONTEXT Context ) { Context->NodeList = PhCreateList(100); Context->NodeHashtable = PhCreateHashtable( sizeof(PPH_STACK_TREE_ROOT_NODE), ThreadStackNodeHashtableEqualFunction, ThreadStackNodeHashtableHashFunction, 100 ); PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); TreeNew_SetCallback(Context->TreeNewHandle, ThreadStackTreeNewCallback, Context); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_INDEX, TRUE, L"#", 30, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_SYMBOL, TRUE, L"Name", 250, PH_ALIGN_LEFT, 1, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_STACKADDRESS, FALSE, L"Stack address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_FRAMEADDRESS, FALSE, L"Frame address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_PARAMETER1, FALSE, L"Stack parameter #1", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_PARAMETER2, FALSE, L"Stack parameter #2", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_PARAMETER3, FALSE, L"Stack parameter #3", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_PARAMETER4, FALSE, L"Stack parameter #4", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_CONTROLADDRESS, FALSE, L"Control address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_RETURNADDRESS, FALSE, L"Return address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_FILENAME, FALSE, L"File name", 100, PH_ALIGN_LEFT, ULONG_MAX, DT_PATH_ELLIPSIS); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_LINETEXT, FALSE, L"Line number", 100, PH_ALIGN_LEFT, ULONG_MAX, DT_PATH_ELLIPSIS); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_ARCHITECTURE, FALSE, L"Architecture", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_FRAMEDISTANCE, FALSE, L"Frame distance", 100, PH_ALIGN_RIGHT, ULONG_MAX, DT_RIGHT); PhInitializeTreeNewFilterSupport(&Context->TreeFilterSupport, Context->TreeNewHandle, Context->NodeList); Context->TreeFilterEntry = PhAddTreeNewFilter(&Context->TreeFilterSupport, PhpThreadStackTreeFilterCallback, Context); TreeNew_SetSort(Context->TreeNewHandle, PH_STACK_TREE_COLUMN_INDEX, AscendingSortOrder); TreeNew_SetTriState(Context->TreeNewHandle, FALSE); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); ThreadStackLoadSettingsTreeList(Context); } VOID DeleteThreadStackTree( _In_ PPH_THREAD_STACK_CONTEXT Context ) { PhRemoveTreeNewFilter(&Context->TreeFilterSupport, Context->TreeFilterEntry); PhDeleteTreeNewFilterSupport(&Context->TreeFilterSupport); ThreadStackSaveSettingsTreeList(Context); for (ULONG i = 0; i < Context->NodeList->Count; i++) { DestroyThreadStackNode(Context->NodeList->Items[i]); } PhDereferenceObject(Context->NodeHashtable); PhDereferenceObject(Context->NodeList); } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpThreadStackContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_THREAD_STACK_CONTEXT context = (PPH_THREAD_STACK_CONTEXT)Object; if (context->StatusMessage) PhDereferenceObject(context->StatusMessage); if (context->StatusContent) PhDereferenceObject(context->StatusContent); if (context->NewList) PhDereferenceObject(context->NewList); if (context->List) PhDereferenceObject(context->List); if (context->ThreadHandle) NtClose(context->ThreadHandle); } VOID PhShowThreadStackDialog( _In_ HWND ParentWindowHandle, _In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ PPH_THREAD_PROVIDER ThreadProvider ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; NTSTATUS status; HANDLE threadHandle; PPH_THREAD_STACK_CONTEXT context; // If the user is trying to view a system thread stack // but KSystemInformer is not loaded, show an error message. if (ProcessId == SYSTEM_PROCESS_ID && (KsiLevel() < KphLevelMed)) { PhShowKsiNotConnected( ParentWindowHandle, L"Inspecting kernel stacks requires a connection to the kernel driver." ); return; } // The idle process has pseudo CIDs (dmex) if (ProcessId == SYSTEM_IDLE_PROCESS_ID && HandleToUlong(ThreadId) < PhSystemProcessorInformation.NumberOfProcessors) { PhShowStatus(ParentWindowHandle, L"Unable to open the thread.", STATUS_UNSUCCESSFUL, 0); return; } if (!NT_SUCCESS(status = PhOpenThread( &threadHandle, THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, ThreadId ))) { status = PhOpenThread( &threadHandle, THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT, ThreadId ); } if (!NT_SUCCESS(status)) { PhShowStatus(ParentWindowHandle, L"Unable to open the thread.", status, 0); return; } if (PhBeginInitOnce(&initOnce)) { PhThreadStackContextType = PhCreateObjectType(L"ThreadStackContext", 0, PhpThreadStackContextDeleteProcedure); PhEndInitOnce(&initOnce); } context = PhCreateObjectZero(sizeof(PH_THREAD_STACK_CONTEXT), PhThreadStackContextType); context->List = PhCreateList(10); context->NewList = PhCreateList(10); PhInitializeQueuedLock(&context->StatusLock); context->ParentHandle = ParentWindowHandle; context->ThreadHandle = threadHandle; context->ProcessId = ProcessId; context->ThreadId = ThreadId; context->ThreadProvider = ThreadProvider; context->SymbolProvider = ThreadProvider->SymbolProvider; PhDialogBox( PhInstanceHandle, MAKEINTRESOURCE(IDD_THRDSTACK), ParentWindowHandle, PhpThreadStackDlgProc, context ); } INT_PTR CALLBACK PhpThreadStackDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_THREAD_STACK_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PPH_THREAD_STACK_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { NTSTATUS status; context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_TREELIST); context->HighlightUserPages = !!PhGetIntegerSetting(SETTING_USE_COLOR_USER_THREAD_STACK); context->HighlightSystemPages = !!PhGetIntegerSetting(SETTING_USE_COLOR_SYSTEM_THREAD_STACK); context->HighlightInlineFrames = !!PhGetIntegerSetting(SETTING_USE_COLOR_INLINE_THREAD_STACK); PhSetWindowExStyle(context->TreeNewHandle, WS_EX_CLIENTEDGE, 0); PhSetApplicationWindowIcon(hwndDlg); PhSetWindowText(hwndDlg, PhaFormatString(L"Stack - thread %lu", HandleToUlong(context->ThreadId))->Buffer); InitializeThreadStackTree(context); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_OPTIONS), NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_COPY), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REFRESH), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDOK), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); if (MinimumSize.left == -1) { RECT rect; rect.left = 0; rect.top = 0; rect.right = 190; rect.bottom = 120; MapDialogRect(hwndDlg, &rect); MinimumSize = rect; MinimumSize.left = 0; } PhLoadWindowPlacementFromSetting(NULL, SETTING_THREAD_STACK_WINDOW_SIZE, hwndDlg); PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhSetDialogFocus(hwndDlg, context->TreeNewHandle); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); if (PhPluginsEnabled) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackInitializing; control.UniqueKey = context; control.u.Initializing.ProcessId = context->ProcessId; control.u.Initializing.ThreadId = context->ThreadId; control.u.Initializing.ThreadHandle = context->ThreadHandle; control.u.Initializing.ProcessHandle = context->SymbolProvider->ProcessHandle; control.u.Initializing.SymbolProvider = context->SymbolProvider; control.u.Initializing.CustomWalk = FALSE; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); context->CustomWalk = control.u.Initializing.CustomWalk; } status = PhpRefreshThreadStack(hwndDlg, context); if (status == STATUS_ABANDONED) EndDialog(hwndDlg, IDCANCEL); else if (!NT_SUCCESS(status)) { // HACK: Show error dialog on the parent window. PhShowStatus(GetParent(hwndDlg), L"Unable to load the stack.", status, 0); EndDialog(hwndDlg, IDCANCEL); } } break; case WM_DESTROY: { context->StopWalk = TRUE; DeleteThreadStackTree(context); PhDeleteLayoutManager(&context->LayoutManager); if (PhPluginsEnabled) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackUninitializing; control.UniqueKey = context; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } for (ULONG i = 0; i < context->List->Count; i++) PhpFreeThreadStackItem(context->List->Items[i]); PhSaveWindowPlacementToSetting(NULL, L"ThreadStackWindowSize", hwndDlg); PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDereferenceObject(context); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: EndDialog(hwndDlg, IDOK); break; case IDC_REFRESH: { NTSTATUS status; if (!NT_SUCCESS(status = PhpRefreshThreadStack(hwndDlg, context))) { PhShowStatus(hwndDlg, L"Unable to refresh the stack.", status, 0); } } break; case WM_PH_SHOWSTACKMENU: { PPH_EMENU menu; PPH_STACK_TREE_ROOT_NODE selectedNode; PPH_EMENU_ITEM selectedItem; PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; if (selectedNode = GetSelectedThreadStackNode(context)) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(PH_EMENU_DEFAULT, PH_THREAD_STACK_MENUITEM_INSPECT, L"&Inspect", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, PH_THREAD_STACK_MENUITEM_OPENFILELOCATION, L"Open &file location", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, context->TreeNewHandle, contextMenuEvent->Column); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { BOOLEAN handled = FALSE; handled = PhHandleCopyCellEMenuItem(selectedItem); if (handled) break; switch (selectedItem->Id) { case PH_THREAD_STACK_MENUITEM_INSPECT: { if (!PhIsNullOrEmptyString(selectedNode->FileNameString) && PhDoesFileExistWin32(PhGetString(selectedNode->FileNameString))) { PhShellExecuteUserString( hwndDlg, SETTING_PROGRAM_INSPECT_EXECUTABLES, PhGetString(selectedNode->FileNameString), FALSE, L"Make sure the PE Viewer executable file is present." ); } } break; case PH_THREAD_STACK_MENUITEM_OPENFILELOCATION: { if (!PhIsNullOrEmptyString(selectedNode->FileNameString) && PhDoesFileExistWin32(PhGetString(selectedNode->FileNameString))) { PhShellExecuteUserString( hwndDlg, SETTING_FILE_BROWSE_EXECUTABLE, PhGetString(selectedNode->FileNameString), FALSE, L"Make sure the Explorer executable file is present." ); } } break; case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(context->TreeNewHandle, 0); PhSetClipboardString(context->TreeNewHandle, &text->sr); PhDereferenceObject(text); } break; } } PhDestroyEMenu(menu); } } break; case WM_PH_SHOWSTACKDEFAULT: { PPH_STACK_TREE_ROOT_NODE selectedNode; if (selectedNode = GetSelectedThreadStackNode(context)) { if (!PhIsNullOrEmptyString(selectedNode->FileNameString) && PhDoesFileExistWin32(PhGetString(selectedNode->FileNameString))) { PhShellExecuteUserString( hwndDlg, SETTING_PROGRAM_INSPECT_EXECUTABLES, PhGetString(selectedNode->FileNameString), FALSE, L"Make sure the PE Viewer executable file is present." ); } } } break; case IDC_OPTIONS: { RECT rect; PPH_EMENU menu; PPH_EMENU_ITEM hideUserItem; PPH_EMENU_ITEM hideSystemItem; PPH_EMENU_ITEM hideInlineItem; PPH_EMENU_ITEM userItem; PPH_EMENU_ITEM systemItem; PPH_EMENU_ITEM inlineItem; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GET_WM_COMMAND_HWND(wParam, lParam), &rect)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, hideUserItem = PhCreateEMenuItem(0, 1, L"Hide user frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, hideSystemItem = PhCreateEMenuItem(0, 2, L"Hide system frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, hideInlineItem = PhCreateEMenuItem(0, 3, L"Hide inline frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, userItem = PhCreateEMenuItem(0, 4, L"Highlight user frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, systemItem = PhCreateEMenuItem(0, 5, L"Highlight system frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, inlineItem = PhCreateEMenuItem(0, 6, L"Highlight inline frames", NULL, NULL), ULONG_MAX); if (context->HideUserPages) hideUserItem->Flags |= PH_EMENU_CHECKED; if (context->HideSystemPages) hideSystemItem->Flags |= PH_EMENU_CHECKED; if (context->HideInlineFrames) hideInlineItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightUserPages) userItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightSystemPages) systemItem->Flags |= PH_EMENU_CHECKED; if (context->HighlightInlineFrames) inlineItem->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, GET_WM_COMMAND_HWND(wParam, lParam), PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_BOTTOM, rect.left, rect.top ); if (selectedItem && selectedItem->Id) { if (selectedItem->Id == 1) { context->HideUserPages = !context->HideUserPages; } else if (selectedItem->Id == 2) { context->HideSystemPages = !context->HideSystemPages; } else if (selectedItem->Id == 3) { context->HideInlineFrames = !context->HideInlineFrames; } else if (selectedItem->Id == 4) { context->HighlightUserPages = !context->HighlightUserPages; PhSetIntegerSetting(SETTING_USE_COLOR_USER_THREAD_STACK, context->HighlightUserPages); } else if (selectedItem->Id == 5) { context->HighlightSystemPages = !context->HighlightSystemPages; PhSetIntegerSetting(SETTING_USE_COLOR_SYSTEM_THREAD_STACK, context->HighlightSystemPages); } else if (selectedItem->Id == 6) { context->HighlightInlineFrames = !context->HighlightInlineFrames; PhSetIntegerSetting(SETTING_USE_COLOR_INLINE_THREAD_STACK, context->HighlightInlineFrames); } PhApplyTreeNewFilters(&context->TreeFilterSupport); } PhDestroyEMenu(menu); } break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, MinimumSize.right, MinimumSize.bottom); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhpFreeThreadStackItem( _In_ PTHREAD_STACK_ITEM StackItem ) { if (StackItem->Symbol) PhDereferenceObject(StackItem->Symbol); if (StackItem->FileName) PhDereferenceObject(StackItem->FileName); if (StackItem->LineText) PhDereferenceObject(StackItem->LineText); PhFree(StackItem); } BOOLEAN NTAPI PhpWalkThreadStackCallback( _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_ PVOID Context ) { PPH_THREAD_STACK_CONTEXT threadStackContext = (PPH_THREAD_STACK_CONTEXT)Context; PPH_STRING symbol; PPH_STRING fileName = NULL; PPH_STRING lineText = NULL; PTHREAD_STACK_ITEM item; PVOID baseAddress = NULL; BOOLEAN enableStackFrameInlineInfo; BOOLEAN enableStackFrameLineInfo; if (threadStackContext->StopWalk) return FALSE; enableStackFrameInlineInfo = !!PhGetIntegerSetting(SETTING_ENABLE_THREAD_STACK_INLINE_SYMBOLS); enableStackFrameLineInfo = !!PhGetIntegerSetting(SETTING_ENABLE_THREAD_STACK_LINE_INFORMATION); PhAcquireQueuedLockExclusive(&threadStackContext->StatusLock); { if (threadStackContext->NewList->Count) { PH_FORMAT format[3]; PhInitFormatS(&format[0], L"Processing stack frame #"); PhInitFormatU(&format[1], threadStackContext->NewList->Count); PhInitFormatS(&format[2], L"..."); PhMoveReference(&threadStackContext->StatusMessage, PhFormat(format, RTL_NUMBER_OF(format), 0)); } else { PhMoveReference(&threadStackContext->StatusMessage, PhCreateString(L"Processing stack frames...")); } } PhReleaseQueuedLockExclusive(&threadStackContext->StatusLock); if (enableStackFrameInlineInfo && PhSymbolProviderInlineContextSupported()) { symbol = PhGetSymbolFromInlineContext( threadStackContext->SymbolProvider, StackFrame, NULL, &fileName, NULL, NULL, &baseAddress ); if (symbol && (StackFrame->Machine == IMAGE_FILE_MACHINE_I386) && !(StackFrame->Flags & PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT)) { PhMoveReference(&symbol, PhConcatStringRefZ(&symbol->sr, L" (No unwind info)")); } if (PhPluginsEnabled) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackResolveSymbol; control.UniqueKey = threadStackContext; control.u.ResolveSymbol.StackFrame = StackFrame; control.u.ResolveSymbol.Symbol = symbol; control.u.ResolveSymbol.FileName = fileName; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); symbol = control.u.ResolveSymbol.Symbol; fileName = control.u.ResolveSymbol.FileName; } if (enableStackFrameLineInfo) { PPH_STRING lineFileName; PH_SYMBOL_LINE_INFORMATION lineInfo; if (PhGetLineFromInlineContext( threadStackContext->SymbolProvider, StackFrame, baseAddress, &lineFileName, NULL, &lineInfo )) { PH_FORMAT format[3]; PhInitFormatSR(&format[0], lineFileName->sr); PhInitFormatS(&format[1], L" @ "); PhInitFormatU(&format[2], lineInfo.LineNumber); lineText = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(lineFileName); } } if (symbol && PhIsStackFrameTypeInline(StackFrame->InlineFrameContext)) { PhMoveReference(&symbol, PhConcatStringRefZ(&symbol->sr, L" (Inline function)")); } } else { symbol = PhGetSymbolFromAddress( threadStackContext->SymbolProvider, StackFrame->PcAddress, NULL, &fileName, NULL, NULL ); if (symbol && (StackFrame->Machine == IMAGE_FILE_MACHINE_I386) && !(StackFrame->Flags & PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT)) { PhMoveReference(&symbol, PhConcatStringRefZ(&symbol->sr, L" (No unwind info)")); } if (PhPluginsEnabled) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackResolveSymbol; control.UniqueKey = threadStackContext; control.u.ResolveSymbol.StackFrame = StackFrame; control.u.ResolveSymbol.Symbol = symbol; control.u.ResolveSymbol.FileName = fileName; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); symbol = control.u.ResolveSymbol.Symbol; fileName = control.u.ResolveSymbol.FileName; } if (enableStackFrameLineInfo) { PPH_STRING lineFileName; PH_SYMBOL_LINE_INFORMATION lineInfo; if (PhGetLineFromAddress( threadStackContext->SymbolProvider, StackFrame->PcAddress, &lineFileName, NULL, &lineInfo )) { PH_FORMAT format[3]; PhInitFormatSR(&format[0], lineFileName->sr); PhInitFormatS(&format[1], L" @ "); PhInitFormatU(&format[2], lineInfo.LineNumber); lineText = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(lineFileName); } } } item = PhAllocateZero(sizeof(THREAD_STACK_ITEM)); item->StackFrame = *StackFrame; item->Index = threadStackContext->NewList->Count; item->Symbol = symbol; item->FileName = fileName; item->LineText = lineText; PhAddItemList(threadStackContext->NewList, item); if ( // Zero inline frames so the stack matches windbg output. (dmex) PhSymbolProviderInlineContextSupported() && PhIsStackFrameTypeInline(StackFrame->InlineFrameContext) ) { // Note: Only zero the item->StackFrame local copy. (dmex) item->StackFrame.PcAddress = 0; item->StackFrame.ReturnAddress = 0; item->StackFrame.FrameAddress = 0; item->StackFrame.StackAddress = 0; memset(item->StackFrame.Params, 0, sizeof(item->StackFrame.Params)); } return TRUE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpRefreshThreadStackThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; NTSTATUS status; PPH_THREAD_STACK_CONTEXT threadStackContext = Parameter; CLIENT_ID clientId; BOOLEAN defaultWalk; PhInitializeAutoPool(&autoPool); PhLoadSymbolProviderOptions(threadStackContext->SymbolProvider); PhLoadSymbolProviderModules(threadStackContext->SymbolProvider, threadStackContext->ProcessId); clientId.UniqueProcess = threadStackContext->ProcessId; clientId.UniqueThread = threadStackContext->ThreadId; defaultWalk = TRUE; if (threadStackContext->CustomWalk) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackWalkStack; control.UniqueKey = threadStackContext; control.u.WalkStack.Status = STATUS_UNSUCCESSFUL; control.u.WalkStack.ThreadHandle = threadStackContext->ThreadHandle; control.u.WalkStack.ProcessHandle = threadStackContext->SymbolProvider->ProcessHandle; control.u.WalkStack.ClientId = &clientId; control.u.WalkStack.Flags = PH_WALK_USER_WOW64_STACK | PH_WALK_USER_STACK | PH_WALK_KERNEL_STACK; control.u.WalkStack.Callback = PhpWalkThreadStackCallback; control.u.WalkStack.CallbackContext = threadStackContext; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); status = control.u.WalkStack.Status; if (NT_SUCCESS(status)) defaultWalk = FALSE; } if (defaultWalk) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.UniqueKey = threadStackContext; if (PhPluginsEnabled) { control.Type = PluginThreadStackBeginDefaultWalkStack; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } status = PhWalkThreadStack( threadStackContext->ThreadHandle, threadStackContext->SymbolProvider->ProcessHandle, &clientId, threadStackContext->SymbolProvider, PH_WALK_USER_WOW64_STACK | PH_WALK_USER_STACK | PH_WALK_KERNEL_STACK, PhpWalkThreadStackCallback, threadStackContext ); if (PhPluginsEnabled) { control.Type = PluginThreadStackEndDefaultWalkStack; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } } if (threadStackContext->NewList->Count != 0) status = STATUS_SUCCESS; threadStackContext->WalkStatus = status; PostMessage(threadStackContext->TaskDialogHandle, WM_PH_COMPLETED, 0, 0); PhDeleteAutoPool(&autoPool); PhDereferenceObject(threadStackContext); return STATUS_SUCCESS; } LRESULT CALLBACK PhpThreadStackTaskDialogSubclassProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_THREAD_STACK_CONTEXT context; WNDPROC oldWndProc; if (!(context = PhGetWindowContext(hwndDlg, 0xF))) return 0; oldWndProc = context->ThreadStackStatusDefaultWindowProc; switch (uMsg) { case WM_NCDESTROY: { PhSetWindowProcedure(hwndDlg, oldWndProc); PhRemoveWindowContext(hwndDlg, 0xF); } break; case WM_PH_COMPLETED: { context->EnableCloseDialog = TRUE; SendMessage(hwndDlg, TDM_CLICK_BUTTON, IDOK, 0); } break; } return CallWindowProc(oldWndProc, hwndDlg, uMsg, wParam, lParam); } _Function_class_(PH_CALLBACK_FUNCTION) VOID PhpSymbolProviderEventCallbackHandler( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ) { PPH_SYMBOL_EVENT_DATA event = Parameter; PPH_THREAD_STACK_CONTEXT context = Context; PPH_STRING statusMessage = NULL; ULONG statusProgress = 0; if (!event) return; if (!context) return; switch (event->EventType) { case PH_SYMBOL_EVENT_TYPE_LOAD_START: statusMessage = PhReferenceObject(event->EventMessage); break; case PH_SYMBOL_EVENT_TYPE_LOAD_END: statusMessage = PhCreateString(L"Loading symbols..."); break; case PH_SYMBOL_EVENT_TYPE_PROGRESS: { statusMessage = PhReferenceObject(event->EventMessage); statusProgress = (ULONG)event->EventProgress; } break; } if (statusMessage) { PhAcquireQueuedLockExclusive(&context->StatusLock); PhMoveReference(&context->StatusContent, statusMessage); context->SymbolProgress = statusProgress; PhReleaseQueuedLockExclusive(&context->StatusLock); } } HRESULT CALLBACK PhpThreadStackTaskDialogCallback( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ LONG_PTR dwRefData ) { PPH_THREAD_STACK_CONTEXT context = (PPH_THREAD_STACK_CONTEXT)dwRefData; switch (uMsg) { case TDN_DIALOG_CONSTRUCTED: { context->TaskDialogHandle = hwndDlg; PhSetApplicationWindowIcon(hwndDlg); //SendMessage(hwndDlg, TDM_UPDATE_ICON, TDIE_ICON_MAIN, (LPARAM)PhGetApplicationIcon(FALSE)); SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); InterlockedExchange8(&context->SymbolProgressMarquee, TRUE); context->ThreadStackStatusDefaultWindowProc = PhGetWindowProcedure(hwndDlg); PhSetWindowContext(hwndDlg, 0xF, context); PhSetWindowProcedure(hwndDlg, PhpThreadStackTaskDialogSubclassProc); PhRegisterCallback( &PhSymbolEventCallback, PhpSymbolProviderEventCallbackHandler, context, &context->SymbolProviderEventRegistration ); PhReferenceObject(context); PhCreateThread2(PhpRefreshThreadStackThreadStart, context); } break; case TDN_DESTROYED: { // TDN_DESTROYED can occur without TDN_DIALOG_CONSTRUCTED if (context->TaskDialogHandle) PhUnregisterCallback(&PhSymbolEventCallback, &context->SymbolProviderEventRegistration); } break; case TDN_BUTTON_CLICKED: { if ((INT)wParam == IDCANCEL) { context->StopWalk = TRUE; context->SymbolProvider->Terminating = TRUE; } //if (!context->EnableCloseDialog) // return S_FALSE; } break; case TDN_TIMER: { PPH_STRING message; PPH_STRING content; ULONG progress = 0; PhAcquireQueuedLockShared(&context->StatusLock); PhSetReference(&message, context->StatusMessage); PhSetReference(&content, context->StatusContent); progress = context->SymbolProgress; PhReleaseQueuedLockShared(&context->StatusLock); SendMessage(context->TaskDialogHandle, TDM_SET_ELEMENT_TEXT, TDE_MAIN_INSTRUCTION, (LPARAM)PhGetStringOrDefault(message, L"Processing stack frames...")); SendMessage(context->TaskDialogHandle, TDM_SET_ELEMENT_TEXT, TDE_CONTENT, (LPARAM)PhGetStringOrDefault(content, L"Loading symbols for image...")); PhClearReference(&message); PhClearReference(&content); if (context->SymbolProgressReset) { SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); PhAcquireQueuedLockExclusive(&context->StatusLock); InterlockedExchange8(&context->SymbolProgressMarquee, TRUE); InterlockedExchange8(&context->SymbolProgressReset, FALSE); PhReleaseQueuedLockExclusive(&context->StatusLock); } if (progress) { if (context->SymbolProgressMarquee) { SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, FALSE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, FALSE, 0); PhAcquireQueuedLockExclusive(&context->StatusLock); InterlockedExchange8(&context->SymbolProgressMarquee, FALSE); PhReleaseQueuedLockExclusive(&context->StatusLock); } SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_POS, (WPARAM)progress, 0); } else { if (!context->SymbolProgressMarquee) { SendMessage(hwndDlg, TDM_SET_MARQUEE_PROGRESS_BAR, TRUE, 0); SendMessage(hwndDlg, TDM_SET_PROGRESS_BAR_MARQUEE, TRUE, 1); PhAcquireQueuedLockExclusive(&context->StatusLock); InterlockedExchange8(&context->SymbolProgressMarquee, TRUE); PhReleaseQueuedLockExclusive(&context->StatusLock); } } } break; } return S_OK; } BOOLEAN PhpShowThreadStackWindow( _In_ PPH_THREAD_STACK_CONTEXT Context ) { TASKDIALOGCONFIG config; INT result; { PPH_STRING windowText; HWND control; if (control = GetDlgItem(Context->ParentHandle, IDC_STATE)) { if (windowText = PhGetWindowText(control)) { PhMoveReference(&Context->StatusContent, windowText); } } } memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_USE_HICON_MAIN | TDF_ALLOW_DIALOG_CANCELLATION | TDF_POSITION_RELATIVE_TO_WINDOW | TDF_SHOW_MARQUEE_PROGRESS_BAR | TDF_CALLBACK_TIMER; config.dwCommonButtons = TDCBF_CANCEL_BUTTON; config.hMainIcon = PhGetApplicationIcon(FALSE); config.pfCallback = PhpThreadStackTaskDialogCallback; config.lpCallbackData = (LONG_PTR)Context; config.hwndParent = Context->WindowHandle; config.pszWindowTitle = PhApplicationName; config.pszMainInstruction = L"Processing stack frames..."; config.pszContent = PhGetStringOrDefault(Context->StatusContent, L"Loading symbols for image..."); config.cxWidth = 200; return PhShowTaskDialog(&config, &result, NULL, NULL) && result != IDCANCEL; } NTSTATUS PhpRefreshThreadStack( _In_ HWND hwnd, _In_ PPH_THREAD_STACK_CONTEXT Context ) { ULONG i; Context->StopWalk = FALSE; PhMoveReference(&Context->StatusMessage, PhCreateString(L"Processing stack frames...")); if (!PhpShowThreadStackWindow(Context)) { return STATUS_ABANDONED; } if (!Context->StopWalk && NT_SUCCESS(Context->WalkStatus)) { for (i = 0; i < Context->List->Count; i++) PhpFreeThreadStackItem(Context->List->Items[i]); PhDereferenceObject(Context->List); Context->List = Context->NewList; Context->NewList = PhCreateList(10); ClearThreadStackTree(Context); for (i = 0; i < Context->List->Count; i++) { PTHREAD_STACK_ITEM item = Context->List->Items[i]; PPH_STACK_TREE_ROOT_NODE stackNode; stackNode = AddThreadStackNode(Context, item->Index); stackNode->StackFrame = item->StackFrame; stackNode->SymbolString = item->Symbol; stackNode->FileNameString = item->FileName; stackNode->LineTextString = item->LineText; if (stackNode->FileNameString) stackNode->FileNameString = PhGetFileName(stackNode->FileNameString); if (item->StackFrame.StackAddress) PhPrintPointer(stackNode->StackAddressString, item->StackFrame.StackAddress); if (item->StackFrame.FrameAddress) PhPrintPointer(stackNode->FrameAddressString, item->StackFrame.FrameAddress); // There are no params for kernel-mode stack traces. if ((ULONG_PTR)item->StackFrame.PcAddress <= PhSystemBasicInformation.MaximumUserModeAddress) { if (item->StackFrame.Params[0]) PhPrintPointer(stackNode->Parameter1String, item->StackFrame.Params[0]); if (item->StackFrame.Params[1]) PhPrintPointer(stackNode->Parameter2String, item->StackFrame.Params[1]); if (item->StackFrame.Params[2]) PhPrintPointer(stackNode->Parameter3String, item->StackFrame.Params[2]); if (item->StackFrame.Params[3]) PhPrintPointer(stackNode->Parameter4String, item->StackFrame.Params[3]); } if (item->StackFrame.PcAddress) PhPrintPointer(stackNode->PcAddressString, item->StackFrame.PcAddress); if (item->StackFrame.ReturnAddress) PhPrintPointer(stackNode->ReturnAddressString, item->StackFrame.ReturnAddress); switch (stackNode->StackFrame.Machine) { case IMAGE_FILE_MACHINE_ARM64EC: PhInitializeStringRef(&stackNode->Architecture, L"ARM64EC"); break; case IMAGE_FILE_MACHINE_CHPE_X86: PhInitializeStringRef(&stackNode->Architecture, L"CHPE"); break; case IMAGE_FILE_MACHINE_ARM64: PhInitializeStringRef(&stackNode->Architecture, L"ARM64"); break; case IMAGE_FILE_MACHINE_ARM: PhInitializeStringRef(&stackNode->Architecture, L"ARM"); break; case IMAGE_FILE_MACHINE_AMD64: PhInitializeStringRef(&stackNode->Architecture, L"x64"); break; case IMAGE_FILE_MACHINE_I386: PhInitializeStringRef(&stackNode->Architecture, L"x86"); break; default: PhInitializeStringRef(&stackNode->Architecture, L""); break; } if (i > 0 && item->StackFrame.StackAddress) { PTHREAD_STACK_ITEM previousFrame = Context->List->Items[i - 1]; // Windbg "k f" displays the distance between adjacent frames. (dmex) if (previousFrame->StackFrame.StackAddress) { stackNode->FrameDistance = (ULONG)((ULONG_PTR)item->StackFrame.StackAddress - (ULONG_PTR)previousFrame->StackFrame.StackAddress); } } UpdateThreadStackNode(Context, stackNode); } TreeNew_NodesStructured(Context->TreeNewHandle); } else { for (i = 0; i < Context->NewList->Count; i++) PhpFreeThreadStackItem(Context->NewList->Items[i]); PhClearList(Context->NewList); } if (Context->StopWalk) return STATUS_ABANDONED; return Context->WalkStatus; } ================================================ FILE: SystemInformer/thrdstks.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023 * */ #include #include #include #include #include #include #include #include #include #include #define WM_PH_THREAD_STACKS_PUBLISH (WM_USER + 2000) typedef enum _PH_THREAD_STACKS_COLUMN { PH_THREAD_STACKS_COLUMN_SYMBOL, PH_THREAD_STACKS_COLUMN_PROCESSID, PH_THREAD_STACKS_COLUMN_THREADID, PH_THREAD_STACKS_COLUMN_FRAMENUMBER, PH_THREAD_STACKS_COLUMN_STACKADDRESS, PH_THREAD_STACKS_COLUMN_FRAMEADDRESS, PH_THREAD_STACKS_COLUMN_PARAMETER1, PH_THREAD_STACKS_COLUMN_PARAMETER2, PH_THREAD_STACKS_COLUMN_PARAMETER3, PH_THREAD_STACKS_COLUMN_PARAMETER4, PH_THREAD_STACKS_COLUMN_CONTROLADDRESS, PH_THREAD_STACKS_COLUMN_RETURNADDRESS, PH_THREAD_STACKS_COLUMN_FILENAME, PH_THREAD_STACKS_COLUMN_LINETEXT, PH_THREAD_STACKS_COLUMN_ARCHITECTURE, PH_THREAD_STACKS_COLUMN_FRAMEDISTANCE, PH_THREAD_STACKS_COLUMN_STARTADDRESS, PH_THREAD_STACKS_COLUMN_STARTADDRESSSYMBOL, PH_THREAD_STACKS_COLUMN_PROCESSNAME, PH_THREAD_STACKS_COLUMN_THREADNAME, MAX_PH_THREAD_STACKS_COLUMN, } PH_THREAD_STACKS_COLUMN; typedef enum _PH_THREAD_STACKS_NODE_TYPE { PhThreadStacksNodeTypeProcess, PhThreadStacksNodeTypeThread, PhThreadStacksNodeTypeFrame, } PH_THREAD_STACKS_NODE_TYPE, *PPH_THREAD_STACKS_NODE_TYPE; typedef struct _PH_THREAD_STACKS_PROCESS_NODE { HANDLE ProcessId; PPH_SYMBOL_PROVIDER SymbolProvider; PPH_STRING ProcessName; WCHAR ProcessIdString[PH_INT32_STR_LEN_1]; PPH_STRING FileName; PH_STRINGREF Architecture; PPH_LIST Threads; } PH_THREAD_STACKS_PROCESS_NODE, *PPH_THREAD_STACKS_PROCESS_NODE; typedef struct _PH_THREAD_STACKS_THREAD_NODE { PPH_THREAD_STACKS_PROCESS_NODE Process; HANDLE ThreadId; HANDLE ThreadHandle; PVOID StartAddress; PPH_STRING ThreadName; WCHAR ThreadIdString[PH_INT32_STR_LEN_1]; WCHAR StartAddressString[PH_PTR_STR_LEN_1]; PPH_STRING StartAddressSymbol; PPH_STRING FileName; PPH_LIST Frames; BOOLEAN FramesComplete; } PH_THREAD_STACKS_THREAD_NODE, *PPH_THREAD_STACKS_THREAD_NODE; typedef struct _PH_THREAD_STACKS_FRAME_NODE { PPH_THREAD_STACKS_THREAD_NODE Thread; PH_THREAD_STACK_FRAME StackFrame; ULONG FrameNumber; ULONG FrameDistance; PPH_STRING FileName; PPH_STRING LineText; WCHAR FrameNumberString[PH_INT32_STR_LEN_1]; WCHAR StackAddressString[PH_PTR_STR_LEN_1]; WCHAR FrameAddressString[PH_PTR_STR_LEN_1]; WCHAR Parameter1String[PH_PTR_STR_LEN_1]; WCHAR Parameter2String[PH_PTR_STR_LEN_1]; WCHAR Parameter3String[PH_PTR_STR_LEN_1]; WCHAR Parameter4String[PH_PTR_STR_LEN_1]; WCHAR PcAddressString[PH_PTR_STR_LEN_1]; WCHAR ReturnAddressString[PH_PTR_STR_LEN_1]; PH_STRINGREF Architecture; PPH_STRING FrameDistanceString; PPH_STRING SymbolStatusString; } PH_THREAD_STACKS_FRAME_NODE, *PPH_THREAD_STACKS_FRAME_NODE; typedef struct _PH_THREAD_STACKS_NODE { PH_TREENEW_NODE Node; PH_THREAD_STACKS_NODE_TYPE Type; PPH_STRING Symbol; union { PH_THREAD_STACKS_PROCESS_NODE Process; PH_THREAD_STACKS_THREAD_NODE Thread; PH_THREAD_STACKS_FRAME_NODE Frame; }; PH_STRINGREF TextCache[MAX_PH_THREAD_STACKS_COLUMN]; } PH_THREAD_STACKS_NODE, *PPH_THREAD_STACKS_NODE; typedef struct _PH_THREAD_STACKS_WORKER_CONTEXT { volatile LONG Stop; PVOID Context; ULONG TotalThreads; ULONG WalkedThreads; PPH_LIST NodeList; PPH_LIST NodeRootList; } PH_THREAD_STACKS_WORKER_CONTEXT, *PPH_THREAD_STACKS_WORKER_CONTEXT; typedef struct _PH_THREAD_STACKS_CONTEXT { HWND WindowHandle; HWND ParentWindowHandle; HWND TreeNewHandle; HWND MessageHandle; HWND SearchWindowHandle; ULONG_PTR SearchMatchHandle; PH_LAYOUT_MANAGER LayoutManager; RECT MinimumSize; ULONG MessageCount; ULONG LastMessageCount; PPH_STRING StatusMessage; PPH_STRING SymbolMessage; PH_QUEUED_LOCK MessageLock; PPH_LIST NodeList; PPH_LIST NodeRootList; PPH_THREAD_STACKS_WORKER_CONTEXT WorkerContext; PH_CALLBACK_REGISTRATION SymbolProviderEventRegistration; union { ULONG Flags; struct { ULONG HideSystemFrames : 1; ULONG HideUserFrames : 1; ULONG HideInlineFrames : 1; ULONG HighlightSystemFrames : 1; ULONG HighlightUserFrames : 1; ULONG HighlightInlineFrames : 1; ULONG Spare : 26; }; }; } PH_THREAD_STACKS_CONTEXT, *PPH_THREAD_STACKS_CONTEXT; typedef struct _PH_THREAD_STACKS_WALK_CONTEXT { PPH_THREAD_STACKS_WORKER_CONTEXT Context; PPH_THREAD_STACKS_THREAD_NODE ThreadNode; } PH_THREAD_STACKS_WALK_CONTEXT, *PPH_THREAD_STACKS_WALK_CONTEXT; static PPH_OBJECT_TYPE PhpThreadStacksObjectType = NULL; static PPH_OBJECT_TYPE PhpThreadStacksWorkerObjectType = NULL; static PPH_OBJECT_TYPE PhpThreadStacksNodeObjectType = NULL; const ACCESS_MASK PhpThreadStacksThreadAccessMasks[] = { THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, }; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpThreadStacksNodeDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_THREAD_STACKS_NODE node = Object; PhDereferenceObject(node->Symbol); switch (node->Type) { case PhThreadStacksNodeTypeProcess: { PhClearReference(&node->Process.SymbolProvider); PhDereferenceObject(node->Process.ProcessName); PhClearReference(&node->Process.FileName); PhDereferenceObject(node->Process.Threads); } break; case PhThreadStacksNodeTypeThread: { if (node->Thread.ThreadHandle) NtClose(node->Thread.ThreadHandle); PhClearReference(&node->Thread.ThreadName); PhDereferenceObject(node->Thread.Frames); PhClearReference(&node->Thread.StartAddressSymbol); PhClearReference(&node->Thread.FileName); } break; case PhThreadStacksNodeTypeFrame: { PhClearReference(&node->Frame.FileName); PhClearReference(&node->Frame.LineText); PhClearReference(&node->Frame.FrameDistanceString); } break; } } PPH_THREAD_STACKS_NODE PhpThreadStacksCreateNode( _In_ PH_THREAD_STACKS_NODE_TYPE Type ) { PPH_THREAD_STACKS_NODE node; node = PhCreateObjectZero(sizeof(PH_THREAD_STACKS_NODE), PhpThreadStacksNodeObjectType); PhInitializeTreeNewNode(&node->Node); node->Type = Type; memset(node->TextCache, 0, sizeof(PH_STRINGREF) * MAX_PH_THREAD_STACKS_COLUMN); node->Node.TextCache = node->TextCache; node->Node.TextCacheSize = MAX_PH_THREAD_STACKS_COLUMN; return node; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpThreadStacksWorkerContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_THREAD_STACKS_WORKER_CONTEXT context = Object; for (ULONG i = 0; i < context->NodeList->Count; i++) { PhDereferenceObject(context->NodeList->Items[i]); } PhClearReference(&context->Context); PhDereferenceObject(context->NodeList); PhDereferenceObject(context->NodeRootList); } PPH_THREAD_STACKS_WORKER_CONTEXT PhpThreadStacksCreateWorkerContext( _In_ PPH_THREAD_STACKS_CONTEXT Context ) { PPH_THREAD_STACKS_WORKER_CONTEXT context; context = PhCreateObjectZero(sizeof(PH_THREAD_STACKS_WORKER_CONTEXT), PhpThreadStacksWorkerObjectType); context->Context = Context; PhReferenceObject(context->Context); context->NodeList = PhCreateList(500); context->NodeRootList = PhCreateList(100); return context; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpThreadStacksContextDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_THREAD_STACKS_CONTEXT context = Object; PhClearReference(&context->WorkerContext); for (ULONG i = 0; i < context->NodeList->Count; i++) { PhDereferenceObject(context->NodeList->Items[i]); } PhDereferenceObject(context->NodeList); PhDereferenceObject(context->NodeRootList); PhDereferenceObject(context->StatusMessage); PhDereferenceObject(context->SymbolMessage); } PPH_THREAD_STACKS_CONTEXT PhpThreadStacksCreateContext( VOID ) { PPH_THREAD_STACKS_CONTEXT context; context = PhCreateObjectZero(sizeof(PH_THREAD_STACKS_CONTEXT), PhpThreadStacksObjectType); context->NodeList = PhCreateList(500); context->NodeRootList = PhCreateList(100); context->StatusMessage = PhReferenceEmptyString(); context->SymbolMessage = PhReferenceEmptyString(); PhInitializeQueuedLock(&context->MessageLock); return context; } VOID PhpThreadStacksMessage( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ __format_string PCWSTR Format, ... ) { PPH_THREAD_STACKS_CONTEXT context = Context->Context; PPH_STRING message; va_list args; if (Context->Stop) return; va_start(args, Format); message = PhFormatString_V(Format, args); va_end(args); PhAcquireQueuedLockExclusive(&context->MessageLock); PhMoveReference(&context->StatusMessage, message); context->MessageCount++; PhReleaseQueuedLockExclusive(&context->MessageLock); } VOID PhpThreadStacksPublish( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ BOOLEAN Restructure, _In_opt_ PPH_THREAD_STACKS_NODE Node ) { PPH_THREAD_STACKS_CONTEXT context = Context->Context; if (Context->Stop) return; if (Node) PhReferenceObject(Node); PostMessage(context->WindowHandle, WM_PH_THREAD_STACKS_PUBLISH, (WPARAM)Restructure, (LPARAM)Node); } VOID PhpThreadStacksCreateThreadNode( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ PPH_THREAD_STACKS_PROCESS_NODE ProcessNode, _In_ PSYSTEM_THREAD_INFORMATION ThreadInfo ) { PPH_THREAD_STACKS_NODE node; node = PhpThreadStacksCreateNode(PhThreadStacksNodeTypeThread); PhAddItemList(Context->NodeList, node); PhAddItemList(ProcessNode->Threads, node); node->Thread.Process = ProcessNode; node->Thread.ThreadId = ThreadInfo->ClientId.UniqueThread; PhPrintUInt32(node->Thread.ThreadIdString, HandleToUlong(node->Thread.ThreadId)); for (ULONG i = 0; i < ARRAYSIZE(PhpThreadStacksThreadAccessMasks); i++) { if (NT_SUCCESS(PhOpenThread(&node->Thread.ThreadHandle, PhpThreadStacksThreadAccessMasks[i], node->Thread.ThreadId))) break; } if (node->Thread.ThreadHandle) { ULONG_PTR startAddress; if (NT_SUCCESS(PhGetThreadStartAddress(node->Thread.ThreadHandle, &startAddress))) node->Thread.StartAddress = (PVOID)startAddress; PhGetThreadName(node->Thread.ThreadHandle, &node->Thread.ThreadName); } if (!node->Thread.StartAddress) node->Thread.StartAddress = (PVOID)ThreadInfo->StartAddress; PhPrintPointer(node->Thread.StartAddressString, node->Thread.StartAddress); if (!PhIsNullOrEmptyString(node->Thread.ThreadName)) node->Symbol = PhReferenceObject(node->Thread.ThreadName); else node->Symbol = PhCreateString(node->Thread.StartAddressString); node->Thread.Frames = PhCreateList(10); Context->TotalThreads++; PhpThreadStacksPublish(Context, FALSE, node); } VOID PhpThreadStacksCreateProcessNode( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ PSYSTEM_PROCESS_INFORMATION ProcessInfo ) { PPH_THREAD_STACKS_NODE node; HANDLE processHandle; node = PhpThreadStacksCreateNode(PhThreadStacksNodeTypeProcess); PhAddItemList(Context->NodeList, node); PhAddItemList(Context->NodeRootList, node); node->Process.ProcessId = ProcessInfo->UniqueProcessId; PhPrintUInt32(node->Process.ProcessIdString, HandleToUlong(node->Process.ProcessId)); node->Process.SymbolProvider = PhCreateSymbolProvider(node->Process.ProcessId); PhLoadSymbolProviderOptions(node->Process.SymbolProvider); if (node->Process.ProcessId != SYSTEM_IDLE_PROCESS_ID) node->Process.ProcessName = PhCreateStringFromUnicodeString(&ProcessInfo->ImageName); else node->Process.ProcessName = PhCreateStringFromUnicodeString(&SYSTEM_IDLE_PROCESS_NAME); node->Symbol = PhReferenceObject(node->Process.ProcessName); if (node->Process.ProcessId == SYSTEM_PROCESS_ID) node->Process.FileName = PhGetKernelFileName(); if (NT_SUCCESS(PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, node->Process.ProcessId))) { USHORT machine; if (!node->Process.FileName) PhGetProcessImageFileName(processHandle, &node->Process.FileName); if (NT_SUCCESS(PhGetProcessArchitecture(processHandle, &machine))) { switch (machine) { case IMAGE_FILE_MACHINE_I386: PhInitializeStringRef(&node->Process.Architecture, L"x86"); break; case IMAGE_FILE_MACHINE_AMD64: PhInitializeStringRef(&node->Process.Architecture, L"x64"); break; case IMAGE_FILE_MACHINE_ARMNT: PhInitializeStringRef(&node->Process.Architecture, L"ARM"); break; case IMAGE_FILE_MACHINE_ARM64: PhInitializeStringRef(&node->Process.Architecture, L"ARM64"); break; default: PhInitializeEmptyStringRef(&node->Process.Architecture); break; } } else { PhInitializeEmptyStringRef(&node->Process.Architecture); } NtClose(processHandle); } node->Process.Threads = PhCreateList(ProcessInfo->NumberOfThreads); for (ULONG i = 0; i < ProcessInfo->NumberOfThreads; i++) { PSYSTEM_THREAD_INFORMATION threadInfo; threadInfo = &ProcessInfo->Threads[i]; PhpThreadStacksCreateThreadNode(Context, &node->Process, threadInfo); } PhpThreadStacksPublish(Context, FALSE, node); } PPH_STRING PhpThreadStacksInitFrameNode( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ PPH_THREAD_STACKS_FRAME_NODE FrameNode, _In_ PPH_THREAD_STACK_FRAME StackFrame ) { PPH_STRING symbol = NULL; PPH_STRING fileName = NULL; PPH_STRING lineText = NULL; PVOID baseAddress = NULL; PPH_STRING lineFileName; PH_SYMBOL_LINE_INFORMATION lineInfo; if (PhSymbolProviderInlineContextSupported()) { symbol = PhGetSymbolFromInlineContext( FrameNode->Thread->Process->SymbolProvider, StackFrame, NULL, &fileName, NULL, NULL, &baseAddress ); if (PhPluginsEnabled) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackResolveSymbol; control.UniqueKey = Context; control.u.ResolveSymbol.StackFrame = StackFrame; control.u.ResolveSymbol.Symbol = symbol; control.u.ResolveSymbol.FileName = fileName; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); symbol = control.u.ResolveSymbol.Symbol; fileName = control.u.ResolveSymbol.FileName; } if (PhGetLineFromInlineContext( FrameNode->Thread->Process->SymbolProvider, StackFrame, baseAddress, &lineFileName, NULL, &lineInfo )) { PH_FORMAT format[3]; PhInitFormatSR(&format[0], lineFileName->sr); PhInitFormatS(&format[1], L" @ "); PhInitFormatU(&format[2], lineInfo.LineNumber); lineText = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(lineFileName); } } else { symbol = PhGetSymbolFromAddress( FrameNode->Thread->Process->SymbolProvider, StackFrame->PcAddress, NULL, &fileName, NULL, NULL ); if (PhPluginsEnabled) { PH_PLUGIN_THREAD_STACK_CONTROL control; control.Type = PluginThreadStackResolveSymbol; control.UniqueKey = Context; control.u.ResolveSymbol.StackFrame = StackFrame; control.u.ResolveSymbol.Symbol = symbol; control.u.ResolveSymbol.FileName = fileName; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); symbol = control.u.ResolveSymbol.Symbol; fileName = control.u.ResolveSymbol.FileName; } if (PhGetLineFromAddress( FrameNode->Thread->Process->SymbolProvider, StackFrame->PcAddress, &lineFileName, NULL, &lineInfo )) { PH_FORMAT format[3]; PhInitFormatSR(&format[0], lineFileName->sr); PhInitFormatS(&format[1], L" @ "); PhInitFormatU(&format[2], lineInfo.LineNumber); lineText = PhFormat(format, RTL_NUMBER_OF(format), 0); PhDereferenceObject(lineFileName); } } FrameNode->StackFrame = *StackFrame; if (symbol && (FrameNode->StackFrame.Machine == IMAGE_FILE_MACHINE_I386) && FlagOn(FrameNode->StackFrame.Flags, PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT)) { PhMoveReference(&symbol, PhConcatStringRefZ(&symbol->sr, L" (No unwind info)")); } if (PhSymbolProviderInlineContextSupported() && PhIsStackFrameTypeInline(FrameNode->StackFrame.InlineFrameContext)) { if (symbol) PhMoveReference(&symbol, PhConcatStringRefZ(&symbol->sr, L" (Inline Function)")); // Zero inline frames so the stack matches windbg output. FrameNode->StackFrame.PcAddress = NULL; FrameNode->StackFrame.ReturnAddress = NULL; FrameNode->StackFrame.FrameAddress = NULL; FrameNode->StackFrame.StackAddress = NULL; memset(FrameNode->StackFrame.Params, 0, sizeof(FrameNode->StackFrame.Params)); } if (FrameNode->StackFrame.StackAddress) { PhPrintPointer(FrameNode->StackAddressString, (PVOID)FrameNode->StackFrame.StackAddress); if (FrameNode->FrameNumber > 0) { PPH_THREAD_STACKS_NODE prev = FrameNode->Thread->Frames->Items[FrameNode->FrameNumber - 1]; if (prev->Frame.StackFrame.StackAddress) { FrameNode->FrameDistance = (ULONG)((ULONG_PTR)FrameNode->StackFrame.StackAddress - (ULONG_PTR)prev->Frame.StackFrame.StackAddress); FrameNode->FrameDistanceString = PhFormatSize(FrameNode->FrameDistance, ULONG_MAX); } } } // There are no parameters for kernel-mode frames. if ((ULONG_PTR)FrameNode->StackFrame.PcAddress <= PhSystemBasicInformation.MaximumUserModeAddress) { PhPrintPointer(FrameNode->Parameter1String, FrameNode->StackFrame.Params[0]); PhPrintPointer(FrameNode->Parameter2String, FrameNode->StackFrame.Params[1]); PhPrintPointer(FrameNode->Parameter3String, FrameNode->StackFrame.Params[2]); PhPrintPointer(FrameNode->Parameter4String, FrameNode->StackFrame.Params[3]); } if (FrameNode->StackFrame.PcAddress) PhPrintPointer(FrameNode->PcAddressString, (PVOID)FrameNode->StackFrame.PcAddress); if (FrameNode->StackFrame.ReturnAddress) PhPrintPointer(FrameNode->ReturnAddressString, (PVOID)FrameNode->StackFrame.ReturnAddress); switch (FrameNode->StackFrame.Machine) { case IMAGE_FILE_MACHINE_ARM64EC: PhInitializeStringRef(&FrameNode->Architecture, L"ARM64EC"); break; case IMAGE_FILE_MACHINE_CHPE_X86: PhInitializeStringRef(&FrameNode->Architecture, L"CHPE"); break; case IMAGE_FILE_MACHINE_ARM64: PhInitializeStringRef(&FrameNode->Architecture, L"ARM64"); break; case IMAGE_FILE_MACHINE_ARM: PhInitializeStringRef(&FrameNode->Architecture, L"ARM"); break; case IMAGE_FILE_MACHINE_AMD64: PhInitializeStringRef(&FrameNode->Architecture, L"x64"); break; case IMAGE_FILE_MACHINE_I386: PhInitializeStringRef(&FrameNode->Architecture, L"x86"); break; default: PhInitializeStringRef(&FrameNode->Architecture, L""); break; } PhMoveReference(&FrameNode->FileName, fileName); PhMoveReference(&FrameNode->LineText, lineText); return symbol; } VOID PhpThreadStacksCreateFrameNode( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ PPH_THREAD_STACKS_THREAD_NODE ThreadNode, _In_ PPH_THREAD_STACK_FRAME StackFrame ) { PPH_THREAD_STACKS_NODE node; node = PhpThreadStacksCreateNode(PhThreadStacksNodeTypeFrame); // frame nodes will become visible during publishing node->Node.Visible = FALSE; node->Frame.Thread = ThreadNode; node->Frame.FrameNumber = ThreadNode->Frames->Count; PhAddItemList(Context->NodeList, node); PhAddItemList(ThreadNode->Frames, node); PhPrintUInt32(node->Frame.FrameNumberString, node->Frame.FrameNumber); node->Symbol = PhpThreadStacksInitFrameNode(Context, &node->Frame, StackFrame); PhpThreadStacksPublish(Context, FALSE, node); } VOID PhpThreadStacksWorkerPhase1( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context ) { PVOID processes; PSYSTEM_PROCESS_INFORMATION process; if (!NT_SUCCESS(PhEnumProcesses(&processes))) return; process = PH_FIRST_PROCESS(processes); PhpThreadStacksMessage(Context, L"Enumerating processes..."); do { PhpThreadStacksCreateProcessNode(Context, process); } while (process = PH_NEXT_PROCESS(process)); PhFree(processes); PhpThreadStacksPublish(Context, TRUE, NULL); } BOOLEAN NTAPI PhpThreadStacksWalkCallback( _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_ PVOID Context ) { PPH_THREAD_STACKS_WALK_CONTEXT context = Context; if (context->Context->Stop) return FALSE; PhpThreadStacksCreateFrameNode(context->Context, context->ThreadNode, StackFrame); return TRUE; } VOID PhpThreadStacksThreadPhase2( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ PPH_THREAD_STACKS_THREAD_NODE ThreadNode ) { PH_THREAD_STACKS_WALK_CONTEXT context; CLIENT_ID clientId; if (!ThreadNode->ThreadHandle) return; clientId.UniqueProcess = ThreadNode->Process->ProcessId; clientId.UniqueThread = ThreadNode->ThreadId; context.Context = Context; context.ThreadNode = ThreadNode; PhWalkThreadStack( ThreadNode->ThreadHandle, ThreadNode->Process->SymbolProvider->ProcessHandle, &clientId, ThreadNode->Process->SymbolProvider, PH_WALK_USER_WOW64_STACK | PH_WALK_USER_STACK | PH_WALK_KERNEL_STACK, PhpThreadStacksWalkCallback, &context ); } VOID PhpThreadStacksProcessPhase2( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context, _In_ PPH_THREAD_STACKS_PROCESS_NODE ProcessNode ) { for (ULONG i = 0; i < ProcessNode->Threads->Count; i++) { PPH_THREAD_STACKS_NODE node = ProcessNode->Threads->Items[i]; PhpThreadStacksMessage( Context, L"Walking stacks... %lu%% - %ls (%lu) %lu%%", (ULONG)(((FLOAT)Context->WalkedThreads / (FLOAT)Context->TotalThreads) * 100), ProcessNode->ProcessName->Buffer, HandleToUlong(ProcessNode->ProcessId), (ULONG)(((FLOAT)(i + 1) / ProcessNode->Threads->Count) * 100) ); // Resolve the start address symbol. node->Thread.StartAddressSymbol = PhGetSymbolFromAddress( ProcessNode->SymbolProvider, node->Thread.StartAddress, NULL, &node->Thread.FileName, NULL, NULL ); if (node->Symbol == node->Thread.ThreadName) { // Keep the thread name as the symbol. NOTHING; } else if (node->Thread.StartAddressSymbol) { PhMoveReference(&node->Symbol, PhReferenceObject(node->Thread.StartAddressSymbol)); } PhpThreadStacksThreadPhase2(Context, &node->Thread); Context->WalkedThreads++; node->Thread.FramesComplete = TRUE; PhpThreadStacksPublish(Context, TRUE, NULL); if (Context->Stop) break; } } VOID PhpThreadStacksWorkerPhase2( _In_ PPH_THREAD_STACKS_WORKER_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeRootList->Count; i++) { PPH_THREAD_STACKS_NODE node = Context->NodeRootList->Items[i]; PhpThreadStacksMessage( Context, L"Walking stacks... %lu%% - %ls (%lu)", (ULONG)(((FLOAT)Context->WalkedThreads / (FLOAT)Context->TotalThreads) * 100), node->Process.ProcessName->Buffer, HandleToUlong(node->Process.ProcessId) ); PhLoadSymbolProviderModules(node->Process.SymbolProvider, node->Process.ProcessId); PhpThreadStacksProcessPhase2(Context, &node->Process); // Clean up the symbol provider as soon as possible. PhClearReference(&node->Process.SymbolProvider); if (Context->Stop) break; } } NTSTATUS PhpThreadStacksWorkerThreadStart( _In_ PVOID Parameter ) { PPH_THREAD_STACKS_WORKER_CONTEXT context = Parameter; PH_PLUGIN_THREAD_STACK_CONTROL control; control.UniqueKey = context; if (PhPluginsEnabled) { control.Type = PluginThreadStackBeginDefaultWalkStack; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } // Phase 1 enumerates processes and threads PhpThreadStacksWorkerPhase1(context); // Phase 2 walks stacks, resolves symbols, and creates frame nodes PhpThreadStacksWorkerPhase2(context); if (PhPluginsEnabled) { control.Type = PluginThreadStackEndDefaultWalkStack; PhInvokeCallback(PhGetGeneralCallback(GeneralCallbackThreadStackControl), &control); } PhpThreadStacksMessage(context, L""); PhClearReference(&context->Context); PhDereferenceObject(context); return STATUS_SUCCESS; } VOID PhpThreadStacksRefresh( _In_ PPH_THREAD_STACKS_CONTEXT Context ) { PPH_THREAD_STACKS_WORKER_CONTEXT context; if (Context->WorkerContext) InterlockedIncrement(&Context->WorkerContext->Stop); context = PhpThreadStacksCreateWorkerContext(Context); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); for (ULONG i = 0; i < Context->NodeList->Count; i++) PhDereferenceObject(Context->NodeList->Items[i]); PhClearList(Context->NodeList); PhClearList(Context->NodeRootList); PhMoveReference(&Context->WorkerContext, PhReferenceObject(context)); if (!NT_SUCCESS(PhCreateThread2(PhpThreadStacksWorkerThreadStart, context))) PhDereferenceObject(context); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpThreadStacksExpandNodes( _In_ PPH_THREAD_STACKS_CONTEXT Context, _In_ BOOLEAN Expand ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_THREAD_STACKS_NODE node = Context->NodeList->Items[i]; node->Node.Expanded = Expand; } TreeNew_NodesStructured(Context->TreeNewHandle); } VOID PhpThreadStacksInvalidateNodes( _In_ PPH_THREAD_STACKS_CONTEXT Context ) { for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_THREAD_STACKS_NODE node = Context->NodeList->Items[i]; PhInvalidateTreeNewNode(&node->Node, TN_CACHE_COLOR); TreeNew_InvalidateNode(Context->TreeNewHandle, &node->Node); } } BOOLEAN PhpThreadStackFrameVisible( _In_ PPH_THREAD_STACKS_CONTEXT Context, _In_ PPH_THREAD_STACKS_FRAME_NODE FrameNode, _In_ BOOLEAN Matched ) { if (Context->HideSystemFrames && (ULONG_PTR)FrameNode->StackFrame.PcAddress > PhSystemBasicInformation.MaximumUserModeAddress) return FALSE; if (Context->HideUserFrames && (ULONG_PTR)FrameNode->StackFrame.PcAddress <= PhSystemBasicInformation.MaximumUserModeAddress) return FALSE; if (Context->HideInlineFrames && PhIsStackFrameTypeInline(FrameNode->StackFrame.InlineFrameContext)) return FALSE; return Matched; } VOID PhpThreadStacksRestructureNodesWithSearch( _In_ PPH_THREAD_STACKS_CONTEXT Context ) { if (!Context->SearchMatchHandle) { for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_THREAD_STACKS_NODE node = Context->NodeList->Items[i]; if (node->Type == PhThreadStacksNodeTypeFrame) node->Node.Visible = PhpThreadStackFrameVisible(Context, &node->Frame, TRUE); else node->Node.Visible = TRUE; } TreeNew_NodesStructured(Context->TreeNewHandle); return; } // We only search for symbols in stack frames when searching, if any frame // matches the entire ancestry related to the node is made visible. for (ULONG i = 0; i < Context->NodeRootList->Count; i++) { PPH_THREAD_STACKS_NODE processNode = Context->NodeRootList->Items[i]; processNode->Node.Visible = FALSE; for (ULONG j = 0; j < processNode->Process.Threads->Count; j++) { PPH_THREAD_STACKS_NODE threadNode = processNode->Process.Threads->Items[j]; BOOLEAN match; threadNode->Node.Visible = FALSE; if (!threadNode->Thread.FramesComplete) { continue; } match = FALSE; for (ULONG k = 0; k < threadNode->Thread.Frames->Count; k++) { PPH_THREAD_STACKS_NODE frameNode = threadNode->Thread.Frames->Items[k]; frameNode->Node.Visible = PhpThreadStackFrameVisible(Context, &frameNode->Frame, match); if (match || !PhSearchControlMatch(Context->SearchMatchHandle, &frameNode->Symbol->sr)) continue; match = TRUE; threadNode->Node.Visible = TRUE; processNode->Node.Visible = TRUE; for (ULONG l = 0; l <= k; l++) { PPH_THREAD_STACKS_NODE prevFrameNode = threadNode->Thread.Frames->Items[l]; prevFrameNode->Node.Visible = PhpThreadStackFrameVisible(Context, &frameNode->Frame, TRUE); } } } } TreeNew_NodesStructured(Context->TreeNewHandle); } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpThreadStacksSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_THREAD_STACKS_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatchHandle; PhpThreadStacksRestructureNodesWithSearch(context); } BOOLEAN NTAPI PhpThreadStacksTreeNewCallback( _In_ HWND hwnd, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_THREAD_STACKS_CONTEXT context = Context; PPH_THREAD_STACKS_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_THREAD_STACKS_NODE)getChildren->Node; if (!getChildren->Node) { getChildren->Children = (PPH_TREENEW_NODE*)context->NodeRootList->Items; getChildren->NumberOfChildren = context->NodeRootList->Count; } else { switch (node->Type) { case PhThreadStacksNodeTypeProcess: getChildren->Children = (PPH_TREENEW_NODE*)node->Process.Threads->Items; getChildren->NumberOfChildren = node->Process.Threads->Count; break; case PhThreadStacksNodeTypeThread: getChildren->Children = (PPH_TREENEW_NODE*)node->Thread.Frames->Items; getChildren->NumberOfChildren = node->Thread.Frames->Count; break; case PhThreadStacksNodeTypeFrame: default: getChildren->Children = NULL; getChildren->NumberOfChildren = 0; break; } } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPH_THREAD_STACKS_NODE)isLeaf->Node; isLeaf->IsLeaf = node->Type == PhThreadStacksNodeTypeFrame; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; node = (PPH_THREAD_STACKS_NODE)getCellText->Node; switch (getCellText->Id) { case PH_THREAD_STACKS_COLUMN_SYMBOL: getCellText->Text = PhGetStringRef(node->Symbol); break; case PH_THREAD_STACKS_COLUMN_PROCESSID: { switch (node->Type) { case PhThreadStacksNodeTypeProcess: PhInitializeStringRefLongHint(&getCellText->Text, node->Process.ProcessIdString); break; case PhThreadStacksNodeTypeThread: PhInitializeStringRefLongHint(&getCellText->Text, node->Thread.Process->ProcessIdString); break; case PhThreadStacksNodeTypeFrame: PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.Thread->Process->ProcessIdString); break; } } break; case PH_THREAD_STACKS_COLUMN_THREADID: { switch (node->Type) { case PhThreadStacksNodeTypeThread: PhInitializeStringRefLongHint(&getCellText->Text, node->Thread.ThreadIdString); break; case PhThreadStacksNodeTypeFrame: PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.Thread->ThreadIdString); break; } } break; case PH_THREAD_STACKS_COLUMN_FRAMENUMBER: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.FrameNumberString); break; case PH_THREAD_STACKS_COLUMN_STACKADDRESS: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.StackAddressString); break; case PH_THREAD_STACKS_COLUMN_FRAMEADDRESS: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.FrameAddressString); break; case PH_THREAD_STACKS_COLUMN_PARAMETER1: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.Parameter1String); break; case PH_THREAD_STACKS_COLUMN_PARAMETER2: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.Parameter2String); break; case PH_THREAD_STACKS_COLUMN_PARAMETER3: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.Parameter3String); break; case PH_THREAD_STACKS_COLUMN_PARAMETER4: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.Parameter4String); break; case PH_THREAD_STACKS_COLUMN_CONTROLADDRESS: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.PcAddressString); break; case PH_THREAD_STACKS_COLUMN_RETURNADDRESS: if (node->Type == PhThreadStacksNodeTypeFrame) PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.ReturnAddressString); break; case PH_THREAD_STACKS_COLUMN_FILENAME: { switch (node->Type) { case PhThreadStacksNodeTypeProcess: getCellText->Text = PhGetStringRef(node->Process.FileName); break; case PhThreadStacksNodeTypeThread: getCellText->Text = PhGetStringRef(node->Thread.FileName); break; case PhThreadStacksNodeTypeFrame: getCellText->Text = PhGetStringRef(node->Frame.FileName); break; } } break; case PH_THREAD_STACKS_COLUMN_LINETEXT: if (node->Type == PhThreadStacksNodeTypeFrame) getCellText->Text = PhGetStringRef(node->Frame.LineText); break; case PH_THREAD_STACKS_COLUMN_ARCHITECTURE: { switch (node->Type) { case PhThreadStacksNodeTypeProcess: getCellText->Text = node->Process.Architecture; break; case PhThreadStacksNodeTypeFrame: getCellText->Text = node->Frame.Architecture; break; } } break; case PH_THREAD_STACKS_COLUMN_FRAMEDISTANCE: if (node->Type == PhThreadStacksNodeTypeFrame) getCellText->Text = PhGetStringRef(node->Frame.FrameDistanceString); break; case PH_THREAD_STACKS_COLUMN_STARTADDRESS: { switch (node->Type) { case PhThreadStacksNodeTypeThread: PhInitializeStringRefLongHint(&getCellText->Text, node->Thread.StartAddressString); break; case PhThreadStacksNodeTypeFrame: PhInitializeStringRefLongHint(&getCellText->Text, node->Frame.Thread->StartAddressString); break; } } break; case PH_THREAD_STACKS_COLUMN_STARTADDRESSSYMBOL: { switch (node->Type) { case PhThreadStacksNodeTypeThread: getCellText->Text = PhGetStringRef(node->Thread.StartAddressSymbol); break; case PhThreadStacksNodeTypeFrame: getCellText->Text = PhGetStringRef(node->Frame.Thread->StartAddressSymbol); break; } } break; case PH_THREAD_STACKS_COLUMN_PROCESSNAME: { switch (node->Type) { case PhThreadStacksNodeTypeProcess: getCellText->Text = PhGetStringRef(node->Process.ProcessName); break; case PhThreadStacksNodeTypeThread: getCellText->Text = PhGetStringRef(node->Thread.Process->ProcessName); break; case PhThreadStacksNodeTypeFrame: getCellText->Text = PhGetStringRef(node->Frame.Thread->Process->ProcessName); break; } } break; case PH_THREAD_STACKS_COLUMN_THREADNAME: { switch (node->Type) { case PhThreadStacksNodeTypeThread: getCellText->Text = PhGetStringRef(node->Thread.ThreadName); break; case PhThreadStacksNodeTypeFrame: getCellText->Text = PhGetStringRef(node->Frame.Thread->ThreadName); break; } } break; default: return FALSE; } switch (node->Type) { case PhThreadStacksNodeTypeProcess: getCellText->Flags = TN_CACHE; break; case PhThreadStacksNodeTypeThread: if (node->Thread.FramesComplete) getCellText->Flags = TN_CACHE; break; case PhThreadStacksNodeTypeFrame: if (node->Frame.Thread->FramesComplete) getCellText->Flags = TN_CACHE; break; } } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = Parameter1; node = (PPH_THREAD_STACKS_NODE)getNodeColor->Node; if (node->Type == PhThreadStacksNodeTypeFrame) { if (context->HighlightInlineFrames && PhIsStackFrameTypeInline(node->Frame.StackFrame.InlineFrameContext)) getNodeColor->BackColor = PhGetIntegerSetting(SETTING_COLOR_INLINE_THREAD_STACK); else if (context->HighlightSystemFrames && (ULONG_PTR)node->Frame.StackFrame.PcAddress > PhSystemBasicInformation.MaximumUserModeAddress) getNodeColor->BackColor = PhGetIntegerSetting(SETTING_COLOR_SYSTEM_THREAD_STACK); else if (context->HighlightUserFrames && (ULONG_PTR)node->Frame.StackFrame.PcAddress <= PhSystemBasicInformation.MaximumUserModeAddress) getNodeColor->BackColor = PhGetIntegerSetting(SETTING_COLOR_USER_THREAD_STACK); getNodeColor->Flags = TN_AUTO_FORECOLOR; } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = hwnd; data.MouseEvent = Parameter1; data.DefaultSortOrder = NoSortOrder; data.DefaultSortColumn = 0; PhInitializeTreeNewColumnMenuEx(&data, 0); data.Selection = PhShowEMenu( data.Menu, hwnd, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y ); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_EMENU_ITEM gotoProcess; PPH_EMENU_ITEM gotoThread; PPH_EMENU_ITEM hideUserFrames; PPH_EMENU_ITEM hideSystemFrames; PPH_EMENU_ITEM hideInlineFrames; PPH_EMENU_ITEM highlightUserFrames; PPH_EMENU_ITEM highlightSystemFrames; PPH_EMENU_ITEM highlightInlineFrames; node = (PPH_THREAD_STACKS_NODE)contextMenuEvent->Node; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, gotoProcess = PhCreateEMenuItem(0, 1, L"Go to process...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, gotoThread = PhCreateEMenuItem(0, 2, L"Go to thread...", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, hideUserFrames = PhCreateEMenuItem(0, 3, L"Expand all", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, hideUserFrames = PhCreateEMenuItem(0, 4, L"Collapse all", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, hideUserFrames = PhCreateEMenuItem(0, 5, L"Hide user frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, hideSystemFrames = PhCreateEMenuItem(0, 6, L"Hide system frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, hideInlineFrames = PhCreateEMenuItem(0, 7, L"Hide inline frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, highlightUserFrames = PhCreateEMenuItem(0, 8, L"Highlight user frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, highlightSystemFrames = PhCreateEMenuItem(0, 9, L"Highlight system frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, highlightInlineFrames = PhCreateEMenuItem(0, 10, L"Highlight inline frames", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 100, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, 100, hwnd, contextMenuEvent->Column); if (node) { if (node->Type == PhThreadStacksNodeTypeProcess) PhSetDisabledEMenuItem(gotoThread); } else { PhSetDisabledEMenuItem(gotoProcess); PhSetDisabledEMenuItem(gotoThread); } if (context->HideUserFrames) hideUserFrames->Flags |= PH_EMENU_CHECKED; if (context->HideSystemFrames) hideSystemFrames->Flags |= PH_EMENU_CHECKED; if (context->HideInlineFrames) hideInlineFrames->Flags |= PH_EMENU_CHECKED; if (context->HighlightUserFrames) highlightUserFrames->Flags |= PH_EMENU_CHECKED; if (context->HighlightSystemFrames) highlightSystemFrames->Flags |= PH_EMENU_CHECKED; if (context->HighlightInlineFrames) highlightInlineFrames->Flags |= PH_EMENU_CHECKED; selectedItem = PhShowEMenu( menu, context->WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX && !PhHandleCopyCellEMenuItem(selectedItem)) { switch (selectedItem->Id) { case 1: { PPH_PROCESS_ITEM processItem; HANDLE processId; assert(node); switch (node->Type) { case PhThreadStacksNodeTypeProcess: processId = node->Process.ProcessId; break; case PhThreadStacksNodeTypeThread: processId = node->Thread.Process->ProcessId; break; case PhThreadStacksNodeTypeFrame: processId = node->Frame.Thread->Process->ProcessId; break; DEFAULT_UNREACHABLE; } if (processItem = PhReferenceProcessItem(processId)) { PPH_PROCESS_PROPCONTEXT propContext; if (propContext = PhCreateProcessPropContext(NULL, processItem)) { PhShowProcessProperties(propContext); PhDereferenceObject(propContext); } PhDereferenceObject(processItem); } } break; case 2: { PPH_PROCESS_ITEM processItem; HANDLE processId; HANDLE threadId; assert(node); assert(node->Type == PhThreadStacksNodeTypeThread || node->Type == PhThreadStacksNodeTypeFrame); switch (node->Type) { case PhThreadStacksNodeTypeThread: processId = node->Thread.Process->ProcessId; threadId = node->Thread.ThreadId; break; case PhThreadStacksNodeTypeFrame: processId = node->Frame.Thread->Process->ProcessId; threadId = node->Frame.Thread->ThreadId; break; DEFAULT_UNREACHABLE; } if (processItem = PhReferenceProcessItem(processId)) { PPH_PROCESS_PROPCONTEXT propContext; if (propContext = PhCreateProcessPropContext(NULL, processItem)) { PhSetSelectThreadIdProcessPropContext(propContext, threadId); PhShowProcessProperties(propContext); PhDereferenceObject(propContext); } PhDereferenceObject(processItem); } } break; case 3: PhpThreadStacksExpandNodes(context, TRUE); break; case 4: PhpThreadStacksExpandNodes(context, FALSE); break; case 5: context->HideUserFrames = !context->HideUserFrames; PhpThreadStacksRestructureNodesWithSearch(context); break; case 6: context->HideSystemFrames = !context->HideSystemFrames; PhpThreadStacksRestructureNodesWithSearch(context); break; case 7: context->HideInlineFrames = !context->HideInlineFrames; PhpThreadStacksRestructureNodesWithSearch(context); break; case 8: context->HighlightUserFrames = !context->HighlightUserFrames; PhSetIntegerSetting(SETTING_USE_COLOR_USER_THREAD_STACK, context->HighlightUserFrames); PhpThreadStacksInvalidateNodes(context); break; case 9: context->HighlightSystemFrames = !context->HighlightSystemFrames; PhSetIntegerSetting(SETTING_USE_COLOR_SYSTEM_THREAD_STACK, context->HighlightSystemFrames); PhpThreadStacksInvalidateNodes(context); break; case 10: context->HighlightInlineFrames = !context->HighlightInlineFrames; PhSetIntegerSetting(SETTING_USE_COLOR_INLINE_THREAD_STACK, context->HighlightInlineFrames); PhpThreadStacksInvalidateNodes(context); break; case 100: { PPH_STRING text; text = PhGetTreeNewText(hwnd, 0); PhSetClipboardString(hwnd, &text->sr); PhDereferenceObject(text); } break; } } PhDestroyEMenu(menu); } return TRUE; } return FALSE; } VOID PhpThreadStacksLoadSettingsTreeList( _Inout_ PPH_THREAD_STACKS_CONTEXT Context ) { PPH_STRING settings; settings = PhGetStringSetting(L"ThreadStacksTreeListColumns"); PhCmLoadSettings(Context->TreeNewHandle, &settings->sr); PhDereferenceObject(settings); } VOID PhpThreadStacksSaveSettingsTreeList( _Inout_ PPH_THREAD_STACKS_CONTEXT Context ) { PPH_STRING settings; settings = PhCmSaveSettings(Context->TreeNewHandle); PhSetStringSetting2(SETTING_THREAD_STACKS_TREE_LIST_COLUMNS, &settings->sr); PhDereferenceObject(settings); } VOID PhpInitializeThreadStacksTree( _In_ PPH_THREAD_STACKS_CONTEXT Context ) { PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetCallback(Context->TreeNewHandle, PhpThreadStacksTreeNewCallback, Context); TreeNew_SetExtendedFlags(Context->TreeNewHandle, TN_FLAG_ITEM_DRAG_SELECT, TN_FLAG_ITEM_DRAG_SELECT); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_SYMBOL, TRUE, L"Symbol", 250, PH_ALIGN_LEFT, 0, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_PROCESSID, TRUE, L"PID", 80, PH_ALIGN_LEFT, 1, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_THREADID, TRUE, L"TID", 80, PH_ALIGN_LEFT, 2, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_FRAMENUMBER, TRUE, L"Frame", 80, PH_ALIGN_LEFT, 3, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_ARCHITECTURE, TRUE, L"Architecture", 100, PH_ALIGN_LEFT, 4, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_STACKADDRESS, FALSE, L"Stack address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_FRAMEADDRESS, FALSE, L"Frame address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_PARAMETER1, FALSE, L"Stack parameter #1", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_PARAMETER2, FALSE, L"Stack parameter #2", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_PARAMETER3, FALSE, L"Stack parameter #3", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_PARAMETER4, FALSE, L"Stack parameter #4", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_CONTROLADDRESS, FALSE, L"Control address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_RETURNADDRESS, FALSE, L"Return address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_FILENAME, FALSE, L"File name", 250, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_LINETEXT, FALSE, L"Line number", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_FRAMEDISTANCE, FALSE, L"Frame distance", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_STARTADDRESS, FALSE, L"Start address", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_STARTADDRESSSYMBOL, FALSE, L"Start address (symbolic)", 100, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_PROCESSNAME, FALSE, L"Process name", 250, PH_ALIGN_LEFT, ULONG_MAX, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_THREAD_STACKS_COLUMN_THREADNAME, FALSE, L"Thread name", 250, PH_ALIGN_LEFT, ULONG_MAX, 0); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); //TreeNew_SetTriState(Context->TreeNewHandle, FALSE); PhpThreadStacksLoadSettingsTreeList(Context); } _Function_class_(PH_CALLBACK_FUNCTION) VOID PhpThreadStacksSymbolProviderEventCallback( _In_ PVOID Parameter, _In_ PVOID Context ) { PPH_SYMBOL_EVENT_DATA event = Parameter; PPH_THREAD_STACKS_CONTEXT context = Context; PPH_STRING statusMessage; if (!event || !context) return; switch (event->EventType) { case PH_SYMBOL_EVENT_TYPE_LOAD_START: case PH_SYMBOL_EVENT_TYPE_PROGRESS: statusMessage = PhReferenceObject(event->EventMessage); break; default: statusMessage = PhReferenceEmptyString(); break; } PhAcquireQueuedLockExclusive(&context->MessageLock); PhMoveReference(&context->SymbolMessage, statusMessage); context->MessageCount++; PhReleaseQueuedLockExclusive(&context->MessageLock); } INT_PTR CALLBACK PhpThreadStacksDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_THREAD_STACKS_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PPH_THREAD_STACKS_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_TREELIST); context->MessageHandle = GetDlgItem(hwndDlg, IDC_MESSAGE); context->SearchWindowHandle = GetDlgItem(hwndDlg, IDC_FILTER); context->HighlightUserFrames = !!PhGetIntegerSetting(SETTING_USE_COLOR_USER_THREAD_STACK); context->HighlightSystemFrames = !!PhGetIntegerSetting(SETTING_USE_COLOR_SYSTEM_THREAD_STACK); context->HighlightInlineFrames = !!PhGetIntegerSetting(SETTING_USE_COLOR_INLINE_THREAD_STACK); PhSetApplicationWindowIcon(hwndDlg); PhRegisterDialog(hwndDlg); PhCreateSearchControl( hwndDlg, context->SearchWindowHandle, L"Search Thread Stacks", PhpThreadStacksSearchControlCallback, context ); PhpInitializeThreadStacksTree(context); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->SearchWindowHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REFRESH), NULL, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, context->MessageHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); context->MinimumSize.left = 0; context->MinimumSize.top = 0; context->MinimumSize.right = 300; context->MinimumSize.bottom = 100; MapDialogRect(hwndDlg, &context->MinimumSize); if (PhValidWindowPlacementFromSetting(SETTING_THREAD_STACKS_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_THREAD_STACKS_WINDOW_POSITION, SETTING_THREAD_STACKS_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, context->ParentWindowHandle); PhRegisterWindowCallback(hwndDlg, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); PhSetTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT, 200, NULL); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); PhpThreadStacksRefresh(context); PhRegisterCallback( &PhSymbolEventCallback, PhpThreadStacksSymbolProviderEventCallback, context, &context->SymbolProviderEventRegistration ); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhUnregisterCallback(&PhSymbolEventCallback, &context->SymbolProviderEventRegistration); PhKillTimer(hwndDlg, PH_WINDOW_TIMER_DEFAULT); PhSaveWindowPlacementToSetting(SETTING_THREAD_STACKS_WINDOW_POSITION, SETTING_THREAD_STACKS_WINDOW_SIZE, hwndDlg); PhUnregisterWindowCallback(hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); PhpThreadStacksSaveSettingsTreeList(context); if (context->WorkerContext) InterlockedIncrement(&context->WorkerContext->Stop); PhDereferenceObject(context); PostQuitMessage(0); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_REFRESH: PhpThreadStacksRefresh(context); break; case IDCANCEL: DestroyWindow(hwndDlg); break; } } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, context->MinimumSize.right, context->MinimumSize.bottom); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_TIMER: { PPH_STRING statusMessage = NULL; PPH_STRING symbolMessage = NULL; PhAcquireQueuedLockExclusive(&context->MessageLock); if (context->MessageCount != context->LastMessageCount) { context->LastMessageCount = context->MessageCount; statusMessage = PhReferenceObject(context->StatusMessage); symbolMessage = PhReferenceObject(context->SymbolMessage); } PhReleaseQueuedLockExclusive(&context->MessageLock); if (statusMessage) { PPH_STRING message; PH_FORMAT format[3]; ULONG count = 0; assert(symbolMessage); PhInitFormatSR(&format[count++], statusMessage->sr); if (symbolMessage->Length) { PhInitFormatS(&format[count++], L" - "); PhInitFormatSR(&format[count++], symbolMessage->sr); } message = PhFormat(format, count, 80); SetWindowText(context->MessageHandle, message->Buffer); PhDereferenceObject(message); PhDereferenceObject(statusMessage); PhDereferenceObject(symbolMessage); } } break; case WM_PH_THREAD_STACKS_PUBLISH: { BOOLEAN restructure = (BOOLEAN)wParam; PPH_THREAD_STACKS_NODE node = (PPH_THREAD_STACKS_NODE)lParam; if (node) { PhAddItemList(context->NodeList, node); if (node->Type == PhThreadStacksNodeTypeProcess) PhAddItemList(context->NodeRootList, node); } if (restructure) PhpThreadStacksRestructureNodesWithSearch(context); } break; } return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpThreadStacksDialogThreadStart( _In_ PVOID Parameter ) { HWND windowHandle; BOOL result; MSG message; PH_AUTO_POOL autoPool; PhInitializeAutoPool(&autoPool); windowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_THRDSTACKS), NULL, PhpThreadStacksDlgProc, Parameter ); ShowWindow(windowHandle, SW_SHOW); SetForegroundWindow(windowHandle); while (result = GetMessage(&message, NULL, 0, 0)) { if (result == INT_ERROR) break; if (!IsDialogMessage(windowHandle, &message)) { TranslateMessage(&message); DispatchMessage(&message); } PhDrainAutoPool(&autoPool); } PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } VOID PhShowThreadStacksDialog( _In_ HWND ParentWindowHandle ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_THREAD_STACKS_CONTEXT context; if (PhBeginInitOnce(&initOnce)) { PhpThreadStacksObjectType = PhCreateObjectType(L"ThreadStacks", 0, PhpThreadStacksContextDeleteProcedure); PhpThreadStacksWorkerObjectType = PhCreateObjectType(L"ThreadStacksWorker", 0, PhpThreadStacksWorkerContextDeleteProcedure); PhpThreadStacksNodeObjectType = PhCreateObjectType(L"ThreadStacksNode", 0, PhpThreadStacksNodeDeleteProcedure); PhEndInitOnce(&initOnce); } context = PhpThreadStacksCreateContext(); context->ParentWindowHandle = ParentWindowHandle; if (!NT_SUCCESS(PhCreateThread2(PhpThreadStacksDialogThreadStart, context))) { PhShowStatus(ParentWindowHandle, L"Unable to create the window.", 0, ERROR_OUTOFMEMORY); PhDereferenceObject(context); } } ================================================ FILE: SystemInformer/tokprp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2012 * dmex 2017-2026 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include typedef enum _PH_PROCESS_TOKEN_CATEGORY { PH_PROCESS_TOKEN_CATEGORY_FLAGS, PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES, PH_PROCESS_TOKEN_CATEGORY_RESTRICTED, PH_PROCESS_TOKEN_CATEGORY_GROUPS, PH_PROCESS_TOKEN_CATEGORY_LOGON, PH_PROCESS_TOKEN_CATEGORY_INTEGRITY, } PH_PROCESS_TOKEN_CATEGORY; typedef enum _PH_PROCESS_TOKEN_FLAG { PH_PROCESS_TOKEN_FLAG_NO_WRITE_UP, PH_PROCESS_TOKEN_FLAG_SANDBOX_INERT, PH_PROCESS_TOKEN_FLAG_UIACCESS } PH_PROCESS_TOKEN_FLAG; typedef enum _PH_PROCESS_TOKEN_INDEX { PH_PROCESS_TOKEN_INDEX_NAME, PH_PROCESS_TOKEN_INDEX_STATUS, PH_PROCESS_TOKEN_INDEX_DESCRIPTION, PH_PROCESS_TOKEN_INDEX_SID, PH_PROCESS_TOKEN_INDEX_TYPE, PH_PROCESS_TOKEN_INDEX_USE, } PH_PROCESS_TOKEN_INDEX; typedef struct _PHP_TOKEN_PAGE_LISTVIEW_ITEM { PH_PROCESS_TOKEN_CATEGORY GroupId; PSID_AND_ATTRIBUTES TokenGroup; PLUID_AND_ATTRIBUTES TokenPrivilege; PH_PROCESS_TOKEN_FLAG ItemFlag; BOOLEAN ItemFlagState; } PHP_TOKEN_PAGE_LISTVIEW_ITEM, *PPHP_TOKEN_PAGE_LISTVIEW_ITEM; typedef struct _PHP_TOKEN_USER_RESOLVE_CONTEXT { HWND WindowHandle; PSID TokenUserSid; } PHP_TOKEN_USER_RESOLVE_CONTEXT, *PPHP_TOKEN_USER_RESOLVE_CONTEXT; typedef struct _PHP_TOKEN_GROUP_RESOLVE_CONTEXT { HWND ListViewHandle; PPHP_TOKEN_PAGE_LISTVIEW_ITEM LvItem; LONG GroupId; PSID TokenGroupSid; } PHP_TOKEN_GROUP_RESOLVE_CONTEXT, *PPHP_TOKEN_GROUP_RESOLVE_CONTEXT; typedef struct _PH_TOKEN_ATTRIBUTE_NODE { PH_TREENEW_NODE Node; PPH_LIST Children; PPH_STRING Text; PPH_STRING Value; } PH_TOKEN_ATTRIBUTE_NODE, *PPH_TOKEN_ATTRIBUTE_NODE; typedef struct _PH_TOKEN_ATTRIBUTE_TREE_CONTEXT { HWND WindowHandle; PPH_LIST RootList; PPH_LIST NodeList; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; } PH_TOKEN_ATTRIBUTE_TREE_CONTEXT, *PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT; typedef struct _TOKEN_PAGE_CONTEXT { PPH_OPEN_OBJECT OpenObject; PPH_CLOSE_OBJECT CloseObject; PVOID Context; DLGPROC HookProc; HANDLE ProcessId; HWND ListViewHandle; HIMAGELIST ListViewImageList; PH_LAYOUT_MANAGER LayoutManager; BOOLEAN SinglePageContext; PTOKEN_GROUPS Groups; PTOKEN_GROUPS RestrictedSids; PTOKEN_PRIVILEGES Privileges; PTOKEN_GROUPS Capabilities; PH_TOKEN_ATTRIBUTE_TREE_CONTEXT CapsTreeContext; PH_TOKEN_ATTRIBUTE_TREE_CONTEXT ClaimsTreeContext; PH_TOKEN_ATTRIBUTE_TREE_CONTEXT AuthzTreeContext; PH_TOKEN_ATTRIBUTE_TREE_CONTEXT AppPolicyTreeContext; } TOKEN_PAGE_CONTEXT, *PTOKEN_PAGE_CONTEXT; static CONST PH_KEY_VALUE_PAIR PhElevationTypePairs[] = { SIP(SREF(L"Unknown"), 0), SIP(SREF(L"No (Default)"), TokenElevationTypeDefault), SIP(SREF(L"No (Full)"), TokenElevationTypeFull), SIP(SREF(L"No (Limited)"), TokenElevationTypeLimited), SIP(SREF(L"Yes"), 4), SIP(SREF(L"Yes (Default)"), 4 + TokenElevationTypeDefault), SIP(SREF(L"Yes (Full)"), 4 + TokenElevationTypeFull), SIP(SREF(L"Yes (Limited)"), 4 + TokenElevationTypeLimited), }; static CONST PH_KEY_VALUE_PAIR PhImpersonationLevelPairs[] = { SIP(L"Anonymous", SecurityAnonymous), SIP(L"Identification", SecurityIdentification), SIP(L"Impersonation", SecurityImpersonation), SIP(L"Delegation", SecurityDelegation), }; static CONST PH_KEY_VALUE_PAIR PhTokenTypePairs[] = { SIP(L"Unknown", 0), SIP(L"Primary", TokenPrimary), SIP(L"Impersonation", TokenImpersonation), }; static CONST PH_KEY_VALUE_PAIR PhSidTypePairs[] = { SIP(L"Unknown", 0), SIP(L"User", SidTypeUser), SIP(L"Group", SidTypeGroup), SIP(L"Domain", SidTypeDomain), SIP(L"Alias", SidTypeAlias), SIP(L"WellKnownGroup", SidTypeWellKnownGroup), SIP(L"DeletedAccount", SidTypeDeletedAccount), SIP(L"Yes (Limited)", SidTypeInvalid), SIP(L"Unknown", SidTypeUnknown), SIP(L"Computer", SidTypeComputer), SIP(L"Label", SidTypeLabel), SIP(L"Logon session", SidTypeLogonSession), }; PH_ACCESS_ENTRY CONST PhpGroupDescriptionEntries[6] = { { NULL, SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED, FALSE, FALSE, L"Integrity" }, { NULL, SE_GROUP_LOGON_ID, FALSE, FALSE, L"Logon Id" }, { NULL, SE_GROUP_OWNER, FALSE, FALSE, L"Owner" }, { NULL, SE_GROUP_MANDATORY, FALSE, FALSE, L"Mandatory" }, { NULL, SE_GROUP_USE_FOR_DENY_ONLY, FALSE, FALSE, L"Use for deny only" }, { NULL, SE_GROUP_RESOURCE, FALSE, FALSE, L"Resource" } }; static CONST PH_STRINGREF PhpEmptyTokenAttributesText = PH_STRINGREF_INIT(L"There are no attributes to display."); static CONST PH_STRINGREF PhpEmptyTokenClaimsText = PH_STRINGREF_INIT(L"There are no claims to display."); static CONST PH_STRINGREF PhpEmptyTokenCapabilitiesText = PH_STRINGREF_INIT(L"There are no capabilities to display."); UINT CALLBACK PhpTokenPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ); INT_PTR CALLBACK PhpTokenPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhpShowTokenAdvancedProperties( _In_ HWND ParentWindowHandle, _In_ PTOKEN_PAGE_CONTEXT Context, _In_ BOOLEAN ShowAppContainerPage ); INT_PTR CALLBACK PhpTokenGeneralPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpTokenAdvancedPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpTokenCapabilitiesPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); BOOLEAN NTAPI PhpAttributeTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ); INT_PTR CALLBACK PhpTokenClaimsPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpTokenAttributesPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpTokenContainerPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); INT_PTR CALLBACK PhpTokenAppPolicyPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); PPH_STRING PhpGetTokenFolderPath( _In_ HANDLE TokenHandle ); PPH_STRING PhpGetTokenRegistryPath( _In_ HANDLE TokenHandle ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpTokenDialogThread( _In_ PVOID Context ) { PH_AUTO_POOL autoPool; LPPROPSHEETPAGE propSheetPage; PhInitializeAutoPool(&autoPool); propSheetPage = PhAllocateZero(sizeof(PROPSHEETPAGE)); propSheetPage->lParam = (LPARAM)Context; PhDialogBox( NtCurrentImageBase(), MAKEINTRESOURCE(IDD_OBJTOKEN), NULL, PhpTokenPageProc, propSheetPage ); PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } VOID PhCreateTokenDialog( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_ HANDLE ProcessId, _In_ PVOID Context, _In_opt_ DLGPROC HookProc ) { NTSTATUS status; PTOKEN_PAGE_CONTEXT tokenPageContext; HANDLE tokenHandle = NULL; if (!NT_SUCCESS(status = NtDuplicateObject( NtCurrentProcess(), Context, NtCurrentProcess(), &tokenHandle, 0, 0, DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES ))) { PhShowStatus(NULL, L"Unable to duplicate the token.", status, 0); return; } tokenPageContext = PhCreateAlloc(sizeof(TOKEN_PAGE_CONTEXT)); memset(tokenPageContext, 0, sizeof(TOKEN_PAGE_CONTEXT)); tokenPageContext->OpenObject = OpenObject; tokenPageContext->CloseObject = CloseObject; tokenPageContext->Context = tokenHandle; //tokenPageContext->HookProc = HookProc; tokenPageContext->ProcessId = ProcessId; tokenPageContext->SinglePageContext = TRUE; PhCreateThread2(PhpTokenDialogThread, tokenPageContext); } VOID PhShowTokenProperties( _In_ HWND ParentWindowHandle, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_ HANDLE ProcessId, _In_ PVOID Context, _In_opt_ PCWSTR Title ) { PhCreateTokenDialog(OpenObject, CloseObject, ProcessId, Context, NULL); } HPROPSHEETPAGE PhCreateTokenPage( _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_ HANDLE ProcessId, _In_opt_ PVOID Context, _In_opt_ DLGPROC HookProc ) { HPROPSHEETPAGE propSheetPageHandle; PROPSHEETPAGE propSheetPage; PTOKEN_PAGE_CONTEXT tokenPageContext; tokenPageContext = PhCreateAlloc(sizeof(TOKEN_PAGE_CONTEXT)); memset(tokenPageContext, 0, sizeof(TOKEN_PAGE_CONTEXT)); tokenPageContext->OpenObject = OpenObject; tokenPageContext->CloseObject = CloseObject; tokenPageContext->Context = Context; tokenPageContext->HookProc = HookProc; tokenPageContext->ProcessId = ProcessId; memset(&propSheetPage, 0, sizeof(PROPSHEETPAGE)); propSheetPage.dwSize = sizeof(PROPSHEETPAGE); propSheetPage.dwFlags = PSP_USECALLBACK; propSheetPage.pszTemplate = MAKEINTRESOURCE(IDD_OBJTOKEN); propSheetPage.hInstance = NtCurrentImageBase(); propSheetPage.pfnDlgProc = PhpTokenPageProc; propSheetPage.lParam = (LPARAM)tokenPageContext; propSheetPage.pfnCallback = PhpTokenPropPageProc; propSheetPageHandle = CreatePropertySheetPage(&propSheetPage); // CreatePropertySheetPage would have sent PSPCB_ADDREF (below), // which would have added a reference. PhDereferenceObject(tokenPageContext); return propSheetPageHandle; } UINT CALLBACK PhpTokenPropPageProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ LPPROPSHEETPAGE ppsp ) { PTOKEN_PAGE_CONTEXT tokenPageContext; tokenPageContext = (PTOKEN_PAGE_CONTEXT)ppsp->lParam; if (uMsg == PSPCB_ADDREF) { PhReferenceObject(tokenPageContext); } else if (uMsg == PSPCB_RELEASE) { PhDereferenceObject(tokenPageContext); } return 1; } PPH_STRING PhGetGroupAttributesString( _In_ ULONG Attributes, _In_ BOOLEAN Restricted ) { PPH_STRING string; if (FlagOn(Attributes, SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED)) { if (FlagOn(Attributes, SE_GROUP_ENABLED)) string = PhCreateString(L"Enabled (as a group)"); else string = PhReferenceEmptyString(); } else { if (FlagOn(Attributes, SE_GROUP_ENABLED)) { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) string = PhCreateString(L"Enabled"); else string = PhCreateString(L"Enabled (modified)"); } else { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) string = PhCreateString(L"Disabled (modified)"); else string = PhCreateString(L"Disabled"); } } if (Restricted) { PhMoveReference(&string, PhConcatStringRefZ(&string->sr, L" (restricted)")); } return string; } COLORREF PhGetGroupAttributesColorDark( _In_ ULONG Attributes ) { if (FlagOn(Attributes, SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED)) { if (!FlagOn(Attributes, SE_GROUP_ENABLED)) return RGB(0, 26, 0); } if (FlagOn(Attributes, SE_GROUP_ENABLED)) { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) return RGB(0, 26, 0); else return RGB(0, 102, 0); } else { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) return RGB(122, 77, 84); else return RGB(43, 12, 15); } } COLORREF PhGetPrivilegeAttributesColorDark( _In_ ULONG Attributes ) { if (FlagOn(Attributes, SE_PRIVILEGE_REMOVED)) { return RGB(0, 0, 0); } if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED)) { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return RGB(0, 26, 0); else return RGB(0, 102, 0); } else { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return RGB(122, 77, 84); else return RGB(43, 12, 15); } } COLORREF PhGetDangerousFlagColorDark( _In_ BOOLEAN FlagState ) { if (FlagState) return RGB(0xc0, 0xf0, 0xc0); else return RGB(0xf0, 0xc0, 0xc0); } COLORREF PhGetGroupAttributesColor( _In_ ULONG Attributes ) { if (FlagOn(Attributes, SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED)) { if (!FlagOn(Attributes, SE_GROUP_ENABLED)) return RGB(0xe0, 0xf0, 0xe0); } if (FlagOn(Attributes, SE_GROUP_ENABLED)) { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) return RGB(0xe0, 0xf0, 0xe0); else return RGB(0xc0, 0xf0, 0xc0); } else { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) return RGB(0xf0, 0xc0, 0xc0); else return RGB(0xf0, 0xe0, 0xe0); } } COLORREF PhGetPrivilegeAttributesColor( _In_ ULONG Attributes ) { if (FlagOn(Attributes, SE_PRIVILEGE_REMOVED)) { return RGB(0xc0, 0xc0, 0xc0); } if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED)) { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return RGB(0xe0, 0xf0, 0xe0); else return RGB(0xc0, 0xf0, 0xc0); } else { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return RGB(0xf0, 0xc0, 0xc0); else return RGB(0xf0, 0xe0, 0xe0); } } COLORREF PhGetDangerousFlagColor( _In_ BOOLEAN FlagState ) { if (FlagState) return RGB(0xc0, 0xf0, 0xc0); else return RGB(0xf0, 0xc0, 0xc0); } static COLORREF NTAPI PhpTokenGroupColorFunction( _In_ LONG Index, _In_ PVOID Param, _In_opt_ PVOID Context ) { PPHP_TOKEN_PAGE_LISTVIEW_ITEM entry = Param; if (PhEnableThemeSupport) { if (entry->GroupId == PH_PROCESS_TOKEN_CATEGORY_FLAGS) return PhGetDangerousFlagColorDark(entry->ItemFlagState); else if (entry->GroupId == PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES) return PhGetPrivilegeAttributesColorDark(entry->TokenPrivilege->Attributes); else return PhGetGroupAttributesColorDark(entry->TokenGroup->Attributes); } else { if (entry->GroupId == PH_PROCESS_TOKEN_CATEGORY_FLAGS) return PhGetDangerousFlagColor(entry->ItemFlagState); else if (entry->GroupId == PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES) return PhGetPrivilegeAttributesColor(entry->TokenPrivilege->Attributes); else return PhGetGroupAttributesColor(entry->TokenGroup->Attributes); } } PCWSTR PhGetPrivilegeAttributesString( _In_ ULONG Attributes ) { if (FlagOn(Attributes, SE_PRIVILEGE_REMOVED)) { return L"Removed"; } if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED)) { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return L"Enabled"; else return L"Enabled (modified)"; } else { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return L"Disabled (modified)"; else return L"Disabled"; } } _Success_(return) BOOLEAN PhGetElevationTypeString( _In_ BOOLEAN IsElevated, _In_ TOKEN_ELEVATION_TYPE ElevationType, _Out_ PCPH_STRINGREF* ElevationTypeString ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( PhElevationTypePairs, sizeof(PhElevationTypePairs), (IsElevated ? 4 : 0) + (ULONG)ElevationType, &string )) { *ElevationTypeString = string; return TRUE; } return FALSE; } _Success_(return) BOOLEAN PhGetImpersonationLevelString( _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _Out_ PCWSTR* ImpersonationLevelString ) { if (PhIndexStringSiKeyValuePairs( PhImpersonationLevelPairs, sizeof(PhImpersonationLevelPairs), ImpersonationLevel, ImpersonationLevelString )) { return TRUE; } return FALSE; } _Success_(return) BOOLEAN PhGetTokenTypeString( _In_ TOKEN_TYPE TokenType, _Out_ PCWSTR* TokenTypeString ) { if (PhIndexStringSiKeyValuePairs( PhTokenTypePairs, sizeof(PhTokenTypePairs), TokenType, TokenTypeString )) { return TRUE; } return FALSE; } VOID PhpTokenPageFreeListViewEntries( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext ) { LONG index = INT_ERROR; while ((index = PhFindListViewItemByFlags( TokenPageContext->ListViewHandle, index, LVNI_ALL )) != INT_ERROR) { PPHP_TOKEN_PAGE_LISTVIEW_ITEM entry; if (PhGetListViewItemParam(TokenPageContext->ListViewHandle, index, &entry)) { PhFree(entry); } } } _Success_(return) BOOLEAN PhGetTokenSidTypeString( _In_ SID_NAME_USE TokenNameUse, _Out_ PCWSTR* TokenNameUseString ) { if (PhIndexStringSiKeyValuePairs( PhSidTypePairs, sizeof(PhSidTypePairs), TokenNameUse, TokenNameUseString )) { return TRUE; } return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS NTAPI PhpTokenGroupResolveWorker( _In_ PVOID ThreadParameter ) { PPHP_TOKEN_GROUP_RESOLVE_CONTEXT context = ThreadParameter; PPH_STRING sidString; SID_NAME_USE sidUse; LONG ItemIndex; ItemIndex = PhFindListViewItemByParam( context->ListViewHandle, INT_ERROR, context->LvItem ); if (ItemIndex != INT_ERROR) { if (sidString = PhGetSidFullName(context->TokenGroupSid, TRUE, NULL)) { PhMoveReference(&sidString, PhReferenceObject(sidString)); } else if (sidString = PhGetAppContainerPackageName(context->TokenGroupSid)) { PhMoveReference(&sidString, PhConcatStringRefZ(&sidString->sr, L" (APP_PACKAGE)")); } else if (sidString = PhGetAppContainerName(context->TokenGroupSid)) { PhMoveReference(&sidString, PhConcatStringRefZ(&sidString->sr, L" (APP_CONTAINER)")); } else if (sidString = PhGetCapabilitySidName(context->TokenGroupSid)) { PhMoveReference(&sidString, PhConcatStringRefZ(&sidString->sr, L" (APP_CAPABILITY)")); } else { if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(context->TokenGroupSid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_NT_AUTHORITY)) { ULONG subAuthority = *PhSubAuthoritySid(context->TokenGroupSid, 0); switch (subAuthority) { case SECURITY_UMFD_BASE_RID: PhMoveReference(&sidString, PhCreateString(L"Font Driver Host\\UMFD")); break; } } else if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(context->TokenGroupSid), PhIdentifierAuthoritySid(PhSeCloudActiveDirectorySid()))) { ULONG subAuthority = *PhSubAuthoritySid(context->TokenGroupSid, 0); if (subAuthority == 1) { PhMoveReference(&sidString, PhGetAzureDirectoryObjectSid(context->TokenGroupSid)); } } } PhSetListViewSubItem(context->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_NAME, PhGetStringOrDefault(sidString, L"[Unknown SID]")); PhSetListViewSubItem(context->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_TYPE, PhGetSidAccountTypeString(context->TokenGroupSid)); PhClearReference(&sidString); } if (NT_SUCCESS(PhLookupSid(context->TokenGroupSid, NULL, NULL, &sidUse))) { PWSTR tokenSidType; if (PhGetTokenSidTypeString(sidUse, &tokenSidType)) PhSetListViewSubItem(context->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_USE, tokenSidType); else PhSetListViewSubItem(context->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_USE, L"N/A"); } else { PhSetListViewSubItem(context->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_USE, L"N/A"); } PhFree(context->TokenGroupSid); PhFree(context); return STATUS_SUCCESS; } VOID PhpUpdateSidsFromTokenGroups( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext, _In_ PTOKEN_GROUPS Groups, _In_ BOOLEAN Restricted ) { for (ULONG i = 0; i < Groups->GroupCount; i++) { PPH_STRING stringUserSid; PPH_STRING attributesString; PPH_STRING descriptionString; PPHP_TOKEN_PAGE_LISTVIEW_ITEM lvitem; LONG ItemIndex; lvitem = PhAllocateZero(sizeof(PHP_TOKEN_PAGE_LISTVIEW_ITEM)); lvitem->GroupId = Restricted ? PH_PROCESS_TOKEN_CATEGORY_RESTRICTED : PH_PROCESS_TOKEN_CATEGORY_GROUPS; lvitem->TokenGroup = &Groups->Groups[i]; if (FlagOn(Groups->Groups[i].Attributes, SE_GROUP_LOGON_ID)) { lvitem->GroupId = PH_PROCESS_TOKEN_CATEGORY_LOGON; } else if (FlagOn(Groups->Groups[i].Attributes, SE_GROUP_INTEGRITY)) { lvitem->GroupId = PH_PROCESS_TOKEN_CATEGORY_INTEGRITY; } ItemIndex = PhAddListViewGroupItem( TokenPageContext->ListViewHandle, lvitem->GroupId, MAXINT, L"Resolving...", lvitem ); if (attributesString = PhGetGroupAttributesString(Groups->Groups[i].Attributes, Restricted)) { PhSetListViewSubItem(TokenPageContext->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_STATUS, PhGetString(attributesString)); PhDereferenceObject(attributesString); } descriptionString = PhGetAccessString( Groups->Groups[i].Attributes, (PPH_ACCESS_ENTRY)PhpGroupDescriptionEntries, RTL_NUMBER_OF(PhpGroupDescriptionEntries) ); if (descriptionString) { PhSetListViewSubItem(TokenPageContext->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_DESCRIPTION, PhGetString(descriptionString)); PhDereferenceObject(descriptionString); } if (stringUserSid = PhSidToStringSid(Groups->Groups[i].Sid)) { PhSetListViewSubItem(TokenPageContext->ListViewHandle, ItemIndex, PH_PROCESS_TOKEN_INDEX_SID, PhGetString(stringUserSid)); PhDereferenceObject(stringUserSid); } { PPHP_TOKEN_GROUP_RESOLVE_CONTEXT tokenGroupResolve; tokenGroupResolve = PhAllocateZero(sizeof(PHP_TOKEN_GROUP_RESOLVE_CONTEXT)); tokenGroupResolve->ListViewHandle = TokenPageContext->ListViewHandle; tokenGroupResolve->LvItem = lvitem; tokenGroupResolve->GroupId = lvitem->GroupId; tokenGroupResolve->TokenGroupSid = PhAllocateCopy(Groups->Groups[i].Sid, PhLengthSid(Groups->Groups[i].Sid)); PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), PhpTokenGroupResolveWorker, tokenGroupResolve); } } } BOOLEAN PhpUpdateTokenGroups( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext, _In_ HANDLE TokenHandle ) { PTOKEN_GROUPS groups = NULL; PTOKEN_GROUPS restrictedSIDs = NULL; if (NT_SUCCESS(PhGetTokenGroups(TokenHandle, &groups))) { PhpUpdateSidsFromTokenGroups(TokenPageContext, groups, FALSE); } if (NT_SUCCESS(PhGetTokenRestrictedSids(TokenHandle, &restrictedSIDs))) { PhpUpdateSidsFromTokenGroups(TokenPageContext, restrictedSIDs, TRUE); } if (TokenPageContext->RestrictedSids) PhFree(TokenPageContext->RestrictedSids); if (TokenPageContext->Groups) PhFree(TokenPageContext->Groups); TokenPageContext->RestrictedSids = restrictedSIDs; TokenPageContext->Groups = groups; return TRUE; } NTSTATUS NTAPI PhpEnumeratePrivilegesCallback( _In_ PPOLICY_PRIVILEGE_DEFINITION Privileges, _In_ ULONG NumberOfPrivileges, _In_ PVOID Context ) { PTOKEN_PAGE_CONTEXT tokenPageContext = Context; if (!tokenPageContext->Privileges) return STATUS_UNSUCCESSFUL; for (ULONG i = 0; i < NumberOfPrivileges; i++) { PPH_STRING privilegeName; PPH_STRING privilegeDisplayName; PPHP_TOKEN_PAGE_LISTVIEW_ITEM lvitem; LONG itemIndex; for (ULONG j = 0; j < tokenPageContext->Privileges->PrivilegeCount; j++) { if (RtlIsEqualLuid(&tokenPageContext->Privileges->Privileges[j].Luid, &Privileges[i].LocalValue)) { continue; } } privilegeName = PhCreateStringFromUnicodeString(&Privileges[i].Name); privilegeDisplayName = NULL; PhLookupPrivilegeDisplayName(&privilegeName->sr, &privilegeDisplayName); lvitem = PhAllocateZero(sizeof(PHP_TOKEN_PAGE_LISTVIEW_ITEM)); lvitem->GroupId = PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES; lvitem->TokenPrivilege = PhAllocateZero(sizeof(LUID_AND_ATTRIBUTES)); lvitem->TokenPrivilege->Luid = Privileges[i].LocalValue; lvitem->TokenPrivilege->Attributes = SE_PRIVILEGE_REMOVED; // Name itemIndex = PhAddListViewGroupItem(tokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES, MAXINT, PhGetString(privilegeName), lvitem); // Status PhSetListViewSubItem(tokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_STATUS, PhGetPrivilegeAttributesString(lvitem->TokenPrivilege->Attributes)); // Description PhSetListViewSubItem(tokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_DESCRIPTION, PhGetStringOrEmpty(privilegeDisplayName)); // Privilege value PhSetListViewSubItem(tokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_SID, PhaFormatUInt64(Privileges[i].LocalValue.LowPart, FALSE)->Buffer); PhClearReference(&privilegeDisplayName); PhClearReference(&privilegeName); } return STATUS_SUCCESS; } BOOLEAN PhpUpdateTokenPrivileges( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext, _In_ HANDLE TokenHandle ) { PTOKEN_PRIVILEGES privileges; ULONG i; if (!NT_SUCCESS(PhGetTokenPrivileges(TokenHandle, &privileges))) return FALSE; for (i = 0; i < privileges->PrivilegeCount; i++) { PPH_STRING privilegeName; PPH_STRING privilegeDisplayName; if (NT_SUCCESS(PhLookupPrivilegeName( &privileges->Privileges[i].Luid, &privilegeName ))) { PPHP_TOKEN_PAGE_LISTVIEW_ITEM lvitem; LONG itemIndex; lvitem = PhAllocateZero(sizeof(PHP_TOKEN_PAGE_LISTVIEW_ITEM)); lvitem->GroupId = PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES; lvitem->TokenPrivilege = &privileges->Privileges[i]; privilegeDisplayName = NULL; PhLookupPrivilegeDisplayName(&privilegeName->sr, &privilegeDisplayName); // Name itemIndex = PhAddListViewGroupItem(TokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES, MAXINT, privilegeName->Buffer, lvitem); // Status PhSetListViewSubItem(TokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_STATUS, PhGetPrivilegeAttributesString(privileges->Privileges[i].Attributes)); // Description PhSetListViewSubItem(TokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_DESCRIPTION, PhGetStringOrEmpty(privilegeDisplayName)); // Value PhSetListViewSubItem(TokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_SID, PhaFormatUInt64(privileges->Privileges[i].Luid.LowPart, FALSE)->Buffer); PhClearReference(&privilegeDisplayName); PhClearReference(&privilegeName); } } if (TokenPageContext->Privileges) PhFree(TokenPageContext->Privileges); TokenPageContext->Privileges = privileges; if (PhGetIntegerSetting(SETTING_ENABLE_TOKEN_REMOVED_PRIVILEGES)) { PhEnumeratePrivileges(PhpEnumeratePrivilegesCallback, TokenPageContext); } return TRUE; } VOID PhpUpdateTokenDangerousFlagItem( _In_ HWND ListViewHandle, _In_ PH_PROCESS_TOKEN_FLAG Flag, _In_ BOOLEAN State, _In_ PWSTR Name, _In_ PWSTR Description ) { PPHP_TOKEN_PAGE_LISTVIEW_ITEM lvitem; LONG itemIndex; lvitem = PhAllocateZero(sizeof(PHP_TOKEN_PAGE_LISTVIEW_ITEM)); lvitem->GroupId = PH_PROCESS_TOKEN_CATEGORY_FLAGS; lvitem->ItemFlag = Flag; lvitem->ItemFlagState = State; // Name itemIndex = PhAddListViewGroupItem(ListViewHandle, lvitem->GroupId, MAXINT, Name, lvitem); // Status PhSetListViewSubItem(ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_STATUS, State ? L"Enabled (modified)" : L"Disabled (modified)"); // Description PhSetListViewSubItem(ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_DESCRIPTION, Description); // Value PhSetListViewSubItem(ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_SID, PhaFormatUInt64(Flag, FALSE)->Buffer); } BOOLEAN PhpUpdateTokenDangerousFlags( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext, _In_ HANDLE TokenHandle ) { TOKEN_MANDATORY_POLICY mandatoryPolicy; BOOLEAN isSandboxInert; BOOLEAN isUIAccess; if (NT_SUCCESS(PhGetTokenMandatoryPolicy(TokenHandle, &mandatoryPolicy))) { // The disabled no-write-up policy is considered to be dangerous (diversenok) if ((mandatoryPolicy.Policy & TOKEN_MANDATORY_POLICY_NO_WRITE_UP) == 0) { PhpUpdateTokenDangerousFlagItem( TokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_FLAG_NO_WRITE_UP, FALSE, L"No-Write-Up Policy", L"Prevents the process from modifying objects with a higher integrity" ); } } if (NT_SUCCESS(PhGetTokenIsSandBoxInert(TokenHandle, &isSandboxInert))) { // The presence of SandboxInert flag is considered dangerous (diversenok) if (isSandboxInert) { PhpUpdateTokenDangerousFlagItem( TokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_FLAG_SANDBOX_INERT, TRUE, L"Sandbox Inert", L"Ignore AppLocker rules and Software Restriction Policies" ); } } if (NT_SUCCESS(PhGetTokenUIAccess(TokenHandle, &isUIAccess))) { // The presence of UIAccess flag is considered dangerous (diversenok) if (isUIAccess) { PhpUpdateTokenDangerousFlagItem( TokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_FLAG_UIACCESS, TRUE, L"UIAccess", L"Ignore User Interface Privilege Isolation" ); } } return TRUE; } FORCEINLINE PTOKEN_PAGE_CONTEXT PhpTokenPageHeader( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { return PhpGenericPropertyPageHeader(hwndDlg, uMsg, wParam, lParam, 3); } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS NTAPI PhpTokenUserResolveWorker( _In_ PVOID ThreadParameter ) { PPHP_TOKEN_USER_RESOLVE_CONTEXT context = ThreadParameter; PPH_STRING fullUserName; if (fullUserName = PhGetSidFullName(context->TokenUserSid, TRUE, NULL)) { PhSetWindowText(context->WindowHandle, PhGetString(fullUserName)); PhDereferenceObject(fullUserName); } else { if (fullUserName = PhGetAzureDirectoryObjectSid(context->TokenUserSid)) { PhSetWindowText(context->WindowHandle, PhGetString(fullUserName)); PhDereferenceObject(fullUserName); } } PhFree(context->TokenUserSid); PhFree(context); return STATUS_SUCCESS; } static VOID PhpTokenSetImageList( _In_ HWND WindowHandle, _Inout_ PTOKEN_PAGE_CONTEXT TokenPageContext ) { LONG dpiValue; dpiValue = PhGetWindowDpi(WindowHandle); if (TokenPageContext->ListViewImageList) { PhImageListSetIconSize( TokenPageContext->ListViewImageList, 2, PhGetDpi(20, dpiValue) ); } else { TokenPageContext->ListViewImageList = PhImageListCreate( 2, PhGetDpi(20, dpiValue), ILC_MASK | ILC_COLOR32, 1, 1 ); } ListView_SetImageList(TokenPageContext->ListViewHandle, TokenPageContext->ListViewImageList, LVSIL_SMALL); } LONG PhpGetTokenPrivilegeSortingIndex( _In_ ULONG Attributes ) { if (FlagOn(Attributes, SE_PRIVILEGE_REMOVED)) return 4; else { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED)) { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return 0; else return 1; } else { if (FlagOn(Attributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) return 2; else return 3; } } } LONG PhpGetTokenGroupSortingIndex( _In_ ULONG Attributes ) { if (FlagOn(Attributes, SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED)) { if (!FlagOn(Attributes, SE_GROUP_ENABLED)) return 0; } if (FlagOn(Attributes, SE_GROUP_ENABLED)) { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) return 1; else return 2; } else { if (FlagOn(Attributes, SE_GROUP_ENABLED_BY_DEFAULT)) return 3; else return 4; } } LONG NTAPI PhpTokenStatusColumnCompareFunction( _In_ PVOID Item1, _In_ PVOID Item2, _In_opt_ PVOID Context ) { PPHP_TOKEN_PAGE_LISTVIEW_ITEM item1 = Item1; PPHP_TOKEN_PAGE_LISTVIEW_ITEM item2 = Item2; ULONG value1; ULONG value2; if (item1->GroupId == PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES) { value1 = PhpGetTokenPrivilegeSortingIndex(item1->TokenPrivilege->Attributes); } else if ( item1->GroupId == PH_PROCESS_TOKEN_CATEGORY_GROUPS || item1->GroupId == PH_PROCESS_TOKEN_CATEGORY_LOGON || item1->GroupId == PH_PROCESS_TOKEN_CATEGORY_INTEGRITY ) { value1 = PhpGetTokenGroupSortingIndex(item1->TokenGroup->Attributes); } else { value1 = 0; } if (item2->GroupId == PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES) { value2 = PhpGetTokenPrivilegeSortingIndex(item2->TokenPrivilege->Attributes); } else if ( item2->GroupId == PH_PROCESS_TOKEN_CATEGORY_GROUPS || item2->GroupId == PH_PROCESS_TOKEN_CATEGORY_LOGON || item2->GroupId == PH_PROCESS_TOKEN_CATEGORY_INTEGRITY ) { value2 = PhpGetTokenGroupSortingIndex(item2->TokenGroup->Attributes); } else { value2 = 0; } return uintcmp(value1, value2); } INT_PTR CALLBACK PhpTokenPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; if (tokenPageContext->HookProc) { if (tokenPageContext->HookProc(hwndDlg, uMsg, wParam, lParam)) return TRUE; } switch (uMsg) { case WM_INITDIALOG: { HANDLE tokenHandle; tokenPageContext->ListViewHandle = GetDlgItem(hwndDlg, IDC_GROUPS); PhSetListViewStyle(tokenPageContext->ListViewHandle, TRUE, TRUE); PhSetControlTheme(tokenPageContext->ListViewHandle, L"explorer"); PhAddListViewColumn(tokenPageContext->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 100, L"Name"); PhAddListViewColumn(tokenPageContext->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 100, L"Status"); PhAddListViewColumn(tokenPageContext->ListViewHandle, 2, 2, 2, LVCFMT_LEFT, 170, L"Description"); PhAddListViewColumn(tokenPageContext->ListViewHandle, 3, 3, 3, LVCFMT_LEFT, 100, L"SID"); PhAddListViewColumn(tokenPageContext->ListViewHandle, 4, 4, 4, LVCFMT_LEFT, 100, L"Type"); PhAddListViewColumn(tokenPageContext->ListViewHandle, 5, 5, 5, LVCFMT_LEFT, 100, L"Use"); PhSetExtendedListView(tokenPageContext->ListViewHandle); ExtendedListView_SetCompareFunction(tokenPageContext->ListViewHandle, 1, PhpTokenStatusColumnCompareFunction); ExtendedListView_SetItemColorFunction(tokenPageContext->ListViewHandle, PhpTokenGroupColorFunction); ListView_EnableGroupView(tokenPageContext->ListViewHandle, TRUE); PhAddListViewGroup(tokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_FLAGS, L"Flags"); PhAddListViewGroup(tokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES, L"Privileges"); PhAddListViewGroup(tokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_RESTRICTED, L"Restricting SIDs"); PhAddListViewGroup(tokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_GROUPS, L"Groups"); PhAddListViewGroup(tokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_LOGON, L"Groups (Logon SID)"); PhAddListViewGroup(tokenPageContext->ListViewHandle, PH_PROCESS_TOKEN_CATEGORY_INTEGRITY, L"Groups (Mandatory label)"); PhLoadListViewColumnsFromSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_COLUMNS, tokenPageContext->ListViewHandle); PhLoadListViewGroupStatesFromSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_STATES, tokenPageContext->ListViewHandle); PhLoadListViewSortColumnsFromSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_SORT, tokenPageContext->ListViewHandle); PhpTokenSetImageList(hwndDlg, tokenPageContext); PhSetDialogItemText(hwndDlg, IDC_USER, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_USERSID, L"Unknown"); if (NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ))) { PH_TOKEN_USER tokenUser; PPH_STRING stringUserSid; ULONG tokenSessionId = ULONG_MAX; BOOLEAN tokenElevation = FALSE; TOKEN_ELEVATION_TYPE tokenElevationType = 0; PPH_STRINGREF tokenElevationTypeString; BOOLEAN isVirtualizationAllowed; BOOLEAN isVirtualizationEnabled; PH_TOKEN_APPCONTAINER tokenAppContainer; PPH_STRING appContainerName; PPH_STRING appContainerSidString; if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser))) { BOOLEAN tokenIsAppContainer = FALSE; PhGetTokenIsAppContainer(tokenHandle, &tokenIsAppContainer); if (!tokenIsAppContainer) // HACK (dmex) { PPHP_TOKEN_USER_RESOLVE_CONTEXT tokenUserResolve; PhSetDialogItemText(hwndDlg, IDC_USER, L"Resolving..."); tokenUserResolve = PhAllocateZero(sizeof(PHP_TOKEN_USER_RESOLVE_CONTEXT)); tokenUserResolve->WindowHandle = GetDlgItem(hwndDlg, IDC_USER); tokenUserResolve->TokenUserSid = PhAllocateCopy(tokenUser.User.Sid, PhLengthSid(tokenUser.User.Sid)); PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), PhpTokenUserResolveWorker, tokenUserResolve); } if (stringUserSid = PhSidToStringSid(tokenUser.User.Sid)) { PhSetDialogItemText(hwndDlg, IDC_USERSID, stringUserSid->Buffer); PhDereferenceObject(stringUserSid); } } PhGetTokenSessionId(tokenHandle, &tokenSessionId); PhGetTokenElevation(tokenHandle, &tokenElevation); PhGetTokenElevationType(tokenHandle, &tokenElevationType); if (tokenSessionId != ULONG_MAX) PhSetDialogItemValue(hwndDlg, IDC_SESSIONID, tokenSessionId, FALSE); else PhSetDialogItemText(hwndDlg, IDC_SESSIONID, L"Unknown"); if (PhGetElevationTypeString(tokenElevation, tokenElevationType, &tokenElevationTypeString)) PhSetDialogItemText(hwndDlg, IDC_ELEVATED, PhGetStringRefZ(tokenElevationTypeString)); else PhSetDialogItemText(hwndDlg, IDC_ELEVATED, L"Unknown"); if (NT_SUCCESS(PhGetTokenIsVirtualizationAllowed(tokenHandle, &isVirtualizationAllowed))) { if (isVirtualizationAllowed) { if (NT_SUCCESS(PhGetTokenIsVirtualizationEnabled(tokenHandle, &isVirtualizationEnabled))) { PhSetDialogItemText(hwndDlg, IDC_VIRTUALIZED, isVirtualizationEnabled ? L"Yes" : L"No"); } } else { PhSetDialogItemText(hwndDlg, IDC_VIRTUALIZED, L"Not allowed"); } } if (WindowsVersion >= WINDOWS_8) { appContainerName = NULL; appContainerSidString = NULL; if (NT_SUCCESS(PhGetTokenAppContainerSid(tokenHandle, &tokenAppContainer))) { appContainerName = PhGetAppContainerName(tokenAppContainer.AppContainer.Sid); appContainerSidString = PhSidToStringSid(tokenAppContainer.AppContainer.Sid); } if (appContainerName) { PPH_STRING packageFamilyName; packageFamilyName = PhConcatStrings2(appContainerName->Buffer, L" (APP_CONTAINER)"); PhSetDialogItemText(hwndDlg, IDC_USER, PhGetString(packageFamilyName)); PhDereferenceObject(packageFamilyName); PhDereferenceObject(appContainerName); } if (appContainerSidString) { PhSetDialogItemText(hwndDlg, IDC_USERSID, PhGetString(appContainerSidString)); PhDereferenceObject(appContainerSidString); } } { ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, FALSE); PhpTokenPageFreeListViewEntries(tokenPageContext); ListView_DeleteAllItems(tokenPageContext->ListViewHandle); PhpUpdateTokenDangerousFlags(tokenPageContext, tokenHandle); PhpUpdateTokenGroups(tokenPageContext, tokenHandle); PhpUpdateTokenPrivileges(tokenPageContext, tokenHandle); ExtendedListView_SortItems(tokenPageContext->ListViewHandle); ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, TRUE); } tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } if (tokenPageContext->SinglePageContext) { LPPROPSHEETPAGE page = (LPPROPSHEETPAGE)lParam; if (page) PhFree(page); PhSetApplicationWindowIcon(hwndDlg); PhSetWindowText(hwndDlg, L"Linked Token"); PhInitializeLayoutManager(&tokenPageContext->LayoutManager, hwndDlg); PhAddLayoutItem(&tokenPageContext->LayoutManager, tokenPageContext->ListViewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&tokenPageContext->LayoutManager, GetDlgItem(hwndDlg, IDC_DEFAULTPERM), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&tokenPageContext->LayoutManager, GetDlgItem(hwndDlg, IDC_PERMISSIONS), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&tokenPageContext->LayoutManager, GetDlgItem(hwndDlg, IDC_INTEGRITY), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); PhAddLayoutItem(&tokenPageContext->LayoutManager, GetDlgItem(hwndDlg, IDC_ADVANCED), NULL, PH_ANCHOR_RIGHT | PH_ANCHOR_BOTTOM); if (PhValidWindowPlacementFromSetting(SETTING_TOKEN_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_TOKEN_WINDOW_POSITION, SETTING_TOKEN_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, NULL); PhSetDialogFocus(hwndDlg, tokenPageContext->ListViewHandle); } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhSaveListViewSortColumnsToSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_SORT, tokenPageContext->ListViewHandle); PhSaveListViewGroupStatesToSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_STATES, tokenPageContext->ListViewHandle); PhSaveListViewColumnsToSetting(SETTING_TOKEN_GROUPS_LIST_VIEW_COLUMNS, tokenPageContext->ListViewHandle); if (tokenPageContext->SinglePageContext) { PhSaveWindowPlacementToSetting(SETTING_TOKEN_WINDOW_POSITION, SETTING_TOKEN_WINDOW_SIZE, hwndDlg); PhDeleteLayoutManager(&tokenPageContext->LayoutManager); if (tokenPageContext->Context) { NtClose(tokenPageContext->Context); tokenPageContext->Context = NULL; } } PhpTokenPageFreeListViewEntries(tokenPageContext); if (tokenPageContext->ListViewImageList) PhImageListDestroy(tokenPageContext->ListViewImageList); if (tokenPageContext->Groups) PhFree(tokenPageContext->Groups); if (tokenPageContext->RestrictedSids) PhFree(tokenPageContext->RestrictedSids); if (tokenPageContext->Privileges) PhFree(tokenPageContext->Privileges); } break; case WM_SIZE: { if (tokenPageContext->SinglePageContext) { PhLayoutManagerLayout(&tokenPageContext->LayoutManager); } } break; case WM_DPICHANGED: case WM_DPICHANGED_AFTERPARENT: { PhpTokenSetImageList(hwndDlg, tokenPageContext); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDCANCEL: case IDOK: { if (tokenPageContext->SinglePageContext) { EndDialog(hwndDlg, IDOK); } } break; case ID_PRIVILEGE_ENABLE: case ID_PRIVILEGE_DISABLE: case ID_PRIVILEGE_RESET: case ID_PRIVILEGE_REMOVE: { NTSTATUS status; BOOLEAN listViewGroupItemsValid = TRUE; PPHP_TOKEN_PAGE_LISTVIEW_ITEM *listViewItems; ULONG numberOfItems; HANDLE tokenHandle; ULONG i; PhGetSelectedListViewItemParams(tokenPageContext->ListViewHandle, &listViewItems, &numberOfItems); for (i = 0; i < numberOfItems; i++) { if (listViewItems[i]->GroupId != PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES) { listViewGroupItemsValid = FALSE; break; } } if (!listViewGroupItemsValid) { PhFree(listViewItems); break; } if (GET_WM_COMMAND_ID(wParam, lParam) == ID_PRIVILEGE_REMOVE) { if (!PhShowConfirmMessage( hwndDlg, L"remove", L"the selected privilege(s)", L"Removing privileges may reduce the functionality of the process, " L"and is permanent for the lifetime of the process.", FALSE )) { PhFree(listViewItems); break; } } status = tokenPageContext->OpenObject( &tokenHandle, TOKEN_ADJUST_PRIVILEGES, tokenPageContext->Context // ProcessId ); if (NT_SUCCESS(status)) { ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, FALSE); for (i = 0; i < numberOfItems; i++) { PPH_STRING privilegeName = NULL; ULONG newAttributes = listViewItems[i]->TokenPrivilege->Attributes; if (NT_SUCCESS(PhLookupPrivilegeName(&listViewItems[i]->TokenPrivilege->Luid, &privilegeName))) { PH_AUTO(privilegeName); } switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_PRIVILEGE_ENABLE: { SetFlag(newAttributes, SE_PRIVILEGE_ENABLED); } break; case ID_PRIVILEGE_DISABLE: { ClearFlag(newAttributes, SE_PRIVILEGE_ENABLED); } break; case ID_PRIVILEGE_RESET: { if (FlagOn(newAttributes, SE_PRIVILEGE_ENABLED_BY_DEFAULT)) SetFlag(newAttributes, SE_PRIVILEGE_ENABLED); else ClearFlag(newAttributes, SE_PRIVILEGE_ENABLED); } break; case ID_PRIVILEGE_REMOVE: { newAttributes = SE_PRIVILEGE_REMOVED; } break; } if (NT_SUCCESS(PhSetTokenPrivilege( tokenHandle, NULL, &listViewItems[i]->TokenPrivilege->Luid, newAttributes ))) { LONG itemIndex; itemIndex = PhFindListViewItemByParam( tokenPageContext->ListViewHandle, INT_ERROR, listViewItems[i] ); if (itemIndex != INT_ERROR) { if (GET_WM_COMMAND_ID(wParam, lParam) != ID_PRIVILEGE_REMOVE) { // Refresh the status text (and background color). listViewItems[i]->TokenPrivilege->Attributes = newAttributes; PhSetListViewSubItem( tokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_STATUS, PhGetPrivilegeAttributesString(newAttributes) ); } else { ListView_DeleteItem(tokenPageContext->ListViewHandle, itemIndex); } } } else { PWSTR action = L"set"; switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_PRIVILEGE_ENABLE: action = L"enable"; break; case ID_PRIVILEGE_DISABLE: action = L"disable"; break; case ID_PRIVILEGE_RESET: action = L"reset"; break; case ID_PRIVILEGE_REMOVE: action = L"remove"; break; } if (!PhShowContinueStatus( hwndDlg, PhaFormatString(L"Unable to %s %s.", action, PhGetStringOrDefault(privilegeName, L"privilege"))->Buffer, STATUS_UNSUCCESSFUL, 0 )) break; } } ExtendedListView_SortItems(tokenPageContext->ListViewHandle); ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, TRUE); tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } else { PhShowStatus(hwndDlg, L"Unable to open the token.", status, 0); } PhFree(listViewItems); } break; case ID_GROUP_ENABLE: case ID_GROUP_DISABLE: case ID_GROUP_RESET: { NTSTATUS status; BOOLEAN listViewGroupItemsValid = TRUE; PPHP_TOKEN_PAGE_LISTVIEW_ITEM *listViewItems; ULONG numberOfItems; HANDLE tokenHandle; ULONG i; PhGetSelectedListViewItemParams( tokenPageContext->ListViewHandle, &listViewItems, &numberOfItems ); for (i = 0; i < numberOfItems; i++) { if (!(listViewItems[i]->GroupId == PH_PROCESS_TOKEN_CATEGORY_GROUPS || listViewItems[i]->GroupId == PH_PROCESS_TOKEN_CATEGORY_LOGON || listViewItems[i]->GroupId == PH_PROCESS_TOKEN_CATEGORY_INTEGRITY)) { listViewGroupItemsValid = FALSE; break; } } if (!listViewGroupItemsValid) { PhFree(listViewItems); break; } status = tokenPageContext->OpenObject( &tokenHandle, TOKEN_ADJUST_GROUPS, tokenPageContext->Context // ProcessId ); if (NT_SUCCESS(status)) { ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, FALSE); for (i = 0; i < numberOfItems; i++) { ULONG newAttributes = listViewItems[i]->TokenGroup->Attributes; switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_GROUP_ENABLE: newAttributes |= SE_GROUP_ENABLED; break; case ID_GROUP_DISABLE: newAttributes &= ~SE_GROUP_ENABLED; break; case ID_GROUP_RESET: { if (newAttributes & SE_GROUP_ENABLED_BY_DEFAULT) newAttributes |= SE_GROUP_ENABLED; else newAttributes &= ~SE_GROUP_ENABLED; } break; } if (NT_SUCCESS(status = PhSetTokenGroups( tokenHandle, NULL, listViewItems[i]->TokenGroup->Sid, newAttributes ))) { PPH_STRING attributesString; if (attributesString = PhGetGroupAttributesString(newAttributes, FALSE)) { LONG itemIndex; itemIndex = PhFindListViewItemByParam( tokenPageContext->ListViewHandle, INT_ERROR, listViewItems[i] ); if (itemIndex != INT_ERROR) { // Refresh the status text (and background color). listViewItems[i]->TokenGroup->Attributes = newAttributes; PhSetListViewSubItem(tokenPageContext->ListViewHandle, itemIndex, PH_PROCESS_TOKEN_INDEX_STATUS, attributesString->Buffer); } PhDereferenceObject(attributesString); } } else { PWSTR action = L"set"; switch (GET_WM_COMMAND_ID(wParam, lParam)) { case ID_GROUP_ENABLE: action = L"enable"; break; case ID_GROUP_DISABLE: action = L"disable"; break; case ID_GROUP_RESET: action = L"reset"; break; } if (!PhShowContinueStatus( hwndDlg, PhaFormatString(L"Unable to %s %s.", action, L"group")->Buffer, status, 0 )) break; } } ExtendedListView_SortItems(tokenPageContext->ListViewHandle); ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, TRUE); tokenPageContext->CloseObject( tokenHandle, FALSE, tokenPageContext->Context ); } else { PhShowStatus(hwndDlg, L"Unable to open the token.", status, 0); } PhFree(listViewItems); } break; case ID_UIACCESS_REMOVE: { NTSTATUS status; PPHP_TOKEN_PAGE_LISTVIEW_ITEM *listViewItems; ULONG numberOfItems; HANDLE tokenHandle; PhGetSelectedListViewItemParams( tokenPageContext->ListViewHandle, &listViewItems, &numberOfItems ); if (numberOfItems != 1) { PhFree(listViewItems); break; } if ((listViewItems[0]->GroupId != PH_PROCESS_TOKEN_CATEGORY_FLAGS) || (listViewItems[0]->ItemFlag != PH_PROCESS_TOKEN_FLAG_UIACCESS)) { PhFree(listViewItems); break; } if (!PhShowConfirmMessage( hwndDlg, L"remove", L"the UIAccess flag", L"Removing this flag may reduce the functionality of the process " L"provided it is an accessibility application.", FALSE )) { PhFree(listViewItems); break; } status = tokenPageContext->OpenObject( &tokenHandle, TOKEN_ADJUST_DEFAULT, tokenPageContext->Context // ProcessId ); if (NT_SUCCESS(status)) { ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, FALSE); status = PhSetTokenUIAccess(tokenHandle, FALSE); if (NT_SUCCESS(status)) { LONG itemIndex; itemIndex = PhFindListViewItemByParam( tokenPageContext->ListViewHandle, INT_ERROR, listViewItems[0] ); if (itemIndex != INT_ERROR) { ListView_DeleteItem(tokenPageContext->ListViewHandle, itemIndex); } } else { PhShowStatus(hwndDlg, L"Unable to disable UIAccess flag.", status, 0); } ExtendedListView_SortItems(tokenPageContext->ListViewHandle); ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, TRUE); tokenPageContext->CloseObject( tokenHandle, FALSE, tokenPageContext->Context ); } else { PhShowStatus(hwndDlg, L"Unable to open the token.", status, 0); } PhFree(listViewItems); } break; case IDC_DEFAULTPERM: { PhEditSecurity( PhCsForceNoParent ? NULL : hwndDlg, L"Default Token", L"TokenDefault", tokenPageContext->OpenObject, tokenPageContext->CloseObject, tokenPageContext->Context // ProcessId ); } break; case IDC_PERMISSIONS: { PhEditSecurity( PhCsForceNoParent ? NULL : hwndDlg, L"Token", L"Token", tokenPageContext->OpenObject, tokenPageContext->CloseObject, tokenPageContext->Context // ProcessId ); } break; case IDC_INTEGRITY: { NTSTATUS status; RECT rect; PPH_EMENU menu; HANDLE tokenHandle; MANDATORY_LEVEL_RID integrityLevelRID; PPH_EMENU_ITEM selectedItem; if (!PhGetWindowRect(GetDlgItem(hwndDlg, IDC_INTEGRITY), &rect)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, MandatorySecureProcessRID, L"Protected", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, MandatorySystemRID, L"System", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, MandatoryHighRID, L"High", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, MandatoryMediumPlusRID, L"Medium +", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, MandatoryMediumRID, L"Medium", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, MandatoryLowRID, L"Low", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, MandatoryUntrustedRID, L"Untrusted", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, USHRT_MAX, L"Custom...", NULL, NULL), ULONG_MAX); integrityLevelRID = ULONG_MAX; // Put a radio check on the menu item that corresponds with the current integrity level. // Also disable menu items which correspond to higher integrity levels since // NtSetInformationToken doesn't allow integrity levels to be raised. if (NT_SUCCESS(status = tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ))) { if (NT_SUCCESS(status = PhGetTokenIntegrityLevelRID( tokenHandle, &integrityLevelRID, NULL ))) { ULONG customLevelPosition = 0; // Processing atypical integrity levels for (ULONG i = 0; i < menu->Items->Count; i++) { PPH_EMENU_ITEM menuItem = menu->Items->Items[i]; if (menuItem->Id == (ULONG)integrityLevelRID) { menuItem->Flags |= PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK; customLevelPosition = 0; // The integrity level is a well-known one. No need to add a new menu item. } else if (menuItem->Id > (ULONG)integrityLevelRID && menuItem->Id != USHRT_MAX) { PhSetDisabledEMenuItem(menuItem); customLevelPosition = i + 1; } } if (customLevelPosition) { PPH_EMENU_ITEM unknownIntegrityItem; unknownIntegrityItem = PhCreateEMenuItem(0, (ULONG)integrityLevelRID, L"Intermediate level", NULL, NULL); unknownIntegrityItem->Flags |= PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK; PhInsertEMenuItem(menu, unknownIntegrityItem, customLevelPosition); } } tokenPageContext->CloseObject( tokenHandle, FALSE, tokenPageContext->Context ); } if (!NT_SUCCESS(status)) { for (ULONG i = 0; i < menu->Items->Count; i++) { PhSetDisabledEMenuItem(menu->Items->Items[i]); } } selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_BOTTOM, rect.left, rect.top ); if (selectedItem && selectedItem->Id != integrityLevelRID) { if (PhShowConfirmMessage( hwndDlg, L"set", L"the integrity level", L"Once lowered, the integrity level of the token cannot be raised again.", FALSE )) { ULONG integrityLevel = ULONG_MAX; if (selectedItem->Id == USHRT_MAX) { PPH_STRING selectedChoice = NULL; ULONG64 integer = 0; while (PhaChoiceDialog( hwndDlg, L"Integrity Level", L"Enter a custom integrity level:", NULL, 0, NULL, PH_CHOICE_DIALOG_USER_CHOICE, &selectedChoice, NULL, NULL )) { if (PhStringToInteger64(&selectedChoice->sr, 0, &integer)) { if ((ULONG)integer < (ULONG)integrityLevelRID) { integrityLevel = (ULONG)integer; break; } } } if (integrityLevel == ULONG_MAX) goto CleanupExit; } else { integrityLevel = selectedItem->Id; } if (NT_SUCCESS(status = tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY | TOKEN_ADJUST_DEFAULT, tokenPageContext->Context // ProcessId ))) { static SID_IDENTIFIER_AUTHORITY mandatoryLabelAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY; UCHAR newSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG)]; PSID newSid; TOKEN_MANDATORY_LABEL mandatoryLabel; newSid = (PSID)newSidBuffer; PhInitializeSid(newSid, &mandatoryLabelAuthority, 1); *PhSubAuthoritySid(newSid, 0) = integrityLevel; mandatoryLabel.Label.Sid = newSid; mandatoryLabel.Label.Attributes = SE_GROUP_INTEGRITY; status = NtSetInformationToken( tokenHandle, TokenIntegrityLevel, &mandatoryLabel, sizeof(TOKEN_MANDATORY_LABEL) ); if (NT_SUCCESS(status)) { ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, FALSE); PhpTokenPageFreeListViewEntries(tokenPageContext); ListView_DeleteAllItems(tokenPageContext->ListViewHandle); PhpUpdateTokenGroups(tokenPageContext, tokenHandle); PhpUpdateTokenPrivileges(tokenPageContext, tokenHandle); ExtendedListView_SortItems(tokenPageContext->ListViewHandle); ExtendedListView_SetRedraw(tokenPageContext->ListViewHandle, TRUE); } tokenPageContext->CloseObject( tokenHandle, FALSE, tokenPageContext->Context ); } if (!NT_SUCCESS(status)) PhShowStatus(hwndDlg, L"Unable to set the integrity level", status, 0); } } CleanupExit: PhDestroyEMenu(menu); } break; case IDC_ADVANCED: { HANDLE tokenHandle; BOOLEAN tokenIsAppContainer = FALSE; if (NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ))) { PhGetTokenIsAppContainer(tokenHandle, &tokenIsAppContainer); if (!tokenIsAppContainer) { PPH_STRING packageName; if (NT_SUCCESS(PhGetTokenPackageFullName(tokenHandle, &packageName))) { tokenIsAppContainer = !PhIsNullOrEmptyString(packageName); PhDereferenceObject(packageName); } } tokenPageContext->CloseObject( tokenHandle, FALSE, tokenPageContext->Context ); } PhpShowTokenAdvancedProperties(hwndDlg, tokenPageContext, tokenIsAppContainer); } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: { SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)GetDlgItem(hwndDlg, IDC_SESSIONID)); return TRUE; } break; } PhHandleListViewNotifyBehaviors(lParam, tokenPageContext->ListViewHandle, PH_LIST_VIEW_DEFAULT_1_BEHAVIORS); REFLECT_MESSAGE_DLG(hwndDlg, tokenPageContext->ListViewHandle, uMsg, wParam, lParam); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == tokenPageContext->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PPHP_TOKEN_PAGE_LISTVIEW_ITEM *listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(tokenPageContext->ListViewHandle, &point); PhGetSelectedListViewItemParams(tokenPageContext->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { BOOLEAN hasMixedCategories = FALSE; BOOLEAN hasRemovedItems = FALSE; PH_PROCESS_TOKEN_CATEGORY currentCategory = listviewItems[0]->GroupId; ULONG i; for (i = 0; i < numberOfItems; i++) { if (listviewItems[i]->GroupId != currentCategory) { hasMixedCategories = TRUE; break; } } if (currentCategory == PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES) { for (i = 0; i < numberOfItems; i++) { if (listviewItems[i]->TokenPrivilege && FlagOn(listviewItems[i]->TokenPrivilege->Attributes, SE_PRIVILEGE_REMOVED)) { hasRemovedItems = TRUE; break; } } } menu = PhCreateEMenu(); if (!hasMixedCategories) { switch (currentCategory) { case PH_PROCESS_TOKEN_CATEGORY_PRIVILEGES: { PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PRIVILEGE_ENABLE, L"&Enable", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PRIVILEGE_DISABLE, L"&Disable", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PRIVILEGE_RESET, L"Re&set", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_PRIVILEGE_REMOVE, L"&Remove", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); if (hasRemovedItems) { PhSetFlagsAllEMenuItems(menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED); } } break; case PH_PROCESS_TOKEN_CATEGORY_GROUPS: case PH_PROCESS_TOKEN_CATEGORY_LOGON: case PH_PROCESS_TOKEN_CATEGORY_INTEGRITY: { PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_GROUP_ENABLE, L"&Enable", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_GROUP_DISABLE, L"&Disable", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_GROUP_RESET, L"Re&set", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); } break; case PH_PROCESS_TOKEN_CATEGORY_FLAGS: { if ((numberOfItems == 1) && (listviewItems[0]->ItemFlag == PH_PROCESS_TOKEN_FLAG_UIACCESS)) PhInsertEMenuItem(menu, PhCreateEMenuItem(0, ID_UIACCESS_REMOVE, L"&Remove", NULL, NULL), ULONG_MAX); } break; } } PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, tokenPageContext->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(tokenPageContext->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; case WM_CTLCOLORBTN: { if (tokenPageContext->SinglePageContext) return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } break; case WM_CTLCOLORDLG: { if (tokenPageContext->SinglePageContext) return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } break; case WM_CTLCOLORSTATIC: { if (tokenPageContext->SinglePageContext) return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } break; } return FALSE; } VOID PhpShowTokenAdvancedProperties( _In_ HWND ParentWindowHandle, _In_ PTOKEN_PAGE_CONTEXT Context, _In_ BOOLEAN ShowAppContainerPage ) { PROPSHEETHEADER propSheetHeader = { sizeof(propSheetHeader) }; HPROPSHEETPAGE pages[7]; PROPSHEETPAGE page; ULONG numberOfPages; propSheetHeader.dwFlags = PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP | PSH_PROPTITLE; propSheetHeader.hInstance = NtCurrentImageBase(); propSheetHeader.hwndParent = ParentWindowHandle; propSheetHeader.pszCaption = L"Token"; propSheetHeader.nStartPage = 0; propSheetHeader.phpage = pages; numberOfPages = 0; // General memset(&page, 0, sizeof(PROPSHEETPAGE)); page.dwSize = sizeof(PROPSHEETPAGE); page.pszTemplate = MAKEINTRESOURCE(IDD_TOKGENERAL); page.hInstance = NtCurrentImageBase(); page.pfnDlgProc = PhpTokenGeneralPageProc; page.lParam = (LPARAM)Context; pages[numberOfPages++] = CreatePropertySheetPage(&page); // Advanced memset(&page, 0, sizeof(PROPSHEETPAGE)); page.dwSize = sizeof(PROPSHEETPAGE); page.pszTemplate = MAKEINTRESOURCE(IDD_TOKADVANCED); page.hInstance = NtCurrentImageBase(); page.pfnDlgProc = PhpTokenAdvancedPageProc; page.lParam = (LPARAM)Context; pages[numberOfPages++] = CreatePropertySheetPage(&page); if (WindowsVersion >= WINDOWS_8) { if (ShowAppContainerPage) { memset(&page, 0, sizeof(PROPSHEETPAGE)); page.dwSize = sizeof(PROPSHEETPAGE); page.dwFlags = PSP_USETITLE; page.pszTemplate = MAKEINTRESOURCE(IDD_TOKADVANCED); page.hInstance = NtCurrentImageBase(); page.pszTitle = L"Container"; page.pfnDlgProc = PhpTokenContainerPageProc; page.lParam = (LPARAM)Context; pages[numberOfPages++] = CreatePropertySheetPage(&page); } // Capabilities memset(&page, 0, sizeof(PROPSHEETPAGE)); page.dwSize = sizeof(PROPSHEETPAGE); page.pszTemplate = MAKEINTRESOURCE(IDD_TOKCAPABILITIES); page.hInstance = NtCurrentImageBase(); page.pfnDlgProc = PhpTokenCapabilitiesPageProc; page.lParam = (LPARAM)Context; pages[numberOfPages++] = CreatePropertySheetPage(&page); // Claims memset(&page, 0, sizeof(PROPSHEETPAGE)); page.dwSize = sizeof(PROPSHEETPAGE); page.dwFlags = PSP_USETITLE; page.pszTemplate = MAKEINTRESOURCE(IDD_TOKATTRIBUTES); page.hInstance = NtCurrentImageBase(); page.pszTitle = L"Claims"; page.pfnDlgProc = PhpTokenClaimsPageProc; page.lParam = (LPARAM)Context; pages[numberOfPages++] = CreatePropertySheetPage(&page); // AppModel Policy memset(&page, 0, sizeof(PROPSHEETPAGE)); page.dwSize = sizeof(PROPSHEETPAGE); page.dwFlags = PSP_USETITLE; page.pszTemplate = MAKEINTRESOURCE(IDD_TOKAPPPOLICY); page.hInstance = NtCurrentImageBase(); page.pszTitle = L"Policy"; page.pfnDlgProc = PhpTokenAppPolicyPageProc; page.lParam = (LPARAM)Context; pages[numberOfPages++] = CreatePropertySheetPage(&page); // (Token) Attributes memset(&page, 0, sizeof(PROPSHEETPAGE)); page.dwSize = sizeof(PROPSHEETPAGE); page.dwFlags = PSP_USETITLE; page.pszTemplate = MAKEINTRESOURCE(IDD_TOKATTRIBUTES); page.hInstance = NtCurrentImageBase(); page.pszTitle = L"Attributes"; page.pfnDlgProc = PhpTokenAttributesPageProc; page.lParam = (LPARAM)Context; pages[numberOfPages++] = CreatePropertySheetPage(&page); } propSheetHeader.nPages = numberOfPages; PhModalPropertySheet(&propSheetHeader); } _Function_class_(PH_OPEN_OBJECT) static NTSTATUS PhpOpenLinkedToken( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ) { if (Context) return PhGetTokenLinkedToken((HANDLE)Context, Handle); return STATUS_UNSUCCESSFUL; } _Function_class_(PH_CLOSE_OBJECT) static NTSTATUS PhpCloseLinkedToken( _In_opt_ HANDLE Handle, _In_opt_ BOOLEAN Release, _In_opt_ PVOID Context ) { if (Handle) NtClose(Handle); return STATUS_SUCCESS; } INT_PTR CALLBACK PhpTokenGeneralPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HANDLE tokenHandle; PPH_STRING tokenUserName = NULL; PPH_STRING tokenUserSid = NULL; PPH_STRING tokenOwnerName = NULL; PPH_STRING tokenPrimaryGroupName = NULL; ULONG tokenSessionId = ULONG_MAX; BOOLEAN tokenElevation = FALSE; TOKEN_ELEVATION_TYPE tokenElevationType = 0; PPH_STRINGREF tokenElevationTypeString; BOOLEAN hasLinkedToken = FALSE; PWSTR tokenVirtualization = L"N/A"; PWSTR tokenUIAccess = L"Unknown"; WCHAR tokenSourceName[TOKEN_SOURCE_LENGTH + 1] = { L"Unknown" }; WCHAR tokenSourceLuid[PH_INT64_STR_LEN_1] = { L"Unknown" }; // HACK PhCenterWindow(GetParent(hwndDlg), GetParent(GetParent(hwndDlg))); if (NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ))) { PH_TOKEN_USER tokenUser; PH_TOKEN_OWNER tokenOwner; PTOKEN_PRIMARY_GROUP tokenPrimaryGroup; BOOLEAN isVirtualizationAllowed; BOOLEAN isVirtualizationEnabled; BOOLEAN isUIAccessEnabled; if (NT_SUCCESS(PhGetTokenUser(tokenHandle, &tokenUser))) { tokenUserName = PH_AUTO(PhGetSidFullName(tokenUser.User.Sid, TRUE, NULL)); tokenUserSid = PH_AUTO(PhSidToStringSid(tokenUser.User.Sid)); } if (NT_SUCCESS(PhGetTokenOwner(tokenHandle, &tokenOwner))) { tokenOwnerName = PH_AUTO(PhGetSidFullName(tokenOwner.Owner.Sid, TRUE, NULL)); } if (NT_SUCCESS(PhGetTokenPrimaryGroup(tokenHandle, &tokenPrimaryGroup))) { tokenPrimaryGroupName = PH_AUTO(PhGetSidFullName(tokenPrimaryGroup->PrimaryGroup, TRUE, NULL)); PhFree(tokenPrimaryGroup); } PhGetTokenSessionId(tokenHandle, &tokenSessionId); PhGetTokenElevation(tokenHandle, &tokenElevation); if (NT_SUCCESS(PhGetTokenElevationType(tokenHandle, &tokenElevationType))) { hasLinkedToken = tokenElevationType != TokenElevationTypeDefault; } if (NT_SUCCESS(PhGetTokenIsVirtualizationAllowed(tokenHandle, &isVirtualizationAllowed))) { if (isVirtualizationAllowed) { if (NT_SUCCESS(PhGetTokenIsVirtualizationEnabled(tokenHandle, &isVirtualizationEnabled))) { tokenVirtualization = isVirtualizationEnabled ? L"Enabled" : L"Disabled"; } } else { tokenVirtualization = L"Not Allowed"; } } if (NT_SUCCESS(PhGetTokenUIAccess(tokenHandle, &isUIAccessEnabled))) { tokenUIAccess = isUIAccessEnabled ? L"Enabled": L"Disabled"; } tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } if (NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY_SOURCE, tokenPageContext->Context // ProcessId ))) { TOKEN_SOURCE tokenSource; PCPH_STRINGREF tokenSourceTypeString; if (NT_SUCCESS(PhGetTokenSource(tokenHandle, &tokenSource))) { PhCopyStringZFromBytes( tokenSource.SourceName, TOKEN_SOURCE_LENGTH, tokenSourceName, RTL_NUMBER_OF(tokenSourceName), NULL ); PhPrintPointer(tokenSourceLuid, UlongToPtr(tokenSource.SourceIdentifier.LowPart)); if (tokenSourceTypeString = PhGetLuidKnownTypeToString(&tokenSource.SourceIdentifier)) { wcscat_s(tokenSourceLuid, RTL_NUMBER_OF(tokenSourceLuid), L" ("); wcscat_s(tokenSourceLuid, RTL_NUMBER_OF(tokenSourceLuid), PhGetStringRefZ(tokenSourceTypeString)); wcscat_s(tokenSourceLuid, RTL_NUMBER_OF(tokenSourceLuid), L")"); } } tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } PhSetDialogItemText(hwndDlg, IDC_USER, PhGetStringOrDefault(tokenUserName, L"Unknown")); PhSetDialogItemText(hwndDlg, IDC_USERSID, PhGetStringOrDefault(tokenUserSid, L"Unknown")); PhSetDialogItemText(hwndDlg, IDC_OWNER, PhGetStringOrDefault(tokenOwnerName, L"Unknown")); PhSetDialogItemText(hwndDlg, IDC_PRIMARYGROUP, PhGetStringOrDefault(tokenPrimaryGroupName, L"Unknown")); if (tokenSessionId != ULONG_MAX) PhSetDialogItemValue(hwndDlg, IDC_SESSIONID, tokenSessionId, FALSE); else PhSetDialogItemText(hwndDlg, IDC_SESSIONID, L"Unknown"); if (PhGetElevationTypeString(tokenElevation, tokenElevationType, &tokenElevationTypeString)) PhSetDialogItemText(hwndDlg, IDC_ELEVATED, PhGetStringRefZ(tokenElevationTypeString)); else PhSetDialogItemText(hwndDlg, IDC_ELEVATED, L"Unknown"); PhSetDialogItemText(hwndDlg, IDC_VIRTUALIZATION, tokenVirtualization); PhSetDialogItemText(hwndDlg, IDC_UIACCESS, tokenUIAccess); PhSetDialogItemText(hwndDlg, IDC_SOURCENAME, tokenSourceName); PhSetDialogItemText(hwndDlg, IDC_SOURCELUID, tokenSourceLuid); EnableWindow(GetDlgItem(hwndDlg, IDC_LINKEDTOKEN), !!hasLinkedToken); if (PhEnableThemeSupport) // TODO: Required for compat (dmex) PhInitializeWindowTheme(GetParent(hwndDlg), PhEnableThemeSupport); // HACK (GetParent) else PhInitializeWindowTheme(hwndDlg, FALSE); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_LINKEDTOKEN: { NTSTATUS status; HANDLE tokenHandle; if (NT_SUCCESS(status = tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ))) { PhShowTokenProperties( hwndDlg, PhpOpenLinkedToken, PhpCloseLinkedToken, tokenPageContext->ProcessId, (PVOID)tokenHandle, L"Linked Token" ); tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } else { PhShowStatus(hwndDlg, L"Unable to open the token", status, 0); } } break; } } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case PSN_QUERYINITIALFOCUS: { SetWindowLongPtr(hwndDlg, DWLP_MSGRESULT, (LONG_PTR)GetDlgItem(hwndDlg, IDC_LINKEDTOKEN)); return TRUE; } break; } } break; } return FALSE; } typedef struct _PHP_TOKEN_ADVANCED_CONTEXT { HWND WindowHandle; HWND ListViewHandle; PH_LAYOUT_MANAGER LayoutManager; } PHP_TOKEN_ADVANCED_CONTEXT, *PPHP_TOKEN_ADVANCED_CONTEXT; INT_PTR CALLBACK PhpTokenAdvancedPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; PPHP_TOKEN_ADVANCED_CONTEXT context; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PHP_TOKEN_ADVANCED_CONTEXT)); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HANDLE tokenHandle; LONG listViewGroupIndex = 0; PWSTR tokenType = L"Unknown"; PWSTR tokenImpersonationLevel = L"Unknown"; WCHAR tokenLuid[PH_PTR_STR_LEN_1] = { L"Unknown" }; WCHAR authenticationLuid[PH_PTR_STR_LEN_1] = { L"Unknown" }; WCHAR tokenModifiedLuid[PH_PTR_STR_LEN_1] = { L"Unknown" }; WCHAR tokenOriginLogonSession[PH_PTR_STR_LEN_1] = { L"Unknown" }; PPH_STRING memoryUsed = NULL; PPH_STRING memoryAvailable = NULL; PPH_STRING tokenNamedObjectPathString = NULL; PPH_STRING tokenSecurityDescriptorString = NULL; PPH_STRING tokenTrustLevelSidString; PPH_STRING tokenTrustLevelNameString; PPH_STRING tokenProfilePathString; PPH_STRING tokenProfileRegistryString; PPH_STRING tokenSystemIdForPublisher = NULL; PPH_STRING tokenSystemIdForUser = NULL; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 120, L"Name"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 280, L"Value"); PhSetExtendedListView(context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); ListView_EnableGroupView(context->ListViewHandle, TRUE); PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"General"); PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"LUIDs"); PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"Memory"); PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"Properties"); PhAddListViewGroupItem(context->ListViewHandle, 0, MAXINT, L"Type", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, MAXINT, L"Impersonation level", NULL); PhAddListViewGroupItem(context->ListViewHandle, 1, MAXINT, L"Token LUID", NULL); PhAddListViewGroupItem(context->ListViewHandle, 1, MAXINT, L"Authentication LUID", NULL); PhAddListViewGroupItem(context->ListViewHandle, 1, MAXINT, L"ModifiedId LUID", NULL); PhAddListViewGroupItem(context->ListViewHandle, 1, MAXINT, L"Origin LUID", NULL); PhAddListViewGroupItem(context->ListViewHandle, 2, MAXINT, L"Memory used", NULL); PhAddListViewGroupItem(context->ListViewHandle, 2, MAXINT, L"Memory available", NULL); PhAddListViewGroupItem(context->ListViewHandle, 3, MAXINT, L"Token object path", NULL); PhAddListViewGroupItem(context->ListViewHandle, 3, MAXINT, L"Token SDDL", NULL); if (NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ))) { TOKEN_STATISTICS statistics; TOKEN_ORIGIN origin; if (NT_SUCCESS(PhGetTokenStatistics(tokenHandle, &statistics))) { PhGetTokenTypeString(statistics.TokenType, &tokenType); PhGetImpersonationLevelString(statistics.ImpersonationLevel, &tokenImpersonationLevel); PhPrintPointer(tokenLuid, UlongToPtr(statistics.TokenId.LowPart)); PhPrintPointer(authenticationLuid, UlongToPtr(statistics.AuthenticationId.LowPart)); PhPrintPointer(tokenModifiedLuid, UlongToPtr(statistics.ModifiedId.LowPart)); memoryUsed = PhFormatSize(statistics.DynamicCharged - statistics.DynamicAvailable, ULONG_MAX); // DynamicAvailable contains the number of bytes free. memoryAvailable = PhFormatSize(statistics.DynamicCharged, ULONG_MAX); // DynamicCharged contains the number of bytes allocated. } if (NT_SUCCESS(PhGetTokenOrigin(tokenHandle, &origin))) { PhPrintPointer(tokenOriginLogonSession, UlongToPtr(origin.OriginatingLogonSession.LowPart)); } PhGetTokenNamedObjectPath(tokenHandle, NULL, &tokenNamedObjectPathString); PhGetObjectSecurityDescriptorAsString(tokenHandle, &tokenSecurityDescriptorString); if (NT_SUCCESS(PhGetTokenProcessTrustLevelRID( tokenHandle, NULL, NULL, &tokenTrustLevelNameString, &tokenTrustLevelSidString ))) { LONG trustLevelGroupIndex; LONG trustLevelSidIndex; LONG trustLevelNameIndex; trustLevelGroupIndex = PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"TrustLevel"); trustLevelSidIndex = PhAddListViewGroupItem(context->ListViewHandle, trustLevelGroupIndex, MAXINT, L"TrustLevel Sid", NULL); trustLevelNameIndex = PhAddListViewGroupItem(context->ListViewHandle, trustLevelGroupIndex, MAXINT, L"TrustLevel Name", NULL); PhSetListViewSubItem(context->ListViewHandle, trustLevelSidIndex, 1, PhGetStringOrDefault(tokenTrustLevelSidString, L"N/A")); PhSetListViewSubItem(context->ListViewHandle, trustLevelNameIndex, 1, PhGetStringOrDefault(tokenTrustLevelNameString, L"N/A")); PhClearReference(&tokenTrustLevelNameString); PhClearReference(&tokenTrustLevelSidString); } //PTOKEN_GROUPS tokenLogonGroups; //if (NT_SUCCESS(PhQueryTokenVariableSize(tokenHandle, TokenLogonSid, &tokenLogonGroups))) //{ // PPH_STRING tokenLogonName = PhGetSidFullName(tokenLogonGroups->Groups[0].Sid, TRUE, NULL); // PPH_STRING tokenLogonSid = PhSidToStringSid(tokenLogonGroups->Groups[0].Sid); // LONG tokenLogonGroupIndex = PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"Logon"); // LONG tokenLogonNameIndex = PhAddListViewGroupItem(context->ListViewHandle, tokenLogonGroupIndex, MAXINT, L"Token logon SID", NULL); // LONG tokenLogonSidIndex = PhAddListViewGroupItem(context->ListViewHandle, tokenLogonGroupIndex, MAXINT, L"Token logon Name", NULL); // PhSetListViewSubItem(context->ListViewHandle, tokenLogonNameIndex, 1, PhGetStringOrDefault(tokenLogonName, L"Unknown")); // PhSetListViewSubItem(context->ListViewHandle, tokenLogonSidIndex, 1, PhGetStringOrDefault(tokenLogonSid, L"Unknown")); // PhFree(tokenLogonGroups); //} if (tokenProfilePathString = PhpGetTokenFolderPath(tokenHandle)) { LONG profileGroupIndex; LONG profileFolderIndex; LONG profileRegistryIndex; profileGroupIndex = PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"Profile"); profileFolderIndex = PhAddListViewGroupItem(context->ListViewHandle, profileGroupIndex, MAXINT, L"Folder path", NULL); profileRegistryIndex = PhAddListViewGroupItem(context->ListViewHandle, profileGroupIndex, MAXINT, L"Registry path", NULL); PhSetListViewSubItem(context->ListViewHandle, profileFolderIndex, 1, PhGetStringOrDefault(tokenProfilePathString, L"N/A")); if (tokenProfileRegistryString = PhpGetTokenRegistryPath(tokenHandle)) { PhSetListViewSubItem(context->ListViewHandle, profileRegistryIndex, 1, PhGetStringOrDefault(tokenProfileRegistryString, L"N/A")); PhDereferenceObject(tokenProfileRegistryString); } PhDereferenceObject(tokenProfilePathString); } tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } if (SUCCEEDED(PhGetProcessSystemIdentification( tokenPageContext->Context, // ProcessId, &tokenSystemIdForPublisher, &tokenSystemIdForUser ))) { LONG systemIdGroupIndex; LONG systemIdPublisherIndex; LONG systemIdUserIndex; systemIdGroupIndex = PhAddListViewGroup(context->ListViewHandle, listViewGroupIndex++, L"System ID"); systemIdPublisherIndex = PhAddListViewGroupItem(context->ListViewHandle, systemIdGroupIndex, MAXINT, L"HWID (Publisher)", NULL); systemIdUserIndex = PhAddListViewGroupItem(context->ListViewHandle, systemIdGroupIndex, MAXINT, L"HWID (User)", NULL); PhSetListViewSubItem(context->ListViewHandle, systemIdPublisherIndex, 1, PhGetStringOrDefault(tokenSystemIdForPublisher, L"N/A")); PhSetListViewSubItem(context->ListViewHandle, systemIdUserIndex, 1, PhGetStringOrDefault(tokenSystemIdForUser, L"N/A")); PhClearReference(&tokenSystemIdForPublisher); PhClearReference(&tokenSystemIdForUser); } PhSetListViewSubItem(context->ListViewHandle, 0, 1, tokenType); PhSetListViewSubItem(context->ListViewHandle, 1, 1, tokenImpersonationLevel); PhSetListViewSubItem(context->ListViewHandle, 2, 1, tokenLuid); PhSetListViewSubItem(context->ListViewHandle, 3, 1, authenticationLuid); PhSetListViewSubItem(context->ListViewHandle, 4, 1, tokenModifiedLuid); PhSetListViewSubItem(context->ListViewHandle, 5, 1, tokenOriginLogonSession); PhSetListViewSubItem(context->ListViewHandle, 6, 1, PhGetStringOrDefault(memoryUsed, L"Unknown")); PhSetListViewSubItem(context->ListViewHandle, 7, 1, PhGetStringOrDefault(memoryAvailable, L"Unknown")); PhSetListViewSubItem(context->ListViewHandle, 8, 1, PhGetStringOrDefault(tokenNamedObjectPathString, L"Unknown")); PhSetListViewSubItem(context->ListViewHandle, 9, 1, PhGetStringOrDefault(tokenSecurityDescriptorString, L"Unknown")); PhClearReference(&memoryUsed); PhClearReference(&memoryAvailable); PhClearReference(&tokenNamedObjectPathString); PhClearReference(&tokenSecurityDescriptorString); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteLayoutManager(&context->LayoutManager); PhFree(context); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); ExtendedListView_SetColumnWidth(context->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; } return FALSE; } BOOLEAN NTAPI PhpAttributeTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT context = Context; PPH_TOKEN_ATTRIBUTE_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_TOKEN_ATTRIBUTE_NODE)getChildren->Node; if (!node) { getChildren->Children = (PPH_TREENEW_NODE *)context->RootList->Items; getChildren->NumberOfChildren = context->RootList->Count; } else { getChildren->Children = (PPH_TREENEW_NODE *)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPH_TOKEN_ATTRIBUTE_NODE)isLeaf->Node; isLeaf->IsLeaf = node->Children->Count == 0; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; node = (PPH_TOKEN_ATTRIBUTE_NODE)getCellText->Node; if (getCellText->Id == 0) getCellText->Text = PhGetStringRef(node->Text); else return FALSE; } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) { PPH_STRING text; text = PhGetTreeNewText(WindowHandle, 0); PhSetClipboardString(WindowHandle, &text->sr); PhDereferenceObject(text); } break; } } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; SendMessage( context->WindowHandle, WM_CONTEXTMENU, 0, (LPARAM)contextMenuEvent ); } return TRUE; } return FALSE; } PPH_TOKEN_ATTRIBUTE_NODE PhpAddAttributeNode( _In_ PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT Context, _In_opt_ PPH_TOKEN_ATTRIBUTE_NODE Parent, _In_opt_ _Assume_refs_(1) PPH_STRING Text ) { PPH_TOKEN_ATTRIBUTE_NODE node; node = PhAllocate(sizeof(PH_TOKEN_ATTRIBUTE_NODE)); memset(node, 0, sizeof(PH_TOKEN_ATTRIBUTE_NODE)); PhInitializeTreeNewNode(&node->Node); node->Children = PhCreateList(2); PhAddItemList(Context->NodeList, node); if (Parent) PhAddItemList(Parent->Children, node); else PhAddItemList(Context->RootList, node); PhMoveReference(&node->Text, Text); return node; } VOID PhpDestroyAttributeNode( _In_ PPH_TOKEN_ATTRIBUTE_NODE Node ) { PhDereferenceObject(Node->Children); PhClearReference(&Node->Text); PhClearReference(&Node->Value); PhFree(Node); } VOID PhpRemoveAttributeNode( _In_ PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT Context, _In_ PPH_TOKEN_ATTRIBUTE_NODE Node ) { ULONG index; if ((index = PhFindItemList(Context->NodeList, Node)) != ULONG_MAX) PhRemoveItemList(Context->NodeList, index); if ((index = PhFindItemList(Context->RootList, Node)) != ULONG_MAX) PhRemoveItemList(Context->RootList, index); PhpDestroyAttributeNode(Node); } _Success_(return) BOOLEAN PhpGetSelectedAttributeTreeNodes( _Inout_ PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT Context, _Out_ PPH_TOKEN_ATTRIBUTE_NODE **Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_TOKEN_ATTRIBUTE_NODE node = (PPH_TOKEN_ATTRIBUTE_NODE)Context->NodeList->Items[i]; if (node->Node.Selected) { PhAddItemList(list, node); } } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } PhDereferenceObject(list); return FALSE; } VOID PhpInitializeAttributeTreeContext( _Out_ PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT Context, _In_ HWND WindowHandle, _In_ HWND TreeNewHandle ) { Context->WindowHandle = WindowHandle; Context->NodeList = PhCreateList(10); Context->RootList = PhCreateList(10); PhSetControlTheme(TreeNewHandle, L"explorer"); TreeNew_SetRedraw(TreeNewHandle, FALSE); TreeNew_SetCallback(TreeNewHandle, PhpAttributeTreeNewCallback, Context); //TreeNew_GetViewParts(TreeNewHandle, &parts); // column width = (parts.ClientRect.right - parts.VScrollWidth) // TODO: VScrollWidth not set during INITDIALOG. (dmex) PhAddTreeNewColumnEx2(TreeNewHandle, 0, TRUE, L"Attributes", 200, PH_ALIGN_LEFT, 0, 0, TN_COLUMN_FLAG_NODPISCALEONADD); TreeNew_SetRedraw(TreeNewHandle, TRUE); } VOID PhpDeleteAttributeTreeContext( _Inout_ PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT Context ) { ULONG i; for (i = 0; i < Context->NodeList->Count; i++) PhpDestroyAttributeNode(Context->NodeList->Items[i]); PhDereferenceObject(Context->NodeList); PhDereferenceObject(Context->RootList); } //static COLORREF NTAPI PhpTokenCapabilitiesColorFunction( // _In_ LONG Index, // _In_ PVOID Param, // _In_opt_ PVOID Context // ) //{ // PSID_AND_ATTRIBUTES sidAndAttributes = Param; // // return PhGetGroupAttributesColor(sidAndAttributes->Attributes); //} BOOLEAN PhpAddTokenCapabilities( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext, _In_ HWND tnHandle ) { HANDLE tokenHandle; ULONG i; if (!NT_SUCCESS(TokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, TokenPageContext->Context ))) return FALSE; if (NT_SUCCESS(PhQueryTokenVariableSize(tokenHandle, TokenCapabilities, &TokenPageContext->Capabilities))) { for (i = 0; i < TokenPageContext->Capabilities->GroupCount; i++) { PPH_TOKEN_ATTRIBUTE_NODE node; PPH_STRING name; ULONG subAuthoritiesCount; ULONG subAuthority; name = PhSidToStringSid(TokenPageContext->Capabilities->Groups[i].Sid); node = PhpAddAttributeNode(&TokenPageContext->CapsTreeContext, NULL, name); if (name = PhGetSidFullName(TokenPageContext->Capabilities->Groups[i].Sid, TRUE, NULL)) { PhpAddAttributeNode(&TokenPageContext->CapsTreeContext, node, PhFormatString(L"FullName: %s", PhGetString(name))); PhDereferenceObject(name); } if (name = PhGetCapabilitySidName(TokenPageContext->Capabilities->Groups[i].Sid)) { PhpAddAttributeNode(&TokenPageContext->CapsTreeContext, node, PhFormatString(L"Capability: %s", PhGetString(name))); PhDereferenceObject(name); } subAuthoritiesCount = *PhSubAuthorityCountSid(TokenPageContext->Capabilities->Groups[i].Sid); subAuthority = *PhSubAuthoritySid(TokenPageContext->Capabilities->Groups[i].Sid, 0); if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(TokenPageContext->Capabilities->Groups[i].Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_APP_PACKAGE_AUTHORITY)) { if (subAuthority == SECURITY_CAPABILITY_BASE_RID) { if (subAuthoritiesCount == SECURITY_APP_PACKAGE_RID_COUNT) { PH_TOKEN_APPCONTAINER tokenAppContainer; //if (*PhSubAuthoritySid(TokenPageContext->Capabilities->Groups[i].Sid, 1) == SECURITY_CAPABILITY_APP_RID) // continue; if (NT_SUCCESS(PhGetTokenAppContainerSid(tokenHandle, &tokenAppContainer))) { if (PhIsPackageCapabilitySid(tokenAppContainer.AppContainer.Sid, TokenPageContext->Capabilities->Groups[i].Sid)) { static CONST PH_STRINGREF packageNameStringRef = PH_STRINGREF_INIT(L"Package: "); if (NT_SUCCESS(PhGetTokenPackageFullName(tokenHandle, &name))) { PhpAddAttributeNode(&TokenPageContext->CapsTreeContext, node, PhConcatStringRef2(&packageNameStringRef, &name->sr)); PhDereferenceObject(name); } else { PhpAddAttributeNode(&TokenPageContext->CapsTreeContext, node, PhCreateString2(&packageNameStringRef)); } } } } else if (subAuthoritiesCount == SECURITY_CAPABILITY_RID_COUNT) { PPH_STRING capabilityName; union { GUID Guid; struct { ULONG Data1; ULONG Data2; ULONG Data3; ULONG Data4; }; } capabilityGuid; capabilityGuid.Data1 = *PhSubAuthoritySid(TokenPageContext->Capabilities->Groups[i].Sid, 1); capabilityGuid.Data2 = *PhSubAuthoritySid(TokenPageContext->Capabilities->Groups[i].Sid, 2); capabilityGuid.Data3 = *PhSubAuthoritySid(TokenPageContext->Capabilities->Groups[i].Sid, 3); capabilityGuid.Data4 = *PhSubAuthoritySid(TokenPageContext->Capabilities->Groups[i].Sid, 4); if (name = PhFormatGuid(&capabilityGuid.Guid)) { static CONST PH_STRINGREF guidNameStringRef = PH_STRINGREF_INIT(L"Guid: "); static CONST PH_STRINGREF capabilityNameStringRef = PH_STRINGREF_INIT(L"Capability: "); PhpAddAttributeNode(&TokenPageContext->CapsTreeContext, node, PhConcatStringRef2(&guidNameStringRef, &name->sr)); if (capabilityName = PhGetCapabilityGuidName(name)) { PhpAddAttributeNode(&TokenPageContext->CapsTreeContext, node, PhConcatStringRef2(&capabilityNameStringRef, &capabilityName->sr)); PhDereferenceObject(capabilityName); } PhDereferenceObject(name); } } } } } } TokenPageContext->CloseObject(tokenHandle, FALSE, TokenPageContext->Context); return TRUE; } INT_PTR CALLBACK PhpTokenCapabilitiesPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; HWND tnHandle; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; tnHandle = GetDlgItem(hwndDlg, IDC_LIST); switch (uMsg) { case WM_INITDIALOG: { tokenPageContext->CapsTreeContext.WindowHandle = hwndDlg; tokenPageContext->CapsTreeContext.NodeList = PhCreateList(10); tokenPageContext->CapsTreeContext.RootList = PhCreateList(10); PhSetControlTheme(tnHandle, L"explorer"); TreeNew_SetRedraw(tnHandle, FALSE); TreeNew_SetEmptyText(tnHandle, &PhpEmptyTokenCapabilitiesText, 0); TreeNew_SetCallback(tnHandle, PhpAttributeTreeNewCallback, &tokenPageContext->CapsTreeContext); PhAddTreeNewColumnEx2(tnHandle, 0, TRUE, L"Capabilities", 200, PH_ALIGN_LEFT, 0, 0, TN_COLUMN_FLAG_NODPISCALEONADD); PhpAddTokenCapabilities(tokenPageContext, tnHandle); TreeNew_NodesStructured(tnHandle); TreeNew_SetRedraw(tnHandle, TRUE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhpDeleteAttributeTreeContext(&tokenPageContext->CapsTreeContext); if (tokenPageContext->Capabilities) { PhFree(tokenPageContext->Capabilities); tokenPageContext->Capabilities = NULL; } } break; case WM_SHOWWINDOW: { TreeNew_AutoSizeColumn(tnHandle, 0, TN_AUTOSIZE_REMAINING_SPACE); } break; case WM_CONTEXTMENU: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_TOKEN_ATTRIBUTE_NODE *attributeObjectNodes = NULL; ULONG numberOfAttributeObjectNodes = 0; if (!PhpGetSelectedAttributeTreeNodes(&tokenPageContext->CapsTreeContext, &attributeObjectNodes, &numberOfAttributeObjectNodes)) break; if (numberOfAttributeObjectNodes != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, tnHandle, contextMenuEvent->Column); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (!PhHandleCopyCellEMenuItem(selectedItem)) { switch (selectedItem->Id) { case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(tnHandle, 0); PhSetClipboardString(tnHandle, &text->sr); PhDereferenceObject(text); } break; } } } PhDestroyEMenu(menu); } PhFree(attributeObjectNodes); } break; } return FALSE; } PWSTR PhGetSecurityAttributeTypeString( _In_ USHORT Type ) { // These types are shared between CLAIM_* and TOKEN_* security attributes. switch (Type) { case TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID: return L"Invalid"; case TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64: return L"Int64"; case TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64: return L"UInt64"; case TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING: return L"String"; case TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN: return L"FQBN"; case TOKEN_SECURITY_ATTRIBUTE_TYPE_SID: return L"SID"; case TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN: return L"Boolean"; case TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING: return L"Octet string"; default: return L"(Unknown)"; } } PPH_STRING PhGetSecurityAttributeFlagsString( _In_ ULONG Flags ) { PH_STRING_BUILDER sb; // These flags are shared between CLAIM_* and TOKEN_* security attributes. PhInitializeStringBuilder(&sb, 100); if (Flags & TOKEN_SECURITY_ATTRIBUTE_MANDATORY) PhAppendStringBuilder2(&sb, L"Mandatory, "); if (Flags & TOKEN_SECURITY_ATTRIBUTE_DISABLED) PhAppendStringBuilder2(&sb, L"Disabled, "); if (Flags & TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT) PhAppendStringBuilder2(&sb, L"Default disabled, "); if (Flags & TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY) PhAppendStringBuilder2(&sb, L"Use for deny only, "); if (Flags & TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE) PhAppendStringBuilder2(&sb, L"Case-sensitive, "); if (Flags & TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE) PhAppendStringBuilder2(&sb, L"Non-inheritable, "); if (Flags & TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE) PhAppendStringBuilder2(&sb, L"Compare-ignore, "); if (sb.String->Length != 0) PhRemoveEndStringBuilder(&sb, 2); else PhAppendStringBuilder2(&sb, L"(None)"); return PhFinalStringBuilderString(&sb); } PPH_STRING PhFormatClaimSecurityAttributeValue( _In_ PCLAIM_SECURITY_ATTRIBUTE_V1 Attribute, _In_ ULONG ValueIndex ) { PH_FORMAT format[10]; switch (Attribute->ValueType) { case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64: PhInitFormatI64D(&format[0], Attribute->Values.pInt64[ValueIndex]); return PhFormat(format, 1, 0); case CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64: PhInitFormatI64U(&format[0], Attribute->Values.pUint64[ValueIndex]); return PhFormat(format, 1, 0); case CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING: return PhCreateString(Attribute->Values.ppString[ValueIndex]); case CLAIM_SECURITY_ATTRIBUTE_TYPE_FQBN: { PhInitFormatS(&format[0], L"Version "); PhInitFormatU(&format[1], HIWORD(Attribute->Values.pFqbn[ValueIndex].Version >> 32)); PhInitFormatC(&format[2], L'.'); PhInitFormatU(&format[3], LOWORD(Attribute->Values.pFqbn[ValueIndex].Version >> 32)); PhInitFormatC(&format[4], L'.'); PhInitFormatU(&format[5], HIWORD(Attribute->Values.pFqbn[ValueIndex].Version)); PhInitFormatC(&format[6], L'.'); PhInitFormatU(&format[7], LOWORD(Attribute->Values.pFqbn[ValueIndex].Version)); PhInitFormatS(&format[8], L": "); PhInitFormatS(&format[9], Attribute->Values.pFqbn[ValueIndex].Name); return PhFormat(format, 10, 40); } case CLAIM_SECURITY_ATTRIBUTE_TYPE_SID: { if (PhValidSid(Attribute->Values.pOctetString[ValueIndex].pValue)) { PPH_STRING name; name = PhGetSidFullName(Attribute->Values.pOctetString[ValueIndex].pValue, TRUE, NULL); if (name) return name; name = PhSidToStringSid(Attribute->Values.pOctetString[ValueIndex].pValue); if (name) return name; } } return PhCreateString(L"(Invalid SID)"); case CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN: return PhCreateString(Attribute->Values.pInt64[ValueIndex] != 0 ? L"True" : L"False"); case CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING: return PhCreateString(L"(Octet string)"); default: return PhCreateString(L"(Unknown)"); } } PPH_STRING PhFormatTokenSecurityAttributeValue( _In_ PPH_STRINGREF Name, _In_ PTOKEN_SECURITY_ATTRIBUTE_V1 Attribute, _In_ ULONG ValueIndex ) { static CONST PH_STRINGREF winPkg = PH_STRINGREF_INIT(L"WIN://PKG"); static CONST PH_STRINGREF winBgkd = PH_STRINGREF_INIT(L"WIN://BGKD"); static CONST PH_STRINGREF appidSHA1 = PH_STRINGREF_INIT(L"APPID://SHA1HASH"); static CONST PH_STRINGREF appidSHA256 = PH_STRINGREF_INIT(L"APPID://SHA256HASH"); static CONST PH_STRINGREF appidSHA256Flat = PH_STRINGREF_INIT(L"APPID://SHA256FLATHASH"); static CONST PH_STRINGREF originClaim = PH_STRINGREF_INIT(L"SMARTLOCKER://SMARTSCREENORIGINCLAIM"); static CONST PH_STRINGREF originClaimNI = PH_STRINGREF_INIT(L"SMARTLOCKER://SMARTSCREENORIGINCLAIMNOTINHERITED"); PH_FORMAT format[10]; ULONG count = 0; // Special cases for known attributes // WIN://PKG if (ValueIndex == 0 && Attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 && PhEqualStringRef(Name, &winPkg, TRUE)) { #define PH_ACTIVIATION_TOKEN_FLAG(x, n) { TEXT(#x), x, FALSE, FALSE, n } static const PH_ACCESS_ENTRY activationTokenFlag[] = { PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_PACKAGED_APPLICATION, L"AppX"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_SHARED_ENTITY, L"Shared token"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_FULL_TRUST, L"Trusted"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_NATIVE_SERVICE, L"Service"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_MULTIPLE_INSTANCES_ALLOWED, L"Multiple instances allowed"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_BREAKAWAY_INHIBITED, L"Breakaway inhibited"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_RUNTIME_BROKER, L"Runtime broker"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_UNIVERSAL_CONSOLE, L"Universal console"), PH_ACTIVIATION_TOKEN_FLAG(PSM_ACTIVATION_TOKEN_WIN32ALACARTE_PROCESS, L"Win32 process"), }; ULONG upper = (ULONG)(Attribute->Values.Uint64[0] >> 32); ULONG lower = (ULONG)Attribute->Values.Uint64[0]; PPH_STRING string; switch (upper) { case PackageOrigin_Unknown: PhInitFormatS(&format[count++], L"Unknown"); break; case PackageOrigin_Unsigned: PhInitFormatS(&format[count++], L"Unsigned"); break; case PackageOrigin_Inbox: PhInitFormatS(&format[count++], L"Inbox"); break; case PackageOrigin_Store: PhInitFormatS(&format[count++], L"Store"); break; case PackageOrigin_DeveloperUnsigned: PhInitFormatS(&format[count++], L"Developer unsigned"); break; case PackageOrigin_DeveloperSigned: PhInitFormatS(&format[count++], L"Developer signed"); break; case PackageOrigin_LineOfBusiness: PhInitFormatS(&format[count++], L"Line of business"); break; default: PhInitFormatS(&format[count++], L"Undefined"); break; } string = PhGetAccessString( lower, (PPH_ACCESS_ENTRY)activationTokenFlag, RTL_NUMBER_OF(activationTokenFlag) ); if (string->Length) { PhInitFormatS(&format[count++], L" : "); PhInitFormatSR(&format[count++], string->sr); } PhInitFormatS(&format[count++], L" (0x"); PhInitFormatI64X(&format[count++], Attribute->Values.Uint64[0]); PhInitFormatS(&format[count++], L")"); PhMoveReference(&string, PhFormat(format, count, 0)); return string; } // WIN://BGKD if (ValueIndex == 0 && Attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 && PhEqualStringRef(Name, &winBgkd, TRUE)) { switch (Attribute->Values.Uint64[0]) { case PsmActNotBackground: PhInitFormatS(&format[0], L"Not background"); break; case PsmActMixedHost: PhInitFormatS(&format[0], L"Mixed host"); break; case PsmActPureHost: PhInitFormatS(&format[0], L"Pure host"); break; case PsmActSystemHost: PhInitFormatS(&format[0], L"System host"); break; case PsmActInvalidType: PhInitFormatS(&format[0], L"Invalid"); break; default: PhInitFormatS(&format[0], L"Unknown"); break; } PhInitFormatS(&format[1], L" ("); PhInitFormatI64D(&format[2], Attribute->Values.Uint64[0]); PhInitFormatC(&format[3], L')'); return PhFormat(format, 4, 10); } // APPID://SHA1HASH, APPID://SHA256HASH, APPID://SHA256FLATHASH if (ValueIndex == 0 && Attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING && ((Attribute->Values.OctetString[0].ValueLength == 20 && PhEqualStringRef(Name, &appidSHA1, TRUE)) || (Attribute->Values.OctetString[0].ValueLength == 32 && PhEqualStringRef(Name, &appidSHA256, TRUE)) || (Attribute->Values.OctetString[0].ValueLength == 32 && PhEqualStringRef(Name, &appidSHA256Flat, TRUE)))) { return PhBufferToHexString( Attribute->Values.OctetString[0].Value, Attribute->Values.OctetString[0].ValueLength ); } // SMARTLOCKER://SMARTSCREENORIGINCLAIM, SMARTLOCKER://SMARTSCREENORIGINCLAIMNOTINHERITED if (ValueIndex == 0 && Attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING && Attribute->Values.OctetString[0].ValueLength == sizeof(SE_SAFE_OPEN_PROMPT_RESULTS) && (PhEqualStringRef(Name, &originClaim, TRUE) || PhEqualStringRef(Name, &originClaimNI, TRUE))) { PSE_SAFE_OPEN_PROMPT_RESULTS claimValue = Attribute->Values.OctetString[0].Value; PPH_STRING pathString; PPH_STRING resultsString; PPH_STRING string; #define PH_ORIGIN_CLAIM_RESULT(x, n) { TEXT(#x), x, FALSE, FALSE, n } static const PH_ACCESS_ENTRY originClaimResults[] = { PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceCalled, L"Called"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceAppRepCalled, L"App reputation called"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperiencePromptDisplayed, L"Prompt displayed"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceUAC, L"UAC"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceUninstaller, L"Uninstaller"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceIgnoreUnknownOrBad, L"Ignore unknown or bad"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceDefenderTrustedInstaller, L"Defender trusted installer"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceMOTWPresent, L"MOTW present"), PH_ORIGIN_CLAIM_RESULT(SeSafeOpenExperienceElevatedNoPropagation, L"Elevated no propagation"), }; resultsString = PhGetAccessString( claimValue->Results, (PPH_ACCESS_ENTRY)originClaimResults, RTL_NUMBER_OF(originClaimResults) ); pathString = PhCreateStringZ2(claimValue->Path, sizeof(claimValue->Path)); PhInitFormatSR(&format[0], resultsString->sr); PhInitFormatS(&format[1], L" (0x"); PhInitFormatX(&format[2], claimValue->Results); PhInitFormatS(&format[3], L") : \""); PhInitFormatSR(&format[4], pathString->sr); PhInitFormatC(&format[5], L'"'); string = PhFormat(format, 6, 10); PhDereferenceObject(pathString); PhDereferenceObject(resultsString); return string; } // Default handling switch (Attribute->ValueType) { case TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64: PhInitFormatI64D(&format[0], Attribute->Values.Int64[ValueIndex]); PhInitFormatS(&format[1], L" (0x"); PhInitFormatI64X(&format[2], Attribute->Values.Int64[ValueIndex]); PhInitFormatS(&format[3], L")"); return PhFormat(format, 4, 0); case TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64: PhInitFormatI64U(&format[0], Attribute->Values.Uint64[ValueIndex]); PhInitFormatS(&format[1], L" (0x"); PhInitFormatI64X(&format[2], Attribute->Values.Uint64[ValueIndex]); PhInitFormatS(&format[3], L")"); return PhFormat(format, 4, 0); case TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING: return PhCreateStringFromUnicodeString(&Attribute->Values.String[ValueIndex]); case TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN: { PhInitFormatS(&format[0], L"Version "); PhInitFormatU(&format[1], HIWORD(Attribute->Values.Fqbn[ValueIndex].Version >> 32)); PhInitFormatC(&format[2], L'.'); PhInitFormatU(&format[3], LOWORD(Attribute->Values.Fqbn[ValueIndex].Version >> 32)); PhInitFormatC(&format[4], L'.'); PhInitFormatU(&format[5], HIWORD(Attribute->Values.Fqbn[ValueIndex].Version)); PhInitFormatC(&format[6], L'.'); PhInitFormatU(&format[7], LOWORD(Attribute->Values.Fqbn[ValueIndex].Version)); PhInitFormatS(&format[8], L": "); PhInitFormatUCS(&format[9], &Attribute->Values.Fqbn[ValueIndex].Name); return PhFormat(format, 10, 40); } case TOKEN_SECURITY_ATTRIBUTE_TYPE_SID: { if (PhValidSid(Attribute->Values.OctetString[ValueIndex].Value)) { PPH_STRING name; name = PhGetSidFullName(Attribute->Values.OctetString[ValueIndex].Value, TRUE, NULL); if (name) return name; name = PhSidToStringSid(Attribute->Values.OctetString[ValueIndex].Value); if (name) return name; } } return PhCreateString(L"(Invalid SID)"); case TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN: return PhCreateString(Attribute->Values.Int64[ValueIndex] != 0 ? L"True" : L"False"); case TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING: PhInitFormatS(&format[0], L"(Octet string of "); PhInitFormatD(&format[1], Attribute->Values.OctetString[ValueIndex].ValueLength); PhInitFormatS(&format[2], L" bytes)"); return PhFormat(format, 3, 10); default: return PhCreateString(L"(Unknown)"); } } BOOLEAN PhpAddTokenClaimAttributes( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext, _In_ HWND tnHandle, _In_ BOOLEAN DeviceClaims, _In_ PPH_TOKEN_ATTRIBUTE_NODE Parent ) { HANDLE tokenHandle; PCLAIM_SECURITY_ATTRIBUTES_INFORMATION info; ULONG i; ULONG j; if (!NT_SUCCESS(TokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, TokenPageContext->Context // ProcessId ))) return FALSE; if (NT_SUCCESS(PhQueryTokenVariableSize(tokenHandle, DeviceClaims ? TokenDeviceClaimAttributes : TokenUserClaimAttributes, &info))) { for (i = 0; i < info->AttributeCount; i++) { PCLAIM_SECURITY_ATTRIBUTE_V1 attribute = &info->Attribute.pAttributeV1[i]; PPH_TOKEN_ATTRIBUTE_NODE node; PPH_STRING temp; // Attribute node = PhpAddAttributeNode(&TokenPageContext->ClaimsTreeContext, Parent, PhCreateString(attribute->Name)); // Type PhpAddAttributeNode(&TokenPageContext->ClaimsTreeContext, node, PhFormatString(L"Type: %s", PhGetSecurityAttributeTypeString(attribute->ValueType))); // Flags temp = PhGetSecurityAttributeFlagsString(attribute->Flags); PhpAddAttributeNode(&TokenPageContext->ClaimsTreeContext, node, PhFormatString(L"Flags: %s (0x%lx)", temp->Buffer, attribute->Flags)); PhDereferenceObject(temp); // Values for (j = 0; j < attribute->ValueCount; j++) { temp = PhFormatClaimSecurityAttributeValue(attribute, j); PhpAddAttributeNode(&TokenPageContext->ClaimsTreeContext, node, PhFormatString(L"Value %u: %s", j, temp->Buffer)); PhDereferenceObject(temp); } } PhFree(info); } TokenPageContext->CloseObject(tokenHandle, FALSE, TokenPageContext->Context); return TRUE; } INT_PTR CALLBACK PhpTokenClaimsPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; HWND tnHandle; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; tnHandle = GetDlgItem(hwndDlg, IDC_LIST); switch (uMsg) { case WM_INITDIALOG: { PPH_TOKEN_ATTRIBUTE_NODE userNode; PPH_TOKEN_ATTRIBUTE_NODE deviceNode; PhpInitializeAttributeTreeContext(&tokenPageContext->ClaimsTreeContext, hwndDlg, tnHandle); TreeNew_SetEmptyText(tnHandle, &PhpEmptyTokenClaimsText, 0); TreeNew_SetRedraw(tnHandle, FALSE); userNode = PhpAddAttributeNode(&tokenPageContext->ClaimsTreeContext, NULL, PhCreateString(L"User claims")); deviceNode = PhpAddAttributeNode(&tokenPageContext->ClaimsTreeContext, NULL, PhCreateString(L"Device claims")); PhpAddTokenClaimAttributes(tokenPageContext, tnHandle, FALSE, userNode); PhpAddTokenClaimAttributes(tokenPageContext, tnHandle, TRUE, deviceNode); if (userNode->Children->Count == 0 && deviceNode->Children->Count == 0) { PhpRemoveAttributeNode(&tokenPageContext->ClaimsTreeContext, userNode); PhpRemoveAttributeNode(&tokenPageContext->ClaimsTreeContext, deviceNode); } else { if (userNode->Children->Count == 0) PhpAddAttributeNode(&tokenPageContext->ClaimsTreeContext, userNode, PhCreateString(L"(None)")); if (deviceNode->Children->Count == 0) PhpAddAttributeNode(&tokenPageContext->ClaimsTreeContext, deviceNode, PhCreateString(L"(None)")); } TreeNew_NodesStructured(tnHandle); TreeNew_SetRedraw(tnHandle, TRUE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhpDeleteAttributeTreeContext(&tokenPageContext->ClaimsTreeContext); } break; case WM_SHOWWINDOW: { TreeNew_AutoSizeColumn(tnHandle, 0, TN_AUTOSIZE_REMAINING_SPACE); } break; case WM_CONTEXTMENU: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_TOKEN_ATTRIBUTE_NODE *attributeObjectNodes = NULL; ULONG numberOfAttributeObjectNodes = 0; if (!PhpGetSelectedAttributeTreeNodes(&tokenPageContext->ClaimsTreeContext, &attributeObjectNodes, &numberOfAttributeObjectNodes)) break; if (numberOfAttributeObjectNodes != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, tnHandle, contextMenuEvent->Column); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (!PhHandleCopyCellEMenuItem(selectedItem)) { switch (selectedItem->Id) { case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(tnHandle, 0); PhSetClipboardString(tnHandle, &text->sr); PhDereferenceObject(text); } break; } } } PhDestroyEMenu(menu); } PhFree(attributeObjectNodes); } break; } return FALSE; } BOOLEAN PhpAddTokenAttributes( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext, _In_ HWND tnHandle ) { HANDLE tokenHandle; PTOKEN_SECURITY_ATTRIBUTES_INFORMATION info; ULONG i; ULONG j; if (!NT_SUCCESS(TokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, TokenPageContext->Context // ProcessId ))) return FALSE; if (NT_SUCCESS(PhGetTokenSecurityAttributes(tokenHandle, &info))) { for (i = 0; i < info->AttributeCount; i++) { PTOKEN_SECURITY_ATTRIBUTE_V1 attribute = &info->AttributeV1[i]; PPH_STRING name; PPH_TOKEN_ATTRIBUTE_NODE node; PPH_STRING temp; name = PhCreateStringFromUnicodeString(&attribute->Name); // Attribute node = PhpAddAttributeNode(&TokenPageContext->AuthzTreeContext, NULL, PhReferenceObject(name)); // Type PhpAddAttributeNode(&TokenPageContext->AuthzTreeContext, node, PhFormatString(L"Type: %s", PhGetSecurityAttributeTypeString(attribute->ValueType))); // Flags temp = PhGetSecurityAttributeFlagsString(attribute->Flags); PhpAddAttributeNode(&TokenPageContext->AuthzTreeContext, node, PhFormatString(L"Flags: %s (0x%lx)", temp->Buffer, attribute->Flags)); PhDereferenceObject(temp); // Values for (j = 0; j < attribute->ValueCount; j++) { temp = PhFormatTokenSecurityAttributeValue(&name->sr, attribute, j); PhpAddAttributeNode(&TokenPageContext->AuthzTreeContext, node, PhFormatString(L"Value %u: %s", j, temp->Buffer)); PhDereferenceObject(temp); } } PhFree(info); } TokenPageContext->CloseObject(tokenHandle, FALSE, TokenPageContext->Context); return TRUE; } INT_PTR CALLBACK PhpTokenAttributesPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; HWND tnHandle; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; tnHandle = GetDlgItem(hwndDlg, IDC_LIST); switch (uMsg) { case WM_INITDIALOG: { PhpInitializeAttributeTreeContext(&tokenPageContext->AuthzTreeContext, hwndDlg, tnHandle); TreeNew_SetEmptyText(tnHandle, &PhpEmptyTokenAttributesText, 0); TreeNew_SetRedraw(tnHandle, FALSE); PhpAddTokenAttributes(tokenPageContext, tnHandle); //if (tokenPageContext->AuthzTreeContext.RootList->Count == 0) // PhpAddAttributeNode(&tokenPageContext->AuthzTreeContext, NULL, PhCreateString(L"(None)")); TreeNew_NodesStructured(tnHandle); TreeNew_SetRedraw(tnHandle, TRUE); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhpDeleteAttributeTreeContext(&tokenPageContext->AuthzTreeContext); } break; case WM_SHOWWINDOW: { TreeNew_AutoSizeColumn(tnHandle, 0, TN_AUTOSIZE_REMAINING_SPACE); } break; case WM_CONTEXTMENU: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_TOKEN_ATTRIBUTE_NODE *attributeObjectNodes = NULL; ULONG numberOfAttributeObjectNodes = 0; if (!PhpGetSelectedAttributeTreeNodes(&tokenPageContext->AuthzTreeContext, &attributeObjectNodes, &numberOfAttributeObjectNodes)) break; if (numberOfAttributeObjectNodes != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, tnHandle, contextMenuEvent->Column); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (!PhHandleCopyCellEMenuItem(selectedItem)) { switch (selectedItem->Id) { case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(tnHandle, 0); PhSetClipboardString(tnHandle, &text->sr); PhDereferenceObject(text); } break; } } } PhDestroyEMenu(menu); } PhFree(attributeObjectNodes); } break; } return FALSE; } // rev from GetUserProfileDirectory (dmex) PPH_STRING PhpGetTokenFolderPath( _In_ HANDLE TokenHandle ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"); PPH_STRING profileFolderPath = NULL; PPH_STRING profileKeyPath = NULL; PPH_STRING tokenUserSid; PH_TOKEN_USER tokenUser; if (NT_SUCCESS(PhGetTokenUser(TokenHandle, &tokenUser))) { if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(tokenUser.User.Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_NT_AUTHORITY)) { ULONG subAuthority = *PhSubAuthoritySid(tokenUser.User.Sid, 0); if (subAuthority == SECURITY_UMFD_BASE_RID) { if (tokenUserSid = PhSidToStringSid((PSID)&PhSeLocalSystemSid)) { profileKeyPath = PhConcatStringRef2(&servicesKeyName, &tokenUserSid->sr); PhDereferenceObject(tokenUserSid); } } else { if (tokenUserSid = PhSidToStringSid(tokenUser.User.Sid)) { profileKeyPath = PhConcatStringRef2(&servicesKeyName, &tokenUserSid->sr); PhDereferenceObject(tokenUserSid); } } } else { if (tokenUserSid = PhSidToStringSid(tokenUser.User.Sid)) { profileKeyPath = PhConcatStringRef2(&servicesKeyName, &tokenUserSid->sr); PhDereferenceObject(tokenUserSid); } } } if (profileKeyPath) { HANDLE keyHandle; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &profileKeyPath->sr, 0 ))) { PPH_STRING profileImagePath; if (profileFolderPath = PhQueryRegistryStringZ(keyHandle, L"ProfileImagePath")) { if (profileImagePath = PhExpandEnvironmentStrings(&profileFolderPath->sr)) { PhMoveReference(&profileFolderPath, profileImagePath); } } NtClose(keyHandle); } PhDereferenceObject(profileKeyPath); } //ULONG profileFolderLength; //if (GetUserProfileDirectory) //{ // GetUserProfileDirectory(TokenHandle, NULL, &profileFolderLength); // profileFolderPath = PhCreateStringEx(NULL, profileFolderLength * sizeof(WCHAR)); // GetUserProfileDirectory(TokenHandle, profileFolderPath->Buffer, &profileFolderLength); //} return profileFolderPath; } PPH_STRING PhpGetTokenRegistryPath( _In_ HANDLE TokenHandle ) { PPH_STRING profileRegistryPath = NULL; PPH_STRING tokenUserSid = NULL; PH_TOKEN_USER tokenUser; if (NT_SUCCESS(PhGetTokenUser(TokenHandle, &tokenUser))) { tokenUserSid = PhSidToStringSid(tokenUser.User.Sid); } if (tokenUserSid) { NTSTATUS status; HANDLE keyHandle = NULL; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_USERS, &tokenUserSid->sr, 0 ); if (NT_SUCCESS(status) || status == STATUS_ACCESS_DENIED) { profileRegistryPath = PhConcatStrings2(L"HKU\\", tokenUserSid->Buffer); } if (keyHandle) NtClose(keyHandle); PhDereferenceObject(tokenUserSid); } return profileRegistryPath; } PPH_STRING PhpGetTokenAppContainerFolderPath( _In_ HANDLE TokenHandle, _In_opt_ PSID TokenAppContainerSid ) { if (PhGetTokenIsFullTrustPackage(TokenHandle)) { PPH_STRING packageLocalAppData = PhGetKnownFolderPathEx( &FOLDERID_LocalAppData, PH_KF_FLAG_FORCE_PACKAGE_REDIRECTION, TokenHandle, NULL ); PPH_STRING localAppData = PhGetKnownFolderPathEx( &FOLDERID_LocalAppData, 0, NULL, NULL ); if (PhEqualString(packageLocalAppData, localAppData, TRUE)) { PhDereferenceObject(localAppData); PhDereferenceObject(packageLocalAppData); return NULL; } PhDereferenceObject(localAppData); return packageLocalAppData; } else if (TokenAppContainerSid) { PPH_STRING appContainerFolderPath; //PWSTR folderPath = NULL; appContainerFolderPath = PhGetKnownFolderPathEx( &FOLDERID_LocalAppData, PH_KF_FLAG_FORCE_APPCONTAINER_REDIRECTION, TokenHandle, NULL ); //if (PhIsNullOrEmptyString(appContainerFolderPath)) //{ // if (NT_SUCCESS(PhImpersonateToken(NtCurrentThread(), TokenHandle))) // { // if (GetAppContainerFolderPath_Import()) // { // PPH_STRING appContainerSid = PhSidToStringSid(TokenAppContainerSid); // // if (SUCCEEDED(GetAppContainerFolderPath_Import()(appContainerSid->Buffer, &folderPath)) && folderPath) // { // assert(PhEqualString2(appContainerFolderPath, folderPath, TRUE)); // CoTaskMemFree(folderPath); // } // // PhDereferenceObject(appContainerSid); // } // // PhRevertImpersonationToken(NtCurrentThread()); // } //} // Workaround for pseudo Appcontainers created by System processes that default to the \systemprofile path. (dmex) if (PhIsNullOrEmptyString(appContainerFolderPath)) { PH_TOKEN_USER tokenUser; if (NT_SUCCESS(PhGetTokenUser(TokenHandle, &tokenUser))) { ULONG subAuthority; PPH_STRING tokenProfilePathString; PPH_STRING appContainerName; subAuthority = *PhSubAuthoritySid(tokenUser.User.Sid, 0); //PhIdentifierAuthoritySid(tokenUser.User.Sid) == (BYTE[])SECURITY_NT_AUTHORITY if (subAuthority == SECURITY_UMFD_BASE_RID) { if (tokenProfilePathString = PhpGetTokenFolderPath(TokenHandle)) { if (appContainerName = PhGetAppContainerName(TokenAppContainerSid)) { static CONST PH_STRINGREF appDataPackagePath = PH_STRINGREF_INIT(L"\\AppData\\Local\\Packages\\"); PhMoveReference(&appContainerFolderPath, PhConcatStringRef3( &tokenProfilePathString->sr, &appDataPackagePath, &appContainerName->sr )); PhDereferenceObject(appContainerName); } PhDereferenceObject(tokenProfilePathString); } } } } return appContainerFolderPath; } else { return NULL; } } PPH_STRING PhpGetTokenAppContainerRegistryPath( _In_ HANDLE TokenHandle ) { PPH_STRING appContainerRegistryPath = NULL; HKEY registryHandle = NULL; if (NT_SUCCESS(PhImpersonateToken(NtCurrentThread(), TokenHandle))) { if (GetAppContainerRegistryLocation_Import()) GetAppContainerRegistryLocation_Import()(KEY_READ, ®istryHandle); PhRevertImpersonationToken(NtCurrentThread()); } if (registryHandle) { PhQueryObjectName(registryHandle, &appContainerRegistryPath); NtClose(registryHandle); } return appContainerRegistryPath; } INT_PTR CALLBACK PhpTokenContainerPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; PPHP_TOKEN_ADVANCED_CONTEXT context; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; if (uMsg == WM_INITDIALOG) { context = PhAllocateZero(sizeof(PHP_TOKEN_ADVANCED_CONTEXT)); PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { HANDLE tokenHandle; BOOLEAN isLessPrivilegedAppContainer = FALSE; PPH_STRING tokenNamedObjectPathString = NULL; context->ListViewHandle = GetDlgItem(hwndDlg, IDC_LIST); PhSetListViewStyle(context->ListViewHandle, FALSE, TRUE); PhSetControlTheme(context->ListViewHandle, L"explorer"); PhAddListViewColumn(context->ListViewHandle, 0, 0, 0, LVCFMT_LEFT, 120, L"Name"); PhAddListViewColumn(context->ListViewHandle, 1, 1, 1, LVCFMT_LEFT, 280, L"Value"); PhSetExtendedListView(context->ListViewHandle); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->ListViewHandle, NULL, PH_ANCHOR_ALL); ListView_EnableGroupView(context->ListViewHandle, TRUE); PhAddListViewGroup(context->ListViewHandle, 0, L"General"); PhAddListViewGroup(context->ListViewHandle, 1, L"Properties"); PhAddListViewGroup(context->ListViewHandle, 2, L"Parent"); PhAddListViewGroup(context->ListViewHandle, 3, L"Package"); PhAddListViewGroup(context->ListViewHandle, 4, L"Profile"); PhAddListViewGroupItem(context->ListViewHandle, 0, MAXINT, L"Name", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, MAXINT, L"Type", NULL); PhAddListViewGroupItem(context->ListViewHandle, 0, MAXINT, L"SID", NULL); PhAddListViewGroupItem(context->ListViewHandle, 1, MAXINT, L"Number", NULL); PhAddListViewGroupItem(context->ListViewHandle, 1, MAXINT, L"LPAC", NULL); PhAddListViewGroupItem(context->ListViewHandle, 1, MAXINT, L"Token object path", NULL); PhAddListViewGroupItem(context->ListViewHandle, 2, MAXINT, L"Name", NULL); PhAddListViewGroupItem(context->ListViewHandle, 2, MAXINT, L"SID", NULL); PhAddListViewGroupItem(context->ListViewHandle, 3, MAXINT, L"Name", NULL); PhAddListViewGroupItem(context->ListViewHandle, 3, MAXINT, L"Path", NULL); PhAddListViewGroupItem(context->ListViewHandle, 4, MAXINT, L"Folder path", NULL); PhAddListViewGroupItem(context->ListViewHandle, 4, MAXINT, L"Registry path", NULL); if (NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ))) { APPCONTAINER_SID_TYPE appContainerSidType = InvalidAppContainerSidType; PH_TOKEN_APPCONTAINER tokenAppContainer; PSID appContainerSidParent = NULL; PPH_STRING appContainerName = NULL; PPH_STRING appContainerSidString = NULL; ULONG appContainerNumber; PPH_STRING packageFullName; PPH_STRING packagePath; if (NT_SUCCESS(PhGetTokenAppContainerSid(tokenHandle, &tokenAppContainer))) { if (RtlGetAppContainerSidType_Import()) RtlGetAppContainerSidType_Import()(tokenAppContainer.AppContainer.Sid, &appContainerSidType); if (RtlGetAppContainerParent_Import()) RtlGetAppContainerParent_Import()(tokenAppContainer.AppContainer.Sid, &appContainerSidParent); appContainerName = PhGetAppContainerName(tokenAppContainer.AppContainer.Sid); appContainerSidString = PhSidToStringSid(tokenAppContainer.AppContainer.Sid); } if (appContainerName) { PhSetListViewSubItem(context->ListViewHandle, 0, 1, appContainerName->Buffer); PhDereferenceObject(appContainerName); } switch (appContainerSidType) { case ChildAppContainerSidType: PhSetListViewSubItem(context->ListViewHandle, 1, 1, L"Child"); break; case ParentAppContainerSidType: PhSetListViewSubItem(context->ListViewHandle, 1, 1, L"Parent"); break; } if (appContainerSidString) { PhSetListViewSubItem(context->ListViewHandle, 2, 1, appContainerSidString->Buffer); PhDereferenceObject(appContainerSidString); } if (!PhGetTokenIsFullTrustPackage(tokenHandle)) { if (NT_SUCCESS(PhGetTokenAppContainerNumber(tokenHandle, &appContainerNumber))) { WCHAR string[PH_INT64_STR_LEN_1] = L"Unknown"; PhPrintUInt32(string, appContainerNumber); PhSetListViewSubItem(context->ListViewHandle, 3, 1, string); } PhGetTokenIsLessPrivilegedAppContainer(tokenHandle, &isLessPrivilegedAppContainer); PhSetListViewSubItem(context->ListViewHandle, 4, 1, isLessPrivilegedAppContainer ? L"True" : L"False"); } if (NT_SUCCESS(PhGetAppContainerNamedObjectPath(tokenHandle, NULL, FALSE, &tokenNamedObjectPathString))) { PhSetListViewSubItem(context->ListViewHandle, 5, 1, PhGetStringOrDefault(tokenNamedObjectPathString, L"Unknown")); PhDereferenceObject(tokenNamedObjectPathString); } if (appContainerSidParent) { if (appContainerName = PhGetAppContainerName(appContainerSidParent)) { PhSetListViewSubItem(context->ListViewHandle, 6, 1, appContainerName->Buffer); PhDereferenceObject(appContainerName); } if (appContainerSidString = PhSidToStringSid(appContainerSidParent)) { PhSetListViewSubItem(context->ListViewHandle, 7, 1, appContainerSidString->Buffer); PhDereferenceObject(appContainerSidString); } RtlFreeSid(appContainerSidParent); } if (NT_SUCCESS(PhGetTokenPackageFullName(tokenHandle, &packageFullName))) { PhSetListViewSubItem(context->ListViewHandle, 8, 1, packageFullName->Buffer); if (packagePath = PhGetPackagePath(packageFullName)) { PhSetListViewSubItem(context->ListViewHandle, 9, 1, packagePath->Buffer); PhDereferenceObject(packagePath); } PhDereferenceObject(packageFullName); } tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } tokenHandle = NULL; if (!NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY | TOKEN_IMPERSONATE | TOKEN_DUPLICATE, tokenPageContext->Context // ProcessId ))) { if (!NT_SUCCESS(tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY | TOKEN_IMPERSONATE, tokenPageContext->Context // ProcessId ))) { tokenPageContext->OpenObject( &tokenHandle, TOKEN_QUERY, tokenPageContext->Context // ProcessId ); } } if (tokenHandle) { PH_TOKEN_APPCONTAINER tokenAppContainer; PPH_STRING appContainerFolderPath; PPH_STRING appContainerRegistryPath; if (NT_SUCCESS(PhGetTokenAppContainerSid(tokenHandle, &tokenAppContainer))) appContainerFolderPath = PhpGetTokenAppContainerFolderPath(tokenHandle, tokenAppContainer.AppContainer.Sid); else appContainerFolderPath = PhpGetTokenAppContainerFolderPath(tokenHandle, NULL); if (appContainerFolderPath) { PhSetListViewSubItem(context->ListViewHandle, 10, 1, appContainerFolderPath->Buffer); PhDereferenceObject(appContainerFolderPath); } if (appContainerRegistryPath = PhpGetTokenAppContainerRegistryPath(tokenHandle)) { PhSetListViewSubItem(context->ListViewHandle, 11, 1, appContainerRegistryPath->Buffer); PhDereferenceObject(appContainerRegistryPath); } tokenPageContext->CloseObject(tokenHandle, FALSE, tokenPageContext->Context); } PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhDeleteLayoutManager(&context->LayoutManager); PhFree(context); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); ExtendedListView_SetColumnWidth(context->ListViewHandle, 0, ELVSCW_AUTOSIZE_REMAININGSPACE); } break; case WM_CONTEXTMENU: { if ((HWND)wParam == context->ListViewHandle) { POINT point; PPH_EMENU menu; PPH_EMENU item; PVOID* listviewItems; ULONG numberOfItems; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); if (point.x == -1 && point.y == -1) PhGetListViewContextMenuPoint(context->ListViewHandle, &point); PhGetSelectedListViewItemParams(context->ListViewHandle, &listviewItems, &numberOfItems); if (numberOfItems != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"&Copy", NULL, NULL), ULONG_MAX); PhInsertCopyListViewEMenuItem(menu, IDC_COPY, context->ListViewHandle); item = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, point.x, point.y ); if (item) { BOOLEAN handled = FALSE; handled = PhHandleCopyListViewEMenuItem(item); //if (!handled && PhPluginsEnabled) // handled = PhPluginTriggerEMenuItem(&menuInfo, item); if (!handled) { switch (item->Id) { case IDC_COPY: { PhCopyListView(context->ListViewHandle); } break; } } } PhDestroyEMenu(menu); } PhFree(listviewItems); } } break; } return FALSE; } typedef enum _AppModelPolicy_Type { AppModelPolicy_Type_LifecycleManager = 1, AppModelPolicy_Type_AppDataAccess = 2, AppModelPolicy_Type_WindowingModel = 3, AppModelPolicy_Type_DllSearchOrder = 4, AppModelPolicy_Type_Fusion = 5, AppModelPolicy_Type_NonWindowsCodecLoading = 6, AppModelPolicy_Type_ProcessEnd = 7, AppModelPolicy_Type_BeginThreadInit = 8, AppModelPolicy_Type_DeveloperInformation = 9, AppModelPolicy_Type_CreateFileAccess = 10, AppModelPolicy_Type_ImplicitPackageBreakaway_Internal = 11, AppModelPolicy_Type_ProcessActivationShim = 12, AppModelPolicy_Type_AppKnownToStateRepository = 13, AppModelPolicy_Type_AudioManagement = 14, AppModelPolicy_Type_PackageMayContainPublicComRegistrations = 15, AppModelPolicy_Type_PackageMayContainPrivateComRegistrations = 16, AppModelPolicy_Type_LaunchCreateProcessExtensions = 17, AppModelPolicy_Type_ClrCompat = 18, AppModelPolicy_Type_LoaderIgnoreAlteredSearchForRelativePath = 19, AppModelPolicy_Type_ImplicitlyActivateClassicAAAServersAsIU = 20, AppModelPolicy_Type_ComClassicCatalog = 21, AppModelPolicy_Type_ComUnmarshaling = 22, AppModelPolicy_Type_ComAppLaunchPerfEnhancements = 23, AppModelPolicy_Type_ComSecurityInitialization = 24, AppModelPolicy_Type_RoInitializeSingleThreadedBehavior = 25, AppModelPolicy_Type_ComDefaultExceptionHandling = 26, AppModelPolicy_Type_ComOopProxyAgility = 27, AppModelPolicy_Type_AppServiceLifetime = 28, AppModelPolicy_Type_WebPlatform = 29, AppModelPolicy_Type_WinInetStoragePartitioning = 30, AppModelPolicy_Type_IndexerProtocolHandlerHost = 31, // since RS2 AppModelPolicy_Type_LoaderIncludeUserDirectories = 32, AppModelPolicy_Type_ConvertAppContainerToRestrictedAppContainer = 33, AppModelPolicy_Type_PackageMayContainPrivateMapiProvider = 34, AppModelPolicy_Type_AdminProcessPackageClaims = 35, // since RS3 AppModelPolicy_Type_RegistryRedirectionBehavior = 36, AppModelPolicy_Type_BypassCreateProcessAppxExtension = 37, AppModelPolicy_Type_KnownFolderRedirection = 38, AppModelPolicy_Type_PrivateActivateAsPackageWinrtClasses = 39, AppModelPolicy_Type_AppPrivateFolderRedirection = 40, AppModelPolicy_Type_GlobalSystemAppDataAccess = 41, AppModelPolicy_Type_ConsoleHandleInheritance = 42, // since RS4 AppModelPolicy_Type_ConsoleBufferAccess = 43, AppModelPolicy_Type_ConvertCallerTokenToUserTokenForDeployment = 44, AppModelPolicy_Type_ShellExecuteRetrieveIdentityFromCurrentProcess = 45, // since RS5 AppModelPolicy_Type_CodeIntegritySigning = 46, // since 19H1 AppModelPolicy_Type_PTCActivation = 47, AppModelPolicy_Type_ComIntraPackageRpcCall = 48, // since 20H1 AppModelPolicy_Type_LoadUser32ShimOnWindowsCoreOS = 49, AppModelPolicy_Type_SecurityCapabilitiesOverride = 50, AppModelPolicy_Type_CurrentDirectoryOverride = 51, AppModelPolicy_Type_ComTokenMatchingForAAAServers = 52, AppModelPolicy_Type_UseOriginalFileNameInTokenFQBNAttribute = 53, AppModelPolicy_Type_LoaderIncludeAlternateForwarders = 54, AppModelPolicy_Type_PullPackageDependencyData = 55, AppModelPolicy_Type_AppInstancingErrorBehavior = 56, // since WIN11 AppModelPolicy_Type_BackgroundTaskRegistrationType = 57, AppModelPolicy_Type_ModsPowerNotification = 58, AppModelPolicy_Type_DamRegistration = 59, // since 24H2 AppModelPolicy_Type_Count = 59, } AppModelPolicy_Type; typedef enum _AppModelPolicy_PolicyValue { AppModelPolicy_LifecycleManager_Unmanaged = 0x10000, AppModelPolicy_LifecycleManager_ManagedByPLM = 0x10001, AppModelPolicy_LifecycleManager_ManagedByEM = 0x10002, AppModelPolicy_AppDataAccess_Allowed = 0x20000, AppModelPolicy_AppDataAccess_Denied = 0x20001, AppModelPolicy_WindowingModel_Hwnd = 0x30000, AppModelPolicy_WindowingModel_CoreWindow = 0x30001, AppModelPolicy_WindowingModel_LegacyPhone = 0x30002, AppModelPolicy_WindowingModel_None = 0x30003, AppModelPolicy_DllSearchOrder_Traditional = 0x40000, AppModelPolicy_DllSearchOrder_PackageGraphBased = 0x40001, AppModelPolicy_Fusion_Full = 0x50000, AppModelPolicy_Fusion_Limited = 0x50001, AppModelPolicy_NonWindowsCodecLoading_Allowed = 0x60000, AppModelPolicy_NonWindowsCodecLoading_Denied = 0x60001, AppModelPolicy_ProcessEnd_TerminateProcess = 0x70000, AppModelPolicy_ProcessEnd_ExitProcess = 0x70001, AppModelPolicy_BeginThreadInit_RoInitialize = 0x80000, AppModelPolicy_BeginThreadInit_None = 0x80001, AppModelPolicy_DeveloperInformation_UI = 0x90000, AppModelPolicy_DeveloperInformation_None = 0x90001, AppModelPolicy_CreateFileAccess_Full = 0xa0000, AppModelPolicy_CreateFileAccess_Limited = 0xa0001, AppModelPolicy_ImplicitPackageBreakaway_Allowed = 0xb0000, AppModelPolicy_ImplicitPackageBreakaway_Denied = 0xb0001, AppModelPolicy_ImplicitPackageBreakaway_DeniedByApp = 0xb0002, AppModelPolicy_ProcessActivationShim_None = 0xc0000, AppModelPolicy_ProcessActivationShim_PackagedCWALauncher = 0xc0001, AppModelPolicy_AppKnownToStateRepository_Known = 0xd0000, AppModelPolicy_AppKnownToStateRepository_Unknown = 0xd0001, AppModelPolicy_AudioManagement_Unmanaged = 0xe0000, AppModelPolicy_AudioManagement_ManagedByPBM = 0xe0001, AppModelPolicy_PackageMayContainPublicComRegistrations_Yes = 0xf0000, AppModelPolicy_PackageMayContainPublicComRegistrations_No = 0xf0001, AppModelPolicy_PackageMayContainPrivateComRegistrations_None = 0x100000, AppModelPolicy_PackageMayContainPrivateComRegistrations_PrivateHive = 0x100001, AppModelPolicy_LaunchCreateProcessExtensions_None = 0x110000, AppModelPolicy_LaunchCreateProcessExtensions_RegisterWithPsm = 0x110001, AppModelPolicy_LaunchCreateProcessExtensions_RegisterWithDesktopAppX = 0x110002, AppModelPolicy_LaunchCreateProcessExtensions_RegisterWithDesktopAppXNoHeliumContainer = 0x110003, AppModelPolicy_ClrCompat_Others = 0x120000, AppModelPolicy_ClrCompat_ClassicDesktop = 0x120001, AppModelPolicy_ClrCompat_Universal = 0x120002, AppModelPolicy_ClrCompat_PackagedDesktop = 0x120003, AppModelPolicy_LoaderIgnoreAlteredSearchForRelativePath_False = 0x130000, AppModelPolicy_LoaderIgnoreAlteredSearchForRelativePath_True = 0x130001, AppModelPolicy_ImplicitlyActivateClassicAAAServersAsIU_Yes = 0x140000, AppModelPolicy_ImplicitlyActivateClassicAAAServersAsIU_No = 0x140001, AppModelPolicy_ComClassicCatalog_MachineHiveAndUserHive = 0x150000, AppModelPolicy_ComClassicCatalog_MachineHiveOnly = 0x150001, AppModelPolicy_ComUnmarshaling_ForceStrongUnmarshaling = 0x160000, AppModelPolicy_ComUnmarshaling_ApplicationManaged = 0x160001, AppModelPolicy_ComAppLaunchPerfEnhancements_Enabled = 0x170000, AppModelPolicy_ComAppLaunchPerfEnhancements_Disabled = 0x170001, AppModelPolicy_ComSecurityInitialization_ApplicationManaged = 0x180000, AppModelPolicy_ComSecurityInitialization_SystemManaged = 0x180001, AppModelPolicy_RoInitializeSingleThreadedBehavior_ASTA = 0x190000, AppModelPolicy_RoInitializeSingleThreadedBehavior_STA = 0x190001, AppModelPolicy_ComDefaultExceptionHandling_HandleAll = 0x1a0000, AppModelPolicy_ComDefaultExceptionHandling_HandleNone = 0x1a0001, AppModelPolicy_ComOopProxyAgility_Agile = 0x1b0000, AppModelPolicy_ComOopProxyAgility_NonAgile = 0x1b0001, AppModelPolicy_AppServiceLifetime_StandardTimeout = 0x1c0000, AppModelPolicy_AppServiceLifetime_ExtensibleTimeout = 0x1c0001, AppModelPolicy_AppServiceLifetime_ExtendedForSamePackage = 0x1c0002, AppModelPolicy_WebPlatform_Edge = 0x1d0000, AppModelPolicy_WebPlatform_Legacy = 0x1d0001, AppModelPolicy_WinInetStoragePartitioning_Isolated = 0x1e0000, AppModelPolicy_WinInetStoragePartitioning_SharedWithAppContainer = 0x1e0001, AppModelPolicy_IndexerProtocolHandlerHost_PerUser = 0x1f0000, AppModelPolicy_IndexerProtocolHandlerHost_PerApp = 0x1f0001, AppModelPolicy_LoaderIncludeUserDirectories_False = 0x200000, AppModelPolicy_LoaderIncludeUserDirectories_True = 0x200001, AppModelPolicy_ConvertAppContainerToRestrictedAppContainer_False = 0x210000, AppModelPolicy_ConvertAppContainerToRestrictedAppContainer_True = 0x210001, AppModelPolicy_PackageMayContainPrivateMapiProvider_None = 0x220000, AppModelPolicy_PackageMayContainPrivateMapiProvider_PrivateHive = 0x220001, AppModelPolicy_AdminProcessPackageClaims_None = 0x230000, AppModelPolicy_AdminProcessPackageClaims_Caller = 0x230001, AppModelPolicy_RegistryRedirectionBehavior_None = 0x240000, AppModelPolicy_RegistryRedirectionBehavior_CopyOnWrite = 0x240001, AppModelPolicy_BypassCreateProcessAppxExtension_False = 0x250000, AppModelPolicy_BypassCreateProcessAppxExtension_True = 0x250001, AppModelPolicy_KnownFolderRedirection_Isolated = 0x260000, AppModelPolicy_KnownFolderRedirection_RedirectToPackage = 0x260001, AppModelPolicy_PrivateActivateAsPackageWinrtClasses_AllowNone = 0x270000, AppModelPolicy_PrivateActivateAsPackageWinrtClasses_AllowFullTrust = 0x270001, AppModelPolicy_PrivateActivateAsPackageWinrtClasses_AllowNonFullTrust = 0x270002, AppModelPolicy_AppPrivateFolderRedirection_None = 0x280000, AppModelPolicy_AppPrivateFolderRedirection_AppPrivate = 0x280001, AppModelPolicy_GlobalSystemAppDataAccess_Normal = 0x290000, AppModelPolicy_GlobalSystemAppDataAccess_Virtualized = 0x290001, AppModelPolicy_ConsoleHandleInheritance_ConsoleOnly = 0x2a0000, AppModelPolicy_ConsoleHandleInheritance_All = 0x2a0001, AppModelPolicy_ConsoleBufferAccess_RestrictedUnidirectional = 0x2b0000, AppModelPolicy_ConsoleBufferAccess_Unrestricted = 0x2b0001, AppModelPolicy_ConvertCallerTokenToUserTokenForDeployment_UserCallerToken = 0x2c0000, AppModelPolicy_ConvertCallerTokenToUserTokenForDeployment_ConvertTokenToUserToken = 0x2c0001, AppModelPolicy_ShellExecuteRetrieveIdentityFromCurrentProcess_False = 0x2d0000, AppModelPolicy_ShellExecuteRetrieveIdentityFromCurrentProcess_True = 0x2d0001, AppModelPolicy_CodeIntegritySigning_Default = 0x2e0000, AppModelPolicy_CodeIntegritySigning_OriginBased = 0x2e0001, AppModelPolicy_CodeIntegritySigning_OriginBasedForDev = 0x2e0002, AppModelPolicy_PTCActivation_Default = 0x2f0000, AppModelPolicy_PTCActivation_AllowActivationInBrokerForMediumILContainer = 0x2f0001, AppModelPolicy_Type_ComIntraPackageRpcCall_NoWake = 0x300000, AppModelPolicy_Type_ComIntraPackageRpcCall_Wake = 0x300001, AppModelPolicy_LoadUser32ShimOnWindowsCoreOS_True = 0x310000, AppModelPolicy_LoadUser32ShimOnWindowsCoreOS_False = 0x310001, AppModelPolicy_SecurityCapabilitiesOverride_None = 0x320000, AppModelPolicy_SecurityCapabilitiesOverride_PackageCapabilities = 0x320001, AppModelPolicy_CurrentDirectoryOverride_None = 0x330000, AppModelPolicy_CurrentDirectoryOverride_PackageInstallDirectory = 0x330001, AppModelPolicy_ComTokenMatchingForAAAServers_DontUseNtCompareTokens = 0x340000, AppModelPolicy_ComTokenMatchingForAAAServers_UseNtCompareTokens = 0x340001, AppModelPolicy_UseOriginalFileNameInTokenFQBNAttribute_False = 0x350000, AppModelPolicy_UseOriginalFileNameInTokenFQBNAttribute_True = 0x350001, AppModelPolicy_LoaderIncludeAlternateForwarders_False = 0x360000, AppModelPolicy_LoaderIncludeAlternateForwarders_True = 0x360001, AppModelPolicy_PullPackageDependencyData_False = 0x370000, AppModelPolicy_PullPackageDependencyData_True = 0x370001, AppModelPolicy_AppInstancingErrorBehavior_SuppressErrors = 0x380000, AppModelPolicy_AppInstancingErrorBehavior_RaiseErrors = 0x380001, AppModelPolicy_BackgroundTaskRegistrationType_Unsupported = 0x390000, AppModelPolicy_BackgroundTaskRegistrationType_Manifested = 0x390001, AppModelPolicy_BackgroundTaskRegistrationType_Win32Clsid = 0x390002, AppModelPolicy_Type_ModsPowerNotification_Disabled = 0x3a0000, AppModelPolicy_Type_ModsPowerNotification_Enabled = 0x3a0001, AppModelPolicy_Type_ModsPowerNotification_QueryDam = 0x3a0002, AppModelPolicy_Type_DamRegistration_DoNotRegister = 0x3B0000, AppModelPolicy_Type_DamRegistration_RegisterAtLaunch = 0x3B0001, } AppModelPolicy_PolicyValue; #define WM_PH_APPMODEL_SYMBOL_RESULT (WM_APP + 101) static NTSTATUS (NTAPI* GetAppModelPolicy_I)( _In_ HANDLE TokenHandle, _In_ AppModelPolicy_Type PolicyType, _Out_ AppModelPolicy_PolicyValue* PolicyValue ) = NULL; DECLSPEC_GUARDNOCF NTSTATUS PhpGetAppModelPolicy( _In_ HANDLE TokenHandle, _In_ AppModelPolicy_Type PolicyType, _Out_ AppModelPolicy_PolicyValue* PolicyValue ) { assert(GetAppModelPolicy_I); // // GetAppModelPolicy is not in the KernelBase CFG bitmap so it can not be // runtime marked as a valid indirect call target when CFG is enabled. Here // we wrap the call in a routine that disables CFG. // return GetAppModelPolicy_I(TokenHandle, PolicyType, PolicyValue); } NTSTATUS PhGetAppModelPolicy( _In_ HANDLE TokenHandle, _In_ AppModelPolicy_Type PolicyType, _Out_ AppModelPolicy_PolicyValue* PolicyValue ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; NTSTATUS status = STATUS_SUCCESS; if (PhBeginInitOnce(&initOnce)) { PPH_SYMBOL_PROVIDER symbolProvider; PH_SYMBOL_INFORMATION symbolInfo; PVOID baseAddress; ULONG sizeOfImage; PPH_STRING fileName; symbolProvider = PhCreateSymbolProvider(NULL); PhLoadSymbolProviderOptions(symbolProvider); if (PhGetLoaderEntryDataZ(L"kernelbase.dll", &baseAddress, &sizeOfImage, &fileName)) { PhLoadModuleSymbolProvider(symbolProvider, fileName, baseAddress, sizeOfImage); PhDereferenceObject(fileName); } if (PhGetSymbolFromName(symbolProvider, L"GetAppModelPolicy", &symbolInfo)) { GetAppModelPolicy_I = symbolInfo.Address; } PhDereferenceObject(symbolProvider); PhEndInitOnce(&initOnce); } if (GetAppModelPolicy_I) { // GetAppModelPolicy doesn't perform range checks and will read out-of-bound // and return garbage if we ask it about a not-yet-supported policy type (diversenok) if ((PolicyType >= AppModelPolicy_Type_AppInstancingErrorBehavior && WindowsVersion < WINDOWS_11) || (PolicyType >= AppModelPolicy_Type_ComIntraPackageRpcCall && WindowsVersion < WINDOWS_10_20H1) || (PolicyType >= AppModelPolicy_Type_CodeIntegritySigning && WindowsVersion < WINDOWS_10_19H1) || (PolicyType >= AppModelPolicy_Type_ShellExecuteRetrieveIdentityFromCurrentProcess && WindowsVersion < WINDOWS_10_RS5) || (PolicyType >= AppModelPolicy_Type_ConsoleHandleInheritance && WindowsVersion < WINDOWS_10_RS4) || (PolicyType >= AppModelPolicy_Type_AdminProcessPackageClaims && WindowsVersion < WINDOWS_10_RS3) || (PolicyType >= AppModelPolicy_Type_IndexerProtocolHandlerHost && WindowsVersion < WINDOWS_10_RS2)) { return STATUS_INVALID_INFO_CLASS; } status = PhpGetAppModelPolicy(TokenHandle, PolicyType, PolicyValue); } else { status = STATUS_PROCEDURE_NOT_FOUND; } return status; } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhGetAppModelPolicySymbolDownloadThread( _In_ PVOID Context ) { AppModelPolicy_PolicyValue result; if (PhGetAppModelPolicy( PhGetOwnTokenAttributes().TokenHandle, AppModelPolicy_Type_DllSearchOrder, &result ) != STATUS_PROCEDURE_NOT_FOUND) { PostMessage(Context, WM_PH_APPMODEL_SYMBOL_RESULT, 0, TRUE); } else { PostMessage(Context, WM_PH_APPMODEL_SYMBOL_RESULT, 0, FALSE); } return STATUS_SUCCESS; } VOID PhEnumTokenAppModelPolicy( _In_ PTOKEN_PAGE_CONTEXT TokenPageContext ) { HANDLE TokenHandle; AppModelPolicy_PolicyValue result; if (!NT_SUCCESS(TokenPageContext->OpenObject( &TokenHandle, TOKEN_QUERY, TokenPageContext->Context // ProcessId ))) { return; } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_LifecycleManager, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"LifecycleManager")); switch (result) { case AppModelPolicy_LifecycleManager_Unmanaged: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Unmanaged")); break; case AppModelPolicy_LifecycleManager_ManagedByPLM: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ManagedByPLM")); break; case AppModelPolicy_LifecycleManager_ManagedByEM: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ManagedByEM")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_AppDataAccess, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"AppDataAccess")); switch (result) { case AppModelPolicy_AppDataAccess_Allowed: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Allowed")); break; case AppModelPolicy_AppDataAccess_Denied: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Denied")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_WindowingModel, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"WindowingModel")); switch (result) { case AppModelPolicy_WindowingModel_Hwnd: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Hwnd")); break; case AppModelPolicy_WindowingModel_CoreWindow: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"CoreWindow")); break; case AppModelPolicy_WindowingModel_LegacyPhone: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"LegacyPhone")); break; case AppModelPolicy_WindowingModel_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_DllSearchOrder, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"DllSearchOrder")); switch (result) { case AppModelPolicy_DllSearchOrder_Traditional: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Traditional")); break; case AppModelPolicy_DllSearchOrder_PackageGraphBased: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PackageGraphBased")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_Fusion, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"Fusion")); switch (result) { case AppModelPolicy_Fusion_Full: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Full")); break; case AppModelPolicy_Fusion_Limited: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Limited")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_NonWindowsCodecLoading, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"NonWindowsCodecLoading")); switch (result) { case AppModelPolicy_NonWindowsCodecLoading_Allowed: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Allowed")); break; case AppModelPolicy_NonWindowsCodecLoading_Denied: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Denied")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ProcessEnd, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ProcessEnd")); switch (result) { case AppModelPolicy_ProcessEnd_TerminateProcess: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"TerminateProcess")); break; case AppModelPolicy_ProcessEnd_ExitProcess: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ExitProcess")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_BeginThreadInit, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"BeginThreadInit")); switch (result) { case AppModelPolicy_BeginThreadInit_RoInitialize: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"RoInitialize")); break; case AppModelPolicy_BeginThreadInit_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_DeveloperInformation, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"DeveloperInformation")); switch (result) { case AppModelPolicy_DeveloperInformation_UI: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"UI")); break; case AppModelPolicy_DeveloperInformation_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_CreateFileAccess, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"CreateFileAccess")); switch (result) { case AppModelPolicy_CreateFileAccess_Full: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Full")); break; case AppModelPolicy_CreateFileAccess_Limited: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Limited")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ImplicitPackageBreakaway_Internal, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ImplicitPackageBreakaway")); switch (result) { case AppModelPolicy_ImplicitPackageBreakaway_Allowed: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Allowed")); break; case AppModelPolicy_ImplicitPackageBreakaway_Denied: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Denied")); break; case AppModelPolicy_ImplicitPackageBreakaway_DeniedByApp: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"DeniedByApp")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ProcessActivationShim, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ProcessActivationShim")); switch (result) { case AppModelPolicy_ProcessActivationShim_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_ProcessActivationShim_PackagedCWALauncher: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PackagedCWALauncher")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_AppKnownToStateRepository, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"AppKnownToStateRepository")); switch (result) { case AppModelPolicy_AppKnownToStateRepository_Known: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Known")); break; case AppModelPolicy_AppKnownToStateRepository_Unknown: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Unknown")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_AudioManagement, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"AudioManagement")); switch (result) { case AppModelPolicy_AudioManagement_Unmanaged: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Unmanaged")); break; case AppModelPolicy_AudioManagement_ManagedByPBM: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ManagedByPBM")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_PackageMayContainPublicComRegistrations, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"PackageMayContainPublicComRegistrations")); switch (result) { case AppModelPolicy_PackageMayContainPublicComRegistrations_Yes: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Yes")); break; case AppModelPolicy_PackageMayContainPublicComRegistrations_No: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"No")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_PackageMayContainPrivateComRegistrations, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"PackageMayContainPrivateComRegistrations")); switch (result) { case AppModelPolicy_PackageMayContainPrivateComRegistrations_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_PackageMayContainPrivateComRegistrations_PrivateHive: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PrivateHive")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_LaunchCreateProcessExtensions, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"LaunchCreateProcessExtensions")); switch (result) { case AppModelPolicy_LaunchCreateProcessExtensions_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_LaunchCreateProcessExtensions_RegisterWithPsm: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"RegisterWithPsm")); break; case AppModelPolicy_LaunchCreateProcessExtensions_RegisterWithDesktopAppX: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"RegisterWithDesktopAppX")); break; case AppModelPolicy_LaunchCreateProcessExtensions_RegisterWithDesktopAppXNoHeliumContainer: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"RegisterWithDesktopAppXNoHeliumContainer")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ClrCompat, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ClrCompat")); switch (result) { case AppModelPolicy_ClrCompat_Others: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Others")); break; case AppModelPolicy_ClrCompat_ClassicDesktop: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ClassicDesktop")); break; case AppModelPolicy_ClrCompat_Universal: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Universal")); break; case AppModelPolicy_ClrCompat_PackagedDesktop: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PackagedDesktop")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_LoaderIgnoreAlteredSearchForRelativePath, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"IgnoreAlteredSearchForRelativePath")); switch (result) { case AppModelPolicy_LoaderIgnoreAlteredSearchForRelativePath_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_LoaderIgnoreAlteredSearchForRelativePath_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ImplicitlyActivateClassicAAAServersAsIU, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ImplicitlyActivateClassicAAAServersAsIU")); switch (result) { case AppModelPolicy_ImplicitlyActivateClassicAAAServersAsIU_Yes: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Yes")); break; case AppModelPolicy_ImplicitlyActivateClassicAAAServersAsIU_No: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"No")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComClassicCatalog, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComClassicCatalog")); switch (result) { case AppModelPolicy_ComClassicCatalog_MachineHiveAndUserHive: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"MachineHiveAndUserHive")); break; case AppModelPolicy_ComClassicCatalog_MachineHiveOnly: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"MachineHiveOnly")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComUnmarshaling, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComUnmarshaling")); switch (result) { case AppModelPolicy_ComUnmarshaling_ForceStrongUnmarshaling: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ForceStrongUnmarshaling")); break; case AppModelPolicy_ComUnmarshaling_ApplicationManaged: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ApplicationManaged")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComAppLaunchPerfEnhancements, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComAppLaunchPerfEnhancements")); switch (result) { case AppModelPolicy_ComAppLaunchPerfEnhancements_Enabled: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Enabled")); break; case AppModelPolicy_ComAppLaunchPerfEnhancements_Disabled: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Disabled")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComSecurityInitialization, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComSecurityInitialization")); switch (result) { case AppModelPolicy_ComSecurityInitialization_ApplicationManaged: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ApplicationManaged")); break; case AppModelPolicy_ComSecurityInitialization_SystemManaged: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"SystemManaged")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_RoInitializeSingleThreadedBehavior, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"RoInitializeSingleThreadedBehavior")); switch (result) { case AppModelPolicy_RoInitializeSingleThreadedBehavior_ASTA: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ASTA")); break; case AppModelPolicy_RoInitializeSingleThreadedBehavior_STA: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"STA")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComDefaultExceptionHandling, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComDefaultExceptionHandling")); switch (result) { case AppModelPolicy_ComDefaultExceptionHandling_HandleAll: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"All")); break; case AppModelPolicy_ComDefaultExceptionHandling_HandleNone: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComOopProxyAgility, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComOopProxyAgility")); switch (result) { case AppModelPolicy_ComOopProxyAgility_Agile: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Agile")); break; case AppModelPolicy_ComOopProxyAgility_NonAgile: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"NonAgile")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_AppServiceLifetime, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"AppServiceLifetime")); switch (result) { case AppModelPolicy_AppServiceLifetime_StandardTimeout: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"StandardTimeout")); break; case AppModelPolicy_AppServiceLifetime_ExtensibleTimeout: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ExtensibleTimeout")); break; case AppModelPolicy_AppServiceLifetime_ExtendedForSamePackage: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ExtendedForSamePackage")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_WebPlatform, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"WebPlatform")); switch (result) { case AppModelPolicy_WebPlatform_Edge: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Edge")); break; case AppModelPolicy_WebPlatform_Legacy: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Legacy")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_WinInetStoragePartitioning, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"WinInetStoragePartitioning")); switch (result) { case AppModelPolicy_WinInetStoragePartitioning_Isolated: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Isolated")); break; case AppModelPolicy_WinInetStoragePartitioning_SharedWithAppContainer: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"SharedWithAppContainer")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_IndexerProtocolHandlerHost, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"IndexerProtocolHandlerHost")); switch (result) { case AppModelPolicy_IndexerProtocolHandlerHost_PerUser: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PerUser")); break; case AppModelPolicy_IndexerProtocolHandlerHost_PerApp: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PerApp")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_LoaderIncludeUserDirectories, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"LoaderIncludeUserDirectories")); switch (result) { case AppModelPolicy_LoaderIncludeUserDirectories_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_LoaderIncludeUserDirectories_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ConvertAppContainerToRestrictedAppContainer, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ConvertAppContainerToRestrictedAppContainer")); switch (result) { case AppModelPolicy_ConvertAppContainerToRestrictedAppContainer_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_ConvertAppContainerToRestrictedAppContainer_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_PackageMayContainPrivateMapiProvider, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"PackageMayContainPrivateMapiProvider")); switch (result) { case AppModelPolicy_PackageMayContainPrivateMapiProvider_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_PackageMayContainPrivateMapiProvider_PrivateHive: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PrivateHive")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_AdminProcessPackageClaims, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"AdminProcessPackageClaims")); switch (result) { case AppModelPolicy_AdminProcessPackageClaims_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_AdminProcessPackageClaims_Caller: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Caller")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_RegistryRedirectionBehavior, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"RegistryRedirectionBehavior")); switch (result) { case AppModelPolicy_RegistryRedirectionBehavior_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_RegistryRedirectionBehavior_CopyOnWrite: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"CopyOnWrite")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_BypassCreateProcessAppxExtension, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"BypassCreateProcessAppxExtension")); switch (result) { case AppModelPolicy_BypassCreateProcessAppxExtension_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_BypassCreateProcessAppxExtension_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_KnownFolderRedirection, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"KnownFolderRedirection")); switch (result) { case AppModelPolicy_KnownFolderRedirection_Isolated: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Isolated")); break; case AppModelPolicy_KnownFolderRedirection_RedirectToPackage: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"RedirectToPackage")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_PrivateActivateAsPackageWinrtClasses, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"PrivateActivateAsPackageWinrtClasses")); switch (result) { case AppModelPolicy_PrivateActivateAsPackageWinrtClasses_AllowNone: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"AllowNone")); break; case AppModelPolicy_PrivateActivateAsPackageWinrtClasses_AllowFullTrust: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"AllowFullTrust")); break; case AppModelPolicy_PrivateActivateAsPackageWinrtClasses_AllowNonFullTrust: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"AllowNonFullTrust")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_AppPrivateFolderRedirection, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"AppPrivateFolderRedirection")); switch (result) { case AppModelPolicy_AppPrivateFolderRedirection_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_AppPrivateFolderRedirection_AppPrivate: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"AppPrivate")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_GlobalSystemAppDataAccess, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"GlobalSystemAppDataAccess")); switch (result) { case AppModelPolicy_GlobalSystemAppDataAccess_Normal: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Normal")); break; case AppModelPolicy_GlobalSystemAppDataAccess_Virtualized: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Virtualized")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ConsoleHandleInheritance, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ConsoleHandleInheritance")); switch (result) { case AppModelPolicy_ConsoleHandleInheritance_ConsoleOnly: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ConsoleOnly")); break; case AppModelPolicy_ConsoleHandleInheritance_All: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"All")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ConsoleBufferAccess, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ConsoleBufferAccess")); switch (result) { case AppModelPolicy_ConsoleBufferAccess_RestrictedUnidirectional: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"RestrictedUnidirectional")); break; case AppModelPolicy_ConsoleBufferAccess_Unrestricted: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Unrestricted")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ConvertCallerTokenToUserTokenForDeployment, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ConvertCallerTokenToUserTokenForDeployment")); switch (result) { case AppModelPolicy_ConvertCallerTokenToUserTokenForDeployment_UserCallerToken: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"UserCallerToken")); break; case AppModelPolicy_ConvertCallerTokenToUserTokenForDeployment_ConvertTokenToUserToken: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"ConvertTokenToUserToken")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ShellExecuteRetrieveIdentityFromCurrentProcess, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ShellExecuteRetrieveIdentityFromCurrentProcess")); switch (result) { case AppModelPolicy_ShellExecuteRetrieveIdentityFromCurrentProcess_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_ShellExecuteRetrieveIdentityFromCurrentProcess_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_CodeIntegritySigning, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"CodeIntegritySigning")); switch (result) { case AppModelPolicy_CodeIntegritySigning_Default: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Default")); break; case AppModelPolicy_CodeIntegritySigning_OriginBased: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"OriginBased")); break; case AppModelPolicy_CodeIntegritySigning_OriginBasedForDev: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"OriginBasedForDev")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_PTCActivation, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"PTCActivation")); switch (result) { case AppModelPolicy_PTCActivation_Default: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Default")); break; case AppModelPolicy_PTCActivation_AllowActivationInBrokerForMediumILContainer: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"AllowActivationInBrokerForMediumIL")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComIntraPackageRpcCall, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComIntraPackageRpcCall")); switch (result) { case AppModelPolicy_Type_ComIntraPackageRpcCall_NoWake: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"NoWake")); break; case AppModelPolicy_Type_ComIntraPackageRpcCall_Wake: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Wake")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_LoadUser32ShimOnWindowsCoreOS, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"LoadUser32ShimOnWindowsCoreOS")); switch (result) { case AppModelPolicy_LoadUser32ShimOnWindowsCoreOS_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; case AppModelPolicy_LoadUser32ShimOnWindowsCoreOS_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_SecurityCapabilitiesOverride, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"SecurityCapabilitiesOverride")); switch (result) { case AppModelPolicy_SecurityCapabilitiesOverride_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_SecurityCapabilitiesOverride_PackageCapabilities: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PackageCapabilities")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_CurrentDirectoryOverride, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"CurrentDirectoryOverride")); switch (result) { case AppModelPolicy_CurrentDirectoryOverride_None: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"None")); break; case AppModelPolicy_CurrentDirectoryOverride_PackageInstallDirectory: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"PackageInstallDirectory")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ComTokenMatchingForAAAServers, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ComTokenMatching")); switch (result) { case AppModelPolicy_ComTokenMatchingForAAAServers_DontUseNtCompareTokens: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"DontUseNtCompareTokens")); break; case AppModelPolicy_ComTokenMatchingForAAAServers_UseNtCompareTokens: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"UseNtCompareTokens")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_UseOriginalFileNameInTokenFQBNAttribute, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"UseOriginalFileNameInTokenFQBN")); switch (result) { case AppModelPolicy_UseOriginalFileNameInTokenFQBNAttribute_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_UseOriginalFileNameInTokenFQBNAttribute_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_LoaderIncludeAlternateForwarders, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"LoaderIncludeAlternateForwarders")); switch (result) { case AppModelPolicy_LoaderIncludeAlternateForwarders_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_LoaderIncludeAlternateForwarders_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_PullPackageDependencyData, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"PullPackageDependencyData")); switch (result) { case AppModelPolicy_PullPackageDependencyData_False: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"False")); break; case AppModelPolicy_PullPackageDependencyData_True: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"True")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_AppInstancingErrorBehavior, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"AppInstancingErrorBehavior")); switch (result) { case AppModelPolicy_AppInstancingErrorBehavior_SuppressErrors: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"SuppressErrors")); break; case AppModelPolicy_AppInstancingErrorBehavior_RaiseErrors: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"RaiseErrors")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_BackgroundTaskRegistrationType, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"BackgroundTaskRegistrationType")); switch (result) { case AppModelPolicy_BackgroundTaskRegistrationType_Unsupported: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Unsupported")); break; case AppModelPolicy_BackgroundTaskRegistrationType_Manifested: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Manifested")); break; case AppModelPolicy_BackgroundTaskRegistrationType_Win32Clsid: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Win32Clsid")); break; } } if (NT_SUCCESS(PhGetAppModelPolicy(TokenHandle, AppModelPolicy_Type_ModsPowerNotification, &result))) { PPH_TOKEN_ATTRIBUTE_NODE node = PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, NULL, PhCreateString(L"ModsPowerNotification")); switch (result) { case AppModelPolicy_Type_ModsPowerNotification_Disabled: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Disabled")); break; case AppModelPolicy_Type_ModsPowerNotification_Enabled: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"Enabled")); break; case AppModelPolicy_Type_ModsPowerNotification_QueryDam: PhpAddAttributeNode(&TokenPageContext->AppPolicyTreeContext, node, PhCreateString(L"QueryDam")); break; } } TokenPageContext->CloseObject(TokenHandle, FALSE, TokenPageContext->Context); } #define SORT_FUNCTION(Column) PhpAppPolicyTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PhpAppPolicyTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_TOKEN_ATTRIBUTE_NODE node1 = *(PPH_TOKEN_ATTRIBUTE_NODE*)_elem1; \ PPH_TOKEN_ATTRIBUTE_NODE node2 = *(PPH_TOKEN_ATTRIBUTE_NODE*)_elem2; \ LONG sortResult = 0; #define END_SORT_FUNCTION \ if (sortResult == 0) \ sortResult = uintptrcmp((ULONG_PTR)node1->Node.Index, (ULONG_PTR)node2->Node.Index); \ \ return PhModifySort(sortResult, ((PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT)_context)->TreeNewSortOrder); \ } BEGIN_SORT_FUNCTION(Name) { sortResult = PhCompareStringWithNull(node1->Text, node2->Text, TRUE); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Value) { sortResult = PhCompareStringWithNull(node1->Text, node2->Text, TRUE); } END_SORT_FUNCTION BOOLEAN NTAPI PhpAppPolicyTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_TOKEN_ATTRIBUTE_TREE_CONTEXT context = Context; PPH_TOKEN_ATTRIBUTE_NODE node; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; node = (PPH_TOKEN_ATTRIBUTE_NODE)getChildren->Node; if (context->TreeNewSortOrder == NoSortOrder) { if (!node) { getChildren->Children = (PPH_TREENEW_NODE*)context->RootList->Items; getChildren->NumberOfChildren = context->RootList->Count; } else { getChildren->Children = (PPH_TREENEW_NODE*)node->Children->Items; getChildren->NumberOfChildren = node->Children->Count; } } else { if (!node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(Name), SORT_FUNCTION(Value) }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == 2, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < 2) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->RootList->Items, context->RootList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE*)context->RootList->Items; getChildren->NumberOfChildren = context->RootList->Count; } } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = Parameter1; node = (PPH_TOKEN_ATTRIBUTE_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = Parameter1; node = (PPH_TOKEN_ATTRIBUTE_NODE)getCellText->Node; if (getCellText->Id == 0) getCellText->Text = PhGetStringRef(node->Text); else if (getCellText->Id == 1) { if (PhIsNullOrEmptyString(node->Value)) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 64); for (ULONG i = 0; i < node->Children->Count; i++) { PhAppendStringBuilder(&stringBuilder, &((PPH_TOKEN_ATTRIBUTE_NODE)node->Children->Items[i])->Text->sr); PhAppendStringBuilder2(&stringBuilder, L", "); } if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); node->Value = PhFinalStringBuilderString(&stringBuilder); } getCellText->Text = PhGetStringRef(node->Value); } else return FALSE; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; // Force a rebuild to sort the items. TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': if (GetKeyState(VK_CONTROL) < 0) { PPH_STRING text; text = PhGetTreeNewText(WindowHandle, 0); PhSetClipboardString(WindowHandle, &text->sr); PhDereferenceObject(text); } break; } } return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = Parameter1; SendMessage(context->WindowHandle, WM_CONTEXTMENU, 0, (LPARAM)contextMenuEvent); } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = AscendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; } return FALSE; } static CONST PH_STRINGREF PhAppPolicyLoadingText = PH_STRINGREF_INIT(L"Initializing kernelbase symbols..."); static CONST PH_STRINGREF PhAppPolicyEmptyText = PH_STRINGREF_INIT(L"There are no policies to display."); INT_PTR CALLBACK PhpTokenAppPolicyPageProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PTOKEN_PAGE_CONTEXT tokenPageContext; HWND tnHandle; tokenPageContext = PhpTokenPageHeader(hwndDlg, uMsg, wParam, lParam); if (!tokenPageContext) return FALSE; tnHandle = GetDlgItem(hwndDlg, IDC_LIST); switch (uMsg) { case WM_INITDIALOG: { tokenPageContext->AppPolicyTreeContext.WindowHandle = hwndDlg; tokenPageContext->AppPolicyTreeContext.NodeList = PhCreateList(10); tokenPageContext->AppPolicyTreeContext.RootList = PhCreateList(10); PhSetControlTheme(tnHandle, L"explorer"); TreeNew_SetRedraw(tnHandle, FALSE); TreeNew_SetEmptyText(tnHandle, &PhAppPolicyLoadingText, 0); TreeNew_SetCallback(tnHandle, PhpAppPolicyTreeNewCallback, &tokenPageContext->AppPolicyTreeContext); PhAddTreeNewColumnEx2(tnHandle, 0, TRUE, L"Policy", 220, PH_ALIGN_LEFT, 0, 0, TN_COLUMN_FLAG_NODPISCALEONADD); PhAddTreeNewColumnEx2(tnHandle, 1, TRUE, L"Value", 150, PH_ALIGN_LEFT, 1, 0, TN_COLUMN_FLAG_NODPISCALEONADD); TreeNew_SetTriState(tnHandle, TRUE); TreeNew_SetRedraw(tnHandle, TRUE); PhCreateThread2(PhGetAppModelPolicySymbolDownloadThread, hwndDlg); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); } break; case WM_DESTROY: { PhpDeleteAttributeTreeContext(&tokenPageContext->AppPolicyTreeContext); } break; case WM_PH_APPMODEL_SYMBOL_RESULT: { BOOLEAN result = (BOOLEAN)lParam; if (result) { TreeNew_SetEmptyText(tnHandle, &PhAppPolicyEmptyText, 0); TreeNew_SetRedraw(tnHandle, FALSE); PhEnumTokenAppModelPolicy(tokenPageContext); TreeNew_NodesStructured(tnHandle); TreeNew_SetRedraw(tnHandle, TRUE); } else { TreeNew_SetEmptyText(tnHandle, &PhAppPolicyEmptyText, 0); } } break; case WM_CONTEXTMENU: { PPH_TREENEW_CONTEXT_MENU contextMenuEvent = (PPH_TREENEW_CONTEXT_MENU)lParam; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_TOKEN_ATTRIBUTE_NODE* attributeObjectNodes = NULL; ULONG numberOfAttributeObjectNodes = 0; if (!PhpGetSelectedAttributeTreeNodes(&tokenPageContext->AppPolicyTreeContext, &attributeObjectNodes, &numberOfAttributeObjectNodes)) break; if (numberOfAttributeObjectNodes != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, tnHandle, contextMenuEvent->Column); selectedItem = PhShowEMenu( menu, hwndDlg, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenuEvent->Location.x, contextMenuEvent->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX) { if (!PhHandleCopyCellEMenuItem(selectedItem)) { switch (selectedItem->Id) { case IDC_COPY: { PPH_STRING text; text = PhGetTreeNewText(tnHandle, 0); PhSetClipboardString(tnHandle, &text->sr); PhDereferenceObject(text); } break; } } } PhDestroyEMenu(menu); } PhFree(attributeObjectNodes); } break; } return FALSE; } ================================================ FILE: SystemInformer/usrlist.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025 * */ #include #include #include #include #include #include #include #include #include static NTSTATUS (NTAPI* LsaFreeReturnBuffer_I)( _In_ PVOID Buffer ) = NULL; static NTSTATUS (NTAPI* LsaEnumerateLogonSessions_I)( _Out_ PULONG LogonSessionCount, _Out_ PLUID* LogonSessionList ) = NULL; static NTSTATUS (NTAPI* LsaGetLogonSessionData_I)( _In_ PLUID LogonId, _Out_ PSECURITY_LOGON_SESSION_DATA* ppLogonSessionData ); // // Values for UserFlags. (ntscapi.h) // #define LOGON_GUEST 0x01 #define LOGON_NOENCRYPTION 0x02 #define LOGON_CACHED_ACCOUNT 0x04 #define LOGON_USED_LM_PASSWORD 0x08 #define LOGON_EXTRA_SIDS 0x20 #define LOGON_SUBAUTH_SESSION_KEY 0x40 #define LOGON_SERVER_TRUST_ACCOUNT 0x80 #define LOGON_NTLMV2_ENABLED 0x100 // says DC understands NTLMv2 #define LOGON_RESOURCE_GROUPS 0x200 #define LOGON_PROFILE_PATH_RETURNED 0x400 #define LOGON_NT_V2 0x800 // NT response was used for validation #define LOGON_LM_V2 0x1000 // LM response was used for validation #define LOGON_NTLM_V2 0x2000 // LM response was used to authenticate but NT response was used to derive the session key #define LOGON_OPTIMIZED 0x4000 // this is an optimized logon #define LOGON_WINLOGON 0x8000 // the logon session was created for winlogon #define LOGON_PKINIT 0x10000 // Kerberos PKINIT extension was used to authenticate the user #define LOGON_NO_OPTIMIZED 0x20000 // optimized logon has been disabled for this account #define LOGON_NO_ELEVATION 0x40000 // Do not allow elevation for this logon #define LOGON_MANAGED_SERVICE 0x80000 // Managed service account PPH_STRING PhpFormatUserFlags( _In_ ULONG UserFlags ) { #define PH_LSA_USER_FLAG(x, n) { TEXT(#x), x, FALSE, FALSE, n } static const PH_ACCESS_ENTRY userFlags[] = { PH_LSA_USER_FLAG(LOGON_GUEST, L"Guest"), PH_LSA_USER_FLAG(LOGON_NOENCRYPTION, L"No encryption"), PH_LSA_USER_FLAG(LOGON_CACHED_ACCOUNT, L"Cached account"), PH_LSA_USER_FLAG(LOGON_USED_LM_PASSWORD, L"Used LM password"), PH_LSA_USER_FLAG(LOGON_EXTRA_SIDS, L"Extra SIDs"), PH_LSA_USER_FLAG(LOGON_SUBAUTH_SESSION_KEY, L"Subauth session key"), PH_LSA_USER_FLAG(LOGON_SERVER_TRUST_ACCOUNT, L"Server trust account"), PH_LSA_USER_FLAG(LOGON_NTLMV2_ENABLED, L"NTLMv2 enabled"), PH_LSA_USER_FLAG(LOGON_RESOURCE_GROUPS, L"Resource groups"), PH_LSA_USER_FLAG(LOGON_PROFILE_PATH_RETURNED, L"Profile path returned"), PH_LSA_USER_FLAG(LOGON_NT_V2, L"NTv2"), PH_LSA_USER_FLAG(LOGON_LM_V2, L"LMv2"), PH_LSA_USER_FLAG(LOGON_NTLM_V2, L"NTLMv2"), PH_LSA_USER_FLAG(LOGON_OPTIMIZED, L"Optimized"), PH_LSA_USER_FLAG(LOGON_WINLOGON, L"WinLogon created"), PH_LSA_USER_FLAG(LOGON_PKINIT, L"Keberos"), PH_LSA_USER_FLAG(LOGON_NO_OPTIMIZED, L"Not optimized"), PH_LSA_USER_FLAG(LOGON_NO_ELEVATION, L"No elevation"), PH_LSA_USER_FLAG(LOGON_MANAGED_SERVICE, L"Managed service"), }; PH_FORMAT format[4]; PPH_STRING string; string = PhGetAccessString(UserFlags, (PPH_ACCESS_ENTRY)userFlags, RTL_NUMBER_OF(userFlags)); PhInitFormatSR(&format[0], string->sr); PhInitFormatS(&format[1], L" (0x"); PhInitFormatX(&format[2], UserFlags); PhInitFormatS(&format[3], L")"); PhMoveReference(&string, PhFormat(format, 4, 10)); return string; } typedef enum _PH_USER_LIST_COLUMN { PH_USER_LIST_COLUMN_LOGON_ID, PH_USER_LIST_COLUMN_USER_NAME, PH_USER_LIST_COLUMN_LOGON_DOMAIN, PH_USER_LIST_COLUMN_AUTHENTICATION_PACKAGE, PH_USER_LIST_COLUMN_LOGON_TYPE, PH_USER_LIST_COLUMN_SESSION_ID, PH_USER_LIST_COLUMN_SID, PH_USER_LIST_COLUMN_LOGON_TIME, PH_USER_LIST_COLUMN_LOGON_SERVER, PH_USER_LIST_COLUMN_DNS_DOMAIN_NAME, PH_USER_LIST_COLUMN_USER_PRINCIPAL_NAME, PH_USER_LIST_COLUMN_USER_FLAGS, PH_USER_LIST_COLUMN_FAILED_ATTEMPTS_SINCE_LAST_SUCCESSFUL_LOGON, PH_USER_LIST_COLUMN_LAST_SUCCESSFUL_LOGON, PH_USER_LIST_COLUMN_LAST_FAILED_LOGON, PH_USER_LIST_COLUMN_LOGON_SCRIPT, PH_USER_LIST_COLUMN_PROFILE_PATH, PH_USER_LIST_COLUMN_HOME_DIRECTORY, PH_USER_LIST_COLUMN_HOME_DIRECTORY_DRIVE, PH_USER_LIST_COLUMN_LOGOFF_TIME, PH_USER_LIST_COLUMN_KICKOFF_TIME, PH_USER_LIST_COLUMN_PASSWORD_LAST_SET, PH_USER_LIST_COLUMN_PASSWORD_CAN_CHANGE, PH_USER_LIST_COLUMN_PASSWORD_MUST_CHANGE, PH_USER_LIST_COLUMN_MAXIMUM, } PH_USER_LIST_COLUMN; typedef struct _PH_USER_NODE { PH_TREENEW_NODE Node; LUID LogonId; PPH_STRING UserName; PPH_STRING LogonDomain; PPH_STRING AuthenticationPackage; SECURITY_LOGON_TYPE LogonType; ULONG SessionId; PPH_STRING Sid; LARGE_INTEGER LogonTime; PPH_STRING LogonServer; PPH_STRING DnsDomainName; PPH_STRING UserPrincipalName; ULONG UserFlags; ULONG FailedAttemptsSinceLastSuccessfulLogon; LARGE_INTEGER LastSuccessfulLogon; LARGE_INTEGER LastFailedLogon; PPH_STRING LogonScript; PPH_STRING ProfilePath; PPH_STRING HomeDirectory; PPH_STRING HomeDirectoryDrive; LARGE_INTEGER LogoffTime; LARGE_INTEGER KickOffTime; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER PasswordCanChange; LARGE_INTEGER PasswordMustChange; WCHAR LogonIdText[PH_PTR_STR_LEN_1]; PPH_STRING SessionIdText; PPH_STRING LogonTimeText; PPH_STRING UserFlagsText; PPH_STRING FailedAttemptsSinceLastSuccessfulLogonText; PPH_STRING LastSuccessfulLogonText; PPH_STRING LastFailedLogonText; PPH_STRING LogoffTimeText; PPH_STRING KickOffTimeText; PPH_STRING PasswordLastSetText; PPH_STRING PasswordCanChangeText; PPH_STRING PasswordMustChangeText; PH_STRINGREF TextCache[PH_USER_LIST_COLUMN_MAXIMUM]; } PH_USER_NODE, *PPH_USER_NODE; typedef struct _PH_USER_LIST_CONTEXT { HWND WindowHandle; HWND ParentWindowHandle; HWND TreeNewHandle; HWND MessageHandle; HWND SearchWindowHandle; ULONG_PTR SearchMatchHandle; PH_LAYOUT_MANAGER LayoutManager; PH_TN_FILTER_SUPPORT FilterSupport; RECT MinimumSize; ULONG TreeNewSortColumn; PH_SORT_ORDER TreeNewSortOrder; PPH_LIST NodeList; } PH_USER_LIST_CONTEXT, *PPH_USER_LIST_CONTEXT; VOID PhpDeleteUserNode( _In_ PPH_USER_NODE User ) { PhClearReference(&User->UserName); PhClearReference(&User->LogonDomain); PhClearReference(&User->AuthenticationPackage); PhClearReference(&User->Sid); PhClearReference(&User->LogonServer); PhClearReference(&User->DnsDomainName); PhClearReference(&User->UserPrincipalName); PhClearReference(&User->LogonScript); PhClearReference(&User->ProfilePath); PhClearReference(&User->HomeDirectory); PhClearReference(&User->HomeDirectoryDrive); PhClearReference(&User->SessionIdText); PhClearReference(&User->LogonTimeText); PhClearReference(&User->UserFlagsText); PhClearReference(&User->FailedAttemptsSinceLastSuccessfulLogonText); PhClearReference(&User->LastSuccessfulLogonText); PhClearReference(&User->LastFailedLogonText); PhClearReference(&User->LogoffTimeText); PhClearReference(&User->KickOffTimeText); PhClearReference(&User->PasswordLastSetText); PhClearReference(&User->PasswordCanChangeText); PhClearReference(&User->PasswordMustChangeText); } PPH_USER_NODE PhpCreateUserNode( _In_ PPH_USER_LIST_CONTEXT Context, _In_ PSECURITY_LOGON_SESSION_DATA LogonSessionData ) { PPH_USER_NODE user; user = PhAllocateZero(sizeof(PH_USER_NODE)); PhInitializeTreeNewNode(&user->Node); memset(user->TextCache, 0, sizeof(PH_STRINGREF) * PH_USER_LIST_COLUMN_MAXIMUM); user->Node.TextCache = user->TextCache; user->Node.TextCacheSize = PH_USER_LIST_COLUMN_MAXIMUM; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LogonId)) user->LogonId = LogonSessionData->LogonId; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, UserName)) user->UserName = PhCreateStringFromUnicodeString(&LogonSessionData->UserName); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LogonDomain)) user->LogonDomain = PhCreateStringFromUnicodeString(&LogonSessionData->LogonDomain); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, AuthenticationPackage)) user->AuthenticationPackage = PhCreateStringFromUnicodeString(&LogonSessionData->AuthenticationPackage); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LogonType)) user->LogonType = LogonSessionData->LogonType; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, Session)) user->SessionId = LogonSessionData->Session; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, Sid)) user->Sid = PhSidToStringSid(LogonSessionData->Sid); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LogonTime)) user->LogonTime = LogonSessionData->LogonTime; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LogonServer)) user->LogonServer = PhCreateStringFromUnicodeString(&LogonSessionData->LogonServer); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, DnsDomainName)) user->DnsDomainName = PhCreateStringFromUnicodeString(&LogonSessionData->DnsDomainName); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, Upn)) user->UserPrincipalName = PhCreateStringFromUnicodeString(&LogonSessionData->Upn); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, UserFlags)) user->UserFlags = LogonSessionData->UserFlags; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LastLogonInfo)) { user->FailedAttemptsSinceLastSuccessfulLogon = LogonSessionData->LastLogonInfo.FailedAttemptCountSinceLastSuccessfulLogon; user->LastSuccessfulLogon = LogonSessionData->LastLogonInfo.LastSuccessfulLogon; user->LastFailedLogon = LogonSessionData->LastLogonInfo.LastFailedLogon; } if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LogonScript)) user->LogonScript = PhCreateStringFromUnicodeString(&LogonSessionData->LogonScript); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, ProfilePath)) user->ProfilePath = PhCreateStringFromUnicodeString(&LogonSessionData->ProfilePath); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, HomeDirectory)) user->HomeDirectory = PhCreateStringFromUnicodeString(&LogonSessionData->HomeDirectory); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, HomeDirectoryDrive)) user->HomeDirectoryDrive = PhCreateStringFromUnicodeString(&LogonSessionData->HomeDirectoryDrive); if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, LogoffTime)) user->LogoffTime = LogonSessionData->LogoffTime; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, KickOffTime)) user->KickOffTime = LogonSessionData->KickOffTime; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, PasswordLastSet)) user->PasswordLastSet = LogonSessionData->PasswordLastSet; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, PasswordCanChange)) user->PasswordCanChange = LogonSessionData->PasswordCanChange; if (RTL_CONTAINS_FIELD(LogonSessionData, LogonSessionData->Size, PasswordMustChange)) user->PasswordMustChange = LogonSessionData->PasswordMustChange; if (Context->FilterSupport.NodeList) user->Node.Visible = PhApplyTreeNewFiltersToNode(&Context->FilterSupport, &user->Node); return user; } _Function_class_(PH_TN_FILTER_FUNCTION) BOOLEAN PhpUserListTreeFilterCallback( _In_ PPH_TREENEW_NODE Node, _In_opt_ PVOID Context ) { PPH_USER_LIST_CONTEXT context = Context; PPH_USER_NODE user = (PPH_USER_NODE)Node; assert(Context); if (!context->SearchMatchHandle) return TRUE; if (PhSearchControlMatchLongHintZ(context->SearchMatchHandle, user->LogonIdText)) return TRUE; if (user->UserName && PhSearchControlMatch(context->SearchMatchHandle, &user->UserName->sr)) return TRUE; if (user->LogonDomain && PhSearchControlMatch(context->SearchMatchHandle, &user->LogonDomain->sr)) return TRUE; if (user->AuthenticationPackage && PhSearchControlMatch(context->SearchMatchHandle, &user->AuthenticationPackage->sr)) return TRUE; if (user->LogonTimeText && PhSearchControlMatch(context->SearchMatchHandle, &user->LogonTimeText->sr)) return TRUE; if (user->SessionIdText && PhSearchControlMatch(context->SearchMatchHandle, &user->SessionIdText->sr)) return TRUE; if (user->Sid && PhSearchControlMatch(context->SearchMatchHandle, &user->Sid->sr)) return TRUE; if (user->LogoffTimeText && PhSearchControlMatch(context->SearchMatchHandle, &user->LogoffTimeText->sr)) return TRUE; if (user->LogonServer && PhSearchControlMatch(context->SearchMatchHandle, &user->LogonServer->sr)) return TRUE; if (user->DnsDomainName && PhSearchControlMatch(context->SearchMatchHandle, &user->DnsDomainName->sr)) return TRUE; if (user->UserPrincipalName && PhSearchControlMatch(context->SearchMatchHandle, &user->UserPrincipalName->sr)) return TRUE; if (user->UserFlagsText && PhSearchControlMatch(context->SearchMatchHandle, &user->UserFlagsText->sr)) return TRUE; if (user->FailedAttemptsSinceLastSuccessfulLogonText && PhSearchControlMatch(context->SearchMatchHandle, &user->FailedAttemptsSinceLastSuccessfulLogonText->sr)) return TRUE; if (user->LastSuccessfulLogonText && PhSearchControlMatch(context->SearchMatchHandle, &user->LastSuccessfulLogonText->sr)) return TRUE; if (user->LastFailedLogonText && PhSearchControlMatch(context->SearchMatchHandle, &user->LastFailedLogonText->sr)) return TRUE; if (user->LogonScript && PhSearchControlMatch(context->SearchMatchHandle, &user->LogonScript->sr)) return TRUE; if (user->ProfilePath && PhSearchControlMatch(context->SearchMatchHandle, &user->ProfilePath->sr)) return TRUE; if (user->HomeDirectory && PhSearchControlMatch(context->SearchMatchHandle, &user->HomeDirectory->sr)) return TRUE; if (user->HomeDirectoryDrive && PhSearchControlMatch(context->SearchMatchHandle, &user->HomeDirectoryDrive->sr)) return TRUE; if (user->LogoffTimeText && PhSearchControlMatch(context->SearchMatchHandle, &user->LogoffTimeText->sr)) return TRUE; if (user->KickOffTimeText && PhSearchControlMatch(context->SearchMatchHandle, &user->KickOffTimeText->sr)) return TRUE; if (user->PasswordLastSetText && PhSearchControlMatch(context->SearchMatchHandle, &user->PasswordLastSetText->sr)) return TRUE; if (user->PasswordCanChangeText && PhSearchControlMatch(context->SearchMatchHandle, &user->PasswordCanChangeText->sr)) return TRUE; if (user->PasswordMustChangeText && PhSearchControlMatch(context->SearchMatchHandle, &user->PasswordMustChangeText->sr)) return TRUE; return FALSE; } VOID PhpDeleteUserListTree( _In_ PPH_USER_LIST_CONTEXT Context ) { if (Context->NodeList) { for (ULONG i = 0; i < Context->NodeList->Count; i++) { PhpDeleteUserNode(Context->NodeList->Items[i]); } PhDereferenceObject(Context->NodeList); Context->NodeList = NULL; } PhDeleteTreeNewFilterSupport(&Context->FilterSupport); } VOID PhpUserListRefresh( _In_ PPH_USER_LIST_CONTEXT Context ) { NTSTATUS status; ULONG logonSessionCount; PLUID logonSessionList; PH_FORMAT format[2]; PPH_STRING message; TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); PhpDeleteUserListTree(Context); Context->NodeList = PhCreateList(1); PhInitializeTreeNewFilterSupport(&Context->FilterSupport, Context->TreeNewHandle, Context->NodeList); PhAddTreeNewFilter(&Context->FilterSupport, PhpUserListTreeFilterCallback, Context); if (NT_SUCCESS(status = LsaEnumerateLogonSessions_I(&logonSessionCount, &logonSessionList))) { for (ULONG i = 0; i < logonSessionCount; i++) { PSECURITY_LOGON_SESSION_DATA logonSessionData; if (NT_SUCCESS(status = LsaGetLogonSessionData_I(&logonSessionList[i], &logonSessionData))) { PhAddItemList(Context->NodeList, PhpCreateUserNode(Context, logonSessionData)); LsaFreeReturnBuffer_I(logonSessionData); } } LsaFreeReturnBuffer_I(logonSessionList); } PhInitFormatS(&format[0], L"Number of users: "); PhInitFormatU(&format[1], Context->NodeList->Count); message = PhFormat(format, 2, 10); SetWindowText(Context->MessageHandle, message->Buffer); PhDereferenceObject(message); TreeNew_NodesStructured(Context->TreeNewHandle); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); } BOOLEAN PhpGetSelectedUserListNodes( _In_ PPH_USER_LIST_CONTEXT Context, _Out_ PPH_USER_NODE** Nodes, _Out_ PULONG NumberOfNodes ) { PPH_LIST list = PhCreateList(2); for (ULONG i = 0; i < Context->NodeList->Count; i++) { PPH_USER_NODE node = (PPH_USER_NODE)Context->NodeList->Items[i]; if (node->Node.Selected) PhAddItemList(list, node); } if (list->Count) { *Nodes = PhAllocateCopy(list->Items, sizeof(PVOID) * list->Count); *NumberOfNodes = list->Count; PhDereferenceObject(list); return TRUE; } *Nodes = NULL; *NumberOfNodes = 0; PhDereferenceObject(list); return FALSE; } #define SORT_FUNCTION(Column) PvpUserListTreeNewCompare##Column #define BEGIN_SORT_FUNCTION(Column) static int __cdecl PvpUserListTreeNewCompare##Column( \ _In_ void *_context, \ _In_ const void *_elem1, \ _In_ const void *_elem2 \ ) \ { \ PPH_USER_NODE node1 = *(PPH_USER_NODE *)_elem1; \ PPH_USER_NODE node2 = *(PPH_USER_NODE *)_elem2; \ PPH_USER_LIST_CONTEXT context = _context; int sortResult = 0; #define END_SORT_FUNCTION \ return PhModifySort(sortResult, context->TreeNewSortOrder); \ } BEGIN_SORT_FUNCTION(LogonId) { sortResult = uintcmp(node1->LogonId.LowPart, node2->LogonId.LowPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserName) { sortResult = PhCompareStringWithNullSortOrder( node1->UserName, node2->UserName, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LogonDomain) { sortResult = PhCompareStringWithNullSortOrder( node1->LogonDomain, node2->LogonDomain, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(AuthenticationPackage) { sortResult = PhCompareStringWithNullSortOrder( node1->AuthenticationPackage, node2->AuthenticationPackage, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LogonType) { sortResult = uintcmp(node1->LogonType, node2->LogonType); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Session) { sortResult = uintcmp(node1->SessionId, node2->SessionId); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(Sid) { sortResult = PhCompareStringWithNullSortOrder( node1->Sid, node2->Sid, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LogonTime) { sortResult = int64cmp(node1->LogonTime.QuadPart, node2->LogonTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LogonServer) { sortResult = PhCompareStringWithNullSortOrder( node1->LogonServer, node2->LogonServer, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(DnsDomainName) { sortResult = PhCompareStringWithNullSortOrder( node1->DnsDomainName, node2->DnsDomainName, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserPrincipalName) { sortResult = PhCompareStringWithNullSortOrder( node1->UserPrincipalName, node2->UserPrincipalName, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(UserFlags) { sortResult = uintcmp(node1->UserFlags, node2->UserFlags); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(FailedAttemptsSinceLastSuccessfulLogon) { sortResult = uintcmp(node1->FailedAttemptsSinceLastSuccessfulLogon, node2->FailedAttemptsSinceLastSuccessfulLogon); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LastSuccessfulLogon) { sortResult = int64cmp(node1->LastSuccessfulLogon.QuadPart, node2->LastSuccessfulLogon.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LastFailedLogon) { sortResult = int64cmp(node1->LastFailedLogon.QuadPart, node2->LastFailedLogon.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LogonScript) { sortResult = PhCompareStringWithNullSortOrder( node1->LogonScript, node2->LogonScript, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(ProfilePath) { sortResult = PhCompareStringWithNullSortOrder( node1->ProfilePath, node2->ProfilePath, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(HomeDirectory) { sortResult = PhCompareStringWithNullSortOrder( node1->HomeDirectory, node2->HomeDirectory, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(HomeDirectoryDrive) { sortResult = PhCompareStringWithNullSortOrder( node1->HomeDirectoryDrive, node2->HomeDirectoryDrive, context->TreeNewSortOrder, TRUE ); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(LogoffTime) { sortResult = int64cmp(node1->LogoffTime.QuadPart, node2->LogoffTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(KickOffTime) { sortResult = int64cmp(node1->KickOffTime.QuadPart, node2->KickOffTime.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PasswordLastSet) { sortResult = int64cmp(node1->PasswordLastSet.QuadPart, node2->PasswordLastSet.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PasswordCanChange) { sortResult = int64cmp(node1->PasswordCanChange.QuadPart, node2->PasswordCanChange.QuadPart); } END_SORT_FUNCTION BEGIN_SORT_FUNCTION(PasswordMustChange) { sortResult = int64cmp(node1->PasswordMustChange.QuadPart, node2->PasswordMustChange.QuadPart); } END_SORT_FUNCTION BOOLEAN NTAPI PhpUserListTreeNewCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_ PVOID Parameter1, _In_ PVOID Parameter2, _In_ PVOID Context ) { PPH_USER_LIST_CONTEXT context = Context; PPH_USER_NODE user; switch (Message) { case TreeNewGetChildren: { PPH_TREENEW_GET_CHILDREN getChildren = Parameter1; user = (PPH_USER_NODE)getChildren->Node; if (!getChildren->Node) { static _CoreCrtSecureSearchSortCompareFunction sortFunctions[] = { SORT_FUNCTION(LogonId), SORT_FUNCTION(UserName), SORT_FUNCTION(LogonDomain), SORT_FUNCTION(AuthenticationPackage), SORT_FUNCTION(LogonType), SORT_FUNCTION(Session), SORT_FUNCTION(Sid), SORT_FUNCTION(LogonTime), SORT_FUNCTION(LogonServer), SORT_FUNCTION(DnsDomainName), SORT_FUNCTION(UserPrincipalName), SORT_FUNCTION(UserFlags), SORT_FUNCTION(FailedAttemptsSinceLastSuccessfulLogon), SORT_FUNCTION(LastSuccessfulLogon), SORT_FUNCTION(LastFailedLogon), SORT_FUNCTION(LogonScript), SORT_FUNCTION(ProfilePath), SORT_FUNCTION(HomeDirectory), SORT_FUNCTION(HomeDirectoryDrive), SORT_FUNCTION(LogoffTime), SORT_FUNCTION(KickOffTime), SORT_FUNCTION(PasswordLastSet), SORT_FUNCTION(PasswordCanChange), SORT_FUNCTION(PasswordMustChange), }; _CoreCrtSecureSearchSortCompareFunction sortFunction; static_assert(RTL_NUMBER_OF(sortFunctions) == PH_USER_LIST_COLUMN_MAXIMUM, "SortFunctions must equal maximum."); if (context->TreeNewSortColumn < PH_USER_LIST_COLUMN_MAXIMUM) sortFunction = sortFunctions[context->TreeNewSortColumn]; else sortFunction = NULL; if (sortFunction) { qsort_s(context->NodeList->Items, context->NodeList->Count, sizeof(PVOID), sortFunction, context); } getChildren->Children = (PPH_TREENEW_NODE *)context->NodeList->Items; getChildren->NumberOfChildren = context->NodeList->Count; } } return TRUE; case TreeNewIsLeaf: { PPH_TREENEW_IS_LEAF isLeaf = (PPH_TREENEW_IS_LEAF)Parameter1; user = (PPH_USER_NODE)isLeaf->Node; isLeaf->IsLeaf = TRUE; } return TRUE; case TreeNewGetCellText: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)Parameter1; user = (PPH_USER_NODE)getCellText->Node; switch (getCellText->Id) { case PH_USER_LIST_COLUMN_LOGON_ID: PhPrintPointer(user->LogonIdText, UlongToPtr(user->LogonId.LowPart)); PhInitializeStringRefLongHint(&getCellText->Text, user->LogonIdText); break; case PH_USER_LIST_COLUMN_USER_NAME: getCellText->Text = PhGetStringRef(user->UserName); break; case PH_USER_LIST_COLUMN_LOGON_DOMAIN: getCellText->Text = PhGetStringRef(user->LogonDomain); break; case PH_USER_LIST_COLUMN_AUTHENTICATION_PACKAGE: getCellText->Text = PhGetStringRef(user->AuthenticationPackage); break; case PH_USER_LIST_COLUMN_LOGON_TYPE: switch (user->LogonType) { case UndefinedLogonType: PhInitializeStringRef(&getCellText->Text, L"Undefined"); break; case Interactive: PhInitializeStringRef(&getCellText->Text, L"Interactive"); break; case Network: PhInitializeStringRef(&getCellText->Text, L"Network"); break; case Batch: PhInitializeStringRef(&getCellText->Text, L"Batch"); break; case Service: PhInitializeStringRef(&getCellText->Text, L"Service"); break; case Proxy: PhInitializeStringRef(&getCellText->Text, L"Proxy"); break; case Unlock: PhInitializeStringRef(&getCellText->Text, L"Unlock"); break; case NetworkCleartext: PhInitializeStringRef(&getCellText->Text, L"Network cleartext"); break; case NewCredentials: PhInitializeStringRef(&getCellText->Text, L"New credentials"); break; case RemoteInteractive: PhInitializeStringRef(&getCellText->Text, L"Remote interactive"); break; case CachedInteractive: PhInitializeStringRef(&getCellText->Text, L"Cached interactive"); break; case CachedRemoteInteractive: PhInitializeStringRef(&getCellText->Text, L"Cached remote interactive"); break; case CachedUnlock: PhInitializeStringRef(&getCellText->Text, L"Cached unlock"); break; default: break; } break; case PH_USER_LIST_COLUMN_SESSION_ID: PhMoveReference(&user->SessionIdText, PhFormatUInt64(user->SessionId, TRUE)); getCellText->Text = user->SessionIdText->sr; break; case PH_USER_LIST_COLUMN_SID: getCellText->Text = PhGetStringRef(user->Sid); break; case PH_USER_LIST_COLUMN_LOGON_TIME: { if (user->LogonTime.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->LogonTime); PhMoveReference(&user->LogonTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->LogonTimeText); } } break; case PH_USER_LIST_COLUMN_LOGON_SERVER: getCellText->Text = PhGetStringRef(user->LogonServer); break; case PH_USER_LIST_COLUMN_DNS_DOMAIN_NAME: getCellText->Text = PhGetStringRef(user->DnsDomainName); break; case PH_USER_LIST_COLUMN_USER_PRINCIPAL_NAME: getCellText->Text = PhGetStringRef(user->UserPrincipalName); break; case PH_USER_LIST_COLUMN_USER_FLAGS: { if (user->UserFlags) { user->UserFlagsText = PhpFormatUserFlags(user->UserFlags); getCellText->Text = user->UserFlagsText->sr; } } break; case PH_USER_LIST_COLUMN_FAILED_ATTEMPTS_SINCE_LAST_SUCCESSFUL_LOGON: PhMoveReference(&user->FailedAttemptsSinceLastSuccessfulLogonText, PhFormatUInt64(user->FailedAttemptsSinceLastSuccessfulLogon, TRUE)); getCellText->Text = user->FailedAttemptsSinceLastSuccessfulLogonText->sr; break; case PH_USER_LIST_COLUMN_LAST_SUCCESSFUL_LOGON: { if (user->LastSuccessfulLogon.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->LastSuccessfulLogon); PhMoveReference(&user->LastSuccessfulLogonText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->LastSuccessfulLogonText); } } break; case PH_USER_LIST_COLUMN_LAST_FAILED_LOGON: { if (user->LastFailedLogon.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->LastFailedLogon); PhMoveReference(&user->LastFailedLogonText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->LastFailedLogonText); } } break; case PH_USER_LIST_COLUMN_LOGON_SCRIPT: getCellText->Text = PhGetStringRef(user->LogonScript); break; case PH_USER_LIST_COLUMN_PROFILE_PATH: getCellText->Text = PhGetStringRef(user->ProfilePath); break; case PH_USER_LIST_COLUMN_HOME_DIRECTORY: getCellText->Text = PhGetStringRef(user->HomeDirectory); break; case PH_USER_LIST_COLUMN_HOME_DIRECTORY_DRIVE: getCellText->Text = PhGetStringRef(user->HomeDirectoryDrive); break; case PH_USER_LIST_COLUMN_LOGOFF_TIME: { if (user->LogoffTime.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->LogoffTime); PhMoveReference(&user->LogoffTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->LogoffTimeText); } } break; case PH_USER_LIST_COLUMN_KICKOFF_TIME: { if (user->KickOffTime.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->KickOffTime); PhMoveReference(&user->KickOffTimeText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->KickOffTimeText); } } break; case PH_USER_LIST_COLUMN_PASSWORD_LAST_SET: { if (user->PasswordLastSet.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->PasswordLastSet); PhMoveReference(&user->PasswordLastSetText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->PasswordLastSetText); } } break; case PH_USER_LIST_COLUMN_PASSWORD_CAN_CHANGE: { if (user->PasswordCanChange.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->PasswordCanChange); PhMoveReference(&user->PasswordCanChangeText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->PasswordCanChangeText); } } break; case PH_USER_LIST_COLUMN_PASSWORD_MUST_CHANGE: { if (user->PasswordMustChange.QuadPart != 0) { SYSTEMTIME systemTime; PhLargeIntegerToLocalSystemTime(&systemTime, &user->PasswordMustChange); PhMoveReference(&user->PasswordMustChangeText, PhFormatDateTime(&systemTime)); getCellText->Text = PhGetStringRef(user->PasswordMustChangeText); } } break; default: return FALSE; } getCellText->Flags = TN_CACHE; } return TRUE; case TreeNewGetNodeColor: { PPH_TREENEW_GET_NODE_COLOR getNodeColor = (PPH_TREENEW_GET_NODE_COLOR)Parameter1; user = (PPH_USER_NODE)getNodeColor->Node; getNodeColor->Flags = TN_CACHE | TN_AUTO_FORECOLOR; } return TRUE; case TreeNewSortChanged: { PPH_TREENEW_SORT_CHANGED_EVENT sorting = Parameter1; context->TreeNewSortColumn = sorting->SortColumn; context->TreeNewSortOrder = sorting->SortOrder; TreeNew_NodesStructured(WindowHandle); } return TRUE; case TreeNewKeyDown: { PPH_TREENEW_KEY_EVENT keyEvent = Parameter1; switch (keyEvent->VirtualKey) { case 'C': { if (GetKeyState(VK_CONTROL) < 0) { PPH_STRING text; text = PhGetTreeNewText(WindowHandle, 0); PhSetClipboardString(WindowHandle, &text->sr); PhDereferenceObject(text); } } break; case 'A': if (GetKeyState(VK_CONTROL) < 0) TreeNew_SelectRange(context->TreeNewHandle, 0, -1); break; } } return TRUE; case TreeNewNodeExpanding: return TRUE; case TreeNewLeftDoubleClick: return TRUE; case TreeNewContextMenu: { PPH_TREENEW_CONTEXT_MENU contextMenu = Parameter1; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; PPH_USER_NODE* userNodes = NULL; ULONG numberOfNodes = 0; if (!PhpGetSelectedUserListNodes(context, &userNodes, &numberOfNodes)) break; if (numberOfNodes != 0) { menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, IDC_COPY, L"Copy", NULL, NULL), ULONG_MAX); PhInsertCopyCellEMenuItem(menu, IDC_COPY, context->TreeNewHandle, contextMenu->Column); selectedItem = PhShowEMenu( menu, WindowHandle, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, contextMenu->Location.x, contextMenu->Location.y ); if (selectedItem && selectedItem->Id != ULONG_MAX && !PhHandleCopyCellEMenuItem(selectedItem)) { if (selectedItem->Id == IDC_COPY) { PPH_STRING text; text = PhGetTreeNewText(context->TreeNewHandle, 0); PhSetClipboardString(context->TreeNewHandle, &text->sr); PhDereferenceObject(text); } } PhDestroyEMenu(menu); PhFree(userNodes); } } return TRUE; case TreeNewHeaderRightClick: { PH_TN_COLUMN_MENU_DATA data; data.TreeNewHandle = WindowHandle; data.MouseEvent = Parameter1; data.DefaultSortColumn = 0; data.DefaultSortOrder = AscendingSortOrder; PhInitializeTreeNewColumnMenuEx(&data, PH_TN_COLUMN_MENU_SHOW_RESET_SORT); data.Selection = PhShowEMenu(data.Menu, WindowHandle, PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, data.MouseEvent->ScreenLocation.x, data.MouseEvent->ScreenLocation.y); PhHandleTreeNewColumnMenu(&data); PhDeleteTreeNewColumnMenu(&data); } return TRUE; } return FALSE; } VOID PhpUserListLoadSettingsTreeList( _Inout_ PPH_USER_LIST_CONTEXT Context ) { PPH_STRING settings; settings = PhGetStringSetting(SETTING_USER_LIST_TREE_LIST_COLUMNS); PhCmLoadSettings(Context->TreeNewHandle, &settings->sr); PhDereferenceObject(settings); } VOID PhpUserListSaveSettingsTreeList( _Inout_ PPH_USER_LIST_CONTEXT Context ) { PPH_STRING settings; settings = PhCmSaveSettings(Context->TreeNewHandle); PhSetStringSetting2(SETTING_USER_LIST_TREE_LIST_COLUMNS, &settings->sr); PhDereferenceObject(settings); } VOID PhpInitializeUserListTree( _In_ PPH_USER_LIST_CONTEXT Context ) { ULONG index = 0; PhSetControlTheme(Context->TreeNewHandle, L"explorer"); TreeNew_SetCallback(Context->TreeNewHandle, PhpUserListTreeNewCallback, Context); TreeNew_SetExtendedFlags(Context->TreeNewHandle, TN_FLAG_ITEM_DRAG_SELECT, TN_FLAG_ITEM_DRAG_SELECT); TreeNew_SetRedraw(Context->TreeNewHandle, FALSE); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_USER_NAME, TRUE, L"User name", 250, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LOGON_DOMAIN, TRUE, L"Logon domain", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_SESSION_ID, TRUE, L"Session ID", 80, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LOGON_TYPE, TRUE, L"Logon type", 100, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_AUTHENTICATION_PACKAGE, TRUE, L"Authentication package", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_DNS_DOMAIN_NAME, TRUE, L"DNS domain name", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LOGON_TIME, TRUE, L"Logon time", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_PASSWORD_LAST_SET, TRUE, L"Password last set", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_SID, TRUE, L"SID", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LOGON_ID, FALSE, L"Logon ID", 80, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LOGON_SERVER, FALSE, L"Logon server", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_USER_PRINCIPAL_NAME, FALSE, L"User principal name", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_USER_FLAGS, FALSE, L"User flags", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_FAILED_ATTEMPTS_SINCE_LAST_SUCCESSFUL_LOGON, FALSE, L"Failed logon attempts since", 80, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LAST_SUCCESSFUL_LOGON, FALSE, L"Last successful logon", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LAST_FAILED_LOGON, FALSE, L"Last failed logon", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LOGON_SCRIPT, FALSE, L"Longon script", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_PROFILE_PATH, FALSE, L"Profile path", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_HOME_DIRECTORY, FALSE, L"Home directory", 180, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_HOME_DIRECTORY_DRIVE, FALSE, L"Home directory drive", 80, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_LOGOFF_TIME, FALSE, L"Logoff time", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_KICKOFF_TIME, FALSE, L"Kickoff time", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_PASSWORD_CAN_CHANGE, FALSE, L"Password can set", 140, PH_ALIGN_LEFT, index++, 0); PhAddTreeNewColumn(Context->TreeNewHandle, PH_USER_LIST_COLUMN_PASSWORD_MUST_CHANGE, FALSE, L"Password must set", 140, PH_ALIGN_LEFT, index++, 0); TreeNew_SetRedraw(Context->TreeNewHandle, TRUE); //TreeNew_SetTriState(Context->TreeNewHandle, FALSE); PhpUserListLoadSettingsTreeList(Context); } _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PhpUserListSearchControlCallback( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ) { PPH_USER_LIST_CONTEXT context = Context; assert(context); context->SearchMatchHandle = MatchHandle; PhApplyTreeNewFilters(&context->FilterSupport); } INT_PTR CALLBACK PhpUserListDlgProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_USER_LIST_CONTEXT context; if (uMsg == WM_INITDIALOG) { context = (PPH_USER_LIST_CONTEXT)lParam; PhSetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT, context); } else { context = PhGetWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); } if (!context) return FALSE; switch (uMsg) { case WM_INITDIALOG: { context->WindowHandle = hwndDlg; context->TreeNewHandle = GetDlgItem(hwndDlg, IDC_TREELIST); context->MessageHandle = GetDlgItem(hwndDlg, IDC_MESSAGE); context->SearchWindowHandle = GetDlgItem(hwndDlg, IDC_FILTER); PhSetApplicationWindowIcon(hwndDlg); PhRegisterDialog(hwndDlg); PhCreateSearchControl( hwndDlg, context->SearchWindowHandle, L"Search Users", PhpUserListSearchControlCallback, context ); PhpInitializeUserListTree(context); PhInitializeLayoutManager(&context->LayoutManager, hwndDlg); PhAddLayoutItem(&context->LayoutManager, context->SearchWindowHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, GetDlgItem(hwndDlg, IDC_REFRESH), NULL, PH_ANCHOR_TOP | PH_ANCHOR_RIGHT); PhAddLayoutItem(&context->LayoutManager, context->TreeNewHandle, NULL, PH_ANCHOR_ALL); PhAddLayoutItem(&context->LayoutManager, context->MessageHandle, NULL, PH_ANCHOR_LEFT | PH_ANCHOR_BOTTOM | PH_ANCHOR_RIGHT); context->MinimumSize.left = 0; context->MinimumSize.top = 0; context->MinimumSize.right = 300; context->MinimumSize.bottom = 100; MapDialogRect(hwndDlg, &context->MinimumSize); if (PhValidWindowPlacementFromSetting(SETTING_USER_LIST_WINDOW_POSITION)) PhLoadWindowPlacementFromSetting(SETTING_USER_LIST_WINDOW_POSITION, SETTING_USER_LIST_WINDOW_SIZE, hwndDlg); else PhCenterWindow(hwndDlg, context->ParentWindowHandle); PhRegisterWindowCallback(hwndDlg, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, NULL); PhInitializeWindowTheme(hwndDlg, PhEnableThemeSupport); PhpUserListRefresh(context); } break; case WM_DESTROY: { PhRemoveWindowContext(hwndDlg, PH_WINDOW_CONTEXT_DEFAULT); PhSaveWindowPlacementToSetting(SETTING_USER_LIST_WINDOW_POSITION, SETTING_USER_LIST_WINDOW_SIZE, hwndDlg); PhUnregisterWindowCallback(hwndDlg); PhDeleteLayoutManager(&context->LayoutManager); PhpUserListSaveSettingsTreeList(context); PhpDeleteUserListTree(context); PhFree(context); PostQuitMessage(0); } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDC_REFRESH: PhpUserListRefresh(context); break; case IDCANCEL: DestroyWindow(hwndDlg); break; } } break; case WM_DPICHANGED: { PhLayoutManagerUpdate(&context->LayoutManager, LOWORD(wParam)); PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZE: { PhLayoutManagerLayout(&context->LayoutManager); } break; case WM_SIZING: { PhResizingMinimumSize((PRECT)lParam, wParam, context->MinimumSize.right, context->MinimumSize.bottom); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpUserListDialogThreadStart( _In_ PVOID Parameter ) { HWND windowHandle; BOOL result; MSG message; PH_AUTO_POOL autoPool; PhInitializeAutoPool(&autoPool); windowHandle = PhCreateDialog( PhInstanceHandle, MAKEINTRESOURCE(IDD_USRLIST), NULL, PhpUserListDlgProc, Parameter ); ShowWindow(windowHandle, SW_SHOW); SetForegroundWindow(windowHandle); while (result = GetMessage(&message, NULL, 0, 0)) { if (result == INT_ERROR) break; if (!IsDialogMessage(windowHandle, &message)) { TranslateMessage(&message); DispatchMessage(&message); } PhDrainAutoPool(&autoPool); } PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } VOID PhShowUserListDialog( _In_ HWND ParentWindowHandle ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_USER_LIST_CONTEXT context; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"secur32.dll")) { LsaFreeReturnBuffer_I = PhGetDllBaseProcedureAddress(baseAddress, "LsaFreeReturnBuffer", 0); LsaEnumerateLogonSessions_I = PhGetDllBaseProcedureAddress(baseAddress, "LsaEnumerateLogonSessions", 0); LsaGetLogonSessionData_I = PhGetDllBaseProcedureAddress(baseAddress, "LsaGetLogonSessionData", 0); } PhEndInitOnce(&initOnce); } if (!LsaFreeReturnBuffer_I || !LsaEnumerateLogonSessions_I || !LsaGetLogonSessionData_I) { PhShowStatus(ParentWindowHandle, L"Unable to locate routines.", STATUS_NOINTERFACE, 0); return; } context = PhAllocateZero(sizeof(PH_USER_LIST_CONTEXT)); context->ParentWindowHandle = ParentWindowHandle; if (!NT_SUCCESS(PhCreateThread2(PhpUserListDialogThreadStart, context))) { PhShowStatus(ParentWindowHandle, L"Unable to create the window.", 0, ERROR_OUTOFMEMORY); PhFree(context); } } ================================================ FILE: SystemInformer/version.rc ================================================ // Microsoft Visual C++ generated resource script. // #pragma code_page(65001) #include "resource.h" #define APSTUDIO_READONLY_SYMBOLS ///////////////////////////////////////////////////////////////////////////// // // Generated from the TEXTINCLUDE 2 resource. // #include "winres.h" #include "include/phappres.h" ///////////////////////////////////////////////////////////////////////////// #undef APSTUDIO_READONLY_SYMBOLS ///////////////////////////////////////////////////////////////////////////// // English (United States) resources #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US #ifdef APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // TEXTINCLUDE // 1 TEXTINCLUDE BEGIN "resource.h\0" END 2 TEXTINCLUDE BEGIN "#include ""winres.h""\r\n" "#include ""include/phappres.h""\0" END 3 TEXTINCLUDE BEGIN "\r\n" "\0" END #endif // APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // Version // VS_VERSION_INFO VERSIONINFO FILEVERSION PHAPP_VERSION_NUMBER PRODUCTVERSION PHAPP_VERSION_NUMBER FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L #else FILEFLAGS 0x0L #endif FILEOS 0x40004L FILETYPE 0x1L FILESUBTYPE 0x0L BEGIN BLOCK "StringFileInfo" BEGIN BLOCK "040904B0" BEGIN VALUE "CompanyName", "Winsider Seminars & Solutions, Inc." VALUE "FileDescription", "System Informer" VALUE "FileVersion", PHAPP_VERSION_STRING VALUE "InternalName", "System Informer" VALUE "LegalCopyright", "Copyright (c) Winsider Seminars & Solutions, Inc. All rights reserved." VALUE "OriginalFilename", "System Informer.exe" VALUE "ProductName", "System Informer" VALUE "ProductVersion", PHAPP_VERSION_STRING VALUE "Comments", PHAPP_VERSION_COMMIT END END BLOCK "VarFileInfo" BEGIN VALUE "Translation", 0x0409, 0x04b0 END END #endif // English (United States) resources ///////////////////////////////////////////////////////////////////////////// ================================================ FILE: SystemInformer.natvis ================================================ {Buffer,[Length / 2]su} Buffer,[Length / 2]su Length Length / 2 wcslen(Buffer) {Buffer,[Length / 2]su} Buffer,[Length / 2]su Length Length / 2 wcslen(Buffer) {{size={Count}}} Count AllocatedCount Count Items ================================================ FILE: SystemInformer.sln ================================================  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 17 VisualStudioVersion = 17.12.35527.113 d17.12 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SystemInformer", "SystemInformer\SystemInformer.vcxproj", "{0271DD27-6707-4290-8DFE-285702B7115D}" ProjectSection(ProjectDependencies) = postProject {477D0215-F252-41A1-874B-F27E3EA1ED17} = {477D0215-F252-41A1-874B-F27E3EA1ED17} {F1757430-8EEE-49DF-A5F1-0999A53BB4A0} = {F1757430-8EEE-49DF-A5F1-0999A53BB4A0} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "phlib", "phlib\phlib.vcxproj", "{477D0215-F252-41A1-874B-F27E3EA1ED17}" ProjectSection(ProjectDependencies) = postProject {F1757430-8EEE-49DF-A5F1-0999A53BB4A0} = {F1757430-8EEE-49DF-A5F1-0999A53BB4A0} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "peview", "tools\peview\peview.vcxproj", "{72C124A2-3C80-41C6-ABA1-C4948B713204}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kphlib", "kphlib\kphlib_um.vcxproj", "{F1757430-8EEE-49DF-A5F1-0999A53BB4A0}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|ARM64 = Debug|ARM64 Debug|Win32 = Debug|Win32 Debug|x64 = Debug|x64 Release|ARM64 = Release|ARM64 Release|Win32 = Release|Win32 Release|x64 = Release|x64 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|ARM64.ActiveCfg = Debug|ARM64 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|ARM64.Build.0 = Debug|ARM64 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|ARM64.Deploy.0 = Debug|ARM64 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|Win32.ActiveCfg = Debug|Win32 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|Win32.Build.0 = Debug|Win32 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|Win32.Deploy.0 = Debug|Win32 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|x64.ActiveCfg = Debug|x64 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|x64.Build.0 = Debug|x64 {0271DD27-6707-4290-8DFE-285702B7115D}.Debug|x64.Deploy.0 = Debug|x64 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|ARM64.ActiveCfg = Release|ARM64 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|ARM64.Build.0 = Release|ARM64 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|ARM64.Deploy.0 = Release|ARM64 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|Win32.ActiveCfg = Release|Win32 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|Win32.Build.0 = Release|Win32 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|Win32.Deploy.0 = Release|Win32 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|x64.ActiveCfg = Release|x64 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|x64.Build.0 = Release|x64 {0271DD27-6707-4290-8DFE-285702B7115D}.Release|x64.Deploy.0 = Release|x64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Debug|ARM64.ActiveCfg = Debug|ARM64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Debug|ARM64.Build.0 = Debug|ARM64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Debug|Win32.ActiveCfg = Debug|Win32 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Debug|Win32.Build.0 = Debug|Win32 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Debug|x64.ActiveCfg = Debug|x64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Debug|x64.Build.0 = Debug|x64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Release|ARM64.ActiveCfg = Release|ARM64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Release|ARM64.Build.0 = Release|ARM64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Release|Win32.ActiveCfg = Release|Win32 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Release|Win32.Build.0 = Release|Win32 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Release|x64.ActiveCfg = Release|x64 {477D0215-F252-41A1-874B-F27E3EA1ED17}.Release|x64.Build.0 = Release|x64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|ARM64.ActiveCfg = Debug|ARM64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|ARM64.Build.0 = Debug|ARM64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|ARM64.Deploy.0 = Debug|ARM64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|Win32.ActiveCfg = Debug|Win32 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|Win32.Build.0 = Debug|Win32 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|Win32.Deploy.0 = Debug|Win32 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|x64.ActiveCfg = Debug|x64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|x64.Build.0 = Debug|x64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Debug|x64.Deploy.0 = Debug|x64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|ARM64.ActiveCfg = Release|ARM64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|ARM64.Build.0 = Release|ARM64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|ARM64.Deploy.0 = Release|ARM64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|Win32.ActiveCfg = Release|Win32 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|Win32.Build.0 = Release|Win32 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|Win32.Deploy.0 = Release|Win32 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|x64.ActiveCfg = Release|x64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|x64.Build.0 = Release|x64 {72C124A2-3C80-41C6-ABA1-C4948B713204}.Release|x64.Deploy.0 = Release|x64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Debug|ARM64.ActiveCfg = Debug|ARM64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Debug|ARM64.Build.0 = Debug|ARM64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Debug|Win32.ActiveCfg = Debug|Win32 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Debug|Win32.Build.0 = Debug|Win32 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Debug|x64.ActiveCfg = Debug|x64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Debug|x64.Build.0 = Debug|x64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Release|ARM64.ActiveCfg = Release|ARM64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Release|ARM64.Build.0 = Release|ARM64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Release|Win32.ActiveCfg = Release|Win32 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Release|Win32.Build.0 = Release|Win32 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Release|x64.ActiveCfg = Release|x64 {F1757430-8EEE-49DF-A5F1-0999A53BB4A0}.Release|x64.Build.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {096726E0-A447-47E3-8E9C-3F2B2C695CFC} EndGlobalSection EndGlobal ================================================ FILE: SystemInformer.slnx ================================================ ================================================ FILE: build/KSystemInformer.ddf ================================================ ; ; Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. ; ; This file is part of System Informer. ; ; Authors: ; ; jxy-s 2022 ; .OPTION EXPLICIT .Set CabinetFileCountThreshold=0 .Set FolderFileCountThreshold=0 .Set FolderSizeThreshold=0 .Set MaxCabinetSize=0 .Set MaxDiskFileCount=0 .Set MaxDiskSize=0 .Set CompressionType=MSZIP .Set Cabinet=on .Set Compress=on .Set CabinetNameTemplate=KSystemInformer.cab .Set DestinationDir=x64 KSystemInformer.inf Release64\systeminformer.sys Release64\systeminformer.pdb Release64\ksi.dll Release64\ksi.pdb .Set DestinationDir=arm64 KSystemInformer.inf ReleaseARM64\systeminformer.sys ReleaseARM64\systeminformer.pdb ReleaseARM64\ksi.dll ReleaseARM64\ksi.pdb ================================================ FILE: build/README.md ================================================ # Building System Informer General rule of thumb is to run `build_init.cmd` then `build_release.cmd` after cloning the repo. After running `build_init.cmd` you generally don't need to run it again unless there are updates to the tools or third party libraries. If you're having trouble, when in doubt, run `build_init.cmd`. You may also build the solutions directly in Visual Studio. ## Errors, Problems, Gotchas This section contains common errors, problems, and gotchas when building System Informer. If you're having trouble building then the information here is likely to resolve your problem. ### LINK : fatal error C1047 (thirdparty.lib) TL;DR - run `build_thirdparty.cmd` This error occurs because `thirdparty.lib` was built using a different compiler than the one in the environment. To resolve this in your environment run `build_thirdparty.cmd`. ### Built plugins not loading with kernel driver enabled It is possible to load built plugins with the driver enabled, but there is an intentional security mitigation to protect the driver from abuse. Please refer to the [kernel driver readme](../KSystemInformer/README.md) for more information. You may also disable the advanced setting for image load denial, but access to the driver will be restricted with unsigned plugins loaded. ================================================ FILE: build/build_clean.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if not exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-cleanup" pause ================================================ FILE: build/build_cmake.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" set "TIB=false" if "%GITHUB_ACTIONS%"=="true" ( set "TIB=true" ) else if "%TF_BUILD%"=="true" ( set "TIB=true" ) set GENERATOR=%~1 set CONFIG=%~2 set TOOLCHAIN=%~3 set ACTION=%~4 set TOOLCHAIN_FILE= set BUILD_DIR= for /f "usebackq tokens=*" %%a in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires Microsoft.Component.MSBuild -property installationPath`) do ( set "VSINSTALLPATH=%%a" ) if not defined VSINSTALLPATH ( echo No Visual Studio installation detected. goto end ) if /i "%CONFIG%"=="Debug" ( set BUILD_DIR=build-debug ) else if /i "%CONFIG%"=="Release" ( set BUILD_DIR=build-release ) else ( echo Error: Unsupported configuration: %CONFIG% echo Supported configurations: Debug, Release set ERRORLEVEL=1 goto end ) if /i "%TOOLCHAIN%"=="msvc-x86" ( set PLATFORM=Win32 set VCVARS_ARCH=amd64_x86 set BUILD_DIR="%CD%\%BUILD_DIR%-msvc-32" set TOOLCHAIN_FILE="%CD%\cmake\toolchain\msvc-x86.cmake" ) else if /i "%TOOLCHAIN%"=="msvc-amd64" ( set PLATFORM=x64 set VCVARS_ARCH=amd64 set BUILD_DIR="%CD%\%BUILD_DIR%-msvc-64" set TOOLCHAIN_FILE="%CD%\cmake\toolchain\msvc-amd64.cmake" ) else if /i "%TOOLCHAIN%"=="msvc-arm64" ( set PLATFORM=ARM64 set VCVARS_ARCH=amd64_arm64 set BUILD_DIR="%CD%\%BUILD_DIR%-msvc-arm64" set TOOLCHAIN_FILE="%CD%\cmake\toolchain\msvc-arm64.cmake" ) else if /i "%TOOLCHAIN%"=="clang-msvc-x86" ( set PLATFORM=Win32 set VCVARS_ARCH=amd64_x86 set BUILD_DIR="%CD%\%BUILD_DIR%-clang-msvc-32" set TOOLCHAIN_FILE="%CD%\cmake\toolchain\clang-msvc-x86.cmake" ) else if /i "%TOOLCHAIN%"=="clang-msvc-amd64" ( set PLATFORM=x64 set VCVARS_ARCH=amd64 set BUILD_DIR="%CD%\%BUILD_DIR%-clang-msvc-64" set TOOLCHAIN_FILE="%CD%\cmake\toolchain\clang-msvc-amd64.cmake" ) else if /i "%TOOLCHAIN%"=="clang-msvc-arm64" ( set PLATFORM=ARM64 set VCVARS_ARCH=amd64_arm64 set BUILD_DIR="%CD%\%BUILD_DIR%-clang-msvc-arm64" set TOOLCHAIN_FILE="%CD%\cmake\toolchain\clang-msvc-arm64.cmake" ) else ( echo Error: Unsupported toolchain: %TOOLCHAIN% echo Supported toolchains: msvc-x86, msvc-amd64, msvc-arm64, clang-msvc-x86, clang-msvc-amd64, clang-msvc-arm64 set ERRORLEVEL=1 goto end ) set SOURCE_DIR="%CD%" echo =============================================== echo System Informer CMake Build Script echo =============================================== echo Action: %ACTION% echo Generator: %GENERATOR% echo Configuration: %CONFIG% echo Platform: %PLATFORM% echo Toolchain: %TOOLCHAIN% echo VCVARS: %VCVARS_ARCH% echo Source: %SOURCE_DIR% echo Build: %BUILD_DIR% echo =============================================== set CMAKE_GEN_OPTS= if /i "%GENERATOR%"=="Ninja" ( set CMAKE_GEN_OPTS=-DCMAKE_BUILD_TYPE=%CONFIG% ) set CMAKE_BUILD_OPTS= if not "%GENERATOR:Visual Studio=%"=="%GENERATOR%" ( set CMAKE_BUILD_OPTS=-- /m /p:Platform=%PLATFORM% -terminalLogger:auto ) if /i "%ACTION%"=="clean" ( if exist "%BUILD_DIR%" rmdir /s /q "%BUILD_DIR%" ) else if /i "%ACTION%"=="generate" ( echo Setting up Visual Studio environment for %VCVARS_ARCH%... call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_ARCH% if %ERRORLEVEL% neq 0 goto end if not exist "%BUILD_DIR%" mkdir "%BUILD_DIR%" cmake -G "%GENERATOR%" -S %SOURCE_DIR% -B %BUILD_DIR% ^ --toolchain %TOOLCHAIN_FILE% ^ -DCMAKE_EXPORT_COMPILE_COMMANDS=ON ^ -DSI_WITH_CORE=ON ^ -DSI_WITH_PLUGINS=ON ^ %CMAKE_GEN_OPTS% if %ERRORLEVEL% neq 0 goto end ) else if /i "%ACTION%"=="build" ( echo Setting up Visual Studio environment for %VCVARS_ARCH%... call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_ARCH% if %ERRORLEVEL% neq 0 goto end if "%NINJA_STATUS%"=="" ( set "NINJA_STATUS=[%%p][%%w][%%f/%%t][%%o/s] " ) cmake --build %BUILD_DIR% --config %CONFIG% %CMAKE_BUILD_OPTS% if %ERRORLEVEL% neq 0 goto end ) else ( echo Error: Invalid action "%ACTION%". Use "generate", "build", or "clean". set ERRORLEVEL=1 ) :end if "%TIB%"=="false" pause ================================================ FILE: build/build_compile_commands.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" for /f "usebackq tokens=*" %%a in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires Microsoft.Component.MSBuild -property installationPath`) do ( set "VSINSTALLPATH=%%a" ) if exist "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" ( if "%PROCESSOR_ARCHITECTURE%"=="ARM64" ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" arm64 dotnet publish tools\CompileCommandsJson\CompileCommandsJson.sln -c Release /p:PublishProfile=Properties\PublishProfiles\arm64.pubxml set COMPILE_COMMANDS_LOGGER=tools\CompileCommandsJson\bin\Release\arm64\CompileCommandsJson.dll set BUILD_PLATFORM=ARM64 ) else ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64 dotnet publish tools\CompileCommandsJson\CompileCommandsJson.sln -c Release /p:PublishProfile=Properties\PublishProfiles\amd64.pubxml set COMPILE_COMMANDS_LOGGER=tools\CompileCommandsJson\bin\Release\amd64\CompileCommandsJson.dll set BUILD_PLATFORM=x64 ) ) else ( goto end ) if not exist %COMPILE_COMMANDS_LOGGER% ( echo CompileCommandsJson.dll not found. goto end ) set BUILD_ARGS=-t:rebuild -p:Configuration=Debug;Platform=%BUILD_PLATFORM% -logger:%COMPILE_COMMANDS_LOGGER% -terminalLogger:auto msbuild /m KSystemInformer\KSystemInformer.sln %BUILD_ARGS% if %ERRORLEVEL% neq 0 goto end echo: msbuild /m SystemInformer.sln %BUILD_ARGS% if %ERRORLEVEL% neq 0 goto end echo: msbuild /m Plugins\Plugins.sln %BUILD_ARGS% if %ERRORLEVEL% neq 0 goto end echo: :end pause ================================================ FILE: build/build_debug.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if not exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-debug" pause ================================================ FILE: build/build_devenv.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if not exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "tools\thirdparty\thirdparty.sln /Rebuild Debug /Project thirdparty /projectconfig ""Debug|Win32"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "tools\thirdparty\thirdparty.sln /rebuild Debug /Project thirdparty /projectconfig ""Debug|x64"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "tools\thirdparty\thirdparty.sln /Rebuild Release /Project thirdparty /projectconfig ""Release|Win32"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "tools\thirdparty\thirdparty.sln /rebuild Release /Project thirdparty /projectconfig ""Release|x64"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "SystemInformer.sln /Rebuild ""Debug|Win32"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "SystemInformer.sln /Rebuild ""Debug|x64"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "SystemInformer.sln /Rebuild ""Release|Win32"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "SystemInformer.sln /Rebuild ""Release|x64"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "Plugins\Plugins.sln /Rebuild ""Debug|Win32"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "Plugins\Plugins.sln /Rebuild ""Debug|x64"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "Plugins\Plugins.sln /Rebuild ""Release|Win32"" " start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-devenv-build" "Plugins\Plugins.sln /Rebuild ""Release|x64"" " pause ================================================ FILE: build/build_dyndata.cmd ================================================ @echo off @setlocal enableextensions @setlocal enabledelayedexpansion @cd /d "%~dp0\..\" set localerror=1 if "%1"=="" ( echo Usage: build_dyndata.cmd [BUILD_OUTPUT_PATH] goto end ) if exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-dyndata" "%1" set localerror=!errorlevel! ) else ( echo CustomBuildTool.exe not found in tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE% folder. ) :end exit /B %localerror% ================================================ FILE: build/build_header.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" set BUILD_TOOL="tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" if not exist %BUILD_TOOL% ( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" %BUILD_TOOL% "-phnt_headers_gen" pause ================================================ FILE: build/build_init.cmd ================================================ @echo off @setlocal enableextensions call "%~dp0build_thirdparty.cmd" INIT call "%~dp0build_tools.cmd" INIT ================================================ FILE: build/build_msix.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if not exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-msix-build" pause ================================================ FILE: build/build_release.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if not exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-release" pause ================================================ FILE: build/build_sdk.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" set BUILD_TOOL="tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" if not exist %BUILD_TOOL% ( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" %BUILD_TOOL% "-sdk" "-Debug" "-Win32" "-verbose" start /B /W "" %BUILD_TOOL% "-sdk" "-Debug" "-x64" "-verbose" start /B /W "" %BUILD_TOOL% "-sdk" "-Debug" "-arm64" "-verbose" start /B /W "" %BUILD_TOOL% "-sdk" "-Release" "-Win32" "-verbose" start /B /W "" %BUILD_TOOL% "-sdk" "-Release" "-x64" "-verbose" start /B /W "" %BUILD_TOOL% "-sdk" "-Release" "-arm64" "-verbose" pause ================================================ FILE: build/build_sdk_rebuild.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if not exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe"( echo CustomBuildTool.exe not found. Run build\build_init.cmd first. exit /b 1 ) start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-cleansdk" pause ================================================ FILE: build/build_thirdparty.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" REM Check if an argument is provided and if it is "INIT" set "IS_INIT=false" if "%1"=="INIT" ( set "IS_INIT=true" ) REM Check if terminal logging is supported set "TLG=auto" if "%GITHUB_ACTIONS%"=="true" ( set "TLG=off" ) else if "%TF_BUILD%"=="true" ( set "TLG=off" ) for /f "usebackq tokens=*" %%a in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires Microsoft.Component.MSBuild -property installationPath`) do ( set "VSINSTALLPATH=%%a" ) if not defined VSINSTALLPATH if defined WindowsSdkDir ( set "VSINSTALLPATH=%WindowsSdkDir%" ) if not defined VSINSTALLPATH if defined EWDK_ROOT ( set "VSINSTALLPATH=%EWDK_ROOT%" ) if not defined VSINSTALLPATH ( echo No Visual Studio installation detected. goto end ) set "VS_ARM64_SUPPORT=false" for /f "usebackq tokens=*" %%a in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires "Microsoft.VisualStudio.Component.VC.Tools.ARM64" -property installationPath`) do ( set "VS_ARM64_SUPPORT=true" ) if "%PROCESSOR_ARCHITECTURE%"=="ARM64" ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" arm64 ) else ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64 ) if exist "tools\thirdparty\bin" ( rmdir /S /Q "tools\thirdparty\bin" ) if exist "tools\thirdparty\obj" ( rmdir /S /Q "tools\thirdparty\obj" ) echo: echo Building thirdparty.sln [Debug32] msbuild /m tools\thirdparty\thirdparty.sln -property:Configuration=Debug -property:Platform=x86 -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [Release32] msbuild /m tools\thirdparty\thirdparty.sln -property:Configuration=Release -property:Platform=x86 -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [Debug64] msbuild /m tools\thirdparty\thirdparty.sln -property:Configuration=Debug -property:Platform=x64 -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [Release64] msbuild /m tools\thirdparty\thirdparty.sln -property:Configuration=Release -property:Platform=x64 -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: if "%VS_ARM64_SUPPORT%"=="true" ( echo Building thirdparty.sln [DebugARM64] msbuild /m tools\thirdparty\thirdparty.sln -property:Configuration=Debug -property:Platform=ARM64 -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [ReleaseARM64] msbuild /m tools\thirdparty\thirdparty.sln -property:Configuration=Release -property:Platform=ARM64 -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: ) :end REM If IS_INIT is not provided, print a message and exit if /i "%IS_INIT%"=="false" ( REM Avoid pause in non-interactive runs (stdin redirected). set "STDIN_REDIRECTED=False" for /f %%i in ('powershell -NoProfile -Command "[Console]::IsInputRedirected"') do set "STDIN_REDIRECTED=%%i" REM Pause only for interactive console sessions. if /i not "%STDIN_REDIRECTED%"=="True" pause ) else ( REM INIT mode is used by scripts, so return immediately. exit /b 0 ) ================================================ FILE: build/build_tools.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" set "TIB=false" if "%GITHUB_ACTIONS%"=="true" ( set "TIB=true" ) else if "%TF_BUILD%"=="true" ( set "TIB=true" ) for /f "usebackq tokens=*" %%a in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires Microsoft.Component.MSBuild -property installationPath`) do ( set "VSINSTALLPATH=%%a" ) if not defined VSINSTALLPATH if defined WindowsSdkDir ( set "VSINSTALLPATH=%WindowsSdkDir%" ) if not defined VSINSTALLPATH if defined EWDK_ROOT ( set "VSINSTALLPATH=%EWDK_ROOT%" ) if not defined VSINSTALLPATH ( echo No Visual Studio installation detected. goto end ) :: Pre-cleanup (required since dotnet doesn't cleanup) if exist "tools\CustomBuildTool\bin\" ( rmdir /S /Q "tools\CustomBuildTool\bin\" ) if exist "tools\CustomBuildTool\obj" ( rmdir /S /Q "tools\CustomBuildTool\obj" ) if exist "tools\CustomBuildTool\.vs" ( rmdir /S /Q "tools\CustomBuildTool\.vs" ) if exist "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" ( if "%PROCESSOR_ARCHITECTURE%"=="ARM64" ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" arm64 dotnet publish tools\CustomBuildTool\CustomBuildTool.sln -c Release /p:PublishProfile=Properties\PublishProfiles\arm64.pubxml /p:ContinuousIntegrationBuild=%TIB% ) else ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64 dotnet publish tools\CustomBuildTool\CustomBuildTool.sln -c Release /p:PublishProfile=Properties\PublishProfiles\amd64.pubxml /p:ContinuousIntegrationBuild=%TIB% ) ) else ( goto end ) :: Post-cleanup (required since dotnet doesn't cleanup) if exist "tools\CustomBuildTool\bin\ARM64" ( rmdir /S /Q "tools\CustomBuildTool\bin\ARM64" ) if exist "tools\CustomBuildTool\bin\x64" ( rmdir /S /Q "tools\CustomBuildTool\bin\x64" ) if exist "tools\CustomBuildTool\bin\Release\net9.0-windows-arm64" ( rmdir /S /Q "tools\CustomBuildTool\bin\Release\net9.0-windows-arm64" ) if exist "tools\CustomBuildTool\bin\Release\net9.0-windows-x64" ( rmdir /S /Q "tools\CustomBuildTool\bin\Release\net9.0-windows-x64" ) if exist "tools\CustomBuildTool\obj" ( rmdir /S /Q "tools\CustomBuildTool\obj" ) if exist "tools\CustomBuildTool\.vs" ( rmdir /S /Q "tools\CustomBuildTool\.vs" ) if exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo: start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-write-tools-id" echo: ) else ( echo: echo CustomBuildTool build failed. echo: ) :end if "%TIB%"=="false" ( REM Avoid pause in non-interactive runs (stdin redirected). set "STDIN_REDIRECTED=False" for /f %%i in ('powershell -NoProfile -Command "[Console]::IsInputRedirected"') do set "STDIN_REDIRECTED=%%i" REM Pause only for interactive console sessions. if /i not "%STDIN_REDIRECTED%"=="True" pause ) ================================================ FILE: build/build_verbose.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" REM Check if terminal logging is supported set "TLG=auto" if "%GITHUB_ACTIONS%"=="true" ( set "TLG=off" ) else if "%TF_BUILD%"=="true" ( set "TLG=off" ) REM Check if diagnostic is supported set "TLV=normal" if not "%~1"=="" ( set "TLV=diagnostic" ) for /f "usebackq tokens=*" %%a in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires Microsoft.Component.MSBuild -property installationPath`) do ( set "VSINSTALLPATH=%%a" ) if not defined VSINSTALLPATH ( echo No Visual Studio installation detected. goto end ) set "VS_ARM64_SUPPORT=false" for /f "usebackq tokens=*" %%a in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires "Microsoft.VisualStudio.Component.VC.Tools.ARM64" -property installationPath`) do ( set "VS_ARM64_SUPPORT=true" ) if exist "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" ( if "%VS_ARM64_SUPPORT%"=="true" ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64_arm64 ) else ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64 ) if %ERRORLEVEL% neq 0 goto end ) else ( echo Warning: vcvarsall.bat not found and compilation environment variables are not defined. echo The build may fail if the environment is not properly initialized. goto end ) echo: echo Building thirdparty.sln [Debug32] msbuild /m SystemInformer.sln -t:rebuild -p:Configuration=Debug -p:Platform=Win32 -verbosity:%TLV% -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [Debug64] msbuild /m SystemInformer.sln -t:rebuild -p:Configuration=Debug -p:Platform=x64 -verbosity:%TLV% -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [Release32] msbuild /m Plugins\Plugins.sln -t:rebuild -p:Configuration=Debug -p:Platform=Win32 -verbosity:%TLV% -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [Release64] msbuild /m Plugins\Plugins.sln -t:rebuild -p:Configuration=Debug -p:Platform=x64 -verbosity:%TLV% -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: if "%VS_ARM64_SUPPORT%"=="true" ( echo Building thirdparty.sln [DebugARM64] msbuild /m SystemInformer.sln -t:rebuild -p:Configuration=Debug -p:Platform=ARM64 -verbosity:%TLV% -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: echo Building thirdparty.sln [ReleaseARM64] msbuild /m Plugins\Plugins.sln -t:rebuild -p:Configuration=Debug -p:Platform=ARM64 -verbosity:%TLV% -terminalLogger:%TLG% if %ERRORLEVEL% neq 0 goto end echo: ) :end pause ================================================ FILE: build/build_zdriver.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" REM Check if terminal logging is supported set "TLG=auto" if "%GITHUB_ACTIONS%"=="true" ( set "TLG=off" ) else if "%TF_BUILD%"=="true" ( set "TLG=off" ) if not exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo Build tool not found. Run build\build_init.cmd first. exit /b 1 ) set BUILD_CONFIGURATION=Debug set BUILD_TARGET=Build set PREFAST_ANALYSIS= :argloop if not "%1"=="" ( if "%1"=="debug" ( set BUILD_CONFIGURATION=Debug shift goto :argloop ) if "%1"=="release" ( set BUILD_CONFIGURATION=Release shift goto :argloop ) if "%1"=="build" ( set BUILD_TARGET=Build shift goto :argloop ) if "%1"=="rebuild" ( set BUILD_TARGET=Rebuild shift goto :argloop ) if "%1"=="clean" ( set BUILD_TARGET=Clean shift goto :argloop ) if "%1"=="prefast" ( set PREFAST_ANALYSIS=-p:RunCodeAnalysis=true -p:CodeAnalysisTreatWarningsAsErrors=true shift goto :argloop ) shift goto :argloop ) for /f "usebackq tokens=*" %%A in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires Microsoft.Component.MSBuild -property installationPath`) do ( set VSINSTALLPATH=%%A ) if not defined VSINSTALLPATH if defined WindowsSdkDir ( set "VSINSTALLPATH=%WindowsSdkDir%" ) if not defined VSINSTALLPATH if defined EWDK_ROOT ( set "VSINSTALLPATH=%EWDK_ROOT%" ) if not defined VSINSTALLPATH ( echo [-] Visual Studio not found goto end ) if exist "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64_arm64 ) else ( if not defined INCLUDE ( if not defined LIB ( echo Warning: vcvarsall.bat not found and compilation environment variables ^(INCLUDE/LIB^) are not defined. echo The build may fail if the environment is not properly initialized. ) ) ) echo [+] Building... [WIN64] %BUILD_CONFIGURATION% %BUILD_TARGET% %PREFAST_ANALYSIS% %LEGACY_BUILD% msbuild KSystemInformer\KSystemInformer.sln -t:%BUILD_TARGET% -p:Configuration=%BUILD_CONFIGURATION%;Platform=x64 -maxCpuCount -terminalLogger:%TLG% -consoleLoggerParameters:Summary;Verbosity=minimal %PREFAST_ANALYSIS% if %ERRORLEVEL% neq 0 goto end echo [+] Building... [ARM64] %BUILD_CONFIGURATION% %BUILD_TARGET% %PREFAST_ANALYSIS% %LEGACY_BUILD% msbuild KSystemInformer\KSystemInformer.sln -t:%BUILD_TARGET% -p:Configuration=%BUILD_CONFIGURATION%;Platform=ARM64 -maxCpuCount -terminalLogger:%TLG% -consoleLoggerParameters:Summary;Verbosity=minimal %PREFAST_ANALYSIS% if %ERRORLEVEL% neq 0 goto end echo [+] Build Complete! %BUILD_CONFIGURATION% %BUILD_TARGET% %PREFAST_ANALYSIS% %LEGACY_BUILD% :end pause ================================================ FILE: build/build_zdriver_cab.cmd ================================================ @echo off @setlocal enableextensions rmdir /q /s %~dp0\output\cab del %~dp0\output\KSystemInformer.cab call %~dp0\build_zdriver.cmd release rebuild if %ERRORLEVEL% neq 0 ( echo [-] Build failed, CAB was not generated. goto end ) mkdir %~dp0\output\cab (robocopy %~dp0\..\KSystemInformer\bin %~dp0\output\cab *.sys *.dll *.pdb /mir) ^& if %ERRORLEVEL% lss 8 set ERRORLEVEL = 0 if %ERRORLEVEL% neq 0 ( echo [-] Failed to copy build artifacts to CAB directory. goto end ) (robocopy %~dp0\..\KSystemInformer %~dp0\output\cab KSystemInformer.inf) ^& if %ERRORLEVEL% lss 8 set ERRORLEVEL = 0 if %ERRORLEVEL% neq 0 ( echo [-] Failed to copy INF to CAB directory. goto end ) pushd %~dp0\output\cab makecab /f %~dp0\KSystemInformer.ddf if %ERRORLEVEL% neq 0 ( echo [-] Failed to generate CAB. popd goto end ) popd (robocopy %~dp0\output\cab\disk1 %~dp0\output KSystemInformer.cab) ^& if %ERRORLEVEL% lss 8 set ERRORLEVEL = 0 if %ERRORLEVEL% neq 0 ( echo [-] Failed to copy CAB to output folder. goto end ) rmdir /q /s %~dp0\output\cab echo [+] CAB Complete! echo [.] Preparing to sign CAB... for /f "usebackq tokens=*" %%A in (`call "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -prerelease -products * -requires Microsoft.Component.MSBuild -property installationPath`) do ( set VSINSTALLPATH=%%A ) if not defined VSINSTALLPATH ( echo [-] Visual Studio not found goto end ) if exist "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" ( call "%VSINSTALLPATH%\VC\Auxiliary\Build\vcvarsall.bat" amd64_arm64 ) else ( echo [-] Failed to set up build environment goto end ) echo [.] Signing: %~dp0\output\KSystemInformer.cab signtool sign /fd sha256 /n "Winsider" %~dp0\output\KSystemInformer.cab if %ERRORLEVEL% neq 0 goto end echo [+] CAB Signed! :end pause ================================================ FILE: build/build_zdriver_sdk.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if "%1"=="" ( echo: echo Usage: build_zdriver_sdk.cmd [FILE_PATH] [CONFIGURATION] [PLATFORM] echo: pause goto end ) if "%2"=="" ( echo: echo Usage: build_zdriver_sdk.cmd [FILE_PATH] [CONFIGURATION] [PLATFORM] echo: pause goto end ) if "%3"=="" ( echo: echo Usage: build_zdriver_sdk.cmd [FILE_PATH] [CONFIGURATION] [PLATFORM] echo: pause goto end ) if exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-kphsign" %1 if %ERRORLEVEL% neq 0 ( echo "[CustomBuildTool] Failed to sign %1" ) start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-sdk" "-verbose" %2 %3 if %ERRORLEVEL% neq 0 ( echo "[CustomBuildTool] SDK Failed %2 %3" ) ) else ( echo CustomBuildTool.exe not found in tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE% folder. ) :end ================================================ FILE: build/build_zsign.cmd ================================================ @echo off @setlocal enableextensions @cd /d "%~dp0\..\" if "%1"=="" ( echo: echo Usage: build_zsign.cmd [FILE_PATH] [CONFIGURATION] [PLATFORM] echo: pause goto end ) if exist "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" ( echo: start /B /W "" "tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE%\CustomBuildTool.exe" "-kphsign" "%1" echo: ) else ( echo CustomBuildTool.exe not found in tools\CustomBuildTool\bin\Release\%PROCESSOR_ARCHITECTURE% folder. ) :end ================================================ FILE: build/build_zwntapi.ps1 ================================================ function InitializeScriptEnvironment() { # Get script start time $global:TimeStart = (Get-Date); # Stop script execution after any errors. $global:ErrorActionPreference = "Stop"; } function CheckSolutionDirectory() { # Check if the current directory contains the main solution if (!(Test-Path "SystemInformer.sln")) { # Change root directory to the \build\internal\ directory (where this script is located). Set-Location $PSScriptRoot; # Set the current location to the base repository directory. Set-Location "..\"; # Re-check if the current directory if (!(Test-Path "SystemInformer.sln")) { Write-Host "Unable to find project directory... Exiting." -ForegroundColor Red exit 5 } } } function GenerateZw() { $BaseDirectory = "phnt\include" $OutputFile = "ntzwapi.h" $Header = "#ifndef _NTZWAPI_H`r`n#define _NTZWAPI_H`r`n`r`n// This file was automatically generated. Do not edit.`r`n`r`n" $Footer = "#endif`r`n" $directoryInfo = Get-Item -Path ".." while ($null -ne $directoryInfo.Parent -and $null -ne $directoryInfo.Parent.Parent) { $directoryInfo = $directoryInfo.Parent if (Test-Path -Path "$($directoryInfo.FullName)\$BaseDirectory") { Set-Location -Path $directoryInfo.FullName break } } $regex = New-Object System.Text.RegularExpressions.RegEx("NTSYSCALLAPI[\w\s_]*NTAPI\s*(Nt(\w)*)\(.*?\);", [System.Text.RegularExpressions.RegexOptions]::Singleline) $definitions = @() $files = Get-ChildItem -Path $BaseDirectory -Filter "*.h" -Exclude "ntuser.h" -Recurse foreach ($file in $files) { $text = Get-Content -Path $file.FullName -Raw if ([String]::IsNullOrEmpty($text)) { continue } $textmatches = $regex.Matches($text) foreach ($match in $textmatches) { $definitions += [PSCustomObject]@{ Name = $match.Groups[1].Value Text = $match.Value NameIndex = $match.Groups[1].Index - $match.Index } } } $defs = $definitions | Sort-Object -Property Name -CaseSensitive -Unique $fileName = New-Item -Name ($BaseDirectory + '\\' + $OutputFile) -ItemType File -Force $fileStream = $fileName.OpenWrite() $sw = [System.IO.StreamWriter]::new($fileStream) $sw.Write($Header) Write-Host "Updating $($fileName)" foreach ($d in $defs) { Write-Host "System service: $($d.Name)" $sw.Write($d.Text.Substring(0, $d.NameIndex) + "Zw" + $d.Text.Substring($d.NameIndex + 2) + "`r`n`r`n") } $sw.Write($Footer) $sw.Dispose() $fileStream.Dispose(); } # Entry point InitializeScriptEnvironment; # Check the current directory CheckSolutionDirectory; # Update the ntzwapi.h exports GenerateZw; ================================================ FILE: cmake/commands.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}) include(tools) include(platform) include(tracewpp) set(SI_UM_CLANG_NO_DIAGNOSTICS -Wno-c23-extensions -Wno-incompatible-pointer-types -Wno-missing-braces -Wno-parentheses -Wno-pointer-sign -Wno-switch -Wno-unused-but-set-variable -Wno-unused-function -Wno-unused-variable -Wno-visibility -Wno-defaulted-function-deleted -Wno-class-conversion -Wno-microsoft-explicit-constructor-call -Wno-nontrivial-memaccess ) # # Helper function for setting up a System Informer target # function(_si_set_target_defaults target) set(options PLUGIN) set(oneValueArgs TYPE) set(multiValueArgs) cmake_parse_arguments(PARSE_ARGV 0 arg "${options}" "${oneValueArgs}" "${multiValueArgs}") if(NOT arg_TYPE MATCHES "^(UM|KM)(_LIB|_BIN)$") message(FATAL_ERROR "Invalid target type: ${arg_TYPE}") endif() target_link_options(${target} PRIVATE /NATVIS:${SI_ROOT}/SystemInformer.natvis) if(NOT SI_OUTPUT_DIR STREQUAL "" AND NOT SI_OUTPUT_DIR STREQUAL "OFF") if(arg_PLUGIN) set_target_properties(${target} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${SI_OUTPUT_DIR}/$${SI_PLATFORM_SHORT}/plugins" ARCHIVE_OUTPUT_DIRECTORY "${SI_OUTPUT_DIR}/$${SI_PLATFORM_SHORT}/plugins" PDB_OUTPUT_DIRECTORY "${SI_OUTPUT_DIR}/$${SI_PLATFORM_SHORT}/plugins" ) else() set_target_properties(${target} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${SI_OUTPUT_DIR}/$${SI_PLATFORM_SHORT}" ARCHIVE_OUTPUT_DIRECTORY "${SI_OUTPUT_DIR}/$${SI_PLATFORM_SHORT}" PDB_OUTPUT_DIRECTORY "${SI_OUTPUT_DIR}/$${SI_PLATFORM_SHORT}" ) endif() endif() get_target_property(_target_sources ${target} SOURCES) if(NOT _target_sources) set(_target_sources "") endif() if(arg_TYPE STREQUAL "UM_LIB") target_compile_options(${target} PRIVATE /Gz) # __stcall calling convention target_link_options(${target} PRIVATE /SUBSYSTEM:WINDOWS,6.1) if(MSVC_CLANG) target_compile_options(${target} PRIVATE ${SI_UM_CLANG_NO_DIAGNOSTICS}) endif() if(SI_WITH_WPP_USER) si_target_tracewpp(${target} WPP_USER_MODE WPP_EXT ".c.cpp.h.hpp" WPP_PRESERVE_EXT WPP_SCAN "${CMAKE_SOURCE_DIR}/phlib/include/trace.h" ${_target_sources} ) target_link_libraries(${target} PRIVATE advapi32) else() target_compile_definitions(${target} PRIVATE SI_NO_WPP) endif() elseif(arg_TYPE STREQUAL "UM_BIN") target_compile_options(${target} PRIVATE /Gz) # __stcall calling convention target_link_options(${target} PRIVATE /SUBSYSTEM:WINDOWS,6.1) if(MSVC_CLANG) target_compile_options(${target} PRIVATE ${SI_UM_CLANG_NO_DIAGNOSTICS}) endif() if(SI_WITH_WPP_USER) si_target_tracewpp(${target} WPP_USER_MODE WPP_EXT ".c.cpp.h.hpp" WPP_PRESERVE_EXT WPP_SCAN "${CMAKE_SOURCE_DIR}/phlib/include/trace.h" ${_target_sources} ) target_link_libraries(${target} PRIVATE advapi32) else() target_compile_definitions(${target} PRIVATE SI_NO_WPP) endif() si_kphsign(${target}) elseif(arg_TYPE STREQUAL "KM_LIB") if(SI_WITH_WPP_KERNEL) si_target_tracewpp(${target} WPP_KERNEL_MODE WPP_EXT ".c.cpp.h.hpp" WPP_PRESERVE_EXT WPP_SCAN "${CMAKE_SOURCE_DIR}/KSystemInformer/include/trace.h" ${_target_sources} ) else() target_compile_definitions(${target} PRIVATE KSI_NO_WPP) endif() elseif(arg_TYPE STREQUAL "KM_BIN") set_target_properties(${target} PROPERTIES SUFFIX ".sys") if(SI_WITH_WPP_KERNEL) si_target_tracewpp(${target} WPP_KERNEL_MODE WPP_EXT ".c.cpp.h.hpp" WPP_PRESERVE_EXT WPP_SCAN "${CMAKE_SOURCE_DIR}/KSystemInformer/include/trace.h" ${_target_sources} ) else() target_compile_definitions(${target} PRIVATE KSI_NO_WPP) endif() endif() if (arg_PLUGIN) target_link_libraries(${target} PRIVATE SystemInformer thirdparty) target_include_directories(${target} PRIVATE "${SI_ROOT}/plugins/include" "${SI_ROOT}/phnt/include" "${SI_ROOT}/sdk/include" "${SI_ROOT}/kphlib/include" ) target_link_directories(${target} PRIVATE "${SI_ROOT}/sdk/lib/${SI_PLATFORM_SDK_LIB}" "${SI_OUTPUT_DIR}/$${SI_PLATFORM_SHORT}" ) endif() if(SI_WITH_PREFAST) # TODO configure this with the additional analysis options and ruleset # once the kph-staging branch is merged into master. target_compile_options(${target} PRIVATE /analyze) endif() endfunction() # # add_library for user mode System Informer libraries # function(si_add_library target) add_library(${target} ${ARGN}) _si_set_target_defaults(${target} TYPE UM_LIB) endfunction() # # add_executable for user mode System Informer executables # function(si_add_executable target) add_executable(${target} ${ARGN}) _si_set_target_defaults(${target} TYPE UM_BIN) endfunction() # # add_library for System Informer plugins # function(si_add_plugin target) add_library(${target} SHARED ${ARGN}) _si_set_target_defaults(${target} TYPE UM_LIB PLUGIN) endfunction() # # add_library for kernel mode System Informer libraries # function(si_add_kernel_library target) add_library(${target} ${ARGN}) _si_set_target_defaults(${target} TYPE KM_LIB) endfunction() # # add_executable for kernel mode System Informer drivers # function(si_add_kernel_driver target) add_executable(${target} ${ARGN}) _si_set_target_defaults(${target} TYPE KM_BIN) endfunction() ================================================ FILE: cmake/platform.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # if(MSVC AND CMAKE_C_COMPILER_ID STREQUAL "Clang") set(MSVC_CLANG ON) else() set(MSVC_CLANG OFF) endif() if (MSVC AND NOT CMAKE_C_COMPILER_ID STREQUAL "Clang") set(MSVC_NOT_CLANG ON) else() set(MSVC_NOT_CLANG OFF) endif() if(CMAKE_VS_PLATFORM_NAME) set(SI_PLATFORM "${CMAKE_VS_PLATFORM_NAME}") elseif(CMAKE_GENERATOR_PLATFORM) if(CMAKE_GENERATOR_PLATFORM MATCHES "x64|AMD64|x86_64") set(SI_PLATFORM "x64") elseif(CMAKE_GENERATOR_PLATFORM MATCHES "ARM64|aarch64") set(SI_PLATFORM "ARM64") elseif(CMAKE_GENERATOR_PLATFORM MATCHES "i[3-6]86|[xX]86|Win32") set(SI_PLATFORM "Win32") else() message(FATAL_ERROR "Unsupported platform: ${CMAKE_GENERATOR_PLATFORM}") endif() elseif(CMAKE_C_COMPILER_ARCHITECTURE_ID) if(CMAKE_C_COMPILER_ARCHITECTURE_ID MATCHES "x64|AMD64|x86_64") set(SI_PLATFORM "x64") elseif(CMAKE_C_COMPILER_ARCHITECTURE_ID MATCHES "ARM64|aarch64") set(SI_PLATFORM "ARM64") elseif(CMAKE_C_COMPILER_ARCHITECTURE_ID MATCHES "i[3-6]86|[xX]86|Win32") set(SI_PLATFORM "Win32") else() message(FATAL_ERROR "Unsupported platform: ${CMAKE_C_COMPILER_ARCHITECTURE_ID}") endif() else() message(FATAL_ERROR "Unable to detect target platform.") endif() if(SI_PLATFORM STREQUAL "x64") set(SI_PLATFORM_SHORT "64") set(SI_PLATFORM_SDK_LIB "amd64") elseif(SI_PLATFORM STREQUAL "ARM64") set(SI_PLATFORM_SHORT "ARM64") set(SI_PLATFORM_SDK_LIB "arm64") elseif(SI_PLATFORM STREQUAL "Win32") set(SI_PLATFORM_SHORT "32") set(SI_PLATFORM_SDK_LIB "i386") else() message(FATAL_ERROR "Unexpected platform: ${SI_PLATFORM}") endif() ================================================ FILE: cmake/prefast.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # include(commands) # # Enables PREfast analysis using a props file (for VS generators). # function(_si_target_prefast_props target) set(options) set(oneValueArgs RULE_SET STACK_SIZE) set(multiValueArgs EXCLUDE_PATHS) cmake_parse_arguments(PARSE_ARGV 1 arg "${options}" "${oneValueArgs}" "${multiValueArgs}") set(_ruleset) if(DEFINED arg_RULE_SET) if(IS_ABSOLUTE "${arg_RULE_SET}") set(_ruleset "${arg_RULE_SET}") else() set(_ruleset "${CMAKE_CURRENT_SOURCE_DIR}/${arg_RULE_SET}") endif() cmake_path(NATIVE_PATH _ruleset NORMALIZE _ruleset) endif() if(DEFINED arg_STACK_SIZE) set(_stack_size "stacksize${arg_STACK_SIZE}") else() set(_stack_size "stacksize1024") endif() set(_exclude_paths) foreach(_arg ${arg_EXCLUDE_PATHS}) if(IS_ABSOLUTE "${_arg}") set(_exclude_path "${_arg}") else() set(_exclude_path "${CMAKE_CURRENT_SOURCE_DIR}/${_arg}") endif() cmake_path(NATIVE_PATH _exclude_path NORMALIZE _exclude_path) list(APPEND _exclude_paths ${_exclude_path}) endforeach() set(_props_file "${CMAKE_CURRENT_BINARY_DIR}/${target}_prefast.props") string(APPEND _props "\n") string(APPEND _props " \n") string(APPEND _props " true\n") string(APPEND _props " true\n") if(_ruleset) string(APPEND _props " ${_ruleset}\n") endif() foreach(_exclude_path ${_exclude_paths}) string(APPEND _props " ${_exclude_path};$(CAExcludePath)\n") endforeach() string(APPEND _props " ${_stack_size};$(PREfastAdditionalOptions)\n") string(APPEND _props " \n") string(APPEND _props "\n") file(GENERATE OUTPUT "${_props_file}" CONTENT "${_props}") set_target_properties(${target} PROPERTIES VS_USER_PROPS "${_props_file}") endfunction() # # Enables PREfast analysis compiler configuration (for non-VS generators). # function(_si_target_prefast_opts target) set(options) set(oneValueArgs RULE_SET STACK_SIZE) set(multiValueArgs EXCLUDE_PATHS) cmake_parse_arguments(PARSE_ARGV 1 arg "${options}" "${oneValueArgs}" "${multiValueArgs}") # # Doing this without the MSBuild system requires looking up some necessary # parts to pass to the compiler ourself: # 1. The project directory. # 2. The directories which contain predefined rulesets. # 3. Plugins for analysis. # cmake_path(NATIVE_PATH CMAKE_CURRENT_SOURCE_DIR NORMALIZE _project_dir) string(REGEX REPLACE "[\\\\/]+$" "" _project_dir "${_project_dir}") find_path(_rulesets_dir "AllRules.ruleset" PATHS ENV "VSINSTALLDIR" PATH_SUFFIXES "Team Tools/Static Analysis Tools/Rule Sets" REQUIRED ) string(REGEX REPLACE "[\\\\/]+$" "" _rulesets_dir "${_rulesets_dir}") # # Plugins other than EspXEngine are disabled for now. Only EspXEngine is # included by MSBuild for user mode code analysis. Including the others in # user mode causes some interesting analysis errors. If this path ever gets # used for kernel mode builds this section should be revisited. (jxy-s) # set(_plugins) find_program(_plugin "EspXEngine.dll" PATHS "VC/Tools/MSVC" REQUIRED) cmake_path(NATIVE_PATH _plugin NORMALIZE _plugin) list(APPEND _plugins ${_plugin}) #find_program(_plugin "WindowsPrefast.dll" PATHS "Windows Kits/10/bin" REQUIRED) #cmake_path(NATIVE_PATH _plugin NORMALIZE _plugin) #list(APPEND _plugins ${_plugin}) #find_program(_plugin "drivers.dll" PATHS "Windows Kits/10/bin" REQUIRED) #cmake_path(NATIVE_PATH _plugin NORMALIZE _plugin) #list(APPEND _plugins ${_plugin}) # # Handle arguments - N.B. exclude paths will be handled later. # set(_ruleset) if(DEFINED arg_RULE_SET) if(IS_ABSOLUTE "${arg_RULE_SET}") set(_ruleset "${arg_RULE_SET}") else() set(_ruleset "${CMAKE_CURRENT_SOURCE_DIR}/${arg_RULE_SET}") endif() cmake_path(NATIVE_PATH _ruleset NORMALIZE _ruleset) endif() if(DEFINED arg_STACK_SIZE) set(_stack_size "stacksize${arg_STACK_SIZE}") else() set(_stack_size "stacksize1024") endif() # # Create a response file to bypass CMake's automatic escaping. # set(_response_file "${CMAKE_CURRENT_BINARY_DIR}/${target}_prefast.rsp") string(APPEND _analyze "/analyze\n") string(APPEND _analyze "/analyze:projectdirectory\"${_project_dir}\"\n") string(APPEND _analyze "/analyze:rulesetdirectory\";${_rulesets_dir};\"\n") if(_ruleset) string(APPEND _analyze "/analyze:ruleset\"${_ruleset}\"\n") endif() string(APPEND _analyze "/analyze:${_stack_size}\n") foreach(_plugin ${_plugins}) string(APPEND _analyze "/analyze:plugin\"${_plugin}\"\n") endforeach() file(GENERATE OUTPUT "${_response_file}" CONTENT "${_analyze}") cmake_path(NATIVE_PATH _response_file NORMALIZE _response_file) # # Configure the compiler for analysis. # target_compile_definitions(${target} PRIVATE CODE_ANALYSIS) target_compile_options(${target} PRIVATE "@${_response_file}") # # Handle exclude path arguments. # # The analyzer expects the CAExcludePath environment variable to be set to # exclude certain paths from code analysis. So generate a compiler wrapper # script that sets the environment variable to exclude files from analysis # that should be. # set(_exclude_paths) foreach(_arg ${arg_EXCLUDE_PATHS}) if(IS_ABSOLUTE "${_arg}") set(_exclude_path "${_arg}") else() set(_exclude_path "${CMAKE_CURRENT_SOURCE_DIR}/${_arg}") endif() cmake_path(NATIVE_PATH _exclude_path NORMALIZE _exclude_path) list(APPEND _exclude_paths ${_exclude_path}) endforeach() if (_exclude_paths) string(JOIN ";" _exclude_paths ${_exclude_paths}) set(_wrapper_file "${CMAKE_CURRENT_BINARY_DIR}/${target}_prefast_wrapper.cmd") string(APPEND _wrapper "@echo off\n") string(APPEND _wrapper "set \"CAExcludePath=${_exclude_paths}\"\n") string(APPEND _wrapper "%*\n") file(GENERATE OUTPUT "${_wrapper_file}" CONTENT "${_wrapper}") set_target_properties(${target} PROPERTIES CXX_COMPILER_LAUNCHER "${_wrapper_file}" C_COMPILER_LAUNCHER "${_wrapper_file}" ) endif() endfunction() # # Enables PREfast analysis for a given target. # function(si_target_prefast target) set(options) set(oneValueArgs RULE_SET STACK_SIZE) set(multiValueArgs EXCLUDE_PATHS) cmake_parse_arguments(PARSE_ARGV 1 arg "${options}" "${oneValueArgs}" "${multiValueArgs}") if(NOT MSVC_NOT_CLANG) message(NOTICE "PREfast skipped for ${target} because it is not compatible with Clang.") return() endif() # # Append exclude paths that are excluded from PREfast by MSBuild by default. # Note that using EXTERNAL_INCLUDE and INCLUDE is a cheat here, but it's # close enough. See: Microsoft.CodeAnalysis.Targets CAExcludePath # set(_exclude_paths ${arg_EXCLUDE_PATHS}) list(APPEND _exclude_paths $ENV{EXTERNAL_INCLUDE}) list(APPEND _exclude_paths $ENV{INCLUDE}) list(REMOVE_DUPLICATES _exclude_paths) if(CMAKE_GENERATOR MATCHES "Visual Studio") _si_target_prefast_props(${target} RULE_SET ${arg_RULE_SET} STACK_SIZE ${arg_STACK_SIZE} EXCLUDE_PATHS ${_exclude_paths} ) else() _si_target_prefast_opts(${target} RULE_SET ${arg_RULE_SET} STACK_SIZE ${arg_STACK_SIZE} EXCLUDE_PATHS ${_exclude_paths} ) endif() endfunction() ================================================ FILE: cmake/toolchain/clang-msvc-amd64.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(CMAKE_SYSTEM_NAME Windows) set(CMAKE_SYSTEM_PROCESSOR AMD64) if(CMAKE_GENERATOR MATCHES "Visual Studio") set(CMAKE_GENERATOR_PLATFORM x64) endif() set(CMAKE_C_COMPILER clang-cl) set(CMAKE_CXX_COMPILER clang-cl) set(CMAKE_LINKER link) set(CMAKE_AR lib) set(CMAKE_C_COMPILER_AR lib) set(CMAKE_CXX_COMPILER_AR lib) set(CMAKE_NINJA_CMCLDEPS_RC OFF) set(CMAKE_MC_COMPILER mc) set(CMAKE_RC_COMPILER rc) set(CMAKE_C_COMPILER_TARGET "x86_64-pc-windows-msvc") set(CMAKE_CXX_COMPILER_TARGET "x86_64-pc-windows-msvc") set(CMAKE_USER_MAKE_RULES_OVERRIDE ${CMAKE_CURRENT_LIST_DIR}/override-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/clang-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/finalize-msvc.cmake) ================================================ FILE: cmake/toolchain/clang-msvc-arm64.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(CMAKE_SYSTEM_NAME Windows) set(CMAKE_SYSTEM_PROCESSOR ARM64) if(CMAKE_GENERATOR MATCHES "Visual Studio") set(CMAKE_GENERATOR_PLATFORM ARM64) endif() set(CMAKE_C_COMPILER clang-cl) set(CMAKE_CXX_COMPILER clang-cl) set(CMAKE_LINKER link) set(CMAKE_AR lib) set(CMAKE_C_COMPILER_AR lib) set(CMAKE_CXX_COMPILER_AR lib) set(CMAKE_NINJA_CMCLDEPS_RC OFF) set(CMAKE_MC_COMPILER mc) set(CMAKE_RC_COMPILER rc) set(CMAKE_C_COMPILER_TARGET "arm64-pc-windows-msvc") set(CMAKE_CXX_COMPILER_TARGET "arm64-pc-windows-msvc") set(CMAKE_USER_MAKE_RULES_OVERRIDE ${CMAKE_CURRENT_LIST_DIR}/override-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/clang-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/finalize-msvc.cmake) ================================================ FILE: cmake/toolchain/clang-msvc-x86.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(CMAKE_SYSTEM_NAME Windows) set(CMAKE_SYSTEM_PROCESSOR x86) if(CMAKE_GENERATOR MATCHES "Visual Studio") set(CMAKE_GENERATOR_PLATFORM Win32) endif() set(CMAKE_C_COMPILER clang-cl) set(CMAKE_CXX_COMPILER clang-cl) set(CMAKE_LINKER link) set(CMAKE_AR lib) set(CMAKE_C_COMPILER_AR lib) set(CMAKE_CXX_COMPILER_AR lib) set(CMAKE_NINJA_CMCLDEPS_RC OFF) set(CMAKE_MC_COMPILER mc) set(CMAKE_RC_COMPILER rc) set(CMAKE_C_FLAGS "-m32") set(CMAKE_CXX_FLAGS "-m32") set(CMAKE_C_COMPILER_TARGET "i686-pc-windows-msvc") set(CMAKE_CXX_COMPILER_TARGET "i686-pc-windows-msvc") set(CMAKE_USER_MAKE_RULES_OVERRIDE ${CMAKE_CURRENT_LIST_DIR}/override-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/clang-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/finalize-msvc.cmake) ================================================ FILE: cmake/toolchain/clang-msvc.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(_clang_version) execute_process( COMMAND clang-cl --version OUTPUT_VARIABLE _clang_output RESULT_VARIABLE _clang_result ) if(_clang_result EQUAL 0) if(_clang_output MATCHES "clang version ([0-9]+)\\.([0-9]+)\\.([0-9]+)") set(_clang_major ${CMAKE_MATCH_1}) set(_clang_minor ${CMAKE_MATCH_2}) set(_clang_patch ${CMAKE_MATCH_3}) math(EXPR _clang_version "${_clang_major} * 10000 + ${_clang_minor} * 100 + ${_clang_patch}") endif() endif() if(NOT _clang_version) message(FATAL_ERROR "Failed to resolve clang version: ${_clang_result}\n${_clang_output}") endif() include(${CMAKE_CURRENT_LIST_DIR}/msvc.cmake) set(SI_C_STANDARD_FLAG /std:c17) set(SI_CXX_STANDARD_FLAG /std:c++latest) set(CMAKE_RC_FLAGS_INIT "/nologo") set(_remove "__SI_REMOVE") set(SI_CLANG_MSVC_REPLACE_COMPILE_FLAGS /MP ${_remove} /Gm- ${_remove} /Zc:preprocessor ${_remove} /d1nodatetime ${_remove} /guard:xfg ${_remove} /ZI /Z7 # TODO(jxy-s) Investigate failures related to this flag. /Qspectre ${_remove} # -mspeculative-load-hardening /guard:signret -msign-return-address=all ) list(LENGTH SI_CLANG_MSVC_REPLACE_COMPILE_FLAGS _replace_total) math(EXPR _max_idx "${_replace_total} - 1") foreach(_idx RANGE 0 ${_max_idx} 2) math(EXPR _next_idx "${_idx} + 1") list(GET SI_CLANG_MSVC_REPLACE_COMPILE_FLAGS ${_idx} _old_flag) list(GET SI_CLANG_MSVC_REPLACE_COMPILE_FLAGS ${_next_idx} _new_flag) if(_new_flag STREQUAL "${_remove}") message(VERBOSE "clang-msvc removing: ${_old_flag}") list(REMOVE_ITEM SI_COMPILE_FLAGS_INIT ${_old_flag}) list(REMOVE_ITEM SI_COMPILE_FLAGS_DEBUG_INIT ${_old_flag}) list(REMOVE_ITEM SI_COMPILE_FLAGS_RELEASE_INIT ${_old_flag}) else() message(VERBOSE "clang-msvc replacing: ${_old_flag} ${_new_flag}") list(TRANSFORM SI_COMPILE_FLAGS_INIT REPLACE "${_old_flag}" "${_new_flag}") list(TRANSFORM SI_COMPILE_FLAGS_DEBUG_INIT REPLACE "${_old_flag}" "${_new_flag}") list(TRANSFORM SI_COMPILE_FLAGS_RELEASE_INIT REPLACE "${_old_flag}" "${_new_flag}") endif() endforeach() list(APPEND SI_COMPILE_FLAGS_INIT -fcolor-diagnostics # Quality of life compiler output -fansi-escape-codes # Quality of life compiler output ) if(CMAKE_SYSTEM_PROCESSOR STREQUAL "ARM64") list(APPEND SI_COMPILE_FLAGS_INIT -mcrc # Enable ARM64 CRC32 instructions ) else() list(APPEND SI_COMPILE_FLAGS_INIT -mavx # Enable AVX instructions -mavx2 # Enable AVX2 instructions -mavx512vl # Enable AVX512VL instructions -mrdrnd # Enable RDRAND instructions ) endif() # # Only suppress here if Microsoft code ends up needing it. # list(APPEND SI_COMPILE_FLAGS_INIT -fms-compatibility -fms-extensions -Wno-comment -Wno-extern-c-compat -Wno-extern-initializer -Wno-ignored-attributes -Wno-ignored-pragma-intrinsic -Wno-microsoft-anon-tag -Wno-microsoft-enum-forward-reference -Wno-microsoft-include -Wno-overloaded-virtual -Wno-pragma-pack -Wno-unknown-pragmas -Wno-unused-local-typedef -Wno-unused-value -Wno-defaulted-function-deleted -Wno-class-conversion -Wno-microsoft-explicit-constructor-call # TODO(jxy-s) Needs investigation. Works locally, but fails on CI. -Wno-int-to-void-pointer-cast -Wno-void-pointer-to-int-cast ) if(_clang_version LESS 210100) list(APPEND SI_COMPILE_FLAGS_INIT -Wno-microsoft-static-assert ) endif() if(CMAKE_SYSTEM_PROCESSOR STREQUAL "ARM64") list(APPEND SI_COMPILE_FLAGS_INIT -Wno-implicit-function-declaration ) endif() if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86") list(APPEND SI_COMPILE_FLAGS_INIT -Wno-missing-prototype-for-cc ) endif() ================================================ FILE: cmake/toolchain/finalize-msvc.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(SI_C_FLAGS_INIT ${SI_C_STANDARD_FLAG} ${SI_COMPILE_FLAGS_INIT}) set(SI_C_FLAGS_DEBUG_INIT ${SI_COMPILE_FLAGS_DEBUG_INIT}) set(SI_C_FLAGS_RELEASE_INIT ${SI_COMPILE_FLAGS_RELEASE_INIT}) set(SI_CXX_FLAGS_INIT ${SI_CXX_STANDARD_FLAG} ${SI_COMPILE_FLAGS_INIT}) set(SI_CXX_FLAGS_DEBUG_INIT ${SI_COMPILE_FLAGS_DEBUG_INIT}) set(SI_CXX_FLAGS_RELEASE_INIT ${SI_COMPILE_FLAGS_RELEASE_INIT}) set(SI_EXE_LINKER_FLAGS_INIT ${SI_LINK_FLAGS_INIT}) set(SI_EXE_LINKER_FLAGS_DEBUG_INIT ${SI_LINK_FLAGS_DEBUG_INIT}) set(SI_EXE_LINKER_FLAGS_RELEASE_INIT ${SI_LINK_FLAGS_RELEASE_INIT}) set(SI_SHARED_LINKER_FLAGS_INIT ${SI_LINK_FLAGS_INIT}) set(SI_SHARED_LINKER_FLAGS_DEBUG_INIT ${SI_LINK_FLAGS_DEBUG_INIT}) set(SI_SHARED_LINKER_FLAGS_RELEASE_INIT ${SI_LINK_FLAGS_RELEASE_INIT}) set(SI_MODULE_LINKER_FLAGS_INIT ${SI_LINK_FLAGS_INIT}) set(SI_MODULE_LINKER_FLAGS_DEBUG_INIT ${SI_LINK_FLAGS_DEBUG_INIT}) set(SI_MODULE_LINKER_FLAGS_RELEASE_INIT ${SI_LINK_FLAGS_RELEASE_INIT}) set(SI_STATIC_LINKER_FLAGS_INIT ${SI_STATIC_LINK_FLAGS_INIT}) set(SI_STATIC_LINKER_FLAGS_DEBUG_INIT ${SI_STATIC_LINK_FLAGS_DEBUG_INIT}) set(SI_STATIC_LINKER_FLAGS_RELEASE_INIT ${SI_STATIC_LINK_FLAGS_RELEASE_INIT}) macro(_si_set_init _suffix) set(__joined) list(JOIN SI_${_suffix}_INIT " " __joined) set(CMAKE_${_suffix} "${__joined}") endmacro() _si_set_init(C_FLAGS) _si_set_init(C_FLAGS_DEBUG) _si_set_init(C_FLAGS_RELEASE) _si_set_init(CXX_FLAGS) _si_set_init(CXX_FLAGS_DEBUG) _si_set_init(CXX_FLAGS_RELEASE) _si_set_init(EXE_LINKER_FLAGS) _si_set_init(EXE_LINKER_FLAGS_DEBUG) _si_set_init(EXE_LINKER_FLAGS_RELEASE) _si_set_init(SHARED_LINKER_FLAGS) _si_set_init(SHARED_LINKER_FLAGS_DEBUG) _si_set_init(SHARED_LINKER_FLAGS_RELEASE) _si_set_init(MODULE_LINKER_FLAGS) _si_set_init(MODULE_LINKER_FLAGS_DEBUG) _si_set_init(MODULE_LINKER_FLAGS_RELEASE) _si_set_init(STATIC_LINKER_FLAGS) _si_set_init(STATIC_LINKER_FLAGS_DEBUG) _si_set_init(STATIC_LINKER_FLAGS_RELEASE) ================================================ FILE: cmake/toolchain/msvc-amd64.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(CMAKE_SYSTEM_NAME Windows) set(CMAKE_SYSTEM_PROCESSOR AMD64) if(CMAKE_GENERATOR MATCHES "Visual Studio") set(CMAKE_GENERATOR_PLATFORM x64) endif() set(CMAKE_C_COMPILER cl) set(CMAKE_CXX_COMPILER cl) set(CMAKE_LINKER link) set(CMAKE_MC_COMPILER mc) set(CMAKE_RC_COMPILER rc) set(CMAKE_USER_MAKE_RULES_OVERRIDE ${CMAKE_CURRENT_LIST_DIR}/override-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/finalize-msvc.cmake) ================================================ FILE: cmake/toolchain/msvc-arm64.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(CMAKE_SYSTEM_NAME Windows) set(CMAKE_SYSTEM_PROCESSOR ARM64) if(CMAKE_GENERATOR MATCHES "Visual Studio") set(CMAKE_GENERATOR_PLATFORM ARM64) endif() set(CMAKE_C_COMPILER cl) set(CMAKE_CXX_COMPILER cl) set(CMAKE_LINKER link) set(CMAKE_MC_COMPILER mc) set(CMAKE_RC_COMPILER rc) set(CMAKE_USER_MAKE_RULES_OVERRIDE ${CMAKE_CURRENT_LIST_DIR}/override-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/finalize-msvc.cmake) ================================================ FILE: cmake/toolchain/msvc-x86.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(CMAKE_SYSTEM_NAME Windows) set(CMAKE_SYSTEM_PROCESSOR x86) if(CMAKE_GENERATOR MATCHES "Visual Studio") set(CMAKE_GENERATOR_PLATFORM Win32) endif() set(CMAKE_C_COMPILER cl) set(CMAKE_CXX_COMPILER cl) set(CMAKE_LINKER link) set(CMAKE_MC_COMPILER mc) set(CMAKE_RC_COMPILER rc) set(CMAKE_USER_MAKE_RULES_OVERRIDE ${CMAKE_CURRENT_LIST_DIR}/override-msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/msvc.cmake) include(${CMAKE_CURRENT_LIST_DIR}/finalize-msvc.cmake) ================================================ FILE: cmake/toolchain/msvc.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(SI_C_STANDARD_FLAG /std:clatest) set(SI_CXX_STANDARD_FLAG /std:c++latest) # # Compiler flags # set(SI_COMPILE_FLAGS_INIT /diagnostics:caret # Quality of life compiler output /W3 # Warning level 3 /MP # Multi-processor compilation /WX # Treat warnings as errors /Oi # Enable intrinsic functions /GF # Enable string pooling /Gm- # Disable minimal rebuild /GS # Buffer security check /Gy # Enable function-level linking /Zc:wchar_t # wchar_t is native type /Zc:forScope # Force conformance in for loop scope /Zc:inline # Remove unreferenced functions /Zc:rvalueCast # Enforce type conversion rules /Zc:preprocessor # New preprocessor conformance /permissive- # Standards conformance /external:W3 # Warning level for external headers /utf-8 # Set source and execution charsets to UTF-8 /DEBUG # Generate debug info /fp:precise # Precise floating point /EHsc # Exception handling model /sdl # Additional security checks /d1nodatetime # Disable date/time in debug info ) set(SI_COMPILE_FLAGS_DEBUG_INIT /ZI # Debug information format (edit and continue) /MTd # Static runtime library (debug) /Od # Optimizations (disabled) /RTC1 # Run-time error checks ) set(SI_COMPILE_FLAGS_RELEASE_INIT /Z7 # Debug information format (full) /MT # Static runtime library /O2 # Optimizations (maximum speed) /Qspectre # Enable spectre mitigations /guard:cf # Control flow guard ) # # Linker flags # set(SI_STATIC_LINK_FLAGS_INIT /MACHINE:${CMAKE_SYSTEM_PROCESSOR} # Target platform ) set(SI_LINK_FLAGS_INIT /MACHINE:${CMAKE_SYSTEM_PROCESSOR} # Target platform /DEBUG # Generate debug info /DEBUGTYPE:CV,PDATA /DYNAMICBASE # Enable ASLR /NXCOMPAT # Enable DEP /DEPENDENTLOADFLAG:0x800 # LOAD_LIBRARY_SEARCH_SYSTEM32 /FILEALIGN:0x1000 # Align sections to 4K /BREPRO # Reproducible builds /LARGEADDRESSAWARE # Handles addresses larger than 2GB /BASERELOCCLUSTERING # Better relocation compression ) set(SI_LINK_FLAGS_DEBUG_INIT /INCREMENTAL # Incremental linking ) set(SI_LINK_FLAGS_RELEASE_INIT /RELEASE # Set release checksum /INCREMENTAL:NO # Incremental linking off /OPT:REF # Eliminate unreferenced /OPT:ICF # COMDAT folding /LTCG # Link-time code generation /GUARD:CF # Control flow guard ) # # Processor specific options # if(CMAKE_SYSTEM_PROCESSOR STREQUAL "ARM64") list(APPEND SI_COMPILE_FLAGS_RELEASE_INIT /guard:signret # Signed return instruction generation /guard:ehcont # EH continuation guard ) list(APPEND SI_LINK_FLAGS_RELEASE_INIT /GUARD:EHCONT # EH continuation guard ) elseif(CMAKE_SYSTEM_PROCESSOR STREQUAL "AMD64") list(APPEND SI_COMPILE_FLAGS_RELEASE_INIT /guard:xfg # Extended flow guard /guard:ehcont # EH continuation guard /QIntel-jcc-erratum # Intel erratum 1279 ) list(APPEND SI_LINK_FLAGS_RELEASE_INIT /GUARD:XFG # Extended flow guard /GUARD:EHCONT # EH continuation guard /CETCOMPAT # CET compatibility ) elseif(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86") list(APPEND SI_COMPILE_FLAGS_RELEASE_INIT /QIntel-jcc-erratum # Intel erratum 1279 ) list(APPEND SI_LINK_FLAGS_RELEASE_INIT /SAFESEH # EH continuation guard /CETCOMPAT # CET compatibility ) else() message(FATAL_ERROR "Unknown system processor: ${CMAKE_SYSTEM_PROCESSOR}") endif() ================================================ FILE: cmake/toolchain/override-msvc.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(CMAKE_MSVC_RUNTIME_CHECKS "") set(CMAKE_MSVC_RUNTIME_LIBRARY "") set(CMAKE_MSVC_DEBUG_INFORMATION_FORMAT "") set(CMAKE_C_FLAGS_INIT "") set(CMAKE_C_FLAGS_DEBUG_INI "") set(CMAKE_C_FLAGS_RELEASE_INIT "") set(CMAKE_C_STANDARD_LIBRARIES_INIT "") set(CMAKE_CXX_FLAGS_INIT "") set(CMAKE_CXX_FLAGS_DEBUG_INIT "") set(CMAKE_CXX_FLAGS_RELEASE_INIT "") set(CMAKE_CXX_STANDARD_LIBRARIES_INIT "") set(CMAKE_EXE_LINKER_FLAGS_INIT "") set(CMAKE_EXE_LINKER_FLAGS_DEBUG_INIT "") set(CMAKE_EXE_LINKER_FLAGS_RELEASE_INIT "") set(CMAKE_SHARED_LINKER_FLAGS_INIT "") set(CMAKE_SHARED_LINKER_FLAGS_DEBUG_INIT "") set(CMAKE_SHARED_LINKER_FLAGS_RELEASE_INIT "") set(CMAKE_MODULE_LINKER_FLAGS_INIT "") set(CMAKE_MODULE_LINKER_FLAGS_DEBUG_INIT "") set(CMAKE_MODULE_LINKER_FLAGS_RELEASE_INIT "") set(CMAKE_STATIC_LINKER_FLAGS_INIT "") set(CMAKE_STATIC_LINKER_FLAGS_DEBUG_INIT "") set(CMAKE_STATIC_LINKER_FLAGS_RELEASE_INIT "") ================================================ FILE: cmake/tools.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # set(SI_CUSTOM_BUILD_TOOL "${SI_ROOT}/tools/CustomBuildTool/bin/Release/$ENV{PROCESSOR_ARCHITECTURE}/CustomBuildTool.exe") if (NOT EXISTS "${SI_CUSTOM_BUILD_TOOL}") message(FATAL_ERROR "CustomBuildTool.exe not found. Run build\\build_tools.cmd first.") endif() function(si_sdkbuild target) add_custom_command( TARGET ${target} POST_BUILD COMMAND "${SI_CUSTOM_BUILD_TOOL}" -sdk -$ -${SI_PLATFORM} -cmake WORKING_DIRECTORY "${SI_ROOT}" VERBATIM ) endfunction() function(si_kphsign target) add_custom_command( TARGET ${target} POST_BUILD COMMAND "${SI_CUSTOM_BUILD_TOOL}" -kphsign "$>" WORKING_DIRECTORY "${SI_ROOT}" VERBATIM ) endfunction() ================================================ FILE: cmake/tracewpp.cmake ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # # # Helper function for adding WPP trace custom commands. # function(_si_tracewpp_command tmh_files src_files) set(options WPP_KERNEL_MODE WPP_USER_MODE WPP_PRESERVE_EXT) set(oneValueArgs WPP_EXT WPP_SCAN WPP_CONFIG_DIR TMH_OUT_DIR) set(multiValueArgs) cmake_parse_arguments(PARSE_ARGV 2 arg "${options}" "${oneValueArgs}" "${multiValueArgs}") if(arg_WPP_KERNEL_MODE) set(_mode "-km") elseif(arg_WPP_USER_MODE) set(_mode "-um") else() message(FATAL_ERROR "WPP_KERNEL_MODE or WPP_USER_MODE must be provided for wpptrace generation.") endif() if(DEFINED arg_WPP_EXT) set(_ext "-ext:${arg_WPP_EXT}") else() message(FATAL_ERROR "WPP_EXT must be provided for wpptrace generation.") endif() if(arg_WPP_PRESERVE_EXT) set(_preserveext "-preserveext:${arg_WPP_EXT}") else() set(_preserveext "") endif() if(DEFINED arg_WPP_SCAN) cmake_path(NATIVE_PATH arg_WPP_SCAN NORMALIZE _scan_file) set(_scan "-scan:\"${_scan_file}\"") else() set(_scan "") endif() if(DEFINED arg_WPP_CONFIG_DIR) cmake_path(NATIVE_PATH arg_WPP_CONFIG_DIR NORMALIZE _cfg_dir) set(_cfgdir "-cfgdir:\"${_cfg_dir}\"") else() set(_cfgdir "") endif() if(DEFINED arg_TMH_OUT_DIR) cmake_path(NATIVE_PATH arg_TMH_OUT_DIR NORMALIZE _out_dir) else() message(FATAL_ERROR "TMH_OUT_DIR must be provided for wpptrace generation.") endif() set(_tmh_files) set(_src_files) foreach(_source_file ${arg_UNPARSED_ARGUMENTS}) # # Check that the source file has a relevant extension. # cmake_path(GET _source_file EXTENSION _file_ext) string(REPLACE "." "\\." _file_ext_match ${_file_ext}) if(NOT ${arg_WPP_EXT} MATCHES ${_file_ext_match}) continue() endif() cmake_path(GET _source_file FILENAME _file_name) if(NOT arg_WPP_PRESERVE_EXT) cmake_path(REMOVE_EXTENSION _file_name) endif() if(IS_ABSOLUTE "${_source_file}") set(_source_file_abs "${_source_file}") else() set(_source_file_abs "${CMAKE_CURRENT_SOURCE_DIR}/${_source_file}") endif() cmake_path(NATIVE_PATH _source_file_abs NORMALIZE _source_file_abs) # # Build the output directory. To avoid collisions the output directory # is appended with the relative path from the target's current source # directory. Also sanitize the path for insertion into the tracewpp # outdir parameter. # cmake_path(GET _source_file_abs PARENT_PATH _tmf_out_dir) cmake_path(RELATIVE_PATH _tmf_out_dir OUTPUT_VARIABLE _tmf_out_dir) cmake_path(APPEND _out_dir "${_tmf_out_dir}" OUTPUT_VARIABLE _tmf_out_dir) cmake_path(NATIVE_PATH _tmf_out_dir NORMALIZE _tmf_out_dir) file(MAKE_DIRECTORY "${_tmf_out_dir}") string(REGEX REPLACE "[\\\\/]+$" "" _tmf_out_dir "${_tmf_out_dir}") set(_odir "-odir:\"${_tmf_out_dir}\"") cmake_path( APPEND _tmf_out_dir "${_file_name}.tmh" OUTPUT_VARIABLE _tmh_file ) cmake_path( RELATIVE_PATH _tmh_file BASE_DIRECTORY ${CMAKE_BINARY_DIR} OUTPUT_VARIABLE _tmh_comment ) cmake_path(NATIVE_PATH _tmh_file NORMALIZE _tmh_file) add_custom_command( OUTPUT ${_tmh_file} COMMAND tracewpp ${_mode} ${_ext} ${_preserveext} ${_cfgdir} ${_odir} ${_scan} "\"${_source_file_abs}\"" DEPENDS "${_source_file_abs}" "${_scan_file}" COMMENT "Generating WPP trace header ${_tmh_comment}" ) list(APPEND _tmh_files ${_tmh_file}) list(APPEND _src_files ${_source_file}) endforeach() set(${tmh_files} ${_tmh_files} PARENT_SCOPE) set(${src_files} ${_src_files} PARENT_SCOPE) endfunction() # # Configures a target for WPP trace generation. # function(si_target_tracewpp target) set(options WPP_KERNEL_MODE WPP_USER_MODE WPP_PRESERVE_EXT) set(oneValueArgs WPP_EXT WPP_SCAN) set(multiValueArgs) cmake_parse_arguments(PARSE_ARGV 1 arg "${options}" "${oneValueArgs}" "${multiValueArgs}") if(arg_WPP_KERNEL_MODE) set(_mode WPP_KERNEL_MODE) elseif(arg_WPP_USER_MODE) set(_mode WPP_USER_MODE) else() message(FATAL_ERROR "WPP_KERNEL_MODE or WPP_USER_MODE must be provided for wpptrace generation.") endif() set(_preserve_ext) if(arg_WPP_PRESERVE_EXT) set(_preserve_ext WPP_PRESERVE_EXT) endif() # # Try to locate the WPP config directory. # find_path(_config_dir "defaultwpp.ini" PATHS ENV "WDKBinRoot" ENV "WindowsSdkVerBinPath" PATH_SUFFIXES "WppConfig/Rev1" REQUIRED ) get_target_property(_target_binary_dir ${target} BINARY_DIR) set(_tmh_out_dir "${_target_binary_dir}/tmh") _si_tracewpp_command(_tmh_files _src_files ${_mode} ${_preserve_ext} WPP_EXT ${arg_WPP_EXT} WPP_SCAN ${arg_WPP_SCAN} WPP_CONFIG_DIR ${_config_dir} TMH_OUT_DIR ${_tmh_out_dir} ${arg_UNPARSED_ARGUMENTS} ) # # N.B. _si_tracewpp_command guarantees that _tmh_files to _src_files # have the same number of elements. The work in this block is setting the # required TMH_FILE compile definition for the individual source files. # Along the way, gather the include directories to be added to the target. # set(_include_dirs) list(LENGTH _tmh_files _list_length) if(_list_length GREATER 0) math(EXPR _max_index "${_list_length} - 1") foreach(_index RANGE ${_max_index}) list(GET _src_files ${_index} _src_file) list(GET _tmh_files ${_index} _tmh_file) cmake_path(GET _tmh_file PARENT_PATH _tmh_dir) list(APPEND _include_dirs "${_tmh_dir}") cmake_path(GET _tmh_file FILENAME _tmh_file) set_source_files_properties(${_src_file} PROPERTIES TARGET_DIRECTORY ${target} COMPILE_DEFINITIONS "TMH_FILE=${_tmh_file}" ) endforeach() endif() # # This custom target associates the custom commands per source file with # actual target. Here we also set the include paths. # list(REMOVE_DUPLICATES _include_dirs) if(_include_dirs) add_custom_target(${target}_tracewpp DEPENDS ${_tmh_files} COMMENT "Generating WPP trace headers for ${target}" ) add_dependencies(${target} ${target}_tracewpp) target_include_directories(${target} PRIVATE ${_include_dirs}) endif() endfunction() ================================================ FILE: kphlib/CMakeLists.txt ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # project(kphlib) set(HEADERS "include/kphapi.h" "include/kphdyn.h" "include/kphdyndata.h" "include/kphlibbase.h" "include/kphmsg.h" "include/kphmsgdefs.h" "include/kphmsgdyn.h" "include/sistatus.h" ) source_group("Header Files" FILES ${HEADERS}) set(RESOURCES "include/sistatus_MSG00001.bin" "kphdyn.xml" "sistatus.mc" ) source_group("Resource Files" FILES ${RESOURCES}) set(SOURCES "kphdyn.c" "kphdyndata.c" "kphmsg.c" "kphmsgdyn.c" "kphringbuff.c" ) source_group("Source Files" FILES SOURCES) set(ALL_FILES ${HEADERS} ${RESOURCES} ${SOURCES} ) si_add_library(kphlib_um STATIC ${ALL_FILES}) target_include_directories(kphlib_um PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/include" ) target_link_libraries(kphlib_um PRIVATE phnt ) ================================================ FILE: kphlib/Directory.Build.props ================================================ ================================================ FILE: kphlib/include/kphapi.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #ifdef _KERNEL_MODE #define PHNT_MODE PHNT_MODE_KERNEL #endif #pragma warning(push) #pragma warning(disable : 4201) // Process typedef ULONG KPH_PROCESS_STATE; typedef KPH_PROCESS_STATE* PKPH_PROCESS_STATE; #define KPH_PROCESS_SECURELY_CREATED 0x00000001ul #define KPH_PROCESS_VERIFIED_PROCESS 0x00000002ul #define KPH_PROCESS_PROTECTED_PROCESS 0x00000004ul #define KPH_PROCESS_NO_UNTRUSTED_IMAGES 0x00000008ul #define KPH_PROCESS_HAS_FILE_OBJECT 0x00000010ul #define KPH_PROCESS_HAS_SECTION_OBJECT_POINTERS 0x00000020ul #define KPH_PROCESS_NO_USER_WRITABLE_REFERENCES 0x00000040ul #define KPH_PROCESS_NO_FILE_TRANSACTION 0x00000080ul #define KPH_PROCESS_NOT_BEING_DEBUGGED 0x00000100ul #define KPH_PROCESS_NO_WRITABLE_FILE_OBJECT 0x00000200ul #define KPH_PROCESS_CREATE_NOTIFICATION 0x00000400ul #define KPH_PROCESS_STATE_MAXIMUM (KPH_PROCESS_SECURELY_CREATED |\ KPH_PROCESS_VERIFIED_PROCESS |\ KPH_PROCESS_PROTECTED_PROCESS |\ KPH_PROCESS_NO_UNTRUSTED_IMAGES |\ KPH_PROCESS_HAS_FILE_OBJECT |\ KPH_PROCESS_HAS_SECTION_OBJECT_POINTERS |\ KPH_PROCESS_NO_USER_WRITABLE_REFERENCES |\ KPH_PROCESS_NO_FILE_TRANSACTION |\ KPH_PROCESS_NOT_BEING_DEBUGGED |\ KPH_PROCESS_NO_WRITABLE_FILE_OBJECT |\ KPH_PROCESS_CREATE_NOTIFICATION) #define KPH_PROCESS_STATE_HIGH (KPH_PROCESS_VERIFIED_PROCESS |\ KPH_PROCESS_PROTECTED_PROCESS |\ KPH_PROCESS_NO_UNTRUSTED_IMAGES |\ KPH_PROCESS_HAS_FILE_OBJECT |\ KPH_PROCESS_HAS_SECTION_OBJECT_POINTERS |\ KPH_PROCESS_NO_USER_WRITABLE_REFERENCES |\ KPH_PROCESS_NO_FILE_TRANSACTION |\ KPH_PROCESS_NOT_BEING_DEBUGGED |\ KPH_PROCESS_NO_WRITABLE_FILE_OBJECT |\ KPH_PROCESS_CREATE_NOTIFICATION) #define KPH_PROCESS_STATE_MEDIUM (KPH_PROCESS_VERIFIED_PROCESS |\ KPH_PROCESS_PROTECTED_PROCESS |\ KPH_PROCESS_HAS_FILE_OBJECT |\ KPH_PROCESS_HAS_SECTION_OBJECT_POINTERS |\ KPH_PROCESS_NO_USER_WRITABLE_REFERENCES |\ KPH_PROCESS_NO_FILE_TRANSACTION |\ KPH_PROCESS_NO_WRITABLE_FILE_OBJECT) #define KPH_PROCESS_STATE_LOW (KPH_PROCESS_VERIFIED_PROCESS |\ KPH_PROCESS_HAS_FILE_OBJECT |\ KPH_PROCESS_HAS_SECTION_OBJECT_POINTERS |\ KPH_PROCESS_NO_USER_WRITABLE_REFERENCES |\ KPH_PROCESS_NO_FILE_TRANSACTION |\ KPH_PROCESS_NO_WRITABLE_FILE_OBJECT) #define KPH_PROCESS_STATE_MINIMUM (KPH_PROCESS_HAS_FILE_OBJECT |\ KPH_PROCESS_HAS_SECTION_OBJECT_POINTERS |\ KPH_PROCESS_NO_USER_WRITABLE_REFERENCES |\ KPH_PROCESS_NO_FILE_TRANSACTION |\ KPH_PROCESS_NO_WRITABLE_FILE_OBJECT) typedef enum _KPH_PROCESS_INFORMATION_CLASS { KphProcessBasicInformation, // q: KPH_PROCESS_BASIC_INFORMATION KphProcessStateInformation, // q: KPH_PROCESS_STATE KphProcessQuotaLimits, // s: QUOTA_LIMITS KphProcessBasePriority, // s: KPRIORITY KphProcessRaisePriority, // s: ULONG KphProcessPriorityClass, // s: PROCESS_PRIORITY_CLASS KphProcessAffinityMask, // s: KAFFINITY/GROUP_AFFINITY KphProcessPriorityBoost, // s: ULONG KphProcessIoPriority, // s: IO_PRIORITY_HINT KphProcessPagePriority, // s: PAGE_PRIORITY_INFORMATION KphProcessPowerThrottlingState, // s: POWER_THROTTLING_PROCESS_STATE KphProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX KphProcessEmptyWorkingSet, // s KphProcessWSLProcessId, // q: ULONG KphProcessSequenceNumber, // q: ULONG64 KphProcessStartKey, // q: ULONG64 KphProcessImageSection, // q: HANDLE KphProcessImageFileName, // q: UNICODE_STRING } KPH_PROCESS_INFORMATION_CLASS; typedef enum _KPH_THREAD_INFORMATION_CLASS { KphThreadPriority, // s: KPRIORITY KphThreadBasePriority, // s: KPRIORITY KphThreadAffinityMask, // s: KAFFINITY KphThreadIdealProcessor, // s: ULONG KphThreadPriorityBoost, // s: ULONG KphThreadIoPriority, // s: IO_PRIORITY_HINT KphThreadPagePriority, // s: PAGE_PRIORITY_INFORMATION KphThreadActualBasePriority, // s: LONG KphThreadGroupInformation, // s: GROUP_AFFINITY KphThreadIdealProcessorEx, // s: PROCESSOR_NUMBER KphThreadActualGroupAffinity, // s: GROUP_AFFINITY KphThreadPowerThrottlingState, // s: POWER_THROTTLING_THREAD_STATE KphThreadIoCounters, // q: IO_COUNTERS KphThreadWSLThreadId, // q: ULONG KphThreadExplicitCaseSensitivity,// s: ULONG; s: 0 disables, otherwise enables KphThreadKernelStackInformation, // q: KPH_KERNEL_STACK_INFORMATION } KPH_THREAD_INFORMATION_CLASS; typedef struct _KPH_PROCESS_BASIC_INFORMATION { KPH_PROCESS_STATE ProcessState; ULONG64 ProcessStartKey; CLIENT_ID CreatorClientId; ULONG UserWritableReferences; SIZE_T NumberOfImageLoads; union { ULONG Flags; struct { ULONG CreateNotification : 1; ULONG ExitNotification : 1; ULONG VerifiedProcess : 1; ULONG SecurelyCreated : 1; ULONG Protected : 1; ULONG IsWow64 : 1; ULONG IsSubsystemProcess : 1; ULONG AllocatedImageName : 1; ULONG Reserved : 24; }; }; SIZE_T NumberOfThreads; // // Only valid if Protected flag is set. // ACCESS_MASK ProcessAllowedMask; ACCESS_MASK ThreadAllowedMask; // // These are only tracked for verified processes. // SIZE_T NumberOfMicrosoftImageLoads; SIZE_T NumberOfAntimalwareImageLoads; SIZE_T NumberOfVerifiedImageLoads; SIZE_T NumberOfUntrustedImageLoads; } KPH_PROCESS_BASIC_INFORMATION, *PKPH_PROCESS_BASIC_INFORMATION; typedef struct _KPH_KERNEL_STACK_INFORMATION { PVOID InitialStack; PVOID StackLimit; PVOID StackBase; PVOID KernelStack; } KPH_KERNEL_STACK_INFORMATION, *PKPH_KERNEL_STACK_INFORMATION; // Process handle information typedef struct _KPH_PROCESS_HANDLE { HANDLE Handle; PVOID Object; ACCESS_MASK GrantedAccess; USHORT ObjectTypeIndex; USHORT Reserved1; ULONG HandleAttributes; ULONG Reserved2; } KPH_PROCESS_HANDLE, *PKPH_PROCESS_HANDLE; typedef struct _KPH_PROCESS_HANDLE_INFORMATION { ULONG HandleCount; _Field_size_(HandleCount) KPH_PROCESS_HANDLE Handles[1]; } KPH_PROCESS_HANDLE_INFORMATION, *PKPH_PROCESS_HANDLE_INFORMATION; // Object information typedef enum _KPH_OBJECT_INFORMATION_CLASS { KphObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION KphObjectNameInformation, // q: OBJECT_NAME_INFORMATION KphObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION KphObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION KphObjectProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION KphObjectThreadBasicInformation, // q: THREAD_BASIC_INFORMATION KphObjectEtwRegBasicInformation, // q: ETWREG_BASIC_INFORMATION KphObjectFileObjectInformation, // q: KPH_FILE_OBJECT_INFORMATION KphObjectFileObjectDriver, // q: HANDLE KphObjectProcessTimes, // q: KERNEL_USER_TIMES KphObjectThreadTimes, // q: KERNEL_USER_TIMES KphObjectProcessImageFileName, // q: UNICODE_STRING KphObjectThreadNameInformation, // q: THREAD_NAME_INFORMATION KphObjectThreadIsTerminated, // q: ULONG KphObjectSectionBasicInformation, // q: SECTION_BASIC_INFORMATION KphObjectSectionFileName, // q: UNICODE_STRING KphObjectSectionImageInformation, // q; SECTION_IMAGE_INFORMATION KphObjectSectionRelocationInformation, // q; PVOID RelocationAddress KphObjectSectionOriginalBaseInformation, // q: PVOID BaseAddress KphObjectSectionInternalImageInformation, // q: SECTION_INTERNAL_IMAGE_INFORMATION KphObjectSectionMappingsInformation, // q: KPH_SECTION_MAPPINGS_INFORMATION KphObjectAttributesInformation, // q: KPH_OBJECT_ATTRIBUTES_INFORMATION MaxKphObjectInfoClass } KPH_OBJECT_INFORMATION_CLASS; typedef struct _KPH_VPB { CSHORT Type; CSHORT Size; USHORT Flags; USHORT VolumeLabelLength; ULONG SerialNumber; ULONG ReferenceCount; WCHAR VolumeLabel[32]; } KPH_VPB, *PKPH_VPB; typedef struct _KPH_DEVICE_INFO { DEVICE_TYPE Type; ULONG Characteristics; ULONG Flags; KPH_VPB Vpb; } KPH_DEVICE_INFO, *PKPH_DEVICE_INFO; typedef struct _KPH_FILE_OBJECT_INFORMATION { BOOLEAN LockOperation; BOOLEAN DeletePending; BOOLEAN ReadAccess; BOOLEAN WriteAccess; BOOLEAN DeleteAccess; BOOLEAN SharedRead; BOOLEAN SharedWrite; BOOLEAN SharedDelete; LARGE_INTEGER CurrentByteOffset; ULONG Flags; ULONG UserWritableReferences; BOOLEAN HasActiveTransaction; BOOLEAN IsIgnoringSharing; LONG Waiters; LONG Busy; KPH_VPB Vpb; KPH_DEVICE_INFO Device; KPH_DEVICE_INFO AttachedDevice; KPH_DEVICE_INFO RelatedDevice; } KPH_FILE_OBJECT_INFORMATION, *PKPH_FILE_OBJECT_INFORMATION; typedef struct _KPH_OBJECT_ATTRIBUTES_INFORMATION { union { UCHAR Flags; struct { UCHAR NewObject : 1; UCHAR KernelObject : 1; UCHAR KernelOnlyAccess : 1; UCHAR ExclusiveObject : 1; UCHAR PermanentObject : 1; UCHAR DefaultSecurityQuota : 1; UCHAR SingleHandleEntry : 1; UCHAR DeletedInline : 1; }; }; } KPH_OBJECT_ATTRIBUTES_INFORMATION, *PKPH_OBJECT_ATTRIBUTES_INFORMATION; // Driver information typedef enum _KPH_DRIVER_INFORMATION_CLASS { KphDriverBasicInformation, // q: DRIVER_BASIC_INFORMATION KphDriverNameInformation, // q: UNICODE_STRING KphDriverServiceKeyNameInformation, // q: UNICODE_STRING KphDriverImageFileNameInformation, // q: UNICODE_STRING MaxKphDriverInfoClass } KPH_DRIVER_INFORMATION_CLASS; typedef struct _KPH_DRIVER_BASIC_INFORMATION { ULONG Flags; PVOID DriverStart; ULONG DriverSize; } KPH_DRIVER_BASIC_INFORMATION, *PKPH_DRIVER_BASIC_INFORMATION; typedef struct _KPH_DRIVER_NAME_INFORMATION { UNICODE_STRING DriverName; } KPH_DRIVER_NAME_INFORMATION, *PKPH_DRIVER_NAME_INFORMATION; typedef struct _KPH_DRIVER_SERVICE_KEY_NAME_INFORMATION { UNICODE_STRING ServiceKeyName; } KPH_DRIVER_SERVICE_KEY_NAME_INFORMATION, *PKPH_DRIVER_SERVICE_KEY_NAME_INFORMATION; // ETW registration object information typedef struct _KPH_ETWREG_BASIC_INFORMATION { GUID Guid; ULONG_PTR SessionId; } KPH_ETWREG_BASIC_INFORMATION, *PKPH_ETWREG_BASIC_INFORMATION; // ALPC object information typedef enum _KPH_ALPC_INFORMATION_CLASS { KphAlpcBasicInformation, // q: KPH_ALPC_BASIC_INFORMATION KphAlpcCommunicationInformation, // q: KPH_ALPC_COMMUNICATION_INFORMATION KphAlpcCommunicationNamesInformation, // q: KPH_ALPC_COMMUNICATION_NAMES_INFORMATION } KPH_ALPC_INFORMATION_CLASS; typedef struct _KPH_ALPC_BASIC_INFORMATION { HANDLE OwnerProcessId; ULONG Flags; LONG SequenceNo; PVOID PortContext; union { ULONG State; struct { ULONG Initialized : 1; ULONG Type : 2; ULONG ConnectionPending : 1; ULONG ConnectionRefused : 1; ULONG Disconnected : 1; ULONG Closed : 1; ULONG NoFlushOnClose : 1; ULONG ReturnExtendedInfo : 1; ULONG Waitable : 1; ULONG DynamicSecurity : 1; ULONG Wow64CompletionList : 1; ULONG Lpc : 1; ULONG LpcToLpc : 1; ULONG HasCompletionList : 1; ULONG HadCompletionList : 1; ULONG EnableCompletionList : 1; }; }; } KPH_ALPC_BASIC_INFORMATION, *PKPH_ALPC_BASIC_INFORMATION; typedef struct _KPH_ALPC_COMMUNICATION_INFORMATION { KPH_ALPC_BASIC_INFORMATION ConnectionPort; KPH_ALPC_BASIC_INFORMATION ServerCommunicationPort; KPH_ALPC_BASIC_INFORMATION ClientCommunicationPort; } KPH_ALPC_COMMUNICATION_INFORMATION, *PKPH_ALPC_COMMUNICATION_INFORMATION; typedef struct _KPH_ALPC_COMMUNICATION_NAMES_INFORMATION { UNICODE_STRING ConnectionPort; UNICODE_STRING ServerCommunicationPort; UNICODE_STRING ClientCommunicationPort; } KPH_ALPC_COMMUNICATION_NAMES_INFORMATION, *PKPH_ALPC_COMMUNICATION_NAMES_INFORMATION; // System control typedef enum _KPH_SYSTEM_CONTROL_CLASS { KphSystemControlEmptyCompressionStore } KPH_SYSTEM_CONTROL_CLASS; // Section typedef enum _KPH_SECTION_INFORMATION_CLASS { KphSectionMappingsInformation, // q: KPH_SECTION_MAPPINGS_INFORMATION } KPH_SECTION_INFORMATION_CLASS; #define VIEW_MAP_TYPE_PROCESS 1 #define VIEW_MAP_TYPE_SESSION 2 #define VIEW_MAP_TYPE_SYSTEM_CACHE 3 typedef struct _KPH_SECTION_MAP_ENTRY { UCHAR ViewMapType; HANDLE ProcessId; PVOID StartVa; PVOID EndVa; } KPH_SECTION_MAP_ENTRY, *PKPH_SECTION_MAP_ENTRY; typedef struct _KPH_SECTION_MAPPINGS_INFORMATION { ULONG NumberOfMappings; KPH_SECTION_MAP_ENTRY Mappings[ANYSIZE_ARRAY]; } KPH_SECTION_MAPPINGS_INFORMATION, *PKPH_SECTION_MAPPINGS_INFORMATION; // Virtual memory typedef enum _KPH_MEMORY_INFORMATION_CLASS { KphMemoryImageSection, // q: HANDLE KphMemoryDataSection, // q: KPH_MEMORY_DATA_SECTION KphMemoryMappedInformation, // q: KPH_MEMORY_MAPPED_INFORMATION } KPH_MEMORY_INFORMATION_CLASS, *PKPH_MEMORY_INFORMATION_CLASS; typedef struct _KPH_MEMORY_DATA_SECTION { HANDLE SectionHandle; LARGE_INTEGER SectionFileSize; } KPH_MEMORY_DATA_SECTION, *PKPH_MEMORY_DATA_SECTION; typedef struct _KPH_MEMORY_MAPPED_INFORMATION { PVOID FileObject; PVOID SectionObjectPointers; PVOID DataControlArea; PVOID SharedCacheMap; PVOID ImageControlArea; ULONG UserWritableReferences; } KPH_MEMORY_MAPPED_INFORMATION, *PKPH_MEMORY_MAPPED_INFORMATION; // File typedef enum _KPH_HASH_ALGORITHM { KphHashAlgorithmMd5, KphHashAlgorithmSha1, KphHashAlgorithmSha1Authenticode, KphHashAlgorithmSha256, KphHashAlgorithmSha256Authenticode, KphHashAlgorithmSha384, KphHashAlgorithmSha512, MaxKphHashAlgorithm, } KPH_HASH_ALGORITHM, *PKPH_HASH_ALGORITHM; #define KPH_HASH_ALGORITHM_MAX_LENGTH (512 / 8) typedef struct _KPH_HASH_INFORMATION { KPH_HASH_ALGORITHM Algorithm; ULONG Length; BYTE Hash[KPH_HASH_ALGORITHM_MAX_LENGTH]; } KPH_HASH_INFORMATION, *PKPH_HASH_INFORMATION; // Verification #define KPH_PROCESS_READ_ACCESS (STANDARD_RIGHTS_READ |\ SYNCHRONIZE |\ PROCESS_QUERY_INFORMATION |\ PROCESS_QUERY_LIMITED_INFORMATION |\ PROCESS_VM_READ) #define KPH_THREAD_READ_ACCESS (STANDARD_RIGHTS_READ |\ SYNCHRONIZE |\ THREAD_QUERY_INFORMATION |\ THREAD_QUERY_LIMITED_INFORMATION |\ THREAD_GET_CONTEXT) #define KPH_TOKEN_READ_ACCESS (STANDARD_RIGHTS_READ |\ SYNCHRONIZE |\ TOKEN_QUERY |\ TOKEN_QUERY_SOURCE) #define KPH_JOB_READ_ACCESS (STANDARD_RIGHTS_READ |\ SYNCHRONIZE |\ JOB_OBJECT_QUERY) #define KPH_FILE_READ_ACCESS (STANDARD_RIGHTS_READ |\ SYNCHRONIZE |\ FILE_READ_DATA |\ FILE_READ_ATTRIBUTES |\ FILE_READ_EA) #define KPH_FILE_READ_DISPOSITION (FILE_OPEN) #define KPH_SECTION_READ_ACCESS (SECTION_MAP_READ | SECTION_QUERY) // Informer typedef struct _KPH_RATE_LIMIT_POLICY { ULONG TokensPerPeriod; ULONG PeriodInSeconds; ULONG MaxBucketSize; } KPH_RATE_LIMIT_POLICY, *PKPH_RATE_LIMIT_POLICY; typedef const KPH_RATE_LIMIT_POLICY* PCKPH_RATE_LIMIT_POLICY; #define KPH_RATE_LIMIT_UNLIMITED { ULONG_MAX, 0, ULONG_MAX } #define KPH_RATE_LIMIT_DENY_ALL { 0, 0, 0 } #define KPH_RATE_LIMIT_PER_SEC(rate, burst) { rate, 1, burst } #define KPH_RATE_LIMIT_PER_MIN(rate, burst) { rate, 60, burst } #define KPH_RATE_LIMIT_PER_HOUR(rate, burst) { rate, 3600, burst } #define KPH_RATE_LIMIT_PER_DAY(rate, burst) { rate, 86400, burst } #define KPH_INFORMER_COUNT 153 #define KPH_INFORMER_INDEX(name) (KphMsg##name - (MaxKphMsgClientAllowed + 1)) typedef union _KPH_INFORMER_OPTIONS { struct { ULONG EnableStackTraces : 1; ULONG EnableProcessCreateReply : 1; ULONG FileEnablePreCreateReply : 1; ULONG FileEnablePostCreateReply : 1; ULONG FileEnablePostFileNames : 1; ULONG FileEnablePagingIo : 1; ULONG FileEnableSyncPagingIo : 1; ULONG FileEnableIoControlBuffers : 1; ULONG FileEnableFsControlBuffers : 1; ULONG FileEnableDirControlBuffers : 1; ULONG RegEnablePostObjectNames : 1; ULONG RegEnablePostValueNames : 1; ULONG RegEnableValueBuffers : 1; ULONG Spare : 19; }; ULONG Flags; } KPH_INFORMER_OPTIONS, *PKPH_INFORMER_OPTIONS; typedef struct _KPH_INFORMER_SETTINGS { KPH_INFORMER_OPTIONS Options; KPH_RATE_LIMIT_POLICY Policy[KPH_INFORMER_COUNT]; } KPH_INFORMER_SETTINGS, *PKPH_INFORMER_SETTINGS; typedef const KPH_INFORMER_SETTINGS* PCKPH_INFORMER_SETTINGS; typedef struct _KPH_MESSAGE_TIMEOUTS { LARGE_INTEGER AsyncTimeout; LARGE_INTEGER DefaultTimeout; LARGE_INTEGER ProcessCreateTimeout; LARGE_INTEGER FilePreCreateTimeout; LARGE_INTEGER FilePostCreateTimeout; } KPH_MESSAGE_TIMEOUTS, *PKPH_MESSAGE_TIMEOUTS; typedef struct _KPH_INFORMER_CLIENT_SETTINGS { KPH_MESSAGE_TIMEOUTS MessageTimeouts; KPH_RATE_LIMIT_POLICY AsyncQueuePolicy; KPH_RATE_LIMIT_POLICY InformerPolicy[KPH_INFORMER_COUNT]; } KPH_INFORMER_CLIENT_SETTINGS, *PKPH_INFORMER_CLIENT_SETTINGS; typedef struct _KPH_RATE_LIMIT_STATS { KPH_RATE_LIMIT_POLICY Policy; LONG64 Allowed; LONG64 Dropped; LONG64 CasMiss; } KPH_RATE_LIMIT_STATS, *PKPH_RATE_LIMIT_STATS; typedef struct _KPH_INFORMER_CLIENT_STATS { KPH_RATE_LIMIT_STATS AsyncQueueRateLimit; KPH_RATE_LIMIT_STATS InformerRateLimit[KPH_INFORMER_COUNT]; } KPH_INFORMER_CLIENT_STATS, *PKPH_INFORMER_CLIENT_STATS; typedef struct _KPH_INFORMER_STATS { KPH_RATE_LIMIT_STATS RateLimit[KPH_INFORMER_COUNT]; } KPH_INFORMER_STATS, *PKPH_INFORMER_STATS; // Parameters typedef union _KPH_PARAMETER_FLAGS { struct { ULONG DisableImageLoadProtection : 1; ULONG RandomizedPoolTag : 1; ULONG DynDataNoEmbedded : 1; ULONG DisableSystemProcess : 1; ULONG DisableThreadNames : 1; ULONG Reserved : 27; }; ULONG Flags; } KPH_PARAMETER_FLAGS, *PKPH_PARAMETER_FLAGS; // Session Token #define KPH_TOKEN_PRIVILEGE_TERMINATE 0x00000001ul #define KPH_TOKEN_VALID_PRIVILEGES (KPH_TOKEN_PRIVILEGE_TERMINATE) #include typedef struct _KPH_SESSION_ACCESS_TOKEN { LARGE_INTEGER Expiry; ULONG Privileges; LONG Uses; GUID Identifier; BYTE Material[32]; } KPH_SESSION_ACCESS_TOKEN, *PKPH_SESSION_ACCESS_TOKEN; C_ASSERT(sizeof(KPH_SESSION_ACCESS_TOKEN) == 64); #include #pragma warning(pop) ================================================ FILE: kphlib/include/kphdyn.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY * */ #pragma once #include #define KPH_DYN_CONFIGURATION_VERSION ((ULONG)16) #define KPH_DYN_SESSION_TOKEN_PUBLIC_KEY_LENGTH ((ULONG)539) #define KPH_DYN_CLASS_NTOSKRNL ((USHORT)0) #define KPH_DYN_CLASS_NTKRLA57 ((USHORT)1) #define KPH_DYN_CLASS_LXCORE ((USHORT)2) #include typedef struct _KPH_DYN_KERNEL_FIELDS { USHORT EgeGuid; // dt nt!_ETW_GUID_ENTRY Guid USHORT EpObjectTable; // dt nt!_EPROCESS ObjectTable USHORT EreGuidEntry; // dt nt!_ETW_REG_ENTRY GuidEntry USHORT HtHandleContentionEvent; // dt nt!_HANDLE_TABLE HandleContentionEvent USHORT OtName; // dt nt!_OBJECT_TYPE Name USHORT OtIndex; // dt nt!_OBJECT_TYPE Index USHORT ObDecodeShift; // dt nt!_HANDLE_TABLE_ENTRY ObjectPointerBits USHORT ObAttributesShift; // dt nt!_HANDLE_TABLE_ENTRY Attributes USHORT AlpcCommunicationInfo; // dt nt!_ALPC_PORT CommunicationInfo USHORT AlpcOwnerProcess; // dt nt!_ALPC_PORT OwnerProcess USHORT AlpcConnectionPort; // dt nt!_ALPC_COMMUNICATION_INFO ConnectionPort USHORT AlpcServerCommunicationPort; // dt nt!_ALPC_COMMUNICATION_INFO ServerCommunicationPort USHORT AlpcClientCommunicationPort; // dt nt!_ALPC_COMMUNICATION_INFO ClientCommunicationPort USHORT AlpcHandleTable; // dt nt!_ALPC_COMMUNICATION_INFO HandleTable USHORT AlpcHandleTableLock; // dt nt!_ALPC_HANDLE_TABLE Lock USHORT AlpcAttributes; // dt nt!_ALPC_PORT PortAttributes USHORT AlpcAttributesFlags; // dt nt!_ALPC_PORT_ATTRIBUTES Flags USHORT AlpcPortContext; // dt nt!_ALPC_PORT PortContext USHORT AlpcPortObjectLock; // dt nt!_ALPC_PORT PortObjectLock USHORT AlpcSequenceNo; // dt nt!_ALPC_PORT SequenceNo USHORT AlpcState; // dt nt!_ALPC_PORT u1.State USHORT KtInitialStack; // dt nt!_KTHREAD InitialStack USHORT KtStackLimit; // dt nt!_KTHREAD StackLimit USHORT KtStackBase; // dt nt!_KTHREAD StackBase USHORT KtKernelStack; // dt nt!_KTHREAD KernelStack USHORT KtReadOperationCount; // dt nt!_KTHREAD ReadOperationCount USHORT KtWriteOperationCount; // dt nt!_KTHREAD WriteOperationCount USHORT KtOtherOperationCount; // dt nt!_KTHREAD OtherOperationCount USHORT KtReadTransferCount; // dt nt!_KTHREAD ReadTransferCount USHORT KtWriteTransferCount; // dt nt!_KTHREAD WriteTransferCount USHORT KtOtherTransferCount; // dt nt!_KTHREAD OtherTransferCount USHORT MmSectionControlArea; // dt nt!_SECTION u1.ControlArea USHORT MmControlAreaListHead; // dt nt!_CONTROL_AREA ListHead USHORT MmControlAreaLock; // dt nt!_CONTROL_AREA ControlAreaLock USHORT EpSectionObject; // dt nt!_EPROCESS SectionObject } KPH_DYN_KERNEL_FIELDS, *PKPH_DYN_KERNEL_FIELDS; typedef KPH_DYN_KERNEL_FIELDS KPH_DYN_NTOSKRNL_FIELDS; typedef PKPH_DYN_KERNEL_FIELDS PKPH_DYN_NTOSKRNL_FIELDS; typedef KPH_DYN_KERNEL_FIELDS KPH_DYN_NTKRLA57_FIELDS; typedef PKPH_DYN_KERNEL_FIELDS PKPH_DYN_NTKRLA57_FIELDS; typedef struct _KPH_DYN_LXCORE_FIELDS { USHORT LxPicoProc; // uf lxcore!LxpSyscall_GETPID USHORT LxPicoProcInfo; // uf lxcore!LxpSyscall_GETPID USHORT LxPicoProcInfoPID; // uf lxcore!LxpSyscall_GETPID USHORT LxPicoThrdInfo; // uf lxcore!LxpSyscall_GETTID USHORT LxPicoThrdInfoTID; // uf lxcore!LxpSyscall_GETTID } KPH_DYN_LXCORE_FIELDS, *PKPH_DYN_LXCORE_FIELDS; typedef struct _KPH_DYN_FIELDS { ULONG FieldsId; USHORT Length; BYTE Fields[ANYSIZE_ARRAY]; } KPH_DYN_FIELDS, *PKPH_DYN_FIELDS; typedef struct _KPH_DYN_DATA { USHORT Class; USHORT Machine; ULONG TimeDateStamp; ULONG SizeOfImage; ULONG Offset; } KPH_DYN_DATA, *PKPH_DYN_DATA; typedef struct _KPH_DYN_CONFIG { ULONG Version; BYTE SessionTokenPublicKey[KPH_DYN_SESSION_TOKEN_PUBLIC_KEY_LENGTH]; ULONG Count; KPH_DYN_DATA Data[ANYSIZE_ARRAY]; // BYTE Fields[ANYSIZE_ARRAY]; } KPH_DYN_CONFIG, *PKPH_DYN_CONFIG; #include #ifdef _WIN64 extern CONST BYTE KphDynConfig[]; extern CONST ULONG KphDynConfigLength; #endif ================================================ FILE: kphlib/include/kphdyndata.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #pragma once #include _Must_inspect_result_ NTSTATUS KphDynDataLookup( _In_reads_bytes_(Length) PKPH_DYN_CONFIG Config, _In_ ULONG Length, _In_ USHORT Class, _In_ USHORT Machine, _In_ ULONG TimeDateStamp, _In_ ULONG SizeOfImage, _Out_opt_ PKPH_DYN_DATA* Data, _Out_opt_ PVOID* Fields ); ================================================ FILE: kphlib/include/kphlibbase.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #include #ifdef _KERNEL_MODE #pragma warning(push) #pragma warning(disable: 5103) // invalid preprocessing token (/Zc:preprocessor) #include #include #include #include #include #pragma warning(pop) #else #pragma warning(push) #pragma warning(disable : 4201) #pragma warning(disable : 4214) #pragma warning(disable : 4324) #pragma warning(disable : 4115) #include #include #pragma warning(pop) #endif ================================================ FILE: kphlib/include/kphmsg.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #include #pragma warning(push) #pragma warning(disable : 4201) typedef enum _KPH_MESSAGE_ID { InvalidKphMsg, // // PH -> KPH // KphMsgGetInformerSettings, KphMsgSetInformerSettings, KphMsgOpenProcess, KphMsgOpenProcessToken, KphMsgOpenProcessJob, KphMsgTerminateProcess, KphMsgReadVirtualMemory, KphMsgOpenThread, KphMsgOpenThreadProcess, KphMsgCaptureStackBackTraceThread, KphMsgEnumerateProcessHandles, KphMsgQueryInformationObject, KphMsgSetInformationObject, KphMsgOpenDriver, KphMsgQueryInformationDriver, KphMsgQueryInformationProcess, KphMsgSetInformationProcess, KphMsgSetInformationThread, KphMsgSystemControl, KphMsgAlpcQueryInformation, KphMsgQueryInformationFile, KphMsgQueryVolumeInformationFile, KphMsgDuplicateObject, KphMsgQueryPerformanceCounter, KphMsgCreateFile, KphMsgQueryInformationThread, KphMsgQuerySection, KphMsgCompareObjects, KphMsgGetInformerClientSettings, KphMsgSetInformerClientSettings, KphMsgAcquireDriverUnloadProtection, KphMsgReleaseDriverUnloadProtection, KphMsgGetConnectedClientCount, KphMsgActivateDynData, KphMsgIsDynDataActive, KphMsgRequestSessionAccessToken, KphMsgAssignProcessSessionToken, KphMsgAssignThreadSessionToken, KphMsgGetInformerProcessSettings, KphMsgSetInformerProcessSettings, KphMsgStripProtectedProcessMasks, KphMsgQueryVirtualMemory, KphMsgQueryHashInformationFile, KphMsgOpenDevice, KphMsgOpenDeviceDriver, KphMsgOpenDeviceBaseDevice, KphMsgGetInformerStats, KphMsgGetInformerClientStats, MaxKphMsgClient, MaxKphMsgClientAllowed = 0x40000000, // // KPH <-> PH // KphMsgProcessCreate, KphMsgProcessExit, KphMsgThreadCreate, KphMsgThreadExecute, KphMsgThreadExit, KphMsgImageLoad, KphMsgDebugPrint, KphMsgHandlePreCreateProcess, KphMsgHandlePostCreateProcess, KphMsgHandlePreDuplicateProcess, KphMsgHandlePostDuplicateProcess, KphMsgHandlePreCreateThread, KphMsgHandlePostCreateThread, KphMsgHandlePreDuplicateThread, KphMsgHandlePostDuplicateThread, KphMsgHandlePreCreateDesktop, KphMsgHandlePostCreateDesktop, KphMsgHandlePreDuplicateDesktop, KphMsgHandlePostDuplicateDesktop, KphMsgRequiredStateFailure, KphMsgFilePreCreate, KphMsgFilePostCreate, KphMsgFilePreCreateNamedPipe, KphMsgFilePostCreateNamedPipe, KphMsgFilePreClose, KphMsgFilePostClose, KphMsgFilePreRead, KphMsgFilePostRead, KphMsgFilePreWrite, KphMsgFilePostWrite, KphMsgFilePreQueryInformation, KphMsgFilePostQueryInformation, KphMsgFilePreSetInformation, KphMsgFilePostSetInformation, KphMsgFilePreQueryEa, KphMsgFilePostQueryEa, KphMsgFilePreSetEa, KphMsgFilePostSetEa, KphMsgFilePreFlushBuffers, KphMsgFilePostFlushBuffers, KphMsgFilePreQueryVolumeInformation, KphMsgFilePostQueryVolumeInformation, KphMsgFilePreSetVolumeInformation, KphMsgFilePostSetVolumeInformation, KphMsgFilePreDirectoryControl, KphMsgFilePostDirectoryControl, KphMsgFilePreFileSystemControl, KphMsgFilePostFileSystemControl, KphMsgFilePreDeviceControl, KphMsgFilePostDeviceControl, KphMsgFilePreInternalDeviceControl, KphMsgFilePostInternalDeviceControl, KphMsgFilePreShutdown, KphMsgFilePostShutdown, KphMsgFilePreLockControl, KphMsgFilePostLockControl, KphMsgFilePreCleanup, KphMsgFilePostCleanup, KphMsgFilePreCreateMailslot, KphMsgFilePostCreateMailslot, KphMsgFilePreQuerySecurity, KphMsgFilePostQuerySecurity, KphMsgFilePreSetSecurity, KphMsgFilePostSetSecurity, KphMsgFilePrePower, KphMsgFilePostPower, KphMsgFilePreSystemControl, KphMsgFilePostSystemControl, KphMsgFilePreDeviceChange, KphMsgFilePostDeviceChange, KphMsgFilePreQueryQuota, KphMsgFilePostQueryQuota, KphMsgFilePreSetQuota, KphMsgFilePostSetQuota, KphMsgFilePrePnp, KphMsgFilePostPnp, KphMsgFilePreAcquireForSectionSync, KphMsgFilePostAcquireForSectionSync, KphMsgFilePreReleaseForSectionSync, KphMsgFilePostReleaseForSectionSync, KphMsgFilePreAcquireForModWrite, KphMsgFilePostAcquireForModWrite, KphMsgFilePreReleaseForModWrite, KphMsgFilePostReleaseForModWrite, KphMsgFilePreAcquireForCcFlush, KphMsgFilePostAcquireForCcFlush, KphMsgFilePreReleaseForCcFlush, KphMsgFilePostReleaseForCcFlush, KphMsgFilePreQueryOpen, KphMsgFilePostQueryOpen, KphMsgFilePreFastIoCheckIfPossible, KphMsgFilePostFastIoCheckIfPossible, KphMsgFilePreNetworkQueryOpen, KphMsgFilePostNetworkQueryOpen, KphMsgFilePreMdlRead, KphMsgFilePostMdlRead, KphMsgFilePreMdlReadComplete, KphMsgFilePostMdlReadComplete, KphMsgFilePrePrepareMdlWrite, KphMsgFilePostPrepareMdlWrite, KphMsgFilePreMdlWriteComplete, KphMsgFilePostMdlWriteComplete, KphMsgFilePreVolumeMount, KphMsgFilePostVolumeMount, KphMsgFilePreVolumeDismount, KphMsgFilePostVolumeDismount, KphMsgRegPreDeleteKey, KphMsgRegPostDeleteKey, KphMsgRegPreSetValueKey, KphMsgRegPostSetValueKey, KphMsgRegPreDeleteValueKey, KphMsgRegPostDeleteValueKey, KphMsgRegPreSetInformationKey, KphMsgRegPostSetInformationKey, KphMsgRegPreRenameKey, KphMsgRegPostRenameKey, KphMsgRegPreEnumerateKey, KphMsgRegPostEnumerateKey, KphMsgRegPreEnumerateValueKey, KphMsgRegPostEnumerateValueKey, KphMsgRegPreQueryKey, KphMsgRegPostQueryKey, KphMsgRegPreQueryValueKey, KphMsgRegPostQueryValueKey, KphMsgRegPreQueryMultipleValueKey, KphMsgRegPostQueryMultipleValueKey, KphMsgRegPreKeyHandleClose, KphMsgRegPostKeyHandleClose, KphMsgRegPreCreateKey, KphMsgRegPostCreateKey, KphMsgRegPreOpenKey, KphMsgRegPostOpenKey, KphMsgRegPreFlushKey, KphMsgRegPostFlushKey, KphMsgRegPreLoadKey, KphMsgRegPostLoadKey, KphMsgRegPreUnLoadKey, KphMsgRegPostUnLoadKey, KphMsgRegPreQueryKeySecurity, KphMsgRegPostQueryKeySecurity, KphMsgRegPreSetKeySecurity, KphMsgRegPostSetKeySecurity, KphMsgRegPreRestoreKey, KphMsgRegPostRestoreKey, KphMsgRegPreSaveKey, KphMsgRegPostSaveKey, KphMsgRegPreReplaceKey, KphMsgRegPostReplaceKey, KphMsgRegPreQueryKeyName, KphMsgRegPostQueryKeyName, KphMsgRegPreSaveMergedKey, KphMsgRegPostSaveMergedKey, KphMsgImageVerify, MaxKphMsg, KphMsgUnhandled = 0xffffffff, } KPH_MESSAGE_ID, *PKPH_MESSAGE_ID; C_ASSERT(sizeof(KPH_MESSAGE_ID) == 4); C_ASSERT(MaxKphMsg > 0); C_ASSERT(KPH_INFORMER_COUNT == (MaxKphMsg - (MaxKphMsgClientAllowed + 1))); typedef enum _KPH_MESSAGE_FIELD_ID { InvalidKphMsgField, KphMsgFieldFileName, KphMsgFieldCommandLine, KphMsgFieldOutput, KphMsgFieldObjectName, KphMsgFieldStackTrace, KphMsgFieldDestinationFileName, KphMsgFieldEaBuffer, KphMsgFieldInformationBuffer, KphMsgFieldInput, KphMsgFieldValueName, KphMsgFieldValueBuffer, KphMsgFieldMultipleValueNames, KphMsgFieldMultipleValueEntries, KphMsgFieldNewName, KphMsgFieldClass, KphMsgFieldOtherObjectName, KphMsgFieldHash, KphMsgFieldRegistryPath, KphMsgFieldCertificatePublisher, KphMsgFieldCertificateIssuer, KphMsgFieldCertificateThumbprint, MaxKphMsgField } KPH_MESSAGE_FIELD_ID, *PKPH_MESSAGE_FIELD_ID; C_ASSERT(sizeof(KPH_MESSAGE_FIELD_ID) == 4); C_ASSERT(MaxKphMsgField > 0); typedef enum _KPH_MESSAGE_TYPE_ID { InvalidKphMsgType, KphMsgTypeUnicodeString, KphMsgTypeAnsiString, KphMsgTypeStackTrace, KphMsgTypeSizedBuffer, MaxKphMsgType } KPH_MESSAGE_TYPE_ID, *PKPH_MESSAGE_TYPE_ID; C_ASSERT(sizeof(KPH_MESSAGE_TYPE_ID) == 4); C_ASSERT(MaxKphMsgType > 0); typedef struct _KPH_MESSAGE_DYNAMIC_TABLE_ENTRY { KPH_MESSAGE_FIELD_ID FieldId; KPH_MESSAGE_TYPE_ID TypeId; USHORT Offset; USHORT Length; } KPH_MESSAGE_DYNAMIC_TABLE_ENTRY, *PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY; typedef const KPH_MESSAGE_DYNAMIC_TABLE_ENTRY* PCKPH_MESSAGE_DYNAMIC_TABLE_ENTRY; typedef struct _KPH_MESSAGE { struct { USHORT Version; USHORT Size; KPH_MESSAGE_ID MessageId; LARGE_INTEGER TimeStamp; } Header; union { // // Message from user // union { KPHM_GET_INFORMER_SETTINGS GetInformerSettings; KPHM_SET_INFORMER_SETTINGS SetInformerSettings; KPHM_OPEN_PROCESS OpenProcess; KPHM_OPEN_PROCESS_TOKEN OpenProcessToken; KPHM_OPEN_PROCESS_JOB OpenProcessJob; KPHM_TERMINATE_PROCESS TerminateProcess; KPHM_READ_VIRTUAL_MEMORY ReadVirtualMemory; KPHM_OPEN_THREAD OpenThread; KPHM_OPEN_THREAD_PROCESS OpenThreadProcess; KPHM_CAPTURE_STACK_BACKTRACE_THREAD CaptureStackBackTraceThread; KPHM_ENUMERATE_PROCESS_HANDLES EnumerateProcessHandles; KPHM_QUERY_INFORMATION_OBJECT QueryInformationObject; KPHM_SET_INFORMATION_OBJECT SetInformationObject; KPHM_OPEN_DRIVER OpenDriver; KPHM_QUERY_INFORMATION_DRIVER QueryInformationDriver; KPHM_QUERY_INFORMATION_PROCESS QueryInformationProcess; KPHM_SET_INFORMATION_PROCESS SetInformationProcess; KPHM_SET_INFORMATION_THREAD SetInformationThread; KPHM_SYSTEM_CONTROL SystemControl; KPHM_ALPC_QUERY_INFORMATION AlpcQueryInformation; KPHM_QUERY_INFORMATION_FILE QueryInformationFile; KPHM_QUERY_VOLUME_INFORMATION_FILE QueryVolumeInformationFile; KPHM_DUPLICATE_OBJECT DuplicateObject; KPHM_QUERY_PERFORMANCE_COUNTER QueryPerformanceCounter; KPHM_CREATE_FILE CreateFile; KPHM_QUERY_INFORMATION_THREAD QueryInformationThread; KPHM_QUERY_SECTION QuerySection; KPHM_COMPARE_OBJECTS CompareObjects; KPHM_GET_INFORMER_CLIENT_SETTINGS GetInformerClientSettings; KPHM_SET_INFORMER_CLIENT_SETTINGS SetInformerClientSettings; KPHM_ACQUIRE_DRIVER_UNLOAD_PROTECTION AcquireDriverUnloadProtection; KPHM_RELEASE_DRIVER_UNLOAD_PROTECTION ReleaseDriverUnloadProtection; KPHM_GET_CONNECTED_CLIENT_COUNT GetConnectedClientCount; KPHM_ACTIVATE_DYNDATA ActivateDynData; KPHM_IS_DYNDATA_ACTIVE IsDynDataActive; KPHM_REQUEST_SESSION_ACCESS_TOKEN RequestSessionAccessToken; KPHM_ASSIGN_PROCESS_SESSION_TOKEN AssignProcessSessionToken; KPHM_ASSIGN_THREAD_SESSION_TOKEN AssignThreadSessionToken; KPHM_GET_INFORMER_PROCESS_SETTINGS GetInformerProcessSettings; KPHM_SET_INFORMER_PROCESS_SETTINGS SetInformerProcessSettings; KPHM_STRIP_PROTECTED_PROCESS_MASKS StripProtectedProcessMasks; KPHM_QUERY_VIRTUAL_MEMORY QueryVirtualMemory; KPHM_QUERY_HASH_INFORMATION_FILE QueryHashInformationFile; KPHM_OPEN_DEVICE OpenDevice; KPHM_OPEN_DEVICE_DRIVER OpenDeviceDriver; KPHM_OPEN_DEVICE_BASE_DEVICE OpenDeviceBaseDevice; KPHM_GET_INFORMER_STATS GetInformerStats; KPHM_GET_INFORMER_CLIENT_STATS GetInformerClientStats; } User; // // Message from kernel // union { KPHM_PROCESS_CREATE ProcessCreate; KPHM_PROCESS_EXIT ProcessExit; KPHM_THREAD_CREATE ThreadCreate; KPHM_THREAD_EXECUTE ThreadExecute; KPHM_THREAD_EXIT ThreadExit; KPHM_IMAGE_LOAD ImageLoad; KPHM_DEBUG_PRINT DebugPrint; KPHM_HANDLE Handle; KPHM_REQUIRED_STATE_FAILURE RequiredStateFailure; KPHM_FILE File; KPHM_REGISTRY Reg; KPHM_IMAGE_VERIFY ImageVerify; } Kernel; // // Reply to kernel // union { KPHM_PROCESS_CREATE_REPLY ProcessCreate; KPHM_FILE_REPLY File; } Reply; }; // // Dynamic data accessed through KphMsgDyn APIs // struct { UCHAR Count; KPH_MESSAGE_DYNAMIC_TABLE_ENTRY Entries[8]; CHAR Buffer[0x4000 - 380]; } _Dyn; } KPH_MESSAGE, *PKPH_MESSAGE; typedef const KPH_MESSAGE* PCKPH_MESSAGE; #define KPH_MESSAGE_MIN_SIZE RTL_SIZEOF_THROUGH_FIELD(KPH_MESSAGE, _Dyn.Entries) // // ABI breaking asserts. KPH_MESSAGE_VERSION must be updated. // const int value = sizeof(KPH_MESSAGE); // const int value = FIELD_OFFSET(KPH_MESSAGE, _Dyn); // const int value = FIELD_OFFSET(KPH_MESSAGE, _Dyn.Buffer); // const int value = KPH_MESSAGE_MIN_SIZE; // C_ASSERT(sizeof(KPH_MESSAGE) <= 0xffff); #ifdef _WIN64 C_ASSERT(sizeof(KPH_MESSAGE) == 0x4000); C_ASSERT(FIELD_OFFSET(KPH_MESSAGE, _Dyn) == 280); C_ASSERT(FIELD_OFFSET(KPH_MESSAGE, _Dyn.Buffer) == 380); C_ASSERT(KPH_MESSAGE_MIN_SIZE == 380); C_ASSERT(KPH_MESSAGE_MIN_SIZE == FIELD_OFFSET(KPH_MESSAGE, _Dyn.Buffer)); #else // not supported #endif #pragma warning(pop) EXTERN_C_START VOID KphMsgQuerySystemTime( _Out_ PLARGE_INTEGER SystemTime ); VOID KphMsgInit( _Out_writes_bytes_(KPH_MESSAGE_MIN_SIZE) PKPH_MESSAGE Message, _In_ KPH_MESSAGE_ID MessageId ); _Must_inspect_result_ NTSTATUS KphMsgValidate( _In_ PCKPH_MESSAGE Message ); EXTERN_C_END ================================================ FILE: kphlib/include/kphmsgdefs.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #include // // PH -> KPH // #pragma warning(push) #pragma warning(disable : 4201) typedef struct _KPHM_SET_INFORMER_SETTINGS { NTSTATUS Status; PKPH_INFORMER_SETTINGS Settings; } KPHM_SET_INFORMER_SETTINGS, *PKPHM_SET_INFORMER_SETTINGS; typedef struct _KPHM_GET_INFORMER_SETTINGS { NTSTATUS Status; PKPH_INFORMER_SETTINGS Settings; } KPHM_GET_INFORMER_SETTINGS, *PKPHM_GET_INFORMER_SETTINGS; typedef struct _KPHM_OPEN_PROCESS { NTSTATUS Status; PHANDLE ProcessHandle; ACCESS_MASK DesiredAccess; PCLIENT_ID ClientId; } KPHM_OPEN_PROCESS, *PKPHM_OPEN_PROCESS; typedef struct _KPHM_OPEN_PROCESS_TOKEN { NTSTATUS Status; HANDLE ProcessHandle; ACCESS_MASK DesiredAccess; PHANDLE TokenHandle; } KPHM_OPEN_PROCESS_TOKEN, *PKPHM_OPEN_PROCESS_TOKEN; typedef struct _KPHM_OPEN_PROCESS_JOB { NTSTATUS Status; HANDLE ProcessHandle; ACCESS_MASK DesiredAccess; PHANDLE JobHandle; } KPHM_OPEN_PROCESS_JOB, *PKPHM_OPEN_PROCESS_JOB; typedef struct _KPHM_TERMINATE_PROCESS { NTSTATUS Status; HANDLE ProcessHandle; NTSTATUS ExitStatus; } KPHM_TERMINATE_PROCESS, *PKPHM_TERMINATE_PROCESS; typedef struct _KPHM_READ_VIRTUAL_MEMORY { NTSTATUS Status; HANDLE ProcessHandle; PVOID BaseAddress; PVOID Buffer; SIZE_T BufferSize; PSIZE_T NumberOfBytesRead; } KPHM_READ_VIRTUAL_MEMORY, *PKPHM_READ_VIRTUAL_MEMORY; typedef struct _KPHM_OPEN_THREAD { NTSTATUS Status; PHANDLE ThreadHandle; ACCESS_MASK DesiredAccess; PCLIENT_ID ClientId; } KPHM_OPEN_THREAD, *PKPHM_OPEN_THREAD; typedef struct _KPHM_OPEN_THREAD_PROCESS { NTSTATUS Status; HANDLE ThreadHandle; ACCESS_MASK DesiredAccess; PHANDLE ProcessHandle; } KPHM_OPEN_THREAD_PROCESS, *PKPHM_OPEN_THREAD_PROCESS; typedef struct _KPHM_CAPTURE_STACK_BACKTRACE_THREAD { NTSTATUS Status; HANDLE ThreadHandle; ULONG FramesToSkip; ULONG FramesToCapture; PVOID* BackTrace; PULONG CapturedFrames; PULONG BackTraceHash; ULONG Flags; PLARGE_INTEGER Timeout; } KPHM_CAPTURE_STACK_BACKTRACE_THREAD, *PKPHM_CAPTURE_STACK_BACKTRACE_THREAD; typedef struct _KPHM_ENUMERATE_PROCESS_HANDLES { NTSTATUS Status; HANDLE ProcessHandle; PVOID Buffer; ULONG BufferLength; PULONG ReturnLength; } KPHM_ENUMERATE_PROCESS_HANDLES, *PKPHM_ENUMERATE_PROCESS_HANDLES; typedef struct _KPHM_QUERY_INFORMATION_OBJECT { NTSTATUS Status; HANDLE ProcessHandle; HANDLE Handle; KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass; PVOID ObjectInformation; ULONG ObjectInformationLength; PULONG ReturnLength; } KPHM_QUERY_INFORMATION_OBJECT, *PKPHM_QUERY_INFORMATION_OBJECT; typedef struct _KPHM_SET_INFORMATION_OBJECT { NTSTATUS Status; HANDLE ProcessHandle; HANDLE Handle; KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass; PVOID ObjectInformation; ULONG ObjectInformationLength; } KPHM_SET_INFORMATION_OBJECT, *PKPHM_SET_INFORMATION_OBJECT; typedef struct _KPHM_OPEN_DRIVER { NTSTATUS Status; PHANDLE DriverHandle; ACCESS_MASK DesiredAccess; POBJECT_ATTRIBUTES ObjectAttributes; } KPHM_OPEN_DRIVER, *PKPHM_OPEN_DRIVER; typedef struct _KPHM_QUERY_INFORMATION_DRIVER { NTSTATUS Status; HANDLE DriverHandle; KPH_DRIVER_INFORMATION_CLASS DriverInformationClass; PVOID DriverInformation; ULONG DriverInformationLength; PULONG ReturnLength; } KPHM_QUERY_INFORMATION_DRIVER, *PKPHM_QUERY_INFORMATION_DRIVER; typedef struct _KPHM_QUERY_INFORMATION_PROCESS { NTSTATUS Status; HANDLE ProcessHandle; KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass; PVOID ProcessInformation; ULONG ProcessInformationLength; PULONG ReturnLength; } KPHM_QUERY_INFORMATION_PROCESS, *PKPHM_QUERY_INFORMATION_PROCESS; typedef struct _KPHM_SET_INFORMATION_PROCESS { NTSTATUS Status; HANDLE ProcessHandle; KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass; PVOID ProcessInformation; ULONG ProcessInformationLength; } KPHM_SET_INFORMATION_PROCESS, *PKPHM_SET_INFORMATION_PROCESS; typedef struct _KPHM_SET_INFORMATION_THREAD { NTSTATUS Status; HANDLE ThreadHandle; KPH_THREAD_INFORMATION_CLASS ThreadInformationClass; PVOID ThreadInformation; ULONG ThreadInformationLength; } KPHM_SET_INFORMATION_THREAD, *PKPHM_SET_INFORMATION_THREAD; typedef struct _KPHM_SYSTEM_CONTROL { NTSTATUS Status; KPH_SYSTEM_CONTROL_CLASS SystemControlClass; PVOID SystemControlInfo; ULONG SystemControlInfoLength; } KPHM_SYSTEM_CONTROL, *PKPHM_SYSTEM_CONTROL; typedef struct _KPHM_ALPC_QUERY_INFORMATION { NTSTATUS Status; HANDLE ProcessHandle; HANDLE PortHandle; KPH_ALPC_INFORMATION_CLASS AlpcInformationClass; PVOID AlpcInformation; ULONG AlpcInformationLength; PULONG ReturnLength; } KPHM_ALPC_QUERY_INFORMATION, *PKPHM_ALPC_QUERY_INFORMATION; typedef struct _KPHM_QUERY_INFORMATION_FILE { NTSTATUS Status; HANDLE ProcessHandle; HANDLE FileHandle; FILE_INFORMATION_CLASS FileInformationClass; PVOID FileInformation; ULONG FileInformationLength; PIO_STATUS_BLOCK IoStatusBlock; } KPHM_QUERY_INFORMATION_FILE, *PKPHM_QUERY_INFORMATION_FILE; typedef struct _KPHM_QUERY_VOLUME_INFORMATION_FILE { NTSTATUS Status; HANDLE ProcessHandle; HANDLE FileHandle; FS_INFORMATION_CLASS FsInformationClass; PVOID FsInformation; ULONG FsInformationLength; PIO_STATUS_BLOCK IoStatusBlock; } KPHM_QUERY_VOLUME_INFORMATION_FILE, *PKPHM_QUERY_VOLUME_INFORMATION_FILE; typedef struct _KPHM_DUPLICATE_OBJECT { NTSTATUS Status; HANDLE ProcessHandle; HANDLE SourceHandle; ACCESS_MASK DesiredAccess; PHANDLE TargetHandle; } KPHM_DUPLICATE_OBJECT, *PKPHM_DUPLICATE_OBJECT; typedef struct _KPHM_QUERY_PERFORMANCE_COUNTER { LARGE_INTEGER PerformanceCounter; LARGE_INTEGER PerformanceFrequency; } KPHM_QUERY_PERFORMANCE_COUNTER, *PKPHM_QUERY_PERFORMANCE_COUNTER; typedef struct _KPHM_CREATE_FILE { NTSTATUS Status; PHANDLE FileHandle; ACCESS_MASK DesiredAccess; POBJECT_ATTRIBUTES ObjectAttributes; PIO_STATUS_BLOCK IoStatusBlock; PLARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG ShareAccess; ULONG CreateDisposition; ULONG CreateOptions; PVOID EaBuffer; ULONG EaLength; ULONG Options; } KPHM_CREATE_FILE, *PKPHM_CREATE_FILE; typedef struct _KPHM_QUERY_INFORMATION_THREAD { NTSTATUS Status; HANDLE ThreadHandle; KPH_THREAD_INFORMATION_CLASS ThreadInformationClass; PVOID ThreadInformation; ULONG ThreadInformationLength; PULONG ReturnLength; } KPHM_QUERY_INFORMATION_THREAD, *PKPHM_QUERY_INFORMATION_THREAD; typedef struct _KPHM_QUERY_SECTION { NTSTATUS Status; HANDLE SectionHandle; KPH_SECTION_INFORMATION_CLASS SectionInformationClass; PVOID SectionInformation; ULONG SectionInformationLength; PULONG ReturnLength; } KPHM_QUERY_SECTION, *PKPHM_QUERY_SECTION; typedef struct _KPHM_COMPARE_OBJECTS { NTSTATUS Status; HANDLE ProcessHandle; HANDLE FirstObjectHandle; HANDLE SecondObjectHandle; } KPHM_COMPARE_OBJECTS, *PKPHM_COMPARE_OBJECTS; typedef struct _KPHM_GET_INFORMER_CLIENT_SETTINGS { NTSTATUS Status; PKPH_INFORMER_CLIENT_SETTINGS Settings; } KPHM_GET_INFORMER_CLIENT_SETTINGS, *PKPHM_GET_INFORMER_CLIENT_SETTINGS; typedef struct _KPHM_SET_INFORMER_CLIENT_SETTINGS { NTSTATUS Status; PKPH_INFORMER_CLIENT_SETTINGS Settings; } KPHM_SET_INFORMER_CLIENT_SETTINGS, *PKPHM_SET_INFORMER_CLIENT_SETTINGS; typedef struct _KPHM_ACQUIRE_DRIVER_UNLOAD_PROTECTION { NTSTATUS Status; LONG PreviousCount; LONG ClientPreviousCount; } KPHM_ACQUIRE_DRIVER_UNLOAD_PROTECTION, *PKPHM_ACQUIRE_DRIVER_UNLOAD_PROTECTION; typedef struct _KPHM_RELEASE_DRIVER_UNLOAD_PROTECTION { NTSTATUS Status; LONG PreviousCount; LONG ClientPreviousCount; } KPHM_RELEASE_DRIVER_UNLOAD_PROTECTION, *PKPHM_RELEASE_DRIVER_UNLOAD_PROTECTION; typedef struct _KPHM_GET_CONNECTED_CLIENT_COUNT { ULONG Count; } KPHM_GET_CONNECTED_CLIENT_COUNT, *PKPHM_GET_CONNECTED_CLIENT_COUNT; typedef struct _KPHM_ACTIVATE_DYNDATA { NTSTATUS Status; PBYTE DynData; ULONG DynDataLength; PBYTE Signature; ULONG SignatureLength; } KPHM_ACTIVATE_DYNDATA, *PKPHM_ACTIVATE_DYNDATA; typedef struct _KPHM_IS_DYNDATA_ACTIVE { NTSTATUS Status; PBOOLEAN IsActive; } KPHM_IS_DYNDATA_ACTIVE, *PKPHM_IS_DYNDATA_ACTIVE; typedef struct _KPHM_REQUEST_SESSION_ACCESS_TOKEN { NTSTATUS Status; KPH_SESSION_ACCESS_TOKEN AccessToken; LARGE_INTEGER Expiry; ULONG Privileges; LONG Uses; } KPHM_REQUEST_SESSION_ACCESS_TOKEN, *PKPHM_REQUEST_SESSION_ACCESS_TOKEN; typedef struct _KPHM_ASSIGN_PROCESS_SESSION_TOKEN { NTSTATUS Status; HANDLE ProcessHandle; PBYTE Signature; ULONG SignatureLength; } KPHM_ASSIGN_PROCESS_SESSION_TOKEN, *PKPHM_ASSIGN_PROCESS_SESSION_TOKEN; typedef struct _KPHM_ASSIGN_THREAD_SESSION_TOKEN { NTSTATUS Status; HANDLE ThreadHandle; PBYTE Signature; ULONG SignatureLength; } KPHM_ASSIGN_THREAD_SESSION_TOKEN, *PKPHM_ASSIGN_THREAD_SESSION_TOKEN; typedef struct _KPHM_GET_INFORMER_PROCESS_SETTINGS { NTSTATUS Status; HANDLE ProcessHandle; PKPH_INFORMER_SETTINGS Settings; } KPHM_GET_INFORMER_PROCESS_SETTINGS, *PKPHM_GET_INFORMER_PROCESS_SETTINGS; typedef struct _KPHM_SET_INFORMER_PROCESS_SETTINGS { NTSTATUS Status; HANDLE ProcessHandle; PKPH_INFORMER_SETTINGS Settings; } KPHM_SET_INFORMER_PROCESS_SETTINGS, *PKPHM_SET_INFORMER_PROCESS_SETTINGS; typedef struct _KPHM_STRIP_PROTECTED_PROCESS_MASKS { NTSTATUS Status; HANDLE ProcessHandle; ACCESS_MASK ProcessAllowedMask; ACCESS_MASK ThreadAllowedMask; } KPHM_STRIP_PROTECTED_PROCESS_MASKS, *PKPHM_STRIP_PROTECTED_PROCESS_MASKS; typedef struct _KPHM_QUERY_VIRTUAL_MEMORY { NTSTATUS Status; HANDLE ProcessHandle; PVOID BaseAddress; KPH_MEMORY_INFORMATION_CLASS MemoryInformationClass; PVOID MemoryInformation; ULONG MemoryInformationLength; PULONG ReturnLength; } KPHM_QUERY_VIRTUAL_MEMORY, *PKPHM_QUERY_VIRTUAL_MEMORY; typedef struct _KPHM_QUERY_HASH_INFORMATION_FILE { NTSTATUS Status; HANDLE FileHandle; PKPH_HASH_INFORMATION HashingInformation; ULONG HashingInformationLength; } KPHM_QUERY_HASH_INFORMATION_FILE, *PKPHM_QUERY_HASH_INFORMATION_FILE; typedef struct _KPHM_OPEN_DEVICE { NTSTATUS Status; PHANDLE DeviceHandle; ACCESS_MASK DesiredAccess; POBJECT_ATTRIBUTES ObjectAttributes; } KPHM_OPEN_DEVICE, *PKPHM_OPEN_DEVICE; typedef struct _KPHM_OPEN_DEVICE_DRIVER { NTSTATUS Status; HANDLE DeviceHandle; ACCESS_MASK DesiredAccess; PHANDLE DriverHandle; } KPHM_OPEN_DEVICE_DRIVER, *PKPHM_OPEN_DEVICE_DRIVER; typedef struct _KPHM_OPEN_DEVICE_BASE_DEVICE { NTSTATUS Status; HANDLE DeviceHandle; ACCESS_MASK DesiredAccess; PHANDLE BaseDeviceHandle; } KPHM_OPEN_DEVICE_BASE_DEVICE, *PKPHM_OPEN_DEVICE_BASE_DEVICE; typedef struct _KPHM_GET_INFORMER_STATS { NTSTATUS Status; HANDLE ProcessHandle; PKPH_INFORMER_STATS Stats; } KPHM_GET_INFORMER_STATS, *PKPHM_GET_INFORMER_STATS; typedef struct _KPHM_GET_INFORMER_CLIENT_STATS { NTSTATUS Status; PKPH_INFORMER_CLIENT_STATS Stats; } KPHM_GET_INFORMER_CLIENT_STATS, *PKPHM_GET_INFORMER_CLIENT_STATS; // // KPH -> PH // typedef struct _KPHM_PROCESS_CREATE { CLIENT_ID CreatingClientId; ULONG64 CreatingProcessStartKey; PVOID CreatingThreadSubProcessTag; HANDLE TargetProcessId; ULONG64 TargetProcessStartKey; HANDLE ParentProcessId; ULONG64 ParentProcessStartKey; union { ULONG Flags; struct { ULONG FileOpenNameAvailable : 1; ULONG IsSubsystemProcess : 1; ULONG Reserved : 30; }; }; PVOID FileObject; // // Dynamic // // id: KphMsgFieldFileName type: KphMsgTypeUnicodeString // id: KphMsgFieldCommandLine type: KphMsgTypeUnicodeString // } KPHM_PROCESS_CREATE, *PKPHM_PROCESS_CREATE; typedef struct _KPHM_PROCESS_CREATE_REPLY { NTSTATUS CreationStatus; } KPHM_PROCESS_CREATE_REPLY, *PKPHM_PROCESS_CREATE_REPLY; typedef struct _KPHM_PROCESS_EXIT { CLIENT_ID ClientId; ULONG64 ProcessStartKey; PVOID ThreadSubProcessTag; NTSTATUS ExitStatus; } KPHM_PROCESS_EXIT, *PKPHM_PROCESS_EXIT; typedef struct _KPHM_THREAD_CREATE { CLIENT_ID CreatingClientId; ULONG64 CreatingProcessStartKey; PVOID CreatingThreadSubProcessTag; CLIENT_ID TargetClientId; ULONG64 TargetProcessStartKey; } KPHM_THREAD_CREATE, *PKPHM_THREAD_CREATE; typedef struct _KPHM_THREAD_EXECUTE { CLIENT_ID ClientId; ULONG64 ProcessStartKey; PVOID ThreadSubProcessTag; } KPHM_THREAD_EXECUTE, *PKPHM_THREAD_EXECUTE; typedef struct _KPHM_THREAD_EXIT { CLIENT_ID ClientId; ULONG64 ProcessStartKey; PVOID ThreadSubProcessTag; NTSTATUS ExitStatus; } KPHM_THREAD_EXIT, *PKPHM_THREAD_EXIT; typedef struct _KPHM_IMAGE_LOAD { CLIENT_ID LoadingClientId; ULONG64 LoadingProcessStartKey; PVOID LoadingThreadSubProcessTag; HANDLE TargetProcessId; ULONG64 TargetProcessStartKey; union { ULONG Properties; struct { ULONG ImageAddressingMode : 8; ULONG SystemModeImage : 1; ULONG ImageMappedToAllPids : 1; ULONG ExtendedInfoPresent : 1; ULONG MachineTypeMismatch : 1; ULONG ImageSignatureLevel : 4; ULONG ImageSignatureType : 3; ULONG ImagePartialMap : 1; ULONG Reserved : 12; }; }; PVOID ImageBase; ULONG ImageSelector; SIZE_T ImageSize; ULONG ImageSectionNumber; PVOID FileObject; // // Dynamic // // id: KphMsgFieldFileName type: KphMsgTypeUnicodeString // } KPHM_IMAGE_LOAD, *PKPHM_IMAGE_LOAD; typedef struct _KPHM_DEBUG_PRINT { CLIENT_ID ContextClientId; ULONG ComponentId; ULONG Level; // // Dynamic // // id: KphMsgFieldOutput type: KphMsgTypeAnsiString // } KPHM_DEBUG_PRINT, *PKPHM_DEBUG_PRINT; typedef struct _KPHM_HANDLE { CLIENT_ID ContextClientId; ULONG64 ContextProcessStartKey; PVOID ContextThreadSubProcessTag; union { ULONG Flags; struct { ULONG KernelHandle : 1; ULONG Reserved : 31; }; }; PVOID Object; union { USHORT Information; struct { USHORT PostOperation : 1; USHORT Duplicate : 1; // Create = 0, Duplicate = 1 USHORT Spare : 14; }; }; ULONG64 Sequence; union { struct { ACCESS_MASK DesiredAccess; ACCESS_MASK OriginalDesiredAccess; union { struct { union { struct { HANDLE ProcessId; } Process; // KphMsgHandlePreCreateProcess struct { CLIENT_ID ClientId; PVOID SubProcessTag; } Thread; // KphMsgHandlePreCreateThread }; } Create; struct { HANDLE SourceProcessId; HANDLE TargetProcessId; union { struct { HANDLE ProcessId; } Process; // KphMsgHandlePreDuplicateProcess struct { CLIENT_ID ClientId; PVOID SubProcessTag; } Thread; // KphMsgHandlePreDuplicateThread }; } Duplicate; }; } Pre; struct { ULONG64 PreSequence; LARGE_INTEGER PreTimeStamp; NTSTATUS ReturnStatus; ACCESS_MASK GrantedAccess; ACCESS_MASK DesiredAccess; ACCESS_MASK OriginalDesiredAccess; union { struct { union { struct { HANDLE ProcessId; } Process; // KphMsgHandlePostCreateProcess struct { CLIENT_ID ClientId; PVOID SubProcessTag; } Thread; // KphMsgHandlePostCreateThread }; } Create; struct { HANDLE SourceProcessId; HANDLE TargetProcessId; union { struct { HANDLE ProcessId; } Process; // KphMsgHandlePostDuplicateProcess struct { CLIENT_ID ClientId; PVOID SubProcessTag; } Thread; // KphMsgHandlePostDuplicateThread }; } Duplicate; }; } Post; }; // // Dynamic // // id: KphMsgFieldObjectName type: KphMsgTypeUnicodeString // - KphMsgHandlePreCreateDesktop // - KphMsgHandlePostCreateDesktop // - KphMsgHandlePreDuplicateDesktop // - KphMsgHandlePostDuplicateDesktop // } KPHM_HANDLE, *PKPHM_HANDLE; typedef struct _KPHM_REQUIRED_STATE_FAILURE { CLIENT_ID ClientId; enum _KPH_MESSAGE_ID MessageId; KPH_PROCESS_STATE ClientState; KPH_PROCESS_STATE RequiredState; } KPHM_REQUIRED_STATE_FAILURE, *PKPHM_REQUIRED_STATE_FAILURE; // // FLT_PARAMETERS adapted for KPH_MESSAGE, there are some minor renaming of // members to fit with KPH_MESSAGE convention. // #pragma warning(push) #pragma warning(disable : 4324) // structure was padded due to alignment specifier typedef union _KPHM_FILE_PARAMETERS { // FLT_PARAMETERS.Create struct { PVOID SecurityContext; //PIO_SECURITY_CONTEXT ULONG Options; USHORT POINTER_ALIGNMENT FileAttributes; USHORT ShareAccess; ULONG POINTER_ALIGNMENT EaLength; PVOID EaBuffer; LARGE_INTEGER AllocationSize; } Create; // FLT_PARAMETERS.CreatePipe struct { PVOID SecurityContext; //PIO_SECURITY_CONTEXT ULONG Options; USHORT POINTER_ALIGNMENT Reserved; USHORT ShareAccess; PVOID Parameters; } CreateNamedPipe; // FLT_PARAMETERS.CreateMailslot struct { PVOID SecurityContext; // PIO_SECURITY_CONTEXT ULONG Options; USHORT POINTER_ALIGNMENT Reserved; USHORT ShareAccess; PVOID Parameters; } CreateMailslot; // FLT_PARAMETERS.Read struct { ULONG Length; ULONG POINTER_ALIGNMENT Key; LARGE_INTEGER ByteOffset; PVOID ReadBuffer; PVOID MdlAddress; // PMDL } Read; // FLT_PARAMETERS.Write struct { ULONG Length; ULONG POINTER_ALIGNMENT Key; LARGE_INTEGER ByteOffset; PVOID WriteBuffer; PVOID MdlAddress; // PMDL } Write; // FLT_PARAMETERS.QueryFileInformation struct { ULONG Length; FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass; PVOID InfoBuffer; } QueryInformation; // FLT_PARAMETERS.SetFileInformation struct { ULONG Length; FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass; PFILE_OBJECT ParentOfTarget; union { struct { BOOLEAN ReplaceIfExists; BOOLEAN AdvanceOnly; }; ULONG ClusterCount; HANDLE DeleteHandle; }; PVOID InfoBuffer; } SetInformation; // FLT_PARAMETERS.QueryEa struct { ULONG Length; PVOID EaList; ULONG EaListLength; ULONG POINTER_ALIGNMENT EaIndex; PVOID EaBuffer; PVOID MdlAddress; // PMDL } QueryEa; // FLT_PARAMETERS.SetEa struct { ULONG Length; PVOID EaBuffer; PVOID MdlAddress; // PMDL } SetEa; // FLT_PARAMETERS.QueryVolumeInformation struct { ULONG Length; FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass; PVOID VolumeBuffer; } QueryVolumeInformation; // FLT_PARAMETERS.SetVolumeInformation struct { ULONG Length; FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass; PVOID VolumeBuffer; } SetVolumeInformation; // FLT_PARAMETERS.DirectoryControl union { struct { ULONG Length; PUNICODE_STRING FileName; FILE_INFORMATION_CLASS FileInformationClass; ULONG POINTER_ALIGNMENT FileIndex; PVOID DirectoryBuffer; PVOID MdlAddress; // PMDL } QueryDirectory; struct { ULONG Length; ULONG POINTER_ALIGNMENT CompletionFilter; ULONG POINTER_ALIGNMENT Spare1; ULONG POINTER_ALIGNMENT Spare2; PVOID DirectoryBuffer; PVOID MdlAddress; // PMDL } NotifyDirectory; struct { ULONG Length; ULONG POINTER_ALIGNMENT CompletionFilter; DIRECTORY_NOTIFY_INFORMATION_CLASS POINTER_ALIGNMENT DirectoryNotifyInformationClass; ULONG POINTER_ALIGNMENT Spare2; PVOID DirectoryBuffer; PVOID MdlAddress; // PMDL } NotifyDirectoryEx; } DirectoryControl; // FLT_PARAMETERS.FileSystemControl union { struct { PVOID Vpb; // PVPB PDEVICE_OBJECT DeviceObject; } VerifyVolume; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT FsControlCode; } Common; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT FsControlCode; PVOID InputBuffer; PVOID OutputBuffer; PVOID OutputMdlAddress; // PMDL } Neither; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT FsControlCode; PVOID SystemBuffer; } Buffered; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT FsControlCode; PVOID InputSystemBuffer; PVOID OutputBuffer; PVOID OutputMdlAddress; // PMDL } Direct; } FileSystemControl; // FLT_PARAMETERS.DeviceIoControl union { struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT IoControlCode; } Common; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT IoControlCode; PVOID InputBuffer; PVOID OutputBuffer; PVOID OutputMdlAddress; // PMDL } Neither; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT IoControlCode; PVOID SystemBuffer; } Buffered; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT IoControlCode; PVOID InputSystemBuffer; PVOID OutputBuffer; PVOID OutputMdlAddress; // PMDL } Direct; struct { ULONG OutputBufferLength; ULONG POINTER_ALIGNMENT InputBufferLength; ULONG POINTER_ALIGNMENT IoControlCode; PVOID InputBuffer; PVOID OutputBuffer; } FastIo; } DeviceControl; // FLT_PARAMETERS.LockControl struct { PLARGE_INTEGER Length; ULONG POINTER_ALIGNMENT Key; LARGE_INTEGER ByteOffset; PVOID ProcessId; // PEPROCESS BOOLEAN FailImmediately; BOOLEAN ExclusiveLock; } LockControl; // FLT_PARAMETERS.QuerySecurity struct { SECURITY_INFORMATION SecurityInformation; ULONG POINTER_ALIGNMENT Length; PVOID SecurityBuffer; PVOID MdlAddress; // PMDL } QuerySecurity; // FLT_PARAMETERS.SetSecurity struct { SECURITY_INFORMATION SecurityInformation; PSECURITY_DESCRIPTOR SecurityDescriptor; } SetSecurity; // FLT_PARAMETERS.WMI struct { ULONG_PTR ProviderId; PVOID DataPath; ULONG BufferSize; PVOID Buffer; } SystemControl; // FLT_PARAMETERS.QueryQuota struct { ULONG Length; PSID StartSid; PFILE_GET_QUOTA_INFORMATION SidList; ULONG SidListLength; PVOID QuotaBuffer; PVOID MdlAddress; // PMDL } QueryQuota; // FLT_PARAMETERS.SetQuota struct { ULONG Length; PVOID QuotaBuffer; PVOID MdlAddress; // PMDL } SetQuota; // FLT_PARAMETERS.Pnp union { struct { PVOID AllocatedResources; // PCM_RESOURCE_LIST PVOID AllocatedResourcesTranslated; // PCM_RESOURCE_LIST } StartDevice; struct { DEVICE_RELATION_TYPE Type; } QueryDeviceRelations; struct { CONST GUID *InterfaceType; USHORT Size; USHORT Version; PVOID Interface; // PINTERFACE PVOID InterfaceSpecificData; } QueryInterface; struct { PVOID Capabilities; // PDEVICE_CAPABILITIES } DeviceCapabilities; struct { PVOID IoResourceRequirementList; // PIO_RESOURCE_REQUIREMENTS_LIST } FilterResourceRequirements; struct { ULONG WhichSpace; PVOID Buffer; ULONG Offset; ULONG POINTER_ALIGNMENT Length; } ReadWriteConfig; struct { BOOLEAN Lock; } SetLock; struct { BUS_QUERY_ID_TYPE IdType; } QueryId; struct { DEVICE_TEXT_TYPE DeviceTextType; LCID POINTER_ALIGNMENT LocaleId; } QueryDeviceText; struct { BOOLEAN InPath; BOOLEAN Reserved[3]; DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type; } UsageNotification; } Pnp; // FLT_PARAMETERS.AcquireForSectionSynchronization struct { FS_FILTER_SECTION_SYNC_TYPE SyncType; ULONG PageProtection; PVOID OutputInformation; // PFS_FILTER_SECTION_SYNC_OUTPUT ULONG Flags; ULONG AllocationAttributes; } AcquireForSectionSync; // FLT_PARAMETERS.AcquireForModifiedPageWriter struct { PLARGE_INTEGER EndingOffset; PVOID *ResourceToRelease; // PERESOURCE } AcquireForModWrite; // FLT_PARAMETERS.ReleaseForModifiedPageWriter struct { PVOID ResourceToRelease; // PERESOURCE } ReleaseForModWrite; // FLT_PARAMETERS.QueryOpen struct { PIRP Irp; PVOID FileInformation; PULONG Length; FILE_INFORMATION_CLASS FileInformationClass; } QueryOpen; // FLT_PARAMETERS.FastIoCheckIfPossible struct { LARGE_INTEGER FileOffset; ULONG Length; ULONG POINTER_ALIGNMENT LockKey; BOOLEAN POINTER_ALIGNMENT CheckForReadOperation; } FastIoCheckIfPossible; // FLT_PARAMETERS.NetworkQueryOpen struct { PIRP Irp; PFILE_NETWORK_OPEN_INFORMATION NetworkInformation; } NetworkQueryOpen; // FLT_PARAMETERS.MdlRead struct { LARGE_INTEGER FileOffset; ULONG POINTER_ALIGNMENT Length; ULONG POINTER_ALIGNMENT Key; PVOID *MdlChain; // PMDL } MdlRead; // FLT_PARAMETERS.MdlReadComplete struct { PVOID MdlChain; // PMDL } MdlReadComplete; // FLT_PARAMETERS.PrepareMdlWrite struct { LARGE_INTEGER FileOffset; ULONG POINTER_ALIGNMENT Length; ULONG POINTER_ALIGNMENT Key; PVOID *MdlChain; // PMDL } PrepareMdlWrite; // FLT_PARAMETERS.MdlWriteComplete struct { LARGE_INTEGER FileOffset; PVOID MdlChain; // PMDL } MdlWriteComplete; // FLT_PARAMETERS.MountVolume struct { ULONG DeviceType; } VolumeMount; // FLT_PARAMETERS.Others struct { PVOID Argument1; PVOID Argument2; PVOID Argument3; PVOID Argument4; PVOID Argument5; LARGE_INTEGER Argument6; } Others; } KPHM_FILE_PARAMETERS, *PKPHM_FILE_PARAMETERS; #pragma warning(pop) // // COPY_INFORMATION // typedef struct _KPHM_COPY_INFORMATION { PVOID SourceFileObject; ULONG64 SourceFileOffset; } KPHM_COPY_INFORMATION, *PKPHM_COPY_INFORMATION; typedef struct _KPHM_FILE { CLIENT_ID ClientId; ULONG64 ProcessStartKey; PVOID ThreadSubProcessTag; UCHAR MajorFunction; // IRP_MJ_* UCHAR MinorFunction; // IRP_MN_* UCHAR Irql; // KeGetCurrentIrql UCHAR OperationFlags; // SL_* IO_STACK_LOCATION.Flags ULONG FltFlags; // FLTFL_CALLBACK_DATA_* FLT_CALLBACK_DATA.Flags ULONG IrpFlags; // IRP_* IRP.Flags ULONG Flags; // FO_* FILE_OBJECT.Flags union { ULONG Information; struct { ULONG RequestorMode : 1; // KernelMode == 0, UserMode == 1 ULONG IsPagingFile : 1; // FsRtlIsPagingFile ULONG IsSystemPagingFile : 1; // FsRtlIsSystemPagingFile ULONG OriginRemote : 1; // IoIsFileOriginRemote ULONG IgnoringSharing : 1; // IoIsFileObjectIgnoringSharing ULONG InStackFileObject : 1; // IoGetStackLimits FLT_RELATED_OBJECTS.FileObject ULONG LockOperation : 1; // FILE_OBJECT.LockOperation ULONG DeletePending : 1; // FILE_OBJECT.DeletePending ULONG ReadAccess : 1; // FILE_OBJECT.ReadAccess ULONG WriteAccess : 1; // FILE_OBJECT.WriteAccess ULONG DeleteAccess : 1; // FILE_OBJECT.DeleteAccess ULONG SharedRead : 1; // FILE_OBJECT.SharedRead ULONG SharedWrite : 1; // FILE_OBJECT.SharedWrite ULONG SharedDelete : 1; // FILE_OBJECT.SharedDelete ULONG Busy : 1; // FILE_OBJECT.Busy ULONG Spare : 1; ULONG TransactionContext : 16; // FLT_RELATED_OBJECTS.TransactionContext }; }; ULONG Waiters; // FILE_OBJECT.Waiters LARGE_INTEGER CurrentByteOffset; // FILE_OBJECT.CurrentByteOffset OPLOCK_KEY_CONTEXT OplockKeyContext; // IoGetOplockKeyContextEx KPHM_COPY_INFORMATION CopyInformation; // FltGetCopyInformationFromCallbackData union { ULONG64 Information2; struct { ULONG64 OpenedAsCopySource : 1; // IoCheckFileObjectOpenedAsCopySource ULONG64 OpenedAsCopyDestination : 1; // IoCheckFileObjectOpenedAsCopyDestination ULONG64 Spare2 : 62; }; }; PVOID Volume; // FLT_RELATED_OBJECTS.Volume PVOID FileObject; // FLT_RELATED_OBJECTS.FileObject PVOID Transaction; // FLT_RELATED_OBJECTS.Transaction PVOID DataSectionObject; // FILE_OBJECT.SectionObjectPointer.DataSectionObject PVOID ImageSectionObject; // FILE_OBJECT.SectionObjectPointer.ImageSectionObject ULONG64 Sequence; KPHM_FILE_PARAMETERS Parameters; union { struct { union { struct { BOOLEAN MaybeTunneledFileName; } Create; struct { NAMED_PIPE_CREATE_PARAMETERS Parameters; } CreateNamedPipe; struct { BOOLEAN MaybeTunneledFileName; BOOLEAN MaybeTunneledDestinationFileName; } SetInformation; struct { LARGE_INTEGER Length; } LockControl; struct { MAILSLOT_CREATE_PARAMETERS Parameters; } CreateMailslot; struct { LARGE_INTEGER EndingOffset; } AcquireForModWrite; struct { ULONG Length; } QueryOpen; }; } Pre; struct { ULONG64 PreSequence; LARGE_INTEGER PreTimeStamp; IO_STATUS_BLOCK IoStatus; union { struct { BOOLEAN TunneledFileName; } Create; struct { BOOLEAN TunneledFileName; BOOLEAN TunneledDestinationFileName; } SetInformation; }; } Post; }; // // Dynamic // // id: KphMsgFieldFileName type: KphMsgTypeUnicodeString // // id: KphMsgFieldEaBuffer type: KphMsgTypeSizedBuffer // - KphMsgFilePreCreate // // id: KphMsgFieldInformationBuffer type: KphMsgTypeSizedBuffer // - KphMsgFilePreSetInformation // - KphMsgFilePreQueryEa // - KphMsgFilePreSetEa // - KphMsgFilePreSetVolumeInformation // - KphMsgFilePostQueryEa // - KphMsgFilePostQueryVolumeInformation // - KphMsgFilePostDirectoryControl // - KphMsgFilePostQuerySecurity // - KphMsgFilePostQueryOpen // - KphMsgFilePostNetworkQueryOpen // // id: KphMsgFieldDestinationFileName type: KphMsgTypeUnicodeString // - KphMsgFilePreDirectoryControl // - KphMsgFilePreSetInformation // - FileInformationClass == FileRename* || FileLink* // - KphMsgFilePostSetInformation // - FileInformationClass == FileRename* || FileLink* // // id: KphMsgFieldInput type: KphMsgTypeSizedBuffer // - KphMsgFilePreFileSystemControl // - KphMsgFilePreDeviceControl // - KphMsgFilePreInternalDeviceControl // - KphMsgFilePostFileSystemControl // - KphMsgFilePostDeviceControl // - KphMsgFilePostInternalDeviceControl // // id: KphMsgFieldOutput type: KphMsgTypeSizedBuffer // - KphMsgFilePreFileSystemControl // - KphMsgFilePreDeviceControl // - KphMsgFilePreInternalDeviceControl // - KphMsgFilePostFileSystemControl // - KphMsgFilePostDeviceControl // - KphMsgFilePostInternalDeviceControl // } KPHM_FILE, *PKPHM_FILE; typedef struct _KPHM_FILE_REPLY { union { struct { struct { NTSTATUS Status; } Create; } Pre; struct { struct { NTSTATUS Status; } Create; } Post; }; } KPHM_FILE_REPLY, *PKPHM_FILE_REPLY; typedef union _KPHM_REGISTRY_PARAMETERS { struct { PUNICODE_STRING ValueName; ULONG TitleIndex; ULONG Type; PVOID Data; ULONG DataSize; } SetValueKey; struct { PUNICODE_STRING ValueName; } DeleteValueKey; struct { KEY_SET_INFORMATION_CLASS KeySetInformationClass; PVOID KeySetInformation; ULONG KeySetInformationLength; } SetInformationKey; struct { PUNICODE_STRING NewName; } RenameKey; struct { ULONG Index; KEY_INFORMATION_CLASS KeyInformationClass; PVOID KeyInformation; ULONG Length; PULONG ResultLength; } EnumerateKey; struct { ULONG Index; KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass; PVOID KeyValueInformation; ULONG Length; PULONG ResultLength; } EnumerateValueKey; struct { KEY_INFORMATION_CLASS KeyInformationClass; PVOID KeyInformation; ULONG Length; PULONG ResultLength; } QueryKey; struct { PUNICODE_STRING ValueName; KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass; PVOID KeyValueInformation; ULONG Length; PULONG ResultLength; } QueryValueKey; struct { PKEY_VALUE_ENTRY ValueEntries; ULONG EntryCount; PVOID ValueBuffer; PULONG BufferLength; PULONG RequiredBufferLength; } QueryMultipleValueKey; struct { PUNICODE_STRING CompleteName; PVOID RootObject; PVOID ObjectType; ULONG Options; PUNICODE_STRING Class; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; ACCESS_MASK DesiredAccess; ACCESS_MASK GrantedAccess; PULONG Disposition; PUNICODE_STRING RemainingName; ULONG Wow64Flags; ULONG Attributes; UCHAR CheckAccessMode; } CreateKey; struct { PUNICODE_STRING CompleteName; PVOID RootObject; PVOID ObjectType; ULONG Options; PUNICODE_STRING Class; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; ACCESS_MASK DesiredAccess; ACCESS_MASK GrantedAccess; PULONG Disposition; PUNICODE_STRING RemainingName; ULONG Wow64Flags; ULONG Attributes; UCHAR CheckAccessMode; } OpenKey; struct { PVOID RootObject; PUNICODE_STRING KeyName; PUNICODE_STRING SourceFile; ULONG Flags; PVOID TrustClassObject; PVOID UserEvent; ACCESS_MASK DesiredAccess; PHANDLE RootHandle; PVOID FileAccessToken; } LoadKey; struct { PVOID UserEvent; } UnLoadKey; struct { PSECURITY_INFORMATION SecurityInformation; PSECURITY_DESCRIPTOR SecurityDescriptor; PULONG Length; } QueryKeySecurity; struct { PSECURITY_INFORMATION SecurityInformation; PSECURITY_DESCRIPTOR SecurityDescriptor; } SetKeySecurity; struct { HANDLE FileHandle; ULONG Flags; } RestoreKey; struct { HANDLE FileHandle; ULONG Format; } SaveKey; struct { PUNICODE_STRING OldFileName; PUNICODE_STRING NewFileName; } ReplaceKey; struct { POBJECT_NAME_INFORMATION ObjectNameInfo; ULONG Length; PULONG ReturnLength; } QueryKeyName; struct { HANDLE FileHandle; PVOID HighKeyObject; PVOID LowKeyObject; } SaveMergedKey; } KPHM_REGISTRY_PARAMETERS, *PKPHM_REGISTRY_PARAMETERS; typedef struct _KPHM_REGISTRY { CLIENT_ID ClientId; ULONG64 ProcessStartKey; PVOID ThreadSubProcessTag; union { USHORT Information; struct { USHORT PostOperation : 1; USHORT PreviousMode : 1; // KernelMode == 0, UserMode == 1 USHORT Spare : 14; }; }; PVOID Object; ULONG_PTR ObjectId; // CmCallbackGetKeyObjectIDEx PVOID Transaction; // CmGetBoundTransaction ULONG64 Sequence; KPHM_REGISTRY_PARAMETERS Parameters; union { struct { union { struct { ULONG BufferLength; } QueryMultipleValueKey; struct { SECURITY_INFORMATION SecurityInformation; ULONG Length; } QueryKeySecurity; struct { SECURITY_INFORMATION SecurityInformation; } SetKeySecurity; struct { ULONG_PTR LowKeyObjectId; PVOID LowKeyTransaction; } SaveMergedKey; }; } Pre; struct { ULONG64 PreSequence; LARGE_INTEGER PreTimeStamp; NTSTATUS Status; union { struct { ULONG ResultLength; } EnumerateKey; struct { ULONG ResultLength; } EnumerateValueKey; struct { ULONG ResultLength; } QueryKey; struct { ULONG ResultLength; } QueryValueKey; struct { ULONG BufferLength; ULONG RequiredBufferLength; } QueryMultipleValueKey; struct { ULONG Disposition; } CreateKey; struct { ULONG Disposition; } OpenKey; struct { HANDLE RootHandle; } LoadKey; struct { ULONG Length; } QueryKeySecurity; struct { ULONG ReturnLength; } QueryKeyName; struct { ULONG_PTR LowKeyObjectId; PVOID LowKeyTransaction; } SaveMergedKey; }; } Post; }; // // Dynamic // // id: KphMsgFieldObjectName type: KphMsgTypeUnicodeString // // id: KphMsgFieldValueName type: KphMsgTypeUnicodeString // - KphMsgRegPreSetValueKey // - KphMsgRegPreDeleteValueKey // - KphMsgRegPostSetValueKey // - KphMsgRegPostDeleteValueKey // // id: KphMsgFieldValueBuffer type: KphMsgTypeSizedBuffer // - KphMsgRegPreSetValueKey // - KphMsgRegPostQueryValueKey // - KphMsgRegPostQueryMultipleValueKey // // id: KphMsgFieldInformationBuffer type: KphMsgTypeSizedBuffer // - KphMsgRegPreSetInformationKey // - KphMsgRegPostEnumerateKey // - KphMsgRegPostEnumerateValueKey // - KphMsgRegPostQueryKey // // id: KphMsgFieldNewName type: KphMsgTypeSizedBuffer // - KphMsgRegPreRenameKey // // id: KphMsgFieldMultiValueNames type: KphMsgTypeSizedBuffer // - KphMsgRegPreQueryMultipleValueKey // - KphMsgRegPostQueryMultipleValueKey // // id: KphMsgFieldMultiValueEntries type: KphMsgTypeSizedBuffer // - KphMsgRegPostQueryMultipleValueKey // // id: KphMsgFieldClass type: KphMsgTypeUnicodeString // - KphMsgRegPreCreateKey // // id: KphMsgFieldFileName type: KphMsgTypeUnicodeString // - KphMsgRegPreLoadKey // - KphMsgRegPreRestoreKey // - KphMsgRegPreSaveKey // - KphMsgRegPreReplaceKey // - KphMsgRegPreSaveMergedKey // - KphMsgRegPostLoadKey // - KphMsgRegPostRestoreKey // - KphMsgRegPostSaveKey // - KphMsgRegPostReplaceKey // - KphMsgRegPostSaveMergedKey // // id: KphMsgFieldDestinationFileName type: KphMsgTypeUnicodeString // - KphMsgRegPreRenameKey // - KphMsgRegPostRenameKey // // id: KphMsgFieldOtherObjectName type: KphMsgTypeUnicodeString // - KphMsgRegPreSaveMergedKey // - KphMsgRegPostSaveMergedKey // } KPHM_REGISTRY, *PKPHM_REGISTRY; typedef struct _KPHM_IMAGE_VERIFY { CLIENT_ID ClientId; ULONG64 ProcessStartKey; PVOID ThreadSubProcessTag; ULONG ImageType; // SE_IMAGE_TYPE ULONG Classification; // BDCB_CLASSIFICATION ULONG ImageFlags; ULONG ImageHashAlgorithm; ULONG ThumbprintHashAlgorithm; // // Dynamic // // id: KphMsgFieldFileName type: KphMsgTypeUnicodeString // id: KphMsgFieldHash type: KphMsgTypeSizedBuffer // id: KphMsgFieldCertificatePublisher type: KphMsgTypeUnicodeString // id: KphMsgFieldCertificateIssuer type: KphMsgTypeUnicodeString // id: KphMsgFieldCertificateThumbprint type: KphMsgTypeSizedBuffer // id: KphMsgFieldRegistryPath type: KphMsgTypeUnicodeString // } KPHM_IMAGE_VERIFY, *PKPHM_IMAGE_VERIFY; #pragma warning(pop) ================================================ FILE: kphlib/include/kphmsgdyn.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #pragma once #include EXTERN_C_START typedef struct _KPHM_STACK_TRACE { USHORT Count; PVOID* Frames; } KPHM_STACK_TRACE, *PKPHM_STACK_TRACE; typedef struct _KPHM_SIZED_BUFFER { USHORT Size; PBYTE Buffer; } KPHM_SIZED_BUFFER, *PKPHM_SIZED_BUFFER; VOID KphMsgDynClear( _Inout_ PKPH_MESSAGE Message ); VOID KphMsgDynClearLast( _Inout_ PKPH_MESSAGE Message ); USHORT KphMsgDynRemaining( _In_ PCKPH_MESSAGE Message ); _Must_inspect_result_ NTSTATUS KphMsgDynAddUnicodeString( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PCUNICODE_STRING String ); NTSTATUS KphMsgDynGetUnicodeString( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PUNICODE_STRING String ); _Must_inspect_result_ NTSTATUS KphMsgDynAddAnsiString( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PCANSI_STRING String ); NTSTATUS KphMsgDynGetAnsiString( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PANSI_STRING String ); _Must_inspect_result_ NTSTATUS KphMsgDynAddStackTrace( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PKPHM_STACK_TRACE StackTrace ); NTSTATUS KphMsgDynGetStackTrace( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PKPHM_STACK_TRACE StackTrace ); _Must_inspect_result_ NTSTATUS KphMsgDynAddSizedBuffer( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PKPHM_SIZED_BUFFER SizedBuffer ); NTSTATUS KphMsgDynGetSizedBuffer( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PKPHM_SIZED_BUFFER SizedBuffer ); EXTERN_C_END ================================================ FILE: kphlib/include/kphringbuff.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025-2026 * */ #pragma once #pragma warning(push) #pragma warning(disable : 4201) #pragma warning(disable : 4324) typedef struct _KPH_RING_HEADER { union { struct { ULONG64 Length : 30; ULONG64 Busy : 1; ULONG64 Discard : 1; ULONG64 Reset : 1; ULONG64 Alignment : 4; ULONG64 Spare : 27; }; ULONG64 Value; }; #ifdef _WIN64 ULONG64 Padding; #endif } KPH_RING_HEADER, *PKPH_RING_HEADER; C_ASSERT(sizeof(KPH_RING_HEADER) == MEMORY_ALLOCATION_ALIGNMENT); #define KPH_RING_BUFFER_HEADER_SIZE MEMORY_ALLOCATION_ALIGNMENT #define KPH_RING_BUFFER_RESERVE_MAX (((1UL << 30) - 1) - \ (MEMORY_ALLOCATION_ALIGNMENT - 1) - \ (KPH_RING_BUFFER_HEADER_SIZE * 2)) typedef struct _KPH_RING_CONSUMER_BLOCK { ULONG Position; ULONG Processing; } KPH_RING_CONSUMER_BLOCK, *PKPH_RING_CONSUMER_BLOCK; typedef struct _KPH_RING_PRODUCER_BLOCK { ULONG Position; ULONG Length; DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) BYTE Buffer[ANYSIZE_ARRAY]; } KPH_RING_PRODUCER_BLOCK, *PKPH_RING_PRODUCER_BLOCK; typedef struct _KPH_RING_BUFFER_USER { PKPH_RING_CONSUMER_BLOCK Consumer; PKPH_RING_PRODUCER_BLOCK Producer; } KPH_RING_BUFFER_USER, *PKPH_RING_BUFFER_USER; typedef _Function_class_(KPH_RING_CALLBACK) BOOLEAN NTAPI KPH_RING_CALLBACK( _In_opt_ PVOID Context, _In_bytecount_(Length) PVOID Buffer, _In_ ULONG Length ); typedef KPH_RING_CALLBACK* PKPH_RING_CALLBACK; BOOLEAN KphProcessRingBuffer( _In_ PKPH_RING_BUFFER_USER Ring, _In_ PKPH_RING_CALLBACK Callback, _In_opt_ PVOID Context ); typedef struct _KPH_RING_BUFFER_CONNECT { _In_ ULONG Length; _In_opt_ HANDLE EventHandle; _Out_ KPH_RING_BUFFER_USER Ring; } KPH_RING_BUFFER_CONNECT, *PKPH_RING_BUFFER_CONNECT; #pragma warning(pop) ================================================ FILE: kphlib/include/sistatus.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * sistatus.h IS AN AUTOGENERATED FILE, DO NOT MODIFY * * Changes should be made in sistatus.mc * */ #ifndef SI_STATUS_H #define SI_STATUS_H // // Values are 32 bit values laid out as follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---+-+-+-----------------------+-------------------------------+ // |Sev|C|R| Facility | Code | // +---+-+-+-----------------------+-------------------------------+ // // where // // Sev - is the severity code // // 00 - Success // 01 - Informational // 10 - Warning // 11 - Error // // C - is the Customer code flag // // R - is a reserved bit // // Facility - is the facility code // // Code - is the facility's status code // // // Define the facility codes // #define FACILITY_SI 0x1 #define FACILITY_SI_DYNDATA 0x2 #define FACILITY_KSI 0x3 // // Define the severity codes // #define STATUS_SEVERITY_SUCCESS 0x0 #define STATUS_SEVERITY_INFORMATIONAL 0x1 #define STATUS_SEVERITY_WARNING 0x2 #define STATUS_SEVERITY_ERROR 0x3 // // MessageId: STATUS_SI_DYNDATA_UNSUPPORTED_KERNEL // // MessageText: // // System Informer dynamic data is not yet supported on this kernel version. // #define STATUS_SI_DYNDATA_UNSUPPORTED_KERNEL ((NTSTATUS)0xE0020001L) // // MessageId: STATUS_SI_DYNDATA_VERSION_MISMATCH // // MessageText: // // System Informer dynamic data version is incompatible. // #define STATUS_SI_DYNDATA_VERSION_MISMATCH ((NTSTATUS)0xE0020002L) // // MessageId: STATUS_SI_DYNDATA_INVALID_LENGTH // // MessageText: // // System Informer dynamic data is an invalid length. // #define STATUS_SI_DYNDATA_INVALID_LENGTH ((NTSTATUS)0xE0020003L) // // MessageId: STATUS_SI_DYNDATA_INVALID_SIGNATURE // // MessageText: // // System Informer dynamic data signature is invalid. // #define STATUS_SI_DYNDATA_INVALID_SIGNATURE ((NTSTATUS)0xE0020004L) // // MessageId: STATUS_SI_KSIDLL_VERSION_MISMATCH // // MessageText: // // System Informer kernel library version is incompatible. // #define STATUS_SI_KSIDLL_VERSION_MISMATCH ((NTSTATUS)0xE0030001L) #endif ================================================ FILE: kphlib/include/sistatus.rc ================================================ LANGUAGE 0x9,0x1 1 11 "sistatus_MSG00001.bin" ================================================ FILE: kphlib/kphdyn.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY * */ #include #ifdef _WIN64 CONST BYTE KphDynConfig[] = { 0x10, 0x00, 0x00, 0x00, 0x52, 0x53, 0x41, 0x31, 0x00, 0x10, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0xde, 0x4c, 0x64, 0xca, 0x4e, 0xea, 0x1c, 0x06, 0xbd, 0x40, 0x42, 0x46, 0x3a, 0x80, 0x2e, 0xb1, 0x13, 0xce, 0x53, 0x6b, 0x00, 0xc0, 0x53, 0x79, 0x54, 0xb2, 0xf3, 0xc2, 0xad, 0x21, 0xfd, 0xb4, 0x06, 0xb2, 0xa7, 0x8f, 0x75, 0xc4, 0xf2, 0xc9, 0x6b, 0x30, 0x7e, 0x46, 0x48, 0x70, 0x58, 0x38, 0x26, 0x14, 0x63, 0xc9, 0xb7, 0xb6, 0x28, 0x90, 0xa5, 0x3e, 0x03, 0xfc, 0x30, 0xd7, 0xe0, 0xf9, 0x06, 0xc1, 0x08, 0x5a, 0x7a, 0x1d, 0x64, 0x2b, 0x2c, 0x21, 0x25, 0x4d, 0x97, 0x22, 0x66, 0xd6, 0x2b, 0x16, 0x4b, 0x83, 0xa7, 0x00, 0x40, 0xff, 0xd4, 0xb3, 0xb9, 0xed, 0x6b, 0x11, 0x89, 0x87, 0x7b, 0xaa, 0xfd, 0x27, 0x9d, 0x9c, 0x2c, 0x2c, 0x6d, 0xad, 0x8e, 0xd7, 0xbc, 0xe2, 0x0a, 0xce, 0x27, 0x08, 0x35, 0xde, 0x32, 0x77, 0xac, 0xc6, 0x21, 0xba, 0x06, 0xeb, 0xd2, 0xce, 0x5b, 0xf2, 0x14, 0x8f, 0x7c, 0x20, 0x99, 0x43, 0x25, 0xd4, 0x3f, 0xdd, 0x7e, 0xbb, 0xe4, 0xf8, 0x3b, 0x3b, 0xb9, 0x2f, 0x74, 0xa5, 0xaf, 0xa4, 0x47, 0x8a, 0x21, 0x83, 0x4d, 0x40, 0x69, 0x55, 0x6f, 0xef, 0x26, 0x9c, 0x76, 0x80, 0xe0, 0x4e, 0x12, 0x95, 0xb6, 0x8c, 0xfa, 0x4b, 0x4d, 0x6d, 0x8a, 0x37, 0xb6, 0xdd, 0x21, 0xd7, 0x99, 0x0f, 0xeb, 0x7b, 0x95, 0xe8, 0xc9, 0x39, 0x58, 0xbb, 0x56, 0x3b, 0x3c, 0x21, 0x63, 0x29, 0xdb, 0x36, 0xe2, 0x81, 0xf2, 0x46, 0x61, 0xb6, 0xec, 0xdb, 0x19, 0x73, 0xe5, 0x25, 0x12, 0xbe, 0x98, 0x99, 0x0f, 0x52, 0x75, 0xfa, 0x8a, 0x12, 0x52, 0xe1, 0x01, 0x82, 0x29, 0x79, 0x69, 0x7b, 0x2b, 0xdb, 0xbd, 0x7f, 0x0a, 0x87, 0xad, 0x9a, 0x1f, 0xc0, 0xc1, 0x6c, 0x96, 0x7d, 0x84, 0x86, 0xad, 0x53, 0x64, 0x7d, 0x88, 0x67, 0xe2, 0x56, 0x7f, 0x89, 0x6c, 0x00, 0x30, 0xc7, 0xeb, 0x93, 0xcf, 0x58, 0xb0, 0xe3, 0xdc, 0x4d, 0x23, 0xad, 0x78, 0x8b, 0xad, 0xfc, 0x1d, 0x09, 0x49, 0x92, 0xcb, 0x7a, 0x0c, 0x6e, 0xca, 0x50, 0xab, 0xdd, 0x0e, 0xba, 0xe4, 0x8b, 0x87, 0x16, 0x94, 0x66, 0x03, 0x0d, 0x07, 0xdc, 0xb8, 0x06, 0xe7, 0x29, 0xc5, 0x57, 0xee, 0x65, 0xf2, 0x7e, 0x85, 0xc2, 0x49, 0x28, 0xa3, 0x4e, 0x69, 0x3e, 0xad, 0x81, 0x2d, 0x47, 0xc8, 0x31, 0xa4, 0xae, 0x3b, 0x23, 0xf6, 0x33, 0x5f, 0xa3, 0xa2, 0xbf, 0x77, 0xfe, 0x98, 0x76, 0xb0, 0x37, 0xd6, 0x08, 0x09, 0x8e, 0x6e, 0x8c, 0xfb, 0x77, 0x87, 0xf2, 0x29, 0xc2, 0x00, 0xb9, 0xad, 0x2a, 0x71, 0x5b, 0x64, 0x1f, 0x06, 0x2b, 0x18, 0x17, 0xb7, 0x90, 0xa4, 0xef, 0xf2, 0x64, 0x26, 0x20, 0xe4, 0x15, 0xe0, 0xec, 0xd6, 0x86, 0xde, 0x70, 0x8a, 0xcd, 0x57, 0xfe, 0xb2, 0xd3, 0x16, 0xbf, 0xd4, 0x72, 0x5b, 0x26, 0xd6, 0x80, 0x84, 0x10, 0xab, 0xd1, 0x12, 0x4d, 0x84, 0xca, 0x99, 0x22, 0x72, 0x7d, 0x95, 0xde, 0x31, 0x0e, 0x01, 0x80, 0x3f, 0xce, 0x5d, 0x11, 0xf8, 0xa1, 0x66, 0x2a, 0xdf, 0x42, 0x24, 0x69, 0x3e, 0x47, 0x8d, 0xb7, 0x96, 0xb2, 0x36, 0x70, 0x41, 0x5f, 0xc8, 0x63, 0x5f, 0xa1, 0x39, 0x2d, 0x2b, 0xdd, 0xe2, 0xf5, 0xb9, 0x8d, 0xe0, 0x91, 0x73, 0xa8, 0xca, 0xbf, 0xa7, 0x77, 0x61, 0x9f, 0xa2, 0x30, 0x18, 0x31, 0xdb, 0x79, 0x89, 0xed, 0xe1, 0x89, 0x45, 0x52, 0x05, 0x7c, 0xd7, 0x11, 0x15, 0x45, 0xd4, 0x19, 0xe1, 0xf4, 0x23, 0xd9, 0x9d, 0xb0, 0x80, 0x19, 0xb8, 0x79, 0x20, 0x8c, 0xcb, 0xa3, 0xe3, 0x53, 0x4e, 0x8b, 0x2e, 0xc1, 0x9c, 0x0a, 0x53, 0x1a, 0x14, 0x65, 0x71, 0xc4, 0x66, 0x4a, 0x82, 0x8a, 0xf3, 0x67, 0x50, 0xfa, 0xb7, 0x3a, 0x25, 0x61, 0x5a, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0x00, 0xbe, 0x54, 0x00, 0xb0, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0xd8, 0x3a, 0x55, 0x00, 0x20, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a, 0x3c, 0x9f, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0xd1, 0xa9, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32, 0x9f, 0xb9, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb6, 0xbc, 0xc9, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6b, 0x62, 0xd5, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0x56, 0xfa, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0xa4, 0x0c, 0x56, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 0x4f, 0xcc, 0x56, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc8, 0xb3, 0x08, 0x57, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1c, 0x78, 0xa1, 0x57, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0x97, 0xcf, 0x57, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6b, 0xe7, 0xed, 0x57, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x37, 0x05, 0x0f, 0x58, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0x07, 0x30, 0x58, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa3, 0x50, 0xba, 0x58, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x84, 0xcd, 0x58, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xea, 0x15, 0xda, 0x58, 0x00, 0x10, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7c, 0x9c, 0x02, 0x59, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x52, 0x9c, 0x32, 0x59, 0x00, 0xf0, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x52, 0xd8, 0x44, 0x59, 0x00, 0xf0, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd6, 0xfc, 0x5d, 0x59, 0x00, 0xf0, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb8, 0xe6, 0x81, 0x59, 0x00, 0xf0, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0x38, 0xae, 0x59, 0x00, 0xf0, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf4, 0xb0, 0xc0, 0x59, 0x00, 0xf0, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0x7a, 0x20, 0x5a, 0x00, 0xf0, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0xd5, 0x4a, 0x5a, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85, 0xc3, 0x5b, 0x5a, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0x8e, 0x7e, 0x5a, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x00, 0xa8, 0x97, 0x5a, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdc, 0xec, 0xb5, 0x5a, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0x12, 0xe4, 0x5a, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0x83, 0x0e, 0x5b, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x24, 0x87, 0x34, 0x5b, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb8, 0x4d, 0x48, 0x5b, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x92, 0x56, 0x69, 0x5b, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0x5e, 0x90, 0x5b, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0xc7, 0xa9, 0x5b, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x37, 0x51, 0xd1, 0x5b, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85, 0x22, 0x06, 0x5c, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0x0a, 0x2b, 0x5c, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2d, 0x59, 0x5a, 0x5c, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf7, 0xe9, 0x69, 0x5c, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0x7d, 0x7f, 0x5c, 0x00, 0xb0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0xfd, 0xa2, 0x5c, 0x00, 0xb0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x23, 0x7c, 0xad, 0x5c, 0x00, 0xb0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x17, 0xf0, 0xcb, 0x5c, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x16, 0x96, 0x1d, 0x5d, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0xec, 0x3f, 0x5d, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf8, 0x5a, 0x67, 0x5d, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x24, 0x4d, 0x91, 0x5d, 0x00, 0xc0, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe8, 0x2e, 0xb1, 0x5d, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0xa6, 0xe7, 0x5d, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 0xd9, 0xf1, 0x5d, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0xd5, 0x2f, 0x5e, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0x7a, 0x5f, 0x5e, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0xe9, 0x82, 0x5e, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb2, 0xe4, 0xb0, 0x5e, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x76, 0x0b, 0xd6, 0x5e, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0xbc, 0xe4, 0x5e, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x87, 0x05, 0x5f, 0x00, 0x80, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85, 0x58, 0x2b, 0x5f, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0x4c, 0x4f, 0x5f, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0x18, 0x74, 0x5f, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0x51, 0x9a, 0x5f, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0xc2, 0xc8, 0x5f, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0xbe, 0xf7, 0x5f, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0x50, 0xfd, 0x5f, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5f, 0x5b, 0x50, 0x60, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0xd8, 0x6e, 0x60, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 0xa3, 0x87, 0x60, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x70, 0x29, 0xbb, 0x60, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x72, 0x39, 0xe1, 0x60, 0x00, 0x70, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, 0x15, 0xe3, 0x60, 0x00, 0x60, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0x03, 0x05, 0x61, 0x00, 0x60, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x7a, 0x3d, 0x61, 0x00, 0x60, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0xfa, 0x5b, 0x61, 0x00, 0x50, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0xca, 0x80, 0x61, 0x00, 0x50, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x74, 0xef, 0xaa, 0x61, 0x00, 0x50, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x3f, 0xd5, 0x61, 0x00, 0x50, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0x4e, 0xe1, 0x61, 0x00, 0x50, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x35, 0xe0, 0xf4, 0x61, 0x00, 0x50, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa6, 0x0e, 0x1f, 0x62, 0x00, 0x60, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0d, 0x10, 0x44, 0x62, 0x00, 0x60, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x53, 0x83, 0x70, 0x62, 0x00, 0x60, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc, 0x55, 0xa0, 0x62, 0x00, 0x60, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0xba, 0xba, 0x62, 0x00, 0x60, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0x66, 0xeb, 0x62, 0x00, 0x60, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x22, 0x18, 0x63, 0x00, 0x60, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0xfe, 0x3a, 0x63, 0x00, 0x50, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb0, 0x9e, 0x47, 0x63, 0x00, 0x50, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0x9b, 0x64, 0x63, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5, 0x43, 0x88, 0x63, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0xc1, 0xb7, 0x63, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc7, 0xba, 0xd8, 0x63, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd8, 0xbb, 0x09, 0x64, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x55, 0x43, 0x25, 0x64, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0xb7, 0x4c, 0x64, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x37, 0x37, 0x78, 0x64, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x64, 0x22, 0x92, 0x64, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdb, 0x8f, 0xa4, 0x64, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0xcf, 0xca, 0x64, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7d, 0x19, 0xd3, 0x64, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0x32, 0x1f, 0x65, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x3b, 0x46, 0x65, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x36, 0x1c, 0x5c, 0x65, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a, 0x3d, 0x81, 0x65, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x20, 0x62, 0xaf, 0x65, 0x00, 0x70, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x40, 0x90, 0xdd, 0x65, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x35, 0xb0, 0x07, 0x66, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x04, 0xc6, 0x3a, 0x66, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0x93, 0x62, 0x66, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0x1a, 0x7d, 0x66, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xaa, 0x97, 0xac, 0x66, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0xa9, 0xbd, 0x66, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x12, 0xbf, 0xeb, 0x66, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0d, 0x47, 0x17, 0x67, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0x47, 0x38, 0x67, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc3, 0x95, 0x5a, 0x67, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd0, 0x87, 0x98, 0x67, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x83, 0x00, 0xab, 0x67, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb1, 0x48, 0xde, 0x67, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x51, 0xf7, 0x67, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0x17, 0x2c, 0x68, 0x00, 0x80, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xae, 0x8b, 0x63, 0x68, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0xb0, 0x8d, 0x68, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5f, 0x32, 0xb1, 0x68, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc8, 0x7f, 0xe6, 0x68, 0x00, 0x90, 0x85, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0xd2, 0x32, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x70, 0x11, 0x3b, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0x77, 0x45, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x58, 0x1c, 0x8b, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x49, 0xa8, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4e, 0x07, 0xcc, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0x44, 0xcd, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x56, 0x1e, 0xfa, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0xf4, 0x1a, 0x57, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0xf4, 0x3b, 0x57, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0x17, 0x49, 0x57, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5, 0xe2, 0x75, 0x57, 0x00, 0xa0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0xb6, 0xa1, 0x57, 0x00, 0xa0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x94, 0xcf, 0x57, 0x00, 0xa0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe9, 0x70, 0xf4, 0x57, 0x00, 0xa0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0xf0, 0x0e, 0x58, 0x00, 0xa0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xce, 0x3e, 0xba, 0x58, 0x00, 0xa0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x6f, 0xcd, 0x58, 0x00, 0xa0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x56, 0x8f, 0x02, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0x87, 0x32, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa2, 0xc7, 0x44, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xce, 0x32, 0x5f, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x69, 0x7c, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0x2e, 0xae, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x13, 0x16, 0xba, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x76, 0xe4, 0xf3, 0x59, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x15, 0x20, 0x5a, 0x00, 0x90, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb5, 0x6f, 0x4a, 0x5a, 0x00, 0xe0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xea, 0xcd, 0x5b, 0x5a, 0x00, 0xe0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbe, 0x7d, 0x7e, 0x5a, 0x00, 0xe0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0x96, 0x97, 0x5a, 0x00, 0xe0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x03, 0xa1, 0xb4, 0x5a, 0x00, 0xe0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6a, 0x95, 0x36, 0x57, 0x00, 0x40, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x67, 0x96, 0x36, 0x57, 0x00, 0x00, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf1, 0x98, 0x89, 0x57, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd2, 0x99, 0x89, 0x57, 0x00, 0x60, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xbf, 0x53, 0xa0, 0x57, 0x00, 0x60, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x58, 0xa5, 0x57, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc6, 0xe3, 0xb7, 0x57, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0x9a, 0xcf, 0x57, 0x00, 0xf0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa7, 0xca, 0xda, 0x57, 0x00, 0xf0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xc8, 0xcb, 0xda, 0x57, 0x00, 0x60, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x41, 0xc5, 0xf4, 0x57, 0x00, 0xf0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x3c, 0xc6, 0xf4, 0x57, 0x00, 0x60, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbe, 0xa4, 0x01, 0x58, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1f, 0xbd, 0x19, 0x58, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf4, 0x89, 0x25, 0x58, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf6, 0x77, 0x4a, 0x58, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x51, 0x26, 0x5a, 0x58, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe7, 0x57, 0x78, 0x58, 0x00, 0x90, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0xd7, 0x86, 0x58, 0x00, 0x90, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0x5a, 0xba, 0x58, 0x00, 0x80, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0xf0, 0xd9, 0x58, 0x00, 0x80, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0x81, 0x02, 0x59, 0x00, 0x80, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb1, 0x78, 0x32, 0x59, 0x00, 0x80, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x81, 0x29, 0x5f, 0x59, 0x00, 0x70, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xca, 0xac, 0x65, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf6, 0x07, 0x80, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7e, 0xc8, 0x80, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0x44, 0x89, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0xb6, 0x9b, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x21, 0xd1, 0xb0, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x01, 0xbb, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x68, 0x2c, 0xbf, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc8, 0xd4, 0xda, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x89, 0xf5, 0xf3, 0x59, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x65, 0xa9, 0x0f, 0x5a, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6d, 0xb4, 0x1f, 0x5a, 0x00, 0x60, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2b, 0xbb, 0x49, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xa9, 0xbc, 0x49, 0x5a, 0x00, 0x60, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0x00, 0x57, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0x6e, 0x7e, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf0, 0x0a, 0x82, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc8, 0x07, 0x99, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x86, 0x22, 0x9e, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0x1a, 0xb3, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0xae, 0xbd, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0xf6, 0xc2, 0x5a, 0x00, 0x20, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0xf9, 0xe3, 0x5a, 0x00, 0x10, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7e, 0x09, 0xe4, 0x5a, 0x00, 0x10, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdf, 0x16, 0x1a, 0x5b, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x16, 0x1f, 0x5b, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0xad, 0x31, 0x5b, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0x25, 0x48, 0x5b, 0x00, 0x00, 0x82, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x64, 0xda, 0x4a, 0x5b, 0x00, 0xf0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0x1a, 0x69, 0x5b, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x24, 0x2b, 0x7e, 0x5b, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x16, 0xc5, 0x84, 0x5b, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x54, 0x88, 0x5b, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x8d, 0x56, 0x88, 0x5b, 0x00, 0x60, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf0, 0x96, 0xb6, 0x5b, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x57, 0xad, 0xbd, 0x5b, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x34, 0xd1, 0x5b, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x77, 0x7f, 0xda, 0x5b, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0x0d, 0x06, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0xf2, 0x2a, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x72, 0x49, 0x30, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x30, 0x42, 0x5a, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x31, 0xbf, 0x68, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0x63, 0x7f, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0xea, 0x89, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x00, 0xe1, 0xa2, 0x5c, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0x15, 0xcd, 0x5c, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0x6c, 0xe3, 0x5c, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbf, 0xd0, 0x01, 0x5d, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0x7d, 0x1d, 0x5d, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0x06, 0x24, 0x5d, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0f, 0x72, 0x3a, 0x5d, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x99, 0x90, 0x4a, 0x5d, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb2, 0xc6, 0x69, 0x5d, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa6, 0x6c, 0x78, 0x5d, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x34, 0x91, 0x5d, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0xb9, 0x93, 0x5d, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4c, 0xfe, 0xa7, 0x5d, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x81, 0xba, 0xdc, 0x5d, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1c, 0x4c, 0xfc, 0x5d, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbd, 0xf8, 0xfa, 0x5d, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 0x83, 0x34, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0xe9, 0x4c, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0x4d, 0x5f, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0xfb, 0x6a, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0x44, 0x8d, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x41, 0x91, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0xbf, 0xb0, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0xdc, 0xd5, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0x13, 0xe8, 0x5e, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0x6c, 0x05, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x65, 0x7f, 0x2c, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3d, 0x30, 0x4f, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0xfd, 0x77, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0x3f, 0x9a, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0xce, 0xb1, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x17, 0x6d, 0xc8, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0x8d, 0xf7, 0x5f, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x75, 0x44, 0x12, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0x68, 0x40, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x70, 0x3c, 0x50, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1c, 0xb0, 0x6e, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0x95, 0x87, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0xfe, 0xba, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3b, 0x66, 0xe2, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x3d, 0xe3, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x36, 0x1d, 0xff, 0x60, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0xd5, 0x04, 0x61, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3, 0x5d, 0x3d, 0x61, 0x00, 0xd0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0xdf, 0x5b, 0x61, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x17, 0x89, 0x80, 0x61, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4f, 0x72, 0x8d, 0x61, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbc, 0x8e, 0xa9, 0x61, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5e, 0x9d, 0xce, 0x61, 0x00, 0xb0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0x23, 0xd5, 0x61, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0x51, 0xe2, 0x61, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd3, 0x2c, 0xf8, 0x61, 0x00, 0xc0, 0x81, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d, 0xf3, 0x1e, 0x62, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0xcb, 0x47, 0x62, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0xa9, 0x6c, 0x62, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0x71, 0x80, 0x62, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd8, 0xf3, 0xa3, 0x62, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6a, 0xb7, 0xbf, 0x62, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xae, 0x02, 0xef, 0x62, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0xbd, 0x17, 0x63, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xae, 0x89, 0x36, 0x63, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x62, 0xba, 0x47, 0x63, 0x00, 0xd0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0x7a, 0x64, 0x63, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0x0f, 0x73, 0x63, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1f, 0x23, 0x88, 0x63, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0x92, 0xb7, 0x63, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x17, 0xda, 0xdd, 0x63, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfa, 0x90, 0x09, 0x64, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6e, 0x3b, 0x25, 0x64, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0x68, 0x54, 0x64, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfd, 0x1d, 0x92, 0x64, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x35, 0x52, 0xa4, 0x64, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0xa5, 0xca, 0x64, 0x00, 0xe0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0x81, 0x02, 0x65, 0x00, 0xe0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0xb4, 0x45, 0x65, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0xf5, 0x52, 0x65, 0x00, 0xe0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xac, 0x15, 0x81, 0x65, 0x00, 0xe0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7c, 0x3a, 0xaf, 0x65, 0x00, 0xe0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd2, 0x65, 0xdd, 0x65, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0x5f, 0x0f, 0x66, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0xb6, 0x35, 0x66, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x96, 0x6a, 0x62, 0x66, 0x00, 0x00, 0x82, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0x37, 0x7a, 0x66, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0x6f, 0xac, 0x66, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0xd3, 0xba, 0x66, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x98, 0xd5, 0xba, 0x66, 0x00, 0x60, 0x0c, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc7, 0x01, 0xf6, 0x66, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0x30, 0x17, 0x67, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x44, 0x19, 0x48, 0x67, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7d, 0xb7, 0x5b, 0x67, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0x44, 0x8f, 0x67, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3e, 0x4d, 0xab, 0x67, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa4, 0xea, 0xd4, 0x67, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7c, 0x47, 0xf4, 0x67, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0xe9, 0x13, 0x68, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0xee, 0x2b, 0x68, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x52, 0x2a, 0x66, 0x68, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd0, 0x83, 0x8d, 0x68, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0xcd, 0xb7, 0x68, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdf, 0x63, 0xe6, 0x68, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb4, 0xa0, 0xf9, 0x68, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x31, 0x00, 0x31, 0x69, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x92, 0x41, 0x69, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0xbb, 0x4c, 0x69, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x02, 0x6f, 0x69, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0xc2, 0xa2, 0x69, 0x00, 0xf0, 0x81, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4c, 0xba, 0xcc, 0x58, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xdc, 0xdd, 0x68, 0xce, 0x00, 0xa0, 0x0d, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7d, 0x8f, 0xdc, 0x58, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf6, 0xe9, 0xde, 0x58, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x47, 0xfd, 0xf6, 0x58, 0x00, 0xa0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3e, 0x84, 0x02, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0xd9, 0x1f, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0x79, 0x32, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5, 0xaa, 0x48, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x28, 0xde, 0x47, 0x96, 0x00, 0xa0, 0x0d, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0x24, 0x5f, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0xb8, 0x7a, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0d, 0xd8, 0x7f, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x61, 0x4d, 0xe1, 0xee, 0x00, 0xa0, 0x0d, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7e, 0x23, 0xae, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0xf4, 0xcd, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x5b, 0x28, 0x8f, 0xf9, 0x00, 0xa0, 0x0d, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x6a, 0xe3, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x38, 0x9d, 0xfa, 0x59, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0xa2, 0x0e, 0x5a, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x22, 0x6e, 0x1f, 0x5a, 0x00, 0x90, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x8e, 0x49, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x3e, 0xa7, 0x87, 0xc4, 0x00, 0xa0, 0x0d, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb1, 0xf0, 0x57, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0x74, 0x7e, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0x0d, 0x82, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0xa1, 0x9c, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdf, 0x53, 0x99, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0xb9, 0xbd, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0xfb, 0xc2, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd8, 0xf4, 0xe3, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0x28, 0xe2, 0x5a, 0x00, 0x00, 0x89, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0c, 0x13, 0x1a, 0x5b, 0x00, 0xe0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4b, 0x1d, 0x1f, 0x5b, 0x00, 0xe0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x58, 0x6c, 0x34, 0x5b, 0x00, 0xe0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6f, 0x27, 0x48, 0x5b, 0x00, 0xe0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6e, 0x7f, 0x4e, 0x5b, 0x00, 0xe0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0xf9, 0x5f, 0x5b, 0x00, 0xb0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x39, 0xea, 0x60, 0x5b, 0x00, 0xb0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0xd3, 0x85, 0x5b, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe9, 0x6c, 0x87, 0x5b, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x58, 0xac, 0x5b, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0xa8, 0xbd, 0x5b, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd6, 0xe1, 0xd7, 0x5b, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x50, 0x63, 0xe3, 0x5b, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x07, 0x06, 0x5c, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9a, 0x09, 0x2b, 0x5c, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe5, 0x68, 0x56, 0xc6, 0x00, 0xa0, 0x0d, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x13, 0x51, 0x30, 0x5c, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0x4c, 0x5a, 0x5c, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0xc0, 0x67, 0x5c, 0x00, 0xb0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6f, 0x6c, 0x7f, 0x5c, 0x00, 0xb0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0xf1, 0x89, 0x5c, 0x00, 0xb0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0xf4, 0xa2, 0x5c, 0x00, 0xb0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x35, 0xa8, 0x5c, 0x00, 0xb0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0xe0, 0xcb, 0x5c, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0xc7, 0xe4, 0x5c, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4b, 0xef, 0xf9, 0x5c, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0xe2, 0x01, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb8, 0xac, 0x1d, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, 0x0a, 0x24, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0xf5, 0x3f, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0x12, 0x4b, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0xcd, 0x69, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0x40, 0x6f, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc7, 0x3a, 0x91, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3e, 0xf4, 0xa7, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0xbf, 0xdc, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0x80, 0xfc, 0x5d, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0x34, 0x29, 0x5e, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0x56, 0x5f, 0x5e, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6d, 0x47, 0x8d, 0x5e, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf4, 0xc3, 0xb0, 0x5e, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2b, 0xdc, 0xd5, 0x5e, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x2e, 0xe5, 0x5e, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa5, 0x80, 0x05, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa8, 0xaa, 0x2b, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x19, 0x50, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x37, 0x04, 0x75, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0x38, 0x9a, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1f, 0x6c, 0xc8, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x8f, 0xf7, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0xae, 0x0f, 0x60, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0xdb, 0x39, 0x60, 0x00, 0xc0, 0x88, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0xce, 0x44, 0x59, 0x00, 0x80, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0xa7, 0xcd, 0x59, 0x00, 0x20, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x9d, 0xd9, 0xd9, 0xd8, 0x00, 0x60, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3b, 0x59, 0xdc, 0x59, 0x00, 0x20, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0xff, 0xef, 0x59, 0x00, 0x20, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x40, 0xaa, 0x1a, 0x5a, 0x00, 0x20, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0xb8, 0x29, 0x5a, 0x00, 0x20, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x5f, 0x11, 0xd2, 0xa1, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x16, 0x4a, 0x5a, 0x00, 0x50, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x47, 0xb4, 0x5f, 0x5a, 0x00, 0x60, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xcb, 0xa3, 0xdc, 0x1b, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x76, 0x7e, 0x5a, 0x00, 0x60, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x50, 0x0c, 0x8e, 0x5a, 0x00, 0x60, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x99, 0x7e, 0x3c, 0x45, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x77, 0x91, 0x97, 0x5a, 0x00, 0x60, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x73, 0x60, 0xa7, 0x5a, 0x00, 0x60, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x89, 0xad, 0xbd, 0x5a, 0x00, 0x50, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe6, 0x20, 0xef, 0xeb, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0xaf, 0xd3, 0x5a, 0x00, 0x50, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xdf, 0x7f, 0x4c, 0x40, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa2, 0xa6, 0xea, 0x5a, 0x00, 0x50, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0x0d, 0xf6, 0x5a, 0x00, 0x50, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x22, 0x1a, 0x1a, 0x5b, 0x00, 0x40, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc8, 0x85, 0x21, 0x5b, 0x00, 0xe0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0xe5, 0x35, 0x5b, 0x00, 0xe0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x29, 0x48, 0x5b, 0x00, 0xe0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0x9d, 0x4e, 0x5b, 0x00, 0xe0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0f, 0x23, 0x69, 0x5b, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0xc1, 0x6b, 0x5b, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0xcc, 0x84, 0x5b, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x98, 0x2f, 0xd4, 0xdb, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0x72, 0x9c, 0x5b, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0x0e, 0xa7, 0x5b, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x69, 0xb2, 0xa9, 0x5b, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x75, 0xbd, 0x5b, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x29, 0xdd, 0xd7, 0x5b, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0x71, 0xe2, 0x5b, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0x0f, 0x06, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x77, 0xf5, 0x2a, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x71, 0x2c, 0x4d, 0xf7, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3e, 0x52, 0x30, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5f, 0x44, 0x5a, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb2, 0xb5, 0x68, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0x8b, 0x7f, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x7c, 0xc0, 0xe4, 0x54, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x03, 0x8a, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1b, 0xe5, 0xa2, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xa6, 0x76, 0xd9, 0x02, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x62, 0x34, 0xa8, 0x5c, 0x00, 0xa0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0xda, 0xcb, 0x5c, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xde, 0x0b, 0xe6, 0x5c, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd2, 0xf6, 0xf9, 0x5c, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0xd3, 0x01, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0xa8, 0x1e, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0x05, 0x24, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x16, 0x85, 0x4a, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0xab, 0x4b, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0x47, 0x6f, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0x1d, 0x7b, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4f, 0x2f, 0x94, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x37, 0x28, 0x94, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x16, 0x1a, 0xb1, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x0a, 0xca, 0x18, 0x00, 0x00, 0x70, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9e, 0xeb, 0xe5, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4e, 0xc5, 0xf1, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2d, 0xc5, 0xf1, 0x5d, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb7, 0x2c, 0x29, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb4, 0x2d, 0x29, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0xb4, 0x61, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc6, 0xbf, 0x61, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0xd0, 0x7a, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0xc9, 0x82, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x56, 0x11, 0xb1, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd2, 0x0e, 0xd6, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0x8b, 0xe4, 0x5e, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0x6d, 0x05, 0x5f, 0x00, 0xb0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x40, 0x2b, 0x5f, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x57, 0x25, 0x4f, 0x5f, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32, 0x3b, 0x74, 0x5f, 0x00, 0xc0, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x65, 0x5e, 0xdd, 0x59, 0x00, 0x50, 0x8d, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0x8b, 0xb5, 0x5a, 0x00, 0x50, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66, 0x89, 0xcd, 0x5a, 0x00, 0x50, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb2, 0xe4, 0x69, 0xbd, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 0xf1, 0xe3, 0x5a, 0x00, 0x50, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd2, 0x18, 0xad, 0x47, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0x5a, 0x01, 0x5b, 0x00, 0x50, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x3e, 0x4a, 0xa3, 0xd7, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0xcf, 0x11, 0x5b, 0x00, 0x50, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x45, 0x1a, 0x5b, 0x00, 0x10, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xdc, 0x64, 0x22, 0x8d, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb3, 0x43, 0x23, 0x5b, 0x00, 0x10, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x14, 0x2e, 0xb4, 0x50, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf4, 0x12, 0x3f, 0x5b, 0x00, 0x10, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0x24, 0x48, 0x5b, 0x00, 0x10, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb7, 0x73, 0x49, 0x5b, 0x00, 0x20, 0x96, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb5, 0xc7, 0x63, 0x5b, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x21, 0xc2, 0x6b, 0x5b, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb5, 0xb2, 0x88, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe5, 0x72, 0x31, 0x02, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0x6b, 0x9c, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0x41, 0x93, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2b, 0x68, 0xa4, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xae, 0x16, 0xa3, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x7e, 0xed, 0x8c, 0xc3, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, 0x28, 0xcc, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0xa3, 0xda, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc3, 0xee, 0xe4, 0x5b, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x68, 0x74, 0x0b, 0x5c, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x58, 0x1d, 0xe2, 0x97, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x51, 0x53, 0x13, 0x5c, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3d, 0x0c, 0x2b, 0x5c, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x94, 0xb9, 0x41, 0xfd, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa7, 0xac, 0x35, 0x5c, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0x45, 0x5a, 0x5c, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd9, 0xbb, 0x67, 0x5c, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0x85, 0x7f, 0x5c, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe4, 0xae, 0x49, 0x79, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa8, 0x08, 0x8a, 0x5c, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x5e, 0xe7, 0x28, 0x8a, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32, 0x14, 0xa3, 0x5c, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x4f, 0x49, 0xd6, 0x12, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xee, 0x50, 0xb9, 0x5c, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66, 0xd8, 0xcb, 0x5c, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x67, 0x4f, 0xde, 0x5c, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdb, 0x47, 0xde, 0x5c, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0xf4, 0xf9, 0x5c, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5d, 0xe9, 0x01, 0x5d, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6c, 0x7f, 0x1d, 0x5d, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0x00, 0x24, 0x5d, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf8, 0x7e, 0x4a, 0x5d, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0x38, 0x52, 0x5d, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x40, 0x6f, 0x5d, 0x00, 0x40, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0x18, 0x7b, 0x5d, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x95, 0x26, 0x94, 0x5d, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x95, 0x24, 0x94, 0x5d, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdb, 0xce, 0xc4, 0x5d, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x8c, 0x31, 0x15, 0xb3, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa0, 0x4f, 0xdf, 0x5d, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0xfa, 0x13, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0xfc, 0x13, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0x66, 0x3a, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf3, 0x5d, 0x4f, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0x51, 0x5f, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3b, 0x51, 0x5f, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xff, 0xae, 0x7c, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc, 0xc1, 0x82, 0x5e, 0x00, 0x30, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x23, 0xfe, 0x8c, 0x5e, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0x1b, 0xb2, 0x5e, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x65, 0x12, 0x52, 0x63, 0x00, 0xf0, 0x0f, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf1, 0x0f, 0xd6, 0x5e, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0x86, 0xe4, 0x5e, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xda, 0x87, 0x04, 0x5f, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x4c, 0x2a, 0x5f, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0x22, 0x4f, 0x5f, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x99, 0xfc, 0x73, 0x5f, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xef, 0xad, 0x97, 0x5f, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0x34, 0xc8, 0x5f, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb0, 0xc0, 0xf6, 0x5f, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x61, 0x4c, 0x12, 0x60, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa8, 0xe6, 0x38, 0x60, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0xf8, 0x4a, 0x60, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0x19, 0x51, 0x60, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0xaf, 0x6e, 0x60, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0xbf, 0x95, 0x60, 0x00, 0x20, 0x95, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0x4f, 0xa4, 0x1f, 0x00, 0x10, 0x9f, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xff, 0x1f, 0x19, 0xb9, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0x43, 0xb4, 0xaf, 0x00, 0x10, 0x9f, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd1, 0xe9, 0x4e, 0xbd, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0x57, 0xb5, 0x8b, 0x00, 0x10, 0x9f, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0xac, 0xea, 0x3e, 0x00, 0x10, 0x9f, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd6, 0xb9, 0xfa, 0x6a, 0x00, 0x00, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf7, 0x24, 0xdb, 0x3b, 0x00, 0x00, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0xae, 0x34, 0xea, 0x00, 0x00, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9a, 0xb7, 0x30, 0x11, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb5, 0x56, 0x55, 0x1c, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x58, 0x8f, 0x80, 0xa1, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0xb0, 0x29, 0x82, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xcb, 0x99, 0x7d, 0xd8, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x7e, 0x18, 0x2d, 0x00, 0xf0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x0c, 0x4b, 0xbc, 0x00, 0xf0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0xf0, 0x5b, 0xa4, 0x00, 0xf0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xca, 0xb3, 0xac, 0xde, 0x00, 0xf0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x62, 0x99, 0xd6, 0xaa, 0x00, 0xf0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb2, 0xce, 0x35, 0x3e, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x99, 0x7a, 0x14, 0x5b, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0x25, 0x7e, 0x62, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc3, 0xfe, 0x8f, 0x43, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0x7b, 0x42, 0x92, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0x97, 0x8c, 0x8e, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1f, 0x70, 0x05, 0x61, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b, 0x08, 0xc0, 0x99, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0xba, 0xd0, 0x7f, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0xc3, 0xa6, 0x33, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0xad, 0x26, 0xf0, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xaf, 0xbf, 0xbe, 0x5e, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0xf9, 0x53, 0xa0, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0xa2, 0x55, 0xe5, 0x00, 0x10, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0xaf, 0x1a, 0xc2, 0x00, 0x00, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x5a, 0x8b, 0x2e, 0x00, 0x00, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x33, 0x58, 0x01, 0x00, 0x00, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb6, 0x60, 0x07, 0x32, 0x00, 0x00, 0xa7, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd8, 0x71, 0x9a, 0xe5, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x64, 0x9e, 0xd5, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xbb, 0xde, 0xcf, 0xbf, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0xe7, 0x79, 0xdf, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7e, 0x5b, 0xb3, 0x11, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0x7b, 0x52, 0xee, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0xed, 0xb6, 0x5f, 0x00, 0xe0, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xda, 0x6f, 0x3a, 0x78, 0x00, 0x00, 0xa7, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x3c, 0x74, 0x72, 0x00, 0xf0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5b, 0x43, 0x15, 0xd8, 0x00, 0xf0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x29, 0xa8, 0x23, 0x1c, 0x00, 0xf0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0x12, 0xb4, 0xf3, 0x00, 0xf0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb3, 0x96, 0xb8, 0x87, 0x00, 0xf0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0xfe, 0xa2, 0xbd, 0x00, 0xf0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xf9, 0x6a, 0x8f, 0xc0, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb8, 0x56, 0x56, 0xfd, 0x00, 0x00, 0xa7, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa5, 0x53, 0xde, 0xd9, 0x00, 0x00, 0xa7, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0xbe, 0x8f, 0x7f, 0x00, 0x00, 0xa7, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0xff, 0x3d, 0x52, 0x00, 0x00, 0xa7, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdb, 0x77, 0xe2, 0x8d, 0x00, 0x00, 0xa7, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0x15, 0xe8, 0x67, 0x00, 0xe0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb7, 0xa0, 0xbb, 0xc2, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32, 0xb0, 0x53, 0xad, 0x00, 0xe0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc6, 0x85, 0xa0, 0x04, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd8, 0x4b, 0x58, 0x63, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0x18, 0x6c, 0xee, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0xe1, 0xd0, 0x64, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0xbf, 0xb4, 0x60, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0xd1, 0x14, 0x1a, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4f, 0x4a, 0x6e, 0x75, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xce, 0x2d, 0xea, 0x4c, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x21, 0x0f, 0x30, 0x2b, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0x5e, 0x96, 0x87, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0x07, 0x55, 0x5d, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x01, 0xb1, 0x9f, 0x68, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x09, 0x7f, 0x71, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0xf7, 0xce, 0x6d, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0x81, 0xdd, 0x2f, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3e, 0x5b, 0x4e, 0x44, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0xf7, 0x39, 0xf2, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x39, 0xb3, 0xea, 0xf5, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb6, 0xd9, 0x62, 0x6b, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6c, 0x2b, 0xa0, 0xd3, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0x40, 0xde, 0x39, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0xa8, 0xe6, 0xd7, 0x00, 0xc0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6c, 0xf2, 0x1c, 0x9a, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x4a, 0x4a, 0xa2, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0xd3, 0x39, 0x45, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0x2d, 0xaf, 0x2f, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x83, 0xee, 0x9e, 0x5d, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0x61, 0x2c, 0x4c, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x56, 0x87, 0x8e, 0x57, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b, 0x31, 0xbb, 0xe3, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0x4d, 0x83, 0xaf, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0xe0, 0x84, 0x30, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x42, 0x5f, 0x63, 0x2f, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2e, 0x62, 0x3a, 0x53, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xde, 0x49, 0x10, 0x66, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x64, 0xa0, 0x63, 0xd2, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0x5f, 0x0a, 0xc4, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x53, 0x13, 0xca, 0xab, 0x00, 0xa0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0xec, 0x7c, 0xdf, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0x35, 0x9a, 0x89, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0xc8, 0x9b, 0x9f, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xde, 0x6c, 0x6c, 0x44, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1d, 0xbd, 0xd3, 0x70, 0x00, 0xb0, 0xa6, 0x00, 0x22, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x0f, 0xe1, 0x0d, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0x66, 0xd5, 0x3d, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0xd5, 0xd6, 0xef, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xea, 0x04, 0xdf, 0x11, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5e, 0x1e, 0xf9, 0x3b, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa5, 0xe5, 0xf1, 0x99, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb1, 0x96, 0xc2, 0x3f, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0x0f, 0x80, 0x5c, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfa, 0x7c, 0x0f, 0x1a, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4c, 0x6e, 0xd2, 0xad, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0xa1, 0x39, 0x39, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0xe9, 0x35, 0x46, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0xbe, 0xd5, 0x19, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0x52, 0x9b, 0x9c, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x83, 0x3a, 0xb3, 0x77, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0x7f, 0xc3, 0xe2, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x23, 0x38, 0xcd, 0xb1, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x47, 0x73, 0x1d, 0xc7, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6b, 0xa9, 0x8b, 0x5e, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x4c, 0xba, 0x02, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc1, 0xc8, 0x5d, 0x30, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0xe2, 0xc9, 0xfd, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0xea, 0xf8, 0xb7, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0x2a, 0x7f, 0x7a, 0x00, 0xb0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xda, 0xdd, 0x47, 0xd2, 0x00, 0xc0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0xb6, 0xb9, 0x3a, 0x00, 0xc0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1f, 0x4a, 0x33, 0x0b, 0x00, 0xc0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xac, 0x83, 0xe4, 0xb7, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0x0c, 0xb0, 0xc7, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0x28, 0xd2, 0xce, 0x00, 0xc0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x57, 0xe4, 0xbe, 0x22, 0x00, 0xc0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9e, 0x5a, 0x97, 0xa7, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x69, 0xeb, 0x30, 0x18, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0xab, 0x47, 0xee, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0xc9, 0x89, 0x3b, 0x00, 0xc0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x03, 0x5c, 0x57, 0x20, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x56, 0x15, 0xa1, 0xd8, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x30, 0x37, 0xc6, 0xc4, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xaa, 0x8b, 0x36, 0xb6, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0x46, 0x5b, 0xd6, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc5, 0xa4, 0xe9, 0xdc, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6a, 0xa5, 0xc3, 0x9b, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0x70, 0x69, 0xd2, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfa, 0x53, 0xac, 0x90, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xae, 0x51, 0xdb, 0xd6, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0x29, 0x28, 0x6e, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0x42, 0xff, 0x17, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0x95, 0x07, 0x0e, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x86, 0xc1, 0xb4, 0x96, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0x2e, 0x8b, 0xff, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0xb7, 0xab, 0xc9, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfa, 0x74, 0x60, 0xa9, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0xbd, 0xcf, 0x84, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4f, 0x7d, 0x01, 0x90, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5b, 0xfa, 0xae, 0x26, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0xc5, 0x09, 0xc9, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x77, 0x61, 0x7c, 0x1f, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd0, 0xca, 0xd5, 0x8e, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x50, 0xaa, 0xed, 0x96, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa2, 0xf9, 0x7a, 0x70, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0x9d, 0x89, 0x88, 0x00, 0xd0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0x39, 0x5f, 0x16, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x30, 0x2d, 0x16, 0x6c, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd9, 0xaa, 0xa1, 0x1b, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0x18, 0xec, 0x45, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb8, 0xc7, 0x1c, 0x5d, 0x00, 0xf0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa5, 0x48, 0x55, 0x4c, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0x5c, 0x60, 0x0e, 0x00, 0xe0, 0xa6, 0x00, 0x68, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0xed, 0xc2, 0xc9, 0x00, 0x00, 0xa6, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x6c, 0xa7, 0x1e, 0x00, 0xb0, 0xa9, 0x00, 0xae, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0x8e, 0xe7, 0x00, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x77, 0x24, 0xb5, 0xde, 0x00, 0x60, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2b, 0xa5, 0xf1, 0xe2, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x43, 0xef, 0xf4, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb0, 0x99, 0xaa, 0x4d, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc, 0x2a, 0x09, 0xfc, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, 0xff, 0x52, 0xdd, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb7, 0x74, 0xcf, 0xfe, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x65, 0x91, 0x8c, 0xd4, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x0f, 0xed, 0x03, 0x00, 0x20, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x15, 0xda, 0x74, 0x00, 0x50, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x76, 0x70, 0x35, 0x00, 0x50, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3, 0x27, 0xed, 0x72, 0x00, 0x50, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0x3c, 0x1a, 0x57, 0x00, 0x50, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d, 0x9c, 0x83, 0xa5, 0x00, 0x50, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb3, 0x1c, 0xba, 0x02, 0x00, 0x50, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0x72, 0x0e, 0x74, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x42, 0x0c, 0xd5, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf2, 0x70, 0x95, 0xfc, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0x32, 0x26, 0x39, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdb, 0xb2, 0x2d, 0x4d, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0xf7, 0xfc, 0x4e, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xbf, 0x9d, 0x02, 0x95, 0x00, 0x60, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x70, 0xb4, 0xdc, 0x12, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa0, 0xeb, 0xf6, 0x04, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3, 0x1f, 0x37, 0x29, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0xa7, 0x69, 0x42, 0x00, 0x60, 0xab, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb6, 0xc6, 0xd7, 0x88, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x60, 0x6c, 0xd3, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x24, 0xdf, 0x5e, 0xe4, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x04, 0x03, 0x08, 0xcb, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0xe5, 0xb8, 0xdb, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0xd6, 0x29, 0x56, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0xfd, 0xe3, 0x81, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x89, 0xe3, 0x85, 0xb7, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x66, 0x2b, 0xc1, 0xe0, 0x00, 0x60, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x57, 0xf7, 0x4f, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb2, 0x6c, 0xb3, 0x74, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc1, 0x2a, 0x49, 0xd1, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x40, 0x5b, 0x48, 0xc7, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd3, 0xc6, 0x30, 0x75, 0x00, 0x70, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x00, 0xa6, 0xf0, 0x93, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd3, 0x6e, 0xb3, 0x6d, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd7, 0xdf, 0xbe, 0x91, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x8c, 0x68, 0x93, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x99, 0x5b, 0x92, 0xd6, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0x32, 0x8a, 0x5d, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x73, 0xb5, 0xfe, 0x15, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5b, 0x52, 0x38, 0x99, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x38, 0x0d, 0x9b, 0xae, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x62, 0x0a, 0x5f, 0x9b, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0xbe, 0x0d, 0xd1, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf1, 0x36, 0x8e, 0x88, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0xb5, 0x74, 0xbd, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2e, 0x3e, 0xe0, 0x90, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1c, 0x34, 0x5b, 0x23, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x62, 0x2e, 0xa8, 0xb5, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb1, 0xb1, 0x61, 0x3e, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0xe9, 0xce, 0x86, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0x8f, 0xd3, 0x73, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0xde, 0x91, 0x65, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2b, 0xe0, 0x7a, 0x33, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x11, 0x23, 0xbf, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x56, 0x21, 0xe4, 0x61, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x77, 0xd7, 0xce, 0x21, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x46, 0x29, 0xd1, 0xdb, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0x88, 0x0f, 0x1d, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0x48, 0xcb, 0x13, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x19, 0x62, 0x77, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x0e, 0xb0, 0x85, 0x00, 0x50, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x46, 0xf1, 0xd2, 0x46, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa6, 0x08, 0x8d, 0xe0, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x67, 0x3f, 0xee, 0xc7, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1b, 0x5d, 0x2d, 0x81, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0x5b, 0xa9, 0x7c, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0x9d, 0xa9, 0xaf, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf0, 0xfb, 0xd4, 0xaf, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf1, 0xce, 0xfd, 0xef, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x22, 0x09, 0xdc, 0x04, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0x17, 0x83, 0x48, 0x00, 0x40, 0xab, 0x00, 0x3a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x23, 0x61, 0x71, 0xa1, 0x00, 0x40, 0xab, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x01, 0x9f, 0x78, 0xd7, 0x00, 0x40, 0xab, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x0d, 0x75, 0x42, 0x00, 0x40, 0xab, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0xc5, 0x83, 0xea, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6a, 0xde, 0xb9, 0x28, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xef, 0x69, 0x08, 0x8e, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4c, 0x0b, 0x17, 0x12, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0xa5, 0x2d, 0x4b, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x40, 0x3f, 0x59, 0x06, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85, 0x08, 0xcf, 0x31, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x25, 0xdb, 0x6e, 0x4e, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0x10, 0x95, 0xe5, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc, 0x90, 0x80, 0x6a, 0x00, 0x30, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6c, 0xde, 0x5c, 0xbb, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0xfb, 0x63, 0x9c, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x55, 0x9e, 0x4b, 0x92, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2e, 0xd8, 0x6d, 0xbf, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0xe4, 0x6c, 0xa1, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbe, 0x70, 0x8e, 0x18, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdc, 0x82, 0x29, 0xce, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x39, 0x3e, 0x50, 0x07, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8d, 0x18, 0x73, 0xad, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd6, 0x51, 0x66, 0x0d, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xa1, 0x01, 0x3f, 0x5e, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe9, 0xa2, 0x71, 0xa3, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x28, 0x73, 0xbc, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x62, 0xa4, 0xe8, 0xf5, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xde, 0x0e, 0x6e, 0x2e, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0x29, 0xee, 0x90, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x56, 0x80, 0x57, 0x83, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0xcc, 0x50, 0xdc, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x57, 0xcc, 0xeb, 0x64, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0xc3, 0x9d, 0xed, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1b, 0xd8, 0xb5, 0xda, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0xb8, 0x29, 0xc1, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x76, 0xcd, 0x16, 0xf5, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xba, 0x5e, 0x4d, 0x59, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0xa2, 0xfc, 0xea, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0x33, 0x83, 0x0d, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0xd0, 0xa5, 0x36, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0x46, 0xf6, 0xd3, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x03, 0x41, 0x4e, 0xdb, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0x89, 0xc2, 0xd3, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x72, 0x18, 0xe5, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0x87, 0xa0, 0x0e, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0x61, 0xfe, 0x1d, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x9e, 0x1f, 0x41, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6d, 0xea, 0x04, 0xe3, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0xe3, 0xc0, 0x05, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9c, 0x4d, 0xb9, 0xe7, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0xc4, 0x81, 0xab, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0x2a, 0xf2, 0xe9, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0x14, 0x0e, 0x15, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4c, 0xf9, 0x3d, 0x55, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0x9c, 0x5b, 0xf4, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xde, 0xb6, 0x77, 0x2c, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x41, 0xe6, 0xd5, 0xb8, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x99, 0xf7, 0x17, 0x43, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x9e, 0x12, 0x14, 0x84, 0x00, 0x80, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf0, 0xa6, 0x51, 0x8a, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x6b, 0xb0, 0x37, 0x9a, 0x00, 0x80, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb2, 0xbf, 0x04, 0x7a, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x8e, 0xf8, 0xa9, 0xce, 0x00, 0x80, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa7, 0x7a, 0x56, 0x6e, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0x23, 0x0a, 0x2f, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x00, 0xaf, 0x89, 0xc9, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x23, 0x57, 0xf0, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0x03, 0xf2, 0x8d, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x21, 0xfa, 0x45, 0xfa, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa8, 0x15, 0x23, 0x27, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0xdd, 0x88, 0x4e, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x56, 0x2b, 0x96, 0xd2, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0xa6, 0x58, 0x6a, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x50, 0x33, 0xd4, 0x0b, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0x4c, 0xc0, 0x7c, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0x86, 0xbb, 0x1d, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x52, 0xe3, 0x06, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0xf7, 0x40, 0x4a, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x88, 0xdc, 0x01, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0x53, 0x8e, 0x8d, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x3c, 0x2b, 0xfa, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4c, 0xd7, 0x5f, 0x07, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 0x47, 0xc1, 0x79, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0xe6, 0x37, 0xdf, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0xc0, 0xf1, 0x73, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x24, 0x3d, 0x26, 0x9a, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd9, 0x46, 0x22, 0xe2, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x92, 0xd7, 0xb8, 0xd5, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x22, 0xd7, 0xf0, 0x2f, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0xf7, 0xc6, 0xa7, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xda, 0xe0, 0x03, 0xc1, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc3, 0x9d, 0x63, 0xbf, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x87, 0xe5, 0xcb, 0x5d, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x75, 0xab, 0xee, 0x7d, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xcd, 0x89, 0x73, 0xfb, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0x28, 0x67, 0xff, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x4d, 0x2e, 0xd3, 0xb9, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc5, 0xaf, 0x02, 0x0e, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0xe4, 0xc5, 0x33, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0xec, 0xe6, 0x07, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0xfc, 0xed, 0x76, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9e, 0x32, 0xf2, 0xc3, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x1c, 0x79, 0x1f, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x7b, 0xc9, 0xbd, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0xcb, 0xa2, 0xcd, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0x4c, 0x67, 0xe8, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x96, 0x3e, 0x95, 0x76, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0x41, 0x1f, 0xf7, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x39, 0x11, 0xdd, 0x97, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x51, 0xfc, 0xc7, 0x23, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8d, 0x44, 0xba, 0x37, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x64, 0x1a, 0x2a, 0xa6, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0x20, 0x00, 0x8e, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0x45, 0xeb, 0xea, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x25, 0x35, 0xfb, 0xa4, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x8b, 0x59, 0x5f, 0x4d, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xaf, 0x68, 0xee, 0xcf, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb5, 0x45, 0x4e, 0x12, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x6f, 0xc8, 0x33, 0x22, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8d, 0xf1, 0xe2, 0x66, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x98, 0x36, 0xe5, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xfd, 0xaa, 0x10, 0x53, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb3, 0x8b, 0x55, 0x03, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x72, 0xda, 0x0a, 0xe0, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0x1e, 0x94, 0xad, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x89, 0x0a, 0x53, 0x04, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0x2b, 0xee, 0x5d, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0x54, 0x4f, 0x46, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6e, 0xe1, 0xfc, 0x92, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x32, 0x3d, 0x0a, 0x46, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdc, 0x64, 0x60, 0xd8, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0x2f, 0x58, 0xe6, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0xf1, 0x4e, 0x3e, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0xd1, 0xb9, 0x99, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x29, 0xda, 0x31, 0xac, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xac, 0x8c, 0xd2, 0x46, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x21, 0xa8, 0xfe, 0x68, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0xc9, 0x70, 0xa0, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0xc4, 0x37, 0xb7, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x96, 0x24, 0x3d, 0xa0, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3b, 0x82, 0xc3, 0x1e, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x9e, 0x66, 0xc9, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0x6b, 0x4f, 0xf8, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7c, 0x09, 0xa9, 0x48, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0xbf, 0x70, 0x5d, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9c, 0x99, 0xec, 0x3f, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0x34, 0xb9, 0x6a, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x76, 0x97, 0x0b, 0xbb, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0x68, 0x44, 0xf4, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0x9f, 0xe7, 0xf5, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2d, 0x62, 0x2f, 0x6e, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x5f, 0xa7, 0x1a, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x88, 0xa9, 0xd9, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5, 0x71, 0xe4, 0x10, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xed, 0x7f, 0x12, 0x65, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x81, 0x48, 0x69, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x52, 0x51, 0x89, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0xb3, 0x4d, 0x78, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0x28, 0x69, 0x7e, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0xc8, 0x5e, 0x5b, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb4, 0xd2, 0x32, 0x35, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0xe1, 0xf3, 0x57, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5, 0x0d, 0x46, 0x0f, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2d, 0xdd, 0x07, 0x74, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x25, 0x14, 0x70, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0x0a, 0xae, 0x98, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0xb8, 0xee, 0x7f, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6c, 0xf7, 0xb7, 0x91, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0xb4, 0x4d, 0x11, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0xa8, 0xa5, 0xbc, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0x78, 0x6d, 0xc4, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x73, 0x42, 0x9c, 0xfa, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x67, 0x65, 0xb6, 0x39, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7e, 0xa4, 0xd4, 0x1e, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0x5a, 0x9f, 0x62, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7e, 0xbe, 0xd0, 0xfc, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3, 0xbe, 0x62, 0x1c, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0xf0, 0x2c, 0x27, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0x94, 0xbf, 0xe1, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x87, 0x88, 0x91, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x99, 0x18, 0xd4, 0x98, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x58, 0x9d, 0x10, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x76, 0x96, 0xbe, 0x2f, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb8, 0xa0, 0x67, 0x59, 0x00, 0x90, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d, 0x55, 0xef, 0x50, 0x00, 0x60, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0xd8, 0xaa, 0x7f, 0x00, 0x50, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0x5b, 0x1e, 0xf0, 0x00, 0x50, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0xd5, 0xf4, 0xaf, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3d, 0x51, 0x49, 0x12, 0x00, 0x30, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x32, 0x35, 0xc2, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x76, 0xaf, 0x4d, 0xb4, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x30, 0x96, 0x6b, 0xb2, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x43, 0x32, 0x0d, 0x9e, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x69, 0x1d, 0x80, 0x4a, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd8, 0x7e, 0x36, 0x6c, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa4, 0x6c, 0x12, 0x3e, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x35, 0x57, 0xde, 0x94, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbd, 0xf6, 0xe9, 0xc9, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x39, 0xee, 0x81, 0xf1, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x67, 0xb4, 0xdf, 0x0f, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d, 0x15, 0x99, 0x7d, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcd, 0xaa, 0xe5, 0xda, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x40, 0x81, 0x2c, 0x93, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7b, 0x1e, 0x2f, 0x1e, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x20, 0x8c, 0x66, 0xcb, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe8, 0x68, 0xcc, 0x0d, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0xe7, 0x70, 0x3c, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf, 0x03, 0xac, 0x89, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa7, 0xc1, 0xd5, 0x4b, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xed, 0x0d, 0x10, 0x09, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0x38, 0x50, 0xe8, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd6, 0x8a, 0x70, 0x3a, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0xd8, 0x4d, 0x51, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb1, 0x3d, 0x17, 0x7e, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb8, 0xfb, 0x1f, 0x33, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x71, 0xda, 0x45, 0x8e, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0x3d, 0x11, 0xc4, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x39, 0x06, 0x5f, 0x82, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xac, 0xc9, 0xa3, 0x81, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x75, 0x94, 0x74, 0x86, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x86, 0x3f, 0x16, 0x78, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd6, 0xcb, 0xe0, 0x9c, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3, 0x00, 0x76, 0x20, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x84, 0x0b, 0xd1, 0x20, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0xa9, 0x4d, 0x03, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5a, 0xa5, 0x14, 0x04, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0xf9, 0xbb, 0x87, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x48, 0x1a, 0x14, 0x11, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0xae, 0x0e, 0xdc, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c, 0x25, 0xdf, 0x32, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0xc9, 0x14, 0x0d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc2, 0x65, 0x29, 0x1e, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x73, 0x66, 0x82, 0x55, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xea, 0xb7, 0x5e, 0x66, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc1, 0x43, 0x3b, 0xff, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x38, 0x74, 0xa6, 0x81, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6c, 0xb4, 0xab, 0xdf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdf, 0xd2, 0xf9, 0x27, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xee, 0x7e, 0x31, 0x52, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2d, 0x2f, 0xb0, 0x4f, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd2, 0xf2, 0x98, 0x95, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x69, 0x05, 0x98, 0x92, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0x52, 0x98, 0x9a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf2, 0xdc, 0x09, 0xb6, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x76, 0x22, 0x5d, 0x96, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x36, 0xb0, 0xa7, 0xd0, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x47, 0xd4, 0x49, 0x4a, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0x53, 0x0d, 0xdc, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x63, 0xd3, 0xd9, 0x8e, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa8, 0xab, 0x13, 0xf0, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8e, 0x66, 0x99, 0x62, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xac, 0x6a, 0x14, 0x89, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6d, 0xd7, 0x53, 0x26, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x45, 0x5c, 0x4b, 0xd2, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9f, 0x29, 0x14, 0x99, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0x6b, 0x01, 0x60, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8f, 0xde, 0x9b, 0x30, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0xc8, 0xcc, 0x2b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x30, 0x3d, 0xf5, 0x75, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x24, 0x2b, 0x44, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6f, 0x9b, 0x12, 0x36, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0x7d, 0x3a, 0x83, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3a, 0x20, 0x06, 0x48, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0x24, 0xad, 0x83, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8f, 0x33, 0x19, 0x7a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x4e, 0x1f, 0x4b, 0x68, 0x00, 0x60, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0x82, 0x72, 0x41, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe6, 0xff, 0x88, 0xe4, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x16, 0x6e, 0xc3, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x19, 0xf5, 0x91, 0xa9, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0x25, 0x0e, 0x4c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd5, 0x2f, 0xc0, 0xe9, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4b, 0x7f, 0x8f, 0x8e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8b, 0xef, 0x71, 0x80, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0x7d, 0xfb, 0x72, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5b, 0x0a, 0xf4, 0x5a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0x07, 0xc8, 0x2c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa8, 0xfc, 0x2b, 0xe8, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc5, 0xd7, 0x37, 0xe5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x73, 0x6d, 0xa2, 0xdb, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5, 0x2d, 0xaf, 0x3a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc9, 0x10, 0xf6, 0xf5, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0xa8, 0x20, 0xea, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x92, 0xf9, 0x9a, 0x70, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0xa9, 0x05, 0xb9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x65, 0x6c, 0x4e, 0x80, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0xd2, 0x1f, 0xf7, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x17, 0x3e, 0xb9, 0x95, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0x9d, 0x9f, 0x1d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x46, 0xf5, 0xed, 0x44, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8b, 0x52, 0x29, 0x97, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbd, 0xa2, 0x3e, 0xde, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5d, 0x5e, 0x84, 0x3b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc4, 0xee, 0x1e, 0xf1, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xcc, 0x37, 0x81, 0xcd, 0x00, 0x60, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0d, 0x80, 0x90, 0xf2, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2b, 0x11, 0x5d, 0x25, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0x52, 0x82, 0xc1, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfa, 0x53, 0xd4, 0x6c, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0xa8, 0x75, 0x05, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf8, 0x52, 0xc4, 0x41, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x58, 0xf5, 0x55, 0x68, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x58, 0xe6, 0x35, 0xf8, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd3, 0xb0, 0x6e, 0x3a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x96, 0x7d, 0x97, 0x60, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0x6e, 0x23, 0x5e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4b, 0x83, 0x66, 0xf0, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x20, 0x83, 0x76, 0xe8, 0x00, 0x60, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x3e, 0xa4, 0x3d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1e, 0x02, 0x5e, 0x24, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa3, 0x95, 0x47, 0xbd, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb8, 0xb1, 0x58, 0x6a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xee, 0x45, 0x22, 0x10, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0x24, 0x25, 0x7c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x81, 0x56, 0x50, 0xd4, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0xf3, 0x43, 0xc9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x11, 0x82, 0xb1, 0x84, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x46, 0xc9, 0xae, 0xb5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe8, 0x5f, 0xed, 0xb9, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb8, 0x23, 0x68, 0xa5, 0x00, 0x60, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x6d, 0x5b, 0xc0, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd5, 0x91, 0xad, 0x0b, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0xb1, 0xc8, 0x44, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9e, 0x78, 0x96, 0x63, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2e, 0x38, 0xb0, 0x66, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x86, 0x40, 0xc3, 0x58, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0x7e, 0x7b, 0xb4, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x96, 0x87, 0x46, 0xdd, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5, 0x5e, 0xd8, 0x4d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd3, 0xfc, 0xee, 0x7f, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc, 0xec, 0x67, 0xe3, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x10, 0x2a, 0x01, 0x2b, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0x57, 0xe3, 0x5c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa1, 0xca, 0x37, 0xb5, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfd, 0x1a, 0xf8, 0x20, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7e, 0x52, 0xc3, 0xbe, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5d, 0x88, 0x91, 0x50, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x33, 0x4b, 0x84, 0x53, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x04, 0x72, 0xec, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x21, 0xeb, 0xbd, 0x97, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x57, 0xdf, 0x29, 0xd2, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf, 0x93, 0xea, 0x65, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0x89, 0x2e, 0x6b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1d, 0x8e, 0xf4, 0xbe, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x46, 0xaa, 0x8a, 0xe4, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x52, 0x6d, 0x75, 0x5d, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0x61, 0x5e, 0xf0, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x51, 0x38, 0xbf, 0xbd, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4c, 0xfd, 0x62, 0xa4, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4f, 0x5f, 0x12, 0xed, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1c, 0x85, 0x5e, 0x78, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xee, 0x5e, 0x3a, 0x0e, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0x77, 0xc0, 0xb1, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x18, 0x87, 0x3e, 0xe0, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0x8f, 0x36, 0x73, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x70, 0x64, 0xeb, 0x4a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0x87, 0x89, 0x95, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x60, 0x4d, 0x9f, 0xc4, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0xe3, 0x4c, 0x3d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcc, 0xce, 0x87, 0xa7, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0xee, 0x8a, 0x3d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc5, 0x71, 0x8b, 0x3f, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66, 0x52, 0x4b, 0xe3, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5d, 0x44, 0xe6, 0xdf, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0xaf, 0x24, 0x09, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x46, 0xaa, 0x0c, 0x8d, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x0c, 0x5c, 0xa2, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x17, 0x2c, 0xf7, 0xa4, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x46, 0x5b, 0x2a, 0xf9, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x25, 0xbb, 0x1a, 0xf6, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbd, 0x57, 0xa0, 0xe4, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0x46, 0x56, 0xcb, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6d, 0x4d, 0x63, 0x17, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc6, 0x33, 0xf5, 0x3e, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x02, 0xd9, 0x99, 0x6f, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x64, 0x9d, 0x09, 0x23, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0c, 0xe1, 0x13, 0x88, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0x73, 0xb2, 0x3d, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x18, 0xf8, 0x23, 0xf6, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0x8c, 0x32, 0x2d, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x41, 0x15, 0x60, 0xdd, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0xa2, 0xa3, 0x2e, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd2, 0xfb, 0x6c, 0xfc, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0x06, 0x92, 0xfc, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x38, 0xa9, 0xc6, 0x94, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0xb8, 0x95, 0x03, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdc, 0x92, 0x0d, 0x20, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x51, 0xbb, 0x39, 0xa3, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0x92, 0xaf, 0x19, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5f, 0x64, 0x71, 0x2c, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x35, 0xd9, 0x58, 0x63, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0x87, 0x62, 0x7c, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x09, 0xec, 0xb6, 0x72, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x58, 0x26, 0xc6, 0x12, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2b, 0xb0, 0x19, 0x39, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0xb9, 0x97, 0xdc, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x88, 0x94, 0xd4, 0xa6, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe7, 0x0b, 0xa4, 0x01, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x90, 0xdb, 0x7f, 0xcb, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5b, 0x36, 0x9f, 0x24, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3d, 0xff, 0x25, 0x32, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0xb7, 0x2a, 0x88, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8b, 0x60, 0x4d, 0x3c, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0xa9, 0x0f, 0xb3, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1d, 0xf4, 0xab, 0xf3, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfd, 0xd3, 0xbb, 0x38, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe7, 0x46, 0x7d, 0x88, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x20, 0x6c, 0x63, 0xed, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x89, 0xef, 0x68, 0xe5, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x9d, 0x6c, 0xb3, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x24, 0xa6, 0x01, 0x8a, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa0, 0xb7, 0x7c, 0xd1, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1c, 0x1a, 0xba, 0x53, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0x98, 0x7a, 0x7f, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcd, 0xe6, 0xea, 0x29, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x11, 0x60, 0xc1, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6b, 0x8b, 0x9b, 0x6c, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x70, 0xd2, 0xcc, 0xa7, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcf, 0x7c, 0x92, 0x98, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd7, 0xa2, 0x80, 0x18, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7c, 0xd8, 0xb9, 0xc3, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x53, 0x0f, 0x13, 0xbf, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5e, 0x77, 0xcf, 0xfc, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66, 0xa1, 0x26, 0x82, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0x3c, 0x7a, 0x05, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xce, 0x8f, 0xc8, 0x3c, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4a, 0xcc, 0xa4, 0x91, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0x6c, 0xc6, 0xdd, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xce, 0x9d, 0xc3, 0xd1, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0xd0, 0x9c, 0xe0, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x97, 0xa4, 0x2e, 0xc6, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0x8b, 0x8d, 0x8e, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3a, 0xd8, 0x60, 0x2b, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x53, 0xa4, 0x18, 0x05, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x27, 0x60, 0x59, 0x76, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa5, 0x6f, 0xc5, 0x50, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf7, 0x8e, 0xf2, 0xa8, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0x05, 0x7f, 0x9a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4e, 0xf2, 0x08, 0x00, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66, 0x99, 0xb0, 0xc9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdc, 0x17, 0xd4, 0xbc, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0xc8, 0x0e, 0x08, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x78, 0x6d, 0x50, 0xc4, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe3, 0xd2, 0x34, 0xd5, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0x4e, 0xe0, 0xfe, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdf, 0x0f, 0x58, 0x4c, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xee, 0x9f, 0xb1, 0x79, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x1c, 0x86, 0x80, 0x7e, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x01, 0x97, 0x6f, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd3, 0x45, 0x12, 0x53, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6a, 0xaa, 0x0d, 0xef, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe5, 0xf0, 0x71, 0x78, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d, 0xd4, 0xf9, 0xec, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7c, 0xd7, 0x04, 0x91, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x97, 0x95, 0x1a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf1, 0xc3, 0x9e, 0xbb, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xee, 0xb8, 0xe1, 0x06, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x34, 0x2e, 0xb1, 0xb1, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0x04, 0x48, 0x60, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xff, 0x66, 0x88, 0xb7, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0xbe, 0x9d, 0x8c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe9, 0x68, 0x4c, 0xaf, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x13, 0xb2, 0x35, 0x8e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9a, 0x3b, 0x8b, 0x21, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6f, 0x97, 0x45, 0xb7, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x85, 0xf2, 0x7a, 0x59, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd3, 0xc8, 0x30, 0x85, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x34, 0xa1, 0xc0, 0x66, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x76, 0xa9, 0xfb, 0xa9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x66, 0xc2, 0xdc, 0xd1, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfd, 0x30, 0x7c, 0x94, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe0, 0xee, 0x6f, 0xa0, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe9, 0x05, 0xc6, 0x5f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x96, 0x66, 0x7f, 0x4f, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xc4, 0x50, 0x48, 0x9e, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0x6b, 0xe4, 0xd6, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6a, 0xce, 0x67, 0x34, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xed, 0x9a, 0x34, 0xac, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xed, 0x45, 0x59, 0xa0, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0xd3, 0x91, 0xa6, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdb, 0x43, 0x75, 0x75, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0x7b, 0x33, 0x81, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x17, 0x33, 0x76, 0xf8, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0x7a, 0xf4, 0x6c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb6, 0xe5, 0x9a, 0xc9, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0x64, 0xd8, 0xa6, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x19, 0x7a, 0x0d, 0x43, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x2d, 0xea, 0x6d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb5, 0x92, 0xd5, 0xd9, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0xfb, 0x81, 0xd6, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8f, 0xaa, 0xfb, 0xab, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbc, 0x24, 0xed, 0xbf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdf, 0x7f, 0x0f, 0xe0, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x17, 0xb6, 0xf4, 0xd1, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1f, 0xf6, 0x35, 0x12, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x31, 0x34, 0xc3, 0xf6, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8c, 0x97, 0x12, 0x98, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x65, 0xa1, 0x33, 0x5a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf4, 0x6d, 0x4e, 0xa3, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0xd7, 0xfc, 0x40, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9a, 0x7a, 0x19, 0xf5, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0xbb, 0x0d, 0xb3, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x82, 0xdc, 0x6b, 0x1f, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc7, 0x01, 0xa5, 0x83, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x25, 0x6a, 0xb6, 0xcc, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0x26, 0x7e, 0xdc, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbe, 0x9b, 0x76, 0x6a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32, 0x8a, 0xe8, 0xa5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xde, 0x97, 0xe9, 0x4f, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x04, 0x01, 0x6d, 0xb7, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbb, 0x27, 0xa4, 0x56, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xba, 0x97, 0x40, 0x62, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x83, 0x16, 0xeb, 0x52, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6f, 0x0b, 0xb1, 0xde, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd3, 0xa9, 0x9e, 0x48, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9e, 0x1b, 0x5e, 0xbd, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc0, 0x7b, 0x06, 0xdf, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x38, 0x96, 0x51, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x49, 0xf6, 0x65, 0x5c, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x02, 0xf2, 0xdf, 0x9c, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0x42, 0xda, 0x9c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc8, 0xc5, 0xbd, 0x3d, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1d, 0x76, 0xe6, 0x6d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x80, 0x19, 0x50, 0x7a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe8, 0xb0, 0xae, 0xca, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x14, 0x20, 0xef, 0x81, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0xbb, 0xfb, 0x61, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb6, 0xf0, 0x3a, 0x3b, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x24, 0x93, 0x2e, 0x50, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc0, 0xc0, 0x8f, 0x89, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0x27, 0xfd, 0x76, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x85, 0xbf, 0x24, 0x4a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4b, 0xc0, 0x99, 0x4e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x01, 0x3c, 0x7f, 0x11, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xff, 0x97, 0x21, 0x79, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6e, 0x94, 0xee, 0x90, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0xd2, 0x3e, 0xb2, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc4, 0xd9, 0x23, 0x3d, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb3, 0x46, 0x4f, 0x2a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xad, 0x40, 0xc5, 0x4a, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xee, 0xd9, 0xba, 0x58, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3d, 0x32, 0xba, 0x5c, 0x00, 0x20, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0x62, 0x8c, 0x88, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbd, 0xf5, 0x04, 0xe6, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0xf8, 0xd2, 0xb5, 0x00, 0x70, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0xd5, 0x65, 0x52, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe8, 0x1c, 0xd9, 0x6d, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0x02, 0xc0, 0x60, 0x00, 0x80, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x62, 0x36, 0x9d, 0x78, 0x00, 0x20, 0x04, 0x01, 0x52, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x8e, 0x37, 0x35, 0x00, 0x60, 0x04, 0x01, 0xc6, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xff, 0x83, 0xd7, 0xa9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf2, 0xf7, 0xe5, 0xc2, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xab, 0x8b, 0x45, 0x7c, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x75, 0x67, 0xea, 0x5f, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0xbb, 0x51, 0xc5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x74, 0xbc, 0x5c, 0xe9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x38, 0x2a, 0xa1, 0x42, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0xea, 0x82, 0x91, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfe, 0x20, 0x94, 0xd2, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x73, 0xb5, 0xa4, 0x1e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x71, 0x62, 0x69, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x49, 0x05, 0x34, 0xb1, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x49, 0x13, 0x4e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x93, 0xbb, 0xfa, 0x1a, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0xb6, 0xfc, 0x6f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5, 0x7b, 0xf9, 0x11, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x65, 0xeb, 0x72, 0x44, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9a, 0xc0, 0x88, 0x12, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf9, 0x97, 0x36, 0x60, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xc9, 0xf1, 0xd3, 0x1e, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd3, 0xd2, 0x5b, 0xc5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0x1a, 0x28, 0xbb, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1c, 0x0c, 0xd2, 0xc9, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd6, 0x90, 0x07, 0xc9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x59, 0x86, 0xfb, 0xc0, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0x0d, 0xd7, 0x2d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0xaf, 0x2e, 0x02, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc2, 0x0c, 0x41, 0x64, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0xf6, 0x28, 0x92, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x65, 0x24, 0x2e, 0x4c, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0xa0, 0x7a, 0xf9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd5, 0x2f, 0x7e, 0xeb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe8, 0xb2, 0x34, 0xc9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdf, 0xda, 0xef, 0xc5, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0xc6, 0x55, 0x0e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xea, 0x85, 0xa6, 0xae, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0xfb, 0xbb, 0xd2, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5b, 0xb8, 0xcb, 0xdf, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xed, 0xe5, 0xe8, 0x26, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7c, 0x12, 0x6f, 0xdb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc7, 0x13, 0xd6, 0x80, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbc, 0x7c, 0x93, 0x0e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x54, 0x82, 0xa8, 0xc9, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9a, 0xdd, 0x65, 0xa6, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe6, 0x20, 0x0f, 0xda, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbc, 0x56, 0xb4, 0xe5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1c, 0xbb, 0x60, 0x43, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x36, 0x33, 0x7c, 0xeb, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x43, 0x87, 0xa0, 0x73, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xca, 0x5d, 0x68, 0x99, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb2, 0x86, 0x58, 0xb3, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x52, 0x0b, 0xc3, 0x37, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8d, 0xdd, 0x7e, 0x6e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x37, 0x02, 0xac, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0x1a, 0xf5, 0xda, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x11, 0xe7, 0x2b, 0x08, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, 0x97, 0xbf, 0x3c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x44, 0x8b, 0x82, 0x00, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x70, 0x17, 0xdc, 0x08, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x72, 0xf0, 0x3a, 0xa3, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0x33, 0x1c, 0x7e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x21, 0x55, 0x24, 0xba, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x94, 0x21, 0x29, 0x72, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x43, 0x31, 0x2e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6a, 0xeb, 0x33, 0x67, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x5a, 0x7b, 0xf5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5d, 0x44, 0x64, 0x74, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x07, 0xc2, 0x7a, 0x09, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd9, 0x1a, 0x05, 0xd4, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6c, 0x19, 0xbc, 0xab, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9b, 0x14, 0x66, 0x87, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x43, 0x6b, 0xdd, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa4, 0x7c, 0x02, 0xac, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x43, 0x11, 0xa5, 0xb4, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xad, 0x87, 0x05, 0x51, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf6, 0xb5, 0x33, 0x62, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xff, 0x0e, 0x96, 0x3f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb7, 0xbc, 0x28, 0xba, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd2, 0xe9, 0xe3, 0xba, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x95, 0x2d, 0xdf, 0xc7, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x68, 0x59, 0x7d, 0x64, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc7, 0x28, 0x63, 0x71, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbf, 0x6f, 0xdc, 0x9a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb5, 0x54, 0x6f, 0x20, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf2, 0x45, 0x5f, 0x73, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x1b, 0xe3, 0xf7, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcf, 0xcd, 0xe3, 0x94, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdc, 0xf0, 0xb9, 0x0a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x22, 0xb7, 0xb6, 0x17, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xca, 0xd1, 0x0b, 0xa4, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0x6e, 0x41, 0xca, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x74, 0x4f, 0x66, 0x7a, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0x45, 0xa3, 0x2a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd5, 0xb7, 0x25, 0xfd, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0xf5, 0x5e, 0x7a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0xf5, 0x5e, 0x7a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbd, 0x21, 0xba, 0x04, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x36, 0xe8, 0x87, 0x7c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb0, 0xc3, 0x78, 0x19, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9c, 0x7e, 0xd0, 0x00, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa9, 0x7e, 0xf4, 0x23, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0xc3, 0x82, 0x99, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x05, 0x2f, 0xf6, 0xad, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x4e, 0x4e, 0x0c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd3, 0x3b, 0x6b, 0x10, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0xc1, 0x85, 0xe5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x38, 0x38, 0x0e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6c, 0x16, 0xaf, 0x01, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xca, 0xf5, 0xd9, 0x97, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd3, 0xef, 0xf8, 0x31, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x8c, 0xf1, 0xaf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfd, 0x59, 0x21, 0x43, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0xe8, 0x3c, 0x20, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9b, 0x16, 0x20, 0xe9, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0x5b, 0x26, 0x44, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf4, 0x0d, 0xbb, 0x5d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0xa0, 0xe5, 0x3f, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x52, 0x90, 0xc6, 0x13, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf7, 0x83, 0xd2, 0xd7, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x26, 0xe6, 0xf1, 0xf1, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb8, 0x2f, 0xbf, 0x9d, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0xd6, 0x23, 0x7f, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3e, 0x01, 0xb8, 0x7f, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x39, 0xf2, 0x09, 0x77, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x00, 0x24, 0xe3, 0xa8, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x61, 0xbb, 0x2a, 0x4c, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xf3, 0x5a, 0xae, 0xbf, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x04, 0xfd, 0x00, 0xd1, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x00, 0xeb, 0x11, 0x7e, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7c, 0x9d, 0xe0, 0xab, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0x57, 0x61, 0x23, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x6d, 0x73, 0x74, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe3, 0x4b, 0xf1, 0x0f, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5, 0xd3, 0x7a, 0xcd, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbd, 0x4e, 0x89, 0x60, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf0, 0x30, 0xc2, 0x8c, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x99, 0x63, 0xa4, 0x69, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x33, 0x19, 0x1f, 0x3d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0xaf, 0xfa, 0x35, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9a, 0xc9, 0x99, 0x01, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0xaa, 0x97, 0xd6, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x59, 0x1b, 0x55, 0x44, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x7c, 0x7d, 0x2f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb4, 0xd0, 0x04, 0x0b, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0x88, 0xb6, 0x8d, 0x00, 0x80, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe6, 0xe3, 0xe1, 0x96, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x57, 0x0d, 0xef, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1d, 0x0d, 0xcd, 0xaa, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x60, 0xc3, 0xc8, 0x75, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0x1b, 0x35, 0x37, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0x7b, 0x75, 0xdf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9b, 0xab, 0xa9, 0x22, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3e, 0x61, 0x02, 0x7d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf7, 0xb4, 0xbf, 0x9a, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0xb3, 0xf5, 0xce, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7b, 0xd6, 0x6d, 0x04, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf1, 0x69, 0x77, 0x4a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd9, 0x36, 0x88, 0x3e, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0x2c, 0x56, 0xb8, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x54, 0xef, 0x80, 0x24, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x24, 0x1c, 0x7a, 0xb7, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x20, 0xf6, 0x72, 0x0c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf1, 0x09, 0xae, 0xab, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0c, 0x84, 0x83, 0x25, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x18, 0xe3, 0xb6, 0x84, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc5, 0xb9, 0x42, 0x20, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x48, 0x1e, 0xeb, 0xb3, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x11, 0x98, 0x9b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5d, 0x90, 0xe0, 0x45, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3a, 0xa1, 0x7d, 0xf0, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x23, 0x14, 0x7f, 0x92, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x27, 0x2e, 0x79, 0x73, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5e, 0x33, 0x7b, 0x9f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xde, 0x36, 0xee, 0x9e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe1, 0xc3, 0xc2, 0xae, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x87, 0x44, 0x0e, 0x05, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd1, 0x0a, 0x11, 0x96, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x37, 0xee, 0xb5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5d, 0x91, 0x10, 0x74, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x37, 0x60, 0xb9, 0x16, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c, 0xd0, 0x85, 0x59, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1d, 0xe3, 0x45, 0x2f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5f, 0x2b, 0x9c, 0x52, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0x17, 0xf4, 0xa6, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x54, 0xce, 0x96, 0x91, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x83, 0x57, 0x8e, 0x62, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf7, 0xd4, 0x7e, 0x8a, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0xbc, 0x53, 0x26, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x50, 0x2d, 0x84, 0xdb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7a, 0x80, 0x96, 0x31, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd8, 0x02, 0x7f, 0x3d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0x1e, 0x7b, 0xc8, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf, 0x6d, 0x91, 0x4f, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc7, 0xe1, 0x79, 0x64, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd7, 0x48, 0x31, 0x8d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x61, 0x75, 0x0f, 0xc7, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b, 0xfc, 0xc9, 0xd1, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0xff, 0x53, 0xc0, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf5, 0x1f, 0x7f, 0xcb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d, 0x9b, 0x48, 0x8b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb0, 0xcb, 0x4e, 0x5a, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa3, 0x3a, 0xaf, 0x38, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6a, 0xef, 0xae, 0x40, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xca, 0xbc, 0x57, 0x77, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd6, 0x9f, 0xac, 0xad, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x77, 0x89, 0x47, 0x4a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7d, 0x8b, 0x1d, 0xdd, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3d, 0xa4, 0x86, 0x9a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x20, 0xb2, 0x98, 0xe4, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0xab, 0xa0, 0x17, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3b, 0xc6, 0x49, 0x8d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0x4d, 0x89, 0x90, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe5, 0x9a, 0x27, 0xd6, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x3f, 0x56, 0x53, 0x4f, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x52, 0xc9, 0x4d, 0x70, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x89, 0x86, 0x7e, 0x37, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0x65, 0x7c, 0xec, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0x3f, 0x65, 0x0e, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2d, 0x18, 0xd6, 0x51, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xde, 0xc6, 0xea, 0x15, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1d, 0x76, 0x82, 0xb4, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x21, 0xeb, 0x3f, 0x3e, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0xb4, 0xed, 0x5f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x00, 0x77, 0xa3, 0xb7, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0x61, 0xac, 0x3f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x64, 0x82, 0x4f, 0x19, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x81, 0xa2, 0x29, 0x9d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x38, 0x95, 0x4c, 0x61, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xab, 0xfa, 0x48, 0x06, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x19, 0x6b, 0xdc, 0x13, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa9, 0x14, 0x41, 0xe2, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x16, 0x5a, 0x3a, 0x8a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1e, 0xe3, 0x3b, 0x40, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6b, 0xcc, 0x77, 0x78, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6e, 0x68, 0xaf, 0x06, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x23, 0xe6, 0x9f, 0x35, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xff, 0xe6, 0x33, 0xbe, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x70, 0x19, 0x52, 0xd3, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd2, 0x5a, 0x6b, 0xce, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8d, 0x5d, 0xf6, 0xfb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x5c, 0x8c, 0x86, 0xef, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xae, 0x25, 0x02, 0xd0, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe8, 0x53, 0x4d, 0x27, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x72, 0x0e, 0x26, 0x3f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x58, 0xa6, 0x5b, 0xd7, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x41, 0x5b, 0x23, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfa, 0x03, 0x5f, 0x5d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0xc1, 0xb1, 0x08, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4e, 0x2f, 0x09, 0xca, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x03, 0xb5, 0xa0, 0x72, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf6, 0xa3, 0xb6, 0xf2, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x29, 0xad, 0x5c, 0xa4, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x33, 0x4e, 0x5a, 0xe7, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0xa1, 0x71, 0x6b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xaa, 0x8a, 0x82, 0x11, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1d, 0x86, 0xee, 0x36, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe5, 0x66, 0xbc, 0x75, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0xa5, 0xc9, 0x1a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf3, 0x86, 0xa1, 0xc4, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x01, 0xc3, 0x67, 0x60, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6a, 0xa7, 0x08, 0x4c, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x22, 0x32, 0x97, 0x19, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x68, 0x5d, 0x4a, 0x48, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4f, 0xef, 0x1b, 0x4f, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0x79, 0xc6, 0x7f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x28, 0xf2, 0x64, 0x95, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x46, 0x68, 0xc5, 0x2d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xee, 0x67, 0xdb, 0x98, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0x90, 0x97, 0x45, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x8c, 0x64, 0xce, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd7, 0x4a, 0xfb, 0x48, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x90, 0xcf, 0xcb, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x44, 0x77, 0xf2, 0x6e, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x28, 0x3e, 0xa4, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, 0x86, 0xdc, 0x38, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb2, 0x93, 0xe7, 0xa0, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0x99, 0xbc, 0x64, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6a, 0xc8, 0x63, 0x36, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x53, 0xb2, 0x2c, 0x36, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x15, 0xeb, 0x73, 0x7d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xf5, 0xa4, 0xb4, 0x88, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6f, 0x67, 0x80, 0xeb, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x12, 0xd4, 0x3d, 0x42, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, 0x3d, 0x26, 0x53, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0x75, 0x5a, 0x89, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0x0d, 0x10, 0x41, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xed, 0xa4, 0x54, 0x48, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x08, 0xc5, 0x33, 0x2c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9d, 0xbe, 0x43, 0x72, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf0, 0xec, 0x6d, 0xd3, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5d, 0xc6, 0xce, 0xd4, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0x79, 0x1e, 0xdf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4d, 0x4e, 0x1e, 0xe2, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0xf1, 0x60, 0x75, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf3, 0x11, 0xf7, 0xd0, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xeb, 0x31, 0x06, 0x1e, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0xfd, 0xf2, 0x08, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcc, 0xdc, 0x81, 0xe5, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0x29, 0x6b, 0xe9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcf, 0x16, 0x90, 0x8c, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x21, 0x54, 0x14, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe7, 0xfe, 0xc9, 0xa6, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x03, 0xe5, 0x7e, 0xd1, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x24, 0x40, 0xa3, 0x0a, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x81, 0x39, 0x70, 0xcd, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcd, 0x76, 0xec, 0x7c, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x81, 0xa2, 0x16, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb4, 0x92, 0x82, 0x6c, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9c, 0x4f, 0x49, 0x95, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x60, 0xb7, 0x53, 0x39, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0xcd, 0x08, 0x21, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf, 0x37, 0x97, 0x92, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6d, 0x2e, 0xbd, 0x3a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x19, 0xb2, 0xb4, 0xf5, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc7, 0x12, 0xb5, 0x84, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x31, 0x35, 0xdc, 0x8d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0xc1, 0x06, 0x77, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf7, 0x48, 0xda, 0x84, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1c, 0x79, 0x0f, 0xe1, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5c, 0x16, 0x07, 0xbc, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x12, 0x7b, 0x7f, 0x07, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1e, 0x81, 0x00, 0x17, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x83, 0x82, 0x8c, 0x38, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x35, 0x7f, 0xd0, 0xdd, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x65, 0x6e, 0xc4, 0x62, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x09, 0x24, 0xe7, 0x06, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0xbe, 0x94, 0xe9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0x97, 0x3a, 0x20, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0x6f, 0x31, 0x22, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x14, 0x6e, 0xde, 0x69, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x64, 0x02, 0xbe, 0x81, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfd, 0x5d, 0x18, 0x64, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf7, 0x35, 0xfb, 0x49, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5d, 0x3e, 0x7b, 0xeb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0x81, 0x24, 0xfb, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x73, 0xe2, 0x8a, 0x19, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc6, 0x41, 0x48, 0x2e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x80, 0x14, 0x70, 0xe0, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0xa4, 0xcb, 0xa7, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x93, 0xeb, 0xd9, 0xb3, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0x4a, 0x1b, 0xff, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0e, 0x29, 0x60, 0xec, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x67, 0xee, 0xab, 0xe5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa3, 0x68, 0xe3, 0x09, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb1, 0x7a, 0x8d, 0x09, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x71, 0xcb, 0x60, 0x78, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x98, 0x88, 0x29, 0x9c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2a, 0x48, 0x5b, 0xcd, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6e, 0x93, 0xd0, 0xa1, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c, 0x25, 0x73, 0xcb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0xd6, 0x10, 0x1b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x99, 0x73, 0x04, 0x8f, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc1, 0x15, 0xbc, 0x90, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x06, 0x5a, 0x22, 0x08, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x72, 0xdc, 0x23, 0xbd, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x82, 0x55, 0x14, 0x8d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x73, 0x37, 0x40, 0x08, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3b, 0x26, 0x6c, 0xa0, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb3, 0x73, 0xe6, 0x2b, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0x93, 0xc3, 0x75, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9b, 0xca, 0x0d, 0xf8, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x30, 0xdb, 0xf6, 0x3b, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xed, 0x5f, 0x0a, 0x20, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x1e, 0x8f, 0xee, 0x2b, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4b, 0x2e, 0x03, 0xeb, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0xa0, 0x67, 0x2f, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0xfc, 0x2c, 0x13, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdb, 0x3a, 0x8f, 0x3d, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x39, 0xfc, 0x36, 0x8f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x68, 0x8d, 0x53, 0x26, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x29, 0x29, 0x7b, 0xca, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x09, 0x28, 0x63, 0xcc, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x04, 0x3c, 0x59, 0xe3, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x98, 0x2f, 0x73, 0xbb, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x55, 0x38, 0x8e, 0x60, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc6, 0xac, 0x3e, 0xa5, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x90, 0x6e, 0x53, 0x98, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6b, 0xf4, 0x6f, 0xe9, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x95, 0xaa, 0x54, 0xb3, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x1e, 0x48, 0xcb, 0x17, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf7, 0x3b, 0xdf, 0x0a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0xc7, 0x4a, 0xd4, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd2, 0xc2, 0x5b, 0xff, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x68, 0xb5, 0xa0, 0x6c, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xef, 0xb1, 0xf8, 0xb5, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x54, 0xde, 0xf2, 0x94, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0x02, 0x4f, 0xc8, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0xb3, 0x1d, 0xe5, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0xb9, 0x97, 0x67, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7f, 0x1e, 0xa1, 0x18, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0x2e, 0x51, 0x21, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x96, 0x7b, 0xf2, 0xc8, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xde, 0x69, 0x3d, 0xc2, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x26, 0x4a, 0x1d, 0x52, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0x7a, 0x3f, 0x77, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcf, 0x4d, 0xd5, 0xf7, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0xaa, 0x65, 0xaf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x58, 0xcc, 0x50, 0x57, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0x17, 0x23, 0x93, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa8, 0xea, 0xb6, 0x23, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xff, 0x61, 0x1c, 0xdf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc6, 0xb1, 0x41, 0xd9, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa6, 0xb1, 0x6a, 0x6d, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd0, 0x60, 0xa9, 0x3f, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x96, 0x41, 0xd9, 0xfc, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x59, 0xd4, 0x42, 0x0e, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe9, 0x20, 0xd8, 0x5e, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x92, 0xa9, 0xb3, 0x56, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa2, 0x83, 0xeb, 0x04, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x72, 0x16, 0x8b, 0x05, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4f, 0xb8, 0x40, 0x18, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xab, 0xf3, 0x9b, 0x65, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x64, 0x72, 0x31, 0x2c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd0, 0x5a, 0x4f, 0x2b, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0xb9, 0xa1, 0x8c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x85, 0xcb, 0x49, 0x32, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0x15, 0x4e, 0x91, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x57, 0xfe, 0xe6, 0xa7, 0x00, 0x10, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3, 0xcb, 0x89, 0x99, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0xb9, 0x02, 0x3c, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0x09, 0x6d, 0x4f, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x17, 0x08, 0xd8, 0x1b, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x68, 0x18, 0x31, 0x3f, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbf, 0x92, 0xbb, 0xaf, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5, 0x66, 0xfe, 0xca, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x38, 0x14, 0x65, 0xfa, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x2a, 0x44, 0x86, 0x93, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7c, 0xf2, 0x63, 0x1a, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a, 0xdd, 0x1b, 0xad, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0xfd, 0xda, 0x71, 0x00, 0x70, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x10, 0x6e, 0x30, 0x2e, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x72, 0x80, 0x2c, 0x0d, 0x00, 0xc0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9c, 0x00, 0x43, 0x70, 0x00, 0x60, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x13, 0x8b, 0x96, 0x2f, 0x00, 0xd0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x5a, 0x3d, 0x1b, 0x52, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x08, 0xb9, 0x6f, 0xbe, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0xd6, 0x75, 0xf7, 0x00, 0xd0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf6, 0x62, 0x69, 0x4d, 0x00, 0xc0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x2c, 0x95, 0xd0, 0x9d, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0x15, 0x84, 0x0c, 0x00, 0xd0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5c, 0x7c, 0x50, 0xd6, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0x82, 0x9c, 0x00, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0c, 0x92, 0x77, 0x98, 0x00, 0xc0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe9, 0x87, 0x04, 0xf8, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3d, 0x5a, 0xc1, 0xc5, 0x00, 0xc0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0x81, 0x8f, 0xd9, 0x00, 0xc0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32, 0xc5, 0xb3, 0xb9, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x34, 0xcd, 0x96, 0xa1, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0x7b, 0xfb, 0xe4, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x09, 0x90, 0xdd, 0x36, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0xf4, 0xe1, 0x86, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x59, 0x7f, 0x0f, 0x3f, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0xcf, 0x1d, 0x6e, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1d, 0x01, 0x35, 0xe1, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0xb5, 0x10, 0x5e, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x65, 0x63, 0x97, 0xc6, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0x0e, 0x21, 0x47, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5, 0x46, 0xa5, 0x53, 0x00, 0xd0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbc, 0x5f, 0x61, 0x66, 0x00, 0xc0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1c, 0x11, 0xb2, 0xad, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x68, 0xe1, 0x74, 0x91, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x80, 0x75, 0xc1, 0xf1, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0x53, 0xe0, 0x48, 0x00, 0xc0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x30, 0x57, 0xef, 0x12, 0x00, 0xc0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6b, 0xad, 0x7e, 0x00, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0x3b, 0x87, 0x1e, 0x00, 0xc0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x38, 0xb0, 0x12, 0x98, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x0c, 0x68, 0x78, 0x00, 0xc0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0xd4, 0xbb, 0x3a, 0x00, 0xc0, 0x04, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd2, 0x7d, 0x11, 0x09, 0x00, 0x40, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x3e, 0x3b, 0xff, 0xf8, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd7, 0x9e, 0x2f, 0xf2, 0x00, 0x00, 0x05, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe3, 0xc1, 0x52, 0x2c, 0x00, 0x80, 0x04, 0x01, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2e, 0x67, 0x46, 0xdb, 0x00, 0xc0, 0x24, 0x01, 0x0c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0x74, 0xa2, 0xed, 0x00, 0xc0, 0x24, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x22, 0x08, 0xaf, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe0, 0x3b, 0x95, 0xfe, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0x95, 0xe8, 0xd1, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe7, 0x93, 0xad, 0x79, 0x00, 0x80, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf7, 0x1f, 0x5b, 0x34, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd6, 0x37, 0xc4, 0x48, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0x85, 0x60, 0x4e, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7e, 0x7d, 0xfc, 0x14, 0x00, 0x80, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc, 0xe1, 0x00, 0x30, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb8, 0x04, 0x03, 0x4d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0b, 0xca, 0x2a, 0xe0, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x31, 0xb5, 0x48, 0x94, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x1f, 0x39, 0x7c, 0x50, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x03, 0x6e, 0x0a, 0x93, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x53, 0x1a, 0x14, 0xc3, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe5, 0x04, 0x77, 0x98, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9d, 0x90, 0xea, 0x46, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2d, 0x4d, 0xbf, 0x4f, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4e, 0x51, 0xf8, 0x6d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x62, 0xb0, 0x29, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x69, 0xe8, 0xaf, 0x15, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x28, 0x79, 0xa8, 0x53, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8d, 0x79, 0x09, 0xfc, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x19, 0x62, 0x32, 0x05, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x7a, 0x89, 0xd6, 0x91, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x25, 0x18, 0x43, 0xbe, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8d, 0x83, 0x36, 0x32, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb7, 0x55, 0x2e, 0x9f, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfe, 0x5d, 0xff, 0x1c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x51, 0x38, 0x0f, 0x77, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a, 0x8b, 0x05, 0xbd, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x21, 0x24, 0xa5, 0xc3, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x2e, 0x70, 0x08, 0x98, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x52, 0xa7, 0x66, 0x1f, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x16, 0x14, 0x4d, 0x1c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xef, 0x56, 0x68, 0x28, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3e, 0x80, 0x84, 0x68, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x71, 0xe2, 0x8c, 0x64, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb6, 0x27, 0x5d, 0xc0, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x33, 0xd4, 0x86, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc6, 0x57, 0x6d, 0x16, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9b, 0xf8, 0x94, 0x04, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcf, 0x99, 0x2c, 0xf6, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9c, 0x6c, 0xe5, 0x75, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcb, 0x9c, 0x24, 0x1b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc6, 0xfb, 0x3a, 0x6f, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe3, 0xc3, 0x30, 0x7a, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x29, 0xee, 0xa5, 0x9a, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9f, 0x2d, 0x3d, 0x28, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x8c, 0x73, 0x62, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc3, 0xd4, 0x79, 0x7b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xee, 0xa4, 0xc9, 0xfb, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcb, 0x54, 0x58, 0xef, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf0, 0x0d, 0x30, 0xa2, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x49, 0xdf, 0x8e, 0xe8, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x9c, 0x25, 0x6e, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb0, 0xd7, 0x9e, 0x94, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x6a, 0x60, 0xa1, 0xe0, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0x57, 0x32, 0x3f, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf, 0xad, 0xa3, 0xf3, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe7, 0x8b, 0xd3, 0x87, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5d, 0xde, 0x49, 0x6c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbe, 0xcc, 0x4b, 0x0f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x16, 0x9a, 0xfd, 0x7e, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9d, 0x94, 0x52, 0x3e, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x9d, 0xdd, 0xce, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x93, 0xb2, 0xbd, 0x39, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x18, 0xff, 0x52, 0x2d, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2f, 0xbf, 0x62, 0x15, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x85, 0x5d, 0xbc, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf8, 0x8a, 0x5d, 0x79, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9c, 0xb7, 0x39, 0x17, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x83, 0xc9, 0x07, 0x41, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0x6a, 0xcb, 0x10, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf2, 0x25, 0xd8, 0x6b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa6, 0xb6, 0x8d, 0xd9, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x83, 0xb0, 0xce, 0x12, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0x79, 0x8b, 0xca, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7a, 0xa9, 0x2a, 0x9f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0xaf, 0x2e, 0x00, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb4, 0x92, 0xd3, 0xb7, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xfb, 0xfb, 0x6c, 0xb1, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7e, 0x9c, 0x30, 0x6d, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8f, 0x17, 0x1c, 0x87, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0xa6, 0x92, 0xfb, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x42, 0x57, 0xa2, 0x8c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xda, 0xa9, 0x0f, 0xcb, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2c, 0xa9, 0xfb, 0x1d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0xac, 0x5a, 0x14, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb3, 0x6f, 0xa3, 0x3e, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x45, 0x4d, 0x3c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x87, 0xb5, 0x02, 0xc7, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x1a, 0x21, 0xec, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe5, 0x70, 0xcd, 0xda, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0x61, 0xb0, 0x75, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xab, 0xea, 0x27, 0xd5, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfa, 0xc2, 0x5b, 0xe2, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd7, 0x38, 0x30, 0x02, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3d, 0x1c, 0x0d, 0x09, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa1, 0x85, 0xf2, 0x8a, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xde, 0x28, 0x50, 0x3c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x39, 0x6d, 0x8d, 0x8f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0x66, 0xd8, 0xfc, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x10, 0x55, 0x66, 0x8a, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x80, 0xfd, 0x7b, 0x5c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd5, 0x5a, 0x39, 0xed, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2e, 0x05, 0x8b, 0x11, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0a, 0xfc, 0x72, 0x97, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b, 0x80, 0xec, 0x47, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x41, 0x45, 0xdb, 0xbe, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x47, 0x6c, 0x4f, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc1, 0xe1, 0x6b, 0x97, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x32, 0xbe, 0x3c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x72, 0xfa, 0x55, 0xcf, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x92, 0x7d, 0xf4, 0x9e, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x38, 0x03, 0xe8, 0x4b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0xf4, 0xba, 0x23, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x03, 0x8c, 0xcd, 0x70, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5e, 0x9a, 0x84, 0x45, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb1, 0x58, 0xd6, 0xcd, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x52, 0x2b, 0xa1, 0x69, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x10, 0xaa, 0xd3, 0xf3, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd0, 0xb4, 0x36, 0x35, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa4, 0x3b, 0xec, 0x62, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c, 0x7a, 0xf1, 0x09, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0xed, 0x0d, 0xc5, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa8, 0xc8, 0x65, 0x4e, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb3, 0x16, 0x2d, 0x2c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbd, 0xbd, 0x56, 0x4b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0xfb, 0xdf, 0xe0, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x74, 0xdd, 0xd9, 0x7b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6a, 0x9a, 0x49, 0x56, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5e, 0x3e, 0xfd, 0xed, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0x37, 0x3d, 0x71, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x87, 0x1f, 0x08, 0x68, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf7, 0xf5, 0x13, 0x12, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf, 0x42, 0x46, 0x3a, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x37, 0xac, 0xf4, 0x2b, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa0, 0xc7, 0x29, 0xd5, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe7, 0xd8, 0x02, 0xce, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc5, 0x2d, 0xad, 0xa9, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x06, 0x62, 0xfa, 0x9a, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x49, 0xac, 0xaa, 0xad, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x83, 0x7a, 0x3a, 0x78, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0xf6, 0x9b, 0x1c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc6, 0x18, 0xb7, 0xbf, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0x81, 0x91, 0x05, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x79, 0xc1, 0x25, 0x23, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x90, 0x6f, 0x43, 0xa3, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4f, 0x1e, 0x57, 0xde, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0xc4, 0x2c, 0x23, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x58, 0x9b, 0x40, 0x56, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc5, 0xde, 0x2b, 0x9d, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe6, 0xaa, 0xca, 0x18, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5d, 0xa8, 0xdc, 0x53, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2d, 0x36, 0xe0, 0xa6, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0xe5, 0x63, 0x85, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb2, 0x41, 0x33, 0xe0, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x81, 0x2e, 0x60, 0x8a, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x81, 0xa0, 0x92, 0xb2, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc8, 0x60, 0x36, 0xdb, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xeb, 0x5d, 0x40, 0x89, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9d, 0xab, 0x47, 0xc0, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd7, 0xfa, 0xce, 0xa6, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6a, 0x51, 0x18, 0xdf, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe3, 0x3b, 0x2b, 0x70, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0x82, 0xb5, 0x3e, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf9, 0x0a, 0xc0, 0xe1, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x96, 0x6a, 0x67, 0x05, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb6, 0xf1, 0x8d, 0xb3, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb3, 0x44, 0xb8, 0xf7, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0x78, 0x58, 0xe2, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x70, 0x6b, 0x84, 0x63, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0x70, 0xf5, 0xbe, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xed, 0x5c, 0xa7, 0xa1, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x61, 0xee, 0x8f, 0x8c, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x1e, 0xff, 0x62, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x44, 0x60, 0x71, 0xcc, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdd, 0x9c, 0x4b, 0x73, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0xef, 0x1b, 0x2f, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x76, 0x12, 0x4c, 0x21, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x58, 0x06, 0x41, 0x1e, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x99, 0x59, 0x36, 0x97, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0x9b, 0x1f, 0x65, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd9, 0xe0, 0xf1, 0x6d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xef, 0xd0, 0x35, 0x89, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x97, 0x13, 0x41, 0x3e, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd9, 0x55, 0xa0, 0xe4, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x30, 0xc4, 0x30, 0xc8, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfd, 0x08, 0xe6, 0x87, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x10, 0x24, 0x6d, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf7, 0x6c, 0xe9, 0x91, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7d, 0x4c, 0x9c, 0xb5, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2a, 0x11, 0x4a, 0x35, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3a, 0x40, 0xf2, 0x2f, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3e, 0x33, 0xfd, 0x91, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6e, 0xed, 0xf2, 0xe4, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7e, 0x99, 0xc0, 0xd6, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x31, 0x97, 0xd7, 0xfe, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb5, 0x7f, 0x61, 0x72, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9d, 0xbc, 0x4a, 0x65, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb0, 0x8a, 0x8c, 0xdf, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0x3b, 0xca, 0xab, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x4f, 0x9b, 0xa0, 0x96, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x45, 0x67, 0x4e, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xed, 0xb8, 0x11, 0x13, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x51, 0xef, 0x40, 0x37, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0xf7, 0x41, 0x34, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf2, 0x15, 0x6c, 0x57, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5a, 0x85, 0xf2, 0xcb, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x72, 0x6a, 0xc8, 0xad, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9a, 0xc7, 0x2c, 0x79, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x57, 0xff, 0x72, 0xad, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb3, 0xda, 0x8a, 0x2f, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2a, 0xb7, 0xe9, 0x96, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x9d, 0x9e, 0x83, 0x5d, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xaa, 0x6f, 0xee, 0x5e, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2e, 0xbd, 0x09, 0x44, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd1, 0x87, 0x62, 0x5e, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfc, 0xd2, 0xf0, 0x8b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x25, 0xd1, 0xda, 0x93, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb5, 0x96, 0x0b, 0x5c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x52, 0x87, 0xb2, 0x78, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0x29, 0xfc, 0xaa, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x90, 0x6a, 0x01, 0x7c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5f, 0x8c, 0x5d, 0xc6, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2e, 0x69, 0x5b, 0x63, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xdf, 0xcb, 0x03, 0xd5, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0xf9, 0x11, 0xea, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe3, 0x29, 0xb3, 0x7c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x49, 0x0d, 0x71, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6d, 0x98, 0xe8, 0x63, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9a, 0x56, 0xec, 0xa3, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x45, 0x66, 0x19, 0x89, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd8, 0x52, 0xfe, 0x48, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb1, 0xb6, 0x17, 0x62, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x78, 0xc0, 0x8f, 0x8d, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xba, 0xc9, 0x1d, 0x59, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcd, 0x39, 0xf9, 0xde, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x91, 0x97, 0x94, 0x9b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0x73, 0x81, 0x5a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x60, 0x30, 0xe3, 0x7a, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc5, 0xd7, 0xa0, 0x8b, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66, 0xcd, 0xc1, 0x16, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x01, 0xd3, 0x58, 0xed, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfa, 0xae, 0x69, 0xb9, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x34, 0xeb, 0xb7, 0xc6, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2a, 0x4a, 0x18, 0x56, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbf, 0x12, 0xb9, 0x42, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf3, 0xc1, 0x15, 0x14, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3b, 0xbd, 0xb5, 0xb8, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x44, 0x09, 0xad, 0x7e, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x42, 0x08, 0x52, 0x7d, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa7, 0x89, 0x94, 0x6c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0x99, 0x76, 0xbf, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa7, 0x0b, 0x8d, 0x65, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0x89, 0xd0, 0x34, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa2, 0xdf, 0xcf, 0x04, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd7, 0x73, 0x6e, 0x24, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x24, 0xc5, 0x43, 0x11, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2e, 0x04, 0x30, 0x05, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x47, 0xe5, 0xbd, 0xdc, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xaa, 0x05, 0x47, 0xd3, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x89, 0xba, 0x70, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1b, 0x11, 0x00, 0xc1, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4b, 0xf0, 0x97, 0xcf, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x62, 0x87, 0x99, 0x7d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xda, 0xb7, 0x2f, 0xdd, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x60, 0x4e, 0x5d, 0x73, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0x71, 0xe9, 0xeb, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7f, 0x07, 0x20, 0x90, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0xda, 0x0b, 0xee, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb8, 0xd3, 0xe2, 0xdb, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa5, 0x42, 0x2c, 0x9a, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0d, 0xe4, 0xc4, 0xea, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x26, 0x20, 0x39, 0x53, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa1, 0x61, 0xf0, 0x1c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x61, 0xf4, 0xa9, 0xd8, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdf, 0x8c, 0x08, 0x2f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0e, 0x4e, 0x21, 0x12, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa8, 0xec, 0xb0, 0xbe, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0x73, 0xa7, 0x6a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe6, 0x3f, 0xe6, 0xd8, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0x9a, 0x22, 0xfe, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xae, 0xf4, 0x2e, 0xac, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdf, 0x9c, 0x38, 0xbb, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa4, 0xe6, 0x1e, 0x79, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0x8d, 0xed, 0x23, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7b, 0x4b, 0x57, 0xd5, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0x34, 0x61, 0xcb, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe3, 0x21, 0xd4, 0x7c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb2, 0x96, 0x2b, 0x5f, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb5, 0x60, 0xcc, 0xda, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2b, 0x99, 0x9d, 0x7a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb5, 0x5f, 0x8a, 0xa4, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x51, 0x79, 0x0f, 0xcf, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4a, 0x03, 0x87, 0x8e, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x04, 0xcf, 0x8d, 0xb8, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0x0b, 0x1e, 0x1c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xff, 0x93, 0xf3, 0x85, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc5, 0x11, 0xf4, 0x34, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbb, 0x09, 0x89, 0xc2, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0xf5, 0x6b, 0x4f, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0xba, 0x9b, 0xd5, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0a, 0xd6, 0x9e, 0xa3, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8d, 0x10, 0x87, 0xe6, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc9, 0x72, 0x2c, 0xd2, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x07, 0x0f, 0xf2, 0xce, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x57, 0xa8, 0x12, 0xee, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf3, 0x7e, 0x7f, 0xc4, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0x9a, 0xe7, 0x62, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe0, 0x64, 0xc8, 0x40, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x57, 0x59, 0xe5, 0x06, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b, 0x9a, 0xe1, 0xea, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3f, 0x87, 0xa2, 0x7d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x4e, 0x36, 0x5c, 0x01, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1b, 0xc0, 0x8b, 0x19, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x51, 0x49, 0xb5, 0x71, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0x02, 0x77, 0x05, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0f, 0xd6, 0x88, 0x96, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x08, 0xf3, 0x9a, 0x63, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x22, 0x12, 0x2a, 0x6f, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1d, 0x28, 0xfc, 0xe2, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1b, 0x2d, 0xf0, 0xde, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1b, 0x35, 0x39, 0x79, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3f, 0x45, 0x53, 0xd4, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b, 0x64, 0xa0, 0x97, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x86, 0xd5, 0x03, 0x48, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x96, 0x8f, 0x68, 0x0a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1d, 0x2f, 0x32, 0x2a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcb, 0xcd, 0x75, 0x6c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd7, 0x38, 0xc1, 0x1d, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd7, 0x38, 0xc1, 0x1d, 0x80, 0x45, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xda, 0x78, 0x0f, 0x4e, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x38, 0xde, 0xe5, 0xf9, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x91, 0xc6, 0xb6, 0x9f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x97, 0x27, 0x14, 0x30, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x26, 0x53, 0x56, 0x1f, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0xea, 0xc8, 0xee, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xba, 0x41, 0xb6, 0x9a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x78, 0x2b, 0x5b, 0xae, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9e, 0x99, 0xec, 0x3f, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2d, 0xe5, 0x59, 0xb2, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x49, 0xcb, 0x48, 0x9d, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0f, 0x81, 0xef, 0x43, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0xf5, 0x24, 0x91, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8a, 0x47, 0xdd, 0x28, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcf, 0x48, 0x1d, 0x9d, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85, 0xe7, 0x0b, 0xe5, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdb, 0x2a, 0x58, 0xe0, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, 0xba, 0x30, 0x4f, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xab, 0x3e, 0x7f, 0xe7, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x05, 0x0e, 0xec, 0xa8, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6f, 0x86, 0x01, 0x55, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0xee, 0x4b, 0x2d, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe0, 0x17, 0xb1, 0x10, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0xf8, 0x70, 0x5c, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8d, 0x12, 0xc7, 0x06, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9f, 0xf5, 0xc7, 0x0b, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x69, 0x3a, 0xcd, 0xa2, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0x30, 0xbf, 0x84, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfb, 0x09, 0xc2, 0x36, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x19, 0xef, 0x70, 0x40, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x51, 0x93, 0x73, 0x9d, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa0, 0x7f, 0x53, 0x41, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x19, 0x29, 0x96, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9e, 0x2e, 0xd7, 0x5a, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xca, 0x62, 0x16, 0xff, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x99, 0x29, 0xd7, 0x4a, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0xfa, 0xe3, 0xbc, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xad, 0xbc, 0xfd, 0x43, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0xe2, 0x38, 0xae, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xef, 0xff, 0x4f, 0xf4, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0x0c, 0x29, 0xf0, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc3, 0xc2, 0xe8, 0x86, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0xe1, 0x5c, 0x81, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdb, 0xbd, 0xae, 0x80, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe6, 0x0a, 0xe2, 0xe6, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf2, 0xa0, 0xde, 0xc2, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfb, 0xcb, 0xaa, 0x98, 0x00, 0x00, 0x45, 0x01, 0x6a, 0x04, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x25, 0x94, 0x0d, 0x34, 0x00, 0xa0, 0x24, 0x01, 0xb0, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x18, 0xdb, 0xd4, 0x69, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe1, 0xd1, 0x1a, 0x3c, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x5b, 0x7a, 0x64, 0x52, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdd, 0x71, 0x3f, 0xd1, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x79, 0xd7, 0xd8, 0xe9, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x31, 0xd5, 0xcd, 0x9c, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8a, 0x36, 0xc7, 0xc6, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa1, 0xaf, 0xe3, 0x63, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x44, 0xaa, 0x91, 0xde, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x79, 0xf4, 0x3c, 0xaa, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8d, 0xd7, 0x73, 0x44, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x14, 0xa3, 0x3a, 0xd5, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0xec, 0x7d, 0xa8, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3a, 0xef, 0x20, 0xc9, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xef, 0xb1, 0x72, 0x8a, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4b, 0xdb, 0x0f, 0x8a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x03, 0x72, 0x83, 0x51, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfc, 0x3c, 0x1e, 0x57, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf7, 0x8d, 0x68, 0xcd, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0x0f, 0x04, 0x71, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x22, 0xe1, 0x9b, 0x19, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7f, 0x0b, 0x71, 0xe6, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x19, 0x28, 0x78, 0xea, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0x11, 0x8a, 0xd8, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb0, 0xa1, 0x17, 0xe4, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0x7d, 0x94, 0x0f, 0x00, 0xe0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbc, 0x88, 0x1c, 0x05, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x02, 0x74, 0xa3, 0xf5, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbe, 0xf7, 0x69, 0xc8, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xfd, 0xf2, 0xd8, 0xec, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x81, 0xd1, 0x52, 0x26, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbc, 0x57, 0xe8, 0xb3, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x43, 0x70, 0x16, 0x3b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xde, 0x7b, 0xcf, 0xf7, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8c, 0x96, 0x13, 0xe0, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7b, 0x47, 0x96, 0x3f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x41, 0xa0, 0x31, 0x81, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfd, 0x96, 0x47, 0x64, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa5, 0x1c, 0xcd, 0xe2, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x22, 0x4a, 0x88, 0xfb, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0xa5, 0xed, 0x13, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8a, 0x22, 0x8a, 0xd4, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x07, 0xc4, 0x23, 0xb7, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xce, 0x0b, 0x7a, 0xae, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x10, 0xfc, 0x67, 0xdf, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x51, 0xb0, 0x99, 0x7a, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x61, 0x54, 0xa9, 0xcf, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x85, 0x55, 0x9d, 0x0c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb8, 0x36, 0xfc, 0x4a, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe2, 0xd2, 0xf5, 0xc5, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xab, 0xfd, 0x2a, 0x7d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x68, 0x5d, 0xbc, 0x3e, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcb, 0x2d, 0xdf, 0xa9, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x16, 0xb1, 0x4c, 0xf9, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x64, 0xeb, 0x9f, 0x18, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb5, 0x36, 0xb1, 0x6a, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x12, 0xb9, 0x87, 0xcb, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x47, 0xbd, 0x7e, 0x11, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x90, 0x74, 0x27, 0x6f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x07, 0xbb, 0xf2, 0xed, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85, 0x2f, 0x9e, 0x19, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x4f, 0x1d, 0x99, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c, 0xf7, 0x2d, 0xe9, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xd7, 0x95, 0x48, 0x27, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1f, 0xb4, 0xd1, 0x4d, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf2, 0xba, 0x73, 0x7d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xbb, 0x89, 0x96, 0xee, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0x8f, 0xa5, 0xf6, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x71, 0x9c, 0xf1, 0xcb, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0d, 0x16, 0x23, 0x02, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x31, 0x02, 0xcc, 0x50, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x9b, 0xc0, 0x6d, 0xee, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0x9f, 0x1c, 0xfd, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe2, 0xdd, 0xb7, 0x0d, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x86, 0xac, 0x6c, 0x51, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0x04, 0x13, 0xec, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x57, 0xf1, 0xa1, 0x0e, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x11, 0x1f, 0x9c, 0xa7, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd8, 0xb8, 0x94, 0x86, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xba, 0x1c, 0x2c, 0x94, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb2, 0x26, 0x28, 0x8b, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0a, 0x68, 0xdc, 0xcd, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb9, 0xdf, 0x3f, 0xa5, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd0, 0x06, 0x08, 0x96, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x60, 0x17, 0x1e, 0x7f, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x65, 0xb9, 0x94, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x9a, 0x4b, 0x17, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd3, 0xca, 0xcd, 0x77, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x6b, 0xfd, 0x99, 0x8a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x80, 0x72, 0x3c, 0x8a, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x02, 0x7e, 0xaa, 0x21, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c, 0xd2, 0xfc, 0x1c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc3, 0xa4, 0x30, 0x3a, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x91, 0x1b, 0x97, 0xcc, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x51, 0xd9, 0x55, 0xae, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x53, 0xaf, 0x17, 0xd6, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0b, 0x42, 0x43, 0x1f, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x5f, 0xdc, 0x1b, 0x65, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x89, 0xc3, 0x53, 0x1c, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5d, 0x80, 0x32, 0xda, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xf9, 0x9d, 0xf0, 0x5f, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa6, 0xcd, 0xd4, 0x72, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdd, 0xc7, 0x00, 0x59, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x92, 0xe3, 0xf1, 0xbb, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7d, 0xd0, 0x09, 0x42, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x16, 0xea, 0xb8, 0x88, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x54, 0x18, 0x42, 0x22, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x62, 0xc8, 0x41, 0xd1, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xe2, 0xe0, 0xd0, 0xae, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe1, 0xaf, 0xe8, 0xd7, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x72, 0xe7, 0xa4, 0x37, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x10, 0x87, 0x89, 0xae, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x01, 0x24, 0x9a, 0x43, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x84, 0x69, 0x94, 0x46, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x57, 0x60, 0x19, 0xdd, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb6, 0x57, 0x87, 0x4b, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc1, 0x08, 0xce, 0x89, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x55, 0x5a, 0x5c, 0x72, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x98, 0x23, 0x45, 0x7f, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x01, 0x16, 0xca, 0xc1, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5f, 0x26, 0xf4, 0x53, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x9e, 0xe8, 0x4d, 0x7d, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd4, 0x65, 0x64, 0xe4, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x34, 0x4f, 0x28, 0xde, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe8, 0x2f, 0x21, 0x08, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xab, 0x73, 0xf4, 0xb7, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6b, 0x19, 0xcf, 0x33, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xa4, 0x0d, 0x37, 0x90, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2a, 0xf9, 0xa0, 0x7e, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x91, 0xcd, 0x58, 0x8b, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xb0, 0xf9, 0x87, 0xdb, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x74, 0x2c, 0xc5, 0x30, 0x00, 0xf0, 0x44, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x70, 0x29, 0x84, 0x2d, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x04, 0xa1, 0xef, 0xa0, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf3, 0xbb, 0xcb, 0x94, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0f, 0xcd, 0xd5, 0x0c, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x02, 0x2b, 0x05, 0x88, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xfe, 0xfb, 0x51, 0xd2, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x03, 0x46, 0x97, 0xe2, 0x00, 0xa0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x1f, 0x4c, 0xf5, 0x6d, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0xea, 0x4c, 0xa6, 0x00, 0x00, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdd, 0x31, 0x05, 0x34, 0x00, 0x90, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x00, 0x39, 0x8b, 0xeb, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xdb, 0x8f, 0x1e, 0xd0, 0x00, 0x40, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xce, 0x2e, 0x3b, 0x86, 0x00, 0xf0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x41, 0x91, 0x36, 0x3c, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa0, 0x08, 0x90, 0x27, 0x00, 0x40, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x50, 0x34, 0xf1, 0x21, 0x00, 0xf0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x23, 0xd4, 0x2a, 0x2f, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xee, 0x67, 0xe9, 0x5a, 0x00, 0x40, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x45, 0x47, 0x20, 0x39, 0x00, 0xf0, 0x24, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x60, 0xf0, 0x00, 0x04, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc3, 0xea, 0xa4, 0x38, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x1b, 0x86, 0x01, 0x0f, 0x00, 0x00, 0x25, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xf6, 0xb8, 0x91, 0x88, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x93, 0x60, 0x8e, 0x22, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbb, 0x5b, 0x2d, 0x4c, 0x00, 0x00, 0x25, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x85, 0xa3, 0x01, 0xbf, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x15, 0x90, 0x1e, 0xb4, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbd, 0x56, 0xfb, 0x3f, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5d, 0x28, 0x5d, 0xf3, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe0, 0xe9, 0xca, 0xb2, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x77, 0x8f, 0xdb, 0xad, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf9, 0x49, 0x1f, 0xa7, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xec, 0xa5, 0x08, 0x6a, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe8, 0x5b, 0xde, 0x44, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x85, 0x48, 0x05, 0xf3, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe5, 0x95, 0x57, 0x6a, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x12, 0x3c, 0x5c, 0x61, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7c, 0xd7, 0x26, 0x2e, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xba, 0xf6, 0xca, 0xb7, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc9, 0x7e, 0xfa, 0xfb, 0x00, 0x70, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9d, 0xd0, 0xd2, 0x00, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x50, 0x9c, 0xdc, 0x22, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0x98, 0xfd, 0xa1, 0x00, 0x60, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xa5, 0xec, 0xbc, 0x06, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x55, 0x4b, 0x2e, 0x51, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, 0x28, 0x4f, 0xdf, 0x00, 0x80, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x7b, 0x7d, 0x75, 0x33, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x28, 0x0c, 0xa9, 0xda, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xaf, 0x05, 0x86, 0xb2, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x3c, 0xb4, 0xd3, 0x90, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2d, 0xce, 0x96, 0x40, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xeb, 0xdc, 0xe4, 0xbb, 0x00, 0x80, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf6, 0x18, 0xa6, 0x09, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xaa, 0xbc, 0x2e, 0xec, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcb, 0xd7, 0xb9, 0xf9, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xad, 0x4a, 0xd5, 0xac, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x26, 0xef, 0xdb, 0x49, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x01, 0x09, 0x64, 0x5f, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xca, 0x5b, 0xc1, 0xe1, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x88, 0x9d, 0xf0, 0xf5, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x39, 0x38, 0x4d, 0x91, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x2e, 0x37, 0x76, 0xef, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc0, 0x58, 0x02, 0xbe, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x6f, 0x5e, 0xca, 0x74, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xca, 0x55, 0x88, 0x04, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x66, 0x2f, 0x42, 0x4d, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xe6, 0xfe, 0x04, 0x07, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x74, 0x1c, 0xee, 0x89, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x10, 0x36, 0xdd, 0x89, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0xff, 0x58, 0xab, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdb, 0x50, 0xce, 0x94, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x51, 0x62, 0xff, 0x02, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x43, 0xcc, 0x87, 0x6d, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9c, 0x4a, 0xc6, 0xc8, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x9e, 0xd1, 0xb2, 0xfc, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xf6, 0x3f, 0x51, 0x74, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x42, 0x80, 0xf6, 0xfc, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0d, 0x93, 0x40, 0xad, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x67, 0x1e, 0x04, 0x54, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe0, 0x80, 0x3f, 0x10, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd8, 0x06, 0x08, 0x85, 0x00, 0x00, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xff, 0x21, 0xd9, 0xc3, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x81, 0x6b, 0x51, 0x7d, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xcb, 0xe5, 0x9a, 0x02, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb7, 0x8e, 0xc6, 0xa1, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x39, 0xfe, 0x40, 0xf4, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x83, 0x7b, 0x5f, 0x2c, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x47, 0x3e, 0xcf, 0x67, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x94, 0xd0, 0x90, 0x18, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xdc, 0x06, 0x61, 0x43, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2f, 0xf9, 0xbd, 0x22, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x40, 0x7b, 0x19, 0x11, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x02, 0x1c, 0xd4, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb4, 0xee, 0xfa, 0xa8, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xae, 0xc3, 0xe9, 0x07, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xb4, 0x99, 0xae, 0xcb, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x69, 0x3e, 0x23, 0xde, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd6, 0x12, 0xbd, 0xff, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0f, 0x07, 0xa2, 0x42, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x04, 0x87, 0x2b, 0x1e, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0xd7, 0xbc, 0x72, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xc3, 0x45, 0x76, 0xf1, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x67, 0xbb, 0x98, 0x16, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 0x07, 0x26, 0xe0, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd7, 0x9a, 0xb6, 0x76, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8f, 0x8b, 0x38, 0x31, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x77, 0xeb, 0xc8, 0xc9, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1e, 0x34, 0xfe, 0x7a, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x9f, 0x26, 0x96, 0x63, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbb, 0x2f, 0x00, 0x72, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x82, 0x4c, 0xed, 0x02, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2c, 0xfa, 0x90, 0x2f, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x25, 0xd1, 0x90, 0x5d, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x44, 0xad, 0x58, 0x20, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd9, 0x84, 0x55, 0x0c, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x54, 0xf3, 0xec, 0xb1, 0x00, 0x90, 0x45, 0x01, 0x6a, 0x04, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x66, 0x92, 0x63, 0x5e, 0x00, 0x10, 0x45, 0x01, 0xb0, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4f, 0xee, 0x4f, 0xab, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x2d, 0xf4, 0x1c, 0x5c, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb0, 0x13, 0xdf, 0xf1, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x39, 0xb8, 0x1d, 0x43, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x75, 0xd0, 0x62, 0xe8, 0x00, 0x10, 0x45, 0x01, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, 0xf6, 0x62, 0x68, 0x00, 0x90, 0x45, 0x01, 0xde, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x11, 0x2d, 0x76, 0x75, 0x00, 0x90, 0x45, 0x01, 0xf6, 0x04, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x8e, 0xf4, 0xa1, 0xad, 0x00, 0x10, 0x45, 0x01, 0x3c, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x2b, 0xfa, 0xb1, 0xa1, 0x00, 0x90, 0x45, 0x01, 0xf6, 0x04, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x99, 0xcc, 0x42, 0x40, 0x00, 0x10, 0x45, 0x01, 0x3c, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x03, 0xa1, 0xcd, 0x59, 0x00, 0xc0, 0x8c, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x76, 0x52, 0xdc, 0x59, 0x00, 0xb0, 0x8c, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2a, 0x00, 0xf0, 0x59, 0x00, 0xb0, 0x8c, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfc, 0xb7, 0x29, 0x5a, 0x00, 0xb0, 0x8c, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x93, 0x16, 0x4a, 0x5a, 0x00, 0x00, 0x8a, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x79, 0x73, 0x7e, 0x5a, 0x00, 0xf0, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x21, 0x8f, 0x97, 0x5a, 0x00, 0xe0, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9a, 0x4f, 0xa7, 0x5a, 0x00, 0xe0, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3e, 0xad, 0xbd, 0x5a, 0x00, 0xd0, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x69, 0x10, 0x1a, 0x5b, 0x00, 0xa0, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd6, 0xe6, 0x35, 0x5b, 0x00, 0x90, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x34, 0x49, 0x48, 0x5b, 0x00, 0x90, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0f, 0x9e, 0x4e, 0x5b, 0x00, 0x90, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x34, 0x1b, 0x69, 0x5b, 0x00, 0x60, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xef, 0xbf, 0x6b, 0x5b, 0x00, 0x60, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd0, 0xcd, 0x84, 0x5b, 0x00, 0x60, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x21, 0x74, 0x9c, 0x5b, 0x00, 0x60, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x14, 0x0f, 0xa7, 0x5b, 0x00, 0x60, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x87, 0xad, 0xa9, 0x5b, 0x00, 0x60, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xde, 0x74, 0xbd, 0x5b, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x14, 0xdb, 0xd7, 0x5b, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd7, 0x70, 0xe2, 0x5b, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x0b, 0x06, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0x05, 0x2b, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2f, 0x52, 0x30, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x59, 0x55, 0x5a, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xef, 0x9b, 0x68, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbd, 0x65, 0x7f, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x65, 0xee, 0x89, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4d, 0xe5, 0xa2, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x07, 0x34, 0xa8, 0x5c, 0x00, 0x20, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x49, 0xd9, 0xcb, 0x5c, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd5, 0x0a, 0xe6, 0x5c, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xda, 0xd6, 0x01, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xce, 0x05, 0x24, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x03, 0x84, 0x4a, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4f, 0xac, 0x4b, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x76, 0x47, 0x6f, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7b, 0x22, 0x7b, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf0, 0x2b, 0x94, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xff, 0x2c, 0x94, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x27, 0xc5, 0xf1, 0x5d, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc0, 0x2d, 0x29, 0x5e, 0x00, 0x30, 0x89, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x12, 0xbe, 0x61, 0x5e, 0x00, 0xb0, 0x88, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xac, 0xcf, 0x7a, 0x5e, 0x00, 0xb0, 0x88, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1b, 0xa7, 0xe4, 0x5e, 0x00, 0xa0, 0x88, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x86, 0x6d, 0x05, 0x5f, 0x00, 0xb0, 0x88, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa5, 0x3f, 0x2b, 0x5f, 0x00, 0xc0, 0x88, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd3, 0x25, 0x4f, 0x5f, 0x00, 0xa0, 0x88, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x25, 0x26, 0x74, 0x5f, 0x00, 0xa0, 0x88, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x34, 0x8d, 0xcd, 0x5a, 0x00, 0x50, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4d, 0xf4, 0xe3, 0x5a, 0x00, 0x50, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa3, 0x59, 0x01, 0x5b, 0x00, 0x60, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfe, 0x56, 0x6e, 0x70, 0x00, 0x10, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x60, 0x45, 0x1a, 0x5b, 0x00, 0x10, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc1, 0x45, 0xcd, 0xb5, 0x00, 0x10, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x78, 0x45, 0x23, 0x5b, 0x00, 0x20, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x13, 0x14, 0x3f, 0x5b, 0x00, 0x20, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x84, 0x23, 0x48, 0x5b, 0x00, 0x20, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x70, 0x74, 0x49, 0x5b, 0x00, 0x20, 0x91, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x02, 0xc9, 0x63, 0x5b, 0x00, 0xd0, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x3a, 0x67, 0x60, 0xdc, 0x00, 0x10, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x88, 0xc3, 0x6b, 0x5b, 0x00, 0xd0, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x94, 0xb3, 0x88, 0x5b, 0x00, 0xf0, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x39, 0xc7, 0xf2, 0x5f, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x46, 0x6e, 0x9c, 0x5b, 0x00, 0xf0, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8a, 0x68, 0xa4, 0x5b, 0x00, 0xd0, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x27, 0x2f, 0xa3, 0x5b, 0x00, 0xe0, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x7a, 0x8c, 0xbb, 0xff, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb1, 0x25, 0xcc, 0x5b, 0x00, 0xe0, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0c, 0x8c, 0xda, 0x5b, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x42, 0xf4, 0xe4, 0x5b, 0x00, 0x80, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x79, 0x74, 0x0b, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x3d, 0xcd, 0x2f, 0xfd, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6f, 0x69, 0x2d, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x76, 0xf3, 0xb9, 0x03, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7c, 0x88, 0x35, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x26, 0x42, 0x5a, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x07, 0xbc, 0x67, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd4, 0x6d, 0x7f, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x57, 0xdf, 0x64, 0x1f, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7a, 0x10, 0x8a, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xbe, 0x75, 0xb6, 0x36, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9f, 0xe8, 0xa2, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xdc, 0x31, 0x5e, 0xfe, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0x54, 0xb9, 0x5c, 0x00, 0x90, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2f, 0x4a, 0xde, 0x5c, 0x00, 0x70, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcd, 0xe7, 0x01, 0x5d, 0x00, 0x70, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd1, 0x00, 0x24, 0x5d, 0x00, 0x70, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xf0, 0x3e, 0xdf, 0xf9, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd8, 0xb9, 0x53, 0x5d, 0x00, 0x70, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xbf, 0xc1, 0x2a, 0xe4, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0x42, 0x6f, 0x5d, 0x00, 0x50, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2a, 0x19, 0x7b, 0x5d, 0x00, 0x40, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x6c, 0x16, 0xf3, 0xc1, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x34, 0x28, 0x94, 0x5d, 0x00, 0x40, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe6, 0x25, 0x94, 0x5d, 0x00, 0x40, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x80, 0xc9, 0xc4, 0x5d, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xcc, 0xe4, 0x99, 0xb9, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc5, 0x4f, 0xdf, 0x5d, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x82, 0xfd, 0x13, 0x5e, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe3, 0x69, 0x3a, 0x5e, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x35, 0x5e, 0x4f, 0x5e, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x41, 0x0d, 0xd4, 0x47, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x13, 0x52, 0x5f, 0x5e, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc5, 0xae, 0x7c, 0x5e, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x90, 0xfe, 0x8b, 0x5e, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa4, 0x20, 0x23, 0x8a, 0x00, 0x20, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0x96, 0xe4, 0x5e, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x98, 0x4e, 0x2a, 0x5f, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x20, 0x24, 0x4f, 0x5f, 0x00, 0x20, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x14, 0x49, 0x75, 0x5f, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa2, 0x99, 0x97, 0x5f, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x46, 0x33, 0xc8, 0x5f, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8d, 0xc0, 0xf6, 0x5f, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x06, 0x46, 0x12, 0x60, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x29, 0x70, 0x3d, 0x60, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9e, 0xc4, 0x49, 0x60, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdb, 0x9f, 0x50, 0x60, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x80, 0xb5, 0x6e, 0x60, 0x00, 0x00, 0x8f, 0x00, 0x82, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfb, 0x38, 0x9b, 0xf8, 0x00, 0x00, 0x9a, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x93, 0xe5, 0x00, 0xee, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc8, 0x6d, 0xb3, 0x47, 0x00, 0x00, 0x9a, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x8a, 0xa0, 0xe0, 0x65, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7b, 0x59, 0xc7, 0x64, 0x00, 0x00, 0x9a, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaf, 0x38, 0xdf, 0x30, 0x00, 0x00, 0x9a, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x22, 0x88, 0xd4, 0x5a, 0x00, 0xf0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x89, 0xbf, 0xf2, 0xed, 0x00, 0xf0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfa, 0x69, 0xde, 0xe3, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x98, 0xfc, 0xe6, 0x0d, 0x00, 0xf0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9b, 0xf7, 0xd3, 0x52, 0x00, 0xf0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x54, 0xa8, 0x5b, 0xd4, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfe, 0xe1, 0x15, 0x22, 0x00, 0xa0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xac, 0x05, 0x41, 0xc1, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x30, 0x78, 0x05, 0xfe, 0x00, 0xa0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd2, 0x95, 0x0f, 0x89, 0x00, 0xa0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xbc, 0xe6, 0xd2, 0x7b, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd5, 0x4d, 0x13, 0x22, 0x00, 0xa0, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfa, 0xb6, 0xa9, 0x15, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xca, 0x48, 0xd2, 0x91, 0x00, 0x90, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x3e, 0xba, 0xcb, 0xaf, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb0, 0x9b, 0x16, 0xa6, 0x00, 0x90, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x54, 0x26, 0xcd, 0x20, 0x00, 0x90, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb4, 0x51, 0x82, 0x9b, 0x00, 0x90, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x39, 0xe3, 0xff, 0xbf, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9a, 0xe8, 0xfc, 0x04, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0f, 0xbe, 0x0a, 0xac, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9f, 0x5f, 0xa4, 0x83, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xf1, 0x9c, 0x44, 0xab, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaf, 0x95, 0x55, 0x7e, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xab, 0x12, 0xdc, 0x73, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x42, 0x49, 0x11, 0xc6, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xf1, 0x25, 0x2c, 0x76, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0a, 0x83, 0x21, 0x12, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x79, 0x53, 0xfe, 0xa7, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1c, 0x9b, 0xe6, 0xbd, 0x00, 0x70, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x77, 0xd7, 0x67, 0xbb, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3d, 0x33, 0xa6, 0xc2, 0x00, 0x80, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x47, 0x68, 0x54, 0xd8, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf4, 0x6e, 0x03, 0xb0, 0x00, 0x90, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x58, 0x5d, 0x5b, 0x0f, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x61, 0x71, 0x86, 0x0c, 0x00, 0x70, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbd, 0xf3, 0xf5, 0x35, 0x00, 0x60, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb3, 0x95, 0x6d, 0x4c, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x13, 0xdc, 0x51, 0x8e, 0x00, 0x60, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x97, 0xe5, 0x45, 0x3b, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5c, 0x73, 0xdf, 0xdb, 0x00, 0x60, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaa, 0xcd, 0xa1, 0xde, 0x00, 0x60, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd8, 0x29, 0x59, 0x00, 0x00, 0x60, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x92, 0x02, 0xa8, 0x39, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0xf5, 0x66, 0x68, 0x00, 0x60, 0xa1, 0x00, 0xc8, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x44, 0x9a, 0xc1, 0x59, 0x00, 0x70, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb6, 0x4d, 0x69, 0x9f, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0x22, 0x1f, 0x4d, 0x00, 0x70, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x22, 0xed, 0x7a, 0x0a, 0x00, 0x70, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa3, 0x79, 0xb4, 0xa0, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7d, 0x02, 0x1d, 0x6d, 0x00, 0x70, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1c, 0x5a, 0x8b, 0x35, 0x00, 0x70, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xca, 0x86, 0x3a, 0xd1, 0x00, 0x70, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb2, 0x8a, 0xd3, 0x9c, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb0, 0x3e, 0xf6, 0x3f, 0x00, 0x70, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x77, 0x03, 0x97, 0x1f, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe6, 0x0b, 0x0c, 0x14, 0x00, 0x60, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x95, 0x3b, 0xc0, 0xa0, 0x00, 0x60, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x71, 0xcb, 0x11, 0x47, 0x00, 0x60, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa9, 0x56, 0xbc, 0xac, 0x00, 0x60, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x04, 0x6e, 0xb2, 0x83, 0x00, 0x60, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x93, 0x32, 0x00, 0x35, 0x00, 0x50, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x32, 0x45, 0x4a, 0x7b, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4b, 0x2a, 0x3a, 0x0a, 0x00, 0x50, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xed, 0xe7, 0x63, 0x4a, 0x00, 0x50, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x23, 0x0b, 0xe1, 0xba, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x84, 0xa6, 0xfe, 0x5f, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa1, 0xf0, 0xec, 0xca, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7d, 0xd6, 0x22, 0x37, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf8, 0x20, 0x41, 0x9a, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4d, 0x35, 0xc8, 0x66, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x32, 0xfb, 0x8f, 0x9e, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7a, 0x0c, 0xb8, 0x2a, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfe, 0xe0, 0x47, 0xae, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2a, 0x53, 0x55, 0x58, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xba, 0x96, 0xde, 0xaf, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xae, 0x14, 0xcc, 0x82, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x24, 0x66, 0x72, 0xb7, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaf, 0x44, 0x5a, 0xf8, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xae, 0xcc, 0x27, 0xcc, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc0, 0x1c, 0xb2, 0x96, 0x00, 0x40, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x75, 0x9e, 0x18, 0xef, 0x00, 0x50, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0x9a, 0xd1, 0x31, 0x00, 0x50, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x00, 0x7d, 0x7a, 0x34, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcf, 0x55, 0x65, 0xd8, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x90, 0xf9, 0x1d, 0x2c, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xee, 0xef, 0x80, 0x24, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x37, 0xbf, 0x91, 0xce, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa1, 0x44, 0x83, 0x53, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9b, 0x46, 0xaf, 0x01, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfa, 0x17, 0xeb, 0x6b, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0xec, 0xf6, 0x0b, 0x00, 0x20, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x34, 0xd1, 0xd6, 0xa7, 0x00, 0x10, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbc, 0x97, 0xbe, 0x3e, 0x00, 0x10, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd9, 0x31, 0x9d, 0x5b, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbf, 0xda, 0x3e, 0x7b, 0x00, 0x10, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x12, 0x32, 0xe6, 0xd2, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x50, 0x46, 0x6d, 0xb8, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x68, 0x3f, 0x8e, 0xa9, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa9, 0x18, 0x85, 0x5e, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1b, 0xf0, 0x94, 0x16, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x32, 0xbc, 0x05, 0x3d, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1d, 0x74, 0xd9, 0x68, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9e, 0x39, 0x76, 0x3c, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x16, 0xc9, 0x1e, 0x6f, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3e, 0xa8, 0x19, 0x50, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe4, 0x5b, 0x7a, 0xed, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0xfa, 0xa6, 0x42, 0x00, 0xf0, 0xa0, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1c, 0xfc, 0xec, 0x8f, 0x00, 0x00, 0xa1, 0x00, 0x0e, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3c, 0xb1, 0x85, 0x58, 0x00, 0xf0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0xe1, 0x28, 0xc3, 0x00, 0xf0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x14, 0x2c, 0xa4, 0x2a, 0x00, 0xf0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfd, 0xf5, 0x23, 0x22, 0x00, 0xe0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x98, 0x27, 0xa4, 0x77, 0x00, 0xe0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0xda, 0xeb, 0xb6, 0x00, 0xe0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2d, 0x6a, 0xca, 0x6a, 0x00, 0xf0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x6b, 0x71, 0x3d, 0xc0, 0x00, 0x00, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4e, 0x36, 0x83, 0xb7, 0x00, 0xf0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x92, 0xb3, 0x09, 0x83, 0x00, 0xd0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x41, 0x48, 0x30, 0x00, 0xe0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66, 0xf2, 0xb2, 0x08, 0x00, 0xe0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaf, 0x06, 0x12, 0x3b, 0x00, 0xd0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x54, 0x8c, 0x99, 0xff, 0x00, 0xd0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x33, 0x92, 0xd8, 0xa7, 0x00, 0xd0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x21, 0xd0, 0xdd, 0xd2, 0x00, 0xd0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8b, 0x82, 0xac, 0x36, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc9, 0x77, 0x10, 0x4c, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0x30, 0x0a, 0x4b, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5c, 0x4a, 0x52, 0x1f, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x74, 0x83, 0x37, 0x8e, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x70, 0x12, 0x32, 0x12, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd2, 0xc5, 0xdd, 0x2a, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x24, 0xf9, 0x25, 0xc6, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf7, 0x4f, 0x97, 0xad, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf2, 0x52, 0xd0, 0x43, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfc, 0xec, 0xb6, 0x0a, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0d, 0xca, 0xc6, 0x74, 0x00, 0xb0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3f, 0x90, 0x38, 0x05, 0x00, 0xc0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8e, 0xee, 0x7c, 0x84, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x87, 0xb7, 0x1c, 0xdd, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x38, 0x69, 0xab, 0x3f, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd0, 0xf5, 0x56, 0xb0, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0x44, 0xf7, 0x7e, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb1, 0x24, 0xfc, 0x07, 0x00, 0x90, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x29, 0xa2, 0xdc, 0x3c, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4a, 0x6b, 0x56, 0xc5, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0a, 0xca, 0xce, 0xad, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc2, 0xde, 0x0a, 0xec, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x86, 0x82, 0xc3, 0xeb, 0x00, 0xa0, 0xa0, 0x00, 0x54, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x4b, 0x89, 0xbc, 0x7c, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc7, 0x14, 0xc3, 0xcb, 0x00, 0xa0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdd, 0x1e, 0x53, 0x94, 0x00, 0xa0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x57, 0xa8, 0x77, 0xae, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x70, 0x6a, 0xdc, 0x71, 0x00, 0xa0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd7, 0x51, 0x8f, 0x61, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x71, 0x55, 0x11, 0x7e, 0x00, 0xa0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x22, 0x10, 0x9d, 0xbd, 0x00, 0xd0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x51, 0x6d, 0x8e, 0x91, 0x00, 0xd0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x09, 0xf9, 0xc4, 0xd0, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3d, 0xb3, 0xd5, 0x17, 0x00, 0xd0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa3, 0x93, 0xf7, 0x54, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcf, 0x79, 0x19, 0x5b, 0x00, 0xd0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x67, 0xe2, 0x3e, 0xa7, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8c, 0xef, 0x83, 0xc1, 0x00, 0xd0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0x11, 0xd5, 0x15, 0x00, 0xe0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xdb, 0xa4, 0x06, 0x3f, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x01, 0x5a, 0xb1, 0x87, 0x00, 0xe0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0x05, 0xd7, 0xa8, 0x00, 0xf0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x27, 0xfa, 0xce, 0xb3, 0x00, 0xf0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x27, 0x10, 0x42, 0x01, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x99, 0x47, 0x3f, 0x47, 0x00, 0xf0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa2, 0xa7, 0x21, 0xd9, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x12, 0x86, 0xac, 0x0d, 0x00, 0xf0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc5, 0xbe, 0xb3, 0xb1, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9d, 0xc0, 0x91, 0x0a, 0x00, 0xf0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfb, 0xf5, 0xd2, 0x1b, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x74, 0x25, 0x34, 0x05, 0x00, 0xf0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x49, 0x42, 0x3a, 0xf0, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xed, 0x32, 0xff, 0xb6, 0x00, 0xf0, 0x99, 0x00, 0x9a, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0xd3, 0xcd, 0x0c, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x92, 0x6e, 0x9d, 0x71, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6f, 0x21, 0x13, 0x5a, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8e, 0x6f, 0x07, 0xe5, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xad, 0xc8, 0x3d, 0x46, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe2, 0x05, 0x17, 0xea, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe7, 0xe1, 0x21, 0x40, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc9, 0x8a, 0x2e, 0x18, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd2, 0x72, 0x03, 0xb8, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc9, 0x64, 0xd3, 0x64, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xaf, 0xad, 0x96, 0xc1, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdf, 0xac, 0x8a, 0x5f, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x13, 0x6b, 0x7e, 0x24, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xac, 0x8c, 0x50, 0x1f, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1e, 0x8b, 0x1d, 0xf5, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x8d, 0xe8, 0x02, 0xf7, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x06, 0x3e, 0xab, 0xfb, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x6f, 0xd5, 0xdf, 0xc0, 0x00, 0x30, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x80, 0x95, 0x2f, 0x9f, 0x00, 0x00, 0x9a, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbf, 0x8e, 0x73, 0xad, 0x00, 0xe0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa8, 0x50, 0x2d, 0xf1, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xed, 0x0a, 0xbe, 0x1b, 0x00, 0xe0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x94, 0x94, 0x15, 0x18, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x64, 0x99, 0x12, 0xe2, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x1c, 0xad, 0xce, 0x07, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd3, 0x71, 0x38, 0xb9, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x39, 0x22, 0x86, 0x86, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8c, 0x90, 0xb1, 0x44, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x38, 0x6f, 0xdd, 0x4a, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x00, 0xc8, 0x5c, 0x4b, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaa, 0xcb, 0x3a, 0x52, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3b, 0x53, 0x53, 0x5f, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8a, 0x80, 0x7a, 0x19, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x43, 0xd9, 0x24, 0xee, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6e, 0xec, 0x4e, 0xcd, 0x00, 0xe0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1b, 0x32, 0xbd, 0x68, 0x00, 0xe0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x59, 0x6d, 0x73, 0x4a, 0x00, 0xe0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc5, 0x87, 0x6b, 0x8c, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9b, 0x41, 0x26, 0x71, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9c, 0xfa, 0x9a, 0xae, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x42, 0xbf, 0xd7, 0xe4, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb2, 0x74, 0xfb, 0xc7, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8b, 0xd7, 0xe9, 0x57, 0x00, 0xe0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xec, 0x74, 0x79, 0x2e, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb1, 0x35, 0x79, 0x05, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x94, 0xed, 0x4f, 0xe6, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x36, 0x58, 0x09, 0xfa, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x63, 0x3e, 0x0a, 0x33, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0x91, 0x31, 0xd6, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x56, 0xa6, 0x39, 0x65, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x73, 0xc2, 0x06, 0xff, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xab, 0x8e, 0xb0, 0x56, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3e, 0x43, 0xaa, 0x92, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x43, 0x75, 0x7f, 0x2e, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x01, 0x41, 0x33, 0xe6, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd8, 0x01, 0x02, 0x5f, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x45, 0x69, 0xc7, 0xe1, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb4, 0x7d, 0xf2, 0xf7, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe7, 0xed, 0x77, 0x33, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x49, 0x3b, 0x0d, 0xba, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x57, 0x3d, 0xd3, 0x70, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4e, 0x9a, 0xde, 0xe4, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x79, 0xd4, 0xb7, 0x1a, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x29, 0x57, 0x8a, 0x17, 0x00, 0xf0, 0x99, 0x00, 0xe0, 0x06, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd2, 0x4a, 0xc7, 0x8b, 0x00, 0xf0, 0x99, 0x00, 0x26, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0xfd, 0xb3, 0x3b, 0x00, 0xf0, 0x99, 0x00, 0x26, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4a, 0x4e, 0xcb, 0x12, 0x00, 0xe0, 0x99, 0x00, 0x26, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x34, 0x33, 0x27, 0xdc, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x37, 0xd1, 0x84, 0x0a, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x33, 0xf1, 0x44, 0x1e, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0xb3, 0xe9, 0x93, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x29, 0x53, 0xaf, 0x77, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8a, 0x50, 0xcb, 0x4c, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0x78, 0x00, 0xe8, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x7d, 0x1a, 0xcb, 0x02, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe3, 0xd1, 0xbd, 0x45, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1c, 0x77, 0x22, 0xfc, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xdd, 0xa0, 0x7c, 0xaf, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa5, 0xfb, 0xc7, 0x61, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1d, 0x61, 0x92, 0x5d, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe9, 0x14, 0x9d, 0x15, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x97, 0xdb, 0x73, 0xf4, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x54, 0x81, 0xb4, 0x02, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa8, 0x12, 0x12, 0x95, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x81, 0xb4, 0x2a, 0x3f, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x73, 0xe8, 0x8e, 0xcc, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x0b, 0xc6, 0x7f, 0xcf, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1a, 0xaa, 0xb5, 0xbc, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2a, 0xd3, 0x38, 0xe1, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x09, 0x77, 0x91, 0x5b, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5e, 0x5f, 0x51, 0xf8, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6b, 0xb5, 0xd2, 0x9f, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xab, 0xeb, 0x77, 0x64, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x00, 0x79, 0x36, 0xf3, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa9, 0x3b, 0x51, 0x5e, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xde, 0x0a, 0x89, 0x50, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0e, 0x17, 0x6b, 0x8f, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x89, 0x9b, 0x7d, 0x6d, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8e, 0x66, 0xcf, 0xe2, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x93, 0x46, 0xd3, 0x8c, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcb, 0x3e, 0x3e, 0x70, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe5, 0x31, 0x36, 0xd5, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x26, 0xad, 0xaa, 0x55, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x69, 0x8e, 0x32, 0xd3, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0xa6, 0xd4, 0x30, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x0a, 0xef, 0x3a, 0xbe, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa8, 0xe8, 0x41, 0xf6, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1f, 0xb2, 0xb2, 0x94, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0b, 0x5c, 0x6c, 0xd4, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x77, 0x8e, 0x26, 0x97, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfe, 0x75, 0x84, 0x9c, 0x00, 0x10, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5b, 0x61, 0x49, 0xb4, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9a, 0x19, 0x3d, 0x6a, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd1, 0xfe, 0x99, 0x92, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfb, 0xdf, 0xbf, 0x72, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9d, 0xcf, 0xde, 0xa2, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3c, 0x0b, 0xea, 0xc7, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd4, 0xaa, 0x10, 0x14, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd2, 0xe7, 0xed, 0xcf, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd2, 0xa7, 0x99, 0xd6, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x04, 0x03, 0x19, 0x0f, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9e, 0xb7, 0xd7, 0x1d, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc9, 0xa2, 0xc4, 0x5b, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa9, 0x3e, 0xf1, 0xb6, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0x5b, 0x38, 0x41, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf0, 0x8d, 0xfe, 0x32, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x1e, 0x1c, 0x81, 0x03, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x42, 0x16, 0xe9, 0x0f, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x12, 0xfd, 0x89, 0x76, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x44, 0xfe, 0xa0, 0x2b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6e, 0xb1, 0xfe, 0xb7, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf2, 0xf3, 0x1e, 0x8b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6a, 0xfd, 0x68, 0xd6, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcd, 0x76, 0xb8, 0x59, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa1, 0xe2, 0x8e, 0xd2, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcf, 0x85, 0xa2, 0xe9, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x78, 0x76, 0xff, 0x84, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3b, 0xd2, 0x0a, 0x88, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfb, 0x7b, 0x06, 0xde, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb6, 0x60, 0x44, 0x72, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd3, 0xf3, 0xe0, 0xda, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x76, 0x30, 0xf5, 0xbd, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x1a, 0x33, 0x6a, 0x6f, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x46, 0xdb, 0x79, 0x67, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd6, 0x65, 0x7e, 0x12, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x99, 0x04, 0xea, 0x24, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc2, 0x50, 0x2f, 0x6f, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf4, 0x9c, 0x44, 0x6e, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x98, 0x90, 0x6c, 0x8b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xed, 0xc8, 0x2d, 0xb1, 0x00, 0x40, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc3, 0x0a, 0x48, 0xe9, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x43, 0x23, 0x2d, 0x38, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5d, 0x99, 0x43, 0xfd, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x7f, 0xef, 0xf3, 0x40, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x34, 0x28, 0xb0, 0x6b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xae, 0xd2, 0xcf, 0x3c, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x78, 0x14, 0x82, 0xad, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb6, 0x47, 0x72, 0xd6, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcb, 0xe1, 0xfc, 0x5b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x63, 0x45, 0xfd, 0x6b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2c, 0x1a, 0x60, 0x0e, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x94, 0x9e, 0x27, 0x8b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xeb, 0xa1, 0xb3, 0xa6, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x46, 0x19, 0x96, 0xaf, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc3, 0x06, 0x84, 0xeb, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0d, 0x59, 0x4f, 0xd2, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5b, 0x9b, 0xe8, 0x22, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x22, 0xe8, 0x73, 0x97, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3e, 0xc8, 0x7c, 0xad, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x72, 0x89, 0x62, 0x05, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x4b, 0xa7, 0x2d, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd0, 0x33, 0xc6, 0x32, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x90, 0xdc, 0x14, 0x36, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x75, 0x65, 0xef, 0x38, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xde, 0xa1, 0x01, 0x7f, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xab, 0x12, 0x1c, 0x72, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x50, 0xc0, 0x46, 0x4e, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xcb, 0x5d, 0xa0, 0xed, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x28, 0xae, 0x33, 0xf4, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa0, 0x3f, 0xa4, 0x32, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xff, 0xa2, 0x74, 0xd7, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x82, 0xbc, 0x84, 0xda, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x22, 0x1c, 0xdd, 0xb5, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x3d, 0x94, 0xe6, 0x54, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9b, 0xd5, 0x0a, 0xe4, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfe, 0xdd, 0x0e, 0x20, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0x5d, 0x0e, 0x36, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x2e, 0xd4, 0xb6, 0x0c, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x98, 0xef, 0xa6, 0x32, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd9, 0x85, 0x5c, 0x17, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe3, 0xd3, 0x04, 0xbb, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa5, 0x59, 0x8e, 0x3a, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc0, 0xc7, 0x9f, 0xf5, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x5a, 0x3b, 0xea, 0x97, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x39, 0xb6, 0x59, 0x56, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x18, 0xf8, 0x0d, 0xb5, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf0, 0x2e, 0x10, 0xc0, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe8, 0xc8, 0xd0, 0xaf, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xae, 0x7d, 0x96, 0x42, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x97, 0xa4, 0x52, 0x2d, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf2, 0x26, 0x20, 0x42, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe8, 0xf1, 0x9a, 0x3f, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x63, 0xc0, 0xdc, 0x43, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xbf, 0x6c, 0x31, 0xb6, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xda, 0xf7, 0x89, 0x01, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x4a, 0xcc, 0x19, 0x21, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8b, 0x1e, 0x60, 0x3b, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xca, 0xf9, 0x1c, 0x1d, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9e, 0x2d, 0xbd, 0x77, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5b, 0xe4, 0xa3, 0x76, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x69, 0xe0, 0x9d, 0xe3, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x48, 0xee, 0x53, 0x1d, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x79, 0xd9, 0x6a, 0x82, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1c, 0x33, 0xe3, 0xf6, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe9, 0x45, 0x50, 0xfe, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1d, 0x8e, 0x90, 0xe5, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfb, 0x34, 0xc0, 0x23, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9a, 0xb3, 0xe3, 0xb8, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x5f, 0x4f, 0xc0, 0x28, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0xfb, 0xc9, 0x31, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x45, 0xab, 0x14, 0x28, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x30, 0x5e, 0x5d, 0xa3, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xdf, 0x8c, 0xc0, 0x56, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb8, 0x56, 0xb0, 0x24, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xf1, 0x5e, 0x3e, 0x58, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0xc1, 0x87, 0x82, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x43, 0x97, 0xf0, 0xd5, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x8a, 0xda, 0x2f, 0xe1, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x86, 0x25, 0x97, 0x63, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa4, 0x02, 0xf8, 0x59, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x95, 0xd4, 0xc2, 0x21, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa7, 0x52, 0xcc, 0xe4, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x91, 0xce, 0x5a, 0xd3, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x57, 0x2b, 0x80, 0x5c, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf8, 0x60, 0xfe, 0x5a, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x32, 0x4c, 0xf3, 0xc8, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe0, 0x53, 0x42, 0xb5, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb1, 0xe0, 0xf2, 0x5b, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb4, 0x94, 0xc3, 0x85, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa4, 0x57, 0x5f, 0x0e, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x16, 0x7b, 0xdd, 0x10, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb5, 0x3e, 0x1f, 0xed, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x82, 0x0a, 0xd9, 0xcf, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x37, 0x2f, 0x29, 0xcb, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa2, 0xd9, 0x54, 0x00, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x37, 0x24, 0x41, 0x02, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0x3f, 0x67, 0x64, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x82, 0xec, 0xea, 0xcd, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa1, 0x35, 0x59, 0xb9, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x96, 0x98, 0xaa, 0x99, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x85, 0xa8, 0x9e, 0x3d, 0x00, 0x50, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbd, 0x73, 0xb5, 0x65, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4d, 0xbd, 0x73, 0x15, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xea, 0x70, 0x1a, 0x6e, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9b, 0xec, 0x73, 0x3e, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd4, 0x4c, 0x7b, 0x51, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x69, 0x3c, 0x6a, 0xc3, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x47, 0x16, 0xd6, 0x37, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbe, 0xb7, 0x11, 0xde, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x43, 0x38, 0x59, 0xd3, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x30, 0xf9, 0x7c, 0x45, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x47, 0xae, 0xa6, 0x82, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfe, 0x0d, 0xda, 0xd0, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf9, 0xb3, 0x39, 0x4c, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x55, 0x12, 0x31, 0xea, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0x7a, 0x25, 0x3a, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xab, 0x62, 0x97, 0xfb, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb2, 0xe4, 0x2f, 0x34, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe7, 0xf6, 0x8e, 0x62, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4b, 0xe4, 0x67, 0x4a, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x49, 0x8e, 0xc6, 0xcc, 0x00, 0xd0, 0x43, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x49, 0xf9, 0xbf, 0x8c, 0x00, 0xe0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x41, 0x15, 0x6d, 0x20, 0x00, 0xe0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x56, 0x07, 0x4b, 0x6b, 0x00, 0xd0, 0x43, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66, 0x86, 0x89, 0x40, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0x46, 0xf9, 0x33, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x79, 0x45, 0xab, 0x49, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x22, 0xfc, 0xf6, 0x3f, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x99, 0x92, 0x74, 0x67, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe0, 0x14, 0xe2, 0xef, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb1, 0x59, 0x3f, 0x8c, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xff, 0xce, 0x68, 0x0e, 0x00, 0xe0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x26, 0x10, 0xd6, 0x01, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc6, 0x1c, 0xf7, 0x80, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x55, 0x7f, 0x24, 0x4a, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xab, 0x44, 0x39, 0x3d, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x41, 0x9d, 0x6d, 0x29, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0x85, 0x9d, 0x12, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x29, 0xdc, 0xe2, 0xe6, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xba, 0xd0, 0x37, 0x7a, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x81, 0x8a, 0x82, 0x1b, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcc, 0xa6, 0xeb, 0xb3, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x75, 0x77, 0xdd, 0x4f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa2, 0xb6, 0x19, 0xfa, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x56, 0x0b, 0x75, 0xb5, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb9, 0xa4, 0xc2, 0x66, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xce, 0x5e, 0xc9, 0x0b, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6d, 0xed, 0x44, 0x42, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x97, 0x38, 0x68, 0x80, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3d, 0x56, 0xed, 0xbc, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd0, 0xbe, 0x23, 0x76, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa7, 0x2d, 0x0b, 0x3b, 0x00, 0xe0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3f, 0x90, 0x8c, 0xd2, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb8, 0xa7, 0x16, 0x78, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x50, 0x67, 0xc7, 0x1a, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf5, 0x01, 0x9c, 0xed, 0x00, 0xe0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5e, 0x16, 0x1e, 0x2d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfd, 0x89, 0x7e, 0xd8, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x38, 0xcd, 0xb6, 0x42, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x32, 0x71, 0x05, 0xb3, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x11, 0x6e, 0x90, 0xd7, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x76, 0x55, 0xfa, 0x8d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3a, 0xa3, 0xe8, 0xde, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x98, 0xdc, 0x0c, 0xb8, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x28, 0xfe, 0x00, 0xd9, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x88, 0xa3, 0x96, 0xe7, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe9, 0x6a, 0xca, 0x07, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2f, 0x32, 0xd7, 0x47, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x55, 0x18, 0xce, 0x8d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8d, 0x07, 0x82, 0xb6, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc7, 0xed, 0x4e, 0x82, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x82, 0xd8, 0xe6, 0x70, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc6, 0xc5, 0x14, 0xc0, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd8, 0x5b, 0x52, 0x3b, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8b, 0x7b, 0x3b, 0x90, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x45, 0x67, 0x83, 0xa4, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x31, 0x1e, 0x13, 0xf3, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x75, 0x16, 0x30, 0xfc, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb6, 0x87, 0xa6, 0xf8, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0xa1, 0x42, 0x10, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x20, 0x6b, 0x28, 0x84, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xca, 0x0b, 0xde, 0xdd, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x29, 0x2f, 0x2e, 0xba, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa6, 0xcc, 0xaa, 0x89, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x03, 0xcc, 0x4b, 0x18, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xec, 0x1f, 0x08, 0x86, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbb, 0x15, 0xbe, 0x30, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x04, 0x45, 0x8a, 0xd6, 0x00, 0x20, 0x11, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6f, 0x3e, 0x08, 0x2f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66, 0x75, 0xac, 0xb5, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x33, 0xc9, 0xb9, 0x88, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf9, 0x46, 0x9a, 0x6f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf7, 0x07, 0x18, 0x7c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd7, 0x15, 0xf4, 0x76, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfe, 0xa6, 0x21, 0x23, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd8, 0x3e, 0x06, 0x7c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7b, 0xd1, 0x33, 0x06, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0xa8, 0xef, 0xb9, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x25, 0x44, 0x15, 0x04, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x48, 0x56, 0x87, 0x35, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcd, 0x49, 0x10, 0xcd, 0x00, 0xd0, 0x03, 0x01, 0x6c, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x79, 0x4c, 0x0f, 0xad, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x03, 0x95, 0x95, 0x86, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x16, 0x9a, 0xab, 0x9c, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x3d, 0x81, 0x1b, 0x1a, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb1, 0x22, 0x86, 0x46, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xda, 0xf7, 0xac, 0x6a, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x01, 0x7e, 0x79, 0x48, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc6, 0x03, 0x71, 0x73, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x24, 0xe8, 0x7f, 0x3b, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf1, 0x27, 0xe5, 0x35, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3c, 0x6a, 0x41, 0x3d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbc, 0x51, 0x56, 0xb2, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8b, 0xd4, 0xe3, 0x8f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x7d, 0x27, 0xe2, 0x0e, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4b, 0xfd, 0xbd, 0xeb, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x70, 0x06, 0xc8, 0x7c, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xde, 0x4b, 0x71, 0x71, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x61, 0x7e, 0xc4, 0x64, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x38, 0x82, 0xcc, 0x14, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x67, 0xe5, 0xed, 0xad, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2c, 0x7f, 0x30, 0x0a, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x49, 0x4c, 0xfa, 0x67, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0b, 0x9a, 0x03, 0xb4, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0x48, 0x44, 0x43, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1c, 0x19, 0xc5, 0x4e, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x99, 0x96, 0x32, 0x00, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3e, 0x46, 0xf5, 0x03, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x89, 0xbf, 0xce, 0x85, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe6, 0xe7, 0x01, 0x47, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe2, 0xae, 0x71, 0xc2, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x74, 0xb6, 0xc7, 0x2c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc0, 0xf2, 0x42, 0x70, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3d, 0x01, 0xf7, 0x74, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x55, 0xac, 0xcb, 0x5e, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x80, 0xd8, 0xf7, 0x69, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe3, 0xd2, 0x60, 0x10, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9e, 0x72, 0x4c, 0xb6, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9a, 0xa5, 0xff, 0x72, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbb, 0x59, 0x8a, 0xab, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x65, 0x0f, 0x35, 0x9a, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd7, 0x67, 0x70, 0x1b, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x96, 0xb2, 0xbe, 0x1f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x98, 0xad, 0x44, 0xbe, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1b, 0x99, 0xe3, 0x20, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x47, 0xa3, 0x97, 0x7c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x13, 0xa3, 0x8c, 0x2d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x94, 0xeb, 0xca, 0x96, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb5, 0xe6, 0x33, 0xd1, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2f, 0x69, 0x9e, 0xfc, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd5, 0xd7, 0xde, 0xaf, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x87, 0x8c, 0xa3, 0x65, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0a, 0x4e, 0x8f, 0x5d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5f, 0xd3, 0x0e, 0x44, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb4, 0x36, 0x22, 0x1c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0xe5, 0xce, 0x24, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x5d, 0x9d, 0xff, 0xf1, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x30, 0x09, 0x48, 0x7c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x10, 0x4a, 0xc5, 0x20, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x45, 0xff, 0xc0, 0x07, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x91, 0xe7, 0x4d, 0x5a, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe2, 0x9e, 0xed, 0x16, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xca, 0x85, 0xb2, 0xd1, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe4, 0x4f, 0xb7, 0x97, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbd, 0xf3, 0x3a, 0x00, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6b, 0x93, 0xf4, 0xd2, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0xa3, 0xd8, 0x0d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x59, 0x91, 0x7b, 0xf9, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x50, 0x6b, 0x76, 0x91, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x09, 0x03, 0x85, 0xe0, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x82, 0x98, 0x15, 0x41, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xdf, 0x44, 0x3b, 0x70, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2d, 0x9c, 0x5d, 0xe2, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x0b, 0x4e, 0x46, 0x13, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa5, 0x08, 0x73, 0x02, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x03, 0x82, 0xb0, 0xdb, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6c, 0xfd, 0x77, 0xfd, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc0, 0x19, 0x5d, 0x83, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc8, 0x79, 0xc1, 0x89, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x7a, 0xeb, 0xe7, 0xd0, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc5, 0xc2, 0x5b, 0x1c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf9, 0x81, 0xad, 0x14, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5d, 0xeb, 0x61, 0xf9, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbe, 0x8f, 0xf1, 0x5c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x95, 0xfc, 0x64, 0x6e, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdb, 0x51, 0x15, 0x17, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdc, 0x86, 0x2e, 0x21, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x94, 0x5d, 0x26, 0xb6, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x73, 0xbc, 0x49, 0x48, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbf, 0x9e, 0x88, 0xae, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x1e, 0xd9, 0xe4, 0x86, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x39, 0xcb, 0x41, 0xdd, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8c, 0x84, 0xd8, 0xb8, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa9, 0xf8, 0x08, 0x5d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa3, 0x21, 0xfb, 0x54, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0x86, 0x13, 0xb7, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x41, 0x04, 0x6d, 0x4d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x89, 0x08, 0x50, 0xaa, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x56, 0x11, 0x91, 0xd8, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfb, 0x23, 0xbd, 0x79, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x82, 0x93, 0xe3, 0x27, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x69, 0x8f, 0x9d, 0x6c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x29, 0x46, 0x4c, 0x17, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb4, 0x46, 0x4b, 0x2f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaa, 0xa5, 0x0d, 0x0f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe8, 0xdd, 0xf4, 0xad, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x08, 0x04, 0x80, 0x24, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3a, 0x51, 0x2c, 0xa0, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x83, 0x60, 0x68, 0xcd, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9a, 0xce, 0x5a, 0x6f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe9, 0xb6, 0x83, 0xa6, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x54, 0xe9, 0xa9, 0xc9, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3e, 0xf8, 0x40, 0xf6, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0xd0, 0xa7, 0x82, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcb, 0x2b, 0x4b, 0x46, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xea, 0x2f, 0xea, 0x53, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x03, 0xc0, 0x9f, 0x43, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 0xfb, 0xcb, 0xf9, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2c, 0x09, 0xe8, 0x23, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x23, 0x2d, 0x80, 0x38, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66, 0x81, 0xf2, 0xdf, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa8, 0x88, 0x6e, 0xf4, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf9, 0x72, 0x12, 0xb2, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xf4, 0x55, 0xdf, 0x9a, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xee, 0x16, 0xba, 0xda, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x12, 0xba, 0x7a, 0xa5, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x36, 0xe7, 0x52, 0x06, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x1c, 0x70, 0x28, 0xb8, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf1, 0x9b, 0x28, 0xbc, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x98, 0x7b, 0x46, 0xbd, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x52, 0x54, 0xa2, 0xc5, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9a, 0x8b, 0x2f, 0x4f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x75, 0x8c, 0x2a, 0x81, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbc, 0xda, 0xde, 0x6b, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x10, 0xf8, 0x79, 0x42, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc9, 0xcf, 0x0e, 0x77, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x35, 0x54, 0x29, 0x70, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x61, 0x75, 0x50, 0x9a, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xea, 0xaa, 0x63, 0x40, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x89, 0xf8, 0x2e, 0xd6, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9b, 0x89, 0xa2, 0x18, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x87, 0xb4, 0x9d, 0x7d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf1, 0xce, 0x0b, 0xd6, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa4, 0x61, 0x57, 0x0c, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x85, 0x35, 0x80, 0xd4, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x5c, 0x45, 0x61, 0x0e, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaa, 0xf5, 0x58, 0x01, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x79, 0xfe, 0x2a, 0x25, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x55, 0x33, 0x93, 0xd0, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd8, 0xe7, 0xe6, 0x70, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa4, 0xaa, 0xf2, 0x53, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x87, 0x76, 0x93, 0x43, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xce, 0xb3, 0xdd, 0x61, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0x68, 0xaa, 0x1d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd6, 0x62, 0x37, 0x29, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd5, 0x51, 0x32, 0x2d, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xff, 0xf4, 0xe6, 0x01, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc1, 0x46, 0x5b, 0x1d, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1a, 0xba, 0x0b, 0xe1, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x27, 0x7b, 0x3a, 0xc5, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x99, 0x62, 0x92, 0xcb, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4e, 0x4c, 0x63, 0x51, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x02, 0x1d, 0xf2, 0x40, 0x00, 0xf0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd6, 0x68, 0xe2, 0x70, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2f, 0x41, 0x81, 0x60, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1e, 0x95, 0x81, 0xb7, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x21, 0xe2, 0xea, 0xbb, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6e, 0xdd, 0xb1, 0xa0, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x70, 0x7e, 0xab, 0xdb, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x93, 0xd3, 0x5f, 0xa2, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf7, 0x82, 0xbf, 0x0f, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x90, 0xe4, 0xaa, 0x37, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x16, 0x35, 0x0c, 0xd4, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x03, 0x56, 0x51, 0x69, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdf, 0xd8, 0x38, 0xd1, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe3, 0x4a, 0x0e, 0x46, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x56, 0x65, 0x94, 0x33, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc6, 0xaf, 0x60, 0xd6, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0x13, 0xb1, 0x79, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x96, 0xa5, 0x27, 0x79, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x01, 0x89, 0x01, 0x48, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa7, 0x9a, 0x36, 0xd5, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb7, 0x4a, 0xd2, 0xc9, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0x52, 0x90, 0x3b, 0x00, 0xd0, 0x03, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaa, 0xb0, 0xa4, 0xdb, 0x00, 0x00, 0x04, 0x01, 0xb2, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4f, 0xbd, 0x79, 0x16, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x14, 0x37, 0x6c, 0xfa, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x76, 0x21, 0x6e, 0x07, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x99, 0x07, 0xc8, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb2, 0x6f, 0x61, 0x56, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x74, 0x8a, 0xf1, 0x58, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x62, 0xf1, 0x30, 0x8d, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x86, 0xa8, 0xfe, 0x9e, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x93, 0x51, 0x09, 0xf3, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa5, 0xa4, 0xc3, 0x69, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xee, 0x5d, 0x3f, 0x98, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2d, 0xc6, 0x49, 0x11, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb4, 0x7e, 0x34, 0xb0, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x55, 0xa1, 0x1d, 0x2d, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbf, 0x70, 0xf4, 0xff, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x9f, 0x41, 0x9b, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x41, 0x68, 0xb3, 0x87, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x65, 0xa5, 0x34, 0x1a, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x16, 0x98, 0x43, 0xea, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4f, 0xfb, 0xd4, 0x80, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x30, 0xd9, 0x4d, 0x0c, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb4, 0x52, 0x0a, 0x27, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7a, 0xbe, 0x9b, 0x0f, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe6, 0x2e, 0xf9, 0x9d, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xef, 0x36, 0x61, 0x28, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x06, 0x3c, 0x47, 0xf0, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xf8, 0xdf, 0xa8, 0xc9, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x12, 0x75, 0xad, 0x5b, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x83, 0xbc, 0x32, 0x20, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe6, 0xe3, 0xfc, 0x0e, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x4c, 0x95, 0xc6, 0x81, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x24, 0x90, 0x39, 0xed, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x1f, 0x20, 0x22, 0xca, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6f, 0x4b, 0xf4, 0x71, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5a, 0xc9, 0xbd, 0x6c, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe0, 0x7b, 0x87, 0x4c, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5f, 0xa7, 0x3e, 0x05, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x01, 0x77, 0xad, 0x5a, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4a, 0x44, 0x65, 0x9d, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x93, 0xb5, 0xcd, 0xf3, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf8, 0xc2, 0x7d, 0xc2, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x07, 0x7c, 0x31, 0x14, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfe, 0xe7, 0x4b, 0x87, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x74, 0xe6, 0x6b, 0x4b, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x27, 0x6c, 0xf1, 0xf8, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x59, 0xb2, 0x6d, 0xd8, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x8f, 0xbd, 0x0e, 0x64, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfb, 0x88, 0x8f, 0x64, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfa, 0x9f, 0x6c, 0x10, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x81, 0xba, 0xa1, 0xef, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xff, 0xed, 0x29, 0xef, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa2, 0xcf, 0x58, 0x75, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8d, 0xc0, 0x2f, 0xe6, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x4c, 0xaf, 0x67, 0x85, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0e, 0x0e, 0xbf, 0xc9, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1b, 0x3e, 0xc5, 0x78, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe3, 0xc9, 0xcd, 0xe8, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3d, 0xdd, 0x91, 0x52, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x11, 0x23, 0xb0, 0x83, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1f, 0x32, 0x57, 0x74, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x95, 0x03, 0x32, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd4, 0x61, 0x56, 0xaf, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe5, 0xbd, 0x46, 0x06, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x85, 0xe8, 0x68, 0xef, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb5, 0xdf, 0x14, 0xbc, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x61, 0xbe, 0x57, 0xdd, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x4f, 0xaa, 0xca, 0x4b, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6b, 0xf8, 0xde, 0x9e, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x74, 0x7f, 0x2d, 0xb3, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x44, 0x36, 0xec, 0x03, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x98, 0x42, 0xea, 0x32, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x68, 0x5c, 0xe6, 0xb6, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf2, 0x88, 0x17, 0x52, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9e, 0x2f, 0x69, 0xfe, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x09, 0x65, 0xa6, 0x13, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0e, 0x8b, 0xa0, 0x3c, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9b, 0xda, 0x84, 0xf7, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb7, 0x58, 0x84, 0xee, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x94, 0x28, 0x67, 0x4f, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcf, 0xdb, 0xc7, 0xbf, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xde, 0x44, 0xdb, 0xcc, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x47, 0x11, 0xf9, 0x0e, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x30, 0xa0, 0x9b, 0x88, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xea, 0x64, 0xc5, 0x2e, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x78, 0xd7, 0x44, 0xf2, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x71, 0xd5, 0xa5, 0xb8, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x72, 0x59, 0x69, 0x68, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4e, 0x0d, 0x12, 0x02, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x09, 0xd3, 0xdb, 0x8b, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x92, 0x89, 0x2b, 0x08, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x89, 0xce, 0x4c, 0xca, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xda, 0x52, 0x44, 0x1f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc3, 0x9b, 0x1a, 0x53, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x35, 0xd0, 0xb3, 0xf1, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x19, 0x6b, 0x19, 0x27, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa2, 0xca, 0xc0, 0x3e, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd3, 0x2c, 0x81, 0x40, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xaf, 0x96, 0x3e, 0x9b, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd6, 0x65, 0x71, 0x59, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf1, 0xf4, 0x9b, 0x83, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x77, 0xaa, 0xa2, 0x0d, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0x1b, 0xa0, 0xd2, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd1, 0x62, 0x0a, 0xbe, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xed, 0x8e, 0x8a, 0xfc, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb1, 0xc5, 0x6c, 0x47, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x27, 0x14, 0xf1, 0x7d, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0x3b, 0xa7, 0x05, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x8b, 0x76, 0xac, 0xf8, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7e, 0x2c, 0xc9, 0xc5, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xad, 0x5d, 0x93, 0x37, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x25, 0x64, 0xe9, 0xeb, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc6, 0x82, 0x9b, 0xae, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0c, 0x50, 0x09, 0x51, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x90, 0xca, 0x3e, 0x77, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x63, 0x46, 0x89, 0xeb, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd0, 0x72, 0xf8, 0xd9, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd8, 0xbb, 0x2d, 0xee, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x53, 0x9d, 0x66, 0xa7, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x75, 0xfb, 0x42, 0xbc, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcc, 0x64, 0xae, 0x9f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x24, 0xdc, 0x1d, 0x88, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8e, 0xe1, 0x40, 0x1b, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9e, 0x48, 0xba, 0x81, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x82, 0xd2, 0x89, 0x67, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcf, 0x13, 0x87, 0xce, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xed, 0x80, 0x0c, 0x19, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcd, 0xd4, 0xf5, 0x92, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0b, 0x4b, 0x45, 0xd2, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x9e, 0x82, 0x94, 0x16, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x33, 0x61, 0x29, 0xd3, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd6, 0xe5, 0x90, 0x86, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1c, 0xa3, 0xa5, 0xaf, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfb, 0xb8, 0x2e, 0x30, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0x21, 0x06, 0x79, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa8, 0x1b, 0x51, 0x98, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x33, 0x5c, 0x40, 0x75, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x88, 0x8b, 0xd6, 0x91, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x53, 0x1f, 0x91, 0xa1, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x74, 0x14, 0x1f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9c, 0x86, 0x4a, 0x7a, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdd, 0x43, 0xf8, 0x91, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0c, 0x51, 0xb6, 0x4b, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbb, 0xce, 0x7e, 0xdd, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x49, 0x12, 0xa6, 0x12, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x41, 0x3b, 0xe8, 0x7f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd5, 0xf8, 0xa3, 0x03, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xda, 0x08, 0x39, 0x59, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x01, 0x05, 0x52, 0xf4, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xba, 0xe1, 0xed, 0xb0, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5a, 0x19, 0xc5, 0xa7, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf9, 0xca, 0x4a, 0xf0, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe4, 0x7d, 0xf4, 0xa3, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xee, 0xab, 0xc1, 0x9a, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1a, 0xe7, 0x75, 0x30, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x16, 0xa2, 0xf3, 0x4e, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x25, 0x90, 0x23, 0xf0, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1b, 0xfd, 0x3b, 0xbb, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0a, 0x3c, 0x10, 0x68, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb0, 0x5c, 0xbf, 0x7f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x59, 0xb7, 0x17, 0x6d, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x33, 0xd9, 0xdf, 0xba, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbf, 0xaa, 0x8a, 0x5a, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8b, 0x03, 0x6c, 0x50, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x08, 0xf7, 0x1f, 0xc1, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xce, 0xfc, 0x6e, 0x66, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd7, 0x45, 0x6d, 0xe3, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x93, 0x74, 0xb6, 0x81, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc4, 0xfa, 0xec, 0x3e, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x35, 0x9c, 0x3d, 0xa5, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x91, 0x83, 0x69, 0x08, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6e, 0x38, 0xb5, 0xe4, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd1, 0x87, 0x3d, 0xfb, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4a, 0x9d, 0x8f, 0x42, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x45, 0x5b, 0x67, 0xe5, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x18, 0x6b, 0x3a, 0xe8, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5a, 0xff, 0x5a, 0xa6, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe3, 0xb6, 0x98, 0xe7, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf0, 0xcb, 0xbd, 0xa6, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc9, 0xc2, 0xb1, 0xe8, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x00, 0xf7, 0x41, 0x1f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7a, 0xb7, 0x28, 0xf5, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x78, 0xf9, 0xda, 0xb3, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x26, 0x16, 0xa2, 0x49, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x0e, 0x95, 0x37, 0x7c, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x37, 0x0b, 0xa1, 0x8b, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2c, 0xcd, 0xb1, 0x29, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xee, 0xf1, 0xa2, 0xdb, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd0, 0x75, 0xa9, 0x5c, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x20, 0xc3, 0x5f, 0xff, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd3, 0xf1, 0xb7, 0x68, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcb, 0x63, 0x24, 0x60, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf7, 0xa5, 0x94, 0x5f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc2, 0x03, 0x23, 0x3a, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe6, 0x46, 0x83, 0x3b, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe8, 0x13, 0xcf, 0xdc, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x5b, 0x3f, 0x77, 0x6a, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x36, 0xb4, 0x8b, 0xbe, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2f, 0xe6, 0x5e, 0xfd, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x61, 0x3b, 0xca, 0xb3, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x43, 0x5a, 0xb3, 0x91, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x35, 0x03, 0x1b, 0xbd, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x53, 0xdd, 0x70, 0x88, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc7, 0xd4, 0x95, 0x55, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd1, 0x8d, 0x90, 0xe5, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6d, 0x10, 0x87, 0x8e, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x36, 0x41, 0xf0, 0x0c, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x08, 0x33, 0xa7, 0x79, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd8, 0x32, 0x0f, 0xe0, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc7, 0xed, 0xb4, 0x16, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1e, 0x2a, 0x7d, 0x5c, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x18, 0xea, 0xb9, 0xa2, 0x00, 0xa0, 0x24, 0x01, 0x3e, 0x08, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66, 0x18, 0x0f, 0xb4, 0x00, 0xa0, 0x24, 0x01, 0x3e, 0x08, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x08, 0x26, 0xf4, 0x05, 0x00, 0xa0, 0x24, 0x01, 0x3e, 0x08, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbf, 0x83, 0x31, 0x0a, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1e, 0xc4, 0x2f, 0x1e, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x26, 0x8e, 0x9b, 0xc8, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xda, 0xfe, 0xd0, 0x2f, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x39, 0x88, 0x26, 0x84, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x07, 0x07, 0x94, 0x2d, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xeb, 0xf5, 0x3a, 0x03, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0xa8, 0xa2, 0xce, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x0f, 0xd3, 0x13, 0xac, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x19, 0x78, 0xad, 0x95, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd1, 0x1f, 0xa7, 0xcb, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8e, 0xa1, 0x96, 0x69, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xc7, 0xff, 0x2a, 0xaf, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0x1d, 0xf4, 0x9b, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x8d, 0x71, 0x88, 0xf0, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe2, 0x20, 0xbc, 0xad, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd8, 0x22, 0xb5, 0xd9, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xec, 0xe1, 0xb0, 0x44, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfe, 0x90, 0x88, 0x20, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x35, 0x89, 0x8d, 0x8a, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xe1, 0xff, 0x00, 0xf7, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x71, 0xa6, 0x3e, 0x91, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x04, 0x01, 0x29, 0xd0, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xef, 0xf1, 0x42, 0xd2, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x52, 0x09, 0x00, 0xa8, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfc, 0x87, 0x14, 0xcd, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x53, 0x70, 0x02, 0x9b, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xab, 0x83, 0xef, 0x9c, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa0, 0x26, 0x7d, 0xb9, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xca, 0x7c, 0xba, 0xa7, 0x00, 0xa0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x60, 0x9c, 0x1f, 0x5f, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x6c, 0xed, 0x01, 0x8c, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd0, 0x3c, 0x82, 0xbe, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x1a, 0x8e, 0xb9, 0xd2, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x97, 0x09, 0xda, 0x43, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x08, 0xf0, 0x92, 0xf3, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x73, 0xc6, 0xdf, 0x5f, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x5d, 0xa6, 0xf3, 0x3c, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0xb0, 0x51, 0x37, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x61, 0x55, 0x0b, 0x8a, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x33, 0x8c, 0xf1, 0xba, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xa6, 0xca, 0x24, 0xa3, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2f, 0xe5, 0x07, 0x6d, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xfa, 0x44, 0x40, 0x9b, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa4, 0xaf, 0x30, 0xc6, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x15, 0x15, 0xba, 0xc8, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc6, 0x93, 0xce, 0x5b, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9f, 0x7b, 0x3b, 0x84, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x06, 0xdb, 0xed, 0x30, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb3, 0x53, 0x17, 0xda, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa7, 0xd9, 0xa4, 0xf2, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x20, 0xeb, 0x20, 0x4c, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe1, 0x34, 0xba, 0x76, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xf6, 0xb8, 0x8f, 0x0b, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x43, 0x76, 0x28, 0x3e, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x63, 0xb3, 0x52, 0x09, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x42, 0xd1, 0x68, 0xe4, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x0c, 0x98, 0x8a, 0x5f, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x09, 0xa1, 0x5b, 0x27, 0x00, 0x90, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xb2, 0x2f, 0x0a, 0xc6, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x00, 0x8b, 0xdd, 0xba, 0x00, 0xe0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x42, 0x2c, 0x61, 0xa9, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x6f, 0xb7, 0x14, 0xfa, 0x00, 0xe0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x2f, 0x9d, 0x8a, 0xbf, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xe2, 0xff, 0x6e, 0x58, 0x00, 0xe0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x36, 0xc7, 0xaf, 0x53, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7c, 0x24, 0x4c, 0xbe, 0x00, 0xf0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd4, 0x6e, 0x60, 0x13, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x96, 0x95, 0xac, 0x47, 0x00, 0xf0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x2e, 0x0e, 0xb0, 0x2b, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x81, 0x39, 0x82, 0xda, 0x00, 0xf0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x47, 0x57, 0xba, 0xec, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x45, 0x6c, 0xd1, 0x10, 0x00, 0xf0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x52, 0x81, 0xca, 0xab, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xd4, 0x45, 0x23, 0x4a, 0x00, 0xf0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x35, 0x9d, 0xf9, 0xfe, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xfe, 0x58, 0x24, 0xa9, 0x00, 0xf0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0xd1, 0xbd, 0x2f, 0x06, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbb, 0xa4, 0xbb, 0x03, 0x00, 0xf0, 0x24, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x58, 0x46, 0x3f, 0x62, 0x00, 0xe0, 0x10, 0x00, 0xd2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4c, 0xec, 0x6b, 0x9c, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x69, 0xdc, 0x11, 0x3a, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcd, 0x6e, 0xd3, 0xdf, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x73, 0x7d, 0xdd, 0xb8, 0x00, 0xf0, 0x44, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa1, 0x85, 0xd1, 0x98, 0x00, 0xf0, 0x44, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7a, 0x96, 0xe6, 0xff, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xbb, 0x29, 0x6c, 0xaa, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x14, 0x11, 0x02, 0x79, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1f, 0x05, 0x4e, 0x0e, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3f, 0x3f, 0x77, 0x58, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcf, 0x37, 0xab, 0x0f, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66, 0xa2, 0x28, 0x83, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdd, 0x14, 0x4c, 0xb6, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x05, 0xfc, 0x2d, 0x18, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x10, 0x7d, 0xe4, 0xe4, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x8b, 0x2e, 0x77, 0x09, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x62, 0xba, 0x18, 0x5f, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x75, 0xaf, 0x6b, 0x3a, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x78, 0x40, 0x20, 0x09, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x63, 0xa1, 0x67, 0x6b, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xdd, 0x25, 0x2e, 0xcc, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x3a, 0x2a, 0x35, 0x7c, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x78, 0x55, 0x9e, 0xbb, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x4b, 0xa1, 0x0c, 0xb1, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb3, 0x44, 0x52, 0xa6, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x59, 0xc0, 0x0a, 0xb3, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x76, 0x8a, 0xff, 0x5c, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xa4, 0x71, 0x5a, 0xca, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x44, 0xb1, 0x7b, 0xe1, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf3, 0xcb, 0xea, 0x85, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x85, 0x3c, 0xb8, 0x42, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x70, 0x9b, 0x7b, 0x65, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x25, 0x37, 0x4f, 0x59, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x33, 0xa1, 0x82, 0xe4, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x7d, 0xf8, 0x42, 0x4b, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x80, 0x0d, 0x0f, 0x80, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xf9, 0x26, 0xee, 0x6d, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x58, 0x4c, 0x8a, 0x8c, 0x00, 0x00, 0x45, 0x01, 0xf8, 0x07, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x41, 0xd4, 0xb4, 0x23, 0x00, 0x00, 0x45, 0x01, 0x84, 0x08, 0x00, 0x00, 0x18, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa0, 0x05, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xb8, 0x03, 0x18, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa0, 0x05, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xb8, 0x03, 0x18, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xb8, 0x03, 0x80, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x18, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xb8, 0x03, 0x28, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xb8, 0x03, 0x28, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xb8, 0x03, 0x18, 0x00, 0x20, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xc0, 0x03, 0x18, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xc0, 0x03, 0x28, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xc0, 0x03, 0x28, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa8, 0x05, 0xb0, 0x05, 0xb8, 0x05, 0xc0, 0x05, 0xc8, 0x05, 0xd0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xc0, 0x03, 0x28, 0x00, 0x70, 0x05, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x18, 0x05, 0x28, 0x00, 0x70, 0x05, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x18, 0x05, 0x28, 0x00, 0x70, 0x05, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x0b, 0x00, 0x08, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x18, 0x05, 0x28, 0x00, 0x70, 0x05, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x0b, 0x00, 0x08, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x18, 0x05, 0x28, 0x00, 0x00, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xa8, 0x02, 0x28, 0x00, 0x00, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x0b, 0x00, 0x08, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xa8, 0x02, 0x28, 0x00, 0x00, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xa8, 0x02, 0x28, 0x00, 0x00, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x0b, 0x00, 0x08, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xa8, 0x02, 0x28, 0x00, 0x00, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x38, 0x00, 0x48, 0x01, 0x78, 0x01, 0x88, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xa8, 0x02, 0x28, 0x00, 0x00, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x0b, 0x00, 0x08, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x38, 0x00, 0x48, 0x01, 0x78, 0x01, 0x88, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0x80, 0x03, 0x88, 0x03, 0x90, 0x03, 0x98, 0x03, 0xa0, 0x03, 0xa8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xa8, 0x02, 0x18, 0x00, 0xc0, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xc8, 0x05, 0xd0, 0x05, 0xd8, 0x05, 0xe0, 0x05, 0xe8, 0x05, 0xf0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x68, 0x03, 0x18, 0x00, 0xc8, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xc8, 0x05, 0xd0, 0x05, 0xd8, 0x05, 0xe0, 0x05, 0xe8, 0x05, 0xf0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x70, 0x03, 0x28, 0x00, 0xc8, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xc8, 0x05, 0xd0, 0x05, 0xd8, 0x05, 0xe0, 0x05, 0xe8, 0x05, 0xf0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x70, 0x03, 0x28, 0x00, 0xc8, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xc8, 0x05, 0xd0, 0x05, 0xd8, 0x05, 0xe0, 0x05, 0xe8, 0x05, 0xf0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x70, 0x03, 0x18, 0x00, 0xd0, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xc8, 0x05, 0xd0, 0x05, 0xd8, 0x05, 0xe0, 0x05, 0xe8, 0x05, 0xf0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x78, 0x03, 0x28, 0x00, 0xd0, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xc8, 0x05, 0xd0, 0x05, 0xd8, 0x05, 0xe0, 0x05, 0xe8, 0x05, 0xf0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x78, 0x03, 0x28, 0x00, 0xd0, 0x03, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xc8, 0x05, 0xd0, 0x05, 0xd8, 0x05, 0xe0, 0x05, 0xe8, 0x05, 0xf0, 0x05, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x78, 0x03, 0x28, 0x00, 0x28, 0x05, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa0, 0x03, 0xa8, 0x03, 0xb0, 0x03, 0xb8, 0x03, 0xc0, 0x03, 0xc8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xd0, 0x04, 0x28, 0x00, 0x28, 0x05, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa0, 0x03, 0xa8, 0x03, 0xb0, 0x03, 0xb8, 0x03, 0xc0, 0x03, 0xc8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0xd0, 0x04, 0x28, 0x00, 0xf0, 0x02, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa0, 0x03, 0xa8, 0x03, 0xb0, 0x03, 0xb8, 0x03, 0xc0, 0x03, 0xc8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x98, 0x02, 0x28, 0x00, 0xf0, 0x02, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x38, 0x00, 0x60, 0x01, 0x90, 0x01, 0xa0, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xa0, 0x03, 0xa8, 0x03, 0xb0, 0x03, 0xb8, 0x03, 0xc0, 0x03, 0xc8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x98, 0x02, 0x28, 0x00, 0xf0, 0x02, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x10, 0x00, 0x28, 0x00, 0x08, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x38, 0x00, 0x48, 0x01, 0x78, 0x01, 0x88, 0x01, 0x28, 0x00, 0x30, 0x00, 0x38, 0x00, 0x58, 0x00, 0xa0, 0x03, 0xa8, 0x03, 0xb0, 0x03, 0xb8, 0x03, 0xc0, 0x03, 0xc8, 0x03, 0x28, 0x00, 0x08, 0x00, 0x48, 0x00, 0x98, 0x02, }; CONST ULONG KphDynConfigLength = ARRAYSIZE(KphDynConfig); #endif ================================================ FILE: kphlib/kphdyn.xml ================================================ 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 14 2 14 14 2 2 2 2 14 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 14 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 2 14 2 2 2 2 2 2 2 14 2 2 2 14 2 2 14 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 14 2 2 14 2 2 14 2 2 2 14 2 14 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 2 2 2 2 14 2 2 2 2 14 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 14 2 14 2 2 14 2 14 2 2 2 2 2 2 14 2 2 2 2 14 2 2 2 2 14 2 2 14 2 2 2 2 14 2 14 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 14 2 2 2 2 2 2 14 2 2 14 2 2 2 2 2 14 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 14 2 2 2 2 4 4 4 4 4 4 4 14 4 4 4 4 4 4 14 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 14 4 4 4 14 4 4 4 4 4 4 4 4 4 4 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 2 27 5 14 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 14 5 5 5 5 3 3 3 3 3 3 3 3 14 3 3 3 3 3 3 14 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 14 3 3 3 3 3 3 3 7 7 7 6 6 14 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 14 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 14 6 6 14 6 14 6 14 6 6 6 6 6 6 6 6 6 6 6 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 14 8 14 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 14 8 8 14 8 8 14 8 14 8 8 8 8 8 14 8 8 8 8 8 8 14 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 14 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 14 8 8 8 6 12 6 12 6 12 6 12 6 12 6 12 14 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 6 12 6 12 6 12 6 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 14 6 12 14 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 6 12 8 13 8 13 8 13 8 13 14 8 13 14 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 6 12 6 6 14 6 12 6 8 8 14 14 8 8 13 8 13 8 8 13 8 13 8 8 13 8 13 14 8 8 13 8 13 8 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 8 13 8 13 8 13 8 13 8 13 14 8 8 8 13 8 13 8 8 8 8 13 8 13 8 13 14 8 8 13 8 8 13 14 8 8 13 8 13 8 13 8 13 8 8 13 8 8 13 8 13 8 13 8 8 13 8 13 8 13 8 13 8 13 8 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 8 13 8 13 8 14 14 8 13 8 8 13 8 13 8 8 13 8 13 8 13 8 13 8 13 8 8 13 8 8 13 8 13 8 13 8 13 8 13 8 8 13 8 13 8 13 8 8 13 8 13 8 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 8 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 14 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 8 13 8 13 8 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 14 8 13 14 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 13 8 8 8 14 14 8 8 8 14 8 8 8 14 8 13 8 14 14 8 8 14 8 8 8 8 8 8 8 8 14 8 13 8 13 8 13 8 13 8 8 8 13 14 14 8 8 13 8 13 8 8 13 14 8 13 8 25 25 14 25 26 25 14 25 26 25 26 25 26 14 25 26 25 26 25 26 25 26 14 25 26 14 25 26 25 26 14 25 26 14 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 14 25 26 14 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 14 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 26 25 26 25 25 26 25 25 26 25 26 25 26 25 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 25 26 25 26 25 25 26 25 26 25 26 25 26 14 25 26 25 26 25 26 25 25 26 25 26 14 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 26 25 26 25 25 26 25 26 25 25 26 25 26 25 25 26 14 25 26 25 25 26 25 26 25 26 25 25 26 25 25 26 14 14 25 25 26 14 14 25 25 26 25 25 26 25 25 26 25 25 26 25 26 25 26 25 26 25 26 25 26 25 26 14 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 31 32 14 25 25 26 25 26 25 26 25 26 25 26 25 26 14 25 26 25 26 25 25 25 26 25 26 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 14 25 26 14 25 25 26 14 25 26 14 25 26 25 26 14 25 26 14 25 26 14 25 26 25 26 25 26 25 25 25 26 25 26 25 26 25 25 26 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 26 14 25 25 26 14 25 26 25 25 26 14 25 26 14 25 26 14 25 26 14 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 14 25 26 25 26 14 25 26 25 26 14 25 26 25 26 14 25 26 25 26 14 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 26 25 25 26 25 26 25 26 25 26 25 26 25 26 31 32 25 26 25 25 26 25 28 29 28 29 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 14 15 14 15 15 15 15 15 14 15 15 14 15 15 15 14 15 15 15 15 14 15 14 15 15 15 15 14 15 14 15 14 15 15 15 15 14 15 14 15 15 14 15 15 15 14 15 15 15 15 14 15 15 15 14 15 15 15 15 15 15 15 15 15 15 15 15 16 14 16 14 16 16 16 16 14 16 16 14 16 14 16 16 14 16 14 16 14 16 16 16 14 16 16 16 14 16 16 16 14 16 14 16 14 16 14 16 14 16 16 14 16 14 16 16 16 14 16 19 14 19 19 14 19 19 19 14 19 14 19 19 19 19 19 19 14 19 19 19 19 14 19 19 19 19 19 19 19 19 19 19 19 19 19 19 19 19 19 19 19 19 19 14 19 19 19 19 14 19 19 19 14 19 19 19 19 19 19 19 19 19 19 23 23 23 23 23 23 23 14 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 14 17 17 14 17 14 17 17 17 14 17 14 17 14 17 17 14 17 17 17 14 17 14 17 14 17 14 17 14 17 18 14 18 18 18 18 18 14 18 18 14 18 14 18 18 14 18 14 18 18 14 18 14 18 14 18 14 18 14 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 14 18 18 18 14 18 18 18 14 18 18 18 18 21 21 21 20 14 14 20 20 20 20 14 20 20 14 20 20 20 14 20 20 20 20 14 20 20 14 20 20 20 20 20 20 20 20 20 20 20 14 20 20 20 14 20 20 20 20 14 20 20 14 20 14 20 20 20 20 20 20 20 14 20 20 14 20 20 22 22 22 22 22 22 22 22 22 22 14 22 22 14 22 22 22 22 22 22 14 22 22 22 14 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 14 22 22 14 22 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 14 22 22 14 22 22 14 22 14 22 22 14 22 14 22 14 22 14 22 14 22 14 22 22 14 22 14 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 20 20 20 20 20 20 20 20 14 14 20 20 20 20 20 20 20 20 20 20 22 22 22 22 14 22 22 14 22 22 22 22 22 14 22 22 22 22 22 22 22 22 14 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 14 22 22 22 22 22 14 22 22 22 22 22 22 22 22 22 22 22 20 20 22 22 14 14 22 22 22 14 22 22 22 22 22 14 22 14 22 22 14 22 22 22 22 22 22 22 22 22 14 22 22 14 22 22 22 22 14 22 22 14 22 22 14 22 22 22 14 22 22 14 22 22 22 22 22 14 22 14 22 22 22 14 22 22 22 22 22 22 14 22 14 22 14 22 14 22 22 14 14 22 22 22 22 14 22 22 22 22 22 14 22 22 22 22 22 22 22 14 22 22 22 22 22 22 22 22 22 14 22 14 22 22 22 22 22 14 22 22 14 22 22 22 14 22 22 22 14 22 22 14 22 14 22 22 14 22 22 22 22 14 22 22 22 22 14 22 22 14 22 14 22 22 22 22 22 22 14 22 22 22 22 14 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 24 24 14 24 24 24 24 14 24 14 24 24 14 24 24 24 24 24 24 24 24 24 24 14 24 24 14 24 14 24 14 24 14 24 24 24 24 24 24 24 24 24 24 24 14 24 14 24 24 24 24 14 24 14 24 24 14 24 24 24 24 24 14 24 24 24 14 24 24 14 24 14 24 24 24 24 14 24 24 24 24 24 24 24 24 24 14 24 14 24 24 24 24 24 14 24 24 14 24 24 24 24 14 24 24 24 24 14 24 24 24 24 24 14 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 14 24 14 24 24 24 24 14 24 24 24 24 24 24 24 14 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 33 33 33 24 24 24 24 24 24 24 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 24 24 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 14 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 30 ================================================ FILE: kphlib/kphdyndata.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2026 * */ #include #include #ifndef _KERNEL_MODE #include #ifndef Add2Ptr #define Add2Ptr(P,I) ((PVOID)((PUCHAR)(P) + (I))) #endif #endif /** * \brief Searches for a dynamic data configuration. * * \param[in] Config The dynamic data configuration. * \param[in] Length The length of the dynamic data configuration. * \param[in] Class The class to search for. * \param[in] Machine The machine to search for. * \param[in] TimeDateStamp The time date stamp to search for. * \param[in] SizeOfImage The size of image to search for. * \param[out] Data Receives a pointer into the dynamic data configuration if * the requested data is found. * \param[out] Fields Receives a pointer into the dynamic data configuration for * the related fields if the requested data is found. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphDynDataLookup( _In_reads_bytes_(Length) PKPH_DYN_CONFIG Config, _In_ ULONG Length, _In_ USHORT Class, _In_ USHORT Machine, _In_ ULONG TimeDateStamp, _In_ ULONG SizeOfImage, _Out_opt_ PKPH_DYN_DATA* Data, _Out_opt_ PVOID* Fields ) { NTSTATUS status; ULONG dataLength; ULONG length; if (Data) { *Data = NULL; } if (Fields) { *Fields = NULL; } status = RtlULongSub(Length, RTL_SIZEOF_THROUGH_FIELD(KPH_DYN_CONFIG, Count), &length); if (!NT_SUCCESS(status)) { return STATUS_SI_DYNDATA_INVALID_LENGTH; } if (Config->Version != KPH_DYN_CONFIGURATION_VERSION) { return STATUS_SI_DYNDATA_VERSION_MISMATCH; } status = RtlULongMult(sizeof(KPH_DYN_DATA), Config->Count, &dataLength); if (!NT_SUCCESS(status)) { return STATUS_SI_DYNDATA_INVALID_LENGTH; } status = RtlULongSub(length, dataLength, &length); if (!NT_SUCCESS(status)) { return STATUS_SI_DYNDATA_INVALID_LENGTH; } for (ULONG i = 0; i < Config->Count; i++) { PKPH_DYN_DATA data; data = &Config->Data[i]; if ((data->Class != Class) || (data->Machine != Machine) || (data->TimeDateStamp != TimeDateStamp) || (data->SizeOfImage != SizeOfImage)) { continue; } if (data->Offset >= length) { return STATUS_SI_DYNDATA_INVALID_LENGTH; } if (Data) { *Data = data; } if (Fields) { PVOID start; start = &Config->Data[Config->Count]; *Fields = Add2Ptr(start, data->Offset); } return STATUS_SUCCESS; } return STATUS_SI_DYNDATA_UNSUPPORTED_KERNEL; } ================================================ FILE: kphlib/kphlib_km.filters ================================================  {c6f1d7ed-ed5d-4745-9ea8-c0dfaa942906} {545176e3-50a7-46f9-84b8-fbd1e9fec5d8} Header Files Header Files Header Files Header Files Source Files Source Files ================================================ FILE: kphlib/kphlib_km.vcxproj ================================================ Debug x64 Release x64 Debug ARM64 Release ARM64 17.0 {B1863396-A667-42DB-97AC-C5E033CEE321} {dd38f7fc-d7bd-488b-9242-7d8754cde80d} StaticLibrary kphlib_km kphlib $(SystemInformerRoot)KSystemInformer\obj\$(Configuration)$(PlatformArchitecture)\$(ProjectName)\ $(SystemInformerRoot)KSystemInformer\bin\$(Configuration)$(PlatformArchitecture)\ kphlib_km ksecdd.lib;%(AdditionalDependencies) "$(SolutionDir)..\tools\CustomBuildTool\bin\Release\$(PROCESSOR_ARCHITECTURE)\CustomBuildTool.exe" -dyndata "$(SolutionDir)..\bin\$(Configuration)$(PlatformArchitecture)" true $(ProjectDir)include true $(ProjectDir)include true true true true true ================================================ FILE: kphlib/kphlib_km.vcxproj.filters ================================================  {82b195b6-02b5-4bd3-b6be-ef713fcec8aa} {1d7a73eb-3cee-4ae3-82bc-0846578dc715} {2a9e0704-3950-492f-9cf5-ce4b10a57b22} Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Source Files Source Files Source Files Source Files Source Files Resource Files Resource Files ================================================ FILE: kphlib/kphlib_um.vcxproj ================================================ Debug ARM64 Debug Win32 Debug x64 Release ARM64 Release Win32 Release x64 17.0 Win32Proj {f1757430-8eee-49df-a5f1-0999a53bb4a0} kphlib_um kphlib $(LatestTargetPlatformVersion) StaticLibrary v143 false true StaticLibrary v143 true false StaticLibrary v143 false true StaticLibrary v143 false true StaticLibrary v143 true false StaticLibrary v143 true false $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\um\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\um\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\um\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\um\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\um\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\um\$(Configuration)$(PlatformArchitecture)\ kphlib_um kphlib_um kphlib_um kphlib_um kphlib_um kphlib_um $(SolutionDir)phnt\include;include;%(AdditionalIncludeDirectories) DEBUG;_DEBUG;%(PreprocessorDefinitions) Level4 /utf-8 %(AdditionalOptions) MachineX86 %(AdditionalLibraryDirectories) true "$(SolutionDir)build\build_dyndata.cmd" "$(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)" $(SolutionDir)phnt\include;include;%(AdditionalIncludeDirectories) DEBUG;_DEBUG;%(PreprocessorDefinitions) Level4 /utf-8 %(AdditionalOptions) MachineX64 %(AdditionalLibraryDirectories) true "$(SolutionDir)build\build_dyndata.cmd" "$(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)" $(SolutionDir)phnt\include;include;%(AdditionalIncludeDirectories) DEBUG;_DEBUG;%(PreprocessorDefinitions) Level4 /utf-8 %(AdditionalOptions) MachineARM64 %(AdditionalLibraryDirectories) true "$(SolutionDir)build\build_dyndata.cmd" "$(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)" $(SolutionDir)phnt\include;include;%(AdditionalIncludeDirectories) WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) Level4 /utf-8 /d1nodatetime /guard:xfg %(AdditionalOptions) MachineX86 %(AdditionalLibraryDirectories) true "$(SolutionDir)build\build_dyndata.cmd" "$(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)" $(SolutionDir)phnt\include;include;%(AdditionalIncludeDirectories) WIN64;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) Level4 /utf-8 /d1nodatetime /guard:xfg %(AdditionalOptions) MachineX64 %(AdditionalLibraryDirectories) true "$(SolutionDir)build\build_dyndata.cmd" "$(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)" $(SolutionDir)phnt\include;include;%(AdditionalIncludeDirectories) WIN64;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) Level4 /utf-8 /d1nodatetime %(AdditionalOptions) MachineARM64 %(AdditionalLibraryDirectories) true "$(SolutionDir)build\build_dyndata.cmd" "$(SolutionDir)bin\$(Configuration)$(PlatformArchitecture)" ================================================ FILE: kphlib/kphlib_um.vcxproj.filters ================================================  {d727b7f5-c766-42e2-b006-b57a27838deb} {9cc800b4-95ec-4b5e-8575-80a523f61365} {fa49d35d-f550-434b-b86f-2ee4378bdb63} Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Source Files Source Files Source Files Source Files Source Files Resource Files Resource Files ================================================ FILE: kphlib/kphmsg.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * dmex 2022 * */ #include #include #define KPH_MESSAGE_VERSION 6 /** * Gets the current system time (UTC). * * \remarks Use this function instead of NtQuerySystemTime() because no system calls are involved. */ VOID KphMsgQuerySystemTime( _Out_ PLARGE_INTEGER SystemTime ) { #ifdef _KERNEL_MODE KeQuerySystemTime(SystemTime); #else while (TRUE) { SystemTime->HighPart = USER_SHARED_DATA->SystemTime.High1Time; SystemTime->LowPart = USER_SHARED_DATA->SystemTime.LowPart; if (SystemTime->HighPart == USER_SHARED_DATA->SystemTime.High2Time) break; YieldProcessor(); } #endif } /** * \brief Initializes a message. * * \param MessageId Message identifier to initialize with. */ VOID KphMsgInit( _Out_writes_bytes_(KPH_MESSAGE_MIN_SIZE) PKPH_MESSAGE Message, _In_ KPH_MESSAGE_ID MessageId ) { RtlZeroMemory(Message, KPH_MESSAGE_MIN_SIZE); Message->Header.Version = KPH_MESSAGE_VERSION; Message->Header.Size = KPH_MESSAGE_MIN_SIZE; Message->Header.MessageId = MessageId; KphMsgQuerySystemTime(&Message->Header.TimeStamp); } /** * \brief Validates a message. * * \param Message The message to validate. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphMsgValidate( _In_ PCKPH_MESSAGE Message ) { if (Message->Header.Version != KPH_MESSAGE_VERSION) { return STATUS_REVISION_MISMATCH; } if ((Message->Header.Size < KPH_MESSAGE_MIN_SIZE) || (Message->Header.Size > sizeof(KPH_MESSAGE))) { return STATUS_INVALID_MESSAGE; } if (Message->Header.MessageId != KphMsgUnhandled) { if ((Message->Header.MessageId <= InvalidKphMsg) || (Message->Header.MessageId >= MaxKphMsg)) { return STATUS_INVALID_MESSAGE; } } return STATUS_SUCCESS; } ================================================ FILE: kphlib/kphmsgdyn.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2026 * */ #include #include #ifndef _KERNEL_MODE #include #ifndef Add2Ptr #define Add2Ptr(P,I) ((PVOID)((PUCHAR)(P) + (I))) #endif #endif /** * \brief Finds a dynamic message entry in the table. * * \param[in] Message The message to get the table entry from. * \param[in] FieldId Field identifier to look for. * * \return Pointer to table entry on success, null if not found. */ _Must_inspect_result_ PCKPH_MESSAGE_DYNAMIC_TABLE_ENTRY KphpMsgDynFindEntry( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId ) { for (USHORT i = 0; i < Message->_Dyn.Count; i++) { if (Message->_Dyn.Entries[i].FieldId == FieldId) { return &Message->_Dyn.Entries[i]; } } return NULL; } /** * \brief Claims some data in the dynamic message buffer. * * \param[in] Message The message to claim dynamic message in. * \param[in] FieldId Field identifier of the data to be populated. * \param[in] TypeId Type identifier of the data to be populated. * \param[in] Length The length to claim. * \param[out] Entry Set to the claimed entry. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphpMsgDynClaimEntry( _In_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ KPH_MESSAGE_TYPE_ID TypeId, _In_ USHORT Length, _Outptr_ PCKPH_MESSAGE_DYNAMIC_TABLE_ENTRY* Entry ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY claimed; USHORT offset; *Entry = NULL; if ((FieldId <= InvalidKphMsgField) || (FieldId >= MaxKphMsgField)) { return STATUS_INVALID_PARAMETER_2; } if ((TypeId <= InvalidKphMsgType) || (TypeId >= MaxKphMsgType)) { return STATUS_INVALID_PARAMETER_3; } status = KphMsgValidate(Message); if (!NT_SUCCESS(status)) { return status; } if (Message->_Dyn.Count >= ARRAYSIZE(Message->_Dyn.Entries)) { return STATUS_INSUFFICIENT_RESOURCES; } if (KphpMsgDynFindEntry(Message, FieldId)) { return STATUS_ALREADY_COMMITTED; } offset = Message->Header.Size; status = RtlUShortAdd(offset, Length, &offset); if (!NT_SUCCESS(status)) { return status; } if (offset > sizeof(KPH_MESSAGE)) { return STATUS_INSUFFICIENT_RESOURCES; } offset = Message->Header.Size; claimed = &Message->_Dyn.Entries[Message->_Dyn.Count++]; claimed->FieldId = FieldId; claimed->TypeId = TypeId; claimed->Offset = offset; claimed->Length = Length; Message->Header.Size += Length; *Entry = claimed; return STATUS_SUCCESS; } /** * \brief Looks up a dynamic message entry. * * \param[in] Message The message to look up dynamic message entry in. * \param[in] FieldId Field identifier to look up. * \param[in] TypeId Type identifier to look up. * \param[out] DynData Set to point to dynamic message entry. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphpMsgDynLookupEntry( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ KPH_MESSAGE_TYPE_ID TypeId, _Outptr_ PCKPH_MESSAGE_DYNAMIC_TABLE_ENTRY* Entry ) { NTSTATUS status; PCKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; *Entry = NULL; status = KphMsgValidate(Message); if (!NT_SUCCESS(status)) { return status; } entry = KphpMsgDynFindEntry(Message, FieldId); if (!entry) { return STATUS_NOT_FOUND; } if (entry->TypeId != TypeId) { return STATUS_CONTEXT_MISMATCH; } if (entry->Offset >= Message->Header.Size) { return STATUS_HEAP_CORRUPTION; } *Entry = entry; return STATUS_SUCCESS; } /** * \brief Clears the dynamic message table, effectively "freeing" the dynamic * message buffer to be populated with other information. * * \param[in,out] Message The message to clear the dynamic message table of. */ VOID KphMsgDynClear( _Inout_ PKPH_MESSAGE Message ) { Message->Header.Size = KPH_MESSAGE_MIN_SIZE; Message->_Dyn.Count = 0; RtlZeroMemory(&Message->_Dyn.Entries, sizeof(Message->_Dyn.Entries)); } /** * \brief Clears that last added dynamic message entry. * * \param[in,out] Message The message to clear the last dynamic message entry. */ VOID KphMsgDynClearLast( _Inout_ PKPH_MESSAGE Message ) { PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; if (Message->_Dyn.Count) { return; } Message->_Dyn.Count--; entry = &Message->_Dyn.Entries[Message->_Dyn.Count]; Message->Header.Size -= entry->Length; RtlZeroMemory(entry, sizeof(KPH_MESSAGE_DYNAMIC_TABLE_ENTRY)); } /** * \brief Retrieves the remaining size of the dynamic message buffer. * * \param[in] Message The message to retrieve the remaining size of. * * \return Remaining size of the dynamic message buffer. */ USHORT KphMsgDynRemaining( _In_ PCKPH_MESSAGE Message ) { NTSTATUS status; USHORT remaining; remaining = sizeof(KPH_MESSAGE); status = RtlUShortSub(remaining, Message->Header.Size, &remaining); if (!NT_SUCCESS(status)) { return 0; } return remaining; } /** * \brief Adds a Unicode string to the dynamic message buffer. * * \param[in,out] Message The message to populate dynamic message buffer of. * \param[in] FieldId Field identifier for the data. * \param[in] String Unicode string to copy into the dynamic message buffer. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphMsgDynAddUnicodeString( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PCUNICODE_STRING String ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynClaimEntry(Message, FieldId, KphMsgTypeUnicodeString, String->Length, &entry); if (!NT_SUCCESS(status)) { return status; } RtlCopyMemory(Add2Ptr(Message, entry->Offset), String->Buffer, String->Length); return STATUS_SUCCESS; } /** * \brief Retrieves a Unicode string from the dynamic message buffer. * * \param[in] Message The message to retrieve the Unicode string from. * \param[in] FieldId Field identifier for the data. * \param[out] String If found populated with a reference to the string data in * the dynamic message buffer. * * \return Successful or errant status. */ NTSTATUS KphMsgDynGetUnicodeString( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PUNICODE_STRING String ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynLookupEntry(Message, FieldId, KphMsgTypeUnicodeString, &entry); if (!NT_SUCCESS(status)) { String->Length = 0; String->MaximumLength = 0; String->Buffer = NULL; return status; } String->Length = entry->Length; String->MaximumLength = String->Length; String->Buffer = Add2Ptr(Message, entry->Offset); return STATUS_SUCCESS; } /** * \brief Adds an ANSI string to the dynamic message buffer. * * \param[in,out] Message The message to add the string to. * \param[in] FieldId Field identifier for the string. * \param[in] String ANSI string to copy into the dynamic message buffer. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphMsgDynAddAnsiString( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PCANSI_STRING String ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynClaimEntry(Message, FieldId, KphMsgTypeAnsiString, String->Length, &entry); if (!NT_SUCCESS(status)) { return status; } RtlCopyMemory(Add2Ptr(Message, entry->Offset), String->Buffer, String->Length); return STATUS_SUCCESS; } /** * \brief Retrieves an ANSI string from the message. * * \param[in] Message The message to retrieve the string from. * \param[in] FieldId Field identifier of the string. * \param[out] String If found populated with a reference to the string data in * the dynamic message buffer. * * \return Successful or errant status. */ NTSTATUS KphMsgDynGetAnsiString( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PANSI_STRING String ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynLookupEntry(Message, FieldId, KphMsgTypeAnsiString, &entry); if (!NT_SUCCESS(status)) { String->Length = 0; String->MaximumLength = 0; String->Buffer = NULL; return status; } String->Length = entry->Length; String->MaximumLength = String->Length; String->Buffer = Add2Ptr(Message, entry->Offset); return STATUS_SUCCESS; } /** * \brief Adds a stack trace to the dynamic message buffer. * * \param[in,out] Message The message to add the stack trace to. * \param[in] FieldId Field identifier for the stack trace. * \param[in] StackTrace Stack trace to copy into the dynamic message buffer. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphMsgDynAddStackTrace( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PKPHM_STACK_TRACE StackTrace ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynClaimEntry(Message, FieldId, KphMsgTypeStackTrace, (StackTrace->Count * sizeof(PVOID)), &entry); if (!NT_SUCCESS(status)) { return status; } RtlCopyMemory(Add2Ptr(Message, entry->Offset), StackTrace->Frames, (StackTrace->Count * sizeof(PVOID))); return STATUS_SUCCESS; } /** * \brief Retrieves a stack trace from the message. * * \param[in] Message The message to retrieve the stack trace from. * \param[in] FieldId Field identifier of the stack trace. * \param[out] StackTrace If found populated with a reference to the stack * trace data in the dynamic message buffer. * * \return Successful or errant status. */ NTSTATUS KphMsgDynGetStackTrace( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PKPHM_STACK_TRACE StackTrace ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynLookupEntry(Message, FieldId, KphMsgTypeStackTrace, &entry); if (!NT_SUCCESS(status)) { StackTrace->Count = 0; StackTrace->Frames = NULL; return status; } StackTrace->Count = (entry->Length / sizeof(PVOID)); StackTrace->Frames = Add2Ptr(Message, entry->Offset); return STATUS_SUCCESS; } /** * \brief Adds a sized buffer to the dynamic message buffer. * * \param[in,out] Message The message to add the sized buffer to. * \param[in] FieldId Field identifier for the sized buffer. * \param[in] SizedBuffer Sized buffer to copy into the dynamic message buffer. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphMsgDynAddSizedBuffer( _Inout_ PKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _In_ PKPHM_SIZED_BUFFER SizedBuffer ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynClaimEntry(Message, FieldId, KphMsgTypeSizedBuffer, SizedBuffer->Size, &entry); if (!NT_SUCCESS(status)) { return status; } RtlCopyMemory(Add2Ptr(Message, entry->Offset), SizedBuffer->Buffer, SizedBuffer->Size); return STATUS_SUCCESS; } /** * \brief Retrieves a sized buffer from the message. * * \param[in] Message The message to retrieve the sized buffer from. * \param[in] FieldId Field identifier of the sized buffer. * \param[out] SizedBuffer If found populated with a reference to the sized * buffer data in the dynamic message buffer. * * \return Successful or errant status. */ NTSTATUS KphMsgDynGetSizedBuffer( _In_ PCKPH_MESSAGE Message, _In_ KPH_MESSAGE_FIELD_ID FieldId, _Out_ PKPHM_SIZED_BUFFER SizedBuffer ) { NTSTATUS status; PKPH_MESSAGE_DYNAMIC_TABLE_ENTRY entry; status = KphpMsgDynLookupEntry(Message, FieldId, KphMsgTypeSizedBuffer, &entry); if (!NT_SUCCESS(status)) { SizedBuffer->Size = 0; SizedBuffer->Buffer = NULL; return status; } SizedBuffer->Size = entry->Length; SizedBuffer->Buffer = Add2Ptr(Message, entry->Offset); return STATUS_SUCCESS; } ================================================ FILE: kphlib/kphringbuff.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025-2026 * */ #include #include #ifndef _KERNEL_MODE #include #ifndef Add2Ptr #define Add2Ptr(P,I) ((PVOID)((PUCHAR)(P) + (I))) #endif #endif /** * \brief Processes the ring buffer. * * \details The callback routine will continue to be invoked with new buffers * as long as the callback routine returns FALSE. Control is returned to the * caller once the callback routine returns TRUE or if there are no more buffer * to process. * * \param[in] Ring Pointer to the user ring buffer block. * \param[in] Callback Routine to process the ring buffer entries. The routine * should return FALSE to continue to processing, otherwise TRUE to stop. * \param[in] Context The context to pass to the callback routine. * * \return TRUE if there are more buffers to process, FALSE otherwise. */ BOOLEAN KphProcessRingBuffer( _In_ PKPH_RING_BUFFER_USER Ring, _In_ PKPH_RING_CALLBACK Callback, _In_opt_ PVOID Context ) { ULONG consumerPos; WriteULongRelease(&Ring->Consumer->Processing, TRUE); consumerPos = ReadULongAcquire(&Ring->Consumer->Position); for (BOOLEAN done = FALSE; !done; NOTHING) { ULONG producerPos; PKPH_RING_HEADER headerPointer; KPH_RING_HEADER header; PVOID buffer; producerPos = ReadULongAcquire(&Ring->Producer->Position); if (consumerPos == producerPos) { WriteULongRelease(&Ring->Consumer->Processing, FALSE); return FALSE; } headerPointer = Add2Ptr(Ring->Producer->Buffer, consumerPos); header.Value = ReadULong64Acquire(&headerPointer->Value); if (header.Reset) { // // Producer wrapped, reset to start. // WriteULongRelease(&Ring->Consumer->Position, 0); consumerPos = 0; continue; } // // Check if the producer is busy at this position. If it is then it // hasn't committed or discarded this region yet. // if (header.Busy) { WriteULongRelease(&Ring->Consumer->Processing, FALSE); return FALSE; } consumerPos += KPH_RING_BUFFER_HEADER_SIZE; consumerPos += (ULONG)header.Length; consumerPos += (ULONG)header.Alignment; if (!header.Discard) { buffer = Add2Ptr(headerPointer, KPH_RING_BUFFER_HEADER_SIZE); done = Callback(Context, buffer, (ULONG)header.Length); } WriteULongRelease(&Ring->Consumer->Position, consumerPos); } return TRUE; } ================================================ FILE: kphlib/sistatus.mc ================================================ ;/* ; * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. ; * ; * This file is part of System Informer. ; * ; * sistatus.h IS AN AUTOGENERATED FILE, DO NOT MODIFY ; * ; * Changes should be made in sistatus.mc ; * ; */ ; ;#ifndef SI_STATUS_H ;#define SI_STATUS_H MessageIdTypedef=NTSTATUS SeverityNames = ( Success = 0x0:STATUS_SEVERITY_SUCCESS Informational = 0x1:STATUS_SEVERITY_INFORMATIONAL Warning = 0x2:STATUS_SEVERITY_WARNING Error = 0x3:STATUS_SEVERITY_ERROR ) FacilityNames = ( System = 0x0 SystemInformer = 0x1:FACILITY_SI DynamicData = 0x2:FACILITY_SI_DYNDATA KSystemInformer = 0x3:FACILITY_KSI ) MessageId = 0x0001 Facility = DynamicData Severity = Error SymbolicName = STATUS_SI_DYNDATA_UNSUPPORTED_KERNEL Language = English System Informer dynamic data is not yet supported on this kernel version. . MessageId = 0x0002 Facility = DynamicData Severity = Error SymbolicName = STATUS_SI_DYNDATA_VERSION_MISMATCH Language = English System Informer dynamic data version is incompatible. . MessageId = 0x0003 Facility = DynamicData Severity = Error SymbolicName = STATUS_SI_DYNDATA_INVALID_LENGTH Language = English System Informer dynamic data is an invalid length. . MessageId = 0x0004 Facility = DynamicData Severity = Error SymbolicName = STATUS_SI_DYNDATA_INVALID_SIGNATURE Language = English System Informer dynamic data signature is invalid. . MessageId = 0x0001 Facility = KSystemInformer Severity = Error SymbolicName = STATUS_SI_KSIDLL_VERSION_MISMATCH Language = English System Informer kernel library version is incompatible. . ;#endif ================================================ FILE: packages.config ================================================ ================================================ FILE: phlib/CMakeLists.txt ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # project(phlib) set(HEADERS "circbuf_i.h" "format_i.h" "include/apiimport.h" "include/appresolver.h" "include/appresolverp.h" "include/bcd.h" "include/circbuf.h" "include/circbuf_h.h" "include/colorbox.h" "include/cpysave.h" "include/dltmgr.h" "include/dspick.h" "include/emenu.h" "include/exlf.h" "include/exprodid.h" "include/fastlock.h" "include/filepool.h" "include/filepoolp.h" "include/filestream.h" "include/filestreamp.h" "include/graph.h" "include/guisup.h" "include/guisupp.h" "include/guisupview.h" "include/handle.h" "include/handlep.h" "include/hexedit.h" "include/hexeditp.h" "include/hndlinfo.h" "include/hvsocketcontrol.h" "include/json.h" "include/kphcomms.h" "include/kphuser.h" "include/lsamsup.h" "include/lsasup.h" "include/mapimg.h" "include/mapldr.h" "include/ph.h" "include/phafd.h" "include/phbase.h" "include/phbasesup.h" "include/phconfig.h" "include/phconsole.h" "include/phdata.h" "include/phfirmware.h" "include/phintrin.h" "include/phintrnl.h" "include/phnative.h" "include/phnativeinl.h" "include/phnet.h" "include/phsup.h" "include/phutil.h" "include/provider.h" "include/queuedlock.h" "include/ref.h" "include/refp.h" "include/searchbox.h" "include/secedit.h" "include/seceditp.h" "include/secwmi.h" "include/settings.h" "include/strsrch.h" "include/svcsup.h" "include/symprv.h" "include/symprvp.h" "include/templ.h" "include/thirdparty.h" "include/treenew.h" "include/treenewp.h" "include/verify.h" "include/verifyp.h" "include/workqueue.h" "include/workqueuep.h" "include/wslsup.h" ) source_group("Header Files" FILES ${HEADERS}) set(SOURCES "apiimport.c" "appresolver.c" "appruntime.c" "avltree.c" "basestring.c" "basesup.c" "bcd.cpp" "circbuf.c" "colorbox.c" "cpysave.c" "data.c" "directdraw.cpp" "dspick.c" "emenu.c" "error.c" "extlv.c" "fastlock.c" "filepool.c" "filestream.c" "firmware.c" "format.c" "format_std.cpp" "global.c" "graph.c" "guisup.c" "guisuplistview.cpp" "handle.c" "hexedit.c" "hndlinfo.c" "http.c" "hvsocketcontrol.c" "icotobmp.c" "imgcoherency.c" "json.c" "kph.c" "kphcomms.c" "lsamsup.c" "lsasup.c" "mapexlf.c" "mapimg.c" "mapldr.c" "maplib.c" "native.c" "nativefile.c" "nativeflt.c" "nativemodule.c" "nativejob.c" "nativekey.c" "nativetxn.c" "nativeprocess.c" "nativetoken.c" "nativepipe.c" "nativesocket.c" "nativethread.c" "nativeuser.c" "provider.c" "queuedlock.c" "ref.c" "searchbox.c" "secdata.c" "secedit.c" "secwmi.c" "settings.c" "strsrch.c" "svcsup.c" "symprv.c" "symprv_std.cpp" "sync.c" "theme.c" "treenew.c" "util.c" "verify.c" "workqueue.c" "wslsup.c" ) source_group("Source Files" FILES ${SOURCES}) set(ALL_FILES ${HEADERS} ${SOURCES} ) si_add_library(phlib STATIC ${ALL_FILES}) target_include_directories(phlib PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/include" ) target_compile_definitions(phlib PUBLIC _PHLIB_ ) target_link_libraries(phlib PRIVATE phnt kphlib_um thirdparty gdiplus ) add_library(phlib_interface INTERFACE) target_include_directories(phlib_interface INTERFACE "${CMAKE_CURRENT_SOURCE_DIR}/include" ) ================================================ FILE: phlib/Directory.Build.props ================================================ ================================================ FILE: phlib/apiimport.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015 * dmex 2019-2024 * */ #include #include #include #include #include #include #include #include /** * Imports a procedure from a specified module. * * \param InitOnce A pointer to an initialization structure. * \param Cache A pointer to a cache for the procedure address. * \param Cookie A pointer to a cookie for the procedure address. * \param ModuleName The name of the module. * \param ProcedureName The name of the procedure. * \return A pointer to the imported procedure, or NULL if the procedure could not be imported. */ FORCEINLINE PVOID PhpImportProcedure( _Inout_ PPH_INITONCE InitOnce, _Inout_ PVOID *Cache, _Inout_ PULONG_PTR Cookie, _In_ PCWSTR ModuleName, _In_ PCSTR ProcedureName ) { if (PhBeginInitOnce(InitOnce)) { PVOID module; PVOID procedure; module = PhGetLoaderEntryDllBaseZ(ModuleName); if (!module) module = PhLoadLibrary(ModuleName); if (module) { if (procedure = PhGetDllBaseProcedureAddress(module, ProcedureName, 0)) { *Cookie = (ULONG_PTR)PhReadTimeStampCounter(); *Cache = (PVOID)((ULONG_PTR)procedure ^ (ULONG_PTR)*Cookie); } } PhEndInitOnce(InitOnce); } if (*Cache && *Cookie) return (PVOID)((ULONG_PTR)*Cache ^ (ULONG_PTR)*Cookie); return NULL; } /** * Imports a procedure from a specified module using native methods. * * \param InitOnce A pointer to an initialization structure. * \param Cache A pointer to a cache for the procedure address. * \param Cookie A pointer to a cookie for the procedure address. * \param ModuleName The name of the module. * \param ProcedureName The name of the procedure. * \return A pointer to the imported procedure, or NULL if the procedure could not be imported. */ FORCEINLINE PVOID PhpImportProcedureNative( _Inout_ PPH_INITONCE InitOnce, _Inout_ PVOID *Cache, _Inout_ PULONG_PTR Cookie, _In_ PCWSTR ModuleName, _In_ PCSTR ProcedureName ) { if (PhBeginInitOnce(InitOnce)) { PVOID module; PVOID procedure; module = PhGetLoaderEntryDllBaseZ(ModuleName); if (!module) module = PhLoadLibrary(ModuleName); if (module) { ANSI_STRING procedureName; RtlInitAnsiString(&procedureName, ProcedureName); if (NT_SUCCESS(LdrGetProcedureAddress( module, &procedureName, 0, &procedure ))) { *Cookie = (ULONG_PTR)PhReadTimeStampCounter(); *Cache = (PVOID)((ULONG_PTR)procedure ^ (ULONG_PTR)*Cookie); } } PhEndInitOnce(InitOnce); } if (*Cache && *Cookie) return (PVOID)((ULONG_PTR)*Cache ^ (ULONG_PTR)*Cookie); return NULL; } /** * Defines an import function for a specified module and procedure. * * \param Module The name of the module. * \param Name The name of the procedure. */ #define PH_DEFINE_IMPORT(Module, Name) \ typeof(&(Name)) Name##_Import(VOID) \ { \ static PH_INITONCE initOnce = PH_INITONCE_INIT; \ static PVOID cache = NULL; \ static ULONG_PTR cookie = 0; \ \ return (typeof(&(Name)))PhpImportProcedure(&initOnce, &cache, &cookie, (Module), (#Name)); \ } /** * Defines an import function for a specified module and procedure for native loading. * * \param Module The name of the module. * \param Name The name of the procedure. */ #define PH_DEFINE_IMPORT_NATIVE(Module, Name) \ typeof(&(Name)) Name##_Import(VOID) \ { \ static PH_INITONCE initOnce = PH_INITONCE_INIT; \ static PVOID cache = NULL; \ static ULONG_PTR cookie = 0; \ \ return (typeof(&(Name)))PhpImportProcedureNative(&initOnce, &cache, &cookie, (Module), (#Name)); \ } PH_DEFINE_IMPORT(L"ntdll.dll", NtQueryInformationEnlistment); PH_DEFINE_IMPORT(L"ntdll.dll", NtQueryInformationResourceManager); PH_DEFINE_IMPORT(L"ntdll.dll", NtQueryInformationTransaction); PH_DEFINE_IMPORT(L"ntdll.dll", NtQueryInformationTransactionManager); PH_DEFINE_IMPORT(L"ntdll.dll", NtCreateProcessStateChange); PH_DEFINE_IMPORT(L"ntdll.dll", NtChangeProcessState); PH_DEFINE_IMPORT(L"ntdll.dll", NtCreateThreadStateChange); PH_DEFINE_IMPORT(L"ntdll.dll", NtChangeThreadState); PH_DEFINE_IMPORT(L"ntdll.dll", NtCopyFileChunk); PH_DEFINE_IMPORT(L"ntdll.dll", NtCompareObjects); PH_DEFINE_IMPORT(L"ntdll.dll", NtCreateTimer2); PH_DEFINE_IMPORT(L"ntdll.dll", NtSetTimer2); PH_DEFINE_IMPORT_NATIVE(L"ntdll.dll", NtSetInformationVirtualMemory); PH_DEFINE_IMPORT(L"ntdll.dll", LdrSystemDllInitBlock); PH_DEFINE_IMPORT(L"ntdll.dll", LdrResFindResource); PH_DEFINE_IMPORT(L"ntdll.dll", LdrResSearchResource); PH_DEFINE_IMPORT(L"ntdll.dll", RtlDefaultNpAcl); PH_DEFINE_IMPORT(L"ntdll.dll", RtlDelayExecution); PH_DEFINE_IMPORT(L"ntdll.dll", RtlDeriveCapabilitySidsFromName); PH_DEFINE_IMPORT(L"ntdll.dll", RtlDosLongPathNameToNtPathName_U_WithStatus); PH_DEFINE_IMPORT(L"ntdll.dll", RtlGetTokenNamedObjectPath); PH_DEFINE_IMPORT(L"ntdll.dll", RtlGetAppContainerNamedObjectPath); PH_DEFINE_IMPORT(L"ntdll.dll", RtlGetAppContainerSidType); PH_DEFINE_IMPORT(L"ntdll.dll", RtlGetAppContainerParent); PH_DEFINE_IMPORT(L"ntdll.dll", PssNtCaptureSnapshot); PH_DEFINE_IMPORT(L"ntdll.dll", PssNtQuerySnapshot); PH_DEFINE_IMPORT(L"ntdll.dll", PssNtFreeSnapshot); PH_DEFINE_IMPORT(L"ntdll.dll", PssNtFreeRemoteSnapshot); PH_DEFINE_IMPORT(L"ntdll.dll", NtPssCaptureVaSpaceBulk); PH_DEFINE_IMPORT(L"ntdll.dll", TpSetPoolThreadBasePriority); PH_DEFINE_IMPORT(L"advapi32.dll", ConvertSecurityDescriptorToStringSecurityDescriptorW); PH_DEFINE_IMPORT(L"advapi32.dll", ConvertStringSecurityDescriptorToSecurityDescriptorW); PH_DEFINE_IMPORT(L"cfgmgr32.dll", DevGetObjects); PH_DEFINE_IMPORT(L"cfgmgr32.dll", DevFreeObjects); PH_DEFINE_IMPORT(L"cfgmgr32.dll", DevGetObjectProperties); PH_DEFINE_IMPORT(L"cfgmgr32.dll", DevFreeObjectProperties); PH_DEFINE_IMPORT(L"cfgmgr32.dll", DevCreateObjectQuery); PH_DEFINE_IMPORT(L"cfgmgr32.dll", DevCloseObjectQuery); PH_DEFINE_IMPORT(L"shlwapi.dll", SHAutoComplete); PH_DEFINE_IMPORT(L"shlwapi.dll", SHCreateStreamOnFileEx); PH_DEFINE_IMPORT(L"userenv.dll", CreateEnvironmentBlock); PH_DEFINE_IMPORT(L"userenv.dll", DestroyEnvironmentBlock); PH_DEFINE_IMPORT(L"userenv.dll", GetAppContainerRegistryLocation); PH_DEFINE_IMPORT(L"userenv.dll", GetAppContainerFolderPath); PH_DEFINE_IMPORT(L"user32.dll", ConsoleControl); PH_DEFINE_IMPORT(L"user32.dll", GetCurrentInputMessageSource); PH_DEFINE_IMPORT(L"user32.dll", GetCIMSSM); PH_DEFINE_IMPORT(L"win32u.dll", NtUserBuildHwndList); PH_DEFINE_IMPORT(L"xmllite.dll", CreateXmlReader); PH_DEFINE_IMPORT(L"xmllite.dll", CreateXmlWriter); ================================================ FILE: phlib/apistubs.cpp ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2019-2024 * */ #include #include #include #include #include #include #include EXTERN_C_START static BOOL WINAPI CloseHandle_Stub( _In_ HANDLE Handle ) { NTSTATUS status; status = NtClose(Handle); PhSetLastError(PhNtStatusToDosError(status)); return NT_SUCCESS(status); } static BOOL WINAPI GetFileSizeEx_Stub( _In_ HANDLE hFile, _Out_ PLARGE_INTEGER lpFileSize ) { NTSTATUS status; status = PhGetFileSize(hFile, lpFileSize); PhSetLastError(PhNtStatusToDosError(status)); return NT_SUCCESS(status); } static FARPROC WINAPI GetProcAddress_Stub( _In_ HMODULE Module, _In_ PCSTR Name ) { NTSTATUS status; PVOID procedureAddress; if (IS_INTRESOURCE(Name)) { status = LdrGetProcedureAddress( Module, nullptr, PtrToUshort(Name), &procedureAddress ); } else { ANSI_STRING procedureName; RtlInitAnsiString(&procedureName, Name); status = LdrGetProcedureAddress( Module, &procedureName, 0, &procedureAddress ); } PhSetLastError(PhNtStatusToDosError(status)); if (NT_SUCCESS(status)) { return reinterpret_cast(procedureAddress); } return nullptr; } static BOOL WINAPI FlushFileBuffers_Stub( _In_ HANDLE hFile ) { NTSTATUS status; status = PhFlushBuffersFile(hFile); PhSetLastError(PhNtStatusToDosError(status)); return NT_SUCCESS(status); } static BOOL WINAPI IsDebuggerPresent_Stub( VOID ) { NTSTATUS status; BOOL result; result = !!NtCurrentPeb()->BeingDebugged; status = STATUS_SUCCESS; PhSetLastError(PhNtStatusToDosError(status)); return result; } static BOOL WINAPI SetEndOfFile_Stub( _In_ HANDLE hFile ) { NTSTATUS status; LARGE_INTEGER position; status = PhGetFilePosition(hFile, &position); if (NT_SUCCESS(status)) { status = PhSetFilePosition(hFile, &position); } PhSetLastError(PhNtStatusToDosError(status)); return NT_SUCCESS(status); } static BOOL WINAPI SetFilePointerEx_Stub( _In_ HANDLE File, _In_ LARGE_INTEGER DistanceToMove, _Out_opt_ PLARGE_INTEGER NewFilePointer, _In_ ULONG MoveMethod ) { NTSTATUS status; LARGE_INTEGER position; LARGE_INTEGER current; LARGE_INTEGER fileSize; switch (MoveMethod) { case FILE_BEGIN: position = DistanceToMove; break; case FILE_CURRENT: { status = PhGetFilePosition(File, ¤t); if (!NT_SUCCESS(status)) { PhSetLastError(PhNtStatusToDosError(status)); return FALSE; } position.QuadPart = current.QuadPart + DistanceToMove.QuadPart; } break; case FILE_END: { status = PhGetFileSize(File, &fileSize); if (!NT_SUCCESS(status)) { PhSetLastError(PhNtStatusToDosError(status)); return FALSE; } position.QuadPart = fileSize.QuadPart + DistanceToMove.QuadPart; } break; default: PhSetLastError(ERROR_INVALID_PARAMETER); return FALSE; } status = PhSetFilePosition(File, &position); PhSetLastError(PhNtStatusToDosError(status)); if (NT_SUCCESS(status)) { if (NewFilePointer) { *NewFilePointer = position; } return TRUE; } return FALSE; } DECLSPEC_NORETURN static VOID WINAPI ExitProcess_Stub( _In_ UINT uExitCode ) { PhExitApplication(PhDosErrorToNtStatus(uExitCode)); } static BOOL WINAPI TerminateProcess_Stub( _In_ HANDLE hProcess, _In_ UINT uExitCode ) { NTSTATUS status; status = NtTerminateProcess(hProcess, PhDosErrorToNtStatus(uExitCode)); PhSetLastError(PhNtStatusToDosError(status)); return NT_SUCCESS(status); } static ULONG WINAPI GetCurrentThreadId_Stub( VOID ) { NTSTATUS status; ULONG result; result = HandleToUlong(NtCurrentThreadId()); status = STATUS_SUCCESS; PhSetLastError(PhNtStatusToDosError(status)); return result; } static ULONG WINAPI GetCurrentProcessId_Stub( VOID ) { NTSTATUS status; ULONG result; result = HandleToUlong(NtCurrentProcessId()); status = STATUS_SUCCESS; PhSetLastError(PhNtStatusToDosError(status)); return result; } static HANDLE WINAPI GetCurrentProcess_Stub( VOID ) { NTSTATUS status; HANDLE result; result = NtCurrentProcess(); status = STATUS_SUCCESS; PhSetLastError(PhNtStatusToDosError(status)); return result; } static HANDLE WINAPI GetProcessHeap_Stub( VOID ) { NTSTATUS status; HANDLE result; result = RtlProcessHeap(); status = STATUS_SUCCESS; PhSetLastError(PhNtStatusToDosError(status)); return result; } static LPSTR WINAPI GetCommandLineA_Stub( VOID ) { return nullptr; } static LPWSTR WINAPI GetCommandLineW_Stub( VOID ) { return nullptr; } static HMODULE WINAPI GetModuleHandleW_Stub( _In_opt_ PCWSTR ModuleName ) { NTSTATUS status; HMODULE result; if (ModuleName) result = static_cast(PhGetDllHandle(ModuleName)); else result = static_cast(NtCurrentPeb()->ImageBaseAddress); if (result) status = STATUS_SUCCESS; else status = STATUS_DLL_NOT_FOUND; PhSetLastError(PhNtStatusToDosError(status)); return result; } static BOOL WINAPI QueryPerformanceCounter_Stub( _Out_ LARGE_INTEGER* PerformanceCount ) { return !!RtlQueryPerformanceCounter(PerformanceCount); } static VOID WINAPI GetSystemTimeAsFileTime_Stub( _Out_ PFILETIME SystemTime ) { LARGE_INTEGER systemTime; PhQuerySystemTime(&systemTime); SystemTime->dwLowDateTime = systemTime.LowPart; SystemTime->dwHighDateTime = systemTime.HighPart; } static BOOL WINAPI VirtualProtect_Stub( _In_ PVOID Address, _In_ SIZE_T Size, _In_ ULONG NewProtect, _Out_opt_ PULONG OldProtect ) { NTSTATUS status; ULONG oldProtect = 0; status = PhProtectVirtualMemory( NtCurrentProcess(), Address, Size, NewProtect, &oldProtect ); PhSetLastError(PhNtStatusToDosError(status)); if (NT_SUCCESS(status)) { if (OldProtect) { *OldProtect = oldProtect; } return TRUE; } return FALSE; } static VOID WINAPI EnterCriticalSection_Stub( _Inout_ LPCRITICAL_SECTION CriticalSection ) { RtlEnterCriticalSection(CriticalSection); } static VOID WINAPI LeaveCriticalSection_Stub( _Inout_ LPCRITICAL_SECTION CriticalSection ) { _Analysis_assume_lock_acquired_(*CriticalSection); RtlLeaveCriticalSection(CriticalSection); } static VOID WINAPI DeleteCriticalSection_Stub( _Inout_ LPCRITICAL_SECTION CriticalSection ) { RtlDeleteCriticalSection(CriticalSection); } static PVOID WINAPI HeapAllocate_Stub( _In_ PVOID HeapHandle, _In_opt_ ULONG Flags, _In_ SIZE_T Size ) { return RtlAllocateHeap(HeapHandle, Flags, Size); } static PVOID WINAPI HeapReAlloc_Stub( _In_ PVOID HeapHandle, _In_ ULONG Flags, _Frees_ptr_opt_ PVOID BaseAddress, _In_ SIZE_T Size ) { return RtlReAllocateHeap(HeapHandle, Flags, BaseAddress, Size); } static SIZE_T WINAPI HeapSize_Stub( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PCVOID BaseAddress ) { return RtlSizeHeap(HeapHandle, Flags, BaseAddress); } static BOOL WINAPI HeapFree_Stub( _In_ PVOID HeapHandle, _In_opt_ ULONG Flags, _Frees_ptr_opt_ _Post_invalid_ PVOID BaseAddress ) { return !!RtlFreeHeap(HeapHandle, Flags, BaseAddress); } #if defined(_M_IX86) #pragma warning(push) #pragma warning(disable: 4483) __declspec(selectany) decltype(&CloseHandle) __identifier("_imp__CloseHandle@4") = CloseHandle_Stub; __declspec(selectany) decltype(&GetFileSizeEx) __identifier("_imp__GetFileSizeEx@4") = GetFileSizeEx_Stub; __declspec(selectany) decltype(&GetProcAddress) __identifier("_imp__GetProcAddress@8") = GetProcAddress_Stub; __declspec(selectany) decltype(&FlushFileBuffers) __identifier("_imp__FlushFileBuffers@4") = FlushFileBuffers_Stub; __declspec(selectany) decltype(&TerminateProcess) __identifier("_imp__TerminateProcess@8") = TerminateProcess_Stub; __declspec(selectany) decltype(&GetCurrentThreadId) __identifier("_imp__GetCurrentThreadId@0") = GetCurrentThreadId_Stub; __declspec(selectany) decltype(&GetCurrentProcessId) __identifier("_imp__GetCurrentProcessId@0") = GetCurrentProcessId_Stub; __declspec(selectany) decltype(&GetCurrentProcess) __identifier("_imp__GetCurrentProcess@0") = GetCurrentProcess_Stub; __declspec(selectany) decltype(&GetProcessHeap) __identifier("_imp__GetProcessHeap@0") = GetProcessHeap_Stub; __declspec(selectany) decltype(&GetCommandLineA) __identifier("_imp__GetCommandLineA@0") = GetCommandLineA_Stub; __declspec(selectany) decltype(&GetCommandLineW) __identifier("_imp__GetCommandLineW@0") = GetCommandLineW_Stub; __declspec(selectany) decltype(&GetModuleHandleW) __identifier("_imp__GetModuleHandleW@4") = GetModuleHandleW_Stub; __declspec(selectany) decltype(&IsDebuggerPresent) __identifier("_imp__IsDebuggerPresent@0") = IsDebuggerPresent_Stub; __declspec(selectany) decltype(&SetEndOfFile) __identifier("_imp__SetEndOfFile@4") = SetEndOfFile_Stub; __declspec(selectany) decltype(&ExitProcess) __identifier("_imp__ExitProcess@4") = ExitProcess_Stub; __declspec(selectany) decltype(&VirtualProtect) __identifier("_imp__VirtualProtect@16") = VirtualProtect_Stub; __declspec(selectany) decltype(&InitializeSListHead) __identifier("_imp__InitializeSListHead@4") = PhInitializeSListHead; __declspec(selectany) decltype(&InterlockedPushEntrySList) __identifier("_imp__InterlockedPushEntrySList@8") = RtlInterlockedPushEntrySList; __declspec(selectany) decltype(&InterlockedFlushSList) __identifier("_imp__InterlockedFlushSList@4") = RtlInterlockedFlushSList; __declspec(selectany) decltype(&QueryPerformanceCounter) __identifier("_imp__QueryPerformanceCounter@4") = QueryPerformanceCounter_Stub; __declspec(selectany) decltype(&GetSystemTimeAsFileTime) __identifier("_imp__GetSystemTimeAsFileTime@4") = GetSystemTimeAsFileTime_Stub; __declspec(selectany) decltype(&SetFilePointerEx) __identifier("_imp__SetFilePointerEx@16") = SetFilePointerEx_Stub; __declspec(selectany) decltype(&EnterCriticalSection) __identifier("_imp__EnterCriticalSection@4") = EnterCriticalSection_Stub; __declspec(selectany) decltype(&LeaveCriticalSection) __identifier("_imp__LeaveCriticalSection@4") = LeaveCriticalSection_Stub; __declspec(selectany) decltype(&DeleteCriticalSection) __identifier("_imp__DeleteCriticalSection@4") = DeleteCriticalSection_Stub; __declspec(selectany) decltype(&AcquireSRWLockExclusive) __identifier("_imp__AcquireSRWLockExclusive@4") = RtlAcquireSRWLockExclusive; __declspec(selectany) decltype(&ReleaseSRWLockExclusive) __identifier("_imp__ReleaseSRWLockExclusive@4") = RtlReleaseSRWLockExclusive; __declspec(selectany) decltype(&HeapAlloc) __identifier("_imp__HeapAlloc@12") = HeapAllocate_Stub; __declspec(selectany) decltype(&HeapReAlloc) __identifier("_imp__HeapReAlloc@16") = HeapReAlloc_Stub; __declspec(selectany) decltype(&HeapSize) __identifier("_imp__HeapSize@12") = HeapSize_Stub; __declspec(selectany) decltype(&HeapFree) __identifier("_imp__HeapFree@12") = HeapFree_Stub; #pragma warning(pop) #else __declspec(selectany) decltype(&CloseHandle) __imp_CloseHandle = CloseHandle_Stub; __declspec(selectany) decltype(&GetFileSizeEx) __imp_GetFileSizeEx = GetFileSizeEx_Stub; __declspec(selectany) decltype(&GetProcAddress) __imp_GetProcAddress = GetProcAddress_Stub; __declspec(selectany) decltype(&FlushFileBuffers) __imp_FlushFileBuffers = FlushFileBuffers_Stub; __declspec(selectany) decltype(&TerminateProcess) __imp_TerminateProcess = TerminateProcess_Stub; __declspec(selectany) decltype(&GetCurrentThreadId) __imp_GetCurrentThreadId = GetCurrentThreadId_Stub; __declspec(selectany) decltype(&GetCurrentProcessId) __imp_GetCurrentProcessId = GetCurrentProcessId_Stub; __declspec(selectany) decltype(&GetCurrentProcess) __imp_GetCurrentProcess = GetCurrentProcess_Stub; __declspec(selectany) decltype(&GetProcessHeap) __imp_GetProcessHeap = GetProcessHeap_Stub; __declspec(selectany) decltype(&GetCommandLineA) __imp_GetCommandLineA = GetCommandLineA_Stub; __declspec(selectany) decltype(&GetCommandLineW) __imp_GetCommandLineW = GetCommandLineW_Stub; __declspec(selectany) decltype(&GetModuleHandleW) __imp_GetModuleHandleW = GetModuleHandleW_Stub; __declspec(selectany) decltype(&IsDebuggerPresent) __imp_IsDebuggerPresent = IsDebuggerPresent_Stub; __declspec(selectany) decltype(&SetEndOfFile) __imp_SetEndOfFile = SetEndOfFile_Stub; __declspec(selectany) decltype(&ExitProcess) __imp_ExitProcess = ExitProcess_Stub; __declspec(selectany) decltype(&VirtualProtect) __imp_VirtualProtect = VirtualProtect_Stub; __declspec(selectany) decltype(&InitializeSListHead) __imp_InitializeSListHead = PhInitializeSListHead; __declspec(selectany) decltype(&InterlockedPushEntrySList) __imp_InterlockedPushEntrySList = RtlInterlockedPushEntrySList; __declspec(selectany) decltype(&InterlockedFlushSList) __imp_InterlockedFlushSList = RtlInterlockedFlushSList; __declspec(selectany) decltype(&QueryPerformanceCounter) __imp_QueryPerformanceCounter = QueryPerformanceCounter_Stub; __declspec(selectany) decltype(&GetSystemTimeAsFileTime) __imp_GetSystemTimeAsFileTime = GetSystemTimeAsFileTime_Stub; __declspec(selectany) decltype(&SetFilePointerEx) __imp_SetFilePointerEx = SetFilePointerEx_Stub; __declspec(selectany) decltype(&EnterCriticalSection) __imp_EnterCriticalSection = EnterCriticalSection_Stub; __declspec(selectany) decltype(&LeaveCriticalSection) __imp_LeaveCriticalSection = LeaveCriticalSection_Stub; __declspec(selectany) decltype(&DeleteCriticalSection) __imp_DeleteCriticalSection = DeleteCriticalSection_Stub; __declspec(selectany) decltype(&AcquireSRWLockExclusive) __imp_AcquireSRWLockExclusive = RtlAcquireSRWLockExclusive; __declspec(selectany) decltype(&ReleaseSRWLockExclusive) __imp_ReleaseSRWLockExclusive = RtlReleaseSRWLockExclusive; __declspec(selectany) decltype(&HeapAlloc) __imp_HeapAlloc = HeapAllocate_Stub; __declspec(selectany) decltype(&HeapReAlloc) __imp_HeapReAlloc = HeapReAlloc_Stub; __declspec(selectany) decltype(&HeapSize) __imp_HeapSize = HeapSize_Stub; __declspec(selectany) decltype(&HeapFree) __imp_HeapFree = HeapFree_Stub; #endif EXTERN_C_END ================================================ FILE: phlib/appresolver.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include static typeof(&AppContainerDeriveSidFromMoniker) AppContainerDeriveSidFromMoniker_I = NULL; static typeof(&AppContainerLookupMoniker) AppContainerLookupMoniker_I = NULL; static typeof(&AppContainerFreeMemory) AppContainerFreeMemory_I = NULL; /** * Queries the AppResolver interface. * * \return A pointer to the AppResolver interface, or NULL if the interface could not be queried. */ static PVOID PhpQueryAppResolverInterface( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID resolverInterface = NULL; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion < WINDOWS_8) PhGetClassObject(L"appresolver.dll", &CLSID_StartMenuCacheAndAppResolver_I, &IID_IApplicationResolver_I, &resolverInterface); else PhGetClassObject(L"appresolver.dll", &CLSID_StartMenuCacheAndAppResolver_I, &IID_IApplicationResolver2_I, &resolverInterface); PhEndInitOnce(&initOnce); } return resolverInterface; } /** * Queries the StartMenuCache interface. * * \return A pointer to the StartMenuCache interface, or NULL if the interface could not be queried. */ static PVOID PhpQueryStartMenuCacheInterface( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID startMenuInterface = NULL; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion < WINDOWS_8) PhGetClassObject(L"appresolver.dll", &CLSID_StartMenuCacheAndAppResolver_I, &IID_IStartMenuAppItems_I, &startMenuInterface); else PhGetClassObject(L"appresolver.dll", &CLSID_StartMenuCacheAndAppResolver_I, &IID_IStartMenuAppItems2_I, &startMenuInterface); PhEndInitOnce(&initOnce); } return startMenuInterface; } /** * Checks if the AppContainer functions are initialized. * * \return TRUE if initialized, FALSE otherwise. */ static BOOLEAN PhpKernelAppCoreInitialized( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN kernelAppCoreInitialized = FALSE; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_8) { PVOID baseAddress; if(baseAddress = PhLoadLibrary(L"kernelbase.dll")) { AppContainerDeriveSidFromMoniker_I = PhGetDllBaseProcedureAddress(baseAddress, "AppContainerDeriveSidFromMoniker", 0); AppContainerLookupMoniker_I = PhGetDllBaseProcedureAddress(baseAddress, "AppContainerLookupMoniker", 0); AppContainerFreeMemory_I = PhGetDllBaseProcedureAddress(baseAddress, "AppContainerFreeMemory", 0); } if ( AppContainerDeriveSidFromMoniker_I && AppContainerLookupMoniker_I && AppContainerFreeMemory_I ) { kernelAppCoreInitialized = TRUE; } } PhEndInitOnce(&initOnce); } return kernelAppCoreInitialized; } /** * Retrieves the Application User Model ID (AppUserModelId) for a specified process. * * \param ProcessId The handle to the process. * \param ApplicationUserModelId A pointer to a string that receives the Application User Model ID. * \return HRESULT indicating success or failure. */ HRESULT PhAppResolverGetAppIdForProcess( _In_ HANDLE ProcessId, _Out_ PPH_STRING *ApplicationUserModelId ) { HRESULT status; PVOID resolverInterface; PWSTR appIdText; if (!(resolverInterface = PhpQueryAppResolverInterface())) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); if (WindowsVersion < WINDOWS_8) { status = IApplicationResolver_GetAppIDForProcess( (IApplicationResolver*)resolverInterface, HandleToUlong(ProcessId), &appIdText, NULL, NULL, NULL ); } else { status = IApplicationResolver2_GetAppIDForProcess( (IApplicationResolver2*)resolverInterface, HandleToUlong(ProcessId), &appIdText, NULL, NULL, NULL ); } if (HR_SUCCESS(status)) { SIZE_T appIdTextLength; appIdTextLength = RtlSizeHeap( RtlProcessHeap(), 0, appIdText ); if ((appIdTextLength % sizeof(WCHAR)) == 0 && appIdTextLength > sizeof(UNICODE_NULL)) { *ApplicationUserModelId = PhCreateStringEx( appIdText, appIdTextLength - sizeof(UNICODE_NULL) ); } else { *ApplicationUserModelId = NULL; status = E_UNEXPECTED; } CoTaskMemFree(appIdText); } else { *ApplicationUserModelId = NULL; } return status; } /** * Retrieves the Application User Model ID (AppUserModelId) for a specified window. * * \param WindowHandle The handle to the window. * \param ApplicationUserModelId A pointer to a string that receives the Application User Model ID. * \return HRESULT indicating success or failure. * \sa https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-iapplicationactivationmanager-activateapplication */ HRESULT PhAppResolverGetAppIdForWindow( _In_ HWND WindowHandle, _Out_ PPH_STRING *ApplicationUserModelId ) { HRESULT status; PVOID resolverInterface; PWSTR appIdText; if (!(resolverInterface = PhpQueryAppResolverInterface())) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); if (WindowsVersion < WINDOWS_8) { status = IApplicationResolver_GetAppIDForWindow( (IApplicationResolver*)resolverInterface, WindowHandle, &appIdText, NULL, NULL, NULL ); } else { status = IApplicationResolver_GetAppIDForWindow( (IApplicationResolver2*)resolverInterface, WindowHandle, &appIdText, NULL, NULL, NULL ); } if (SUCCEEDED(status)) { SIZE_T appIdTextLength; appIdTextLength = RtlSizeHeap( RtlProcessHeap(), 0, appIdText ); if ((appIdTextLength % sizeof(WCHAR)) == 0 && appIdTextLength > sizeof(UNICODE_NULL)) { *ApplicationUserModelId = PhCreateStringEx( appIdText, appIdTextLength - sizeof(UNICODE_NULL) ); } else { status = E_UNEXPECTED; } CoTaskMemFree(appIdText); } return status; } /** * Activates the specified Windows Store app for the generic launch contract (Windows.Launch) in the current session. * * \param[in] ApplicationUserModelId The application user model ID of the Windows Store app. * \param[in] CommandLine A pointer to an optional, app-specific, argument string. * \param[out] ProcessId The process ID of the new instance. * \return HRESULT Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-iapplicationactivationmanager-activateapplication */ HRESULT PhAppResolverActivateAppId( _In_ PPH_STRING ApplicationUserModelId, _In_opt_ PCWSTR CommandLine, _Out_opt_ HANDLE *ProcessId ) { HRESULT status; ULONG processId = ULONG_MAX; IApplicationActivationManager* applicationActivationManager; status = PhGetClassObject( L"twinui.appcore.dll", &CLSID_ApplicationActivationManager, &IID_IApplicationActivationManager, &applicationActivationManager ); if (SUCCEEDED(status)) { CoAllowSetForegroundWindow((IUnknown*)applicationActivationManager, NULL); status = IApplicationActivationManager_ActivateApplication( applicationActivationManager, PhGetString(ApplicationUserModelId), CommandLine, AO_NONE, &processId ); IApplicationActivationManager_Release(applicationActivationManager); } if (SUCCEEDED(status)) { if (ProcessId) *ProcessId = UlongToHandle(processId); } return status; } /** * Terminates all processes for the specified package. * * \param PackageFullName The package full name. * \return HRESULT Successful or errant status. */ HRESULT PhAppResolverPackageTerminateProcess( _In_ PCWSTR PackageFullName ) { HRESULT status; IPackageDebugSettings* packageDebugSettings; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_PackageDebugSettings, &IID_IPackageDebugSettings, &packageDebugSettings ); if (SUCCEEDED(status)) { status = IPackageDebugSettings_TerminateAllProcesses( packageDebugSettings, PackageFullName ); IPackageDebugSettings_Release(packageDebugSettings); } return status; } /** * Enables debug mode for the processes of the specified package. * * \param PackageFullName The package full name. * \return HRESULT Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ipackagedebugsettings-enabledebugging */ HRESULT PhAppResolverEnablePackageDebug( _In_ PCWSTR PackageFullName ) { HRESULT status; IPackageDebugSettings* packageDebugSettings; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_PackageDebugSettings, &IID_IPackageDebugSettings, &packageDebugSettings ); if (SUCCEEDED(status)) { status = IPackageDebugSettings_EnableDebugging( packageDebugSettings, PackageFullName, NULL, NULL ); IPackageDebugSettings_Release(packageDebugSettings); } return status; } /** * Disables debug mode for the processes of the specified package. * * \param PackageFullName The package full name. * \return HRESULT Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ipackagedebugsettings-disabledebugging */ HRESULT PhAppResolverDisablePackageDebug( _In_ PCWSTR PackageFullName ) { HRESULT status; IPackageDebugSettings* packageDebugSettings; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_PackageDebugSettings, &IID_IPackageDebugSettings, &packageDebugSettings ); if (SUCCEEDED(status)) { status = IPackageDebugSettings_DisableDebugging( packageDebugSettings, PackageFullName ); IPackageDebugSettings_Release(packageDebugSettings); } return status; } /** * Suspends the processes of the package if they are currently running. * * \param PackageFullName The package full name. * \return HRESULT Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ipackagedebugsettings-suspend */ HRESULT PhAppResolverPackageSuspend( _In_ PCWSTR PackageFullName ) { HRESULT status; IPackageDebugSettings* packageDebugSettings; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_PackageDebugSettings, &IID_IPackageDebugSettings, &packageDebugSettings ); if (SUCCEEDED(status)) { status = IPackageDebugSettings_Suspend( packageDebugSettings, PackageFullName ); IPackageDebugSettings_Release(packageDebugSettings); } return status; } /** * Resumes the processes of the package if they are currently suspended. * * \param PackageFullName The package full name. * \return HRESULT Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ipackagedebugsettings-resume */ HRESULT PhAppResolverPackageResume( _In_ PCWSTR PackageFullName ) { HRESULT status; IPackageDebugSettings* packageDebugSettings; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_PackageDebugSettings, &IID_IPackageDebugSettings, &packageDebugSettings ); if (SUCCEEDED(status)) { status = IPackageDebugSettings_Resume( packageDebugSettings, PackageFullName ); IPackageDebugSettings_Release(packageDebugSettings); } return status; } /** * Gets the background tasks that are provided by the specified package. * * \param[in] PackageFullName The package full name. * \param[in,out] BackgroundTasks A list of task names. * \return HRESULT Successful or errant status. */ HRESULT PhAppResolverEnumeratePackageBackgroundTasks( _In_ PCWSTR PackageFullName, _Inout_ PPH_LIST BackgroundTasks ) { HRESULT status; IPackageDebugSettings* packageDebugSettings; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_PackageDebugSettings, &IID_IPackageDebugSettings, &packageDebugSettings ); if (SUCCEEDED(status)) { ULONG taskCount = 0; PCGUID taskIds = NULL; PCWSTR* taskNames = NULL; status = IPackageDebugSettings_EnumerateBackgroundTasks( packageDebugSettings, PackageFullName, &taskCount, &taskIds, &taskNames ); if (SUCCEEDED(status)) { for (ULONG i = 0; i < taskCount; i++) { PPH_PACKAGE_TASK_ENTRY entry; entry = PhAllocateZero(sizeof(PH_PACKAGE_TASK_ENTRY)); entry->TaskGuid = taskIds[i]; entry->TaskName = PhCreateString(taskNames[i]); PhAddItemList(BackgroundTasks, entry); } } IPackageDebugSettings_Release(packageDebugSettings); } return status; } /** * Stops redirection of background tasks for the specified package. * * \param PackageFullName The package full name. * \return HRESULT Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ipackagedebugsettings-stopsessionredirection */ HRESULT PhAppResolverPackageStopSessionRedirection( _In_ PCWSTR PackageFullName ) { HRESULT status; IPackageDebugSettings* packageDebugSettings; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_PackageDebugSettings, &IID_IPackageDebugSettings, &packageDebugSettings ); if (SUCCEEDED(status)) { status = IPackageDebugSettings_StopSessionRedirection( packageDebugSettings, PackageFullName ); IPackageDebugSettings_Release(packageDebugSettings); } return status; } PPH_STRING PhGetAppContainerName( _In_ PSID AppContainerSid ) { HRESULT result; PPH_STRING appContainerName = NULL; PWSTR packageMonikerName; if (!PhpKernelAppCoreInitialized()) return NULL; result = AppContainerLookupMoniker_I( AppContainerSid, &packageMonikerName ); if (HR_SUCCESS(result)) { appContainerName = PhCreateString(packageMonikerName); AppContainerFreeMemory_I(packageMonikerName); } else // Check the local system account appcontainer mappings. (dmex) { static CONST PH_STRINGREF appcontainerMappings = PH_STRINGREF_INIT(L"Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Mappings\\"); static CONST PH_STRINGREF appcontainerDefaultMappings = PH_STRINGREF_INIT(L".DEFAULT\\"); HANDLE keyHandle; PPH_STRING keyPath; USHORT sidStringLength = 0; WCHAR sidString[SECURITY_MAX_SID_STRING_CHARACTERS]; if (NT_SUCCESS(PhSidToBuffer( AppContainerSid, sidString, sizeof(sidString), &sidStringLength ))) { PH_STRINGREF string; string.Length = sidStringLength; string.Buffer = sidString; keyPath = PhConcatStringRef3(&appcontainerDefaultMappings, &appcontainerMappings, &string); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_USERS, &keyPath->sr, 0 ))) { PhMoveReference(&appContainerName, PhQueryRegistryStringZ(keyHandle, L"Moniker")); NtClose(keyHandle); } PhDereferenceObject(keyPath); } } return appContainerName; } PPH_STRING PhGetAppContainerSidFromName( _In_ PCWSTR AppContainerName ) { PSID appContainerSid; PPH_STRING packageSidString = NULL; if (!PhpKernelAppCoreInitialized()) return NULL; if (HR_SUCCESS(AppContainerDeriveSidFromMoniker_I( AppContainerName, &appContainerSid ))) { packageSidString = PhSidToStringSid(appContainerSid); RtlFreeSid(appContainerSid); } return packageSidString; } PPH_STRING PhGetAppContainerPackageName( _In_ PSID Sid ) { static CONST PH_STRINGREF appcontainerMappings = PH_STRINGREF_INIT(L"Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Mappings\\"); static CONST PH_STRINGREF appcontainerDefaultMappings = PH_STRINGREF_INIT(L".DEFAULT\\"); HANDLE keyHandle; PPH_STRING sidString; PPH_STRING keyPath; PPH_STRING packageName = NULL; if (PhEqualSid(Sid, PhSeInternetExplorerSid())) // S-1-15-3-4096 (dmex) { return PhCreateString(L"InternetExplorer"); } if (!(sidString = PhSidToStringSid(Sid))) return NULL; keyPath = PhConcatStringRef2(&appcontainerMappings, &sidString->sr); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_CURRENT_USER, &keyPath->sr, 0 ))) { PhMoveReference(&packageName, PhQueryRegistryStringZ(keyHandle, L"Moniker")); NtClose(keyHandle); } PhDereferenceObject(keyPath); // Check the local system account appcontainer mappings. (dmex) if (PhIsNullOrEmptyString(packageName)) { keyPath = PhConcatStringRef3(&appcontainerDefaultMappings, &appcontainerMappings, &sidString->sr); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_USERS, &keyPath->sr, 0 ))) { PhMoveReference(&packageName, PhQueryRegistryStringZ(keyHandle, L"Moniker")); NtClose(keyHandle); } PhDereferenceObject(keyPath); } PhDereferenceObject(sidString); return packageName; } // rev from GetPackagePath (dmex) PPH_STRING PhGetPackagePath( _In_ PPH_STRING PackageFullName ) { static CONST PH_STRINGREF storeAppPackages = PH_STRINGREF_INIT(L"Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\"); HANDLE keyHandle; PPH_STRING keyPath; PPH_STRING packagePath = NULL; keyPath = PhConcatStringRef2(&storeAppPackages, &PackageFullName->sr); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_CURRENT_USER, &keyPath->sr, 0 ))) { packagePath = PhQueryRegistryStringZ(keyHandle, L"PackageRootFolder"); NtClose(keyHandle); } PhDereferenceObject(keyPath); return packagePath; } PPH_STRING PhGetPackageAppDataPath( _In_ HANDLE ProcessHandle ) { static CONST PH_STRINGREF attributeName = PH_STRINGREF_INIT(L"WIN://SYSAPPID"); PPH_STRING packageAppDataPath = NULL; PPH_STRING localAppDataPath; PTOKEN_SECURITY_ATTRIBUTES_INFORMATION info; HANDLE tokenHandle; localAppDataPath = PhGetKnownLocationZ(PH_FOLDERID_LocalAppData, L"\\Packages\\", FALSE); if (PhIsNullOrEmptyString(localAppDataPath)) return NULL; if (NT_SUCCESS(PhOpenProcessToken(ProcessHandle, TOKEN_QUERY, &tokenHandle))) { if (NT_SUCCESS(PhGetTokenSecurityAttribute(tokenHandle, &attributeName, &info))) { for (ULONG i = 0; i < info->AttributeCount; i++) { PTOKEN_SECURITY_ATTRIBUTE_V1 attribute = &info->AttributeV1[i]; if (attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING) { PH_STRINGREF valueAttributeName; PhUnicodeStringToStringRef(&attribute->Name, &valueAttributeName); if (PhEqualStringRef(&valueAttributeName, &attributeName, FALSE)) { PPH_STRING attributeValue; attributeValue = PhCreateStringFromUnicodeString(&attribute->Values.String[2]); packageAppDataPath = PhConcatStringRef2(&localAppDataPath->sr, &attributeValue->sr); PhDereferenceObject(attributeValue); break; } } } PhFree(info); } NtClose(tokenHandle); } PhDereferenceObject(localAppDataPath); return packageAppDataPath; } BOOLEAN PhIsPackageCapabilitySid( _In_ PSID AppContainerSid, _In_ PSID Sid ) { BOOLEAN isPackageCapability = TRUE; for (ULONG i = 1; i < SECURITY_APP_PACKAGE_RID_COUNT - 1; i++) { if ( *PhSubAuthoritySid(AppContainerSid, i) != *PhSubAuthoritySid(Sid, i) ) { isPackageCapability = FALSE; break; } } return isPackageCapability; } PPH_LIST PhGetPackageAssetsFromResourceFile( _In_ PCWSTR FilePath ) { IMrtResourceManager* resourceManager = NULL; IResourceMap* resourceMap = NULL; PPH_LIST resourceList = NULL; ULONG resourceCount = 0; if (FAILED(PhGetClassObject( L"mrmcorer.dll", &CLSID_MrtResourceManager_I, &IID_IMrtResourceManager_I, &resourceManager ))) { return FALSE; } if (FAILED(IMrtResourceManager_InitializeForFile(resourceManager, FilePath))) goto CleanupExit; if (FAILED(IMrtResourceManager_GetMainResourceMap(resourceManager, &IID_IResourceMap_I, &resourceMap))) goto CleanupExit; if (FAILED(IResourceMap_GetNamedResourceCount(resourceMap, &resourceCount))) goto CleanupExit; resourceList = PhCreateList(10); for (ULONG i = 0; i < resourceCount; i++) { PWSTR resourceName; if (SUCCEEDED(IResourceMap_GetNamedResourceUri(resourceMap, i, &resourceName))) { PhAddItemList(resourceList, PhCreateString(resourceName)); } } CleanupExit: if (resourceMap) IResourceMap_Release(resourceMap); if (resourceManager) IMrtResourceManager_Release(resourceManager); return resourceList; } HRESULT PhAppResolverBeginCrashDumpTask( _In_ HANDLE ProcessId, _Out_ HANDLE *TaskHandle ) { HRESULT status; IOSTaskCompletion* taskCompletion = NULL; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_OSTaskCompletion_I, &IID_IOSTaskCompletion_I, &taskCompletion ); if (SUCCEEDED(status)) { status = IOSTaskCompletion_BeginTask( taskCompletion, HandleToUlong(ProcessId), PT_TC_CRASHDUMP ); } if (SUCCEEDED(status)) { *TaskHandle = taskCompletion; } else if (taskCompletion) { IOSTaskCompletion_Release(taskCompletion); } return status; } HRESULT PhAppResolverBeginCrashDumpTaskByHandle( _In_ HANDLE ProcessHandle, _Out_ HANDLE *TaskHandle ) { HRESULT status; IOSTaskCompletion* taskCompletion = NULL; status = PhGetClassObject( L"twinapi.appcore.dll", &CLSID_OSTaskCompletion_I, &IID_IOSTaskCompletion_I, &taskCompletion ); if (SUCCEEDED(status)) { status = IOSTaskCompletion_BeginTaskByHandle( taskCompletion, ProcessHandle, PT_TC_CRASHDUMP ); } if (SUCCEEDED(status)) { *TaskHandle = taskCompletion; } else if (taskCompletion) { IOSTaskCompletion_Release(taskCompletion); } return status; } HRESULT PhAppResolverEndCrashDumpTask( _In_ HANDLE TaskHandle ) { IOSTaskCompletion* taskCompletionManager = TaskHandle; HRESULT status; status = IOSTaskCompletion_EndTask(taskCompletionManager); IOSTaskCompletion_Release(taskCompletionManager); return status; } HRESULT PhAppResolverGetEdpContextForWindow( _In_ HWND WindowHandle, _Out_ EDP_CONTEXT_STATES* State ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; HRESULT status; PEDP_CONTEXT context; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_10) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"edputil.dll")) { EdpGetContextForWindow_I = PhGetDllBaseProcedureAddress(baseAddress, "EdpGetContextForWindow", 0); EdpFreeContext_I = PhGetDllBaseProcedureAddress(baseAddress, "EdpFreeContext", 0); } } PhEndInitOnce(&initOnce); } if (!(EdpGetContextForWindow_I && EdpFreeContext_I)) return E_FAIL; status = EdpGetContextForWindow_I( WindowHandle, &context ); if (SUCCEEDED(status)) { *State = context->contextStates; EdpFreeContext_I(context); } return status; } HRESULT PhAppResolverGetEdpContextForProcess( _In_ HANDLE ProcessId, _Out_ EDP_CONTEXT_STATES* State ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; HRESULT status; PEDP_CONTEXT context; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_10) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"edputil.dll")) { EdpGetContextForProcess_I = PhGetDllBaseProcedureAddress(baseAddress, "EdpGetContextForProcess", 0); EdpFreeContext_I = PhGetDllBaseProcedureAddress(baseAddress, "EdpFreeContext", 0); } } PhEndInitOnce(&initOnce); } if (!(EdpGetContextForWindow_I && EdpFreeContext_I)) return E_FAIL; status = EdpGetContextForProcess_I( HandleToUlong(ProcessId), &context ); if (SUCCEEDED(status)) { *State = context->contextStates; EdpFreeContext_I(context); } return status; } // Note: IStartMenuAppItems_EnumItems doesn't return immersive items on Win11 (dmex) //VOID PhEnumerateStartMenuAppUserModelIds(VOID) //{ // PVOID startMenuInterface; // IEnumObjects* startMenuEnumObjects; // ULONG count = 0; // // if (!(startMenuInterface = PhpQueryStartMenuCacheInterface())) // return; // // if (WindowsVersion < WINDOWS_8) // { // IStartMenuAppItems_EnumItems( // (IStartMenuAppItems61*)startMenuInterface, // SMAIF_DEFAULT, // &IID_IEnumObjects, // &startMenuEnumObjects // ); // } // else // { // IStartMenuAppItems_EnumItems( // (IStartMenuAppItems62*)startMenuInterface, // SMAIF_DEFAULT, // &IID_IEnumObjects, // &startMenuEnumObjects // ); // } // // while (TRUE) // { // IPropertyStore* propStoreInterface[10]; // // if (IEnumObjects_Next(startMenuEnumObjects, 10, &IID_IPropertyStore, propStoreInterface, &count) != S_OK) // break; // if (count == 0) // break; // // for (ULONG i = 0; i < count; i++) // { // PROPVARIANT propValue; // // if (SUCCEEDED(IPropertyStore_GetValue(propStoreInterface[i], &PKEY_AppUserModel_ID, &propValue))) // { // PropVariantClear(&propValue); // } // // IPropertyStore_Release(propStoreInterface[i]); // } // } // // IStartMenuAppItems_Release(startMenuEnumObjects); //} DEFINE_GUID(FOLDERID_AppsFolder, 0x1e87508d, 0x89c2, 0x42f0, 0x8a, 0x7e, 0x64, 0x5a, 0x0f, 0x50, 0xca, 0x58); DEFINE_GUID(BHID_EnumItems, 0x94f60519, 0x2850, 0x4924, 0xaa, 0x5a, 0xd1, 0x5e, 0x84, 0x86, 0x80, 0x39); DEFINE_GUID(BHID_PropertyStore, 0x0384e1a4, 0x1523, 0x439c, 0xa4, 0xc8, 0xab, 0x91, 0x10, 0x52, 0xf5, 0x86); static BOOLEAN PhParseStartMenuAppShellItem( _In_ IShellItem2* ShellItem, _In_ PPH_LIST List ) { PROPVARIANT packageHostEnvironment; PWSTR packageAppUserModelID = NULL; PWSTR packageInstallPath = NULL; PWSTR packageFullName = NULL; PWSTR packageSmallLogoPath = NULL; PWSTR packageLongDisplayName = NULL; PropVariantInit(&packageHostEnvironment); if (HR_FAILED(IShellItem2_GetProperty(ShellItem, &PKEY_AppUserModel_HostEnvironment, &packageHostEnvironment))) return FALSE; if (packageHostEnvironment.vt != VT_UI4 && packageHostEnvironment.ulVal) return FALSE; IShellItem2_GetString(ShellItem, &PKEY_AppUserModel_ID, &packageAppUserModelID); IShellItem2_GetString(ShellItem, &PKEY_AppUserModel_PackageInstallPath, &packageInstallPath); IShellItem2_GetString(ShellItem, &PKEY_AppUserModel_PackageFullName, &packageFullName); IShellItem2_GetString(ShellItem, &PKEY_Tile_SmallLogoPath, &packageSmallLogoPath); IShellItem2_GetString(ShellItem, &PKEY_Tile_LongDisplayName, &packageLongDisplayName); if (packageAppUserModelID && packageInstallPath && packageFullName && packageSmallLogoPath && packageLongDisplayName) { PPH_APPUSERMODELID_ENUM_ENTRY entry; PWSTR imagePath = NULL; entry = PhAllocateZero(sizeof(PH_APPUSERMODELID_ENUM_ENTRY)); entry->AppUserModelId = PhCreateString(packageAppUserModelID); entry->PackageDisplayName = PhCreateString(packageLongDisplayName); entry->PackageInstallPath = PhCreateString(packageInstallPath); entry->PackageFullName = PhCreateString(packageFullName); if (HR_SUCCESS(PhAppResolverGetPackageResourceFilePath(packageFullName, packageSmallLogoPath, &imagePath))) { entry->SmallLogoPath = PhCreateString(imagePath); CoTaskMemFree(imagePath); } PhAddItemList(List, entry); return TRUE; } if (packageAppUserModelID) CoTaskMemFree(packageAppUserModelID); if (packageInstallPath) CoTaskMemFree(packageInstallPath); if (packageFullName) CoTaskMemFree(packageFullName); if (packageSmallLogoPath) CoTaskMemFree(packageSmallLogoPath); if (packageLongDisplayName) CoTaskMemFree(packageLongDisplayName); return FALSE; } PPH_LIST PhEnumApplicationUserModelIds( VOID ) { HRESULT status; PPH_LIST list = NULL; IShellItem2* shellKnownFolderItem = NULL; IEnumShellItems* shellEnumFolderItem = NULL; status = PhShellGetKnownFolderItem( &FOLDERID_AppsFolder, KF_FLAG_DONT_VERIFY, NULL, &IID_IShellItem2, &shellKnownFolderItem ); if (HR_FAILED(status)) goto CleanupExit; status = IShellItem2_BindToHandler( shellKnownFolderItem, NULL, &BHID_EnumItems, &IID_IEnumShellItems, &shellEnumFolderItem ); if (HR_FAILED(status)) goto CleanupExit; list = PhCreateList(10); while (TRUE) { ULONG count = 0; IShellItem* itemlist[10]; if (HR_FAILED(IEnumShellItems_Next(shellEnumFolderItem, 10, itemlist, &count))) break; if (count == 0) break; for (ULONG i = 0; i < count; i++) { IShellItem2* item; if (HR_SUCCESS(IShellItem_QueryInterface(itemlist[i], &IID_IShellItem2, &item))) { PhParseStartMenuAppShellItem(item, list); IShellItem2_Release(item); } IShellItem_Release(itemlist[i]); } } CleanupExit: if (shellEnumFolderItem) { IEnumShellItems_Release(shellEnumFolderItem); } if (shellKnownFolderItem) { IShellItem2_Release(shellKnownFolderItem); } return list; } HRESULT PhAppResolverGetPackageResourceFilePath( _In_ PCWSTR PackageFullName, _In_ PCWSTR Key, _Out_ PWSTR* FilePath ) { HRESULT status; IMrtResourceManager* resourceManager = NULL; IResourceMap* resourceMap = NULL; status = PhGetClassObject( L"mrmcorer.dll", &CLSID_MrtResourceManager_I, &IID_IMrtResourceManager_I, &resourceManager ); if (FAILED(status)) goto CleanupExit; status = IMrtResourceManager_InitializeForPackage(resourceManager, PackageFullName); if (FAILED(status)) goto CleanupExit; status = IMrtResourceManager_GetMainResourceMap(resourceManager, &IID_IResourceMap_I, &resourceMap); if (FAILED(status)) goto CleanupExit; status = IResourceMap_GetFilePath(resourceMap, Key, FilePath); CleanupExit: if (resourceMap) IResourceMap_Release(resourceMap); if (resourceManager) IMrtResourceManager_Release(resourceManager); return status; } HRESULT PhAppResolverGetPackageStartMenuPropertyStore( _In_ HANDLE ProcessId, _Out_ IPropertyStore** PropertyStore ) { HRESULT status; PVOID startMenuInterface; PPH_STRING applicationUserModelId; if (!(startMenuInterface = PhpQueryStartMenuCacheInterface())) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); status = PhAppResolverGetAppIdForProcess(ProcessId, &applicationUserModelId); if (FAILED(status)) return status; if (WindowsVersion < WINDOWS_8) { status = IStartMenuAppItems_GetItem( (IStartMenuAppItems*)startMenuInterface, SMAIF_DEFAULT, PhGetString(applicationUserModelId), &IID_IPropertyStore, PropertyStore ); } else { status = IStartMenuAppItems2_GetItem( (IStartMenuAppItems2*)startMenuInterface, SMAIF_DEFAULT, PhGetString(applicationUserModelId), &IID_IPropertyStore, PropertyStore ); } PhDereferenceObject(applicationUserModelId); return status; } _Success_(return) BOOLEAN PhAppResolverGetPackageIcon( _In_ HANDLE ProcessId, _In_ PPH_STRING PackageFullName, _Out_opt_ HICON* IconLarge, _Out_opt_ HICON* IconSmall, _In_ LONG SystemDpi ) { IPropertyStore* propertyStore = NULL; PROPVARIANT propertyPathValue; PROPVARIANT propertyColorValue; PWSTR imagePath = NULL; HICON iconLarge = NULL; HICON iconSmall = NULL; PropVariantInit(&propertyPathValue); PropVariantInit(&propertyColorValue); if (HR_FAILED(PhAppResolverGetPackageStartMenuPropertyStore(ProcessId, &propertyStore))) goto CleanupExit; if (HR_FAILED(IPropertyStore_GetValue(propertyStore, &PKEY_Tile_SmallLogoPath, &propertyPathValue))) goto CleanupExit; if (HR_FAILED(IPropertyStore_GetValue(propertyStore, &PKEY_Tile_Background, &propertyColorValue))) goto CleanupExit; if (HR_FAILED(PhAppResolverGetPackageResourceFilePath(PhGetString(PackageFullName), propertyPathValue.bstrVal, &imagePath))) goto CleanupExit; if (IconLarge) { HBITMAP bitmap; LONG width; LONG height; width = PhGetSystemMetrics(SM_CXICON, SystemDpi); height = PhGetSystemMetrics(SM_CYICON, SystemDpi); if (bitmap = PhLoadImageFromFile(imagePath, width, height)) { iconLarge = PhGdiplusConvertBitmapToIcon(bitmap, width, height, propertyColorValue.ulVal); DeleteBitmap(bitmap); } } if (IconSmall) { HBITMAP bitmap; LONG width; LONG height; width = PhGetSystemMetrics(SM_CXSMICON, SystemDpi); height = PhGetSystemMetrics(SM_CYSMICON, SystemDpi); if (bitmap = PhLoadImageFromFile(imagePath, width, height)) { iconSmall = PhGdiplusConvertBitmapToIcon(bitmap, width, height, propertyColorValue.ulVal); DeleteBitmap(bitmap); } } CleanupExit: if (imagePath) CoTaskMemFree(imagePath); if (propertyPathValue.bstrVal) CoTaskMemFree(propertyPathValue.bstrVal); if (propertyStore) IPropertyStore_Release(propertyStore); if (IconLarge && IconSmall) { if (iconLarge && iconSmall) { *IconLarge = iconLarge; *IconSmall = iconSmall; return TRUE; } if (iconLarge) DestroyIcon(iconLarge); if (iconSmall) DestroyIcon(iconSmall); return FALSE; } if (IconLarge && iconLarge) { *IconLarge = iconLarge; return TRUE; } if (IconSmall && iconSmall) { *IconSmall = iconSmall; return TRUE; } if (iconLarge) DestroyIcon(iconLarge); if (iconSmall) DestroyIcon(iconSmall); return FALSE; } // rev from Invoke-CommandInDesktopPackage (dmex) /** * Creates a new process in the context of the supplied PackageFamilyName and AppId. * * \li \c The created process will have the identity of the provided AppId and will have access to its virtualized file system and registry (if any). * \li \c The new process will have a token that's similar to, but not identical to, a real AppId process. * \li \c The primary use-case of this command is to invoke debugging or troubleshooting tools in the context of the packaged app to access its virtualized resources. * \li \c For example, you can run the Registry Editor to see virtualized registry keys, or Notepad to read virtualized files. * \li \c See the important note that follows on using tools such as the Registry Editor that require elevation. * \li \c No guarantees are made about the behavior of the created process, other than it having the package identity and access to the package's virtualized resources. * \li \c In particular, the new process will not be created in an AppContainer even if an AppId process would normally be created in an AppContainer. * \li \c Features such as Privacy Controls or other App Settings may or may not apply to the new process. * \li \c You shouldn't rely on any specific side-effects of using this command, as they're undefined and subject to change. * \param ApplicationUserModelId The Application ID from the target package's manifest. * \param Executable An executable to invoke. * \param Arguments Optional arguments to be passed to the new process. * \param Directory Optional * \param PreventBreakaway Causes all child processes of the invoked process to also be created in the context of the AppId. By default, child processes are created without any context. This switch is useful for running cmd.exe so that you can launch multiple other tools in the package context. * \param ParentProcessId A process to use instead of the calling process as the parent for the process being created. * \param ProcessHandle A handle to a process. * \return Successful or errant status. * \remarks https://learn.microsoft.com/en-us/powershell/module/appx/invoke-commandindesktoppackage */ HRESULT PhCreateProcessDesktopPackage( _In_ PCWSTR ApplicationUserModelId, _In_ PCWSTR Executable, _In_ PCWSTR Arguments, _In_opt_ PCWSTR Directory, _In_ BOOLEAN PreventBreakaway, _In_opt_ HANDLE ParentProcessId, _Out_opt_ PHANDLE ProcessHandle ) { HRESULT status; IDesktopAppXActivator* desktopAppXActivator; if (WindowsVersion < WINDOWS_11) { status = PhGetClassObject( L"twinui.dll", &CLSID_IDesktopAppXActivator_I, &IID_IDesktopAppXActivator1_I, &desktopAppXActivator ); } else { status = PhGetClassObject( L"twinui.appcore.dll", &CLSID_IDesktopAppXActivator_I, &IID_IDesktopAppXActivator2_I, &desktopAppXActivator ); } if (SUCCEEDED(status)) { ULONG options = DAXAO_CHECK_FOR_APPINSTALLER_UPDATES | DAXAO_CENTENNIAL_PROCESS; SetFlag(options, PreventBreakaway ? DAXAO_NONPACKAGED_EXE_PROCESS_TREE : DAXAO_NONPACKAGED_EXE); status = IDesktopAppXActivator_ActivateWithOptionsArgsWorkingDirectoryShowWindow( desktopAppXActivator, ApplicationUserModelId, Executable, Arguments, options, HandleToUlong(ParentProcessId), NULL, Directory, SW_SHOW, ProcessHandle ); if (HR_FAILED(status)) { status = IDesktopAppXActivator_ActivateWithOptions( desktopAppXActivator, ApplicationUserModelId, Executable, Arguments, options, HandleToUlong(ParentProcessId), ProcessHandle ); } IDesktopAppXActivator_Release(desktopAppXActivator); } return status; } ================================================ FILE: phlib/appruntime.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2023 * */ #include #include #include #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) #pragma comment(lib, "runtimeobject.lib") #include #include #endif #ifdef __hstring_h__ static_assert(sizeof(HSTRING_REFERENCE) == sizeof(HSTRING_HEADER), "HSTRING_REFERENCE must equal WSTRING_HEADER"); #else static_assert(sizeof(HSTRING_REFERENCE) == sizeof(WSTRING_HEADER), "HSTRING_REFERENCE must equal WSTRING_HEADER"); #endif /** * Creates a string from a Windows Runtime string. * * \param String The Windows Runtime string. * * \return A pointer to the created string. */ PPH_STRING PhCreateStringFromWindowsRuntimeString( _In_ HSTRING String ) { #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) UINT32 stringLength; PCWSTR string; if (string = PhGetWindowsRuntimeStringBuffer(String, &stringLength)) { if (stringLength >= sizeof(UNICODE_NULL)) { return PhCreateStringEx(string, stringLength * sizeof(WCHAR)); } } #else HSTRING_INSTANCE* string = (HSTRING_INSTANCE*)String; if (string && string->Length >= sizeof(UNICODE_NULL)) { return PhCreateStringEx(string->Buffer, string->Length * sizeof(WCHAR)); } #endif return PhReferenceEmptyString(); } // rev from WindowsCreateStringReference (dmex) /** * \brief Creates a new string reference based on the specified string. * * \param SourceString A null-terminated string to use as the source for the new string. * \param String A pointer to the newly created string. * * \return Successful or errant status. */ HRESULT PhCreateWindowsRuntimeStringReference( _In_ PCWSTR SourceString, _Out_ PVOID String ) { #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) HSTRING stringHandle; return WindowsCreateStringReference( SourceString, (UINT32)PhCountStringZ(SourceString), String, &stringHandle ); #else HSTRING_REFERENCE* string = (HSTRING_REFERENCE*)String; string->Flags = HSTRING_REFERENCE_FLAG; string->Length = (UINT32)PhCountStringZ(SourceString); string->Buffer = SourceString; return S_OK; #endif } // rev from WindowsCreateStringReference (dmex) /** * \brief Creates a new string reference based on the specified string. * * \param SourceString A null-terminated string to use as the source for the new string. * \param Length The count of characters for the string. * \param String A pointer to the newly created string. * * \return Successful or errant status. */ HRESULT PhCreateWindowsRuntimeStringReferenceEx( _In_ PCWSTR SourceString, _In_ UINT32 Length, _Out_ PVOID String ) { #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) HSTRING stringHandle; return WindowsCreateStringReference( SourceString, (UINT32)PhCountStringZ(SourceString), String, &stringHandle ); #else HSTRING_REFERENCE* string = (HSTRING_REFERENCE*)String; string->Flags = HSTRING_REFERENCE_FLAG; string->Length = Length; string->Buffer = SourceString; return S_OK; #endif } // rev from WindowsCreateString (dmex) /** * \brief Creates a new string based on the specified string. * * \param SourceString A null-terminated string to use as the source for the new string. * \param String A pointer to the newly created string. * * \return Successful or errant status. */ HRESULT PhCreateWindowsRuntimeString( _In_ PCWSTR SourceString, _Out_ HSTRING* String ) { #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) return WindowsCreateString( SourceString, (UINT32)PhCountStringZ(SourceString), String ); #else SIZE_T stringLength; SIZE_T bufferLength; HSTRING_INSTANCE* string; stringLength = PhCountStringZ(SourceString) * sizeof(WCHAR); bufferLength = sizeof(HSTRING_INSTANCE) + stringLength + sizeof(UNICODE_NULL); if (bufferLength > UINT_MAX) return MEM_E_INVALID_SIZE; string = RtlAllocateHeap(RtlProcessHeap(), 0, bufferLength); if (!string) return E_OUTOFMEMORY; assert(!(stringLength & 1)); string->Flags = 0; string->ReferenceCount = 1; string->Buffer = string->Data; string->Length = (UINT32)stringLength / sizeof(WCHAR); memcpy(string->Data, SourceString, stringLength); string->Data[string->Length] = UNICODE_NULL; *String = (HSTRING)string; return S_OK; #endif } // rev from WindowsDeleteString (dmex) /** * \brief Decrements the reference count of a string. * * \param String The string to be deleted. */ VOID PhDeleteWindowsRuntimeString( _In_opt_ HSTRING String ) { #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) WindowsDeleteString(String); #else HSTRING_INSTANCE* string = (HSTRING_INSTANCE*)String; LONG newRefCount; if (!string || BooleanFlagOn(string->Flags, HSTRING_REFERENCE_FLAG)) return; newRefCount = InterlockedDecrement(&string->ReferenceCount); ASSUME_ASSERT(newRefCount >= 0); if (newRefCount == 0) { RtlFreeHeap(RtlProcessHeap(), 0, string); } #endif } // rev from WindowsGetStringLen (dmex) /** * \brief Gets the length, in Unicode characters, of the specified string. * * \param String The string to be counted. * * \return Successful or errant status. */ ULONG PhGetWindowsRuntimeStringLength( _In_opt_ HSTRING String ) { #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) return WindowsGetStringLen(String); #else HSTRING_INSTANCE* string = (HSTRING_INSTANCE*)String; if (string) { return string->Length; } return 0; #endif } // rev from WindowsGetStringRawBuffer (dmex) /** * \brief Retrieves the backing buffer for the specified string. * * \param String An optional string for which the backing buffer is to be retrieved. Can be NULL. * \param Length The number of Unicode characters in the backing buffer for String (including embedded null characters, but excluding the terminating null). * * \return A pointer to the buffer that provides the backing store for string, or the empty string if string is NULL or the empty string. */ PCWSTR PhGetWindowsRuntimeStringBuffer( _In_opt_ HSTRING String, _Out_opt_ PULONG Length ) { #if defined(PH_NATIVE_WINDOWS_RUNTIME_STRING) return WindowsGetStringRawBuffer(String, Length); #else HSTRING_INSTANCE* string = (HSTRING_INSTANCE*)String; if (string) { if (Length) *Length = string->Length; return string->Buffer; } else { if (Length) *Length = 0; return L""; } #endif } #pragma region Cryptographic Buffer #include // 320b7e22-3cb0-4cdf-8663-1d28910065eb DEFINE_GUID(IID_ICryptographicBufferStatics, 0x320b7e22, 0x3cb0, 0x4cdf, 0x86, 0x63, 0x1d, 0x28, 0x91, 0x00, 0x65, 0xeb); PPH_STRING PhCryptographicBufferToHexString( _In_ __x_ABI_CWindows_CStorage_CStreams_CIBuffer* Buffer ) { PPH_STRING string = NULL; __x_ABI_CWindows_CSecurity_CCryptography_CICryptographicBufferStatics* cryptographicBufferStatics; HSTRING cryptographicBufferHandle; if (SUCCEEDED(PhGetActivationFactory( L"CryptoWinRT.dll", RuntimeClass_Windows_Security_Cryptography_CryptographicBuffer, &IID_ICryptographicBufferStatics, &cryptographicBufferStatics ))) { if (SUCCEEDED(__x_ABI_CWindows_CSecurity_CCryptography_CICryptographicBufferStatics_EncodeToHexString( cryptographicBufferStatics, Buffer, &cryptographicBufferHandle ))) { string = PhCreateStringFromWindowsRuntimeString(cryptographicBufferHandle); PhDeleteWindowsRuntimeString(cryptographicBufferHandle); } __x_ABI_CWindows_CSecurity_CCryptography_CICryptographicBufferStatics_Release(cryptographicBufferStatics); } return string; } #pragma endregion #pragma region Data Reader // 11fcbfc8-f93a-471b-b121-f379e349313c DEFINE_GUID(IID_IDataReaderStatics, 0x11fcbfc8, 0xf93a, 0x471b, 0xb1, 0x21, 0xf3, 0x79, 0xe3, 0x49, 0x31, 0x3c); PPH_STRING PhDataReaderBufferToHexString( _In_ __x_ABI_CWindows_CStorage_CStreams_CIBuffer* Buffer ) { PPH_STRING string = NULL; __x_ABI_CWindows_CStorage_CStreams_CIDataReaderStatics* dataReaderStatics; __x_ABI_CWindows_CStorage_CStreams_CIDataReader* dataReader; ULONG dataBufferLength = 0; UCHAR dataBuffer[128] = { 0 }; if (SUCCEEDED(__x_ABI_CWindows_CStorage_CStreams_CIBuffer_get_Length(Buffer, &dataBufferLength)) && dataBufferLength < sizeof(dataBuffer)) { if (SUCCEEDED(PhGetActivationFactory( L"WinTypes.dll", RuntimeClass_Windows_Storage_Streams_DataReader, &IID_IDataReaderStatics, &dataReaderStatics ))) { if (SUCCEEDED(__x_ABI_CWindows_CStorage_CStreams_CIDataReaderStatics_FromBuffer(dataReaderStatics, Buffer, &dataReader))) { if (SUCCEEDED(__x_ABI_CWindows_CStorage_CStreams_CIDataReader_ReadBytes(dataReader, dataBufferLength, dataBuffer))) { string = PhBufferToHexString(dataBuffer, dataBufferLength); } __x_ABI_CWindows_CStorage_CStreams_CIDataReader_Release(dataReader); } __x_ABI_CWindows_CStorage_CStreams_CIDataReaderStatics_Release(dataReaderStatics); } } return string; } #pragma endregion #pragma region System Identification #include // 5581f42a-d3df-4d93-a37d-c41a616c6d01 DEFINE_GUID(IID_ISystemIdentificationStatics, 0x5581f42a, 0xd3df, 0x4d93, 0xa3, 0x7d, 0xc4, 0x1a, 0x61, 0x6c, 0x6d, 0x01); PPH_STRING PhSystemIdentificationToString( _In_ __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationInfo* IdentificationInfo ) { __x_ABI_CWindows_CSystem_CProfile_CSystemIdentificationSource source; __x_ABI_CWindows_CStorage_CStreams_CIBuffer* buffer; PPH_STRING identifier = NULL; PCWSTR string = L"Unknown"; if (SUCCEEDED(__x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationInfo_get_Id(IdentificationInfo, &buffer))) { identifier = PhCryptographicBufferToHexString(buffer); if (PhIsNullOrEmptyString(identifier)) { identifier = PhDataReaderBufferToHexString(buffer); } __x_ABI_CWindows_CStorage_CStreams_CIBuffer_Release(buffer); } if (SUCCEEDED(__x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationInfo_get_Source(IdentificationInfo, &source))) { switch (source) { case SystemIdentificationSource_Tpm: string = L"TPM"; break; case SystemIdentificationSource_Uefi: string = L"UEFI"; break; case SystemIdentificationSource_Registry: string = L"Registry"; break; } } PhMoveReference(&identifier, PhFormatString( L"%s (%s)", PhGetStringOrDefault(identifier, L"Unknown"), string )); return identifier; } typedef struct _PH_APPHWID_QUERY_CONTEXT { HANDLE ProcessId; HANDLE ThreadId; HANDLE ProcessHandle; HANDLE ThreadHandle; } PH_APPHWID_QUERY_CONTEXT, *PPH_APPHWID_QUERY_CONTEXT; static PVOID PhDetoursPackageSystemIdentificationContext( _In_opt_ PPH_APPHWID_QUERY_CONTEXT Buffer, _In_ BOOLEAN Initialize ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static ULONG index = TLS_OUT_OF_INDEXES; if (PhBeginInitOnce(&initOnce)) { index = PhTlsAlloc(); PhEndInitOnce(&initOnce); } if (index != TLS_OUT_OF_INDEXES) { if (Initialize) { if (NT_SUCCESS(PhTlsSetValue(index, Buffer))) return Buffer; } else { return PhTlsGetValue(index); } } return NULL; } static HANDLE WINAPI PhDetoursPackageSystemIdentificationCurrentProcess( VOID ) { PPH_APPHWID_QUERY_CONTEXT context = PhDetoursPackageSystemIdentificationContext(NULL, FALSE); if (context) return context->ProcessHandle; else return NtCurrentProcess(); } static HANDLE WINAPI PhDetoursPackageSystemIdentificationCurrentThread( VOID ) { PPH_APPHWID_QUERY_CONTEXT context = PhDetoursPackageSystemIdentificationContext(NULL, FALSE); if (context) return context->ThreadHandle; else return NtCurrentThread(); } static ULONG WINAPI PhDetoursPackageSystemIdentificationCurrentProcessId( VOID ) { PPH_APPHWID_QUERY_CONTEXT context = PhDetoursPackageSystemIdentificationContext(NULL, FALSE); if (context) return HandleToUlong(context->ProcessId); else return HandleToUlong(NtCurrentProcessId()); } static ULONG WINAPI PhDetoursPackageSystemIdentificationCurrentThreadId( VOID ) { PPH_APPHWID_QUERY_CONTEXT context = PhDetoursPackageSystemIdentificationContext(NULL, FALSE); if (context) return HandleToUlong(context->ThreadId); else return HandleToUlong(NtCurrentThreadId()); } static BOOL WINAPI PhDetoursPackageSystemIdentificationCloseHandle( _In_ _Post_ptr_invalid_ HANDLE hObject ) { return TRUE; } static HRESULT PhDetoursPackageSystemIdentificationInitialize( _In_ PVOID Address, _In_ PPH_APPHWID_QUERY_CONTEXT Context ) { PVOID baseAddress = PhGetLoaderEntryAddressDllBase(Address); if (!baseAddress) return E_FAIL; if (!NT_SUCCESS(PhLoaderEntryDetourImportProcedure( baseAddress, "api-ms-win-core-processthreads-l1-1-0.dll", "GetCurrentProcess", PhDetoursPackageSystemIdentificationCurrentProcess, NULL ))) { return E_FAIL; } if (!NT_SUCCESS(PhLoaderEntryDetourImportProcedure( baseAddress, "api-ms-win-core-processthreads-l1-1-0.dll", "GetCurrentProcessId", PhDetoursPackageSystemIdentificationCurrentProcessId, NULL ))) { return E_FAIL; } if (!NT_SUCCESS(PhLoaderEntryDetourImportProcedure( baseAddress, "api-ms-win-core-processthreads-l1-1-0.dll", "GetCurrentThread", PhDetoursPackageSystemIdentificationCurrentThread, NULL ))) { return E_FAIL; } if (!NT_SUCCESS(PhLoaderEntryDetourImportProcedure( baseAddress, "api-ms-win-core-processthreads-l1-1-0.dll", "GetCurrentThreadId", PhDetoursPackageSystemIdentificationCurrentThreadId, NULL ))) { return E_FAIL; } if (!NT_SUCCESS(PhLoaderEntryDetourImportProcedure( baseAddress, "api-ms-win-core-handle-l1-1-0.dll", "CloseHandle", PhDetoursPackageSystemIdentificationCloseHandle, NULL ))) { return E_FAIL; } if (!PhDetoursPackageSystemIdentificationContext(Context, TRUE)) { return E_FAIL; } return S_OK; } static HRESULT PhDetoursPackageSystemIdentificationDelete( VOID ) { if (!PhDetoursPackageSystemIdentificationContext(NULL, TRUE)) { return E_FAIL; } return S_OK; } static HRESULT PhQueryProcessSystemIdentification( _In_ PPH_APPHWID_QUERY_CONTEXT Context, _Out_ PPH_STRING* SystemIdForPublisher, _Out_ PPH_STRING* SystemIdForUser ) { HRESULT status; __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationStatics* systemIdStatics = NULL; __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationInfo* systemIdPublisher; __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationInfo* systemIdUser; BOOLEAN revertImpersonationToken = FALSE; HANDLE tokenHandle = NULL; HRESULT systemIdForUserStatus = E_FAIL; HRESULT systemIdPublisherStatus = E_FAIL; PPH_STRING systemIdForPublisherString = NULL; PPH_STRING systemIdForUserString = NULL; status = PhGetActivationFactory( L"Windows.System.Profile.SystemId.dll", RuntimeClass_Windows_System_Profile_SystemIdentification, &IID_ISystemIdentificationStatics, &systemIdStatics ); if (FAILED(status)) return status; if (NT_SUCCESS(PhOpenProcessToken( Context->ProcessHandle, TOKEN_QUERY | TOKEN_IMPERSONATE | TOKEN_DUPLICATE, &tokenHandle ))) { revertImpersonationToken = NT_SUCCESS(PhImpersonateToken(NtCurrentThread(), tokenHandle)); } // We've impersonated the package but the SystemIdentification class // gets confused and the package manager queries the impersonated token // and the WinRT class queries our token... Redirect the handle imports // so we can query the correct token. If we can't then unfortunately // developers can't verify their SystemID support returns correct values // or verify their capabilities/sandboxing/token permissions are setup correctly (dmex) status = PhDetoursPackageSystemIdentificationInitialize( systemIdStatics->lpVtbl, Context ); if (FAILED(status)) goto CleanupExit; if ((systemIdPublisherStatus = __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationStatics_GetSystemIdForPublisher( systemIdStatics, &systemIdPublisher )) == S_OK) { systemIdForPublisherString = PhSystemIdentificationToString(systemIdPublisher); __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationInfo_Release(systemIdPublisher); } if ((systemIdForUserStatus = __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationStatics_GetSystemIdForUser( systemIdStatics, NULL, &systemIdUser )) == S_OK) { systemIdForUserString = PhSystemIdentificationToString(systemIdUser); __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationInfo_Release(systemIdUser); } CleanupExit: if (systemIdStatics) { __x_ABI_CWindows_CSystem_CProfile_CISystemIdentificationStatics_Release(systemIdStatics); systemIdStatics = NULL; } if (tokenHandle) { if (revertImpersonationToken) PhRevertImpersonationToken(NtCurrentThread()); NtClose(tokenHandle); tokenHandle = NULL; } PhDetoursPackageSystemIdentificationDelete(); *SystemIdForPublisher = NULL; *SystemIdForUser = NULL; // Note: Load messages after reverting impersonation otherwise the kernel32.dll message table doesn't get mapped. // Errors will be from the process token missing the "userSystemId" capability or limited process token privileges. (dmex) if (HR_SUCCESS(systemIdPublisherStatus)) { *SystemIdForPublisher = systemIdForPublisherString; } else { //if (HRESULT_FACILITY(systemIdPublisherStatus) == FACILITY_NT_BIT >> NT_FACILITY_SHIFT) //{ // ClearFlag(systemIdPublisherStatus, FACILITY_NT_BIT); // 0xD0000022 -> 0xC0000022 //} if (HRESULT_NTSTATUS(systemIdForUserStatus)) { *SystemIdForPublisher = PhGetStatusMessage(PhNtStatusFromHResult(systemIdPublisherStatus), 0); } if (PhIsNullOrEmptyString(*SystemIdForPublisher)) { *SystemIdForPublisher = PhGetStatusMessage(0, HRESULT_CODE(systemIdPublisherStatus)); } } if (HR_SUCCESS(systemIdForUserStatus)) { *SystemIdForUser = systemIdForUserString; } else { //if (HRESULT_FACILITY(systemIdForUserStatus) == FACILITY_NT_BIT >> NT_FACILITY_SHIFT) //{ // ClearFlag(systemIdForUserStatus, FACILITY_NT_BIT); // 0xD0000022 -> 0xC0000022 //} if (HRESULT_NTSTATUS(systemIdForUserStatus)) { *SystemIdForUser = PhGetStatusMessage(PhNtStatusFromHResult(systemIdForUserStatus), 0); } if (PhIsNullOrEmptyString(*SystemIdForUser)) { *SystemIdForUser = PhGetStatusMessage(0, HRESULT_CODE(systemIdForUserStatus)); } } return status; } _Function_class_(PH_ENUM_NEXT_THREAD) static NTSTATUS NTAPI PhEnumNextThreadSystemIdentification( _In_ HANDLE ThreadHandle, _Inout_ HANDLE* Context ) { *Context = ThreadHandle; return STATUS_NO_MORE_ENTRIES; } HRESULT PhGetProcessSystemIdentification( _In_ HANDLE ProcessId, _Out_ PPH_STRING* SystemIdForPublisher, _Out_ PPH_STRING* SystemIdForUser ) { HRESULT status; HANDLE processHandle; HANDLE threadHandle = NULL; HANDLE threadId = NULL; PVOID processes; status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId ); if (!NT_SUCCESS(status)) { *SystemIdForPublisher = NULL; *SystemIdForUser = NULL; return HRESULT_FROM_NT(status); } status = PhEnumNextThread( processHandle, NULL, THREAD_QUERY_LIMITED_INFORMATION, PhEnumNextThreadSystemIdentification, &threadHandle ); if (!NT_SUCCESS(status)) { if (NT_SUCCESS(PhEnumProcesses(&processes))) { PSYSTEM_PROCESS_INFORMATION process; if (process = PhFindProcessInformation(processes, ProcessId)) { for (ULONG i = 0; i < process->NumberOfThreads; i++) { HANDLE tempThreadHandle; threadId = process->Threads[i].ClientId.UniqueThread; if (NT_SUCCESS(PhOpenThread( &tempThreadHandle, THREAD_QUERY_LIMITED_INFORMATION, threadId ))) { threadHandle = tempThreadHandle; break; } } } PhFree(processes); } } if (!threadHandle) { status = HRESULT_FROM_NT(STATUS_UNSUCCESSFUL); goto CleanupExit; } { PH_APPHWID_QUERY_CONTEXT queryContext; memset(&queryContext, 0, sizeof(PH_APPHWID_QUERY_CONTEXT)); queryContext.ProcessId = ProcessId; queryContext.ProcessHandle = processHandle; queryContext.ThreadId = threadId; queryContext.ThreadHandle = threadHandle; status = PhQueryProcessSystemIdentification(&queryContext, SystemIdForPublisher, SystemIdForUser); } CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (processHandle) { NtClose(processHandle); } return status; } #pragma endregion #pragma region Display Information // BED112AE-ADC3-4DC9-AE65-851F4D7D4799 DEFINE_GUID(IID_IDisplayInformation, 0xBED112AE, 0xADC3, 0x4DC9, 0xAE, 0x65, 0x85, 0x1F, 0x4D, 0x7D, 0x47, 0x99); // C6A02A6C-D452-44DC-BA07-96F3C6ADF9D1 DEFINE_GUID(IID_IDisplayInformationStatics, 0xc6a02a6c, 0xd452, 0x44dc, 0xba, 0x07, 0x96, 0xf3, 0xc6, 0xad, 0xf9, 0xd1); // 6937ED8D-30EA-4DED-8271-4553FF02F68A DEFINE_GUID(IID_IDisplayPropertiesStatics, 0x6937ed8d, 0x30ea, 0x4ded, 0x82, 0x71, 0x45, 0x53, 0xff, 0x02, 0xf6, 0x8a); FLOAT PhGetDisplayLogicalDpi( VOID ) { FLOAT displayLogicalDpi = 0; __x_ABI_CWindows_CGraphics_CDisplay_CIDisplayPropertiesStatics* displayProperties; HRESULT status; status = PhGetActivationFactory( L"Windows.Graphics.dll", RuntimeClass_Windows_Graphics_Display_DisplayProperties, &IID_IDisplayPropertiesStatics, &displayProperties ); if (SUCCEEDED(status)) { FLOAT value; status = __x_ABI_CWindows_CGraphics_CDisplay_CIDisplayPropertiesStatics_get_LogicalDpi(displayProperties, &value); if (SUCCEEDED(status)) { displayLogicalDpi = value; } } // Requires IWindowsXamlManagerStatics_InitializeForCurrentThread (dmex) // //__x_ABI_CWindows_CGraphics_CDisplay_CIDisplayInformationStatics* displayInformation; //status = PhGetActivationFactory( // L"Windows.Graphics.dll", // RuntimeClass_Windows_Graphics_Display_DisplayInformation, // &IID_IDisplayInformationStatics, // &displayInformation // ); // //if (SUCCEEDED(status)) //{ // __x_ABI_CWindows_CGraphics_CDisplay_CIDisplayInformation* display_information; // __x_ABI_CWindows_CGraphics_CDisplay_CResolutionScale resolution_scale; // // if (SUCCEEDED(__x_ABI_CWindows_CGraphics_CDisplay_CIDisplayInformationStatics_GetForCurrentView(displayInformation, &display_information))) // { // if (SUCCEEDED(__x_ABI_CWindows_CGraphics_CDisplay_CIDisplayInformation_get_ResolutionScale(display_information, &resolution_scale))) // { // float scale = (float)(resolution_scale / 100.0f); // } // } //} return displayLogicalDpi; } #pragma endregion #pragma region Package Manager #include #include // 9a7d4b65-5e8f-4fc7-a2e5-7f6925cb8b53 DEFINE_GUID(IID_IPackageManager, 0x9A7D4B65, 0x5E8F, 0x4FC7, 0xA2, 0xE5, 0x7F, 0x69, 0x25, 0xCB, 0x8B, 0x53); // a6612fb6-7688-4ace-95fb-359538e7aa01 DEFINE_GUID(IID_IPackage2, 0xA6612FB6, 0x7688, 0x4ACE, 0x95, 0xFB, 0x35, 0x95, 0x38, 0xE7, 0xAA, 0x01); // 2c584f7b-ce2a-4be6-a093-77cfbb2a7ea1 DEFINE_GUID(IID_IPackage8, 0x2c584f7b, 0xce2a, 0x4be6, 0xa0, 0x93, 0x77, 0xcf, 0xbb, 0x2a, 0x7e, 0xa1); // d0a618ad-bf35-42ac-ac06-86eeeb41d04b DEFINE_GUID(IID_IAppListEntry2, 0xd0a618ad, 0xbf35, 0x42ac, 0xac, 0x06, 0x86, 0xee, 0xeb, 0x41, 0xd0, 0x4b); // cf7f59b3-6a09-4de8-a6c0-5792d56880d1 DEFINE_GUID(IID_IAppInfo, 0xcf7f59b3, 0x6a09, 0x4de8, 0xa6, 0xc0, 0x57, 0x92, 0xd5, 0x68, 0x80, 0xd1); // 4207a996-ca2f-42f7-bde8-8b10457a7f30 DEFINE_GUID(IID_IStorageItem, 0x4207a996, 0xca2f, 0x42f7, 0xbd, 0xe8, 0x8b, 0x10, 0x45, 0x7a, 0x7f, 0x30); static typeof(&OpenPackageInfoByFullNameForUser) OpenPackageInfoByFullNameForUser_I = NULL; static typeof(&GetPackageApplicationIds) GetPackageApplicationIds_I = NULL; static typeof(&ClosePackageInfo) ClosePackageInfo_I = NULL; static BOOLEAN PhPackageImportsInitialized( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN initialized = FALSE; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhGetLoaderEntryDllBaseZ(L"kernelbase.dll")) { OpenPackageInfoByFullNameForUser_I = PhGetDllBaseProcedureAddress(baseAddress, "OpenPackageInfoByFullNameForUser", 0); GetPackageApplicationIds_I = PhGetDllBaseProcedureAddress(baseAddress, "GetPackageApplicationIds", 0); ClosePackageInfo_I = PhGetDllBaseProcedureAddress(baseAddress, "ClosePackageInfo", 0); } if ( OpenPackageInfoByFullNameForUser_I && GetPackageApplicationIds_I && ClosePackageInfo_I ) { initialized = TRUE; } PhEndInitOnce(&initOnce); } return initialized; } _Success_(return) BOOLEAN PhGetPackageApplicationIds( _In_ PCWSTR PackageFullName, _Out_ PWSTR** ApplicationUserModelIds, _Out_ PULONG ApplicationUserModelIdsCount ) { BOOLEAN success = FALSE; ULONG status; PACKAGE_INFO_REFERENCE packageHandle; ULONG bufferCount = 0; ULONG bufferLength = 0; PBYTE buffer = NULL; if (!PhPackageImportsInitialized()) return FALSE; status = OpenPackageInfoByFullNameForUser_I( NULL, PackageFullName, 0, &packageHandle ); if (status != ERROR_SUCCESS) return FALSE; status = GetPackageApplicationIds_I( packageHandle, &bufferLength, NULL, NULL ); if (status != ERROR_INSUFFICIENT_BUFFER) goto CleanupExit; buffer = PhAllocate(bufferLength); memset(buffer, 0, bufferLength); status = GetPackageApplicationIds_I( packageHandle, &bufferLength, buffer, &bufferCount ); if (status != ERROR_SUCCESS) goto CleanupExit; success = TRUE; CleanupExit: ClosePackageInfo_I(packageHandle); if (success) { *ApplicationUserModelIds = (PWSTR*)buffer; *ApplicationUserModelIdsCount = bufferCount; } else { if (buffer) { PhFree(buffer); } } return success; } typedef enum _PH_QUERY_PACKAGE_INFO_TYPE { PH_QUERY_PACKAGE_INFO_NAME = 1, PH_QUERY_PACKAGE_INFO_FULLNAME = 2, PH_QUERY_PACKAGE_INFO_FAMILYNAME = 4, PH_QUERY_PACKAGE_INFO_DISPLAYNAME = 8, PH_QUERY_PACKAGE_INFO_VERSION = 16, PH_QUERY_PACKAGE_INFO_LOGO = 32, PH_QUERY_PACKAGE_INFO_LOCATION = 64, } PH_QUERY_PACKAGE_INFO_TYPE; BOOLEAN PhQueryApplicationModelPackageInformation( _In_ PPH_LIST PackageList, _In_ __x_ABI_CWindows_CApplicationModel_CIPackage* AppPackage, _In_ __x_ABI_CWindows_CApplicationModel_CIPackage2* AppPackage2, _In_ PH_QUERY_PACKAGE_INFO_TYPE FilterType ) { __x_ABI_CWindows_CStorage_CIStorageFolder* appPackageFolder; __x_ABI_CWindows_CStorage_CIStorageItem* appPackageFolderItem; __x_ABI_CWindows_CApplicationModel_CIPackageId* appPackageID; __x_ABI_CWindows_CFoundation_CIUriRuntimeClass* appPackageLogo; PPH_STRING packageInstallLocationString = NULL; PPH_STRING packageNameString = NULL; PPH_STRING packageFullNameString = NULL; PPH_STRING packageFamilyNameString = NULL; PPH_STRING packageDisplayNameString = NULL; PPH_STRING packageLogoString = NULL; PPH_STRING packageVersionString = NULL; HSTRING stringHandle = NULL; if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackage_get_Id(AppPackage, &appPackageID))) { if (FlagOn(FilterType, PH_QUERY_PACKAGE_INFO_NAME)) { if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackageId_get_Name(appPackageID, &stringHandle))) { if (PhGetWindowsRuntimeStringLength(stringHandle)) { packageNameString = PhCreateStringFromWindowsRuntimeString(stringHandle); } PhDeleteWindowsRuntimeString(stringHandle); } } if (FlagOn(FilterType, PH_QUERY_PACKAGE_INFO_FULLNAME)) { if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackageId_get_FullName(appPackageID, &stringHandle))) { if (PhGetWindowsRuntimeStringLength(stringHandle)) { packageFullNameString = PhCreateStringFromWindowsRuntimeString(stringHandle); } PhDeleteWindowsRuntimeString(stringHandle); } } if (FlagOn(FilterType, PH_QUERY_PACKAGE_INFO_FAMILYNAME)) { if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackageId_get_FamilyName(appPackageID, &stringHandle))) { if (PhGetWindowsRuntimeStringLength(stringHandle)) { packageFamilyNameString = PhCreateStringFromWindowsRuntimeString(stringHandle); } PhDeleteWindowsRuntimeString(stringHandle); } } if (FlagOn(FilterType, PH_QUERY_PACKAGE_INFO_VERSION)) { __x_ABI_CWindows_CApplicationModel_CPackageVersion appPackageVersion = { 0 }; if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackageId_get_Version(appPackageID, &appPackageVersion))) { PH_FORMAT format[7]; PhInitFormatU(&format[0], appPackageVersion.Major); PhInitFormatC(&format[1], L'.'); PhInitFormatU(&format[2], appPackageVersion.Minor); PhInitFormatC(&format[3], L'.'); PhInitFormatU(&format[4], appPackageVersion.Revision); PhInitFormatC(&format[5], L'.'); PhInitFormatU(&format[6], appPackageVersion.Build); packageVersionString = PhFormat(format,RTL_NUMBER_OF(format), 0); } } __x_ABI_CWindows_CApplicationModel_CIPackageId_Release(appPackageID); } if (FlagOn(FilterType, PH_QUERY_PACKAGE_INFO_DISPLAYNAME)) { if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackage2_get_DisplayName(AppPackage2, &stringHandle))) { if (PhGetWindowsRuntimeStringLength(stringHandle)) { packageDisplayNameString = PhCreateStringFromWindowsRuntimeString(stringHandle); } PhDeleteWindowsRuntimeString(stringHandle); } } if (FlagOn(FilterType, PH_QUERY_PACKAGE_INFO_LOGO)) { if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackage2_get_Logo(AppPackage2, &appPackageLogo))) { if (SUCCEEDED(__x_ABI_CWindows_CFoundation_CIUriRuntimeClass_get_RawUri(appPackageLogo, &stringHandle))) { packageLogoString = PhCreateStringFromWindowsRuntimeString(stringHandle); PhDeleteWindowsRuntimeString(stringHandle); } __x_ABI_CWindows_CFoundation_CIUriRuntimeClass_Release(appPackageLogo); } } if (FlagOn(FilterType, PH_QUERY_PACKAGE_INFO_LOCATION)) { if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackage_get_InstalledLocation(AppPackage, &appPackageFolder))) { if (SUCCEEDED(__x_ABI_CWindows_CStorage_CIStorageFolder_QueryInterface(appPackageFolder, &IID_IStorageItem, &appPackageFolderItem))) { if (SUCCEEDED(__x_ABI_CWindows_CStorage_CIStorageItem_get_Path(appPackageFolderItem, &stringHandle))) { if (PhGetWindowsRuntimeStringLength(stringHandle)) { packageInstallLocationString = PhCreateStringFromWindowsRuntimeString(stringHandle); } PhDeleteWindowsRuntimeString(stringHandle); } __x_ABI_CWindows_CStorage_CIStorageItem_Release(appPackageFolderItem); } __x_ABI_CWindows_CStorage_CIStorageFolder_Release(appPackageFolder); } } if (packageFullNameString) { ULONG applicationUserModelIdsCount; PWSTR* applicationUserModelIdsBuffer; if (PhGetPackageApplicationIds( PhGetString(packageFullNameString), &applicationUserModelIdsBuffer, &applicationUserModelIdsCount )) { for (ULONG i = 0; i < applicationUserModelIdsCount; ++i) { PPH_APPUSERMODELID_ENUM_ENTRY entry; entry = PhAllocateZero(sizeof(PH_APPUSERMODELID_ENUM_ENTRY)); entry->AppUserModelId = PhCreateString(applicationUserModelIdsBuffer[i]); PhSetReference(&entry->PackageName, packageNameString); PhSetReference(&entry->PackageDisplayName, packageDisplayNameString); PhSetReference(&entry->PackageFamilyName, packageFamilyNameString); PhSetReference(&entry->PackageInstallPath, packageInstallLocationString); PhSetReference(&entry->PackageFullName, packageFullNameString); PhSetReference(&entry->PackageVersion, packageVersionString); PhSetReference(&entry->SmallLogoPath, packageLogoString); PhAddItemList(PackageList, entry); } } } PhClearReference(&packageLogoString); PhClearReference(&packageVersionString); PhClearReference(&packageFullNameString); PhClearReference(&packageInstallLocationString); PhClearReference(&packageFamilyNameString); PhClearReference(&packageDisplayNameString); PhClearReference(&packageNameString); return TRUE; } PPH_LIST PhEnumPackageApplicationUserModelIds( VOID ) { HRESULT status; PPH_LIST list = NULL; __x_ABI_CWindows_CManagement_CDeployment_CIPackageManager* packageManager = NULL; __FIIterable_1_Windows__CApplicationModel__CPackage* enumPackages = NULL; __FIIterator_1_Windows__CApplicationModel__CPackage* enumPackage = NULL; __x_ABI_CWindows_CApplicationModel_CIPackage* currentPackage = NULL; __x_ABI_CWindows_CApplicationModel_CIPackage2* currentPackage2 = NULL; boolean haveCurrentPackage = FALSE; status = PhActivateInstance( L"AppXDeploymentClient.dll", RuntimeClass_Windows_Management_Deployment_PackageManager, &IID_IPackageManager, &packageManager ); if (HR_FAILED(status)) return NULL; if (PhGetOwnTokenAttributes().Elevated) status = __x_ABI_CWindows_CManagement_CDeployment_CIPackageManager_FindPackages(packageManager, &enumPackages); else status = __x_ABI_CWindows_CManagement_CDeployment_CIPackageManager_FindPackagesByUserSecurityId(packageManager, NULL, &enumPackages); if (HR_FAILED(status)) goto CleanupExit; status = __FIIterable_1_Windows__CApplicationModel__CPackage_First(enumPackages, &enumPackage); if (HR_FAILED(status)) goto CleanupExit; status = __FIIterator_1_Windows__CApplicationModel__CPackage_get_HasCurrent(enumPackage, &haveCurrentPackage); if (HR_FAILED(status)) goto CleanupExit; list = PhCreateList(10); while (haveCurrentPackage) { status = __FIIterator_1_Windows__CApplicationModel__CPackage_get_Current(enumPackage, ¤tPackage); if (HR_SUCCESS(status)) { status = __x_ABI_CWindows_CApplicationModel_CIPackage_QueryInterface(currentPackage, &IID_IPackage2, ¤tPackage2); if (HR_SUCCESS(status)) { PhQueryApplicationModelPackageInformation( list, currentPackage, currentPackage2, PH_QUERY_PACKAGE_INFO_NAME | PH_QUERY_PACKAGE_INFO_FULLNAME | PH_QUERY_PACKAGE_INFO_FAMILYNAME | PH_QUERY_PACKAGE_INFO_DISPLAYNAME | PH_QUERY_PACKAGE_INFO_LOGO ); // Note: GetPackageApplicationIds returns all identifiers while the IAppListEntry2_get_AppUserModelId interface only returns a single entry (dmex) //if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackage_QueryInterface(currentPackage, &IID_IPackage8, ¤tPackage8))) //if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CIPackage8_GetAppListEntries(currentPackage8, &packageAppListEntryArray))) //if (SUCCEEDED(__FIVectorView_1_Windows__CApplicationModel__CCore__CAppListEntry_get_Size(packageAppListEntryArray, &packageAppListEntryCount))) //for (UINT32 i = 0; i < packageAppListEntryCount; i++) //if (SUCCEEDED(__FIVectorView_1_Windows__CApplicationModel__CCore__CAppListEntry_GetAt(packageAppListEntryArray, i, &packageAppListEntry))) //if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CCore_CIAppListEntry_QueryInterface(packageAppListEntry, &IID_IAppListEntry2, &packageAppListEntry2))) //if (SUCCEEDED(__x_ABI_CWindows_CApplicationModel_CCore_CIAppListEntry2_get_AppUserModelId(packageAppListEntry2, &packageAppUserModelIdString))) __x_ABI_CWindows_CApplicationModel_CIPackage2_Release(currentPackage2); } __FIIterator_1_Windows__CApplicationModel__CPackage_Release(currentPackage); } if (HR_FAILED(status)) break; status = __FIIterator_1_Windows__CApplicationModel__CPackage_MoveNext(enumPackage, &haveCurrentPackage); if (HR_FAILED(status)) break; } CleanupExit: if (enumPackage) __FIIterator_1_Windows__CApplicationModel__CPackage_Release(enumPackage); if (enumPackages) __FIIterable_1_Windows__CApplicationModel__CPackage_Release(enumPackages); __x_ABI_CWindows_CManagement_CDeployment_CIPackageManager_Release(packageManager); return list; } VOID PhDestroyEnumPackageApplicationUserModelIds( _In_ PPH_LIST PackageList ) { if (!PackageList) return; for (ULONG i = 0; i < PackageList->Count; i++) { PPH_APPUSERMODELID_ENUM_ENTRY entry = PackageList->Items[i]; PhClearReference(&entry->AppUserModelId); PhClearReference(&entry->PackageName); PhClearReference(&entry->PackageDisplayName); PhClearReference(&entry->PackageFamilyName); PhClearReference(&entry->PackageInstallPath); PhClearReference(&entry->PackageFullName); PhClearReference(&entry->PackageVersion); PhClearReference(&entry->SmallLogoPath); PhFree(entry); } PhDereferenceObject(PackageList); } #pragma endregion ================================================ FILE: phlib/avltree.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #include /** * Initializes an AVL tree. * * \param Tree The tree. * \param CompareFunction A function used to compare tree elements. */ VOID PhInitializeAvlTree( _Out_ PPH_AVL_TREE Tree, _In_ PPH_AVL_TREE_COMPARE_FUNCTION CompareFunction ) { Tree->Root.Parent = NULL; Tree->Root.Left = NULL; Tree->Root.Right = NULL; Tree->Root.Balance = 0; Tree->Count = 0; Tree->CompareFunction = CompareFunction; } /** * Finds an element in an AVL tree. * * \param Tree The tree. * \param Element The element to find. * \param Result The result of the search. */ FORCEINLINE PPH_AVL_LINKS PhpFindElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element, _Out_ PLONG Result ) { PPH_AVL_LINKS links; LONG result; links = PhRootElementAvlTree(Tree); if (!links) { *Result = 1; return &Tree->Root; } while (TRUE) { result = Tree->CompareFunction(Element, links); if (result == 0) { *Result = 0; return links; } else if (result < 0) { if (links->Left) { links = links->Left; } else { *Result = -1; return links; } } else { if (links->Right) { links = links->Right; } else { *Result = 1; return links; } } } } FORCEINLINE VOID PhpRotateLeftAvlLinks( _Inout_ PPH_AVL_LINKS *Root ) { PPH_AVL_LINKS P; PPH_AVL_LINKS Q; // P // | | // A Q // | | // B C // // becomes // // Q // | | // P C // | | // A B // // P and Q must exist. // B may not exist. // A and C are not affected. P = *Root; Q = P->Right; // The new root is Q *Root = Q; Q->Parent = P->Parent; // P.Right = Q.Left (transfer B) P->Right = Q->Left; if (P->Right) P->Right->Parent = P; // Q.Left = P Q->Left = P; P->Parent = Q; } FORCEINLINE VOID PhpRotateLeftTwiceAvlLinks( _Inout_ PPH_AVL_LINKS *Root ) { PPH_AVL_LINKS P; PPH_AVL_LINKS Q; PPH_AVL_LINKS R; // P // | | // A Q // | | // R D // | | // B C // // becomes // // R // | | // P Q // | | | | // A B C D // // P, Q, and R must exist. // B and C may not exist. // A and D are not affected. // PhpRotateRightAvlLinks(&(*Root)->Right); // PhpRotateLeftAvlLinks(Root); // P is the current root // Q is P.Right // R is Q.Left (P.Right.Left) P = *Root; Q = P->Right; R = Q->Left; // The new root is R *Root = R; R->Parent = P->Parent; // Q.Left = R.Right (transfer C) Q->Left = R->Right; if (Q->Left) Q->Left->Parent = Q; // R.Right = Q R->Right = Q; Q->Parent = R; // P.Right = R.Left (transfer B) P->Right = R->Left; if (P->Right) P->Right->Parent = P; // R.Left = P R->Left = P; P->Parent = R; } FORCEINLINE VOID PhpRotateRightAvlLinks( _Inout_ PPH_AVL_LINKS *Root ) { PPH_AVL_LINKS Q; PPH_AVL_LINKS P; // Q // | | // P C // | | // A B // // becomes // // P // | | // A Q // | | // B C // // Q and P must exist. // B may not exist. // A and C are not affected. Q = *Root; P = Q->Left; // The new root is P *Root = P; P->Parent = Q->Parent; // Q.Left = P.Right (transfer B) Q->Left = P->Right; if (Q->Left) Q->Left->Parent = Q; // P.Right = Q P->Right = Q; Q->Parent = P; } FORCEINLINE VOID PhpRotateRightTwiceAvlLinks( _Inout_ PPH_AVL_LINKS *Root ) { PPH_AVL_LINKS P; PPH_AVL_LINKS Q; PPH_AVL_LINKS R; // P // | | // Q D // | | // A R // | | // B C // // becomes // // R // | | // Q P // | | | | // A B C D // // P, Q, and R must exist. // B and C may not exist. // A and D are not affected. // PhpRotateLeftAvlLinks(&(*Root)->Left); // PhpRotateRightAvlLinks(Root); // P is the current root // Q is P.Left // R is Q.Right (P.Left.Right) P = *Root; Q = P->Left; R = Q->Right; // The new root is R *Root = R; R->Parent = P->Parent; // Q.Right = R.Left (transfer B) Q->Right = R->Left; if (Q->Right) Q->Right->Parent = Q; // R.Left = Q R->Left = Q; Q->Parent = R; // P.Left = R.Right (transfer C) P->Left = R->Right; if (P->Left) P->Left->Parent = P; // R.Right = P R->Right = P; P->Parent = R; } ULONG PhpRebalanceAvlLinks( _Inout_ PPH_AVL_LINKS *Root ) { PPH_AVL_LINKS P; PPH_AVL_LINKS Q; PPH_AVL_LINKS R; P = *Root; if (P->Balance == -1) { Q = P->Left; if (Q->Balance == -1) { // Left-left PhpRotateRightAvlLinks(Root); P->Balance = 0; Q->Balance = 0; return 1; } else if (Q->Balance == 1) { // Left-right R = Q->Right; PhpRotateRightTwiceAvlLinks(Root); if (R->Balance == -1) { P->Balance = 1; Q->Balance = 0; } else if (R->Balance == 1) { P->Balance = 0; Q->Balance = -1; } else { P->Balance = 0; Q->Balance = 0; } R->Balance = 0; return 2; } else { // Special (only occurs when removing) // D // | | // B E // | | // A C // // Removing E results in: // // D // | // B // | | // A C // // which is unbalanced. Rotating right at B results in: // // B // | | // A D // | // C // // The same applies for the mirror case. PhpRotateRightAvlLinks(Root); Q->Balance = 1; return 3; } } else { Q = P->Right; if (Q->Balance == 1) { // Right-right PhpRotateLeftAvlLinks(Root); P->Balance = 0; Q->Balance = 0; return 1; } else if (Q->Balance == -1) { // Right-left R = Q->Left; PhpRotateLeftTwiceAvlLinks(Root); if (R->Balance == -1) { P->Balance = 0; Q->Balance = 1; } else if (R->Balance == 1) { P->Balance = -1; Q->Balance = 0; } else { P->Balance = 0; Q->Balance = 0; } R->Balance = 0; return 2; } else { // Special (only occurs when removing) PhpRotateLeftAvlLinks(Root); Q->Balance = -1; return 3; } } } /** * Adds an element to an AVL tree. * * \param Tree The tree. * \param Element The element to add. * * \return NULL if the element was added, or an existing element. */ PPH_AVL_LINKS PhAddElementAvlTree( _Inout_ PPH_AVL_TREE Tree, _Out_ PPH_AVL_LINKS Element ) { LONG result; PPH_AVL_LINKS P; PPH_AVL_LINKS root; LONG balance; P = PhpFindElementAvlTree(Tree, Element, &result); if (result < 0) P->Left = Element; else if (result > 0) P->Right = Element; else return P; Element->Parent = P; Element->Left = NULL; Element->Right = NULL; Element->Balance = 0; // Balance the tree. P = Element; root = PhRootElementAvlTree(Tree); while (P != root) { // In this implementation, the balance factor is the right height minus left height. if (P->Parent->Left == P) balance = -1; else balance = 1; P = P->Parent; if (P->Balance == 0) { // The balance becomes -1 or 1. Rotations are not needed // yet, but we should keep tracing upwards. P->Balance = balance; } else if (P->Balance != balance) { // The balance is opposite the new balance, so it now // becomes 0. P->Balance = 0; break; } else { PPH_AVL_LINKS *ref; // The balance is the same as the new balance, meaning // it now becomes -2 or 2. Rotations are needed. if (P->Parent->Left == P) ref = &P->Parent->Left; else ref = &P->Parent->Right; PhpRebalanceAvlLinks(ref); break; } } Tree->Count++; return NULL; } /** * Removes an element from an AVL tree. * * \param Tree The tree. * \param Element An element already present in the tree. */ VOID PhRemoveElementAvlTree( _Inout_ PPH_AVL_TREE Tree, _Inout_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS newElement; PPH_AVL_LINKS *replace; PPH_AVL_LINKS P; PPH_AVL_LINKS root; LONG balance; if (!Element->Left || !Element->Right) { newElement = Element; } else if (Element->Balance >= 0) // Pick the side depending on the balance to minimize rebalances { newElement = Element->Right; while (newElement->Left) newElement = newElement->Left; } else { newElement = Element->Left; while (newElement->Right) newElement = newElement->Right; } if (newElement->Parent->Left == newElement) { replace = &newElement->Parent->Left; balance = -1; } else { replace = &newElement->Parent->Right; balance = 1; } if (!newElement->Right) { *replace = newElement->Left; if (newElement->Left) newElement->Left->Parent = newElement->Parent; } else { *replace = newElement->Right; newElement->Right->Parent = newElement->Parent; // we know Right exists } P = newElement->Parent; root = &Tree->Root; while (P != root) { if (P->Balance == balance) { // The balance is cancelled by the remove operation and becomes 0. // Rotations are not needed yet, but we should keep tracing upwards. P->Balance = 0; } else if (P->Balance == 0) { // The balance is 0, so it now becomes -1 or 1. P->Balance = -balance; break; } else { PPH_AVL_LINKS *ref; // The balance is the same as the new balance, meaning // it now becomes -2 or 2. Rotations are needed. if (P->Parent->Left == P) ref = &P->Parent->Left; else ref = &P->Parent->Right; // We can stop tracing if we have a special case rotation. if (PhpRebalanceAvlLinks(ref) == 3) break; P = P->Parent; } if (P->Parent->Left == P) balance = -1; else balance = 1; P = P->Parent; } if (newElement != Element) { // Replace the subject with the new subject. *newElement = *Element; if (Element->Parent->Left == Element) newElement->Parent->Left = newElement; else newElement->Parent->Right = newElement; if (newElement->Left) newElement->Left->Parent = newElement; if (newElement->Right) newElement->Right->Parent = newElement; } Tree->Count--; } /** * Finds an element in an AVL tree. * * \param Tree The tree. * \param Element An element to find. * * \return The element, or NULL if it could not be found. */ PPH_AVL_LINKS PhFindElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS links; LONG result; links = PhpFindElementAvlTree(Tree, Element, &result); if (result == 0) return links; else return NULL; } /** * Finds the first element in an AVL tree that is greater than or equal to the specified element. * * \param Tree The tree. * \param Element The element to find. * * \return The bound element, or NULL if the tree is empty. */ PPH_AVL_LINKS PhLowerBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS links; PPH_AVL_LINKS closest; LONG result; links = PhRootElementAvlTree(Tree); closest = NULL; while (links) { result = Tree->CompareFunction(Element, links); if (result > 0) { links = links->Right; } else { closest = links; links = links->Left; } } return closest; } /** * Finds the first element in an AVL tree that is greater than the specified element. * * \param Tree The tree. * \param Element The element to find. * * \return The bound element, or NULL if the tree is empty. */ PPH_AVL_LINKS PhUpperBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS links; PPH_AVL_LINKS closest; LONG result; links = PhRootElementAvlTree(Tree); closest = NULL; while (links) { result = Tree->CompareFunction(Element, links); if (result >= 0) { links = links->Right; } else { closest = links; links = links->Left; } } return closest; } /** * Finds the last element in an AVL tree that is less than the specified element. * * \param Tree The tree. * \param Element The element to find. * * \return The bound element, or NULL if the tree is empty. */ PPH_AVL_LINKS PhLowerDualBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS links; PPH_AVL_LINKS closest; LONG result; links = PhRootElementAvlTree(Tree); closest = NULL; while (links) { result = Tree->CompareFunction(Element, links); if (result > 0) { closest = links; links = links->Right; } else { links = links->Left; } } return closest; } /** * Finds the last element in an AVL tree that is less than or equal to the specified element. * * \param Tree The tree. * \param Element The element to find. * * \return The bound element, or NULL if the tree is empty. */ PPH_AVL_LINKS PhUpperDualBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS links; PPH_AVL_LINKS closest; LONG result; links = PhRootElementAvlTree(Tree); closest = NULL; while (links) { result = Tree->CompareFunction(Element, links); if (result >= 0) { closest = links; links = links->Right; } else { links = links->Left; } } return closest; } /** * Finds the smallest element in an AVL tree. * * \param Tree The tree. * * \return An element, or NULL if the tree is empty. */ PPH_AVL_LINKS PhMinimumElementAvlTree( _In_ PPH_AVL_TREE Tree ) { PPH_AVL_LINKS links; links = PhRootElementAvlTree(Tree); if (!links) return NULL; while (links->Left) links = links->Left; return links; } /** * Finds the biggest element in an AVL tree. * * \param Tree The tree. * * \return An element, or NULL if the tree is empty. */ PPH_AVL_LINKS PhMaximumElementAvlTree( _In_ PPH_AVL_TREE Tree ) { PPH_AVL_LINKS links; links = PhRootElementAvlTree(Tree); if (!links) return NULL; while (links->Right) links = links->Right; return links; } /** * Finds the next element in an AVL tree. * * \param Element The element. * * \return The next element, or NULL if there are no more elements. */ PPH_AVL_LINKS PhSuccessorElementAvlTree( _In_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS links; if (Element->Right) { Element = Element->Right; while (Element->Left) Element = Element->Left; return Element; } else { // Trace back to the next vertical level. Note // that this code does in fact return NULL when there // are no more elements because of the way the root // element is constructed. links = Element->Parent; while (links && links->Right == Element) { Element = links; links = links->Parent; } return links; } } /** * Finds the previous element in an AVL tree. * * \param Element The element. * * \return The previous element, or NULL if there are no more elements. */ PPH_AVL_LINKS PhPredecessorElementAvlTree( _In_ PPH_AVL_LINKS Element ) { PPH_AVL_LINKS links; if (Element->Left) { Element = Element->Left; while (Element->Right) Element = Element->Right; return Element; } else { links = Element->Parent; while (links && links->Left == Element) { Element = links; links = links->Parent; } if (links) { // We need an additional check because the tree root is // stored in Root.Right, not Left. if (!links->Parent) return NULL; // reached Root, so no more elements } return links; } } /** * Enumerates the elements in an AVL tree. * * \param Tree The tree. * \param Order The enumeration order. * \param Callback The callback function. * \param Context A user-defined value to pass to the callback function. */ VOID PhEnumAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PH_TREE_ENUMERATION_ORDER Order, _In_ PPH_ENUM_AVL_TREE_CALLBACK Callback, _In_opt_ PVOID Context ) { // The maximum height of an AVL tree is around 1.44 * log2(n). // The maximum number of elements in this implementation is 2^32, so the maximum height is // around 46.08. PPH_AVL_LINKS stackBase[47]; PPH_AVL_LINKS *stack; PPH_AVL_LINKS links; stack = stackBase; switch (Order) { case TreeEnumerateInOrder: links = PhRootElementAvlTree(Tree); while (links) { *stack++ = links; links = links->Left; } while (stack != stackBase) { links = *--stack; if (!Callback(Tree, links, Context)) break; links = links->Right; while (links) { *stack++ = links; links = links->Left; } } break; case TreeEnumerateInReverseOrder: links = PhRootElementAvlTree(Tree); while (links) { *stack++ = links; links = links->Right; } while (stack != stackBase) { links = *--stack; if (!Callback(Tree, links, Context)) break; links = links->Left; while (links) { *stack++ = links; links = links->Right; } } break; } } ================================================ FILE: phlib/basestring.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2019-2023 * */ #include #include #include #include #include #include #include #include #ifndef PH_NATIVE_STRING_CONVERSION #define PH_NATIVE_STRING_CONVERSION 1 #endif #ifndef PH_NATIVE_STRING_IN_STRING #define PH_NATIVE_STRING_IN_STRING 1 #endif /** * Determines the length of the specified string, in characters. * * \param String The string. */ SIZE_T PhCountStringZ( _In_ PCWSTR String ) { #ifndef _ARM64_ if (PhHasAVX) { PWSTR p; ULONG unaligned; __m256i b; __m256i z; ULONG mask; ULONG index; p = (PWSTR)((ULONG_PTR)String & ~0x1f); unaligned = (ULONG_PTR)String & 0x1f; z = _mm256_setzero_si256(); if (unaligned != 0) { b = _mm256_loadu_si256((__m256i const*)p); b = _mm256_cmpeq_epi16(b, z); mask = _mm256_movemask_epi8(b) >> unaligned; if (_BitScanForward(&index, mask)) { _mm256_zeroupper(); return index / sizeof(WCHAR); } p += 32 / sizeof(WCHAR); } while (TRUE) { b = _mm256_load_si256((__m256i const*)p); b = _mm256_cmpeq_epi16(b, z); mask = _mm256_movemask_epi8(b); if (_BitScanForward(&index, mask)) { _mm256_zeroupper(); return (SIZE_T)(p - String) + index / sizeof(WCHAR); } p += 32 / sizeof(WCHAR); } } else #endif if (PhHasIntrinsics) { PWSTR p; ULONG unaligned; PH_INT128 b; PH_INT128 z; ULONG mask; ULONG index; p = (PWSTR)((ULONG_PTR)String & ~0xf); unaligned = (ULONG_PTR)String & 0xf; z = PhSetZeroINT128(); if (unaligned != 0) { b = PhLoadINT128U((PLONG)p); b = PhCompareEqINT128by16(b, z); mask = PhMoveMaskINT128by8(b) >> unaligned; if (_BitScanForward(&index, mask)) { return index / sizeof(WCHAR); } p += 16 / sizeof(WCHAR); } while (TRUE) { b = PhLoadINT128((PLONG)p); b = PhCompareEqINT128by16(b, z); mask = PhMoveMaskINT128by8(b); if (_BitScanForward(&index, mask)) { return (SIZE_T)(p - String) + index / sizeof(WCHAR); } p += 16 / sizeof(WCHAR); } } else { return wcslen(String); } } /** * Allocates space for and copies a byte string. * * \param String The string to duplicate. * * \return The new string, which can be freed using PhFree(). */ _Use_decl_annotations_ PSTR PhDuplicateBytesZ( _In_ PCSTR String ) { PSTR newString; SIZE_T length; length = strlen(String) + sizeof(ANSI_NULL); // include the null terminator newString = PhAllocate(length); memcpy(newString, String, length); return newString; } /** * Allocates space for and copies a byte string. * * \param String The string to duplicate. * * \return The new string, which can be freed using PhFree(), or NULL if storage could not be * allocated. */ _Use_decl_annotations_ PSTR PhDuplicateBytesZSafe( _In_ PCSTR String ) { PSTR newString; SIZE_T length; length = strlen(String) + sizeof(ANSI_NULL); // include the null terminator newString = PhAllocateSafe(length); if (!newString) return NULL; memcpy(newString, String, length); return newString; } /** * Allocates space for and copies a 16-bit string. * * \param String The string to duplicate. * * \return The new string, which can be freed using PhFree(). */ _Use_decl_annotations_ PWSTR PhDuplicateStringZ( _In_ PCWSTR String ) { PWSTR newString; SIZE_T length; length = PhCountStringZ(String) * sizeof(WCHAR) + sizeof(UNICODE_NULL); // include the null terminator newString = PhAllocate(length); memcpy(newString, String, length); return newString; } /** * Copies a string with optional null termination and a maximum number of characters. * * \param InputBuffer A pointer to the input string. * \param InputCount The maximum number of characters to copy, not including the null terminator. * Specify -1 for no limit. * \param OutputBuffer A pointer to the output buffer. * \param OutputCount The number of characters in the output buffer, including the null terminator. * \param ReturnCount A variable which receives the number of characters required to contain the * input string, including the null terminator. If the function returns TRUE, this variable contains * the number of characters written to the output buffer. * \return TRUE if the input string was copied to the output string, otherwise FALSE. * \remarks The function stops copying when it encounters the first null character in the input * string. It will also stop copying when it reaches the character count specified in \a InputCount, * if \a InputCount is not -1. */ NTSTATUS PhCopyBytesZ( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ) { NTSTATUS status; SIZE_T i; // Determine the length of the input string. if (InputCount != SIZE_MAX) { i = 0; while (i < InputCount && InputBuffer[i]) i++; } else { i = strlen(InputBuffer); } // Copy the string if there is enough room. if (OutputBuffer && OutputCount >= i + sizeof(ANSI_NULL)) // need one character for null terminator { memcpy(OutputBuffer, InputBuffer, i); OutputBuffer[i] = ANSI_NULL; status = STATUS_SUCCESS; } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnCount) { *ReturnCount = i + sizeof(ANSI_NULL); } return status; } /** * Copies a string with optional null termination and a maximum number of characters. * * \param InputBuffer A pointer to the input string. * \param InputCount The maximum number of characters to copy, not including the null terminator. * Specify -1 for no limit. * \param OutputBuffer A pointer to the output buffer. * \param OutputCount The number of characters in the output buffer, including the null terminator. * \param ReturnCount A variable which receives the number of characters required to contain the * input string, including the null terminator. If the function returns TRUE, this variable contains * the number of characters written to the output buffer. * \return TRUE if the input string was copied to the output string, otherwise FALSE. * \remarks The function stops copying when it encounters the first null character in the input * string. It will also stop copying when it reaches the character count specified in \a InputCount, * if \a InputCount is not -1. */ NTSTATUS PhCopyStringZ( _In_ PCWSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ) { NTSTATUS status; SIZE_T i; // Determine the length of the input string. if (InputCount != SIZE_MAX) { i = 0; while (i < InputCount && InputBuffer[i]) i++; } else { i = PhCountStringZ(InputBuffer); } // Copy the string if there is enough room. if (OutputBuffer && OutputCount >= i + 1) // need one character for null terminator { memcpy(OutputBuffer, InputBuffer, i * sizeof(WCHAR)); OutputBuffer[i] = UNICODE_NULL; status = STATUS_SUCCESS; } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnCount) { *ReturnCount = i + 1; } return status; } /** * Copies a string with optional null termination and a maximum number of characters. * * \param InputBuffer A pointer to the input string. * \param InputCount The maximum number of characters to copy, not including the null terminator. * Specify -1 for no limit. * \param OutputBuffer A pointer to the output buffer. * \param OutputCount The number of characters in the output buffer, including the null terminator. * \param ReturnCount A variable which receives the number of characters required to contain the * input string, including the null terminator. If the function returns TRUE, this variable contains * the number of characters written to the output buffer. * \return TRUE if the input string was copied to the output string, otherwise FALSE. * \remarks The function stops copying when it encounters the first null character in the input * string. It will also stop copying when it reaches the character count specified in \a InputCount, * if \a InputCount is not -1. */ NTSTATUS PhCopyStringZFromBytes( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ) { NTSTATUS status; SIZE_T i; // Determine the length of the input string. if (InputCount != SIZE_MAX) { i = 0; while (i < InputCount && InputBuffer[i]) i++; } else { i = strlen(InputBuffer); } // Copy the string if there is enough room. if (OutputBuffer && OutputCount >= i + 1) // need one character for null terminator { PhZeroExtendToUtf16Buffer(InputBuffer, i, OutputBuffer); OutputBuffer[i] = UNICODE_NULL; status = STATUS_SUCCESS; } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnCount) { *ReturnCount = i + 1; } return status; } /** * Copies a string with optional null termination and a maximum number of characters. * * \param InputBuffer A pointer to the input string. * \param InputCount The maximum number of characters to copy, not including the null terminator. * Specify -1 for no limit. * \param OutputBuffer A pointer to the output buffer. * \param OutputCount The number of characters in the output buffer, including the null terminator. * \param ReturnCount A variable which receives the number of characters required to contain the * input string, including the null terminator. If the function returns TRUE, this variable contains * the number of characters written to the output buffer. * \return TRUE if the input string was copied to the output string, otherwise FALSE. * \remarks The function stops copying when it encounters the first null character in the input * string. It will also stop copying when it reaches the character count specified in \a InputCount, * if \a InputCount is not -1. */ NTSTATUS PhCopyStringZFromMultiByte( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ) { NTSTATUS status; SIZE_T i; ULONG inputBytes; ULONG unicodeBytes; // Determine the length of the input string. if (InputCount != SIZE_MAX) { i = 0; while (i < InputCount && InputBuffer[i]) i++; } else { i = strlen(InputBuffer); } status = RtlSizeTToULong(i, &inputBytes); if (!NT_SUCCESS(status)) { if (ReturnCount) *ReturnCount = SIZE_MAX; return status; } // Determine the length of the output string. status = RtlMultiByteToUnicodeSize( &unicodeBytes, InputBuffer, inputBytes ); if (!NT_SUCCESS(status)) { if (ReturnCount) *ReturnCount = SIZE_MAX; return status; } // Convert the string to Unicode if there is enough room. if (OutputBuffer && OutputCount >= (unicodeBytes + sizeof(UNICODE_NULL)) / sizeof(WCHAR)) { status = RtlMultiByteToUnicodeN( OutputBuffer, unicodeBytes, NULL, InputBuffer, inputBytes ); if (NT_SUCCESS(status)) { // RtlMultiByteToUnicodeN doesn't null terminate the string. *(PWCHAR)PTR_ADD_OFFSET(OutputBuffer, unicodeBytes) = UNICODE_NULL; } } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnCount) { *ReturnCount = (unicodeBytes + sizeof(UNICODE_NULL)) / sizeof(WCHAR); } return status; } /** * Copies a UTF-8 encoded string to a wide-character (UTF-16) string buffer. * * \param InputBuffer Pointer to the input UTF-8 string buffer. * \param InputCount Size, in bytes, of the input buffer. * \param OutputBuffer Pointer to the output wide-character string buffer. Can be NULL if OutputCount is 0. * \param OutputCount Size, in characters, of the output buffer. * \param ReturnCount Optional pointer to receive the number of characters written to the output buffer (excluding the null terminator). * \return NTSTATUS Successful or errant status. * \remarks The output buffer will be null-terminated if OutputCount is greater than zero. */ NTSTATUS PhCopyStringZFromUtf8( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ) { NTSTATUS status; SIZE_T i; ULONG inputBytes; ULONG unicodeBytes; // Determine the length of the input string. if (InputCount != SIZE_MAX) { i = 0; while (i < InputCount && InputBuffer[i]) i++; } else { i = strlen(InputBuffer); } status = RtlSizeTToULong(i, &inputBytes); if (!NT_SUCCESS(status)) { if (ReturnCount) *ReturnCount = SIZE_MAX; return status; } // Determine the length of the output string. status = RtlUTF8ToUnicodeN( NULL, 0, &unicodeBytes, InputBuffer, inputBytes ); if (!NT_SUCCESS(status)) { if (ReturnCount) *ReturnCount = SIZE_MAX; return status; } // Convert the string to Unicode if there is enough room. if (OutputBuffer && OutputCount >= (unicodeBytes + sizeof(UNICODE_NULL)) / sizeof(WCHAR)) { status = RtlUTF8ToUnicodeN( OutputBuffer, unicodeBytes, NULL, InputBuffer, inputBytes ); if (NT_SUCCESS(status)) { // RtlUTF8ToUnicodeN doesn't null terminate the string. *(PWCHAR)PTR_ADD_OFFSET(OutputBuffer, unicodeBytes) = UNICODE_NULL; } } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnCount) { *ReturnCount = (unicodeBytes + sizeof(UNICODE_NULL)) / sizeof(WCHAR); } return status; } FORCEINLINE LONG PhpCompareRightNatural( _In_ PCWSTR A, _In_ PCWSTR B ) { LONG bias = 0; for (; ; A++, B++) { if (!PhIsDigitCharacter(*A) && !PhIsDigitCharacter(*B)) { return bias; } else if (!PhIsDigitCharacter(*A)) { return -1; } else if (!PhIsDigitCharacter(*B)) { return 1; } else if (*A < *B) { if (bias == 0) bias = -1; } else if (*A > *B) { if (bias == 0) bias = 1; } else if (!*A && !*B) { return bias; } } return 0; } FORCEINLINE LONG PhpCompareLeftNatural( _In_ PCWSTR A, _In_ PCWSTR B ) { for (; ; A++, B++) { if (!PhIsDigitCharacter(*A) && !PhIsDigitCharacter(*B)) { return 0; } else if (!PhIsDigitCharacter(*A)) { return -1; } else if (!PhIsDigitCharacter(*B)) { return 1; } else if (*A < *B) { return -1; } else if (*A > *B) { return 1; } } return 0; } FORCEINLINE LONG PhpCompareStringZNatural( _In_ PCWSTR A, _In_ PCWSTR B, _In_ BOOLEAN IgnoreCase ) { /* strnatcmp.c -- Perform 'natural order' comparisons of strings in C. Copyright (C) 2000, 2004 by Martin Pool This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. This code has been modified for System Informer. */ ULONG ai, bi; WCHAR ca, cb; LONG result; BOOLEAN fractional; ai = 0; bi = 0; while (TRUE) { ca = A[ai]; cb = B[bi]; /* Skip over leading spaces. */ while (ca == ' ') ca = A[++ai]; while (cb == ' ') cb = B[++bi]; /* Process run of digits. */ if (PhIsDigitCharacter(ca) && PhIsDigitCharacter(cb)) { fractional = (ca == '0' || cb == '0'); if (fractional) { if ((result = PhpCompareLeftNatural(A + ai, B + bi)) != 0) return result; } else { if ((result = PhpCompareRightNatural(A + ai, B + bi)) != 0) return result; } while (PhIsDigitCharacter(A[ai])) ai++; while (PhIsDigitCharacter(B[bi])) bi++; continue; } if (!ca && !cb) { /* Strings are considered the same. */ return 0; } if (IgnoreCase) { ca = PhUpcaseUnicodeChar(ca); cb = PhUpcaseUnicodeChar(cb); } if (ca < cb) return -1; else if (ca > cb) return 1; ai++; bi++; } } /** * Compares two strings in natural sort order. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase TRUE to perform a case-insensitive comparison, otherwise FALSE. * \return A value less than zero if \a String1 is less than \a String2, a value greater than zero if * \a String1 is greater than \a String2, or zero if the strings are equal. */ LONG PhCompareStringZNatural( _In_ PCWSTR String1, _In_ PCWSTR String2, _In_ BOOLEAN IgnoreCase ) { return PhpCompareStringZNatural(String1, String2, IgnoreCase); } /** * Compares two strings. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase TRUE to perform a case-insensitive comparison, otherwise FALSE. * \return A value less than zero if \a String1 is less than \a String2, a value greater than zero if * \a String1 is greater than \a String2, or zero if the strings are equal. */ LONG PhCompareStringRef( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ BOOLEAN IgnoreCase ) { SIZE_T l1; SIZE_T l2; PWCHAR s1; PWCHAR s2; WCHAR c1; WCHAR c2; PWCHAR end; // Note: this function assumes that the difference between the lengths of the two strings can // fit inside a LONG. l1 = String1->Length; l2 = String2->Length; assert(!(l1 & 1)); assert(!(l2 & 1)); s1 = String1->Buffer; s2 = String2->Buffer; if (PhHasIntrinsics) { SIZE_T commonLength = l1 <= l2 ? l1 : l2; #ifndef _ARM64_ if (PhHasAVX) { SIZE_T length = commonLength / 32; if (length != 0) { if (IgnoreCase) { do { __m256i b1 = _mm256_loadu_si256((__m256i const*)s1); __m256i b2 = _mm256_loadu_si256((__m256i const*)s2); // SIMD uppercase conversion __m256i ub1 = PhUppercaseLatin1INT256by16(b1); __m256i ub2 = PhUppercaseLatin1INT256by16(b2); // Compare uppercased values __m256i cmp = _mm256_cmpeq_epi16(ub1, ub2); if ((ULONG)_mm256_movemask_epi8(cmp) != 0xffffffff) { _mm256_zeroupper(); goto CompareCharacters; } s1 += 32 / sizeof(WCHAR); s2 += 32 / sizeof(WCHAR); } while (--length != 0); _mm256_zeroupper(); } else { do { __m256i b1 = _mm256_loadu_si256((__m256i const*)s1); __m256i b2 = _mm256_loadu_si256((__m256i const*)s2); __m256i cmp = _mm256_cmpeq_epi16(b1, b2); if ((ULONG)_mm256_movemask_epi8(cmp) != 0xffffffff) { _mm256_zeroupper(); goto CompareCharacters; } s1 += 32 / sizeof(WCHAR); s2 += 32 / sizeof(WCHAR); } while (--length != 0); _mm256_zeroupper(); } } } else #endif if (IgnoreCase) { SIZE_T length = commonLength / 16; if (length != 0) { do { PH_INT128 b1 = PhLoadINT128U((PLONG)s1); PH_INT128 b2 = PhLoadINT128U((PLONG)s2); // SIMD uppercase conversion PH_INT128 ub1 = PhUppercaseLatin1INT128by16(b1); PH_INT128 ub2 = PhUppercaseLatin1INT128by16(b2); // Compare uppercased values PH_INT128 cmp = PhCompareEqINT128by16(ub1, ub2); if (PhMoveMaskINT128by8(cmp) != 0xffff) { goto CompareCharacters; } s1 += 16 / sizeof(WCHAR); s2 += 16 / sizeof(WCHAR); } while (--length != 0); } } else { SIZE_T length = commonLength / 16; if (length != 0) { do { PH_INT128 b1 = PhLoadINT128U((PLONG)s1); PH_INT128 b2 = PhLoadINT128U((PLONG)s2); PH_INT128 cmp = PhCompareEqINT128by16(b1, b2); if (PhMoveMaskINT128by8(cmp) != 0xffff) { goto CompareCharacters; } s1 += 16 / sizeof(WCHAR); s2 += 16 / sizeof(WCHAR); } while (--length != 0); } } } CompareCharacters: end = PTR_ADD_OFFSET(String1->Buffer, l1 <= l2 ? l1 : l2); if (IgnoreCase) { while (s1 != end) { c1 = *s1; c2 = *s2; if (c1 != c2) { c1 = PhUpcaseUnicodeChar(c1); c2 = PhUpcaseUnicodeChar(c2); if (c1 != c2) return (LONG)c1 - (LONG)c2; } s1++; s2++; } } else { while (s1 != end) { c1 = *s1; c2 = *s2; if (c1 != c2) return (LONG)c1 - (LONG)c2; s1++; s2++; } } return (LONG)(l1 - l2); } /** * Determines if two strings are equal. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase TRUE to perform a case-insensitive comparison, otherwise FALSE. * \return TRUE if the strings are equal, otherwise FALSE */ BOOLEAN PhEqualStringRef( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ BOOLEAN IgnoreCase ) { SIZE_T l1; SIZE_T l2; PWSTR s1; PWSTR s2; WCHAR c1; WCHAR c2; SIZE_T length; l1 = String1->Length; l2 = String2->Length; assert(!(l1 & 1)); assert(!(l2 & 1)); if (l1 != l2) return FALSE; s1 = String1->Buffer; s2 = String2->Buffer; if (PhHasIntrinsics) { #ifndef _ARM64_ if (PhHasAVX) { if (IgnoreCase) { length = l1 / 32; if (length != 0) { do { __m256i b1 = _mm256_loadu_si256((__m256i const*)s1); __m256i b2 = _mm256_loadu_si256((__m256i const*)s2); // SIMD uppercase conversion b1 = PhUppercaseLatin1INT256by16(b1); b2 = PhUppercaseLatin1INT256by16(b2); // Compare uppercased values __m256i cmp = _mm256_cmpeq_epi16(b1, b2); if ((ULONG)_mm256_movemask_epi8(cmp) != 0xffffffff) { _mm256_zeroupper(); l1 = (String1->Length / sizeof(WCHAR)) - (s1 - String1->Buffer); goto CompareCharacters; } s1 += 32 / sizeof(WCHAR); s2 += 32 / sizeof(WCHAR); } while (--length != 0); _mm256_zeroupper(); } l1 = (l1 & 31) / sizeof(WCHAR); } else { length = l1 / 32; if (length != 0) { do { __m256i b1 = _mm256_loadu_si256((__m256i const*)s1); __m256i b2 = _mm256_loadu_si256((__m256i const*)s2); __m256i cmp = _mm256_cmpeq_epi16(b1, b2); if ((ULONG)_mm256_movemask_epi8(cmp) != 0xffffffff) { _mm256_zeroupper(); return FALSE; } s1 += 32 / sizeof(WCHAR); s2 += 32 / sizeof(WCHAR); } while (--length != 0); _mm256_zeroupper(); } l1 = (l1 & 31) / sizeof(WCHAR); } } else #endif if (IgnoreCase) { length = l1 / 16; if (length != 0) { do { PH_INT128 b1 = PhLoadINT128U((PLONG)s1); PH_INT128 b2 = PhLoadINT128U((PLONG)s2); // SIMD uppercase conversion b1 = PhUppercaseLatin1INT128by16(b1); b2 = PhUppercaseLatin1INT128by16(b2); // Compare uppercased values PH_INT128 cmp = PhCompareEqINT128by16(b1, b2); if (PhMoveMaskINT128by8(cmp) != 0xffff) { // Mismatch - fall back to scalar l1 = (String1->Length / sizeof(WCHAR)) - (s1 - String1->Buffer); goto CompareCharacters; } s1 += 16 / sizeof(WCHAR); s2 += 16 / sizeof(WCHAR); } while (--length != 0); } // Compare character-by-character because we have no more 16-byte blocks to compare. l1 = (l1 & 15) / sizeof(WCHAR); } else { length = l1 / 16; if (length != 0) { PH_INT128 b1; PH_INT128 b2; do { b1 = PhLoadINT128U((PLONG)s1); b2 = PhLoadINT128U((PLONG)s2); b1 = PhCompareEqINT128by32(b1, b2); if (PhMoveMaskINT128by8(b1) != 0xffff) { l1 = (String1->Length / sizeof(WCHAR)) - (s1 - String1->Buffer); goto CompareCharacters; } s1 += 16 / sizeof(WCHAR); s2 += 16 / sizeof(WCHAR); } while (--length != 0); } // Compare character-by-character because we have no more 16-byte blocks to compare. l1 = (l1 & 15) / sizeof(WCHAR); } } else { length = l1 / sizeof(ULONG_PTR); if (length != 0) { do { if (*(PULONG_PTR)s1 != *(PULONG_PTR)s2) { l1 = (String1->Length / sizeof(WCHAR)) - (s1 - String1->Buffer); goto CompareCharacters; } s1 += sizeof(ULONG_PTR) / sizeof(WCHAR); s2 += sizeof(ULONG_PTR) / sizeof(WCHAR); } while (--length != 0); } // Compare character-by-character because we have no more ULONG_PTR blocks to compare. l1 = (l1 & (sizeof(ULONG_PTR) - 1)) / sizeof(WCHAR); } CompareCharacters: if (l1 != 0) { if (IgnoreCase) { do { c1 = *s1; c2 = *s2; if (c1 != c2) { c1 = PhUpcaseUnicodeChar(c1); c2 = PhUpcaseUnicodeChar(c2); if (c1 != c2) return FALSE; } s1++; s2++; } while (--l1 != 0); } else { do { c1 = *s1; c2 = *s2; if (c1 != c2) return FALSE; s1++; s2++; } while (--l1 != 0); } } return TRUE; } /** * Locates a character in a string. * * \param String The string to search. * \param Character The character to search for. * \param IgnoreCase TRUE to perform a case-insensitive search, otherwise FALSE. * \return The index, in characters, of the first occurrence of \a Character in \a String1. If * \a Character was not found, -1 is returned. */ ULONG_PTR PhFindCharInStringRef( _In_ PCPH_STRINGREF String, _In_ WCHAR Character, _In_ BOOLEAN IgnoreCase ) { PWSTR buffer; SIZE_T length; buffer = String->Buffer; length = String->Length / sizeof(WCHAR); if (IgnoreCase) { if (Character <= 0xFF && Character != 0x00DF) { #ifndef _ARM64_ if (PhHasAVX) { SIZE_T length32; length32 = String->Length / 32; length &= 15; if (length32 != 0) { __m256i pattern; __m256i block; ULONG mask; ULONG index; WCHAR upC = PhUpcaseUnicodeChar(Character); pattern = _mm256_set1_epi16(upC); do { block = _mm256_loadu_si256((__m256i*)buffer); block = PhUppercaseLatin1INT256by16(block); block = _mm256_cmpeq_epi16(block, pattern); mask = _mm256_movemask_epi8(block); if (mask != 0) { if (_BitScanForward(&index, mask)) { _mm256_zeroupper(); return (buffer - String->Buffer) + index / 2; } } buffer += 16; } while (--length32 != 0); _mm256_zeroupper(); } } else #endif if (PhHasIntrinsics) { SIZE_T length16; length16 = String->Length / 16; length &= 7; if (length16 != 0) { PH_INT128 pattern; PH_INT128 block; ULONG mask; ULONG index; WCHAR upC = PhUpcaseUnicodeChar(Character); pattern = PhSetINT128by16(upC); do { block = PhLoadINT128U((PLONG)buffer); block = PhUppercaseLatin1INT128by16(block); block = PhCompareEqINT128by16(block, pattern); mask = PhMoveMaskINT128by8(block); if (_BitScanForward(&index, mask)) { return (buffer - String->Buffer) + index / 2; } buffer += 8; } while (--length16 != 0); } } } else { WCHAR upC = PhUpcaseUnicodeChar(Character); WCHAR lowC = PhDowncaseUnicodeChar(Character); if (upC == lowC) { // Not a casing character, use standard path. return PhFindCharInStringRef(String, Character, FALSE); } #ifndef _ARM64_ if (PhHasAVX) { SIZE_T length32; length32 = String->Length / 32; length &= 15; if (length32 != 0) { __m256i patUp; __m256i patLow; __m256i block; ULONG mask; ULONG index; patUp = _mm256_set1_epi16(upC); patLow = _mm256_set1_epi16(lowC); do { block = _mm256_loadu_si256((__m256i*)buffer); block = _mm256_or_si256(_mm256_cmpeq_epi16(block, patUp), _mm256_cmpeq_epi16(block, patLow)); mask = _mm256_movemask_epi8(block); if (mask != 0) { if (_BitScanForward(&index, mask)) { _mm256_zeroupper(); return (buffer - String->Buffer) + index / 2; } } buffer += 16; } while (--length32 != 0); _mm256_zeroupper(); } } else #endif if (PhHasIntrinsics) { SIZE_T length16; length16 = String->Length / 16; length &= 7; if (length16 != 0) { PH_INT128 patUp; PH_INT128 patLow; PH_INT128 block; ULONG mask; ULONG index; patUp = PhSetINT128by16(upC); patLow = PhSetINT128by16(lowC); do { block = PhLoadINT128U((PLONG)buffer); block = PhOrINT128(PhCompareEqINT128by16(block, patUp), PhCompareEqINT128by16(block, patLow)); mask = PhMoveMaskINT128by8(block); if (_BitScanForward(&index, mask)) { return (buffer - String->Buffer) + index / 2; } buffer += 8; } while (--length16 != 0); } } } if (length != 0) { WCHAR c; c = PhUpcaseUnicodeChar(Character); do { if (PhUpcaseUnicodeChar(*buffer) == c) { return (ULONG_PTR)(buffer - String->Buffer); } buffer++; } while (--length != 0); } } else { #ifndef _ARM64_ if (PhHasAVX) { SIZE_T length32; length32 = String->Length / 32; length &= 15; if (length32 != 0) { __m256i pattern; __m256i block; ULONG mask; ULONG index; pattern = _mm256_set1_epi16(Character); do { block = _mm256_loadu_si256((__m256i*)buffer); block = _mm256_cmpeq_epi16(block, pattern); mask = _mm256_movemask_epi8(block); if (_BitScanForward(&index, mask)) { _mm256_zeroupper(); return (buffer - String->Buffer) + index / 2; } buffer += 16; } while (--length32 != 0); _mm256_zeroupper(); } } else #endif if (PhHasIntrinsics) { SIZE_T length16; length16 = String->Length / 16; length &= 7; if (length16 != 0) { PH_INT128 pattern; PH_INT128 block; ULONG mask; ULONG index; pattern = PhSetINT128by16(Character); do { block = PhLoadINT128U((PLONG)buffer); block = PhCompareEqINT128by16(block, pattern); mask = PhMoveMaskINT128by8(block); if (_BitScanForward(&index, mask)) { return (buffer - String->Buffer) + index / 2; } buffer += 16 / sizeof(WCHAR); } while (--length16 != 0); } } if (length != 0) { do { if (*buffer == Character) return (ULONG_PTR)(buffer - String->Buffer); buffer++; } while (--length != 0); } } return SIZE_MAX; } /** * Locates a character in a string, searching backwards. * * \param String The string to search. * \param Character The character to search for. * \param IgnoreCase TRUE to perform a case-insensitive search, otherwise FALSE. * \return The index, in characters, of the last occurrence of \a Character in \a String1. If * \a Character was not found, -1 is returned. */ ULONG_PTR PhFindLastCharInStringRef( _In_ PCPH_STRINGREF String, _In_ WCHAR Character, _In_ BOOLEAN IgnoreCase ) { PWCHAR buffer; SIZE_T length; buffer = PTR_ADD_OFFSET(String->Buffer, String->Length); length = String->Length / sizeof(WCHAR); if (IgnoreCase) { if (Character <= 0xFF && Character != 0x00DF) { #ifndef _ARM64_ if (PhHasAVX) { SIZE_T length32; length32 = String->Length / 32; length &= 15; if (length32 != 0) { __m256i pattern; __m256i block; ULONG mask; ULONG index; WCHAR upC = PhUpcaseUnicodeChar(Character); pattern = _mm256_set1_epi16(upC); do { buffer -= 16; block = _mm256_loadu_si256((__m256i*)buffer); block = PhUppercaseLatin1INT256by16(block); block = _mm256_cmpeq_epi16(block, pattern); mask = _mm256_movemask_epi8(block); if (mask != 0) { if (_BitScanReverse(&index, mask)) { _mm256_zeroupper(); return (buffer - String->Buffer) + index / 2; } } } while (--length32 != 0); _mm256_zeroupper(); } } else #endif if (PhHasIntrinsics) { SIZE_T length16; length16 = String->Length / 16; length &= 7; if (length16 != 0) { PH_INT128 pattern; PH_INT128 block; ULONG mask; ULONG index; WCHAR upC = PhUpcaseUnicodeChar(Character); pattern = PhSetINT128by16(upC); do { buffer -= 8; block = PhLoadINT128U((PLONG)buffer); block = PhUppercaseLatin1INT128by16(block); block = PhCompareEqINT128by16(block, pattern); mask = PhMoveMaskINT128by8(block); if (mask != 0) { if (_BitScanReverse(&index, mask)) { return (buffer - String->Buffer) + index / 2; } } } while (--length16 != 0); } } } else { WCHAR upC = PhUpcaseUnicodeChar(Character); WCHAR lowC = PhDowncaseUnicodeChar(Character); if (upC == lowC) { // Not a casing character, use standard path. return PhFindLastCharInStringRef(String, Character, FALSE); } #ifndef _ARM64_ if (PhHasAVX) { SIZE_T length32; length32 = String->Length / 32; length &= 15; if (length32 != 0) { __m256i patUp; __m256i patLow; __m256i block; ULONG mask; ULONG index; patUp = _mm256_set1_epi16(upC); patLow = _mm256_set1_epi16(lowC); do { buffer -= 16; block = _mm256_loadu_si256((__m256i*)buffer); block = _mm256_or_si256(_mm256_cmpeq_epi16(block, patUp), _mm256_cmpeq_epi16(block, patLow)); mask = _mm256_movemask_epi8(block); if (mask != 0) { if (_BitScanReverse(&index, mask)) { _mm256_zeroupper(); return (buffer - String->Buffer) + index / 2; } } } while (--length32 != 0); _mm256_zeroupper(); } } else #endif if (PhHasIntrinsics) { SIZE_T length16; length16 = String->Length / 16; length &= 7; if (length16 != 0) { PH_INT128 patUp; PH_INT128 patLow; PH_INT128 block; ULONG mask; ULONG index; patUp = PhSetINT128by16(upC); patLow = PhSetINT128by16(lowC); do { buffer -= 8; block = PhLoadINT128U((PLONG)buffer); block = PhOrINT128(PhCompareEqINT128by16(block, patUp), PhCompareEqINT128by16(block, patLow)); mask = PhMoveMaskINT128by8(block); if (mask != 0) { if (_BitScanReverse(&index, mask)) { return (buffer - String->Buffer) + index / 2; } } } while (--length16 != 0); } } } if (length != 0) { WCHAR c; c = PhUpcaseUnicodeChar(Character); buffer--; do { if (PhUpcaseUnicodeChar(*buffer) == c) return (ULONG_PTR)(buffer - String->Buffer); buffer--; } while (--length != 0); } } else { #ifndef _ARM64_ if (PhHasAVX) { SIZE_T length32; length32 = String->Length / 32; length &= 15; if (length32 != 0) { __m256i pattern; __m256i block; ULONG mask; ULONG index; pattern = _mm256_set1_epi16(Character); do { buffer -= 16; block = _mm256_loadu_si256((__m256i*)buffer); block = _mm256_cmpeq_epi16(block, pattern); mask = _mm256_movemask_epi8(block); if (_BitScanReverse(&index, mask)) { _mm256_zeroupper(); return (buffer - String->Buffer) + index / 2; } } while (--length32 != 0); _mm256_zeroupper(); } } else #endif if (PhHasIntrinsics) { SIZE_T length16; length16 = String->Length / 16; length &= 7; if (length16 != 0) { PH_INT128 pattern; PH_INT128 block; ULONG mask; ULONG index; pattern = PhSetINT128by16(Character); do { buffer -= 8; block = PhLoadINT128U((PLONG)buffer); block = PhCompareEqINT128by16(block, pattern); mask = PhMoveMaskINT128by8(block); if (_BitScanReverse(&index, mask)) { return (buffer - String->Buffer) + index / 2; } } while (--length16 != 0); } } if (length != 0) { buffer--; do { if (*buffer == Character) return (ULONG_PTR)(buffer - String->Buffer); buffer--; } while (--length != 0); } } return SIZE_MAX; } /** * Locates a string in a string. * * \param String The string to search. * \param SubString The string to search for. * \param IgnoreCase TRUE to perform a case-insensitive search, otherwise FALSE. * \return The index, in characters, of the first occurrence of \a SubString in \a String. If * \a SubString was not found, -1 is returned. */ ULONG_PTR PhFindStringInStringRef( _In_ PCPH_STRINGREF String, _In_ PCPH_STRINGREF SubString, _In_ BOOLEAN IgnoreCase ) { SIZE_T length1; SIZE_T length2; length1 = String->Length / sizeof(WCHAR); length2 = SubString->Length / sizeof(WCHAR); // Can't be a substring if it's bigger than the first string. if (length2 > length1) return SIZE_MAX; // We always get a match if the substring is zero-length. if (length2 == 0) return 0; #if defined(PH_NATIVE_STRING_IN_STRING) { PH_STRINGREF haystackRef; PH_STRINGREF sr1; PH_STRINGREF sr2; WCHAR c; PWSTR haystack; SIZE_T haystackCount; if (length2 == 1) return PhFindCharInStringRef(String, SubString->Buffer[0], IgnoreCase); haystack = String->Buffer; haystackCount = length1 - length2 + 1; sr2.Buffer = SubString->Buffer + 1; sr2.Length = SubString->Length - sizeof(WCHAR); sr1.Length = sr2.Length; if (IgnoreCase) { c = PhUpcaseUnicodeChar(SubString->Buffer[0]); while (haystackCount > 0) { haystackRef.Buffer = haystack; haystackRef.Length = haystackCount * sizeof(WCHAR); ULONG_PTR offset = PhFindCharInStringRef(&haystackRef, c, TRUE); if (offset == SIZE_MAX) break; haystack += offset; haystackCount -= offset; sr1.Buffer = haystack + 1; if (PhEqualStringRef(&sr1, &sr2, TRUE)) return (ULONG_PTR)(haystack - String->Buffer); haystack++; haystackCount--; } } else { c = SubString->Buffer[0]; while (haystackCount > 0) { haystackRef.Buffer = haystack; haystackRef.Length = haystackCount * sizeof(WCHAR); ULONG_PTR offset = PhFindCharInStringRef(&haystackRef, c, FALSE); if (offset == SIZE_MAX) break; haystack += offset; haystackCount -= offset; sr1.Buffer = haystack + 1; if (PhEqualStringRef(&sr1, &sr2, FALSE)) return (ULONG_PTR)(haystack - String->Buffer); haystack++; haystackCount--; } } } #else { PH_STRINGREF sr1; PH_STRINGREF sr2; WCHAR c; SIZE_T i; sr1.Buffer = String->Buffer; sr1.Length = SubString->Length - sizeof(WCHAR); sr2.Buffer = SubString->Buffer; sr2.Length = SubString->Length - sizeof(WCHAR); if (IgnoreCase) { c = PhUpcaseUnicodeChar(*sr2.Buffer++); for (i = length1 - length2 + 1; i != 0; i--) { if (PhUpcaseUnicodeChar(*sr1.Buffer++) == c && PhEqualStringRef(&sr1, &sr2, TRUE)) { goto FoundUString; } } } else { c = *sr2.Buffer++; for (i = length1 - length2 + 1; i != 0; i--) { if (*sr1.Buffer++ == c && PhEqualStringRef(&sr1, &sr2, FALSE)) { goto FoundUString; } } } return SIZE_MAX; FoundUString: return (ULONG_PTR)(sr1.Buffer - String->Buffer - 1); } #endif return SIZE_MAX; } /** * Splits a string. * * \param Input The input string. * \param Separator The character to split at. * \param FirstPart A variable which receives the part of \a Input before the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * \a Input. * \param SecondPart A variable which receives the part of \a Input after the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * an empty string. * \return TRUE if \a Separator was found in \a Input, otherwise FALSE. */ BOOLEAN PhSplitStringRefAtChar( _In_ PCPH_STRINGREF Input, _In_ WCHAR Separator, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart ) { PH_STRINGREF input; ULONG_PTR index; input = *Input; // get a copy of the input because FirstPart/SecondPart may alias Input index = PhFindCharInStringRef(Input, Separator, FALSE); if (index == SIZE_MAX) { // The separator was not found. FirstPart->Buffer = Input->Buffer; FirstPart->Length = Input->Length; SecondPart->Buffer = NULL; SecondPart->Length = 0; return FALSE; } FirstPart->Buffer = input.Buffer; FirstPart->Length = index * sizeof(WCHAR); SecondPart->Buffer = PTR_ADD_OFFSET(input.Buffer, index * sizeof(WCHAR) + sizeof(UNICODE_NULL)); SecondPart->Length = input.Length - index * sizeof(WCHAR) - sizeof(UNICODE_NULL); return TRUE; } /** * Splits a string at the last occurrence of a character. * * \param Input The input string. * \param Separator The character to split at. * \param FirstPart A variable which receives the part of \a Input before the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * \a Input. * \param SecondPart A variable which receives the part of \a Input after the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * an empty string. * \return TRUE if \a Separator was found in \a Input, otherwise FALSE. */ BOOLEAN PhSplitStringRefAtLastChar( _In_ PCPH_STRINGREF Input, _In_ WCHAR Separator, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart ) { PH_STRINGREF input; ULONG_PTR index; input = *Input; // get a copy of the input because FirstPart/SecondPart may alias Input index = PhFindLastCharInStringRef(Input, Separator, FALSE); if (index == SIZE_MAX) { // The separator was not found. FirstPart->Buffer = Input->Buffer; FirstPart->Length = Input->Length; SecondPart->Buffer = NULL; SecondPart->Length = 0; return FALSE; } FirstPart->Buffer = input.Buffer; FirstPart->Length = index * sizeof(WCHAR); SecondPart->Buffer = PTR_ADD_OFFSET(input.Buffer, (index + 1) * sizeof(WCHAR)); SecondPart->Length = input.Length - (index + 1) * sizeof(WCHAR); return TRUE; } /** * Splits a string. * * \param Input The input string. * \param Separator The string to split at. * \param IgnoreCase TRUE to perform a case-insensitive search, otherwise FALSE. * \param FirstPart A variable which receives the part of \a Input before the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * \a Input. * \param SecondPart A variable which receives the part of \a Input after the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * an empty string. * \return TRUE if \a Separator was found in \a Input, otherwise FALSE. */ BOOLEAN PhSplitStringRefAtString( _In_ PCPH_STRINGREF Input, _In_ PCPH_STRINGREF Separator, _In_ BOOLEAN IgnoreCase, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart ) { PH_STRINGREF input; ULONG_PTR index; input = *Input; // get a copy of the input because FirstPart/SecondPart may alias Input index = PhFindStringInStringRef(Input, Separator, IgnoreCase); if (index == SIZE_MAX) { // The separator was not found. FirstPart->Buffer = Input->Buffer; FirstPart->Length = Input->Length; SecondPart->Buffer = NULL; SecondPart->Length = 0; return FALSE; } FirstPart->Buffer = input.Buffer; FirstPart->Length = index * sizeof(WCHAR); SecondPart->Buffer = PTR_ADD_OFFSET(input.Buffer, index * sizeof(WCHAR) + Separator->Length); SecondPart->Length = input.Length - index * sizeof(WCHAR) - Separator->Length; return TRUE; } /** * Splits a string. * * \param Input The input string. * \param Separator The character set, string or range to split at. * \param Flags A combination of flags. * \li \c PH_SPLIT_AT_CHAR_SET \a Separator specifies a character set. \a Input will be split at a * character which is contained in \a Separator. * \li \c PH_SPLIT_AT_STRING \a Separator specifies a string. \a Input will be split an occurrence * of \a Separator. * \li \c PH_SPLIT_AT_RANGE \a Separator specifies a range. The \a Buffer field contains a character * index cast to \c PWSTR and the \a Length field contains the length of the range, in bytes. * \li \c PH_SPLIT_CASE_INSENSITIVE Specifies a case-insensitive search. * \li \c PH_SPLIT_COMPLEMENT_CHAR_SET If used with \c PH_SPLIT_AT_CHAR_SET, the separator is a * character which is not contained in \a Separator. * \li \c PH_SPLIT_START_AT_END If used with \c PH_SPLIT_AT_CHAR_SET, the search is performed * starting from the end of the string. * \li \c PH_SPLIT_CHAR_SET_IS_UPPERCASE If used with \c PH_SPLIT_CASE_INSENSITIVE, specifies that * the character set in \a Separator contains only uppercase characters. * \param FirstPart A variable which receives the part of \a Input before the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * \a Input. * \param SecondPart A variable which receives the part of \a Input after the separator. This may be * the same variable as \a Input. If the separator is not found in \a Input, this variable is set to * an empty string. * \param SeparatorPart A variable which receives the part of \a Input that is the separator. If the * separator is not found in \a Input, this variable is set to an empty string. * \return TRUE if a separator was found in \a Input, otherwise FALSE. */ BOOLEAN PhSplitStringRefEx( _In_ PCPH_STRINGREF Input, _In_ PCPH_STRINGREF Separator, _In_ ULONG Flags, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart, _Out_opt_ PPH_STRINGREF SeparatorPart ) { PH_STRINGREF input; SIZE_T separatorIndex; SIZE_T separatorLength; PWCHAR charSet; SIZE_T charSetCount; BOOLEAN charSetTable[256]; BOOLEAN charSetTableComplete; SIZE_T i; SIZE_T j; USHORT c; PWCHAR s; LONG_PTR direction; input = *Input; // Get a copy of the input because FirstPart/SecondPart/SeparatorPart may alias Input if (Flags & PH_SPLIT_AT_RANGE) { separatorIndex = (SIZE_T)Separator->Buffer; separatorLength = Separator->Length; if (separatorIndex == SIZE_MAX) goto SeparatorNotFound; goto SeparatorFound; } else if (Flags & PH_SPLIT_AT_STRING) { if (Flags & PH_SPLIT_START_AT_END) { // not implemented goto SeparatorNotFound; } separatorIndex = PhFindStringInStringRef(Input, Separator, !!(Flags & PH_SPLIT_CASE_INSENSITIVE)); if (separatorIndex == SIZE_MAX) goto SeparatorNotFound; separatorLength = Separator->Length; goto SeparatorFound; } // Special case for character sets with only one character. if (!(Flags & PH_SPLIT_COMPLEMENT_CHAR_SET) && Separator->Length == sizeof(WCHAR)) { if (!(Flags & PH_SPLIT_START_AT_END)) separatorIndex = PhFindCharInStringRef(Input, Separator->Buffer[0], !!(Flags & PH_SPLIT_CASE_INSENSITIVE)); else separatorIndex = PhFindLastCharInStringRef(Input, Separator->Buffer[0], !!(Flags & PH_SPLIT_CASE_INSENSITIVE)); if (separatorIndex == SIZE_MAX) goto SeparatorNotFound; separatorLength = sizeof(WCHAR); goto SeparatorFound; } if (input.Length == 0) goto SeparatorNotFound; // Build the character set lookup table. charSet = Separator->Buffer; charSetCount = Separator->Length / sizeof(WCHAR); memset(charSetTable, 0, sizeof(charSetTable)); charSetTableComplete = TRUE; for (i = 0; i < charSetCount; i++) { c = charSet[i]; if (Flags & PH_SPLIT_CASE_INSENSITIVE) c = PhUpcaseUnicodeChar(c); charSetTable[c & 0xff] = TRUE; if (c >= 256) charSetTableComplete = FALSE; } // Perform the search. i = input.Length / sizeof(WCHAR); separatorLength = sizeof(WCHAR); if (!(Flags & PH_SPLIT_START_AT_END)) { s = input.Buffer; direction = 1; } else { s = PTR_ADD_OFFSET(input.Buffer, input.Length - sizeof(WCHAR)); direction = -1; } do { c = *s; if (Flags & PH_SPLIT_CASE_INSENSITIVE) c = PhUpcaseUnicodeChar(c); if (c < 256 && charSetTableComplete) { if (!(Flags & PH_SPLIT_COMPLEMENT_CHAR_SET)) { if (charSetTable[c]) goto CharFound; } else { if (!charSetTable[c]) goto CharFound; } } else { if (!(Flags & PH_SPLIT_COMPLEMENT_CHAR_SET)) { if (charSetTable[c & 0xff]) { if (!(Flags & PH_SPLIT_CASE_INSENSITIVE) || (Flags & PH_SPLIT_CHAR_SET_IS_UPPERCASE)) { for (j = 0; j < charSetCount; j++) { if (charSet[j] == c) goto CharFound; } } else { for (j = 0; j < charSetCount; j++) { if (PhUpcaseUnicodeChar(charSet[j]) == c) goto CharFound; } } } } else { if (charSetTable[c & 0xff]) { if (!(Flags & PH_SPLIT_CASE_INSENSITIVE) || (Flags & PH_SPLIT_CHAR_SET_IS_UPPERCASE)) { for (j = 0; j < charSetCount; j++) { if (charSet[j] == c) break; } } else { for (j = 0; j < charSetCount; j++) { if (PhUpcaseUnicodeChar(charSet[j]) == c) break; } } if (j == charSetCount) goto CharFound; } else { goto CharFound; } } } s += direction; } while (--i != 0); goto SeparatorNotFound; CharFound: separatorIndex = s - input.Buffer; SeparatorFound: FirstPart->Buffer = input.Buffer; FirstPart->Length = separatorIndex * sizeof(WCHAR); SecondPart->Buffer = PTR_ADD_OFFSET(input.Buffer, separatorIndex * sizeof(WCHAR) + separatorLength); SecondPart->Length = input.Length - separatorIndex * sizeof(WCHAR) - separatorLength; if (SeparatorPart) { SeparatorPart->Buffer = input.Buffer + separatorIndex; SeparatorPart->Length = separatorLength; } return TRUE; SeparatorNotFound: FirstPart->Buffer = input.Buffer; FirstPart->Length = input.Length; SecondPart->Buffer = NULL; SecondPart->Length = 0; if (SeparatorPart) { SeparatorPart->Buffer = NULL; SeparatorPart->Length = 0; } return FALSE; } VOID PhSplitStringRef( _In_ PCPH_STRINGREF Input, _In_ WCHAR Separator, _Out_ PVOID **Strings, _Out_ PULONG NumberOfStrings ) { PH_ARRAY array; PH_STRINGREF remainingPart; PH_STRINGREF part; PhInitializeArray(&array, sizeof(PPH_STRING), 4); remainingPart = *Input; while (PhSplitStringRefAtChar(&remainingPart, Separator, &part, &remainingPart)) { if (part.Length > 0) { PPH_STRING string = PhCreateString2(&part); PhAddItemArray(&array, &string); } } if (remainingPart.Length > 0) { PPH_STRING string = PhCreateString2(&remainingPart); PhAddItemArray(&array, &string); } *NumberOfStrings = (ULONG)PhFinalArrayCount(&array); *Strings = (PVOID *)PhFinalArrayItems(&array); } VOID PhFreeStringArray( _In_ PVOID *Strings, _In_ ULONG NumberOfStrings ) { for (ULONG i = 0; i < NumberOfStrings; i++) { PhDereferenceObject(Strings[i]); } PhFree(Strings); } /** * Trims characters from the beginning and/or end of a string reference. * * \param String Pointer to a PH_STRINGREF structure representing the string to be trimmed. The string is modified in place. * \param CharSet Pointer to a PH_STRINGREF structure containing the set of characters to trim from the string. * \param Flags Specifies trimming options. Can be used to indicate whether to trim from the left, right, or both ends. * \remarks This function removes all characters specified in CharSet from the start and/or end of the string referenced by String, * depending on the Flags provided. */ VOID PhTrimStringRef( _Inout_ PPH_STRINGREF String, _In_ PCPH_STRINGREF CharSet, _In_ ULONG Flags ) { PWCHAR charSet; SIZE_T charSetCount; BOOLEAN charSetTable[256]; BOOLEAN charSetTableComplete; SIZE_T i; SIZE_T j; USHORT c; SIZE_T trimCount; SIZE_T count; PWCHAR s; if (!String->Buffer || String->Length == 0 || CharSet->Length == 0) return; if (CharSet->Length == sizeof(WCHAR)) { c = CharSet->Buffer[0]; if (!(Flags & PH_TRIM_END_ONLY)) { trimCount = 0; count = String->Length / sizeof(WCHAR); s = String->Buffer; while (count-- != 0) { if (*s++ != c) break; trimCount++; } PhSkipStringRef(String, trimCount * sizeof(WCHAR)); } if (!(Flags & PH_TRIM_START_ONLY)) { trimCount = 0; count = String->Length / sizeof(WCHAR); s = PTR_ADD_OFFSET(String->Buffer, String->Length - sizeof(WCHAR)); while (count-- != 0) { if (*s-- != c) break; trimCount++; } String->Length -= trimCount * sizeof(WCHAR); } return; } // Build the character set lookup table. charSet = CharSet->Buffer; charSetCount = CharSet->Length / sizeof(WCHAR); memset(charSetTable, 0, sizeof(charSetTable)); charSetTableComplete = TRUE; for (i = 0; i < charSetCount; i++) { c = charSet[i]; charSetTable[c & 0xff] = TRUE; if (c >= 256) charSetTableComplete = FALSE; } // Trim the string. if (!(Flags & PH_TRIM_END_ONLY)) { trimCount = 0; count = String->Length / sizeof(WCHAR); s = String->Buffer; while (count-- != 0) { c = *s++; if (!charSetTable[c & 0xff]) break; if (!charSetTableComplete) { for (j = 0; j < charSetCount; j++) { if (charSet[j] == c) goto CharFound; } break; } CharFound: trimCount++; } PhSkipStringRef(String, trimCount * sizeof(WCHAR)); } if (!(Flags & PH_TRIM_START_ONLY)) { trimCount = 0; count = String->Length / sizeof(WCHAR); s = PTR_ADD_OFFSET(String->Buffer, String->Length - sizeof(WCHAR)); while (count-- != 0) { c = *s--; if (!charSetTable[c & 0xff]) break; if (!charSetTableComplete) { for (j = 0; j < charSetCount; j++) { if (charSet[j] == c) goto CharFound2; } break; } CharFound2: trimCount++; } String->Length -= trimCount * sizeof(WCHAR); } } /** * Creates a string object using a specified length. * * \param Buffer A null-terminated Unicode string. * \param Length The length, in bytes, of the string. */ _Use_decl_annotations_ PPH_STRING PhCreateStringEx( _In_reads_bytes_opt_(Length) PCWCHAR Buffer, _In_ SIZE_T Length ) { PPH_STRING string; string = PhCreateObject( UFIELD_OFFSET(PH_STRING, Data) + Length + sizeof(UNICODE_NULL), PhStringType ); assert(!(Length & 1)); string->Length = Length; string->Buffer = string->Data; *(PWCHAR)PTR_ADD_OFFSET(string->Buffer, Length) = UNICODE_NULL; if (Buffer) { memcpy(string->Buffer, Buffer, Length); } return string; } /** * Creates a string object using a specified length and mode. * * \param String A string reference to create a new string object from. * \param Flags A combination of PH_STRING flags. * \param TrimCharSet A string containing characters to trim. If NULL, no trimming is performed. */ _Use_decl_annotations_ PPH_STRING PhCreateString3( _In_ PCPH_STRINGREF String, _In_ ULONG Flags, _In_opt_ PCPH_STRINGREF TrimCharSet ) { PPH_STRING string; PH_STRINGREF sr; sr = *String; if (TrimCharSet) PhTrimStringRef(&sr, TrimCharSet, Flags & PH_STRING_TRIM_MASK); string = PhCreateObject( UFIELD_OFFSET(PH_STRING, Data) + sr.Length + sizeof(UNICODE_NULL), // Null terminator for compatibility PhStringType ); assert(!(sr.Length & 1)); string->Length = sr.Length; string->Buffer = string->Data; *(PWCHAR)PTR_ADD_OFFSET(string->Buffer, sr.Length) = UNICODE_NULL; if (!sr.Buffer) return string; if (!(Flags & PH_STRING_CASE_MASK)) { memcpy(string->Buffer, sr.Buffer, sr.Length); return string; } if (Flags & PH_STRING_UPPER_CASE) PhUpperStringRefInto(&string->sr, &sr); else PhLowerStringRefInto(&string->sr, &sr); return string; } /** * Obtains a reference to a zero-length string. */ PPH_STRING PhReferenceEmptyString( VOID ) { PPH_STRING string; PPH_STRING newString; // Initial lightweight atomic read string = ReadPointerAcquire(&PhSharedEmptyString); if (!string) { newString = PhCreateStringEx(NULL, 0); // Final atomic compare-and-swap string = InterlockedCompareExchangePointer( &PhSharedEmptyString, newString, NULL ); if (string) { PhDereferenceObject(newString); } else { string = newString; // success } } return PhReferenceObject(string); } /** * Concatenates multiple strings. * * \param Count The number of strings to concatenate. * \param ... The list of strings. */ _Use_decl_annotations_ PPH_STRING PhConcatStrings( _In_ ULONG Count, ... ) { PPH_STRING string; va_list argptr; va_start(argptr, Count); string = PhConcatStrings_V(Count, argptr); va_end(argptr); return string; } /** * Concatenates multiple strings. * * \param Count The number of strings to concatenate. * \param ArgPtr A pointer to an array of strings. */ _Use_decl_annotations_ PPH_STRING PhConcatStrings_V( _In_ ULONG Count, _In_ va_list ArgPtr ) { va_list argptr; ULONG i; SIZE_T totalLength = 0; SIZE_T stringLength; SIZE_T cachedLengths[PH_CONCAT_STRINGS_LENGTH_CACHE_SIZE]; PWSTR arg; PPH_STRING string; // Compute the total length, in bytes, of the strings. argptr = ArgPtr; for (i = 0; i < Count; i++) { arg = va_arg(argptr, PWSTR); stringLength = PhCountStringZ(arg) * sizeof(WCHAR); totalLength += stringLength; if (i < PH_CONCAT_STRINGS_LENGTH_CACHE_SIZE) cachedLengths[i] = stringLength; } // Create the string. string = PhCreateStringEx(NULL, totalLength); totalLength = 0; // Append the strings one by one. argptr = ArgPtr; for (i = 0; i < Count; i++) { arg = va_arg(argptr, PWSTR); if (i < PH_CONCAT_STRINGS_LENGTH_CACHE_SIZE) stringLength = cachedLengths[i]; else stringLength = PhCountStringZ(arg) * sizeof(WCHAR); memcpy( PTR_ADD_OFFSET(string->Buffer, totalLength), arg, stringLength ); totalLength += stringLength; } return string; } /** * Concatenates two strings. * * \param String1 The first string. * \param String2 The second string. */ _Use_decl_annotations_ PPH_STRING PhConcatStrings2( _In_ PCWSTR String1, _In_ PCWSTR String2 ) { PPH_STRING string; SIZE_T length1; SIZE_T length2; length1 = PhCountStringZ(String1) * sizeof(WCHAR); length2 = PhCountStringZ(String2) * sizeof(WCHAR); string = PhCreateStringEx(NULL, length1 + length2); memcpy( string->Buffer, String1, length1 ); memcpy( PTR_ADD_OFFSET(string->Buffer, length1), String2, length2 ); return string; } /** * Concatenates two strings. * * \param String1 The first string. * \param String2 The second string. */ _Use_decl_annotations_ PPH_STRING PhConcatStringRef2( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2 ) { PPH_STRING string; assert(!(String1->Length & 1)); assert(!(String2->Length & 1)); string = PhCreateStringEx(NULL, String1->Length + String2->Length); memcpy( string->Buffer, String1->Buffer, String1->Length ); memcpy( PTR_ADD_OFFSET(string->Buffer, String1->Length), String2->Buffer, String2->Length ); return string; } /** * Concatenates three strings. * * \param String1 The first string. * \param String2 The second string. * \param String3 The third string. */ _Use_decl_annotations_ PPH_STRING PhConcatStringRef3( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ PCPH_STRINGREF String3 ) { PPH_STRING string; PCHAR buffer; assert(!(String1->Length & 1)); assert(!(String2->Length & 1)); assert(!(String3->Length & 1)); string = PhCreateStringEx(NULL, String1->Length + String2->Length + String3->Length); buffer = (PCHAR)string->Buffer; memcpy(buffer, String1->Buffer, String1->Length); buffer += String1->Length; memcpy(buffer, String2->Buffer, String2->Length); buffer += String2->Length; memcpy(buffer, String3->Buffer, String3->Length); return string; } /** * Concatenates four strings. * * \param String1 The first string. * \param String2 The second string. * \param String3 The third string. * \param String4 The forth string. */ _Use_decl_annotations_ PPH_STRING PhConcatStringRef4( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ PCPH_STRINGREF String3, _In_ PCPH_STRINGREF String4 ) { PPH_STRING string; PCHAR buffer; assert(!(String1->Length & 1)); assert(!(String2->Length & 1)); assert(!(String3->Length & 1)); assert(!(String4->Length & 1)); string = PhCreateStringEx(NULL, String1->Length + String2->Length + String3->Length + String4->Length); buffer = (PCHAR)string->Buffer; memcpy(buffer, String1->Buffer, String1->Length); buffer += String1->Length; memcpy(buffer, String2->Buffer, String2->Length); buffer += String2->Length; memcpy(buffer, String3->Buffer, String3->Length); buffer += String3->Length; memcpy(buffer, String4->Buffer, String4->Length); return string; } /** * Creates a string using format specifiers. * * \param Format The format-control string. * \param ... The list of arguments. */ _Use_decl_annotations_ PPH_STRING PhFormatString( _In_ _Printf_format_string_ PCWSTR Format, ... ) { PPH_STRING string; va_list argptr; va_start(argptr, Format); string = PhFormatString_V(Format, argptr); va_end(argptr); return string; } /** * Creates a string using format specifiers. * * \param Format The format-control string. * \param ArgPtr A pointer to the list of arguments. */ _Use_decl_annotations_ PPH_STRING PhFormatString_V( _In_ _Printf_format_string_ PCWSTR Format, _In_ va_list ArgPtr ) { PPH_STRING string; LONG length; length = _vscwprintf(Format, ArgPtr); if (length == INT_ERROR) return NULL; string = PhCreateStringEx(NULL, length * sizeof(WCHAR)); _vsnwprintf(string->Buffer, length, Format, ArgPtr); return string; } /** * Creates a bytes object. * * \param Buffer An array of bytes. * \param Length The length of \a Buffer, in bytes. */ PPH_BYTES PhCreateBytesEx( _In_opt_ PCCH Buffer, _In_ SIZE_T Length ) { PPH_BYTES bytes; bytes = PhCreateObject( UFIELD_OFFSET(PH_BYTES, Data) + Length + sizeof(ANSI_NULL), // Null terminator for compatibility PhBytesType ); bytes->Length = Length; bytes->Buffer = bytes->Data; bytes->Buffer[Length] = ANSI_NULL; if (Buffer) { memcpy(bytes->Buffer, Buffer, Length); } return bytes; } /** * Formats a string using the specified format and argument list. * * \param Format A printf-style format string. * \param ArgPtr A va_list containing the arguments to format. * \return A pointer to a PPH_BYTES structure containing the formatted string. */ PPH_BYTES PhFormatBytes_V( _In_ _Printf_format_string_ PCSTR Format, _In_ va_list ArgPtr ) { PPH_BYTES string; LONG length; length = _vscprintf(Format, ArgPtr); if (length == INT_ERROR) return NULL; string = PhCreateBytesEx(NULL, length * sizeof(CHAR)); _vsnprintf(string->Buffer, length, Format, ArgPtr); return string; } /** * Formats a sequence of bytes according to a specified format string. * * \param Format A printf-style format string that specifies how the bytes should be formatted. * \param ... Additional arguments required by the format string. * \return A pointer to a PPH_BYTES structure containing the formatted bytes. */ PPH_BYTES PhFormatBytes( _In_ _Printf_format_string_ PCSTR Format, ... ) { PPH_BYTES string; va_list argptr; va_start(argptr, Format); string = PhFormatBytes_V(Format, argptr); va_end(argptr); return string; } BOOLEAN PhWriteUnicodeDecoder( _Inout_ PPH_UNICODE_DECODER Decoder, _In_ ULONG CodeUnit ) { switch (Decoder->Encoding) { case PH_UNICODE_UTF8: if (Decoder->InputCount >= 4) return FALSE; Decoder->u.Utf8.Input[Decoder->InputCount] = (UCHAR)CodeUnit; Decoder->InputCount++; return TRUE; case PH_UNICODE_UTF16: if (Decoder->InputCount >= 2) return FALSE; Decoder->u.Utf16.Input[Decoder->InputCount] = (USHORT)CodeUnit; Decoder->InputCount++; return TRUE; case PH_UNICODE_UTF32: if (Decoder->InputCount >= 1) return FALSE; Decoder->u.Utf32.Input = CodeUnit; Decoder->InputCount = 1; return TRUE; default: PhRaiseStatus(STATUS_UNSUCCESSFUL); } } _Success_(return) BOOLEAN PhpReadUnicodeDecoder( _Inout_ PPH_UNICODE_DECODER Decoder, _Out_ PULONG CodeUnit ) { switch (Decoder->Encoding) { case PH_UNICODE_UTF8: if (Decoder->InputCount == 0) return FALSE; *CodeUnit = Decoder->u.Utf8.Input[0]; Decoder->u.Utf8.Input[0] = Decoder->u.Utf8.Input[1]; Decoder->u.Utf8.Input[1] = Decoder->u.Utf8.Input[2]; Decoder->u.Utf8.Input[2] = Decoder->u.Utf8.Input[3]; Decoder->InputCount--; return TRUE; case PH_UNICODE_UTF16: if (Decoder->InputCount == 0) return FALSE; *CodeUnit = Decoder->u.Utf16.Input[0]; Decoder->u.Utf16.Input[0] = Decoder->u.Utf16.Input[1]; Decoder->InputCount--; return TRUE; case PH_UNICODE_UTF32: if (Decoder->InputCount == 0) return FALSE; *CodeUnit = Decoder->u.Utf32.Input; Decoder->InputCount--; return TRUE; default: PhRaiseStatus(STATUS_UNSUCCESSFUL); } } VOID PhpUnreadUnicodeDecoder( _Inout_ PPH_UNICODE_DECODER Decoder, _In_ ULONG CodeUnit ) { switch (Decoder->Encoding) { case PH_UNICODE_UTF8: if (Decoder->InputCount >= 4) PhRaiseStatus(STATUS_UNSUCCESSFUL); Decoder->u.Utf8.Input[3] = Decoder->u.Utf8.Input[2]; Decoder->u.Utf8.Input[2] = Decoder->u.Utf8.Input[1]; Decoder->u.Utf8.Input[1] = Decoder->u.Utf8.Input[0]; Decoder->u.Utf8.Input[0] = (UCHAR)CodeUnit; Decoder->InputCount++; break; case PH_UNICODE_UTF16: if (Decoder->InputCount >= 2) PhRaiseStatus(STATUS_UNSUCCESSFUL); Decoder->u.Utf16.Input[1] = Decoder->u.Utf16.Input[0]; Decoder->u.Utf16.Input[0] = (USHORT)CodeUnit; Decoder->InputCount++; break; case PH_UNICODE_UTF32: if (Decoder->InputCount >= 1) PhRaiseStatus(STATUS_UNSUCCESSFUL); Decoder->u.Utf32.Input = CodeUnit; Decoder->InputCount = 1; break; default: PhRaiseStatus(STATUS_UNSUCCESSFUL); } } BOOLEAN PhpDecodeUtf8Error( _Inout_ PPH_UNICODE_DECODER Decoder, _Out_ PULONG CodePoint, _In_ ULONG Which ) { if (Which >= 4) PhpUnreadUnicodeDecoder(Decoder, Decoder->u.Utf8.CodeUnit4); if (Which >= 3) PhpUnreadUnicodeDecoder(Decoder, Decoder->u.Utf8.CodeUnit3); if (Which >= 2) PhpUnreadUnicodeDecoder(Decoder, Decoder->u.Utf8.CodeUnit2); *CodePoint = (ULONG)Decoder->u.Utf8.CodeUnit1 + 0xdc00; Decoder->State = 0; return TRUE; } _Use_decl_annotations_ BOOLEAN PhDecodeUnicodeDecoder( _Inout_ PPH_UNICODE_DECODER Decoder, _Out_ PULONG CodePoint ) { ULONG codeUnit; while (TRUE) { switch (Decoder->Encoding) { case PH_UNICODE_UTF8: if (!PhpReadUnicodeDecoder(Decoder, &codeUnit)) return FALSE; switch (Decoder->State) { case 0: Decoder->u.Utf8.CodeUnit1 = (UCHAR)codeUnit; if (codeUnit < 0x80) { *CodePoint = codeUnit; return TRUE; } else if (codeUnit < 0xc2) { return PhpDecodeUtf8Error(Decoder, CodePoint, 1); } else if (codeUnit < 0xe0) { Decoder->State = 1; // 2 byte sequence continue; } else if (codeUnit < 0xf0) { Decoder->State = 2; // 3 byte sequence continue; } else if (codeUnit < 0xf5) { Decoder->State = 3; // 4 byte sequence continue; } else { return PhpDecodeUtf8Error(Decoder, CodePoint, 1); } break; case 1: // 2 byte sequence Decoder->u.Utf8.CodeUnit2 = (UCHAR)codeUnit; if ((codeUnit & 0xc0) == 0x80) { *CodePoint = ((ULONG)Decoder->u.Utf8.CodeUnit1 << 6) + codeUnit - 0x3080; Decoder->State = 0; return TRUE; } else { return PhpDecodeUtf8Error(Decoder, CodePoint, 2); } break; case 2: // 3 byte sequence (1) Decoder->u.Utf8.CodeUnit2 = (UCHAR)codeUnit; if (((codeUnit & 0xc0) == 0x80) && (Decoder->u.Utf8.CodeUnit1 != 0xe0 || codeUnit >= 0xa0)) { Decoder->State = 4; // 3 byte sequence (2) continue; } else { return PhpDecodeUtf8Error(Decoder, CodePoint, 2); } break; case 3: // 4 byte sequence (1) Decoder->u.Utf8.CodeUnit2 = (UCHAR)codeUnit; if (((codeUnit & 0xc0) == 0x80) && (Decoder->u.Utf8.CodeUnit1 != 0xf0 || codeUnit >= 0x90) && (Decoder->u.Utf8.CodeUnit1 != 0xf4 || codeUnit < 0x90)) { Decoder->State = 5; // 4 byte sequence (2) continue; } else { return PhpDecodeUtf8Error(Decoder, CodePoint, 2); } break; case 4: // 3 byte sequence (2) Decoder->u.Utf8.CodeUnit3 = (UCHAR)codeUnit; if ((codeUnit & 0xc0) == 0x80) { *CodePoint = ((ULONG)Decoder->u.Utf8.CodeUnit1 << 12) + ((ULONG)Decoder->u.Utf8.CodeUnit2 << 6) + codeUnit - 0xe2080; Decoder->State = 0; return TRUE; } else { return PhpDecodeUtf8Error(Decoder, CodePoint, 3); } break; case 5: // 4 byte sequence (2) Decoder->u.Utf8.CodeUnit3 = (UCHAR)codeUnit; if ((codeUnit & 0xc0) == 0x80) { Decoder->State = 6; // 4 byte sequence (3) continue; } else { return PhpDecodeUtf8Error(Decoder, CodePoint, 3); } break; case 6: // 4 byte sequence (3) Decoder->u.Utf8.CodeUnit4 = (UCHAR)codeUnit; if ((codeUnit & 0xc0) == 0x80) { *CodePoint = ((ULONG)Decoder->u.Utf8.CodeUnit1 << 18) + ((ULONG)Decoder->u.Utf8.CodeUnit2 << 12) + ((ULONG)Decoder->u.Utf8.CodeUnit3 << 6) + codeUnit - 0x3c82080; Decoder->State = 0; return TRUE; } else { return PhpDecodeUtf8Error(Decoder, CodePoint, 4); } break; } return FALSE; case PH_UNICODE_UTF16: if (!PhpReadUnicodeDecoder(Decoder, &codeUnit)) return FALSE; switch (Decoder->State) { case 0: if (PH_UNICODE_UTF16_IS_HIGH_SURROGATE(codeUnit)) { Decoder->u.Utf16.CodeUnit = (USHORT)codeUnit; Decoder->State = 1; continue; } else { *CodePoint = codeUnit; return TRUE; } break; case 1: if (PH_UNICODE_UTF16_IS_LOW_SURROGATE(codeUnit)) { *CodePoint = PH_UNICODE_UTF16_TO_CODE_POINT(Decoder->u.Utf16.CodeUnit, codeUnit); Decoder->State = 0; return TRUE; } else { *CodePoint = Decoder->u.Utf16.CodeUnit; PhpUnreadUnicodeDecoder(Decoder, codeUnit); Decoder->State = 0; return TRUE; } break; } return FALSE; case PH_UNICODE_UTF32: if (PhpReadUnicodeDecoder(Decoder, CodePoint)) return TRUE; return FALSE; default: return FALSE; } } } _Use_decl_annotations_ BOOLEAN PhEncodeUnicode( _In_ UCHAR Encoding, _In_ ULONG CodePoint, _Out_opt_ PVOID CodeUnits, _Out_ PULONG NumberOfCodeUnits ) { switch (Encoding) { case PH_UNICODE_UTF8: { PUCHAR codeUnits = CodeUnits; if (CodePoint < 0x80) { *NumberOfCodeUnits = 1; if (codeUnits) codeUnits[0] = (UCHAR)CodePoint; } else if (CodePoint <= 0x7ff) { *NumberOfCodeUnits = 2; if (codeUnits) { codeUnits[0] = (UCHAR)(CodePoint >> 6) + 0xc0; codeUnits[1] = (UCHAR)(CodePoint & 0x3f) + 0x80; } } else if (CodePoint <= 0xffff) { *NumberOfCodeUnits = 3; if (codeUnits) { codeUnits[0] = (UCHAR)(CodePoint >> 12) + 0xe0; codeUnits[1] = (UCHAR)((CodePoint >> 6) & 0x3f) + 0x80; codeUnits[2] = (UCHAR)(CodePoint & 0x3f) + 0x80; } } else if (CodePoint <= PH_UNICODE_MAX_CODE_POINT) { *NumberOfCodeUnits = 4; if (codeUnits) { codeUnits[0] = (UCHAR)(CodePoint >> 18) + 0xf0; codeUnits[1] = (UCHAR)((CodePoint >> 12) & 0x3f) + 0x80; codeUnits[2] = (UCHAR)((CodePoint >> 6) & 0x3f) + 0x80; codeUnits[3] = (UCHAR)(CodePoint & 0x3f) + 0x80; } } else { return FALSE; } } return TRUE; case PH_UNICODE_UTF16: { PUSHORT codeUnits = CodeUnits; if (CodePoint < 0x10000) { *NumberOfCodeUnits = 1; if (codeUnits) codeUnits[0] = (USHORT)CodePoint; } else if (CodePoint <= PH_UNICODE_MAX_CODE_POINT) { *NumberOfCodeUnits = 2; if (codeUnits) { codeUnits[0] = PH_UNICODE_UTF16_TO_HIGH_SURROGATE(CodePoint); codeUnits[1] = PH_UNICODE_UTF16_TO_LOW_SURROGATE(CodePoint); } } else { return FALSE; } } return TRUE; case PH_UNICODE_UTF32: *NumberOfCodeUnits = 1; if (CodeUnits) *(PULONG)CodeUnits = CodePoint; return TRUE; default: return FALSE; } } /** * Converts an ASCII string to a UTF-16 string by zero-extending each byte. * * \param Input The original ASCII string. * \param InputLength The length of \a Input. * \param Output A buffer which will contain the converted string. */ VOID PhZeroExtendToUtf16Buffer( _In_reads_bytes_(InputLength) PCCH Input, _In_ SIZE_T InputLength, _Out_writes_bytes_(InputLength * sizeof(WCHAR)) PWCH Output ) { SIZE_T inputLength; inputLength = InputLength & -4; if (inputLength) { do { Output[0] = C_1uTo2(Input[0]); Output[1] = C_1uTo2(Input[1]); Output[2] = C_1uTo2(Input[2]); Output[3] = C_1uTo2(Input[3]); Input += 4; Output += 4; inputLength -= 4; } while (inputLength != 0); } switch (InputLength & 3) { case 3: *Output++ = C_1uTo2(*Input++); case 2: *Output++ = C_1uTo2(*Input++); case 1: *Output++ = C_1uTo2(*Input++); } } /** * Converts a zero-terminated ANSI string to a UTF-16 string, extending the input as needed. * * \param Input Pointer to the input ANSI string. * \param InputLength Length of the input string in bytes. * \return A pointer to a PPH_STRING containing the UTF-16 representation of the input string. */ PPH_STRING PhZeroExtendToUtf16Ex( _In_reads_bytes_(InputLength) PCCH Input, _In_ SIZE_T InputLength ) { PPH_STRING string; string = PhCreateStringEx(NULL, InputLength * sizeof(WCHAR)); PhZeroExtendToUtf16Buffer(Input, InputLength, string->Buffer); return string; } /** * Converts a UTF-16 string to an ASCII byte array. * * \param Buffer Pointer to the UTF-16 string buffer to convert. * \param Length Length of the UTF-16 string, in characters. * \param Replacement Optional character to use when a UTF-16 character cannot be represented in ASCII. * \return Pointer to a PPH_BYTES structure containing the converted ASCII bytes. */ PPH_BYTES PhConvertUtf16ToAsciiEx( _In_ PCWCH Buffer, _In_ SIZE_T Length, _In_opt_ CHAR Replacement ) { PPH_BYTES bytes; PH_UNICODE_DECODER decoder; PWCH in; SIZE_T inRemaining; PCH out; SIZE_T outLength; ULONG codePoint; bytes = PhCreateBytesEx(NULL, Length / sizeof(WCHAR)); PhInitializeUnicodeDecoder(&decoder, PH_UNICODE_UTF16); in = (PWCH)Buffer; inRemaining = Length / sizeof(WCHAR); out = bytes->Buffer; outLength = 0; while (inRemaining != 0) { PhWriteUnicodeDecoder(&decoder, (USHORT)*in); in++; inRemaining--; while (PhDecodeUnicodeDecoder(&decoder, &codePoint)) { if (codePoint < 0x80) { *out++ = (CHAR)codePoint; outLength++; } else if (Replacement) { *out++ = Replacement; outLength++; } } } bytes->Length = outLength; bytes->Buffer[outLength] = ANSI_NULL; return bytes; } /** * Creates a string object from an existing null-terminated multi-byte string. * * \param Buffer A null-terminated multi-byte string. */ PPH_STRING PhConvertMultiByteToUtf16( _In_ PCSTR Buffer ) { return PhConvertMultiByteToUtf16Ex( Buffer, strlen(Buffer) ); } /** * Creates a string object from an existing null-terminated multi-byte string. * * \param Buffer A null-terminated multi-byte string. * \param Length The number of bytes to use. */ PPH_STRING PhConvertMultiByteToUtf16Ex( _In_ PCSTR Buffer, _In_ SIZE_T Length ) { NTSTATUS status; PPH_STRING string; ULONG bufferLength; ULONG unicodeBytes; status = RtlSizeTToULong(Length, &bufferLength); if (!NT_SUCCESS(status)) return NULL; status = RtlMultiByteToUnicodeSize( &unicodeBytes, Buffer, bufferLength ); if (!NT_SUCCESS(status)) return NULL; string = PhCreateStringEx(NULL, unicodeBytes); status = RtlMultiByteToUnicodeN( string->Buffer, (ULONG)string->Length, NULL, Buffer, bufferLength ); if (!NT_SUCCESS(status)) { PhDereferenceObject(string); return NULL; } return string; } /** * Creates a multi-byte string from an existing null-terminated UTF-16 string. * * \param Buffer A null-terminated UTF-16 string. */ PPH_BYTES PhConvertUtf16ToMultiByte( _In_ PCWSTR Buffer ) { return PhConvertUtf16ToMultiByteEx( Buffer, PhCountStringZ(Buffer) * sizeof(WCHAR) ); } /** * Creates a multi-byte string from an existing null-terminated UTF-16 string. * * \param Buffer A null-terminated UTF-16 string. * \param Length The number of bytes to use. */ PPH_BYTES PhConvertUtf16ToMultiByteEx( _In_ PCWCH Buffer, _In_ SIZE_T Length ) { NTSTATUS status; PPH_BYTES bytes; ULONG bufferLength; ULONG multiByteLength; status = RtlSizeTToULong(Length, &bufferLength); if (!NT_SUCCESS(status)) return NULL; status = RtlUnicodeToMultiByteSize( &multiByteLength, Buffer, bufferLength ); if (!NT_SUCCESS(status)) return NULL; bytes = PhCreateBytesEx(NULL, multiByteLength); status = RtlUnicodeToMultiByteN( bytes->Buffer, (ULONG)bytes->Length, NULL, Buffer, bufferLength ); if (!NT_SUCCESS(status)) { PhDereferenceObject(bytes); return NULL; } return bytes; } /** * Converts a UTF-8 encoded string to its UTF-16 equivalent and calculates the size in bytes of the resulting UTF-16 string. * * \param BytesInUtf16String Pointer to a variable that receives the size in bytes of the UTF-16 string. * \param Utf8String Pointer to the UTF-8 encoded input string. * \param BytesInUtf8String The size in bytes of the UTF-8 input string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhConvertUtf8ToUtf16Size( _Out_ PSIZE_T BytesInUtf16String, _In_reads_bytes_(BytesInUtf8String) PCCH Utf8String, _In_ SIZE_T BytesInUtf8String ) { #if defined(PH_NATIVE_STRING_CONVERSION) NTSTATUS status; ULONG bytesInUtf16String = 0; status = RtlUTF8ToUnicodeN( NULL, 0, &bytesInUtf16String, Utf8String, (ULONG)BytesInUtf8String ); if (NT_SUCCESS(status)) { if (BytesInUtf16String) { *BytesInUtf16String = bytesInUtf16String; } } return status; #else NTSTATUS status; PH_UNICODE_DECODER decoder; PCH in; SIZE_T inRemaining; SIZE_T bytesInUtf16String; ULONG codePoint; ULONG numberOfCodeUnits; status = STATUS_SUCCESS; PhInitializeUnicodeDecoder(&decoder, PH_UNICODE_UTF8); in = Utf8String; inRemaining = BytesInUtf8String; bytesInUtf16String = 0; while (inRemaining != 0) { PhWriteUnicodeDecoder(&decoder, (UCHAR)*in); in++; inRemaining--; while (PhDecodeUnicodeDecoder(&decoder, &codePoint)) { if (PhEncodeUnicode(PH_UNICODE_UTF16, codePoint, NULL, &numberOfCodeUnits)) { bytesInUtf16String += numberOfCodeUnits * sizeof(WCHAR); } else { status = STATUS_BUFFER_TOO_SMALL; break; } } if (!NT_SUCCESS(status)) break; } *BytesInUtf16String = bytesInUtf16String; return status; #endif } /** * Converts a UTF-8 encoded string to a UTF-16 encoded buffer. * * \param Utf16String Pointer to the buffer that receives the converted UTF-16 string. * \param MaxBytesInUtf16String The maximum number of bytes that can be written to Utf16String. * \param BytesInUtf16String Optional pointer that receives the number of bytes written to Utf16String. * \param Utf8String Pointer to the UTF-8 encoded input string. * \param BytesInUtf8String The number of bytes in the input UTF-8 string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhConvertUtf8ToUtf16Buffer( _Out_writes_bytes_to_(MaxBytesInUtf16String, *BytesInUtf16String) PWCH Utf16String, _In_ SIZE_T MaxBytesInUtf16String, _Out_opt_ PSIZE_T BytesInUtf16String, _In_reads_bytes_(BytesInUtf8String) PCCH Utf8String, _In_ SIZE_T BytesInUtf8String ) { #if defined(PH_NATIVE_STRING_CONVERSION) NTSTATUS status; ULONG bytesInUtf16String = 0; status = RtlUTF8ToUnicodeN( Utf16String, (ULONG)MaxBytesInUtf16String, &bytesInUtf16String, Utf8String, (ULONG)BytesInUtf8String ); if (NT_SUCCESS(status)) { if (BytesInUtf16String) { *BytesInUtf16String = bytesInUtf16String; } } return status; #else NTSTATUS status; PH_UNICODE_DECODER decoder; PCH in; SIZE_T inRemaining; PWCH out; SIZE_T outRemaining; SIZE_T bytesInUtf16String; ULONG codePoint; USHORT codeUnits[2]; ULONG numberOfCodeUnits; status = STATUS_SUCCESS; PhInitializeUnicodeDecoder(&decoder, PH_UNICODE_UTF8); in = Utf8String; inRemaining = BytesInUtf8String; out = Utf16String; outRemaining = MaxBytesInUtf16String / sizeof(WCHAR); bytesInUtf16String = 0; while (inRemaining != 0) { PhWriteUnicodeDecoder(&decoder, (UCHAR)*in); in++; inRemaining--; while (PhDecodeUnicodeDecoder(&decoder, &codePoint)) { if (PhEncodeUnicode(PH_UNICODE_UTF16, codePoint, codeUnits, &numberOfCodeUnits)) { bytesInUtf16String += numberOfCodeUnits * sizeof(WCHAR); if (outRemaining >= numberOfCodeUnits) { *out++ = codeUnits[0]; if (numberOfCodeUnits >= 2) *out++ = codeUnits[1]; outRemaining -= numberOfCodeUnits; } else { status = STATUS_BUFFER_TOO_SMALL; break; } } else { status = STATUS_BUFFER_TOO_SMALL; break; } } if (!NT_SUCCESS(status)) break; } if (BytesInUtf16String) *BytesInUtf16String = bytesInUtf16String; return status; #endif } /** * Converts a UTF-8 encoded string to a UTF-16 encoded string. * * \param Buffer A pointer to a null-terminated UTF-8 encoded string. * \return A pointer to a PPH_STRING containing the converted UTF-16 string. * \remarks Returns NULL if the conversion fails. */ _Use_decl_annotations_ PPH_STRING PhConvertUtf8ToUtf16( _In_ PCSTR Buffer ) { return PhConvertUtf8ToUtf16Ex( Buffer, strlen(Buffer) ); } /** * Converts a UTF-8 encoded string to a UTF-16 string. * * \param Buffer Pointer to the UTF-8 encoded input buffer. * \param Length Length of the input buffer in bytes. * \return A pointer to a PPH_STRING containing the converted UTF-16 string. * \remarks Returns NULL if the conversion fails. */ _Use_decl_annotations_ PPH_STRING PhConvertUtf8ToUtf16Ex( _In_ PCCH Buffer, _In_ SIZE_T Length ) { NTSTATUS status; PPH_STRING string; SIZE_T utf16Bytes; status = PhConvertUtf8ToUtf16Size( &utf16Bytes, Buffer, Length ); if (!NT_SUCCESS(status)) return NULL; string = PhCreateStringEx(NULL, utf16Bytes); status = PhConvertUtf8ToUtf16Buffer( string->Buffer, string->Length, NULL, Buffer, Length ); if (!NT_SUCCESS(status)) { PhDereferenceObject(string); return NULL; } return string; } /** * Calculates the size in bytes required to store the UTF-8 encoded version of a given UTF-16 string. * * \param BytesInUtf8String Pointer to a variable that receives the required size in bytes for the UTF-8 string. * \param Utf16String Pointer to the UTF-16 string to be converted. * \param BytesInUtf16String The size in bytes of the input UTF-16 string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhConvertUtf16ToUtf8Size( _Out_ PSIZE_T BytesInUtf8String, _In_reads_bytes_(BytesInUtf16String) PCWCH Utf16String, _In_ SIZE_T BytesInUtf16String ) { #if defined(PH_NATIVE_STRING_CONVERSION) NTSTATUS status; ULONG bytesInUtf8String = 0; status = RtlUnicodeToUTF8N( NULL, 0, &bytesInUtf8String, Utf16String, (ULONG)BytesInUtf16String ); if (NT_SUCCESS(status)) { if (BytesInUtf8String) { *BytesInUtf8String = bytesInUtf8String; } } return status; #else NTSTATUS status; PH_UNICODE_DECODER decoder; PWCH in; SIZE_T inRemaining; SIZE_T bytesInUtf8String; ULONG codePoint; ULONG numberOfCodeUnits; status = STATUS_SUCCESS; PhInitializeUnicodeDecoder(&decoder, PH_UNICODE_UTF16); in = Utf16String; inRemaining = BytesInUtf16String / sizeof(WCHAR); bytesInUtf8String = 0; while (inRemaining != 0) { PhWriteUnicodeDecoder(&decoder, (USHORT)*in); in++; inRemaining--; while (PhDecodeUnicodeDecoder(&decoder, &codePoint)) { if (PhEncodeUnicode(PH_UNICODE_UTF8, codePoint, NULL, &numberOfCodeUnits)) { bytesInUtf8String += numberOfCodeUnits; } else { status = STATUS_BUFFER_TOO_SMALL; break; } } if (!NT_SUCCESS(status)) break; } *BytesInUtf8String = bytesInUtf8String; return status; #endif } /** * Converts a UTF-16 encoded string to a UTF-8 encoded buffer. * * \param Utf8String A pointer to the buffer that receives the UTF-8 encoded string. * * \param MaxBytesInUtf8String The maximum number of bytes that can be written to the Utf8String buffer. * \param BytesInUtf8String Optional pointer to a variable that receives the number of bytes written to Utf8String. * \param Utf16String A pointer to the UTF-16 encoded input string. * \param BytesInUtf16String The number of bytes in the UTF-16 encoded input string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhConvertUtf16ToUtf8Buffer( _Out_writes_bytes_to_(MaxBytesInUtf8String, *BytesInUtf8String) PCH Utf8String, _In_ SIZE_T MaxBytesInUtf8String, _Out_opt_ PSIZE_T BytesInUtf8String, _In_reads_bytes_(BytesInUtf16String) PCWCH Utf16String, _In_ SIZE_T BytesInUtf16String ) { #if defined(PH_NATIVE_STRING_CONVERSION) NTSTATUS status; ULONG bytesInUtf8String = 0; status = RtlUnicodeToUTF8N( Utf8String, (ULONG)MaxBytesInUtf8String, &bytesInUtf8String, Utf16String, (ULONG)BytesInUtf16String ); if (NT_SUCCESS(status)) { if (BytesInUtf8String) { *BytesInUtf8String = bytesInUtf8String; } } return status; #else NTSTATUS status; PH_UNICODE_DECODER decoder; PWCH in; SIZE_T inRemaining; PCH out; SIZE_T outRemaining; SIZE_T bytesInUtf8String; ULONG codePoint; UCHAR codeUnits[4]; ULONG numberOfCodeUnits; PhInitializeUnicodeDecoder(&decoder, PH_UNICODE_UTF16); in = Utf16String; inRemaining = BytesInUtf16String / sizeof(WCHAR); out = Utf8String; outRemaining = MaxBytesInUtf8String; bytesInUtf8String = 0; while (inRemaining != 0) { PhWriteUnicodeDecoder(&decoder, (USHORT)*in); in++; inRemaining--; while (PhDecodeUnicodeDecoder(&decoder, &codePoint)) { if (PhEncodeUnicode(PH_UNICODE_UTF8, codePoint, codeUnits, &numberOfCodeUnits)) { bytesInUtf8String += numberOfCodeUnits; if (outRemaining >= numberOfCodeUnits) { *out++ = codeUnits[0]; if (numberOfCodeUnits >= 2) *out++ = codeUnits[1]; if (numberOfCodeUnits >= 3) *out++ = codeUnits[2]; if (numberOfCodeUnits >= 4) *out++ = codeUnits[3]; outRemaining -= numberOfCodeUnits; } else { status = STATUS_BUFFER_TOO_SMALL; break; } } else { status = STATUS_BUFFER_TOO_SMALL; break; } } if (!NT_SUCCESS(status)) break; } if (BytesInUtf8String) { *BytesInUtf8String = bytesInUtf8String; } return status; #endif } /** * Converts a UTF-16 encoded wide string to a UTF-8 encoded byte array. * * \param Buffer Pointer to a null-terminated UTF-16 string (PCWSTR) to be converted. * \return A pointer to a PPH_BYTES structure containing the UTF-8 encoded result. * \remarks Returns NULL if the conversion fails. */ _Use_decl_annotations_ PPH_BYTES PhConvertUtf16ToUtf8( _In_ PCWSTR Buffer ) { return PhConvertUtf16ToUtf8Ex( Buffer, PhCountStringZ(Buffer) * sizeof(WCHAR) ); } _Use_decl_annotations_ PPH_BYTES PhConvertUtf16ToUtf8Ex( _In_ PCWCH Buffer, _In_ SIZE_T Length ) { NTSTATUS status; PPH_BYTES bytes; SIZE_T utf8Bytes; status = PhConvertUtf16ToUtf8Size( &utf8Bytes, Buffer, Length ); if (!NT_SUCCESS(status)) return NULL; bytes = PhCreateBytesEx(NULL, utf8Bytes); status = PhConvertUtf16ToUtf8Buffer( bytes->Buffer, bytes->Length, NULL, Buffer, Length ); if (!NT_SUCCESS(status)) { PhDereferenceObject(bytes); return NULL; } return bytes; } /** * Initializes a string builder object. * * \param StringBuilder A string builder object. * \param InitialCapacity The number of bytes to allocate initially. */ VOID PhInitializeStringBuilder( _Out_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T InitialCapacity ) { // Make sure the initial capacity is even, as required for all string objects. if (InitialCapacity & 1) InitialCapacity++; StringBuilder->AllocatedLength = InitialCapacity; // Allocate a PH_STRING for the string builder. // We will dereference it and allocate a new one when we need to resize the string. StringBuilder->String = PhCreateStringEx(NULL, StringBuilder->AllocatedLength); // We will keep modifying the Length field of the string so that: // 1. We know how much of the string is used, and // 2. The user can simply get a reference to the string and use it as-is. StringBuilder->String->Length = 0; // Write the null terminator. StringBuilder->String->Buffer[0] = UNICODE_NULL; PHLIB_INC_STATISTIC(BaseStringBuildersCreated); } /** * Frees resources used by a string builder object. * * \param StringBuilder A string builder object. */ VOID PhDeleteStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder ) { PhDereferenceObject(StringBuilder->String); } /** * Obtains a reference to the string constructed by a string builder object and frees resources used * by the object. * * \param StringBuilder A string builder object. * * \return A pointer to a string. You must free the string using PhDereferenceObject() when you no * longer need it. */ PPH_STRING PhFinalStringBuilderString( _Inout_ PPH_STRING_BUILDER StringBuilder ) { return StringBuilder->String; } VOID PhpResizeStringBuilder( _In_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T NewCapacity ) { PPH_STRING newString; // Double the string size. If that still isn't enough room, just use the new length. StringBuilder->AllocatedLength *= 2; if (StringBuilder->AllocatedLength < NewCapacity) StringBuilder->AllocatedLength = NewCapacity; // Allocate a new string. newString = PhCreateStringEx(NULL, StringBuilder->AllocatedLength); // Copy the old string to the new string. memcpy( newString->Buffer, StringBuilder->String->Buffer, StringBuilder->String->Length + sizeof(UNICODE_NULL) // Include null terminator ); // Copy the old string length. newString->Length = StringBuilder->String->Length; // Dereference the old string and replace it with the new string. PhMoveReference(&StringBuilder->String, newString); PHLIB_INC_STATISTIC(BaseStringBuildersResized); } FORCEINLINE VOID PhpWriteNullTerminatorStringBuilder( _In_ PPH_STRING_BUILDER StringBuilder ) { assert(!(StringBuilder->String->Length & 1)); *(PWCHAR)PTR_ADD_OFFSET(StringBuilder->String->Buffer, StringBuilder->String->Length) = UNICODE_NULL; } /** * Appends a string to the end of a string builder string. * * \param StringBuilder A string builder object. * \param String The string to append. Specify NULL to simply reserve \a Length bytes. * \param Length The number of bytes to append. */ VOID PhAppendStringBuilderEx( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_opt_ PWCHAR String, _In_ SIZE_T Length ) { if (Length == 0) return; // See if we need to re-allocate the string. if (StringBuilder->AllocatedLength < StringBuilder->String->Length + Length) { PhpResizeStringBuilder(StringBuilder, StringBuilder->String->Length + Length); } // Copy the string, add the length, then write the null terminator. if (String) { memcpy( PTR_ADD_OFFSET(StringBuilder->String->Buffer, StringBuilder->String->Length), String, Length ); } StringBuilder->String->Length += Length; PhpWriteNullTerminatorStringBuilder(StringBuilder); } /** * Appends a character to the end of a string builder string. * * \param StringBuilder A string builder object. * \param Character The character to append. */ VOID PhAppendCharStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ WCHAR Character ) { if (StringBuilder->AllocatedLength < StringBuilder->String->Length + sizeof(WCHAR)) { PhpResizeStringBuilder(StringBuilder, StringBuilder->String->Length + sizeof(WCHAR)); } *(PWCHAR)PTR_ADD_OFFSET(StringBuilder->String->Buffer, StringBuilder->String->Length) = Character; StringBuilder->String->Length += sizeof(WCHAR); PhpWriteNullTerminatorStringBuilder(StringBuilder); } /** * Appends a number of characters to the end of a string builder string. * * \param StringBuilder A string builder object. * \param Character The character to append. * \param Count The number of times to append the character. */ VOID PhAppendCharStringBuilder2( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ WCHAR Character, _In_ SIZE_T Count ) { if (Count == 0) return; // See if we need to re-allocate the string. if (StringBuilder->AllocatedLength < StringBuilder->String->Length + Count * sizeof(WCHAR)) { PhpResizeStringBuilder(StringBuilder, StringBuilder->String->Length + Count * sizeof(WCHAR)); } wmemset( PTR_ADD_OFFSET(StringBuilder->String->Buffer, StringBuilder->String->Length), Character, Count ); StringBuilder->String->Length += Count * sizeof(WCHAR); PhpWriteNullTerminatorStringBuilder(StringBuilder); } /** * Appends a formatted string to the end of a string builder string. * * \param StringBuilder A string builder object. * \param Format The format-control string. * \param ... The list of strings. */ VOID PhAppendFormatStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ _Printf_format_string_ PCWSTR Format, ... ) { va_list argptr; va_start(argptr, Format); PhAppendFormatStringBuilder_V(StringBuilder, Format, argptr); va_end(argptr); } /** * Appends a formatted string to the specified string builder using a variable argument list. * * \param StringBuilder A pointer to the string builder to which the formatted string will be appended. * \param Format A printf-style format string that specifies how to format the arguments. * \param ArgPtr A va_list containing the arguments to format according to the format string. */ VOID PhAppendFormatStringBuilder_V( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ _Printf_format_string_ PCWSTR Format, _In_ va_list ArgPtr ) { LONG length; SIZE_T lengthInBytes; length = _vscwprintf(Format, ArgPtr); if (length == INT_ERROR || length == 0) return; lengthInBytes = length * sizeof(WCHAR); if (StringBuilder->AllocatedLength < StringBuilder->String->Length + lengthInBytes) PhpResizeStringBuilder(StringBuilder, StringBuilder->String->Length + lengthInBytes); _vsnwprintf( PTR_ADD_OFFSET(StringBuilder->String->Buffer, StringBuilder->String->Length), length, Format, ArgPtr ); StringBuilder->String->Length += lengthInBytes; PhpWriteNullTerminatorStringBuilder(StringBuilder); } /** * Inserts a string into a string builder string. * * \param StringBuilder A string builder object. * \param Index The index, in characters, at which to insert the string. * \param String The string to insert. */ VOID PhInsertStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T Index, _In_ PCPH_STRINGREF String ) { PhInsertStringBuilderEx( StringBuilder, Index, String->Buffer, String->Length ); } /** * Inserts a string into a string builder string. * * \param StringBuilder A string builder object. * \param Index The index, in characters, at which to insert the string. * \param String The string to insert. */ VOID PhInsertStringBuilder2( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T Index, _In_ PCWSTR String ) { PhInsertStringBuilderEx( StringBuilder, Index, String, PhCountStringZ(String) * sizeof(WCHAR) ); } /** * Inserts a string into a string builder string. * * \param StringBuilder A string builder object. * \param Index The index, in characters, at which to insert the string. * \param String The string to insert. Specify NULL to simply reserve \a Length bytes at \a Index. * \param Length The number of bytes to insert. */ VOID PhInsertStringBuilderEx( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T Index, _In_opt_ PCWCHAR String, _In_ SIZE_T Length ) { if (Length == 0) return; // See if we need to re-allocate the string. if (StringBuilder->AllocatedLength < StringBuilder->String->Length + Length) { PhpResizeStringBuilder(StringBuilder, StringBuilder->String->Length + Length); } if (Index * sizeof(WCHAR) < StringBuilder->String->Length) { // Create some space for the string. memmove( &StringBuilder->String->Buffer[Index + Length / sizeof(WCHAR)], &StringBuilder->String->Buffer[Index], StringBuilder->String->Length - Index * sizeof(WCHAR) ); } if (String) { // Copy the new string. memcpy( &StringBuilder->String->Buffer[Index], String, Length ); } StringBuilder->String->Length += Length; PhpWriteNullTerminatorStringBuilder(StringBuilder); } /** * Removes characters from a string builder string. * * \param StringBuilder A string builder object. * \param StartIndex The index, in characters, at which to begin removing characters. * \param Count The number of characters to remove. */ VOID PhRemoveStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T StartIndex, _In_ SIZE_T Count ) { // Overwrite the removed part with the part // behind it. memmove( &StringBuilder->String->Buffer[StartIndex], &StringBuilder->String->Buffer[StartIndex + Count], StringBuilder->String->Length - (Count + StartIndex) * sizeof(WCHAR) ); StringBuilder->String->Length -= Count * sizeof(WCHAR); PhpWriteNullTerminatorStringBuilder(StringBuilder); } /** * Initializes a byte string builder object. * * \param BytesBuilder A byte string builder object. * \param InitialCapacity The number of bytes to allocate initially. */ VOID PhInitializeBytesBuilder( _Out_ PPH_BYTES_BUILDER BytesBuilder, _In_ SIZE_T InitialCapacity ) { BytesBuilder->AllocatedLength = InitialCapacity; BytesBuilder->Bytes = PhCreateBytesEx(NULL, BytesBuilder->AllocatedLength); BytesBuilder->Bytes->Length = 0; BytesBuilder->Bytes->Buffer[0] = ANSI_NULL; } /** * Frees resources used by a byte string builder object. * * \param BytesBuilder A byte string builder object. */ VOID PhDeleteBytesBuilder( _Inout_ PPH_BYTES_BUILDER BytesBuilder ) { PhDereferenceObject(BytesBuilder->Bytes); } /** * Obtains a reference to the byte string constructed by a byte string builder object and frees * resources used by the object. * * \param BytesBuilder A byte string builder object. * \return A pointer to a byte string. You must free the byte string using PhDereferenceObject() * when you no longer need it. */ PPH_BYTES PhFinalBytesBuilderBytes( _Inout_ PPH_BYTES_BUILDER BytesBuilder ) { return BytesBuilder->Bytes; } VOID PhpResizeBytesBuilder( _In_ PPH_BYTES_BUILDER BytesBuilder, _In_ SIZE_T NewCapacity ) { PPH_BYTES newBytes; // Double the byte string size. If that still isn't enough room, just use the new length. BytesBuilder->AllocatedLength *= 2; if (BytesBuilder->AllocatedLength < NewCapacity) BytesBuilder->AllocatedLength = NewCapacity; // Allocate a new byte string. newBytes = PhCreateBytesEx(NULL, BytesBuilder->AllocatedLength); // Copy the old byte string to the new byte string. memcpy( newBytes->Buffer, BytesBuilder->Bytes->Buffer, BytesBuilder->Bytes->Length + sizeof(ANSI_NULL) // Include null terminator ); // Copy the old byte string length. newBytes->Length = BytesBuilder->Bytes->Length; // Dereference the old byte string and replace it with the new byte string. PhMoveReference(&BytesBuilder->Bytes, newBytes); } FORCEINLINE VOID PhpWriteNullTerminatorBytesBuilder( _In_ PPH_BYTES_BUILDER BytesBuilder ) { BytesBuilder->Bytes->Buffer[BytesBuilder->Bytes->Length] = ANSI_NULL; } /** * Appends a byte string to the end of a byte string builder string. * * \param BytesBuilder A byte string builder object. * \param Bytes The byte string to append. */ VOID PhAppendBytesBuilder( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ PPH_BYTESREF Bytes ) { PhAppendBytesBuilderEx( BytesBuilder, Bytes->Buffer, Bytes->Length, 0, NULL ); } /** * Appends a byte string to the end of a byte string builder string. * * \param BytesBuilder A byte string builder object. * \param Buffer The byte string to append. Specify NULL to simply reserve \a Length bytes. * \param Length The number of bytes to append. * \param Alignment The required alignment. This should not be greater than 8. * \param Offset A variable which receives the byte offset of the appended or reserved bytes in the * byte string builder string. * * \return A pointer to the appended or reserved bytes. */ PVOID PhAppendBytesBuilderEx( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_opt_ PVOID Buffer, _In_ SIZE_T Length, _In_opt_ SIZE_T Alignment, _Out_opt_ PSIZE_T Offset ) { SIZE_T currentLength; currentLength = BytesBuilder->Bytes->Length; if (Length == 0) goto Done; if (Alignment) currentLength = ALIGN_UP_BY(currentLength, Alignment); // See if we need to re-allocate the byte string. if (BytesBuilder->AllocatedLength < currentLength + Length) PhpResizeBytesBuilder(BytesBuilder, currentLength + Length); // Copy the byte string, add the length, then write the null terminator. if (Buffer) memcpy(BytesBuilder->Bytes->Buffer + currentLength, Buffer, Length); BytesBuilder->Bytes->Length = currentLength + Length; PhpWriteNullTerminatorBytesBuilder(BytesBuilder); Done: if (Offset) *Offset = currentLength; return BytesBuilder->Bytes->Buffer + currentLength; } /** * Appends formatted data to a bytes builder using a variable argument list. * * \param BytesBuilder Pointer to the bytes builder structure to which the formatted data will be appended. * \param Format A printf-style format string specifying how to format the data. * \param ArgPtr A variable argument list containing the values to format according to the Format string. */ VOID PhAppendFormatBytesBuilder_V( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ _Printf_format_string_ PCSTR Format, _In_ va_list ArgPtr ) { LONG length; SIZE_T lengthInBytes; length = _vscprintf(Format, ArgPtr); if (length == INT_ERROR || length == 0) return; lengthInBytes = length * sizeof(CHAR); if (BytesBuilder->AllocatedLength < BytesBuilder->Bytes->Length + lengthInBytes) PhpResizeBytesBuilder(BytesBuilder, BytesBuilder->Bytes->Length + lengthInBytes); _vsnprintf( PTR_ADD_OFFSET(BytesBuilder->Bytes->Buffer, BytesBuilder->Bytes->Length), length, Format, ArgPtr ); BytesBuilder->Bytes->Length += lengthInBytes; PhpWriteNullTerminatorBytesBuilder(BytesBuilder); } /** * Appends formatted data to a bytes builder. * * This function formats a string using the specified format and arguments, * then appends the resulting bytes to the provided bytes builder. * * \param BytesBuilder A pointer to the bytes builder structure to which the formatted bytes will be appended. * \param Format A printf-style format string specifying how to format the data. * \param ... Additional arguments to be formatted according to the format string. */ VOID PhAppendFormatBytesBuilder( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ _Printf_format_string_ PCSTR Format, ... ) { va_list argptr; va_start(argptr, Format); PhAppendFormatBytesBuilder_V(BytesBuilder, Format, argptr); va_end(argptr); } /** * Generates a hash code for a string. * * \param String The string to hash. * \param IgnoreCase TRUE for a case-insensitive hash function, otherwise FALSE. */ ULONG PhHashStringRefOriginal( _In_ PCPH_STRINGREF String, _In_ BOOLEAN IgnoreCase ) { ULONG hash = 0; SIZE_T count; PWCHAR p; if (String->Length == 0) return 0; count = String->Length / sizeof(WCHAR); p = String->Buffer; if (IgnoreCase) { while (count-- != 0) { hash ^= (USHORT)PhUpcaseUnicodeChar(*p++); hash *= 0x01000193; } } else { return PhHashBytes((PUCHAR)String->Buffer, String->Length); } return hash; } /** * Generates a hash code for a string. * * \param String The string to hash. * \param IgnoreCase TRUE for a case-insensitive hash function, otherwise FALSE. */ ULONG PhHashStringRef( _In_ PCPH_STRINGREF String, _In_ BOOLEAN IgnoreCase ) { ULONG hash = 0; SIZE_T count; PWCHAR p; if (String->Length == 0) return 0; count = String->Length / sizeof(WCHAR); p = String->Buffer; if (IgnoreCase) { #ifndef _ARM64_ if (PhHasAVX && count >= 16) { // AVX hash path for case-insensitive SIZE_T length32 = count / 16; WCHAR uppercased[16]; for (SIZE_T i = 0; i < length32; i++) { __m256i chunk; chunk = _mm256_loadu_si256((__m256i const*)p); chunk = PhUppercaseLatin1INT256by16(chunk); _mm256_storeu_si256((__m256i*)uppercased, chunk); // Hash 16 uppercased characters for (ULONG j = 0; j < 16; j++) { hash ^= (USHORT)uppercased[j]; hash *= 0x01000193; } p += 16; } _mm256_zeroupper(); count %= 16; } #endif if (PhHasIntrinsics && count >= 8) { // SIMD hash path for case-insensitive SIZE_T length16 = count / 8; WCHAR uppercased[8]; for (SIZE_T i = 0; i < length16; i++) { PH_INT128 chunk; chunk = PhLoadINT128U((PLONG)p); chunk = PhUppercaseLatin1INT128by16(chunk); PhStoreINT128U((PLONG)uppercased, chunk); // Hash 8 uppercased characters for (ULONG j = 0; j < 8; j++) { hash ^= (USHORT)uppercased[j]; hash *= 0x01000193; } p += 8; } count %= 8; } while (count-- != 0) { hash ^= (USHORT)PhUpcaseUnicodeChar(*p++); hash *= 0x01000193; } } else { return PhHashBytes((PUCHAR)String->Buffer, String->Length); } return hash; } /** * Computes a hash value for the specified string reference using the given hash algorithm. * * \param String Pointer to a PH_STRINGREF structure representing the string to hash. * \param IgnoreCase If TRUE, the hash computation ignores case differences; otherwise, case is considered. * \param HashAlgorithm The hash algorithm to use for computing the hash value. * \return The computed hash value as an unsigned long. */ ULONG PhHashStringRefEx( _In_ PCPH_STRINGREF String, _In_ BOOLEAN IgnoreCase, _In_ PH_STRING_HASH HashAlgorithm ) { switch (HashAlgorithm) { case PH_STRING_HASH_DEFAULT: case PH_STRING_HASH_FNV1A: return PhHashStringRef(String, IgnoreCase); case PH_STRING_HASH_X65599: { ULONG hash = 0; PWCHAR end; PWCHAR p; if (String->Length == 0) return 0; end = String->Buffer + (String->Length / sizeof(WCHAR)); p = String->Buffer; if (IgnoreCase) { #ifndef _ARM64_ if (PhHasAVX && (end - p) >= 16) { // AVX hash path for case-insensitive SIZE_T count = (end - p) / 16; WCHAR uppercased[16]; for (SIZE_T i = 0; i < count; i++) { __m256i chunk; chunk = _mm256_loadu_si256((__m256i const*)p); chunk = PhUppercaseLatin1INT256by16(chunk); _mm256_storeu_si256((__m256i*)uppercased, chunk); // Hash 16 uppercased characters for (ULONG j = 0; j < 16; j++) { hash = ((65599 * (hash)) + (ULONG)uppercased[j]); } p += 16; } _mm256_zeroupper(); } #endif for (; p != end; p++) { hash = ((65599 * (hash)) + (ULONG)(((*p) >= L'a' && (*p) <= L'z') ? (*p) - L'a' + L'A' : (*p))); } // Medium fast //UNICODE_STRING unicodeString; // //if (!PhStringRefToUnicodeString(String, &unicodeString)) // return 0; // //if (!NT_SUCCESS(RtlHashUnicodeString(&unicodeString, TRUE, HASH_STRING_ALGORITHM_X65599, &hash))) // return 0; // // Slower than the above two (based on PhHashBytes) (dmex) //SIZE_T count = String->Length / sizeof(WCHAR); //PWCHAR p = String->Buffer; //do //{ // hash += (USHORT)PhUpcaseUnicodeChar(*p++); // __ascii_towupper(*p++); // hash *= 0x1003F; //} while (--count != 0); } else { #ifndef _ARM64_ if (PhHasAVX && (end - p) >= 16) { // AVX hash path for case-sensitive SIZE_T count = (end - p) / 16; WCHAR buffer[16]; for (SIZE_T i = 0; i < count; i++) { __m256i chunk; chunk = _mm256_loadu_si256((__m256i const*)p); _mm256_storeu_si256((__m256i*)buffer, chunk); // Hash 16 characters for (ULONG j = 0; j < 16; j++) { hash = ((65599 * (hash)) + (ULONG)buffer[j]); } p += 16; } _mm256_zeroupper(); } #endif for (; p != end; p++) { hash = ((65599 * (hash)) + (ULONG)(*p)); } } return hash; } case PH_STRING_HASH_XXH32: { if (String->Length == 0) return 0; return PhHashXXH32(String->Buffer, String->Length, 0); } } return 0; } /** * Converts a sequence of hexadecimal digits into a byte array. * * \param String A string containing hexadecimal digits to convert. The string must have an even * number of digits, because each pair of hexadecimal digits represents one byte. Example: * "129a2eff5c0b". * \param Buffer The output buffer. * \return TRUE if the string was successfully converted, otherwise FALSE. */ BOOLEAN PhHexStringToBuffer( _In_ PCPH_STRINGREF String, _Out_writes_bytes_(String->Length / sizeof(WCHAR) / 2) PUCHAR Buffer ) { SIZE_T i; SIZE_T length; // The string must have an even length. if ((String->Length / sizeof(WCHAR)) & 1) return FALSE; length = String->Length / sizeof(WCHAR) / 2; for (i = 0; i < length; i++) { Buffer[i] = (UCHAR)(PhCharToInteger[(UCHAR)String->Buffer[i * sizeof(WCHAR)]] << 4) + (UCHAR)PhCharToInteger[(UCHAR)String->Buffer[i * sizeof(WCHAR) + 1]]; } return TRUE; } /** * Converts a hexadecimal string to a binary buffer. * * \param String Pointer to a PH_STRINGREF structure containing the hexadecimal string to convert. * \param BufferLength The length, in bytes, of the output buffer. * \param Buffer Pointer to the buffer that receives the converted binary data. Must be at least BufferLength bytes. * \return TRUE if the conversion was successful; FALSE otherwise. */ BOOLEAN PhHexStringToBufferEx( _In_ PCPH_STRINGREF String, _In_ SIZE_T BufferLength, _Out_writes_bytes_(BufferLength) PVOID Buffer ) { SIZE_T length; SIZE_T i; if ((String->Length / sizeof(WCHAR)) & 1) return FALSE; length = String->Length / sizeof(WCHAR) / 2; if (length > BufferLength) return FALSE; for (i = 0; i < length; i++) { ((PBYTE)Buffer)[i] = (BYTE)(PhCharToInteger[(BYTE)String->Buffer[i * sizeof(WCHAR)]] << 4) + (BYTE)PhCharToInteger[(BYTE)String->Buffer[i * sizeof(WCHAR) + 1]]; } return TRUE; } /** * Converts a byte array into a sequence of hexadecimal digits. * * \param Buffer The input buffer. * \param Length The number of bytes to convert. * \return A string containing a sequence of hexadecimal digits. */ _Use_decl_annotations_ PPH_STRING PhBufferToHexString( _In_reads_bytes_(Length) PUCHAR Buffer, _In_ SIZE_T Length ) { return PhBufferToHexStringEx(Buffer, Length, FALSE); } /** * Converts a byte array into a sequence of hexadecimal digits. * * \param Buffer The input buffer. * \param Length The number of bytes to convert. * \param UpperCase TRUE to use uppercase characters, otherwise FALSE. * \return A string containing a sequence of hexadecimal digits. */ _Use_decl_annotations_ PPH_STRING PhBufferToHexStringEx( _In_reads_bytes_(Length) PUCHAR Buffer, _In_ SIZE_T Length, _In_ BOOLEAN UpperCase ) { PPH_STRING string; PCCH table; SIZE_T i; if (UpperCase) table = PhIntegerToCharUpper; else table = PhIntegerToChar; string = PhCreateStringEx(NULL, Length * sizeof(WCHAR) * 2); for (i = 0; i < Length; i++) { string->Buffer[i * sizeof(WCHAR)] = table[Buffer[i] >> 4]; string->Buffer[i * sizeof(WCHAR) + 1] = table[Buffer[i] & 0xf]; } return string; } /** * Converts a binary buffer to a hexadecimal string representation. * * \param InputBuffer Pointer to the input buffer containing binary data. * \param InputLength Length of the input buffer, in bytes. * \param UpperCase If TRUE, output hex digits in uppercase; otherwise, lowercase. * \param OutputBuffer Pointer to the buffer that receives the hexadecimal string. * \param OutputLength Size of the output buffer, in bytes. * \param ReturnLength Optional pointer to receive the number of bytes written to OutputBuffer. * \return TRUE if the conversion was successful and the output buffer was large enough; FALSE otherwise. */ _Use_decl_annotations_ BOOLEAN PhBufferToHexStringBuffer( _In_reads_bytes_(InputLength) PUCHAR InputBuffer, _In_ SIZE_T InputLength, _In_ BOOLEAN UpperCase, _Out_writes_bytes_to_(OutputLength, *ReturnLength) PWSTR OutputBuffer, _In_ SIZE_T OutputLength, _Out_opt_ PSIZE_T ReturnLength ) { PCCH table; ULONG i; if (OutputLength < InputLength * sizeof(WCHAR) * 2) { if (ReturnLength) *ReturnLength = InputLength * sizeof(WCHAR) * 2; return FALSE; } if (UpperCase) table = PhIntegerToCharUpper; else table = PhIntegerToChar; for (i = 0; i < InputLength; i++) { OutputBuffer[i * sizeof(WCHAR)] = table[InputBuffer[i] >> 4]; OutputBuffer[i * sizeof(WCHAR) + 1] = table[InputBuffer[i] & 0xf]; } OutputBuffer[i * sizeof(WCHAR)] = UNICODE_NULL; if (ReturnLength) *ReturnLength = i * sizeof(WCHAR) * 2; return TRUE; } /** * Converts a string to an integer. * * \param String The string to process. * \param Base The base which the string uses to represent the integer. The maximum value is 69. * \param Integer The resulting integer. */ BOOLEAN PhpStringToInteger64( _In_ PCPH_STRINGREF String, _In_ ULONG Base, _Out_opt_ PULONG64 Integer ) { BOOLEAN valid = TRUE; ULONG64 result; SIZE_T length; SIZE_T i; length = String->Length / sizeof(WCHAR); result = 0; for (i = 0; i < length; i++) { ULONG value; value = PhCharToInteger[(UCHAR)String->Buffer[i]]; if (value < Base) result = result * Base + value; else valid = FALSE; } if (Integer) { *Integer = result; } return valid; } /** * Converts a string to an integer. * * \param String The string to process. * \param Base The base which the string uses to represent the integer. The maximum value is 69. If * the parameter is 0, the base is inferred from the string. * \param Integer The resulting integer. * * \remarks If \a Base is 0, the following prefixes may be used to indicate bases: * * \li \c 0x Base 16. * \li \c 0o Base 8. * \li \c 0b Base 2. * \li \c 0t Base 3. * \li \c 0q Base 4. * \li \c 0w Base 12. * \li \c 0r Base 32. * * If there is no recognized prefix, base 10 is used. */ _Use_decl_annotations_ BOOLEAN PhStringToInteger64( _In_ PCPH_STRINGREF String, _In_opt_ ULONG Base, _Out_opt_ PLONG64 Integer ) { BOOLEAN valid; ULONG64 result; PH_STRINGREF string; BOOLEAN negative; ULONG base; if (Base > 69) return FALSE; string = *String; negative = FALSE; if (string.Length != 0 && (string.Buffer[0] == L'-' || string.Buffer[0] == L'+')) { if (string.Buffer[0] == L'-') negative = TRUE; PhSkipStringRef(&string, sizeof(WCHAR)); } // If the caller specified a base, don't perform any additional processing. if (Base) { base = Base; } else { base = 10; if (string.Length >= 2 * sizeof(WCHAR) && string.Buffer[0] == L'0') { switch (string.Buffer[1]) { case L'x': case L'X': base = 16; break; case L'o': case L'O': base = 8; break; case L'b': case L'B': base = 2; break; case L't': // ternary case L'T': base = 3; break; case L'q': // quaternary case L'Q': base = 4; break; case L'w': // base 12 case L'W': base = 12; break; case L'r': // base 32 case L'R': base = 32; break; } if (base != 10) PhSkipStringRef(&string, 2 * sizeof(WCHAR)); } } valid = PhpStringToInteger64(&string, base, &result); if (Integer) *Integer = negative ? -(LONG64)result : result; return valid; } /** * Converts a string reference to an unsigned 64-bit integer. * * \param String Pointer to a PH_STRINGREF structure containing the string to convert. * \param Base Optional base for conversion (e.g., 10 for decimal, 16 for hexadecimal). * \param Integer Optional pointer to a ULONG64 variable that receives the converted value. * \return TRUE if the conversion was successful; otherwise, FALSE. */ _Use_decl_annotations_ BOOLEAN PhStringToUInt64( _In_ PCPH_STRINGREF String, _In_opt_ ULONG Base, _Out_opt_ PULONG64 Integer ) { PH_STRINGREF string; ULONG base; if (Base > 69) return FALSE; string = *String; if (string.Length != 0 && (string.Buffer[0] == L'-' || string.Buffer[0] == L'+')) { PhSkipStringRef(&string, sizeof(WCHAR)); } // If the caller specified a base, don't perform any additional processing. if (Base) { base = Base; } else { base = 10; if (string.Length >= 2 * sizeof(WCHAR) && string.Buffer[0] == L'0') { switch (string.Buffer[1]) { case L'x': case L'X': base = 16; break; case L'o': case L'O': base = 8; break; case L'b': case L'B': base = 2; break; case L't': // ternary case L'T': base = 3; break; case L'q': // quaternary case L'Q': base = 4; break; case L'w': // base 12 case L'W': base = 12; break; case L'r': // base 32 case L'R': base = 32; break; } if (base != 10) PhSkipStringRef(&string, 2 * sizeof(WCHAR)); } } return PhpStringToInteger64(&string, base, Integer); } BOOLEAN PhpStringToDouble( _In_ PCPH_STRINGREF String, _In_ ULONG Base, _Out_ DOUBLE *Double ) { BOOLEAN valid = TRUE; BOOLEAN dotSeen = FALSE; DOUBLE result; DOUBLE fraction; SIZE_T length; SIZE_T i; length = String->Length / sizeof(WCHAR); result = 0; fraction = 1; for (i = 0; i < length; i++) { if (String->Buffer[i] == L'.') { if (!dotSeen) dotSeen = TRUE; else valid = FALSE; } else { ULONG value; value = PhCharToInteger[(UCHAR)String->Buffer[i]]; if (value < Base) { if (!dotSeen) { result = result * Base + value; } else { fraction /= Base; result = result + value * fraction; } } else { valid = FALSE; } } } *Double = result; return valid; } /** * Converts a string to a double-precision floating point value. * * \param String The string to process. * \param Base Reserved. * \param Double The resulting double value. */ BOOLEAN PhStringToDouble( _In_ PCPH_STRINGREF String, _Reserved_ ULONG Base, _Out_opt_ DOUBLE *Double ) { BOOLEAN valid; DOUBLE result; PH_STRINGREF string; BOOLEAN negative; string = *String; negative = FALSE; if (string.Length != 0 && (string.Buffer[0] == L'-' || string.Buffer[0] == L'+')) { if (string.Buffer[0] == L'-') negative = TRUE; PhSkipStringRef(&string, sizeof(WCHAR)); } valid = PhpStringToDouble(&string, 10, &result); if (Double) *Double = negative ? -result : result; return valid; } /** * Converts an integer to a string. * * \param Integer The integer to process. * \param Base The base which the integer is represented with. The maximum value is 69. The base * cannot be 1. If the parameter is 0, the base used is 10. * \param Signed TRUE if \a Integer is a signed value, otherwise FALSE. * * \return The resulting string, or NULL if an error occurred. */ _Use_decl_annotations_ PPH_STRING PhIntegerToString64( _In_ LONG64 Integer, _In_opt_ ULONG Base, _In_ BOOLEAN Signed ) { PH_FORMAT format; if (Base == 1 || Base > 69) return NULL; if (Signed) PhInitFormatI64D(&format, Integer); else PhInitFormatI64U(&format, Integer); if (Base != 0) { format.Type |= FormatUseRadix; format.Radix = (UCHAR)Base; } return PhFormat(&format, 1, 0); } // PhDoesNameContainWildCards and PhIsNameInExpression compared to // RtlDoesNameContainWildCards and RtlIsNameInExpression (dmex) // - Full wildcard support: // - * -Standard wildcard - zero or more any chars // - ? -Single character wildcard // - < (ANSI_DOS_STAR) - Zero or more chars until dot // - > (ANSI_DOS_QM) - Zero or one char (not dot) // - " (ANSI_DOS_DOT) - Zero or one dot // - DOS semantics: // - -DOS_STAR(<) stops matching at dots (for filename matching like file<.txt) // - -DOS_QM(>) matches 0 or 1 non-dot character. // - -DOS_DOT(") matches optional dot character. // // Example patterns: // - *chrome* - matches anything with "chrome" // - chrome.??? - matches chrome.exe, chrome.dll(3 - char extension) // - file<.txt - matches file.txt, fileabc.txt(< stops at dot) // - test>" - matches test, testa, test. (> is 0-1 char, " is optional dot) // replacement RtlDoesNameContainWildCards (dmex) /** * Determines whether a string contains wildcard characters. * * \param Expression A pointer to the string to be checked. * \return TRUE if one or more wildcard characters were found, FALSE otherwise. * \remarks The following are wildcard characters: *, ?, ANSI_DOS_STAR (<), ANSI_DOS_DOT ("), and ANSI_DOS_QM (>). */ BOOLEAN PhDoesNameContainWildCards( _In_ PCPH_STRINGREF Expression ) { for (SIZE_T i = 0; i < Expression->Length / sizeof(WCHAR); i++) { WCHAR c = Expression->Buffer[i]; if (c == L'*' || c == L'?' || c == ANSI_DOS_STAR_W || c == ANSI_DOS_DOT_W || c == ANSI_DOS_QM_W ) { return TRUE; } } return FALSE; } // replacement RtlIsNameInExpression (dmex) /** * Determines whether a string matches the specified wildcard pattern. * * \param Expression A pointer to the pattern string. Can contain wildcards: *, ?, < (DOS_STAR), > (DOS_QM), " (DOS_DOT). * \param Name A pointer to the string to match against the pattern. * \param IgnoreCase TRUE for case-insensitive matching, FALSE for case-sensitive matching. * \return TRUE if the string matches the pattern, FALSE otherwise. * \remarks Wildcard semantics: * * - Matches zero or more characters * ? - Matches exactly one character * < (ANSI_DOS_STAR) - Matches zero or more characters until dot or end * > (ANSI_DOS_QM) - Matches zero or one character (not dot) * " (ANSI_DOS_DOT) - Matches zero or one dot */ BOOLEAN PhIsNameInExpression( _In_ PCPH_STRINGREF Expression, _In_ PCPH_STRINGREF Name, _In_ BOOLEAN IgnoreCase ) { SIZE_T exprLen = Expression->Length / sizeof(WCHAR); SIZE_T nameLen = Name->Length / sizeof(WCHAR); SIZE_T e = 0; // expression index SIZE_T n = 0; // name index SIZE_T starE = SIZE_MAX; // last * or < position in expression SIZE_T starN = SIZE_MAX; // name position when * or < was encountered BOOLEAN dosStarMode = FALSE; // TRUE if last star was DOS_STAR (<) while (n < nameLen) { if (e < exprLen) { WCHAR exprChar = Expression->Buffer[e]; WCHAR nameChar = Name->Buffer[n]; WCHAR exprCharUpper = IgnoreCase ? PhUpcaseUnicodeChar(exprChar) : exprChar; WCHAR nameCharUpper = IgnoreCase ? PhUpcaseUnicodeChar(nameChar) : nameChar; // * - matches zero or more of any character if (exprChar == L'*') { starE = e++; starN = n; dosStarMode = FALSE; continue; } // < (ANSI_DOS_STAR) - matches zero or more characters until dot or end else if (exprChar == ANSI_DOS_STAR_W) { starE = e++; starN = n; dosStarMode = TRUE; continue; } // " (ANSI_DOS_DOT) - matches zero or one dot else if (exprChar == ANSI_DOS_DOT_W) { if (nameChar == L'.') { e++; n++; } else { e++; // skip the DOS_DOT, match zero dots } continue; } // > (ANSI_DOS_QM) - matches zero or one character (not dot) else if (exprChar == ANSI_DOS_QM_W) { if (nameChar != L'.') { e++; n++; // consume one character } else { e++; // skip DOS_QM, match zero characters } continue; } // ? - matches exactly one character else if (exprChar == L'?') { e++; n++; continue; } // Exact character match else if (exprCharUpper == nameCharUpper) { e++; n++; continue; } } // Mismatch - backtrack if we saw a * or < if (starE != SIZE_MAX) { e = starE + 1; n = ++starN; // If in DOS_STAR mode, stop backtracking at dot if (dosStarMode && starN < nameLen && Name->Buffer[starN] == L'.') { dosStarMode = FALSE; starE = SIZE_MAX; // can't backtrack past dot } continue; } return FALSE; } // Consume remaining wildcards in expression while (e < exprLen) { WCHAR c = Expression->Buffer[e]; if ( c == L'*' || c == ANSI_DOS_STAR_W || c == ANSI_DOS_DOT_W || c == ANSI_DOS_QM_W ) { e++; } else { break; } } return e == exprLen; } /** * Performs fuzzy matching between a pattern and a text string. * * \param Pattern A pointer to the search pattern. * \param Text A pointer to the text to match against. * \param IgnoreCase TRUE for case-insensitive matching, FALSE for case-sensitive matching. * \return TRUE if the text fuzzy-matches the pattern, FALSE otherwise. * \remarks Fuzzy matching allows characters from the pattern to appear in order * in the text, but not necessarily consecutively. his is useful for quick * filtering where users type a few key characters. */ BOOLEAN PhStringFuzzyMatch( _In_ PCPH_STRINGREF Pattern, _In_ PCPH_STRINGREF Text, _In_ BOOLEAN IgnoreCase ) { SIZE_T patternLength = Pattern->Length / sizeof(WCHAR); SIZE_T textLength = Text->Length / sizeof(WCHAR); SIZE_T p = 0; // pattern index SIZE_T t = 0; // text index if (patternLength == 0) return TRUE; if (textLength == 0) return FALSE; while (t < textLength && p < patternLength) { WCHAR pattern = Pattern->Buffer[p]; WCHAR text = Text->Buffer[t]; if (IgnoreCase) { pattern = PhUpcaseUnicodeChar(pattern); text = PhUpcaseUnicodeChar(text); } if (pattern == text) { p++; // advance on match } t++; // always advance text } // Match succeeds if entire pattern was consumed return (p == patternLength); } /** * Validate the string does not contain control or formatting content. * * Returns FALSE if the string is NULL, empty, all whitespace, or contains * control/formatting characters (RTLO, zero-width chars, etc.). * * \param String The string to validate. * \return TRUE if the string is valid; otherwise, FALSE. */ BOOLEAN PhIsControlOrFormattingString( _In_opt_ PPH_STRING String ) { SIZE_T length; BOOLEAN hasVisibleContent = FALSE; if (!String || String->Length == 0) return FALSE; length = String->Length / sizeof(WCHAR); for (SIZE_T i = 0; i < length; i++) { WCHAR c = String->Buffer[i]; // Reject strings with control/formatting characters. if (PhIsControlOrFormattingUnicodeChar(c)) return FALSE; // Check if we have non-whitespace content. if (!PhIsWhiteSpaceUnicodeChar(c)) { hasVisibleContent = TRUE; } } // String must have at least one visible character return hasVisibleContent; } /** * Sanitizes a string in-place by replacing control and formatting characters. * * Replaces unicode characters (RTLO, zero-width chars, control chars, etc.) * with a visible replacement character directly in the string buffer. * * \param String The string to sanitize in-place. * \param ReplacementChar The character to use as a replacement (e.g., L'?' or PH_UNICODE_REPLACEMENT_CHARACTER). * \return The number of characters replaced. */ ULONG PhFilterControlOrFormattingString( _Inout_ PPH_STRINGREF String, _In_ WCHAR ReplacementChar ) { SIZE_T length; ULONG replaced = 0; if (!String || String->Length == 0) return 0; length = String->Length / sizeof(WCHAR); for (SIZE_T i = 0; i < length; i++) { if (PhIsControlOrFormattingUnicodeChar(String->Buffer[i])) { String->Buffer[i] = PH_UNICODE_REPLACEMENT_CHARACTER; replaced++; } } return replaced; } ================================================ FILE: phlib/basesup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2019-2023 * */ /* * This file contains basic low-level code as well as general algorithms and data structures. * * Memory allocation. PhAllocate is a wrapper around RtlAllocateHeap, and always allocates from the * phlib heap. PhAllocatePage is a wrapper around NtAllocateVirtualMemory and allocates pages. * * Null-terminated strings. The Ph*StringZ functions manipulate null-terminated strings. The copying * functions provide a simple way to copy strings which may not be null-terminated, but have a * specified limit. * * String. The design of the string object was chosen for maximum compatibility. As such each string * buffer must be null-terminated, and each object contains an embedded PH_STRINGREF structure. Note * that efficient sub-string creation (no copying, only references the parent string object) could * not be implemented due to the mandatory null-termination. String objects must be regarded as * immutable (for thread-safety reasons) unless the object has just been created and no references * have been shared. * * String builder. This is a set of functions which allow for efficient modification of strings. For * performance reasons, these functions modify string objects directly, even though they are * normally immutable. * * List. A simple PVOID list that resizes itself when needed. * * Pointer list. Similar to the normal list object, but uses a free list in order to support * constant time insertion and deletion. In order for the free list to work, normal entries have * their lowest bit clear while free entries have their lowest bit set, with the index of the next * free entry in the upper bits. * * Hashtable. A hashtable with power-of-two bucket sizes and with all entries stored in a single * array. This improves locality but may be inefficient when resizing the hashtable. It is a good * idea to store pointers to objects as entries, as opposed to the objects themselves. * * Simple hashtable. A wrapper around the normal hashtable, with PVOID keys and PVOID values. * * Free list. A thread-safe memory allocation method where freed blocks are stored in a S-list, and * allocations are made from this list whenever possible. * * Callback. A thread-safe notification mechanism where clients can register callback functions * which are then invoked by other code. */ #include #include #include #include #include #include #include #include #ifndef PH_NATIVE_THREAD_CREATE #define PH_NATIVE_THREAD_CREATE 1 #endif #ifndef PHNT_NATIVE_TIME #define PHNT_NATIVE_TIME 1 #endif typedef struct _PHP_BASE_THREAD_CONTEXT { PUSER_THREAD_START_ROUTINE StartAddress; PVOID Parameter; } PHP_BASE_THREAD_CONTEXT, *PPHP_BASE_THREAD_CONTEXT; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpListDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpPointerListDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpHashtableDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); // Types PPH_OBJECT_TYPE PhStringType = NULL; PPH_OBJECT_TYPE PhBytesType = NULL; PPH_OBJECT_TYPE PhListType = NULL; PPH_OBJECT_TYPE PhPointerListType = NULL; PPH_OBJECT_TYPE PhHashtableType = NULL; // Misc. PPH_STRING PhSharedEmptyString = NULL; // Threads static PH_FREE_LIST PhpBaseThreadContextFreeList; #ifdef DEBUG ULONG PhDbgThreadDbgTlsIndex; RTL_STATIC_LIST_HEAD(PhDbgThreadListHead); PH_QUEUED_LOCK PhDbgThreadListLock = PH_QUEUED_LOCK_INIT; #endif // Data static CONST ULONG PhpPrimeNumbers[] = { 0x3, 0x7, 0xb, 0x11, 0x17, 0x1d, 0x25, 0x2f, 0x3b, 0x47, 0x59, 0x6b, 0x83, 0xa3, 0xc5, 0xef, 0x125, 0x161, 0x1af, 0x209, 0x277, 0x2f9, 0x397, 0x44f, 0x52f, 0x63d, 0x78b, 0x91d, 0xaf1, 0xd2b, 0xfd1, 0x12fd, 0x16cf, 0x1b65, 0x20e3, 0x2777, 0x2f6f, 0x38ff, 0x446f, 0x521f, 0x628d, 0x7655, 0x8e01, 0xaa6b, 0xcc89, 0xf583, 0x126a7, 0x1619b, 0x1a857, 0x1fd3b, 0x26315, 0x2dd67, 0x3701b, 0x42023, 0x4f361, 0x5f0ed, 0x72125, 0x88e31, 0xa443b, 0xc51eb, 0xec8c1, 0x11bdbf, 0x154a3f, 0x198c4f, 0x1ea867, 0x24ca19, 0x2c25c1, 0x34fa1b, 0x3f928f, 0x4c4987, 0x5b8b6f, 0x6dda89 }; /** * Initializes the base support module. */ NTSTATUS PhBaseInitialization( VOID ) { PH_OBJECT_TYPE_PARAMETERS parameters; PhStringType = PhCreateObjectType(L"String", 0, NULL); PhBytesType = PhCreateObjectType(L"Bytes", 0, NULL); memset(¶meters, 0, sizeof(PH_OBJECT_TYPE_PARAMETERS)); parameters.FreeListSize = sizeof(PH_LIST); parameters.FreeListCount = 128; PhListType = PhCreateObjectTypeEx(L"List", PH_OBJECT_TYPE_USE_FREE_LIST, PhpListDeleteProcedure, ¶meters); PhPointerListType = PhCreateObjectType(L"PointerList", 0, PhpPointerListDeleteProcedure); memset(¶meters, 0, sizeof(PH_OBJECT_TYPE_PARAMETERS)); parameters.FreeListSize = sizeof(PH_HASHTABLE); parameters.FreeListCount = 64; PhHashtableType = PhCreateObjectTypeEx(L"Hashtable", PH_OBJECT_TYPE_USE_FREE_LIST, PhpHashtableDeleteProcedure, ¶meters); PhInitializeFreeList(&PhpBaseThreadContextFreeList, sizeof(PHP_BASE_THREAD_CONTEXT), 16); #ifdef DEBUG PhDbgThreadDbgTlsIndex = PhTlsAlloc(); if (PhDbgThreadDbgTlsIndex == TLS_OUT_OF_INDEXES) return STATUS_NO_MEMORY; #endif return STATUS_SUCCESS; } /** * Entry point for a base thread in the system. * * This function serves as the start routine for a user thread. It initializes COM for the thread, * sets up debugging information (in debug builds), and invokes the user-supplied thread function. * After the user function returns, it performs necessary cleanup, including COM uninitialization * and removal of debugging information. * \param Parameter Pointer to a PHP_BASE_THREAD_CONTEXT structure containing the user-supplied * thread start address and parameter. * \return NTSTATUS Status code returned by the user-supplied thread function. */ _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpBaseThreadStart( _In_ PVOID Parameter ) { NTSTATUS status; HRESULT result; PHP_BASE_THREAD_CONTEXT context; #ifdef DEBUG PHP_BASE_THREAD_DBG dbg; #endif context = *(PPHP_BASE_THREAD_CONTEXT)Parameter; PhFreeToFreeList(&PhpBaseThreadContextFreeList, Parameter); #ifdef DEBUG memset(&dbg, 0, sizeof(PHP_BASE_THREAD_DBG)); dbg.ClientId = NtCurrentTeb()->ClientId; dbg.StartAddress = context.StartAddress; dbg.Parameter = context.Parameter; dbg.CurrentAutoPool = NULL; PhAcquireQueuedLockExclusive(&PhDbgThreadListLock); InsertTailList(&PhDbgThreadListHead, &dbg.ListEntry); PhReleaseQueuedLockExclusive(&PhDbgThreadListLock); PhTlsSetValue(PhDbgThreadDbgTlsIndex, &dbg); #endif // Initialization code result = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE); // Call the user-supplied function. status = context.StartAddress(context.Parameter); // De-initialization code if (result == S_OK || result == S_FALSE) CoUninitialize(); #ifdef DEBUG PhAcquireQueuedLockExclusive(&PhDbgThreadListLock); RemoveEntryList(&dbg.ListEntry); PhReleaseQueuedLockExclusive(&PhDbgThreadListLock); #endif return status; } /** * Creates a thread. * * \param ProcessHandle A handle to the process in which the thread is to be created. * \param ThreadSecurityDescriptor A pointer to a security descriptor for the new thread and * \a determines whether child processes can inherit the thread handle. * \param DesiredAccess The desired access to the thread. * \param CreateFlags The flags that control the creation of the thread. * \param ZeroBits The number of high-order address bits that must be zero. * \a If this parameter is zero, the new thread uses the default for the executable. * \param StackSize The initial size of the stack, in bytes. The system rounds this value to the nearest page. * \a If this parameter is zero, the new thread uses the default size for the executable. * \param MaximumStackSize The maximum size of the stack, in bytes. The system rounds this value to the nearest page. * \a If this parameter is zero, the new thread uses the default maximum for the executable. * \param StartRoutine A pointer to the starting address of the thread. * \param Argument A pointer to a variable to be passed to the StartRoutine. * \param ThreadHandle A pointer to a variable that receives a handle to the new thread. * \param ClientId A pointer to a variable that receives the thread identifier. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateUserThread( _In_ HANDLE ProcessHandle, _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_opt_ ULONG CreateFlags, _In_opt_ SIZE_T ZeroBits, _In_opt_ SIZE_T StackSize, _In_opt_ SIZE_T MaximumStackSize, _In_ PUSER_THREAD_START_ROUTINE StartRoutine, _In_opt_ PVOID Argument, _Out_opt_ PHANDLE ThreadHandle, _Out_opt_ PCLIENT_ID ClientId ) { #if defined(PH_NATIVE_THREAD_CREATE) NTSTATUS status; HANDLE threadHandle; OBJECT_ATTRIBUTES objectAttributes; UCHAR buffer[FIELD_OFFSET(PS_ATTRIBUTE_LIST, Attributes) + sizeof(PS_ATTRIBUTE[1])] = { 0 }; PPS_ATTRIBUTE_LIST attributeList = (PPS_ATTRIBUTE_LIST)buffer; CLIENT_ID clientId = { NULL, NULL }; InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, ThreadSecurityDescriptor); attributeList->TotalLength = sizeof(buffer); attributeList->Attributes[0].Attribute = PS_ATTRIBUTE_CLIENT_ID; attributeList->Attributes[0].Size = sizeof(CLIENT_ID); attributeList->Attributes[0].ValuePtr = &clientId; attributeList->Attributes[0].ReturnLength = NULL; status = NtCreateThreadEx( &threadHandle, DesiredAccess, &objectAttributes, ProcessHandle, StartRoutine, Argument, CreateFlags, ZeroBits, StackSize, MaximumStackSize, attributeList ); if (NT_SUCCESS(status)) { if (ThreadHandle) { *ThreadHandle = threadHandle; } else if (threadHandle) { NtClose(threadHandle); } if (ClientId) { *ClientId = clientId; } } return status; #else return RtlCreateUserThread( ProcessHandle, ThreadSecurityDescriptor, BooleanFlagOn(CreateFlags, THREAD_CREATE_FLAGS_CREATE_SUSPENDED), (ULONG)ZeroBits, MaximumStackSize, StackSize, StartRoutine, Argument, ThreadHandle, ClientId ); #endif } /** * Creates a thread. * * \param StackSize The initial stack size of the thread. * \param StartAddress The function to execute in the thread. * \param Parameter A user-defined value to pass to the function. * \return HANDLE A handle to the new thread. */ HANDLE PhCreateThread( _In_opt_ SIZE_T StackSize, _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter ) { NTSTATUS status; HANDLE threadHandle; PPHP_BASE_THREAD_CONTEXT context; context = PhAllocateFromFreeList(&PhpBaseThreadContextFreeList); context->StartAddress = StartAddress; context->Parameter = Parameter; status = PhCreateUserThread( NtCurrentProcess(), NULL, THREAD_ALL_ACCESS, 0, 0, 0, StackSize, PhpBaseThreadStart, context, &threadHandle, NULL ); if (NT_SUCCESS(status)) { PHLIB_INC_STATISTIC(BaseThreadsCreated); return threadHandle; } else { PHLIB_INC_STATISTIC(BaseThreadsCreateFailed); PhFreeToFreeList(&PhpBaseThreadContextFreeList, context); return NULL; } } /** * Creates a new thread in the current process. * * \param ThreadHandle Pointer to a variable that receives the handle of the newly created thread. * \param StartAddress Pointer to the function to be executed by the thread. * \param Parameter Optional parameter to be passed to the thread function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateThreadEx( _Out_ PHANDLE ThreadHandle, _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter ) { NTSTATUS status; HANDLE threadHandle; PPHP_BASE_THREAD_CONTEXT context; context = PhAllocateFromFreeList(&PhpBaseThreadContextFreeList); context->StartAddress = StartAddress; context->Parameter = Parameter; status = PhCreateUserThread( NtCurrentProcess(), NULL, THREAD_ALL_ACCESS, 0, 0, 0, 0, PhpBaseThreadStart, context, &threadHandle, NULL ); if (NT_SUCCESS(status)) { PHLIB_INC_STATISTIC(BaseThreadsCreated); *ThreadHandle = threadHandle; } else { PHLIB_INC_STATISTIC(BaseThreadsCreateFailed); PhFreeToFreeList(&PhpBaseThreadContextFreeList, context); } return status; } /** * Creates a new thread and begins execution at the specified start address. * * \param StartAddress Pointer to the function to be executed by the new thread. * \param Parameter Optional parameter to be passed to the thread function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateThread2( _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter ) { NTSTATUS status; PPHP_BASE_THREAD_CONTEXT context; context = PhAllocateFromFreeList(&PhpBaseThreadContextFreeList); context->StartAddress = StartAddress; context->Parameter = Parameter; status = PhCreateUserThread( NtCurrentProcess(), NULL, THREAD_ALL_ACCESS, 0, 0, 0, 0, PhpBaseThreadStart, context, NULL, NULL ); if (NT_SUCCESS(status)) { PHLIB_INC_STATISTIC(BaseThreadsCreated); } else { PHLIB_INC_STATISTIC(BaseThreadsCreateFailed); PhFreeToFreeList(&PhpBaseThreadContextFreeList, context); } return status; } /** * Callback function that starts a queued base thread. * * This function is called by the thread pool when a work item is dequeued. * It retrieves the thread context, frees the context structure, and invokes * the user-supplied start address with the provided parameter. * \param Instance Pointer to the thread pool callback instance. * \param Context Pointer to a PHP_BASE_THREAD_CONTEXT structure, which will be freed. */ _Function_class_(TP_CALLBACK_ROUTINE) VOID PhpBaseThreadQueueStart( _Inout_ PTP_CALLBACK_INSTANCE Instance, _In_ _Frees_ptr_ PVOID Context ) { PHP_BASE_THREAD_CONTEXT context; context = *(PPHP_BASE_THREAD_CONTEXT)Context; PhFreeToFreeList(&PhpBaseThreadContextFreeList, Context); context.StartAddress(context.Parameter); } /** * Queues a callback to be executed by a thread pool thread. * * This function allocates a thread context, initializes a callback environment, * and posts the work item to a thread pool. If the operation succeeds, a statistic * for created threads is incremented; otherwise, a failure statistic is incremented * and the context is freed. * \param StartRoutine Pointer to the user-defined thread start routine to execute. * \param Parameter Optional parameter to pass to the start routine. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueueUserWorkItem( _In_ PUSER_THREAD_START_ROUTINE StartRoutine, _In_opt_ PVOID Parameter ) { NTSTATUS status; PPHP_BASE_THREAD_CONTEXT context; TP_CALLBACK_ENVIRON environment; context = PhAllocateFromFreeList(&PhpBaseThreadContextFreeList); context->StartAddress = StartRoutine; context->Parameter = Parameter; TpInitializeCallbackEnviron(&environment); TpSetCallbackLongFunction(&environment); TpSetCallbackPriority(&environment, TP_CALLBACK_PRIORITY_NORMAL); status = TpSimpleTryPost(PhpBaseThreadQueueStart, context, &environment); if (NT_SUCCESS(status)) { PHLIB_INC_STATISTIC(BaseThreadsCreated); } else { PHLIB_INC_STATISTIC(BaseThreadsCreateFailed); PhFreeToFreeList(&PhpBaseThreadContextFreeList, context); } return status; } DOUBLE PhReadTimeStampFrequency( VOID ) { LARGE_INTEGER frequency; LARGE_INTEGER start; LARGE_INTEGER end; ULONG_PTR old_affinity = 0; DOUBLE elapsed_qpc; ULONG64 elapsed_tsc; DOUBLE tsc_freq; ULONG64 tsc_start; ULONG64 tsc_end; // Wait interval (in QPC ticks) PhQueryPerformanceFrequency(&frequency); const LONGLONG interval_ms = 100; // 100 ms const LONGLONG interval_ticks = (frequency.QuadPart * interval_ms) / 1000; // Warm up for (volatile ULONG i = 0UL; i < 1000000UL; ++i) {} // Pin thread to one CPU (optional, for best accuracy) PhGetThreadAffinityMask(NtCurrentThread(), &old_affinity); PhSetThreadAffinityMask(NtCurrentThread(), 1); PhQueryPerformanceCounter(&start); SpeculationFence(); tsc_start = ReadTimeStampCounter(); SpeculationFence(); // Wait for interval for (;;) { PhQueryPerformanceCounter(&end); if ((end.QuadPart - start.QuadPart) >= interval_ticks) break; YieldProcessor(); } SpeculationFence(); tsc_end = ReadTimeStampCounter(); SpeculationFence(); if (old_affinity) { PhSetThreadAffinityMask(NtCurrentThread(), old_affinity); } elapsed_qpc = (DOUBLE)(end.QuadPart - start.QuadPart) / frequency.QuadPart; elapsed_tsc = tsc_end - tsc_start; tsc_freq = elapsed_tsc / elapsed_qpc; return tsc_freq; } /** * Reads the time stamp counter. * * This function reads the time stamp counter using the `__rdtscp` instruction, * which is a serializing variant of the `rdtsc` instruction. It also includes * a memory fence to ensure proper ordering of memory operations. * \return The current value of the time stamp counter. */ ULONG64 PhReadTimeStampCounter( VOID ) { #if defined(PHNT_RDTSCP) unsigned int processorIndex; ULONG64 value = __rdtscp(&processorIndex); SpeculationFence(); return value; #else MemoryBarrier(); ULONG64 value = ReadTimeStampCounter(); MemoryBarrier(); return value; #endif } // rev from QueryPerformanceCounter (dmex) /** * Retrieves the current value of the performance counter, which is a high resolution (<1us) time stamp that can be used for time-interval measurements. * * \param PerformanceCounter A pointer to a variable that receives the current performance-counter value, in counts. * \return Successful or errant status. * \remarks On systems that run Windows XP or later, the function will always succeed and will thus never return zero. */ BOOLEAN PhQueryPerformanceCounter( _Out_ PLARGE_INTEGER PerformanceCounter ) { #if defined(PH_WIN32_PERFCOUNTER) return !!QueryPerformanceCounter(PerformanceCounter); #elif defined(PH_NATIVE_PERFCOUNTER) return NT_SUCCESS(NtQueryPerformanceCounter(PerformanceCounter, NULL)); #else return !!RtlQueryPerformanceCounter(PerformanceCounter); #endif } // rev from QueryPerformanceFrequency (dmex) /** * Retrieves the frequency of the performance counter. * The frequency of the performance counter is fixed at system boot and is consistent across all processors. * Therefore, the frequency need only be queried upon application initialization, and the result can be cached. * * \param PerformanceFrequency A pointer to a variable that receives the current performance-counter frequency, in counts per second. * \return Successful or errant status. * \remarks On systems that run Windows XP or later, the function will always succeed and will thus never return zero. */ BOOLEAN PhQueryPerformanceFrequency( _Out_ PLARGE_INTEGER PerformanceFrequency ) { #if defined(PH_WIN32_PERFCOUNTER) return !!QueryPerformanceFrequency(PerformanceFrequency); #elif defined(PH_NATIVE_PERFCOUNTER) LARGE_INTEGER performanceCounter; return NT_SUCCESS(NtQueryPerformanceCounter(&performanceCounter, PerformanceFrequency)); #else return !!RtlQueryPerformanceFrequency(PerformanceFrequency); #endif } /** * Gets the current interrupt-time count. */ VOID PhQueryInterruptTime( _Out_ PLARGE_INTEGER InterruptTime ) { #if defined(PHNT_NATIVE_TIME) while (TRUE) { InterruptTime->HighPart = USER_SHARED_DATA->InterruptTime.High1Time; InterruptTime->LowPart = USER_SHARED_DATA->InterruptTime.LowPart; if (InterruptTime->HighPart == USER_SHARED_DATA->InterruptTime.High2Time) break; YieldProcessor(); } #elif defined(PHNT_SYSTEM_TIME) ULONGLONG interruptTime; QueryInterruptTime(&interruptTime); InterruptTime->QuadPart = interruptTime; #else do { InterruptTime->HighPart = USER_SHARED_DATA->InterruptTime.High1Time; InterruptTime->LowPart = USER_SHARED_DATA->InterruptTime.LowPart; } while (InterruptTime->HighPart != USER_SHARED_DATA->InterruptTime.High2Time); #endif } /** * Gets the current system time (UTC). * * \remarks Use this function instead of NtQuerySystemTime() because no system calls are involved. */ VOID PhQuerySystemTime( _Out_ PLARGE_INTEGER SystemTime ) { #if defined(PHNT_NATIVE_TIME) while (TRUE) { SystemTime->HighPart = USER_SHARED_DATA->SystemTime.High1Time; SystemTime->LowPart = USER_SHARED_DATA->SystemTime.LowPart; if (SystemTime->HighPart == USER_SHARED_DATA->SystemTime.High2Time) break; YieldProcessor(); } #elif defined(PHNT_SYSTRM_TIME) SYSTEMTIME systemTime; FILETIME fileTime; GetSystemTime(&systemTime); SystemTimeToFileTime(&systemTime, &fileTime); SystemTime->LowPart = fileTime.dwLowDateTime; SystemTime->HighPart = fileTime.dwHighDateTime; #else do { SystemTime->HighPart = USER_SHARED_DATA->SystemTime.High1Time; SystemTime->LowPart = USER_SHARED_DATA->SystemTime.LowPart; } while (SystemTime->HighPart != USER_SHARED_DATA->SystemTime.High2Time); #endif } /** * Gets the offset of the current time zone from UTC. * * \remarks Use this function instead of GetTimeZoneInformation() because no system calls are involved. */ NTSTATUS PhQueryTimeZoneBias( _Out_ PLARGE_INTEGER TimeZoneBias ) { #if defined(PHNT_NATIVE_TIME) while (TRUE) { TimeZoneBias->HighPart = USER_SHARED_DATA->TimeZoneBias.High1Time; TimeZoneBias->LowPart = USER_SHARED_DATA->TimeZoneBias.LowPart; if (TimeZoneBias->HighPart == USER_SHARED_DATA->TimeZoneBias.High2Time) break; YieldProcessor(); } return STATUS_SUCCESS; #elif defined(PHNT_SYSTEM_TIME) NTSTATUS status; SYSTEM_TIMEOFDAY_INFORMATION timeOfDayInfo = { 0 }; status = NtQuerySystemInformation( SystemTimeOfDayInformation, &timeOfDayInfo, sizeof(SYSTEM_TIMEOFDAY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { TimeZoneBias->QuadPart = timeOfDayInfo.TimeZoneBias.QuadPart; } return status; #else do { TimeZoneBias->HighPart = USER_SHARED_DATA->TimeZoneBias.High1Time; TimeZoneBias->LowPart = USER_SHARED_DATA->TimeZoneBias.LowPart; } while (TimeZoneBias->HighPart != USER_SHARED_DATA->TimeZoneBias.High2Time); return STATUS_SUCCESS; #endif } /** * Converts system time to local time. * * \param SystemTime A UTC time value. * \param LocalTime A variable which receives the local time value. This may be the same variable as * \a SystemTime. * \return NTSTATUS Successful or errant status. * \remarks Use this function instead of RtlSystemTimeToLocalTime() because no system calls are * involved. */ NTSTATUS PhSystemTimeToLocalTime( _In_ PLARGE_INTEGER SystemTime, _Out_ PLARGE_INTEGER LocalTime ) { #if defined(PHNT_NATIVE_TIME) NTSTATUS status; LARGE_INTEGER timeZoneBias; status = PhQueryTimeZoneBias(&timeZoneBias); if (NT_SUCCESS(status)) { LocalTime->QuadPart = SystemTime->QuadPart - timeZoneBias.QuadPart; } return status; #else return RtlSystemTimeToLocalTime(SystemTime, LocalTime); #endif } /** * Converts local time to system time. * * \param LocalTime A local time value. * \param SystemTime A variable which receives the UTC time value. This may be the same variable as * \a LocalTime. * \return NTSTATUS Successful or errant status. * \remarks Use this function instead of RtlLocalTimeToSystemTime() because no system calls are * involved. */ NTSTATUS PhLocalTimeToSystemTime( _In_ PLARGE_INTEGER LocalTime, _Out_ PLARGE_INTEGER SystemTime ) { #if defined(PHNT_NATIVE_TIME) NTSTATUS status; LARGE_INTEGER timeZoneBias; status = PhQueryTimeZoneBias(&timeZoneBias); if (NT_SUCCESS(status)) { SystemTime->QuadPart = LocalTime->QuadPart + timeZoneBias.QuadPart; } return status; #else return RtlLocalTimeToSystemTime(LocalTime, SystemTime); #endif } /** * Converts a system time value to the number of seconds elapsed since January 1, 1980 (the DOS epoch). * * \param Time Pointer to a LARGE_INTEGER representing the system time (in 100-nanosecond intervals since January 1, 1601 UTC). * \param ElapsedSeconds Pointer to a ULONG that receives the number of seconds since January 1, 1980. * \return TRUE if the conversion was successful and the result fits in a ULONG; FALSE otherwise. */ BOOLEAN PhTimeToSecondsSince1980( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds ) { #if defined(PHNT_NATIVE_TIME) LARGE_INTEGER time; time.QuadPart = Time->QuadPart - (SecondsToStartOf1980 * PH_TICKS_PER_SEC); time.QuadPart /= PH_TICKS_PER_SEC; if (time.HighPart) { *ElapsedSeconds = 0; return FALSE; } *ElapsedSeconds = time.LowPart; return TRUE; #else return RtlTimeToSecondsSince1980(Time, ElapsedSeconds); #endif } /** * Converts a system time value to the number of seconds elapsed since January 1, 1970 (the Unix epoch). * * \param Time Pointer to a LARGE_INTEGER representing the system time (in 100-nanosecond intervals since January 1, 1601 UTC). * \param ElapsedSeconds Pointer to a ULONG that receives the number of seconds since January 1, 1970. * \return TRUE if the conversion was successful and the result fits in a ULONG; FALSE otherwise. */ BOOLEAN PhTimeToSecondsSince1970( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds ) { #if defined(PHNT_NATIVE_TIME) LARGE_INTEGER time; time.QuadPart = Time->QuadPart - (SecondsToStartOf1970 * PH_TICKS_PER_SEC); time.QuadPart /= PH_TICKS_PER_SEC; if (time.HighPart) { *ElapsedSeconds = 0; return FALSE; } *ElapsedSeconds = time.LowPart; return TRUE; #else return RtlTimeToSecondsSince1970(Time, ElapsedSeconds); #endif } /** * Converts the number of seconds elapsed since 1980 to a system time value. * * \param ElapsedSeconds The number of seconds since January 1, 1980. * \param Time Pointer to a LARGE_INTEGER that receives the converted time value. */ VOID PhSecondsSince1980ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time ) { #if defined(PHNT_NATIVE_TIME) Time->QuadPart = PH_TICKS_PER_SEC * (SecondsToStartOf1980 + ElapsedSeconds); #else RtlSecondsSince1980ToTime(ElapsedSeconds, Time); #endif } /** * Converts the number of seconds elapsed since January 1, 1970 (the Unix epoch) * to a Windows FILETIME-compatible 64-bit time value. * * \param ElapsedSeconds The number of seconds since January 1, 1970. * \param Time Pointer to a LARGE_INTEGER that receives the converted time value. */ VOID PhSecondsSince1970ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time ) { #if defined(PHNT_NATIVE_TIME) Time->QuadPart = PH_TICKS_PER_SEC * (SecondsToStartOf1970 + ElapsedSeconds); #else RtlSecondsSince1970ToTime(ElapsedSeconds, Time); #endif } /** * Allocates a block of memory. * * \param Size The number of bytes to allocate. * \return A pointer to the allocated block of memory. * \remarks If the function fails to allocate the block of memory, it raises an exception. The block * is guaranteed to be aligned at MEMORY_ALLOCATION_ALIGNMENT bytes. */ _Use_decl_annotations_ PVOID PhAllocate( _In_ SIZE_T Size ) { assert(Size > 0 && Size < PH_LARGE_BUFFER_SIZE); #if defined(PH_DEBUG_HEAP) return malloc(Size); #else return RtlAllocateHeap(PhHeapHandle, HEAP_GENERATE_EXCEPTIONS, Size); #endif } /** * Allocates a block of memory. * * \param Size The number of bytes to allocate. * \return A pointer to the allocated block of memory, * or NULL if the block could not be allocated. */ _Use_decl_annotations_ PVOID PhAllocateSafe( _In_ SIZE_T Size ) { assert(Size > 0 && Size < PH_LARGE_BUFFER_SIZE); #if defined(PH_DEBUG_HEAP) return malloc(Size); #else return RtlAllocateHeap(PhHeapHandle, 0, Size); #endif } /** * Allocates a block of memory. * * \param Size The number of bytes to allocate. * \param Flags Flags controlling the allocation. * \return A pointer to the allocated block of memory, * or NULL if the block could not be allocated. */ _Use_decl_annotations_ PVOID PhAllocateExSafe( _In_ SIZE_T Size, _In_ ULONG Flags ) { assert(Size > 0 && Size < PH_LARGE_BUFFER_SIZE); #if defined(PH_DEBUG_HEAP) return malloc(Size); #else return RtlAllocateHeap(PhHeapHandle, Flags, Size); #endif } /** * Frees a block of memory allocated with PhAllocate(). * * \param Memory A pointer to a block of memory. */ _Use_decl_annotations_ VOID PhFree( _In_opt_ _Frees_ptr_opt_ _Post_invalid_ PVOID Memory ) { #if defined(PH_DEBUG_HEAP) free(Memory); #else RtlFreeHeap(PhHeapHandle, 0, Memory); #endif } /** * Re-allocates a block of memory originally allocated with PhAllocate(). * * \param Memory A pointer to a block of memory. * \param Size The new size of the memory block, in bytes. * \return A pointer to the new block of memory. The existing contents of the memory block are * copied to the new block. * \remarks If the function fails to allocate the block of memory, it raises an exception. */ _Use_decl_annotations_ PVOID PhReAllocate( _In_opt_ _Frees_ptr_opt_ PVOID Memory, _In_ SIZE_T Size ) { assert(Size > 0 && Size < PH_LARGE_BUFFER_SIZE); #if defined(PH_DEBUG_HEAP) return realloc(Memory, Size); #else if (Size == 0) { if (Memory) PhFree(Memory); return NULL; } if (Memory) { return RtlReAllocateHeap(PhHeapHandle, HEAP_GENERATE_EXCEPTIONS, Memory, Size); } return RtlAllocateHeap(PhHeapHandle, HEAP_GENERATE_EXCEPTIONS, Size); #endif } /** * Re-allocates a block of memory originally allocated with PhAllocate(). * * \param Memory A pointer to a block of memory. * \param Size The new size of the memory block, in bytes. * \return A pointer to the new block of memory, or NULL if the block could not be allocated. The * existing contents of the memory block are copied to the new block. */ _Use_decl_annotations_ PVOID PhReAllocateSafe( _In_opt_ _Frees_ptr_opt_ PVOID Memory, _In_ SIZE_T Size ) { assert(Size > 0 && Size < PH_LARGE_BUFFER_SIZE); #if defined(PH_DEBUG_HEAP) return realloc(Memory, Size); #else if (Size == 0) { if (Memory) PhFree(Memory); return NULL; } if (Memory) { return RtlReAllocateHeap(PhHeapHandle, 0, Memory, Size); } return RtlAllocateHeap(PhHeapHandle, 0, Size); #endif } _Use_decl_annotations_ SIZE_T PhSizeHeap( _In_ PVOID Memory ) { #if defined(PH_DEBUG_HEAP) return _msize(Memory); #else return RtlSizeHeap(PhHeapHandle, 0, Memory); #endif } /** * Allocates pages of memory. * * \param Size The number of bytes to allocate. The number of pages allocated will be large enough * to contain \a Size bytes. * \param NewSize The number of bytes actually allocated. This is \a Size rounded up to the next * multiple of PAGE_SIZE. * \return A pointer to the allocated block of memory, or NULL if the block could not be allocated. */ _Use_decl_annotations_ PVOID PhAllocatePage( _In_ SIZE_T Size, _Out_opt_ PSIZE_T NewSize ) { PVOID baseAddress; SIZE_T regionSize; baseAddress = NULL; regionSize = Size; if (NT_SUCCESS(NtAllocateVirtualMemory( NtCurrentProcess(), &baseAddress, 0, ®ionSize, MEM_COMMIT, PAGE_READWRITE ))) { if (NewSize) *NewSize = regionSize; return baseAddress; } else { return NULL; } } /** * Frees pages of memory allocated with PhAllocatePage(). * * \param Memory A pointer to a block of memory. */ VOID PhFreePage( _In_opt_ _Frees_ptr_opt_ _Post_invalid_ PVOID Memory ) { PhFreeVirtualMemory(NtCurrentProcess(), Memory, MEM_RELEASE); } /** * Allocates pages of memory. * * \param Size The number of bytes to allocate. The number of pages allocated will be large enough to contain \a Size bytes. * \param Alignment The alignment value, which must be an integer power of 2. * \return A pointer to the allocated block of memory, or NULL if the block could not be allocated. */ _Use_decl_annotations_ PVOID PhAllocatePageAligned( _In_ SIZE_T Size, _In_ SIZE_T Alignment ) { return _aligned_malloc(Size, Alignment); //NTSTATUS status; //PVOID baseAddress = NULL; //MEM_EXTENDED_PARAMETER extended[1]; //MEM_ADDRESS_REQUIREMENTS requirements; // //memset(&requirements, 0, sizeof(MEM_ADDRESS_REQUIREMENTS)); ////requirements.HighestEndingAddress = (PVOID)(ULONG_PTR)0x7fffffff; // Below 2GB //requirements.Alignment = Alignment; // //memset(extended, 0, sizeof(extended)); //extended[0].Type = MemExtendedParameterAddressRequirements; //extended[0].Pointer = &requirements; // //status = NtAllocateVirtualMemoryEx( // NtCurrentProcess(), // &baseAddress, // &Size, // MEM_RESERVE | MEM_COMMIT, // PAGE_READWRITE, // extended, // RTL_NUMBER_OF(extended) // ); // //if (NT_SUCCESS(status)) //{ // if (NewSize) // *NewSize = Size; // if (BaseAddress) // *BaseAddress = baseAddress; //} // //return status; } /** * Frees pages of memory allocated with PhAllocatePageAligned(). * * \param Memory A pointer to a block of memory. */ VOID PhFreePageAligned( _In_opt_ _Frees_ptr_opt_ _Post_invalid_ PVOID Memory ) { _aligned_free(Memory); } /** * Reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process. * * \param ProcessHandle A handle to the process. * \param BaseAddress The pointer that specifies a desired starting address for the region of pages that you want to allocate. * If you are reserving memory, the function rounds this address down to the nearest multiple of the allocation granularity. * If you are committing memory that is already reserved, the function rounds this address down to the nearest page boundary. * \param AllocationSize The size of the region of memory to allocate, in bytes. If BaseAddress is NULL, the function rounds Size up to the next page boundary. * \param AllocationType The type of memory allocation. * \param Protection The type of memory protection. * \return Successful or errant status. */ NTSTATUS PhAllocateVirtualMemory( _In_ HANDLE ProcessHandle, _Outptr_result_bytebuffer_(AllocationSize) PVOID* BaseAddress, _In_ SIZE_T AllocationSize, _In_ ULONG AllocationType, _In_ ULONG Protection ) { NTSTATUS status; PVOID baseAddress = NULL; SIZE_T allocationSize = AllocationSize; status = NtAllocateVirtualMemory( ProcessHandle, &baseAddress, 0, &allocationSize, AllocationType, Protection ); if (NT_SUCCESS(status)) { *BaseAddress = baseAddress; } return status; } /** * Releases, decommits, or both releases and decommits, a region of pages within the virtual address space of a specified process. * * \param ProcessHandle A handle to the process. * \param BaseAddress The pointer that specifies a desired starting address for the region of pages that you want to allocate. * \param FreeType A bitmask containing flags that describe the type of free operation. * \return Successful or errant status. */ NTSTATUS PhFreeVirtualMemory( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG FreeType ) { NTSTATUS status; PVOID regionAddress = BaseAddress; SIZE_T regionSize = 0; status = NtFreeVirtualMemory( ProcessHandle, ®ionAddress, ®ionSize, FreeType ); //if (status == STATUS_INVALID_PAGE_PROTECTION) //{ // if (RtlFlushSecureMemoryCache(regionAddress, regionSize)) // { // status = NtFreeVirtualMemory( // ProcessHandle, // ®ionAddress, // ®ionSize, // FreeType // ); // } //} return status; } NTSTATUS PhProtectVirtualMemory( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _In_ ULONG NewProtection, _Out_opt_ PULONG OldProtection ) { NTSTATUS status; PVOID regionAddress = BaseAddress; SIZE_T regionSize = RegionSize; ULONG oldProtection = 0; status = NtProtectVirtualMemory( ProcessHandle, ®ionAddress, ®ionSize, NewProtection, &oldProtection ); if (NT_SUCCESS(status) && OldProtection) { *OldProtection = oldProtection; return STATUS_SUCCESS; } //if (status == STATUS_INVALID_PAGE_PROTECTION) //{ // if (RtlFlushSecureMemoryCache(regionAddress, regionSize)) // { // status = NtProtectVirtualMemory( // ProcessHandle, // ®ionAddress, // ®ionSize, // NewProtection, // &oldProtection // ); // // if (NT_SUCCESS(status) && OldProtection) // { // *OldProtection = oldProtection; // return STATUS_SUCCESS; // } // } //} return status; } /** * Reads virtual memory from a specified process. * * \param ProcessHandle Handle to the process from which the memory is to be read. * \param BaseAddress Optional pointer to the base address in the specified process from which to read. * \param Buffer Pointer to a buffer that receives the contents from the address space of the specified process. * \param BufferSize Size of the buffer, in bytes. * \param NumberOfBytesRead Optional pointer to a variable that receives the number of bytes read into the buffer. * \return Successful or errant status. */ NTSTATUS PhReadVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead ) { NTSTATUS status; SIZE_T numberOfBytesRead; if (ProcessHandle == NtCurrentProcess()) { RtlMoveMemory(Buffer, BaseAddress, BufferSize); if (NumberOfBytesRead) *NumberOfBytesRead = BufferSize; return STATUS_SUCCESS; } numberOfBytesRead = 0; status = NtReadVirtualMemory( ProcessHandle, BaseAddress, Buffer, BufferSize, &numberOfBytesRead ); if (NT_SUCCESS(status)) { assert(BufferSize == numberOfBytesRead); } if (NumberOfBytesRead) { *NumberOfBytesRead = numberOfBytesRead; } return status; } /** * Writes virtual memory to the specified process. * * \param ProcessHandle Handle to the process from which the memory is to be read. * \param BaseAddress Optional pointer to the base address in the specified process from which to read. * \param Buffer Pointer to a buffer that receives the contents from the address space of the specified process. * \param NumberOfBytesToWrite The number of bytes to be written to the specified process. * \param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified buffer. * \return Successful or errant status. */ NTSTATUS PhWriteVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, _In_ SIZE_T NumberOfBytesToWrite, _Out_opt_ PSIZE_T NumberOfBytesWritten ) { NTSTATUS status; SIZE_T numberOfBytesWritten; numberOfBytesWritten = 0; status = NtWriteVirtualMemory( ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, &numberOfBytesWritten ); if (NT_SUCCESS(status)) { assert(NumberOfBytesToWrite == numberOfBytesWritten); } if (NumberOfBytesWritten) { *NumberOfBytesWritten = numberOfBytesWritten; } return status; } /** * Creates an array object. * * \param Array An array object. * \param ItemSize The size of each item, in bytes. * \param InitialCapacity The number of elements to allocate storage for, initially. */ VOID PhInitializeArray( _Out_ PPH_ARRAY Array, _In_ SIZE_T ItemSize, _In_ SIZE_T InitialCapacity ) { // Initial capacity of 0 is not allowed. if (InitialCapacity == 0) InitialCapacity = 1; Array->Count = 0; Array->AllocatedCount = InitialCapacity; Array->ItemSize = ItemSize; Array->Items = PhAllocate(Array->AllocatedCount * ItemSize); } /** * Frees resources used by an array object. * * \param Array An array object. */ VOID PhDeleteArray( _Inout_ PPH_ARRAY Array ) { PhFree(Array->Items); } /** * Resizes an array. * * \param Array An array object. * \param NewCapacity The new required number of elements for which storage has been reserved. This * must not be smaller than the current number of items in the array. */ VOID PhResizeArray( _Inout_ PPH_ARRAY Array, _In_ SIZE_T NewCapacity ) { if (Array->Count > NewCapacity) PhRaiseStatus(STATUS_INVALID_PARAMETER_2); Array->AllocatedCount = NewCapacity; Array->Items = PhReAllocate(Array->Items, Array->AllocatedCount * Array->ItemSize); } /** * Adds an item to an array. * * \param Array An array object. * \param Item The item to add. */ VOID PhAddItemArray( _Inout_ PPH_ARRAY Array, _In_ PVOID Item ) { // See if we need to resize the list. if (Array->Count == Array->AllocatedCount) { Array->AllocatedCount *= 2; Array->Items = PhReAllocate(Array->Items, Array->AllocatedCount * Array->ItemSize); } memcpy(PhItemArray(Array, Array->Count), Item, Array->ItemSize); Array->Count++; } /** * Adds items to an array. * * \param Array An array object. * \param Items An array containing the items to add. * \param Count The number of items to add. */ VOID PhAddItemsArray( _Inout_ PPH_ARRAY Array, _In_ PVOID Items, _In_ SIZE_T Count ) { // See if we need to resize the list. if (Array->AllocatedCount < Array->Count + Count) { Array->AllocatedCount *= 2; if (Array->AllocatedCount < Array->Count + Count) Array->AllocatedCount = Array->Count + Count; Array->Items = PhReAllocate(Array->Items, Array->AllocatedCount * Array->ItemSize); } memcpy( PhItemArray(Array, Array->Count), Items, Count * Array->ItemSize ); Array->Count += Count; } /** * Clears an array. * * \param Array An array object. */ VOID PhClearArray( _Inout_ PPH_ARRAY Array ) { Array->Count = 0; } /** * Removes an item from an array. * * \param Array An array object. * \param Index The index of the item. */ VOID PhRemoveItemArray( _Inout_ PPH_ARRAY Array, _In_ SIZE_T Index ) { PhRemoveItemsArray(Array, Index, 1); } /** * Removes items from an array. * * \param Array An array object. * \param StartIndex The index at which to begin removing items. * \param Count The number of items to remove. */ VOID PhRemoveItemsArray( _Inout_ PPH_ARRAY Array, _In_ SIZE_T StartIndex, _In_ SIZE_T Count ) { // Shift the items after the items forward. memmove( PhItemArray(Array, StartIndex), PhItemArray(Array, StartIndex + Count), (Array->Count - StartIndex - Count) * Array->ItemSize ); Array->Count -= Count; } /** * Creates a list object. * * \param InitialCapacity The number of elements to allocate storage for, initially. */ PPH_LIST PhCreateList( _In_ ULONG InitialCapacity ) { PPH_LIST list; list = PhCreateObject(sizeof(PH_LIST), PhListType); // Initial capacity of 0 is not allowed. if (InitialCapacity == 0) InitialCapacity = 1; list->Count = 0; list->AllocatedCount = InitialCapacity; list->Items = PhAllocate(list->AllocatedCount * sizeof(PVOID)); return list; } _Use_decl_annotations_ VOID PhpListDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_LIST list = (PPH_LIST)Object; PhFree(list->Items); } /** * Resizes a list. * * \param List A list object. * \param NewCapacity The new required number of elements for which storage has been reserved. This * must not be smaller than the current number of items in the list. */ VOID PhResizeList( _Inout_ PPH_LIST List, _In_ ULONG NewCapacity ) { if (List->Count > NewCapacity) PhRaiseStatus(STATUS_INVALID_PARAMETER_2); List->AllocatedCount = NewCapacity; List->Items = PhReAllocate(List->Items, List->AllocatedCount * sizeof(PVOID)); } /** * Adds an item to a list. * * \param List A list object. * \param Item The item to add. */ VOID PhAddItemList( _Inout_ PPH_LIST List, _In_ PVOID Item ) { // See if we need to resize the list. if (List->Count == List->AllocatedCount) { List->AllocatedCount *= 2; List->Items = PhReAllocate(List->Items, List->AllocatedCount * sizeof(PVOID)); } List->Items[List->Count++] = Item; } /** * Adds items to a list. * * \param List A list object. * \param Items An array containing the items to add. * \param Count The number of items to add. */ VOID PhAddItemsList( _Inout_ PPH_LIST List, _In_ PVOID *Items, _In_ ULONG Count ) { // See if we need to resize the list. if (List->AllocatedCount < List->Count + Count) { List->AllocatedCount *= 2; if (List->AllocatedCount < List->Count + Count) List->AllocatedCount = List->Count + Count; List->Items = PhReAllocate(List->Items, List->AllocatedCount * sizeof(PVOID)); } memcpy( &List->Items[List->Count], Items, Count * sizeof(PVOID) ); List->Count += Count; } /** * Clears a list. * * \param List A list object. */ VOID PhClearList( _Inout_ PPH_LIST List ) { List->Count = 0; } /** * Locates an item in a list. * * \param List A list object. * \param Item The item to search for. * * \return The index of the item. If the * item was not found, -1 is returned. */ _Use_decl_annotations_ ULONG PhFindItemList( _In_ PPH_LIST List, _In_ PVOID Item ) { for (ULONG i = 0; i < List->Count; i++) { if (List->Items[i] == Item) return i; } return ULONG_MAX; } /** * Inserts an item into a list. * * \param List A list object. * \param Index The index at which to insert the item. * \param Item The item to add. */ VOID PhInsertItemList( _Inout_ PPH_LIST List, _In_ ULONG Index, _In_ PVOID Item ) { PhInsertItemsList(List, Index, &Item, 1); } /** * Inserts items into a list. * * \param List A list object. * \param Index The index at which to insert the items. * \param Items An array containing the items to add. * \param Count The number of items to add. */ VOID PhInsertItemsList( _Inout_ PPH_LIST List, _In_ ULONG Index, _In_ PVOID *Items, _In_ ULONG Count ) { // See if we need to resize the list. if (List->AllocatedCount < List->Count + Count) { List->AllocatedCount *= 2; if (List->AllocatedCount < List->Count + Count) List->AllocatedCount = List->Count + Count; List->Items = PhReAllocate(List->Items, List->AllocatedCount * sizeof(PVOID)); } if (Index < List->Count) { // Shift the existing items backward. memmove( &List->Items[Index + Count], &List->Items[Index], (List->Count - Index) * sizeof(PVOID) ); } // Copy the new items into the list. memcpy( &List->Items[Index], Items, Count * sizeof(PVOID) ); List->Count += Count; } /** * Removes an item from a list. * * \param List A list object. * \param Index The index of the item. */ VOID PhRemoveItemList( _Inout_ PPH_LIST List, _In_ ULONG Index ) { PhRemoveItemsList(List, Index, 1); } /** * Removes items from a list. * * \param List A list object. * \param StartIndex The index at which to begin removing items. * \param Count The number of items to remove. */ VOID PhRemoveItemsList( _Inout_ PPH_LIST List, _In_ ULONG StartIndex, _In_ ULONG Count ) { // Shift the items after the items forward. memmove( &List->Items[StartIndex], &List->Items[StartIndex + Count], (List->Count - StartIndex - Count) * sizeof(PVOID) ); List->Count -= Count; } /** * Creates a pointer list object. * * \param InitialCapacity The number of elements to allocate storage for initially. */ PPH_POINTER_LIST PhCreatePointerList( _In_ ULONG InitialCapacity ) { PPH_POINTER_LIST pointerList; pointerList = PhCreateObject(sizeof(PH_POINTER_LIST), PhPointerListType); // Initial capacity of 0 is not allowed. if (InitialCapacity == 0) InitialCapacity = 1; pointerList->Count = 0; pointerList->AllocatedCount = InitialCapacity; pointerList->FreeEntry = ULONG_MAX; pointerList->NextEntry = 0; pointerList->Items = PhAllocate(pointerList->AllocatedCount * sizeof(PVOID)); return pointerList; } _Use_decl_annotations_ VOID NTAPI PhpPointerListDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_POINTER_LIST pointerList = (PPH_POINTER_LIST)Object; PhFree(pointerList->Items); } /** * Decodes an index stored in a free entry. */ FORCEINLINE ULONG PhpDecodePointerListIndex( _In_ PVOID Index ) { // At least with Microsoft's compiler, shift right on a signed value preserves the sign. This is // important because we want decode(encode(-1)) = ((-1 << 1) | 1) >> 1 = -1. return (ULONG)((LONG_PTR)Index >> 1); } /** * Encodes an index for storage in a free entry. */ FORCEINLINE PVOID PhpEncodePointerListIndex( _In_ ULONG Index ) { return (PVOID)(((ULONG_PTR)Index << 1) | 0x1); } FORCEINLINE HANDLE PhpPointerListIndexToHandle( _In_ ULONG Index ) { // Add one to allow NULL handles to indicate failure/an invalid index. return UlongToHandle(Index + 1); } FORCEINLINE ULONG PhpPointerListHandleToIndex( _In_ HANDLE Handle ) { return HandleToUlong(Handle) - 1; } /** * Adds a pointer to a pointer list. * * \param PointerList A pointer list object. * \param Pointer The pointer to add. The pointer must be at least 2 byte aligned. * \return A handle to the pointer, valid until the pointer is removed from the pointer list. */ HANDLE PhAddItemPointerList( _Inout_ PPH_POINTER_LIST PointerList, _In_ PVOID Pointer ) { ULONG index; assert(PH_IS_LIST_POINTER_VALID(Pointer)); // Use a free entry if possible. if (PointerList->FreeEntry != ULONG_MAX) { PVOID oldPointer; index = PointerList->FreeEntry; oldPointer = PointerList->Items[index]; PointerList->Items[index] = Pointer; PointerList->FreeEntry = PhpDecodePointerListIndex(oldPointer); } else { // Use the next entry. if (PointerList->NextEntry == PointerList->AllocatedCount) { PointerList->AllocatedCount *= 2; PointerList->Items = PhReAllocate(PointerList->Items, PointerList->AllocatedCount * sizeof(PVOID)); } index = PointerList->NextEntry++; PointerList->Items[index] = Pointer; } PointerList->Count++; return PhpPointerListIndexToHandle(index); } /** * Enumerates the next pointer in a pointer list. * * \param PointerList A pointer to the pointer list to enumerate. * \param EnumerationKey A pointer to a variable that maintains the enumeration state. * This should be initialized to zero before the first call. * \param Pointer Receives the next pointer in the list. * \param PointerHandle Receives the handle associated with the pointer, if any. * \return TRUE if a pointer was successfully enumerated; FALSE if there are no more pointers. */ _Use_decl_annotations_ BOOLEAN PhEnumPointerListEx( _In_ PPH_POINTER_LIST PointerList, _Inout_ PULONG EnumerationKey, _Out_ PVOID *Pointer, _Out_ PHANDLE PointerHandle ) { ULONG index; while ((index = *EnumerationKey) < PointerList->NextEntry) { PVOID pointer = PointerList->Items[index]; (*EnumerationKey)++; if (PH_IS_LIST_POINTER_VALID(pointer)) { *Pointer = pointer; *PointerHandle = PhpPointerListIndexToHandle(index); return TRUE; } } return FALSE; } /** * Locates a pointer in a pointer list. * * \param PointerList A pointer list object. * \param Pointer The pointer to find. The pointer must be at least 2 byte aligned. * \return A handle to the pointer, valid until the pointer is removed from the pointer list. If the * pointer is not contained in the pointer list, NULL is returned. */ HANDLE PhFindItemPointerList( _In_ PPH_POINTER_LIST PointerList, _In_ PVOID Pointer ) { ULONG i; assert(PH_IS_LIST_POINTER_VALID(Pointer)); for (i = 0; i < PointerList->NextEntry; i++) { if (PointerList->Items[i] == Pointer) return PhpPointerListIndexToHandle(i); } return NULL; } /** * Removes a pointer from a pointer list. * * \param PointerList A pointer list object. * \param PointerHandle A handle to the pointer to remove. * \remarks No checking is performed on the pointer handle. Make sure the handle is valid before * calling the function. */ VOID PhRemoveItemPointerList( _Inout_ PPH_POINTER_LIST PointerList, _In_ HANDLE PointerHandle ) { ULONG index; assert(PointerHandle); index = PhpPointerListHandleToIndex(PointerHandle); PointerList->Items[index] = PhpEncodePointerListIndex(PointerList->FreeEntry); PointerList->FreeEntry = index; PointerList->Count--; } FORCEINLINE ULONG PhpValidateHash( _In_ ULONG Hash ) { // No point in using a full hash when we're going to AND with size minus one anyway. #if defined(PH_HASHTABLE_FULL_HASH) && !defined(PH_HASHTABLE_POWER_OF_TWO_SIZE) if (Hash != ULONG_MAX) return Hash; else return 0; #else return Hash & MAXLONG; #endif } FORCEINLINE ULONG PhpIndexFromHash( _In_ PPH_HASHTABLE Hashtable, _In_ ULONG Hash ) { #ifdef PH_HASHTABLE_POWER_OF_TWO_SIZE return Hash & (Hashtable->AllocatedBuckets - 1); #else return Hash % Hashtable->AllocatedBuckets; #endif } FORCEINLINE ULONG PhpGetNumberOfBuckets( _In_ ULONG Capacity ) { #ifdef PH_HASHTABLE_POWER_OF_TWO_SIZE return PhRoundUpToPowerOfTwo(Capacity); #else return PhGetPrimeNumber(Capacity); #endif } /** * Creates a hashtable object. * * \param EntrySize The size of each hashtable entry, in bytes. * \param EqualFunction A comparison function that is executed to compare two hashtable entries. * \param HashFunction A hash function that is executed to generate a hash code for a hashtable entry. * \param InitialCapacity The number of entries to allocate storage for initially. */ PPH_HASHTABLE PhCreateHashtable( _In_ ULONG EntrySize, _In_ PPH_HASHTABLE_EQUAL_FUNCTION EqualFunction, _In_ PPH_HASHTABLE_HASH_FUNCTION HashFunction, _In_ ULONG InitialCapacity ) { PPH_HASHTABLE hashtable; hashtable = PhCreateObject(sizeof(PH_HASHTABLE), PhHashtableType); // Initial capacity of 0 is not allowed. if (InitialCapacity == 0) InitialCapacity = 1; hashtable->EntrySize = EntrySize; hashtable->EqualFunction = EqualFunction; hashtable->HashFunction = HashFunction; // Allocate the buckets. hashtable->AllocatedBuckets = PhpGetNumberOfBuckets(InitialCapacity); hashtable->Buckets = PhAllocate(sizeof(ULONG) * hashtable->AllocatedBuckets); // Set all bucket values to -1. memset(hashtable->Buckets, 0xff, sizeof(ULONG) * hashtable->AllocatedBuckets); // Allocate the entries. hashtable->AllocatedEntries = hashtable->AllocatedBuckets; hashtable->Entries = PhAllocate(PH_HASHTABLE_ENTRY_SIZE(EntrySize) * hashtable->AllocatedEntries); hashtable->Count = 0; hashtable->FreeEntry = ULONG_MAX; hashtable->NextEntry = 0; return hashtable; } _Use_decl_annotations_ VOID PhpHashtableDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_HASHTABLE hashtable = (PPH_HASHTABLE)Object; PhFree(hashtable->Buckets); PhFree(hashtable->Entries); } VOID PhpResizeHashtable( _Inout_ PPH_HASHTABLE Hashtable, _In_ ULONG NewCapacity ) { PPH_HASHTABLE_ENTRY entry; ULONG i; // Re-allocate the buckets. Note that we don't need to keep the contents. Hashtable->AllocatedBuckets = PhpGetNumberOfBuckets(NewCapacity); PhFree(Hashtable->Buckets); Hashtable->Buckets = PhAllocate(sizeof(ULONG) * Hashtable->AllocatedBuckets); // Set all bucket values to -1. memset(Hashtable->Buckets, 0xff, sizeof(ULONG) * Hashtable->AllocatedBuckets); // Re-allocate the entries. Hashtable->AllocatedEntries = Hashtable->AllocatedBuckets; Hashtable->Entries = PhReAllocate( Hashtable->Entries, PH_HASHTABLE_ENTRY_SIZE(Hashtable->EntrySize) * Hashtable->AllocatedEntries ); // Re-distribute the entries among the buckets. // PH_HASHTABLE_GET_ENTRY is quite slow (it involves a multiply), so we use a pointer here. entry = Hashtable->Entries; for (i = 0; i < Hashtable->NextEntry; i++) { if (entry->HashCode != ULONG_MAX) { ULONG index = PhpIndexFromHash(Hashtable, entry->HashCode); entry->Next = Hashtable->Buckets[index]; Hashtable->Buckets[index] = i; } entry = PTR_ADD_OFFSET(entry, PH_HASHTABLE_ENTRY_SIZE(Hashtable->EntrySize)); } } FORCEINLINE PVOID PhpAddEntryHashtable( _Inout_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry, _In_ BOOLEAN CheckForDuplicate, _Out_opt_ PBOOLEAN Added ) { ULONG hashCode; // hash code of the new entry ULONG index; // bucket index of the new entry ULONG freeEntry; // index of new entry in entry array PPH_HASHTABLE_ENTRY entry; // pointer to new entry in entry array hashCode = PhpValidateHash(Hashtable->HashFunction(Entry)); index = PhpIndexFromHash(Hashtable, hashCode); if (CheckForDuplicate) { ULONG i; for (i = Hashtable->Buckets[index]; i != ULONG_MAX; i = entry->Next) { entry = PH_HASHTABLE_GET_ENTRY(Hashtable, i); if (entry->HashCode == hashCode && Hashtable->EqualFunction(&entry->Body, Entry)) { if (Added) *Added = FALSE; return &entry->Body; } } } // Use a free entry if possible. if (Hashtable->FreeEntry != ULONG_MAX) { freeEntry = Hashtable->FreeEntry; entry = PH_HASHTABLE_GET_ENTRY(Hashtable, freeEntry); Hashtable->FreeEntry = entry->Next; } else { // Use the next entry in the entry array. if (Hashtable->NextEntry == Hashtable->AllocatedEntries) { // Resize the hashtable. PhpResizeHashtable(Hashtable, Hashtable->AllocatedBuckets * 2); index = PhpIndexFromHash(Hashtable, hashCode); } freeEntry = Hashtable->NextEntry++; entry = PH_HASHTABLE_GET_ENTRY(Hashtable, freeEntry); } // Initialize the entry. entry->HashCode = hashCode; entry->Next = Hashtable->Buckets[index]; Hashtable->Buckets[index] = freeEntry; // Copy the user-supplied data to the entry. memcpy(&entry->Body, Entry, Hashtable->EntrySize); Hashtable->Count++; if (Added) *Added = TRUE; return &entry->Body; } /** * Adds an entry to a hashtable. * * \param Hashtable A hashtable object. * \param Entry The entry to add. * \return A pointer to the entry as stored in the hashtable. This pointer is valid until the * hashtable is modified. If the hashtable already contained an equal entry, NULL is returned. * \remarks Entries are only guaranteed to be 8 byte aligned, even on 64-bit systems. */ PVOID PhAddEntryHashtable( _Inout_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry ) { PVOID entry; BOOLEAN added; entry = PhpAddEntryHashtable(Hashtable, Entry, TRUE, &added); if (added) return entry; else return NULL; } /** * Adds an entry to a hashtable or returns an existing one. * * \param Hashtable A hashtable object. * \param Entry The entry to add. * \param Added A variable which receives TRUE if a new entry was created, and FALSE if an existing * entry was returned. * \return A pointer to the entry as stored in the hashtable. This pointer is valid until the * hashtable is modified. If the hashtable already contained an equal entry, the existing entry is * returned. Check the value of \a Added to determine whether the returned entry is new or existing. * \remarks Entries are only guaranteed to be 8 byte aligned, even on 64-bit systems. */ PVOID PhAddEntryHashtableEx( _Inout_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry, _Out_opt_ PBOOLEAN Added ) { return PhpAddEntryHashtable(Hashtable, Entry, TRUE, Added); } /** * Clears a hashtable. * * \param Hashtable A hashtable object. */ VOID PhClearHashtable( _Inout_ PPH_HASHTABLE Hashtable ) { if (Hashtable->Count > 0) { memset(Hashtable->Buckets, 0xff, sizeof(ULONG) * Hashtable->AllocatedBuckets); Hashtable->Count = 0; Hashtable->FreeEntry = ULONG_MAX; Hashtable->NextEntry = 0; } } /** * Enumerates the entries in a hashtable. * * \param Hashtable A hashtable object. * \param Entry A variable which receives a pointer to the hashtable entry. The pointer is valid * until the hashtable is modified. * \param EnumerationKey A variable which is initialized to 0 before first calling this function. * \return TRUE if an entry pointer was stored in \a Entry, FALSE if there are no more entries. * \remarks Do not modify the hashtable while the hashtable is being enumerated (between calls to * this function). Otherwise, the function may behave unexpectedly. You may reset the * \a EnumerationKey variable to 0 if you wish to restart the enumeration. */ _Use_decl_annotations_ BOOLEAN PhEnumHashtable( _In_ PPH_HASHTABLE Hashtable, _Out_ PVOID *Entry, _Inout_ PULONG EnumerationKey ) { while (*EnumerationKey < Hashtable->NextEntry) { PPH_HASHTABLE_ENTRY entry = PH_HASHTABLE_GET_ENTRY(Hashtable, *EnumerationKey); (*EnumerationKey)++; if (entry->HashCode != ULONG_MAX) { *Entry = &entry->Body; return TRUE; } } return FALSE; } /** * Locates an entry in a hashtable. * * \param Hashtable A hashtable object. * \param Entry An entry representing the entry to find. * \return A pointer to the entry as stored in the hashtable. This pointer is valid until the * hashtable is modified. If the entry could not be found, NULL is returned. * \remarks The entry specified in \a Entry can be a partial entry that is filled in enough so that * the comparison and hash functions can work with them. */ PVOID PhFindEntryHashtable( _In_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry ) { ULONG hashCode; ULONG index; ULONG i; PPH_HASHTABLE_ENTRY entry; hashCode = PhpValidateHash(Hashtable->HashFunction(Entry)); index = PhpIndexFromHash(Hashtable, hashCode); for (i = Hashtable->Buckets[index]; i != ULONG_MAX; i = entry->Next) { entry = PH_HASHTABLE_GET_ENTRY(Hashtable, i); if (entry->HashCode == hashCode && Hashtable->EqualFunction(&entry->Body, Entry)) { return &entry->Body; } } return NULL; } /** * Removes an entry from a hashtable. * * \param Hashtable A hashtable object. * \param Entry The entry to remove. * \return TRUE if the entry was removed, FALSE if the entry could not be found. * \remarks The entry specified in \a Entry can be an actual entry pointer returned by * PhFindEntryHashtable, or a partial entry. */ BOOLEAN PhRemoveEntryHashtable( _Inout_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry ) { ULONG hashCode; ULONG index; ULONG i; ULONG previousIndex; PPH_HASHTABLE_ENTRY entry; hashCode = PhpValidateHash(Hashtable->HashFunction(Entry)); index = PhpIndexFromHash(Hashtable, hashCode); previousIndex = ULONG_MAX; for (i = Hashtable->Buckets[index]; i != ULONG_MAX; i = entry->Next) { entry = PH_HASHTABLE_GET_ENTRY(Hashtable, i); if (entry->HashCode == hashCode && Hashtable->EqualFunction(&entry->Body, Entry)) { // Unlink the entry from the bucket. if (previousIndex == ULONG_MAX) { Hashtable->Buckets[index] = entry->Next; } else { PH_HASHTABLE_GET_ENTRY(Hashtable, previousIndex)->Next = entry->Next; } entry->HashCode = ULONG_MAX; // indicates the entry is not being used entry->Next = Hashtable->FreeEntry; Hashtable->FreeEntry = i; Hashtable->Count--; return TRUE; } previousIndex = i; } return FALSE; } /** * Generates a hash code for a sequence of bytes. * * \param Bytes A pointer to a byte array. * \param Length The number of bytes to hash. */ ULONG PhHashBytes( _In_reads_(Length) PUCHAR Bytes, _In_ SIZE_T Length ) { ULONG hash = 0; if (Length == 0) return hash; // FNV-1a algorithm: http://www.isthe.com/chongo/src/fnv/hash_32a.c while (Length-- != 0) { hash ^= *Bytes++; hash *= 0x01000193; } return hash; } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpSimpleHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_KEY_VALUE_PAIR entry1 = Entry1; PPH_KEY_VALUE_PAIR entry2 = Entry2; return entry1->Key == entry2->Key; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpSimpleHashtableHashFunction( _In_ PVOID Entry ) { PPH_KEY_VALUE_PAIR entry = Entry; return PhHashIntPtr((ULONG_PTR)entry->Key); } /** * Creates a simple hash table with the specified initial capacity. * * \param InitialCapacity The initial number of buckets to allocate for the hash table. * \return A pointer to the newly created hash table (PPH_HASHTABLE), or NULL if allocation fails. */ PPH_HASHTABLE PhCreateSimpleHashtable( _In_ ULONG InitialCapacity ) { return PhCreateHashtable( sizeof(PH_KEY_VALUE_PAIR), PhpSimpleHashtableEqualFunction, PhpSimpleHashtableHashFunction, InitialCapacity ); } /** * Adds an item to a simple hashtable. * * \param SimpleHashtable Pointer to the hashtable to which the item will be added. * \param Key Optional pointer to the key for the item. * \param Value Optional pointer to the value to associate with the key. * \return Returns a pointer to the added item, or NULL if the operation fails. */ PVOID PhAddItemSimpleHashtable( _Inout_ PPH_HASHTABLE SimpleHashtable, _In_opt_ PVOID Key, _In_opt_ PVOID Value ) { PH_KEY_VALUE_PAIR entry; entry.Key = Key; entry.Value = Value; if (PhAddEntryHashtable(SimpleHashtable, &entry)) return Value; else return NULL; } /** * Finds an item in a simple hashtable by its key. * * \param SimpleHashtable A pointer to the hashtable to search. * \param Key An optional pointer to the key to search for. If NULL, the function may behave differently depending on implementation. * \return A pointer to the found item, or NULL if the key is not present in the hashtable. */ PVOID *PhFindItemSimpleHashtable( _In_ PPH_HASHTABLE SimpleHashtable, _In_opt_ PVOID Key ) { PH_KEY_VALUE_PAIR lookupEntry; PPH_KEY_VALUE_PAIR entry; lookupEntry.Key = Key; entry = PhFindEntryHashtable(SimpleHashtable, &lookupEntry); if (entry) return &entry->Value; else return NULL; } /** * Removes an item from a simple hashtable. * * \param SimpleHashtable Pointer to the hashtable from which the item will be removed. * \param Key Optional pointer to the key of the item to remove. If NULL, no item is removed. * \return TRUE if the item was successfully removed; FALSE otherwise. */ BOOLEAN PhRemoveItemSimpleHashtable( _Inout_ PPH_HASHTABLE SimpleHashtable, _In_opt_ PVOID Key ) { PH_KEY_VALUE_PAIR lookupEntry; lookupEntry.Key = Key; return PhRemoveEntryHashtable(SimpleHashtable, &lookupEntry); } /** * Initializes a free list object. * * \param FreeList A pointer to the free list object. * \param Size The number of bytes in each allocation. * \param MaximumCount The number of unused allocations to store. */ VOID PhInitializeFreeList( _Out_ PPH_FREE_LIST FreeList, _In_ SIZE_T Size, _In_ ULONG MaximumCount ) { PhInitializeSListHead(&FreeList->ListHead); FreeList->Count = 0; FreeList->MaximumCount = MaximumCount; FreeList->Size = Size; } /** * Frees resources used by a free list object. * * \param FreeList A pointer to the free list object. */ VOID PhDeleteFreeList( _Inout_ PPH_FREE_LIST FreeList ) { PPH_FREE_LIST_ENTRY entry; PSLIST_ENTRY listEntry; listEntry = RtlInterlockedFlushSList(&FreeList->ListHead); while (listEntry) { entry = CONTAINING_RECORD(listEntry, PH_FREE_LIST_ENTRY, ListEntry); listEntry = listEntry->Next; PhFree(entry); } } /** * Allocates a block of memory from a free list. * * \param FreeList A pointer to a free list object. * * \return A pointer to the allocated block of memory. The memory must be freed using * PhFreeToFreeList(). The block is guaranteed to be aligned at MEMORY_ALLOCATION_ALIGNMENT bytes. */ PVOID PhAllocateFromFreeList( _Inout_ PPH_FREE_LIST FreeList ) { PPH_FREE_LIST_ENTRY entry; PSLIST_ENTRY listEntry; listEntry = RtlInterlockedPopEntrySList(&FreeList->ListHead); if (listEntry) { _InterlockedDecrement((PLONG)&FreeList->Count); entry = CONTAINING_RECORD(listEntry, PH_FREE_LIST_ENTRY, ListEntry); } else { entry = PhAllocate(UFIELD_OFFSET(PH_FREE_LIST_ENTRY, Body) + FreeList->Size); } return &entry->Body; } /** * Frees a block of memory to a free list. * * \param FreeList A pointer to a free list object. * \param Memory A pointer to a block of memory. */ VOID PhFreeToFreeList( _Inout_ PPH_FREE_LIST FreeList, _In_ _Post_invalid_ PVOID Memory ) { PPH_FREE_LIST_ENTRY entry; entry = CONTAINING_RECORD(Memory, PH_FREE_LIST_ENTRY, Body); // We don't enforce Count <= MaximumCount (that would require locking), // but we do check it. if (FreeList->Count < FreeList->MaximumCount) { RtlInterlockedPushEntrySList(&FreeList->ListHead, &entry->ListEntry); _InterlockedIncrement((PLONG)&FreeList->Count); } else { PhFree(entry); } } /** * Initializes a callback object. * * \param Callback A pointer to a callback object. */ VOID PhInitializeCallback( _Out_ PPH_CALLBACK Callback ) { InitializeListHead(&Callback->ListHead); PhInitializeQueuedLock(&Callback->ListLock); PhInitializeCondition(&Callback->BusyCondition); } /** * Frees resources used by a callback object. * * \param Callback A pointer to a callback object. */ VOID PhDeleteCallback( _Inout_ PPH_CALLBACK Callback ) { PhAcquireQueuedLockExclusive(&Callback->ListLock); // Assert that all callbacks have been unregistered assert(IsListEmpty(&Callback->ListHead)); PhReleaseQueuedLockExclusive(&Callback->ListLock); } /** * Registers a callback function to be notified. * * \param Callback A pointer to a callback object. * \param Function The callback function. * \param Context A user-defined value to pass to the callback function. * \param Registration A variable which receives registration information for the callback. Do not * modify the contents of this structure and do not free the storage for this structure until you * have unregistered the callback. */ VOID PhRegisterCallback( _Inout_ PPH_CALLBACK Callback, _In_ PPH_CALLBACK_FUNCTION Function, _In_opt_ PVOID Context, _Out_ PPH_CALLBACK_REGISTRATION Registration ) { PhRegisterCallbackEx( Callback, Function, Context, 0, Registration ); } /** * Registers a callback function to be notified. * * \param Callback A pointer to a callback object. * \param Function The callback function. * \param Context A user-defined value to pass to the callback function. * \param Flags A combination of flags controlling the callback. Set this parameter to 0. * \param Registration A variable which receives registration information for the callback. Do not * modify the contents of this structure and do not free the storage for this structure until you * have unregistered the callback. */ VOID PhRegisterCallbackEx( _Inout_ PPH_CALLBACK Callback, _In_ PPH_CALLBACK_FUNCTION Function, _In_opt_ PVOID Context, _In_ USHORT Flags, _Out_ PPH_CALLBACK_REGISTRATION Registration ) { Registration->Function = Function; Registration->Context = Context; Registration->Busy = 0; Registration->Unregistering = FALSE; Registration->Flags = Flags; PhAcquireQueuedLockExclusive(&Callback->ListLock); InsertTailList(&Callback->ListHead, &Registration->ListEntry); PhReleaseQueuedLockExclusive(&Callback->ListLock); } /** * Unregisters a callback function. * * \param Callback A pointer to a callback object. * \param Registration The structure returned by PhRegisterCallback(). * * \remarks It is guaranteed that the callback function will not be in execution once this function * returns. Attempting to unregister a callback function from within the same function will result * in a deadlock. */ VOID PhUnregisterCallback( _Inout_ PPH_CALLBACK Callback, _Inout_ PPH_CALLBACK_REGISTRATION Registration ) { Registration->Unregistering = TRUE; PhAcquireQueuedLockExclusive(&Callback->ListLock); // Wait for the callback to be unbusy. while (Registration->Busy) PhWaitForCondition(&Callback->BusyCondition, &Callback->ListLock, NULL); RemoveEntryList(&Registration->ListEntry); PhReleaseQueuedLockExclusive(&Callback->ListLock); } /** * Notifies all registered callback functions. * * \param Callback A pointer to a callback object. * \param Parameter A value to pass to all callback functions. */ VOID PhInvokeCallback( _In_ PPH_CALLBACK Callback, _In_opt_ PVOID Parameter ) { PLIST_ENTRY listEntry; PhTraceFuncEnter("Invoke callback %p", Callback); PhAcquireQueuedLockShared(&Callback->ListLock); for (listEntry = Callback->ListHead.Flink; listEntry != &Callback->ListHead; listEntry = listEntry->Flink) { PPH_CALLBACK_REGISTRATION registration; LONG busy; registration = CONTAINING_RECORD(listEntry, PH_CALLBACK_REGISTRATION, ListEntry); // Don't bother executing the callback function if it is being unregistered. if (registration->Unregistering) continue; _InterlockedIncrement(®istration->Busy); // Execute the callback function. PhReleaseQueuedLockShared(&Callback->ListLock); registration->Function( Parameter, registration->Context ); PhAcquireQueuedLockShared(&Callback->ListLock); busy = _InterlockedDecrement(®istration->Busy); if (registration->Unregistering && busy == 0) { // Someone started unregistering while the callback function was executing, and we must // wake them. PhPulseAllCondition(&Callback->BusyCondition); } } PhReleaseQueuedLockShared(&Callback->ListLock); PhTraceFuncExit("Invoke callback %p", Callback); } /** * Retrieves a prime number bigger than or equal to the specified number. */ ULONG PhGetPrimeNumber( _In_ ULONG Minimum ) { ULONG i, j; for (i = 0; i < sizeof(PhpPrimeNumbers) / sizeof(ULONG); i++) { if (PhpPrimeNumbers[i] >= Minimum) return PhpPrimeNumbers[i]; } for (i = Minimum | 1; i < MAXLONG; i += 2) { ULONG sqrtI = (ULONG)sqrt(i); for (j = 3; j <= sqrtI; j += 2) { if (i % j == 0) { // Not a prime. goto NextPrime; } } // Success. return i; NextPrime: NOTHING; } return Minimum; } /** * Rounds up a number to the next power of two. */ ULONG PhRoundUpToPowerOfTwo( _In_ ULONG Number ) { Number--; Number |= Number >> 1; Number |= Number >> 2; Number |= Number >> 4; Number |= Number >> 8; Number |= Number >> 16; Number++; return Number; } /** * Performs exponentiation. */ ULONG PhExponentiate( _In_ ULONG Base, _In_ ULONG Exponent ) { ULONG result = 1; while (Exponent) { if (Exponent & 1) result *= Base; Exponent >>= 1; Base *= Base; } return result; } /** * Performs 64-bit exponentiation. */ ULONG64 PhExponentiate64( _In_ ULONG64 Base, _In_ ULONG Exponent ) { ULONG64 result = 1; while (Exponent) { if (Exponent & 1) result *= Base; Exponent >>= 1; Base *= Base; } return result; } /** * Formats a time span, specified in ticks, into a human-readable string. * * \param Destination A pointer to a buffer that receives the formatted time span string. * \param Ticks The time span to format, in ticks. * \param Mode Optional formatting mode. If specified, determines the output format. */ VOID PhPrintTimeSpan( _Out_writes_(PH_TIMESPAN_STR_LEN_1) PWSTR Destination, _In_ ULONG64 Ticks, _In_opt_ ULONG Mode ) { PhPrintTimeSpanToBuffer( Ticks, Mode, Destination, PH_TIMESPAN_STR_LEN_1 * sizeof(WCHAR), NULL ); } /** * Converts a time span specified in ticks to a human-readable string and writes it to the provided buffer. * * \param Ticks The time span to print, in ticks (typically 100-nanosecond intervals). * \param Mode mode specifying the formatting style. Can be NULL for default formatting. * \param Buffer Pointer to the buffer that receives the formatted time span string. * \param BufferLength Size of the buffer, in bytes. * \param ReturnLength Optional pointer that receives the number of characters written to the buffer (excluding the null terminator). * \return TRUE if the time span was successfully formatted and written to the buffer; FALSE otherwise. */ BOOLEAN PhPrintTimeSpanToBuffer( _In_ ULONG64 Ticks, _In_opt_ ULONG Mode, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { switch (Mode) { case PH_TIMESPAN_HMSM: { PH_FORMAT format[7]; // %02I64u:%02I64u:%02I64u.%03I64u PhInitFormatI64UWithWidth(&format[0], PH_TICKS_PARTIAL_HOURS(Ticks), 2); PhInitFormatC(&format[1], L':'); PhInitFormatI64UWithWidth(&format[2], PH_TICKS_PARTIAL_MIN(Ticks), 2); PhInitFormatC(&format[3], L':'); PhInitFormatI64UWithWidth(&format[4], PH_TICKS_PARTIAL_SEC(Ticks), 2); PhInitFormatC(&format[5], L'.'); PhInitFormatI64UWithWidth(&format[6], PH_TICKS_PARTIAL_MS(Ticks), 3); return PhFormatToBuffer(format, RTL_NUMBER_OF(format), Buffer, BufferLength, ReturnLength); } break; case PH_TIMESPAN_DHMS: { PH_FORMAT format[7]; // %llu:%02I64u:%02I64u:%02I64u PhInitFormatI64U(&format[0], PH_TICKS_PARTIAL_DAYS(Ticks)); PhInitFormatC(&format[1], L':'); PhInitFormatI64UWithWidth(&format[2], PH_TICKS_PARTIAL_HOURS(Ticks), 2); PhInitFormatC(&format[3], L':'); PhInitFormatI64UWithWidth(&format[4], PH_TICKS_PARTIAL_MIN(Ticks), 2); PhInitFormatC(&format[5], L':'); PhInitFormatI64UWithWidth(&format[6], PH_TICKS_PARTIAL_SEC(Ticks), 2); return PhFormatToBuffer(format, RTL_NUMBER_OF(format), Buffer, BufferLength, ReturnLength); } break; case PH_TIMESPAN_DHMSM: { PH_FORMAT format[9]; // %llu:%02I64u:%02I64u:%02I64u PhInitFormatI64U(&format[0], PH_TICKS_PARTIAL_DAYS(Ticks)); PhInitFormatC(&format[1], L':'); PhInitFormatI64UWithWidth(&format[2], PH_TICKS_PARTIAL_HOURS(Ticks), 2); PhInitFormatC(&format[3], L':'); PhInitFormatI64UWithWidth(&format[4], PH_TICKS_PARTIAL_MIN(Ticks), 2); PhInitFormatC(&format[5], L':'); PhInitFormatI64UWithWidth(&format[6], PH_TICKS_PARTIAL_SEC(Ticks), 2); PhInitFormatC(&format[7], L':'); PhInitFormatI64UWithWidth(&format[8], PH_TICKS_PARTIAL_MS(Ticks), 3); return PhFormatToBuffer(format, RTL_NUMBER_OF(format), Buffer, BufferLength, ReturnLength); } break; default: { PH_FORMAT format[5]; // %02I64u:%02I64u:%02I64u PhInitFormatI64UWithWidth(&format[0], PH_TICKS_PARTIAL_HOURS(Ticks), 2); PhInitFormatC(&format[1], L':'); PhInitFormatI64UWithWidth(&format[2], PH_TICKS_PARTIAL_MIN(Ticks), 2); PhInitFormatC(&format[3], L'.'); PhInitFormatI64UWithWidth(&format[4], PH_TICKS_PARTIAL_SEC(Ticks), 2); return PhFormatToBuffer(format, RTL_NUMBER_OF(format), Buffer, BufferLength, ReturnLength); } break; } return FALSE; } /** * Calculates the entropy, mean, and variance of a given buffer. * * \param Buffer Pointer to the buffer containing data to analyze. * \param BufferLength Length of the buffer in bytes. * \param Entropy Optional pointer to a FLOAT to receive the calculated entropy. * \param Mean Optional pointer to a FLOAT to receive the calculated mean. * \param Variance Optional pointer to a FLOAT to receive the calculated variance. * \return TRUE if the calculation was successful, FALSE otherwise. */ BOOLEAN PhCalculateEntropy( _In_ PBYTE Buffer, _In_ ULONG64 BufferLength, _Out_opt_ PFLOAT Entropy, _Out_opt_ PFLOAT Mean, _Out_opt_ PFLOAT Variance ) { FLOAT bufferEntropy = 0.f; FLOAT bufferMeanValue = 0.f; FLOAT bufferVarianceValue = 0.f; ULONG64 bufferOffset = 0; ULONG64 bufferSumValue = 0; ULONG64 counts[UCHAR_MAX + 1]; memset(counts, 0, sizeof(counts)); while (bufferOffset < BufferLength) { BYTE value = *(PBYTE)PTR_ADD_OFFSET(Buffer, bufferOffset++); bufferSumValue += value; counts[value]++; } // Calculate entropy for (ULONG i = 0; i < RTL_NUMBER_OF(counts); i++) { FLOAT value = (FLOAT)counts[i] / (FLOAT)BufferLength; if (value > 0.f) bufferEntropy -= value * log2f(value); } bufferMeanValue = (FLOAT)bufferSumValue / (FLOAT)BufferLength; // Calculate variance if (BufferLength > 0) { for (ULONG i = 0; i < RTL_NUMBER_OF(counts); i++) { FLOAT diff = (FLOAT)i - bufferMeanValue; bufferVarianceValue += counts[i] * diff * diff; } bufferVarianceValue /= (FLOAT)BufferLength; } if (Entropy) *Entropy = bufferEntropy; if (Mean) *Mean = bufferMeanValue; if (Variance) *Variance = bufferVarianceValue; return TRUE; } /** * Formats entropy, mean, and variance values into a string representation with specified precision. * * \param Entropy The entropy value to format. * \param EntropyPrecision The number of decimal places for the entropy value. * \param Mean (Optional) The mean value to format. * \param MeanPrecision (Optional) The number of decimal places for the mean value. * \param Variance (Optional) The variance value to format. * \param VariancePrecision (Optional) The number of decimal places for the variance value. * \return A pointer to a PPH_STRING containing the formatted string. */ PPH_STRING PhFormatEntropy( _In_ FLOAT Entropy, _In_ USHORT EntropyPrecision, _In_opt_ FLOAT Mean, _In_opt_ USHORT MeanPrecision, _In_opt_ FLOAT Variance, _In_opt_ USHORT VariancePrecision ) { if (Mean && Variance) { PH_FORMAT format[6]; // %s S (%s X) format[0].Type = SingleFormatType | FormatUsePrecision | FormatCropZeros; format[0].u.Single = Entropy; format[0].Precision = EntropyPrecision; PhInitFormatS(&format[1], L" S ("); format[2].Type = SingleFormatType | FormatUsePrecision | FormatCropZeros; format[2].u.Single = Mean; format[2].Precision = MeanPrecision; PhInitFormatS(&format[3], L" M) ("); format[4].Type = SingleFormatType | FormatUsePrecision | FormatCropZeros; format[4].u.Single = Variance; format[4].Precision = VariancePrecision; PhInitFormatS(&format[5], L" X)"); return PhFormat(format, ARRAYSIZE(format), 0); } else if (Variance) { PH_FORMAT format[4]; // %s S (%s X) format[0].Type = SingleFormatType | FormatUsePrecision | FormatCropZeros; format[0].u.Single = Entropy; format[0].Precision = EntropyPrecision; PhInitFormatS(&format[1], L" S ("); format[2].Type = SingleFormatType | FormatUsePrecision | FormatCropZeros; format[2].u.Single = Variance; format[2].Precision = VariancePrecision; PhInitFormatS(&format[3], L" X)"); return PhFormat(format, ARRAYSIZE(format), 0); } else { PH_FORMAT format; format.Type = SingleFormatType | FormatUsePrecision | FormatCropZeros; format.u.Single = Entropy; format.Precision = EntropyPrecision; return PhFormat(&format, 1, 0); } } /** * Fills a memory block with a ULONG pattern. * * \param Memory The memory block. The block must be 4 byte aligned. * \param Value The ULONG pattern. * \param Count The number of elements. */ VOID PhFillMemoryUlongOriginal( _Inout_updates_(Count) PULONG Memory, _In_ ULONG Value, _In_ SIZE_T Count ) { PH_INT128 pattern; SIZE_T count; if (!PhHasIntrinsics) { if (Count != 0) { do { *Memory++ = Value; } while (--Count != 0); } return; } if ((ULONG_PTR)Memory & 0xf) { switch ((ULONG_PTR)Memory & 0xf) { case 0x4: if (Count >= 1) { *Memory++ = Value; Count--; } __fallthrough; case 0x8: if (Count >= 1) { *Memory++ = Value; Count--; } __fallthrough; case 0xc: if (Count >= 1) { *Memory++ = Value; Count--; } break; } } pattern = PhSetINT128by32(Value); count = Count / 4; if (count != 0) { do { PhStoreINT128((PLONG)Memory, pattern); Memory += 4; } while (--count != 0); } switch (Count & 0x3) { case 0x3: *Memory++ = Value; __fallthrough; case 0x2: *Memory++ = Value; __fallthrough; case 0x1: *Memory++ = Value; break; } } /** * Fills a memory block with a ULONG pattern. * * \param Memory The memory block. The block must be 4 byte aligned. * \param Value The ULONG pattern. * \param Count The number of elements. */ VOID PhFillMemoryUlong( _Inout_updates_(Count) PULONG Memory, _In_ ULONG Value, _In_ SIZE_T Count ) { if (Count == 0) return; #ifndef _ARM64_ if (PhHasAVX && IS_ALIGNED(Memory, 32)) { SIZE_T count = Count & ~0x7; if (count != 0) { PULONG end; __m256i pattern; end = (PULONG)(ULONG_PTR)(Memory + count); pattern = _mm256_set1_epi32(Value); while (Memory != end) { _mm256_store_si256((__m256i*)Memory, pattern); Memory += 8; } _mm256_zeroupper(); Count &= 0x7; } } #endif if (PhHasIntrinsics && IS_ALIGNED(Memory, 16)) { SIZE_T count = Count & ~0x3; if (count != 0) { PULONG end; PH_INT128 pattern; end = (PULONG)(ULONG_PTR)(Memory + count); pattern = PhSetINT128by32(Value); while (Memory != end) { PhStoreINT128((PLONG)Memory, pattern); Memory += 4; } Count &= 0x3; } } while (Count-- != 0) { *Memory++ = Value; } } /** * Divides an array of numbers by a number. * * \param A The destination array, divided by \a B. * \param B The number. * \param Count The number of elements. */ VOID PhDivideSinglesBySingleOriginal( _Inout_updates_(Count) PFLOAT A, _In_ FLOAT B, _In_ SIZE_T Count ) { PFLOAT endA; PH_FLOAT128 b; if (!PhHasIntrinsics) { while (Count--) *A++ /= B; return; } if ((ULONG_PTR)A & 0xf) { switch ((ULONG_PTR)A & 0xf) { case 0x4: if (Count >= 1) { *A++ /= B; Count--; } __fallthrough; case 0x8: if (Count >= 1) { *A++ /= B; Count--; } __fallthrough; case 0xc: if (Count >= 1) { *A++ /= B; Count--; } else { return; // essential; A may not be aligned properly } break; } } endA = (PFLOAT)((ULONG_PTR)(A + Count) & ~0xf); b = PhSetFLOAT128by32(B); while (A != endA) { PH_FLOAT128 a; a = PhLoadFLOAT128(A); a = PhDivideFLOAT128(a, b); PhStoreFLOAT128(A, a); A += 4; } switch (Count & 0x3) { case 0x3: *A++ /= B; __fallthrough; case 0x2: *A++ /= B; __fallthrough; case 0x1: *A++ /= B; break; } } /** * Divides an array of numbers by a number. * * \param A The destination array, divided by \a B. * \param B The number. * \param Count The number of elements. */ VOID PhDivideSinglesBySingle( _Inout_updates_(Count) PFLOAT A, _In_ FLOAT B, _In_ SIZE_T Count ) { if (Count == 0) return; if (B == 1.0f || B == 0.0f) return; // Note: This uses reciprocal multiply since it's faster than per-element divides // and preserves IEEE-754 behavior for +/-0, +/-INF, and NaN (0/0 -> NaN, x/0 -> +/-INF). (dmex) const FLOAT invB = 1.0f / B; #ifndef _ARM64_ if (PhHasAVX && IS_ALIGNED(A, 32)) { SIZE_T count = Count & ~0x7; if (count != 0) { PFLOAT end; __m256 a; __m256 b; end = (PFLOAT)(ULONG_PTR)(A + count); b = _mm256_set1_ps(invB); // _mm256_broadcast_ss(&B); while (A != end) { a = _mm256_load_ps(A); a = _mm256_mul_ps(a, b); // _mm256_div_ps(a, b); _mm256_store_ps(A, a); A += 8; } Count &= 0x7; } } #endif if (PhHasIntrinsics && IS_ALIGNED(A, 16)) { SIZE_T count = Count & ~0x3; if (count != 0) { PFLOAT end; PH_FLOAT128 a; PH_FLOAT128 b; end = A + count; b = PhSetFLOAT128by32(invB); // PhSetFLOAT128by32(B); while (A != end) { a = PhLoadFLOAT128(A); a = PhMultiplyFLOAT128(a, b); // PhDivideFLOAT128(a, b); PhStoreFLOAT128(A, a); A += 4; } Count &= 0x3; } } while (Count--) { *A++ *= invB; } } /** * Adds one array of integers to another. * * \param A The destination array to which the source * array is added. The array must be 16 byte aligned. * \param B The source array. The array must be 16 * byte aligned. * \param Count The number of elements. */ VOID PhAddMemoryUlongOriginal( _Inout_ PULONG A, _In_ PULONG B, _In_ ULONG Count ) { #ifndef _ARM64_ if (PhHasIntrinsics) { while (Count >= 4) { __m128i a; __m128i b; a = _mm_load_si128((__m128i*)A); b = _mm_load_si128((__m128i*)B); a = _mm_add_epi32(a, b); _mm_store_si128((__m128i*)A, a); A += 4; B += 4; Count -= 4; } switch (Count & 0x3) { case 0x3: *A++ += *B++; __fallthrough; case 0x2: *A++ += *B++; __fallthrough; case 0x1: *A++ += *B++; break; } } else #endif { while (Count--) *A++ += *B++; } } /** * Returns the maximum value of an array of floats. * * \param A The array. * \param Count The total number of array elements. * \return The maximum of any single element. */ FLOAT PhMaxMemorySingles( _In_ PFLOAT A, _In_ SIZE_T Count ) { FLOAT maximum = 0.0f; if (Count == 0) return maximum; #ifndef _ARM64_ if (PhHasAVX && IS_ALIGNED(A, 32)) { SIZE_T count = Count & ~0x7; if (count != 0) { PFLOAT end; __m256 a; __m256 c; __m128 hi; __m128 lo; __m128 d; end = (PFLOAT)(ULONG_PTR)(A + count); c = _mm256_setzero_ps(); while (A != end) { a = _mm256_load_ps(A); c = _mm256_max_ps(c, a); A += 8; } c = _mm256_max_ps(c, _mm256_permute_ps(c, _MM_SHUFFLE(2, 3, 0, 1))); // swap neighbors c = _mm256_max_ps(c, _mm256_permute_ps(c, _MM_SHUFFLE(1, 0, 3, 2))); // swap pairs lo = _mm256_castps256_ps128(c); hi = _mm256_extractf128_ps(c, 1); d = _mm_max_ps(lo, hi); d = _mm_max_ps(d, _mm_shuffle_ps(d, d, _MM_SHUFFLE(2, 3, 0, 1))); d = _mm_max_ps(d, _mm_shuffle_ps(d, d, _MM_SHUFFLE(1, 0, 3, 2))); maximum = _mm_cvtss_f32(d); _mm256_zeroupper(); Count &= 0x7; } } #endif if (PhHasIntrinsics && IS_ALIGNED(A, 16)) { SIZE_T count = Count & ~0x3; if (count != 0) { FLOAT value; PFLOAT end; PH_FLOAT128 a; PH_FLOAT128 c; end = (PFLOAT)(ULONG_PTR)(A + count); c = PhZeroFLOAT128(); while (A != end) { a = PhLoadFLOAT128(A); c = PhMaxFLOAT128(c, a); A += 4; } // Compare adjacent pairs (swap elements within pairs) c = PhMaxFLOAT128(c, PhShuffleFLOAT128_2301(c, c)); // Compare results (swap pairs themselves) c = PhMaxFLOAT128(c, PhShuffleFLOAT128_1032(c, c)); PhStoreFLOAT128LowSingle(&value, c); if (maximum < value) maximum = value; Count &= 0x3; } } while (Count--) { FLOAT value = *A++; if (maximum < value) maximum = value; } return maximum; } /** * Adds one array of floats to another and returns the maximum. * * \param A The first array. * \param B The second array. * \param Count The total number of array elements. * \return The maximum of any single element. */ FLOAT PhAddPlusMaxMemorySingles( _Inout_updates_(Count) PFLOAT A, _Inout_updates_(Count) PFLOAT B, _In_ SIZE_T Count ) { FLOAT maximum = 0.0f; if (Count == 0) return maximum; #ifndef _ARM64_ if (PhHasAVX && (IS_ALIGNED(A, 32) && IS_ALIGNED(B, 32))) { SIZE_T count = Count & ~0x7; if (count != 0) { PFLOAT end; __m256 a; __m256 b; __m256 c; __m128 lo; __m128 hi; __m128 d; end = (PFLOAT)(ULONG_PTR)(A + count); c = _mm256_setzero_ps(); while (A != end) { a = _mm256_load_ps(A); b = _mm256_load_ps(B); a = _mm256_add_ps(b, a); c = _mm256_max_ps(c, a); A += 8; B += 8; } c = _mm256_max_ps(c, _mm256_permute_ps(c, _MM_SHUFFLE(2, 3, 0, 1))); c = _mm256_max_ps(c, _mm256_permute_ps(c, _MM_SHUFFLE(1, 0, 3, 2))); lo = _mm256_castps256_ps128(c); hi = _mm256_extractf128_ps(c, 1); d = _mm_max_ps(lo, hi); d = _mm_max_ps(d, _mm_shuffle_ps(d, d, _MM_SHUFFLE(2, 3, 0, 1))); d = _mm_max_ps(d, _mm_shuffle_ps(d, d, _MM_SHUFFLE(1, 0, 3, 2))); maximum = _mm_cvtss_f32(d); _mm256_zeroupper(); Count &= 0x7; } } #endif if (PhHasIntrinsics && (IS_ALIGNED(A, 16) && IS_ALIGNED(B, 16))) { SIZE_T count = Count & ~0x3; if (count != 0) { FLOAT value; PFLOAT end; PH_FLOAT128 a; PH_FLOAT128 b; PH_FLOAT128 c; end = (PFLOAT)(ULONG_PTR)(A + count); c = PhZeroFLOAT128(); while (A != end) { a = PhLoadFLOAT128(A); b = PhLoadFLOAT128(B); a = PhAddFLOAT128(b, a); c = PhMaxFLOAT128(c, a); A += 4; B += 4; } c = PhMaxFLOAT128(c, PhShuffleFLOAT128_2301(c, c)); // swap neighbors c = PhMaxFLOAT128(c, PhShuffleFLOAT128_1032(c, c)); // swap pairs PhStoreFLOAT128LowSingle(&value, c); if (maximum < value) maximum = value; Count &= 0x3; } } while (Count--) { FLOAT value = *A++ + *B++; if (maximum < value) maximum = value; } return maximum; } /** * Converts an array of integers to floats. * * \param From The source integers. * \param To The destination floats. * \param Count The number of elements. */ VOID PhConvertCopyMemoryUlong( _Inout_updates_(Count) PULONG From, _Inout_updates_(Count) PFLOAT To, _In_ SIZE_T Count ) { if (Count == 0) return; #ifndef _ARM64_ if (PhHasAVX && IS_ALIGNED(From, 32) && IS_ALIGNED(To, 32)) { SIZE_T count = Count & ~0x7; if (count != 0) { PULONG end; __m256i a; __m256 b; end = (PULONG)(ULONG_PTR)(From + count); while (From != end) { a = _mm256_load_si256((__m256i const*)From); b = _mm256_cvtf_epu32(a); // _mm256_cvtepi32_ps _mm256_store_ps(To, b); From += 8; To += 8; } _mm256_zeroupper(); Count &= 0x7; } } #endif if (PhHasIntrinsics && IS_ALIGNED(From, 16) && IS_ALIGNED(To, 16)) { SIZE_T count = Count & ~0x3; if (count != 0) { PULONG end; PH_INT128 a; PH_FLOAT128 b; end = (PULONG)(ULONG_PTR)(From + count); while (From != end) { a = PhLoadINT128(From); // _mm_loadl_epi64 b = PhConvertUINT128ToFLOAT128(a); // _mm_cvtepi32_ps // _mm_cvtepu32_ps PhStoreFLOAT128(To, b); From += 4; To += 4; } Count &= 0x3; } } while (Count--) { *To++ = (FLOAT)*From++; } } /** * Converts an array of 64-bit unsigned integers to floats. * * \param From The source 64-bit integers. * \param To The destination floats. * \param Count The number of elements. */ VOID PhConvertCopyMemoryUlong64( _Inout_updates_(Count) PULONG64 From, _Inout_updates_(Count) PFLOAT To, _In_ SIZE_T Count ) { if (Count == 0) return; #ifndef _ARM64_ #if defined(PH_NATIVE_AVX512) if (PhHasAVX512) { SIZE_T count = Count & ~0xF; if (count) { PULONG64 end = From + count; // Convert 16 × uint64 → 16 × float in single iteration while (From != end) { // Load 16 × uint64 (2 × 512-bit loads = 128 bytes) __m512i v0 = _mm512_load_si512((__m512i const*)From); // 8 × uint64 __m512i v1 = _mm512_load_si512((__m512i const*)(From + 8)); // 8 × uint64 // Direct uint64 → double conversion (AVX-512 DQ) __m512d d0 = _mm512_cvtepu64_pd(v0); // 8 × double __m512d d1 = _mm512_cvtepu64_pd(v1); // 8 × double // Double → float conversion with rounding __m256 f0 = _mm512_cvtpd_ps(d0); // 8 × float __m256 f1 = _mm512_cvtpd_ps(d1); // 8 × float // Combine into single 512-bit register __m512 result = _mm512_insertf32x8(_mm512_castps256_ps512(f0), f1, 1); // Store 16 floats _mm512_storeu_ps(To, result); From += 16; To += 16; } Count &= 0xF; } } #endif if (PhHasAVX && IS_ALIGNED(From, 32) && IS_ALIGNED(To, 32)) { SIZE_T count = Count & ~0x7; if (count) { PULONG64 end = From + count; // Constant for reconstructing float from high/low 32-bit parts. const __m256 ps2p32 = _mm256_set1_ps(4294967296.0f); // 2^32 // Mask to de-interleave low and high 32-bit words from 64-bit lanes. const __m256i deinterleave_mask = _mm256_setr_epi32(0, 2, 4, 6, 1, 3, 5, 7); while (From != end) { // Load 8 uint64_t values into two 256-bit registers. __m256i v0 = _mm256_load_si256((__m256i const*)From); // u0, u1, u2, u3 __m256i v1 = _mm256_load_si256((__m256i const*)(From + 4)); // u4, u5, u6, u7 // Within each register, shuffle to group low 32-bit parts and high 32-bit parts. // shuf0 becomes [u0_lo, u1_lo, u2_lo, u3_lo, u0_hi, u1_hi, u2_hi, u3_hi] __m256i shuf0 = _mm256_permutevar8x32_epi32(v0, deinterleave_mask); // shuf1 becomes [u4_lo, u5_lo, u6_lo, u7_lo, u4_hi, u5_hi, u6_hi, u7_hi] __m256i shuf1 = _mm256_permutevar8x32_epi32(v1, deinterleave_mask); // Combine the parts from both registers to get two vectors: // one with all 8 low parts, and one with all 8 high parts. __m256i all_los = _mm256_permute2x128_si256(shuf0, shuf1, 0x20); // combines low(shuf0), low(shuf1) __m256i all_his = _mm256_permute2x128_si256(shuf0, shuf1, 0x31); // combines high(shuf0), high(shuf1) // Convert the two vectors of 8 unsigned 32-bit integers to floats // using the helper from phintrin.h. __m256 los_ps = _mm256_cvtf_epu32(all_los); __m256 his_ps = _mm256_cvtf_epu32(all_his); // Reconstruct the float representation of the original uint64_t values. // float(u64) approx= float(low32) + float(high32) * 2^32 // FMA (fused multiply-add) is used for better performance. __m256 val = _mm256_fmadd_ps(his_ps, ps2p32, los_ps); // Store the 8 resulting floats. _mm256_storeu_ps(To, val); From += 8; To += 8; } _mm256_zeroupper(); Count &= 0x7; } } //#ifndef _ARM64_ // if(PhHasAVX) // { // SIZE_T count = Count & ~0x3; // // if (count) // { // PULONG64 end = From + count; // const __m256i MaskLo32_64 = _mm256_set1_epi64x(0xFFFFFFFFULL); // for AND on 64-bit lanes // const __m256i PackIdx = _mm256_setr_epi32(0, 2, 4, 6, 0, 0, 0, 0); // take elements 0,2,4,6 into lower 128 // const __m128 Ps2p31 = _mm_set1_ps(2147483648.0f); // 2^31 // const __m128 Ps2p32 = _mm_set1_ps(4294967296.0f); // 2^32 (exact power of two) // const __m128i Mask7fffffff = _mm_set1_epi32(0x7FFFFFFF); // // while (From != end) // { // // Load 4x uint64_t (256 bits) // __m256i v = _mm256_loadu_si256((__m256i const*)From); // // // Split each 64-bit lane into its low/high 32-bit halves (still in 64-bit lanes) // __m256i lo32_64 = _mm256_and_si256(v, MaskLo32_64); // [u0_lo,0, u1_lo,0, u2_lo,0, u3_lo,0] // __m256i hi32_64 = _mm256_srli_epi64(v, 32); // [u0_hi,0, u1_hi,0, u2_hi,0, u3_hi,0] // // // Pack 32-bit elements (indices 0,2,4,6) into lower 128 as contiguous 4x int32 // __m256i loPacked = _mm256_permutevar8x32_epi32(lo32_64, PackIdx); // __m256i hiPacked = _mm256_permutevar8x32_epi32(hi32_64, PackIdx); // // __m128i lo128 = _mm256_castsi256_si128(loPacked); // [u0_lo, u1_lo, u2_lo, u3_lo] // __m128i hi128 = _mm256_castsi256_si128(hiPacked); // [u0_hi, u1_hi, u2_hi, u3_hi] // // // Convert unsigned 32 -> float: // // f = float(x & 0x7fffffff) + float(x >> 31) * 2^31 // __m128i loCarryI = _mm_srli_epi32(lo128, 31); // __m128 loPs = _mm_cvtepi32_ps(_mm_and_si128(lo128, Mask7fffffff)); // loPs = _mm_add_ps(loPs, _mm_mul_ps(_mm_cvtepi32_ps(loCarryI), Ps2p31)); // // __m128i hiCarryI = _mm_srli_epi32(hi128, 31); // __m128 hiPs = _mm_cvtepi32_ps(_mm_and_si128(hi128, Mask7fffffff)); // hiPs = _mm_add_ps(hiPs, _mm_mul_ps(_mm_cvtepi32_ps(hiCarryI), Ps2p31)); // // // Reconstruct: float(u64) = float(low32) + float(high32) * 2^32 // // (Use FMA if you dispatch it) // __m128 val = _mm_add_ps(loPs, _mm_mul_ps(hiPs, Ps2p32)); // // _mm_storeu_ps(To, val); // store exactly 4 floats // // From += 4; // To += 4; // } // // Count &= 0x3; // } // } //#endif if (PhHasIntrinsics && IS_ALIGNED(From, 16) && IS_ALIGNED(To, 16)) { SIZE_T count = Count & ~0x3; // Process 4 at a time if (count) { PULONG64 end = From + count; const __m128d scale = _mm_set1_pd(4294967296.0); while (From != end) { // Load 4 × uint64 as 2 × __m128i __m128i v0 = _mm_load_si128((__m128i const*)From); // 2 × uint64 __m128i v1 = _mm_load_si128((__m128i const*)(From + 2)); // 2 × uint64 // Split low/high 32-bit __m128i mask = _mm_set1_epi64x(0xFFFFFFFFULL); __m128i v0_lo = _mm_and_si128(v0, mask); __m128i v0_hi = _mm_srli_epi64(v0, 32); __m128i v1_lo = _mm_and_si128(v1, mask); __m128i v1_hi = _mm_srli_epi64(v1, 32); // Convert uint32 → double (exact) __m128d d0_lo = _mm_cvtepi32_pd(_mm_shuffle_epi32(v0_lo, 0x08)); __m128d d0_hi = _mm_cvtepi32_pd(_mm_shuffle_epi32(v0_hi, 0x08)); __m128d d1_lo = _mm_cvtepi32_pd(_mm_shuffle_epi32(v1_lo, 0x08)); __m128d d1_hi = _mm_cvtepi32_pd(_mm_shuffle_epi32(v1_hi, 0x08)); // Reconstruct __m128d d0 = _mm_add_pd(d0_lo, _mm_mul_pd(d0_hi, scale)); __m128d d1 = _mm_add_pd(d1_lo, _mm_mul_pd(d1_hi, scale)); // Double → float __m128 f0 = _mm_cvtpd_ps(d0); // 2 floats in low 64 bits __m128 f1 = _mm_cvtpd_ps(d1); // 2 floats in low 64 bits // Combine into 4 floats __m128 result = _mm_movelh_ps(f0, f1); // Store 4 floats _mm_storeu_ps(To, result); From += 4; To += 4; } Count &= 0x3; } } #endif while (Count--) { *To++ = (FLOAT)*From++; } } /** * Converts an array of floats to integers. * * \param From The source floats. * \param To The destination integers. * \param Count The number of elements. */ VOID PhConvertCopyMemorySingles( _Inout_updates_(Count) PFLOAT From, _Inout_updates_(Count) PULONG To, _In_ SIZE_T Count ) { if (Count == 0) return; #ifndef _ARM64_ if (PhHasAVX && IS_ALIGNED(From, 32) && IS_ALIGNED(To, 32)) { SIZE_T count = Count & ~0x7; if (count != 0) { PFLOAT end = From + count; __m256 a; __m256i b; while (From != end) { a = _mm256_load_ps(From); // Truncate toward zero to match scalar (C cast) semantics. b = _mm256_cvttps_epi32(a); // _mm256_cvtps_epi32 // _mm256_cvtps_epu32 _mm256_store_si256((__m256i*)To, b); From += 8; To += 8; } _mm256_zeroupper(); Count &= 0x7; } } #endif if (PhHasIntrinsics && IS_ALIGNED(From, 16) && IS_ALIGNED(To, 16)) { SIZE_T count = Count & ~0x3; if (count != 0) { PFLOAT end; PH_FLOAT128 a; PH_INT128 b; end = (PFLOAT)(ULONG_PTR)(From + count); while (From != end) { a = PhLoadFLOAT128(From); b = PhConvertFLOAT128ToUINT128(a); PhStoreINT128(To, b); From += 4; To += 4; } Count &= 0x3; } } while (Count--) { *To++ = (ULONG)*From++; } } // based on PhCopyCircularBuffer (FLOAT) (\phlib\circbuf_i.h) (dmex) VOID PhCopyConvertCircularBufferULONG( _Inout_ PPH_CIRCULAR_BUFFER_ULONG Buffer, _Out_writes_(Count) FLOAT* Destination, _In_ ULONG Count ) { ULONG tailSize; ULONG headSize; tailSize = (ULONG)(Buffer->Size - Buffer->Index); headSize = Buffer->Count - tailSize; if (Count > Buffer->Count) Count = Buffer->Count; if (tailSize >= Count) { // Convert and copy only a part of the tail. PhConvertCopyMemoryUlong(&Buffer->Data[Buffer->Index], Destination, Count); } else { // Convert and copy the tail, then only part of the head. PhConvertCopyMemoryUlong(&Buffer->Data[Buffer->Index], Destination, tailSize); PhConvertCopyMemoryUlong(Buffer->Data, &Destination[tailSize], (Count - tailSize)); } } VOID PhCopyConvertCircularBufferULONG64( _Inout_ PPH_CIRCULAR_BUFFER_ULONG64 Buffer, _Out_writes_(Count) FLOAT* Destination, _In_ ULONG Count ) { ULONG tailSize; ULONG headSize; tailSize = (ULONG)(Buffer->Size - Buffer->Index); headSize = Buffer->Count - tailSize; if (Count > Buffer->Count) Count = Buffer->Count; if (tailSize >= Count) { // Convert and copy only a part of the tail. PhConvertCopyMemoryUlong64(&Buffer->Data[Buffer->Index], Destination, Count); } else { // Convert and copy the tail, then only part of the head. PhConvertCopyMemoryUlong64(&Buffer->Data[Buffer->Index], Destination, tailSize); PhConvertCopyMemoryUlong64(Buffer->Data, &Destination[tailSize], (Count - tailSize)); } } /** * Counts the number of set bits (1s) in the given 32-bit unsigned integer value. * * \param Value The 32-bit unsigned integer whose bits are to be counted. * \return The number of bits set to 1 in the input value. */ ULONG PhCountBits( _In_ ULONG Value ) { if (PhHasPopulationCount) { return PhPopulationCount32(Value); } else { #undef T #define T ULONG ULONG count; // http://graphics.stanford.edu/~seander/bithacks.html#CountBitsSetParallel Value = Value - ((Value >> 1) & (T)~(T)0 / 3); Value = (Value & (T)~(T)0 / 15 * 3) + ((Value >> 2) & (T)~(T)0 / 15 * 3); Value = (Value + (Value >> 4)) & (T)~(T)0 / 255 * 15; count = (T)(Value * ((T)~(T)0 / 255)) >> (sizeof(T) - 1) * CHAR_BIT; return count; //ULONG count = 0; // //while (Value) //{ // count++; // Value &= Value - 1; //} // //return count; } } /** * Counts the number of set bits (1s) in the specified ULONG_PTR value. * * \param Value The ULONG_PTR value whose bits are to be counted. * \return The number of bits set to 1 in the input value. */ ULONG PhCountBitsUlongPtr( _In_ ULONG_PTR Value ) { #if defined(PH_NATIVE_COUNTBITS) return RtlNumberOfSetBitsUlongPtr(Value); #else #ifdef _WIN64 if (PhHasPopulationCount) { return (ULONG)PhPopulationCount64(Value); } else #endif { #undef T #define T ULONG ULONG count; // http://graphics.stanford.edu/~seander/bithacks.html#CountBitsSetParallel Value = Value - ((Value >> 1) & (T)~(T)0 / 3); Value = (Value & (T)~(T)0 / 15 * 3) + ((Value >> 2) & (T)~(T)0 / 15 * 3); Value = (Value + (Value >> 4)) & (T)~(T)0 / 255 * 15; count = (T)(Value * ((T)~(T)0 / 255)) >> (sizeof(T) - 1) * CHAR_BIT; return count; //ULONG count = 0; // //while (Value) //{ // count++; // Value &= Value - 1; //} // //return count; } #endif } #pragma region Thread Local Storage (TLS) /** * Allocates a new TLS (Thread Local Storage) index. * * \return Returns the allocated TLS index as an ULONG value. */ ULONG PhTlsAlloc( VOID ) { if (WindowsVersion < WINDOWS_NEW) { PTEB currentTeb; PPEB currentPeb; ULONG i; currentTeb = NtCurrentTeb(); currentPeb = currentTeb->ProcessEnvironmentBlock; RtlAcquirePebLock(); for ( i = RtlFindClearBitsAndSet(currentPeb->TlsBitmap, 1, 0); ; i = RtlFindClearBitsAndSet(currentPeb->TlsBitmap, 1, 0) ) { if (i != ULONG_MAX) { RtlReleasePebLock(); currentTeb->TlsSlots[i] = NULL; return i; } if (currentTeb->TlsExpansionSlots) break; RtlReleasePebLock(); currentTeb->TlsExpansionSlots = (PVOID*)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, TLS_EXPANSION_SLOTS * sizeof(PVOID)); if (!currentTeb->TlsExpansionSlots) goto CleanupExit; RtlAcquirePebLock(); } i = RtlFindClearBitsAndSet(currentPeb->TlsExpansionBitmap, 1, 0); RtlReleasePebLock(); if (i != ULONG_MAX) { currentTeb->TlsExpansionSlots[i] = NULL; return i + TLS_MINIMUM_AVAILABLE; } } CleanupExit: //RtlSetLastWin32ErrorAndNtStatusFromNtStatus(STATUS_NO_MEMORY); //return ULONG_MAX; return TlsAlloc(); } /** * Frees a thread-local storage (TLS) slot previously allocated. * * \param Index The index of the TLS slot to be freed. * \return Returns an NTSTATUS code indicating success or failure of the operation. */ NTSTATUS PhTlsFree( _In_ ULONG Index ) { NTSTATUS status; if (WindowsVersion < WINDOWS_NEW) { PTEB currentTeb; PPEB currentPeb; PRTL_BITMAP bitmap; ULONG i; currentTeb = NtCurrentTeb(); currentPeb = currentTeb->ProcessEnvironmentBlock; if (Index >= TLS_MINIMUM_AVAILABLE) { i = Index - TLS_MINIMUM_AVAILABLE; if (i >= TLS_EXPANSION_SLOTS) { return STATUS_INVALID_PARAMETER; } bitmap = currentPeb->TlsExpansionBitmap; Index = i; } else { bitmap = currentPeb->TlsBitmap; } RtlAcquirePebLock(); if (RtlAreBitsSet(bitmap, Index, 1)) { status = NtSetInformationThread( NtCurrentThread(), ThreadZeroTlsCell, &Index, sizeof(ULONG) ); if (NT_SUCCESS(status)) { RtlClearBits(bitmap, Index, 1); } else { status = STATUS_INVALID_PARAMETER; } } else { status = STATUS_INVALID_PARAMETER; } RtlReleasePebLock(); return status; } else { if (TlsFree(Index)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } } /** * Retrieves the value stored in the thread-local storage (TLS) slot specified by the given index. * * \param Index The index of the TLS slot to retrieve the value from. * \return A pointer to the value stored in the specified TLS slot, or NULL if no value is set. */ PVOID PhTlsGetValue( _In_ ULONG Index ) { if (WindowsVersion < WINDOWS_NEW && Index < TLS_MINIMUM_AVAILABLE) { return NtCurrentTeb()->TlsSlots[Index]; } return TlsGetValue(Index); } /** * Retrieves the value stored in the thread-local storage (TLS) slot specified by the given index. * * \param Index The index of the TLS slot to retrieve the value from. * \param Value A pointer to a variable that receives the value stored in the specified TLS slot. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhTlsGetValueEx( _In_ ULONG Index, _Out_ PVOID* Value ) { if (WindowsVersion < WINDOWS_NEW && Index < TLS_MINIMUM_AVAILABLE) { *Value = NtCurrentTeb()->TlsSlots[Index]; return STATUS_SUCCESS; } *Value = TlsGetValue(Index); return PhGetLastWin32ErrorAsNtStatus(); } /** * Sets the value for a thread-local storage (TLS) slot identified by the specified index. * * \param Index The index of the TLS slot to set the value for. * \param Value The value to set for the TLS slot. Can be NULL. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhTlsSetValue( _In_ ULONG Index, _In_opt_ PVOID Value ) { if (WindowsVersion < WINDOWS_NEW && Index < TLS_MINIMUM_AVAILABLE) { NtCurrentTeb()->TlsSlots[Index] = Value; return STATUS_SUCCESS; } if (TlsSetValue(Index, Value)) return STATUS_SUCCESS; return PhGetLastWin32ErrorAsNtStatus(); } #pragma endregion /** * Retrieves the last error code generated by the system or the current thread. * * \return The last error code as an unsigned long value. */ ULONG PhGetLastError( VOID ) { if (WindowsVersion < WINDOWS_NEW) return NtReadCurrentTebUlong(FIELD_OFFSET(TEB, LastErrorValue)); // NtCurrentTeb()->LastErrorValue return GetLastError(); } /** * Sets the last error value for the current thread. * * \param ErrorValue The error code to set as the last error. */ VOID PhSetLastError( _In_ ULONG ErrorValue ) { if (WindowsVersion < WINDOWS_NEW) NtCurrentTeb()->LastErrorValue = ErrorValue; else SetLastError(ErrorValue); } ================================================ FILE: phlib/bcd.cpp ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2021-2023 * */ #include #include #include static PVOID BcdDllBaseAddress = nullptr; static decltype(&BcdOpenSystemStore) BcdOpenSystemStore_I = nullptr; static decltype(&BcdCloseStore) BcdCloseStore_I = nullptr; static decltype(&BcdOpenObject) BcdOpenObject_I = nullptr; static decltype(&BcdCloseObject) BcdCloseObject_I = nullptr; static decltype(&BcdGetElementData) BcdGetElementData_I = nullptr; static decltype(&BcdSetElementData) BcdSetElementData_I = nullptr; //static decltype(&BcdDeleteElement) BcdDeleteElement_I = nullptr; static decltype(&BcdEnumerateObjects) BcdEnumerateObjects_I = nullptr; /** * Ensures the BCD API (bcd.dll) is loaded and the required procedure * pointers are initialized and cached. * * \return TRUE if the BCD API is available and initialized, FALSE otherwise. */ static BOOLEAN PhpBcdApiInitialized( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN bcdInitialized = FALSE; if (PhBeginInitOnce(&initOnce)) { if (BcdDllBaseAddress = PhLoadLibrary(L"bcd.dll")) { BcdOpenSystemStore_I = reinterpret_cast(PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdOpenSystemStore", 0)); BcdCloseStore_I = reinterpret_cast(PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdCloseStore", 0)); BcdOpenObject_I = reinterpret_cast(PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdOpenObject", 0)); BcdCloseObject_I = reinterpret_cast(PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdCloseObject", 0)); BcdGetElementData_I = reinterpret_cast(PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdGetElementData", 0)); BcdSetElementData_I = reinterpret_cast(PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdSetElementData", 0)); //BcdDeleteElement_I = reinterpret_cast(PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdDeleteElement", 0)); } if ( BcdOpenSystemStore_I && BcdCloseStore_I && BcdOpenObject_I && BcdCloseObject_I && BcdGetElementData_I && BcdSetElementData_I ) { bcdInitialized = TRUE; } PhEndInitOnce(&initOnce); } return bcdInitialized; } /** * Opens the system BCD store. * * \param StoreHandle Receives the handle to the opened BCD store on success. * \return NTSTATUS result code. */ NTSTATUS PhBcdOpenSystemStore( _Out_ PHANDLE StoreHandle ) { NTSTATUS status; HANDLE bcdStoreHandle; if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; status = BcdOpenSystemStore_I( &bcdStoreHandle ); if (NT_SUCCESS(status)) { *StoreHandle = bcdStoreHandle; } return status; } /** * Closes a previously opened BCD store handle. * * \param StoreHandle The handle to the BCD store to close. * \return NTSTATUS result code. */ NTSTATUS PhBcdCloseStore( _In_ HANDLE StoreHandle ) { if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; return BcdCloseStore_I(StoreHandle); } /** * Opens a BCD object identified by \p Identifier from the specified store. * * \param StoreHandle Handle to the BCD store. * \param Identifier Pointer to the GUID that identifies the BCD object to open. * \param ObjectHandle Receives the opened object handle on success. * \return NTSTATUS result code. */ NTSTATUS PhBcdOpenObject( _In_ HANDLE StoreHandle, _In_ PCGUID Identifier, _Out_ PHANDLE ObjectHandle ) { NTSTATUS status; HANDLE bcdObjectHandle; if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; status = BcdOpenObject_I( StoreHandle, Identifier, &bcdObjectHandle ); if (NT_SUCCESS(status)) { *ObjectHandle = bcdObjectHandle; } return status; } /** * Closes a previously opened BCD object handle. * * \param ObjectHandle The handle to the BCD object to close. * \return NTSTATUS result code. */ NTSTATUS PhBcdCloseObject( _In_ HANDLE ObjectHandle ) { if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; return BcdCloseObject_I(ObjectHandle); } /** * Retrieves element data from a BCD object. * * \param ObjectHandle Handle to the BCD object. * \param ElementType The element type to retrieve. * \param Buffer Buffer to receive the element data; may be NULL to query size. * \param BufferSize On input the size of \p Buffer; on output receives the number of bytes written or required. * \return NTSTATUS result code. */ NTSTATUS PhBcdGetElementData( _In_ HANDLE ObjectHandle, _In_ ULONG ElementType, _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, _Inout_ PULONG BufferSize ) { if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; return BcdGetElementData_I( ObjectHandle, ElementType, Buffer, BufferSize ); } /** * Sets element data on a BCD object. * * \param ObjectHandle Handle to the BCD object. * \param ElementType The element type to set. * \param Buffer Buffer containing the element data. * \param BufferSize Size of \p Buffer in bytes. * \return NTSTATUS result code. */ NTSTATUS PhBcdSetElementData( _In_ HANDLE ObjectHandle, _In_ ULONG ElementType, _In_reads_bytes_opt_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize ) { if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; return BcdSetElementData_I( ObjectHandle, ElementType, Buffer, BufferSize ); } //NTSTATUS PhBcdDeleteElement( // _In_ HANDLE ObjectHandle, // _In_ ULONG ElementType // ) //{ // if (!PhpBcdApiInitialized()) // return STATUS_UNSUCCESSFUL; // // return BcdDeleteElement_I( // ObjectHandle, // ElementType // ); //} /** * Enumerates BCD objects in the provided store that match \p EnumDescriptor. * * \param StoreHandle Handle to the BCD store. * \param EnumDescriptor Descriptor used to filter the enumeration. * \param Buffer Buffer to receive enumeration results; may be NULL to query size. * \param BufferSize On input the size of \p Buffer; on output receives the number of bytes written or required. * \param ObjectCount Receives the number of objects returned. * \return NTSTATUS result code. */ NTSTATUS PhBcdEnumerateObjects( _In_ HANDLE StoreHandle, _In_ PBCD_OBJECT_DESCRIPTION EnumDescriptor, _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, _Inout_ PULONG BufferSize, _Out_ PULONG ObjectCount ) { if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; if (!BcdEnumerateObjects_I) { BcdEnumerateObjects_I = reinterpret_cast( PhGetDllBaseProcedureAddress(BcdDllBaseAddress, "BcdEnumerateObjects", 0)); } if (!BcdEnumerateObjects_I) return STATUS_UNSUCCESSFUL; return BcdEnumerateObjects_I( StoreHandle, EnumDescriptor, Buffer, BufferSize, ObjectCount ); } /** * Retrieves a string element from a BCD object into a newly allocated PH_STRING. * * \param ObjectHandle Handle to the BCD object. * \param ElementType The element type to retrieve (must be string format). * \param ElementString On success receives a referenced PH_STRING; caller must dereference when finished. May be NULL. * \return NTSTATUS result code. */ NTSTATUS PhBcdGetElementString( _In_ HANDLE ObjectHandle, _In_ ULONG ElementType, _Out_opt_ PPH_STRING* ElementString ) { NTSTATUS status; PPH_STRING string; ULONG stringLength; assert(GET_BCDE_DATA_FORMAT(ElementType) == BCD_ELEMENT_DATATYPE_FORMAT_STRING); if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; stringLength = 0x80; string = PhCreateStringEx(nullptr, stringLength); status = PhBcdGetElementData( ObjectHandle, ElementType, string->Buffer, &stringLength ); if (status == STATUS_BUFFER_TOO_SMALL) { PhDereferenceObject(string); string = PhCreateStringEx(nullptr, stringLength); status = PhBcdGetElementData( ObjectHandle, ElementType, string->Buffer, &stringLength ); } if (NT_SUCCESS(status)) { string->Length = stringLength - sizeof(UNICODE_NULL); if (ElementString) *ElementString = string; else PhDereferenceObject(string); return STATUS_SUCCESS; } PhDereferenceObject(string); return status; } /** * Retrieves a 64-bit integer element from a BCD object. * * \param ObjectHandle Handle to the BCD object. * \param ElementType The element type to retrieve (must be integer format). * \param ElementValue Receives the 64-bit value on success. * \return NTSTATUS result code. */ NTSTATUS PhBcdGetElementUlong64( _In_ HANDLE ObjectHandle, _In_ ULONG ElementType, _Out_ PULONG64 ElementValue ) { NTSTATUS status; ULONG valueLength = sizeof(ULONG64); ULONG64 valueBuffer = 0; assert(GET_BCDE_DATA_FORMAT(ElementType) == BCD_ELEMENT_DATATYPE_FORMAT_INTEGER); if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; status = PhBcdGetElementData( ObjectHandle, ElementType, &valueBuffer, &valueLength ); if (NT_SUCCESS(status)) { *ElementValue = valueBuffer; } return status; } /** * Retrieves a boolean element from a BCD object. * * \param ObjectHandle Handle to the BCD object. * \param ElementType The element type to retrieve (must be boolean format). * \param ElementValue Receives the boolean value on success. * \return NTSTATUS result code. */ NTSTATUS PhBcdGetElementBoolean( _In_ HANDLE ObjectHandle, _In_ ULONG ElementType, _Out_ PBOOLEAN ElementValue ) { NTSTATUS status; ULONG valueLength = sizeof(BOOLEAN); BOOLEAN valueBuffer = FALSE; assert(GET_BCDE_DATA_FORMAT(ElementType) == BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN); if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; status = PhBcdGetElementData( ObjectHandle, ElementType, &valueBuffer, &valueLength ); if (NT_SUCCESS(status)) { *ElementValue = valueBuffer; } return status; } /** * Helper that opens the system store and the current boot entry and retrieves an element's data. * * \param ElementType The element type to retrieve. * \param Buffer Buffer to receive the element data; may be NULL to query size. * \param BufferSize On input the size of \p Buffer; on output receives the number of bytes written or required. * \return NTSTATUS result code. */ NTSTATUS PhBcdGetElementData2( _In_ ULONG ElementType, _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, _Inout_ PULONG BufferSize ) { NTSTATUS status; HANDLE storeHandle = nullptr; HANDLE objectHandle = nullptr; if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; status = BcdOpenSystemStore_I( &storeHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = BcdOpenObject_I( storeHandle, &GUID_CURRENT_BOOT_ENTRY, &objectHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = BcdGetElementData_I( objectHandle, ElementType, Buffer, BufferSize ); CleanupExit: if (objectHandle) PhBcdCloseObject(objectHandle); if (storeHandle) PhBcdCloseStore(storeHandle); return status; } /** * Helper that opens the system store and the current boot entry and sets an element's data. * * \param ElementType The element type to set. * \param Buffer Buffer containing the element data. * \param BufferSize Size of \p Buffer in bytes. * \return NTSTATUS result code. */ NTSTATUS PhBcdSetElementData2( _In_ ULONG ElementType, _In_reads_bytes_opt_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize ) { NTSTATUS status; HANDLE storeHandle = nullptr; HANDLE objectHandle = nullptr; if (!PhpBcdApiInitialized()) return STATUS_UNSUCCESSFUL; status = BcdOpenSystemStore_I( &storeHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = BcdOpenObject_I( storeHandle, &GUID_CURRENT_BOOT_ENTRY, &objectHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = BcdSetElementData_I( objectHandle, ElementType, Buffer, BufferSize ); CleanupExit: if (objectHandle) BcdCloseObject_I(objectHandle); if (storeHandle) BcdCloseStore_I(storeHandle); return status; } /** * Sets or clears the "Advanced Options One Time" flag for the current boot entry. * * \param Enable TRUE to enable the one-time advanced options, FALSE to disable. * \return NTSTATUS result code. */ NTSTATUS PhBcdSetAdvancedOptionsOneTime( _In_ BOOLEAN Enable ) { NTSTATUS status; HANDLE storeHandle = nullptr; HANDLE objectHandle = nullptr; status = PhBcdOpenSystemStore(&storeHandle); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhBcdOpenObject( storeHandle, &GUID_CURRENT_BOOT_ENTRY, &objectHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhBcdSetElementData( objectHandle, BcdOSLoaderBoolean_AdvancedOptionsOneTime, &Enable, sizeof(BOOLEAN) ); CleanupExit: if (objectHandle) PhBcdCloseObject(objectHandle); if (storeHandle) PhBcdCloseStore(storeHandle); return status; } /** * Sets the Windows boot manager's one-time boot application and optionally synchronizes the firmware one-time entry. * * \param Identifier GUID of the boot application to set as one-time. * \param UpdateOneTimeFirmware If TRUE attempt to update the firmware boot manager's one-time entry for a seamless reboot. * \return NTSTATUS result code. */ NTSTATUS PhBcdSetBootApplicationOneTime( _In_ PCGUID Identifier, _In_opt_ BOOLEAN UpdateOneTimeFirmware ) { NTSTATUS status; HANDLE storeHandle = nullptr; HANDLE objectHandle = nullptr; BCD_ELEMENT_OBJECT_LIST objectElementList[1]; status = PhBcdOpenSystemStore(&storeHandle); if (!NT_SUCCESS(status)) return status; if (UpdateOneTimeFirmware) { HANDLE objectFirmwareHandle; // The user might have a third party boot loader where the Windows NT {bootmgr} // is NOT the default {fwbootmgr} entry. So make the reboot seamless/effortless by // synchronizing the {fwbootmgr} one-time option to the Windows NT {bootmgr}. // This is a QOL optimization so you don't have to manually select Windows // first for it to then launch the boot application we already selected. (dmex) if (NT_SUCCESS(PhBcdOpenObject( storeHandle, &GUID_FIRMWARE_BOOTMGR, &objectFirmwareHandle ))) { BCD_ELEMENT_OBJECT_LIST objectFirmwareList[32]; // dynamic? ULONG objectFirmwareListLength; memset(objectFirmwareList, 0, sizeof(objectFirmwareList)); objectFirmwareListLength = sizeof(objectFirmwareList); if (NT_SUCCESS(PhBcdGetElementData( objectFirmwareHandle, BcdBootMgrObjectList_DisplayOrder, objectFirmwareList, &objectFirmwareListLength ))) { // Check if the default entry is some third party application. if (!IsEqualGUID(objectFirmwareList->ObjectList[0], GUID_WINDOWS_BOOTMGR)) { BCD_ELEMENT_OBJECT_LIST firmwareOneTimeBootEntry[1]; firmwareOneTimeBootEntry->ObjectList[0] = GUID_WINDOWS_BOOTMGR; // Set the Windows NT {bootmgr} the one-time {fwbootmgr} entry. status = PhBcdSetElementData( objectFirmwareHandle, BcdBootMgrObjectList_BootSequence, firmwareOneTimeBootEntry, sizeof(firmwareOneTimeBootEntry) ); } } PhBcdCloseObject(objectFirmwareHandle); } } if (!NT_SUCCESS(status)) goto CleanupExit; status = PhBcdOpenObject( storeHandle, &GUID_WINDOWS_BOOTMGR, &objectHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; memcpy(&objectElementList->ObjectList[0], Identifier, sizeof(GUID)); status = PhBcdSetElementData( objectHandle, BcdBootMgrObjectList_BootSequence, objectElementList, sizeof(objectElementList) ); CleanupExit: if (objectHandle) PhBcdCloseObject(objectHandle); if (storeHandle) PhBcdCloseStore(storeHandle); return status; } /** * Sets the firmware boot manager's one-time boot application. * * \param Identifier GUID of the firmware boot application to set as one-time. * \return NTSTATUS result code. */ NTSTATUS PhBcdSetFirmwareBootApplicationOneTime( _In_ PCGUID Identifier ) { NTSTATUS status; HANDLE storeHandle = nullptr; HANDLE objectHandle = nullptr; BCD_ELEMENT_OBJECT_LIST objectElementList[1]; status = PhBcdOpenSystemStore(&storeHandle); if (!NT_SUCCESS(status)) return status; status = PhBcdOpenObject( storeHandle, &GUID_FIRMWARE_BOOTMGR, &objectHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; memcpy(&objectElementList->ObjectList[0], Identifier, sizeof(GUID)); status = PhBcdSetElementData( objectHandle, BcdBootMgrObjectList_BootSequence, objectElementList, sizeof(objectElementList) ); CleanupExit: if (objectHandle) PhBcdCloseObject(objectHandle); if (storeHandle) PhBcdCloseStore(storeHandle); return status; } /** * Enumerates OS loader BCD objects and appends entries to the provided list. * * \param StoreHandle Handle to the BCD store to enumerate. * \param ObjectList List that receives PPH_BCD_OBJECT_LIST entries. */ static VOID PhpBcdEnumerateOsLoaderList( _In_ HANDLE StoreHandle, _In_ PPH_LIST ObjectList ) { NTSTATUS status; ULONG objectCount = 0; ULONG objectSize = 0; PBCD_OBJECT object = nullptr; BCD_OBJECT_DESCRIPTION description; description.Version = BCD_OBJECT_DESCRIPTION_VERSION; description.Type = BCD_OBJECT_OSLOADER_TYPE; // restrict enumeration to OSLOADER types status = PhBcdEnumerateObjects( StoreHandle, &description, object, &objectSize, &objectCount ); if (status == STATUS_BUFFER_TOO_SMALL) { object = static_cast(PhAllocate(objectSize)); memset(object, 0, objectSize); status = PhBcdEnumerateObjects( StoreHandle, &description, object, &objectSize, &objectCount ); } if (!NT_SUCCESS(status) || !object) { if (object) PhFree(object); return; } for (ULONG i = 0; i < objectCount; i++) { HANDLE objectHandle; PPH_STRING objectDescription; if (!NT_SUCCESS(PhBcdOpenObject( StoreHandle, &object[i].Identifier, &objectHandle ))) { continue; } if (NT_SUCCESS(PhBcdGetElementString( objectHandle, BcdLibraryString_Description, &objectDescription ))) { PPH_BCD_OBJECT_LIST entry; entry = static_cast(PhAllocateZero(sizeof(PH_BCD_OBJECT_LIST))); memcpy(&entry->ObjectGuid, &object[i].Identifier, sizeof(GUID)); entry->ObjectName = objectDescription; PhAddItemList(ObjectList, entry); } PhBcdCloseObject(objectHandle); } { HANDLE objectHandle; PPH_STRING objectDescription; // Manually add the memory test application since it's a separate guid. (dmex) if (NT_SUCCESS(PhBcdOpenObject(StoreHandle, &GUID_WINDOWS_MEMORY_TESTER, &objectHandle))) { if (NT_SUCCESS(PhBcdGetElementString(objectHandle, BcdLibraryString_Description, &objectDescription))) { PPH_BCD_OBJECT_LIST entry; entry = static_cast(PhAllocateZero(sizeof(PH_BCD_OBJECT_LIST))); memcpy(&entry->ObjectGuid, &GUID_WINDOWS_MEMORY_TESTER, sizeof(GUID)); entry->ObjectName = objectDescription; PhAddItemList(ObjectList, entry); } PhBcdCloseObject(objectHandle); } } PhFree(object); } /** * Enumerates object lists from a boot manager entry and appends entries to the provided list. * * \param StoreHandle Handle to the BCD store. * \param Identifier GUID of the object whose list will be enumerated. * \param ElementType The element type that contains the object list. * \param ObjectList List that receives PPH_BCD_OBJECT_LIST entries. */ static VOID PhpBcdEnumerateBootMgrList( _In_ HANDLE StoreHandle, _In_ PCGUID Identifier, _In_ ULONG ElementType, _In_ PPH_LIST ObjectList ) { NTSTATUS status; HANDLE objectHandle = nullptr; BCD_ELEMENT_OBJECT_LIST objectElementList[32] = { }; // dynamic? ULONG objectListLength = sizeof(objectElementList); status = PhBcdOpenObject( StoreHandle, Identifier, &objectHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhBcdGetElementData( objectHandle, ElementType, objectElementList, &objectListLength ); if (!NT_SUCCESS(status)) goto CleanupExit; for (ULONG i = 0; i < objectListLength / sizeof(BCD_ELEMENT_OBJECT_LIST); i++) { HANDLE objectEntryHandle; PPH_STRING objectEntryDescription; if (!NT_SUCCESS(PhBcdOpenObject( StoreHandle, &objectElementList->ObjectList[i], &objectEntryHandle ))) { continue; } if (NT_SUCCESS(PhBcdGetElementString( objectEntryHandle, BcdLibraryString_Description, &objectEntryDescription ))) { PPH_BCD_OBJECT_LIST entry; entry = static_cast(PhAllocateZero(sizeof(PH_BCD_OBJECT_LIST))); memcpy(&entry->ObjectGuid, &objectElementList->ObjectList[i], sizeof(GUID)); entry->ObjectName = objectEntryDescription; PhAddItemList(ObjectList, entry); } PhBcdCloseObject(objectEntryHandle); } CleanupExit: if (objectHandle) PhBcdCloseObject(objectHandle); } /** * Queries and returns a list of boot applications. * * \param EnumerateAllObjects TRUE to enumerate all OS loader objects; FALSE to use the boot manager display and tools order. * \return A referenced PPH_LIST containing PPH_BCD_OBJECT_LIST entries on success, or NULL on failure. */ PPH_LIST PhBcdQueryBootApplicationList( _In_ BOOLEAN EnumerateAllObjects ) { NTSTATUS status; HANDLE storeHandle; PPH_LIST objectApplicationList; status = PhBcdOpenSystemStore(&storeHandle); if (!NT_SUCCESS(status)) return nullptr; objectApplicationList = PhCreateList(5); if (EnumerateAllObjects) { PhpBcdEnumerateOsLoaderList( storeHandle, objectApplicationList ); } else { PhpBcdEnumerateBootMgrList( storeHandle, &GUID_WINDOWS_BOOTMGR, BcdBootMgrObjectList_DisplayOrder, objectApplicationList ); PhpBcdEnumerateBootMgrList( storeHandle, &GUID_WINDOWS_BOOTMGR, BcdBootMgrObjectList_ToolsDisplayOrder, objectApplicationList ); } PhBcdCloseStore(storeHandle); return objectApplicationList; } /** * Queries and returns a list of firmware boot applications from the firmware boot manager. * * \return A referenced PPH_LIST containing PPH_BCD_OBJECT_LIST entries on success, or NULL on failure. */ PPH_LIST PhBcdQueryFirmwareBootApplicationList( VOID ) { NTSTATUS status; HANDLE storeHandle; PPH_LIST objectApplicationList; status = PhBcdOpenSystemStore(&storeHandle); if (!NT_SUCCESS(status)) return nullptr; objectApplicationList = PhCreateList(5); PhpBcdEnumerateBootMgrList( storeHandle, &GUID_FIRMWARE_BOOTMGR, BcdBootMgrObjectList_DisplayOrder, objectApplicationList ); PhpBcdEnumerateBootMgrList( storeHandle, &GUID_FIRMWARE_BOOTMGR, BcdBootMgrObjectList_ToolsDisplayOrder, objectApplicationList ); PhBcdCloseStore(storeHandle); return objectApplicationList; } /** * Destroys a boot application list and frees associated entries and references. * * \param ObjectApplicationList The list to destroy and free. */ VOID PhBcdDestroyBootApplicationList( _In_ PPH_LIST ObjectApplicationList ) { for (ULONG i = 0; i < ObjectApplicationList->Count; i++) { PPH_BCD_OBJECT_LIST entry = static_cast(ObjectApplicationList->Items[i]); PhDereferenceObject(entry->ObjectName); PhFree(entry); } PhDereferenceObject(ObjectApplicationList); } ================================================ FILE: phlib/circbuf.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2025 * */ #include #include #pragma push_macro("T") #undef T #define T ULONG #include "circbuf_i.h" #undef T #define T ULONG64 #include "circbuf_i.h" #undef T #define T PVOID #include "circbuf_i.h" #undef T #define T SIZE_T #include "circbuf_i.h" #undef T #define T FLOAT #include "circbuf_i.h" #undef T #define T DOUBLE #include "circbuf_i.h" #undef T #pragma pop_macro("T") ================================================ FILE: phlib/circbuf_i.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifdef T #include VOID T___(PhInitializeCircularBuffer, T)( _Out_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ ULONG Size ) { #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE Buffer->Size = PhRoundUpToPowerOfTwo(Size); Buffer->SizeMinusOne = Buffer->Size - 1; #else Buffer->Size = Size; #endif Buffer->Count = 0; Buffer->Index = 0; Buffer->Data = PhAllocate(sizeof(T) * Buffer->Size); } VOID T___(PhDeleteCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer ) { PhFree(Buffer->Data); } VOID T___(PhResizeCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ ULONG NewSize ) { T *newData; ULONG tailSize; ULONG headSize; #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE NewSize = PhRoundUpToPowerOfTwo(NewSize); #endif // If we're not actually resizing it, return. if (NewSize == Buffer->Size) return; newData = PhAllocate(sizeof(T) * NewSize); tailSize = (ULONG)(Buffer->Size - Buffer->Index); headSize = Buffer->Count - tailSize; if (NewSize > Buffer->Size) { // Copy the tail, then the head. memcpy(newData, &Buffer->Data[Buffer->Index], sizeof(T) * tailSize); memcpy(&newData[tailSize], Buffer->Data, sizeof(T) * headSize); Buffer->Index = 0; } else { if (tailSize >= NewSize) { // Copy only a part of the tail. memcpy(newData, &Buffer->Data[Buffer->Index], sizeof(T) * NewSize); Buffer->Index = 0; } else { // Copy the tail, then only part of the head. memcpy(newData, &Buffer->Data[Buffer->Index], sizeof(T) * tailSize); memcpy(&newData[tailSize], Buffer->Data, sizeof(T) * (NewSize - tailSize)); Buffer->Index = 0; } // Since we're making the circular buffer smaller, limit the count. if (Buffer->Count > NewSize) Buffer->Count = NewSize; } Buffer->Data = newData; Buffer->Size = NewSize; #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE Buffer->SizeMinusOne = NewSize - 1; #endif } VOID T___(PhClearCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer ) { Buffer->Count = 0; Buffer->Index = 0; } VOID T___(PhCopyCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _Out_writes_(Count) T *Destination, _In_ ULONG Count ) { ULONG tailSize; ULONG headSize; tailSize = (ULONG)(Buffer->Size - Buffer->Index); headSize = Buffer->Count - tailSize; if (Count > Buffer->Count) Count = Buffer->Count; if (tailSize >= Count) { // Copy only a part of the tail. memcpy(Destination, &Buffer->Data[Buffer->Index], sizeof(T) * Count); } else { // Copy the tail, then only part of the head. memcpy(Destination, &Buffer->Data[Buffer->Index], sizeof(T) * tailSize); memcpy(&Destination[tailSize], Buffer->Data, sizeof(T) * (Count - tailSize)); } } #endif ================================================ FILE: phlib/colorbox.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2017-2024 * */ #include #include #include #include typedef struct _PH_COLORBOX_CONTEXT { COLORREF SelectedColor; union { ULONG Flags; struct { ULONG Hot : 1; ULONG HasFocus : 1; ULONG EnableThemeSupport : 1; ULONG Spare : 29; }; }; } PH_COLORBOX_CONTEXT, *PPH_COLORBOX_CONTEXT; LRESULT CALLBACK PhColorBoxWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); RTL_ATOM PhColorBoxInitialization( VOID ) { WNDCLASSEX wcex; memset(&wcex, 0, sizeof(WNDCLASSEX)); wcex.cbSize = sizeof(WNDCLASSEX); wcex.style = CS_GLOBALCLASS; wcex.lpfnWndProc = PhColorBoxWndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = sizeof(PVOID); wcex.hInstance = NtCurrentImageBase(); wcex.hCursor = PhLoadCursor(NULL, IDC_ARROW); wcex.lpszClassName = PH_COLORBOX_CLASSNAME; return RegisterClassEx(&wcex); } PPH_COLORBOX_CONTEXT PhCreateColorBoxContext( VOID ) { PPH_COLORBOX_CONTEXT context; context = PhAllocate(sizeof(PH_COLORBOX_CONTEXT)); memset(context, 0, sizeof(PH_COLORBOX_CONTEXT)); return context; } VOID PhFreeColorBoxContext( _In_ _Post_invalid_ PPH_COLORBOX_CONTEXT Context ) { PhFree(Context); } UINT_PTR CALLBACK PhpColorBoxDlgHookProc( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uMsg) { case WM_INITDIALOG: { LPCHOOSECOLOR chooseColor = (LPCHOOSECOLOR)lParam; PPH_COLORBOX_CONTEXT context = (PPH_COLORBOX_CONTEXT)chooseColor->lCustData; PhCenterWindow(hwndDlg, GetParent(hwndDlg)); PhInitializeWindowTheme(hwndDlg, !!context->EnableThemeSupport); } break; case WM_CTLCOLORBTN: return HANDLE_WM_CTLCOLORBTN(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORDLG: return HANDLE_WM_CTLCOLORDLG(hwndDlg, wParam, lParam, PhWindowThemeControlColor); case WM_CTLCOLORSTATIC: return HANDLE_WM_CTLCOLORSTATIC(hwndDlg, wParam, lParam, PhWindowThemeControlColor); } return FALSE; } VOID PhpChooseColor( _In_ HWND hwnd, _In_ PPH_COLORBOX_CONTEXT Context ) { CHOOSECOLOR chooseColor = { sizeof(chooseColor) }; COLORREF customColors[16] = { 0 }; chooseColor.hwndOwner = hwnd; chooseColor.rgbResult = Context->SelectedColor; chooseColor.lpCustColors = customColors; chooseColor.lCustData = (LPARAM)Context; chooseColor.lpfnHook = PhpColorBoxDlgHookProc; chooseColor.Flags = CC_ANYCOLOR | CC_ENABLEHOOK | CC_FULLOPEN | CC_RGBINIT; if (ChooseColor(&chooseColor)) { Context->SelectedColor = chooseColor.rgbResult; InvalidateRect(hwnd, NULL, TRUE); UpdateWindow(hwnd); } } LRESULT CALLBACK PhColorBoxWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_COLORBOX_CONTEXT context = PhGetWindowContextEx(hwnd); switch (uMsg) { case WM_NCCREATE: { context = PhCreateColorBoxContext(); PhSetWindowContextEx(hwnd, context); } break; case WM_NCDESTROY: { PhRemoveWindowContextEx(hwnd); PhFreeColorBoxContext(context); } break; case WM_PAINT: { PAINTSTRUCT paintStruct; RECT updateRect; HBRUSH oldBrush; HPEN oldPen; HDC hdc; if (hdc = BeginPaint(hwnd, &paintStruct)) { updateRect = paintStruct.rcPaint; // Border color oldPen = SelectPen(hdc, PhGetStockPen(DC_PEN)); SetDCPenColor(hdc, RGB(0x44, 0x44, 0x44)); // Select the border and fill. oldBrush = SelectBrush(hdc, PhGetStockBrush(DC_BRUSH)); // Fill color if (!context->Hot && !context->HasFocus) SetDCBrushColor(hdc, context->SelectedColor); else SetDCBrushColor(hdc, PhMakeColorBrighter(context->SelectedColor, 64)); // Draw the border and fill. Rectangle(hdc, updateRect.left, updateRect.top, updateRect.right, updateRect.bottom); // Restore the original border and fill. SelectBrush(hdc, oldBrush); SelectPen(hdc, oldPen); EndPaint(hwnd, &paintStruct); } } return 0; case WM_ERASEBKGND: return 1; case WM_MOUSEMOVE: { if (!context->Hot) { TRACKMOUSEEVENT trackMouseEvent = { sizeof(trackMouseEvent) }; context->Hot = TRUE; InvalidateRect(hwnd, NULL, TRUE); trackMouseEvent.dwFlags = TME_LEAVE; trackMouseEvent.hwndTrack = hwnd; TrackMouseEvent(&trackMouseEvent); } } break; case WM_MOUSELEAVE: { context->Hot = FALSE; InvalidateRect(hwnd, NULL, TRUE); } break; case WM_LBUTTONDOWN: { PhpChooseColor(hwnd, context); } break; case WM_SETFOCUS: { context->HasFocus = TRUE; InvalidateRect(hwnd, NULL, TRUE); } return 0; case WM_KILLFOCUS: { context->HasFocus = FALSE; InvalidateRect(hwnd, NULL, TRUE); } return 0; case WM_GETDLGCODE: if (wParam == VK_RETURN) return DLGC_WANTMESSAGE; return 0; case WM_KEYDOWN: { switch (wParam) { case VK_SPACE: case VK_RETURN: PhpChooseColor(hwnd, context); break; } } break; case CBCM_SETCOLOR: context->SelectedColor = (COLORREF)wParam; return TRUE; case CBCM_GETCOLOR: return (LRESULT)context->SelectedColor; case CBCM_THEMESUPPORT: context->EnableThemeSupport = (BOOLEAN)wParam; return TRUE; } return DefWindowProc(hwnd, uMsg, wParam, lParam); } ================================================ FILE: phlib/cpysave.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2012 * dmex 2018-2023 * */ #include #include #include #include #define TAB_SIZE 8 VOID PhpEscapeStringForCsv( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ PPH_STRING String ) { SIZE_T i; SIZE_T length; PWCHAR runStart; SIZE_T runLength; length = String->Length / sizeof(WCHAR); runStart = NULL; runLength = 0; for (i = 0; i < length; i++) { switch (String->Buffer[i]) { case L'\"': if (runStart) { PhAppendStringBuilderEx(StringBuilder, runStart, runLength * sizeof(WCHAR)); runStart = NULL; } PhAppendStringBuilder2(StringBuilder, L"\"\""); break; case L',': if (runStart) { PhAppendStringBuilderEx(StringBuilder, runStart, runLength * sizeof(WCHAR)); runStart = NULL; } // Note: There doesn't seem to be a proper way to escape // commas for some locales in a way that works with all // third party software. For now we'll swap commas // for full stops. This works but prevents formatting // integers with the correct decimal separator. (dmex) PhAppendStringBuilder2(StringBuilder, L"."); break; default: if (runStart) { runLength++; } else { runStart = &String->Buffer[i]; runLength = 1; } break; } } if (runStart) PhAppendStringBuilderEx(StringBuilder, runStart, runLength * sizeof(WCHAR)); } /** * Allocates a text table. * * \param Table A variable which receives a pointer to the text table. * \param Rows The number of rows in the table. * \param Columns The number of columns in the table. */ VOID PhaCreateTextTable( _Out_ PPH_STRING ***Table, _In_ ULONG Rows, _In_ ULONG Columns ) { PPH_STRING **table; ULONG i; table = PH_AUTO(PhCreateAlloc(sizeof(PPH_STRING *) * Rows)); for (i = 0; i < Rows; i++) { table[i] = PH_AUTO(PhCreateAlloc(sizeof(PPH_STRING) * Columns)); memset(table[i], 0, sizeof(PPH_STRING) * Columns); } *Table = table; } /** * Formats a text table to a list of lines. * * \param Table A pointer to the text table. * \param Rows The number of rows in the table. * \param Columns The number of columns in the table. * \param Mode The export formatting mode. * * \return A list of strings for each line in the output. The list object and * string objects are not auto-dereferenced. */ PPH_LIST PhaFormatTextTable( _In_ PPH_STRING **Table, _In_ ULONG Rows, _In_ ULONG Columns, _In_ ULONG Mode ) { PPH_LIST lines; // The tab count array contains the number of tabs need to fill the biggest // row cell in each column. PULONG tabCount = NULL; ULONG i; ULONG j; if (Mode == PH_EXPORT_MODE_TABS || Mode == PH_EXPORT_MODE_SPACES) { // Create the tab count array. tabCount = PH_AUTO(PhCreateAlloc(sizeof(ULONG) * Columns)); memset(tabCount, 0, sizeof(ULONG) * Columns); // zero all values for (i = 0; i < Rows; i++) { for (j = 0; j < Columns; j++) { ULONG newCount; if (Table[i][j]) newCount = (ULONG)(Table[i][j]->Length / sizeof(WCHAR) / TAB_SIZE); else newCount = 0; // Replace the existing count if this tab count is bigger. if (tabCount[j] < newCount) tabCount[j] = newCount; } } } // Create the final list of lines by going through each cell and appending // the proper tab count (if we are using tabs). This will make sure each column // is properly aligned. lines = PhCreateList(Rows); for (i = 0; i < Rows; i++) { PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 0x100); switch (Mode) { case PH_EXPORT_MODE_TABS: { for (j = 0; j < Columns; j++) { ULONG k; if (Table[i][j]) { // Calculate the number of tabs needed. k = (ULONG)(tabCount[j] + 1 - Table[i][j]->Length / sizeof(WCHAR) / TAB_SIZE); PhAppendStringBuilder(&stringBuilder, &Table[i][j]->sr); } else { k = tabCount[j] + 1; } PhAppendCharStringBuilder2(&stringBuilder, L'\t', k); } } break; case PH_EXPORT_MODE_SPACES: { for (j = 0; j < Columns; j++) { ULONG k; if (Table[i][j]) { // Calculate the number of spaces needed. k = (ULONG)((tabCount[j] + 1) * TAB_SIZE - Table[i][j]->Length / sizeof(WCHAR)); PhAppendStringBuilder(&stringBuilder, &Table[i][j]->sr); } else { k = (tabCount[j] + 1) * TAB_SIZE; } PhAppendCharStringBuilder2(&stringBuilder, L' ', k); } } break; case PH_EXPORT_MODE_CSV: { for (j = 0; j < Columns; j++) { PhAppendCharStringBuilder(&stringBuilder, L'\"'); if (Table[i][j]) { PhpEscapeStringForCsv(&stringBuilder, Table[i][j]); } PhAppendCharStringBuilder(&stringBuilder, L'\"'); if (j != Columns - 1) PhAppendCharStringBuilder(&stringBuilder, L','); } } break; } PhAddItemList(lines, PhFinalStringBuilderString(&stringBuilder)); } return lines; } _Use_decl_annotations_ BOOLEAN PhMapDisplayIndexTreeNew( _In_ HWND TreeNewHandle, _Out_opt_ PULONG *DisplayToId, _Out_opt_ PWSTR **DisplayToText, _Out_ PULONG NumberOfColumns ) { BOOLEAN result = TRUE; PPH_TREENEW_COLUMN fixedColumn; ULONG numberOfColumns; PULONG displayToId; PWSTR *displayToText; ULONG i; PH_TREENEW_COLUMN column; fixedColumn = TreeNew_GetFixedColumn(TreeNewHandle); numberOfColumns = TreeNew_GetVisibleColumnCount(TreeNewHandle); displayToId = PhAllocate(numberOfColumns * sizeof(ULONG)); if (fixedColumn) { TreeNew_GetColumnOrderArray(TreeNewHandle, numberOfColumns - 1, displayToId + 1); displayToId[0] = fixedColumn->Id; } else { TreeNew_GetColumnOrderArray(TreeNewHandle, numberOfColumns, displayToId); } if (DisplayToText) { displayToText = PhAllocate(numberOfColumns * sizeof(PWSTR)); for (i = 0; i < numberOfColumns; i++) { if (TreeNew_GetColumn(TreeNewHandle, displayToId[i], &column)) { displayToText[i] = (PWSTR)column.Text; } else { result = FALSE; break; } } *DisplayToText = displayToText; } if (result) { if (DisplayToId) *DisplayToId = displayToId; else PhFree(displayToId); *NumberOfColumns = numberOfColumns; return TRUE; } PhFree(displayToId); return FALSE; } PPH_STRING PhGetTreeNewText( _In_ HWND TreeNewHandle, _Reserved_ ULONG Reserved ) { PH_STRING_BUILDER stringBuilder; PULONG displayToId; ULONG rows; ULONG columns; ULONG i; ULONG j; PhMapDisplayIndexTreeNew(TreeNewHandle, &displayToId, NULL, &columns); rows = TreeNew_GetFlatNodeCount(TreeNewHandle); PhInitializeStringBuilder(&stringBuilder, 0x100); for (i = 0; i < rows; i++) { PH_TREENEW_GET_CELL_TEXT getCellText; getCellText.Node = TreeNew_GetFlatNode(TreeNewHandle, i); assert(getCellText.Node); if (!getCellText.Node->Selected) continue; for (j = 0; j < columns; j++) { getCellText.Id = displayToId[j]; PhInitializeEmptyStringRef(&getCellText.Text); TreeNew_GetCellText(TreeNewHandle, &getCellText); // Ignore empty columns. (dmex) if (getCellText.Text.Length != 0) { PhAppendStringBuilder(&stringBuilder, &getCellText.Text); } PhAppendStringBuilder2(&stringBuilder, L", "); } // Remove the trailing comma and space. if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 2); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } PhFree(displayToId); return PhFinalStringBuilderString(&stringBuilder); } PPH_LIST PhGetGenericTreeNewLines( _In_ HWND TreeNewHandle, _In_ ULONG Mode ) { PH_AUTO_POOL autoPool; PPH_LIST lines; ULONG rows; ULONG columns; ULONG numberOfNodes; PULONG displayToId; PWSTR *displayToText; PPH_STRING **table; ULONG i; ULONG j; PhInitializeAutoPool(&autoPool); numberOfNodes = TreeNew_GetFlatNodeCount(TreeNewHandle); rows = numberOfNodes + 1; PhMapDisplayIndexTreeNew(TreeNewHandle, &displayToId, &displayToText, &columns); PhaCreateTextTable(&table, rows, columns); for (i = 0; i < columns; i++) table[0][i] = PhaCreateString(displayToText[i]); for (i = 0; i < numberOfNodes; i++) { PPH_TREENEW_NODE node; node = TreeNew_GetFlatNode(TreeNewHandle, i); if (node) { for (j = 0; j < columns; j++) { PH_TREENEW_GET_CELL_TEXT getCellText; getCellText.Node = node; getCellText.Id = displayToId[j]; PhInitializeEmptyStringRef(&getCellText.Text); TreeNew_GetCellText(TreeNewHandle, &getCellText); table[i + 1][j] = PhaCreateStringEx(getCellText.Text.Buffer, getCellText.Text.Length); } } else { for (j = 0; j < columns; j++) { table[i + 1][j] = PH_AUTO(PhReferenceEmptyString()); } } } PhFree(displayToText); PhFree(displayToId); lines = PhaFormatTextTable(table, rows, columns, Mode); PhDeleteAutoPool(&autoPool); return lines; } _Use_decl_annotations_ BOOLEAN PhaMapDisplayIndexListView( _In_ HWND ListViewHandle, _Out_writes_(Count) PULONG DisplayToId, _Out_writes_opt_(Count) PPH_STRING *DisplayToText, _In_ ULONG Count, _Out_ PULONG NumberOfColumns ) { LVCOLUMN lvColumn; ULONG i; ULONG count; WCHAR buffer[128]; count = 0; lvColumn.mask = LVCF_ORDER | LVCF_TEXT; lvColumn.pszText = buffer; lvColumn.cchTextMax = sizeof(buffer) / sizeof(WCHAR); for (i = 0; i < Count; i++) { if (ListView_GetColumn(ListViewHandle, i, &lvColumn)) { ULONG displayIndex; displayIndex = (ULONG)lvColumn.iOrder; assert(displayIndex < Count); DisplayToId[displayIndex] = i; if (DisplayToText) DisplayToText[displayIndex] = PhaCreateString(buffer); count++; } else { break; } } *NumberOfColumns = count; return TRUE; } PPH_STRING PhGetListViewItemText( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG SubItemIndex ) { PPH_STRING buffer; SIZE_T allocatedCount; SIZE_T count; LVITEM lvItem; // Unfortunately LVM_GETITEMTEXT doesn't want to return the actual length of the text. // Keep doubling the buffer size until we get a return count that is strictly less than // the amount we allocated. buffer = NULL; allocatedCount = 256; count = allocatedCount; while (count >= allocatedCount) { allocatedCount *= 2; if (buffer) PhDereferenceObject(buffer); buffer = PhCreateStringEx(NULL, (allocatedCount + 1) * sizeof(WCHAR)); lvItem.iSubItem = SubItemIndex; lvItem.cchTextMax = (LONG)allocatedCount; lvItem.pszText = buffer->Buffer; count = SendMessage(ListViewHandle, LVM_GETITEMTEXT, Index, (LPARAM)&lvItem); } PhTrimToNullTerminatorString(buffer); return buffer; } //PPH_STRING PhGetListViewItemText( // _In_ HWND ListViewHandle, // _In_ INT Index, // _In_ INT SubIndex // ) //{ // WCHAR buffer[DOS_MAX_PATH_LENGTH] = L""; // LVITEM item; // // item.mask = LVIF_TEXT; // item.iItem = Index; // item.iSubItem = SubIndex; // item.pszText = buffer; // item.cchTextMax = RTL_NUMBER_OF(buffer); // // if (ListView_GetItem(ListViewHandle, &item)) // { // return PhCreateString(buffer); // } // // return NULL; //} PPH_STRING PhGetListViewSelectedItemText( _In_ HWND ListViewHandle ) { LONG index; index = PhFindListViewItemByFlags( ListViewHandle, INT_ERROR, LVNI_SELECTED ); if (index != INT_ERROR) { return PhGetListViewItemText(ListViewHandle, index, 0); } return NULL; } PPH_STRING PhaGetListViewItemText( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG SubItemIndex ) { PPH_STRING value; if (value = PhGetListViewItemText(ListViewHandle, Index, SubItemIndex)) { PH_AUTO(value); return value; } return NULL; } PPH_STRING PhGetListViewText( _In_ HWND ListViewHandle ) { PH_AUTO_POOL autoPool; PH_STRING_BUILDER stringBuilder; ULONG displayToId[100]; ULONG rows; ULONG columns; ULONG i; ULONG j; PhInitializeAutoPool(&autoPool); PhaMapDisplayIndexListView(ListViewHandle, displayToId, NULL, 100, &columns); rows = ListView_GetItemCount(ListViewHandle); PhInitializeStringBuilder(&stringBuilder, 0x100); for (i = 0; i < rows; i++) { if (!(ListView_GetItemState(ListViewHandle, i, LVIS_SELECTED) & LVIS_SELECTED)) continue; for (j = 0; j < columns; j++) { PhAppendStringBuilder(&stringBuilder, &PhaGetListViewItemText(ListViewHandle, i, j)->sr); PhAppendStringBuilder2(&stringBuilder, L", "); } // Remove the trailing comma and space. if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 2); PhAppendStringBuilder2(&stringBuilder, L"\r\n"); } PhDeleteAutoPool(&autoPool); return PhFinalStringBuilderString(&stringBuilder); } PPH_LIST PhGetListViewLines( _In_ HWND ListViewHandle, _In_ ULONG Mode ) { PH_AUTO_POOL autoPool; PPH_LIST lines; ULONG rows; ULONG columns; ULONG displayToId[100]; PPH_STRING displayToText[100]; PPH_STRING **table; ULONG i; ULONG j; PhInitializeAutoPool(&autoPool); rows = ListView_GetItemCount(ListViewHandle) + 1; // +1 for column headers // Create the display index/text to ID map. PhaMapDisplayIndexListView(ListViewHandle, displayToId, displayToText, 100, &columns); PhaCreateTextTable(&table, rows, columns); // Populate the first row with the column headers. for (i = 0; i < columns; i++) table[0][i] = displayToText[i]; // Populate the other rows with text. for (i = 1; i < rows; i++) { for (j = 0; j < columns; j++) { // Important: use this to bypass extlv's hooking. // extlv only hooks LVM_GETITEM, not LVM_GETITEMTEXT. table[i][j] = PhaGetListViewItemText(ListViewHandle, i - 1, j); } } lines = PhaFormatTextTable(table, rows, columns, Mode); PhDeleteAutoPool(&autoPool); return lines; } ================================================ FILE: phlib/data.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2026 * */ #include #include // SIDs CONST SID PhSeNobodySid = { SID_REVISION, 1, SECURITY_NULL_SID_AUTHORITY, { SECURITY_NULL_RID } }; CONST SID PhSeEveryoneSid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } }; CONST SID PhSeLocalSid = { SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHORITY, { SECURITY_LOCAL_RID } }; CONST SID PhSeCreatorOwnerSid = { SID_REVISION, 1, SECURITY_CREATOR_SID_AUTHORITY, { SECURITY_CREATOR_OWNER_RID } }; CONST SID PhSeCreatorGroupSid = { SID_REVISION, 1, SECURITY_CREATOR_SID_AUTHORITY, { SECURITY_CREATOR_GROUP_RID } }; CONST SID PhSeDialupSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_DIALUP_RID } }; CONST SID PhSeNetworkSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_NETWORK_RID } }; CONST SID PhSeBatchSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_BATCH_RID } }; CONST SID PhSeInteractiveSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } }; CONST SID PhSeServiceSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_SERVICE_RID } }; CONST SID PhSeAnonymousLogonSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } }; CONST SID PhSeProxySid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_PROXY_RID } }; CONST SID PhSeAuthenticatedUserSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } }; CONST SID PhSeRestrictedCodeSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_RESTRICTED_CODE_RID } }; CONST SID PhSeTerminalServerUserSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_TERMINAL_SERVER_RID } }; CONST SID PhSeRemoteInteractiveLogonSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_REMOTE_LOGON_RID } }; CONST SID PhSeLocalSystemSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } }; CONST SID PhSeLocalServiceSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SERVICE_RID } }; CONST SID PhSeNetworkServiceSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_NETWORK_SERVICE_RID } }; PSID PhSeAdministratorsSid( // WinBuiltinAdministratorsSid (dmex) VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static UCHAR administratorsSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG[2])]; static SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_AUTHORITY; PSID administratorsSid = (PSID)administratorsSidBuffer; if (PhBeginInitOnce(&initOnce)) { PhInitializeSid(administratorsSid, &authority, 2); *PhSubAuthoritySid(administratorsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID; *PhSubAuthoritySid(administratorsSid, 1) = DOMAIN_ALIAS_RID_ADMINS; PhEndInitOnce(&initOnce); } assert(PhLengthSid(administratorsSid) == sizeof(administratorsSidBuffer)); return administratorsSid; } PSID PhSeUsersSid( // WinBuiltinUsersSid (dmex) VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static UCHAR usersSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG[2])]; static SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_AUTHORITY; PSID usersSid = (PSID)usersSidBuffer; if (PhBeginInitOnce(&initOnce)) { PhInitializeSid(usersSid, &authority, 2); *PhSubAuthoritySid(usersSid, 0) = SECURITY_BUILTIN_DOMAIN_RID; *PhSubAuthoritySid(usersSid, 1) = DOMAIN_ALIAS_RID_USERS; PhEndInitOnce(&initOnce); } assert(PhLengthSid(usersSid) == sizeof(usersSidBuffer)); return usersSid; } PSID PhSeAnyPackageSid( // WinBuiltinAnyPackageSid (dmex) VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static UCHAR anyAppPackagesSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG[2])]; static SID_IDENTIFIER_AUTHORITY authority = SECURITY_APP_PACKAGE_AUTHORITY; PSID anyAppPackagesSid = (PSID)anyAppPackagesSidBuffer; if (PhBeginInitOnce(&initOnce)) { PhInitializeSid(anyAppPackagesSid, &authority, SECURITY_BUILTIN_APP_PACKAGE_RID_COUNT); *PhSubAuthoritySid(anyAppPackagesSid, 0) = SECURITY_APP_PACKAGE_BASE_RID; *PhSubAuthoritySid(anyAppPackagesSid, 1) = SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE; PhEndInitOnce(&initOnce); } assert(PhLengthSid(anyAppPackagesSid) == sizeof(anyAppPackagesSidBuffer)); return anyAppPackagesSid; } PSID PhSeInternetExplorerSid( // S-1-15-3-4096 (dmex) VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static UCHAR internetExplorerSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG[2])]; static SID_IDENTIFIER_AUTHORITY authority = SECURITY_APP_PACKAGE_AUTHORITY; PSID internetExplorerSid = (PSID)internetExplorerSidBuffer; if (PhBeginInitOnce(&initOnce)) { PhInitializeSid(internetExplorerSid, &authority, SECURITY_BUILTIN_APP_PACKAGE_RID_COUNT); *PhSubAuthoritySid(internetExplorerSid, 0) = SECURITY_CAPABILITY_BASE_RID; *PhSubAuthoritySid(internetExplorerSid, 1) = SECURITY_CAPABILITY_INTERNET_EXPLORER; PhEndInitOnce(&initOnce); } assert(PhLengthSid(internetExplorerSid) == sizeof(internetExplorerSidBuffer)); return internetExplorerSid; } PSID PhSeCloudActiveDirectorySid( // S-1-12-1 (dmex) VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static UCHAR activeDirectorySidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG[1])]; static SID_IDENTIFIER_AUTHORITY authority = { 0, 0, 0, 0, 0, 12 }; PSID activeDirectorySid = (PSID)activeDirectorySidBuffer; if (PhBeginInitOnce(&initOnce)) { PhInitializeSid(activeDirectorySid, &authority, 1); *PhSubAuthoritySid(activeDirectorySid, 0) = 1; PhEndInitOnce(&initOnce); } assert(PhLengthSid(activeDirectorySid) == sizeof(activeDirectorySidBuffer)); return activeDirectorySid; } PSID PhSeLogonIdSid( _In_ ULONG LogonId ) { static UCHAR logonSessionSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG[SECURITY_LOGON_IDS_RID_COUNT])]; static SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_AUTHORITY; PSID logonSessionSid = (PSID)logonSessionSidBuffer; PhInitializeSid(logonSessionSid, &authority, SECURITY_LOGON_IDS_RID_COUNT); *PhSubAuthoritySid(logonSessionSid, 0) = SECURITY_LOGON_IDS_RID; *PhSubAuthoritySid(logonSessionSid, 1) = 0; *PhSubAuthoritySid(logonSessionSid, 2) = LogonId; return logonSessionSid; } // Unicode DECLSPEC_SELECTANY CONST PH_STRINGREF PhUnicodeByteOrderMark = PH_STRINGREF_INIT(L"\ufeff"); // Characters DECLSPEC_SELECTANY CONST BOOLEAN PhCharIsPrintable[256] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, /* 0 - 15 */ // TAB, LF and CR are printable 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 - 31 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* ' ' - '/' */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* '0' - '9' */ 1, 1, 1, 1, 1, 1, 1, /* ':' - '@' */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 'A' - 'Z' */ 1, 1, 1, 1, 1, 1, /* '[' - '`' */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 'a' - 'z' */ 1, 1, 1, 1, 0, /* '{' - 127 */ // DEL is not printable 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 128 - 143 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 144 - 159 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 160 - 175 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 176 - 191 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 192 - 207 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 208 - 223 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 224 - 239 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 /* 240 - 255 */ }; DECLSPEC_SELECTANY CONST BOOLEAN PhCharIsPrintableEx[256] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, /* 0 - 15 */ // TAB, LF and CR are printable 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 - 31 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* ' ' - '/' */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* '0' - '9' */ 1, 1, 1, 1, 1, 1, 1, /* ':' - '@' */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 'A' - 'Z' */ 1, 1, 1, 1, 1, 1, /* '[' - '`' */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 'a' - 'z' */ 1, 1, 1, 1, 0, /* '{' - 127 */ // DEL is not printable 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 128 - 143 (excluded by iswprint) */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 144 - 159 (excluded by iswprint) */ 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 160 - 175 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 176 - 191 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 192 - 207 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 208 - 223 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 224 - 239 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 /* 240 - 255 */ }; /** * Table mapping ASCII character codes to their corresponding integer values. * * This table is used for fast character-to-integer conversion, supporting: * - Decimal digits ('0'-'9') mapped to 0-9 * - Uppercase letters ('A'-'Z') and lowercase letters ('a'-'z') mapped to 10-35 * - Common printable symbols mapped to 36-68 * - All other values are set to -1 (invalid) * * Example usage: * LONG value = PhCharToInteger['A']; // value == 10 * * \note * - Indices 0-255 correspond to all possible unsigned char values. * - Non-mapped characters (including control codes) return -1. */ DECLSPEC_SELECTANY CONST LONG PhCharToInteger[256] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0 - 15 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 16 - 31 */ 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, /* ' ' - '/' */ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, /* '0' - '9' */ 52, 53, 54, 55, 56, 57, 58, /* ':' - '@' */ 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, /* 'A' - 'Z' */ 59, 60, 61, 62, 63, 64, /* '[' - '`' */ 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, /* 'a' - 'z' */ 65, 66, 67, 68, -1, /* '{' - 127 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 128 - 143 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 144 - 159 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 160 - 175 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 176 - 191 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 192 - 207 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 208 - 223 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 224 - 239 */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 /* 240 - 255 */ }; // UTF-16 Validation Tables // // UTF-16 encodes Unicode using 16-bit code units: // - BMP (U+0000 to U+FFFF): Single 16-bit unit, excluding surrogate range (0xD800-0xDFFF) // - Supplementary planes (U+10000 to U+10FFFF): Surrogate pairs // * High surrogate: 0xD800-0xDBFF (high byte: 0xD8-0xDB) // * Low surrogate: 0xDC00-0xDFFF (high byte: 0xDC-0xDF) // // For memory scanning: // 1. Check if high byte is a high surrogate (0xD8-0xDB) - must be followed by low surrogate // 2. Check if high byte is a low surrogate (0xDC-0xDF) - must be preceded by high surrogate // 3. All other high bytes (0x00-0xD7, 0xE0-0xFF) represent valid single-unit characters // Valid UTF-16 high surrogate high bytes (0xD8, 0xD9, 0xDA, 0xDB) DECLSPEC_SELECTANY CONST BOOLEAN PhIsUTF16HighSurrogateHighByte[256] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x00 - 0x0F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x10 - 0x1F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x20 - 0x2F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x30 - 0x3F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x40 - 0x4F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x50 - 0x5F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x60 - 0x6F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x70 - 0x7F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x80 - 0x8F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x90 - 0x9F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xA0 - 0xAF */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xB0 - 0xBF */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xC0 - 0xCF */ 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, /* 0xD0 - 0xDF (0xD8-0xDB are high surrogates) */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xE0 - 0xEF */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 /* 0xF0 - 0xFF */ }; // Valid UTF-16 low surrogate high bytes (0xDC, 0xDD, 0xDE, 0xDF) DECLSPEC_SELECTANY CONST BOOLEAN PhIsUTF16LowSurrogateHighByte[256] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x00 - 0x0F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x10 - 0x1F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x20 - 0x2F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x30 - 0x3F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x40 - 0x4F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x50 - 0x5F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x60 - 0x6F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x70 - 0x7F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x80 - 0x8F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x90 - 0x9F */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xA0 - 0xAF */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xB0 - 0xBF */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xC0 - 0xCF */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, /* 0xD0 - 0xDF (0xDC-0xDF are low surrogates) */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xE0 - 0xEF */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 /* 0xF0 - 0xFF */ }; // Valid standalone character high bytes (excludes surrogate range 0xD8-0xDF) // These can appear as standalone UTF-16 characters DECLSPEC_SELECTANY CONST BOOLEAN PhIsUTF16StandaloneHighByte[256] = { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x00 - 0x0F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x10 - 0x1F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x20 - 0x2F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x30 - 0x3F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x40 - 0x4F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x50 - 0x5F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x60 - 0x6F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x70 - 0x7F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x80 - 0x8F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x90 - 0x9F */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0xA0 - 0xAF */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0xB0 - 0xBF */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0xC0 - 0xCF */ 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xD0 - 0xDF (0xD8-0xDF are surrogates) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0xE0 - 0xEF */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 /* 0xF0 - 0xFF */ }; // Printable character high bytes (common printable ranges) // Based on Unicode categories: Latin, punctuation, symbols, CJK, etc. // Non-printable: C0/C1 controls (0x00-0x1F, 0x7F-0x9F), private use, specials DECLSPEC_SELECTANY CONST BOOLEAN PhIsUTF16PrintableHighByte[256] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x00 - 0x0F (C0 controls) */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x10 - 0x1F (C0 controls) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x20 - 0x2F (Latin-1, punctuation) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x30 - 0x3F (Latin Extended, IPA) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x40 - 0x4F (Cyrillic, Armenian, Hebrew) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x50 - 0x5F (Arabic, Devanagari, Bengali) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x60 - 0x6F (Thai, Lao, Tibetan) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x70 - 0x7F (Georgian, Hangul Jamo) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x80 - 0x8F (Latin Extended Additional) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x90 - 0x9F (Greek Extended) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0xA0 - 0xAF (Punctuation, Currency, Letterlike) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0xB0 - 0xBF (Arrows, Math, Technical) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0xC0 - 0xCF (Box Drawing, Block Elements, CJK) */ 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xD0 - 0xDF (Hangul Syllables / surrogates) */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0xE0 - 0xEF (Private Use Area) */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0 /* 0xF0 - 0xFF (CJK Compatibility, Specials) */ }; DECLSPEC_SELECTANY CONST CHAR PhIntegerToChar[69] = "0123456789" /* 0 - 9 */ "abcdefghijklmnopqrstuvwxyz" /* 10 - 35 */ " !\"#$%&'()*+,-./" /* 36 - 51 */ ":;<=>?@" /* 52 - 58 */ "[\\]^_`" /* 59 - 64 */ "{|}~" /* 65 - 68 */ ; DECLSPEC_SELECTANY CONST CHAR PhIntegerToCharUpper[69] = "0123456789" /* 0 - 9 */ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" /* 10 - 35 */ " !\"#$%&'()*+,-./" /* 36 - 51 */ ":;<=>?@" /* 52 - 58 */ "[\\]^_`" /* 59 - 64 */ "{|}~" /* 65 - 68 */ ; // CRC32 (IEEE 802.3) DECLSPEC_SELECTANY CONST ULONG PhCrc32Table[256] = { 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d }; // Enums DECLSPEC_SELECTANY CONST PH_STRINGREF PhIoPriorityHintNames[] = { PH_STRINGREF_INIT(L"Very low"), PH_STRINGREF_INIT(L"Low"), PH_STRINGREF_INIT(L"Normal"), PH_STRINGREF_INIT(L"High"), PH_STRINGREF_INIT(L"Critical"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhPagePriorityNames[] = { PH_STRINGREF_INIT(L"Lowest"), PH_STRINGREF_INIT(L"Very low"), PH_STRINGREF_INIT(L"Low"), PH_STRINGREF_INIT(L"Medium"), PH_STRINGREF_INIT(L"Below normal"), PH_STRINGREF_INIT(L"Normal"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhKThreadStateNames[] = { PH_STRINGREF_INIT(L"Initialized"), PH_STRINGREF_INIT(L"Ready"), PH_STRINGREF_INIT(L"Running"), PH_STRINGREF_INIT(L"Standby"), PH_STRINGREF_INIT(L"Terminated"), PH_STRINGREF_INIT(L"Waiting"), PH_STRINGREF_INIT(L"Transition"), PH_STRINGREF_INIT(L"DeferredReady"), PH_STRINGREF_INIT(L"GateWait"), PH_STRINGREF_INIT(L"WaitingForProcessInSwap"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhKWaitReasonNames[] = { PH_STRINGREF_INIT(L"Executive"), PH_STRINGREF_INIT(L"FreePage"), PH_STRINGREF_INIT(L"PageIn"), PH_STRINGREF_INIT(L"PoolAllocation"), PH_STRINGREF_INIT(L"DelayExecution"), PH_STRINGREF_INIT(L"Suspended"), PH_STRINGREF_INIT(L"UserRequest"), PH_STRINGREF_INIT(L"WrExecutive"), PH_STRINGREF_INIT(L"WrFreePage"), PH_STRINGREF_INIT(L"WrPageIn"), PH_STRINGREF_INIT(L"WrPoolAllocation"), PH_STRINGREF_INIT(L"WrDelayExecution"), PH_STRINGREF_INIT(L"WrSuspended"), PH_STRINGREF_INIT(L"WrUserRequest"), PH_STRINGREF_INIT(L"WrEventPair"), PH_STRINGREF_INIT(L"WrQueue"), PH_STRINGREF_INIT(L"WrLpcReceive"), PH_STRINGREF_INIT(L"WrLpcReply"), PH_STRINGREF_INIT(L"WrVirtualMemory"), PH_STRINGREF_INIT(L"WrPageOut"), PH_STRINGREF_INIT(L"WrRendezvous"), PH_STRINGREF_INIT(L"WrKeyedEvent"), PH_STRINGREF_INIT(L"WrTerminated"), PH_STRINGREF_INIT(L"WrProcessInSwap"), PH_STRINGREF_INIT(L"WrCpuRateControl"), PH_STRINGREF_INIT(L"WrCalloutStack"), PH_STRINGREF_INIT(L"WrKernel"), PH_STRINGREF_INIT(L"WrResource"), PH_STRINGREF_INIT(L"WrPushLock"), PH_STRINGREF_INIT(L"WrMutex"), PH_STRINGREF_INIT(L"WrQuantumEnd"), PH_STRINGREF_INIT(L"WrDispatchInt"), PH_STRINGREF_INIT(L"WrPreempted"), PH_STRINGREF_INIT(L"WrYieldExecution"), PH_STRINGREF_INIT(L"WrFastMutex"), PH_STRINGREF_INIT(L"WrGuardedMutex"), PH_STRINGREF_INIT(L"WrRundown"), PH_STRINGREF_INIT(L"WrAlertByThreadId"), PH_STRINGREF_INIT(L"WrDeferredPreempt"), PH_STRINGREF_INIT(L"WrPhysicalFault"), PH_STRINGREF_INIT(L"WrIoRing"), PH_STRINGREF_INIT(L"WrMdlCache"), PH_STRINGREF_INIT(L"WrRcu"), }; static_assert(ARRAYSIZE(PhIoPriorityHintNames) == MaxIoPriorityTypes, "PhIoPriorityHintNames must equal MaxIoPriorityTypes"); static_assert(ARRAYSIZE(PhPagePriorityNames) == MEMORY_PRIORITY_NORMAL + 1, "PhPagePriorityNames must equal MEMORY_PRIORITY"); static_assert(ARRAYSIZE(PhKThreadStateNames) == MaximumThreadState, "PhKThreadStateNames must equal MaximumThreadState"); static_assert(ARRAYSIZE(PhKWaitReasonNames) == MaximumWaitReason, "PhKWaitReasonNames must equal MaximumWaitReason"); // File aliases (Windows 11 25H2) DECLSPEC_SELECTANY CONST PH_STRINGREF PhHalFileAliasList[] = { PH_STRINGREF_INIT(L"hal.dll"), PH_STRINGREF_INIT(L"halaacpi.dll"), PH_STRINGREF_INIT(L"halacpi.dll"), PH_STRINGREF_INIT(L"halapic.dll"), PH_STRINGREF_INIT(L"halmacpi.dll"), PH_STRINGREF_INIT(L"halmps.dll"), PH_STRINGREF_INIT(L"hal486c.dll"), PH_STRINGREF_INIT(L"halborg.dll"), PH_STRINGREF_INIT(L"halsp.dll"), PH_STRINGREF_INIT(L"halomap.dll"), PH_STRINGREF_INIT(L"halomap4.dll"), PH_STRINGREF_INIT(L"haltegra2.dll"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhKernelFileAliasList[] = { PH_STRINGREF_INIT(L"ntkrnlmp.exe"), PH_STRINGREF_INIT(L"ntoskrnl.exe"), PH_STRINGREF_INIT(L"ntkrnlup.exe"), PH_STRINGREF_INIT(L"ntkrnlpa.exe"), PH_STRINGREF_INIT(L"ntkrpamp.exe"), PH_STRINGREF_INIT(L"xboxkrnlc.exe"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhSecureKernelFileAliasList[] = { PH_STRINGREF_INIT(L"securekernel.exe"), PH_STRINGREF_INIT(L"securekernella57.exe"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhHypervisorFileAliasList[] = { PH_STRINGREF_INIT(L"hvix64.exe"), PH_STRINGREF_INIT(L"hvax64.exe"), PH_STRINGREF_INIT(L"hvaa64.exe"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhOsLoaderFileAliasList[] = { PH_STRINGREF_INIT(L"winload.efi"), PH_STRINGREF_INIT(L"winload_prod.efi"), }; DECLSPEC_SELECTANY CONST PH_STRINGREF PhOsBootFileAliasList[] = { PH_STRINGREF_INIT(L"bootmgfw.efi"), PH_STRINGREF_INIT(L"bootaa64.efi"), PH_STRINGREF_INIT(L"bootarm.efi"), PH_STRINGREF_INIT(L"bootmgr.efi"), PH_STRINGREF_INIT(L"bootia32.efi"), }; ================================================ FILE: phlib/directdraw.cpp ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2022-2023 * */ #include #include #include #define GDIPVER 0x0110 #include //#include #include using namespace Gdiplus; //std::unique_ptr make_bitmap( // _In_ LONG Width, // _In_ LONG Height, // _In_ PixelFormat Format // ) //{ // return std::make_unique(Width, Height, Format); //} // //std::unique_ptr make_bitmap( // _In_ LONG Width, // _In_ LONG Height, // _In_ LONG Stride, // _In_ PixelFormat Format, // _In_reads_opt_(_Inexpressible_("height * stride")) PBYTE Buffer // ) //{ // return std::make_unique(Width, Height, Stride, Format, Buffer); //} // //std::unique_ptr make_graphics( // _In_ const std::unique_ptr& image // ) //{ // return std::unique_ptr(Graphics::FromImage(image.get())); //} BOOLEAN PhInitializeGDIPlus( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN initialized = FALSE; if (PhBeginInitOnce(&initOnce)) { static ULONG_PTR gdiplusToken = 0; static GdiplusStartupInput gdiplusStartupInput = { nullptr, false, true }; if (GdiplusStartup(&gdiplusToken, &gdiplusStartupInput, nullptr) == Status::Ok) { initialized = TRUE; } PhEndInitOnce(&initOnce); } return initialized; } static Bitmap* PhGdiplusCreateBitmapFromDIB( _In_ HBITMAP OriginalBitmap ) { DIBSECTION dib = {}; if (GetObject(OriginalBitmap, sizeof(DIBSECTION), &dib) == sizeof(DIBSECTION)) { LONG width = dib.dsBmih.biWidth; LONG height = dib.dsBmih.biHeight; LONG pitch = dib.dsBm.bmWidthBytes; BYTE* bitmapBuffer = static_cast(dib.dsBm.bmBits); return new Bitmap(width, height, pitch, PixelFormat32bppARGB, bitmapBuffer); } return nullptr; } // Note: This function is used to draw bitmaps with the current accent color // as the background of the bitmap similar to what Task Manager does (dmex) HICON PhGdiplusConvertBitmapToIcon( _In_ HBITMAP OriginalBitmap, _In_ LONG Width, _In_ LONG Height, _In_ COLORREF Background ) { HICON icon; if (PhInitializeGDIPlus()) { DIBSECTION dib; RtlZeroMemory(&dib, sizeof(DIBSECTION)); if (GetObject(OriginalBitmap, sizeof(DIBSECTION), &dib) != sizeof(DIBSECTION)) return nullptr; LONG width = dib.dsBmih.biWidth; LONG height = dib.dsBmih.biHeight; LONG pitch = dib.dsBm.bmWidthBytes; BYTE* bitmapBuffer = static_cast(dib.dsBm.bmBits); Bitmap image(width, height, pitch, PixelFormat32bppARGB, bitmapBuffer); Bitmap buffer(Width, Height, PixelFormat32bppARGB); Graphics graphics(&buffer); if (Background) { Color color(Color::DodgerBlue); color.SetFromCOLORREF(Background); graphics.Clear(color); } else { graphics.Clear(Color::DodgerBlue); } if (graphics.DrawImage(&image, 0, 0) == Status::Ok) { if (buffer.GetHICON(&icon) == Status::Ok) { return icon; } } } return nullptr; } HICON PhGdiplusConvertHBitmapToHIcon( _In_ HBITMAP BitmapHandle ) { HICON iconHandle = nullptr; if (PhInitializeGDIPlus()) { Bitmap bitmap(BitmapHandle, nullptr); bitmap.GetHICON(&iconHandle); } return iconHandle; } #ifdef PHNT_TRANSPARENT_BITMAP #include #pragma comment(lib, "uxtheme.lib") VOID PhUpdateTransparentBackgroundWindow( _In_ HWND WindowHandle, _In_ PRECT ClientRect ) { HDC hdc; SIZE windowSize; POINT windowPoint = { 0, 0 }; BLENDFUNCTION blendFunction = { AC_SRC_OVER, 0, 255, AC_SRC_ALPHA }; BP_PAINTPARAMS paintParams = { sizeof(paintParams) }; HDC bufferHdc; HPAINTBUFFER paintBuffer; hdc = GetDC(WindowHandle); windowSize.cx = ClientRect->right - ClientRect->left; windowSize.cy = ClientRect->bottom - ClientRect->top; paintParams.dwFlags = BPPF_ERASE; // Clear rectangle to ARGB 0,0,0,0 paintParams.pBlendFunction = &blendFunction; if (paintBuffer = BeginBufferedPaint(hdc, ClientRect, BPBF_TOPDOWNDIB, &paintParams, &bufferHdc)) { BufferedPaintSetAlpha(paintBuffer, ClientRect, 128); UpdateLayeredWindow( WindowHandle, nullptr, &windowPoint, &windowSize, bufferHdc, &windowPoint, 0, &blendFunction, ULW_ALPHA ); EndBufferedPaint(paintBuffer, FALSE); } else { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN initialized = FALSE; HBITMAP bitmapHandle; HGDIOBJ oldBitmapHandle; if (PhBeginInitOnce(&initOnce)) { ULONG_PTR gdiplusToken = 0; GdiplusStartupInput gdiplusStartupInput{}; if (GdiplusStartup(&gdiplusToken, &gdiplusStartupInput, nullptr) == Status::Ok) { initialized = TRUE; } PhEndInitOnce(&initOnce); } bufferHdc = CreateCompatibleDC(hdc); bitmapHandle = CreateCompatibleBitmap(hdc, ClientRect->right, ClientRect->bottom); oldBitmapHandle = SelectBitmap(bufferHdc, bitmapHandle); if (initialized) { Graphics graphics(bufferHdc); graphics.Clear(Color(128, 0, 0, 0)); } UpdateLayeredWindow( WindowHandle, nullptr, &windowPoint, &windowSize, bufferHdc, &windowPoint, 0, &blendFunction, ULW_ALPHA ); SelectBitmap(bufferHdc, oldBitmapHandle); DeleteBitmap(bitmapHandle); DeleteDC(bufferHdc); } ReleaseDC(WindowHandle, hdc); } #endif LRESULT CALLBACK PhTransparentBackgroundWindowCallback( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (WindowMessage) { case WM_CREATE: { LPCREATESTRUCT createStruct = reinterpret_cast(lParam); if (PhGetIntegerSetting(L"EnableStreamerMode")) { SetWindowDisplayAffinity(WindowHandle, WDA_EXCLUDEFROMCAPTURE); } if (createStruct->hwndParent) { HMENU menu = GetMenu(createStruct->hwndParent); if (menu) { PhSetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT, menu); SetMenu(createStruct->hwndParent, nullptr); } } #ifdef PHNT_TRANSPARENT_BITMAP RECT clientRect; clientRect.left = 0; clientRect.top = 0; clientRect.right = createStruct->cx; clientRect.bottom = createStruct->cy; PhUpdateTransparentBackgroundWindow(WindowHandle, &clientRect); #else constexpr ULONG OpacityPercent = 50; // The opacity value is backwards - 0 means opaque, 100 means transparent. SetLayeredWindowAttributes( WindowHandle, 0, static_cast(255 * (100 - OpacityPercent) / 100), LWA_ALPHA ); #endif } break; case WM_DESTROY: { HMENU menu = static_cast(PhGetWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT)); if (menu) { SetMenu(GetParent(WindowHandle), menu); } PhRemoveWindowContext(WindowHandle, PH_WINDOW_CONTEXT_DEFAULT); } break; #ifndef PHNT_TRANSPARENT_BITMAP case WM_ERASEBKGND: { HDC hdc = reinterpret_cast(wParam); RECT clientRect; if (!PhGetClientRect(WindowHandle, &clientRect)) break; FillRect(hdc, &clientRect, PhGetStockBrush(BLACK_BRUSH)); } return TRUE; #endif } return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } RTL_ATOM PhInitializeBackgroundWindowClass( VOID ) { WNDCLASSEX wcex; memset(&wcex, 0, sizeof(WNDCLASSEX)); wcex.cbSize = sizeof(WNDCLASSEX); wcex.lpfnWndProc = PhTransparentBackgroundWindowCallback; wcex.hCursor = PhLoadCursor(nullptr, IDC_ARROW); wcex.lpszClassName = L"TransparentBackgroundWindowClass"; return RegisterClassEx(&wcex); } HWND PhCreateBackgroundWindow( _In_ HWND ParentWindowHandle, _In_ BOOLEAN DesktopWindow ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static RTL_ATOM windowAtom = 0; HWND windowHandle; RECT windowRect = { 0 }; if (WindowsVersion < WINDOWS_8) return nullptr; if (!PhGetClientRect(ParentWindowHandle, &windowRect)) return nullptr; { MENUBARINFO menuInfo; memset(&menuInfo, 0, sizeof(MENUBARINFO)); menuInfo.cbSize = sizeof(MENUBARINFO); if (GetMenuBarInfo(ParentWindowHandle, OBJID_MENU, 0, &menuInfo)) { windowRect.bottom += menuInfo.rcBar.bottom; } } if (PhBeginInitOnce(&initOnce)) { windowAtom = PhInitializeBackgroundWindowClass(); PhEndInitOnce(&initOnce); } if (windowAtom == INVALID_ATOM) return nullptr; windowHandle = CreateWindowEx( #ifdef PHNT_TRANSPARENT_BITMAP WS_EX_LAYERED | WS_EX_NOREDIRECTIONBITMAP, #else WS_EX_LAYERED, #endif MAKEINTATOM(windowAtom), nullptr, DesktopWindow ? WS_POPUPWINDOW : WS_CHILD, 0, 0, windowRect.right, windowRect.bottom, DesktopWindow ? nullptr : ParentWindowHandle, nullptr, nullptr, nullptr ); SetWindowPos( windowHandle, HWND_TOP, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_SHOWWINDOW ); return windowHandle; } //#pragma comment(lib, "d2d1.lib") //#pragma comment(lib, "dwrite.lib") // //#include //#include //#include // //static IDWriteTextFormat* PhDirectWriteTextFormat = nullptr; //static ID2D1DCRenderTarget* PhDirectWriteRenderTarget = nullptr; //static ID2D1SolidColorBrush* PhDirectWriteSolidBrush = nullptr; // //BOOLEAN PhCreateDirectWriteTextResources( // VOID // ) //{ // D2D1_RENDER_TARGET_PROPERTIES render_target_properties = // { // .type = D2D1_RENDER_TARGET_TYPE_SOFTWARE, // .pixelFormat = // { // .format = DXGI_FORMAT_B8G8R8A8_UNORM, // .alphaMode = D2D1_ALPHA_MODE_IGNORE, // D2D1_ALPHA_MODE_PREMULTIPLIED // }, // .dpiX = 0, .dpiY = 0, // .usage = D2D1_RENDER_TARGET_USAGE_GDI_COMPATIBLE, // .minLevel = D2D1_FEATURE_LEVEL_DEFAULT // }; // HRESULT status; // ID2D1Factory* directFactory = nullptr; // IDWriteFactory* dwriteFactory = nullptr; // // status = DWriteCreateFactory( // DWRITE_FACTORY_TYPE_SHARED, // __uuidof(IDWriteFactory), // reinterpret_cast(&dwriteFactory) // ); // // if (FAILED(status)) // return FALSE; // // status = dwriteFactory->CreateTextFormat( // L"Segoe UI", // nullptr, // DWRITE_FONT_WEIGHT_NORMAL, // DWRITE_FONT_STYLE_NORMAL, // DWRITE_FONT_STRETCH_NORMAL, // 12, // L"", // locale // &PhDirectWriteTextFormat // ); // // if (FAILED(status)) // return FALSE; // // status = D2D1CreateFactory( // D2D1_FACTORY_TYPE_SINGLE_THREADED, // reinterpret_cast(&directFactory) // ); // // if (FAILED(status)) // return FALSE; // // status = directFactory->CreateDCRenderTarget( // &render_target_properties, // &PhDirectWriteRenderTarget // ); // // if (FAILED(status)) // return FALSE; // // status = PhDirectWriteRenderTarget->CreateSolidColorBrush( // D2D1::ColorF(D2D1::ColorF::Black, 1.0f), // &PhDirectWriteSolidBrush // ); // // if (FAILED(status)) // return FALSE; // // return TRUE; //} // //VOID DirectWriteDrawText( // _In_ HDC Hdc, // _In_ PRECT ClientRect, // _In_ PWSTR Text, // _In_ SIZE_T TextLength // ) //{ // static PH_INITONCE initOnce = PH_INITONCE_INIT; // // if (PhBeginInitOnce(&initOnce)) // { // PhCreateDirectWriteTextResources(); // PhEndInitOnce(&initOnce); // } // // if (FAILED(PhDirectWriteRenderTarget->BindDC(Hdc, ClientRect))) // return; // // PhDirectWriteRenderTarget->BeginDraw(); // PhDirectWriteRenderTarget->DrawText( // Text, // static_cast(TextLength), // PhDirectWriteTextFormat, // D2D1::RectF(0, 0, static_cast(ClientRect->right), static_cast(ClientRect->bottom)), // PhDirectWriteSolidBrush, // D2D1_DRAW_TEXT_OPTIONS_CLIP, // DWRITE_MEASURING_MODE_GDI_CLASSIC // ); // PhDirectWriteRenderTarget->EndDraw(); //} ================================================ FILE: phlib/dspick.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * */ #include #include #include #include #include //#define IDataObject_AddRef(This) ((This)->lpVtbl->AddRef(This)) //#define IDataObject_Release(This) ((This)->lpVtbl->Release(This)) //#define IDataObject_GetData(This, pformatetcIn, pmedium) ((This)->lpVtbl->GetData(This, pformatetcIn, pmedium)) #define IDsObjectPicker_QueryInterface(This, riid, ppvObject) ((This)->lpVtbl->QueryInterface(This, riid, ppvObject)) #define IDsObjectPicker_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IDsObjectPicker_Release(This) ((This)->lpVtbl->Release(This)) #define IDsObjectPicker_Initialize(This, pInitInfo) ((This)->lpVtbl->Initialize(This, pInitInfo)) #define IDsObjectPicker_InvokeDialog(This, hwndParent, ppdoSelections) ((This)->lpVtbl->InvokeDialog(This, hwndParent, ppdoSelections)) IDsObjectPicker *PhpCreateDsObjectPicker( VOID ) { IDsObjectPicker *picker; if (SUCCEEDED(PhGetClassObject( L"objsel.dll", &CLSID_DsObjectPicker, &IID_IDsObjectPicker, &picker ))) { return picker; } else { return NULL; } } VOID PhFreeDsObjectPickerDialog( _In_ PVOID PickerDialog ) { IDsObjectPicker_Release((IDsObjectPicker *)PickerDialog); } PVOID PhCreateDsObjectPickerDialog( _In_ ULONG Flags ) { IDsObjectPicker *picker; DSOP_INIT_INFO initInfo; DSOP_SCOPE_INIT_INFO scopeInit[1]; picker = PhpCreateDsObjectPicker(); if (!picker) return NULL; memset(scopeInit, 0, sizeof(scopeInit)); scopeInit[0].cbSize = sizeof(DSOP_SCOPE_INIT_INFO); scopeInit[0].flType = DSOP_SCOPE_TYPE_TARGET_COMPUTER; scopeInit[0].flScope = DSOP_SCOPE_FLAG_WANT_PROVIDER_WINNT | DSOP_SCOPE_FLAG_WANT_SID_PATH | DSOP_SCOPE_FLAG_DEFAULT_FILTER_USERS | DSOP_SCOPE_FLAG_DEFAULT_FILTER_GROUPS; scopeInit[0].FilterFlags.Uplevel.flBothModes = DSOP_FILTER_INCLUDE_ADVANCED_VIEW | DSOP_FILTER_USERS | DSOP_FILTER_BUILTIN_GROUPS | DSOP_FILTER_WELL_KNOWN_PRINCIPALS; scopeInit[0].FilterFlags.flDownlevel = DSOP_DOWNLEVEL_FILTER_USERS | DSOP_DOWNLEVEL_FILTER_LOCAL_GROUPS | DSOP_DOWNLEVEL_FILTER_GLOBAL_GROUPS | DSOP_DOWNLEVEL_FILTER_ALL_WELLKNOWN_SIDS; memset(&initInfo, 0, sizeof(DSOP_INIT_INFO)); initInfo.cbSize = sizeof(DSOP_INIT_INFO); initInfo.pwzTargetComputer = NULL; initInfo.cDsScopeInfos = 1; initInfo.aDsScopeInfos = scopeInit; initInfo.flOptions = DSOP_FLAG_SKIP_TARGET_COMPUTER_DC_CHECK; if (Flags & PH_DSPICK_MULTISELECT) initInfo.flOptions |= DSOP_FLAG_MULTISELECT; if (!SUCCEEDED(IDsObjectPicker_Initialize(picker, &initInfo))) { IDsObjectPicker_Release(picker); return NULL; } return picker; } PDS_SELECTION_LIST PhpGetDsSelectionList( _In_ IDataObject *Selections ) { FORMATETC format; STGMEDIUM medium; format.cfFormat = (CLIPFORMAT)RegisterClipboardFormat(L"CFSTR_DSOP_DS_SELECTION_LIST"); format.ptd = NULL; format.dwAspect = ULONG_MAX; format.lindex = -1; format.tymed = TYMED_HGLOBAL; if (SUCCEEDED(IDataObject_GetData(Selections, &format, &medium))) { if (medium.tymed != TYMED_HGLOBAL) return NULL; return (PDS_SELECTION_LIST)GlobalLock(medium.hGlobal); } else { return NULL; } } _Success_(return) BOOLEAN PhShowDsObjectPickerDialog( _In_ HWND hWnd, _In_ PVOID PickerDialog, _Out_ PPH_DSPICK_OBJECTS *Objects ) { IDsObjectPicker *picker; IDataObject *dataObject; PDS_SELECTION_LIST selections; PPH_DSPICK_OBJECTS objects; ULONG i; picker = (IDsObjectPicker *)PickerDialog; if (!SUCCEEDED(IDsObjectPicker_InvokeDialog(picker, hWnd, &dataObject))) return FALSE; if (!dataObject) return FALSE; selections = PhpGetDsSelectionList(dataObject); IDataObject_Release(dataObject); if (!selections) return FALSE; objects = PhAllocate( FIELD_OFFSET(PH_DSPICK_OBJECTS, Objects) + selections->cItems * sizeof(PH_DSPICK_OBJECT) ); objects->NumberOfObjects = selections->cItems; for (i = 0; i < selections->cItems; i++) { PDS_SELECTION selection; PSID sid; PH_STRINGREF path; PH_STRINGREF prefix; selection = &selections->aDsSelection[i]; objects->Objects[i].Name = PhCreateString(selection->pwzName); objects->Objects[i].Sid = NULL; if (selection->pwzADsPath && selection->pwzADsPath[0] != 0) { PhInitializeStringRef(&path, selection->pwzADsPath); PhInitializeStringRef(&prefix, L"LDAP://" at end sid = PhAllocate(path.Length / sizeof(WCHAR) / 2); if (PhHexStringToBuffer(&path, (PUCHAR)sid)) { if (PhValidSid(sid)) objects->Objects[i].Sid = sid; else PhFree(sid); } else { PhFree(sid); } } } else { // Try to get the SID. PhLookupName(&objects->Objects[i].Name->sr, &objects->Objects[i].Sid, NULL, NULL); } } *Objects = objects; return TRUE; } VOID PhFreeDsObjectPickerObjects( _In_ PPH_DSPICK_OBJECTS Objects ) { ULONG i; for (i = 0; i < Objects->NumberOfObjects; i++) { PhDereferenceObject(Objects->Objects[i].Name); if (Objects->Objects[i].Sid) PhFree(Objects->Objects[i].Sid); } PhFree(Objects); } ================================================ FILE: phlib/emenu.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * dmex 2019-2023 * */ #include #include #include static const PH_FLAG_MAPPING EMenuTypeMappings[] = { { PH_EMENU_MENUBARBREAK, MFT_MENUBARBREAK }, { PH_EMENU_MENUBREAK, MFT_MENUBREAK }, { PH_EMENU_RADIOCHECK, MFT_RADIOCHECK }, { PH_EMENU_RIGHTORDER, MFT_RIGHTORDER }, }; static const PH_FLAG_MAPPING EMenuStateMappings[] = { { PH_EMENU_CHECKED, MFS_CHECKED }, { PH_EMENU_DEFAULT, MFS_DEFAULT }, { PH_EMENU_DISABLED, MFS_DISABLED }, { PH_EMENU_HIGHLIGHT, MFS_HILITE } }; /** * Creates a menu item. * * \param Flags A combination of the following: * \li \c PH_EMENU_DISABLED The menu item is greyed and cannot be selected. * \li \c PH_EMENU_CHECKED A check mark is displayed. * \li \c PH_EMENU_HIGHLIGHT The menu item is highlighted. * \li \c PH_EMENU_MENUBARBREAK Places the menu item in a new column, separated by a vertical line. * \li \c PH_EMENU_MENUBREAK Places the menu item in a new column, with no vertical line. * \li \c PH_EMENU_DEFAULT The menu item is displayed as the default item. This causes the text to * be bolded. * \li \c PH_EMENU_RADIOCHECK Uses a radio-button mark instead of a check mark. * \param Id A unique identifier for the menu item. * \param Text The text displayed for the menu item. * \param Bitmap A bitmap image for the menu item. * \param Context A user-defined value. */ PPH_EMENU_ITEM PhCreateEMenuItem( _In_ ULONG Flags, _In_ ULONG Id, _In_opt_ PCWSTR Text, _In_opt_ HBITMAP Bitmap, _In_opt_ PVOID Context ) { PPH_EMENU_ITEM item; item = PhAllocate(sizeof(PH_EMENU_ITEM)); memset(item, 0, sizeof(PH_EMENU_ITEM)); item->Flags = Flags; item->Id = Id; item->Text = (PWSTR)Text; item->Bitmap = Bitmap; item->Context = Context; return item; } PPH_EMENU_ITEM PhCreateEMenuItemCallback( _In_ ULONG Flags, _In_ ULONG Id, _In_opt_ PCWSTR Text, _In_opt_ HBITMAP Bitmap, _In_opt_ PVOID Context, _In_opt_ PPH_EMENU_ITEM_DELAY_FUNCTION DelayFunction ) { PPH_EMENU_ITEM item; PPH_EMENU_ITEM delay; item = PhAllocateZero(sizeof(PH_EMENU_ITEM)); item->Flags = Flags; item->Id = Id; item->Text = (PWSTR)Text; item->Bitmap = Bitmap; item->Context = Context; item->DelayFunction = DelayFunction; delay = PhCreateEMenuItem(0, USHRT_MAX, L" ", NULL, NULL); PhInsertEMenuItem(item, delay, ULONG_MAX); return item; } /** * Frees resources used by a menu item and its children. * * \param Item The menu item. * \remarks The menu item is NOT automatically removed from its parent. It is safe to call this * function while enumerating menu items. */ VOID PhpDestroyEMenuItem( _In_ _Post_invalid_ PPH_EMENU_ITEM Item ) { if (Item->DeleteFunction) Item->DeleteFunction(Item); if ((Item->Flags & PH_EMENU_TEXT_OWNED) && Item->Text) PhFree(Item->Text); if ((Item->Flags & PH_EMENU_BITMAP_OWNED) && Item->Bitmap) DeleteBitmap(Item->Bitmap); if (Item->Items) { for (ULONG i = 0; i < Item->Items->Count; i++) PhpDestroyEMenuItem(PhItemList(Item->Items, i)); PhDereferenceObject(Item->Items); } PhFree(Item); } /** * Frees resources used by a menu item and its children. * * \param Item The menu item. * \remarks The menu item is automatically removed from its parent. */ VOID PhDestroyEMenuItem( _In_ _Post_invalid_ PPH_EMENU_ITEM Item ) { // Remove the item from its parent, if it has one. if (Item->Parent) PhRemoveEMenuItem(NULL, Item, ULONG_MAX); PhpDestroyEMenuItem(Item); } /** * Finds a child menu item. * * \param Item The parent menu item. * \param Flags A combination of the following: * \li \c PH_EMENU_FIND_DESCEND Searches recursively within child menu items. * \li \c PH_EMENU_FIND_STARTSWITH Performs a partial text search instead of an exact search. * \li \c PH_EMENU_FIND_LITERAL Performs a literal search instead of ignoring prefix characters * (ampersands). * \param Text The text of the menu item to find. If NULL, the text is ignored. * \param Id The identifier of the menu item to find. If 0, the identifier is ignored. * \return The found menu item, or NULL if the menu item could not be found. */ _Use_decl_annotations_ PPH_EMENU_ITEM PhFindEMenuItem( _In_ PPH_EMENU_ITEM Item, _In_ ULONG Flags, _In_opt_ PCWSTR Text, _In_ ULONG Id ) { return PhFindEMenuItemEx(Item, Flags, Text, Id, NULL, NULL); } /** * Finds a child menu item. * * \param Item The parent menu item. * \param Flags A combination of the following: * \li \c PH_EMENU_FIND_DESCEND Searches recursively within child menu items. * \li \c PH_EMENU_FIND_STARTSWITH Performs a partial text search instead of an exact search. * \li \c PH_EMENU_FIND_LITERAL Performs a literal search instead of ignoring prefix characters * (ampersands). * \param Text The text of the menu item to find. If NULL, the text is ignored. * \param Id The identifier of the menu item to find. If 0, the identifier is ignored. * \param FoundParent A variable which receives the parent of the found menu item. * \param FoundIndex A variable which receives the index of the found menu item. * \return The found menu item, or NULL if the menu item could not be found. */ _Use_decl_annotations_ PPH_EMENU_ITEM PhFindEMenuItemEx( _In_ PPH_EMENU_ITEM Item, _In_ ULONG Flags, _In_opt_ PCWSTR Text, _In_ ULONG Id, _Out_opt_ PPH_EMENU_ITEM *FoundParent, _Out_opt_ PULONG FoundIndex ) { PH_STRINGREF searchText; ULONG i; PPH_EMENU_ITEM item; if (!Item->Items) return NULL; if (Text && (Flags & PH_EMENU_FIND_LITERAL)) PhInitializeStringRefLongHint(&searchText, Text); for (i = 0; i < Item->Items->Count; i++) { item = PhItemList(Item->Items, i); if (Text) { if (Flags & PH_EMENU_FIND_LITERAL) { PH_STRINGREF text; PhInitializeStringRefLongHint(&text, item->Text); if (Flags & PH_EMENU_FIND_STARTSWITH) { if (PhStartsWithStringRef(&text, &searchText, TRUE)) goto FoundItemHere; } else { if (PhEqualStringRef(&text, &searchText, TRUE)) goto FoundItemHere; } } else { if (PhCompareUnicodeStringZIgnoreMenuPrefix( Text, item->Text, TRUE, !!(Flags & PH_EMENU_FIND_STARTSWITH )) == 0) { goto FoundItemHere; } } } if (Id && item->Id == Id) goto FoundItemHere; if (Flags & PH_EMENU_FIND_DESCEND) { PPH_EMENU_ITEM foundItem = NULL; PPH_EMENU_ITEM foundParent = NULL; ULONG foundIndex = 0; foundItem = PhFindEMenuItemEx(item, Flags, Text, Id, &foundParent, &foundIndex); if (foundItem) { if (FoundParent) *FoundParent = foundParent; if (FoundIndex) *FoundIndex = foundIndex; return foundItem; } } } return NULL; FoundItemHere: if (FoundParent) *FoundParent = Item; if (FoundIndex) *FoundIndex = i; return item; } /** * Determines the index of a menu item. * * \param Parent The parent menu item. * \param Item The child menu item. * * \return The index of the menu item, or -1 if the menu item was not found in the parent menu item. */ ULONG PhIndexOfEMenuItem( _In_ PPH_EMENU_ITEM Parent, _In_ PPH_EMENU_ITEM Item ) { if (!Parent->Items) return ULONG_MAX; return PhFindItemList(Parent->Items, Item); } /** * Inserts a menu item into a parent menu item. * * \param Parent The parent menu item. * \param Item The menu item to insert. * \param Index The index at which to insert the menu item. If the index is too large, the menu item * is inserted at the last position. */ VOID PhInsertEMenuItem( _Inout_ PPH_EMENU_ITEM Parent, _Inout_ PPH_EMENU_ITEM Item, _In_ ULONG Index ) { // Remove the item from its old parent if it has one. if (Item->Parent) PhRemoveEMenuItem(Item->Parent, Item, 0); if (!Parent->Items) Parent->Items = PhCreateList(5); if (Index > Parent->Items->Count) Index = Parent->Items->Count; if (Index == ULONG_MAX) PhAddItemList(Parent->Items, Item); else PhInsertItemList(Parent->Items, Index, Item); Item->Parent = Parent; } /** * Removes a menu item from its parent. * * \param Parent The parent menu item. If \a Item is NULL, this parameter must be specified. * \param Item The child menu item. This may be NULL if \a Index is specified. * \param Index The index of the menu item to remove. If \a Item is specified, this parameter is * ignored. */ BOOLEAN PhRemoveEMenuItem( _Inout_opt_ PPH_EMENU_ITEM Parent, _In_opt_ PPH_EMENU_ITEM Item, _In_opt_ ULONG Index ) { if (Item) { if (!Parent) Parent = Item->Parent; if (!Parent->Items) return FALSE; Index = PhFindItemList(Parent->Items, Item); if (Index == ULONG_MAX) return FALSE; } else { if (!Parent) return FALSE; if (!Parent->Items) return FALSE; } Item = PhItemList(Parent->Items, Index); PhRemoveItemList(Parent->Items, Index); Item->Parent = NULL; return TRUE; } /** * Removes all children from a menu item. * * \param Parent The parent menu item. */ VOID PhRemoveAllEMenuItems( _Inout_ PPH_EMENU_ITEM Parent ) { ULONG i; if (!Parent->Items) return; for (i = 0; i < Parent->Items->Count; i++) { PhpDestroyEMenuItem(PhItemList(Parent->Items, i)); } PhClearList(Parent->Items); } /** * Creates a root menu. */ PPH_EMENU PhCreateEMenu( VOID ) { PPH_EMENU menu; menu = PhAllocate(sizeof(PH_EMENU)); memset(menu, 0, sizeof(PH_EMENU)); menu->Items = PhCreateList(5); return menu; } /** * Frees resources used by a root menu and its children. * * \param Menu A root menu. */ VOID PhDestroyEMenu( _In_ PPH_EMENU Menu ) { ULONG i; for (i = 0; i < Menu->Items->Count; i++) { PhpDestroyEMenuItem(PhItemList(Menu->Items, i)); } PhDereferenceObject(Menu->Items); PhFree(Menu); } /** * Initializes a data structure containing additional information resulting from a call to * PhEMenuToHMenu(). */ VOID PhInitializeEMenuData( _Out_ PPH_EMENU_DATA Data ) { Data->IdToItem = PhCreateList(5); } /** * Frees resources used by a data structure initialized by PhInitializeEMenuData(). */ VOID PhDeleteEMenuData( _Inout_ PPH_EMENU_DATA Data ) { PhDereferenceObject(Data->IdToItem); } /** * Converts an EMENU to a Windows menu object. * * \param Menu The menu item to convert. * \param Flags A combination of the following: * \li \c PH_EMENU_CONVERT_ID Automatically assigns a unique identifier to each converted menu item. * The resulting mappings are placed in \a Data. * \param Data Additional data resulting from the conversion. The data structure must be initialized * by PhInitializeEMenuData() prior to calling this function. * * \return A menu handle. The menu object must be destroyed using DestroyMenu() when it is no longer * needed. */ HMENU PhEMenuToHMenu( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG Flags, _Inout_opt_ PPH_EMENU_DATA Data ) { HMENU menuHandle; if ((Menu->Flags & PH_EMENU_MAINMENU) == PH_EMENU_MAINMENU) { if (!(menuHandle = CreateMenu())) return NULL; } else { if (!(menuHandle = CreatePopupMenu())) return NULL; } PhEMenuToHMenu2(menuHandle, Menu, Flags, Data); if (!(Menu->Flags & PH_EMENU_SEPARATECHECKSPACE)) { MENUINFO menuInfo; memset(&menuInfo, 0, sizeof(MENUINFO)); menuInfo.cbSize = sizeof(MENUINFO); menuInfo.fMask = MIM_STYLE; menuInfo.dwStyle = MNS_CHECKORBMP; if ((WindowsVersion < WINDOWS_10_19H2 || PhEnableThemeAcrylicSupport) && PhEnableThemeSupport) { menuInfo.fMask |= MIM_BACKGROUND | MIM_APPLYTOSUBMENUS; menuInfo.hbrBack = PhThemeWindowBackgroundBrush; } SetMenuInfo(menuHandle, &menuInfo); } return menuHandle; } /** * Converts an EMENU to a Windows menu object. * * \param MenuHandle A handle to a Windows menu object. * \param Menu The menu item to convert. The items are appended to \a MenuHandle. * \param Flags A combination of the following: * \li \c PH_EMENU_CONVERT_ID Automatically assigns a unique identifier to each converted menu item. * The resulting mappings are placed in \a Data. * \param Data Additional data resulting from the conversion. The data structure must be initialized * by PhInitializeEMenuData() prior to calling this function. */ VOID PhEMenuToHMenu2( _In_ HMENU MenuHandle, _In_ PPH_EMENU_ITEM Menu, _In_ ULONG Flags, _Inout_opt_ PPH_EMENU_DATA Data ) { ULONG i; PPH_EMENU_ITEM item; MENUITEMINFO menuItemInfo; for (i = 0; i < Menu->Items->Count; i++) { item = PhItemList(Menu->Items, i); memset(&menuItemInfo, 0, sizeof(MENUITEMINFO)); menuItemInfo.cbSize = sizeof(MENUITEMINFO); // Type menuItemInfo.fMask = MIIM_FTYPE | MIIM_STATE; if (FlagOn(item->Flags, PH_EMENU_SEPARATOR)) { menuItemInfo.fType = MFT_SEPARATOR; } else { menuItemInfo.fType = MFT_STRING; menuItemInfo.fMask |= MIIM_STRING; menuItemInfo.dwTypeData = item->Text; } PhMapFlags1( &menuItemInfo.fType, item->Flags, EMenuTypeMappings, sizeof(EMenuTypeMappings) / sizeof(PH_FLAG_MAPPING) ); // Bitmap if (item->Bitmap) { menuItemInfo.hbmpItem = item->Bitmap; if (WindowsVersion < WINDOWS_10_19H2) { if (!PhEnableThemeSupport) { SetFlag(menuItemInfo.fMask, MIIM_BITMAP); } } else { SetFlag(menuItemInfo.fMask, MIIM_BITMAP); } } // Id if (FlagOn(Flags, PH_EMENU_CONVERT_ID)) { if (Data) { ULONG id; PhAddItemList(Data->IdToItem, item); id = Data->IdToItem->Count; menuItemInfo.fMask |= MIIM_ID; menuItemInfo.wID = id; } } else { if (!FlagOn(Menu->Flags, PH_EMENU_SEPARATOR) && !FlagOn(Menu->Flags, PH_EMENU_MAINMENU)) { if (item->Id) { menuItemInfo.fMask |= MIIM_ID; menuItemInfo.wID = item->Id; } } } // State PhMapFlags1( &menuItemInfo.fState, item->Flags, EMenuStateMappings, sizeof(EMenuStateMappings) / sizeof(PH_FLAG_MAPPING) ); // Context menuItemInfo.fMask |= MIIM_DATA; menuItemInfo.dwItemData = (ULONG_PTR)item; // Submenu if (item->Items && item->Items->Count != 0) { menuItemInfo.fMask |= MIIM_SUBMENU; menuItemInfo.hSubMenu = PhEMenuToHMenu(item, Flags, Data); } // Themes if (WindowsVersion < WINDOWS_10_19H2) { if (PhEnableThemeSupport) { SetFlag(menuItemInfo.fType, MFT_OWNERDRAW); } } else { if (FlagOn(item->Flags, PH_EMENU_MAINMENU)) { if (PhEnableThemeSupport) { SetFlag(menuItemInfo.fType, MFT_OWNERDRAW); } } } if (FlagOn(Flags, PH_EMENU_RIGHTORDER)) { SetFlag(menuItemInfo.fType, MFT_RIGHTORDER); } InsertMenuItem(MenuHandle, ULONG_MAX, TRUE, &menuItemInfo); } } /** * Converts a Windows menu object to an EMENU. * * \param MenuItem The menu item in which the converted menu items will be placed. * \param MenuHandle A menu handle. */ VOID PhHMenuToEMenuItem( _Inout_ PPH_EMENU_ITEM MenuItem, _In_ HMENU MenuHandle ) { INT i; INT count; count = GetMenuItemCount(MenuHandle); if (count == INT_ERROR) return; for (i = 0; i < count; i++) { MENUITEMINFO menuItemInfo; PPH_EMENU_ITEM menuItem; WCHAR buffer[MAX_PATH] = L""; menuItemInfo.cbSize = sizeof(menuItemInfo); menuItemInfo.fMask = MIIM_FTYPE | MIIM_ID | MIIM_STATE | MIIM_STRING | MIIM_SUBMENU; menuItemInfo.cch = RTL_NUMBER_OF(buffer); menuItemInfo.dwTypeData = buffer; if (!GetMenuItemInfo(MenuHandle, i, TRUE, &menuItemInfo)) continue; menuItem = PhCreateEMenuItem( PH_EMENU_TEXT_OWNED, menuItemInfo.wID, PhDuplicateStringZ(buffer), NULL, NULL ); if (menuItemInfo.fType & MFT_SEPARATOR) menuItem->Flags |= PH_EMENU_SEPARATOR; PhMapFlags2( &menuItem->Flags, menuItemInfo.fType, EMenuTypeMappings, RTL_NUMBER_OF(EMenuTypeMappings) ); PhMapFlags2( &menuItem->Flags, menuItemInfo.fState, EMenuStateMappings, RTL_NUMBER_OF(EMenuStateMappings) ); if (menuItemInfo.hSubMenu) PhHMenuToEMenuItem(menuItem, menuItemInfo.hSubMenu); PhInsertEMenuItem(MenuItem, menuItem, ULONG_MAX); } } /** * Loads a menu resource and converts it to an EMENU. * * \param MenuItem The menu item in which the converted menu items will be placed. * \param InstanceHandle The module containing the menu resource. * \param Resource The resource identifier. * \param SubMenuIndex The index of the sub menu to use, or -1 to use the root menu. */ VOID PhLoadResourceEMenuItem( _Inout_ PPH_EMENU_ITEM MenuItem, _In_ HINSTANCE InstanceHandle, _In_ PCWSTR Resource, _In_ LONG SubMenuIndex ) { HMENU menu; HMENU realMenu; menu = PhLoadMenu(InstanceHandle, Resource); if (SubMenuIndex != INT_ERROR) realMenu = GetSubMenu(menu, SubMenuIndex); else realMenu = menu; PhHMenuToEMenuItem(MenuItem, realMenu); DestroyMenu(menu); } /** * Displays a menu. * * \param Menu A menu. * \param WindowHandle The window that owns the popup menu. * \param Flags A combination of the following: * \li \c PH_EMENU_SHOW_SEND_COMMAND A WM_COMMAND message is sent to the window when the user clicks * on a menu item. * \li \c PH_EMENU_SHOW_LEFTRIGHT The user can select menu items with both the left and right mouse * buttons. * \param Align The alignment of the menu. * \param X The horizontal location of the menu. * \param Y The vertical location of the menu. * \return The selected menu item, or NULL if the menu was cancelled. */ PPH_EMENU_ITEM PhShowEMenu( _In_ PPH_EMENU Menu, _In_ HWND WindowHandle, _In_ ULONG Flags, _In_ ULONG Align, _In_ ULONG X, _In_ ULONG Y ) { PPH_EMENU_ITEM selectedItem; ULONG result; ULONG flags; PH_EMENU_DATA data; HMENU popupMenu; selectedItem = NULL; flags = TPM_RETURNCMD | TPM_NONOTIFY; // Flags if (Flags & PH_EMENU_SHOW_LEFTRIGHT) flags |= TPM_RIGHTBUTTON; else flags |= TPM_LEFTBUTTON; // Align if (Align & PH_ALIGN_LEFT) flags |= TPM_LEFTALIGN; else if (Align & PH_ALIGN_RIGHT) flags |= TPM_RIGHTALIGN; else flags |= TPM_CENTERALIGN; if (Align & PH_ALIGN_TOP) flags |= TPM_TOPALIGN; else if (Align & PH_ALIGN_BOTTOM) flags |= TPM_BOTTOMALIGN; else flags |= TPM_VCENTERALIGN; PhInitializeEMenuData(&data); if (popupMenu = PhEMenuToHMenu(Menu, PH_EMENU_CONVERT_ID, &data)) { result = TrackPopupMenu( popupMenu, flags, X, Y, 0, WindowHandle, NULL ); if (result != 0) { selectedItem = PhItemList(data.IdToItem, result - 1); } DestroyMenu(popupMenu); } PhDeleteEMenuData(&data); if ((Flags & PH_EMENU_SHOW_SEND_COMMAND) && selectedItem && selectedItem->Id != 0) SendMessage(WindowHandle, WM_COMMAND, MAKEWPARAM(selectedItem->Id, 0), 0); return selectedItem; } /** * Sets the flags of a menu item. * * \param Item The parent menu item. * \param Id The identifier of the child menu item. * \param Mask The flags to modify. * \param Value The new value of the flags. */ BOOLEAN PhSetFlagsEMenuItem( _Inout_ PPH_EMENU_ITEM Item, _In_ ULONG Id, _In_ ULONG Mask, _In_ ULONG Value ) { PPH_EMENU_ITEM item; item = PhFindEMenuItem(Item, PH_EMENU_FIND_DESCEND, NULL, Id); if (item) { item->Flags &= ~Mask; item->Flags |= Value; return TRUE; } else { return FALSE; } } /** * Sets flags for all children of a menu item. * * \param Item The parent menu item. * \param Mask The flags to modify. * \param Value The new value of the flags. */ VOID PhSetFlagsAllEMenuItems( _In_ PPH_EMENU_ITEM Item, _In_ ULONG Mask, _In_ ULONG Value ) { ULONG i; for (i = 0; i < Item->Items->Count; i++) { PPH_EMENU_ITEM item = PhItemList(Item->Items, i); item->Flags &= ~Mask; item->Flags |= Value; } } VOID PhModifyEMenuItem( _Inout_ PPH_EMENU_ITEM Item, _In_ ULONG ModifyFlags, _In_ ULONG OwnedFlags, _In_opt_ PWSTR Text, _In_opt_ HBITMAP Bitmap ) { if (ModifyFlags & PH_EMENU_MODIFY_TEXT) { if ((Item->Flags & PH_EMENU_TEXT_OWNED) && Item->Text) PhFree(Item->Text); Item->Text = Text; Item->Flags &= ~PH_EMENU_TEXT_OWNED; Item->Flags |= OwnedFlags & PH_EMENU_TEXT_OWNED; } if (ModifyFlags & PH_EMENU_MODIFY_BITMAP) { if ((Item->Flags & PH_EMENU_BITMAP_OWNED) && Item->Bitmap) DeleteBitmap(Item->Bitmap); Item->Bitmap = Bitmap; Item->Flags &= ~PH_EMENU_BITMAP_OWNED; Item->Flags |= OwnedFlags & PH_EMENU_BITMAP_OWNED; } } VOID PhSetHMenuStyle( _In_ HMENU Menu, _In_ BOOLEAN MainMenu ) { MENUINFO menuInfo; memset(&menuInfo, 0, sizeof(MENUINFO)); menuInfo.cbSize = sizeof(MENUINFO); menuInfo.fMask = MIM_STYLE; menuInfo.dwStyle = MNS_CHECKORBMP; if (MainMenu) { if (PhEnableThemeSupport) { menuInfo.fMask |= MIM_BACKGROUND; menuInfo.hbrBack = PhThemeWindowBackgroundBrush; } } else { if ((WindowsVersion < WINDOWS_10_19H2 || PhEnableThemeAcrylicSupport) && PhEnableThemeSupport) { menuInfo.fMask |= MIM_BACKGROUND | MIM_APPLYTOSUBMENUS; menuInfo.hbrBack = PhThemeWindowBackgroundBrush; } } SetMenuInfo(Menu, &menuInfo); } BOOLEAN PhSetHMenuWindow( _In_ HWND WindowHandle, _In_ HMENU MenuHandle ) { return !!SetMenu(WindowHandle, MenuHandle); } BOOLEAN PhSetHMenuNotify( _In_ HMENU MenuHandle ) { MENUINFO menuInfo; memset(&menuInfo, 0, sizeof(MENUINFO)); menuInfo.cbSize = sizeof(MENUINFO); menuInfo.fMask = MIM_STYLE; menuInfo.dwStyle = MNS_NOTIFYBYPOS; return !!SetMenuInfo(MenuHandle, &menuInfo); } VOID PhDeleteHMenu( _In_ HMENU Menu ) { while (DeleteMenu(Menu, 0, MF_BYPOSITION)) NOTHING; } _Success_(return) BOOLEAN PhGetHMenuStringToBuffer( _In_ HMENU Menu, _In_ ULONG Id, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { MENUITEMINFO menuInfo; memset(&menuInfo, 0, sizeof(MENUITEMINFO)); menuInfo.cbSize = sizeof(MENUITEMINFO); menuInfo.fMask = MIIM_STRING; menuInfo.dwTypeData = Buffer; menuInfo.cch = (ULONG)BufferLength / sizeof(WCHAR); if (GetMenuItemInfo(Menu, Id, TRUE, &menuInfo)) { if (ReturnLength) *ReturnLength = menuInfo.cch; Buffer[menuInfo.cch] = UNICODE_NULL; return TRUE; } return FALSE; } PPH_EMENU_ITEM PhGetMenuData( _In_ HMENU Menu, _In_ ULONG Index ) { MENUITEMINFO menuItemInfo; memset(&menuItemInfo, 0, sizeof(MENUITEMINFO)); menuItemInfo.cbSize = sizeof(MENUITEMINFO); menuItemInfo.fMask = MIIM_ID | MIIM_DATA; menuItemInfo.wID = 0; if (GetMenuItemInfo(Menu, Index, TRUE, &menuItemInfo)) { return (PPH_EMENU_ITEM)menuItemInfo.dwItemData; } return NULL; } VOID PhMenuCallbackDispatch( _In_ HMENU Menu, _In_ ULONG Index ) { PPH_EMENU_ITEM item; HMENU menu; if (item = PhGetMenuData(Menu, Index)) { if (!FlagOn(item->Flags, PH_EMENU_CALLBACK)) { SetFlag(item->Flags, PH_EMENU_CALLBACK); if (item->DelayFunction) { if (menu = GetSubMenu(Menu, Index)) { item->DelayFunction(menu, item); } } } } } ================================================ FILE: phlib/error.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * dmex 2018-2024 * */ #include /** * Converts a NTSTATUS value to a Win32 error code. * * \remarks This function handles FACILITY_NTWIN32 status values properly, unlike * RtlNtStatusToDosError. */ ULONG PhNtStatusToDosError( _In_ NTSTATUS Status ) { if (NT_NTWIN32(Status)) // RtlNtStatusToDosError doesn't seem to handle these cases correctly return WIN32_FROM_NTSTATUS(Status); else return RtlNtStatusToDosErrorNoTeb(Status); } /** * Converts a NTSTATUS value to a Win32 service error code. */ ULONG PhNtStatusToServiceStatus( _In_ NTSTATUS Status ) { switch (Status) { case STATUS_SUCCESS: return ERROR_SUCCESS; case STATUS_SERVICE_NOTIFICATION: return ERROR_SERVICE_NOTIFICATION; case STATUS_UNSATISFIED_DEPENDENCIES: return ERROR_DEPENDENT_SERVICES_RUNNING; case STATUS_IMAGE_ALREADY_LOADED: return ERROR_SERVICE_ALREADY_RUNNING; case STATUS_ACCOUNT_DISABLED: return ERROR_SERVICE_DISABLED; case STATUS_OBJECT_NAME_NOT_FOUND: return ERROR_SERVICE_DOES_NOT_EXIST; case STATUS_OBJECT_NAME_COLLISION: return ERROR_SERVICE_EXISTS; case STATUS_OBJECT_NAME_EXISTS: return ERROR_DUPLICATE_SERVICE_NAME; case STATUS_OBJECT_PATH_INVALID: return ERROR_SERVICE_NOT_FOUND; case STATUS_SERVICES_FAILED_AUTOSTART: return ERROR_SERVICES_FAILED_AUTOSTART; case STATUS_THREAD_NOT_RUNNING: return ERROR_SERVICE_NEVER_STARTED; default: { return ERROR_MR_MID_NOT_FOUND; } } } /** * Converts a Win32 error code to a NTSTATUS value. * * \remarks Only a small number of cases are currently supported. Other status values are wrapped * using FACILITY_NTWIN32. */ NTSTATUS PhDosErrorToNtStatus( _In_ ULONG DosError ) { if (NT_CUSTOMER(DosError)) return DosError; switch (DosError) { case ERROR_SUCCESS: return STATUS_SUCCESS; case ERROR_INVALID_FUNCTION: return STATUS_ILLEGAL_FUNCTION; case ERROR_FILE_NOT_FOUND: return STATUS_NO_SUCH_FILE; case ERROR_PATH_NOT_FOUND: return STATUS_OBJECT_PATH_NOT_FOUND; case ERROR_ACCESS_DENIED: return STATUS_ACCESS_DENIED; case ERROR_INVALID_HANDLE: return STATUS_INVALID_HANDLE; case ERROR_INVALID_DATA: return STATUS_DATA_ERROR; case ERROR_NO_MORE_FILES: return STATUS_NO_MORE_FILES; case ERROR_BAD_LENGTH: return STATUS_INFO_LENGTH_MISMATCH; case ERROR_SHARING_VIOLATION: return STATUS_SHARING_VIOLATION; case ERROR_HANDLE_EOF: return STATUS_END_OF_FILE; case ERROR_NOT_SUPPORTED: return STATUS_NOT_SUPPORTED; case ERROR_INVALID_PARAMETER: return STATUS_INVALID_PARAMETER; case ERROR_INSUFFICIENT_BUFFER: return STATUS_BUFFER_TOO_SMALL; case ERROR_INVALID_NAME: return STATUS_OBJECT_NAME_INVALID; case ERROR_MOD_NOT_FOUND: return STATUS_DLL_NOT_FOUND; case ERROR_PROC_NOT_FOUND: return STATUS_PROCEDURE_NOT_FOUND; case ERROR_NOT_LOCKED: return STATUS_NOT_LOCKED; case ERROR_BAD_PATHNAME: return STATUS_OBJECT_PATH_INVALID; case ERROR_INVALID_ORDINAL: return STATUS_ORDINAL_NOT_FOUND; case ERROR_ALREADY_EXISTS: return STATUS_OBJECT_NAME_COLLISION; case ERROR_BAD_EXE_FORMAT: return STATUS_INVALID_IMAGE_FORMAT; case ERROR_DELETE_PENDING: return STATUS_DELETE_PENDING; case ERROR_MORE_DATA: return STATUS_MORE_ENTRIES; case ERROR_NO_MORE_ITEMS: return STATUS_NO_MORE_ENTRIES; case ERROR_PARTIAL_COPY: return STATUS_PARTIAL_COPY; case ERROR_INVALID_IMAGE_HASH: return STATUS_INVALID_IMAGE_HASH; case ERROR_NOINTERFACE: return STATUS_NOINTERFACE; case ERROR_SERVICE_NOTIFICATION: return STATUS_SERVICE_NOTIFICATION; case ERROR_ALERTED: return STATUS_ALERTED; case ERROR_ELEVATION_REQUIRED: return STATUS_ELEVATION_REQUIRED; case ERROR_NOACCESS: return STATUS_ACCESS_VIOLATION; case ERROR_STACK_OVERFLOW: return STATUS_STACK_OVERFLOW; case ERROR_NO_TOKEN: return STATUS_NO_TOKEN; case ERROR_DEPENDENT_SERVICES_RUNNING: return STATUS_UNSATISFIED_DEPENDENCIES; case ERROR_SERVICE_ALREADY_RUNNING: return STATUS_IMAGE_ALREADY_LOADED; case ERROR_SERVICE_DISABLED: return STATUS_ILL_FORMED_SERVICE_ENTRY; // STATUS_INVALID_CONFIG_VALUE case ERROR_SERVICE_DOES_NOT_EXIST: return STATUS_OBJECT_NAME_NOT_FOUND; case ERROR_SERVICE_EXISTS: return STATUS_OBJECT_NAME_COLLISION; case ERROR_SERVICE_NEVER_STARTED: return STATUS_THREAD_NOT_RUNNING; case ERROR_PROCESS_ABORTED: return STATUS_FATAL_APP_EXIT; case ERROR_DUPLICATE_SERVICE_NAME: return STATUS_OBJECT_NAME_EXISTS; case ERROR_DLL_INIT_FAILED: return STATUS_DLL_INIT_FAILED; case ERROR_NOT_FOUND: return STATUS_NOT_FOUND; case ERROR_CANCELLED: return STATUS_CANCELLED; case ERROR_SERVICE_NOT_FOUND: return STATUS_OBJECT_PATH_INVALID; case ERROR_SOME_NOT_MAPPED: return STATUS_SOME_NOT_MAPPED; case ERROR_PRIVILEGE_NOT_HELD: return STATUS_PRIVILEGE_NOT_HELD; case ERROR_LOGON_FAILURE: return STATUS_LOGON_FAILURE; case ERROR_ACCOUNT_RESTRICTION: return STATUS_ACCOUNT_RESTRICTION; case ERROR_ACCOUNT_DISABLED: return STATUS_ACCOUNT_DISABLED; case ERROR_NONE_MAPPED: return STATUS_NONE_MAPPED; case ERROR_NO_SUCH_DOMAIN: return STATUS_NO_SUCH_DOMAIN; case ERROR_INTERNAL_ERROR: return STATUS_INTERNAL_ERROR; case ERROR_INVALID_WINDOW_HANDLE: return STATUS_INVALID_HANDLE; case ERROR_NO_SYSTEM_RESOURCES: return STATUS_INSUFFICIENT_RESOURCES; case ERROR_TIMEOUT: return STATUS_TIMEOUT; case ERROR_INVALID_MONITOR_HANDLE: return STATUS_INVALID_HANDLE; case ERROR_DYNAMIC_CODE_BLOCKED: return STATUS_DYNAMIC_CODE_BLOCKED; case ERROR_STRICT_CFG_VIOLATION: return STATUS_STRICT_CFG_VIOLATION; case ERROR_RESOURCE_TYPE_NOT_FOUND: return STATUS_RESOURCE_TYPE_NOT_FOUND; case ERROR_RESOURCE_NAME_NOT_FOUND: return STATUS_RESOURCE_NAME_NOT_FOUND; case ERROR_RESOURCE_LANG_NOT_FOUND: return STATUS_RESOURCE_LANG_NOT_FOUND; case ERROR_NOT_ENOUGH_QUOTA: return STATUS_QUOTA_EXCEEDED; case ERROR_INVALID_TIME: return STATUS_INVALID_PARAMETER; case ERROR_WMI_GUID_NOT_FOUND: return STATUS_WMI_GUID_NOT_FOUND; case ERROR_WMI_INSTANCE_NOT_FOUND: return STATUS_WMI_INSTANCE_NOT_FOUND; case ERROR_ACTIVE_CONNECTIONS: return STATUS_ALREADY_DISCONNECTED; case ERROR_CTX_CLOSE_PENDING: return STATUS_CTX_CLOSE_PENDING; case ERROR_SERVICES_FAILED_AUTOSTART: return STATUS_SERVICES_FAILED_AUTOSTART; case ERROR_INVALID_SERVICE_CONTROL: return STATUS_INVALID_DEVICE_REQUEST; case ERROR_MUI_FILE_NOT_FOUND: return STATUS_MUI_FILE_NOT_FOUND; case ERROR_MUI_INVALID_FILE: return STATUS_MUI_INVALID_FILE; case ERROR_MUI_INVALID_RC_CONFIG: return STATUS_MUI_INVALID_RC_CONFIG; case ERROR_MUI_INVALID_LOCALE_NAME: return STATUS_MUI_INVALID_LOCALE_NAME; case ERROR_MUI_INVALID_ULTIMATEFALLBACK_NAME: return STATUS_MUI_INVALID_ULTIMATEFALLBACK_NAME; case ERROR_MUI_FILE_NOT_LOADED: return STATUS_MUI_FILE_NOT_LOADED; case ERROR_RESOURCE_ENUM_USER_STOP: return STATUS_RESOURCE_ENUM_USER_STOP; case NTE_INVALID_HANDLE: return STATUS_INVALID_HANDLE; case NTE_INVALID_PARAMETER: return STATUS_INVALID_PARAMETER; case NTE_BUFFER_TOO_SMALL: return STATUS_BUFFER_TOO_SMALL; default: { assert(FALSE); // Update the table. (dmex) return NTSTATUS_FROM_WIN32(DosError); } } } /** * Determines whether a NTSTATUS value indicates that a file cannot be not found. */ BOOLEAN PhNtStatusFileNotFound( _In_ NTSTATUS Status ) { switch (Status) { case STATUS_NO_SUCH_FILE: return TRUE; case STATUS_OBJECT_NAME_INVALID: return TRUE; case STATUS_OBJECT_NAME_NOT_FOUND: return TRUE; case STATUS_OBJECT_NO_LONGER_EXISTS: return TRUE; case STATUS_OBJECT_PATH_INVALID: return TRUE; case STATUS_OBJECT_PATH_NOT_FOUND: return TRUE; default: return FALSE; } } /** * Determines whether a HRESULT value was converted from a NTSTATUS and returns the original error code. */ NTSTATUS PhNtStatusFromHResult( _In_ HRESULT Result ) { if (HRESULT_CUSTOMER(Result)) { NOTHING; } else if (HRESULT_NTSTATUS(Result)) // if (FlagOn(Result, FACILITY_NT_BIT)) { ClearFlag(Result, FACILITY_NT_BIT); // reverse HRESULT_FROM_NT (dmex) } else if ( HRESULT_FACILITY(Result) == FACILITY_WIN32 || HRESULT_FACILITY(Result) == FACILITY_WINDOWS ) { Result = PhDosErrorToNtStatus(HRESULT_CODE(Result)); } return Result; } ================================================ FILE: phlib/extlv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2012 * dmex 2017-2024 * */ /* * The extended list view adds some functionality to the default list view control, such as sorting, * item colors and fonts, better redraw disabling, and the ability to change the cursor. This is * currently implemented by hooking the window procedure. */ #include #include #include #define PH_MAX_COMPARE_FUNCTIONS 16 typedef struct _PH_EXTLV_CONTEXT { HWND Handle; WNDPROC OldWndProc; PVOID Context; // Sorting BOOLEAN TriState; LONG SortColumn; LONG DefaultSortColumn; PH_SORT_ORDER SortOrder; PH_SORT_ORDER DefaultSortOrder; BOOLEAN SortFast; _Function_class_(PH_COMPARE_FUNCTION) PPH_COMPARE_FUNCTION TriStateCompareFunction; _Function_class_(PH_COMPARE_FUNCTION) PPH_COMPARE_FUNCTION CompareFunctions[PH_MAX_COMPARE_FUNCTIONS]; ULONG FallbackColumns[PH_MAX_COMPARE_FUNCTIONS]; ULONG NumberOfFallbackColumns; // Color and Font PPH_EXTLV_GET_ITEM_COLOR ItemColorFunction; PPH_EXTLV_GET_ITEM_FONT ItemFontFunction; // Misc. LONG EnableRedraw; LONG WindowDpi; HCURSOR Cursor; PPH_LISTVIEW_CONTEXT ListViewContext; } PH_EXTLV_CONTEXT, *PPH_EXTLV_CONTEXT; LRESULT CALLBACK PhpExtendedListViewWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ); LONG PhpExtendedListViewCompareFunc( _In_ LPARAM lParam1, _In_ LPARAM lParam2, _In_ LPARAM lParamSort ); LONG PhpExtendedListViewCompareFastFunc( _In_ LPARAM lParam1, _In_ LPARAM lParam2, _In_ LPARAM lParamSort ); LONG PhpCompareListViewItems( _In_ PPH_EXTLV_CONTEXT Context, _In_ LONG X, _In_ LONG Y, _In_ PVOID XParam, _In_ PVOID YParam, _In_ ULONG Column, _In_ BOOLEAN EnableDefault ); LONG PhpDefaultCompareListViewItems( _In_ PPH_EXTLV_CONTEXT Context, _In_ LONG X, _In_ LONG Y, _In_ ULONG Column ); /** * Enables extended list view support for a list view control. * * \param WindowHandle A handle to the list view control. */ VOID PhSetExtendedListView( _In_ HWND WindowHandle ) { PhSetExtendedListViewEx(WindowHandle, 0, AscendingSortOrder); } VOID PhSetExtendedListViewEx( _In_ HWND WindowHandle, _In_ ULONG SortColumn, _In_ ULONG SortOrder ) { PPH_EXTLV_CONTEXT context; context = PhAllocateZero(sizeof(PH_EXTLV_CONTEXT)); context->Handle = WindowHandle; context->Context = NULL; context->TriState = FALSE; context->SortColumn = SortColumn; context->DefaultSortColumn = SortColumn; context->SortOrder = SortOrder; context->DefaultSortOrder = SortOrder; context->SortFast = FALSE; context->TriStateCompareFunction = NULL; context->NumberOfFallbackColumns = 0; context->ItemColorFunction = NULL; context->ItemFontFunction = NULL; context->EnableRedraw = 1; context->Cursor = NULL; context->ListViewContext = PhListView_Initialize(WindowHandle); context->OldWndProc = PhGetWindowProcedure(WindowHandle); PhSetWindowContext(WindowHandle, MAXCHAR, context); PhSetWindowProcedure(WindowHandle, PhpExtendedListViewWndProc); ExtendedListView_Init(WindowHandle); } LRESULT CALLBACK PhpExtendedListViewWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_EXTLV_CONTEXT context; WNDPROC oldWndProc; context = PhGetWindowContext(WindowHandle, MAXCHAR); if (!context) return 0; oldWndProc = context->OldWndProc; switch (WindowMessage) { case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, MAXCHAR); PhSetWindowProcedure(WindowHandle, oldWndProc); PhListView_Destroy(context->ListViewContext); PhFree(context); } break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case HDN_ITEMCLICK: { HWND headerHandle; if (!PhListView_GetHeader(context->ListViewContext, &headerHandle)) break; if (header->hwndFrom == headerHandle) { LPNMHEADER header2 = (LPNMHEADER)header; if (header2->iItem == context->SortColumn) { if (context->TriState) { if (context->SortOrder == AscendingSortOrder) context->SortOrder = DescendingSortOrder; else if (context->SortOrder == DescendingSortOrder) context->SortOrder = NoSortOrder; else context->SortOrder = AscendingSortOrder; } else { if (context->SortOrder == AscendingSortOrder) context->SortOrder = DescendingSortOrder; else context->SortOrder = AscendingSortOrder; } } else { context->SortColumn = header2->iItem; context->SortOrder = AscendingSortOrder; } PhSetHeaderSortIcon(headerHandle, context->SortColumn, context->SortOrder); ExtendedListView_SortItems(WindowHandle); } } break; case NM_RCLICK: { LPNMITEMACTIVATE itemActivate = (LPNMITEMACTIVATE)lParam; HWND headerHandle; PPH_EMENU menu; PPH_EMENU_ITEM selectedItem; POINT position; if (!PhListView_GetHeader(context->ListViewContext, &headerHandle)) break; if (header->hwndFrom != headerHandle) break; if (!PhGetMessagePos(&position)) break; menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"Size column to fit", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 2, L"Size all columns to fit", NULL, NULL), ULONG_MAX); if (context->SortOrder != context->DefaultSortOrder || context->SortColumn != context->DefaultSortColumn) { PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 3, L"Reset sort", NULL, NULL), ULONG_MAX); } selectedItem = PhShowEMenu( menu, WindowHandle, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, position.x, position.y ); if (selectedItem && selectedItem->Id) { switch (selectedItem->Id) { case 1: { LONG headerCount; headerCount = Header_GetItemCount(headerHandle); if (headerCount != INT_ERROR) { if (!PhScreenToClient(WindowHandle, &position)) break; for (LONG i = 0; i < headerCount; ++i) { RECT headerRect; if (Header_GetItemRect(headerHandle, i, &headerRect) && PhPtInRect(&headerRect, &position)) { CallWindowProc(oldWndProc, WindowHandle, LVM_SETCOLUMNWIDTH, i, LVSCW_AUTOSIZE); break; } } } } break; case 2: { LONG headerCount; headerCount = Header_GetItemCount(headerHandle); if (headerCount != INT_ERROR) { for (LONG i = 0; i < headerCount; i++) { HDITEM item; item.mask = HDI_ORDER; if (Header_GetItem(headerHandle, i, &item)) { CallWindowProc(oldWndProc, WindowHandle, LVM_SETCOLUMNWIDTH, item.iOrder, LVSCW_AUTOSIZE); } } } } break; case 3: { ExtendedListView_SetSort(WindowHandle, context->DefaultSortColumn, context->DefaultSortOrder); ExtendedListView_SortItems(WindowHandle); } break; } } PhDestroyEMenu(menu); } return 1; } } break; case WM_REFLECT + WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; switch (header->code) { case NM_CUSTOMDRAW: { if (header->hwndFrom == WindowHandle) { LPNMLVCUSTOMDRAW customDraw = (LPNMLVCUSTOMDRAW)header; switch (customDraw->nmcd.dwDrawStage) { case CDDS_PREPAINT: return CDRF_NOTIFYITEMDRAW; case CDDS_ITEMPREPAINT: { BOOLEAN colorChanged = FALSE; BOOLEAN selected = FALSE; HFONT newFont = NULL; if (context->ItemColorFunction) { customDraw->clrTextBk = context->ItemColorFunction( (LONG)customDraw->nmcd.dwItemSpec, (PVOID)customDraw->nmcd.lItemlParam, context->Context ); colorChanged = TRUE; } if (context->ItemFontFunction) { newFont = context->ItemFontFunction( (LONG)customDraw->nmcd.dwItemSpec, (PVOID)customDraw->nmcd.lItemlParam, context->Context ); } if (newFont) SelectFont(customDraw->nmcd.hdc, newFont); // Fix text readability for hot and selected colored items (Dart Vanya) if (PhEnableThemeSupport) { ULONG state; if (context->ListViewContext && PhListView_GetItemState( context->ListViewContext, (LONG)customDraw->nmcd.dwItemSpec, LVIS_SELECTED, &state )) { if (FlagOn(customDraw->nmcd.uItemState, CDIS_HOT) || FlagOn(state, LVIS_SELECTED)) { selected = TRUE; } } else { if (FlagOn(customDraw->nmcd.uItemState, CDIS_HOT) || FlagOn(CallWindowProc( oldWndProc, WindowHandle, LVM_GETITEMSTATE, customDraw->nmcd.dwItemSpec, LVIS_SELECTED ), LVIS_SELECTED)) { selected = TRUE; } } } if (selected) { customDraw->clrText = PhThemeWindowTextColor; } else if (colorChanged) { if (PhGetColorBrightness(customDraw->clrTextBk) > 100) // slightly less than half customDraw->clrText = RGB(0x00, 0x00, 0x00); else customDraw->clrText = RGB(0xff, 0xff, 0xff); } if (newFont) return CDRF_NEWFONT; else return CDRF_DODEFAULT; } break; } } } break; } } break; case WM_SETCURSOR: { if (context->Cursor) { PhSetCursor(context->Cursor); return TRUE; } } break; case WM_UPDATEUISTATE: { // Disable focus rectangles by setting or masking out the flag where appropriate. switch (LOWORD(wParam)) { case UIS_SET: wParam |= UISF_HIDEFOCUS << 16; break; case UIS_CLEAR: case UIS_INITIALIZE: wParam &= ~(UISF_HIDEFOCUS << 16); break; } } break; case ELVM_ADDFALLBACKCOLUMN: { if (context->NumberOfFallbackColumns < PH_MAX_COMPARE_FUNCTIONS) context->FallbackColumns[context->NumberOfFallbackColumns++] = (ULONG)wParam; else return FALSE; } return TRUE; case ELVM_ADDFALLBACKCOLUMNS: { ULONG numberOfColumns = (ULONG)wParam; PULONG columns = (PULONG)lParam; if (context->NumberOfFallbackColumns + numberOfColumns <= PH_MAX_COMPARE_FUNCTIONS) { memcpy( &context->FallbackColumns[context->NumberOfFallbackColumns], columns, numberOfColumns * sizeof(ULONG) ); context->NumberOfFallbackColumns += numberOfColumns; } else { return FALSE; } } return TRUE; case ELVM_INIT: { HWND windowHandle; context->WindowDpi = PhGetWindowDpi(WindowHandle); if (PhListView_GetHeader(context->ListViewContext, &windowHandle)) { PhSetHeaderSortIcon(windowHandle, context->SortColumn, context->SortOrder); } if (PhListView_GetToolTip(context->ListViewContext, &windowHandle)) { // Fix tooltips showing behind Always On Top windows. SetWindowPos(windowHandle, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE); } // Make sure focus rectangles are disabled. SendMessage(WindowHandle, WM_CHANGEUISTATE, MAKELONG(UIS_SET, UISF_HIDEFOCUS), 0); } return TRUE; case ELVM_SETCOLUMNWIDTH: { ULONG column = (ULONG)wParam; LONG width = (LONG)lParam; if (width == ELVSCW_AUTOSIZE_REMAININGSPACE) { RECT clientRect; LONG availableWidth; ULONG i; LVCOLUMN lvColumn; if (!PhGetClientRect(WindowHandle, &clientRect)) break; availableWidth = clientRect.right; i = 0; lvColumn.mask = LVCF_WIDTH; while (TRUE) { if (i != column) { if (context->ListViewContext) { if (PhListView_GetColumn(context->ListViewContext, i, &lvColumn)) { availableWidth -= lvColumn.cx; } else { break; } } else { if (CallWindowProc(oldWndProc, WindowHandle, LVM_GETCOLUMN, i, (LPARAM)&lvColumn)) { availableWidth -= lvColumn.cx; } else { break; } } } i++; } if (availableWidth >= 40) { if (context->ListViewContext && PhListView_SetColumnWidth(context->ListViewContext, column, availableWidth)) return TRUE; return CallWindowProc(oldWndProc, WindowHandle, LVM_SETCOLUMNWIDTH, column, availableWidth); } } if (context->ListViewContext && PhListView_SetColumnWidth(context->ListViewContext, column, width)) return TRUE; return CallWindowProc(oldWndProc, WindowHandle, LVM_SETCOLUMNWIDTH, column, width); } break; case ELVM_SETCOMPAREFUNCTION: { PPH_COMPARE_FUNCTION compareFunction = (PPH_COMPARE_FUNCTION)lParam; ULONG column = (ULONG)wParam; if (column >= PH_MAX_COMPARE_FUNCTIONS) return FALSE; context->CompareFunctions[column] = compareFunction; } return TRUE; case ELVM_SETCONTEXT: { context->Context = (PVOID)lParam; } return TRUE; case ELVM_SETCURSOR: { context->Cursor = (HCURSOR)lParam; } return TRUE; case ELVM_SETITEMCOLORFUNCTION: { context->ItemColorFunction = (PPH_EXTLV_GET_ITEM_COLOR)lParam; } return TRUE; case ELVM_SETITEMFONTFUNCTION: { context->ItemFontFunction = (PPH_EXTLV_GET_ITEM_FONT)lParam; } return TRUE; case ELVM_SETREDRAW: { if (wParam) context->EnableRedraw++; else context->EnableRedraw--; if (context->EnableRedraw == 1) { CallWindowProc(oldWndProc, WindowHandle, WM_SETREDRAW, TRUE, 0); InvalidateRect(WindowHandle, NULL, FALSE); } else if (context->EnableRedraw == 0) { CallWindowProc(oldWndProc, WindowHandle, WM_SETREDRAW, FALSE, 0); } } return TRUE; case ELVM_GETSORT: { PULONG sortColumn = (PULONG)wParam; PPH_SORT_ORDER sortOrder = (PPH_SORT_ORDER)lParam; if (sortColumn) *sortColumn = context->SortColumn; if (sortOrder) *sortOrder = context->SortOrder; } return TRUE; case ELVM_SETSORT: { HWND windowHandle; context->SortColumn = (ULONG)wParam; context->SortOrder = (PH_SORT_ORDER)lParam; if (PhListView_GetHeader(context->ListViewContext, &windowHandle)) { PhSetHeaderSortIcon(windowHandle, context->SortColumn, context->SortOrder); } } return TRUE; case ELVM_SETSORTFAST: { context->SortFast = !!wParam; } return TRUE; case ELVM_SETTRISTATE: { context->TriState = !!wParam; } return TRUE; case ELVM_SETTRISTATECOMPAREFUNCTION: { PPH_EXTLV_SETCOMPAREFUNCTION compare = (PPH_EXTLV_SETCOMPAREFUNCTION)lParam; context->TriStateCompareFunction = compare->CompareFunction; } return TRUE; case ELVM_SORTITEMS: { BOOL result; if (context->SortFast) { // This sort method is faster than the normal sort because our comparison function // doesn't have to call the list view window procedure to get the item lParam // values. The disadvantage of this method is that default sorting is not available // - if a column doesn't have a comparison function, it doesn't get sorted at all. if (context->ListViewContext) { result = !!PhListView_SortItems( context->ListViewContext, FALSE, (PFNLVCOMPARE)PhpExtendedListViewCompareFastFunc, context ); } else { result = (BOOL)CallWindowProc( // ListView_SortItems oldWndProc, WindowHandle, LVM_SORTITEMS, (WPARAM)context, (LPARAM)(PFNLVCOMPARE)PhpExtendedListViewCompareFastFunc ); } } else { if (context->ListViewContext) { result = !!PhListView_SortItems( context->ListViewContext, TRUE, (PFNLVCOMPARE)PhpExtendedListViewCompareFunc, context ); } else { result = (BOOL)CallWindowProc( // ListView_SortItemsEx oldWndProc, WindowHandle, LVM_SORTITEMSEX, (WPARAM)context, (LPARAM)(PFNLVCOMPARE)PhpExtendedListViewCompareFunc ); } } return result; } break; case WM_DPICHANGED_AFTERPARENT: { LONG listviewDpi; LVCOLUMN lvColumn; ULONG i; i = 0; lvColumn.mask = LVCF_WIDTH; listviewDpi = PhGetWindowDpi(WindowHandle); if (context->WindowDpi == 0) break; // Workaround the ListView using incorrect widths for header columns by re-setting the width. (dmex) // Note: This resets the width a second time after the header control has already set the width. ExtendedListView_SetRedraw(WindowHandle, FALSE); while (TRUE) { if (context->ListViewContext) { if (PhListView_GetColumn(context->ListViewContext, i, &lvColumn)) { lvColumn.cx = PhMultiplyDivideSigned(lvColumn.cx, listviewDpi, context->WindowDpi); PhListView_SetColumn(context->ListViewContext, i, &lvColumn); } else { break; } } else { if (CallWindowProc(oldWndProc, WindowHandle, LVM_GETCOLUMN, i, (LPARAM)&lvColumn)) { lvColumn.cx = PhMultiplyDivideSigned(lvColumn.cx, listviewDpi, context->WindowDpi); CallWindowProc(oldWndProc, WindowHandle, LVM_SETCOLUMN, i, (WPARAM)&lvColumn); } else { break; } } i++; } ExtendedListView_SetRedraw(WindowHandle, TRUE); context->WindowDpi = listviewDpi; } break; } return CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); } /** * Visually indicates the sort order of a header control item. * * \param WindowHandle A handle to the header control. * \param Index The index of the item. * \param Order The sort order of the item. */ VOID PhSetHeaderSortIcon( _In_ HWND WindowHandle, _In_ LONG Index, _In_ PH_SORT_ORDER Order ) { LONG count; LONG i; count = Header_GetItemCount(WindowHandle); if (count == INT_ERROR) return; for (i = 0; i < count; i++) { HDITEM item; item.mask = HDI_FORMAT; Header_GetItem(WindowHandle, i, &item); if (Order != NoSortOrder && i == Index) { if (Order == AscendingSortOrder) { item.fmt &= ~HDF_SORTDOWN; item.fmt |= HDF_SORTUP; } else if (Order == DescendingSortOrder) { item.fmt &= ~HDF_SORTUP; item.fmt |= HDF_SORTDOWN; } } else { item.fmt &= ~(HDF_SORTDOWN | HDF_SORTUP); } Header_SetItem(WindowHandle, i, &item); } } LONG PhpExtendedListViewCompareFunc( _In_ LPARAM lParam1, _In_ LPARAM lParam2, _In_ LPARAM lParamSort ) { PPH_EXTLV_CONTEXT context = (PPH_EXTLV_CONTEXT)lParamSort; LONG result; LONG x = (LONG)lParam1; LONG y = (LONG)lParam2; ULONG i; PULONG fallbackColumns; LVITEM xItem; LVITEM yItem; // Get the param values. xItem.mask = LVIF_PARAM | LVIF_STATE; xItem.iItem = x; xItem.iSubItem = 0; yItem.mask = LVIF_PARAM | LVIF_STATE; yItem.iItem = y; yItem.iSubItem = 0; if (context->ListViewContext) { if (!PhListView_GetItem(context->ListViewContext, &xItem)) return 0; if (!PhListView_GetItem(context->ListViewContext, &yItem)) return 0; } else { if (!CallWindowProc(context->OldWndProc, context->Handle, LVM_GETITEM, 0, (LPARAM)&xItem)) return 0; if (!CallWindowProc(context->OldWndProc, context->Handle, LVM_GETITEM, 0, (LPARAM)&yItem)) return 0; } // First, do tri-state sorting. if ( context->TriState && context->SortOrder == NoSortOrder && context->TriStateCompareFunction ) { result = context->TriStateCompareFunction( (PVOID)xItem.lParam, (PVOID)yItem.lParam, context->Context ); if (result != 0) return result; } // Compare using the user-selected column and move on to the fallback columns if necessary. result = PhpCompareListViewItems(context, x, y, (PVOID)xItem.lParam, (PVOID)yItem.lParam, context->SortColumn, TRUE); if (result != 0) return result; fallbackColumns = context->FallbackColumns; for (i = context->NumberOfFallbackColumns; i != 0; i--) { ULONG fallbackColumn = *fallbackColumns++; if (fallbackColumn == context->SortColumn) continue; result = PhpCompareListViewItems(context, x, y, (PVOID)xItem.lParam, (PVOID)yItem.lParam, fallbackColumn, TRUE); if (result != 0) return result; } return 0; } LONG PhpExtendedListViewCompareFastFunc( _In_ LPARAM lParam1, _In_ LPARAM lParam2, _In_ LPARAM lParamSort ) { PPH_EXTLV_CONTEXT context = (PPH_EXTLV_CONTEXT)lParamSort; LONG result; ULONG i; PULONG fallbackColumns; if (!lParam1 || !lParam2) return 0; // First, do tri-state sorting. if ( context->TriState && context->SortOrder == NoSortOrder && context->TriStateCompareFunction ) { result = context->TriStateCompareFunction( (PVOID)lParam1, (PVOID)lParam2, context->Context ); if (result != 0) return result; } // Compare using the user-selected column and move on to the fallback columns if necessary. result = PhpCompareListViewItems(context, 0, 0, (PVOID)lParam1, (PVOID)lParam2, context->SortColumn, FALSE); if (result != 0) return result; fallbackColumns = context->FallbackColumns; for (i = context->NumberOfFallbackColumns; i != 0; i--) { ULONG fallbackColumn = *fallbackColumns++; if (fallbackColumn == context->SortColumn) continue; result = PhpCompareListViewItems(context, 0, 0, (PVOID)lParam1, (PVOID)lParam2, fallbackColumn, FALSE); if (result != 0) return result; } return 0; } FORCEINLINE LONG PhpCompareListViewItems( _In_ PPH_EXTLV_CONTEXT Context, _In_ LONG X, _In_ LONG Y, _In_ PVOID XParam, _In_ PVOID YParam, _In_ ULONG Column, _In_ BOOLEAN EnableDefault ) { if ( Column < PH_MAX_COMPARE_FUNCTIONS && Context->CompareFunctions[Column] ) { LONG result; result = PhModifySort( Context->CompareFunctions[Column](XParam, YParam, Context->Context), Context->SortOrder ); if (result != 0) return result; } if (EnableDefault) { return PhModifySort( PhpDefaultCompareListViewItems(Context, X, Y, Column), Context->SortOrder ); } else { return 0; } } LONG PhpDefaultCompareListViewItems( _In_ PPH_EXTLV_CONTEXT Context, _In_ LONG X, _In_ LONG Y, _In_ ULONG Column ) { WCHAR xText[MAX_PATH + 1]; WCHAR yText[MAX_PATH + 1]; LVITEM item; // Get the X item text. item.mask = LVIF_TEXT; item.iItem = X; item.iSubItem = Column; item.pszText = xText; item.cchTextMax = MAX_PATH; xText[0] = UNICODE_NULL; if (Context->ListViewContext) PhListView_GetItem(Context->ListViewContext, &item); else CallWindowProc(Context->OldWndProc, Context->Handle, LVM_GETITEM, 0, (LPARAM)&item); // Get the Y item text. item.iItem = Y; item.pszText = yText; item.cchTextMax = MAX_PATH; yText[0] = UNICODE_NULL; if (Context->ListViewContext) PhListView_GetItem(Context->ListViewContext, &item); else CallWindowProc(Context->OldWndProc, Context->Handle, LVM_GETITEM, 0, (LPARAM)&item); // Compare them. #if 1 return PhCompareStringZNatural(xText, yText, TRUE); #else return _wcsicmp(xText, yText); #endif } ================================================ FILE: phlib/fastlock.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2010 * */ #include #include // FastLock is a fast resource (reader-writer) lock. // // The code is a direct port of FastResourceLock from PH 1.x. Please see FastResourceLock.cs in PH // 1.x for details. // // The fast lock is around 7% faster than the critical section when there is no contention, when // used solely for mutual exclusion. It is also much smaller than the critical section. // // There are three types of acquire methods: // * Normal methods (AcquireExclusive, AcquireShared) are preferred for general purpose use. // * Busy wait methods (SpinAcquireExclusive, SpinAcquireShared) are preferred if // very little time is spent while the lock is acquired. However, these do not give exclusive // acquires precedence over shared acquires. // * Try methods (TryAcquireExclusive, TryAcquireShared) can be used to quickly test if the lock is available. // // Note that all three types of functions can be used concurrently by the same FastLock instance. // // Details // // Resource lock value width: 32 bits. // Lock owned (either exclusive or shared): L (1 bit). // Exclusive waking: W (1 bit). // Shared owners count: SC (10 bits). // Shared waiters count: SW (10 bits). // Exclusive waiters count: EW (10 bits). // // Acquire exclusive: // {L=0,W=0,SC=0,SW,EW=0} -> {L=1,W=0,SC=0,SW,EW=0} // {L=0,W=1,SC=0,SW,EW} or {L=1,W,SC,SW,EW} -> // {L,W,SC,SW,EW+1}, // wait on event, // {L=0,W=1,SC=0,SW,EW} -> {L=1,W=0,SC=0,SW,EW} // // Acquire shared: // {L=0,W=0,SC=0,SW,EW=0} -> {L=1,W=0,SC=1,SW,EW=0} // {L=1,W=0,SC>0,SW,EW=0} -> {L=1,W=0,SC+1,SW,EW=0} // {L=1,W=0,SC=0,SW,EW=0} or {L,W=1,SC,SW,EW} or // {L,W,SC,SW,EW>0} -> {L,W,SC,SW+1,EW}, // wait on event, // retry. // // Release exclusive: // {L=1,W=0,SC=0,SW,EW>0} -> // {L=0,W=1,SC=0,SW,EW-1}, // release one exclusive waiter. // {L=1,W=0,SC=0,SW,EW=0} -> // {L=0,W=0,SC=0,SW=0,EW=0}, // release all shared waiters. // // Note that we never do a direct acquire when W=1 // (i.e. L=0 if W=1), so here we don't have to check // the value of W. // // Release shared: // {L=1,W=0,SC>1,SW,EW} -> {L=1,W=0,SC-1,SW,EW} // {L=1,W=0,SC=1,SW,EW=0} -> {L=0,W=0,SC=0,SW,EW=0} // {L=1,W=0,SC=1,SW,EW>0} -> // {L=0,W=1,SC=0,SW,EW-1}, // release one exclusive waiter. // // Again, we don't need to check the value of W. // // Convert exclusive to shared: // {L=1,W=0,SC=0,SW,EW} -> // {L=1,W=0,SC=1,SW=0,EW}, // release all shared waiters. // // Convert shared to exclusive: // {L=1,W=0,SC=1,SW,EW} -> // {L=1,W=0,SC=0,SW,EW} // // Lock owned: 1 bit. #define PH_LOCK_OWNED 0x1 // Exclusive waking: 1 bit. #define PH_LOCK_EXCLUSIVE_WAKING 0x2 // Shared owners count: 10 bits. #define PH_LOCK_SHARED_OWNERS_SHIFT 2 #define PH_LOCK_SHARED_OWNERS_MASK 0x3fful #define PH_LOCK_SHARED_OWNERS_INC 0x4 // Shared waiters count: 10 bits. #define PH_LOCK_SHARED_WAITERS_SHIFT 12 #define PH_LOCK_SHARED_WAITERS_MASK 0x3fful #define PH_LOCK_SHARED_WAITERS_INC 0x1000 // Exclusive waiters count: 10 bits. #define PH_LOCK_EXCLUSIVE_WAITERS_SHIFT 22 #define PH_LOCK_EXCLUSIVE_WAITERS_MASK 0x3fful #define PH_LOCK_EXCLUSIVE_WAITERS_INC 0x400000 #define PH_LOCK_EXCLUSIVE_MASK \ (PH_LOCK_EXCLUSIVE_WAKING | \ (PH_LOCK_EXCLUSIVE_WAITERS_MASK << PH_LOCK_EXCLUSIVE_WAITERS_SHIFT)) VOID PhInitializeFastLock( _Out_ PPH_FAST_LOCK FastLock ) { FastLock->Value = 0; FastLock->ExclusiveWakeEvent = NULL; FastLock->SharedWakeEvent = NULL; } VOID PhDeleteFastLock( _Inout_ PPH_FAST_LOCK FastLock ) { if (FastLock->ExclusiveWakeEvent) { NtClose(FastLock->ExclusiveWakeEvent); FastLock->ExclusiveWakeEvent = NULL; } if (FastLock->SharedWakeEvent) { NtClose(FastLock->SharedWakeEvent); FastLock->SharedWakeEvent = NULL; } } FORCEINLINE VOID PhpEnsureEventCreated( _Inout_ PHANDLE Handle ) { HANDLE semaphoreHandle; OBJECT_ATTRIBUTES objectAttributes; if (ReadPointerAcquire(Handle)) return; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); NtCreateSemaphore( &semaphoreHandle, SEMAPHORE_ALL_ACCESS, &objectAttributes, 0, MAXLONG ); assert(semaphoreHandle); if (_InterlockedCompareExchangePointer( Handle, semaphoreHandle, NULL ) != NULL) { NtClose(semaphoreHandle); } } FORCEINLINE ULONG PhpGetSpinCount( VOID ) { if (PhSystemBasicInformation.NumberOfProcessors > 1) return 4000; else return 0; } _May_raise_ _Acquires_exclusive_lock_(*FastLock) VOID FASTCALL PhfAcquireFastLockExclusive( _Inout_ PPH_FAST_LOCK FastLock ) { ULONG value; ULONG i = 0; ULONG spinCount; spinCount = PhpGetSpinCount(); while (TRUE) { value = ReadULongAcquire(&FastLock->Value); if (!(value & (PH_LOCK_OWNED | PH_LOCK_EXCLUSIVE_WAKING))) { if (_InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_OWNED, value ) == value) break; } else if (i >= spinCount) { PhpEnsureEventCreated(&FastLock->ExclusiveWakeEvent); if (_InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_EXCLUSIVE_WAITERS_INC, value ) == value) { if (NtWaitForSingleObject( FastLock->ExclusiveWakeEvent, FALSE, NULL ) != STATUS_WAIT_0) PhRaiseStatus(STATUS_UNSUCCESSFUL); do { value = FastLock->Value; } while (_InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_OWNED - PH_LOCK_EXCLUSIVE_WAKING, value ) != value); break; } } i++; YieldProcessor(); } } _May_raise_ _Acquires_shared_lock_(*FastLock) VOID FASTCALL PhfAcquireFastLockShared( _Inout_ PPH_FAST_LOCK FastLock ) { ULONG value; ULONG i = 0; ULONG spinCount; spinCount = PhpGetSpinCount(); while (TRUE) { value = ReadULongAcquire(&FastLock->Value); if (!(value & ( PH_LOCK_OWNED | (PH_LOCK_SHARED_OWNERS_MASK << PH_LOCK_SHARED_OWNERS_SHIFT) | PH_LOCK_EXCLUSIVE_MASK ))) { if (_InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_OWNED + PH_LOCK_SHARED_OWNERS_INC, value ) == value) break; } else if ( (value & PH_LOCK_OWNED) && ((value >> PH_LOCK_SHARED_OWNERS_SHIFT) & PH_LOCK_SHARED_OWNERS_MASK) > 0 && !(value & PH_LOCK_EXCLUSIVE_MASK) ) { if (_InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_SHARED_OWNERS_INC, value ) == value) break; } else if (i >= spinCount) { PhpEnsureEventCreated(&FastLock->SharedWakeEvent); if (_InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_SHARED_WAITERS_INC, value ) == value) { if (NtWaitForSingleObject( FastLock->SharedWakeEvent, FALSE, NULL ) != STATUS_WAIT_0) PhRaiseStatus(STATUS_UNSUCCESSFUL); continue; } } i++; YieldProcessor(); } } _Releases_exclusive_lock_(*FastLock) VOID FASTCALL PhfReleaseFastLockExclusive( _Inout_ PPH_FAST_LOCK FastLock ) { ULONG value; while (TRUE) { value = ReadULongAcquire(&FastLock->Value); if ((value >> PH_LOCK_EXCLUSIVE_WAITERS_SHIFT) & PH_LOCK_EXCLUSIVE_WAITERS_MASK) { if (_InterlockedCompareExchange( &FastLock->Value, value - PH_LOCK_OWNED + PH_LOCK_EXCLUSIVE_WAKING - PH_LOCK_EXCLUSIVE_WAITERS_INC, value ) == value) { NtReleaseSemaphore(FastLock->ExclusiveWakeEvent, 1, NULL); break; } } else { ULONG sharedWaiters; sharedWaiters = (value >> PH_LOCK_SHARED_WAITERS_SHIFT) & PH_LOCK_SHARED_WAITERS_MASK; if (_InterlockedCompareExchange( &FastLock->Value, value & ~(PH_LOCK_OWNED | (PH_LOCK_SHARED_WAITERS_MASK << PH_LOCK_SHARED_WAITERS_SHIFT)), value ) == value) { if (sharedWaiters) NtReleaseSemaphore(FastLock->SharedWakeEvent, sharedWaiters, 0); break; } } YieldProcessor(); } } _Releases_shared_lock_(*FastLock) VOID FASTCALL PhfReleaseFastLockShared( _Inout_ PPH_FAST_LOCK FastLock ) { ULONG value; while (TRUE) { value = ReadULongAcquire(&FastLock->Value); if (((value >> PH_LOCK_SHARED_OWNERS_SHIFT) & PH_LOCK_SHARED_OWNERS_MASK) > 1) { if (_InterlockedCompareExchange( &FastLock->Value, value - PH_LOCK_SHARED_OWNERS_INC, value ) == value) break; } else if ((value >> PH_LOCK_EXCLUSIVE_WAITERS_SHIFT) & PH_LOCK_EXCLUSIVE_WAITERS_MASK) { if (_InterlockedCompareExchange( &FastLock->Value, value - PH_LOCK_OWNED + PH_LOCK_EXCLUSIVE_WAKING - PH_LOCK_SHARED_OWNERS_INC - PH_LOCK_EXCLUSIVE_WAITERS_INC, value ) == value) { NtReleaseSemaphore(FastLock->ExclusiveWakeEvent, 1, NULL); break; } } else { if (_InterlockedCompareExchange( &FastLock->Value, value - PH_LOCK_OWNED - PH_LOCK_SHARED_OWNERS_INC, value ) == value) break; } YieldProcessor(); } } _When_(return != 0, _Acquires_exclusive_lock_(*FastLock)) BOOLEAN FASTCALL PhfTryAcquireFastLockExclusive( _Inout_ PPH_FAST_LOCK FastLock ) { ULONG value; value = ReadULongAcquire(&FastLock->Value); if (value & (PH_LOCK_OWNED | PH_LOCK_EXCLUSIVE_WAKING)) return FALSE; return _InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_OWNED, value ) == value; } _When_(return != 0, _Acquires_shared_lock_(*FastLock)) BOOLEAN FASTCALL PhfTryAcquireFastLockShared( _Inout_ PPH_FAST_LOCK FastLock ) { ULONG value; value = ReadULongAcquire(&FastLock->Value); if (value & PH_LOCK_EXCLUSIVE_MASK) return FALSE; if (!(value & PH_LOCK_OWNED)) { return _InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_OWNED + PH_LOCK_SHARED_OWNERS_INC, value ) == value; } else if ((value >> PH_LOCK_SHARED_OWNERS_SHIFT) & PH_LOCK_SHARED_OWNERS_MASK) { return _InterlockedCompareExchange( &FastLock->Value, value + PH_LOCK_SHARED_OWNERS_INC, value ) == value; } else { return FALSE; } } ================================================ FILE: phlib/filepool.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011 * */ /* * File pool allows blocks of storage to be allocated from a file. Each file looks like this: * * Segment 0 __________________________________________________________ * | | | | | * | Block Header | File Header | Block Header | Segment Header | * |______________|________________|______________|________________| * | | | | | * | Block Header | User Data | Block Header | User Data | * |______________|________________|______________|________________| * | | | | | * | ... | ... | ... | ... | * |______________|________________|______________|________________| * Segment 1 __________________________________________________________ * | | | | | * | Block Header | Segment Header | Block Header | User Data | * |______________|________________|______________|________________| * | | | | | * | ... | ... | ... | ... | * |______________|________________|______________|________________| * Segment 2 __________________________________________________________ * | | | | | * | ... | ... | ... | ... | * |______________|________________|______________|________________| * */ /* * A file consists of a variable number of segments, with the segment size specified as a power of * two. Each segment contains a fixed number of blocks, leading to a variable block size. Every * allocation made by the user is an allocation of a certain number of blocks, with enough space for * the block header. This is placed at the beginning of each allocation and contains the number of * blocks in the allocation (a better name for it would be the allocation header). * * Block management in each segment is handled by a bitmap which is stored in the segment header at * the beginning of each segment. The first segment (segment 0) is special with the file header * being placed immediately after an initial block header. This is because the segment size is * stored in the file header, and without it we cannot calculate the block size, which is used to * locate everything else in the file. * * To speed up allocations a number of free lists are maintained which categorize each segment based * on how many free blocks they have. This means we can avoid trying to allocate from every existing * segment before finding out we have to allocate a new segment, or trying to allocate from segments * without the required number of free blocks. The downside of this technique is that it doesn't * account for fragmentation within the allocation bitmap. * * Each segment is mapped in separately, and each view is cached. Even after a view becomes inactive * (has a reference count of 0) it remains mapped in until the maximum number of inactive views is * reached. */ #include #include #include /** * Creates or opens a file pool. * * \param Pool A variable which receives the file pool instance. * \param FileHandle A handle to the file. * \param ReadOnly TRUE to disallow writes to the file. * \param Parameters Parameters for on-disk and runtime structures. */ NTSTATUS PhCreateFilePool( _Out_ PPH_FILE_POOL *Pool, _In_ HANDLE FileHandle, _In_ BOOLEAN ReadOnly, _In_opt_ PPH_FILE_POOL_PARAMETERS Parameters ) { NTSTATUS status; PPH_FILE_POOL pool; LARGE_INTEGER fileSize; PH_FILE_POOL_PARAMETERS localParameters; BOOLEAN creating; HANDLE sectionHandle; PPH_FP_BLOCK_HEADER initialBlock; PPH_FP_FILE_HEADER header; ULONG i; if (Parameters) { PhpValidateFilePoolParameters(Parameters); } else { PhpSetDefaultFilePoolParameters(&localParameters); Parameters = &localParameters; } pool = PhAllocate(sizeof(PH_FILE_POOL)); memset(pool, 0, sizeof(PH_FILE_POOL)); pool->FileHandle = FileHandle; pool->ReadOnly = ReadOnly; if (!NT_SUCCESS(status = PhGetFileSize(FileHandle, &fileSize))) goto CleanupExit; creating = FALSE; // If the file is smaller than the page size, assume we're creating a new file. if (fileSize.QuadPart < PAGE_SIZE) { if (ReadOnly) { status = STATUS_BAD_FILE_TYPE; goto CleanupExit; } fileSize.QuadPart = PAGE_SIZE; if (!NT_SUCCESS(status = PhSetFileSize(FileHandle, &fileSize))) goto CleanupExit; creating = TRUE; } // Create a section. status = PhCreateSection( §ionHandle, SECTION_ALL_ACCESS, &fileSize, !ReadOnly ? PAGE_READWRITE : PAGE_READONLY, SEC_COMMIT, FileHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; pool->SectionHandle = sectionHandle; // Map in the first segment, set up initial parameters, then remap the first segment. if (!NT_SUCCESS(status = PhFppMapRange(pool, 0, PAGE_SIZE, &initialBlock))) goto CleanupExit; header = (PPH_FP_FILE_HEADER)&initialBlock->Body; if (creating) { header->Magic = PH_FP_MAGIC; header->SegmentShift = Parameters->SegmentShift; header->SegmentCount = 1; for (i = 0; i < PH_FP_FREE_LIST_COUNT; i++) header->FreeLists[i] = ULONG_MAX; } else { if (header->Magic != PH_FP_MAGIC) { PhFppUnmapRange(pool, initialBlock); status = STATUS_BAD_FILE_TYPE; goto CleanupExit; } } pool->SegmentShift = header->SegmentShift; pool->SegmentSize = 1 << pool->SegmentShift; pool->BlockShift = pool->SegmentShift - PH_FP_BLOCK_COUNT_SHIFT; pool->BlockSize = 1 << pool->BlockShift; pool->FileHeaderBlockSpan = (sizeof(PH_FP_FILE_HEADER) + pool->BlockSize - 1) >> pool->BlockShift; pool->SegmentHeaderBlockSpan = (sizeof(PH_FP_SEGMENT_HEADER) + pool->BlockSize - 1) >> pool->BlockShift; // Unmap the first segment and remap with the new segment size. PhFppUnmapRange(pool, initialBlock); if (creating) { // Extend the section so it fits the entire first segment. if (!NT_SUCCESS(status = PhFppExtendRange(pool, pool->SegmentSize))) goto CleanupExit; } // Runtime structure initialization PhInitializeFreeList(&pool->ViewFreeList, sizeof(PH_FILE_POOL_VIEW), 32); pool->ByIndexSize = 32; pool->ByIndexBuckets = PhAllocate(sizeof(PPH_FILE_POOL_VIEW) * pool->ByIndexSize); memset(pool->ByIndexBuckets, 0, sizeof(PPH_FILE_POOL_VIEW) * pool->ByIndexSize); PhInitializeAvlTree(&pool->ByBaseSet, PhpFilePoolViewByBaseCompareFunction); pool->MaximumInactiveViews = Parameters->MaximumInactiveViews; InitializeListHead(&pool->InactiveViewsListHead); // File structure initialization pool->FirstBlockOfFirstSegment = PhFppReferenceSegment(pool, 0); pool->Header = (PPH_FP_FILE_HEADER)&pool->FirstBlockOfFirstSegment->Body; if (creating) { PPH_FP_BLOCK_HEADER segmentHeaderBlock; // Set up the first segment properly. pool->FirstBlockOfFirstSegment->Span = pool->FileHeaderBlockSpan; segmentHeaderBlock = (PPH_FP_BLOCK_HEADER)PTR_ADD_OFFSET(pool->FirstBlockOfFirstSegment, (pool->FileHeaderBlockSpan << pool->BlockShift)); PhFppInitializeSegment(pool, segmentHeaderBlock, pool->FileHeaderBlockSpan); pool->Header->FreeLists[1] = 0; } CleanupExit: if (NT_SUCCESS(status)) { *Pool = pool; } else { // Don't close the file handle the user passed in. pool->FileHandle = NULL; PhDestroyFilePool(pool); } return status; } /** * Creates or opens a file pool. * * \param Pool A variable which receives the file pool instance. * \param FileName The file name of the file pool. * \param ReadOnly TRUE to disallow writes to the file. * \param ShareAccess The file access granted to other threads. * \param CreateDisposition The action to perform if the file does or does not exist. See * PhCreateFileWin32() for more information. * \param Parameters Parameters for on-disk and runtime structures. */ NTSTATUS PhCreateFilePool2( _Out_ PPH_FILE_POOL *Pool, _In_ PCWSTR FileName, _In_ BOOLEAN ReadOnly, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_opt_ PPH_FILE_POOL_PARAMETERS Parameters ) { NTSTATUS status; PPH_FILE_POOL pool; HANDLE fileHandle; ULONG createStatus; if (!NT_SUCCESS(status = PhCreateFileWin32Ex( &fileHandle, FileName, !ReadOnly ? (FILE_GENERIC_READ | FILE_GENERIC_WRITE | DELETE) : FILE_GENERIC_READ, NULL, FILE_ATTRIBUTE_NORMAL, ShareAccess, CreateDisposition, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, &createStatus ))) { return status; } status = PhCreateFilePool(&pool, fileHandle, ReadOnly, Parameters); if (NT_SUCCESS(status)) { *Pool = pool; } else { if (!ReadOnly && createStatus == FILE_CREATED) { FILE_DISPOSITION_INFORMATION dispositionInfo; IO_STATUS_BLOCK isb; dispositionInfo.DeleteFile = TRUE; NtSetInformationFile(fileHandle, &isb, &dispositionInfo, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation); } NtClose(fileHandle); } return status; } /** * Frees resources used by a file pool instance. * * \param Pool The file pool. */ VOID PhDestroyFilePool( _In_ _Post_invalid_ PPH_FILE_POOL Pool ) { ULONG i; PLIST_ENTRY head; PLIST_ENTRY entry; PPH_FILE_POOL_VIEW view; // Unmap all views. for (i = 0; i < Pool->ByIndexSize; i++) { if (head = Pool->ByIndexBuckets[i]) { entry = head; do { view = CONTAINING_RECORD(entry, PH_FILE_POOL_VIEW, ByIndexListEntry); entry = entry->Flink; PhFppUnmapRange(Pool, view->Base); PhFreeToFreeList(&Pool->ViewFreeList, view); } while (entry != head); } } if (Pool->ByIndexBuckets) PhFree(Pool->ByIndexBuckets); PhDeleteFreeList(&Pool->ViewFreeList); if (Pool->SectionHandle) NtClose(Pool->SectionHandle); if (Pool->FileHandle) NtClose(Pool->FileHandle); PhFree(Pool); } /** * Validates and corrects file pool parameters. * * \param Parameters The parameters structure which is validated and modified if necessary. */ NTSTATUS PhpValidateFilePoolParameters( _Inout_ PPH_FILE_POOL_PARAMETERS Parameters ) { NTSTATUS status = STATUS_SUCCESS; // 16 <= SegmentShift <= 28 if (Parameters->SegmentShift < 16) { Parameters->SegmentShift = 16; status = STATUS_SOME_NOT_MAPPED; } if (Parameters->SegmentShift > 28) { Parameters->SegmentShift = 28; status = STATUS_SOME_NOT_MAPPED; } return status; } /** * Creates default file pool parameters. * * \param Parameters The parameters structure which receives the default parameter values. */ VOID PhpSetDefaultFilePoolParameters( _Out_ PPH_FILE_POOL_PARAMETERS Parameters ) { Parameters->SegmentShift = 18; // 256kB Parameters->MaximumInactiveViews = 128; } /** * Allocates a block from a file pool. * * \param Pool The file pool. * \param Size The number of bytes to allocate. * \param Rva A variable which receives the relative virtual address of the allocated block. * * \return A pointer to the allocated block. You must call PhDereferenceFilePool() or * PhDereferenceFilePoolByRva() when you no longer need a reference to the block. * * \remarks The returned pointer is not valid beyond the lifetime of the file pool instance. Use the * relative virtual address if you need a permanent reference to the allocated block. */ PVOID PhAllocateFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Size, _Out_opt_ PULONG Rva ) { PPH_FP_BLOCK_HEADER blockHeader; ULONG numberOfBlocks; PPH_FP_BLOCK_HEADER firstBlock; PPH_FP_SEGMENT_HEADER segmentHeader; ULONG freeListIndex; ULONG freeListLimit; ULONG segmentIndex; ULONG nextSegmentIndex; ULONG newFreeListIndex; // Calculate the number of blocks needed for the allocation. numberOfBlocks = (FIELD_OFFSET(PH_FP_BLOCK_HEADER, Body) + Size + Pool->BlockSize - 1) >> Pool->BlockShift; if (numberOfBlocks > PH_FP_BLOCK_COUNT - Pool->SegmentHeaderBlockSpan) { // TODO: Perform a large allocation. return NULL; } // Scan each applicable free list and try to allocate from those segments. freeListLimit = PhFppComputeFreeListIndex(Pool, numberOfBlocks); for (freeListIndex = 0; freeListIndex <= freeListLimit; freeListIndex++) { segmentIndex = Pool->Header->FreeLists[freeListIndex]; while (segmentIndex != ULONG_MAX) { firstBlock = PhFppReferenceSegment(Pool, segmentIndex); if (!firstBlock) return NULL; segmentHeader = PhFppGetHeaderSegment(Pool, firstBlock); nextSegmentIndex = segmentHeader->FreeFlink; blockHeader = PhFppAllocateBlocks(Pool, firstBlock, segmentHeader, numberOfBlocks); if (blockHeader) goto BlockAllocated; PhFppDereferenceSegment(Pool, segmentIndex); segmentIndex = nextSegmentIndex; } } // No segments have the required number of contiguous free blocks. Allocate a new one. firstBlock = PhFppAllocateSegment(Pool, &segmentIndex); if (!firstBlock) return NULL; freeListIndex = 0; segmentHeader = PhFppGetHeaderSegment(Pool, firstBlock); blockHeader = PhFppAllocateBlocks(Pool, firstBlock, segmentHeader, numberOfBlocks); if (!blockHeader) { PhFppDereferenceSegment(Pool, segmentIndex); return NULL; } BlockAllocated: // Compute the new free list index of the segment and move it to another free list if necessary. newFreeListIndex = PhFppComputeFreeListIndex(Pool, segmentHeader->FreeBlocks); if (newFreeListIndex != freeListIndex) { PhFppRemoveFreeList(Pool, freeListIndex, segmentIndex, segmentHeader); PhFppInsertFreeList(Pool, newFreeListIndex, segmentIndex, segmentHeader); } if (Rva) { *Rva = PhFppEncodeRva(Pool, segmentIndex, firstBlock, &blockHeader->Body); } return &blockHeader->Body; } /** * Frees a block. * * \param Pool The file pool. * \param SegmentIndex The index of the segment containing the block. * \param FirstBlock The first block of the segment containing the block. * \param Block A pointer to the block. */ VOID PhpFreeFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex, _In_ PPH_FP_BLOCK_HEADER FirstBlock, _In_ PVOID Block ) { PPH_FP_SEGMENT_HEADER segmentHeader; ULONG oldFreeListIndex; ULONG newFreeListIndex; segmentHeader = PhFppGetHeaderSegment(Pool, FirstBlock); oldFreeListIndex = PhFppComputeFreeListIndex(Pool, segmentHeader->FreeBlocks); PhFppFreeBlocks(Pool, FirstBlock, segmentHeader, PhFppGetHeaderBlock(Pool, Block)); newFreeListIndex = PhFppComputeFreeListIndex(Pool, segmentHeader->FreeBlocks); // Move the segment into another free list if needed. if (newFreeListIndex != oldFreeListIndex) { PhFppRemoveFreeList(Pool, oldFreeListIndex, SegmentIndex, segmentHeader); PhFppInsertFreeList(Pool, newFreeListIndex, SegmentIndex, segmentHeader); } } /** * Frees a block allocated by PhAllocateFilePool(). * * \param Pool The file pool. * \param Block A pointer to the block. The pointer is no longer valid after you call this function. * Do not use PhDereferenceFilePool() or PhDereferenceFilePoolByRva(). */ VOID PhFreeFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Block ) { PPH_FILE_POOL_VIEW view; PPH_FP_BLOCK_HEADER firstBlock; view = PhFppFindViewByBase(Pool, Block); if (!view) PhRaiseStatus(STATUS_INVALID_PARAMETER_2); firstBlock = view->Base; PhpFreeFilePool(Pool, view->SegmentIndex, firstBlock, Block); PhFppDereferenceView(Pool, view); } /** * Frees a block allocated by PhAllocateFilePool(). * * \param Pool The file pool. * \param Rva The relative virtual address of the block. */ BOOLEAN PhFreeFilePoolByRva( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Rva ) { ULONG segmentIndex; ULONG offset; PPH_FP_BLOCK_HEADER firstBlock; offset = PhFppDecodeRva(Pool, Rva, &segmentIndex); if (offset == ULONG_MAX) return FALSE; firstBlock = PhFppReferenceSegment(Pool, segmentIndex); if (!firstBlock) return FALSE; PhpFreeFilePool(Pool, segmentIndex, firstBlock, PTR_ADD_OFFSET(firstBlock, offset)); PhFppDereferenceSegment(Pool, segmentIndex); return TRUE; } /** * Increments the reference count for the specified address. * * \param Pool The file pool. * \param Address An address. */ VOID PhReferenceFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Address ) { PhFppReferenceSegmentByBase(Pool, Address); } /** * Decrements the reference count for the specified address. * * \param Pool The file pool. * \param Address An address. */ VOID PhDereferenceFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Address ) { PhFppDereferenceSegmentByBase(Pool, Address); } /** * Obtains a pointer for a relative virtual address, incrementing the reference count of the * address. * * \param Pool The file pool. * \param Rva A relative virtual address. */ PVOID PhReferenceFilePoolByRva( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Rva ) { ULONG segmentIndex; ULONG offset; PPH_FP_BLOCK_HEADER firstBlock; if (Rva == 0) return NULL; offset = PhFppDecodeRva(Pool, Rva, &segmentIndex); if (offset == ULONG_MAX) return NULL; firstBlock = PhFppReferenceSegment(Pool, segmentIndex); if (!firstBlock) return NULL; return PTR_ADD_OFFSET(firstBlock, offset); } /** * Decrements the reference count for the specified relative virtual address. * * \param Pool The file pool. * \param Rva A relative virtual address. */ BOOLEAN PhDereferenceFilePoolByRva( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Rva ) { ULONG segmentIndex; ULONG offset; offset = PhFppDecodeRva(Pool, Rva, &segmentIndex); if (offset == ULONG_MAX) return FALSE; PhFppDereferenceSegment(Pool, segmentIndex); return TRUE; } /** * Obtains a relative virtual address for a pointer. * * \param Pool The file pool. * \param Address A pointer. * * \return The relative virtual address. * * \remarks No reference counts are changed. */ ULONG PhEncodeRvaFilePool( _In_ PPH_FILE_POOL Pool, _In_ PVOID Address ) { PPH_FILE_POOL_VIEW view; if (!Address) return 0; view = PhFppFindViewByBase(Pool, Address); if (!view) PhRaiseStatus(STATUS_INVALID_PARAMETER_2); return PhFppEncodeRva(Pool, view->SegmentIndex, view->Base, Address); } /** * Retrieves user data. * * \param Pool The file pool. * \param Context A variable which receives the user data. */ VOID PhGetUserContextFilePool( _In_ PPH_FILE_POOL Pool, _Out_ PULONGLONG Context ) { *Context = Pool->Header->UserContext; } /** * Stores user data. * * \param Pool The file pool. * \param Context A variable which contains the user data. */ VOID PhSetUserContextFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PULONGLONG Context ) { Pool->Header->UserContext = *Context; } /** * Extends a file pool. * * \param Pool The file pool. * \param NewSize The new size of the file, in bytes. */ NTSTATUS PhFppExtendRange( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG NewSize ) { LARGE_INTEGER newSectionSize; newSectionSize.QuadPart = NewSize; return NtExtendSection(Pool->SectionHandle, &newSectionSize); } /** * Maps in a view of a file pool. * * \param Pool The file pool. * \param Offset The offset of the view, in bytes. * \param Size The size of the view, in bytes. * \param Base A variable which receives the base address of the view. */ NTSTATUS PhFppMapRange( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Offset, _In_ ULONG Size, _Out_ PVOID *Base ) { NTSTATUS status; PVOID baseAddress; LARGE_INTEGER sectionOffset; SIZE_T viewSize; baseAddress = NULL; sectionOffset.QuadPart = Offset; viewSize = Size; status = PhMapViewOfSection( Pool->SectionHandle, NtCurrentProcess(), &baseAddress, viewSize, §ionOffset, &viewSize, ViewUnmap, 0, !Pool->ReadOnly ? PAGE_READWRITE : PAGE_READONLY ); if (NT_SUCCESS(status)) *Base = baseAddress; return status; } /** * Unmaps a view of a file pool. * * \param Pool The file pool. * \param Base The base address of the view. */ NTSTATUS PhFppUnmapRange( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ) { return PhUnmapViewOfSection(NtCurrentProcess(), Base); } /** * Initializes a segment. * * \param Pool The file pool. * \param BlockOfSegmentHeader The block header of the span containing the segment header. * \param AdditionalBlocksUsed The number of blocks already allocated from the segment, excluding * the blocks comprising the segment header. */ VOID PhFppInitializeSegment( _Inout_ PPH_FILE_POOL Pool, _Out_ PPH_FP_BLOCK_HEADER BlockOfSegmentHeader, _In_ ULONG AdditionalBlocksUsed ) { PPH_FP_SEGMENT_HEADER segmentHeader; RTL_BITMAP bitmap; BlockOfSegmentHeader->Span = Pool->SegmentHeaderBlockSpan; segmentHeader = (PPH_FP_SEGMENT_HEADER)&BlockOfSegmentHeader->Body; RtlInitializeBitMap(&bitmap, segmentHeader->Bitmap, PH_FP_BLOCK_COUNT); RtlSetBits(&bitmap, 0, Pool->SegmentHeaderBlockSpan + AdditionalBlocksUsed); segmentHeader->FreeBlocks = PH_FP_BLOCK_COUNT - (Pool->SegmentHeaderBlockSpan + AdditionalBlocksUsed); segmentHeader->FreeFlink = ULONG_MAX; segmentHeader->FreeBlink = ULONG_MAX; } /** * Allocates a segment. * * \param Pool The file pool. * \param NewSegmentIndex A variable which receives the index of the new segment. * * \return A pointer to the first block of the segment. */ PPH_FP_BLOCK_HEADER PhFppAllocateSegment( _Inout_ PPH_FILE_POOL Pool, _Out_ PULONG NewSegmentIndex ) { ULONG newSize; ULONG segmentIndex; PPH_FP_BLOCK_HEADER firstBlock; PPH_FP_SEGMENT_HEADER segmentHeader; newSize = (Pool->Header->SegmentCount + 1) << Pool->SegmentShift; if (!NT_SUCCESS(PhFppExtendRange(Pool, newSize))) return NULL; segmentIndex = Pool->Header->SegmentCount++; firstBlock = PhFppReferenceSegment(Pool, segmentIndex); PhFppInitializeSegment(Pool, firstBlock, 0); segmentHeader = (PPH_FP_SEGMENT_HEADER)&firstBlock->Body; PhFppInsertFreeList(Pool, 0, segmentIndex, segmentHeader); *NewSegmentIndex = segmentIndex; return firstBlock; } /** * Retrieves the header of a segment. * * \param Pool The file pool. * \param FirstBlock The first block of the segment. */ PPH_FP_SEGMENT_HEADER PhFppGetHeaderSegment( _Inout_ PPH_FILE_POOL Pool, _In_ PPH_FP_BLOCK_HEADER FirstBlock ) { if (FirstBlock != Pool->FirstBlockOfFirstSegment) { return (PPH_FP_SEGMENT_HEADER)&FirstBlock->Body; } else { // In the first segment, the segment header is after the file header. return (PPH_FP_SEGMENT_HEADER)&((PPH_FP_BLOCK_HEADER)PTR_ADD_OFFSET(FirstBlock, (Pool->FileHeaderBlockSpan << Pool->BlockShift)))->Body; } } VOID PhFppAddViewByIndex( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { ULONG index; PLIST_ENTRY head; index = View->SegmentIndex & (Pool->ByIndexSize - 1); head = Pool->ByIndexBuckets[index]; if (head) { InsertHeadList(head, &View->ByIndexListEntry); } else { InitializeListHead(&View->ByIndexListEntry); Pool->ByIndexBuckets[index] = &View->ByIndexListEntry; } } VOID PhFppRemoveViewByIndex( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { ULONG index; PLIST_ENTRY head; index = View->SegmentIndex & (Pool->ByIndexSize - 1); head = Pool->ByIndexBuckets[index]; assert(head); // Unlink the entry from the chain. RemoveEntryList(&View->ByIndexListEntry); if (&View->ByIndexListEntry == head) { // This entry is currently the chain head. // If this was the last entry in the chain, then indicate that the chain is empty. // Otherwise, choose a new head. if (IsListEmpty(head)) Pool->ByIndexBuckets[index] = NULL; else Pool->ByIndexBuckets[index] = head->Flink; } } /** * Finds a view for the specified segment. * * \param Pool The file pool. * \param SegmentIndex The index of the segment. * * \return The view for the segment, or NULL if no view is present for the segment. */ PPH_FILE_POOL_VIEW PhFppFindViewByIndex( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ) { ULONG index; PLIST_ENTRY head; PLIST_ENTRY entry; PPH_FILE_POOL_VIEW view; index = SegmentIndex & (Pool->ByIndexSize - 1); head = Pool->ByIndexBuckets[index]; if (!head) return NULL; entry = head; do { view = CONTAINING_RECORD(entry, PH_FILE_POOL_VIEW, ByIndexListEntry); if (view->SegmentIndex == SegmentIndex) return view; entry = entry->Flink; } while (entry != head); return NULL; } _Function_class_(PH_AVL_TREE_COMPARE_FUNCTION) LONG NTAPI PhpFilePoolViewByBaseCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ) { PPH_FILE_POOL_VIEW view1 = CONTAINING_RECORD(Links1, PH_FILE_POOL_VIEW, ByBaseLinks); PPH_FILE_POOL_VIEW view2 = CONTAINING_RECORD(Links2, PH_FILE_POOL_VIEW, ByBaseLinks); return uintptrcmp((ULONG_PTR)view1->Base, (ULONG_PTR)view2->Base); } VOID PhFppAddViewByBase( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { PhAddElementAvlTree(&Pool->ByBaseSet, &View->ByBaseLinks); } VOID PhFppRemoveViewByBase( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { PhRemoveElementAvlTree(&Pool->ByBaseSet, &View->ByBaseLinks); } /** * Finds a view containing the specified address. * * \param Pool The file pool. * \param Base The address. * * \return The view containing the address, or NULL if no view is present for the address. */ PPH_FILE_POOL_VIEW PhFppFindViewByBase( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ) { PPH_FILE_POOL_VIEW view; PPH_AVL_LINKS links; PH_FILE_POOL_VIEW lookupView; // This is an approximate search to find the target view in which the specified address lies. lookupView.Base = Base; links = PhUpperDualBoundElementAvlTree(&Pool->ByBaseSet, &lookupView.ByBaseLinks); if (!links) return NULL; view = CONTAINING_RECORD(links, PH_FILE_POOL_VIEW, ByBaseLinks); if ((ULONG_PTR)Base < (ULONG_PTR)view->Base + Pool->SegmentSize) return view; return NULL; } PPH_FILE_POOL_VIEW PhFppCreateView( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ) { PPH_FILE_POOL_VIEW view; PVOID base; // Map in the segment. if (!NT_SUCCESS(PhFppMapRange(Pool, SegmentIndex << Pool->SegmentShift, Pool->SegmentSize, &base))) return NULL; // Create and add the view entry. view = PhAllocateFromFreeList(&Pool->ViewFreeList); memset(view, 0, sizeof(PH_FILE_POOL_VIEW)); view->RefCount = 1; view->SegmentIndex = SegmentIndex; view->Base = base; PhFppAddViewByIndex(Pool, view); PhFppAddViewByBase(Pool, view); return view; } VOID PhFppDestroyView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { PhFppUnmapRange(Pool, View->Base); PhFppRemoveViewByIndex(Pool, View); PhFppRemoveViewByBase(Pool, View); PhFreeToFreeList(&Pool->ViewFreeList, View); } VOID PhFppActivateView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { RemoveEntryList(&View->InactiveViewsListEntry); Pool->NumberOfInactiveViews--; } VOID PhFppDeactivateView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { InsertHeadList(&Pool->InactiveViewsListHead, &View->InactiveViewsListEntry); Pool->NumberOfInactiveViews++; // If we have too many inactive views, destroy the least recent ones. while (Pool->NumberOfInactiveViews > Pool->MaximumInactiveViews) { PLIST_ENTRY lruEntry; PPH_FILE_POOL_VIEW lruView; lruEntry = RemoveTailList(&Pool->InactiveViewsListHead); Pool->NumberOfInactiveViews--; assert(lruEntry != &Pool->InactiveViewsListHead); lruView = CONTAINING_RECORD(lruEntry, PH_FILE_POOL_VIEW, InactiveViewsListEntry); PhFppDestroyView(Pool, lruView); } } VOID PhFppReferenceView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { if (View->RefCount == 0) { // The view is inactive, so make it active. PhFppActivateView(Pool, View); } View->RefCount++; } VOID PhFppDereferenceView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ) { if (--View->RefCount == 0) { if (View->SegmentIndex == 0) PhRaiseStatus(STATUS_INTERNAL_ERROR); PhFppDeactivateView(Pool, View); } } PPH_FP_BLOCK_HEADER PhFppReferenceSegment( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ) { PPH_FILE_POOL_VIEW view; // Validate parameters. if (SegmentIndex != 0 && SegmentIndex >= Pool->Header->SegmentCount) return NULL; // Try to get a cached view. view = PhFppFindViewByIndex(Pool, SegmentIndex); if (view) { PhFppReferenceView(Pool, view); return (PPH_FP_BLOCK_HEADER)view->Base; } // No cached view, so create one. view = PhFppCreateView(Pool, SegmentIndex); if (!view) return NULL; return (PPH_FP_BLOCK_HEADER)view->Base; } VOID PhFppDereferenceSegment( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ) { PPH_FILE_POOL_VIEW view; view = PhFppFindViewByIndex(Pool, SegmentIndex); if (!view) PhRaiseStatus(STATUS_INTERNAL_ERROR); PhFppDereferenceView(Pool, view); } VOID PhFppReferenceSegmentByBase( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ) { PPH_FILE_POOL_VIEW view; view = PhFppFindViewByBase(Pool, Base); if (!view) PhRaiseStatus(STATUS_INTERNAL_ERROR); PhFppReferenceView(Pool, view); } VOID PhFppDereferenceSegmentByBase( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ) { PPH_FILE_POOL_VIEW view; view = PhFppFindViewByBase(Pool, Base); if (!view) PhRaiseStatus(STATUS_INTERNAL_ERROR); PhFppDereferenceView(Pool, view); } /** * Allocates blocks from a segment. * * \param Pool The file pool. * \param FirstBlock The first block of the segment. * \param SegmentHeader The header of the segment. * \param NumberOfBlocks The number of blocks to allocate. * * \return The header of the allocated span, or NULL if there is an insufficient number of * contiguous free blocks for the allocation. */ PPH_FP_BLOCK_HEADER PhFppAllocateBlocks( _Inout_ PPH_FILE_POOL Pool, _In_ PPH_FP_BLOCK_HEADER FirstBlock, _Inout_ PPH_FP_SEGMENT_HEADER SegmentHeader, _In_ ULONG NumberOfBlocks ) { RTL_BITMAP bitmap; ULONG hintIndex; ULONG foundIndex; PPH_FP_BLOCK_HEADER blockHeader; if (FirstBlock != Pool->FirstBlockOfFirstSegment) hintIndex = Pool->SegmentHeaderBlockSpan; else hintIndex = Pool->SegmentHeaderBlockSpan + Pool->FileHeaderBlockSpan; RtlInitializeBitMap(&bitmap, SegmentHeader->Bitmap, PH_FP_BLOCK_COUNT); // Find a range of free blocks and mark them as in-use. foundIndex = RtlFindClearBitsAndSet(&bitmap, NumberOfBlocks, hintIndex); if (foundIndex == ULONG_MAX) { // No more space. return NULL; } SegmentHeader->FreeBlocks -= NumberOfBlocks; blockHeader = (PPH_FP_BLOCK_HEADER)PTR_ADD_OFFSET(FirstBlock, (foundIndex << Pool->BlockShift)); blockHeader->Flags = 0; blockHeader->Span = NumberOfBlocks; return blockHeader; } /** * Frees blocks in a segment. * * \param Pool The file pool. * \param FirstBlock The first block of the segment. * \param SegmentHeader The header of the segment. * \param BlockHeader The header of the allocated span. */ VOID PhFppFreeBlocks( _Inout_ PPH_FILE_POOL Pool, _In_ PPH_FP_BLOCK_HEADER FirstBlock, _Inout_ PPH_FP_SEGMENT_HEADER SegmentHeader, _In_ PPH_FP_BLOCK_HEADER BlockHeader ) { RTL_BITMAP bitmap; ULONG startIndex; ULONG blockSpan; RtlInitializeBitMap(&bitmap, SegmentHeader->Bitmap, PH_FP_BLOCK_COUNT); // Mark the blocks as free. startIndex = PtrToUlong(PTR_SUB_OFFSET(BlockHeader, FirstBlock)) >> Pool->BlockShift; blockSpan = BlockHeader->Span; RtlClearBits(&bitmap, startIndex, blockSpan); SegmentHeader->FreeBlocks += blockSpan; } /** * Computes the free list index (category) for a specified number of blocks. * * \param Pool The file pool. * \param NumberOfBlocks The number of free or required blocks. */ ULONG PhFppComputeFreeListIndex( _In_ PPH_FILE_POOL Pool, _In_ ULONG NumberOfBlocks ) { // Use a binary tree to speed up comparison. if (NumberOfBlocks >= PH_FP_BLOCK_COUNT / 64) { if (NumberOfBlocks >= PH_FP_BLOCK_COUNT / 2) { if (NumberOfBlocks >= PH_FP_BLOCK_COUNT - Pool->SegmentHeaderBlockSpan) return 0; else return 1; } else { if (NumberOfBlocks >= PH_FP_BLOCK_COUNT / 16) return 2; else return 3; } } else { if (NumberOfBlocks >= 4) { if (NumberOfBlocks >= PH_FP_BLOCK_COUNT / 256) return 4; else return 5; } else { if (NumberOfBlocks >= 1) return 6; else return 7; } } } /** * Inserts a segment into a free list. * * \param Pool The file pool. * \param FreeListIndex The index of a free list. * \param SegmentIndex The index of the segment. * \param SegmentHeader The header of the segment. */ BOOLEAN PhFppInsertFreeList( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG FreeListIndex, _In_ ULONG SegmentIndex, _In_ PPH_FP_SEGMENT_HEADER SegmentHeader ) { ULONG oldSegmentIndex; PPH_FP_BLOCK_HEADER oldSegmentFirstBlock = NULL; PPH_FP_SEGMENT_HEADER oldSegmentHeader; oldSegmentIndex = Pool->Header->FreeLists[FreeListIndex]; // Try to reference the segment before we commit any changes. if (oldSegmentIndex != ULONG_MAX) { oldSegmentFirstBlock = PhFppReferenceSegment(Pool, oldSegmentIndex); if (!oldSegmentFirstBlock) return FALSE; } // Insert the segment into the list. SegmentHeader->FreeBlink = ULONG_MAX; SegmentHeader->FreeFlink = oldSegmentIndex; Pool->Header->FreeLists[FreeListIndex] = SegmentIndex; if (oldSegmentIndex != ULONG_MAX) { oldSegmentHeader = PhFppGetHeaderSegment(Pool, oldSegmentFirstBlock); oldSegmentHeader->FreeBlink = SegmentIndex; PhFppDereferenceSegment(Pool, oldSegmentIndex); } return TRUE; } /** * Removes a segment from a free list. * * \param Pool The file pool. * \param FreeListIndex The index of a free list. * \param SegmentIndex The index of the segment. * \param SegmentHeader The header of the segment. */ BOOLEAN PhFppRemoveFreeList( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG FreeListIndex, _In_ ULONG SegmentIndex, _In_ PPH_FP_SEGMENT_HEADER SegmentHeader ) { ULONG flinkSegmentIndex; PPH_FP_BLOCK_HEADER flinkSegmentFirstBlock = NULL; PPH_FP_SEGMENT_HEADER flinkSegmentHeader = NULL; ULONG blinkSegmentIndex; PPH_FP_BLOCK_HEADER blinkSegmentFirstBlock = NULL; PPH_FP_SEGMENT_HEADER blinkSegmentHeader = NULL; flinkSegmentIndex = SegmentHeader->FreeFlink; blinkSegmentIndex = SegmentHeader->FreeBlink; // Try to reference the segments before we commit any changes. if (flinkSegmentIndex != ULONG_MAX) { flinkSegmentFirstBlock = PhFppReferenceSegment(Pool, flinkSegmentIndex); if (!flinkSegmentFirstBlock) return FALSE; } if (blinkSegmentIndex != ULONG_MAX) { blinkSegmentFirstBlock = PhFppReferenceSegment(Pool, blinkSegmentIndex); if (!blinkSegmentFirstBlock) { if (flinkSegmentIndex != ULONG_MAX) PhFppDereferenceSegment(Pool, flinkSegmentIndex); return FALSE; } } // Unlink the segment from the list. if (flinkSegmentIndex != ULONG_MAX) { flinkSegmentHeader = PhFppGetHeaderSegment(Pool, flinkSegmentFirstBlock); flinkSegmentHeader->FreeBlink = blinkSegmentIndex; PhFppDereferenceSegment(Pool, flinkSegmentIndex); } if (blinkSegmentIndex != ULONG_MAX) { blinkSegmentHeader = PhFppGetHeaderSegment(Pool, blinkSegmentFirstBlock); blinkSegmentHeader->FreeFlink = flinkSegmentIndex; PhFppDereferenceSegment(Pool, blinkSegmentIndex); } else { // The segment was the list head; select a new one. Pool->Header->FreeLists[FreeListIndex] = flinkSegmentIndex; } return TRUE; } /** * Retrieves the header of a block. * * \param Pool The file pool. * \param Block A pointer to the body of the block. */ PPH_FP_BLOCK_HEADER PhFppGetHeaderBlock( _In_ PPH_FILE_POOL Pool, _In_ PVOID Block ) { return CONTAINING_RECORD(Block, PH_FP_BLOCK_HEADER, Body); } /** * Creates a relative virtual address. * * \param Pool The file pool. * \param SegmentIndex The index of the segment containing \a Address. * \param FirstBlock The first block of the segment containing \a Address. * \param Address An address. */ ULONG PhFppEncodeRva( _In_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex, _In_ PPH_FP_BLOCK_HEADER FirstBlock, _In_ PVOID Address ) { return (SegmentIndex << Pool->SegmentShift) + PtrToUlong(PTR_SUB_OFFSET(Address, FirstBlock)); } /** * Decodes a relative virtual address. * * \param Pool The file pool. * \param Rva The relative virtual address. * \param SegmentIndex A variable which receives the segment index. * * \return An offset into the segment specified by \a SegmentIndex, or -1 if \a Rva is invalid. */ ULONG PhFppDecodeRva( _In_ PPH_FILE_POOL Pool, _In_ ULONG Rva, _Out_ PULONG SegmentIndex ) { ULONG segmentIndex; segmentIndex = Rva >> Pool->SegmentShift; if (segmentIndex >= Pool->Header->SegmentCount) return ULONG_MAX; *SegmentIndex = segmentIndex; return Rva & (Pool->SegmentSize - 1); } ================================================ FILE: phlib/filestream.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * */ #include #include #include PPH_OBJECT_TYPE PhFileStreamType = NULL; /** * Creates a file stream from a file path. * * \param FileStream Receives the new file stream object. * \param FileName Path to the file to open. * \param DesiredAccess Requested access mask. * \param ShareAccess Share access flags. * \param CreateDisposition Create/open disposition for the file. * \param Flags Stream creation flags (buffering, append, asynchronous, etc.) * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateFileStream( _Out_ PPH_FILE_STREAM *FileStream, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG Flags ) { NTSTATUS status; PPH_FILE_STREAM fileStream; HANDLE fileHandle; ULONG createOptions; if (Flags & PH_FILE_STREAM_ASYNCHRONOUS) createOptions = FILE_NON_DIRECTORY_FILE; else createOptions = FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT; if (!NT_SUCCESS(status = PhCreateFileWin32( &fileHandle, FileName, DesiredAccess, FILE_ATTRIBUTE_NORMAL, ShareAccess, CreateDisposition, createOptions ))) return status; if (!NT_SUCCESS(status = PhCreateFileStream2( &fileStream, fileHandle, Flags, PAGE_SIZE ))) { NtClose(fileHandle); return status; } if (Flags & PH_FILE_STREAM_APPEND) { LARGE_INTEGER zero; zero.QuadPart = 0; if (!NT_SUCCESS(status = PhSeekFileStream( fileStream, &zero, SeekEnd ))) { PhDereferenceObject(fileStream); return status; } } *FileStream = fileStream; return status; } /** * Creates a file stream from an existing file handle. * * \param FileStream Receives the new file stream object. * \param FileHandle Open file handle (ownership depends on flags). * \param Flags Stream flags (buffering, unowned handle, etc.) * \param BufferLength Buffer size used for buffered operations. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateFileStream2( _Out_ PPH_FILE_STREAM *FileStream, _In_ HANDLE FileHandle, _In_ ULONG Flags, _In_ ULONG BufferLength ) { static PH_INITONCE fileStreamInitOnce = PH_INITONCE_INIT; PPH_FILE_STREAM fileStream; if (PhBeginInitOnce(&fileStreamInitOnce)) { PH_OBJECT_TYPE_PARAMETERS parameters; parameters.FreeListSize = sizeof(PH_FILE_STREAM); parameters.FreeListCount = 16; PhFileStreamType = PhCreateObjectTypeEx( L"FileStream", PH_OBJECT_TYPE_USE_FREE_LIST, PhpFileStreamDeleteProcedure, ¶meters ); PhEndInitOnce(&fileStreamInitOnce); } fileStream = PhCreateObject(sizeof(PH_FILE_STREAM), PhFileStreamType); fileStream->FileHandle = FileHandle; fileStream->Flags = Flags; fileStream->Position.QuadPart = 0; if (!(Flags & PH_FILE_STREAM_UNBUFFERED)) { fileStream->Buffer = NULL; fileStream->BufferLength = BufferLength; } else { fileStream->Buffer = NULL; fileStream->BufferLength = 0; } fileStream->ReadPosition = 0; fileStream->ReadLength = 0; fileStream->WritePosition = 0; *FileStream = fileStream; return STATUS_SUCCESS; } /** * The object delete procedure for file stream objects ensures * buffers are flushed, closes the handle if owned, and frees the buffer. * * \param Object The file stream object being deleted. * \param Flags Delete flags (unused). */ _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpFileStreamDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_FILE_STREAM fileStream = (PPH_FILE_STREAM)Object; PhFlushFileStream(fileStream, FALSE); if (!(fileStream->Flags & PH_FILE_STREAM_HANDLE_UNOWNED)) NtClose(fileStream->FileHandle); if (fileStream->Buffer) PhFreePage(fileStream->Buffer); } /** * Verifies that a file stream's position matches the position held by the file object. */ VOID PhVerifyFileStream( _In_ PPH_FILE_STREAM FileStream ) { NTSTATUS status; // If the file object is asynchronous, the file object doesn't maintain its position. if (!(FileStream->Flags & ( PH_FILE_STREAM_OWN_POSITION | PH_FILE_STREAM_ASYNCHRONOUS ))) { FILE_POSITION_INFORMATION positionInfo; IO_STATUS_BLOCK isb; if (!NT_SUCCESS(status = NtQueryInformationFile( FileStream->FileHandle, &isb, &positionInfo, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation ))) PhRaiseStatus(status); if (FileStream->Position.QuadPart != positionInfo.CurrentByteOffset.QuadPart) PhRaiseStatus(STATUS_INTERNAL_ERROR); } } /** * Allocates the page-aligned buffer for a buffered file stream. * * \param FileStream Stream requiring a buffer. * \return STATUS_SUCCESS on success or STATUS_NO_MEMORY. */ NTSTATUS PhpAllocateBufferFileStream( _Inout_ PPH_FILE_STREAM FileStream ) { FileStream->Buffer = PhAllocatePage(FileStream->BufferLength, NULL); if (FileStream->Buffer) return STATUS_SUCCESS; else return STATUS_NO_MEMORY; } /** * Performs a raw read from the underlying file object (unbuffered). * * \param FileStream Stream to read from. * \param Buffer Destination buffer. * \param Length Number of bytes to read. * \param ReadLength Receives number of bytes actually read (optional). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpReadFileStream( _Inout_ PPH_FILE_STREAM FileStream, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG ReadLength ) { NTSTATUS status; IO_STATUS_BLOCK isb; PLARGE_INTEGER position; position = NULL; if (FileStream->Flags & PH_FILE_STREAM_OWN_POSITION) position = &FileStream->Position; status = NtReadFile( FileStream->FileHandle, NULL, NULL, NULL, &isb, Buffer, Length, position, NULL ); if (status == STATUS_PENDING) { // Wait for the operation to finish. This probably means we got called on an asynchronous // file object. status = NtWaitForSingleObject(FileStream->FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (NT_SUCCESS(status)) { FileStream->Position.QuadPart += isb.Information; if (ReadLength) *ReadLength = (ULONG)isb.Information; } return status; } /** * Reads from a file stream with optional buffering. If the stream is unbuffered * this forwards to the raw read routine. For buffered streams it satisfies * reads from the internal buffer where possible and fills it as needed. * * \param FileStream Stream to read from. * \param Buffer Destination buffer. * \param Length Number of bytes to read. * \param ReadLength Receives number of bytes read (optional). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhReadFileStream( _Inout_ PPH_FILE_STREAM FileStream, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG ReadLength ) { NTSTATUS status = STATUS_SUCCESS; ULONG availableLength; ULONG readLength; if (FileStream->Flags & PH_FILE_STREAM_UNBUFFERED) { return PhpReadFileStream( FileStream, Buffer, Length, ReadLength ); } // How much do we have available to copy out of the buffer? availableLength = FileStream->ReadLength - FileStream->ReadPosition; if (availableLength == 0) { // Make sure buffered writes are flushed. if (FileStream->WritePosition != 0) { if (!NT_SUCCESS(status = PhpFlushWriteFileStream(FileStream))) return status; } // If this read is too big, pass it through. if (Length >= FileStream->BufferLength) { // These are now invalid. FileStream->ReadPosition = 0; FileStream->ReadLength = 0; return PhpReadFileStream( FileStream, Buffer, Length, ReadLength ); } if (!FileStream->Buffer) { if (!NT_SUCCESS(status = PhpAllocateBufferFileStream(FileStream))) return status; } // Read as much as we can into our buffer. if (!NT_SUCCESS(status = PhpReadFileStream( FileStream, FileStream->Buffer, FileStream->BufferLength, &readLength ))) return status; if (readLength == 0) { // No data read. if (ReadLength) *ReadLength = readLength; return status; } FileStream->ReadPosition = 0; FileStream->ReadLength = readLength; } else { readLength = availableLength; } if (readLength > Length) readLength = Length; // Try to satisfy the request from the buffer. memcpy( Buffer, PTR_ADD_OFFSET(FileStream->Buffer, FileStream->ReadPosition), readLength ); FileStream->ReadPosition += readLength; // If we didn't completely satisfy the request, read some more. if ( readLength < Length && // Don't try to read more if the buffer wasn't even filled up last time. (No more to read.) FileStream->ReadLength == FileStream->BufferLength ) { ULONG readLength2; if (NT_SUCCESS(status = PhpReadFileStream( FileStream, PTR_ADD_OFFSET(Buffer, readLength), Length - readLength, &readLength2 ))) { readLength += readLength2; // These are now invalid. FileStream->ReadPosition = 0; FileStream->ReadLength = 0; } } if (NT_SUCCESS(status)) { if (ReadLength) *ReadLength = readLength; } return status; } /** * Performs a raw write to the underlying file object (unbuffered). * * \param FileStream Stream to write to. * \param Buffer Source buffer. * \param Length Number of bytes to write. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpWriteFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ) { NTSTATUS status; IO_STATUS_BLOCK isb; PLARGE_INTEGER position; position = NULL; if (FileStream->Flags & PH_FILE_STREAM_OWN_POSITION) position = &FileStream->Position; status = NtWriteFile( FileStream->FileHandle, NULL, NULL, NULL, &isb, Buffer, Length, position, NULL ); if (status == STATUS_PENDING) { // Wait for the operation to finish. This probably means we got called on an asynchronous // file object. status = NtWaitForSingleObject(FileStream->FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (NT_SUCCESS(status)) { FileStream->Position.QuadPart += isb.Information; FileStream->Flags |= PH_FILE_STREAM_WRITTEN; } return status; } /** * Writes to a file stream with optional buffering. For buffered streams * this will append to the internal buffer and flush as needed. For * unbuffered streams this forwards to the raw write routine. * * \param FileStream Stream to write to. * \param Buffer Source buffer. * \param Length Number of bytes to write. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhWriteFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ) { NTSTATUS status = STATUS_SUCCESS; ULONG availableLength; ULONG writtenLength; if (FileStream->Flags & PH_FILE_STREAM_UNBUFFERED) { return PhpWriteFileStream( FileStream, Buffer, Length ); } if (FileStream->WritePosition == 0) { // Make sure buffered reads are flushed. if (!NT_SUCCESS(status = PhpFlushReadFileStream(FileStream))) return status; } if (FileStream->WritePosition != 0) { availableLength = FileStream->BufferLength - FileStream->WritePosition; // Try to satisfy the request by copying the data to the buffer. if (availableLength != 0) { writtenLength = availableLength; if (writtenLength > Length) writtenLength = Length; memcpy( PTR_ADD_OFFSET(FileStream->Buffer, FileStream->WritePosition), Buffer, writtenLength ); FileStream->WritePosition += writtenLength; if (writtenLength == Length) { // The request has been completely satisfied. return status; } Buffer = PTR_ADD_OFFSET(Buffer, writtenLength); Length -= writtenLength; } // If we didn't completely satisfy the request, it's because the buffer is full. Flush it. if (!NT_SUCCESS(status = PhpWriteFileStream( FileStream, FileStream->Buffer, FileStream->WritePosition ))) return status; FileStream->WritePosition = 0; } // If the write is too big, pass it through. if (Length >= FileStream->BufferLength) { if (!NT_SUCCESS(status = PhpWriteFileStream( FileStream, Buffer, Length ))) return status; } else if (Length != 0) { if (!FileStream->Buffer) { if (!NT_SUCCESS(status = PhpAllocateBufferFileStream(FileStream))) return status; } // Completely satisfy the request by copying the data to the buffer. memcpy( FileStream->Buffer, Buffer, Length ); FileStream->WritePosition = Length; } return status; } /** * Flushes any buffered read state back to the file position. If there is unread * buffered data the stream position is moved backward to the first unread byte * and subsequent reads align with the file object. * * \param FileStream Stream to flush read buffer from. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpFlushReadFileStream( _Inout_ PPH_FILE_STREAM FileStream ) { NTSTATUS status = STATUS_SUCCESS; if (FileStream->ReadLength - FileStream->ReadPosition != 0) { LARGE_INTEGER offset; // We have some buffered read data, so our position is too far ahead. We need to move it // back to the first unused byte. offset.QuadPart = -(LONG)(FileStream->ReadLength - FileStream->ReadPosition); if (!NT_SUCCESS(status = PhpSeekFileStream( FileStream, &offset, SeekCurrent ))) return status; } FileStream->ReadPosition = 0; FileStream->ReadLength = 0; return status; } /** * Flushes any buffered write data to the underlying file. * * \param FileStream Stream to flush. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpFlushWriteFileStream( _Inout_ PPH_FILE_STREAM FileStream ) { NTSTATUS status = STATUS_SUCCESS; if (!NT_SUCCESS(status = PhpWriteFileStream( FileStream, FileStream->Buffer, FileStream->WritePosition ))) return status; FileStream->WritePosition = 0; return status; } /** * Flushes the file stream buffers and optionally flushes the file through the OS. * * \param FileStream A file stream object. * \param Full TRUE to flush the file object through the operating system, otherwise FALSE to only * ensure the buffer is flushed to the operating system. */ NTSTATUS PhFlushFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ BOOLEAN Full ) { NTSTATUS status = STATUS_SUCCESS; if (FileStream->WritePosition != 0) { if (!NT_SUCCESS(status = PhpFlushWriteFileStream(FileStream))) return status; } if (FileStream->ReadPosition != 0) { if (!NT_SUCCESS(status = PhpFlushReadFileStream(FileStream))) return status; } if (Full && (FileStream->Flags & PH_FILE_STREAM_WRITTEN)) { IO_STATUS_BLOCK isb; if (!NT_SUCCESS(status = NtFlushBuffersFile( FileStream->FileHandle, &isb ))) return status; } return status; } /** * Retrieves the logical position within the stream (taking buffered state into account). * * \param FileStream Stream to query. * \param Position Receives the calculated position. */ VOID PhGetPositionFileStream( _In_ PPH_FILE_STREAM FileStream, _Out_ PLARGE_INTEGER Position ) { Position->QuadPart = FileStream->Position.QuadPart + (FileStream->ReadPosition - FileStream->ReadLength) + FileStream->WritePosition; } /** * Performs a seek operation that updates the internal position variable and, if required, * writes the position to the underlying file object. This does not account for buffered * read/write state; use PhSeekFileStream to handle buffers. * * \param FileStream Stream to seek. * \param Offset Offset value (interpretation per Origin). * \param Origin Seek origin (SeekStart, SeekCurrent, SeekEnd). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpSeekFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Offset, _In_ PH_SEEK_ORIGIN Origin ) { NTSTATUS status = STATUS_SUCCESS; switch (Origin) { case SeekStart: { FileStream->Position = *Offset; } break; case SeekCurrent: { FileStream->Position.QuadPart += Offset->QuadPart; } break; case SeekEnd: { if (!NT_SUCCESS(status = PhGetFileSize( FileStream->FileHandle, &FileStream->Position ))) return status; FileStream->Position.QuadPart += Offset->QuadPart; } break; } if (!(FileStream->Flags & PH_FILE_STREAM_OWN_POSITION)) { FILE_POSITION_INFORMATION positionInfo; IO_STATUS_BLOCK isb; positionInfo.CurrentByteOffset = FileStream->Position; if (!NT_SUCCESS(status = NtSetInformationFile( FileStream->FileHandle, &isb, &positionInfo, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation ))) return status; } return status; } /** * Public seek that handles buffered state (flushes writes, adjusts for buffered reads). * * \param FileStream Stream to seek. * \param Offset Offset value (interpretation per Origin). * \param Origin Seek origin (SeekStart, SeekCurrent, SeekEnd). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSeekFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Offset, _In_ PH_SEEK_ORIGIN Origin ) { NTSTATUS status = STATUS_SUCCESS; LARGE_INTEGER offset; offset = *Offset; if (FileStream->WritePosition != 0) { if (!NT_SUCCESS(status = PhpFlushWriteFileStream(FileStream))) return status; } else if (FileStream->ReadPosition != 0) { if (Origin == SeekCurrent) { // We have buffered read data, which means our position is too far ahead. Subtract this // difference from the offset (which will affect the position accordingly). offset.QuadPart -= FileStream->ReadLength - FileStream->ReadPosition; } // TODO: Try to keep some of the read buffer. FileStream->ReadPosition = 0; FileStream->ReadLength = 0; } if (!NT_SUCCESS(status = PhpSeekFileStream( FileStream, &offset, Origin ))) return status; return status; } /** * Locks a byte range in the file. * * \param FileStream Stream containing the file handle. * \param Position Starting byte offset to lock. * \param Length Length of the region to lock. * \param Wait If TRUE, wait for the lock; otherwise return immediately if unavailable. * \param Shared If TRUE, acquire a shared lock; otherwise exclusive. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhLockFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Position, _In_ PLARGE_INTEGER Length, _In_ BOOLEAN Wait, _In_ BOOLEAN Shared ) { NTSTATUS status; IO_STATUS_BLOCK isb; status = NtLockFile( FileStream->FileHandle, NULL, NULL, NULL, &isb, Position, Length, 0, !Wait, !Shared ); if (status == STATUS_PENDING) { // Wait for the operation to finish. This probably means we got called on an asynchronous // file object. NtWaitForSingleObject(FileStream->FileHandle, FALSE, NULL); status = isb.Status; } return status; } /** * Unlocks a previously locked byte range. * * \param FileStream Stream containing the file handle. * \param Position Starting byte offset of the locked region. * \param Length Length of the region to unlock. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhUnlockFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Position, _In_ PLARGE_INTEGER Length ) { IO_STATUS_BLOCK isb; return NtUnlockFile( FileStream->FileHandle, &isb, Position, Length, 0 ); } /** * Sets the allocation and end-of-file size for the file. * * \param FileStream Stream containing the file handle. * \param AllocationSize Desired allocation / end-of-file size. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetAllocationSizeFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER AllocationSize ) { NTSTATUS status; IO_STATUS_BLOCK isb; FILE_END_OF_FILE_INFORMATION endOfFileInfo; FILE_ALLOCATION_INFORMATION allocationInfo; memset(&endOfFileInfo, 0, sizeof(FILE_END_OF_FILE_INFORMATION)); endOfFileInfo.EndOfFile.QuadPart = AllocationSize->QuadPart; if (!NT_SUCCESS(status = NtSetInformationFile( FileStream->FileHandle, &isb, &endOfFileInfo, sizeof(FILE_END_OF_FILE_INFORMATION), FileEndOfFileInformation ))) return status; memset(&allocationInfo, 0, sizeof(FILE_ALLOCATION_INFORMATION)); allocationInfo.AllocationSize.QuadPart = AllocationSize->QuadPart; if (!NT_SUCCESS(status = NtSetInformationFile( FileStream->FileHandle, &isb, &allocationInfo, sizeof(FILE_ALLOCATION_INFORMATION), FileAllocationInformation ))) return status; return status; } /** * Writes a Unicode string as UTF-8 to the stream. * * \param FileStream Stream to write to. * \param String String reference to write. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhWriteStringAsUtf8FileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PPH_STRINGREF String ) { return PhWriteStringAsUtf8FileStreamEx(FileStream, String->Buffer, String->Length); } /** * Writes a UTF-16 buffer as UTF-8 to the stream, handling large buffers in chunks. * * \param FileStream Stream to write to. * \param Buffer UTF-16 buffer to convert and write. * \param Length The length of Buffer in bytes. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhWriteStringAsUtf8FileStreamEx( _Inout_ PPH_FILE_STREAM FileStream, _In_ PCWSTR Buffer, _In_ SIZE_T Length ) { NTSTATUS status = STATUS_SUCCESS; PH_STRINGREF block; SIZE_T inPlaceUtf8Size = 0; PCHAR inPlaceUtf8 = NULL; PPH_BYTES utf8 = NULL; if (Length > PAGE_SIZE) { // In UTF-8, the maximum number of bytes per code point is 4. inPlaceUtf8Size = PAGE_SIZE / sizeof(WCHAR) * 4; inPlaceUtf8 = PhAllocatePage(inPlaceUtf8Size, NULL); } while (Length != 0) { block.Buffer = (PWCH)Buffer; block.Length = PAGE_SIZE; if (block.Length > Length) block.Length = Length; if (inPlaceUtf8) { SIZE_T bytesInUtf8String; status = PhConvertUtf16ToUtf8Buffer( inPlaceUtf8, inPlaceUtf8Size, &bytesInUtf8String, block.Buffer, block.Length ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWriteFileStream(FileStream, inPlaceUtf8, (ULONG)bytesInUtf8String); } else { utf8 = PhConvertUtf16ToUtf8Ex(block.Buffer, block.Length); if (!utf8) { status = STATUS_INVALID_PARAMETER; goto CleanupExit; } status = PhWriteFileStream(FileStream, utf8->Buffer, (ULONG)utf8->Length); PhDereferenceObject(utf8); } if (!NT_SUCCESS(status)) goto CleanupExit; Buffer += block.Length / sizeof(WCHAR); Length -= block.Length; } CleanupExit: if (inPlaceUtf8) PhFreePage(inPlaceUtf8); return status; } /** * Formats a Unicode string (va_list) and writes it as UTF-8 to the stream. * * \param FileStream Stream to write to. * \param Format printf-style format string. * \param ArgPtr Variadic arguments (va_list). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhWriteStringFormatAsUtf8FileStream_V( _Inout_ PPH_FILE_STREAM FileStream, _In_ _Printf_format_string_ PCWSTR Format, _In_ va_list ArgPtr ) { NTSTATUS status; PPH_STRING string; string = PhFormatString_V(Format, ArgPtr); status = PhWriteStringAsUtf8FileStream(FileStream, &string->sr); PhDereferenceObject(string); return status; } /** * Formats a Unicode string and writes it as UTF-8 to the stream. * * \param FileStream Stream to write to. * \param Format printf-style format string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhWriteStringFormatAsUtf8FileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ _Printf_format_string_ PCWSTR Format, ... ) { NTSTATUS status; va_list argptr; va_start(argptr, Format); status = PhWriteStringFormatAsUtf8FileStream_V(FileStream, Format, argptr); va_end(argptr); return status; } ================================================ FILE: phlib/firmware.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025 * */ #include #include #include // https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/feature-discovery // private typedef enum _HV_CPUID_FUNCTION { HvCpuIdFunctionVersionAndFeatures = 0x00000001, // CPUID.01h.ECX:31 // if set, virtualization present HvCpuIdFunctionHvVendorAndMaxFunction = 0x40000000, // HV_VENDOR_AND_MAX_FUNCTION HvCpuIdFunctionHvInterface = 0x40000001, // HV_HYPERVISOR_INTERFACE_INFO HvCpuIdFunctionMsHvVersion = 0x40000002, // HV_HYPERVISOR_VERSION_INFO HvCpuIdFunctionMsHvFeatures = 0x40000003, // HV_HYPERVISOR_FEATURES/HV_X64_HYPERVISOR_FEATURES HvCpuIdFunctionMsHvEnlightenmentInformation = 0x40000004, // HV_ENLIGHTENMENT_INFORMATION HvCpuIdFunctionMsHvImplementationLimits = 0x40000005, // HV_IMPLEMENTATION_LIMITS HvCpuIdFunctionMsHvHardwareFeatures = 0x40000006, // HV_X64_HYPERVISOR_HARDWARE_FEATURES HvCpuIdFunctionMsHvCpuManagementFeatures = 0x40000007, // HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES HvCpuIdFunctionMsHvSvmFeatures = 0x40000008, // HV_HYPERVISOR_SVM_FEATURES HvCpuIdFunctionMsHvSkipLevelFeatures = 0x40000009, // HV_HYPERVISOR_SKIP_LEVEL_FEATURES // 1511+ HvCpuidFunctionMsHvNestedVirtFeatures = 0x4000000A, // HV_HYPERVISOR_NESTED_VIRT_FEATURES HvCpuidFunctionMsHvIptFeatures = 0x4000000B, // HV_HYPERVISOR_IPT_FEATURES // 1903+ HvCpuIdFunctionMaxReserved } HV_CPUID_FUNCTION, *PHV_CPUID_FUNCTION; // https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/datatypes/hv_partition_privilege_mask typedef union _HV_PARTITION_PRIVILEGE_MASK { struct { // Access to virtual MSRs UINT64 AccessVpRunTimeReg : 1; UINT64 AccessPartitionReferenceCounter : 1; UINT64 AccessSynicRegs : 1; UINT64 AccessSyntheticTimerRegs : 1; UINT64 AccessIntrCtrlRegs : 1; UINT64 AccessHypercallMsrs : 1; UINT64 AccessVpIndex : 1; UINT64 AccessResetReg : 1; UINT64 AccessStatsReg : 1; UINT64 AccessPartitionReferenceTsc : 1; UINT64 AccessGuestIdleReg : 1; UINT64 AccessFrequencyRegs : 1; UINT64 AccessDebugRegs : 1; UINT64 AccessReenlightenmentControls : 1; UINT64 Reserved1 : 18; // Access to hypercalls UINT64 CreatePartitions : 1; UINT64 AccessPartitionId : 1; UINT64 AccessMemoryPool : 1; UINT64 Reserved2 : 1; UINT64 PostMessages : 1; UINT64 SignalEvents : 1; UINT64 CreatePort : 1; UINT64 ConnectPort : 1; UINT64 AccessStats : 1; UINT64 Reserved3 : 2; UINT64 Debugging : 1; UINT64 CpuManagement : 1; UINT64 Reserved4 : 1; UINT64 Reserved5 : 1; UINT64 Reserved6 : 1; UINT64 AccessVSM : 1; UINT64 AccessVpRegisters : 1; UINT64 Reserved7 : 1; UINT64 Reserved8 : 1; UINT64 EnableExtendedHypercalls : 1; UINT64 StartVirtualProcessor : 1; UINT64 Reserved9 : 10; }; UINT32 LowPart; UINT32 HighPart; } HV_PARTITION_PRIVILEGE_MASK, *PHV_PARTITION_PRIVILEGE_MASK; // private typedef struct _HV_VENDOR_AND_MAX_FUNCTION { // // Eax // UINT32 MaxFunctions; // // Ebx, Ecx, and Edx // UINT8 VendorName[12]; } HV_VENDOR_AND_MAX_FUNCTION, *PHV_VENDOR_AND_MAX_FUNCTION; static_assert(sizeof(HV_VENDOR_AND_MAX_FUNCTION) == 16); // private typedef enum _HV_HYPERVISOR_INTERFACE { HvMicrosoftHypervisorInterface = 0x31237648, // '1#vH' HvMicrosoftXboxNanovisor = 0x766E6258 , // 'vnbX' } HV_HYPERVISOR_INTERFACE, *PHV_HYPERVISOR_INTERFACE; // private typedef struct _HV_HYPERVISOR_INTERFACE_INFO { // // Eax // UINT32 Interface; // HV_HYPERVISOR_INTERFACE // // Ebx // UINT32 Reserved1; // // Ecx // UINT32 Reserved2; // // Edx // UINT32 Reserved3; } HV_HYPERVISOR_INTERFACE_INFO, *PHV_HYPERVISOR_INTERFACE_INFO; static_assert(sizeof(HV_HYPERVISOR_INTERFACE_INFO) == 16); // private typedef struct _HV_HYPERVISOR_VERSION_INFO { // // Eax // UINT32 BuildNumber; // // Ebx // UINT32 MinorVersion : 16; UINT32 MajorVersion : 16; // // Ecx // UINT32 ServicePack; // // Edx // UINT32 ServiceNumber : 24; UINT32 ServiceBranch : 8; } HV_HYPERVISOR_VERSION_INFO, *PHV_HYPERVISOR_VERSION_INFO; static_assert(sizeof(HV_HYPERVISOR_VERSION_INFO) == 16); // private typedef struct _HV_HYPERVISOR_FEATURES { // // Eax and Ebx // HV_PARTITION_PRIVILEGE_MASK PartitionPrivileges; // // Ecx // UINT32 MaxSupportedCState : 4; UINT32 HpetNeededForC3PowerState_Deprecated : 1; UINT32 Reserved : 27; // // Edx // UINT32 MwaitAvailable_Deprecated : 1; UINT32 GuestDebuggingAvailable : 1; UINT32 PerformanceMonitorsAvailable : 1; UINT32 CpuDynamicPartitioningAvailable : 1; UINT32 XmmRegistersForFastHypercallAvailable : 1; UINT32 GuestIdleAvailable : 1; UINT32 HypervisorSleepStateSupportAvailable : 1; UINT32 NumaDistanceQueryAvailable : 1; UINT32 FrequencyRegsAvailable : 1; UINT32 SyntheticMachineCheckAvailable : 1; UINT32 GuestCrashRegsAvailable : 1; UINT32 DebugRegsAvailable : 1; UINT32 Npiep1Available : 1; UINT32 DisableHypervisorAvailable : 1; UINT32 Reserved1 : 18; } HV_HYPERVISOR_FEATURES, *PHV_HYPERVISOR_FEATURES; static_assert(sizeof(HV_HYPERVISOR_FEATURES) == 16); // private typedef struct _HV_X64_HYPERVISOR_FEATURES { // // Eax and Ebx // HV_PARTITION_PRIVILEGE_MASK PartitionPrivileges; // // Ecx // UINT32 MaxSupportedCState : 4; UINT32 HpetNeededForC3PowerState_Deprecated : 1; UINT32 Reserved : 27; // // Edx // UINT32 MwaitAvailable_Deprecated : 1; UINT32 GuestDebuggingAvailable : 1; UINT32 PerformanceMonitorsAvailable : 1; UINT32 CpuDynamicPartitioningAvailable : 1; UINT32 XmmRegistersForFastHypercallAvailable : 1; UINT32 GuestIdleAvailable : 1; UINT32 HypervisorSleepStateSupportAvailable : 1; UINT32 NumaDistanceQueryAvailable : 1; UINT32 FrequencyRegsAvailable : 1; UINT32 SyntheticMachineCheckAvailable : 1; UINT32 GuestCrashRegsAvailable : 1; UINT32 DebugRegsAvailable : 1; UINT32 Npiep1Available : 1; UINT32 DisableHypervisorAvailable : 1; UINT32 ExtendedGvaRangesForFlushVirtualAddressListAvailable : 1; UINT32 FastHypercallOutputAvailable : 1; UINT32 SvmFeaturesAvailable : 1; UINT32 SintPollingModeAvailable : 1; UINT32 HypercallMsrLockAvailable : 1; // 1511+ UINT32 DirectSyntheticTimers : 1; // 1607+ UINT32 RegisterPatAvailable : 1; // 1703+ UINT32 RegisterBndcfgsAvailable : 1; UINT32 WatchdogTimerAvailable : 1; UINT32 SyntheticTimeUnhaltedTimerAvailable : 1; // 1709+ UINT32 DeviceDomainsAvailable : 1; UINT32 S1DeviceDomainsAvailable : 1; // 1803+ UINT32 LbrAvailable : 1; // 1809+ UINT32 IptAvailable : 1; // 1903+ UINT32 CrossVtlFlushAvailable : 1; UINT32 IdleSpecCtrlAvailable : 1; // 2004+ UINT32 Reserved1 : 2; } HV_X64_HYPERVISOR_FEATURES, *PHV_X64_HYPERVISOR_FEATURES; static_assert(sizeof(HV_X64_HYPERVISOR_FEATURES) == 16); // private typedef struct _HV_ENLIGHTENMENT_INFORMATION { // // Eax // UINT32 UseHypercallForAddressSpaceSwitch : 1; UINT32 UseHypercallForLocalFlush : 1; UINT32 UseHypercallForRemoteFlush : 1; UINT32 UseApicMsrs : 1; // UseMsrForApicAccess UINT32 UseMsrForReset : 1; UINT32 UseRelaxedTiming : 1; UINT32 UseDmaRemapping : 1; UINT32 UseInterruptRemapping : 1; UINT32 UseX2ApicMsrs : 1; UINT32 DeprecateAutoEoi : 1; UINT32 Reserved : 22; // // Ebx // UINT32 LongSpinWaitCount; // // Ecx // UINT32 ReservedEcx; // // Edx // UINT32 ReservedEdx; } HV_ENLIGHTENMENT_INFORMATION, *PHV_ENLIGHTENMENT_INFORMATION; static_assert(sizeof(HV_ENLIGHTENMENT_INFORMATION) == 16); // private typedef struct _HV_IMPLEMENTATION_LIMITS { // // Eax // UINT32 MaxVirtualProcessorCount; // // Ebx // UINT32 MaxLogicalProcessorCount; // // Ecx // UINT32 MaxInterruptMappingCount; // // Edx // UINT32 Reserved; } HV_IMPLEMENTATION_LIMITS, *PHV_IMPLEMENTATION_LIMITS; static_assert(sizeof(HV_IMPLEMENTATION_LIMITS) == 16); // private typedef struct _HV_X64_HYPERVISOR_HARDWARE_FEATURES { // // Eax // UINT32 ApicOverlayAssistInUse : 1; UINT32 MsrBitmapsInUse : 1; UINT32 ArchitecturalPerformanceCountersInUse : 1; UINT32 SecondLevelAddressTranslationInUse : 1; UINT32 DmaRemappingInUse : 1; UINT32 InterruptRemappingInUse : 1; UINT32 MemoryPatrolScrubberPresent : 1; UINT32 DmaProtectionInUse : 1; UINT32 HpetRequested : 1; UINT32 SyntheticTimersVolatile : 1; UINT32 HypervisorLevel : 4; UINT32 PhysicalDestinationModeRequired : 1; UINT32 UseVmfuncForAliasMapSwitch : 1; UINT32 HvRegisterForMemoryZeroingSupported : 1; UINT32 UnrestrictedGuestSupported : 1; UINT32 RdtAFeaturesSupported : 1; UINT32 RdtMFeaturesSupported : 1; UINT32 ChildPerfmonPmuSupported : 1; UINT32 ChildPerfmonLbrSupported : 1; UINT32 ChildPerfmonIptSupported : 1; UINT32 ApicEmulationSupported : 1; UINT32 ChildX2ApicRecommended : 1; UINT32 HardwareWatchdogReserved : 1; UINT32 DeviceAccessTrackingSupported : 1; UINT32 Reserved : 5; // // Ebx // UINT32 DeviceDomainInputWidth : 8; UINT32 ReservedEbx : 24; // // Ecx // UINT32 ReservedEcx; // // Edx // UINT32 ReservedEdx; } HV_X64_HYPERVISOR_HARDWARE_FEATURES, *PHV_X64_HYPERVISOR_HARDWARE_FEATURES; static_assert(sizeof(HV_X64_HYPERVISOR_HARDWARE_FEATURES) == 16); #undef LogicalProcessorIdling // private typedef struct _HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES { // // Eax // UINT32 StartLogicalProcessor : 1; UINT32 CreateRootVirtualProcessor : 1; UINT32 PerformanceCounterSync : 1; // 1703+ UINT32 Reserved0 : 28; UINT32 ReservedIdentityBit : 1; // // Ebx // UINT32 ProcessorPowerManagement : 1; UINT32 MwaitIdleStates : 1; UINT32 LogicalProcessorIdling : 1; UINT32 Reserved1 : 29; // // Ecx // UINT32 RemapGuestUncached : 1; // 1803+ UINT32 ReservedZ2 : 31; // // Edx // UINT32 ReservedEdx; } HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES, *PHV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES; static_assert(sizeof(HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES) == 16); // private typedef struct _HV_HYPERVISOR_SVM_FEATURES { // // Eax // UINT32 SvmSupported : 1; UINT32 Reserved0 : 10; UINT32 MaxPasidSpacePasidCount : 21; // // Ebx // UINT32 MaxPasidSpaceCount; // // Ecx // UINT32 MaxDevicePrqSize; // // Edx // UINT32 Reserved1; } HV_HYPERVISOR_SVM_FEATURES, *PHV_HYPERVISOR_SVM_FEATURES; static_assert(sizeof(HV_HYPERVISOR_SVM_FEATURES) == 16); // private typedef struct _HV_HYPERVISOR_SKIP_LEVEL_FEATURES { // // Eax // UINT32 Reserved0 : 2; UINT32 AccessSynicRegs : 1; UINT32 Reserved1 : 1; UINT32 AccessIntrCtrlRegs : 1; UINT32 AccessHypercallMsrs : 1; UINT32 AccessVpIndex : 1; UINT32 Reserved2 : 5; UINT32 AccessReenlightenmentControls : 1; UINT32 Reserved3 : 19; // // Ebx // UINT32 ReservedEbx; // // Ecx // UINT32 ReservedEcx; // // Edx // UINT32 Reserved4 : 4; UINT32 XmmRegistersForFastHypercallAvailable : 1; UINT32 Reserved5 : 10; UINT32 FastHypercallOutputAvailable : 1; UINT32 Reserved6 : 1; UINT32 SintPollingModeAvailable : 1; UINT32 Reserved7 : 14; } HV_HYPERVISOR_SKIP_LEVEL_FEATURES, *PHV_HYPERVISOR_SKIP_LEVEL_FEATURES; static_assert(sizeof(HV_HYPERVISOR_SKIP_LEVEL_FEATURES) == 16); // private typedef struct _HV_HYPERVISOR_NESTED_VIRT_FEATURES { // // Eax // UINT32 EnlightedVmcsVersionLow : 8; UINT32 EnlightedVmcsVesionHigh : 8; UINT32 FlushGuestPhysicalHypercall_Deprecated : 1; // 1607+ UINT32 NestedFlushVirtualHypercall : 1; UINT32 FlushGuestPhysicalHypercall : 1; UINT32 MsrBitmap : 1; UINT32 VirtualizationException : 1; // 1709+ UINT32 DebugCtl : 1; // 2004+ UINT32 Reserved0 : 10; // // Ebx // UINT32 PerfGlobalCtrl : 1; UINT32 Reserved1 : 31; // // Ecx // UINT32 ReservedEcx; // // Edx // UINT32 ReservedEdx; } HV_HYPERVISOR_NESTED_VIRT_FEATURES, *PHV_HYPERVISOR_NESTED_VIRT_FEATURES; static_assert(sizeof(HV_HYPERVISOR_NESTED_VIRT_FEATURES) == 16); // private typedef struct _HV_HYPERVISOR_IPT_FEATURES { // // Eax // UINT32 ChainedToPA : 1; UINT32 Enlightened : 1; UINT32 Reserved0 : 10; UINT32 MaxTraceBufferSizePerVtl : 20; // // Ebx // UINT32 Reserved1; // // Ecx // UINT32 Reserved2; // // Ecx // UINT32 HypervisorIpt : 1; // 2004+ UINT32 Reserved3 : 31; } HV_HYPERVISOR_IPT_FEATURES, *PHV_HYPERVISOR_IPT_FEATURES; static_assert(sizeof(HV_HYPERVISOR_IPT_FEATURES) == 16); // private typedef struct _HV_X64_PLATFORM_CAPABILITIES { UINT64 AsUINT64[2]; struct { // // Eax // UINT AllowRedSignedCode : 1; UINT AllowKernelModeDebugging : 1; UINT AllowUserModeDebugging : 1; UINT AllowTelnetServer : 1; UINT AllowIOPorts : 1; UINT AllowFullMsrSpace : 1; UINT AllowPerfCounters : 1; UINT AllowHost512MB : 1; UINT AllowRemoteRecovery : 1; UINT AllowStreaming : 1; UINT AllowPushDeployment : 1; UINT AllowPullDeployment : 1; UINT AllowProfiling : 1; UINT AllowJsProfiling : 1; UINT AllowCrashDump : 1; UINT AllowVsCrashDump : 1; UINT AllowToolFileIO : 1; UINT AllowConsoleMgmt : 1; UINT AllowTracing : 1; UINT AllowXStudio : 1; UINT AllowGestureBuilder : 1; UINT AllowSpeechLab : 1; UINT AllowSmartglassStudio : 1; UINT AllowNetworkTools : 1; UINT AllowTcrTool : 1; UINT AllowHostNetworkStack : 1; UINT AllowSystemUpdateTest : 1; UINT AllowOffChipPerfCtrStreaming : 1; UINT AllowToolingMemory : 1; UINT AllowSystemDowngrade : 1; UINT AllowGreenDiskLicenses : 1; // // Ebx // UINT IsLiveConnected : 1; UINT IsMteBoosted : 1; UINT IsQaSlt : 1; UINT IsStockImage : 1; UINT IsMsTestLab : 1; UINT IsRetailDebugger : 1; UINT IsXvdSort : 1; UINT IsGreenDebug : 1; UINT IsHwDevTest : 1; UINT AllowDiskLicenses : 1; // 1511+ UINT AllowInstrumentation : 1; UINT AllowWifiTester : 1; UINT AllowWifiTesterDFS : 1; UINT IsHwTest : 1; UINT AllowHostOddTest : 1; UINT IsLiveUnrestricted : 1; UINT AllowDiscLicensesWithoutMediaAuth : 1; UINT ReservedEbx : 15; // // Ecx // UINT ReservedEcx; // // Edx // UINT ReservedEdx : 31; UINT UseAlternateXvd : 1; }; } HV_X64_PLATFORM_CAPABILITIES, *PHV_X64_PLATFORM_CAPABILITIES; static_assert(sizeof(HV_X64_PLATFORM_CAPABILITIES) == 32); #if defined(_M_IX86) || defined(_M_AMD64) typedef union _PH_CPUID { struct { ULONG EAX; ULONG EBX; ULONG ECX; ULONG EDX; }; struct { ULONG64 LowPart; ULONG64 HighPart; }; INT32 Data[4]; } PH_CPUID, *PPH_CPUID; VOID PhCpuId( _Out_ PPH_CPUID CpuId, _In_ ULONG Function, _In_ ULONG SubFunction ) { CpuId->LowPart = 0; CpuId->HighPart = 0; CpuIdEx(CpuId->Data, Function, SubFunction); } BOOLEAN PhCpuIsIntel( VOID ) { PH_CPUID cpuid; PhCpuId(&cpuid, 0, 0); // GenuineIntel if (cpuid.EBX == 'uneG' && cpuid.EDX == 'Ieni' && cpuid.ECX == 'letn') return TRUE; return FALSE; } BOOLEAN PhCpuIsAMD( VOID ) { PH_CPUID cpuid; PhCpuId(&cpuid, 0, 0); // AuthenticAMD if (cpuid.EBX == 'htuA' && cpuid.EDX == 'itne' && cpuid.ECX == 'DMAc') return TRUE; return FALSE; } BOOLEAN PhHypervisorIsPresent( VOID ) { PH_CPUID cpuid; PhCpuId(&cpuid, HvCpuIdFunctionVersionAndFeatures, 0); // https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/feature-discovery#hypervisor-discovery if (cpuid.ECX & 0x80000000) return TRUE; return FALSE; } BOOLEAN PhVCpuIsMicrosoftHyperV( VOID ) { PH_CPUID cpuid; PhCpuId(&cpuid, HvCpuIdFunctionHvVendorAndMaxFunction, 0); // Microsoft Hv if (cpuid.EBX == 'rciM' && cpuid.ECX == 'foso' && cpuid.EDX == 'vH t') return TRUE; return FALSE; } VOID PhGetHvPartitionPrivilegeMask( _Out_ PHV_PARTITION_PRIVILEGE_MASK Mask ) { PH_CPUID cpuid; PhCpuId(&cpuid, HvCpuIdFunctionMsHvFeatures, 0); Mask->LowPart = cpuid.EAX; Mask->HighPart = cpuid.EBX; } #endif NTSTATUS PhGetHypervisorVendorId( _Out_ PULONG VendorId ) { NTSTATUS status; SYSTEM_HYPERVISOR_DETAIL_INFORMATION info; *VendorId = 0; if (!NT_SUCCESS(status = NtQuerySystemInformation( SystemHypervisorDetailInformation, &info, sizeof(info), NULL ))) return status; *VendorId = info.HvVendorAndMaxFunction.Data[1]; return STATUS_SUCCESS; } PH_VIRTUAL_STATUS PhGetVirtualStatus( VOID ) { #if defined(_ARM64_) ULONG vendorId; if (NT_SUCCESS(PhGetHypervisorVendorId(&vendorId))) { if (vendorId == 'MOCQ') { if (USER_SHARED_DATA->QcSlIsSupported) { return PhVirtualStatusEnabledFirmware; } return PhVirtualStatusNotCapable; } else { SYSTEM_HYPERVISOR_DETAIL_INFORMATION info; if (NT_SUCCESS(NtQuerySystemInformation( SystemHypervisorDetailInformation, &info, sizeof(info), NULL ))) { if (info.HvFeatures.Data[1] & 0x1000) { return PhVirtualStatusEnabledHyperV; } } return PhVirtualStatusVirtualMachine; } } if (USER_SHARED_DATA->ArchStartedInEl2 || USER_SHARED_DATA->QcSlIsSupported) { return PhVirtualStatusEnabledFirmware; } return PhVirtualStatusNotCapable; #else if (PhHypervisorIsPresent()) { if (PhVCpuIsMicrosoftHyperV()) { HV_PARTITION_PRIVILEGE_MASK mask; PhGetHvPartitionPrivilegeMask(&mask); if (mask.AccessVpRunTimeReg) { return PhVirtualStatusEnabledHyperV; } } return PhVirtualStatusVirtualMachine; } if (PhCpuIsIntel()) { PH_CPUID cpuid; PhCpuId(&cpuid, 1, 0); // Virtual Machine Extensions (VMX) if (!(cpuid.ECX & 0x20)) { return PhVirtualStatusNotCapable; } } else if (PhCpuIsAMD()) { PH_CPUID cpuid; PhCpuId(&cpuid, 0x80000001, 0); // Secure Virtual Machine (SVM) if (!(cpuid.ECX & 0x2)) { return PhVirtualStatusNotCapable; } } else { //return PhVirtualStatusUnknown; return PhVirtualStatusNotCapable; } if (USER_SHARED_DATA->ProcessorFeatures[PF_VIRT_FIRMWARE_ENABLED]) { return PhVirtualStatusEnabledFirmware; } if (USER_SHARED_DATA->ProcessorFeatures[PF_SECOND_LEVEL_ADDRESS_TRANSLATION] && USER_SHARED_DATA->ProcessorFeatures[PF_NX_ENABLED]) { return PhVirtualStatusDisabledWithHyperV; } return PhVirtualStatusDisabled; #endif } typedef struct _PH_SMBIOS_STRINGREF { USHORT Length; PSTR Buffer; } PH_SMBIOS_STRINGREF, *PPH_SMBIOS_STRINGREF; typedef struct _PH_SMBIOS_PARSE_CONTEXT { PRAW_SMBIOS_DATA Data; PVOID End; PH_SMBIOS_STRINGREF Strings[256]; } PH_SMBIOS_PARSE_CONTEXT, *PPH_SMBIOS_PARSE_CONTEXT; NTSTATUS PhpParseSMBIOS( _In_ PPH_SMBIOS_PARSE_CONTEXT Context, _In_ PSMBIOS_HEADER Current, _Out_ PSMBIOS_HEADER* Next ) { NTSTATUS status; PSTR pointer; PSTR string; UCHAR nulls; USHORT length; UCHAR count; *Next = NULL; memset(Context->Strings, 0, sizeof(Context->Strings)); pointer = SMBIOS_STRING_TABLE(Current); string = pointer; if ((ULONG_PTR)pointer >= (ULONG_PTR)Context->End) return STATUS_BUFFER_OVERFLOW; nulls = 0; length = 0; count = 0; while ((ULONG_PTR)pointer < (ULONG_PTR)Context->End) { if (*pointer++ != ANSI_NULL) { if (!NT_SUCCESS(status = RtlUShortAdd(length, 1, &length))) return status; nulls = 0; continue; } if (nulls++) break; Context->Strings[count].Length = length; Context->Strings[count].Buffer = string; count++; string = pointer; length = 0; } if (nulls != 2) return STATUS_INVALID_ADDRESS; if (Current->Type != SMBIOS_END_OF_TABLE_TYPE) *Next = (PSMBIOS_HEADER)pointer; return STATUS_SUCCESS; } NTSTATUS PhpEnumSMBIOS( _In_ PRAW_SMBIOS_DATA Data, _In_ PPH_ENUM_SMBIOS_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PH_SMBIOS_PARSE_CONTEXT context; PSMBIOS_HEADER current; PSMBIOS_HEADER next; memset(&context, 0, sizeof(context)); context.Data = Data; context.End = PTR_ADD_OFFSET(Data->SMBIOSTableData, Data->Length); current = (PSMBIOS_HEADER)Data->SMBIOSTableData; next = NULL; while (NT_SUCCESS(status = PhpParseSMBIOS(&context, current, &next))) { if (Callback( (ULONG_PTR)&context, Data->SMBIOSMajorVersion, Data->SMBIOSMinorVersion, (PPH_SMBIOS_ENTRY)current, Context )) break; if (!next) break; current = next; } return status; } NTSTATUS PhEnumSMBIOS( _In_ PPH_ENUM_SMBIOS_CALLBACK Callback, _In_opt_ PVOID Context ) { static volatile ULONG cachedLength = sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION) + 64; NTSTATUS status; ULONG length; PSYSTEM_FIRMWARE_TABLE_INFORMATION info; length = ReadULongAcquire(&cachedLength); if (!(info = PhAllocateStack(length))) return STATUS_NO_MEMORY; RtlZeroMemory(info, length); info->ProviderSignature = 'RSMB'; info->TableID = 0; info->Action = SystemFirmwareTableGet; info->TableBufferLength = length - sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION); status = NtQuerySystemInformation( SystemFirmwareTableInformation, info, length, &length ); if (status == STATUS_BUFFER_TOO_SMALL) { PhFreeStack(info); if (!(info = PhAllocateStack(length))) return STATUS_NO_MEMORY; RtlZeroMemory(info, length); info->ProviderSignature = 'RSMB'; info->TableID = 0; info->Action = SystemFirmwareTableGet; info->TableBufferLength = length - sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION); status = NtQuerySystemInformation( SystemFirmwareTableInformation, info, length, &length ); if (NT_SUCCESS(status)) { WriteULongRelease(&cachedLength, length); } } if (NT_SUCCESS(status)) { status = PhpEnumSMBIOS( (PRAW_SMBIOS_DATA)info->TableBuffer, Callback, Context ); } PhFreeStack(info); return status; } NTSTATUS PhGetSMBIOSString( _In_ ULONG_PTR EnumHandle, _In_ UCHAR Index, _Out_ PPH_STRING* String ) { PPH_SMBIOS_PARSE_CONTEXT context; PPH_SMBIOS_STRINGREF string; context = (PPH_SMBIOS_PARSE_CONTEXT)EnumHandle; *String = NULL; if (Index == SMBIOS_INVALID_STRING) return STATUS_INVALID_PARAMETER; string = &context->Strings[Index - 1]; if (!string->Buffer) return STATUS_INVALID_PARAMETER; *String = PhConvertUtf8ToUtf16Ex(string->Buffer, string->Length); return STATUS_SUCCESS; } ================================================ FILE: phlib/format.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2020 * */ /* * This module provides a high-performance string formatting mechanism. Instead of using format * strings, the user supplies an array of structures. This system is 2-5 times faster than * printf-based functions. * * This file contains the public interfaces, while including the real formatting code from * elsewhere. There are currently two functions: PhFormat, which returns a string object containing * the formatted string, and PhFormatToBuffer, which writes the formatted string to a buffer. The * latter is a bit faster due to the lack of resizing logic. */ #include #include extern ULONG PhMaxSizeUnit; #define SMALL_BUFFER_LENGTH (PH_OBJECT_SMALL_OBJECT_SIZE - FIELD_OFFSET(PH_STRING, Data) - sizeof(WCHAR)) #define BUFFER_SIZE 512 #define PHP_FORMAT_NEGATIVE 0x1 #define PHP_FORMAT_POSITIVE 0x2 #define PHP_FORMAT_PAD 0x4 // Keep in sync with PhSizeUnitNames CONST PH_STRINGREF PhSizeUnitNamesCounted[7] = { PH_STRINGREF_INIT(L"B"), PH_STRINGREF_INIT(L"kB"), PH_STRINGREF_INIT(L"MB"), PH_STRINGREF_INIT(L"GB"), PH_STRINGREF_INIT(L"TB"), PH_STRINGREF_INIT(L"PB"), PH_STRINGREF_INIT(L"EB") }; CONST PH_STRINGREF PhPrefixUnitNamesCounted[7] = { PH_STRINGREF_INIT(L"b"), PH_STRINGREF_INIT(L"k"), PH_STRINGREF_INIT(L"M"), PH_STRINGREF_INIT(L"B"), PH_STRINGREF_INIT(L"T"), PH_STRINGREF_INIT(L"P"), PH_STRINGREF_INIT(L"E") }; CONST PH_STRINGREF PhSiPrefixUnitNamesCounted[7] = { PH_STRINGREF_INIT(L" Bps"), PH_STRINGREF_INIT(L" Kbps"), PH_STRINGREF_INIT(L" Mbps"), PH_STRINGREF_INIT(L" Gbps"), PH_STRINGREF_INIT(L" Tbps"), PH_STRINGREF_INIT(L" Pbps"), PH_STRINGREF_INIT(L" Ebps") }; static PH_INITONCE PhpFormatInitOnce = PH_INITONCE_INIT; static WCHAR PhpFormatDecimalSeparator = L'.'; static WCHAR PhpFormatThousandSeparator = L','; static _locale_t PhpFormatUserLocale = NULL; VOID PhpFormatSingleToUtf8Locale( _In_ FLOAT Value, _In_ ULONG Type, _In_ LONG Precision, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { if (!NT_SUCCESS(PhFormatSingleToUtf8( Value, Type, Precision, Buffer, BufferLength, ReturnLength ))) { if (Buffer) *Buffer = ANSI_NULL; if (ReturnLength) *ReturnLength = 0; return; } if (PhpFormatUserLocale && Buffer) { for (PCH c = Buffer; *c; ++c) { if (*c == '.') { *c = (CHAR)PhpFormatDecimalSeparator; break; } } } if (Type & FormatUpperCase) { if (PhpFormatUserLocale) _strupr_l(Buffer, PhpFormatUserLocale); else _strupr(Buffer); //for (PCH c = Buffer; *c; ++c) // *c = RtlUpperChar(*c); } } VOID PhpFormatDoubleToUtf8Locale( _In_ DOUBLE Value, _In_ ULONG Type, _In_ LONG Precision, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { if (!NT_SUCCESS(PhFormatDoubleToUtf8( Value, Type, Precision, Buffer, BufferLength, ReturnLength ))) { if (Buffer) *Buffer = ANSI_NULL; if (ReturnLength) *ReturnLength = 0; return; } if (PhpFormatUserLocale && Buffer) { for (PCH c = Buffer; *c; ++c) { if (*c == '.') { *c = (CHAR)PhpFormatDecimalSeparator; break; } } } if (Type & FormatUpperCase) { if (PhpFormatUserLocale) _strupr_l(Buffer, PhpFormatUserLocale); else _strupr(Buffer); //for (PCH c = Buffer; *c; ++c) // *c = RtlUpperChar(*c); } } // From Source\10.0.10150.0\ucrt\inc\corecrt_internal_stdio_output.h in SDK v10. VOID PhpCropZeros( _Inout_ PCHAR Buffer ) { CHAR decimalSeparator = (CHAR)PhpFormatDecimalSeparator; while (*Buffer && *Buffer != decimalSeparator) ++Buffer; if (*Buffer++) { while (*Buffer && *Buffer != 'e' && *Buffer != 'E') ++Buffer; PCHAR stop = Buffer--; while (*Buffer == '0') --Buffer; if (*Buffer == decimalSeparator) --Buffer; while ((*++Buffer = *stop++) != ANSI_NULL) NOTHING; } } PPH_STRING PhpResizeFormatBuffer( _In_ PPH_STRING String, _Inout_ PSIZE_T AllocatedLength, _In_ SIZE_T UsedLength, _In_ SIZE_T NeededLength ) { PPH_STRING newString; SIZE_T allocatedLength; allocatedLength = *AllocatedLength; allocatedLength *= 2; if (allocatedLength < UsedLength + NeededLength) allocatedLength = UsedLength + NeededLength; newString = PhCreateStringEx(NULL, allocatedLength); memcpy(newString->Buffer, String->Buffer, UsedLength); PhDereferenceObject(String); *AllocatedLength = allocatedLength; return newString; } /** * Creates a formatted string. * * \param Format An array of format structures. * \param Count The number of structures supplied in \a Format. * \param InitialCapacity The number of bytes to reserve initially for the string. If 0 is * specified, a default value is used. */ PPH_STRING PhFormat( _In_reads_(Count) PPH_FORMAT Format, _In_ ULONG Count, _In_opt_ SIZE_T InitialCapacity ) { PPH_STRING string; SIZE_T allocatedLength; PWSTR buffer; SIZE_T usedLength; // Set up the buffer. // If the specified initial capacity is too small (or zero), use the largest buffer size which // will still be eligible for allocation from the small object free list. if (InitialCapacity < SMALL_BUFFER_LENGTH) InitialCapacity = SMALL_BUFFER_LENGTH; string = PhCreateStringEx(NULL, InitialCapacity); allocatedLength = InitialCapacity; buffer = string->Buffer; usedLength = 0; #undef ENSURE_BUFFER #undef OK_BUFFER #undef ADVANCE_BUFFER #define ENSURE_BUFFER(NeededLength) \ do { \ if (allocatedLength < usedLength + (NeededLength)) \ { \ string = PhpResizeFormatBuffer(string, &allocatedLength, usedLength, (NeededLength)); \ buffer = string->Buffer + usedLength / sizeof(WCHAR); \ } \ } while (0) #define OK_BUFFER (TRUE) #define ADVANCE_BUFFER(Length) \ do { buffer += (Length) / sizeof(WCHAR); usedLength += (Length); } while (0) #include "format_i.h" string->Length = usedLength; // Null-terminate the string. string->Buffer[usedLength / sizeof(WCHAR)] = UNICODE_NULL; return string; } /** * Writes a formatted string to a buffer. * * \param Format An array of format structures. * \param Count The number of structures supplied in \a Format. * \param Buffer A buffer. If NULL, no data is written. * \param BufferLength The number of bytes available in \a Buffer, including space for the null * terminator. * \param ReturnLength The number of bytes required to hold the string, including the null * terminator. * * \return TRUE if the buffer was large enough and the string was written (i.e. \a BufferLength >= * \a ReturnLength), otherwise FALSE. In either case, the required number of bytes is stored in * \a ReturnLength. * * \remarks If the function fails but \a BufferLength != 0, a single null byte is written to the * start of \a Buffer. */ BOOLEAN PhFormatToBuffer( _In_reads_(Count) PPH_FORMAT Format, _In_ ULONG Count, _Out_writes_bytes_opt_(BufferLength) PWSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { PWSTR buffer; SIZE_T usedLength; BOOLEAN overrun; buffer = Buffer; usedLength = 0; overrun = FALSE; // Make sure we don't try to write anything if we don't have a buffer. if (!Buffer) overrun = TRUE; #undef ENSURE_BUFFER #undef OK_BUFFER #undef ADVANCE_BUFFER #define ENSURE_BUFFER(NeededLength) \ do { \ if (!overrun && (BufferLength < usedLength + (NeededLength))) \ overrun = TRUE; \ } while (0) #define OK_BUFFER (!overrun) #define ADVANCE_BUFFER(Length) \ do { buffer += (Length) / sizeof(WCHAR); usedLength += (Length); } while (0) #include "format_i.h" // Write the null-terminator. ENSURE_BUFFER(sizeof(WCHAR)); if (OK_BUFFER) *buffer = UNICODE_NULL; else if (Buffer && BufferLength != 0) // try to null-terminate even if this function fails *Buffer = UNICODE_NULL; ADVANCE_BUFFER(sizeof(WCHAR)); if (ReturnLength) *ReturnLength = usedLength; return OK_BUFFER; } ================================================ FILE: phlib/format_i.h ================================================ /* * This file contains the actual formatting code used by various public interface functions. * * There are three macros defined by the parent function which control how this code writes the * formatted string: * * ENSURE_BUFFER - This macro is passed the number of bytes required whenever characters need to * be written to the buffer. The macro can resize the buffer if needed. * * OK_BUFFER - This macro returns TRUE if it is OK to write to the buffer, otherwise FALSE when * the buffer is too large, is not specified, or some other error has occurred. * * ADVANCE_BUFFER - This macro is passed the number of bytes written to the buffer and should * increment the "buffer" pointer and "usedLength" counter. * In addition to these macros, the "buffer" and "usedLength" variables are assumed to be present. * * The below code defines many macros; this is so that composite formatting types can be constructed * (e.g. the "size" type). */ { if (PhBeginInitOnce(&PhpFormatInitOnce)) { WCHAR localeBuffer[4]; if (GetLocaleInfoEx(LOCALE_NAME_USER_DEFAULT, LOCALE_SDECIMAL, localeBuffer, 4)) { PhpFormatDecimalSeparator = localeBuffer[0]; } if (GetLocaleInfoEx(LOCALE_NAME_USER_DEFAULT, LOCALE_STHOUSAND, localeBuffer, 4)) { PhpFormatThousandSeparator = localeBuffer[0]; } if (PhpFormatDecimalSeparator != L'.') PhpFormatUserLocale = _wcreate_locale(LC_ALL, L""); PhEndInitOnce(&PhpFormatInitOnce); } while (Count--) { PPH_FORMAT format; SIZE_T partLength; WCHAR tempBuffer[BUFFER_SIZE]; ULONG flags; ULONG int32; ULONG64 int64; format = Format++; // Save the currently used length so we can compute the part length later. partLength = usedLength; flags = 0; switch (format->Type & FormatTypeMask) { // Characters and Strings case CharFormatType: ENSURE_BUFFER(sizeof(WCHAR)); if (OK_BUFFER) *buffer = format->u.Char; ADVANCE_BUFFER(sizeof(WCHAR)); break; case StringFormatType: ENSURE_BUFFER(format->u.String.Length); if (OK_BUFFER) memcpy(buffer, format->u.String.Buffer, format->u.String.Length); ADVANCE_BUFFER(format->u.String.Length); break; case StringZFormatType: { SIZE_T count; count = PhCountStringZ(format->u.StringZ); ENSURE_BUFFER(count * sizeof(WCHAR)); if (OK_BUFFER) memcpy(buffer, format->u.StringZ, count * sizeof(WCHAR)); ADVANCE_BUFFER(count * sizeof(WCHAR)); } break; case MultiByteStringFormatType: case MultiByteStringZFormatType: { ULONG bytesInUnicodeString; PSTR multiByteBuffer; SIZE_T multiByteLength; if (format->Type == MultiByteStringFormatType) { multiByteBuffer = format->u.MultiByteString.Buffer; multiByteLength = format->u.MultiByteString.Length; } else { multiByteBuffer = format->u.MultiByteStringZ; multiByteLength = strlen(multiByteBuffer); } if (NT_SUCCESS(RtlMultiByteToUnicodeSize( &bytesInUnicodeString, multiByteBuffer, (ULONG)multiByteLength ))) { ENSURE_BUFFER(bytesInUnicodeString); if (!OK_BUFFER || NT_SUCCESS(RtlMultiByteToUnicodeN( buffer, bytesInUnicodeString, NULL, multiByteBuffer, (ULONG)multiByteLength ))) { ADVANCE_BUFFER(bytesInUnicodeString); } } } break; // Integers #define PROCESS_DIGIT(Input) \ do { \ r = (ULONG)(Input % radix); \ Input /= radix; \ *temp-- = integerToChar[r]; \ tempCount++; \ } while (0) #define COMMON_INTEGER_FORMAT(Input, Format) \ do { \ ULONG radix; \ PCCH integerToChar; \ PWSTR temp; \ ULONG tempCount; \ ULONG r; \ ULONG preCount; \ ULONG padCount; \ \ radix = 10; \ if (((Format)->Type & FormatUseRadix) && (Format)->Radix >= 2 && (Format)->Radix <= 69) \ radix = (Format)->Radix; \ integerToChar = PhIntegerToChar; \ if ((Format)->Type & FormatUpperCase) \ integerToChar = PhIntegerToCharUpper; \ temp = tempBuffer + BUFFER_SIZE - 1; \ tempCount = 0; \ \ if (Input != 0) \ { \ if ((Format)->Type & FormatGroupDigits) \ { \ ULONG needsSep = 0; \ \ do \ { \ PROCESS_DIGIT(Input); \ \ if (++needsSep == 3 && Input != 0) /* get rid of trailing separator */ \ { \ *temp-- = PhpFormatThousandSeparator; \ tempCount++; \ needsSep = 0; \ } \ } while (Input != 0); \ } \ else \ { \ do \ { \ PROCESS_DIGIT(Input); \ } while (Input != 0); \ } \ } \ else \ { \ *temp-- = '0'; \ tempCount++; \ } \ \ preCount = 0; \ \ if (flags & PHP_FORMAT_NEGATIVE) \ preCount++; \ else if ((Format)->Type & FormatPrefixSign) \ preCount++; \ \ if (((Format)->Type & FormatPadZeros) && !((Format)->Type & FormatGroupDigits)) \ { \ if (preCount + tempCount < (Format)->Width) \ { \ flags |= PHP_FORMAT_PAD; \ padCount = (Format)->Width - (preCount + tempCount); \ preCount += padCount; \ } \ } \ \ temp++; \ ENSURE_BUFFER((preCount + tempCount) * sizeof(WCHAR)); \ if (OK_BUFFER) \ { \ if (flags & PHP_FORMAT_NEGATIVE) \ *buffer++ = L'-'; \ else if ((Format)->Type & FormatPrefixSign) \ *buffer++ = L'+'; \ \ if (flags & PHP_FORMAT_PAD) \ { \ wmemset(buffer, '0', padCount); \ buffer += padCount; \ } \ \ memcpy(buffer, temp, tempCount * sizeof(WCHAR)); \ buffer += tempCount; \ } \ usedLength += (preCount + tempCount) * sizeof(WCHAR); \ } while (0) #ifndef _WIN64 case IntPtrFormatType: int32 = format->u.IntPtr; goto CommonMaybeNegativeInt32Format; #endif case Int32FormatType: int32 = format->u.Int32; #ifndef _WIN64 CommonMaybeNegativeInt32Format: #endif if ((LONG)int32 < 0) { int32 = -(LONG)int32; flags |= PHP_FORMAT_NEGATIVE; } goto CommonInt32Format; #ifndef _WIN64 case UIntPtrFormatType: int32 = format->u.UIntPtr; goto CommonInt32Format; #endif case UInt32FormatType: int32 = format->u.UInt32; CommonInt32Format: COMMON_INTEGER_FORMAT(int32, format); break; #ifdef _WIN64 case IntPtrFormatType: int64 = format->u.IntPtr; goto CommonMaybeNegativeInt64Format; #endif case Int64FormatType: int64 = format->u.Int64; #ifdef _WIN64 CommonMaybeNegativeInt64Format: #endif if ((LONG64)int64 < 0) { int64 = -(LONG64)int64; flags |= PHP_FORMAT_NEGATIVE; } goto CommonInt64Format; #ifdef _WIN64 case UIntPtrFormatType: int64 = format->u.UIntPtr; goto CommonInt64Format; #endif case UInt64FormatType: int64 = format->u.UInt64; CommonInt64Format: COMMON_INTEGER_FORMAT(int64, format); break; // Floating point numbers #define COMMON_DOUBLE_FORMAT(DataType, Format, FormatType, FormatToBufferUtf8) \ do { \ ULONG precision; \ DataType value; \ PSTR temp; \ ULONG length; \ SIZE_T returnLength; \ \ if ((Format)->Type & FormatUsePrecision) \ { \ precision = (Format)->Precision; \ \ if (precision > BUFFER_SIZE - 1 - _CVTBUFSIZE) \ precision = BUFFER_SIZE - 1 - _CVTBUFSIZE; \ } \ else \ { \ precision = 6; \ } \ \ value = (Format)->u.FormatType; \ temp = (PSTR)tempBuffer + 1; /* leave one character so we can insert a prefix if needed */ \ returnLength = 0; \ FormatToBufferUtf8( \ value, \ (Format)->Type, \ precision, \ temp, \ sizeof(tempBuffer) - 1, \ &returnLength \ ); \ \ /* if (((Format)->Type & FormatForceDecimalPoint) && precision == 0) */ \ /* _forcdecpt_l(tempBufferAnsi, PhpFormatUserLocale); */ \ if ((Format)->Type & FormatCropZeros) \ { \ PhpCropZeros(temp); \ \ length = (ULONG)strlen(temp); \ } \ else \ { \ length = (ULONG)returnLength; \ } \ \ if (temp[0] == '-') \ { \ flags |= PHP_FORMAT_NEGATIVE; \ temp++; \ length--; \ } \ else if ((Format)->Type & FormatPrefixSign) \ { \ flags |= PHP_FORMAT_POSITIVE; \ } \ \ if (((Format)->Type & FormatGroupDigits) && !((Format)->Type & (FormatStandardForm | FormatHexadecimalForm))) \ { \ PSTR whole; \ PSTR decimalPoint; \ ULONG wholeCount; \ ULONG sepsCount; \ ULONG ensureLength; \ ULONG copyCount; \ ULONG needsSep; \ \ /* Find the first non-digit character and assume that is the */ \ /* decimal point (or the end of the string). */ \ \ whole = temp; \ decimalPoint = temp; \ \ while ((UCHAR)(*decimalPoint - '0') < 10) \ decimalPoint++; \ \ /* Copy the characters to the output buffer, and at the same time */ \ /* insert the separators. */ \ \ wholeCount = (ULONG)(decimalPoint - temp); \ \ if (wholeCount != 0) \ sepsCount = (wholeCount + 2) / 3 - 1; \ else \ sepsCount = 0; \ \ ensureLength = (length + sepsCount) * sizeof(WCHAR); \ if (flags & (PHP_FORMAT_NEGATIVE | PHP_FORMAT_POSITIVE)) \ ensureLength += sizeof(WCHAR); \ ENSURE_BUFFER(ensureLength); \ \ copyCount = wholeCount; \ needsSep = (wholeCount + 2) % 3; \ \ if (OK_BUFFER) \ { \ if (flags & PHP_FORMAT_NEGATIVE) \ *buffer++ = L'-'; \ else if (flags & PHP_FORMAT_POSITIVE) \ *buffer++ = L'+'; \ \ while (copyCount--) \ { \ *buffer++ = *whole++; \ \ if (needsSep-- == 0 && copyCount != 0) /* get rid of trailing separator */ \ { \ *buffer++ = PhpFormatThousandSeparator; \ needsSep = 2; \ } \ } \ } \ \ if (flags & (PHP_FORMAT_NEGATIVE | PHP_FORMAT_POSITIVE)) \ usedLength += sizeof(WCHAR); \ usedLength += (wholeCount + sepsCount) * sizeof(WCHAR); \ \ /* Copy the rest. */ \ \ copyCount = length - wholeCount; \ \ if (OK_BUFFER) \ { \ PhZeroExtendToUtf16Buffer(decimalPoint, copyCount, buffer); \ ADVANCE_BUFFER(copyCount * sizeof(WCHAR)); \ } \ } \ else \ { \ SIZE_T preLength; \ SIZE_T padLength; \ \ /* Take care of the sign and zero padding. */ \ preLength = 0; \ \ if (flags & (PHP_FORMAT_NEGATIVE | PHP_FORMAT_POSITIVE)) \ preLength++; \ \ if ((Format)->Type & FormatPadZeros) \ { \ if (preLength + length < (Format)->Width) \ { \ flags |= PHP_FORMAT_PAD; \ padLength = (Format)->Width - (preLength + length); \ preLength += padLength; \ } \ } \ /* We don't need to group digits, so directly copy the characters */ \ /* to the output buffer. */ \ \ ENSURE_BUFFER((preLength + length) * sizeof(WCHAR)); \ \ if (OK_BUFFER) \ { \ if (flags & PHP_FORMAT_NEGATIVE) \ *buffer++ = L'-'; \ else if (flags & PHP_FORMAT_POSITIVE) \ *buffer++ = L'+'; \ \ if (flags & PHP_FORMAT_PAD) \ { \ wmemset(buffer, '0', padLength); \ buffer += padLength; \ } \ } \ \ usedLength += preLength * sizeof(WCHAR); \ \ if (OK_BUFFER) \ { \ PhZeroExtendToUtf16Buffer(temp, length, buffer); \ ADVANCE_BUFFER(length * sizeof(WCHAR)); \ } \ } \ } while (0) case SingleFormatType: flags = 0; COMMON_DOUBLE_FORMAT(FLOAT, format, Single, PhpFormatSingleToUtf8Locale); break; case DoubleFormatType: flags = 0; COMMON_DOUBLE_FORMAT(DOUBLE, format, Double, PhpFormatDoubleToUtf8Locale); break; // Additional types case SizeFormatType: { ULONG i = 0; ULONG maxSizeUnit; DOUBLE s; PH_FORMAT doubleFormat; s = (DOUBLE)format->u.Size; if (format->u.Size == 0) { ENSURE_BUFFER(sizeof(WCHAR)); if (OK_BUFFER) *buffer = '0'; ADVANCE_BUFFER(sizeof(WCHAR)); goto ContinueLoop; } if (format->Type & FormatUseRadix) maxSizeUnit = format->Radix; else maxSizeUnit = PhMaxSizeUnit; while ( s >= 1000 && i < sizeof(PhSizeUnitNamesCounted) / sizeof(PH_STRINGREF) && i < maxSizeUnit ) { s /= 1024; i++; } // Format the number, then append the unit name. doubleFormat.Type = DoubleFormatType | FormatUsePrecision | FormatCropZeros | FormatGroupDigits; doubleFormat.Precision = (format->Type & FormatUsePrecision) ? format->Precision : 2; doubleFormat.Width = 0; // stupid compiler doubleFormat.u.Double = s; flags = 0; COMMON_DOUBLE_FORMAT(DOUBLE, &doubleFormat, Double, PhpFormatDoubleToUtf8Locale); ENSURE_BUFFER(sizeof(WCHAR) + PhSizeUnitNamesCounted[i].Length); if (OK_BUFFER) { *buffer = L' '; memcpy(buffer + 1, PhSizeUnitNamesCounted[i].Buffer, PhSizeUnitNamesCounted[i].Length); } ADVANCE_BUFFER(sizeof(WCHAR) + PhSizeUnitNamesCounted[i].Length); } break; } ContinueLoop: partLength = usedLength - partLength; if (format->Type & (FormatLeftAlign | FormatRightAlign)) { SIZE_T newLength; SIZE_T addLength; newLength = format->Width * sizeof(WCHAR); // We only pad and never truncate. if (partLength < newLength) { addLength = newLength - partLength; ENSURE_BUFFER(addLength); if (OK_BUFFER) { WCHAR pad; if (format->Type & FormatUsePad) pad = format->Pad; else pad = L' '; if (format->Type & FormatLeftAlign) { // Left alignment is easy; we just fill the remaining space with the pad // character. wmemset(buffer, pad, addLength / sizeof(WCHAR)); } else { PWSTR start; // Right alignment is much slower and involves moving the text forward, then // filling in the space before it. start = buffer - partLength / sizeof(WCHAR); memmove(start + addLength / sizeof(WCHAR), start, partLength); wmemset(start, pad, addLength / sizeof(WCHAR)); } } ADVANCE_BUFFER(addLength); } } } } ================================================ FILE: phlib/format_std.cpp ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2020-2024 * */ #include #include extern NTSTATUS PhErrcToNtStatus( _In_ std::errc ec ); NTSTATUS PhFormatSingleToUtf8( _In_ FLOAT Value, _In_ ULONG Type, _In_ LONG Precision, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { #if defined(PH_TOCHARS_BUFFER) chars_format format = chars_format::fixed; to_chars_result result; SIZE_T returnLength; CHAR buffer[_CVTBUFSIZE + 1]; if (Type & FormatStandardForm) format = chars_format::general; else if (Type & FormatHexadecimalForm) format = chars_format::hex; result = std::to_chars( buffer, Buffer + BufferLength - sizeof(ANSI_NULL), // Reserve space for null terminator // end(buffer) Value, format, Precision ); if (result.ec != static_cast(0)) return PhErrcToNtStatus(result.ec); returnLength = result.ptr - buffer; if (returnLength == 0) return STATUS_UNSUCCESSFUL; // This could be removed in favor of directly passing the input buffer to std:to_chars but // for now use memcpy so that failures writing a value don't touch the input buffer (dmex) memcpy_s(Buffer, BufferLength, buffer, returnLength); Buffer[returnLength] = ANSI_NULL; if (ReturnLength) *ReturnLength = returnLength; return STATUS_SUCCESS; #else std::chars_format format; std::to_chars_result result; SIZE_T returnLength; if (Precision < 0) { // This overload finds the shortest string that converts back to the exact same double. // It is roughly 2x faster than the version with explicit precision. result = std::to_chars( Buffer, Buffer + BufferLength - sizeof(ANSI_NULL), Value ); } else { if (FlagOn(Type, FormatStandardForm)) format = std::chars_format::general; else if (FlagOn(Type, FormatHexadecimalForm)) format = std::chars_format::hex; else format = std::chars_format::fixed; result = std::to_chars( Buffer, Buffer + BufferLength - sizeof(ANSI_NULL), // Reserve space for null terminator // end(buffer) Value, format, Precision ); } if (result.ec != static_cast(0)) return PhErrcToNtStatus(result.ec); returnLength = result.ptr - Buffer; if (ReturnLength) { *ReturnLength = returnLength; } Buffer[returnLength] = ANSI_NULL; return STATUS_SUCCESS; #endif } NTSTATUS PhFormatDoubleToUtf8( _In_ DOUBLE Value, _In_ ULONG Type, _In_ LONG Precision, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { #if defined(PH_TOCHARS_BUFFER) chars_format format = chars_format::fixed; to_chars_result result; SIZE_T returnLength; CHAR buffer[_CVTBUFSIZE + 1]; if (Precision < 0) { // This overload finds the shortest string that converts back to the exact same double. // It is roughly 2x faster than the version with explicit precision. result = std::to_chars( Buffer, Buffer + BufferLength - sizeof(ANSI_NULL), Value ); } else { if (FlagOn(Type, FormatStandardForm)) format = std::chars_format::general; else if (FlagOn(Type, FormatHexadecimalForm)) format = std::chars_format::hex; else format = std::chars_format::fixed; result = to_chars( buffer, Buffer + BufferLength - sizeof(ANSI_NULL), // end(buffer) Value, format, Precision ); } if (result.ec != static_cast(0)) return STATUS_UNSUCCESSFUL; returnLength = result.ptr - buffer; if (returnLength == 0) return STATUS_UNSUCCESSFUL; // This could be removed in favor of directly passing the input buffer to std:to_chars but // for now use memcpy so that failures writing a value don't touch the input buffer (dmex) memcpy_s(Buffer, BufferLength, buffer, returnLength); Buffer[returnLength] = ANSI_NULL; if (ReturnLength) *ReturnLength = returnLength; return STATUS_SUCCESS; #else std::chars_format format; std::to_chars_result result; SIZE_T returnLength; if (Precision < 0) { // This overload finds the shortest string that converts back to the exact same double. // It is roughly 2x faster than the version with explicit precision. result = std::to_chars( Buffer, Buffer + BufferLength - sizeof(ANSI_NULL), Value ); } else { if (FlagOn(Type, FormatStandardForm)) format = std::chars_format::general; else if (FlagOn(Type, FormatHexadecimalForm)) format = std::chars_format::hex; else format = std::chars_format::fixed; result = std::to_chars( Buffer, Buffer + BufferLength - sizeof(ANSI_NULL), // Reserve space for null terminator Value, format, Precision ); } if (result.ec != static_cast(0)) return PhErrcToNtStatus(result.ec); returnLength = result.ptr - Buffer; if (ReturnLength) { *ReturnLength = returnLength; } Buffer[returnLength] = ANSI_NULL; return STATUS_SUCCESS; #endif } /** * Converts an integer to a UTF-8 string buffer (Replicates PhIntegerToString64). * * \param Integer The integer to convert. * \param Base The radix (e.g., 10, 16, 8). If 0, defaults to 10. * \param Signed TRUE to treat as signed int64, FALSE for unsigned int64. * \param Buffer The output buffer. * \param BufferLength The size of the buffer in bytes. * \param ReturnLength Contains the number of bytes written (excluding null terminator). */ NTSTATUS PhIntegerToUtf8Buffer( _In_ LONG64 Integer, _In_opt_ ULONG Base, _In_ BOOLEAN Signed, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { std::to_chars_result result; INT radix = (Base == 0) ? 10 : (INT)Base; if (!Buffer || BufferLength == 0) return STATUS_BUFFER_TOO_SMALL; if (radix < 2 || radix > 36) return STATUS_INVALID_PARAMETER; // Reserve 1 byte for null terminator PSTR endBuffer = Buffer + BufferLength - sizeof(ANSI_NULL); if (Signed) { result = std::to_chars( Buffer, endBuffer, (long long)Integer, radix ); } else { result = std::to_chars( Buffer, endBuffer, (unsigned long long)Integer, radix ); } if (result.ec != std::errc()) { if (result.ec == std::errc::value_too_large) return STATUS_BUFFER_OVERFLOW; return STATUS_UNSUCCESSFUL; } *result.ptr = ANSI_NULL; //Null-terminate if (ReturnLength) { SIZE_T length = result.ptr - Buffer; // Calculate written length *ReturnLength = length; } return STATUS_SUCCESS; } NTSTATUS PhErrcToNtStatus( _In_ std::errc ec ) { switch (ec) { case std::errc::address_family_not_supported: return STATUS_NOT_SUPPORTED; case std::errc::address_in_use: return STATUS_ADDRESS_ALREADY_ASSOCIATED; case std::errc::address_not_available: return STATUS_ADDRESS_NOT_ASSOCIATED; case std::errc::already_connected: return STATUS_CONNECTION_ACTIVE; case std::errc::argument_list_too_long: case std::errc::argument_out_of_domain: return STATUS_INVALID_PARAMETER; case std::errc::bad_address: return STATUS_INVALID_ADDRESS; case std::errc::bad_file_descriptor: return STATUS_INVALID_HANDLE; case std::errc::bad_message: return STATUS_DATA_ERROR; case std::errc::broken_pipe: return STATUS_PIPE_BROKEN; case std::errc::connection_aborted: return STATUS_CONNECTION_ABORTED; case std::errc::connection_already_in_progress: return STATUS_CONNECTION_ACTIVE; case std::errc::connection_refused: return STATUS_CONNECTION_REFUSED; case std::errc::connection_reset: return STATUS_CONNECTION_RESET; case std::errc::cross_device_link: return STATUS_NOT_SAME_DEVICE; case std::errc::destination_address_required: return STATUS_DESTINATION_ELEMENT_FULL; case std::errc::device_or_resource_busy: return STATUS_DEVICE_BUSY; case std::errc::directory_not_empty: return STATUS_DIRECTORY_NOT_EMPTY; case std::errc::executable_format_error: return STATUS_INVALID_IMAGE_FORMAT; case std::errc::file_exists: return STATUS_OBJECT_NAME_COLLISION; case std::errc::file_too_large: return STATUS_FILE_TOO_LARGE; case std::errc::filename_too_long: return STATUS_NAME_TOO_LONG; case std::errc::function_not_supported: return STATUS_NOT_SUPPORTED; case std::errc::host_unreachable: return STATUS_HOST_UNREACHABLE; case std::errc::identifier_removed: return STATUS_OBJECT_NAME_NOT_FOUND; case std::errc::illegal_byte_sequence: return STATUS_ILLEGAL_CHARACTER; case std::errc::inappropriate_io_control_operation: return STATUS_INVALID_DEVICE_REQUEST; case std::errc::interrupted: return STATUS_ALERTED; case std::errc::invalid_argument: case std::errc::invalid_seek: return STATUS_INVALID_PARAMETER; case std::errc::io_error: return STATUS_IO_DEVICE_ERROR; case std::errc::is_a_directory: return STATUS_FILE_IS_A_DIRECTORY; case std::errc::message_size: return STATUS_BUFFER_OVERFLOW; case std::errc::network_down: return STATUS_NETWORK_UNREACHABLE; case std::errc::network_reset: return STATUS_CONNECTION_RESET; case std::errc::network_unreachable: return STATUS_NETWORK_UNREACHABLE; case std::errc::no_buffer_space: return STATUS_INSUFFICIENT_RESOURCES; case std::errc::no_child_process: return STATUS_INVALID_CID; case std::errc::no_link: return STATUS_NOT_FOUND; case std::errc::no_lock_available: return STATUS_LOCK_NOT_GRANTED; case std::errc::no_message: return STATUS_NO_DATA_DETECTED; case std::errc::no_protocol_option: return STATUS_PROTOCOL_UNREACHABLE; case std::errc::no_space_on_device: return STATUS_DISK_FULL; case std::errc::no_such_device_or_address: return STATUS_INVALID_ADDRESS; case std::errc::no_such_device: return STATUS_NO_SUCH_DEVICE; case std::errc::no_such_file_or_directory: return STATUS_OBJECT_NAME_NOT_FOUND; case std::errc::no_such_process: return STATUS_INVALID_CID; case std::errc::not_a_directory: return STATUS_NOT_A_DIRECTORY; case std::errc::not_a_socket: return STATUS_OBJECT_TYPE_MISMATCH; case std::errc::not_connected: return STATUS_CONNECTION_DISCONNECTED; case std::errc::not_enough_memory: return STATUS_NO_MEMORY; case std::errc::not_supported: return STATUS_NOT_SUPPORTED; case std::errc::operation_canceled: return STATUS_CANCELLED; case std::errc::operation_in_progress: return STATUS_PENDING; case std::errc::operation_not_permitted: return STATUS_PRIVILEGE_NOT_HELD; case std::errc::operation_not_supported: return STATUS_NOT_SUPPORTED; case std::errc::operation_would_block: return STATUS_DEVICE_BUSY; case std::errc::owner_dead: return STATUS_INVALID_CID; case std::errc::permission_denied: return STATUS_ACCESS_DENIED; case std::errc::protocol_error: case std::errc::protocol_not_supported: return STATUS_PROTOCOL_UNREACHABLE; case std::errc::read_only_file_system: return STATUS_MEDIA_WRITE_PROTECTED; case std::errc::resource_deadlock_would_occur: return STATUS_POSSIBLE_DEADLOCK; case std::errc::resource_unavailable_try_again: return STATUS_DEVICE_BUSY; case std::errc::result_out_of_range: return STATUS_INTEGER_OVERFLOW; case std::errc::state_not_recoverable: return STATUS_UNSUCCESSFUL; case std::errc::text_file_busy: return STATUS_FILE_LOCK_CONFLICT; case std::errc::timed_out: return STATUS_TIMEOUT; case std::errc::too_many_files_open_in_system: case std::errc::too_many_files_open: return STATUS_TOO_MANY_OPENED_FILES; case std::errc::too_many_links: case std::errc::too_many_symbolic_link_levels: return STATUS_TOO_MANY_LINKS; case std::errc::value_too_large: return STATUS_INTEGER_OVERFLOW; case std::errc::wrong_protocol_type: return STATUS_PROTOCOL_UNREACHABLE; case std::errc(): return STATUS_SUCCESS; default: return STATUS_UNSUCCESSFUL; } } ================================================ FILE: phlib/global.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2013 * dmex 2017-2023 * */ #include #include #include PVOID PhInstanceHandle = NULL; PCWSTR PhApplicationName = NULL; HANDLE PhHeapHandle = NULL; RTL_OSVERSIONINFOEX PhOsVersion = { 0 }; PHLIBAPI PH_SYSTEM_BASIC_INFORMATION PhSystemBasicInformation = { 0 }; PH_SYSTEM_PROCESSOR_INFORMATION PhSystemProcessorInformation = { 0 }; ULONG WindowsVersion = WINDOWS_NEW; // Internal data #ifdef DEBUG PHLIB_STATISTICS_BLOCK PhLibStatisticsBlock; #endif NTSTATUS PhInitializePhLib( _In_ PCWSTR ApplicationName ) { NTSTATUS status; WPP_INIT_TRACING(ApplicationName); PhTraceInfo("%ls initializing", ApplicationName); PhApplicationName = ApplicationName; PhInstanceHandle = NtCurrentImageBase(); PhInitializeRuntimeInformation(); PhInitializeWindowsInformation(); PhInitializeSystemInformation(); if (!NT_SUCCESS(status = PhHeapInitialization())) return status; if (!NT_SUCCESS(status = PhQueuedLockInitialization())) return status; if (!NT_SUCCESS(status = PhRefInitialization())) return status; if (!NT_SUCCESS(status = PhBaseInitialization())) return status; PhInitializeProcessorInformation(); return STATUS_SUCCESS; } BOOLEAN PhIsExecutingInWow64( VOID ) { #ifndef _WIN64 static volatile BOOLEAN valid = FALSE; static BOOLEAN isWow64 = FALSE; if (!ReadBooleanAcquire(&valid)) { PhGetProcessIsWow64(NtCurrentProcess(), &isWow64); WriteBooleanRelease(&valid, TRUE); } return isWow64; #else return FALSE; #endif } NTSTATUS PhInitializeRuntimeInformation( VOID ) { #if defined _M_IX86 // Enable SSE2 CRT support. _set_SSE2_enable(1); #endif // Enable UTF8 CRT support. //_wsetlocale(LC_ALL, L".UTF8"); return STATUS_SUCCESS; } NTSTATUS PhInitializeSystemInformation( VOID ) { NTSTATUS status; SYSTEM_BASIC_INFORMATION basicInfo = { 0 }; PhSystemBasicInformation.PageSize = PAGE_SIZE; PhSystemBasicInformation.NumberOfProcessors = 1; PhSystemBasicInformation.NumberOfPhysicalPages = ULONG_MAX; PhSystemBasicInformation.MaximumTimerResolution = 0x2625A; PhSystemBasicInformation.AllocationGranularity = 0x10000; PhSystemBasicInformation.MaximumUserModeAddress = 0x10000; PhSystemBasicInformation.ActiveProcessorsAffinityMask = USHRT_MAX; status = NtQuerySystemInformation( SystemBasicInformation, &basicInfo, sizeof(SYSTEM_BASIC_INFORMATION), NULL ); if (NT_SUCCESS(status)) { PhSystemBasicInformation.PageSize = (USHORT)basicInfo.PageSize; PhSystemBasicInformation.NumberOfProcessors = (USHORT)basicInfo.NumberOfProcessors; PhSystemBasicInformation.NumberOfPhysicalPages = basicInfo.NumberOfPhysicalPages; PhSystemBasicInformation.MaximumTimerResolution = basicInfo.TimerResolution; PhSystemBasicInformation.AllocationGranularity = basicInfo.AllocationGranularity; PhSystemBasicInformation.MaximumUserModeAddress = basicInfo.MaximumUserModeAddress; PhSystemBasicInformation.ActiveProcessorsAffinityMask = basicInfo.ActiveProcessorsAffinityMask; } PhTraceInfo("InitializeSystemInformation: %!STATUS!", status); return status; } NTSTATUS PhInitializeWindowsInformation( VOID ) { NTSTATUS status; RTL_OSVERSIONINFOEX versionInfo; ULONG majorVersion; ULONG minorVersion; ULONG buildVersion; memset(&versionInfo, 0, sizeof(RTL_OSVERSIONINFOEX)); versionInfo.OSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEX); if (!NT_SUCCESS(status = RtlGetVersion(&versionInfo))) { WindowsVersion = WINDOWS_ANCIENT; return status; } memcpy(&PhOsVersion, &versionInfo, sizeof(RTL_OSVERSIONINFOEX)); majorVersion = versionInfo.MajorVersion; minorVersion = versionInfo.MinorVersion; buildVersion = versionInfo.BuildNumber; if (majorVersion == 6 && minorVersion < 1 || majorVersion < 6) { WindowsVersion = WINDOWS_ANCIENT; } // Windows 7, Windows Server 2008 R2 else if (majorVersion == 6 && minorVersion == 1) { WindowsVersion = WINDOWS_7; } // Windows 8, Windows Server 2012 else if (majorVersion == 6 && minorVersion == 2) { WindowsVersion = WINDOWS_8; } // Windows 8.1, Windows Server 2012 R2 else if (majorVersion == 6 && minorVersion == 3) { WindowsVersion = WINDOWS_8_1; } // Windows 10, Windows Server 2016 else if (majorVersion == 10 && minorVersion == 0) { if (buildVersion > 28000) { WindowsVersion = WINDOWS_NEW; } else if (buildVersion >= 28000) { WindowsVersion = WINDOWS_11_26H1; } else if (buildVersion >= 26200) { WindowsVersion = WINDOWS_11_25H2; } else if (buildVersion >= 26100) { WindowsVersion = WINDOWS_11_24H2; } else if (buildVersion >= 22631) { WindowsVersion = WINDOWS_11_23H2; } else if (buildVersion >= 22621) { WindowsVersion = WINDOWS_11_22H2; } else if (buildVersion >= 22000) { WindowsVersion = WINDOWS_11; } else if (buildVersion >= 19045) { WindowsVersion = WINDOWS_10_22H2; } else if (buildVersion >= 19044) { WindowsVersion = WINDOWS_10_21H2; } else if (buildVersion >= 19043) { WindowsVersion = WINDOWS_10_21H1; } else if (buildVersion >= 19042) { WindowsVersion = WINDOWS_10_20H2; } else if (buildVersion >= 19041) { WindowsVersion = WINDOWS_10_20H1; } else if (buildVersion >= 18363) { WindowsVersion = WINDOWS_10_19H2; } else if (buildVersion >= 18362) { WindowsVersion = WINDOWS_10_19H1; } else if (buildVersion >= 17763) { WindowsVersion = WINDOWS_10_RS5; } else if (buildVersion >= 17134) { WindowsVersion = WINDOWS_10_RS4; } else if (buildVersion >= 16299) { WindowsVersion = WINDOWS_10_RS3; } else if (buildVersion >= 15063) { WindowsVersion = WINDOWS_10_RS2; } else if (buildVersion >= 14393) { WindowsVersion = WINDOWS_10_RS1; } else if (buildVersion >= 10586) { WindowsVersion = WINDOWS_10_TH2; } else if (buildVersion >= 10240) { WindowsVersion = WINDOWS_10; } else { WindowsVersion = WINDOWS_10; } } else { WindowsVersion = WINDOWS_NEW; } return status; } NTSTATUS PhHeapInitialization( VOID ) { #if !defined(PH_DEBUG_HEAP) NTSTATUS status = STATUS_UNSUCCESSFUL; if (WindowsVersion >= WINDOWS_8) { if (PhHeapHandle = RtlCreateHeap( HEAP_GROWABLE | HEAP_CREATE_SEGMENT_HEAP | HEAP_CLASS_1, NULL, 0, 0, NULL, NULL )) { status = STATUS_SUCCESS; } } if (!NT_SUCCESS(status)) { if (PhHeapHandle = RtlCreateHeap( HEAP_GROWABLE | HEAP_CLASS_1, NULL, 2 * 1024 * 1024, // 2 MB 1024 * 1024, // 1 MB NULL, NULL )) { status = STATUS_SUCCESS; } if (NT_SUCCESS(status)) { const ULONG defaultHeapCompatibilityMode = HEAP_COMPATIBILITY_MODE_LFH; RtlSetHeapInformation( PhHeapHandle, HeapCompatibilityInformation, &defaultHeapCompatibilityMode, sizeof(ULONG) ); } } PhTraceInfo("HeapInitialization: %!STATUS!", status); return status; #else PhHeapHandle = RtlProcessHeap(); return STATUS_SUCCESS; #endif } NTSTATUS PhInitializeProcessorInformation( VOID ) { if ( USER_SHARED_DATA->ActiveGroupCount == 1 && // optimization (dmex) USER_SHARED_DATA->ActiveProcessorCount > 0 && USER_SHARED_DATA->ActiveProcessorCount <= MAXIMUM_PROC_PER_GROUP ) { PhSystemProcessorInformation.SingleProcessorGroup = TRUE; PhSystemProcessorInformation.NumberOfProcessors = PhSystemBasicInformation.NumberOfProcessors; PhSystemProcessorInformation.NumberOfProcessorGroups = 1; PhSystemProcessorInformation.ActiveProcessorsAffinityMasks = &PhSystemBasicInformation.ActiveProcessorsAffinityMask; return STATUS_SUCCESS; } else { NTSTATUS status; PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX processorInformation; ULONG processorInformationLength; USHORT numberOfProcessorGroups = 0; USHORT numberOfProcessors = 0; USHORT i; status = PhGetSystemLogicalProcessorInformation( RelationGroup, &processorInformation, &processorInformationLength ); if (NT_SUCCESS(status)) { numberOfProcessorGroups = processorInformation->Group.ActiveGroupCount; for (i = 0; i < numberOfProcessorGroups; i++) { numberOfProcessors += processorInformation->Group.GroupInfo[i].ActiveProcessorCount; } if (numberOfProcessorGroups > 1) { PhSystemProcessorInformation.ActiveProcessorCount = PhAllocate(numberOfProcessorGroups * sizeof(USHORT)); PhSystemProcessorInformation.ActiveProcessorsAffinityMasks = PhAllocate(numberOfProcessorGroups * sizeof(KAFFINITY)); for (i = 0; i < numberOfProcessorGroups; i++) { PhSystemProcessorInformation.ActiveProcessorCount[i] = processorInformation->Group.GroupInfo[i].ActiveProcessorCount; PhSystemProcessorInformation.ActiveProcessorsAffinityMasks[i] = processorInformation->Group.GroupInfo[i].ActiveProcessorMask; } } PhFree(processorInformation); } assert(numberOfProcessorGroups == USER_SHARED_DATA->ActiveGroupCount); assert(numberOfProcessors == USER_SHARED_DATA->ActiveProcessorCount); if (numberOfProcessorGroups > 1 && numberOfProcessors) { PhSystemProcessorInformation.SingleProcessorGroup = FALSE; PhSystemProcessorInformation.NumberOfProcessors = numberOfProcessors; PhSystemProcessorInformation.NumberOfProcessorGroups = numberOfProcessorGroups; } else { PhSystemProcessorInformation.SingleProcessorGroup = TRUE; PhSystemProcessorInformation.NumberOfProcessors = PhSystemBasicInformation.NumberOfProcessors; PhSystemProcessorInformation.NumberOfProcessorGroups = 1; PhSystemProcessorInformation.ActiveProcessorsAffinityMasks = &PhSystemBasicInformation.ActiveProcessorsAffinityMask; } PhTraceInfo("InitializeProcessorInformation: %!STATUS!", status); return status; } } #define WORKAROUND_CRTBUG_EXITPROCESS #ifdef WORKAROUND_CRTBUG_EXITPROCESS PH_CLANG_DIAGNOSTIC_PUSH(); PH_CLANG_DIAGNOSTIC_IGNORED("-Winvalid-noreturn"); #endif _Use_decl_annotations_ VOID PhExitApplication( _In_ NTSTATUS Status ) { PhTraceInfo("%ls exiting: %!STATUS!", PhApplicationName, Status); WPP_CLEANUP(); #ifdef WORKAROUND_CRTBUG_EXITPROCESS //HANDLE standardHandle; // //if (standardHandle = PhGetStdHandle(STD_OUTPUT_HANDLE)) //{ // DEVICE_TYPE deviceType; // // if (NT_SUCCESS(PhGetDeviceType(NtCurrentProcess(), standardHandle, &deviceType))) // { // if (deviceType == FILE_DEVICE_CONSOLE) // { // FlushFileBuffers(standardHandle); // } // } //} NtTerminateProcess(NtCurrentProcess(), Status); #else RtlExitUserProcess(Status); #endif } #ifdef WORKAROUND_CRTBUG_EXITPROCESS PH_CLANG_DIAGNOSTIC_POP(); #endif ================================================ FILE: phlib/graph.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #define COLORREF_TO_BITS(Color) (_byteswap_ulong(Color) >> 8) typedef struct _PHP_GRAPH_CONTEXT { HWND Handle; HWND ParentHandle; ULONG Style; ULONG ExStyle; ULONG_PTR Id; PH_GRAPH_DRAW_INFO DrawInfo; PH_GRAPH_OPTIONS Options; union { USHORT Flags; struct { USHORT NeedsUpdate : 1; USHORT NeedsDraw : 1; USHORT Hot : 1; USHORT Spare : 13; }; }; HDC BufferedContext; HBITMAP BufferedOldBitmap; HBITMAP BufferedBitmap; PVOID BufferedBits; RECT BufferedContextRect; HDC FadeOutContext; HBITMAP FadeOutOldBitmap; HBITMAP FadeOutBitmap; PVOID FadeOutBits; RECT FadeOutContextRect; HWND TooltipHandle; WNDPROC TooltipOldWndProc; POINT LastCursorLocation; PPH_GRAPH_MESSAGE_CALLBACK Callback; PVOID Context; } PHP_GRAPH_CONTEXT, *PPHP_GRAPH_CONTEXT; LRESULT CALLBACK PhpGraphWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); RECT PhNormalGraphTextMargin = { 5, 5, 5, 5 }; RECT PhNormalGraphTextPadding = { 3, 3, 3, 3 }; RTL_ATOM PhGraphControlInitialization( ) { WNDCLASSEX wcex; memset(&wcex, 0, sizeof(WNDCLASSEX)); wcex.cbSize = sizeof(WNDCLASSEX); wcex.style = CS_GLOBALCLASS | CS_DBLCLKS; wcex.lpfnWndProc = PhpGraphWndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = sizeof(PVOID); wcex.hInstance = NtCurrentImageBase(); wcex.hCursor = PhLoadCursor(NULL, IDC_ARROW); wcex.lpszClassName = PH_GRAPH_CLASSNAME; return RegisterClassEx(&wcex); } FORCEINLINE VOID PhpGetGraphPoint( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG Index, _Out_ PULONG H1, _Out_ PULONG H2 ) { if (Index < DrawInfo->LineDataCount) { FLOAT f1; FLOAT f2; f1 = DrawInfo->LineData1[Index]; if (f1 < 0) f1 = 0; if (f1 > 1) f1 = 1; *H1 = (ULONG)(f1 * (DrawInfo->Height - 1)); if (DrawInfo->Flags & PH_GRAPH_USE_LINE_2) { f2 = f1 + DrawInfo->LineData2[Index]; if (f2 < 0) f2 = 0; if (f2 > 1) f2 = 1; *H2 = (ULONG)(f2 * (DrawInfo->Height - 1)); } else { *H2 = *H1; } } else { *H1 = 0; *H2 = 0; } } /** * Draws a graph directly to memory. * * \param hdc The DC to draw to. This is only used when drawing text. * \param Bits The bits in a bitmap. * \param DrawInfo A structure which contains graphing information. * * \remarks The following information is fixed: * \li The graph is fixed to the origin (0, 0). * \li The total size of the bitmap is assumed to be \a Width and \a Height in \a DrawInfo. * \li \a Step is fixed at 2. * \li If \ref PH_GRAPH_USE_LINE_2 is specified in \a Flags, \ref PH_GRAPH_OVERLAY_LINE_2 is never * used. */ VOID PhDrawGraphDirect( _In_ HDC hdc, _In_ PVOID Bits, _In_ PPH_GRAPH_DRAW_INFO DrawInfo ) { PULONG bits = Bits; LONG width = DrawInfo->Width; LONG height = DrawInfo->Height; LONG numberOfPixels = width * height; ULONG flags = DrawInfo->Flags; LONG i; LONG x; BOOLEAN intermediate = FALSE; // whether we are currently between two data positions ULONG dataIndex = 0; // the data index of the current position ULONG h1_i; // the line 1 height value to the left of the current position ULONG h1_o; // the line 1 height value at the current position ULONG h2_i; // the line 1 + line 2 height value to the left of the current position ULONG h2_o; // the line 1 + line 2 height value at the current position ULONG h1; // current pixel ULONG h1_left; // current pixel ULONG h2; // current pixel ULONG h2_left; // current pixel LONG mid; LONG h1_low1; LONG h1_high1; LONG h1_low2; LONG h1_high2; LONG h2_low1; LONG h2_high1; LONG h2_low2; LONG h2_high2; LONG old_low2; LONG old_high2; ULONG lineColor1; ULONG lineBackColor1; ULONG lineColor2; ULONG lineBackColor2; FLOAT gridHeight; LONG gridYThreshold; ULONG gridYCounter; ULONG gridColor; FLOAT gridBase; FLOAT gridLevel; ULONG yLabelMax; ULONG yLabelDataIndex; lineColor1 = COLORREF_TO_BITS(DrawInfo->LineColor1); lineBackColor1 = COLORREF_TO_BITS(DrawInfo->LineBackColor1); lineColor2 = COLORREF_TO_BITS(DrawInfo->LineColor2); lineBackColor2 = COLORREF_TO_BITS(DrawInfo->LineBackColor2); if (DrawInfo->BackColor == 0) { memset(bits, 0, numberOfPixels * sizeof(RGBQUAD)); } else { PhFillMemoryUlong(bits, COLORREF_TO_BITS(DrawInfo->BackColor), numberOfPixels); } x = width - 1; h1_low2 = MAXLONG; h1_high2 = 0; h2_low2 = MAXLONG; h2_high2 = 0; PhpGetGraphPoint(DrawInfo, 0, &h1_i, &h2_i); if (flags & (PH_GRAPH_USE_GRID_X | PH_GRAPH_USE_GRID_Y)) { gridHeight = max(DrawInfo->GridHeight, 0); gridLevel = gridHeight; gridYThreshold = DrawInfo->GridYThreshold; gridYCounter = DrawInfo->GridWidth - (DrawInfo->GridXOffset * DrawInfo->Step) % DrawInfo->GridWidth - 1; gridColor = COLORREF_TO_BITS(DrawInfo->GridColor); } if ((flags & (PH_GRAPH_USE_GRID_Y | PH_GRAPH_LOGARITHMIC_GRID_Y)) == (PH_GRAPH_USE_GRID_Y | PH_GRAPH_LOGARITHMIC_GRID_Y)) { // Pre-process to find the largest integer n such that GridHeight*GridBase^n < 1. gridBase = DrawInfo->GridBase; if (gridBase > 1) { DOUBLE logBase; DOUBLE exponent; DOUBLE high; logBase = log(gridBase); exponent = ceil(-log(gridHeight) / logBase) - 1; // Works for both GridHeight > 1 and GridHeight < 1 high = exp(exponent * logBase); gridLevel = (FLOAT)(gridHeight * high); if (gridLevel < 0 || !isfinite(gridLevel)) gridLevel = 0; if (gridLevel > 1) gridLevel = 1; } else { // This is an error. gridLevel = 0; } } if (flags & PH_GRAPH_LABEL_MAX_Y) { yLabelMax = h2_i; yLabelDataIndex = 0; } while (x >= 0) { // Calculate the height of the graph at this point. if (!intermediate) { h1_o = h1_i; h2_o = h2_i; // Pull in new data. dataIndex++; PhpGetGraphPoint(DrawInfo, dataIndex, &h1_i, &h2_i); h1 = h1_o; h1_left = (h1_i + h1_o) / 2; h2 = h2_o; h2_left = (h2_i + h2_o) / 2; if ((flags & PH_GRAPH_LABEL_MAX_Y) && dataIndex < DrawInfo->LabelMaxYIndexLimit) { if (yLabelMax <= h2_i) { yLabelMax = h2_i; yLabelDataIndex = dataIndex; } } } else { h1 = h1_left; h1_left = h1_i; h2 = h2_left; h2_left = h2_i; } // The graph is drawn right-to-left. There is one iteration of the loop per horizontal pixel. // There is a fixed step value of 2, so every other iteration is a mid-point (intermediate) // iteration with a height value of (left + right) / 2. In order to rasterize the outline, // effectively in each iteration half of the line is drawn at the current column and the other // half is drawn in the column to the left. // Rasterize the data outline. // h?_low2 to h?_high2 is the vertical line to the left of the current pixel. // h?_low1 to h?_high1 is the vertical line at the current pixel. // We merge (union) the old h?_low2 to h?_high2 line with the current line in each iteration. // // For example: // // X represents a data point. M represents the mid-point between two data points ("intermediate"). // X, M and x are all part of the outline. # represents the background filled in during // the current loop iteration. // // slope > 0: slope < 0: // // X < high1 X < high2 (of next loop iteration) // x x // x < low1 x < low2 (of next loop iteration) // x# < high2 x < high1 (of next loop iteration) // M# < low2 M < low1 (of next loop iteration) // x# < high1 (of next loop iteration) x < high2 // x# < low1 (of next loop iteration) x < low2 // x # < high2 (of next loop iteration) x < high1 // x # x // X # < low2 (of next loop iteration) X < low1 // # # // ^ ^ // ^| current pixel ^| current pixel // | | // | left of current pixel | left of current pixel // // In both examples above, the line low2-high2 will be merged with the line low1-high1 of // the next iteration. mid = ((h1_left + h1) / 2) * width; old_low2 = h1_low2; old_high2 = h1_high2; if (h1_left < h1) // slope > 0 { h1_low2 = h1_left * width; h1_high2 = mid; h1_low1 = mid + width; h1_high1 = h1 * width; } else // slope < 0 { h1_high2 = h1_left * width; h1_low2 = mid + width; h1_high1 = mid; h1_low1 = h1 * width; } // Merge the lines. if (h1_low1 > old_low2) h1_low1 = old_low2; if (h1_high1 < old_high2) h1_high1 = old_high2; // Fix up values for the current horizontal offset. h1_low1 += x; h1_high1 += x; if (flags & PH_GRAPH_USE_LINE_2) { mid = ((h2_left + h2) / 2) * width; old_low2 = h2_low2; old_high2 = h2_high2; if (h2_left < h2) // slope > 0 { h2_low2 = h2_left * width; h2_high2 = mid; h2_low1 = mid + width; h2_high1 = h2 * width; } else // slope < 0 { h2_high2 = h2_left * width; h2_low2 = mid + width; h2_high1 = mid; h2_low1 = h2 * width; } // Merge the lines. if (h2_low1 > old_low2) h2_low1 = old_low2; if (h2_high1 < old_high2) h2_high1 = old_high2; // Fix up values for the current horizontal offset. h2_low1 += x; h2_high1 += x; } // Fill in the background. if (flags & PH_GRAPH_USE_LINE_2) { for (i = h1_high1 + width; i < h2_low1; i += width) { bits[i] = lineBackColor2; } } for (i = x; i < h1_low1; i += width) { bits[i] = lineBackColor1; } // Draw the grid. if (flags & PH_GRAPH_USE_GRID_X) { // Draw the vertical grid line. if (gridYCounter == 0) { for (i = x; i < numberOfPixels; i += width) { bits[i] = gridColor; } } gridYCounter++; if (gridYCounter == DrawInfo->GridWidth) gridYCounter = 0; } if (flags & PH_GRAPH_USE_GRID_Y) { FLOAT level; LONG h; LONG h_last; // Draw the horizontal grid line. if (flags & PH_GRAPH_LOGARITHMIC_GRID_Y) { level = gridLevel; h = (LONG)(level * (height - 1)); h_last = height + gridYThreshold - 1; while (TRUE) { if (h <= h_last - gridYThreshold) { bits[x + h * width] = gridColor; h_last = h; } else { break; } level /= gridBase; h = (LONG)(level * (height - 1)); } } else { level = gridHeight; h = (LONG)(level * (height - 1)); h_last = 0; while (h < height - 1) { if (h >= h_last + gridYThreshold) { bits[x + h * width] = gridColor; h_last = h; } level += gridHeight; h = (LONG)(level * (height - 1)); } } } // Draw the outline (line 1 is allowed to paint over line 2). if (flags & PH_GRAPH_USE_LINE_2) { for (i = h2_low1; i <= h2_high1; i += width) // exclude pixel in the middle { bits[i] = lineColor2; } } for (i = h1_low1; i <= h1_high1; i += width) { bits[i] = lineColor1; } intermediate = !intermediate; x--; } if ((flags & PH_GRAPH_LABEL_MAX_Y) && yLabelDataIndex < DrawInfo->LineDataCount) { FLOAT value; PPH_STRING label; value = DrawInfo->LineData1[yLabelDataIndex]; if (flags & PH_GRAPH_USE_LINE_2) value += DrawInfo->LineData2[yLabelDataIndex]; if (label = DrawInfo->LabelYFunction(DrawInfo, yLabelDataIndex, value, DrawInfo->LabelYFunctionParameter)) { HFONT oldFont = NULL; SIZE textSize; RECT rect; if (DrawInfo->LabelYFont) oldFont = SelectFont(hdc, DrawInfo->LabelYFont); SetTextColor(hdc, DrawInfo->LabelYColor); SetBkMode(hdc, TRANSPARENT); GetTextExtentPoint32(hdc, label->Buffer, (ULONG)label->Length / sizeof(WCHAR), &textSize); rect.bottom = height - yLabelMax - PhNormalGraphTextPadding.top; rect.top = rect.bottom - textSize.cy; if (rect.top < PhNormalGraphTextPadding.top) { rect.top = PhNormalGraphTextPadding.top; rect.bottom = rect.top + textSize.cy; } rect.left = 0; rect.right = width - min((LONG)yLabelDataIndex * 2, width) - PhNormalGraphTextPadding.right; DrawText(hdc, label->Buffer, (ULONG)label->Length / sizeof(WCHAR), &rect, DT_NOCLIP | DT_RIGHT); if (oldFont) SelectFont(hdc, oldFont); PhDereferenceObject(label); } } if (DrawInfo->Text.Buffer) { HFONT oldFont = NULL; HBRUSH brush; if (DrawInfo->TextFont) oldFont = SelectFont(hdc, DrawInfo->TextFont); SetBkMode(hdc, TRANSPARENT); // Fill in the text box. brush = PhGetStockBrush(DC_BRUSH); SelectBrush(hdc, brush); SetDCBrushColor(hdc, DrawInfo->TextBoxColor); FillRect(hdc, &DrawInfo->TextBoxRect, brush); // Draw the text. SetTextColor(hdc, DrawInfo->TextColor); DrawText(hdc, DrawInfo->Text.Buffer, (ULONG)DrawInfo->Text.Length / sizeof(WCHAR), &DrawInfo->TextRect, DT_NOCLIP); if (oldFont) SelectFont(hdc, oldFont); } if (DrawInfo->Text2.Buffer) { HFONT oldFont = NULL; if (DrawInfo->TextFont) oldFont = SelectFont(hdc, DrawInfo->TextFont); //SetBkMode(hdc, TRANSPARENT); // Fill in the text box. SetDCBrushColor(hdc, DrawInfo->TextBoxColor); FillRect(hdc, &DrawInfo->TextBoxRect2, PhGetStockBrush(DC_BRUSH)); // Draw the text. SetTextColor(hdc, DrawInfo->TextColor); DrawText(hdc, DrawInfo->Text2.Buffer, (ULONG)DrawInfo->Text2.Length / sizeof(WCHAR), &DrawInfo->TextRect2, DT_NOCLIP); if (oldFont) SelectFont(hdc, oldFont); } } /** * Sets the text in a graphing information structure. * * \param hdc The DC to perform calculations from. * \param DrawInfo A structure which contains graphing information. The structure is modified to * contain the new text information. * \param Text The text. * \param Margin The margins of the text box from the edges of the graph. * \param Padding The padding within the text box. * \param Align The alignment of the text box. */ VOID PhSetGraphText( _In_ HDC hdc, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ PPH_STRINGREF Text, _In_ PRECT Margin, _In_ PRECT Padding, _In_ ULONG Align ) { HFONT oldFont = NULL; SIZE textSize; PH_RECTANGLE boxRectangle; PH_RECTANGLE textRectangle; if (DrawInfo->TextFont) oldFont = SelectFont(hdc, DrawInfo->TextFont); DrawInfo->Text = *Text; GetTextExtentPoint32(hdc, Text->Buffer, (ULONG)Text->Length / sizeof(WCHAR), &textSize); if (oldFont) SelectFont(hdc, oldFont); // Calculate the box rectangle. boxRectangle.Width = textSize.cx + Padding->left + Padding->right; boxRectangle.Height = textSize.cy + Padding->top + Padding->bottom; if (Align & PH_ALIGN_LEFT) boxRectangle.Left = Margin->left; else if (Align & PH_ALIGN_RIGHT) boxRectangle.Left = DrawInfo->Width - boxRectangle.Width - Margin->right; else boxRectangle.Left = (DrawInfo->Width - boxRectangle.Width) / 2; if (Align & PH_ALIGN_TOP) boxRectangle.Top = Margin->top; else if (Align & PH_ALIGN_BOTTOM) boxRectangle.Top = DrawInfo->Height - boxRectangle.Height - Margin->bottom; else boxRectangle.Top = (DrawInfo->Height - boxRectangle.Height) / 2; // Calculate the text rectangle. textRectangle.Left = boxRectangle.Left + Padding->left; textRectangle.Top = boxRectangle.Top + Padding->top; textRectangle.Width = textSize.cx; textRectangle.Height = textSize.cy; // Save the rectangles. PhRectangleToRect(&DrawInfo->TextRect, &textRectangle); PhRectangleToRect(&DrawInfo->TextBoxRect, &boxRectangle); } VOID PhSetGraphText2( _In_ HDC hdc, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ PPH_STRINGREF Text, _In_ PRECT Margin, _In_ PRECT Padding, _In_ ULONG Align ) { HFONT oldFont = NULL; RECT calcRect = { 0, 0, DrawInfo->Width, DrawInfo->Height }; UINT flags = DT_NOPREFIX | DT_WORDBREAK | DT_EDITCONTROL; PH_RECTANGLE boxRectangle; PH_RECTANGLE textRectangle; // Horizontal alignment if (FlagOn(Align, PH_ALIGN_LEFT)) flags |= DT_LEFT; else if (FlagOn(Align, PH_ALIGN_RIGHT)) flags |= DT_RIGHT; else flags |= DT_CENTER; // Vertical alignment (handled manually after measuring) // DT_TOP is default; DT_VCENTER/DT_BOTTOM don't work with CALCRECT flags |= DT_TOP; // Select font for measurement if (DrawInfo->TextFont) oldFont = SelectFont(hdc, DrawInfo->TextFont); // Measure multi-line text DrawInfo->Text = *Text; DrawText( hdc, Text->Buffer, (LONG)(Text->Length / sizeof(WCHAR)), &calcRect, flags | DT_CALCRECT ); if (oldFont) SelectFont(hdc, oldFont); // Compute box size LONG textWidth = calcRect.right - calcRect.left; LONG textHeight = calcRect.bottom - calcRect.top; boxRectangle.Width = textWidth + Padding->left + Padding->right; boxRectangle.Height = textHeight + Padding->top + Padding->bottom; // Horizontal positioning if (FlagOn(Align, PH_ALIGN_LEFT)) boxRectangle.Left = Margin->left; else if (FlagOn(Align, PH_ALIGN_RIGHT)) boxRectangle.Left = DrawInfo->Width - boxRectangle.Width - Margin->right; else boxRectangle.Left = (DrawInfo->Width - boxRectangle.Width) / 2; // Vertical positioning if (FlagOn(Align, PH_ALIGN_TOP)) boxRectangle.Top = Margin->top; else if (FlagOn(Align, PH_ALIGN_BOTTOM)) boxRectangle.Top = DrawInfo->Height - boxRectangle.Height - Margin->bottom; else boxRectangle.Top = (DrawInfo->Height - boxRectangle.Height) / 2; // Compute final text rectangle textRectangle.Left = boxRectangle.Left + Padding->left; textRectangle.Top = boxRectangle.Top + Padding->top; textRectangle.Width = textWidth; textRectangle.Height = textHeight; // Save rectangles PhRectangleToRect(&DrawInfo->TextRect, &textRectangle); PhRectangleToRect(&DrawInfo->TextBoxRect, &boxRectangle); } PPHP_GRAPH_CONTEXT PhCreateGraphContext( VOID ) { PPHP_GRAPH_CONTEXT context; context = PhAllocate(sizeof(PHP_GRAPH_CONTEXT)); memset(context, 0, sizeof(PHP_GRAPH_CONTEXT)); context->DrawInfo.Width = 3; context->DrawInfo.Height = 3; context->DrawInfo.Flags = PH_GRAPH_USE_GRID_X; context->DrawInfo.Step = 2; context->DrawInfo.BackColor = RGB(0xef, 0xef, 0xef); context->DrawInfo.LineDataCount = 0; context->DrawInfo.LineData1 = NULL; context->DrawInfo.LineData2 = NULL; context->DrawInfo.LineColor1 = RGB(0x00, 0xff, 0x00); context->DrawInfo.LineColor2 = RGB(0xff, 0x00, 0x00); context->DrawInfo.LineBackColor1 = RGB(0x00, 0x77, 0x00); context->DrawInfo.LineBackColor2 = RGB(0x77, 0x00, 0x00); context->DrawInfo.GridColor = RGB(0xc7, 0xc7, 0xc7); context->DrawInfo.GridWidth = 20; context->DrawInfo.GridHeight = 0.25f; context->DrawInfo.GridXOffset = 0; context->DrawInfo.GridYThreshold = 10; context->DrawInfo.GridBase = 2.0f; context->DrawInfo.LabelYColor = RGB(0x77, 0x77, 0x77); context->DrawInfo.LabelMaxYIndexLimit = -1; context->DrawInfo.TextColor = RGB(0x00, 0xff, 0x00); context->DrawInfo.TextBoxColor = RGB(0x00, 0x22, 0x00); context->Options.FadeOutBackColor = RGB(0xef, 0xef, 0xef); context->Options.FadeOutWidth = 100; return context; } VOID PhpFreeGraphContext( _Inout_ _Post_invalid_ PPHP_GRAPH_CONTEXT Context ) { PhFree(Context); } static VOID PhpDeleteBufferedContext( _In_ PPHP_GRAPH_CONTEXT Context ) { if (Context->BufferedContext && Context->BufferedOldBitmap) { SelectBitmap(Context->BufferedContext, Context->BufferedOldBitmap); Context->BufferedOldBitmap = NULL; } if (Context->BufferedBitmap) { DeleteBitmap(Context->BufferedBitmap); Context->BufferedBitmap = NULL; } if (Context->BufferedContext) { DeleteDC(Context->BufferedContext); Context->BufferedContext = NULL; } Context->BufferedBits = NULL; } static VOID PhpCreateBufferedContext( _In_ PPHP_GRAPH_CONTEXT Context ) { PhpDeleteBufferedContext(Context); if (!PhGetClientRect(Context->Handle, &Context->BufferedContextRect)) return; Context->BufferedContext = CreateCompatibleDC(NULL); if (!Context->BufferedContext) return; Context->BufferedBitmap = PhCreateDIBSection( Context->BufferedContext, PHBF_DIB, Context->BufferedContextRect.right, Context->BufferedContextRect.bottom, &Context->BufferedBits ); if (!Context->BufferedBitmap) return; Context->BufferedOldBitmap = SelectBitmap( Context->BufferedContext, Context->BufferedBitmap ); } static VOID PhpDeleteFadeOutContext( _In_ PPHP_GRAPH_CONTEXT Context ) { if (Context->FadeOutContext && Context->FadeOutOldBitmap) { SelectBitmap(Context->FadeOutContext, Context->FadeOutOldBitmap); Context->FadeOutOldBitmap = NULL; } if (Context->FadeOutBitmap) { DeleteBitmap(Context->FadeOutBitmap); Context->FadeOutBitmap = NULL; } if (Context->FadeOutContext) { DeleteDC(Context->FadeOutContext); Context->FadeOutContext = NULL; } Context->FadeOutBits = NULL; } static VOID PhpCreateFadeOutContext( _In_ PPHP_GRAPH_CONTEXT Context ) { ULONG i; ULONG j; ULONG height; COLORREF backColor; ULONG fadeOutWidth; FLOAT fadeOutWidthSquared; ULONG currentAlpha; ULONG currentColor; PhpDeleteFadeOutContext(Context); if (!PhGetClientRect(Context->Handle, &Context->FadeOutContextRect)) return; Context->FadeOutContextRect.right = Context->Options.FadeOutWidth; Context->FadeOutContext = CreateCompatibleDC(NULL); if (!Context->FadeOutContext) return; Context->FadeOutBitmap = PhCreateDIBSection( Context->FadeOutContext, PHBF_DIB, Context->FadeOutContextRect.right, Context->FadeOutContextRect.bottom, &Context->FadeOutBits ); if (!Context->FadeOutBitmap || !Context->FadeOutBits) return; Context->FadeOutOldBitmap = SelectBitmap(Context->FadeOutContext, Context->FadeOutBitmap); if (!Context->FadeOutOldBitmap) return; height = Context->FadeOutContextRect.bottom; backColor = Context->Options.FadeOutBackColor; fadeOutWidth = Context->Options.FadeOutWidth; fadeOutWidthSquared = (FLOAT)fadeOutWidth * fadeOutWidth; for (i = 0; i < fadeOutWidth; i++) { currentAlpha = 255 - (ULONG)((FLOAT)(i * i) / fadeOutWidthSquared * 255); currentColor = ((backColor & 0xff) * currentAlpha / 255) + ((((backColor >> 8) & 0xff) * currentAlpha / 255) << 8) + ((((backColor >> 16) & 0xff) * currentAlpha / 255) << 16) + (currentAlpha << 24); for (j = i; j < height * fadeOutWidth; j += fadeOutWidth) { ((PULONG)Context->FadeOutBits)[j] = currentColor; } } } VOID PhpUpdateDrawInfo( _In_ HWND hwnd, _In_ PPHP_GRAPH_CONTEXT Context ) { PH_GRAPH_GETDRAWINFO getDrawInfo; if (!(Context->BufferedContextRect.right && Context->BufferedContextRect.bottom)) return; Context->DrawInfo.Width = Context->BufferedContextRect.right; Context->DrawInfo.Height = Context->BufferedContextRect.bottom; memset(&getDrawInfo, 0, sizeof(PH_GRAPH_GETDRAWINFO)); getDrawInfo.Header.hwndFrom = hwnd; getDrawInfo.Header.idFrom = Context->Id; getDrawInfo.Header.code = GCN_GETDRAWINFO; getDrawInfo.DrawInfo = &Context->DrawInfo; if (Context->Callback) Context->Callback(hwnd, GCN_GETDRAWINFO, &getDrawInfo, NULL, Context->Context); else SendMessage(Context->ParentHandle, WM_NOTIFY, 0, (LPARAM)&getDrawInfo); } VOID PhpDrawGraphControl( _In_ HWND hwnd, _In_ PPHP_GRAPH_CONTEXT Context ) { if (Context->BufferedBits) PhDrawGraphDirect(Context->BufferedContext, Context->BufferedBits, &Context->DrawInfo); if (Context->Style & GC_STYLE_FADEOUT) { BLENDFUNCTION blendFunction; if (!Context->FadeOutContext) PhpCreateFadeOutContext(Context); blendFunction.BlendOp = AC_SRC_OVER; blendFunction.BlendFlags = 0; blendFunction.SourceConstantAlpha = 255; blendFunction.AlphaFormat = AC_SRC_ALPHA; if (Context->FadeOutContext) { GdiAlphaBlend( Context->BufferedContext, 0, 0, Context->Options.FadeOutWidth, Context->FadeOutContextRect.bottom, Context->FadeOutContext, 0, 0, Context->Options.FadeOutWidth, Context->FadeOutContextRect.bottom, blendFunction ); } } if (Context->Style & GC_STYLE_DRAW_PANEL) { PH_GRAPH_DRAWPANEL drawPanel; memset(&drawPanel, 0, sizeof(PH_GRAPH_DRAWPANEL)); drawPanel.Header.hwndFrom = hwnd; drawPanel.Header.idFrom = Context->Id; drawPanel.Header.code = GCN_DRAWPANEL; drawPanel.hdc = Context->BufferedContext; drawPanel.Rect = Context->BufferedContextRect; if (Context->Callback) Context->Callback(hwnd, GCN_DRAWPANEL, &drawPanel, NULL, Context->Context); else SendMessage(Context->ParentHandle, WM_NOTIFY, 0, (LPARAM)&drawPanel); } } LRESULT CALLBACK PhpGraphWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_GRAPH_CONTEXT context; if (uMsg == WM_NCCREATE) { context = PhCreateGraphContext(); PhSetWindowContextEx(hwnd, context); } else { context = PhGetWindowContextEx(hwnd); } switch (uMsg) { case WM_NCCREATE: { CREATESTRUCT *createStruct = (CREATESTRUCT *)lParam; context->Handle = hwnd; context->ParentHandle = createStruct->hwndParent; context->Style = createStruct->style; context->Id = (ULONG_PTR)createStruct->hMenu; if (createStruct->lpCreateParams) { PPH_GRAPH_CREATEPARAMS params = createStruct->lpCreateParams; if (RTL_CONTAINS_FIELD(params, params->Size, Options)) { if (params->Options.DefaultCursor || params->Options.FadeOutBackColor || params->Options.FadeOutWidth) { memcpy(&context->Options, ¶ms->Options, sizeof(PH_GRAPH_OPTIONS)); } } if (RTL_CONTAINS_FIELD(params, params->Size, Callback)) { if (params->Callback) { context->Callback = params->Callback; } } if (RTL_CONTAINS_FIELD(params, params->Size, Context)) { if (params->Context) { context->Context = params->Context; } } } PhSetWindowContextEx(hwnd, context); } break; case WM_NCDESTROY: { PhRemoveWindowContextEx(hwnd); if (context->TooltipHandle) DestroyWindow(context->TooltipHandle); PhpDeleteFadeOutContext(context); PhpDeleteBufferedContext(context); PhpFreeGraphContext(context); } break; case WM_STYLECHANGED: { STYLESTRUCT *styleStruct = (STYLESTRUCT *)lParam; if (wParam == GWL_STYLE) { context->Style = styleStruct->styleNew; context->NeedsDraw = TRUE; } if (wParam == GWL_EXSTYLE) { context->ExStyle = styleStruct->styleNew; context->NeedsDraw = TRUE; } } break; case WM_SIZE: { // Force a re-create of the buffered context. PhpDeleteBufferedContext(context); PhpCreateBufferedContext(context); PhpDeleteFadeOutContext(context); PhpUpdateDrawInfo(hwnd, context); context->NeedsDraw = TRUE; InvalidateRect(hwnd, NULL, FALSE); if (context->TooltipHandle) { TOOLINFO toolInfo; memset(&toolInfo, 0, sizeof(TOOLINFO)); toolInfo.cbSize = sizeof(TOOLINFO); toolInfo.hwnd = hwnd; toolInfo.uId = 1; if (PhGetClientRect(hwnd, &toolInfo.rect)) { SendMessage(context->TooltipHandle, TTM_NEWTOOLRECT, 0, (LPARAM)&toolInfo); } } } break; case WM_PAINT: { PAINTSTRUCT paintStruct; HDC hdc; if (hdc = BeginPaint(hwnd, &paintStruct)) { if (!context->BufferedContext) PhpCreateBufferedContext(context); if (context->NeedsUpdate) { PhpUpdateDrawInfo(hwnd, context); context->NeedsUpdate = FALSE; } if (context->NeedsDraw) { PhpDrawGraphControl(hwnd, context); context->NeedsDraw = FALSE; } BitBlt( hdc, paintStruct.rcPaint.left, paintStruct.rcPaint.top, paintStruct.rcPaint.right - paintStruct.rcPaint.left, paintStruct.rcPaint.bottom - paintStruct.rcPaint.top, context->BufferedContext, paintStruct.rcPaint.left, paintStruct.rcPaint.top, SRCCOPY ); EndPaint(hwnd, &paintStruct); } } return 0; case WM_ERASEBKGND: return 1; //case WM_NCPAINT: // { // HRGN updateRegion; // // updateRegion = (HRGN)wParam; // // if (updateRegion == HRGN_FULL) // updateRegion = NULL; // // // Themed border // if (context->Style & WS_BORDER) // { // HDC hdc; // ULONG flags; // RECT rect; // // // Note the use of undocumented flags below. GetDCEx doesn't work without these. // // flags = DCX_WINDOW | DCX_LOCKWINDOWUPDATE | 0x10000; // // if (updateRegion) // flags |= DCX_INTERSECTRGN | 0x40000; // // if (hdc = GetDCEx(hwnd, updateRegion, flags)) // { // GetClientRect(hwnd, &rect); // rect.right += 2; // rect.bottom += 2; // SetDCBrushColor(hdc, RGB(0x8f, 0x8f, 0x8f)); // FrameRect(hdc, &rect, PhGetStockBrush(DC_BRUSH)); // // ReleaseDC(hwnd, hdc); // return 0; // } // } // } // break; case WM_NOTIFY: { LPNMHDR header = (LPNMHDR)lParam; if (!context->TooltipHandle) break; if (header->hwndFrom == context->TooltipHandle) { switch (header->code) { case TTN_GETDISPINFO: { LPNMTTDISPINFO dispInfo = (LPNMTTDISPINFO)header; POINT point; RECT clientRect; PH_GRAPH_GETTOOLTIPTEXT getTooltipText; if (!PhGetClientPos(hwnd, &point)) break; if (!PhGetClientRect(hwnd, &clientRect)) break; memset(&getTooltipText, 0, sizeof(PH_GRAPH_GETTOOLTIPTEXT)); getTooltipText.Header.hwndFrom = hwnd; getTooltipText.Header.idFrom = context->Id; getTooltipText.Header.code = GCN_GETTOOLTIPTEXT; getTooltipText.Index = (clientRect.right - point.x - 1) / context->DrawInfo.Step; getTooltipText.TotalCount = context->DrawInfo.LineDataCount; getTooltipText.Text.Buffer = NULL; getTooltipText.Text.Length = 0; if (context->Callback) context->Callback(hwnd, GCN_GETTOOLTIPTEXT, &getTooltipText, NULL, context->Context); else SendMessage(context->ParentHandle, WM_NOTIFY, 0, (LPARAM)&getTooltipText); if (getTooltipText.Text.Buffer) { dispInfo->lpszText = getTooltipText.Text.Buffer; } } break; } } } break; case WM_SETCURSOR: { if (context->Options.DefaultCursor) { PhSetCursor(context->Options.DefaultCursor); return TRUE; } } break; case WM_MOUSEMOVE: { POINT cursorPos; cursorPos.x = GET_X_LPARAM(lParam); cursorPos.y = GET_Y_LPARAM(lParam); if (context->TooltipHandle) { MSG message; memset(&message, 0, sizeof(message)); message.hwnd = hwnd; message.message = uMsg; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } if (context->LastCursorLocation.x != cursorPos.x || context->LastCursorLocation.y != cursorPos.y) { if (context->TooltipHandle) SendMessage(context->TooltipHandle, TTM_UPDATE, 0, 0); context->LastCursorLocation = cursorPos; } if (!context->Hot) { TRACKMOUSEEVENT trackMouseEvent; context->Hot = TRUE; memset(&trackMouseEvent, 0, sizeof(TRACKMOUSEEVENT)); trackMouseEvent.cbSize = sizeof(TRACKMOUSEEVENT); trackMouseEvent.dwFlags = TME_LEAVE; trackMouseEvent.hwndTrack = hwnd; trackMouseEvent.dwHoverTime = 0; TrackMouseEvent(&trackMouseEvent); } } break; case WM_MOUSELEAVE: { context->Hot = FALSE; if (context->TooltipHandle) { SendMessage(context->TooltipHandle, TTM_POP, 0, 0); } } break; case WM_LBUTTONDOWN: case WM_LBUTTONUP: case WM_LBUTTONDBLCLK: case WM_RBUTTONDOWN: case WM_RBUTTONUP: case WM_RBUTTONDBLCLK: { PH_GRAPH_MOUSEEVENT mouseEvent; RECT clientRect; if (context->TooltipHandle) { MSG message; memset(&message, 0, sizeof(message)); message.hwnd = hwnd; message.message = uMsg; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } if (!PhGetClientRect(hwnd, &clientRect)) break; memset(&mouseEvent, 0, sizeof(PH_GRAPH_MOUSEEVENT)); mouseEvent.Header.hwndFrom = hwnd; mouseEvent.Header.idFrom = context->Id; mouseEvent.Header.code = GCN_MOUSEEVENT; mouseEvent.Message = uMsg; mouseEvent.Keys = (ULONG)wParam; mouseEvent.Point.x = GET_X_LPARAM(lParam); mouseEvent.Point.y = GET_Y_LPARAM(lParam); mouseEvent.Index = (clientRect.right - mouseEvent.Point.x - 1) / context->DrawInfo.Step; mouseEvent.TotalCount = context->DrawInfo.LineDataCount; if (context->Callback) context->Callback(hwnd, GCN_MOUSEEVENT, &mouseEvent, NULL, context->Context); else SendMessage(context->ParentHandle, WM_NOTIFY, 0, (LPARAM)&mouseEvent); } break; case WM_MBUTTONDOWN: case WM_MBUTTONUP: { if (context->TooltipHandle) { MSG message; memset(&message, 0, sizeof(message)); message.hwnd = hwnd; message.message = uMsg; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } } break; case GCM_GETDRAWINFO: { PPH_GRAPH_DRAW_INFO drawInfo = (PPH_GRAPH_DRAW_INFO)lParam; memcpy(drawInfo, &context->DrawInfo, sizeof(PH_GRAPH_DRAW_INFO)); } return TRUE; case GCM_SETDRAWINFO: { PPH_GRAPH_DRAW_INFO drawInfo = (PPH_GRAPH_DRAW_INFO)lParam; ULONG width; ULONG height; width = context->DrawInfo.Width; height = context->DrawInfo.Height; memcpy(&context->DrawInfo, drawInfo, sizeof(PH_GRAPH_DRAW_INFO)); context->DrawInfo.Width = width; context->DrawInfo.Height = height; } return TRUE; case GCM_DRAW: { PhpUpdateDrawInfo(hwnd, context); context->NeedsDraw = TRUE; } return TRUE; case GCM_MOVEGRID: { LONG increment = (LONG)wParam; context->DrawInfo.GridXOffset += increment; } return TRUE; case GCM_GETBUFFEREDCONTEXT: return (LRESULT)context->BufferedContext; case GCM_SETTOOLTIP: { if (wParam) { TOOLINFO toolInfo; context->TooltipHandle = PhCreateWindowEx( TOOLTIPS_CLASS, NULL, WS_POPUP | TTS_NOPREFIX | TTS_NOANIMATE | TTS_NOFADE | TTS_ALWAYSTIP, WS_EX_TOPMOST | WS_EX_TRANSPARENT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, NULL, NULL ); SetWindowPos(context->TooltipHandle, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE | SWP_NOACTIVATE | SWP_NOREDRAW); memset(&toolInfo, 0, sizeof(TOOLINFO)); toolInfo.cbSize = sizeof(TOOLINFO); toolInfo.uFlags = 0; toolInfo.hwnd = hwnd; toolInfo.uId = 1; toolInfo.lpszText = LPSTR_TEXTCALLBACK; SendMessage(context->TooltipHandle, TTM_ADDTOOL, 0, (LPARAM)&toolInfo); SendMessage(context->TooltipHandle, TTM_SETDELAYTIME, TTDT_INITIAL, 0); SendMessage(context->TooltipHandle, TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); // Allow newlines (-1 doesn't work) SendMessage(context->TooltipHandle, TTM_SETMAXTIPWIDTH, 0, MAXSHORT); if (PhEnableThemeSupport) { PhSetControlTheme(context->TooltipHandle, L"DarkMode_Explorer"); //SendMessage(context->TooltipHandle, TTM_SETWINDOWTHEME, 0, (LPARAM)L"DarkMode_Explorer"); } } else { if (context->TooltipHandle) { DestroyWindow(context->TooltipHandle); context->TooltipHandle = NULL; } } } return TRUE; case GCM_UPDATETOOLTIP: { if (!context->TooltipHandle) return FALSE; SendMessage(context->TooltipHandle, TTM_UPDATE, 0, 0); } return TRUE; case GCM_GETOPTIONS: memcpy((PPH_GRAPH_OPTIONS)lParam, &context->Options, sizeof(PH_GRAPH_OPTIONS)); return TRUE; case GCM_SETOPTIONS: memcpy(&context->Options, (PPH_GRAPH_OPTIONS)lParam, sizeof(PH_GRAPH_OPTIONS)); PhpDeleteFadeOutContext(context); return TRUE; case GCM_UPDATE: { #define INCREMENT_OFFSET 1 // GCM_MOVEGRID context->DrawInfo.GridXOffset += INCREMENT_OFFSET; // GCM_DRAW PhpUpdateDrawInfo(hwnd, context); context->NeedsDraw = TRUE; // GCM_UPDATETOOLTIP if (context->TooltipHandle) { SendMessage(context->TooltipHandle, TTM_UPDATE, 0, 0); } InvalidateRect(hwnd, NULL, FALSE); } return TRUE; case GCM_SETCALLBACK: { context->Callback = (PVOID)wParam; context->Context = (PVOID)lParam; } return TRUE; } return DefWindowProc(hwnd, uMsg, wParam, lParam); } /** * Initializes a graph buffer management structure. * * \param Buffers The buffer management structure. */ VOID PhInitializeGraphBuffers( _Out_ PPH_GRAPH_BUFFERS Buffers ) { Buffers->AllocatedCount = 0; Buffers->Data1 = NULL; Buffers->Data2 = NULL; Buffers->Valid = FALSE; } /** * Frees resources used by a graph buffer management structure. * * \param Buffers The buffer management structure. */ VOID PhDeleteGraphBuffers( _Inout_ PPH_GRAPH_BUFFERS Buffers ) { if (Buffers->Data1) PhFree(Buffers->Data1); if (Buffers->Data2) PhFree(Buffers->Data2); Buffers->AllocatedCount = 0; Buffers->Data1 = NULL; Buffers->Data2 = NULL; Buffers->Valid = FALSE; } /** * Sets up a graphing information structure with information from a graph buffer management * structure. * * \param Buffers The buffer management structure. * \param DrawInfo The graphing information structure. * \param DataCount The number of data points currently required. The buffers are resized if needed. */ VOID PhGetDrawInfoGraphBuffers( _Inout_ PPH_GRAPH_BUFFERS Buffers, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataCount ) { DrawInfo->LineDataCount = min(DataCount, PH_GRAPH_DATA_COUNT(DrawInfo->Width, DrawInfo->Step)); // Do we need to allocate or re-allocate the data buffers? if (Buffers->AllocatedCount < DrawInfo->LineDataCount) { if (Buffers->Data1) PhFree(Buffers->Data1); if ((DrawInfo->Flags & PH_GRAPH_USE_LINE_2) && Buffers->Data2) PhFree(Buffers->Data2); Buffers->AllocatedCount *= 2; if (Buffers->AllocatedCount < DrawInfo->LineDataCount) Buffers->AllocatedCount = DrawInfo->LineDataCount; Buffers->Data1 = PhAllocate(Buffers->AllocatedCount * sizeof(FLOAT)); if (DrawInfo->Flags & PH_GRAPH_USE_LINE_2) { Buffers->Data2 = PhAllocate(Buffers->AllocatedCount * sizeof(FLOAT)); } Buffers->Valid = FALSE; } DrawInfo->LineData1 = Buffers->Data1; DrawInfo->LineData2 = Buffers->Data2; } VOID PhInitializeGraphState( _Out_ PPH_GRAPH_STATE State ) { PhInitializeGraphBuffers(&State->Buffers); State->Text = NULL; State->TooltipText = NULL; State->TooltipIndex = ULONG_MAX; State->TextLine2 = NULL; } VOID PhDeleteGraphState( _Inout_ PPH_GRAPH_STATE State ) { PhDeleteGraphBuffers(&State->Buffers); if (State->Text) PhDereferenceObject(State->Text); if (State->TooltipText) PhDereferenceObject(State->TooltipText); if (State->TextLine2) PhDereferenceObject(State->TextLine2); } VOID PhGraphStateGetDrawInfo( _Inout_ PPH_GRAPH_STATE State, _In_ PPH_GRAPH_GETDRAWINFO GetDrawInfo, _In_ ULONG DataCount ) { PhGetDrawInfoGraphBuffers(&State->Buffers, GetDrawInfo->DrawInfo, DataCount); } ================================================ FILE: phlib/guisup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #include #include _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpWindowContextHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpWindowContextHashtableHashFunction( _In_ PVOID Entry ); _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhpWindowCallbackHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhpWindowCallbackHashtableHashFunction( _In_ PVOID Entry ); VOID NTAPI PhWindowFlsCallback( _In_ PVOID FlsData ); typedef struct _PH_WINDOW_PROPERTY_CONTEXT { ULONG PropertyHash; HWND WindowHandle; PVOID Context; } PH_WINDOW_PROPERTY_CONTEXT, *PPH_WINDOW_PROPERTY_CONTEXT; HFONT PhApplicationFont = NULL; HFONT PhTreeWindowFont = NULL; HFONT PhMonospaceFont = NULL; LONG PhFontQuality = 0; LONG PhSystemDpi = USER_DEFAULT_SCREEN_DPI; PH_INTEGER_PAIR PhSmallIconSize = { 16, 16 }; PH_INTEGER_PAIR PhLargeIconSize = { 32, 32 }; static PH_INITONCE SharedIconCacheInitOnce = PH_INITONCE_INIT; static PPH_HASHTABLE SharedIconCacheHashtable; static PH_QUEUED_LOCK SharedIconCacheLock = PH_QUEUED_LOCK_INIT; static PPH_HASHTABLE WindowCallbackHashTable = NULL; static PH_QUEUED_LOCK WindowCallbackListLock = PH_QUEUED_LOCK_INIT; static ULONG WindowCallbackFlsIndex = FLS_OUT_OF_INDEXES; static typeof(&OpenThemeDataForDpi) OpenThemeDataForDpi_I = NULL; static typeof(&OpenThemeData) OpenThemeData_I = NULL; static typeof(&CloseThemeData) CloseThemeData_I = NULL; static typeof(&SetWindowTheme) SetWindowTheme_I = NULL; static typeof(&IsThemeActive) IsThemeActive_I = NULL; static typeof(&IsAppThemed) IsAppThemed_I = NULL; static typeof(&IsThemePartDefined) IsThemePartDefined_I = NULL; static _GetThemeClass GetThemeClass_I = NULL; static typeof(&GetThemeColor) GetThemeColor_I = NULL; static typeof(&GetThemeInt) GetThemeInt_I = NULL; static typeof(&GetThemePartSize) GetThemePartSize_I = NULL; static typeof(&GetThemeMargins) GetThemeMargins_I = NULL; static typeof(&DrawThemeBackground) DrawThemeBackground_I = NULL; static _AllowDarkModeForWindow AllowDarkModeForWindow_I = NULL; // Win10-RS5 (uxtheme.dll ordinal 133) static _IsDarkModeAllowedForWindow IsDarkModeAllowedForWindow_I = NULL; // Win10-RS5 (uxtheme.dll ordinal 137) static typeof(&GetDpiForMonitor) GetDpiForMonitor_I = NULL; // win81+ static typeof(&GetDpiForWindow) GetDpiForWindow_I = NULL; // win10rs1+ static typeof(&GetDpiForSystem) GetDpiForSystem_I = NULL; // win10rs1+ //static _GetDpiForSession GetDpiForSession_I = NULL; // ordinal 2713 static typeof(&GetSystemMetricsForDpi) GetSystemMetricsForDpi_I = NULL; static typeof(&SystemParametersInfoForDpi) SystemParametersInfoForDpi_I = NULL; static _CreateMRUList CreateMRUList_I = NULL; static _AddMRUString AddMRUString_I = NULL; static _EnumMRUList EnumMRUList_I = NULL; static _FreeMRUList FreeMRUList_I = NULL; /** * Initializes the GUI support layer used by the support library. * * Loads optional GUI-related DLLs (uxtheme, shcore, user32 variants) and * resolves optional function pointers used for theme/DPI operations. * Also initializes internal structures such as the WindowCallback FLS slot * and the shared icon cache. */ VOID PhGuiSupportInitialization( VOID ) { PVOID baseAddress; WindowCallbackFlsIndex = FlsAlloc(PhWindowFlsCallback); WindowCallbackHashTable = PhCreateHashtable( sizeof(PH_PLUGIN_WINDOW_CALLBACK_REGISTRATION), PhpWindowCallbackHashtableEqualFunction, PhpWindowCallbackHashtableHashFunction, 10 ); if (baseAddress = PhLoadLibrary(L"uxtheme.dll")) { OpenThemeDataForDpi_I = PhGetDllBaseProcedureAddress(baseAddress, "OpenThemeDataForDpi", 0); OpenThemeData_I = PhGetDllBaseProcedureAddress(baseAddress, "OpenThemeData", 0); CloseThemeData_I = PhGetDllBaseProcedureAddress(baseAddress, "CloseThemeData", 0); SetWindowTheme_I = PhGetDllBaseProcedureAddress(baseAddress, "SetWindowTheme", 0); IsThemeActive_I = PhGetDllBaseProcedureAddress(baseAddress, "IsThemeActive", 0); IsAppThemed_I = PhGetDllBaseProcedureAddress(baseAddress, "IsAppThemed", 0); IsThemePartDefined_I = PhGetDllBaseProcedureAddress(baseAddress, "IsThemePartDefined", 0); GetThemeColor_I = PhGetDllBaseProcedureAddress(baseAddress, "GetThemeColor", 0); GetThemeInt_I = PhGetDllBaseProcedureAddress(baseAddress, "GetThemeInt", 0); GetThemePartSize_I = PhGetDllBaseProcedureAddress(baseAddress, "GetThemePartSize", 0); GetThemeMargins_I = PhGetDllBaseProcedureAddress(baseAddress, "GetThemeMargins", 0); DrawThemeBackground_I = PhGetDllBaseProcedureAddress(baseAddress, "DrawThemeBackground", 0); if (WindowsVersion >= WINDOWS_11) { GetThemeClass_I = PhGetDllBaseProcedureAddress(baseAddress, NULL, 74); } if (WindowsVersion >= WINDOWS_10_RS5) { AllowDarkModeForWindow_I = PhGetDllBaseProcedureAddress(baseAddress, NULL, 133); IsDarkModeAllowedForWindow_I = PhGetDllBaseProcedureAddress(baseAddress, NULL, 137); } } if (WindowsVersion >= WINDOWS_8_1) { if (baseAddress = PhLoadLibrary(L"shcore.dll")) { GetDpiForMonitor_I = PhGetDllBaseProcedureAddress(baseAddress, "GetDpiForMonitor", 0); } } if (WindowsVersion >= WINDOWS_10_RS1) { if (baseAddress = PhLoadLibrary(L"user32.dll")) { GetDpiForWindow_I = PhGetDllBaseProcedureAddress(baseAddress, "GetDpiForWindow", 0); GetDpiForSystem_I = PhGetDllBaseProcedureAddress(baseAddress, "GetDpiForSystem", 0); GetSystemMetricsForDpi_I = PhGetDllBaseProcedureAddress(baseAddress, "GetSystemMetricsForDpi", 0); SystemParametersInfoForDpi_I = PhGetDllBaseProcedureAddress(baseAddress, "SystemParametersInfoForDpi", 0); } } PhGuiSupportUpdateSystemMetrics(NULL, 0); } /** * Updates system metrics cached by the GUI support layer. * * \param WindowHandle Optional window handle used to determine DPI for metrics update. * \param WindowDpi Optional DPI override; if non-zero it is used instead of querying the window/system DPI. */ VOID PhGuiSupportUpdateSystemMetrics( _In_opt_ HWND WindowHandle, _In_opt_ LONG WindowDpi ) { PhSystemDpi = WindowDpi ? WindowDpi : (WindowHandle ? PhGetWindowDpi(WindowHandle) : PhGetSystemDpi()); PhSmallIconSize.X = PhGetSystemMetrics(SM_CXSMICON, PhSystemDpi); PhSmallIconSize.Y = PhGetSystemMetrics(SM_CYSMICON, PhSystemDpi); PhLargeIconSize.X = PhGetSystemMetrics(SM_CXICON, PhSystemDpi); PhLargeIconSize.Y = PhGetSystemMetrics(SM_CYICON, PhSystemDpi); } /** * Maps a font quality setting to the corresponding GDI constant. * * \param FontQuality The font quality setting (0-6). * \return The corresponding GDI font quality constant. */ LONG PhGetFontQualitySetting( _In_ LONG FontQuality ) { switch (FontQuality) { case 0: return DEFAULT_QUALITY; case 1: return DRAFT_QUALITY; case 2: return PROOF_QUALITY; case 3: return NONANTIALIASED_QUALITY; case 4: return ANTIALIASED_QUALITY; case 5: return CLEARTYPE_QUALITY; case 6: return CLEARTYPE_NATURAL_QUALITY; } return DEFAULT_QUALITY; } /** * Creates a font with specified properties. * * \param Name Optional pointer to the font name (typeface). * \param Size The desired font size in points. * \param Weight The font weight (e.g., FW_NORMAL, FW_BOLD). * \param PitchAndFamily The pitch and family of the font. * \param Dpi The dots per inch (DPI) value for scaling. * \return Handle to the created font, or NULL if creation fails. */ HFONT PhCreateFont( _In_opt_ PCWSTR Name, _In_ LONG Size, _In_ LONG Weight, _In_ LONG PitchAndFamily, _In_ LONG Dpi ) { return CreateFont( -(LONG)PhMultiplyDivide(Size, Dpi, 72), 0, 0, 0, Weight, FALSE, FALSE, FALSE, ANSI_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, PhFontQuality, PitchAndFamily, Name ); } /** * Creates a common font with the specified size and weight. * * \param Size The font size in logical units. * \param Weight The font weight (e.g., FW_NORMAL, FW_BOLD). * \param WindowHandle Optional handle to a window for DPI awareness. If NULL, uses system DPI. * \param WindowDpi The DPI of the target window for scaling calculations. * \return A handle to the created font object, or NULL if the operation fails. */ HFONT PhCreateCommonFont( _In_ LONG Size, _In_ LONG Weight, _In_opt_ HWND WindowHandle, _In_ LONG WindowDpi ) { HFONT fontHandle; LOGFONT logFont; if (!PhGetSystemParametersInfo(SPI_GETICONTITLELOGFONT, sizeof(LOGFONT), &logFont, WindowDpi)) return NULL; fontHandle = CreateFont( -PhMultiplyDivideSigned(Size, WindowDpi, 72), 0, 0, 0, Weight, FALSE, FALSE, FALSE, ANSI_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, PhFontQuality, DEFAULT_PITCH, logFont.lfFaceName ); if (!fontHandle) return NULL; if (WindowHandle) { SetWindowFont(WindowHandle, fontHandle, TRUE); } return fontHandle; } HFONT PhCreateIconTitleFont( _In_opt_ LONG WindowDpi ) { LOGFONT logFont; if (PhGetSystemParametersInfo(SPI_GETICONTITLELOGFONT, sizeof(LOGFONT), &logFont, WindowDpi)) { logFont.lfQuality = (UCHAR)PhFontQuality; return CreateFontIndirect(&logFont); } return NULL; } HFONT PhCreateMessageFont( _In_opt_ LONG WindowDpi ) { NONCLIENTMETRICS metrics = { sizeof(metrics) }; if (PhGetSystemParametersInfo(SPI_GETNONCLIENTMETRICS, sizeof(metrics), &metrics, WindowDpi)) { metrics.lfMessageFont.lfQuality = (UCHAR)PhFontQuality; return CreateFontIndirect(&metrics.lfMessageFont); } return NULL; } HFONT PhDuplicateFont( _In_ HFONT Font ) { LOGFONT logFont; if (GetObject(Font, sizeof(LOGFONT), &logFont)) { logFont.lfQuality = (UCHAR)PhFontQuality; return CreateFontIndirect(&logFont); } return NULL; } HFONT PhDuplicateFontWithNewWeight( _In_ HFONT Font, _In_ LONG NewWeight ) { LOGFONT logFont; if (GetObject(Font, sizeof(LOGFONT), &logFont)) { logFont.lfWeight = NewWeight; logFont.lfQuality = (UCHAR)PhFontQuality; return CreateFontIndirect(&logFont); } return NULL; } HFONT PhDuplicateFontWithNewHeight( _In_ HFONT Font, _In_ LONG NewHeight, _In_ LONG dpiValue ) { LOGFONT logFont; if (GetObject(Font, sizeof(LOGFONT), &logFont)) { logFont.lfHeight = PhGetDpi(NewHeight, dpiValue); logFont.lfQuality = (UCHAR)PhFontQuality; return CreateFontIndirect(&logFont); } return NULL; } HFONT PhInitializeFont( _In_ LONG WindowDpi ) { HFONT fontHandle; if (fontHandle = PhCreateFont(L"Microsoft Sans Serif", 8, FW_NORMAL, DEFAULT_PITCH, WindowDpi)) return fontHandle; if (fontHandle = PhCreateFont(L"Tahoma", 8, FW_NORMAL, DEFAULT_PITCH, WindowDpi)) return fontHandle; if (fontHandle = PhCreateMessageFont(WindowDpi)) return fontHandle; return GetStockFont(DEFAULT_GUI_FONT); } HFONT PhInitializeMonospaceFont( _In_ LONG WindowDpi ) { HFONT fontHandle; if (fontHandle = PhCreateFont(L"Lucida Console", 9, FW_DONTCARE, FF_MODERN, WindowDpi)) return fontHandle; if (fontHandle = PhCreateFont(L"Courier New", 9, FW_DONTCARE, FF_MODERN, WindowDpi)) return fontHandle; if (fontHandle = PhCreateFont(NULL, 9, FW_DONTCARE, FF_MODERN, WindowDpi)) return fontHandle; //{ // NONCLIENTMETRICS metrics; // // memset(&metrics, 0, sizeof(NONCLIENTMETRICS)); // metrics.cbSize = sizeof(NONCLIENTMETRICS); // // if (PhGetSystemParametersInfo(SPI_GETNONCLIENTMETRICS, sizeof(NONCLIENTMETRICS), &metrics, WindowDpi)) // { // return CreateFontIndirect(&metrics.lfMessageFont); // } //} LOGFONT logFont; fontHandle = GetStockFont(SYSTEM_FIXED_FONT); if (GetObject(fontHandle, sizeof(LOGFONT), &logFont)) { logFont.lfWeight = -(LONG)PhMultiplyDivide(logFont.lfWeight, WindowDpi, 72); return CreateFontIndirect(&logFont); } return fontHandle; } /** * The PhGetDC function retrieves a handle to a device context (DC). * \return The handle to the requested stock object. */ HDC PhGetDC( _In_opt_ HWND WindowHandle ) { return GetDC(WindowHandle); } /** * Releases a device context previously obtained via PhGetDC. * * \param WindowHandle The window handle associated with the DC; may be NULL to indicate the desktop. * \param Hdc The HDC to release. After this call the handle is no longer valid for the caller. */ VOID PhReleaseDC( _In_opt_ HWND WindowHandle, _In_ _Frees_ptr_ HDC Hdc ) { ReleaseDC(WindowHandle, Hdc); } /** * The PhGetStockBrush function retrieves a handle to one of the stock pens, brushes, fonts, or palettes. * * \param Index The type of stock object. * \return The handle to the requested stock object. */ HGDIOBJ PhGetStockObject( _In_ LONG Index ) { return GetStockObject(Index); } /** * Opens the theme data for the specified window handle, class list, and window DPI. * * \param WindowHandle The handle to the window for which to open the theme data. Can be NULL. * \param ClassList The class list of the theme to open. * \param WindowDpi The DPI of the window. * \return The handle to the opened theme data, or NULL if the theme data could not be opened. */ HTHEME PhOpenThemeData( _In_opt_ HWND WindowHandle, _In_ PCWSTR ClassList, _In_ LONG WindowDpi ) { if (OpenThemeDataForDpi_I && WindowDpi) { return OpenThemeDataForDpi_I(WindowHandle, ClassList, WindowDpi); } if (OpenThemeData_I) { return OpenThemeData_I(WindowHandle, ClassList); } return NULL; } /** * Closes theme data opened with PhOpenThemeData. * * \param ThemeHandle Theme handle previously returned by PhOpenThemeData. */ VOID PhCloseThemeData( _In_ HTHEME ThemeHandle ) { if (CloseThemeData_I) { CloseThemeData_I(ThemeHandle); } } /** * Applies a theme class to a control (wrapper around SetWindowTheme). * * \param Handle Handle to the control window. * \param Theme Optional class list string to apply, or NULL to remove theme. */ VOID PhSetControlTheme( _In_ HWND Handle, _In_opt_ PCWSTR Theme ) { if (SetWindowTheme_I) { SetWindowTheme_I(Handle, Theme, NULL); } } /** * Queries whether visual themes are active on the system. * * \return TRUE if themes are active, otherwise FALSE. */ BOOLEAN PhIsThemeActive( VOID ) { if (!IsThemeActive_I) return FALSE; return !!IsThemeActive_I(); } BOOLEAN PhIsAppThemed( VOID ) { if (!IsAppThemed_I) return FALSE; return !!IsAppThemed_I(); } /** * Determines whether a theme part/state is defined for the given theme data. * * \param ThemeHandle Theme handle returned by PhOpenThemeData. * \param PartId Part identifier. * \param StateId State identifier. * \return TRUE if the part/state is defined, otherwise FALSE. */ BOOLEAN PhIsThemePartDefined( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId ) { if (!IsThemePartDefined_I) return FALSE; return !!IsThemePartDefined_I(ThemeHandle, PartId, StateId); } /** * Retrieves the class name associated with theme data. * * \param ThemeHandle Theme handle. * \param Class Buffer that receives the class name (null-terminated). * \param ClassLength Length of the Class buffer in characters. * \return TRUE on success, FALSE on failure or if API not present. */ _Success_(return) BOOLEAN PhGetThemeClass( _In_ HTHEME ThemeHandle, _Out_writes_z_(ClassLength) PWSTR Class, _In_ ULONG ClassLength ) { if (!GetThemeClass_I) return FALSE; return SUCCEEDED(GetThemeClass_I(ThemeHandle, Class, ClassLength)); } /** * Retrieves a color value from theme data. * * \param ThemeHandle Theme handle. * \param PartId Part identifier. * \param StateId State identifier. * \param PropId Property identifier to query. * \param Color Receives the COLORREF value on success. * \return TRUE on success, FALSE on failure or if API not present. */ _Success_(return) BOOLEAN PhGetThemeColor( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId, _In_ LONG PropId, _Out_ COLORREF* Color ) { if (!GetThemeColor_I) return FALSE; return SUCCEEDED(GetThemeColor_I(ThemeHandle, PartId, StateId, PropId, Color)); } /** * Retrieves an integer property from theme data. * * \param ThemeHandle Theme handle. * \param PartId Part identifier. * \param StateId State identifier. * \param PropId Property identifier to query. * \param Value Receives the integer value on success. * \return TRUE on success, FALSE on failure or if API not present. */ _Success_(return) BOOLEAN PhGetThemeInt( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId, _In_ LONG PropId, _Out_ PLONG Value ) { if (!GetThemeInt_I) return FALSE; return SUCCEEDED(GetThemeInt_I(ThemeHandle, PartId, StateId, PropId, (PLONG)Value)); } /** * Retrieves the size of a theme part. * * \param ThemeHandle Theme handle. * \param hdc Optional device context for size calculation. * \param PartId Part identifier. * \param StateId State identifier. * \param Rect Optional bounding rect used by some parts. * \param Flags THEMEPARTSIZE selector (min/actual/true). * \param Size Receives the part size on success. * \return TRUE on success, FALSE on failure or if API not present. */ _Success_(return) BOOLEAN PhGetThemePartSize( _In_ HTHEME ThemeHandle, _In_opt_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_opt_ LPCRECT Rect, _In_ THEMEPARTSIZE Flags, _Out_ PSIZE Size ) { if (!GetThemePartSize_I) return FALSE; return SUCCEEDED(GetThemePartSize_I(ThemeHandle, hdc, PartId, StateId, Rect, (enum THEMESIZE)Flags, Size)); } /** * Retrieves theme margins for a part/property. * * \param ThemeHandle Theme handle. * \param hdc Optional device context. * \param PartId Part identifier. * \param StateId State identifier. * \param PropId Margin property identifier. * \param Rect Optional bounding rect used by some margin queries. * \param Margins Receives the THEMEMARGINS on success. * \return TRUE on success, FALSE on failure or if API not present. */ _Success_(return) BOOLEAN PhGetThemeMargins( _In_ HTHEME ThemeHandle, _In_opt_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_ LONG PropId, _In_opt_ LPCRECT Rect, _Out_ PTHEMEMARGINS Margins ) { if (!GetThemeMargins_I) return FALSE; return SUCCEEDED(GetThemeMargins_I(ThemeHandle, hdc, PartId, StateId, PropId, Rect, (PMARGINS)Margins)); } /** * Draws a themed background for a part/state into the specified DC. * * \param ThemeHandle Theme handle. * \param hdc Destination device context. * \param PartId Part identifier. * \param StateId State identifier. * \param Rect Destination rectangle. * \param ClipRect Optional clip rectangle. * \return TRUE on success, FALSE on failure or if API not present. */ BOOLEAN PhDrawThemeBackground( _In_ HTHEME ThemeHandle, _In_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_ LPCRECT Rect, _In_opt_ LPCRECT ClipRect ) { if (!DrawThemeBackground_I) return FALSE; return SUCCEEDED(DrawThemeBackground_I(ThemeHandle, hdc, PartId, StateId, Rect, ClipRect)); } /** * Draws themed text for a part/state. * * \param ThemeHandle Theme handle. * \param hdc Destination device context. * \param PartId Part identifier. * \param StateId State identifier. * \param Text Pointer to the text buffer. * \param cchText Number of characters in Text. * \param TextFlags Text drawing flags for DrawThemeText. * \param Rect Destination rectangle. * \return TRUE on success, FALSE on failure or if API not present. */ BOOLEAN PhDrawThemeText( _In_ HTHEME ThemeHandle, _In_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_reads_(cchText) PCWSTR Text, _In_ LONG cchText, _In_ ULONG TextFlags, _In_ LPCRECT Rect ) { static typeof(&DrawThemeText) DrawThemeText_I = NULL; if (!DrawThemeText_I) DrawThemeText_I = PhGetModuleProcAddress(L"uxtheme.dll", "DrawThemeText"); if (!DrawThemeText_I) return FALSE; return HR_SUCCESS(DrawThemeText_I(ThemeHandle, hdc, PartId, StateId, Text, cchText, TextFlags, 0, Rect)); } /** * Draws themed text for a part/state with extended options (DrawThemeTextEx). * * \param ThemeHandle Theme handle. * \param hdc Destination device context. * \param PartId Part identifier. * \param StateId State identifier. * \param Text Pointer to the text buffer. * \param cchText Number of characters in Text. * \param TextFlags Text drawing flags. * \param Rect In/out destination rectangle; may be modified by the call. * \param Options Optional pointer to DTTOPTS structure. * \return TRUE on success, FALSE on failure or if API not present. */ BOOLEAN PhDrawThemeTextEx( _In_ HTHEME ThemeHandle, _In_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_reads_(cchText) PCWSTR Text, _In_ LONG cchText, _In_ ULONG TextFlags, _Inout_ LPRECT Rect, _In_opt_ const PVOID Options // DTTOPTS* ) { static typeof(&DrawThemeTextEx) DrawThemeTextEx_I = NULL; if (!DrawThemeTextEx_I) DrawThemeTextEx_I = PhGetModuleProcAddress(L"uxtheme.dll", "DrawThemeTextEx"); if (!DrawThemeTextEx_I) return FALSE; return HR_SUCCESS(DrawThemeTextEx_I(ThemeHandle, hdc, PartId, StateId, Text, cchText, TextFlags, Rect, Options)); } /** * Tests whether a theme background is partially transparent for a given part/state. * * \param ThemeHandle Theme handle. * \param PartId Part identifier. * \param StateId State identifier. * \return TRUE if the theme background is partially transparent, otherwise FALSE. */ BOOLEAN PhIsThemeBackgroundPartiallyTransparent( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId ) { static typeof(&IsThemeBackgroundPartiallyTransparent) IsThemeBackgroundPartiallyTransparent_I = NULL; if (!IsThemeBackgroundPartiallyTransparent_I) IsThemeBackgroundPartiallyTransparent_I = PhGetModuleProcAddress(L"uxtheme.dll", "IsThemeBackgroundPartiallyTransparent"); if (!IsThemeBackgroundPartiallyTransparent_I) return FALSE; return !!IsThemeBackgroundPartiallyTransparent_I(ThemeHandle, PartId, StateId); } /** * Draws the parent background for a window using theme APIs. * * \param WindowHandle Window handle whose parent background will be drawn. * \param Hdc Destination device context. * \param Rect Optional rectangle within the window to draw. * \return TRUE on success, FALSE on failure or if API not present. */ BOOLEAN PhDrawThemeParentBackground( _In_ HWND WindowHandle, _In_ HDC Hdc, _In_opt_ const PRECT Rect ) { static typeof(&DrawThemeParentBackground) DrawThemeParentBackground_I = NULL; if (!DrawThemeParentBackground_I) DrawThemeParentBackground_I = PhGetModuleProcAddress(L"uxtheme.dll", "DrawThemeParentBackground"); if (!DrawThemeParentBackground_I) return FALSE; return HR_SUCCESS(DrawThemeParentBackground_I(WindowHandle, Hdc, Rect)); } /** * Enables or disables dark mode for a window (when supported). * * \param WindowHandle Handle of the window. * \param Enabled TRUE to enable dark mode, FALSE to disable. * \return TRUE on success, FALSE if API not present or call failed. */ BOOLEAN PhAllowDarkModeForWindow( _In_ HWND WindowHandle, _In_ BOOL Enabled ) { if (!AllowDarkModeForWindow_I) return FALSE; return !!AllowDarkModeForWindow_I(WindowHandle, Enabled); } /** * Queries whether dark mode is allowed for a given window. * * \param WindowHandle Handle of the window to test. * \return TRUE if dark mode is allowed, otherwise FALSE. */ BOOLEAN PhIsDarkModeAllowedForWindow( _In_ HWND WindowHandle ) { if (!IsDarkModeAllowedForWindow_I) return FALSE; return !!IsDarkModeAllowedForWindow_I(WindowHandle); } // rev from EtwRundown.dll!EtwpLogDPISettingsInfo (dmex) //LONG PhGetUserOrMachineDpi( // VOID // ) //{ // static PH_STRINGREF machineKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Hardware Profiles\\Current\\Software\\Fonts"); // static PH_STRINGREF userKeyName = PH_STRINGREF_INIT(L"Control Panel\\Desktop"); // HANDLE keyHandle; // LONG dpi = 0; // // if (NT_SUCCESS(PhOpenKey(&keyHandle, KEY_QUERY_VALUE, PH_KEY_USERS, &userKeyName, 0))) // { // dpi = PhQueryRegistryUlongZ(keyHandle, L"LogPixels"); // NtClose(keyHandle); // } // // if (dpi == 0) // { // if (NT_SUCCESS(PhOpenKey(&keyHandle, KEY_QUERY_VALUE, PH_KEY_LOCAL_MACHINE, &machineKeyName, 0))) // { // dpi = PhQueryRegistryUlongZ(keyHandle, L"LogPixels"); // NtClose(keyHandle); // } // } // // return dpi; //} /** * Retrieves the client rectangle adjusted for scroll range/position. * * \param WindowHandle The window whose client rectangle is queried. * \param ClientRect Receives the adjusted client rectangle. * \return TRUE on success, FALSE on failure or empty client rect. */ BOOLEAN PhGetClientRectOffsetScroll( _In_ HWND WindowHandle, _Out_ PRECT ClientRect ) { LONG scrollRangeMax; LONG scrollRangeMin; LONG scrollPosition; if (!PhGetClientRect(WindowHandle, ClientRect)) return FALSE; if (!(ClientRect->right && ClientRect->bottom)) return FALSE; ULONG windowStyle = PhGetWindowStyle(WindowHandle); if (FlagOn(windowStyle, WS_HSCROLL)) { if (GetScrollRange(WindowHandle, SB_HORZ, &scrollRangeMin, &scrollRangeMax)) { scrollPosition = GetScrollPos(WindowHandle, SB_HORZ); ClientRect->right = ClientRect->left + scrollRangeMax; PhOffsetRect(ClientRect, -scrollPosition, 0); } } if (FlagOn(windowStyle, WS_VSCROLL)) { if (GetScrollRange(WindowHandle, SB_VERT, &scrollRangeMin, &scrollRangeMax)) { scrollPosition = GetScrollPos(WindowHandle, SB_VERT); ClientRect->bottom = ClientRect->top + scrollRangeMax; PhOffsetRect(ClientRect, 0, -scrollPosition); } } return TRUE; } /** * Determines whether a window belongs to a hung (non-responsive) application. * * \param WindowHandle Handle to the window to test. May be NULL (result will be FALSE). * \return TRUE if the system reports the window is hung (not responding), otherwise FALSE. */ BOOLEAN PhIsHungAppWindow( _In_ HWND WindowHandle ) { return !!IsHungAppWindow(WindowHandle); } /** * Returns the shell (desktop) window handle. * * \return HWND of the shell window (may be NULL). */ HWND PhGetShellWindow( VOID ) { return GetShellWindow(); } /** * Marks a child window so it doesn't activate when created. * * \param WindowHandle Child window handle. * \param ThreadId Currently ignored; retained for compatibility. * \return TRUE on success, FALSE if API not present or call fails. */ BOOLEAN PhSetChildWindowNoActivate( _In_ HWND WindowHandle, _In_ HANDLE ThreadId ) { typedef ULONG (WINAPI* SetChildWindowNoActivate)( _In_ HWND WindowHandle ); static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(SetChildWindowNoActivate) SetChildWindowNoActivate_I = NULL; // NtUserSetChildWindowNoActivate if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"user32.dll")) { SetChildWindowNoActivate_I = PhGetDllBaseProcedureAddress(baseAddress, NULL, 2005); } PhEndInitOnce(&initOnce); } if (!SetChildWindowNoActivate_I) return FALSE; return !!SetChildWindowNoActivate_I(WindowHandle); } /** * Checks whether the given window belongs to the specified thread's desktop. * * \param WindowHandle The window to check. * \param ThreadId Thread id owning the desktop to check. * \return TRUE if the window belongs to the thread's desktop, otherwise FALSE. */ BOOLEAN PhCheckWindowThreadDesktop( _In_ HWND WindowHandle, _In_ HANDLE ThreadId ) { typedef LOGICAL (WINAPI* CheckWindowThreadDesktop)( _In_ HWND WindowHandle, _In_ ULONG ThreadId ); static PH_INITONCE initOnce = PH_INITONCE_INIT; static CheckWindowThreadDesktop CheckWindowThreadDesktop_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"user32.dll")) { CheckWindowThreadDesktop_I = PhGetDllBaseProcedureAddress(baseAddress, "CheckWindowThreadDesktop", 0); } PhEndInitOnce(&initOnce); } if (!CheckWindowThreadDesktop_I) return FALSE; return !!CheckWindowThreadDesktop_I(WindowHandle, HandleToUlong(ThreadId)); } /** * Gets an effective DPI for a monitor/window rectangle. * * \param WindowHandle Optional window handle used to locate a monitor. * \param WindowRect Optional rectangle used to locate a monitor. * \return DPI (horizontal) for the monitor or USER_DEFAULT_SCREEN_DPI on failure. */ LONG PhGetMonitorDpi( _In_opt_ HWND WindowHandle, _In_opt_ PRECT WindowRect ) { if (WindowRect && GetDpiForMonitor_I) { LONG dpi_x, dpi_y; HMONITOR monitor; monitor = MonitorFromRect(WindowRect, MONITOR_DEFAULTTONEAREST); if (HR_SUCCESS(GetDpiForMonitor_I(monitor, MDT_EFFECTIVE_DPI, &dpi_x, &dpi_y))) return dpi_x; } else if (WindowHandle && GetDpiForMonitor_I) { LONG dpi_x, dpi_y; HMONITOR monitor; monitor = MonitorFromWindow(WindowHandle, MONITOR_DEFAULTTONEAREST); if (HR_SUCCESS(GetDpiForMonitor_I(monitor, MDT_EFFECTIVE_DPI, &dpi_x, &dpi_y))) return dpi_x; } return USER_DEFAULT_SCREEN_DPI; } /** * Attempts to discover the system DPI using a sequence of fallbacks. * * \return Effective system DPI (pixels per inch) or USER_DEFAULT_SCREEN_DPI on failure. */ LONG PhGetSystemDpi( VOID ) { LONG dpi; if (dpi = PhGetTaskbarDpi()) return dpi; if (dpi = PhGetDpiValue(NULL, NULL)) return dpi; return USER_DEFAULT_SCREEN_DPI; } // rev from GetDpiForShellUIComponent (dmex) //LONG PhGetShellDpi( // VOID // ) //{ // static HWND trayWindow = NULL; // HWND windowHandle; // LONG dpi = 0; // // if (IsWindow(trayWindow)) // { // windowHandle = trayWindow; // } // else // { // windowHandle = trayWindow = FindWindow(L"Shell_TrayWnd", NULL); // } // // if (windowHandle) // { // dpi = HandleToLong(GetProp(windowHandle, L"TaskbarDPI_NotificationArea")); // } // // //if (dpi == 0) // //{ // // dpi = GetDpiForShellUIComponent(SHELL_UI_COMPONENT_NOTIFICATIONAREA); // //} // // if (dpi == 0) // { // dpi = USER_DEFAULT_SCREEN_DPI; // } // // return dpi; //} /** * Retrieves an effective DPI for the taskbar area (used as a reasonable * approximation for shell UI DPI). The function attempts several fallbacks * shell window bounds -> monitor DPI, then DpiValue from other sources, * and finally USER_DEFAULT_SCREEN_DPI. * * \return Effective taskbar DPI (pixels per inch) or USER_DEFAULT_SCREEN_DPI on failure. */ LONG PhGetTaskbarDpi( VOID ) { LONG dpi = 0; HWND windowHandle; RECT windowRect = { 0 }; if (windowHandle = PhGetShellWindow()) { PhGetWindowRect(windowHandle, &windowRect); } if (PhRectEmpty(&windowRect)) { if (windowHandle = GetDesktopWindow()) { PhGetWindowRect(windowHandle, &windowRect); } } //if (PhRectEmpty(&windowRect)) //{ // APPBARDATA appbarData = { sizeof(APPBARDATA) }; // // if (SHAppBarMessage(ABM_GETTASKBARPOS, &appbarData)) // { // windowRect = appbarData.rc; // } //} if (!PhRectEmpty(&windowRect)) { dpi = PhGetMonitorDpi(NULL, &windowRect); } if (dpi == 0) { dpi = PhGetDpiValue(NULL, NULL); } //if (dpi == 0) //{ // dpi = PhGetShellDpi(); //} if (dpi == 0) { dpi = USER_DEFAULT_SCREEN_DPI; } return dpi; } /** * Retrieves the DPI for the specified window. * * Uses multiple strategies depending on OS version: * - On Windows 10+: queries per-window/per-monitor values. * - On older systems: queries device context LOGPIXELSX. * * \param WindowHandle Window handle to query DPI for. * \return DPI (horizontal) for the window or USER_DEFAULT_SCREEN_DPI on failure. */ LONG PhGetWindowDpi( _In_ HWND WindowHandle ) { if (WindowsVersion >= WINDOWS_10) { LONG dpi; RECT windowRect; if (dpi = PhGetDpiValue(WindowHandle, NULL)) return dpi; if (PhGetWindowRect(WindowHandle, &windowRect)) { if (dpi = PhGetDpiValue(NULL, &windowRect)) return dpi; } } else // Windows 7 and Windows 8 { LONG dpi; HDC screenHdc; if (screenHdc = PhGetDC(WindowHandle)) { dpi = GetDeviceCaps(screenHdc, LOGPIXELSX); PhReleaseDC(WindowHandle, screenHdc); return dpi; } } return USER_DEFAULT_SCREEN_DPI; } /** * Attempts to determine DPI using modern APIs and fallbacks. * * \param WindowHandle Optional window handle to query. * \param WindowRect Optional rectangle used to locate a monitor. * \return Determined DPI or USER_DEFAULT_SCREEN_DPI on failure. */ LONG PhGetDpiValue( _In_opt_ HWND WindowHandle, _In_opt_ PRECT WindowRect ) { LONG dpi; // Windows 10 (RS1) if (WindowHandle && GetDpiForWindow_I) { if (dpi = GetDpiForWindow_I(WindowHandle)) return dpi; } // Windows 8.1 if (WindowRect && GetDpiForMonitor_I) { if (dpi = PhGetMonitorDpi(NULL, WindowRect)) return dpi; } if (WindowHandle && GetDpiForMonitor_I) { if (dpi = PhGetMonitorDpi(WindowHandle, NULL)) return dpi; } // Windows 10 (RS1) { if (GetDpiForSystem_I) { return GetDpiForSystem_I(); } } // Windows 7 and Windows 8 { HDC screenHdc; if (screenHdc = PhGetDC(NULL)) { dpi = GetDeviceCaps(screenHdc, LOGPIXELSX); PhReleaseDC(NULL, screenHdc); if (dpi) { return dpi; } } } return USER_DEFAULT_SCREEN_DPI; } /** * Retrieves the system metrics for the specified index. * * \param Index The index of the system metric to retrieve. * \param DpiValue The DPI value to use for retrieving the system metric. If not provided, the default DPI value will be used. * \return The value of the system metric. */ LONG PhGetSystemMetrics( _In_ LONG Index, _In_opt_ LONG DpiValue ) { if (DpiValue > 0 && GetSystemMetricsForDpi_I) { return GetSystemMetricsForDpi_I(Index, DpiValue); } return GetSystemMetrics(Index); } /** * Queries whether the system is running in Safe Boot (clean boot) mode. * * \return TRUE if the system is in Safe Boot mode, otherwise FALSE. */ BOOLEAN PhGetSystemSafeBootMode( VOID ) { if (WindowsVersion < WINDOWS_NEW) { return !!USER_SHARED_DATA->SafeBootMode; } return !!PhGetSystemMetrics(SM_CLEANBOOT, 0); } /** * Wrapper for SystemParametersInfo that supports a DPI-aware variant when available. * * \param Action The SPI_* action to perform. * \param Param1 Additional parameter for the action (see SystemParametersInfo docs). * \param Param2 Pointer to or buffer for action-specific data. * \param DpiValue Optional DPI to pass to SystemParametersInfoForDpi when supported (>0). * \return BOOL nonzero on success, zero on failure. */ BOOL PhGetSystemParametersInfo( _In_ LONG Action, _In_ ULONG Param1, _Pre_maybenull_ _Post_valid_ PVOID Param2, _In_opt_ LONG DpiValue ) { if (DpiValue > 0 && SystemParametersInfoForDpi_I) { return SystemParametersInfoForDpi_I(Action, Param1, Param2, 0, DpiValue); } return SystemParametersInfo(Action, Param1, Param2, 0); } /** * Inserts a tab into a tab control at the specified index with given text. * * \param TabControlHandle Handle to the tab control. * \param Index Zero-based index to insert the new tab at. * \param Text Text label for the new tab. * \return Index of the inserted item on success, or an error value on failure. */ LONG PhAddTabControlTab( _In_ HWND TabControlHandle, _In_ LONG Index, _In_ PCWSTR Text ) { TCITEM item; item.mask = TCIF_TEXT; item.pszText = (PWSTR)Text; return TabCtrl_InsertItem(TabControlHandle, Index, &item); } /** * Retrieves the window text as a referenced PPH_STRING object. * * This is a convenience wrapper around PhGetWindowTextEx that requests * the default behavior (no special flags). * * \param WindowHandle Window handle whose text is requested. * \return A reference to a PPH_STRING. Caller should PhDereferenceObject when done. */ PPH_STRING PhGetWindowText( _In_ HWND WindowHandle ) { PPH_STRING text; PhGetWindowTextEx(WindowHandle, 0, &text); return text; } /** * Retrieves window text with extended options. * * If PH_GET_WINDOW_TEXT_INTERNAL is specified the function uses InternalGetWindowText. * If PH_GET_WINDOW_TEXT_LENGTH_ONLY is specified only the length is retrieved. * * \param WindowHandle Window handle to query. * \param Flags Combination of PH_GET_WINDOW_TEXT_* flags that control behavior. * \param Text Optional out parameter that receives a referenced PPH_STRING when provided. * \return Number of characters in the retrieved text (not including terminating NULL). */ ULONG PhGetWindowTextEx( _In_ HWND WindowHandle, _In_ ULONG Flags, _Out_opt_ PPH_STRING *Text ) { PPH_STRING string; ULONG length; if (Flags & PH_GET_WINDOW_TEXT_INTERNAL) { if (Flags & PH_GET_WINDOW_TEXT_LENGTH_ONLY) { WCHAR buffer[32]; length = InternalGetWindowText(WindowHandle, buffer, sizeof(buffer) / sizeof(WCHAR)); if (Text) *Text = NULL; } else { // TODO: Resize the buffer until we get the entire thing. string = PhCreateStringEx(NULL, 256 * sizeof(WCHAR)); length = InternalGetWindowText(WindowHandle, string->Buffer, (ULONG)string->Length / sizeof(WCHAR) + 1); string->Length = length * sizeof(WCHAR); if (Text) *Text = string; else PhDereferenceObject(string); } return length; } else { length = GetWindowTextLength(WindowHandle); if (length == 0 || (Flags & PH_GET_WINDOW_TEXT_LENGTH_ONLY)) { if (Text) *Text = PhReferenceEmptyString(); return length; } string = PhCreateStringEx(NULL, length * sizeof(WCHAR)); if (GetWindowText(WindowHandle, string->Buffer, (ULONG)string->Length / sizeof(WCHAR) + 1)) { if (Text) *Text = string; else PhDereferenceObject(string); return length; } else { if (Text) *Text = PhReferenceEmptyString(); PhDereferenceObject(string); return 0; } } } /** * Retrieves window text into a caller-supplied buffer. * * \param WindowHandle Window handle to query. * \param Flags PH_GET_WINDOW_TEXT_INTERNAL to use internal API; otherwise uses GetWindowText. * \param Buffer Buffer that receives the text (may be NULL if BufferLength is 0). * \param BufferLength Size of Buffer in characters. * \param ReturnLength Optional receives the number of characters written (not including NULL). * \return STATUS_SUCCESS on success or an appropriate NTSTATUS error code. */ NTSTATUS PhGetWindowTextToBuffer( _In_ HWND WindowHandle, _In_ ULONG Flags, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_opt_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; ULONG length; if (Flags & PH_GET_WINDOW_TEXT_INTERNAL) length = InternalGetWindowText(WindowHandle, Buffer, BufferLength); else length = GetWindowText(WindowHandle, Buffer, BufferLength); if (length == 0) status = PhGetLastWin32ErrorAsNtStatus(); else status = STATUS_SUCCESS; if (ReturnLength) *ReturnLength = length; return status; } /** * Retrieves the class name of a window. * * \param WindowHandle Window handle to query. * \param Buffer Buffer that receives the class name (wide string). * \param BufferLength Length of Buffer in characters. * \param ReturnLength Optional receives the number of characters written (not including NULL). * \return STATUS_SUCCESS on success or an NTSTATUS error on failure. */ NTSTATUS PhGetClassName( _In_ HWND WindowHandle, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; LONG length; length = GetClassName(WindowHandle, Buffer, BufferLength); if (length == 0) status = PhGetLastWin32ErrorAsNtStatus(); else status = STATUS_SUCCESS; if (ReturnLength) *ReturnLength = length; return status; } /** * Retrieves the string for a combobox item. * * \param WindowHandle Handle of the combobox control. * \param Index Zero-based item index or INT_ERROR to use current selection. * \return A referenced PPH_STRING on success, PhReferenceEmptyString() for empty string, or NULL on error. * \remarks If Index is INT_ERROR the current selection is used. */ PPH_STRING PhGetComboBoxString( _In_ HWND WindowHandle, _In_ LONG Index ) { PPH_STRING string; LONG length; if (Index == INT_ERROR) { Index = ComboBox_GetCurSel(WindowHandle); if (Index == CB_ERR) return NULL; } length = ComboBox_GetLBTextLen(WindowHandle, Index); if (length == CB_ERR) return NULL; if (length == 0) return PhReferenceEmptyString(); string = PhCreateStringEx(NULL, length * sizeof(WCHAR)); if (ComboBox_GetLBText(WindowHandle, Index, string->Buffer) != CB_ERR) { return string; } else { PhDereferenceObject(string); return NULL; } } /** * Selects a string in a combobox. * * \param WindowHandle Handle of the combobox control. * \param String String to select. * \param Partial If TRUE, selects the first item that matches partially; otherwise performs exact match. * \return Index of the selected item, or CB_ERR if not found. */ LONG PhSelectComboBoxString( _In_ HWND WindowHandle, _In_ PCWSTR String, _In_ BOOLEAN Partial ) { if (Partial) { return ComboBox_SelectString(WindowHandle, INT_ERROR, String); } else { LONG index; index = ComboBox_FindStringExact(WindowHandle, INT_ERROR, String); if (index == CB_ERR) return CB_ERR; ComboBox_SetCurSel(WindowHandle, index); InvalidateRect(WindowHandle, NULL, TRUE); return index; } } /** * Deletes all strings from a combobox. * * \param ComboBoxHandle Handle to the combobox control. * \param ResetContent If TRUE, calls ComboBox_ResetContent after deleting individual strings. */ VOID PhDeleteComboBoxStrings( _In_ HWND ComboBoxHandle, _In_ BOOLEAN ResetContent ) { LONG total; if ((total = ComboBox_GetCount(ComboBoxHandle)) == CB_ERR) return; for (LONG i = 0; i < total; i++) { ComboBox_DeleteString(ComboBoxHandle, i); } if (ResetContent) { ComboBox_ResetContent(ComboBoxHandle); } } /** * Retrieves the string for a listbox item. * * \param WindowHandle Handle of the listbox control. * \param Index Zero-based item index or INT_ERROR to use current selection. * \return A newly created PPH_STRING on success, or NULL on error/empty. Caller must PhDereferenceObject when done. * \remarks If Index is INT_ERROR the current selection is used. */ PPH_STRING PhGetListBoxString( _In_ HWND WindowHandle, _In_ LONG Index ) { PPH_STRING string; LONG length; if (Index == INT_ERROR) { Index = ListBox_GetCurSel(WindowHandle); if (Index == LB_ERR) return NULL; } length = ListBox_GetTextLen(WindowHandle, Index); if (length == LB_ERR) return NULL; if (length == 0) return NULL; string = PhCreateStringEx(NULL, length * sizeof(WCHAR)); if (ListBox_GetText(WindowHandle, Index, string->Buffer) != LB_ERR) { return string; } else { PhDereferenceObject(string); return NULL; } } /** * Loads a bitmap resource and replaces the specified imagelist entry with it. * * \param ImageList HIMAGELIST to update. * \param Index Index of the image to replace. * \param InstanceHandle Module instance handle containing the bitmap. * \param BitmapName Resource name of the bitmap. */ VOID PhSetImageListBitmap( _In_ HIMAGELIST ImageList, _In_ LONG Index, _In_ HINSTANCE InstanceHandle, _In_ PCWSTR BitmapName ) { HBITMAP bitmap; bitmap = LoadImage(InstanceHandle, BitmapName, IMAGE_BITMAP, 0, 0, 0); if (bitmap) { PhImageListReplace(ImageList, Index, bitmap, NULL); DeleteBitmap(bitmap); } } /** * Hashtable equality function used for shared icon cache. * * Compares two icon cache entries by instance handle, dimensions, DPI and * resource/name. Handles both string and integer resource identifiers. * * \param Entry1 Pointer to first PHP_ICON_ENTRY. * \param Entry2 Pointer to second PHP_ICON_ENTRY. * \return TRUE if entries represent the same icon lookup key, otherwise FALSE. */ _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN SharedIconCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPHP_ICON_ENTRY entry1 = Entry1; PPHP_ICON_ENTRY entry2 = Entry2; if (entry1->InstanceHandle != entry2->InstanceHandle || entry1->Width != entry2->Width || entry1->Height != entry2->Height || entry1->DpiValue != entry2->DpiValue) { return FALSE; } if (IS_INTRESOURCE(entry1->Name)) { if (IS_INTRESOURCE(entry2->Name)) return PtrToUlong(entry1->Name) == PtrToUlong(entry2->Name); else return FALSE; } else { if (!IS_INTRESOURCE(entry2->Name)) return PhEqualStringZ(entry1->Name, entry2->Name, FALSE); else return FALSE; } } /** * Hashtable hash function used for shared icon cache. * * Computes a hash for a PHP_ICON_ENTRY by mixing the name (or resource id), * instance handle, dimensions and DPI value. * * \param Entry Pointer to PHP_ICON_ENTRY. * \return Computed hash value. */ _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG SharedIconCacheHashtableHashFunction( _In_ PVOID Entry ) { PPHP_ICON_ENTRY entry = Entry; ULONG nameHash; if (IS_INTRESOURCE(entry->Name)) nameHash = PtrToUlong(entry->Name); else nameHash = PhHashBytes((PUCHAR)entry->Name, PhCountStringZ(entry->Name)); return nameHash ^ (PtrToUlong(entry->InstanceHandle) >> 5) ^ (entry->Width << 3) ^ entry->Height ^ entry->DpiValue; } /** * Loads or returns a shared icon from cache. * * If PH_LOAD_ICON_SHARED is specified the function will attempt to return * a cached shared icon handle. If not found it will load, possibly scale, * and optionally insert the icon into the shared cache. * * \param ImageBaseAddress Optional module base to load the icon from. * \param Name The resource name or identifier. * \param Flags Flags controlling loading behavior (size, shared, strict, ...). * \param Width Desired width (or 0 to use defaults). * \param Height Desired height (or 0 to use defaults). * \param SystemDpi DPI value for scaling. * \return Handle to an HICON on success, otherwise NULL. */ HICON PhLoadIcon( _In_opt_ PVOID ImageBaseAddress, _In_ PCWSTR Name, _In_ ULONG Flags, _In_opt_ LONG Width, _In_opt_ LONG Height, _In_opt_ LONG SystemDpi ) { PHP_ICON_ENTRY entry; PPHP_ICON_ENTRY actualEntry; HICON icon = NULL; LONG width; LONG height; if (PhBeginInitOnce(&SharedIconCacheInitOnce)) { SharedIconCacheHashtable = PhCreateHashtable(sizeof(PHP_ICON_ENTRY), SharedIconCacheHashtableEqualFunction, SharedIconCacheHashtableHashFunction, 10); PhEndInitOnce(&SharedIconCacheInitOnce); } if (Flags & PH_LOAD_ICON_SHARED) { PhAcquireQueuedLockExclusive(&SharedIconCacheLock); entry.InstanceHandle = ImageBaseAddress; entry.Name = Name; entry.Width = PhpGetIconEntrySize(Width, Flags); entry.Height = PhpGetIconEntrySize(Height, Flags); entry.DpiValue = SystemDpi; actualEntry = PhFindEntryHashtable(SharedIconCacheHashtable, &entry); if (actualEntry) { icon = actualEntry->Icon; PhReleaseQueuedLockExclusive(&SharedIconCacheLock); return icon; } } if (Flags & (PH_LOAD_ICON_SIZE_SMALL | PH_LOAD_ICON_SIZE_LARGE)) { if (Flags & PH_LOAD_ICON_SIZE_SMALL) { width = PhGetSystemMetrics(SM_CXSMICON, SystemDpi); height = PhGetSystemMetrics(SM_CYSMICON, SystemDpi); } else { width = PhGetSystemMetrics(SM_CXICON, SystemDpi); height = PhGetSystemMetrics(SM_CYICON, SystemDpi); } LoadIconWithScaleDown(ImageBaseAddress, Name, width, height, &icon); } else { LoadIconWithScaleDown(ImageBaseAddress, Name, Width, Height, &icon); } if (!icon && !(Flags & PH_LOAD_ICON_STRICT)) { if (Flags & PH_LOAD_ICON_SIZE_SMALL) { width = PhGetSystemMetrics(SM_CXSMICON, SystemDpi); height = PhGetSystemMetrics(SM_CYSMICON, SystemDpi); } else { width = PhGetSystemMetrics(SM_CXICON, SystemDpi); height = PhGetSystemMetrics(SM_CYICON, SystemDpi); } icon = LoadImage(ImageBaseAddress, Name, IMAGE_ICON, width, height, 0); } if (Flags & PH_LOAD_ICON_SHARED) { if (icon) { if (!IS_INTRESOURCE(Name)) entry.Name = PhDuplicateStringZ(Name); entry.Icon = icon; PhAddEntryHashtable(SharedIconCacheHashtable, &entry); } PhReleaseQueuedLockExclusive(&SharedIconCacheLock); } return icon; } /** * Gets the default icon used for executable files. * * \param SmallIcon A variable which receives the small default executable icon. Do not destroy the * icon using DestroyIcon(); it is shared between callers. * \param LargeIcon A variable which receives the large default executable icon. Do not destroy the * icon using DestroyIcon(); it is shared between callers. */ VOID PhGetStockApplicationIcon( _Out_opt_ HICON *SmallIcon, _Out_opt_ HICON *LargeIcon ) { static HICON smallIcon = NULL; static HICON largeIcon = NULL; static LONG systemDpi = 0; if (systemDpi != PhSystemDpi) { if (smallIcon) { DestroyIcon(smallIcon); smallIcon = NULL; } if (largeIcon) { DestroyIcon(largeIcon); largeIcon = NULL; } systemDpi = PhSystemDpi; } // This no longer uses SHGetFileInfo because it is *very* slow and causes many other DLLs to be // loaded, increasing memory usage. The worst thing about it, however, is that it is horribly // incompatible with multi-threading. The first time it is called, it tries to perform some // one-time initialization. It guards this with a lock, but when multiple threads try to call // the function at the same time, instead of waiting for initialization to finish it simply // fails the other threads. if (!smallIcon || !largeIcon) { if (WindowsVersion < WINDOWS_10) { PPH_STRING systemDirectory; PPH_STRING dllFileName; // imageres,11 (Windows 10 and above), user32,0 (Vista and above) or shell32,2 (XP) contains // the default application icon. if (systemDirectory = PhGetSystemDirectory()) { dllFileName = PhConcatStringRefZ(&systemDirectory->sr, L"\\user32.dll"); PhExtractIcon( dllFileName->Buffer, &largeIcon, &smallIcon ); PhDereferenceObject(dllFileName); PhDereferenceObject(systemDirectory); } } else { static CONST PH_STRINGREF imageFileName = PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\imageres.dll"); PhExtractIconEx( &imageFileName, TRUE, 11, PhGetSystemMetrics(SM_CXICON, systemDpi), PhGetSystemMetrics(SM_CYICON, systemDpi), PhGetSystemMetrics(SM_CXSMICON, systemDpi), PhGetSystemMetrics(SM_CYSMICON, systemDpi), &largeIcon, &smallIcon ); } } if (!smallIcon) smallIcon = PhLoadIcon(NULL, IDI_APPLICATION, PH_LOAD_ICON_SIZE_SMALL, 0, 0, systemDpi); if (!largeIcon) largeIcon = PhLoadIcon(NULL, IDI_APPLICATION, PH_LOAD_ICON_SIZE_LARGE, 0, 0, systemDpi); if (SmallIcon) *SmallIcon = smallIcon; if (LargeIcon) *LargeIcon = largeIcon; } //HICON PhGetFileShellIcon( // _In_opt_ PWSTR FileName, // _In_opt_ PWSTR DefaultExtension, // _In_ BOOLEAN LargeIcon // ) //{ // SHFILEINFO fileInfo; // ULONG iconFlag; // HICON icon; // // if (DefaultExtension && PhEqualStringZ(DefaultExtension, L".exe", TRUE)) // { // // Special case for executable files (see above for reasoning). // // icon = NULL; // // if (FileName) // { // PhExtractIcon( // FileName, // LargeIcon ? &icon : NULL, // !LargeIcon ? &icon : NULL // ); // } // // if (!icon) // { // PhGetStockApplicationIcon( // !LargeIcon ? &icon : NULL, // LargeIcon ? &icon : NULL // ); // // if (icon) // icon = CopyIcon(icon); // } // // return icon; // } // // iconFlag = LargeIcon ? SHGFI_LARGEICON : SHGFI_SMALLICON; // icon = NULL; // memset(&fileInfo, 0, sizeof(SHFILEINFO)); // // if (FileName && SHGetFileInfo( // FileName, // 0, // &fileInfo, // sizeof(SHFILEINFO), // SHGFI_ICON | iconFlag // )) // { // icon = fileInfo.hIcon; // } // // if (!icon && DefaultExtension) // { // memset(&fileInfo, 0, sizeof(SHFILEINFO)); // // if (SHGetFileInfo( // DefaultExtension, // FILE_ATTRIBUTE_NORMAL, // &fileInfo, // sizeof(SHFILEINFO), // SHGFI_ICON | iconFlag | SHGFI_USEFILEATTRIBUTES // )) // icon = fileInfo.hIcon; // } // // return icon; //} /** * Sets clipboard data for the specified format. * * \param WindowHandle Owner window for OpenClipboard (may be NULL). * \param Format Clipboard format identifier (e.g. CF_UNICODETEXT). * \param Data Handle to the data to place on the clipboard. */ VOID PhpSetClipboardData( _In_ HWND WindowHandle, _In_ ULONG Format, _In_ HANDLE Data ) { if (OpenClipboard(WindowHandle)) { if (!EmptyClipboard()) goto Fail; if (!SetClipboardData(Format, Data)) goto Fail; CloseClipboard(); return; } Fail: GlobalFree(Data); } /** * Copies a unicode string into the clipboard as CF_UNICODETEXT. * * \param WindowHandle Owner window used for OpenClipboard (may be NULL). * \param String Pointer to a PH_STRINGREF describing the unicode buffer and length in bytes. */ VOID PhSetClipboardString( _In_ HWND WindowHandle, _In_ PCPH_STRINGREF String ) { HANDLE data; PVOID memory; data = GlobalAlloc(GMEM_MOVEABLE, String->Length + sizeof(UNICODE_NULL)); memory = GlobalLock(data); memcpy(memory, String->Buffer, String->Length); *(PWCHAR)PTR_ADD_OFFSET(memory, String->Length) = UNICODE_NULL; GlobalUnlock(memory); PhpSetClipboardData(WindowHandle, CF_UNICODETEXT, data); } /** * Retrieves a unicode string from the clipboard (CF_UNICODETEXT). If the clipboard does not * contain CF_UNICODETEXT, or it cannot be opened, a reference to the empty string is returned. * * \param WindowHandle Owner window used for OpenClipboard (may be NULL). * \return Referenced PPH_STRING containing the clipboard text. */ PPH_STRING PhGetClipboardString( _In_ HWND WindowHandle ) { PPH_STRING string; HGLOBAL data; string = PhReferenceEmptyString(); if (!IsClipboardFormatAvailable(CF_UNICODETEXT)) return string; if (!OpenClipboard(WindowHandle)) return string; data = GetClipboardData(CF_UNICODETEXT); if (data) { PVOID str; str = GlobalLock(data); if (str) { PhMoveReference(&string, PhCreateString(str)); GlobalUnlock(data); } } CloseClipboard(); return string; } /** * Creates a dialog from a dialog-template resource copying the template. * * This allows modifying the copied template (style) prior to creating the * dialog. The allocated template copy is freed after CreateDialogIndirectParam * returns. * * \param Parent Parent window handle for the dialog. * \param Style Style bits to apply to the dialog template. * \param Instance Module instance whose resources contain the template. * \param Template Resource name of the dialog template. * \param DialogProc Dialog procedure for the new dialog. * \param Parameter Optional parameter passed to DialogProc via lParam. * \return HWND of the created dialog on success, or NULL on failure. */ HWND PhCreateDialogFromTemplate( _In_ HWND Parent, _In_ ULONG Style, _In_ PVOID Instance, _In_ PCWSTR Template, _In_ DLGPROC DialogProc, _In_ PVOID Parameter ) { PDLGTEMPLATEEX dialogTemplate; HWND dialogHandle; if (!NT_SUCCESS(PhLoadResourceCopy(Instance, Template, RT_DIALOG, NULL, &dialogTemplate))) return NULL; if (dialogTemplate->signature == USHRT_MAX) { dialogTemplate->style = Style; } else { ((DLGTEMPLATE *)dialogTemplate)->style = Style; } dialogHandle = CreateDialogIndirectParam( Instance, (DLGTEMPLATE *)dialogTemplate, Parent, DialogProc, (LPARAM)Parameter ); PhFree(dialogTemplate); return dialogHandle; } /** * Creates a dialog from a dialog-template resource. * * \param Instance Module instance whose resources contain the dialog template. * \param Template Resource name of the dialog template. * \param ParentWindow Optional parent window handle. * \param DialogProc Dialog procedure for the dialog. * \param Parameter Optional parameter passed to DialogProc via lParam. * \return HWND of the created dialog on success, or NULL on failure. */ HWND PhCreateDialog( _In_ PVOID Instance, _In_ PCWSTR Template, _In_opt_ HWND ParentWindow, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ) { PDLGTEMPLATEEX dialogTemplate; HWND dialogHandle; if (!NT_SUCCESS(PhLoadResource(Instance, Template, RT_DIALOG, NULL, &dialogTemplate))) return NULL; dialogHandle = CreateDialogIndirectParam( Instance, (LPDLGTEMPLATE)dialogTemplate, ParentWindow, DialogProc, (LPARAM)Parameter ); return dialogHandle; } /** * Creates a window with extended styles. * * \param ClassName Window class name. * \param WindowName Window title (may be NULL). * \param Style Window style flags. * \param ExStyle Extended window style flags. * \param X Initial x position. * \param Y Initial y position. * \param Width Initial width. * \param Height Initial height. * \param ParentWindow Optional parent or owner window handle. * \param MenuHandle Optional menu or child-control identifier. * \param InstanceHandle Optional module instance handle. * \param Parameter Optional creation parameter passed to WM_CREATE. * \return HWND of the created window, or NULL on failure. */ HWND PhCreateWindowEx( _In_ PCWSTR ClassName, _In_opt_ PCWSTR WindowName, _In_ ULONG Style, _In_ ULONG ExStyle, _In_ LONG X, _In_ LONG Y, _In_ LONG Width, _In_ LONG Height, _In_opt_ HWND ParentWindow, _In_opt_ HMENU MenuHandle, _In_opt_ PVOID InstanceHandle, _In_opt_ PVOID Parameter ) { HWND windowHandle; windowHandle = CreateWindowEx( ExStyle, ClassName, WindowName, Style, X, Y, Width, Height, ParentWindow, MenuHandle, InstanceHandle, Parameter ); return windowHandle; } /** * Creates a message-only window. * * \return HWND of the created message window or NULL on failure. */ HWND PhCreateMessageWindow( VOID ) { HWND windowHandle; windowHandle = CreateWindowEx( 0, L"Message", NULL, 0, 0, 0, 0, 0, HWND_MESSAGE, NULL, NULL, NULL ); return windowHandle; } /** * Displays a modal dialog box from a dialog-template resource. * * \param Instance Module instance whose resources contain the dialog template. * \param Template Resource name of the dialog template. * \param ParentWindow Optional parent window handle. * \param DialogProc Dialog procedure for the dialog. * \param Parameter Optional parameter passed to DialogProc via lParam. * \return Dialog result (as returned by DialogBoxIndirectParam) or INT_ERROR on failure. */ INT_PTR PhDialogBox( _In_ PVOID Instance, _In_ PCWSTR Template, _In_opt_ HWND ParentWindow, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ) { PDLGTEMPLATEEX dialogTemplate; INT_PTR dialogResult; if (!NT_SUCCESS(PhLoadResource(Instance, Template, RT_DIALOG, NULL, &dialogTemplate))) return INT_ERROR; dialogResult = DialogBoxIndirectParam( Instance, (LPDLGTEMPLATE)dialogTemplate, ParentWindow, DialogProc, (LPARAM)Parameter ); return dialogResult; } /** * Loads a menu resource by name from a module. * * \param DllBase Module base (mapped image or HMODULE) containing the menu resource. * \param MenuName Resource name of the menu to load. * \return HMENU created from the menu template, or NULL on failure. */ HMENU PhLoadMenu( _In_ PVOID DllBase, _In_ PCWSTR MenuName ) { LPMENUTEMPLATE templateBuffer; if (NT_SUCCESS(PhLoadResource( DllBase, MenuName, RT_MENU, NULL, &templateBuffer ))) { return LoadMenuIndirect(templateBuffer); } return NULL; } /** * Property-sheet window procedure used to provide consistent behaviour across * property-sheets created by the library. * * This procedure is installed as a wrapper that: * - Restores the previous window procedure on WM_NCDESTROY. * - Forwards WM_KEYDOWN messages to the current page to allow page-level key handling. * - Prevents the hidden OK button from closing the dialog when activated. * * \param hwnd Property sheet window handle. * \param uMsg Window message. * \param wParam WPARAM. * \param lParam LPARAM. * \return Result from the original window procedure or message-specific result. */ LRESULT CALLBACK PhDefaultPropSheetWindowProcedure( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { WNDPROC oldWndProc; oldWndProc = PhGetWindowContext(hwnd, 0xF); if (!oldWndProc) return 0; switch (uMsg) { case WM_NCDESTROY: { PhRemoveWindowContext(hwnd, 0xF); PhSetWindowProcedure(hwnd, oldWndProc); } break; case WM_SYSCOMMAND: { switch (wParam & 0xFFF0) { case SC_CLOSE: { PostMessage(hwnd, WM_CLOSE, 0, 0); return 0; } break; } } break; case WM_COMMAND: { switch (GET_WM_COMMAND_ID(wParam, lParam)) { case IDOK: // Prevent the OK button from working (even though // it's already hidden). This prevents the Enter // key from closing the dialog box. return 0; } } break; case WM_KEYDOWN: // forward key messages { HWND pageWindowHandle; if (pageWindowHandle = PropSheet_GetCurrentPageHwnd(hwnd)) { if (SendMessage(pageWindowHandle, uMsg, wParam, lParam)) { return TRUE; } } } break; } return CallWindowProc(oldWndProc, hwnd, uMsg, wParam, lParam); } /** * Property-sheet callback used to initialise property-sheets created by the * library. Sets up the wrapper window procedure and hides the OK button. * * \param hwndDlg Property sheet window handle. * \param uMsg Callback message (PSCB_INITIALIZED expected). * \param lParam Additional parameter (unused). * \return 0 always. */ INT CALLBACK PhModalPropSheetWindowProcedure( _In_ HWND hwndDlg, _In_ UINT uMsg, _In_ LPARAM lParam ) { switch (uMsg) { case PSCB_INITIALIZED: { PhSetWindowContext(hwndDlg, 0xF, (PVOID)PhGetWindowProcedure(hwndDlg)); PhSetWindowProcedure(hwndDlg, PhDefaultPropSheetWindowProcedure); // Hide the OK button. ShowWindow(GetDlgItem(hwndDlg, IDOK), SW_HIDE); // Set the Cancel button's text to "Close". PhSetDialogItemText(hwndDlg, IDCANCEL, L"Close"); } break; } return 0; } /** * Displays a property sheet using a custom message loop to avoid a known * PropertySheet bug which may discard WM_QUIT in rare cases. * * The function temporarily disables/enables the top level owner window and * pumps messages until the sheet closes. An automatic pool is created and * drained on each loop iteration to manage transient allocations. * * \param Header Pointer to a PROPSHEETHEADER structure describing the property sheet. * \return TRUE on success, FALSE on failure. */ BOOLEAN PhModalPropertySheet( _Inout_ PROPSHEETHEADER *Header ) { // PropertySheet incorrectly discards WM_QUIT messages in certain cases, so we will use our own // message loop. An example of this is when GetMessage (called by PropertySheet's message loop) // dispatches a message directly from kernel-mode that causes the property sheet to close. In // that case PropertySheet will retrieve the WM_QUIT message but will ignore it because of its // buggy logic. // This is also a good opportunity to introduce an auto-pool. PH_AUTO_POOL autoPool; HWND oldFocus; HWND topLevelOwner; HWND hwnd; BOOL result; MSG message; PhInitializeAutoPool(&autoPool); oldFocus = GetFocus(); topLevelOwner = Header->hwndParent; while (topLevelOwner && (PhGetWindowStyle(topLevelOwner) & WS_CHILD)) topLevelOwner = GetParent(topLevelOwner); if (topLevelOwner && (topLevelOwner == GetDesktopWindow() || EnableWindow(topLevelOwner, FALSE))) topLevelOwner = NULL; Header->dwFlags |= PSH_MODELESS; // Allow to close other modeless property sheets (ex. Handle properties) by clicking the X on // the taskbar window thumbnail, also forward key messages (Dart Vanya) if (!Header->pfnCallback) { Header->dwFlags |= PSH_USECALLBACK; Header->pfnCallback = PhModalPropSheetWindowProcedure; } hwnd = (HWND)PropertySheet(Header); if (!hwnd) { if (topLevelOwner) EnableWindow(topLevelOwner, TRUE); return FALSE; } while (result = GetMessage(&message, NULL, 0, 0)) { BOOLEAN processed = FALSE; if (result == INT_ERROR) break; if (!processed) { if (!PropSheet_IsDialogMessage(hwnd, &message)) { TranslateMessage(&message); DispatchMessage(&message); } } PhDrainAutoPool(&autoPool); // Destroy the window when necessary. if (!PropSheet_GetCurrentPageHwnd(hwnd)) break; } if (result == 0) PostQuitMessage((INT)message.wParam); if (Header->hwndParent && GetActiveWindow() == hwnd) SetActiveWindow(Header->hwndParent); if (topLevelOwner) EnableWindow(topLevelOwner, TRUE); if (oldFocus && IsWindow(oldFocus)) SetFocus(oldFocus); DestroyWindow(hwnd); PhDeleteAutoPool(&autoPool); return TRUE; } /** * Initializes a the root layout item instance for the specified window. * * \param Manager Pointer to the PH_LAYOUT_MANAGER to initialize. * \param RootWindowHandle Handle of the root window for layout operations. * \return TRUE on success, FALSE on failure. */ BOOLEAN PhInitializeLayoutManager( _Out_ PPH_LAYOUT_MANAGER Manager, _In_ HWND RootWindowHandle ) { memset(Manager, 0, sizeof(PH_LAYOUT_MANAGER)); Manager->List = PhCreateList(4); if (!Manager->List) return FALSE; Manager->WindowDpi = PhGetWindowDpi(RootWindowHandle); Manager->RootItem.Handle = RootWindowHandle; Manager->RootItem.ParentItem = NULL; Manager->RootItem.LayoutParentItem = NULL; Manager->RootItem.LayoutNumber = 0; Manager->RootItem.NumberOfChildren = 0; Manager->RootItem.DeferHandle = NULL; if (PhGetClientRect(RootWindowHandle, &Manager->RootItem.Rect)) { PhGetSizeDpiValue(&Manager->RootItem.Rect, Manager->WindowDpi, FALSE); return TRUE; } return FALSE; } /** * Destroys a layout manager created by PhInitializeLayoutManager. * \param Manager Pointer to the PH_LAYOUT_MANAGER to delete. */ VOID PhDeleteLayoutManager( _Inout_ PPH_LAYOUT_MANAGER Manager ) { ULONG i; for (i = 0; i < Manager->List->Count; i++) PhFree(Manager->List->Items[i]); PhDereferenceObject(Manager->List); } // HACK: The math below is all horribly broken, especially the HACK for multiline tab controls. /** * Adds a layout item for a window using default margin (zero). * * Convenience wrapper around PhAddLayoutItemEx which passes a zero margin. * * \param Manager Pointer to the layout manager. * \param Handle Window handle to manage. * \param ParentItem Optional parent layout item; if NULL the root item is used. * \param Anchor Anchor flags controlling layout behaviour. * \return Pointer to the newly created PPH_LAYOUT_ITEM. */ PPH_LAYOUT_ITEM PhAddLayoutItem( _Inout_ PPH_LAYOUT_MANAGER Manager, _In_ HWND Handle, _In_opt_ PPH_LAYOUT_ITEM ParentItem, _In_ ULONG Anchor ) { PPH_LAYOUT_ITEM layoutItem; RECT dummy = { 0 }; layoutItem = PhAddLayoutItemEx( Manager, Handle, ParentItem, Anchor, &dummy ); layoutItem->Margin = layoutItem->Rect; PhConvertRect(&layoutItem->Margin, &layoutItem->ParentItem->Rect); if (layoutItem->ParentItem != layoutItem->LayoutParentItem) { // Fix the margin because the item has a dummy parent. They share the same layout parent // item. layoutItem->Margin.top -= layoutItem->ParentItem->Rect.top; layoutItem->Margin.left -= layoutItem->ParentItem->Rect.left; layoutItem->Margin.right = layoutItem->ParentItem->Margin.right; layoutItem->Margin.bottom = layoutItem->ParentItem->Margin.bottom; } return layoutItem; } /** * Adds a layout item with explicit margin values. * * \param Manager Pointer to the layout manager. * \param Handle Window handle to manage. * \param ParentItem Optional parent layout item; if NULL the root item is used. * \param Anchor Anchor flags controlling layout behaviour. * \param Margin Pointer to a RECT that specifies the margin for the item. * \return Pointer to the newly created PPH_LAYOUT_ITEM. */ PPH_LAYOUT_ITEM PhAddLayoutItemEx( _Inout_ PPH_LAYOUT_MANAGER Manager, _In_ HWND Handle, _In_opt_ PPH_LAYOUT_ITEM ParentItem, _In_ ULONG Anchor, _In_ PRECT Margin ) { PPH_LAYOUT_ITEM item; if (!ParentItem) ParentItem = &Manager->RootItem; item = PhAllocateZero(sizeof(PH_LAYOUT_ITEM)); item->Handle = Handle; item->ParentItem = ParentItem; item->LayoutNumber = Manager->LayoutNumber; item->NumberOfChildren = 0; item->DeferHandle = NULL; item->Anchor = Anchor; item->Rect = (RECT){ 0 }; item->LayoutParentItem = item->ParentItem; while ((item->LayoutParentItem->Anchor & PH_LAYOUT_DUMMY_MASK) && item->LayoutParentItem->LayoutParentItem) { item->LayoutParentItem = item->LayoutParentItem->LayoutParentItem; } item->LayoutParentItem->NumberOfChildren++; PhGetWindowRect(Handle, &item->Rect); MapWindowRect(HWND_DESKTOP, item->LayoutParentItem->Handle, &item->Rect); if (item->Anchor & PH_LAYOUT_TAB_CONTROL) { // We want to convert the tab control rectangle to the tab page display rectangle. TabCtrl_AdjustRect(Handle, FALSE, &item->Rect); } PhGetSizeDpiValue(&item->Rect, Manager->WindowDpi, FALSE); item->Margin = *Margin; PhGetSizeDpiValue(&item->Margin, Manager->WindowDpi, FALSE); PhAddItemList(Manager->List, item); return item; } /** * Performs layout calculations for a single layout item and its parents. * * \param Manager Pointer to the layout manager. * \param Item Pointer to the layout item to layout. */ VOID PhpLayoutItemLayout( _Inout_ PPH_LAYOUT_MANAGER Manager, _Inout_ PPH_LAYOUT_ITEM Item ) { RECT margin; RECT rect; ULONG diff; BOOLEAN hasDummyParent; if (Item->NumberOfChildren > 0 && !Item->DeferHandle) Item->DeferHandle = BeginDeferWindowPos(Item->NumberOfChildren); if (Item->LayoutNumber == Manager->LayoutNumber) return; // If this is the root item we must stop here. if (!Item->ParentItem) return; PhpLayoutItemLayout(Manager, Item->ParentItem); if (Item->ParentItem != Item->LayoutParentItem) { PhpLayoutItemLayout(Manager, Item->LayoutParentItem); hasDummyParent = TRUE; } else { hasDummyParent = FALSE; } if (!PhGetWindowRect(Item->Handle, &Item->Rect)) return; MapWindowRect(HWND_DESKTOP, Item->LayoutParentItem->Handle, &Item->Rect); if (Item->Anchor & PH_LAYOUT_TAB_CONTROL) { // We want to convert the tab control rectangle to the tab page display rectangle. TabCtrl_AdjustRect(Item->Handle, FALSE, &Item->Rect); } PhGetSizeDpiValue(&Item->Rect, Manager->WindowDpi, FALSE); if (!(Item->Anchor & PH_LAYOUT_DUMMY_MASK)) { margin = Item->Margin; rect = Item->Rect; // Convert right/bottom into margins to make the calculations // easier. PhConvertRect(&rect, &Item->LayoutParentItem->Rect); if (!(Item->Anchor & (PH_ANCHOR_LEFT | PH_ANCHOR_RIGHT))) { // TODO PhRaiseStatus(STATUS_NOT_IMPLEMENTED); } else if (Item->Anchor & PH_ANCHOR_RIGHT) { if (Item->Anchor & PH_ANCHOR_LEFT) { rect.left = (hasDummyParent ? Item->ParentItem->Rect.left : 0) + margin.left; rect.right = margin.right; } else { diff = margin.right - rect.right; rect.left -= diff; rect.right += diff; } } if (!(Item->Anchor & (PH_ANCHOR_TOP | PH_ANCHOR_BOTTOM))) { // TODO PhRaiseStatus(STATUS_NOT_IMPLEMENTED); } else if (Item->Anchor & PH_ANCHOR_BOTTOM) { if (Item->Anchor & PH_ANCHOR_TOP) { // tab control hack rect.top = (hasDummyParent ? Item->ParentItem->Rect.top : 0) + margin.top; rect.bottom = margin.bottom; } else { diff = margin.bottom - rect.bottom; rect.top -= diff; rect.bottom += diff; } } // Convert the right/bottom back into co-ordinates. PhConvertRect(&rect, &Item->LayoutParentItem->Rect); Item->Rect = rect; PhGetSizeDpiValue(&rect, Manager->WindowDpi, TRUE); if (!(Item->Anchor & PH_LAYOUT_IMMEDIATE_RESIZE)) { Item->LayoutParentItem->DeferHandle = DeferWindowPos( Item->LayoutParentItem->DeferHandle, Item->Handle, NULL, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, SWP_NOACTIVATE | SWP_NOZORDER ); } else { // This is needed for tab controls, so that TabCtrl_AdjustRect will give us an // up-to-date result. SetWindowPos( Item->Handle, NULL, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, SWP_NOACTIVATE | SWP_NOZORDER ); } } Item->LayoutNumber = Manager->LayoutNumber; } /** * Performs a layout pass for all items managed by the layout manager. * * \param Manager Pointer to the layout manager. */ VOID PhLayoutManagerLayout( _Inout_ PPH_LAYOUT_MANAGER Manager ) { ULONG count = Manager->List->Count; PPH_LAYOUT_ITEM* items = (PPH_LAYOUT_ITEM*)Manager->List->Items; Manager->LayoutNumber++; if (!PhGetClientRect(Manager->RootItem.Handle, &Manager->RootItem.Rect)) return; PhGetSizeDpiValue(&Manager->RootItem.Rect, Manager->WindowDpi, FALSE); // BeginDeferWindowPos before the child items are laid out. for (ULONG i = 0; i < count; i++) { PhpLayoutItemLayout(Manager, items[i]); } // EndDeferWindowPos after all child items are laid out. for (ULONG i = 0; i < count; i++) { PPH_LAYOUT_ITEM item = items[i]; if (item->DeferHandle) { EndDeferWindowPos(item->DeferHandle); item->DeferHandle = NULL; } if (item->Anchor & PH_LAYOUT_FORCE_INVALIDATE) { InvalidateRect(item->Handle, NULL, FALSE); } } if (Manager->RootItem.DeferHandle) { EndDeferWindowPos(Manager->RootItem.DeferHandle); Manager->RootItem.DeferHandle = NULL; } } /** * Updates the layout manager's DPI value. * * If WindowDpi is non-zero it is used directly; otherwise the DPI for the * manager's root window is queried. * * \param Manager Pointer to the layout manager. * \param WindowDpi New DPI value or 0 to query the root window DPI. */ VOID PhLayoutManagerUpdate( _Inout_ PPH_LAYOUT_MANAGER Manager, _In_ LONG WindowDpi ) { if (WindowDpi) Manager->WindowDpi = WindowDpi; else Manager->WindowDpi = PhGetWindowDpi(Manager->RootItem.Handle); } /** * Window property context hashtable equality function. * * Compares two PH_WINDOW_PROPERTY_CONTEXT entries for equality by * comparing the window handle and property hash. * * \param Entry1 First entry pointer. * \param Entry2 Second entry pointer. * \return TRUE if the entries are equal, otherwise FALSE. */ _Use_decl_annotations_ BOOLEAN NTAPI PhpWindowContextHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_WINDOW_PROPERTY_CONTEXT entry1 = Entry1; PPH_WINDOW_PROPERTY_CONTEXT entry2 = Entry2; return entry1->WindowHandle == entry2->WindowHandle && entry1->PropertyHash == entry2->PropertyHash; } /** * Window property context hashtable hash function. * * Produces a hash for a PH_WINDOW_PROPERTY_CONTEXT entry by combining * the window handle and the property hash to produce an unsigned value. * * \param Entry Entry pointer. * \return Computed hash value. */ _Use_decl_annotations_ ULONG NTAPI PhpWindowContextHashtableHashFunction( _In_ PVOID Entry ) { PPH_WINDOW_PROPERTY_CONTEXT entry = Entry; return PhHashIntPtr((ULONG_PTR)entry->WindowHandle) ^ entry->PropertyHash; // PhHashInt32 } VOID NTAPI PhWindowFlsCallback( _In_ PVOID FlsData ) { PPH_HASHTABLE hashtable = (PPH_HASHTABLE)FlsData; PhClearReference(&hashtable); } /** * Returns or creates the per-thread window-context hashtable stored in FLS. * * If the hashtable does not exist for the current thread it is created and * stored in the thread's FLS slot. On failure the function will fail-fast. * * \return Pointer to the per-thread PPH_HASHTABLE. */ static PPH_HASHTABLE PhGetWindowContextHashTable( VOID ) { PPH_HASHTABLE hashtable; if (hashtable = FlsGetValue(WindowCallbackFlsIndex)) return hashtable; hashtable = PhCreateHashtable( sizeof(PH_WINDOW_PROPERTY_CONTEXT), PhpWindowContextHashtableEqualFunction, PhpWindowContextHashtableHashFunction, 5 ); if (!FlsSetValue(WindowCallbackFlsIndex, hashtable)) { PhShowStatus(NULL, L"Unable to create the window context.", 0, PhGetLastError()); RtlFailFast(FAST_FAIL_INVALID_FLS_DATA); } return hashtable; } /** * Retrieves a stored context pointer for a window and property hash. * * \param WindowHandle The window handle. * \param PropertyHash The property hash key. * \return The stored context pointer, or NULL if not found. */ PVOID PhGetWindowContext( _In_ HWND WindowHandle, _In_ ULONG PropertyHash ) { PH_WINDOW_PROPERTY_CONTEXT lookupEntry; PPH_WINDOW_PROPERTY_CONTEXT entry; lookupEntry.WindowHandle = WindowHandle; lookupEntry.PropertyHash = PropertyHash; entry = PhFindEntryHashtable(PhGetWindowContextHashTable(), &lookupEntry); if (entry) return entry->Context; else return NULL; } /** * Stores a window context value associated with a property hash. * * If an entry for the given window/property pair already exists it will be * updated by PhAddEntryHashtable semantics. * * \param WindowHandle The window handle. * \param PropertyHash The property hash key. * \param Context The context pointer to store. */ VOID PhSetWindowContext( _In_ HWND WindowHandle, _In_ ULONG PropertyHash, _In_ PVOID Context ) { PH_WINDOW_PROPERTY_CONTEXT entry; memset(&entry, 0, sizeof(PH_WINDOW_PROPERTY_CONTEXT)); entry.WindowHandle = WindowHandle; entry.PropertyHash = PropertyHash; entry.Context = Context; PhAddEntryHashtable(PhGetWindowContextHashTable(), &entry); } /** * Removes a stored window context entry. * * \param WindowHandle The window handle. * \param PropertyHash The property hash key to remove. */ VOID PhRemoveWindowContext( _In_ HWND WindowHandle, _In_ ULONG PropertyHash ) { PH_WINDOW_PROPERTY_CONTEXT lookupEntry; lookupEntry.WindowHandle = WindowHandle; lookupEntry.PropertyHash = PropertyHash; PhRemoveEntryHashtable(PhGetWindowContextHashTable(), &lookupEntry); } typedef struct _PH_WINDOW_ENUM_CONTEXT { _Function_class_(PH_WINDOW_ENUM_CALLBACK) _In_ PPH_WINDOW_ENUM_CALLBACK Callback; _In_opt_ PVOID Context; BOOLEAN StopSearch; } PH_WINDOW_ENUM_CONTEXT, *PPH_WINDOW_ENUM_CONTEXT; static BOOL CALLBACK PhEnumWindowsCallback( _In_ HWND WindowHandle, _In_opt_ LPARAM Context ) { PPH_WINDOW_ENUM_CONTEXT context = (PPH_WINDOW_ENUM_CONTEXT)Context; if (context->Callback(WindowHandle, context->Context)) return TRUE; context->StopSearch = TRUE; // Note: If EnumWindowsProc returns zero, the return value is also zero. // The callback should call SetLastError, but we can check StopSearch (dmex) return FALSE; } /** * Enumerates all top-level windows on the screen. * * \param Callback The callback function to be called for each child window. * \param Context An optional context parameter to be passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumWindows( _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ) { PH_WINDOW_ENUM_CONTEXT context; memset(&context, 0, sizeof(PH_WINDOW_ENUM_CONTEXT)); context.Callback = Callback; context.Context = Context; if (EnumWindows(PhEnumWindowsCallback, (LPARAM)&context) || context.StopSearch) return STATUS_SUCCESS; return PhGetLastWin32ErrorAsNtStatus(); } /** * Enumerates windows using FindWindowEx. * This function enumerates windows that EnumWindows may miss, such as UWP/Metro apps. * * \param ParentWindow The parent window to enumerate children of. If NULL, enumerates all top-level windows. * \param Callback The callback function to be called for each window. * \param Context An optional context parameter to be passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumWindowsEx( _In_opt_ HWND ParentWindow, _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ) { HWND windowHandle = NULL; ULONG i = 0; while (i < 0x8000 && (windowHandle = FindWindowEx(ParentWindow, windowHandle, NULL, NULL))) { if (!Callback(windowHandle, Context)) return STATUS_SUCCESS; i++; } return STATUS_SUCCESS; } /** * Walks the window chain using GetWindow, enumerating windows in their exact Z-order. * This is a flexible function that can enumerate windows using any command: * * - GW_HWNDFIRST - First sibling * - GW_HWNDLAST - Last sibling * - GW_HWNDNEXT - Next sibling * - GW_HWNDPREV - Previous sibling * - GW_OWNER - Owner window * - GW_CHILD - First child * * Usage example: * * // Enumerate all siblings of a window * PhEnumGetWindow(hwnd, GW_HWNDNEXT, 1000, MyCallback, context); * * // Enumerate children * PhEnumGetWindow(hwnd, GW_CHILD, 1000, MyCallback, context); * * \param StartWindow The window to start enumeration from. If NULL, starts with the first top-level window. * \param Command The GetWindow command (GW_HWNDFIRST, GW_HWNDLAST, GW_HWNDNEXT, GW_HWNDPREV, GW_OWNER, GW_CHILD). * \param Callback The callback function to be called for each window. * \param Context An optional context parameter to be passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumGetWindow( _In_opt_ HWND StartWindow, _In_ ULONG Command, _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ) { HWND windowHandle; ULONG i = 0; if (StartWindow) { windowHandle = StartWindow; } else { // Get the first window if StartWindow is NULL windowHandle = GetWindow(GetDesktopWindow(), GW_CHILD); } if (!windowHandle) { return STATUS_SUCCESS; } while (i < 0x8000 && windowHandle) { HWND nextWindow; if (!Callback(windowHandle, Context)) break; // Get the next window before incrementing, in case callback modifies window nextWindow = GetWindow(windowHandle, Command); // Break if we've looped back to the start (shouldn't happen but safety check) if (nextWindow == StartWindow || (i > 0 && nextWindow == windowHandle)) break; windowHandle = nextWindow; i++; } return STATUS_SUCCESS; } /** * Enumerates all top-level windows in Z-order (top to bottom). * This is a convenience wrapper around PhEnumGetWindow that enumerates top-level windows. * * \param Callback The callback function to be called for each window. * \param Context An optional context parameter to be passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumWindowsZOrder( _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ) { HWND windowHandle; ULONG i = 0; // Get the first top-level window windowHandle = GetWindow(GetDesktopWindow(), GW_CHILD); if (!windowHandle) { return STATUS_SUCCESS; } // Enumerate all top-level windows in Z-order while (i < 0x8000 && windowHandle) { HWND nextWindow; if (!Callback(windowHandle, Context)) return STATUS_SUCCESS; nextWindow = GetWindow(windowHandle, GW_HWNDNEXT); windowHandle = nextWindow; i++; } return STATUS_SUCCESS; } /** * Enumerates the child windows of the specified window handle. * * \param WindowHandle The handle of the parent window. * \param Callback The callback function to be called for each child window. * \param Context An optional context parameter to be passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumChildWindows( _In_opt_ HWND WindowHandle, _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ) { PH_WINDOW_ENUM_CONTEXT context; memset(&context, 0, sizeof(PH_WINDOW_ENUM_CONTEXT)); context.Callback = Callback; context.Context = Context; if (EnumChildWindows(WindowHandle, PhEnumWindowsCallback, (LPARAM)&context)) return STATUS_SUCCESS; //HWND childWindow = NULL; //ULONG i = 0; // //while (i < Limit && (childWindow = FindWindowEx(WindowHandle, childWindow, NULL, NULL))) //{ // if (!Callback(childWindow, Context)) // return; // // i++; //} // Note: EnumChildWindows doesn't support GetLastError. (dmex) return STATUS_UNSUCCESSFUL; } /** * Builds a list of window handles and returns a pointer to a contiguous array of HWND values. * * \param DesktopHandle Optional desktop handle. If NULL, the current desktop is used. * \param ParentWindowHandle Optional parent window handle. If NULL, enumerates top-level windows. * \param IncludeChildren When TRUE, includes child windows in the result list. * \param ExcludeImmersive When TRUE, excludes immersive (UWP/Metro) windows. * \param ThreadId Optional GUI thread identifier to filter results. If NULL, windows from all threads are returned. * \param NumberOfHandles Receives the number of HWND entries in \a Handles. * \param Handles Receives a pointer to an array of HWND values. The caller must free the returned buffer using PhFree(). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhBuildHwndList( _In_opt_ HANDLE DesktopHandle, _In_opt_ HWND ParentWindowHandle, _In_ BOOLEAN IncludeChildren, _In_ BOOLEAN ExcludeImmersive, _In_opt_ HANDLE ThreadId, _Out_ PULONG NumberOfHandles, _Outptr_result_buffer_(*NumberOfHandles) HWND** Handles ) { NTSTATUS status; PVOID buffer = NULL; ULONG bufferSize = 0x1000; ULONG returnLength = 0; if (!NtUserBuildHwndList_Import()) return STATUS_PROCEDURE_NOT_FOUND; buffer = PhAllocate(bufferSize); while (TRUE) { status = NtUserBuildHwndList_Import()( DesktopHandle, ParentWindowHandle, IncludeChildren, ExcludeImmersive, HandleToUlong(ThreadId), bufferSize, buffer, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); } else { break; } } if (!NT_SUCCESS(status) && status != STATUS_INVALID_HANDLE) { PhFree(buffer); return status; } //if (returnLength < sizeof(HWND) || (returnLength % sizeof(HWND)) != 0) //{ // PhFree(buffer); // return STATUS_INVALID_THREAD; //} *NumberOfHandles = returnLength / sizeof(HWND); *Handles = PTR_ADD_OFFSET(buffer, 0); return STATUS_SUCCESS; } typedef struct _GET_PROCESS_MAIN_WINDOW_CONTEXT { HWND Window; HWND ImmersiveWindow; HANDLE ProcessId; BOOLEAN IsImmersive; BOOLEAN SkipInvisible; } GET_PROCESS_MAIN_WINDOW_CONTEXT, *PGET_PROCESS_MAIN_WINDOW_CONTEXT; _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhpGetProcessMainWindowEnumWindowsProc( _In_ HWND WindowHandle, _In_ PVOID Context ) { PGET_PROCESS_MAIN_WINDOW_CONTEXT context = (PGET_PROCESS_MAIN_WINDOW_CONTEXT)Context; CLIENT_ID clientId; WINDOWINFO windowInfo; if (context->SkipInvisible && !IsWindowVisible(WindowHandle)) return TRUE; if (!NT_SUCCESS(PhGetWindowClientId(WindowHandle, &clientId))) return TRUE; //if (UlongToHandle(processId) == context->ProcessId && (context->SkipInvisible ? // !((parentWindow = GetParent(WindowHandle)) && IsWindowVisible(parentWindow)) && // skip windows with a visible parent // PhGetWindowTextEx(WindowHandle, PH_GET_WINDOW_TEXT_INTERNAL | PH_GET_WINDOW_TEXT_LENGTH_ONLY, NULL) != 0 : TRUE)) // skip windows with no title if (clientId.UniqueProcess == context->ProcessId) { if (!context->ImmersiveWindow && context->IsImmersive && GetProp(WindowHandle, L"Windows.ImmersiveShell.IdentifyAsMainCoreWindow")) { context->ImmersiveWindow = WindowHandle; } windowInfo.cbSize = sizeof(WINDOWINFO); if (!context->Window && GetWindowInfo(WindowHandle, &windowInfo) && (windowInfo.dwStyle & WS_DLGFRAME)) { context->Window = WindowHandle; // If we're not looking at an immersive process, there's no need to search any more windows. if (!context->IsImmersive) return FALSE; } } return TRUE; } HWND PhGetProcessMainWindow( _In_opt_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle ) { return PhGetProcessMainWindowEx(ProcessId, ProcessHandle, TRUE); } HWND PhGetProcessMainWindowEx( _In_opt_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ BOOLEAN SkipInvisible ) { GET_PROCESS_MAIN_WINDOW_CONTEXT context; HANDLE processHandle = NULL; memset(&context, 0, sizeof(GET_PROCESS_MAIN_WINDOW_CONTEXT)); context.ProcessId = ProcessId; context.SkipInvisible = SkipInvisible; if (ProcessHandle) processHandle = ProcessHandle; else PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId); if (processHandle && WindowsVersion >= WINDOWS_8) context.IsImmersive = PhIsImmersiveProcess(processHandle); PhEnumWindows(PhpGetProcessMainWindowEnumWindowsProc, &context); //PhEnumChildWindows(NULL, 0x800, PhpGetProcessMainWindowEnumWindowsProc, &context); if (!ProcessHandle && processHandle) NtClose(processHandle); return context.ImmersiveWindow ? context.ImmersiveWindow : context.Window; } ULONG PhGetDialogItemValue( _In_ HWND WindowHandle, _In_ LONG ControlID ) { ULONG64 controlValue = 0; HWND controlHandle; PPH_STRING controlText; if (controlHandle = GetDlgItem(WindowHandle, ControlID)) { if (controlText = PhGetWindowText(controlHandle)) { PhStringToInteger64(&controlText->sr, 10, &controlValue); PhDereferenceObject(controlText); } } return (ULONG)controlValue; } /** * Sets the text of a control in a dialog box to the string representation of a specified integer value. * * \param WindowHandle The handle of the parent window. * \param ControlID The control to be changed. * \param Value The integer value used to generate the item text. * \param Signed Indicates whether the Value parameter is signed or unsigned. */ VOID PhSetDialogItemValue( _In_ HWND WindowHandle, _In_ LONG ControlID, _In_ ULONG Value, _In_ BOOLEAN Signed ) { HWND controlHandle; WCHAR valueString[PH_INT32_STR_LEN_1]; if (Signed) PhPrintInt32(valueString, (LONG)Value); else PhPrintUInt32(valueString, Value); if (controlHandle = GetDlgItem(WindowHandle, ControlID)) { PhSetWindowText(controlHandle, valueString); } } /** * Sets the title or text of a control in a dialog box. * * \param WindowHandle The handle of the parent window. * \param ControlID The control with a title or text to be set. * \param WindowText The text to be copied to the control. */ BOOLEAN PhSetDialogItemText( _In_ HWND WindowHandle, _In_ LONG ControlID, _In_ PCWSTR WindowText ) { HWND controlHandle; if (controlHandle = GetDlgItem(WindowHandle, ControlID)) { if (PhSetWindowText(controlHandle, WindowText)) return TRUE; } return FALSE; } /** * Sets the title or text of a control. * * \param WindowHandle The handle of the parent window. * \param WindowText The text to be copied to the control. */ BOOLEAN PhSetWindowText( _In_ HWND WindowHandle, _In_ PCWSTR WindowText ) { ULONG_PTR result = 0; if (SendMessageTimeout( WindowHandle, WM_SETTEXT, 0, (LPARAM)WindowText, SMTO_ABORTIFHUNG | SMTO_BLOCK, 1000, &result ) && result > 0) { return TRUE; } //if (SendMessage(WindowHandle, WM_SETTEXT, 0, (LPARAM)WindowText) > 0) //{ // return TRUE; //} //if (DefWindowProc(WindowHandle, WM_SETTEXT, 0, (LPARAM)WindowText) > 0) //{ // return TRUE; //} return FALSE; } VOID PhSetGroupBoxText( _In_ HWND WindowHandle, _In_ PCWSTR WindowText ) { // Suspend the groupbox when setting the text otherwise // the groupbox doesn't paint the text with dark theme colors. (dmex) SendMessage(WindowHandle, WM_SETREDRAW, FALSE, 0); PhSetWindowText(WindowHandle, WindowText); SendMessage(WindowHandle, WM_SETREDRAW, TRUE, 0); InvalidateRect(WindowHandle, NULL, FALSE); } VOID PhSetWindowAlwaysOnTop( _In_ HWND WindowHandle, _In_ BOOLEAN AlwaysOnTop ) { SetFocus(WindowHandle); // HACK - SetWindowPos doesn't work properly without this (wj32) SetWindowPos( WindowHandle, AlwaysOnTop ? HWND_TOPMOST : HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE ); } _Success_(return) BOOLEAN PhSendMessageTimeout( _In_ HWND WindowHandle, _In_ ULONG WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ ULONG Timeout, _Out_opt_ PULONG_PTR Result ) { ULONG_PTR result = 0; if (SendMessageTimeout( WindowHandle, WindowMessage, wParam, lParam, SMTO_ABORTIFHUNG | SMTO_BLOCK, Timeout, &result ) && result > 0) { if (Result) { *Result = result; } return TRUE; } return FALSE; } /** * Window-callback registration equality function. * * Compares two window-callback registration entries by window handle. * * \param Entry1 First entry pointer. * \param Entry2 Second entry pointer. * \return TRUE if the window handles match, otherwise FALSE. */ _Use_decl_annotations_ BOOLEAN NTAPI PhpWindowCallbackHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { return ((PPH_PLUGIN_WINDOW_CALLBACK_REGISTRATION)Entry1)->WindowHandle == ((PPH_PLUGIN_WINDOW_CALLBACK_REGISTRATION)Entry2)->WindowHandle; } /** * Window-callback registration hash function. * * Returns a hash derived from the window handle member of the registration. * * \param Entry Entry pointer. * \return Computed hash value. */ _Use_decl_annotations_ ULONG NTAPI PhpWindowCallbackHashtableHashFunction( _In_ PVOID Entry ) { return PhHashIntPtr((ULONG_PTR)((PPH_PLUGIN_WINDOW_CALLBACK_REGISTRATION)Entry)->WindowHandle); } VOID PhRegisterWindowCallback( _In_ HWND WindowHandle, _In_ PH_PLUGIN_WINDOW_EVENT_TYPE Type, _In_opt_ PVOID Context ) { PH_PLUGIN_WINDOW_CALLBACK_REGISTRATION entry; entry.WindowHandle = WindowHandle; entry.Type = Type; switch (Type) // HACK { case PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST: if (PhGetIntegerSetting(L"MainWindowAlwaysOnTop")) PhSetWindowAlwaysOnTop(WindowHandle, TRUE); break; } PhAcquireQueuedLockExclusive(&WindowCallbackListLock); PhAddEntryHashtable(WindowCallbackHashTable, &entry); PhReleaseQueuedLockExclusive(&WindowCallbackListLock); } VOID PhUnregisterWindowCallback( _In_ HWND WindowHandle ) { PH_PLUGIN_WINDOW_CALLBACK_REGISTRATION lookupEntry; PPH_PLUGIN_WINDOW_CALLBACK_REGISTRATION entry; lookupEntry.WindowHandle = WindowHandle; PhAcquireQueuedLockExclusive(&WindowCallbackListLock); entry = PhFindEntryHashtable(WindowCallbackHashTable, &lookupEntry); assert(entry); PhRemoveEntryHashtable(WindowCallbackHashTable, entry); PhReleaseQueuedLockExclusive(&WindowCallbackListLock); } VOID PhWindowNotifyTopMostEvent( _In_ BOOLEAN TopMost ) { PPH_PLUGIN_WINDOW_CALLBACK_REGISTRATION entry; ULONG i = 0; PhAcquireQueuedLockExclusive(&WindowCallbackListLock); while (PhEnumHashtable(WindowCallbackHashTable, &entry, &i)) { if (entry->Type & PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST) { PhSetWindowAlwaysOnTop(entry->WindowHandle, TopMost); } } PhReleaseQueuedLockExclusive(&WindowCallbackListLock); } /** * Retrieves the environment variables for the specified user. * * \param Environment A pointer to the new environment block. * \param TokenHandle Token to query for user environment variables. * If this is a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. * If the token is an impersonation token, it must have TOKEN_QUERY access. * If this parameter is NULL, the returned environment block contains system variables only. * \param Inherit Specifies whether to inherit variables from the current process' environment. If this value is TRUE, the process inherits the current process' environment. * \return A pointer to the imported procedure, or NULL if the procedure could not be imported. * \remarks User-specific environment variables such as %USERPROFILE% are set only when the user's profile is loaded. To load a user's profile, call the LoadUserProfile function. */ NTSTATUS PhCreateEnvironmentBlock( _Out_ PVOID* Environment, _In_opt_ HANDLE TokenHandle, _In_ BOOLEAN Inherit ) { //#include //HANDLE profileHandle; // //if (TokenHandle) //{ // PROFILEINFO profileInfo = { sizeof(PROFILEINFO) }; // LoadUserProfile(TokenHandle, &profileInfo); // profileHandle = profileInfo.hProfile; //} *Environment = NULL; if (CreateEnvironmentBlock_Import()(Environment, TokenHandle, Inherit)) { return STATUS_SUCCESS; } //if (TokenHandle && profileHandle) //{ // UnloadUserProfile(TokenHandle, profileHandle); //} return PhGetLastWin32ErrorAsNtStatus(); } /** * Frees environment variables created by the CreateEnvironmentBlock function. * * \param Environment A pointer to the new environment block. */ VOID PhDestroyEnvironmentBlock( _In_ _Post_invalid_ PVOID Environment ) { DestroyEnvironmentBlock_Import()(Environment); } _Success_(return) BOOLEAN PhRegenerateUserEnvironment( _Out_opt_ PVOID* NewEnvironment, _In_ BOOLEAN UpdateCurrentEnvironment ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOL (WINAPI *RegenerateUserEnvironment_I)( _Out_ PVOID* NewEnvironment, _In_ BOOL UpdateCurrentEnvironment ) = NULL; PVOID environment; if (PhBeginInitOnce(&initOnce)) { PVOID shell32Handle; if (shell32Handle = PhLoadLibrary(L"shell32.dll")) { RegenerateUserEnvironment_I = PhGetDllBaseProcedureAddress(shell32Handle, "RegenerateUserEnvironment", 0); } PhEndInitOnce(&initOnce); } if (!RegenerateUserEnvironment_I) return FALSE; if (RegenerateUserEnvironment_I(&environment, UpdateCurrentEnvironment)) { if (NewEnvironment) { *NewEnvironment = environment; } else { if (DestroyEnvironmentBlock_Import() && !UpdateCurrentEnvironment) { DestroyEnvironmentBlock_Import()(environment); } } return TRUE; } return FALSE; } HICON PhGetInternalWindowIcon( _In_ HWND WindowHandle, _In_ UINT Type ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HICON (WINAPI *InternalGetWindowIcon_I)( _In_ HWND WindowHandle, _In_ ULONG Type ) = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID shell32Handle; if (shell32Handle = PhLoadLibrary(L"shell32.dll")) { InternalGetWindowIcon_I = PhGetDllBaseProcedureAddress(shell32Handle, "InternalGetWindowIcon", 0); } PhEndInitOnce(&initOnce); } if (!InternalGetWindowIcon_I) return NULL; return InternalGetWindowIcon_I(WindowHandle, Type); } BOOLEAN PhIsImmersiveProcess( _In_ HANDLE ProcessHandle ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&IsImmersiveProcess) IsImmersiveProcess_I = NULL; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_8) IsImmersiveProcess_I = PhGetDllProcedureAddressZ(L"user32.dll", "IsImmersiveProcess", 0); PhEndInitOnce(&initOnce); } if (!IsImmersiveProcess_I) return FALSE; return !!IsImmersiveProcess_I(ProcessHandle); } _Success_(return) BOOLEAN PhGetProcessUIContextInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_UICONTEXT_INFORMATION UIContext ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&GetProcessUIContextInformation) GetProcessUIContextInformation_I = NULL; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_8) GetProcessUIContextInformation_I = PhGetDllProcedureAddressZ(L"user32.dll", "GetProcessUIContextInformation", 0); PhEndInitOnce(&initOnce); } if (!GetProcessUIContextInformation_I) return FALSE; return !!GetProcessUIContextInformation_I(ProcessHandle, UIContext); } _Success_(return) BOOLEAN PhGetProcessDpiAwareness( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_DPI_AWARENESS ProcessDpiAwareness ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&GetDpiAwarenessContextForProcess) GetDpiAwarenessContextForProcess_I = NULL; static typeof(&AreDpiAwarenessContextsEqual) AreDpiAwarenessContextsEqual_I = NULL; static BOOL (WINAPI* GetProcessDpiAwarenessInternal_I)(_In_ HANDLE hprocess, _Out_ PROCESS_DPI_AWARENESS* value) = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhGetLoaderEntryDllBaseZ(L"user32.dll")) { if (WindowsVersion >= WINDOWS_10_RS1) { GetDpiAwarenessContextForProcess_I = PhGetDllBaseProcedureAddress(baseAddress, "GetDpiAwarenessContextForProcess", 0); AreDpiAwarenessContextsEqual_I = PhGetDllBaseProcedureAddress(baseAddress, "AreDpiAwarenessContextsEqual", 0); } if (!(GetDpiAwarenessContextForProcess_I && AreDpiAwarenessContextsEqual_I)) { GetProcessDpiAwarenessInternal_I = PhGetDllBaseProcedureAddress(baseAddress, "GetProcessDpiAwarenessInternal", 0); } } PhEndInitOnce(&initOnce); } if (GetDpiAwarenessContextForProcess_I && AreDpiAwarenessContextsEqual_I) { DPI_AWARENESS_CONTEXT context = GetDpiAwarenessContextForProcess_I(ProcessHandle); if (AreDpiAwarenessContextsEqual_I(context, DPI_AWARENESS_CONTEXT_UNAWARE)) { *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_UNAWARE; return TRUE; } if (AreDpiAwarenessContextsEqual_I(context, DPI_AWARENESS_CONTEXT_SYSTEM_AWARE)) { *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_SYSTEM_DPI_AWARE; return TRUE; } if (AreDpiAwarenessContextsEqual_I(context, DPI_AWARENESS_CONTEXT_PER_MONITOR_AWARE)) { *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_PER_MONITOR_DPI_AWARE; return TRUE; } if (AreDpiAwarenessContextsEqual_I(context, DPI_AWARENESS_CONTEXT_PER_MONITOR_AWARE_V2)) { *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_PER_MONITOR_AWARE_V2; return TRUE; } if (AreDpiAwarenessContextsEqual_I(context, DPI_AWARENESS_CONTEXT_UNAWARE_GDISCALED)) { *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_UNAWARE_GDISCALED; return TRUE; } } if (GetProcessDpiAwarenessInternal_I) { PROCESS_DPI_AWARENESS dpiAwareness = PROCESS_DPI_UNAWARE; if (GetProcessDpiAwarenessInternal_I(ProcessHandle, &dpiAwareness)) { switch (dpiAwareness) { case PROCESS_DPI_UNAWARE: *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_UNAWARE; return TRUE; case PROCESS_SYSTEM_DPI_AWARE: *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_SYSTEM_DPI_AWARE; return TRUE; case PROCESS_PER_MONITOR_DPI_AWARE: *ProcessDpiAwareness = PH_PROCESS_DPI_AWARENESS_PER_MONITOR_DPI_AWARE; return TRUE; } } } return FALSE; } NTSTATUS PhGetPhysicallyInstalledSystemMemory( _Out_ PULONGLONG TotalMemory, _Out_ PULONGLONG ReservedMemory ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&GetPhysicallyInstalledSystemMemory) GetPhysicallyInstalledSystemMemory_I = NULL; ULONGLONG physicallyInstalledSystemMemory = 0; if (PhBeginInitOnce(&initOnce)) { GetPhysicallyInstalledSystemMemory_I = PhGetDllProcedureAddressZ(L"kernel32.dll", "GetPhysicallyInstalledSystemMemory", 0); PhEndInitOnce(&initOnce); } if (!GetPhysicallyInstalledSystemMemory_I) { return STATUS_PROCEDURE_NOT_FOUND; } if (GetPhysicallyInstalledSystemMemory_I(&physicallyInstalledSystemMemory)) { *TotalMemory = physicallyInstalledSystemMemory * 1024ULL; *ReservedMemory = physicallyInstalledSystemMemory * 1024ULL - UInt32x32To64(PhSystemBasicInformation.NumberOfPhysicalPages, PAGE_SIZE); return STATUS_SUCCESS; } *TotalMemory = 0; *ReservedMemory = 0; return PhGetLastWin32ErrorAsNtStatus(); } /** * Retrieves the GUI resources used by a session. * * \param Flags The flags to be used for retrieving the GUI resources. * \param Total Pointer to a variable that will receive the total number of GUI resources. * \return Returns the status code indicating the success or failure of the operation. */ NTSTATUS PhGetSessionGuiResources( _In_ ULONG Flags, _Out_ PULONG Total ) { return PhGetProcessGuiResources(GR_GLOBAL, Flags, Total); } /** * Retrieves the GUI resources used by a process. * * \param ProcessHandle The handle to the process for which to retrieve the GUI resources. * \param Flags The flags to be used for retrieving the GUI resources. * \param Total Pointer to a variable that will receive the total number of GUI resources. * \return Returns the status code indicating the success or failure of the operation. */ NTSTATUS PhGetProcessGuiResources( _In_ HANDLE ProcessHandle, _In_ ULONG Flags, _Out_ PULONG Total ) { if (*Total = GetGuiResources(ProcessHandle, Flags)) return STATUS_SUCCESS; return PhGetLastWin32ErrorAsNtStatus(); } /** * Retrieves information about the active window or a specified GUI thread. * * \param ThreadId The identifier for the thread for which information is to be retrieved. If this parameter is NULL, the function returns information for the foreground thread. * \param ThreadInfo A pointer to a GUITHREADINFO structure that receives information describing the thread. * \return Returns the status code indicating the success or failure of the operation. */ NTSTATUS PhGetGUIThreadInfo( _In_opt_ HANDLE ThreadId, _Out_ PGUITHREADINFO ThreadInfo ) { ThreadInfo->cbSize = sizeof(GUITHREADINFO); if (GetGUIThreadInfo(HandleToUlong(ThreadId), ThreadInfo)) { return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } BOOLEAN PhGetThreadWin32Thread( _In_ HANDLE ThreadId ) { GUITHREADINFO info; return NT_SUCCESS(PhGetGUIThreadInfo(ThreadId, &info)); } NTSTATUS PhGetSendMessageReceiver( _In_ HANDLE ThreadId, _Out_ HWND *WindowHandle ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&GetSendMessageReceiver) GetSendMessageReceiver_I = NULL; HWND windowHandle; // GetSendMessageReceiver is an undocumented function exported by // user32.dll. It retrieves the handle of the window which a thread // is sending a message to. (wj32) if (PhBeginInitOnce(&initOnce)) { GetSendMessageReceiver_I = PhGetDllProcedureAddressZ(L"user32.dll", "GetSendMessageReceiver", 0); PhEndInitOnce(&initOnce); } if (!GetSendMessageReceiver_I) { return STATUS_PROCEDURE_NOT_FOUND; } if (windowHandle = GetSendMessageReceiver_I(ThreadId)) { *WindowHandle = windowHandle; return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } // rev from ExtractIconExW _Success_(return) BOOLEAN PhExtractIcon( _In_ PCWSTR FileName, _Out_opt_ HICON *IconLarge, _Out_opt_ HICON *IconSmall ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static LONG (WINAPI *PrivateExtractIconExW)( _In_ PCWSTR FileName, _In_ LONG IconIndex, _Out_opt_ HICON* IconLarge, _Out_opt_ HICON* IconSmall, _In_ LONG IconCount ) = NULL; HICON iconLarge = NULL; HICON iconSmall = NULL; if (PhBeginInitOnce(&initOnce)) { PrivateExtractIconExW = PhGetDllProcedureAddressZ(L"user32.dll", "PrivateExtractIconExW", 0); PhEndInitOnce(&initOnce); } if (!PrivateExtractIconExW) return FALSE; if (PrivateExtractIconExW( FileName, 0, IconLarge ? &iconLarge : NULL, IconSmall ? &iconSmall : NULL, 1 ) > 0) { if (IconLarge) *IconLarge = iconLarge; if (IconSmall) *IconSmall = iconSmall; return TRUE; } if (iconLarge) DestroyIcon(iconLarge); if (iconSmall) DestroyIcon(iconSmall); return FALSE; } #ifndef MAKEFOURCC #define MAKEFOURCC(ch0, ch1, ch2, ch3) \ ((ULONG)(BYTE)(ch0) | ((ULONG)(BYTE)(ch1) << 8) | \ ((ULONG)(BYTE)(ch2) << 16) | ((ULONG)(BYTE)(ch3) << 24 )) #endif // https://docs.microsoft.com/en-us/windows/win32/menurc/newheader // One or more RESDIR structures immediately follow the NEWHEADER structure. typedef struct _NEWHEADER { USHORT Reserved; USHORT ResourceType; USHORT ResourceCount; } NEWHEADER, *PNEWHEADER; /** * Creates an icon handle from a resource directory within a mapped image. * * \param MappedImage Pointer to a mapped image structure containing the resource data. * \param ResourceDirectory Pointer to the resource directory within the mapped image. * \param IconDirectory Pointer to the icon directory structure. * \param Width The desired width of the icon in pixels. * \param Height The desired height of the icon in pixels. * \param Flags Flags that control the icon creation behavior. * \param IconHandle Pointer to an HICON variable that receives the handle to the created icon. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateIconFromResourceDirectory( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PVOID ResourceDirectory, _In_ PVOID IconDirectory, _In_ LONG Width, _In_ LONG Height, _In_ ULONG Flags, _Out_ HICON* IconHandle ) { NTSTATUS status; HICON iconHandle; LONG iconResourceId; ULONG iconResourceLength; PVOID iconResourceBuffer; if (!(iconResourceId = LookupIconIdFromDirectoryEx( IconDirectory, TRUE, Width, Height, Flags ))) { return PhGetLastWin32ErrorAsNtStatus(); } status = PhGetMappedImageResourceIndex( MappedImage, ResourceDirectory, -iconResourceId, RT_ICON, &iconResourceLength, &iconResourceBuffer ); if (!NT_SUCCESS(status)) return status; if ( ((PBITMAPINFOHEADER)iconResourceBuffer)->biSize != sizeof(BITMAPINFOHEADER) && ((PBITMAPCOREHEADER)iconResourceBuffer)->bcSize != sizeof(BITMAPCOREHEADER) && ((PBITMAPCOREHEADER)iconResourceBuffer)->bcSize != MAKEFOURCC(137, 'P', 'N', 'G') && ((PBITMAPCOREHEADER)iconResourceBuffer)->bcSize != MAKEFOURCC('J', 'P', 'E', 'G') ) { return STATUS_RESOURCE_TYPE_NOT_FOUND; } if (!(iconHandle = CreateIconFromResourceEx( iconResourceBuffer, iconResourceLength, TRUE, 0x30000, Width, Height, Flags ))) { return PhGetLastWin32ErrorAsNtStatus(); } *IconHandle = iconHandle; return STATUS_SUCCESS; } // rev from LdrLoadAlternateResourceModuleEx and GetMunResourceModuleForEnumIfExist (dmex) /** * Retrieves the filename of the \SystemResources\.mun alternate resource (mandatory on 19H1 and later). * * \param FileName A string containing a file name. * \param NativeFileName The type of name format. * \param FilePathType * \param ResourceFileName A pointer to the MUN filename. * \return Successful or errant status. * \remarks LdrLoadAlternateResourceModuleEx and GetMunResourceModuleForEnumIfExist always search the parent directory * and this function has the same logic and semantics. For example: C:\Windows\explorer.exe -> C:\SystemResources\explorer.exe.mun */ NTSTATUS PhGetSystemResourcesFileName( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName, _In_ RTL_PATH_TYPE FilePathType, _Out_ PPH_STRING* ResourceFileName ) { static CONST PH_STRINGREF directoryName = PH_STRINGREF_INIT(L"\\SystemResources\\"); static CONST PH_STRINGREF extensionName = PH_STRINGREF_INIT(L".mun"); PPH_STRING fileName; PH_STRINGREF directoryPart; PH_STRINGREF fileNamePart; PH_STRINGREF baseNamePart; if (WindowsVersion < WINDOWS_10_19H1) return STATUS_UNSUCCESSFUL; if (FilePathType == RtlPathTypeUncAbsolute) return STATUS_OBJECT_PATH_SYNTAX_BAD; if (!PhGetBasePath(FileName, &directoryPart, &fileNamePart)) return STATUS_OBJECT_PATH_INVALID; if (directoryPart.Length && fileNamePart.Length) { if (!PhGetBasePath(&directoryPart, &baseNamePart, NULL)) return STATUS_OBJECT_PATH_INVALID; fileName = PhConcatStringRef4( &baseNamePart, &directoryName, &fileNamePart, &extensionName ); if (NativeFileName) { if (PhDoesFileExist(&fileName->sr)) { *ResourceFileName = fileName; return STATUS_SUCCESS; } } else { if (PhDoesFileExistWin32(PhGetString(fileName))) { *ResourceFileName = fileName; return STATUS_SUCCESS; } } PhClearReference(&fileName); } return STATUS_UNSUCCESSFUL; } /** * Extracts icons from the specified executable file. * * \param FileName A string containing a file name. * \param NativeFileName The type of name format. * \param IconIndex The zero-based index of the icon within the group or a negative number for a specific resource identifier. * \param IconLargeWidth * \param IconLargeHeight * \param IconSmallWidth * \param IconSmallHeight * \param IconLarge A handle to the large icon within the group or handle to the an icon from the resource identifier. * \param IconSmall A handle to the small icon within the group or handle to the an icon from the resource identifier. * \return Successful or errant status. * \remarks Use this function instead of PrivateExtractIconExW() because images are mapped with SEC_COMMIT and READONLY * while PrivateExtractIconExW loads images with EXECUTE and SEC_IMAGE (section allocations and relocation processing). */ NTSTATUS PhExtractIconEx( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName, _In_ LONG IconIndex, _In_ LONG IconLargeWidth, _In_ LONG IconLargeHeight, _In_ LONG IconSmallWidth, _In_ LONG IconSmallHeight, _Out_opt_ HICON *IconLarge, _Out_opt_ HICON *IconSmall ) { NTSTATUS status; HICON iconLarge = NULL; HICON iconSmall = NULL; PPH_STRING resourceFileName = NULL; PH_STRINGREF fileName; PH_MAPPED_IMAGE mappedImage; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_RESOURCE_DIRECTORY resourceDirectory; ULONG iconDirectoryResourceLength; PNEWHEADER iconDirectoryResource; RTL_PATH_TYPE fileNameType; fileNameType = PhDetermineDosPathNameType(FileName); if (!(fileNameType == RtlPathTypeRooted || fileNameType == RtlPathTypeDriveAbsolute)) return STATUS_OBJECT_PATH_SYNTAX_BAD; status = PhGetSystemResourcesFileName( FileName, NativeFileName, fileNameType, &resourceFileName ); if (NT_SUCCESS(status)) { fileName.Buffer = resourceFileName->Buffer; fileName.Length = resourceFileName->Length; } else { fileName.Buffer = FileName->Buffer; fileName.Length = FileName->Length; } if (PhIsNullOrEmptyStringRef(&fileName)) { PhClearReference(&resourceFileName); return FALSE; } __try { if (NativeFileName) { status = PhLoadMappedImageEx( &fileName, NULL, &mappedImage ); } else { status = PhLoadMappedImage( PhGetStringRefZ(&fileName), NULL, &mappedImage ); } if (!NT_SUCCESS(status)) { PhClearReference(&resourceFileName); return FALSE; } status = PhGetMappedImageDataDirectory( &mappedImage, IMAGE_DIRECTORY_ENTRY_RESOURCE, &dataDirectory ); if (!NT_SUCCESS(status)) goto CleanupExit; resourceDirectory = PhMappedImageRvaToVa( &mappedImage, dataDirectory->VirtualAddress, NULL ); if (!resourceDirectory) goto CleanupExit; status = PhGetMappedImageResourceIndex( &mappedImage, resourceDirectory, IconIndex, RT_GROUP_ICON, &iconDirectoryResourceLength, &iconDirectoryResource ); if (!NT_SUCCESS(status)) goto CleanupExit; if (iconDirectoryResource->ResourceType != RES_ICON) goto CleanupExit; if (IconLarge) { status = PhCreateIconFromResourceDirectory( &mappedImage, resourceDirectory, iconDirectoryResource, IconLargeWidth, IconLargeHeight, LR_DEFAULTCOLOR, &iconLarge ); if (!NT_SUCCESS(status)) goto CleanupExit; } if (IconSmall) { status = PhCreateIconFromResourceDirectory( &mappedImage, resourceDirectory, iconDirectoryResource, IconSmallWidth, IconSmallHeight, LR_DEFAULTCOLOR, &iconSmall ); if (!NT_SUCCESS(status)) goto CleanupExit; } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } CleanupExit: PhUnloadMappedImage(&mappedImage); PhClearReference(&resourceFileName); if (IconLarge && IconSmall) { if (iconLarge && iconSmall) { *IconLarge = iconLarge; *IconSmall = iconSmall; return TRUE; } if (iconLarge) DestroyIcon(iconLarge); if (iconSmall) DestroyIcon(iconSmall); return FALSE; } if (IconLarge && iconLarge) { *IconLarge = iconLarge; return TRUE; } if (IconSmall && iconSmall) { *IconSmall = iconSmall; return TRUE; } if (iconLarge) DestroyIcon(iconLarge); if (iconSmall) DestroyIcon(iconSmall); return FALSE; } // Imagelist support HIMAGELIST PhImageListCreate( _In_ LONG Width, _In_ LONG Height, _In_ LONG Flags, _In_ LONG InitialCount, _In_ LONG GrowCount ) { HRESULT status; IImageList2* imageList; status = ImageList_CoCreateInstance( &CLSID_ImageList, NULL, &IID_IImageList2, &imageList ); if (SUCCEEDED(status)) { status = IImageList2_Initialize( imageList, Width, Height, Flags, InitialCount, GrowCount ); } //if (FAILED(status)) //{ // status = ImageList_CoCreateInstance( // &CLSID_ImageList, // NULL, // &IID_IImageList, // &imageList // ); //} if (FAILED(status)) return NULL; return IImageListToHIMAGELIST(imageList); } BOOLEAN PhImageListDestroy( _In_opt_ HIMAGELIST ImageListHandle ) { if (!ImageListHandle) return TRUE; return SUCCEEDED(IImageList2_Release((IImageList2*)ImageListHandle)); } BOOLEAN PhImageListSetImageCount( _In_ HIMAGELIST ImageListHandle, _In_ ULONG Count ) { return SUCCEEDED(IImageList2_SetImageCount((IImageList2*)ImageListHandle, Count)); } BOOLEAN PhImageListGetImageCount( _In_ HIMAGELIST ImageListHandle, _Out_ PLONG Count ) { return SUCCEEDED(IImageList2_GetImageCount((IImageList2*)ImageListHandle, Count)); } BOOLEAN PhImageListSetBkColor( _In_ HIMAGELIST ImageListHandle, _In_ COLORREF BackgroundColor ) { COLORREF previousColor = 0; return SUCCEEDED(IImageList2_SetBkColor( (IImageList2*)ImageListHandle, BackgroundColor, &previousColor )); } LONG PhImageListAddIcon( _In_ HIMAGELIST ImageListHandle, _In_ HICON IconHandle ) { LONG index = INT_ERROR; IImageList2_ReplaceIcon( (IImageList2*)ImageListHandle, INT_ERROR, IconHandle, &index ); return index; } LONG PhImageListAddBitmap( _In_ HIMAGELIST ImageListHandle, _In_ HBITMAP BitmapImage, _In_opt_ HBITMAP BitmapMask ) { LONG index = INT_ERROR; IImageList2_Add( (IImageList2*)ImageListHandle, BitmapImage, BitmapMask, &index ); return index; } BOOLEAN PhImageListRemoveIcon( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index ) { return SUCCEEDED(IImageList2_Remove( (IImageList2*)ImageListHandle, Index )); } HICON PhImageListGetIcon( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ ULONG Flags ) { HICON iconhandle = NULL; IImageList2_GetIcon( (IImageList2*)ImageListHandle, Index, Flags, &iconhandle ); return iconhandle; } BOOLEAN PhImageListGetIconSize( _In_ HIMAGELIST ImageListHandle, _Out_ PLONG cx, _Out_ PLONG cy ) { return SUCCEEDED(IImageList2_GetIconSize( (IImageList2*)ImageListHandle, cx, cy )); } BOOLEAN PhImageListReplace( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ HBITMAP BitmapImage, _In_opt_ HBITMAP BitmapMask ) { return SUCCEEDED(IImageList2_Replace( (IImageList2*)ImageListHandle, Index, BitmapImage, BitmapMask )); } BOOLEAN PhImageListDrawIcon( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ HDC Hdc, _In_ LONG x, _In_ LONG y, _In_ UINT32 Style, _In_ BOOLEAN Disabled ) { return PhImageListDrawEx( ImageListHandle, Index, Hdc, x, y, 0, 0, CLR_DEFAULT, CLR_DEFAULT, Style, Disabled ? ILS_SATURATE : ILS_NORMAL ); } BOOLEAN PhImageListDrawEx( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ HDC Hdc, _In_ LONG x, _In_ LONG y, _In_ LONG dx, _In_ LONG dy, _In_ COLORREF BackColor, _In_ COLORREF ForeColor, _In_ UINT32 Style, _In_ ULONG State ) { IMAGELISTDRAWPARAMS imagelistDraw; memset(&imagelistDraw, 0, sizeof(IMAGELISTDRAWPARAMS)); imagelistDraw.cbSize = sizeof(IMAGELISTDRAWPARAMS); imagelistDraw.himl = ImageListHandle; imagelistDraw.hdcDst = Hdc; imagelistDraw.i = Index; imagelistDraw.x = x; imagelistDraw.y = y; imagelistDraw.cx = dx; imagelistDraw.cy = dy; imagelistDraw.rgbBk = BackColor; imagelistDraw.rgbFg = ForeColor; imagelistDraw.fStyle = Style; imagelistDraw.fState = State; return SUCCEEDED(IImageList2_Draw((IImageList2*)ImageListHandle, &imagelistDraw)); } BOOLEAN PhImageListSetIconSize( _In_ HIMAGELIST ImageListHandle, _In_ LONG cx, _In_ LONG cy ) { return SUCCEEDED(IImageList2_SetIconSize((IImageList2*)ImageListHandle, cx, cy)); } static const PH_FLAG_MAPPING PhpInitiateShutdownMappings[] = { { PH_SHUTDOWN_RESTART, SHUTDOWN_RESTART }, { PH_SHUTDOWN_POWEROFF, SHUTDOWN_POWEROFF }, { PH_SHUTDOWN_INSTALL_UPDATES, SHUTDOWN_INSTALL_UPDATES }, { PH_SHUTDOWN_HYBRID, SHUTDOWN_HYBRID }, { PH_SHUTDOWN_RESTART_BOOTOPTIONS, SHUTDOWN_RESTART_BOOTOPTIONS }, { PH_CREATE_PROCESS_EXTENDED_STARTUPINFO, EXTENDED_STARTUPINFO_PRESENT }, }; ULONG PhInitiateShutdown( _In_ ULONG Flags ) { ULONG status; ULONG newFlags; newFlags = 0; PhMapFlags1(&newFlags, Flags, PhpInitiateShutdownMappings, ARRAYSIZE(PhpInitiateShutdownMappings)); status = InitiateShutdown( NULL, NULL, 0, SHUTDOWN_FORCE_OTHERS | newFlags, SHTDN_REASON_FLAG_PLANNED ); return status; } /** * Sets shutdown parameters for the current process relative to the other processes in the system. * * \param Level The shutdown priority for the current process. * \param Flags Optional flags for terminating the current process. * * \return Successful or errant status. */ BOOLEAN PhSetProcessShutdownParameters( _In_ ULONG Level, _In_ ULONG Flags ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&SetProcessShutdownParameters) SetProcessShutdownParameters_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"kernel32.dll")) { SetProcessShutdownParameters_I = PhGetDllBaseProcedureAddress(baseAddress, "SetProcessShutdownParameters", 0); } PhEndInitOnce(&initOnce); } if (!SetProcessShutdownParameters_I) return FALSE; return !!SetProcessShutdownParameters_I(Level, Flags); } // Timeline drawing support VOID PhCustomDrawTreeTimeLine( _In_ HDC Hdc, _In_ PRECT CellRect, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER StartTime, _In_ PLARGE_INTEGER CreateTime ) { RECT drawRect = *CellRect; LONG percent; LARGE_INTEGER systemTime; LARGE_INTEGER startTime; LARGE_INTEGER createTime; if (StartTime) { PhQuerySystemTime(&systemTime); startTime.QuadPart = systemTime.QuadPart - StartTime->QuadPart; createTime.QuadPart = systemTime.QuadPart - CreateTime->QuadPart; } else { static LARGE_INTEGER bootTime = { 0 }; if (bootTime.QuadPart == 0) { PhGetSystemBootTime(&bootTime); } PhQuerySystemTime(&systemTime); startTime.QuadPart = systemTime.QuadPart - bootTime.QuadPart; createTime.QuadPart = systemTime.QuadPart - CreateTime->QuadPart; } // Clamp percent between 0 and 100, avoid division by zero. if (createTime.QuadPart > startTime.QuadPart || startTime.QuadPart == 0) { SetFlag(Flags, PH_DRAW_TIMELINE_OVERFLOW); percent = 100; } else { percent = (LONG)((createTime.QuadPart * 100) / startTime.QuadPart); if (percent < 0) percent = 0; else if (percent > 100) percent = 100; } // Fill background and set brush color. if (FlagOn(Flags, PH_DRAW_TIMELINE_DARKTHEME)) { FillRect(Hdc, CellRect, PhThemeWindowBackgroundBrush); SetDCBrushColor(Hdc, FlagOn(Flags, PH_DRAW_TIMELINE_OVERFLOW) ? RGB(128, 128, 128) : RGB(0, 130, 135)); SelectBrush(Hdc, PhGetStockBrush(DC_BRUSH)); } else { FillRect(Hdc, CellRect, (HBRUSH)(COLOR_BTNFACE + 1)); SetDCBrushColor(Hdc, FlagOn(Flags, PH_DRAW_TIMELINE_OVERFLOW) ? RGB(128, 128, 128) : RGB(158, 202, 158)); SelectBrush(Hdc, PhGetStockBrush(DC_BRUSH)); } PhInflateRect(&drawRect, -1, -1); drawRect.bottom += 1; //RECT fillRect = *CellRect; //fillRect.right = fillRect.left + ((fillRect.right - fillRect.left) * percent) / 100; //PatBlt( // Hdc, // fillRect.left, // fillRect.top, // fillRect.right - fillRect.left, // fillRect.bottom - fillRect.top, // PATCOPY // ); // //LONG left = CellRect->right - PhMultiplyDivideSigned(CellRect->right - CellRect->left, percent, 100); //PatBlt( // Hdc, // left, // CellRect->top, // CellRect->right - left, // CellRect->bottom - CellRect->top, // PATCOPY // ); LONG width = CellRect->right - CellRect->left; LONG left = CellRect->right - ((width * percent) / 100); PatBlt( Hdc, left, CellRect->top, width - (left - CellRect->left), CellRect->bottom - CellRect->top, PATCOPY ); FrameRect(Hdc, CellRect, PhGetStockBrush(GRAY_BRUSH)); } // Windows Imaging Component (WIC) bitmap support HBITMAP PhCreateDIBSection( _In_ HDC Hdc, _In_ PH_BUFFERFORMAT Format, _In_ LONG Width, _In_ LONG Height, _Out_opt_ PVOID* Bits ) { if (Bits) { *Bits = NULL; } switch (Format) { case PHBF_COMPATIBLEBITMAP: { return CreateCompatibleBitmap(Hdc, Width, Height); } break; case PHBF_DIB: case PHBF_TOPDOWNDIB: case PHBF_TOPDOWNMONODIB: { BITMAPINFO bitmapInfo; memset(&bitmapInfo, 0, sizeof(BITMAPINFOHEADER)); bitmapInfo.bmiHeader.biSize = sizeof(BITMAPINFOHEADER); bitmapInfo.bmiHeader.biWidth = Width; bitmapInfo.bmiHeader.biHeight = Format == PHBF_TOPDOWNDIB ? -Height : Height; bitmapInfo.bmiHeader.biPlanes = 1; bitmapInfo.bmiHeader.biBitCount = Format == PHBF_TOPDOWNMONODIB ? 1 : 32; bitmapInfo.bmiHeader.biCompression = BI_RGB; return CreateDIBSection(Hdc, &bitmapInfo, DIB_RGB_COLORS, Bits, NULL, 0); } break; } return NULL; } HBITMAP PhCreateBitmapHandle( _In_ LONG Width, _In_ LONG Height, _Outptr_opt_ _When_(return != NULL, _Notnull_) PVOID* Bits ) { HDC hdc; HBITMAP bitmapHandle; BITMAPINFO bitmapInfo; memset(&bitmapInfo, 0, sizeof(BITMAPINFO)); bitmapInfo.bmiHeader.biSize = sizeof(BITMAPINFOHEADER); bitmapInfo.bmiHeader.biWidth = Width; bitmapInfo.bmiHeader.biHeight = -Height; bitmapInfo.bmiHeader.biPlanes = 1; bitmapInfo.bmiHeader.biBitCount = 32; bitmapInfo.bmiHeader.biCompression = BI_RGB; hdc = PhGetDC(NULL); bitmapHandle = CreateDIBSection(hdc, &bitmapInfo, DIB_RGB_COLORS, Bits, NULL, 0); PhReleaseDC(NULL, hdc); return bitmapHandle; } static PCGUID PhpGetImageFormatDecoderType( _In_ PH_IMAGE_FORMAT_TYPE Format ) { switch (Format) { case PH_IMAGE_FORMAT_TYPE_ICO: return &GUID_ContainerFormatIco; case PH_IMAGE_FORMAT_TYPE_BMP: return &GUID_ContainerFormatBmp; case PH_IMAGE_FORMAT_TYPE_JPG: return &GUID_ContainerFormatJpeg; case PH_IMAGE_FORMAT_TYPE_PNG: return &GUID_ContainerFormatPng; } return &GUID_ContainerFormatRaw; } HBITMAP PhLoadImageFormatFromResource( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _In_ PH_IMAGE_FORMAT_TYPE Format, _In_ LONG Width, _In_ LONG Height ) { BOOLEAN success = FALSE; HBITMAP bitmapHandle = NULL; ULONG resourceLength = 0; WICInProcPointer resourceBuffer = NULL; PVOID bitmapBuffer = NULL; IWICImagingFactory* wicImagingFactory = NULL; IWICStream* wicBitmapStream = NULL; IWICBitmapSource* wicBitmapSource = NULL; IWICBitmapDecoder* wicBitmapDecoder = NULL; IWICBitmapFrameDecode* wicBitmapFrame = NULL; WICPixelFormatGUID pixelFormat; UINT sourceWidth = 0; UINT sourceHeight = 0; if (!NT_SUCCESS(PhLoadResource(DllBase, Name, Type, &resourceLength, &resourceBuffer))) goto CleanupExit; if (FAILED(PhGetClassObject(L"windowscodecs.dll", &CLSID_WICImagingFactory, &IID_IWICImagingFactory, &wicImagingFactory))) goto CleanupExit; if (FAILED(IWICImagingFactory_CreateStream(wicImagingFactory, &wicBitmapStream))) goto CleanupExit; if (FAILED(IWICStream_InitializeFromMemory(wicBitmapStream, resourceBuffer, resourceLength))) goto CleanupExit; if (FAILED(IWICImagingFactory_CreateDecoder(wicImagingFactory, PhpGetImageFormatDecoderType(Format), &GUID_VendorMicrosoftBuiltIn, &wicBitmapDecoder))) goto CleanupExit; if (FAILED(IWICBitmapDecoder_Initialize(wicBitmapDecoder, (IStream*)wicBitmapStream, WICDecodeMetadataCacheOnDemand))) goto CleanupExit; if (FAILED(IWICBitmapDecoder_GetFrame(wicBitmapDecoder, 0, &wicBitmapFrame))) goto CleanupExit; if (FAILED(IWICBitmapFrameDecode_GetPixelFormat(wicBitmapFrame, &pixelFormat))) goto CleanupExit; if (IsEqualGUID(&pixelFormat, &GUID_WICPixelFormat32bppBGRA)) // CreateDIBSection format { if (FAILED(IWICBitmapFrameDecode_QueryInterface(wicBitmapFrame, &IID_IWICBitmapSource, &wicBitmapSource))) goto CleanupExit; } else { IWICFormatConverter* wicFormatConverter = NULL; if (FAILED(IWICImagingFactory_CreateFormatConverter(wicImagingFactory, &wicFormatConverter))) goto CleanupExit; if (FAILED(IWICFormatConverter_Initialize( wicFormatConverter, (IWICBitmapSource*)wicBitmapFrame, &GUID_WICPixelFormat32bppBGRA, WICBitmapDitherTypeNone, NULL, 0.0f, WICBitmapPaletteTypeCustom ))) { IWICFormatConverter_Release(wicFormatConverter); goto CleanupExit; } if (FAILED(IWICFormatConverter_QueryInterface(wicFormatConverter, &IID_IWICBitmapSource, &wicBitmapSource))) goto CleanupExit; IWICFormatConverter_Release(wicFormatConverter); } if (!(bitmapHandle = PhCreateBitmapHandle(Width, Height, &bitmapBuffer))) goto CleanupExit; if (SUCCEEDED(IWICBitmapSource_GetSize(wicBitmapSource, &sourceWidth, &sourceHeight)) && sourceWidth == Width && sourceHeight == Height) { if (SUCCEEDED(IWICBitmapSource_CopyPixels( wicBitmapSource, NULL, Width * sizeof(RGBQUAD), Width * Height * sizeof(RGBQUAD), bitmapBuffer ))) { success = TRUE; } } else { IWICBitmapScaler* wicBitmapScaler = NULL; if (SUCCEEDED(IWICImagingFactory_CreateBitmapScaler(wicImagingFactory, &wicBitmapScaler))) { if (SUCCEEDED(IWICBitmapScaler_Initialize( wicBitmapScaler, wicBitmapSource, Width, Height, WindowsVersion < WINDOWS_10 ? WICBitmapInterpolationModeFant : WICBitmapInterpolationModeHighQualityCubic ))) { if (SUCCEEDED(IWICBitmapScaler_CopyPixels( wicBitmapScaler, NULL, Width * sizeof(RGBQUAD), Width * Height * sizeof(RGBQUAD), bitmapBuffer ))) { success = TRUE; } } IWICBitmapScaler_Release(wicBitmapScaler); } } CleanupExit: if (wicBitmapSource) IWICBitmapSource_Release(wicBitmapSource); if (wicBitmapDecoder) IWICBitmapDecoder_Release(wicBitmapDecoder); if (wicBitmapFrame) IWICBitmapFrameDecode_Release(wicBitmapFrame); if (wicBitmapStream) IWICStream_Release(wicBitmapStream); if (wicImagingFactory) IWICImagingFactory_Release(wicImagingFactory); if (!success) { if (bitmapHandle) DeleteBitmap(bitmapHandle); return NULL; } return bitmapHandle; } HBITMAP PhLoadImageFromAddress( _In_ PVOID Buffer, _In_ ULONG BufferLength, _In_ LONG Width, _In_ LONG Height ) { BOOLEAN success = FALSE; HBITMAP bitmapHandle = NULL; PVOID bitmapBuffer = NULL; IWICImagingFactory* wicImagingFactory = NULL; IWICStream* wicBitmapStream = NULL; IWICBitmapSource* wicBitmapSource = NULL; IWICBitmapDecoder* wicBitmapDecoder = NULL; IWICBitmapFrameDecode* wicBitmapFrame = NULL; WICPixelFormatGUID pixelFormat; UINT sourceWidth = 0; UINT sourceHeight = 0; if (FAILED(PhGetClassObject(L"windowscodecs.dll", &CLSID_WICImagingFactory1, &IID_IWICImagingFactory, &wicImagingFactory))) goto CleanupExit; if (FAILED(IWICImagingFactory_CreateStream(wicImagingFactory, &wicBitmapStream))) goto CleanupExit; if (FAILED(IWICStream_InitializeFromMemory(wicBitmapStream, Buffer, BufferLength))) goto CleanupExit; if (FAILED(IWICImagingFactory_CreateDecoderFromStream(wicImagingFactory, (IStream*)wicBitmapStream, &GUID_VendorMicrosoftBuiltIn, WICDecodeMetadataCacheOnDemand, &wicBitmapDecoder))) goto CleanupExit; if (FAILED(IWICBitmapDecoder_GetFrame(wicBitmapDecoder, 0, &wicBitmapFrame))) goto CleanupExit; if (FAILED(IWICBitmapFrameDecode_GetPixelFormat(wicBitmapFrame, &pixelFormat))) goto CleanupExit; if (IsEqualGUID(&pixelFormat, &GUID_WICPixelFormat32bppBGRA)) { if (FAILED(IWICBitmapFrameDecode_QueryInterface(wicBitmapFrame, &IID_IWICBitmapSource, &wicBitmapSource))) goto CleanupExit; } else { IWICFormatConverter* wicFormatConverter = NULL; if (FAILED(IWICImagingFactory_CreateFormatConverter(wicImagingFactory, &wicFormatConverter))) goto CleanupExit; if (FAILED(IWICFormatConverter_Initialize( wicFormatConverter, (IWICBitmapSource*)wicBitmapFrame, &GUID_WICPixelFormat32bppBGRA, WICBitmapDitherTypeNone, NULL, 0.0f, WICBitmapPaletteTypeCustom ))) { IWICFormatConverter_Release(wicFormatConverter); goto CleanupExit; } if (FAILED(IWICFormatConverter_QueryInterface(wicFormatConverter, &IID_IWICBitmapSource, &wicBitmapSource))) goto CleanupExit; IWICFormatConverter_Release(wicFormatConverter); } if (!(bitmapHandle = PhCreateBitmapHandle(Width, Height, &bitmapBuffer))) goto CleanupExit; if (SUCCEEDED(IWICBitmapSource_GetSize(wicBitmapSource, &sourceWidth, &sourceHeight)) && sourceWidth == Width && sourceHeight == Height) { if (SUCCEEDED(IWICBitmapSource_CopyPixels( wicBitmapSource, NULL, Width * sizeof(RGBQUAD), Width * Height * sizeof(RGBQUAD), bitmapBuffer ))) { success = TRUE; } } else { IWICBitmapScaler* wicBitmapScaler = NULL; if (SUCCEEDED(IWICImagingFactory_CreateBitmapScaler(wicImagingFactory, &wicBitmapScaler))) { if (SUCCEEDED(IWICBitmapScaler_Initialize( wicBitmapScaler, wicBitmapSource, Width, Height, WindowsVersion < WINDOWS_10 ? WICBitmapInterpolationModeFant : WICBitmapInterpolationModeHighQualityCubic ))) { if (SUCCEEDED(IWICBitmapScaler_CopyPixels( wicBitmapScaler, NULL, Width * sizeof(RGBQUAD), Width * Height * sizeof(RGBQUAD), bitmapBuffer ))) { success = TRUE; } } IWICBitmapScaler_Release(wicBitmapScaler); } } CleanupExit: if (wicBitmapSource) IWICBitmapSource_Release(wicBitmapSource); if (wicBitmapDecoder) IWICBitmapDecoder_Release(wicBitmapDecoder); if (wicBitmapFrame) IWICBitmapFrameDecode_Release(wicBitmapFrame); if (wicBitmapStream) IWICStream_Release(wicBitmapStream); if (wicImagingFactory) IWICImagingFactory_Release(wicImagingFactory); if (!success) { if (bitmapHandle) DeleteBitmap(bitmapHandle); return NULL; } return bitmapHandle; } // Load image and auto-detect the format (dmex) HBITMAP PhLoadImageFromResource( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _In_ LONG Width, _In_ LONG Height ) { ULONG resourceLength; WICInProcPointer resourceBuffer; if (NT_SUCCESS(PhLoadResource(DllBase, Name, Type, &resourceLength, &resourceBuffer))) { return PhLoadImageFromAddress(resourceBuffer, resourceLength, Width, Height); } return NULL; } // Load image and auto-detect the format (dmex) HBITMAP PhLoadImageFromFile( _In_ PCWSTR FileName, _In_ LONG Width, _In_ LONG Height ) { BOOLEAN success = FALSE; HBITMAP bitmapHandle = NULL; PVOID bitmapBuffer = NULL; IWICImagingFactory* wicImagingFactory = NULL; IWICBitmapSource* wicBitmapSource = NULL; IWICBitmapDecoder* wicBitmapDecoder = NULL; IWICBitmapFrameDecode* wicBitmapFrame = NULL; WICPixelFormatGUID pixelFormat; UINT sourceWidth = 0; UINT sourceHeight = 0; if (FAILED(PhGetClassObject(L"windowscodecs.dll", &CLSID_WICImagingFactory1, &IID_IWICImagingFactory, &wicImagingFactory))) goto CleanupExit; if (FAILED(IWICImagingFactory_CreateDecoderFromFilename(wicImagingFactory, FileName, &GUID_VendorMicrosoftBuiltIn, GENERIC_READ, WICDecodeMetadataCacheOnDemand, &wicBitmapDecoder))) goto CleanupExit; if (FAILED(IWICBitmapDecoder_GetFrame(wicBitmapDecoder, 0, &wicBitmapFrame))) goto CleanupExit; if (FAILED(IWICBitmapFrameDecode_GetPixelFormat(wicBitmapFrame, &pixelFormat))) goto CleanupExit; if (IsEqualGUID(&pixelFormat, &GUID_WICPixelFormat32bppBGRA)) { if (FAILED(IWICBitmapFrameDecode_QueryInterface(wicBitmapFrame, &IID_IWICBitmapSource, &wicBitmapSource))) goto CleanupExit; } else { IWICFormatConverter* wicFormatConverter = NULL; if (FAILED(IWICImagingFactory_CreateFormatConverter(wicImagingFactory, &wicFormatConverter))) goto CleanupExit; if (FAILED(IWICFormatConverter_Initialize( wicFormatConverter, (IWICBitmapSource*)wicBitmapFrame, &GUID_WICPixelFormat32bppBGRA, WICBitmapDitherTypeNone, NULL, 0.0f, WICBitmapPaletteTypeCustom ))) { IWICFormatConverter_Release(wicFormatConverter); goto CleanupExit; } if (FAILED(IWICFormatConverter_QueryInterface(wicFormatConverter, &IID_IWICBitmapSource, &wicBitmapSource))) goto CleanupExit; IWICFormatConverter_Release(wicFormatConverter); } if (!(bitmapHandle = PhCreateBitmapHandle(Width, Height, &bitmapBuffer))) goto CleanupExit; if (SUCCEEDED(IWICBitmapSource_GetSize(wicBitmapSource, &sourceWidth, &sourceHeight)) && sourceWidth == Width && sourceHeight == Height) { if (SUCCEEDED(IWICBitmapSource_CopyPixels( wicBitmapSource, NULL, Width * sizeof(RGBQUAD), Width * Height * sizeof(RGBQUAD), bitmapBuffer ))) { success = TRUE; } } else { IWICBitmapScaler* wicBitmapScaler = NULL; if (SUCCEEDED(IWICImagingFactory_CreateBitmapScaler(wicImagingFactory, &wicBitmapScaler))) { if (SUCCEEDED(IWICBitmapScaler_Initialize( wicBitmapScaler, wicBitmapSource, Width, Height, WindowsVersion < WINDOWS_10 ? WICBitmapInterpolationModeFant : WICBitmapInterpolationModeHighQualityCubic ))) { if (SUCCEEDED(IWICBitmapScaler_CopyPixels( wicBitmapScaler, NULL, Width * sizeof(RGBQUAD), Width * Height * sizeof(RGBQUAD), bitmapBuffer ))) { success = TRUE; } } IWICBitmapScaler_Release(wicBitmapScaler); } } CleanupExit: if (wicBitmapSource) IWICBitmapSource_Release(wicBitmapSource); if (wicBitmapDecoder) IWICBitmapDecoder_Release(wicBitmapDecoder); if (wicBitmapFrame) IWICBitmapFrameDecode_Release(wicBitmapFrame); if (wicImagingFactory) IWICImagingFactory_Release(wicImagingFactory); if (!success) { if (bitmapHandle) DeleteBitmap(bitmapHandle); return NULL; } return bitmapHandle; } NTSTATUS PhGetWindowCompositionAttribute( _In_ HWND WindowHandle, _Inout_ PWINDOWCOMPOSITIONATTRIBUTEDATA AttributeData ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOL (WINAPI* GetWindowCompositionAttribute_I)( _In_ HWND WindowHandle, _Inout_ PWINDOWCOMPOSITIONATTRIBUTEDATA AttributeData ) = NULL; if (PhBeginInitOnce(&initOnce)) { GetWindowCompositionAttribute_I = PhGetDllProcedureAddressZ(L"user32.dll", "GetWindowCompositionAttribute", 0); PhEndInitOnce(&initOnce); } if (GetWindowCompositionAttribute_I) { if (GetWindowCompositionAttribute_I(WindowHandle, AttributeData)) { return STATUS_SUCCESS; } } return PhGetLastWin32ErrorAsNtStatus(); } NTSTATUS PhSetWindowCompositionAttribute( _In_ HWND WindowHandle, _In_ PWINDOWCOMPOSITIONATTRIBUTEDATA AttributeData ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOL (WINAPI* SetWindowCompositionAttribute_I)( _In_ HWND WindowHandle, _In_ PWINDOWCOMPOSITIONATTRIBUTEDATA AttributeData ) = NULL; if (PhBeginInitOnce(&initOnce)) { SetWindowCompositionAttribute_I = PhGetDllProcedureAddressZ(L"user32.dll", "SetWindowCompositionAttribute", 0); PhEndInitOnce(&initOnce); } if (SetWindowCompositionAttribute_I) { if (SetWindowCompositionAttribute_I(WindowHandle, AttributeData)) { return STATUS_SUCCESS; } } return PhGetLastWin32ErrorAsNtStatus(); } NTSTATUS PhSetWindowAcrylicCompositionColor( _In_ HWND WindowHandle, _In_ ULONG GradientColor ) { ACCENT_POLICY policy = { ACCENT_ENABLE_ACRYLICBLURBEHIND, ACCENT_WINDOWS11_LUMINOSITY | ACCENT_BORDER_ALL, GradientColor, 0 }; WINDOWCOMPOSITIONATTRIBUTEDATA attribute = { WCA_ACCENT_POLICY, &policy, sizeof(ACCENT_POLICY) }; return PhSetWindowCompositionAttribute(WindowHandle, &attribute); } HCURSOR PhLoadArrowCursor( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HCURSOR arrowCursorHandle = NULL; if (PhBeginInitOnce(&initOnce)) { arrowCursorHandle = PhLoadCursor(NULL, IDC_ARROW); PhEndInitOnce(&initOnce); } return arrowCursorHandle; } HCURSOR PhLoadDividerCursor( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HCURSOR dividerCursorHandle = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; //dividerCursorHandle = PhLoadCursor(NULL, IDC_SIZEWE); if (baseAddress = PhGetLoaderEntryDllBaseZ(L"comctl32.dll")) { dividerCursorHandle = PhLoadCursor(baseAddress, IDC_DIVIDER); } PhEndInitOnce(&initOnce); } return dividerCursorHandle; } NTSTATUS PhGetUserObjectInformation( _In_ HANDLE Handle, _In_ LONG Index, _Out_writes_bytes_opt_(UserObjectInformationLength) PVOID UserObjectInformation, _In_ ULONG UserObjectInformationLength, _Out_opt_ PULONG ReturnLength ) { if (GetUserObjectInformation( Handle, Index, UserObjectInformation, UserObjectInformationLength, ReturnLength )) { return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } NTSTATUS PhIsInteractiveUserSession( VOID ) { NTSTATUS status; USEROBJECTFLAGS flags; memset(&flags, 0, sizeof(USEROBJECTFLAGS)); status = PhGetUserObjectInformation( GetProcessWindowStation(), UOI_FLAGS, &flags, sizeof(USEROBJECTFLAGS), NULL ); if (NT_SUCCESS(status)) { if (BooleanFlagOn(flags.dwFlags, WSF_VISIBLE)) return STATUS_SUCCESS; return STATUS_NOT_GUI_PROCESS; } return status; } NTSTATUS PhGetUserObjectNameInformation( _In_ HANDLE Handle, _Out_ PPH_STRING* String ) { NTSTATUS status; PPH_STRING string; ULONG returnLength; status = PhGetUserObjectInformation( Handle, UOI_NAME, NULL, 0, &returnLength ); if (status != STATUS_BUFFER_TOO_SMALL) return STATUS_INVALID_BUFFER_SIZE; if (!(returnLength % sizeof(WCHAR)) == 0 && returnLength > sizeof(UNICODE_NULL)) return STATUS_INVALID_BUFFER_SIZE; string = PhCreateStringEx(NULL, returnLength - sizeof(UNICODE_NULL)); status = PhGetUserObjectInformation( Handle, UOI_NAME, string->Buffer, (ULONG)string->Length + sizeof(UNICODE_NULL), &returnLength ); if (!NT_SUCCESS(status)) { PhDereferenceObject(string); goto CleanupExit; } PhTrimToNullTerminatorString(string); *String = string; return STATUS_SUCCESS; CleanupExit: return status; } NTSTATUS PhGetUserObjectTypeInformation( _In_ HANDLE Handle, _Out_ PPH_STRING* String ) { NTSTATUS status; PPH_STRING string; ULONG returnLength; status = PhGetUserObjectInformation( Handle, UOI_TYPE, NULL, 0, &returnLength ); if (status != STATUS_BUFFER_TOO_SMALL) return STATUS_INVALID_BUFFER_SIZE; if (!(returnLength % sizeof(WCHAR)) == 0 && returnLength > sizeof(UNICODE_NULL)) return STATUS_INVALID_BUFFER_SIZE; string = PhCreateStringEx(NULL, returnLength - sizeof(UNICODE_NULL)); status = PhGetUserObjectInformation( Handle, UOI_TYPE, string->Buffer, (ULONG)string->Length + sizeof(UNICODE_NULL), &returnLength ); if (!NT_SUCCESS(status)) { PhDereferenceObject(string); goto CleanupExit; } PhTrimToNullTerminatorString(string); *String = string; return STATUS_SUCCESS; CleanupExit: return status; } NTSTATUS PhGetUserObjectSidInformationToBuffer( _In_ HANDLE Handle, _Out_ PPH_USER_OBJECT_SID ObjectSid, _In_ ULONG ObjectSidLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; status = PhGetUserObjectInformation( Handle, UOI_USER_SID, ObjectSid, ObjectSidLength, ReturnLength ); return status; } NTSTATUS PhGetUserObjectSidInformationCopy( _In_ HANDLE Handle, _Out_ PSID* ObjectSid ) { NTSTATUS status; ULONG returnLength; UCHAR objectSidBuffer[SECURITY_MAX_SID_SIZE]; PSID objectSid = (PSID)objectSidBuffer; status = PhGetUserObjectInformation( Handle, UOI_USER_SID, objectSidBuffer, sizeof(objectSidBuffer), &returnLength ); if (NT_SUCCESS(status)) { *ObjectSid = PhAllocateCopy(objectSid, PhLengthSid(objectSid)); } return status; } PPH_STRING PhGetCurrentWindowStationName( VOID ) { PPH_STRING string; if (NT_SUCCESS(PhGetUserObjectNameInformation( GetProcessWindowStation(), &string ))) { return string; } return PhCreateString(L"WinSta0"); // assume the current window station is WinSta0 } PPH_STRING PhGetCurrentThreadDesktopName( VOID ) { HDESK desktopHandle; PPH_STRING string; if (desktopHandle = GetThreadDesktop(HandleToUlong(NtCurrentThreadId()))) { if (NT_SUCCESS(PhGetUserObjectNameInformation(desktopHandle, &string))) { return string; } } return PhCreateString(L"Default"); // assume the current thread desktop is Default } static BOOLEAN PhpInitializeMRUList( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID comctl32ModuleHandle = NULL; if (PhBeginInitOnce(&initOnce)) { if (comctl32ModuleHandle = PhLoadLibrary(L"comctl32.dll")) { CreateMRUList_I = PhGetDllBaseProcedureAddress(comctl32ModuleHandle, "CreateMRUListW", 0); AddMRUString_I = PhGetDllBaseProcedureAddress(comctl32ModuleHandle, "AddMRUStringW", 0); EnumMRUList_I = PhGetDllBaseProcedureAddress(comctl32ModuleHandle, "EnumMRUListW", 0); FreeMRUList_I = PhGetDllBaseProcedureAddress(comctl32ModuleHandle, "FreeMRUList", 0); if (!(CreateMRUList_I && AddMRUString_I && EnumMRUList_I && FreeMRUList_I)) { PhFreeLibrary(comctl32ModuleHandle); comctl32ModuleHandle = NULL; } } PhEndInitOnce(&initOnce); } if (comctl32ModuleHandle) return TRUE; return FALSE; } BOOLEAN PhRecentListAddCommand( _In_ PPH_STRINGREF Command ) { static CONST PH_STRINGREF prefixSr = PH_STRINGREF_INIT(L"\\1"); BOOLEAN result = FALSE; MRUINFO info; HANDLE listHandle; if (!PhpInitializeMRUList()) return FALSE; memset(&info, 0, sizeof(MRUINFO)); info.cbSize = sizeof(MRUINFO); info.uMaxItems = UINT_MAX; info.hKey = HKEY_CURRENT_USER; info.lpszSubKey = L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"; if (listHandle = CreateMRUList_I(&info)) { PPH_STRING command = PhConcatStringRef2(Command, &prefixSr); if (AddMRUString_I(listHandle, PhGetString(command)) != INT_ERROR) { result = TRUE; } PhDereferenceObject(command); FreeMRUList_I(listHandle); } return result; } VOID PhEnumerateRecentList( _In_ PPH_ENUM_MRULIST_CALLBACK Callback, _In_opt_ PVOID Context ) { MRUINFO info; HANDLE listHandle; LONG listCount; if (!PhpInitializeMRUList()) return; memset(&info, 0, sizeof(MRUINFO)); info.cbSize = sizeof(MRUINFO); info.uMaxItems = UINT_MAX; info.hKey = HKEY_CURRENT_USER; info.lpszSubKey = L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"; if (!(listHandle = CreateMRUList_I(&info))) return; listCount = EnumMRUList_I( listHandle, MAXINT, NULL, 0 ); for (LONG i = 0; i < listCount; i++) { PH_STRINGREF string; SIZE_T returnLength; WCHAR buffer[DOS_MAX_PATH_LENGTH] = L""; returnLength = EnumMRUList_I( listHandle, i, buffer, RTL_NUMBER_OF(buffer) ); if (returnLength >= RTL_NUMBER_OF(buffer)) continue; if (returnLength < sizeof(UNICODE_NULL)) continue; buffer[returnLength] = UNICODE_NULL; string.Buffer = buffer; string.Length = returnLength * sizeof(WCHAR); // trim \\1 (dmex) if (string.Buffer[returnLength - 1] == L'1' && string.Buffer[returnLength - 2] == L'\\') { string.Buffer[returnLength - 2] = UNICODE_NULL; string.Length -= 4; } if (!Callback(&string, Context)) break; } FreeMRUList_I(listHandle); } /** * Forcibly closes the specified window. * * \param WindowHandle A handle to the window to be closed. * \param Force If TRUE, force the destruction of the window if an initial attempt to gently close the window using WM_CLOSE fails. If FALSE, only WM_CLOSE is attempted. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-endtask */ NTSTATUS PhTerminateWindow( _In_ HWND WindowHandle, _In_ BOOLEAN Force ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOL (WINAPI* EndTask_I)(_In_ HWND hWnd, _In_ BOOL fShutDown, _In_ BOOL fForce) = NULL; if (PhBeginInitOnce(&initOnce)) { EndTask_I = PhGetDllProcedureAddressZ(L"user32.dll", "EndTask", 0); PhEndInitOnce(&initOnce); } if (!EndTask_I) return STATUS_PROCEDURE_NOT_FOUND; if (EndTask_I(WindowHandle, FALSE, !!Force)) return STATUS_SUCCESS; return PhGetLastWin32ErrorAsNtStatus(); } /** * Queries information for a window using the user subsystem entry NtUserQueryWindow. * * \param WindowHandle A handle to the target window. * \param WindowInfo The WINDOWINFOCLASS selector describing which piece of information to query. * \return The value returned by NtUserQueryWindow on success. Returns 0 (NULL) if the * function is unavailable or the call fails. */ ULONG_PTR PhUserQueryWindow( _In_ HWND WindowHandle, _In_ WINDOWINFOCLASS WindowInfo ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&NtUserQueryWindow) NtUserQueryWindow_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhGetDllHandle(L"win32u.dll")) { NtUserQueryWindow_I = PhGetDllBaseProcedureAddress(baseAddress, "NtUserQueryWindow", 0); } PhEndInitOnce(&initOnce); } if (NtUserQueryWindow_I) { return NtUserQueryWindow_I(WindowHandle, WindowInfo); } return 0; } /** * Opens a handle to the process associated with the specified window. * * \param ProcessHandle Pointer to a variable that receives the process handle. * \param DesiredAccess The access rights requested for the process handle. * \param WindowHandle Handle to the window whose associated process is to be opened. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenWindowProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HWND WindowHandle ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&NtUserGetWindowProcessHandle) NtUserGetWindowProcessHandle_I = NULL; HANDLE processHandle; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhGetDllHandle(L"win32u.dll")) { NtUserGetWindowProcessHandle_I = PhGetDllBaseProcedureAddress(baseAddress, "NtUserGetWindowProcessHandle", 0); } PhEndInitOnce(&initOnce); } if (!NtUserGetWindowProcessHandle_I) { return STATUS_PROCEDURE_NOT_FOUND; } if (processHandle = NtUserGetWindowProcessHandle_I(WindowHandle, DesiredAccess)) { *ProcessHandle = processHandle; return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } /** * Retrieves the source of the input message. * * \param InputMessageSource The INPUT_MESSAGE_SOURCE that holds the device type and the ID of the input message source. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getcurrentinputmessagesource */ NTSTATUS PhGetInputMessageSource( _Out_ INPUT_MESSAGE_SOURCE* InputMessageSource ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&GetCurrentInputMessageSource) GetCurrentInputMessageSource_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhGetDllHandle(L"user32.dll")) { GetCurrentInputMessageSource_I = PhGetDllBaseProcedureAddress(baseAddress, "GetCurrentInputMessageSource", 0); } PhEndInitOnce(&initOnce); } if (GetCurrentInputMessageSource_I) { if (GetCurrentInputMessageSource_I(InputMessageSource)) { return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } return STATUS_PROCEDURE_NOT_FOUND; } /** * Retrieves the source of the input message (GetCurrentInputMessageSourceInSendMessage). * * \param InputMessageSource The INPUT_MESSAGE_SOURCE that holds the device type and the ID of the input message source. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getcimssm */ NTSTATUS PhGetInputMessageSourceSM( _Out_ INPUT_MESSAGE_SOURCE* InputMessageSource ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&GetCIMSSM) GetCIMSSM_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhGetDllHandle(L"user32.dll")) { GetCIMSSM_I = PhGetDllBaseProcedureAddress(baseAddress, "GetCIMSSM", 0); } PhEndInitOnce(&initOnce); } if (GetCIMSSM_I) { if (GetCIMSSM_I(InputMessageSource)) { return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } return STATUS_PROCEDURE_NOT_FOUND; } ================================================ FILE: phlib/guisuplistview.cpp ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include #include #include #include LONG PhAddListViewColumnDpi( _In_ HWND ListViewHandle, _In_ LONG ListViewDpi, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ) { LVCOLUMN column; memset(&column, 0, sizeof(LVCOLUMN)); column.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM | LVCF_ORDER; column.fmt = Format; column.cx = WindowsVersion < WINDOWS_10 ? Width : PhGetDpi(Width, ListViewDpi); column.pszText = const_cast(Text); column.iSubItem = SubItemIndex; column.iOrder = DisplayIndex; return ListView_InsertColumn(ListViewHandle, Index, &column); } LONG PhAddIListViewColumnDpi( _In_ IListView* ListView, _In_ LONG ListViewDpi, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ) { LVCOLUMN column; LONG index; memset(&column, 0, sizeof(LVCOLUMN)); column.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM | LVCF_ORDER; column.fmt = Format; column.cx = WindowsVersion < WINDOWS_10 ? Width : PhGetDpi(Width, ListViewDpi); column.pszText = const_cast(Text); column.iSubItem = SubItemIndex; column.iOrder = DisplayIndex; if (SUCCEEDED(ListView->InsertColumn(Index, &column, &index))) return index; return INT_ERROR; } LONG PhAddListViewColumn( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ) { LONG dpiValue; dpiValue = PhGetWindowDpi(ListViewHandle); return PhAddListViewColumnDpi( ListViewHandle, dpiValue, Index, DisplayIndex, SubItemIndex, Format, Width, Text ); } LONG PhAddIListViewColumn( _In_ IListView* ListView, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ) { LONG dpiValue; HWND windowHandle; if (!SUCCEEDED(ListView->GetHeaderControl(&windowHandle))) return INT_ERROR; dpiValue = PhGetWindowDpi(windowHandle); return PhAddIListViewColumnDpi( ListView, dpiValue, Index, DisplayIndex, SubItemIndex, Format, Width, Text ); } LONG PhAddListViewItem( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ) { LVITEM item; item.mask = LVIF_TEXT | LVIF_PARAM; item.iItem = Index; item.iSubItem = 0; item.pszText = const_cast(Text); item.lParam = reinterpret_cast(Param); return ListView_InsertItem(ListViewHandle, &item); } LONG PhAddIListViewItem( _In_ IListView* ListView, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ) { LVITEM item; LONG index; item.mask = LVIF_TEXT | LVIF_PARAM; item.iItem = Index; item.iSubItem = 0; item.pszText = const_cast(Text); item.lParam = reinterpret_cast(Param); if (SUCCEEDED(ListView->InsertItem(&item, &index))) return index; return INT_ERROR; } LONG PhFindListViewItemByFlags( _In_ HWND ListViewHandle, _In_ LONG StartIndex, _In_ ULONG Flags ) { return ListView_GetNextItem(ListViewHandle, StartIndex, Flags); } LONG PhFindIListViewItemByFlags( _In_ IListView* ListView, _In_ LONG StartIndex, _In_ ULONG Flags ) { LVITEMINDEX itemIndex; LVITEMINDEX nextItemIndex; itemIndex.iItem = StartIndex; itemIndex.iGroup = INT_ERROR; if (SUCCEEDED(ListView->GetNextItem(itemIndex, Flags, &nextItemIndex))) return nextItemIndex.iItem; return INT_ERROR; } LONG PhFindListViewItemByParam( _In_ HWND ListViewHandle, _In_ LONG StartIndex, _In_opt_ PVOID Param ) { LVFINDINFO findInfo; findInfo.flags = LVFI_PARAM; findInfo.lParam = reinterpret_cast(Param); return ListView_FindItem(ListViewHandle, StartIndex, &findInfo); } LONG PhFindIListViewItemByParam( _In_ IListView* ListView, _In_ LONG StartIndex, _In_opt_ PVOID Param ) { LVITEMINDEX itemIndex; LVITEMINDEX foundIndex; LVFINDINFO findInfo; itemIndex.iItem = StartIndex; itemIndex.iGroup = INT_ERROR; findInfo.flags = LVFI_PARAM; findInfo.lParam = reinterpret_cast(Param); if (SUCCEEDED(ListView->FindItem(itemIndex, &findInfo, &foundIndex))) { #if DEBUG HWND windowHandle = nullptr; ListView->GetHeaderControl(&windowHandle); windowHandle = GetParent(windowHandle); LONG index = PhFindListViewItemByParam(windowHandle, StartIndex, Param); assert(index == foundIndex.iItem); // Items changed during enumeration. (dmex) #endif return foundIndex.iItem; } return INT_ERROR; } _Success_(return) BOOLEAN PhGetListViewItemImageIndex( _In_ HWND ListViewHandle, _In_ LONG Index, _Out_ PLONG ImageIndex ) { LVITEM item; item.mask = LVIF_IMAGE; item.iItem = Index; item.iSubItem = 0; if (!ListView_GetItem(ListViewHandle, &item)) return FALSE; *ImageIndex = item.iImage; return TRUE; } _Success_(return) BOOLEAN PhGetIListViewItemImageIndex( _In_ IListView* ListView, _In_ LONG Index, _Out_ PLONG ImageIndex ) { LVITEM item; item.mask = LVIF_IMAGE; item.iItem = Index; item.iSubItem = 0; if (!SUCCEEDED(ListView->GetItem(&item))) return FALSE; *ImageIndex = item.iImage; return TRUE; } _Success_(return) BOOLEAN PhGetListViewItemParam( _In_ HWND ListViewHandle, _In_ LONG Index, _Outptr_ PVOID* Param ) { LVITEM item; item.mask = LVIF_PARAM; item.iItem = Index; item.iSubItem = 0; if (!ListView_GetItem(ListViewHandle, &item)) return FALSE; *Param = reinterpret_cast(item.lParam); return TRUE; } _Success_(return) BOOLEAN PhGetIListViewItemParam( _In_ IListView* ListView, _In_ LONG Index, _Outptr_ PVOID* Param ) { LVITEM item; item.mask = LVIF_PARAM; item.iItem = Index; item.iSubItem = 0; if (!SUCCEEDED(ListView->GetItem(&item))) return FALSE; *Param = reinterpret_cast(item.lParam); return TRUE; } BOOLEAN PhSetListViewItemParam( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ PVOID Param ) { LVITEM item; item.mask = LVIF_PARAM; item.iItem = Index; item.lParam = reinterpret_cast(Param); return !!ListView_SetItem(ListViewHandle, &item); } BOOLEAN PhSetIListViewItemParam( _In_ IListView* ListView, _In_ LONG Index, _In_ PVOID Param ) { LVITEM item; item.mask = LVIF_PARAM; item.iItem = Index; item.lParam = reinterpret_cast(Param); return SUCCEEDED(ListView->SetItem(&item)); } VOID PhRemoveListViewItem( _In_ HWND ListViewHandle, _In_ LONG Index ) { ListView_DeleteItem(ListViewHandle, Index); } VOID PhRemoveIListViewItem( _In_ IListView* ListView, _In_ LONG Index ) { ListView->DeleteItem(Index); } VOID PhSetListViewItemImageIndex( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG ImageIndex ) { LVITEM item; item.mask = LVIF_IMAGE; item.iItem = Index; item.iSubItem = 0; item.iImage = ImageIndex; ListView_SetItem(ListViewHandle, &item); } VOID PhSetIListViewItemImageIndex( _In_ IListView* ListView, _In_ LONG Index, _In_ LONG ImageIndex ) { LVITEM item; item.mask = LVIF_IMAGE; item.iItem = Index; item.iSubItem = 0; item.iImage = ImageIndex; ListView->SetItem(&item); } VOID PhSetListViewSubItem( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG SubItemIndex, _In_ PCWSTR Text ) { LVITEM item; item.mask = LVIF_TEXT; item.iItem = Index; item.iSubItem = SubItemIndex; item.pszText = const_cast(Text); ListView_SetItem(ListViewHandle, &item); } VOID PhSetIListViewSubItem( _In_ IListView* ListView, _In_ LONG Index, _In_ LONG SubItemIndex, _In_ PCWSTR Text ) { LVITEM item; item.mask = LVIF_TEXT; item.iItem = Index; item.iSubItem = SubItemIndex; item.pszText = const_cast(Text); ListView->SetItem(&item); } VOID PhRedrawListViewItems( _In_ HWND ListViewHandle ) { ListView_RedrawItems(ListViewHandle, 0, INT_MAX); // Note: UpdateWindow() is a workaround for ListView_RedrawItems() failing to send LVN_GETDISPINFO // and fixes RedrawItems() graphical artifacts when the listview doesn't have foreground focus. (dmex) UpdateWindow(ListViewHandle); } VOID PhRedrawIListViewItems( _In_ IListView* ListView, _In_ HWND ListViewHandle ) { ListView->RedrawItems(0, INT_MAX); // Note: UpdateWindow() is a workaround for ListView_RedrawItems() failing to send LVN_GETDISPINFO // and fixes RedrawItems() graphical artifacts when the listview doesn't have foreground focus. (dmex) UpdateWindow(ListViewHandle); } LONG PhAddListViewGroup( _In_ HWND ListViewHandle, _In_ LONG GroupId, _In_ PCWSTR Text ) { LVGROUP group; memset(&group, 0, sizeof(LVGROUP)); group.cbSize = sizeof(LVGROUP); group.mask = LVGF_HEADER | LVGF_ALIGN | LVGF_STATE | LVGF_GROUPID; group.uAlign = LVGA_HEADER_LEFT; group.state = LVGS_COLLAPSIBLE; group.iGroupId = GroupId; group.pszHeader = const_cast(Text); return static_cast(ListView_InsertGroup(ListViewHandle, MAXUINT, &group)); } LONG PhAddIListViewGroup( _In_ IListView* ListView, _In_ LONG GroupId, _In_ PCWSTR Text ) { LVGROUP group; LONG index = 0; memset(&group, 0, sizeof(LVGROUP)); group.cbSize = sizeof(LVGROUP); group.mask = LVGF_HEADER | LVGF_ALIGN | LVGF_STATE | LVGF_GROUPID; group.uAlign = LVGA_HEADER_LEFT; group.state = LVGS_COLLAPSIBLE; group.iGroupId = GroupId; group.pszHeader = const_cast(Text); if (SUCCEEDED(ListView->InsertGroup(MAXUINT, &group, &index))) return index; return INT_ERROR; } LONG PhAddListViewGroupItem( _In_ HWND ListViewHandle, _In_ LONG GroupId, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ) { LVITEM item; item.mask = LVIF_TEXT | LVIF_GROUPID; item.iItem = Index; item.iSubItem = 0; item.pszText = const_cast(Text); item.iGroupId = GroupId; if (Param) { item.mask |= LVIF_PARAM; item.lParam = reinterpret_cast(Param); } return ListView_InsertItem(ListViewHandle, &item); } LONG PhAddIListViewGroupItem( _In_ IListView* ListView, _In_ LONG GroupId, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ) { LVITEM item; LONG index; item.mask = LVIF_TEXT | LVIF_GROUPID; item.iItem = Index; item.iSubItem = 0; item.pszText = const_cast(Text); item.iGroupId = GroupId; if (Param) { item.mask |= LVIF_PARAM; item.lParam = reinterpret_cast(Param); } if (SUCCEEDED(ListView->InsertItem(&item, &index))) return index; return INT_ERROR; } VOID PhSetStateAllListViewItems( _In_ HWND WindowHandle, _In_ ULONG State, _In_ ULONG Mask ) { LONG i; LONG count; count = ListView_GetItemCount(WindowHandle); if (count <= 0) return; for (i = 0; i < count; i++) { ListView_SetItemState(WindowHandle, i, State, Mask); } } PVOID PhGetSelectedListViewItemParam( _In_ HWND WindowHandle ) { LONG index; PVOID param; index = PhFindListViewItemByFlags( WindowHandle, INT_ERROR, LVNI_SELECTED ); if (index != INT_ERROR) { if (PhGetListViewItemParam( WindowHandle, index, ¶m )) { return param; } } return nullptr; } VOID PhGetSelectedListViewItemParams( _In_ HWND WindowHandle, _Out_ PVOID **Items, _Out_ PULONG NumberOfItems ) { PH_ARRAY array; LONG index; PVOID param; PhInitializeArray(&array, sizeof(PVOID), 2); index = INT_ERROR; while ((index = PhFindListViewItemByFlags( WindowHandle, index, LVNI_SELECTED )) != INT_ERROR) { if (PhGetListViewItemParam(WindowHandle, index, ¶m)) PhAddItemArray(&array, ¶m); } *NumberOfItems = static_cast(PhFinalArrayCount(&array)); *Items = static_cast(PhFinalArrayItems(&array)); } VOID PhGetSelectedIListViewItemParams( _In_ IListView* ListView, _Out_ PVOID **Items, _Out_ PULONG NumberOfItems ) { PH_ARRAY array; LONG index; PVOID param; PhInitializeArray(&array, sizeof(PVOID), 2); index = INT_ERROR; while ((index = PhFindIListViewItemByFlags( ListView, index, LVNI_SELECTED )) != INT_ERROR) { if (PhGetIListViewItemParam(ListView, index, ¶m)) PhAddItemArray(&array, ¶m); } *NumberOfItems = static_cast(PhFinalArrayCount(&array)); *Items = static_cast(PhFinalArrayItems(&array)); } BOOLEAN PhGetIListViewClientRect( _In_ IListView* ListView, _Inout_ PRECT ClientRect ) { return SUCCEEDED(ListView->GetClientRect(FALSE, ClientRect)); } BOOLEAN PhGetIListViewItemRect( _In_ IListView* ListView, _In_ LONG StartIndex, _In_ ULONG Flags, // LVIR_SELECTBOUNDS | LVIR_BOUNDS _Inout_ PRECT ItemRect ) { LVITEMINDEX itemIndex; itemIndex.iItem = StartIndex; itemIndex.iGroup = -1; return SUCCEEDED(ListView->GetItemRect(itemIndex, Flags, ItemRect)); } PPH_LISTVIEW_CONTEXT PhListView_Initialize( _In_ HWND ListViewHandle ) { PPH_LISTVIEW_CONTEXT context; IListView* listviewInterface; context = (PPH_LISTVIEW_CONTEXT)PhAllocateZero(sizeof(PH_LISTVIEW_CONTEXT)); context->ListViewHandle = ListViewHandle; context->ThreadId = UlongToHandle(GetWindowThreadProcessId(ListViewHandle, nullptr)); if (listviewInterface = PhGetListViewInterface(ListViewHandle)) { context->ListViewInterface = listviewInterface; } return context; } VOID PhListView_Destroy( _In_ PPH_LISTVIEW_CONTEXT Context ) { if (Context->ListViewInterface) { Context->ListViewInterface->Release(); Context->ListViewInterface = NULL; } PhFree(Context); } _Use_decl_annotations_ BOOLEAN PhListView_GetItemCount( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ PLONG ItemCount ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->GetItemCount(ItemCount))) { return TRUE; } } else { LONG count = ListView_GetItemCount(Context->ListViewHandle); if (count != INT_ERROR) { *ItemCount = count; return TRUE; } } return FALSE; } BOOLEAN PhListView_SetItemCount( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemCount, _In_ ULONG Flags ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->SetItemCount(ItemCount, Flags))) { return TRUE; } } else { if (ListView_SetItemCountEx(Context->ListViewHandle, ItemCount, Flags)) { return TRUE; } } return FALSE; } BOOLEAN PhListView_GetItem( _In_ PPH_LISTVIEW_CONTEXT Context, _Inout_ LVITEM* Item ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->GetItem(Item))) return TRUE; } else { if (ListView_GetItem(Context->ListViewHandle, Item)) return TRUE; } return FALSE; } BOOLEAN PhListView_SetItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LVITEM* Item ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->SetItem(Item))) return TRUE; } else { if (ListView_SetItem(Context->ListViewHandle, Item)) return TRUE; } return FALSE; } _Use_decl_annotations_ BOOLEAN PhListView_GetItemText( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ LONG SubItemIndex, _Out_writes_(BufferSize) PWSTR Buffer, _In_ LONG BufferSize ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->GetItemText( ItemIndex, SubItemIndex, Buffer, BufferSize ))) { return TRUE; } } else { LVITEM item; ZeroMemory(&item, sizeof(LVITEM)); item.iSubItem = SubItemIndex; item.cchTextMax = BufferSize; item.pszText = Buffer; if (SendMessage(Context->ListViewHandle, LVM_GETITEMTEXTW, ItemIndex, (LPARAM)&item)) { return TRUE; } } return FALSE; } BOOLEAN PhListView_SetItemText( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ LONG SubItemIndex, _In_ PWSTR Text ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->SetItemText(ItemIndex, SubItemIndex, Text))) { return TRUE; } } else { LVITEM item; ZeroMemory(&item, sizeof(LVITEM)); item.iSubItem = SubItemIndex; item.pszText = Text; if (SendMessage(Context->ListViewHandle, LVM_SETITEMTEXTW, ItemIndex, (LPARAM)&item)) { return TRUE; } } return FALSE; } BOOLEAN PhListView_DeleteItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->DeleteItem(ItemIndex))) { return TRUE; } } else { if (ListView_DeleteItem(Context->ListViewHandle, ItemIndex)) { return TRUE; } } return FALSE; } BOOLEAN PhListView_DeleteAllItems( _In_ PPH_LISTVIEW_CONTEXT Context ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->DeleteAllItems())) return TRUE; } else { if (ListView_DeleteAllItems(Context->ListViewHandle)) return TRUE; } return FALSE; } _Use_decl_annotations_ BOOLEAN PhListView_InsertItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LVITEMW* Item, _Out_opt_ PLONG ItemIndex ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->InsertItem(Item, ItemIndex))) return TRUE; } else { LONG index = ListView_InsertItem(Context->ListViewHandle, Item); if (index != INT_ERROR) { if (ItemIndex) { *ItemIndex = index; } return TRUE; } } return FALSE; } _Use_decl_annotations_ BOOLEAN PhListView_InsertGroup( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG InsertAt, _In_ LVGROUP* Group, _Out_opt_ PLONG GroupId ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->InsertGroup(InsertAt, Group, GroupId))) return TRUE; } else { LONG index = (LONG)ListView_InsertGroup(Context->ListViewHandle, InsertAt, Group); if (index != INT_ERROR) { if (GroupId) { *GroupId = index; } return TRUE; } } return FALSE; } _Use_decl_annotations_ BOOLEAN PhListView_GetItemState( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ ULONG Mask, _Out_ PULONG State ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { ULONG state = 0; if (HR_SUCCESS(Context->ListViewInterface->GetItemState(ItemIndex, 0, Mask, &state))) { *State = state; return TRUE; } } else { *State = ListView_GetItemState(Context->ListViewHandle, ItemIndex, Mask); return TRUE; } return FALSE; } BOOLEAN PhListView_SetItemState( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ ULONG State, _In_ ULONG Mask ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->SetItemState(ItemIndex, 0, State, Mask))) return TRUE; } else { LVITEM item; ZeroMemory(&item, sizeof(LVITEM)); item.state = State; item.stateMask = Mask; item.mask = LVIF_STATE; item.iItem = ItemIndex; if (SendMessage(Context->ListViewHandle, LVM_SETITEMSTATE, ItemIndex, (LPARAM)&item)) { return TRUE; } } return FALSE; } BOOLEAN PhListView_SortItems( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ BOOL SortingByIndex, _In_ PFNLVCOMPARE Compare, _In_ PVOID CompareContext ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->SortItems( SortingByIndex, (LPARAM)CompareContext, Compare ))) { return TRUE; } } else { if (SortingByIndex) { if (ListView_SortItemsEx( Context->ListViewHandle, Compare, CompareContext )) { return TRUE; } } else { if (ListView_SortItems( Context->ListViewHandle, Compare, CompareContext )) { return TRUE; } } } return FALSE; } BOOLEAN PhListView_GetColumn( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG ColumnIndex, _Inout_ LV_COLUMN* Column ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->GetColumn(ColumnIndex, Column))) return TRUE; } else { if (ListView_GetColumn(Context->ListViewHandle, ColumnIndex, Column)) return TRUE; } return FALSE; } BOOLEAN PhListView_SetColumn( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG ColumnIndex, _In_ LV_COLUMN* Column ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->SetColumn(ColumnIndex, Column))) return TRUE; } else { if (ListView_SetColumn(Context->ListViewHandle, ColumnIndex, Column)) return TRUE; } return FALSE; } BOOLEAN PhListView_SetColumnWidth( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG ColumnIndex, _In_ ULONG Width ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { if (HR_SUCCESS(Context->ListViewInterface->SetColumnWidth(ColumnIndex, Width))) return TRUE; } else { if (ListView_SetColumnWidth(Context->ListViewHandle, ColumnIndex, Width)) return TRUE; } return FALSE; } BOOLEAN PhListView_GetHeader( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ HWND* WindowHandle ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { HWND headerWindowHandle = nullptr; if (HR_SUCCESS(Context->ListViewInterface->GetHeaderControl(&headerWindowHandle))) { *WindowHandle = headerWindowHandle; return TRUE; } } else { HWND headerWindowHandle; if (headerWindowHandle = ListView_GetHeader(Context->ListViewHandle)) { *WindowHandle = headerWindowHandle; return TRUE; } } return FALSE; } BOOLEAN PhListView_GetToolTip( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ HWND* WindowHandle ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { HWND tooltipWindowHandle = nullptr; if (HR_SUCCESS(Context->ListViewInterface->GetToolTip(&tooltipWindowHandle))) { *WindowHandle = tooltipWindowHandle; return TRUE; } } else { HWND tooltipWindowHandle; if (tooltipWindowHandle = ListView_GetToolTips(Context->ListViewHandle)) { *WindowHandle = tooltipWindowHandle; return TRUE; } } return FALSE; } LONG PhListView_AddColumn( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhAddIListViewColumn(Context->ListViewInterface, Index, DisplayIndex, SubItemIndex, Format, Width, Text); } else { return PhAddListViewColumn(Context->ListViewHandle, Index, DisplayIndex, SubItemIndex, Format, Width, Text); } } LONG PhListView_AddItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhAddIListViewItem(Context->ListViewInterface, Index, Text, Param); } else { return PhAddListViewItem(Context->ListViewHandle, Index, Text, Param); } } LONG PhListView_FindItemByFlags( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG StartIndex, _In_ ULONG Flags ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhFindIListViewItemByFlags(Context->ListViewInterface, StartIndex, Flags); } else { return PhFindListViewItemByFlags(Context->ListViewHandle, StartIndex, Flags); } } LONG PhListView_FindItemByParam( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG StartIndex, _In_opt_ PVOID Param ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhFindIListViewItemByParam(Context->ListViewInterface, StartIndex, Param); } else { return PhFindListViewItemByParam(Context->ListViewHandle, StartIndex, Param); } } _Success_(return) BOOLEAN PhListView_GetItemParam( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _Outptr_ PVOID* Param ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhGetIListViewItemParam(Context->ListViewInterface, Index, Param); } else { return PhGetListViewItemParam(Context->ListViewHandle, Index, Param); } } VOID PhListView_SetSubItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _In_ LONG SubItemIndex, _In_ PCWSTR Text ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { PhSetIListViewSubItem(Context->ListViewInterface, Index, SubItemIndex, Text); } else { PhSetListViewSubItem(Context->ListViewHandle, Index, SubItemIndex, Text); } } VOID PhListView_RedrawItems( _In_ PPH_LISTVIEW_CONTEXT Context ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { PhRedrawIListViewItems(Context->ListViewInterface, Context->ListViewHandle); } else { PhRedrawListViewItems(Context->ListViewHandle); } } LONG PhListView_AddGroup( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG GroupId, _In_ PCWSTR Text ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhAddIListViewGroup(Context->ListViewInterface, GroupId, Text); } else { return PhAddListViewGroup(Context->ListViewHandle, GroupId, Text); } } LONG PhListView_AddGroupItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG GroupId, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhAddIListViewGroupItem(Context->ListViewInterface, GroupId, Index, Text, Param); } else { return PhAddListViewGroupItem(Context->ListViewHandle, GroupId, Index, Text, Param); } } VOID PhListView_SetStateAllItems( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG State, _In_ ULONG Mask ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { LONG i; LONG count; if (HR_SUCCESS(Context->ListViewInterface->GetItemCount(&count))) { for (i = 0; i < count; i++) { Context->ListViewInterface->SetItemState(i, 0, Mask, State); } } } else { PhSetStateAllListViewItems(Context->ListViewHandle, State, Mask); } } PVOID PhListView_GetSelectedItemParam( _In_ PPH_LISTVIEW_CONTEXT Context ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { LONG index; PVOID param; index = PhFindIListViewItemByFlags( Context->ListViewInterface, INT_ERROR, LVNI_SELECTED ); if (index != INT_ERROR) { if (PhGetIListViewItemParam(Context->ListViewInterface, index, ¶m)) return param; } return nullptr; } else { return PhGetSelectedListViewItemParam(Context->ListViewHandle); } } _Success_(return) BOOLEAN PhListView_GetSelectedCount( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ PLONG SelectedCount ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return HR_SUCCESS(Context->ListViewInterface->GetSelectedCount(SelectedCount)); } else { LONG count = ListView_GetSelectedCount(Context->ListViewHandle); if (count != INT_ERROR) { *SelectedCount = count; return TRUE; } } return FALSE; } VOID PhListView_GetSelectedItemParams( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ PVOID** Items, _Out_ PULONG NumberOfItems ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { PhGetSelectedIListViewItemParams(Context->ListViewInterface, Items, NumberOfItems); } else { PhGetSelectedListViewItemParams(Context->ListViewHandle, Items, NumberOfItems); } } BOOLEAN PhListView_GetClientRect( _In_ PPH_LISTVIEW_CONTEXT Context, _Inout_ PRECT ClientRect ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhGetIListViewClientRect(Context->ListViewInterface, ClientRect); } else { return !!GetClientRect(Context->ListViewHandle, ClientRect); } } BOOLEAN PhListView_GetItemRect( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG StartIndex, _In_ ULONG Flags, _Inout_ PRECT ItemRect ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return PhGetIListViewItemRect(Context->ListViewInterface, StartIndex, Flags, ItemRect); } else { return !!ListView_GetItemRect(Context->ListViewHandle, StartIndex, ItemRect, Flags); } } BOOLEAN PhListView_EnableGroupView( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ BOOLEAN Enable ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return HR_SUCCESS(Context->ListViewInterface->EnableGroupView(Enable)); } else { return !!ListView_EnableGroupView(Context->ListViewHandle, Enable); } } BOOLEAN PhListView_EnsureItemVisible( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ BOOLEAN PartialOk ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { LVITEMINDEX itemIndex; itemIndex.iItem = ItemIndex; itemIndex.iGroup = INT_ERROR; return SUCCEEDED(Context->ListViewInterface->EnsureItemVisible(itemIndex, PartialOk)); } else { return !!ListView_EnsureVisible(Context->ListViewHandle, ItemIndex, PartialOk); } } BOOLEAN PhListView_IsItemVisible( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _Out_ PBOOLEAN Visible ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { LVITEMINDEX itemIndex; BOOL visible; itemIndex.iItem = ItemIndex; itemIndex.iGroup = INT_ERROR; if (SUCCEEDED(Context->ListViewInterface->IsItemVisible(itemIndex, &visible))) { *Visible = !!visible; return TRUE; } return FALSE; } else { RECT itemRect; RECT clientRect; if (!ListView_GetItemRect(Context->ListViewHandle, ItemIndex, &itemRect, LVIR_BOUNDS)) return FALSE; if (!GetClientRect(Context->ListViewHandle, &clientRect)) return FALSE; // Check if the item rectangle intersects with the client area *Visible = (itemRect.top < clientRect.bottom && itemRect.bottom > clientRect.top); return TRUE; } } BOOLEAN PhListView_HitTestSubItem( _In_ PPH_LISTVIEW_CONTEXT Context, _Inout_ LVHITTESTINFO* HitTestInfo ) { if (Context->ListViewInterface && NtCurrentThreadId() == Context->ThreadId) { return HR_SUCCESS(Context->ListViewInterface->HitTestSubItem(HitTestInfo)); } else { return ListView_SubItemHitTest(Context->ListViewHandle, HitTestInfo) != INT_ERROR; } } ================================================ FILE: phlib/handle.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * */ #include #include #include static PH_INITONCE PhHandleTableInitOnce = PH_INITONCE_INIT; static PH_FREE_LIST PhHandleTableLevel0FreeList; static PH_FREE_LIST PhHandleTableLevel1FreeList; PPH_HANDLE_TABLE PhCreateHandleTable( VOID ) { PPH_HANDLE_TABLE handleTable; ULONG i; if (PhBeginInitOnce(&PhHandleTableInitOnce)) { PhInitializeFreeList( &PhHandleTableLevel0FreeList, sizeof(PH_HANDLE_TABLE_ENTRY) * PH_HANDLE_TABLE_LEVEL_ENTRIES, 64 ); PhInitializeFreeList( &PhHandleTableLevel1FreeList, sizeof(PPH_HANDLE_TABLE_ENTRY) * PH_HANDLE_TABLE_LEVEL_ENTRIES, 64 ); PhEndInitOnce(&PhHandleTableInitOnce); } #ifdef PH_HANDLE_TABLE_SAFE handleTable = PhAllocateSafe(sizeof(PH_HANDLE_TABLE)); if (!handleTable) return NULL; #else handleTable = PhAllocate(sizeof(PH_HANDLE_TABLE)); #endif PhInitializeQueuedLock(&handleTable->Lock); PhInitializeWakeEvent(&handleTable->HandleWakeEvent); handleTable->NextValue = 0; handleTable->Count = 0; handleTable->TableValue = (ULONG_PTR)PhpCreateHandleTableLevel0(handleTable, TRUE); #ifdef PH_HANDLE_TABLE_SAFE if (!handleTable->TableValue) { PhFree(handleTable); return NULL; } #endif // We have now created the level 0 table. The free list can now be set up to point to handle 0, // which points to the rest of the free list (1 -> 2 -> 3 -> ...). The next batch of handles // that need to be created start at PH_HANDLE_TABLE_LEVEL_ENTRIES. handleTable->FreeValue = 0; handleTable->NextValue = PH_HANDLE_TABLE_LEVEL_ENTRIES; handleTable->FreeValueAlt = PH_HANDLE_VALUE_INVALID; // no entries in alt. free list handleTable->Flags = 0; for (i = 0; i < PH_HANDLE_TABLE_LOCKS; i++) PhInitializeQueuedLock(&handleTable->Locks[i]); return handleTable; } VOID PhDestroyHandleTable( _In_ _Post_invalid_ PPH_HANDLE_TABLE HandleTable ) { ULONG_PTR tableValue; ULONG tableLevel; PPH_HANDLE_TABLE_ENTRY table0; PPH_HANDLE_TABLE_ENTRY *table1; PPH_HANDLE_TABLE_ENTRY **table2; ULONG i; ULONG j; tableValue = HandleTable->TableValue; tableLevel = tableValue & PH_HANDLE_TABLE_LEVEL_MASK; tableValue -= tableLevel; switch (tableLevel) { case 0: { table0 = (PPH_HANDLE_TABLE_ENTRY)tableValue; PhpFreeHandleTableLevel0(table0); } break; case 1: { table1 = (PPH_HANDLE_TABLE_ENTRY *)tableValue; for (i = 0; i < PH_HANDLE_TABLE_LEVEL_ENTRIES; i++) { if (!table1[i]) break; PhpFreeHandleTableLevel0(table1[i]); } PhpFreeHandleTableLevel1(table1); } break; case 2: { table2 = (PPH_HANDLE_TABLE_ENTRY **)tableValue; for (i = 0; i < PH_HANDLE_TABLE_LEVEL_ENTRIES; i++) { if (!table2[i]) break; for (j = 0; j < PH_HANDLE_TABLE_LEVEL_ENTRIES; j++) { if (!table2[i][j]) break; PhpFreeHandleTableLevel0(table2[i][j]); } PhpFreeHandleTableLevel1(table2[i]); } PhpFreeHandleTableLevel2(table2); } break; default: ASSUME_NO_DEFAULT; } PhFree(HandleTable); } VOID PhpBlockOnLockedHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ) { PH_QUEUED_WAIT_BLOCK waitBlock; ULONG_PTR value; PhQueueWakeEvent(&HandleTable->HandleWakeEvent, &waitBlock); value = HandleTableEntry->Value; if ( (value & PH_HANDLE_TABLE_ENTRY_TYPE) != PH_HANDLE_TABLE_ENTRY_IN_USE || (value & PH_HANDLE_TABLE_ENTRY_LOCKED) ) { // Entry is not in use or has been unlocked; cancel the wait. PhSetWakeEvent(&HandleTable->HandleWakeEvent, &waitBlock); } else { PhWaitForWakeEvent(&HandleTable->HandleWakeEvent, &waitBlock, TRUE, NULL); } } BOOLEAN PhLockHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _Inout_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ) { ULONG_PTR value; while (TRUE) { value = HandleTableEntry->Value; if ((value & PH_HANDLE_TABLE_ENTRY_TYPE) != PH_HANDLE_TABLE_ENTRY_IN_USE) return FALSE; if (value & PH_HANDLE_TABLE_ENTRY_LOCKED) { if ((ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&HandleTableEntry->Value, (PVOID)(value - PH_HANDLE_TABLE_ENTRY_LOCKED), (PVOID)value ) == value) { return TRUE; } } PhpBlockOnLockedHandleTableEntry(HandleTable, HandleTableEntry); } } VOID PhUnlockHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _Inout_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ) { _interlockedbittestandset( (PLONG)&HandleTableEntry->Value, PH_HANDLE_TABLE_ENTRY_LOCKED_SHIFT ); PhSetWakeEvent(&HandleTable->HandleWakeEvent, NULL); } HANDLE PhCreateHandle( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ) { PPH_HANDLE_TABLE_ENTRY entry; ULONG handleValue; entry = PhpAllocateHandleTableEntry(HandleTable, &handleValue); if (!entry) return NULL; // Copy the given handle table entry to the allocated entry. // All free entries have the Free type and have the (not) locked bit clear. There is no problem // with setting the Type now; the entry is still locked, so they will block. entry->TypeAndValue.Type = PH_HANDLE_TABLE_ENTRY_IN_USE; entry->TypeAndValue.Value = HandleTableEntry->TypeAndValue.Value; entry->Value2 = HandleTableEntry->Value2; // Now we unlock this entry, waking anyone who was caught back there before we had finished // setting up the entry. PhUnlockHandleTableEntry(HandleTable, entry); return PhpEncodeHandle(handleValue); } BOOLEAN PhDestroyHandle( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ HANDLE Handle, _In_opt_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ) { ULONG handleValue; handleValue = PhpDecodeHandle(Handle); if (!HandleTableEntry) { HandleTableEntry = PhpLookupHandleTableEntry(HandleTable, handleValue); if (!HandleTableEntry) return FALSE; if (!PhLockHandleTableEntry(HandleTable, HandleTableEntry)) return FALSE; } _InterlockedExchangePointer( (PVOID *)&HandleTableEntry->Value, (PVOID)PH_HANDLE_TABLE_ENTRY_FREE ); // The handle table entry is now free; wake any waiters because they can't lock the entry now. // Any future lock attempts will fail because the entry is marked as being free. PhSetWakeEvent(&HandleTable->HandleWakeEvent, NULL); PhpFreeHandleTableEntry(HandleTable, handleValue, HandleTableEntry); return TRUE; } PPH_HANDLE_TABLE_ENTRY PhLookupHandleTableEntry( _In_ PPH_HANDLE_TABLE HandleTable, _In_ HANDLE Handle ) { PPH_HANDLE_TABLE_ENTRY entry; entry = PhpLookupHandleTableEntry(HandleTable, PhpDecodeHandle(Handle)); if (!entry) return NULL; if (!PhLockHandleTableEntry(HandleTable, entry)) return NULL; return entry; } VOID PhEnumHandleTable( _In_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_ENUM_HANDLE_TABLE_CALLBACK Callback, _In_opt_ PVOID Context ) { ULONG handleValue; PPH_HANDLE_TABLE_ENTRY entry; BOOLEAN cont; handleValue = 0; while (entry = PhpLookupHandleTableEntry(HandleTable, handleValue)) { if (PhLockHandleTableEntry(HandleTable, entry)) { cont = Callback( HandleTable, PhpEncodeHandle(handleValue), entry, Context ); PhUnlockHandleTableEntry(HandleTable, entry); if (!cont) break; } handleValue++; } } VOID PhSweepHandleTable( _In_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_ENUM_HANDLE_TABLE_CALLBACK Callback, _In_opt_ PVOID Context ) { ULONG handleValue; PPH_HANDLE_TABLE_ENTRY entry; BOOLEAN cont; handleValue = 0; while (entry = PhpLookupHandleTableEntry(HandleTable, handleValue)) { if (entry->TypeAndValue.Type == PH_HANDLE_TABLE_ENTRY_IN_USE) { cont = Callback( HandleTable, PhpEncodeHandle(handleValue), entry, Context ); if (!cont) break; } handleValue++; } } NTSTATUS PhQueryInformationHandleTable( _In_ PPH_HANDLE_TABLE HandleTable, _In_ PH_HANDLE_TABLE_INFORMATION_CLASS InformationClass, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status = STATUS_SUCCESS; ULONG returnLength; switch (InformationClass) { case HandleTableBasicInformation: { PPH_HANDLE_TABLE_BASIC_INFORMATION basicInfo = Buffer; if (BufferLength == sizeof(PH_HANDLE_TABLE_BASIC_INFORMATION)) { basicInfo->Count = HandleTable->Count; basicInfo->Flags = HandleTable->Flags; basicInfo->TableLevel = HandleTable->TableValue & PH_HANDLE_TABLE_LEVEL_MASK; } else { status = STATUS_INFO_LENGTH_MISMATCH; } returnLength = sizeof(PH_HANDLE_TABLE_BASIC_INFORMATION); } break; case HandleTableFlagsInformation: { PPH_HANDLE_TABLE_FLAGS_INFORMATION flagsInfo = Buffer; if (BufferLength == sizeof(PH_HANDLE_TABLE_FLAGS_INFORMATION)) { flagsInfo->Flags = HandleTable->Flags; } else { status = STATUS_INFO_LENGTH_MISMATCH; } returnLength = sizeof(PH_HANDLE_TABLE_FLAGS_INFORMATION); } break; default: status = STATUS_INVALID_INFO_CLASS; returnLength = 0; break; } if (ReturnLength) *ReturnLength = returnLength; return status; } NTSTATUS PhSetInformationHandleTable( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ PH_HANDLE_TABLE_INFORMATION_CLASS InformationClass, _In_reads_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength ) { NTSTATUS status = STATUS_SUCCESS; switch (InformationClass) { case HandleTableFlagsInformation: { PPH_HANDLE_TABLE_FLAGS_INFORMATION flagsInfo = Buffer; ULONG flags; if (BufferLength == sizeof(PH_HANDLE_TABLE_FLAGS_INFORMATION)) { flags = flagsInfo->Flags; if ((flags & PH_HANDLE_TABLE_VALID_FLAGS) == flags) HandleTable->Flags = flags; else status = STATUS_INVALID_PARAMETER; } else { status = STATUS_INFO_LENGTH_MISMATCH; } } break; default: status = STATUS_INVALID_INFO_CLASS; } return status; } PPH_HANDLE_TABLE_ENTRY PhpAllocateHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _Out_ PULONG HandleValue ) { PPH_HANDLE_TABLE_ENTRY entry; ULONG freeValue; ULONG lockIndex; ULONG nextFreeValue; ULONG oldFreeValue; BOOLEAN result; while (TRUE) { freeValue = HandleTable->FreeValue; while (freeValue == PH_HANDLE_VALUE_INVALID) { PhAcquireQueuedLockExclusive(&HandleTable->Lock); // Check again to see if we have free handles. freeValue = HandleTable->FreeValue; if (freeValue != PH_HANDLE_VALUE_INVALID) { PhReleaseQueuedLockExclusive(&HandleTable->Lock); break; } // Move handles from the alt. free list to the main free list, and check again. freeValue = PhpMoveFreeHandleTableEntries(HandleTable); if (freeValue != PH_HANDLE_VALUE_INVALID) { PhReleaseQueuedLockExclusive(&HandleTable->Lock); break; } result = PhpAllocateMoreHandleTableEntries(HandleTable, TRUE); PhReleaseQueuedLockExclusive(&HandleTable->Lock); freeValue = HandleTable->FreeValue; // Note that PhpAllocateMoreHandleTableEntries only returns FALSE if it failed to // allocate memory. Success does not guarantee a free handle to be allocated, as they // may have been all used up (however unlikely) when we reach this point. Success simply // means to retry the allocation using the fast path. if (!result && freeValue == PH_HANDLE_VALUE_INVALID) return NULL; } entry = PhpLookupHandleTableEntry(HandleTable, freeValue); lockIndex = PH_HANDLE_TABLE_LOCK_INDEX(freeValue); // To avoid the ABA problem, we would ideally have one queued lock per handle table entry. // That would make the overhead too large, so instead there is a fixed number of locks, // indexed by the handle value (mod no. locks). // Possibilities at this point: // 1. freeValue != A (our copy), but the other thread has freed A, so FreeValue = A. No ABA // problem since freeValue != A. // 2. freeValue != A, and FreeValue != A. No ABA problem. // 3. freeValue = A, and the other thread has freed A, so FreeValue = A. No ABA problem // since we haven't read NextFreeValue yet. // 4. freeValue = A, and FreeValue != A. No problem if this stays the same later, as the CAS // will take care of it. PhpLockHandleTableShared(HandleTable, lockIndex); if (HandleTable->FreeValue != freeValue) { PhpUnlockHandleTableShared(HandleTable, lockIndex); continue; } MemoryBarrier(); nextFreeValue = entry->NextFreeValue; // Possibilities/non-possibilities at this point: // 1. freeValue != A (our copy), but the other thread has freed A, so FreeValue = A. This is // actually impossible since we have acquired the lock on A and the free code checks that // and uses the alt. free list instead. // 2. freeValue != A, and FreeValue != A. No ABA problem. // 3. freeValue = A, and the other thread has freed A, so FreeValue = A. Impossible like // above. This is *the* ABA problem which we have now prevented. // 4. freeValue = A, and FreeValue != A. CAS will take care of it. oldFreeValue = _InterlockedCompareExchange( &HandleTable->FreeValue, nextFreeValue, freeValue ); PhpUnlockHandleTableShared(HandleTable, lockIndex); if (oldFreeValue == freeValue) break; } _InterlockedIncrement((PLONG)&HandleTable->Count); *HandleValue = freeValue; return entry; } VOID PhpFreeHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ ULONG HandleValue, _Inout_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ) { PULONG freeList; ULONG flags; ULONG oldValue; _InterlockedDecrement((PLONG)&HandleTable->Count); flags = HandleTable->Flags; // Choose the free list to use depending on whether someone is popping from the main free list // (see PhpAllocateHandleTableEntry for details). We always use the alt. free list if strict // FIFO is enabled. if (!(flags & PH_HANDLE_TABLE_STRICT_FIFO) && PhTryAcquireReleaseQueuedLockExclusive( &HandleTable->Locks[PH_HANDLE_TABLE_LOCK_INDEX(HandleValue)])) { freeList = &HandleTable->FreeValue; } else { freeList = &HandleTable->FreeValueAlt; } while (TRUE) { oldValue = *freeList; HandleTableEntry->NextFreeValue = oldValue; if (_InterlockedCompareExchange( freeList, HandleValue, oldValue ) == oldValue) { break; } } } BOOLEAN PhpAllocateMoreHandleTableEntries( _In_ PPH_HANDLE_TABLE HandleTable, _In_ BOOLEAN Initialize ) { ULONG_PTR tableValue; ULONG tableLevel; PPH_HANDLE_TABLE_ENTRY table0 = NULL; PPH_HANDLE_TABLE_ENTRY *table1; PPH_HANDLE_TABLE_ENTRY **table2; ULONG i; ULONG j; ULONG oldNextValue; ULONG freeValue; // Get a pointer to the table, and its level. tableValue = HandleTable->TableValue; tableLevel = tableValue & PH_HANDLE_TABLE_LEVEL_MASK; tableValue -= tableLevel; switch (tableLevel) { case 0: { // Create a level 1 table. table1 = PhpCreateHandleTableLevel1(HandleTable); #ifdef PH_HANDLE_TABLE_SAFE if (!table1) return FALSE; #endif // Create a new level 0 table and move the existing level into the new level 1 table. table0 = PhpCreateHandleTableLevel0(HandleTable, Initialize); #ifdef PH_HANDLE_TABLE_SAFE if (!table0) { PhpFreeHandleTableLevel1(table1); return FALSE; } #endif table1[0] = (PPH_HANDLE_TABLE_ENTRY)tableValue; table1[1] = table0; tableValue = (ULONG_PTR)table1 | 1; //_InterlockedExchangePointer((PVOID *)&HandleTable->TableValue, (PVOID)tableValue); HandleTable->TableValue = tableValue; } break; case 1: { table1 = (PPH_HANDLE_TABLE_ENTRY *)tableValue; // Determine whether we need to create a new level 0 table or create a level 2 table. i = HandleTable->NextValue / PH_HANDLE_TABLE_LEVEL_ENTRIES; if (i < PH_HANDLE_TABLE_LEVEL_ENTRIES) { table0 = PhpCreateHandleTableLevel0(HandleTable, TRUE); #ifdef PH_HANDLE_TABLE_SAFE if (!table0) return FALSE; #endif //_InterlockedExchangePointer((PVOID *)&table1[i], table0); table1[i] = table0; } else { // Create a level 2 table. table2 = PhpCreateHandleTableLevel2(HandleTable); #ifdef PH_HANDLE_TABLE_SAFE if (!table2) return FALSE; #endif // Create a new level 1 table and move the existing level into the new level 2 // table. table1 = PhpCreateHandleTableLevel1(HandleTable); #ifdef PH_HANDLE_TABLE_SAFE if (!table1) { PhpFreeHandleTableLevel2(table2); return FALSE; } #endif table0 = PhpCreateHandleTableLevel0(HandleTable, Initialize); #ifdef PH_HANDLE_TABLE_SAFE if (!table0) { PhpFreeHandleTableLevel1(table1); PhpFreeHandleTableLevel2(table2); return FALSE; } #endif table1[0] = table0; table2[0] = (PPH_HANDLE_TABLE_ENTRY *)tableValue; table2[1] = table1; tableValue = (ULONG_PTR)table2 | 2; //_InterlockedExchangePointer((PVOID *)&HandleTable->TableValue, (PVOID)tableValue); HandleTable->TableValue = tableValue; } } break; case 2: { table2 = (PPH_HANDLE_TABLE_ENTRY **)tableValue; i = HandleTable->NextValue / (PH_HANDLE_TABLE_LEVEL_ENTRIES * PH_HANDLE_TABLE_LEVEL_ENTRIES); // i contains an index into the level 2 table, of the containing level 1 table. // Check if we have exceeded the maximum number of handles. if (i >= PH_HANDLE_TABLE_LEVEL_ENTRIES) return FALSE; // Check if we should create a new level 0 table or a new level 2 table. if (table2[i]) { table0 = PhpCreateHandleTableLevel0(HandleTable, Initialize); #ifdef PH_HANDLE_TABLE_SAFE if (!table0) return FALSE; #endif // Same as j = HandleTable->NextValue % (no. entries * no. entries), but we already // calculated i so just use it. j = HandleTable->NextValue - i * (PH_HANDLE_TABLE_LEVEL_ENTRIES * PH_HANDLE_TABLE_LEVEL_ENTRIES); j /= PH_HANDLE_TABLE_LEVEL_ENTRIES; // j now contains an index into the level 1 table, of the containing level 0 table // (the one which was created). //_InterlockedExchangePointer((PVOID *)&table2[i][j], table0); table2[i][j] = table0; } else { table1 = PhpCreateHandleTableLevel1(HandleTable); #ifdef PH_HANDLE_TABLE_SAFE if (!table1) return FALSE; #endif table0 = PhpCreateHandleTableLevel0(HandleTable, TRUE); #ifdef PH_HANDLE_TABLE_SAFE if (!table0) { PhpFreeHandleTableLevel1(table1); return FALSE; } #endif table1[0] = table0; //_InterlockedExchangePointer((PVOID *)&table2[i], table1); table2[i] = table1; } } break; default: ASSUME_NO_DEFAULT; } // In each of the cases above, we allocated one additional level 0 table. oldNextValue = _InterlockedExchangeAdd( (PLONG)&HandleTable->NextValue, PH_HANDLE_TABLE_LEVEL_ENTRIES ); if (Initialize) { // No ABA problem since these are new handles being pushed. while (TRUE) { freeValue = HandleTable->FreeValue; table0[PH_HANDLE_TABLE_LEVEL_ENTRIES - 1].NextFreeValue = freeValue; if (_InterlockedCompareExchange( &HandleTable->FreeValue, oldNextValue, freeValue ) == freeValue) { break; } } } return TRUE; } PPH_HANDLE_TABLE_ENTRY PhpLookupHandleTableEntry( _In_ PPH_HANDLE_TABLE HandleTable, _In_ ULONG HandleValue ) { ULONG_PTR tableValue; ULONG tableLevel; PPH_HANDLE_TABLE_ENTRY table0; PPH_HANDLE_TABLE_ENTRY *table1; PPH_HANDLE_TABLE_ENTRY **table2; PPH_HANDLE_TABLE_ENTRY entry = NULL; if (HandleValue >= HandleTable->NextValue) return NULL; // Get a pointer to the table, and its level. tableValue = HandleTable->TableValue; tableLevel = tableValue & PH_HANDLE_TABLE_LEVEL_MASK; tableValue -= tableLevel; // No additional checking needed; already checked against NextValue. switch (tableLevel) { case 0: { table0 = (PPH_HANDLE_TABLE_ENTRY)tableValue; entry = &table0[HandleValue]; } break; case 1: { table1 = (PPH_HANDLE_TABLE_ENTRY *)tableValue; table0 = table1[PH_HANDLE_VALUE_LEVEL1_U(HandleValue)]; entry = &table0[PH_HANDLE_VALUE_LEVEL0(HandleValue)]; } break; case 2: { table2 = (PPH_HANDLE_TABLE_ENTRY **)tableValue; table1 = table2[PH_HANDLE_VALUE_LEVEL2_U(HandleValue)]; table0 = table1[PH_HANDLE_VALUE_LEVEL1(HandleValue)]; entry = &table0[PH_HANDLE_VALUE_LEVEL0(HandleValue)]; } break; default: ASSUME_NO_DEFAULT; } return entry; } ULONG PhpMoveFreeHandleTableEntries( _Inout_ PPH_HANDLE_TABLE HandleTable ) { ULONG freeValueAlt; ULONG flags; ULONG i; ULONG index; ULONG nextIndex; ULONG lastIndex; PPH_HANDLE_TABLE_ENTRY entry; PPH_HANDLE_TABLE_ENTRY firstEntry = NULL; ULONG count; ULONG freeValue; // Remove all entries from the alt. free list. freeValueAlt = _InterlockedExchange(&HandleTable->FreeValueAlt, PH_HANDLE_VALUE_INVALID); if (freeValueAlt == PH_HANDLE_VALUE_INVALID) { // No handles on the alt. free list. return PH_HANDLE_VALUE_INVALID; } // Avoid the ABA problem by testing all locks (see PhpAllocateHandleTableEntry for details). // Unlike in PhpFreeHandleTableEntry we have no "alternative" list, so we must allow blocking. for (i = 0; i < PH_HANDLE_TABLE_LOCKS; i++) PhAcquireReleaseQueuedLockExclusive(&HandleTable->Locks[i]); flags = HandleTable->Flags; if (!(flags & PH_HANDLE_TABLE_STRICT_FIFO)) { // Shortcut: if there are no entries in the main free list and we don't need to reverse the // chain, just return. if (_InterlockedCompareExchange( &HandleTable->FreeValue, freeValueAlt, PH_HANDLE_VALUE_INVALID ) == PH_HANDLE_VALUE_INVALID) return freeValueAlt; } // Reverse the chain (even if strict FIFO is off; we have to traverse the list to find the last // entry, so we might as well reverse it along the way). index = freeValueAlt; lastIndex = PH_HANDLE_VALUE_INVALID; count = 0; while (TRUE) { entry = PhpLookupHandleTableEntry(HandleTable, index); count++; if (lastIndex == PH_HANDLE_VALUE_INVALID) firstEntry = entry; nextIndex = entry->NextFreeValue; entry->NextFreeValue = lastIndex; lastIndex = index; if (nextIndex == PH_HANDLE_VALUE_INVALID) break; index = nextIndex; } // Note that firstEntry actually contains the last free entry, since we reversed the list. // Similarly index/lastIndex both contain the index of the first free entry. // Push the entries onto the free list. while (TRUE) { freeValue = HandleTable->FreeValue; firstEntry->NextFreeValue = freeValue; if (_InterlockedCompareExchange( &HandleTable->FreeValue, index, freeValue ) == freeValue) break; } // Force expansion if we don't have enough free handles. if ( (flags & PH_HANDLE_TABLE_STRICT_FIFO) && count < PH_HANDLE_TABLE_FREE_COUNT ) { index = PH_HANDLE_VALUE_INVALID; } return index; } PPH_HANDLE_TABLE_ENTRY PhpCreateHandleTableLevel0( _In_ PPH_HANDLE_TABLE HandleTable, _In_ BOOLEAN Initialize ) { PPH_HANDLE_TABLE_ENTRY table; PPH_HANDLE_TABLE_ENTRY entry; ULONG baseValue; ULONG i; #ifdef PH_HANDLE_TABLE_SAFE __try { table = PhAllocateFromFreeList(&PhHandleTableLevel0FreeList); } __except (SIMPLE_EXCEPTION_FILTER(GetExceptionCode() == STATUS_NO_MEMORY)) { return NULL; } #else table = PhAllocateFromFreeList(&PhHandleTableLevel0FreeList); #endif if (Initialize) { entry = &table[0]; baseValue = HandleTable->NextValue; for (i = baseValue + 1; i < baseValue + PH_HANDLE_TABLE_LEVEL_ENTRIES; i++) { entry->Value = PH_HANDLE_TABLE_ENTRY_FREE; entry->NextFreeValue = i; entry++; } entry->Value = PH_HANDLE_TABLE_ENTRY_FREE; entry->NextFreeValue = PH_HANDLE_VALUE_INVALID; } return table; } VOID PhpFreeHandleTableLevel0( _In_ PPH_HANDLE_TABLE_ENTRY Table ) { PhFreeToFreeList(&PhHandleTableLevel0FreeList, Table); } PPH_HANDLE_TABLE_ENTRY *PhpCreateHandleTableLevel1( _In_ PPH_HANDLE_TABLE HandleTable ) { PPH_HANDLE_TABLE_ENTRY *table; #ifdef PH_HANDLE_TABLE_SAFE __try { table = PhAllocateFromFreeList(&PhHandleTableLevel1FreeList); } __except (SIMPLE_EXCEPTION_FILTER(GetExceptionCode() == STATUS_NO_MEMORY)) { return NULL; } #else table = PhAllocateFromFreeList(&PhHandleTableLevel1FreeList); #endif memset(table, 0, sizeof(PPH_HANDLE_TABLE_ENTRY) * PH_HANDLE_TABLE_LEVEL_ENTRIES); return table; } VOID PhpFreeHandleTableLevel1( _In_ PPH_HANDLE_TABLE_ENTRY *Table ) { PhFreeToFreeList(&PhHandleTableLevel1FreeList, Table); } PPH_HANDLE_TABLE_ENTRY **PhpCreateHandleTableLevel2( _In_ PPH_HANDLE_TABLE HandleTable ) { PPH_HANDLE_TABLE_ENTRY **table; #ifdef PH_HANDLE_TABLE_SAFE table = PhAllocateSafe(sizeof(PPH_HANDLE_TABLE_ENTRY *) * PH_HANDLE_TABLE_LEVEL_ENTRIES); if (!table) return NULL; #else table = PhAllocate(sizeof(PPH_HANDLE_TABLE_ENTRY *) * PH_HANDLE_TABLE_LEVEL_ENTRIES); #endif memset(table, 0, sizeof(PPH_HANDLE_TABLE_ENTRY *) * PH_HANDLE_TABLE_LEVEL_ENTRIES); return table; } VOID PhpFreeHandleTableLevel2( _In_ PPH_HANDLE_TABLE_ENTRY **Table ) { PhFree(Table); } ================================================ FILE: phlib/hexedit.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #include #include #include #include // Code originally from http://www.codeguru.com/Cpp/controls/editctrl/article.php/c539 RTL_ATOM PhHexEditInitialization( VOID ) { WNDCLASSEX wcex; memset(&wcex, 0, sizeof(WNDCLASSEX)); wcex.cbSize = sizeof(WNDCLASSEX); wcex.style = CS_GLOBALCLASS | CS_DBLCLKS; wcex.lpfnWndProc = PhpHexEditWndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = sizeof(PVOID); wcex.hInstance = NtCurrentImageBase(); wcex.hCursor = PhLoadCursor(NULL, IDC_ARROW); wcex.lpszClassName = PH_HEXEDIT_CLASSNAME; return RegisterClassEx(&wcex); } PPHP_HEXEDIT_CONTEXT PhpCreateHexEditContext( VOID ) { PPHP_HEXEDIT_CONTEXT context; context = PhAllocate(sizeof(PHP_HEXEDIT_CONTEXT)); memset(context, 0, sizeof(PHP_HEXEDIT_CONTEXT)); // important, set NullWidth to 0 context->Data = NULL; context->Length = 0; context->TopIndex = 0; context->BytesPerRow = 16; context->LinesPerPage = 1; context->ShowHex = TRUE; context->ShowAscii = TRUE; context->ShowAddress = TRUE; context->AddressIsWide = TRUE; context->AllowLengthChange = FALSE; context->AddressOffset = 0; context->HexOffset = 0; context->AsciiOffset = 0; context->Update = TRUE; context->NoAddressChange = FALSE; context->CurrentMode = EDIT_NONE; context->EditPosition.x = 0; context->EditPosition.y = 0; context->CurrentAddress = 0; context->HalfPage = TRUE; context->SelStart = -1; context->SelEnd = -1; return context; } VOID PhpFreeHexEditContext( _In_ _Post_invalid_ PPHP_HEXEDIT_CONTEXT Context ) { if (!Context->UserBuffer && Context->Data) PhFree(Context->Data); if (Context->CharBuffer) PhFree(Context->CharBuffer); if (Context->Font) DeleteFont(Context->Font); PhFree(Context); } LRESULT CALLBACK PhpHexEditWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_HEXEDIT_CONTEXT context; context = PhGetWindowContextEx(hwnd); if (uMsg == WM_NCCREATE) { context = PhpCreateHexEditContext(); PhSetWindowContextEx(hwnd, context); } if (!context) return DefWindowProc(hwnd, uMsg, wParam, lParam); switch (uMsg) { case WM_CREATE: { context->WindowDpi = PhGetWindowDpi(hwnd); context->Font = CreateFont( -(LONG)PhGetDpi(12, context->WindowDpi), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, L"Courier New" ); } break; case WM_DESTROY: { PhRemoveWindowContextEx(hwnd); PhpFreeHexEditContext(context); } break; case WM_PAINT: { PAINTSTRUCT paintStruct; HDC hdc; if (hdc = BeginPaint(hwnd, &paintStruct)) { PhpHexEditOnPaint(hwnd, context, &paintStruct, hdc); EndPaint(hwnd, &paintStruct); } } break; case WM_SIZE: { PhpHexEditUpdateMetrics(hwnd, context, FALSE, NULL); } break; case WM_DPICHANGED_AFTERPARENT: { context->WindowDpi = PhGetWindowDpi(hwnd); } break; case WM_SETFOCUS: { if (context->Data && !PhpHexEditHasSelected(context)) { if (context->EditPosition.x == 0 && context->ShowAddress) PhpHexEditCreateAddressCaret(hwnd, context); else PhpHexEditCreateEditCaret(hwnd, context); SetCaretPos(context->EditPosition.x, context->EditPosition.y); ShowCaret(hwnd); } } break; case WM_KILLFOCUS: { DestroyCaret(); } break; case WM_VSCROLL: { SHORT scrollRequest = LOWORD(wParam); LONG currentPosition; LONG originalTopIndex; SCROLLINFO scrollInfo = { sizeof(scrollInfo) }; originalTopIndex = context->TopIndex; scrollInfo.fMask = SIF_TRACKPOS; GetScrollInfo(hwnd, SB_VERT, &scrollInfo); currentPosition = scrollInfo.nTrackPos; if (context->Data) { LONG mult; mult = context->LinesPerPage * context->BytesPerRow; switch (scrollRequest) { case SB_LINEDOWN: if (context->TopIndex < context->Length - mult) { context->TopIndex += context->BytesPerRow; REDRAW_WINDOW(hwnd); } break; case SB_LINEUP: if (context->TopIndex >= context->BytesPerRow) { context->TopIndex -= context->BytesPerRow; REDRAW_WINDOW(hwnd); } break; case SB_PAGEDOWN: if (context->TopIndex < context->Length - mult) { LONG pageEnd = 0; while (pageEnd < context->Length - mult) pageEnd += context->BytesPerRow; context->TopIndex += mult; if (context->TopIndex > pageEnd) context->TopIndex = pageEnd; REDRAW_WINDOW(hwnd); } break; case SB_PAGEUP: if (context->TopIndex > 0) { context->TopIndex -= mult; if (context->TopIndex < 0) context->TopIndex = 0; REDRAW_WINDOW(hwnd); } break; case SB_THUMBTRACK: context->TopIndex = currentPosition * context->BytesPerRow; REDRAW_WINDOW(hwnd); break; case SB_TOP: context->TopIndex = 0; REDRAW_WINDOW(hwnd); break; case SB_BOTTOM: while (context->TopIndex < context->Length - mult) context->TopIndex += context->BytesPerRow; REDRAW_WINDOW(hwnd); break; } SetScrollPos(hwnd, SB_VERT, context->TopIndex / context->BytesPerRow, TRUE); if (!context->NoAddressChange && FALSE) // this behaviour sucks, so just leave it out context->CurrentAddress += context->TopIndex - originalTopIndex; PhpHexEditRepositionCaret(hwnd, context, context->CurrentAddress); } } break; case WM_MOUSEWHEEL: { SHORT wheelDelta = GET_WHEEL_DELTA_WPARAM(wParam); if (context->Data) { ULONG wheelScrollLines; if (!PhGetSystemParametersInfo(SPI_GETWHEELSCROLLLINES, 0, &wheelScrollLines, 0)) { wheelScrollLines = PhGetDpi(3, context->WindowDpi); } context->TopIndex += context->BytesPerRow * (LONG)wheelScrollLines * -wheelDelta / WHEEL_DELTA; if (context->TopIndex < 0) context->TopIndex = 0; if (context->Length >= context->LinesPerPage * context->BytesPerRow) { if (context->TopIndex > context->Length - context->LinesPerPage * context->BytesPerRow) context->TopIndex = context->Length - context->LinesPerPage * context->BytesPerRow; } REDRAW_WINDOW(hwnd); SetScrollPos(hwnd, SB_VERT, context->TopIndex / context->BytesPerRow, TRUE); PhpHexEditRepositionCaret(hwnd, context, context->CurrentAddress); } } break; case WM_GETDLGCODE: if (wParam != VK_ESCAPE) return DLGC_WANTALLKEYS; break; case WM_ERASEBKGND: return 1; case WM_LBUTTONDOWN: { ULONG flags = (ULONG)wParam; POINT cursorPos; cursorPos.x = GET_X_LPARAM(lParam); cursorPos.y = GET_Y_LPARAM(lParam); SetFocus(hwnd); if (context->Data) { POINT point; if (wParam & MK_SHIFT) context->SelStart = context->CurrentAddress; PhpHexEditCalculatePosition(hwnd, context, cursorPos.x, cursorPos.y, &point); if (point.x > -1) { context->EditPosition = point; point.x *= context->NullWidth; point.y *= context->LineHeight; if (point.x == 0 && context->ShowAddress) PhpHexEditCreateAddressCaret(hwnd, context); else PhpHexEditCreateEditCaret(hwnd, context); SetCaretPos(point.x, point.y); if (flags & MK_SHIFT) { context->SelEnd = context->CurrentAddress; if (context->CurrentMode == EDIT_HIGH || context->CurrentMode == EDIT_LOW) context->SelEnd++; REDRAW_WINDOW(hwnd); } } if (!(flags & MK_SHIFT)) { if (DragDetect(hwnd, cursorPos)) { context->SelStart = context->CurrentAddress; context->SelEnd = context->SelStart; SetCapture(hwnd); context->HasCapture = TRUE; } else { BOOLEAN selected; selected = context->SelStart != -1; context->SelStart = -1; context->SelEnd = -1; if (selected) REDRAW_WINDOW(hwnd); } } if (!PhpHexEditHasSelected(context)) ShowCaret(hwnd); } } break; case WM_LBUTTONUP: { if (context->HasCapture && PhpHexEditHasSelected(context)) ReleaseCapture(); context->HasCapture = FALSE; } break; case WM_MOUSEMOVE: { ULONG flags = (ULONG)wParam; POINT cursorPos; cursorPos.x = GET_X_LPARAM(lParam); cursorPos.y = GET_Y_LPARAM(lParam); if ( context->Data && context->HasCapture && context->SelStart != -1 ) { RECT rect; POINT point; ULONG oldSelEnd; // User is dragging. GetClientRect(hwnd, &rect); if (!PhPtInRect(&rect, &cursorPos)) { if (cursorPos.y < 0) { SendMessage(hwnd, WM_VSCROLL, SB_LINEUP, 0); cursorPos.y = 0; } else if (cursorPos.y > rect.bottom) { SendMessage(hwnd, WM_VSCROLL, SB_LINEDOWN, 0); cursorPos.y = rect.bottom - 1; } } oldSelEnd = context->SelEnd; PhpHexEditCalculatePosition(hwnd, context, cursorPos.x, cursorPos.y, &point); if (point.x > -1) { context->SelEnd = context->CurrentAddress; if (context->CurrentMode == EDIT_HIGH || context->CurrentMode == EDIT_LOW) context->SelEnd++; } if (PhpHexEditHasSelected(context)) DestroyCaret(); if (context->SelEnd != oldSelEnd) REDRAW_WINDOW(hwnd); } } break; case WM_CHAR: { ULONG c = (ULONG)wParam; if (!context->Data) goto DefaultHandler; if (c == '\t') goto DefaultHandler; if (GetKeyState(VK_CONTROL) < 0) { switch (c) { case 0x3: if (PhpHexEditHasSelected(context)) PhpHexEditCopyEdit(hwnd, context); goto DefaultHandler; case 0x16: PhpHexEditPasteEdit(hwnd, context); goto DefaultHandler; case 0x18: if (PhpHexEditHasSelected(context)) PhpHexEditCutEdit(hwnd, context); goto DefaultHandler; case 0x1a: PhpHexEditUndoEdit(hwnd, context); goto DefaultHandler; } } // Disallow editing beyond the end of the data. if (context->CurrentAddress >= context->Length) goto DefaultHandler; if (c == 0x8) { if (context->CurrentAddress != 0) { context->CurrentAddress--; PhpHexEditSelDelete(hwnd, context, context->CurrentAddress, context->CurrentAddress + 1); PhpHexEditRepositionCaret(hwnd, context, context->CurrentAddress); REDRAW_WINDOW(hwnd); } goto DefaultHandler; } PhpHexEditSetSel(hwnd, context, -1, -1); switch (context->CurrentMode) { case EDIT_NONE: goto DefaultHandler; case EDIT_HIGH: case EDIT_LOW: if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')) { ULONG b = c - '0'; if (b > 9) b = 10 + c - 'a'; if (context->CurrentMode == EDIT_HIGH) { context->Data[context->CurrentAddress] = (UCHAR)((context->Data[context->CurrentAddress] & 0x0f) | (b << 4)); } else { context->Data[context->CurrentAddress] = (UCHAR)((context->Data[context->CurrentAddress] & 0xf0) | b); } PhpHexEditMove(hwnd, context, 1, 0); } break; case EDIT_ASCII: context->Data[context->CurrentAddress] = (UCHAR)c; PhpHexEditMove(hwnd, context, 1, 0); break; } REDRAW_WINDOW(hwnd); } break; case WM_KEYDOWN: { ULONG vk = (ULONG)wParam; BOOLEAN shift = GetKeyState(VK_SHIFT) < 0; BOOLEAN oldNoAddressChange = context->NoAddressChange; BOOLEAN noScrollIntoView = FALSE; context->NoAddressChange = TRUE; switch (vk) { case VK_DOWN: if (context->CurrentMode != EDIT_NONE) { if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; PhpHexEditMove(hwnd, context, 0, 1); context->SelEnd = context->CurrentAddress; if (context->CurrentMode == EDIT_HIGH || context->CurrentMode == EDIT_LOW) context->SelEnd++; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } PhpHexEditMove(hwnd, context, 0, 1); noScrollIntoView = TRUE; } else { PhpHexEditMove(hwnd, context, 0, 1); } break; case VK_UP: if (context->CurrentMode != EDIT_NONE) { if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; PhpHexEditMove(hwnd, context, 0, -1); context->SelEnd = context->CurrentAddress; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } PhpHexEditMove(hwnd, context, 0, -1); noScrollIntoView = TRUE; } else { PhpHexEditMove(hwnd, context, 0, -1); } break; case VK_LEFT: if (context->CurrentMode != EDIT_NONE) { if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; PhpHexEditMove(hwnd, context, -1, 0); context->SelEnd = context->CurrentAddress; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } PhpHexEditMove(hwnd, context, -1, 0); noScrollIntoView = TRUE; } break; case VK_RIGHT: if (context->CurrentMode != EDIT_NONE) { if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; PhpHexEditMove(hwnd, context, 1, 0); context->SelEnd = context->CurrentAddress; if (context->CurrentMode == EDIT_HIGH || context->CurrentMode == EDIT_LOW) context->SelEnd++; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } PhpHexEditMove(hwnd, context, 1, 0); noScrollIntoView = TRUE; } break; case VK_PRIOR: if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; SendMessage(hwnd, WM_VSCROLL, SB_PAGEUP, 0); PhpHexEditMove(hwnd, context, 0, 0); context->SelEnd = context->CurrentAddress; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } SendMessage(hwnd, WM_VSCROLL, SB_PAGEUP, 0); PhpHexEditMove(hwnd, context, 0, 0); noScrollIntoView = TRUE; break; case VK_NEXT: if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; SendMessage(hwnd, WM_VSCROLL, SB_PAGEDOWN, 0); PhpHexEditMove(hwnd, context, 0, 0); context->SelEnd = context->CurrentAddress; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } SendMessage(hwnd, WM_VSCROLL, SB_PAGEDOWN, 0); PhpHexEditMove(hwnd, context, 0, 0); noScrollIntoView = TRUE; break; case VK_HOME: if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; if (GetKeyState(VK_CONTROL) < 0) { SendMessage(hwnd, WM_VSCROLL, SB_THUMBTRACK, 0); } else { // Round down. context->CurrentAddress /= context->BytesPerRow; context->CurrentAddress *= context->BytesPerRow; } PhpHexEditMove(hwnd, context, 0, 0); context->SelEnd = context->CurrentAddress; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } if (GetKeyState(VK_CONTROL) < 0) { SendMessage(hwnd, WM_VSCROLL, SB_THUMBTRACK, 0); context->CurrentAddress = 0; } else { // Round down. context->CurrentAddress /= context->BytesPerRow; context->CurrentAddress *= context->BytesPerRow; } PhpHexEditMove(hwnd, context, 0, 0); noScrollIntoView = TRUE; break; case VK_END: if (shift) { if (!PhpHexEditHasSelected(context)) context->SelStart = context->CurrentAddress; if (GetKeyState(VK_CONTROL) < 0) { context->CurrentAddress = context->Length - 1; SendMessage(hwnd, WM_VSCROLL, MAKEWPARAM(SB_THUMBTRACK, ((context->Length + (context->BytesPerRow / 2)) / context->BytesPerRow) - context->LinesPerPage), 0); } else { context->CurrentAddress /= context->BytesPerRow; context->CurrentAddress *= context->BytesPerRow; context->CurrentAddress += context->BytesPerRow - 1; if (context->CurrentAddress > context->Length) context->CurrentAddress = context->Length - 1; } PhpHexEditMove(hwnd, context, 0, 0); context->SelEnd = context->CurrentAddress; REDRAW_WINDOW(hwnd); break; } else { PhpHexEditSetSel(hwnd, context, -1, -1); } if (GetKeyState(VK_CONTROL) < 0) { context->CurrentAddress = context->Length - 1; if (context->HalfPage) { SendMessage(hwnd, WM_VSCROLL, 0, 0); } else { SendMessage(hwnd, WM_VSCROLL, MAKEWPARAM(SB_THUMBTRACK, ((context->Length + (context->BytesPerRow / 2)) / context->BytesPerRow) - context->LinesPerPage), 0); } } else { context->CurrentAddress /= context->BytesPerRow; context->CurrentAddress *= context->BytesPerRow; context->CurrentAddress += context->BytesPerRow - 1; if (context->CurrentAddress > context->Length) context->CurrentAddress = context->Length - 1; } PhpHexEditMove(hwnd, context, 0, 0); noScrollIntoView = TRUE; break; case VK_INSERT: PhpHexEditSelInsert(hwnd, context, context->CurrentAddress, max(1, context->SelEnd - context->SelStart)); REDRAW_WINDOW(hwnd); break; case VK_DELETE: if (PhpHexEditHasSelected(context)) { PhpHexEditClearEdit(hwnd, context); } else { PhpHexEditSelDelete(hwnd, context, context->CurrentAddress, context->CurrentAddress + 1); REDRAW_WINDOW(hwnd); } break; case '\t': switch (context->CurrentMode) { case EDIT_NONE: context->CurrentMode = EDIT_HIGH; break; case EDIT_HIGH: case EDIT_LOW: context->CurrentMode = EDIT_ASCII; break; case EDIT_ASCII: context->CurrentMode = EDIT_HIGH; break; } PhpHexEditMove(hwnd, context, 0, 0); break; } // Scroll into view if not in view. if ( !noScrollIntoView && (context->CurrentAddress < context->TopIndex || context->CurrentAddress >= context->TopIndex + context->LinesPerPage * context->BytesPerRow) ) { PhpHexEditScrollTo(hwnd, context, context->CurrentAddress); } context->NoAddressChange = oldNoAddressChange; } break; case HEM_SETBUFFER: { PhpHexEditSetBuffer(hwnd, context, (PUCHAR)lParam, (ULONG)wParam); } return TRUE; case HEM_SETDATA: { PhpHexEditSetData(hwnd, context, (PUCHAR)lParam, (ULONG)wParam); } return TRUE; case HEM_GETBUFFER: { PULONG length = (PULONG)wParam; if (length) *length = context->Length; return (LPARAM)context->Data; } case HEM_SETSEL: { LONG selStart = (LONG)wParam; LONG selEnd = (LONG)lParam; if (selStart <= 0) return FALSE; if (selEnd > context->Length) return FALSE; PhpHexEditScrollTo(hwnd, context, selStart); PhpHexEditSetSel(hwnd, context, selStart, selEnd); PhpHexEditRepositionCaret(hwnd, context, selStart); REDRAW_WINDOW(hwnd); } return TRUE; case HEM_SETEDITMODE: { context->CurrentMode = (LONG)wParam; REDRAW_WINDOW(hwnd); } return TRUE; case HEM_SETBYTESPERROW: { LONG bytesPerRow = (LONG)wParam; if (bytesPerRow >= 4) { context->BytesPerRow = bytesPerRow; PhpHexEditUpdateMetrics(hwnd, context, TRUE, NULL); PhpHexEditUpdateScrollbars(hwnd, context); PhpHexEditScrollTo(hwnd, context, context->CurrentAddress); PhpHexEditRepositionCaret(hwnd, context, context->CurrentAddress); REDRAW_WINDOW(hwnd); } } return TRUE; case HEM_SETEXTENDEDUNICODE: { context->ExtendedUnicode = !!(LONG)wParam; } return TRUE; } DefaultHandler: return DefWindowProc(hwnd, uMsg, wParam, lParam); } FORCEINLINE INT PhpIsPrintable( _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ UCHAR Byte ) { if (Context->ExtendedUnicode) return iswctype(Byte, _PUNCT | _ALPHA | _DIGIT); // iswprint else return ((ULONG)((Byte)-' ') <= (ULONG)('~' - ' ')); } FORCEINLINE VOID PhpPrintHex( _In_ HDC hdc, _In_ PPHP_HEXEDIT_CONTEXT Context, _Inout_ PWCHAR Buffer, _In_ UCHAR Byte, _Inout_ PLONG X, _Inout_ PLONG Y, _Inout_ PULONG N ) { PWCHAR p = Buffer; TO_HEX(p, Byte); *p++ = ' '; TextOut(hdc, *X, *Y, Buffer, 3); *X += Context->NullWidth * 3; (*N)++; if (*N == Context->BytesPerRow) { *N = 0; *X = Context->HexOffset; *Y += Context->LineHeight; } } FORCEINLINE VOID PhpPrintAscii( _In_ HDC hdc, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ UCHAR Byte, _Inout_ PLONG X, _Inout_ PLONG Y, _Inout_ PULONG N ) { WCHAR c; c = PhpIsPrintable(Context, Byte) ? Byte : '.'; TextOut(hdc, *X, *Y, &c, 1); *X += Context->NullWidth; (*N)++; if (*N == Context->BytesPerRow) { *N = 0; *X = Context->AsciiOffset; *Y += Context->LineHeight; } } FORCEINLINE COLORREF GetLighterHighlightColor( VOID ) { COLORREF color; UCHAR r; UCHAR g; UCHAR b; color = GetSysColor(COLOR_HIGHLIGHT); r = (UCHAR)color; g = (UCHAR)(color >> 8); b = (UCHAR)(color >> 16); if (r <= 255 - 64) r += 64; else r = 255; if (g <= 255 - 64) g += 64; else g = 255; if (b <= 255 - 64) b += 64; else b = 255; return RGB(r, g, b); } VOID PhpHexEditUpdateMetrics( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ BOOLEAN UpdateLineHeight, _In_opt_ HDC hdc ) { BOOLEAN freeHdc = FALSE; RECT clientRect; SIZE size; if (!hdc && UpdateLineHeight) { hdc = CreateCompatibleDC(hdc); SelectFont(hdc, Context->Font); freeHdc = TRUE; } GetClientRect(hwnd, &clientRect); if (UpdateLineHeight) { GetCharWidth(hdc, '0', '0', &Context->NullWidth); GetTextExtentPoint32(hdc, L"0", 1, &size); Context->LineHeight = size.cy; } Context->HexOffset = Context->ShowAddress ? (Context->AddressIsWide ? Context->NullWidth * 9 : Context->NullWidth * 5) : 0; Context->AsciiOffset = Context->HexOffset + (Context->ShowHex ? (Context->BytesPerRow * 3 * Context->NullWidth) : 0); if (Context->LineHeight != 0) { Context->LinesPerPage = clientRect.bottom / Context->LineHeight; Context->HalfPage = FALSE; if (Context->LinesPerPage * Context->BytesPerRow > Context->Length) { Context->LinesPerPage = (Context->Length + Context->BytesPerRow / 2) / Context->BytesPerRow; if (Context->Length % Context->BytesPerRow != 0) { Context->HalfPage = TRUE; Context->LinesPerPage++; } } } if (freeHdc && hdc) DeleteDC(hdc); } VOID PhpHexEditOnPaint( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ PAINTSTRUCT *PaintStruct, _In_ HDC hdc ) { RECT clientRect; HDC bufferDc; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; LONG height; LONG x; LONG y; LONG i; ULONG requiredBufferLength; PWCHAR buffer; GetClientRect(hwnd, &clientRect); bufferDc = CreateCompatibleDC(hdc); bufferBitmap = CreateCompatibleBitmap(hdc, clientRect.right, clientRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); SetDCBrushColor(bufferDc, GetSysColor(COLOR_WINDOW)); FillRect(bufferDc, &clientRect, PhGetStockBrush(DC_BRUSH)); SelectFont(bufferDc, Context->Font); SetBoundsRect(bufferDc, &clientRect, DCB_DISABLE); requiredBufferLength = (max(8, Context->BytesPerRow * 3) + 1) * sizeof(WCHAR); if (Context->CharBufferLength < requiredBufferLength) { if (Context->CharBuffer) PhFree(Context->CharBuffer); Context->CharBuffer = PhAllocate(requiredBufferLength); Context->CharBufferLength = requiredBufferLength; buffer = Context->CharBuffer; } buffer = Context->CharBuffer; if (Context->Data) { // Get character dimensions. if (Context->Update) { PhpHexEditUpdateMetrics(hwnd, Context, TRUE, bufferDc); Context->Update = FALSE; PhpHexEditUpdateScrollbars(hwnd, Context); } height = (clientRect.bottom + Context->LineHeight - 1) / Context->LineHeight * Context->LineHeight; // round up to height if (Context->ShowAddress) { PH_FORMAT format; ULONG w; RECT rect; PhInitFormatX(&format, 0); format.Type |= FormatPadZeros; format.Width = Context->AddressIsWide ? 8 : 4; w = Context->AddressIsWide ? 8 : 4; rect = clientRect; rect.left = Context->AddressOffset; rect.top = 0; for (i = Context->TopIndex; i < Context->Length && rect.top < height; i += Context->BytesPerRow) { format.u.Int32 = i; PhFormatToBuffer(&format, 1, buffer, requiredBufferLength, NULL); DrawText(bufferDc, buffer, w, &rect, DT_LEFT | DT_TOP | DT_SINGLELINE | DT_NOPREFIX | DT_NOCLIP); rect.top += Context->LineHeight; } } if (Context->ShowHex) { RECT rect; LONG n = 0; x = Context->HexOffset; y = 0; rect = clientRect; rect.left = x; rect.top = 0; if (Context->SelStart != -1) { COLORREF highlightColor; LONG selStart; LONG selEnd; if (Context->CurrentMode == EDIT_HIGH || Context->CurrentMode == EDIT_LOW) highlightColor = GetSysColor(COLOR_HIGHLIGHT); else highlightColor = GetLighterHighlightColor(); selStart = Context->SelStart; selEnd = Context->SelEnd; if (selStart > selEnd) { ULONG t; t = selEnd; selEnd = selStart; selStart = t; } if (selStart >= Context->Length) selStart = Context->Length - 1; if (selEnd > Context->Length) selEnd = Context->Length; // Bytes before the selection for (i = Context->TopIndex; i < selStart && y < height; i++) { PhpPrintHex(bufferDc, Context, buffer, Context->Data[i], &x, &y, &n); } // Bytes in the selection SetTextColor(bufferDc, GetSysColor(COLOR_HIGHLIGHTTEXT)); SetBkColor(bufferDc, highlightColor); for (; i < selEnd && i < Context->Length && y < height; i++) { PhpPrintHex(bufferDc, Context, buffer, Context->Data[i], &x, &y, &n); } // Bytes after the selection SetTextColor(bufferDc, GetSysColor(COLOR_WINDOWTEXT)); SetBkColor(bufferDc, GetSysColor(COLOR_WINDOW)); for (; i < Context->Length && y < height; i++) { PhpPrintHex(bufferDc, Context, buffer, Context->Data[i], &x, &y, &n); } } else { i = Context->TopIndex; while (i < Context->Length && rect.top < height) { PWCHAR p = buffer; for (n = 0; n < Context->BytesPerRow && i < Context->Length; n++) { TO_HEX(p, Context->Data[i]); *p++ = ' '; i++; } while (n < Context->BytesPerRow) { p[0] = ' '; p[1] = ' '; p[2] = ' '; p += 3; n++; } DrawText(bufferDc, buffer, Context->BytesPerRow * 3, &rect, DT_LEFT | DT_TOP | DT_SINGLELINE | DT_NOPREFIX | DT_NOCLIP); rect.top += Context->LineHeight; } } } if (Context->ShowAscii) { RECT rect; LONG n = 0; x = Context->AsciiOffset; y = 0; rect = clientRect; rect.left = x; rect.top = 0; if (Context->SelStart != -1) { COLORREF highlightColor; LONG selStart; LONG selEnd; if (Context->CurrentMode == EDIT_ASCII) highlightColor = GetSysColor(COLOR_HIGHLIGHT); else highlightColor = GetLighterHighlightColor(); selStart = Context->SelStart; selEnd = Context->SelEnd; if (selStart > selEnd) { LONG t; t = selEnd; selEnd = selStart; selStart = t; } if (selStart >= Context->Length) selStart = Context->Length - 1; if (selEnd > Context->Length) selEnd = Context->Length; // Bytes before the selection for (i = Context->TopIndex; i < selStart && y < height; i++) { PhpPrintAscii(bufferDc, Context, Context->Data[i], &x, &y, &n); } // Bytes in the selection SetTextColor(bufferDc, GetSysColor(COLOR_HIGHLIGHTTEXT)); SetBkColor(bufferDc, highlightColor); for (; i < selEnd && i < Context->Length && y < height; i++) { PhpPrintAscii(bufferDc, Context, Context->Data[i], &x, &y, &n); } // Bytes after the selection SetTextColor(bufferDc, GetSysColor(COLOR_WINDOWTEXT)); SetBkColor(bufferDc, GetSysColor(COLOR_WINDOW)); for (; i < Context->Length && y < height; i++) { PhpPrintAscii(bufferDc, Context, Context->Data[i], &x, &y, &n); } } else { i = Context->TopIndex; while (i < Context->Length && rect.top < height) { PWCHAR p = buffer; for (n = 0; n < Context->BytesPerRow && i < Context->Length; n++) { *p++ = PhpIsPrintable(Context, Context->Data[i]) ? Context->Data[i] : '.'; // 1 i++; } DrawText(bufferDc, buffer, n, &rect, DT_LEFT | DT_TOP | DT_SINGLELINE | DT_NOPREFIX | DT_NOCLIP); rect.top += Context->LineHeight; } } } } BitBlt(hdc, 0, 0, clientRect.right, clientRect.bottom, bufferDc, 0, 0, SRCCOPY); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); } VOID PhpHexEditUpdateScrollbars( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { SCROLLINFO si = { sizeof(si) }; si.fMask = SIF_ALL; si.nMin = 0; si.nMax = Context->Length / Context->BytesPerRow; si.nPage = Context->LinesPerPage; si.nPos = Context->TopIndex / Context->BytesPerRow; SetScrollInfo(hwnd, SB_VERT, &si, TRUE); if (si.nMax > (LONG)si.nPage - 1) EnableScrollBar(hwnd, SB_VERT, ESB_ENABLE_BOTH); // No horizontal scrollbar please. /*si.nMin = 0; si.nMax = ((Context->ShowAddress ? (Context->AddressIsWide ? 8 : 4) : 0) + (Context->ShowHex ? Context->BytesPerRow * 3 : 0) + (Context->ShowAscii ? Context->BytesPerRow : 0)) * Context->NullWidth; si.nPage = 1; si.nPos = 0; SetScrollInfo(hwnd, SB_HORZ, &si, TRUE);*/ } VOID PhpHexEditCreateAddressCaret( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { DestroyCaret(); CreateCaret(hwnd, NULL, Context->NullWidth * (Context->AddressIsWide ? 8 : 4), Context->LineHeight); } VOID PhpHexEditCreateEditCaret( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { DestroyCaret(); CreateCaret(hwnd, NULL, Context->NullWidth, Context->LineHeight); } VOID PhpHexEditRepositionCaret( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG Position ) { ULONG x; ULONG y; RECT rect; x = (Position - Context->TopIndex) % Context->BytesPerRow; y = (Position - Context->TopIndex) / Context->BytesPerRow; switch (Context->CurrentMode) { case EDIT_NONE: PhpHexEditCreateAddressCaret(hwnd, Context); x = 0; break; case EDIT_HIGH: PhpHexEditCreateEditCaret(hwnd, Context); x *= Context->NullWidth * 3; x += Context->HexOffset; break; case EDIT_LOW: PhpHexEditCreateEditCaret(hwnd, Context); x *= Context->NullWidth * 3; x += Context->NullWidth; x += Context->HexOffset; break; case EDIT_ASCII: PhpHexEditCreateEditCaret(hwnd, Context); x *= Context->NullWidth; x += Context->AsciiOffset; break; } Context->EditPosition.x = x; Context->EditPosition.y = y * Context->LineHeight; GetClientRect(hwnd, &rect); if (PhPtInRect(&rect, &Context->EditPosition)) { SetCaretPos(Context->EditPosition.x, Context->EditPosition.y); ShowCaret(hwnd); } } VOID PhpHexEditCalculatePosition( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG X, _In_ LONG Y, _Out_ POINT *Point ) { LONG xp; Y /= Context->LineHeight; if (Y < 0 || Y >= Context->LinesPerPage) { Point->x = -1; Point->y = -1; return; } if (Y * Context->BytesPerRow >= Context->Length) { Point->x = -1; Point->y = -1; return; } X += Context->NullWidth; X /= Context->NullWidth; if (Context->ShowAddress && X <= (Context->AddressIsWide ? 8 : 4)) { Context->CurrentAddress = Context->TopIndex + Context->BytesPerRow * Y; Context->CurrentMode = EDIT_NONE; Point->x = 0; Point->y = Y; return; } xp = Context->HexOffset / Context->NullWidth + Context->BytesPerRow * 3; if (Context->ShowHex && X < xp) { if (X % 3) X--; Context->CurrentAddress = Context->TopIndex + Context->BytesPerRow * Y + (X - (Context->HexOffset / Context->NullWidth)) / 3; Context->CurrentMode = ((X % 3) & 1) ? EDIT_LOW : EDIT_HIGH; Point->x = X; Point->y = Y; return; } X--; // fix selection problem xp = Context->AsciiOffset / Context->NullWidth + Context->BytesPerRow; if (Context->ShowAscii && X * Context->NullWidth >= Context->AsciiOffset && X <= xp) { Context->CurrentAddress = Context->TopIndex + Context->BytesPerRow * Y + (X - (Context->AsciiOffset / Context->NullWidth)); Context->CurrentMode = EDIT_ASCII; Point->x = X; Point->y = Y; return; } Point->x = -1; Point->y = -1; } VOID PhpHexEditMove( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG X, _In_ LONG Y ) { switch (Context->CurrentMode) { case EDIT_NONE: Context->CurrentAddress += Y * Context->BytesPerRow; break; case EDIT_HIGH: if (X != 0) Context->CurrentMode = EDIT_LOW; if (X == -1) Context->CurrentAddress--; Context->CurrentAddress += Y * Context->BytesPerRow; break; case EDIT_LOW: if (X != 0) Context->CurrentMode = EDIT_HIGH; if (X == 1) Context->CurrentAddress++; Context->CurrentAddress += Y * Context->BytesPerRow; break; case EDIT_ASCII: Context->CurrentAddress += X; Context->CurrentAddress += Y * Context->BytesPerRow; break; } if (Context->CurrentAddress < 0) Context->CurrentAddress = 0; if (Context->CurrentAddress >= Context->Length) { Context->CurrentAddress -= X; Context->CurrentAddress -= Y * Context->BytesPerRow; } Context->NoAddressChange = TRUE; if (Context->CurrentAddress < Context->TopIndex) SendMessage(hwnd, WM_VSCROLL, SB_LINEUP, 0); if (Context->CurrentAddress >= Context->TopIndex + Context->LinesPerPage * Context->BytesPerRow) SendMessage(hwnd, WM_VSCROLL, SB_LINEDOWN, 0); Context->NoAddressChange = FALSE; PhpHexEditRepositionCaret(hwnd, Context, Context->CurrentAddress); } VOID PhpHexEditSetSel( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG S, _In_ LONG E ) { DestroyCaret(); Context->SelStart = S; Context->SelEnd = E; REDRAW_WINDOW(hwnd); if (S != -1 && E != -1) { Context->CurrentAddress = S; } else { if (Context->EditPosition.x == 0 && Context->ShowAddress) PhpHexEditCreateAddressCaret(hwnd, Context); else PhpHexEditCreateEditCaret(hwnd, Context); SetCaretPos(Context->EditPosition.x, Context->EditPosition.y); ShowCaret(hwnd); } } VOID PhpHexEditScrollTo( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG Position ) { if (Position < Context->TopIndex || Position > Context->TopIndex + Context->LinesPerPage * Context->BytesPerRow) { Context->TopIndex = Position / Context->BytesPerRow * Context->BytesPerRow; // round down Context->TopIndex -= Context->LinesPerPage / 3 * Context->BytesPerRow; if (Context->TopIndex < 0) Context->TopIndex = 0; if (Context->Length >= Context->LinesPerPage * Context->BytesPerRow) { if (Context->TopIndex > Context->Length - Context->LinesPerPage * Context->BytesPerRow) Context->TopIndex = Context->Length - Context->LinesPerPage * Context->BytesPerRow; } PhpHexEditUpdateScrollbars(hwnd, Context); REDRAW_WINDOW(hwnd); } } VOID PhpHexEditClearEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { if (Context->AllowLengthChange) { Context->CurrentAddress = Context->SelStart; PhpHexEditSelDelete(hwnd, Context, Context->SelStart, Context->SelEnd); PhpHexEditRepositionCaret(hwnd, Context, Context->CurrentAddress); REDRAW_WINDOW(hwnd); } } VOID PhpHexEditCopyEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { if (OpenClipboard(hwnd)) { EmptyClipboard(); PhpHexEditNormalizeSel(hwnd, Context); if (Context->CurrentMode != EDIT_ASCII) { ULONG length = Context->SelEnd - Context->SelStart; HGLOBAL binaryMemory; HGLOBAL hexMemory; binaryMemory = GlobalAlloc(GMEM_MOVEABLE | GMEM_ZEROINIT, length); if (binaryMemory) { PUCHAR p = GlobalLock(binaryMemory); memcpy(p, &Context->Data[Context->SelStart], length); GlobalUnlock(binaryMemory); hexMemory = GlobalAlloc(GMEM_MOVEABLE | GMEM_ZEROINIT, (length * 3 + 1) * sizeof(WCHAR)); if (hexMemory) { PWCHAR pw; ULONG i; pw = GlobalLock(hexMemory); for (i = 0; i < length; i++) { TO_HEX(pw, Context->Data[Context->SelStart + i]); *pw++ = ' '; } *pw = 0; GlobalUnlock(hexMemory); SetClipboardData(CF_UNICODETEXT, hexMemory); } SetClipboardData(RegisterClipboardFormat(L"BinaryData"), binaryMemory); } } else { ULONG length = Context->SelEnd - Context->SelStart; HGLOBAL binaryMemory; HGLOBAL asciiMemory; binaryMemory = GlobalAlloc(GMEM_MOVEABLE | GMEM_ZEROINIT, length); asciiMemory = GlobalAlloc(GMEM_MOVEABLE | GMEM_ZEROINIT, length + 1); if (binaryMemory) { PUCHAR p = GlobalLock(binaryMemory); memcpy(p, &Context->Data[Context->SelStart], length); GlobalUnlock(binaryMemory); if (asciiMemory) { ULONG i; p = GlobalLock(asciiMemory); memcpy(p, &Context->Data[Context->SelStart], length); for (i = 0; i < length; i++) { if (!PhpIsPrintable(Context, *p)) *p = '.'; p++; } *p = 0; GlobalUnlock(asciiMemory); SetClipboardData(CF_TEXT, asciiMemory); } SetClipboardData(RegisterClipboardFormat(L"BinaryData"), binaryMemory); } } CloseClipboard(); } } VOID PhpHexEditCutEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { if (Context->AllowLengthChange) { PhpHexEditCopyEdit(hwnd, Context); PhpHexEditSelDelete(hwnd, Context, Context->SelStart, Context->SelEnd); REDRAW_WINDOW(hwnd); } } VOID PhpHexEditPasteEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { if (OpenClipboard(hwnd)) { HANDLE memory; memory = GetClipboardData(RegisterClipboardFormat(L"BinaryData")); if (!memory) memory = GetClipboardData(CF_TEXT); if (memory) { PUCHAR p = GlobalLock(memory); ULONG length = (ULONG)GlobalSize(memory); ULONG paste; ULONG oldCurrentAddress = Context->CurrentAddress; PhpHexEditNormalizeSel(hwnd, Context); if (Context->AllowLengthChange) { if (Context->SelStart == -1) { if (Context->CurrentMode == EDIT_LOW) Context->CurrentAddress++; paste = Context->CurrentAddress; PhpHexEditSelInsert(hwnd, Context, Context->CurrentAddress, length); } else { paste = Context->SelStart; PhpHexEditSelDelete(hwnd, Context, Context->SelStart, Context->SelEnd); PhpHexEditSelInsert(hwnd, Context, paste, length); PhpHexEditSetSel(hwnd, Context, -1, -1); } } else { if (Context->SelStart == -1) { if (Context->CurrentMode == EDIT_LOW) Context->CurrentAddress++; paste = Context->CurrentAddress; } else { paste = Context->SelStart; } if (length > Context->Length - paste) length = Context->Length - paste; } memcpy(&Context->Data[paste], p, length); GlobalUnlock(memory); Context->CurrentAddress = oldCurrentAddress; REDRAW_WINDOW(hwnd); } CloseClipboard(); } } VOID PhpHexEditSelectAll( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { Context->SelStart = 0; Context->SelEnd = Context->Length; DestroyCaret(); REDRAW_WINDOW(hwnd); } VOID PhpHexEditUndoEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { // TODO } VOID PhpHexEditNormalizeSel( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ) { if (Context->SelStart > Context->SelEnd) { LONG t; t = Context->SelEnd; Context->SelEnd = Context->SelStart; Context->SelStart = t; } } VOID PhpHexEditSelDelete( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG S, _In_ LONG E ) { if (Context->AllowLengthChange && Context->Length > 0) { PUCHAR p = PhAllocate(Context->Length - (E - S) + 1); memcpy(p, Context->Data, S); if (S < Context->Length - (E - S)) memcpy(&p[S], &Context->Data[E], Context->Length - E); PhFree(Context->Data); Context->Data = p; PhpHexEditSetSel(hwnd, Context, -1, -1); Context->Length -= E - S; if (Context->CurrentAddress > Context->Length) { Context->CurrentAddress = Context->Length; PhpHexEditRepositionCaret(hwnd, Context, Context->CurrentAddress); } Context->Update = TRUE; } } VOID PhpHexEditSelInsert( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG S, _In_ LONG L ) { if (Context->AllowLengthChange) { PUCHAR p = PhAllocate(Context->Length + L); memset(p, 0, Context->Length + L); memcpy(p, Context->Data, S); memcpy(&p[S + L], &Context->Data[S], Context->Length - S); PhFree(Context->Data); Context->Data = p; PhpHexEditSetSel(hwnd, Context, -1, -1); Context->Length += L; Context->Update = TRUE; } } VOID PhpHexEditSetBuffer( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ PUCHAR Data, _In_ ULONG Length ) { Context->Data = Data; PhpHexEditSetSel(hwnd, Context, -1, -1); Context->Length = Length; Context->CurrentAddress = 0; Context->EditPosition.x = Context->EditPosition.y = 0; Context->CurrentMode = EDIT_HIGH; Context->TopIndex = 0; Context->Update = TRUE; Context->UserBuffer = TRUE; Context->AllowLengthChange = FALSE; } VOID PhpHexEditSetData( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ PUCHAR Data, _In_ ULONG Length ) { if (Context->Data) PhFree(Context->Data); Context->Data = PhAllocate(Length); memcpy(Context->Data, Data, Length); PhpHexEditSetBuffer(hwnd, Context, Context->Data, Length); Context->UserBuffer = FALSE; Context->AllowLengthChange = TRUE; } ================================================ FILE: phlib/hndlinfo.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #define PH_QUERY_HACK_MAX_THREADS 20 typedef struct _PHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT { SLIST_ENTRY ListEntry; PUSER_THREAD_START_ROUTINE Routine; PVOID Context; HANDLE StartEventHandle; HANDLE CompletedEventHandle; HANDLE ThreadHandle; } PHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT, *PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT; typedef enum _PHP_QUERY_OBJECT_WORK { NtQueryObjectWork, NtQuerySecurityObjectWork, NtSetSecurityObjectWork, NtQueryFileInformationWork, KphQueryFileInformationWork } PHP_QUERY_OBJECT_WORK; typedef struct _PHP_QUERY_OBJECT_COMMON_CONTEXT { PHP_QUERY_OBJECT_WORK Work; NTSTATUS Status; union { struct { HANDLE Handle; OBJECT_INFORMATION_CLASS ObjectInformationClass; PVOID ObjectInformation; ULONG ObjectInformationLength; PULONG ReturnLength; } NtQueryObject; struct { HANDLE Handle; SECURITY_INFORMATION SecurityInformation; PSECURITY_DESCRIPTOR SecurityDescriptor; ULONG Length; PULONG LengthNeeded; } NtQuerySecurityObject; struct { HANDLE Handle; SECURITY_INFORMATION SecurityInformation; PSECURITY_DESCRIPTOR SecurityDescriptor; } NtSetSecurityObject; struct { HANDLE Handle; FILE_INFORMATION_CLASS FileInformationClass; PVOID FileInformation; ULONG FileInformationLength; } NtQueryFileInformation; struct { HANDLE ProcessHandle; HANDLE Handle; FILE_INFORMATION_CLASS FileInformationClass; PVOID FileInformation; ULONG FileInformationLength; } KphQueryFileInformation; } u; } PHP_QUERY_OBJECT_COMMON_CONTEXT, *PPHP_QUERY_OBJECT_COMMON_CONTEXT; PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT PhpAcquireCallWithTimeoutThread( _In_opt_ PLARGE_INTEGER Timeout ); VOID PhpReleaseCallWithTimeoutThread( _Inout_ PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT ThreadContext ); NTSTATUS PhpCallWithTimeout( _Inout_ PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT ThreadContext, _In_ PUSER_THREAD_START_ROUTINE Routine, _In_opt_ PVOID Context, _In_ PLARGE_INTEGER Timeout ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpCallWithTimeoutThreadStart( _In_ PVOID Parameter ); BOOLEAN PhEnableProcessHandlePnPDeviceNameSupport = FALSE; static PPH_STRING PhObjectTypeNames[MAX_OBJECT_TYPE_NUMBER] = { 0 }; static PPH_GET_CLIENT_ID_NAME PhHandleGetClientIdName = PhStdGetClientIdName; static SLIST_HEADER PhpCallWithTimeoutThreadListHead; static PH_WAKE_EVENT PhpCallWithTimeoutThreadReleaseEvent = PH_WAKE_EVENT_INIT; PPH_GET_CLIENT_ID_NAME PhSetHandleClientIdFunction( _In_ PPH_GET_CLIENT_ID_NAME GetClientIdName ) { return _InterlockedExchangePointer( (PVOID *)&PhHandleGetClientIdName, GetClientIdName ); } NTSTATUS PhGetObjectBasicInformation( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ POBJECT_BASIC_INFORMATION BasicInformation ) { NTSTATUS status; if (KsiLevel() >= KphLevelMed && ProcessHandle) { status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectBasicInformation, BasicInformation, sizeof(OBJECT_BASIC_INFORMATION), NULL ); if (NT_SUCCESS(status)) { // The object was referenced in KSystemInformer, so we need to subtract 1 from the // pointer count. BasicInformation->PointerCount -= 1; } } else { ULONG returnLength; status = NtQueryObject( Handle, ObjectBasicInformation, BasicInformation, sizeof(OBJECT_BASIC_INFORMATION), &returnLength ); if (NT_SUCCESS(status)) { // The object was referenced in NtQueryObject and a handle was opened to the object. We // need to subtract 1 from the pointer count, then subtract 1 from both counts. BasicInformation->HandleCount -= 1; BasicInformation->PointerCount -= 2; } } return status; } NTSTATUS PhGetObjectTypeName( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ ULONG ObjectTypeNumber, _Out_ PPH_STRING *TypeName ) { NTSTATUS status = STATUS_SUCCESS; PPH_STRING typeName = NULL; // Enumerate the available object types and pre-cache the object type name. (dmex) if (WindowsVersion >= WINDOWS_8_1) { static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { POBJECT_TYPES_INFORMATION objectTypes; POBJECT_TYPE_INFORMATION objectType; if (NT_SUCCESS(PhEnumObjectTypes(&objectTypes))) { objectType = PH_FIRST_OBJECT_TYPE(objectTypes); for (ULONG i = 0; i < objectTypes->NumberOfTypes; i++) { PhMoveReference( &PhObjectTypeNames[objectType->TypeIndex], PhCreateStringFromUnicodeString(&objectType->TypeName) ); objectType = PH_NEXT_OBJECT_TYPE(objectType); } PhFree(objectTypes); } PhEndInitOnce(&initOnce); } } // If the cache contains the object type name, use it. Otherwise, query the type name. (dmex) if (ObjectTypeNumber != ULONG_MAX && ObjectTypeNumber < MAX_OBJECT_TYPE_NUMBER) typeName = PhObjectTypeNames[ObjectTypeNumber]; if (typeName) { PhReferenceObject(typeName); } else { POBJECT_TYPE_INFORMATION buffer; ULONG returnLength = 0; PPH_STRING oldTypeName; KPH_LEVEL level; level = KsiLevel(); // Get the needed buffer size. if (level >= KphLevelMed) { status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectTypeInformation, NULL, 0, &returnLength ); } else { status = NtQueryObject( Handle, ObjectTypeInformation, NULL, 0, &returnLength ); } if (returnLength == 0) return STATUS_UNSUCCESSFUL; buffer = PhAllocate(returnLength); if (level >= KphLevelMed) { status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectTypeInformation, buffer, returnLength, &returnLength ); } else { status = NtQueryObject( Handle, ObjectTypeInformation, buffer, returnLength, &returnLength ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } // Create a copy of the type name. typeName = PhCreateStringFromUnicodeString(&buffer->TypeName); if (ObjectTypeNumber != ULONG_MAX && ObjectTypeNumber < MAX_OBJECT_TYPE_NUMBER) { // Try to store the type name in the cache. oldTypeName = _InterlockedCompareExchangePointer( &PhObjectTypeNames[ObjectTypeNumber], typeName, NULL ); // Add a reference if we stored the type name successfully. if (PhIsNullOrEmptyString(oldTypeName)) { PhReferenceObject(typeName); } } PhFree(buffer); } // At this point typeName should contain a type name with one additional reference. *TypeName = typeName; return status; } NTSTATUS PhGetObjectName( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ BOOLEAN WithTimeout, _Out_ PPH_STRING *ObjectName ) { NTSTATUS status; POBJECT_NAME_INFORMATION buffer; ULONG bufferSize; ULONG attempts = 8; bufferSize = sizeof(OBJECT_NAME_INFORMATION) + (MAXIMUM_FILENAME_LENGTH * sizeof(WCHAR)); buffer = PhAllocate(bufferSize); // A loop is needed because the I/O subsystem likes to give us the wrong return lengths... (wj32) do { if (KsiLevel() >= KphLevelMed) { status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectNameInformation, buffer, bufferSize, &bufferSize ); } else { if (WithTimeout) { status = PhCallNtQueryObjectWithTimeout( Handle, ObjectNameInformation, buffer, bufferSize, &bufferSize ); } else { status = NtQueryObject( Handle, ObjectNameInformation, buffer, bufferSize, &bufferSize ); } } if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_INFO_LENGTH_MISMATCH || status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { break; } } while (--attempts); if (NT_SUCCESS(status)) { if (RtlIsNullOrEmptyUnicodeString(&buffer->Name)) { status = STATUS_OBJECT_NAME_INVALID; } else { *ObjectName = PhCreateStringFromUnicodeString(&buffer->Name); } } PhFree(buffer); return status; } NTSTATUS PhQueryObjectName( _In_ HANDLE Handle, _Out_ PPH_STRING *ObjectName ) { if (Handle == NULL || Handle == NtCurrentProcess() || Handle == NtCurrentThread()) return STATUS_INVALID_HANDLE; return PhGetObjectName(NtCurrentProcess(), Handle, FALSE, ObjectName); } NTSTATUS PhQueryObjectBasicInformation( _In_ HANDLE Handle, _Out_ POBJECT_BASIC_INFORMATION BasicInformation ) { if (Handle == NULL || Handle == NtCurrentProcess() || Handle == NtCurrentThread()) return STATUS_INVALID_HANDLE; return PhGetObjectBasicInformation(NtCurrentProcess(), Handle, BasicInformation); } NTSTATUS PhQueryCloseHandle( _In_ _Post_ptr_invalid_ HANDLE Handle ) { NTSTATUS status; OBJECT_HANDLE_FLAG_INFORMATION objectInfo = { 0 }; status = NtQueryObject( Handle, ObjectHandleFlagInformation, &objectInfo, sizeof(objectInfo), NULL ); if (NT_SUCCESS(status) && objectInfo.ProtectFromClose) { objectInfo.ProtectFromClose = FALSE; NtSetInformationObject( Handle, ObjectHandleFlagInformation, &objectInfo, sizeof(objectInfo) ); } status = NtClose(Handle); return status; } NTSTATUS PhCompareObjects( _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle ) { NTSTATUS status; if (NtCompareObjects_Import()) { status = NtCompareObjects_Import()( FirstObjectHandle, SecondObjectHandle ); } else { status = STATUS_NOT_SUPPORTED; } return status; } NTSTATUS PhGetEtwObjectName( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ PPH_STRING *ObjectName ) { NTSTATUS status; KPH_ETWREG_BASIC_INFORMATION basicInfo; if (KsiLevel() >= KphLevelMed) { status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectEtwRegBasicInformation, &basicInfo, sizeof(KPH_ETWREG_BASIC_INFORMATION), NULL ); } else { status = STATUS_UNSUCCESSFUL; } if (NT_SUCCESS(status)) { *ObjectName = PhFormatGuid(&basicInfo.Guid); } return status; } typedef struct _PH_ETW_TRACEGUID_ENTRY { PPH_STRING Name; PGUID Guid; } PH_ETW_TRACEGUID_ENTRY, *PPH_ETW_TRACEGUID_ENTRY; VOID PhInitializeEtwTraceGuidCache( _Inout_ PPH_ARRAY EtwTraceGuidArrayList ) { PPH_BYTES guidListString = NULL; PPH_STRING guidListFileName; PVOID jsonObject; ULONG arrayLength; if (guidListFileName = PhGetApplicationDirectoryFileNameZ(L"Resources\\EtwGuids.txt", TRUE)) { PhFileReadAllText(&guidListString, &guidListFileName->sr, TRUE); PhDereferenceObject(guidListFileName); } if (!guidListString) return; PhInitializeArray(EtwTraceGuidArrayList, sizeof(PH_ETW_TRACEGUID_ENTRY), 2000); if (!NT_SUCCESS(PhCreateJsonParserEx(&jsonObject, guidListString, FALSE))) return; if (!(arrayLength = PhGetJsonArrayLength(jsonObject))) { PhFreeJsonObject(jsonObject); return; } for (ULONG i = 0; i < arrayLength; i++) { PVOID jsonArrayObject; PPH_STRING guidString; PPH_STRING guidName; GUID guid; PH_ETW_TRACEGUID_ENTRY result; if (!(jsonArrayObject = PhGetJsonArrayIndexObject(jsonObject, i))) continue; guidString = PhGetJsonValueAsString(jsonArrayObject, "guid"); guidName = PhGetJsonValueAsString(jsonArrayObject, "name"); //guidGroup = PhGetJsonValueAsString(jsonArrayObject, "group"); if (!NT_SUCCESS(PhStringToGuid(&guidString->sr, &guid))) { PhDereferenceObject(guidName); PhDereferenceObject(guidString); continue; } result.Name = guidName; result.Guid = PhAllocateCopy(&guid, sizeof(GUID)); PhAddItemArray(EtwTraceGuidArrayList, &result); PhDereferenceObject(guidString); } PhFreeJsonObject(jsonObject); PhDereferenceObject(guidListString); } PPH_STRING PhGetEtwTraceGuidName( _In_ PGUID Guid ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PH_ARRAY etwTraceGuidArrayList; PPH_ETW_TRACEGUID_ENTRY entry; SIZE_T i; if (WindowsVersion < WINDOWS_8) return NULL; if (PhBeginInitOnce(&initOnce)) { PhInitializeEtwTraceGuidCache(&etwTraceGuidArrayList); PhEndInitOnce(&initOnce); } for (i = 0; i < etwTraceGuidArrayList.Count; i++) { entry = PhItemArray(&etwTraceGuidArrayList, i); if (IsEqualGUID(entry->Guid, Guid)) { return PhReferenceObject(entry->Name); } } return NULL; } PPH_STRING PhGetEtwPublisherName( _In_ PGUID Guid ) { static CONST PH_STRINGREF publishersKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Publishers\\"); PPH_STRING guidString; PPH_STRING keyName; HANDLE keyHandle; PPH_STRING publisherName = NULL; guidString = PhFormatGuid(Guid); // We should perform a lookup on the GUID to get the publisher name. (wj32) keyName = PhConcatStringRef2(&publishersKeyName, &guidString->sr); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &keyName->sr, 0 ))) { publisherName = PhQueryRegistryString(keyHandle, NULL); if (publisherName && publisherName->Length == 0) { PhDereferenceObject(publisherName); publisherName = NULL; } PhQueryCloseHandle(keyHandle); } PhDereferenceObject(keyName); if (publisherName) { PhDereferenceObject(guidString); return publisherName; } else { if (publisherName = PhGetEtwTraceGuidName(Guid)) { PhDereferenceObject(guidString); return publisherName; } return guidString; } } PPH_STRING PhGetPnPDeviceName( _In_ PPH_STRING ObjectName ) { PPH_STRING objectPnPDeviceName = NULL; ULONG deviceCount = 0; PDEV_OBJECT deviceObjects = NULL; DEVPROPCOMPKEY deviceProperties[2]; DEVPROP_FILTER_EXPRESSION deviceFilter[1]; DEVPROPERTY deviceFilterProperty; DEVPROPCOMPKEY deviceFilterCompoundProp; memset(deviceProperties, 0, sizeof(deviceProperties)); deviceProperties[0].Key = DEVPKEY_NAME; deviceProperties[0].Store = DEVPROP_STORE_SYSTEM; deviceProperties[1].Key = DEVPKEY_Device_BusReportedDeviceDesc; deviceProperties[1].Store = DEVPROP_STORE_SYSTEM; memset(&deviceFilterCompoundProp, 0, sizeof(deviceFilterCompoundProp)); deviceFilterCompoundProp.Key = DEVPKEY_Device_PDOName; deviceFilterCompoundProp.Store = DEVPROP_STORE_SYSTEM; deviceFilterCompoundProp.LocaleName = NULL; memset(&deviceFilterProperty, 0, sizeof(deviceFilterProperty)); deviceFilterProperty.CompKey = deviceFilterCompoundProp; deviceFilterProperty.Type = DEVPROP_TYPE_STRING; deviceFilterProperty.BufferSize = (ULONG)ObjectName->Length + sizeof(UNICODE_NULL); deviceFilterProperty.Buffer = ObjectName->Buffer; memset(deviceFilter, 0, sizeof(deviceFilter)); deviceFilter[0].Operator = DEVPROP_OPERATOR_EQUALS_IGNORE_CASE; deviceFilter[0].Property = deviceFilterProperty; if (HR_SUCCESS(PhDevGetObjects( DevObjectTypeDevice, DevQueryFlagNone, RTL_NUMBER_OF(deviceProperties), deviceProperties, RTL_NUMBER_OF(deviceFilter), deviceFilter, &deviceCount, &deviceObjects ))) { // Note: We can get a success with 0 results. if (deviceCount > 0) { DEV_OBJECT device = deviceObjects[0]; PPH_STRING deviceName = NULL; PPH_STRING deviceDesc = NULL; PH_STRINGREF displayName; PH_STRINGREF displayDesc; PH_STRINGREF firstPart; PH_STRINGREF secondPart; displayName.Length = device.pProperties[0].BufferSize; displayName.Buffer = device.pProperties[0].Buffer; displayDesc.Length = device.pProperties[1].BufferSize; displayDesc.Buffer = device.pProperties[1].Buffer; if (PhSplitStringRefAtLastChar(&displayName, L';', &firstPart, &secondPart)) deviceName = PhCreateString2(&secondPart); else deviceName = PhCreateString2(&displayName); if (PhSplitStringRefAtLastChar(&displayDesc, L';', &firstPart, &secondPart)) deviceDesc = PhCreateString2(&secondPart); else deviceDesc = PhCreateString2(&displayDesc); if (deviceName->Length >= sizeof(UNICODE_NULL) && deviceName->Buffer[deviceName->Length / sizeof(WCHAR)] == UNICODE_NULL) deviceName->Length -= sizeof(UNICODE_NULL); // PhTrimToNullTerminatorString(deviceName); if (deviceDesc->Length >= sizeof(UNICODE_NULL) && deviceDesc->Buffer[deviceDesc->Length / sizeof(WCHAR)] == UNICODE_NULL) deviceDesc->Length -= sizeof(UNICODE_NULL); // PhTrimToNullTerminatorString(deviceDesc); if (!PhIsNullOrEmptyString(deviceDesc)) { PH_FORMAT format[4]; PhInitFormatSR(&format[0], deviceDesc->sr); PhInitFormatS(&format[1], L" (PDO: "); PhInitFormatSR(&format[2], ObjectName->sr); PhInitFormatC(&format[3], ')'); PhSetReference(&objectPnPDeviceName, PhFormat(format, RTL_NUMBER_OF(format), 0)); } else if (!PhIsNullOrEmptyString(deviceName)) { PH_FORMAT format[4]; PhInitFormatSR(&format[0], deviceName->sr); PhInitFormatS(&format[1], L" (PDO: "); PhInitFormatSR(&format[2], ObjectName->sr); PhInitFormatC(&format[3], ')'); PhSetReference(&objectPnPDeviceName, PhFormat(format, RTL_NUMBER_OF(format), 0)); } if (deviceDesc) PhDereferenceObject(deviceDesc); if (deviceName) PhDereferenceObject(deviceName); } PhDevFreeObjects(deviceCount, deviceObjects); } return objectPnPDeviceName; } PPH_STRING PhFormatNativeKeyName( _In_ PPH_STRING Name ) { static CONST PH_STRINGREF hklmPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine"); static CONST PH_STRINGREF hkcrPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine\\Software\\Classes"); static CONST PH_STRINGREF hkuPrefix = PH_STRINGREF_INIT(L"\\Registry\\User"); static PPH_STRING hkcuPrefix; static PPH_STRING hkcucrPrefix; static CONST PH_STRINGREF hklmString = PH_STRINGREF_INIT(L"HKLM"); static CONST PH_STRINGREF hkcrString = PH_STRINGREF_INIT(L"HKCR"); static CONST PH_STRINGREF hkuString = PH_STRINGREF_INIT(L"HKU"); static CONST PH_STRINGREF hkcuString = PH_STRINGREF_INIT(L"HKCU"); static CONST PH_STRINGREF hkcucrString = PH_STRINGREF_INIT(L"HKCU\\Software\\Classes"); static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_STRING newName; PH_STRINGREF name; if (PhBeginInitOnce(&initOnce)) { PH_TOKEN_USER tokenUser; PPH_STRING stringSid = NULL; if (NT_SUCCESS(PhGetTokenUser(PhGetOwnTokenAttributes().TokenHandle, &tokenUser))) { stringSid = PhSidToStringSid(tokenUser.User.Sid); } if (stringSid) { static CONST PH_STRINGREF registryUserPrefix = PH_STRINGREF_INIT(L"\\Registry\\User\\"); static CONST PH_STRINGREF classesString = PH_STRINGREF_INIT(L"_Classes"); hkcuPrefix = PhConcatStringRef2(®istryUserPrefix, &stringSid->sr); hkcucrPrefix = PhConcatStringRef2(&hkcuPrefix->sr, &classesString); PhDereferenceObject(stringSid); } else { hkcuPrefix = PhCreateString(L"..."); // some random string that won't ever get matched hkcucrPrefix = PhCreateString(L"..."); } PhEndInitOnce(&initOnce); } name = Name->sr; if (PhStartsWithStringRef(&name, &hkcrPrefix, TRUE)) { PhSkipStringRef(&name, hkcrPrefix.Length); newName = PhConcatStringRef2(&hkcrString, &name); } else if (PhStartsWithStringRef(&name, &hklmPrefix, TRUE)) { PhSkipStringRef(&name, hklmPrefix.Length); newName = PhConcatStringRef2(&hklmString, &name); } else if (PhStartsWithStringRef(&name, &hkcucrPrefix->sr, TRUE)) { PhSkipStringRef(&name, hkcucrPrefix->Length); newName = PhConcatStringRef2(&hkcucrString, &name); } else if (PhStartsWithStringRef(&name, &hkcuPrefix->sr, TRUE)) { PhSkipStringRef(&name, hkcuPrefix->Length); newName = PhConcatStringRef2(&hkcuString, &name); } else if (PhStartsWithStringRef(&name, &hkuPrefix, TRUE)) { PhSkipStringRef(&name, hkuPrefix.Length); newName = PhConcatStringRef2(&hkuString, &name); } else { PhSetReference(&newName, Name); } return newName; } NTSTATUS PhGetSectionFileName( _In_ HANDLE SectionHandle, _Out_ PPH_STRING *FileName ) { NTSTATUS status; SIZE_T viewSize; PVOID viewBase; viewSize = PAGE_SIZE; viewBase = NULL; status = PhMapViewOfSection( SectionHandle, NtCurrentProcess(), &viewBase, 0, NULL, &viewSize, ViewUnmap, WindowsVersion >= WINDOWS_10_RS2 ? MEM_MAPPED : 0, PAGE_READONLY ); if (!NT_SUCCESS(status)) return status; status = PhGetProcessMappedFileName(NtCurrentProcess(), viewBase, FileName); PhUnmapViewOfSection(NtCurrentProcess(), viewBase); return status; } _Callback_ PPH_STRING PhStdGetClientIdName( _In_ PCLIENT_ID ClientId ) { return PhStdGetClientIdNameEx(ClientId, NULL); } PPH_STRING PhStdGetClientIdNameEx( _In_ PCLIENT_ID ClientId, _In_opt_ PPH_STRING ProcessName ) { PPH_STRING result; PPH_STRING processName = NULL; PPH_STRING threadName = NULL; PH_STRINGREF processNameStringRef; PH_STRINGREF threadNameStringRef; BOOLEAN processIsTerminated = FALSE; BOOLEAN threadIsTerminated = FALSE; PhInitializeStringRef(&processNameStringRef, L"unknown process"); PhInitializeStringRef(&threadNameStringRef, L"unnamed thread"); if (PhIsNullOrEmptyString(ProcessName)) { if (ClientId->UniqueProcess == SYSTEM_PROCESS_ID) { if (processName = PhGetKernelFileName()) { PhMoveReference(&processName, PhGetBaseName(processName)); processNameStringRef.Length = processName->Length; processNameStringRef.Buffer = processName->Buffer; } } else { // Determine the name of the process ourselves (diversenok) if (ClientId->UniqueProcess && NT_SUCCESS(PhGetProcessImageFileNameById( ClientId->UniqueProcess, NULL, &processName ))) { processNameStringRef.Length = processName->Length; processNameStringRef.Buffer = processName->Buffer; } } } else { processNameStringRef.Length = ProcessName->Length; processNameStringRef.Buffer = ProcessName->Buffer; } if (ClientId->UniqueProcess) { HANDLE processHandle; if (NT_SUCCESS(PhOpenProcessClientId( &processHandle, SYNCHRONIZE, // PROCESS_QUERY_LIMITED_INFORMATION ClientId ))) { // Check if the process is alive PhGetProcessIsTerminated(processHandle, &processIsTerminated); // Use the name of the process if available //if (PhIsNullOrEmptyString(ProcessName) && NT_SUCCESS(PhGetProcessImageFileName(processHandle, &processName))) //{ // processNameStringRef.Length = processName->Length; // processNameStringRef.Buffer = processName->Buffer; //} NtClose(processHandle); } } if (ClientId->UniqueThread) { HANDLE threadHandle; if (NT_SUCCESS(PhOpenThreadClientId( &threadHandle, THREAD_QUERY_LIMITED_INFORMATION, ClientId ))) { // Check if the thread is alive PhGetThreadIsTerminated(threadHandle, &threadIsTerminated); // Use the name of the thread if available if (NT_SUCCESS(PhGetThreadName(threadHandle, &threadName))) { threadNameStringRef.Length = threadName->Length; threadNameStringRef.Buffer = threadName->Buffer; } NtClose(threadHandle); } } // Combine everything if (ClientId->UniqueThread) { PH_FORMAT format[10]; // L"%s%.*s (%lu): %s%.*s (%lu)" PhInitFormatS(&format[0], processIsTerminated ? L"Terminated " : L""); PhInitFormatSR(&format[1], processNameStringRef); PhInitFormatS(&format[2], L" ("); PhInitFormatU(&format[3], HandleToUlong(ClientId->UniqueProcess)); PhInitFormatS(&format[4], L"): "); PhInitFormatS(&format[5], threadIsTerminated ? L"Terminated " : L""); PhInitFormatSR(&format[6], threadNameStringRef); PhInitFormatS(&format[7], L" ("); PhInitFormatU(&format[8], HandleToUlong(ClientId->UniqueThread)); PhInitFormatC(&format[9], L')'); result = PhFormat(format, RTL_NUMBER_OF(format), 0); } else { PH_FORMAT format[5]; // L"%s%.*s (%lu)" PhInitFormatS(&format[0], processIsTerminated ? L"Terminated " : L""); PhInitFormatSR(&format[1], processNameStringRef); PhInitFormatS(&format[2], L" ("); PhInitFormatU(&format[3], HandleToUlong(ClientId->UniqueProcess)); PhInitFormatC(&format[4], L')'); result = PhFormat(format, RTL_NUMBER_OF(format), 0); } //result = PhFormatString( // ClientId->UniqueThread ? L"%s%.*s (%lu): %s%.*s (%lu)" : L"%s%.*s (%lu)", // processIsTerminated ? L"Terminated " : L"", // processNameStringRef.Length / sizeof(WCHAR), // processNameStringRef.Buffer, // HandleToUlong(ClientId->UniqueProcess), // threadIsTerminated ? L"terminated " : L"", // threadNameStringRef.Length / sizeof(WCHAR), // threadNameStringRef.Buffer, // HandleToUlong(ClientId->UniqueThread) // ); PhClearReference(&processName); PhClearReference(&threadName); return result; } NTSTATUS PhpGetBestObjectName( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ PPH_STRING ObjectName, _In_ PPH_STRING TypeName, _Out_ PPH_STRING *BestObjectName, _Out_ PPH_STRING *ResolvedObjectName ) { NTSTATUS status; PPH_STRING bestObjectName = NULL; PPH_GET_CLIENT_ID_NAME handleGetClientIdName = PhHandleGetClientIdName; PhSetReference(ResolvedObjectName, ObjectName); if (PhEqualString2(TypeName, L"EtwRegistration", TRUE)) { if (KsiLevel() >= KphLevelMed) { KPH_ETWREG_BASIC_INFORMATION basicInfo; status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectEtwRegBasicInformation, &basicInfo, sizeof(KPH_ETWREG_BASIC_INFORMATION), NULL ); if (NT_SUCCESS(status)) { bestObjectName = PhGetEtwPublisherName(&basicInfo.Guid); } } } else if (PhEqualString2(TypeName, L"File", TRUE)) { // Use the socket address for AFD handles if (PhAfdIsSocketObjectName(ObjectName)) { HANDLE dupHandle; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, 0, 0, DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES ); if (NT_SUCCESS(status)) { bestObjectName = PhAfdFormatSocketBestName(dupHandle); PhQueryCloseHandle(dupHandle); } } if (PhIsNullOrEmptyString(bestObjectName)) { // Convert the file name to a DOS file name. bestObjectName = PhResolveDevicePrefix(&ObjectName->sr); if (PhIsNullOrEmptyString(bestObjectName)) { if (PhEnableProcessHandlePnPDeviceNameSupport) { if (PhStartsWithString2(ObjectName, L"\\Device\\", TRUE)) { // The device might be a PDO... Query the PnP manager for the friendly name of the device. (dmex) bestObjectName = PhGetPnPDeviceName(ObjectName); } } if (PhIsNullOrEmptyString(bestObjectName)) { // The file doesn't have a DOS filename and doesn't have a PnP friendly name. PhSetReference(&bestObjectName, ObjectName); } } } if (PhIsNullOrEmptyString(bestObjectName) && (KsiLevel() >= KphLevelMed)) { HANDLE fileObjectDriver; PPH_STRING driverName; status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectFileObjectDriver, &fileObjectDriver, sizeof(HANDLE), NULL ); if (NT_SUCCESS(status) && fileObjectDriver) { if (NT_SUCCESS(PhGetDriverName(fileObjectDriver, &driverName))) { static CONST PH_STRINGREF prefix = PH_STRINGREF_INIT(L"Unnamed file: "); PhMoveReference(&bestObjectName, PhConcatStringRef2(&prefix, &driverName->sr)); PhDereferenceObject(driverName); } PhQueryCloseHandle(fileObjectDriver); } } } else if (PhEqualString2(TypeName, L"Job", TRUE)) { HANDLE dupHandle; PJOBOBJECT_BASIC_PROCESS_ID_LIST processIdList; // Skip when we already have a valid job object name. (dmex) if (!PhIsNullOrEmptyString(ObjectName)) goto CleanupExit; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, JOB_OBJECT_QUERY, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; if (handleGetClientIdName && NT_SUCCESS(PhGetJobProcessIdList(dupHandle, &processIdList))) { PH_STRING_BUILDER sb; ULONG i; CLIENT_ID clientId; PPH_STRING name; PhInitializeStringBuilder(&sb, 40); clientId.UniqueThread = NULL; for (i = 0; i < processIdList->NumberOfProcessIdsInList; i++) { clientId.UniqueProcess = (HANDLE)processIdList->ProcessIdList[i]; name = handleGetClientIdName(&clientId); if (name) { PhAppendStringBuilder(&sb, &name->sr); PhAppendStringBuilder2(&sb, L"; "); PhDereferenceObject(name); } } PhFree(processIdList); if (sb.String->Length != 0) PhRemoveEndStringBuilder(&sb, 2); if (sb.String->Length == 0) PhAppendStringBuilder2(&sb, L"(No processes)"); bestObjectName = PhFinalStringBuilderString(&sb); } PhQueryCloseHandle(dupHandle); } else if (PhEqualString2(TypeName, L"Key", TRUE)) { bestObjectName = PhFormatNativeKeyName(ObjectName); } else if (PhEqualString2(TypeName, L"Process", TRUE)) { CLIENT_ID clientId; clientId.UniqueThread = NULL; if (KsiLevel() >= KphLevelMed) { PROCESS_BASIC_INFORMATION basicInfo; status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectProcessBasicInformation, &basicInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; clientId.UniqueProcess = basicInfo.UniqueProcessId; } else { HANDLE dupHandle; PROCESS_BASIC_INFORMATION basicInfo; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, PROCESS_QUERY_LIMITED_INFORMATION, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcessBasicInformation(dupHandle, &basicInfo); PhQueryCloseHandle(dupHandle); if (!NT_SUCCESS(status)) goto CleanupExit; clientId.UniqueProcess = basicInfo.UniqueProcessId; } if (handleGetClientIdName) bestObjectName = handleGetClientIdName(&clientId); } else if (PhEqualString2(TypeName, L"Section", TRUE)) { HANDLE dupHandle = NULL; PPH_STRING fileName = NULL; if (!PhIsNullOrEmptyString(ObjectName)) goto CleanupExit; if (KsiLevel() >= KphLevelMed) { ULONG returnLength; ULONG bufferSize; PUNICODE_STRING buffer; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectSectionFileName, buffer, bufferSize, &returnLength ); if (status == STATUS_BUFFER_OVERFLOW && returnLength > 0) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectSectionFileName, buffer, bufferSize, &returnLength ); } if (NT_SUCCESS(status)) fileName = PhCreateStringFromUnicodeString(buffer); PhFree(buffer); } else { status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, SECTION_QUERY | SECTION_MAP_READ, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetSectionFileName(dupHandle, &fileName); } if (NT_SUCCESS(status)) { bestObjectName = PhResolveDevicePrefix(&fileName->sr); PhDereferenceObject(fileName); } else { SECTION_BASIC_INFORMATION basicInfo = { NULL }; if (KsiLevel() >= KphLevelMed) { status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectSectionBasicInformation, &basicInfo, sizeof(basicInfo), NULL ); } else if (dupHandle) { status = PhGetSectionBasicInformation(dupHandle, &basicInfo); } if (NT_SUCCESS(status)) { PH_FORMAT format[4]; PCWSTR sectionType = L"Unknown"; if (basicInfo.AllocationAttributes & SEC_COMMIT) sectionType = L"Commit"; else if (basicInfo.AllocationAttributes & SEC_FILE) sectionType = L"File"; else if (basicInfo.AllocationAttributes & SEC_IMAGE) sectionType = L"Image"; else if (basicInfo.AllocationAttributes & SEC_RESERVE) sectionType = L"Reserve"; PhInitFormatS(&format[0], sectionType); PhInitFormatS(&format[1], L" ("); PhInitFormatSize(&format[2], basicInfo.MaximumSize.QuadPart); PhInitFormatC(&format[3], ')'); bestObjectName = PhFormat(format, RTL_NUMBER_OF(format), 0); } } if (dupHandle) PhQueryCloseHandle(dupHandle); } else if (PhEqualString2(TypeName, L"Thread", TRUE)) { CLIENT_ID clientId; if (KsiLevel() >= KphLevelMed) { THREAD_BASIC_INFORMATION basicInfo; status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectThreadBasicInformation, &basicInfo, sizeof(THREAD_BASIC_INFORMATION), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; clientId = basicInfo.ClientId; } else { HANDLE dupHandle; THREAD_BASIC_INFORMATION basicInfo; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, THREAD_QUERY_LIMITED_INFORMATION, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetThreadBasicInformation(dupHandle, &basicInfo); PhQueryCloseHandle(dupHandle); if (!NT_SUCCESS(status)) goto CleanupExit; clientId = basicInfo.ClientId; } if (handleGetClientIdName) bestObjectName = handleGetClientIdName(&clientId); } else if (PhEqualString2(TypeName, L"TmEn", TRUE)) { HANDLE dupHandle; ENLISTMENT_BASIC_INFORMATION basicInfo; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, ENLISTMENT_QUERY_INFORMATION, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetEnlistmentBasicInformation(dupHandle, &basicInfo); PhQueryCloseHandle(dupHandle); if (NT_SUCCESS(status)) { bestObjectName = PhFormatGuid(&basicInfo.EnlistmentId); } } else if (PhEqualString2(TypeName, L"TmRm", TRUE)) { HANDLE dupHandle; GUID guid; PPH_STRING description; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, RESOURCEMANAGER_QUERY_INFORMATION, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetResourceManagerBasicInformation( dupHandle, &guid, &description ); PhQueryCloseHandle(dupHandle); if (NT_SUCCESS(status)) { if (!PhIsNullOrEmptyString(description)) { bestObjectName = description; } else { bestObjectName = PhFormatGuid(&guid); if (description) PhDereferenceObject(description); } } } else if (PhEqualString2(TypeName, L"TmTm", TRUE)) { HANDLE dupHandle; PPH_STRING logFileName = NULL; TRANSACTIONMANAGER_BASIC_INFORMATION basicInfo; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, TRANSACTIONMANAGER_QUERY_INFORMATION, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetTransactionManagerLogFileName( dupHandle, &logFileName ); if (NT_SUCCESS(status) && !PhIsNullOrEmptyString(logFileName)) { bestObjectName = PhGetFileName(logFileName); PhDereferenceObject(logFileName); } else { if (logFileName) PhDereferenceObject(logFileName); status = PhGetTransactionManagerBasicInformation( dupHandle, &basicInfo ); if (NT_SUCCESS(status)) { bestObjectName = PhFormatGuid(&basicInfo.TmIdentity); } } PhQueryCloseHandle(dupHandle); } else if (PhEqualString2(TypeName, L"TmTx", TRUE)) { HANDLE dupHandle; PPH_STRING description = NULL; TRANSACTION_BASIC_INFORMATION basicInfo; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, TRANSACTION_QUERY_INFORMATION, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetTransactionPropertiesInformation( dupHandle, NULL, NULL, &description ); if (NT_SUCCESS(status) && !PhIsNullOrEmptyString(description)) { bestObjectName = description; } else { if (description) PhDereferenceObject(description); status = PhGetTransactionBasicInformation( dupHandle, &basicInfo ); if (NT_SUCCESS(status)) { bestObjectName = PhFormatGuid(&basicInfo.TransactionId); } } PhQueryCloseHandle(dupHandle); } else if (PhEqualString2(TypeName, L"Token", TRUE)) { HANDLE dupHandle; PH_TOKEN_USER tokenUser = { 0 }; TOKEN_STATISTICS statistics = { 0 }; status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &dupHandle, TOKEN_QUERY, 0, DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetTokenUser(dupHandle, &tokenUser); PhGetTokenStatistics(dupHandle, &statistics); if (NT_SUCCESS(status)) { PPH_STRING fullName; fullName = PhGetSidFullName(tokenUser.User.Sid, TRUE, NULL); if (fullName) { PH_FORMAT format[4]; PhInitFormatSR(&format[0], fullName->sr); PhInitFormatS(&format[1], L": 0x"); PhInitFormatX(&format[2], statistics.AuthenticationId.LowPart); PhInitFormatS(&format[3], statistics.TokenType == TokenPrimary ? L" (Primary)" : L" (Impersonation)"); bestObjectName = PhFormat(format, RTL_NUMBER_OF(format), fullName->Length + 8 + 16 + 16); PhDereferenceObject(fullName); } } PhQueryCloseHandle(dupHandle); } else if (PhEqualString2(TypeName, L"ALPC Port", TRUE)) { PROCESS_BASIC_INFORMATION processInfo; KPH_ALPC_COMMUNICATION_INFORMATION commsInfo; PKPH_ALPC_COMMUNICATION_NAMES_INFORMATION namesInfo; USHORT formatCount = 0; PH_FORMAT format[5]; PPH_STRING name = NULL; CLIENT_ID clientId; if (KsiLevel() < KphLevelMed) goto CleanupExit; status = PhGetProcessBasicInformation(ProcessHandle, &processInfo); if (!NT_SUCCESS(status)) goto CleanupExit; status = KphAlpcQueryInformation( ProcessHandle, Handle, KphAlpcCommunicationInformation, &commsInfo, sizeof(commsInfo), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (!NT_SUCCESS(KphAlpcQueryCommunicationsNamesInfo(ProcessHandle, Handle, &namesInfo))) { namesInfo = NULL; } if (commsInfo.ClientCommunicationPort.OwnerProcessId == processInfo.UniqueProcessId) { PhInitFormatS(&format[formatCount++], L"Client: "); if (commsInfo.ServerCommunicationPort.OwnerProcessId) { PhInitFormatS(&format[formatCount++], L"Connection to "); clientId.UniqueProcess = commsInfo.ServerCommunicationPort.OwnerProcessId; clientId.UniqueThread = 0; name = PhStdGetClientIdName(&clientId); } else if (commsInfo.ClientCommunicationPort.ConnectionRefused) { PhInitFormatS(&format[formatCount++], L"Refused "); } else if (commsInfo.ClientCommunicationPort.Closed) { PhInitFormatS(&format[formatCount++], L"Closed "); } else if (commsInfo.ClientCommunicationPort.Disconnected) { PhInitFormatS(&format[formatCount++], L"Disconnected "); } else if (commsInfo.ClientCommunicationPort.ConnectionPending) { PhInitFormatS(&format[formatCount++], L"Pending "); } } else if (commsInfo.ServerCommunicationPort.OwnerProcessId == processInfo.UniqueProcessId) { PhInitFormatS(&format[formatCount++], L"Server: "); if (commsInfo.ClientCommunicationPort.OwnerProcessId) { PhInitFormatS(&format[formatCount++], L" Connection from "); clientId.UniqueProcess = commsInfo.ClientCommunicationPort.OwnerProcessId; clientId.UniqueThread = 0; name = PhStdGetClientIdName(&clientId); } else if (commsInfo.ClientCommunicationPort.ConnectionRefused) { PhInitFormatS(&format[formatCount++], L"Refused "); } else if (commsInfo.ServerCommunicationPort.Closed) { PhInitFormatS(&format[formatCount++], L"Closed "); } else if (commsInfo.ServerCommunicationPort.Disconnected) { PhInitFormatS(&format[formatCount++], L"Disconnected "); } else if (commsInfo.ServerCommunicationPort.ConnectionPending) { PhInitFormatS(&format[formatCount++], L"Pending "); } } else if (commsInfo.ConnectionPort.OwnerProcessId == processInfo.UniqueProcessId) { PhInitFormatS(&format[formatCount++], L"Connection: "); } if (name) { PhInitFormatSR(&format[formatCount++], name->sr); if (namesInfo && namesInfo->ConnectionPort.Length > 0) { PhInitFormatS(&format[formatCount++], L" on "); } } if (namesInfo && namesInfo->ConnectionPort.Length > 0) { PhInitFormatUCS(&format[formatCount++], &namesInfo->ConnectionPort); if (PhIsNullOrEmptyString(*ResolvedObjectName)) PhMoveReference(ResolvedObjectName, PhCreateStringFromUnicodeString(&namesInfo->ConnectionPort)); } if (formatCount > 0) bestObjectName = PhFormat(format, formatCount, 0); if (name) PhDereferenceObject(name); if (namesInfo) PhFree(namesInfo); } CleanupExit: if (PhIsNullOrEmptyString(bestObjectName)) { PhSetReference(&bestObjectName, ObjectName); } *BestObjectName = bestObjectName; return STATUS_SUCCESS; } /** * Gets information for a handle. * * \param ProcessHandle A handle to the process in which the handle resides. * \param Handle The handle value. * \param ObjectTypeNumber The object type number of the handle. You can specify -1 for this * parameter if the object type number is not known. * \param BasicInformation A variable which receives basic information about the object. * \param TypeName A variable which receives the object type name. * \param ObjectName A variable which receives the object name. * \param BestObjectName A variable which receives the formatted object name. * * \retval STATUS_INVALID_HANDLE The handle specified in \c ProcessHandle or \c Handle is invalid. * \retval STATUS_INVALID_PARAMETER_3 The value specified in \c ObjectTypeNumber is invalid. */ NTSTATUS PhGetHandleInformation( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ ULONG ObjectTypeNumber, _Out_opt_ POBJECT_BASIC_INFORMATION BasicInformation, _Out_opt_ PPH_STRING *TypeName, _Out_opt_ PPH_STRING *ObjectName, _Out_opt_ PPH_STRING *BestObjectName ) { NTSTATUS status; NTSTATUS subStatus; status = PhGetHandleInformationEx( ProcessHandle, Handle, ObjectTypeNumber, 0, &subStatus, BasicInformation, TypeName, ObjectName, BestObjectName, NULL ); if (!NT_SUCCESS(status)) return status; // Fail if any component failed, for compatibility reasons. if (!NT_SUCCESS(subStatus)) { if (TypeName) PhClearReference(TypeName); if (ObjectName) PhClearReference(ObjectName); if (BestObjectName) PhClearReference(BestObjectName); return subStatus; } return status; } /** * Gets information for a handle. * * \param ProcessHandle A handle to the process in which the handle resides. * \param Handle The handle value. * \param ObjectTypeNumber The object type number of the handle. You can specify -1 for this * parameter if the object type number is not known. * \param Flags Reserved. * \param SubStatus A variable which receives the NTSTATUS value of the last component that fails. * If all operations succeed, the value will be STATUS_SUCCESS. If the function returns an error * status, this variable is not set. * \param BasicInformation A variable which receives basic information about the object. * \param TypeName A variable which receives the object type name. * \param ObjectName A variable which receives the object name. * \param BestObjectName A variable which receives the formatted object name. * \param ExtraInformation Reserved. * * \retval STATUS_INVALID_HANDLE The handle specified in \c ProcessHandle or \c Handle is invalid. * \retval STATUS_INVALID_PARAMETER_3 The value specified in \c ObjectTypeNumber is invalid. * * \remarks If \a BasicInformation or \a TypeName are specified, the function will fail if either * cannot be queried. \a ObjectName, \a BestObjectName and \a ExtraInformation will be NULL if they * cannot be queried. */ NTSTATUS PhGetHandleInformationEx( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ ULONG ObjectTypeNumber, _Reserved_ ULONG Flags, _Out_opt_ PNTSTATUS SubStatus, _Out_opt_ POBJECT_BASIC_INFORMATION BasicInformation, _Out_opt_ PPH_STRING *TypeName, _Out_opt_ PPH_STRING *ObjectName, _Out_opt_ PPH_STRING *BestObjectName, _Reserved_ PVOID *ExtraInformation ) { NTSTATUS status = STATUS_SUCCESS; NTSTATUS subStatus = STATUS_SUCCESS; HANDLE objectHandle = NULL; PPH_STRING typeName = NULL; PPH_STRING objectName = NULL; PPH_STRING bestObjectName = NULL; PPH_STRING resolvedObjectName = NULL; BOOLEAN ksienabled; if (ProcessHandle == NULL || Handle == NULL || Handle == NtCurrentProcess() || Handle == NtCurrentThread()) return STATUS_INVALID_HANDLE; if (ObjectTypeNumber != ULONG_MAX && ObjectTypeNumber >= MAX_OBJECT_TYPE_NUMBER) return STATUS_INVALID_PARAMETER_3; ksienabled = (KsiLevel() >= KphLevelMed); if (ProcessHandle == NtCurrentProcess() || ksienabled) { objectHandle = Handle; } else { status = NtDuplicateObject( ProcessHandle, Handle, NtCurrentProcess(), &objectHandle, 0, 0, DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(status)) return status; } // Get basic information. if (BasicInformation) { status = PhGetObjectBasicInformation( ProcessHandle, objectHandle, BasicInformation ); if (!NT_SUCCESS(status)) goto CleanupExit; } // Exit early if we don't need to get any other information. if (!TypeName && !ObjectName && !BestObjectName) goto CleanupExit; // Get the type name. status = PhGetObjectTypeName( ProcessHandle, objectHandle, ObjectTypeNumber, &typeName ); if (!NT_SUCCESS(status)) goto CleanupExit; // Exit early if we don't need to get the object name. if (!ObjectName && !BestObjectName) goto CleanupExit; // Get the object name. // If we're dealing with a file handle we must take special precautions so we don't hang. if (PhEqualString2(typeName, L"File", TRUE) && !ksienabled) { status = PhGetObjectName( ProcessHandle, objectHandle, TRUE, &objectName ); } else if (PhEqualString2(typeName, L"EtwRegistration", TRUE)) { status = PhGetEtwObjectName( ProcessHandle, Handle, &objectName ); } else { // Query the object normally. status = PhGetObjectName( ProcessHandle, objectHandle, FALSE, &objectName ); } if (!NT_SUCCESS(status)) { if ( (ksienabled && PhEqualString2(typeName, L"File", TRUE)) || PhEqualString2(typeName, L"EtwRegistration", TRUE) || PhEqualString2(typeName, L"Process", TRUE) || PhEqualString2(typeName, L"Thread", TRUE) || PhEqualString2(typeName, L"Token", TRUE) || PhEqualString2(typeName, L"ALPC Port", TRUE) || PhEqualString2(typeName, L"Section", TRUE) ) { // PhpGetBestObjectName can provide us with a name. objectName = PhReferenceEmptyString(); status = STATUS_SUCCESS; } else { subStatus = status; status = STATUS_SUCCESS; goto CleanupExit; } } // Exit early if we don't need to get the best object name. if (!BestObjectName) goto CleanupExit; status = PhpGetBestObjectName( ProcessHandle, Handle, objectName, typeName, &bestObjectName, &resolvedObjectName ); if (!NT_SUCCESS(status)) { subStatus = status; status = STATUS_SUCCESS; goto CleanupExit; } PhMoveReference(&objectName, resolvedObjectName); CleanupExit: if (NT_SUCCESS(status)) { if (SubStatus) *SubStatus = subStatus; if (TypeName) PhSetReference(TypeName, typeName); if (ObjectName) PhSetReference(ObjectName, objectName); if (BestObjectName) PhSetReference(BestObjectName, bestObjectName); } if (!ksienabled && objectHandle && ProcessHandle != NtCurrentProcess()) { PhQueryCloseHandle(objectHandle); } PhClearReference(&typeName); PhClearReference(&objectName); PhClearReference(&bestObjectName); return status; } NTSTATUS PhEnumObjectTypes( _Out_ POBJECT_TYPES_INFORMATION *ObjectTypes ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG returnLength; bufferSize = 0x1000; buffer = PhAllocate(bufferSize); while ((status = NtQueryObject( NULL, ObjectTypesInformation, buffer, bufferSize, &returnLength )) == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; // Fail if we're resizing the buffer to something very large. if (bufferSize > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *ObjectTypes = (POBJECT_TYPES_INFORMATION)buffer; return status; } NTSTATUS PhGetObjectTypeMask( _In_ PPH_STRINGREF TypeName, _Out_ PGENERIC_MAPPING GenericMapping ) { NTSTATUS status = STATUS_NOT_FOUND; POBJECT_TYPES_INFORMATION objectTypes; POBJECT_TYPE_INFORMATION objectType; if (NT_SUCCESS(PhEnumObjectTypes(&objectTypes))) { objectType = PH_FIRST_OBJECT_TYPE(objectTypes); for (ULONG i = 0; i < objectTypes->NumberOfTypes; i++) { PH_STRINGREF typeName; PhUnicodeStringToStringRef(&objectType->TypeName, &typeName); if (PhEqualStringRef(&typeName, TypeName, TRUE)) { *GenericMapping = objectType->GenericMapping; status = STATUS_SUCCESS; break; } objectType = PH_NEXT_OBJECT_TYPE(objectType); } PhFree(objectTypes); } return status; } ULONG PhGetObjectTypeNumber( _In_ PPH_STRINGREF TypeName ) { POBJECT_TYPES_INFORMATION objectTypes; POBJECT_TYPE_INFORMATION objectType; ULONG objectIndex = ULONG_MAX; ULONG i; if (NT_SUCCESS(PhEnumObjectTypes(&objectTypes))) { objectType = PH_FIRST_OBJECT_TYPE(objectTypes); for (i = 0; i < objectTypes->NumberOfTypes; i++) { PH_STRINGREF typeNameSr; PhUnicodeStringToStringRef(&objectType->TypeName, &typeNameSr); if (PhEqualStringRef(&typeNameSr, TypeName, TRUE)) { if (WindowsVersion >= WINDOWS_8_1) { objectIndex = objectType->TypeIndex; break; } else { objectIndex = i + 2; break; } } objectType = PH_NEXT_OBJECT_TYPE(objectType); } PhFree(objectTypes); } return objectIndex; } PPH_STRING PhGetObjectTypeIndexName( _In_ ULONG TypeIndex ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static POBJECT_TYPES_INFORMATION objectTypes = NULL; POBJECT_TYPE_INFORMATION objectType; PPH_STRING objectTypeName = NULL; ULONG i; if (PhBeginInitOnce(&initOnce)) { PhEnumObjectTypes(&objectTypes); PhEndInitOnce(&initOnce); } if (objectTypes) { objectType = PH_FIRST_OBJECT_TYPE(objectTypes); for (i = 0; i < objectTypes->NumberOfTypes; i++) { if (WindowsVersion >= WINDOWS_8_1) { if (TypeIndex == objectType->TypeIndex) { objectTypeName = PhCreateStringFromUnicodeString(&objectType->TypeName); break; } } else { if (TypeIndex == (i + 2)) { objectTypeName = PhCreateStringFromUnicodeString(&objectType->TypeName); break; } } objectType = PH_NEXT_OBJECT_TYPE(objectType); } } return objectTypeName; } PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT PhpAcquireCallWithTimeoutThread( _In_opt_ PLARGE_INTEGER Timeout ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT threadContext; PSLIST_ENTRY listEntry; PH_QUEUED_WAIT_BLOCK waitBlock; if (PhBeginInitOnce(&initOnce)) { ULONG i; PhInitializeSListHead(&PhpCallWithTimeoutThreadListHead); for (i = 0; i < PH_QUERY_HACK_MAX_THREADS; i++) { threadContext = PhAllocate(sizeof(PHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT)); memset(threadContext, 0, sizeof(PHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT)); RtlInterlockedPushEntrySList(&PhpCallWithTimeoutThreadListHead, &threadContext->ListEntry); } PhEndInitOnce(&initOnce); } while (TRUE) { if (listEntry = RtlInterlockedPopEntrySList(&PhpCallWithTimeoutThreadListHead)) break; if (!Timeout || Timeout->QuadPart != 0) { PhQueueWakeEvent(&PhpCallWithTimeoutThreadReleaseEvent, &waitBlock); if (listEntry = RtlInterlockedPopEntrySList(&PhpCallWithTimeoutThreadListHead)) { // A new entry has just become available; cancel the wait. PhSetWakeEvent(&PhpCallWithTimeoutThreadReleaseEvent, &waitBlock); break; } else { PhWaitForWakeEvent(&PhpCallWithTimeoutThreadReleaseEvent, &waitBlock, FALSE, Timeout); // TODO: Recompute the timeout value. } } else { return NULL; } } return CONTAINING_RECORD(listEntry, PHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT, ListEntry); } VOID PhpReleaseCallWithTimeoutThread( _Inout_ PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT ThreadContext ) { RtlInterlockedPushEntrySList(&PhpCallWithTimeoutThreadListHead, &ThreadContext->ListEntry); PhSetWakeEvent(&PhpCallWithTimeoutThreadReleaseEvent, NULL); } NTSTATUS PhpCallWithTimeout( _Inout_ PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT ThreadContext, _In_ PUSER_THREAD_START_ROUTINE Routine, _In_opt_ PVOID Context, _In_ PLARGE_INTEGER Timeout ) { NTSTATUS status; // Create objects if necessary. if (!ThreadContext->StartEventHandle) { if (!NT_SUCCESS(status = PhCreateEvent(&ThreadContext->StartEventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, FALSE))) return status; } if (!ThreadContext->CompletedEventHandle) { if (!NT_SUCCESS(status = PhCreateEvent(&ThreadContext->CompletedEventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, FALSE))) return status; } // Create a query thread if we don't have one. if (!ThreadContext->ThreadHandle) { CLIENT_ID clientId; NtClearEvent(ThreadContext->StartEventHandle); NtClearEvent(ThreadContext->CompletedEventHandle); if (!NT_SUCCESS(status = PhCreateUserThread( NtCurrentProcess(), NULL, THREAD_ALL_ACCESS, 0, 0, UInt32x32To64(32, 1024), 0, PhpCallWithTimeoutThreadStart, ThreadContext, &ThreadContext->ThreadHandle, &clientId ))) { return status; } // Wait for the thread to initialize. NtWaitForSingleObject(ThreadContext->CompletedEventHandle, FALSE, NULL); } ThreadContext->Routine = Routine; ThreadContext->Context = Context; NtSetEvent(ThreadContext->StartEventHandle, NULL); status = NtWaitForSingleObject(ThreadContext->CompletedEventHandle, FALSE, Timeout); ThreadContext->Routine = NULL; MemoryBarrier(); ThreadContext->Context = NULL; if (status != STATUS_WAIT_0) { // The operation timed out, or there was an error. Kill the thread. On Vista and above, the // thread stack is freed automatically. NtTerminateThread(ThreadContext->ThreadHandle, STATUS_UNSUCCESSFUL); status = NtWaitForSingleObject(ThreadContext->ThreadHandle, FALSE, NULL); NtClose(ThreadContext->ThreadHandle); ThreadContext->ThreadHandle = NULL; status = STATUS_UNSUCCESSFUL; } return status; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpCallWithTimeoutThreadStart( _In_ PVOID Parameter ) { PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT threadContext = Parameter; NtSetEvent(threadContext->CompletedEventHandle, NULL); while (TRUE) { if (NtWaitForSingleObject(threadContext->StartEventHandle, FALSE, NULL) != STATUS_WAIT_0) continue; if (threadContext->Routine) threadContext->Routine(threadContext->Context); NtSetEvent(threadContext->CompletedEventHandle, NULL); } return STATUS_SUCCESS; } NTSTATUS PhCallWithTimeout( _In_ PUSER_THREAD_START_ROUTINE Routine, _In_opt_ PVOID Context, _In_opt_ PLARGE_INTEGER AcquireTimeout, _In_ PLARGE_INTEGER CallTimeout ) { NTSTATUS status; PPHP_CALL_WITH_TIMEOUT_THREAD_CONTEXT threadContext; if (threadContext = PhpAcquireCallWithTimeoutThread(AcquireTimeout)) { status = PhpCallWithTimeout(threadContext, Routine, Context, CallTimeout); PhpReleaseCallWithTimeoutThread(threadContext); } else { status = STATUS_UNSUCCESSFUL; } return status; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpCommonQueryObjectRoutine( _In_ PVOID Parameter ) { PPHP_QUERY_OBJECT_COMMON_CONTEXT context = Parameter; IO_STATUS_BLOCK isb; switch (context->Work) { case NtQueryObjectWork: context->Status = NtQueryObject( context->u.NtQueryObject.Handle, context->u.NtQueryObject.ObjectInformationClass, context->u.NtQueryObject.ObjectInformation, context->u.NtQueryObject.ObjectInformationLength, context->u.NtQueryObject.ReturnLength ); break; case NtQuerySecurityObjectWork: context->Status = NtQuerySecurityObject( context->u.NtQuerySecurityObject.Handle, context->u.NtQuerySecurityObject.SecurityInformation, context->u.NtQuerySecurityObject.SecurityDescriptor, context->u.NtQuerySecurityObject.Length, context->u.NtQuerySecurityObject.LengthNeeded ); break; case NtSetSecurityObjectWork: context->Status = NtSetSecurityObject( context->u.NtSetSecurityObject.Handle, context->u.NtSetSecurityObject.SecurityInformation, context->u.NtSetSecurityObject.SecurityDescriptor ); break; case NtQueryFileInformationWork: { context->Status = NtQueryInformationFile( context->u.NtQueryFileInformation.Handle, &isb, context->u.NtQueryFileInformation.FileInformation, context->u.NtQueryFileInformation.FileInformationLength, context->u.NtQueryFileInformation.FileInformationClass ); } break; case KphQueryFileInformationWork: { context->Status = KphQueryInformationFile( context->u.KphQueryFileInformation.ProcessHandle, context->u.KphQueryFileInformation.Handle, context->u.KphQueryFileInformation.FileInformationClass, context->u.KphQueryFileInformation.FileInformation, context->u.KphQueryFileInformation.FileInformationLength, &isb ); } break; default: context->Status = STATUS_INVALID_PARAMETER; break; } return STATUS_SUCCESS; } NTSTATUS PhpCommonQueryObjectWithTimeout( _In_ PPHP_QUERY_OBJECT_COMMON_CONTEXT Context ) { NTSTATUS status; LARGE_INTEGER timeout; timeout.QuadPart = -(LONGLONG)UInt32x32To64(1, PH_TIMEOUT_SEC); status = PhCallWithTimeout(PhpCommonQueryObjectRoutine, Context, NULL, &timeout); if (NT_SUCCESS(status)) status = Context->Status; PhFree(Context); return status; } NTSTATUS PhCallNtQueryObjectWithTimeout( _In_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength ) { PPHP_QUERY_OBJECT_COMMON_CONTEXT context; context = PhAllocate(sizeof(PHP_QUERY_OBJECT_COMMON_CONTEXT)); context->Work = NtQueryObjectWork; context->Status = STATUS_UNSUCCESSFUL; context->u.NtQueryObject.Handle = Handle; context->u.NtQueryObject.ObjectInformationClass = ObjectInformationClass; context->u.NtQueryObject.ObjectInformation = ObjectInformation; context->u.NtQueryObject.ObjectInformationLength = ObjectInformationLength; context->u.NtQueryObject.ReturnLength = ReturnLength; return PhpCommonQueryObjectWithTimeout(context); } NTSTATUS PhCallNtQuerySecurityObjectWithTimeout( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Length, _Out_ PULONG LengthNeeded ) { PPHP_QUERY_OBJECT_COMMON_CONTEXT context; context = PhAllocate(sizeof(PHP_QUERY_OBJECT_COMMON_CONTEXT)); context->Work = NtQuerySecurityObjectWork; context->Status = STATUS_UNSUCCESSFUL; context->u.NtQuerySecurityObject.Handle = Handle; context->u.NtQuerySecurityObject.SecurityInformation = SecurityInformation; context->u.NtQuerySecurityObject.SecurityDescriptor = SecurityDescriptor; context->u.NtQuerySecurityObject.Length = Length; context->u.NtQuerySecurityObject.LengthNeeded = LengthNeeded; return PhpCommonQueryObjectWithTimeout(context); } NTSTATUS PhCallNtSetSecurityObjectWithTimeout( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { PPHP_QUERY_OBJECT_COMMON_CONTEXT context; context = PhAllocate(sizeof(PHP_QUERY_OBJECT_COMMON_CONTEXT)); context->Work = NtSetSecurityObjectWork; context->Status = STATUS_UNSUCCESSFUL; context->u.NtSetSecurityObject.Handle = Handle; context->u.NtSetSecurityObject.SecurityInformation = SecurityInformation; context->u.NtSetSecurityObject.SecurityDescriptor = SecurityDescriptor; return PhpCommonQueryObjectWithTimeout(context); } NTSTATUS PhCallNtQueryFileInformationWithTimeout( _In_ HANDLE Handle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_opt_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength ) { PPHP_QUERY_OBJECT_COMMON_CONTEXT context; context = PhAllocate(sizeof(PHP_QUERY_OBJECT_COMMON_CONTEXT)); context->Work = NtQueryFileInformationWork; context->Status = STATUS_UNSUCCESSFUL; context->u.NtQueryFileInformation.Handle = Handle; context->u.NtQueryFileInformation.FileInformationClass = FileInformationClass; context->u.NtQueryFileInformation.FileInformation = FileInformation; context->u.NtQueryFileInformation.FileInformationLength = FileInformationLength; return PhpCommonQueryObjectWithTimeout(context); } NTSTATUS PhCallKphQueryFileInformationWithTimeout( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_opt_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength ) { PPHP_QUERY_OBJECT_COMMON_CONTEXT context; context = PhAllocate(sizeof(PHP_QUERY_OBJECT_COMMON_CONTEXT)); context->Work = KphQueryFileInformationWork; context->Status = STATUS_UNSUCCESSFUL; context->u.KphQueryFileInformation.ProcessHandle = ProcessHandle; context->u.KphQueryFileInformation.Handle = Handle; context->u.KphQueryFileInformation.FileInformationClass = FileInformationClass; context->u.KphQueryFileInformation.FileInformation = FileInformation; context->u.KphQueryFileInformation.FileInformationLength = FileInformationLength; return PhpCommonQueryObjectWithTimeout(context); } ================================================ FILE: phlib/http.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2023 * */ #include #include #include #include #include static const PH_FLAG_MAPPING PhpHttpRequestFlagMappings[] = { { PH_HTTP_FLAG_SECURE, WINHTTP_FLAG_SECURE }, { PH_HTTP_FLAG_REFRESH, WINHTTP_FLAG_REFRESH } }; static const PH_FLAG_MAPPING PhpHttpHeaderQueryMappings[] = { { PH_HTTP_QUERY_CONTENT_LENGTH, WINHTTP_QUERY_CONTENT_LENGTH }, { PH_HTTP_QUERY_STATUS_CODE, WINHTTP_QUERY_STATUS_CODE }, }; static const PH_FLAG_MAPPING PhpHttpFeatureMappings[] = { { PH_HTTP_FEATURE_REDIRECTS, WINHTTP_DISABLE_REDIRECTS }, { PH_HTTP_FEATURE_KEEP_ALIVE, WINHTTP_DISABLE_KEEP_ALIVE }, }; static const PH_FLAG_MAPPING PhpHttpSecurityFlagsMappings[] = { { PH_HTTP_SECURITY_IGNORE_UNKNOWN_CA, SECURITY_FLAG_IGNORE_UNKNOWN_CA }, { PH_HTTP_SECURITY_IGNORE_CERT_DATE_INVALID, SECURITY_FLAG_IGNORE_CERT_DATE_INVALID }, }; NTSTATUS PhHttpErrorToNtStatus( _In_ ULONG WinhttpError ); VOID CALLBACK PhWinHttpStatusCallback( _In_ HINTERNET InternetHandle, _In_ ULONG_PTR Context, _In_ ULONG InternetStatus, _In_opt_ PVOID StatusInformation, _In_ ULONG StatusInformationLength ); NTSTATUS PhGetLastWinHttpErrorAsNtStatus( VOID ) { return PhHttpErrorToNtStatus(PhGetLastError()); } PPH_STRING PhWinHttpUserAgentString( VOID ) { PH_FORMAT format[4]; SIZE_T returnLength; WCHAR formatBuffer[260]; #ifndef PHAPP_VERSION_MAJOR #define PHAPP_VERSION_MAJOR 0 #endif #ifndef PHAPP_VERSION_MINOR #define PHAPP_VERSION_MINOR 0 #endif PhInitFormatS(&format[0], L"SystemInformer_A2D1C96D_D25915D9_"); PhInitFormatU(&format[1], PHAPP_VERSION_MAJOR); PhInitFormatC(&format[2], L'_'); PhInitFormatU(&format[3], PHAPP_VERSION_MINOR); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &returnLength)) { PH_STRINGREF stringFormat; stringFormat.Buffer = formatBuffer; stringFormat.Length = returnLength - sizeof(UNICODE_NULL); return PhCreateString2(&stringFormat); } return PhFormat(format, RTL_NUMBER_OF(format), 0); } static NTSTATUS PhWinHttpOpen( _Out_ HINTERNET* SessionHandle ) { NTSTATUS status; HINTERNET sessionHandle; PPH_STRING httpUserAgent; ULONG httpAccessType; httpUserAgent = PhWinHttpUserAgentString(); if (WindowsVersion >= WINDOWS_8_1) httpAccessType = WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY; else httpAccessType = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY; if (sessionHandle = WinHttpOpen( PhGetString(httpUserAgent), httpAccessType, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0 )) { *SessionHandle = sessionHandle; status = STATUS_SUCCESS; } else { *SessionHandle = NULL; status = PhGetLastWinHttpErrorAsNtStatus(); } PhDereferenceObject(httpUserAgent); return status; } static NTSTATUS PhWinHttpConnect( _In_ HINTERNET SessionHandle, _In_ PCWSTR ServerName, _In_ USHORT ServerPort, _Out_ HINTERNET* ConnectionHandle ) { HINTERNET connectionHandle; if (connectionHandle = WinHttpConnect( SessionHandle, ServerName, ServerPort, 0 )) { *ConnectionHandle = connectionHandle; return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } static NTSTATUS PhWinHttpOpenRequest( _In_ HINTERNET ConnectionHandle, _In_ PCWSTR RequestMethod, _In_ PCWSTR RequestPath, _In_ ULONG Flags, _Out_ HINTERNET* RequestHandle ) { HINTERNET requestHandle; ULONG httpFlags = 0; //ULONG httpOptions; PhMapFlags1( &httpFlags, Flags, PhpHttpRequestFlagMappings, RTL_NUMBER_OF(PhpHttpRequestFlagMappings) ); if (requestHandle = WinHttpOpenRequest( ConnectionHandle, RequestMethod, RequestPath, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, httpFlags )) { *RequestHandle = requestHandle; return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpInitialize( _Out_ PPH_HTTP_CONTEXT *HttpContext ) { NTSTATUS status; PPH_HTTP_CONTEXT httpContext; HINTERNET sessionHandle; status = PhWinHttpOpen(&sessionHandle); if (!NT_SUCCESS(status)) return status; httpContext = PhAllocateZero(sizeof(PH_HTTP_CONTEXT)); httpContext->SessionHandle = sessionHandle; if (WindowsVersion < WINDOWS_8_1) { PhHttpSetOption(sessionHandle, WINHTTP_OPTION_SECURE_PROTOCOLS, WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2); } else { PhHttpSetOption(sessionHandle, WINHTTP_OPTION_SECURE_PROTOCOLS, WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3); PhHttpSetOption(sessionHandle, WINHTTP_OPTION_DECOMPRESSION, WINHTTP_DECOMPRESSION_FLAG_GZIP | WINHTTP_DECOMPRESSION_FLAG_DEFLATE); PhHttpSetOption(sessionHandle, WINHTTP_OPTION_ASSURED_NON_BLOCKING_CALLBACKS, TRUE); if (WindowsVersion >= WINDOWS_10) { PhHttpSetOption(sessionHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, WINHTTP_PROTOCOL_FLAG_HTTP2); //PhHttpSetOption(sessionHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, WINHTTP_PROTOCOL_FLAG_HTTP2 | WINHTTP_PROTOCOL_FLAG_HTTP3); } if (WindowsVersion >= WINDOWS_10_RS5) { PhHttpSetOption(sessionHandle, WINHTTP_OPTION_IPV6_FAST_FALLBACK, TRUE); PhHttpSetOption(sessionHandle, WINHTTP_OPTION_DISABLE_STREAM_QUEUE, TRUE); } if (WindowsVersion >= WINDOWS_11) { PhHttpSetOption(sessionHandle, WINHTTP_OPTION_DISABLE_GLOBAL_POOLING, TRUE); PhHttpSetOption(sessionHandle, WINHTTP_OPTION_TLS_FALSE_START, TRUE); PhHttpSetOption(sessionHandle, WINHTTP_OPTION_TCP_FAST_OPEN, TRUE); } if (WindowsVersion >= WINDOWS_11_24H2) { PhHttpSetOption(sessionHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, WINHTTP_PROTOCOL_FLAG_HTTP2 | WINHTTP_PROTOCOL_FLAG_HTTP3); PhHttpSetOption(sessionHandle, WINHTTP_OPTION_HTTP3_HANDSHAKE_TIMEOUT, 5000); // 5 second timeout before reverting to HTTP2 } } *HttpContext = httpContext; return STATUS_SUCCESS; } VOID PhHttpDestroy( _In_ _Maybenull_ _Frees_ptr_ PPH_HTTP_CONTEXT HttpContext ) { if (!HttpContext) return; // if (HttpContext->SessionHandle && HttpContext->EventCallbackRegistered) // { // // WinHTTP does not synchronize WinHttpSetStatusCallback with worker threads. // // If a callback originating in another thread is in progress when an application calls WinHttpSetStatusCallback, // // the application still receives a callback notification even after WinHttpSetStatusCallback successfully // // sets the callback function to NULL and returns. // // PhHttpSetCallback(HttpContext->SessionHandle, NULL, WINHTTP_CALLBACK_FLAG_ALL_NOTIFICATIONS); // } PhHttpClose(HttpContext, ULONG_MAX); PhFree(HttpContext); } VOID PhHttpClose( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PH_HTTP_SOCKET_CLOSE_TYPE Type ) { if (Type & PH_HTTP_SOCKET_CLOSE_SESSION) { if (HttpContext->SessionHandle) { WinHttpCloseHandle(HttpContext->SessionHandle); HttpContext->SessionHandle = NULL; } } if (Type & PH_HTTP_SOCKET_CLOSE_CONNECTION) { if (HttpContext->ConnectionHandle) { WinHttpCloseHandle(HttpContext->ConnectionHandle); HttpContext->ConnectionHandle = NULL; } } if (Type & PH_HTTP_SOCKET_CLOSE_REQUEST) { if (HttpContext->RequestHandle) { WinHttpCloseHandle(HttpContext->RequestHandle); HttpContext->RequestHandle = NULL; } } } NTSTATUS PhHttpConnect( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR ServerName, _In_ USHORT ServerPort ) { NTSTATUS status; HINTERNET connectionHandle; if (HttpContext->Callback) { HttpContext->Callback(PHHTTP_EVENT_CONNECTING, NULL, HttpContext->Context); } status = PhWinHttpConnect( HttpContext->SessionHandle, ServerName, ServerPort, &connectionHandle ); if (NT_SUCCESS(status)) { HttpContext->ConnectionHandle = connectionHandle; } //PDNS_RECORD dnsRecordList = PhDnsQuery(ServerName, DNS_TYPE_A); // //if (dnsRecordList) //{ // for (PDNS_RECORD dnsRecord = dnsRecordList; dnsRecord; dnsRecord = dnsRecord->pNext) // { // switch (dnsRecord->wType) // { // case DNS_TYPE_A: // { // WCHAR ipAddressString[INET_ADDRSTRLEN]; // // RtlIpv4AddressToString((PIN_ADDR)&dnsRecord->Data.A.IpAddress, ipAddressString); // // HttpContext->ServerName = ServerName; // HttpContext->ConnectionHandle = WinHttpConnect( // HttpContext->SessionHandle, // ipAddressString, // ServerPort, // 0 // ); // } // break; // case DNS_TYPE_AAAA: // { // WCHAR ipAddressString[INET6_ADDRSTRLEN]; // // RtlIpv6AddressToString((PIN6_ADDR)&dnsRecord->Data.AAAA.Ip6Address, ipAddressString); // // HttpContext->ServerName = ServerName; // HttpContext->ConnectionHandle = WinHttpConnect( // HttpContext->SessionHandle, // ipAddressString, // ServerPort, // 0 // ); // } // break; // } // } // // DnsFree(dnsRecordList, DnsFreeRecordList); //} return status; } NTSTATUS PhHttpBeginRequest( _In_ PPH_HTTP_CONTEXT HttpContext, _In_opt_ PCWSTR RequestMethod, _In_ PCWSTR RequestPath, _In_ ULONG Flags ) { NTSTATUS status; HINTERNET requestHandle; status = PhWinHttpOpenRequest( HttpContext->ConnectionHandle, RequestMethod, RequestPath, Flags, &requestHandle ); if (NT_SUCCESS(status)) { HttpContext->RequestHandle = requestHandle; //PhHttpSetContext(requestHandle, HttpContext); } return status; } NTSTATUS PhHttpSendRequest( _In_ PPH_HTTP_CONTEXT HttpContext, _In_opt_ PCWSTR HeadersBuffer, _In_ ULONG HeadersLength, _In_opt_ PVOID OptionalBuffer, _In_ ULONG OptionalLength, _In_ ULONG TotalLength ) { if (HttpContext->Callback) { HttpContext->Callback(PHHTTP_EVENT_SENDING_REQUEST, NULL, HttpContext->Context); } if (WinHttpSendRequest( HttpContext->RequestHandle, HeadersBuffer, HeadersLength, OptionalBuffer, OptionalLength, TotalLength, (ULONG_PTR)HttpContext )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpReceiveResponse( _In_ PPH_HTTP_CONTEXT HttpContext ) { if (WinHttpReceiveResponse(HttpContext->RequestHandle, NULL)) { //ULONG connectionInfoLength; //WINHTTP_CONNECTION_INFO connectionInfo; // //connectionInfoLength = sizeof(WINHTTP_CONNECTION_INFO); //memset(&connectionInfo, 0, connectionInfoLength); //connectionInfo.cbSize = connectionInfoLength; // //if (WinHttpQueryOption( // HttpContext->RequestHandle, // WINHTTP_OPTION_CONNECTION_INFO, // &connectionInfo, // &connectionInfoLength // )) //{ // //} #if DEBUG { ULONG option = 0; ULONG optionLength = sizeof(ULONG); if (WinHttpQueryOption( HttpContext->RequestHandle, WINHTTP_OPTION_HTTP_PROTOCOL_USED, &option, &optionLength )) { if (option & WINHTTP_PROTOCOL_FLAG_HTTP3) { dprintf("[PH_HTTP] %s", "HTTP3 socket\n"); } if (option & WINHTTP_PROTOCOL_FLAG_HTTP2) { dprintf("[PH_HTTP] %s", "HTTP2 socket\n"); } } } #endif return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpReadData( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PVOID Buffer, _In_ ULONG BufferLength, _Out_ PULONG BytesCopied ) { if (WinHttpReadData( HttpContext->RequestHandle, Buffer, BufferLength, BytesCopied )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpWriteData( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PVOID Buffer, _In_ ULONG BufferLength, _Out_ PULONG BytesCopied ) { if (WinHttpWriteData( HttpContext->RequestHandle, Buffer, BufferLength, BytesCopied )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpAddRequestHeaders( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR Headers, _In_opt_ ULONG HeadersLength ) { if (WinHttpAddRequestHeaders( HttpContext->RequestHandle, Headers, HeadersLength ? HeadersLength : ULONG_MAX, WINHTTP_ADDREQ_FLAG_ADD | WINHTTP_ADDREQ_FLAG_REPLACE )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } PPH_STRING PhHttpQueryHeaders( _In_ PPH_HTTP_CONTEXT HttpContext ) { ULONG bufferLength = 0; PPH_STRING stringBuffer; if (!WinHttpQueryHeaders( HttpContext->RequestHandle, WINHTTP_QUERY_RAW_HEADERS_CRLF, NULL, WINHTTP_NO_OUTPUT_BUFFER, &bufferLength, WINHTTP_NO_HEADER_INDEX )) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) return NULL; } stringBuffer = PhCreateStringEx(NULL, bufferLength); if (!WinHttpQueryHeaders( HttpContext->RequestHandle, WINHTTP_QUERY_RAW_HEADERS_CRLF, NULL, stringBuffer->Buffer, &bufferLength, WINHTTP_NO_HEADER_INDEX )) { PhDereferenceObject(stringBuffer); return NULL; } return stringBuffer; } PPH_STRING PhHttpQueryHeaderString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR HeaderString ) { ULONG bufferLength = 0; PPH_STRING stringBuffer; if (!WinHttpQueryHeaders( HttpContext->RequestHandle, WINHTTP_QUERY_CUSTOM, HeaderString, WINHTTP_NO_OUTPUT_BUFFER, &bufferLength, // includes null WINHTTP_NO_HEADER_INDEX )) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) return NULL; } stringBuffer = PhCreateStringEx(NULL, bufferLength); if (!WinHttpQueryHeaders( HttpContext->RequestHandle, WINHTTP_QUERY_CUSTOM, HeaderString, stringBuffer->Buffer, &bufferLength, // excludes null WINHTTP_NO_HEADER_INDEX )) { PhDereferenceObject(stringBuffer); return NULL; } PhTrimToNullTerminatorString(stringBuffer); //stringBuffer->Length = bufferLength; return stringBuffer; } NTSTATUS PhHttpQueryHeaderUlong( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG QueryValue, _Out_ PULONG HeaderValue ) { //ULONG queryFlags = 0; //ULONG headerValue = 0; //ULONG valueLength = sizeof(ULONG); // //PhMapFlags1( // &queryFlags, // QueryValue, // PhpHttpHeaderQueryMappings, // RTL_NUMBER_OF(PhpHttpHeaderQueryMappings) // ); // //if (WinHttpQueryHeaders( // HttpContext->RequestHandle, // queryFlags | WINHTTP_QUERY_FLAG_NUMBER, // WINHTTP_HEADER_NAME_BY_INDEX, // &headerValue, // &valueLength, // WINHTTP_NO_HEADER_INDEX // )) //{ // *HeaderValue = headerValue; // return TRUE; //} NTSTATUS status; ULONG64 headerValue; status = PhHttpQueryHeaderUlong64( HttpContext, QueryValue, &headerValue ); if (NT_SUCCESS(status)) { if (headerValue <= ULONG_MAX) { *HeaderValue = (ULONG)headerValue; status = STATUS_SUCCESS; } else { status = STATUS_INTEGER_OVERFLOW; } } return status; } NTSTATUS PhHttpQueryHeaderUlong64( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG QueryValue, _Out_ PULONG64 HeaderValue ) { ULONG queryFlags = 0; ULONG valueLength = 0x100; WCHAR valueBuffer[0x100]; PhMapFlags1( &queryFlags, QueryValue, PhpHttpHeaderQueryMappings, RTL_NUMBER_OF(PhpHttpHeaderQueryMappings) ); // Note: The WINHTTP_QUERY_FLAG_NUMBER flag returns invalid integers when // querying some types with ULONG64 like WINHTTP_QUERY_STATUS_CODE. So we'll // do the conversion for improved reliability and performance. (dmex) if (WinHttpQueryHeaders( HttpContext->RequestHandle, queryFlags, WINHTTP_HEADER_NAME_BY_INDEX, valueBuffer, &valueLength, WINHTTP_NO_HEADER_INDEX )) { if (valueLength != 0) { PH_STRINGREF string; ULONG64 integer; string.Buffer = valueBuffer; string.Length = valueLength; if (PhStringToUInt64(&string, 10, &integer)) { *HeaderValue = integer; return STATUS_SUCCESS; } else { return STATUS_INTEGER_OVERFLOW; } } else { return STATUS_DATA_LATE_ERROR; } } return PhGetLastWinHttpErrorAsNtStatus(); } //ULONG PhHttpQueryStatusCode( // _In_ PPH_HTTP_CONTEXT HttpContext // ) //{ // ULONG headerValue = 0; // ULONG valueLength = sizeof(ULONG); // // if (WinHttpQueryHeaders( // HttpContext->RequestHandle, // WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER, // WINHTTP_HEADER_NAME_BY_INDEX, // &headerValue, // &valueLength, // WINHTTP_NO_HEADER_INDEX // )) // { // return headerValue; // } // // return ULONG_MAX; //} ULONG PhHttpQueryStatusCode( _In_ PPH_HTTP_CONTEXT HttpContext ) { ULONG headerValue = 0; ULONG valueLength = sizeof(ULONG); // Retrieves additional information about the status of a response that might not be reflected by the response status code. if (WinHttpQueryHeaders( HttpContext->RequestHandle, WINHTTP_QUERY_WARNING, WINHTTP_HEADER_NAME_BY_INDEX, &headerValue, &valueLength, WINHTTP_NO_HEADER_INDEX )) { return headerValue; } return ULONG_MAX; } PVOID PhHttpQueryOption( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ BOOLEAN SessionOption, _In_ ULONG QueryOption ) { HINTERNET queryHandle; ULONG bufferLength = 0; PVOID optionBuffer; if (SessionOption) queryHandle = HttpContext->SessionHandle; else queryHandle = HttpContext->RequestHandle; if (!WinHttpQueryOption( queryHandle, QueryOption, NULL, &bufferLength )) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) return NULL; } optionBuffer = PhAllocate(bufferLength); memset(optionBuffer, 0, bufferLength); if (!WinHttpQueryOption( queryHandle, QueryOption, optionBuffer, &bufferLength )) { PhFree(optionBuffer); return NULL; } return optionBuffer; } PPH_STRING PhHttpQueryOptionString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ BOOLEAN SessionOption, _In_ ULONG QueryOption ) { PVOID optionBuffer; PPH_STRING stringBuffer = NULL; optionBuffer = PhHttpQueryOption( HttpContext, SessionOption, QueryOption ); if (optionBuffer) { stringBuffer = PhCreateString(optionBuffer); PhFree(optionBuffer); } return stringBuffer; } NTSTATUS PhHttpReadDataToBuffer( _In_ PVOID RequestHandle, _Out_ PVOID *Buffer, _Out_ ULONG *BufferLength ) { PSTR data; ULONG allocatedLength; ULONG dataLength; ULONG returnLength; BYTE buffer[PAGE_SIZE]; allocatedLength = sizeof(buffer); data = (PSTR)PhAllocate(allocatedLength); dataLength = 0; while (WinHttpReadData(RequestHandle, buffer, PAGE_SIZE, &returnLength)) { if (returnLength == 0) break; if (allocatedLength < dataLength + returnLength) { allocatedLength *= 2; data = PhReAllocate(data, allocatedLength); } memcpy(data + dataLength, buffer, returnLength); dataLength += returnLength; } if (allocatedLength < dataLength + 1) { allocatedLength++; data = PhReAllocate(data, allocatedLength); } data[dataLength] = ANSI_NULL; if (dataLength) { if (Buffer) *Buffer = data; else PhFree(data); if (BufferLength) *BufferLength = dataLength; return STATUS_SUCCESS; } else { PhFree(data); return STATUS_UNSUCCESSFUL; } } NTSTATUS PhHttpDownloadString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ BOOLEAN Unicode, _Out_ PVOID* StringBuffer ) { NTSTATUS status; PVOID buffer; ULONG bufferLength; status = PhHttpReadDataToBuffer( HttpContext->RequestHandle, &buffer, &bufferLength ); if (NT_SUCCESS(status)) { if (Unicode) *StringBuffer = PhConvertUtf8ToUtf16Ex(buffer, bufferLength); else *StringBuffer = PhCreateBytesEx(buffer, bufferLength); PhFree(buffer); } return status; } NTSTATUS PhHttpDownloadToFile( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PPH_STRINGREF FileName, _In_ PPH_HTTPDOWNLOAD_CALLBACK Callback, _In_opt_ PVOID Context ) { PH_HTTPDOWNLOAD_CONTEXT context = { 0 }; NTSTATUS status; HANDLE fileHandle; LARGE_INTEGER fileSize; ULONG64 numberOfBytesTotal = 0; ULONG numberOfBytesRead = 0; ULONG64 numberOfBytesReadTotal = 0; ULONG64 timeTicks; LARGE_INTEGER timeNow; LARGE_INTEGER timeStart; PPH_STRING fileName; IO_STATUS_BLOCK isb; BYTE buffer[PAGE_SIZE]; PhQuerySystemTime(&timeStart); status = PhHttpQueryHeaderUlong64( HttpContext, PH_HTTP_QUERY_CONTENT_LENGTH, &numberOfBytesTotal ); if (!NT_SUCCESS(status)) return status; if (numberOfBytesTotal == 0) return STATUS_UNSUCCESSFUL; fileName = PhGetTemporaryDirectoryRandomAlphaFileName(); fileSize.QuadPart = (LONGLONG)numberOfBytesTotal; if (PhIsNullOrEmptyString(fileName)) return STATUS_UNSUCCESSFUL; status = PhCreateFileWin32Ex( &fileHandle, PhGetString(fileName), FILE_GENERIC_WRITE, &fileSize, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_CREATE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL ); if (!NT_SUCCESS(status)) { PhDereferenceObject(fileName); return status; } memset(buffer, 0, sizeof(buffer)); while (TRUE) { status = PhHttpReadData( HttpContext, buffer, PAGE_SIZE, &numberOfBytesRead ); if (!NT_SUCCESS(status)) break; if (numberOfBytesRead == 0) break; status = NtWriteFile( fileHandle, NULL, NULL, NULL, &isb, buffer, numberOfBytesRead, NULL, NULL ); if (!NT_SUCCESS(status)) break; if (isb.Information == 0) break; if (numberOfBytesRead != isb.Information) { status = STATUS_UNSUCCESSFUL; break; } if (Callback) { PhQuerySystemTime(&timeNow); timeTicks = (timeNow.QuadPart - timeStart.QuadPart) / PH_TICKS_PER_SEC; numberOfBytesReadTotal += isb.Information; context.ReadLength = numberOfBytesReadTotal; context.TotalLength = numberOfBytesTotal; context.BitsPerSecond = numberOfBytesReadTotal / __max(timeTicks, 1); context.Percent = (((DOUBLE)numberOfBytesReadTotal / (DOUBLE)numberOfBytesTotal) * 100); if (!Callback(&context, Context)) break; } } if (numberOfBytesReadTotal != numberOfBytesTotal) { status = STATUS_UNSUCCESSFUL; } if (status != STATUS_SUCCESS) { PhSetFileDelete(fileHandle); } NtClose(fileHandle); if (NT_SUCCESS(status)) { status = PhCreateDirectoryFullPathWin32(FileName); if (NT_SUCCESS(status)) { status = PhMoveFileWin32(PhGetString(fileName), PhGetStringRefZ(FileName), FALSE); } } PhDereferenceObject(fileName); return status; } NTSTATUS PhHttpSetFeature( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG Feature, _In_ BOOLEAN Enable ) { ULONG featureValue = 0; PhMapFlags1( &featureValue, Feature, PhpHttpFeatureMappings, RTL_NUMBER_OF(PhpHttpFeatureMappings) ); if (WinHttpSetOption( HttpContext->RequestHandle, Enable ? WINHTTP_OPTION_ENABLE_FEATURE : WINHTTP_OPTION_DISABLE_FEATURE, &featureValue, sizeof(ULONG) )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpSetOption( _In_ PVOID HttpHandle, _In_ ULONG Option, _In_ ULONG Value ) { ULONG optionValue = Value; if (WinHttpSetOption( HttpHandle, Option, &optionValue, sizeof(ULONG) )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpSetOptionString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG Option, _In_ PPH_STRINGREF Value ) { ULONG optionLength = (ULONG)Value->Length; if (WinHttpSetOption( HttpContext->RequestHandle, Option, Value->Buffer, optionLength )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpSetCallback( _In_ PVOID HttpHandle, _In_ PPH_HTTP_STATUS_CALLBACK Callback, _In_ ULONG NotificationFlags ) { PPH_HTTP_STATUS_CALLBACK previousCallback; previousCallback = WinHttpSetStatusCallback( HttpHandle, Callback, NotificationFlags, 0 ); if (previousCallback == WINHTTP_INVALID_STATUS_CALLBACK) { return PhGetLastWinHttpErrorAsNtStatus(); } return STATUS_SUCCESS; } NTSTATUS PhHttpGetContext( _In_ PVOID HttpHandle, _In_ PVOID Context ) { ULONG bufferLength = sizeof(ULONG_PTR); if (WinHttpQueryOption(HttpHandle, WINHTTP_OPTION_CONTEXT_VALUE, Context, &bufferLength)) return STATUS_SUCCESS; return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpSetContext( _In_ PVOID HttpHandle, _In_ PVOID Context ) { if (WinHttpSetOption(HttpHandle, WINHTTP_OPTION_CONTEXT_VALUE, Context, sizeof(ULONG_PTR))) return STATUS_SUCCESS; return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpSetSecurity( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG Feature ) { ULONG featureValue = 0; PhMapFlags1( &featureValue, Feature, PhpHttpSecurityFlagsMappings, RTL_NUMBER_OF(PhpHttpSecurityFlagsMappings) ); if (WinHttpSetOption( HttpContext->RequestHandle, WINHTTP_OPTION_SECURITY_FLAGS, &featureValue, sizeof(ULONG) )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpSetProtocol( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ BOOLEAN Session, _In_ ULONG Protocol, _In_ ULONG Timeout ) { NTSTATUS status; if (Session) { status = PhHttpSetOption(HttpContext->SessionHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, Protocol); if (!NT_SUCCESS(status)) return status; if (FlagOn(Protocol, PH_HTTP_PROTOCOL_FLAG_HTTP3)) { status = PhHttpSetOption(HttpContext->SessionHandle, WINHTTP_OPTION_HTTP3_HANDSHAKE_TIMEOUT, Timeout); } } else { status = PhHttpSetOption(HttpContext->RequestHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, Protocol); if (!NT_SUCCESS(status)) return status; if (FlagOn(Protocol, PH_HTTP_PROTOCOL_FLAG_HTTP3)) { status = PhHttpSetOption(HttpContext->RequestHandle, WINHTTP_OPTION_HTTP3_HANDSHAKE_TIMEOUT, Timeout); } } return status; } NTSTATUS PhHttpCrackUrl( _In_ PPH_STRING Url, _Out_ PPH_STRING *HostPart, _Out_ PPH_STRING *PathPart, _Out_ PUSHORT PortPart ) { URL_COMPONENTS httpParts; PPH_STRING hostPart = NULL; PPH_STRING pathPart = NULL; memset(&httpParts, 0, sizeof(URL_COMPONENTS)); httpParts.dwStructSize = sizeof(URL_COMPONENTS); httpParts.dwHostNameLength = ULONG_MAX; httpParts.dwUrlPathLength = ULONG_MAX; if (!WinHttpCrackUrl( Url->Buffer, (ULONG)Url->Length / sizeof(WCHAR), 0, &httpParts )) { return PhGetLastWinHttpErrorAsNtStatus(); } if (httpParts.dwHostNameLength) { hostPart = PhCreateStringEx(httpParts.lpszHostName, httpParts.dwHostNameLength * sizeof(WCHAR)); } if (httpParts.dwUrlPathLength) { pathPart = PhCreateStringEx(httpParts.lpszUrlPath, httpParts.dwUrlPathLength * sizeof(WCHAR)); } if (hostPart && pathPart) { *HostPart = hostPart; *PathPart = pathPart; if (PortPart) { *PortPart = httpParts.nPort; } return STATUS_SUCCESS; } else { PhClearReference(&hostPart); PhClearReference(&pathPart); return STATUS_UNSUCCESSFUL; } } PPH_STRING PhHttpGetErrorMessage( _In_ ULONG ErrorCode ) { PVOID winhttpHandle; PPH_STRING message = NULL; if (!(winhttpHandle = PhGetLoaderEntryDllBaseZ(L"winhttp.dll"))) return NULL; if (message = PhGetMessage(winhttpHandle, 0xb, PhGetUserDefaultLangID(), ErrorCode)) { PhTrimToNullTerminatorString(message); } // Remove any trailing newline if (message && message->Length >= 2 * sizeof(WCHAR) && message->Buffer[message->Length / sizeof(WCHAR) - 2] == L'\r' && message->Buffer[message->Length / sizeof(WCHAR) - 1] == L'\n') { PhMoveReference(&message, PhCreateStringEx(message->Buffer, message->Length - 2 * sizeof(WCHAR))); } return message; } NTSTATUS PhHttpGetCertificateInfo( _In_ PPH_HTTP_CONTEXT HttpContext, _Out_ PPH_HTTP_CERTIFICATE_INFO Certificate ) { ULONG certificateInfoLength; WINHTTP_CERTIFICATE_INFO certificateInfoBuffer; certificateInfoLength = sizeof(WINHTTP_CERTIFICATE_INFO); RtlZeroMemory(&certificateInfoBuffer, sizeof(WINHTTP_CERTIFICATE_INFO)); if (WinHttpQueryOption( HttpContext->SessionHandle, WINHTTP_OPTION_EXTENDED_ERROR, &certificateInfoBuffer, &certificateInfoLength )) { RtlZeroMemory(Certificate, sizeof(PH_HTTP_CERTIFICATE_INFO)); Certificate->Expiry.LowPart = certificateInfoBuffer.ftExpiry.dwLowDateTime; Certificate->Expiry.HighPart = certificateInfoBuffer.ftExpiry.dwHighDateTime; Certificate->Start.LowPart = certificateInfoBuffer.ftStart.dwLowDateTime; Certificate->Start.HighPart = certificateInfoBuffer.ftStart.dwHighDateTime; Certificate->SubjectInfo = certificateInfoBuffer.lpszSubjectInfo; Certificate->IssuerInfo = certificateInfoBuffer.lpszIssuerInfo; Certificate->ProtocolName = certificateInfoBuffer.lpszProtocolName; Certificate->SignatureAlgName = certificateInfoBuffer.lpszSignatureAlgName; Certificate->EncryptionAlgName = certificateInfoBuffer.lpszEncryptionAlgName; Certificate->KeySize = certificateInfoBuffer.dwKeySize; return STATUS_SUCCESS; } RtlZeroMemory(Certificate, sizeof(PH_HTTP_CERTIFICATE_INFO)); return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpGetTimingInfo( _In_ PPH_HTTP_CONTEXT HttpContext ) { ULONG requestTimeLength; WINHTTP_REQUEST_TIMES requestTimeBuffer; requestTimeLength = sizeof(WINHTTP_REQUEST_TIMES); memset(&requestTimeBuffer, 0, sizeof(WINHTTP_REQUEST_TIMES)); requestTimeBuffer.cTimes = WinHttpRequestTimeMax; if (WinHttpQueryOption( HttpContext->SessionHandle, WINHTTP_OPTION_REQUEST_TIMES, &requestTimeBuffer, &requestTimeLength )) { for (ULONG i = 0; i < WinHttpRequestTimeMax; i++) { dprintf("%lu: %lu\n", i, requestTimeBuffer.rgullTimes[i]); } return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpGetStatistics( _In_ PPH_HTTP_CONTEXT HttpContext, _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PVOID Buffer, _Inout_ PULONG BufferLength ) { // WINHTTP_OPTION_CONNECTION_STATS_V0 // WINHTTP_OPTION_CONNECTION_STATS_V1 // WINHTTP_OPTION_CONNECTION_STATS_V2 if (WinHttpQueryOption( HttpContext->SessionHandle, WINHTTP_OPTION_CONNECTION_STATS_V0, Buffer, BufferLength )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); //ULONG statisticsInfoLength = sizeof(TCP_INFO_v0); //TCP_INFO_v0 statisticsInfo = { 0 }; //dprintf("State: %d\n", statisticsInfo.State); //dprintf("Mss: %lu\n", statisticsInfo.Mss); //dprintf("ConnectionTimeMs: %llu\n", statisticsInfo.ConnectionTimeMs); //dprintf("TimestampsEnabled: %d\n", statisticsInfo.TimestampsEnabled); //dprintf("RttUs: %lu\n", statisticsInfo.RttUs); //dprintf("MinRttUs: %lu\n", statisticsInfo.MinRttUs); //dprintf("BytesInFlight: %lu\n", statisticsInfo.BytesInFlight); //dprintf("Cwnd: %lu\n", statisticsInfo.Cwnd); //dprintf("SndWnd: %lu\n", statisticsInfo.SndWnd); //dprintf("RcvWnd: %lu\n", statisticsInfo.RcvWnd); //dprintf("RcvBuf: %lu\n", statisticsInfo.RcvBuf); //dprintf("BytesOut: %llu\n", statisticsInfo.BytesOut); //dprintf("BytesIn: %llu\n", statisticsInfo.BytesIn); //dprintf("BytesReordered: %lu\n", statisticsInfo.BytesReordered); //dprintf("BytesRetrans: %lu\n", statisticsInfo.BytesRetrans); //dprintf("FastRetrans: %lu\n", statisticsInfo.FastRetrans); //dprintf("DupAcksIn: %lu\n", statisticsInfo.DupAcksIn); //dprintf("TimeoutEpisodes: %lu\n", statisticsInfo.TimeoutEpisodes); //dprintf("SynRetrans: %u\n", statisticsInfo.SynRetrans); } ULONG PhHttpGetExtendedStatusCode( _In_ PPH_HTTP_CONTEXT HttpContext ) { ULONG bufferLength = sizeof(ULONG); ULONG socketcode = ULONG_MAX; WinHttpQueryOption( HttpContext->SessionHandle, WINHTTP_OPTION_EXTENDED_ERROR, &socketcode, &bufferLength ); return socketcode; } NTSTATUS PhHttpSetCredentials( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR Name, _In_ PCWSTR Value ) { if (WinHttpSetCredentials( HttpContext->RequestHandle, WINHTTP_AUTH_TARGET_SERVER, WINHTTP_AUTH_SCHEME_BASIC, Name, Value, NULL )) { return STATUS_SUCCESS; } return PhGetLastWinHttpErrorAsNtStatus(); } NTSTATUS PhHttpSetEventCallback( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PPH_HTTP_EVENT_CALLBACK EventCallback, _In_opt_ PVOID Context ) { HttpContext->Callback = EventCallback; HttpContext->Context = Context; //PhHttpSetContext(HttpContext->SessionHandle, HttpContext); //PhHttpSetCallback(HttpContext->SessionHandle, PhWinHttpStatusCallback, WINHTTP_CALLBACK_FLAG_ALL_NOTIFICATIONS); if (HttpContext->Callback) { HttpContext->Callback(PHHTTP_EVENT_INITIALIZING, NULL, Context); } return STATUS_SUCCESS; } VOID CALLBACK PhWinHttpStatusCallback( _In_ HINTERNET InternetHandle, _In_ ULONG_PTR Context, _In_ ULONG InternetStatus, _In_opt_ PVOID StatusInformation, _In_ ULONG StatusInformationLength ) { PPH_HTTP_CONTEXT context = NULL; if (!Context) { PVOID httpContext; if (NT_SUCCESS(PhHttpGetContext(InternetHandle, &httpContext))) { context = (PPH_HTTP_CONTEXT)httpContext; } } else { context = (PPH_HTTP_CONTEXT)Context; } switch (InternetStatus) { case WINHTTP_CALLBACK_STATUS_RESOLVING_NAME: { PH_STRINGREF string; string.Buffer = (PWSTR)StatusInformation; string.Length = (StatusInformationLength - 1) * sizeof(WCHAR); if (context->Callback) { context->Callback(PHHTTP_EVENT_RESOLVING_NAME, &string, context->Context); } } break; case WINHTTP_CALLBACK_STATUS_NAME_RESOLVED: { PH_STRINGREF string; string.Buffer = (PWSTR)StatusInformation; string.Length = (StatusInformationLength - 1) * sizeof(WCHAR); if (context->Callback) { context->Callback(PHHTTP_EVENT_NAME_RESOLVED, &string, context->Context); } } break; case WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER: { PH_STRINGREF string; string.Buffer = (PWSTR)StatusInformation; string.Length = (StatusInformationLength - 1) * sizeof(WCHAR); if (context->Callback) { context->Callback(PHHTTP_EVENT_CONNECTING, &string, context->Context); } } break; case WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER: { PH_STRINGREF string; string.Buffer = (PWSTR)StatusInformation; string.Length = (StatusInformationLength - 1) * sizeof(WCHAR); if (context->Callback) { context->Callback(InternetStatus, &string, context->Context); } } break; case WINHTTP_CALLBACK_STATUS_SENDING_REQUEST: { dprintf("WINHTTP_CALLBACK_STATUS_SENDING_REQUEST\n"); } break; case WINHTTP_CALLBACK_STATUS_REQUEST_SENT: { ULONG numberOfBytesSent = *(PULONG)StatusInformation; dprintf("WINHTTP_CALLBACK_STATUS_REQUEST_SENT: %lu\n", numberOfBytesSent); } break; case WINHTTP_CALLBACK_STATUS_RECEIVING_RESPONSE: { dprintf("WINHTTP_CALLBACK_STATUS_RECEIVING_RESPONSE\n"); } break; case WINHTTP_CALLBACK_STATUS_RESPONSE_RECEIVED: { ULONG numberOfBytesReceived = *(PULONG)StatusInformation; dprintf("WINHTTP_CALLBACK_STATUS_RESPONSE_RECEIVED: %lu\n", numberOfBytesReceived); } break; case WINHTTP_CALLBACK_STATUS_CLOSING_CONNECTION: { dprintf("WINHTTP_CALLBACK_STATUS_CLOSING_CONNECTION\n"); } break; case WINHTTP_CALLBACK_STATUS_CONNECTION_CLOSED: { dprintf("WINHTTP_CALLBACK_STATUS_CONNECTION_CLOSED\n"); } break; case WINHTTP_CALLBACK_STATUS_HANDLE_CREATED: { HINTERNET handle = (HINTERNET)*(PULONG_PTR)StatusInformation; ULONG option = 0; ULONG optionLength = sizeof(ULONG); dprintf("WINHTTP_CALLBACK_STATUS_HANDLE_CREATED: 0x%llx ", handle); if (WinHttpQueryOption( handle, WINHTTP_OPTION_HANDLE_TYPE, &option, &optionLength )) { switch (option) { case WINHTTP_HANDLE_TYPE_SESSION: dprintf("[%s]\n", "Session handle"); break; case WINHTTP_HANDLE_TYPE_CONNECT: dprintf("[%s]\n", "Connect handle"); break; case WINHTTP_HANDLE_TYPE_REQUEST: dprintf("[%s]\n", "Request handle"); break; case WINHTTP_HANDLE_TYPE_PROXY_RESOLVER: dprintf("[%s]\n", "Proxy handle"); break; case WINHTTP_HANDLE_TYPE_WEBSOCKET: dprintf("[%s]\n", "Websocket handle"); break; case WINHTTP_HANDLE_TYPE_PROTOCOL: dprintf("[%s]\n", "Protocol handle"); break; } } } break; case WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING: { HINTERNET handle = (HINTERNET)*(PULONG_PTR)StatusInformation; dprintf("WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING: 0x%llx\n", handle); } break; case WINHTTP_CALLBACK_STATUS_DETECTING_PROXY: { dprintf("WINHTTP_CALLBACK_STATUS_DETECTING_PROXY\n"); } break; case WINHTTP_CALLBACK_STATUS_REDIRECT: { dprintf("WINHTTP_CALLBACK_STATUS_REDIRECT\n"); } break; case WINHTTP_CALLBACK_STATUS_INTERMEDIATE_RESPONSE: { dprintf("WINHTTP_CALLBACK_STATUS_INTERMEDIATE_RESPONSE\n"); } break; case WINHTTP_CALLBACK_STATUS_SECURE_FAILURE: { dprintf("WINHTTP_CALLBACK_STATUS_SECURE_FAILURE\n"); } break; case WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE: { dprintf("WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE\n"); } break; case WINHTTP_CALLBACK_STATUS_DATA_AVAILABLE: { dprintf("WINHTTP_CALLBACK_STATUS_DATA_AVAILABLE\n"); } break; case WINHTTP_CALLBACK_STATUS_READ_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_READ_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_WRITE_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_WRITE_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_REQUEST_ERROR: { dprintf("WINHTTP_CALLBACK_STATUS_REQUEST_ERROR\n"); } break; case WINHTTP_CALLBACK_STATUS_SENDREQUEST_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_SENDREQUEST_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_GETPROXYFORURL_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_GETPROXYFORURL_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_CLOSE_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_CLOSE_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_SHUTDOWN_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_SHUTDOWN_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_GETPROXYSETTINGS_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_GETPROXYSETTINGS_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_SETTINGS_WRITE_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_SETTINGS_WRITE_COMPLETE\n"); } break; case WINHTTP_CALLBACK_STATUS_SETTINGS_READ_COMPLETE: { dprintf("WINHTTP_CALLBACK_STATUS_SETTINGS_READ_COMPLETE\n"); } break; } } NTSTATUS PhHttpErrorToNtStatus( _In_ ULONG WinhttpError ) { switch (WinhttpError) { case ERROR_WINHTTP_OUT_OF_HANDLES: return STATUS_NO_MEMORY; case ERROR_WINHTTP_TIMEOUT: return STATUS_TIMEOUT; case ERROR_WINHTTP_INTERNAL_ERROR: return STATUS_INTERNAL_ERROR; case ERROR_WINHTTP_INVALID_URL: return STATUS_OBJECT_PATH_INVALID; case ERROR_WINHTTP_UNRECOGNIZED_SCHEME: return STATUS_OBJECT_NAME_INVALID; case ERROR_WINHTTP_NAME_NOT_RESOLVED: return STATUS_OBJECT_NAME_NOT_FOUND; case ERROR_WINHTTP_INVALID_OPTION: case ERROR_WINHTTP_OPTION_NOT_SETTABLE: return STATUS_INVALID_DEVICE_REQUEST; case ERROR_WINHTTP_SHUTDOWN: return STATUS_SYSTEM_SHUTDOWN; case ERROR_WINHTTP_LOGIN_FAILURE: return STATUS_LOGON_FAILURE; case ERROR_WINHTTP_OPERATION_CANCELLED: return STATUS_CANCELLED; case ERROR_WINHTTP_INCORRECT_HANDLE_TYPE: case ERROR_WINHTTP_INCORRECT_HANDLE_STATE: return STATUS_INVALID_HANDLE; case ERROR_WINHTTP_CANNOT_CONNECT: return STATUS_CONNECTION_REFUSED; case ERROR_WINHTTP_CONNECTION_ERROR: return STATUS_CONNECTION_ABORTED; case ERROR_WINHTTP_RESEND_REQUEST: return STATUS_RETRY; case ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED: return STATUS_PKINIT_FAILURE; case ERROR_WINHTTP_CANNOT_CALL_BEFORE_OPEN: case ERROR_WINHTTP_CANNOT_CALL_BEFORE_SEND: case ERROR_WINHTTP_CANNOT_CALL_AFTER_SEND: case ERROR_WINHTTP_CANNOT_CALL_AFTER_OPEN: return STATUS_INVALID_DEVICE_STATE; case ERROR_WINHTTP_HEADER_NOT_FOUND: return STATUS_OBJECT_NAME_NOT_FOUND; case ERROR_WINHTTP_INVALID_SERVER_RESPONSE: return STATUS_INVALID_NETWORK_RESPONSE; case ERROR_WINHTTP_INVALID_HEADER: case ERROR_WINHTTP_INVALID_QUERY_REQUEST: return STATUS_INVALID_PARAMETER; case ERROR_WINHTTP_HEADER_ALREADY_EXISTS: return STATUS_OBJECT_NAME_COLLISION; case ERROR_WINHTTP_REDIRECT_FAILED: return STATUS_UNSUCCESSFUL; case ERROR_WINHTTP_AUTO_PROXY_SERVICE_ERROR: return STATUS_LOGON_FAILURE; case ERROR_WINHTTP_BAD_AUTO_PROXY_SCRIPT: case ERROR_WINHTTP_UNABLE_TO_DOWNLOAD_SCRIPT: case ERROR_WINHTTP_UNHANDLED_SCRIPT_TYPE: case ERROR_WINHTTP_SCRIPT_EXECUTION_ERROR: return STATUS_INVALID_PARAMETER; case ERROR_WINHTTP_NOT_INITIALIZED: return STATUS_INVALID_DEVICE_STATE; case ERROR_WINHTTP_SECURE_FAILURE: return STATUS_ENCRYPTION_FAILED; case ERROR_WINHTTP_SECURE_CERT_DATE_INVALID: case ERROR_WINHTTP_SECURE_CERT_CN_INVALID: case ERROR_WINHTTP_SECURE_INVALID_CA: case ERROR_WINHTTP_SECURE_CERT_REV_FAILED: case ERROR_WINHTTP_SECURE_CHANNEL_ERROR: case ERROR_WINHTTP_SECURE_INVALID_CERT: case ERROR_WINHTTP_SECURE_CERT_REVOKED: case ERROR_WINHTTP_SECURE_CERT_WRONG_USAGE: case ERROR_WINHTTP_AUTODETECTION_FAILED: return STATUS_NO_SECURITY_CONTEXT; case ERROR_WINHTTP_HEADER_COUNT_EXCEEDED: case ERROR_WINHTTP_HEADER_SIZE_OVERFLOW: case ERROR_WINHTTP_CHUNKED_ENCODING_HEADER_SIZE_OVERFLOW: case ERROR_WINHTTP_RESPONSE_DRAIN_OVERFLOW: return STATUS_BUFFER_OVERFLOW; case ERROR_WINHTTP_CLIENT_CERT_NO_PRIVATE_KEY: case ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY: return STATUS_INVALID_PARAMETER; case ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED_PROXY: return STATUS_NO_SECURITY_CONTEXT; case ERROR_WINHTTP_SECURE_FAILURE_PROXY: case ERROR_WINHTTP_RESERVED_189: case ERROR_WINHTTP_HTTP_PROTOCOL_MISMATCH: case ERROR_WINHTTP_GLOBAL_CALLBACK_FAILED: return STATUS_INVALID_PARAMETER; case ERROR_WINHTTP_FEATURE_DISABLED: case ERROR_WINHTTP_FAST_FORWARDING_NOT_SUPPORTED: return STATUS_NOT_SUPPORTED; } if ( WinhttpError < WINHTTP_ERROR_BASE || WinhttpError > ERROR_WINHTTP_FAST_FORWARDING_NOT_SUPPORTED ) { return PhDosErrorToNtStatus(WinhttpError); } return STATUS_UNSUCCESSFUL; } // // IPv4 and IPv6 // NTSTATUS PhIpv4AddressToString( _In_ PCIN_ADDR Address, _In_ USHORT Port, _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, _Inout_ PULONG AddressStringLength ) { return RtlIpv4AddressToStringEx(Address, Port, AddressString, AddressStringLength); } NTSTATUS PhIpv4StringToAddress( _In_ PCWSTR AddressString, _In_ BOOLEAN Strict, _Out_ PIN_ADDR Address, _Out_ PUSHORT Port ) { return RtlIpv4StringToAddressEx(AddressString, Strict, Address, Port); } NTSTATUS PhIpv6AddressToString( _In_ PCIN6_ADDR Address, _In_ ULONG ScopeId, _In_ USHORT Port, _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, _Inout_ PULONG AddressStringLength ) { return RtlIpv6AddressToStringEx(Address, ScopeId, Port, AddressString, AddressStringLength); } NTSTATUS PhIpv6StringToAddress( _In_ PCWSTR AddressString, _Out_ PIN6_ADDR Address, _Out_ PULONG ScopeId, _Out_ PUSHORT Port ) { return RtlIpv6StringToAddressEx(AddressString, Address, ScopeId, Port); } // // DOH // HINTERNET PhCreateDohConnectionHandle( _In_opt_ PCWSTR DnsServerAddress ) { static HINTERNET httpSessionHandle = NULL; static HINTERNET httpConnectionHandle = NULL; static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { NTSTATUS status; status = PhWinHttpOpen(&httpSessionHandle); if (NT_SUCCESS(status)) { if (WindowsVersion < WINDOWS_8_1) { PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_SECURE_PROTOCOLS, WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2); } else { PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_SECURE_PROTOCOLS, WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3); PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_DECOMPRESSION, WINHTTP_DECOMPRESSION_FLAG_GZIP | WINHTTP_DECOMPRESSION_FLAG_DEFLATE); if (WindowsVersion >= WINDOWS_10) { PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, WINHTTP_PROTOCOL_FLAG_HTTP2); //PhHttpSetOption(sessionHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, WINHTTP_PROTOCOL_FLAG_HTTP2 | WINHTTP_PROTOCOL_FLAG_HTTP3); } if (WindowsVersion >= WINDOWS_10_RS5) { PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_IPV6_FAST_FALLBACK, TRUE); PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_DISABLE_STREAM_QUEUE, TRUE); } if (WindowsVersion >= WINDOWS_11) { PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_DISABLE_GLOBAL_POOLING, TRUE); PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_TLS_FALSE_START, TRUE); PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_TCP_FAST_OPEN, TRUE); } if (WindowsVersion >= WINDOWS_11_24H2) { PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, WINHTTP_PROTOCOL_FLAG_HTTP2 | WINHTTP_PROTOCOL_FLAG_HTTP3); PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_HTTP3_HANDSHAKE_TIMEOUT, 5000); // 5 second timeout before reverting to HTTP2 } } PhHttpSetOption(httpSessionHandle, WINHTTP_OPTION_MAX_CONNS_PER_SERVER, 1); if (WindowsVersion >= WINDOWS_10) { httpConnectionHandle = WinHttpConnect( httpSessionHandle, DnsServerAddress ? DnsServerAddress : L"1.1.1.1", INTERNET_DEFAULT_HTTPS_PORT, 0 ); } } PhEndInitOnce(&initOnce); } if (WindowsVersion < WINDOWS_10) { httpConnectionHandle = WinHttpConnect( httpSessionHandle, DnsServerAddress ? DnsServerAddress : L"1.1.1.1", INTERNET_DEFAULT_HTTPS_PORT, 0 ); } return httpConnectionHandle; } HINTERNET PhCreateDohRequestHandle( _In_ HINTERNET HttpConnectionHandle ) { static PCWSTR httpAcceptTypes[2] = { L"application/dns-message", NULL }; HINTERNET httpRequestHandle; ULONG httpOptions; if (!(httpRequestHandle = WinHttpOpenRequest( HttpConnectionHandle, L"POST", L"/dns-query", NULL, WINHTTP_NO_REFERER, httpAcceptTypes, WINHTTP_FLAG_SECURE ))) { return NULL; } WinHttpAddRequestHeaders( httpRequestHandle, L"Content-Type: application/dns-message", ULONG_MAX, WINHTTP_ADDREQ_FLAG_ADD | WINHTTP_ADDREQ_FLAG_REPLACE ); if (WindowsVersion <= WINDOWS_8) { // Winhttp on Windows 7 doesn't correctly validate the certificate CN for connections using an IP address. (dmex) httpOptions = SECURITY_FLAG_IGNORE_CERT_CN_INVALID; WinHttpSetOption( httpRequestHandle, WINHTTP_OPTION_SECURITY_FLAGS, &httpOptions, sizeof(ULONG) ); } return httpRequestHandle; } PPH_STRING PhDnsReverseLookupNameFromAddress( _In_ ULONG Type, _In_ PVOID Address ) { #define IP4_REVERSE_DOMAIN_STRING_LENGTH (IP4_ADDRESS_STRING_LENGTH + sizeof(DNS_IP4_REVERSE_DOMAIN_STRING_W) + 1) #define IP6_REVERSE_DOMAIN_STRING_LENGTH (IP6_ADDRESS_STRING_LENGTH + sizeof(DNS_IP6_REVERSE_DOMAIN_STRING_W) + 1) switch (Type) { case PH_NETWORK_TYPE_IPV4: { static CONST PH_STRINGREF reverseLookupDomainName = PH_STRINGREF_INIT(DNS_IP4_REVERSE_DOMAIN_STRING); PIN_ADDR inAddrV4 = Address; PH_FORMAT format[9]; SIZE_T returnLength; WCHAR reverseNameBuffer[IP4_REVERSE_DOMAIN_STRING_LENGTH]; PhInitFormatU(&format[0], inAddrV4->s_impno); PhInitFormatC(&format[1], L'.'); PhInitFormatU(&format[2], inAddrV4->s_lh); PhInitFormatC(&format[3], L'.'); PhInitFormatU(&format[4], inAddrV4->s_host); PhInitFormatC(&format[5], L'.'); PhInitFormatU(&format[6], inAddrV4->s_net); PhInitFormatC(&format[7], L'.'); PhInitFormatSR(&format[8], reverseLookupDomainName); if (PhFormatToBuffer( format, RTL_NUMBER_OF(format), reverseNameBuffer, sizeof(reverseNameBuffer), &returnLength )) { PH_STRINGREF reverseNameString; reverseNameString.Buffer = reverseNameBuffer; reverseNameString.Length = returnLength - sizeof(UNICODE_NULL); return PhCreateString2(&reverseNameString); } else { return PhFormat(format, RTL_NUMBER_OF(format), IP4_REVERSE_DOMAIN_STRING_LENGTH); } } case PH_NETWORK_TYPE_IPV6: { static CONST PH_STRINGREF reverseLookupDomainName = PH_STRINGREF_INIT(DNS_IP6_REVERSE_DOMAIN_STRING); PIN6_ADDR inAddrV6 = Address; PH_STRING_BUILDER stringBuilder; // DNS_MAX_IP6_REVERSE_NAME_LENGTH PhInitializeStringBuilder(&stringBuilder, IP6_REVERSE_DOMAIN_STRING_LENGTH); for (LONG i = sizeof(IN6_ADDR) - 1; i >= 0; i--) { PH_FORMAT format[4]; SIZE_T returnLength; WCHAR reverseNameBuffer[IP6_REVERSE_DOMAIN_STRING_LENGTH]; PhInitFormatX(&format[0], inAddrV6->s6_addr[i] & 0xF); PhInitFormatC(&format[1], L'.'); PhInitFormatX(&format[2], (inAddrV6->s6_addr[i] >> 4) & 0xF); PhInitFormatC(&format[3], L'.'); if (PhFormatToBuffer( format, RTL_NUMBER_OF(format), reverseNameBuffer, sizeof(reverseNameBuffer), &returnLength )) { PhAppendStringBuilderEx( &stringBuilder, reverseNameBuffer, returnLength - sizeof(UNICODE_NULL) ); } else { PhAppendFormatStringBuilder( &stringBuilder, L"%hhx.%hhx.", inAddrV6->s6_addr[i] & 0xF, (inAddrV6->s6_addr[i] >> 4) & 0xF ); } } PhAppendStringBuilder(&stringBuilder, &reverseLookupDomainName); return PhFinalStringBuilderString(&stringBuilder); } default: return NULL; } } static typeof(&DnsQuery_W) DnsQuery_W_I = NULL; #if defined(PHNT_DNSQUERY_FUTURE) static typeof(&DnsQueryEx) DnsQueryEx_I = NULL; static typeof(&DnsCancelQuery) DnsCancelQuery_I = NULL; #endif static typeof(&DnsExtractRecordsFromMessage_W) DnsExtractRecordsFromMessage_W_I = NULL; static typeof(&DnsWriteQuestionToBuffer_W) DnsWriteQuestionToBuffer_W_I = NULL; static typeof(&DnsFree) DnsFree_I = NULL; static BOOLEAN PhDnsApiInitialized( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN initialized = FALSE; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"dnsapi.dll")) { DnsQuery_W_I = PhGetDllBaseProcedureAddress(baseAddress, "DnsQuery_W", 0); #if defined(PHNT_DNSQUERY_FUTURE) DnsQueryEx_I = PhGetDllBaseProcedureAddress(baseAddress, "DnsQueryEx", 0); DnsCancelQuery_I = PhGetDllBaseProcedureAddress(baseAddress, "DnsCancelQuery", 0); #endif DnsExtractRecordsFromMessage_W_I = PhGetDllBaseProcedureAddress(baseAddress, "DnsExtractRecordsFromMessage_W", 0); DnsWriteQuestionToBuffer_W_I = PhGetDllBaseProcedureAddress(baseAddress, "DnsWriteQuestionToBuffer_W", 0); DnsFree_I = PhGetDllBaseProcedureAddress(baseAddress, "DnsFree", 0); } if ( DnsQuery_W_I && #if defined(PHNT_DNSQUERY_FUTURE) DnsQueryEx_I && DnsCancelQuery_I && #endif DnsExtractRecordsFromMessage_W_I && DnsWriteQuestionToBuffer_W_I && DnsFree_I ) { initialized = TRUE; } PhEndInitOnce(&initOnce); } return initialized; } _Success_(return) static NTSTATUS PhCreateDnsMessageBuffer( _In_ PCWSTR Message, _In_ USHORT MessageType, _In_ USHORT MessageId, _Outptr_opt_result_maybenull_ PVOID* Buffer, _Out_opt_ ULONG* BufferLength ) { BOOLEAN status; ULONG dnsBufferLength; PDNS_MESSAGE_BUFFER dnsBuffer; dnsBufferLength = PAGE_SIZE; dnsBuffer = PhAllocate(dnsBufferLength); if (!(status = !!DnsWriteQuestionToBuffer_W_I( dnsBuffer, &dnsBufferLength, Message, MessageType, MessageId, TRUE ))) { PhFree(dnsBuffer); dnsBuffer = PhAllocate(dnsBufferLength); status = !!DnsWriteQuestionToBuffer_W_I( dnsBuffer, &dnsBufferLength, Message, MessageType, MessageId, TRUE ); } if (status) { if (Buffer) *Buffer = dnsBuffer; else PhFree(dnsBuffer); if (BufferLength) *BufferLength = dnsBufferLength; return STATUS_SUCCESS; } else { if (dnsBuffer) PhFree(dnsBuffer); return STATUS_UNSUCCESSFUL; } } _Success_(return) static NTSTATUS PhParseDnsMessageBuffer( _In_ USHORT Xid, _In_ PDNS_MESSAGE_BUFFER DnsReplyBuffer, _In_ ULONG DnsReplyBufferLength, _Outptr_opt_result_maybenull_ PVOID* DnsRecordList ) { DNS_STATUS status; PDNS_RECORD dnsRecordList = NULL; PDNS_HEADER dnsRecordHeader; if (DnsReplyBufferLength > USHRT_MAX) return STATUS_NO_MEMORY; // DNS_BYTE_FLIP_HEADER_COUNTS dnsRecordHeader = &DnsReplyBuffer->MessageHead; dnsRecordHeader->Xid = _byteswap_ushort(dnsRecordHeader->Xid); dnsRecordHeader->QuestionCount = _byteswap_ushort(dnsRecordHeader->QuestionCount); dnsRecordHeader->AnswerCount = _byteswap_ushort(dnsRecordHeader->AnswerCount); dnsRecordHeader->NameServerCount = _byteswap_ushort(dnsRecordHeader->NameServerCount); dnsRecordHeader->AdditionalCount = _byteswap_ushort(dnsRecordHeader->AdditionalCount); if (dnsRecordHeader->Xid != Xid) return STATUS_FAIL_CHECK; status = DnsExtractRecordsFromMessage_W_I( DnsReplyBuffer, (USHORT)DnsReplyBufferLength, &dnsRecordList ); //status == ERROR_SUCCESS //status == DNS_ERROR_RCODE_NAME_ERROR if (dnsRecordList) { if (DnsRecordList) *DnsRecordList = dnsRecordList; return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } // Cloudflare DNS over HTTPs (DoH) // https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat/ // host: cloudflare-dns.com // host: one.one.one.one // 1.1.1.1 // 1.0.0.1 // 2606:4700:4700::1111 // 2606:4700:4700::1001 // // Google DNS over HTTPs (DoH) // https://developers.google.com/speed/public-dns/docs/doh/ // host: dns.google // 8.8.4.4 // 8.8.8.8 // 2001:4860:4860::8888 // 2001:4860:4860::8844 // NTSTATUS PhHttpDnsQuery( _In_opt_ PCWSTR DnsServerAddress, _In_ PCWSTR DnsQueryMessage, _In_ USHORT DnsQueryMessageType, _Out_ PDNS_RECORD* DnsQueryRecord ) { static volatile USHORT seed = 0; NTSTATUS status; HINTERNET httpConnectionHandle = NULL; HINTERNET httpRequestHandle = NULL; PDNS_MESSAGE_BUFFER dnsSendBuffer = NULL; PDNS_MESSAGE_BUFFER dnsReceiveBuffer = NULL; PDNS_RECORD dnsRecordList = NULL; ULONG dnsSendBufferLength; ULONG dnsReceiveBufferLength; USHORT dnsQueryId; if (!PhDnsApiInitialized()) return STATUS_UNSUCCESSFUL; dnsQueryId = _InterlockedIncrement16(&seed); status = PhCreateDnsMessageBuffer( DnsQueryMessage, DnsQueryMessageType, dnsQueryId, &dnsSendBuffer, &dnsSendBufferLength ); if (!NT_SUCCESS(status)) goto CleanupExit; if (!(httpConnectionHandle = PhCreateDohConnectionHandle(DnsServerAddress))) goto CleanupExit; if (!(httpRequestHandle = PhCreateDohRequestHandle(httpConnectionHandle))) goto CleanupExit; if (!WinHttpSendRequest( httpRequestHandle, WINHTTP_NO_ADDITIONAL_HEADERS, 0, dnsSendBuffer, dnsSendBufferLength, dnsSendBufferLength, 0 )) { status = PhGetLastWinHttpErrorAsNtStatus(); goto CleanupExit; } if (!WinHttpReceiveResponse(httpRequestHandle, NULL)) { status = PhGetLastWinHttpErrorAsNtStatus(); goto CleanupExit; } #if DEBUG { ULONG option = 0; ULONG optionLength = sizeof(ULONG); if (WinHttpQueryOption( httpRequestHandle, WINHTTP_OPTION_HTTP_PROTOCOL_USED, &option, &optionLength )) { if (option & WINHTTP_PROTOCOL_FLAG_HTTP3) { dprintf("[DOH] %s", "HTTP3 socket\n"); } if (option & WINHTTP_PROTOCOL_FLAG_HTTP2) { dprintf("[DOH] %s", "HTTP2 socket\n"); } } } #endif status = PhHttpReadDataToBuffer( httpRequestHandle, &dnsReceiveBuffer, &dnsReceiveBufferLength ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhParseDnsMessageBuffer( dnsQueryId, dnsReceiveBuffer, dnsReceiveBufferLength, &dnsRecordList ); if (!NT_SUCCESS(status)) goto CleanupExit; CleanupExit: if (httpRequestHandle) WinHttpCloseHandle(httpRequestHandle); if (dnsReceiveBuffer) PhFree(dnsReceiveBuffer); if (dnsSendBuffer) PhFree(dnsSendBuffer); if (NT_SUCCESS(status)) { *DnsQueryRecord = dnsRecordList; } return status; } PDNS_RECORD PhDnsQuery( _In_opt_ PCWSTR DnsServerAddress, _In_ PCWSTR DnsQueryMessage, _In_ USHORT DnsQueryMessageType ) { NTSTATUS status; PDNS_RECORD dnsRecordList = NULL; if (!PhDnsApiInitialized()) return NULL; status = PhHttpDnsQuery( DnsServerAddress, DnsQueryMessage, DnsQueryMessageType, &dnsRecordList ); if (!NT_SUCCESS(status)) { if (DnsServerAddress) { IP4_ARRAY dnsServerAddressList; IN_ADDR dnsQueryServerAddressIpv4; USHORT dnsQueryServerAddressPort; status = RtlIpv4StringToAddressEx( DnsServerAddress, TRUE, &dnsQueryServerAddressIpv4, &dnsQueryServerAddressPort ); dnsServerAddressList.AddrCount = !!NT_SUCCESS(status); dnsServerAddressList.AddrArray[0] = dnsQueryServerAddressIpv4.s_addr; DnsQuery_W_I( DnsQueryMessage, DnsQueryMessageType, DNS_QUERY_BYPASS_CACHE | DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_NO_MULTICAST, &dnsServerAddressList, &dnsRecordList, NULL ); } else { DnsQuery_W_I( DnsQueryMessage, DnsQueryMessageType, DNS_QUERY_BYPASS_CACHE | DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_NO_MULTICAST, NULL, &dnsRecordList, NULL ); } } return dnsRecordList; } PDNS_RECORD PhDnsQuery2( _In_opt_ PCWSTR DnsServerAddress, _In_ PCWSTR DnsQueryMessage, _In_ USHORT DnsQueryMessageType, _In_ USHORT DnsQueryMessageOptions ) { PDNS_RECORD dnsRecordList = NULL; if (PhDnsApiInitialized()) { if (DnsServerAddress) { NTSTATUS status; IP4_ARRAY dnsServerAddressList; IN_ADDR dnsQueryServerAddressIpv4 = { 0 }; USHORT dnsQueryServerAddressPort = 0; status = RtlIpv4StringToAddressEx( DnsServerAddress, FALSE, &dnsQueryServerAddressIpv4, &dnsQueryServerAddressPort ); dnsServerAddressList.AddrCount = !!NT_SUCCESS(status); dnsServerAddressList.AddrArray[0] = dnsQueryServerAddressIpv4.s_addr; DnsQuery_W_I( DnsQueryMessage, DnsQueryMessageType, DNS_QUERY_BYPASS_CACHE | DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_NO_MULTICAST, &dnsServerAddressList, &dnsRecordList, NULL ); } else { DnsQuery_W_I( DnsQueryMessage, DnsQueryMessageType, DnsQueryMessageOptions | DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_NO_MULTICAST, NULL, &dnsRecordList, NULL ); } } return dnsRecordList; } VOID PhDnsFree( _In_ PDNS_RECORD DnsRecordList ) { if (!PhDnsApiInitialized()) return; DnsFree_I(DnsRecordList, DnsFreeRecordList); } #if defined(PHNT_DNSQUERY_FUTURE) typedef struct _PH_DNS_QUERY_CONTEXT { volatile LONG RefCount; DNS_QUERY_RESULT QueryResults; DNS_QUERY_CANCEL QueryCancelContext; HANDLE QueryCompletedEvent; PDNS_RECORD QueryRecords; } PH_DNS_QUERY_CONTEXT, *PPH_DNS_QUERY_CONTEXT; VOID PhDnsAddReferenceQueryContext( _Inout_ PPH_DNS_QUERY_CONTEXT QueryContext ) { InterlockedIncrement(&QueryContext->RefCount); } VOID PhDnsDeReferenceQueryContext( _Inout_ PPH_DNS_QUERY_CONTEXT* QueryContext ) { PPH_DNS_QUERY_CONTEXT dnsQueryContext = *QueryContext; if (InterlockedDecrement(&dnsQueryContext->RefCount) == 0) { if (dnsQueryContext->QueryCompletedEvent) { NtClose(dnsQueryContext->QueryCompletedEvent); } PhFree(dnsQueryContext); *QueryContext = NULL; } } NTSTATUS PhDnsAllocateQueryContext( _Out_ PPH_DNS_QUERY_CONTEXT* QueryContext ) { NTSTATUS status; PPH_DNS_QUERY_CONTEXT context; HANDLE eventHandle; status = PhCreateEvent( &eventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, FALSE ); if (!NT_SUCCESS(status)) return status; context = PhAllocateZero(sizeof(PH_DNS_QUERY_CONTEXT)); PhDnsAddReferenceQueryContext(context); context->QueryResults.Version = DNS_QUERY_RESULTS_VERSION1; context->QueryCompletedEvent = eventHandle; *QueryContext = context; return status; } NTSTATUS PhDnsCreateDnsServerList( _In_ PCWSTR AddressString, _Inout_ PDNS_ADDR_ARRAY DnsQueryServerList) { NTSTATUS status; IN_ADDR dnsQueryServerAddressIpv4; IN6_ADDR dnsQueryServerAddressIpv6; ULONG dnsQueryServerAddressScope; USHORT dnsQueryServerAddressPort; status = RtlIpv4StringToAddressEx( AddressString, TRUE, &dnsQueryServerAddressIpv4, &dnsQueryServerAddressPort ); if (NT_SUCCESS(status)) { memset(DnsQueryServerList, 0, sizeof(DNS_ADDR_ARRAY)); DnsQueryServerList->MaxCount = 1; DnsQueryServerList->AddrCount = 1; ((PSOCKADDR_IN)&DnsQueryServerList->AddrArray[0])->sin_family = AF_INET; ((PSOCKADDR_IN)&DnsQueryServerList->AddrArray[0])->sin_addr = dnsQueryServerAddressIpv4; return status; } status = RtlIpv6StringToAddressEx( AddressString, &dnsQueryServerAddressIpv6, &dnsQueryServerAddressScope, &dnsQueryServerAddressPort ); if (NT_SUCCESS(status)) { memset(DnsQueryServerList, 0, sizeof(DNS_ADDR_ARRAY)); DnsQueryServerList->MaxCount = 1; DnsQueryServerList->AddrCount = 1; ((PSOCKADDR_IN6)&DnsQueryServerList->AddrArray[0])->sin6_family = AF_INET6; ((PSOCKADDR_IN6)&DnsQueryServerList->AddrArray[0])->sin6_addr = dnsQueryServerAddressIpv6; return status; } return status; } // HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DohWellKnownServers NTSTATUS PhDnsCreateCustomDnsServerList( _In_ PCWSTR AddressString, _Inout_ DNS_CUSTOM_SERVER* DnsCustomServerList ) { NTSTATUS status; IN_ADDR dnsQueryServerAddressIpv4; IN6_ADDR dnsQueryServerAddressIpv6; ULONG dnsQueryServerAddressScope; USHORT dnsQueryServerAddressPort; memset(DnsCustomServerList, 0, sizeof(DNS_CUSTOM_SERVER)); DnsCustomServerList->dwServerType = DNS_CUSTOM_SERVER_TYPE_DOH; DnsCustomServerList->ullFlags = DNS_CUSTOM_SERVER_UDP_FALLBACK; DnsCustomServerList->pwszTemplate = L"https://cloudflare-dns.com/dns-query"; status = RtlIpv4StringToAddressEx( AddressString, TRUE, &dnsQueryServerAddressIpv4, &dnsQueryServerAddressPort ); if (NT_SUCCESS(status)) { DnsCustomServerList->ServerAddr.si_family = AF_INET; DnsCustomServerList->ServerAddr.Ipv4.sin_family = AF_INET; DnsCustomServerList->ServerAddr.Ipv4.sin_addr = dnsQueryServerAddressIpv4; return status; } status = RtlIpv6StringToAddressEx( AddressString, &dnsQueryServerAddressIpv6, &dnsQueryServerAddressScope, &dnsQueryServerAddressPort ); if (NT_SUCCESS(status)) { DnsCustomServerList->ServerAddr.si_family = AF_INET6; DnsCustomServerList->ServerAddr.Ipv6.sin6_family = AF_INET6; DnsCustomServerList->ServerAddr.Ipv6.sin6_addr = dnsQueryServerAddressIpv6; return status; } return status; } VOID WINAPI PhDnsQueryCompleteCallback( _In_ PVOID Context, _Inout_ PDNS_QUERY_RESULT QueryResults ) { PPH_DNS_QUERY_CONTEXT context = (PPH_DNS_QUERY_CONTEXT)Context; context->QueryRecords = QueryResults->pQueryRecords; //if (QueryResults->QueryStatus != ERROR_SUCCESS) //{ // dprintf("DnsQuery failed: %%lu\n", QueryResults->QueryStatus); //} // //if (QueryResults->pQueryRecords) //{ // DnsRecordListFree(QueryResults->pQueryRecords, DnsFreeRecordList); //} NtSetEvent(context->QueryCompletedEvent, NULL); PhDnsDeReferenceQueryContext(&context); } PDNS_RECORD PhDnsQuery3( _In_opt_ PCWSTR DnsServerAddress, _In_ PCWSTR DnsQueryMessage, _In_ USHORT DnsQueryMessageType, _In_ USHORT DnsQueryMessageOptions ) { ULONG status; PDNS_RECORD dnsQueryRecords = NULL; PPH_DNS_QUERY_CONTEXT dnsQueryContext = NULL; DNS_ADDR_ARRAY dnsQueryServerList; DNS_CUSTOM_SERVER dnsCustomServerList; DNS_QUERY_REQUEST3 dnsQueryRequest; LARGE_INTEGER timeout; status = PhDnsAllocateQueryContext(&dnsQueryContext); if (!NT_SUCCESS(status)) goto CleanupExit; memset(&dnsQueryRequest, 0, sizeof(dnsQueryRequest)); dnsQueryRequest.Version = WindowsVersion < WINDOWS_11_22H2 ? DNS_QUERY_REQUEST_VERSION1 : DNS_QUERY_REQUEST_VERSION3; dnsQueryRequest.QueryName = DnsQueryMessage; dnsQueryRequest.QueryType = DnsQueryMessageType; dnsQueryRequest.QueryOptions = (ULONG64)DnsQueryMessageOptions; dnsQueryRequest.pQueryContext = dnsQueryContext; dnsQueryRequest.pQueryCompletionCallback = PhDnsQueryCompleteCallback; if (DnsServerAddress) { { status = PhDnsCreateDnsServerList(DnsServerAddress, &dnsQueryServerList); if (!NT_SUCCESS(status)) goto CleanupExit; dnsQueryRequest.pDnsServerList = &dnsQueryServerList; } { status = PhDnsCreateCustomDnsServerList(DnsServerAddress, &dnsCustomServerList); if (!NT_SUCCESS(status)) goto CleanupExit; dnsQueryRequest.cCustomServers = 1; // PhFinalArrayCount() dnsQueryRequest.pCustomServers = &dnsCustomServerList; // PhFinalArrayItems() } } PhDnsAddReferenceQueryContext(dnsQueryContext); status = DnsQueryEx_I( (PDNS_QUERY_REQUEST)&dnsQueryRequest, &dnsQueryContext->QueryResults, &dnsQueryContext->QueryCancelContext ); if (status != DNS_REQUEST_PENDING) { PhDnsQueryCompleteCallback(dnsQueryContext, &dnsQueryContext->QueryResults); goto CleanupExit; } if (NtWaitForSingleObject( dnsQueryContext->QueryCompletedEvent, FALSE, PhTimeoutFromMilliseconds(&timeout, 5000) ) == WAIT_TIMEOUT) { DnsCancelQuery_I(&dnsQueryContext->QueryCancelContext); NtWaitForSingleObject( dnsQueryContext->QueryCompletedEvent, FALSE, PhTimeoutFromMilliseconds(&timeout, INFINITE) ); } CleanupExit: dnsQueryRecords = dnsQueryContext->QueryRecords; //if (dnsQueryContext->pQueryRecords) //{ // DnsRecordListFree(dnsQueryContext->pQueryRecords, DnsFreeRecordList); //} if (dnsQueryContext) { PhDnsDeReferenceQueryContext(&dnsQueryContext); } return dnsQueryRecords; } #endif ================================================ FILE: phlib/hvsocketcontrol.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023-2025 * */ #include #include #ifdef _WIN64 static const UNICODE_STRING HvSocketVmGroupSddlString = RTL_CONSTANT_STRING(L"D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;S-1-5-83-0)(A;;GA;;;S-1-15-3-1024-2268835264-3721307629-241982045-173645152-1490879176-104643441-2915960892-1612460704)"); static const UNICODE_STRING HvSocketSystemDevicePath = RTL_CONSTANT_STRING(L"\\Device\\HvSocketSystem"); // SDDL_DEVOBJ_SYS_ALL_ADM_ALL "D:P(A;;GA;;;SY)(A;;GA;;;BA)" static const UNICODE_STRING HvSocketSystemSymLink = RTL_CONSTANT_STRING(L"\\DosDevices\\HvSocketSystem"); static const UNICODE_STRING HvSocketVmGroupDevicePath = RTL_CONSTANT_STRING(L"\\Device\\HvSocket"); // HvSocketVmGroupSddlString static const UNICODE_STRING HvSocketVmGroupSymLink = RTL_CONSTANT_STRING(L"\\DosDevices\\HvSocket"); static const UNICODE_STRING HvSocketControlName = RTL_CONSTANT_STRING(L"HvSocketControl"); static const UNICODE_STRING HvSocketAddressInfoName = RTL_CONSTANT_STRING(L"AddressInfo"); static const UNICODE_STRING HvSocketControlFileName = RTL_CONSTANT_STRING(L"\\Device\\HvSocketSystem\\HvSocketControl"); static const OBJECT_ATTRIBUTES HvSocketSystemDeviceAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&HvSocketSystemDevicePath, 0); static const OBJECT_ATTRIBUTES HvSocketVmGroupDeviceAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&HvSocketVmGroupDevicePath, 0); static const OBJECT_ATTRIBUTES HvSocketControlAttributes = RTL_CONSTANT_OBJECT_ATTRIBUTES(&HvSocketControlFileName, 0); #define IOCTL_HVSOCKET_UPDATE_ADDRESS_INFO CTL_CODE(FILE_DEVICE_TRANSPORT, 0x1, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_HVSOCKET_UPDATE_PARTITION_PROPERTIES CTL_CODE(FILE_DEVICE_TRANSPORT, 0x2, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_HVSOCKET_UPDATE_SERVICE_INFO CTL_CODE(FILE_DEVICE_TRANSPORT, 0x3, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_HVSOCKET_GET_SERVICE_INFO CTL_CODE(FILE_DEVICE_TRANSPORT, 0x4, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_HVSOCKET_UPDATE_SERVICE_TABLE CTL_CODE(FILE_DEVICE_TRANSPORT, 0x5, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_HVSOCKET_UPDATE_PROVIDER_PROPERTIES CTL_CODE(FILE_DEVICE_TRANSPORT, 0x6, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_HVSOCKET_GET_PARTITION_LISTENERS CTL_CODE(FILE_DEVICE_TRANSPORT, 0x7, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_HVSOCKET_GET_PARTITION_CONNECTIONS CTL_CODE(FILE_DEVICE_TRANSPORT, 0x8, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define HVSOCKET_SYSTEM_PATH_LENGTH (sizeof(L"\\Device\\HvSocketSystem") /* \\ */ + sizeof(L"AddressInfo") /* \\ */ + sizeof(L"{00000000-0000-0000-0000-000000000000}")) NTSTATUS PhHvSocketOpenSystemControl( _Out_ PHANDLE SystemHandle, _In_opt_ const GUID* VmId ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; if (VmId) { #if defined(PHNT_USE_NATIVE_APPEND) UNICODE_STRING systemPath; UNICODE_STRING guidString; OBJECT_ATTRIBUTES objectAttributes; BYTE buffer[HVSOCKET_SYSTEM_PATH_LENGTH]; RtlInitEmptyUnicodeString(&systemPath, (PWCHAR)buffer, sizeof(buffer)); status = RtlAppendUnicodeStringToString(&systemPath, &HvSocketSystemDevicePath); if (!NT_SUCCESS(status)) return status; status = RtlAppendUnicodeToString(&systemPath, L"\\"); if (!NT_SUCCESS(status)) return status; status = RtlAppendUnicodeStringToString(&systemPath, &HvSocketAddressInfoName); if (!NT_SUCCESS(status)) return status; status = RtlAppendUnicodeToString(&systemPath, L"\\"); if (!NT_SUCCESS(status)) return status; status = RtlStringFromGUID((PGUID)VmId, &guidString); if (!NT_SUCCESS(status)) return status; status = RtlAppendUnicodeStringToString(&systemPath, &guidString); RtlFreeUnicodeString(&guidString); if (!NT_SUCCESS(status)) return status; #else PPH_STRING gidString; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; PH_STRINGREF stringRef; SIZE_T returnLength; PH_FORMAT format[5]; WCHAR formatBuffer[0x100]; if (!(gidString = PhFormatGuid((PGUID)VmId))) return STATUS_NO_MEMORY; PhInitFormatUCS(&format[0], &HvSocketSystemDevicePath); PhInitFormatSR(&format[1], PhNtPathSeparatorString); PhInitFormatUCS(&format[2], &HvSocketAddressInfoName); PhInitFormatSR(&format[3], PhNtPathSeparatorString); PhInitFormatSR(&format[4], gidString->sr); if (!PhFormatToBuffer(format, 1, formatBuffer, sizeof(formatBuffer), &returnLength)) { PhDereferenceObject(gidString); return STATUS_NO_MEMORY; } PhDereferenceObject(gidString); stringRef.Length = returnLength - sizeof(UNICODE_NULL); stringRef.Buffer = formatBuffer; if (!PhStringRefToUnicodeString(&stringRef, &objectName)) return STATUS_NAME_TOO_LONG; #endif InitializeObjectAttributes( &objectAttributes, &objectName, 0, NULL, NULL ); status = NtCreateFile( SystemHandle, FILE_READ_ACCESS | FILE_WRITE_ACCESS | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_CREATE, // required by hvsocketcontrol.sys FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); } else { status = NtCreateFile( SystemHandle, FILE_READ_ACCESS | FILE_WRITE_ACCESS | SYNCHRONIZE, &HvSocketControlAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_CREATE, // required by hvsocketcontrol.sys FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); } return status; } NTSTATUS PhHvSocketGetListeners( _In_ HANDLE SystemHandle, _In_ const GUID* VmId, _In_opt_ PHVSOCKET_LISTENERS Listeners, _In_ ULONG ListenersLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; RtlZeroMemory(&ioStatusBlock, sizeof(IO_STATUS_BLOCK)); status = NtDeviceIoControlFile( SystemHandle, NULL, NULL, NULL, &ioStatusBlock, IOCTL_HVSOCKET_GET_PARTITION_LISTENERS, (PVOID)VmId, sizeof(GUID), Listeners, ListenersLength ); if (ReturnLength) { *ReturnLength = (ULONG)ioStatusBlock.Information; } return status; } NTSTATUS PhHvSocketGetConnections( _In_ HANDLE SystemHandle, _In_ const GUID* VmId, _In_opt_ PHVSOCKET_CONNECTIONS Connections, _In_ ULONG ConnectionsLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; RtlZeroMemory(&ioStatusBlock, sizeof(IO_STATUS_BLOCK)); status = NtDeviceIoControlFile( SystemHandle, NULL, NULL, NULL, &ioStatusBlock, IOCTL_HVSOCKET_GET_PARTITION_CONNECTIONS, (PVOID)VmId, sizeof(GUID), Connections, ConnectionsLength ); if (ReturnLength) { *ReturnLength = (ULONG)ioStatusBlock.Information; } return status; } NTSTATUS PhHvSocketGetServiceInfo( _In_ HANDLE SystemHandle, _In_ const GUID* ServiceId, _Out_ PHVSOCKET_SERVICE_INFO ServiceInfo ) { // // This can bug check the system (jxy-s) // //IO_STATUS_BLOCK ioStatusBlock; // //return NtDeviceIoControlFile( // SystemHandle, // NULL, // NULL, // NULL, // &ioStatusBlock, // IOCTL_HVSOCKET_GET_SERVICE_INFO, // (PVOID)ServiceId, // sizeof(GUID), // ServiceInfo, // sizeof(HVSOCKET_SERVICE_INFO) // ); UNREFERENCED_PARAMETER(SystemHandle); UNREFERENCED_PARAMETER(ServiceId); UNREFERENCED_PARAMETER(ServiceInfo); return STATUS_NOT_IMPLEMENTED; } #endif // _WIN64 BOOLEAN PhHvSocketIsVSockTemplate( _In_ PGUID ServiceId ) { GUID template = *ServiceId; template.Data1 = 0; return !!IsEqualGUID(&template, &HV_GUID_VSOCK_TEMPLATE); } _Maybenull_ PPH_STRING PhHvSocketGetVmName( _In_ PGUID VmId ) { static const PH_STRINGREF hvComputeSystemKey = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\HostComputeService\\VolatileStore\\ComputeSystem\\"); static const PH_STRINGREF trimSet = PH_STRINGREF_INIT(L"{}"); PPH_STRING vmName = NULL; PPH_STRING guidString; PH_STRINGREF guidStringTrimmed; PPH_STRING keyName; HANDLE keyHandle; guidString = PhFormatGuid(VmId); guidStringTrimmed = guidString->sr; PhTrimStringRef(&guidStringTrimmed, &trimSet, 0); keyName = PhConcatStringRef2(&hvComputeSystemKey, &guidStringTrimmed); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_QUERY_VALUE, PH_KEY_LOCAL_MACHINE, &keyName->sr, 0 ))) { PPH_STRING value; if (value = PhQueryRegistryStringZ(keyHandle, L"VmName")) PhMoveReference(&vmName, value); else if (value = PhQueryRegistryStringZ(keyHandle, L"VmId")) PhMoveReference(&vmName, value); else PhMoveReference(&vmName, PhCreateString3(&guidStringTrimmed, PH_STRING_UPPER_CASE, NULL)); NtClose(keyHandle); } PhDereferenceObject(keyName); PhDereferenceObject(guidString); return vmName; } _Maybenull_ PPH_STRING PhHvSocketGetServiceName( _In_ PGUID ServiceId ) { static const PH_STRINGREF hvGuestServicesKey = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Virtualization\\GuestCommunicationServices\\"); static const PH_STRINGREF trimSet = PH_STRINGREF_INIT(L"{}"); PPH_STRING serviceName = NULL; PPH_STRING guidString; PH_STRINGREF guidStringTrimmed; PPH_STRING keyName; HANDLE keyHandle; guidString = PhFormatGuid(ServiceId); guidStringTrimmed = guidString->sr; PhTrimStringRef(&guidStringTrimmed, &trimSet, 0); keyName = PhConcatStringRef2(&hvGuestServicesKey, &guidStringTrimmed); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_QUERY_VALUE, PH_KEY_LOCAL_MACHINE, &keyName->sr, 0 ))) { PPH_STRING elementName; if (elementName = PhQueryRegistryStringZ(keyHandle, L"ElementName")) PhMoveReference(&serviceName, elementName); NtClose(keyHandle); } // Keep this after element name lookup. Certain services define the VSOCK // template with a specific port (e.g. Docker). (jxy-s) if (!serviceName && PhHvSocketIsVSockTemplate(ServiceId)) PhMoveReference(&serviceName, PhCreateString(L"VSOCK")); PhDereferenceObject(keyName); PhDereferenceObject(guidString); return serviceName; } PPH_STRING PhHvSocketAddressString( _In_ PGUID Address ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PPH_STRING wildcardString; static PPH_STRING broadcastString; static PPH_STRING childrenString; static PPH_STRING loopbackString; static PPH_STRING hostString; static PPH_STRING siloHostString; PPH_STRING addressString = NULL; if (PhBeginInitOnce(&initOnce)) { wildcardString = PhCreateString(L"*"); broadcastString = PhCreateString(L"Broadcast"); childrenString = PhCreateString(L"Children"); loopbackString = PhCreateString(L"Loopback"); hostString = PhCreateString(L"Host"); siloHostString = PhCreateString(L"Silo Host"); PhEndInitOnce(&initOnce); } if (IsEqualGUID(Address, &HV_GUID_WILDCARD)) return PhReferenceObject(wildcardString); if (IsEqualGUID(Address, &HV_GUID_BROADCAST)) return PhReferenceObject(broadcastString); if (IsEqualGUID(Address, &HV_GUID_CHILDREN)) return PhReferenceObject(childrenString); if (IsEqualGUID(Address, &HV_GUID_LOOPBACK)) return PhReferenceObject(loopbackString); if (IsEqualGUID(Address, &HV_GUID_PARENT)) return PhReferenceObject(hostString); if (IsEqualGUID(Address, &HV_GUID_SILOHOST)) return PhReferenceObject(siloHostString); return PhFormatGuid(Address); } ================================================ FILE: phlib/icotobmp.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2023 * */ #include #include #include #include // code from http://msdn.microsoft.com/en-us/library/bb757020.aspx typedef HPAINTBUFFER (WINAPI* _BeginBufferedPaint)( _In_ HDC hdcTarget, _In_ const RECT *prcTarget, _In_ BP_BUFFERFORMAT dwFormat, _In_ BP_PAINTPARAMS *pPaintParams, _Out_ HDC *phdc ); typedef HRESULT (WINAPI* _EndBufferedPaint)( _In_ HPAINTBUFFER hBufferedPaint, _In_ BOOL fUpdateTarget ); typedef HRESULT (WINAPI* _GetBufferedPaintBits)( _In_ HPAINTBUFFER hBufferedPaint, _Out_ RGBQUAD **ppbBuffer, _Out_ int *pcxRow ); static BOOLEAN ImportsInitialized = FALSE; static _BeginBufferedPaint BeginBufferedPaint_I = NULL; static _EndBufferedPaint EndBufferedPaint_I = NULL; static _GetBufferedPaintBits GetBufferedPaintBits_I = NULL; static HBITMAP PhpCreateBitmap32( _In_ HDC hdc, _In_ LONG Width, _In_ LONG Height, _Out_ PVOID *Bits ) { BITMAPINFO bitmapInfo; memset(&bitmapInfo, 0, sizeof(BITMAPINFO)); bitmapInfo.bmiHeader.biSize = sizeof(BITMAPINFOHEADER); bitmapInfo.bmiHeader.biWidth = Width; bitmapInfo.bmiHeader.biHeight = Height; bitmapInfo.bmiHeader.biPlanes = 1; bitmapInfo.bmiHeader.biBitCount = 32; bitmapInfo.bmiHeader.biCompression = BI_RGB; bitmapInfo.bmiHeader.biSizeImage = Width * Height; return CreateDIBSection(hdc, &bitmapInfo, DIB_RGB_COLORS, Bits, NULL, 0); } static BOOLEAN PhpHasAlpha( _In_ PULONG Argb, _In_ LONG Width, _In_ LONG Height, _In_ ULONG RowWidth ) { ULONG delta; ULONG x; ULONG y; delta = RowWidth - Width; for (y = Width; y; y--) { for (x = Height; x; x--) { if (*Argb++ & 0xff000000) return TRUE; } Argb += delta; } return FALSE; } static VOID PhpConvertToPArgb32( _In_ HDC hdc, _Inout_ PULONG Argb, _In_ HBITMAP Bitmap, _In_ LONG Width, _In_ LONG Height, _In_ ULONG RowWidth ) { BITMAPINFO bitmapInfo; PVOID bits; memset(&bitmapInfo, 0, sizeof(BITMAPINFO)); bitmapInfo.bmiHeader.biSize = sizeof(BITMAPINFOHEADER); bitmapInfo.bmiHeader.biWidth = Width; bitmapInfo.bmiHeader.biHeight = Height; bitmapInfo.bmiHeader.biPlanes = 1; bitmapInfo.bmiHeader.biBitCount = 32; bitmapInfo.bmiHeader.biCompression = BI_RGB; bitmapInfo.bmiHeader.biSizeImage = Width * Height; bits = PhAllocate(Width * sizeof(RGBQUAD) * Height); if (GetDIBits(hdc, Bitmap, 0, Height, bits, &bitmapInfo, DIB_RGB_COLORS) == Height) { PULONG argbMask; ULONG delta; ULONG x; ULONG y; argbMask = (PULONG)bits; delta = RowWidth - Width; for (y = Height; y; y--) { for (x = Width; x; x--) { if (*argbMask++) { *Argb++ = 0; // transparent } else { *Argb++ |= 0xff000000; // opaque } } Argb += delta; } } PhFree(bits); } static VOID PhpConvertToPArgb32IfNeeded( _In_ HPAINTBUFFER PaintBuffer, _In_ HDC hdc, _In_ HICON Icon, _In_ LONG Width, _In_ LONG Height ) { RGBQUAD *quad; ULONG rowWidth; if (SUCCEEDED(GetBufferedPaintBits_I(PaintBuffer, &quad, &rowWidth))) { PULONG argb = (PULONG)quad; if (!PhpHasAlpha(argb, Width, Height, rowWidth)) { ICONINFO iconInfo; if (GetIconInfo(Icon, &iconInfo)) { if (iconInfo.hbmMask) { PhpConvertToPArgb32(hdc, argb, iconInfo.hbmMask, Width, Height, rowWidth); DeleteBitmap(iconInfo.hbmMask); } DeleteBitmap(iconInfo.hbmColor); } } } } HBITMAP PhIconToBitmap( _In_ HICON Icon, _In_ LONG Width, _In_ LONG Height ) { HBITMAP bitmap; RECT iconRectangle; HDC screenHdc; PVOID bits; HDC hdc; HBITMAP oldBitmap; BLENDFUNCTION blendFunction = { AC_SRC_OVER, 0, 255, AC_SRC_ALPHA }; BP_PAINTPARAMS paintParams = { sizeof(paintParams) }; HDC bufferHdc; HPAINTBUFFER bufferedPaint; iconRectangle.left = 0; iconRectangle.top = 0; iconRectangle.right = Width; iconRectangle.bottom = Height; if (!ImportsInitialized) { PVOID uxtheme; uxtheme = PhLoadLibrary(L"uxtheme.dll"); BeginBufferedPaint_I = PhGetDllBaseProcedureAddress(uxtheme, "BeginBufferedPaint", 0); EndBufferedPaint_I = PhGetDllBaseProcedureAddress(uxtheme, "EndBufferedPaint", 0); GetBufferedPaintBits_I = PhGetDllBaseProcedureAddress(uxtheme, "GetBufferedPaintBits", 0); ImportsInitialized = TRUE; } if (!BeginBufferedPaint_I || !EndBufferedPaint_I || !GetBufferedPaintBits_I) { // Probably XP. screenHdc = GetDC(NULL); hdc = CreateCompatibleDC(screenHdc); bitmap = CreateCompatibleBitmap(screenHdc, Width, Height); ReleaseDC(NULL, screenHdc); oldBitmap = SelectObject(hdc, bitmap); FillRect(hdc, &iconRectangle, (HBRUSH)(COLOR_WINDOW + 1)); DrawIconEx(hdc, 0, 0, Icon, Width, Height, 0, NULL, DI_NORMAL); SelectObject(hdc, oldBitmap); DeleteDC(hdc); return bitmap; } hdc = CreateCompatibleDC(NULL); bitmap = PhpCreateBitmap32(hdc, Width, Height, &bits); oldBitmap = SelectBitmap(hdc, bitmap); paintParams.dwFlags = BPPF_ERASE; paintParams.pBlendFunction = &blendFunction; if (bufferedPaint = BeginBufferedPaint_I(hdc, &iconRectangle, BPBF_DIB, &paintParams, &bufferHdc)) { DrawIconEx(bufferHdc, 0, 0, Icon, Width, Height, 0, NULL, DI_NORMAL); // If the icon did not have an alpha channel, we need to convert the buffer to PARGB. PhpConvertToPArgb32IfNeeded(bufferedPaint, hdc, Icon, Width, Height); // This will write the buffer contents to the destination bitmap. EndBufferedPaint_I(bufferedPaint, TRUE); } else { // Default to unbuffered painting. FillRect(hdc, &iconRectangle, (HBRUSH)(COLOR_WINDOW + 1)); DrawIconEx(hdc, 0, 0, Icon, Width, Height, 0, NULL, DI_NORMAL); } SelectBitmap(hdc, oldBitmap); DeleteDC(hdc); return bitmap; } // based on BufferedPaintSetAlpha/BufferedPaintMakeOpaque (dmex) VOID PhBitmapSetAlpha( _In_ PVOID Bits, _In_ LONG Width, _In_ LONG Height ) { ULONG count = Width * Height; //RGBQUAD* quad = (RGBQUAD*)Bits; // //for (ULONG i = 0; i < count; i++) //{ // if (quad[i].rgbBlue != 0 || quad[i].rgbGreen != 0 || quad[i].rgbRed != 0) // { // quad[i].rgbReserved = 255; // opaque // } //} for (ULONG i = 0; i < count; i++) { if (((PULONG)Bits)[i] != 0) { ((PULONG)Bits)[i] |= 0xff000000; // opaque } } } ================================================ FILE: phlib/imgcoherency.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2020-2022 * dmex 2021-2023 * */ #include #include #include #define PH_IMGCOHERENCY_NORMAL_SCAN_LIMIT (40 * (1024 * 1024)) // 40Mib #define PH_IMGCOHERENCY_QUICK_SCAN_LIMIT (PAGE_SIZE * 2) #define PH_IMGCOHERENCY_MIN_ENTRY_INSPECT (PAGE_SIZE * 2) /** * Image coherency context, used during the calculation of the process * image coherency. */ typedef struct _PH_IMAGE_COHERENCY_CONTEXT { PH_IMAGE_COHERENCY_SCAN_TYPE Type; /**< Type of scan to perform */ SIZE_T CoherentBytes; /**< Updated during inspection, coherent bytes */ SIZE_T TotalBytes; /**< Updated during inspection, total bytes analyzed */ SIZE_T SkippedBytes; /**< Bytes skipped during inspection */ NTSTATUS MappedImageStatus; /**< Status of initializing MappedImage */ PH_MAPPED_IMAGE MappedImage; /**< On-disk image mapping */ PPH_HASHTABLE MappedImageReloc; /**< On-disk mapped image relocations table */ ULONG MappedImageBaseRva; /**< On-disk optional header image base RVA. */ ULONG MappedImageIatRva; /**< On-disk import address table RVA */ ULONG MappedImageIatSize; /**< On-disk import address table size */ NTSTATUS RemoteMappedImageStatus; /**< Status of initializing RemoteMappedImage */ PH_REMOTE_MAPPED_IMAGE RemoteMappedImage; /**< Remote image mapping */ PVOID RemoteImageBase; /**< Remote image base address */ SIZE_T RemoteImageSize; /**< Remote image size */ BOOLEAN ImageIsKernelModule; } PH_IMAGE_COHERENCY_CONTEXT, *PPH_IMAGE_COHERENCY_CONTEXT; /** * Inspection skip callback type. * * \param[in] Rva - Current rva in the range being inspected. * \param[in] Context - Context supplied to this callback. * \return Number of bytes to skip, 0 does not skip bytes. */ typedef _Function_class_(PH_IMGCOHERENCY_SKIP_BYTE_CALLBACK) ULONG CALLBACK PH_IMGCOHERENCY_SKIP_BYTE_CALLBACK( _In_ ULONG Rva, _In_opt_ PVOID Context ); typedef PH_IMGCOHERENCY_SKIP_BYTE_CALLBACK *PPH_IMGCOHERENCY_SKIP_BYTE_CALLBACK; /** * Retrieves the size of the section to scan given the scan type. * * \param[in] Type - Image coherency scan type. * \param[in] SectionHeader - Image section header. * \return Amount of the section to scan given the scan type. */ ULONG PhpGetSectionScanSize( _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _In_ PIMAGE_SECTION_HEADER SectionHeader ) { ULONG size; size = min(SectionHeader->SizeOfRawData, SectionHeader->Misc.VirtualSize); switch (Type) { case PhImageCoherencyQuick: { if (size > PH_IMGCOHERENCY_QUICK_SCAN_LIMIT) { size = PH_IMGCOHERENCY_QUICK_SCAN_LIMIT; } } break; case PhImageCoherencyNormal: { if (size > PH_IMGCOHERENCY_NORMAL_SCAN_LIMIT) { size = PH_IMGCOHERENCY_NORMAL_SCAN_LIMIT; } } break; case PhImageCoherencyFull: default: break; } return size; } /** * Determines if the section should be scanned given the scan type. * * \param[in] Type - Image coherency scan type. * \param[in] SectionHeader - Section header to inspect. * \return TRUE if the section should be scanned for the given scan type, FALSE otherwise. */ BOOLEAN PhpShouldScanSection( _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _In_ PIMAGE_SECTION_HEADER SectionHeader ) { switch (Type) { case PhImageCoherencyQuick: case PhImageCoherencyNormal: case PhImageCoherencyFull: { if ((SectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0) { // // Anything marked execute. // return TRUE; } } break; } return FALSE; } /** * Frees the image coherency context. * * \param[in] Context - Context to free, may be NULL. */ VOID PhpFreeImageCoherencyContext( _In_opt_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { if (Context) { PhUnloadMappedImage(&Context->MappedImage); PhUnloadRemoteMappedImage(&Context->RemoteMappedImage); if (Context->MappedImageReloc) PhDereferenceObject(Context->MappedImageReloc); PhFree(Context); } } static NTSTATUS NTAPI PhImageCoherencyRelocationCallback( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DATA_DIRECTORY DataDirectory, _In_ PIMAGE_BASE_RELOCATION RelocationDirectory, _In_ PIMAGE_RELOCATION_RECORD Relocations, _In_ ULONG RelocationCount, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { for (ULONG i = 0; i < RelocationCount; i++) { PIMAGE_RELOCATION_RECORD entry = &Relocations[i]; __try { PhMappedImageProbe(MappedImage, entry, sizeof(IMAGE_RELOCATION_RECORD)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } if ( (entry->Type != IMAGE_REL_BASED_ABSOLUTE) && (entry->Type != IMAGE_REL_BASED_RESERVED) ) { PVOID rva = PTR_ADD_OFFSET(RelocationDirectory->VirtualAddress, entry->Offset); if (entry->Type == IMAGE_REL_BASED_DIR64) { PhAddItemSimpleHashtable(Context->MappedImageReloc, rva, UlongToPtr(8)); } else { // // For now, we're just going to do a 4 byte skip for // all other relocations. This could probably use some // work for higher accuracy. // PhAddItemSimpleHashtable(Context->MappedImageReloc, rva, UlongToPtr(4)); } } } return STATUS_SUCCESS; } static NTSTATUS NTAPI PhImageCoherencyDynamicRelocationCallback( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PPH_IMAGE_DYNAMIC_RELOC_ENTRY Entry, _In_opt_ PVOID Context ) { PPH_IMAGE_COHERENCY_CONTEXT context = Context; ULONG_PTR rva = 0; ULONG_PTR size = 0; if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_ARM64X) { rva = (ULONG_PTR)Entry->ARM64X.BlockRva + Entry->ARM64X.RecordFixup.Offset; switch (Entry->ARM64X.RecordFixup.Type) { case IMAGE_DVRT_ARM64X_FIXUP_TYPE_ZEROFILL: case IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE: size = (ULONG_PTR)(1ull << Entry->ARM64X.RecordFixup.Size); break; case IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA: size = 4; break; } } else if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER) { rva = (ULONG_PTR)Entry->ImportControl.BlockRva + Entry->ImportControl.Record.PageRelativeOffset; // // 48 FF 15 XX XX XX XX call qword ptr [_imp_] // 0F 1F 44 00 00 nop // size = 12; } else if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER) { rva = (ULONG_PTR)Entry->ARM64ImportControl.BlockRva + (Entry->ARM64ImportControl.Record.PageRelativeOffset << 2); // // ARM64 instructions are fixed 4 bytes // Either BR or BLR instruction for indirect call/jump // size = 4; } else if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE) { rva = (ULONG_PTR)Entry->RFPrologue.BlockRva; // // Prologue size is variable, specified in PrologueByteCount // size = Entry->RFPrologue.PrologueByteCount; } else if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE) { rva = (ULONG_PTR)Entry->RFEpilogue.BlockRva; // // Epilogue size is variable // Total size = EpilogueByteCount + (BranchDescriptorElementSize * BranchDescriptorCount) + bitmap // size = (ULONG_PTR)Entry->RFEpilogue.EpilogueByteCount + ((ULONG_PTR)Entry->RFEpilogue.BranchDescriptorElementSize * Entry->RFEpilogue.BranchDescriptorCount) + ((Entry->RFEpilogue.BranchDescriptorCount + 7) / 8); } else if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER) { rva = (ULONG_PTR)Entry->IndirControl.BlockRva + Entry->IndirControl.Record.PageRelativeOffset; size = 12; } else if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH) { rva = (ULONG_PTR)Entry->SwitchBranch.BlockRva + Entry->SwitchBranch.Record.PageRelativeOffset; // // FF D0 jmp rax // CC CC CC int 3 // size = 5; } else if (Entry->Symbol == IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE) { rva = (ULONG_PTR)Entry->FuncOverride.BlockRva + Entry->FuncOverride.Record.Offset; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) size = 4; else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) size = 8; } else { // // This should only be absolute, skipping others. // if (Entry->Other.Record.Type == IMAGE_REL_BASED_ABSOLUTE) { rva = (ULONG_PTR)Entry->Other.BlockRva + Entry->Other.Record.Offset; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) size = 4; else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) size = 8; } } if (rva && size) PhAddItemSimpleHashtable(context->MappedImageReloc, (PVOID)rva, (PVOID)size); return STATUS_SUCCESS; } _Function_class_(PH_READ_VIRTUAL_MEMORY_CALLBACK) static NTSTATUS PhImageCoherencyReadVirtualMemoryCallback( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead, _In_opt_ PVOID Context ) { PPH_IMAGE_COHERENCY_CONTEXT context = (PPH_IMAGE_COHERENCY_CONTEXT)Context; if (!context) return STATUS_INVALID_PARAMETER_6; if (context->ImageIsKernelModule) return KphReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferSize, NumberOfBytesRead); return PhReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferSize, NumberOfBytesRead); } /** * Created the image coherency context. This is done best-effort and * the status is stored in the context. * * \param[in] Type - Image coherency scan type. * \param[in] FileName - Win32 file name of the image to inspect. * \param[in] ProcessHandle - Handle to process to inspect. Requires * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ. * \param[in] RemoteImageBase - Remove image base address, optional. * \param[in] RemoteImageSize - Remove image size, optional. * \param[in] RemoteImageBaseStatus - If RemoteImageBase is null, this is stored * in the context instead of attempting to map the image. * \param[in] ReadVirtualMemoryCallback - Callback to use to read virtual memory. * \return Pointer to newly allocated image coherency context, or NULL on * allocation failure. The created context must be passed to * PhpFreeImageCoherencyContext to free. */ PPH_IMAGE_COHERENCY_CONTEXT PhpCreateImageCoherencyContext( _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _In_ PPH_STRING FileName, _In_ HANDLE ProcessHandle, _In_opt_ PVOID RemoteImageBase, _In_opt_ SIZE_T RemoteImageSize, _In_ NTSTATUS RemoteImageBaseStatus, _In_ BOOLEAN ImageIsKernelModule ) { PPH_IMAGE_COHERENCY_CONTEXT context; // // This is best-effort context creation, we don't fail if the mapping // fails - the caller of the API may make decisions based on success of // each // context = PhAllocateZero(sizeof(PH_IMAGE_COHERENCY_CONTEXT)); context->Type = Type; context->ImageIsKernelModule = ImageIsKernelModule; if (NT_SUCCESS(RemoteImageBaseStatus)) { context->RemoteImageBase = RemoteImageBase; context->RemoteImageSize = RemoteImageSize; // // Map the on-disk image // context->MappedImageStatus = PhLoadMappedImageEx( &FileName->sr, NULL, &context->MappedImage ); if (NT_SUCCESS(context->MappedImageStatus)) { PIMAGE_DATA_DIRECTORY directory; PhMappedImagePrefetch(&context->MappedImage); // // Build a hash table for the relocation entries to skip later. // This hash table will map the RVA to the number of bytes to skip. // context->MappedImageReloc = PhCreateSimpleHashtable(50); context->MappedImageStatus = PhMappedImageEnumerateRelocations( &context->MappedImage, PhImageCoherencyRelocationCallback, context ); PhMappedImageEnumerateDynamicRelocations( &context->MappedImage, PhImageCoherencyDynamicRelocationCallback, context ); if (NT_SUCCESS(PhGetMappedImageDataDirectory( &context->MappedImage, IMAGE_DIRECTORY_ENTRY_IAT, &directory ))) { context->MappedImageIatRva = directory->VirtualAddress; context->MappedImageIatSize = directory->Size; } if (context->MappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PVOID address; address = &context->MappedImage.NtHeaders32->OptionalHeader.ImageBase; context->MappedImageBaseRva = PtrToUlong(PTR_SUB_OFFSET(address, context->MappedImage.ViewBase)); } else if (context->MappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PVOID address; address = &context->MappedImage.NtHeaders->OptionalHeader.ImageBase; context->MappedImageBaseRva = PtrToUlong(PTR_SUB_OFFSET(address, context->MappedImage.ViewBase)); } else { context->MappedImageBaseRva = 0; } } // // Map the remote image // context->RemoteMappedImageStatus = PhInitializeRemoteMappedImage( &context->RemoteMappedImage, PhImageCoherencyReadVirtualMemoryCallback, context ); if (NT_SUCCESS(context->RemoteMappedImageStatus)) { context->RemoteMappedImageStatus = PhLoadRemoteMappedImage( &context->RemoteMappedImage, ProcessHandle, context->RemoteImageBase, context->RemoteImageSize ); } } else { context->RemoteMappedImageStatus = RemoteImageBaseStatus; } return context; } /** * Inspects two buffers and adds them to the coherency calculation. * * \param[in] LeftBuffer - First buffer to inspect. * \param[in] LeftCount - Number of bytes in the first buffer. * \param[in] RightBuffer - Second buffer to inspect. * \param[in] RightCount - Number of bytes in the second buffer. * \param[in,out] Context - Context to be updated during inspection. * \param[in] Rva - RVA from which the buffers were retrieved, informs skip callback. * \param[in] SkipCallback - Optional, if provided the skip callback is invoked * for each inspected byte, the callback may return any number of bytes to skip. * \param[in] SkipCallbackContext - Optional, callback context passed to the skip callback. */ NTSTATUS PhpAnalyzeImageCoherencyInspect( _In_opt_ PBYTE LeftBuffer, _In_ ULONG LeftCount, _In_opt_ PBYTE RightBuffer, _In_ ULONG RightCount, _Inout_ PPH_IMAGE_COHERENCY_CONTEXT Context, _In_opt_ ULONG Rva, _In_opt_ PPH_IMGCOHERENCY_SKIP_BYTE_CALLBACK SkipCallback, _In_opt_ PVOID SkipCallbackContext ) { NTSTATUS status = STATUS_SUCCESS; // // For the minimum bytes between the buffers increment the coherent bytes // for each match. // if (LeftBuffer && RightBuffer) { ULONG length = min(LeftCount, RightCount); for (ULONG i = 0; i < length; i++) { if (SkipCallback) { ULONG skip = SkipCallback(Rva + i, SkipCallbackContext); if (skip != 0) { ULONG remaining = length - i; ULONG effectiveSkip = (skip > remaining) ? remaining : skip; Context->CoherentBytes += effectiveSkip; Context->SkippedBytes += effectiveSkip; Context->TotalBytes += effectiveSkip; i += effectiveSkip; continue; } } Context->TotalBytes++; __try { if (LeftBuffer[i] == RightBuffer[i]) { Context->CoherentBytes++; } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); break; } } } // // Buffers of mismatched sizes are incoherent over mismatched range. // Include any diff in the total bytes. // if (LeftCount > RightCount) { Context->TotalBytes += ((SIZE_T)LeftCount - (SIZE_T)RightCount); } else if (LeftCount < RightCount) { Context->TotalBytes += ((SIZE_T)RightCount - (SIZE_T)LeftCount); } return status; } /** * Analyzes the image coherency as if it were a native application. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Rva - Relative virtual address to inspect. * \param[in] Size - Size of data to inspect from the RVA. * \param[in] Context - Image coherency context. * \param[in] SkipCallback - Optional skip callback used to skip analysis. * \param[in] SkipCallbackContext - Context passed to the skip callback. */ VOID PhpAnalyzeImageCoherencyCommonByRva( _In_ HANDLE ProcessHandle, _In_ ULONG Rva, _In_ ULONG Size, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context, _In_opt_ PPH_IMGCOHERENCY_SKIP_BYTE_CALLBACK SkipCallback, _In_opt_ PVOID SkipCallbackContext ) { NTSTATUS status; BYTE buffer[PAGE_SIZE]; ULONG remainingBytes; ULONG chunk; PBYTE fileBytes; SIZE_T bytesRead; SIZE_T remainingView; SIZE_T bytes; ULONG rva; remainingBytes = Size; rva = Rva; while (remainingBytes > 0) { chunk = PAGE_SIZE; if (chunk > remainingBytes) { chunk = remainingBytes; } // // Try to read the remote process // if (!NT_SUCCESS(PhImageCoherencyReadVirtualMemoryCallback( ProcessHandle, PTR_ADD_OFFSET(Context->RemoteImageBase, rva), buffer, chunk, &bytesRead, Context ))) { // // Force 0, we'll handle this below // bytesRead = 0; } fileBytes = PhMappedImageRvaToVa(&Context->MappedImage, rva, NULL); if (fileBytes) { // // Calculate the remaining view from the VA // remainingView = (SIZE_T)PTR_SUB_OFFSET(Context->MappedImage.ViewSize, PTR_SUB_OFFSET(fileBytes, Context->MappedImage.ViewBase)); } else { // // Force 0, we'll handle this below // remainingView = 0; } // // We will cast to ULONG below, should never have over PAGE_SIZE here. // bytes = __min(bytesRead, remainingView); assert(bytes <= PAGE_SIZE); // // Do the inspection, clamp the bytes to the minimum // status = PhpAnalyzeImageCoherencyInspect( fileBytes, (ULONG)bytes, buffer, (ULONG)bytes, Context, rva, SkipCallback, SkipCallbackContext ); if (!NT_SUCCESS(status)) break; rva += chunk; remainingBytes -= chunk; } } /** * Analyzes the image coherency as if it were a native application. And expects * certain bytes over the range, used for code cave scanning. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Rva - Relative virtual address to inspect. * \param[in] Size - Size of data to inspect from the RVA. * \param[in] Context - Image coherency context. * \param[in] ExpectedByte - Expected byte in the entire range. */ VOID PhpAnalyzeImageCoherencyCommonByRvaExpectBytes( _In_ HANDLE ProcessHandle, _In_ ULONG Rva, _In_ ULONG Size, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context, _In_ BYTE ExpectedByte ) { NTSTATUS status; BYTE buffer[PAGE_SIZE]; BYTE expected[PAGE_SIZE]; ULONG remainingBytes; ULONG chunk; SIZE_T bytesRead; ULONG rva; remainingBytes = Size; rva = Rva; RtlFillMemory(expected, PAGE_SIZE, ExpectedByte); while (remainingBytes > 0) { chunk = PAGE_SIZE; if (chunk > remainingBytes) { chunk = remainingBytes; } // // Try to read the remote process // if (NT_SUCCESS(PhImageCoherencyReadVirtualMemoryCallback( ProcessHandle, PTR_ADD_OFFSET(Context->RemoteImageBase, rva), buffer, chunk, &bytesRead, Context ))) { assert(bytesRead <= PAGE_SIZE); // // Do the inspection // status = PhpAnalyzeImageCoherencyInspect( expected, (ULONG)bytesRead, buffer, (ULONG)bytesRead, Context, rva, NULL, NULL ); if (!NT_SUCCESS(status)) break; } rva += chunk; remainingBytes -= chunk; } } /** * Skip bytes callback to skip bytes during inspection. * * \param[in] Rva - Current rva in the range being inspected. * \param[in] Context - Relocation skip context. * \return Number of bytes to skip, 0 otherwise. */ _Function_class_(PH_IMGCOHERENCY_SKIP_BYTE_CALLBACK) ULONG CALLBACK PhpImgCoherencySkip( _In_ ULONG Rva, _In_ PVOID Context ) { PPH_IMAGE_COHERENCY_CONTEXT context; PVOID* entry; context = (PPH_IMAGE_COHERENCY_CONTEXT)Context; if (context->MappedImageBaseRva && (context->MappedImageBaseRva == Rva)) { if (context->MappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) return RTL_FIELD_SIZE(IMAGE_OPTIONAL_HEADER32, ImageBase); else if (context->MappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) return RTL_FIELD_SIZE(IMAGE_OPTIONAL_HEADER64, ImageBase); else return 0; } if (context->MappedImageReloc) { // // Look up the RVA in our hash table, if we find one we will skip the // number of bytes stored in the hash table for that entry. // entry = PhFindItemSimpleHashtable(context->MappedImageReloc, PTR_ADD_OFFSET(NULL, Rva)); if (entry) return PtrToUlong(*entry); } if (context->MappedImageIatRva && (context->MappedImageIatRva == Rva)) { // // Skip over the import address table. // return context->MappedImageIatSize; } return 0; } /** * Analyzes the image coherency as if it were a native application. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Context - Image coherency context. */ VOID PhpAnalyzeImageCoherencyCommonAsNative( _In_ HANDLE ProcessHandle, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { ULONG addressOfEntry = 0; PIMAGE_SECTION_HEADER entrySection; switch (Context->MappedImage.Magic) { case IMAGE_NT_OPTIONAL_HDR32_MAGIC: addressOfEntry = Context->MappedImage.NtHeaders32->OptionalHeader.AddressOfEntryPoint; break; case IMAGE_NT_OPTIONAL_HDR64_MAGIC: addressOfEntry = Context->MappedImage.NtHeaders->OptionalHeader.AddressOfEntryPoint; break; default: break; } if (addressOfEntry != 0) entrySection = PhMappedImageRvaToSection(&Context->MappedImage, addressOfEntry); else entrySection = NULL; // // Here we will inspect each executable section. // for (USHORT i = 0; i < __max(Context->MappedImage.NumberOfSections, Context->RemoteMappedImage.NumberOfSections); i++) { if ((i < Context->MappedImage.NumberOfSections) && (i < Context->RemoteMappedImage.NumberOfSections)) { PIMAGE_SECTION_HEADER mappedSection; PIMAGE_SECTION_HEADER remoteMappedSection; mappedSection = &Context->MappedImage.Sections[i]; remoteMappedSection = &Context->RemoteMappedImage.Sections[i]; if (PhpShouldScanSection(Context->Type, mappedSection) || PhpShouldScanSection(Context->Type, remoteMappedSection)) { ULONG size; SIZE_T prevTotal; SIZE_T bytesInspected; SIZE_T prevSkipped; SIZE_T bytesSkipped; size = PhpGetSectionScanSize(Context->Type, mappedSection); prevTotal = Context->TotalBytes; prevSkipped = Context->SkippedBytes; PhpAnalyzeImageCoherencyCommonByRva( ProcessHandle, mappedSection->VirtualAddress, size, Context, PhpImgCoherencySkip, Context ); bytesInspected = (Context->TotalBytes - prevTotal); bytesSkipped = (Context->SkippedBytes - prevSkipped); if (entrySection == mappedSection) { ULONG length; // // Make sure we scanned enough of the entry point. // If not, force scan that part. // length = __min(entrySection->SizeOfRawData, entrySection->Misc.VirtualSize); length -= (addressOfEntry - entrySection->VirtualAddress); if (length > PH_IMGCOHERENCY_MIN_ENTRY_INSPECT) { length = PH_IMGCOHERENCY_MIN_ENTRY_INSPECT; } if ((bytesInspected + bytesSkipped) < (((ULONGLONG)addressOfEntry - entrySection->VirtualAddress) + length)) { PhpAnalyzeImageCoherencyCommonByRva( ProcessHandle, addressOfEntry, length, Context, PhpImgCoherencySkip, Context ); } } // // If we're doing a full scan, inspect for possible code caves // beyond on-disk content. // If VirtualAddress is greater than SizeOfRawData the loader // will zero initialize the bytes to extend the mapping. // If there is non-zero content here someone has written // into the code cave. // if ((Context->Type == PhImageCoherencyFull) && ((mappedSection->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0) && (mappedSection->Misc.VirtualSize > mappedSection->SizeOfRawData)) { PhpAnalyzeImageCoherencyCommonByRvaExpectBytes( ProcessHandle, mappedSection->VirtualAddress + mappedSection->SizeOfRawData, mappedSection->Misc.VirtualSize - mappedSection->SizeOfRawData, Context, 0x00 ); } } } else { // // There are a mismatched number of sections // Inflate the total bytes // if (i < Context->MappedImage.NumberOfSections) { Context->TotalBytes += __min(Context->MappedImage.Sections[i].SizeOfRawData, Context->MappedImage.Sections[i].Misc.VirtualSize); } else { Context->TotalBytes += __min(Context->RemoteMappedImage.Sections[i].SizeOfRawData, Context->RemoteMappedImage.Sections[i].Misc.VirtualSize); } } } } /** * Analyzes the image coherency as if it were a managed (.NET) application. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Context - Image coherency context. */ VOID PhpAnalyzeImageCoherencyCommonAsManaged( _In_ HANDLE ProcessHandle, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_COR20_HEADER dotNet; // // We will check for coherency across two blocks here // 1. The COR20 header // 2. The .NET Meta Data // // // Get the COM32 directory bytes // if (!NT_SUCCESS(PhGetMappedImageDataDirectory( &Context->MappedImage, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &dataDirectory ))) { return; } // // Inspect the COR20 header // PhpAnalyzeImageCoherencyCommonByRva( ProcessHandle, dataDirectory->VirtualAddress, dataDirectory->Size, Context, NULL, NULL ); // // Get the .NET MetaData // dotNet = PhMappedImageRvaToVa(&Context->MappedImage, dataDirectory->VirtualAddress, NULL); if (!dotNet || (dotNet->MetaData.Size == 0) || !dotNet->MetaData.VirtualAddress) { return; } // // Inspect the .NET MetaData // PhpAnalyzeImageCoherencyCommonByRva( ProcessHandle, dotNet->MetaData.VirtualAddress, dotNet->MetaData.Size, Context, NULL, NULL ); } /** * Checks if the image is a .NET application. * * \param[in] Context - Image coherency context. * * \return TRUE if the image is a .NET application, FALSE otherwise. */ BOOLEAN PhpAnalyzeImageCoherencyIsDotNet ( _In_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_COR20_HEADER dotNet; PULONG dotNetMagic; // // Get the com descriptor directly, if it doesn't exist it isn't .NET // if (!NT_SUCCESS(PhGetMappedImageDataDirectory( &Context->MappedImage, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &dataDirectory ))) { return FALSE; } // // Check for the COR20 header // dotNet = PhMappedImageRvaToVa( &Context->MappedImage, dataDirectory->VirtualAddress, NULL ); if (!dotNet || (dotNet->cb != sizeof(IMAGE_COR20_HEADER))) { return FALSE; } dotNetMagic = PhMappedImageRvaToVa( &Context->MappedImage, dotNet->MetaData.VirtualAddress, NULL ); // // If we can locate the magic number and it equal the .NET magic then we // are reasonably confident it is .NET. // return (dotNetMagic && *dotNetMagic == 0x424A5342); } /** * Common analysis for image coherency. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Context - Image coherency context. */ VOID PhpAnalyzeImageCoherencyCommon( _In_ HANDLE ProcessHandle, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { // // Loop over the number of sections and include them in the calculation // for (USHORT i = 0; i < __max(Context->MappedImage.NumberOfSections, Context->RemoteMappedImage.NumberOfSections); i++) { if ((i < Context->MappedImage.NumberOfSections) && (i < Context->RemoteMappedImage.NumberOfSections)) { PhpAnalyzeImageCoherencyInspect( (PBYTE)&Context->MappedImage.Sections[i], IMAGE_SIZEOF_SECTION_HEADER, (PBYTE)&Context->RemoteMappedImage.Sections[i], IMAGE_SIZEOF_SECTION_HEADER, Context, 0, NULL, NULL ); } else { // // There are a mismatched number of sections // Inflate the total bytes // Context->TotalBytes += IMAGE_SIZEOF_SECTION_HEADER; } } // // If we detect the on-disk image is a .NET application use the managed // path, this will assume the remote image is a .NET app, if it isn't // we'll detect lots of incoherent bytes. // // Otherwise use the native path and inspect by the supplied RVAs // if (PhpAnalyzeImageCoherencyIsDotNet(Context)) PhpAnalyzeImageCoherencyCommonAsManaged(ProcessHandle, Context); else PhpAnalyzeImageCoherencyCommonAsNative(ProcessHandle, Context); } /** * Analyzes image coherency for 32 bit images. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Context - Image coherency context. * * \return Success status or failure. */ NTSTATUS PhpAnalyzeImageCoherencyNt32( _In_ HANDLE ProcessHandle, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { PIMAGE_OPTIONAL_HEADER32 fileOptHeader; PIMAGE_OPTIONAL_HEADER32 procOptHeader; fileOptHeader = (PIMAGE_OPTIONAL_HEADER32)&Context->MappedImage.NtHeaders32->OptionalHeader; procOptHeader = (PIMAGE_OPTIONAL_HEADER32)&Context->RemoteMappedImage.NtHeaders32->OptionalHeader; // // Inspect the header // PhpAnalyzeImageCoherencyInspect( (PBYTE)Context->MappedImage.NtHeaders32, UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader), (PBYTE)Context->RemoteMappedImage.NtHeaders32, UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader), Context, PtrToUlong(PTR_SUB_OFFSET(Context->MappedImage.NtHeaders32, Context->MappedImage.ViewBase)), PhpImgCoherencySkip, Context ); // // Inspect the optional header // PhpAnalyzeImageCoherencyInspect( (PBYTE)fileOptHeader, sizeof(IMAGE_OPTIONAL_HEADER32), (PBYTE)procOptHeader, sizeof(IMAGE_OPTIONAL_HEADER32), Context, PtrToUlong(PTR_SUB_OFFSET(fileOptHeader, Context->MappedImage.ViewBase)), PhpImgCoherencySkip, Context ); // // Do the common inspection // PhpAnalyzeImageCoherencyCommon(ProcessHandle, Context); if (fileOptHeader->CheckSum != procOptHeader->CheckSum) { return STATUS_INVALID_IMAGE_HASH; } return STATUS_SUCCESS; } /** * Analyzes image coherency for 64 bit images. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Context - Image coherency context. * * \return Success status or failure. */ NTSTATUS PhpAnalyzeImageCoherencyNt64( _In_ HANDLE ProcessHandle, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context ) { PIMAGE_OPTIONAL_HEADER64 fileOptHeader; PIMAGE_OPTIONAL_HEADER64 procOptHeader; fileOptHeader = (PIMAGE_OPTIONAL_HEADER64)&Context->MappedImage.NtHeaders->OptionalHeader; procOptHeader = (PIMAGE_OPTIONAL_HEADER64)&Context->RemoteMappedImage.NtHeaders->OptionalHeader; // // Inspect the header // PhpAnalyzeImageCoherencyInspect( (PBYTE)Context->MappedImage.NtHeaders, UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader), (PBYTE)Context->RemoteMappedImage.NtHeaders, UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader), Context, PtrToUlong(PTR_SUB_OFFSET(Context->MappedImage.NtHeaders, Context->MappedImage.ViewBase)), PhpImgCoherencySkip, Context ); // // Inspect the optional header // PhpAnalyzeImageCoherencyInspect( (PBYTE)fileOptHeader, sizeof(IMAGE_OPTIONAL_HEADER64), (PBYTE)procOptHeader, sizeof(IMAGE_OPTIONAL_HEADER64), Context, PtrToUlong(PTR_SUB_OFFSET(fileOptHeader, Context->MappedImage.ViewBase)), PhpImgCoherencySkip, Context ); // // Do the common inspection // PhpAnalyzeImageCoherencyCommon(ProcessHandle, Context); if (fileOptHeader->CheckSum != procOptHeader->CheckSum) { // // The optional header checksum doesn't match the in memory checksum // return status to reflect that. We could inflate the TotalBytes here // but choose not. // return STATUS_INVALID_IMAGE_HASH; } return STATUS_SUCCESS; } /** * Inspects the process image coherency compared to the file on disk. * * \param[in] ProcessHandle - Handle to the process requires PROCESS_VM_READ. * \param[in] Context - Image coherency context. * \param[out] ImageCoherency Image coherency value between 0 and 1. This * indicates how similar the image on-disk is compared to what is mapped into * the process. A value of 1 means coherent while a value lower than 1 * indicates how incoherent the image is. * * \return Status indicating the coherency calculation, note errors may indicate * partial success. * STATUS_SUCCESS The coherency calculation was successful. * STATUS_INVALID_IMAGE_HASH The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_INVALID_IMAGE_FORMAT The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_SUBSYSTEM_NOT_PRESENT The coherency calculation was successful or * partially successful and unusually incoherent. * All other errors are failures to calculate. */ NTSTATUS PhpInspectForImageCoherency( _In_ HANDLE ProcessHandle, _In_ PPH_IMAGE_COHERENCY_CONTEXT Context, _Out_ PFLOAT ImageCoherency ) { NTSTATUS status; // // Creating the coherency context is best-effort and will store the status // in the context. We can infer some state if one fails, do so here. // if (!NT_SUCCESS(Context->MappedImageStatus) || !NT_SUCCESS(Context->RemoteMappedImageStatus)) { if (NT_SUCCESS(Context->RemoteMappedImageStatus) && ((Context->MappedImageStatus == STATUS_INVALID_IMAGE_FORMAT) || (Context->MappedImageStatus == STATUS_INVALID_IMAGE_HASH) || (Context->MappedImageStatus == STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT))) { // // If we succeeded to map the remote image but the on-disk image // is inherently incoherent, return the status from the on-disk // mapping. // status = Context->MappedImageStatus; } else { // // If we failed for any other reason, return the error from the // remote mapping. // status = Context->RemoteMappedImageStatus; } goto CleanupExit; } if (Context->MappedImage.Magic != Context->RemoteMappedImage.Magic) { // // The image types don't match. This is incoherent but we have one more // case to check. .NET can change this in the loaded PE to run "AnyCPU" // in some cases, if it's a .NET mapping do the managed calculation. // if (PhpAnalyzeImageCoherencyIsDotNet(Context)) PhpAnalyzeImageCoherencyCommonAsManaged(ProcessHandle, Context); status = STATUS_INVALID_IMAGE_FORMAT; goto CleanupExit; } switch (Context->MappedImage.Magic) { case IMAGE_NT_OPTIONAL_HDR32_MAGIC: status = PhpAnalyzeImageCoherencyNt32(ProcessHandle, Context); break; case IMAGE_NT_OPTIONAL_HDR64_MAGIC: status = PhpAnalyzeImageCoherencyNt64(ProcessHandle, Context); break; default: { // // Not supporting ELF for WSL yet. Note however, if the image type // is mismatched above we will still reflect that // (e.g. ELF<->non-ELF). But we don't yet support coherency checks // for ELF<->ELF. The remote image mapping should be updated to // handle remote mapping ELF. // status = STATUS_NOT_IMPLEMENTED; } break; } CleanupExit: if (Context->TotalBytes) *ImageCoherency = (FLOAT)Context->CoherentBytes / (FLOAT)Context->TotalBytes; else *ImageCoherency = 0.0f; return status; } /** * Inspects a module image coherency compared to the file on disk. * * \param[in] FileName Win32 path to the image file on disk. * \param[in] ProcessHandle - Handle to the process where the module is mapped * requires PROCESS_VM_READ. * \param[in] RemoteImageBase - Base address of the image. * \param[in] RemoteImageSize - Size of the image. * \param[in] RemoteImageBaseStatus - If RemoteImageBase is null, this is stored * in the context instead of attempting to map the image. * \param[in] IsKernelModule - Notes if this is a kernel module. * \param[in] Type - Image coherency scan type. * \param[out] ImageCoherency Image coherency value between 0 and 1. This * indicates how similar the image on-disk is compared to what is mapped into * the process. A value of 1 means coherent while a value lower than 1 * indicates how incoherent the image is. * * \return Status indicating the coherency calculation, note errors may indicate * partial success. * STATUS_SUCCESS The coherency calculation was successful. * STATUS_INVALID_IMAGE_HASH The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_INVALID_IMAGE_FORMAT The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_SUBSYSTEM_NOT_PRESENT The coherency calculation was successful or * partially successful and unusually incoherent. * All other errors are failures to calculate. */ NTSTATUS PhpGetModuleCoherency( _In_ PPH_STRING FileName, _In_ HANDLE ProcessHandle, _In_opt_ PVOID RemoteImageBase, _In_opt_ SIZE_T RemoteImageSize, _In_ NTSTATUS RemoteImageBaseStatus, _In_ BOOLEAN IsKernelModule, _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _Out_ PFLOAT ImageCoherency ) { NTSTATUS status; *ImageCoherency = 0.0f; if (Type == PhImageCoherencySharedOriginal) { SIZE_T numberOfPages; SIZE_T numberOfTamperedPages; if (!RemoteImageBase || RemoteImageSize < PAGE_SIZE) return STATUS_INVALID_PARAMETER; status = PhCheckImagePagesForTampering( ProcessHandle, RemoteImageBase, RemoteImageSize, &numberOfPages, &numberOfTamperedPages ); if (NT_SUCCESS(status)) { *ImageCoherency = (FLOAT)(numberOfPages - numberOfTamperedPages) / (FLOAT)numberOfPages; } } else { PPH_IMAGE_COHERENCY_CONTEXT context; context = PhpCreateImageCoherencyContext( Type, FileName, ProcessHandle, RemoteImageBase, RemoteImageSize, RemoteImageBaseStatus, IsKernelModule ); status = PhpInspectForImageCoherency(ProcessHandle, context, ImageCoherency); PhpFreeImageCoherencyContext(context); } return status; } /** * Inspects the process image coherency compared to the file on disk. * * \param[in] FileName Win32 path to the image file on disk. * \param[in] ProcessId Process ID of the active process to compare to. * \param[in] Type - Image coherency scan type. * \param[out] ImageCoherency Image coherency value between 0 and 1. This * indicates how similar the image on-disk is compared to what is mapped into * the process. A value of 1 means coherent while a value lower than 1 * indicates how incoherent the image is. * * \return Status indicating the coherency calculation, note errors may indicate * partial success. * STATUS_SUCCESS The coherency calculation was successful. * STATUS_INVALID_IMAGE_HASH The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_INVALID_IMAGE_FORMAT The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_SUBSYSTEM_NOT_PRESENT The coherency calculation was successful or * partially successful and unusually incoherent. * All other errors are failures to calculate. */ NTSTATUS PhGetProcessImageCoherency( _In_ PPH_STRING FileName, _In_ HANDLE ProcessId, _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _Out_ PFLOAT ImageCoherency ) { NTSTATUS status; HANDLE processHandle; PVOID remoteImageBase; PVOID imageBase; SIZE_T imageSize; remoteImageBase = NULL; imageBase = NULL; imageSize = 0; *ImageCoherency = 0.0f; // Try to get a handle with query information + vm read access. if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ProcessId ))) { // Try to get a handle with query limited information + vm read access. if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessId ))) { processHandle = NULL; goto CleanupExit; } } // // Get the remote image base // status = PhGetProcessImageBaseAddress(processHandle, &remoteImageBase); if (NT_SUCCESS(status)) { status = PhGetProcessMappedImageBaseFromAddress( processHandle, remoteImageBase, &imageBase, &imageSize ); } if (NT_SUCCESS(status)) { status = PhpGetModuleCoherency( FileName, processHandle, imageBase, imageSize, status, FALSE, Type, ImageCoherency ); } CleanupExit: if (processHandle) { NtClose(processHandle); } return status; } /** * Inspects a module image coherency compared to the file on disk. * * \param[in] FileName Win32 path to the image file on disk. * \param[in] ProcessHandle - Handle to the process where the module is mapped * requires PROCESS_VM_READ. * \param[in] ImageBaseAddress - Base address of the image. * \param[in] ImageSize - Size of the image. * \param[in] IsKernelModule - Notes if this is a kernel module. * \param[in] Type - Image coherency scan type. * \param[out] ImageCoherency Image coherency value between 0 and 1. This * indicates how similar the image on-disk is compared to what is mapped into * the process. A value of 1 means coherent while a value lower than 1 * indicates how incoherent the image is. * * \return Status indicating the coherency calculation, note errors may indicate * partial success. * STATUS_SUCCESS The coherency calculation was successful. * STATUS_INVALID_IMAGE_HASH The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_INVALID_IMAGE_FORMAT The coherency calculation was successful or * partially successful and unusually incoherent. * STATUS_SUBSYSTEM_NOT_PRESENT The coherency calculation was successful or * partially successful and unusually incoherent. * All other errors are failures to calculate. */ NTSTATUS PhGetProcessModuleImageCoherency( _In_ PPH_STRING FileName, _In_ HANDLE ProcessHandle, _In_ PVOID ImageBaseAddress, _In_ SIZE_T ImageSize, _In_ BOOLEAN IsKernelModule, _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _Out_ PFLOAT ImageCoherency ) { return PhpGetModuleCoherency( FileName, ProcessHandle, ImageBaseAddress, ImageSize, STATUS_SUCCESS, IsKernelModule, Type, ImageCoherency ); } /** * \brief Checks the image pages for tampering. * * \details Checkout out or blog for more info: * https://windows-internals.com/understanding-a-new-mitigation-module-tampering-protection/ * * \param[in] ProcessHandle - Handle to the process where the module is mapped. * \param[in] BaseAddress - Base address of the image pages to check. * \param[in] SizeOfImage - Size of the image to check. * \param[out] NumberOfPages - Number of pages checked. * \param[out] NumberOfTamperedPages - Number of tampered pages. * * \return Successful or errant status. */ NTSTATUS PhCheckImagePagesForTampering( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T SizeOfImage, _Out_ PSIZE_T NumberOfPages, _Out_ PSIZE_T NumberOfTamperedPages ) { NTSTATUS status; SIZE_T numberOfPages; ULONG_PTR virtualAddress; MEMORY_WORKING_SET_EX_INFORMATION* info; SIZE_T i; *NumberOfPages = 0; *NumberOfTamperedPages = 0; numberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES(BaseAddress, SizeOfImage); virtualAddress = (ULONG_PTR)PAGE_ALIGN(BaseAddress); if (!numberOfPages) return STATUS_INVALID_PARAMETER; info = PhAllocatePage(numberOfPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION), NULL); if (!info) return STATUS_NO_MEMORY; for (i = 0; i < numberOfPages; i++) { info[i].VirtualAddress = (PVOID)virtualAddress; virtualAddress += PAGE_SIZE; } status = NtQueryVirtualMemory( ProcessHandle, NULL, MemoryWorkingSetExInformation, info, numberOfPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *NumberOfPages = numberOfPages; for (i = 0; i < numberOfPages; i++) { PMEMORY_WORKING_SET_EX_BLOCK page = &info[i].VirtualAttributes; if (!page->SharedOriginal) { (*NumberOfTamperedPages)++; } } } PhFreePage(info); return status; } ================================================ FILE: phlib/include/apiimport.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015-2016 * dmex 2017-2024 * */ #ifndef _PH_APIIMPORT_H #define _PH_APIIMPORT_H #include #include #include #include #include #include EXTERN_C_START #define PH_DECLARE_IMPORT(Name) typeof(&(Name)) Name##_Import(VOID) // Ntdll PH_DECLARE_IMPORT(NtQueryInformationEnlistment); PH_DECLARE_IMPORT(NtQueryInformationResourceManager); PH_DECLARE_IMPORT(NtQueryInformationTransaction); PH_DECLARE_IMPORT(NtQueryInformationTransactionManager); PH_DECLARE_IMPORT(NtCreateProcessStateChange); PH_DECLARE_IMPORT(NtChangeProcessState); PH_DECLARE_IMPORT(NtCreateThreadStateChange); PH_DECLARE_IMPORT(NtChangeThreadState); PH_DECLARE_IMPORT(NtCopyFileChunk); PH_DECLARE_IMPORT(NtCompareObjects); PH_DECLARE_IMPORT(NtCreateTimer2); PH_DECLARE_IMPORT(NtSetTimer2); PH_DECLARE_IMPORT(NtSetInformationVirtualMemory); PH_DECLARE_IMPORT(LdrSystemDllInitBlock); PH_DECLARE_IMPORT(LdrResFindResource); PH_DECLARE_IMPORT(LdrResSearchResource); PH_DECLARE_IMPORT(RtlDefaultNpAcl); PH_DECLARE_IMPORT(RtlDelayExecution); PH_DECLARE_IMPORT(RtlDeriveCapabilitySidsFromName); PH_DECLARE_IMPORT(RtlDosLongPathNameToNtPathName_U_WithStatus); PH_DECLARE_IMPORT(RtlGetTokenNamedObjectPath); PH_DECLARE_IMPORT(RtlGetAppContainerNamedObjectPath); PH_DECLARE_IMPORT(RtlGetAppContainerSidType); PH_DECLARE_IMPORT(RtlGetAppContainerParent); PH_DECLARE_IMPORT(PssNtCaptureSnapshot); PH_DECLARE_IMPORT(PssNtQuerySnapshot); PH_DECLARE_IMPORT(PssNtFreeSnapshot); PH_DECLARE_IMPORT(PssNtFreeRemoteSnapshot); PH_DECLARE_IMPORT(NtPssCaptureVaSpaceBulk); PH_DECLARE_IMPORT(TpSetPoolThreadBasePriority); // Advapi32 PH_DECLARE_IMPORT(ConvertSecurityDescriptorToStringSecurityDescriptorW); PH_DECLARE_IMPORT(ConvertStringSecurityDescriptorToSecurityDescriptorW); // Cfgmgr32 PH_DECLARE_IMPORT(DevGetObjects); PH_DECLARE_IMPORT(DevFreeObjects); PH_DECLARE_IMPORT(DevGetObjectProperties); PH_DECLARE_IMPORT(DevFreeObjectProperties); PH_DECLARE_IMPORT(DevCreateObjectQuery); PH_DECLARE_IMPORT(DevCloseObjectQuery); // Shlwapi PH_DECLARE_IMPORT(SHAutoComplete); PH_DECLARE_IMPORT(SHCreateStreamOnFileEx); // Userenv PH_DECLARE_IMPORT(CreateEnvironmentBlock); PH_DECLARE_IMPORT(DestroyEnvironmentBlock); PH_DECLARE_IMPORT(GetAppContainerRegistryLocation); PH_DECLARE_IMPORT(GetAppContainerFolderPath); // User32 PH_DECLARE_IMPORT(ConsoleControl); PH_DECLARE_IMPORT(GetCurrentInputMessageSource); PH_DECLARE_IMPORT(GetCIMSSM); PH_DECLARE_IMPORT(NtUserBuildHwndList); // Xmllite PH_DECLARE_IMPORT(CreateXmlReader); PH_DECLARE_IMPORT(CreateXmlWriter); EXTERN_C_END #endif ================================================ FILE: phlib/include/appresolver.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2023 * */ #ifndef _PH_APPRESOLVER_H #define _PH_APPRESOLVER_H EXTERN_C_START HRESULT PhAppResolverGetAppIdForProcess( _In_ HANDLE ProcessId, _Out_ PPH_STRING *ApplicationUserModelId ); HRESULT PhAppResolverGetAppIdForWindow( _In_ HWND WindowHandle, _Out_ PPH_STRING *ApplicationUserModelId ); HRESULT PhAppResolverActivateAppId( _In_ PPH_STRING ApplicationUserModelId, _In_opt_ PCWSTR CommandLine, _Out_opt_ HANDLE *ProcessId ); HRESULT PhAppResolverPackageTerminateProcess( _In_ PCWSTR PackageFullName ); typedef struct _PH_PACKAGE_TASK_ENTRY { PPH_STRING TaskName; GUID TaskGuid; } PH_PACKAGE_TASK_ENTRY, *PPH_PACKAGE_TASK_ENTRY; HRESULT PhAppResolverEnumeratePackageBackgroundTasks( _In_ PCWSTR PackageFullName, _Inout_ PPH_LIST BackgroundTasks ); HRESULT PhAppResolverPackageStopSessionRedirection( _In_ PCWSTR PackageFullName ); PPH_STRING PhGetAppContainerName( _In_ PSID AppContainerSid ); PPH_STRING PhGetAppContainerSidFromName( _In_ PCWSTR AppContainerName ); PPH_STRING PhGetAppContainerPackageName( _In_ PSID Sid ); BOOLEAN PhIsPackageCapabilitySid( _In_ PSID AppContainerSid, _In_ PSID Sid ); PPH_STRING PhGetPackagePath( _In_ PPH_STRING PackageFullName ); PPH_LIST PhGetPackageAssetsFromResourceFile( _In_ PCWSTR FilePath ); typedef struct _PH_APPUSERMODELID_ENUM_ENTRY { PPH_STRING AppUserModelId; PPH_STRING PackageName; PPH_STRING PackageDisplayName; PPH_STRING PackageFamilyName; PPH_STRING PackageInstallPath; PPH_STRING PackageFullName; PPH_STRING PackageVersion; PPH_STRING SmallLogoPath; } PH_APPUSERMODELID_ENUM_ENTRY, *PPH_APPUSERMODELID_ENUM_ENTRY; PPH_LIST PhEnumApplicationUserModelIds( VOID ); HRESULT PhAppResolverGetPackageResourceFilePath( _In_ PCWSTR PackageFullName, _In_ PCWSTR Key, _Out_ PWSTR* FilePath ); _Success_(return) BOOLEAN PhAppResolverGetPackageIcon( _In_ HANDLE ProcessId, _In_ PPH_STRING PackageFullName, _Out_opt_ HICON* IconLarge, _Out_opt_ HICON* IconSmall, _In_ LONG SystemDpi ); // Immersive PLM task support HRESULT PhAppResolverBeginCrashDumpTask( _In_ HANDLE ProcessId, _Out_ HANDLE* TaskHandle ); HRESULT PhAppResolverBeginCrashDumpTaskByHandle( _In_ HANDLE ProcessHandle, _Out_ HANDLE* TaskHandle ); HRESULT PhAppResolverEndCrashDumpTask( _In_ HANDLE TaskHandle ); // Desktop Bridge HRESULT PhCreateProcessDesktopPackage( _In_ PCWSTR ApplicationUserModelId, _In_ PCWSTR Executable, _In_ PCWSTR Arguments, _In_opt_ PCWSTR Directory, _In_ BOOLEAN PreventBreakaway, _In_opt_ HANDLE ParentProcessId, _Out_opt_ PHANDLE ProcessHandle ); // // Windows Runtime // #ifndef __hstring_h__ typedef struct HSTRING__* HSTRING; #endif // Note: The HSTRING structures can be found in the Windows SDK // \cppwinrt\winrt\base.h under MIT License. (dmex) typedef struct _WSTRING_HEADER // HSTRING_HEADER (WinSDK) { union { PVOID Reserved1; #if defined(_WIN64) char Reserved2[24]; #else char Reserved2[20]; #endif } Reserved; } WSTRING_HEADER; #define HSTRING_REFERENCE_FLAG 0x1 // hstring_reference_flag (WinSDK) typedef struct _HSTRING_REFERENCE // Stack { union { WSTRING_HEADER Header; struct { UINT32 Flags; UINT32 Length; UINT32 Padding1; UINT32 Padding2; PCWSTR Buffer; }; }; } HSTRING_REFERENCE; #ifdef __hstring_h__ static_assert(sizeof(HSTRING_REFERENCE) == sizeof(HSTRING_HEADER), "HSTRING_REFERENCE must equal WSTRING_HEADER"); #else static_assert(sizeof(HSTRING_REFERENCE) == sizeof(WSTRING_HEADER), "HSTRING_REFERENCE must equal WSTRING_HEADER"); #endif typedef struct _HSTRING_INSTANCE // Heap { // Header union { WSTRING_HEADER Header; struct { UINT32 Flags; UINT32 Length; UINT32 Padding1; UINT32 Padding2; PCWSTR Buffer; }; }; // Data volatile LONG ReferenceCount; WCHAR Data[ANYSIZE_ARRAY]; } HSTRING_INSTANCE; #define HSTRING_FROM_STRING(Header) \ ((HSTRING)&(Header)) PHLIBAPI PPH_STRING NTAPI PhCreateStringFromWindowsRuntimeString( _In_ HSTRING String ); PHLIBAPI HRESULT NTAPI PhCreateWindowsRuntimeStringReference( _In_ PCWSTR SourceString, _Out_ PVOID String ); PHLIBAPI HRESULT NTAPI PhCreateWindowsRuntimeStringReferenceEx( _In_ PCWSTR SourceString, _In_ UINT32 Length, _Out_ PVOID String ); FORCEINLINE HRESULT NTAPI PhCreateWindowsRuntimeStringRef( _In_ PPH_STRINGREF SourceString, _Out_ PVOID String ) { if (SourceString->Length >= ULONG_MAX) { return HRESULT_FROM_WIN32(ERROR_OUTOFMEMORY); } return PhCreateWindowsRuntimeStringReferenceEx(SourceString->Buffer, (ULONG)SourceString->Length / sizeof(WCHAR), String); } PHLIBAPI HRESULT NTAPI PhCreateWindowsRuntimeString( _In_ PCWSTR SourceString, _Out_ HSTRING* String ); PHLIBAPI VOID NTAPI PhDeleteWindowsRuntimeString( _In_opt_ HSTRING String ); PHLIBAPI ULONG NTAPI PhGetWindowsRuntimeStringLength( _In_opt_ HSTRING String ); PHLIBAPI PCWSTR NTAPI PhGetWindowsRuntimeStringBuffer( _In_opt_ HSTRING String, _Out_opt_ PULONG Length ); PHLIBAPI HRESULT NTAPI PhGetProcessSystemIdentification( _In_ HANDLE ProcessId, _Out_ PPH_STRING* SystemIdForPublisher, _Out_ PPH_STRING* SystemIdForUser ); PHLIBAPI PPH_LIST NTAPI PhEnumPackageApplicationUserModelIds( VOID ); PHLIBAPI VOID NTAPI PhDestroyEnumPackageApplicationUserModelIds( _In_ PPH_LIST PackageList ); #pragma region Activation Factory // 00000035-0000-0000-C000-000000000046 DEFINE_GUID(IID_IActivationFactory, 0x00000035, 0x0000, 0x0000, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46); // AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90 DEFINE_GUID(IID_IInspectable, 0xAF86E2E0, 0xB12D, 0x4c6a, 0x9C, 0x5A, 0xD7, 0xAA, 0x65, 0x10, 0x1E, 0x90); #ifdef interface #ifndef __IInspectable_FWD_DEFINED__ #define __IInspectable_FWD_DEFINED__ typedef interface IInspectable IInspectable; #endif #ifndef __IInspectable_INTERFACE_DEFINED__ #define __IInspectable_INTERFACE_DEFINED__ #if defined(__cplusplus) && !defined(CINTERFACE) MIDL_INTERFACE("AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90") IInspectable : public IUnknown { public: virtual HRESULT STDMETHODCALLTYPE GetIids( __RPC__out ULONG * iidCount, __RPC__deref_out_ecount_full_opt(*iidCount) IID * *iids) = 0; virtual HRESULT STDMETHODCALLTYPE GetRuntimeClassName( __RPC__deref_out_opt HSTRING* className) = 0; virtual HRESULT STDMETHODCALLTYPE GetTrustLevel( __RPC__out ULONG* trustLevel) = 0; }; #else typedef struct IInspectableVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IUnknown, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( __RPC__in IInspectable* This, __RPC__in REFIID riid, _COM_Outptr_ void** ppvObject); DECLSPEC_XFGVIRT(IUnknown, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( __RPC__in IInspectable* This); DECLSPEC_XFGVIRT(IUnknown, Release) ULONG (STDMETHODCALLTYPE* Release)( __RPC__in IInspectable* This); DECLSPEC_XFGVIRT(IInspectable, GetIids) HRESULT (STDMETHODCALLTYPE* GetIids)( __RPC__in IInspectable* This, __RPC__out ULONG* iidCount, __RPC__deref_out_ecount_full_opt(*iidCount) IID** iids); DECLSPEC_XFGVIRT(IInspectable, GetRuntimeClassName) HRESULT (STDMETHODCALLTYPE* GetRuntimeClassName)( __RPC__in IInspectable* This, __RPC__deref_out_opt HSTRING* className); DECLSPEC_XFGVIRT(IInspectable, GetTrustLevel) HRESULT (STDMETHODCALLTYPE* GetTrustLevel)( __RPC__in IInspectable* This, __RPC__out ULONG* trustLevel); // TrustLevel END_INTERFACE } IInspectableVtbl; interface IInspectable { CONST_VTBL struct IInspectableVtbl* lpVtbl; }; #ifdef COBJMACROS #define IInspectable_QueryInterface(This,riid,ppvObject) \ ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IInspectable_AddRef(This) \ ((This)->lpVtbl->AddRef(This)) #define IInspectable_Release(This) \ ((This)->lpVtbl->Release(This)) #define IInspectable_GetIids(This,iidCount,iids) \ ((This)->lpVtbl->GetIids(This,iidCount,iids)) #define IInspectable_GetRuntimeClassName(This,className) \ ((This)->lpVtbl->GetRuntimeClassName(This,className)) #define IInspectable_GetTrustLevel(This,trustLevel) \ ((This)->lpVtbl->GetTrustLevel(This,trustLevel)) #endif #endif #endif #ifndef __IActivationFactory_FWD_DEFINED__ #define __IActivationFactory_FWD_DEFINED__ typedef interface IActivationFactory IActivationFactory; #endif #ifndef __IActivationFactory_INTERFACE_DEFINED__ #define __IActivationFactory_INTERFACE_DEFINED__ #if defined(__cplusplus) && !defined(CINTERFACE) MIDL_INTERFACE("00000035-0000-0000-C000-000000000046") IActivationFactory : public IInspectable { public: virtual HRESULT STDMETHODCALLTYPE ActivateInstance( __RPC__deref_out_opt IInspectable * *instance) = 0; }; #else typedef struct IActivationFactoryVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IUnknown, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( __RPC__in IActivationFactory* This, __RPC__in REFIID riid, _COM_Outptr_ void** ppvObject); DECLSPEC_XFGVIRT(IUnknown, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( __RPC__in IActivationFactory* This); DECLSPEC_XFGVIRT(IUnknown, Release) ULONG (STDMETHODCALLTYPE* Release)( __RPC__in IActivationFactory* This); DECLSPEC_XFGVIRT(IInspectable, GetIids) HRESULT (STDMETHODCALLTYPE* GetIids)( __RPC__in IActivationFactory* This, __RPC__out ULONG* iidCount, __RPC__deref_out_ecount_full_opt(*iidCount) IID** iids); DECLSPEC_XFGVIRT(IInspectable, GetRuntimeClassName) HRESULT (STDMETHODCALLTYPE* GetRuntimeClassName)( __RPC__in IActivationFactory* This, __RPC__deref_out_opt HSTRING* className); DECLSPEC_XFGVIRT(IInspectable, GetTrustLevel) HRESULT (STDMETHODCALLTYPE* GetTrustLevel)( __RPC__in IActivationFactory* This, __RPC__out ULONG* trustLevel); // TrustLevel enum DECLSPEC_XFGVIRT(IActivationFactory, ActivateInstance) HRESULT (STDMETHODCALLTYPE* ActivateInstance)( __RPC__in IActivationFactory* This, __RPC__deref_out_opt IInspectable** instance); END_INTERFACE } IActivationFactoryVtbl; interface IActivationFactory { CONST_VTBL struct IActivationFactoryVtbl* lpVtbl; }; #ifdef COBJMACROS #define IActivationFactory_QueryInterface(This,riid,ppvObject) \ ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IActivationFactory_AddRef(This) \ ((This)->lpVtbl->AddRef(This)) #define IActivationFactory_Release(This) \ ((This)->lpVtbl->Release(This)) #define IActivationFactory_GetIids(This,iidCount,iids) \ ((This)->lpVtbl->GetIids(This,iidCount,iids)) #define IActivationFactory_GetRuntimeClassName(This,className) \ ((This)->lpVtbl->GetRuntimeClassName(This,className)) #define IActivationFactory_GetTrustLevel(This,trustLevel) \ ((This)->lpVtbl->GetTrustLevel(This,trustLevel)) #define IActivationFactory_ActivateInstance(This,instance) \ ((This)->lpVtbl->ActivateInstance(This,instance)) #endif #endif #endif #endif #pragma endregion EXTERN_C_END #endif ================================================ FILE: phlib/include/appresolverp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2023 * */ #ifndef _PH_APPRESOLVER_P_H #define _PH_APPRESOLVER_P_H // "660B90C8-73A9-4B58-8CAE-355B7F55341B" DEFINE_GUID(CLSID_StartMenuCacheAndAppResolver_I, 0x660B90C8, 0x73A9, 0x4B58, 0x8C, 0xAE, 0x35, 0x5B, 0x7F, 0x55, 0x34, 0x1B); // "46A6EEFF-908E-4DC6-92A6-64BE9177B41C" DEFINE_GUID(IID_IApplicationResolver_I, 0x46A6EEFF, 0x908E, 0x4DC6, 0x92, 0xA6, 0x64, 0xBE, 0x91, 0x77, 0xB4, 0x1c); // "DE25675A-72DE-44b4-9373-05170450C140" DEFINE_GUID(IID_IApplicationResolver2_I, 0xDE25675A, 0x72DE, 0x44b4, 0x93, 0x73, 0x05, 0x17, 0x04, 0x50, 0xC1, 0x40); // "33F71155-C2E9-4FFE-9786-A32D98577CFF" DEFINE_GUID(IID_IStartMenuAppItems_I, 0x33F71155, 0xC2E9, 0x4FFE, 0x97, 0x86, 0xA3, 0x2D, 0x98, 0x57, 0x7C, 0xFF); // "02C5CCF3-805F-4654-A7B7-340A74335365" DEFINE_GUID(IID_IStartMenuAppItems2_I, 0x02C5CCF3, 0x805F, 0x4654, 0xA7, 0xB7, 0x34, 0x0A, 0x74, 0x33, 0x53, 0x65); // ba5a92ae_bfd7_4916_854f_6b3a402b84a8 // 21cbc515_2dde_4d66_8292_ba34bd25094a // 17541a17_f509_4cb6_8d08_651dc68d8227 // 67383c80_7543_4e04_9e97_c990f5e3878d // 3af46105_16ce_776f_43a2_341172b6e95a // 6b1d7151_7a17_4c66_abc4_c9b1bc6c0e8d // ffd2cca4_adfb_46e9_9a02_49d019db2a68 // 8dda7cc4_ae71_4e2a_bc8d_7f16ec66f540 // "ba5a92ae-bfd7-4916-854f-6b3a402b84a8" //DEFINE_GUID(IID_IStartMenuItemsCache, 0xba5a92ae, 0xbfd7, 0x4916, 0x85, 0x4f, 0x6b, 0x3a, 0x40, 0x2b, 0x84, 0xa8); // "21cbc515-2dde-4d66-8292-ba34bd25094a" DEFINE_GUID(IID_IDesktopTileActivator, 0x21cbc515, 0x2dde, 0x4d66, 0x82, 0x92, 0xba, 0x34, 0xbd, 0x25, 0x09, 0x4a); // "17541a17-f509-4cb6-8d08-651dc68d8227" DEFINE_GUID(IID_IAppResolverPinToStart, 0x17541a17, 0xf509, 0x4cb6, 0x8d, 0x08, 0x65, 0x1d, 0xc6, 0x8d, 0x82, 0x27); // "67383c80-7543-4e04-9e97-c990f5e3878d" DEFINE_GUID(IID_ILauncherAppList, 0x67383c80, 0x7543, 0x4e04, 0x9e, 0x97, 0xc9, 0x90, 0xf5, 0xe3, 0x87, 0x8d); // "3af46105-16ce-776f-43a2-341172b6e95a" DEFINE_GUID(IID_IStartMenuRankManager, 0x3af46105, 0x16ce, 0x776f, 0x43, 0xa2, 0x34, 0x11, 0x72, 0xb6, 0xe9, 0x5a); // "6b1d7151-7a17-4c66-abc4-c9b1bc6c0e8d" DEFINE_GUID(IID_IAppResolverCacheAccessor, 0x6b1d7151, 0x7a17, 0x4c66, 0xab, 0xc4, 0xc9, 0xb1, 0xbc, 0x6c, 0x0e, 0x8d); // "ffd2cca4-adfb-46e9-9a02-49d019db2a68" DEFINE_GUID(IID_IAppResolverPinToStartFF, 0xffd2cca4, 0xadfb, 0x46e9, 0x9a, 0x02, 0x49, 0xd0, 0x19, 0xdb, 0x2a, 0x68); // "8dda7cc4-ae71-4e2a-bc8d-7f16ec66f540" DEFINE_GUID(IID_IAppResolverPinToStartF, 0x8dda7cc4, 0xae71, 0x4e2a, 0xbc, 0x8d, 0x7f, 0x16, 0xec, 0x66, 0xf5, 0x40); // "DE25675A-72DE-44b4-9373-05170450C140" // IStartMenuItemsCache // IDesktopTileActivator // IAppResolverPinToStart // ILauncherAppList // IStartMenuRankManager // IAppResolverCacheAccessor // "DBCE7E40-7345-439D-B12C-114A11819A09" DEFINE_GUID(CLSID_MrtResourceManager_I, 0xDBCE7E40, 0x7345, 0x439D, 0xB1, 0x2C, 0x11, 0x4A, 0x11, 0x81, 0x9A, 0x09); // "130A2F65-2BE7-4309-9A58-A9052FF2B61C" DEFINE_GUID(IID_IMrtResourceManager_I, 0x130A2F65, 0x2BE7, 0x4309, 0x9A, 0x58, 0xA9, 0x05, 0x2F, 0xF2, 0xB6, 0x1C); // "E3C22B30-8502-4B2F-9133-559674587E51" DEFINE_GUID(IID_IResourceContext_I, 0xE3C22B30, 0x8502, 0x4B2F, 0x91, 0x33, 0x55, 0x96, 0x74, 0x58, 0x7E, 0x51); // "6E21E72B-B9B0-42AE-A686-983CF784EDCD" DEFINE_GUID(IID_IResourceMap_I, 0x6E21E72B, 0xB9B0, 0x42AE, 0xA6, 0x86, 0x98, 0x3C, 0xF7, 0x84, 0xED, 0xCD); NTSYSAPI HRESULT NTAPI AppContainerDeriveSidFromMoniker( // DeriveAppContainerSidFromAppContainerName _In_ PCWSTR AppContainerName, _Out_ PSID *AppContainerSid ); // Note: LookupAppContainerDisplayName (userenv.dll, ordinal 211) has the same prototype but returns 'PackageName/ContainerName'. NTSYSAPI HRESULT NTAPI AppContainerLookupMoniker( _In_ PSID AppContainerSid, _Out_ PWSTR *PackageFamilyName ); NTSYSAPI HRESULT NTAPI AppContainerRegisterSid( _In_ PSID Sid, _In_ PCWSTR AppContainerName, _In_ PCWSTR DisplayName ); NTSYSAPI HRESULT NTAPI AppContainerUnregisterSid( _In_ PSID Sid ); NTSYSAPI BOOL NTAPI AppContainerFreeMemory( _Frees_ptr_opt_ PVOID Memory ); // rev NTSYSAPI NTSTATUS NTAPI PsmGetKeyFromProcess( _In_ HANDLE ProcessHandle, _Out_ PVOID KeyBuffer, _Inout_ PULONG KeyLength ); // rev NTSYSAPI NTSTATUS NTAPI PsmGetKeyFromToken( _In_ HANDLE TokenHandle, _Out_ PVOID KeyBuffer, _Inout_ PULONG KeyLength ); // rev NTSYSAPI NTSTATUS NTAPI PsmGetApplicationNameFromKey( _In_ PVOID KeyBuffer, _Out_ PVOID NameBuffer, _Inout_ PULONG NameLength ); // rev NTSYSAPI NTSTATUS NTAPI PsmGetPackageFullNameFromKey( _In_ PVOID KeyBuffer, _Out_ PVOID NameBuffer, _Inout_ PULONG NameLength ); // "168EB462-775F-42AE-9111-D714B2306C2E" DEFINE_GUID(CLSID_IDesktopAppXActivator_I, 0x168EB462, 0x775F, 0x42AE, 0x91, 0x11, 0xD7, 0x14, 0xB2, 0x30, 0x6C, 0x2E); // "72e3a5b0-8fea-485c-9f8b-822b16dba17f" DEFINE_GUID(IID_IDesktopAppXActivator1_I, 0x72e3a5b0, 0x8fea, 0x485c, 0x9f, 0x8b, 0x82, 0x2b, 0x16, 0xdb, 0xa1, 0x7f); // "F158268A-D5A5-45CE-99CF-00D6C3F3FC0A" DEFINE_GUID(IID_IDesktopAppXActivator2_I, 0xF158268A, 0xD5A5, 0x45CE, 0x99, 0xCF, 0x00, 0xD6, 0xC3, 0xF3, 0xFC, 0x0A); typedef enum _DESKTOP_APPX_ACTIVATE_OPTIONS { DAXAO_NONE = 0, DAXAO_ELEVATE = 1, DAXAO_NONPACKAGED_EXE = 2, DAXAO_NONPACKAGED_EXE_PROCESS_TREE = 4, DAXAO_NONPACKAGED_EXE_FLAGS = 6, DAXAO_NO_ERROR_UI = 8, DAXAO_CHECK_FOR_APPINSTALLER_UPDATES = 16, DAXAO_CENTENNIAL_PROCESS = 32, DAXAO_UNIVERSAL_PROCESS = 64, DAXAO_WIN32ALACARTE_PROCESS = 128, DAXAO_RUNTIME_BEHAVIOR_FLAGS = 224, DAXAO_PARTIAL_TRUST = 256, DAXAO_UNIVERSAL_CONSOLE = 512, DAXAO_APP_SILO = 1024, DAXAO_TRUST_LEVEL_FLAGS = 1280 } DESKTOP_APPX_ACTIVATE_OPTIONS, *PDESKTOP_APPX_ACTIVATE_OPTIONS; // IDesktopAppXActivator #ifndef __IDesktopAppXActivator_INTERFACE_DEFINED__ #define __IDesktopAppXActivator_INTERFACE_DEFINED__ typedef struct IDesktopAppXActivator IDesktopAppXActivator; typedef struct IDesktopAppXActivatorVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IDesktopAppXActivator, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IDesktopAppXActivator* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IDesktopAppXActivator, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IDesktopAppXActivator* This ); DECLSPEC_XFGVIRT(IDesktopAppXActivator, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IDesktopAppXActivator* This ); // IDesktopAppXActivator1 DECLSPEC_XFGVIRT(IDesktopAppXActivator, Activate) HRESULT (STDMETHODCALLTYPE* Activate)( _In_ IDesktopAppXActivator* This, _In_ PCWSTR ApplicationUserModelId, _In_ PCWSTR PackageRelativeExecutable, _In_ PCWSTR Arguments, _Out_ PHANDLE ProcessHandle ); DECLSPEC_XFGVIRT(IDesktopAppXActivator, ActivateWithOptions) HRESULT (STDMETHODCALLTYPE* ActivateWithOptions)( _In_ IDesktopAppXActivator* This, _In_ PCWSTR ApplicationUserModelId, _In_ PCWSTR Executable, _In_ PCWSTR Arguments, _In_ ULONG ActivationOptions, _In_opt_ ULONG ParentProcessId, _Out_ PHANDLE ProcessHandle ); // IDesktopAppXActivator2 DECLSPEC_XFGVIRT(IDesktopAppXActivator, ActivateWithOptionsAndArgs) HRESULT (STDMETHODCALLTYPE* ActivateWithOptionsAndArgs)( _In_ IDesktopAppXActivator* This, _In_ PCWSTR ApplicationUserModelId, _In_ PCWSTR Executable, _In_ PCWSTR Arguments, _In_opt_ ULONG ParentProcessId, _In_opt_ PVOID ActivatedEventArgs, _Out_ PHANDLE ProcessHandle ); DECLSPEC_XFGVIRT(IDesktopAppXActivator, ActivateWithOptionsArgsWorkingDirectoryShowWindow) HRESULT (STDMETHODCALLTYPE* ActivateWithOptionsArgsWorkingDirectoryShowWindow)( _In_ IDesktopAppXActivator* This, _In_ PCWSTR ApplicationUserModelId, _In_ PCWSTR Executable, _In_ PCWSTR Arguments, _In_ ULONG ActivationOptions, _In_opt_ ULONG ParentProcessId, _In_opt_ PVOID ActivatedEventArgs, _In_ PCWSTR WorkingDirectory, _In_ ULONG ShowWindow, _Out_ PHANDLE ProcessHandle ); END_INTERFACE } IDesktopAppXActivatorVtbl; interface IDesktopAppXActivator { CONST_VTBL struct IDesktopAppXActivatorVtbl* lpVtbl; }; #ifdef COBJMACROS #define IDesktopAppXActivator_QueryInterface(This,riid,ppvObject) \ ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IDesktopAppXActivator_AddRef(This) \ ((This)->lpVtbl->AddRef(This)) #define IDesktopAppXActivator_Release(This) \ ((This)->lpVtbl->Release(This)) #define IDesktopAppXActivator_Activate(This,AUMID,PRE,Args,ProcessHandle) \ ((This)->lpVtbl->Activate(This,AUMID,PRE,Args,ProcessHandle)) #define IDesktopAppXActivator_ActivateWithOptions(This,AUMID,Exe,Args,Options,ParentPid,ProcessHandle) \ ((This)->lpVtbl->ActivateWithOptions(This,AUMID,Exe,Args,Options,ParentPid,ProcessHandle)) #define IDesktopAppXActivator_ActivateWithOptionsAndArgs(This,AUMID,Exe,Args,ParentPid,EventArgs,ProcessHandle) \ ((This)->lpVtbl->ActivateWithOptionsAndArgs(This,AUMID,Exe,Args,ParentPid,EventArgs,ProcessHandle)) #define IDesktopAppXActivator_ActivateWithOptionsArgsWorkingDirectoryShowWindow(This,AUMID,Exe,Args,Options,ParentPid,EventArgs,WorkingDir,ShowWindow,ProcessHandle) \ ((This)->lpVtbl->ActivateWithOptionsArgsWorkingDirectoryShowWindow(This,AUMID,Exe,Args,Options,ParentPid,EventArgs,WorkingDir,ShowWindow,ProcessHandle)) #endif // COBJMACROS #endif // __IDesktopAppXActivator_INTERFACE_DEFINED__ // "ba5a92ae-bfd7-4916-854f-6b3a402b84a8" DEFINE_GUID(IID_IStartMenuItemsCache, 0xba5a92ae, 0xbfd7, 0x4916, 0x85, 0x4f, 0x6b, 0x3a, 0x40, 0x2b, 0x84, 0xa8); // Note: Interface checks GetModuleFileNameW is equal L"EXPLORER.EXE", // else L"PPISHELL.EXE", L"TE.PROCESSHOST.EXE" from HKLM "AppResolverHostProcess" // IStartMenuItemsCache #ifndef __IStartMenuItemsCache_INTERFACE_DEFINED__ #define __IStartMenuItemsCache_INTERFACE_DEFINED__ typedef struct IStartMenuItemsCache IStartMenuItemsCache; typedef struct IStartMenuItemsCacheVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IStartMenuItemsCache, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IStartMenuItemsCache* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject); DECLSPEC_XFGVIRT(IStartMenuItemsCache, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IStartMenuItemsCache* This); DECLSPEC_XFGVIRT(IStartMenuItemsCache, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IStartMenuItemsCache* This); DECLSPEC_XFGVIRT(IStartMenuItemsCache, OnChangeNotify) HRESULT (STDMETHODCALLTYPE* OnChangeNotify)( _In_ IStartMenuItemsCache* This, _In_ ULONG, _In_ LONG, _In_ PCIDLIST_ABSOLUTE, _In_ PCIDLIST_ABSOLUTE); DECLSPEC_XFGVIRT(IStartMenuItemsCache, RegisterForNotifications) HRESULT (STDMETHODCALLTYPE* RegisterForNotifications)( _In_ IStartMenuItemsCache* This); DECLSPEC_XFGVIRT(IStartMenuItemsCache, UnregisterForNotifications) HRESULT (STDMETHODCALLTYPE* UnregisterForNotifications)( _In_ IStartMenuItemsCache* This); DECLSPEC_XFGVIRT(IStartMenuItemsCache, PauseNotifications) HRESULT (STDMETHODCALLTYPE* PauseNotifications)( _In_ IStartMenuItemsCache* This); DECLSPEC_XFGVIRT(IStartMenuItemsCache, ResumeNotifications) HRESULT (STDMETHODCALLTYPE* ResumeNotifications)( _In_ IStartMenuItemsCache* This); DECLSPEC_XFGVIRT(IStartMenuItemsCache, RegisterARNotify) HRESULT (STDMETHODCALLTYPE* RegisterARNotify)( _In_ IStartMenuItemsCache* This, _In_ struct IAppResolverNotify* AppResolverNotify); DECLSPEC_XFGVIRT(IStartMenuItemsCache, RefreshCache) HRESULT (STDMETHODCALLTYPE* RefreshCache)( _In_ IStartMenuItemsCache* This, _In_ enum START_MENU_REFRESH_CACHE_FLAGS Flags); DECLSPEC_XFGVIRT(IStartMenuItemsCache, ReleaseGlobalCacheObject) HRESULT (STDMETHODCALLTYPE* ReleaseGlobalCacheObject)( _In_ IStartMenuItemsCache* This); DECLSPEC_XFGVIRT(IStartMenuItemsCache, IsCacheMatchingLanguage) HRESULT (STDMETHODCALLTYPE* IsCacheMatchingLanguage)( _In_ IStartMenuItemsCache* This, _Out_ PLONG LanguageId); DECLSPEC_XFGVIRT(IStartMenuItemsCache, EnableAppUsageData) HRESULT (STDMETHODCALLTYPE* EnableAppUsageData)( _In_ IStartMenuItemsCache* This); END_INTERFACE } IStartMenuItemsCacheVtbl; interface IStartMenuItemsCache { CONST_VTBL struct IStartMenuItemsCacheVtbl* lpVtbl; }; #ifdef COBJMACROS #define IStartMenuItemsCache_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IStartMenuItemsCache_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IStartMenuItemsCache_Release(This) ((This)->lpVtbl->Release(This)) #define IStartMenuItemsCache_OnChangeNotify(This,a,b,c,d) ((This)->lpVtbl->OnChangeNotify(This,a,b,c,d)) #define IStartMenuItemsCache_RegisterForNotifications(This) ((This)->lpVtbl->RegisterForNotifications(This)) #define IStartMenuItemsCache_UnregisterForNotifications(This) ((This)->lpVtbl->UnregisterForNotifications(This)) #define IStartMenuItemsCache_PauseNotifications(This) ((This)->lpVtbl->PauseNotifications(This)) #define IStartMenuItemsCache_ResumeNotifications(This) ((This)->lpVtbl->ResumeNotifications(This)) #define IStartMenuItemsCache_RegisterARNotify(This,p) ((This)->lpVtbl->RegisterARNotify(This,p)) #define IStartMenuItemsCache_RefreshCache(This,Flags) ((This)->lpVtbl->RefreshCache(This,Flags)) #define IStartMenuItemsCache_ReleaseGlobalCacheObject(This) ((This)->lpVtbl->ReleaseGlobalCacheObject(This)) #define IStartMenuItemsCache_IsCacheMatchingLanguage(This,pLong) ((This)->lpVtbl->IsCacheMatchingLanguage(This,pLong)) #define IStartMenuItemsCache_EnableAppUsageData(This) ((This)->lpVtbl->EnableAppUsageData(This)) #endif // COBJMACROS #endif // __IStartMenuItemsCache_INTERFACE_DEFINED__ typedef enum _START_MENU_APP_ITEMS_FLAGS { SMAIF_DEFAULT = 0, SMAIF_EXTENDED = 1, SMAIF_USAGEINFO = 2 } START_MENU_APP_ITEMS_FLAGS; // IApplicationResolver #ifndef __IApplicationResolver_INTERFACE_DEFINED__ #define __IApplicationResolver_INTERFACE_DEFINED__ typedef struct IApplicationResolver IApplicationResolver; typedef struct IApplicationResolverVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IApplicationResolver, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IApplicationResolver* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IApplicationResolver, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IApplicationResolver* This ); DECLSPEC_XFGVIRT(IApplicationResolver, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IApplicationResolver* This ); DECLSPEC_XFGVIRT(IApplicationResolver, GetAppIDForShortcut) HRESULT (STDMETHODCALLTYPE* GetAppIDForShortcut)( _In_ IApplicationResolver* This, _In_ IShellItem* psi, _Outptr_ PWSTR* ppszAppID ); DECLSPEC_XFGVIRT(IApplicationResolver, GetAppIDForWindow) HRESULT (STDMETHODCALLTYPE* GetAppIDForWindow)( _In_ IApplicationResolver* This, _In_ HWND WindowHandle, _Outptr_ PWSTR* ppszAppID, _Out_opt_ PBOOL pfPinningPrevented, _Out_opt_ PBOOL pfExplicitAppID, _Out_opt_ PBOOL pfEmbeddedShortcutValid ); DECLSPEC_XFGVIRT(IApplicationResolver, GetAppIDForProcess) HRESULT (STDMETHODCALLTYPE* GetAppIDForProcess)( _In_ IApplicationResolver* This, _In_ ULONG dwProcessID, _Outptr_ PWSTR* ppszAppID, _Out_opt_ PBOOL pfPinningPrevented, _Out_opt_ PBOOL pfExplicitAppID, _Out_opt_ PBOOL pfEmbeddedShortcutValid ); DECLSPEC_XFGVIRT(IApplicationResolver, GetShortcutForProcess) HRESULT (STDMETHODCALLTYPE* GetShortcutForProcess)( _In_ IApplicationResolver* This, _In_ ULONG dwProcessID, _Outptr_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver, GetBestShortcutForAppID) HRESULT (STDMETHODCALLTYPE* GetBestShortcutForAppID)( _In_ IApplicationResolver* This, _In_ PCWSTR pszAppID, _Outptr_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver, GetBestShortcutAndAppIDForAppPath) HRESULT (STDMETHODCALLTYPE* GetBestShortcutAndAppIDForAppPath)( _In_ IApplicationResolver* This, _In_ PCWSTR pszAppPath, _Outptr_opt_ IShellItem** ppsi, _Outptr_opt_ PWSTR* ppszAppID ); DECLSPEC_XFGVIRT(IApplicationResolver, CanPinApp) HRESULT (STDMETHODCALLTYPE* CanPinApp)( _In_ IApplicationResolver* This, _In_ IShellItem* psi ); DECLSPEC_XFGVIRT(IApplicationResolver, GetRelaunchProperties) HRESULT (STDMETHODCALLTYPE* GetRelaunchProperties)( _In_ IApplicationResolver* This, _In_ HWND WindowHandle, _Outptr_opt_result_maybenull_ PWSTR* ppszAppID, _Outptr_opt_result_maybenull_ PWSTR* ppszCmdLine, _Outptr_opt_result_maybenull_ PWSTR* ppszIconResource, _Outptr_opt_result_maybenull_ PWSTR* ppszDisplayNameResource, _Out_opt_ BOOL* pfPinnable ); DECLSPEC_XFGVIRT(IApplicationResolver, GenerateShortcutFromWindowProperties) HRESULT (STDMETHODCALLTYPE* GenerateShortcutFromWindowProperties)( _In_ IApplicationResolver* This, _Outptr_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver, GenerateShortcutFromItemProperties) HRESULT (STDMETHODCALLTYPE* GenerateShortcutFromItemProperties)( _In_ IApplicationResolver* This, _In_ IShellItem2* psi2, _Out_opt_ IShellItem** ppsi ); END_INTERFACE } IApplicationResolverVtbl; interface IApplicationResolver { CONST_VTBL struct IApplicationResolverVtbl* lpVtbl; }; #ifdef COBJMACROS #define IApplicationResolver_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IApplicationResolver_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IApplicationResolver_Release(This) ((This)->lpVtbl->Release(This)) #define IApplicationResolver_GetAppIDForShortcut(This,psi,ppszAppID) ((This)->lpVtbl->GetAppIDForShortcut(This,psi,ppszAppID)) #define IApplicationResolver_GetAppIDForWindow(This,hWnd,ppszAppID,pPrev,pExp,pEmb) ((This)->lpVtbl->GetAppIDForWindow(This,hWnd,ppszAppID,pPrev,pExp,pEmb)) #define IApplicationResolver_GetAppIDForProcess(This,pid,ppszAppID,pPrev,pExp,pEmb) ((This)->lpVtbl->GetAppIDForProcess(This,pid,ppszAppID,pPrev,pExp,pEmb)) #define IApplicationResolver_GetShortcutForProcess(This,pid,ppsi) ((This)->lpVtbl->GetShortcutForProcess(This,pid,ppsi)) #define IApplicationResolver_GetBestShortcutForAppID(This,appId,ppsi) ((This)->lpVtbl->GetBestShortcutForAppID(This,appId,ppsi)) #define IApplicationResolver_GetBestShortcutAndAppIDForAppPath(This,path,ppsi,ppszAppID) ((This)->lpVtbl->GetBestShortcutAndAppIDForAppPath(This,path,ppsi,ppszAppID)) #define IApplicationResolver_CanPinApp(This,psi) ((This)->lpVtbl->CanPinApp(This,psi)) #define IApplicationResolver_GetRelaunchProperties(This,hWnd,ppszAppID,ppszCmd,ppszIcon,ppszDisplay,pPinnable) ((This)->lpVtbl->GetRelaunchProperties(This,hWnd,ppszAppID,ppszCmd,ppszIcon,ppszDisplay,pPinnable)) #define IApplicationResolver_GenerateShortcutFromWindowProperties(This,ppsi) ((This)->lpVtbl->GenerateShortcutFromWindowProperties(This,ppsi)) #define IApplicationResolver_GenerateShortcutFromItemProperties(This,psi2,ppsi) ((This)->lpVtbl->GenerateShortcutFromItemProperties(This,psi2,ppsi)) #endif // COBJMACROS #endif // __IApplicationResolver_INTERFACE_DEFINED__ typedef enum tagAPP_RESOLVER_ITEM_FILTER_FLAGS { ARIFF_NONE = 0, ARIFF_REQUIRE_PREVENT_PINNING_NOT_SET = 1, ARIFF_REQUIRE_PINNABLE = 2, } APP_RESOLVER_ITEM_FILTER_FLAGS; // IApplicationResolver2 #ifndef __IApplicationResolver2_INTERFACE_DEFINED__ #define __IApplicationResolver2_INTERFACE_DEFINED__ typedef struct IApplicationResolver2 IApplicationResolver2; typedef struct IApplicationResolver2Vtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IApplicationResolver2, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IApplicationResolver2* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IApplicationResolver2, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IApplicationResolver2* This ); DECLSPEC_XFGVIRT(IApplicationResolver2, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IApplicationResolver2* This ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetAppIDForShortcut) HRESULT (STDMETHODCALLTYPE* GetAppIDForShortcut)( _In_ IApplicationResolver2* This, _In_ IShellItem* psi, _Outptr_ PWSTR* ppszAppID ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetAppIDForShortcutObject) HRESULT (STDMETHODCALLTYPE* GetAppIDForShortcutObject)( _In_ IApplicationResolver2* This, _In_ IShellLinkW* psl, _In_ IShellItem* psi, _Outptr_ PWSTR* ppszAppID ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetAppIDForWindow) HRESULT (STDMETHODCALLTYPE* GetAppIDForWindow)( _In_ IApplicationResolver2* This, _In_ HWND WindowHandle, _Outptr_ PWSTR* ppszAppID, _Out_opt_ BOOL* pfPinningPrevented, _Out_opt_ BOOL* pfExplicitAppID, _Out_opt_ BOOL* pfEmbeddedShortcutValid ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetAppIDForProcess) HRESULT (STDMETHODCALLTYPE* GetAppIDForProcess)( _In_ IApplicationResolver2* This, _In_ ULONG dwProcessID, _Outptr_ PWSTR* ppszAppID, _Out_opt_ BOOL* pfPinningPrevented, _Out_opt_ BOOL* pfExplicitAppID, _Out_opt_ BOOL* pfEmbeddedShortcutValid ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetShortcutForProcess) HRESULT (STDMETHODCALLTYPE* GetShortcutForProcess)( _In_ IApplicationResolver2* This, _In_ ULONG dwProcessID, _Outptr_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetBestShortcutForAppID) HRESULT (STDMETHODCALLTYPE* GetBestShortcutForAppID)( _In_ IApplicationResolver2* This, _In_ PCWSTR pszAppID, _Outptr_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetBestShortcutAndAppIDForAppPath) HRESULT (STDMETHODCALLTYPE* GetBestShortcutAndAppIDForAppPath)( _In_ IApplicationResolver2* This, _In_ PCWSTR pszAppPath, _Outptr_opt_ IShellItem** ppsi, _Outptr_opt_ PWSTR* ppszAppID ); DECLSPEC_XFGVIRT(IApplicationResolver2, CanPinApp) HRESULT (STDMETHODCALLTYPE* CanPinApp)( _In_ IApplicationResolver2* This, _In_ IShellItem* psi ); DECLSPEC_XFGVIRT(IApplicationResolver2, CanPinAppShortcut) HRESULT (STDMETHODCALLTYPE* CanPinAppShortcut)( _In_ IApplicationResolver2* This, _In_ IShellLinkW* psl, _In_ IShellItem* psi ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetRelaunchProperties) HRESULT (STDMETHODCALLTYPE* GetRelaunchProperties)( _In_ IApplicationResolver2* This, _In_ HWND WindowHandle, _Outptr_opt_result_maybenull_ PWSTR* ppszAppID, _Outptr_opt_result_maybenull_ PWSTR* ppszCmdLine, _Outptr_opt_result_maybenull_ PWSTR* ppszIconResource, _Outptr_opt_result_maybenull_ PWSTR* ppszDisplayNameResource, _Out_opt_ BOOL* pfPinnable ); DECLSPEC_XFGVIRT(IApplicationResolver2, GenerateShortcutFromWindowProperties) HRESULT (STDMETHODCALLTYPE* GenerateShortcutFromWindowProperties)( _In_ IApplicationResolver2* This, _Outptr_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver2, GenerateShortcutFromItemProperties) HRESULT (STDMETHODCALLTYPE* GenerateShortcutFromItemProperties)( _In_ IApplicationResolver2* This, _In_ IShellItem2* psi2, _Out_opt_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetLauncherAppIDForItem) HRESULT (STDMETHODCALLTYPE* GetLauncherAppIDForItem)( _In_ IApplicationResolver2* This, _In_ IShellItem* psi, _Outptr_opt_ PWSTR* ppszAppID ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetShortcutForAppID) HRESULT (STDMETHODCALLTYPE* GetShortcutForAppID)( _In_ IApplicationResolver2* This, _In_ PCWSTR ppszAppID, _Out_opt_ IShellItem** ppsi ); DECLSPEC_XFGVIRT(IApplicationResolver2, GetLauncherAppIDForItemEx) HRESULT (STDMETHODCALLTYPE* GetLauncherAppIDForItemEx)( _In_ IApplicationResolver2* This, _In_ IShellItem* psi, _In_ APP_RESOLVER_ITEM_FILTER_FLAGS Flags, _Outptr_opt_ PWSTR* ppszAppID ); END_INTERFACE } IApplicationResolver2Vtbl; interface IApplicationResolver2 { CONST_VTBL struct IApplicationResolver2Vtbl* lpVtbl; }; #ifdef COBJMACROS #define IApplicationResolver2_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IApplicationResolver2_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IApplicationResolver2_Release(This) ((This)->lpVtbl->Release(This)) #define IApplicationResolver2_GetAppIDForShortcut(This,psi,ppszAppID) ((This)->lpVtbl->GetAppIDForShortcut(This,psi,ppszAppID)) #define IApplicationResolver2_GetAppIDForShortcutObject(This,psl,psi,ppszAppID) ((This)->lpVtbl->GetAppIDForShortcutObject(This,psl,psi,ppszAppID)) #define IApplicationResolver2_GetAppIDForWindow(This,hWnd,ppszAppID,pPrev,pExp,pEmb) ((This)->lpVtbl->GetAppIDForWindow(This,hWnd,ppszAppID,pPrev,pExp,pEmb)) #define IApplicationResolver2_GetAppIDForProcess(This,pid,ppszAppID,pPrev,pExp,pEmb) ((This)->lpVtbl->GetAppIDForProcess(This,pid,ppszAppID,pPrev,pExp,pEmb)) #define IApplicationResolver2_GetShortcutForProcess(This,pid,ppsi) ((This)->lpVtbl->GetShortcutForProcess(This,pid,ppsi)) #define IApplicationResolver2_GetBestShortcutForAppID(This,appId,ppsi) ((This)->lpVtbl->GetBestShortcutForAppID(This,appId,ppsi)) #define IApplicationResolver2_GetBestShortcutAndAppIDForAppPath(This,path,ppsi,ppszAppID) ((This)->lpVtbl->GetBestShortcutAndAppIDForAppPath(This,path,ppsi,ppszAppID)) #define IApplicationResolver2_CanPinApp(This,psi) ((This)->lpVtbl->CanPinApp(This,psi)) #define IApplicationResolver2_CanPinAppShortcut(This,psl,psi) ((This)->lpVtbl->CanPinAppShortcut(This,psl,psi)) #define IApplicationResolver2_GetRelaunchProperties(This,hWnd,ppszAppID,ppszCmd,ppszIcon,ppszDisplay,pPinnable) ((This)->lpVtbl->GetRelaunchProperties(This,hWnd,ppszAppID,ppszCmd,ppszIcon,ppszDisplay,pPinnable)) #define IApplicationResolver2_GenerateShortcutFromWindowProperties(This,ppsi) ((This)->lpVtbl->GenerateShortcutFromWindowProperties(This,ppsi)) #define IApplicationResolver2_GenerateShortcutFromItemProperties(This,psi2,ppsi) ((This)->lpVtbl->GenerateShortcutFromItemProperties(This,psi2,ppsi)) #define IApplicationResolver2_GetLauncherAppIDForItem(This,psi,ppszAppID) ((This)->lpVtbl->GetLauncherAppIDForItem(This,psi,ppszAppID)) #define IApplicationResolver2_GetShortcutForAppID(This,appId,ppsi) ((This)->lpVtbl->GetShortcutForAppID(This,appId,ppsi)) #define IApplicationResolver2_GetLauncherAppIDForItemEx(This,psi,Flags,ppszAppID) ((This)->lpVtbl->GetLauncherAppIDForItemEx(This,psi,Flags,ppszAppID)) #endif // COBJMACROS #endif // __IApplicationResolver2_INTERFACE_DEFINED__ // IStartMenuAppItems #ifndef __IStartMenuAppItems_INTERFACE_DEFINED__ #define __IStartMenuAppItems_INTERFACE_DEFINED__ typedef struct IStartMenuAppItems IStartMenuAppItems; typedef struct IStartMenuAppItemsVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IStartMenuAppItems, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IStartMenuAppItems* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IStartMenuAppItems, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IStartMenuAppItems* This); DECLSPEC_XFGVIRT(IStartMenuAppItems, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IStartMenuAppItems* This ); DECLSPEC_XFGVIRT(IStartMenuAppItems, EnumItems) HRESULT (STDMETHODCALLTYPE* EnumItems)( _In_ IStartMenuAppItems* This, _In_ START_MENU_APP_ITEMS_FLAGS Flags, _In_ REFIID riid, _Outptr_ PVOID* ppvObject ); DECLSPEC_XFGVIRT(IStartMenuAppItems, GetItem) HRESULT (STDMETHODCALLTYPE* GetItem)( _In_ IStartMenuAppItems* This, _In_ START_MENU_APP_ITEMS_FLAGS Flags, _In_ PCWSTR AppUserModelId, _In_ REFIID riid, _Outptr_ PVOID* ppvObject ); END_INTERFACE } IStartMenuAppItemsVtbl; struct IStartMenuAppItems { CONST_VTBL struct IStartMenuAppItemsVtbl* lpVtbl; }; #ifdef COBJMACROS #define IStartMenuAppItems_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IStartMenuAppItems_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IStartMenuAppItems_Release(This) ((This)->lpVtbl->Release(This)) #define IStartMenuAppItems_EnumItems(This,Flags,riid,ppvObject) ((This)->lpVtbl->EnumItems(This,Flags,riid,ppvObject)) #define IStartMenuAppItems_GetItem(This,Flags,AUMID,riid,ppvObject) ((This)->lpVtbl->GetItem(This,Flags,AUMID,riid,ppvObject)) #endif // COBJMACROS #endif // __IStartMenuAppItems_INTERFACE_DEFINED__ // IStartMenuAppItems2 #ifndef __IStartMenuAppItems2_INTERFACE_DEFINED__ #define __IStartMenuAppItems2_INTERFACE_DEFINED__ typedef struct IStartMenuAppItems2 IStartMenuAppItems2; typedef struct IStartMenuAppItems2Vtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IStartMenuAppItems2, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IStartMenuAppItems2* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IStartMenuAppItems2, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IStartMenuAppItems2* This ); DECLSPEC_XFGVIRT(IStartMenuAppItems2, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IStartMenuAppItems2* This ); DECLSPEC_XFGVIRT(IStartMenuAppItems2, EnumItems) HRESULT (STDMETHODCALLTYPE* EnumItems)( _In_ IStartMenuAppItems2* This, _In_ START_MENU_APP_ITEMS_FLAGS Flags, _In_ REFIID riid, _Outptr_ PVOID* ppvObject ); DECLSPEC_XFGVIRT(IStartMenuAppItems2, GetItem) HRESULT (STDMETHODCALLTYPE* GetItem)( _In_ IStartMenuAppItems2* This, _In_ START_MENU_APP_ITEMS_FLAGS Flags, _In_ PCWSTR AppUserModelId, _In_ REFIID riid, _Outptr_ PVOID* ppvObject ); DECLSPEC_XFGVIRT(IStartMenuAppItems2, GetItemByAppPath) HRESULT (STDMETHODCALLTYPE* GetItemByAppPath)( _In_ IStartMenuAppItems2* This, _In_ PCWSTR AppPath, _In_ REFIID riid, _Outptr_ PVOID* ppvObject ); DECLSPEC_XFGVIRT(IStartMenuAppItems2, EnumCachedItems) HRESULT (STDMETHODCALLTYPE* EnumCachedItems)( _In_ IStartMenuAppItems2* This, _In_ PCIDLIST_ABSOLUTE pidl, _In_ REFIID riid, _Outptr_ PVOID* ppvObject ); END_INTERFACE } IStartMenuAppItems2Vtbl; interface IStartMenuAppItems2 { CONST_VTBL struct IStartMenuAppItems2Vtbl* lpVtbl; }; #ifdef COBJMACROS #define IStartMenuAppItems2_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IStartMenuAppItems2_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IStartMenuAppItems2_Release(This) ((This)->lpVtbl->Release(This)) #define IStartMenuAppItems2_EnumItems(This,Flags,riid,ppvObject) ((This)->lpVtbl->EnumItems(This,Flags,riid,ppvObject)) #define IStartMenuAppItems2_GetItem(This,Flags,AUMID,riid,ppvObject) ((This)->lpVtbl->GetItem(This,Flags,AUMID,riid,ppvObject)) #define IStartMenuAppItems2_GetItemByAppPath(This,AppPath,riid,ppvObject) ((This)->lpVtbl->GetItemByAppPath(This,AppPath,riid,ppvObject)) #define IStartMenuAppItems2_EnumCachedItems(This,pidl,riid,ppvObject) ((This)->lpVtbl->EnumCachedItems(This,pidl,riid,ppvObject)) #endif // COBJMACROS #endif // __IStartMenuAppItems2_INTERFACE_DEFINED__ // IMrtResourceManager #ifndef __IMrtResourceManager_INTERFACE_DEFINED__ #define __IMrtResourceManager_INTERFACE_DEFINED__ typedef struct IMrtResourceManager IMrtResourceManager; typedef struct IMrtResourceManagerVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IMrtResourceManager, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)(_In_ IMrtResourceManager* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject); DECLSPEC_XFGVIRT(IMrtResourceManager, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)(_In_ IMrtResourceManager* This); DECLSPEC_XFGVIRT(IMrtResourceManager, Release) ULONG (STDMETHODCALLTYPE* Release)(_In_ IMrtResourceManager* This); DECLSPEC_XFGVIRT(IMrtResourceManager, Initialize) HRESULT (STDMETHODCALLTYPE* Initialize)(_In_ IMrtResourceManager* This); DECLSPEC_XFGVIRT(IMrtResourceManager, InitializeForCurrentApplication) HRESULT (STDMETHODCALLTYPE* InitializeForCurrentApplication)(_In_ IMrtResourceManager* This); DECLSPEC_XFGVIRT(IMrtResourceManager, InitializeForPackage) HRESULT (STDMETHODCALLTYPE* InitializeForPackage)(_In_ IMrtResourceManager* This, _In_ PCWSTR PackageName); DECLSPEC_XFGVIRT(IMrtResourceManager, InitializeForFile) HRESULT (STDMETHODCALLTYPE* InitializeForFile)(_In_ IMrtResourceManager* This, _In_ PCWSTR FilePath); DECLSPEC_XFGVIRT(IMrtResourceManager, GetMainResourceMap) HRESULT (STDMETHODCALLTYPE* GetMainResourceMap)(_In_ IMrtResourceManager* This, _In_ REFIID riid, _Outptr_ PVOID* ppvObject); DECLSPEC_XFGVIRT(IMrtResourceManager, GetResourceMap) HRESULT (STDMETHODCALLTYPE* GetResourceMap)(_In_ IMrtResourceManager* This, _In_ PCWSTR Name, _In_ REFIID riid, _Outptr_ PVOID* ppvObject); DECLSPEC_XFGVIRT(IMrtResourceManager, GetDefaultContext) HRESULT (STDMETHODCALLTYPE* GetDefaultContext)(_In_ IMrtResourceManager* This, _In_ REFIID riid, _Outptr_ PVOID* ppvObject); DECLSPEC_XFGVIRT(IMrtResourceManager, GetReference) HRESULT (STDMETHODCALLTYPE* GetReference)(_In_ IMrtResourceManager* This, _In_ REFIID riid, _Outptr_ PVOID* ppvObject); DECLSPEC_XFGVIRT(IMrtResourceManager, IsResourceReference) HRESULT (STDMETHODCALLTYPE* IsResourceReference)(_In_ IMrtResourceManager* This, _In_ PCWSTR Name, _Out_ BOOL* IsReference); END_INTERFACE } IMrtResourceManagerVtbl; interface IMrtResourceManager { CONST_VTBL struct IMrtResourceManagerVtbl* lpVtbl; }; #ifdef COBJMACROS #define IMrtResourceManager_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IMrtResourceManager_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IMrtResourceManager_Release(This) ((This)->lpVtbl->Release(This)) #define IMrtResourceManager_Initialize(This) ((This)->lpVtbl->Initialize(This)) #define IMrtResourceManager_InitializeForCurrentApplication(This) ((This)->lpVtbl->InitializeForCurrentApplication(This)) #define IMrtResourceManager_InitializeForPackage(This,PackageName) ((This)->lpVtbl->InitializeForPackage(This,PackageName)) #define IMrtResourceManager_InitializeForFile(This,FilePath) ((This)->lpVtbl->InitializeForFile(This,FilePath)) #define IMrtResourceManager_GetMainResourceMap(This,riid,ppvObject) ((This)->lpVtbl->GetMainResourceMap(This,riid,ppvObject)) #define IMrtResourceManager_GetResourceMap(This,Name,riid,ppvObject) ((This)->lpVtbl->GetResourceMap(This,Name,riid,ppvObject)) #define IMrtResourceManager_GetDefaultContext(This,riid,ppvObject) ((This)->lpVtbl->GetDefaultContext(This,riid,ppvObject)) #define IMrtResourceManager_GetReference(This,riid,ppvObject) ((This)->lpVtbl->GetReference(This,riid,ppvObject)) #define IMrtResourceManager_IsResourceReference(This,Name,IsReference) ((This)->lpVtbl->IsResourceReference(This,Name,IsReference)) #endif // COBJMACROS #endif // __IMrtResourceManager_INTERFACE_DEFINED__ // IResourceContext #ifndef __IResourceContext_INTERFACE_DEFINED__ #define __IResourceContext_INTERFACE_DEFINED__ typedef struct IResourceContext IResourceContext; typedef struct IResourceContextVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IResourceContext, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IResourceContext* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IResourceContext, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IResourceContext* This ); DECLSPEC_XFGVIRT(IResourceContext, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IResourceContext* This ); DECLSPEC_XFGVIRT(IResourceContext, GetLanguage) HRESULT (STDMETHODCALLTYPE* GetLanguage)( _In_ IResourceContext* This, _COM_Outptr_result_maybenull_ PWSTR* Language ); DECLSPEC_XFGVIRT(IResourceContext, GetHomeRegion) HRESULT (STDMETHODCALLTYPE* GetHomeRegion)( _In_ IResourceContext* This, _COM_Outptr_result_maybenull_ PCWSTR* Region ); DECLSPEC_XFGVIRT(IResourceContext, GetLayoutDirection) HRESULT (STDMETHODCALLTYPE* GetLayoutDirection)( _In_ IResourceContext* This, _Out_ ULONG* LayoutDirection ); DECLSPEC_XFGVIRT(IResourceContext, GetTargetSize) HRESULT (STDMETHODCALLTYPE* GetTargetSize)( _In_ IResourceContext* This, _Out_ USHORT* TargetSize ); DECLSPEC_XFGVIRT(IResourceContext, GetScale) HRESULT (STDMETHODCALLTYPE* GetScale)( _In_ IResourceContext* This, _Out_ ULONG* Scale ); DECLSPEC_XFGVIRT(IResourceContext, GetContrast) HRESULT (STDMETHODCALLTYPE* GetContrast)( _In_ IResourceContext* This, _Out_ ULONG* Contrast ); DECLSPEC_XFGVIRT(IResourceContext, GetAlternateForm) HRESULT (STDMETHODCALLTYPE* GetAlternateForm)( _In_ IResourceContext* This, _COM_Outptr_result_maybenull_ PCWSTR* AlternateForm ); DECLSPEC_XFGVIRT(IResourceContext, GetQualifierValue) HRESULT (STDMETHODCALLTYPE* GetQualifierValue)( _In_ IResourceContext* This, _In_ PCWSTR QualifierName, _COM_Outptr_result_maybenull_ PWSTR* QualifierValue ); DECLSPEC_XFGVIRT(IResourceContext, SetLanguage) HRESULT (STDMETHODCALLTYPE* SetLanguage)( _In_ IResourceContext* This, _In_ PCWSTR Language ); DECLSPEC_XFGVIRT(IResourceContext, SetHomeRegion) HRESULT (STDMETHODCALLTYPE* SetHomeRegion)( _In_ IResourceContext* This, _In_ PCWSTR Region ); DECLSPEC_XFGVIRT(IResourceContext, SetLayoutDirection) HRESULT (STDMETHODCALLTYPE* SetLayoutDirection)( _In_ IResourceContext* This, _In_ ULONG LayoutDirection ); DECLSPEC_XFGVIRT(IResourceContext, SetTargetSize) HRESULT (STDMETHODCALLTYPE* SetTargetSize)( _In_ IResourceContext* This, _In_ USHORT TargetSize ); DECLSPEC_XFGVIRT(IResourceContext, SetScale) HRESULT (STDMETHODCALLTYPE* SetScale)( _In_ IResourceContext* This, _In_ ULONG Scale ); DECLSPEC_XFGVIRT(IResourceContext, SetContrast) HRESULT (STDMETHODCALLTYPE* SetContrast)( _In_ IResourceContext* This, _In_ ULONG Contrast ); DECLSPEC_XFGVIRT(IResourceContext, SetAlternateForm) HRESULT (STDMETHODCALLTYPE* SetAlternateForm)( _In_ IResourceContext* This, _In_ PCWSTR AlternateForm ); DECLSPEC_XFGVIRT(IResourceContext, SetQualifierValue) HRESULT (STDMETHODCALLTYPE* SetQualifierValue)( _In_ IResourceContext* This, _In_ PCWSTR QualifierName, _In_ PCWSTR QualifierValue ); DECLSPEC_XFGVIRT(IResourceContext, TrySetQualifierValue) HRESULT (STDMETHODCALLTYPE* TrySetQualifierValue)( _In_ IResourceContext* This, _In_ PCWSTR QualifierName, _In_ LPCWSTR QualifierValue, _Out_ HRESULT* Result ); DECLSPEC_XFGVIRT(IResourceContext, Reset) HRESULT (STDMETHODCALLTYPE* Reset)( _In_ IResourceContext* This ); DECLSPEC_XFGVIRT(IResourceContext, ResetQualifierValue) HRESULT (STDMETHODCALLTYPE* ResetQualifierValue)( _In_ IResourceContext* This, _In_ LPCWSTR QualifierName ); DECLSPEC_XFGVIRT(IResourceContext, Clone) HRESULT (STDMETHODCALLTYPE* Clone)( _In_ IResourceContext* This, _COM_Outptr_ IResourceContext** CloneContext ); DECLSPEC_XFGVIRT(IResourceContext, OverrideToMatch) HRESULT (STDMETHODCALLTYPE* OverrideToMatch)( _In_ IResourceContext* This, _In_ struct IResourceCandidate* Candidate ); END_INTERFACE } IResourceContextVtbl; interface IResourceContext { CONST_VTBL struct IResourceContextVtbl* lpVtbl; }; #ifdef COBJMACROS #define IResourceContext_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IResourceContext_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IResourceContext_Release(This) ((This)->lpVtbl->Release(This)) #define IResourceContext_GetLanguage(This,ppLang) ((This)->lpVtbl->GetLanguage(This,ppLang)) #define IResourceContext_GetHomeRegion(This,ppRegion) ((This)->lpVtbl->GetHomeRegion(This,ppRegion)) #define IResourceContext_GetLayoutDirection(This,pDir) ((This)->lpVtbl->GetLayoutDirection(This,pDir)) #define IResourceContext_GetTargetSize(This,pSize) ((This)->lpVtbl->GetTargetSize(This,pSize)) #define IResourceContext_GetScale(This,pScale) ((This)->lpVtbl->GetScale(This,pScale)) #define IResourceContext_GetContrast(This,pContrast) ((This)->lpVtbl->GetContrast(This,pContrast)) #define IResourceContext_GetAlternateForm(This,ppForm) ((This)->lpVtbl->GetAlternateForm(This,ppForm)) #define IResourceContext_GetQualifierValue(This,key,ppVal) ((This)->lpVtbl->GetQualifierValue(This,key,ppVal)) #define IResourceContext_SetLanguage(This,val) ((This)->lpVtbl->SetLanguage(This,val)) #define IResourceContext_SetHomeRegion(This,val) ((This)->lpVtbl->SetHomeRegion(This,val)) #define IResourceContext_SetLayoutDirection(This,val) ((This)->lpVtbl->SetLayoutDirection(This,val)) #define IResourceContext_SetTargetSize(This,val) ((This)->lpVtbl->SetTargetSize(This,val)) #define IResourceContext_SetScale(This,val) ((This)->lpVtbl->SetScale(This,val)) #define IResourceContext_SetContrast(This,val) ((This)->lpVtbl->SetContrast(This,val)) #define IResourceContext_SetAlternateForm(This,val) ((This)->lpVtbl->SetAlternateForm(This,val)) #define IResourceContext_SetQualifierValue(This,key,val) ((This)->lpVtbl->SetQualifierValue(This,key,val)) #define IResourceContext_TrySetQualifierValue(This,key,val,pHr) ((This)->lpVtbl->TrySetQualifierValue(This,key,val,pHr)) #define IResourceContext_Reset(This) ((This)->lpVtbl->Reset(This)) #define IResourceContext_ResetQualifierValue(This,key) ((This)->lpVtbl->ResetQualifierValue(This,key)) #define IResourceContext_Clone(This,ppCtx) ((This)->lpVtbl->Clone(This,ppCtx)) #define IResourceContext_OverrideToMatch(This,pCand) ((This)->lpVtbl->OverrideToMatch(This,pCand)) #endif // COBJMACROS #endif // __IResourceContext_INTERFACE_DEFINED__ // IResourceMap #ifndef __IResourceMap_INTERFACE_DEFINED__ #define __IResourceMap_INTERFACE_DEFINED__ typedef struct IResourceMap IResourceMap; typedef struct IResourceMapVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IResourceMap, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IResourceMap* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IResourceMap, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IResourceMap* This ); DECLSPEC_XFGVIRT(IResourceMap, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IResourceMap* This ); DECLSPEC_XFGVIRT(IResourceMap, GetUri) HRESULT (STDMETHODCALLTYPE* GetUri)( _In_ IResourceMap* This, _COM_Outptr_ PWSTR* UriString ); DECLSPEC_XFGVIRT(IResourceMap, GetSubtree) HRESULT (STDMETHODCALLTYPE* GetSubtree)( _In_ IResourceMap* This, _In_ PCWSTR* Name, _COM_Outptr_ IResourceMap** ResourceMap ); DECLSPEC_XFGVIRT(IResourceMap, GetString) HRESULT (STDMETHODCALLTYPE* GetString)( _In_ IResourceMap* This, _In_ PCWSTR Key, _COM_Outptr_ PWSTR* Value ); DECLSPEC_XFGVIRT(IResourceMap, GetStringForContext) HRESULT (STDMETHODCALLTYPE* GetStringForContext)( _In_ IResourceMap* This, _In_ IResourceContext* Context, _In_ PCWSTR Key, _COM_Outptr_ PWSTR* Value ); DECLSPEC_XFGVIRT(IResourceMap, GetFilePath) HRESULT (STDMETHODCALLTYPE* GetFilePath)( _In_ IResourceMap* This, _In_ PCWSTR Key, _COM_Outptr_ PWSTR* Value ); DECLSPEC_XFGVIRT(IResourceMap, GetFilePathForContext) HRESULT (STDMETHODCALLTYPE* GetFilePathForContext)( _In_ IResourceMap* This, _In_ IResourceContext* Context, _In_ PCWSTR Key, _COM_Outptr_ PWSTR* Value ); DECLSPEC_XFGVIRT(IResourceMap, GetNamedResourceCount) HRESULT (STDMETHODCALLTYPE* GetNamedResourceCount)( _In_ IResourceMap* This, _Out_ PULONG Count ); DECLSPEC_XFGVIRT(IResourceMap, GetNamedResourceUri) HRESULT (STDMETHODCALLTYPE* GetNamedResourceUri)( _In_ IResourceMap* This, _In_ ULONG Index, _COM_Outptr_ PWSTR* UriString ); DECLSPEC_XFGVIRT(IResourceMap, GetNamedResource) HRESULT (STDMETHODCALLTYPE* GetNamedResource)( _In_ IResourceMap* This, _In_ PCWSTR, _In_ REFIID riid, _Outptr_ PVOID* ppvObject ); DECLSPEC_XFGVIRT(IResourceMap, GetFullyQualifiedReference) HRESULT (STDMETHODCALLTYPE* GetFullyQualifiedReference)( _In_ IResourceMap* This, _In_ LPCWSTR, _In_ LPCWSTR, _COM_Outptr_ PWSTR* ); DECLSPEC_XFGVIRT(IResourceMap, GetFilePathByUri) HRESULT (STDMETHODCALLTYPE* GetFilePathByUri)( _In_ IResourceMap* This, _In_ IUri* Uri, _COM_Outptr_ PWSTR* Path ); DECLSPEC_XFGVIRT(IResourceMap, GetFilePathForContextByUri) HRESULT (STDMETHODCALLTYPE* GetFilePathForContextByUri)( _In_ IResourceMap* This, _In_ IResourceContext* Context, _In_ IUri* Uri, _COM_Outptr_ PWSTR* Path ); END_INTERFACE } IResourceMapVtbl; interface IResourceMap { CONST_VTBL struct IResourceMapVtbl* lpVtbl; }; #ifdef COBJMACROS #define IResourceMap_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IResourceMap_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IResourceMap_Release(This) ((This)->lpVtbl->Release(This)) #define IResourceMap_GetUri(This,ppUri) ((This)->lpVtbl->GetUri(This,ppUri)) #define IResourceMap_GetSubtree(This,pName,ppMap) ((This)->lpVtbl->GetSubtree(This,pName,ppMap)) #define IResourceMap_GetString(This,key,ppVal) ((This)->lpVtbl->GetString(This,key,ppVal)) #define IResourceMap_GetStringForContext(This,ctx,key,ppVal) ((This)->lpVtbl->GetStringForContext(This,ctx,key,ppVal)) #define IResourceMap_GetFilePath(This,key,ppVal) ((This)->lpVtbl->GetFilePath(This,key,ppVal)) #define IResourceMap_GetFilePathForContext(This,ctx,key,ppVal) ((This)->lpVtbl->GetFilePathForContext(This,ctx,key,ppVal)) #define IResourceMap_GetNamedResourceCount(This,pCount) ((This)->lpVtbl->GetNamedResourceCount(This,pCount)) #define IResourceMap_GetNamedResourceUri(This,index,ppName) ((This)->lpVtbl->GetNamedResourceUri(This,index,ppName)) #define IResourceMap_GetNamedResource(This,name,riid,ppv) ((This)->lpVtbl->GetNamedResource(This,name,riid,ppv)) #define IResourceMap_GetFullyQualifiedReference(This,a,b,ppRef) ((This)->lpVtbl->GetFullyQualifiedReference(This,a,b,ppRef)) #define IResourceMap_GetFilePathByUri(This,pUri,ppPath) ((This)->lpVtbl->GetFilePathByUri(This,pUri,ppPath)) #define IResourceMap_GetFilePathForContextByUri(This,ctx,pUri,ppPath) ((This)->lpVtbl->GetFilePathForContextByUri(This,ctx,pUri,ppPath)) #endif // COBJMACROS #endif // __IResourceMap_INTERFACE_DEFINED__ // Note: Documented PKEY_AppUserModel_XYZ keys can be found in propkey.h DEFINE_PROPERTYKEY(PKEY_AppUserModel_ID, 0x9F4C2855, 0x9F79, 0x4B39, 0xA8, 0xD0, 0xE1, 0xD4, 0x2D, 0xE1, 0xD5, 0xF3, 5); DEFINE_PROPERTYKEY(PKEY_AppUserModel_HostEnvironment, 0x9F4C2855, 0x9F79, 0x4B39, 0xA8, 0xD0, 0xE1, 0xD4, 0x2D, 0xE1, 0xD5, 0xF3, 14); DEFINE_PROPERTYKEY(PKEY_AppUserModel_PackageInstallPath, 0x9F4C2855, 0x9F79, 0x4B39, 0xA8, 0xD0, 0xE1, 0xD4, 0x2D, 0xE1, 0xD5, 0xF3, 15); DEFINE_PROPERTYKEY(PKEY_AppUserModel_PackageFamilyName, 0x9F4C2855, 0x9F79, 0x4B39, 0xA8, 0xD0, 0xE1, 0xD4, 0x2D, 0xE1, 0xD5, 0xF3, 17); DEFINE_PROPERTYKEY(PKEY_AppUserModel_ParentID, 0x9F4C2855, 0x9F79, 0x4B39, 0xA8, 0xD0, 0xE1, 0xD4, 0x2D, 0xE1, 0xD5, 0xF3, 19); DEFINE_PROPERTYKEY(PKEY_AppUserModel_PackageFullName, 0x9F4C2855, 0x9F79, 0x4B39, 0xA8, 0xD0, 0xE1, 0xD4, 0x2D, 0xE1, 0xD5, 0xF3, 21); // PKEY_AppUserModel_ExcludeFromShowInNewInstall {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 8 //3 PKEY_AppUserModel_IsDestListSeparator {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 6 //4 PKEY_AppUserModel_IsDualMode {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 11 //5 PKEY_AppUserModel_PreventPinning {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 9 //6 PKEY_AppUserModel_RelaunchCommand {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 2 //7 PKEY_AppUserModel_RelaunchDisplayNameResource {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 4 //8 PKEY_AppUserModel_RelaunchIconResource {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 3 //9 PKEY_AppUserModel_StartPinOption {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 12 //10 PKEY_AppUserModel_ToastActivatorCLSID {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 26 //12 PKEY_AppUserModel_RecordState {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 16 //14 PKEY_AppUserModel_DestListProvidedTitle {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 27 //15 PKEY_AppUserModel_DestListProvidedDescription {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 28 //18 PKEY_AppUserModel_Relevance {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 13 //19 PKEY_AppUserModel_PackageRelativeApplicationID {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 22 //20 PKEY_AppUserModel_ExcludedFromLauncher {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 23 //21 PKEY_AppUserModel_DestListLogoUri {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 29 //22 PKEY_AppUserModel_ActivationContext {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 20 //24 PKEY_AppUserModel_BestShortcut {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 10 //25 PKEY_AppUserModel_IsDestListLink {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 7 //26 PKEY_AppUserModel_InstalledBy {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 18 //27 PKEY_AppUserModel_RunFlags {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 25 //28 PKEY_AppUserModel_DestListProvidedGroupName {9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3} 30 DEFINE_PROPERTYKEY(PKEY_Tile_SmallLogoPath, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 2); DEFINE_PROPERTYKEY(PKEY_Tile_Background, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 4); DEFINE_PROPERTYKEY(PKEY_Tile_Foreground, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 5); DEFINE_PROPERTYKEY(PKEY_Tile_LongDisplayName, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 11); DEFINE_PROPERTYKEY(PKEY_Tile_Flags, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 14); DEFINE_PROPERTYKEY(PKEY_Tile_SuiteDisplayName, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 16); DEFINE_PROPERTYKEY(PKEY_Tile_SuiteSortName, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 17); DEFINE_PROPERTYKEY(PKEY_Tile_DisplayNameLanguage, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 18); DEFINE_PROPERTYKEY(PKEY_Tile_BadgeLogoPath, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 15); DEFINE_PROPERTYKEY(PKEY_Tile_Square150x150LogoPath, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 12); DEFINE_PROPERTYKEY(PKEY_Tile_Wide310x150LogoPath, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 13); DEFINE_PROPERTYKEY(PKEY_Tile_Square310x310LogoPath, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 19); DEFINE_PROPERTYKEY(PKEY_Tile_Square70x70LogoPath, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 20); DEFINE_PROPERTYKEY(PKEY_Tile_FencePost, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 21); DEFINE_PROPERTYKEY(PKEY_Tile_InstallProgress, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 22); DEFINE_PROPERTYKEY(PKEY_Tile_EncodedTargetPath, 0x86D40B4D, 0x9069, 0x443C, 0x81, 0x9A, 0x2A, 0x54, 0x09, 0x0D, 0xCC, 0xEC, 23); // Immersive PLM task support // "07fc2b94-5285-417e-8ac3-c2ce5240b0fa" DEFINE_GUID(CLSID_OSTaskCompletion_I, 0x07fc2b94, 0x5285, 0x417e, 0x8a, 0xc3, 0xc2, 0xce, 0x52, 0x40, 0xb0, 0xfa); // "c7e40572-c36a-43ea-9a40-f3b168da5558" DEFINE_GUID(IID_IOSTaskCompletion_I, 0xc7e40572, 0xc36a, 0x43ea, 0x9a, 0x40, 0xf3, 0xb1, 0x68, 0xda, 0x55, 0x58); typedef enum _PLM_TASKCOMPLETION_CATEGORY_FLAGS { PT_TC_NONE = 0, PT_TC_PBM = 1, PT_TC_FILEOPENPICKER = 2, PT_TC_SHARING = 4, PT_TC_PRINTING = 8, PT_TC_GENERIC = 16, PT_TC_CAMERA_DCA = 32, PT_TC_PRINTER_DCA = 64, PT_TC_PLAYTO = 128, PT_TC_FILESAVEPICKER = 256, PT_TC_CONTACTPICKER = 512, PT_TC_CACHEDFILEUPDATER_LOCAL = 1024, PT_TC_CACHEDFILEUPDATER_REMOTE = 2048, PT_TC_ERROR_REPORT = 8192, PT_TC_DATA_PACKAGE = 16384, PT_TC_CRASHDUMP = 0x10000, PT_TC_STREAMEDFILE = 0x20000, PT_TC_PBM_COMMUNICATION = 0x80000, PT_TC_HOSTEDAPPLICATION = 0x100000, PT_TC_MEDIA_CONTROLS_ACTIVE = 0x200000, PT_TC_EMPTYHOST = 0x400000, PT_TC_SCANNING = 0x800000, PT_TC_ACTIONS = 0x1000000, PT_TC_KERNEL_MODE = 0x20000000, PT_TC_REALTIMECOMM = 0x40000000, PT_TC_IGNORE_NAV_LEVEL_FOR_CS = 0x80000000 } PLM_TASKCOMPLETION_CATEGORY_FLAGS; // IOSTaskCompletion #ifndef __IOSTaskCompletion_INTERFACE_DEFINED__ #define __IOSTaskCompletion_INTERFACE_DEFINED__ typedef struct IOSTaskCompletion IOSTaskCompletion; typedef struct IOSTaskCompletionVtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IOSTaskCompletion, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IOSTaskCompletion* This, _In_ REFIID riid, _COM_Outptr_ void** ppvObject ); DECLSPEC_XFGVIRT(IOSTaskCompletion, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IOSTaskCompletion* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IOSTaskCompletion* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion, BeginTask) HRESULT (STDMETHODCALLTYPE* BeginTask)( _In_ IOSTaskCompletion* This, _In_ ULONG ProcessId, _In_ PLM_TASKCOMPLETION_CATEGORY_FLAGS Flags ); DECLSPEC_XFGVIRT(IOSTaskCompletion, BeginTaskByHandle) HRESULT (STDMETHODCALLTYPE* BeginTaskByHandle)( _In_ IOSTaskCompletion* This, _In_ HANDLE ProcessHandle, _In_ PLM_TASKCOMPLETION_CATEGORY_FLAGS Flags ); DECLSPEC_XFGVIRT(IOSTaskCompletion, EndTask) HRESULT (STDMETHODCALLTYPE* EndTask)( _In_ IOSTaskCompletion* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion, ValidateStreamedFileTaskCompletionUsage) ULONG (STDMETHODCALLTYPE* ValidateStreamedFileTaskCompletionUsage)( _In_ IOSTaskCompletion* This, _In_ HANDLE ProcessHandle, _In_ ULONG ProcessId ); END_INTERFACE } IOSTaskCompletionVtbl; interface IOSTaskCompletion { CONST_VTBL struct IOSTaskCompletionVtbl* lpVtbl; }; #ifdef COBJMACROS #define IOSTaskCompletion_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IOSTaskCompletion_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IOSTaskCompletion_Release(This) ((This)->lpVtbl->Release(This)) #define IOSTaskCompletion_BeginTask(This,pid,Flags) ((This)->lpVtbl->BeginTask(This,pid,Flags)) #define IOSTaskCompletion_BeginTaskByHandle(This,hProc,Flags) ((This)->lpVtbl->BeginTaskByHandle(This,hProc,Flags)) #define IOSTaskCompletion_EndTask(This) ((This)->lpVtbl->EndTask(This)) #define IOSTaskCompletion_ValidateStreamedFileTaskCompletionUsage(This,hProc,pid) ((This)->lpVtbl->ValidateStreamedFileTaskCompletionUsage(This,hProc,pid)) #endif // COBJMACROS #endif // __IOSTaskCompletion_INTERFACE_DEFINED__ // IOSTaskCompletion2 #ifndef __IOSTaskCompletion2_INTERFACE_DEFINED__ #define __IOSTaskCompletion2_INTERFACE_DEFINED__ typedef struct IOSTaskCompletion2 IOSTaskCompletion2; typedef struct IOSTaskCompletion2Vtbl { BEGIN_INTERFACE DECLSPEC_XFGVIRT(IOSTaskCompletion2, QueryInterface) HRESULT (STDMETHODCALLTYPE* QueryInterface)( _In_ IOSTaskCompletion2* This, _In_ REFIID riid, _COM_Outptr_ PVOID* ppvObject ); DECLSPEC_XFGVIRT(IOSTaskCompletion2, AddRef) ULONG (STDMETHODCALLTYPE* AddRef)( _In_ IOSTaskCompletion2* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion2, Release) ULONG (STDMETHODCALLTYPE* Release)( _In_ IOSTaskCompletion2* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion2, InternalGetTrustLevelStatic) HRESULT (STDMETHODCALLTYPE* InternalGetTrustLevelStatic)( _In_ IOSTaskCompletion2* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion2, InternalGetTrustLevelStatic2) HRESULT (STDMETHODCALLTYPE* InternalGetTrustLevelStatic2)( _In_ IOSTaskCompletion2* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion2, EndAllTasksAndWait) HRESULT (STDMETHODCALLTYPE* EndAllTasksAndWait)( _In_ IOSTaskCompletion2* This ); DECLSPEC_XFGVIRT(IOSTaskCompletion2, BeginTaskByHandleEx) HRESULT (STDMETHODCALLTYPE* BeginTaskByHandleEx)( _In_ IOSTaskCompletion2* This, _In_ HANDLE ProcessHandle, _In_ PLM_TASKCOMPLETION_CATEGORY_FLAGS Flags, _In_ enum PLM_TASKCOMPLETION_BEGIN_TASK_FLAGS TaskFlags ); END_INTERFACE } IOSTaskCompletion2Vtbl; interface IOSTaskCompletion2 { CONST_VTBL struct IOSTaskCompletion2Vtbl* lpVtbl; }; #ifdef COBJMACROS #define IOSTaskCompletion2_QueryInterface(This,riid,ppvObject) ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IOSTaskCompletion2_AddRef(This) ((This)->lpVtbl->AddRef(This)) #define IOSTaskCompletion2_Release(This) ((This)->lpVtbl->Release(This)) #define IOSTaskCompletion2_InternalGetTrustLevelStatic(This) ((This)->lpVtbl->InternalGetTrustLevelStatic(This)) #define IOSTaskCompletion2_InternalGetTrustLevelStatic2(This) ((This)->lpVtbl->InternalGetTrustLevelStatic2(This)) #define IOSTaskCompletion2_EndAllTasksAndWait(This) ((This)->lpVtbl->EndAllTasksAndWait(This)) #define IOSTaskCompletion2_BeginTaskByHandleEx(This,hProc,Flags,TaskFlags) ((This)->lpVtbl->BeginTaskByHandleEx(This,hProc,Flags,TaskFlags)) #endif // COBJMACROS #endif // __IOSTaskCompletion2_INTERFACE_DEFINED__ // EDP typedef enum _EDP_CONTEXT_STATES { EDP_CONTEXT_NONE = 0, EDP_CONTEXT_IS_EXEMPT = 1, EDP_CONTEXT_IS_ENLIGHTENED = 2, EDP_CONTEXT_IS_UNENLIGHTENED_ALLOWED = 4, EDP_CONTEXT_IS_PERMISSIVE = 8, EDP_CONTEXT_IS_COPY_EXEMPT = 16, EDP_CONTEXT_IS_DENIED = 32, } EDP_CONTEXT_STATES; typedef struct _EDP_CONTEXT { EDP_CONTEXT_STATES contextStates; ULONG allowedEnterpriseIdCount; PWSTR enterpriseIdForUIEnforcement; WCHAR allowedEnterpriseIds[1]; } EDP_CONTEXT, *PEDP_CONTEXT; static HRESULT (WINAPI* EdpGetContextForWindow_I)( _In_ HWND WindowHandle, _Out_ PEDP_CONTEXT* EdpContext ) = NULL; static HRESULT (WINAPI* EdpGetContextForProcess_I)( _In_ ULONG ProcessId, _Out_ PEDP_CONTEXT* EdpContext ) = NULL; static VOID (WINAPI* EdpFreeContext_I)( _In_ PEDP_CONTEXT EdpContext ) = NULL; #endif ================================================ FILE: phlib/include/bcd.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2021 * */ #ifndef _PH_BCD_H #define _PH_BCD_H EXTERN_C_START NTSTATUS PhBcdOpenObject( _In_ HANDLE StoreHandle, _In_ PCGUID Identifier, _Out_ PHANDLE ObjectHandle ); NTSTATUS PhBcdGetElementData( _In_ HANDLE ObjectHandle, _In_ ULONG ElementType, _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, _Inout_ PULONG BufferSize ); NTSTATUS PhBcdSetElementData( _In_ HANDLE ObjectHandle, _In_ ULONG ElementType, _In_reads_bytes_opt_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize ); NTSTATUS PhBcdSetAdvancedOptionsOneTime( _In_ BOOLEAN Enable ); NTSTATUS PhBcdSetBootApplicationOneTime( _In_ PCGUID Identifier, _In_opt_ BOOLEAN UpdateOneTimeFirmware ); NTSTATUS PhBcdSetFirmwareBootApplicationOneTime( _In_ PCGUID Identifier ); typedef struct _PH_BCD_OBJECT_LIST { GUID ObjectGuid; PPH_STRING ObjectName; } PH_BCD_OBJECT_LIST, *PPH_BCD_OBJECT_LIST; PPH_LIST PhBcdQueryFirmwareBootApplicationList( VOID ); PPH_LIST PhBcdQueryBootApplicationList( _In_ BOOLEAN EnumerateAllObjects ); VOID PhBcdDestroyBootApplicationList( _In_ PPH_LIST ObjectApplicationList ); EXTERN_C_END #endif ================================================ FILE: phlib/include/circbuf.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2025 * */ #ifndef _PH_CIRCBUF_H #define _PH_CIRCBUF_H #define PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE #undef T #define T ULONG #include "circbuf_h.h" #undef T #define T ULONG64 #include "circbuf_h.h" #undef T #define T PVOID #include "circbuf_h.h" #undef T #define T SIZE_T #include "circbuf_h.h" #undef T #define T FLOAT #include "circbuf_h.h" #undef T #define T DOUBLE #include "circbuf_h.h" #undef T #endif ================================================ FILE: phlib/include/circbuf_h.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifdef T #include #ifdef __cplusplus extern "C" { #endif typedef struct T___(_PH_CIRCULAR_BUFFER, T) { ULONG Size; #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE ULONG SizeMinusOne; #endif ULONG Count; LONG Index; T *Data; } T___(PH_CIRCULAR_BUFFER, T), *T___(PPH_CIRCULAR_BUFFER, T); PHLIBAPI VOID NTAPI T___(PhInitializeCircularBuffer, T)( _Out_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ ULONG Size ); PHLIBAPI VOID NTAPI T___(PhDeleteCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer ); PHLIBAPI VOID NTAPI T___(PhResizeCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ ULONG NewSize ); PHLIBAPI VOID NTAPI T___(PhClearCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer ); PHLIBAPI VOID NTAPI T___(PhCopyCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _Out_writes_(Count) T *Destination, _In_ ULONG Count ); FORCEINLINE T T___(PhGetItemCircularBuffer, T)( _In_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ LONG Index ) { #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE return Buffer->Data[(Buffer->Index + Index) & Buffer->SizeMinusOne]; #else ULONG size; size = Buffer->Size; // Modulo is dividend-based. return Buffer->Data[(((Buffer->Index + Index) % size) + size) % size]; #endif } FORCEINLINE VOID T___(PhSetItemCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ LONG Index, _In_ T Value ) { #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE Buffer->Data[(Buffer->Index + Index) & Buffer->SizeMinusOne] = Value; #else ULONG size; size = Buffer->Size; Buffer->Data[(((Buffer->Index + Index) % size) + size) % size] = Value; #endif } FORCEINLINE VOID T___(PhAddItemCircularBuffer, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ T Value ) { #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE Buffer->Data[Buffer->Index = ((Buffer->Index - 1) & Buffer->SizeMinusOne)] = Value; #else ULONG size; size = Buffer->Size; Buffer->Data[Buffer->Index = (((Buffer->Index - 1) % size) + size) % size] = Value; #endif if (Buffer->Count < Buffer->Size) Buffer->Count++; } FORCEINLINE T T___(PhAddItemCircularBuffer2, T)( _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, _In_ T Value ) { LONG index; T oldValue; #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE index = ((Buffer->Index - 1) & Buffer->SizeMinusOne); #else ULONG size; size = Buffer->Size; index = (((Buffer->Index - 1) % size) + size) % size; #endif Buffer->Index = index; oldValue = Buffer->Data[index]; Buffer->Data[index] = Value; if (Buffer->Count < Buffer->Size) Buffer->Count++; return oldValue; } #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/colorbox.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2021 * */ #ifndef _PH_COLORBOX_H #define _PH_COLORBOX_H #ifdef __cplusplus extern "C" { #endif #define PH_COLORBOX_CLASSNAME L"PhColorBox" PHLIBAPI RTL_ATOM NTAPI PhColorBoxInitialization( VOID ); #define CBCM_SETCOLOR (WM_APP + 1501) #define CBCM_GETCOLOR (WM_APP + 1502) #define CBCM_THEMESUPPORT (WM_APP + 1503) #define ColorBox_SetColor(hWnd, Color) \ SendMessage((hWnd), CBCM_SETCOLOR, (WPARAM)(Color), 0) #define ColorBox_GetColor(hWnd) \ ((COLORREF)SendMessage((hWnd), CBCM_GETCOLOR, 0, 0)) #define ColorBox_ThemeSupport(hWnd, Enable) \ SendMessage((hWnd), CBCM_THEMESUPPORT, (WPARAM)(Enable), 0); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/cpysave.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2019 * */ #ifndef _PH_CPYSAVE_H #define _PH_CPYSAVE_H #ifdef __cplusplus extern "C" { #endif #define PH_EXPORT_MODE_TABS 0 #define PH_EXPORT_MODE_SPACES 1 #define PH_EXPORT_MODE_CSV 2 PHLIBAPI VOID PhaCreateTextTable( _Out_ PPH_STRING ***Table, _In_ ULONG Rows, _In_ ULONG Columns ); PHLIBAPI PPH_LIST PhaFormatTextTable( _In_ PPH_STRING **Table, _In_ ULONG Rows, _In_ ULONG Columns, _In_ ULONG Mode ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhMapDisplayIndexTreeNew( _In_ HWND TreeNewHandle, _Out_opt_ PULONG *DisplayToId, _Out_opt_ PWSTR **DisplayToText, _Out_ PULONG NumberOfColumns ); PHLIBAPI PPH_STRING PhGetTreeNewText( _In_ HWND TreeNewHandle, _Reserved_ ULONG Reserved ); PHLIBAPI PPH_LIST PhGetGenericTreeNewLines( _In_ HWND TreeNewHandle, _In_ ULONG Mode ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhaMapDisplayIndexListView( _In_ HWND ListViewHandle, _Out_writes_(Count) PULONG DisplayToId, _Out_writes_opt_(Count) PPH_STRING *DisplayToText, _In_ ULONG Count, _Out_ PULONG NumberOfColumns ); PHLIBAPI PPH_STRING NTAPI PhGetListViewItemText( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG SubItemIndex ); PHLIBAPI PPH_STRING NTAPI PhGetListViewSelectedItemText( _In_ HWND ListViewHandle ); PHLIBAPI PPH_STRING NTAPI PhaGetListViewItemText( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG SubItemIndex ); PHLIBAPI PPH_STRING NTAPI PhGetListViewText( _In_ HWND ListViewHandle ); PHLIBAPI PPH_LIST PhGetListViewLines( _In_ HWND ListViewHandle, _In_ ULONG Mode ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/dltmgr.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * */ #ifndef _PH_DLTMGR_H #define _PH_DLTMGR_H typedef struct _PH_SINGLE_DELTA { FLOAT Value; FLOAT Delta; } PH_SINGLE_DELTA, *PPH_SINGLE_DELTA; typedef struct _PH_DOUBLE_DELTA { DOUBLE Value; DOUBLE Delta; } PH_DOUBLE_DELTA, *PPH_DOUBLE_DELTA; typedef struct _PH_UINT32_DELTA { ULONG Value; ULONG Delta; } PH_UINT32_DELTA, *PPH_UINT32_DELTA; typedef struct _PH_UINT64_DELTA { ULONG64 Value; ULONG64 Delta; } PH_UINT64_DELTA, *PPH_UINT64_DELTA; typedef struct _PH_UINTPTR_DELTA { ULONG_PTR Value; ULONG_PTR Delta; } PH_UINTPTR_DELTA, *PPH_UINTPTR_DELTA; #define PhInitializeDelta(DltMgr) \ ((DltMgr)->Value = 0, (DltMgr)->Delta = 0) #define PhUpdateDelta(DltMgr, NewValue) \ ((DltMgr)->Delta = (NewValue) - (DltMgr)->Value, \ (DltMgr)->Value = (NewValue), (DltMgr)->Delta) #define PH_SINGLE_DELTA_INIT { 0.0F, 0.0F } #define PH_DOUBLE_DELTA_INIT { 0.0, 0.0 } #define PH_UINT32_DELTA_INIT { 0UL, 0UL } #define PH_UINT64_DELTA_INIT { 0ULL, 0ULL } #define PH_UINTPTR_DELTA_INIT { 0, 0 } #endif ================================================ FILE: phlib/include/dspick.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifndef _PH_DSPICK_H #define _PH_DSPICK_H #ifdef __cplusplus extern "C" { #endif #define PH_DSPICK_MULTISELECT 0x1 typedef struct _PH_DSPICK_OBJECT { PPH_STRING Name; PSID Sid; } PH_DSPICK_OBJECT, *PPH_DSPICK_OBJECT; typedef struct _PH_DSPICK_OBJECTS { ULONG NumberOfObjects; PH_DSPICK_OBJECT Objects[1]; } PH_DSPICK_OBJECTS, *PPH_DSPICK_OBJECTS; PHLIBAPI VOID PhFreeDsObjectPickerDialog( _In_ PVOID PickerDialog ); PHLIBAPI PVOID PhCreateDsObjectPickerDialog( _In_ ULONG Flags ); _Success_(return) PHLIBAPI BOOLEAN PhShowDsObjectPickerDialog( _In_ HWND hWnd, _In_ PVOID PickerDialog, _Out_ PPH_DSPICK_OBJECTS *Objects ); PHLIBAPI VOID PhFreeDsObjectPickerObjects( _In_ PPH_DSPICK_OBJECTS Objects ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/emenu.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef _PH_EMENU_H #define _PH_EMENU_H EXTERN_C_START #define PH_EMENU_DISABLED 0x1 #define PH_EMENU_CHECKED 0x2 #define PH_EMENU_HIGHLIGHT 0x4 #define PH_EMENU_MENUBARBREAK 0x8 #define PH_EMENU_MENUBREAK 0x10 #define PH_EMENU_DEFAULT 0x20 #define PH_EMENU_MOUSESELECT 0x40 #define PH_EMENU_RADIOCHECK 0x80 #define PH_EMENU_RIGHTORDER 0x100 #define PH_EMENU_SEPARATECHECKSPACE 0x100000 #define PH_EMENU_SEPARATOR 0x200000 #define PH_EMENU_MAINMENU 0x400000 #define PH_EMENU_CALLBACK 0x800000 #define PH_EMENU_TEXT_OWNED 0x80000000 #define PH_EMENU_BITMAP_OWNED 0x40000000 typedef struct _PH_EMENU_ITEM *PPH_EMENU_ITEM; typedef _Function_class_(PH_EMENU_ITEM_DELETE_FUNCTION) VOID NTAPI PH_EMENU_ITEM_DELETE_FUNCTION( _In_ PPH_EMENU_ITEM Item ); typedef PH_EMENU_ITEM_DELETE_FUNCTION* PPH_EMENU_ITEM_DELETE_FUNCTION; typedef _Function_class_(PH_EMENU_ITEM_DELAY_FUNCTION) VOID NTAPI PH_EMENU_ITEM_DELAY_FUNCTION( _In_ HMENU Menu, _In_ PPH_EMENU_ITEM Item ); typedef PH_EMENU_ITEM_DELAY_FUNCTION* PPH_EMENU_ITEM_DELAY_FUNCTION; typedef struct _PH_EMENU_ITEM { ULONG Flags; ULONG Id; PWSTR Text; HBITMAP Bitmap; PVOID Parameter; PVOID Context; PPH_EMENU_ITEM_DELETE_FUNCTION DeleteFunction; PPH_EMENU_ITEM_DELAY_FUNCTION DelayFunction; PPH_EMENU_ITEM Parent; PPH_LIST Items; } PH_EMENU_ITEM, *PPH_EMENU_ITEM; typedef struct _PH_EMENU_ITEM PH_EMENU, *PPH_EMENU; PHLIBAPI PPH_EMENU_ITEM NTAPI PhCreateEMenuItem( _In_ ULONG Flags, _In_ ULONG Id, _In_opt_ PCWSTR Text, _In_opt_ HBITMAP Bitmap, _In_opt_ PVOID Context ); PPH_EMENU_ITEM PhCreateEMenuItemCallback( _In_ ULONG Flags, _In_ ULONG Id, _In_opt_ PCWSTR Text, _In_opt_ HBITMAP Bitmap, _In_opt_ PVOID Context, _In_opt_ PPH_EMENU_ITEM_DELAY_FUNCTION DelayFunction ); PHLIBAPI VOID NTAPI PhDestroyEMenuItem( _In_ _Post_invalid_ PPH_EMENU_ITEM Item ); #define PH_EMENU_FIND_DESCEND 0x1 #define PH_EMENU_FIND_STARTSWITH 0x2 #define PH_EMENU_FIND_LITERAL 0x4 _Success_(return != NULL) PHLIBAPI PPH_EMENU_ITEM NTAPI PhFindEMenuItem( _In_ PPH_EMENU_ITEM Item, _In_ ULONG Flags, _In_opt_ PCWSTR Text, _In_ ULONG Id ); _Success_(return != NULL) PHLIBAPI PPH_EMENU_ITEM NTAPI PhFindEMenuItemEx( _In_ PPH_EMENU_ITEM Item, _In_ ULONG Flags, _In_opt_ PCWSTR Text, _In_ ULONG Id, _Out_opt_ PPH_EMENU_ITEM *FoundParent, _Out_opt_ PULONG FoundIndex ); PHLIBAPI ULONG NTAPI PhIndexOfEMenuItem( _In_ PPH_EMENU_ITEM Parent, _In_ PPH_EMENU_ITEM Item ); PHLIBAPI VOID NTAPI PhInsertEMenuItem( _Inout_ PPH_EMENU_ITEM Parent, _Inout_ PPH_EMENU_ITEM Item, _In_ ULONG Index ); PHLIBAPI BOOLEAN NTAPI PhRemoveEMenuItem( _Inout_opt_ PPH_EMENU_ITEM Parent, _In_opt_ PPH_EMENU_ITEM Item, _In_opt_ ULONG Index ); PHLIBAPI VOID PhRemoveAllEMenuItems( _Inout_ PPH_EMENU_ITEM Parent ); PHLIBAPI PPH_EMENU NTAPI PhCreateEMenu( VOID ); PHLIBAPI VOID NTAPI PhDestroyEMenu( _In_ PPH_EMENU Menu ); #define PH_EMENU_CONVERT_ID 0x1 typedef struct _PH_EMENU_DATA { PPH_LIST IdToItem; } PH_EMENU_DATA, *PPH_EMENU_DATA; PHLIBAPI VOID NTAPI PhInitializeEMenuData( _Out_ PPH_EMENU_DATA Data ); PHLIBAPI VOID NTAPI PhDeleteEMenuData( _Inout_ PPH_EMENU_DATA Data ); PHLIBAPI HMENU NTAPI PhEMenuToHMenu( _In_ PPH_EMENU_ITEM Menu, _In_ ULONG Flags, _Inout_opt_ PPH_EMENU_DATA Data ); PHLIBAPI VOID NTAPI PhEMenuToHMenu2( _In_ HMENU MenuHandle, _In_ PPH_EMENU_ITEM Menu, _In_ ULONG Flags, _Inout_opt_ PPH_EMENU_DATA Data ); PHLIBAPI VOID NTAPI PhHMenuToEMenuItem( _Inout_ PPH_EMENU_ITEM MenuItem, _In_ HMENU MenuHandle ); PHLIBAPI VOID NTAPI PhLoadResourceEMenuItem( _Inout_ PPH_EMENU_ITEM MenuItem, _In_ HINSTANCE InstanceHandle, _In_ PCWSTR Resource, _In_ LONG SubMenuIndex ); #define PH_EMENU_SHOW_SEND_COMMAND 0x1 #define PH_EMENU_SHOW_LEFTRIGHT 0x2 PHLIBAPI PPH_EMENU_ITEM NTAPI PhShowEMenu( _In_ PPH_EMENU Menu, _In_ HWND WindowHandle, _In_ ULONG Flags, _In_ ULONG Align, _In_ ULONG X, _In_ ULONG Y ); PHLIBAPI BOOLEAN NTAPI PhSetFlagsEMenuItem( _Inout_ PPH_EMENU_ITEM Item, _In_ ULONG Id, _In_ ULONG Mask, _In_ ULONG Value ); PHLIBAPI VOID NTAPI PhSetFlagsAllEMenuItems( _In_ PPH_EMENU_ITEM Item, _In_ ULONG Mask, _In_ ULONG Value ); #define PH_EMENU_MODIFY_TEXT 0x1 #define PH_EMENU_MODIFY_BITMAP 0x2 PHLIBAPI VOID NTAPI PhModifyEMenuItem( _Inout_ PPH_EMENU_ITEM Item, _In_ ULONG ModifyFlags, _In_ ULONG OwnedFlags, _In_opt_ PWSTR Text, _In_opt_ HBITMAP Bitmap ); VOID PhSetHMenuStyle( _In_ HMENU Menu, _In_ BOOLEAN MainMenu ); BOOLEAN PhSetHMenuWindow( _In_ HWND WindowHandle, _In_ HMENU MenuHandle ); BOOLEAN PhSetHMenuNotify( _In_ HMENU MenuHandle ); VOID PhDeleteHMenu( _In_ HMENU Menu ); _Success_(return) BOOLEAN PhGetHMenuStringToBuffer( _In_ HMENU Menu, _In_ ULONG Id, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PPH_EMENU_ITEM PhGetMenuData( _In_ HMENU Menu, _In_ ULONG Index ); VOID PhMenuCallbackDispatch( _In_ HMENU Menu, _In_ ULONG Index ); // Convenience functions FORCEINLINE PPH_EMENU_ITEM PhCreateEMenuSeparator( VOID ) { return PhCreateEMenuItem(PH_EMENU_SEPARATOR, 0, NULL, NULL, NULL); } FORCEINLINE PPH_EMENU_ITEM PhCreateEMenuItemEmpty( VOID ) { return PhCreateEMenuItem(0, USHRT_MAX, NULL, NULL, NULL); } FORCEINLINE BOOLEAN PhEnableEMenuItem( _Inout_ PPH_EMENU_ITEM Item, _In_ ULONG Id, _In_ BOOLEAN Enable ) { return PhSetFlagsEMenuItem(Item, Id, PH_EMENU_DISABLED, Enable ? 0 : PH_EMENU_DISABLED); } FORCEINLINE VOID PhSetDisabledEMenuItem( _In_ PPH_EMENU_ITEM Item ) { Item->Flags |= PH_EMENU_DISABLED; } FORCEINLINE VOID PhSetEnabledEMenuItem( _In_ PPH_EMENU_ITEM Item, _In_ BOOLEAN Enable ) { if (Enable) Item->Flags &= ~PH_EMENU_DISABLED; else Item->Flags |= PH_EMENU_DISABLED; } EXTERN_C_END #endif ================================================ FILE: phlib/include/exlf.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2018-2023 * */ #ifndef _PH_EXLF_H #define _PH_EXLF_H /* * This file contains the required types for ELF binaries. * * References: * http://man7.org/linux/man-pages/man5/elf.5.html * http://www.skyfree.org/linux/references/ELF_Format.pdf * https://github.com/torvalds/linux/blob/master/include/uapi/linux/elf.h * https://chromium.googlesource.com/chromiumos/chromite/+/HEAD/lib/parseelf.py */ #define EI_NIDENT 16 // e_ident[] indexes #define EI_MAG0 0 #define EI_MAG1 1 #define EI_MAG2 2 #define EI_MAG3 3 #define EI_CLASS 4 #define EI_DATA 5 #define EI_VERSION 6 #define EI_OSABI 7 #define EI_PAD 8 // EI_MAG #define ELFMAG0 0x7f #define ELFMAG1 'E' #define ELFMAG2 'L' #define ELFMAG3 'F' // EI_CLASS #define ELFCLASSNONE 0 #define ELFCLASS32 1 #define ELFCLASS64 2 // EI_DATA #define ELFDATANONE 0 #define ELFDATA2LSB 1 #define ELFDATA2MSB 2 // EI_VERSION and e_version #define EV_NONE 0 #define EV_CURRENT 1 #define ELFOSABI_NONE 0 #define ELFOSABI_LINUX 3 // e_type #define ET_NONE 0 #define ET_REL 1 #define ET_EXEC 2 #define ET_DYN 3 #define ET_CORE 4 #define ET_LOPROC 0xff00 #define ET_HIPROC 0xffff // e_machine #define EM_386 3 #define EM_X86_64 62 /* segment types */ #define PT_NULL 0 #define PT_LOAD 1 #define PT_DYNAMIC 2 #define PT_INTERP 3 #define PT_NOTE 4 #define PT_SHLIB 5 #define PT_PHDR 6 #define PT_TLS 7 /* Thread local storage segment */ #define PT_LOOS 0x60000000 /* OS-specific */ #define PT_HIOS 0x6fffffff /* OS-specific */ #define PT_LOPROC 0x70000000 #define PT_HIPROC 0x7fffffff #define PT_GNU_EH_FRAME 0x6474e550 #define PT_GNU_STACK (PT_LOOS + 0x474e551) /* permissions on sections in the program header, p_flags. */ #define PF_NONE 0x0 #define PF_X 0x1 #define PF_W 0x2 #define PF_R 0x4 // sh_type #define SHT_NULL 0 // Section header table entry (unused). #define SHT_PROGBITS 1 // Program data. #define SHT_SYMTAB 2 // Link editing symbol table. #define SHT_STRTAB 3 // A string table. #define SHT_RELA 4 // Relocation entries with addends. #define SHT_HASH 5 // A symbol hash table. #define SHT_DYNAMIC 6 // Information for dynamic linking. #define SHT_NOTE 7 // Information that marks file. #define SHT_NOBITS 8 // Section occupies no space in file. #define SHT_REL 9 // Relocation entries, no addends. #define SHT_SHLIB 10 // Reserved, unspecified semantics. #define SHT_DYNSYM 11 // Dynamic linking symbol table. //#define SHT_NUM 12 #define SHT_INIT_ARRAY 14 // Array of constructors. #define SHT_FINI_ARRAY 15 // Array of destructors. #define SHT_PREINIT_ARRAY 16 // Array of pre-constructors. #define SHT_GROUP 17 // Section group. #define SHT_SYMTAB_SHNDX 18 // Extended section indeces. #define SHT_NUM 19 // Number of defined types. (dmex: Some tools define this as 19 and others as 12???) #define SHT_LOOS 0x60000000 // First of OS specific semantics. #define SHT_HIOS 0x6fffffff // Last of OS specific semantics. #define SHT_GNU_INCREMENTAL_INPUTS 0x6fff4700 // incremental build data. #define SHT_GNU_ATTRIBUTES 0x6ffffff5 // Object attributes. #define SHT_GNU_HASH 0x6ffffff6 // GNU style symbol hash table. #define SHT_GNU_LIBLIST 0x6ffffff7 // List of prelink dependencies. #define SHT_LOPROC 0x70000000 #define SHT_HIPROC 0x7fffffff #define SHT_LOUSER 0x80000000 #define SHT_HIUSER 0xffffffff #define SHT_SUNW_verdef 0x6ffffffd // Versions defined by file. #define SHT_SUNW_verneed 0x6ffffffe // Versions needed by file. #define SHT_SUNW_versym 0x6fffffff // Symbol versions. // sh_flags #define SHF_WRITE 0x1 /* Section contains writable data. */ #define SHF_ALLOC 0x2 /* Section occupies memory. */ #define SHF_EXECINSTR 0x4 /* Section contains instructions. */ #define SHF_MERGE 0x10 /* Section may be merged. */ #define SHF_STRINGS 0x20 /* Section contains strings. */ #define SHF_INFO_LINK 0x40 /* sh_info holds section index. */ #define SHF_LINK_ORDER 0x80 /* Special ordering requirements. */ #define SHF_OS_NONCONFORMING 0x100 /* OS-specific processing required. */ #define SHF_GROUP 0x200 /* Member of section group. */ #define SHF_TLS 0x400 /* Section contains TLS data. */ #define SHF_MASKOS 0x0ff00000 /* OS-specific semantics. */ #define SHF_MASKPROC 0xf0000000 /* Processor-specific semantics. */ // special section indexes. #define SHN_UNDEF 0 // An undefined symbol. #define SHN_LORESERVE 0xff00 #define SHN_LOPROC 0xff00 #define SHN_HIPROC 0xff1f #define SHN_LIVEPATCH 0xff20 #define SHN_ABS 0xfff1 #define SHN_COMMON 0xfff2 #define SHN_HIRESERVE 0xffff // dynamic section #define DT_NULL 0 #define DT_NEEDED 1 #define DT_PLTRELSZ 2 #define DT_PLTGOT 3 #define DT_HASH 4 #define DT_STRTAB 5 #define DT_SYMTAB 6 #define DT_RELA 7 #define DT_RELASZ 8 #define DT_RELAENT 9 #define DT_STRSZ 10 #define DT_SYMENT 11 #define DT_INIT 12 #define DT_FINI 13 #define DT_SONAME 14 #define DT_RPATH 15 #define DT_SYMBOLIC 16 #define DT_REL 17 #define DT_RELSZ 18 #define DT_RELENT 19 #define DT_PLTREL 20 #define DT_DEBUG 21 #define DT_TEXTREL 22 #define DT_JMPREL 23 #define DT_INIT_ARRAY 25 #define DT_FINI_ARRAY 26 #define DT_INIT_ARRAYSZ 27 #define DT_FINI_ARRAYSZ 28 #define DT_RUNPATH 29 #define DT_FLAGS 30 #define DT_PREINIT_ARRAY 32 // DT_ENCODING #define DT_PREINIT_ARRAYSZ 33 #define OLD_DT_LOOS 0x60000000 #define DT_LOOS 0x6000000d #define DT_HIOS 0x6ffff000 #define DT_VALRNGLO 0x6ffffd00 #define DT_VALRNGHI 0x6ffffdff #define DT_ADDRRNGLO 0x6ffffe00 #define DT_ADDRRNGHI 0x6ffffeff #define DT_GNU_HASH 0x6ffffef5 #define DT_VERSYM 0x6ffffff0 #define DT_RELACOUNT 0x6ffffff9 #define DT_RELCOUNT 0x6ffffffa #define DT_FLAGS_1 0x6ffffffb #define DT_VERDEF 0x6ffffffc #define DT_VERDEFNUM 0x6ffffffd #define DT_VERNEED 0x6ffffffe #define DT_VERNEEDNUM 0x6fffffff #define OLD_DT_HIOS 0x6fffffff #define DT_LOPROC 0x70000000 #define DT_HIPROC 0x7fffffff // symbol table section #define STB_LOCAL 0 /* Local symbol */ #define STB_GLOBAL 1 /* Global symbol */ #define STB_WEAK 2 /* Weak symbol */ #define STB_NUM 3 /* Number of defined types. */ #define STB_LOOS 10 /* Start of OS-specific */ #define STB_GNU_UNIQUE 10 /* Unique symbol. */ #define STB_HIOS 12 /* End of OS-specific */ #define STB_LOPROC 13 /* Start of processor-specific */ #define STB_HIPROC 15 /* End of processor-specific */ #define STT_NOTYPE 0 #define STT_OBJECT 1 #define STT_FUNC 2 #define STT_SECTION 3 #define STT_FILE 4 #define STT_COMMON 5 #define STT_TLS 6 #define STT_GNU_IFUNC 10 #define STT_LOOS 10 #define STT_HIOS 12 #define STT_LOPROC 13 #define STT_HIPROC 15 #define STV_DEFAULT 0 /* Default symbol visibility rules */ #define STV_INTERNAL 1 /* Processor specific hidden class */ #define STV_HIDDEN 2 /* Sym unavailable in other modules */ #define STV_PROTECTED 3 /* Not preemptible, not exported */ #define ELF_ST_BIND(x) ((x) >> 4) #define ELF_ST_TYPE(x) ((x) & 0xF) #define ELF_ST_VISIBILITY(x) ((x) & 0x03) #define ELF32_ST_BIND(x) ELF_ST_BIND(x) #define ELF32_ST_TYPE(x) ELF_ST_TYPE(x) #define ELF32_ST_VIS(a) ELF_ST_VISIBILITY(a) #define ELF64_ST_BIND(x) ELF_ST_BIND(x) #define ELF64_ST_TYPE(x) ELF_ST_TYPE(x) #define ELF64_ST_VIS(a) ELF_ST_VISIBILITY(a) // Non-standard ELF definitions (dmex) #define IMAGE_ELF_SIGNATURE 0x457f // "\x7fELF" #define ELFMAG ((BYTE[4]){ELFMAG0,ELFMAG1,ELFMAG2,ELFMAG3}) typedef struct _ELF_IMAGE_HEADER { union { unsigned char e_ident[EI_NIDENT]; struct { unsigned char MagicNumber[4]; unsigned char Class; unsigned char Data; unsigned char Version; unsigned char Abi; unsigned char AbiVersion; unsigned char Unused[7]; }; }; unsigned short e_type; unsigned short e_machine; unsigned int e_version; //union { // PELF_IMAGE_HEADER32 Headers32; // PELF_IMAGE_HEADER64 Headers64; //}; } ELF_IMAGE_HEADER, *PELF_IMAGE_HEADER; typedef struct _ELF_IMAGE_HEADER32 { // ELF_IMAGE_HEADER Header; unsigned int e_entry; // Entry point virtual address. unsigned int e_phoff; // Program header table file offset. unsigned int e_shoff; // Section header table file offset. unsigned int e_flags; // Processor-specific flags. unsigned short e_ehsize; // ELF header size in bytes. unsigned short e_phentsize; // Program header table entry size. unsigned short e_phnum; // Program header table entry count. unsigned short e_shentsize; // Section header table entry size. unsigned short e_shnum; // Section header table entry count. unsigned short e_shstrndx; // Section header string table index. } ELF_IMAGE_HEADER32, *PELF_IMAGE_HEADER32; typedef struct _ELF_IMAGE_HEADER64 { // ELF_IMAGE_HEADER Header; unsigned long long e_entry; // Entry point virtual address. unsigned long long e_phoff; // Program header table file offset. unsigned long long e_shoff; // Section header table file offset. unsigned int e_flags; // Processor-specific flags. unsigned short e_ehsize; // ELF header size in bytes. unsigned short e_phentsize; // Program header table entry size. unsigned short e_phnum; // Program header table entry count. unsigned short e_shentsize; // Section header table entry size. unsigned short e_shnum; // Section header table entry count. unsigned short e_shstrndx; // Section header string table index. } ELF_IMAGE_HEADER64, *PELF_IMAGE_HEADER64; typedef struct _ELF32_IMAGE_SEGMENT_HEADER { unsigned int p_type; // Segment type. unsigned int p_offset; // Segment file offset. unsigned int p_vaddr; // Segment virtual address. unsigned int p_paddr; // Segment physical address. unsigned int p_filesz; // Segment size in file. unsigned int p_memsz; // Segment size in memory. unsigned int p_flags; // Segment flags. unsigned int p_align; // Segment alignment. } ELF32_IMAGE_SEGMENT_HEADER; typedef struct _ELF64_IMAGE_SEGMENT_HEADER { unsigned int p_type; // Segment type. unsigned int p_flags; // Segment flags. unsigned long long p_offset; // Segment file offset. unsigned long long p_vaddr; // Segment virtual address. unsigned long long p_paddr; // Segment physical address. unsigned long long p_filesz; // Segment size in file. unsigned long long p_memsz; // Segment size in memory. unsigned long long p_align; // Segment alignment. } ELF64_IMAGE_SEGMENT_HEADER, *PELF64_IMAGE_SEGMENT_HEADER; #define IMAGE_FIRST_ELF64_SEGMENT(MappedWslImage) \ ((PELF64_IMAGE_SEGMENT_HEADER)PTR_ADD_OFFSET(MappedWslImage->Header, MappedWslImage->Headers64->e_phoff)) #define IMAGE_ELF64_SEGMENT_BY_INDEX(SegmentHeader, Index) \ ((PELF64_IMAGE_SEGMENT_HEADER)PTR_ADD_OFFSET(SegmentHeader, sizeof(ELF64_IMAGE_SEGMENT_HEADER) * Index)) //((PELF64_IMAGE_SEGMENT_HEADER)&SegmentHeaderTable[Index]) typedef struct _ELF32_IMAGE_SECTION_HEADER { unsigned int sh_name; unsigned int sh_type; unsigned int sh_flags; unsigned int sh_addr; unsigned int sh_offset; unsigned int sh_size; unsigned int sh_link; unsigned int sh_info; unsigned int sh_addralign; unsigned int sh_entsize; } ELF32_IMAGE_SECTION_HEADER; typedef struct _ELF64_IMAGE_SECTION_HEADER { unsigned int sh_name; /* Section name, index in string tbl */ unsigned int sh_type; /* Type of section */ unsigned long long sh_flags; /* Miscellaneous section attributes */ unsigned long long sh_addr; /* Section virtual addr at execution */ unsigned long long sh_offset; /* Section file offset */ unsigned long long sh_size; /* Size of section in bytes */ unsigned int sh_link; /* Index of another section */ unsigned int sh_info; /* Additional section information */ unsigned long long sh_addralign; /* Section alignment */ unsigned long long sh_entsize; /* Entry size if section holds table */ } ELF64_IMAGE_SECTION_HEADER, *PELF64_IMAGE_SECTION_HEADER; #define IMAGE_FIRST_ELF64_SECTION(MappedWslImage) \ ((PELF64_IMAGE_SECTION_HEADER)PTR_ADD_OFFSET(MappedWslImage->Header, MappedWslImage->Headers64->e_shoff)) #define IMAGE_ELF64_SECTION_BY_INDEX(SectionHeader, Index) \ ((PELF64_IMAGE_SECTION_HEADER)PTR_ADD_OFFSET(SectionHeader, sizeof(ELF64_IMAGE_SECTION_HEADER) * Index)) // ((PELF64_IMAGE_SECTION_HEADER)&SectionHeaderTable[Index]) // ELF dynamic entries typedef struct _ELF32_IMAGE_DYNAMIC_ENTRY // Elf32_Dyn { int d_tag; unsigned int d_val; } ELF32_IMAGE_DYNAMIC_ENTRY, *PELF32_IMAGE_DYNAMIC_ENTRY; typedef struct _ELF64_IMAGE_DYNAMIC_ENTRY // Elf64_Dyn { long long d_tag; unsigned long long d_val; } ELF64_IMAGE_DYNAMIC_ENTRY, *PELF64_IMAGE_DYNAMIC_ENTRY; // ELF symbol entries typedef struct _ELF_IMAGE_SYMBOL_ENTRY // Elf_Sym { unsigned int st_name; unsigned char st_info; unsigned char st_other; unsigned short st_shndx; unsigned long long st_value; unsigned long long st_size; } ELF_IMAGE_SYMBOL_ENTRY, *PELF_IMAGE_SYMBOL_ENTRY; // ELF version entries typedef struct _ELF_VERSION_TABLE // Elf_Versym { unsigned short vs_vers; } ELF_VERSION_TABLE, *PELF_VERSION_TABLE; typedef struct { unsigned short vd_version; unsigned short vd_flags; // flags (VER_FLG_*). unsigned short vd_ndx; // version index. unsigned short vd_cnt; // number of verdaux entries. unsigned int vd_hash; // hash of name. unsigned int vd_aux; // offset to verdaux entries. unsigned int vd_next; // offset to next verdef. } Elf_Verdef; typedef struct { unsigned int vda_name; /* string table offset of name */ unsigned int vda_next; /* offset to verdaux */ } Elf_Verdaux; // vn_version #define VER_NEED_NONE 0 /* No version */ #define VER_NEED_CURRENT 1 /* Current version */ #define VER_NEED_NUM 2 /* Given version number */ typedef struct _ELF_VERSION_NEED // Elf_Verneed { unsigned short vn_version; unsigned short vn_cnt; unsigned int vn_file; unsigned int vn_aux; unsigned int vn_next; } ELF_VERSION_NEED, *PELF_VERSION_NEED; typedef struct _ELF_VERSION_AUX // Elf_Vernaux { unsigned int vna_hash; // dependency name hash. unsigned short vna_flags; // flags (VER_FLG_*). unsigned short vna_other; unsigned int vna_name; unsigned int vna_next; } ELF_VERSION_AUX, *PELF_VERSION_AUX; #endif ================================================ FILE: phlib/include/exprodid.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2020-2022 * */ #ifndef _PH_EXPRODID_H #define _PH_EXPRODID_H /* * This file contains the required types for the RICH header. * * References: * http://bytepointer.com/articles/the_microsoft_rich_header.htm * https://infocon.hackingand.coffee/Hacktivity/Hacktivity%202016/Presentations/George_Webster-and-Julian-Kirsch.pdf * https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/ */ #define ProdIdTagStart 0x68636952 #define ProdIdTagEnd 0x536e6144 // private typedef struct PRODITEM { ULONG dwProdid; // Product identity ULONG dwCount; // Count of objects built with that product } PRODITEM, *PPRODITEM; // This enum was built from https://github.com/kirschju/richheader licensed under GPL3 (dmex) typedef enum _PRODID { prodidUnknown = 0x0000, prodidImport0 = 0x0001, // Linker generated import object version 0 prodidLinker510 = 0x0002, // LINK 5.10 (Visual Studio 97 SP3) prodidCvtomf510 = 0x0003, // LINK 5.10 (Visual Studio 97 SP3) OMF to COFF conversion prodidLinker600 = 0x0004, // LINK 6.00 (Visual Studio 98) prodidCvtomf600 = 0x0005, // LINK 6.00 (Visual Studio 98) OMF to COFF conversion prodidCvtres500 = 0x0006, // CVTRES 5.00 prodidUtc11_Basic = 0x0007, // VB 5.0 native code prodidUtc11_C = 0x0008, // VC++ 5.0 C/C++ prodidUtc12_Basic = 0x0009, // VB 6.0 native code prodidUtc12_C = 0x000A, // VC++ 6.0 C prodidUtc12_CPP = 0x000B, // VC++ 6.0 C++ prodidAliasObj60 = 0x000C, // ALIASOBJ.EXE (CRT Tool that builds OLDNAMES.LIB) prodidVisualBasic60 = 0x000D, // VB 6.0 generated object prodidMasm613 = 0x000E, // MASM 6.13 prodidMasm701 = 0x000F, // MASM 7.01 (prodidMasm710) prodidLinker511 = 0x0010, // LINK 5.11 prodidCvtomf511 = 0x0011, // LINK 5.11 OMF to COFF conversion prodidMasm614 = 0x0012, // MASM 6.14 (MMX2 support) prodidLinker512 = 0x0013, // LINK 5.12 prodidCvtomf512 = 0x0014, // LINK 5.12 OMF to COFF conversion prodidUtc12_C_Std = 0x0015, prodidUtc12_CPP_Std = 0x0016, prodidUtc12_C_Book = 0x0017, prodidUtc12_CPP_Book = 0x0018, prodidImplib700 = 0x0019, prodidCvtomf700 = 0x001a, prodidUtc13_Basic = 0x001b, prodidUtc13_C = 0x001c, prodidUtc13_CPP = 0x001d, prodidLinker610 = 0x001e, prodidCvtomf610 = 0x001f, prodidLinker601 = 0x0020, prodidCvtomf601 = 0x0021, prodidUtc12_1_Basic = 0x0022, prodidUtc12_1_C = 0x0023, prodidUtc12_1_CPP = 0x0024, prodidLinker620 = 0x0025, prodidCvtomf620 = 0x0026, prodidAliasObj70 = 0x0027, prodidLinker621 = 0x0028, prodidCvtomf621 = 0x0029, prodidMasm615 = 0x002a, prodidUtc13_LTCG_C = 0x002b, prodidUtc13_LTCG_CPP = 0x002c, prodidMasm620 = 0x002d, prodidILAsm100 = 0x002e, prodidUtc12_2_Basic = 0x002f, prodidUtc12_2_C = 0x0030, prodidUtc12_2_CPP = 0x0031, prodidUtc12_2_C_Std = 0x0032, prodidUtc12_2_CPP_Std = 0x0033, prodidUtc12_2_C_Book = 0x0034, prodidUtc12_2_CPP_Book = 0x0035, prodidImplib622 = 0x0036, prodidCvtomf622 = 0x0037, prodidCvtres501 = 0x0038, prodidUtc13_C_Std = 0x0039, prodidUtc13_CPP_Std = 0x003a, prodidCvtpgd1300 = 0x003b, prodidLinker622 = 0x003c, prodidLinker700 = 0x003d, prodidExport622 = 0x003e, prodidExport700 = 0x003f, prodidMasm700 = 0x0040, prodidUtc13_POGO_I_C = 0x0041, prodidUtc13_POGO_I_CPP = 0x0042, prodidUtc13_POGO_O_C = 0x0043, prodidUtc13_POGO_O_CPP = 0x0044, prodidCvtres700 = 0x0045, prodidCvtres710p = 0x0046, prodidLinker710p = 0x0047, prodidCvtomf710p = 0x0048, prodidExport710p = 0x0049, prodidImplib710p = 0x004a, prodidMasm710p = 0x004b, prodidUtc1310p_C = 0x004c, prodidUtc1310p_CPP = 0x004d, prodidUtc1310p_C_Std = 0x004e, prodidUtc1310p_CPP_Std = 0x004f, prodidUtc1310p_LTCG_C = 0x0050, prodidUtc1310p_LTCG_CPP = 0x0051, prodidUtc1310p_POGO_I_C = 0x0052, prodidUtc1310p_POGO_I_CPP = 0x0053, prodidUtc1310p_POGO_O_C = 0x0054, prodidUtc1310p_POGO_O_CPP = 0x0055, prodidLinker624 = 0x0056, prodidCvtomf624 = 0x0057, prodidExport624 = 0x0058, prodidImplib624 = 0x0059, prodidLinker710 = 0x005a, prodidCvtomf710 = 0x005b, prodidExport710 = 0x005c, prodidImplib710 = 0x005d, prodidCvtres710 = 0x005e, prodidUtc1310_C = 0x005f, prodidUtc1310_CPP = 0x0060, prodidUtc1310_C_Std = 0x0061, prodidUtc1310_CPP_Std = 0x0062, prodidUtc1310_LTCG_C = 0x0063, prodidUtc1310_LTCG_CPP = 0x0064, prodidUtc1310_POGO_I_C = 0x0065, prodidUtc1310_POGO_I_CPP = 0x0066, prodidUtc1310_POGO_O_C = 0x0067, prodidUtc1310_POGO_O_CPP = 0x0068, prodidAliasObj710 = 0x0069, prodidAliasObj710p = 0x006a, prodidCvtpgd1310 = 0x006b, prodidCvtpgd1310p = 0x006c, prodidUtc1400_C = 0x006d, prodidUtc1400_CPP = 0x006e, prodidUtc1400_C_Std = 0x006f, prodidUtc1400_CPP_Std = 0x0070, prodidUtc1400_LTCG_C = 0x0071, prodidUtc1400_LTCG_CPP = 0x0072, prodidUtc1400_POGO_I_C = 0x0073, prodidUtc1400_POGO_I_CPP = 0x0074, prodidUtc1400_POGO_O_C = 0x0075, prodidUtc1400_POGO_O_CPP = 0x0076, prodidCvtpgd1400 = 0x0077, prodidLinker800 = 0x0078, prodidCvtomf800 = 0x0079, prodidExport800 = 0x007a, prodidImplib800 = 0x007b, prodidCvtres800 = 0x007c, prodidMasm800 = 0x007d, prodidAliasObj800 = 0x007e, prodidPhoenixPrerelease = 0x007f, prodidUtc1400_CVTCIL_C = 0x0080, prodidUtc1400_CVTCIL_CPP = 0x0081, prodidUtc1400_LTCG_MSIL = 0x0082, prodidUtc1500_C = 0x0083, prodidUtc1500_CPP = 0x0084, prodidUtc1500_C_Std = 0x0085, prodidUtc1500_CPP_Std = 0x0086, prodidUtc1500_CVTCIL_C = 0x0087, prodidUtc1500_CVTCIL_CPP = 0x0088, prodidUtc1500_LTCG_C = 0x0089, prodidUtc1500_LTCG_CPP = 0x008a, prodidUtc1500_LTCG_MSIL = 0x008b, prodidUtc1500_POGO_I_C = 0x008c, prodidUtc1500_POGO_I_CPP = 0x008d, prodidUtc1500_POGO_O_C = 0x008e, prodidUtc1500_POGO_O_CPP = 0x008f, prodidCvtpgd1500 = 0x0090, prodidLinker900 = 0x0091, prodidExport900 = 0x0092, prodidImplib900 = 0x0093, prodidCvtres900 = 0x0094, prodidMasm900 = 0x0095, prodidAliasObj900 = 0x0096, prodidResource = 0x0097, prodidAliasObj1000 = 0x0098, prodidCvtpgd1600 = 0x0099, prodidCvtres1000 = 0x009a, prodidExport1000 = 0x009b, prodidImplib1000 = 0x009c, prodidLinker1000 = 0x009d, prodidMasm1000 = 0x009e, prodidPhx1600_C = 0x009f, prodidPhx1600_CPP = 0x00a0, prodidPhx1600_CVTCIL_C = 0x00a1, prodidPhx1600_CVTCIL_CPP = 0x00a2, prodidPhx1600_LTCG_C = 0x00a3, prodidPhx1600_LTCG_CPP = 0x00a4, prodidPhx1600_LTCG_MSIL = 0x00a5, prodidPhx1600_POGO_I_C = 0x00a6, prodidPhx1600_POGO_I_CPP = 0x00a7, prodidPhx1600_POGO_O_C = 0x00a8, prodidPhx1600_POGO_O_CPP = 0x00a9, prodidUtc1600_C = 0x00aa, prodidUtc1600_CPP = 0x00ab, prodidUtc1600_CVTCIL_C = 0x00ac, prodidUtc1600_CVTCIL_CPP = 0x00ad, prodidUtc1600_LTCG_C = 0x00ae, prodidUtc1600_LTCG_CPP = 0x00af, prodidUtc1600_LTCG_MSIL = 0x00b0, prodidUtc1600_POGO_I_C = 0x00b1, prodidUtc1600_POGO_I_CPP = 0x00b2, prodidUtc1600_POGO_O_C = 0x00b3, prodidUtc1600_POGO_O_CPP = 0x00b4, prodidAliasObj1010 = 0x00b5, prodidCvtpgd1610 = 0x00b6, prodidCvtres1010 = 0x00b7, prodidExport1010 = 0x00b8, prodidImplib1010 = 0x00b9, prodidLinker1010 = 0x00ba, prodidMasm1010 = 0x00bb, prodidUtc1610_C = 0x00bc, prodidUtc1610_CPP = 0x00bd, prodidUtc1610_CVTCIL_C = 0x00be, prodidUtc1610_CVTCIL_CPP = 0x00bf, prodidUtc1610_LTCG_C = 0x00c0, prodidUtc1610_LTCG_CPP = 0x00c1, prodidUtc1610_LTCG_MSIL = 0x00c2, prodidUtc1610_POGO_I_C = 0x00c3, prodidUtc1610_POGO_I_CPP = 0x00c4, prodidUtc1610_POGO_O_C = 0x00c5, prodidUtc1610_POGO_O_CPP = 0x00c6, prodidAliasObj1100 = 0x00c7, prodidCvtpgd1700 = 0x00c8, prodidCvtres1100 = 0x00c9, prodidExport1100 = 0x00ca, prodidImplib1100 = 0x00cb, prodidLinker1100 = 0x00cc, prodidMasm1100 = 0x00cd, prodidUtc1700_C = 0x00ce, prodidUtc1700_CPP = 0x00cf, prodidUtc1700_CVTCIL_C = 0x00d0, prodidUtc1700_CVTCIL_CPP = 0x00d1, prodidUtc1700_LTCG_C = 0x00d2, prodidUtc1700_LTCG_CPP = 0x00d3, prodidUtc1700_LTCG_MSIL = 0x00d4, prodidUtc1700_POGO_I_C = 0x00d5, prodidUtc1700_POGO_I_CPP = 0x00d6, prodidUtc1700_POGO_O_C = 0x00d7, prodidUtc1700_POGO_O_CPP = 0x00d8, prodidAliasObj1200 = 0x00d9, prodidCvtpgd1800 = 0x00da, prodidCvtres1200 = 0x00db, prodidExport1200 = 0x00dc, prodidImplib1200 = 0x00dd, prodidLinker1200 = 0x00de, prodidMasm1200 = 0x00df, prodidUtc1800_C = 0x00e0, prodidUtc1800_CPP = 0x00e1, prodidUtc1800_CVTCIL_C = 0x00e2, prodidUtc1800_CVTCIL_CPP = 0x00e3, // 0x00d3 ?? prodidUtc1800_LTCG_C = 0x00e4, prodidUtc1800_LTCG_CPP = 0x00e5, prodidUtc1800_LTCG_MSIL = 0x00e6, prodidUtc1800_POGO_I_C = 0x00e7, prodidUtc1800_POGO_I_CPP = 0x00e8, prodidUtc1800_POGO_O_C = 0x00e9, prodidUtc1800_POGO_O_CPP = 0x00ea, prodidAliasObj1210 = 0x00eb, prodidCvtpgd1810 = 0x00ec, prodidCvtres1210 = 0x00ed, prodidExport1210 = 0x00ee, prodidImplib1210 = 0x00ef, prodidLinker1210 = 0x00f0, prodidMasm1210 = 0x00f1, prodidUtc1810_C = 0x00f2, prodidUtc1810_CPP = 0x00f3, prodidUtc1810_CVTCIL_C = 0x00f4, prodidUtc1810_CVTCIL_CPP = 0x00f5, prodidUtc1810_LTCG_C = 0x00f6, prodidUtc1810_LTCG_CPP = 0x00f7, prodidUtc1810_LTCG_MSIL = 0x00f8, prodidUtc1810_POGO_I_C = 0x00f9, prodidUtc1810_POGO_I_CPP = 0x00fa, prodidUtc1810_POGO_O_C = 0x00fb, prodidUtc1810_POGO_O_CPP = 0x00fc, prodidAliasObj1400 = 0x00fd, prodidCvtpgd1900 = 0x00fe, prodidCvtres1400 = 0x00ff, prodidExport1400 = 0x0100, prodidImplib1400 = 0x0101, prodidLinker1400 = 0x0102, prodidMasm1400 = 0x0103, prodidUtc1900_C = 0x0104, prodidUtc1900_CPP = 0x0105, prodidUtc1900_CVTCIL_C = 0x0106, prodidUtc1900_CVTCIL_CPP = 0x0107, prodidUtc1900_LTCG_C = 0x0108, prodidUtc1900_LTCG_CPP = 0x0109, prodidUtc1900_LTCG_MSIL = 0x010a, prodidUtc1900_POGO_I_C = 0x010b, prodidUtc1900_POGO_I_CPP = 0x010c, prodidUtc1900_POGO_O_C = 0x010d, prodidUtc1900_POGO_O_CPP = 0x010e } PRODID; #define DwProdidFromProdidWBuild(Prodid, Build) ((((ULONG)(Prodid)) << 16) | (Build)) #define ProdidFromDwProdid(Prodid) ((PRODID)((Prodid) >> 16)) #define WBuildFromDwProdid(Prodid) ((Prodid) & 0xFFFF) #endif ================================================ FILE: phlib/include/fastlock.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2015 * */ #ifndef _PH_FASTLOCK_H #define _PH_FASTLOCK_H // FastLock is a port of FastResourceLock from PH 1.x. #ifdef __cplusplus extern "C" { #endif typedef struct _PH_FAST_LOCK { ULONG Value; HANDLE ExclusiveWakeEvent; HANDLE SharedWakeEvent; } PH_FAST_LOCK, *PPH_FAST_LOCK; #define PH_FAST_LOCK_INIT { 0, NULL, NULL } PHLIBAPI VOID NTAPI PhInitializeFastLock( _Out_ PPH_FAST_LOCK FastLock ); PHLIBAPI VOID NTAPI PhDeleteFastLock( _Inout_ PPH_FAST_LOCK FastLock ); #define PhAcquireFastLockExclusive PhfAcquireFastLockExclusive _May_raise_ _Acquires_exclusive_lock_(*FastLock) PHLIBAPI VOID FASTCALL PhfAcquireFastLockExclusive( _Inout_ PPH_FAST_LOCK FastLock ); #define PhAcquireFastLockShared PhfAcquireFastLockShared _May_raise_ _Acquires_shared_lock_(*FastLock) PHLIBAPI VOID FASTCALL PhfAcquireFastLockShared( _Inout_ PPH_FAST_LOCK FastLock ); #define PhReleaseFastLockExclusive PhfReleaseFastLockExclusive _Releases_exclusive_lock_(*FastLock) PHLIBAPI VOID FASTCALL PhfReleaseFastLockExclusive( _Inout_ PPH_FAST_LOCK FastLock ); #define PhReleaseFastLockShared PhfReleaseFastLockShared _Releases_shared_lock_(*FastLock) PHLIBAPI VOID FASTCALL PhfReleaseFastLockShared( _Inout_ PPH_FAST_LOCK FastLock ); #define PhTryAcquireFastLockExclusive PhfTryAcquireFastLockExclusive _When_(return != 0, _Acquires_exclusive_lock_(*FastLock)) PHLIBAPI BOOLEAN FASTCALL PhfTryAcquireFastLockExclusive( _Inout_ PPH_FAST_LOCK FastLock ); #define PhTryAcquireFastLockShared PhfTryAcquireFastLockShared _When_(return != 0, _Acquires_shared_lock_(*FastLock)) PHLIBAPI BOOLEAN FASTCALL PhfTryAcquireFastLockShared( _Inout_ PPH_FAST_LOCK FastLock ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/filepool.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * */ #ifndef _PH_FILEPOOL_H #define _PH_FILEPOOL_H #ifdef __cplusplus extern "C" { #endif // On-disk structures // Each file has at least one segment. Each segment has a number of blocks, which are allocated from // a bitmap. The segment header is always in the first block of each segment, except for the first // segment. In the first segment, the file header is in the first few blocks, followed by the // segment header. // // The segments are placed in a particular free list depending on how many blocks they have free; // this allows allocators to simply skip the segments which don't have enough segments free, and // allocate new segments if necessary. The free list does not however guarantee that a particular // segment has a particular number of contiguous blocks free; low performance can still occur when // there is fragmentation. /** The number of 32-bit integers used for each allocation bitmap. */ #define PH_FP_BITMAP_SIZE 64 /** The power-of-two index of the bitmap size. */ #define PH_FP_BITMAP_SIZE_SHIFT 6 /** The number of blocks that are available in each segment. */ #define PH_FP_BLOCK_COUNT (PH_FP_BITMAP_SIZE * 32) /** The power-of-two index of the block count. */ #define PH_FP_BLOCK_COUNT_SHIFT (PH_FP_BITMAP_SIZE_SHIFT + 5) /** The number of free lists for segments. */ #define PH_FP_FREE_LIST_COUNT 8 // Block flags /** The block is the beginning of a large allocation (one that spans several segments). */ #define PH_FP_BLOCK_LARGE_ALLOCATION 0x1 typedef struct _PH_FP_BLOCK_HEADER { ULONG Flags; // PH_FP_BLOCK_* /** The number of blocks in the entire logical block, or the number * of segments in a large allocation. */ ULONG Span; QUAD_PTR Body; } PH_FP_BLOCK_HEADER, *PPH_FP_BLOCK_HEADER; C_ASSERT((FIELD_OFFSET(PH_FP_BLOCK_HEADER, Body) % MEMORY_ALLOCATION_ALIGNMENT) == 0); typedef struct _PH_FP_SEGMENT_HEADER { ULONG Bitmap[PH_FP_BITMAP_SIZE]; ULONG FreeBlocks; ULONG FreeFlink; ULONG FreeBlink; ULONG Reserved[13]; } PH_FP_SEGMENT_HEADER, *PPH_FP_SEGMENT_HEADER; #define PH_FP_MAGIC ('loPF') typedef struct _PH_FP_FILE_HEADER { ULONG Magic; ULONG SegmentShift; ULONG SegmentCount; ULONGLONG UserContext; ULONG FreeLists[PH_FP_FREE_LIST_COUNT]; } PH_FP_FILE_HEADER, *PPH_FP_FILE_HEADER; // Runtime typedef struct _PH_FILE_POOL_PARAMETERS { // File options /** * The base-2 logarithm of the size of each segment. This value must be between 16 and 28, * inclusive. */ ULONG SegmentShift; // Runtime options /** The maximum number of inactive segments to keep mapped. */ ULONG MaximumInactiveViews; } PH_FILE_POOL_PARAMETERS, *PPH_FILE_POOL_PARAMETERS; typedef struct _PH_FILE_POOL { HANDLE FileHandle; HANDLE SectionHandle; BOOLEAN ReadOnly; PH_FREE_LIST ViewFreeList; PLIST_ENTRY *ByIndexBuckets; ULONG ByIndexSize; PH_AVL_TREE ByBaseSet; ULONG MaximumInactiveViews; ULONG NumberOfInactiveViews; LIST_ENTRY InactiveViewsListHead; PPH_FP_BLOCK_HEADER FirstBlockOfFirstSegment; PPH_FP_FILE_HEADER Header; ULONG SegmentShift; // The power-of-two size of each segment ULONG SegmentSize; // The size of each segment ULONG BlockShift; // The power-of-two size of each block in each segment ULONG BlockSize; // The size of each block in each segment ULONG FileHeaderBlockSpan; // The number of blocks needed to store a file header ULONG SegmentHeaderBlockSpan; // The number of blocks needed to store a segment header } PH_FILE_POOL, *PPH_FILE_POOL; PHLIBAPI NTSTATUS PhCreateFilePool( _Out_ PPH_FILE_POOL *Pool, _In_ HANDLE FileHandle, _In_ BOOLEAN ReadOnly, _In_opt_ PPH_FILE_POOL_PARAMETERS Parameters ); PHLIBAPI NTSTATUS PhCreateFilePool2( _Out_ PPH_FILE_POOL *Pool, _In_ PCWSTR FileName, _In_ BOOLEAN ReadOnly, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_opt_ PPH_FILE_POOL_PARAMETERS Parameters ); PHLIBAPI VOID PhDestroyFilePool( _In_ _Post_invalid_ PPH_FILE_POOL Pool ); PHLIBAPI PVOID PhAllocateFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Size, _Out_opt_ PULONG Rva ); PHLIBAPI VOID PhFreeFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Block ); PHLIBAPI BOOLEAN PhFreeFilePoolByRva( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Rva ); PHLIBAPI VOID PhReferenceFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Address ); PHLIBAPI VOID PhDereferenceFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Address ); PHLIBAPI PVOID PhReferenceFilePoolByRva( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Rva ); PHLIBAPI BOOLEAN PhDereferenceFilePoolByRva( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Rva ); PHLIBAPI ULONG PhEncodeRvaFilePool( _In_ PPH_FILE_POOL Pool, _In_ PVOID Address ); PHLIBAPI VOID PhGetUserContextFilePool( _In_ PPH_FILE_POOL Pool, _Out_ PULONGLONG Context ); PHLIBAPI VOID PhSetUserContextFilePool( _Inout_ PPH_FILE_POOL Pool, _In_ PULONGLONG Context ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/filepoolp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2013 * */ #ifndef _PH_FILEPOOLP_H #define _PH_FILEPOOLP_H typedef struct _PH_FILE_POOL_VIEW { LIST_ENTRY ByIndexListEntry; PH_AVL_LINKS ByBaseLinks; LIST_ENTRY InactiveViewsListEntry; ULONG RefCount; ULONG SegmentIndex; PVOID Base; } PH_FILE_POOL_VIEW, *PPH_FILE_POOL_VIEW; NTSTATUS PhpValidateFilePoolParameters( _Inout_ PPH_FILE_POOL_PARAMETERS Parameters ); VOID PhpSetDefaultFilePoolParameters( _Out_ PPH_FILE_POOL_PARAMETERS Parameters ); // Range mapping NTSTATUS PhFppExtendRange( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG NewSize ); NTSTATUS PhFppMapRange( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG Offset, _In_ ULONG Size, _Out_ PVOID *Base ); NTSTATUS PhFppUnmapRange( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ); // Segments VOID PhFppInitializeSegment( _Inout_ PPH_FILE_POOL Pool, _Out_ PPH_FP_BLOCK_HEADER BlockOfSegmentHeader, _In_ ULONG AdditionalBlocksUsed ); PPH_FP_BLOCK_HEADER PhFppAllocateSegment( _Inout_ PPH_FILE_POOL Pool, _Out_ PULONG NewSegmentIndex ); PPH_FP_SEGMENT_HEADER PhFppGetHeaderSegment( _Inout_ PPH_FILE_POOL Pool, _In_ PPH_FP_BLOCK_HEADER FirstBlock ); // Views VOID PhFppAddViewByIndex( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); VOID PhFppRemoveViewByIndex( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); PPH_FILE_POOL_VIEW PhFppFindViewByIndex( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ); _Function_class_(PH_AVL_TREE_COMPARE_FUNCTION) LONG NTAPI PhpFilePoolViewByBaseCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ); VOID PhFppAddViewByBase( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); VOID PhFppRemoveViewByBase( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); PPH_FILE_POOL_VIEW PhFppFindViewByBase( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ); PPH_FILE_POOL_VIEW PhFppCreateView( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ); VOID PhFppDestroyView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); VOID PhFppActivateView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); VOID PhFppDeactivateView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); VOID PhFppReferenceView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); VOID PhFppDereferenceView( _Inout_ PPH_FILE_POOL Pool, _Inout_ PPH_FILE_POOL_VIEW View ); PPH_FP_BLOCK_HEADER PhFppReferenceSegment( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ); VOID PhFppDereferenceSegment( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex ); VOID PhFppReferenceSegmentByBase( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ); VOID PhFppDereferenceSegmentByBase( _Inout_ PPH_FILE_POOL Pool, _In_ PVOID Base ); // Bitmap allocation PPH_FP_BLOCK_HEADER PhFppAllocateBlocks( _Inout_ PPH_FILE_POOL Pool, _In_ PPH_FP_BLOCK_HEADER FirstBlock, _Inout_ PPH_FP_SEGMENT_HEADER SegmentHeader, _In_ ULONG NumberOfBlocks ); VOID PhFppFreeBlocks( _Inout_ PPH_FILE_POOL Pool, _In_ PPH_FP_BLOCK_HEADER FirstBlock, _Inout_ PPH_FP_SEGMENT_HEADER SegmentHeader, _In_ PPH_FP_BLOCK_HEADER BlockHeader ); // Free list ULONG PhFppComputeFreeListIndex( _In_ PPH_FILE_POOL Pool, _In_ ULONG NumberOfBlocks ); BOOLEAN PhFppInsertFreeList( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG FreeListIndex, _In_ ULONG SegmentIndex, _In_ PPH_FP_SEGMENT_HEADER SegmentHeader ); BOOLEAN PhFppRemoveFreeList( _Inout_ PPH_FILE_POOL Pool, _In_ ULONG FreeListIndex, _In_ ULONG SegmentIndex, _In_ PPH_FP_SEGMENT_HEADER SegmentHeader ); // Misc. PPH_FP_BLOCK_HEADER PhFppGetHeaderBlock( _In_ PPH_FILE_POOL Pool, _In_ PVOID Block ); ULONG PhFppEncodeRva( _In_ PPH_FILE_POOL Pool, _In_ ULONG SegmentIndex, _In_ PPH_FP_BLOCK_HEADER FirstBlock, _In_ PVOID Address ); ULONG PhFppDecodeRva( _In_ PPH_FILE_POOL Pool, _In_ ULONG Rva, _Out_ PULONG SegmentIndex ); #endif ================================================ FILE: phlib/include/filestream.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * */ #ifndef _PH_FILESTREAM_H #define _PH_FILESTREAM_H #ifdef __cplusplus extern "C" { #endif // Core flags (PhCreateFileStream2) /** Indicates that the file stream object should not close the file handle upon deletion. */ #define PH_FILE_STREAM_HANDLE_UNOWNED 0x1 /** * Indicates that the file stream object should not buffer I/O operations. Note that this does not * prevent the operating system from buffering I/O. */ #define PH_FILE_STREAM_UNBUFFERED 0x2 /** * Indicates that the file handle supports asynchronous operations. The file handle must not have * been opened with FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT. */ #define PH_FILE_STREAM_ASYNCHRONOUS 0x4 /** * Indicates that the file stream object should maintain the file position and not use the file * object's own file position. */ #define PH_FILE_STREAM_OWN_POSITION 0x8 // Higher-level flags (PhCreateFileStream) #define PH_FILE_STREAM_APPEND 0x00010000 // Internal flags /** Indicates that at least one write has been issued to the file handle. */ #define PH_FILE_STREAM_WRITTEN 0x80000000 // Seek typedef enum _PH_SEEK_ORIGIN { SeekStart, SeekCurrent, SeekEnd } PH_SEEK_ORIGIN; typedef struct _PH_FILE_STREAM { HANDLE FileHandle; ULONG Flags; LARGE_INTEGER Position; // file object position, *not* the actual position PVOID Buffer; ULONG BufferLength; ULONG ReadPosition; // read position in buffer ULONG ReadLength; // how much available to read from buffer ULONG WritePosition; // write position in buffer } PH_FILE_STREAM, *PPH_FILE_STREAM; extern PPH_OBJECT_TYPE PhFileStreamType; PHLIBAPI NTSTATUS NTAPI PhCreateFileStream( _Out_ PPH_FILE_STREAM* FileStream, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhCreateFileStream2( _Out_ PPH_FILE_STREAM *FileStream, _In_ HANDLE FileHandle, _In_ ULONG Flags, _In_ ULONG BufferLength ); PHLIBAPI VOID NTAPI PhVerifyFileStream( _In_ PPH_FILE_STREAM FileStream ); PHLIBAPI NTSTATUS NTAPI PhReadFileStream( _Inout_ PPH_FILE_STREAM FileStream, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG ReadLength ); PHLIBAPI NTSTATUS NTAPI PhWriteFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ); PHLIBAPI NTSTATUS NTAPI PhFlushFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ BOOLEAN Full ); PHLIBAPI VOID NTAPI PhGetPositionFileStream( _In_ PPH_FILE_STREAM FileStream, _Out_ PLARGE_INTEGER Position ); PHLIBAPI NTSTATUS NTAPI PhSeekFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Offset, _In_ PH_SEEK_ORIGIN Origin ); PHLIBAPI NTSTATUS NTAPI PhLockFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Position, _In_ PLARGE_INTEGER Length, _In_ BOOLEAN Wait, _In_ BOOLEAN Shared ); PHLIBAPI NTSTATUS NTAPI PhUnlockFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Position, _In_ PLARGE_INTEGER Length ); PHLIBAPI NTSTATUS NTAPI PhWriteStringAsUtf8FileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PPH_STRINGREF String ); FORCEINLINE NTSTATUS PhWriteStringAsUtf8FileStream2( _Inout_ PPH_FILE_STREAM FileStream, _In_ PCWSTR String ) { PH_STRINGREF string; PhInitializeStringRef(&string, String); return PhWriteStringAsUtf8FileStream(FileStream, &string); } PHLIBAPI NTSTATUS NTAPI PhWriteStringAsUtf8FileStreamEx( _Inout_ PPH_FILE_STREAM FileStream, _In_ PCWSTR Buffer, _In_ SIZE_T Length ); PHLIBAPI NTSTATUS NTAPI PhWriteStringFormatAsUtf8FileStream_V( _Inout_ PPH_FILE_STREAM FileStream, _In_ _Printf_format_string_ PCWSTR Format, _In_ va_list ArgPtr ); PHLIBAPI NTSTATUS NTAPI PhWriteStringFormatAsUtf8FileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ _Printf_format_string_ PCWSTR Format, ... ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/filestreamp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifndef _PH_FILESTREAMP_H #define _PH_FILESTREAMP_H _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpFileStreamDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); NTSTATUS PhpAllocateBufferFileStream( _Inout_ PPH_FILE_STREAM FileStream ); NTSTATUS PhpReadFileStream( _Inout_ PPH_FILE_STREAM FileStream, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG ReadLength ); NTSTATUS PhpWriteFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ); NTSTATUS PhpFlushReadFileStream( _Inout_ PPH_FILE_STREAM FileStream ); NTSTATUS PhpFlushWriteFileStream( _Inout_ PPH_FILE_STREAM FileStream ); NTSTATUS PhpSeekFileStream( _Inout_ PPH_FILE_STREAM FileStream, _In_ PLARGE_INTEGER Offset, _In_ PH_SEEK_ORIGIN Origin ); #endif ================================================ FILE: phlib/include/graph.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2024 * */ #ifndef _PH_GRAPH_H #define _PH_GRAPH_H #ifdef __cplusplus extern "C" { #endif // Graph drawing extern RECT PhNormalGraphTextMargin; extern RECT PhNormalGraphTextPadding; #define PH_GRAPH_USE_GRID_X 0x1 #define PH_GRAPH_USE_GRID_Y 0x2 #define PH_GRAPH_LOGARITHMIC_GRID_Y 0x4 #define PH_GRAPH_USE_LINE_2 0x10 #define PH_GRAPH_OVERLAY_LINE_2 0x20 #define PH_GRAPH_LABEL_MAX_Y 0x1000 typedef struct _PH_GRAPH_DRAW_INFO *PPH_GRAPH_DRAW_INFO; typedef _Function_class_(PH_GRAPH_LABEL_Y_FUNCTION) PPH_STRING NTAPI PH_GRAPH_LABEL_Y_FUNCTION( _In_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataIndex, _In_ FLOAT Value, _In_ FLOAT Parameter ); typedef PH_GRAPH_LABEL_Y_FUNCTION* PPH_GRAPH_LABEL_Y_FUNCTION; typedef struct _PH_GRAPH_DRAW_INFO { // Basic LONG Width; LONG Height; ULONG Flags; ULONG Step; COLORREF BackColor; // Data/lines ULONG LineDataCount; PFLOAT LineData1; PFLOAT LineData2; COLORREF LineColor1; COLORREF LineColor2; COLORREF LineBackColor1; COLORREF LineBackColor2; // Grid COLORREF GridColor; ULONG GridWidth; FLOAT GridHeight; LONG GridXOffset; LONG GridYThreshold; FLOAT GridBase; // Base for logarithmic grid // y-axis label PPH_GRAPH_LABEL_Y_FUNCTION LabelYFunction; FLOAT LabelYFunctionParameter; HFONT LabelYFont; COLORREF LabelYColor; ULONG LabelMaxYIndexLimit; // Text PH_STRINGREF Text; RECT TextRect; RECT TextBoxRect; HFONT TextFont; COLORREF TextColor; COLORREF TextBoxColor; PH_STRINGREF Text2; RECT TextRect2; RECT TextBoxRect2; } PH_GRAPH_DRAW_INFO, *PPH_GRAPH_DRAW_INFO; // Graph control #define PH_GRAPH_CLASSNAME L"PhGraph" PHLIBAPI RTL_ATOM NTAPI PhGraphControlInitialization( VOID ); PHLIBAPI VOID NTAPI PhDrawGraphDirect( _In_ HDC hdc, _In_ PVOID Bits, _In_ PPH_GRAPH_DRAW_INFO DrawInfo ); PHLIBAPI VOID NTAPI PhSetGraphText( _In_ HDC hdc, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ PPH_STRINGREF Text, _In_ PRECT Margin, _In_ PRECT Padding, _In_ ULONG Align ); PHLIBAPI VOID NTAPI PhSetGraphText2( _In_ HDC hdc, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ PPH_STRINGREF Text, _In_ PRECT Margin, _In_ PRECT Padding, _In_ ULONG Align ); // Configuration typedef struct _PH_GRAPH_OPTIONS { COLORREF FadeOutBackColor; LONG FadeOutWidth; HCURSOR DefaultCursor; } PH_GRAPH_OPTIONS, *PPH_GRAPH_OPTIONS; // Styles #define GC_STYLE_FADEOUT 0x1 #define GC_STYLE_DRAW_PANEL 0x2 // Messages #define GCM_GETDRAWINFO (WM_USER + 1301) #define GCM_SETDRAWINFO (WM_USER + 1302) #define GCM_DRAW (WM_USER + 1303) #define GCM_MOVEGRID (WM_USER + 1304) #define GCM_GETBUFFEREDCONTEXT (WM_USER + 1305) #define GCM_SETTOOLTIP (WM_USER + 1306) #define GCM_UPDATETOOLTIP (WM_USER + 1307) #define GCM_GETOPTIONS (WM_USER + 1308) #define GCM_SETOPTIONS (WM_USER + 1309) #define GCM_UPDATE (WM_USER + 1310) #define GCM_SETCALLBACK (WM_USER + 1311) #define Graph_GetDrawInfo(hWnd, DrawInfo) \ SendMessage((hWnd), GCM_GETDRAWINFO, 0, (LPARAM)(DrawInfo)) #define Graph_SetDrawInfo(hWnd, DrawInfo) \ SendMessage((hWnd), GCM_SETDRAWINFO, 0, (LPARAM)(DrawInfo)) #define Graph_Draw(hWnd) \ SendMessage((hWnd), GCM_DRAW, 0, 0) #define Graph_MoveGrid(hWnd, Increment) \ SendMessage((hWnd), GCM_MOVEGRID, (WPARAM)(Increment), 0) #define Graph_GetBufferedContext(hWnd) \ ((HDC)SendMessage((hWnd), GCM_GETBUFFEREDCONTEXT, 0, 0)) #define Graph_SetTooltip(hWnd, Enable) \ ((HDC)SendMessage((hWnd), GCM_SETTOOLTIP, (WPARAM)(Enable), 0)) #define Graph_UpdateTooltip(hWnd) \ ((HDC)SendMessage((hWnd), GCM_UPDATETOOLTIP, 0, 0)) #define Graph_GetOptions(hWnd, Options) \ SendMessage((hWnd), GCM_GETOPTIONS, 0, (LPARAM)(Options)) #define Graph_SetOptions(hWnd, Options) \ SendMessage((hWnd), GCM_SETOPTIONS, 0, (LPARAM)(Options)) #define Graph_Update(hWnd) \ SendMessage((hWnd), GCM_UPDATE, 0, 0) #define Graph_SetCallback(hWnd, Callback, Context) \ SendMessage((hWnd), GCM_SETCALLBACK, (LPARAM)(Callback), (WPARAM)(Context)) // Notifications #define GCN_GETDRAWINFO (WM_USER + 1351) #define GCN_GETTOOLTIPTEXT (WM_USER + 1352) #define GCN_MOUSEEVENT (WM_USER + 1353) #define GCN_DRAWPANEL (WM_USER + 1354) typedef _Function_class_(PH_GRAPH_MESSAGE_CALLBACK) BOOLEAN NTAPI PH_GRAPH_MESSAGE_CALLBACK( _In_ HWND WindowHandle, _In_ ULONG Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ); typedef PH_GRAPH_MESSAGE_CALLBACK* PPH_GRAPH_MESSAGE_CALLBACK; typedef struct _PH_GRAPH_CREATEPARAMS { ULONG Size; ULONG Flags; PH_GRAPH_OPTIONS Options; PPH_GRAPH_MESSAGE_CALLBACK Callback; PVOID Context; // Add new fields here. } PH_GRAPH_CREATEPARAMS, *PPH_GRAPH_CREATEPARAMS; typedef struct _PH_GRAPH_GETDRAWINFO { NMHDR Header; PPH_GRAPH_DRAW_INFO DrawInfo; } PH_GRAPH_GETDRAWINFO, *PPH_GRAPH_GETDRAWINFO; typedef struct _PH_GRAPH_GETTOOLTIPTEXT { NMHDR Header; ULONG Index; ULONG TotalCount; PH_STRINGREF Text; // must be null-terminated } PH_GRAPH_GETTOOLTIPTEXT, *PPH_GRAPH_GETTOOLTIPTEXT; typedef struct _PH_GRAPH_MOUSEEVENT { NMHDR Header; ULONG Index; ULONG TotalCount; ULONG Message; ULONG Keys; POINT Point; } PH_GRAPH_MOUSEEVENT, *PPH_GRAPH_MOUSEEVENT; typedef struct _PH_GRAPH_DRAWPANEL { NMHDR Header; HDC hdc; RECT Rect; } PH_GRAPH_DRAWPANEL, *PPH_GRAPH_DRAWPANEL; // Graph buffer management #define PH_GRAPH_DATA_COUNT(Width, Step) (((Width) + (Step) - 1) / (Step) + 1) // round up in division typedef struct _PH_GRAPH_BUFFERS { PFLOAT Data1; // invalidate by setting Valid to FALSE PFLOAT Data2; // invalidate by setting Valid to FALSE ULONG AllocatedCount; BOOLEAN Valid; // indicates the data is valid } PH_GRAPH_BUFFERS, *PPH_GRAPH_BUFFERS; PHLIBAPI VOID NTAPI PhInitializeGraphBuffers( _Out_ PPH_GRAPH_BUFFERS Buffers ); PHLIBAPI VOID NTAPI PhDeleteGraphBuffers( _Inout_ PPH_GRAPH_BUFFERS Buffers ); PHLIBAPI VOID NTAPI PhGetDrawInfoGraphBuffers( _Inout_ PPH_GRAPH_BUFFERS Buffers, _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, _In_ ULONG DataCount ); // Graph control state // The basic buffer management structure was moved out of this section because // the text management is not needed for most cases. typedef struct _PH_GRAPH_STATE { // Union for compatibility union { struct { PFLOAT Data1; // invalidate by setting Valid to FALSE PFLOAT Data2; // invalidate by setting Valid to FALSE ULONG AllocatedCount; BOOLEAN Valid; // indicates the data is valid }; PH_GRAPH_BUFFERS Buffers; }; PPH_STRING Text; PPH_STRING TooltipText; // invalidate by setting TooltipIndex to -1 ULONG TooltipIndex; // indicates the tooltip text is valid for this index PPH_STRING TextLine2; } PH_GRAPH_STATE, *PPH_GRAPH_STATE; PHLIBAPI VOID NTAPI PhInitializeGraphState( _Out_ PPH_GRAPH_STATE State ); PHLIBAPI VOID NTAPI PhDeleteGraphState( _Inout_ PPH_GRAPH_STATE State ); PHLIBAPI VOID NTAPI PhGraphStateGetDrawInfo( _Inout_ PPH_GRAPH_STATE State, _In_ PPH_GRAPH_GETDRAWINFO GetDrawInfo, _In_ ULONG DataCount ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/guisup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #ifndef _PH_PHGUI_H #define _PH_PHGUI_H #include #include EXTERN_C_START // guisup #define RFF_NOBROWSE 0x0001 #define RFF_NODEFAULT 0x0002 #define RFF_CALCDIRECTORY 0x0004 #define RFF_NOLABEL 0x0008 #define RFF_NOSEPARATEMEM 0x0020 #define RFF_OPTRUNAS 0x0040 #define RFN_VALIDATE (-510) #define RFN_LIMITEDRUNAS (-511) typedef struct _NMRUNFILEDLGW { NMHDR hdr; PWSTR lpszFile; PWSTR lpszDirectory; UINT ShowCmd; } NMRUNFILEDLGW, *LPNMRUNFILEDLGW, *PNMRUNFILEDLGW; typedef NMRUNFILEDLGW NMRUNFILEDLG; typedef PNMRUNFILEDLGW PNMRUNFILEDLG; typedef LPNMRUNFILEDLGW LPNMRUNFILEDLG; #define RF_OK 0x0000 #define RF_CANCEL 0x0001 #define RF_RETRY 0x0002 typedef HANDLE HTHEME; #define DCX_USESTYLE 0x00010000 #define DCX_NODELETERGN 0x00040000 #define HRGN_FULL ((HRGN)1) // passed by WM_NCPAINT even though it's completely undocumented (wj32) extern LONG PhFontQuality; extern LONG PhSystemDpi; extern PH_INTEGER_PAIR PhSmallIconSize; extern PH_INTEGER_PAIR PhLargeIconSize; PHLIBAPI VOID NTAPI PhGuiSupportInitialization( VOID ); PHLIBAPI VOID NTAPI PhGuiSupportUpdateSystemMetrics( _In_opt_ HWND WindowHandle, _In_opt_ LONG WindowDpi ); PHLIBAPI LONG NTAPI PhGetFontQualitySetting( _In_ LONG FontQuality ); PHLIBAPI HFONT NTAPI PhInitializeFont( _In_ LONG WindowDpi ); PHLIBAPI HFONT NTAPI PhInitializeMonospaceFont( _In_ LONG WindowDpi ); PHLIBAPI HDC NTAPI PhGetDC( _In_opt_ HWND WindowHandle ); PHLIBAPI VOID NTAPI PhReleaseDC( _In_opt_ HWND WindowHandle, _In_ _Frees_ptr_ HDC Hdc ); PHLIBAPI HGDIOBJ NTAPI PhGetStockObject( _In_ LONG Index ); #define PhGetStockBrush(i) ((HBRUSH)PhGetStockObject(i)) #define PhGetStockPen(i) ((HPEN)PhGetStockObject(i)) PHLIBAPI HTHEME NTAPI PhOpenThemeData( _In_opt_ HWND WindowHandle, _In_ PCWSTR ClassList, _In_ LONG WindowDpi ); PHLIBAPI VOID NTAPI PhCloseThemeData( _In_ HTHEME ThemeHandle ); PHLIBAPI VOID NTAPI PhSetControlTheme( _In_ HWND Handle, _In_opt_ PCWSTR Theme ); PHLIBAPI BOOLEAN NTAPI PhIsThemeActive( VOID ); PHLIBAPI BOOLEAN NTAPI PhIsAppThemed( VOID ); PHLIBAPI BOOLEAN NTAPI PhIsThemePartDefined( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetThemeClass( _In_ HTHEME ThemeHandle, _Out_writes_z_(ClassLength) PWSTR Class, _In_ ULONG ClassLength ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetThemeColor( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId, _In_ LONG PropId, _Out_ COLORREF* Color ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetThemeInt( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId, _In_ LONG PropId, _Out_ PLONG Value ); typedef enum _THEMEPARTSIZE { THEMEPARTSIZE_MIN, // minimum size THEMEPARTSIZE_TRUE, // size without stretching THEMEPARTSIZE_DRAW // size that theme mgr will use to draw part } THEMEPARTSIZE; _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetThemePartSize( _In_ HTHEME ThemeHandle, _In_opt_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_opt_ LPCRECT Rect, _In_ THEMEPARTSIZE Flags, _Out_ PSIZE Size ); typedef struct _THEMEMARGINS { LONG cxLeftWidth; // width of left border that retains its size LONG cxRightWidth; // width of right border that retains its size LONG cyTopHeight; // height of top border that retains its size LONG cyBottomHeight; // height of bottom border that retains its size } THEMEMARGINS, *PTHEMEMARGINS; _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetThemeMargins( _In_ HTHEME ThemeHandle, _In_opt_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_ LONG PropId, _In_opt_ LPCRECT Rect, _Out_ PTHEMEMARGINS Margins ); PHLIBAPI BOOLEAN NTAPI PhDrawThemeBackground( _In_ HTHEME ThemeHandle, _In_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_ LPCRECT Rect, _In_opt_ LPCRECT ClipRect ); PHLIBAPI BOOLEAN NTAPI PhDrawThemeText( _In_ HTHEME ThemeHandle, _In_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_reads_(cchText) PCWSTR Text, _In_ LONG cchText, _In_ ULONG TextFlags, _In_ LPCRECT Rect ); PHLIBAPI BOOLEAN NTAPI PhDrawThemeTextEx( _In_ HTHEME ThemeHandle, _In_ HDC hdc, _In_ LONG PartId, _In_ LONG StateId, _In_reads_(cchText) PCWSTR Text, _In_ LONG cchText, _In_ ULONG TextFlags, _Inout_ LPRECT Rect, _In_opt_ const PVOID Options // DTTOPTS* ); PHLIBAPI BOOLEAN NTAPI PhIsThemeBackgroundPartiallyTransparent( _In_ HTHEME ThemeHandle, _In_ LONG PartId, _In_ LONG StateId ); PHLIBAPI BOOLEAN NTAPI PhDrawThemeParentBackground( _In_ HWND WindowHandle, _In_ HDC Hdc, _In_opt_ const PRECT Rect ); PHLIBAPI BOOLEAN NTAPI PhAllowDarkModeForWindow( _In_ HWND WindowHandle, _In_ BOOL Enabled ); PHLIBAPI BOOLEAN NTAPI PhIsDarkModeAllowedForWindow( _In_ HWND WindowHandle ); FORCEINLINE BOOLEAN NTAPI PhRectEmpty( _In_ PRECT Rect ) { #if defined(PHNT_NATIVE_RECT) return !!IsRectEmpty(Rect); #else if (Rect) { if (Rect->left >= Rect->right || Rect->top >= Rect->bottom) return TRUE; } return FALSE; #endif } FORCEINLINE BOOLEAN NTAPI PhInflateRect( _In_ PRECT Rect, _In_ LONG dx, _In_ LONG dy ) { #if defined(PHNT_NATIVE_RECT) return !!InflateRect(Rect, dx, dy); #else Rect->left -= dx; Rect->top -= dy; Rect->right += dx; Rect->bottom += dy; return TRUE; #endif } FORCEINLINE BOOLEAN NTAPI PhOffsetRect( _In_ PRECT Rect, _In_ LONG dx, _In_ LONG dy ) { #if defined(PHNT_NATIVE_RECT) return !!OffsetRect(Rect, dx, dy); #else Rect->left += dx; Rect->top += dy; Rect->right += dx; Rect->bottom += dy; return TRUE; #endif } FORCEINLINE BOOLEAN NTAPI PhPtInRect( _In_ PRECT Rect, _In_ PPOINT Point ) { #if defined(PHNT_NATIVE_RECT) return !!PtInRect(Rect, Point); #else return Point->x >= Rect->left && Point->x < Rect->right && Point->y >= Rect->top && Point->y < Rect->bottom; #endif } _Success_(return) FORCEINLINE BOOLEAN NTAPI PhGetWindowRect( _In_ HWND WindowHandle, _Out_ PRECT WindowRect ) { // Note: GetWindowRect can return success with either invalid (0,0) or empty rects (40,40) and in some cases // this results in unwanted clipping, performance issues with the CreateCompatibleBitmap double buffering and // issues with MonitorFromRect layout and DPI queries, so ignore the return status and check the rect (dmex) if (!GetWindowRect(WindowHandle, WindowRect)) return FALSE; if (PhRectEmpty(WindowRect)) return FALSE; return TRUE; } _Success_(return) FORCEINLINE BOOLEAN NTAPI PhGetClientRect( _In_ HWND WindowHandle, _Out_ PRECT ClientRect ) { if (!GetClientRect(WindowHandle, ClientRect)) return FALSE; if (!(ClientRect->right && ClientRect->bottom)) return FALSE; return TRUE; } _Success_(return) FORCEINLINE BOOLEAN NTAPI PhGetCursorPos( _Out_ PPOINT Point ) { if (GetCursorPos(Point)) return TRUE; return FALSE; } _Success_(return) FORCEINLINE BOOLEAN NTAPI PhGetMessagePos( _Out_ PPOINT MessagePoint ) { ULONG position; POINT point; position = GetMessagePos(); point.x = GET_X_LPARAM(position); point.y = GET_Y_LPARAM(position); memcpy(MessagePoint, &point, sizeof(POINT)); return TRUE; } _Success_(return) FORCEINLINE BOOLEAN NTAPI PhGetClientPos( _In_ HWND WindowHandle, _Out_ PPOINT ClientPoint ) { ULONG position; POINT point; position = GetMessagePos(); point.x = GET_X_LPARAM(position); point.y = GET_Y_LPARAM(position); if (ScreenToClient(WindowHandle, &point)) { memcpy(ClientPoint, &point, sizeof(POINT)); return TRUE; } return FALSE; } _Success_(return) FORCEINLINE BOOLEAN NTAPI PhGetScreenPos( _In_ HWND WindowHandle, _Out_ PPOINT ClientPoint ) { ULONG position; POINT point; position = GetMessagePos(); point.x = GET_X_LPARAM(position); point.y = GET_Y_LPARAM(position); if (ClientToScreen(WindowHandle, &point)) { memcpy(ClientPoint, &point, sizeof(POINT)); return TRUE; } return FALSE; } FORCEINLINE BOOLEAN NTAPI PhClientToScreen( _In_ HWND WindowHandle, _Inout_ PPOINT Point ) { if (ClientToScreen(WindowHandle, Point)) return TRUE; return FALSE; } FORCEINLINE BOOLEAN NTAPI PhScreenToClient( _In_ HWND WindowHandle, _Inout_ PPOINT Point ) { if (ScreenToClient(WindowHandle, Point)) return TRUE; return FALSE; } FORCEINLINE BOOLEAN NTAPI PhClientToScreenRect( _In_ HWND WindowHandle, _Inout_ PRECT Rect ) { //if (!ClientToScreen(WindowHandle, (PPOINT)Rect)) // return FALSE; //if (!ClientToScreen(WindowHandle, ((PPOINT)Rect) + 1)) // return FALSE; if (MapWindowRect(WindowHandle, HWND_DESKTOP, Rect) == 0) return FALSE; return TRUE; } FORCEINLINE BOOLEAN NTAPI PhScreenToClientRect( _In_ HWND WindowHandle, _Inout_ PRECT Rect ) { if (MapWindowRect(HWND_DESKTOP, WindowHandle, Rect) == 0) return FALSE; return TRUE; //if (!ScreenToClient(WindowHandle, (PPOINT)Rect)) // return FALSE; //if (!ScreenToClient(WindowHandle, ((PPOINT)Rect) + 1)) // return FALSE; //return TRUE; } PHLIBAPI BOOLEAN NTAPI PhIsHungAppWindow( _In_ HWND WindowHandle ); PHLIBAPI HWND NTAPI PhGetShellWindow( VOID ); /** * Converts default logical units (based on 96 DPI) to physical units appropriate for the current current monitor's display DPI. * \param Value The value to scale. * \param Scale The target DPI scale. * \return The scaled value. */ FORCEINLINE LONG NTAPI PhScaleToDisplay( _In_ LONG Value, _In_ LONG Scale ) { return PhMultiplyDivideSigned(Value, Scale, USER_DEFAULT_SCREEN_DPI); } /** * Converts a value from physical units (current DPI) to default logical units (based on 96 DPI). * * \param Value The value to convert from physical units. * \param Scale The current DPI scale. * \return The value converted to default logical units (96 DPI). */ FORCEINLINE LONG NTAPI PhScaleToDefault( _In_ LONG Value, _In_ LONG Scale ) { return PhMultiplyDivideSigned(Value, USER_DEFAULT_SCREEN_DPI, Scale); } FORCEINLINE LONG NTAPI PhGetDpi( _In_ LONG Value, _In_ LONG Scale ) { return PhMultiplyDivideSigned(Value, Scale, USER_DEFAULT_SCREEN_DPI); } PHLIBAPI LONG NTAPI PhGetMonitorDpi( _In_opt_ HWND WindowHandle, _In_opt_ PRECT WindowRect ); FORCEINLINE LONG PhGetMonitorDpiFromRect( _In_ PPH_RECTANGLE Rectangle ) { RECT rect = { 0 }; PhRectangleToRect(&rect, Rectangle); return PhGetMonitorDpi(NULL, &rect); } PHLIBAPI LONG NTAPI PhGetSystemDpi( VOID ); PHLIBAPI LONG NTAPI PhGetTaskbarDpi( VOID ); PHLIBAPI LONG NTAPI PhGetWindowDpi( _In_ HWND WindowHandle ); PHLIBAPI LONG NTAPI PhGetDpiValue( _In_opt_ HWND WindowHandle, _In_opt_ PRECT WindowRect ); FORCEINLINE VOID PhGetSizeDpiValue( _Inout_ PRECT Rect, _In_ LONG Dpi, _In_ BOOLEAN ScaleToDisplay ) { PH_RECTANGLE rect; if (Dpi == USER_DEFAULT_SCREEN_DPI) return; PhRectToRectangle(&rect, Rect); if (ScaleToDisplay) { if (rect.Left) rect.Left = PhScaleToDisplay(rect.Left, Dpi); if (rect.Top) rect.Top = PhScaleToDisplay(rect.Top, Dpi); if (rect.Width) rect.Width = PhScaleToDisplay(rect.Width, Dpi); if (rect.Height) rect.Height = PhScaleToDisplay(rect.Height, Dpi); } else { if (rect.Left) rect.Left = PhScaleToDefault(rect.Left, Dpi); if (rect.Top) rect.Top = PhScaleToDefault(rect.Top, Dpi); if (rect.Width) rect.Width = PhScaleToDefault(rect.Width, Dpi); if (rect.Height) rect.Height = PhScaleToDefault(rect.Height, Dpi); } PhRectangleToRect(Rect, &rect); } PHLIBAPI LONG NTAPI PhGetSystemMetrics( _In_ LONG Index, _In_opt_ LONG DpiValue ); PHLIBAPI BOOLEAN NTAPI PhGetSystemSafeBootMode( VOID ); PHLIBAPI BOOL NTAPI PhGetSystemParametersInfo( _In_ LONG Action, _In_ ULONG Param1, _Pre_maybenull_ _Post_valid_ PVOID Param2, _In_opt_ LONG DpiValue ); FORCEINLINE ULONG PhGetClassStyle( _In_ HWND WindowHandle ) { return (ULONG)GetClassLongPtr(WindowHandle, GCL_STYLE); } FORCEINLINE VOID PhSetClassStyle( _In_ HWND Handle, _In_ ULONG Mask, _In_ ULONG Value ) { ULONG style; style = (ULONG)GetClassLongPtr(Handle, GCL_STYLE); style = (style & ~Mask) | (Value & Mask); SetClassLongPtr(Handle, GCL_STYLE, style); } FORCEINLINE ULONG PhGetWindowStyle( _In_ HWND WindowHandle ) { return (ULONG)GetWindowLongPtr(WindowHandle, GWL_STYLE); } FORCEINLINE ULONG PhGetWindowStyleEx( _In_ HWND WindowHandle ) { return (ULONG)GetWindowLongPtr(WindowHandle, GWL_EXSTYLE); } FORCEINLINE VOID PhSetWindowStyle( _In_ HWND Handle, _In_ ULONG Mask, _In_ ULONG Value ) { ULONG style; style = (ULONG)GetWindowLongPtr(Handle, GWL_STYLE); style = (style & ~Mask) | (Value & Mask); SetWindowLongPtr(Handle, GWL_STYLE, style); } FORCEINLINE VOID PhSetWindowExStyle( _In_ HWND Handle, _In_ ULONG Mask, _In_ ULONG Value ) { ULONG style; style = (ULONG)GetWindowLongPtr(Handle, GWL_EXSTYLE); style = (style & ~Mask) | (Value & Mask); SetWindowLongPtr(Handle, GWL_EXSTYLE, style); } FORCEINLINE WNDPROC PhGetWindowProcedure( _In_ HWND WindowHandle ) { return (WNDPROC)GetWindowLongPtr(WindowHandle, GWLP_WNDPROC); } FORCEINLINE WNDPROC PhSetWindowProcedure( _In_ HWND WindowHandle, _In_ WNDPROC SubclassProcedure ) { return (WNDPROC)SetWindowLongPtr(WindowHandle, GWLP_WNDPROC, (LONG_PTR)SubclassProcedure); } FORCEINLINE BOOL PhGetClassInfo( _In_opt_ HINSTANCE Instance, _In_ PCWSTR ClassName, _Out_ PWNDCLASS WindowClass ) { return GetClassInfo(Instance, ClassName, WindowClass); } FORCEINLINE RTL_ATOM PhGetClassInfoEx( _In_opt_ HINSTANCE Instance, _In_ PCWSTR ClassName, _Out_ PWNDCLASSEX WindowClass ) { // Note: GetClassInfoEx returns BOOL but contains the RTL_ATOM (dmex) return (RTL_ATOM)GetClassInfoEx(Instance, ClassName, WindowClass); } #define PH_WINDOW_TIMER_DEFAULT 0xF FORCEINLINE ULONG_PTR PhSetTimer( _In_ HWND WindowHandle, _In_ ULONG_PTR TimerID, _In_ ULONG Elapse, _In_opt_ TIMERPROC TimerProcedure ) { assert(WindowHandle); return SetTimer(WindowHandle, TimerID, Elapse, TimerProcedure); } FORCEINLINE BOOL PhKillTimer( _In_ HWND WindowHandle, _In_ ULONG_PTR TimerID ) { assert(WindowHandle); return KillTimer(WindowHandle, TimerID); } FORCEINLINE VOID PhBringWindowToTop( _In_ HWND WindowHandle ) { // Move the window to the top of the Z-order. (dmex) // This is a workaround for a Windows or third party issue breaking // SetForegroundWindow and displaying the main window behind other programs. // https://github.com/winsiderss/systeminformer/issues/639 SetWindowPos( WindowHandle, HWND_TOP, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE | SWP_SHOWWINDOW | SWP_NOACTIVATE ); } #define IDC_DIVIDER MAKEINTRESOURCE(106) // comctl32.dll FORCEINLINE HCURSOR NTAPI PhLoadCursor( _In_opt_ PVOID BaseAddress, _In_ PCWSTR CursorName ) { return (HCURSOR)LoadImage((HINSTANCE)BaseAddress, CursorName, IMAGE_CURSOR, 0, 0, LR_SHARED); //return LoadCursor((HINSTANCE)BaseAddress, CursorName); } FORCEINLINE HCURSOR NTAPI PhGetCursor( VOID ) { return GetCursor(); } FORCEINLINE HCURSOR NTAPI PhSetCursor( _In_opt_ HCURSOR CursorHandle ) { return SetCursor(CursorHandle); } FORCEINLINE BOOLEAN NTAPI PhGetKeyState( _In_ LONG VirtualKey ) { return GetKeyState(VirtualKey) < 0; } #ifndef WM_REFLECT #define WM_REFLECT 0x2000 #endif FORCEINLINE LRESULT PhReflectMessage( _In_ HWND Handle, _In_ ULONG Message, _In_ WPARAM wParam, _In_ LPARAM lParam ) { if (Message == WM_NOTIFY) { LPNMHDR header = (LPNMHDR)lParam; if (header->hwndFrom == Handle) return SendMessage(Handle, WM_REFLECT + Message, wParam, lParam); } return 0; } #define REFLECT_MESSAGE(hwnd, msg, wParam, lParam) \ { \ LRESULT result_ = PhReflectMessage(hwnd, msg, wParam, lParam); \ \ if (result_) \ return result_; \ } #define REFLECT_MESSAGE_DLG(WindowHandle, hwnd, msg, wParam, lParam) \ { \ LRESULT result_ = PhReflectMessage(hwnd, msg, wParam, lParam); \ \ if (result_) \ { \ SetWindowLongPtr(WindowHandle, DWLP_MSGRESULT, result_); \ return TRUE; \ } \ } FORCEINLINE VOID PhSetListViewStyle( _In_ HWND Handle, _In_ BOOLEAN AllowDragDrop, _In_ BOOLEAN ShowLabelTips ) { ULONG style; style = LVS_EX_FULLROWSELECT | LVS_EX_DOUBLEBUFFER | LVS_EX_INFOTIP; if (AllowDragDrop) style |= LVS_EX_HEADERDRAGDROP; if (ShowLabelTips) style |= LVS_EX_LABELTIP; ListView_SetExtendedListViewStyleEx( Handle, style, INT_ERROR ); } PHLIBAPI LONG NTAPI PhAddListViewColumnDpi( _In_ HWND ListViewHandle, _In_ LONG ListViewDpi, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ); PHLIBAPI LONG NTAPI PhAddListViewColumn( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ); PHLIBAPI LONG NTAPI PhAddListViewItem( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ); PHLIBAPI LONG NTAPI PhFindListViewItemByFlags( _In_ HWND ListViewHandle, _In_ LONG StartIndex, _In_ ULONG Flags ); PHLIBAPI LONG NTAPI PhFindListViewItemByParam( _In_ HWND ListViewHandle, _In_ LONG StartIndex, _In_opt_ PVOID Param ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetListViewItemImageIndex( _In_ HWND ListViewHandle, _In_ LONG Index, _Out_ PLONG ImageIndex ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetListViewItemParam( _In_ HWND ListViewHandle, _In_ LONG Index, _Outptr_ PVOID *Param ); PHLIBAPI BOOLEAN NTAPI PhSetListViewItemParam( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ PVOID Param ); PHLIBAPI VOID NTAPI PhRemoveListViewItem( _In_ HWND ListViewHandle, _In_ LONG Index ); PHLIBAPI VOID NTAPI PhSetListViewItemImageIndex( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG ImageIndex ); PHLIBAPI VOID NTAPI PhSetListViewSubItem( _In_ HWND ListViewHandle, _In_ LONG Index, _In_ LONG SubItemIndex, _In_ PCWSTR Text ); PHLIBAPI VOID NTAPI PhRedrawListViewItems( _In_ HWND ListViewHandle ); PHLIBAPI LONG NTAPI PhAddListViewGroup( _In_ HWND ListViewHandle, _In_ LONG GroupId, _In_ PCWSTR Text ); PHLIBAPI LONG NTAPI PhAddListViewGroupItem( _In_ HWND ListViewHandle, _In_ LONG GroupId, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ); PHLIBAPI LONG NTAPI PhAddTabControlTab( _In_ HWND TabControlHandle, _In_ LONG Index, _In_ PCWSTR Text ); #define PhaGetDlgItemText(WindowHandle, id) \ PH_AUTO_T(PH_STRING, PhGetWindowText(GetDlgItem(WindowHandle, id))) PHLIBAPI PPH_STRING NTAPI PhGetWindowText( _In_ HWND WindowHandle ); #define PhaGetWindowText(WindowHandle) \ PH_AUTO_T(PH_STRING, PhGetWindowText(WindowHandle)) #define PH_GET_WINDOW_TEXT_INTERNAL 0x1 #define PH_GET_WINDOW_TEXT_LENGTH_ONLY 0x2 PHLIBAPI ULONG NTAPI PhGetWindowTextEx( _In_ HWND WindowHandle, _In_ ULONG Flags, _Out_opt_ PPH_STRING *Text ); PHLIBAPI NTSTATUS NTAPI PhGetWindowTextToBuffer( _In_ HWND WindowHandle, _In_ ULONG Flags, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_opt_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ); FORCEINLINE VOID NTAPI PhAddComboBoxStrings( _In_ HWND WindowHandle, _In_ PCWSTR* Strings, _In_ ULONG NumberOfStrings ) { for (ULONG i = 0; i < NumberOfStrings; i++) ComboBox_AddString(WindowHandle, Strings[i]); } FORCEINLINE VOID NTAPI PhAddComboBoxStringRefs( _In_ HWND WindowHandle, _In_ CONST PCPH_STRINGREF* Strings, _In_ ULONG NumberOfStrings ) { for (ULONG i = 0; i < NumberOfStrings; i++) ComboBox_AddString(WindowHandle, Strings[i]->Buffer); } PHLIBAPI NTSTATUS NTAPI PhGetClassName( _In_ HWND WindowHandle, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI PPH_STRING NTAPI PhGetComboBoxString( _In_ HWND WindowHandle, _In_ LONG Index ); PHLIBAPI LONG NTAPI PhSelectComboBoxString( _In_ HWND WindowHandle, _In_ PCWSTR String, _In_ BOOLEAN Partial ); PHLIBAPI VOID NTAPI PhDeleteComboBoxStrings( _In_ HWND ComboBoxHandle, _In_ BOOLEAN ResetContent ); PHLIBAPI PPH_STRING NTAPI PhGetListBoxString( _In_ HWND WindowHandle, _In_ LONG Index ); PHLIBAPI VOID NTAPI PhSetStateAllListViewItems( _In_ HWND WindowHandle, _In_ ULONG State, _In_ ULONG Mask ); PHLIBAPI PVOID NTAPI PhGetSelectedListViewItemParam( _In_ HWND WindowHandle ); PHLIBAPI VOID NTAPI PhGetSelectedListViewItemParams( _In_ HWND WindowHandle, _Out_ PVOID **Items, _Out_ PULONG NumberOfItems ); FORCEINLINE IListView* NTAPI PhGetListViewInterface( _In_ HWND ListViewHandle ) { IListView* listviewInterface = NULL; SendMessage( ListViewHandle, LVM_QUERYINTERFACE, (WPARAM)&IID_IListView, (LPARAM)&listviewInterface ); return listviewInterface; } #define PhDestroyListViewInterface(ListViewClass) \ if (ListViewClass) IListView_Release((struct IListView*)(ListViewClass)); PHLIBAPI VOID NTAPI PhSetImageListBitmap( _In_ HIMAGELIST ImageList, _In_ LONG Index, _In_ HINSTANCE InstanceHandle, _In_ PCWSTR BitmapName ); #define PH_LOAD_ICON_SHARED 0x1 #define PH_LOAD_ICON_SIZE_SMALL 0x2 #define PH_LOAD_ICON_SIZE_LARGE 0x4 #define PH_LOAD_ICON_STRICT 0x8 PHLIBAPI HICON NTAPI PhLoadIcon( _In_opt_ PVOID ImageBaseAddress, _In_ PCWSTR Name, _In_ ULONG Flags, _In_opt_ LONG Width, _In_opt_ LONG Height, _In_opt_ LONG SystemDpi ); PHLIBAPI VOID NTAPI PhGetStockApplicationIcon( _Out_opt_ HICON *SmallIcon, _Out_opt_ HICON *LargeIcon ); //PHLIBAPI //HICON PhGetFileShellIcon( // _In_opt_ PWSTR FileName, // _In_opt_ PWSTR DefaultExtension, // _In_ BOOLEAN LargeIcon // ); PHLIBAPI VOID NTAPI PhSetClipboardString( _In_ HWND WindowHandle, _In_ PCPH_STRINGREF String ); PHLIBAPI PPH_STRING NTAPI PhGetClipboardString( _In_ HWND WindowHandle ); #include typedef struct _DLGTEMPLATEEX { USHORT dlgVer; USHORT signature; ULONG helpID; ULONG exStyle; ULONG style; USHORT cDlgItems; SHORT x; SHORT y; SHORT cx; SHORT cy; //sz_Or_Ord menu; //sz_Or_Ord windowClass; //WCHAR title[titleLen]; //USHORT pointsize; //USHORT weight; //BYTE italic; //BYTE charset; //WCHAR typeface[stringLen]; } DLGTEMPLATEEX, *PDLGTEMPLATEEX; #include PHLIBAPI HWND NTAPI PhCreateDialogFromTemplate( _In_ HWND Parent, _In_ ULONG Style, _In_ PVOID Instance, _In_ PCWSTR Template, _In_ DLGPROC DialogProc, _In_ PVOID Parameter ); PHLIBAPI HWND NTAPI PhCreateDialog( _In_ PVOID Instance, _In_ PCWSTR Template, _In_opt_ HWND ParentWindow, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ); PHLIBAPI HWND NTAPI PhCreateWindowEx( _In_ PCWSTR ClassName, _In_opt_ PCWSTR WindowName, _In_ ULONG Style, _In_ ULONG ExStyle, _In_ LONG X, _In_ LONG Y, _In_ LONG Width, _In_ LONG Height, _In_opt_ HWND ParentWindow, _In_opt_ HMENU MenuHandle, _In_opt_ PVOID InstanceHandle, _In_opt_ PVOID Parameter ); #define PhCreateWindow(ClassName, WindowName, Style, X, Y, Width, Height, ParentWindow, MenuHandle, InstanceHandle, Parameter) \ PhCreateWindowEx(ClassName, WindowName, Style, 0, X, Y, Width, Height, ParentWindow, MenuHandle, InstanceHandle, Parameter) //FORCEINLINE //HWND //PhCreateWindow( // _In_ PCWSTR ClassName, // _In_opt_ PCWSTR WindowName, // _In_ ULONG Style, // _In_ LONG X, // _In_ LONG Y, // _In_ LONG Width, // _In_ LONG Height, // _In_opt_ HWND ParentWindow, // _In_opt_ HMENU MenuHandle, // _In_opt_ PVOID InstanceHandle, // _In_opt_ PVOID Parameter // ) //{ // return PhCreateWindowEx( // ClassName, // WindowName, // Style, // 0, // X, // Y, // Width, // Height, // ParentWindow, // MenuHandle, // InstanceHandle, // Parameter // ); //} PHLIBAPI INT_PTR NTAPI PhDialogBox( _In_ PVOID Instance, _In_ PCWSTR Template, _In_opt_ HWND ParentWindow, _In_ DLGPROC DialogProc, _In_opt_ PVOID Parameter ); PHLIBAPI HMENU NTAPI PhLoadMenu( _In_ PVOID DllBase, _In_ PCWSTR MenuName ); PHLIBAPI BOOLEAN NTAPI PhModalPropertySheet( _Inout_ PROPSHEETHEADER *Header ); #define PH_ANCHOR_LEFT 0x1 #define PH_ANCHOR_TOP 0x2 #define PH_ANCHOR_RIGHT 0x4 #define PH_ANCHOR_BOTTOM 0x8 #define PH_ANCHOR_ALL 0xf // This interface is horrible and should be rewritten, but it works for now. #define PH_LAYOUT_FORCE_INVALIDATE 0x1000 // invalidate the control when it is resized #define PH_LAYOUT_TAB_CONTROL 0x2000 // this is a dummy item, a hack for the tab control #define PH_LAYOUT_IMMEDIATE_RESIZE 0x4000 // needed for the tab control hack #define PH_LAYOUT_DUMMY_MASK (PH_LAYOUT_TAB_CONTROL) // items that don't have a window handle, or don't actually get their window resized typedef struct _PH_LAYOUT_ITEM { HWND Handle; struct _PH_LAYOUT_ITEM *ParentItem; // for rectangle calculation struct _PH_LAYOUT_ITEM *LayoutParentItem; // for actual resizing ULONG LayoutNumber; ULONG NumberOfChildren; HDWP DeferHandle; RECT Rect; RECT Margin; ULONG Anchor; } PH_LAYOUT_ITEM, *PPH_LAYOUT_ITEM; typedef struct _PH_LAYOUT_MANAGER { PPH_LIST List; PH_LAYOUT_ITEM RootItem; ULONG LayoutNumber; LONG WindowDpi; } PH_LAYOUT_MANAGER, *PPH_LAYOUT_MANAGER; PHLIBAPI BOOLEAN NTAPI PhInitializeLayoutManager( _Out_ PPH_LAYOUT_MANAGER Manager, _In_ HWND RootWindowHandle ); PHLIBAPI VOID NTAPI PhDeleteLayoutManager( _Inout_ PPH_LAYOUT_MANAGER Manager ); PHLIBAPI PPH_LAYOUT_ITEM NTAPI PhAddLayoutItem( _Inout_ PPH_LAYOUT_MANAGER Manager, _In_ HWND Handle, _In_opt_ PPH_LAYOUT_ITEM ParentItem, _In_ ULONG Anchor ); PHLIBAPI PPH_LAYOUT_ITEM NTAPI PhAddLayoutItemEx( _Inout_ PPH_LAYOUT_MANAGER Manager, _In_ HWND Handle, _In_opt_ PPH_LAYOUT_ITEM ParentItem, _In_ ULONG Anchor, _In_ PRECT Margin ); PHLIBAPI VOID NTAPI PhLayoutManagerLayout( _Inout_ PPH_LAYOUT_MANAGER Manager ); PHLIBAPI VOID NTAPI PhLayoutManagerUpdate( _Inout_ PPH_LAYOUT_MANAGER Manager, _In_ LONG WindowDpi ); #define PH_WINDOW_CONTEXT_DEFAULT 0xFFFF PHLIBAPI PVOID NTAPI PhGetWindowContext( _In_ HWND WindowHandle, _In_ ULONG PropertyHash ); PHLIBAPI VOID NTAPI PhSetWindowContext( _In_ HWND WindowHandle, _In_ ULONG PropertyHash, _In_ PVOID Context ); PHLIBAPI VOID NTAPI PhRemoveWindowContext( _In_ HWND WindowHandle, _In_ ULONG PropertyHash ); /** * Retrieves the window context pointer associated with a window handle. * * \param[in] WindowHandle A handle to the window from which to retrieve the context. * \return A pointer to the window context, or NULL if no context has been set. * * */ FORCEINLINE PVOID NTAPI PhGetWindowContextEx( _In_ HWND WindowHandle ) { #if defined(PHNT_WINDOW_CLASS_CONTEXT) return PhGetWindowContext(WindowHandle, MAXCHAR); #else //assert(GetClassLongPtr(WindowHandle, GCL_CBWNDEXTRA) == sizeof(PVOID)); return (PVOID)GetWindowLongPtr(WindowHandle, 0); #endif } /** * Sets the extended window context for a window handle. * * \param[in] WindowHandle The handle to the window for which to set the context. * \param[in] Context A pointer to the context data to associate with the window. * \return This function does not return a value. * \remarks The window must have sufficient extra bytes allocated to store a PVOID * if PHNT_WINDOW_CLASS_CONTEXT is not defined. */ FORCEINLINE VOID NTAPI PhSetWindowContextEx( _In_ HWND WindowHandle, _In_ PVOID Context ) { #if defined(PHNT_WINDOW_CLASS_CONTEXT) PhSetWindowContext(WindowHandle, MAXCHAR, Context); #else //assert(GetClassLongPtr(WindowHandle, GCL_CBWNDEXTRA) == sizeof(PVOID)); SetWindowLongPtr(WindowHandle, 0, (LONG_PTR)Context); #endif } /** * Removes the window context from a window handle. * * \param[in] WindowHandle The handle to the window from which to remove the context. * \remarks * If PHNT_WINDOW_CLASS_CONTEXT is defined, this function delegates to PhRemoveWindowContext * with MAXCHAR as the context identifier. Otherwise, it clears the window's extra data by * setting the window long pointer at offset 0 to NULL. */ FORCEINLINE VOID NTAPI PhRemoveWindowContextEx( _In_ HWND WindowHandle ) { #if defined(PHNT_WINDOW_CLASS_CONTEXT) PhRemoveWindowContext(WindowHandle, MAXCHAR); #else //assert(GetClassLongPtr(WindowHandle, GCL_CBWNDEXTRA) == sizeof(PVOID)); SetWindowLongPtr(WindowHandle, 0, (LONG_PTR)NULL); #endif } FORCEINLINE PVOID NTAPI PhGetDialogContext( _In_ HWND WindowHandle ) { #if defined(PHNT_WINDOW_CLASS_CONTEXT) return PhGetWindowContext(WindowHandle, MAXCHAR); #else return (PVOID)GetWindowLongPtr(WindowHandle, DWLP_USER); #endif } FORCEINLINE VOID NTAPI PhSetDialogContext( _In_ HWND WindowHandle, _In_ PVOID Context ) { #if defined(PHNT_WINDOW_CLASS_CONTEXT) PhSetWindowContext(WindowHandle, MAXCHAR, Context); #else SetWindowLongPtr(WindowHandle, DWLP_USER, (LONG_PTR)Context); #endif } FORCEINLINE VOID NTAPI PhRemoveDialogContext( _In_ HWND WindowHandle ) { #if defined(PHNT_WINDOW_CLASS_CONTEXT) PhRemoveWindowContext(WindowHandle, MAXCHAR); #else SetWindowLongPtr(WindowHandle, DWLP_USER, (LONG_PTR)NULL); #endif } FORCEINLINE VOID NTAPI PhSetWindowRedraw( _In_ HWND WindowHandle, _In_ BOOLEAN Enable ) { SendMessage(WindowHandle, WM_SETREDRAW, Enable, 0); } FORCEINLINE BOOL NTAPI PhInvalidateRect( _In_ HWND WindowHandle, _In_opt_ CONST RECT* Rect, _In_ BOOL Erase ) { return InvalidateRect(WindowHandle, Rect, Erase); } FORCEINLINE VOID NTAPI PhUpdateWindow( _In_ HWND WindowHandle ) { UpdateWindow(WindowHandle); } FORCEINLINE VOID NTAPI PhInvalidateUpdateWindow( _In_ HWND WindowHandle ) { PhInvalidateRect(WindowHandle, NULL, TRUE); PhUpdateWindow(WindowHandle); } FORCEINLINE VOID NTAPI PhRedrawWindow( _In_ HWND WindowHandle ) { // You should use RedrawWindow with the specified flags, instead of InvalidateRect, // because the former is necessary for some controls that have nonclient area of their own, // or have window styles that cause them to be given a nonclient area (such as WS_THICKFRAME, WS_BORDER, or WS_EX_CLIENTEDGE). // If the control does not have a nonclient area, then RedrawWindow with these flags // will do only as much invalidation as InvalidateRect would. // https://learn.microsoft.com/en-us/windows/win32/gdi/wm-setredraw RedrawWindow(WindowHandle, NULL, NULL, RDW_ERASE | RDW_FRAME | RDW_INVALIDATE | RDW_ALLCHILDREN); } typedef _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN NTAPI PH_WINDOW_ENUM_CALLBACK( _In_ HWND WindowHandle, _In_opt_ PVOID Context ); typedef PH_WINDOW_ENUM_CALLBACK* PPH_WINDOW_ENUM_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhEnumWindows( _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumWindowsEx( _In_opt_ HWND ParentWindow, _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumGetWindow( _In_opt_ HWND StartWindow, _In_ ULONG Command, _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumWindowsZOrder( _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumChildWindows( _In_opt_ HWND WindowHandle, _In_ PH_WINDOW_ENUM_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhBuildHwndList( _In_opt_ HANDLE DesktopHandle, _In_opt_ HWND ParentWindowHandle, _In_ BOOLEAN IncludeChildren, _In_ BOOLEAN ExcludeImmersive, _In_opt_ HANDLE ThreadId, _Out_ PULONG NumberOfHandles, _Outptr_result_buffer_(*NumberOfHandles) HWND** Handles ); HWND NTAPI PhGetProcessMainWindow( _In_opt_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle ); HWND NTAPI PhGetProcessMainWindowEx( _In_opt_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ BOOLEAN SkipInvisible ); PHLIBAPI ULONG NTAPI PhGetDialogItemValue( _In_ HWND WindowHandle, _In_ LONG ControlID ); PHLIBAPI VOID NTAPI PhSetDialogItemValue( _In_ HWND WindowHandle, _In_ LONG ControlID, _In_ ULONG Value, _In_ BOOLEAN Signed ); PHLIBAPI BOOLEAN NTAPI PhSetDialogItemText( _In_ HWND WindowHandle, _In_ LONG ControlID, _In_ PCWSTR WindowText ); PHLIBAPI BOOLEAN NTAPI PhSetWindowText( _In_ HWND WindowHandle, _In_ PCWSTR WindowText ); PHLIBAPI VOID NTAPI PhSetGroupBoxText( _In_ HWND WindowHandle, _In_ PCWSTR WindowText ); PHLIBAPI VOID NTAPI PhSetWindowAlwaysOnTop( _In_ HWND WindowHandle, _In_ BOOLEAN AlwaysOnTop ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhSendMessageTimeout( _In_ HWND WindowHandle, _In_ ULONG WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam, _In_ ULONG Timeout, _Out_opt_ PULONG_PTR Result ); FORCEINLINE ULONG PhGetWindowTextLength( _In_ HWND WindowHandle ) { return (ULONG)SendMessage(WindowHandle, WM_GETTEXTLENGTH, 0, 0); // DefWindowProc } FORCEINLINE VOID PhSetDialogFocus( _In_ HWND WindowHandle, _In_ HWND FocusHandle ) { // Do not use the SendMessage function to send a WM_NEXTDLGCTL message if your application will // concurrently process other messages that set the focus. Use the PostMessage function instead. SendMessage(WindowHandle, WM_NEXTDLGCTL, (WPARAM)FocusHandle, MAKELPARAM(TRUE, 0)); } FORCEINLINE VOID PhResizingMinimumSize( _Inout_ PRECT Rect, _In_ WPARAM Edge, _In_ LONG MinimumWidth, _In_ LONG MinimumHeight ) { if (Edge == WMSZ_BOTTOMRIGHT || Edge == WMSZ_RIGHT || Edge == WMSZ_TOPRIGHT) { if (Rect->right - Rect->left < MinimumWidth) Rect->right = Rect->left + MinimumWidth; } else if (Edge == WMSZ_BOTTOMLEFT || Edge == WMSZ_LEFT || Edge == WMSZ_TOPLEFT) { if (Rect->right - Rect->left < MinimumWidth) Rect->left = Rect->right - MinimumWidth; } if (Edge == WMSZ_BOTTOMRIGHT || Edge == WMSZ_BOTTOM || Edge == WMSZ_BOTTOMLEFT) { if (Rect->bottom - Rect->top < MinimumHeight) Rect->bottom = Rect->top + MinimumHeight; } else if (Edge == WMSZ_TOPRIGHT || Edge == WMSZ_TOP || Edge == WMSZ_TOPLEFT) { if (Rect->bottom - Rect->top < MinimumHeight) Rect->top = Rect->bottom - MinimumHeight; } } FORCEINLINE VOID PhCopyControlRectangle( _In_ HWND ParentWindowHandle, _In_ HWND FromControlHandle, _In_ HWND ToControlHandle ) { RECT windowRect; if (!PhGetWindowRect(FromControlHandle, &windowRect)) return; MapWindowRect(NULL, ParentWindowHandle, &windowRect); MoveWindow(ToControlHandle, windowRect.left, windowRect.top, windowRect.right - windowRect.left, windowRect.bottom - windowRect.top, FALSE); } // icotobmp PHLIBAPI HBITMAP NTAPI PhIconToBitmap( _In_ HICON Icon, _In_ LONG Width, _In_ LONG Height ); PHLIBAPI VOID NTAPI PhBitmapSetAlpha( _In_ PVOID Bits, _In_ LONG Width, _In_ LONG Height ); // // Extended ListView // #define PH_ALIGN_CENTER 0x0 #define PH_ALIGN_LEFT 0x1 #define PH_ALIGN_RIGHT 0x2 #define PH_ALIGN_TOP 0x4 #define PH_ALIGN_BOTTOM 0x8 #define PH_ALIGN_MONOSPACE_FONT 0x80000000 typedef enum _PH_ITEM_STATE { // The item is normal. Use the ItemColorFunction to determine the color of the item. NormalItemState = 0, // The item is new. On the next tick, change the state to NormalItemState. When an item is in // this state, highlight it in NewColor. NewItemState, // The item is being removed. On the next tick, delete the item. When an item is in this state, // highlight it in RemovingColor. RemovingItemState } PH_ITEM_STATE; typedef _Function_class_(PH_EXTLV_GET_ITEM_COLOR) COLORREF NTAPI PH_EXTLV_GET_ITEM_COLOR( _In_ LONG Index, _In_ PVOID Param, _In_opt_ PVOID Context ); typedef PH_EXTLV_GET_ITEM_COLOR* PPH_EXTLV_GET_ITEM_COLOR; typedef _Function_class_(PH_EXTLV_GET_ITEM_FONT) HFONT NTAPI PH_EXTLV_GET_ITEM_FONT( _In_ LONG Index, _In_ PVOID Param, _In_opt_ PVOID Context ); typedef PH_EXTLV_GET_ITEM_FONT* PPH_EXTLV_GET_ITEM_FONT; typedef struct _PH_EXTLV_SETCOMPAREFUNCTION { PPH_COMPARE_FUNCTION CompareFunction; } PH_EXTLV_SETCOMPAREFUNCTION, *PPH_EXTLV_SETCOMPAREFUNCTION; typedef struct _PH_EXTLV_SETITEMCOLORFUNCTION { PPH_EXTLV_GET_ITEM_COLOR ColorFunction; } PH_EXTLV_SETITEMCOLORFUNCTION, *PPH_EXTLV_SETITEMCOLORFUNCTION; typedef struct _PH_EXTLV_SETITEMFONTFUNCTION { PPH_EXTLV_GET_ITEM_FONT FontFunction; } PH_EXTLV_SETITEMFONTFUNCTION, *PPH_EXTLV_SETITEMFONTFUNCTION; PHLIBAPI VOID NTAPI PhSetExtendedListView( _In_ HWND WindowHandle ); PHLIBAPI VOID NTAPI PhSetExtendedListViewEx( _In_ HWND WindowHandle, _In_ ULONG SortColumn, _In_ ULONG SortOrder ); PHLIBAPI VOID NTAPI PhSetHeaderSortIcon( _In_ HWND hwnd, _In_ LONG Index, _In_ PH_SORT_ORDER Order ); // next 1122 #define ELVM_INIT (WM_APP + 1102) #define ELVM_ADDFALLBACKCOLUMN (WM_APP + 1106) #define ELVM_ADDFALLBACKCOLUMNS (WM_APP + 1109) #define ELVM_RESERVED5 (WM_APP + 1120) #define ELVM_SETCOLUMNWIDTH (WM_APP + 1121) #define ELVM_SETCOMPAREFUNCTION (WM_APP + 1104) #define ELVM_SETCONTEXT (WM_APP + 1103) #define ELVM_SETCURSOR (WM_APP + 1114) #define ELVM_RESERVED4 (WM_APP + 1118) #define ELVM_SETITEMCOLORFUNCTION (WM_APP + 1111) #define ELVM_SETITEMFONTFUNCTION (WM_APP + 1117) #define ELVM_RESERVED1 (WM_APP + 1112) #define ELVM_SETREDRAW (WM_APP + 1116) #define ELVM_GETSORT (WM_APP + 1113) #define ELVM_SETSORT (WM_APP + 1108) #define ELVM_SETSORTFAST (WM_APP + 1119) #define ELVM_RESERVED0 (WM_APP + 1110) #define ELVM_SETTRISTATE (WM_APP + 1107) #define ELVM_SETTRISTATECOMPAREFUNCTION (WM_APP + 1105) #define ELVM_SORTITEMS (WM_APP + 1101) #define ELVM_RESERVED3 (WM_APP + 1115) #define ExtendedListView_AddFallbackColumn(hWnd, Column) \ SendMessage((hWnd), ELVM_ADDFALLBACKCOLUMN, (WPARAM)(Column), 0) #define ExtendedListView_AddFallbackColumns(hWnd, NumberOfColumns, Columns) \ SendMessage((hWnd), ELVM_ADDFALLBACKCOLUMNS, (WPARAM)(NumberOfColumns), (LPARAM)(Columns)) #define ExtendedListView_Init(hWnd) \ SendMessage((hWnd), ELVM_INIT, 0, 0) #define ExtendedListView_SetColumnWidth(hWnd, Column, Width) \ SendMessage((hWnd), ELVM_SETCOLUMNWIDTH, (WPARAM)(Column), (LPARAM)(Width)) #define ExtendedListView_SetCompareFunction(hWnd, Column, CompareFunction) \ SendMessage((hWnd), ELVM_SETCOMPAREFUNCTION, (WPARAM)(Column), (LPARAM)(CompareFunction)) #define ExtendedListView_SetContext(hWnd, Context) \ SendMessage((hWnd), ELVM_SETCONTEXT, 0, (LPARAM)(Context)) #define ExtendedListView_SetCursor(hWnd, Cursor) \ SendMessage((hWnd), ELVM_SETCURSOR, 0, (LPARAM)(Cursor)) #define ExtendedListView_SetItemColorFunction(hWnd, ItemColorFunction) \ SendMessage((hWnd), ELVM_SETITEMCOLORFUNCTION, 0, (LPARAM)(ItemColorFunction)) #define ExtendedListView_SetItemFontFunction(hWnd, ItemFontFunction) \ SendMessage((hWnd), ELVM_SETITEMFONTFUNCTION, 0, (LPARAM)(ItemFontFunction)) #define ExtendedListView_SetRedraw(hWnd, Redraw) \ SendMessage((hWnd), ELVM_SETREDRAW, (WPARAM)(Redraw), 0) #define ExtendedListView_GetSort(hWnd, Column, Order) \ SendMessage((hWnd), ELVM_GETSORT, (WPARAM)(Column), (LPARAM)(Order)) #define ExtendedListView_SetSort(hWnd, Column, Order) \ SendMessage((hWnd), ELVM_SETSORT, (WPARAM)(Column), (LPARAM)(Order)) #define ExtendedListView_SetSortFast(hWnd, Fast) \ SendMessage((hWnd), ELVM_SETSORTFAST, (WPARAM)(Fast), 0) #define ExtendedListView_SetTriState(hWnd, TriState) \ SendMessage((hWnd), ELVM_SETTRISTATE, (WPARAM)(TriState), 0) #define ExtendedListView_SetTriStateCompareFunction(hWnd, CompareFunction) \ SendMessage((hWnd), ELVM_SETTRISTATECOMPAREFUNCTION, 0, (LPARAM)(CompareFunction)) #define ExtendedListView_SortItems(hWnd) \ SendMessage((hWnd), ELVM_SORTITEMS, 0, 0) #define ELVSCW_AUTOSIZE (-1) #define ELVSCW_AUTOSIZE_USEHEADER (-2) #define ELVSCW_AUTOSIZE_REMAININGSPACE (-3) // // Listview Wrappers // typedef struct _PH_LISTVIEW_CONTEXT { HWND ListViewHandle; IListView* ListViewInterface; HANDLE ThreadId; } PH_LISTVIEW_CONTEXT, *PPH_LISTVIEW_CONTEXT; PHLIBAPI PPH_LISTVIEW_CONTEXT NTAPI PhListView_Initialize( _In_ HWND ListViewHandle ); PHLIBAPI VOID NTAPI PhListView_Destroy( _In_ PPH_LISTVIEW_CONTEXT Context ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhListView_GetItemCount( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ PLONG ItemCount ); PHLIBAPI BOOLEAN NTAPI PhListView_SetItemCount( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemCount, _In_ ULONG Flags ); PHLIBAPI BOOLEAN NTAPI PhListView_GetItem( _In_ PPH_LISTVIEW_CONTEXT Context, _Inout_ LVITEM* Item ); PHLIBAPI BOOLEAN NTAPI PhListView_SetItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LVITEM* Item ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhListView_GetItemText( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ LONG SubItemIndex, _Out_writes_(BufferSize) PWSTR Buffer, _In_ LONG BufferSize ); PHLIBAPI BOOLEAN NTAPI PhListView_SetItemText( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ LONG SubItemIndex, _In_ PWSTR Text ); PHLIBAPI BOOLEAN NTAPI PhListView_DeleteItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex ); PHLIBAPI BOOLEAN NTAPI PhListView_DeleteAllItems( _In_ PPH_LISTVIEW_CONTEXT Context ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhListView_InsertItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LVITEMW* Item, _Out_opt_ PLONG ItemIndex ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhListView_InsertGroup( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG InsertAt, _In_ LVGROUP* Group, _Out_opt_ PLONG GroupId ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhListView_GetItemState( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ ULONG Mask, _Out_ PULONG State ); PHLIBAPI BOOLEAN NTAPI PhListView_SetItemState( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ ULONG State, _In_ ULONG Mask ); PHLIBAPI BOOLEAN NTAPI PhListView_SortItems( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ BOOL SortingByIndex, _In_ PFNLVCOMPARE Compare, _In_ PVOID CompareContext ); PHLIBAPI BOOLEAN NTAPI PhListView_GetColumn( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG ColumnIndex, _Inout_ LV_COLUMN* Column ); PHLIBAPI BOOLEAN NTAPI PhListView_SetColumn( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG ColumnIndex, _In_ LV_COLUMN* Column ); PHLIBAPI BOOLEAN NTAPI PhListView_SetColumnWidth( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG ColumnIndex, _In_ ULONG Width ); PHLIBAPI BOOLEAN NTAPI PhListView_GetHeader( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ HWND* WindowHandle ); PHLIBAPI BOOLEAN NTAPI PhListView_GetToolTip( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ HWND* WindowHandle ); PHLIBAPI LONG NTAPI PhListView_AddColumn( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _In_ LONG DisplayIndex, _In_ LONG SubItemIndex, _In_ LONG Format, _In_ LONG Width, _In_ PCWSTR Text ); PHLIBAPI LONG NTAPI PhListView_AddItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ); PHLIBAPI LONG NTAPI PhListView_FindItemByFlags( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG StartIndex, _In_ ULONG Flags ); PHLIBAPI LONG NTAPI PhListView_FindItemByParam( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG StartIndex, _In_opt_ PVOID Param ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhListView_GetItemParam( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _Outptr_ PVOID* Param ); PHLIBAPI VOID NTAPI PhListView_SetSubItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG Index, _In_ LONG SubItemIndex, _In_ PCWSTR Text ); PHLIBAPI VOID NTAPI PhListView_RedrawItems( _In_ PPH_LISTVIEW_CONTEXT Context ); PHLIBAPI LONG NTAPI PhListView_AddGroup( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG GroupId, _In_ PCWSTR Text ); PHLIBAPI LONG NTAPI PhListView_AddGroupItem( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG GroupId, _In_ LONG Index, _In_ PCWSTR Text, _In_opt_ PVOID Param ); PHLIBAPI VOID NTAPI PhListView_SetStateAllItems( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ ULONG State, _In_ ULONG Mask ); PHLIBAPI PVOID NTAPI PhListView_GetSelectedItemParam( _In_ PPH_LISTVIEW_CONTEXT Context ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhListView_GetSelectedCount( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ PLONG SelectedCount ); PHLIBAPI VOID NTAPI PhListView_GetSelectedItemParams( _In_ PPH_LISTVIEW_CONTEXT Context, _Out_ PVOID** Items, _Out_ PULONG NumberOfItems ); PHLIBAPI BOOLEAN NTAPI PhListView_GetClientRect( _In_ PPH_LISTVIEW_CONTEXT Context, _Inout_ PRECT ClientRect ); PHLIBAPI BOOLEAN NTAPI PhListView_GetItemRect( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG StartIndex, _In_ ULONG Flags, _Inout_ PRECT ItemRect ); PHLIBAPI BOOLEAN NTAPI PhListView_EnableGroupView( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ BOOLEAN Enable ); PHLIBAPI BOOLEAN NTAPI PhListView_EnsureItemVisible( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _In_ BOOLEAN PartialOk ); PHLIBAPI BOOLEAN NTAPI PhListView_IsItemVisible( _In_ PPH_LISTVIEW_CONTEXT Context, _In_ LONG ItemIndex, _Out_ PBOOLEAN Visible ); PHLIBAPI BOOLEAN NTAPI PhListView_HitTestSubItem( _In_ PPH_LISTVIEW_CONTEXT Context, _Inout_ LVHITTESTINFO * HitTestInfo ); /** * Gets the brightness of a color. * * \param Color The color. * * \return A value ranging from 0 to 255, indicating the brightness of the color. */ FORCEINLINE ULONG PhGetColorBrightness( _In_ COLORREF Color ) { ULONG r = Color & 0xff; ULONG g = (Color >> 8) & 0xff; ULONG b = (Color >> 16) & 0xff; ULONG min; ULONG max; min = r; if (g < min) min = g; if (b < min) min = b; max = r; if (g > max) max = g; if (b > max) max = b; return (min + max) / 2; } FORCEINLINE COLORREF PhHalveColorBrightness( _In_ COLORREF Color ) { /*return RGB( (UCHAR)Color / 2, (UCHAR)(Color >> 8) / 2, (UCHAR)(Color >> 16) / 2 );*/ // Since all targets are little-endian, we can use the following method. *((PUCHAR)&Color) /= 2; *((PUCHAR)&Color + 1) /= 2; *((PUCHAR)&Color + 2) /= 2; return Color; } FORCEINLINE COLORREF PhMakeColorBrighter( _In_ COLORREF Color, _In_ UCHAR Increment ) { UCHAR r; UCHAR g; UCHAR b; r = (UCHAR)Color; g = (UCHAR)(Color >> 8); b = (UCHAR)(Color >> 16); if (r <= 255 - Increment) r += Increment; else r = 255; if (g <= 255 - Increment) g += Increment; else g = 255; if (b <= 255 - Increment) b += Increment; else b = 255; return RGB(r, g, b); } // Window support typedef enum _PH_PLUGIN_WINDOW_EVENT_TYPE { PH_PLUGIN_WINDOW_EVENT_TYPE_NONE, PH_PLUGIN_WINDOW_EVENT_TYPE_TOPMOST, PH_PLUGIN_WINDOW_EVENT_TYPE_MAX } PH_PLUGIN_WINDOW_EVENT_TYPE; typedef struct _PH_PLUGIN_WINDOW_CALLBACK_REGISTRATION { HWND WindowHandle; PH_PLUGIN_WINDOW_EVENT_TYPE Type; } PH_PLUGIN_WINDOW_CALLBACK_REGISTRATION, *PPH_PLUGIN_WINDOW_CALLBACK_REGISTRATION; typedef struct _PH_PLUGIN_WINDOW_NOTIFY_EVENT { PH_PLUGIN_WINDOW_EVENT_TYPE Type; union { BOOLEAN TopMost; //HFONT FontHandle; }; } PH_PLUGIN_WINDOW_NOTIFY_EVENT, *PPH_PLUGIN_WINDOW_NOTIFY_EVENT; typedef struct _PH_PLUGIN_MAINWINDOW_NOTIFY_EVENT { PPH_PLUGIN_WINDOW_NOTIFY_EVENT Event; PPH_PLUGIN_WINDOW_CALLBACK_REGISTRATION Callback; } PH_PLUGIN_MAINWINDOW_NOTIFY_EVENT, *PPH_PLUGIN_MAINWINDOW_NOTIFY_EVENT; PHLIBAPI VOID NTAPI PhRegisterWindowCallback( _In_ HWND WindowHandle, _In_ PH_PLUGIN_WINDOW_EVENT_TYPE Type, _In_opt_ PVOID Context ); PHLIBAPI VOID NTAPI PhUnregisterWindowCallback( _In_ HWND WindowHandle ); PHLIBAPI VOID NTAPI PhWindowNotifyTopMostEvent( _In_ BOOLEAN TopMost ); PHLIBAPI NTSTATUS NTAPI PhCreateEnvironmentBlock( _Out_ PVOID* Environment, _In_opt_ HANDLE TokenHandle, _In_ BOOLEAN Inherit ); PHLIBAPI VOID NTAPI PhDestroyEnvironmentBlock( _In_ _Post_invalid_ PVOID Environment ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhRegenerateUserEnvironment( _Out_opt_ PVOID* NewEnvironment, _In_ BOOLEAN UpdateCurrentEnvironment ); PHLIBAPI BOOLEAN NTAPI PhIsImmersiveProcess( _In_ HANDLE ProcessHandle ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetProcessUIContextInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_UICONTEXT_INFORMATION UIContext ); typedef enum _PH_PROCESS_DPI_AWARENESS { PH_PROCESS_DPI_AWARENESS_UNAWARE = 0, PH_PROCESS_DPI_AWARENESS_SYSTEM_DPI_AWARE = 1, PH_PROCESS_DPI_AWARENESS_PER_MONITOR_DPI_AWARE = 2, PH_PROCESS_DPI_AWARENESS_PER_MONITOR_AWARE_V2 = 3, PH_PROCESS_DPI_AWARENESS_UNAWARE_GDISCALED = 4, } PH_PROCESS_DPI_AWARENESS, *PPH_PROCESS_DPI_AWARENESS; _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetProcessDpiAwareness( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_DPI_AWARENESS ProcessDpiAwareness ); PHLIBAPI NTSTATUS NTAPI PhGetPhysicallyInstalledSystemMemory( _Out_ PULONGLONG TotalMemory, _Out_ PULONGLONG ReservedMemory ); PHLIBAPI NTSTATUS NTAPI PhGetSessionGuiResources( _In_ ULONG Flags, _Out_ PULONG Total ); PHLIBAPI NTSTATUS NTAPI PhGetProcessGuiResources( _In_ HANDLE ProcessHandle, _In_ ULONG Flags, _Out_ PULONG Total ); PHLIBAPI BOOLEAN NTAPI PhGetThreadWin32Thread( _In_ HANDLE ThreadId ); PHLIBAPI NTSTATUS NTAPI PhGetSendMessageReceiver( _In_ HANDLE ThreadId, _Out_ HWND *WindowHandle ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhExtractIcon( _In_ PCWSTR FileName, _Out_opt_ HICON *IconLarge, _Out_opt_ HICON *IconSmall ); PHLIBAPI NTSTATUS NTAPI PhExtractIconEx( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName, _In_ LONG IconIndex, _In_ LONG IconLargeWidth, _In_ LONG IconLargeHeight, _In_ LONG IconSmallWidth, _In_ LONG IconSmallHeight, _Out_opt_ HICON *IconLarge, _Out_opt_ HICON *IconSmall ); // Imagelist support PHLIBAPI HIMAGELIST NTAPI PhImageListCreate( _In_ LONG Width, _In_ LONG Height, _In_ LONG Flags, _In_ LONG InitialCount, _In_ LONG GrowCount ); PHLIBAPI BOOLEAN NTAPI PhImageListDestroy( _In_opt_ HIMAGELIST ImageListHandle ); PHLIBAPI BOOLEAN NTAPI PhImageListSetImageCount( _In_ HIMAGELIST ImageListHandle, _In_ ULONG Count ); PHLIBAPI BOOLEAN NTAPI PhImageListGetImageCount( _In_ HIMAGELIST ImageListHandle, _Out_ PLONG Count ); PHLIBAPI BOOLEAN NTAPI PhImageListSetBkColor( _In_ HIMAGELIST ImageListHandle, _In_ COLORREF BackgroundColor ); PHLIBAPI BOOLEAN NTAPI PhImageListRemoveIcon( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index ); #define PhImageListRemoveAll(ImageListHandle) \ PhImageListRemoveIcon((ImageListHandle), INT_ERROR) PHLIBAPI LONG NTAPI PhImageListAddIcon( _In_ HIMAGELIST ImageListHandle, _In_ HICON IconHandle ); PHLIBAPI LONG NTAPI PhImageListAddBitmap( _In_ HIMAGELIST ImageListHandle, _In_ HBITMAP BitmapImage, _In_opt_ HBITMAP BitmapMask ); PHLIBAPI HICON NTAPI PhImageListGetIcon( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ ULONG Flags ); PHLIBAPI BOOLEAN NTAPI PhImageListGetIconSize( _In_ HIMAGELIST ImageListHandle, _Out_ PLONG cx, _Out_ PLONG cy ); PHLIBAPI BOOLEAN NTAPI PhImageListReplace( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ HBITMAP BitmapImage, _In_opt_ HBITMAP BitmapMask ); PHLIBAPI BOOLEAN NTAPI PhImageListDrawIcon( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ HDC Hdc, _In_ LONG x, _In_ LONG y, _In_ UINT32 Style, _In_ BOOLEAN Disabled ); PHLIBAPI BOOLEAN NTAPI PhImageListDrawEx( _In_ HIMAGELIST ImageListHandle, _In_ LONG Index, _In_ HDC Hdc, _In_ LONG x, _In_ LONG y, _In_ LONG dx, _In_ LONG dy, _In_ COLORREF BackColor, _In_ COLORREF ForeColor, _In_ UINT32 Style, _In_ ULONG State ); PHLIBAPI BOOLEAN NTAPI PhImageListSetIconSize( _In_ HIMAGELIST ImageListHandle, _In_ LONG cx, _In_ LONG cy ); #define PH_SHUTDOWN_RESTART 0x1 #define PH_SHUTDOWN_POWEROFF 0x2 #define PH_SHUTDOWN_INSTALL_UPDATES 0x4 #define PH_SHUTDOWN_HYBRID 0x8 #define PH_SHUTDOWN_RESTART_BOOTOPTIONS 0x10 PHLIBAPI ULONG NTAPI PhInitiateShutdown( _In_ ULONG Flags ); PHLIBAPI BOOLEAN NTAPI PhSetProcessShutdownParameters( _In_ ULONG Level, _In_ ULONG Flags ); #define PH_DRAW_TIMELINE_OVERFLOW 0x1 #define PH_DRAW_TIMELINE_DARKTHEME 0x2 PHLIBAPI VOID NTAPI PhCustomDrawTreeTimeLine( _In_ HDC Hdc, _In_ PRECT CellRect, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER StartTime, _In_ PLARGE_INTEGER CreateTime ); // // Windows Imaging Component (WIC) bitmap support // DEFINE_GUID(IID_IWICBitmapSource, 0x00000120, 0xa8f2, 0x4877, 0xba, 0x0a, 0xfd, 0x2b, 0x66, 0x45, 0xfb, 0x94); DEFINE_GUID(IID_IWICImagingFactory, 0xec5ec8a9, 0xc395, 0x4314, 0x9c, 0x77, 0x54, 0xd7, 0xa9, 0x35, 0xff, 0x70); typedef enum _PH_BUFFERFORMAT { PHBF_COMPATIBLEBITMAP, // Compatible bitmap PHBF_DIB, // Device-independent bitmap PHBF_TOPDOWNDIB, // Top-down device-independent bitmap PHBF_TOPDOWNMONODIB // Top-down monochrome device-independent bitmap } PH_BUFFERFORMAT; HBITMAP PhCreateDIBSection( _In_ HDC Hdc, _In_ PH_BUFFERFORMAT Format, _In_ LONG Width, _In_ LONG Height, _Out_opt_ PVOID* Bits ); typedef enum _PH_IMAGE_FORMAT_TYPE { PH_IMAGE_FORMAT_TYPE_NONE, PH_IMAGE_FORMAT_TYPE_ICO, PH_IMAGE_FORMAT_TYPE_BMP, PH_IMAGE_FORMAT_TYPE_JPG, PH_IMAGE_FORMAT_TYPE_PNG, } PH_IMAGE_FORMAT_TYPE, *PPH_IMAGE_FORMAT_TYPE; PHLIBAPI HBITMAP NTAPI PhLoadImageFormatFromResource( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _In_ PH_IMAGE_FORMAT_TYPE Format, _In_ LONG Width, _In_ LONG Height ); PHLIBAPI HBITMAP NTAPI PhLoadImageFromAddress( _In_ PVOID Buffer, _In_ ULONG BufferLength, _In_ LONG Width, _In_ LONG Height ); PHLIBAPI HBITMAP NTAPI PhLoadImageFromResource( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _In_ LONG Width, _In_ LONG Height ); PHLIBAPI HBITMAP NTAPI PhLoadImageFromFile( _In_ PCWSTR FileName, _In_ LONG Width, _In_ LONG Height ); // Acrylic support typedef enum _WINDOWCOMPOSITIONATTRIB { WCA_UNDEFINED = 0, WCA_NCRENDERING_ENABLED = 1, // q: BOOL WCA_NCRENDERING_POLICY = 2, // s: ULONG // DWMNCRENDERINGPOLICY WCA_TRANSITIONS_FORCEDISABLED = 3, // s: BOOL WCA_ALLOW_NCPAINT = 4, // s: BOOL WCA_CAPTION_BUTTON_BOUNDS = 5, // q: RECT WCA_NONCLIENT_RTL_LAYOUT = 6, // s: BOOL WCA_FORCE_ICONIC_REPRESENTATION = 7, // s: BOOL WCA_EXTENDED_FRAME_BOUNDS = 8, // q: RECT WCA_HAS_ICONIC_BITMAP = 9, // q: BOOL WCA_THEME_ATTRIBUTES = 10, // s: ULONG WCA_NCRENDERING_EXILED = 11, // q: BOOL WCA_NCADORNMENTINFO = 12, // q: WCA_EXCLUDED_FROM_LIVEPREVIEW = 13, // s: BOOL WCA_VIDEO_OVERLAY_ACTIVE = 14, // q: BOOL WCA_FORCE_ACTIVEWINDOW_APPEARANCE = 15, // s: BOOL WCA_DISALLOW_PEEK = 16, // s: BOOL WCA_CLOAK = 17, // s: ULONG WCA_CLOAKED = 18, // q: ULONG // DWM_CLOAKED_* WCA_ACCENT_POLICY = 19, // s: ACCENT_POLICY // since WIN11 WCA_FREEZE_REPRESENTATION = 20, // s: BOOL WCA_EVER_UNCLOAKED = 21, // q: BOOL WCA_VISUAL_OWNER = 22, // s: HANDLE WCA_HOLOGRAPHIC = 23, // q: BOOL WCA_EXCLUDED_FROM_DDA = 24, // s: BOOL WCA_PASSIVEUPDATEMODE = 25, // s: BOOL WCA_USEDARKMODECOLORS = 26, // s: BOOL WCA_CORNER_STYLE = 27, // s: ULONG // DWM_WINDOW_CORNER_PREFERENCE WCA_PART_COLOR = 28, // s: ULONG // COLORREF WCA_DISABLE_MOVESIZE_FEEDBACK = 29, // s: BOOL WCA_SYSTEMBACKDROP_TYPE = 30, // s: ULONG // DWM_SYSTEMBACKDROP_TYPE WCA_SET_TAGGED_WINDOW_RECT = 31, // s: RECT WCA_CLEAR_TAGGED_WINDOW_RECT = 32, // s: RECT WCA_REMOTEAPP_POLICY = 33, // s: ULONG // since 24H2 WCA_HAS_ACCENT_POLICY = 34, // q: BOOL WCA_REDIRECTIONBITMAP_FILL_COLOR = 35, // s: ULONG // COLORREF WCA_REDIRECTIONBITMAP_ALPHA = 36, // s: UCHAR WCA_BORDER_MARGINS = 37, // s: MARGINS WCA_LAST } WINDOWCOMPOSITIONATTRIB; typedef struct _WINDOWCOMPOSITIONATTRIBUTEDATA { WINDOWCOMPOSITIONATTRIB Attribute; PVOID Data; SIZE_T Length; } WINDOWCOMPOSITIONATTRIBUTEDATA, *PWINDOWCOMPOSITIONATTRIBUTEDATA; PHLIBAPI NTSTATUS NTAPI PhGetWindowCompositionAttribute( _In_ HWND WindowHandle, _Inout_ PWINDOWCOMPOSITIONATTRIBUTEDATA AttributeData ); PHLIBAPI NTSTATUS NTAPI PhSetWindowCompositionAttribute( _In_ HWND WindowHandle, _In_ PWINDOWCOMPOSITIONATTRIBUTEDATA AttributeData ); // TODO: https://stackoverflow.com/questions/12304848/fast-algorithm-to-invert-an-argb-color-value-to-abgr/42133405#42133405 FORCEINLINE ULONG MakeARGB( _In_ BYTE a, _In_ BYTE r, _In_ BYTE g, _In_ BYTE b) { return (((ULONG)(b) << 0) | ((ULONG)(g) << 8) | ((ULONG)(r) << 16) | ((ULONG)(a) << 24)); } FORCEINLINE ULONG MakeABGR( _In_ BYTE a, _In_ BYTE b, _In_ BYTE g, _In_ BYTE r) { return (((ULONG)(a) << 24) | ((ULONG)(b) << 16) | ((ULONG)(g) << 8) | ((ULONG)(r) << 0)); } FORCEINLINE ULONG MakeARGBFromCOLORREF(_In_ BYTE Alpha, _In_ COLORREF rgb) { return MakeARGB(Alpha, GetRValue(rgb), GetGValue(rgb), GetBValue(rgb)); } FORCEINLINE ULONG MakeABGRFromCOLORREF(_In_ BYTE Alpha, _In_ COLORREF rgb) { return MakeABGR(Alpha, GetBValue(rgb), GetGValue(rgb), GetRValue(rgb)); } typedef enum _ACCENT_STATE { ACCENT_DISABLED, ACCENT_ENABLE_GRADIENT = 1, ACCENT_ENABLE_TRANSPARENTGRADIENT = 2, ACCENT_ENABLE_BLURBEHIND = 3, ACCENT_ENABLE_ACRYLICBLURBEHIND = 4, ACCENT_ENABLE_HOSTBACKDROP = 5, ACCENT_INVALID_STATE } ACCENT_STATE; typedef enum _ACCENT_FLAG { ACCENT_NONE, ACCENT_WINDOWS11_LUMINOSITY = 0x2, ACCENT_BORDER_LEFT = 0x20, ACCENT_BORDER_TOP = 0x40, ACCENT_BORDER_RIGHT = 0x80, ACCENT_BORDER_BOTTOM = 0x100, ACCENT_BORDER_ALL = (ACCENT_BORDER_LEFT | ACCENT_BORDER_TOP | ACCENT_BORDER_RIGHT | ACCENT_BORDER_BOTTOM) } ACCENT_FLAG; typedef struct _ACCENT_POLICY { ACCENT_STATE AccentState; ULONG AccentFlags; ULONG GradientColor; ULONG AnimationId; } ACCENT_POLICY; PHLIBAPI NTSTATUS NTAPI PhSetWindowAcrylicCompositionColor( _In_ HWND WindowHandle, _In_ ULONG GradientColor ); PHLIBAPI HCURSOR NTAPI PhLoadArrowCursor( VOID ); PHLIBAPI HCURSOR NTAPI PhLoadDividerCursor( VOID ); PHLIBAPI NTSTATUS NTAPI PhIsInteractiveUserSession( VOID ); typedef struct _PH_USER_OBJECT_SID { union { SID Sid; BYTE Buffer[SECURITY_MAX_SID_SIZE]; }; } PH_USER_OBJECT_SID, *PPH_USER_OBJECT_SID; static_assert(sizeof(PH_USER_OBJECT_SID) == SECURITY_MAX_SID_SIZE, "sizeof(PH_USER_OBJECT_SID) is invalid."); PHLIBAPI NTSTATUS NTAPI PhGetUserObjectSidInformationToBuffer( _In_ HANDLE Handle, _Out_ PPH_USER_OBJECT_SID ObjectSid, _In_ ULONG ObjectSidLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhGetUserObjectSidInformationCopy( _In_ HANDLE Handle, _Out_ PSID* ObjectSid ); PHLIBAPI PPH_STRING NTAPI PhGetCurrentWindowStationName( VOID ); PHLIBAPI PPH_STRING NTAPI PhGetCurrentThreadDesktopName( VOID ); PHLIBAPI BOOLEAN NTAPI PhRecentListAddCommand( _In_ PPH_STRINGREF Command ); typedef _Function_class_(PH_ENUM_MRULIST_CALLBACK) BOOLEAN NTAPI PH_ENUM_MRULIST_CALLBACK( _In_ PPH_STRINGREF Command, _In_opt_ PVOID Context ); typedef PH_ENUM_MRULIST_CALLBACK* PPH_ENUM_MRULIST_CALLBACK; PHLIBAPI VOID NTAPI PhEnumerateRecentList( _In_ PPH_ENUM_MRULIST_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhTerminateWindow( _In_ HWND WindowHandle, _In_ BOOLEAN Force ); PHLIBAPI NTSTATUS NTAPI PhOpenWindowProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HWND WindowHandle ); PHLIBAPI ULONG_PTR NTAPI PhUserQueryWindow( _In_ HWND WindowHandle, _In_ WINDOWINFOCLASS WindowInfo ); FORCEINLINE ULONG PhQueryWindowRealProcess( _In_ HWND WindowHandle ) { return (ULONG)PhUserQueryWindow( WindowHandle, WindowRealProcess ); } FORCEINLINE BOOLEAN PhWindowIsHung( _In_ HWND WindowHandle ) { return (BOOLEAN)(ULONG_PTR)PhUserQueryWindow( WindowHandle, WindowIsHung ); } #ifndef DBT_DEVICEARRIVAL #define DBT_DEVICEARRIVAL 0x8000 // system detected a new device #define DBT_DEVICEREMOVECOMPLETE 0x8004 // device is gone #define DBT_DEVTYP_VOLUME 0x00000002 // logical volume typedef struct _DEV_BROADCAST_HDR { ULONG dbch_size; ULONG dbch_devicetype; ULONG dbch_reserved; } DEV_BROADCAST_HDR, *PDEV_BROADCAST_HDR; #endif // theme support (theme.c) extern HFONT PhApplicationFont; extern HFONT PhTreeWindowFont; extern HFONT PhMonospaceFont; extern HBRUSH PhThemeWindowBackgroundBrush; extern BOOLEAN PhEnableThemeSupport; extern BOOLEAN PhEnableThemeAcrylicSupport; extern BOOLEAN PhEnableThemeAcrylicWindowSupport; extern BOOLEAN PhEnableThemeNativeButtons; extern BOOLEAN PhEnableThemeListviewBorder; extern COLORREF PhThemeWindowForegroundColor; extern COLORREF PhThemeWindowBackgroundColor; extern COLORREF PhThemeWindowBackground2Color; extern COLORREF PhThemeWindowHighlightColor; extern COLORREF PhThemeWindowHighlight2Color; extern COLORREF PhThemeWindowTextColor; PHLIBAPI VOID NTAPI PhInitializeWindowTheme( _In_ HWND WindowHandle, _In_ BOOLEAN EnableThemeSupport ); PHLIBAPI VOID NTAPI PhInitializeWindowThemeEx( _In_ HWND WindowHandle ); PHLIBAPI VOID NTAPI PhReInitializeWindowTheme( _In_ HWND WindowHandle ); PHLIBAPI VOID NTAPI PhInitializeThemeWindowFrame( _In_ HWND WindowHandle ); PHLIBAPI HBRUSH NTAPI PhWindowThemeControlColor( _In_ HWND WindowHandle, _In_ HDC Hdc, _In_ HWND ChildWindowHandle, _In_ LONG Type ); PHLIBAPI BOOLEAN NTAPI PhThemeWindowDrawItem( _In_ HWND WindowHandle, _In_ PDRAWITEMSTRUCT DrawInfo ); PHLIBAPI LRESULT NTAPI PhThemeWindowDrawButton( _In_ LPNMCUSTOMDRAW DrawInfo ); PHLIBAPI BOOLEAN NTAPI PhThemeWindowMeasureItem( _In_ HWND WindowHandle, _In_ PMEASUREITEMSTRUCT DrawInfo ); PHLIBAPI VOID NTAPI PhInitializeWindowThemeMainMenu( _In_ HMENU MenuHandle ); PHLIBAPI LRESULT CALLBACK PhThemeWindowDrawRebar( _In_ LPNMCUSTOMDRAW DrawInfo ); PHLIBAPI LRESULT CALLBACK PhThemeWindowDrawToolbar( _In_ LPNMTBCUSTOMDRAW DrawInfo ); // Font support PHLIBAPI HFONT NTAPI PhCreateFont( _In_opt_ PCWSTR Name, _In_ LONG Size, _In_ LONG Weight, _In_ LONG PitchAndFamily, _In_ LONG Dpi ); PHLIBAPI HFONT NTAPI PhCreateCommonFont( _In_ LONG Size, _In_ LONG Weight, _In_opt_ HWND WindowHandle, _In_ LONG WindowDpi ); PHLIBAPI HFONT NTAPI PhCreateIconTitleFont( _In_opt_ LONG WindowDpi ); PHLIBAPI HFONT NTAPI PhCreateMessageFont( _In_opt_ LONG WindowDpi ); PHLIBAPI HFONT NTAPI PhDuplicateFont( _In_ HFONT Font ); PHLIBAPI HFONT NTAPI PhDuplicateFontWithNewWeight( _In_ HFONT Font, _In_ LONG NewWeight ); PHLIBAPI HFONT NTAPI PhDuplicateFontWithNewHeight( _In_ HFONT Font, _In_ LONG NewHeight, _In_ LONG dpiValue ); VOID PhWindowThemeMainMenuBorder( _In_ HWND WindowHandle ); // directdraw.cpp HICON PhGdiplusConvertBitmapToIcon( _In_ HBITMAP Bitmap, _In_ LONG Width, _In_ LONG Height, _In_ COLORREF Background ); HWND PhCreateBackgroundWindow( _In_ HWND ParentWindowHandle, _In_ BOOLEAN DesktopWindow ); HICON PhGdiplusConvertHBitmapToHIcon( _In_ HBITMAP BitmapHandle ); EXTERN_C_END #endif ================================================ FILE: phlib/include/guisupp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2023 * */ #ifndef _PH_GUISUPP_H #define _PH_GUISUPP_H typedef HRESULT (WINAPI* _GetThemeClass)( _In_ HTHEME ThemeHandle, _Out_writes_z_(BufferLength) PWSTR Buffer, _In_ ULONG BufferLength ); typedef BOOL(WINAPI* _AllowDarkModeForWindow)( _In_ HWND WindowHandle, _In_ BOOL Enabled ); typedef BOOL(WINAPI* _IsDarkModeAllowedForWindow)( _In_ HWND WindowHandle ); typedef LONG (WINAPI* _GetDpiForSession)( VOID ); // Comctl32 typedef LONG (CALLBACK *MRUSTRINGCMPPROC)(PCWSTR String1, PCWSTR String2); typedef LONG (CALLBACK *MRUINARYCMPPROC)(PVOID String1, PVOID String2, ULONG Length); #define MRU_STRING 0x0000 #define MRU_BINARY 0x0001 #define MRU_CACHEWRITE 0x0002 typedef struct _MRUINFO { ULONG cbSize; UINT uMaxItems; UINT uFlags; HANDLE hKey; PCWSTR lpszSubKey; MRUSTRINGCMPPROC lpfnCompare; } MRUINFO, *PMRUINFO; typedef HANDLE (WINAPI* _CreateMRUList)( _In_ PMRUINFO lpmi ); typedef LONG (WINAPI* _AddMRUString)( _In_ HANDLE hMRU, _In_ PCWSTR szString ); typedef LONG (WINAPI* _EnumMRUList)( _In_ HANDLE hMRU, _In_ INT nItem, _Out_ PVOID lpData, _In_ UINT uLen ); typedef LONG (WINAPI* _FreeMRUList)( _In_ HANDLE hMRU ); // Icons typedef struct _PHP_ICON_ENTRY { PVOID InstanceHandle; PCWSTR Name; ULONG Width; ULONG Height; HICON Icon; LONG DpiValue; } PHP_ICON_ENTRY, *PPHP_ICON_ENTRY; #define PHP_ICON_ENTRY_SIZE_SMALL (-1) #define PHP_ICON_ENTRY_SIZE_LARGE (-2) FORCEINLINE ULONG PhpGetIconEntrySize( _In_ ULONG InputSize, _In_ ULONG Flags ) { if (Flags & PH_LOAD_ICON_SIZE_SMALL) return PHP_ICON_ENTRY_SIZE_SMALL; if (Flags & PH_LOAD_ICON_SIZE_LARGE) return PHP_ICON_ENTRY_SIZE_LARGE; return InputSize; } #endif ================================================ FILE: phlib/include/guisupview.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2023 * */ #ifndef _PH_GUISUPPVIEW_H #define _PH_GUISUPPVIEW_H // // Listview2 (Undocumented) // #ifndef LVM_QUERYINTERFACE #define LVM_QUERYINTERFACE (LVM_FIRST + 189) // IListView, IListView2, IOleWindow, IVisualProperties, IPropertyControlSite, IListViewFooter #endif // {E5B16AF2-3990-4681-A609-1F060CD14269} DEFINE_GUID(IID_IListView, 0xE5B16AF2, 0x3990, 0x4681, 0xA6, 0x09, 0x1F, 0x06, 0x0C, 0xD1, 0x42, 0x69); // {E6DFF6FD-BCD5-4162-9C65-A3B18C616FDB} DEFINE_GUID(IID_IDrawPropertyControl, 0xE6DFF6FD, 0xBCD5, 0x4162, 0x9C, 0x65, 0xA3, 0xB1, 0x8C, 0x61, 0x6F, 0xDB); // {1572DD51-443C-44B0-ACE4-38A005FC697E} DEFINE_GUID(IID_IDrawPropertyControlWin10, 0x1572DD51, 0x443C, 0x44B0, 0xAC, 0xE4, 0x38, 0xA0, 0x05, 0xFC, 0x69, 0x7E); // {F0034DA8-8A22-4151-8F16-2EBA76565BCC} DEFINE_GUID(IID_IListViewFooter, 0xF0034DA8, 0x8A22, 0x4151, 0x8F, 0x16, 0x2E, 0xBA, 0x76, 0x56, 0x5B, 0xCC); // {88EB9442-913B-4AB4-A741-DD99DCB7558B} DEFINE_GUID(IID_IListViewFooterCallback, 0x88EB9442, 0x913B, 0x4AB4, 0xA7, 0x41, 0xDD, 0x99, 0xDC, 0xB7, 0x55, 0x8B); // {44C09D56-8D3B-419D-A462-7B956B105B47} DEFINE_GUID(IID_IOwnerDataCallback, 0x44C09D56, 0x8D3B, 0x419D, 0xA4, 0x62, 0x7B, 0x95, 0x6B, 0x10, 0x5B, 0x47); // {5E82A4DD-9561-476A-8634-1BEBACBA4A38} DEFINE_GUID(IID_IPropertyControl, 0x5E82A4DD, 0x9561, 0x476A, 0x86, 0x34, 0x1B, 0xEB, 0xAC, 0xBA, 0x4A, 0x38); // {6E71A510-732A-4557-9596-A827E36DAF8F} DEFINE_GUID(IID_IPropertyControlBase, 0x6E71A510, 0x732A, 0x4557, 0x95, 0x96, 0xA8, 0x27, 0xE3, 0x6D, 0xAF, 0x8F); // {7AF7F355-1066-4E17-B1F2-19FE2F099CD2} DEFINE_GUID(IID_IPropertyValue, 0x7AF7F355, 0x1066, 0x4E17, 0xB1, 0xF2, 0x19, 0xFE, 0x2F, 0x09, 0x9C, 0xD2); // {11A66240-5489-42C2-AEBF-286FC831524C} DEFINE_GUID(IID_ISubItemCallback, 0x11A66240, 0x5489, 0x42C2, 0xAE, 0xBF, 0x28, 0x6F, 0xC8, 0x31, 0x52, 0x4C); // CLSID_CAsyncSubItemControlsView: {A1DCCC29-7C70-4821-97AE-67F04105EC91} DEFINE_GUID(CLSID_CAsyncSubItemControlsView, 0xa1dccc29, 0x7c70, 0x4821, 0x97, 0xae, 0x67, 0xf0, 0x41, 0x5, 0xec, 0x91); // CLSID_CFooterAreaView: {EBE684BF-3301-4A6D-83CE-E4D6851BE881} DEFINE_GUID(CLSID_CFooterAreaView, 0xebe684bf, 0x3301, 0x4a6d, 0x83, 0xce, 0xe4, 0xd6, 0x85, 0x1b, 0xe8, 0x81); // CLSID_CGroupedVirtualModeView: {A08A0F2D-0647-4443-9450-C460F4791046} DEFINE_GUID(CLSID_CGroupedVirtualModeView, 0xa08a0f2d, 0x647, 0x4443, 0x94, 0x50, 0xc4, 0x60, 0xf4, 0x79, 0x10, 0x46); // CLSID_CGroupSubsetView: {64A11699-104A-482A-9D85-CCFEA2EE3C94} DEFINE_GUID(CLSID_CGroupSubsetView, 0x64a11699, 0x104a, 0x482a, 0x9d, 0x85, 0xcc, 0xfe, 0xa2, 0xee, 0x3c, 0x94); // CLSID_CSubItemControlsView: {13E88673-D30C-46BA-8F2E-97C5CD024E73} DEFINE_GUID(CLSID_CSubItemControlsView, 0x13e88673, 0xd30c, 0x46ba, 0x8f, 0x2e, 0x97, 0xc5, 0xcd, 0x2, 0x4e, 0x73); // {1E8F0D70-7399-41BF-8598-7949A2DEC898} DEFINE_GUID(CLSID_CBooleanControl, 0x1E8F0D70, 0x7399, 0x41BF, 0x85, 0x98, 0x79, 0x49, 0xA2, 0xDE, 0xC8, 0x98); // {e2183960-9d58-4e9c-878a-4acc06ca564a} DEFINE_GUID(CLSID_CCustomDrawMultiValuePropertyControl, 0xE2183960, 0x9D58, 0x4E9C, 0x87, 0x8A, 0x4A, 0xCC, 0x06, 0xCA, 0x56, 0x4A); // {AB517586-73CF-489c-8D8C-5AE0EAD0613A} DEFINE_GUID(CLSID_CCustomDrawPercentFullControl, 0xAB517586, 0x73CF, 0x489c, 0x8D, 0x8C, 0x5A, 0xE0, 0xEA, 0xD0, 0x61, 0x3A); // {0d81ea0d-13bf-44b2-af1c-fcdf6be7927c} DEFINE_GUID(CLSID_CCustomDrawProgressControl, 0x0d81ea0d, 0x13bf, 0x44B2, 0xAF, 0x1C, 0xFC, 0xDF, 0x6B, 0xE7, 0x92, 0x7C); // {15756be1-a4ad-449c-b576-df3df0e068d3} DEFINE_GUID(CLSID_CHyperlinkControl, 0x15756BE1, 0xA4AD, 0x449C, 0xB5, 0x76, 0xDF, 0x3D, 0xF0, 0xE0, 0x68, 0xD3); // {53a01e9d-61cc-4cb0-83b1-31bc8df63156} DEFINE_GUID(CLSID_CIconListControl, 0x53A01E9D, 0x61CC, 0x4CB0, 0x83, 0xB1, 0x31, 0xBC, 0x8D, 0xF6, 0x31, 0x56); // {6A205B57-2567-4a2c-B881-F787FAB579A3} DEFINE_GUID(CLSID_CInPlaceCalendarControl, 0x6A205B57, 0x2567, 0x4A2C, 0xB8, 0x81, 0xF7, 0x87, 0xFA, 0xB5, 0x79, 0xA3); // {0EEA25CC-4362-4a12-850B-86EE61B0D3EB} DEFINE_GUID(CLSID_CInPlaceDropListComboControl, 0x0EEA25CC, 0x4362, 0x4A12, 0x85, 0x0B, 0x86, 0xEE, 0x61, 0xB0, 0xD3, 0xEB); // {A9CF0EAE-901A-4739-A481-E35B73E47F6D} DEFINE_GUID(CLSID_CInPlaceEditBoxControl, 0xA9CF0EAE, 0x901A, 0x4739, 0xA4, 0x81, 0xE3, 0x5B, 0x73, 0xE4, 0x7F, 0x6D); // {8EE97210-FD1F-4b19-91DA-67914005F020} DEFINE_GUID(CLSID_CInPlaceMLEditBoxControl, 0x8EE97210, 0xFD1F, 0x4B19, 0x91, 0xDA, 0x67, 0x91, 0x40, 0x05, 0xF0, 0x20); // {8e85d0ce-deaf-4ea1-9410-fd1a2105ceb5} DEFINE_GUID(CLSID_CInPlaceMultiValuePropertyControl, 0x8E85D0CE, 0xDEAF, 0x4EA1, 0x94, 0x10, 0xFD, 0x1A, 0x21, 0x05, 0xCE, 0xB5); // {85e94d25-0712-47ed-8cde-b0971177c6a1} DEFINE_GUID(CLSID_CRatingControl, 0x85e94d25, 0x0712, 0x47ed, 0x8C, 0xDE, 0xB0, 0x97, 0x11, 0x77, 0xC6, 0xA1); // {527c9a9b-b9a2-44b0-84f9-f0dc11c2bcfb} DEFINE_GUID(CLSID_CStaticPropertyControl, 0x527C9A9B, 0xB9A2, 0x44B0, 0x84, 0xF9, 0xF0, 0xDC, 0x11, 0xC2, 0xBC, 0xFB); #undef INTERFACE #define INTERFACE IOwnerDataCallback /** * IOwnerDataCallback * * Callback interface used by owner-data list views to query and set * positions and grouping relations of items, and to receive cache hints. */ DECLARE_INTERFACE_(IOwnerDataCallback, IUnknown) { BEGIN_INTERFACE // // IUnknown // DECLSPEC_XFGVIRT(IOwnerDataCallback, QueryInterface) STDMETHOD(QueryInterface)(THIS_ REFIID riid, void** ppvObject) PURE; DECLSPEC_XFGVIRT(IOwnerDataCallback, AddRef) STDMETHOD_(ULONG, AddRef)(THIS) PURE; DECLSPEC_XFGVIRT(IOwnerDataCallback, Release) STDMETHOD_(ULONG, Release)(THIS) PURE; // // IOwnerDataCallback // /** * Retrieves the current position of an item. * * \param itemIndex The zero-based index of the item. * \param pPosition Receives the item's position in view coordinates. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IOwnerDataCallback, GetItemPosition) STDMETHOD(GetItemPosition)(THIS_ LONG itemIndex, LPPOINT pPosition) PURE; /** * Sets the position of an item. * * \param itemIndex The zero-based index of the item. * \param position The desired item position in view coordinates. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IOwnerDataCallback, SetItemPosition) STDMETHOD(SetItemPosition)(THIS_ LONG itemIndex, POINT position) PURE; /** * Maps a group-wide index to the control-wide item index. * * \param groupIndex Zero-based list view group index. * \param groupWideItemIndex Zero-based index of the item within the group. * \param pTotalItemIndex Receives the control-wide item index. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IOwnerDataCallback, GetItemInGroup) STDMETHOD(GetItemInGroup)(THIS_ LONG groupIndex, LONG groupWideItemIndex, PLONG pTotalItemIndex) PURE; /** * Retrieves the group for a specific occurrence of an item. * * \param itemIndex Control-wide zero-based item index. * \param occurenceIndex Zero-based occurrence index of the item. * \param pGroupIndex Receives the group's zero-based index. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IOwnerDataCallback, GetItemGroup) STDMETHOD(GetItemGroup)(THIS_ LONG itemIndex, LONG occurenceIndex, PLONG pGroupIndex) PURE; /** * Retrieves how often an item occurs in the control. * * \param itemIndex Control-wide zero-based item index. * \param pOccurenceCount Receives the number of occurrences. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IOwnerDataCallback, GetItemGroupCount) STDMETHOD(GetItemGroupCount)(THIS_ LONG itemIndex, PLONG pOccurenceCount) PURE; /** * Provides a cache hint for a range of items. * * \param firstItem First item to cache (group-wide index). * \param lastItem Last item to cache (group-wide index). * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IOwnerDataCallback, OnCacheHint) STDMETHOD(OnCacheHint)(THIS_ LVITEMINDEX firstItem, LVITEMINDEX lastItem) PURE; END_INTERFACE }; #undef INTERFACE #define INTERFACE ISubItemCallback /** * ISubItemCallback * * Callback interface for subitem operations in a custom list view. Allows * retrieving subitem titles, providing editing/controls per subitem or group, * and invoking custom verbs. */ DECLARE_INTERFACE_(ISubItemCallback, IUnknown) { BEGIN_INTERFACE // // IUnknown // DECLSPEC_XFGVIRT(ISubItemCallback, QueryInterface) STDMETHOD(QueryInterface)(THIS_ REFIID riid, void** ppvObject) PURE; DECLSPEC_XFGVIRT(ISubItemCallback, AddRef) STDMETHOD_(ULONG, AddRef)(THIS) PURE; DECLSPEC_XFGVIRT(ISubItemCallback, Release) STDMETHOD_(ULONG, Release)(THIS) PURE; // // ISubItemCallback // /** * Retrieves the title of a subitem. * * \param subItemIndex Zero-based subitem index. * \param pBuffer Wide-character buffer to receive the title. * \param bufferSize Buffer size in characters. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(ISubItemCallback, GetSubItemTitle) STDMETHOD(GetSubItemTitle)(THIS_ LONG subItemIndex, PWSTR pBuffer, LONG bufferSize) PURE; /** * Retrieves a control interface for a specific subitem. * * \param itemIndex Zero-based item index. * \param subItemIndex Zero-based subitem index. * \param requiredInterface IID of the required control interface. * \param ppObject Receives the interface pointer for the subitem control. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(ISubItemCallback, GetSubItemControl) STDMETHOD(GetSubItemControl)(THIS_ LONG itemIndex, LONG subItemIndex, REFIID requiredInterface, void** ppObject) PURE; // IPropertyControl /** * Begins editing a subitem. * * \param itemIndex Zero-based item index. * \param subItemIndex Zero-based subitem index. * \param mode Edit mode flags. * \param requiredInterface IID of the required editing control interface. * \param ppObject Receives the interface pointer for the editing control. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(ISubItemCallback, BeginSubItemEdit) STDMETHOD(BeginSubItemEdit)(THIS_ LONG itemIndex, LONG subItemIndex, LONG mode, REFIID requiredInterface, void** ppObject) PURE; // IPropertyControl /** * Ends editing of a subitem. * * \param itemIndex Zero-based item index. * \param subItemIndex Zero-based subitem index. * \param mode Edit mode flags. * \param pPropertyControl The property control used during editing. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(ISubItemCallback, EndSubItemEdit) STDMETHOD(EndSubItemEdit)(THIS_ LONG itemIndex, LONG subItemIndex, LONG mode, void** ppObject) PURE; // IPropertyControl /** * Begins editing a group. * * \param groupIndex Zero-based group index. * \param requiredInterface IID of the required editing control interface. * \param ppObject Receives the interface pointer for the editing control. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(ISubItemCallback, BeginGroupEdit) STDMETHOD(BeginGroupEdit)(THIS_ LONG groupIndex, REFIID iid, void** ppObject) PURE; // IPropertyControl /** * Ends editing of a group. * * \param groupIndex Zero-based group index. * \param mode Edit mode flags. * \param pPropertyControl The property control used during editing. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(ISubItemCallback, EndGroupEdit) STDMETHOD(EndGroupEdit)(THIS_ LONG groupIndex, LONG mode, void** ppObject) PURE; // IPropertyControl /** * Invokes a custom verb on a subitem. * * \param itemIndex Zero-based item index. * \param pVerb The verb to invoke (wide string). * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(ISubItemCallback, OnInvokeVerb) STDMETHOD(OnInvokeVerb)(THIS_ LONG itemIndex, LPCWSTR pVerb) PURE; END_INTERFACE }; #undef INTERFACE #define INTERFACE IDrawPropertyControl /** * IDrawPropertyControl * * This interface defines methods for custom drawing of property controls within the application's * graphical user interface. Implementers provide the logic necessary to render the visuals. */ DECLARE_INTERFACE_(IDrawPropertyControl, IUnknown) { BEGIN_INTERFACE // // IUnknown // DECLSPEC_XFGVIRT(IDrawPropertyControl, QueryInterface) STDMETHOD(QueryInterface)(THIS_ REFIID riid, void** ppvObject) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, AddRef) STDMETHOD_(ULONG, AddRef)(THIS) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, Release) STDMETHOD_(ULONG, Release)(THIS) PURE; // // IPropertyControlBase // DECLSPEC_XFGVIRT(IDrawPropertyControl, Initialize) STDMETHOD(Initialize)(THIS_ IUnknown*, ULONG) PURE; // 2/calendar, 3/textbox DECLSPEC_XFGVIRT(IDrawPropertyControl, GetSize) STDMETHOD(GetSize)(THIS_ enum PROPCTL_RECT_TYPE, HDC, SIZE const*, SIZE*) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, SetWindowTheme) STDMETHOD(SetWindowTheme)(THIS_ PCWSTR, PCWSTR) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, SetFont) STDMETHOD(SetFont)(THIS_ HFONT) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, SetForeColor) STDMETHOD(SetForeColor)(THIS_ ULONG) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, GetFlags) STDMETHOD(GetFlags)(THIS_ LONG*) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, SetFlags) STDMETHOD(SetFlags)(THIS_ LONG, LONG) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, AdjustWindowRectPCB) STDMETHOD(AdjustWindowRectPCB)(THIS_ HWND, RECT*, RECT const*, LONG) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, SetValue) STDMETHOD(SetValue)(THIS_ IUnknown*) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, InvokeDefaultAction) STDMETHOD(InvokeDefaultAction)(THIS) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, Destroy) STDMETHOD(Destroy)(THIS) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, SetFormatFlags) STDMETHOD(SetFormatFlags)(THIS_ LONG) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, GetFormatFlags) STDMETHOD(GetFormatFlags)(THIS_ LONG*) PURE; // // IDrawPropertyControl // DECLSPEC_XFGVIRT(IDrawPropertyControl, GetDrawFlags) STDMETHOD(GetDrawFlags)(THIS_ PLONG Flags) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, WindowlessDraw) STDMETHOD(WindowlessDraw)(THIS_ HDC hDC, RECT pDrawingRectangle, LONG a) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, HasVisibleContent) STDMETHOD(HasVisibleContent)(THIS) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, GetDisplayText) STDMETHOD(GetDisplayText)(THIS_ PWSTR *Text) PURE; DECLSPEC_XFGVIRT(IDrawPropertyControl, GetTooltipInfo) STDMETHOD(GetTooltipInfo)(THIS_ HDC, SIZE const*, PLONG) PURE; END_INTERFACE }; #undef INTERFACE #define INTERFACE IPropertyControl DECLARE_INTERFACE_(IPropertyControl, IUnknown) { BEGIN_INTERFACE // // IUnknown // DECLSPEC_XFGVIRT(IPropertyControl, QueryInterface) STDMETHOD(QueryInterface)(THIS_ REFIID riid, void** ppvObject) PURE; DECLSPEC_XFGVIRT(IPropertyControl, AddRef) STDMETHOD_(ULONG, AddRef)(THIS) PURE; DECLSPEC_XFGVIRT(IPropertyControl, Release) STDMETHOD_(ULONG, Release)(THIS) PURE; // // IPropertyControl // DECLSPEC_XFGVIRT(IPropertyControl, GetValue) STDMETHOD(GetValue)(THIS_ REFIID riid, void** ppvObject) PURE; DECLSPEC_XFGVIRT(IPropertyControl, Create) STDMETHOD(Create)(THIS_ HWND Parent, RECT const* ItemRectangle, RECT const* Unknown1, int Unknown2) PURE; DECLSPEC_XFGVIRT(IPropertyControl, SetPosition) STDMETHOD(SetPosition)(THIS_ RECT const*, RECT const*) PURE; DECLSPEC_XFGVIRT(IPropertyControl, IsModified) STDMETHOD(IsModified)(THIS_ PBOOL Modified) PURE; DECLSPEC_XFGVIRT(IPropertyControl, SetModified) STDMETHOD(SetModified)(THIS_ BOOL Modified) PURE; DECLSPEC_XFGVIRT(IPropertyControl, ValidationFailed) STDMETHOD(ValidationFailed)(THIS_ PCWSTR) PURE; DECLSPEC_XFGVIRT(IPropertyControl, GetState) STDMETHOD(GetState)(THIS_ PULONG State) PURE; END_INTERFACE }; #undef INTERFACE #define INTERFACE IListView DECLARE_INTERFACE_(IListView, IUnknown) // real name is IListView2 { BEGIN_INTERFACE // // IUnknown // DECLSPEC_XFGVIRT(IListView, QueryInterface) STDMETHOD(QueryInterface)(THIS_ REFIID riid, void** ppvObject) PURE; DECLSPEC_XFGVIRT(IListView, AddRef) STDMETHOD_(ULONG, AddRef)(THIS) PURE; DECLSPEC_XFGVIRT(IListView, Release) STDMETHOD_(ULONG, Release)(THIS) PURE; // // IOleWindow // DECLSPEC_XFGVIRT(IListView, GetWindow) STDMETHOD(GetWindow)(THIS_ __RPC__in IOleWindow* window, __RPC__deref_out_opt HWND* WindowHandle) PURE; DECLSPEC_XFGVIRT(IListView, ContextSensitiveHelp) STDMETHOD(ContextSensitiveHelp)(THIS_ __RPC__in IOleWindow* window, _In_ BOOL fEnterMode) PURE; // // IListView // /** * Retrieves the handle to the image list used by the list view. * * \param ImageListType The type of image list to retrieve (e.g., normal, small, state). * \param ImageList Pointer to a variable that receives the handle to the image list. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, GetImageList) STDMETHOD(GetImageList)(THIS_ LONG ImageListType, HIMAGELIST* ImageList) PURE; /** * Sets a new image list for the list view and optionally retrieves the handle to the previous image list. * * \param ImageListType The type of image list to set (e.g., normal, small, state). * \param NewImageList Handle to the new image list to associate with the list view. * \param OldImageList Pointer to a variable that receives the handle to the previous image list. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, SetImageList) STDMETHOD(SetImageList)(THIS_ LONG ImageListType, HIMAGELIST NewImageList, HIMAGELIST* OldImageList) PURE; /** * Retrieves the current background color of the list view. * * \param Color Pointer to a variable that receives the background color (COLORREF). * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, GetBackgroundColor) STDMETHOD(GetBackgroundColor)(THIS_ COLORREF* Color) PURE; /** * Sets the background color of the list view. * * \param color The new background color (COLORREF) to set. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, SetBackgroundColor) STDMETHOD(SetBackgroundColor)(THIS_ COLORREF Color) PURE; /** * \brief Retrieves the current text color used by the list view. * * \param[out] Color Pointer to a COLORREF variable that receives the current text color. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, GetTextColor) STDMETHOD(GetTextColor)(THIS_ COLORREF* Color) PURE; /** * \brief Sets the foreground (text) color for the list view. * * \param[in] Color The COLORREF value specifying the new text color. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, SetForeColor) STDMETHOD(SetForeColor)(THIS_ COLORREF Color) PURE; /** * \brief Retrieves the current background color used for the text in the list view. * * \param[out] Color Pointer to a COLORREF variable that receives the current text background color. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, GetTextBackgroundColor) STDMETHOD(GetTextBackgroundColor)(THIS_ COLORREF* Color) PURE; /** * \brief Sets the background color for the text in the list view. * * \param[in] color The COLORREF value specifying the new text background color. * \return HRESULT indicating success or failure. */ DECLSPEC_XFGVIRT(IListView, SetTextBackgroundColor) STDMETHOD(SetTextBackgroundColor)(THIS_ COLORREF Color) PURE; DECLSPEC_XFGVIRT(IListView, GetHotLightColor) STDMETHOD(GetHotLightColor)(THIS_ COLORREF* Color) PURE; DECLSPEC_XFGVIRT(IListView, SetHotLightColor) STDMETHOD(SetHotLightColor)(THIS_ COLORREF Color) PURE; DECLSPEC_XFGVIRT(IListView, GetItemCount) STDMETHOD(GetItemCount)(THIS_ PLONG ItemCount) PURE; DECLSPEC_XFGVIRT(IListView, SetItemCount) STDMETHOD(SetItemCount)(THIS_ LONG ItemCount, ULONG Flags) PURE; DECLSPEC_XFGVIRT(IListView, GetItem) STDMETHOD(GetItem)(THIS_ LVITEMW* Item) PURE; DECLSPEC_XFGVIRT(IListView, SetItem) STDMETHOD(SetItem)(THIS_ LVITEMW* const Item) PURE; DECLSPEC_XFGVIRT(IListView, GetItemState) STDMETHOD(GetItemState)(THIS_ LONG ItemIndex, LONG SubItemIndex, ULONG Mask, PULONG State) PURE; DECLSPEC_XFGVIRT(IListView, SetItemState) STDMETHOD(SetItemState)(THIS_ LONG ItemIndex, LONG SubItemIndex, ULONG Mask, ULONG State) PURE; DECLSPEC_XFGVIRT(IListView, GetItemText) STDMETHOD(GetItemText)(THIS_ LONG ItemIndex, LONG SubItemIndex, PWSTR Buffer, LONG BufferSize) PURE; DECLSPEC_XFGVIRT(IListView, SetItemText) STDMETHOD(SetItemText)(THIS_ LONG ItemIndex, LONG SubItemIndex, PCWSTR Text) PURE; DECLSPEC_XFGVIRT(IListView, GetBackgroundImage) STDMETHOD(GetBackgroundImage)(THIS_ LVBKIMAGEW* pBkImage) PURE; DECLSPEC_XFGVIRT(IListView, SetBackgroundImage) STDMETHOD(SetBackgroundImage)(THIS_ LVBKIMAGEW* const BkImage) PURE; DECLSPEC_XFGVIRT(IListView, GetFocusedColumn) STDMETHOD(GetFocusedColumn)(THIS_ PLONG ColumnIndex) PURE; DECLSPEC_XFGVIRT(IListView, SetSelectionFlags) STDMETHOD(SetSelectionFlags)(THIS_ LONG Mask, LONG Flags) PURE; // HRESULT SetSelectionFlags (SELECTION_FLAGS, SELECTION_FLAGS); DECLSPEC_XFGVIRT(IListView, GetSelectedColumn) STDMETHOD(GetSelectedColumn)(THIS_ PLONG ColumnIndex) PURE; DECLSPEC_XFGVIRT(IListView, SetSelectedColumn) STDMETHOD(SetSelectedColumn)(THIS_ LONG ColumnIndex) PURE; DECLSPEC_XFGVIRT(IListView, GetView) STDMETHOD(GetView)(THIS_ PULONG View) PURE; DECLSPEC_XFGVIRT(IListView, SetView) STDMETHOD(SetView)(THIS_ ULONG View) PURE; DECLSPEC_XFGVIRT(IListView, InsertItem) STDMETHOD(InsertItem)(THIS_ LVITEMW* const Item, PLONG ItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, DeleteItem) STDMETHOD(DeleteItem)(THIS_ LONG ItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, DeleteAllItems) STDMETHOD(DeleteAllItems)(THIS) PURE; DECLSPEC_XFGVIRT(IListView, UpdateItem) STDMETHOD(UpdateItem)(THIS_ LONG ItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, GetItemRect) STDMETHOD(GetItemRect)(THIS_ LVITEMINDEX ItemIndex, LONG RectangleType, PRECT Rectangle) PURE; DECLSPEC_XFGVIRT(IListView, GetSubItemRect) STDMETHOD(GetSubItemRect)(THIS_ LVITEMINDEX ItemIndex, LONG SubItemIndex, LONG RectangleType, PRECT Rectangle) PURE; DECLSPEC_XFGVIRT(IListView, HitTestSubItem) STDMETHOD(HitTestSubItem)(THIS_ LVHITTESTINFO* HitTestData) PURE; DECLSPEC_XFGVIRT(IListView, GetIncrSearchString) STDMETHOD(GetIncrSearchString)(THIS_ PWSTR Buffer, LONG BufferSize, PLONG CopiedChars) PURE; DECLSPEC_XFGVIRT(IListView, GetItemSpacing) STDMETHOD(GetItemSpacing)(THIS_ BOOL SmallIconView, PLONG HorizontalSpacing, PLONG VerticalSpacing) PURE; DECLSPEC_XFGVIRT(IListView, SetIconSpacing) STDMETHOD(SetIconSpacing)(THIS_ LONG HorizontalSpacing, LONG VerticalSpacing, PLONG OldHorizontalSpacing, PLONG OldVerticalSpacing) PURE; DECLSPEC_XFGVIRT(IListView, GetNextItem) STDMETHOD(GetNextItem)(THIS_ LVITEMINDEX ItemIndex, ULONG Flags, LVITEMINDEX* NextItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, FindItem) STDMETHOD(FindItem)(THIS_ LVITEMINDEX startItemIndex, LVFINDINFOW const* FindInfo, LVITEMINDEX* FoundItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, GetSelectionMark) STDMETHOD(GetSelectionMark)(THIS_ LVITEMINDEX* SelectionMark) PURE; DECLSPEC_XFGVIRT(IListView, SetSelectionMark) STDMETHOD(SetSelectionMark)(THIS_ LVITEMINDEX NewSelectionMark, LVITEMINDEX* OldSelectionMark) PURE; DECLSPEC_XFGVIRT(IListView, GetItemPosition) STDMETHOD(GetItemPosition)(THIS_ LVITEMINDEX ItemIndex, POINT* Position) PURE; DECLSPEC_XFGVIRT(IListView, SetItemPosition) STDMETHOD(SetItemPosition)(THIS_ LONG ItemIndex, POINT const* Position) PURE; DECLSPEC_XFGVIRT(IListView, ScrollView) STDMETHOD(ScrollView)(THIS_ ULONG HorizontalScrollDistance, ULONG VerticalScrollDistance) PURE; DECLSPEC_XFGVIRT(IListView, EnsureItemVisible) STDMETHOD(EnsureItemVisible)(THIS_ LVITEMINDEX ItemIndex, BOOL PartialOk) PURE; DECLSPEC_XFGVIRT(IListView, EnsureSubItemVisible) STDMETHOD(EnsureSubItemVisible)(THIS_ LVITEMINDEX ItemIndex, LONG SubItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, EditSubItem) STDMETHOD(EditSubItem)(THIS_ LVITEMINDEX ItemIndex, LONG SubItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, RedrawItems) STDMETHOD(RedrawItems)(THIS_ LONG FirstItemIndex, LONG LastItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, ArrangeItems) STDMETHOD(ArrangeItems)(THIS_ LONG Mode) PURE; DECLSPEC_XFGVIRT(IListView, RecomputeItems) STDMETHOD(RecomputeItems)(THIS_ LONG Mode) PURE; DECLSPEC_XFGVIRT(IListView, GetEditControl) STDMETHOD(GetEditControl)(THIS_ HWND* EditWindowHandle) PURE; DECLSPEC_XFGVIRT(IListView, EditLabel) STDMETHOD(EditLabel)(THIS_ LVITEMINDEX ItemIndex, PCWSTR InitialEditText, HWND* EditWindowHandle) PURE; DECLSPEC_XFGVIRT(IListView, EditGroupLabel) STDMETHOD(EditGroupLabel)(THIS_ LONG GroupIndex) PURE; DECLSPEC_XFGVIRT(IListView, CancelEditLabel) STDMETHOD(CancelEditLabel)(THIS) PURE; DECLSPEC_XFGVIRT(IListView, GetEditItem) STDMETHOD(GetEditItem)(THIS_ LVITEMINDEX* ItemIndex, PLONG SubItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, HitTest) STDMETHOD(HitTest)(THIS_ LVHITTESTINFO* HitTestData) PURE; DECLSPEC_XFGVIRT(IListView, GetStringWidth) STDMETHOD(GetStringWidth)(THIS_ PCWSTR String, PLONG Width) PURE; DECLSPEC_XFGVIRT(IListView, GetColumn) STDMETHOD(GetColumn)(THIS_ LONG ColumnIndex, LVCOLUMNW* Column) PURE; DECLSPEC_XFGVIRT(IListView, SetColumn) STDMETHOD(SetColumn)(THIS_ LONG ColumnIndex, LVCOLUMNW* const Column) PURE; DECLSPEC_XFGVIRT(IListView, GetColumnOrderArray) STDMETHOD(GetColumnOrderArray)(THIS_ LONG NumberOfColumns, _Out_ PVOID* Columns) PURE; DECLSPEC_XFGVIRT(IListView, SetColumnOrderArray) STDMETHOD(SetColumnOrderArray)(THIS_ LONG NumberOfColumns, _In_ PVOID Columns) PURE; DECLSPEC_XFGVIRT(IListView, GetHeaderControl) STDMETHOD(GetHeaderControl)(THIS_ HWND* HeaderWindowHandle) PURE; DECLSPEC_XFGVIRT(IListView, InsertColumn) STDMETHOD(InsertColumn)(THIS_ LONG InsertAt, LVCOLUMNW* const Column, PLONG ColumnIndex) PURE; DECLSPEC_XFGVIRT(IListView, DeleteColumn) STDMETHOD(DeleteColumn)(THIS_ LONG ColumnIndex) PURE; DECLSPEC_XFGVIRT(IListView, CreateDragImage) STDMETHOD(CreateDragImage)(THIS_ LONG ItemIndex, POINT const* UpperLeft, HIMAGELIST* ImageList) PURE; DECLSPEC_XFGVIRT(IListView, GetViewRect) STDMETHOD(GetViewRect)(THIS_ RECT* Rectangle) PURE; DECLSPEC_XFGVIRT(IListView, GetClientRect) STDMETHOD(GetClientRect)(THIS_ BOOL StyleAndClientRect, RECT* ClientRectangle) PURE; DECLSPEC_XFGVIRT(IListView, GetColumnWidth) STDMETHOD(GetColumnWidth)(THIS_ LONG ColumnIndex, PLONG Width) PURE; DECLSPEC_XFGVIRT(IListView, SetColumnWidth) STDMETHOD(SetColumnWidth)(THIS_ LONG ColumnIndex, LONG Width) PURE; DECLSPEC_XFGVIRT(IListView, GetCallbackMask) STDMETHOD(GetCallbackMask)(THIS_ PULONG Mask) PURE; DECLSPEC_XFGVIRT(IListView, SetCallbackMask) STDMETHOD(SetCallbackMask)(THIS_ ULONG Mask) PURE; DECLSPEC_XFGVIRT(IListView, GetTopIndex) STDMETHOD(GetTopIndex)(THIS_ PLONG TopIndex) PURE; DECLSPEC_XFGVIRT(IListView, GetCountPerPage) STDMETHOD(GetCountPerPage)(THIS_ PLONG CountPerPage) PURE; DECLSPEC_XFGVIRT(IListView, GetOrigin) STDMETHOD(GetOrigin)(THIS_ POINT* Origin) PURE; DECLSPEC_XFGVIRT(IListView, GetSelectedCount) STDMETHOD(GetSelectedCount)(THIS_ PLONG SelectedCount) PURE; DECLSPEC_XFGVIRT(IListView, SortItems) STDMETHOD(SortItems)(THIS_ BOOL SortingByIndex, LPARAM lParam, PFNLVCOMPARE ComparisonFunction) PURE; DECLSPEC_XFGVIRT(IListView, GetExtendedStyle) STDMETHOD(GetExtendedStyle)(THIS_ PULONG Style) PURE; DECLSPEC_XFGVIRT(IListView, SetExtendedStyle) STDMETHOD(SetExtendedStyle)(THIS_ ULONG Mask, ULONG Style, PULONG OldStyle) PURE; DECLSPEC_XFGVIRT(IListView, GetHoverTime) STDMETHOD(GetHoverTime)(THIS_ PULONG Time) PURE; DECLSPEC_XFGVIRT(IListView, SetHoverTime) STDMETHOD(SetHoverTime)(THIS_ ULONG Time, PULONG OldSetting) PURE; DECLSPEC_XFGVIRT(IListView, GetToolTip) STDMETHOD(GetToolTip)(THIS_ HWND* ToolTipWindowHandle) PURE; DECLSPEC_XFGVIRT(IListView, SetToolTip) STDMETHOD(SetToolTip)(THIS_ HWND ToolTipWindowHandle, HWND* OldToolTipWindowHandle) PURE; DECLSPEC_XFGVIRT(IListView, GetHotItem) STDMETHOD(GetHotItem)(THIS_ LVITEMINDEX* HotItem) PURE; DECLSPEC_XFGVIRT(IListView, SetHotItem) STDMETHOD(SetHotItem)(THIS_ LVITEMINDEX NewHotItem, LVITEMINDEX* OldHotItem) PURE; DECLSPEC_XFGVIRT(IListView, GetHotCursor) STDMETHOD(GetHotCursor)(THIS_ HCURSOR* Cursor) PURE; DECLSPEC_XFGVIRT(IListView, SetHotCursor) STDMETHOD(SetHotCursor)(THIS_ HCURSOR Cursor, HCURSOR* OldCursor) PURE; DECLSPEC_XFGVIRT(IListView, ApproximateViewRect) STDMETHOD(ApproximateViewRect)(THIS_ LONG ItemCount, PLONG Width, PLONG Height) PURE; DECLSPEC_XFGVIRT(IListView, SetRangeObject) STDMETHOD(SetRangeObject)(THIS_ LONG unknown, void** Object) PURE; DECLSPEC_XFGVIRT(IListView, GetWorkAreas) STDMETHOD(GetWorkAreas)(THIS_ LONG NumberOfWorkAreas, RECT* WorkAreas) PURE; DECLSPEC_XFGVIRT(IListView, SetWorkAreas) STDMETHOD(SetWorkAreas)(THIS_ LONG NumberOfWorkAreas, RECT const* WorkAreas) PURE; DECLSPEC_XFGVIRT(IListView, GetWorkAreaCount) STDMETHOD(GetWorkAreaCount)(THIS_ PLONG NumberOfWorkAreas) PURE; DECLSPEC_XFGVIRT(IListView, ResetEmptyText) STDMETHOD(ResetEmptyText)(THIS) PURE; DECLSPEC_XFGVIRT(IListView, EnableGroupView) STDMETHOD(EnableGroupView)(THIS_ BOOL Enable) PURE; DECLSPEC_XFGVIRT(IListView, IsGroupViewEnabled) STDMETHOD(IsGroupViewEnabled)(THIS_ PBOOL IsEnabled) PURE; DECLSPEC_XFGVIRT(IListView, SortGroups) STDMETHOD(SortGroups)(THIS_ PFNLVGROUPCOMPARE pComparisonFunction, PVOID lParam) PURE; DECLSPEC_XFGVIRT(IListView, GetGroupInfo) STDMETHOD(GetGroupInfo)(THIS_ BOOL GetGroupInfoByIndex, LONG GroupIDOrIndex, LVGROUP* Group) PURE; DECLSPEC_XFGVIRT(IListView, SetGroupInfo) STDMETHOD(SetGroupInfo)(THIS_ BOOL SetGroupInfoByIndex, LONG GroupIDOrIndex, LVGROUP* const Group) PURE; DECLSPEC_XFGVIRT(IListView, GetGroupRect) STDMETHOD(GetGroupRect)(THIS_ BOOL GetGroupRectByIndex, LONG GroupIDOrIndex, LONG RectangleType, RECT* pRectangle) PURE; DECLSPEC_XFGVIRT(IListView, GetGroupState) STDMETHOD(GetGroupState)(THIS_ LONG GroupID, ULONG Mask, PULONG State) PURE; DECLSPEC_XFGVIRT(IListView, HasGroup) STDMETHOD(HasGroup)(THIS_ LONG GroupID, BOOL* HasGroup) PURE; DECLSPEC_XFGVIRT(IListView, InsertGroup) STDMETHOD(InsertGroup)(THIS_ LONG InsertAt, LVGROUP* const Group, PLONG GroupID) PURE; DECLSPEC_XFGVIRT(IListView, RemoveGroup) STDMETHOD(RemoveGroup)(THIS_ LONG GroupID) PURE; DECLSPEC_XFGVIRT(IListView, InsertGroupSorted) STDMETHOD(InsertGroupSorted)(THIS_ LVINSERTGROUPSORTED const* Group, PLONG GroupID) PURE; DECLSPEC_XFGVIRT(IListView, GetGroupMetrics) STDMETHOD(GetGroupMetrics)(THIS_ LVGROUPMETRICS* Metrics) PURE; DECLSPEC_XFGVIRT(IListView, SetGroupMetrics) STDMETHOD(SetGroupMetrics)(THIS_ LVGROUPMETRICS* const Metrics) PURE; DECLSPEC_XFGVIRT(IListView, RemoveAllGroups) STDMETHOD(RemoveAllGroups)(THIS) PURE; DECLSPEC_XFGVIRT(IListView, GetFocusedGroup) STDMETHOD(GetFocusedGroup)(THIS_ PLONG pGroupID) PURE; DECLSPEC_XFGVIRT(IListView, GetGroupCount) STDMETHOD(GetGroupCount)(THIS_ PLONG pCount) PURE; DECLSPEC_XFGVIRT(IListView, SetOwnerDataCallback) STDMETHOD(SetOwnerDataCallback)(THIS_ IOwnerDataCallback* pCallback) PURE; DECLSPEC_XFGVIRT(IListView, GetTileViewInfo) STDMETHOD(GetTileViewInfo)(THIS_ LVTILEVIEWINFO* pInfo) PURE; DECLSPEC_XFGVIRT(IListView, SetTileViewInfo) STDMETHOD(SetTileViewInfo)(THIS_ LVTILEVIEWINFO* const pInfo) PURE; DECLSPEC_XFGVIRT(IListView, GetTileInfo) STDMETHOD(GetTileInfo)(THIS_ LVTILEINFO* pTileInfo) PURE; DECLSPEC_XFGVIRT(IListView, SetTileInfo) STDMETHOD(SetTileInfo)(THIS_ LVTILEINFO* const pTileInfo) PURE; DECLSPEC_XFGVIRT(IListView, GetInsertMark) STDMETHOD(GetInsertMark)(THIS_ LVINSERTMARK* pInsertMarkDetails) PURE; DECLSPEC_XFGVIRT(IListView, SetInsertMark) STDMETHOD(SetInsertMark)(THIS_ LVINSERTMARK const* pInsertMarkDetails) PURE; DECLSPEC_XFGVIRT(IListView, GetInsertMarkRect) STDMETHOD(GetInsertMarkRect)(THIS_ LPRECT pInsertMarkRectangle) PURE; DECLSPEC_XFGVIRT(IListView, GetInsertMarkColor) STDMETHOD(GetInsertMarkColor)(THIS_ COLORREF* pColor) PURE; DECLSPEC_XFGVIRT(IListView, SetInsertMarkColor) STDMETHOD(SetInsertMarkColor)(THIS_ COLORREF color, COLORREF* pOldColor) PURE; DECLSPEC_XFGVIRT(IListView, HitTestInsertMark) STDMETHOD(HitTestInsertMark)(THIS_ POINT const* Point, LVINSERTMARK* pInsertMarkDetails) PURE; DECLSPEC_XFGVIRT(IListView, SetInfoTip) STDMETHOD(SetInfoTip)(THIS_ LVSETINFOTIP* const InfoTip) PURE; DECLSPEC_XFGVIRT(IListView, GetOutlineColor) STDMETHOD(GetOutlineColor)(THIS_ COLORREF* Color) PURE; DECLSPEC_XFGVIRT(IListView, SetOutlineColor) STDMETHOD(SetOutlineColor)(THIS_ COLORREF Color, COLORREF* OldColor) PURE; DECLSPEC_XFGVIRT(IListView, GetFrozenItem) STDMETHOD(GetFrozenItem)(THIS_ PLONG ItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, SetFrozenItem) STDMETHOD(SetFrozenItem)(THIS_ LONG ItemIndexStart, LONG ItemIndexEnd) PURE; DECLSPEC_XFGVIRT(IListView, GetFrozenSlot) STDMETHOD(GetFrozenSlot)(THIS_ RECT* Rect) PURE; DECLSPEC_XFGVIRT(IListView, SetFrozenSlot) STDMETHOD(SetFrozenSlot)(THIS_ LONG Slot, POINT const* Rect) PURE; DECLSPEC_XFGVIRT(IListView, GetViewMargin) STDMETHOD(GetViewMargin)(THIS_ RECT* Margin) PURE; DECLSPEC_XFGVIRT(IListView, SetViewMargin) STDMETHOD(SetViewMargin)(THIS_ RECT const* Margin) PURE; DECLSPEC_XFGVIRT(IListView, SetKeyboardSelected) STDMETHOD(SetKeyboardSelected)(THIS_ LVITEMINDEX ItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, MapIndexToId) STDMETHOD(MapIndexToId)(THIS_ LONG ItemIndex, PLONG ItemID) PURE; DECLSPEC_XFGVIRT(IListView, MapIdToIndex) STDMETHOD(MapIdToIndex)(THIS_ LONG ItemID, PLONG ItemIndex) PURE; DECLSPEC_XFGVIRT(IListView, IsItemVisible) STDMETHOD(IsItemVisible)(THIS_ LVITEMINDEX ItemIndex, BOOL* Visible) PURE; DECLSPEC_XFGVIRT(IListView, EnableAlphaShadow) STDMETHOD(EnableAlphaShadow)(THIS_ BOOL Enable) PURE; DECLSPEC_XFGVIRT(IListView, GetGroupSubsetCount) STDMETHOD(GetGroupSubsetCount)(THIS_ PLONG NumberOfRowsDisplayed) PURE; DECLSPEC_XFGVIRT(IListView, SetGroupSubsetCount) STDMETHOD(SetGroupSubsetCount)(THIS_ LONG NumberOfRowsToDisplay) PURE; DECLSPEC_XFGVIRT(IListView, GetVisibleSlotCount) STDMETHOD(GetVisibleSlotCount)(THIS_ PLONG Count) PURE; DECLSPEC_XFGVIRT(IListView, GetColumnMargin) STDMETHOD(GetColumnMargin)(THIS_ RECT* Margin) PURE; DECLSPEC_XFGVIRT(IListView, SetSubItemCallback) STDMETHOD(SetSubItemCallback)(THIS_ LPVOID Callback) PURE; DECLSPEC_XFGVIRT(IListView, GetVisibleItemRange) STDMETHOD(GetVisibleItemRange)(THIS_ LVITEMINDEX* FirstItem, LVITEMINDEX* LastItem) PURE; DECLSPEC_XFGVIRT(IListView, SetTypeAheadFlags) STDMETHOD(SetTypeAheadFlags)(THIS_ ULONG Mask, ULONG Flags) PURE; // HRESULT SetTypeAheadFlags (TYPEAHEAD_FLAGS, TYPEAHEAD_FLAGS); // Windows 10 /** * \brief Sets the work areas with DPI awareness for the view. * * \param [in] LONG The number of work areas to set. * \param [in] struct tagLVWORKAREAWITHDPI const* Pointer to an array of LVWORKAREAWITHDPI structures that define the work areas and their associated DPI settings. * \return HRESULT Returns S_OK if successful, or an error code otherwise. */ DECLSPEC_XFGVIRT(IListView, SetWorkAreasWithDpi) STDMETHOD(SetWorkAreasWithDpi)(THIS_ LONG index, struct tagLVWORKAREAWITHDPI const*) PURE; /** * \brief Retrieves the work areas along with their associated DPI settings. * * \param [in] LONG The index or identifier for the work area. * \param [out] tagLVWORKAREAWITHDPI* Pointer to a structure that receives the work area information and its DPI. * * \return HRESULT indicating success or failure of the operation. */ DECLSPEC_XFGVIRT(IListView, GetWorkAreasWithDpi) STDMETHOD(GetWorkAreasWithDpi)(THIS_ LONG index, struct tagLVWORKAREAWITHDPI*) PURE; /** * Sets the image list for the work area. * * \param [in] param1 The first LONG parameter (purpose depends on implementation). * \param [in] param2 The second LONG parameter (purpose depends on implementation). * \param [in] hImageList Handle to the image list to be set. * \param [out] phOldImageList Pointer to a variable that receives the handle to the previous image list. * \return HRESULT Returns S_OK on success, or an error code otherwise. */ DECLSPEC_XFGVIRT(IListView, SetWorkAreaImageList) STDMETHOD(SetWorkAreaImageList)(THIS_ LONG param1, LONG param2, HIMAGELIST hImageList, HIMAGELIST* phOldImageList) PURE; /** * Retrieves the image list associated with a specified work area. * * \param [in] param1 The first LONG parameter, typically representing the work area index or identifier. * \param [in] param2 The second LONG parameter, usage depends on implementation context. * \param [out] phImageList Pointer to a HIMAGELIST that receives the handle to the image list. * \return HRESULT Returns S_OK on success, or an error code otherwise. */ DECLSPEC_XFGVIRT(IListView, GetWorkAreaImageList) STDMETHOD(GetWorkAreaImageList)(THIS_ LONG param1, LONG param2, HIMAGELIST* phImageList) PURE; /** * Enables or disables the "Icon Bullying" feature. * * This method controls the behavior of icon manipulation within the interface. * * \param Mode Specifies the mode for icon bullying. * \return HRESULT indicating success or failure of the operation. */ DECLSPEC_XFGVIRT(IListView, EnableIconBullying) STDMETHOD(EnableIconBullying)(THIS_ LONG Mode) PURE; /** * \brief Enables or configures specific quirks or compatibility modes. * * \param Flags A bitmask of flags specifying which quirks to enable. * \return HRESULT indicating success or failure of the operation. */ DECLSPEC_XFGVIRT(IListView, EnableQuirks) STDMETHOD(EnableQuirks)(THIS_ ULONG Flags) PURE; END_INTERFACE }; #undef INTERFACE #define IListViewQueryInterface(This,riid,ppvObject) \ ((This)->lpVtbl->QueryInterface(This,riid,ppvObject)) #define IListView_AddRef(This) \ ((This)->lpVtbl->AddRef(This)) #define IListView_Release(This) \ ((This)->lpVtbl->Release(This)) #define IListView_GetWindow(This, OleWindow, WindowHandle) \ ((This)->lpVtbl->GetWindow(This, OleWindow, WindowHandle)) #define IListView_ContextSensitiveHelp(This, fEnterMode) \ ((This)->lpVtbl->ContextSensitiveHelp(This, fEnterMode)) #define IListView_GetImageList(This, imageList, pHImageList) \ ((This)->lpVtbl->GetImageList(This, imageList, pHImageList)) #define IListView_SetImageList(This, imageList, hNewImageList, pHOldImageList) \ ((This)->lpVtbl->SetImageList(This, imageList, hNewImageList, pHOldImageList)) #define IListView_GetBackgroundColor(This, pColor) \ ((This)->lpVtbl->GetBackgroundColor(This, pColor)) #define IListView_SetBackgroundColor(This, color) \ ((This)->lpVtbl->SetBackgroundColor(This, color)) #define IListView_GetTextColor(This, pColor) \ ((This)->lpVtbl->GetTextColor(This, pColor)) #define IListView_SetTextColor(This, color) \ ((This)->lpVtbl->SetTextColor(This, color)) #define IListView_GetTextBackgroundColor(This, pColor) \ ((This)->lpVtbl->GetTextBackgroundColor(This, pColor)) #define IListView_SetTextBackgroundColor(This, color) \ ((This)->lpVtbl->SetTextBackgroundColor(This, color)) #define IListView_GetHotLightColor(This, pColor) \ ((This)->lpVtbl->GetHotLightColor(This, pColor)) #define IListView_SetHotLightColor(This, color) \ ((This)->lpVtbl->SetHotLightColor(This, color)) #define IListView_GetItemCount(This, pItemCount) \ ((This)->lpVtbl->GetItemCount(This, pItemCount)) #define IListView_SetItemCount(This, itemCount, flags) \ ((This)->lpVtbl->SetItemCount(This, itemCount, flags)) #define IListView_GetItem(This, pItem) \ ((This)->lpVtbl->GetItem(This, pItem)) #define IListView_SetItem(This, pItem) \ ((This)->lpVtbl->SetItem(This, pItem)) #define IListView_GetItemState(This, itemIndex, subItemIndex, mask, pState) \ ((This)->lpVtbl->GetItemState(This, itemIndex, subItemIndex, mask, pState)) #define IListView_SetItemState(This, itemIndex, subItemIndex, mask, state) \ ((This)->lpVtbl->SetItemState(This, itemIndex, subItemIndex, mask, state)) #define IListView_GetItemText(This, itemIndex, subItemIndex, pBuffer, bufferSize) \ ((This)->lpVtbl->GetItemText(This, itemIndex, subItemIndex, pBuffer, bufferSize)) #define IListView_SetItemText(This, itemIndex, subItemIndex, pText) \ ((This)->lpVtbl->SetItemText(This, itemIndex, subItemIndex, pText)) #define IListView_GetBackgroundImage(This, pBkImage) \ ((This)->lpVtbl->GetBackgroundImage(This, pBkImage)) #define IListView_SetBackgroundImage(This, pBkImage) \ ((This)->lpVtbl->SetBackgroundImage(This, pBkImage)) #define IListView_GetFocusedColumn(This, pColumnIndex) \ ((This)->lpVtbl->GetFocusedColumn(This, pColumnIndex)) #define IListView_SetSelectionFlags(This, mask, flags) \ ((This)->lpVtbl->SetSelectionFlags(This, mask, flags)) #define IListView_GetSelectedColumn(This, pColumnIndex) \ ((This)->lpVtbl->GetSelectedColumn(This, pColumnIndex)) #define IListView_SetSelectedColumn(This, columnIndex) \ ((This)->lpVtbl->SetSelectedColumn(This, columnIndex)) #define IListView_GetView(This, pView) \ ((This)->lpVtbl->GetView(This, pView)) #define IListView_SetView(This, view) \ ((This)->lpVtbl->SetView(This, view)) #define IListView_InsertItem(This, pItem, pItemIndex) \ ((This)->lpVtbl->InsertItem(This, pItem, pItemIndex)) #define IListView_DeleteItem(This, itemIndex) \ ((This)->lpVtbl->DeleteItem(This, itemIndex)) #define IListView_DeleteAllItems(This) \ ((This)->lpVtbl->DeleteAllItems(This)) #define IListView_UpdateItem(This, itemIndex) \ ((This)->lpVtbl->UpdateItem(This, itemIndex)) #define IListView_GetItemRect(This, itemIndex, rectangleType, pRectangle) \ ((This)->lpVtbl->GetItemRect(This, itemIndex, rectangleType, pRectangle)) #define IListView_GetSubItemRect(This, itemIndex, subItemIndex, rectangleType, pRectangle) \ ((This)->lpVtbl->GetSubItemRect(This, itemIndex, subItemIndex, rectangleType, pRectangle)) #define IListView_HitTestSubItem(This, pHitTestData) \ ((This)->lpVtbl->HitTestSubItem(This, pHitTestData)) #define IListView_GetIncrSearchString(This, pBuffer, bufferSize, pCopiedChars) \ ((This)->lpVtbl->GetIncrSearchString(This, pBuffer, bufferSize, pCopiedChars)) #define IListView_GetItemSpacing(This, smallIconView, pHorizontalSpacing, pVerticalSpacing) \ ((This)->lpVtbl->GetItemSpacing(This, smallIconView, pHorizontalSpacing, pVerticalSpacing)) #define IListView_SetIconSpacing(This, horizontalSpacing, verticalSpacing, pHorizontalSpacing, pVerticalSpacing) \ ((This)->lpVtbl->SetIconSpacing(This, horizontalSpacing, verticalSpacing, pHorizontalSpacing, pVerticalSpacing)) #define IListView_GetNextItem(This, itemIndex, flags, pNextItemIndex) \ ((This)->lpVtbl->GetNextItem(This, itemIndex, flags, pNextItemIndex)) #define IListView_FindItem(This, startItemIndex, pFindInfo, pFoundItemIndex) \ ((This)->lpVtbl->FindItem(This, startItemIndex, pFindInfo, pFoundItemIndex)) #define IListView_GetSelectionMark(This, pSelectionMark) \ ((This)->lpVtbl->GetSelectionMark(This, pSelectionMark)) #define IListView_SetSelectionMark(This, newSelectionMark, pOldSelectionMark) \ ((This)->lpVtbl->SetSelectionMark(This, newSelectionMark, pOldSelectionMark)) #define IListView_GetItemPosition(This, itemIndex, pPosition) \ ((This)->lpVtbl->GetItemPosition(This, itemIndex, pPosition)) #define IListView_SetItemPosition(This, itemIndex, pPosition) \ ((This)->lpVtbl->SetItemPosition(This, itemIndex, pPosition)) #define IListView_ScrollView(This, horizontalScrollDistance, verticalScrollDistance) \ ((This)->lpVtbl->ScrollView(This, horizontalScrollDistance, verticalScrollDistance)) #define IListView_EnsureItemVisible(This, itemIndex, partialOk) \ ((This)->lpVtbl->EnsureItemVisible(This, itemIndex, partialOk)) #define IListView_EnsureSubItemVisible(This, itemIndex, subItemIndex) \ ((This)->lpVtbl->EnsureSubItemVisible(This, itemIndex, subItemIndex)) #define IListView_EditSubItem(This, itemIndex, subItemIndex) \ ((This)->lpVtbl->EditSubItem(This, itemIndex, subItemIndex)) #define IListView_RedrawItems(This, firstItemIndex, lastItemIndex) \ ((This)->lpVtbl->RedrawItems(This, firstItemIndex, lastItemIndex)) #define IListView_ArrangeItems(This, mode) \ ((This)->lpVtbl->ArrangeItems(This, mode)) #define IListView_RecomputeItems(This, unknown) \ ((This)->lpVtbl->RecomputeItems(This, unknown)) #define IListView_GetEditControl(This, EditWindowHandle) \ ((This)->lpVtbl->GetEditControl(This, EditWindowHandle)) #define IListView_EditLabel(This, itemIndex, initialEditText, EditWindowHandle) \ ((This)->lpVtbl->EditLabel(This, itemIndex, initialEditText, EditWindowHandle)) #define IListView_EditGroupLabel(This, groupIndex) \ ((This)->lpVtbl->EditGroupLabel(This, groupIndex)) #define IListView_CancelEditLabel(This) \ ((This)->lpVtbl->CancelEditLabel(This)) #define IListView_GetEditItem(This, itemIndex, subItemIndex) \ ((This)->lpVtbl->GetEditItem(This, itemIndex, subItemIndex)) #define IListView_HitTest(This, pHitTestData) \ ((This)->lpVtbl->HitTest(This, pHitTestData)) #define IListView_GetStringWidth(This, pString, pWidth) \ ((This)->lpVtbl->GetStringWidth(This, pString, pWidth)) #define IListView_GetColumn(This, columnIndex, pColumn) \ ((This)->lpVtbl->GetColumn(This, columnIndex, pColumn)) #define IListView_SetColumn(This, columnIndex, pColumn) \ ((This)->lpVtbl->SetColumn(This, columnIndex, pColumn)) #define IListView_GetColumnOrderArray(This, numberOfColumns, pColumns) \ ((This)->lpVtbl->GetColumnOrderArray(This, numberOfColumns, pColumns)) #define IListView_SetColumnOrderArray(This, numberOfColumns, pColumns) \ ((This)->lpVtbl->SetColumnOrderArray(This, numberOfColumns, pColumns)) #define IListView_GetHeaderControl(This, HeaderWindowHandle) \ ((This)->lpVtbl->GetHeaderControl(This, HeaderWindowHandle)) #define IListView_InsertColumn(This, insertAt, pColumn, pColumnIndex) \ ((This)->lpVtbl->InsertColumn(This, insertAt, pColumn, pColumnIndex)) #define IListView_DeleteColumn(This, columnIndex) \ ((This)->lpVtbl->DeleteColumn(This, columnIndex)) #define IListView_CreateDragImage(This, itemIndex, pUpperLeft, pHImageList) \ ((This)->lpVtbl->CreateDragImage(This, itemIndex, pUpperLeft, pHImageList)) #define IListView_GetViewRect(This, pRectangle) \ ((This)->lpVtbl->GetViewRect(This, pRectangle)) #define IListView_GetClientRect(This, unknown, pClientRectangle) \ ((This)->lpVtbl->GetClientRect(This, unknown, pClientRectangle)) #define IListView_GetColumnWidth(This, columnIndex, pWidth) \ ((This)->lpVtbl->GetColumnWidth(This, columnIndex, pWidth)) #define IListView_SetColumnWidth(This, columnIndex, width) \ ((This)->lpVtbl->SetColumnWidth(This, columnIndex, width)) #define IListView_GetCallbackMask(This, pMask) \ ((This)->lpVtbl->GetCallbackMask(This, pMask)) #define IListView_SetCallbackMask(This, mask) \ ((This)->lpVtbl->SetCallbackMask(This, mask)) #define IListView_GetTopIndex(This, pTopIndex) \ ((This)->lpVtbl->GetTopIndex(This, pTopIndex)) #define IListView_GetCountPerPage(This, pCountPerPage) \ ((This)->lpVtbl->GetCountPerPage(This, pCountPerPage)) #define IListView_GetOrigin(This, pOrigin) \ ((This)->lpVtbl->GetOrigin(This, pOrigin)) #define IListView_GetSelectedCount(This, pSelectedCount) \ ((This)->lpVtbl->GetSelectedCount(This, pSelectedCount)) #define IListView_SortItems(This, SortingByIndex, lParam, pComparisonFunction) \ ((This)->lpVtbl->SortItems(This, SortingByIndex, lParam, pComparisonFunction)) #define IListView_GetExtendedStyle(This, pStyle) \ ((This)->lpVtbl->GetExtendedStyle(This, pStyle)) #define IListView_SetExtendedStyle(This, mask, style, pOldStyle) \ ((This)->lpVtbl->SetExtendedStyle(This, mask, style, pOldStyle)) #define IListView_GetHoverTime(This, pTime) \ ((This)->lpVtbl->GetHoverTime(This, pTime)) #define IListView_SetHoverTime(This, time, pOldSetting) \ ((This)->lpVtbl->SetHoverTime(This, time, pOldSetting)) #define IListView_GetToolTip(This, ToolTipWindowHandle) \ ((This)->lpVtbl->GetToolTip(This, ToolTipWindowHandle)) #define IListView_SetToolTip(This, ToolTipWindowHandle, OldToolTipWindowHandle) \ ((This)->lpVtbl->SetToolTip(This, ToolTipWindowHandle, OldToolTipWindowHandle)) #define IListView_GetHotItem(This, pHotItem) \ ((This)->lpVtbl->GetHotItem(This, pHotItem)) #define IListView_SetHotItem(This, newHotItem, pOldHotItem) \ ((This)->lpVtbl->SetHotItem(This, newHotItem, pOldHotItem)) #define IListView_GetHotCursor(This, pHCursor) \ ((This)->lpVtbl->GetHotCursor(This, pHCursor)) #define IListView_SetHotCursor(This, hCursor, pHOldCursor) \ ((This)->lpVtbl->SetHotCursor(This, hCursor, pHOldCursor)) #define IListView_ApproximateViewRect(This, itemCount, pWidth, pHeight) \ ((This)->lpVtbl->ApproximateViewRect(This, itemCount, pWidth, pHeight)) #define IListView_SetRangeObject(This, unknown, pObject) \ ((This)->lpVtbl->SetRangeObject(This, unknown, pObject)) #define IListView_GetWorkAreas(This, numberOfWorkAreas, pWorkAreas) \ ((This)->lpVtbl->GetWorkAreas(This, numberOfWorkAreas, pWorkAreas)) #define IListView_SetWorkAreas(This, numberOfWorkAreas, pWorkAreas) \ ((This)->lpVtbl->SetWorkAreas(This, numberOfWorkAreas, pWorkAreas)) #define IListView_GetWorkAreaCount(This, pNumberOfWorkAreas) \ ((This)->lpVtbl->GetWorkAreaCount(This, pNumberOfWorkAreas)) #define IListView_ResetEmptyText(This) \ ((This)->lpVtbl->ResetEmptyText(This)) #define IListView_EnableGroupView(This, enable) \ ((This)->lpVtbl->EnableGroupView(This, enable)) #define IListView_IsGroupViewEnabled(This, pIsEnabled) \ ((This)->lpVtbl->IsGroupViewEnabled(This, pIsEnabled)) #define IListView_SortGroups(This, pComparisonFunction, lParam) \ ((This)->lpVtbl->SortGroups(This, pComparisonFunction, lParam)) #define IListView_GetGroupInfo(This, GetGroupInfoByIndex, GroupIDOrIndex, pGroup) \ ((This)->lpVtbl->GetGroupInfo(This, GetGroupInfoByIndex, GroupIDOrIndex, pGroup)) #define IListView_SetGroupInfo(This, SetGroupInfoByIndex, GroupIDOrIndex, pGroup) \ ((This)->lpVtbl->SetGroupInfo(This, SetGroupInfoByIndex, GroupIDOrIndex, pGroup)) #define IListView_GetGroupRect(This, GetGroupRectByIndex, GroupIDOrIndex, rectangleType, pRectangle) \ ((This)->lpVtbl->GetGroupRect(This, GetGroupRectByIndex, GroupIDOrIndex, rectangleType, pRectangle)) #define IListView_GetGroupState(This, groupID, mask, pState) \ ((This)->lpVtbl->GetGroupState(This, groupID, mask, pState)) #define IListView_HasGroup(This, groupID, pHasGroup) \ ((This)->lpVtbl->HasGroup(This, groupID, pHasGroup)) #define IListView_InsertGroup(This, insertAt, pGroup, pGroupID) \ ((This)->lpVtbl->InsertGroup(This, insertAt, pGroup, pGroupID)) #define IListView_RemoveGroup(This, groupID) \ ((This)->lpVtbl->RemoveGroup(This, groupID)) #define IListView_InsertGroupSorted(This, pGroup, pGroupID) \ ((This)->lpVtbl->InsertGroupSorted(This, pGroup, pGroupID)) #define IListView_GetGroupMetrics(This, pMetrics) \ ((This)->lpVtbl->GetGroupMetrics(This, pMetrics)) #define IListView_SetGroupMetrics(This, pMetrics) \ ((This)->lpVtbl->SetGroupMetrics(This, pMetrics)) #define IListView_RemoveAllGroups(This) \ ((This)->lpVtbl->RemoveAllGroups(This)) #define IListView_GetFocusedGroup(This, pGroupID) \ ((This)->lpVtbl->GetFocusedGroup(This, pGroupID)) #define IListView_GetGroupCount(This, pCount) \ ((This)->lpVtbl->GetGroupCount(This, pCount)) #define IListView_SetOwnerDataCallback(This, pCallback) \ ((This)->lpVtbl->SetOwnerDataCallback(This, pCallback)) #define IListView_GetTileViewInfo(This, pInfo) \ ((This)->lpVtbl->GetTileViewInfo(This, pInfo)) #define IListView_SetTileViewInfo(This, pInfo) \ ((This)->lpVtbl->SetTileViewInfo(This, pInfo)) #define IListView_GetTileInfo(This, pTileInfo) \ ((This)->lpVtbl->GetTileInfo(This, pTileInfo)) #define IListView_SetTileInfo(This, pTileInfo) \ ((This)->lpVtbl->SetTileInfo(This, pTileInfo)) #define IListView_GetInsertMark(This, pInsertMarkDetails) \ ((This)->lpVtbl->GetInsertMark(This, pInsertMarkDetails)) #define IListView_SetInsertMark(This, pInsertMarkDetails) \ ((This)->lpVtbl->SetInsertMark(This, pInsertMarkDetails)) #define IListView_GetInsertMarkRect(This, pInsertMarkRectangle) \ ((This)->lpVtbl->GetInsertMarkRect(This, pInsertMarkRectangle)) #define IListView_GetInsertMarkColor(This, pColor) \ ((This)->lpVtbl->GetInsertMarkColor(This, pColor)) #define IListView_SetInsertMarkColor(This, color, pOldColor) \ ((This)->lpVtbl->SetInsertMarkColor(This, color, pOldColor)) #define IListView_HitTestInsertMark(This, pPoint, pInsertMarkDetails) \ ((This)->lpVtbl->HitTestInsertMark(This, pPoint, pInsertMarkDetails)) #define IListView_SetInfoTip(This, pInfoTip) \ ((This)->lpVtbl->SetInfoTip(This, pInfoTip)) #define IListView_GetOutlineColor(This, pColor) \ ((This)->lpVtbl->GetOutlineColor(This, pColor)) #define IListView_SetOutlineColor(This, color, pOldColor) \ ((This)->lpVtbl->SetOutlineColor(This, color, pOldColor)) #define IListView_GetFrozenItem(This, pItemIndex) \ ((This)->lpVtbl->GetFrozenItem(This, pItemIndex)) #define IListView_SetFrozenItem(This, unknown1, unknown2) \ ((This)->lpVtbl->SetFrozenItem(This, unknown1, unknown2)) #define IListView_GetFrozenSlot(This, pUnknown) \ ((This)->lpVtbl->GetFrozenSlot(This, pUnknown)) #define IListView_SetFrozenSlot(This, unknown1, pUnknown2) \ ((This)->lpVtbl->SetFrozenSlot(This, unknown1, pUnknown2)) #define IListView_GetViewMargin(This, pMargin) \ ((This)->lpVtbl->GetViewMargin(This, pMargin)) #define IListView_SetViewMargin(This, pMargin) \ ((This)->lpVtbl->SetViewMargin(This, pMargin)) #define IListView_SetKeyboardSelected(This, itemIndex) \ ((This)->lpVtbl->SetKeyboardSelected(This, itemIndex)) #define IListView_MapIndexToId(This, itemIndex, pItemID) \ ((This)->lpVtbl->MapIndexToId(This, itemIndex, pItemID)) #define IListView_MapIdToIndex(This, itemID, pItemIndex) \ ((This)->lpVtbl->MapIdToIndex(This, itemID, pItemIndex)) #define IListView_IsItemVisible(This, itemIndex, pVisible) \ ((This)->lpVtbl->IsItemVisible(This, itemIndex, pVisible)) #define IListView_EnableAlphaShadow(This, enable) \ ((This)->lpVtbl->EnableAlphaShadow(This, enable)) #define IListView_GetGroupSubsetCount(This, pNumberOfRowsDisplayed) \ ((This)->lpVtbl->GetGroupSubsetCount(This, pNumberOfRowsDisplayed)) #define IListView_SetGroupSubsetCount(This, numberOfRowsToDisplay) \ ((This)->lpVtbl->SetGroupSubsetCount(This, numberOfRowsToDisplay)) #define IListView_GetVisibleSlotCount(This, pCount) \ ((This)->lpVtbl->GetVisibleSlotCount(This, pCount)) #define IListView_GetColumnMargin(This, pMargin) \ ((This)->lpVtbl->GetColumnMargin(This, pMargin)) #define IListView_SetSubItemCallback(This, pCallback) \ ((This)->lpVtbl->SetSubItemCallback(This, pCallback)) #define IListView_GetVisibleItemRange(This, pFirstItem, pLastItem) \ ((This)->lpVtbl->GetVisibleItemRange(This, pFirstItem, pLastItem)) #define IListView_SetTypeAheadFlags(This, mask, flags) \ ((This)->lpVtbl->SetTypeAheadFlags(This, mask, flags)) #endif ================================================ FILE: phlib/include/handle.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * */ #ifndef _PH_HANDLE_H #define _PH_HANDLE_H #ifdef __cplusplus extern "C" { #endif struct _PH_HANDLE_TABLE; typedef struct _PH_HANDLE_TABLE *PPH_HANDLE_TABLE; typedef struct _PH_HANDLE_TABLE_ENTRY { union { PVOID Object; ULONG_PTR Value; struct { /** The type of the entry; 1 if the entry is free, otherwise 0 if the entry is in use. */ ULONG_PTR Type : 1; /** * Whether the entry is not locked; 1 if the entry is not locked, otherwise 0 if the * entry is locked. */ ULONG_PTR Locked : 1; ULONG_PTR Value : sizeof(ULONG_PTR) * 8 - 2; } TypeAndValue; }; union { ACCESS_MASK GrantedAccess; ULONG NextFreeValue; ULONG_PTR Value2; }; } PH_HANDLE_TABLE_ENTRY, *PPH_HANDLE_TABLE_ENTRY; #define PH_HANDLE_TABLE_SAFE #define PH_HANDLE_TABLE_FREE_COUNT 64 #define PH_HANDLE_TABLE_STRICT_FIFO 0x1 #define PH_HANDLE_TABLE_VALID_FLAGS 0x1 PHLIBAPI PPH_HANDLE_TABLE NTAPI PhCreateHandleTable( VOID ); PHLIBAPI VOID NTAPI PhDestroyHandleTable( _In_ _Post_invalid_ PPH_HANDLE_TABLE HandleTable ); PHLIBAPI BOOLEAN NTAPI PhLockHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _Inout_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ); PHLIBAPI VOID NTAPI PhUnlockHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _Inout_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ); PHLIBAPI HANDLE NTAPI PhCreateHandle( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ); PHLIBAPI BOOLEAN NTAPI PhDestroyHandle( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ HANDLE Handle, _In_opt_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ); PHLIBAPI PPH_HANDLE_TABLE_ENTRY NTAPI PhLookupHandleTableEntry( _In_ PPH_HANDLE_TABLE HandleTable, _In_ HANDLE Handle ); typedef BOOLEAN (NTAPI *PPH_ENUM_HANDLE_TABLE_CALLBACK)( _In_ PPH_HANDLE_TABLE HandleTable, _In_ HANDLE Handle, _In_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry, _In_opt_ PVOID Context ); PHLIBAPI VOID NTAPI PhEnumHandleTable( _In_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_ENUM_HANDLE_TABLE_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI VOID NTAPI PhSweepHandleTable( _In_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_ENUM_HANDLE_TABLE_CALLBACK Callback, _In_opt_ PVOID Context ); typedef enum _PH_HANDLE_TABLE_INFORMATION_CLASS { HandleTableBasicInformation, HandleTableFlagsInformation, MaxHandleTableInfoClass } PH_HANDLE_TABLE_INFORMATION_CLASS; typedef struct _PH_HANDLE_TABLE_BASIC_INFORMATION { ULONG Count; ULONG Flags; ULONG TableLevel; } PH_HANDLE_TABLE_BASIC_INFORMATION, *PPH_HANDLE_TABLE_BASIC_INFORMATION; typedef struct _PH_HANDLE_TABLE_FLAGS_INFORMATION { ULONG Flags; } PH_HANDLE_TABLE_FLAGS_INFORMATION, *PPH_HANDLE_TABLE_FLAGS_INFORMATION; PHLIBAPI NTSTATUS NTAPI PhQueryInformationHandleTable( _In_ PPH_HANDLE_TABLE HandleTable, _In_ PH_HANDLE_TABLE_INFORMATION_CLASS InformationClass, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhSetInformationHandleTable( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ PH_HANDLE_TABLE_INFORMATION_CLASS InformationClass, _In_reads_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/handlep.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifndef _PH_HANDLEP_H #define _PH_HANDLEP_H #define PH_HANDLE_TABLE_ENTRY_TYPE 0x1 #define PH_HANDLE_TABLE_ENTRY_IN_USE 0x0 #define PH_HANDLE_TABLE_ENTRY_FREE 0x1 // Locked actually means Not Locked. This means that an in use, locked handle table entry can be // used as-is. #define PH_HANDLE_TABLE_ENTRY_LOCKED 0x2 #define PH_HANDLE_TABLE_ENTRY_LOCKED_SHIFT 1 // There is initially one handle table level, with 256 entries. When the handle table is expanded, // the table is replaced with a level 1 table, which contains 256 pointers to level 0 tables (the // first entry already points to the initial level 0 table). Similarly, when the handle table is // expanded a second time, the table is replaced with a level 2 table, which contains 256 pointers // to level 1 tables. // // This provides a maximum of 16,777,216 handles. #define PH_HANDLE_TABLE_LEVEL_ENTRIES 256 #define PH_HANDLE_TABLE_LEVEL_MASK 0x3 #define PH_HANDLE_TABLE_LOCKS 8 #define PH_HANDLE_TABLE_LOCK_INDEX(HandleValue) ((HandleValue) % PH_HANDLE_TABLE_LOCKS) typedef struct _PH_HANDLE_TABLE { PH_QUEUED_LOCK Lock; PH_WAKE_EVENT HandleWakeEvent; ULONG Count; ULONG_PTR TableValue; ULONG FreeValue; ULONG NextValue; ULONG FreeValueAlt; ULONG Flags; PH_QUEUED_LOCK Locks[PH_HANDLE_TABLE_LOCKS]; } PH_HANDLE_TABLE, *PPH_HANDLE_TABLE; FORCEINLINE VOID PhpLockHandleTableShared( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ ULONG Index ) { PhAcquireQueuedLockShared(&HandleTable->Locks[Index]); } FORCEINLINE VOID PhpUnlockHandleTableShared( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ ULONG Index ) { PhReleaseQueuedLockShared(&HandleTable->Locks[Index]); } // Handle values work by specifying indices into each // level. // // Bits 0-7: level 0 // Bits 8-15: level 1 // Bits 16-23: level 2 // Bits 24-31: reserved #define PH_HANDLE_VALUE_INVALID ((ULONG)-1) #define PH_HANDLE_VALUE_SHIFT 2 #define PH_HANDLE_VALUE_BIAS 4 #define PH_HANDLE_VALUE_LEVEL0(HandleValue) ((HandleValue) & 0xff) #define PH_HANDLE_VALUE_LEVEL1_U(HandleValue) ((HandleValue) >> 8) #define PH_HANDLE_VALUE_LEVEL1(HandleValue) (PH_HANDLE_VALUE_LEVEL1_U(HandleValue) & 0xff) #define PH_HANDLE_VALUE_LEVEL2_U(HandleValue) ((HandleValue) >> 16) #define PH_HANDLE_VALUE_LEVEL2(HandleValue) (PH_HANDLE_VALUE_LEVEL2_U(HandleValue) & 0xff) #define PH_HANDLE_VALUE_IS_INVALID(HandleValue) (((HandleValue) >> 24) != 0) FORCEINLINE HANDLE PhpEncodeHandle( _In_ ULONG HandleValue ) { return UlongToHandle(((HandleValue << PH_HANDLE_VALUE_SHIFT) + PH_HANDLE_VALUE_BIAS)); } FORCEINLINE ULONG PhpDecodeHandle( _In_ HANDLE Handle ) { return (HandleToUlong(Handle) - PH_HANDLE_VALUE_BIAS) >> PH_HANDLE_VALUE_SHIFT; } VOID PhpBlockOnLockedHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ); PPH_HANDLE_TABLE_ENTRY PhpAllocateHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _Out_ PULONG HandleValue ); VOID PhpFreeHandleTableEntry( _Inout_ PPH_HANDLE_TABLE HandleTable, _In_ ULONG HandleValue, _Inout_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry ); BOOLEAN PhpAllocateMoreHandleTableEntries( _In_ PPH_HANDLE_TABLE HandleTable, _In_ BOOLEAN Initialize ); PPH_HANDLE_TABLE_ENTRY PhpLookupHandleTableEntry( _In_ PPH_HANDLE_TABLE HandleTable, _In_ ULONG HandleValue ); ULONG PhpMoveFreeHandleTableEntries( _Inout_ PPH_HANDLE_TABLE HandleTable ); PPH_HANDLE_TABLE_ENTRY PhpCreateHandleTableLevel0( _In_ PPH_HANDLE_TABLE HandleTable, _In_ BOOLEAN Initialize ); VOID PhpFreeHandleTableLevel0( _In_ PPH_HANDLE_TABLE_ENTRY Table ); PPH_HANDLE_TABLE_ENTRY *PhpCreateHandleTableLevel1( _In_ PPH_HANDLE_TABLE HandleTable ); VOID PhpFreeHandleTableLevel1( _In_ PPH_HANDLE_TABLE_ENTRY *Table ); PPH_HANDLE_TABLE_ENTRY **PhpCreateHandleTableLevel2( _In_ PPH_HANDLE_TABLE HandleTable ); VOID PhpFreeHandleTableLevel2( _In_ PPH_HANDLE_TABLE_ENTRY **Table ); #endif ================================================ FILE: phlib/include/hexedit.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifndef _PH_HEXEDIT_H #define _PH_HEXEDIT_H #ifdef __cplusplus extern "C" { #endif #define PH_HEXEDIT_CLASSNAME L"PhHexEdit" #define EDIT_NONE 0 #define EDIT_ASCII 1 #define EDIT_HIGH 2 #define EDIT_LOW 3 PHLIBAPI RTL_ATOM NTAPI PhHexEditInitialization( VOID ); #define HEM_SETBUFFER (WM_USER + 1) #define HEM_SETDATA (WM_USER + 2) #define HEM_GETBUFFER (WM_USER + 3) #define HEM_SETSEL (WM_USER + 4) #define HEM_SETEDITMODE (WM_USER + 5) #define HEM_SETBYTESPERROW (WM_USER + 6) #define HEM_SETEXTENDEDUNICODE (WM_USER + 7) #define HexEdit_SetBuffer(hWnd, Buffer, Length) \ SendMessage((hWnd), HEM_SETBUFFER, (WPARAM)(Length), (LPARAM)(Buffer)) #define HexEdit_SetData(hWnd, Buffer, Length) \ SendMessage((hWnd), HEM_SETDATA, (WPARAM)(Length), (LPARAM)(Buffer)) #define HexEdit_GetBuffer(hWnd, Length) \ ((PUCHAR)SendMessage((hWnd), HEM_GETBUFFER, (WPARAM)(Length), 0)) #define HexEdit_SetSel(hWnd, Start, End) \ SendMessage((hWnd), HEM_SETSEL, (WPARAM)(Start), (LPARAM)(End)) #define HexEdit_SetEditMode(hWnd, Mode) \ SendMessage((hWnd), HEM_SETEDITMODE, (WPARAM)(Mode), 0) #define HexEdit_SetBytesPerRow(hWnd, BytesPerRow) \ SendMessage((hWnd), HEM_SETBYTESPERROW, (WPARAM)(BytesPerRow), 0) #define HexEdit_SetExtendedUnicode(hWnd, ExtendedUnicode) \ SendMessage((hWnd), HEM_SETEXTENDEDUNICODE, (WPARAM)(ExtendedUnicode), 0) #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/hexeditp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifndef _PH_HEXEDITP_H #define _PH_HEXEDITP_H typedef struct _PHP_HEXEDIT_CONTEXT { PUCHAR Data; LONG Length; BOOLEAN UserBuffer; LONG TopIndex; // index of first visible byte on screen LONG CurrentAddress; LONG CurrentMode; LONG SelStart; LONG SelEnd; LONG BytesPerRow; LONG LinesPerPage; union { BOOLEAN Flags; struct { BOOLEAN ShowAddress : 1; BOOLEAN ShowAscii : 1; BOOLEAN ShowHex : 1; BOOLEAN AddressIsWide : 1; BOOLEAN AllowLengthChange : 1; BOOLEAN NoAddressChange : 1; BOOLEAN HalfPage : 1; BOOLEAN ExtendedUnicode : 1; }; }; HFONT Font; LONG LineHeight; LONG NullWidth; PWCHAR CharBuffer; ULONG CharBufferLength; LONG WindowDpi; BOOLEAN Update; LONG HexOffset; LONG AsciiOffset; LONG AddressOffset; BOOLEAN HasCapture; POINT EditPosition; } PHP_HEXEDIT_CONTEXT, *PPHP_HEXEDIT_CONTEXT; #define TO_HEX(Buffer, Byte) \ { \ *(Buffer)++ = PhIntegerToChar[(Byte) >> 4]; \ *(Buffer)++ = PhIntegerToChar[(Byte) & 0xf]; \ } #define REDRAW_WINDOW(hwnd) \ RedrawWindow((hwnd), NULL, NULL, RDW_INVALIDATE | RDW_UPDATENOW | RDW_ERASE) PPHP_HEXEDIT_CONTEXT PhpCreateHexEditContext( VOID ); VOID PhpFreeHexEditContext( _In_ _Post_invalid_ PPHP_HEXEDIT_CONTEXT Context ); LRESULT CALLBACK PhpHexEditWndProc( _In_ HWND hwnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); VOID PhpHexEditUpdateMetrics( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ BOOLEAN UpdateLineHeight, _In_opt_ HDC hdc ); VOID PhpHexEditOnPaint( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ PAINTSTRUCT *PaintStruct, _In_ HDC hdc ); VOID PhpHexEditUpdateScrollbars( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); FORCEINLINE BOOLEAN PhpHexEditHasSelected( _In_ PPHP_HEXEDIT_CONTEXT Context ) { return Context->SelStart != -1; } VOID PhpHexEditCreateAddressCaret( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditCreateEditCaret( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditRepositionCaret( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG Position ); VOID PhpHexEditCalculatePosition( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG X, _In_ LONG Y, _Out_ POINT *Point ); VOID PhpHexEditMove( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG X, _In_ LONG Y ); VOID PhpHexEditSetSel( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG S, _In_ LONG E ); VOID PhpHexEditScrollTo( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG Position ); VOID PhpHexEditClearEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditCopyEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditCutEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditPasteEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditSelectAll( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditUndoEdit( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditNormalizeSel( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context ); VOID PhpHexEditSelDelete( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG S, _In_ LONG E ); VOID PhpHexEditSelInsert( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ LONG S, _In_ LONG L ); VOID PhpHexEditSetBuffer( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ PUCHAR Data, _In_ ULONG Length ); VOID PhpHexEditSetData( _In_ HWND hwnd, _In_ PPHP_HEXEDIT_CONTEXT Context, _In_ PUCHAR Data, _In_ ULONG Length ); #endif ================================================ FILE: phlib/include/hndlinfo.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #ifndef _PH_HNDLINFO_H #define _PH_HNDLINFO_H EXTERN_C_START #define MAX_OBJECT_TYPE_NUMBER 257 extern BOOLEAN PhEnableProcessHandlePnPDeviceNameSupport; typedef PPH_STRING (NTAPI *PPH_GET_CLIENT_ID_NAME)( _In_ PCLIENT_ID ClientId ); PHLIBAPI PPH_GET_CLIENT_ID_NAME NTAPI PhSetHandleClientIdFunction( _In_ PPH_GET_CLIENT_ID_NAME GetClientIdName ); PHLIBAPI NTSTATUS NTAPI PhGetObjectBasicInformation( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ POBJECT_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetEtwObjectName( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ PPH_STRING* ObjectName ); PHLIBAPI NTSTATUS NTAPI PhGetObjectName( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ BOOLEAN WithTimeout, _Out_ PPH_STRING* ObjectName ); PHLIBAPI NTSTATUS NTAPI PhGetObjectTypeName( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ ULONG ObjectTypeNumber, _Out_ PPH_STRING* TypeName ); PHLIBAPI NTSTATUS NTAPI PhQueryObjectName( _In_ HANDLE Handle, _Out_ PPH_STRING* ObjectName ); PHLIBAPI NTSTATUS NTAPI PhQueryObjectBasicInformation( _In_ HANDLE Handle, _Out_ POBJECT_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhCompareObjects( _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle ); PHLIBAPI PPH_STRING NTAPI PhGetEtwPublisherName( _In_ PGUID Guid ); PHLIBAPI PPH_STRING NTAPI PhFormatNativeKeyName( _In_ PPH_STRING Name ); PHLIBAPI NTSTATUS NTAPI PhGetSectionFileName( _In_ HANDLE SectionHandle, _Out_ PPH_STRING *FileName ); PHLIBAPI _Callback_ PPH_STRING NTAPI PhStdGetClientIdName( _In_ PCLIENT_ID ClientId ); PHLIBAPI PPH_STRING NTAPI PhStdGetClientIdNameEx( _In_ PCLIENT_ID ClientId, _In_opt_ PPH_STRING ProcessName ); PHLIBAPI NTSTATUS NTAPI PhGetHandleInformation( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ ULONG ObjectTypeNumber, _Out_opt_ POBJECT_BASIC_INFORMATION BasicInformation, _Out_opt_ PPH_STRING *TypeName, _Out_opt_ PPH_STRING *ObjectName, _Out_opt_ PPH_STRING *BestObjectName ); PHLIBAPI NTSTATUS NTAPI PhGetHandleInformationEx( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ ULONG ObjectTypeNumber, _Reserved_ ULONG Flags, _Out_opt_ PNTSTATUS SubStatus, _Out_opt_ POBJECT_BASIC_INFORMATION BasicInformation, _Out_opt_ PPH_STRING *TypeName, _Out_opt_ PPH_STRING *ObjectName, _Out_opt_ PPH_STRING *BestObjectName, _Reserved_ PVOID *ExtraInformation ); #define PH_FIRST_OBJECT_TYPE(ObjectTypes) \ PTR_ADD_OFFSET((ObjectTypes), ALIGN_UP(sizeof(OBJECT_TYPES_INFORMATION), ULONG_PTR)) #define PH_NEXT_OBJECT_TYPE(ObjectType) \ PTR_ADD_OFFSET((ObjectType), sizeof(OBJECT_TYPE_INFORMATION) + \ ALIGN_UP((ObjectType)->TypeName.MaximumLength, ULONG_PTR)) PHLIBAPI NTSTATUS NTAPI PhEnumObjectTypes( _Out_ POBJECT_TYPES_INFORMATION *ObjectTypes ); PHLIBAPI NTSTATUS NTAPI PhGetObjectTypeMask( _In_ PPH_STRINGREF TypeName, _Out_ PGENERIC_MAPPING GenericMapping ); PHLIBAPI ULONG NTAPI PhGetObjectTypeNumber( _In_ PPH_STRINGREF TypeName ); FORCEINLINE ULONG NTAPI PhGetObjectTypeNumberZ( _In_ PCWSTR TypeName ) { PH_STRINGREF typeName; PhInitializeStringRef(&typeName, TypeName); return PhGetObjectTypeNumber(&typeName); } PHLIBAPI PPH_STRING NTAPI PhGetObjectTypeIndexName( _In_ ULONG TypeIndex ); PHLIBAPI NTSTATUS NTAPI PhCallWithTimeout( _In_ PUSER_THREAD_START_ROUTINE Routine, _In_opt_ PVOID Context, _In_opt_ PLARGE_INTEGER AcquireTimeout, _In_ PLARGE_INTEGER CallTimeout ); PHLIBAPI NTSTATUS NTAPI PhCallNtQueryObjectWithTimeout( _In_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhCallNtQuerySecurityObjectWithTimeout( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Length, _Out_ PULONG LengthNeeded ); PHLIBAPI NTSTATUS NTAPI PhCallNtSetSecurityObjectWithTimeout( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhCallNtQueryFileInformationWithTimeout( _In_ HANDLE Handle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_opt_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength ); PHLIBAPI NTSTATUS NTAPI PhCallKphQueryFileInformationWithTimeout( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_opt_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength ); PHLIBAPI PPH_STRING NTAPI PhGetPnPDeviceName( _In_ PPH_STRING ObjectName ); EXTERN_C_END #endif ================================================ FILE: phlib/include/hvsocketcontrol.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023 * */ #ifndef _PH_HVSOCKETCONTROL_H #define _PH_HVSOCKETCONTROL_H #include EXTERN_C_START #ifdef _WIN64 PHLIBAPI NTSTATUS NTAPI PhHvSocketOpenSystemControl( _Out_ PHANDLE SystemHandle, _In_opt_ const GUID* VmId ); // rev typedef struct _HVSOCKET_LISTENER { union // HV_GUID_VSOCK_TEMPLATE { ULONG Port; GUID ServiceId; }; GUID VmId; ULONG ProcessId; LARGE_INTEGER TimeStamp; BYTE Unknown; // Type? } HVSOCKET_LISTENER, *PHVSOCKET_LISTENER; C_ASSERT(FIELD_OFFSET(HVSOCKET_LISTENER, ProcessId) == 32); C_ASSERT(sizeof(HVSOCKET_LISTENER) == 56); // rev typedef struct _HVSOCKET_LISTENERS { ULONG Count; HVSOCKET_LISTENER Listener[ANYSIZE_ARRAY]; } HVSOCKET_LISTENERS, *PHVSOCKET_LISTENERS; C_ASSERT(FIELD_OFFSET(HVSOCKET_LISTENERS, Listener) == 8); C_ASSERT(sizeof(HVSOCKET_LISTENERS) == 64); PHLIBAPI NTSTATUS NTAPI PhHvSocketGetListeners( _In_ HANDLE SystemHandle, _In_ const GUID* VmId, _In_opt_ PHVSOCKET_LISTENERS Listeners, _In_ ULONG ListenersLength, _Out_opt_ PULONG ReturnLength ); // rev typedef struct _HVSOCKET_CONNECTION { union // HV_GUID_VSOCK_TEMPLATE { ULONG Port; GUID ServiceId; }; GUID VmId; ULONG ProcessId; LARGE_INTEGER TimeStamp; ULONG Type; // 1 or 2? } HVSOCKET_CONNECTION, *PHVSOCKET_CONNECTION; C_ASSERT(FIELD_OFFSET(HVSOCKET_CONNECTION, ProcessId) == 32); C_ASSERT(sizeof(HVSOCKET_CONNECTION) == 56); // rev typedef struct _HVSOCKET_CONNECTIONS { ULONG Count; HVSOCKET_CONNECTION Connection[ANYSIZE_ARRAY]; } HVSOCKET_CONNECTIONS, *PHVSOCKET_CONNECTIONS; C_ASSERT(FIELD_OFFSET(HVSOCKET_CONNECTIONS, Connection) == 8); C_ASSERT(sizeof(HVSOCKET_CONNECTIONS) == 64); PHLIBAPI NTSTATUS NTAPI PhHvSocketGetConnections( _In_ HANDLE SystemHandle, _In_ const GUID* VmId, _In_opt_ PHVSOCKET_CONNECTIONS Connections, _In_ ULONG ConnectionsLength, _Out_opt_ PULONG ReturnLength ); // rev typedef struct _HVSOCKET_SERVICE_INFO { GUID Unknown1; ULONG Unknown2; ULONG Unknown3; } HVSOCKET_SERVICE_INFO, *PHVSOCKET_SERVICE_INFO; C_ASSERT(sizeof(HVSOCKET_SERVICE_INFO) == 24); PHLIBAPI NTSTATUS NTAPI PhHvSocketGetServiceInfo( _In_ HANDLE SystemHandle, _In_ const GUID* ServiceId, _Out_ PHVSOCKET_SERVICE_INFO ServiceInfo ); #endif // _WIN64 PHLIBAPI BOOLEAN NTAPI PhHvSocketIsVSockTemplate( _In_ PGUID ServiceId ); PHLIBAPI _Maybenull_ PPH_STRING NTAPI PhHvSocketGetVmName( _In_ PGUID VmId ); PHLIBAPI _Maybenull_ PPH_STRING NTAPI PhHvSocketGetServiceName( _In_ PGUID ServiceId ); PHLIBAPI PPH_STRING NTAPI PhHvSocketAddressString( _In_ PGUID Address ); EXTERN_C_END #endif // _PH_HVSOCKETCONTROL_H ================================================ FILE: phlib/include/json.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017 * */ #ifndef _PH_PHJSON_H #define _PH_PHJSON_H EXTERN_C_START typedef struct _JSON_ARRAY_LIST_OBJECT { PCSTR Key; PVOID Entry; } JSON_ARRAY_LIST_OBJECT, *PJSON_ARRAY_LIST_OBJECT; PHLIBAPI NTSTATUS NTAPI PhCreateJsonParser( _Out_ PVOID* JsonObject, _In_ PCSTR JsonString ); PHLIBAPI NTSTATUS NTAPI PhCreateJsonParserEx( _Out_ PVOID* JsonObject, _In_ PVOID JsonString, _In_ BOOLEAN Unicode ); PHLIBAPI VOID NTAPI PhFreeJsonObject( _In_ PVOID Object ); PHLIBAPI PPH_STRING NTAPI PhGetJsonValueAsString( _In_ PVOID Object, _In_ PCSTR Key ); PHLIBAPI PPH_STRING NTAPI PhGetJsonObjectString( _In_ PVOID Object ); PHLIBAPI LONGLONG NTAPI PhGetJsonValueAsInt64( _In_ PVOID Object, _In_ PCSTR Key ); PHLIBAPI ULONGLONG NTAPI PhGetJsonValueAsUInt64( _In_ PVOID Object, _In_ PCSTR Key ); FORCEINLINE ULONG PhGetJsonValueAsUlong( _In_ PVOID Object, _In_ PCSTR Key ) { return (ULONG)PhGetJsonValueAsUInt64(Object, Key); } PHLIBAPI ULONG NTAPI PhGetJsonUInt32Object( _In_ PVOID Object ); PHLIBAPI ULONGLONG NTAPI PhGetJsonUInt64Object( _In_ PVOID Object ); PHLIBAPI LONGLONG NTAPI PhGetJsonInt64Object( _In_ PVOID Object ); PHLIBAPI PVOID NTAPI PhCreateJsonObject( VOID ); PHLIBAPI PVOID NTAPI PhGetJsonObject( _In_ PVOID Object, _In_ PCSTR Key ); typedef enum _PH_JSON_OBJECT_TYPE { PH_JSON_OBJECT_TYPE_NULL, PH_JSON_OBJECT_TYPE_BOOLEAN, PH_JSON_OBJECT_TYPE_DOUBLE, PH_JSON_OBJECT_TYPE_INT, PH_JSON_OBJECT_TYPE_OBJECT, PH_JSON_OBJECT_TYPE_ARRAY, PH_JSON_OBJECT_TYPE_STRING, PH_JSON_OBJECT_TYPE_UNKNOWN } PH_JSON_OBJECT_TYPE; PHLIBAPI PH_JSON_OBJECT_TYPE NTAPI PhGetJsonObjectType( _In_ PVOID Object ); PHLIBAPI LONG NTAPI PhGetJsonObjectLength( _In_ PVOID Object ); PHLIBAPI BOOLEAN NTAPI PhGetJsonObjectBool( _In_ PVOID Object, _In_ PCSTR Key ); PHLIBAPI VOID NTAPI PhAddJsonObjectValue( _In_ PVOID Object, _In_ PCSTR Key, _In_ PVOID Value ); PHLIBAPI VOID NTAPI PhAddJsonObject( _In_ PVOID Object, _In_ PCSTR Key, _In_ PCSTR Value ); PHLIBAPI VOID NTAPI PhAddJsonObject2( _In_ PVOID Object, _In_ PCSTR Key, _In_ PCSTR Value, _In_ SIZE_T Length ); PHLIBAPI VOID NTAPI PhAddJsonObjectUtf8( _In_ PVOID Object, _In_ PCSTR Key, _In_ PPH_BYTES String ); PHLIBAPI VOID NTAPI PhAddJsonObjectInt64( _In_ PVOID Object, _In_ PCSTR Key, _In_ LONGLONG Value ); PHLIBAPI VOID NTAPI PhAddJsonObjectUInt64( _In_ PVOID Object, _In_ PCSTR Key, _In_ ULONGLONG Value ); PHLIBAPI VOID NTAPI PhAddJsonObjectDouble( _In_ PVOID Object, _In_ PCSTR Key, _In_ DOUBLE Value ); PHLIBAPI PVOID NTAPI PhCreateJsonArray( VOID ); PHLIBAPI VOID NTAPI PhAddJsonArrayObject( _In_ PVOID Object, _In_ PVOID Value ); PHLIBAPI PVOID NTAPI PhGetJsonArrayString( _In_ PVOID Object, _In_ BOOLEAN Unicode ); PHLIBAPI INT64 NTAPI PhGetJsonArrayLong64( _In_ PVOID Object, _In_ ULONG Index ); PHLIBAPI ULONG NTAPI PhGetJsonArrayLength( _In_ PVOID Object ); PHLIBAPI PVOID NTAPI PhGetJsonArrayIndexObject( _In_ PVOID Object, _In_ ULONG Index ); typedef BOOLEAN (NTAPI* PPH_ENUM_JSON_OBJECT_CALLBACK)( _In_ PVOID Object, _In_ PCSTR Key, _In_ PVOID Value, _In_opt_ PVOID Context ); VOID PhEnumJsonArrayObject( _In_ PVOID Object, _In_ PPH_ENUM_JSON_OBJECT_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI PVOID NTAPI PhGetJsonObjectAsArrayList( _In_ PVOID Object ); PHLIBAPI NTSTATUS NTAPI PhLoadJsonObjectFromFile( _Out_ PVOID* JsonObject, _In_ PCPH_STRINGREF FileName ); #define PH_JSON_TO_STRING_PLAIN 0x0001 #define PH_JSON_TO_STRING_SPACED 0x0002 #define PH_JSON_TO_STRING_PRETTY 0x0004 PHLIBAPI BOOLEAN NTAPI PhJsonObjectToString( _In_ PPH_BYTES_BUILDER StringBuilder, _In_ PVOID Object, _In_ ULONG Level, _In_ ULONG Flags ); PHLIBAPI PPH_BYTES NTAPI PhJsonObjectToJsonString( _In_ PVOID Object, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhSaveJsonObjectToFile( _In_ PCPH_STRINGREF FileName, _In_ PVOID Object, _In_opt_ ULONG Flags ); // XML PHLIBAPI PVOID NTAPI PhLoadXmlObjectFromString( _In_ PCSTR String ); PHLIBAPI PVOID NTAPI PhLoadXmlObjectFromString2( _In_ PCSTR String ); PHLIBAPI NTSTATUS NTAPI PhLoadXmlObjectFromFile( _In_ PCPH_STRINGREF FileName, _Out_opt_ PVOID* XmlRootObject ); PHLIBAPI NTSTATUS NTAPI PhSaveXmlObjectToFile( _In_ PCPH_STRINGREF FileName, _In_ PVOID XmlRootObject, _In_opt_ PVOID XmlSaveCallback ); PHLIBAPI VOID NTAPI PhFreeXmlObject( _In_ PVOID XmlRootObject ); PHLIBAPI PVOID NTAPI PhGetXmlObject( _In_ PVOID XmlNodeObject, _In_ PCSTR Path ); PHLIBAPI PVOID NTAPI PhFindXmlObject( _In_ PVOID XmlNodeObject, _In_opt_ PVOID XmlTopObject, _In_opt_ PCSTR Element, _In_opt_ PCSTR Attribute, _In_opt_ PCSTR Value ); PHLIBAPI PPH_STRING NTAPI PhGetXmlNodeOpaqueText( _In_ PVOID XmlNodeObject ); PHLIBAPI PCSTR NTAPI PhGetXmlNodeElementText( _In_ PVOID XmlNodeObject ); PHLIBAPI PCSTR NTAPI PhGetXmlNodeCDATAText( _In_ PVOID XmlNodeObject ); PHLIBAPI PPH_STRING NTAPI PhGetXmlNodeAttributeText( _In_ PVOID XmlNodeObject, _In_ PCSTR AttributeName ); PHLIBAPI PCSTR NTAPI PhGetXmlNodeAttributeByIndex( _In_ PVOID XmlNodeObject, _In_ SIZE_T Index, _Out_ PCSTR* AttributeName ); PHLIBAPI VOID NTAPI PhSetXmlNodeAttributeText( _In_ PVOID XmlNodeObject, _In_ PCSTR Name, _In_ PCSTR Value ); PHLIBAPI SIZE_T NTAPI PhGetXmlNodeAttributeCount( _In_ PVOID XmlNodeObject ); PHLIBAPI PVOID NTAPI PhGetXmlNodeFirstChild( _In_ PVOID XmlNodeObject ); PHLIBAPI PVOID NTAPI PhGetXmlNodeNextChild( _In_ PVOID XmlNodeObject ); PHLIBAPI PVOID NTAPI PhCreateXmlNode( _In_opt_ PVOID ParentNode, _In_ PCSTR Name ); PHLIBAPI PVOID NTAPI PhCreateXmlOpaqueNode( _In_opt_ PVOID ParentNode, _In_ PCSTR Value ); typedef PVOID (NTAPI* PH_XML_LOAD_OBJECT_FROM_STRING)( _In_ PCSTR String ); typedef NTSTATUS (NTAPI* PH_XML_LOAD_OBJECT_FROM_FILE)( _In_ PCPH_STRINGREF FileName, _Out_opt_ PVOID* XmlRootNode ); typedef NTSTATUS (NTAPI* PH_XML_SAVE_OBJECT_TO_FILE)( _In_ PCPH_STRINGREF FileName, _In_ PVOID XmlRootObject, _In_opt_ PVOID XmlSaveCallback ); typedef VOID (NTAPI* PH_XML_FREE_OBJECT)( _In_ PVOID XmlRootObject ); typedef PVOID (NTAPI* PH_XML_GET_OBJECT)( _In_ PVOID XmlNodeObject, _In_ PCSTR Path ); typedef PVOID (NTAPI* PH_XML_CREATE_NODE)( _In_opt_ PVOID ParentNode, _In_ PCSTR Name ); typedef PVOID (NTAPI* PH_XML_CREATE_OPAQUE_NODE)( _In_opt_ PVOID ParentNode, _In_ PCSTR Value ); typedef PVOID (NTAPI* PH_XML_FIND_OBJECT)( _In_ PVOID XmlNodeObject, _In_ PVOID XmlTopObject, _In_ PCSTR Element, _In_ PCSTR Attribute, _In_ PCSTR Value ); typedef PVOID (NTAPI* PH_XML_GET_NODE_FIRST_CHILD)( _In_ PVOID XmlNodeObject ); typedef PVOID (NTAPI* PH_XML_GET_NODE_NEXT_CHILD)( _In_ PVOID XmlNodeObject ); typedef PPH_STRING (NTAPI* PH_XML_GET_XML_NODE_OPAQUE_TEXT)( _In_ PVOID XmlNodeObject ); typedef PCSTR (NTAPI* PH_XML_GET_XML_NODE_ELEMENT_TEXT)( _In_ PVOID XmlNodeObject ); typedef PPH_STRING (NTAPI* PH_XML_GET_XML_NODE_ATTRIBUTE_TEXT)( _In_ PVOID XmlNodeObject, _In_ PCSTR AttributeName ); typedef PCSTR (NTAPI* PH_XML_GET_XML_NODE_ATTRIBUTE_BY_INDEX)( _In_ PVOID XmlNodeObject, _In_ SIZE_T Index, _Out_ PCSTR* AttributeName ); typedef VOID (NTAPI* PH_XML_SET_XML_NODE_ATTRIBUTE_TEXT)( _In_ PVOID XmlNodeObject, _In_ PCSTR Name, _In_ PCSTR Value ); typedef SIZE_T (NTAPI* PH_XML_GET_XML_NODE_ATTRIBUTE_COUNT)( _In_ PVOID XmlNodeObject ); typedef struct _PH_XML_INTERFACE { ULONG Version; PH_XML_LOAD_OBJECT_FROM_STRING LoadXmlObjectFromString; PH_XML_LOAD_OBJECT_FROM_FILE LoadXmlObjectFromFile; PH_XML_SAVE_OBJECT_TO_FILE SaveXmlObjectToFile; PH_XML_FREE_OBJECT FreeXmlObject; PH_XML_GET_OBJECT GetXmlObject; PH_XML_CREATE_NODE CreateXmlNode; PH_XML_CREATE_OPAQUE_NODE CreateXmlOpaqueNode; PH_XML_FIND_OBJECT FindXmlObject; PH_XML_GET_NODE_FIRST_CHILD GetXmlNodeFirstChild; PH_XML_GET_NODE_NEXT_CHILD GetXmlNodeNextChild; PH_XML_GET_XML_NODE_OPAQUE_TEXT GetXmlNodeOpaqueText; PH_XML_GET_XML_NODE_ELEMENT_TEXT GetXmlNodeElementText; PH_XML_GET_XML_NODE_ATTRIBUTE_TEXT GetXmlNodeAttributeText; PH_XML_GET_XML_NODE_ATTRIBUTE_BY_INDEX GetXmlNodeAttributeByIndex; PH_XML_SET_XML_NODE_ATTRIBUTE_TEXT SetXmlNodeAttributeText; PH_XML_GET_XML_NODE_ATTRIBUTE_COUNT GetXmlNodeAttributeCount; } PH_XML_INTERFACE, *PPH_XML_INTERFACE; #define PH_XML_INTERFACE_VERSION 1 PPH_XML_INTERFACE PhGetXmlInterface( _In_ ULONG Version ); EXTERN_C_END #endif ================================================ FILE: phlib/include/kphcomms.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022 * */ #ifndef _PH_KPHCOMMS_H #define _PH_KPHCOMMS_H #include /** * \brief Callback for handling messages from the kernel. * * \details Synchronous messages expecting a reply must always be handled. The * callback may return FALSE even when the kernel is expecting a reply. In this * case, the internals of the system will handle the reply on behalf of the * callback. * * \param[in] ReplyToken The token used to reply to kernel messages. If zero * the kernel is not expecting a reply. Use KphCommsReplyMessage to reply. * \param[in] Message The message from the kernel. * * \return TRUE if the message was handled by this callback, FALSE otherwise. */ typedef _Function_class_(KPH_COMMS_CALLBACK) BOOLEAN NTAPI KPH_COMMS_CALLBACK( _In_ ULONG_PTR ReplyToken, _In_ PCKPH_MESSAGE Message ); typedef KPH_COMMS_CALLBACK* PKPH_COMMS_CALLBACK; _Must_inspect_result_ NTSTATUS NTAPI KphCommsStart( _In_ PCPH_STRINGREF PortName, _In_opt_ PKPH_COMMS_CALLBACK Callback, _In_ ULONG RingBufferLength ); VOID NTAPI KphCommsStop( VOID ); BOOLEAN NTAPI KphCommsIsConnected( VOID ); NTSTATUS NTAPI KphCommsReplyMessage( _In_ ULONG_PTR ReplyToken, _In_ PKPH_MESSAGE Message ); _Must_inspect_result_ NTSTATUS NTAPI KphCommsSendMessage( _Inout_ PKPH_MESSAGE Message ); #endif ================================================ FILE: phlib/include/kphuser.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * jxy-s 2021-2022 * */ #ifndef _PH_KPHUSER_H #define _PH_KPHUSER_H #include #include EXTERN_C_START #define KPH_SERVICE_NAME TEXT("KSystemInformer") #define KPH_OBJECT_NAME TEXT("\\Driver\\KSystemInformer") #define KPH_PORT_NAME TEXT("\\KSystemInformer") typedef struct _KPH_CONFIG_PARAMETERS { _In_ PPH_STRINGREF FileName; _In_ PPH_STRINGREF ServiceName; _In_ PPH_STRINGREF ObjectName; _In_opt_ PCPH_STRINGREF PortName; _In_opt_ PCPH_STRINGREF Altitude; _In_opt_ PCPH_STRINGREF SystemProcessName; _In_ ULONG FsSupportedFeatures; _In_ KPH_PARAMETER_FLAGS Flags; _In_ BOOLEAN EnableNativeLoad; _In_ BOOLEAN EnableFilterLoad; _In_ ULONG RingBufferLength; _In_opt_ PKPH_COMMS_CALLBACK Callback; } KPH_CONFIG_PARAMETERS, *PKPH_CONFIG_PARAMETERS; PHLIBAPI VOID NTAPI KphInitialize( VOID ); PHLIBAPI NTSTATUS NTAPI KphConnect( _In_ PKPH_CONFIG_PARAMETERS Options ); PHLIBAPI NTSTATUS NTAPI KphSetParameters( _In_ PKPH_CONFIG_PARAMETERS Options ); PHLIBAPI VOID NTAPI KphSetServiceSecurity( _In_ SC_HANDLE ServiceHandle ); PHLIBAPI NTSTATUS NTAPI KsiLoadUnloadService( _In_ PKPH_CONFIG_PARAMETERS Config, _In_ BOOLEAN LoadDriver ); PHLIBAPI NTSTATUS NTAPI KphServiceStop( _In_ PKPH_CONFIG_PARAMETERS Config ); //PHLIBAPI //NTSTATUS //NTAPI //KphInstall( // _In_ PPH_STRINGREF ServiceName, // _In_ PPH_STRINGREF ObjectName, // _In_ PPH_STRINGREF PortName, // _In_ PPH_STRINGREF FileName, // _In_ PPH_STRINGREF Altitude, // _In_ BOOLEAN DisableImageLoadProtection // ); // //PHLIBAPI //NTSTATUS //NTAPI //KphUninstall( // _In_ PPH_STRINGREF ServiceName // ); PHLIBAPI PKPH_MESSAGE NTAPI KphCreateMessage( _In_ SIZE_T Size ); PHLIBAPI NTSTATUS NTAPI KphGetInformerSettings( _Out_ PKPH_INFORMER_SETTINGS Settings ); PHLIBAPI NTSTATUS NTAPI KphSetInformerSettings( _In_ PKPH_INFORMER_SETTINGS Settings ); PHLIBAPI NTSTATUS NTAPI KphOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ); PHLIBAPI NTSTATUS NTAPI KphOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI KphOpenProcessJob( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE JobHandle ); PHLIBAPI NTSTATUS NTAPI KphTerminateProcess( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ); PHLIBAPI NTSTATUS NTAPI KphReadVirtualMemory( _In_opt_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead ); PHLIBAPI NTSTATUS NTAPI KphOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ); PHLIBAPI NTSTATUS NTAPI KphOpenThreadProcess( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE ProcessHandle ); #define KPH_STACK_BACK_TRACE_USER_MODE 0x00000001ul #define KPH_STACK_BACK_TRACE_SKIP_KPH 0x00000002ul #define KPH_STACK_BACK_TRACE_NO_SENTINEL 0x00000004ul PHLIBAPI NTSTATUS NTAPI KphCaptureStackBackTraceThread( _In_ HANDLE ThreadHandle, _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID* BackTrace, _Out_ PULONG CapturedFrames, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI KphEnumerateProcessHandles( _In_ HANDLE ProcessHandle, _Out_writes_bytes_(BufferLength) PVOID Buffer, _In_opt_ ULONG BufferLength, _Inout_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI KsiEnumerateProcessHandles( _In_ HANDLE ProcessHandle, _Out_ PKPH_PROCESS_HANDLE_INFORMATION *Handles ); PHLIBAPI NTSTATUS NTAPI KphQueryInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI KphQueryObjectThreadName( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ PPH_STRING* ThreadName ); PHLIBAPI NTSTATUS NTAPI KphQueryObjectSectionMappingsInfo( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ PKPH_SECTION_MAPPINGS_INFORMATION* Info ); PHLIBAPI NTSTATUS NTAPI KphSetInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength ); PHLIBAPI NTSTATUS NTAPI KphOpenDriver( _Out_ PHANDLE DriverHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); PHLIBAPI NTSTATUS NTAPI KphQueryInformationDriver( _In_ HANDLE DriverHandle, _In_ KPH_DRIVER_INFORMATION_CLASS DriverInformationClass, _Out_writes_bytes_opt_(DriverInformationLength) PVOID DriverInformation, _In_ ULONG DriverInformationLength, _Inout_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI KphQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _Out_writes_bytes_opt_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Inout_opt_ PULONG ReturnLength ); PHLIBAPI KPH_PROCESS_STATE NTAPI KphGetProcessState( _In_ HANDLE ProcessHandle ); PHLIBAPI KPH_PROCESS_STATE NTAPI KphGetCurrentProcessState( VOID ); typedef enum _KPH_LEVEL { KphLevelNone, KphLevelMin, KphLevelLow, KphLevelMed, KphLevelHigh, KphLevelMax } KPH_LEVEL; PHLIBAPI KPH_LEVEL NTAPI KphProcessLevel( _In_ HANDLE ProcessHandle ); PHLIBAPI KPH_LEVEL NTAPI KphLevelEx( _In_ BOOLEAN Cached ); PHLIBAPI KPH_LEVEL NTAPI KsiLevel( VOID ); PHLIBAPI NTSTATUS NTAPI KphSetInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength ); PHLIBAPI NTSTATUS NTAPI KphSetInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength ); PHLIBAPI NTSTATUS NTAPI KphSystemControl( _In_ KPH_SYSTEM_CONTROL_CLASS SystemControlClass, _In_reads_bytes_(SystemControlInfoLength) PVOID SystemControlInfo, _In_ ULONG SystemControlInfoLength ); PHLIBAPI NTSTATUS NTAPI KphAlpcQueryInformation( _In_ HANDLE ProcessHandle, _In_ HANDLE PortHandle, _In_ KPH_ALPC_INFORMATION_CLASS AlpcInformationClass, _Out_writes_bytes_opt_(AlpcInformationLength) PVOID AlpcInformation, _In_ ULONG AlpcInformationLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI KphAlpcQueryCommunicationsNamesInfo( _In_ HANDLE ProcessHandle, _In_ HANDLE PortHandle, _Out_ PKPH_ALPC_COMMUNICATION_NAMES_INFORMATION* Names ); PHLIBAPI NTSTATUS NTAPI KphQueryInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); PHLIBAPI NTSTATUS NTAPI KphQueryVolumeInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FS_INFORMATION_CLASS FsInformationClass, _Out_writes_bytes_(FsInformationLength) PVOID FsInformation, _In_ ULONG FsInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); PHLIBAPI NTSTATUS NTAPI KphDuplicateObject( _In_ HANDLE ProcessHandle, _In_ HANDLE SourceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TargetHandle ); PHLIBAPI NTSTATUS NTAPI KphQueryPerformanceCounter( _Out_ PLARGE_INTEGER PerformanceCounter, _Out_opt_ PLARGE_INTEGER PerformanceFrequency ); #define IO_OPEN_TARGET_DIRECTORY 0x0004 #define IO_STOP_ON_SYMLINK 0x0008 #define IO_IGNORE_SHARE_ACCESS_CHECK 0x0800 // Ignores share access checks on opens. PHLIBAPI NTSTATUS NTAPI KphCreateFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, _In_ ULONG EaLength, _In_ ULONG Options ); PHLIBAPI NTSTATUS NTAPI KphQueryInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _Out_writes_bytes_opt_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI KphQuerySection( _In_ HANDLE SectionHandle, _In_ KPH_SECTION_INFORMATION_CLASS SectionInformationClass, _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, _In_ ULONG SectionInformationLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI KphQuerySectionMappingsInfo( _In_ HANDLE SectionHandle, _Out_ PKPH_SECTION_MAPPINGS_INFORMATION* Info ); PHLIBAPI NTSTATUS NTAPI KphCompareObjects( _In_ HANDLE ProcessHandle, _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle ); PHLIBAPI NTSTATUS NTAPI KphGetInformerClientSettings( _Out_ PKPH_INFORMER_CLIENT_SETTINGS Settings ); PHLIBAPI NTSTATUS NTAPI KphSetInformerClientSettings( _Out_ PKPH_INFORMER_CLIENT_SETTINGS Settings ); PHLIBAPI NTSTATUS NTAPI KphAcquireDriverUnloadProtection( _Out_opt_ PLONG PreviousCount, _Out_opt_ PLONG ClientPreviousCount ); PHLIBAPI NTSTATUS NTAPI KphReleaseDriverUnloadProtection( _Out_opt_ PLONG PreviousCount, _Out_opt_ PLONG ClientPreviousCount ); PHLIBAPI NTSTATUS NTAPI KphGetConnectedClientCount( _Out_ PULONG Count ); PHLIBAPI NTSTATUS NTAPI KphActivateDynData( _In_ PBYTE DynData, _In_ ULONG DynDataLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength ); PHLIBAPI NTSTATUS NTAPI KphIsDynDataActive( _Out_ PBOOLEAN IsActive ); PHLIBAPI NTSTATUS NTAPI KphRequestSessionAccessToken( _Out_ PKPH_SESSION_ACCESS_TOKEN AccessToken, _In_ PLARGE_INTEGER Expiry, _In_ ULONG Privileges, _In_ LONG Uses ); PHLIBAPI NTSTATUS NTAPI KphAssignProcessSessionToken( _In_ HANDLE ProcessHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength ); PHLIBAPI NTSTATUS NTAPI KphAssignThreadSessionToken( _In_ HANDLE ThreadHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength ); PHLIBAPI NTSTATUS NTAPI KphGetInformerProcessSettings( _In_ HANDLE ProcessHandle, _In_ PKPH_INFORMER_SETTINGS Settings ); PHLIBAPI NTSTATUS NTAPI KphSetInformerProcessSettings( _In_opt_ HANDLE ProcessHandle, _In_ PKPH_INFORMER_SETTINGS Settings ); PHLIBAPI NTSTATUS NTAPI KphStripProtectedProcessMasks( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK ProcessAllowedMask, _In_ ACCESS_MASK ThreadAllowedMask ); PHLIBAPI NTSTATUS NTAPI KphQueryVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ KPH_MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_opt_(MemoryInformationLength) PVOID MemoryInformation, _In_ ULONG MemoryInformationLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI KsiQueryHashInformationFile( _In_ HANDLE FileHandle, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG HashInformationLength ); PHLIBAPI NTSTATUS NTAPI KphOpenDevice( _Out_ PHANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); PHLIBAPI NTSTATUS NTAPI KphOpenDeviceDriver( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE DriverHandle ); PHLIBAPI NTSTATUS NTAPI KphOpenDeviceBaseDevice( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE BaseDeviceHandle ); PHLIBAPI NTSTATUS NTAPI KphGetInformerStats( _In_opt_ HANDLE ProcessHandle, _Out_ PKPH_INFORMER_STATS Stats ); PHLIBAPI NTSTATUS NTAPI KphGetInformerClientStats( _Out_ PKPH_INFORMER_CLIENT_STATS Stats ); EXTERN_C_END #endif ================================================ FILE: phlib/include/lsamsup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2023 * */ #ifndef _PH_LSAMSUP_H #define _PH_LSAMSUP_H EXTERN_C_START PHLIBAPI NTSTATUS NTAPI PhOpenSamHandle( _Out_ PSAM_HANDLE SamHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PUNICODE_STRING SystemName ); PHLIBAPI NTSTATUS NTAPI PhGetSamServerHandle( _Out_ PSAM_HANDLE SamHandle ); PHLIBAPI NTSTATUS NTAPI PhOpenSamDomainHandle( _Out_ PSAM_HANDLE DomainHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PSID DomainSid ); PHLIBAPI NTSTATUS NTAPI PhGetSamDomainHandle( _In_ ACCESS_MASK DesiredAccess, _Out_ PSAM_HANDLE DomainHandle ); PHLIBAPI NTSTATUS NTAPI PhLookupSamName( _In_ SAM_HANDLE DomainHandle, _In_ PPH_STRINGREF Name, _Out_ PULONG RelativeId, _Out_ PSID_NAME_USE Use ); PHLIBAPI NTSTATUS NTAPI PhLookupSamNames( _In_ SAM_HANDLE DomainHandle, _In_ ULONG Count, _In_ PPH_STRINGREF Names, _Out_ PULONG* RelativeIds, _Out_ PSID_NAME_USE* Uses ); PHLIBAPI NTSTATUS NTAPI PhGetSamAliasDescription( _In_ PSID Sid, _Out_ PPH_STRING *Description ); PHLIBAPI NTSTATUS NTAPI PhGetSamGroupDescription( _In_ PSID Sid, _Out_ PPH_STRING *Description ); PHLIBAPI NTSTATUS NTAPI PhGetSamUserDescription( _In_ PSID Sid, _Out_ PPH_STRING *Description ); PHLIBAPI PPH_STRING NTAPI PhGetSamAccountDescription( _In_ PSID Sid ); PHLIBAPI NTSTATUS NTAPI PhQueryLogonInformation( _In_ PCPH_STRINGREF DomainName, _In_ PCPH_STRINGREF UserName, _Out_ PUSER_LOGON_INFORMATION* LogonInfo ); EXTERN_C_END #endif // _PH_LSAMSUP_H ================================================ FILE: phlib/include/lsasup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2018-2022 * */ #ifndef _PH_LSASUP_H #define _PH_LSASUP_H #ifdef __cplusplus extern "C" { #endif PHLIBAPI NTSTATUS NTAPI PhOpenLsaPolicy( _Out_ PLSA_HANDLE PolicyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PUNICODE_STRING SystemName ); PHLIBAPI LSA_HANDLE NTAPI PhGetLookupPolicyHandle( VOID ); PHLIBAPI NTSTATUS NTAPI PhLookupPrivilegeName( _In_ PLUID PrivilegeValue, _Out_ PPH_STRING *PrivilegeName ); PHLIBAPI NTSTATUS NTAPI PhLookupPrivilegeDisplayName( _In_ PPH_STRINGREF PrivilegeName, _Out_ PPH_STRING *PrivilegeDisplayName ); PHLIBAPI NTSTATUS NTAPI PhLookupPrivilegeValue( _In_ PPH_STRINGREF PrivilegeName, _Out_ PLUID PrivilegeValue ); PHLIBAPI NTSTATUS NTAPI PhLookupSid( _In_ PSID Sid, _Out_opt_ PPH_STRING *Name, _Out_opt_ PPH_STRING *DomainName, _Out_opt_ PSID_NAME_USE NameUse ); PHLIBAPI NTSTATUS NTAPI PhLookupSids( _In_ ULONG Count, _In_ PSID *Sids, _Out_ PPH_STRING **FullNames ); PHLIBAPI NTSTATUS NTAPI PhLookupName( _In_ PPH_STRINGREF Name, _Out_opt_ PSID *Sid, _Out_opt_ PPH_STRING *DomainName, _Out_opt_ PSID_NAME_USE NameUse ); PHLIBAPI PPH_STRING NTAPI PhGetSidFullName( _In_ PSID Sid, _In_ BOOLEAN IncludeDomain, _Out_opt_ PSID_NAME_USE NameUse ); PHLIBAPI PPH_STRING NTAPI PhSidToStringSid( _In_ PSID Sid ); PHLIBAPI NTSTATUS NTAPI PhSidToBuffer( _In_ PSID Sid, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ USHORT BufferLength, _Out_opt_ PUSHORT ReturnLength ); PHLIBAPI PPH_STRING NTAPI PhGetTokenUserString( _In_ HANDLE TokenHandle, _In_ BOOLEAN IncludeDomain ); PHLIBAPI NTSTATUS NTAPI PhGetAccountPrivileges( _In_ PSID AccountSid, _Out_ PTOKEN_PRIVILEGES* Privileges ); typedef NTSTATUS (NTAPI* PPH_ENUM_PRIVILEGES)( _In_ PPOLICY_PRIVILEGE_DEFINITION Privileges, _In_ ULONG NumberOfPrivileges, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumeratePrivileges( _In_ PPH_ENUM_PRIVILEGES Callback, _In_opt_ PVOID Context ); typedef enum _LSA_USER_ACCOUNT_TYPE { UnknownUserAccountType, LocalUserAccountType, PrimaryDomainUserAccountType, ExternalDomainUserAccountType, LocalConnectedUserAccountType, AADUserAccountType, InternetUserAccountType, MSAUserAccountType } LSA_USER_ACCOUNT_TYPE, *PLSA_USER_ACCOUNT_TYPE; PHLIBAPI NTSTATUS NTAPI PhGetSidAccountType( _In_ PSID Sid, _Out_ PLSA_USER_ACCOUNT_TYPE AccountType ); PHLIBAPI PCWSTR NTAPI PhGetSidAccountTypeString( _In_ PSID Sid ); PHLIBAPI PPH_STRING NTAPI PhGetCapabilitySidName( _In_ PSID CapabilitySid ); PHLIBAPI PPH_STRING NTAPI PhGetCapabilityGuidName( _In_ PPH_STRING GuidString ); PHLIBAPI BOOLEAN NTAPI PhBuildTrusteeWithSid( _Out_ PVOID Trustee, _In_opt_ PSID Sid ); PHLIBAPI VOID NTAPI PhMapGenericMask( _Inout_ PACCESS_MASK AccessMask, _In_ PGENERIC_MAPPING GenericMapping ); typedef _Function_class_(PH_ENUM_ACCOUNT_CALLBACK) NTSTATUS PH_ENUM_ACCOUNT_CALLBACK( _In_ PPH_STRINGREF AccountName, _In_opt_ PVOID Context ); typedef PH_ENUM_ACCOUNT_CALLBACK* PPH_ENUM_ACCOUNT_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhEnumerateAccounts( _In_ PPH_ENUM_ACCOUNT_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhCreateServiceSidToBuffer( _In_ PPH_STRINGREF ServiceName, _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid, _Inout_ PULONG ServiceSidLength ); PHLIBAPI PPH_STRING NTAPI PhCreateServiceSidToStringSid( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI PPH_STRING NTAPI PhGetAzureDirectoryObjectSid( _In_ PSID ActiveDirectorySid ); PHLIBAPI BOOLEAN NTAPI PhIsDomainJoined( VOID ); PHLIBAPI PPH_STRING NTAPI PhGetSidAuthorityName( _In_ PSID Sid ); PHLIBAPI PPH_STRING NTAPI PhFormatSidTooltip( _In_ PSID Sid, _In_ BOOLEAN IncludeName, _In_opt_ PLSA_USER_ACCOUNT_TYPE AccountType ); PHLIBAPI BOOLEAN NTAPI PhIsServiceSid( _In_ PSID Sid ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/mapimg.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2017-2023 * jx-s 2023 * */ #ifndef _PH_MAPIMG_H #define _PH_MAPIMG_H EXTERN_C_START #include #include // Section mapping type flags #define PH_MAPPED_IMAGE_FLAG_SEC_COMMIT 0x0 // File mapping (default) #define PH_MAPPED_IMAGE_FLAG_SEC_IMAGE 0x1 // Image mapping (SEC_IMAGE*) typedef struct _PH_MAPPED_IMAGE { USHORT Signature; USHORT Flags; ULONG Spare; PVOID ViewBase; SIZE_T ViewSize; union { struct // PE image { union { PIMAGE_NT_HEADERS32 NtHeaders32; PIMAGE_NT_HEADERS64 NtHeaders64; PIMAGE_NT_HEADERS NtHeaders; }; USHORT Magic; USHORT NumberOfSections; PIMAGE_SECTION_HEADER Sections; }; struct // ELF image { struct _ELF_IMAGE_HEADER *Header; union { struct _ELF_IMAGE_HEADER32 *Headers32; struct _ELF_IMAGE_HEADER64 *Headers64; }; }; }; } PH_MAPPED_IMAGE, *PPH_MAPPED_IMAGE; FORCEINLINE VOID NTAPI PhMappedImageProbe( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PVOID Address, _In_ SIZE_T Length ) { PhProbeAddress(Address, Length, MappedImage->ViewBase, MappedImage->ViewSize, __alignof(UCHAR)); } PHLIBAPI NTSTATUS NTAPI PhInitializeMappedImage( _Out_ PPH_MAPPED_IMAGE MappedImage, _In_ PVOID ViewBase, _In_ SIZE_T ViewSize ); PHLIBAPI NTSTATUS NTAPI PhLoadMappedImage( _In_opt_ PCWSTR FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhLoadMappedImageEx( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhLoadMappedImageHeaderPageSize( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhUnloadMappedImage( _Inout_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhLoadMappedImageHeaderFromFile( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhUnloadMappedImageHeaderFromFile( _Inout_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhMapViewOfEntireFile( _In_opt_ PCWSTR FileName, _In_opt_ HANDLE FileHandle, _Out_ PVOID *ViewBase, _Out_ PSIZE_T ViewSize ); PHLIBAPI NTSTATUS NTAPI PhMapViewOfEntireFileEx( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PVOID* ViewBase, _Out_ PSIZE_T ViewSize ); PHLIBAPI VOID NTAPI PhMappedImagePrefetch( _In_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI PIMAGE_SECTION_HEADER NTAPI PhMappedImageSectionByName( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PCWSTR Name, _In_ BOOLEAN IgnoreCase ); PHLIBAPI PIMAGE_SECTION_HEADER NTAPI PhMappedImageRvaToSection( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Rva ); _Success_(return != NULL) PHLIBAPI PVOID NTAPI PhMappedImageRvaToVa( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Rva, _Out_opt_ PIMAGE_SECTION_HEADER *Section ); _Success_(return != NULL) PHLIBAPI PVOID NTAPI PhMappedImageVaToVa( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONGLONG Va, _Out_opt_ PIMAGE_SECTION_HEADER* Section ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageSectionName( _In_ PIMAGE_SECTION_HEADER Section, _Out_writes_opt_z_(Count) PWSTR Buffer, _In_ ULONG Count, _Out_opt_ PULONG ReturnCount ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageDataDirectory( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Index, _Out_ PIMAGE_DATA_DIRECTORY *Entry ); PHLIBAPI NTSTATUS NTAPI PhRelocateMappedImageDataEntryARM64X( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DATA_DIRECTORY Entry, _Out_ PIMAGE_DATA_DIRECTORY RelocatedEntry ); PHLIBAPI PVOID NTAPI PhGetMappedImageDirectoryEntry( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Index ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageLoadConfig32( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PIMAGE_LOAD_CONFIG_DIRECTORY32 *LoadConfig ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageLoadConfig64( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PIMAGE_LOAD_CONFIG_DIRECTORY64 *LoadConfig ); // Remote mapped image typedef _Function_class_(PH_READ_VIRTUAL_MEMORY_CALLBACK) NTSTATUS NTAPI PH_READ_VIRTUAL_MEMORY_CALLBACK( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead, _In_opt_ PVOID Context ); typedef PH_READ_VIRTUAL_MEMORY_CALLBACK* PPH_READ_VIRTUAL_MEMORY_CALLBACK; typedef struct _PH_REMOTE_MAPPED_IMAGE { HANDLE ProcessHandle; PVOID ViewBase; SIZE_T ViewSize; union { PIMAGE_NT_HEADERS32 NtHeaders32; PIMAGE_NT_HEADERS64 NtHeaders64; PIMAGE_NT_HEADERS NtHeaders; }; USHORT Magic; USHORT NumberOfSections; PIMAGE_SECTION_HEADER Sections; PVOID PageCache; PPH_READ_VIRTUAL_MEMORY_CALLBACK ReadVirtualMemoryCallback; PVOID Context; } PH_REMOTE_MAPPED_IMAGE, *PPH_REMOTE_MAPPED_IMAGE; FORCEINLINE VOID NTAPI RemoteMappedImageProbe( _In_ PPH_REMOTE_MAPPED_IMAGE MappedImage, _In_ PVOID Address, _In_ SIZE_T Length ) { PhProbeAddress(Address, Length, MappedImage->ViewBase, MappedImage->ViewSize, 1); } PHLIBAPI NTSTATUS NTAPI PhInitializeRemoteMappedImage( _Out_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_opt_ PPH_READ_VIRTUAL_MEMORY_CALLBACK ReadVirtualMemoryCallback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhLoadRemoteMappedImage( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ HANDLE ProcessHandle, _In_ PVOID ViewBase, _In_ SIZE_T ViewSize ); PHLIBAPI NTSTATUS NTAPI PhUnloadRemoteMappedImage( _Inout_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage ); PHLIBAPI NTSTATUS NTAPI PhGetRemoteMappedImageDataEntry( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ ULONG Index, _Out_ PIMAGE_DATA_DIRECTORY* Entry ); PHLIBAPI NTSTATUS NTAPI PhGetRemoteMappedImageDirectoryEntry( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ ULONG Index, _Out_ PVOID* DataBuffer, _Out_opt_ ULONG* DataLength ); PHLIBAPI NTSTATUS NTAPI PhGetRemoteMappedImageDebugEntryByType( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ ULONG Type, _Out_opt_ PULONG DataLength, _Out_ PPVOID DataBuffer ); PHLIBAPI NTSTATUS NTAPI PhGetRemoteMappedImageGuardFlags( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _Out_ PULONG GuardFlags ); typedef struct _PH_MAPPED_IMAGE_EXPORTS { PPH_MAPPED_IMAGE MappedImage; ULONG NumberOfEntries; PIMAGE_DATA_DIRECTORY DataDirectory; IMAGE_DATA_DIRECTORY DataDirectoryARM64X; PIMAGE_EXPORT_DIRECTORY ExportDirectory; PULONG AddressTable; PULONG NamePointerTable; PUSHORT OrdinalTable; } PH_MAPPED_IMAGE_EXPORTS, *PPH_MAPPED_IMAGE_EXPORTS; typedef struct _PH_MAPPED_IMAGE_EXPORT_ENTRY { USHORT Ordinal; ULONG Hint; PCSTR Name; } PH_MAPPED_IMAGE_EXPORT_ENTRY, *PPH_MAPPED_IMAGE_EXPORT_ENTRY; typedef struct _PH_MAPPED_IMAGE_EXPORT_FUNCTION { PVOID Function; PCSTR ForwardedName; } PH_MAPPED_IMAGE_EXPORT_FUNCTION, *PPH_MAPPED_IMAGE_EXPORT_FUNCTION; #define PH_GET_IMAGE_EXPORTS_ARM64X 0x00000001ul PHLIBAPI NTSTATUS NTAPI PhGetMappedImageExportsEx( _Out_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageExports( _Out_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageExportEntry( _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_ ULONG Index, _Out_ PPH_MAPPED_IMAGE_EXPORT_ENTRY Entry ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageExportFunction( _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_opt_ PCSTR Name, _In_opt_ USHORT Ordinal, _Out_ PPH_MAPPED_IMAGE_EXPORT_FUNCTION Function ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageExportFunctionRemote( _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_opt_ PCSTR Name, _In_opt_ USHORT Ordinal, _In_ PVOID RemoteBase, _Out_ PVOID *Function ); #define PH_MAPPED_IMAGE_DELAY_IMPORTS 0x1 typedef struct _PH_MAPPED_IMAGE_IMPORTS { PPH_MAPPED_IMAGE MappedImage; ULONG Flags; ULONG NumberOfDlls; union { PIMAGE_IMPORT_DESCRIPTOR DescriptorTable; PIMAGE_DELAYLOAD_DESCRIPTOR DelayDescriptorTable; }; } PH_MAPPED_IMAGE_IMPORTS, *PPH_MAPPED_IMAGE_IMPORTS; typedef struct _PH_MAPPED_IMAGE_IMPORT_DLL { PPH_MAPPED_IMAGE MappedImage; ULONG Flags; ULONG NumberOfEntries; PCSTR Name; union { PIMAGE_IMPORT_DESCRIPTOR Descriptor; PIMAGE_DELAYLOAD_DESCRIPTOR DelayDescriptor; }; PVOID LookupTable; } PH_MAPPED_IMAGE_IMPORT_DLL, *PPH_MAPPED_IMAGE_IMPORT_DLL; typedef struct _PH_MAPPED_IMAGE_IMPORT_ENTRY { PCSTR Name; union { USHORT Ordinal; USHORT NameHint; }; } PH_MAPPED_IMAGE_IMPORT_ENTRY, *PPH_MAPPED_IMAGE_IMPORT_ENTRY; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageImports( _Out_ PPH_MAPPED_IMAGE_IMPORTS Imports, _In_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageImportDll( _In_ PPH_MAPPED_IMAGE_IMPORTS Imports, _In_ ULONG Index, _Out_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageImportEntry( _In_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll, _In_ ULONG Index, _Out_ PPH_MAPPED_IMAGE_IMPORT_ENTRY Entry ); PHLIBAPI ULONG NTAPI PhGetMappedImageImportEntryRva( _In_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll, _In_ ULONG Index, _In_ BOOLEAN DelayImport ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageDelayImports( _Out_ PPH_MAPPED_IMAGE_IMPORTS Imports, _In_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI USHORT NTAPI PhCheckSum( _In_ ULONG Sum, _In_reads_(Count) PUSHORT Buffer, _In_ ULONG Count ); PHLIBAPI ULONG NTAPI PhCheckSumMappedImage( _In_ PPH_MAPPED_IMAGE MappedImage ); typedef struct _IMAGE_CFG_ENTRY { ULONG Rva; struct { BOOLEAN SuppressedCall : 1; BOOLEAN ExportSuppressed : 1; BOOLEAN LangExcptHandler : 1; BOOLEAN Xfg : 1; BOOLEAN Reserved : 4; }; ULONG64 XfgHash; } IMAGE_CFG_ENTRY, *PIMAGE_CFG_ENTRY; typedef struct _PH_MAPPED_IMAGE_CFG { PPH_MAPPED_IMAGE MappedImage; ULONG EntrySize; union { ULONG GuardFlags; struct { ULONG CfgInstrumented : 1; ULONG WriteIntegrityChecks : 1; ULONG CfgFunctionTablePresent : 1; ULONG SecurityCookieUnused : 1; ULONG ProtectDelayLoadedIat : 1; ULONG DelayLoadInDidatSection : 1; ULONG HasExportSuppressionInfos : 1; ULONG EnableExportSuppression : 1; ULONG CfgLongJumpTablePresent : 1; ULONG Spare : 23; }; }; PULONGLONG GuardFunctionTable; ULONGLONG NumberOfGuardFunctionEntries; PULONGLONG GuardAdressIatTable; ULONGLONG NumberOfGuardAdressIatEntries; PULONGLONG GuardLongJumpTable; ULONGLONG NumberOfGuardLongJumpEntries; } PH_MAPPED_IMAGE_CFG, *PPH_MAPPED_IMAGE_CFG; typedef enum _CFG_ENTRY_TYPE { ControlFlowGuardFunction, ControlFlowGuardTakenIatEntry, ControlFlowGuardLongJump } CFG_ENTRY_TYPE; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageCfg( _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig, _In_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageCfgEntry( _In_ PPH_MAPPED_IMAGE_CFG CfgConfig, _In_ ULONGLONG Index, _In_ CFG_ENTRY_TYPE Type, _Out_ PIMAGE_CFG_ENTRY Entry ); typedef struct _PH_IMAGE_RESOURCE_ENTRY { ULONG_PTR Type; ULONG_PTR Name; ULONG_PTR Language; ULONG Offset; ULONG Size; ULONG CodePage; //PVOID Data; // PhMappedImageRvaToVa(MappedImage, resourceData->OffsetToData, NULL); } PH_IMAGE_RESOURCE_ENTRY, *PPH_IMAGE_RESOURCE_ENTRY; typedef struct _PH_MAPPED_IMAGE_RESOURCES { PPH_MAPPED_IMAGE MappedImage; PIMAGE_DATA_DIRECTORY DataDirectory; PIMAGE_RESOURCE_DIRECTORY ResourceDirectory; ULONG NumberOfEntries; PPH_IMAGE_RESOURCE_ENTRY ResourceEntries; } PH_MAPPED_IMAGE_RESOURCES, *PPH_MAPPED_IMAGE_RESOURCES; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageResources( _Out_ PPH_MAPPED_IMAGE_RESOURCES Resources, _In_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageResource( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PCWSTR Name, _In_ PCWSTR Type, _In_opt_ USHORT Language, _Out_opt_ PULONG ResourceLength, _Out_opt_ PVOID* ResourceBuffer ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageResourceIndex( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_RESOURCE_DIRECTORY ResourceDirectory, _In_ LONG ResourceIndex, _In_ PCWSTR ResourceType, _Out_opt_ ULONG* ResourceLength, _Out_opt_ PVOID* ResourceBuffer ); typedef struct _PH_IMAGE_TLS_CALLBACK_ENTRY { ULONGLONG Index; ULONGLONG Address; } PH_IMAGE_TLS_CALLBACK_ENTRY, *PPH_IMAGE_TLS_CALLBACK_ENTRY; typedef struct _PH_MAPPED_IMAGE_TLS_CALLBACKS { PPH_MAPPED_IMAGE MappedImage; PIMAGE_DATA_DIRECTORY DataDirectory; union { PIMAGE_TLS_DIRECTORY32 TlsDirectory32; PIMAGE_TLS_DIRECTORY64 TlsDirectory64; }; //PVOID CallbackIndexes; PVOID CallbackAddress; ULONG NumberOfEntries; PPH_IMAGE_TLS_CALLBACK_ENTRY Entries; } PH_MAPPED_IMAGE_TLS_CALLBACKS, *PPH_MAPPED_IMAGE_TLS_CALLBACKS; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageTlsCallbacks( _Out_ PPH_MAPPED_IMAGE_TLS_CALLBACKS TlsCallbacks, _In_ PPH_MAPPED_IMAGE MappedImage ); typedef struct _PH_MAPPED_IMAGE_PRODID_ENTRY { USHORT ProductId; USHORT ProductBuild; ULONG ProductCount; } PH_MAPPED_IMAGE_PRODID_ENTRY, *PPH_MAPPED_IMAGE_PRODID_ENTRY; typedef struct _PH_MAPPED_IMAGE_PRODID { //WCHAR Key[PH_PTR_STR_LEN_1]; BOOLEAN Valid; PPH_STRING Key; PPH_STRING RawHash; PPH_STRING Hash; ULONG NumberOfEntries; PPH_MAPPED_IMAGE_PRODID_ENTRY ProdIdEntries; } PH_MAPPED_IMAGE_PRODID, *PPH_MAPPED_IMAGE_PRODID; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageProdIdHeader( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_PRODID ProdIdHeader ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageProdIdExtents( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PULONG ProdIdHeaderStart, _Out_ PULONG ProdIdHeaderEnd ); typedef struct _PH_IMAGE_DEBUG_ENTRY { ULONG Characteristics; ULONG TimeDateStamp; USHORT MajorVersion; USHORT MinorVersion; ULONG Type; ULONG SizeOfData; ULONG AddressOfRawData; ULONG PointerToRawData; } PH_IMAGE_DEBUG_ENTRY, *PPH_IMAGE_DEBUG_ENTRY; typedef struct _PH_MAPPED_IMAGE_DEBUG { PPH_MAPPED_IMAGE MappedImage; PIMAGE_DATA_DIRECTORY DataDirectory; PIMAGE_DEBUG_DIRECTORY DebugDirectory; ULONG NumberOfEntries; PPH_IMAGE_DEBUG_ENTRY DebugEntries; } PH_MAPPED_IMAGE_DEBUG, *PPH_MAPPED_IMAGE_DEBUG; // Note: Remove once they've been added to the Windows SDK. (dmex) #ifndef IMAGE_DEBUG_TYPE_EMBEDDEDPORTABLEPDB #define IMAGE_DEBUG_TYPE_EMBEDDEDPORTABLEPDB 17 #endif #ifndef IMAGE_DEBUG_TYPE_PDBCHECKSUM #define IMAGE_DEBUG_TYPE_PDBCHECKSUM 19 #endif #ifndef IMAGE_DEBUG_TYPE_PERFMAP #define IMAGE_DEBUG_TYPE_PERFMAP 21 #endif typedef struct _IMAGE_DEBUG_TYPE_PERFMAPV1 { ULONG Magic; // 0x4D523252 BYTE Signature[16]; ULONG Version; // BYTE Data[1]; } IMAGE_DEBUG_TYPE_PERFMAPV1, *PIMAGE_DEBUG_TYPE_PERFMAPV1; #define CODEVIEW_SIGNATURE_NB10 '01BN' #define CODEVIEW_SIGNATURE_RSDS 'SDSR' typedef struct _CODEVIEW_HEADER { ULONG Signature; LONG Offset; } CODEVIEW_HEADER, *PCODEVIEW_HEADER; typedef struct _CODEVIEW_INFO_PDB20 { CODEVIEW_HEADER Header; ULONG Timestamp; // seconds since 1970 ULONG Age; CHAR PdbFileName[1]; } CODEVIEW_INFO_PDB20, *PCODEVIEW_INFO_PDB20; typedef struct _CODEVIEW_INFO_PDB70 { ULONG Signature; GUID PdbGuid; ULONG PdbAge; CHAR ImageName[1]; } CODEVIEW_INFO_PDB70, *PCODEVIEW_INFO_PDB70; // IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT, Windows 20H1 and 21H1 have different values #define IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT_V1 0x00200000 #define IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT_V2 0x00400000 #ifndef IMAGE_GUARD_XFG_ENABLED #define IMAGE_GUARD_XFG_ENABLED 0x00800000 // Module was built with xfg #endif PHLIBAPI NTSTATUS NTAPI PhGetMappedImageDebug( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_DEBUG Debug ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageDebugEntryByType( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Type, _Out_opt_ ULONG* DataLength, _Out_opt_ PVOID* DataBuffer ); // maplib typedef struct _PH_MAPPED_ARCHIVE *PPH_MAPPED_ARCHIVE; typedef enum _PH_MAPPED_ARCHIVE_MEMBER_TYPE { NormalArchiveMemberType, LinkerArchiveMemberType, LongnamesArchiveMemberType } PH_MAPPED_ARCHIVE_MEMBER_TYPE; typedef struct _PH_MAPPED_ARCHIVE_MEMBER { PPH_MAPPED_ARCHIVE MappedArchive; PH_MAPPED_ARCHIVE_MEMBER_TYPE Type; PCSTR Name; ULONG Size; PVOID Data; PIMAGE_ARCHIVE_MEMBER_HEADER Header; CHAR NameBuffer[20]; } PH_MAPPED_ARCHIVE_MEMBER, *PPH_MAPPED_ARCHIVE_MEMBER; typedef struct _PH_MAPPED_ARCHIVE { PVOID ViewBase; SIZE_T Size; PH_MAPPED_ARCHIVE_MEMBER FirstLinkerMember; PH_MAPPED_ARCHIVE_MEMBER SecondLinkerMember; PH_MAPPED_ARCHIVE_MEMBER LongnamesMember; BOOLEAN HasLongnamesMember; PPH_MAPPED_ARCHIVE_MEMBER FirstStandardMember; PPH_MAPPED_ARCHIVE_MEMBER LastStandardMember; } PH_MAPPED_ARCHIVE, *PPH_MAPPED_ARCHIVE; typedef struct _PH_MAPPED_ARCHIVE_IMPORT_ENTRY { PCSTR Name; PCSTR DllName; union { USHORT Ordinal; USHORT NameHint; }; BYTE Type; BYTE NameType; USHORT Machine; } PH_MAPPED_ARCHIVE_IMPORT_ENTRY, *PPH_MAPPED_ARCHIVE_IMPORT_ENTRY; PHLIBAPI NTSTATUS NTAPI PhInitializeMappedArchive( _Out_ PPH_MAPPED_ARCHIVE MappedArchive, _In_ PVOID ViewBase, _In_ SIZE_T Size ); PHLIBAPI NTSTATUS NTAPI PhLoadMappedArchive( _In_opt_ PCWSTR FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_ARCHIVE MappedArchive ); PHLIBAPI NTSTATUS NTAPI PhUnloadMappedArchive( _Inout_ PPH_MAPPED_ARCHIVE MappedArchive ); PHLIBAPI NTSTATUS NTAPI PhGetNextMappedArchiveMember( _In_ PPH_MAPPED_ARCHIVE_MEMBER Member, _Out_ PPH_MAPPED_ARCHIVE_MEMBER NextMember ); PHLIBAPI BOOLEAN NTAPI PhIsMappedArchiveMemberShortFormat( _In_ PPH_MAPPED_ARCHIVE_MEMBER Member ); PHLIBAPI NTSTATUS NTAPI PhGetMappedArchiveImportEntry( _In_ PPH_MAPPED_ARCHIVE_MEMBER Member, _Out_ PPH_MAPPED_ARCHIVE_IMPORT_ENTRY Entry ); typedef struct _PH_MAPPED_IMAGE_EH_CONT { PULONGLONG EhContTable; ULONGLONG NumberOfEhContEntries; ULONG EntrySize; } PH_MAPPED_IMAGE_EH_CONT, *PPH_MAPPED_IMAGE_EH_CONT; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageEhCont( _Out_ PPH_MAPPED_IMAGE_EH_CONT EhContConfig, _In_ PPH_MAPPED_IMAGE MappedImage ); typedef struct _PH_IMAGE_DEBUG_POGO_ENTRY { ULONG Rva; ULONG Size; PVOID Data; WCHAR Name[0x100]; } PH_IMAGE_DEBUG_POGO_ENTRY, *PPH_IMAGE_DEBUG_POGO_ENTRY; typedef struct _PH_MAPPED_IMAGE_DEBUG_POGO { PPH_MAPPED_IMAGE MappedImage; PIMAGE_DEBUG_POGO_SIGNATURE PogoDirectory; ULONG NumberOfEntries; PPH_IMAGE_DEBUG_POGO_ENTRY PogoEntries; } PH_MAPPED_IMAGE_DEBUG_POGO, *PPH_MAPPED_IMAGE_DEBUG_POGO; PHLIBAPI NTSTATUS NTAPI PhGetMappedImagePogo( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_DEBUG_POGO PogoDebug ); typedef struct _PH_IMAGE_RELOC_ENTRY { ULONG BlockIndex; ULONG BlockRva; IMAGE_RELOCATION_RECORD Record; PVOID ImageBaseVa; PVOID MappedImageVa; } PH_IMAGE_RELOC_ENTRY, *PPH_IMAGE_RELOC_ENTRY; typedef struct _PH_MAPPED_IMAGE_RELOC { PPH_MAPPED_IMAGE MappedImage; PIMAGE_DATA_DIRECTORY DataDirectory; PIMAGE_BASE_RELOCATION FirstRelocationDirectory; ULONG NumberOfEntries; PPH_IMAGE_RELOC_ENTRY RelocationEntries; } PH_MAPPED_IMAGE_RELOC, *PPH_MAPPED_IMAGE_RELOC; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_RELOC Relocations ); PHLIBAPI VOID NTAPI PhFreeMappedImageRelocations( _In_opt_ PPH_MAPPED_IMAGE_RELOC Relocations ); typedef struct _PH_IMAGE_DYNAMIC_RELOC_ENTRY { ULONGLONG Symbol; union { // IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER struct { ULONG BlockIndex; ULONG BlockRva; IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION Record; } ImportControl; // IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER struct { ULONG BlockIndex; ULONG BlockRva; IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION Record; } IndirControl; // IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH struct { ULONG BlockIndex; ULONG BlockRva; IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION Record; } SwitchBranch; // IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE struct { ULONG BlockIndex; ULONG BlockRva; IMAGE_RELOCATION_RECORD Record; PIMAGE_BDD_DYNAMIC_RELOCATION BDDNodes; ULONG BDDNodesCount; ULONG OriginalRva; ULONG BDDOffset; PULONG Rvas; ULONG RvasCount; } FuncOverride; // IMAGE_DYNAMIC_RELOCATION_ARM64X struct { ULONG BlockIndex; ULONG BlockRva; union { LONG64 Delta; ULONG64 Value8; ULONG Value4; USHORT Value2; }; union { IMAGE_DVRT_ARM64X_FIXUP_RECORD RecordFixup; IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD RecordDelta; }; } ARM64X; // IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER struct { ULONG BlockIndex; ULONG BlockRva; IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION Record; } ARM64ImportControl; // IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE struct { ULONG BlockIndex; ULONG BlockRva; UCHAR PrologueByteCount; PVOID PrologueBytes; // Pointer to prologue byte array } RFPrologue; // IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE struct { ULONG BlockIndex; ULONG BlockRva; ULONG EpilogueCount; UCHAR EpilogueByteCount; UCHAR BranchDescriptorElementSize; USHORT BranchDescriptorCount; PVOID BranchDescriptors; // Pointer to branch descriptors PVOID BranchDescriptorBitMap; // Pointer to branch descriptor bitmap } RFEpilogue; // IMAGE_DYNAMIC_RELOCATION_KI_USER_SHARED_DATA64 or similar struct { ULONG BlockIndex; ULONG BlockRva; IMAGE_RELOCATION_RECORD Record; } Other; }; PVOID ImageBaseVa; PVOID MappedImageVa; } PH_IMAGE_DYNAMIC_RELOC_ENTRY, *PPH_IMAGE_DYNAMIC_RELOC_ENTRY; typedef struct _PH_MAPPED_IMAGE_DYNAMIC_RELOC { PPH_MAPPED_IMAGE MappedImage; PIMAGE_DYNAMIC_RELOCATION_TABLE RelocationTable; ULONG NumberOfEntries; PPH_IMAGE_DYNAMIC_RELOC_ENTRY RelocationEntries; } PH_MAPPED_IMAGE_DYNAMIC_RELOC, *PPH_MAPPED_IMAGE_DYNAMIC_RELOC; typedef _Function_class_(PH_MAPPED_IMAGE_RELOC_CALLBACK) NTSTATUS NTAPI PH_MAPPED_IMAGE_RELOC_CALLBACK( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DATA_DIRECTORY DataDirectory, _In_ PIMAGE_BASE_RELOCATION RelocationDirectory, _In_ PIMAGE_RELOCATION_RECORD Relocations, _In_ ULONG RelocationCount, _In_opt_ PVOID Context ); typedef PH_MAPPED_IMAGE_RELOC_CALLBACK *PPH_MAPPED_IMAGE_RELOC_CALLBACK; typedef _Function_class_(PH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK) NTSTATUS NTAPI PH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PPH_IMAGE_DYNAMIC_RELOC_ENTRY Entry, _In_opt_ PVOID Context ); typedef PH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK *PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhMappedImageEnumerateRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PPH_MAPPED_IMAGE_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhMappedImageEnumerateDynamicRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageDynamicRelocationsTable( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_opt_ PIMAGE_DYNAMIC_RELOCATION_TABLE* Table ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageDynamicRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC Relocations ); PHLIBAPI VOID NTAPI PhFreeMappedImageDynamicRelocations( _In_opt_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC Relocations ); typedef struct _PH_MAPPED_IMAGE_EXCEPTIONS { PPH_MAPPED_IMAGE MappedImage; PIMAGE_DATA_DIRECTORY DataDirectory; IMAGE_DATA_DIRECTORY DataDirectoryARM64X; PVOID ExceptionDirectory; ULONG NumberOfEntries; PVOID ExceptionEntries; } PH_MAPPED_IMAGE_EXCEPTIONS, *PPH_MAPPED_IMAGE_EXCEPTIONS; #define PH_GET_IMAGE_EXCEPTIONS_ARM64X 0x00000001ul PHLIBAPI NTSTATUS NTAPI PhGetMappedImageExceptionsEx( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_EXCEPTIONS Exceptions, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageExceptions( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_EXCEPTIONS Exceptions ); // Note: Remove if/when added to the Windows SDK. (dmex) #ifndef _IMAGE_VOLATILE_METADATA typedef struct _IMAGE_VOLATILE_METADATA { ULONG Size; ULONG Version; ULONG VolatileAccessTable; ULONG VolatileAccessTableSize; ULONG VolatileInfoRangeTable; ULONG VolatileInfoRangeTableSize; } IMAGE_VOLATILE_METADATA, *PIMAGE_VOLATILE_METADATA; #endif // Note: Remove if/when added to the Windows SDK. (dmex) #ifndef _IMAGE_VOLATILE_RVA_METADATA typedef struct _IMAGE_VOLATILE_RVA_METADATA { ULONG Rva; } IMAGE_VOLATILE_RVA_METADATA, *PIMAGE_VOLATILE_RVA_METADATA; #endif // Note: Remove if/when added to the Windows SDK. (dmex) #ifndef _IMAGE_VOLATILE_RANGE_METADATA typedef struct _IMAGE_VOLATILE_RANGE_METADATA { ULONG Rva; ULONG Size; } IMAGE_VOLATILE_RANGE_METADATA, *PIMAGE_VOLATILE_RANGE_METADATA; #endif typedef struct _PH_IMAGE_VOLATILE_ENTRY { ULONG Rva; ULONG Size; } PH_IMAGE_VOLATILE_ENTRY, *PPH_IMAGE_VOLATILE_ENTRY; typedef struct _PH_MAPPED_IMAGE_VOLATILE_METADATA { PPH_MAPPED_IMAGE MappedImage; PIMAGE_VOLATILE_METADATA VolatileMetadata; ULONG NumberOfAccessEntries; ULONG NumberOfRangeEntries; PPH_IMAGE_VOLATILE_ENTRY AccessEntries; PPH_IMAGE_VOLATILE_ENTRY RangeEntries; } PH_MAPPED_IMAGE_VOLATILE_METADATA, *PPH_MAPPED_IMAGE_VOLATILE_METADATA; PHLIBAPI NTSTATUS NTAPI PhGetMappedImageVolatileMetadata( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_VOLATILE_METADATA VolatileMetadata ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageAuthenticodeHash( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PH_HASH_ALGORITHM Algorithm, _Out_ PPH_STRING* AuthenticodeHash ); PHLIBAPI NTSTATUS NTAPI PhGetMappedImageWdacHash( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PH_HASH_ALGORITHM Algorithm, _Out_ PPH_STRING* WdacHash ); PHLIBAPI BOOLEAN NTAPI PhGetMappedImageEntropy( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PFLOAT ImageEntropy, _Out_ PFLOAT ImageMean, _Out_ PFLOAT ImageVariance ); PHLIBAPI ULONG NTAPI PhGetMappedImageCHPEVersion( _In_ PPH_MAPPED_IMAGE MappedImage ); PHLIBAPI NTSTATUS NTAPI PhGetRemoteMappedImageCHPEVersion( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _Out_ PULONG CHPEVersion ); // ELF binary support NTSTATUS PhInitializeMappedWslImage( _Out_ PPH_MAPPED_IMAGE MappedWslImage, _In_ PVOID ViewBase, _In_ SIZE_T Size ); ULONG64 PhGetMappedWslImageBaseAddress( _In_ PPH_MAPPED_IMAGE MappedWslImage ); typedef struct _PH_ELF_IMAGE_SECTION { UINT32 Type; ULONGLONG Flags; ULONGLONG Address; ULONGLONG Offset; ULONGLONG Size; WCHAR Name[MAX_PATH]; } PH_ELF_IMAGE_SECTION, *PPH_ELF_IMAGE_SECTION; BOOLEAN PhGetMappedWslImageSections( _In_ PPH_MAPPED_IMAGE MappedWslImage, _Out_ USHORT *NumberOfSections, _Out_ PPH_ELF_IMAGE_SECTION *ImageSections ); typedef struct _PH_ELF_IMAGE_SYMBOL_ENTRY { union { BOOLEAN Flags; struct { BOOLEAN ImportSymbol : 1; BOOLEAN ExportSymbol : 1; BOOLEAN UnknownSymbol : 1; BOOLEAN Spare : 5; }; }; UCHAR TypeInfo; UCHAR OtherInfo; ULONG SectionIndex; ULONGLONG Address; ULONGLONG Size; WCHAR Name[MAX_PATH * 2]; WCHAR Module[MAX_PATH * 2]; } PH_ELF_IMAGE_SYMBOL_ENTRY, *PPH_ELF_IMAGE_SYMBOL_ENTRY; BOOLEAN PhGetMappedWslImageSymbols( _In_ PPH_MAPPED_IMAGE MappedWslImage, _Out_ PPH_LIST *ImageSymbols ); VOID PhFreeMappedWslImageSymbols( _In_ PPH_LIST ImageSymbols ); typedef struct _PH_ELF_IMAGE_DYNAMIC_ENTRY { LONGLONG Tag; PWSTR Type; PPH_STRING Value; } PH_ELF_IMAGE_DYNAMIC_ENTRY, *PPH_ELF_IMAGE_DYNAMIC_ENTRY; BOOLEAN PhGetMappedWslImageDynamic( _In_ PPH_MAPPED_IMAGE MappedWslImage, _Out_ PPH_LIST *DynamicSymbols ); VOID PhFreeMappedWslImageDynamic( _In_ PPH_LIST ImageDynamic ); EXTERN_C_END #endif ================================================ FILE: phlib/include/mapldr.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #ifndef _PH_MAPLDR_H #define _PH_MAPLDR_H EXTERN_C_START PHLIBAPI PVOID NTAPI PhLoadLibrary( _In_ PCWSTR FileName ); PHLIBAPI BOOLEAN NTAPI PhFreeLibrary( _In_ PVOID BaseAddress ); PHLIBAPI NTSTATUS NTAPI PhLoadLibraryAsImageResource( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName, _Out_opt_ PVOID *BaseAddress ); PHLIBAPI NTSTATUS NTAPI PhFreeLibraryAsImageResource( _In_ PVOID BaseAddress ); PHLIBAPI PVOID NTAPI PhGetDllHandle( _In_ PCWSTR DllName ); PHLIBAPI PVOID NTAPI PhGetModuleProcAddress( _In_ PCWSTR ModuleName, _In_opt_ PCSTR ProcedureName ); PHLIBAPI PVOID NTAPI PhGetProcedureAddress( _In_ PVOID DllHandle, _In_opt_ PCSTR ProcedureName, _In_opt_ USHORT ProcedureNumber ); PHLIBAPI NTSTATUS NTAPI PhGetProcedureAddressRemote( _In_ HANDLE ProcessHandle, _In_ PCPH_STRINGREF FileName, _In_ PCSTR ProcedureName, _Out_ PVOID *ProcedureAddress, _Out_opt_ PVOID *DllBase ); FORCEINLINE NTSTATUS NTAPI PhGetProcedureAddressRemoteZ( _In_ HANDLE ProcessHandle, _In_ PCWSTR FileName, _In_ PCSTR ProcedureName, _Out_ PVOID *ProcedureAddress, _Out_opt_ PVOID *DllBase ) { PH_STRINGREF fileName; PhInitializeStringRef(&fileName, FileName); return PhGetProcedureAddressRemote( ProcessHandle, &fileName, ProcedureName, ProcedureAddress, DllBase ); } PHLIBAPI NTSTATUS NTAPI PhLoadResource( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _Out_opt_ ULONG *ResourceLength, _Out_opt_ PVOID *ResourceBuffer ); PHLIBAPI NTSTATUS NTAPI PhLoadResourceCopy( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _Out_opt_ ULONG *ResourceLength, _Out_opt_ PVOID *ResourceBuffer ); PHLIBAPI PPH_STRING NTAPI PhLoadString( _In_ PVOID DllBase, _In_ ULONG ResourceId ); PHLIBAPI PPH_STRING NTAPI PhLoadIndirectString( _In_ PCPH_STRINGREF SourceString ); _Success_(return != NULL) PHLIBAPI PPH_STRING NTAPI PhGetDllFileName( _In_ PVOID DllBase, _Out_opt_ PULONG IndexOfFileName ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetLoaderEntryData( _In_ PCPH_STRINGREF BaseDllName, _Out_opt_ PVOID* DllBase, _Out_opt_ ULONG* SizeOfImage, _Out_opt_ PPH_STRING* FullName ); FORCEINLINE BOOLEAN NTAPI PhGetLoaderEntryDataZ( _In_ PCWSTR BaseDllName, _Out_opt_ PVOID* DllBase, _Out_opt_ ULONG* SizeOfImage, _Out_opt_ PPH_STRING* FullName ) { PH_STRINGREF baseDllName; PhInitializeStringRef(&baseDllName, BaseDllName); return PhGetLoaderEntryData( &baseDllName, DllBase, SizeOfImage, FullName ); } PHLIBAPI PVOID NTAPI PhGetLoaderEntryAddressDllBase( _In_ PVOID PcAddress ); PHLIBAPI PVOID NTAPI PhGetLoaderEntryDllBase( _In_opt_ PCPH_STRINGREF FullDllName, _In_opt_ PCPH_STRINGREF BaseDllName ); FORCEINLINE PVOID NTAPI PhGetLoaderEntryDllBaseZ( _In_ PCWSTR DllName ) { PH_STRINGREF baseDllName; PhInitializeStringRef(&baseDllName, DllName); return PhGetLoaderEntryDllBase(NULL, &baseDllName); } PHLIBAPI NTSTATUS NTAPI PhCaptureSystemDllInitBlock( _In_ PVOID Source, _Out_ PPS_SYSTEM_DLL_INIT_BLOCK Destination ); PHLIBAPI NTSTATUS NTAPI PhGetSystemDllInitBlock( _Out_ PPS_SYSTEM_DLL_INIT_BLOCK SystemDllInitBlock ); PHLIBAPI PVOID NTAPI PhGetDllBaseProcedureAddress( _In_ PVOID DllBase, _In_opt_ PCSTR ProcedureName, _In_opt_ USHORT ProcedureNumber ); PHLIBAPI PVOID NTAPI PhGetDllBaseProcedureAddressWithHint( _In_ PVOID BaseAddress, _In_ PCSTR ProcedureName, _In_ USHORT ProcedureHint ); PHLIBAPI PVOID NTAPI PhGetDllProcedureAddress( _In_ PCPH_STRINGREF DllName, _In_opt_ PCSTR ProcedureName, _In_opt_ USHORT ProcedureNumber ); FORCEINLINE PVOID NTAPI PhGetDllProcedureAddressZ( _In_ PCWSTR DllName, _In_opt_ PCSTR ProcedureName, _In_opt_ USHORT ProcedureNumber ) { PH_STRINGREF fileName; PhInitializeStringRef(&fileName, DllName); return PhGetDllProcedureAddress( &fileName, ProcedureName, ProcedureNumber ); } PHLIBAPI NTSTATUS NTAPI PhGetLoaderEntryImageNtHeaders( _In_ PVOID BaseAddress, _Out_ PIMAGE_NT_HEADERS *ImageNtHeaders ); PHLIBAPI NTSTATUS NTAPI PhGetLoaderEntryImageDirectory( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ ULONG ImageDirectoryIndex, _Out_ PIMAGE_DATA_DIRECTORY *ImageDataDirectoryEntry, _Out_ PVOID *ImageDirectoryEntry, _Out_opt_ SIZE_T *ImageDirectoryLength ); PHLIBAPI NTSTATUS NTAPI PhGetLoaderEntryImageVaToSection( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ PVOID ImageDirectoryAddress, _Out_ PVOID *ImageSectionAddress, _Out_ SIZE_T *ImageSectionLength ); PHLIBAPI NTSTATUS NTAPI PhLoaderEntryImageRvaToSection( _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ ULONG Rva, _Out_ PIMAGE_SECTION_HEADER *ImageSection, _Out_ SIZE_T *ImageSectionLength ); PHLIBAPI NTSTATUS NTAPI PhLoaderEntryImageRvaToVa( _In_ PVOID BaseAddress, _In_ ULONG Rva, _Out_ PVOID *Va ); PHLIBAPI BOOLEAN NTAPI PhLoaderEntryImageExportSupressionPresent( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader ); PHLIBAPI VOID NTAPI PhLoaderEntryGrantSuppressedCall( _In_ PVOID ExportAddress ); PHLIBAPI PVOID NTAPI PhGetLoaderEntryImageExportFunction( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ PIMAGE_DATA_DIRECTORY DataDirectory, _In_ PIMAGE_EXPORT_DIRECTORY ExportDirectory, _In_opt_ PCSTR ExportName, _In_opt_ USHORT ExportOrdinal ); PHLIBAPI PPH_STRING NTAPI PhGetExportNameFromOrdinal( _In_ PVOID DllBase, _In_opt_ USHORT ProcedureNumber ); PHLIBAPI NTSTATUS NTAPI PhLoaderEntryDetourImportProcedure( _In_ PVOID BaseAddress, _In_ PCSTR ImportName, _In_ PCSTR ProcedureName, _In_ PVOID FunctionAddress, _Out_opt_ PVOID* OriginalAddress ); PHLIBAPI NTSTATUS NTAPI PhLoaderEntryLoadDll( _In_ PCPH_STRINGREF FileName, _In_opt_ HANDLE RootDirectory, _Out_ PVOID* BaseAddress ); PHLIBAPI NTSTATUS NTAPI PhLoaderEntryLoadAllImportsForDll( _In_ PVOID BaseAddress, _In_ PCSTR ImportDllName ); PHLIBAPI NTSTATUS NTAPI PhLoadAllImportsForDll( _In_ PCWSTR TargetDllName, _In_ PCSTR ImportDllName ); PHLIBAPI NTSTATUS NTAPI PhLoadPluginImage( _In_ PCPH_STRINGREF FileName, _In_opt_ HANDLE RootDirectory, _Out_opt_ PVOID *BaseAddress ); PHLIBAPI NTSTATUS NTAPI PhGetFileBinaryTypeWin32( _In_ PCWSTR FileName, _Out_ PULONG BinaryType ); EXTERN_C_END #endif ================================================ FILE: phlib/include/ph.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2018 * */ #ifndef _PH_PH_H #define _PH_PH_H #include #include #include #include #endif ================================================ FILE: phlib/include/phafd.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * diversenok 2025 * */ #ifndef _PH_PHAFD_H #define _PH_PHAFD_H #include EXTERN_C_START PHLIBAPI BOOLEAN NTAPI PhAfdIsSocketObjectName( _In_opt_ PPH_STRING ObjectName ); PHLIBAPI NTSTATUS NTAPI PhAfdIsSocketHandle( _In_ HANDLE Handle ); PHLIBAPI NTSTATUS NTAPI PhAfdDeviceIoControl( _In_ HANDLE SocketHandle, _In_ ULONG IoControlCode, _In_reads_bytes_(InBufferSize) PVOID InBuffer, _In_ ULONG InBufferSize, _Out_writes_bytes_to_opt_(OutputBufferSize, *BytesReturned) PVOID OutputBuffer, _In_ ULONG OutputBufferSize, _Out_opt_ PULONG BytesReturned, _Inout_opt_ LPOVERLAPPED Overlapped ); PHLIBAPI NTSTATUS NTAPI PhAfdQuerySharedInfo( _In_ HANDLE SocketHandle, _Out_ PSOCK_SHARED_INFO SharedInfo ); PHLIBAPI NTSTATUS NTAPI PhAfdQuerySimpleInfo( _In_ HANDLE SocketHandle, _In_ ULONG InformationType, _Out_ PAFD_INFORMATION Information ); PHLIBAPI NTSTATUS NTAPI PhAfdQuerySocketOption( _In_ HANDLE SocketHandle, _In_ ULONG Level, _In_ ULONG OptionName, _Out_ PVOID OptionValue, _In_ ULONG OptionLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhAfdQueryOption( _In_ HANDLE SocketHandle, _In_ ULONG Level, _In_ ULONG OptionName, _Out_ PULONG OptionValue ); typedef struct _TCP_INFO_v2 TCP_INFO_v2, *PTCP_INFO_v2; PHLIBAPI NTSTATUS NTAPI PhAfdQueryTcpInfo( _In_ HANDLE SocketHandle, _Out_ PTCP_INFO_v2 TcpInfo, _Out_ PULONG TcpInfoVersion ); PHLIBAPI NTSTATUS NTAPI PhAfdQueryTdiHandle( _In_ HANDLE SocketHandle, _In_ ULONG QueryMode, _Out_ PHANDLE TdiHandle ); PHLIBAPI NTSTATUS NTAPI PhAfdQueryFormatTdiDeviceName( _In_ HANDLE SocketHandle, _In_ ULONG QueryMode, _Outptr_ PPH_STRING* TdiDeviceName ); PHLIBAPI NTSTATUS NTAPI PhAfdQueryAddress( _In_ HANDLE SocketHandle, _In_ BOOLEAN Remote, _Out_ PSOCKADDR_STORAGE Address ); // Address formatting flags #define PH_AFD_ADDRESS_SIMPLIFY 0x01 // Print addresses as human-readable PHLIBAPI NTSTATUS NTAPI PhAfdQueryFormatAddress( _In_ HANDLE SocketHandle, _In_ BOOLEAN Remote, _Out_ PPH_STRING *AddressString, _In_ ULONG Flags ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatSocketState( _In_ SOCKET_STATE SocketState ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatSocketType( _In_ LONG SocketType ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatAddressFamily( _In_ LONG AddressFamily ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatProtocol( _In_ LONG AddressFamily, _In_ LONG Protocol ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatProviderFlags( _In_ ULONG ProviderFlags ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatServiceFlags( _In_ ULONG ServiceFlags ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatCreationFlags( _In_ ULONG CreationFlags ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatSharedInfoFlags( _In_ PSOCK_SHARED_INFO SharedInfo ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatGroupType( _In_ AFD_GROUP_TYPE GroupType ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatProtectionLevel( _In_ ULONG ProtectionLevel ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatMtuDiscoveryMode( _In_ ULONG MtuDiscover ); typedef enum _TCPSTATE TCPSTATE; PHLIBAPI PPH_STRING NTAPI PhAfdFormatTcpState( _In_ TCPSTATE TcpState ); PHLIBAPI PPH_STRING NTAPI PhAfdFormatInterfaceOption( _In_ ULONG Interface ); _Maybenull_ PPH_STRING NTAPI PhAfdFormatSocketBestName( _In_ HANDLE SocketHandle ); EXTERN_C_END #endif // _PH_PHAFD_H ================================================ FILE: phlib/include/phbase.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2016-2023 * */ #ifndef _PH_PHBASE_H #define _PH_PHBASE_H #ifndef PHLIB_NO_DEFAULT_LIB #pragma comment(lib, "ntdll.lib") #pragma comment(lib, "bcrypt.lib") #pragma comment(lib, "comctl32.lib") #pragma comment(lib, "winsta.lib") #endif #if !defined(_PHLIB_) #define PHLIBAPI __declspec(dllimport) #else #define PHLIBAPI #endif #ifdef __clang__ #define PH_CLANG_STRINGIFYX(x) #x #define PH_CLANG_STRINGIFY(x) PH_CLANG_STRINGIFYX(x) #define PH_CLANG_DIAGNOSTIC_PUSH() _Pragma("clang diagnostic push") #define PH_CLANG_DIAGNOSTIC_IGNORED(x) _Pragma(PH_CLANG_STRINGIFY(clang diagnostic ignored x)) #define PH_CLANG_DIAGNOSTIC_POP() _Pragma("clang diagnostic pop") #if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 202311L #define typeof __typeof__ #endif #else #define PH_CLANG_DIAGNOSTIC_PUSH() #define PH_CLANG_DIAGNOSTIC_IGNORED(x) #define PH_CLANG_DIAGNOSTIC_POP() #endif #include #include #include #include #include #include #include #include #endif ================================================ FILE: phlib/include/phbasesup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef _PH_PHBASESUP_H #define _PH_PHBASESUP_H EXTERN_C_START PHLIBAPI NTSTATUS NTAPI PhBaseInitialization( VOID ); // // Threads // #ifdef DEBUG typedef struct _PH_AUTO_POOL *PPH_AUTO_POOL; typedef struct _PHP_BASE_THREAD_DBG { CLIENT_ID ClientId; LIST_ENTRY ListEntry; PVOID StartAddress; PVOID Parameter; PPH_AUTO_POOL CurrentAutoPool; } PHP_BASE_THREAD_DBG, *PPHP_BASE_THREAD_DBG; extern ULONG PhDbgThreadDbgTlsIndex; extern LIST_ENTRY PhDbgThreadListHead; extern PH_QUEUED_LOCK PhDbgThreadListLock; #endif PHLIBAPI NTSTATUS NTAPI PhCreateUserThread( _In_ HANDLE ProcessHandle, _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_opt_ ULONG CreateFlags, _In_opt_ SIZE_T ZeroBits, _In_opt_ SIZE_T StackSize, _In_opt_ SIZE_T MaximumStackSize, _In_ PUSER_THREAD_START_ROUTINE StartRoutine, _In_opt_ PVOID Argument, _Out_opt_ PHANDLE ThreadHandle, _Out_opt_ PCLIENT_ID ClientId ); PHLIBAPI HANDLE NTAPI PhCreateThread( _In_opt_ SIZE_T StackSize, _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter ); PHLIBAPI NTSTATUS NTAPI PhCreateThreadEx( _Out_ PHANDLE ThreadHandle, _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter ); PHLIBAPI NTSTATUS NTAPI PhCreateThread2( _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter ); PHLIBAPI NTSTATUS NTAPI PhQueueUserWorkItem( _In_ PUSER_THREAD_START_ROUTINE StartRoutine, _In_opt_ PVOID Argument ); // // Misc. system // PHLIBAPI ULONG64 NTAPI PhReadTimeStampCounter( VOID ); PHLIBAPI BOOLEAN NTAPI PhQueryPerformanceCounter( _Out_ PLARGE_INTEGER PerformanceCounter ); PHLIBAPI BOOLEAN NTAPI PhQueryPerformanceFrequency( _Out_ PLARGE_INTEGER PerformanceFrequency ); FORCEINLINE ULONGLONG NTAPI PhReadPerformanceCounter( VOID ) { LARGE_INTEGER counter; PhQueryPerformanceCounter(&counter); return (ULONGLONG)counter.QuadPart; } FORCEINLINE ULONGLONG NTAPI PhReadPerformanceFrequency( VOID ) { LARGE_INTEGER counter; PhQueryPerformanceFrequency(&counter); return (ULONGLONG)counter.QuadPart; } PHLIBAPI VOID NTAPI PhQueryInterruptTime( _Out_ PLARGE_INTEGER InterruptTime ); PHLIBAPI VOID NTAPI PhQuerySystemTime( _Out_ PLARGE_INTEGER SystemTime ); PHLIBAPI NTSTATUS NTAPI PhQueryTimeZoneBias( _Out_ PLARGE_INTEGER TimeZoneBias ); PHLIBAPI NTSTATUS NTAPI PhSystemTimeToLocalTime( _In_ PLARGE_INTEGER SystemTime, _Out_ PLARGE_INTEGER LocalTime ); PHLIBAPI NTSTATUS NTAPI PhLocalTimeToSystemTime( _In_ PLARGE_INTEGER LocalTime, _Out_ PLARGE_INTEGER SystemTime ); PHLIBAPI BOOLEAN NTAPI PhTimeToSecondsSince1980( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds ); PHLIBAPI BOOLEAN NTAPI PhTimeToSecondsSince1970( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds ); PHLIBAPI VOID NTAPI PhSecondsSince1980ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time ); PHLIBAPI VOID NTAPI PhSecondsSince1970ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time ); // // Heap // _May_raise_ _Post_writable_byte_size_(Size) PHLIBAPI DECLSPEC_ALLOCATOR DECLSPEC_NOALIAS DECLSPEC_RESTRICT PVOID NTAPI PhAllocate( _In_ SIZE_T Size ); _Must_inspect_result_ _Ret_maybenull_ _When_(return != NULL, _Post_writable_byte_size_(Size)) _Success_(return != NULL) PHLIBAPI DECLSPEC_ALLOCATOR DECLSPEC_NOALIAS DECLSPEC_RESTRICT PVOID NTAPI PhAllocateSafe( _In_ SIZE_T Size ); _Must_inspect_result_ _Ret_maybenull_ _When_(return != NULL, _Post_writable_byte_size_(Size)) _Success_(return != NULL) PHLIBAPI DECLSPEC_ALLOCATOR DECLSPEC_NOALIAS DECLSPEC_RESTRICT PVOID NTAPI PhAllocateExSafe( _In_ SIZE_T Size, _In_ ULONG Flags ); PHLIBAPI VOID NTAPI PhFree( _In_opt_ _Frees_ptr_opt_ _Post_invalid_ PVOID Memory ); _May_raise_ _Ret_maybenull_ _When_(Size == 0, _Post_null_) _When_(return != NULL, _Post_writable_byte_size_(Size)) _Success_(return != NULL) PHLIBAPI DECLSPEC_ALLOCATOR DECLSPEC_NOALIAS DECLSPEC_RESTRICT PVOID NTAPI PhReAllocate( _In_opt_ _Frees_ptr_opt_ PVOID Memory, _In_ SIZE_T Size ); _Must_inspect_result_ _Ret_maybenull_ _When_(return != NULL, _Post_writable_byte_size_(Size)) _Success_(return != NULL) PHLIBAPI DECLSPEC_ALLOCATOR DECLSPEC_NOALIAS DECLSPEC_RESTRICT PVOID NTAPI PhReAllocateSafe( _In_opt_ _Frees_ptr_opt_ PVOID Memory, _In_ SIZE_T Size ); PHLIBAPI SIZE_T NTAPI PhSizeHeap( _In_ PVOID Memory ); _Must_inspect_result_ _Ret_maybenull_ _When_(return != NULL, _Post_writable_byte_size_(Size)) _Success_(return != NULL) PHLIBAPI DECLSPEC_ALLOCATOR DECLSPEC_NOALIAS DECLSPEC_RESTRICT PVOID NTAPI PhAllocatePage( _In_ SIZE_T Size, _Out_opt_ PSIZE_T NewSize ); PHLIBAPI VOID NTAPI PhFreePage( _In_opt_ _Frees_ptr_opt_ _Post_invalid_ PVOID Memory ); FORCEINLINE PVOID PhAllocatePageZero( _In_ SIZE_T Size ) { PVOID buffer; if (buffer = PhAllocatePage(Size, NULL)) { memset(buffer, 0, Size); return buffer; } return NULL; } _Must_inspect_result_ _Ret_maybenull_ _When_(return != NULL, _Post_writable_byte_size_(Size)) _Success_(return != NULL) PHLIBAPI DECLSPEC_ALLOCATOR DECLSPEC_NOALIAS DECLSPEC_RESTRICT PVOID NTAPI PhAllocatePageAligned( _In_ SIZE_T Size, _In_ SIZE_T Alignment ); PHLIBAPI VOID NTAPI PhFreePageAligned( _In_opt_ _Frees_ptr_opt_ _Post_invalid_ PVOID Memory ); PHLIBAPI NTSTATUS NTAPI PhAllocateVirtualMemory( _In_ HANDLE ProcessHandle, _Outptr_result_bytebuffer_(AllocationSize) PVOID* BaseAddress, _In_ SIZE_T AllocationSize, _In_ ULONG AllocationType, _In_ ULONG Protection ); PHLIBAPI NTSTATUS NTAPI PhFreeVirtualMemory( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG FreeType ); PHLIBAPI NTSTATUS NTAPI PhProtectVirtualMemory( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _In_ ULONG NewProtection, _Out_opt_ PULONG OldProtection ); PHLIBAPI NTSTATUS NTAPI PhReadVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead ); PHLIBAPI NTSTATUS NTAPI PhWriteVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, _In_ SIZE_T NumberOfBytesToWrite, _Out_opt_ PSIZE_T NumberOfBytesWritten ); FORCEINLINE PVOID PhAllocateCopy( _In_ PVOID Data, _In_ SIZE_T Size ) { PVOID copy; copy = PhAllocate(Size); memcpy(copy, Data, Size); return copy; } FORCEINLINE PVOID PhAllocateZero( _In_ SIZE_T Size ) { PVOID buffer; buffer = PhAllocate(Size); memset(buffer, 0, Size); return buffer; } FORCEINLINE PVOID PhAllocateZeroSafe( _In_ SIZE_T Size ) { PVOID buffer; if (buffer = PhAllocateSafe(Size)) { memset(buffer, 0, Size); return buffer; } return NULL; } FORCEINLINE PVOID PhReAllocateZeroSafe( _In_opt_ PVOID Memory, _In_ SIZE_T Size ) { PVOID buffer; if (buffer = PhReAllocateSafe(Memory, Size)) { memset(buffer, 0, Size); return buffer; } return NULL; } #define PhAllocateStack(Size) _malloca(Size) #define PhFreeStack(Memory) _freea(Memory) // // Singly linked list // // rev from RtlInitializeSListHead (dmex) /** * The PhInitializeSListHead function initializes a sequenced singly linked listhead. * * \param ListHead A pointer to a sequenced singly linked listhead. */ FORCEINLINE VOID NTAPI PhInitializeSListHead( _Out_ PSLIST_HEADER ListHead ) { #if defined(PHNT_NATIVE_SLIST) RtlInitializeSListHead(ListHead); #else if (IS_ALIGNED(ListHead, MEMORY_ALLOCATION_ALIGNMENT)) memset(ListHead, 0, sizeof(SLIST_HEADER)); else PhRaiseStatus(STATUS_DATATYPE_MISALIGNMENT); #endif } // rev from RtlQueryDepthSList (dmex) /** * The PhQueryDepthSList function queries the current number of entries contained in a sequenced single linked list. * * \param ListHead A pointer to a sequenced singly linked listhead. * \return The current number of entries in the sequenced singly linked list is returned as the function value. */ FORCEINLINE USHORT NTAPI PhQueryDepthSList( _In_ PSLIST_HEADER ListHead ) { #if defined(PHNT_NATIVE_SLIST) return RtlQueryDepthSList(ListHead); #else #ifdef _M_X64 return (USHORT)ListHead->HeaderX64.Depth; #elif _M_ARM64 return (USHORT)ListHead->HeaderArm64.Depth; #else return ListHead->Depth; #endif #endif } // // Event // #define PH_EVENT_SET 0x1 #define PH_EVENT_SET_SHIFT 0 #define PH_EVENT_REFCOUNT_SHIFT 1 #define PH_EVENT_REFCOUNT_INC 0x2 #define PH_EVENT_REFCOUNT_MASK (((ULONG_PTR)1 << 15) - 1) /** * A fast event object. * * \remarks This event object does not use a kernel event object until necessary, and frees the * object automatically when it is no longer needed. */ typedef struct _PH_EVENT { union { ULONG_PTR Value; struct { USHORT Set : 1; USHORT RefCount : 15; UCHAR Reserved; UCHAR AvailableForUse; #ifdef _WIN64 ULONG Spare; #endif }; }; HANDLE EventHandle; } PH_EVENT, *PPH_EVENT; #define PH_EVENT_INIT { { PH_EVENT_REFCOUNT_INC }, NULL } PHLIBAPI VOID FASTCALL PhfInitializeEvent( _Out_ PPH_EVENT Event ); #define PhSetEvent PhfSetEvent PHLIBAPI VOID FASTCALL PhfSetEvent( _Inout_ PPH_EVENT Event ); PHLIBAPI BOOLEAN FASTCALL PhfWaitForEvent( _Inout_ PPH_EVENT Event, _In_opt_ PLARGE_INTEGER Timeout ); FORCEINLINE BOOLEAN PhWaitForEvent( _Inout_ PPH_EVENT Event, _In_opt_ PLARGE_INTEGER Timeout ) { if (Event->Set) return TRUE; return PhfWaitForEvent(Event, Timeout); } #define PhResetEvent PhfResetEvent PHLIBAPI VOID FASTCALL PhfResetEvent( _Inout_ PPH_EVENT Event ); FORCEINLINE VOID PhInitializeEvent( _Out_ PPH_EVENT Event ) { WriteULongPtrRelease(&Event->Value, PH_EVENT_REFCOUNT_INC); WritePointerRelease(&Event->EventHandle, UlongToPtr(0)); } /** * Determines whether an event object is set. * * \param Event A pointer to an event object. * * \return TRUE if the event object is set, otherwise FALSE. */ FORCEINLINE BOOLEAN PhTestEvent( _In_ PPH_EVENT Event ) { return (BOOLEAN)Event->Set; } // // Barrier // #define PH_BARRIER_COUNT_SHIFT 0 #define PH_BARRIER_COUNT_MASK (((LONG_PTR)1 << (sizeof(ULONG_PTR) * 8 / 2 - 1)) - 1) #define PH_BARRIER_COUNT_INC ((LONG_PTR)1 << PH_BARRIER_COUNT_SHIFT) #define PH_BARRIER_TARGET_SHIFT (sizeof(ULONG_PTR) * 8 / 2) #define PH_BARRIER_TARGET_MASK (((LONG_PTR)1 << (sizeof(ULONG_PTR) * 8 / 2 - 1)) - 1) #define PH_BARRIER_TARGET_INC ((LONG_PTR)1 << PH_BARRIER_TARGET_SHIFT) #define PH_BARRIER_WAKING ((LONG_PTR)1 << (sizeof(ULONG_PTR) * 8 - 1)) #define PH_BARRIER_MASTER 1 #define PH_BARRIER_SLAVE 2 #define PH_BARRIER_OBSERVER 3 typedef struct _PH_BARRIER { ULONG_PTR Value; PH_WAKE_EVENT WakeEvent; } PH_BARRIER, *PPH_BARRIER; #define PH_BARRIER_INIT(Target) { (ULONG_PTR)(Target) << PH_BARRIER_TARGET_SHIFT, PH_WAKE_EVENT_INIT } PHLIBAPI VOID FASTCALL PhfInitializeBarrier( _Out_ PPH_BARRIER Barrier, _In_ ULONG_PTR Target ); #define PhWaitForBarrier PhfWaitForBarrier PHLIBAPI BOOLEAN FASTCALL PhfWaitForBarrier( _Inout_ PPH_BARRIER Barrier, _In_ BOOLEAN Spin ); FORCEINLINE VOID PhInitializeBarrier( _Out_ PPH_BARRIER Barrier, _In_ ULONG_PTR Target ) { Barrier->Value = Target << PH_BARRIER_TARGET_SHIFT; PhInitializeQueuedLock(&Barrier->WakeEvent); } // // Rundown protection // #define PH_RUNDOWN_ACTIVE 0x1 #define PH_RUNDOWN_REF_SHIFT 1 #define PH_RUNDOWN_REF_INC 0x2 typedef struct _PH_RUNDOWN_PROTECT { ULONG_PTR Value; } PH_RUNDOWN_PROTECT, *PPH_RUNDOWN_PROTECT; #define PH_RUNDOWN_PROTECT_INIT { 0 } typedef struct _PH_RUNDOWN_WAIT_BLOCK { ULONG_PTR Count; PH_EVENT WakeEvent; } PH_RUNDOWN_WAIT_BLOCK, *PPH_RUNDOWN_WAIT_BLOCK; PHLIBAPI VOID FASTCALL PhfInitializeRundownProtection( _Out_ PPH_RUNDOWN_PROTECT Protection ); PHLIBAPI BOOLEAN FASTCALL PhfAcquireRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ); PHLIBAPI VOID FASTCALL PhfReleaseRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ); PHLIBAPI VOID FASTCALL PhfWaitForRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ); FORCEINLINE VOID PhInitializeRundownProtection( _Out_ PPH_RUNDOWN_PROTECT Protection ) { Protection->Value = 0; } FORCEINLINE BOOLEAN PhAcquireRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ) { ULONG_PTR value; value = ReadULongPtrAcquire(&Protection->Value) & ~PH_RUNDOWN_ACTIVE; // fail fast path when rundown is active if ((ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Protection->Value, (PVOID)(value + PH_RUNDOWN_REF_INC), (PVOID)value ) == value) { return TRUE; } else { return PhfAcquireRundownProtection(Protection); } } FORCEINLINE VOID PhReleaseRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ) { ULONG_PTR value; value = ReadULongPtrAcquire(&Protection->Value) & ~PH_RUNDOWN_ACTIVE; // Fail fast path when rundown is active if ((ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Protection->Value, (PVOID)(value - PH_RUNDOWN_REF_INC), (PVOID)value ) != value) { PhfReleaseRundownProtection(Protection); } } FORCEINLINE VOID PhWaitForRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ) { ULONG_PTR value; value = (ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Protection->Value, (PVOID)PH_RUNDOWN_ACTIVE, (PVOID)0 ); if (value != 0 && value != PH_RUNDOWN_ACTIVE) PhfWaitForRundownProtection(Protection); } // // One-time initialization // #define PH_INITONCE_SHIFT 31 #define PH_INITONCE_INITIALIZING (0x1 << PH_INITONCE_SHIFT) #define PH_INITONCE_INITIALIZING_SHIFT PH_INITONCE_SHIFT typedef struct _PH_INITONCE { PH_EVENT Event; } PH_INITONCE, *PPH_INITONCE; C_ASSERT(PH_INITONCE_SHIFT >= FIELD_OFFSET(PH_EVENT, AvailableForUse) * 8); #define PH_INITONCE_INIT { PH_EVENT_INIT } #define PhInitializeInitOnce PhfInitializeInitOnce PHLIBAPI VOID FASTCALL PhfInitializeInitOnce( _Out_ PPH_INITONCE InitOnce ); PHLIBAPI BOOLEAN FASTCALL PhfBeginInitOnce( _Inout_ PPH_INITONCE InitOnce ); #define PhEndInitOnce PhfEndInitOnce PHLIBAPI VOID FASTCALL PhfEndInitOnce( _Inout_ PPH_INITONCE InitOnce ); FORCEINLINE BOOLEAN PhBeginInitOnce( _Inout_ PPH_INITONCE InitOnce ) { if (InitOnce->Event.Set) return FALSE; else return PhfBeginInitOnce(InitOnce); } FORCEINLINE BOOLEAN PhTestInitOnce( _In_ PPH_INITONCE InitOnce ) { return (BOOLEAN)InitOnce->Event.Set; } // // String // PHLIBAPI SIZE_T NTAPI PhCountStringZ( _In_ PCWSTR String ); FORCEINLINE SIZE_T PhCountBytesZ( _In_ PCSTR String ) { return (SIZE_T)strlen(String); } _Ret_notnull_ _Post_z_ PHLIBAPI PSTR NTAPI PhDuplicateBytesZ( _In_ PCSTR String ); _Ret_maybenull_ _Post_z_ PHLIBAPI PSTR NTAPI PhDuplicateBytesZSafe( _In_ PCSTR String ); _Ret_notnull_ _Post_z_ PHLIBAPI PWSTR NTAPI PhDuplicateStringZ( _In_ PCWSTR String ); PHLIBAPI NTSTATUS NTAPI PhCopyBytesZ( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ); PHLIBAPI NTSTATUS NTAPI PhCopyStringZ( _In_ PCWSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ); PHLIBAPI NTSTATUS NTAPI PhCopyStringZFromBytes( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ); PHLIBAPI NTSTATUS NTAPI PhCopyStringZFromMultiByte( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ); PHLIBAPI NTSTATUS NTAPI PhCopyStringZFromUtf8( _In_ PCSTR InputBuffer, _In_ SIZE_T InputCount, _Out_writes_opt_z_(OutputCount) PWSTR OutputBuffer, _In_ SIZE_T OutputCount, _Out_opt_ PSIZE_T ReturnCount ); FORCEINLINE BOOLEAN PhAreCharactersDifferent( _In_ WCHAR Char1, _In_ WCHAR Char2 ) { WCHAR d; d = Char1 ^ Char2; // We ignore bits beyond bit 5 because bit 6 is the case bit, and also we // don't support localization here. if (d & 0x1f) return TRUE; return FALSE; } FORCEINLINE BOOLEAN PhIsDigitCharacter( _In_ WCHAR Char ) { return (USHORT)(Char - '0') < 10; } FORCEINLINE WCHAR NTAPI_INLINE PhUpcaseUnicodeChar( _In_ WCHAR SourceCharacter ) { WCHAR c; //c = towupper(c); //c = __ascii_towupper(c); c = RtlUpcaseUnicodeChar(SourceCharacter); return c; } FORCEINLINE WCHAR NTAPI_INLINE PhDowncaseUnicodeChar( _In_ WCHAR SourceCharacter ) { WCHAR c; c = RtlDowncaseUnicodeChar(SourceCharacter); return c; } /** * Tests if a character is whitespace. * * \param c The character to test. * \return TRUE if the character is whitespace (space, tab, CR, LF, etc.); otherwise, FALSE. */ FORCEINLINE BOOLEAN PhIsWhiteSpaceUnicodeChar( _In_ WCHAR SourceCharacter ) { return ( SourceCharacter == L' ' || SourceCharacter == L'\t' || SourceCharacter == L'\r' || SourceCharacter == L'\n' || SourceCharacter == L'\v' || SourceCharacter == L'\f' ); } /** * Tests if a character is a unicode control or formatting character. * * Detects bidirectional overrides (RTLO, etc.), zero-width characters, and * control characters (including tab, CR, LF). * * \param c The character to test. * \return TRUE if the character is a control/formatting character; otherwise, FALSE. */ FORCEINLINE BOOLEAN PhIsControlOrFormattingUnicodeChar( _In_ WCHAR c ) { // C0 and C1 control characters if (c < 0x20 || (c >= 0x7F && c <= 0x9F)) // TAB, CR, LF return TRUE; // Bidirectional format characters if (c >= 0x202A && c <= 0x202E) return TRUE; // Direction mark characters if (c == 0x200E || c == 0x200F) return TRUE; // Zero-width and invisible characters if (c >= 0x200B && c <= 0x200D) // ZWSP, ZWNJ, ZWJ return TRUE; // Zero-width no-break space (BOM) if (c == 0xFEFF) return TRUE; return FALSE; } FORCEINLINE LONG PhCompareBytesZ( _In_ PCSTR String1, _In_ PCSTR String2, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) return _stricmp(String1, String2); else return strcmp(String1, String2); } FORCEINLINE BOOLEAN PhEqualBytesZ( _In_ PCSTR String1, _In_ PCSTR String2, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) return _stricmp(String1, String2) == 0; else return strcmp(String1, String2) == 0; } FORCEINLINE BOOLEAN PhEqualStringZ( _In_ PCWSTR String1, _In_ PCWSTR String2, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) { // wcsicmp is very expensive, so we do a quick check for negatives first. if (PhAreCharactersDifferent(String1[0], String2[0])) return FALSE; return _wcsicmp(String1, String2) == 0; } else { return wcscmp(String1, String2) == 0; } } typedef struct _PH_STRINGREF { /** The length, in bytes, of the string. */ SIZE_T Length; /** The buffer containing the contents of the string. */ PWCH Buffer; } PH_STRINGREF, *PPH_STRINGREF; typedef const PH_STRINGREF* PCPH_STRINGREF; typedef struct _PH_BYTESREF { /** The length, in bytes, of the string. */ SIZE_T Length; /** The buffer containing the contents of the string. */ PCH Buffer; } PH_BYTESREF, *PPH_BYTESREF; typedef const PH_BYTESREF* PCPH_BYTESREF; typedef struct _PH_RELATIVE_BYTESREF { /** The length, in bytes, of the string. */ ULONG Length; /** A user-defined offset. */ ULONG Offset; } PH_RELATIVE_BYTESREF, *PPH_RELATIVE_BYTESREF, PH_RELATIVE_STRINGREF, *PPH_RELATIVE_STRINGREF; #define PH_STRINGREF_INIT(String) { sizeof(String) - sizeof(UNICODE_NULL), RTL_CONST_CAST(PWCH)(String) } #define PH_BYTESREF_INIT(String) { sizeof(String) - sizeof(ANSI_NULL), RTL_CONST_CAST(PCH)(String) } FORCEINLINE VOID PhInitializeStringRef( _Out_ PPH_STRINGREF String, _In_ PCWSTR Buffer ) { String->Length = wcslen(Buffer) * sizeof(WCHAR); String->Buffer = (PWCH)Buffer; } FORCEINLINE VOID PhInitializeStringRefLongHint( _Out_ PPH_STRINGREF String, _In_ PCWSTR Buffer ) { String->Length = PhCountStringZ(Buffer) * sizeof(WCHAR); String->Buffer = (PWCH)Buffer; } FORCEINLINE VOID PhInitializeBytesRef( _Out_ PPH_BYTESREF Bytes, _In_ PCSTR Buffer ) { Bytes->Length = strlen(Buffer) * sizeof(CHAR); Bytes->Buffer = (PCH)Buffer; } FORCEINLINE VOID PhInitializeEmptyStringRef( _Out_ PPH_STRINGREF String ) { String->Length = 0; String->Buffer = NULL; } FORCEINLINE VOID PhInitializeEmptyBytesRef( _Out_ PPH_BYTESREF String ) { String->Length = 0; String->Buffer = NULL; } FORCEINLINE VOID NTAPI PhInitializeBufferStringRef( _Out_ PPH_STRINGREF String, _Writable_bytes_(Length) _When_(Length != 0, _Notnull_) PWCH Buffer, _In_ SIZE_T Length ) { memset(String, 0, sizeof(PH_STRINGREF)); String->Length = Length; String->Buffer = Buffer; } FORCEINLINE VOID NTAPI PhInitializeBufferBytesRef( _Out_ PPH_BYTESREF String, _Writable_bytes_(Length) _When_(Length != 0, _Notnull_) PCH Buffer, _In_ SIZE_T Length ) { memset(String, 0, sizeof(PH_BYTESREF)); String->Length = Length; String->Buffer = Buffer; } FORCEINLINE BOOLEAN PhStringRefToUnicodeString( _In_ PCPH_STRINGREF String, _Out_ PUNICODE_STRING UnicodeString ) { memset(UnicodeString, 0, sizeof(UNICODE_STRING)); UnicodeString->Length = (USHORT)String->Length; UnicodeString->MaximumLength = (USHORT)String->Length + sizeof(UNICODE_NULL); UnicodeString->Buffer = String->Buffer; return String->Length <= UNICODE_STRING_MAX_BYTES; } FORCEINLINE VOID PhUnicodeStringToStringRef( _In_ PCUNICODE_STRING UnicodeString, _Out_ PPH_STRINGREF String ) { memset(String, 0, sizeof(PH_STRINGREF)); String->Length = UnicodeString->Length; String->Buffer = UnicodeString->Buffer; } FORCEINLINE LONG PhCompareStringZ( _In_ PCWSTR String1, _In_ PCWSTR String2, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) return _wcsicmp(String1, String2); else return wcscmp(String1, String2); } PHLIBAPI LONG NTAPI PhCompareStringZNatural( _In_ PCWSTR A, _In_ PCWSTR B, _In_ BOOLEAN IgnoreCase ); PHLIBAPI LONG NTAPI PhCompareStringRef( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ BOOLEAN IgnoreCase ); PHLIBAPI BOOLEAN NTAPI PhEqualStringRef( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ BOOLEAN IgnoreCase ); PHLIBAPI ULONG_PTR NTAPI PhFindCharInStringRef( _In_ PCPH_STRINGREF String, _In_ WCHAR Character, _In_ BOOLEAN IgnoreCase ); PHLIBAPI ULONG_PTR NTAPI PhFindLastCharInStringRef( _In_ PCPH_STRINGREF String, _In_ WCHAR Character, _In_ BOOLEAN IgnoreCase ); PHLIBAPI ULONG_PTR NTAPI PhFindStringInStringRef( _In_ PCPH_STRINGREF String, _In_ PCPH_STRINGREF SubString, _In_ BOOLEAN IgnoreCase ); FORCEINLINE ULONG_PTR PhFindStringInStringRefZ( _In_ PCPH_STRINGREF String, _In_ PCWSTR SubString, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF sr2; PhInitializeStringRef(&sr2, SubString); return PhFindStringInStringRef(String, &sr2, IgnoreCase); } PHLIBAPI BOOLEAN NTAPI PhSplitStringRefAtChar( _In_ PCPH_STRINGREF Input, _In_ WCHAR Separator, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart ); PHLIBAPI BOOLEAN NTAPI PhSplitStringRefAtLastChar( _In_ PCPH_STRINGREF Input, _In_ WCHAR Separator, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart ); PHLIBAPI BOOLEAN NTAPI PhSplitStringRefAtString( _In_ PCPH_STRINGREF Input, _In_ PCPH_STRINGREF Separator, _In_ BOOLEAN IgnoreCase, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart ); #define PH_SPLIT_AT_CHAR_SET 0x0 // default #define PH_SPLIT_AT_STRING 0x1 #define PH_SPLIT_AT_RANGE 0x2 #define PH_SPLIT_CASE_INSENSITIVE 0x1000 #define PH_SPLIT_COMPLEMENT_CHAR_SET 0x2000 #define PH_SPLIT_START_AT_END 0x4000 #define PH_SPLIT_CHAR_SET_IS_UPPERCASE 0x8000 PHLIBAPI BOOLEAN NTAPI PhSplitStringRefEx( _In_ PCPH_STRINGREF Input, _In_ PCPH_STRINGREF Separator, _In_ ULONG Flags, _Out_ PPH_STRINGREF FirstPart, _Out_ PPH_STRINGREF SecondPart, _Out_opt_ PPH_STRINGREF SeparatorPart ); PHLIBAPI VOID NTAPI PhSplitStringRef( _In_ PCPH_STRINGREF Input, _In_ WCHAR Separator, _Out_ PVOID **Strings, _Out_ PULONG NumberOfStrings ); PHLIBAPI VOID NTAPI PhFreeStringArray( _In_ PVOID *Strings, _In_ ULONG NumberOfStrings ); #define PH_TRIM_START_ONLY 0x1 #define PH_TRIM_END_ONLY 0x2 PHLIBAPI VOID NTAPI PhTrimStringRef( _Inout_ PPH_STRINGREF String, _In_ PCPH_STRINGREF CharSet, _In_ ULONG Flags ); FORCEINLINE LONG PhCompareStringRef2( _In_ PCPH_STRINGREF String1, _In_ PCWSTR String2, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF sr2; PhInitializeStringRef(&sr2, String2); return PhCompareStringRef(String1, &sr2, IgnoreCase); } FORCEINLINE BOOLEAN PhEqualStringRef2( _In_ PCPH_STRINGREF String1, _In_ PCWSTR String2, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF sr2; PhInitializeStringRef(&sr2, String2); return PhEqualStringRef(String1, &sr2, IgnoreCase); } FORCEINLINE BOOLEAN PhStartsWithStringRef( _In_ PCPH_STRINGREF String, _In_ PCPH_STRINGREF Prefix, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF sr; sr.Buffer = String->Buffer; sr.Length = Prefix->Length; if (String->Length < sr.Length) return FALSE; return PhEqualStringRef(&sr, Prefix, IgnoreCase); } FORCEINLINE BOOLEAN PhStartsWithStringRef2( _In_ PCPH_STRINGREF String, _In_ PCWSTR Prefix, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF prefix; PhInitializeStringRef(&prefix, Prefix); return PhStartsWithStringRef(String, &prefix, IgnoreCase); } FORCEINLINE BOOLEAN PhEndsWithStringRef( _In_ PCPH_STRINGREF String, _In_ PCPH_STRINGREF Suffix, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF sr; if (Suffix->Length > String->Length) return FALSE; sr.Buffer = (PWCH)PTR_ADD_OFFSET(String->Buffer, String->Length - Suffix->Length); sr.Length = Suffix->Length; return PhEqualStringRef(&sr, Suffix, IgnoreCase); } FORCEINLINE BOOLEAN PhEndsWithStringRef2( _In_ PCPH_STRINGREF String, _In_ PCWSTR Suffix, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF suffix; PhInitializeStringRef(&suffix, Suffix); return PhEndsWithStringRef(String, &suffix, IgnoreCase); } FORCEINLINE VOID PhSkipStringRef( _Inout_ PPH_STRINGREF String, _In_ SIZE_T Length ) { String->Buffer = (PWCH)PTR_ADD_OFFSET(String->Buffer, Length); String->Length -= Length; } FORCEINLINE VOID PhReverseStringRef( _In_ PCPH_STRINGREF String ) { SIZE_T i; SIZE_T j; WCHAR t; for (i = 0, j = String->Length / sizeof(WCHAR) - 1; i <= j; i++, j--) { t = String->Buffer[i]; String->Buffer[i] = String->Buffer[j]; String->Buffer[j] = t; } } extern PPH_OBJECT_TYPE PhStringType; /** * A 16-bit string object, which supports UTF-16. * * \remarks The \a Length never includes the null terminator. Every string must have a null * terminator at the end, for compatibility reasons. The invariant is: * \code Buffer[Length / sizeof(WCHAR)] = 0 \endcode */ typedef struct _PH_STRING { // Header union { PH_STRINGREF sr; struct { /** The length, in bytes, of the string. */ SIZE_T Length; /** The buffer containing the contents of the string. */ PWCH Buffer; }; }; // Data union { WCHAR Data[1]; struct { /** Reserved. */ ULONG AllocationFlags; /** Reserved. */ PVOID Allocation; }; }; } PH_STRING, *PPH_STRING; extern PPH_STRING PhSharedEmptyString; _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhCreateStringEx( _In_reads_bytes_opt_(Length) PCWCHAR Buffer, _In_ SIZE_T Length ); /** * Creates a string object from an existing null-terminated string. * * \param Buffer A null-terminated Unicode string. */ FORCEINLINE PPH_STRING NTAPI PhCreateString( _In_ PCWSTR Buffer ) { return PhCreateStringEx(Buffer, PhCountStringZ(Buffer) * sizeof(WCHAR)); } PHLIBAPI PPH_STRING NTAPI PhReferenceEmptyString( VOID ); FORCEINLINE PPH_STRING NTAPI_INLINE PhCreateString2( _In_ PCPH_STRINGREF String ) { if (String->Length == 0) return PhReferenceEmptyString(); return PhCreateStringEx(String->Buffer, String->Length); } /** * Creates a string object from a null-terminated string. * * \param String A null-terminated Unicode string. */ FORCEINLINE PPH_STRING NTAPI_INLINE PhCreateStringZ( _In_z_ PCWSTR String ) { PH_STRINGREF string; string.Length = wcslen(String) * sizeof(WCHAR); string.Buffer = (PWSTR)String; //PhInitializeStringRef(&string, (PWSTR)String); return PhCreateString2(&string); } /** * Creates a string object from a null-terminated string up to a maximum length. * * \param String A null-terminated Unicode string. * \param MaximumLength The maximum length, in bytes, of the string. */ FORCEINLINE PPH_STRING NTAPI_INLINE PhCreateStringZ2( _In_reads_or_z_(MaximumLength / sizeof(WCHAR)) PCWSTR String, _In_ SIZE_T MaximumLength ) { PH_STRINGREF string; string.Length = wcsnlen(String, MaximumLength / sizeof(WCHAR)) * sizeof(WCHAR); string.Buffer = (PWSTR)String; return PhCreateString2(&string); } #define PH_STRING_TRIM_START_ONLY PH_TRIM_START_ONLY #define PH_STRING_TRIM_END_ONLY PH_TRIM_END_ONLY #define PH_STRING_TRIM_MASK (PH_STRING_TRIM_START_ONLY | PH_STRING_TRIM_END_ONLY) #define PH_STRING_UPPER_CASE 0x4 #define PH_STRING_LOWER_CASE 0x8 #define PH_STRING_CASE_MASK (PH_STRING_UPPER_CASE | PH_STRING_LOWER_CASE) _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhCreateString3( _In_ PCPH_STRINGREF String, _In_ ULONG Flags, _In_opt_ PCPH_STRINGREF TrimCharSet ); FORCEINLINE PPH_STRING NTAPI_INLINE PhTrimStringZ( _In_ PCPH_STRINGREF String, _In_ ULONG Flags, _In_ PCWSTR TrimCharSet ) { PH_STRINGREF string; PhInitializeStringRef(&string, TrimCharSet); return PhCreateString3(String, Flags, &string); } FORCEINLINE VOID NTAPI_INLINE PhUpperStringRefInto( _Inout_ PPH_STRINGREF Destination, _In_ PCPH_STRINGREF Source ) { assert(Destination->Length >= Source->Length); SIZE_T numberOfChars = Source->Length / sizeof(WCHAR); for (SIZE_T i = 0; i < numberOfChars; i++) Destination->Buffer[i] = PhUpcaseUnicodeChar(Source->Buffer[i]); Destination->Length = Source->Length; } FORCEINLINE VOID NTAPI_INLINE PhUpperStringRef( _Inout_ PPH_STRINGREF String ) { PhUpperStringRefInto(String, String); } FORCEINLINE VOID NTAPI_INLINE PhLowerStringRefInto( _Inout_ PPH_STRINGREF Destination, _In_ PCPH_STRINGREF Source ) { assert(Destination->Length >= Source->Length); SIZE_T numberOfChars = Source->Length / sizeof(WCHAR); for (SIZE_T i = 0; i < numberOfChars; i++) Destination->Buffer[i] = PhDowncaseUnicodeChar(Source->Buffer[i]); Destination->Length = Source->Length; } FORCEINLINE VOID NTAPI_INLINE PhLowerStringRef( _Inout_ PPH_STRINGREF String ) { PhLowerStringRefInto(String, String); } FORCEINLINE VOID NTAPI_INLINE PhLowerStringZ( _Inout_ PCWSTR String ) { PH_STRINGREF string; PhInitializeStringRef(&string, String); PhLowerStringRefInto(&string, &string); } FORCEINLINE VOID NTAPI_INLINE PhLowerStringMaxZ( _In_reads_or_z_(MaximumLength / sizeof(WCHAR)) PCWSTR String, _In_ SIZE_T MaximumLength ) { PH_STRINGREF string; string.Length = wcsnlen(String, MaximumLength / sizeof(WCHAR)) * sizeof(WCHAR); string.Buffer = (PWSTR)String; PhLowerStringRefInto(&string, &string); } FORCEINLINE PPH_STRING NTAPI_INLINE PhCreateStringFromUnicodeString( _In_ PCUNICODE_STRING UnicodeString ) { if (UnicodeString->Length == 0) return PhReferenceEmptyString(); return PhCreateStringEx(UnicodeString->Buffer, UnicodeString->Length); } _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhConcatStrings( _In_ ULONG Count, ... ); #define PH_CONCAT_STRINGS_LENGTH_CACHE_SIZE 16 _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhConcatStrings_V( _In_ ULONG Count, _In_ va_list ArgPtr ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhConcatStrings2( _In_ PCWSTR String1, _In_ PCWSTR String2 ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhConcatStringRef2( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2 ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhConcatStringRef3( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ PCPH_STRINGREF String3 ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhConcatStringRef4( _In_ PCPH_STRINGREF String1, _In_ PCPH_STRINGREF String2, _In_ PCPH_STRINGREF String3, _In_ PCPH_STRINGREF String4 ); FORCEINLINE PPH_STRING PhConcatStringRefZ( _In_ PCPH_STRINGREF String1, _In_ PCWSTR String2 ) { PH_STRINGREF string; PhInitializeStringRef(&string, String2); return PhConcatStringRef2(String1, &string); } _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhFormatString( _In_ _Printf_format_string_ PCWSTR Format, ... ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhFormatString_V( _In_ _Printf_format_string_ PCWSTR Format, _In_ va_list ArgPtr ); /** * Retrieves a pointer to a string object's buffer or returns NULL. * * \param String A pointer to a string object. * * \return A pointer to the string object's buffer if the supplied pointer is non-NULL, otherwise * NULL. */ FORCEINLINE PWSTR PhGetString( _In_opt_ PPH_STRING String ) { if (String) return String->Buffer; else return NULL; } /** * Retrieves a string reference from a given string object. * * This function returns a `PH_STRINGREF` structure that references the string * contained in the provided `PPH_STRING` object. If the input string object is * `NULL`, it initializes and returns an empty `PH_STRINGREF`. * * \param String A pointer to a `PPH_STRING` object. This parameter is optional and can be `NULL`. * \return A `PH_STRINGREF` structure that references the string in the provided `PPH_STRING` object, * or an empty `PH_STRINGREF` if the input is `NULL`. */ FORCEINLINE PH_STRINGREF PhGetStringRef( _In_opt_ PPH_STRING String ) { PH_STRINGREF sr; if (String) sr = String->sr; else PhInitializeEmptyStringRef(&sr); return sr; } /** * Retrieves the buffer from a PPH_STRINGREF structure or returns an empty string if the input is NULL. * * This function checks if the provided PPH_STRINGREF structure is not NULL. If it is not NULL, it returns the buffer * contained within the structure. If the structure is NULL, it returns an empty string. * * \param String A pointer to a PPH_STRINGREF structure. This parameter is optional and can be NULL. * \return A pointer to the buffer contained within the PPH_STRINGREF structure if it is not NULL, otherwise an empty string. */ FORCEINLINE PCWSTR PhGetStringRefZ( _In_opt_ PCPH_STRINGREF String ) { if (String) return String->Buffer; else return L""; } /** * Retrieves a pointer to a string object's buffer or returns an empty string. * * \param String A pointer to a string object. * \return A pointer to the string object's buffer if the supplied pointer is non-NULL, otherwise an empty string. */ FORCEINLINE PCWSTR PhGetStringOrEmpty( _In_opt_ PPH_STRING String ) { if (String) return String->Buffer; else return L""; } /** * Retrieves a pointer to a string object's buffer or returns the specified alternative string. * * \param String A pointer to a string object. * \param DefaultString The alternative string. * * \return A pointer to the string object's buffer if the supplied pointer is non-NULL, otherwise * the specified alternative string. */ FORCEINLINE PCWSTR PhGetStringOrDefault( _In_opt_ PPH_STRING String, _In_ PCWSTR DefaultString ) { if (String) return String->Buffer; else return DefaultString; } /** * Determines whether a string is null or empty. * * \param String A pointer to a string object. */ _Success_(return == FALSE) _At_(String, _When_(return == FALSE, _Notnull_)) FORCEINLINE BOOLEAN PhIsNullOrEmptyString( _In_opt_ PPH_STRING String ) { if (String == NULL) return TRUE; return String->Length == 0; } /** * Determines whether a STRINGREF is null or empty. * * \param String A pointer to a string object. */ _Success_(return == FALSE) _At_(String, _When_(return == FALSE, _Notnull_)) FORCEINLINE BOOLEAN PhIsNullOrEmptyStringRef( _In_opt_ PCPH_STRINGREF String ) { return !(String && String->Length); } /** * Tests if a string is null, empty, or starts with whitespace. * * \param String The string to test. * \return TRUE if the string is null, empty, or starts with whitespace; otherwise, FALSE. */ #undef PhIsNullOrWhitespaceString #define PhIsNullOrWhitespaceString(string) \ ((!(string)) || ((string)->Length == 0) || PhIsWhiteSpaceUnicodeChar((string)->Buffer[0])) // FORCEINLINE // BOOLEAN // PhIsNullOrWhitespaceString( // _In_opt_ PPH_STRING String // ) // { // SIZE_T length; // // if (!String || String->Length == 0) // return TRUE; // // length = String->Length / sizeof(WCHAR); // // // Check first and last character (leading/trailing whitespace) // if (PhIsWhiteSpaceUnicodeChar(String->Buffer[0]) || // PhIsWhiteSpaceUnicodeChar(String->Buffer[length - 1])) // { // return TRUE; // } // // return FALSE; // } // The MSVC static analyzer can misinterpret the _In_opt_ SAL for String on PhIsNullOrEmptyString and raise C6387. // Provide a macro override during analysis to avoid the false positive while preserving semantics. #if (defined(_PREFAST_) || defined(_MSC_ANALYSIS)) #undef PhIsNullOrEmptyString #define PhIsNullOrEmptyString(string) \ ((!(string)) || ((string)->Length == 0)) #undef PhIsNullOrEmptyStringRef #define PhIsNullOrEmptyStringRef(string) \ ((!(string)) || ((string)->Length == 0)) #endif /** * Duplicates a string. * * \param String A string to duplicate. */ FORCEINLINE PPH_STRING PhDuplicateString( _In_ PPH_STRING String ) { return PhCreateStringEx(String->Buffer, String->Length); } /** * Compares two strings. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase Whether to ignore character cases. */ FORCEINLINE LONG PhCompareString( _In_ PPH_STRING String1, _In_ PPH_STRING String2, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) return PhCompareStringRef(&String1->sr, &String2->sr, IgnoreCase); // faster than wcsicmp else return wcscmp(String1->Buffer, String2->Buffer); } /** * Compares two strings. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase Whether to ignore character cases. */ FORCEINLINE LONG PhCompareString2( _In_ PPH_STRING String1, _In_ PCWSTR String2, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) return PhCompareStringRef2(&String1->sr, String2, IgnoreCase); else return wcscmp(String1->Buffer, String2); } /** * Compares two strings, handling NULL strings. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase Whether to ignore character cases. */ FORCEINLINE LONG PhCompareStringWithNull( _In_opt_ PPH_STRING String1, _In_opt_ PPH_STRING String2, _In_ BOOLEAN IgnoreCase ) { if (String1 && String2) { return PhCompareString(String1, String2, IgnoreCase); } else if (!String1) { return !String2 ? 0 : 1; } else { return -1; } } /** * Compares two strings with support for null values and customizable sort order. * * This function compares two strings, taking into account the possibility of null values and allowing for customizable sort order. * If both `String1` and `String2` are not null, the function calls `PhCompareString` to perform the comparison. * If `String1` is null and `String2` is not null, the function returns 0 if `String2` is also null, or 1 or -1 based on the specified `Order` (AscendingSortOrder or DescendingSortOrder). * If `String1` is not null and `String2` is null, the function returns -1 or 1 based on the specified `Order`. * * \param String1 The first string to compare. * \param String2 The second string to compare. * \param Order The sort order to use for the comparison (AscendingSortOrder or DescendingSortOrder). * \param IgnoreCase Specifies whether the comparison should be case-insensitive (TRUE) or case-sensitive (FALSE). * \return Returns a negative value if `String1` is less than `String2`, a positive value if `String1` is greater than `String2`, or 0 if they are equal. */ FORCEINLINE LONG PhCompareStringWithNullSortOrder( _In_opt_ PPH_STRING String1, _In_opt_ PPH_STRING String2, _In_ PH_SORT_ORDER Order, _In_ BOOLEAN IgnoreCase ) { if (String1 && String2) { return PhCompareString(String1, String2, IgnoreCase); } else if (!String1) { return !String2 ? 0 : (Order == AscendingSortOrder ? 1 : -1); } else { return (Order == AscendingSortOrder ? -1 : 1); } } /** * Compares two strings with support for null values and customizable sort order. * * This function compares two strings, taking into account the possibility of null values and allowing for customizable sort order. * If both `String1` and `String2` are not null, the function calls `PhCompareString` to perform the comparison. * If `String1` is null and `String2` is not null, the function returns 0 if `String2` is also null, or 1 if `String2` is not null, depending on the specified sort order. * If `String1` is not null and `String2` is null, the function returns -1 or 1, depending on the specified sort order. * * \param String1 The first string to compare. Can be null. * \param String2 The second string to compare. Can be null. * \param Order The sort order to use for the comparison. Must be either `AscendingSortOrder` or `DescendingSortOrder`. * \param IgnoreCase Specifies whether the comparison should be case-insensitive (`true`) or case-sensitive (`false`). * \return The result of the comparison. Returns a negative value if `String1` is less than `String2`, 0 if they are equal, or a positive value if `String1` is greater than `String2`. */ FORCEINLINE LONG PhCompareStringRefWithNullSortOrder( _In_opt_ PCPH_STRINGREF String1, _In_opt_ PCPH_STRINGREF String2, _In_ PH_SORT_ORDER Order, _In_ BOOLEAN IgnoreCase ) { if (String1 && String2) { return PhCompareStringRef(String1, String2, IgnoreCase); } else if (!String1) { return !String2 ? 0 : (Order == AscendingSortOrder ? 1 : -1); } else { return (Order == AscendingSortOrder ? -1 : 1); } } /** * Determines whether two strings are equal. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase Whether to ignore character cases. */ FORCEINLINE BOOLEAN PhEqualString( _In_ PPH_STRING String1, _In_ PPH_STRING String2, _In_ BOOLEAN IgnoreCase ) { return PhEqualStringRef(&String1->sr, &String2->sr, IgnoreCase); } /** * Determines whether two strings are equal. * * \param String1 The first string. * \param String2 The second string. * \param IgnoreCase Whether to ignore character cases. */ FORCEINLINE BOOLEAN PhEqualString2( _In_ PPH_STRING String1, _In_ PCWSTR String2, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) return PhEqualStringRef2(&String1->sr, String2, IgnoreCase); else return wcscmp(String1->Buffer, String2) == 0; } /** * Determines whether a string starts with another. * * \param String The first string. * \param Prefix The second string. * \param IgnoreCase Whether to ignore character cases. * * \return TRUE if \a String starts with \a Prefix, otherwise FALSE. */ FORCEINLINE BOOLEAN PhStartsWithString( _In_ PPH_STRING String, _In_ PPH_STRING Prefix, _In_ BOOLEAN IgnoreCase ) { return PhStartsWithStringRef(&String->sr, &Prefix->sr, IgnoreCase); } /** * Determines whether a string starts with another. * * \param String The first string. * \param Prefix The second string. * \param IgnoreCase Whether to ignore character cases. * * \return TRUE if \a String starts with \a Prefix, otherwise FALSE. */ FORCEINLINE BOOLEAN PhStartsWithString2( _In_ PPH_STRING String, _In_ PCWSTR Prefix, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF prefix; PhInitializeStringRef(&prefix, Prefix); return PhStartsWithStringRef(&String->sr, &prefix, IgnoreCase); } /** * Determines whether a string ends with another. * * \param String The first string. * \param Suffix The second string. * \param IgnoreCase Whether to ignore character cases. * * \return TRUE if \a String ends with \a Suffix, otherwise FALSE. */ FORCEINLINE BOOLEAN PhEndsWithString( _In_ PPH_STRING String, _In_ PPH_STRING Suffix, _In_ BOOLEAN IgnoreCase ) { return PhEndsWithStringRef(&String->sr, &Suffix->sr, IgnoreCase); } /** * Determines whether a string ends with another. * * \param String The first string. * \param Suffix The second string. * \param IgnoreCase Whether to ignore character cases. * * \return TRUE if \a String ends with \a Suffix, otherwise FALSE. */ FORCEINLINE BOOLEAN PhEndsWithString2( _In_ PPH_STRING String, _In_ PCWSTR Suffix, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF suffix; PhInitializeStringRef(&suffix, Suffix); return PhEndsWithStringRef(&String->sr, &suffix, IgnoreCase); } /** * Locates a character in a string. * * \param String The string to search. * \param StartIndex The index, in characters, to start searching at. * \param Char The character to search for. * * \return The index, in characters, of the first occurrence of \a Char in \a String after * \a StartIndex. If \a Char was not found, -1 is returned. */ FORCEINLINE ULONG_PTR PhFindCharInString( _In_ PPH_STRING String, _In_ SIZE_T StartIndex, _In_ WCHAR Char ) { if (StartIndex != 0) { ULONG_PTR r; PH_STRINGREF sr; sr = String->sr; PhSkipStringRef(&sr, StartIndex * sizeof(WCHAR)); r = PhFindCharInStringRef(&sr, Char, FALSE); if (r != SIZE_MAX) return r + StartIndex; else return SIZE_MAX; } else { return PhFindCharInStringRef(&String->sr, Char, FALSE); } } /** * Locates a character in a string, backwards. * * \param String The string to search. * \param StartIndex The index, in characters, to start searching at. * \param Char The character to search for. * * \return The index, in characters, of the last occurrence of \a Char in \a String after * \a StartIndex. If \a Char was not found, -1 is returned. */ FORCEINLINE ULONG_PTR PhFindLastCharInString( _In_ PPH_STRING String, _In_ SIZE_T StartIndex, _In_ WCHAR Char ) { if (StartIndex != 0) { ULONG_PTR r; PH_STRINGREF sr; sr = String->sr; PhSkipStringRef(&sr, StartIndex * sizeof(WCHAR)); r = PhFindLastCharInStringRef(&sr, Char, FALSE); if (r != SIZE_MAX) return r + StartIndex; else return SIZE_MAX; } else { return PhFindLastCharInStringRef(&String->sr, Char, FALSE); } } /** * Locates a string in a string. * * \param String The string to search. * \param StartIndex The index, in characters, to start searching at. * \param SubString The string to search for. * * \return The index, in characters, of the first occurrence of \a SubString in \a String after * \a StartIndex. If \a SubString was not found, -1 is returned. */ FORCEINLINE ULONG_PTR PhFindStringInString( _In_ PPH_STRING String, _In_ SIZE_T StartIndex, _In_ PCWSTR SubString ) { PH_STRINGREF sr2; PhInitializeStringRef(&sr2, SubString); if (StartIndex != 0) { ULONG_PTR r; PH_STRINGREF sr1; sr1 = String->sr; PhSkipStringRef(&sr1, StartIndex * sizeof(WCHAR)); r = PhFindStringInStringRef(&sr1, &sr2, FALSE); if (r != SIZE_MAX) return r + StartIndex; else return SIZE_MAX; } else { return PhFindStringInStringRef(&String->sr, &sr2, FALSE); } } /** * Creates a substring of a string. * * \param String The original string. * \param StartIndex The start index, in characters. * \param Count The number of characters to use. */ FORCEINLINE PPH_STRING PhSubstring( _In_ PPH_STRING String, _In_ SIZE_T StartIndex, _In_ SIZE_T Count ) { return PhCreateStringEx(&String->Buffer[StartIndex], Count * sizeof(WCHAR)); } /** * Updates a string object's length with its true length as determined by an embedded null * terminator. * * \param String The string to modify. * * \remarks Use this function after modifying a string object's buffer manually. */ FORCEINLINE VOID PhTrimToNullTerminatorString( _Inout_ PPH_STRING String ) { String->Length = PhCountStringZ(String->Buffer) * sizeof(WCHAR); } // Byte string extern PPH_OBJECT_TYPE PhBytesType; /** * An 8-bit string object, which supports ASCII, UTF-8 and Windows multi-byte encodings, as well as * binary data. */ typedef struct _PH_BYTES { // Header union { PH_BYTESREF br; struct { /** The length, in bytes, of the string. */ SIZE_T Length; /** The buffer containing the contents of the string. */ PCH Buffer; }; }; // Data union { CHAR Data[1]; struct { /** Reserved. */ ULONG AllocationFlags; /** Reserved. */ PVOID Allocation; }; }; } PH_BYTES, *PPH_BYTES; PHLIBAPI PPH_BYTES NTAPI PhCreateBytes( _In_ PCSTR Buffer ); PHLIBAPI PPH_BYTES NTAPI PhCreateBytesEx( _In_opt_ PCCH Buffer, _In_ SIZE_T Length ); /** * Creates a bytes object from an existing null-terminated string of bytes. * * \param Buffer A null-terminated byte string. */ FORCEINLINE PPH_BYTES NTAPI PhCreateBytes( _In_ PCSTR Buffer ) { return PhCreateBytesEx(Buffer, strlen(Buffer) * sizeof(CHAR)); } FORCEINLINE PPH_BYTES NTAPI PhCreateBytes2( _In_ PPH_BYTESREF Bytes ) { return PhCreateBytesEx(Bytes->Buffer, Bytes->Length); } PPH_BYTES NTAPI PhFormatBytes_V( _In_ _Printf_format_string_ PCSTR Format, _In_ va_list ArgPtr ); PPH_BYTES NTAPI PhFormatBytes( _In_ _Printf_format_string_ PCSTR Format, ... ); // // Unicode // #define PH_UNICODE_BYTE_ORDER_MARK 0xfeff #define PH_UNICODE_MAX_CODE_POINT 0x10ffff #define PH_UNICODE_REPLACEMENT_CHARACTER 0xfffd #define PH_UNICODE_UTF16_TO_HIGH_SURROGATE(CodePoint) ((USHORT)((CodePoint) >> 10) + 0xd7c0) #define PH_UNICODE_UTF16_TO_LOW_SURROGATE(CodePoint) ((USHORT)((CodePoint) & 0x3ff) + 0xdc00) #define PH_UNICODE_UTF16_IS_HIGH_SURROGATE(CodeUnit) ((CodeUnit) >= 0xd800 && (CodeUnit) <= 0xdbff) #define PH_UNICODE_UTF16_IS_LOW_SURROGATE(CodeUnit) ((CodeUnit) >= 0xdc00 && (CodeUnit) <= 0xdfff) #define PH_UNICODE_UTF16_TO_CODE_POINT(HighSurrogate, LowSurrogate) (((ULONG)(HighSurrogate) << 10) + (ULONG)(LowSurrogate) - 0x35fdc00) #define PH_UNICODE_UTF8 0 #define PH_UNICODE_UTF16 1 #define PH_UNICODE_UTF32 2 typedef struct _PH_UNICODE_DECODER { UCHAR Encoding; // PH_UNICODE_* UCHAR State; UCHAR InputCount; UCHAR Reserved; union { UCHAR Utf8[4]; USHORT Utf16[2]; ULONG Utf32; } Input; union { struct { UCHAR Input[4]; UCHAR CodeUnit1; UCHAR CodeUnit2; UCHAR CodeUnit3; UCHAR CodeUnit4; } Utf8; struct { USHORT Input[2]; USHORT CodeUnit; } Utf16; struct { ULONG Input; } Utf32; } u; } PH_UNICODE_DECODER, *PPH_UNICODE_DECODER; FORCEINLINE VOID PhInitializeUnicodeDecoder( _Out_ PPH_UNICODE_DECODER Decoder, _In_ UCHAR Encoding ) { memset(Decoder, 0, sizeof(PH_UNICODE_DECODER)); Decoder->Encoding = Encoding; } PHLIBAPI BOOLEAN NTAPI PhWriteUnicodeDecoder( _Inout_ PPH_UNICODE_DECODER Decoder, _In_ ULONG CodeUnit ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhDecodeUnicodeDecoder( _Inout_ PPH_UNICODE_DECODER Decoder, _Out_ PULONG CodePoint ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhEncodeUnicode( _In_ UCHAR Encoding, _In_ ULONG CodePoint, _Out_opt_ PVOID CodeUnits, _Out_ PULONG NumberOfCodeUnits ); // // 8-bit to UTF-16 // PHLIBAPI VOID NTAPI PhZeroExtendToUtf16Buffer( _In_reads_bytes_(InputLength) PCCH Input, _In_ SIZE_T InputLength, _Out_writes_bytes_(InputLength * sizeof(WCHAR)) PWCH Output ); PHLIBAPI PPH_STRING NTAPI PhZeroExtendToUtf16Ex( _In_reads_bytes_(InputLength) PCCH Input, _In_ SIZE_T InputLength ); FORCEINLINE PPH_STRING NTAPI PhZeroExtendToUtf16( _In_ PCSTR Input ) { return PhZeroExtendToUtf16Ex(Input, strlen(Input)); } // // UTF-16 to ASCII // PHLIBAPI PPH_BYTES NTAPI PhConvertUtf16ToAsciiEx( _In_ PCWCH Buffer, _In_ SIZE_T Length, _In_opt_ CHAR Replacement ); FORCEINLINE PPH_BYTES PhConvertUtf16ToAscii( _In_ PCWSTR Buffer, _In_opt_ CHAR Replacement ) { return PhConvertUtf16ToAsciiEx(Buffer, PhCountStringZ(Buffer) * sizeof(WCHAR), Replacement); } // // Multi-byte to UTF-16 // In-place: RtlMultiByteToUnicodeN, RtlMultiByteToUnicodeSize // PHLIBAPI PPH_STRING NTAPI PhConvertMultiByteToUtf16( _In_ PCSTR Buffer ); PHLIBAPI PPH_STRING NTAPI PhConvertMultiByteToUtf16Ex( _In_ PCSTR Buffer, _In_ SIZE_T Length ); // // UTF-16 to multi-byte // In-place: RtlUnicodeToMultiByteN, RtlUnicodeToMultiByteSize // PHLIBAPI PPH_BYTES NTAPI PhConvertUtf16ToMultiByte( _In_ PCWSTR Buffer ); PHLIBAPI PPH_BYTES NTAPI PhConvertUtf16ToMultiByteEx( _In_ PCWCH Buffer, _In_ SIZE_T Length ); // // UTF-8 to UTF-16 // In-place: RtlUTF8ToUnicodeN // PHLIBAPI NTSTATUS NTAPI PhConvertUtf8ToUtf16Size( _Out_ PSIZE_T BytesInUtf16String, _In_reads_bytes_(BytesInUtf8String) PCCH Utf8String, _In_ SIZE_T BytesInUtf8String ); PHLIBAPI NTSTATUS NTAPI PhConvertUtf8ToUtf16Buffer( _Out_writes_bytes_to_(MaxBytesInUtf16String, *BytesInUtf16String) PWCH Utf16String, _In_ SIZE_T MaxBytesInUtf16String, _Out_opt_ PSIZE_T BytesInUtf16String, _In_reads_bytes_(BytesInUtf8String) PCCH Utf8String, _In_ SIZE_T BytesInUtf8String ); _Ret_maybenull_ PHLIBAPI PPH_STRING NTAPI PhConvertUtf8ToUtf16( _In_ PCSTR Buffer ); _Ret_maybenull_ PHLIBAPI PPH_STRING NTAPI PhConvertUtf8ToUtf16Ex( _In_reads_bytes_(Length) PCCH Buffer, _In_ SIZE_T Length ); // // UTF-16 to UTF-8 // In-place: RtlUnicodeToUTF8N // PHLIBAPI NTSTATUS NTAPI PhConvertUtf16ToUtf8Size( _Out_ PSIZE_T BytesInUtf8String, _In_reads_bytes_(BytesInUtf16String) PCWCH Utf16String, _In_ SIZE_T BytesInUtf16String ); PHLIBAPI NTSTATUS NTAPI PhConvertUtf16ToUtf8Buffer( _Out_writes_bytes_to_(MaxBytesInUtf8String, *BytesInUtf8String) PCH Utf8String, _In_ SIZE_T MaxBytesInUtf8String, _Out_opt_ PSIZE_T BytesInUtf8String, _In_reads_bytes_(BytesInUtf16String) PCWCH Utf16String, _In_ SIZE_T BytesInUtf16String ); _Ret_notnull_ PHLIBAPI PPH_BYTES NTAPI PhConvertUtf16ToUtf8( _In_ PCWSTR Buffer ); _Ret_notnull_ PHLIBAPI PPH_BYTES NTAPI PhConvertUtf16ToUtf8Ex( _In_reads_bytes_(Length) PCWCH Buffer, _In_ SIZE_T Length ); FORCEINLINE PPH_BYTES NTAPI PhConvertStringToUtf8( _In_ PPH_STRING String ) { return PhConvertUtf16ToUtf8Ex(String->Buffer, String->Length); } FORCEINLINE PPH_BYTES NTAPI PhConvertStringRefToUtf8( _In_ PCPH_STRINGREF String ) { return PhConvertUtf16ToUtf8Ex(String->Buffer, String->Length); } FORCEINLINE PPH_STRING NTAPI PhConvertBytesToUtf16( _In_ PPH_BYTES String ) { return PhConvertUtf8ToUtf16Ex(String->Buffer, String->Length); } // // String builder // /** * A string builder structure. * The string builder object allows you to easily construct complex strings without allocating * a great number of strings in the process. */ typedef struct _PH_STRING_BUILDER { /** Allocated length of the string, not including the null terminator. */ SIZE_T AllocatedLength; /** * The constructed string. * \a String will be allocated for \a AllocatedLength, we will modify the \a Length field to be * the correct length. */ PPH_STRING String; } PH_STRING_BUILDER, *PPH_STRING_BUILDER; PHLIBAPI VOID NTAPI PhInitializeStringBuilder( _Out_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T InitialCapacity ); PHLIBAPI VOID NTAPI PhDeleteStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder ); PHLIBAPI PPH_STRING NTAPI PhFinalStringBuilderString( _Inout_ PPH_STRING_BUILDER StringBuilder ); PHLIBAPI VOID NTAPI PhAppendStringBuilderEx( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_opt_ PWCHAR String, _In_ SIZE_T Length ); /** * Appends a string to the end of a string builder string. * * \param StringBuilder A string builder object. * \param String The string to append. */ FORCEINLINE VOID NTAPI PhAppendStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ PCPH_STRINGREF String ) { PhAppendStringBuilderEx( StringBuilder, String->Buffer, String->Length ); } /** * Appends a string to the end of a string builder string. * * \param StringBuilder A string builder object. * \param String The string to append. */ FORCEINLINE VOID NTAPI PhAppendStringBuilder2( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ PCWSTR String ) { PH_STRINGREF string; PhInitializeStringRef(&string, String); PhAppendStringBuilder(StringBuilder, &string); } PHLIBAPI VOID NTAPI PhAppendCharStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ WCHAR Character ); PHLIBAPI VOID NTAPI PhAppendCharStringBuilder2( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ WCHAR Character, _In_ SIZE_T Count ); PHLIBAPI VOID NTAPI PhAppendFormatStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ _Printf_format_string_ PCWSTR Format, ... ); VOID NTAPI PhAppendFormatStringBuilder_V( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ _Printf_format_string_ PCWSTR Format, _In_ va_list ArgPtr ); PHLIBAPI VOID NTAPI PhInsertStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T Index, _In_ PCPH_STRINGREF String ); PHLIBAPI VOID NTAPI PhInsertStringBuilder2( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T Index, _In_ PCWSTR String ); PHLIBAPI VOID NTAPI PhInsertStringBuilderEx( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T Index, _In_opt_ PCWCHAR String, _In_ SIZE_T Length ); PHLIBAPI VOID NTAPI PhRemoveStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T StartIndex, _In_ SIZE_T Count ); FORCEINLINE VOID PhRemoveEndStringBuilder( _Inout_ PPH_STRING_BUILDER StringBuilder, _In_ SIZE_T Count ) { PhRemoveStringBuilder( StringBuilder, StringBuilder->String->Length / sizeof(WCHAR) - Count, Count ); } // // Byte string builder // /** * A byte string builder structure. * This is similar to string builder, but is based on PH_BYTES and is suitable for general binary * data. */ typedef struct _PH_BYTES_BUILDER { /** Allocated length of the byte string, not including the null terminator. */ SIZE_T AllocatedLength; /** * The constructed byte string. * \a Bytes will be allocated for \a AllocatedLength, we will modify the \a Length field to be * the correct length. */ PPH_BYTES Bytes; } PH_BYTES_BUILDER, *PPH_BYTES_BUILDER; PHLIBAPI VOID NTAPI PhInitializeBytesBuilder( _Out_ PPH_BYTES_BUILDER BytesBuilder, _In_ SIZE_T InitialCapacity ); PHLIBAPI VOID NTAPI PhDeleteBytesBuilder( _Inout_ PPH_BYTES_BUILDER BytesBuilder ); PHLIBAPI PPH_BYTES NTAPI PhFinalBytesBuilderBytes( _Inout_ PPH_BYTES_BUILDER BytesBuilder ); FORCEINLINE PVOID PhOffsetBytesBuilder( _In_ PPH_BYTES_BUILDER BytesBuilder, _In_ SIZE_T Offset ) { return BytesBuilder->Bytes->Buffer + Offset; } PHLIBAPI VOID NTAPI PhAppendBytesBuilder( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ PPH_BYTESREF Bytes ); /** * Appends a byte string to the end of a byte string builder string. * * \param BytesBuilder A byte string builder object. * \param Bytes The byte string to append. */ FORCEINLINE VOID NTAPI PhAppendBytesBuilder2( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ PCSTR Bytes ) { PH_BYTESREF string; PhInitializeBytesRef(&string, Bytes); PhAppendBytesBuilder(BytesBuilder, &string); } PHLIBAPI PVOID NTAPI PhAppendBytesBuilderEx( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_opt_ PVOID Buffer, _In_ SIZE_T Length, _In_opt_ SIZE_T Alignment, _Out_opt_ PSIZE_T Offset ); PHLIBAPI VOID NTAPI PhAppendFormatBytesBuilder_V( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ _Printf_format_string_ PCSTR Format, _In_ va_list ArgPtr ); PHLIBAPI VOID NTAPI PhAppendFormatBytesBuilder( _Inout_ PPH_BYTES_BUILDER BytesBuilder, _In_ _Printf_format_string_ PCSTR Format, ... ); // // Array // /** An array structure. Storage is automatically allocated for new elements. */ typedef struct _PH_ARRAY { /** The number of items in the list. */ SIZE_T Count; /** The number of items for which storage is allocated. */ SIZE_T AllocatedCount; /** The size of each item, in bytes. */ SIZE_T ItemSize; /** The base address of the array. */ PVOID Items; } PH_ARRAY, *PPH_ARRAY; PHLIBAPI VOID NTAPI PhInitializeArray( _Out_ PPH_ARRAY Array, _In_ SIZE_T ItemSize, _In_ SIZE_T InitialCapacity ); PHLIBAPI VOID NTAPI PhDeleteArray( _Inout_ PPH_ARRAY Array ); FORCEINLINE PVOID PhItemArray( _In_ PPH_ARRAY Array, _In_ SIZE_T Index ) { return PTR_ADD_OFFSET(Array->Items, Index * Array->ItemSize); } FORCEINLINE PVOID PhFinalArrayItems( _Inout_ PPH_ARRAY Array ) { return Array->Items; } FORCEINLINE SIZE_T PhFinalArrayCount( _In_ PPH_ARRAY Array ) { return Array->Count; } PHLIBAPI VOID NTAPI PhResizeArray( _Inout_ PPH_ARRAY Array, _In_ SIZE_T NewCapacity ); PHLIBAPI VOID NTAPI PhAddItemArray( _Inout_ PPH_ARRAY Array, _In_ PVOID Item ); PHLIBAPI VOID NTAPI PhAddItemsArray( _Inout_ PPH_ARRAY Array, _In_ PVOID Items, _In_ SIZE_T Count ); PHLIBAPI VOID NTAPI PhClearArray( _Inout_ PPH_ARRAY Array ); PHLIBAPI VOID NTAPI PhRemoveItemArray( _Inout_ PPH_ARRAY Array, _In_ SIZE_T Index ); PHLIBAPI VOID NTAPI PhRemoveItemsArray( _Inout_ PPH_ARRAY Array, _In_ SIZE_T StartIndex, _In_ SIZE_T Count ); // // List // extern PPH_OBJECT_TYPE PhListType; /** A list structure. Storage is automatically allocated for new elements. */ typedef struct _PH_LIST { /** The number of items in the list. */ ULONG Count; /** The number of items for which storage is allocated. */ ULONG AllocatedCount; /** The array of list items. */ PVOID *Items; } PH_LIST, *PPH_LIST; FORCEINLINE PVOID PhItemList( _In_ PPH_LIST List, _In_ ULONG Index ) { return List->Items[Index]; } PHLIBAPI PPH_LIST NTAPI PhCreateList( _In_ ULONG InitialCapacity ); PHLIBAPI VOID NTAPI PhResizeList( _Inout_ PPH_LIST List, _In_ ULONG NewCapacity ); PHLIBAPI VOID NTAPI PhAddItemList( _Inout_ PPH_LIST List, _In_ PVOID Item ); PHLIBAPI VOID NTAPI PhAddItemsList( _Inout_ PPH_LIST List, _In_ PVOID *Items, _In_ ULONG Count ); PHLIBAPI VOID NTAPI PhClearList( _Inout_ PPH_LIST List ); _Success_(return != -1) PHLIBAPI ULONG NTAPI PhFindItemList( _In_ PPH_LIST List, _In_ PVOID Item ); PHLIBAPI VOID NTAPI PhInsertItemList( _Inout_ PPH_LIST List, _In_ ULONG Index, _In_ PVOID Item ); PHLIBAPI VOID NTAPI PhInsertItemsList( _Inout_ PPH_LIST List, _In_ ULONG Index, _In_ PVOID *Items, _In_ ULONG Count ); PHLIBAPI VOID NTAPI PhRemoveItemList( _Inout_ PPH_LIST List, _In_ ULONG Index ); PHLIBAPI VOID NTAPI PhRemoveItemsList( _Inout_ PPH_LIST List, _In_ ULONG StartIndex, _In_ ULONG Count ); /** * A comparison function. * * \param Item1 The first item. * \param Item2 The second item. * \param Context A user-defined value. * * \return * \li A positive value if \a Item1 > \a Item2, * \li A negative value if \a Item1 < \a Item2, and * \li 0 if \a Item1 = \a Item2. */ typedef _Function_class_(PH_COMPARE_FUNCTION) LONG NTAPI PH_COMPARE_FUNCTION( _In_ PVOID Item1, _In_ PVOID Item2, _In_opt_ PVOID Context ); typedef PH_COMPARE_FUNCTION* PPH_COMPARE_FUNCTION; // // Pointer list // extern PPH_OBJECT_TYPE PhPointerListType; /** * A pointer list structure. The pointer list is similar to the normal list structure, but both * insertions and deletions occur in constant time. The list is not ordered. */ typedef struct _PH_POINTER_LIST { /** The number of pointers in the list. */ ULONG Count; /** The number of pointers for which storage is allocated. */ ULONG AllocatedCount; /** Index into pointer array for free list. */ ULONG FreeEntry; /** Index of next usable index into pointer array. */ ULONG NextEntry; /** The array of pointers. */ PVOID *Items; } PH_POINTER_LIST, *PPH_POINTER_LIST; #define PH_IS_LIST_POINTER_VALID(Pointer) (!((ULONG_PTR)(Pointer) & 0x1)) PHLIBAPI PPH_POINTER_LIST NTAPI PhCreatePointerList( _In_ ULONG InitialCapacity ); PHLIBAPI HANDLE NTAPI PhAddItemPointerList( _Inout_ PPH_POINTER_LIST PointerList, _In_ PVOID Pointer ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhEnumPointerListEx( _In_ PPH_POINTER_LIST PointerList, _Inout_ PULONG EnumerationKey, _Out_ PVOID *Pointer, _Out_ PHANDLE PointerHandle ); PHLIBAPI HANDLE NTAPI PhFindItemPointerList( _In_ PPH_POINTER_LIST PointerList, _In_ PVOID Pointer ); PHLIBAPI VOID NTAPI PhRemoveItemPointerList( _Inout_ PPH_POINTER_LIST PointerList, _In_ HANDLE PointerHandle ); _Success_(return != FALSE) FORCEINLINE BOOLEAN PhEnumPointerList( _In_ PPH_POINTER_LIST PointerList, _Inout_ PULONG EnumerationKey, _Out_ PVOID *Pointer ) { while (*EnumerationKey < PointerList->NextEntry) { PVOID pointer = PointerList->Items[*EnumerationKey]; (*EnumerationKey)++; if (PH_IS_LIST_POINTER_VALID(pointer)) { *Pointer = pointer; return TRUE; } } return FALSE; } // // Hash // typedef struct _PH_HASH_ENTRY { struct _PH_HASH_ENTRY *Next; ULONG Hash; } PH_HASH_ENTRY, *PPH_HASH_ENTRY; #define PH_HASH_SET_INIT { 0 } #define PH_HASH_SET_SIZE(Buckets) (sizeof(Buckets) / sizeof(PPH_HASH_ENTRY)) /** * Initializes a hash set. * * \param Buckets The bucket array. * \param NumberOfBuckets The number of buckets. */ FORCEINLINE VOID PhInitializeHashSet( _Out_ PPH_HASH_ENTRY *Buckets, _In_ ULONG NumberOfBuckets ) { memset(Buckets, 0, sizeof(PPH_HASH_ENTRY) * NumberOfBuckets); } /** * Allocates and initializes a hash set. * * \param NumberOfBuckets The number of buckets. * * \return The allocated hash set. You must free it with PhFree() when you no longer need it. */ FORCEINLINE PPH_HASH_ENTRY * PhCreateHashSet( _In_ ULONG NumberOfBuckets ) { PPH_HASH_ENTRY *buckets; buckets = (PPH_HASH_ENTRY *)PhAllocate(sizeof(PPH_HASH_ENTRY) * NumberOfBuckets); PhInitializeHashSet(buckets, NumberOfBuckets); return buckets; } /** * Determines the number of entries in a hash set. * * \param Buckets The bucket array. * \param NumberOfBuckets The number of buckets. * * \return The number of entries in the hash set. */ FORCEINLINE ULONG PhCountHashSet( _In_ PPH_HASH_ENTRY *Buckets, _In_ ULONG NumberOfBuckets ) { ULONG i; PPH_HASH_ENTRY entry; ULONG count; count = 0; for (i = 0; i < NumberOfBuckets; i++) { for (entry = Buckets[i]; entry; entry = entry->Next) count++; } return count; } /** * Moves entries from one hash set to another. * * \param NewBuckets The new bucket array. * \param NumberOfNewBuckets The number of buckets in \a NewBuckets. * \param OldBuckets The old bucket array. * \param NumberOfOldBuckets The number of buckets in \a OldBuckets. * * \remarks \a NewBuckets and \a OldBuckets must be different. */ FORCEINLINE VOID PhDistributeHashSet( _Inout_ PPH_HASH_ENTRY *NewBuckets, _In_ ULONG NumberOfNewBuckets, _In_ CONST PPH_HASH_ENTRY *OldBuckets, _In_ ULONG NumberOfOldBuckets ) { ULONG i; PPH_HASH_ENTRY entry; PPH_HASH_ENTRY nextEntry; ULONG index; for (i = 0; i < NumberOfOldBuckets; i++) { entry = OldBuckets[i]; while (entry) { nextEntry = entry->Next; index = entry->Hash & (NumberOfNewBuckets - 1); entry->Next = NewBuckets[index]; NewBuckets[index] = entry; entry = nextEntry; } } } /** * Adds an entry to a hash set. * * \param Buckets The bucket array. * \param NumberOfBuckets The number of buckets. * \param Entry The entry. * \param Hash The hash for the entry. * * \remarks This function does not check for duplicates. */ FORCEINLINE VOID PhAddEntryHashSet( _Inout_ PPH_HASH_ENTRY *Buckets, _In_ ULONG NumberOfBuckets, _Out_ PPH_HASH_ENTRY Entry, _In_ ULONG Hash ) { ULONG index; index = Hash & (NumberOfBuckets - 1); Entry->Hash = Hash; Entry->Next = Buckets[index]; Buckets[index] = Entry; } /** * Begins the process of finding an entry in a hash set. * * \param Buckets The bucket array. * \param NumberOfBuckets The number of buckets. * \param Hash The hash for the entry. * * \return The first entry in the chain. * * \remarks If the function returns NULL, the entry does not exist in the hash set. */ FORCEINLINE PPH_HASH_ENTRY PhFindEntryHashSet( _In_ CONST PPH_HASH_ENTRY *Buckets, _In_ ULONG NumberOfBuckets, _In_ ULONG Hash ) { return Buckets[Hash & (NumberOfBuckets - 1)]; } /** * Removes an entry from a hash set. * * \param Buckets The bucket array. * \param NumberOfBuckets The number of buckets. * \param Entry An entry present in the hash set. */ FORCEINLINE VOID PhRemoveEntryHashSet( _Inout_ PPH_HASH_ENTRY *Buckets, _In_ ULONG NumberOfBuckets, _Inout_ PPH_HASH_ENTRY Entry ) { ULONG index; PPH_HASH_ENTRY entry; PPH_HASH_ENTRY previousEntry; index = Entry->Hash & (NumberOfBuckets - 1); previousEntry = NULL; entry = Buckets[index]; do { if (entry == Entry) { if (!previousEntry) Buckets[index] = entry->Next; else previousEntry->Next = entry->Next; return; } previousEntry = entry; entry = entry->Next; } while (entry); // Entry doesn't actually exist in the set. This is a fatal logic error. PhRaiseStatus(STATUS_INTERNAL_ERROR); } /** * Resizes a hash set. * * \param Buckets A pointer to the bucket array. On return the new bucket array is stored in this * variable. * \param NumberOfBuckets A pointer to the number of buckets. On return the new number of buckets is * stored in this variable. * \param NewNumberOfBuckets The new number of buckets. */ FORCEINLINE VOID PhResizeHashSet( _Inout_ PPH_HASH_ENTRY **Buckets, _Inout_ PULONG NumberOfBuckets, _In_ ULONG NewNumberOfBuckets ) { PPH_HASH_ENTRY *newBuckets; newBuckets = PhCreateHashSet(NewNumberOfBuckets); PhDistributeHashSet(newBuckets, NewNumberOfBuckets, *Buckets, *NumberOfBuckets); PhFree(*Buckets); *Buckets = newBuckets; *NumberOfBuckets = NewNumberOfBuckets; } // // Hashtable // extern PPH_OBJECT_TYPE PhHashtableType; typedef struct _PH_HASHTABLE_ENTRY { /** Hash code of the entry. -1 if entry is unused. */ ULONG HashCode; /** * Either the index of the next entry in the bucket, the index of the next free entry, or -1 for * invalid. */ ULONG Next; /** The beginning of user data. */ QUAD_PTR Body; } PH_HASHTABLE_ENTRY, *PPH_HASHTABLE_ENTRY; C_ASSERT((FIELD_OFFSET(PH_HASHTABLE_ENTRY, Body) % MEMORY_ALLOCATION_ALIGNMENT) == 0); /** * A comparison function used by a hashtable. * * \param Entry1 The first entry. * \param Entry2 The second entry. * * \return TRUE if the entries are equal, otherwise FALSE. */ typedef _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PH_HASHTABLE_EQUAL_FUNCTION( _In_ PVOID Entry1, _In_ PVOID Entry2 ); typedef PH_HASHTABLE_EQUAL_FUNCTION* PPH_HASHTABLE_EQUAL_FUNCTION; /** * A hash function used by a hashtable. * * \param Entry The entry. * * \return A hash code for the entry. * * \remarks * \li Two entries which are considered to be equal by the comparison function must be given the * same hash code. * \li Two different entries do not have to be given different hash codes. */ typedef _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PH_HASHTABLE_HASH_FUNCTION( _In_ PVOID Entry ); typedef PH_HASHTABLE_HASH_FUNCTION* PPH_HASHTABLE_HASH_FUNCTION; // Use power-of-two sizes instead of primes #define PH_HASHTABLE_POWER_OF_TWO_SIZE // Enables 2^32-1 possible hash codes instead of only 2^31 //#define PH_HASHTABLE_FULL_HASH /** * A hashtable structure. */ typedef struct _PH_HASHTABLE { /** Size of user data in each entry. */ ULONG EntrySize; /** The comparison function. */ PPH_HASHTABLE_EQUAL_FUNCTION EqualFunction; /** The hash function. */ PPH_HASHTABLE_HASH_FUNCTION HashFunction; /** The number of allocated buckets. */ ULONG AllocatedBuckets; /** The bucket array. */ PULONG Buckets; /** The number of allocated entries. */ ULONG AllocatedEntries; /** The entry array. */ PVOID Entries; /** Number of entries in the hashtable. */ ULONG Count; /** Index into entry array for free list. */ ULONG FreeEntry; /** * Index of next usable index into entry array, a.k.a. the count of entries that were ever * allocated. */ ULONG NextEntry; } PH_HASHTABLE, *PPH_HASHTABLE; #define PH_HASHTABLE_ENTRY_SIZE(InnerSize) (UInt32Add32To64(UFIELD_OFFSET(PH_HASHTABLE_ENTRY, Body), (InnerSize))) #define PH_HASHTABLE_GET_ENTRY(Hashtable, Index) ((PPH_HASHTABLE_ENTRY)PTR_ADD_OFFSET((Hashtable)->Entries, UInt32x32To64(PH_HASHTABLE_ENTRY_SIZE((Hashtable)->EntrySize), (Index)))) #define PH_HASHTABLE_GET_ENTRY_INDEX(Hashtable, Entry) ((ULONG)(PTR_ADD_OFFSET(Entry, -(Hashtable)->Entries) / PH_HASHTABLE_ENTRY_SIZE((Hashtable)->EntrySize))) PHLIBAPI PPH_HASHTABLE NTAPI PhCreateHashtable( _In_ ULONG EntrySize, _In_ PPH_HASHTABLE_EQUAL_FUNCTION EqualFunction, _In_ PPH_HASHTABLE_HASH_FUNCTION HashFunction, _In_ ULONG InitialCapacity ); PHLIBAPI PVOID NTAPI PhAddEntryHashtable( _Inout_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry ); PHLIBAPI PVOID NTAPI PhAddEntryHashtableEx( _Inout_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry, _Out_opt_ PBOOLEAN Added ); PHLIBAPI VOID NTAPI PhClearHashtable( _Inout_ PPH_HASHTABLE Hashtable ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhEnumHashtable( _In_ PPH_HASHTABLE Hashtable, _Out_ PVOID *Entry, _Inout_ PULONG EnumerationKey ); PHLIBAPI PVOID NTAPI PhFindEntryHashtable( _In_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry ); PHLIBAPI BOOLEAN NTAPI PhRemoveEntryHashtable( _Inout_ PPH_HASHTABLE Hashtable, _In_ PVOID Entry ); // New faster enumeration method typedef struct _PH_HASHTABLE_ENUM_CONTEXT { ULONG_PTR Current; ULONG_PTR End; ULONG_PTR Step; } PH_HASHTABLE_ENUM_CONTEXT, *PPH_HASHTABLE_ENUM_CONTEXT; FORCEINLINE VOID NTAPI_INLINE PhBeginEnumHashtable( _In_ PPH_HASHTABLE Hashtable, _Out_ PPH_HASHTABLE_ENUM_CONTEXT Context ) { Context->Current = (ULONG_PTR)Hashtable->Entries; Context->Step = PH_HASHTABLE_ENTRY_SIZE((ULONG_PTR)Hashtable->EntrySize); Context->End = Context->Current + (ULONG_PTR)Hashtable->NextEntry * Context->Step; } FORCEINLINE PVOID NTAPI_INLINE PhNextEnumHashtable( _Inout_ PPH_HASHTABLE_ENUM_CONTEXT Context ) { PPH_HASHTABLE_ENTRY entry; while (Context->Current != Context->End) { entry = (PPH_HASHTABLE_ENTRY)Context->Current; Context->Current += Context->Step; if (entry->HashCode != ULONG_MAX) return &entry->Body; } return NULL; } PHLIBAPI ULONG NTAPI PhHashBytes( _In_reads_(Length) PUCHAR Bytes, _In_ SIZE_T Length ); PHLIBAPI ULONG NTAPI PhHashStringRef( _In_ PCPH_STRINGREF String, _In_ BOOLEAN IgnoreCase ); typedef enum _PH_STRING_HASH { PH_STRING_HASH_DEFAULT, PH_STRING_HASH_FNV1A, PH_STRING_HASH_X65599, PH_STRING_HASH_XXH32, } PH_STRING_HASH; PHLIBAPI ULONG NTAPI PhHashStringRefEx( _In_ PCPH_STRINGREF String, _In_ BOOLEAN IgnoreCase, _In_ PH_STRING_HASH HashAlgorithm ); FORCEINLINE ULONG PhHashInt32( _In_ ULONG Value ) { // Java style. Value ^= (Value >> 20) ^ (Value >> 12); return Value ^ (Value >> 7) ^ (Value >> 4); } FORCEINLINE ULONG PhHashInt64( _In_ ULONG64 Value ) { // http://www.concentric.net/~Ttwang/tech/inthash.htm Value = ~Value + (Value << 18); Value ^= Value >> 31; Value *= 21; Value ^= Value >> 11; Value += Value << 6; Value ^= Value >> 22; return (ULONG)Value; } FORCEINLINE ULONG PhHashIntPtr( _In_ ULONG_PTR Value ) { #ifdef _WIN64 return PhHashInt64(Value); #else return PhHashInt32(Value); #endif } // // Simple hashtable // #define SIP(String, Integer) { (String), (PVOID)(Integer) } #define SREF(String) ((PVOID)&(PH_STRINGREF)PH_STRINGREF_INIT((String))) typedef struct _PH_KEY_VALUE_PAIR { PVOID Key; PVOID Value; } PH_KEY_VALUE_PAIR, *PPH_KEY_VALUE_PAIR; typedef CONST PH_KEY_VALUE_PAIR *PCPH_KEY_VALUE_PAIR; PHLIBAPI PPH_HASHTABLE NTAPI PhCreateSimpleHashtable( _In_ ULONG InitialCapacity ); PHLIBAPI PVOID NTAPI PhAddItemSimpleHashtable( _Inout_ PPH_HASHTABLE SimpleHashtable, _In_opt_ PVOID Key, _In_opt_ PVOID Value ); PHLIBAPI PVOID * NTAPI PhFindItemSimpleHashtable( _In_ PPH_HASHTABLE SimpleHashtable, _In_opt_ PVOID Key ); FORCEINLINE PVOID NTAPI_INLINE PhFindItemSimpleHashtable2( _In_ PPH_HASHTABLE SimpleHashtable, _In_opt_ PVOID Key ) { PVOID *item; item = PhFindItemSimpleHashtable(SimpleHashtable, Key); if (item) return *item; else return NULL; } PHLIBAPI BOOLEAN NTAPI PhRemoveItemSimpleHashtable( _Inout_ PPH_HASHTABLE SimpleHashtable, _In_opt_ PVOID Key ); // Free list typedef struct _PH_FREE_LIST { SLIST_HEADER ListHead; ULONG Count; ULONG MaximumCount; SIZE_T Size; } PH_FREE_LIST, *PPH_FREE_LIST; typedef struct _PH_FREE_LIST_ENTRY { SLIST_ENTRY ListEntry; QUAD_PTR Body; } PH_FREE_LIST_ENTRY, *PPH_FREE_LIST_ENTRY; C_ASSERT((FIELD_OFFSET(PH_FREE_LIST_ENTRY, Body) % MEMORY_ALLOCATION_ALIGNMENT) == 0); #ifdef _WIN64 C_ASSERT(FIELD_OFFSET(PH_FREE_LIST_ENTRY, ListEntry) == 0x0); C_ASSERT(FIELD_OFFSET(PH_FREE_LIST_ENTRY, Body) == 0x10); #else C_ASSERT(FIELD_OFFSET(PH_FREE_LIST_ENTRY, ListEntry) == 0x0); C_ASSERT(FIELD_OFFSET(PH_FREE_LIST_ENTRY, Body) == 0x8); #endif PHLIBAPI VOID NTAPI PhInitializeFreeList( _Out_ PPH_FREE_LIST FreeList, _In_ SIZE_T Size, _In_ ULONG MaximumCount ); PHLIBAPI VOID NTAPI PhDeleteFreeList( _Inout_ PPH_FREE_LIST FreeList ); PHLIBAPI PVOID NTAPI PhAllocateFromFreeList( _Inout_ PPH_FREE_LIST FreeList ); PHLIBAPI VOID NTAPI PhFreeToFreeList( _Inout_ PPH_FREE_LIST FreeList, _In_ _Post_invalid_ PVOID Memory ); // // Callback // /** * A callback function. * * \param Parameter A value given to all callback functions being notified. * \param Context A user-defined value passed to PhRegisterCallback(). */ typedef _Function_class_(PH_CALLBACK_FUNCTION) VOID NTAPI PH_CALLBACK_FUNCTION( _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ); typedef PH_CALLBACK_FUNCTION *PPH_CALLBACK_FUNCTION; /** A callback registration structure. */ typedef struct _PH_CALLBACK_REGISTRATION { /** The list entry in the callbacks list. */ LIST_ENTRY ListEntry; /** The callback function. */ PPH_CALLBACK_FUNCTION Function; /** A user-defined value to be passed to the callback function. */ PVOID Context; /** A value indicating whether the registration structure is being used. */ LONG Busy; /** Whether the registration structure is being removed. */ BOOLEAN Unregistering; BOOLEAN Reserved; /** Flags controlling the callback. */ USHORT Flags; } PH_CALLBACK_REGISTRATION, *PPH_CALLBACK_REGISTRATION; /** * A callback structure. The callback object allows multiple callback functions to be registered and * notified in a thread-safe way. */ typedef struct _PH_CALLBACK { /** The list of registered callbacks. */ LIST_ENTRY ListHead; /** A lock protecting the callbacks list. */ PH_QUEUED_LOCK ListLock; /** A condition variable pulsed when the callback becomes free. */ PH_CONDITION BusyCondition; } PH_CALLBACK, *PPH_CALLBACK; #define PH_CALLBACK_DECLARE(Name) PH_CALLBACK Name = { &(Name).ListHead, &(Name).ListHead, PH_QUEUED_LOCK_INIT, PH_CONDITION_INIT } PHLIBAPI VOID NTAPI PhInitializeCallback( _Out_ PPH_CALLBACK Callback ); PHLIBAPI VOID NTAPI PhDeleteCallback( _Inout_ PPH_CALLBACK Callback ); PHLIBAPI VOID NTAPI PhRegisterCallback( _Inout_ PPH_CALLBACK Callback, _In_ PPH_CALLBACK_FUNCTION Function, _In_opt_ PVOID Context, _Out_ PPH_CALLBACK_REGISTRATION Registration ); PHLIBAPI VOID NTAPI PhRegisterCallbackEx( _Inout_ PPH_CALLBACK Callback, _In_ PPH_CALLBACK_FUNCTION Function, _In_opt_ PVOID Context, _In_ USHORT Flags, _Out_ PPH_CALLBACK_REGISTRATION Registration ); PHLIBAPI VOID NTAPI PhUnregisterCallback( _Inout_ PPH_CALLBACK Callback, _Inout_ PPH_CALLBACK_REGISTRATION Registration ); PHLIBAPI VOID NTAPI PhInvokeCallback( _In_ PPH_CALLBACK Callback, _In_opt_ PVOID Parameter ); // General PHLIBAPI ULONG NTAPI PhGetPrimeNumber( _In_ ULONG Minimum ); PHLIBAPI ULONG NTAPI PhRoundUpToPowerOfTwo( _In_ ULONG Number ); PHLIBAPI ULONG NTAPI PhExponentiate( _In_ ULONG Base, _In_ ULONG Exponent ); PHLIBAPI ULONG64 NTAPI PhExponentiate64( _In_ ULONG64 Base, _In_ ULONG Exponent ); PHLIBAPI BOOLEAN NTAPI PhHexStringToBuffer( _In_ PCPH_STRINGREF String, _Out_writes_bytes_(String->Length / sizeof(WCHAR) / 2) PUCHAR Buffer ); PHLIBAPI BOOLEAN NTAPI PhHexStringToBufferEx( _In_ PCPH_STRINGREF String, _In_ SIZE_T BufferLength, _Out_writes_bytes_(BufferLength) PVOID Buffer ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhBufferToHexString( _In_reads_bytes_(Length) PUCHAR Buffer, _In_ SIZE_T Length ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhBufferToHexStringEx( _In_reads_bytes_(Length) PUCHAR Buffer, _In_ SIZE_T Length, _In_ BOOLEAN UpperCase ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhBufferToHexStringBuffer( _In_reads_bytes_(InputLength) PUCHAR InputBuffer, _In_ SIZE_T InputLength, _In_ BOOLEAN UpperCase, _Out_writes_bytes_to_(OutputLength, *ReturnLength) PWSTR OutputBuffer, _In_ SIZE_T OutputLength, _Out_opt_ PSIZE_T ReturnLength ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhStringToInteger64( _In_ PCPH_STRINGREF String, _In_opt_ ULONG Base, _Out_opt_ PLONG64 Integer ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhStringToUInt64( _In_ PCPH_STRINGREF String, _In_opt_ ULONG Base, _Out_opt_ PULONG64 Integer ); PHLIBAPI BOOLEAN NTAPI PhStringToDouble( _In_ PCPH_STRINGREF String, _Reserved_ ULONG Base, _Out_opt_ DOUBLE *Double ); _Ret_notnull_ PHLIBAPI PPH_STRING NTAPI PhIntegerToString64( _In_ LONG64 Integer, _In_opt_ ULONG Base, _In_ BOOLEAN Signed ); #define PH_TIMESPAN_STR_LEN 30 #define PH_TIMESPAN_STR_LEN_1 (PH_TIMESPAN_STR_LEN + 1) #define PH_TIMESPAN_HMS 0 #define PH_TIMESPAN_HMSM 1 #define PH_TIMESPAN_DHMS 2 #define PH_TIMESPAN_DHMSM 3 PHLIBAPI VOID NTAPI PhPrintTimeSpan( _Out_writes_(PH_TIMESPAN_STR_LEN_1) PWSTR Destination, _In_ ULONG64 Ticks, _In_opt_ ULONG Mode ); PHLIBAPI BOOLEAN NTAPI PhPrintTimeSpanToBuffer( _In_ ULONG64 Ticks, _In_opt_ ULONG Mode, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PHLIBAPI BOOLEAN NTAPI PhCalculateEntropy( _In_ PBYTE Buffer, _In_ ULONG64 BufferLength, _Out_opt_ PFLOAT Entropy, _Out_opt_ PFLOAT Mean, _Out_opt_ PFLOAT Variance ); PHLIBAPI PPH_STRING NTAPI PhFormatEntropy( _In_ FLOAT Entropy, _In_ USHORT EntropyPrecision, _In_opt_ FLOAT Mean, _In_opt_ USHORT MeanPrecision, _In_opt_ FLOAT Variance, _In_opt_ USHORT VariancePrecision ); DECLSPEC_NOALIAS PHLIBAPI VOID NTAPI PhFillMemoryUlong( _Inout_updates_(Count) PULONG Memory, _In_ ULONG Value, _In_ SIZE_T Count ); DECLSPEC_NOALIAS PHLIBAPI VOID NTAPI PhDivideSinglesBySingle( _Inout_updates_(Count) PFLOAT A, _In_ FLOAT B, _In_ SIZE_T Count ); DECLSPEC_NOALIAS PHLIBAPI FLOAT NTAPI PhMaxMemorySingles( _In_ PFLOAT A, _In_ SIZE_T Count ); DECLSPEC_NOALIAS PHLIBAPI FLOAT NTAPI PhAddPlusMaxMemorySingles( _Inout_updates_(Count) PFLOAT A, _Inout_updates_(Count) PFLOAT B, _In_ SIZE_T Count ); DECLSPEC_NOALIAS PHLIBAPI VOID NTAPI PhConvertCopyMemoryUlong( _Inout_updates_(Count) PULONG From, _Inout_updates_(Count) PFLOAT To, _In_ SIZE_T Count ); DECLSPEC_NOALIAS PHLIBAPI VOID NTAPI PhConvertCopyMemoryUlong64( _Inout_updates_(Count) PULONG64 From, _Inout_updates_(Count) PFLOAT To, _In_ SIZE_T Count ); DECLSPEC_NOALIAS PHLIBAPI VOID NTAPI PhConvertCopyMemorySingles( _Inout_updates_(Count) PFLOAT From, _Inout_updates_(Count) PULONG To, _In_ SIZE_T Count ); typedef struct _PH_CIRCULAR_BUFFER_ULONG* PPH_CIRCULAR_BUFFER_ULONG; typedef struct _PH_CIRCULAR_BUFFER_ULONG64* PPH_CIRCULAR_BUFFER_ULONG64; DECLSPEC_NOALIAS PHLIBAPI VOID NTAPI PhCopyConvertCircularBufferULONG( _Inout_ PPH_CIRCULAR_BUFFER_ULONG Buffer, _Out_writes_(Count) FLOAT* Destination, _In_ ULONG Count ); DECLSPEC_NOALIAS PHLIBAPI VOID NTAPI PhCopyConvertCircularBufferULONG64( _Inout_ PPH_CIRCULAR_BUFFER_ULONG64 Buffer, _Out_writes_(Count) FLOAT* Destination, _In_ ULONG Count ); PHLIBAPI ULONG NTAPI PhCountBits( _In_ ULONG Value ); PHLIBAPI ULONG NTAPI PhCountBitsUlongPtr( _In_ ULONG_PTR Value ); // // Thread Local Storage (TLS) // PHLIBAPI ULONG NTAPI PhTlsAlloc( VOID ); PHLIBAPI NTSTATUS NTAPI PhTlsFree( _In_ ULONG Index ); PHLIBAPI PVOID NTAPI PhTlsGetValue( _In_ ULONG Index ); PHLIBAPI NTSTATUS NTAPI PhTlsGetValueEx( _In_ ULONG Index, _Out_ PVOID* Value ); PHLIBAPI NTSTATUS NTAPI PhTlsSetValue( _In_ ULONG Index, _In_opt_ PVOID Value ); // // Errors // PHLIBAPI ULONG NTAPI PhGetLastError( VOID ); PHLIBAPI VOID NTAPI PhSetLastError( _In_ ULONG ErrorValue ); // // Wildcards // PHLIBAPI BOOLEAN NTAPI PhDoesNameContainWildCards( _In_ PCPH_STRINGREF Expression ); PHLIBAPI BOOLEAN NTAPI PhIsNameInExpression( _In_ PCPH_STRINGREF Expression, _In_ PCPH_STRINGREF Name, _In_ BOOLEAN IgnoreCase ); PHLIBAPI BOOLEAN NTAPI PhStringFuzzyMatch( _In_ PCPH_STRINGREF Pattern, _In_ PCPH_STRINGREF Text, _In_ BOOLEAN IgnoreCase ); FORCEINLINE BOOLEAN PhIsLegacyPrefix( _In_ PCPH_STRINGREF Name ) { static const WCHAR prefix[] = { L'P',L'r',L'o',L'c',L'e',L's',L's',L'H',L'a',L'c',L'k',L'e',L'r',L'.' }; if (Name->Length < sizeof(prefix)) return FALSE; for (ULONG i = 0; i < RTL_NUMBER_OF(prefix); i++) { if (PhUpcaseUnicodeChar(Name->Buffer[i]) != PhUpcaseUnicodeChar(prefix[i])) return FALSE; } return TRUE; } // // Auto-dereference convenience functions // FORCEINLINE PPH_STRING NTAPI_INLINE PhaCreateString( _In_ PCWSTR Buffer ) { return PH_AUTO_T(PH_STRING, PhCreateString(Buffer)); } FORCEINLINE PPH_STRING NTAPI_INLINE PhaCreateStringEx( _In_opt_ PCWSTR Buffer, _In_ SIZE_T Length ) { return PH_AUTO_T(PH_STRING, PhCreateStringEx(Buffer, Length)); } FORCEINLINE PPH_STRING NTAPI_INLINE PhaDuplicateString( _In_ PPH_STRING String ) { return PH_AUTO_T(PH_STRING, PhDuplicateString(String)); } FORCEINLINE PPH_STRING NTAPI_INLINE PhaConcatStrings( _In_ ULONG Count, ... ) { PPH_STRING string; va_list argptr; va_start(argptr, Count); string = PH_AUTO_T(PH_STRING, PhConcatStrings_V(Count, argptr)); va_end(argptr); return string; } FORCEINLINE PPH_STRING NTAPI_INLINE PhaConcatStrings2( _In_ PCWSTR String1, _In_ PCWSTR String2 ) { return PH_AUTO_T(PH_STRING, PhConcatStrings2(String1, String2)); } FORCEINLINE PPH_STRING NTAPI_INLINE PhaFormatString( _In_ _Printf_format_string_ PCWSTR Format, ... ) { PPH_STRING string; va_list argptr; va_start(argptr, Format); string = PH_AUTO_T(PH_STRING, PhFormatString_V(Format, argptr)); va_end(argptr); return string; } FORCEINLINE PPH_STRING NTAPI_INLINE PhLowerString( _In_ PPH_STRING String ) { return PhCreateString3(&String->sr, PH_STRING_LOWER_CASE, NULL); } FORCEINLINE PPH_STRING NTAPI_INLINE PhaLowerString( _In_ PPH_STRING String ) { return PH_AUTO_T(PH_STRING, PhCreateString3(&String->sr, PH_STRING_LOWER_CASE, NULL)); } FORCEINLINE PPH_STRING NTAPI_INLINE PhUpperString( _In_ PPH_STRING String ) { return PhCreateString3(&String->sr, PH_STRING_UPPER_CASE, NULL); } FORCEINLINE PPH_STRING NTAPI_INLINE PhaUpperString( _In_ PPH_STRING String ) { return PH_AUTO_T(PH_STRING, PhCreateString3(&String->sr, PH_STRING_UPPER_CASE, NULL)); } FORCEINLINE PPH_STRING NTAPI_INLINE PhaSubstring( _In_ PPH_STRING String, _In_ SIZE_T StartIndex, _In_ SIZE_T Count ) { return PH_AUTO_T(PH_STRING, PhSubstring(String, StartIndex, Count)); } // // Format // typedef enum _PH_FORMAT_TYPE { CharFormatType, StringFormatType, StringZFormatType, MultiByteStringFormatType, MultiByteStringZFormatType, Int32FormatType, Int64FormatType, IntPtrFormatType, UInt32FormatType, UInt64FormatType, UIntPtrFormatType, SingleFormatType, DoubleFormatType, SizeFormatType, FormatTypeMask = 0x3f, /** If not specified, for floating-point 6 is assumed **/ FormatUsePrecision = 0x40, /** If not specified, ' ' is assumed */ FormatUsePad = 0x80, /** If not specified, 10 is assumed */ FormatUseRadix = 0x100, /** If not specified, the default value is assumed */ FormatUseParameter = 0x200, // // Floating-point flags // /** Use standard form instead of normal form */ FormatStandardForm = 0x1000, /** Use hexadecimal form instead of normal form */ FormatHexadecimalForm = 0x2000, /** Reserved */ FormatForceDecimalPoint = 0x4000, /** Trailing zeros and possibly the decimal point are trimmed */ FormatCropZeros = 0x8000, // // Floating-point and integer flags // /** Group digits (with floating-point, only works when in normal form) */ FormatGroupDigits = 0x10000, /** Always insert a prefix, '+' for positive and '-' for negative */ FormatPrefixSign = 0x20000, /** * Pad left with zeros, taking into consideration the sign. Width must be specified. * Format*Align cannot be used in conjunction with this flag. If FormatGroupDigits is specified, * this flag is ignored. */ FormatPadZeros = 0x40000, // // General flags // /** Make characters uppercase (only available for some types) */ FormatUpperCase = 0x20000000, /** Applies right alignment. Width must be specified. */ FormatRightAlign = 0x40000000, /** Applies left alignment. Width must be specified. */ FormatLeftAlign = 0x80000000, } PH_FORMAT_TYPE; /** Describes an element to be formatted to a string. */ typedef struct _PH_FORMAT { /** Specifies the type of the element and optional flags. */ ULONG Type; /** * The precision of the element. The meaning of this field depends on the element type. For * \a Double and \a Size, this field specifies the number of decimal points to include. */ USHORT Precision; /** * The width of the element. This field specifies the minimum number of characters to output. * The remaining space is padded with either spaces, zeros, or a custom character. */ USHORT Width; /** The pad character. */ WCHAR Pad; /** * The meaning of this field depends on the element type. For integer types, this field * specifies the base to convert the number into. For \a Size, this field specifies the maximum * size unit. */ UCHAR Radix; /** * The meaning of this field depends on the element type. For \a Size, this field specifies the * minimum size unit. */ UCHAR Parameter; union { WCHAR Char; PH_STRINGREF String; PWSTR StringZ; PH_BYTESREF MultiByteString; PSTR MultiByteStringZ; LONG Int32; LONG64 Int64; LONG_PTR IntPtr; ULONG UInt32; ULONG64 UInt64; ULONG_PTR UIntPtr; FLOAT Single; DOUBLE Double; ULONG64 Size; } u; } PH_FORMAT, *PPH_FORMAT; // Convenience functions FORCEINLINE VOID PhInitFormatC( _Out_ PPH_FORMAT Format, _In_ WCHAR Char ) { Format->Type = CharFormatType; Format->u.Char = Char; } FORCEINLINE VOID PhInitFormatS( _Out_ PPH_FORMAT Format, _In_ PCWSTR String ) { Format->Type = StringFormatType; PhInitializeStringRef(&Format->u.String, String); } FORCEINLINE VOID PhInitFormatSR( _Out_ PPH_FORMAT Format, _In_ PH_STRINGREF String ) { Format->Type = StringFormatType; Format->u.String = String; } FORCEINLINE VOID PhInitFormatUCS( _Out_ PPH_FORMAT Format, _In_ PCUNICODE_STRING String ) { Format->Type = StringFormatType; PhUnicodeStringToStringRef(String, &Format->u.String); } FORCEINLINE VOID PhInitFormatMultiByteS( _Out_ PPH_FORMAT Format, _In_ PCSTR String ) { Format->Type = MultiByteStringFormatType; PhInitializeBytesRef(&Format->u.MultiByteString, String); } FORCEINLINE VOID PhInitFormatD( _Out_ PPH_FORMAT Format, _In_ LONG Int32 ) { Format->Type = Int32FormatType; Format->u.Int32 = Int32; } FORCEINLINE VOID PhInitFormatU( _Out_ PPH_FORMAT Format, _In_ ULONG UInt32 ) { Format->Type = UInt32FormatType; Format->u.UInt32 = UInt32; } FORCEINLINE VOID PhInitFormatX( _Out_ PPH_FORMAT Format, _In_ ULONG UInt32 ) { Format->Type = UInt32FormatType | FormatUseRadix; Format->u.UInt32 = UInt32; Format->Radix = 16; } FORCEINLINE VOID PhInitFormatI64D( _Out_ PPH_FORMAT Format, _In_ LONG64 Int64 ) { Format->Type = Int64FormatType; Format->u.Int64 = Int64; } FORCEINLINE VOID PhInitFormatI64U( _Out_ PPH_FORMAT Format, _In_ ULONG64 UInt64 ) { Format->Type = UInt64FormatType; Format->u.UInt64 = UInt64; } FORCEINLINE VOID PhInitFormatI64UGroupDigits( _Out_ PPH_FORMAT Format, _In_ ULONG64 UInt64 ) { Format->Type = UInt64FormatType | FormatGroupDigits; Format->u.UInt64 = UInt64; } FORCEINLINE VOID PhInitFormatI64UWithWidth( _Out_ PPH_FORMAT Format, _In_ ULONG64 UInt64, _In_ USHORT Width ) { Format->Type = UInt64FormatType | FormatPadZeros; Format->u.UInt64 = UInt64; Format->Width = Width; } FORCEINLINE VOID PhInitFormatI64X( _Out_ PPH_FORMAT Format, _In_ ULONG64 UInt64 ) { Format->Type = UInt64FormatType | FormatUseRadix; Format->u.UInt64 = UInt64; Format->Radix = 16; } FORCEINLINE VOID PhInitFormatI64XWithWidth( _Out_ PPH_FORMAT Format, _In_ ULONG64 UInt64, _In_ USHORT Width ) { Format->Type = UInt64FormatType | FormatUseRadix | FormatPadZeros; Format->u.UInt64 = UInt64; Format->Radix = 16; Format->Width = Width; } FORCEINLINE VOID PhInitFormatI64XPadZeroes( _Out_ PPH_FORMAT Format, _In_ ULONG64 UInt64, _In_ USHORT Width ) { Format->Type = UInt64FormatType | FormatUseRadix | FormatPadZeros; Format->u.UInt64 = UInt64; Format->Radix = 16; Format->Width = Width; } FORCEINLINE VOID PhInitFormatIU( _Out_ PPH_FORMAT Format, _In_ ULONG_PTR UIntPtr ) { Format->Type = UIntPtrFormatType; Format->u.UIntPtr = UIntPtr; } FORCEINLINE VOID PhInitFormatIX( _Out_ PPH_FORMAT Format, _In_ ULONG_PTR UIntPtr ) { Format->Type = UIntPtrFormatType | FormatUseRadix; Format->u.UIntPtr = UIntPtr; Format->Radix = 16; } FORCEINLINE VOID PhInitFormatIXPadZeros( _Out_ PPH_FORMAT Format, _In_ ULONG_PTR UIntPtr ) { Format->Type = UIntPtrFormatType | FormatUseRadix | FormatPadZeros; Format->u.UIntPtr = UIntPtr; Format->Radix = 16; Format->Width = sizeof(ULONG_PTR) * 2; } FORCEINLINE VOID PhInitFormatF( _Out_ PPH_FORMAT Format, _In_ FLOAT Single, _In_ USHORT Precision ) { Format->Type = SingleFormatType | FormatUsePrecision; Format->u.Single = Single; Format->Precision = Precision; } FORCEINLINE VOID PhInitFormatFD( _Out_ PPH_FORMAT Format, _In_ DOUBLE Double, _In_ USHORT Precision ) { Format->Type = DoubleFormatType | FormatUsePrecision; Format->u.Double = Double; Format->Precision = Precision; } FORCEINLINE VOID PhInitFormatE( _Out_ PPH_FORMAT Format, _In_ DOUBLE Double, _In_ USHORT Precision ) { Format->Type = DoubleFormatType | FormatStandardForm | FormatUsePrecision; Format->u.Double = Double; Format->Precision = Precision; } FORCEINLINE VOID PhInitFormatA( _Out_ PPH_FORMAT Format, _In_ DOUBLE Double, _In_ USHORT Precision ) { Format->Type = DoubleFormatType | FormatHexadecimalForm | FormatUsePrecision; Format->u.Double = Double; Format->Precision = Precision; } FORCEINLINE VOID PhInitFormatSize( _Out_ PPH_FORMAT Format, _In_ ULONG64 Size ) { Format->Type = SizeFormatType; Format->u.Size = Size; } FORCEINLINE VOID PhInitFormatSizeWithPrecision( _Out_ PPH_FORMAT Format, _In_ ULONG64 Size, _In_ USHORT Precision ) { Format->Type = SizeFormatType | FormatUsePrecision; Format->u.Size = Size; Format->Precision = Precision; } PHLIBAPI PPH_STRING NTAPI PhFormat( _In_reads_(Count) PPH_FORMAT Format, _In_ ULONG Count, _In_opt_ SIZE_T InitialCapacity ); FORCEINLINE PPH_STRING PhaFormat( _In_reads_(Count) PPH_FORMAT Format, _In_ ULONG Count, _In_opt_ SIZE_T InitialCapacity ) { return PH_AUTO_T(PH_STRING, PhFormat(Format, Count, InitialCapacity)); } PHLIBAPI BOOLEAN NTAPI PhFormatToBuffer( _In_reads_(Count) PPH_FORMAT Format, _In_ ULONG Count, _Out_writes_bytes_opt_(BufferLength) PWSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhFormatSingleToUtf8( _In_ FLOAT Value, _In_ ULONG Type, _In_ LONG Precision, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhFormatDoubleToUtf8( _In_ DOUBLE Value, _In_ ULONG Type, _In_ LONG Precision, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhIntegerToUtf8Buffer( _In_ LONG64 Integer, _In_opt_ ULONG Base, _In_ BOOLEAN Signed, _Out_writes_bytes_(BufferLength) PSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); // // Errors // #define HRESULT_CUSTOMER(hr) (((ULONG)(hr) >> 29) & 0x1) #define HRESULT_NTSTATUS(hr) (((ULONG)(hr) >> 28) & 0x1) PHLIBAPI ULONG NTAPI PhNtStatusToDosError( _In_ NTSTATUS Status ); PHLIBAPI ULONG NTAPI PhNtStatusToServiceStatus( _In_ NTSTATUS Status ); PHLIBAPI NTSTATUS NTAPI PhDosErrorToNtStatus( _In_ ULONG DosError ); PHLIBAPI BOOLEAN NTAPI PhNtStatusFileNotFound( _In_ NTSTATUS Status ); PHLIBAPI NTSTATUS NTAPI PhNtStatusFromHResult( _In_ HRESULT Result ); FORCEINLINE NTSTATUS NTAPI PhGetLastWin32ErrorAsNtStatus( VOID ) { return PhDosErrorToNtStatus(PhGetLastError()); } // // Generic tree definitions // typedef enum _PH_TREE_ENUMERATION_ORDER { TreeEnumerateInOrder, TreeEnumerateInReverseOrder } PH_TREE_ENUMERATION_ORDER; #define PhIsLeftChildElement(Links) ((Links)->Parent->Left == (Links)) #define PhIsRightChildElement(Links) ((Links)->Parent->Right == (Links)) // // avltree // typedef struct _PH_AVL_LINKS { struct _PH_AVL_LINKS *Parent; struct _PH_AVL_LINKS *Left; struct _PH_AVL_LINKS *Right; LONG Balance; } PH_AVL_LINKS, *PPH_AVL_LINKS; typedef _Function_class_(PH_AVL_TREE_COMPARE_FUNCTION) LONG NTAPI PH_AVL_TREE_COMPARE_FUNCTION( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ); typedef PH_AVL_TREE_COMPARE_FUNCTION* PPH_AVL_TREE_COMPARE_FUNCTION; typedef struct _PH_AVL_TREE { PH_AVL_LINKS Root; // Right contains real root ULONG Count; PPH_AVL_TREE_COMPARE_FUNCTION CompareFunction; } PH_AVL_TREE, *PPH_AVL_TREE; #define PH_AVL_TREE_INIT(CompareFunction) { { NULL, NULL, NULL, 0 }, 0, CompareFunction } #define PhRootElementAvlTree(Tree) ((Tree)->Root.Right) PHLIBAPI VOID NTAPI PhInitializeAvlTree( _Out_ PPH_AVL_TREE Tree, _In_ PPH_AVL_TREE_COMPARE_FUNCTION CompareFunction ); PHLIBAPI PPH_AVL_LINKS NTAPI PhAddElementAvlTree( _Inout_ PPH_AVL_TREE Tree, _Out_ PPH_AVL_LINKS Element ); PHLIBAPI VOID NTAPI PhRemoveElementAvlTree( _Inout_ PPH_AVL_TREE Tree, _Inout_ PPH_AVL_LINKS Element ); PHLIBAPI PPH_AVL_LINKS NTAPI PhFindElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ); PHLIBAPI PPH_AVL_LINKS NTAPI PhLowerBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ); PHLIBAPI PPH_AVL_LINKS NTAPI PhUpperBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ); PHLIBAPI PPH_AVL_LINKS NTAPI PhLowerDualBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ); PHLIBAPI PPH_AVL_LINKS NTAPI PhUpperDualBoundElementAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element ); PHLIBAPI PPH_AVL_LINKS NTAPI PhMinimumElementAvlTree( _In_ PPH_AVL_TREE Tree ); PHLIBAPI PPH_AVL_LINKS NTAPI PhMaximumElementAvlTree( _In_ PPH_AVL_TREE Tree ); PHLIBAPI PPH_AVL_LINKS NTAPI PhSuccessorElementAvlTree( _In_ PPH_AVL_LINKS Element ); PHLIBAPI PPH_AVL_LINKS NTAPI PhPredecessorElementAvlTree( _In_ PPH_AVL_LINKS Element ); typedef _Function_class_(PH_ENUM_AVL_TREE_CALLBACK) BOOLEAN NTAPI PH_ENUM_AVL_TREE_CALLBACK( _In_ PPH_AVL_TREE Tree, _In_ PPH_AVL_LINKS Element, _In_opt_ PVOID Context ); typedef PH_ENUM_AVL_TREE_CALLBACK *PPH_ENUM_AVL_TREE_CALLBACK; PHLIBAPI VOID NTAPI PhEnumAvlTree( _In_ PPH_AVL_TREE Tree, _In_ PH_TREE_ENUMERATION_ORDER Order, _In_ PPH_ENUM_AVL_TREE_CALLBACK Callback, _In_opt_ PVOID Context ); EXTERN_C_END #endif ================================================ FILE: phlib/include/phconfig.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2025 * */ #ifndef _PH_PHCONFIG_H #define _PH_PHCONFIG_H #ifdef __cplusplus extern "C" { #endif EXTERN_C PVOID PhInstanceHandle; EXTERN_C PCWSTR PhApplicationName; EXTERN_C HANDLE PhHeapHandle; EXTERN_C RTL_OSVERSIONINFOEX PhOsVersion; EXTERN_C ULONG WindowsVersion; #define WINDOWS_ANCIENT 0 #define WINDOWS_XP 51 // August, 2001 #define WINDOWS_SERVER_2003 52 // April, 2003 #define WINDOWS_VISTA 60 // November, 2006 #define WINDOWS_7 61 // July, 2009 #define WINDOWS_8 62 // August, 2012 #define WINDOWS_8_1 63 // August, 2013 #define WINDOWS_10 100 // July, 2015 // Version 1507, Build 10240 #define WINDOWS_10_TH2 101 // November, 2015 // Version 1511, Build 10586 #define WINDOWS_10_RS1 102 // August, 2016 // Version 1607, Build 14393 #define WINDOWS_10_RS2 103 // April, 2017 // Version 1703, Build 15063 #define WINDOWS_10_RS3 104 // October, 2017 // Version 1709, Build 16299 #define WINDOWS_10_RS4 105 // April, 2018 // Version 1803, Build 17134 #define WINDOWS_10_RS5 106 // November, 2018 // Version 1809, Build 17763 #define WINDOWS_10_19H1 107 // May, 2019 // Version 1903, Build 18362 #define WINDOWS_10_19H2 108 // November, 2019 // Version 1909, Build 18363 #define WINDOWS_10_20H1 109 // May, 2020 // Version 2004, Build 19041 #define WINDOWS_10_20H2 110 // October, 2020 // Build 19042 #define WINDOWS_10_21H1 111 // May, 2021 // Build 19043 #define WINDOWS_10_21H2 112 // November, 2021 // Build 19044 #define WINDOWS_10_22H2 113 // October, 2022 // Build 19045 #define WINDOWS_11 114 // October, 2021 // Build 22000 #define WINDOWS_11_22H2 115 // September, 2022 // Build 22621 #define WINDOWS_11_23H2 116 // October, 2023 // Build 22631 #define WINDOWS_11_24H2 117 // October, 2024 // Build 26100 #define WINDOWS_11_25H2 118 // October, 2025 // Build 26200 #define WINDOWS_11_26H1 119 // Build 28000 #define WINDOWS_MAX WINDOWS_11_26H1 #define WINDOWS_NEW ULONG_MAX #ifdef DEBUG #define dprintf(format, ...) DbgPrint(format __VA_OPT__(,) __VA_ARGS__) #else #define dprintf(format, ...) #endif PHLIBAPI NTSTATUS NTAPI PhInitializePhLib( _In_ PCWSTR ApplicationName ); PHLIBAPI BOOLEAN NTAPI PhIsExecutingInWow64( VOID ); _Analysis_noreturn_ DECLSPEC_NORETURN VOID NTAPI PhExitApplication( _In_ NTSTATUS Status ); // Processor group support (dmex) typedef struct _PH_SYSTEM_BASIC_INFORMATION { USHORT PageSize; USHORT NumberOfProcessors; ULONG MaximumTimerResolution; ULONG NumberOfPhysicalPages; ULONG AllocationGranularity; ULONG_PTR MaximumUserModeAddress; KAFFINITY ActiveProcessorsAffinityMask; } PH_SYSTEM_BASIC_INFORMATION, *PPH_SYSTEM_BASIC_INFORMATION; PHLIBAPI extern PH_SYSTEM_BASIC_INFORMATION PhSystemBasicInformation; typedef struct _PH_SYSTEM_PROCESSOR_INFORMATION { BOOLEAN SingleProcessorGroup; USHORT NumberOfProcessors; USHORT NumberOfProcessorGroups; PUSHORT ActiveProcessorCount; PKAFFINITY ActiveProcessorsAffinityMasks; } PH_SYSTEM_PROCESSOR_INFORMATION, *PPH_SYSTEM_PROCESSOR_INFORMATION; extern PH_SYSTEM_PROCESSOR_INFORMATION PhSystemProcessorInformation; #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/phconsole.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2024 * */ #ifndef _PH_CONSOLE_H #define _PH_CONSOLE_H PHLIBAPI NTSTATUS NTAPI PhAttachConsole( _In_ HANDLE ProcessId ); PHLIBAPI HANDLE NTAPI PhGetStdHandle( _In_ ULONG StdHandle ); PHLIBAPI VOID NTAPI PhFreeConsole( VOID ); PHLIBAPI NTSTATUS NTAPI PhGetConsoleProcessList( _In_ HANDLE ProcessId, _In_ ULONG ProcessCount, _Out_writes_(ProcessCount) PULONG ProcessList, _Out_ PULONG ProcessTotal ); PHLIBAPI NTSTATUS NTAPI PhConsoleSetForeground( _In_ HANDLE ProcessHandle, _In_ BOOLEAN Foreground ); PHLIBAPI NTSTATUS NTAPI PhConsoleSetWindow( _In_ HANDLE ProcessID, _In_ HANDLE ThreadId, _In_ HWND WindowHandle ); PHLIBAPI NTSTATUS NTAPI PhConsoleEndTask( _In_ HANDLE ProcessId, _In_ HWND WindowHandle ); #endif ================================================ FILE: phlib/include/phdata.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * dmex 2023-2026 * */ #ifndef _PH_PHDATA_H #define _PH_PHDATA_H EXTERN_C_START // // SIDs // extern CONST SID PhSeNobodySid; extern CONST SID PhSeEveryoneSid; extern CONST SID PhSeLocalSid; extern CONST SID PhSeCreatorOwnerSid; extern CONST SID PhSeCreatorGroupSid; extern CONST SID PhSeDialupSid; extern CONST SID PhSeNetworkSid; extern CONST SID PhSeBatchSid; extern CONST SID PhSeInteractiveSid; extern CONST SID PhSeServiceSid; extern CONST SID PhSeAnonymousLogonSid; extern CONST SID PhSeProxySid; extern CONST SID PhSeAuthenticatedUserSid; extern CONST SID PhSeRestrictedCodeSid; extern CONST SID PhSeTerminalServerUserSid; extern CONST SID PhSeRemoteInteractiveLogonSid; extern CONST SID PhSeLocalSystemSid; extern CONST SID PhSeLocalServiceSid; extern CONST SID PhSeNetworkServiceSid; PSID PhSeAdministratorsSid( VOID ); PSID PhSeUsersSid( VOID ); PSID PhSeAnyPackageSid( VOID ); PSID PhSeInternetExplorerSid( VOID ); PSID PhSeCloudActiveDirectorySid( VOID ); PSID PhSeLogonIdSid( _In_ ULONG LogonId ); // // Unicode // extern CONST PH_STRINGREF PhUnicodeByteOrderMark; // // Characters // extern CONST BOOLEAN PhCharIsPrintable[256]; extern CONST BOOLEAN PhCharIsPrintableEx[256]; extern CONST LONG PhCharToInteger[256]; extern CONST CHAR PhIntegerToChar[69]; extern CONST CHAR PhIntegerToCharUpper[69]; // // UTF-16 // extern CONST BOOLEAN PhIsUTF16HighSurrogateHighByte[256]; extern CONST BOOLEAN PhIsUTF16LowSurrogateHighByte[256]; extern CONST BOOLEAN PhIsUTF16StandaloneHighByte[256]; extern CONST BOOLEAN PhIsUTF16PrintableHighByte[256]; // // CRC32 // extern CONST ULONG PhCrc32Table[256]; // // Enums // extern CONST PH_STRINGREF PhIoPriorityHintNames[]; extern CONST PH_STRINGREF PhPagePriorityNames[]; extern CONST PH_STRINGREF PhKThreadStateNames[]; extern CONST PH_STRINGREF PhKWaitReasonNames[]; // // Aliases // extern CONST PH_STRINGREF PhHalFileAliasList[]; extern CONST PH_STRINGREF PhKernelFileAliasList[]; extern CONST PH_STRINGREF PhSecureKernelFileAliasList[]; extern CONST PH_STRINGREF PhHypervisorFileAliasList[]; extern CONST PH_STRINGREF PhOsLoaderFileAliasList[]; extern CONST PH_STRINGREF PhOsBootFileAliasList[]; EXTERN_C_END #endif ================================================ FILE: phlib/include/phfirmware.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025 * */ #ifndef _PH_PHSMBIOS_H #define _PH_PHSMBIOS_H #include EXTERN_C_START typedef enum _PH_VIRTUAL_STATUS { PhVirtualStatusNotCapable = 0, PhVirtualStatusVirtualMachine = 1, PhVirtualStatusEnabledHyperV = 2, PhVirtualStatusEnabledFirmware = 3, //PhVirtualStatusUnknown = 4, PhVirtualStatusDisabledWithHyperV = 5, PhVirtualStatusDisabled = 6, } PH_VIRTUAL_STATUS, *PPH_VIRTUAL_STATUS; PHLIBAPI PH_VIRTUAL_STATUS NTAPI PhGetVirtualStatus( VOID ); #define PH_SMBIOS_CONTAINS_FIELD(Entry, Item, Field) \ (RTL_CONTAINS_FIELD(&(Entry)->Item, (Entry)->Header.Length, Field)) #define PH_SMBIOS_CONTAINS_STRING(Entry, Item, Field) \ (PH_SMBIOS_CONTAINS_FIELD(Entry, Item, Field) && \ (Entry)->Item.Field != SMBIOS_INVALID_STRING) typedef union _PH_SMBIOS_ENTRY { SMBIOS_HEADER Header; SMBIOS_FIRMWARE_INFORMATION Firmware; SMBIOS_SYSTEM_INFORMATION System; SMBIOS_BASEBOARD_INFORMATION Baseboard; SMBIOS_CHASSIS_INFORMATION Chassis; SMBIOS_PROCESSOR_INFORMATION Processor; SMBIOS_MEMORY_CONTROLLER_INFORMATION MemoryController; SMBIOS_MEMORY_MODULE_INFORMATION MemoryModule; SMBIOS_CACHE_INFORMATION Cache; SMBIOS_PORT_CONNECTOR_INFORMATION PortConnector; SMBIOS_SYSTEM_SLOT_INFORMATION SystemSlot; SMBIOS_ON_BOARD_DEVICE_INFORMATION OnBoardDevice; SMBIOS_OEM_STRING_INFORMATION OEMString; SMBIOS_SYSTEM_CONFIGURATION_OPTION_INFORMATION SystemConfigurationOption; SMBIOS_FIRMWARE_LANGUAGE_INFORMATION FirmwareLanguage; SMBIOS_GROUP_ASSOCIATION_INFORMATION GroupAssociation; SMBIOS_SYSTEM_EVENT_LOG_INFORMATION EventLog; SMBIOS_PHYSICAL_MEMORY_ARRAY_INFORMATION PhysicalMemoryArray; SMBIOS_MEMORY_DEVICE_INFORMATION MemoryDevice; SMBIOS_32_BIT_MEMORY_ERROR_INFORMATION MemoryError32; SMBIOS_MEMORY_ARRAY_MAPPED_ADDRESS_INFORMATION MemoryArrayMappedAddress; SMBIOS_MEMORY_DEVICE_MAPPED_ADDRESS_INFORMATION MemoryDeviceMappedAddress; SMBIOS_BUILT_IN_POINTING_DEVICE_INFORMATION BuiltInPointingDevice; SMBIOS_PORTABLE_BATTERY_INFORMATION PortableBattery; SMBIOS_SYSTEM_RESET_INFORMATION SystemReset; SMBIOS_HARDWARE_SECURITY_INFORMATION HardwareSecurity; SMBIOS_SYSTEM_POWER_CONTROLS_INFORMATION SystemPowerControls; SMBIOS_VOLTAGE_PROBE_INFORMATION VoltageProbe; SMBIOS_COOLING_DEVICE_INFORMATION CoolingDevice; SMBIOS_TEMPERATURE_PROBE_INFORMATION TemperatureProbe; SMBIOS_ELECTRICAL_CURRENT_PROBE_INFORMATION ElectricalCurrentProbe; SMBIOS_OUT_OF_BAND_REMOTE_ACCESS_INFORMATION OutOfBandRemoteAccess; SMBIOS_SYSTEM_BOOT_INFORMATION SystemBoot; SMBIOS_64_BIT_MEMORY_ERROR_INFORMATION MemoryError64; SMBIOS_MANAGEMENT_DEVICE_INFORMATION ManagementDevice; SMBIOS_MANAGEMENT_DEVICE_COMPONENT_INFORMATION ManagementDeviceComponent; SMBIOS_MANAGEMENT_DEVICE_THRESHOLD_INFORMATION ManagementDeviceThreshold; SMBIOS_MEMORY_CHANNEL_INFORMATION MemoryChannel; SMBIOS_IPMI_DEVICE_INFORMATION IPMIDevice; SMBIOS_SYSTEM_POWER_SUPPLY_INFORMATION SystemPowerSupply; SMBIOS_ADDITIONAL_INFORMATION AdditionalInformation; SMBIOS_ONBOARD_DEVICE_INFORMATION OnboardDevice; SMBIOS_MCHI_INFORMATION MCHInterface; SMBIOS_TPM_DEVICE_INFORMATION TPMDevice; SMBIOS_PROCESSOR_ADDITIONAL_INFORMATION ProcessorAdditional; SMBIOS_FIRMWARE_INVENTORY_INFORMATION FirmwareInventory; SMBIOS_STRING_PROPERTY StringProperty; SMBIOS_INACTIVE Inactive; SMBIOS_END_OF_TABLE EndOfTable; } PH_SMBIOS_ENTRY, *PPH_SMBIOS_ENTRY; typedef _Function_class_(PH_ENUM_SMBIOS_CALLBACK) BOOLEAN NTAPI PH_ENUM_SMBIOS_CALLBACK( _In_ ULONG_PTR EnumHandle, _In_ UCHAR MajorVersion, _In_ UCHAR MinorVersion, _In_ PPH_SMBIOS_ENTRY Entry, _In_opt_ PVOID Context ); typedef PH_ENUM_SMBIOS_CALLBACK* PPH_ENUM_SMBIOS_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhEnumSMBIOS( _In_ PPH_ENUM_SMBIOS_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhGetSMBIOSString( _In_ ULONG_PTR EnumHandle, _In_ UCHAR Index, _Out_ PPH_STRING* String ); EXTERN_C_END #endif ================================================ FILE: phlib/include/phintrin.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2023 * dmex 2023 * */ /** * Intrinsics and SIMD wrapper header for cross-platform support. * * This header provides a unified interface for SIMD (Single Instruction Multiple Data) operations * and intrinsic functions across different platforms and architectures. It abstracts platform-specific * differences between ARM64 (using NEON) and x86/x64 (using SSE2, SSE4.2, AVX, AVX2) instruction sets. * * Key Features: * - Population count (bit counting) operations for 32-bit and 64-bit integers * - 128-bit integer vector operations (load, store, compare, arithmetic, bitwise) * - 128-bit floating-point vector operations (arithmetic, conversion, manipulation) * - Cross-platform type definitions (PH_INT128, PH_FLOAT128) * - ISA (Instruction Set Architecture) feature detection for x86/x64 * * Platform Support: * - ARM64: Uses ARM NEON intrinsics via * - x86/x64: Uses SSE2, SSE4.2, AVX, AVX2 intrinsics via * * Design Patterns: * - All functions are marked FORCEINLINE for performance-critical operations * - Conditional compilation (#ifdef _ARM64_) selects appropriate intrinsics per platform * - Operations support various element sizes: 8-bit, 16-bit, 32-bit, and 64-bit lanes * - Memory operations support both aligned and unaligned access variants * * \note Runtime ISA feature detection on x86/x64 uses MSCRT-provided __isa_available and __isa_enabled variables. * \warning Some operations require specific CPU features (SSE4.2 for popcnt, AVX2 for advanced operations). */ #ifndef _PH_PHINTRIN_H #define _PH_PHINTRIN_H #include #if defined(_M_ARM64) && defined(__clang__) #include #endif #ifdef _ARM64_ #define PhHasIntrinsics TRUE #define PhHasPopulationCount TRUE #define PhHasAVX FALSE #else /** * @var __isa_available * * External variable indicating the availability of ISA (Instruction Set Architecture) features. * * \note This is an external variable initialized by the MSCRT (Microsoft C Runtime). */ extern int __isa_available; #define ISA_AVAILABLE_X86 0 #define ISA_AVAILABLE_SSE2 1 #define ISA_AVAILABLE_SSE42 2 #define ISA_AVAILABLE_AVX 3 #define ISA_AVAILABLE_ENFSTRG 4 #define ISA_AVAILABLE_AVX2 5 #define ISA_AVAILABLE_AVX512 6 /** * @var __isa_enabled * * External variable indicating which ISA (Instruction Set Architecture) * extensions are enabled and available on the current system (e.g., SSE, AVX, etc.). * * \note This is an external variable initialized by the MSCRT (Microsoft C Runtime). */ extern long __isa_enabled; #define ISA_ENABLED_X86 0x00000001 #define ISA_ENABLED_SSE2 0x00000002 #define ISA_ENABLED_SSE42 0x00000004 #define ISA_ENABLED_AVX 0x00000008 //#define ISA_ENABLED_ENFSTRG 0x00000010 #define ISA_ENABLED_AVX2 0x00000020 #define ISA_ENABLED_AVX512 0x00000040 #ifdef _M_IX86 #define PhHasIntrinsics \ FlagOn(__isa_enabled, ISA_ENABLED_SSE2) #else #define PhHasIntrinsics TRUE #endif #define PhHasPopulationCount \ FlagOn(__isa_enabled, ISA_ENABLED_SSE42) #define PhHasAVX \ FlagOn(__isa_enabled, ISA_ENABLED_AVX2) #define PhHasAVX512 \ FlagOn(__isa_enabled, ISA_ENABLED_AVX512) #endif /** * Counts the number of set bits in a 32-bit unsigned integer. * * This function calculates the population count (Hamming weight) of the given * 32-bit value, returning the total number of '1' bits present in its binary * representation. * * \param[in] Value The 32-bit unsigned integer to count bits from. * \return The number of set bits in the input value. * \remarks * On ARM64 platforms, this function uses the native _CountOneBits intrinsic. * On other platforms (x86/x64), it uses the SSE4.2 _mm_popcnt_u32 intrinsic. * Both provide efficient hardware-accelerated bit counting when available. */ FORCEINLINE ULONG PhPopulationCount32( _In_ ULONG Value ) { #ifdef _ARM64_ return _CountOneBits(Value); #else return (ULONG)_mm_popcnt_u32(Value); #endif } #ifdef _WIN64 /** * Counts the number of set bits (population count) in a 64-bit unsigned integer. * * This function calculates the Hamming weight (number of 1-bits) in the given 64-bit value. * It uses platform-specific intrinsics for optimal performance: * - On ARM64: uses _CountOneBits64() intrinsic * - On other platforms: uses SSE4.2 _mm_popcnt_u64() intrinsic * * \param[in] Value The 64-bit unsigned integer to count bits in. * \return The number of set bits (1s) in the Value parameter. * \note This function requires SSE4.2 support on x86/x64 platforms or ARM64 platform. * \see _CountOneBits64, _mm_popcnt_u64 */ FORCEINLINE ULONG64 PhPopulationCount64( _In_ ULONG64 Value ) { #ifdef _ARM64_ return _CountOneBits64(Value); #else return (ULONG64)_mm_popcnt_u64(Value); #endif } #endif #ifdef _ARM64_ typedef int64x2_t PH_INT128; typedef float32x4_t PH_FLOAT128; #else typedef __m128i PH_INT128; typedef __m128 PH_FLOAT128; #endif typedef PH_INT128* PPH_INT128; typedef PH_FLOAT128* PPH_FLOAT128; /** * The PhSetZeroINT128 function initializes a 128-bit integer * value to zero using platform-specific intrinsic functions. * * \return A PH_INT128 value with all bits set to zero. */ FORCEINLINE PH_INT128 PhSetZeroINT128( VOID ) { #ifdef _ARM64_ return vdupq_n_s32(0); #else return _mm_setzero_si128(); #endif } /** * Loads a 128-bit integer value from an unaligned memory address. * * This function reads a 128-bit value from memory without requiring the memory * address to be aligned. * * \param[in] Memory Pointer to the memory location to load from. Does not need to be aligned. * \return A PH_INT128 value loaded from the specified memory address. * \remarks This is useful when the alignment of the source data cannot be guaranteed. */ FORCEINLINE PH_INT128 PhLoadINT128U( _In_reads_bytes_(2 * sizeof(LONG)) PLONG Memory ) { #ifdef _ARM64_ return vld1q_s32(Memory); #else return _mm_loadu_si128((__m128i const*)Memory); #endif } /** * Loads a 128-bit integer value from an aligned memory address. * * \param[in] Memory Pointer to the memory location to load from. Must be 16-byte aligned. * \return A PH_INT128 value loaded from the specified memory address. * \remarks The memory address must be properly aligned for optimal performance. */ FORCEINLINE PH_INT128 PhLoadINT128( _In_reads_bytes_(2 * sizeof(LONG)) PLONG Memory ) { #ifdef _ARM64_ return vld1q_s32(Memory); #else return _mm_load_si128((__m128i const*)Memory); #endif } /** * The PhStoreINT128 function stores a 128-bit integer value to the specified target address. * * \param[out] Target A pointer to a memory location where the 128-bit value will be stored. * Must be aligned to at least 16 bytes and writable for 16 bytes (2 * sizeof(LONG)). * \param[in] Value The 128-bit integer value to be stored. */ FORCEINLINE VOID PhStoreINT128( _Out_writes_bytes_(2 * sizeof(LONG)) PLONG Target, _In_ PH_INT128 Value ) { #ifdef _ARM64_ vst1q_s32(Target, Value); #else _mm_store_si128((__m128i*)Target, Value); #endif } /** * The PhStoreINT128U function stores a 128-bit integer value to the specified unaligned target address * without alignment requirements. * * \param[out] Target A pointer to a memory location where the 128-bit value will be stored. * The memory does not need to be aligned and must be at least 2 * sizeof(LONG) bytes. * \param[in] Value The 128-bit integer value to store. */ FORCEINLINE VOID PhStoreINT128U( _Out_writes_bytes_(2 * sizeof(LONG)) PLONG Target, _In_ PH_INT128 Value ) { #ifdef _ARM64_ vst1q_s32(Target, Value); #else _mm_storeu_si128((__m128i*)Target, Value); #endif } /** * Compares two 128-bit integers element-wise for equality using 16-bit signed integer elements. * * \param Left The left operand as a 128-bit integer. * \param Right The right operand as a 128-bit integer. * \return A 128-bit integer where each 16-bit element is set to all 1s (0xFFFF) if the * corresponding elements in Left and Right are equal, or all 0s (0x0000) if they are not equal. */ FORCEINLINE PH_INT128 PhCompareEqINT128by16( _In_ PH_INT128 Left, _In_ PH_INT128 Right ) { #ifdef _ARM64_ return vceqq_s16(Left, Right); #else return _mm_cmpeq_epi16(Left, Right); #endif } /** * Compares two 128-bit integer vectors element-wise for equality using 32-bit elements. * * \param[in] Left Left operand vector. * \param[in] Right Right operand vector. * \return A PH_INT128 where each 32-bit lane is 0xFFFFFFFF if equal, otherwise 0. */ FORCEINLINE PH_INT128 PhCompareEqINT128by32( _In_ PH_INT128 Left, _In_ PH_INT128 Right ) { #ifdef _ARM64_ return vceqq_s32(Left, Right); #else return _mm_cmpeq_epi32(Left, Right); #endif } /** * Creates a movemask from the top bit of each 8-bit lane in a 128-bit vector. * * \param[in] Value Input vector. * \return A mask in the low 16 bits where bit i corresponds to the top bit of byte i. */ FORCEINLINE ULONG PhMoveMaskINT128by8( _In_ PH_INT128 Value ) { #ifdef _ARM64_ // https://github.com/DLTcollab/sse2neon/blob/master/sse2neon.h uint8x16_t input = Value; uint16x8_t high_bits = vshrq_n_u8(input, 7); uint32x4_t paired16 = vsraq_n_u16(high_bits, high_bits, 7); uint64x2_t paired32 = vsraq_n_u32(paired16, paired16, 14); uint8x16_t paired64 = vsraq_n_u64(paired32, paired32, 28); return vgetq_lane_u8(paired64, 0) | ((int) vgetq_lane_u8(paired64, 8) << 8); #else return _mm_movemask_epi8(Value); #endif } /** * Broadcasts a single float into all lanes of a 128-bit float vector. * * \param[in] Value Float value to broadcast. * \return A PH_FLOAT128 containing Value in every lane. */ FORCEINLINE PH_FLOAT128 PhSetFLOAT128bySingle( _In_ FLOAT Value ) { #ifdef _ARM64_ return vdupq_n_f32(Value); #else return _mm_set1_ps(Value); #endif } /** * Broadcasts a 16-bit signed integer into all 16-bit lanes of a 128-bit vector. * * \param[in] Value 16-bit value to broadcast. * \return A PH_INT128 with Value replicated in each 16-bit lane. */ FORCEINLINE PH_INT128 PhSetINT128by16( _In_ SHORT Value ) { #ifdef _ARM64_ return vdupq_n_s16(Value); #else return _mm_set1_epi16(Value); #endif } /** * Broadcasts a 32-bit signed integer into all 32-bit lanes of a 128-bit vector. * * \param[in] Value 32-bit value to broadcast. * \return A PH_INT128 with Value replicated in each 32-bit lane. */ FORCEINLINE PH_INT128 PhSetINT128by32( _In_ LONG Value ) { #ifdef _ARM64_ return vdupq_n_s32(Value); #else return _mm_set1_epi32(Value); #endif } /** * Broadcasts a 32-bit unsigned integer into all 32-bit lanes of a 128-bit vector. * * \param[in] Value 32-bit unsigned value to broadcast. * \return A PH_INT128 with Value replicated in each 32-bit lane. */ FORCEINLINE PH_INT128 PhSetUINT128by32( _In_ ULONG Value ) { #ifdef _ARM64_ return vdupq_n_u32(Value); #else return _mm_set1_epi32(Value); #endif } /** * Broadcasts a single float by loading it as a replicated scalar into a 128-bit vector. * * \param[in] Value Float value to replicate. * \return A PH_FLOAT128 with Value in every lane. */ FORCEINLINE PH_FLOAT128 PhSetFLOAT128by32( _In_ FLOAT Value ) { #ifdef _ARM64_ return vld1q_dup_f32(&Value); #else return _mm_load_ps1(&Value); #endif } /** * Loads four floats from memory into a 128-bit float vector. * * \param[in] Memory Pointer to 4 floats (must be readable). * \return A PH_FLOAT128 loaded from Memory. */ FORCEINLINE PH_FLOAT128 PhLoadFLOAT128( _In_reads_bytes_(2 * sizeof(PFLOAT)) PFLOAT Memory ) { #ifdef _ARM64_ return vld1q_f32(Memory); #else return _mm_load_ps(Memory); #endif } /** * Adds two 128-bit float vectors lane-wise. * * \param[in] A First addend vector. * \param[in] B Second addend vector. * \return The lane-wise sum vector. */ FORCEINLINE PH_FLOAT128 PhAddFLOAT128( _In_ PH_FLOAT128 A, _In_ PH_FLOAT128 B ) { #ifdef _ARM64_ return vaddq_f32(A, B); #else return _mm_add_ps(A, B); #endif } /** * Divides one 128-bit floating-point vector by another. * * \param Divisor The dividend vector to be divided. * \param Dividend The divisor vector used to divide the Divisor. * \return A PH_FLOAT128 containing the lane-wise results of the division. */ FORCEINLINE PH_FLOAT128 PhDivideFLOAT128( _In_ PH_FLOAT128 Divisor, _In_ PH_FLOAT128 Dividend ) { #ifdef _ARM64_ // https://github.com/DLTcollab/sse2neon/blob/master/sse2neon.h float32x4_t recip = vrecpeq_f32(Dividend); recip = vmulq_f32(recip, vrecpsq_f32(recip, Dividend)); recip = vmulq_f32(recip, vrecpsq_f32(recip, Dividend)); return vmulq_f32(Divisor, recip); #else return _mm_div_ps(Divisor, Dividend); #endif } /** * Returns the lane-wise maximum of two 128-bit float vectors. * * \param[in] A First vector. * \param[in] B Second vector. * \return A vector containing the maximum of A and B per lane. */ FORCEINLINE PH_FLOAT128 PhMaxFLOAT128( _In_ PH_FLOAT128 A, _In_ PH_FLOAT128 B ) { #ifdef _ARM64_ // https://github.com/DLTcollab/sse2neon/blob/master/sse2neon.h #if SSE2NEON_PRECISE_MINMAX float32x4_t _a = A; float32x4_t _b = B; return vbslq_f32(vcgtq_f32(_a, _b), _a, _b); #else return vmaxq_f32(A, B); #endif #else return _mm_max_ps(A, B); #endif } /** * Multiplies two 128-bit float vectors lane-wise. * * \param[in] A First multiplicand vector. * \param[in] B Second multiplicand vector. * \return The lane-wise product vector. */ FORCEINLINE PH_FLOAT128 PhMultiplyFLOAT128( _In_ PH_FLOAT128 A, _In_ PH_FLOAT128 B ) { #ifdef _ARM64_ return vmulq_f32(A, B); #else return _mm_mul_ps(A, B); #endif } /** * Stores four floats from a 128-bit vector to memory. * * \param[out] Target Destination pointer to 4 floats (writable). * \param[in] Value Vector to store. */ FORCEINLINE VOID PhStoreFLOAT128( _Out_writes_bytes_(2 * sizeof(FLOAT)) PFLOAT Target, _In_ PH_FLOAT128 Value ) { #ifdef _ARM64_ vst1q_f32(Target, Value); #else _mm_store_ps(Target, Value); #endif } /** * Stores the lowest single float lane of a 128-bit vector to memory. * * \param[out] Target Destination pointer to a float. * \param[in] Value Vector containing the value to store in lane 0. */ FORCEINLINE VOID PhStoreFLOAT128LowSingle( _Out_writes_bytes_(2 * sizeof(FLOAT)) PFLOAT Target, _In_ PH_FLOAT128 Value ) { #ifdef _ARM64_ vst1q_lane_f32(Target, Value, 0); #else _mm_store_ss(Target, Value); #endif } /** * Returns a 128-bit float vector set to zero. * * \return A PH_FLOAT128 with all lanes set to 0.0f. */ FORCEINLINE PH_FLOAT128 PhZeroFLOAT128( VOID ) { #ifdef _ARM64_ return vdupq_n_f32(0); #else return _mm_setzero_ps(); #endif } #ifndef _MM_SHUFFLE #define _MM_SHUFFLE(fp3,fp2,fp1,fp0) (((fp3) << 6) | ((fp2) << 4) | ((fp1) << 2) | ((fp0))) #endif /** * Shuffle/combine lanes from two 128-bit float vectors in the 2,1,0,3 order. * * \param[in] A First input vector. * \param[in] B Second input vector. * \return A shuffled PH_FLOAT128 composed of selected lanes from A and B. */ FORCEINLINE PH_FLOAT128 PhShuffleFLOAT128_2103( _In_ PH_FLOAT128 A, _In_ PH_FLOAT128 B ) { #ifdef _ARM64_ // https://github.com/DLTcollab/sse2neon/blob/master/sse2neon.h float32x2_t a03 = vget_low_f32(vextq_f32(A, A, 3)); float32x2_t b21 = vget_high_f32(vextq_f32(B, B, 3)); return vcombine_f32(a03, b21); #else return _mm_shuffle_ps(A, B, _MM_SHUFFLE(2, 1, 0, 3)); #endif } /** * Shuffle/combine lanes from two 128-bit float vectors in the 2,3,0,1 order. * * \param[in] A First input vector. * \param[in] B Second input vector. * \return A shuffled PH_FLOAT128 composed of selected lanes from A and B. */ FORCEINLINE PH_FLOAT128 PhShuffleFLOAT128_2301( _In_ PH_FLOAT128 A, _In_ PH_FLOAT128 B ) { #ifdef _ARM64_ // https://github.com/DLTcollab/sse2neon/blob/master/sse2neon.h float32x2_t a03 = vget_low_f32(vextq_f32(A, A, 3)); float32x2_t b21 = vget_high_f32(vextq_f32(B, B, 3)); return vcombine_f32(a03, b21); #else return _mm_shuffle_ps(A, B, _MM_SHUFFLE(2, 3, 0, 1)); #endif } /** * Shuffle/combine lanes from two 128-bit float vectors in the 1,0,3,2 order. * * \param[in] A First input vector. * \param[in] B Second input vector. * \return A shuffled PH_FLOAT128 composed of selected lanes from A and B. */ FORCEINLINE PH_FLOAT128 PhShuffleFLOAT128_1032( _In_ PH_FLOAT128 A, _In_ PH_FLOAT128 B ) { #ifdef _ARM64_ // https://github.com/DLTcollab/sse2neon/blob/master/sse2neon.h float32x2_t a03 = vget_low_f32(vextq_f32(A, A, 3)); float32x2_t b21 = vget_high_f32(vextq_f32(B, B, 3)); return vcombine_f32(a03, b21); #else return _mm_shuffle_ps(A, B, _MM_SHUFFLE(1, 0, 3, 2)); #endif } /** * Shift each 32-bit lane left by a constant count. * * \param[in] A Vector to shift. * \param[in] Count Shift count in bits (0-255). * \return The shifted vector. */ FORCEINLINE PH_INT128 PhShiftLeftINT128( _In_ PH_INT128 A, _In_ _In_range_(0, 255) INT32 Count ) { #ifdef _ARM64_ return vshlq_s32(A, vdupq_n_s32(Count)); #else return _mm_slli_epi32(A, Count); #endif } /** * Shift each 32-bit lane right logically by a constant count. * * \param[in] A Vector to shift. * \param[in] Count Shift count in bits (0-255). * \return The shifted vector. */ FORCEINLINE PH_INT128 PhShiftRightINT128( _In_ PH_INT128 A, _In_ _In_range_(0, 255) INT32 Count ) { #ifdef _ARM64_ return vshlq_u32(A, vdupq_n_s32(-Count)); #else return _mm_srli_epi32(A, Count); #endif } /** * Compares two 128-bit integer vectors lane-wise treating lanes as signed 16-bit values. * * \param[in] A Left operand. * \param[in] B Right operand. * \return A mask vector with 0xFFFF in lanes where A > B, otherwise 0. */ FORCEINLINE PH_INT128 PhCompareGtINT128by16( _In_ PH_INT128 A, _In_ PH_INT128 B ) { #ifdef _ARM64_ return vcgtq_s16(A, B); #else return _mm_cmpgt_epi16(A, B); #endif } /** * Adds two 128-bit integer vectors lane-wise using 16-bit signed lanes. * * \param[in] A First addend. * \param[in] B Second addend. * \return Lane-wise sum vector. */ FORCEINLINE PH_INT128 PhAddINT128by16( _In_ PH_INT128 A, _In_ PH_INT128 B ) { #ifdef _ARM64_ return vaddq_s16(A, B); #else return _mm_add_epi16(A, B); #endif } /** * Subtracts two 128-bit integer vectors lane-wise using 16-bit signed lanes. * * \param[in] A Minuend. * \param[in] B Subtrahend. * \return Lane-wise difference vector. */ FORCEINLINE PH_INT128 PhSubINT128by16( _In_ PH_INT128 A, _In_ PH_INT128 B ) { #ifdef _ARM64_ return vsubq_s16(A, B); #else return _mm_sub_epi16(A, B); #endif } /** * Bitwise AND of two 128-bit integer vectors. * * \param[in] A First operand. * \param[in] B Second operand. * \return Result of A & B. */ FORCEINLINE PH_INT128 PhAndINT128( _In_ PH_INT128 A, _In_ PH_INT128 B ) { #ifdef _ARM64_ return vandq_s32(A, B); #else return _mm_and_si128(A, B); #endif } /** * Bitwise OR of two 128-bit integer vectors. * * \param[in] A First operand. * \param[in] B Second operand. * \return Result of A | B. */ FORCEINLINE PH_INT128 PhOrINT128( _In_ PH_INT128 A, _In_ PH_INT128 B ) { #ifdef _ARM64_ return vorrq_s32(A, B); #else return _mm_or_si128(A, B); #endif } /** * Convert 128-bit float vector to unsigned 32-bit integers per lane. * * \param[in] A Float vector to convert. * \return A PH_INT128 containing converted unsigned 32-bit integers. */ FORCEINLINE PH_INT128 PhConvertFLOAT128ToUINT128( _In_ PH_FLOAT128 A ) { #ifdef _ARM64_ return vcvtq_u32_f32(A); #else return _mm_cvtps_epu32(A); // _mm_cvtps_epi32 #endif } /** * Convert 128-bit signed 32-bit integer vector to float per lane. * * \param[in] A Integer vector to convert. * \return A PH_FLOAT128 containing converted floats. */ FORCEINLINE PH_FLOAT128 PhConvertINT128ToFLOAT128( _In_ PH_INT128 A ) { #ifdef _ARM64_ return vcvtq_f32_s32(A); #else return _mm_cvtepi32_ps(A); #endif } /** * Convert ASCII lower-case letters (a-z) to upper-case (A-Z) for 16-bit lanes. * * \param[in] Input Vector containing UTF-16 characters in 16-bit lanes. * \return Vector with ASCII letters converted to upper-case; other values unchanged. */ FORCEINLINE PH_INT128 PhUppercaseLatin1INT128by16( _In_ PH_INT128 Input ) { #ifdef _ARM64_ // NEON: convert a-z (0x61-0x7A) and à-þ (0xE0-0xFE) excluding ÷ (0xF7) uint16x8_t ge_a = vcgeq_u16(Input, vdupq_n_u16(0x0061)); uint16x8_t le_z = vcleq_u16(Input, vdupq_n_u16(0x007A)); uint16x8_t mask1 = vandq_u16(ge_a, le_z); uint16x8_t ge_lat = vcgeq_u16(Input, vdupq_n_u16(0x00E0)); uint16x8_t le_lat = vcleq_u16(Input, vdupq_n_u16(0x00FE)); uint16x8_t mask2 = vandq_u16(ge_lat, le_lat); uint16x8_t not_div = vceqq_u16(Input, vdupq_n_u16(0x00F7)); mask2 = vbicq_u16(mask2, not_div); uint16x8_t final_mask = vorrq_u16(mask1, mask2); return vsubq_u16(Input, vandq_u16(final_mask, vdupq_n_u16(0x0020))); #else // SSE2: convert a-z (0x61-0x7A) and à-þ (0xE0-0xFE) excluding ÷ (0xF7) __m128i ge_a = _mm_cmpgt_epi16(Input, _mm_set1_epi16(0x0060)); __m128i le_z = _mm_cmpgt_epi16(_mm_set1_epi16(0x007B), Input); __m128i mask1 = _mm_and_si128(ge_a, le_z); __m128i ge_lat = _mm_cmpgt_epi16(Input, _mm_set1_epi16(0x00DF)); __m128i le_lat = _mm_cmpgt_epi16(_mm_set1_epi16(0x00FF), Input); __m128i mask2 = _mm_and_si128(ge_lat, le_lat); __m128i is_div = _mm_cmpeq_epi16(Input, _mm_set1_epi16(0x00F7)); mask2 = _mm_andnot_si128(is_div, mask2); __m128i final_mask = _mm_or_si128(mask1, mask2); return _mm_sub_epi16(Input, _mm_and_si128(final_mask, _mm_set1_epi16(0x0020))); #endif } #ifndef _ARM64_ /** * Convert Latin-1 lowercase letters to upper-case (AVX2). * * \param[in] Input 256-bit vector containing UTF-16 characters in 16-bit lanes. * \return Vector with letters converted to upper-case; other values unchanged. */ FORCEINLINE __m256i PhUppercaseLatin1INT256by16( _In_ __m256i Input ) { // convert a-z (0x61-0x7A) and à-þ (0xE0-0xFE) excluding ÷ (0xF7) __m256i ge_a = _mm256_cmpgt_epi16(Input, _mm256_set1_epi16(0x0060)); __m256i le_z = _mm256_cmpgt_epi16(_mm256_set1_epi16(0x007B), Input); __m256i mask1 = _mm256_and_si256(ge_a, le_z); __m256i ge_lat = _mm256_cmpgt_epi16(Input, _mm256_set1_epi16(0x00DF)); __m256i le_lat = _mm256_cmpgt_epi16(_mm256_set1_epi16(0x00FF), Input); __m256i mask2 = _mm256_and_si256(ge_lat, le_lat); __m256i is_div = _mm256_cmpeq_epi16(Input, _mm256_set1_epi16(0x00F7)); mask2 = _mm256_andnot_si256(is_div, mask2); __m256i final_mask = _mm256_or_si256(mask1, mask2); return _mm256_sub_epi16(Input, _mm256_and_si256(final_mask, _mm256_set1_epi16(0x0020))); } #endif FORCEINLINE PH_INT128 PhUppercaseASCIIINT128by16( _In_ PH_INT128 Input ) { #ifdef _ARM64_ // NEON: convert a-z to A-Z int16x8_t ge_a = vcgeq_s16(Input, vdupq_n_s16(L'a')); int16x8_t le_z = vcleq_s16(Input, vdupq_n_s16(L'z')); int16x8_t mask = vandq_s16(ge_a, le_z); return vsubq_s16(Input, vandq_s16(mask, vdupq_n_s16(0x20))); #else // SSE2: convert a-z to A-Z (8 UTF-16 chars) __m128i ge_a = _mm_cmpgt_epi16(Input, _mm_set1_epi16(L'a' - 1)); __m128i le_z = _mm_cmpgt_epi16(_mm_set1_epi16(L'z' + 1), Input); __m128i mask = _mm_and_si128(ge_a, le_z); return _mm_sub_epi16(Input, _mm_and_si128(mask, _mm_set1_epi16(0x20))); #endif } #ifndef _ARM64_ /** * Convert ASCII lower-case letters (a-z) to upper-case (A-Z) for 16-bit lanes (AVX2). * * \param[in] Input 256-bit vector containing UTF-16 characters in 16-bit lanes. * \return Vector with ASCII letters converted to upper-case; other values unchanged. */ FORCEINLINE __m256i PhUppercaseASCIIINT256by16( _In_ __m256i Input ) { __m256i ge_a = _mm256_cmpgt_epi16(Input, _mm256_set1_epi16(L'a' - 1)); __m256i le_z = _mm256_cmpgt_epi16(_mm256_set1_epi16(L'z' + 1), Input); __m256i mask = _mm256_and_si256(ge_a, le_z); return _mm256_sub_epi16(Input, _mm256_and_si256(mask, _mm256_set1_epi16(0x20))); } /** * Convert 8 unsigned 32-bit integers in a 256-bit vector to floats. * * \param[in] Value 256-bit integer vector containing 8 uint32 values. * \return A __m256 of floats representing the unsigned conversion of Value. */ FORCEINLINE __m256 _mm256_cvtf_epu32( _In_ __m256i Value ) { const __m256 mul = _mm256_set1_ps(0x1.0p16f); const __m256i hi = _mm256_srli_epi32(Value, 16); const __m256i lo = _mm256_srli_epi32(_mm256_slli_epi32(Value, 16), 16); const __m256 fHi = _mm256_mul_ps(_mm256_cvtepi32_ps(hi), mul); const __m256 fLo = _mm256_cvtepi32_ps(lo); return _mm256_add_ps(fHi, fLo); } #endif /** * Convert a 128-bit vector of unsigned 32-bit integers to floats accurately. * * \param[in] Value Integer vector to convert. * \return Float vector with converted values. */ FORCEINLINE PH_FLOAT128 PhConvertUINT128ToFLOAT128( _In_ PH_INT128 Value ) { // https://stackoverflow.com/questions/9151711/most-efficient-way-to-convert-vector-of-uint32-to-vector-of-float const PH_FLOAT128 mul = PhSetFLOAT128bySingle(0x1.0p16f); // 65536 // Avoid double rounding by doing two exact conversions of high and low 16-bit segments. const PH_INT128 hi = PhShiftRightINT128(Value, 16); const PH_INT128 lo = PhShiftRightINT128(PhShiftLeftINT128(Value, 16), 16); // PhAndINT128(Value, PhSetINT128by32(0x0000FFFF)); const PH_FLOAT128 fHi = PhMultiplyFLOAT128(PhConvertINT128ToFLOAT128(hi), mul); const PH_FLOAT128 fLo = PhConvertINT128ToFLOAT128(lo); return PhAddFLOAT128(fHi, fLo); } #endif ================================================ FILE: phlib/include/phintrnl.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2023 * */ #ifndef _PH_PHINTRNL_H #define _PH_PHINTRNL_H NTSTATUS PhInitializeRuntimeInformation( VOID ); NTSTATUS PhInitializeSystemInformation( VOID ); NTSTATUS PhInitializeWindowsInformation( VOID ); NTSTATUS PhHeapInitialization( VOID ); NTSTATUS PhInitializeProcessorInformation( VOID ); typedef struct _PHLIB_STATISTICS_BLOCK { // basesup ULONG BaseThreadsCreated; ULONG BaseThreadsCreateFailed; ULONG BaseStringBuildersCreated; ULONG BaseStringBuildersResized; // ref ULONG RefObjectsCreated; ULONG RefObjectsDestroyed; ULONG RefObjectsAllocated; ULONG RefObjectsFreed; ULONG RefObjectsAllocatedFromSmallFreeList; ULONG RefObjectsFreedToSmallFreeList; ULONG RefObjectsAllocatedFromTypeFreeList; ULONG RefObjectsFreedToTypeFreeList; ULONG RefObjectsDeleteDeferred; ULONG RefAutoPoolsCreated; ULONG RefAutoPoolsDestroyed; ULONG RefAutoPoolsDynamicAllocated; ULONG RefAutoPoolsDynamicResized; // queuedlock ULONG QlBlockSpins; ULONG QlBlockWaits; ULONG QlAcquireExclusiveBlocks; ULONG QlAcquireSharedBlocks; // workqueue ULONG WqWorkQueueThreadsCreated; ULONG WqWorkQueueThreadsCreateFailed; ULONG WqWorkItemsQueued; } PHLIB_STATISTICS_BLOCK; #ifdef DEBUG extern PHLIB_STATISTICS_BLOCK PhLibStatisticsBlock; #endif #ifdef DEBUG #define PHLIB_INC_STATISTIC(Name) (_InterlockedIncrement(&PhLibStatisticsBlock.Name)) #else #define PHLIB_INC_STATISTIC(Name) #endif #endif ================================================ FILE: phlib/include/phnative.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #ifndef _PH_PHNATIVE_H #define _PH_PHNATIVE_H EXTERN_C_START /** The PID of the interrupt process. */ #define INTERRUPTS_PROCESS_ID ((HANDLE)(LONG_PTR)-3) /** The PID of the dpc process. */ #define DPCS_PROCESS_ID ((HANDLE)(LONG_PTR)-2) /** The PID of the current process. */ #define CURRENT_PROCESS_ID ((HANDLE)(LONG_PTR)-1) /** The PID of the idle process. */ #define SYSTEM_IDLE_PROCESS_ID ((HANDLE)0) /** The PID of the system process. */ #define SYSTEM_PROCESS_ID ((HANDLE)4) /** The name of the system idle process. */ #define SYSTEM_IDLE_PROCESS_NAME ((UNICODE_STRING)RTL_CONSTANT_STRING(L"System Idle Process")) #define PhNtPathSeparatorString ((PH_STRINGREF)PH_STRINGREF_INIT(L"\\")) // OBJ_NAME_PATH_SEPARATOR // RtlNtPathSeperatorString #define PhNtDosDevicesPrefix ((PH_STRINGREF)PH_STRINGREF_INIT(L"\\??\\")) // RtlDosDevicesPrefix #define PhNtDevicePathPrefix ((PH_STRINGREF)PH_STRINGREF_INIT(L"\\Device\\")) #define PhWin32ExtendedPathPrefix ((PH_STRINGREF)PH_STRINGREF_INIT(L"\\\\?\\")) // extended-length paths, disable path normalization FORCEINLINE BOOLEAN PhIsNullOrInvalidHandle( _In_ HANDLE Handle ) { return (((ULONG_PTR)Handle + 1) & 0xFFFFFFFFFFFFFFFEuLL) == 0; } // // General object-related function types // typedef _Function_class_(PH_OPEN_OBJECT) NTSTATUS NTAPI PH_OPEN_OBJECT( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ); typedef PH_OPEN_OBJECT* PPH_OPEN_OBJECT; typedef _Function_class_(PH_CLOSE_OBJECT) NTSTATUS NTAPI PH_CLOSE_OBJECT( _In_ HANDLE Handle, _In_ BOOLEAN Release, _In_opt_ PVOID Context ); typedef PH_CLOSE_OBJECT* PPH_CLOSE_OBJECT; typedef _Function_class_(PH_GET_OBJECT_SECURITY) NTSTATUS NTAPI PH_GET_OBJECT_SECURITY( _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_opt_ PVOID Context ); typedef PH_GET_OBJECT_SECURITY* PPH_GET_OBJECT_SECURITY; typedef _Function_class_(PH_SET_OBJECT_SECURITY) NTSTATUS NTAPI PH_SET_OBJECT_SECURITY( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_opt_ PVOID Context ); typedef PH_SET_OBJECT_SECURITY* PPH_SET_OBJECT_SECURITY; typedef struct _PH_TOKEN_ATTRIBUTES { HANDLE TokenHandle; struct { ULONG Elevated : 1; ULONG ElevationType : 2; ULONG SpareBits : 29; }; ULONG Spare; PSID TokenSid; } PH_TOKEN_ATTRIBUTES, *PPH_TOKEN_ATTRIBUTES; typedef enum _MANDATORY_LEVEL_RID { MandatoryUntrustedRID = SECURITY_MANDATORY_UNTRUSTED_RID, MandatoryLowRID = SECURITY_MANDATORY_LOW_RID, MandatoryMediumRID = SECURITY_MANDATORY_MEDIUM_RID, MandatoryMediumPlusRID = SECURITY_MANDATORY_MEDIUM_PLUS_RID, MandatoryHighRID = SECURITY_MANDATORY_HIGH_RID, MandatorySystemRID = SECURITY_MANDATORY_SYSTEM_RID, MandatorySecureProcessRID = SECURITY_MANDATORY_PROTECTED_PROCESS_RID } MANDATORY_LEVEL_RID, *PMANDATORY_LEVEL_RID; PHLIBAPI PH_TOKEN_ATTRIBUTES NTAPI PhGetOwnTokenAttributes( VOID ); PHLIBAPI NTSTATUS NTAPI PhOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ); /** * Opens a process handle with the best available query access. * * The function tries the following access combinations in order: * 1. PROCESS_QUERY_INFORMATION | DesiredAccess * 2. PROCESS_QUERY_LIMITED_INFORMATION | DesiredAccess * 3. PROCESS_QUERY_LIMITED_INFORMATION * * The first successful attempt is returned to the caller. If all attempts * fail, the final NTSTATUS code is returned. * * \param ProcessHandle Receives the resulting process handle on success. * \param DesiredAccess Additional access rights the caller wishes to request. * \param ProcessId The process identifier of the target process. * \return NTSTATUS Successful or errant status. */ FORCEINLINE NTSTATUS NTAPI PhOpenProcessWithQueryAccess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ) { NTSTATUS status; status = PhOpenProcess( ProcessHandle, PROCESS_QUERY_INFORMATION | DesiredAccess, ProcessId ); if (!NT_SUCCESS(status)) { status = PhOpenProcess( ProcessHandle, PROCESS_QUERY_LIMITED_INFORMATION | DesiredAccess, ProcessId ); if (!NT_SUCCESS(status)) { status = PhOpenProcess( ProcessHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId ); } } return status; } PHLIBAPI NTSTATUS NTAPI PhOpenProcessClientId( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ); PHLIBAPI NTSTATUS NTAPI PhOpenProcessPublic( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadId ); PHLIBAPI NTSTATUS NTAPI PhOpenThreadClientId( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ); PHLIBAPI NTSTATUS NTAPI PhOpenThreadPublic( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadId ); PHLIBAPI NTSTATUS NTAPI PhOpenThreadProcess( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhGetThreadBasicInformation( _In_ HANDLE ThreadHandle, _Out_ PTHREAD_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetThreadBasePriority( _In_ HANDLE ThreadHandle, _Out_ PKPRIORITY Increment ); PHLIBAPI NTSTATUS NTAPI PhGetThreadTeb( _In_ HANDLE ThreadHandle, _Out_ PULONG_PTR TebBaseAddress ); PHLIBAPI NTSTATUS NTAPI PhGetThreadTeb32( _In_ HANDLE ThreadHandle, _Out_ PULONG_PTR TebBaseAddress ); PHLIBAPI NTSTATUS NTAPI PhGetThreadStartAddress( _In_ HANDLE ThreadHandle, _Out_ PULONG_PTR StartAddress ); PHLIBAPI NTSTATUS NTAPI PhGetThreadIoPriority( _In_ HANDLE ThreadHandle, _Out_ IO_PRIORITY_HINT* IoPriority ); PHLIBAPI NTSTATUS NTAPI PhGetThreadPagePriority( _In_ HANDLE ThreadHandle, _Out_ PULONG PagePriority ); PHLIBAPI NTSTATUS NTAPI PhGetThreadPriorityBoost( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN PriorityBoostDisabled ); PHLIBAPI NTSTATUS NTAPI PhGetThreadPerformanceCounter( _In_ HANDLE ThreadHandle, _Out_ PLARGE_INTEGER PerformanceCounter ); PHLIBAPI NTSTATUS NTAPI PhGetThreadCycleTime( _In_ HANDLE ThreadHandle, _Out_ PULONG64 CycleTime ); PHLIBAPI NTSTATUS NTAPI PhGetThreadIdealProcessor( _In_ HANDLE ThreadHandle, _Out_ PPROCESSOR_NUMBER ProcessorNumber ); PHLIBAPI NTSTATUS NTAPI PhGetThreadSuspendCount( _In_ HANDLE ThreadHandle, _Out_ PULONG SuspendCount ); PHLIBAPI NTSTATUS NTAPI PhGetThreadWow64Context( _In_ HANDLE ThreadHandle, _Out_ PWOW64_CONTEXT Context ); #if defined(_ARM64_) PHLIBAPI NTSTATUS NTAPI PhGetThreadArm32Context( _In_ HANDLE ThreadHandle, _Out_ PARM_NT_CONTEXT Context ); #endif PHLIBAPI NTSTATUS NTAPI PhGetThreadBreakOnTermination( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN BreakOnTermination ); PHLIBAPI NTSTATUS NTAPI PhSetThreadBreakOnTermination( _In_ HANDLE ThreadHandle, _In_ BOOLEAN BreakOnTermination ); PHLIBAPI NTSTATUS NTAPI PhGetThreadContainerId( _In_ HANDLE ThreadHandle, _In_ PGUID ContainerId ); PHLIBAPI NTSTATUS NTAPI PhGetThreadIsIoPending( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN IsIoPending ); PHLIBAPI NTSTATUS NTAPI PhGetThreadTimes( _In_ HANDLE ThreadHandle, _Out_ PKERNEL_USER_TIMES Times ); PHLIBAPI NTSTATUS NTAPI PhGetThreadIsTerminated( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN IsTerminated ); PHLIBAPI BOOLEAN NTAPI PhGetThreadIsTerminated2( _In_ HANDLE ThreadHandle ); PHLIBAPI NTSTATUS NTAPI PhGetThreadGroupAffinity( _In_ HANDLE ThreadHandle, _Out_ PGROUP_AFFINITY GroupAffinity ); PHLIBAPI NTSTATUS NTAPI PhGetThreadIndexInformation( _In_ HANDLE ThreadHandle, _Out_ PTHREAD_INDEX_INFORMATION ThreadIndex ); PHLIBAPI NTSTATUS NTAPI PhOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI PhOpenProcessTokenPublic( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI PhOpenThreadToken( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ BOOLEAN OpenAsSelf, _Out_ PHANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI PhGetObjectSecurity( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhSetObjectSecurity( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); #define AUDIT_ALARM_ACE_TYPE_MASK ( \ (1 << SYSTEM_AUDIT_ACE_TYPE) | \ (1 << SYSTEM_ALARM_ACE_TYPE) | \ (1 << SYSTEM_AUDIT_OBJECT_ACE_TYPE) | \ (1 << SYSTEM_ALARM_OBJECT_ACE_TYPE) | \ (1 << SYSTEM_AUDIT_CALLBACK_ACE_TYPE) | \ (1 << SYSTEM_ALARM_CALLBACK_ACE_TYPE) | \ (1 << SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE) | \ (1 << SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE)) #define MANDATORY_LABEL_ACE_TYPE_MASK (1 << SYSTEM_MANDATORY_LABEL_ACE_TYPE) #define RESOURCE_ATTRIBUTE_ACE_TYPE_MASK (1 << SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE) #define SCOPED_POLICY_ACE_TYPE_MASK (1 << SYSTEM_SCOPED_POLICY_ID_ACE_TYPE) #define PROCESS_TRUST_ACE_TYPE_MASK (1 << SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE) #define ACCESS_FILTER_ACE_TYPE_MASK (1 << SYSTEM_ACCESS_FILTER_ACE_TYPE) PHLIBAPI NTSTATUS NTAPI PhMergeSystemAcls( _In_opt_ PACL LowerSacl, _In_opt_ PACL HigherSacl, _In_ SECURITY_INFORMATION SecurityInformation, _Outptr_result_maybenull_ PACL* MergedSacl ); PHLIBAPI NTSTATUS NTAPI PhMergeSecurityDescriptors( _In_ PSECURITY_DESCRIPTOR LowerSecurityDescriptor, _In_ PSECURITY_DESCRIPTOR HigherSecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _Outptr_ PSECURITY_DESCRIPTOR* MergedSecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhTerminateProcess( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ); PHLIBAPI NTSTATUS NTAPI PhSuspendProcess( _In_ HANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhResumeProcess( _In_ HANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhTerminateThread( _In_ HANDLE ThreadHandle, _In_ NTSTATUS ExitStatus ); PHLIBAPI NTSTATUS NTAPI PhGetProcessBasicInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetProcessExtendedBasicInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_EXTENDED_BASIC_INFORMATION ExtendedBasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetProcessTimes( _In_ HANDLE ProcessHandle, _Out_ PKERNEL_USER_TIMES Times ); PHLIBAPI NTSTATUS NTAPI PhGetProcessSessionId( _In_ HANDLE ProcessHandle, _Out_ PULONG SessionId ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsWow64( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsWow64Process ); PHLIBAPI NTSTATUS NTAPI PhGetProcessPeb32( _In_ HANDLE ProcessHandle, _Out_ PVOID* Peb32 ); PHLIBAPI NTSTATUS NTAPI PhGetProcessPeb( _In_ HANDLE ProcessHandle, _Out_ PVOID* PebBaseAddress ); PHLIBAPI NTSTATUS NTAPI PhGetProcessDebugObject( _In_ HANDLE ProcessHandle, _Out_ PHANDLE DebugObjectHandle ); PHLIBAPI NTSTATUS NTAPI PhGetProcessEnergyValues( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_EXTENDED_ENERGY_VALUES EnergyValues ); PHLIBAPI NTSTATUS NTAPI PhGetProcessErrorMode( _In_ HANDLE ProcessHandle, _Out_ PULONG ErrorMode ); PHLIBAPI NTSTATUS NTAPI PhSetProcessErrorMode( _In_ HANDLE ProcessHandle, _In_ ULONG ErrorMode ); PHLIBAPI NTSTATUS NTAPI PhGetProcessExecuteFlags( _In_ HANDLE ProcessHandle, _Out_ PULONG ExecuteFlags ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIoPriority( _In_ HANDLE ProcessHandle, _Out_ IO_PRIORITY_HINT *IoPriority ); PHLIBAPI NTSTATUS NTAPI PhGetProcessPagePriority( _In_ HANDLE ProcessHandle, _Out_ PULONG PagePriority ); PHLIBAPI NTSTATUS NTAPI PhGetProcessPriorityBoost( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN PriorityBoostDisabled ); PHLIBAPI NTSTATUS NTAPI PhGetProcessCycleTime( _In_ HANDLE ProcessHandle, _Out_ PULONG64 CycleTime ); PHLIBAPI NTSTATUS NTAPI PhGetProcessUptime( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_UPTIME_INFORMATION Uptime ); PHLIBAPI NTSTATUS NTAPI PhGetProcessConsoleHostProcessId( _In_ HANDLE ProcessHandle, _Out_ PHANDLE ConsoleHostProcessId ); PHLIBAPI NTSTATUS NTAPI PhGetProcessConsoleHostProcess( _In_ HANDLE ProcessHandle, _Out_ PHANDLE ConsoleHostProcessId, _Out_opt_ PBOOLEAN ConsoleApplication ); PHLIBAPI NTSTATUS NTAPI PhGetProcessProtection( _In_ HANDLE ProcessHandle, _Out_ PPS_PROTECTION Protection ); PHLIBAPI NTSTATUS NTAPI PhGetProcessAffinityMask( _In_ HANDLE ProcessHandle, _Out_ PKAFFINITY AffinityMask ); PHLIBAPI NTSTATUS NTAPI PhGetProcessGroupInformation( _In_ HANDLE ProcessHandle, _Inout_ PUSHORT GroupCount, _Out_ PUSHORT GroupArray ); PHLIBAPI NTSTATUS NTAPI PhGetProcessGroupAffinity( _In_ HANDLE ProcessHandle, _Out_ PGROUP_AFFINITY GroupAffinity ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsCFGuardEnabled( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsControlFlowGuardEnabled ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsXFGuardEnabled( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsXFGuardEnabled, _Out_ PBOOLEAN IsXFGuardAuditEnabled ); PHLIBAPI NTSTATUS NTAPI PhGetProcessHandleCount( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_HANDLE_INFORMATION HandleInfo ); PHLIBAPI NTSTATUS NTAPI PhGetProcessBreakOnTermination( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN BreakOnTermination ); PHLIBAPI NTSTATUS NTAPI PhSetProcessBreakOnTermination( _In_ HANDLE ProcessHandle, _In_ BOOLEAN BreakOnTermination ); PHLIBAPI NTSTATUS NTAPI PhGetProcessAppMemoryInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_JOB_MEMORY_INFO JobMemoryInfo ); PHLIBAPI NTSTATUS NTAPI PhGetProcessMitigationPolicy( _In_ HANDLE ProcessHandle, _In_ PROCESS_MITIGATION_POLICY Policy, _Out_ PPROCESS_MITIGATION_POLICY_INFORMATION MitigationPolicy ); PHLIBAPI NTSTATUS NTAPI PhGetProcessNetworkIoCounters( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_NETWORK_COUNTERS NetworkIoCounters ); typedef struct _PH_PROCESS_RUNTIME_LIBRARY { PH_STRINGREF NtdllFileName; PH_STRINGREF Kernel32FileName; PH_STRINGREF User32FileName; } PH_PROCESS_RUNTIME_LIBRARY, *PPH_PROCESS_RUNTIME_LIBRARY; PHLIBAPI NTSTATUS NTAPI PhGetProcessRuntimeLibrary( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_RUNTIME_LIBRARY* RuntimeLibrary, _Out_opt_ PBOOLEAN IsWow64Process ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageFileName( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageFileNameWin32( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageFileNameById( _In_ HANDLE ProcessId, _Out_opt_ PPH_STRING *FullFileName, _Out_opt_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageFileNameByProcessId( _In_opt_ HANDLE ProcessId, _Out_ PPH_STRING* FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsBeingDebugged( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsBeingDebugged ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsTerminating( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsTerminated ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsTerminated( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsTerminated ); PHLIBAPI NTSTATUS NTAPI PhGetProcessDeviceMap( _In_ HANDLE ProcessHandle, _Out_ PULONG DeviceMap ); /** Specifies a PEB string. */ typedef enum _PH_PEB_OFFSET { PhpoNone, PhpoCurrentDirectory, PhpoDllPath, PhpoImagePathName, PhpoCommandLine, PhpoWindowTitle, PhpoDesktopInfo, PhpoShellInfo, PhpoRuntimeData, PhpoTypeMask = 0xffff, PhpoWow64 = 0x10000 } PH_PEB_OFFSET; PHLIBAPI NTSTATUS NTAPI PhGetProcessPebString( _In_ HANDLE ProcessHandle, _In_ PH_PEB_OFFSET Offset, _Out_ PPH_STRING *String ); PHLIBAPI NTSTATUS NTAPI PhGetProcessCommandLine( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *CommandLine ); PHLIBAPI NTSTATUS NTAPI PhGetProcessCommandLineStringRef( _Out_ PPH_STRINGREF CommandLine ); PHLIBAPI NTSTATUS NTAPI PhGetProcessCurrentDirectory( _In_ HANDLE ProcessHandle, _In_ BOOLEAN IsWow64Process, _Out_ PPH_STRING* CurrentDirectory ); PHLIBAPI NTSTATUS NTAPI PhGetProcessDesktopInfo( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *DesktopInfo ); PHLIBAPI NTSTATUS NTAPI PhGetProcessWindowTitle( _In_ HANDLE ProcessHandle, _Out_ PULONG WindowFlags, _Out_ PPH_STRING *WindowTitle ); #define PH_PROCESS_DEP_ENABLED 0x1 #define PH_PROCESS_DEP_ATL_THUNK_EMULATION_DISABLED 0x2 #define PH_PROCESS_DEP_PERMANENT 0x4 #define PH_PROCESS_DEP_EXECUTE_ENABLED 0x8 #define PH_PROCESS_DEP_IMAGE_ENABLED 0x10 #define PH_PROCESS_DEP_DISABLE_EXCEPTION_CHAIN 0x20 PHLIBAPI NTSTATUS NTAPI PhGetProcessDepStatus( _In_ HANDLE ProcessHandle, _Out_ PULONG DepStatus ); PHLIBAPI NTSTATUS NTAPI PhGetProcessEnvironment( _In_ HANDLE ProcessHandle, _In_ BOOLEAN IsWow64Process, _Out_ PVOID *Environment, _Out_ PULONG EnvironmentLength ); typedef struct _PH_ENVIRONMENT_VARIABLE { PH_STRINGREF Name; PH_STRINGREF Value; } PH_ENVIRONMENT_VARIABLE, *PPH_ENVIRONMENT_VARIABLE; PHLIBAPI NTSTATUS NTAPI PhEnumProcessEnvironmentVariables( _In_ PVOID Environment, _In_ ULONG EnvironmentLength, _Inout_ PULONG EnumerationKey, _Out_ PPH_ENVIRONMENT_VARIABLE Variable ); PHLIBAPI NTSTATUS NTAPI PhQueryEnvironmentVariableStringRef( _In_opt_ PVOID Environment, _In_ PCPH_STRINGREF Name, _Inout_opt_ PPH_STRINGREF Value ); FORCEINLINE NTSTATUS NTAPI PhQueryEnvironmentVariableToBufferZ( _In_opt_ PVOID Environment, _In_ PCWSTR Name, _Out_writes_opt_(BufferLength) PWSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_ PSIZE_T ReturnLength ) { NTSTATUS status; PH_STRINGREF name; PhInitializeStringRef(&name, Name); status = RtlQueryEnvironmentVariable( Environment, name.Buffer, name.Length / sizeof(WCHAR), Buffer, BufferLength, ReturnLength ); return status; } PHLIBAPI NTSTATUS NTAPI PhQueryEnvironmentVariable( _In_opt_ PVOID Environment, _In_ PCPH_STRINGREF Name, _Out_opt_ PPH_STRING* Value ); FORCEINLINE NTSTATUS NTAPI PhQueryEnvironmentVariableZ( _In_opt_ PVOID Environment, _In_ PCWSTR Name, _Out_opt_ PPH_STRING* Value ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); return PhQueryEnvironmentVariable(Environment, &name, Value); } PHLIBAPI NTSTATUS NTAPI PhSetEnvironmentVariable( _In_opt_ PVOID Environment, _In_ PCPH_STRINGREF Name, _In_opt_ PCPH_STRINGREF Value ); FORCEINLINE NTSTATUS NTAPI PhSetEnvironmentVariableZ( _In_opt_ PVOID Environment, _In_ PCWSTR Name, _In_opt_ PCWSTR Value ) { if (Value) { PH_STRINGREF name; PH_STRINGREF value; PhInitializeStringRef(&name, Name); PhInitializeStringRef(&value, Value); return PhSetEnvironmentVariable(Environment, &name, &value); } else { PH_STRINGREF name; PhInitializeStringRef(&name, Name); return PhSetEnvironmentVariable(Environment, &name, NULL); } } PHLIBAPI NTSTATUS NTAPI PhGetProcessMappedFileName( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessMappedImageInformation( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PMEMORY_IMAGE_INFORMATION ImageInformation ); PHLIBAPI NTSTATUS NTAPI PhGetProcessMappedImageBaseFromAddress( _In_ HANDLE ProcessHandle, _In_ PVOID Address, _Out_ PVOID* ImageBase, _Out_opt_ PSIZE_T ImageSize ); PHLIBAPI NTSTATUS NTAPI PhGetProcessWorkingSetInformation( _In_ HANDLE ProcessHandle, _Out_ PMEMORY_WORKING_SET_INFORMATION *WorkingSetInformation ); typedef struct _PH_PROCESS_WS_COUNTERS { SIZE_T NumberOfPages; SIZE_T NumberOfPrivatePages; SIZE_T NumberOfSharedPages; SIZE_T NumberOfShareablePages; } PH_PROCESS_WS_COUNTERS, *PPH_PROCESS_WS_COUNTERS; PHLIBAPI NTSTATUS NTAPI PhGetProcessWsCounters( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_WS_COUNTERS WsCounters ); PHLIBAPI NTSTATUS NTAPI PhLoadDllProcess( _In_ HANDLE ProcessHandle, _In_ PPH_STRINGREF FileName, _In_opt_ ULONG Timeout ); PHLIBAPI NTSTATUS NTAPI PhLoadDllProcessApcThread( _In_ HANDLE ProcessHandle, _In_ PPH_STRINGREF FileName, _In_opt_ ULONG Timeout ); PHLIBAPI NTSTATUS NTAPI PhUnloadDllProcess( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_opt_ ULONG Timeout ); PHLIBAPI NTSTATUS NTAPI PhGetProcessUnloadedDlls( _In_ HANDLE ProcessId, _Out_ PVOID *EventTrace, _Out_ ULONG *EventTraceSize, _Out_ ULONG *EventTraceCount ); PHLIBAPI NTSTATUS NTAPI PhTraceControl( _In_ ETWTRACECONTROLCODE TraceInformationClass, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _Out_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhTraceControlVariableSize( _In_ ETWTRACECONTROLCODE TraceInformationClass, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(*OutputBufferLength) PVOID* OutputBuffer, _Out_opt_ PULONG OutputBufferLength ); PHLIBAPI NTSTATUS NTAPI PhSetEnvironmentVariableRemote( _In_ HANDLE ProcessHandle, _In_ PPH_STRINGREF Name, _In_opt_ PPH_STRINGREF Value, _In_opt_ PLARGE_INTEGER Timeout ); PHLIBAPI NTSTATUS NTAPI PhGetWindowClientId( _In_ HWND WindowHandle, _Out_ PCLIENT_ID ClientId ); PHLIBAPI NTSTATUS NTAPI PhDestroyWindowRemote( _In_ HANDLE ProcessHandle, _In_ HWND WindowHandle ); PHLIBAPI NTSTATUS NTAPI PhInvokeWindowProcedureRemote( _In_ HWND WindowHandle, _In_ PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ); PHLIBAPI NTSTATUS NTAPI PhSetHandleInformationRemote( _In_ HANDLE ProcessHandle, _In_ HANDLE RemoteHandle, _In_ ULONG Mask, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhOpenJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ); PHLIBAPI NTSTATUS NTAPI PhGetJobProcessIdList( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_PROCESS_ID_LIST *ProcessIdList ); PHLIBAPI NTSTATUS NTAPI PhGetJobBasicAndIoAccounting( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION BasicAndIoAccounting ); PHLIBAPI NTSTATUS NTAPI PhGetJobBasicLimits( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimits ); PHLIBAPI NTSTATUS NTAPI PhGetJobExtendedLimits( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_EXTENDED_LIMIT_INFORMATION ExtendedLimits ); PHLIBAPI NTSTATUS NTAPI PhGetJobBasicUiRestrictions( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_UI_RESTRICTIONS BasicUiRestrictions ); PHLIBAPI NTSTATUS NTAPI PhQueryTokenVariableSize( _In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_ PVOID *Buffer ); PHLIBAPI NTSTATUS NTAPI PhGetTokenType( _In_ HANDLE TokenHandle, _Out_ PTOKEN_TYPE Type ); PHLIBAPI NTSTATUS NTAPI PhGetTokenSessionId( _In_ HANDLE TokenHandle, _Out_ PULONG SessionId ); PHLIBAPI NTSTATUS NTAPI PhGetTokenElevationType( _In_ HANDLE TokenHandle, _Out_ PTOKEN_ELEVATION_TYPE ElevationType ); PHLIBAPI NTSTATUS NTAPI PhGetTokenElevation( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN TokenIsElevated ); PHLIBAPI NTSTATUS NTAPI PhGetTokenStatistics( _In_ HANDLE TokenHandle, _Out_ PTOKEN_STATISTICS Statistics ); PHLIBAPI NTSTATUS NTAPI PhGetTokenSource( _In_ HANDLE TokenHandle, _Out_ PTOKEN_SOURCE Source ); PHLIBAPI NTSTATUS NTAPI PhGetTokenLinkedToken( _In_ HANDLE TokenHandle, _Out_ PHANDLE LinkedTokenHandle ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIsRestricted( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsRestricted ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIsVirtualizationAllowed( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsVirtualizationAllowed ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIsVirtualizationEnabled( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsVirtualizationEnabled ); PHLIBAPI NTSTATUS NTAPI PhGetTokenUIAccess( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsUIAccessEnabled ); PHLIBAPI NTSTATUS NTAPI PhSetTokenUIAccess( _In_ HANDLE TokenHandle, _In_ BOOLEAN IsUIAccessEnabled ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIsSandBoxInert( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsSandBoxInert ); PHLIBAPI NTSTATUS NTAPI PhGetTokenMandatoryPolicy( _In_ HANDLE TokenHandle, _Out_ PTOKEN_MANDATORY_POLICY MandatoryPolicy ); PHLIBAPI NTSTATUS NTAPI PhGetTokenOrigin( _In_ HANDLE TokenHandle, _Out_ PTOKEN_ORIGIN Origin ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIsAppContainer( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsAppContainer ); PHLIBAPI NTSTATUS NTAPI PhGetTokenAppContainerNumber( _In_ HANDLE TokenHandle, _Out_ PULONG AppContainerNumber ); // rev from SE_TOKEN_USER (dmex) typedef struct _PH_TOKEN_USER { union { TOKEN_USER TokenUser; SID_AND_ATTRIBUTES User; }; union { SID Sid; BYTE Buffer[SECURITY_MAX_SID_SIZE]; }; } PH_TOKEN_USER, *PPH_TOKEN_USER; C_ASSERT(sizeof(PH_TOKEN_USER) >= TOKEN_USER_MAX_SIZE); PHLIBAPI NTSTATUS NTAPI PhGetTokenUser( _In_ HANDLE TokenHandle, _Out_ PPH_TOKEN_USER User ); typedef struct _PH_TOKEN_OWNER { union { TOKEN_OWNER TokenOwner; SID_AND_ATTRIBUTES Owner; }; union { SID Sid; BYTE Buffer[SECURITY_MAX_SID_SIZE]; }; } PH_TOKEN_OWNER, *PPH_TOKEN_OWNER; C_ASSERT(sizeof(PH_TOKEN_OWNER) >= TOKEN_OWNER_MAX_SIZE); PHLIBAPI NTSTATUS NTAPI PhGetTokenOwner( _In_ HANDLE TokenHandle, _Out_ PPH_TOKEN_OWNER Owner ); PHLIBAPI NTSTATUS NTAPI PhGetTokenPrimaryGroup( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIMARY_GROUP *PrimaryGroup ); PHLIBAPI NTSTATUS NTAPI PhGetTokenDefaultDacl( _In_ HANDLE TokenHandle, _Out_ PTOKEN_DEFAULT_DACL* DefaultDacl ); PHLIBAPI NTSTATUS NTAPI PhGetTokenGroups( _In_ HANDLE TokenHandle, _Out_ PTOKEN_GROUPS *Groups ); PHLIBAPI NTSTATUS NTAPI PhGetTokenRestrictedSids( _In_ HANDLE TokenHandle, _Out_ PTOKEN_GROUPS* RestrictedSids ); PHLIBAPI NTSTATUS NTAPI PhGetTokenPrivileges( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIVILEGES *Privileges ); PHLIBAPI NTSTATUS NTAPI PhGetTokenTrustLevel( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PROCESS_TRUST_LEVEL *TrustLevel ); typedef struct _PH_TOKEN_APPCONTAINER { union { TOKEN_APPCONTAINER_INFORMATION TokenAppContainer; SID_AND_ATTRIBUTES AppContainer; }; union { SID Sid; BYTE Buffer[SECURITY_MAX_SID_SIZE]; }; } PH_TOKEN_APPCONTAINER, *PPH_TOKEN_APPCONTAINER; C_ASSERT(sizeof(PH_TOKEN_APPCONTAINER) >= TOKEN_APPCONTAINER_SID_MAX_SIZE); PHLIBAPI NTSTATUS NTAPI PhGetTokenAppContainerSid( _In_ HANDLE TokenHandle, _Out_ PPH_TOKEN_APPCONTAINER AppContainerSid ); PHLIBAPI NTSTATUS NTAPI PhGetTokenSecurityAttributes( _In_ HANDLE TokenHandle, _Out_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION* SecurityAttributes ); PHLIBAPI NTSTATUS NTAPI PhGetTokenSecurityAttribute( _In_ HANDLE TokenHandle, _In_ PCPH_STRINGREF AttributeName, _Out_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION* SecurityAttributes ); PHLIBAPI NTSTATUS NTAPI PhDoesTokenSecurityAttributeExist( _In_ HANDLE TokenHandle, _In_ PCPH_STRINGREF AttributeName, _Out_ PBOOLEAN SecurityAttributeExists ); PHLIBAPI BOOLEAN NTAPI PhGetTokenIsFullTrustPackage( _In_ HANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIsLessPrivilegedAppContainer( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsLessPrivilegedAppContainer ); PHLIBAPI ULONG64 NTAPI PhGetTokenSecurityAttributeValueUlong64( _In_ HANDLE TokenHandle, _In_ PCPH_STRINGREF Name, _In_ ULONG ValueIndex ); PHLIBAPI NTSTATUS NTAPI PhGetTokenPackageFullName( _In_ HANDLE TokenHandle, _Out_ PPH_STRING* PackageFullName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsStronglyNamed( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsStronglyNamed ); PHLIBAPI BOOLEAN NTAPI PhGetProcessIsFullTrustPackage( _In_ HANDLE ProcessHandle ); PHLIBAPI PPH_STRING NTAPI PhGetProcessPackageFullName( _In_ HANDLE ProcessHandle ); // rev from RtlInitializeSid (dmex) FORCEINLINE BOOLEAN NTAPI PhInitializeSid( _Out_ PSID Sid, _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, _In_ UCHAR SubAuthorityCount ) { #if defined(PHNT_NATIVE_INLINE) return NT_SUCCESS(RtlInitializeSid(Sid, IdentifierAuthority, SubAuthorityCount)); #else ((PISID)Sid)->Revision = SID_REVISION; ((PISID)Sid)->IdentifierAuthority = *IdentifierAuthority; ((PISID)Sid)->SubAuthorityCount = SubAuthorityCount; for (UCHAR i = 0; i < SubAuthorityCount; i++) { ((PISID)Sid)->SubAuthority[i] = 0; } return TRUE; #endif } // rev from RtlLengthSid (dmex) FORCEINLINE ULONG NTAPI PhLengthSid( _In_ PCSID Sid ) { #if defined(PHNT_NATIVE_INLINE) return RtlLengthSid((PSID)Sid); #else //return UFIELD_OFFSET(SID, SubAuthority) + (((PISID)Sid)->SubAuthorityCount * sizeof(ULONG)); return UFIELD_OFFSET(SID, SubAuthority[((PISID)Sid)->SubAuthorityCount]); #endif } // rev from RtlLengthRequiredSid (dmex) FORCEINLINE ULONG NTAPI PhLengthRequiredSid( _In_ ULONG SubAuthorityCount ) { #if defined(PHNT_NATIVE_INLINE) return RtlLengthRequiredSid(SubAuthorityCount); #else return UFIELD_OFFSET(SID, SubAuthority[SubAuthorityCount]); #endif } // rev from RtlEqualSid (dmex) FORCEINLINE BOOLEAN NTAPI PhEqualSid( _In_ PCSID Sid1, _In_ PCSID Sid2 ) { #if defined(PHNT_NATIVE_INLINE) return RtlEqualSid((PSID)Sid1, (PSID)Sid2); #else if (!(Sid1 && Sid2)) return FALSE; if (!( ((PISID)Sid1)->Revision == ((PISID)Sid2)->Revision && ((PISID)Sid1)->SubAuthorityCount == ((PISID)Sid2)->SubAuthorityCount )) { return FALSE; } ULONG length1 = PhLengthSid(Sid1); ULONG length2 = PhLengthSid(Sid2); if (length1 != length2) return FALSE; return (BOOLEAN)RtlEqualMemory(Sid1, Sid2, length1); #endif } // rev from RtlValidSid (dmex) FORCEINLINE BOOLEAN NTAPI PhValidSid( _In_ PCSID Sid ) { #if defined(PHNT_NATIVE_INLINE) return RtlValidSid((PSID)Sid); #else if ( ((PISID)Sid) && ((PISID)Sid)->Revision == SID_REVISION && ((PISID)Sid)->SubAuthorityCount <= SID_MAX_SUB_AUTHORITIES ) { return TRUE; } return FALSE; #endif } // rev from RtlSubAuthoritySid (dmex) FORCEINLINE PULONG NTAPI PhSubAuthoritySid( _In_ PCSID Sid, _In_ ULONG SubAuthority ) { #if defined(PHNT_NATIVE_INLINE) return RtlSubAuthoritySid((PSID)Sid, SubAuthority); #else return &((PISID)Sid)->SubAuthority[SubAuthority]; #endif } // rev from RtlSubAuthorityCountSid (dmex) FORCEINLINE PUCHAR NTAPI PhSubAuthorityCountSid( _In_ PCSID Sid ) { #if defined(PHNT_NATIVE_INLINE) return RtlSubAuthorityCountSid((PSID)Sid); #else return &((PISID)Sid)->SubAuthorityCount; #endif } // rev from RtlIdentifierAuthoritySid (dmex) FORCEINLINE PSID_IDENTIFIER_AUTHORITY NTAPI PhIdentifierAuthoritySid( _In_ PCSID Sid ) { #if defined(PHNT_NATIVE_INLINE) return RtlIdentifierAuthoritySid((PSID)Sid); #else return &((PISID)Sid)->IdentifierAuthority; #endif } FORCEINLINE BOOLEAN NTAPI PhEqualIdentifierAuthoritySid( _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthoritySid1, _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthoritySid2 ) { #if defined(PHNT_NATIVE_INLINE) return RtlEqualMemory(RtlIdentifierAuthoritySid(IdentifierAuthoritySid1), RtlIdentifierAuthoritySid(IdentifierAuthoritySid2), sizeof(SID_IDENTIFIER_AUTHORITY)); #else return (BOOLEAN)RtlEqualMemory(IdentifierAuthoritySid1, IdentifierAuthoritySid2, sizeof(SID_IDENTIFIER_AUTHORITY)); #endif } // rev from RtlCreateSecurityDescriptor (dmex) FORCEINLINE NTSTATUS NTAPI PhCreateSecurityDescriptor( _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision ) { #if defined(PHNT_NATIVE_INLINE) return RtlCreateSecurityDescriptor(SecurityDescriptor, Revision); #else memset(SecurityDescriptor, 0, sizeof(SECURITY_DESCRIPTOR)); ((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision = (BYTE)Revision; return STATUS_SUCCESS; #endif } // rev from RtlValidAcl (dmex) FORCEINLINE BOOLEAN NTAPI PhValidAcl( _In_opt_ PACL Acl ) { if (!Acl || Acl->AclRevision < MIN_ACL_REVISION || Acl->AclRevision > MAX_ACL_REVISION) return FALSE; if (Acl->AclSize < sizeof(ACL) || ((Acl->AclSize & 3U) != 0)) // enforce alignment return FALSE; return RtlValidAcl(Acl); } FORCEINLINE UCHAR NTAPI PhRequiredAclRevision( _In_ UCHAR AceType ) { switch (AceType) { case ACCESS_ALLOWED_OBJECT_ACE_TYPE: case ACCESS_DENIED_OBJECT_ACE_TYPE: case SYSTEM_AUDIT_OBJECT_ACE_TYPE: case SYSTEM_ALARM_OBJECT_ACE_TYPE: case ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE: case ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE: case SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE: case SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE: return ACL_REVISION4; case ACCESS_ALLOWED_COMPOUND_ACE_TYPE: return ACL_REVISION3; default: return MIN_ACL_REVISION; } } FORCEINLINE VOID NTAPI PhEnsureAclRevision( _Inout_ PULONG_PTR AclRevision, _In_ UCHAR AceType ) { UCHAR requiredRevision = PhRequiredAclRevision(AceType); if (requiredRevision > *AclRevision) { *AclRevision = requiredRevision; } } FORCEINLINE PVOID NTAPI PhFirstAce( _In_ PACL Acl ) { return RTL_PTR_ADD(Acl, sizeof(ACL)); } FORCEINLINE PVOID NTAPI PhNextAce( _In_ PACL Ace ) { PACE_HEADER ace = (PACE_HEADER)Ace; if (ace->AceSize < sizeof(ACE_HEADER) || (ace->AceSize & 3U) != 0) // enforce alignment return NULL; return RTL_PTR_ADD(Ace, ace->AceSize); } FORCEINLINE BOOLEAN NTAPI PhFirstFreeAce( _In_ PACL Acl, _Out_ PVOID* FirstFree ) { #if defined(PHNT_NATIVE_INLINE) return RtlFirstFreeAce(Acl, FirstFree); #else if (!PhValidAcl(Acl)) { *FirstFree = NULL; return FALSE; } ULONG_PTR current = (ULONG_PTR)PhFirstAce(Acl); const ULONG_PTR last = (ULONG_PTR)RTL_PTR_ADD(Acl, Acl->AclSize); for (USHORT i = 0; i < Acl->AceCount; i++) { if (current >= last) goto InvalidAcl; //ULONG_PTR headerEnd = (ULONG_PTR)RTL_PTR_ADD(current, sizeof(ACE_HEADER)); //if (headerEnd > last) // goto InvalidAcl; ULONG_PTR next = (ULONG_PTR)PhNextAce((PACL)current); if (next > last) goto InvalidAcl; current = next; } *FirstFree = (PVOID)current; return TRUE; InvalidAcl: *FirstFree = NULL; return FALSE; #endif } FORCEINLINE NTSTATUS NTAPI PhGetAce( _In_ PACL Acl, _In_ ULONG AceIndex, _Out_ PVOID* Ace ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetAce(Acl, AceIndex, Ace); #else PVOID current; PVOID lastace; if (Acl->AclRevision < MIN_ACL_REVISION || Acl->AclRevision > MAX_ACL_REVISION || AceIndex >= Acl->AceCount) { return STATUS_INVALID_ACL; } current = PhFirstAce(Acl); lastace = RTL_PTR_ADD(Acl, Acl->AclSize); for (ULONG i = 0; i < AceIndex; i++) { if ((ULONG_PTR)current >= (ULONG_PTR)lastace) return STATUS_INVALID_ACL; current = PhNextAce((PACL)current); } if (current >= lastace) return STATUS_INVALID_ACL; *Ace = current; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhAddAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG StartingAceIndex, _In_reads_bytes_(AceListLength) PVOID AceList, _In_ ULONG AceListLength ) { PVOID firstFree = NULL; if (!PhValidAcl(Acl)) return STATUS_INVALID_PARAMETER; if (AceListLength == 0) return STATUS_SUCCESS; if (!PhFirstFreeAce(Acl, &firstFree) || !firstFree) return STATUS_INVALID_ACL; // Determine final revision (max of current ACL revision and requested). ULONG_PTR finalRevision = Acl->AclRevision; if ((ULONG_PTR)AceRevision > finalRevision) { finalRevision = (ULONG_PTR)AceRevision; } // Validate the incoming ACE list and compute newAceCount, while checking // the ACL revision supports the ACE types to be inserted. ULONG_PTR src = (ULONG_PTR)AceList; ULONG_PTR const srcEnd = src + AceListLength; USHORT newAceCount = 0; while (src < srcEnd) { if (src + sizeof(ACE_HEADER) > srcEnd) return STATUS_INVALID_PARAMETER; PACE_HEADER aceHdr = (PACE_HEADER)src; USHORT inSize = aceHdr->AceSize; if (inSize == 0 || src + inSize > srcEnd) return STATUS_INVALID_PARAMETER; // Ensure the ACL revision can host this ACE type. PhEnsureAclRevision(&finalRevision, aceHdr->AceType); src += inSize; ++newAceCount; } if (src != srcEnd) return STATUS_INVALID_PARAMETER; // Determine insertion point. PVOID insertAce = firstFree; ULONG existingAceCount = Acl->AceCount; if (StartingAceIndex < existingAceCount) { NTSTATUS status; status = PhGetAce( Acl, StartingAceIndex, &insertAce ); if (!NT_SUCCESS(status)) return status; } // else insert at end (firstFree) // Ensure AceListLength bytes free between end of ACL buffer and current firstFree. ULONG_PTR const aclStart = (ULONG_PTR)Acl; ULONG_PTR const aclEnd = aclStart + Acl->AclSize; if ((ULONG_PTR)PTR_ADD_OFFSET(firstFree, AceListLength) > (ULONG_PTR)aclEnd) return STATUS_BUFFER_TOO_SMALL; // Shift tail [insertPtr, firstFree) forward to make room. ULONG_PTR tailBytes = (ULONG_PTR)PTR_SUB_OFFSET(firstFree, insertAce); if (tailBytes > 0) { RtlMoveMemory(PTR_ADD_OFFSET(insertAce, AceListLength), insertAce, tailBytes); } // Copy new ACEs. RtlCopyMemory(insertAce, AceList, AceListLength); // Update counts and revision. Acl->AceCount = (USHORT)(Acl->AceCount + newAceCount); Acl->AclRevision = (UCHAR)finalRevision; return STATUS_SUCCESS; } FORCEINLINE NTSTATUS NTAPI PhCreateAcl( _Out_ PACL Acl, _In_ ULONG Length, _In_ ULONG Revision ) { #if defined(PHNT_NATIVE_INLINE) return RtlCreateAcl(Acl, Length, Revision); #else if (Length < sizeof(ACL)) return STATUS_BUFFER_TOO_SMALL; if (Length > USHRT_MAX) return STATUS_INVALID_PARAMETER; if (Revision < MIN_ACL_REVISION || Revision > MAX_ACL_REVISION) return STATUS_REVISION_MISMATCH; memset(Acl, 0, sizeof(ACL)); Acl->AclRevision = (BYTE)Revision; Acl->AclSize = (USHORT)(Length & ~0x0003); return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhGetDaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Outptr_result_maybenull_ PACL* Dacl, _Out_ PBOOLEAN DaclDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetDaclSecurityDescriptor(SecurityDescriptor, DaclPresent, Dacl, DaclDefaulted); #else PISECURITY_DESCRIPTOR securityDescriptor = (PISECURITY_DESCRIPTOR)SecurityDescriptor; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PACL dacl = NULL; if (securityDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (present = BooleanFlagOn(securityDescriptor->Control, SE_DACL_PRESENT)) { defaulted = BooleanFlagOn(securityDescriptor->Control, SE_DACL_DEFAULTED); if (BooleanFlagOn(securityDescriptor->Control, SE_SELF_RELATIVE)) { PISECURITY_DESCRIPTOR_RELATIVE securityDescriptorRelative = (PISECURITY_DESCRIPTOR_RELATIVE)SecurityDescriptor; if (securityDescriptorRelative->Dacl) { dacl = (PACL)RTL_PTR_ADD(SecurityDescriptor, securityDescriptorRelative->Dacl); } } else { dacl = securityDescriptor->Dacl; } } *DaclPresent = present; *DaclDefaulted = defaulted; *Dacl = dacl; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhSetDaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN DaclPresent, _In_opt_ PACL Dacl, _In_opt_ BOOLEAN DaclDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlSetDaclSecurityDescriptor(SecurityDescriptor, DaclPresent, Dacl, DaclDefaulted); #else if (((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (FlagOn(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SELF_RELATIVE)) return STATUS_INVALID_SECURITY_DESCR; if (DaclPresent) SetFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_DACL_PRESENT); else ClearFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_DACL_PRESENT); if (DaclDefaulted) SetFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_DACL_DEFAULTED); else ClearFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_DACL_DEFAULTED); ((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Dacl = Dacl; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhGetDaclSecurityDescriptorNotNull( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PBOOLEAN DaclDefaulted, _Outptr_result_maybenull_ PACL* Dacl ) { NTSTATUS status; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PACL dacl = NULL; status = PhGetDaclSecurityDescriptor( SecurityDescriptor, &present, &dacl, &defaulted ); if (NT_SUCCESS(status)) { if (dacl) { *DaclPresent = present; *DaclDefaulted = defaulted; *Dacl = dacl; } else { status = STATUS_INVALID_SECURITY_DESCR; } } return status; } FORCEINLINE NTSTATUS NTAPI PhGetSaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Outptr_result_maybenull_ PACL* Sacl, _Out_ PBOOLEAN SaclDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetSaclSecurityDescriptor(SecurityDescriptor, SaclPresent, Sacl, SaclDefaulted); #else PISECURITY_DESCRIPTOR securityDescriptor = (PISECURITY_DESCRIPTOR)SecurityDescriptor; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PACL sacl = NULL; if (securityDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (present = BooleanFlagOn(securityDescriptor->Control, SE_SACL_PRESENT)) { defaulted = BooleanFlagOn(securityDescriptor->Control, SE_SACL_DEFAULTED); if (BooleanFlagOn(securityDescriptor->Control, SE_SELF_RELATIVE)) { PISECURITY_DESCRIPTOR_RELATIVE securityDescriptorRelative = (PISECURITY_DESCRIPTOR_RELATIVE)SecurityDescriptor; if (securityDescriptorRelative->Sacl) { sacl = (PACL)RTL_PTR_ADD(SecurityDescriptor, securityDescriptorRelative->Sacl); } } else { sacl = securityDescriptor->Sacl; } } *SaclPresent = present; *SaclDefaulted = defaulted; *Sacl = sacl; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhSetSaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN SaclPresent, _In_opt_ PACL Sacl, _In_opt_ BOOLEAN SaclDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlSetSaclSecurityDescriptor(SecurityDescriptor, SaclPresent, Sacl, SaclDefaulted); #else if (((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (FlagOn(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SELF_RELATIVE)) return STATUS_INVALID_SECURITY_DESCR; if (SaclPresent) SetFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SACL_PRESENT); else ClearFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SACL_PRESENT); if (SaclDefaulted) SetFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SACL_DEFAULTED); else ClearFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SACL_DEFAULTED); ((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Sacl = Sacl; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhGetOwnerSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Outptr_result_maybenull_ PSID* Owner, _Out_ PBOOLEAN OwnerDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetOwnerSecurityDescriptor(SecurityDescriptor, Owner, OwnerDefaulted); #else PISECURITY_DESCRIPTOR securityDescriptor = (PISECURITY_DESCRIPTOR)SecurityDescriptor; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PSID owner = NULL; if (securityDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; defaulted = BooleanFlagOn(securityDescriptor->Control, SE_OWNER_DEFAULTED); if (BooleanFlagOn(securityDescriptor->Control, SE_SELF_RELATIVE)) { PISECURITY_DESCRIPTOR_RELATIVE securityDescriptorRelative = (PISECURITY_DESCRIPTOR_RELATIVE)SecurityDescriptor; if (securityDescriptorRelative->Owner) { owner = RTL_PTR_ADD(SecurityDescriptor, securityDescriptorRelative->Owner); } } else { owner = securityDescriptor->Sacl; } *OwnerDefaulted = defaulted; *Owner = owner; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhSetOwnerSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID Owner, _In_opt_ BOOLEAN OwnerDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlSetOwnerSecurityDescriptor(SecurityDescriptor, Owner, OwnerDefaulted); #else if (((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (FlagOn(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SELF_RELATIVE)) { return STATUS_INVALID_SECURITY_DESCR; } else { if (OwnerDefaulted) SetFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_OWNER_DEFAULTED); else ClearFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_OWNER_DEFAULTED); ((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Owner = Owner; return STATUS_SUCCESS; } #endif } FORCEINLINE NTSTATUS NTAPI PhGetGroupSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Outptr_result_maybenull_ PSID* Group, _Out_ PBOOLEAN GroupDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetGroupSecurityDescriptor(SecurityDescriptor, Group, GroupDefaulted); #else PISECURITY_DESCRIPTOR securityDescriptor = (PISECURITY_DESCRIPTOR)SecurityDescriptor; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PSID group = NULL; if (securityDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; defaulted = BooleanFlagOn(securityDescriptor->Control, SE_GROUP_DEFAULTED); if (BooleanFlagOn(securityDescriptor->Control, SE_SELF_RELATIVE)) { PISECURITY_DESCRIPTOR_RELATIVE securityDescriptorRelative = (PISECURITY_DESCRIPTOR_RELATIVE)SecurityDescriptor; if (securityDescriptorRelative->Group) { group = RTL_PTR_ADD(SecurityDescriptor, securityDescriptorRelative->Group); } } else { group = securityDescriptor->Group; } *GroupDefaulted = defaulted; *Group = group; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhSetGroupSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID Group, _In_opt_ BOOLEAN GroupDefaulted ) { #if defined(PHNT_NATIVE_INLINE) return RtlSetGroupSecurityDescriptor(SecurityDescriptor, Group, GroupDefaulted); #else if (((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (FlagOn(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SELF_RELATIVE)) { return STATUS_INVALID_SECURITY_DESCR; } else { if (GroupDefaulted) SetFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_GROUP_DEFAULTED); else ClearFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_GROUP_DEFAULTED); ((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Group = Group; return STATUS_SUCCESS; } #endif } FORCEINLINE NTSTATUS NTAPI PhGetControlSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PSECURITY_DESCRIPTOR_CONTROL Control, _Out_ PULONG Revision ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetControlSecurityDescriptor(SecurityDescriptor, Control, Revision); #else if (((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (FlagOn(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SELF_RELATIVE)) { return STATUS_INVALID_SECURITY_DESCR; } else { *Control = ((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control; *Revision = ((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision; return STATUS_SUCCESS; } #endif } FORCEINLINE NTSTATUS NTAPI PhSetControlSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, _In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet ) { #if defined(PHNT_NATIVE_INLINE) return RtlSetControlSecurityDescriptor(SecurityDescriptor, ControlBitsOfInterest, ControlBitsToSet); #else if (((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION; if (FlagOn(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, SE_SELF_RELATIVE)) { return STATUS_INVALID_SECURITY_DESCR; } else { ClearFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, ControlBitsOfInterest); SetFlag(((PISECURITY_DESCRIPTOR)SecurityDescriptor)->Control, ControlBitsToSet); return STATUS_SUCCESS; } #endif } FORCEINLINE NTSTATUS NTAPI PhAddAccessAllowedAceEx( _In_ PACL Acl, _In_ ULONG AceRevision, _In_ UCHAR AceFlags, _In_ ACCESS_MASK AccessMask, _In_ PCSID Sid ) { #if defined(PHNT_NATIVE_INLINE) return RtlAddAccessAllowedAceEx(Acl, AceRevision, AceFlags, AccessMask, (PSID)Sid); #else PVOID offset; if (!PhValidSid(Sid)) return STATUS_INVALID_SID; if (!PhValidAcl(Acl)) return STATUS_INVALID_ACL; // Allow caller to pass any revision <= current ACL revision (matches RtlAddAce semantics). (dmex) if (AceRevision > Acl->AclRevision) return STATUS_REVISION_MISMATCH; if (!PhFirstFreeAce(Acl, &offset)) return STATUS_INVALID_ACL; ULONG sidLength = PhLengthSid(Sid); ULONG aceSize = UFIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + sidLength; // Ensure fits into USHORT and inside ACL buffer. (dmex) if (aceSize >= USHRT_MAX) return STATUS_INVALID_BUFFER_SIZE; if ((ULONG_PTR)RTL_PTR_ADD(offset, aceSize) > (ULONG_PTR)RTL_PTR_ADD(Acl, Acl->AclSize)) return STATUS_ALLOTTED_SPACE_EXCEEDED; PACCESS_ALLOWED_ACE ace = (PACCESS_ALLOWED_ACE)offset; PACE_HEADER header = &ace->Header; header->AceType = ACCESS_ALLOWED_ACE_TYPE; header->AceFlags = AceFlags; header->AceSize = (USHORT)aceSize; ace->Mask = AccessMask; RtlCopyMemory(&ace->SidStart, Sid, sidLength); Acl->AceCount++; return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhAddAccessAllowedAce( _In_ PACL Acl, _In_ ULONG AceRevision, _In_ ACCESS_MASK AccessMask, _In_ CONST SID* Sid ) { return PhAddAccessAllowedAceEx(Acl, AceRevision, 0, AccessMask, Sid); } FORCEINLINE NTSTATUS NTAPI PhAcquirePebLock( VOID ) { #if defined(PHNT_NATIVE_INLINE) return RtlAcquirePebLock(); #else return RtlEnterCriticalSection(NtCurrentPeb()->FastPebLock); #endif } FORCEINLINE NTSTATUS NTAPI PhReleasePebLock( VOID ) { #if defined(PHNT_NATIVE_INLINE) return RtlReleasePebLock(); #else return RtlLeaveCriticalSection(NtCurrentPeb()->FastPebLock); #endif } FORCEINLINE NTSTATUS NTAPI PhAcquireLoaderLock( VOID ) { return RtlEnterCriticalSection(NtCurrentPeb()->LoaderLock); } FORCEINLINE NTSTATUS NTAPI PhReleaseLoaderLock( VOID ) { return RtlLeaveCriticalSection(NtCurrentPeb()->LoaderLock); } FORCEINLINE USHORT NTAPI PhGetCurrentThreadPrimaryGroup( VOID ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetCurrentThreadPrimaryGroup(); #else return NtCurrentTeb()->PrimaryGroupAffinity.Group; #endif } FORCEINLINE ULONG NTAPI PhGetCurrentServiceSessionId( VOID ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetCurrentServiceSessionId(); #else if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) return NtCurrentPeb()->SharedData->ServiceSessionId; else return 0; #endif } FORCEINLINE ULONG NTAPI PhGetActiveConsoleId( VOID ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetActiveConsoleId(); #else if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) return NtCurrentPeb()->SharedData->ActiveConsoleId; else return USER_SHARED_DATA->ActiveConsoleId; #endif } FORCEINLINE LONGLONG NTAPI PhGetConsoleSessionForegroundProcessId( VOID ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetConsoleSessionForegroundProcessId(); #else if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) return NtCurrentPeb()->SharedData->ConsoleSessionForegroundProcessId; else return USER_SHARED_DATA->ConsoleSessionForegroundProcessId; #endif } FORCEINLINE PWSTR NTAPI PhRtlGetNtSystemRoot( VOID ) { #if defined(PHNT_NATIVE_INLINE) return RtlGetNtSystemRoot(); #else if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) // RtlGetCurrentServiceSessionId return NtCurrentPeb()->SharedData->NtSystemRoot; else return USER_SHARED_DATA->NtSystemRoot; #endif } FORCEINLINE BOOLEAN NTAPI PhAreLongPathsEnabled( VOID ) { //#if defined(PHNT_NATIVE_INLINE) // return RtlAreLongPathsEnabled(); //#else return NtCurrentPeb()->IsLongPathAwareProcess; //#endif } FORCEINLINE VOID NTAPI PhFreeUnicodeString( _Inout_ _At_(UnicodeString->Buffer, _Frees_ptr_opt_) PUNICODE_STRING UnicodeString ) { #if defined(PHNT_NATIVE_INLINE) RtlFreeUnicodeString(UnicodeString); #else if (UnicodeString->Buffer) { RtlFreeHeap(RtlProcessHeap(), 0, UnicodeString->Buffer); memset(UnicodeString, 0, sizeof(UNICODE_STRING)); } #endif } FORCEINLINE VOID NTAPI PhFreeAnsiString( _Inout_ _At_(AnsiString->Buffer, _Frees_ptr_opt_) PANSI_STRING AnsiString ) { #if defined(PHNT_NATIVE_INLINE) RtlFreeAnsiString(AnsiString); #else if (AnsiString->Buffer) { RtlFreeHeap(RtlProcessHeap(), 0, AnsiString->Buffer); memset(AnsiString, 0, sizeof(ANSI_STRING)); } #endif } FORCEINLINE VOID NTAPI PhFreeUTF8String( _Inout_ _At_(Utf8String->Buffer, _Frees_ptr_opt_) PUTF8_STRING Utf8String ) { #if defined(PHNT_NATIVE_INLINE) RtlFreeUTF8String(Utf8String); #else if (Utf8String->Buffer) { RtlFreeHeap(RtlProcessHeap(), 0, Utf8String->Buffer); memset(Utf8String, 0, sizeof(UTF8_STRING)); } #endif } FORCEINLINE PVOID NTAPI PhFreeSid( _In_ _Post_invalid_ PSID Sid ) { #if defined(PHNT_NATIVE_INLINE) return RtlFreeSid(Sid); #else RtlFreeHeap(RtlProcessHeap(), 0, Sid); return NULL; #endif } FORCEINLINE VOID NTAPI PhDeleteBoundaryDescriptor( _In_ _Post_invalid_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor ) { #if defined(PHNT_NATIVE_INLINE) RtlDeleteBoundaryDescriptor(BoundaryDescriptor); #else RtlFreeHeap(RtlProcessHeap(), 0, BoundaryDescriptor); #endif } //#define RtlDeleteSecurityObject(ObjectDescriptor) RtlFreeHeap(RtlProcessHeap(), 0, *(ObjectDescriptor)) //FORCEINLINE //NTSTATUS //RtlDeleteSecurityObject( // _Inout_ PSECURITY_DESCRIPTOR *ObjectDescriptor // ) //{ // RtlFreeHeap(RtlProcessHeap(), 0, *ObjectDescriptor); // return STATUS_SUCCESS; //} FORCEINLINE NTSTATUS NTAPI PhDestroyEnvironment( _In_ _Post_invalid_ PVOID Environment ) { #if defined(PHNT_NATIVE_INLINE) return RtlDestroyEnvironment(Environment); #else RtlFreeHeap(RtlProcessHeap(), 0, Environment); return STATUS_SUCCESS; #endif } FORCEINLINE NTSTATUS NTAPI PhDestroyProcessParameters( _In_ _Post_invalid_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters ) { #if defined(PHNT_NATIVE_INLINE) return RtlDestroyProcessParameters(ProcessParameters); #else RtlFreeHeap(RtlProcessHeap(), 0, ProcessParameters); return STATUS_SUCCESS; #endif } #define RtlAcquirePebLock PhAcquirePebLock #define RtlReleasePebLock PhReleasePebLock #define RtlGetCurrentThreadPrimaryGroup PhGetCurrentThreadPrimaryGroup #define RtlGetCurrentServiceSessionId PhGetCurrentServiceSessionId #define RtlGetActiveConsoleId PhGetActiveConsoleId #define RtlGetConsoleSessionForegroundProcessId PhGetConsoleSessionForegroundProcessId #define RtlGetNtSystemRoot PhRtlGetNtSystemRoot #define RtlAreLongPathsEnabled PhAreLongPathsEnabled //#define RtlFreeUnicodeString(UnicodeString) { if ((UnicodeString)->Buffer) RtlFreeHeap(RtlProcessHeap(), 0, (UnicodeString)->Buffer); memset(UnicodeString, 0, sizeof(UNICODE_STRING)); } #define RtlFreeUnicodeString PhFreeUnicodeString //#define RtlFreeAnsiString(UnicodeString) {if ((AnsiString)->Buffer) RtlFreeHeap(RtlProcessHeap(), 0, (AnsiString)->Buffer); memset(AnsiString, 0, sizeof(ANSI_STRING));} #define RtlFreeAnsiString PhFreeAnsiString //#define RtlFreeUTF8String(Utf8String) {if ((Utf8String)->Buffer) RtlFreeHeap(RtlProcessHeap(), 0, (Utf8String)->Buffer); memset(Utf8String, 0, sizeof(UTF8_STRING));} #define RtlFreeUTF8String PhFreeUTF8String //#define RtlFreeSid(Sid) RtlFreeHeap(RtlProcessHeap(), 0, (Sid)) #define RtlFreeSid PhFreeSid //#define RtlDeleteBoundaryDescriptor(BoundaryDescriptor) RtlFreeHeap(RtlProcessHeap(), 0, (BoundaryDescriptor)) #define RtlDeleteBoundaryDescriptor PhDeleteBoundaryDescriptor //#define RtlDestroyEnvironment(Environment) RtlFreeHeap(RtlProcessHeap(), 0, (Environment)) #define RtlDestroyEnvironment PhDestroyEnvironment //#define RtlDestroyProcessParameters(ProcessParameters) RtlFreeHeap(RtlProcessHeap(), 0, (ProcessParameters)) #define RtlDestroyProcessParameters PhDestroyProcessParameters PHLIBAPI NTSTATUS NTAPI PhGetTokenNamedObjectPath( _In_ HANDLE TokenHandle, _In_opt_ PSID Sid, _Out_ PPH_STRING* ObjectPath ); PHLIBAPI NTSTATUS NTAPI PhGetAppContainerNamedObjectPath( _In_ HANDLE TokenHandle, _In_opt_ PSID AppContainerSid, _In_ BOOLEAN RelativePath, _Out_ PPH_STRING* ObjectPath ); PHLIBAPI NTSTATUS NTAPI PhSetTokenSessionId( _In_ HANDLE TokenHandle, _In_ ULONG SessionId ); PHLIBAPI NTSTATUS NTAPI PhSetTokenPrivilege( _In_ HANDLE TokenHandle, _In_opt_ PCWSTR PrivilegeName, _In_opt_ PLUID PrivilegeLuid, _In_ ULONG Attributes ); PHLIBAPI NTSTATUS NTAPI PhSetTokenPrivilege2( _In_ HANDLE TokenHandle, _In_ LONG Privilege, _In_ ULONG Attributes ); PHLIBAPI NTSTATUS NTAPI PhAdjustPrivilege( _In_opt_ PCWSTR PrivilegeName, _In_opt_ LONG Privilege, _In_ BOOLEAN Enable ); PHLIBAPI NTSTATUS NTAPI PhSetTokenGroups( _In_ HANDLE TokenHandle, _In_opt_ PCWSTR GroupName, _In_opt_ PSID GroupSid, _In_ ULONG Attributes ); PHLIBAPI NTSTATUS NTAPI PhSetTokenIsVirtualizationEnabled( _In_ HANDLE TokenHandle, _In_ BOOLEAN IsVirtualizationEnabled ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIntegrityLevelRID( _In_ HANDLE TokenHandle, _Out_opt_ PMANDATORY_LEVEL_RID IntegrityLevelRID, _Out_opt_ PWSTR *IntegrityString ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIntegrityLevel( _In_ HANDLE TokenHandle, _Out_opt_ PMANDATORY_LEVEL IntegrityLevel, _Out_opt_ PWSTR *IntegrityString ); typedef union _PH_INTEGRITY_LEVEL { struct { // // Lower bits describe amendments to the MANDATOR_LEVEL which are a // combination of additional features closely related to integrity on // the system. // USHORT Plus : 1; USHORT AppContainer : 1; USHORT Spare : 10; USHORT Mandatory : 4; // MANDATORY_LEVEL }; USHORT Level; } PH_INTEGRITY_LEVEL, *PPH_INTEGRITY_LEVEL; PHLIBAPI NTSTATUS NTAPI PhGetTokenIntegrityLevelEx( _In_ HANDLE TokenHandle, _Out_opt_ PPH_INTEGRITY_LEVEL IntegrityLevel, _Out_opt_ PCPH_STRINGREF* IntegrityString ); PHLIBAPI NTSTATUS NTAPI PhGetProcessMandatoryPolicy( _In_ HANDLE ProcessHandle, _Out_ PACCESS_MASK Mask ); PHLIBAPI NTSTATUS NTAPI PhSetProcessMandatoryPolicy( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK Mask ); PHLIBAPI NTSTATUS NTAPI PhGetTokenProcessTrustLevelRID( _In_ HANDLE TokenHandle, _Out_opt_ PULONG ProtectionType, _Out_opt_ PULONG ProtectionLevel, _Out_opt_ PPH_STRING* TrustLevelString, _Out_opt_ PPH_STRING* TrustLevelSidString ); PHLIBAPI NTSTATUS NTAPI PhGetFileBasicInformation( _In_ HANDLE FileHandle, _Out_ PFILE_BASIC_INFORMATION BasicInfo ); PHLIBAPI NTSTATUS NTAPI PhSetFileBasicInformation( _In_ HANDLE FileHandle, _In_ PFILE_BASIC_INFORMATION BasicInfo ); PHLIBAPI NTSTATUS NTAPI PhGetFileFullAttributesInformation( _In_ HANDLE FileHandle, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ); PHLIBAPI NTSTATUS NTAPI PhGetFileStandardInformation( _In_ HANDLE FileHandle, _Out_ PFILE_STANDARD_INFORMATION StandardInfo ); PHLIBAPI NTSTATUS NTAPI PhSetFileCompletionNotificationMode( _In_ HANDLE FileHandle, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhGetFileSize( _In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER Size ); PHLIBAPI NTSTATUS NTAPI PhSetFileSize( _In_ HANDLE FileHandle, _In_ PLARGE_INTEGER Size ); PHLIBAPI NTSTATUS NTAPI PhGetFilePosition( _In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER Position ); PHLIBAPI NTSTATUS NTAPI PhSetFilePosition( _In_ HANDLE FileHandle, _In_opt_ PLARGE_INTEGER Position ); PHLIBAPI NTSTATUS NTAPI PhGetFileAllocationSize( _In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER AllocationSize ); PHLIBAPI NTSTATUS NTAPI PhSetFileAllocationSize( _In_ HANDLE FileHandle, _In_ PLARGE_INTEGER AllocationSize ); PHLIBAPI NTSTATUS NTAPI PhGetFileIndexNumber( _In_ HANDLE FileHandle, _Out_ PFILE_INTERNAL_INFORMATION IndexNumber ); PHLIBAPI NTSTATUS NTAPI PhSetFileDelete( _In_ HANDLE FileHandle ); PHLIBAPI NTSTATUS NTAPI PhSetFileRename( _In_ HANDLE FileHandle, _In_opt_ HANDLE RootDirectory, _In_ BOOLEAN ReplaceIfExists, _In_ PCPH_STRINGREF NewFileName ); PHLIBAPI NTSTATUS NTAPI PhGetFileIoPriorityHint( _In_ HANDLE FileHandle, _Out_ IO_PRIORITY_HINT* IoPriorityHint ); PHLIBAPI NTSTATUS NTAPI PhSetFileIoPriorityHint( _In_ HANDLE FileHandle, _In_ IO_PRIORITY_HINT IoPriorityHint ); PHLIBAPI NTSTATUS NTAPI PhFlushBuffersFile( _In_ HANDLE FileHandle ); PHLIBAPI NTSTATUS NTAPI PhGetFileHandleName( _In_ HANDLE FileHandle, _Out_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetFileNetworkPhysicalName( _In_ HANDLE FileHandle, _Out_ PPH_STRING* FileName ); PHLIBAPI NTSTATUS NTAPI PhGetFileAllInformation( _In_ HANDLE FileHandle, _Out_ PFILE_ALL_INFORMATION *FileInformation ); PHLIBAPI NTSTATUS NTAPI PhGetFileId( _In_ HANDLE FileHandle, _Out_ PFILE_ID_INFORMATION FileId ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIdsUsingFile( _In_ HANDLE FileHandle, _Out_ PFILE_PROCESS_IDS_USING_FILE_INFORMATION *ProcessIdsUsingFile ); typedef USN *PUSN; PHLIBAPI NTSTATUS NTAPI PhGetFileUsn( _In_ HANDLE FileHandle, _Out_ PUSN Usn ); PHLIBAPI NTSTATUS NTAPI PhSetFileBypassIO( _In_ HANDLE FileHandle, _In_ BOOLEAN Enable ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionManagerBasicInformation( _In_ HANDLE TransactionManagerHandle, _Out_ PTRANSACTIONMANAGER_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionManagerLogFileName( _In_ HANDLE TransactionManagerHandle, _Out_ PPH_STRING *LogFileName ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionBasicInformation( _In_ HANDLE TransactionHandle, _Out_ PTRANSACTION_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionPropertiesInformation( _In_ HANDLE TransactionHandle, _Out_opt_ PLARGE_INTEGER Timeout, _Out_opt_ TRANSACTION_OUTCOME *Outcome, _Out_opt_ PPH_STRING *Description ); PHLIBAPI NTSTATUS NTAPI PhGetResourceManagerBasicInformation( _In_ HANDLE ResourceManagerHandle, _Out_opt_ PGUID Guid, _Out_opt_ PPH_STRING *Description ); PHLIBAPI NTSTATUS NTAPI PhGetEnlistmentBasicInformation( _In_ HANDLE EnlistmentHandle, _Out_ PENLISTMENT_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhOpenDriverByBaseAddress( _Out_ PHANDLE DriverHandle, _In_ PVOID BaseAddress ); PHLIBAPI NTSTATUS NTAPI PhOpenDriver( _Out_ PHANDLE DriverHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ); PHLIBAPI NTSTATUS NTAPI PhGetDriverName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *Name ); PHLIBAPI NTSTATUS NTAPI PhGetDriverImageFileName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *Name ); PHLIBAPI NTSTATUS NTAPI PhGetDriverServiceKeyName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *ServiceKeyName ); PHLIBAPI NTSTATUS NTAPI PhUnloadDriver( _In_opt_ PVOID BaseAddress, _In_opt_ PCPH_STRINGREF Name, _In_ PCPH_STRINGREF FileName ); typedef _Function_class_(PH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK) NTSTATUS NTAPI PH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress, _In_ PVOID ImageBase, _In_ SIZE_T ImageSize, _In_ PPH_STRING FileName, _In_opt_ PVOID Context ); typedef PH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK* PPH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhEnumProcessModulesLimited( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK Callback, _In_opt_ PVOID Context ); typedef _Function_class_(PH_ENUM_PROCESS_MODULES_RUNDOWN_CALLBACK) NTSTATUS NTAPI PH_ENUM_PROCESS_MODULES_RUNDOWN_CALLBACK( _In_ PVOID ImageBase, _In_ SIZE_T ImageSize, _In_ PPH_STRING FileName, _In_opt_ PVOID Context ); typedef PH_ENUM_PROCESS_MODULES_RUNDOWN_CALLBACK* PPH_ENUM_PROCESS_MODULES_RUNDOWN_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhEnumProcessModulesRundown( _In_opt_ HANDLE ProcessId, _In_ PPH_ENUM_PROCESS_MODULES_RUNDOWN_CALLBACK Callback, _In_opt_ PVOID Context ); /** * A callback function passed to PhEnumProcessModules() and called for each process module. * * \param Module A structure providing information about the module. * \param Context A user-defined value passed to PhEnumProcessModules(). * * \return TRUE to continue the enumeration, FALSE to stop. */ typedef _Function_class_(PH_ENUM_PROCESS_MODULES_CALLBACK) BOOLEAN NTAPI PH_ENUM_PROCESS_MODULES_CALLBACK( _In_ PLDR_DATA_TABLE_ENTRY Module, _In_opt_ PVOID Context ); typedef PH_ENUM_PROCESS_MODULES_CALLBACK* PPH_ENUM_PROCESS_MODULES_CALLBACK; #define PH_ENUM_PROCESS_MODULES_DONT_RESOLVE_WOW64_FS 0x1 #define PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME 0x2 #define PH_ENUM_PROCESS_MODULES_LIMIT 0x800 typedef struct _PH_ENUM_PROCESS_MODULES_PARAMETERS { PPH_ENUM_PROCESS_MODULES_CALLBACK Callback; PVOID Context; ULONG Flags; } PH_ENUM_PROCESS_MODULES_PARAMETERS, *PPH_ENUM_PROCESS_MODULES_PARAMETERS; PHLIBAPI NTSTATUS NTAPI PhEnumProcessModules( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessModulesEx( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters ); PHLIBAPI NTSTATUS NTAPI PhSetProcessModuleLoadCount( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessModules32( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessModules32Ex( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters ); PHLIBAPI NTSTATUS NTAPI PhSetProcessModuleLoadCount32( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount ); PHLIBAPI NTSTATUS NTAPI PhGetProcessQuotaLimits( _In_ HANDLE ProcessHandle, _Out_ PQUOTA_LIMITS QuotaLimits ); PHLIBAPI NTSTATUS NTAPI PhSetProcessQuotaLimits( _In_ HANDLE ProcessHandle, _In_ QUOTA_LIMITS QuotaLimits ); PHLIBAPI NTSTATUS NTAPI PhSetProcessEmptyWorkingSet( _In_ HANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhSetProcessWorkingSetEmpty( _In_ HANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhSetProcessEmptyPageWorkingSet( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T Size ); PHLIBAPI NTSTATUS NTAPI PhGetProcessPriorityClass( _In_ HANDLE ProcessHandle, _Out_ PUCHAR PriorityClass ); PHLIBAPI NTSTATUS NTAPI PhSetProcessPriorityClass( _In_ HANDLE ProcessHandle, _In_ UCHAR PriorityClass ); PHLIBAPI NTSTATUS NTAPI PhSetProcessIoPriority( _In_ HANDLE ProcessHandle, _In_ IO_PRIORITY_HINT IoPriority ); PHLIBAPI NTSTATUS NTAPI PhSetProcessPagePriority( _In_ HANDLE ProcessHandle, _In_ ULONG PagePriority ); PHLIBAPI NTSTATUS NTAPI PhSetProcessPriorityBoost( _In_ HANDLE ProcessHandle, _In_ BOOLEAN DisablePriorityBoost ); PHLIBAPI NTSTATUS NTAPI PhSetProcessAffinityMask( _In_ HANDLE ProcessHandle, _In_ KAFFINITY AffinityMask ); PHLIBAPI NTSTATUS NTAPI PhGetProcessActivityModerationState( _In_ PCPH_STRINGREF ModerationIdentifier, _Out_ PSYSTEM_ACTIVITY_MODERATION_APP_SETTINGS ModerationSettings ); PHLIBAPI NTSTATUS NTAPI PhSetProcessActivityModerationState( _In_ PCPH_STRINGREF ModerationIdentifier, _In_ SYSTEM_ACTIVITY_MODERATION_APP_TYPE ModerationType, _In_ SYSTEM_ACTIVITY_MODERATION_STATE ModerationState ); PHLIBAPI NTSTATUS NTAPI PhSetProcessGroupAffinity( _In_ HANDLE ProcessHandle, _In_ GROUP_AFFINITY GroupAffinity ); PHLIBAPI NTSTATUS NTAPI PhGetProcessPowerThrottlingState( _In_ HANDLE ProcessHandle, _Out_ PPOWER_THROTTLING_PROCESS_STATE PowerThrottlingState ); PHLIBAPI NTSTATUS NTAPI PhSetProcessPowerThrottlingState( _In_ HANDLE ProcessHandle, _In_ ULONG ControlMask, _In_ ULONG StateMask ); PHLIBAPI NTSTATUS NTAPI PhOpenSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF SectionName ); PHLIBAPI NTSTATUS NTAPI PhCreateSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle ); PHLIBAPI NTSTATUS NTAPI PhMapViewOfSection( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _In_ SIZE_T CommitSize, _In_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ SECTION_INHERIT InheritDisposition, _In_ ULONG AllocationType, _In_ ULONG PageProtection ); PHLIBAPI NTSTATUS NTAPI PhUnmapViewOfSection( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress ); PHLIBAPI NTSTATUS NTAPI PhEnumKernelModules( _Out_ PRTL_PROCESS_MODULES *Modules ); PHLIBAPI NTSTATUS NTAPI PhEnumKernelModulesEx( _Out_ PRTL_PROCESS_MODULE_INFORMATION_EX *Modules ); PHLIBAPI PPH_STRING NTAPI PhGetKernelFileName( VOID ); PHLIBAPI NTSTATUS NTAPI PhGetKernelFileNameEx( _Out_opt_ PPH_STRING* FileName, _Out_ PVOID* ImageBase, _Out_ ULONG* ImageSize ); PHLIBAPI PPH_STRING NTAPI PhGetSecureKernelFileName( VOID ); /** * Gets a pointer to the first process information structure in a buffer returned by * PhEnumProcesses(). * * \param Processes A pointer to a buffer returned by PhEnumProcesses(). */ #define PH_FIRST_PROCESS(Processes) ((PSYSTEM_PROCESS_INFORMATION)(Processes)) /** * Gets a pointer to the process information structure after a given structure. * * \param Process A pointer to a process information structure. * * \return A pointer to the next process information structure, or NULL if there are no more. */ #define PH_NEXT_PROCESS(Process) ( \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset ? \ (PSYSTEM_PROCESS_INFORMATION)PTR_ADD_OFFSET((Process), \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset) : \ NULL \ ) #define PH_PROCESS_EXTENSION(Process) \ ((PSYSTEM_PROCESS_INFORMATION_EXTENSION)PTR_ADD_OFFSET((Process), \ UFIELD_OFFSET(SYSTEM_PROCESS_INFORMATION, Threads) + \ sizeof(SYSTEM_THREAD_INFORMATION) * \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NumberOfThreads)) #define PH_EXTENDED_PROCESS_EXTENSION(Process) \ ((PSYSTEM_PROCESS_INFORMATION_EXTENSION)PTR_ADD_OFFSET((Process), \ UFIELD_OFFSET(SYSTEM_PROCESS_INFORMATION, Threads) + \ sizeof(SYSTEM_EXTENDED_THREAD_INFORMATION) * \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NumberOfThreads)) // rev from PsGetProcessStartKey (dmex) #define PH_PROCESS_EXTENSION_STARTKEY(SequenceNumber) \ ((SequenceNumber) | (((ULONGLONG)USER_SHARED_DATA->BootId) << 0x30)) // SYSTEM_PROCESS_INFORMATION_EXTENSION->ProcessSequenceNumber PHLIBAPI NTSTATUS NTAPI PhEnumProcesses( _Out_ PVOID *Processes ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessesEx( _Out_ PVOID *Processes, _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass ); typedef _Function_class_(PH_ENUM_PROCESS_THREADS) NTSTATUS NTAPI PH_ENUM_PROCESS_THREADS( _In_ ULONG NumberOfThreads, _In_ PSYSTEM_THREAD_INFORMATION Threads, _In_opt_ PVOID Context ); typedef PH_ENUM_PROCESS_THREADS* PPH_ENUM_PROCESS_THREADS; NTSTATUS PhEnumProcessThreads( _In_ HANDLE ProcessId, _In_ PPH_ENUM_PROCESS_THREADS Callback, _In_opt_ PVOID Context ); typedef _Function_class_(PH_ENUM_NEXT_PROCESS) NTSTATUS NTAPI PH_ENUM_NEXT_PROCESS( _In_ HANDLE ProcessHandle, _In_opt_ PVOID Context ); typedef PH_ENUM_NEXT_PROCESS* PPH_ENUM_NEXT_PROCESS; PHLIBAPI NTSTATUS NTAPI PhEnumNextProcess( _In_opt_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_ENUM_NEXT_PROCESS Callback, _In_opt_ PVOID Context ); typedef _Function_class_(PH_ENUM_NEXT_THREAD) NTSTATUS NTAPI PH_ENUM_NEXT_THREAD( _In_ HANDLE ThreadHandle, _In_opt_ PVOID Context ); typedef PH_ENUM_NEXT_THREAD* PPH_ENUM_NEXT_THREAD; PHLIBAPI NTSTATUS NTAPI PhEnumNextThread( _In_ HANDLE ProcessHandle, _In_opt_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_ENUM_NEXT_THREAD Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessesForSession( _Out_ PVOID *Processes, _In_ ULONG SessionId ); PHLIBAPI PSYSTEM_PROCESS_INFORMATION NTAPI PhFindProcessInformation( _In_ PVOID Processes, _In_ HANDLE ProcessId ); PHLIBAPI PSYSTEM_PROCESS_INFORMATION NTAPI PhFindProcessInformationByImageName( _In_ PVOID Processes, _In_ PCPH_STRINGREF ImageName ); PHLIBAPI NTSTATUS NTAPI PhEnumHandles( _Out_ PSYSTEM_HANDLE_INFORMATION *Handles ); PHLIBAPI NTSTATUS NTAPI PhEnumHandlesEx( _Out_ PSYSTEM_HANDLE_INFORMATION_EX *Handles ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessHandles( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_HANDLE_SNAPSHOT_INFORMATION *Handles ); PHLIBAPI NTSTATUS NTAPI PhEnumHandlesGeneric( _In_ HANDLE ProcessId, _In_ HANDLE ProcessHandle, _In_ BOOLEAN EnableHandleSnapshot, _Out_ PSYSTEM_HANDLE_INFORMATION_EX* Handles ); #define PH_FIRST_PAGEFILE(Pagefiles) ( \ /* The size of a pagefile can never be 0. A TotalSize of 0 * is used to indicate that there are no pagefiles. */ ((PSYSTEM_PAGEFILE_INFORMATION)(Pagefiles))->TotalSize ? \ (PSYSTEM_PAGEFILE_INFORMATION)(Pagefiles) : \ NULL \ ) #define PH_NEXT_PAGEFILE(Pagefile) ( \ ((PSYSTEM_PAGEFILE_INFORMATION)(Pagefile))->NextEntryOffset ? \ (PSYSTEM_PAGEFILE_INFORMATION)PTR_ADD_OFFSET((Pagefile), \ ((PSYSTEM_PAGEFILE_INFORMATION)(Pagefile))->NextEntryOffset) : \ NULL \ ) #define PH_FIRST_PAGEFILE_EX(Pagefiles) ( \ ((PSYSTEM_PAGEFILE_INFORMATION_EX)(Pagefiles))->TotalSize ? \ (PSYSTEM_PAGEFILE_INFORMATION_EX)(Pagefiles) : \ NULL \ ) #define PH_NEXT_PAGEFILE_EX(Pagefile) ( \ ((PSYSTEM_PAGEFILE_INFORMATION_EX)(Pagefile))->NextEntryOffset ? \ (PSYSTEM_PAGEFILE_INFORMATION_EX)PTR_ADD_OFFSET((Pagefile), \ ((PSYSTEM_PAGEFILE_INFORMATION_EX)(Pagefile))->NextEntryOffset) : \ NULL \ ) PHLIBAPI NTSTATUS NTAPI PhEnumPagefiles( _Out_ PVOID *Pagefiles ); PHLIBAPI NTSTATUS NTAPI PhEnumPagefilesEx( _Out_ PVOID *Pagefiles ); PHLIBAPI NTSTATUS NTAPI PhEnumPoolTagInformation( _Out_ PVOID* Buffer ); PHLIBAPI NTSTATUS NTAPI PhEnumBigPoolInformation( _Out_ PVOID* Buffer ); _Must_inspect_result_ PHLIBAPI NTSTATUS NTAPI PhGetProcessIsContainer( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _Out_opt_ PBOOLEAN IsContainer ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsDotNet( _In_ HANDLE ProcessId, _Out_ PBOOLEAN IsDotNet ); #define PH_CLR_USE_SECTION_CHECK 0x1 #define PH_CLR_NO_WOW64_CHECK 0x2 #define PH_CLR_KNOWN_IS_WOW64 0x4 #define PH_CLR_VERSION_1_0 0x1 #define PH_CLR_VERSION_1_1 0x2 #define PH_CLR_VERSION_2_0 0x4 #define PH_CLR_VERSION_4_ABOVE 0x8 #define PH_CLR_CORE_3_0_ABOVE 0x10 #define PH_CLR_VERSION_MASK 0x1f #define PH_CLR_MSCORLIB_PRESENT 0x10000 #define PH_CLR_CORELIB_PRESENT 0x20000 #define PH_CLR_PROCESS_IS_WOW64 0x100000 PHLIBAPI NTSTATUS NTAPI PhGetProcessIsDotNetEx( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG InFlags, _Out_opt_ PBOOLEAN IsDotNet, _Out_opt_ PULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhOpenDirectoryObject( _Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ); /** * A callback function passed to PhEnumDirectoryObjects() and called for each directory object. * * \param RootDirectory The handle to the current object directory. * \param Name The name of the object. * \param TypeName The name of the object's type. * \param Context A user-defined value passed to PhEnumDirectoryObjects(). * \return TRUE to continue the enumeration, FALSE to stop. */ typedef _Function_class_(PH_ENUM_DIRECTORY_OBJECTS) NTSTATUS NTAPI PH_ENUM_DIRECTORY_OBJECTS( _In_ HANDLE RootDirectory, _In_ PPH_STRINGREF Name, _In_ PPH_STRINGREF TypeName, _In_opt_ PVOID Context ); typedef PH_ENUM_DIRECTORY_OBJECTS* PPH_ENUM_DIRECTORY_OBJECTS; PHLIBAPI NTSTATUS NTAPI PhEnumDirectoryObjects( _In_ HANDLE DirectoryHandle, _In_ PPH_ENUM_DIRECTORY_OBJECTS Callback, _In_opt_ PVOID Context ); typedef _Function_class_(PH_ENUM_DIRECTORY_FILE) BOOLEAN NTAPI PH_ENUM_DIRECTORY_FILE( _In_ HANDLE RootDirectory, _In_ PVOID Information, _In_opt_ PVOID Context ); typedef PH_ENUM_DIRECTORY_FILE* PPH_ENUM_DIRECTORY_FILE; PHLIBAPI NTSTATUS NTAPI PhEnumDirectoryFile( _In_ HANDLE FileHandle, _In_opt_ PCPH_STRINGREF SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ); FORCEINLINE NTSTATUS NTAPI PhEnumDirectoryFileZ( _In_ HANDLE FileHandle, _In_ PCWSTR SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ) { PH_STRINGREF searchPattern; PhInitializeStringRef(&searchPattern, SearchPattern); return PhEnumDirectoryFile( FileHandle, &searchPattern, Callback, Context ); } PHLIBAPI NTSTATUS NTAPI PhEnumDirectoryFileEx( _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _In_ BOOLEAN ReturnSingleEntry, _In_opt_ PCPH_STRINGREF SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ); FORCEINLINE NTSTATUS NTAPI PhEnumDirectoryFileExZ( _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _In_ BOOLEAN ReturnSingleEntry, _In_ PCWSTR SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ) { PH_STRINGREF searchPattern; PhInitializeStringRef(&searchPattern, SearchPattern); return PhEnumDirectoryFileEx( FileHandle, FileInformationClass, ReturnSingleEntry, &searchPattern, Callback, Context ); } typedef _Function_class_(PH_ENUM_REPARSE_POINT) NTSTATUS NTAPI PH_ENUM_REPARSE_POINT( _In_ HANDLE RootDirectory, _In_ PVOID Information, _In_ SIZE_T InformationLength, _In_opt_ PVOID Context ); typedef PH_ENUM_REPARSE_POINT* PPH_ENUM_REPARSE_POINT; PHLIBAPI NTSTATUS NTAPI PhEnumReparsePointInformation( _In_ HANDLE FileHandle, _In_ PPH_ENUM_REPARSE_POINT Callback, _In_opt_ PVOID Context ); typedef _Function_class_(PH_ENUM_OBJECT_ID) NTSTATUS NTAPI PH_ENUM_OBJECT_ID( _In_ HANDLE RootDirectory, _In_ PVOID Information, _In_ SIZE_T InformationLength, _In_opt_ PVOID Context ); typedef PH_ENUM_OBJECT_ID* PPH_ENUM_OBJECT_ID; PHLIBAPI NTSTATUS NTAPI PhEnumObjectIdInformation( _In_ HANDLE FileHandle, _In_ PPH_ENUM_OBJECT_ID Callback, _In_opt_ PVOID Context ); #define PH_FIRST_FILE_EA(Information) \ ((PFILE_FULL_EA_INFORMATION)(Information)) #define PH_NEXT_FILE_EA(Information) \ (((PFILE_FULL_EA_INFORMATION)(Information))->NextEntryOffset ? \ (PTR_ADD_OFFSET((Information), ((PFILE_FULL_EA_INFORMATION)(Information))->NextEntryOffset)) : \ NULL \ ) typedef _Function_class_(PH_ENUM_FILE_EA) NTSTATUS NTAPI PH_ENUM_FILE_EA( _In_ HANDLE RootDirectory, _In_ PFILE_FULL_EA_INFORMATION Information, _In_opt_ PVOID Context ); typedef PH_ENUM_FILE_EA* PPH_ENUM_FILE_EA; PHLIBAPI NTSTATUS NTAPI PhEnumFileExtendedAttributes( _In_ HANDLE FileHandle, _In_ PPH_ENUM_FILE_EA Callback, _In_opt_ PVOID Context ); #define PH_FIRST_STREAM(Streams) ((PFILE_STREAM_INFORMATION)(Streams)) #define PH_NEXT_STREAM(Stream) ( \ ((PFILE_STREAM_INFORMATION)(Stream))->NextEntryOffset ? \ (PFILE_STREAM_INFORMATION)(PTR_ADD_OFFSET((Stream), \ ((PFILE_STREAM_INFORMATION)(Stream))->NextEntryOffset)) : \ NULL \ ) PHLIBAPI NTSTATUS NTAPI PhSetFileExtendedAttributes( _In_ HANDLE FileHandle, _In_ PPH_BYTESREF Name, _In_opt_ PPH_BYTESREF Value ); PHLIBAPI NTSTATUS NTAPI PhEnumFileStreams( _In_ HANDLE FileHandle, _Out_ PVOID *Streams ); #define PH_FIRST_LINK(Links) ((PFILE_LINK_ENTRY_INFORMATION)(Links)) #define PH_NEXT_LINK(Links) ( \ ((PFILE_LINK_ENTRY_INFORMATION)(Links))->NextEntryOffset ? \ (PFILE_LINK_ENTRY_INFORMATION)(PTR_ADD_OFFSET((Links), \ ((PFILE_LINK_ENTRY_INFORMATION)(Links))->NextEntryOffset)) : \ NULL \ ) typedef _Function_class_(PH_ENUM_FILE_HARDLINKS) BOOLEAN NTAPI PH_ENUM_FILE_HARDLINKS( _In_ PFILE_LINK_ENTRY_INFORMATION Information, _In_opt_ PVOID Context ); typedef PH_ENUM_FILE_HARDLINKS* PPH_ENUM_FILE_HARDLINKS; PHLIBAPI NTSTATUS NTAPI PhEnumFileHardLinks( _In_ HANDLE FileHandle, _Out_ PVOID *HardLinks ); PHLIBAPI NTSTATUS NTAPI PhQuerySymbolicLinkObject( _Out_ PPH_STRING* LinkTarget, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ); FORCEINLINE NTSTATUS NTAPI PhQuerySymbolicLinkObjectZ( _Out_ PPH_STRING* LinkTarget, _In_opt_ HANDLE RootDirectory, _In_ PCWSTR ObjectName ) { PH_STRINGREF name; PhInitializeStringRef(&name, ObjectName); return PhQuerySymbolicLinkObject(LinkTarget, RootDirectory, &name); } PHLIBAPI VOID NTAPI PhUpdateMupDevicePrefixes( VOID ); PHLIBAPI VOID NTAPI PhUpdateDosDevicePrefixes( VOID ); PHLIBAPI NTSTATUS NTAPI PhFlushVolumeCache( VOID ); PHLIBAPI PPH_STRING NTAPI PhResolveDevicePrefix( _In_ PCPH_STRINGREF Name ); PHLIBAPI PPH_STRING NTAPI PhGetFileName( _In_ PPH_STRING FileName ); // "X:\" #define PATH_IS_WIN32_DRIVE_PREFIX(s) ( \ (s)->Length >= (3 * sizeof(WCHAR)) && \ (((s)->Buffer[0] >= L'A' && \ (s)->Buffer[0] <= L'Z') || \ ((s)->Buffer[0] >= L'a' && \ (s)->Buffer[0] <= L'z')) && \ (s)->Buffer[1] == L':' && \ (s)->Buffer[2] == OBJ_NAME_PATH_SEPARATOR) // "\??\" or "\\?\" or "\\.\" #define PATH_IS_WIN32_DOSDEVICES_PREFIX(s) ( \ (s)->Length >= (4 * sizeof(WCHAR)) && \ (s)->Buffer[0] == '\\' && \ ((s)->Buffer[1] == '?' || (s)->Buffer[1] == '\\') && \ (s)->Buffer[2] == '?' || (s)->Buffer[2] == '.'&& \ (s)->Buffer[3] == '\\') // "." or ".." #define PATH_IS_WIN32_RELATIVE_PREFIX(s) ( \ (s)->Length == (1 * sizeof(WCHAR)) && (s)->Buffer[0] == L'.' || \ (s)->Length == (2 * sizeof(WCHAR)) && (s)->Buffer[0] == L'.' && (s)->Buffer[1] == L'.') PHLIBAPI PPH_STRING NTAPI PhDosPathNameToNtPathName( _In_ PCPH_STRINGREF Name ); PHLIBAPI NTSTATUS NTAPI PhDosLongPathNameToNtPathNameWithStatus( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR* FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ); PHLIBAPI PPH_STRING NTAPI PhGetNtPathRootPrefix( _In_ PCPH_STRINGREF Name ); PHLIBAPI PPH_STRING NTAPI PhGetExistingPathPrefix( _In_ PCPH_STRINGREF Name ); PHLIBAPI PPH_STRING NTAPI PhGetExistingPathPrefixWin32( _In_ PCPH_STRINGREF Name ); typedef enum _PH_MODULE_TYPE { PH_MODULE_TYPE_UNKNOWN = 0, PH_MODULE_TYPE_MODULE = 1, PH_MODULE_TYPE_MAPPED_FILE = 2, PH_MODULE_TYPE_WOW64_MODULE = 3, PH_MODULE_TYPE_KERNEL_MODULE = 4, PH_MODULE_TYPE_MAPPED_IMAGE = 5, PH_MODULE_TYPE_ELF_MAPPED_IMAGE = 6, PH_MODULE_TYPE_ENCLAVE_MODULE = 7 } PH_MODULE_TYPE; typedef struct _PH_MODULE_INFO { ULONG Type; ULONG Flags; ULONG Size; ULONG EnclaveType; PVOID BaseAddress; PVOID ParentBaseAddress; PVOID OriginalBaseAddress; PVOID EntryPoint; PPH_STRING Name; PPH_STRING FileName; USHORT LoadOrderIndex; // -1 if N/A USHORT LoadCount; // -1 if N/A USHORT LoadReason; // -1 if N/A USHORT Reserved; LARGE_INTEGER LoadTime; // 0 if N/A PVOID EnclaveBaseAddress; SIZE_T EnclaveSize; } PH_MODULE_INFO, *PPH_MODULE_INFO; /** * A callback function passed to PhEnumGenericModules() and called for each process module. * * \param Module A structure providing information about the module. * \param Context A user-defined value passed to PhEnumGenericModules(). * \return TRUE to continue the enumeration, FALSE to stop. */ typedef _Function_class_(PH_ENUM_GENERIC_MODULES_CALLBACK) BOOLEAN NTAPI PH_ENUM_GENERIC_MODULES_CALLBACK( _In_ PPH_MODULE_INFO Module, _In_opt_ PVOID Context ); typedef PH_ENUM_GENERIC_MODULES_CALLBACK* PPH_ENUM_GENERIC_MODULES_CALLBACK; #define PH_ENUM_GENERIC_MAPPED_FILES 0x1 #define PH_ENUM_GENERIC_MAPPED_IMAGES 0x2 PHLIBAPI NTSTATUS NTAPI PhEnumGenericModules( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ); #define PH_KEY_PREDEFINE(Number) ((HANDLE)(LONG_PTR)(-3 - (Number) * 2)) #define PH_KEY_IS_PREDEFINED(Predefine) (((LONG_PTR)(Predefine) < 0) && ((LONG_PTR)(Predefine) & 0x1)) #define PH_KEY_PREDEFINE_TO_NUMBER(Predefine) (ULONG)(((-(LONG_PTR)(Predefine) - 3) >> 1)) #define PH_KEY_LOCAL_MACHINE PH_KEY_PREDEFINE(0) // \Registry\Machine #define PH_KEY_USERS PH_KEY_PREDEFINE(1) // \Registry\User #define PH_KEY_CLASSES_ROOT PH_KEY_PREDEFINE(2) // \Registry\Machine\Software\Classes #define PH_KEY_CURRENT_USER PH_KEY_PREDEFINE(3) // \Registry\User\ #define PH_KEY_CURRENT_USER_NUMBER 3 #define PH_KEY_MAXIMUM_PREDEFINE 4 PHLIBAPI NTSTATUS NTAPI PhCreateKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName, _In_ ULONG Attributes, _In_ ULONG CreateOptions, _Out_opt_ PULONG Disposition ); FORCEINLINE NTSTATUS NTAPI PhCreateKeyZ( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCWSTR ObjectName, _In_ ULONG Attributes, _In_ ULONG CreateOptions, _Out_opt_ PULONG Disposition ) { PH_STRINGREF name; PhInitializeStringRef(&name, ObjectName); return PhCreateKey(KeyHandle, DesiredAccess, RootDirectory, &name, Attributes, CreateOptions, Disposition); } PHLIBAPI NTSTATUS NTAPI PhOpenKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName, _In_ ULONG Attributes ); FORCEINLINE NTSTATUS NTAPI PhOpenKeyZ( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCWSTR ObjectName, _In_ ULONG Attributes ) { PH_STRINGREF name; PhInitializeStringRef(&name, ObjectName); return PhOpenKey(KeyHandle, DesiredAccess, RootDirectory, &name, Attributes); } PHLIBAPI NTSTATUS NTAPI PhLoadAppKey( _Out_ PHANDLE KeyHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhQueryKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS KeyInformationClass, _Out_ PVOID *Buffer ); PHLIBAPI NTSTATUS NTAPI PhQueryKeyInformation( _In_ HANDLE KeyHandle, _Out_opt_ PKEY_FULL_INFORMATION Information ); PHLIBAPI NTSTATUS NTAPI PhQueryKeyLastWriteTime( _In_ HANDLE KeyHandle, _Out_ PLARGE_INTEGER LastWriteTime ); PHLIBAPI NTSTATUS NTAPI PhQueryValueKey( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_ PVOID *Buffer ); FORCEINLINE NTSTATUS NTAPI PhQueryValueKeyZ( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_ PVOID* Buffer ) { PH_STRINGREF valueName; PhInitializeStringRef(&valueName, ValueName); return PhQueryValueKey( KeyHandle, &valueName, KeyValueInformationClass, Buffer ); } PHLIBAPI NTSTATUS NTAPI PhSetValueKey( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName, _In_ ULONG ValueType, _In_ PVOID Buffer, _In_ ULONG BufferLength ); FORCEINLINE NTSTATUS NTAPI PhSetValueKeyZ( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ ULONG ValueType, _In_ PVOID Buffer, _In_ ULONG BufferLength ) { PH_STRINGREF valueName; PhInitializeStringRef(&valueName, ValueName); return PhSetValueKey( KeyHandle, &valueName, ValueType, Buffer, BufferLength ); } FORCEINLINE NTSTATUS NTAPI PhSetValueKeyStringZ( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ PCPH_STRINGREF String ) { PH_STRINGREF valueName; if (String->Length > ULONG_MAX) { return STATUS_INTEGER_OVERFLOW; } PhInitializeStringRef(&valueName, ValueName); return PhSetValueKey( KeyHandle, &valueName, REG_SZ, String->Buffer, (ULONG)String->Length + sizeof(UNICODE_NULL) ); } FORCEINLINE NTSTATUS NTAPI PhSetValueKeyString2Z( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ PCWSTR String ) { PH_STRINGREF valueName; PH_STRINGREF valueString; PhInitializeStringRef(&valueName, ValueName); PhInitializeStringRef(&valueString, String); return PhSetValueKey( KeyHandle, &valueName, REG_SZ, valueString.Buffer, (ULONG)valueString.Length + sizeof(UNICODE_NULL) ); } FORCEINLINE NTSTATUS NTAPI PhSetValueKeyUlong( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ ULONG Value ) { PH_STRINGREF valueName; PhInitializeStringRef(&valueName, ValueName); return PhSetValueKey( KeyHandle, &valueName, REG_DWORD, &Value, sizeof(ULONG) ); } PHLIBAPI NTSTATUS NTAPI PhDeleteValueKey( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ); FORCEINLINE NTSTATUS NTAPI PhDeleteValueKeyZ( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName ) { PH_STRINGREF valueName; PhInitializeStringRef(&valueName, ValueName); return PhDeleteValueKey(KeyHandle, &valueName); } typedef _Function_class_(PH_ENUM_KEY_CALLBACK) BOOLEAN NTAPI PH_ENUM_KEY_CALLBACK( _In_ HANDLE RootDirectory, _In_ PVOID Information, _In_opt_ PVOID Context ); typedef PH_ENUM_KEY_CALLBACK* PPH_ENUM_KEY_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhEnumerateKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS InformationClass, _In_ PPH_ENUM_KEY_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumerateValueKey( _In_ HANDLE KeyHandle, _In_ KEY_VALUE_INFORMATION_CLASS InformationClass, _In_ PPH_ENUM_KEY_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumerateValueKeyEx( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_VALUE_INFORMATION_CLASS InformationClass, _Out_ PVOID* Buffer ); PHLIBAPI NTSTATUS NTAPI PhCreateFileWin32( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions ); PHLIBAPI NTSTATUS NTAPI PhCreateFileWin32Ex( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _Out_opt_ PULONG CreateStatus ); PHLIBAPI NTSTATUS NTAPI PhCreateFileWin32ExAlt( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ ULONG CreateFlags, _In_opt_ PLARGE_INTEGER AllocationSize, _Out_opt_ PULONG CreateStatus ); PHLIBAPI NTSTATUS NTAPI PhCreateFile( _Out_ PHANDLE FileHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions ); PHLIBAPI NTSTATUS NTAPI PhCreateFileEx( _Out_ PHANDLE FileHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _Out_opt_ PULONG CreateStatus ); PHLIBAPI NTSTATUS NTAPI PhOpenFileWin32( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions ); PHLIBAPI NTSTATUS NTAPI PhOpenFileWin32Ex( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions, _Out_opt_ PULONG OpenStatus ); PHLIBAPI NTSTATUS NTAPI PhOpenFile( _Out_ PHANDLE FileHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions, _Out_opt_ PULONG OpenStatus ); typedef struct _PH_FILE_ID_DESCRIPTOR { FILE_ID_TYPE Type; union { LARGE_INTEGER FileId; GUID ObjectId; FILE_ID_128 ExtendedFileId; }; } PH_FILE_ID_DESCRIPTOR, *PPH_FILE_ID_DESCRIPTOR; PHLIBAPI NTSTATUS NTAPI PhOpenFileById( _Out_ PHANDLE FileHandle, _In_ HANDLE VolumeHandle, _In_ PPH_FILE_ID_DESCRIPTOR FileId, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions ); PHLIBAPI NTSTATUS NTAPI PhReOpenFile( _Out_ PHANDLE FileHandle, _In_ HANDLE OriginalFileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions ); PHLIBAPI NTSTATUS NTAPI PhReadFile( _In_ HANDLE FileHandle, _In_ PVOID Buffer, _In_opt_ ULONG NumberOfBytesToRead, _In_opt_ PLARGE_INTEGER ByteOffset, _Out_opt_ PULONG NumberOfBytesRead ); PHLIBAPI NTSTATUS NTAPI PhWriteFile( _In_ HANDLE FileHandle, _In_ PVOID Buffer, _In_opt_ ULONG NumberOfBytesToWrite, _In_opt_ PLARGE_INTEGER ByteOffset, _Out_opt_ PULONG NumberOfBytesWritten ); PHLIBAPI NTSTATUS NTAPI PhQueryFullAttributesFileWin32( _In_ PCWSTR FileName, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ); PHLIBAPI NTSTATUS NTAPI PhQueryFullAttributesFile( _In_ PCPH_STRINGREF FileName, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ); PHLIBAPI NTSTATUS NTAPI PhQueryAttributesFileWin32( _In_ PCWSTR FileName, _Out_ PFILE_BASIC_INFORMATION FileInformation ); PHLIBAPI NTSTATUS NTAPI PhQueryAttributesFile( _In_ PCPH_STRINGREF FileName, _Out_ PFILE_BASIC_INFORMATION FileInformation ); PHLIBAPI BOOLEAN NTAPI PhDoesFileExistWin32( _In_ PCWSTR FileName ); PHLIBAPI BOOLEAN NTAPI PhDoesFileExist( _In_ PCPH_STRINGREF FileName ); PHLIBAPI BOOLEAN NTAPI PhDoesDirectoryExistWin32( _In_ PCWSTR FileName ); PHLIBAPI BOOLEAN NTAPI PhDoesDirectoryExist( _In_ PCPH_STRINGREF FileName ); PHLIBAPI RTL_PATH_TYPE NTAPI PhDetermineDosPathNameType( _In_ PCPH_STRINGREF FileName ); PHLIBAPI NTSTATUS NTAPI PhDeleteFileWin32( _In_ PCWSTR FileName ); PHLIBAPI NTSTATUS NTAPI PhDeleteFile( _In_ PCPH_STRINGREF FileName ); PHLIBAPI NTSTATUS NTAPI PhCopyFileWin32( _In_ PCWSTR OldFileName, _In_ PCWSTR NewFileName, _In_ BOOLEAN FailIfExists ); PHLIBAPI NTSTATUS NTAPI PhCopyFileChunkWin32( _In_ PCWSTR OldFileName, _In_ PCWSTR NewFileName, _In_ BOOLEAN FailIfExists ); PHLIBAPI NTSTATUS NTAPI PhMoveFile( _In_ PCPH_STRINGREF OldFileName, _In_ PCPH_STRINGREF NewFileName, _In_ BOOLEAN FailIfExists ); PHLIBAPI NTSTATUS NTAPI PhMoveFileWin32( _In_ PCWSTR OldFileName, _In_ PCWSTR NewFileName, _In_ BOOLEAN FailIfExists ); PHLIBAPI NTSTATUS NTAPI PhCreateDirectoryWin32( _In_ PCPH_STRINGREF DirectoryPath ); PHLIBAPI NTSTATUS NTAPI PhCreateDirectory( _In_ PCPH_STRINGREF DirectoryPath ); PHLIBAPI NTSTATUS NTAPI PhCreateDirectoryFullPathWin32( _In_ PCPH_STRINGREF FileName ); PHLIBAPI NTSTATUS NTAPI PhCreateDirectoryFullPath( _In_ PCPH_STRINGREF FileName ); PHLIBAPI NTSTATUS NTAPI PhDeleteDirectory( _In_ PCPH_STRINGREF DirectoryPath ); PHLIBAPI NTSTATUS NTAPI PhDeleteDirectoryWin32( _In_ PCPH_STRINGREF DirectoryPath ); PHLIBAPI NTSTATUS NTAPI PhDeleteDirectoryFullPath( _In_ PCPH_STRINGREF FileName ); PHLIBAPI NTSTATUS NTAPI PhCreatePipe( _Out_ PHANDLE PipeReadHandle, _Out_ PHANDLE PipeWriteHandle ); PHLIBAPI NTSTATUS NTAPI PhCreatePipeEx( _Out_ PHANDLE PipeReadHandle, _Out_ PHANDLE PipeWriteHandle, _In_opt_ PSECURITY_ATTRIBUTES PipeReadAttributes, _In_opt_ PSECURITY_ATTRIBUTES PipeWriteAttributes ); PHLIBAPI NTSTATUS NTAPI PhCreateNamedPipe( _Out_ PHANDLE PipeHandle, _In_ PCPH_STRINGREF PipeName ); FORCEINLINE NTSTATUS NTAPI PhCreateNamedPipeZ( _Out_ PHANDLE PipeHandle, _In_ PCWSTR PipeName ) { PH_STRINGREF pipeName; PhInitializeStringRef(&pipeName, PipeName); return PhCreateNamedPipe(PipeHandle, &pipeName); } PHLIBAPI NTSTATUS NTAPI PhConnectPipe( _Out_ PHANDLE PipeHandle, _In_ PCPH_STRINGREF PipeName ); FORCEINLINE NTSTATUS NTAPI PhConnectPipeZ( _Out_ PHANDLE PipeHandle, _In_ PCWSTR PipeName ) { PH_STRINGREF pipeName; PhInitializeStringRef(&pipeName, PipeName); return PhConnectPipe(PipeHandle, &pipeName); } PHLIBAPI NTSTATUS NTAPI PhListenNamedPipe( _In_ HANDLE PipeHandle ); PHLIBAPI NTSTATUS NTAPI PhDisconnectNamedPipe( _In_ HANDLE PipeHandle ); PHLIBAPI NTSTATUS NTAPI PhPeekNamedPipe( _In_ HANDLE PipeHandle, _Out_writes_bytes_opt_(Length) PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG NumberOfBytesRead, _Out_opt_ PULONG NumberOfBytesAvailable, _Out_opt_ PULONG NumberOfBytesLeftInMessage ); PHLIBAPI NTSTATUS NTAPI PhTransceiveNamedPipe( _In_ HANDLE PipeHandle, _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ); PHLIBAPI NTSTATUS NTAPI PhWaitForNamedPipe( _In_ PCWSTR PipeName, _In_opt_ ULONG Timeout ); PHLIBAPI NTSTATUS NTAPI PhImpersonateClientOfNamedPipe( _In_ HANDLE PipeHandle ); PHLIBAPI NTSTATUS NTAPI PhDisableImpersonateNamedPipe( _In_ HANDLE PipeHandle ); PHLIBAPI NTSTATUS NTAPI PhGetNamedPipeClientComputerName( _In_ HANDLE PipeHandle, _In_ ULONG ClientComputerNameLength, _Out_ PVOID ClientComputerName ); PHLIBAPI NTSTATUS NTAPI PhGetNamedPipeClientProcessId( _In_ HANDLE PipeHandle, _Out_ PHANDLE ClientProcessId ); PHLIBAPI NTSTATUS NTAPI PhGetNamedPipeServerProcessId( _In_ HANDLE PipeHandle, _Out_ PHANDLE ServerProcessId ); PHLIBAPI NTSTATUS NTAPI PhEnumDirectoryNamedPipe( _In_opt_ PCPH_STRINGREF SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhDefaultNpAcl( _Out_ PACL* DefaultNpAc ); PHLIBAPI NTSTATUS NTAPI PhGetContextThread( _In_ HANDLE ThreadHandle, _Inout_ PCONTEXT ThreadContext ); PHLIBAPI NTSTATUS NTAPI PhGetThreadName( _In_ HANDLE ThreadHandle, _Out_ PPH_STRING *ThreadName ); PHLIBAPI NTSTATUS NTAPI PhSetThreadName( _In_ HANDLE ThreadHandle, _In_ PCWSTR ThreadName ); PHLIBAPI NTSTATUS NTAPI PhGetThreadAffinityMask( _In_ HANDLE ThreadHandle, _Out_ PKAFFINITY AffinityMask ); PHLIBAPI NTSTATUS NTAPI PhSetThreadAffinityMask( _In_ HANDLE ThreadHandle, _In_ KAFFINITY AffinityMask ); PHLIBAPI NTSTATUS NTAPI PhSetThreadBasePriorityClientId( _In_ CLIENT_ID ClientId, _In_ KPRIORITY Increment ); PHLIBAPI NTSTATUS NTAPI PhSetThreadBasePriority( _In_ HANDLE ThreadHandle, _In_ KPRIORITY Increment ); PHLIBAPI NTSTATUS NTAPI PhSetThreadIoPriority( _In_ HANDLE ThreadHandle, _In_ IO_PRIORITY_HINT IoPriority ); PHLIBAPI NTSTATUS NTAPI PhSetThreadPagePriority( _In_ HANDLE ThreadHandle, _In_ ULONG PagePriority ); PHLIBAPI NTSTATUS NTAPI PhSetThreadPriorityBoost( _In_ HANDLE ThreadHandle, _In_ BOOLEAN DisablePriorityBoost ); PHLIBAPI NTSTATUS NTAPI PhGetThreadPowerThrottlingState( _In_ HANDLE ThreadHandle, _Out_ PPOWER_THROTTLING_THREAD_STATE PowerThrottlingState ); PHLIBAPI NTSTATUS NTAPI PhSetThreadIdealProcessor( _In_ HANDLE ThreadHandle, _In_ PPROCESSOR_NUMBER ProcessorNumber, _Out_opt_ PPROCESSOR_NUMBER PreviousIdealProcessor ); PHLIBAPI NTSTATUS NTAPI PhSetThreadGroupAffinity( _In_ HANDLE ThreadHandle, _In_ GROUP_AFFINITY GroupAffinity ); PHLIBAPI NTSTATUS NTAPI PhGetThreadLastSystemCall( _In_ HANDLE ThreadHandle, _Out_ PTHREAD_LAST_SYSCALL_INFORMATION LastSystemCall ); PHLIBAPI NTSTATUS NTAPI PhCreateImpersonationToken( _In_ HANDLE ThreadHandle, _Out_ PHANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI PhImpersonateToken( _In_ HANDLE ThreadHandle, _In_ HANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI PhRevertImpersonationToken( _In_ HANDLE ThreadHandle ); typedef struct _PH_PROCESS_DEBUG_HEAP_ENTRY { ULONG Flags; ULONG Signature; UCHAR HeapFrontEndType; ULONG NumberOfEntries; PVOID BaseAddress; SIZE_T BytesAllocated; SIZE_T BytesCommitted; } PH_PROCESS_DEBUG_HEAP_ENTRY, *PPH_PROCESS_DEBUG_HEAP_ENTRY; typedef struct _PH_PROCESS_DEBUG_HEAP_ENTRY32 { ULONG Flags; ULONG Signature; UCHAR HeapFrontEndType; ULONG NumberOfEntries; ULONG BaseAddress; ULONG BytesAllocated; ULONG BytesCommitted; } PH_PROCESS_DEBUG_HEAP_ENTRY32, *PPH_PROCESS_DEBUG_HEAP_ENTRY32; typedef struct _PH_PROCESS_DEBUG_HEAP_INFORMATION { ULONG NumberOfHeaps; PVOID DefaultHeap; PH_PROCESS_DEBUG_HEAP_ENTRY Heaps[1]; } PH_PROCESS_DEBUG_HEAP_INFORMATION, *PPH_PROCESS_DEBUG_HEAP_INFORMATION; typedef struct _PH_PROCESS_DEBUG_HEAP_INFORMATION32 { ULONG NumberOfHeaps; ULONG DefaultHeap; PH_PROCESS_DEBUG_HEAP_ENTRY32 Heaps[1]; } PH_PROCESS_DEBUG_HEAP_INFORMATION32, *PPH_PROCESS_DEBUG_HEAP_INFORMATION32; PHLIBAPI NTSTATUS NTAPI PhQueryProcessHeapInformation( _In_ HANDLE ProcessId, _Out_ PPH_PROCESS_DEBUG_HEAP_INFORMATION* HeapInformation ); typedef _Function_class_(PH_ENUM_PROCESS_LOCKS) NTSTATUS NTAPI PH_ENUM_PROCESS_LOCKS( _In_ ULONG NumberOfLocks, _In_ PRTL_PROCESS_LOCK_INFORMATION Locks, _In_opt_ PVOID Context ); typedef PH_ENUM_PROCESS_LOCKS* PPH_ENUM_PROCESS_LOCKS; PHLIBAPI NTSTATUS NTAPI PhQueryProcessLockInformation( _In_ HANDLE ProcessId, _In_ PPH_ENUM_PROCESS_LOCKS Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhQueryVolumeInformationFile( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FS_INFORMATION_CLASS FsInformationClass, _Out_writes_bytes_(FsInformationLength) PVOID FsInformation, _In_ ULONG FsInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); PHLIBAPI NTSTATUS NTAPI PhGetMachineTypeAttributes( _In_ USHORT Machine, _Out_ MACHINE_ATTRIBUTES* Attributes ); PHLIBAPI NTSTATUS NTAPI PhGetProcessArchitecture( _In_ HANDLE ProcessHandle, _Out_ PUSHORT ProcessArchitecture ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageBaseAddress( _In_ HANDLE ProcessHandle, _Out_ PVOID* ImageBaseAddress ); PHLIBAPI NTSTATUS NTAPI PhGetProcessCodePage( _In_ HANDLE ProcessHandle, _Out_ PUSHORT ProcessCodePage ); PHLIBAPI NTSTATUS NTAPI PhGetProcessConsoleCodePage( _In_ HANDLE ProcessHandle, _In_ BOOLEAN ConsoleOutputCP, _Out_ PUSHORT ConsoleCodePage ); PHLIBAPI NTSTATUS NTAPI PhGetProcessSecurityDomain( _In_ HANDLE ProcessHandle, _Out_ PULONGLONG SecurityDomain ); PHLIBAPI NTSTATUS NTAPI PhGetProcessServerSilo( _In_ HANDLE ProcessHandle, _Out_ PULONG ServerSilo ); PHLIBAPI NTSTATUS NTAPI PhGetProcessSequenceNumber( _In_ HANDLE ProcessHandle, _Out_ PULONGLONG SequenceNumber ); PHLIBAPI NTSTATUS NTAPI PhGetProcessStartKey( _In_ HANDLE ProcessHandle, _Out_ PULONGLONG ProcessStartKey ); PHLIBAPI NTSTATUS NTAPI PhGetProcessSystemDllInitBlock( _In_ HANDLE ProcessHandle, _Out_ PPS_SYSTEM_DLL_INIT_BLOCK SystemDllInitBlock ); PHLIBAPI NTSTATUS NTAPI PhGetProcessTelemetryIdInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_TELEMETRY_ID_INFORMATION* TelemetryInformation, _Out_opt_ PULONG TelemetryInformationLength ); PHLIBAPI NTSTATUS NTAPI PhGetProcessTlsBitMapCounters( _In_ HANDLE ProcessHandle, _Out_ PULONG TlsBitMapCount, _Out_ PULONG TlsExpansionBitMapCount ); PHLIBAPI NTSTATUS NTAPI PhGetThreadLastStatusValue( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PNTSTATUS LastStatusValue ); PHLIBAPI NTSTATUS NTAPI PhGetProcessMTAUsage( _In_ HANDLE ProcessHandle, _Out_opt_ PULONG MTAInits, _Out_opt_ PULONG MTAIncInits ); PHLIBAPI NTSTATUS NTAPI PhGetThreadApartmentFlags( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PULONG ApartmentState, _Out_opt_ PULONG ComInits ); typedef enum _PH_APARTMENT_TYPE { PH_APARTMENT_TYPE_INVALID = 0, PH_APARTMENT_TYPE_MAIN_STA, PH_APARTMENT_TYPE_STA, PH_APARTMENT_TYPE_APPLICATION_STA, PH_APARTMENT_TYPE_MTA, PH_APARTMENT_TYPE_IMPLICIT_MTA } PH_APARTMENT_TYPE; typedef struct _PH_APARTMENT_INFO { PH_APARTMENT_TYPE Type; BOOLEAN InNeutral; ULONG ComInits; ULONG Flags; } PH_APARTMENT_INFO, *PPH_APARTMENT_INFO; PHLIBAPI NTSTATUS NTAPI PhGetThreadApartment( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PPH_APARTMENT_INFO ApartmentInfo ); typedef struct _PH_COM_CALLSTATE { ULONG ClientPID; ULONG ServerPID; ULONG ServerTID; GUID ServerGuid; } PH_COM_CALLSTATE, *PPH_COM_CALLSTATE; PHLIBAPI NTSTATUS NTAPI PhGetThreadApartmentCallState( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PPH_COM_CALLSTATE ApartmentCallState ); PHLIBAPI NTSTATUS NTAPI PhGetThreadRpcState( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN HasRpcState ); PHLIBAPI NTSTATUS NTAPI PhGetThreadCriticalSectionOwnerThread( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessId, _Out_ PULONG ThreadId ); typedef enum _PH_THREAD_SOCKET_STATE { PH_THREAD_SOCKET_STATE_NONE, PH_THREAD_SOCKET_STATE_SHARED, PH_THREAD_SOCKET_STATE_DISCONNECTED, PH_THREAD_SOCKET_STATE_NOT_TCPIP } PH_THREAD_SOCKET_STATE, *PPH_THREAD_SOCKET_STATE; PHLIBAPI NTSTATUS NTAPI PhGetThreadSocketState( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PPH_THREAD_SOCKET_STATE ThreadSocketState ); PHLIBAPI NTSTATUS NTAPI PhGetThreadStackLimits( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PULONG_PTR LowPart, _Out_ PULONG_PTR HighPart ); PHLIBAPI NTSTATUS NTAPI PhGetThreadStackSize( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PULONG_PTR StackUsage, _Out_ PULONG_PTR StackLimit ); PHLIBAPI NTSTATUS NTAPI PhGetThreadIsFiber( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN ThreadIsFiber ); PHLIBAPI BOOLEAN NTAPI PhSwitchToThread( VOID ); PHLIBAPI BOOLEAN NTAPI PhIsFirmwareSupported( VOID ); PHLIBAPI NTSTATUS NTAPI PhGetFirmwareEnvironmentVariable( _In_ PCPH_STRINGREF VariableName, _In_ PCPH_STRINGREF VendorGuid, _Out_writes_bytes_opt_(*ValueLength) PVOID* ValueBuffer, _Out_opt_ PULONG ValueLength, _Out_opt_ PULONG ValueAttributes ); PHLIBAPI NTSTATUS NTAPI PhSetFirmwareEnvironmentVariable( _In_ PCPH_STRINGREF VariableName, _In_ PCPH_STRINGREF VendorGuid, _In_reads_bytes_opt_(ValueLength) PVOID ValueBuffer, _In_ ULONG ValueLength, _In_ ULONG Attributes ); #define PH_FIRST_FIRMWARE_VALUE(Variables) ((PVARIABLE_NAME_AND_VALUE)(Variables)) #define PH_NEXT_FIRMWARE_VALUE(Variables) ( \ ((PVARIABLE_NAME_AND_VALUE)(Variables))->NextEntryOffset ? \ (PVARIABLE_NAME_AND_VALUE)(PTR_ADD_OFFSET((Variables), \ ((PVARIABLE_NAME_AND_VALUE)(Variables))->NextEntryOffset)) : \ NULL \ ) PHLIBAPI NTSTATUS NTAPI PhEnumFirmwareEnvironmentValues( _In_ SYSTEM_ENVIRONMENT_INFORMATION_CLASS InformationClass, _Out_ PVOID* Variables ); PHLIBAPI NTSTATUS NTAPI PhSetSystemEnvironmentBootToFirmware( VOID ); PHLIBAPI NTSTATUS NTAPI PhCreateExecutionRequiredRequest( _In_ HANDLE ProcessHandle, _Out_ PHANDLE PowerRequestHandle ); PHLIBAPI NTSTATUS NTAPI PhDestroyExecutionRequiredRequest( _In_opt_ _Post_ptr_invalid_ HANDLE PowerRequestHandle ); PHLIBAPI NTSTATUS NTAPI PhFreezeProcess( _Out_ PHANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhFreezeProcessById( _Out_ PHANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhThawProcess( _In_ HANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhThawProcessById( _In_ HANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhFreezeThread( _Out_ PHANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadHandle ); PHLIBAPI NTSTATUS NTAPI PhFreezeThreadById( _Out_ PHANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadId ); PHLIBAPI NTSTATUS NTAPI PhThawThread( _In_ HANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadHandle ); PHLIBAPI NTSTATUS NTAPI PhThawThreadById( _In_ HANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadId ); PHLIBAPI BOOLEAN NTAPI PhIsProcessExecutionRequired( _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhProcessExecutionRequiredEnable( _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhProcessExecutionRequiredDisable( _In_ HANDLE ProcessId ); PHLIBAPI BOOLEAN NTAPI PhIsKnownDllFileName( _In_ PPH_STRING FileName ); PHLIBAPI NTSTATUS NTAPI PhGetSystemProcessorPerformanceDistribution( _Out_ PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION* Buffer ); PHLIBAPI NTSTATUS NTAPI PhGetSystemProcessorPerformanceDistributionEx( _In_ USHORT ProcessorGroup, _Out_ PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION* Buffer ); PHLIBAPI NTSTATUS NTAPI PhGetSystemLogicalProcessorInformation( _In_ LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType, _Out_ PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX* Buffer, _Out_ PULONG BufferLength ); typedef struct _PH_LOGICAL_PROCESSOR_INFORMATION { ULONG ProcessorCoreCount; ULONG ProcessorNumaCount; ULONG ProcessorLogicalCount; ULONG ProcessorPackageCount; } PH_LOGICAL_PROCESSOR_INFORMATION, *PPH_LOGICAL_PROCESSOR_INFORMATION; PHLIBAPI NTSTATUS NTAPI PhGetSystemLogicalProcessorRelationInformation( _Out_ PPH_LOGICAL_PROCESSOR_INFORMATION LogicalProcessorInformation ); PHLIBAPI BOOLEAN NTAPI PhIsProcessorFeaturePresent( _In_ ULONG ProcessorFeature ); PHLIBAPI VOID NTAPI PhGetCurrentProcessorNumber( _Out_ PPROCESSOR_NUMBER ProcessorNumber ); PHLIBAPI USHORT NTAPI PhGetActiveProcessorCount( _In_ USHORT ProcessorGroup ); typedef struct _PH_PROCESSOR_NUMBER { USHORT Group; USHORT Number; } PH_PROCESSOR_NUMBER, *PPH_PROCESSOR_NUMBER; PHLIBAPI NTSTATUS NTAPI PhGetProcessorNumberFromIndex( _In_ ULONG ProcessorIndex, _Out_ PPH_PROCESSOR_NUMBER ProcessorNumber ); PHLIBAPI NTSTATUS NTAPI PhGetProcessorGroupActiveAffinityMask( _In_ USHORT ProcessorGroup, _Out_ PKAFFINITY ActiveProcessorMask ); PHLIBAPI NTSTATUS NTAPI PhGetProcessorSystemAffinityMask( _Out_ PKAFFINITY ActiveProcessorsAffinityMask ); PHLIBAPI NTSTATUS NTAPI PhGetNumaHighestNodeNumber( _Out_ PUSHORT NodeNumber ); PHLIBAPI BOOLEAN NTAPI PhGetNumaProcessorNode( _In_ PPH_PROCESSOR_NUMBER ProcessorNumber, _Out_ PUSHORT NodeNumber ); PHLIBAPI NTSTATUS NTAPI PhPrefetchVirtualMemory( _In_ HANDLE ProcessHandle, _In_ SIZE_T NumberOfEntries, _In_ PMEMORY_RANGE_ENTRY VirtualAddresses ); PHLIBAPI NTSTATUS NTAPI PhSetVirtualMemoryPagePriority( _In_ HANDLE ProcessHandle, _In_ ULONG PagePriority, _In_ PVOID VirtualAddress, _In_ SIZE_T NumberOfBytes ); PHLIBAPI NTSTATUS NTAPI PhGuardGrantSuppressedCallAccess( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress ); PHLIBAPI NTSTATUS NTAPI PhGetProcessorNominalFrequency( _In_ PPH_PROCESSOR_NUMBER ProcessorNumber, _Out_ PULONG NominalFrequency ); typedef struct _PH_SYSTEM_STORE_COMPRESSION_INFORMATION { ULONG CompressionPid; ULONG WorkingSetSize; SIZE_T TotalDataCompressed; SIZE_T TotalCompressedSize; SIZE_T TotalUniqueDataCompressed; } PH_SYSTEM_STORE_COMPRESSION_INFORMATION, *PPH_SYSTEM_STORE_COMPRESSION_INFORMATION; PHLIBAPI NTSTATUS NTAPI PhGetSystemCompressionStoreInformation( _Out_ PPH_SYSTEM_STORE_COMPRESSION_INFORMATION SystemCompressionStoreInformation ); PHLIBAPI NTSTATUS NTAPI PhGetSystemFileCacheSize( _Out_ PSYSTEM_FILECACHE_INFORMATION CacheInfo ); PHLIBAPI NTSTATUS NTAPI PhSetSystemFileCacheSize( _In_ SIZE_T MinimumFileCacheSize, _In_ SIZE_T MaximumFileCacheSize, _In_ ULONG Flags ); PHLIBAPI NTSTATUS NTAPI PhCreateEvent( _Out_ PHANDLE EventHandle, _In_ ACCESS_MASK DesiredAccess, _In_ EVENT_TYPE EventType, _In_ BOOLEAN InitialState ); PHLIBAPI NTSTATUS NTAPI PhDeviceIoControlFile( _In_ HANDLE DeviceHandle, _In_ ULONG IoControlCode, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_to_opt_(OutputBufferLength, *ReturnLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _Out_opt_ PULONG ReturnLength ); typedef _Function_class_(PH_ENUM_MEMORY_CALLBACK) NTSTATUS NTAPI PH_ENUM_MEMORY_CALLBACK( _In_ HANDLE ProcessHandle, _In_ PMEMORY_BASIC_INFORMATION BasicInformation, _In_opt_ PVOID Context ); typedef PH_ENUM_MEMORY_CALLBACK *PPH_ENUM_MEMORY_CALLBACK; typedef _Function_class_(PH_ENUM_MEMORY_BULK_CALLBACK) NTSTATUS NTAPI PH_ENUM_MEMORY_BULK_CALLBACK( _In_ HANDLE ProcessHandle, _In_ PMEMORY_BASIC_INFORMATION BasicInfo, _In_ SIZE_T Count, _In_opt_ PVOID Context ); typedef PH_ENUM_MEMORY_BULK_CALLBACK *PPH_ENUM_MEMORY_BULK_CALLBACK; typedef _Function_class_(PH_ENUM_MEMORY_PAGE_CALLBACK) NTSTATUS NTAPI PH_ENUM_MEMORY_PAGE_CALLBACK( _In_ HANDLE ProcessHandle, _In_ ULONG_PTR NumberOfEntries, _In_ PMEMORY_WORKING_SET_BLOCK Blocks, _In_opt_ PVOID Context ); typedef PH_ENUM_MEMORY_PAGE_CALLBACK *PPH_ENUM_MEMORY_PAGE_CALLBACK; typedef _Function_class_(PH_ENUM_MEMORY_ATTRIBUTE_CALLBACK) NTSTATUS NTAPI PH_ENUM_MEMORY_ATTRIBUTE_CALLBACK( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T SizeOfImage, _In_ ULONG_PTR NumberOfEntries, _In_ PMEMORY_WORKING_SET_EX_INFORMATION Blocks, _In_opt_ PVOID Context ); typedef PH_ENUM_MEMORY_ATTRIBUTE_CALLBACK *PPH_ENUM_MEMORY_ATTRIBUTE_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhEnumVirtualMemory( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_MEMORY_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumVirtualMemoryBulk( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ BOOLEAN BulkQuery, _In_ PPH_ENUM_MEMORY_BULK_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumVirtualMemoryPages( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_MEMORY_PAGE_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumVirtualMemoryAttributes( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T Size, _In_ PPH_ENUM_MEMORY_ATTRIBUTE_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhGetKernelDebuggerInformation( _Out_opt_ PBOOLEAN KernelDebuggerEnabled, _Out_opt_ PBOOLEAN KernelDebuggerPresent ); PHLIBAPI BOOLEAN NTAPI PhIsDebuggerPresent( VOID ); PHLIBAPI NTSTATUS NTAPI PhGetDeviceType( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _Out_ DEVICE_TYPE* DeviceType ); PHLIBAPI BOOLEAN NTAPI PhIsAppExecutionAliasTarget( _In_ PPH_STRING FileName ); typedef BOOLEAN (NTAPI *PPH_ENUM_PROCESS_ENCLAVES_CALLBACK)( _In_ HANDLE ProcessHandle, _In_ PVOID EnclaveAddress, _In_ PLDR_SOFTWARE_ENCLAVE Enclave, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessEnclaves( _In_ HANDLE ProcessHandle, _In_ PVOID LdrEnclaveList, _In_ PPH_ENUM_PROCESS_ENCLAVES_CALLBACK Callback, _In_opt_ PVOID Context ); typedef BOOLEAN (NTAPI *PPH_ENUM_PROCESS_ENCLAVE_MODULES_CALLBACK)( _In_ HANDLE ProcessHandle, _In_ PLDR_SOFTWARE_ENCLAVE Enclave, _In_ PVOID EntryAddress, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessEnclaveModules( _In_ HANDLE ProcessHandle, _In_ PVOID EnclaveAddress, _In_ PLDR_SOFTWARE_ENCLAVE Enclave, _In_ PPH_ENUM_PROCESS_ENCLAVE_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhGetProcessLdrTableEntryNames( _In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _Out_ PPH_STRING* Name, _Out_ PPH_STRING* FileName ); #ifdef _M_ARM64 PHLIBAPI VOID NTAPI PhEcContextToNativeContext( _Out_ PCONTEXT Context, _In_ PARM64EC_NT_CONTEXT EcContext ); PHLIBAPI VOID NTAPI PhNativeContextToEcContext( _When_(InitializeEc, _Out_) _When_(!InitializeEc, _Inout_) PARM64EC_NT_CONTEXT EcContext, _In_ PCONTEXT Context, _In_ BOOLEAN InitializeEc ); PHLIBAPI NTSTATUS NTAPI PhIsEcCode( _In_ HANDLE ProcessHandle, _In_ PVOID CodePointer, _Out_ PBOOLEAN IsEcCode ); #endif typedef enum _PH_MOTW_ZONE_ID { PhMotwZoneIdLocalComputer, PhMotwZoneIdLocalIntranet, PhMotwZoneIdTrustedSites, PhMotwZoneIdInternet, PhMotwZoneIdRestrictedSites, PhMotwZoneIdUnknown, } PH_MOTW_ZONE_ID, *PPH_MOTW_ZONE_ID; PHLIBAPI NTSTATUS PhGetFileMotw( _In_ PCPH_STRINGREF FileName, _Out_opt_ PPH_MOTW_ZONE_ID ZoneId, _Out_opt_ PPH_STRING* ReferrerUrl, _Out_opt_ PPH_STRING* HostUrl ); PHLIBAPI NTSTATUS NTAPI PhFlushProcessHeapsRemote( _In_ HANDLE ProcessHandle, _In_opt_ PLARGE_INTEGER Timeout ); PHLIBAPI NTSTATUS NTAPI PhFilterLoadUnload( _In_ PCPH_STRINGREF ServiceName, _In_ BOOLEAN LoadDriver ); PHLIBAPI NTSTATUS NTAPI PhFilterSendMessage( _In_ HANDLE Port, _In_reads_bytes_(InBufferSize) PVOID InBuffer, _In_ ULONG InBufferSize, _Out_writes_bytes_to_opt_(OutputBufferSize, *BytesReturned) PVOID OutputBuffer, _In_ ULONG OutputBufferSize, _Out_ PULONG BytesReturned ); typedef struct _FILTER_MESSAGE_HEADER { // // OUT // // Total buffer length in bytes, including the FILTER_REPLY_HEADER, of // the expected reply. If no reply is expected, 0 is returned. // ULONG ReplyLength; // // OUT // // Unique Id for this message. This will be set when the kernel message // satisfies this FilterGetMessage or FilterInstanceGetMessage request. // If replying to this message, this is the MessageId that should be used. // ULONGLONG MessageId; // // General filter-specific buffer data follows... // } FILTER_MESSAGE_HEADER, *PFILTER_MESSAGE_HEADER; typedef struct _FILTER_REPLY_HEADER { // // IN. // // Status of this reply. This status will be returned back to the filter // driver who is waiting for a reply. // NTSTATUS Status; // // IN // // Unique Id for this message. This id was returned in the // FILTER_MESSAGE_HEADER from the kernel message to which we are replying. // ULONGLONG MessageId; // // General filter-specific buffer data follows... // } FILTER_REPLY_HEADER, *PFILTER_REPLY_HEADER; PHLIBAPI NTSTATUS NTAPI PhFilterGetMessage( _In_ HANDLE Port, _Out_writes_bytes_(MessageBufferSize) PFILTER_MESSAGE_HEADER MessageBuffer, _In_ ULONG MessageBufferSize, _Inout_ LPOVERLAPPED Overlapped ); PHLIBAPI NTSTATUS NTAPI PhFilterReplyMessage( _In_ HANDLE Port, _In_reads_bytes_(ReplyBufferSize) PFILTER_REPLY_HEADER ReplyBuffer, _In_ ULONG ReplyBufferSize ); // Filter connect options: Windows 8 and above #define FLT_PORT_FLAG_SYNC_HANDLE 0x00000001 PHLIBAPI NTSTATUS NTAPI PhFilterConnectCommunicationPort( _In_ PCPH_STRINGREF PortName, _In_ ULONG Options, _In_reads_bytes_opt_(SizeOfContext) PVOID ConnectionContext, _In_ USHORT SizeOfContext, _In_opt_ PSECURITY_ATTRIBUTES SecurityAttributes, _Outptr_ PHANDLE Port ); EXTERN_C_END #endif ================================================ FILE: phlib/include/phnativeinl.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2018-2024 * */ #ifndef _PH_PHNATINL_H #define _PH_PHNATINL_H // This file contains inlined native API wrapper functions. These functions were previously // exported, but are now inlined because they are extremely simple wrappers around equivalent native // API functions. /** * Gets basic information for a event. * * \param EventHandle A handle to a event. The handle must have EVENT_QUERY_STATE access. * \param BasicInformation A variable which receives the information. */ FORCEINLINE NTSTATUS PhGetEventBasicInformation( _In_ HANDLE EventHandle, _Out_ PEVENT_BASIC_INFORMATION BasicInformation ) { return NtQueryEvent( EventHandle, EventBasicInformation, BasicInformation, sizeof(EVENT_BASIC_INFORMATION), NULL ); } FORCEINLINE NTSTATUS PhOpenMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_opt_ PCPH_STRINGREF ObjectName ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; if (ObjectName) { if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&objectName, NULL, 0); } InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtOpenMutant( MutantHandle, DesiredAccess, &objectAttributes ); return status; } FORCEINLINE NTSTATUS PhGetMutantBasicInformation( _In_ HANDLE MutantHandle, _Out_ PMUTANT_BASIC_INFORMATION BasicInformation ) { return NtQueryMutant( MutantHandle, MutantBasicInformation, BasicInformation, sizeof(MUTANT_BASIC_INFORMATION), NULL ); } FORCEINLINE NTSTATUS PhGetMutantOwnerInformation( _In_ HANDLE MutantHandle, _Out_ PMUTANT_OWNER_INFORMATION OwnerInformation ) { return NtQueryMutant( MutantHandle, MutantOwnerInformation, OwnerInformation, sizeof(MUTANT_OWNER_INFORMATION), NULL ); } FORCEINLINE NTSTATUS PhGetSectionBasicInformation( _In_ HANDLE SectionHandle, _Out_ PSECTION_BASIC_INFORMATION BasicInformation ) { return NtQuerySection( SectionHandle, SectionBasicInformation, BasicInformation, sizeof(SECTION_BASIC_INFORMATION), NULL ); } FORCEINLINE NTSTATUS PhGetSemaphoreBasicInformation( _In_ HANDLE SemaphoreHandle, _Out_ PSEMAPHORE_BASIC_INFORMATION BasicInformation ) { return NtQuerySemaphore( SemaphoreHandle, SemaphoreBasicInformation, BasicInformation, sizeof(SEMAPHORE_BASIC_INFORMATION), NULL ); } FORCEINLINE NTSTATUS PhGetTimerBasicInformation( _In_ HANDLE TimerHandle, _Out_ PTIMER_BASIC_INFORMATION BasicInformation ) { return NtQueryTimer( TimerHandle, TimerBasicInformation, BasicInformation, sizeof(TIMER_BASIC_INFORMATION), NULL ); } /** * The action to be performed when the calling thread exits. * * \param DebugObjectHandle A handle to a process' debug object. * \param KillProcessOnExit If this parameter is TRUE, the thread terminates all attached processes on exit * (note that this is the default). Otherwise, the thread detaches from all processes being debugged on exit. * \return Successful or errant status. */ FORCEINLINE NTSTATUS PhSetDebugKillProcessOnExit( _In_ HANDLE DebugObjectHandle, _In_ BOOLEAN KillProcessOnExit ) { ULONG killProcessOnExit; killProcessOnExit = KillProcessOnExit ? 1 : 0; return NtSetInformationDebugObject( DebugObjectHandle, DebugObjectKillProcessOnExitInformation, &killProcessOnExit, sizeof(ULONG), NULL ); } FORCEINLINE NTSTATUS PhGetProcessIsCetEnabled( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsCetEnabled, _Out_ PBOOLEAN IsCetStrictModeEnabled ) { NTSTATUS status; PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; policyInfo.Policy = ProcessUserShadowStackPolicy; status = NtQueryInformationProcess( ProcessHandle, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { #if !defined(NTDDI_WIN10_CO) || (NTDDI_VERSION < NTDDI_WIN10_CO) *IsCetEnabled = _bittest((const PLONG)&policyInfo.ControlFlowGuardPolicy.Flags, 0); *IsCetStrictModeEnabled = _bittest((const PLONG)&policyInfo.ControlFlowGuardPolicy.Flags, 4); #else *IsCetEnabled = !!policyInfo.UserShadowStackPolicy.EnableUserShadowStack; *IsCetStrictModeEnabled = !!policyInfo.UserShadowStackPolicy.EnableUserShadowStackStrictMode; #endif } return status; } FORCEINLINE NTSTATUS NTAPI PhGetSystemHypervisorSharedPageInformation( _Out_ PSYSTEM_HYPERVISOR_USER_SHARED_DATA* HypervisorSharedUserVa ) { NTSTATUS status; SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION HypervisorSharedPageInfo; status = NtQuerySystemInformation( SystemHypervisorSharedPageInformation, &HypervisorSharedPageInfo, sizeof(SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *HypervisorSharedUserVa = HypervisorSharedPageInfo.HypervisorSharedUserVa; } return status; } FORCEINLINE NTSTATUS PhGetSystemShadowStackInformation( _Out_ PSYSTEM_SHADOW_STACK_INFORMATION ShadowStackInformation ) { return NtQuerySystemInformation( SystemShadowStackInformation, ShadowStackInformation, sizeof(SYSTEM_SHADOW_STACK_INFORMATION), NULL ); } /** * The system boot time in Coordinated Universal Time (UTC) format. * * \param BootTime A pointer to a LARGE_INTEGER structure to receive the current system boot date and time. * \return Successful or errant status. */ FORCEINLINE NTSTATUS PhGetSystemBootTime( _Out_ PLARGE_INTEGER BootTime ) { NTSTATUS status; SYSTEM_TIMEOFDAY_INFORMATION timeOfDayInfo; status = NtQuerySystemInformation( SystemTimeOfDayInformation, &timeOfDayInfo, sizeof(SYSTEM_TIMEOFDAY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *BootTime = timeOfDayInfo.BootTime; } return status; } /** * The system uptime in Coordinated Universal Time (UTC) format. * * \param Uptime A pointer to a LARGE_INTEGER structure to receive the current system uptime. * \return Successful or errant status. */ FORCEINLINE NTSTATUS PhGetSystemUptime( _Out_ PLARGE_INTEGER Uptime ) { NTSTATUS status; SYSTEM_TIMEOFDAY_INFORMATION timeOfDayInfo; status = NtQuerySystemInformation( SystemTimeOfDayInformation, &timeOfDayInfo, sizeof(SYSTEM_TIMEOFDAY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { Uptime->QuadPart = timeOfDayInfo.CurrentTime.QuadPart - timeOfDayInfo.BootTime.QuadPart; } return status; } /** * Waits until the specified object is in the signaled state or the time-out interval elapses. * * \param Handle A handle to the object. * \param Timeout The time-out interval. * If a nonzero value is specified, the function waits until the object is signaled or the interval elapses. * If Timeout is zero, the function does not enter a wait state if the object is not signaled; it always returns immediately. * If Timeout is INFINITE, the function will return only when the object is signaled. * \return Successful or errant status. */ FORCEINLINE NTSTATUS PhWaitForSingleObject( _In_ HANDLE Handle, _In_opt_ ULONG Timeout ) { if (Timeout) { LARGE_INTEGER timeout; timeout.QuadPart = -(LONGLONG)UInt32x32To64(Timeout, PH_TIMEOUT_MS); return NtWaitForSingleObject(Handle, FALSE, &timeout); } else { return NtWaitForSingleObject(Handle, FALSE, NULL); } } /** * Provides a process-wide memory barrier that ensures that reads and writes from any CPU cannot move across the barrier. * * The process-wide memory barrier method differs from the "normal" MemoryBarrier method as follows: * The process-wide memory barrier ensures that any read or write from any CPU being used in the process can't move across the barrier. * The process-wide memory barrier forces other CPUs to synchronize with process memory (for example, to flush write buffers and synchronize read buffers). * The process-wide memory barrier is very expensive. It has to force every CPU in the process do to something, at a probable cost of thousands of cycles. * The process-wide memory barrier suffers from all the subtleties of lock-free programming. * \sa https://learn.microsoft.com/en-us/dotnet/api/system.threading.interlocked.memorybarrierprocesswid * \return Successful or errant status. */ FORCEINLINE NTSTATUS PhMemoryBarrierProcessWide( VOID ) { return NtFlushProcessWriteBuffers(); } #endif ================================================ FILE: phlib/include/phnet.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #ifndef _PH_PHNET_H #define _PH_PHNET_H EXTERN_C_START #ifndef __WINDOT11_H__ #define __WINDOT11_H__ // Workaround windot11.h C2288 - WinSDK 10.0.22621 (dmex) #endif #ifndef PIO_APC_ROUTINE_DEFINED #define PIO_APC_ROUTINE_DEFINED 1 #endif #ifndef ALIGN_SIZE #define ALIGN_SIZE 0x00000008 #endif #ifndef UM_NDIS60 #define UM_NDIS60 1 #endif // #include #include #include #include #include #include #include #include #include #include #include EXTERN_C CONST DECLSPEC_SELECTANY IN_ADDR inaddr_any = { 0x00 }; EXTERN_C CONST DECLSPEC_SELECTANY IN6_ADDR in6addr_any = { 0x00 }; EXTERN_C CONST DECLSPEC_SELECTANY IN6_ADDR in6addr_v4mappedprefix = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 }; #define PH_NETWORK_TYPE_NONE 0x0 #define PH_NETWORK_TYPE_IPV4 0x1 #define PH_NETWORK_TYPE_IPV6 0x2 #define PH_NETWORK_TYPE_HYPERV 0x4 #define PH_NETWORK_TYPE_MASK 0x8 #define PH_PROTOCOL_TYPE_NONE 0x0 #define PH_PROTOCOL_TYPE_TCP 0x10 #define PH_PROTOCOL_TYPE_UDP 0x20 #define PH_PROTOCOL_TYPE_MASK 0x30 #define PH_NETWORK_PROTOCOL_NONE 0x0 #define PH_NETWORK_PROTOCOL_TCP4 (PH_NETWORK_TYPE_IPV4 | PH_PROTOCOL_TYPE_TCP) #define PH_NETWORK_PROTOCOL_TCP6 (PH_NETWORK_TYPE_IPV6 | PH_PROTOCOL_TYPE_TCP) #define PH_NETWORK_PROTOCOL_UDP4 (PH_NETWORK_TYPE_IPV4 | PH_PROTOCOL_TYPE_UDP) #define PH_NETWORK_PROTOCOL_UDP6 (PH_NETWORK_TYPE_IPV6 | PH_PROTOCOL_TYPE_UDP) #define PH_NETWORK_PROTOCOL_HYPERV (PH_NETWORK_TYPE_HYPERV) typedef struct _PH_IP_ADDRESS { ULONG Type; union { UCHAR Ipv4[4]; IN_ADDR InAddr; UCHAR Ipv6[16]; IN6_ADDR In6Addr; GUID HvAddr; }; } PH_IP_ADDRESS, *PPH_IP_ADDRESS; typedef struct _PH_IP_ENDPOINT { PH_IP_ADDRESS Address; ULONG Port; } PH_IP_ENDPOINT, *PPH_IP_ENDPOINT; FORCEINLINE BOOLEAN PhEqualIpAddress( _In_ PPH_IP_ADDRESS Address1, _In_ PPH_IP_ADDRESS Address2 ) { if ((Address1->Type | Address2->Type) == 0) // don't check addresses if both are invalid return TRUE; if (Address1->Type != Address2->Type) return FALSE; switch (Address1->Type) { case PH_NETWORK_TYPE_IPV4: { return IN4_ADDR_EQUAL(&Address1->InAddr, &Address2->InAddr); } break; case PH_NETWORK_TYPE_IPV6: { return IN6_ADDR_EQUAL(&Address1->In6Addr, &Address2->In6Addr); //#ifdef _WIN64 // return // *(PULONG64)(Address1->Ipv6) == *(PULONG64)(Address2->Ipv6) && // *(PULONG64)(Address1->Ipv6 + 8) == *(PULONG64)(Address2->Ipv6 + 8); //#else // return // *(PULONG)(Address1->Ipv6) == *(PULONG)(Address2->Ipv6) && // *(PULONG)(Address1->Ipv6 + 4) == *(PULONG)(Address2->Ipv6 + 4) && // *(PULONG)(Address1->Ipv6 + 8) == *(PULONG)(Address2->Ipv6 + 8) && // *(PULONG)(Address1->Ipv6 + 12) == *(PULONG)(Address2->Ipv6 + 12); //#endif } break; case PH_NETWORK_TYPE_HYPERV: { //return IsEqualGUID(&Address1->HvAddr, &Address2->HvAddr); return !memcmp(&Address1->HvAddr, &Address2->HvAddr, sizeof(GUID)); } break; } return FALSE; } FORCEINLINE ULONG PhHashIpAddress( _In_ PPH_IP_ADDRESS Address ) { if (Address->Type == PH_NETWORK_TYPE_NONE) return 0; switch (Address->Type) { case PH_NETWORK_TYPE_IPV4: { ULONG hash; hash = Address->Type | (Address->Type << 16); hash ^= *(PULONG)(Address->Ipv4); return hash; } break; case PH_NETWORK_TYPE_IPV6: { ULONG hash; hash = Address->Type | (Address->Type << 16); hash += *(PULONG)(Address->Ipv6); hash ^= *(PULONG)(Address->Ipv6 + 4); hash += *(PULONG)(Address->Ipv6 + 8); hash ^= *(PULONG)(Address->Ipv6 + 12); return hash; } break; case PH_NETWORK_TYPE_HYPERV: { ULONG hash; hash = Address->Type | (Address->Type << 16); hash += Address->HvAddr.Data1; hash ^= *(PULONG)(&Address->HvAddr.Data2); hash ^= *(PULONG)(Address->HvAddr.Data4); hash ^= *(PULONG)(Address->HvAddr.Data4 + 4); return hash; } break; } return 0; } FORCEINLINE BOOLEAN PhIsNullIpAddress( _In_ PPH_IP_ADDRESS Address ) { if (Address->Type == PH_NETWORK_TYPE_NONE) return TRUE; switch (Address->Type) { case PH_NETWORK_TYPE_IPV4: { return IN4_IS_ADDR_UNSPECIFIED(&Address->InAddr); } break; case PH_NETWORK_TYPE_IPV6: { return IN6_IS_ADDR_UNSPECIFIED(&Address->In6Addr); //#ifdef _WIN64 // return (*(PULONG64)(Address->Ipv6) | *(PULONG64)(Address->Ipv6 + 8)) == 0; //#else // return (*(PULONG)(Address->Ipv6) | *(PULONG)(Address->Ipv6 + 4) | // *(PULONG)(Address->Ipv6 + 8) | *(PULONG)(Address->Ipv6 + 12)) == 0; //#endif } break; case PH_NETWORK_TYPE_HYPERV: { //return IsEqualGUID(&Address->HvAddr, &HV_GUID_ZERO); return !memcmp(&Address->HvAddr, &HV_GUID_ZERO, sizeof(GUID)); } break; } return TRUE; } FORCEINLINE BOOLEAN PhEqualIpEndpoint( _In_ PPH_IP_ENDPOINT Endpoint1, _In_ PPH_IP_ENDPOINT Endpoint2 ) { return PhEqualIpAddress(&Endpoint1->Address, &Endpoint2->Address) && Endpoint1->Port == Endpoint2->Port; } FORCEINLINE ULONG PhHashIpEndpoint( _In_ PPH_IP_ENDPOINT Endpoint ) { return PhHashIpAddress(&Endpoint->Address) ^ Endpoint->Port; } // DOH/HTTP/HTTP2 support (dmex) typedef enum _PHHTTP_EVENT_TYPE { PHHTTP_EVENT_DEBUG, PHHTTP_EVENT_INITIALIZING, PHHTTP_EVENT_RESOLVING_NAME, PHHTTP_EVENT_NAME_RESOLVED, PHHTTP_EVENT_CONNECTING, PHHTTP_EVENT_CONNECTED, PHHTTP_EVENT_SENDING_REQUEST, PHHTTP_EVENT_REQUEST_SENT, PHHTTP_EVENT_RECEIVING_RESPONSE, PHHTTP_EVENT_RESPONSE_RECEIVED, PHHTTP_EVENT_CLOSING_CONNECTION, PHHTTP_EVENT_CONNECTION_CLOSED, PHHTTP_EVENT_HANDLE_CREATED, PHHTTP_EVENT_HANDLE_CLOSING, PHHTTP_EVENT_DETECTING_PROXY, PHHTTP_EVENT_REDIRECT } PHHTTP_EVENT_TYPE; typedef _Function_class_(PH_HTTP_EVENT_CALLBACK) VOID NTAPI PH_HTTP_EVENT_CALLBACK( _In_ PHHTTP_EVENT_TYPE Event, _In_opt_ PVOID Parameter, _In_opt_ PVOID Context ); typedef PH_HTTP_EVENT_CALLBACK* PPH_HTTP_EVENT_CALLBACK; typedef struct _PH_HTTP_CONTEXT { PVOID SessionHandle; PVOID ConnectionHandle; PVOID RequestHandle; BOOL EventCallbackRegistered; PPH_HTTP_EVENT_CALLBACK Callback; PVOID Context; } PH_HTTP_CONTEXT, *PPH_HTTP_CONTEXT; PHLIBAPI NTSTATUS NTAPI PhHttpInitialize( _Out_ PPH_HTTP_CONTEXT *HttpContext ); PHLIBAPI VOID NTAPI PhHttpDestroy( _In_ _Maybenull_ _Frees_ptr_ PPH_HTTP_CONTEXT HttpContext ); typedef enum _PH_HTTP_SOCKET_CLOSE_TYPE { PH_HTTP_SOCKET_CLOSE_SESSION = 0x1, PH_HTTP_SOCKET_CLOSE_CONNECTION = 0x2, PH_HTTP_SOCKET_CLOSE_REQUEST = 0x4, } PH_HTTP_SOCKET_CLOSE_TYPE; PHLIBAPI VOID NTAPI PhHttpClose( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PH_HTTP_SOCKET_CLOSE_TYPE Type ); #define PH_HTTP_DEFAULT_PORT 0 // use the protocol-specific default port #define PH_HTTP_DEFAULT_HTTP_PORT 80 #define PH_HTTP_DEFAULT_HTTPS_PORT 443 PHLIBAPI NTSTATUS NTAPI PhHttpConnect( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR ServerName, _In_ USHORT ServerPort ); #define PH_HTTP_FLAG_SECURE 0x1 #define PH_HTTP_FLAG_REFRESH 0x2 PHLIBAPI NTSTATUS NTAPI PhHttpBeginRequest( _In_ PPH_HTTP_CONTEXT HttpContext, _In_opt_ PCWSTR RequestMethod, _In_ PCWSTR RequestPath, _In_ ULONG Flags ); #define PH_HTTP_IGNORE_REQUEST_TOTAL_LENGTH 0 #define PH_HTTP_NO_ADDITIONAL_HEADERS NULL #define PH_HTTP_NO_REQUEST_DATA NULL PHLIBAPI NTSTATUS NTAPI PhHttpSendRequest( _In_ PPH_HTTP_CONTEXT HttpContext, _In_opt_ PCWSTR HeadersBuffer, _In_ ULONG HeadersLength, _In_opt_ PVOID OptionalBuffer, _In_ ULONG OptionalLength, _In_ ULONG TotalLength ); PHLIBAPI NTSTATUS NTAPI PhHttpReceiveResponse( _In_ PPH_HTTP_CONTEXT HttpContext ); PHLIBAPI NTSTATUS NTAPI PhHttpReadData( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PVOID Buffer, _In_ ULONG BufferLength, _Out_ PULONG BytesCopied ); PHLIBAPI NTSTATUS NTAPI PhHttpWriteData( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PVOID Buffer, _In_ ULONG BufferLength, _Out_ PULONG BytesCopied ); PHLIBAPI NTSTATUS NTAPI PhHttpAddRequestHeaders( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR Headers, _In_opt_ ULONG HeadersLength ); FORCEINLINE NTSTATUS PhHttpAddRequestHeadersSR( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCPH_STRINGREF Headers ) { return PhHttpAddRequestHeaders( HttpContext, Headers->Buffer, (ULONG)Headers->Length / sizeof(WCHAR) ); } PHLIBAPI PPH_STRING NTAPI PhHttpQueryHeaders( _In_ PPH_HTTP_CONTEXT HttpContext ); PHLIBAPI PPH_STRING NTAPI PhHttpQueryHeaderString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR HeaderString ); // status codes #define PH_HTTP_STATUS_OK 200 // request completed #define PH_HTTP_STATUS_CREATED 201 #define PH_HTTP_STATUS_REDIRECT_METHOD 303 // redirection w/ new access method #define PH_HTTP_STATUS_REDIRECT 302 // object temporarily moved // header query flags #define PH_HTTP_QUERY_CONTENT_LENGTH 0x1 #define PH_HTTP_QUERY_STATUS_CODE 0x2 PHLIBAPI NTSTATUS NTAPI PhHttpQueryHeaderUlong( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG QueryValue, _Out_ PULONG HeaderValue ); PHLIBAPI NTSTATUS NTAPI PhHttpQueryHeaderUlong64( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG QueryValue, _Out_ PULONG64 HeaderValue ); FORCEINLINE NTSTATUS NTAPI PhHttpQueryResponseStatus( _In_ PPH_HTTP_CONTEXT HttpContext ) { NTSTATUS status; ULONG httpStatus = PH_HTTP_STATUS_OK; status = PhHttpQueryHeaderUlong(HttpContext, PH_HTTP_QUERY_STATUS_CODE, &httpStatus); if (NT_SUCCESS(status)) { switch (httpStatus) { case 301: case 308: //status = STATUS_MORE_ENTRIES; case PH_HTTP_STATUS_OK: status = STATUS_SUCCESS; break; case 401: case 403: status = STATUS_ACCESS_DENIED; break; case 404: status = STATUS_OBJECT_NAME_NOT_FOUND; break; default: status = STATUS_UNEXPECTED_NETWORK_ERROR; break; } } return status; } PHLIBAPI PPH_STRING NTAPI PhHttpQueryOptionString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ BOOLEAN SessionOption, _In_ ULONG QueryOption ); PHLIBAPI NTSTATUS NTAPI PhHttpReadDataToBuffer( _In_ PVOID RequestHandle, _Out_ PVOID* Buffer, _Out_ ULONG* BufferLength ); PHLIBAPI NTSTATUS NTAPI PhHttpDownloadString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ BOOLEAN Unicode, _Out_ PVOID* StringBuffer ); typedef struct _PH_HTTPDOWNLOAD_CONTEXT { ULONG64 ReadLength; ULONG64 TotalLength; ULONG64 BitsPerSecond; DOUBLE Percent; } PH_HTTPDOWNLOAD_CONTEXT, *PPH_HTTPDOWNLOAD_CONTEXT; typedef BOOLEAN (NTAPI *PPH_HTTPDOWNLOAD_CALLBACK)( _In_opt_ PPH_HTTPDOWNLOAD_CONTEXT Parameter, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhHttpDownloadToFile( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PPH_STRINGREF FileName, _In_ PPH_HTTPDOWNLOAD_CALLBACK Callback, _In_opt_ PVOID Context ); #define PH_HTTP_FEATURE_REDIRECTS 0x1 #define PH_HTTP_FEATURE_KEEP_ALIVE 0x2 PHLIBAPI NTSTATUS NTAPI PhHttpSetFeature( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG Feature, _In_ BOOLEAN Enable ); PHLIBAPI NTSTATUS NTAPI PhHttpSetOption( _In_ PVOID HttpHandle, _In_ ULONG Option, _In_ ULONG Value ); PHLIBAPI NTSTATUS NTAPI PhHttpSetOptionString( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG Option, _In_ PPH_STRINGREF Value ); typedef _Function_class_(PH_HTTP_STATUS_CALLBACK) VOID CALLBACK PH_HTTP_STATUS_CALLBACK( _In_ PVOID InternetHandle, _In_ ULONG_PTR Context, _In_ ULONG InternetStatus, _In_opt_ LPVOID StatusInformation, _In_ ULONG StatusInformationLength ); typedef PH_HTTP_STATUS_CALLBACK* PPH_HTTP_STATUS_CALLBACK; PHLIBAPI NTSTATUS NTAPI PhHttpSetCallback( _In_ PVOID HttpHandle, _In_ PPH_HTTP_STATUS_CALLBACK Callback, _In_ ULONG NotificationFlags ); PHLIBAPI NTSTATUS NTAPI PhHttpSetContext( _In_ PVOID HttpHandle, _In_ PVOID Context ); FORCEINLINE NTSTATUS PhWinHttpSetOptionStringZ( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG Option, _In_ PCWSTR Value ) { PH_STRINGREF string; PhInitializeStringRef(&string, Value); return PhHttpSetOptionString(HttpContext, Option, &string); } #define PH_HTTP_SECURITY_IGNORE_UNKNOWN_CA 0x1 #define PH_HTTP_SECURITY_IGNORE_CERT_DATE_INVALID 0x2 PHLIBAPI NTSTATUS NTAPI PhHttpSetSecurity( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ ULONG Feature ); #define PH_HTTP_PROTOCOL_FLAG_HTTP2 0x1 #define PH_HTTP_PROTOCOL_FLAG_HTTP3 0x2 PHLIBAPI NTSTATUS NTAPI PhHttpSetProtocol( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ BOOLEAN Session, _In_ ULONG Protocol, _In_ ULONG Timeout ); PHLIBAPI NTSTATUS NTAPI PhHttpCrackUrl( _In_ PPH_STRING Url, _Out_ PPH_STRING *Host, _Out_ PPH_STRING *Path, _Out_ PUSHORT Port ); PHLIBAPI PPH_STRING NTAPI PhHttpGetErrorMessage( _In_ ULONG ErrorCode ); typedef struct _PH_HTTP_CERTIFICATE_INFO { LARGE_INTEGER Expiry; LARGE_INTEGER Start; PWSTR SubjectInfo; PWSTR IssuerInfo; PWSTR ProtocolName; PWSTR SignatureAlgName; PWSTR EncryptionAlgName; ULONG KeySize; } PH_HTTP_CERTIFICATE_INFO, *PPH_HTTP_CERTIFICATE_INFO; PHLIBAPI NTSTATUS NTAPI PhHttpGetCertificateInfo( _In_ PPH_HTTP_CONTEXT HttpContext, _Out_ PPH_HTTP_CERTIFICATE_INFO Certificate ); PHLIBAPI NTSTATUS NTAPI PhHttpGetStatistics( _In_ PPH_HTTP_CONTEXT HttpContext, _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PVOID Buffer, _Inout_ PULONG BufferLength ); PHLIBAPI NTSTATUS NTAPI PhHttpSetCredentials( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PCWSTR Name, _In_ PCWSTR Value ); PHLIBAPI NTSTATUS NTAPI PhHttpSetEventCallback( _In_ PPH_HTTP_CONTEXT HttpContext, _In_ PPH_HTTP_EVENT_CALLBACK EventCallback, _In_opt_ PVOID Context ); // // IPv4 and IPv6 // PHLIBAPI NTSTATUS NTAPI PhIpv4AddressToString( _In_ PCIN_ADDR Address, _In_ USHORT Port, _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, _Inout_ PULONG AddressStringLength ); PHLIBAPI NTSTATUS NTAPI PhIpv4StringToAddress( _In_ PCWSTR AddressString, _In_ BOOLEAN Strict, _Out_ PIN_ADDR Address, _Out_ PUSHORT Port ); PHLIBAPI NTSTATUS NTAPI PhIpv6AddressToString( _In_ PCIN6_ADDR Address, _In_ ULONG ScopeId, _In_ USHORT Port, _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, _Inout_ PULONG AddressStringLength ); PHLIBAPI NTSTATUS NTAPI PhIpv6StringToAddress( _In_ PCWSTR AddressString, _Out_ PIN6_ADDR Address, _Out_ PULONG ScopeId, _Out_ PUSHORT Port ); // // DNS // PHLIBAPI PPH_STRING NTAPI PhDnsReverseLookupNameFromAddress( _In_ ULONG Type, _In_ PVOID Address ); PHLIBAPI NTSTATUS NTAPI PhHttpDnsQuery( _In_opt_ PCWSTR DnsServerAddress, _In_ PCWSTR DnsQueryMessage, _In_ USHORT DnsQueryMessageType, _Out_ PDNS_RECORD* DnsQueryRecord ); PHLIBAPI PDNS_RECORD NTAPI PhDnsQuery( _In_opt_ PCWSTR DnsServerAddress, _In_ PCWSTR DnsQueryMessage, _In_ USHORT DnsQueryMessageType ); PHLIBAPI PDNS_RECORD NTAPI PhDnsQuery2( _In_opt_ PCWSTR DnsServerAddress, _In_ PCWSTR DnsQueryMessage, _In_ USHORT DnsQueryMessageType, _In_ USHORT DnsQueryMessageOptions ); PHLIBAPI VOID NTAPI PhDnsFree( _In_ PDNS_RECORD DnsRecordList ); EXTERN_C_END #endif ================================================ FILE: phlib/include/phsup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #ifndef _PH_PHSUP_H #define _PH_PHSUP_H // This header file provides some useful definitions specific to phlib. // // Workaround for macro redefinition conflicts between Clang and MSVC. // Save and restore these definitions. // // See: https://github.com/llvm/llvm-project/issues/36748 // // C:\Program Files\LLVM\lib\clang\20\include\xmmintrin.h(2195,9): error: '_MM_HINT_T0' macro redefined [-Werror,-Wmacro-redefined] // 2195 | #define _MM_HINT_T0 3 // | ^ // C:\Program Files (x86)\Windows Kits\10\\include\10.0.26100.0\\um\winnt.h(3649,9): note: previous definition is here // 3649 | #define _MM_HINT_T0 1 // | // // Workaround for unused function warnings. // Narrowly suppress -Wunused-function warnings. // // C:\Program Files\LLVM\lib\clang\20\include\amxcomplexintrin.h(139,13): error: unused function '__tile_cmmimfp16ps' [-Werror,-Wunused-function] // 139 | static void __tile_cmmimfp16ps(__tile1024i *dst, __tile1024i src0, // | ^~~~~~~~~~~~~~~~~~ // C:\Program Files\LLVM\lib\clang\20\include\amxcomplexintrin.h(162,13): error: unused function '__tile_cmmrlfp16ps' [-Werror,-Wunused-function] // 162 | static void __tile_cmmrlfp16ps(__tile1024i *dst, __tile1024i src0, // | ^~~~~~~~~~~~~~~~~~ // #ifdef __clang__ #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wunused-function" #ifdef _MM_HINT_T0 #pragma push_macro("_MM_HINT_T0") #pragma push_macro("_MM_HINT_T1") #pragma push_macro("_MM_HINT_T2") #undef _MM_HINT_T0 #undef _MM_HINT_T1 #undef _MM_HINT_T2 #define PH_SAVED_MM_HINT_MACROS #endif // _MM_HINT_T0 #endif // __clang__ #include #ifdef __clang__ #pragma clang diagnostic pop #ifdef PH_SAVED_MM_HINT_MACROS #pragma pop_macro("_MM_HINT_T2") #pragma pop_macro("_MM_HINT_T1") #pragma pop_macro("_MM_HINT_T0") #undef PH_SAVED_MM_HINT_MACROS #endif // PH_SAVED_MM_HINT_MACROS #endif // __clang__ #include #include #include #include #include #include #include #include #include #include #include #include #include #include // // Memory // #if defined(_cplusplus) template FORCEINLINE T* PTR_ADD_OFFSET( _In_ const T* Pointer, _In_ const T* Offset ) { return reinterpret_cast( static_cast(Pointer) + static_cast(Offset) ); } template FORCEINLINE T* PTR_SUB_OFFSET( _In_ const T* Pointer, _In_ const T* Offset ) { return reinterpret_cast( static_cast(Pointer) - static_cast(Pointer) ); } #else #define PTR_ADD_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset))) #define PTR_SUB_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) - (ULONG_PTR)(Offset))) #endif #define PH_LARGE_BUFFER_SIZE (256 * 1024 * 1024) #define XMM_SIZE sizeof(__m128i) #define XMM_OFFSET(p) ((XMM_SIZE - 1) & (ULONG_PTR)(p)) #define XMM_CHARS (XMM_SIZE / sizeof(wchar_t)) #define XMM_CHAR_ALIGNED(p) (0 == (((ULONG_PTR)(p) + sizeof(wchar_t) - 1) & (0-sizeof(wchar_t)) & (XMM_SIZE-1))) #define XMM_PAGE_SAFE(p) (PAGE_OFFSET(p) <= (PAGE_SIZE - XMM_SIZE)) // // Exceptions // #define PhRaiseStatus(Status) RtlRaiseStatus(Status) #define SIMPLE_EXCEPTION_FILTER(Condition) \ ((Condition) ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) // // Compiler // #ifdef DEBUG #define ASSUME_ASSERT(Expression) assert(Expression) #define ASSUME_NO_DEFAULT assert(FALSE) #else #define ASSUME_ASSERT(Expression) __assume(Expression) #define ASSUME_NO_DEFAULT __assume(FALSE) #endif // // Math // #if defined(_M_IX86) #define UInt32Add32To64(a, b) ((unsigned __int64)(((unsigned __int64)((unsigned int)(a))) + ((unsigned int)(b)))) // Avoids warning C26451 (dmex) #define UInt32Sub32To64(a, b) ((unsigned __int64)(((unsigned __int64)((unsigned int)(a))) - ((unsigned int)(b)))) #define UInt32Div32To64(a, b) ((unsigned __int64)(((unsigned __int64)((unsigned int)(a))) / ((unsigned int)(b)))) #define UInt32Mul32To64(a, b) ((unsigned __int64)(((unsigned __int64)((unsigned int)(a))) * ((unsigned int)(b)))) #else #define UInt32Add32To64(a, b) (((unsigned __int64)((unsigned int)(a))) + ((unsigned __int64)((unsigned int)(b)))) // from UInt32x32To64 (dmex) #define UInt32Sub32To64(a, b) (((unsigned __int64)((unsigned int)(a))) - ((unsigned __int64)((unsigned int)(b)))) #define UInt32Div32To64(a, b) (((unsigned __int64)((unsigned int)(a))) / ((unsigned __int64)((unsigned int)(b)))) #define UInt32Mul32To64(a, b) (((unsigned __int64)((unsigned int)(a))) * ((unsigned __int64)((unsigned int)(b)))) #endif // // Time // #define PH_TICKS_PER_NS ((LONG64)1 * 10) #define PH_TICKS_PER_MS (PH_TICKS_PER_NS * 1000) #define PH_TICKS_PER_SEC (PH_TICKS_PER_MS * 1000) #define PH_TICKS_PER_MIN (PH_TICKS_PER_SEC * 60) #define PH_TICKS_PER_HOUR (PH_TICKS_PER_MIN * 60) #define PH_TICKS_PER_DAY (PH_TICKS_PER_HOUR * 24) #define PH_TICKS_PARTIAL_NS(Ticks) (((ULONG64)(Ticks) / PH_TICKS_PER_NS) % 1000000) #define PH_TICKS_PARTIAL_MS(Ticks) (((ULONG64)(Ticks) / PH_TICKS_PER_MS) % 1000) #define PH_TICKS_PARTIAL_SEC(Ticks) (((ULONG64)(Ticks) / PH_TICKS_PER_SEC) % 60) #define PH_TICKS_PARTIAL_MIN(Ticks) (((ULONG64)(Ticks) / PH_TICKS_PER_MIN) % 60) #define PH_TICKS_PARTIAL_HOURS(Ticks) (((ULONG64)(Ticks) / PH_TICKS_PER_HOUR) % 24) #define PH_TICKS_PARTIAL_DAYS(Ticks) ((ULONG64)(Ticks) / PH_TICKS_PER_DAY) #define PH_TIMEOUT_MS PH_TICKS_PER_MS #define PH_TIMEOUT_SEC PH_TICKS_PER_SEC // // Annotations // /** * Indicates that a function assumes the specified number of references are available for the * object. * * \remarks Usually functions reference objects if they store them for later usage; this annotation * specifies that the caller must supply these extra references itself. In effect these references * are "transferred" to the function and must not be used. E.g. if you create an object and * immediately call a function with _Assume_refs_(1), you may no longer use the object since that * one reference you held is no longer yours. */ #define _Assume_refs_(count) #define _Callback_ /** * Indicates that a function may raise a software exception. * * \remarks Do not use this annotation for temporary usages of exceptions, e.g. unimplemented * functions. */ #define _May_raise_ // // Casts // // Zero extension and sign extension macros #define C_1uTo2(x) ((unsigned short)(unsigned char)(x)) #define C_1sTo2(x) ((unsigned short)(signed char)(x)) #define C_1uTo4(x) ((unsigned int)(unsigned char)(x)) #define C_1sTo4(x) ((unsigned int)(signed char)(x)) #define C_2uTo4(x) ((unsigned int)(unsigned short)(x)) #define C_2sTo4(x) ((unsigned int)(signed short)(x)) #define C_4uTo8(x) ((unsigned __int64)(unsigned int)(x)) #define C_4sTo8(x) ((unsigned __int64)(signed int)(x)) // // Sorting // typedef enum _PH_SORT_ORDER { NoSortOrder = 0, AscendingSortOrder, DescendingSortOrder } PH_SORT_ORDER, *PPH_SORT_ORDER; FORCEINLINE LONG PhModifySort( _In_ LONG Result, _In_ PH_SORT_ORDER Order ) { switch (Order) { case AscendingSortOrder: return Result; case DescendingSortOrder: return -Result; default: return Result; } } #define PH_BUILTIN_COMPARE(value1, value2) \ if ((value1) > (value2)) \ return 1; \ else if ((value1) < (value2)) \ return -1; \ \ return 0 FORCEINLINE int charcmp( _In_ signed char value1, _In_ signed char value2 ) { return C_1sTo4(value1 - value2); } FORCEINLINE int ucharcmp( _In_ unsigned char value1, _In_ unsigned char value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int shortcmp( _In_ signed short value1, _In_ signed short value2 ) { return C_2sTo4(value1 - value2); } FORCEINLINE int ushortcmp( _In_ unsigned short value1, _In_ unsigned short value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int intcmp( _In_ int value1, _In_ int value2 ) { return value1 - value2; } FORCEINLINE int uintcmp( _In_ unsigned int value1, _In_ unsigned int value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int int64cmp( _In_ __int64 value1, _In_ __int64 value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int uint64cmp( _In_ unsigned __int64 value1, _In_ unsigned __int64 value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int intptrcmp( _In_ LONG_PTR value1, _In_ LONG_PTR value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int uintptrcmp( _In_ ULONG_PTR value1, _In_ ULONG_PTR value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int singlecmp( _In_ float value1, _In_ float value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int doublecmp( _In_ double value1, _In_ double value2 ) { PH_BUILTIN_COMPARE(value1, value2); } FORCEINLINE int wcsicmp2( _In_opt_ PCWSTR Value1, _In_opt_ PCWSTR Value2 ) { if (Value1 && Value2) return _wcsicmp(Value1, Value2); else if (!Value1) return !Value2 ? 0 : -1; else return 1; } typedef int (__cdecl *PC_COMPARE_FUNCTION)(void *, const void *, const void *); // // Synchronization // FORCEINLINE LONG_PTR __InterlockedExchangeAddPointer( _Inout_ _Interlocked_operand_ LONG_PTR volatile *Addend, _In_ LONG_PTR Value ) { #ifdef _WIN64 return (LONG_PTR)_InterlockedExchangeAdd64((volatile LONG64*)Addend, (LONG64)Value); #else return (LONG_PTR)_InterlockedExchangeAdd((volatile LONG*)Addend, (LONG)Value); #endif } #define _InterlockedExchangeAddPointer __InterlockedExchangeAddPointer FORCEINLINE LONG_PTR _InterlockedIncrementPointer( _Inout_ _Interlocked_operand_ LONG_PTR volatile *Addend ) { #ifdef _WIN64 return (LONG_PTR)_InterlockedIncrement64((volatile LONG64*)Addend); #else return (LONG_PTR)_InterlockedIncrement((volatile LONG*)Addend); #endif } FORCEINLINE LONG_PTR __InterlockedDecrementPointer( _Inout_ _Interlocked_operand_ LONG_PTR volatile *Addend ) { #ifdef _WIN64 return (LONG_PTR)_InterlockedDecrement64((volatile LONG64*)Addend); #else return (LONG_PTR)_InterlockedDecrement((volatile LONG*)Addend); #endif } #define _InterlockedDecrementPointer __InterlockedDecrementPointer FORCEINLINE BOOLEAN _InterlockedBitTestAndResetPointer( _Inout_ _Interlocked_operand_ LONG_PTR volatile *Base, _In_ LONG_PTR Bit ) { #ifdef _WIN64 return _interlockedbittestandreset64((volatile LONG64*)Base, (LONG64)Bit); #else return _interlockedbittestandreset((volatile LONG*)Base, (LONG)Bit); #endif } FORCEINLINE BOOLEAN _InterlockedBitTestAndSetPointer( _Inout_ _Interlocked_operand_ LONG_PTR volatile *Base, _In_ LONG_PTR Bit ) { #ifdef _WIN64 return _interlockedbittestandset64((volatile LONG64*)Base, (LONG64)Bit); #else return _interlockedbittestandset((volatile LONG*)Base, (LONG)Bit); #endif } FORCEINLINE BOOLEAN _InterlockedIncrementNoZero( _Inout_ _Interlocked_operand_ LONG volatile *Addend ) { LONG value; LONG newValue; value = *Addend; while (TRUE) { if (value == 0) return FALSE; if ((newValue = _InterlockedCompareExchange( Addend, value + 1, value )) == value) { return TRUE; } value = newValue; } } FORCEINLINE BOOLEAN _InterlockedIncrementPositive( _Inout_ _Interlocked_operand_ LONG volatile *Addend ) { LONG value; LONG newValue; value = *Addend; while (TRUE) { if (value <= 0) return FALSE; if ((newValue = _InterlockedCompareExchange( Addend, value + 1, value )) == value) { return TRUE; } value = newValue; } } FORCEINLINE PVOID _InterlockedReadPointer( _Inout_ _Interlocked_operand_ volatile PVOID *Base ) { return _InterlockedCompareExchangePointer(Base, NULL, NULL); } FORCEINLINE PVOID _InterlockedWritePointer( _Inout_ _Interlocked_operand_ volatile PVOID* Base, _In_ PVOID Value ) { return _InterlockedExchangePointer(Base, Value); } #ifndef InterlockedReadPointer #define InterlockedReadPointer _InterlockedReadPointer #endif #ifndef InterlockedWritePointer #define InterlockedWritePointer _InterlockedWritePointer #endif // // Strings // #define PH_INT32_STR_LEN 12 #define PH_INT32_STR_LEN_1 (PH_INT32_STR_LEN + 1) #define PH_INT64_STR_LEN 50 #define PH_INT64_STR_LEN_1 (PH_INT64_STR_LEN + 1) #define PH_PTR_STR_LEN 24 #define PH_PTR_STR_LEN_1 (PH_PTR_STR_LEN + 1) #define PH_HEX_CHARS L"0123456789abcdef" #pragma warning(push) #pragma warning(disable:4996) FORCEINLINE VOID PhPrintInt32( _Out_writes_(PH_INT32_STR_LEN_1) CONST PWSTR Destination, _In_ CONST LONG Int32 ) { _ltow(Int32, Destination, 10); } FORCEINLINE VOID PhPrintUInt32( _Out_writes_(PH_INT32_STR_LEN_1) CONST PWSTR Destination, _In_ CONST ULONG UInt32 ) { _ultow(UInt32, Destination, 10); } FORCEINLINE VOID PhPrintUInt32IX( _Out_writes_(PH_PTR_STR_LEN_1) CONST PWSTR Destination, _In_ CONST ULONG UInt32 ) { _ultow(UInt32, Destination, 16); } FORCEINLINE VOID PhPrintInt64( _Out_writes_(PH_INT64_STR_LEN_1) CONST PWSTR Destination, _In_ CONST LONG64 Int64 ) { _i64tow(Int64, Destination, 10); } FORCEINLINE VOID PhPrintUInt64( _Out_writes_(PH_INT64_STR_LEN_1) CONST PWSTR Destination, _In_ CONST ULONG64 UInt64 ) { _ui64tow(UInt64, Destination, 10); } FORCEINLINE VOID PhPrintPointer( _Out_writes_(PH_PTR_STR_LEN_1) PWSTR Destination, _In_opt_ PVOID Pointer ) { Destination[0] = L'0'; Destination[1] = L'x'; #ifdef _WIN64 _ui64tow((ULONG64)Pointer, &Destination[2], 16); #else _ultow((ULONG)Pointer, &Destination[2], 16); #endif } #pragma warning(pop) FORCEINLINE VOID PhPrintPointerPadZeros( _Out_writes_(PH_PTR_STR_LEN_1) PWSTR Destination, _In_ PVOID Pointer ) { ULONG_PTR ptr = (ULONG_PTR)Pointer; PWSTR dest = Destination; *dest++ = L'0'; *dest++ = L'x'; #ifdef _WIN64 *dest++ = PH_HEX_CHARS[ptr >> 60]; *dest++ = PH_HEX_CHARS[(ptr & 0x0f00000000000000) >> 56]; *dest++ = PH_HEX_CHARS[(ptr & 0x00f0000000000000) >> 52]; *dest++ = PH_HEX_CHARS[(ptr & 0x000f000000000000) >> 48]; *dest++ = PH_HEX_CHARS[(ptr & 0x0000f00000000000) >> 44]; *dest++ = PH_HEX_CHARS[(ptr & 0x00000f0000000000) >> 40]; *dest++ = PH_HEX_CHARS[(ptr & 0x000000f000000000) >> 36]; *dest++ = PH_HEX_CHARS[(ptr & 0x0000000f00000000) >> 32]; *dest++ = PH_HEX_CHARS[(ptr & 0x00000000f0000000) >> 28]; *dest++ = PH_HEX_CHARS[(ptr & 0x000000000f000000) >> 24]; *dest++ = PH_HEX_CHARS[(ptr & 0x0000000000f00000) >> 20]; *dest++ = PH_HEX_CHARS[(ptr & 0x00000000000f0000) >> 16]; *dest++ = PH_HEX_CHARS[(ptr & 0x000000000000f000) >> 12]; *dest++ = PH_HEX_CHARS[(ptr & 0x0000000000000f00) >> 8]; *dest++ = PH_HEX_CHARS[(ptr & 0x00000000000000f0) >> 4]; *dest++ = PH_HEX_CHARS[ptr & 0x000000000000000f]; #else *dest++ = PH_HEX_CHARS[ptr >> 28]; *dest++ = PH_HEX_CHARS[(ptr & 0x0f000000) >> 24]; *dest++ = PH_HEX_CHARS[(ptr & 0x00f00000) >> 20]; *dest++ = PH_HEX_CHARS[(ptr & 0x000f0000) >> 16]; *dest++ = PH_HEX_CHARS[(ptr & 0x0000f000) >> 12]; *dest++ = PH_HEX_CHARS[(ptr & 0x00000f00) >> 8]; *dest++ = PH_HEX_CHARS[(ptr & 0x000000f0) >> 4]; *dest++ = PH_HEX_CHARS[ptr & 0x0000000f]; #endif *dest = UNICODE_NULL; } // // Misc. // /** * Rounds the given value to the nearest multiple of the specified granularity. * * \param Value The value to round. * \param Granularity The granularity to which the value should be rounded. * \return The value rounded to the nearest multiple of granularity. */ FORCEINLINE ULONG64 PhRoundNumber( _In_ CONST ULONG64 Value, _In_ CONST ULONG64 Granularity ) { return (Value + Granularity / 2) / Granularity * Granularity; } /** * Multiplies a number by a numerator and divides by a denominator, with rounding. * * This function performs the operation: ((Number * Numerator) + (Denominator / 2)) / Denominator * using 32-bit unsigned integers, avoiding overflow and providing rounding. * * \param Number The base number to multiply. * \param Numerator The numerator for multiplication. * \param Denominator The denominator for division. * \return The result of the multiply-divide operation, rounded to the nearest integer. */ FORCEINLINE ULONG PhMultiplyDivide( _In_ CONST ULONG Number, _In_ CONST ULONG Numerator, _In_ CONST ULONG Denominator ) { //return (((ULONG64)Number * (ULONG64)Numerator + (ULONG64)Denominator / 2) / (ULONG64)Denominator); return UInt32Div32To64(UInt32Add32To64(UInt32Mul32To64(Number, Numerator), UInt32Div32To64(Denominator, 2)), Denominator); } /** * Multiplies a signed number by a numerator and divides by a denominator, with rounding. * * This function performs the operation: ((Number * Numerator) + (Denominator / 2)) / Denominator * for signed numbers, preserving the sign and providing rounding. * * \param Number The signed base number to multiply. * \param Numerator The numerator for multiplication. * \param Denominator The denominator for division. * \return The result of the signed multiply-divide operation, rounded to the nearest integer. */ FORCEINLINE LONG PhMultiplyDivideSigned( _In_ CONST LONG Number, _In_ CONST ULONG Numerator, _In_ CONST ULONG Denominator ) { if (Number >= 0) return (LONG)PhMultiplyDivide(Number, Numerator, Denominator); else return -(LONG)PhMultiplyDivide(-Number, Numerator, Denominator); } /** * Probes a user-supplied address for validity and alignment within a specified buffer. * * This function checks that the given `UserAddress` is properly aligned to the specified `Alignment`, * and that the memory region defined by `UserAddress` and `UserLength` is fully contained within * the buffer defined by `BufferAddress` and `BufferLength`. If any of these checks fail, a software * exception is raised. * * \param UserAddress The starting address of the user-supplied memory region to probe. * \param UserLength The length, in bytes, of the memory region to probe. * \param BufferAddress The base address of the buffer within which the user region must reside. * \param BufferLength The length, in bytes, of the buffer. * \param Alignment The required alignment, in bytes, for the user address. * \remarks * This function does not actually access the memory at `UserAddress`; it only performs pointer arithmetic * and alignment checks. Use this function before reading from or writing to user-supplied memory to ensure * safety and prevent access violations. */ FORCEINLINE VOID PhProbeAddress( _In_ CONST PVOID UserAddress, _In_ CONST SIZE_T UserLength, _In_ CONST PVOID BufferAddress, _In_ CONST SIZE_T BufferLength, _In_ CONST ULONG Alignment ) { if (UserLength != 0) { if (!IS_ALIGNED(UserAddress, Alignment)) { PhRaiseStatus(STATUS_DATATYPE_MISALIGNMENT); } if ( ((ULONG_PTR)UserAddress + UserLength < (ULONG_PTR)UserAddress) || ((ULONG_PTR)UserAddress < (ULONG_PTR)BufferAddress) || ((ULONG_PTR)UserAddress + UserLength > (ULONG_PTR)BufferAddress + BufferLength) ) { PhRaiseStatus(STATUS_ACCESS_VIOLATION); } } } /** * Probes a user address for read access and checks if the specified user address is readable * and within the bounds of the buffer. * * \param UserAddress The address to probe. * \param UserLength The length of the memory to probe. * \param BufferAddress The base address of the buffer. * \param BufferLength The length of the buffer. * \param Alignment The required alignment of the address. */ FORCEINLINE VOID PhProbeForRead( _In_ CONST PVOID UserAddress, _In_ CONST SIZE_T UserLength, _In_ CONST PVOID BufferAddress, _In_ CONST SIZE_T BufferLength, _In_ CONST ULONG Alignment ) { if (UserLength != 0) { PhProbeAddress(UserAddress, UserLength, BufferAddress, BufferLength, Alignment); // Align the UserLength to the nearest page boundary. SIZE_T length = (SIZE_T)ALIGN_UP_BY(UserLength, PAGE_SIZE); // Iterate over each page and ensure the address is valid and accessible. for (SIZE_T offset = 0; offset < length; offset += PAGE_SIZE) { // Ensure the address does not overflow if ((ULONG_PTR)UserAddress + offset < (ULONG_PTR)UserAddress) { PhRaiseStatus(STATUS_ACCESS_VIOLATION); } *((volatile char*)UserAddress + offset); } } } FORCEINLINE VOID PhProbeForWrite( _In_ CONST PVOID UserAddress, _In_ CONST SIZE_T UserLength, _In_ CONST PVOID BufferAddress, _In_ CONST SIZE_T BufferLength, _In_ CONST ULONG Alignment ) { if (UserLength != 0) { PhProbeAddress(UserAddress, UserLength, BufferAddress, BufferLength, Alignment); // Align the UserLength to the nearest page boundary. SIZE_T length = (SIZE_T)ALIGN_UP_BY(UserLength, PAGE_SIZE); // Iterate over each page and ensure the address is valid and accessible. for (SIZE_T offset = 0; offset < length; offset += PAGE_SIZE) { // Ensure the address does not overflow if ((ULONG_PTR)UserAddress + offset < (ULONG_PTR)UserAddress) { PhRaiseStatus(STATUS_ACCESS_VIOLATION); } *((volatile char*)UserAddress + offset) = *((volatile char*)UserAddress + offset); } } } FORCEINLINE PLARGE_INTEGER PhTimeoutFromMilliseconds( _Out_ CONST PLARGE_INTEGER Timeout, _In_ CONST ULONG Milliseconds ) { if (Milliseconds == INFINITE) Timeout->QuadPart = MINLONGLONG; else Timeout->QuadPart = -(LONGLONG)UInt32x32To64(Milliseconds, PH_TIMEOUT_MS); return Timeout; } FORCEINLINE FLOAT PhClampSingle( _In_ FLOAT Value, _In_ FLOAT Min, _In_ FLOAT Max ) { return fminf(fmaxf(Value, Min), Max); } FORCEINLINE DOUBLE PhClampDouble( _In_ DOUBLE Value, _In_ DOUBLE Min, _In_ DOUBLE Max ) { return fmin(fmax(Value, Min), Max); } #endif ================================================ FILE: phlib/include/phutil.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #ifndef _PH_PHUTIL_H #define _PH_PHUTIL_H EXTERN_C_START extern CONST WCHAR *PhSizeUnitNames[7]; extern ULONG PhMaxSizeUnit; extern USHORT PhMaxPrecisionUnit; extern FLOAT PhMaxPrecisionLimit; extern CONST PH_STRINGREF PhPrefixUnitNamesCounted[7]; extern CONST PH_STRINGREF PhSiPrefixUnitNamesCounted[7]; typedef struct _PH_INTEGER_PAIR { LONG X; LONG Y; } PH_INTEGER_PAIR, *PPH_INTEGER_PAIR; typedef struct _PH_SCALABLE_INTEGER_PAIR { union { PH_INTEGER_PAIR Pair; struct { LONG X; LONG Y; }; }; union { PH_INTEGER_PAIR Padding; struct { LONG Scale; LONG Spare; }; }; } PH_SCALABLE_INTEGER_PAIR, *PPH_SCALABLE_INTEGER_PAIR; typedef struct _PH_RECTANGLE { union { PH_INTEGER_PAIR Position; struct { LONG Left; LONG Top; }; }; union { PH_INTEGER_PAIR Size; struct { LONG Width; LONG Height; }; }; } PH_RECTANGLE, *PPH_RECTANGLE; /** * Converts a Win32 RECT to a PPH_RECTANGLE. * * The resulting rectangle uses left/top coordinates and width/height * dimensions rather than Win32's left/top/right/bottom edge format. */ FORCEINLINE VOID PhRectToRectangle( _Out_ PPH_RECTANGLE Rectangle, _In_ PRECT Rect ) { Rectangle->Left = Rect->left; Rectangle->Top = Rect->top; Rectangle->Width = Rect->right - Rect->left; Rectangle->Height = Rect->bottom - Rect->top; } /** * Converts a PPH_RECTANGLE to a Win32 RECT. * * The output RECT uses absolute edge coordinates computed from the * rectangle's left/top origin and width/height dimensions. */ FORCEINLINE VOID PhRectangleToRect( _Out_ PRECT Rect, _In_ PPH_RECTANGLE Rectangle ) { Rect->left = Rectangle->Left; Rect->top = Rectangle->Top; Rect->right = Rectangle->Left + Rectangle->Width; Rect->bottom = Rectangle->Top + Rectangle->Height; } /** * Converts a RECT from right/bottom offsets to absolute coordinates. * * The right and bottom fields of the input RECT are interpreted as offsets * from the parent rectangle's right and bottom edges. This function converts * them into absolute coordinates relative to the parent. */ FORCEINLINE VOID PhConvertRect( _Inout_ PRECT Rect, _In_ PRECT ParentRect ) { Rect->right = ParentRect->right - ParentRect->left - Rect->right; Rect->bottom = ParentRect->bottom - ParentRect->top - Rect->bottom; } /** * Maps a RECT from an outer coordinate space into an inner one. * * The resulting RECT is expressed relative to the outer rectangle's origin. * This is useful when translating child‑window or sub‑region coordinates * into a parent coordinate system. */ FORCEINLINE VOID PhMapRect( _Out_ PRECT Rect, _In_ PRECT InnerRect, _In_ PRECT OuterRect ) { Rect->left = InnerRect->left - OuterRect->left; Rect->top = InnerRect->top - OuterRect->top; Rect->right = InnerRect->right - OuterRect->left; Rect->bottom = InnerRect->bottom - OuterRect->top; } PHLIBAPI VOID NTAPI PhAdjustRectangleToBounds( _Inout_ PPH_RECTANGLE Rectangle, _In_ PPH_RECTANGLE Bounds ); PHLIBAPI VOID NTAPI PhCenterRectangle( _Inout_ PPH_RECTANGLE Rectangle, _In_ PPH_RECTANGLE Bounds ); PHLIBAPI VOID NTAPI PhAdjustRectangleToWorkingArea( _In_opt_ HWND WindowHandle, _Inout_ PPH_RECTANGLE Rectangle ); PHLIBAPI VOID NTAPI PhCenterWindow( _In_ HWND WindowHandle, _In_opt_ HWND ParentWindowHandle ); PHLIBAPI NTSTATUS NTAPI PhMoveWindowToMonitor( _In_ HWND WindowHandle, _In_ HMONITOR MonitorHandle ); // // NLS // PHLIBAPI LANGID NTAPI PhGetUserDefaultLangID( VOID ); PHLIBAPI LCID NTAPI PhGetSystemDefaultLCID( VOID ); PHLIBAPI LCID NTAPI PhGetUserDefaultLCID( VOID ); PHLIBAPI BOOLEAN NTAPI PhGetUserLocaleInfoBool( _In_ LCTYPE LCType ); PHLIBAPI LCID NTAPI PhGetCurrentThreadLCID( VOID ); // // Time // PHLIBAPI VOID NTAPI PhLargeIntegerToSystemTime( _Out_ PSYSTEMTIME SystemTime, _In_ PLARGE_INTEGER LargeInteger ); PHLIBAPI BOOLEAN NTAPI PhSystemTimeToLargeInteger( _Out_ PLARGE_INTEGER LargeInteger, _In_ PSYSTEMTIME SystemTime ); PHLIBAPI VOID NTAPI PhLargeIntegerToLocalSystemTime( _Out_ PSYSTEMTIME SystemTime, _In_ PLARGE_INTEGER LargeInteger ); PHLIBAPI BOOLEAN NTAPI PhLocalSystemTimeToLargeInteger( _Out_ PLARGE_INTEGER LargeInteger, _In_ PSYSTEMTIME SystemTime ); PHLIBAPI BOOLEAN NTAPI PhSystemTimeToTzSpecificLocalTime( _In_ CONST SYSTEMTIME* UniversalTime, _Out_ PSYSTEMTIME LocalTime ); // // Error messages // PHLIBAPI PPH_STRING NTAPI PhGetMessage( _In_ PVOID DllHandle, _In_ ULONG MessageTableId, _In_ ULONG MessageLanguageId, _In_ ULONG MessageId ); PHLIBAPI PPH_STRING NTAPI PhGetNtMessage( _In_ NTSTATUS Status ); PHLIBAPI PPH_STRING NTAPI PhGetWin32Message( _In_ ULONG Result ); PHLIBAPI PPH_STRING NTAPI PhGetWin32FormatMessage( _In_ ULONG Result ); PHLIBAPI PPH_STRING NTAPI PhGetNtFormatMessage( _In_ NTSTATUS Status ); PHLIBAPI LONG NTAPI PhShowMessage( _In_opt_ HWND WindowHandle, _In_ ULONG Type, _In_ PCWSTR Format, ... ); #define PhShowError(WindowHandle, Format, ...) PhShowMessage(WindowHandle, MB_OK | MB_ICONERROR, Format, __VA_ARGS__) #define PhShowWarning(WindowHandle, Format, ...) PhShowMessage(WindowHandle, MB_OK | MB_ICONWARNING, Format, __VA_ARGS__) #define PhShowInformation(WindowHandle, Format, ...) PhShowMessage(WindowHandle, MB_OK | MB_ICONINFORMATION, Format, __VA_ARGS__) PHLIBAPI LONG NTAPI PhShowMessage2( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ PCWSTR Title, _In_ PCWSTR Format, ... ); #define TD_OK_BUTTON 0x0001 #define TD_YES_BUTTON 0x0002 #define TD_NO_BUTTON 0x0004 #define TD_CANCEL_BUTTON 0x0008 #define TD_RETRY_BUTTON 0x0010 #define TD_CLOSE_BUTTON 0x0020 #ifndef TD_WARNING_ICON #define TD_WARNING_ICON MAKEINTRESOURCEW(-1) #endif #ifndef TD_ERROR_ICON #define TD_ERROR_ICON MAKEINTRESOURCEW(-2) #endif #ifndef TD_INFORMATION_ICON #define TD_INFORMATION_ICON MAKEINTRESOURCEW(-3) #endif #ifndef TD_SHIELD_ICON #define TD_SHIELD_ICON MAKEINTRESOURCEW(-4) #endif #define PhShowError2(WindowHandle, Title, Format, ...) PhShowMessage2(WindowHandle, TD_CLOSE_BUTTON, TD_ERROR_ICON, Title, Format, __VA_ARGS__) #define PhShowWarning2(WindowHandle, Title, Format, ...) PhShowMessage2(WindowHandle, TD_CLOSE_BUTTON, TD_WARNING_ICON, Title, Format, __VA_ARGS__) #define PhShowInformation2(WindowHandle, Title, Format, ...) PhShowMessage2(WindowHandle, TD_CLOSE_BUTTON, TD_INFORMATION_ICON, Title, Format, __VA_ARGS__) PHLIBAPI BOOLEAN NTAPI PhShowMessageOneTime( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ PCWSTR Title, _In_ PCWSTR Format, ... ); PHLIBAPI LONG NTAPI PhShowMessageOneTime2( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ PCWSTR Title, _Out_opt_ PBOOLEAN Checked, _In_ PCWSTR Format, ... ); typedef struct _TASKDIALOGCONFIG TASKDIALOGCONFIG, *PTASKDIALOGCONFIG; // TDM_NAVIGATE_PAGE is not thread safe and accelerator keys crash the process // after navigating to the page and pressing ctrl, alt, home or insert keys. (dmex) FORCEINLINE VOID PhTaskDialogNavigatePage( _In_ HWND WindowHandle, _In_ PTASKDIALOGCONFIG Config ) { assert(HandleToUlong(NtCurrentThreadId()) == GetWindowThreadProcessId(WindowHandle, NULL)); #define WM_TDM_NAVIGATE_PAGE (WM_USER + 101) SendMessage(WindowHandle, WM_TDM_NAVIGATE_PAGE, 0, (LPARAM)(Config)); } #define TD_WARN_ICON MAKEINTRESOURCEW(-1) // Warning icon #define TD_ERROR_ICON MAKEINTRESOURCEW(-2) // Error icon #define TD_INFO_ICON MAKEINTRESOURCEW(-3) // Information icon #define TD_SHIELD_ICON MAKEINTRESOURCEW(-4) // Shield icon #define TD_SHIELD_INFO_ICON MAKEINTRESOURCEW(-5) // Shield icon + Blue background #define TD_SHIELD_WARNING_ICON MAKEINTRESOURCEW(-6) // Shield icon + Yellow background #define TD_SHIELD_ERROR_ICON MAKEINTRESOURCEW(-7) // Shield icon + Red background #define TD_SHIELD_SUCCESS_ICON MAKEINTRESOURCEW(-8) // Shield icon + Green background #define TD_SHIELD_INACTIVE_ICON MAKEINTRESOURCEW(-9) // Shield icon + Gray background _Success_(return) PHLIBAPI BOOLEAN NTAPI PhShowTaskDialog( _In_ PTASKDIALOGCONFIG Config, _Out_opt_ PULONG Button, _Out_opt_ PULONG RadioButton, _Out_opt_ PBOOLEAN FlagChecked ); PHLIBAPI PPH_STRING NTAPI PhGetStatusMessage( _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ); PHLIBAPI VOID NTAPI PhShowStatus( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Message, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ); PHLIBAPI BOOLEAN NTAPI PhShowContinueStatus( _In_ HWND WindowHandle, _In_opt_ PCWSTR Message, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ); PHLIBAPI BOOLEAN NTAPI PhShowConfirmMessage( _In_ HWND WindowHandle, _In_ PCWSTR Verb, _In_ PCWSTR Object, _In_opt_ PCWSTR Message, _In_ BOOLEAN Warning ); /** * Finds an integer in an array of string-integer pairs. * * \param KeyValuePairs The array. * \param SizeOfKeyValuePairs The size of the array, in bytes. * \param String The string to search for. * \param Integer A variable which receives the found integer. * \return TRUE if the string was found, otherwise FALSE. * \remarks The search is case-sensitive. */ _Success_(return) FORCEINLINE BOOLEAN PhFindIntegerSiKeyValuePairs( _In_ PCPH_KEY_VALUE_PAIR KeyValuePairs, _In_ ULONG SizeOfKeyValuePairs, _In_ PCWSTR String, _Out_ PULONG Integer ) { for (ULONG i = 0; i < SizeOfKeyValuePairs / sizeof(PH_KEY_VALUE_PAIR); i++) { if (PhEqualStringZ((PCWSTR)KeyValuePairs[i].Key, String, TRUE)) { *Integer = PtrToUlong(KeyValuePairs[i].Value); return TRUE; } } return FALSE; } /** * Finds an integer in an array of string-integer pairs using a STRINGREF. * * \param KeyValuePairs The array. * \param SizeOfKeyValuePairs The size of the array, in bytes. * \param String The string reference to search for. * \param Integer A variable which receives the found integer. * \return TRUE if the string was found, otherwise FALSE. * \remarks The search is case-sensitive. */ _Success_(return) FORCEINLINE BOOLEAN PhFindIntegerSiKeyValuePairsStringRef( _In_ PCPH_KEY_VALUE_PAIR KeyValuePairs, _In_ ULONG SizeOfKeyValuePairs, _In_ PCPH_STRINGREF String, _Out_ PULONG Integer ) { for (ULONG i = 0; i < SizeOfKeyValuePairs / sizeof(PH_KEY_VALUE_PAIR); i++) { if (PhEqualStringRef((PCPH_STRINGREF)KeyValuePairs[i].Key, String, TRUE)) { *Integer = PtrToUlong(KeyValuePairs[i].Value); return TRUE; } } return FALSE; } /** * Finds a string in an array of string-integer pairs. * * \param KeyValuePairs The array. * \param SizeOfKeyValuePairs The size of the array, in bytes. * \param Integer The integer to search for. * \param String A variable which receives the found string. * \return TRUE if the integer was found, otherwise FALSE. */ _Success_(return) FORCEINLINE BOOLEAN PhFindStringSiKeyValuePairs( _In_ PCPH_KEY_VALUE_PAIR KeyValuePairs, _In_ ULONG SizeOfKeyValuePairs, _In_ ULONG Integer, _Out_ PCWSTR *String ) { for (ULONG i = 0; i < SizeOfKeyValuePairs / sizeof(PH_KEY_VALUE_PAIR); i++) { if (PtrToUlong(KeyValuePairs[i].Value) == Integer) { *String = (PCWSTR)KeyValuePairs[i].Key; return TRUE; } } return FALSE; } /** * Finds a string reference in an array of string-integer pairs. * * \param KeyValuePairs The array. * \param SizeOfKeyValuePairs The size of the array, in bytes. * \param Integer The integer to search for. * \param String A variable which receives the found string reference. * \return TRUE if the integer was found, otherwise FALSE. */ _Success_(return) FORCEINLINE BOOLEAN PhFindStringRefSiKeyValuePairs( _In_ PCPH_KEY_VALUE_PAIR KeyValuePairs, _In_ ULONG SizeOfKeyValuePairs, _In_ ULONG Integer, _Out_ PCPH_STRINGREF* String ) { for (ULONG i = 0; i < SizeOfKeyValuePairs / sizeof(PH_KEY_VALUE_PAIR); i++) { if (PtrToUlong(KeyValuePairs[i].Value) == Integer) { *String = (PCPH_STRINGREF)KeyValuePairs[i].Key; return TRUE; } } return FALSE; } /** * Retrieves a string from an array of string-integer pairs by index. * * \param KeyValuePairs The array. * \param SizeOfKeyValuePairs The size of the array, in bytes. * \param Integer The index or integer to search for. * \param String A variable which receives the found string. * \return TRUE if the string was found, otherwise FALSE. * \remarks If the index is out of range, a full search is performed. */ _Success_(return) FORCEINLINE BOOLEAN PhIndexStringSiKeyValuePairs( _In_ PCPH_KEY_VALUE_PAIR KeyValuePairs, _In_ ULONG SizeOfKeyValuePairs, _In_ ULONG Integer, _Out_ PCWSTR *String ) { assert(KeyValuePairs[0].Value == 0); // Values must be zero based if (Integer < SizeOfKeyValuePairs / sizeof(PH_KEY_VALUE_PAIR)) { *String = (PCWSTR)KeyValuePairs[Integer].Key; return TRUE; } return PhFindStringSiKeyValuePairs(KeyValuePairs, SizeOfKeyValuePairs, Integer, String); } /** * Retrieves a string reference from an array of string-integer pairs by index. * * \param KeyValuePairs The array. * \param SizeOfKeyValuePairs The size of the array, in bytes. * \param Integer The index or integer to search for. * \param String A variable which receives the found string reference. * \return TRUE if the string reference was found, otherwise FALSE. * \remarks Values must be zero-based. */ _Success_(return) FORCEINLINE BOOLEAN PhIndexStringRefSiKeyValuePairs( _In_ PCPH_KEY_VALUE_PAIR KeyValuePairs, _In_ ULONG SizeOfKeyValuePairs, _In_ ULONG Integer, _Out_ PCPH_STRINGREF* String ) { assert(KeyValuePairs[0].Value == 0); // Values must be zero based if (Integer < SizeOfKeyValuePairs / sizeof(PH_KEY_VALUE_PAIR)) { *String = (PCPH_STRINGREF)KeyValuePairs[Integer].Key; return TRUE; } return PhFindStringRefSiKeyValuePairs(KeyValuePairs, SizeOfKeyValuePairs, Integer, String); } #define GUID_VERSION_MAC 1 #define GUID_VERSION_DCE 2 #define GUID_VERSION_MD5 3 #define GUID_VERSION_RANDOM 4 #define GUID_VERSION_SHA1 5 #define GUID_VERSION_TIME 6 #define GUID_VERSION_EPOCH 7 #define GUID_VERSION_VENDOR 8 #define GUID_VARIANT_NCS_MASK 0x80 #define GUID_VARIANT_NCS 0x00 #define GUID_VARIANT_STANDARD_MASK 0xc0 #define GUID_VARIANT_STANDARD 0x80 #define GUID_VARIANT_MICROSOFT_MASK 0xe0 #define GUID_VARIANT_MICROSOFT 0xc0 #define GUID_VARIANT_RESERVED_MASK 0xe0 #define GUID_VARIANT_RESERVED 0xe0 typedef union _GUID_EX { GUID Guid; UCHAR Data[16]; struct { ULONG TimeLowPart; USHORT TimeMidPart; USHORT TimeHighPart; UCHAR ClockSequenceHigh; UCHAR ClockSequenceLow; UCHAR Node[6]; } s; struct { ULONG Part0; USHORT Part32; UCHAR Part48; UCHAR Part56 : 4; UCHAR Version : 4; UCHAR Variant; UCHAR Part72; USHORT Part80; ULONG Part96; } s2; } GUID_EX, *PGUID_EX; PHLIBAPI VOID NTAPI PhGenerateGuid( _Out_ PGUID Guid ); /** * Reverses the byte order of a GUID. * * \param Guid The GUID to reverse. * \remarks This function reverses the endianness of the first three GUID fields * (Data1, Data2, and Data3). The remaining fields are left unchanged. */ FORCEINLINE VOID NTAPI PhReverseGuid( _Inout_ PGUID Guid ) { Guid->Data1 = _byteswap_ulong(Guid->Data1); Guid->Data2 = _byteswap_ushort(Guid->Data2); Guid->Data3 = _byteswap_ushort(Guid->Data3); } PHLIBAPI VOID NTAPI PhGenerateGuidFromName( _Out_ PGUID Guid, _In_ PGUID Namespace, _In_ PCHAR Name, _In_ ULONG NameLength, _In_ UCHAR Version ); PHLIBAPI VOID NTAPI PhGenerateClass5Guid( _In_ REFGUID NamespaceGuid, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _Out_ PGUID Guid ); DEFINE_GUID(GUID_NAMESPACE_MICROSOFT, 0x70ffd812, 0x4c7f, 0x4c7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); PHLIBAPI VOID NTAPI PhGenerateHardwareIDGuid( _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _Out_ PGUID Guid ); PHLIBAPI VOID NTAPI PhGenerateRandomAlphaString( _Out_writes_z_(Count) PWSTR Buffer, _In_ SIZE_T Count ); PHLIBAPI VOID NTAPI PhGenerateRandomNumericString( _Out_writes_z_(Count) PWSTR Buffer, _In_ SIZE_T Count ); /** * Generates a random alphabetic string and initializes a STRINGREF to reference it. * * \param Buffer The buffer that receives the generated string. * \param Count The number of characters to generate, including the null terminator. * \param String A variable which receives the resulting string reference. */ FORCEINLINE VOID PhGenerateRandomAlphaStringRef( _Out_writes_z_(Count) PWSTR Buffer, _In_ SIZE_T Count, _Out_ PPH_STRINGREF String ) { PhGenerateRandomAlphaString(Buffer, Count); String->Buffer = Buffer; String->Length = (Count * sizeof(WCHAR)) - sizeof(UNICODE_NULL); } PHLIBAPI ULONG64 NTAPI PhGenerateRandomNumber64( VOID ); PHLIBAPI BOOLEAN NTAPI PhGenerateRandomNumber( _Out_ PLARGE_INTEGER Number ); PHLIBAPI BOOLEAN NTAPI PhGenerateRandomSeed( _Out_ PLARGE_INTEGER Seed ); PHLIBAPI PPH_STRING NTAPI PhEllipsisString( _In_ PPH_STRING String, _In_ SIZE_T DesiredCount ); PHLIBAPI PPH_STRING NTAPI PhEllipsisStringPath( _In_ PPH_STRING String, _In_ SIZE_T DesiredCount ); PHLIBAPI BOOLEAN NTAPI PhMatchWildcards( _In_ PCWSTR Pattern, _In_ PCWSTR String, _In_ BOOLEAN IgnoreCase ); PHLIBAPI PPH_STRING NTAPI PhEscapeStringForMenuPrefix( _In_ PCPH_STRINGREF String ); PHLIBAPI LONG NTAPI PhCompareUnicodeStringZIgnoreMenuPrefix( _In_ PCWSTR A, _In_ PCWSTR B, _In_ BOOLEAN IgnoreCase, _In_ BOOLEAN MatchIfPrefix ); PHLIBAPI PPH_STRING NTAPI PhFormatSystemTimeISO( _In_opt_ PSYSTEMTIME SystemTime ); PHLIBAPI PPH_STRING NTAPI PhFormatLocalSystemTimeISO( _In_opt_ PSYSTEMTIME SystemTime ); PHLIBAPI PPH_STRING NTAPI PhFormatDate( _In_opt_ PSYSTEMTIME Date, _In_opt_ PCWSTR Format ); PHLIBAPI PPH_STRING NTAPI PhFormatTime( _In_opt_ PSYSTEMTIME Time, _In_opt_ PCWSTR Format ); PHLIBAPI PPH_STRING NTAPI PhFormatDateTime( _In_opt_ PSYSTEMTIME DateTime ); #define PhaFormatDateTime(DateTime) PH_AUTO_T(PH_STRING, PhFormatDateTime(DateTime)) #define PH_DATETIME_STR_LEN 256 #define PH_DATETIME_STR_LEN_1 (PH_DATETIME_STR_LEN + 1) _Success_(return) PHLIBAPI BOOLEAN NTAPI PhFormatDateTimeToBuffer( _In_opt_ PSYSTEMTIME DateTime, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PHLIBAPI PPH_STRING NTAPI PhFormatTimeSpan( _In_ ULONG64 Ticks, _In_opt_ ULONG Mode ); PHLIBAPI PPH_STRING NTAPI PhFormatTimeSpanRelative( _In_ ULONG64 TimeSpan ); PHLIBAPI PPH_STRING NTAPI PhFormatUInt64( _In_ ULONG64 Value, _In_ BOOLEAN GroupDigits ); #define PhaFormatUInt64(Value, GroupDigits) \ PH_AUTO_T(PH_STRING, PhFormatUInt64((Value), (GroupDigits))) PHLIBAPI PPH_STRING NTAPI PhFormatUInt64BitratePrefix( _In_ ULONG64 Value, _In_ BOOLEAN GroupDigits ); #define PhaFormatUInt64BitratePrefix(Value, GroupDigits) \ PH_AUTO_T(PH_STRING, PhFormatUInt64BitratePrefix((Value), (GroupDigits))) PHLIBAPI PPH_STRING NTAPI PhFormatDecimal( _In_ PCWSTR Value, _In_ ULONG FractionalDigits, _In_ BOOLEAN GroupDigits ); #define PhaFormatDecimal(Value, FractionalDigits, GroupDigits) \ PH_AUTO_T(PH_STRING, PhFormatDecimal((Value), (FractionalDigits), (GroupDigits))) PHLIBAPI PPH_STRING NTAPI PhFormatSize( _In_ ULONG64 Size, _In_ ULONG MaxSizeUnit ); #define PhaFormatSize(Size, MaxSizeUnit) \ PH_AUTO_T(PH_STRING, PhFormatSize((Size), (MaxSizeUnit))) PHLIBAPI BOOLEAN NTAPI PhFormatSizeToBuffer( _In_ ULONG64 Size, _In_ ULONG MaxSizeUnit, _Out_writes_bytes_opt_(BufferLength) PWSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PHLIBAPI PPH_STRING NTAPI PhFormatGuid( _In_ PGUID Guid ); PHLIBAPI NTSTATUS NTAPI PhFormatGuidToBuffer( _In_ PGUID Guid, _Writable_bytes_(BufferLength) _When_(BufferLength != 0, _Notnull_) PWCHAR Buffer, _In_opt_ USHORT BufferLength, _Out_opt_ PSIZE_T ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhStringToGuid( _In_ PCPH_STRINGREF GuidString, _Out_ PGUID Guid ); typedef struct _VS_VERSION_INFO_STRUCT16 { USHORT Length; USHORT ValueLength; CHAR Key[1]; } VS_VERSION_INFO_STRUCT16, *PVS_VERSION_INFO_STRUCT16; typedef struct _VS_VERSION_INFO_STRUCT32 { USHORT Length; USHORT ValueLength; USHORT Type; WCHAR Key[1]; } VS_VERSION_INFO_STRUCT32, *PVS_VERSION_INFO_STRUCT32; FORCEINLINE BOOLEAN PhIsFileVersionInfo32( _In_ PVOID VersionInfo ) { return ((PVS_VERSION_INFO_STRUCT16)VersionInfo)->Key[0] < 32; } PHLIBAPI NTSTATUS NTAPI PhGetFileVersionInfo( _In_ PCWSTR FileName, _Out_ PVOID* VersionInfo ); PHLIBAPI NTSTATUS NTAPI PhGetFileVersionInfoEx( _In_ PCPH_STRINGREF FileName, _Out_ PVOID* VersionInfo ); PHLIBAPI NTSTATUS NTAPI PhGetFileVersionInfoKey( _In_ PVS_VERSION_INFO_STRUCT32 VersionInfo, _In_ SIZE_T KeyLength, _In_ PCWSTR Key, _Out_opt_ PVOID* Buffer ); PHLIBAPI NTSTATUS NTAPI PhGetFileVersionVarFileInfoValue( _In_ PVOID VersionInfo, _In_ PCPH_STRINGREF KeyName, _Out_opt_ PVOID* Buffer, _Out_opt_ PULONG BufferLength ); FORCEINLINE NTSTATUS NTAPI PhGetFileVersionVarFileInfoValueZ( _In_ PVOID VersionInfo, _In_ PCWSTR KeyName, _Out_opt_ PVOID* Buffer, _Out_opt_ PULONG BufferLength ) { PH_STRINGREF string; PhInitializeStringRef(&string, KeyName); return PhGetFileVersionVarFileInfoValue(VersionInfo, &string, Buffer, BufferLength); } PHLIBAPI VS_FIXEDFILEINFO* NTAPI PhGetFileVersionFixedInfo( _In_ PVOID VersionInfo ); typedef struct _LANGANDCODEPAGE { USHORT Language; USHORT CodePage; } LANGANDCODEPAGE, *PLANGANDCODEPAGE; PHLIBAPI ULONG NTAPI PhGetFileVersionInfoLangCodePage( _In_ PVOID VersionInfo ); PHLIBAPI PPH_STRING NTAPI PhGetFileVersionInfoString( _In_ PVOID VersionInfo, _In_ PCWSTR SubBlock ); PHLIBAPI PPH_STRING NTAPI PhGetFileVersionInfoString2( _In_ PVOID VersionInfo, _In_ ULONG LangCodePage, _In_ PCPH_STRINGREF KeyName ); typedef struct _PH_IMAGE_VERSION_INFO { PPH_STRING CompanyName; PPH_STRING FileDescription; PPH_STRING FileVersion; PPH_STRING ProductName; } PH_IMAGE_VERSION_INFO, *PPH_IMAGE_VERSION_INFO; PHLIBAPI NTSTATUS NTAPI PhInitializeImageVersionInfo( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PCWSTR FileName ); PHLIBAPI NTSTATUS NTAPI PhInitializeImageVersionInfoEx( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN ExtendedVersionInfo ); PHLIBAPI VOID NTAPI PhDeleteImageVersionInfo( _Inout_ PPH_IMAGE_VERSION_INFO ImageVersionInfo ); PHLIBAPI PPH_STRING NTAPI PhFormatImageVersionInfo( _In_opt_ PPH_STRING FileName, _In_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_opt_ PCPH_STRINGREF Indent, _In_opt_ ULONG LineLimit ); PHLIBAPI NTSTATUS NTAPI PhInitializeImageVersionInfoCached( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PPH_STRING FileName, _In_ BOOLEAN IsSubsystemProcess, _In_ BOOLEAN ExtendedVersion ); PHLIBAPI VOID NTAPI PhFlushImageVersionInfoCache( VOID ); PHLIBAPI NTSTATUS NTAPI PhGetFullPath( _In_ PCWSTR FileName, _Out_ PPH_STRING *FullPath, _Out_opt_ PULONG IndexOfFileName ); PHLIBAPI PPH_STRING NTAPI PhExpandEnvironmentStrings( _In_ PCPH_STRINGREF String ); FORCEINLINE PPH_STRING PhExpandEnvironmentStringsZ( _In_ PCWSTR String ) { PH_STRINGREF string; PhInitializeStringRef(&string, String); return PhExpandEnvironmentStrings(&string); } /** * Converts NT path separators to alternate DOS path separators in a string. * * \param String The string to modify. * \return The modified string. * \remarks Only the NT path separator ('\\') is replaced. The function operates * in-place and returns the same string pointer. */ FORCEINLINE PPH_STRING PhConvertNtPathSeperatorToAltSeperator( _In_ PPH_STRING String ) { if (String) { for (ULONG i = 0; i < String->Length / sizeof(WCHAR); i++) { if (String->Buffer[i] == OBJ_NAME_PATH_SEPARATOR) // RtlNtPathSeperatorString String->Buffer[i] = OBJ_NAME_ALTPATH_SEPARATOR; // RtlAlternateDosPathSeperatorString } } return String; } PHLIBAPI PPH_STRING NTAPI PhGetBaseName( _In_ PPH_STRING FileName ); PHLIBAPI PPH_STRING NTAPI PhGetBaseNameChangeExtension( _In_ PCPH_STRINGREF FileName, _In_ PCPH_STRINGREF FileExtension ); FORCEINLINE PPH_STRING NTAPI PhGetBaseNameChangeExtensionZ( _In_ PCPH_STRINGREF FileName, _In_ PCWSTR FileExtension ) { PH_STRINGREF string; PhInitializeStringRef(&string, FileExtension); return PhGetBaseNameChangeExtension(FileName, &string); } _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetBasePath( _In_ PCPH_STRINGREF FileName, _Out_opt_ PPH_STRINGREF BasePathName, _Out_opt_ PPH_STRINGREF BaseFileName ); PHLIBAPI PPH_STRING NTAPI PhGetBaseDirectory( _In_ PPH_STRING FileName ); PHLIBAPI PPH_STRING NTAPI PhGetSystemDirectory( VOID ); PHLIBAPI PPH_STRING NTAPI PhGetSystemDirectoryWin32( _In_opt_ PCPH_STRINGREF AppendPath ); FORCEINLINE PPH_STRING PhGetSystemDirectoryWin32Z( _In_ PCWSTR AppendPath ) { PH_STRINGREF string; PhInitializeStringRef(&string, AppendPath); return PhGetSystemDirectoryWin32(&string); } PHLIBAPI VOID NTAPI PhGetSystemRoot( _Out_ PPH_STRINGREF SystemRoot ); PHLIBAPI VOID NTAPI PhGetNtSystemRoot( _Out_ PPH_STRINGREF NtSystemRoot ); PHLIBAPI PPH_STRING NTAPI PhGetApplicationFileName( VOID ); FORCEINLINE PPH_STRING PhGetApplicationFileNameZ( _In_ PCWSTR AppendPath ) { PPH_STRING fileName = NULL; PPH_STRING applicationFileName; if (applicationFileName = PhGetApplicationFileName()) { PH_STRINGREF string; PhInitializeStringRef(&string, AppendPath); fileName = PhConcatStringRef2(&applicationFileName->sr, &string); PhDereferenceObject(applicationFileName); } return fileName; } PHLIBAPI PPH_STRING NTAPI PhGetApplicationFileNameWin32( VOID ); PHLIBAPI PPH_STRING NTAPI PhGetApplicationDirectory( VOID ); PHLIBAPI PPH_STRING NTAPI PhGetApplicationDirectoryWin32( VOID ); PHLIBAPI PPH_STRING NTAPI PhGetApplicationDirectoryFileName( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ); FORCEINLINE PPH_STRING PhGetApplicationDirectoryFileNameZ( _In_ PCWSTR FileName, _In_ BOOLEAN NativeFileName ) { PH_STRINGREF string; PhInitializeStringRef(&string, FileName); return PhGetApplicationDirectoryFileName(&string, NativeFileName); } PHLIBAPI PPH_STRING NTAPI PhGetTemporaryDirectoryRandomAlphaFileName( VOID ); PHLIBAPI PPH_STRING NTAPI PhGetLocalAppDataDirectory( _In_opt_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ); FORCEINLINE PPH_STRING PhGetLocalAppDataDirectoryZ( _In_ PCWSTR String, _In_ BOOLEAN NativeFileName ) { PH_STRINGREF string; PhInitializeStringRef(&string, String); return PhGetLocalAppDataDirectory(&string, NativeFileName); } PHLIBAPI PPH_STRING NTAPI PhGetRoamingAppDataDirectory( _In_opt_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ); FORCEINLINE PPH_STRING PhGetRoamingAppDataDirectoryZ( _In_ PCWSTR String, _In_ BOOLEAN NativeFileName ) { PH_STRINGREF string; PhInitializeStringRef(&string, String); return PhGetRoamingAppDataDirectory(&string, NativeFileName); } PHLIBAPI PPH_STRING NTAPI PhGetApplicationDataFileName( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ); #define PH_FOLDERID_LocalAppData 1 #define PH_FOLDERID_RoamingAppData 2 #define PH_FOLDERID_ProgramFiles 3 #define PH_FOLDERID_ProgramData 4 PHLIBAPI PPH_STRING NTAPI PhGetKnownLocation( _In_ ULONG Folder, _In_opt_ PCPH_STRINGREF AppendPath, _In_ BOOLEAN NativeFileName ); FORCEINLINE PPH_STRING PhGetKnownLocationZ( _In_ ULONG Folder, _In_ PCWSTR AppendPath, _In_ BOOLEAN NativeFileName ) { PH_STRINGREF string; PhInitializeStringRef(&string, AppendPath); return PhGetKnownLocation(Folder, &string, NativeFileName); } DEFINE_GUID(FOLDERID_LocalAppData, 0xF1B32785, 0x6FBA, 0x4FCF, 0x9D, 0x55, 0x7B, 0x8E, 0x7F, 0x15, 0x70, 0x91); DEFINE_GUID(FOLDERID_RoamingAppData, 0x3EB685DB, 0x65F9, 0x4CF6, 0xA0, 0x3A, 0xE3, 0xEF, 0x65, 0x72, 0x9F, 0x3D); DEFINE_GUID(FOLDERID_ProgramFiles, 0x905e63b6, 0xc1bf, 0x494e, 0xb2, 0x9c, 0x65, 0xb7, 0x32, 0xd3, 0xd2, 0x1a); DEFINE_GUID(FOLDERID_ProgramData, 0x62AB5D82, 0xFDC1, 0x4DC3, 0xA9, 0xDD, 0x07, 0x0D, 0x1D, 0x49, 0x5D, 0x97); #define PH_KF_FLAG_FORCE_PACKAGE_REDIRECTION 0x1 #define PH_KF_FLAG_FORCE_APPCONTAINER_REDIRECTION 0x2 PHLIBAPI PPH_STRING NTAPI PhGetKnownFolderPath( _In_ PCGUID Folder, _In_opt_ PCPH_STRINGREF AppendPath ); PHLIBAPI PPH_STRING NTAPI PhGetKnownFolderPathEx( _In_ PCGUID Folder, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _In_opt_ PCPH_STRINGREF AppendPath ); FORCEINLINE PPH_STRING PhGetKnownFolderPathZ( _In_ PCGUID Folder, _In_ PCWSTR AppendPath ) { PH_STRINGREF string; PhInitializeStringRef(&string, AppendPath); return PhGetKnownFolderPath(Folder, &string); } FORCEINLINE PPH_STRING PhGetKnownFolderPathExZ( _In_ PCGUID Folder, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _In_ PCWSTR AppendPath ) { PH_STRINGREF string; PhInitializeStringRef(&string, AppendPath); return PhGetKnownFolderPathEx(Folder, Flags, TokenHandle, &string); } PHLIBAPI PPH_STRING NTAPI PhGetTemporaryDirectory( _In_opt_ PCPH_STRINGREF AppendPath ); PHLIBAPI NTSTATUS NTAPI PhWaitForMultipleObjectsAndPump( _In_opt_ HWND WindowHandle, _In_ ULONG NumberOfHandles, _In_ PHANDLE Handles, _In_ ULONG Timeout, _In_ ULONG WakeMask ); typedef struct _PH_CREATE_PROCESS_INFO { PUNICODE_STRING DllPath; PUNICODE_STRING WindowTitle; PUNICODE_STRING DesktopInfo; PUNICODE_STRING ShellInfo; PUNICODE_STRING RuntimeData; } PH_CREATE_PROCESS_INFO, *PPH_CREATE_PROCESS_INFO; #define PH_CREATE_PROCESS_INHERIT_HANDLES 0x1 #define PH_CREATE_PROCESS_UNICODE_ENVIRONMENT 0x2 #define PH_CREATE_PROCESS_SUSPENDED 0x4 #define PH_CREATE_PROCESS_BREAKAWAY_FROM_JOB 0x8 #define PH_CREATE_PROCESS_NEW_CONSOLE 0x10 #define PH_CREATE_PROCESS_DEBUG 0x20 #define PH_CREATE_PROCESS_DEBUG_ONLY_THIS_PROCESS 0x40 #define PH_CREATE_PROCESS_EXTENDED_STARTUPINFO 0x80 #define PH_CREATE_PROCESS_DEFAULT_ERROR_MODE 0x100 PHLIBAPI NTSTATUS NTAPI PhCreateProcess( _In_ PCWSTR FileName, _In_opt_ PCPH_STRINGREF CommandLine, _In_opt_ PVOID Environment, _In_opt_ PCPH_STRINGREF CurrentDirectory, _In_opt_ PPH_CREATE_PROCESS_INFO Information, _In_ ULONG Flags, _In_opt_ HANDLE ParentProcessHandle, _Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ); PHLIBAPI NTSTATUS NTAPI PhCreateProcessWin32( _In_opt_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine, _In_opt_ PVOID Environment, _In_opt_ PCWSTR CurrentDirectory, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ); PHLIBAPI NTSTATUS NTAPI PhCreateProcessWin32Ex( _In_opt_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine, _In_opt_ PVOID Environment, _In_opt_ PCWSTR CurrentDirectory, _In_opt_ PVOID StartupInfo, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ); typedef struct _PH_CREATE_PROCESS_AS_USER_INFO { _In_opt_ PCWSTR ApplicationName; _In_opt_ PCWSTR CommandLine; _In_opt_ PCWSTR CurrentDirectory; _In_opt_ PVOID Environment; _In_opt_ PCWSTR DesktopName; _In_opt_ ULONG SessionId; // use PH_CREATE_PROCESS_SET_SESSION_ID union { struct { _In_ PCWSTR DomainName; _In_ PCWSTR UserName; _In_ PCWSTR Password; _In_opt_ ULONG LogonType; _In_opt_ ULONG LogonFlags; }; _In_ HANDLE ProcessIdWithToken; // use PH_CREATE_PROCESS_USE_PROCESS_TOKEN _In_ ULONG SessionIdWithToken; // use PH_CREATE_PROCESS_USE_SESSION_TOKEN }; } PH_CREATE_PROCESS_AS_USER_INFO, *PPH_CREATE_PROCESS_AS_USER_INFO; #define PH_CREATE_PROCESS_USE_PROCESS_TOKEN 0x1000 #define PH_CREATE_PROCESS_USE_SESSION_TOKEN 0x2000 #define PH_CREATE_PROCESS_USE_LINKED_TOKEN 0x10000 #define PH_CREATE_PROCESS_SET_SESSION_ID 0x20000 #define PH_CREATE_PROCESS_WITH_PROFILE 0x40000 #define PH_CREATE_PROCESS_SET_UIACCESS 0x80000 PHLIBAPI NTSTATUS NTAPI PhCreateProcessAsUser( _In_ PPH_CREATE_PROCESS_AS_USER_INFO Information, _In_ ULONG Flags, _In_opt_ PVOID StartupInfo, _Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ); PHLIBAPI NTSTATUS NTAPI PhFilterTokenForLimitedUser( _In_ HANDLE TokenHandle, _Out_ PHANDLE NewTokenHandle ); PHLIBAPI NTSTATUS NTAPI PhGetSecurityDescriptorAsString( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PPH_STRING* SecurityDescriptorString ); PHLIBAPI PSECURITY_DESCRIPTOR NTAPI PhGetSecurityDescriptorFromString( _In_ PCWSTR SecurityDescriptorString ); PHLIBAPI NTSTATUS NTAPI PhGetObjectSecurityDescriptorAsString( _In_ HANDLE Handle, _Out_ PPH_STRING* SecurityDescriptorString ); typedef struct _SHELLEXECUTEINFOW SHELLEXECUTEINFOW, *PSHELLEXECUTEINFOW; PHLIBAPI BOOLEAN NTAPI PhShellExecuteWin32( _Inout_ PSHELLEXECUTEINFOW ExecInfo ); PHLIBAPI VOID NTAPI PhShellExecute( _In_opt_ HWND WindowHandle, _In_ PCWSTR FileName, _In_opt_ PCWSTR Parameters ); #define PH_SHELL_EXECUTE_DEFAULT 0x0 #define PH_SHELL_EXECUTE_ADMIN 0x1 #define PH_SHELL_EXECUTE_PUMP_MESSAGES 0x2 PHLIBAPI NTSTATUS NTAPI PhShellExecuteEx( _In_opt_ HWND WindowHandle, _In_ PCWSTR FileName, _In_opt_ PCWSTR Parameters, _In_opt_ PCWSTR Directory, _In_ LONG ShowWindowType, _In_ ULONG Flags, _In_opt_ ULONG Timeout, _Out_opt_ PHANDLE ProcessHandle ); PHLIBAPI VOID NTAPI PhShellExploreFile( _In_ HWND WindowHandle, _In_ PCWSTR FileName ); PHLIBAPI VOID NTAPI PhShellProperties( _In_ HWND WindowHandle, _In_ PCWSTR FileName ); typedef struct _NOTIFYICONDATAW NOTIFYICONDATAW, *PNOTIFYICONDATAW; PHLIBAPI BOOLEAN NTAPI PhShellNotifyIcon( _In_ ULONG Message, _In_ PNOTIFYICONDATAW NotifyIconData ); PHLIBAPI HRESULT NTAPI PhShellGetKnownFolderPath( _In_ PCGUID rfid, // REFKNOWNFOLDERID _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _Outptr_ PWSTR* FolderPath ); PHLIBAPI HRESULT NTAPI PhShellGetKnownFolderItem( _In_ PCGUID rfid, // REFKNOWNFOLDERID _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _In_ REFIID riid, _Outptr_ PVOID* ppv ); PHLIBAPI PPH_STRING NTAPI PhExpandKeyName( _In_ PPH_STRING KeyName, _In_ BOOLEAN Computer ); PHLIBAPI PPH_STRING NTAPI PhQueryRegistryString( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ); FORCEINLINE PPH_STRING NTAPI PhQueryRegistryStringZ( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName ) { PH_STRINGREF valueName; PhInitializeStringRef(&valueName, ValueName); return PhQueryRegistryString(KeyHandle, &valueName); } PHLIBAPI ULONG NTAPI PhQueryRegistryUlong( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ); FORCEINLINE ULONG NTAPI PhQueryRegistryUlongZ( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName ) { PH_STRINGREF valueName; PhInitializeStringRef(&valueName, ValueName); return PhQueryRegistryUlong(KeyHandle, &valueName); } PHLIBAPI ULONG64 NTAPI PhQueryRegistryUlong64( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ); FORCEINLINE ULONG64 NTAPI PhQueryRegistryUlong64Z( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName ) { PH_STRINGREF valueName; PhInitializeStringRef(&valueName, ValueName); return PhQueryRegistryUlong64(KeyHandle, &valueName); } typedef struct _PH_FLAG_MAPPING { ULONG Flag1; ULONG Flag2; } PH_FLAG_MAPPING, *PPH_FLAG_MAPPING; PHLIBAPI VOID NTAPI PhMapFlags1( _Inout_ PULONG Value2, _In_ ULONG Value1, _In_ const PH_FLAG_MAPPING *Mappings, _In_ ULONG NumberOfMappings ); PHLIBAPI VOID NTAPI PhMapFlags2( _Inout_ PULONG Value1, _In_ ULONG Value2, _In_ const PH_FLAG_MAPPING *Mappings, _In_ ULONG NumberOfMappings ); PHLIBAPI PVOID NTAPI PhCreateOpenFileDialog( VOID ); PHLIBAPI PVOID NTAPI PhCreateSaveFileDialog( VOID ); PHLIBAPI VOID NTAPI PhFreeFileDialog( _In_ PVOID FileDialog ); PHLIBAPI BOOLEAN NTAPI PhShowFileDialog( _In_opt_ HWND WindowHandle, _In_ PVOID FileDialog ); #define PH_FILEDIALOG_CREATEPROMPT 0x1 #define PH_FILEDIALOG_PATHMUSTEXIST 0x2 // default both #define PH_FILEDIALOG_FILEMUSTEXIST 0x4 // default open #define PH_FILEDIALOG_SHOWHIDDEN 0x8 #define PH_FILEDIALOG_NODEREFERENCELINKS 0x10 #define PH_FILEDIALOG_OVERWRITEPROMPT 0x20 // default save #define PH_FILEDIALOG_DEFAULTEXPANDED 0x40 #define PH_FILEDIALOG_STRICTFILETYPES 0x80 #define PH_FILEDIALOG_PICKFOLDERS 0x100 #define PH_FILEDIALOG_NOPATHVALIDATE 0x200 #define PH_FILEDIALOG_DONTADDTORECENT 0x400 PHLIBAPI ULONG NTAPI PhGetFileDialogOptions( _In_ PVOID FileDialog ); PHLIBAPI VOID NTAPI PhSetFileDialogOptions( _In_ PVOID FileDialog, _In_ ULONG Options ); PHLIBAPI ULONG NTAPI PhGetFileDialogFilterIndex( _In_ PVOID FileDialog ); typedef struct _PH_FILETYPE_FILTER { PWSTR Name; PWSTR Filter; } PH_FILETYPE_FILTER, *PPH_FILETYPE_FILTER; PHLIBAPI VOID NTAPI PhSetFileDialogFilter( _In_ PVOID FileDialog, _In_ PPH_FILETYPE_FILTER Filters, _In_ ULONG NumberOfFilters ); PHLIBAPI PPH_STRING NTAPI PhGetFileDialogFileName( _In_ PVOID FileDialog ); PHLIBAPI VOID NTAPI PhSetFileDialogFileName( _In_ PVOID FileDialog, _In_ PCWSTR FileName ); PHLIBAPI NTSTATUS NTAPI PhIsExecutablePacked( _In_ PPH_STRING FileName, _Out_ PBOOLEAN IsPacked, _Out_opt_ PULONG NumberOfModules, _Out_opt_ PULONG NumberOfFunctions ); /** * Image Coherency Scan Type */ typedef enum _PH_IMGCOHERENCY_SCAN_TYPE { /** * Quick scan of the image coherency * - Image header information * - A few pages of each executable section * - Scans a few pages at entry point if it exists and was missed due to previous note * - .NET manifests if appropriate */ PhImageCoherencyQuick, /** * Normal scan of the image coherency * - Image header information * - Up to 40Mib of each executable section * - Scans a few pages at entry point if it exists and was missed due to previous note * - .NET manifests if appropriate */ PhImageCoherencyNormal, /** * Full scan of the image coherency * - Image header information * - Complete scan of all executable sections, this will include the entry point * - .NET manifests if appropriate * - Scans for code caves in tail of mapped sections (virtual mapping > size on disk) */ PhImageCoherencyFull, /** * Fast scan of the image coherency * - only checks for shared original pages using NtQueryVirtualMemory */ PhImageCoherencySharedOriginal, } PH_IMAGE_COHERENCY_SCAN_TYPE; PHLIBAPI NTSTATUS NTAPI PhGetProcessImageCoherency( _In_ PPH_STRING FileName, _In_ HANDLE ProcessId, _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _Out_ PFLOAT ImageCoherency ); PHLIBAPI NTSTATUS NTAPI PhGetProcessModuleImageCoherency( _In_ PPH_STRING FileName, _In_ HANDLE ProcessHandle, _In_ PVOID ImageBaseAddress, _In_ SIZE_T ImageSize, _In_ BOOLEAN IsKernelModule, _In_ PH_IMAGE_COHERENCY_SCAN_TYPE Type, _Out_ PFLOAT ImageCoherency ); PHLIBAPI NTSTATUS NTAPI PhCheckImagePagesForTampering( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T SizeOfImage, _Out_ PSIZE_T NumberOfPages, _Out_ PSIZE_T NumberOfTamperedPages ); PHLIBAPI ULONG NTAPI PhCrc32( _In_ ULONG Crc, _In_reads_(Length) PUCHAR Buffer, _In_ SIZE_T Length ); PHLIBAPI ULONG NTAPI PhCrc32C( _In_ ULONG Crc, _In_reads_(Length) PVOID Buffer, _In_ SIZE_T Length ); typedef enum _PH_HASH_ALGORITHM { Crc32HashAlgorithm, Crc32CHashAlgorithm, Md5HashAlgorithm, Sha1HashAlgorithm, Sha256HashAlgorithm } PH_HASH_ALGORITHM; #define PH_HASH_CRC32_LENGTH 4 #define PH_HASH_MD5_LENGTH 16 #define PH_HASH_SHA1_LENGTH 20 #define PH_HASH_SHA256_LENGTH 32 typedef struct _PH_HASH_CONTEXT { PH_HASH_ALGORITHM Algorithm; ULONG Context[64]; } PH_HASH_CONTEXT, *PPH_HASH_CONTEXT; PHLIBAPI NTSTATUS NTAPI PhInitializeHash( _Out_ PPH_HASH_CONTEXT Context, _In_ PH_HASH_ALGORITHM Algorithm ); PHLIBAPI NTSTATUS NTAPI PhUpdateHash( _In_ PPH_HASH_CONTEXT Context, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ); PHLIBAPI NTSTATUS NTAPI PhFinalHash( _In_ PPH_HASH_CONTEXT Context, _Out_writes_bytes_(HashLength) PVOID Hash, _In_ ULONG HashLength, _Out_opt_ PULONG ReturnLength ); /** * Completes a hash operation and returns the result as a hexadecimal string. * * \param Context The hash context. * \param HashString A variable which receives the resulting hexadecimal string. * \return An NTSTATUS value indicating success or failure. * \remarks The returned string contains the SHA-256 hash encoded as hexadecimal * characters. The caller is responsible for freeing the string. */ FORCEINLINE NTSTATUS NTAPI PhFinalHashString( _In_ PPH_HASH_CONTEXT Context, _Out_ PPH_STRING* HashString ) { NTSTATUS status; UCHAR hash[PH_HASH_SHA256_LENGTH]; status = PhFinalHash(Context, hash, sizeof(hash), NULL); if (NT_SUCCESS(status)) { *HashString = PhBufferToHexString(hash, sizeof(hash)); } return status; } typedef enum _PH_COMMAND_LINE_OPTION_TYPE { NoArgumentType, MandatoryArgumentType, OptionalArgumentType } PH_COMMAND_LINE_OPTION_TYPE, *PPH_COMMAND_LINE_OPTION_TYPE; typedef struct _PH_COMMAND_LINE_OPTION { ULONG Id; PCWSTR Name; PH_COMMAND_LINE_OPTION_TYPE Type; } PH_COMMAND_LINE_OPTION, *PPH_COMMAND_LINE_OPTION; typedef const PH_COMMAND_LINE_OPTION* PCPH_COMMAND_LINE_OPTION; typedef _Function_class_(PH_COMMAND_LINE_CALLBACK) BOOLEAN NTAPI PH_COMMAND_LINE_CALLBACK( _In_opt_ PCPH_COMMAND_LINE_OPTION Option, _In_opt_ PPH_STRING Value, _In_opt_ PVOID Context ); typedef PH_COMMAND_LINE_CALLBACK *PPH_COMMAND_LINE_CALLBACK; #define PH_COMMAND_LINE_IGNORE_UNKNOWN_OPTIONS 0x1 #define PH_COMMAND_LINE_IGNORE_FIRST_PART 0x2 PHLIBAPI PPH_STRING NTAPI PhParseCommandLinePart( _In_ PCPH_STRINGREF CommandLine, _Inout_ PULONG_PTR Index ); PHLIBAPI BOOLEAN NTAPI PhParseCommandLine( _In_ PCPH_STRINGREF CommandLine, _In_opt_ PCPH_COMMAND_LINE_OPTION Options, _In_ ULONG NumberOfOptions, _In_ ULONG Flags, _In_ PPH_COMMAND_LINE_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI PPH_STRING NTAPI PhEscapeCommandLinePart( _In_ PCPH_STRINGREF String ); PHLIBAPI BOOLEAN NTAPI PhParseCommandLineFuzzy( _In_ PCPH_STRINGREF CommandLine, _Out_ PPH_STRINGREF FileName, _Out_ PPH_STRINGREF Arguments, _Out_opt_ PPH_STRING *FullFileName ); PHLIBAPI PPH_LIST NTAPI PhCommandLineToList( _In_ PCWSTR CommandLine ); PHLIBAPI PPH_STRING NTAPI PhCommandLineQuoteSpaces( _In_ PCPH_STRINGREF CommandLine ); PHLIBAPI PPH_STRING NTAPI PhSearchFilePath( _In_ PCWSTR FileName, _In_opt_ PCWSTR Extension ); PHLIBAPI PPH_STRING NTAPI PhCreateCacheFile( _In_ BOOLEAN PortableDirectory, _In_ PPH_STRING FileName, _In_ BOOLEAN NativeFileName ); PHLIBAPI VOID NTAPI PhDeleteCacheFile( _In_ PPH_STRING FileName, _In_ BOOLEAN NativeFileName ); PHLIBAPI VOID NTAPI PhClearCacheDirectory( _In_ BOOLEAN PortableDirectory ); PHLIBAPI HANDLE NTAPI PhGetNamespaceHandle( VOID ); PHLIBAPI HWND NTAPI PhHungWindowFromGhostWindow( _In_ HWND WindowHandle ); PHLIBAPI NTSTATUS NTAPI PhGetFileData( _In_ HANDLE FileHandle, _Out_ PVOID* Buffer, _Out_ PULONG BufferLength ); PHLIBAPI NTSTATUS NTAPI PhGetFileText( _Out_ PVOID* String, _In_ HANDLE FileHandle, _In_ BOOLEAN Unicode ); PHLIBAPI NTSTATUS NTAPI PhFileReadAllText( _Out_ PVOID* String, _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN Unicode ); PHLIBAPI NTSTATUS NTAPI PhFileReadAllTextWin32( _Out_ PVOID* String, _In_ PCWSTR FileName, _In_ BOOLEAN Unicode ); PHLIBAPI HRESULT NTAPI PhGetClassObjectDllBase( _In_ PVOID DllBase, _In_ REFCLSID Rclsid, _In_ REFIID Riid, _Out_ PVOID * Ppv ); PHLIBAPI HRESULT NTAPI PhGetClassObject( _In_ PCWSTR DllName, _In_ REFCLSID Rclsid, _In_ REFIID Riid, _Out_ PVOID* Ppv ); PHLIBAPI HRESULT NTAPI PhGetActivationFactory( _In_ PCWSTR DllName, _In_ PCWSTR RuntimeClass, _In_ REFIID Riid, _Out_ PVOID* Ppv ); PHLIBAPI HRESULT NTAPI PhActivateInstance( _In_ PCWSTR DllName, _In_ PCWSTR RuntimeClass, _In_ REFIID Riid, _Out_ PVOID* Ppv ); PHLIBAPI NTSTATUS NTAPI PhDelayExecution( _In_ ULONG Milliseconds ); PHLIBAPI NTSTATUS NTAPI PhDelayExecutionEx( _In_ BOOLEAN Alertable, _In_ PLARGE_INTEGER DelayInterval ); // // Stopwatch // /** * Represents a high‑resolution stopwatch. */ typedef struct _PH_STOPWATCH { LARGE_INTEGER StartCounter; LARGE_INTEGER EndCounter; LARGE_INTEGER Frequency; } PH_STOPWATCH, *PPH_STOPWATCH; /** * Initializes a stopwatch structure. * \param Stopwatch The stopwatch to initialize. */ FORCEINLINE VOID PhInitializeStopwatch( _Out_ PPH_STOPWATCH Stopwatch ) { Stopwatch->StartCounter.QuadPart = 0; Stopwatch->EndCounter.QuadPart = 0; } /** * Starts a stopwatch. * * \param Stopwatch The stopwatch to start. * \remarks The performance counter frequency is also queried and stored. */ FORCEINLINE VOID PhStartStopwatch( _Inout_ PPH_STOPWATCH Stopwatch ) { PhQueryPerformanceCounter(&Stopwatch->StartCounter); PhQueryPerformanceFrequency(&Stopwatch->Frequency); } /** * Stops a stopwatch. * * \param Stopwatch The stopwatch to stop. */ FORCEINLINE VOID PhStopStopwatch( _Inout_ PPH_STOPWATCH Stopwatch ) { PhQueryPerformanceCounter(&Stopwatch->EndCounter); } /** * Retrieves the elapsed time of a stopwatch in milliseconds. * * \param Stopwatch The stopwatch. * \return The elapsed time, in milliseconds. */ FORCEINLINE ULONG PhGetMillisecondsStopwatch( _In_ PPH_STOPWATCH Stopwatch ) { LARGE_INTEGER elapsedMilliseconds; elapsedMilliseconds.QuadPart = Stopwatch->EndCounter.QuadPart - Stopwatch->StartCounter.QuadPart; elapsedMilliseconds.QuadPart *= 1000; elapsedMilliseconds.QuadPart /= Stopwatch->Frequency.QuadPart; return (ULONG)elapsedMilliseconds.QuadPart; } /** * Retrieves the elapsed time of a stopwatch in microseconds. * * \param Stopwatch The stopwatch. * \return The elapsed time, in microseconds. */ FORCEINLINE DOUBLE PhGetMicrosecondsStopwatch( _In_ PPH_STOPWATCH Stopwatch ) { DOUBLE elapsedMicroseconds; // Convert to microseconds before dividing by ticks-per-second. elapsedMicroseconds = (DOUBLE)(Stopwatch->EndCounter.QuadPart - Stopwatch->StartCounter.QuadPart); elapsedMicroseconds *= 1000000.0; elapsedMicroseconds /= (DOUBLE)Stopwatch->Frequency.QuadPart; return elapsedMicroseconds; } /** * Retrieves the elapsed time of a stopwatch in nanoseconds. * * \param Stopwatch The stopwatch. * \return The elapsed time, in nanoseconds. */ FORCEINLINE DOUBLE PhGetNanosecondsStopwatch( _In_ PPH_STOPWATCH Stopwatch ) { DOUBLE elapsedNanoseconds; // Convert to nanoseconds before dividing by ticks-per-second. elapsedNanoseconds = (DOUBLE)(Stopwatch->EndCounter.QuadPart - Stopwatch->StartCounter.QuadPart); elapsedNanoseconds *= 1000000000.0; elapsedNanoseconds /= (DOUBLE)Stopwatch->Frequency.QuadPart; return elapsedNanoseconds; } PHLIBAPI NTSTATUS NTAPI PhApiSetResolveToHost( _In_ PAPI_SET_NAMESPACE Schema, _In_ PCPH_STRINGREF ApiSetName, _In_opt_ PCPH_STRINGREF ParentName, _Out_ PPH_STRINGREF HostBinary ); PHLIBAPI HRESULT NTAPI PhCreateProcessAsInteractiveUser( _In_ PCWSTR CommandLine, _In_ PCWSTR CurrentDirectory ); PHLIBAPI NTSTATUS NTAPI PhCreateProcessClone( _Out_ PHANDLE ProcessHandle, _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhCreateProcessReflection( _Out_ PPROCESS_REFLECTION_INFORMATION ReflectionInformation, _In_ HANDLE ProcessHandle ); PHLIBAPI VOID NTAPI PhFreeProcessReflection( _In_ PPROCESS_REFLECTION_INFORMATION ReflectionInformation ); PHLIBAPI NTSTATUS NTAPI PhCreateProcessSnapshot( _Out_ PHANDLE SnapshotHandle, _In_ HANDLE ProcessHandle ); PHLIBAPI VOID NTAPI PhFreeProcessSnapshot( _In_ HANDLE SnapshotHandle, _In_ HANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhCreateProcessRedirection( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ PCPH_STRINGREF CommandLine, _In_opt_ PCPH_STRINGREF CommandInput, _Out_opt_ PPH_STRING* CommandOutput ); PHLIBAPI NTSTATUS NTAPI PhInitializeProcThreadAttributeList( _Out_ PPROC_THREAD_ATTRIBUTE_LIST* AttributeList, _In_ ULONG AttributeCount ); PHLIBAPI NTSTATUS NTAPI PhDeleteProcThreadAttributeList( _In_ PPROC_THREAD_ATTRIBUTE_LIST AttributeList ); PHLIBAPI NTSTATUS NTAPI PhUpdateProcThreadAttribute( _In_ PPROC_THREAD_ATTRIBUTE_LIST AttributeList, _In_ ULONG_PTR Attribute, _In_ PVOID Buffer, _In_ SIZE_T BufferLength ); PHLIBAPI PPH_STRING NTAPI PhGetActiveComputerName( VOID ); #include #include typedef enum _DEV_OBJECT_TYPE DEV_OBJECT_TYPE, *PDEV_OBJECT_TYPE; typedef enum _DEV_QUERY_FLAGS DEV_QUERY_FLAGS, *PDEV_QUERY_FLAGS; typedef struct _DEVPROPCOMPKEY DEVPROPCOMPKEY, *PDEVPROPCOMPKEY; typedef struct _DEVPROP_FILTER_EXPRESSION DEVPROP_FILTER_EXPRESSION, *PDEVPROP_FILTER_EXPRESSION; typedef struct _DEV_OBJECT DEV_OBJECT, *PDEV_OBJECT; PHLIBAPI PDEVPROPERTY NTAPI PhDevFindProperty( _In_ PDEVPROPKEY Key, _In_ ULONG Store, _In_ ULONG PropertiesCount, _In_reads_(PropertiesCount) PDEVPROPERTY Properties ); PHLIBAPI HRESULT NTAPI PhDevGetObjects( _In_ DEV_OBJECT_TYPE ObjectType, _In_ DEV_QUERY_FLAGS QueryFlags, _In_ ULONG RequestedPropertiesCount, _In_reads_opt_(RequestedPropertiesCount) const DEVPROPCOMPKEY* RequestedProperties, _In_ ULONG FilterExpressionCount, _In_reads_opt_(FilterExpressionCount) const DEVPROP_FILTER_EXPRESSION* FilterExpressions, _Out_ PULONG ObjectCount, _Outptr_result_buffer_(*ObjectCount) const DEV_OBJECT** Objects ); PHLIBAPI VOID NTAPI PhDevFreeObjects( _In_ ULONG ObjectCount, _In_reads_(ObjectCount) const DEV_OBJECT* Objects ); typedef GUID DEVPROPGUID, *PDEVPROPGUID; typedef ULONG DEVPROPID, *PDEVPROPID; typedef struct _DEVPROPKEY DEVPROPKEY, *PDEVPROPKEY; typedef enum _DEVPROPSTORE DEVPROPSTORE, *PDEVPROPSTORE; typedef ULONG DEVPROPTYPE, *PDEVPROPTYPE; typedef struct _DEVPROPCOMPKEY DEVPROPCOMPKEY, *PDEVPROPCOMPKEY; PHLIBAPI HRESULT NTAPI PhDevGetObjectProperties( _In_ DEV_OBJECT_TYPE ObjectType, _In_ PCWSTR ObjectId, _In_ DEV_QUERY_FLAGS QueryFlags, _In_ ULONG RequestedPropertiesCount, _In_reads_(RequestedPropertiesCount) const DEVPROPCOMPKEY* RequestedProperties, _Out_ PULONG PropertiesCount, _Outptr_result_buffer_(*PropertiesCount) const DEVPROPERTY** Properties ); PHLIBAPI VOID NTAPI PhDevFreeObjectProperties( _In_ ULONG PropertiesCount, _In_reads_(PropertiesCount) const DEVPROPERTY* Properties ); PHLIBAPI HRESULT NTAPI PhDevCreateObjectQuery( _In_ DEV_OBJECT_TYPE ObjectType, _In_ DEV_QUERY_FLAGS QueryFlags, _In_ ULONG RequestedPropertiesCount, _In_reads_opt_(RequestedPropertiesCount) const DEVPROPCOMPKEY* RequestedProperties, _In_ ULONG FilterExpressionCount, _In_reads_opt_(FilterExpressionCount) const DEVPROP_FILTER_EXPRESSION* Filter, _In_ PDEV_QUERY_RESULT_CALLBACK Callback, _In_opt_ PVOID Context, _Out_ PHDEVQUERY DevQuery ); PHLIBAPI VOID NTAPI PhDevCloseObjectQuery( _In_ HDEVQUERY QueryHandle ); #define PH_DEVKEY_HARDWARE (0x00000000) #define PH_DEVKEY_SOFTWARE (0x00000001) #define PH_DEVKEY_USER (0x00000100) #define PH_DEVKEY_CONFIG (0x00000200) PHLIBAPI NTSTATUS NTAPI PhDevOpenObjectKey( _In_ PPH_STRING DeviceInstanceId, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG Flags, _Out_ PHANDLE KeyHandle ); PHLIBAPI HRESULT NTAPI PhTaskbarListCreate( _Out_ PHANDLE TaskbarHandle ); PHLIBAPI VOID NTAPI PhTaskbarListDestroy( _In_ HANDLE TaskbarHandle ); PHLIBAPI VOID NTAPI PhTaskbarListSetProgressValue( _In_ HANDLE TaskbarHandle, _In_ HWND WindowHandle, _In_ ULONGLONG Completed, _In_ ULONGLONG Total ); #define PH_TBLF_NOPROGRESS 0x1 #define PH_TBLF_INDETERMINATE 0x2 #define PH_TBLF_NORMAL 0x4 #define PH_TBLF_ERROR 0x8 #define PH_TBLF_PAUSED 0x10 PHLIBAPI VOID NTAPI PhTaskbarListSetProgressState( _In_ HANDLE TaskbarHandle, _In_ HWND WindowHandle, _In_ ULONG Flags ); PHLIBAPI VOID NTAPI PhTaskbarListSetOverlayIcon( _In_ HANDLE TaskbarHandle, _In_ HWND WindowHandle, _In_opt_ HICON IconHandle, _In_opt_ PCWSTR IconDescription ); /** * Adds an offset to a pointer with overflow protection. * * \param Pointer The pointer to modify. * \param Offset The number of bytes to add. * \return TRUE if the offset was successfully added, otherwise FALSE. * \remarks The function fails if the addition would wrap past the end of the * address space. */ FORCEINLINE BOOLEAN PhPtrAddOffset( _Inout_ PVOID* Pointer, _In_ SIZE_T Offset ) { PVOID pointer; pointer = PTR_ADD_OFFSET(*Pointer, Offset); if (pointer < *Pointer) return FALSE; *Pointer = pointer; return TRUE; } /** * Advances a pointer by a specified offset while ensuring it does not exceed a limit. * * \param Pointer The pointer to modify. * \param EndPointer The end boundary that must not be crossed. * \param Offset The number of bytes to advance. * \return TRUE if the pointer was successfully advanced, otherwise FALSE. * \remarks The function fails if the addition overflows or if the resulting * pointer would be greater than or equal to EndPointer. */ FORCEINLINE BOOLEAN PhPtrAdvance( _Inout_ PVOID* Pointer, _In_ PVOID EndPointer, _In_ SIZE_T Offset ) { PVOID pointer; pointer = *Pointer; if (!PhPtrAddOffset(&pointer, Offset)) return FALSE; if (pointer >= EndPointer) return FALSE; *Pointer = pointer; return TRUE; } typedef UINT D3DDDI_VIDEO_PRESENT_SOURCE_ID; typedef enum _D3DKMT_VIDPNSOURCEOWNER_TYPE D3DKMT_VIDPNSOURCEOWNER_TYPE; typedef struct _D3DKMT_QUERYVIDPNEXCLUSIVEOWNERSHIP D3DKMT_QUERYVIDPNEXCLUSIVEOWNERSHIP, *PD3DKMT_QUERYVIDPNEXCLUSIVEOWNERSHIP; BOOLEAN PhIsDirectXRunningFullScreen( VOID ); NTSTATUS PhRestoreFromDirectXRunningFullScreen( _In_ HANDLE ProcessHandle ); NTSTATUS PhQueryDirectXExclusiveOwnership( _Inout_ PD3DKMT_QUERYVIDPNEXCLUSIVEOWNERSHIP QueryExclusiveOwnership ); PHLIBAPI NTSTATUS NTAPI PhEndWindowSession( _In_ HWND WindowHandle ); PHLIBAPI PCPH_STRINGREF NTAPI PhGetLuidKnownTypeToString( _In_ PLUID Luid ); EXTERN_C_END #endif ================================================ FILE: phlib/include/provider.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2021-2022 * */ #ifndef _PH_PROVIDER_H #define _PH_PROVIDER_H #ifdef __cplusplus extern "C" { #endif #if defined(DEBUG) extern PPH_LIST PhDbgProviderList; extern PH_QUEUED_LOCK PhDbgProviderListLock; #endif typedef enum _PH_PROVIDER_THREAD_STATE { ProviderThreadRunning, ProviderThreadStopped, ProviderThreadStopping } PH_PROVIDER_THREAD_STATE; typedef _Function_class_(PH_PROVIDER_FUNCTION) VOID NTAPI PH_PROVIDER_FUNCTION( _In_opt_ PVOID Object ); typedef PH_PROVIDER_FUNCTION *PPH_PROVIDER_FUNCTION; typedef struct _PH_PROVIDER_THREAD *PPH_PROVIDER_THREAD; typedef struct _PH_PROVIDER_REGISTRATION { LIST_ENTRY ListEntry; PPH_PROVIDER_THREAD ProviderThread; PPH_PROVIDER_FUNCTION Function; PVOID Object; ULONG RunId; union { ULONG Flags; struct { ULONG Enabled : 1; ULONG Unregistering : 1; ULONG Boosting : 1; ULONG Spare : 29; }; }; PH_RUNDOWN_PROTECT RundownProtect; } PH_PROVIDER_REGISTRATION, *PPH_PROVIDER_REGISTRATION; typedef struct _PH_PROVIDER_THREAD { HANDLE ThreadHandle; HANDLE TimerHandle; ULONG Interval; PH_PROVIDER_THREAD_STATE State; PH_QUEUED_LOCK Lock; LIST_ENTRY ListHead; ULONG BoostCount; union { ULONG Flags; struct { ULONG UseHighResolution : 1; ULONG Spare : 31; }; }; } PH_PROVIDER_THREAD, *PPH_PROVIDER_THREAD; PHLIBAPI VOID NTAPI PhInitializeProviderThread( _Out_ PPH_PROVIDER_THREAD ProviderThread, _In_ ULONG Interval ); PHLIBAPI VOID NTAPI PhDeleteProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread ); PHLIBAPI NTSTATUS NTAPI PhStartProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread ); PHLIBAPI VOID NTAPI PhStopProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread ); PHLIBAPI NTSTATUS NTAPI PhSetIntervalProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread, _In_ LONG Interval ); PHLIBAPI VOID NTAPI PhRegisterProvider( _Inout_ PPH_PROVIDER_THREAD ProviderThread, _In_ PPH_PROVIDER_FUNCTION Function, _In_opt_ PVOID Object, _Out_ PPH_PROVIDER_REGISTRATION Registration ); PHLIBAPI VOID NTAPI PhUnregisterProvider( _Inout_ PPH_PROVIDER_REGISTRATION Registration ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhBoostProvider( _Inout_ PPH_PROVIDER_REGISTRATION Registration, _Out_opt_ PULONG FutureRunId ); PHLIBAPI ULONG NTAPI PhGetRunIdProvider( _In_ PPH_PROVIDER_REGISTRATION Registration ); PHLIBAPI BOOLEAN NTAPI PhGetEnabledProvider( _In_ PPH_PROVIDER_REGISTRATION Registration ); PHLIBAPI VOID NTAPI PhSetEnabledProvider( _Inout_ PPH_PROVIDER_REGISTRATION Registration, _In_ BOOLEAN Enabled ); PHLIBAPI VOID NTAPI PhSetHighResolutionProvider( _Inout_ PPH_PROVIDER_THREAD ProviderThread, _In_ BOOLEAN UseHighResolution ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/queuedlock.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ #ifndef _PH_QUEUEDLOCK_H #define _PH_QUEUEDLOCK_H #ifdef __cplusplus extern "C" { #endif #define PH_QUEUED_LOCK_OWNED ((ULONG_PTR)0x1) #define PH_QUEUED_LOCK_OWNED_SHIFT 0 #define PH_QUEUED_LOCK_WAITERS ((ULONG_PTR)0x2) // Valid only if Waiters = 0 #define PH_QUEUED_LOCK_SHARED_INC ((ULONG_PTR)0x4) #define PH_QUEUED_LOCK_SHARED_SHIFT 2 // Valid only if Waiters = 1 #define PH_QUEUED_LOCK_TRAVERSING ((ULONG_PTR)0x4) #define PH_QUEUED_LOCK_MULTIPLE_SHARED ((ULONG_PTR)0x8) #define PH_QUEUED_LOCK_FLAGS ((ULONG_PTR)0xf) #define PhGetQueuedLockSharedOwners(Value) \ ((ULONG_PTR)(Value) >> PH_QUEUED_LOCK_SHARED_SHIFT) #define PhGetQueuedLockWaitBlock(Value) \ ((PPH_QUEUED_WAIT_BLOCK)((ULONG_PTR)(Value) & ~PH_QUEUED_LOCK_FLAGS)) typedef struct _PH_QUEUED_LOCK { ULONG_PTR Value; } PH_QUEUED_LOCK, *PPH_QUEUED_LOCK; #define PH_QUEUED_LOCK_INIT { 0 } #define PH_QUEUED_WAITER_EXCLUSIVE 0x1 #define PH_QUEUED_WAITER_SPINNING 0x2 #define PH_QUEUED_WAITER_SPINNING_SHIFT 1 typedef struct DECLSPEC_ALIGN(16) _PH_QUEUED_WAIT_BLOCK { /** A pointer to the next wait block, i.e. the wait block pushed onto the list before this one. */ struct _PH_QUEUED_WAIT_BLOCK *Next; /** * A pointer to the previous wait block, i.e. the wait block pushed onto the list after this * one. */ struct _PH_QUEUED_WAIT_BLOCK *Previous; /** A pointer to the last wait block, i.e. the first waiter pushed onto the list. */ struct _PH_QUEUED_WAIT_BLOCK *Last; ULONG SharedOwners; ULONG Flags; } PH_QUEUED_WAIT_BLOCK, *PPH_QUEUED_WAIT_BLOCK; static_assert((sizeof(PH_QUEUED_WAIT_BLOCK) % MEMORY_ALLOCATION_ALIGNMENT) == 0, "PH_QUEUED_WAIT_BLOCK alignment invalid"); NTSTATUS PhQueuedLockInitialization( VOID ); // Queued lock FORCEINLINE VOID PhInitializeQueuedLock( _Out_ PPH_QUEUED_LOCK QueuedLock ) { QueuedLock->Value = 0; } PHLIBAPI VOID FASTCALL PhfAcquireQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ); _Acquires_exclusive_lock_(*QueuedLock) FORCEINLINE VOID PhAcquireQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { if (_InterlockedBitTestAndSetPointer((PLONG_PTR)&QueuedLock->Value, PH_QUEUED_LOCK_OWNED_SHIFT)) { // Owned bit was already set. Slow path. PhfAcquireQueuedLockExclusive(QueuedLock); } } PHLIBAPI VOID FASTCALL PhfAcquireQueuedLockShared( _Inout_ PPH_QUEUED_LOCK QueuedLock ); _Acquires_shared_lock_(*QueuedLock) FORCEINLINE VOID PhAcquireQueuedLockShared( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { if ((ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&QueuedLock->Value, (PVOID)(PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_SHARED_INC), (PVOID)NULL ) != 0) { PhfAcquireQueuedLockShared(QueuedLock); } } _When_(return != 0, _Acquires_exclusive_lock_(*QueuedLock)) FORCEINLINE BOOLEAN PhTryAcquireQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { if (!_InterlockedBitTestAndSetPointer((PLONG_PTR)&QueuedLock->Value, PH_QUEUED_LOCK_OWNED_SHIFT)) { return TRUE; } else { return FALSE; } } PHLIBAPI VOID FASTCALL PhfReleaseQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ); PHLIBAPI VOID FASTCALL PhfWakeForReleaseQueuedLock( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value ); _Releases_exclusive_lock_(*QueuedLock) FORCEINLINE VOID PhReleaseQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { ULONG_PTR value; value = (ULONG_PTR)_InterlockedExchangeAddPointer((PLONG_PTR)&QueuedLock->Value, -(LONG_PTR)PH_QUEUED_LOCK_OWNED); if ((value & (PH_QUEUED_LOCK_WAITERS | PH_QUEUED_LOCK_TRAVERSING)) == PH_QUEUED_LOCK_WAITERS) { PhfWakeForReleaseQueuedLock(QueuedLock, value - PH_QUEUED_LOCK_OWNED); } } PHLIBAPI VOID FASTCALL PhfReleaseQueuedLockShared( _Inout_ PPH_QUEUED_LOCK QueuedLock ); _Releases_shared_lock_(*QueuedLock) FORCEINLINE VOID PhReleaseQueuedLockShared( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { ULONG_PTR value; value = PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_SHARED_INC; if ((ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&QueuedLock->Value, (PVOID)NULL, (PVOID)value ) != value) { PhfReleaseQueuedLockShared(QueuedLock); } } FORCEINLINE VOID PhAcquireReleaseQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { BOOLEAN owned; MemoryBarrier(); owned = !!(QueuedLock->Value & PH_QUEUED_LOCK_OWNED); MemoryBarrier(); if (owned) { PhAcquireQueuedLockExclusive(QueuedLock); PhReleaseQueuedLockExclusive(QueuedLock); } } FORCEINLINE BOOLEAN PhTryAcquireReleaseQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { BOOLEAN owned; // Need two memory barriers because we don't want the compiler re-ordering the following check // in either direction. MemoryBarrier(); owned = !(QueuedLock->Value & PH_QUEUED_LOCK_OWNED); MemoryBarrier(); return owned; } // Condition variable typedef struct _PH_QUEUED_LOCK PH_CONDITION, *PPH_CONDITION; #define PH_CONDITION_INIT PH_QUEUED_LOCK_INIT FORCEINLINE VOID PhInitializeCondition( _Out_ PPH_CONDITION Condition ) { PhInitializeQueuedLock(Condition); } #define PhPulseCondition PhfPulseCondition PHLIBAPI VOID FASTCALL PhfPulseCondition( _Inout_ PPH_CONDITION Condition ); #define PhPulseAllCondition PhfPulseAllCondition PHLIBAPI VOID FASTCALL PhfPulseAllCondition( _Inout_ PPH_CONDITION Condition ); #define PhWaitForCondition PhfWaitForCondition PHLIBAPI VOID FASTCALL PhfWaitForCondition( _Inout_ PPH_CONDITION Condition, _Inout_ PPH_QUEUED_LOCK Lock, _In_opt_ PLARGE_INTEGER Timeout ); #define PH_CONDITION_WAIT_QUEUED_LOCK 0x1 #define PH_CONDITION_WAIT_CRITICAL_SECTION 0x2 #define PH_CONDITION_WAIT_FAST_LOCK 0x4 #define PH_CONDITION_WAIT_LOCK_TYPE_MASK 0xfff #define PH_CONDITION_WAIT_SHARED 0x1000 #define PH_CONDITION_WAIT_SPIN 0x2000 #define PhWaitForConditionEx PhfWaitForConditionEx PHLIBAPI VOID FASTCALL PhfWaitForConditionEx( _Inout_ PPH_CONDITION Condition, _Inout_ PVOID Lock, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER Timeout ); // Wake event typedef struct _PH_QUEUED_LOCK PH_WAKE_EVENT, *PPH_WAKE_EVENT; #define PH_WAKE_EVENT_INIT PH_QUEUED_LOCK_INIT FORCEINLINE VOID PhInitializeWakeEvent( _Out_ PPH_WAKE_EVENT WakeEvent ) { PhInitializeQueuedLock(WakeEvent); } #define PhQueueWakeEvent PhfQueueWakeEvent PHLIBAPI VOID FASTCALL PhfQueueWakeEvent( _Inout_ PPH_WAKE_EVENT WakeEvent, _Out_ PPH_QUEUED_WAIT_BLOCK WaitBlock ); PHLIBAPI VOID FASTCALL PhfSetWakeEvent( _Inout_ PPH_WAKE_EVENT WakeEvent, _Inout_opt_ PPH_QUEUED_WAIT_BLOCK WaitBlock ); FORCEINLINE VOID PhSetWakeEvent( _Inout_ PPH_WAKE_EVENT WakeEvent, _Inout_opt_ PPH_QUEUED_WAIT_BLOCK WaitBlock ) { // The wake event is similar to a synchronization event in that it does not have thread-safe // pulsing; we can simply skip the function call if there's nothing to wake. However, if we're // cancelling a wait (WaitBlock != NULL) we need to make the call. if (WakeEvent->Value || WaitBlock) PhfSetWakeEvent(WakeEvent, WaitBlock); } #define PhWaitForWakeEvent PhfWaitForWakeEvent PHLIBAPI NTSTATUS FASTCALL PhfWaitForWakeEvent( _Inout_ PPH_WAKE_EVENT WakeEvent, _Inout_ PPH_QUEUED_WAIT_BLOCK WaitBlock, _In_ BOOLEAN Spin, _In_opt_ PLARGE_INTEGER Timeout ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/ref.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #ifndef _PH_REF_H #define _PH_REF_H EXTERN_C_START // // Configuration // #define PH_OBJECT_SMALL_OBJECT_SIZE 48 #define PH_OBJECT_SMALL_OBJECT_COUNT 512 // Object type flags #define PH_OBJECT_TYPE_USE_FREE_LIST 0x00000001 #define PH_OBJECT_TYPE_TRY_USE_FREE_LIST 0x00000002 #define PH_OBJECT_TYPE_VALID_FLAGS 0x00000003 // // Object type callbacks // /** * The delete procedure for an object type, called when an object of the type is being freed. * * \param Object A pointer to the object being freed. * \param Flags Reserved. */ typedef _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PH_TYPE_DELETE_PROCEDURE( _In_ PVOID Object, _In_ ULONG Flags ); typedef PH_TYPE_DELETE_PROCEDURE* PPH_TYPE_DELETE_PROCEDURE; typedef struct _PH_OBJECT_TYPE PH_OBJECT_TYPE; typedef PH_OBJECT_TYPE* PPH_OBJECT_TYPE; typedef struct _PH_QUEUED_LOCK PH_QUEUED_LOCK; typedef PH_QUEUED_LOCK* PPH_QUEUED_LOCK; #ifdef DEBUG typedef _Function_class_(PH_CREATE_OBJECT_HOOK) VOID NTAPI PH_CREATE_OBJECT_HOOK( _In_ PVOID Object, _In_ SIZE_T Size, _In_ ULONG Flags, _In_ PPH_OBJECT_TYPE ObjectType ); typedef PH_CREATE_OBJECT_HOOK* PPH_CREATE_OBJECT_HOOK; #endif typedef struct _PH_OBJECT_TYPE_PARAMETERS { SIZE_T FreeListSize; ULONG FreeListCount; } PH_OBJECT_TYPE_PARAMETERS, *PPH_OBJECT_TYPE_PARAMETERS; typedef struct _PH_OBJECT_TYPE_INFORMATION { PCWSTR Name; ULONG NumberOfObjects; USHORT Flags; UCHAR TypeIndex; UCHAR Reserved; } PH_OBJECT_TYPE_INFORMATION, *PPH_OBJECT_TYPE_INFORMATION; extern PPH_OBJECT_TYPE PhObjectTypeObject; extern PPH_OBJECT_TYPE PhAllocType; #ifdef DEBUG extern LIST_ENTRY PhDbgObjectListHead; extern PH_QUEUED_LOCK PhDbgObjectListLock; extern PPH_CREATE_OBJECT_HOOK PhDbgCreateObjectHook; #endif NTSTATUS PhRefInitialization( VOID ); _May_raise_ PHLIBAPI PVOID NTAPI PhCreateObject( _In_ SIZE_T ObjectSize, _In_ PPH_OBJECT_TYPE ObjectType ); PHLIBAPI PVOID NTAPI PhReferenceObject( _In_ PVOID Object ); _May_raise_ PHLIBAPI PVOID NTAPI PhReferenceObjectEx( _In_ PVOID Object, _In_ LONG RefCount ); PHLIBAPI PVOID NTAPI PhReferenceObjectSafe( _In_ PVOID Object ); PHLIBAPI VOID NTAPI PhDereferenceObject( _In_ _Post_invalid_ PVOID Object ); PHLIBAPI VOID NTAPI PhDereferenceObjectDeferDelete( _In_ _Post_invalid_ PVOID Object ); _May_raise_ PHLIBAPI VOID NTAPI PhDereferenceObjectEx( _In_ PVOID Object, _In_ LONG RefCount, _In_ BOOLEAN DeferDelete ); /** * References an array of objects. * * \param Objects An array of objects. * \param NumberOfObjects The number of elements in \a Objects. */ FORCEINLINE VOID NTAPI PhReferenceObjects( _In_reads_(NumberOfObjects) const PVOID *Objects, _In_ ULONG NumberOfObjects ) { for (ULONG i = 0; i < NumberOfObjects; i++) PhReferenceObject(Objects[i]); } /** * Dereferences an array of objects. * * \param Objects An array of objects. * \param NumberOfObjects The number of elements in \a Objects. */ FORCEINLINE VOID NTAPI PhDereferenceObjects( _In_reads_(NumberOfObjects) const PVOID *Objects, _In_ ULONG NumberOfObjects ) { for (ULONG i = 0; i < NumberOfObjects; i++) PhDereferenceObject(Objects[i]); } PHLIBAPI ULONG NTAPI PhGetObjectRefCount( _In_ PVOID Object ); PHLIBAPI PPH_OBJECT_TYPE NTAPI PhGetObjectType( _In_ PVOID Object ); PHLIBAPI PPH_OBJECT_TYPE NTAPI PhCreateObjectType( _In_ PCWSTR Name, _In_ ULONG Flags, _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure ); PHLIBAPI PPH_OBJECT_TYPE NTAPI PhCreateObjectTypeEx( _In_ PCWSTR Name, _In_ ULONG Flags, _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure, _In_opt_ PPH_OBJECT_TYPE_PARAMETERS Parameters ); PHLIBAPI VOID NTAPI PhGetObjectTypeInformation( _In_ PPH_OBJECT_TYPE ObjectType, _Out_ PPH_OBJECT_TYPE_INFORMATION Information ); PHLIBAPI PVOID NTAPI PhCreateAlloc( _In_ SIZE_T Size ); // // Object reference functions // #if defined(__cplusplus) EXTERN_C_END template FORCEINLINE VOID PhSwapReference( _Inout_ T** ObjectReference, _In_opt_ T* NewObject ) { T* oldObject; oldObject = *ObjectReference; *ObjectReference = NewObject; if (NewObject) PhReferenceObject((PVOID)NewObject); if (oldObject) PhDereferenceObject((PVOID)oldObject); } template FORCEINLINE VOID PhMoveReference( _Inout_ T** ObjectReference, _In_opt_ _Assume_refs_(1) T* NewObject ) { T* oldObject = *ObjectReference; *ObjectReference = NewObject; if (oldObject) { PhDereferenceObject((PVOID)oldObject); } } template FORCEINLINE VOID PhSetReference( _Out_ T** ObjectReference, _In_opt_ T* NewObject ) { *ObjectReference = NewObject; if (NewObject) PhReferenceObject(NewObject); } template FORCEINLINE VOID PhClearReference( _Inout_ T** ObjectReference ) { T* oldObject = *ObjectReference; *ObjectReference = NULL; if (oldObject) { PhDereferenceObject((PVOID)oldObject); } } EXTERN_C_START #else FORCEINLINE VOID PhSwapReference( _Inout_ PVOID *ObjectReference, _In_opt_ PVOID NewObject ) { PVOID oldObject; oldObject = *ObjectReference; *ObjectReference = NewObject; if (NewObject) PhReferenceObject(NewObject); if (oldObject) PhDereferenceObject(oldObject); } FORCEINLINE VOID PhMoveReference( _Inout_ PVOID *ObjectReference, _In_opt_ _Assume_refs_(1) PVOID NewObject ) { PVOID oldObject; oldObject = *ObjectReference; *ObjectReference = NewObject; if (oldObject) PhDereferenceObject(oldObject); } FORCEINLINE VOID PhSetReference( _Out_ PVOID *ObjectReference, _In_opt_ PVOID NewObject ) { *ObjectReference = NewObject; if (NewObject) PhReferenceObject(NewObject); } FORCEINLINE VOID PhClearReference( _Inout_ PVOID* ObjectReference ) { PVOID oldObject; oldObject = *ObjectReference; *ObjectReference = NULL; if (oldObject) PhDereferenceObject(oldObject); } #endif // // Convenience functions // FORCEINLINE PVOID PhCreateObjectZero( _In_ SIZE_T ObjectSize, _In_ PPH_OBJECT_TYPE ObjectType ) { PVOID object; object = PhCreateObject(ObjectSize, ObjectType); memset(object, 0, ObjectSize); return object; } // // Auto-dereference pool // /** The size of the static array in an auto-release pool. */ #define PH_AUTO_POOL_STATIC_SIZE 64 /** The maximum size of the dynamic array for it to be kept after the auto-release pool is drained. */ #define PH_AUTO_POOL_DYNAMIC_BIG_SIZE 256 /** * An auto-dereference pool can be used for semi-automatic reference counting. Batches of objects * are dereferenced at a certain time. * * This object is not thread-safe and cannot be used across thread boundaries. Always store them as * local variables. */ typedef struct _PH_AUTO_POOL { ULONG StaticCount; PVOID StaticObjects[PH_AUTO_POOL_STATIC_SIZE]; ULONG DynamicCount; ULONG DynamicAllocated; PVOID *DynamicObjects; struct _PH_AUTO_POOL *NextPool; } PH_AUTO_POOL, *PPH_AUTO_POOL; PHLIBAPI VOID NTAPI PhInitializeAutoPool( _Out_ PPH_AUTO_POOL AutoPool ); _May_raise_ PHLIBAPI VOID NTAPI PhDeleteAutoPool( _In_ _Post_invalid_ PPH_AUTO_POOL AutoPool ); PHLIBAPI VOID NTAPI PhDrainAutoPool( _In_ PPH_AUTO_POOL AutoPool ); _May_raise_ PHLIBAPI PVOID NTAPI PhAutoDereferenceObject( _In_opt_ PVOID Object ); #define PH_AUTO PhAutoDereferenceObject #define PH_AUTO_T(Type, Object) ((Type *)PH_AUTO(Object)) EXTERN_C_END #endif ================================================ FILE: phlib/include/refp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #ifndef _PH_REFP_H #define _PH_REFP_H #define PH_OBJECT_TYPE_TABLE_SIZE 256 /** The object was allocated from the small free list. */ #define PH_OBJECT_FROM_SMALL_FREE_LIST 0x1 /** The object was allocated from the type free list. */ #define PH_OBJECT_FROM_TYPE_FREE_LIST 0x2 /** * The object header contains object manager information including the reference count of an object * and its type. */ typedef struct _PH_OBJECT_HEADER { union { struct { USHORT TypeIndex; UCHAR Flags; UCHAR Reserved1; #ifdef _WIN64 ULONG Reserved2; #endif union { LONG RefCount; struct { LONG SavedTypeIndex : 16; LONG SavedFlags : 8; LONG Reserved : 7; LONG DeferDelete : 1; // MUST be the high bit, so that RefCount < 0 when deferring delete }; }; #ifdef _WIN64 ULONG Reserved3; #endif }; SLIST_ENTRY DeferDeleteListEntry; }; #ifdef DEBUG PVOID StackBackTrace[16]; LIST_ENTRY ObjectListEntry; #endif /** * The body of the object. For use by the \ref PhObjectToObjectHeader and * \ref PhObjectHeaderToObject macros. */ QUAD_PTR Body; } PH_OBJECT_HEADER, *PPH_OBJECT_HEADER; static_assert((FIELD_OFFSET(PH_OBJECT_HEADER, Body) % MEMORY_ALLOCATION_ALIGNMENT) == 0, "PH_OBJECT_HEADER alignment invalid"); #ifdef _WIN64 static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, TypeIndex) == 0x0, "PH_OBJECT_HEADER.TypeIndex offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Flags) == 0x2, "PH_OBJECT_HEADER.Flags offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Reserved1) == 0x3, "PH_OBJECT_HEADER.Reserved1 offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Reserved2) == 0x4, "PH_OBJECT_HEADER.Reserved2 offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, RefCount) == 0x8, "PH_OBJECT_HEADER.RefCount offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Reserved3) == 0xc, "PH_OBJECT_HEADER.Reserved3 offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, DeferDeleteListEntry) == 0x0, "PH_OBJECT_HEADER.DeferDeleteListEntry offset mismatch"); #if defined(DEBUG) static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Body) == 0xA0, "PH_OBJECT_HEADER.Body offset mismatch"); #else static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Body) == 0x10, "PH_OBJECT_HEADER.Body offset mismatch"); #endif #else static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, TypeIndex) == 0x0, "PH_OBJECT_HEADER.TypeIndex offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Flags) == 0x2, "PH_OBJECT_HEADER.Flags offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Reserved1) == 0x3, "PH_OBJECT_HEADER.Reserved1 offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, RefCount) == 0x4, "PH_OBJECT_HEADER.RefCount offset mismatch"); static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, DeferDeleteListEntry) == 0x0, "PH_OBJECT_HEADER.DeferDeleteListEntry offset mismatch"); #if defined(DEBUG) static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Body) == 0x50, "PH_OBJECT_HEADER.Body offset mismatch"); #else static_assert(FIELD_OFFSET(PH_OBJECT_HEADER, Body) == 0x8, "PH_OBJECT_HEADER.Body offset mismatch"); #endif #endif /** * Gets a pointer to the object header for an object. * * \param Object A pointer to an object. * * \return A pointer to the object header of the object. */ #if defined(_PHLIB_) #define PhObjectToObjectHeader(Object) ((PPH_OBJECT_HEADER)CONTAINING_RECORD((Object), PH_OBJECT_HEADER, Body)) #else FORCEINLINE PPH_OBJECT_HEADER NTAPI PhObjectToObjectHeader( _In_ PVOID Object ) { return CONTAINING_RECORD(Object, PH_OBJECT_HEADER, Body); } #endif /** * Gets a pointer to an object from an object header. * * \param ObjectHeader A pointer to an object header. * * \return A pointer to an object. */ #if defined(_PHLIB_) #define PhObjectHeaderToObject(ObjectHeader) ((PVOID)&((PPH_OBJECT_HEADER)(ObjectHeader))->Body) #else FORCEINLINE PVOID PhObjectHeaderToObject( _In_ PPH_OBJECT_HEADER ObjectHeader ) { return &ObjectHeader->Body; } #endif /** * Calculates the total size to allocate for an object. * * \param Size The size of the object to allocate. * * \return The new size, including space for the object header. */ #if defined(_PHLIB_) #define PhAddObjectHeaderSize(Size) ((Size) + UFIELD_OFFSET(PH_OBJECT_HEADER, Body)) #else FORCEINLINE SIZE_T PhAddObjectHeaderSize( _In_ SIZE_T Size ) { return UFIELD_OFFSET(PH_OBJECT_HEADER, Body) + Size; } #endif /** An object type specifies a kind of object and its delete procedure. */ typedef struct _PH_OBJECT_TYPE { /** The flags that were used to create the object type. */ USHORT Flags; UCHAR TypeIndex; UCHAR Reserved; /** The total number of objects of this type that are alive. */ ULONG NumberOfObjects; /** An optional procedure called when objects of this type are freed. */ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure; /** The name of the type. */ PCWSTR Name; /** A free list to use when allocating for this type. */ PH_FREE_LIST FreeList; } PH_OBJECT_TYPE, *PPH_OBJECT_TYPE; /** * Increments a reference count, but will never increment from a nonpositive value to 1. * * \param RefCount A pointer to a reference count. */ FORCEINLINE BOOLEAN PhpInterlockedIncrementSafe( _Inout_ PLONG RefCount ) { /* Here we will attempt to increment the reference count, making sure that it is positive. */ return _InterlockedIncrementPositive(RefCount); } PPH_OBJECT_HEADER PhpAllocateObject( _In_ PPH_OBJECT_TYPE ObjectType, _In_ SIZE_T ObjectSize ); VOID PhpFreeObject( _In_ PPH_OBJECT_HEADER ObjectHeader ); VOID PhpDeferDeleteObject( _In_ PPH_OBJECT_HEADER ObjectHeader ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpDeferDeleteObjectRoutine( _In_ PVOID Parameter ); #endif ================================================ FILE: phlib/include/searchbox.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2012-2023 * jxy-s 2023-2024 * */ #ifndef _PH_SEARCHBOX_H #define _PH_SEARCHBOX_H EXTERN_C_START typedef _Function_class_(PH_SEARCHCONTROL_CALLBACK) VOID NTAPI PH_SEARCHCONTROL_CALLBACK( _In_ ULONG_PTR MatchHandle, _In_opt_ PVOID Context ); typedef PH_SEARCHCONTROL_CALLBACK* PPH_SEARCHCONTROL_CALLBACK; PHLIBAPI VOID NTAPI PhCreateSearchControlEx( _In_ HWND ParentWindowHandle, _In_ HWND SearchWindowHandle, _In_opt_ PCWSTR BannerText, _In_ PVOID ImageBaseAddress, _In_ PCWSTR SearchButtonResource, _In_ PCWSTR SearchButtonActiveResource, _In_ PCWSTR CaseButtonResource, _In_ PCWSTR RegexButtonResource, _In_ PCWSTR RegexSetting, _In_ PCWSTR CaseSetting, _In_ PPH_SEARCHCONTROL_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI VOID NTAPI PhSearchControlClear( _In_ HWND SearchWindowHandle ); PHLIBAPI BOOLEAN NTAPI PhSearchControlMatch( _In_ ULONG_PTR MatchHandle, _In_ PCPH_STRINGREF Text ); PHLIBAPI BOOLEAN NTAPI PhSearchControlMatchZ( _In_ ULONG_PTR MatchHandle, _In_ PCWSTR Text ); PHLIBAPI BOOLEAN NTAPI PhSearchControlMatchLongHintZ( _In_ ULONG_PTR MatchHandle, _In_ PCWSTR Text ); PHLIBAPI BOOLEAN NTAPI PhSearchControlMatchPointer( _In_ ULONG_PTR MatchHandle, _In_ PVOID Pointer ); PHLIBAPI BOOLEAN NTAPI PhSearchControlMatchPointerRange( _In_ ULONG_PTR MatchHandle, _In_ PVOID Pointer, _In_ SIZE_T Size ); EXTERN_C_END #endif ================================================ FILE: phlib/include/secedit.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015-2016 * dmex 2017-2023 * */ #ifndef _PH_SECEDIT_H #define _PH_SECEDIT_H EXTERN_C_START extern BOOLEAN PhEnableSecurityAdvancedDialog; // // secedit // typedef struct _PH_ACCESS_ENTRY { PCWSTR Name; ACCESS_MASK Access; BOOLEAN General; BOOLEAN Specific; PCWSTR ShortName; } PH_ACCESS_ENTRY, *PPH_ACCESS_ENTRY; PHLIBAPI PVOID NTAPI PhCreateSecurityPage( _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ); PHLIBAPI VOID NTAPI PhEditSecurity( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_opt_ PPH_OPEN_OBJECT OpenObject, _In_opt_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ); PHLIBAPI VOID NTAPI PhEditSecurityEx( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_opt_ PPH_OPEN_OBJECT OpenObject, _In_opt_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PPH_GET_OBJECT_SECURITY GetObjectSecurity, _In_opt_ PPH_SET_OBJECT_SECURITY SetObjectSecurity, _In_opt_ PVOID Context ); typedef struct _PH_STD_OBJECT_SECURITY { PVOID ObjectContext; PVOID Context; } PH_STD_OBJECT_SECURITY, *PPH_STD_OBJECT_SECURITY; FORCEINLINE ACCESS_MASK PhGetAccessForGetSecurity( _In_ SECURITY_INFORMATION SecurityInformation ) { ACCESS_MASK access = 0; if ( FlagOn(SecurityInformation, OWNER_SECURITY_INFORMATION) || FlagOn(SecurityInformation, GROUP_SECURITY_INFORMATION) || FlagOn(SecurityInformation, DACL_SECURITY_INFORMATION) || FlagOn(SecurityInformation, LABEL_SECURITY_INFORMATION) || FlagOn(SecurityInformation, ATTRIBUTE_SECURITY_INFORMATION) || FlagOn(SecurityInformation, SCOPE_SECURITY_INFORMATION) ) { SetFlag(access, READ_CONTROL); } if (FlagOn(SecurityInformation, SACL_SECURITY_INFORMATION)) { SetFlag(access, ACCESS_SYSTEM_SECURITY); } if (FlagOn(SecurityInformation, BACKUP_SECURITY_INFORMATION)) { SetFlag(access, READ_CONTROL | ACCESS_SYSTEM_SECURITY); } return access; } FORCEINLINE ACCESS_MASK PhGetAccessForSetSecurity( _In_ SECURITY_INFORMATION SecurityInformation ) { ACCESS_MASK access = 0; if ( FlagOn(SecurityInformation, OWNER_SECURITY_INFORMATION) || FlagOn(SecurityInformation, GROUP_SECURITY_INFORMATION) || FlagOn(SecurityInformation, LABEL_SECURITY_INFORMATION) ) { SetFlag(access, WRITE_OWNER); } if ( FlagOn(SecurityInformation, DACL_SECURITY_INFORMATION) || FlagOn(SecurityInformation, ATTRIBUTE_SECURITY_INFORMATION) || FlagOn(SecurityInformation, PROTECTED_DACL_SECURITY_INFORMATION) || FlagOn(SecurityInformation, UNPROTECTED_DACL_SECURITY_INFORMATION) ) { SetFlag(access, WRITE_DAC); } if ( FlagOn(SecurityInformation, SACL_SECURITY_INFORMATION) || FlagOn(SecurityInformation, SCOPE_SECURITY_INFORMATION) || FlagOn(SecurityInformation, PROTECTED_SACL_SECURITY_INFORMATION) || FlagOn(SecurityInformation, UNPROTECTED_SACL_SECURITY_INFORMATION) ) { SetFlag(access, ACCESS_SYSTEM_SECURITY); } if (FlagOn(SecurityInformation, BACKUP_SECURITY_INFORMATION)) { SetFlag(access, WRITE_DAC | WRITE_OWNER | ACCESS_SYSTEM_SECURITY); } return access; } PHLIBAPI NTSTATUS NTAPI PhStdGetObjectSecurity( _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhStdSetObjectSecurity( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhGetSeObjectSecurity( _In_ HANDLE Handle, _In_ ULONG ObjectType, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhSetSeObjectSecurity( _In_ HANDLE Handle, _In_ ULONG ObjectType, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhLsaQuerySecurityObject( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhSamQuerySecurityObject( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhGetSeObjectSecurityTokenDefault( _In_ HANDLE TokenHandle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhSetSeObjectSecurityTokenDefault( _In_ HANDLE TokenHandle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhGetSeObjectSecurityPowerGuid( _In_ HANDLE Object, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhSetSeObjectSecurityPowerGuid( _In_ HANDLE Object, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); // // secdata // PHLIBAPI BOOLEAN NTAPI PhGetAccessEntries( _In_ PCWSTR Type, _Out_ PPH_ACCESS_ENTRY *AccessEntries, _Out_ PULONG NumberOfAccessEntries ); PHLIBAPI PPH_STRING NTAPI PhGetAccessString( _In_ ACCESS_MASK Access, _In_ PPH_ACCESS_ENTRY AccessEntries, _In_ ULONG NumberOfAccessEntries ); EXTERN_C_END #endif ================================================ FILE: phlib/include/seceditp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2023 * */ #ifndef _PH_SECEDITP_H #define _PH_SECEDITP_H typedef enum _PH_SE_OBJECT_TYPE { PH_SE_DEFAULT_OBJECT_TYPE, // System objects PH_SE_ALPC_OBJECT_TYPE, PH_SE_FILE_OBJECT_TYPE, PH_SE_RDP_OBJECT_TYPE, PH_SE_SERVICE_OBJECT_TYPE, PH_SE_LSA_OBJECT_TYPE, PH_SE_SAM_OBJECT_TYPE, PH_SE_KEY_OBJECT, PH_SE_KERNEL_OBJECT, PH_SE_PROCESS_OBJECT_TYPE, PH_SE_THREAD_OBJECT_TYPE, PH_SE_WINDOW_OBJECT, PH_SE_WMIGUID_OBJECT, // ... // Virtual objects (always last) PH_SE_TOKENDEF_OBJECT_TYPE, PH_SE_POWERDEF_OBJECT_TYPE, PH_SE_RDPDEF_OBJECT_TYPE, PH_SE_WMIDEF_OBJECT_TYPE, PH_SE_COMACCESSDEF_OBJECT_TYPE, PH_SE_COMLAUNCHDEF_OBJECT_TYPE, // ... } PH_SE_OBJECT_TYPE; typedef struct { const ISecurityInformationVtbl *VTable; ULONG RefCount; HWND WindowHandle; BOOLEAN IsPage; BOOLEAN HaveGenericMapping; PPH_ACCESS_ENTRY AccessEntriesArray; PSI_ACCESS AccessEntries; ULONG NumberOfAccessEntries; GENERIC_MAPPING GenericMapping; PH_SE_OBJECT_TYPE ObjectType; PPH_STRING ObjectNameString; PPH_STRING ObjectTypeString; PPH_OPEN_OBJECT OpenObject; PPH_CLOSE_OBJECT CloseObject; PPH_GET_OBJECT_SECURITY GetObjectSecurity; PPH_SET_OBJECT_SECURITY SetObjectSecurity; PVOID Context; } PhSecurityInformation; typedef struct { const ISecurityInformation2Vtbl *VTable; PhSecurityInformation *Context; ULONG RefCount; } PhSecurityInformation2; typedef struct { const ISecurityInformation3Vtbl *VTable; PhSecurityInformation *Context; ULONG RefCount; } PhSecurityInformation3; typedef struct { const IDataObjectVtbl *VTable; PhSecurityInformation *Context; ULONG RefCount; ULONG SidCount; PSID *Sids; PPH_LIST NameCache; } PhSecurityIDataObject; typedef struct { const IEffectivePermissionVtbl *VTable; PhSecurityInformation *Context; ULONG RefCount; } PhEffectivePermission; #undef INTERFACE #define INTERFACE ISecurityObjectTypeInfoEx DECLARE_INTERFACE_IID_(ISecurityObjectTypeInfoEx, IUnknown, "FC3066EB-79EF-444b-9111-D18A75EBF2FA") { BEGIN_INTERFACE // *** IUnknown methods *** DECLSPEC_XFGVIRT(ISecurityObjectTypeInfoEx, QueryInterface) STDMETHOD(QueryInterface) (THIS_ _In_ REFIID riid, _Outptr_ void** ppvObj) PURE; DECLSPEC_XFGVIRT(ISecurityObjectTypeInfoEx, AddRef) STDMETHOD_(ULONG, AddRef) (THIS) PURE; DECLSPEC_XFGVIRT(ISecurityObjectTypeInfoEx, Release) STDMETHOD_(ULONG, Release) (THIS) PURE; // *** ISecurityInformation methods *** DECLSPEC_XFGVIRT(ISecurityObjectTypeInfoEx, GetInheritSource) STDMETHOD(GetInheritSource)(THIS_ _In_ SECURITY_INFORMATION si, _In_ PACL pACL, _In_ PINHERITED_FROM* ppInheritArray ) PURE; END_INTERFACE }; typedef ISecurityObjectTypeInfoEx* LPSecurityObjectTypeInfoEx; typedef struct { const ISecurityObjectTypeInfoExVtbl* VTable; PhSecurityInformation* Context; ULONG RefCount; } PhSecurityObjectTypeInfo; // ISecurityInformation ISecurityInformation *PhSecurityInformation_Create( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PPH_GET_OBJECT_SECURITY GetObjectSecurity, _In_opt_ PPH_SET_OBJECT_SECURITY SetObjectSecurity, _In_opt_ PVOID Context, _In_ BOOLEAN IsPage ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_QueryInterface( _In_ ISecurityInformation *This, _In_ REFIID Riid, _Out_ PVOID *Object ); ULONG STDMETHODCALLTYPE PhSecurityInformation_AddRef( _In_ ISecurityInformation *This ); ULONG STDMETHODCALLTYPE PhSecurityInformation_Release( _In_ ISecurityInformation *This ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetObjectInformation( _In_ ISecurityInformation *This, _Out_ PSI_OBJECT_INFO ObjectInfo ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetSecurity( _In_ ISecurityInformation *This, _In_ SECURITY_INFORMATION RequestedInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor, _In_ BOOL Default ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_SetSecurity( _In_ ISecurityInformation *This, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetAccessRights( _In_ ISecurityInformation *This, _In_ PCGUID ObjectType, _In_ ULONG Flags, _Out_ PSI_ACCESS *Access, _Out_ PULONG Accesses, _Out_ PULONG DefaultAccess ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_MapGeneric( _In_ ISecurityInformation *This, _In_ PCGUID ObjectType, _In_ PUCHAR AceFlags, _Inout_ PACCESS_MASK Mask ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetInheritTypes( _In_ ISecurityInformation *This, _Out_ PSI_INHERIT_TYPE *InheritTypes, _Out_ PULONG InheritTypesCount ); HRESULT STDMETHODCALLTYPE PhSecurityInformation_PropertySheetPageCallback( _In_ ISecurityInformation *This, _In_ HWND hwnd, _In_ UINT uMsg, _In_ SI_PAGE_TYPE uPage ); // ISecurityInformation2 HRESULT STDMETHODCALLTYPE PhSecurityInformation2_QueryInterface( _In_ ISecurityInformation2 *This, _In_ REFIID Riid, _Out_ PVOID *Object ); ULONG STDMETHODCALLTYPE PhSecurityInformation2_AddRef( _In_ ISecurityInformation2 *This ); ULONG STDMETHODCALLTYPE PhSecurityInformation2_Release( _In_ ISecurityInformation2 *This ); BOOL STDMETHODCALLTYPE PhSecurityInformation2_IsDaclCanonical( _In_ ISecurityInformation2 *This, _In_ PACL pDacl ); HRESULT STDMETHODCALLTYPE PhSecurityInformation2_LookupSids( _In_ ISecurityInformation2 *This, _In_ ULONG cSids, _In_ PSID *rgpSids, _Out_ LPDATAOBJECT *ppdo ); // ISecurityInformation3 HRESULT STDMETHODCALLTYPE PhSecurityInformation3_QueryInterface( _In_ ISecurityInformation3 *This, _In_ REFIID Riid, _Out_ PVOID *Object ); ULONG STDMETHODCALLTYPE PhSecurityInformation3_AddRef( _In_ ISecurityInformation3 *This ); ULONG STDMETHODCALLTYPE PhSecurityInformation3_Release( _In_ ISecurityInformation3 *This ); HRESULT STDMETHODCALLTYPE PhSecurityInformation3_GetFullResourceName( _In_ ISecurityInformation3 *This, _Outptr_ PWSTR *ResourceName ); HRESULT STDMETHODCALLTYPE PhSecurityInformation3_OpenElevatedEditor( _In_ ISecurityInformation3 *This, _In_ HWND hWnd, _In_ SI_PAGE_TYPE uPage ); // IDataObject HRESULT STDMETHODCALLTYPE PhSecurityDataObject_QueryInterface( _In_ IDataObject *This, _In_ REFIID Riid, _COM_Outptr_ PVOID *Object ); ULONG STDMETHODCALLTYPE PhSecurityDataObject_AddRef( _In_ IDataObject *This ); ULONG STDMETHODCALLTYPE PhSecurityDataObject_Release( _In_ IDataObject *This ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_GetData( _In_ IDataObject *This, _In_ FORMATETC *pformatetcIn, _Out_ STGMEDIUM *pmedium); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_GetDataHere( _In_ IDataObject *This, _In_ FORMATETC *pformatetc, _Inout_ STGMEDIUM *pmedium ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_QueryGetData( _In_ IDataObject *This, _In_opt_ FORMATETC *pformatetc ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_GetCanonicalFormatEtc( _In_ IDataObject *This, _In_opt_ FORMATETC *pformatectIn, _Out_ FORMATETC *pformatetcOut ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_SetData( _In_ IDataObject *This, _In_ FORMATETC *pformatetc, _In_ STGMEDIUM *pmedium, _In_ BOOL fRelease ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_EnumFormatEtc( _In_ IDataObject *This, _In_ ULONG dwDirection, _Out_opt_ IEnumFORMATETC **ppenumFormatEtc ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_DAdvise( _In_ IDataObject *This, _In_ FORMATETC *pformatetc, _In_ ULONG advf, _In_opt_ IAdviseSink *pAdvSink, _Out_ ULONG *pdwConnection ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_DUnadvise( _In_ IDataObject *This, _In_ ULONG dwConnection ); HRESULT STDMETHODCALLTYPE PhSecurityDataObject_EnumDAdvise( _In_ IDataObject *This, _Out_opt_ IEnumSTATDATA **ppenumAdvise ); // ISecurityObjectTypeInfo HRESULT STDMETHODCALLTYPE PhSecurityObjectTypeInfo_QueryInterface( _In_ ISecurityObjectTypeInfoEx* This, _In_ REFIID Riid, _Out_ PVOID* Object ); ULONG STDMETHODCALLTYPE PhSecurityObjectTypeInfo_AddRef( _In_ ISecurityObjectTypeInfoEx* This ); ULONG STDMETHODCALLTYPE PhSecurityObjectTypeInfo_Release( _In_ ISecurityObjectTypeInfoEx* This ); HRESULT STDMETHODCALLTYPE PhSecurityObjectTypeInfo_GetInheritSource( _In_ ISecurityObjectTypeInfoEx* This, _In_ SECURITY_INFORMATION SecurityInfo, _In_ PACL Acl, _Out_ PINHERITED_FROM *InheritArray ); // IEffectivePermission HRESULT STDMETHODCALLTYPE PhEffectivePermission_QueryInterface( _In_ IEffectivePermission* This, _In_ REFIID Riid, _Out_ PVOID* Object ); ULONG STDMETHODCALLTYPE PhEffectivePermission_AddRef( _In_ IEffectivePermission* This ); ULONG STDMETHODCALLTYPE PhEffectivePermission_Release( _In_ IEffectivePermission* This ); HRESULT STDMETHODCALLTYPE PhEffectivePermission_GetEffectivePermission( _In_ IEffectivePermission* This, _In_ LPCGUID GuidObjectType, _In_ PSID UserSid, _In_ LPCWSTR ServerName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ POBJECT_TYPE_LIST* ObjectTypeList, _Out_ PULONG ObjectTypeListLength, _Out_ PACCESS_MASK* GrantedAccessList, _Out_ PULONG GrantedAccessListLength ); PH_SE_OBJECT_TYPE PhSecurityObjectType( _In_ PPH_STRING ObjectType ); #endif ================================================ FILE: phlib/include/secwmi.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2016-2023 * */ #ifndef _PH_SECWMI_H #define _PH_SECWMI_H EXTERN_C_START PHLIBAPI HRESULT NTAPI PhGetWbemLocatorClass( _Out_ struct IWbemLocator** WbemLocatorClass ); PHLIBAPI HRESULT NTAPI PhCoSetProxyBlanket( _In_ IUnknown* InterfacePtr ); PHLIBAPI HRESULT NTAPI PhGetWbemClassObjectDependency( _Out_ PVOID* WbemClassObjectDependency, _In_ struct IWbemClassObject* WbemClassObject, _In_ struct IWbemServices* WbemServices, _In_ PCWSTR Name ); PHLIBAPI PPH_STRING NTAPI PhGetWbemClassObjectString( _In_ PVOID WbemClassObject, _In_ PCWSTR Name ); PHLIBAPI ULONG64 NTAPI PhGetWbemClassObjectUlong64( _In_ PVOID WbemClassObject, _In_ PCWSTR Name ); PHLIBAPI PVOID NTAPI PhGetWbemClassObjectUlongPtr( _In_ PVOID WbemClassObject, _In_ PCWSTR Name ); #define PhStringRefToBSTR(String) \ SysAllocStringLen((String)->Buffer, (UINT)(String)->Length / sizeof(WCHAR)) #define PhStringZToBSTR(String) \ SysAllocStringLen((String), (UINT)((sizeof(String) / sizeof(WCHAR)) - 1)) // powrprof.h typedef enum _POWER_DATA_ACCESSOR POWER_DATA_ACCESSOR; // rev typedef ULONG (WINAPI* _PowerReadSecurityDescriptor)( _In_ POWER_DATA_ACCESSOR AccessFlags, _In_ PGUID PowerGuid, _Out_ PWSTR* StringSecurityDescriptor ); // rev typedef ULONG (WINAPI* _PowerWriteSecurityDescriptor)( _In_ POWER_DATA_ACCESSOR AccessFlags, _In_ PGUID PowerGuid, _In_ PCWSTR StringSecurityDescriptor ); // Power policy NTSTATUS PhpGetPowerPolicySecurityDescriptor( _Out_ PPH_STRING* StringSecurityDescriptor ); NTSTATUS PhpSetPowerPolicySecurityDescriptor( _In_ PPH_STRING StringSecurityDescriptor ); // Terminal server policy NTSTATUS PhpGetRemoteDesktopSecurityDescriptor( _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); NTSTATUS PhpSetRemoteDesktopSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); // Wbem namespace policy NTSTATUS PhGetWmiNamespaceSecurityDescriptor( _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); NTSTATUS PhSetWmiNamespaceSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); // COM access and launch policy NTSTATUS PhGetComSecurityDescriptor( _In_ COMSD comSDType, _Outptr_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); NTSTATUS PhSetComSecurityDescriptor( _In_ COMSD comSDType, _In_ ULONG SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); // Defender offline scan HRESULT PhRestartDefenderOfflineScan( VOID ); EXTERN_C_END #endif ================================================ FILE: phlib/include/settings.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2016-2023 * */ #ifndef PHLIB_SETTINGS_H #define PHLIB_SETTINGS_H EXTERN_C_START typedef enum _PH_SETTINGS_FORMAT { SettingsFormatJson = 1, SettingsFormatXml = 2, SettingsFormatKey = 3, SettingsFormatReg = 4, SettingsFormatBin = 5, SettingsFormatMax } PH_SETTINGS_FORMAT; typedef struct _PH_SETTINGS_STORE_DESCRIPTOR { PH_SETTINGS_FORMAT Format; PCWSTR Extension; BOOLEAN IsFileBased; BOOLEAN IsPreferred; BOOLEAN IsLegacy; INT Priority; } PH_SETTINGS_STORE_DESCRIPTOR, *PPH_SETTINGS_STORE_DESCRIPTOR; // begin_phapppub // These macros make sure the C strings can be seamlessly converted into // PH_STRINGREFs at compile time, for a small speed boost. #define ADD_SETTING_WRAPPER(Type, Name, DefaultValue) \ { \ static CONST PH_STRINGREF name = PH_STRINGREF_INIT(Name); \ static CONST PH_STRINGREF defaultValue = PH_STRINGREF_INIT(DefaultValue); \ PhAddSetting(Type, &name, &defaultValue); \ } #define PhpAddStringSetting(A, B) ADD_SETTING_WRAPPER(StringSettingType, A, B) #define PhpAddIntegerSetting(A, B) ADD_SETTING_WRAPPER(IntegerSettingType, A, B) #define PhpAddIntegerPairSetting(A, B) ADD_SETTING_WRAPPER(IntegerPairSettingType, A, B) #define PhpAddScalableIntegerPairSetting(A, B) ADD_SETTING_WRAPPER(ScalableIntegerPairSettingType, A, B) typedef enum _PH_SETTING_TYPE { StringSettingType, IntegerSettingType, IntegerPairSettingType, ScalableIntegerPairSettingType } PH_SETTING_TYPE, PPH_SETTING_TYPE; // end_phapppub typedef struct _PH_SETTING { PH_SETTING_TYPE Type; PH_STRINGREF Name; PH_STRINGREF DefaultValue; union { PVOID Pointer; ULONG Integer; PH_INTEGER_PAIR IntegerPair; } u; } PH_SETTING, *PPH_SETTING; PHLIBAPI VOID NTAPI PhSettingsInitialization( VOID ); // private PPH_STRING PhSettingToString( _In_ PH_SETTING_TYPE Type, _In_ PPH_SETTING Setting ); BOOLEAN PhSettingFromString( _In_ PH_SETTING_TYPE Type, _In_ PCPH_STRINGREF StringRef, _In_opt_ PPH_STRING String, _Inout_ PPH_SETTING Setting ); typedef _Function_class_(PH_SETTINGS_ENUM_CALLBACK) BOOLEAN NTAPI PH_SETTINGS_ENUM_CALLBACK( _In_ PPH_SETTING Setting, _In_ PVOID Context ); typedef PH_SETTINGS_ENUM_CALLBACK* PPH_SETTINGS_ENUM_CALLBACK; VOID PhEnumSettings( _In_ PPH_SETTINGS_ENUM_CALLBACK Callback, _In_ PVOID Context ); // begin_phapppub PHLIBAPI ULONG NTAPI PhGetIntegerStringRefSetting( _In_ PCPH_STRINGREF Name ); PHLIBAPI BOOLEAN NTAPI PhGetIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _Out_ PPH_INTEGER_PAIR IntegerPair ); PHLIBAPI BOOLEAN NTAPI PhGetScalableIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ BOOLEAN ScaleToDpi, _In_ LONG Dpi, _Out_ PPH_SCALABLE_INTEGER_PAIR* ScalableIntegerPair ); PHLIBAPI PPH_STRING NTAPI PhGetStringRefSetting( _In_ PCPH_STRINGREF Name ); PHLIBAPI VOID NTAPI PhSetIntegerStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ ULONG Value ); PHLIBAPI VOID NTAPI PhSetIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ PPH_INTEGER_PAIR Value ); PHLIBAPI VOID NTAPI PhSetScalableIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ PPH_SCALABLE_INTEGER_PAIR Value ); PHLIBAPI VOID NTAPI PhSetScalableIntegerPairStringRefSetting2( _In_ PCPH_STRINGREF Name, _In_ PPH_INTEGER_PAIR Value, _In_ LONG dpiValue ); PHLIBAPI VOID NTAPI PhSetStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ PCPH_STRINGREF Value ); FORCEINLINE VOID PhScalableIntegerPairToScale( _In_ PPH_SCALABLE_INTEGER_PAIR ScalableIntegerPair, _In_ LONG Scale ) { if (ScalableIntegerPair->Scale != Scale && ScalableIntegerPair->Scale != 0) { ScalableIntegerPair->X = PhMultiplyDivideSigned(ScalableIntegerPair->X, Scale, ScalableIntegerPair->Scale); ScalableIntegerPair->Y = PhMultiplyDivideSigned(ScalableIntegerPair->Y, Scale, ScalableIntegerPair->Scale); ScalableIntegerPair->Scale = Scale; } } FORCEINLINE VOID PhScalableIntegerPairScaleToDefault( _In_ PPH_SCALABLE_INTEGER_PAIR ScalableIntegerPair ) { PhScalableIntegerPairToScale(ScalableIntegerPair, USER_DEFAULT_SCREEN_DPI); } FORCEINLINE ULONG NTAPI PhGetIntegerSetting( _In_ PCWSTR Name ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); return PhGetIntegerStringRefSetting(&name); } FORCEINLINE PH_INTEGER_PAIR NTAPI PhGetIntegerPairSetting( _In_ PCWSTR Name ) { PH_INTEGER_PAIR scalableIntegerPair = { 0 }; PH_STRINGREF name; PhInitializeStringRef(&name, Name); PhGetIntegerPairStringRefSetting(&name, &scalableIntegerPair); return scalableIntegerPair; } FORCEINLINE PPH_SCALABLE_INTEGER_PAIR NTAPI PhGetScalableIntegerPairSetting( _In_ PCWSTR Name, _In_ BOOLEAN ScaleToDpi, _In_ LONG Dpi ) { PPH_SCALABLE_INTEGER_PAIR scalableIntegerPair = NULL; PH_STRINGREF name; PhInitializeStringRef(&name, Name); PhGetScalableIntegerPairStringRefSetting(&name, ScaleToDpi, Dpi, &scalableIntegerPair); return scalableIntegerPair; } FORCEINLINE PPH_STRING NTAPI PhGetStringSetting( _In_ PCWSTR Name ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); return PhGetStringRefSetting(&name); } #define PhaGetStringSetting(Name) PH_AUTO_T(PH_STRING, PhGetStringSetting(Name)) // phapppub FORCEINLINE PPH_STRING NTAPI PhGetExpandStringSetting( _In_ PCWSTR Name ) { PPH_STRING setting; setting = PhGetStringSetting(Name); PhMoveReference(&setting, PhExpandEnvironmentStrings(&setting->sr)); return setting; } FORCEINLINE VOID NTAPI PhSetIntegerSetting( _In_ PCWSTR Name, _In_ ULONG Value ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); PhSetIntegerStringRefSetting(&name, Value); } FORCEINLINE VOID NTAPI PhSetStringSetting( _In_ PCWSTR Name, _In_ PCWSTR Value ) { PH_STRINGREF name; PH_STRINGREF value; PhInitializeStringRef(&name, Name); PhInitializeStringRef(&value, Value); PhSetStringRefSetting(&name, &value); } FORCEINLINE VOID NTAPI PhSetStringSetting2( _In_ PCWSTR Name, _In_ PCPH_STRINGREF Value ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); PhSetStringRefSetting(&name, Value); } FORCEINLINE VOID NTAPI PhSetIntegerPairSetting( _In_ PCWSTR Name, _In_ PH_INTEGER_PAIR Value ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); PhSetIntegerPairStringRefSetting(&name, &Value); } FORCEINLINE VOID NTAPI PhSetScalableIntegerPairSetting( _In_ PCWSTR Name, _In_ PPH_SCALABLE_INTEGER_PAIR Value ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); PhSetScalableIntegerPairStringRefSetting(&name, Value); } FORCEINLINE VOID NTAPI PhSetScalableIntegerPairSetting2( _In_ PCWSTR Name, _In_ PH_INTEGER_PAIR Value, _In_ LONG dpiValue ) { PH_STRINGREF name; PhInitializeStringRef(&name, Name); PhSetScalableIntegerPairStringRefSetting2(&name, &Value, dpiValue); } // end_phapppub VOID PhClearIgnoredSettings( VOID ); ULONG PhCountIgnoredSettings( VOID ); VOID PhConvertIgnoredSettings( VOID ); NTSTATUS PhLoadSettings( _In_ PCPH_STRINGREF FileName ); PHLIBAPI NTSTATUS NTAPI PhLoadSettingsAutoDetect( _In_opt_ PPH_STRING BasePath, _In_opt_ PCWSTR DefaultName, _Out_opt_ PPH_STRING* ActualPath, _Out_opt_ PH_SETTINGS_FORMAT* ActualFormat, _Out_opt_ PBOOLEAN IsPortable ); NTSTATUS PhSaveSettings( _In_opt_ PCPH_STRINGREF FileName ); FORCEINLINE NTSTATUS PhLoadSettings2( _In_ PPH_STRING FileName ) { if (PhIsNullOrEmptyString(FileName)) return STATUS_UNSUCCESSFUL; return PhLoadSettings(&FileName->sr); } FORCEINLINE NTSTATUS PhSaveSettings2( _In_ PPH_STRING FileName ) { if (PhIsNullOrEmptyString(FileName)) return STATUS_UNSUCCESSFUL; return PhSaveSettings(&FileName->sr); } VOID PhResetSettings( _In_ HWND hwnd ); NTSTATUS PhResetSettingsFile( _In_ PCPH_STRINGREF FileName ); // begin_phapppub // High-level settings creation VOID PhAddSetting( _In_ PH_SETTING_TYPE Type, _In_ PCPH_STRINGREF Name, _In_ PCPH_STRINGREF DefaultValue ); typedef struct _PH_SETTING_CREATE { PH_SETTING_TYPE Type; PWSTR Name; PWSTR DefaultValue; } PH_SETTING_CREATE, *PPH_SETTING_CREATE; PHLIBAPI VOID NTAPI PhAddSettings( _In_ PPH_SETTING_CREATE Settings, _In_ ULONG NumberOfSettings ); PHLIBAPI PPH_SETTING NTAPI PhGetSetting( _In_ PCPH_STRINGREF Name ); PHLIBAPI VOID NTAPI PhLoadWindowPlacementFromRectangle( _In_ PCWSTR PositionSettingName, _In_ PCWSTR SizeSettingName, _Inout_ PPH_RECTANGLE WindowRectangle ); PHLIBAPI BOOLEAN NTAPI PhLoadWindowPlacementFromSetting( _In_opt_ PCWSTR PositionSettingName, _In_opt_ PCWSTR SizeSettingName, _In_ HWND WindowHandle ); FORCEINLINE BOOLEAN NTAPI PhValidWindowPlacementFromSetting( _In_ PCWSTR Name ) { PH_STRINGREF name; PH_INTEGER_PAIR integerPair; PhInitializeStringRef(&name, Name); if (PhGetIntegerPairStringRefSetting(&name, &integerPair)) { if (integerPair.X != 0) return TRUE; } return FALSE; } PHLIBAPI VOID NTAPI PhSaveWindowPlacementToSetting( _In_opt_ PCWSTR PositionSettingName, _In_opt_ PCWSTR SizeSettingName, _In_ HWND WindowHandle ); PHLIBAPI VOID NTAPI PhLoadListViewColumnsFromSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ); PHLIBAPI VOID NTAPI PhSaveListViewColumnsToSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ); PHLIBAPI VOID NTAPI PhLoadListViewSortColumnsFromSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ); PHLIBAPI VOID NTAPI PhSaveListViewSortColumnsToSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ); PHLIBAPI VOID NTAPI PhLoadListViewGroupStatesFromSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ); PHLIBAPI VOID NTAPI PhSaveListViewGroupStatesToSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ); PHLIBAPI VOID NTAPI PhLoadCustomColorList( _In_ PCWSTR Name, _In_ PULONG CustomColorList, _In_ ULONG CustomColorCount ); PHLIBAPI VOID NTAPI PhSaveCustomColorList( _In_ PCWSTR Name, _In_ PULONG CustomColorList, _In_ ULONG CustomColorCount ); PHLIBAPI NTSTATUS NTAPI PhConvertSettingsXmlToJson( _In_ PCPH_STRINGREF XmlFileName, _In_ PCPH_STRINGREF JsonFileName ); // end_phapppub #define PH_GET_INTEGER_CACHED_SETTING(Name) ((PhCs##Name) = PhGetIntegerSetting(TEXT(#Name))) #define PH_SET_INTEGER_CACHED_SETTING(Name, Value) (PhSetIntegerSetting(TEXT(#Name), (PhCs##Name) = (Value))) EXTERN_C_END #endif ================================================ FILE: phlib/include/strsrch.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2017-2023 * jxy-s 2024 * */ #ifndef _PH_MEMSRCH_H #define _PH_MEMSRCH_H EXTERN_C_START typedef struct _PH_STRING_SEARCH_RESULT { PVOID Address; SIZE_T Length; PPH_STRING String; BOOLEAN Unicode; } PH_STRING_SEARCH_RESULT, *PPH_STRING_SEARCH_RESULT; _Function_class_(PH_STRING_SEARCH_CALLBACK) typedef _Must_inspect_result_ BOOLEAN NTAPI PH_STRING_SEARCH_CALLBACK( _In_ PPH_STRING_SEARCH_RESULT Result, _In_opt_ PVOID Context ); typedef PH_STRING_SEARCH_CALLBACK* PPH_STRING_SEARCH_CALLBACK; _Function_class_(PH_STRING_SEARCH_NEXT_BUFFER) typedef _Must_inspect_result_ NTSTATUS NTAPI PH_STRING_SEARCH_NEXT_BUFFER( _Inout_bytecount_(*Length) PVOID* Buffer, _Out_ PSIZE_T Length, _In_opt_ PVOID Context ); typedef PH_STRING_SEARCH_NEXT_BUFFER* PPH_STRING_SEARCH_NEXT_BUFFER; PHLIBAPI NTSTATUS NTAPI PhSearchStrings( _In_ ULONG MinimumLength, _In_ BOOLEAN ExtendedCharSet, _In_ PPH_STRING_SEARCH_NEXT_BUFFER NextBuffer, _In_ PPH_STRING_SEARCH_CALLBACK Callback, _In_opt_ PVOID Context ); EXTERN_C_END #endif ================================================ FILE: phlib/include/svcsup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2018-2023 * */ #ifndef _PH_SVCSUP_H #define _PH_SVCSUP_H typedef struct _PH_SVC_HOST_POLICY_INFO { ULONG AuthenticationCapabilities; ULONG AuthenticationLevel; ULONG BinarySignaturePolicy; ULONG CoInitializeSecurityAllowComCapability; ULONG CoInitializeSecurityAllowCrossContainer; ULONG CoInitializeSecurityAllowInteractiveUsers; ULONG CoInitializeSecurityAllowLowBox; ULONG CoInitializeSecurityParam; ULONG COM_UnmarshalingPolicy; ULONG DefaultRpcStackSize; ULONG DynamicCodePolicy; ULONG ImpersonationLevel; ULONG RedirectionTrustPolicy; ULONG RpcExceptionFilterMode; } PH_SVC_HOST_POLICY_INFO, *PPH_SVC_HOST_POLICY_INFO; EXTERN_C_START extern CONST PPH_STRINGREF PhServiceTypeStrings[12]; extern CONST PPH_STRINGREF PhServiceStartTypeStrings[5]; extern CONST PPH_STRINGREF PhServiceErrorControlStrings[4]; typedef SC_HANDLE* PSC_HANDLE; PHLIBAPI SC_HANDLE NTAPI PhGetServiceManagerHandle( VOID ); PHLIBAPI NTSTATUS NTAPI PhEnumServices( _Out_ LPENUM_SERVICE_STATUS_PROCESS* Services, _Out_ PULONG NumberOfServices ); PHLIBAPI NTSTATUS NTAPI PhEnumDependentServices( _In_ SC_HANDLE ServiceHandle, _Out_ LPENUM_SERVICE_STATUS* DependentServices, _Out_ PULONG NumberOfDependentServices ); PHLIBAPI NTSTATUS NTAPI PhOpenServiceManager( _Out_ PSC_HANDLE ServiceManagerHandle, _In_opt_ PCWSTR DatabaseName, _In_ ACCESS_MASK DesiredAccess ); PHLIBAPI NTSTATUS NTAPI PhOpenService( _Out_ PSC_HANDLE ServiceHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCWSTR ServiceName ); PHLIBAPI NTSTATUS NTAPI PhOpenServiceKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_STRINGREF ServiceName ); PHLIBAPI NTSTATUS NTAPI PhCloseServiceHandle( _In_ SC_HANDLE ServiceHandle ); PHLIBAPI NTSTATUS NTAPI PhCreateService( _Out_ PSC_HANDLE ServiceHandle, _In_ PCWSTR ServiceName, _In_opt_ PCWSTR DisplayName, _In_ ULONG DesiredAccess, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR UserName, _In_opt_ PCWSTR Password ); PHLIBAPI NTSTATUS NTAPI PhChangeServiceConfig( _In_ SC_HANDLE ServiceHandle, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR LoadOrderGroup, _Out_opt_ PULONG TagId, _In_opt_ PCWSTR Dependencies, _In_opt_ PCWSTR ServiceStartName, _In_opt_ PCWSTR Password, _In_opt_ PCWSTR DisplayName ); PHLIBAPI NTSTATUS NTAPI PhChangeServiceConfig2( _In_ SC_HANDLE ServiceHandle, _In_ ULONG ServiceConfigLevel, _In_opt_ PVOID Buffer ); PHLIBAPI NTSTATUS NTAPI PhQueryServiceConfig( _In_ SC_HANDLE ServiceHandle, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhQueryServiceConfig2( _In_ SC_HANDLE ServiceHandle, _In_ ULONG ServiceConfigLevel, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ); PHLIBAPI NTSTATUS NTAPI PhGetServiceObjectSecurity( _In_ SC_HANDLE ServiceHandle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhSetServiceObjectSecurity( _In_ SC_HANDLE ServiceHandle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhQueryServiceStatus( _In_ SC_HANDLE ServiceHandle, _Out_ LPSERVICE_STATUS_PROCESS ServiceStatus ); PHLIBAPI NTSTATUS NTAPI PhContinueService( _In_ SC_HANDLE ServiceHandle ); PHLIBAPI NTSTATUS NTAPI PhPauseService( _In_ SC_HANDLE ServiceHandle ); PHLIBAPI NTSTATUS NTAPI PhDeleteService( _In_ SC_HANDLE ServiceHandle ); PHLIBAPI NTSTATUS NTAPI PhStartService( _In_ SC_HANDLE ServiceHandle, _In_ ULONG NumberOfServiceArgs, _In_reads_opt_(NumberOfServiceArgs) PCWSTR* ServiceArgVectors ); PHLIBAPI NTSTATUS NTAPI PhStopService( _In_ SC_HANDLE ServiceHandle ); PHLIBAPI NTSTATUS NTAPI PhGetServiceConfig( _In_ SC_HANDLE ServiceHandle, _Out_ LPQUERY_SERVICE_CONFIG* ServiceConfig ); PHLIBAPI NTSTATUS NTAPI PhQueryServiceVariableSize( _In_ SC_HANDLE ServiceHandle, _In_ ULONG InfoLevel, _Out_ PVOID* ServiceConfig ); PHLIBAPI PPH_STRING NTAPI PhGetServiceDescription( _In_ SC_HANDLE ServiceHandle ); PHLIBAPI PPH_STRING NTAPI PhGetServiceDescriptionKey( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI NTSTATUS NTAPI PhGetServiceDelayedAutoStart( _In_ SC_HANDLE ServiceHandle, _Out_ PBOOLEAN DelayedAutoStart ); PHLIBAPI NTSTATUS NTAPI PhSetServiceDelayedAutoStart( _In_ SC_HANDLE ServiceHandle, _In_ BOOLEAN DelayedAutoStart ); PHLIBAPI NTSTATUS NTAPI PhGetServiceTriggerInfo( _In_ SC_HANDLE ServiceHandle, _Out_opt_ PSERVICE_TRIGGER_INFO* ServiceTriggerInfo ); PHLIBAPI PCPH_STRINGREF NTAPI PhGetServiceStateString( _In_ ULONG ServiceState ); PHLIBAPI PCPH_STRINGREF NTAPI PhGetServiceTypeString( _In_ ULONG ServiceType ); PHLIBAPI ULONG NTAPI PhGetServiceTypeInteger( _In_ PPH_STRINGREF ServiceType ); PHLIBAPI PCPH_STRINGREF NTAPI PhGetServiceStartTypeString( _In_ ULONG ServiceStartType ); PHLIBAPI ULONG NTAPI PhGetServiceStartTypeInteger( _In_ PPH_STRINGREF ServiceStartType ); PHLIBAPI PCPH_STRINGREF NTAPI PhGetServiceErrorControlString( _In_ ULONG ServiceErrorControl ); PHLIBAPI ULONG NTAPI PhGetServiceErrorControlInteger( _In_ PPH_STRINGREF ServiceErrorControl ); PHLIBAPI PPH_STRING NTAPI PhGetServiceNameFromTag( _In_ HANDLE ProcessId, _In_ PVOID ServiceTag ); PHLIBAPI PPH_STRING NTAPI PhGetServiceNameForModuleReference( _In_ HANDLE ProcessId, _In_ PCWSTR ModuleName ); PHLIBAPI NTSTATUS NTAPI PhGetThreadServiceTag( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PVOID *ServiceTag ); PHLIBAPI PPH_STRING NTAPI PhGetServiceKeyName( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI PPH_STRING NTAPI PhGetServiceParametersKeyName( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI PPH_STRING NTAPI PhGetServiceConfigFileName( _In_ ULONG ServiceType, _In_opt_ PCWSTR ServicePathName, _In_ PPH_STRINGREF ServiceName ); PHLIBAPI NTSTATUS NTAPI PhGetServiceHandleFileName( _In_ SC_HANDLE ServiceHandle, _In_ PPH_STRINGREF ServiceName, _Out_ PPH_STRING* ServiceFileName ); PHLIBAPI NTSTATUS NTAPI PhGetServiceFileName( _In_ PPH_STRINGREF ServiceName, _Out_ PPH_STRING* ServiceFileName ); PHLIBAPI NTSTATUS NTAPI PhGetServiceDllParameter( _In_ ULONG ServiceType, _In_ PPH_STRINGREF ServiceName, _Out_ PPH_STRING *ServiceDll ); PHLIBAPI PPH_STRING NTAPI PhGetServiceAppUserModelId( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI ULONG NTAPI PhGetServiceBootFlags( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI ULONG NTAPI PhGetServiceUserFlags( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI PPH_STRING NTAPI PhGetServicePackageFullName( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI PPH_SVC_HOST_POLICY_INFO NTAPI PhGetSvchostGroupPolicy( _In_ PPH_STRINGREF ServiceName ); PHLIBAPI NTSTATUS NTAPI PhWaitForServiceStatus( _In_ SC_HANDLE ServiceHandle, _In_ ULONG WaitForState, _In_ ULONG Timeout ); FORCEINLINE VOID NTAPI PhServiceWorkaroundWindowsServiceTypeBug( _Inout_ LPENUM_SERVICE_STATUS_PROCESS ServiceEntry ) { // SERVICE_WIN32 is not a valid ServiceType: https://github.com/winsiderss/systeminformer/issues/120 (dmex) if (ServiceEntry->ServiceStatusProcess.dwServiceType == SERVICE_WIN32) ServiceEntry->ServiceStatusProcess.dwServiceType = SERVICE_WIN32_SHARE_PROCESS; if (ServiceEntry->ServiceStatusProcess.dwServiceType == (SERVICE_WIN32 | SERVICE_USER_SHARE_PROCESS | SERVICE_USERSERVICE_INSTANCE)) ServiceEntry->ServiceStatusProcess.dwServiceType = SERVICE_USER_SHARE_PROCESS | SERVICE_USERSERVICE_INSTANCE; } EXTERN_C_END #endif ================================================ FILE: phlib/include/symprv.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #ifndef _PH_SYMPRV_H #define _PH_SYMPRV_H EXTERN_C_START extern PPH_OBJECT_TYPE PhSymbolProviderType; extern PH_CALLBACK PhSymbolEventCallback; #define PH_MAX_SYMBOL_NAME_LEN MAX_SYM_NAME typedef struct _PH_SYMBOL_PROVIDER { LIST_ENTRY ModulesListHead; PH_QUEUED_LOCK ModulesListLock; HANDLE ProcessHandle; union { BOOLEAN Flags; struct { BOOLEAN IsRealHandle : 1; BOOLEAN IsRegistered : 1; BOOLEAN Terminating : 1; BOOLEAN Spare : 5; }; }; PH_INITONCE InitOnce; PH_AVL_TREE ModulesSet; } PH_SYMBOL_PROVIDER, *PPH_SYMBOL_PROVIDER; typedef enum _PH_SYMBOL_RESOLVE_LEVEL { PhsrlFunction, PhsrlModule, PhsrlAddress, PhsrlInvalid } PH_SYMBOL_RESOLVE_LEVEL, *PPH_SYMBOL_RESOLVE_LEVEL; typedef struct _PH_SYMBOL_INFORMATION { PVOID Address; PVOID ModuleBase; ULONG Index; ULONG Size; } PH_SYMBOL_INFORMATION, *PPH_SYMBOL_INFORMATION; typedef struct _PH_SYMBOL_LINE_INFORMATION { ULONG LineNumber; ULONG64 Address; } PH_SYMBOL_LINE_INFORMATION, *PPH_SYMBOL_LINE_INFORMATION; typedef enum _PH_SYMBOL_EVENT_TYPE { PH_SYMBOL_EVENT_TYPE_LOAD_START, PH_SYMBOL_EVENT_TYPE_LOAD_END, PH_SYMBOL_EVENT_TYPE_PROGRESS, } PH_SYMBOL_EVENT_TYPE; typedef struct _PH_SYMBOL_EVENT_DATA { PH_SYMBOL_EVENT_TYPE EventType; PVOID EventMessage; ULONG64 EventProgress; } PH_SYMBOL_EVENT_DATA, *PPH_SYMBOL_EVENT_DATA; PHLIBAPI PPH_SYMBOL_PROVIDER NTAPI PhCreateSymbolProvider( _In_opt_ HANDLE ProcessId ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetLineFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_ PPH_STRING *FileName, _Out_opt_ PULONG Displacement, _Out_opt_ PPH_SYMBOL_LINE_INFORMATION Information ); _Success_(return != 0) PHLIBAPI PVOID NTAPI PhGetModuleFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_opt_ PPH_STRING *FileName ); typedef struct _PH_SYMBOL_MODULE *PPH_SYMBOL_MODULE; PHLIBAPI PPH_SYMBOL_MODULE NTAPI PhGetSymbolModuleFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address ); _Success_(return != NULL) PHLIBAPI PPH_STRING NTAPI PhGetSymbolFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel, _Out_opt_ PPH_STRING *FileName, _Out_opt_ PPH_STRING *SymbolName, _Out_opt_ PULONG64 Displacement ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetSymbolFromName( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PCWSTR Name, _Out_ PPH_SYMBOL_INFORMATION Information ); PHLIBAPI BOOLEAN NTAPI PhLoadModuleSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_STRING FileName, _In_ PVOID BaseAddress, _In_ ULONG Size ); PHLIBAPI BOOLEAN NTAPI PhLoadFileNameSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_STRING FileName, _In_ PVOID BaseAddress, _In_ ULONG Size ); PHLIBAPI VOID NTAPI PhLoadSymbolProviderModules( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhLoadModulesForVirtualSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_opt_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle ); #define PH_SYMOPT_UNDNAME 0x1 #define PH_SYMOPT_VERIFY_MICROSOFT_CHAIN 0x2 PHLIBAPI VOID NTAPI PhSetOptionsSymbolProvider( _In_ ULONG Mask, _In_ ULONG Value ); PHLIBAPI VOID NTAPI PhSetSearchPathSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PCWSTR Path ); #ifdef _WIN64 PHLIBAPI NTSTATUS NTAPI PhAccessOutOfProcessFunctionEntry( _In_ HANDLE ProcessHandle, _In_ ULONG64 ControlPc, _Out_ PRUNTIME_FUNCTION Function ); #endif PHLIBAPI ULONG64 __stdcall PhGetModuleBase64( _In_ HANDLE hProcess, _In_ ULONG64 dwAddr ); PHLIBAPI PVOID __stdcall PhFunctionTableAccess64( _In_ HANDLE hProcess, _In_ ULONG64 AddrBase ); #ifndef _DBGHELP_ // Some of the types used below are defined in dbghelp.h. typedef struct _tagSTACKFRAME64 *LPSTACKFRAME64; typedef struct _tagSTACKFRAME_EX* LPSTACKFRAME_EX; typedef struct _tagADDRESS64 *LPADDRESS64; typedef BOOL (__stdcall *PREAD_PROCESS_MEMORY_ROUTINE64)( _In_ HANDLE hProcess, _In_ ULONG64 qwBaseAddress, _Out_writes_bytes_(nSize) PVOID lpBuffer, _In_ ULONG nSize, _Out_ PULONG lpNumberOfBytesRead ); typedef PVOID (__stdcall *PFUNCTION_TABLE_ACCESS_ROUTINE64)( _In_ HANDLE ahProcess, _In_ ULONG64 AddrBase ); typedef ULONG64 (__stdcall *PGET_MODULE_BASE_ROUTINE64)( _In_ HANDLE hProcess, _In_ ULONG64 Address ); typedef ULONG64 (__stdcall *PTRANSLATE_ADDRESS_ROUTINE64)( _In_ HANDLE hProcess, _In_ HANDLE hThread, _In_ LPADDRESS64 lpaddr ); typedef enum _MINIDUMP_TYPE MINIDUMP_TYPE; typedef struct _MINIDUMP_EXCEPTION_INFORMATION *PMINIDUMP_EXCEPTION_INFORMATION; typedef struct _MINIDUMP_USER_STREAM_INFORMATION *PMINIDUMP_USER_STREAM_INFORMATION; typedef struct _MINIDUMP_CALLBACK_INFORMATION *PMINIDUMP_CALLBACK_INFORMATION; #endif PHLIBAPI BOOLEAN NTAPI PhStackWalk( _In_ ULONG MachineType, _In_ HANDLE ProcessHandle, _In_ HANDLE ThreadHandle, _Inout_ LPSTACKFRAME_EX StackFrame, _Inout_ PVOID ContextRecord, _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine, _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress ); PHLIBAPI HRESULT NTAPI PhWriteMiniDumpProcess( _In_ HANDLE ProcessHandle, _In_ HANDLE ProcessId, _In_ HANDLE FileHandle, _In_ MINIDUMP_TYPE DumpType, _In_opt_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, _In_opt_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, _In_opt_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam ); // High-level stack walking #define PH_THREAD_STACK_FRAME_KERNEL 0x0001 #define PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT 0x0002 /** Contains information about a thread stack frame. */ typedef struct _PH_THREAD_STACK_FRAME { PVOID PcAddress; PVOID ReturnAddress; PVOID FrameAddress; PVOID StackAddress; PVOID BStoreAddress; PVOID Params[4]; USHORT Machine; USHORT Flags; ULONG InlineFrameContext; } PH_THREAD_STACK_FRAME, *PPH_THREAD_STACK_FRAME; #define PH_WALK_USER_STACK 0x1 #define PH_WALK_USER_WOW64_STACK 0x2 #define PH_WALK_KERNEL_STACK 0x10 /** * A callback function passed to PhWalkThreadStack() and called for each stack frame. * * \param StackFrame A structure providing information about the stack frame. * \param Context A user-defined value passed to PhWalkThreadStack(). * \return TRUE to continue the stack walk, FALSE to stop. */ typedef _Function_class_(PH_WALK_THREAD_STACK_CALLBACK) BOOLEAN NTAPI PH_WALK_THREAD_STACK_CALLBACK( _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_opt_ PVOID Context ); typedef PH_WALK_THREAD_STACK_CALLBACK* PPH_WALK_THREAD_STACK_CALLBACK; /** * Walks the stack of a thread and invokes a callback for each stack frame. * * This function performs a stack walk for the specified thread, optionally using symbol information * to resolve stack frames. For each frame encountered, the provided callback function is called. * * \param ThreadHandle Handle to the thread whose stack is to be walked. * \param ProcessHandle Optional handle to the process containing the thread. May be NULL. * \param ClientId Optional pointer to a CLIENT_ID structure identifying the thread. May be NULL. * \param SymbolProvider Optional pointer to a symbol provider for resolving symbols. May be NULL. * \param Flags Flags controlling the stack walk behavior (e.g., PH_WALK_USER_STACK, PH_WALK_KERNEL_STACK). * \param Callback Pointer to a callback function to be called for each stack frame. * \param Context Optional user-defined context value passed to the callback. * \return Returns STATUS_SUCCESS on success, or an appropriate NTSTATUS error code on failure. */ PHLIBAPI NTSTATUS NTAPI PhWalkThreadStack( _In_ HANDLE ThreadHandle, _In_opt_ HANDLE ProcessHandle, _In_opt_ PCLIENT_ID ClientId, _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ ULONG Flags, _In_ PPH_WALK_THREAD_STACK_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI PPH_STRING NTAPI PhUndecorateSymbolName( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PCWSTR DecoratedName ); typedef struct _PH_SYMBOL_INFO { PH_STRINGREF Name; ULONG TypeIndex; // Type Index of symbol ULONG Index; ULONG Size; ULONG64 ModBase; // Base Address of module containing this symbol ULONG Flags; ULONG64 Value; // Value of symbol, ValuePresent should be 1 ULONG64 Address; // Address of symbol including base address of module ULONG Register; // register holding value or pointer to value ULONG Scope; // scope of the symbol ULONG Tag; // pdb classification } PH_SYMBOL_INFO, *PPH_SYMBOL_INFO; typedef BOOLEAN (NTAPI* PPH_ENUMERATE_SYMBOLS_CALLBACK)( _In_ PPH_SYMBOL_INFO SymbolInfo, _In_ ULONG SymbolSize, _In_opt_ PVOID UserContext ); PHLIBAPI BOOLEAN NTAPI PhEnumerateSymbols( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ HANDLE ProcessHandle, _In_ PVOID BaseOfDll, _In_opt_ PCWSTR Mask, _In_ PPH_ENUMERATE_SYMBOLS_CALLBACK EnumSymbolsCallback, _In_opt_ PVOID UserContext ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetSymbolProviderDiaSource( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID BaseOfDll, _Out_ PVOID* DiaSource ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetSymbolProviderDiaSession( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID BaseOfDll, _Out_ PVOID* DiaSession ); PHLIBAPI VOID NTAPI PhSymbolProviderFreeDiaString( _In_ PCWSTR DiaString ); // Inline stack support typedef union _INLINE_FRAME_CONTEXT { ULONG ContextValue; struct { UCHAR FrameId; UCHAR FrameType; USHORT FrameSignature; }; } INLINE_FRAME_CONTEXT, *PINLINE_FRAME_CONTEXT; #define STACK_FRAME_TYPE_INIT 0x00 #define STACK_FRAME_TYPE_STACK 0x01 #define STACK_FRAME_TYPE_INLINE 0x02 #define STACK_FRAME_TYPE_RA 0x80 // Whether the instruction pointer is the current IP or a RA from callee frame. #define STACK_FRAME_TYPE_IGNORE 0xFF #ifndef INLINE_FRAME_CONTEXT_INIT #define INLINE_FRAME_CONTEXT_INIT 0 #endif #ifndef INLINE_FRAME_CONTEXT_IGNORE #define INLINE_FRAME_CONTEXT_IGNORE 0xFFFFFFFF #endif FORCEINLINE BOOLEAN PhIsStackFrameTypeInline( _In_ ULONG InlineFrameContext ) { INLINE_FRAME_CONTEXT frameContext = { InlineFrameContext }; if (frameContext.ContextValue == INLINE_FRAME_CONTEXT_IGNORE) return FALSE; if (frameContext.FrameType & STACK_FRAME_TYPE_INLINE) return TRUE; return FALSE; } BOOLEAN PhSymbolProviderInlineContextSupported( VOID ); _Success_(return != NULL) PHLIBAPI PPH_STRING NTAPI PhGetSymbolFromInlineContext( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_THREAD_STACK_FRAME StackFrame, _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel, _Out_opt_ PPH_STRING* FileName, _Out_opt_ PPH_STRING* SymbolName, _Out_opt_ PULONG64 Displacement, _Out_opt_ PPVOID BaseAddress ); _Success_(return) PHLIBAPI BOOLEAN NTAPI PhGetLineFromInlineContext( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_opt_ PVOID BaseAddress, _Out_ PPH_STRING* FileName, _Out_opt_ PULONG Displacement, _Out_opt_ PPH_SYMBOL_LINE_INFORMATION Information ); //typedef struct _PH_INLINE_STACK_FRAME //{ // PH_SYMBOL_RESOLVE_LEVEL ResolveLevel; // PPH_STRING Symbol; // PPH_STRING FileName; // // ULONG64 LineAddress; // ULONG LineDisplacement; // ULONG LineNumber; // PPH_STRING LineFileName; //} PH_INLINE_STACK_FRAME, *PPH_INLINE_STACK_FRAME; // //PPH_LIST PhGetInlineStackSymbolsFromAddress( // _In_ PPH_SYMBOL_PROVIDER SymbolProvider, // _In_ PPH_THREAD_STACK_FRAME StackFrame, // _In_ BOOLEAN IncludeLineInformation // ); // //VOID PhFreeInlineStackSymbols( // _In_ PPH_LIST InlineSymbolList // ); typedef struct _PH_DIA_SYMBOL_INFORMATION { ULONG FunctionLength; PPH_STRING UndecoratedName; PPH_STRING SymbolInformation; PPH_STRING SymbolLangugage; } PH_DIA_SYMBOL_INFORMATION, *PPH_DIA_SYMBOL_INFORMATION; _Success_(return) BOOLEAN PhGetDiaSymbolInformation( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_ PPH_DIA_SYMBOL_INFORMATION SymbolInformation ); PHLIBAPI VOID NTAPI PhUnregisterSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider ); // symprv_std.cpp (dmex) EXTERN_C VOID PhPrintCurrentStacktrace( VOID ); EXTERN_C PPH_STRING PhGetStacktraceAsString( VOID ); EXTERN_C PPH_STRING PhGetStacktraceSymbolFromAddress( _In_ PVOID Address ); EXTERN_C PPH_STRING PhGetObjectTypeStacktraceToString( _In_ PVOID Object ); EXTERN_C_END #endif ================================================ FILE: phlib/include/symprvp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2015 * dmex 2017-2023 * */ #ifndef _PH_SYMPRVP_H #define _PH_SYMPRVP_H // undocumented typedef BOOL (WINAPI *_SymGetDiaSource)( _In_ HANDLE ProcessHandle, _In_ ULONG64 BaseOfDll, _Out_ PVOID* IDiaDataSource ); // undocumented typedef BOOL (WINAPI *_SymGetDiaSession)( _In_ HANDLE ProcessHandle, _In_ ULONG64 BaseOfDll, _Out_ PVOID* IDiaSession ); // undocumented typedef BOOL (WINAPI *_SymSetDiaSession)( _In_ HANDLE ProcessHandle, _In_ ULONG64 BaseOfDll, _In_ PVOID IDiaSession ); // undocumented typedef VOID (WINAPI *_SymFreeDiaString)( _In_ PCWSTR DiaString ); #endif ================================================ FILE: phlib/include/templ.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * */ #ifndef _PH_TEMPL_H #define _PH_TEMPL_H #define TEMPLATE_(f,T) f##_##T #define T___(f,T) TEMPLATE_(f,T) #endif ================================================ FILE: phlib/include/thirdparty.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2024 * */ #pragma once #define PCRE2_CODE_UNIT_WIDTH 16 #if __has_include("../../tools/thirdparty/pcre/pcre2.h") #include "../../tools/thirdparty/pcre/pcre2.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/jsonc/json.h") #include "../../tools/thirdparty/jsonc/json.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/mxml/mxml.h") #include "../../tools/thirdparty/mxml/mxml.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/detours/detours.h") #include "../../tools/thirdparty/detours/detours.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/md5/md5.h") #include "../../tools/thirdparty/md5/md5.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/sha/sha.h") #include "../../tools/thirdparty/sha/sha.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/sha256/sha256.h") #include "../../tools/thirdparty/sha256/sha256.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/winsdk/dia2.h") #include "../../tools/thirdparty/winsdk/dia2.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/winsdk/dia3.h") #include "../../tools/thirdparty/winsdk/dia3.h" #else #error "ThirdParty.lib is missing" #endif #if __has_include("../../tools/thirdparty/xxhash/xxhashwrapper.h") #include "../../tools/thirdparty/xxhash/xxhashwrapper.h" #else #error "ThirdParty.lib is missing" #endif ================================================ FILE: phlib/include/trace.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2025 * */ #pragma once #define WPP_CONTROL_GUIDS \ WPP_DEFINE_CONTROL_GUID( \ SystemInformer, (0b23b1bf, 45ee, 4219, bf51, 8979219d8acd), \ WPP_DEFINE_BIT(GENERAL) /* bit 0 = 0x00000001 */ \ WPP_DEFINE_BIT(PROFILING) /* bit 1 = 0x00000002 */ \ ) #define WPP_LEVEL_EVENT_LOGGER(level,event) WPP_LEVEL_LOGGER(event) #define WPP_LEVEL_EVENT_ENABLED(level,event) \ (WPP_LEVEL_ENABLED(event) && \ WPP_CONTROL(WPP_BIT_ ## event).Level >= level) // // begin_wpp config // // FUNC PhTracePrint(LEVEL,EVENT,MSG, ...); // FUNC PhTrace{LEVEL=TRACE_LEVEL_VERBOSE,EVENT=GENERAL}(MSG,...); // FUNC PhTraceInfo{LEVEL=TRACE_LEVEL_INFORMATION,EVENT=GENERAL}(MSG,...); // FUNC PhTraceWarning{LEVEL=TRACE_LEVEL_WARNING,EVENT=GENERAL}(MSG,...); // FUNC PhTraceError{LEVEL=TRACE_LEVEL_ERROR,EVENT=GENERAL}(MSG,...); // FUNC PhTraceFatal{LEVEL=TRACE_LEVEL_FATAL,EVENT=GENERAL}(MSG,...); // // FUNC PhTraceFuncEnter{LEVEL=TRACE_LEVEL_VERBOSE,EVENT=PROFILING,ENTERFUNC=0}(MSG,...); // USESUFFIX(PhTraceFuncEnter," enter"); // FUNC PhTraceFuncExit{LEVEL=TRACE_LEVEL_VERBOSE,EVENT=PROFILING,EXITFUNC=_traceElapsed}(MSG,...); // USESUFFIX(PhTraceFuncExit," exit (elapsed=%llu)",_traceElapsed); // // end_wpp // #ifdef SI_NO_WPP #define PhTracePrint(LEVEL,EVENT,MSG,...) ((void)(MSG, ## __VA_ARGS__)) #define PhTrace(MSG, ...) ((void)(MSG, ## __VA_ARGS__)) #define PhTraceInfo(MSG, ...) ((void)(MSG, ## __VA_ARGS__)) #define PhTraceWarning(MSG, ...) ((void)(MSG, ## __VA_ARGS__)) #define PhTraceError(MSG, ...) ((void)(MSG, ## __VA_ARGS__)) #define PhTraceFatal(MSG, ...) ((void)(MSG, ## __VA_ARGS__)) #define PhTraceFuncEnter(MSG,...) ((void)(MSG, ## __VA_ARGS__)) #define PhTraceFuncExit(MSG,...) ((void)(MSG, ## __VA_ARGS__)) #define WPP_INIT_TRACING(...) ((void)0) #define WPP_CLEANUP() ((void)0) #else // SI_NO_WPP // // PhTraceFuncEnter // #define WPP_LEVEL_EVENT_ENTERFUNC_PRE(level,event,zero) \ LARGE_INTEGER _traceStart; \ LARGE_INTEGER _traceEnd; \ ULONG64 _traceElapsed = 0; \ if (WPP_LEVEL_EVENT_ENABLED(level,event)) \ { \ PhQueryPerformanceCounter(&_traceStart); \ } \ else \ { \ _traceStart.QuadPart = 0; \ } //#define WPP_LEVEL_EVENT_ENTERFUNC_POST(level,event,zero) #define WPP_LEVEL_EVENT_ENTERFUNC_ENABLED(level,event,elapsed) WPP_LEVEL_EVENT_ENABLED(level,event) #define WPP_LEVEL_EVENT_ENTERFUNC_LOGGER(level,event,elapsed) WPP_LEVEL_EVENT_LOGGER(level,event) // // PhTraceFuncExit // #define WPP_LEVEL_EVENT_EXITFUNC_PRE(level,event,elapsed) \ if (WPP_LEVEL_EVENT_ENABLED(level,event)) \ { \ PhQueryPerformanceCounter(&_traceEnd); \ elapsed = _traceEnd.QuadPart - _traceStart.QuadPart; \ } //#define WPP_LEVEL_EVENT_EXITFUNC_POST(level,event,elapsed) #define WPP_LEVEL_EVENT_EXITFUNC_ENABLED(level,event,elapsed) WPP_LEVEL_EVENT_ENABLED(level,event) #define WPP_LEVEL_EVENT_EXITFUNC_LOGGER(level,event,elapsed) WPP_LEVEL_EVENT_LOGGER(level,event) #endif // SI_NO_WPP #define TMH_STRINGIFYX(x) #x #define TMH_STRINGIFY(x) TMH_STRINGIFYX(x) #ifdef TMH_FILE #include TMH_STRINGIFY(TMH_FILE) #endif ================================================ FILE: phlib/include/treenew.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2008-2016 * dmex 2017-2024 * */ #ifndef _PH_TREENEW_H #define _PH_TREENEW_H EXTERN_C_START #define PH_TREENEW_CLASSNAME L"PhTreeNew" typedef struct _PH_TREENEW_CREATEPARAMS { ULONG Size; COLORREF TextColor; COLORREF FocusColor; COLORREF SelectionColor; ULONG RowHeight; // Add new fields here. } PH_TREENEW_CREATEPARAMS, *PPH_TREENEW_CREATEPARAMS; typedef struct _PH_TREENEW_COLUMN { union { ULONG Flags; struct { ULONG Visible : 1; ULONG CustomDraw : 1; ULONG Fixed : 1; // Whether this is the fixed column ULONG SortDescending : 1; // Sort descending on initial click rather than ascending ULONG DpiScaleOnAdd : 1; // Whether to DPI scale the width (only when adding) ULONG SpareFlags : 27; }; }; ULONG Id; PVOID Context; PCWSTR Text; LONG Width; ULONG Alignment; ULONG DisplayIndex; // -1 for fixed column or invalid ULONG TextFlags; struct { LONG ViewIndex; // Actual index in header control LONG ViewX; // 0 for the fixed column, and an offset from the divider for normal columns } s; } PH_TREENEW_COLUMN, *PPH_TREENEW_COLUMN; typedef struct _PH_TREENEW_NODE { union { ULONG Flags; struct { ULONG Visible : 1; ULONG Selected : 1; ULONG Expanded : 1; ULONG UseAutoForeColor : 1; ULONG UseTempBackColor : 1; ULONG Unselectable : 1; ULONG SpareFlags : 26; }; }; COLORREF BackColor; COLORREF ForeColor; COLORREF TempBackColor; HFONT Font; HICON Icon; PPH_STRINGREF TextCache; ULONG TextCacheSize; ULONG Index; // Index within the flat list ULONG Level; // 0 for root, 1, 2, ... struct { union { ULONG Flags2; struct { ULONG IsLeaf : 1; ULONG CachedColorValid : 1; ULONG CachedFontValid : 1; ULONG CachedIconValid : 1; ULONG PlusMinusHot : 1; ULONG SpareFlags2 : 27; }; }; // Temp. drawing data COLORREF DrawBackColor; COLORREF DrawForeColor; } s; } PH_TREENEW_NODE, *PPH_TREENEW_NODE; // Styles #define TN_STYLE_ICONS 0x1 #define TN_STYLE_DOUBLE_BUFFERED 0x2 #define TN_STYLE_NO_DIVIDER 0x4 #define TN_STYLE_ANIMATE_DIVIDER 0x8 #define TN_STYLE_NO_COLUMN_SORT 0x10 #define TN_STYLE_NO_COLUMN_REORDER 0x20 #define TN_STYLE_THIN_ROWS 0x40 #define TN_STYLE_NO_COLUMN_HEADER 0x80 #define TN_STYLE_CUSTOM_COLORS 0x100 #define TN_STYLE_ALWAYS_SHOW_SELECTION 0x200 #define TN_STYLE_CUSTOM_HEADERDRAW 0x400 #define TN_STYLE_DRAG_REORDER_ROWS 0x800 // Extended flags #define TN_FLAG_ITEM_DRAG_SELECT 0x1 #define TN_FLAG_NO_UNFOLDING_TOOLTIPS 0x2 // Callback flags #define TN_CACHE 0x1 #define TN_AUTO_FORECOLOR 0x1000 // Column display flags #define TN_COLUMN_FIXED -2 // Column change flags #define TN_COLUMN_CONTEXT 0x1 #define TN_COLUMN_TEXT 0x2 #define TN_COLUMN_WIDTH 0x4 #define TN_COLUMN_ALIGNMENT 0x8 #define TN_COLUMN_DISPLAYINDEX 0x10 #define TN_COLUMN_TEXTFLAGS 0x20 #define TN_COLUMN_FLAG_VISIBLE 0x100000 #define TN_COLUMN_FLAG_CUSTOMDRAW 0x200000 #define TN_COLUMN_FLAG_FIXED 0x400000 #define TN_COLUMN_FLAG_SORTDESCENDING 0x800000 #define TN_COLUMN_FLAG_NODPISCALEONADD 0x1000000 #define TN_COLUMN_FLAGS 0xfff00000 // Cache flags #define TN_CACHE_COLOR 0x1 #define TN_CACHE_FONT 0x2 #define TN_CACHE_ICON 0x4 // Cell part input flags #define TN_MEASURE_TEXT 0x1 // Cell part flags #define TN_PART_CELL 0x1 #define TN_PART_PLUSMINUS 0x2 #define TN_PART_ICON 0x4 #define TN_PART_CONTENT 0x8 #define TN_PART_TEXT 0x10 // Hit test input flags #define TN_TEST_COLUMN 0x1 #define TN_TEST_SUBITEM 0x2 // requires TN_TEST_COLUMN // Hit test flags #define TN_HIT_LEFT 0x1 #define TN_HIT_RIGHT 0x2 #define TN_HIT_ABOVE 0x4 #define TN_HIT_BELOW 0x8 #define TN_HIT_ITEM 0x10 #define TN_HIT_ITEM_PLUSMINUS 0x20 // requires TN_TEST_SUBITEM #define TN_HIT_ITEM_ICON 0x40 // requires TN_TEST_SUBITEM #define TN_HIT_ITEM_CONTENT 0x80 // requires TN_TEST_SUBITEM #define TN_HIT_DIVIDER 0x100 // Selection flags #define TN_SELECT_DESELECT 0x1 #define TN_SELECT_TOGGLE 0x2 #define TN_SELECT_RESET 0x4 // Auto-size flags #define TN_AUTOSIZE_REMAINING_SPACE 0x1 typedef struct _PH_TREENEW_VIEW_PARTS { RECT ClientRect; LONG HeaderHeight; LONG RowHeight; ULONG VScrollWidth; ULONG HScrollHeight; LONG VScrollPosition; LONG HScrollPosition; LONG FixedWidth; LONG NormalLeft; LONG NormalWidth; ULONG64 ScrollTickCount; } PH_TREENEW_VIEW_PARTS, *PPH_TREENEW_VIEW_PARTS; typedef struct _PH_TREENEW_CELL_PARTS { ULONG Flags; RECT RowRect; RECT CellRect; // TN_PART_CELL RECT PlusMinusRect; // TN_PART_PLUSMINUS RECT IconRect; // TN_PART_ICON RECT ContentRect; // TN_PART_CONTENT RECT TextRect; // TN_PART_TEXT PH_STRINGREF Text; // TN_PART_TEXT HFONT Font; // TN_PART_TEXT } PH_TREENEW_CELL_PARTS, *PPH_TREENEW_CELL_PARTS; typedef struct _PH_TREENEW_HIT_TEST { POINT Point; ULONG InFlags; ULONG Flags; PPH_TREENEW_NODE Node; PPH_TREENEW_COLUMN Column; // requires TN_TEST_COLUMN } PH_TREENEW_HIT_TEST, *PPH_TREENEW_HIT_TEST; typedef enum _PH_TREENEW_MESSAGE { TreeNewGetChildren, // PPH_TREENEW_GET_CHILDREN Parameter1 TreeNewIsLeaf, // PPH_TREENEW_IS_LEAF Parameter1 TreeNewGetCellText, // PPH_TREENEW_GET_CELL_TEXT Parameter1 TreeNewGetNodeColor, // PPH_TREENEW_GET_NODE_COLOR Parameter1 TreeNewGetNodeFont, // PPH_TREENEW_GET_NODE_FONT Parameter1 TreeNewGetNodeIcon, // PPH_TREENEW_GET_NODE_ICON Parameter1 TreeNewGetCellTooltip, // PPH_TREENEW_GET_CELL_TOOLTIP Parameter1 TreeNewCustomDraw, // PPH_TREENEW_CUSTOM_DRAW Parameter1 // Notifications TreeNewNodeExpanding, // PPH_TREENEW_NODE Parameter1, PPH_TREENEW_NODE_EVENT Parameter2 TreeNewNodeSelecting, // PPH_TREENEW_NODE Parameter1 TreeNewSortChanged, // PH_TREENEW_SORT_CHANGED_EVENT Parameter1 TreeNewSelectionChanged, TreeNewKeyDown, // PPH_TREENEW_KEY_EVENT Parameter1 TreeNewLeftClick, // PPH_TREENEW_MOUSE_EVENT Parameter1 TreeNewRightClick, // PPH_TREENEW_MOUSE_EVENT Parameter1 TreeNewMiddleClick, // PPH_TREENEW_MOUSE_EVENT Parameter1 TreeNewLeftDoubleClick, // PPH_TREENEW_MOUSE_EVENT Parameter1 TreeNewRightDoubleClick, // PPH_TREENEW_MOUSE_EVENT Parameter1 TreeNewContextMenu, // PPH_TREENEW_CONTEXT_MENU Parameter1 TreeNewHeaderRightClick, // PPH_TREENEW_HEADER_MOUSE_EVENT Parameter1 TreeNewIncrementalSearch, // PPH_TREENEW_SEARCH_EVENT Parameter1 TreeNewColumnResized, // PPH_TREENEW_COLUMN Parameter1 TreeNewColumnReordered, TreeNewDestroying, TreeNewGetDialogCode, // ULONG Parameter1, PULONG Parameter2 TreeNewGetHeaderText, TreeNewDpiChanged, // PH_TREENEW_DPICHANGED_EVENT Parameter1 TreeNewReorderBegin, // PH_TREENEW_REORDER_EVENT (in/out) Parameter1 TreeNewReorderOver, // PH_TREENEW_REORDER_EVENT (in/out) Parameter1 TreeNewReorderCommit, // PH_TREENEW_REORDER_EVENT (in) Parameter1 TreeNewReorderCancel, // PH_TREENEW_REORDER_EVENT (best-effort notify) Parameter1 MaxTreeNewMessage } PH_TREENEW_MESSAGE; typedef BOOLEAN _Function_class_(PH_TREENEW_CALLBACK) NTAPI PH_TREENEW_CALLBACK( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ); typedef PH_TREENEW_CALLBACK* PPH_TREENEW_CALLBACK; typedef struct _PH_TREENEW_GET_CHILDREN { ULONG Flags; PPH_TREENEW_NODE Node; ULONG NumberOfChildren; PPH_TREENEW_NODE *Children; // can be NULL if no children } PH_TREENEW_GET_CHILDREN, *PPH_TREENEW_GET_CHILDREN; typedef struct _PH_TREENEW_IS_LEAF { ULONG Flags; PPH_TREENEW_NODE Node; BOOLEAN IsLeaf; } PH_TREENEW_IS_LEAF, *PPH_TREENEW_IS_LEAF; typedef struct _PH_TREENEW_GET_CELL_TEXT { ULONG Flags; PPH_TREENEW_NODE Node; ULONG Id; PH_STRINGREF Text; } PH_TREENEW_GET_CELL_TEXT, *PPH_TREENEW_GET_CELL_TEXT; typedef struct _PH_TREENEW_GET_NODE_COLOR { ULONG Flags; PPH_TREENEW_NODE Node; COLORREF BackColor; COLORREF ForeColor; } PH_TREENEW_GET_NODE_COLOR, *PPH_TREENEW_GET_NODE_COLOR; typedef struct _PH_TREENEW_GET_NODE_FONT { ULONG Flags; PPH_TREENEW_NODE Node; HFONT Font; } PH_TREENEW_GET_NODE_FONT, *PPH_TREENEW_GET_NODE_FONT; typedef struct _PH_TREENEW_GET_NODE_ICON { ULONG Flags; PPH_TREENEW_NODE Node; HICON Icon; } PH_TREENEW_GET_NODE_ICON, *PPH_TREENEW_GET_NODE_ICON; typedef struct _PH_TREENEW_GET_CELL_TOOLTIP { ULONG Flags; PPH_TREENEW_NODE Node; PPH_TREENEW_COLUMN Column; BOOLEAN Unfolding; PH_STRINGREF Text; HFONT Font; ULONG MaximumWidth; } PH_TREENEW_GET_CELL_TOOLTIP, *PPH_TREENEW_GET_CELL_TOOLTIP; typedef struct _PH_TREENEW_CUSTOM_DRAW { PPH_TREENEW_NODE Node; PPH_TREENEW_COLUMN Column; HDC Dc; RECT CellRect; RECT TextRect; ULONG Flags; } PH_TREENEW_CUSTOM_DRAW, *PPH_TREENEW_CUSTOM_DRAW; typedef struct _PH_TREENEW_MOUSE_EVENT { POINT Location; PPH_TREENEW_NODE Node; PPH_TREENEW_COLUMN Column; ULONG KeyFlags; } PH_TREENEW_MOUSE_EVENT, *PPH_TREENEW_MOUSE_EVENT; typedef struct _PH_TREENEW_KEY_EVENT { BOOLEAN Handled; BOOLEAN Spare[3]; ULONG VirtualKey; ULONG Data; } PH_TREENEW_KEY_EVENT, *PPH_TREENEW_KEY_EVENT; typedef struct _PH_TREENEW_SORT_CHANGED_EVENT { ULONG SortColumn; PH_SORT_ORDER SortOrder; } PH_TREENEW_SORT_CHANGED_EVENT, *PPH_TREENEW_SORT_CHANGED_EVENT; typedef struct _PH_TREENEW_NODE_EVENT { BOOLEAN Handled; BOOLEAN Spare[3]; ULONG Flags; PVOID Reserved1; PVOID Reserved2; } PH_TREENEW_NODE_EVENT, *PPH_TREENEW_NODE_EVENT; typedef struct _PH_TREENEW_CONTEXT_MENU { POINT Location; POINT ClientLocation; PPH_TREENEW_NODE Node; PPH_TREENEW_COLUMN Column; BOOLEAN KeyboardInvoked; } PH_TREENEW_CONTEXT_MENU, *PPH_TREENEW_CONTEXT_MENU; typedef struct _PH_TREENEW_HEADER_MOUSE_EVENT { POINT ScreenLocation; POINT Location; POINT HeaderLocation; PPH_TREENEW_COLUMN Column; } PH_TREENEW_HEADER_MOUSE_EVENT, *PPH_TREENEW_HEADER_MOUSE_EVENT; #define PH_TREENEW_SEARCH_TIMEOUT 1000 #define PH_TREENEW_SEARCH_MAXIMUM_LENGTH 1023 typedef struct _PH_TREENEW_SEARCH_EVENT { LONG FoundIndex; LONG StartIndex; PH_STRINGREF String; } PH_TREENEW_SEARCH_EVENT, *PPH_TREENEW_SEARCH_EVENT; #define PH_TREENEW_HEADER_TEXT_SIZE_MAX 0x40 typedef struct _PH_TREENEW_GET_HEADER_TEXT { PPH_TREENEW_COLUMN Column; PH_STRINGREF Text; PWSTR TextCache; ULONG TextCacheSize; } PH_TREENEW_GET_HEADER_TEXT, *PPH_TREENEW_GET_HEADER_TEXT; typedef struct _PH_TREENEW_SET_HEADER_CACHE { ULONG HeaderTreeColumnMax; PVOID HeaderTreeColumnStringCache; PVOID HeaderTreeColumnTextCache; } PH_TREENEW_SET_HEADER_CACHE, *PPH_TREENEW_SET_HEADER_CACHE; typedef struct _PH_TREENEW_DPICHANGED_EVENT { LONG OldWindowDpi; LONG NewWindowDpi; } PH_TREENEW_DPICHANGED_EVENT, *PPH_TREENEW_DPICHANGED_EVENT; typedef struct _PH_TREENEW_REORDER_EVENT { PPH_TREENEW_NODE Source; // node being dragged PPH_TREENEW_NODE Target; // node at drop caret (may be NULL if empty area) BOOLEAN DropAfter; // TRUE = insert after Target; FALSE = before Target BOOLEAN Allow; // in Begin/Over: host sets to TRUE to allow; Commit ignores this field } PH_TREENEW_REORDER_EVENT, *PPH_TREENEW_REORDER_EVENT; typedef struct _PH_TREENEW_GET_CELL_PARTS { ULONG Flags; PPH_TREENEW_NODE Node; PPH_TREENEW_COLUMN Column; PH_TREENEW_CELL_PARTS Parts; } PH_TREENEW_GET_CELL_PARTS, *PPH_TREENEW_GET_CELL_PARTS; #define TNM_FIRST (WM_USER + 1) #define TNM_SETCALLBACK (WM_USER + 1) #define TNM_NODESADDED (WM_USER + 2) // unimplemented #define TNM_NODESREMOVED (WM_USER + 3) // unimplemented #define TNM_NODESSTRUCTURED (WM_USER + 4) #define TNM_ADDCOLUMN (WM_USER + 5) #define TNM_REMOVECOLUMN (WM_USER + 6) #define TNM_GETCOLUMN (WM_USER + 7) #define TNM_SETCOLUMN (WM_USER + 8) #define TNM_GETCOLUMNORDERARRAY (WM_USER + 9) #define TNM_SETCOLUMNORDERARRAY (WM_USER + 10) #define TNM_SETCURSOR (WM_USER + 11) #define TNM_GETSORT (WM_USER + 12) #define TNM_SETSORT (WM_USER + 13) #define TNM_SETTRISTATE (WM_USER + 14) #define TNM_ENSUREVISIBLE (WM_USER + 15) #define TNM_SCROLL (WM_USER + 16) #define TNM_GETFLATNODECOUNT (WM_USER + 17) #define TNM_GETFLATNODE (WM_USER + 18) #define TNM_GETCELLTEXT (WM_USER + 19) #define TNM_SETNODEEXPANDED (WM_USER + 20) #define TNM_GETMAXID (WM_USER + 21) #define TNM_SETMAXID (WM_USER + 22) #define TNM_INVALIDATENODE (WM_USER + 23) #define TNM_INVALIDATENODES (WM_USER + 24) #define TNM_GETFIXEDHEADER (WM_USER + 25) #define TNM_GETHEADER (WM_USER + 26) #define TNM_GETTOOLTIPS (WM_USER + 27) #define TNM_SELECTRANGE (WM_USER + 28) #define TNM_DESELECTRANGE (WM_USER + 29) #define TNM_GETCOLUMNCOUNT (WM_USER + 30) #define TNM_SETREDRAW (WM_USER + 31) #define TNM_GETVIEWPARTS (WM_USER + 32) #define TNM_GETFIXEDCOLUMN (WM_USER + 33) #define TNM_GETFIRSTCOLUMN (WM_USER + 34) #define TNM_SETFOCUSNODE (WM_USER + 35) #define TNM_SETMARKNODE (WM_USER + 36) #define TNM_SETHOTNODE (WM_USER + 37) #define TNM_SETEXTENDEDFLAGS (WM_USER + 38) #define TNM_GETCALLBACK (WM_USER + 39) #define TNM_HITTEST (WM_USER + 40) #define TNM_GETVISIBLECOLUMNCOUNT (WM_USER + 41) #define TNM_AUTOSIZECOLUMN (WM_USER + 42) #define TNM_SETEMPTYTEXT (WM_USER + 43) #define TNM_SETROWHEIGHT (WM_USER + 44) #define TNM_ISFLATNODEVALID (WM_USER + 45) #define TNM_THEMESUPPORT (WM_USER + 46) #define TNM_SETIMAGELIST (WM_USER + 47) #define TNM_SETCOLUMNTEXTCACHE (WM_USER + 48) #define TNM_ENSUREVISIBLEINDEX (WM_USER + 49) #define TNM_GETVISIBLECOLUMN (WM_USER + 50) #define TNM_GETVISIBLECOLUMNARRAY (WM_USER + 51) #define TNM_GETSELECTEDCOUNT (WM_USER + 52) #define TNM_GETSELECTEDNODE (WM_USER + 53) #define TNM_FOCUSMARKSELECT (WM_USER + 54) #define TNM_FOCUSVISIBLENODE (WM_USER + 55) #define TNM_GETCELLPARTS (WM_USER + 56) #define TNM_LAST (WM_USER + 57) #if defined(_PHLIB_) EXTERN_C LRESULT PhTnSendMessage( _In_ HWND WindowHandle, _In_ ULONG WindowMessage, _Pre_maybenull_ _Post_valid_ WPARAM wParam, _Pre_maybenull_ _Post_valid_ LPARAM lParam ); #define TreeNew_SetCallback(hWnd, Callback, Context) \ PhTnSendMessage((hWnd), TNM_SETCALLBACK, (WPARAM)(Context), (LPARAM)(Callback)) #define TreeNew_NodesStructured(hWnd) \ PhTnSendMessage((hWnd), TNM_NODESSTRUCTURED, 0, 0) #define TreeNew_AddColumn(hWnd, Column) \ PhTnSendMessage((hWnd), TNM_ADDCOLUMN, 0, (LPARAM)(Column)) #define TreeNew_RemoveColumn(hWnd, Id) \ PhTnSendMessage((hWnd), TNM_REMOVECOLUMN, (WPARAM)(Id), 0) #define TreeNew_GetColumn(hWnd, Id, Column) \ PhTnSendMessage((hWnd), TNM_GETCOLUMN, (WPARAM)(Id), (LPARAM)(Column)) #define TreeNew_SetColumn(hWnd, Mask, Column) \ PhTnSendMessage((hWnd), TNM_SETCOLUMN, (WPARAM)(Mask), (LPARAM)(Column)) #define TreeNew_GetColumnOrderArray(hWnd, Count, Array) \ PhTnSendMessage((hWnd), TNM_GETCOLUMNORDERARRAY, (WPARAM)(Count), (LPARAM)(Array)) #define TreeNew_SetColumnOrderArray(hWnd, Count, Array) \ PhTnSendMessage((hWnd), TNM_SETCOLUMNORDERARRAY, (WPARAM)(Count), (LPARAM)(Array)) #define TreeNew_SetCursor(hWnd, Cursor) \ PhTnSendMessage((hWnd), TNM_SETCURSOR, 0, (LPARAM)(Cursor)) #define TreeNew_GetSort(hWnd, Column, Order) \ PhTnSendMessage((hWnd), TNM_GETSORT, (WPARAM)(Column), (LPARAM)(Order)) #define TreeNew_SetSort(hWnd, Column, Order) \ PhTnSendMessage((hWnd), TNM_SETSORT, (WPARAM)(Column), (LPARAM)(Order)) #define TreeNew_SetTriState(hWnd, TriState) \ PhTnSendMessage((hWnd), TNM_SETTRISTATE, (WPARAM)(TriState), 0) #define TreeNew_EnsureVisible(hWnd, Node) \ PhTnSendMessage((hWnd), TNM_ENSUREVISIBLE, 0, (LPARAM)(Node)) #define TreeNew_Scroll(hWnd, DeltaRows, DeltaX) \ PhTnSendMessage((hWnd), TNM_SCROLL, (WPARAM)(DeltaRows), (LPARAM)(DeltaX)) #define TreeNew_GetFlatNodeCount(hWnd) \ ((ULONG)PhTnSendMessage((hWnd), TNM_GETFLATNODECOUNT, 0, 0)) #define TreeNew_GetFlatNode(hWnd, Index) \ ((PPH_TREENEW_NODE)PhTnSendMessage((hWnd), TNM_GETFLATNODE, (WPARAM)(Index), 0)) #define TreeNew_GetCellText(hWnd, GetCellText) \ PhTnSendMessage((hWnd), TNM_GETCELLTEXT, 0, (LPARAM)(GetCellText)) #define TreeNew_SetNodeExpanded(hWnd, Node, Expanded) \ PhTnSendMessage((hWnd), TNM_SETNODEEXPANDED, (WPARAM)(Expanded), (LPARAM)(Node)) #define TreeNew_GetMaxId(hWnd) \ ((ULONG)PhTnSendMessage((hWnd), TNM_GETMAXID, 0, 0)) #define TreeNew_SetMaxId(hWnd, MaxId) \ PhTnSendMessage((hWnd), TNM_SETMAXID, (WPARAM)(MaxId), 0) #define TreeNew_InvalidateNode(hWnd, Node) \ PhTnSendMessage((hWnd), TNM_INVALIDATENODE, 0, (LPARAM)(Node)) #define TreeNew_InvalidateNodes(hWnd, Start, End) \ PhTnSendMessage((hWnd), TNM_INVALIDATENODES, (WPARAM)(Start), (LPARAM)(End)) #define TreeNew_GetFixedHeader(hWnd) \ ((HWND)PhTnSendMessage((hWnd), TNM_GETFIXEDHEADER, 0, 0)) #define TreeNew_GetHeader(hWnd) \ ((HWND)PhTnSendMessage((hWnd), TNM_GETHEADER, 0, 0)) #define TreeNew_GetTooltips(hWnd) \ ((HWND)PhTnSendMessage((hWnd), TNM_GETTOOLTIPS, 0, 0)) #define TreeNew_SelectRange(hWnd, Start, End) \ PhTnSendMessage((hWnd), TNM_SELECTRANGE, (WPARAM)(Start), (LPARAM)(End)) #define TreeNew_DeselectRange(hWnd, Start, End) \ PhTnSendMessage((hWnd), TNM_DESELECTRANGE, (WPARAM)(Start), (LPARAM)(End)) #define TreeNew_GetColumnCount(hWnd) \ ((ULONG)PhTnSendMessage((hWnd), TNM_GETCOLUMNCOUNT, 0, 0)) #define TreeNew_SetRedraw(hWnd, Redraw) \ ((LONG)PhTnSendMessage((hWnd), TNM_SETREDRAW, (WPARAM)(Redraw), 0)) #define TreeNew_GetViewParts(hWnd, Parts) \ PhTnSendMessage((hWnd), TNM_GETVIEWPARTS, 0, (LPARAM)(Parts)) #define TreeNew_GetFixedColumn(hWnd) \ ((PPH_TREENEW_COLUMN)PhTnSendMessage((hWnd), TNM_GETFIXEDCOLUMN, 0, 0)) #define TreeNew_GetFirstColumn(hWnd) \ ((PPH_TREENEW_COLUMN)PhTnSendMessage((hWnd), TNM_GETFIRSTCOLUMN, 0, 0)) #define TreeNew_SetFocusNode(hWnd, Node) \ PhTnSendMessage((hWnd), TNM_SETFOCUSNODE, 0, (LPARAM)(Node)) #define TreeNew_SetMarkNode(hWnd, Node) \ PhTnSendMessage((hWnd), TNM_SETMARKNODE, 0, (LPARAM)(Node)) #define TreeNew_SetHotNode(hWnd, Node) \ PhTnSendMessage((hWnd), TNM_SETHOTNODE, 0, (LPARAM)(Node)) #define TreeNew_SetExtendedFlags(hWnd, Mask, Value) \ PhTnSendMessage((hWnd), TNM_SETEXTENDEDFLAGS, (WPARAM)(Mask), (LPARAM)(Value)) #define TreeNew_GetCallback(hWnd, Callback, Context) \ PhTnSendMessage((hWnd), TNM_GETCALLBACK, (WPARAM)(Context), (LPARAM)(Callback)) #define TreeNew_HitTest(hWnd, HitTest) \ PhTnSendMessage((hWnd), TNM_HITTEST, 0, (LPARAM)(HitTest)) #define TreeNew_GetVisibleColumnCount(hWnd) \ ((ULONG)PhTnSendMessage((hWnd), TNM_GETVISIBLECOLUMNCOUNT, 0, 0)) #define TreeNew_AutoSizeColumn(hWnd, Id, Flags) \ PhTnSendMessage((hWnd), TNM_AUTOSIZECOLUMN, (WPARAM)(Id), (LPARAM)(Flags)) #define TreeNew_SetEmptyText(hWnd, Text, Flags) \ PhTnSendMessage((hWnd), TNM_SETEMPTYTEXT, (WPARAM)(Flags), (LPARAM)(Text)) #define TreeNew_SetRowHeight(hWnd, RowHeight) \ PhTnSendMessage((hWnd), TNM_SETROWHEIGHT, (WPARAM)(RowHeight), 0) #define TreeNew_IsFlatNodeValid(hWnd) \ ((BOOLEAN)PhTnSendMessage((hWnd), TNM_ISFLATNODEVALID, 0, 0)) #define TreeNew_ThemeSupport(hWnd, Enable) \ PhTnSendMessage((hWnd), TNM_THEMESUPPORT, (WPARAM)(Enable), 0) #define TreeNew_SetImageList(hWnd, ImageListHandle) \ PhTnSendMessage((hWnd), TNM_SETIMAGELIST, (WPARAM)(ImageListHandle), 0) #define TreeNew_SetColumnTextCache(hWnd, Cache) \ PhTnSendMessage((hWnd), TNM_SETCOLUMNTEXTCACHE, (WPARAM)(Cache), 0) #define TreeNew_EnsureVisibleIndex(hWnd, Index) \ PhTnSendMessage((hWnd), TNM_ENSUREVISIBLEINDEX, 0, (LPARAM)(Index)) #define TreeNew_GetVisibleColumn(hWnd, Index, Column) \ PhTnSendMessage((hWnd), TNM_GETVISIBLECOLUMN, (WPARAM)(Index), (LPARAM)(Column)) #define TreeNew_GetVisibleColumnArray(hWnd, Count, ColumnArray) \ ((BOOLEAN)PhTnSendMessage((hWnd), TNM_GETVISIBLECOLUMNARRAY, (WPARAM)(Count), (LPARAM)(ColumnArray))) #define TreeNew_GetSelectedNodeCount(hWnd) \ ((ULONG)PhTnSendMessage((hWnd), TNM_GETSELECTEDCOUNT, 0, 0)) #define TreeNew_GetSelectedNode(hWnd) \ ((PPH_TREENEW_NODE)PhTnSendMessage((hWnd), TNM_GETSELECTEDNODE, 0, 0)) #define TreeNew_GetVisibleNode(hWnd) \ ((PPH_TREENEW_NODE)PhTnSendMessage((hWnd), TNM_GETSELECTEDNODE, 0, 0)) #define TreeNew_FocusMarkSelectNode(hWnd, Node) \ PhTnSendMessage((hWnd), TNM_FOCUSMARKSELECT, 0, (LPARAM)(Node)) #define TreeNew_SelectFirstVisibleNode(hWnd) \ PhTnSendMessage((hWnd), TNM_FOCUSVISIBLENODE, 0, 0) #define TreeNew_GetCellParts(hWnd, Parts) \ ((BOOLEAN)PhTnSendMessage((hWnd), TNM_GETCELLPARTS, 0, (LPARAM)(Parts))) #else #define TreeNew_SetCallback(hWnd, Callback, Context) \ SendMessage((hWnd), TNM_SETCALLBACK, (WPARAM)(Context), (LPARAM)(Callback)) #define TreeNew_NodesStructured(hWnd) \ SendMessage((hWnd), TNM_NODESSTRUCTURED, 0, 0) #define TreeNew_AddColumn(hWnd, Column) \ SendMessage((hWnd), TNM_ADDCOLUMN, 0, (LPARAM)(Column)) #define TreeNew_RemoveColumn(hWnd, Id) \ SendMessage((hWnd), TNM_REMOVECOLUMN, (WPARAM)(Id), 0) #define TreeNew_GetColumn(hWnd, Id, Column) \ SendMessage((hWnd), TNM_GETCOLUMN, (WPARAM)(Id), (LPARAM)(Column)) #define TreeNew_SetColumn(hWnd, Mask, Column) \ SendMessage((hWnd), TNM_SETCOLUMN, (WPARAM)(Mask), (LPARAM)(Column)) #define TreeNew_GetColumnOrderArray(hWnd, Count, Array) \ SendMessage((hWnd), TNM_GETCOLUMNORDERARRAY, (WPARAM)(Count), (LPARAM)(Array)) #define TreeNew_SetColumnOrderArray(hWnd, Count, Array) \ SendMessage((hWnd), TNM_SETCOLUMNORDERARRAY, (WPARAM)(Count), (LPARAM)(Array)) #define TreeNew_SetCursor(hWnd, Cursor) \ SendMessage((hWnd), TNM_SETCURSOR, 0, (LPARAM)(Cursor)) #define TreeNew_GetSort(hWnd, Column, Order) \ SendMessage((hWnd), TNM_GETSORT, (WPARAM)(Column), (LPARAM)(Order)) #define TreeNew_SetSort(hWnd, Column, Order) \ SendMessage((hWnd), TNM_SETSORT, (WPARAM)(Column), (LPARAM)(Order)) #define TreeNew_SetTriState(hWnd, TriState) \ SendMessage((hWnd), TNM_SETTRISTATE, (WPARAM)(TriState), 0) #define TreeNew_EnsureVisible(hWnd, Node) \ SendMessage((hWnd), TNM_ENSUREVISIBLE, 0, (LPARAM)(Node)) #define TreeNew_Scroll(hWnd, DeltaRows, DeltaX) \ SendMessage((hWnd), TNM_SCROLL, (WPARAM)(DeltaRows), (LPARAM)(DeltaX)) #define TreeNew_GetFlatNodeCount(hWnd) \ ((ULONG)SendMessage((hWnd), TNM_GETFLATNODECOUNT, 0, 0)) #define TreeNew_GetFlatNode(hWnd, Index) \ ((PPH_TREENEW_NODE)SendMessage((hWnd), TNM_GETFLATNODE, (WPARAM)(Index), 0)) #define TreeNew_GetCellText(hWnd, GetCellText) \ SendMessage((hWnd), TNM_GETCELLTEXT, 0, (LPARAM)(GetCellText)) #define TreeNew_SetNodeExpanded(hWnd, Node, Expanded) \ SendMessage((hWnd), TNM_SETNODEEXPANDED, (WPARAM)(Expanded), (LPARAM)(Node)) #define TreeNew_GetMaxId(hWnd) \ ((ULONG)SendMessage((hWnd), TNM_GETMAXID, 0, 0)) #define TreeNew_SetMaxId(hWnd, MaxId) \ SendMessage((hWnd), TNM_SETMAXID, (WPARAM)(MaxId), 0) #define TreeNew_InvalidateNode(hWnd, Node) \ SendMessage((hWnd), TNM_INVALIDATENODE, 0, (LPARAM)(Node)) #define TreeNew_InvalidateNodes(hWnd, Start, End) \ SendMessage((hWnd), TNM_INVALIDATENODES, (WPARAM)(Start), (LPARAM)(End)) #define TreeNew_GetFixedHeader(hWnd) \ ((HWND)SendMessage((hWnd), TNM_GETFIXEDHEADER, 0, 0)) #define TreeNew_GetHeader(hWnd) \ ((HWND)SendMessage((hWnd), TNM_GETHEADER, 0, 0)) #define TreeNew_GetTooltips(hWnd) \ ((HWND)SendMessage((hWnd), TNM_GETTOOLTIPS, 0, 0)) #define TreeNew_SelectRange(hWnd, Start, End) \ SendMessage((hWnd), TNM_SELECTRANGE, (WPARAM)(Start), (LPARAM)(End)) #define TreeNew_DeselectRange(hWnd, Start, End) \ SendMessage((hWnd), TNM_DESELECTRANGE, (WPARAM)(Start), (LPARAM)(End)) #define TreeNew_GetColumnCount(hWnd) \ ((ULONG)SendMessage((hWnd), TNM_GETCOLUMNCOUNT, 0, 0)) #define TreeNew_SetRedraw(hWnd, Redraw) \ ((LONG)SendMessage((hWnd), TNM_SETREDRAW, (WPARAM)(Redraw), 0)) #define TreeNew_GetViewParts(hWnd, Parts) \ SendMessage((hWnd), TNM_GETVIEWPARTS, 0, (LPARAM)(Parts)) #define TreeNew_GetFixedColumn(hWnd) \ ((PPH_TREENEW_COLUMN)SendMessage((hWnd), TNM_GETFIXEDCOLUMN, 0, 0)) #define TreeNew_GetFirstColumn(hWnd) \ ((PPH_TREENEW_COLUMN)SendMessage((hWnd), TNM_GETFIRSTCOLUMN, 0, 0)) #define TreeNew_SetFocusNode(hWnd, Node) \ SendMessage((hWnd), TNM_SETFOCUSNODE, 0, (LPARAM)(Node)) #define TreeNew_SetMarkNode(hWnd, Node) \ SendMessage((hWnd), TNM_SETMARKNODE, 0, (LPARAM)(Node)) #define TreeNew_SetHotNode(hWnd, Node) \ SendMessage((hWnd), TNM_SETHOTNODE, 0, (LPARAM)(Node)) #define TreeNew_SetExtendedFlags(hWnd, Mask, Value) \ SendMessage((hWnd), TNM_SETEXTENDEDFLAGS, (WPARAM)(Mask), (LPARAM)(Value)) #define TreeNew_GetCallback(hWnd, Callback, Context) \ SendMessage((hWnd), TNM_GETCALLBACK, (WPARAM)(Context), (LPARAM)(Callback)) #define TreeNew_HitTest(hWnd, HitTest) \ SendMessage((hWnd), TNM_HITTEST, 0, (LPARAM)(HitTest)) #define TreeNew_GetVisibleColumnCount(hWnd) \ ((ULONG)SendMessage((hWnd), TNM_GETVISIBLECOLUMNCOUNT, 0, 0)) #define TreeNew_AutoSizeColumn(hWnd, Id, Flags) \ SendMessage((hWnd), TNM_AUTOSIZECOLUMN, (WPARAM)(Id), (LPARAM)(Flags)) #define TreeNew_SetEmptyText(hWnd, Text, Flags) \ SendMessage((hWnd), TNM_SETEMPTYTEXT, (WPARAM)(Flags), (LPARAM)(Text)) #define TreeNew_SetRowHeight(hWnd, RowHeight) \ SendMessage((hWnd), TNM_SETROWHEIGHT, (WPARAM)(RowHeight), 0) #define TreeNew_IsFlatNodeValid(hWnd) \ ((BOOLEAN)SendMessage((hWnd), TNM_ISFLATNODEVALID, 0, 0)) #define TreeNew_ThemeSupport(hWnd, Enable) \ SendMessage((hWnd), TNM_THEMESUPPORT, (WPARAM)(Enable), 0) #define TreeNew_SetImageList(hWnd, ImageListHandle) \ SendMessage((hWnd), TNM_SETIMAGELIST, (WPARAM)(ImageListHandle), 0) #define TreeNew_SetColumnTextCache(hWnd, Cache) \ SendMessage((hWnd), TNM_SETCOLUMNTEXTCACHE, (WPARAM)(Cache), 0) #define TreeNew_EnsureVisibleIndex(hWnd, Index) \ SendMessage((hWnd), TNM_ENSUREVISIBLEINDEX, 0, (LPARAM)(Index)) #define TreeNew_GetVisibleColumn(hWnd, Index, Column) \ SendMessage((hWnd), TNM_GETVISIBLECOLUMN, (WPARAM)(Index), (LPARAM)(Column)) #define TreeNew_GetVisibleColumnArray(hWnd, Count, ColumnArray) \ ((BOOLEAN)SendMessage((hWnd), TNM_GETVISIBLECOLUMNARRAY, (WPARAM)(Count), (LPARAM)(ColumnArray))) #define TreeNew_GetSelectedNodeCount(hWnd) \ ((ULONG)SendMessage((hWnd), TNM_GETSELECTEDCOUNT, 0, 0)) #define TreeNew_GetSelectedNode(hWnd) \ ((PPH_TREENEW_NODE)SendMessage((hWnd), TNM_GETSELECTEDNODE, 0, 0)) #define TreeNew_FocusMarkSelectNode(hWnd, Node) \ SendMessage((hWnd), TNM_FOCUSMARKSELECT, 0, (LPARAM)(Node)) #define TreeNew_SelectFirstVisibleNode(hWnd) \ SendMessage((hWnd), TNM_FOCUSVISIBLENODE, 0, 0) #define TreeNew_GetCellParts(hWnd, Parts) \ SendMessage((hWnd), TNM_GETCELLPARTS, 0, (LPARAM)(Parts)) #endif PHLIBAPI RTL_ATOM NTAPI PhTreeNewInitialization( VOID ); FORCEINLINE VOID PhInitializeTreeNewNode( _In_ PPH_TREENEW_NODE Node ) { memset(Node, 0, sizeof(PH_TREENEW_NODE)); Node->Visible = TRUE; Node->Expanded = TRUE; } FORCEINLINE VOID PhInvalidateTreeNewNode( _Inout_ PPH_TREENEW_NODE Node, _In_ ULONG Flags ) { if (Flags & TN_CACHE_COLOR) Node->s.CachedColorValid = FALSE; if (Flags & TN_CACHE_FONT) Node->s.CachedFontValid = FALSE; if (Flags & TN_CACHE_ICON) Node->s.CachedIconValid = FALSE; } FORCEINLINE BOOLEAN PhAddTreeNewColumn( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ BOOLEAN Visible, _In_ PCWSTR Text, _In_ ULONG Width, _In_ ULONG Alignment, _In_ ULONG DisplayIndex, _In_ ULONG TextFlags ) { PH_TREENEW_COLUMN column; memset(&column, 0, sizeof(PH_TREENEW_COLUMN)); column.Id = Id; column.Visible = Visible; column.Text = Text; column.Width = Width; column.Alignment = Alignment; column.DisplayIndex = DisplayIndex; column.TextFlags = TextFlags; column.DpiScaleOnAdd = TRUE; if (DisplayIndex == -2) column.Fixed = TRUE; return !!TreeNew_AddColumn(WindowHandle, &column); } FORCEINLINE BOOLEAN PhAddTreeNewColumnEx( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ BOOLEAN Visible, _In_ PCWSTR Text, _In_ ULONG Width, _In_ ULONG Alignment, _In_ ULONG DisplayIndex, _In_ ULONG TextFlags, _In_ BOOLEAN SortDescending ) { PH_TREENEW_COLUMN column; memset(&column, 0, sizeof(PH_TREENEW_COLUMN)); column.Id = Id; column.Visible = Visible; column.Text = Text; column.Width = Width; column.Alignment = Alignment; column.DisplayIndex = DisplayIndex; column.TextFlags = TextFlags; column.DpiScaleOnAdd = TRUE; if (DisplayIndex == -2) column.Fixed = TRUE; if (SortDescending) column.SortDescending = TRUE; return !!TreeNew_AddColumn(WindowHandle, &column); } FORCEINLINE BOOLEAN PhAddTreeNewColumnEx2( _In_ HWND WindowHandle, _In_ ULONG Id, _In_ BOOLEAN Visible, _In_ PCWSTR Text, _In_ ULONG Width, _In_ ULONG Alignment, _In_ ULONG DisplayIndex, _In_ ULONG TextFlags, _In_ ULONG ExtraFlags ) { PH_TREENEW_COLUMN column; memset(&column, 0, sizeof(PH_TREENEW_COLUMN)); column.Id = Id; column.Visible = Visible; column.Text = Text; column.Width = Width; column.Alignment = Alignment; column.DisplayIndex = DisplayIndex; column.TextFlags = TextFlags; if (DisplayIndex == -2) column.Fixed = TRUE; if (ExtraFlags & TN_COLUMN_FLAG_CUSTOMDRAW) column.CustomDraw = TRUE; if (ExtraFlags & TN_COLUMN_FLAG_SORTDESCENDING) column.SortDescending = TRUE; if (!(ExtraFlags & TN_COLUMN_FLAG_NODPISCALEONADD)) column.DpiScaleOnAdd = TRUE; return !!TreeNew_AddColumn(WindowHandle, &column); } EXTERN_C_END #endif ================================================ FILE: phlib/include/treenewp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ #ifndef _PH_TREENEWP_H #define _PH_TREENEWP_H // Important notes about pointers: // // All memory allocation for nodes and strings is handled by the user. This usually means there is a // very limited time during which they can be safely accessed. // // Node pointers are valid through the duration of message processing, and also up to the next // restructure operation, either user- or control- initiated. This means that state such as the // focused node, hot node and mark node must be carefully preserved through restructuring. If // restructuring is suspended by a set-redraw call, all nodes must be considered invalid and no user // input can be handled. // // Strings are valid only through the duration of message processing. typedef struct _PH_TREENEW_CONTEXT { HWND Handle; PVOID InstanceHandle; HWND FixedHeaderHandle; HWND HeaderHandle; HWND VScrollHandle; HWND HScrollHandle; HWND FillerBoxHandle; HWND TooltipsHandle; union { struct { ULONG FontOwned : 1; ULONG Tracking : 1; // tracking for fixed divider ULONG VScrollVisible : 1; ULONG HScrollVisible : 1; ULONG FixedColumnVisible : 1; ULONG FixedDividerVisible : 1; ULONG AnimateDivider : 1; ULONG AnimateDividerFadingIn : 1; ULONG AnimateDividerFadingOut : 1; ULONG CanAnyExpand : 1; ULONG TriState : 1; ULONG HasFocus : 1; ULONG ThemeInitialized : 1; // delay load theme data ULONG ThemeActive : 1; ULONG ThemeHasItemBackground : 1; ULONG ThemeHasGlyph : 1; ULONG ThemeHasHotGlyph : 1; ULONG FocusNodeFound : 1; // used to preserve the focused node across restructuring ULONG SearchFailed : 1; // used to prevent multiple beeps ULONG SearchSingleCharMode : 1; // LV style single-character search ULONG TooltipUnfolding : 1; // whether the current tooltip is unfolding ULONG DoubleBuffered : 1; ULONG SuspendUpdateStructure : 1; ULONG SuspendUpdateLayout : 1; ULONG SuspendUpdateMoveMouse : 1; ULONG DragSelectionActive : 1; ULONG SelectionRectangleAlpha : 1; // use alpha blending for the selection rectangle ULONG CustomRowHeight : 1; ULONG CustomColors : 1; ULONG ContextMenuActive : 1; ULONG ThemeSupport : 1; ULONG ImageListSupport : 1; }; ULONG Flags; }; ULONG Style; ULONG ExtendedStyle; ULONG ExtendedFlags; HFONT Font; HCURSOR Cursor; RECT ClientRect; LONG HeaderHeight; LONG RowHeight; LONG VScrollWidth; LONG HScrollHeight; LONG VScrollPosition; LONG HScrollPosition; LONG FixedWidth; // width of the fixed part of the tree list LONG FixedWidthMinimum; LONG NormalLeft; // FixedWidth + 1 if there is a fixed column, otherwise 0 LONG WheelScrollLines; LONG TextMarginPadding; LONG CellMarginLeft; LONG CellMarginRight; LONG IconRightPadding; LONG HeaderTextPadding; LONG HeaderTextMargin; LONG HeaderRowMargin; PPH_TREENEW_NODE FocusNode; ULONG HotNodeIndex; ULONG MarkNodeIndex; // selection mark ULONG MouseDownLast; POINT MouseDownLocation; POINT MouseLocation; PPH_TREENEW_CALLBACK Callback; PVOID CallbackContext; PPH_TREENEW_COLUMN *Columns; // columns, indexed by ID ULONG NextId; ULONG AllocatedColumns; ULONG NumberOfColumns; // just a statistic; do not use for actual logic PPH_TREENEW_COLUMN *ColumnsByDisplay; // columns, indexed by display order (excluding the fixed column) ULONG AllocatedColumnsByDisplay; ULONG NumberOfColumnsByDisplay; // the number of visible columns (excluding the fixed column) LONG TotalViewX; // total width of normal columns PPH_TREENEW_COLUMN FixedColumn; PPH_TREENEW_COLUMN FirstColumn; // first column, by display order (including the fixed column) PPH_TREENEW_COLUMN LastColumn; // last column, by display order (including the fixed column) PPH_TREENEW_COLUMN ResizingColumn; LONG OldColumnWidth; LONG TrackStartX; LONG TrackOldFixedWidth; ULONG DividerHot; // 0 for un-hot, 100 for completely hot PPH_LIST FlatList; ULONG SortColumn; // ID of the column to sort by PH_SORT_ORDER SortOrder; FLOAT VScrollRemainder; FLOAT HScrollRemainder; LONG SearchMessageTime; PWSTR SearchString; ULONG SearchStringCount; ULONG AllocatedSearchString; ULONG TooltipIndex; ULONG TooltipId; PPH_STRING TooltipText; RECT TooltipRect; // text rectangle of an unfolding tooltip HFONT TooltipFont; HFONT NewTooltipFont; ULONG TooltipColumnId; TEXTMETRIC TextMetrics; HTHEME ThemeData; COLORREF DefaultBackColor; COLORREF DefaultForeColor; // User configurable colors. COLORREF CustomTextColor; COLORREF CustomFocusColor; COLORREF CustomSelectedColor; LONG SystemBorderX; LONG SystemBorderY; LONG SystemEdgeX; LONG SystemEdgeY; HDC BufferedContext; HBITMAP BufferedOldBitmap; HBITMAP BufferedBitmap; RECT BufferedContextRect; LONG SystemDragX; LONG SystemDragY; RECT DragRect; LONG WindowDpi; LONG SmallIconWidth; LONG SmallIconHeight; LONG EnableRedraw; HRGN SuspendUpdateRegion; PH_STRINGREF EmptyText; WNDPROC HeaderWindowProc; WNDPROC FixedHeaderWindowProc; HIMAGELIST ImageListHandle; union { ULONG HeaderFlags; struct { ULONG HeaderCustomDraw : 1; ULONG HeaderMouseActive : 1; ULONG HeaderDragging : 1; ULONG HeaderUnused : 12; ULONG FillerBoxVisible : 1; ULONG ReorderDragActive : 1; ULONG ReorderJustStarted : 1; ULONG TooltipVisible : 1; ULONG TooltipActive : 1; ULONG SpareUnused : 12; }; }; ULONG HeaderHotColumn; HTHEME HeaderThemeHandle; HFONT HeaderBoldFontHandle; RECT HeaderLastHotRect; HDC HeaderBufferedDc; HBITMAP HeaderBufferedOldBitmap; HBITMAP HeaderBufferedBitmap; RECT HeaderBufferedContextRect; ULONG HeaderColumnCacheMax; PPH_STRINGREF HeaderStringCache; PVOID HeaderTextCache; HANDLE UniqueThread; ULONG64 ScrollTickCount; // Drag-reorder support ULONG ReorderSourceIndex; // source row index in FlatList ULONG ReorderTargetIndex; // target row index under caret BOOLEAN ReorderDropAfter; // caret drops after the target row RECT ReorderInsertRect; // last drawn caret invalidation HCURSOR ReorderCursor; // optional cursor during reorder } PH_TREENEW_CONTEXT, *PPH_TREENEW_CONTEXT; LRESULT CALLBACK PhTnpWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ); _Function_class_(PH_TREENEW_CALLBACK) BOOLEAN NTAPI PhTnpNullCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ); PPH_TREENEW_CONTEXT PhTnpCreateTreeNewContext( VOID ); VOID PhTnpDestroyTreeNewContext( _In_ PPH_TREENEW_CONTEXT Context ); // Event handlers BOOLEAN PhTnpOnCreate( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ CONST CREATESTRUCT *CreateStruct ); VOID PhTnpOnSize( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpOnSetFont( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ HFONT Font, _In_ LOGICAL Redraw ); VOID PhTnpOnStyleChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Type, _In_ STYLESTRUCT *StyleStruct ); VOID PhTnpOnSettingChange( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpOnThemeChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpOnDpiChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ); ULONG PhTnpOnGetDlgCode( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey, _In_opt_ PMSG Message ); VOID PhTnpOnPaint( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpOnPrintClient( _In_ HWND hwnd, _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ ULONG Flags ); BOOLEAN PhTnpOnNcPaint( _In_ HWND hwnd, _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ HRGN UpdateRegion ); BOOLEAN PhTnpOnSetCursor( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ HWND CursorWindowHandle, _In_ ULONG HitTest, _In_ ULONG Source ); VOID PhTnpOnTimer( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id ); VOID PhTnpOnMouseMove( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ); VOID PhTnpOnMouseLeave( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpOnXxxButtonXxx( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Message, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ); VOID PhTnpOnCaptureChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpOnKeyDown( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey, _In_ ULONG Data ); VOID PhTnpOnChar( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Character, _In_ ULONG Data ); VOID PhTnpOnMouseWheel( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ); VOID PhTnpOnMouseHWheel( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ); VOID PhTnpOnContextMenu( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorScreenX, _In_ LONG CursorScreenY ); VOID PhTnpOnVScroll( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Request, _In_ USHORT Position ); VOID PhTnpOnHScroll( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Request, _In_ USHORT Position ); _Success_(return) BOOLEAN PhTnpOnNotify( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ NMHDR *Header, _Out_ LRESULT *Result ); LRESULT PhTnpOnUserMessage( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ); // Misc. VOID PhTnpSetFont( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ HFONT Font, _In_ BOOLEAN Redraw ); VOID PhTnpUpdateSystemMetrics( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpUpdateTextMetrics( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpUpdateThemeData( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpInitializeThemeData( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpCancelTrack( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpLayout( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpLayoutHeader( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpSetFixedWidth( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG FixedWidth ); VOID PhTnpSetRedraw( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Redraw ); VOID PhTnpSendMouseEvent( _In_ PPH_TREENEW_CONTEXT Context, _In_ PH_TREENEW_MESSAGE Message, _In_ LONG CursorX, _In_ LONG CursorY, _In_opt_ PPH_TREENEW_NODE Node, _In_opt_ PPH_TREENEW_COLUMN Column, _In_ ULONG VirtualKeys ); // Columns PPH_TREENEW_COLUMN PhTnpLookupColumnById( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id ); BOOLEAN PhTnpAddColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column ); BOOLEAN PhTnpRemoveColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id ); _Success_(return) BOOLEAN PhTnpCopyColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id, _Out_ PPH_TREENEW_COLUMN Column ); BOOLEAN PhTnpChangeColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Mask, _In_ ULONG Id, _In_ PPH_TREENEW_COLUMN Column ); VOID PhTnpExpandAllocatedColumns( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpUpdateColumnMaps( _In_ PPH_TREENEW_CONTEXT Context ); // Columns (header control) LONG PhTnpInsertColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column ); VOID PhTnpChangeColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Mask, _In_ PPH_TREENEW_COLUMN Column ); VOID PhTnpDeleteColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _Inout_ PPH_TREENEW_COLUMN Column ); VOID PhTnpUpdateColumnHeaders( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpUpdateColumnHeadersDpiChanged( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG OldWindowDpi, _In_ LONG NewWindowDpi ); VOID PhTnpProcessResizeColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column, _In_ LONG Delta ); VOID PhTnpProcessSortColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN NewColumn ); BOOLEAN PhTnpSetColumnHeaderSortIcon( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ PPH_TREENEW_COLUMN SortColumnPointer ); VOID PhTnpAutoSizeColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ HWND HeaderHandle, _In_ PPH_TREENEW_COLUMN Column, _In_ ULONG Flags ); // Nodes _Success_(return) BOOLEAN PhTnpGetNodeChildren( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ PPH_TREENEW_NODE Node, _Out_ PPH_TREENEW_NODE **Children, _Out_ PULONG NumberOfChildren ); BOOLEAN PhTnpIsNodeLeaf( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node ); _Success_(return) BOOLEAN PhTnpGetCellText( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ ULONG Id, _Out_ PPH_STRINGREF Text ); VOID PhTnpRestructureNodes( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpInsertNodeChildren( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ ULONG Level ); VOID PhTnpSetExpandedNode( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ BOOLEAN Expanded ); BOOLEAN PhTnpGetCellParts( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Index, _In_opt_ PPH_TREENEW_COLUMN Column, _In_ ULONG Flags, _Out_ PPH_TREENEW_CELL_PARTS Parts ); _Success_(return) BOOLEAN PhTnpGetRowRects( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Start, _In_ ULONG End, _In_ BOOLEAN Clip, _Out_ PRECT Rect ); VOID PhTnpHitTest( _In_ PPH_TREENEW_CONTEXT Context, _Inout_ PPH_TREENEW_HIT_TEST HitTest ); VOID PhTnpSelectRange( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Start, _In_ ULONG End, _In_ ULONG Flags, _Out_opt_ PULONG ChangedStart, _Out_opt_ PULONG ChangedEnd ); VOID PhTnpSetHotNode( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ PPH_TREENEW_NODE NewHotNode, _In_ BOOLEAN NewPlusMinusHot ); VOID PhTnpProcessSelectNode( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ LOGICAL ControlKey, _In_ LOGICAL ShiftKey, _In_ LOGICAL RightButton ); BOOLEAN PhTnpEnsureVisibleNode( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Index ); // Mouse VOID PhTnpProcessMoveMouse( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY ); VOID PhTnpProcessMouseVWheel( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance ); VOID PhTnpProcessMouseHWheel( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance ); // Keyboard BOOLEAN PhTnpProcessFocusKey( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey ); BOOLEAN PhTnpProcessNodeKey( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey ); VOID PhTnpProcessSearchKey( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Character ); BOOLEAN PhTnpDefaultIncrementalSearch( _In_ PPH_TREENEW_CONTEXT Context, _Inout_ PPH_TREENEW_SEARCH_EVENT SearchEvent, _In_ BOOLEAN Partial, _In_ BOOLEAN Wrap ); // Scrolling VOID PhTnpUpdateScrollBars( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpScroll( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG DeltaRows, _In_ LONG DeltaX ); VOID PhTnpProcessScroll( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG DeltaRows, _In_ LONG DeltaX ); BOOLEAN PhTnpCanScroll( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Horizontal, _In_ BOOLEAN Positive ); // Drawing VOID PhTnpPaint( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ PRECT PaintRect ); VOID PhTnpPrepareRowForDraw( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _Inout_ PPH_TREENEW_NODE Node ); VOID PhTnpDrawCell( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ PRECT CellRect, _In_ PPH_TREENEW_NODE Node, _In_ PPH_TREENEW_COLUMN Column, _In_ LONG RowIndex, _In_ LONG ColumnIndex ); VOID PhTnpDrawDivider( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc ); VOID PhTnpDrawPlusMinusGlyph( _In_ HDC hdc, _In_ PRECT Rect, _In_ BOOLEAN Plus ); VOID PhTnpDrawSelectionRectangle( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ PRECT Rect ); VOID PhTnpDrawThemedBorder( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc ); // Tooltips VOID PhTnpInitializeTooltips( _In_ PPH_TREENEW_CONTEXT Context ); _Success_(return) BOOLEAN PhTnpGetTooltipText( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPOINT Point, _Out_ PPH_STRING *Text ); BOOLEAN PhTnpPrepareTooltipShow( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpPrepareTooltipPop( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpPopTooltip( _In_ PPH_TREENEW_CONTEXT Context ); PPH_TREENEW_COLUMN PhTnpHitTestHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Fixed, _In_ PPOINT Point, _Out_opt_ PRECT ItemRect ); _Success_(return) BOOLEAN PhTnpGetHeaderTooltipText( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Fixed, _In_ PPOINT Point, _Out_ PPH_STRING *Text ); LRESULT CALLBACK PhTnpHeaderHookWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ); // Drag selection BOOLEAN PhTnpDetectDrag( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY, _In_ BOOLEAN DispatchMessages, _Out_opt_ PULONG CancelledByMessage ); VOID PhTnpDragSelect( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY ); VOID PhTnpProcessDragSelect( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKeys, _In_ PRECT OldRect, _In_ PRECT NewRect, _In_ PRECT TotalRect ); // Drag-reorder VOID PhTnpDrawInsertionCaret( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC Hdc ); VOID PhTnpReorderInvalidateCaret( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpReorderUpdateCaretRect( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpReorderBegin( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG SourceIndex ); VOID PhTnpReorderCancel( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpReorderCommit( _In_ PPH_TREENEW_CONTEXT Context ); VOID PhTnpReorderUpdate( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY ); // Double buffering VOID PhTnpCreateBufferedContext( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC Hdc ); VOID PhTnpDestroyBufferedContext( _In_ PPH_TREENEW_CONTEXT Context ); // Support functions _Success_(return) BOOLEAN PhTnpGetMessagePos( _In_ HWND WindowHandle, _Out_ PPOINT ClientPoint ); _Success_(return) BOOLEAN PhTnpGetColumnHeaderText( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column, _Out_ PPH_STRINGREF Text ); BOOLEAN TnHeaderCustomPaint( _In_ PPH_TREENEW_CONTEXT Context, _In_ LPNMCUSTOMDRAW CustomDraw ); // Macros #define TNP_CELL_LEFT_MARGIN 6 #define TNP_CELL_RIGHT_MARGIN 6 #define TNP_ICON_RIGHT_PADDING 4 #define TNP_TIMER_NULL 1 #define TNP_TIMER_ANIMATE_DIVIDER 2 #define TNP_TOOLTIPS_ITEM 0 #define TNP_TOOLTIPS_FIXED_HEADER 1 #define TNP_TOOLTIPS_HEADER 2 #define TNP_TOOLTIPS_DEFAULT_MAXIMUM_WIDTH 550 #define TNP_ANIMATE_DIVIDER_INTERVAL 10 #define TNP_ANIMATE_DIVIDER_INCREMENT 17 #define TNP_ANIMATE_DIVIDER_DECREMENT 2 #define TNP_HIT_TEST_FIXED_DIVIDER(X, Context) \ ((Context)->FixedDividerVisible && (X) >= (Context)->FixedWidth - 8 && (X) < (Context)->FixedWidth + 8) #define TNP_HIT_TEST_PLUS_MINUS_GLYPH(X, NodeLevel) \ (((X) >= TNP_CELL_LEFT_MARGIN + ((LONG)(NodeLevel) * SmallIconWidth)) && ((X) < TNP_CELL_LEFT_MARGIN + ((LONG)(NodeLevel) * SmallIconWidth) + SmallIconWidth)) #endif ================================================ FILE: phlib/include/verify.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2013-2016 * dmex 2017-2023 * */ #ifndef _PH_VERIFY_H #define _PH_VERIFY_H EXTERN_C_START #define PH_VERIFY_DEFAULT_SIZE_LIMIT (32 * 1024 * 1024) typedef enum _VERIFY_RESULT { VrUnknown = 0, VrNoSignature, VrTrusted, VrExpired, VrRevoked, VrDistrust, VrSecuritySettings, VrBadSignature } VERIFY_RESULT, *PVERIFY_RESULT; #define PH_VERIFY_UNTRUSTED(x) ((x) != VrUnknown && (x) != VrTrusted) PHLIBAPI PH_STRINGREF NTAPI PhVerifyResultToStringRef( _In_ VERIFY_RESULT Result ); #define PH_VERIFY_PREVENT_NETWORK_ACCESS 0x1 #define PH_VERIFY_VIEW_PROPERTIES 0x2 typedef struct _PH_VERIFY_FILE_INFO { HANDLE FileHandle; ULONG Flags; // PH_VERIFY_* ULONG FileSizeLimitForHash; // 0 for PH_VERIFY_DEFAULT_SIZE_LIMIT, -1 for unlimited ULONG NumberOfCatalogFileNames; PWSTR *CatalogFileNames; HWND hWnd; // for PH_VERIFY_VIEW_PROPERTIES } PH_VERIFY_FILE_INFO, *PPH_VERIFY_FILE_INFO; PHLIBAPI VERIFY_RESULT NTAPI PhVerifyFile( _In_ PCWSTR FileName, _Out_opt_ PPH_STRING *SignerName ); PHLIBAPI BOOLEAN NTAPI PhVerifyFileIsChainedToMicrosoft( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ); typedef struct _CERT_CONTEXT CERT_CONTEXT; typedef CERT_CONTEXT *PCERT_CONTEXT; PHLIBAPI NTSTATUS NTAPI PhVerifyFileEx( _In_ PPH_VERIFY_FILE_INFO Information, _Out_ VERIFY_RESULT *VerifyResult, _Out_opt_ PCERT_CONTEXT **Signatures, _Out_opt_ PULONG NumberOfSignatures ); PHLIBAPI VOID NTAPI PhFreeVerifySignatures( _In_opt_ PCERT_CONTEXT *Signatures, _In_ ULONG NumberOfSignatures ); PHLIBAPI PPH_STRING NTAPI PhGetSignerNameFromCertificate( _In_ PCERT_CONTEXT Certificate ); PHLIBAPI NTSTATUS NTAPI PhGetSystemComponentFromCertificate( _In_ PCERT_CONTEXT Certificate ); EXTERN_C_END #endif ================================================ FILE: phlib/include/verifyp.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2023 * */ #ifndef _PH_VERIFYP_H #define _PH_VERIFYP_H typedef struct _PH_VERIFY_CACHE_ENTRY { PPH_STRING FileName; ULONGLONG SequenceNumber; VERIFY_RESULT VerifyResult; PPH_STRING VerifySignerName; } PH_VERIFY_CACHE_ENTRY, *PPH_VERIFY_CACHE_ENTRY; _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpVerifyCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ); _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpVerifyCacheHashtableHashFunction( _In_ PVOID Entry ); typedef struct _CATALOG_INFO { ULONG cbStruct; _Field_z_ WCHAR wszCatalogFile[MAX_PATH]; } CATALOG_INFO, *PCATALOG_INFO; typedef struct tagCRYPTUI_VIEWSIGNERINFO_STRUCT { ULONG dwSize; HWND hwndParent; ULONG dwFlags; LPCTSTR szTitle; CMSG_SIGNER_INFO *pSignerInfo; HCRYPTMSG hMsg; LPCSTR pszOID; ULONG_PTR dwReserved; ULONG cStores; HCERTSTORE *rghStores; ULONG cPropSheetPages; PVOID rgPropSheetPages; } CRYPTUI_VIEWSIGNERINFO_STRUCT, *PCRYPTUI_VIEWSIGNERINFO_STRUCT; typedef BOOL (WINAPI *_CryptCATAdminCalcHashFromFileHandle)( _In_ HANDLE hFile, _Inout_ PULONG pcbHash, _Out_writes_bytes_to_opt_(*pcbHash, *pcbHash) PBYTE pbHash, _Reserved_ ULONG dwFlags ); typedef BOOL (WINAPI *_CryptCATAdminCalcHashFromFileHandle2)( _In_ HCATADMIN hCatAdmin, _In_ HANDLE hFile, _Inout_ PULONG pcbHash, _Out_writes_bytes_to_opt_(*pcbHash, *pcbHash) PBYTE pbHash, _Reserved_ ULONG dwFlags ); #define CRYPTCATADMIN_CALCHASH_FLAG_NONCONFORMANT_FILES_FALLBACK_FLAT 0x1 typedef BOOL (WINAPI *_CryptCATAdminCalcHashFromFileHandle3)( _In_ HCATADMIN hCatAdmin, _In_ HANDLE hFile, _Inout_ PULONG pcbHash, _Out_writes_bytes_to_opt_(*pcbHash, *pcbHash) PBYTE pbHash, _Reserved_ ULONG dwFlags ); typedef BOOL (WINAPI *_CryptCATAdminAcquireContext)( _Out_ HCATADMIN *phCatAdmin, _In_opt_ PCGUID pgSubsystem, _Reserved_ ULONG dwFlags ); typedef BOOL (WINAPI *_CryptCATAdminAcquireContext2)( _Out_ HCATADMIN *phCatAdmin, _In_opt_ PCGUID pgSubsystem, _In_opt_ PCWSTR pwszHashAlgorithm, _In_opt_ PCCERT_STRONG_SIGN_PARA pStrongHashPolicy, _Reserved_ ULONG dwFlags ); typedef HANDLE (WINAPI *_CryptCATAdminEnumCatalogFromHash)( _In_ HCATADMIN hCatAdmin, _In_reads_bytes_(cbHash) PBYTE pbHash, _In_ ULONG cbHash, _Reserved_ ULONG dwFlags, _Inout_opt_ HANDLE phPrevCatInfo // HCATINFO ); typedef BOOL (WINAPI *_CryptCATCatalogInfoFromContext)( _In_ HANDLE hCatInfo, _Inout_ CATALOG_INFO *psCatInfo, _In_ ULONG dwFlags ); typedef BOOL (WINAPI *_CryptCATAdminReleaseCatalogContext)( _In_ HCATADMIN hCatAdmin, _In_ HANDLE hCatInfo, _In_ ULONG dwFlags ); typedef BOOL (WINAPI *_CryptCATAdminReleaseContext)( _In_ HCATADMIN hCatAdmin, _In_ ULONG dwFlags ); typedef PCRYPT_PROVIDER_DATA (WINAPI *_WTHelperProvDataFromStateData)( _In_ HANDLE hStateData ); typedef PCRYPT_PROVIDER_SGNR (WINAPI *_WTHelperGetProvSignerFromChain)( _In_ CRYPT_PROVIDER_DATA *pProvData, _In_ ULONG idxSigner, _In_ BOOL fCounterSigner, _In_ ULONG idxCounterSigner ); typedef BOOL (WINAPI *_WTHelperIsChainedToMicrosoftFromStateData)( _In_ CRYPT_PROVIDER_DATA *pProvData ); typedef BOOL (WINAPI* _WTHelperIsChainedToMicrosoft)( _In_ PCCERT_CONTEXT pCertContext, _In_ HCERTSTORE hSiblingStore, _In_ BOOL IncludeMicrosoftTestRootCerts ); typedef BOOL (WINAPI* _WTHelperCheckCertUsage)( _In_ PCCERT_CONTEXT pCertContext, _In_ PCSTR pszOID ); typedef LONG (WINAPI *_WinVerifyTrust)( _In_ HWND hWnd, _In_ PCGUID pgActionID, _In_ PVOID pWVTData ); typedef VOID (WINAPI* _WintrustSetDefaultIncludePEPageHashes)( _In_ BOOL fIncludePEPageHashes ); typedef ULONG (WINAPI *_CertNameToStr)( _In_ ULONG dwCertEncodingType, _In_ PCERT_NAME_BLOB pName, _In_ ULONG dwStrType, _Out_writes_to_opt_(csz, return) PWSTR psz, _In_ ULONG csz ); typedef BOOL (WINAPI *_CertGetEnhancedKeyUsage)( _In_ PCCERT_CONTEXT pCertContext, _In_ ULONG dwFlags, _Out_writes_bytes_to_opt_(*pcbUsage, *pcbUsage) PCERT_ENHKEY_USAGE pUsage, _Inout_ PULONG pcbUsage ); typedef PCCERT_CONTEXT (WINAPI *_CertDuplicateCertificateContext)( _In_ PCCERT_CONTEXT pCertContext ); typedef BOOL (WINAPI *_CertFreeCertificateContext)( _In_ PCCERT_CONTEXT pCertContext ); typedef BOOL (WINAPI *_CryptUIDlgViewSignerInfo)( _In_ CRYPTUI_VIEWSIGNERINFO_STRUCT *pcvsi ); // C689AAB8-8E78-11D0-8C47-00C04FC295EE DEFINE_GUID(WINTRUST_KNOWN_SUBJECT_PE_IMAGE, 0xC689AAB8, 0x8E78, 0x11D0, 0x8C, 0x47, 0x0, 0xC0, 0x4F, 0xC2, 0x95, 0xEE); typedef enum _SIGNATURE_STATE { SIGNATURE_STATE_UNSIGNED_MISSING, SIGNATURE_STATE_UNSIGNED_UNSUPPORTED, SIGNATURE_STATE_UNSIGNED_POLICY, SIGNATURE_STATE_INVALID_CORRUPT, SIGNATURE_STATE_INVALID_POLICY, SIGNATURE_STATE_VALID, SIGNATURE_STATE_TRUSTED, SIGNATURE_STATE_UNTRUSTED } SIGNATURE_STATE; typedef enum _SIGNATURE_INFO_TYPE { SIT_UNKNOWN, SIT_AUTHENTICODE, SIT_CATALOG } SIGNATURE_INFO_TYPE; typedef enum _SIGNATURE_INFO_FLAGS { SIF_NONE = 0, SIF_AUTHENTICODE_SIGNED = 1, SIF_CATALOG_SIGNED = 2, SIF_VERSION_INFO = 4, SIF_CHECK_OS_BINARY = 0x800, SIF_BASE_VERIFICATION = 0x1000, SIF_CATALOG_FIRST = 0x2000, SIF_MOTW = 0x4000 } SIGNATURE_INFO_FLAGS; typedef struct _SIGNATURE_INFO { ULONG cbSize; SIGNATURE_STATE nSignatureState; SIGNATURE_INFO_TYPE nSignatureType; ULONG dwSignatureInfoAvailability; ULONG dwInfoAvailability; PWSTR pszDisplayName; ULONG cchDisplayName; PWSTR pszPublisherName; ULONG cchPublisherName; PWSTR pszMoreInfoURL; ULONG cchMoreInfoURL; PBYTE prgbHash; ULONG cbHash; BOOL fOSBinary; } SIGNATURE_INFO, *PSIGNATURE_INFO; typedef HRESULT (WINAPI* _WTGetSignatureInfo)( _In_opt_ PCWSTR pszFile, _In_opt_ HANDLE hFile, _In_ SIGNATURE_INFO_FLAGS sigInfoFlags, _Inout_ PSIGNATURE_INFO psiginfo, _Out_ PVOID ppCertContext, _Out_ PHANDLE phWVTStateData ); #endif ================================================ FILE: phlib/include/workqueue.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * */ #ifndef _PH_WORKQUEUE_H #define _PH_WORKQUEUE_H #ifdef __cplusplus extern "C" { #endif #if defined(DEBUG) extern PPH_LIST PhDbgWorkQueueList; extern PH_QUEUED_LOCK PhDbgWorkQueueListLock; #endif typedef struct _PH_WORK_QUEUE { PH_RUNDOWN_PROTECT RundownProtect; BOOLEAN Terminating; LIST_ENTRY QueueListHead; PH_QUEUED_LOCK QueueLock; PH_CONDITION QueueEmptyCondition; ULONG MaximumThreads; ULONG MinimumThreads; ULONG NoWorkTimeout; PH_QUEUED_LOCK StateLock; HANDLE SemaphoreHandle; ULONG CurrentThreads; ULONG BusyCount; } PH_WORK_QUEUE, *PPH_WORK_QUEUE; typedef VOID (NTAPI *PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION)( _In_ PUSER_THREAD_START_ROUTINE Function, _In_ PVOID Context ); typedef struct _PH_WORK_QUEUE_ENVIRONMENT { LONG BasePriority : 6; // Base priority increment ULONG IoPriority : 3; // I/O priority hint ULONG PagePriority : 3; // Page/memory priority ULONG ForceUpdate : 1; // Always set priorities regardless of cached values ULONG SpareBits : 19; } PH_WORK_QUEUE_ENVIRONMENT, *PPH_WORK_QUEUE_ENVIRONMENT; PHLIBAPI VOID NTAPI PhInitializeWorkQueue( _Out_ PPH_WORK_QUEUE WorkQueue, _In_ ULONG MinimumThreads, _In_ ULONG MaximumThreads, _In_ ULONG NoWorkTimeout ); PHLIBAPI VOID NTAPI PhDeleteWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue ); PHLIBAPI VOID NTAPI PhWaitForWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue ); PHLIBAPI VOID NTAPI PhQueueItemWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue, _In_ PUSER_THREAD_START_ROUTINE Function, _In_opt_ PVOID Context ); PHLIBAPI VOID NTAPI PhQueueItemWorkQueueEx( _Inout_ PPH_WORK_QUEUE WorkQueue, _In_ PUSER_THREAD_START_ROUTINE Function, _In_opt_ PVOID Context, _In_opt_ PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION DeleteFunction, _In_opt_ PPH_WORK_QUEUE_ENVIRONMENT Environment ); PHLIBAPI VOID NTAPI PhInitializeWorkQueueEnvironment( _Out_ PPH_WORK_QUEUE_ENVIRONMENT Environment ); PHLIBAPI PPH_WORK_QUEUE NTAPI PhGetGlobalWorkQueue( VOID ); #ifdef __cplusplus } #endif #endif ================================================ FILE: phlib/include/workqueuep.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2016 * */ #ifndef _PH_WORKQUEUEP_H #define _PH_WORKQUEUEP_H typedef struct _PH_WORK_QUEUE_ITEM { LIST_ENTRY ListEntry; PUSER_THREAD_START_ROUTINE Function; PVOID Context; PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION DeleteFunction; PH_WORK_QUEUE_ENVIRONMENT Environment; } PH_WORK_QUEUE_ITEM, *PPH_WORK_QUEUE_ITEM; VOID PhpGetDefaultWorkQueueEnvironment( _Out_ PPH_WORK_QUEUE_ENVIRONMENT Environment ); VOID PhpUpdateWorkQueueEnvironment( _Inout_ PPH_WORK_QUEUE_ENVIRONMENT CurrentEnvironment, _In_ PPH_WORK_QUEUE_ENVIRONMENT NewEnvironment ); PPH_WORK_QUEUE_ITEM PhpCreateWorkQueueItem( _In_ PUSER_THREAD_START_ROUTINE Function, _In_opt_ PVOID Context, _In_opt_ PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION DeleteFunction, _In_opt_ PPH_WORK_QUEUE_ENVIRONMENT Environment ); VOID PhpDestroyWorkQueueItem( _In_ PPH_WORK_QUEUE_ITEM WorkQueueItem ); VOID PhpExecuteWorkQueueItem( _Inout_ PPH_WORK_QUEUE_ITEM WorkQueueItem ); HANDLE PhpGetSemaphoreWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue ); BOOLEAN PhpCreateWorkQueueThread( _Inout_ PPH_WORK_QUEUE WorkQueue ); _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpWorkQueueThreadStart( _In_ PVOID Parameter ); #endif ================================================ FILE: phlib/include/wslsup.h ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2019-2023 * */ #ifndef _PH_WSLSUP_H #define _PH_WSLSUP_H EXTERN_C_START NTSTATUS PhWslQueryDistroProcessCommandLine( _In_ PPH_STRINGREF FileName, _In_ ULONG LxssProcessId, _Out_ PPH_STRING* Result ); NTSTATUS PhWslQueryDistroProcessEnvironment( _In_ PPH_STRINGREF FileName, _In_ ULONG LxssProcessId, _Out_ PPH_STRING* Result ); NTSTATUS PhInitializeLxssImageVersionInfo( _Inout_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PPH_STRINGREF FileName ); NTSTATUS PhCreateProcessLxss( _In_ PPH_STRING DistributionGuid, _In_ PPH_STRING DistributionName, _In_ PPH_STRING DistributionCommand, _Out_ PPH_STRING* Result ); EXTERN_C_END #endif ================================================ FILE: phlib/json.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017-2023 * */ #include #include #include #include #include static PVOID json_get_object( _In_ PVOID Object, _In_ PCSTR Key ) { json_object* returnObj; if (json_object_object_get_ex(Object, Key, &returnObj)) { return returnObj; } return NULL; } static NTSTATUS PhJsonErrorToNtStatus( _In_ enum json_tokener_error JsonError ) { switch (JsonError) { case json_tokener_success: return STATUS_SUCCESS; case json_tokener_continue: return STATUS_MORE_ENTRIES; case json_tokener_error_depth: return STATUS_PARTIAL_COPY; case json_tokener_error_parse_eof: case json_tokener_error_parse_unexpected: case json_tokener_error_parse_null: case json_tokener_error_parse_boolean: case json_tokener_error_parse_number: case json_tokener_error_parse_array: case json_tokener_error_parse_object_key_name: case json_tokener_error_parse_object_key_sep: case json_tokener_error_parse_object_value_sep: case json_tokener_error_parse_string: case json_tokener_error_parse_comment: case json_tokener_error_parse_utf8_string: return STATUS_FAIL_CHECK; case json_tokener_error_memory: return STATUS_NO_MEMORY; case json_tokener_error_size: return STATUS_BUFFER_TOO_SMALL; } return STATUS_UNSUCCESSFUL; } NTSTATUS PhCreateJsonParser( _Out_ PVOID* JsonObject, _In_ PCSTR JsonString ) { if (*JsonObject = json_tokener_parse(JsonString)) return STATUS_SUCCESS; return STATUS_UNSUCCESSFUL; } NTSTATUS PhCreateJsonParserEx( _Out_ PVOID* JsonObject, _In_ PVOID JsonString, _In_ BOOLEAN Unicode ) { json_tokener* tokenerObject; json_object* jsonObject; enum json_tokener_error jsonStatus; if (Unicode) { PPH_STRING jsonStringUtf16 = JsonString; PPH_BYTES jsonStringUtf8; if (jsonStringUtf16->Length / sizeof(WCHAR) >= INT32_MAX) return STATUS_INVALID_BUFFER_SIZE; if (!(tokenerObject = json_tokener_new())) return STATUS_NO_MEMORY; json_tokener_set_flags( tokenerObject, JSON_TOKENER_STRICT | JSON_TOKENER_VALIDATE_UTF8 ); jsonStringUtf8 = PhConvertUtf16ToUtf8Ex( jsonStringUtf16->Buffer, jsonStringUtf16->Length ); jsonObject = json_tokener_parse_ex( tokenerObject, jsonStringUtf8->Buffer, (LONG)jsonStringUtf8->Length ); PhDereferenceObject(jsonStringUtf8); } else { PPH_BYTES jsonStringUtf8 = JsonString; if (jsonStringUtf8->Length >= INT32_MAX) return STATUS_INVALID_BUFFER_SIZE; if (!(tokenerObject = json_tokener_new())) return STATUS_NO_MEMORY; json_tokener_set_flags( tokenerObject, JSON_TOKENER_STRICT | JSON_TOKENER_VALIDATE_UTF8 ); jsonObject = json_tokener_parse_ex( tokenerObject, jsonStringUtf8->Buffer, (LONG)jsonStringUtf8->Length ); } jsonStatus = json_tokener_get_error(tokenerObject); if (jsonStatus != json_tokener_success) { json_tokener_free(tokenerObject); return PhJsonErrorToNtStatus(jsonStatus); } json_tokener_free(tokenerObject); *JsonObject = jsonObject; return STATUS_SUCCESS; } VOID PhFreeJsonObject( _In_ PVOID Object ) { json_object_put(Object); } PPH_STRING PhGetJsonValueAsString( _In_ PVOID Object, _In_ PCSTR Key ) { PVOID object; PCSTR value; size_t length; if (object = json_get_object(Object, (PCSTR)Key)) { if ( (length = json_object_get_string_len(object)) && (value = json_object_get_string(object)) ) { return PhConvertUtf8ToUtf16Ex(value, length); } } return NULL; } PPH_STRING PhGetJsonObjectString( _In_ PVOID Object ) { PCSTR value; size_t length; if ( (length = json_object_get_string_len(Object)) && (value = json_object_get_string(Object)) ) { return PhConvertUtf8ToUtf16Ex(value, length); } return PhReferenceEmptyString(); } LONGLONG PhGetJsonValueAsInt64( _In_ PVOID Object, _In_ PCSTR Key ) { return json_object_get_int64(json_get_object(Object, Key)); } ULONGLONG PhGetJsonValueAsUInt64( _In_ PVOID Object, _In_ PCSTR Key ) { return json_object_get_uint64(json_get_object(Object, Key)); } ULONG PhGetJsonUInt32Object( _In_ PVOID Object ) { return json_object_get_int(Object); } ULONGLONG PhGetJsonUInt64Object( _In_ PVOID Object ) { return json_object_get_uint64(Object); } LONGLONG PhGetJsonInt64Object( _In_ PVOID Object ) { return json_object_get_int64(Object); } PVOID PhCreateJsonObject( VOID ) { return json_object_new_object(); } PVOID PhCreateJsonStringObject( _In_ PCSTR Value ) { return json_object_new_string(Value); } PVOID PhGetJsonObject( _In_ PVOID Object, _In_ PCSTR Key ) { return json_get_object(Object, Key); } PH_JSON_OBJECT_TYPE PhGetJsonObjectType( _In_ PVOID Object ) { switch (json_object_get_type(Object)) { case json_type_null: return PH_JSON_OBJECT_TYPE_NULL; case json_type_boolean: return PH_JSON_OBJECT_TYPE_BOOLEAN; case json_type_double: return PH_JSON_OBJECT_TYPE_DOUBLE; case json_type_int: return PH_JSON_OBJECT_TYPE_INT; case json_type_object: return PH_JSON_OBJECT_TYPE_OBJECT; case json_type_array: return PH_JSON_OBJECT_TYPE_ARRAY; case json_type_string: return PH_JSON_OBJECT_TYPE_STRING; } return PH_JSON_OBJECT_TYPE_UNKNOWN; } LONG PhGetJsonObjectLength( _In_ PVOID Object ) { return json_object_object_length(Object); } BOOLEAN PhGetJsonObjectBool( _In_ PVOID Object, _In_ PCSTR Key ) { return json_object_get_boolean(json_get_object(Object, Key)) == TRUE; } VOID PhAddJsonObjectValue( _In_ PVOID Object, _In_ PCSTR Key, _In_ PVOID Value ) { json_object_object_add_ex(Object, Key, Value, JSON_C_OBJECT_ADD_KEY_IS_NEW | JSON_C_OBJECT_ADD_CONSTANT_KEY); } VOID PhAddJsonObject( _In_ PVOID Object, _In_ PCSTR Key, _In_ PCSTR Value ) { json_object_object_add_ex(Object, Key, json_object_new_string(Value), JSON_C_OBJECT_ADD_KEY_IS_NEW | JSON_C_OBJECT_ADD_CONSTANT_KEY); } VOID PhAddJsonObject2( _In_ PVOID Object, _In_ PCSTR Key, _In_ PCSTR Value, _In_ SIZE_T Length ) { PVOID string = json_object_new_string_len(Value, (UINT32)Length); json_object_object_add_ex(Object, Key, string, JSON_C_OBJECT_ADD_KEY_IS_NEW | JSON_C_OBJECT_ADD_CONSTANT_KEY); } VOID PhAddJsonObjectUtf8( _In_ PVOID Object, _In_ PCSTR Key, _In_ PPH_BYTES String ) { PVOID string = json_object_new_string_len(String->Buffer, (UINT32)String->Length); json_object_object_add_ex(Object, Key, string, JSON_C_OBJECT_ADD_KEY_IS_NEW | JSON_C_OBJECT_ADD_CONSTANT_KEY); } VOID PhAddJsonObjectInt64( _In_ PVOID Object, _In_ PCSTR Key, _In_ LONGLONG Value ) { json_object_object_add_ex(Object, Key, json_object_new_int64(Value), JSON_C_OBJECT_ADD_KEY_IS_NEW | JSON_C_OBJECT_ADD_CONSTANT_KEY); } VOID PhAddJsonObjectUInt64( _In_ PVOID Object, _In_ PCSTR Key, _In_ ULONGLONG Value ) { json_object_object_add_ex(Object, Key, json_object_new_uint64(Value), JSON_C_OBJECT_ADD_KEY_IS_NEW | JSON_C_OBJECT_ADD_CONSTANT_KEY); } VOID PhAddJsonObjectDouble( _In_ PVOID Object, _In_ PCSTR Key, _In_ DOUBLE Value ) { json_object_object_add_ex(Object, Key, json_object_new_double(Value), JSON_C_OBJECT_ADD_KEY_IS_NEW | JSON_C_OBJECT_ADD_CONSTANT_KEY); } PVOID PhCreateJsonArray( VOID ) { return json_object_new_array(); } VOID PhAddJsonArrayObject( _In_ PVOID Object, _In_ PVOID Value ) { json_object_array_add(Object, Value); } PVOID PhGetJsonArrayString( _In_ PVOID Object, _In_ BOOLEAN Unicode ) { PCSTR value; size_t length; if (value = json_object_to_json_string_length(Object, JSON_C_TO_STRING_PLAIN, &length)) // json_object_get_string(Object)) { if (Unicode) return PhConvertUtf8ToUtf16Ex(value, length); else return PhCreateBytesEx(value, length); } return NULL; } INT64 PhGetJsonArrayLong64( _In_ PVOID Object, _In_ ULONG Index ) { return json_object_get_int64(json_object_array_get_idx(Object, Index)); } ULONG PhGetJsonArrayLength( _In_ PVOID Object ) { return (ULONG)json_object_array_length(Object); } PVOID PhGetJsonArrayIndexObject( _In_ PVOID Object, _In_ ULONG Index ) { return json_object_array_get_idx(Object, Index); } VOID PhEnumJsonArrayObject( _In_ PVOID Object, _In_ PPH_ENUM_JSON_OBJECT_CALLBACK Callback, _In_opt_ PVOID Context ) { if (PhGetJsonObjectType(Object) == PH_JSON_OBJECT_TYPE_OBJECT) { json_object_iter iter; json_object_object_foreachC(Object, iter) { if (!Callback(Object, iter.key, iter.val, Context)) break; } } } PVOID PhGetJsonObjectAsArrayList( _In_ PVOID Object ) { PPH_LIST listArray = NULL; if (PhGetJsonObjectType(Object) == PH_JSON_OBJECT_TYPE_OBJECT) { json_object_iter iter; listArray = PhCreateList(1); json_object_object_foreachC(Object, iter) { PJSON_ARRAY_LIST_OBJECT object; object = PhAllocateZero(sizeof(JSON_ARRAY_LIST_OBJECT)); object->Key = iter.key; object->Entry = iter.val; PhAddItemList(listArray, object); } } return listArray; } NTSTATUS PhLoadJsonObjectFromFile( _Out_ PVOID* JsonObject, _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; PPH_BYTES content; if (NT_SUCCESS(status = PhFileReadAllText(&content, FileName, FALSE))) { status = PhCreateJsonParserEx(JsonObject, content, FALSE); PhDereferenceObject(content); } return status; } static CONST PH_FLAG_MAPPING PhJsonFormatFlagMappings[] = { { PH_JSON_TO_STRING_PLAIN, JSON_C_TO_STRING_PLAIN }, { PH_JSON_TO_STRING_SPACED, JSON_C_TO_STRING_SPACED }, { PH_JSON_TO_STRING_PRETTY, JSON_C_TO_STRING_PRETTY }, }; static VOID PhJsonObjectToJsonStringIndent( _In_ PPH_BYTES_BUILDER StringBuilder, _In_ ULONG level, _In_ ULONG flags ) { if (FlagOn(flags, JSON_C_TO_STRING_PRETTY)) { // Print the indentation 'level' times for (ULONG i = 0; i < level; i++) { if (FlagOn(flags, JSON_C_TO_STRING_PRETTY_TAB)) { PhAppendBytesBuilder2(StringBuilder, "\t"); } else { // Standard 2-space indentation //PhAppendBytesBuilder2(StringBuilder, " "); } } } } static void PhJsonObjectToJsonStringEscape( _In_ PPH_BYTES_BUILDER StringBuilder, _In_ PCSTR JsonString, _In_ SIZE_T Length, _In_ ULONG Flags ) { SIZE_T pos = 0; SIZE_T offset = 0; UCHAR c; while (Length) { --Length; c = JsonString[pos]; switch (c) { case '\b': case '\n': case '\r': case '\t': case '\f': case '"': case '\\': case '/': { if ((Flags & JSON_C_TO_STRING_NOSLASHESCAPE) && c == '/') { pos++; break; } if (pos > offset) { PH_BYTESREF string; string.Buffer = (PCH)(JsonString + offset); string.Length = pos - offset; PhAppendBytesBuilder(StringBuilder, &string); } if (c == '\b') PhAppendBytesBuilder2(StringBuilder, "\\b"); else if (c == '\n') PhAppendBytesBuilder2(StringBuilder, "\\n"); else if (c == '\r') PhAppendBytesBuilder2(StringBuilder, "\\r"); else if (c == '\t') PhAppendBytesBuilder2(StringBuilder, "\\t"); else if (c == '\f') PhAppendBytesBuilder2(StringBuilder, "\\f"); else if (c == '"') PhAppendBytesBuilder2(StringBuilder, "\\\""); else if (c == '\\') PhAppendBytesBuilder2(StringBuilder, "\\\\"); else if (c == '/') PhAppendBytesBuilder2(StringBuilder, "\\/"); offset = ++pos; } break; default: { if (c < ' ') { if (pos > offset) { PH_BYTESREF string; string.Buffer = (PCH)(JsonString + offset); string.Length = pos - offset; PhAppendBytesBuilder(StringBuilder, &string); } char buffer[7]; const char* json_hex_chars = "0123456789abcdefABCDEF"; sprintf_s(buffer, sizeof(buffer), "\\u00%c%c", json_hex_chars[c >> 4], json_hex_chars[c & 0xf]); PH_BYTESREF string; string.Buffer = buffer; string.Length = (SIZE_T)strlen(buffer); PhAppendBytesBuilder(StringBuilder, &string); offset = ++pos; } else { pos++; } } break; } } if (pos > offset) { PH_BYTESREF string; string.Buffer = (PCH)(JsonString + offset); string.Length = pos - offset; PhAppendBytesBuilder(StringBuilder, &string); } } static BOOLEAN PhInternalJsonObjectObjectToString( _In_ PPH_BYTES_BUILDER StringBuilder, _In_ PVOID Object, _In_ ULONG Level, _In_ ULONG Flags ) { struct json_object_iterator it = json_object_iter_begin(Object); struct json_object_iterator itEnd = json_object_iter_end(Object); BOOLEAN had_children = FALSE; PhAppendBytesBuilder2(StringBuilder, "{"); while (!json_object_iter_equal(&it, &itEnd)) { const char* key = json_object_iter_peek_name(&it); struct json_object* val = json_object_iter_peek_value(&it); if (had_children) { PhAppendBytesBuilder2(StringBuilder, ","); } if (FlagOn(Flags, JSON_C_TO_STRING_PRETTY)) { PhAppendBytesBuilder2(StringBuilder, "\n"); } had_children = TRUE; if ((Flags & JSON_C_TO_STRING_SPACED) && !(Flags & JSON_C_TO_STRING_PRETTY)) { PhAppendBytesBuilder2(StringBuilder, " "); } PhJsonObjectToJsonStringIndent(StringBuilder, Level + 1, Flags); PhAppendBytesBuilder2(StringBuilder, "\""); PhJsonObjectToJsonStringEscape(StringBuilder, key, strlen(key), Flags); PhAppendBytesBuilder2(StringBuilder, "\""); if (FlagOn(Flags, JSON_C_TO_STRING_SPACED)) PhAppendBytesBuilder2(StringBuilder, ": "); else PhAppendBytesBuilder2(StringBuilder, ":"); if (val == NULL) { PhAppendBytesBuilder2(StringBuilder, "null"); } else if (!PhJsonObjectToString(StringBuilder, val, Level + 1, Flags)) { return FALSE; } json_object_iter_next(&it); } if (FlagOn(Flags, JSON_C_TO_STRING_PRETTY) && had_children) { PhAppendBytesBuilder2(StringBuilder, "\n"); PhJsonObjectToJsonStringIndent(StringBuilder, Level, Flags); } if (FlagOn(Flags, JSON_C_TO_STRING_SPACED) && !(Flags & JSON_C_TO_STRING_PRETTY)) { PhAppendBytesBuilder2(StringBuilder, " }"); } else { PhAppendBytesBuilder2(StringBuilder, "}"); } return TRUE; } static BOOLEAN PhInternalJsonObjectArrayToString( _In_ PPH_BYTES_BUILDER StringBuilder, _In_ PVOID Object, _In_ ULONG Level, _In_ ULONG Flags ) { SIZE_T length = json_object_array_length(Object); SIZE_T i; PhAppendBytesBuilder2(StringBuilder, "["); for (i = 0; i < length; i++) { struct json_object* value = json_object_array_get_idx(Object, i); if (i > 0) { PhAppendBytesBuilder2(StringBuilder, ","); } if (FlagOn(Flags, JSON_C_TO_STRING_PRETTY)) { PhAppendBytesBuilder2(StringBuilder, "\n"); } if ((Flags & JSON_C_TO_STRING_SPACED) && !(Flags & JSON_C_TO_STRING_PRETTY)) { PhAppendBytesBuilder2(StringBuilder, " "); } PhJsonObjectToJsonStringIndent(StringBuilder, Level + 1, Flags); if (value == NULL) // Should not happen in json-c arrays { PhAppendBytesBuilder2(StringBuilder, "null"); } else { if (!PhJsonObjectToString(StringBuilder, value, Level + 1, Flags)) return FALSE; } } if (FlagOn(Flags, JSON_C_TO_STRING_PRETTY) && length > 0) { PhAppendBytesBuilder2(StringBuilder, "\n"); PhJsonObjectToJsonStringIndent(StringBuilder, Level, Flags); } if (FlagOn(Flags, JSON_C_TO_STRING_SPACED) && !(Flags & JSON_C_TO_STRING_PRETTY)) PhAppendBytesBuilder2(StringBuilder, " ]"); else PhAppendBytesBuilder2(StringBuilder, "]"); return TRUE; } BOOLEAN PhJsonObjectToString( _In_ PPH_BYTES_BUILDER StringBuilder, _In_ PVOID Object, _In_ ULONG Level, _In_ ULONG Flags ) { switch (json_object_get_type(Object)) { case json_type_null: { PhAppendBytesBuilder2(StringBuilder, "null"); } break; case json_type_boolean: { if (json_object_get_boolean(Object)) PhAppendBytesBuilder2(StringBuilder, "true"); else PhAppendBytesBuilder2(StringBuilder, "false"); } break; case json_type_double: { SIZE_T returnLength; CHAR formatBuffer[_CVTBUFSIZE + 1]; if (NT_SUCCESS(PhFormatDoubleToUtf8( json_object_get_double(Object), FormatStandardForm, -1, formatBuffer, sizeof(formatBuffer), &returnLength ))) { PH_BYTESREF stringFormat; stringFormat.Buffer = formatBuffer; stringFormat.Length = returnLength - sizeof(ANSI_NULL); PhAppendBytesBuilder(StringBuilder, &stringFormat); } else { CHAR buffer[64]; // %.17g is standard to preserve double precision in text if (sprintf_s(buffer, sizeof(buffer), "%.17g", json_object_get_double(Object)) > 0) { // Handle specific JSON quirk: if double looks like int (no dot), append .0? // Standard JSON-C usually handles this, but strictly speaking "1" is a valid double in JSON. // We stick to the string output. PhAppendBytesBuilder2(StringBuilder, buffer); } } } break; case json_type_int: { SIZE_T returnLength; //PH_FORMAT format[1]; //WCHAR formatBuffer[260]; // //PhInitFormatI64D(&format[0], json_object_get_int64(Object)); // //if (PhFormatToBuffer( // format, // RTL_NUMBER_OF(format), // formatBuffer, // sizeof(formatBuffer), // &returnLength // )) //{ // PH_BYTESREF stringFormat; // // stringFormat.Buffer = formatBuffer; // stringFormat.Length = returnLength - sizeof(ANSI_NULL); // // PhAppendBytesBuilder(StringBuilder, &stringFormat); //} //else { CHAR formatBuffer[65]; if (NT_SUCCESS(PhIntegerToUtf8Buffer( json_object_get_int64(Object), 10, TRUE, formatBuffer, sizeof(formatBuffer), &returnLength ))) { PH_BYTESREF stringFormat; stringFormat.Buffer = formatBuffer; stringFormat.Length = returnLength - sizeof(ANSI_NULL); PhAppendBytesBuilder(StringBuilder, &stringFormat); } else { if (sprintf_s(formatBuffer, sizeof(formatBuffer), "%lld", json_object_get_int64(Object)) > 0) { PhAppendBytesBuilder2(StringBuilder, formatBuffer); } } } } break; case json_type_object: { return PhInternalJsonObjectObjectToString(StringBuilder, Object, Level, Flags); } break; case json_type_array: { return PhInternalJsonObjectArrayToString(StringBuilder, Object, Level, Flags); } break; case json_type_string: { PhAppendBytesBuilder2(StringBuilder, "\""); PhJsonObjectToJsonStringEscape( StringBuilder, json_object_get_string(Object), (size_t)json_object_get_string_len(Object), Flags ); PhAppendBytesBuilder2(StringBuilder, "\""); } break; default: return FALSE; } return TRUE; } PPH_BYTES PhJsonObjectToJsonString( _In_ PVOID Object, _In_ ULONG Flags ) { PH_BYTES_BUILDER stringBuilder; PhInitializeBytesBuilder(&stringBuilder, 25 * 1000); if (PhJsonObjectToString(&stringBuilder, Object, 0, Flags)) { return PhFinalBytesBuilderBytes(&stringBuilder); } PhDeleteBytesBuilder(&stringBuilder); return NULL; } NTSTATUS PhSaveJsonObjectToFile( _In_ PCPH_STRINGREF FileName, _In_ PVOID Object, _In_opt_ ULONG Flags ) { static CONST PH_STRINGREF extension = PH_STRINGREF_INIT(L".backup"); NTSTATUS status; ULONG json_flags = 0; HANDLE fileHandle = NULL; PPH_STRING fileName; IO_STATUS_BLOCK ioStatusBlock; LARGE_INTEGER allocationSize; PPH_BYTES jsonStringUtf8; //SIZE_T json_length; //PCSTR json_string; json_flags = 0; PhMapFlags1(&json_flags, Flags, PhJsonFormatFlagMappings, RTL_NUMBER_OF(PhJsonFormatFlagMappings)); jsonStringUtf8 = PhJsonObjectToJsonString(Object, json_flags); //json_string = json_object_to_json_string_length( // Object, // json_flags, // &json_length // ); if (!jsonStringUtf8 || jsonStringUtf8->Length == 0) return STATUS_UNSUCCESSFUL; // Preallocate the file size. allocationSize.QuadPart = jsonStringUtf8->Length; // Create the directory if it does not exist. status = PhCreateDirectoryFullPath(FileName); if (!NT_SUCCESS(status)) goto CleanupExit; // Create a temporary filename. fileName = PhGetBaseNameChangeExtension(FileName, &extension); // Create the temporary file. status = PhCreateFileEx( &fileHandle, &fileName->sr, FILE_GENERIC_WRITE | DELETE, NULL, &allocationSize, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_NONE, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL ); // Cleanup the temporary filename. PhDereferenceObject(fileName); if (!NT_SUCCESS(status)) goto CleanupExit; // Write the buffer to the temporary file. status = NtWriteFile( fileHandle, NULL, NULL, NULL, &ioStatusBlock, (PVOID)jsonStringUtf8->Buffer, (ULONG)jsonStringUtf8->Length, NULL, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; // Flush the temporary file. PhFlushBuffersFile(fileHandle); // Atomically update the target file: // https://learn.microsoft.com/en-us/windows/win32/fileio/deprecation-of-txf#applications-updating-a-single-file-with-document-like-data status = PhSetFileRename( fileHandle, NULL, TRUE, FileName ); CleanupExit: if (fileHandle) { NtClose(fileHandle); } if (jsonStringUtf8) { PhDereferenceObject(jsonStringUtf8); } return status; } // XML support static mxml_node_t* PhXmlLoadString( _In_ PCSTR String ) { mxml_options_t* options; mxml_node_t* currentNode; options = mxmlOptionsNew(); mxmlOptionsSetTypeValue(options, MXML_TYPE_OPAQUE); currentNode = mxmlLoadString(NULL, options, String); mxmlOptionsDelete(options); return currentNode; } static PPH_BYTES PhXmlSaveString( _In_ PVOID XmlRootObject, _In_opt_ PVOID XmlSaveCallback ) { mxml_options_t* options; PPH_BYTES string; options = mxmlOptionsNew(); mxmlOptionsSetTypeValue(options, MXML_TYPE_OPAQUE); if (XmlSaveCallback) { mxmlOptionsSetWhitespaceCallback(options, XmlSaveCallback, NULL); } string = PhCreateBytes(mxmlSaveAllocString(XmlRootObject, options)); mxmlOptionsDelete(options); return string; } PVOID PhLoadXmlObjectFromString( _In_ PCSTR String ) { mxml_node_t* currentNode; if (currentNode = PhXmlLoadString(String)) { if (mxmlGetType(currentNode) == MXML_TYPE_ELEMENT) { return currentNode; } mxmlDelete(currentNode); } return NULL; } PVOID PhLoadXmlObjectFromString2( _In_ PCSTR String ) { mxml_node_t* currentNode; if (currentNode = PhXmlLoadString(String)) { return currentNode; } return NULL; } NTSTATUS PhLoadXmlObjectFromFile( _In_ PCPH_STRINGREF FileName, _Out_opt_ PVOID* XmlRootObject ) { NTSTATUS status; HANDLE fileHandle; LARGE_INTEGER fileSize; PPH_BYTES fileContent; mxml_node_t* currentNode = NULL; status = PhCreateFile( &fileHandle, FileName, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; if (NT_SUCCESS(PhGetFileSize(fileHandle, &fileSize)) && fileSize.QuadPart == 0) { // A blank file is OK. NtClose(fileHandle); return STATUS_END_OF_FILE; } if (NT_SUCCESS(status = PhGetFileText(&fileContent, fileHandle, FALSE))) { currentNode = PhXmlLoadString(fileContent->Buffer); PhDereferenceObject(fileContent); } NtClose(fileHandle); if (currentNode) { if (mxmlGetType(currentNode) == MXML_TYPE_ELEMENT) { if (XmlRootObject) *XmlRootObject = currentNode; return STATUS_SUCCESS; } mxmlDelete(currentNode); } return STATUS_FILE_CORRUPT_ERROR; } NTSTATUS PhSaveXmlObjectToFile( _In_ PCPH_STRINGREF FileName, _In_ PVOID XmlRootObject, _In_opt_ PVOID XmlSaveCallback ) { static CONST PH_STRINGREF extension = PH_STRINGREF_INIT(L".tmp"); NTSTATUS status; PPH_STRING fileName; HANDLE fileHandle = NULL; LARGE_INTEGER allocationSize; PPH_BYTES string; string = PhXmlSaveString(XmlRootObject, XmlSaveCallback); if (!string) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } allocationSize.QuadPart = string->Length; // Create the directory if it does not exist. status = PhCreateDirectoryFullPath(FileName); if (!NT_SUCCESS(status)) goto CleanupExit; // Create a temporary filename. fileName = PhGetBaseNameChangeExtension(FileName, &extension); // Create the temporary file. status = PhCreateFileEx( &fileHandle, &fileName->sr, FILE_GENERIC_WRITE | DELETE, NULL, &allocationSize, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_NONE, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL ); // Cleanup the temporary filename. PhDereferenceObject(fileName); if (!NT_SUCCESS(status)) goto CleanupExit; // Write the buffer to the temporary file. status = PhWriteFile( fileHandle, (PVOID)string->Buffer, (ULONG)string->Length, NULL, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; // Flush the temporary file. PhFlushBuffersFile(fileHandle); // Atomically update the target file: // https://learn.microsoft.com/en-us/windows/win32/fileio/deprecation-of-txf#applications-updating-a-single-file-with-document-like-data status = PhSetFileRename( fileHandle, NULL, TRUE, FileName ); CleanupExit: if (fileHandle) { NtClose(fileHandle); } if (string) { PhDereferenceObject(string); } return status; } VOID PhFreeXmlObject( _In_ PVOID XmlRootObject ) { mxmlDelete(XmlRootObject); } PVOID PhGetXmlObject( _In_ PVOID XmlNodeObject, _In_ PCSTR Path ) { mxml_node_t* currentNode; mxml_node_t* realNode; if (currentNode = mxmlFindPath(XmlNodeObject, Path)) { if (realNode = mxmlGetParent(currentNode)) return realNode; return currentNode; } return NULL; } PVOID PhCreateXmlNode( _In_opt_ PVOID ParentNode, _In_ PCSTR Name ) { return mxmlNewElement(ParentNode, Name); } PVOID PhCreateXmlOpaqueNode( _In_opt_ PVOID ParentNode, _In_ PCSTR Value ) { return mxmlNewOpaque(ParentNode, Value); } PVOID PhFindXmlObject( _In_ PVOID XmlNodeObject, _In_opt_ PVOID XmlTopObject, _In_opt_ PCSTR Element, _In_opt_ PCSTR Attribute, _In_opt_ PCSTR Value ) { return mxmlFindElement(XmlNodeObject, XmlTopObject, Element, Attribute, Value, MXML_DESCEND_ALL); } PVOID PhGetXmlNodeFirstChild( _In_ PVOID XmlNodeObject ) { return mxmlGetFirstChild(XmlNodeObject); } PVOID PhGetXmlNodeNextChild( _In_ PVOID XmlNodeObject ) { return mxmlGetNextSibling(XmlNodeObject); } PPH_STRING PhGetXmlNodeOpaqueText( _In_ PVOID XmlNodeObject ) { PCSTR string; if (string = mxmlGetOpaque(XmlNodeObject)) { return PhConvertUtf8ToUtf16(string); } else { return PhReferenceEmptyString(); } } PCSTR PhGetXmlNodeElementText( _In_ PVOID XmlNodeObject ) { return mxmlGetElement(XmlNodeObject); } PCSTR PhGetXmlNodeCDATAText( _In_ PVOID XmlNodeObject ) { return mxmlGetCDATA(XmlNodeObject); } PPH_STRING PhGetXmlNodeAttributeText( _In_ PVOID XmlNodeObject, _In_ PCSTR AttributeName ) { PCSTR string; if (string = mxmlElementGetAttr(XmlNodeObject, AttributeName)) { return PhConvertUtf8ToUtf16(string); } return NULL; } PCSTR PhGetXmlNodeAttributeByIndex( _In_ PVOID XmlNodeObject, _In_ SIZE_T Index, _Out_ PCSTR* AttributeName ) { return mxmlElementGetAttrByIndex(XmlNodeObject, Index, AttributeName); } VOID PhSetXmlNodeAttributeText( _In_ PVOID XmlNodeObject, _In_ PCSTR Name, _In_ PCSTR Value ) { mxmlElementSetAttr(XmlNodeObject, Name, Value); } SIZE_T PhGetXmlNodeAttributeCount( _In_ PVOID XmlNodeObject ) { return mxmlElementGetAttrCount(XmlNodeObject); } typedef BOOLEAN (NTAPI* PPH_ENUM_XML_NODE_CALLBACK)( _In_ PVOID XmlNodeObject, _In_opt_ PVOID Context ); BOOLEAN PhEnumXmlNode( _In_ PVOID XmlNodeObject, _In_ PPH_ENUM_XML_NODE_CALLBACK Callback, _In_opt_ PVOID Context ) { PVOID currentNode; currentNode = PhGetXmlNodeFirstChild(XmlNodeObject); while (currentNode) { if (Callback(currentNode, Context)) break; currentNode = PhGetXmlNodeNextChild(currentNode); } return TRUE; } PPH_XML_INTERFACE PhGetXmlInterface( _In_ ULONG Version ) { static PH_XML_INTERFACE PhXmlInterface = { PH_XML_INTERFACE_VERSION, PhLoadXmlObjectFromString, PhLoadXmlObjectFromFile, PhSaveXmlObjectToFile, PhFreeXmlObject, PhGetXmlObject, PhCreateXmlNode, PhCreateXmlOpaqueNode, PhFindXmlObject, PhGetXmlNodeFirstChild, PhGetXmlNodeNextChild, PhGetXmlNodeOpaqueText, PhGetXmlNodeElementText, PhGetXmlNodeAttributeText, PhGetXmlNodeAttributeByIndex, PhSetXmlNodeAttributeText, PhGetXmlNodeAttributeCount }; if (Version < PH_XML_INTERFACE_VERSION) return NULL; return &PhXmlInterface; } ================================================ FILE: phlib/kph.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2018-2023 * */ #include #include #include static CONST PH_STRINGREF KphDefaultPortName = PH_STRINGREF_INIT(KPH_PORT_NAME); static PPH_OBJECT_TYPE KphMessageObjectType = NULL; static PPH_OBJECT_TYPE KphUserMessageObjectType = NULL; VOID KphInitialize( VOID ) { PH_OBJECT_TYPE_PARAMETERS parameters; parameters.FreeListSize = ALIGN_UP_BY(KPH_MESSAGE_MIN_SIZE, 1024); parameters.FreeListCount = 65536; KphMessageObjectType = PhCreateObjectTypeEx( L"KsiMessage", PH_OBJECT_TYPE_TRY_USE_FREE_LIST, NULL, ¶meters ); parameters.FreeListSize = KPH_MESSAGE_MIN_SIZE; parameters.FreeListCount = 16; KphUserMessageObjectType = PhCreateObjectTypeEx( L"KsiUserMessage", PH_OBJECT_TYPE_USE_FREE_LIST, NULL, ¶meters ); } PKPH_MESSAGE KphCreateMessage( _In_ SIZE_T Size ) { assert(KphMessageObjectType); return PhCreateObject(Size, KphMessageObjectType); } PKPH_MESSAGE KphCreateUserMessage( _In_ KPH_MESSAGE_ID MessageId ) { PKPH_MESSAGE msg; assert(KphUserMessageObjectType); msg = PhCreateObject(KPH_MESSAGE_MIN_SIZE, KphUserMessageObjectType); KphMsgInit(msg, MessageId); return msg; } NTSTATUS KphConnect( _In_ PKPH_CONFIG_PARAMETERS Config ) { NTSTATUS status; SC_HANDLE serviceHandle; BOOLEAN created = FALSE; PCPH_STRINGREF portName; portName = (Config->PortName ? Config->PortName : &KphDefaultPortName); status = KphCommsStart(portName, Config->Callback, Config->RingBufferLength); if (NT_SUCCESS(status) || (status == STATUS_ALREADY_INITIALIZED)) return status; // Load the driver, and try again. if (Config->EnableNativeLoad || Config->EnableFilterLoad) { status = KsiLoadUnloadService(Config, TRUE); if (NT_SUCCESS(status)) { status = KphCommsStart(portName, Config->Callback, Config->RingBufferLength); } return status; } // Try to start the service, if it exists. status = PhOpenService(&serviceHandle, SERVICE_START | SERVICE_QUERY_STATUS, PhGetStringRefZ(Config->ServiceName)); if (NT_SUCCESS(status)) { status = PhStartService(serviceHandle, 0, NULL); if (NT_SUCCESS(status)) { status = PhWaitForServiceStatus(serviceHandle, SERVICE_RUNNING, 5000); } PhCloseServiceHandle(serviceHandle); serviceHandle = NULL; if (!NT_SUCCESS(status)) goto CreateAndConnectEnd; status = KphCommsStart(portName, Config->Callback, Config->RingBufferLength); goto CreateAndConnectEnd; } if (!PhDoesFileExistWin32(PhGetStringRefZ(Config->FileName))) { status = STATUS_NO_SUCH_FILE; goto CreateAndConnectEnd; } // Try to create the service. status = PhCreateService( &serviceHandle, PhGetStringRefZ(Config->ServiceName), PhGetStringRefZ(Config->ServiceName), SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, PhGetStringRefZ(Config->FileName), PhGetStringRefZ(Config->ObjectName), NULL ); if (!NT_SUCCESS(status)) goto CreateAndConnectEnd; created = TRUE; KphSetServiceSecurity(serviceHandle); status = KphSetParameters(Config); if (!NT_SUCCESS(status)) goto CreateAndConnectEnd; status = PhStartService(serviceHandle, 0, NULL); if (!NT_SUCCESS(status)) goto CreateAndConnectEnd; status = PhWaitForServiceStatus(serviceHandle, SERVICE_RUNNING, 5000); if (!NT_SUCCESS(status)) goto CreateAndConnectEnd; status = KphCommsStart(portName, Config->Callback, Config->RingBufferLength); CreateAndConnectEnd: if (created && serviceHandle) { // // "Delete" the service (mark it for deletion), SCM will retain the // service entry as long as the "ObjectName" exists. We do not use a // device object, SCM will detect that the driver has gone away by the // driver object (the specified "ObjectName"). // PhDeleteService(serviceHandle); PhCloseServiceHandle(serviceHandle); } return status; } NTSTATUS KphpSetParametersService( _In_ PKPH_CONFIG_PARAMETERS Config ) { #ifdef _WIN64 NTSTATUS status; HANDLE servicesKeyHandle = NULL; ULONG disposition; SIZE_T returnLength; PH_STRINGREF servicesKeyName; PH_FORMAT format[3]; WCHAR servicesKeyNameBuffer[MAX_PATH]; PhInitFormatS(&format[0], L"System\\CurrentControlSet\\Services"); PhInitFormatSR(&format[1], PhNtPathSeparatorString); PhInitFormatSR(&format[2], *Config->ServiceName); if (!PhFormatToBuffer( format, RTL_NUMBER_OF(format), servicesKeyNameBuffer, sizeof(servicesKeyNameBuffer), &returnLength )) { return STATUS_UNSUCCESSFUL; } servicesKeyName.Buffer = servicesKeyNameBuffer; servicesKeyName.Length = returnLength - sizeof(UNICODE_NULL); status = PhCreateKey( &servicesKeyHandle, KEY_WRITE | DELETE, PH_KEY_LOCAL_MACHINE, &servicesKeyName, 0, 0, &disposition ); if (!NT_SUCCESS(status)) return status; status = PhSetValueKeyZ( servicesKeyHandle, L"SupportedFeatures", REG_DWORD, &Config->FsSupportedFeatures, sizeof(ULONG) ); if (!NT_SUCCESS(status)) goto CleanupExit; CleanupExit: if (servicesKeyHandle) NtClose(servicesKeyHandle); return status; #else return STATUS_NOT_SUPPORTED; #endif } NTSTATUS KphSetParameters( _In_ PKPH_CONFIG_PARAMETERS Config ) { #ifdef _WIN64 NTSTATUS status; HANDLE parametersKeyHandle = NULL; ULONG disposition; SIZE_T returnLength; PH_STRINGREF parametersKeyName; PH_FORMAT format[4]; WCHAR parametersKeyNameBuffer[MAX_PATH]; // Services key parameters. status = KphpSetParametersService(Config); if (!NT_SUCCESS(status)) return status; if (!Config->PortName && !Config->Altitude && !Config->Flags.Flags && !Config->SystemProcessName) { // Don't create parameters key unless we must. return STATUS_SUCCESS; } PhInitFormatS(&format[0], L"System\\CurrentControlSet\\Services"); PhInitFormatSR(&format[1], PhNtPathSeparatorString); PhInitFormatSR(&format[2], *Config->ServiceName); PhInitFormatS(&format[3], L"\\Parameters"); if (!PhFormatToBuffer( format, RTL_NUMBER_OF(format), parametersKeyNameBuffer, sizeof(parametersKeyNameBuffer), &returnLength )) { return STATUS_UNSUCCESSFUL; } parametersKeyName.Buffer = parametersKeyNameBuffer; parametersKeyName.Length = returnLength - sizeof(UNICODE_NULL); status = PhCreateKey( ¶metersKeyHandle, KEY_WRITE | DELETE, PH_KEY_LOCAL_MACHINE, ¶metersKeyName, 0, 0, &disposition ); if (!NT_SUCCESS(status)) return status; if (Config->PortName) { status = PhSetValueKeyStringZ(parametersKeyHandle, L"PortName", Config->PortName); if (!NT_SUCCESS(status)) goto CleanupExit; } if (Config->Altitude) { status = PhSetValueKeyStringZ(parametersKeyHandle, L"Altitude", Config->Altitude); if (!NT_SUCCESS(status)) goto CleanupExit; } if (Config->Flags.Flags) { C_ASSERT(sizeof(KPH_PARAMETER_FLAGS) == sizeof(ULONG)); status = PhSetValueKeyUlong(parametersKeyHandle, L"Flags", Config->Flags.Flags); if (!NT_SUCCESS(status)) goto CleanupExit; } if (Config->SystemProcessName) { status = PhSetValueKeyZ( parametersKeyHandle, L"SystemProcessName", REG_SZ, Config->SystemProcessName->Buffer, (ULONG)Config->SystemProcessName->Length + sizeof(UNICODE_NULL) ); if (!NT_SUCCESS(status)) goto CleanupExit; } // Put more parameters here... status = STATUS_SUCCESS; CleanupExit: if (!NT_SUCCESS(status)) { // Delete the key if we created it. if (disposition == REG_CREATED_NEW_KEY) NtDeleteKey(parametersKeyHandle); } NtClose(parametersKeyHandle); return status; #else return STATUS_NOT_SUPPORTED; #endif } VOID KphSetServiceSecurity( _In_ SC_HANDLE ServiceHandle ) { PSID administratorsSid = PhSeAdministratorsSid(); UCHAR securityDescriptorBuffer[SECURITY_DESCRIPTOR_MIN_LENGTH + 0x80]; PSECURITY_DESCRIPTOR securityDescriptor; ULONG sdAllocationLength; PACL dacl; sdAllocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH + (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(&PhSeServiceSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(administratorsSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(&PhSeInteractiveSid); securityDescriptor = (PSECURITY_DESCRIPTOR)securityDescriptorBuffer; dacl = PTR_ADD_OFFSET(securityDescriptor, SECURITY_DESCRIPTOR_MIN_LENGTH); PhCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION); PhCreateAcl(dacl, sdAllocationLength - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION); PhAddAccessAllowedAce(dacl, ACL_REVISION, SERVICE_ALL_ACCESS, &PhSeServiceSid); PhAddAccessAllowedAce(dacl, ACL_REVISION, SERVICE_ALL_ACCESS, administratorsSid); PhAddAccessAllowedAce(dacl, ACL_REVISION, SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP | SERVICE_INTERROGATE | DELETE, &PhSeInteractiveSid ); PhSetDaclSecurityDescriptor(securityDescriptor, TRUE, dacl, FALSE); PhSetServiceObjectSecurity(ServiceHandle, DACL_SECURITY_INFORMATION, securityDescriptor); NT_ASSERT(RtlValidSecurityDescriptor(securityDescriptor)); NT_ASSERT(sdAllocationLength < sizeof(securityDescriptorBuffer)); NT_ASSERT(RtlLengthSecurityDescriptor(securityDescriptor) < sizeof(securityDescriptorBuffer)); } _Function_class_(PH_ENUM_KEY_CALLBACK) static BOOLEAN NTAPI KsiLoadUnloadServiceCleanupKeyCallback( _In_ HANDLE RootDirectory, _In_ PKEY_BASIC_INFORMATION Information, _In_ PVOID Context ) { HANDLE keyHandle; PH_STRINGREF keyName; keyName.Buffer = Information->Name; keyName.Length = Information->NameLength; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ | DELETE, RootDirectory, &keyName, 0 ))) { PhEnumerateKey(keyHandle, KeyBasicInformation, KsiLoadUnloadServiceCleanupKeyCallback, NULL); NtDeleteKey(keyHandle); NtClose(keyHandle); } return TRUE; } NTSTATUS KsiLoadUnloadService( _In_ PKPH_CONFIG_PARAMETERS Config, _In_ BOOLEAN LoadDriver ) { #ifdef _WIN64 static CONST PH_STRINGREF fullServicesKeyName = PH_STRINGREF_INIT(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"); static CONST PH_STRINGREF parametersKeyName = PH_STRINGREF_INIT(L"Parameters"); NTSTATUS status; PPH_STRING fullServiceKeyName; PPH_STRING fullServiceFileName; UNICODE_STRING driverServiceKeyName; HANDLE serviceKeyHandle; HANDLE parametersKeyHandle = NULL; ULONG disposition; NT_ASSERT(Config->FileName); NT_ASSERT(Config->ServiceName); NT_ASSERT(Config->ObjectName); fullServiceKeyName = PhConcatStringRef2(&fullServicesKeyName, Config->ServiceName); if (!PhStringRefToUnicodeString(&fullServiceKeyName->sr, &driverServiceKeyName)) { PhDereferenceObject(fullServiceKeyName); return STATUS_NAME_TOO_LONG; } status = PhCreateKey( &serviceKeyHandle, KEY_WRITE | KEY_CREATE_SUB_KEY, NULL, &fullServiceKeyName->sr, 0, 0, &disposition ); if (NT_SUCCESS(status) && disposition == REG_CREATED_NEW_KEY) { fullServiceFileName = PhConcatStringRef2(&PhNtDosDevicesPrefix, Config->FileName); PhSetValueKeyUlong(serviceKeyHandle, L"ErrorControl", SERVICE_ERROR_NORMAL); PhSetValueKeyUlong(serviceKeyHandle, L"Type", SERVICE_KERNEL_DRIVER); PhSetValueKeyUlong(serviceKeyHandle, L"Start", SERVICE_DISABLED); PhSetValueKeyStringZ(serviceKeyHandle, L"ImagePath", &fullServiceFileName->sr); PhSetValueKeyStringZ(serviceKeyHandle, L"ObjectName", Config->ObjectName); PhDereferenceObject(fullServiceFileName); KphSetParameters(Config); NtClose(serviceKeyHandle); } if (LoadDriver) { if (Config->EnableFilterLoad) status = PhFilterLoadUnload(Config->ServiceName, TRUE); else status = NtLoadDriver(&driverServiceKeyName); // Handle rare race condition with natively loading the driver. if (status == STATUS_IMAGE_ALREADY_LOADED) status = STATUS_SUCCESS; } else { if (Config->EnableFilterLoad) status = PhFilterLoadUnload(Config->ServiceName, FALSE); else status = NtUnloadDriver(&driverServiceKeyName); } if (!NT_SUCCESS(status) || !LoadDriver) { if (NT_SUCCESS(PhOpenKey( &serviceKeyHandle, KEY_READ | DELETE, NULL, &fullServiceKeyName->sr, 0 ))) { if (NT_SUCCESS(PhOpenKey( ¶metersKeyHandle, DELETE, serviceKeyHandle, ¶metersKeyName, 0 ))) { NtDeleteKey(parametersKeyHandle); NtClose(parametersKeyHandle); } PhEnumerateKey(serviceKeyHandle, KeyBasicInformation, KsiLoadUnloadServiceCleanupKeyCallback, NULL); NtDeleteKey(serviceKeyHandle); NtClose(serviceKeyHandle); } } PhDereferenceObject(fullServiceKeyName); return status; #else return STATUS_NOT_SUPPORTED; #endif } NTSTATUS KphServiceStop( _In_ PKPH_CONFIG_PARAMETERS Config ) { NTSTATUS status; //KphCommsStop(); if (Config->EnableNativeLoad || Config->EnableFilterLoad) { status = KsiLoadUnloadService(Config, FALSE); } else { SC_HANDLE serviceHandle; status = PhOpenService(&serviceHandle, SERVICE_STOP, PhGetStringRefZ(Config->ServiceName)); if (NT_SUCCESS(status)) { status = PhStopService(serviceHandle); PhCloseServiceHandle(serviceHandle); } } return status; } NTSTATUS KphGetInformerSettings( _Out_ PKPH_INFORMER_SETTINGS Settings ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgGetInformerSettings); msg->User.GetInformerSettings.Settings = Settings; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.GetInformerSettings.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphSetInformerSettings( _In_ PKPH_INFORMER_SETTINGS Settings ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgSetInformerSettings); msg->User.SetInformerSettings.Settings = Settings; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.SetInformerSettings.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenProcess); msg->User.OpenProcess.ProcessHandle = ProcessHandle; msg->User.OpenProcess.DesiredAccess = DesiredAccess; msg->User.OpenProcess.ClientId = ClientId; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenProcess.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenProcessToken); msg->User.OpenProcessToken.ProcessHandle = ProcessHandle; msg->User.OpenProcessToken.DesiredAccess = DesiredAccess; msg->User.OpenProcessToken.TokenHandle = TokenHandle; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenProcessToken.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenProcessJob( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE JobHandle ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenProcessJob); msg->User.OpenProcessJob.ProcessHandle = ProcessHandle; msg->User.OpenProcessJob.DesiredAccess = DesiredAccess; msg->User.OpenProcessJob.JobHandle = JobHandle; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenProcessJob.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphTerminateProcess( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgTerminateProcess); msg->User.TerminateProcess.ProcessHandle = ProcessHandle; msg->User.TerminateProcess.ExitStatus = ExitStatus; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.TerminateProcess.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphReadVirtualMemory( _In_opt_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgReadVirtualMemory); msg->User.ReadVirtualMemory.ProcessHandle = ProcessHandle; msg->User.ReadVirtualMemory.BaseAddress = BaseAddress; msg->User.ReadVirtualMemory.Buffer = Buffer; msg->User.ReadVirtualMemory.BufferSize = BufferSize; msg->User.ReadVirtualMemory.NumberOfBytesRead = NumberOfBytesRead; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.ReadVirtualMemory.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenThread); msg->User.OpenThread.ThreadHandle = ThreadHandle; msg->User.OpenThread.DesiredAccess = DesiredAccess; msg->User.OpenThread.ClientId = ClientId; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenThread.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenThreadProcess( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE ProcessHandle ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenThreadProcess); msg->User.OpenThreadProcess.ThreadHandle = ThreadHandle; msg->User.OpenThreadProcess.DesiredAccess = DesiredAccess; msg->User.OpenThreadProcess.ProcessHandle = ProcessHandle; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenThreadProcess.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphCaptureStackBackTraceThread( _In_ HANDLE ThreadHandle, _In_ ULONG FramesToSkip, _In_ ULONG FramesToCapture, _Out_writes_(FramesToCapture) PVOID *BackTrace, _Out_ PULONG CapturedFrames, _Out_opt_ PULONG BackTraceHash, _In_ ULONG Flags ) { NTSTATUS status; PKPH_MESSAGE msg; LARGE_INTEGER timeout; msg = KphCreateUserMessage(KphMsgCaptureStackBackTraceThread); msg->User.CaptureStackBackTraceThread.ThreadHandle = ThreadHandle; msg->User.CaptureStackBackTraceThread.FramesToSkip = FramesToSkip; msg->User.CaptureStackBackTraceThread.FramesToCapture = FramesToCapture; msg->User.CaptureStackBackTraceThread.BackTrace = BackTrace; msg->User.CaptureStackBackTraceThread.CapturedFrames = CapturedFrames; msg->User.CaptureStackBackTraceThread.BackTraceHash = BackTraceHash; msg->User.CaptureStackBackTraceThread.Timeout = PhTimeoutFromMilliseconds(&timeout, 300); msg->User.CaptureStackBackTraceThread.Flags = Flags; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.CaptureStackBackTraceThread.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphEnumerateProcessHandles( _In_ HANDLE ProcessHandle, _Out_writes_bytes_(BufferLength) PVOID Buffer, _In_opt_ ULONG BufferLength, _Inout_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgEnumerateProcessHandles); msg->User.EnumerateProcessHandles.ProcessHandle = ProcessHandle; msg->User.EnumerateProcessHandles.Buffer = Buffer; msg->User.EnumerateProcessHandles.BufferLength = BufferLength; msg->User.EnumerateProcessHandles.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.EnumerateProcessHandles.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KsiEnumerateProcessHandles( _In_ HANDLE ProcessHandle, _Out_ PKPH_PROCESS_HANDLE_INFORMATION *Handles ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 2048; buffer = PhAllocate(bufferSize); while (TRUE) { status = KphEnumerateProcessHandles( ProcessHandle, buffer, bufferSize, &bufferSize ); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { break; } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *Handles = buffer; return status; } NTSTATUS KphQueryInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryInformationObject); msg->User.QueryInformationObject.ProcessHandle = ProcessHandle; msg->User.QueryInformationObject.Handle = Handle; msg->User.QueryInformationObject.ObjectInformationClass = ObjectInformationClass; msg->User.QueryInformationObject.ObjectInformation = ObjectInformation; msg->User.QueryInformationObject.ObjectInformationLength = ObjectInformationLength; msg->User.QueryInformationObject.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryInformationObject.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQueryObjectThreadName( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ PPH_STRING* ThreadName ) { NTSTATUS status; ULONG bufferSize; ULONG returnLength; PTHREAD_NAME_INFORMATION buffer; returnLength = 0; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectThreadNameInformation, buffer, bufferSize, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL && returnLength > 0) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(returnLength); status = KphQueryInformationObject( ProcessHandle, Handle, KphObjectThreadNameInformation, buffer, bufferSize, &returnLength ); } if (NT_SUCCESS(status)) { *ThreadName = PhCreateStringFromUnicodeString(&buffer->ThreadName); } PhFree(buffer); return status; } NTSTATUS KphQueryObjectSectionMappingsInfo( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _Out_ PKPH_SECTION_MAPPINGS_INFORMATION* Info ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = MAX_PATH; *Info = NULL; buffer = PhAllocate(bufferSize); while (TRUE) { status = KphQueryInformationObject(ProcessHandle, Handle, KphObjectSectionMappingsInformation, buffer, bufferSize, &bufferSize); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { break; } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *Info = buffer; return status; } NTSTATUS KphSetInformationObject( _In_ HANDLE ProcessHandle, _In_ HANDLE Handle, _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgSetInformationObject); msg->User.SetInformationObject.ProcessHandle = ProcessHandle; msg->User.SetInformationObject.Handle = Handle; msg->User.SetInformationObject.ObjectInformationClass = ObjectInformationClass; msg->User.SetInformationObject.ObjectInformation = ObjectInformation; msg->User.SetInformationObject.ObjectInformationLength = ObjectInformationLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.SetInformationObject.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenDriver( _Out_ PHANDLE DriverHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenDriver); msg->User.OpenDriver.DriverHandle = DriverHandle; msg->User.OpenDriver.DesiredAccess = DesiredAccess; msg->User.OpenDriver.ObjectAttributes = (POBJECT_ATTRIBUTES)ObjectAttributes; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenDriver.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQueryInformationDriver( _In_ HANDLE DriverHandle, _In_ KPH_DRIVER_INFORMATION_CLASS DriverInformationClass, _Out_writes_bytes_opt_(DriverInformationLength) PVOID DriverInformation, _In_ ULONG DriverInformationLength, _Inout_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryInformationDriver); msg->User.QueryInformationDriver.DriverHandle = DriverHandle; msg->User.QueryInformationDriver.DriverInformationClass = DriverInformationClass; msg->User.QueryInformationDriver.DriverInformation = DriverInformation; msg->User.QueryInformationDriver.DriverInformationLength = DriverInformationLength; msg->User.QueryInformationDriver.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryInformationDriver.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _Out_writes_bytes_opt_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Inout_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryInformationProcess); msg->User.QueryInformationProcess.ProcessHandle = ProcessHandle; msg->User.QueryInformationProcess.ProcessInformationClass = ProcessInformationClass; msg->User.QueryInformationProcess.ProcessInformation = ProcessInformation; msg->User.QueryInformationProcess.ProcessInformationLength = ProcessInformationLength; msg->User.QueryInformationProcess.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryInformationProcess.Status; } PhDereferenceObject(msg); return status; } KPH_PROCESS_STATE KphGetProcessState( _In_ HANDLE ProcessHandle ) { KPH_PROCESS_STATE state; if (!KphCommsIsConnected()) return 0; if (!NT_SUCCESS(KphQueryInformationProcess( ProcessHandle, KphProcessStateInformation, &state, sizeof(state), NULL ))) return 0; return state; } KPH_PROCESS_STATE KphGetCurrentProcessState( VOID ) { return KphGetProcessState(NtCurrentProcess()); } KPH_LEVEL KphProcessLevel( _In_ HANDLE ProcessHandle ) { KPH_PROCESS_STATE state; // // This corresponds to the API access the client is currently given. // See comms_handlers.c // // Note that process state can change in runtime, so re-checking is // necessary. // state = KphGetProcessState(ProcessHandle); if ((state & KPH_PROCESS_STATE_MAXIMUM) == KPH_PROCESS_STATE_MAXIMUM) return KphLevelMax; if ((state & KPH_PROCESS_STATE_HIGH) == KPH_PROCESS_STATE_HIGH) return KphLevelHigh; if ((state & KPH_PROCESS_STATE_MEDIUM) == KPH_PROCESS_STATE_MEDIUM) return KphLevelMed; if ((state & KPH_PROCESS_STATE_LOW) == KPH_PROCESS_STATE_LOW) return KphLevelLow; if ((state & KPH_PROCESS_STATE_MINIMUM) == KPH_PROCESS_STATE_MINIMUM) return KphLevelMin; return KphLevelNone; } KPH_LEVEL KphLevelEx( _In_ BOOLEAN Cached ) { static KPH_LEVEL level = KphLevelNone; if (!Cached) level = KphProcessLevel(NtCurrentProcess()); return level; } KPH_LEVEL KsiLevel( VOID ) { return KphLevelEx(TRUE); } NTSTATUS KphSetInformationProcess( _In_ HANDLE ProcessHandle, _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgSetInformationProcess); msg->User.SetInformationProcess.ProcessHandle = ProcessHandle; msg->User.SetInformationProcess.ProcessInformationClass = ProcessInformationClass; msg->User.SetInformationProcess.ProcessInformation = ProcessInformation; msg->User.SetInformationProcess.ProcessInformationLength = ProcessInformationLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.SetInformationProcess.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphSetInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgSetInformationThread); msg->User.SetInformationThread.ThreadHandle = ThreadHandle; msg->User.SetInformationThread.ThreadInformationClass = ThreadInformationClass; msg->User.SetInformationThread.ThreadInformation = ThreadInformation; msg->User.SetInformationThread.ThreadInformationLength = ThreadInformationLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.SetInformationThread.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphSystemControl( _In_ KPH_SYSTEM_CONTROL_CLASS SystemControlClass, _In_reads_bytes_(SystemControlInfoLength) PVOID SystemControlInfo, _In_ ULONG SystemControlInfoLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgSystemControl); msg->User.SystemControl.SystemControlClass = SystemControlClass; msg->User.SystemControl.SystemControlInfo = SystemControlInfo; msg->User.SystemControl.SystemControlInfoLength = SystemControlInfoLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.SystemControl.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphAlpcQueryInformation( _In_ HANDLE ProcessHandle, _In_ HANDLE PortHandle, _In_ KPH_ALPC_INFORMATION_CLASS AlpcInformationClass, _Out_writes_bytes_opt_(AlpcInformationLength) PVOID AlpcInformation, _In_ ULONG AlpcInformationLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgAlpcQueryInformation); msg->User.AlpcQueryInformation.ProcessHandle = ProcessHandle; msg->User.AlpcQueryInformation.PortHandle = PortHandle; msg->User.AlpcQueryInformation.AlpcInformationClass = AlpcInformationClass; msg->User.AlpcQueryInformation.AlpcInformation = AlpcInformation; msg->User.AlpcQueryInformation.AlpcInformationLength = AlpcInformationLength; msg->User.AlpcQueryInformation.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.AlpcQueryInformation.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphAlpcQueryCommunicationsNamesInfo( _In_ HANDLE ProcessHandle, _In_ HANDLE PortHandle, _Out_ PKPH_ALPC_COMMUNICATION_NAMES_INFORMATION* Names ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = MAX_PATH; buffer = PhAllocate(bufferSize); while (TRUE) { status = KphAlpcQueryInformation(ProcessHandle, PortHandle, KphAlpcCommunicationNamesInformation, buffer, bufferSize, &bufferSize); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { break; } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *Names = buffer; return status; } NTSTATUS KphQueryInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_writes_bytes_(FileInformationLength) PVOID FileInformation, _In_ ULONG FileInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryInformationFile); msg->User.QueryInformationFile.ProcessHandle = ProcessHandle; msg->User.QueryInformationFile.FileHandle = FileHandle; msg->User.QueryInformationFile.FileInformationClass = FileInformationClass; msg->User.QueryInformationFile.FileInformation = FileInformation; msg->User.QueryInformationFile.FileInformationLength = FileInformationLength; msg->User.QueryInformationFile.IoStatusBlock = IoStatusBlock; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryInformationFile.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQueryVolumeInformationFile( _In_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FS_INFORMATION_CLASS FsInformationClass, _Out_writes_bytes_(FsInformationLength) PVOID FsInformation, _In_ ULONG FsInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryVolumeInformationFile); msg->User.QueryVolumeInformationFile.ProcessHandle = ProcessHandle; msg->User.QueryVolumeInformationFile.FileHandle = FileHandle; msg->User.QueryVolumeInformationFile.FsInformationClass = FsInformationClass; msg->User.QueryVolumeInformationFile.FsInformation = FsInformation; msg->User.QueryVolumeInformationFile.FsInformationLength = FsInformationLength; msg->User.QueryVolumeInformationFile.IoStatusBlock = IoStatusBlock; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryVolumeInformationFile.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphDuplicateObject( _In_ HANDLE ProcessHandle, _In_ HANDLE SourceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TargetHandle ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgDuplicateObject); msg->User.DuplicateObject.ProcessHandle = ProcessHandle; msg->User.DuplicateObject.SourceHandle = SourceHandle; msg->User.DuplicateObject.DesiredAccess = DesiredAccess; msg->User.DuplicateObject.TargetHandle = TargetHandle; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.DuplicateObject.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQueryPerformanceCounter( _Out_ PLARGE_INTEGER PerformanceCounter, _Out_opt_ PLARGE_INTEGER PerformanceFrequency ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryPerformanceCounter); status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { *PerformanceCounter = msg->User.QueryPerformanceCounter.PerformanceCounter; if (PerformanceFrequency) { *PerformanceFrequency = msg->User.QueryPerformanceCounter.PerformanceFrequency; } } else { PerformanceCounter->QuadPart = 0; if (PerformanceFrequency) { PerformanceFrequency->QuadPart = 0; } } PhDereferenceObject(msg); return status; } NTSTATUS KphCreateFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, _In_ ULONG EaLength, _In_ ULONG Options ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgCreateFile); msg->User.CreateFile.FileHandle = FileHandle; msg->User.CreateFile.DesiredAccess = DesiredAccess; msg->User.CreateFile.ObjectAttributes = (POBJECT_ATTRIBUTES)ObjectAttributes; msg->User.CreateFile.IoStatusBlock = IoStatusBlock; msg->User.CreateFile.AllocationSize = AllocationSize; msg->User.CreateFile.FileAttributes = FileAttributes; msg->User.CreateFile.ShareAccess = ShareAccess; msg->User.CreateFile.CreateDisposition = CreateDisposition; msg->User.CreateFile.CreateOptions = CreateOptions; msg->User.CreateFile.EaBuffer = EaBuffer; msg->User.CreateFile.EaLength = EaLength; msg->User.CreateFile.Options = Options; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.CreateFile.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQueryInformationThread( _In_ HANDLE ThreadHandle, _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, _Out_writes_bytes_opt_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryInformationThread); msg->User.QueryInformationThread.ThreadHandle = ThreadHandle; msg->User.QueryInformationThread.ThreadInformationClass = ThreadInformationClass; msg->User.QueryInformationThread.ThreadInformation = ThreadInformation; msg->User.QueryInformationThread.ThreadInformationLength = ThreadInformationLength; msg->User.QueryInformationThread.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryInformationThread.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQuerySection( _In_ HANDLE SectionHandle, _In_ KPH_SECTION_INFORMATION_CLASS SectionInformationClass, _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, _In_ ULONG SectionInformationLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQuerySection); msg->User.QuerySection.SectionHandle = SectionHandle; msg->User.QuerySection.SectionInformationClass = SectionInformationClass; msg->User.QuerySection.SectionInformation = SectionInformation; msg->User.QuerySection.SectionInformationLength = SectionInformationLength; msg->User.QuerySection.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QuerySection.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQuerySectionMappingsInfo( _In_ HANDLE SectionHandle, _Out_ PKPH_SECTION_MAPPINGS_INFORMATION* Info ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = MAX_PATH; *Info = NULL; buffer = PhAllocate(bufferSize); while (TRUE) { status = KphQuerySection(SectionHandle, KphSectionMappingsInformation, buffer, bufferSize, &bufferSize); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { break; } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *Info = buffer; return status; } NTSTATUS KphCompareObjects( _In_ HANDLE ProcessHandle, _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgCompareObjects); msg->User.CompareObjects.ProcessHandle = ProcessHandle; msg->User.CompareObjects.FirstObjectHandle = FirstObjectHandle; msg->User.CompareObjects.SecondObjectHandle = SecondObjectHandle; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.CompareObjects.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphGetInformerClientSettings( _Out_ PKPH_INFORMER_CLIENT_SETTINGS Settings ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgGetInformerClientSettings); msg->User.GetInformerClientSettings.Settings = Settings; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.GetInformerClientSettings.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphSetInformerClientSettings( _Out_ PKPH_INFORMER_CLIENT_SETTINGS Settings ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgSetInformerClientSettings); msg->User.SetInformerClientSettings.Settings = Settings; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.SetInformerClientSettings.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphAcquireDriverUnloadProtection( _Out_opt_ PLONG PreviousCount, _Out_opt_ PLONG ClientPreviousCount ) { NTSTATUS status; PKPH_MESSAGE msg; if (PreviousCount) *PreviousCount = 0; if (ClientPreviousCount) *ClientPreviousCount = 0; msg = KphCreateUserMessage(KphMsgAcquireDriverUnloadProtection); status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.AcquireDriverUnloadProtection.Status; if (NT_SUCCESS(status)) { if (PreviousCount) *PreviousCount = msg->User.AcquireDriverUnloadProtection.PreviousCount; if (ClientPreviousCount) *ClientPreviousCount = msg->User.AcquireDriverUnloadProtection.ClientPreviousCount; } } PhDereferenceObject(msg); return status; } NTSTATUS KphReleaseDriverUnloadProtection( _Out_opt_ PLONG PreviousCount, _Out_opt_ PLONG ClientPreviousCount ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgReleaseDriverUnloadProtection); status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.ReleaseDriverUnloadProtection.Status; if (NT_SUCCESS(status)) { if (PreviousCount) *PreviousCount = msg->User.ReleaseDriverUnloadProtection.PreviousCount; if (ClientPreviousCount) *ClientPreviousCount = msg->User.ReleaseDriverUnloadProtection.ClientPreviousCount; } } PhDereferenceObject(msg); return status; } NTSTATUS KphGetConnectedClientCount( _Out_ PULONG Count ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgGetConnectedClientCount); status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { *Count = msg->User.GetConnectedClientCount.Count; } PhDereferenceObject(msg); return status; } NTSTATUS KphActivateDynData( _In_ PBYTE DynData, _In_ ULONG DynDataLength, _In_ PBYTE Signature, _In_ ULONG SignatureLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgActivateDynData); msg->User.ActivateDynData.DynData = DynData; msg->User.ActivateDynData.DynDataLength = DynDataLength; msg->User.ActivateDynData.Signature = Signature; msg->User.ActivateDynData.SignatureLength = SignatureLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.ActivateDynData.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphIsDynDataActive( _Out_ PBOOLEAN IsActive ) { NTSTATUS status; PKPH_MESSAGE msg; *IsActive = FALSE; if (!KphCommsIsConnected()) return STATUS_PORT_DISCONNECTED; msg = KphCreateUserMessage(KphMsgIsDynDataActive); msg->User.IsDynDataActive.IsActive = IsActive; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.IsDynDataActive.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphRequestSessionAccessToken( _Out_ PKPH_SESSION_ACCESS_TOKEN AccessToken, _In_ PLARGE_INTEGER Expiry, _In_ ULONG Privileges, _In_ LONG Uses ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgRequestSessionAccessToken); msg->User.RequestSessionAccessToken.Expiry = *Expiry; msg->User.RequestSessionAccessToken.Privileges = Privileges; msg->User.RequestSessionAccessToken.Uses = Uses; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { RtlCopyMemory(AccessToken, &msg->User.RequestSessionAccessToken.AccessToken, sizeof(KPH_SESSION_ACCESS_TOKEN)); status = msg->User.RequestSessionAccessToken.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphAssignProcessSessionToken( _In_ HANDLE ProcessHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgAssignProcessSessionToken); msg->User.AssignProcessSessionToken.ProcessHandle = ProcessHandle; msg->User.AssignProcessSessionToken.Signature = Signature; msg->User.AssignProcessSessionToken.SignatureLength = SignatureLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.AssignProcessSessionToken.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphAssignThreadSessionToken( _In_ HANDLE ThreadHandle, _In_ PBYTE Signature, _In_ ULONG SignatureLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgAssignThreadSessionToken); msg->User.AssignThreadSessionToken.ThreadHandle = ThreadHandle; msg->User.AssignThreadSessionToken.Signature = Signature; msg->User.AssignThreadSessionToken.SignatureLength = SignatureLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.AssignThreadSessionToken.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphGetInformerProcessSettings( _In_ HANDLE ProcessHandle, _Out_ PKPH_INFORMER_SETTINGS Settings ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgGetInformerProcessSettings); msg->User.GetInformerProcessSettings.ProcessHandle = ProcessHandle; msg->User.GetInformerProcessSettings.Settings = Settings; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.GetInformerProcessSettings.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphSetInformerProcessSettings( _In_opt_ HANDLE ProcessHandle, _In_ PKPH_INFORMER_SETTINGS Settings ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgSetInformerProcessSettings); msg->User.SetInformerProcessSettings.ProcessHandle = ProcessHandle; msg->User.SetInformerProcessSettings.Settings = Settings; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.SetInformerProcessSettings.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphStripProtectedProcessMasks( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK ProcessAllowedMask, _In_ ACCESS_MASK ThreadAllowedMask ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgStripProtectedProcessMasks); msg->User.StripProtectedProcessMasks.ProcessHandle = ProcessHandle; msg->User.StripProtectedProcessMasks.ProcessAllowedMask = ProcessAllowedMask; msg->User.StripProtectedProcessMasks.ThreadAllowedMask = ThreadAllowedMask; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.StripProtectedProcessMasks.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphQueryVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ KPH_MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_opt_(MemoryInformationLength) PVOID MemoryInformation, _In_ ULONG MemoryInformationLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryVirtualMemory); msg->User.QueryVirtualMemory.ProcessHandle = ProcessHandle; msg->User.QueryVirtualMemory.BaseAddress = BaseAddress; msg->User.QueryVirtualMemory.MemoryInformationClass = MemoryInformationClass; msg->User.QueryVirtualMemory.MemoryInformation = MemoryInformation; msg->User.QueryVirtualMemory.MemoryInformationLength = MemoryInformationLength; msg->User.QueryVirtualMemory.ReturnLength = ReturnLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryVirtualMemory.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KsiQueryHashInformationFile( _In_ HANDLE FileHandle, _Inout_ PKPH_HASH_INFORMATION HashInformation, _In_ ULONG HashInformationLength ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgQueryHashInformationFile); msg->User.QueryHashInformationFile.FileHandle = FileHandle; msg->User.QueryHashInformationFile.HashingInformation = HashInformation; msg->User.QueryHashInformationFile.HashingInformationLength = HashInformationLength; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.QueryHashInformationFile.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenDevice( _Out_ PHANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenDevice); msg->User.OpenDevice.DeviceHandle = DeviceHandle; msg->User.OpenDevice.DesiredAccess = DesiredAccess; msg->User.OpenDevice.ObjectAttributes = ObjectAttributes; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenDevice.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenDeviceDriver( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE DriverHandle ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenDeviceDriver); msg->User.OpenDeviceDriver.DeviceHandle = DeviceHandle; msg->User.OpenDeviceDriver.DesiredAccess = DesiredAccess; msg->User.OpenDeviceDriver.DriverHandle = DriverHandle; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenDeviceDriver.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphOpenDeviceBaseDevice( _In_ HANDLE DeviceHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE BaseDeviceHandle ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgOpenDeviceBaseDevice); msg->User.OpenDeviceBaseDevice.DeviceHandle = DeviceHandle; msg->User.OpenDeviceBaseDevice.DesiredAccess = DesiredAccess; msg->User.OpenDeviceBaseDevice.BaseDeviceHandle = BaseDeviceHandle; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.OpenDeviceBaseDevice.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphGetInformerStats( _In_opt_ HANDLE ProcessHandle, _Out_ PKPH_INFORMER_STATS Stats ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgGetInformerStats); msg->User.GetInformerStats.ProcessHandle = ProcessHandle; msg->User.GetInformerStats.Stats = Stats; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.GetInformerStats.Status; } PhDereferenceObject(msg); return status; } NTSTATUS KphGetInformerClientStats( _Out_ PKPH_INFORMER_CLIENT_STATS Stats ) { NTSTATUS status; PKPH_MESSAGE msg; msg = KphCreateUserMessage(KphMsgGetInformerClientStats); msg->User.GetInformerClientStats.Stats = Stats; status = KphCommsSendMessage(msg); if (NT_SUCCESS(status)) { status = msg->User.GetInformerClientStats.Status; } PhDereferenceObject(msg); return status; } ================================================ FILE: phlib/kphcomms.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2022-2025 * dmex 2022-2025 * */ #include #include #include #include #include #include typedef struct _KPH_UMESSAGE { FILTER_MESSAGE_HEADER MessageHeader; KPH_MESSAGE Message; OVERLAPPED Overlapped; } KPH_UMESSAGE, *PKPH_UMESSAGE; typedef struct _KPH_UREPLY { FILTER_REPLY_HEADER ReplyHeader; KPH_MESSAGE Message; } KPH_UREPLY, *PKPH_UREPLY; PKPH_COMMS_CALLBACK KphpCommsRegisteredCallback = NULL; HANDLE KphpCommsFltPortHandle = NULL; BOOLEAN KphpCommsPortDisconnected = TRUE; PTP_POOL KphpCommsThreadPool = NULL; TP_CALLBACK_ENVIRON KphpCommsThreadPoolEnv; PTP_IO KphpCommsThreadPoolIo = NULL; PKPH_UMESSAGE KphpCommsMessages = NULL; ULONG KphpCommsMessageCount = 0; PH_RUNDOWN_PROTECT KphpCommsRundown; PH_FREE_LIST KphpCommsReplyFreeList; HANDLE KphpCommsRingBufferThread = NULL; KPH_RING_BUFFER_CONNECT KphpCommsRingBuffer = { 0 }; ULONG KphpCommsTlsSlot = TLS_OUT_OF_INDEXES; #define KPH_COMMS_MIN_THREADS 2 #define KPH_COMMS_MESSAGE_SCALE 2 #define KPH_COMMS_THREAD_SCALE 2 #define KPH_COMMS_MAX_MESSAGES 1024 #define KPH_COMMS_THREAD_PROPERTIES_SET UlongToPtr(1) VOID KphpCommsSetThreadProperties( _In_z_ PCWSTR ThreadName, _In_ KPRIORITY Priority ) { if (PhTlsGetValue(KphpCommsTlsSlot) != KPH_COMMS_THREAD_PROPERTIES_SET) { PhSetThreadName(NtCurrentThread(), ThreadName); if (Priority >= THREAD_PRIORITY_TIME_CRITICAL) Priority = LOW_REALTIME_PRIORITY; PhSetThreadBasePriority(NtCurrentThread(), Priority); PhTlsSetValue(KphpCommsTlsSlot, KPH_COMMS_THREAD_PROPERTIES_SET); } } /** * \brief Unhandled communications callback. * * \details Synchronous messages expecting a reply must always be handled, this * no-operation default callback will handle them as necessary. Used when no * callback is provided when connecting. Or when the callback does not handle * the message. * * \param[in] ReplyToken - Token used to reply, when possible. * \param[in] Message - Message from KPH to handle. */ VOID KphpCommsCallbackUnhandled( _In_ ULONG_PTR ReplyToken, _In_ PCKPH_MESSAGE Message ) { PKPH_MESSAGE msg; if (!ReplyToken) return; msg = KphCreateMessage(KPH_MESSAGE_MIN_SIZE); KphMsgInit(msg, KphMsgUnhandled); KphCommsReplyMessage(ReplyToken, msg); PhDereferenceObject(msg); } /** * \brief I/O thread pool callback for filter port. * * \param[in,out] Instance Unused * \param[in,out] Context Unused * \param[in,out] ApcContext Pointer to overlapped I/O that was completed. * \param[in] IoSB Result of the asynchronous I/O operation. * \param[in,out] Io Unused */ _Function_class_(TP_IO_CALLBACK) VOID WINAPI KphpCommsIoCallback( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_opt_ PVOID Context, _In_ PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoSB, _In_ PTP_IO Io ) { NTSTATUS status; PKPH_UMESSAGE msg; SIZE_T length; if (!PhAcquireRundownProtection(&KphpCommsRundown)) return; KphpCommsSetThreadProperties(L"Message Processor", THREAD_PRIORITY_TIME_CRITICAL); msg = CONTAINING_RECORD(ApcContext, KPH_UMESSAGE, Overlapped); if (IoSB->Status != STATUS_SUCCESS) { if (IoSB->Status == STATUS_PORT_DISCONNECTED) { KphpCommsPortDisconnected = TRUE; PhReleaseRundownProtection(&KphpCommsRundown); return; } goto QueueIoOperation; } assert(IoSB->Information >= UFIELD_OFFSET(KPH_UMESSAGE, Message)); if (IoSB->Information < UFIELD_OFFSET(KPH_UMESSAGE, Message)) goto QueueIoOperation; length = IoSB->Information - UFIELD_OFFSET(KPH_UMESSAGE, Message); assert(length >= KPH_MESSAGE_MIN_SIZE); if (length < KPH_MESSAGE_MIN_SIZE) goto QueueIoOperation; if (!NT_SUCCESS(status = KphMsgValidate(&msg->Message))) { assert(NT_SUCCESS(status)); goto QueueIoOperation; } if (msg->MessageHeader.ReplyLength) { BOOLEAN handled; ULONG_PTR replyToken; replyToken = (ULONG_PTR)&msg->MessageHeader; assert(length == msg->Message.Header.Size); if (KphpCommsRegisteredCallback) handled = KphpCommsRegisteredCallback(replyToken, &msg->Message); else handled = FALSE; if (!handled) KphpCommsCallbackUnhandled(replyToken, &msg->Message); } else if (KphpCommsRegisteredCallback) { for (ULONG offset = 0; offset < length; NOTHING) { PKPH_MESSAGE message; assert(offset < sizeof(KPH_MESSAGE)); message = PTR_ADD_OFFSET(&msg->Message, offset); KphpCommsRegisteredCallback(0, message); offset += message->Header.Size; } } QueueIoOperation: RtlZeroMemory(&msg->Overlapped, sizeof(OVERLAPPED)); assert(Io == KphpCommsThreadPoolIo); TpStartAsyncIoOperation(KphpCommsThreadPoolIo); status = PhFilterGetMessage( KphpCommsFltPortHandle, &msg->MessageHeader, FIELD_OFFSET(KPH_UMESSAGE, Overlapped), &msg->Overlapped ); if (status != STATUS_PENDING) { assert(status == STATUS_PORT_DISCONNECTED); if (status == STATUS_PORT_DISCONNECTED) KphpCommsPortDisconnected = TRUE; TpCancelAsyncIoOperation(KphpCommsThreadPoolIo); } PhReleaseRundownProtection(&KphpCommsRundown); } _Function_class_(KPH_RING_CALLBACK) BOOLEAN NTAPI KphpRingBufferCallback( _In_opt_ PVOID Context, _In_bytecount_(Length) PVOID Buffer, _In_ ULONG Length ) { if (!PhAcquireRundownProtection(&KphpCommsRundown)) return TRUE; if (KphpCommsRegisteredCallback && NT_VERIFY(Length >= KPH_MESSAGE_MIN_SIZE)) { if (NT_VERIFY(NT_SUCCESS(KphMsgValidate(Buffer)))) { KphpCommsRegisteredCallback(0, Buffer); } } PhReleaseRundownProtection(&KphpCommsRundown); return FALSE; } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI KphpRingBufferProcessor( _In_ PVOID Context ) { KphpCommsSetThreadProperties(L"Message Ring Processor", THREAD_PRIORITY_HIGHEST); while (PhAcquireRundownProtection(&KphpCommsRundown)) { PhReleaseRundownProtection(&KphpCommsRundown); if (!KphProcessRingBuffer(&KphpCommsRingBuffer.Ring, KphpRingBufferCallback, NULL)) { if (KphpCommsRingBuffer.EventHandle) PhWaitForSingleObject(KphpCommsRingBuffer.EventHandle, INFINITE); else PhDelayExecution(300); } } return STATUS_SUCCESS; } /** * \brief Starts the communications infrastructure. * * \param[in] PortName Communication port name. * \param[in] Callback Communication callback for receiving (and replying to) * messages from the driver. * \param[in] RingBufferLength Size of the ring buffer to use for messages. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphCommsStart( _In_ PCPH_STRINGREF PortName, _In_opt_ PKPH_COMMS_CALLBACK Callback, _In_ ULONG RingBufferLength ) { NTSTATUS status; ULONG numberOfThreads; PVOID connectionContext; PVOID connectionContextPointer; USHORT connectionContextSize; if (KphpCommsFltPortHandle) { status = STATUS_ALREADY_INITIALIZED; goto CleanupExit; } if (RingBufferLength) { NtCreateEvent(&KphpCommsRingBuffer.EventHandle, EVENT_ALL_ACCESS, NULL, SynchronizationEvent, FALSE); KphpCommsRingBuffer.Length = RingBufferLength; connectionContext = &KphpCommsRingBuffer; connectionContextPointer = &connectionContext; connectionContextSize = sizeof(PVOID); } else { connectionContextPointer = NULL; connectionContextSize = 0; } if (!NT_SUCCESS(status = PhFilterConnectCommunicationPort( PortName, 0, connectionContextPointer, connectionContextSize, NULL, &KphpCommsFltPortHandle ))) goto CleanupExit; KphpCommsPortDisconnected = FALSE; KphpCommsRegisteredCallback = Callback; PhInitializeRundownProtection(&KphpCommsRundown); PhInitializeFreeList(&KphpCommsReplyFreeList, sizeof(KPH_UREPLY), 16); KphpCommsTlsSlot = PhTlsAlloc(); if (KphpCommsTlsSlot == TLS_OUT_OF_INDEXES) { status = STATUS_INSUFFICIENT_RESOURCES; goto CleanupExit; } if (RingBufferLength) { if (!NT_SUCCESS(status = PhCreateThreadEx(&KphpCommsRingBufferThread, KphpRingBufferProcessor, NULL))) goto CleanupExit; } if (PhSystemProcessorInformation.NumberOfProcessors >= KPH_COMMS_MIN_THREADS) numberOfThreads = PhSystemProcessorInformation.NumberOfProcessors * KPH_COMMS_THREAD_SCALE; else numberOfThreads = KPH_COMMS_MIN_THREADS; KphpCommsMessageCount = numberOfThreads * KPH_COMMS_MESSAGE_SCALE; if (KphpCommsMessageCount > KPH_COMMS_MAX_MESSAGES) KphpCommsMessageCount = KPH_COMMS_MAX_MESSAGES; if (!NT_SUCCESS(status = TpAllocPool(&KphpCommsThreadPool, NULL))) goto CleanupExit; TpSetPoolMinThreads(KphpCommsThreadPool, KPH_COMMS_MIN_THREADS); TpSetPoolMaxThreads(KphpCommsThreadPool, numberOfThreads); if (TpSetPoolThreadBasePriority_Import()) TpSetPoolThreadBasePriority_Import()(KphpCommsThreadPool, THREAD_PRIORITY_HIGHEST); TpInitializeCallbackEnviron(&KphpCommsThreadPoolEnv); TpSetCallbackNoActivationContext(&KphpCommsThreadPoolEnv); TpSetCallbackPriority(&KphpCommsThreadPoolEnv, TP_CALLBACK_PRIORITY_HIGH); TpSetCallbackThreadpool(&KphpCommsThreadPoolEnv, KphpCommsThreadPool); //TpSetCallbackLongFunction(&KphpCommsThreadPoolEnv); PhSetFileCompletionNotificationMode(KphpCommsFltPortHandle, FILE_SKIP_SET_EVENT_ON_HANDLE); if (!NT_SUCCESS(status = TpAllocIoCompletion( &KphpCommsThreadPoolIo, KphpCommsFltPortHandle, KphpCommsIoCallback, NULL, &KphpCommsThreadPoolEnv ))) goto CleanupExit; KphpCommsMessages = PhAllocateZeroSafe(sizeof(KPH_UMESSAGE) * KphpCommsMessageCount); if (!KphpCommsMessages) { status = STATUS_NO_MEMORY; goto CleanupExit; } for (ULONG i = 0; i < KphpCommsMessageCount; i++) { RtlZeroMemory(&KphpCommsMessages[i].Overlapped, sizeof(OVERLAPPED)); TpStartAsyncIoOperation(KphpCommsThreadPoolIo); status = PhFilterGetMessage( KphpCommsFltPortHandle, &KphpCommsMessages[i].MessageHeader, FIELD_OFFSET(KPH_UMESSAGE, Overlapped), &KphpCommsMessages[i].Overlapped ); if (status == STATUS_PENDING) { status = STATUS_SUCCESS; } else { status = STATUS_FLT_INTERNAL_ERROR; goto CleanupExit; } } status = STATUS_SUCCESS; CleanupExit: if (!NT_SUCCESS(status)) KphCommsStop(); return status; } /** * \brief Stops the communications infrastructure. */ VOID KphCommsStop( VOID ) { if (!KphpCommsFltPortHandle) return; PhWaitForRundownProtection(&KphpCommsRundown); if (KphpCommsThreadPoolIo) { TpWaitForIoCompletion(KphpCommsThreadPoolIo, TRUE); TpReleaseIoCompletion(KphpCommsThreadPoolIo); KphpCommsThreadPoolIo = NULL; } TpDestroyCallbackEnviron(&KphpCommsThreadPoolEnv); if (KphpCommsThreadPool) { TpReleasePool(KphpCommsThreadPool); KphpCommsThreadPool = NULL; } if (KphpCommsRingBufferThread) { if (KphpCommsRingBuffer.EventHandle) NtSetEvent(KphpCommsRingBuffer.EventHandle, NULL); NtWaitForSingleObject(KphpCommsRingBufferThread, FALSE, NULL); NtClose(KphpCommsRingBufferThread); KphpCommsRingBufferThread = NULL; if (KphpCommsRingBuffer.Ring.Producer) { NtUnmapViewOfSection(NtCurrentProcess(), KphpCommsRingBuffer.Ring.Producer); KphpCommsRingBuffer.Ring.Producer = NULL; } if (KphpCommsRingBuffer.Ring.Consumer) { NtUnmapViewOfSection(NtCurrentProcess(), KphpCommsRingBuffer.Ring.Consumer); KphpCommsRingBuffer.Ring.Consumer = NULL; } if (KphpCommsRingBuffer.EventHandle) { NtClose(KphpCommsRingBuffer.EventHandle); KphpCommsRingBuffer.EventHandle = NULL; } } KphpCommsRegisteredCallback = NULL; KphpCommsPortDisconnected = TRUE; NtClose(KphpCommsFltPortHandle); KphpCommsFltPortHandle = NULL; if (KphpCommsMessages) { KphpCommsMessageCount = 0; PhFree(KphpCommsMessages); KphpCommsMessages = NULL; } if (KphpCommsTlsSlot != TLS_OUT_OF_INDEXES) { PhTlsFree(KphpCommsTlsSlot); KphpCommsTlsSlot = TLS_OUT_OF_INDEXES; } PhDeleteFreeList(&KphpCommsReplyFreeList); } /** * \brief Checks if communications is connected to the driver. * * \return TRUE if connected, FALSE otherwise. */ BOOLEAN KphCommsIsConnected( VOID ) { return (KphpCommsFltPortHandle && !KphpCommsPortDisconnected); } /** * \brief Replies to a message send to the communications callback. * * \param[in] ReplyToken Reply token from the communications callback. * \param[in] Message The message to reply with. * * \return Successful or errant status. */ NTSTATUS KphCommsReplyMessage( _In_ ULONG_PTR ReplyToken, _In_ PKPH_MESSAGE Message ) { NTSTATUS status; PKPH_UREPLY reply; PFILTER_MESSAGE_HEADER header; reply = NULL; header = (PFILTER_MESSAGE_HEADER)ReplyToken; if (!KphpCommsFltPortHandle) { status = STATUS_FLT_NOT_INITIALIZED; goto CleanupExit; } if (!header || !header->ReplyLength) { // // Kernel is not expecting a reply. // status = STATUS_INVALID_PARAMETER_1; goto CleanupExit; } if (!NT_SUCCESS(status = KphMsgValidate(Message))) goto CleanupExit; if (!(reply = PhAllocateFromFreeList(&KphpCommsReplyFreeList))) { status = STATUS_NO_MEMORY; goto CleanupExit; } RtlZeroMemory(reply, sizeof(KPH_UREPLY)); RtlCopyMemory(&reply->ReplyHeader, header, sizeof(reply->ReplyHeader)); RtlCopyMemory(&reply->Message, Message, Message->Header.Size); status = PhFilterReplyMessage( KphpCommsFltPortHandle, &reply->ReplyHeader, sizeof(reply->ReplyHeader) + Message->Header.Size ); if (status == STATUS_PORT_DISCONNECTED) KphpCommsPortDisconnected = TRUE; CleanupExit: if (reply) PhFreeToFreeList(&KphpCommsReplyFreeList, reply); return status; } /** * \brief Sends a message to the driver (and may receive output if applicable). * * \param[in,out] Message The message to send to driver, on success this message * contains the output from the driver. * * \return Successful or errant status. */ _Must_inspect_result_ NTSTATUS KphCommsSendMessage( _Inout_ PKPH_MESSAGE Message ) { NTSTATUS status; ULONG bytesReturned; if (!KphpCommsFltPortHandle) return STATUS_FLT_NOT_INITIALIZED; if (!NT_SUCCESS(status = KphMsgValidate(Message))) return status; status = PhFilterSendMessage( KphpCommsFltPortHandle, Message, Message->Header.Size, NULL, 0, &bytesReturned ); if (status == STATUS_PORT_DISCONNECTED) KphpCommsPortDisconnected = TRUE; return status; } ================================================ FILE: phlib/lsamsup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2023 * */ #include #include #include #include /** * Opens a handle to the SAM server. * * \param SamHandle A variable which receives the handle. * \param DesiredAccess The desired access to the handle. * \param SystemName The name of the system to connect to. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenSamHandle( _Out_ PSAM_HANDLE SamHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PUNICODE_STRING SystemName ) { OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); return SamConnect( SystemName, SamHandle, DesiredAccess, &objectAttributes ); } /** * Opens a handle to a SAM domain. * * \param DomainHandle A variable which receives the handle. * \param DesiredAccess The desired access to the handle. * \param DomainSid The SID of the domain to open. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenSamDomainHandle( _Out_ PSAM_HANDLE DomainHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PSID DomainSid ) { NTSTATUS status; SAM_HANDLE serverHandle; status = PhGetSamServerHandle(&serverHandle); if (!NT_SUCCESS(status)) return status; return SamOpenDomain( serverHandle, DesiredAccess, DomainSid, DomainHandle ); } /** * Retrieves a handle to the local SAM server with SAM_SERVER_LOOKUP_DOMAIN access. * * \param SamHandle A variable which receives the handle. * \return NTSTATUS Successful or errant status. * \remarks Do not close the handle; it is cached. */ NTSTATUS PhGetSamServerHandle( _Out_ PSAM_HANDLE SamHandle ) { static SAM_HANDLE cachedSamServerHandle = NULL; static NTSTATUS cachedStatus = STATUS_UNSUCCESSFUL; SAM_HANDLE samServerHandle; // Fast Path: No locking for the common case. samServerHandle = *(volatile SAM_HANDLE*)&cachedSamServerHandle; if (samServerHandle && samServerHandle != (SAM_HANDLE)-1) { *SamHandle = samServerHandle; return STATUS_SUCCESS; } while (TRUE) { // Attempt to acquire the lock (swap NULL with -1) samServerHandle = InterlockedCompareExchangePointer( &cachedSamServerHandle, (SAM_HANDLE)-1, NULL ); // Handle Contention if (samServerHandle != NULL) { // If the handle is fully initialized by another thread, return it. if (samServerHandle != (SAM_HANDLE)-1) { *SamHandle = samServerHandle; return STATUS_SUCCESS; } // The lock is held (-1). The other thread is talking to LSASS. // Try to yield execution to the lock-holder. if (!PhSwitchToThread()) { // If PhSwitchToThread returns FALSE, it means no yield happened // (we are alone on this core), so we must force a sleep to stop burning CPU. PhDelayExecution(100); } // If it returned TRUE, we yielded successfully. // We loop immediately to check if the lock is free now. continue; } // We hold the lock. Open the handle. SAM_HANDLE newSamServerHandle; NTSTATUS status; status = PhOpenSamHandle( &newSamServerHandle, SAM_SERVER_LOOKUP_DOMAIN | SAM_SERVER_CONNECT, NULL ); if (NT_SUCCESS(status)) { // Publish the new handle (releases waiting threads) InterlockedExchangePointer(&cachedSamServerHandle, newSamServerHandle); samServerHandle = newSamServerHandle; cachedStatus = STATUS_SUCCESS; } else { // Failed (e.g., Access Denied). Reset to NULL so we can try again later. InterlockedExchangePointer(&cachedSamServerHandle, NULL); samServerHandle = NULL; cachedStatus = status; } break; } if (samServerHandle && samServerHandle != (SAM_HANDLE)-1) { *SamHandle = samServerHandle; return STATUS_SUCCESS; } return cachedStatus; } /** * Retrieves a handle to the local SAM domain. * * \param DesiredAccess The desired access to the handle. * \param DomainHandle A variable which receives the handle. * \return NTSTATUS Successful or errant status. * \remarks Do not close the handle; it is cached. */ NTSTATUS PhGetSamDomainHandle( _In_ ACCESS_MASK DesiredAccess, _Out_ PSAM_HANDLE DomainHandle ) { static SAM_HANDLE cachedSamDomainHandle = NULL; NTSTATUS status = STATUS_SUCCESS; SAM_HANDLE samDomainHandle; // Fast Path: No locking for the common case. samDomainHandle = *(volatile SAM_HANDLE*)&cachedSamDomainHandle; if (samDomainHandle && samDomainHandle != (SAM_HANDLE)-1) { *DomainHandle = samDomainHandle; return STATUS_SUCCESS; } while (TRUE) { // Attempt to acquire the lock (swap NULL with -1) samDomainHandle = InterlockedCompareExchangePointer( &cachedSamDomainHandle, (SAM_HANDLE)-1, NULL ); // Handle Contention if (samDomainHandle != NULL) { // If the handle is fully initialized by another thread, return it. if (samDomainHandle != (SAM_HANDLE)-1) { *DomainHandle = samDomainHandle; return STATUS_SUCCESS; } // The lock is held (-1). The other thread is talking to LSASS. // Try to yield execution to the lock-holder. if (!PhSwitchToThread()) { // If PhSwitchToThread returns FALSE, it means no yield happened // (we are alone on this core), so we must force a sleep to stop burning CPU. PhDelayExecution(100); } // If it returned TRUE, we yielded successfully. // We loop immediately to check if the lock is free now. continue; } // We hold the lock. Open the handle. SAM_HANDLE newSamDomainHandle; PPOLICY_ACCOUNT_DOMAIN_INFO accountDomainInfo; status = LsaQueryInformationPolicy( PhGetLookupPolicyHandle(), PolicyAccountDomainInformation, &accountDomainInfo ); if (NT_SUCCESS(status)) { status = PhOpenSamDomainHandle( &newSamDomainHandle, DesiredAccess, accountDomainInfo->DomainSid ); if (NT_SUCCESS(status)) { // Publish the new handle (releases waiting threads) InterlockedExchangePointer(&cachedSamDomainHandle, newSamDomainHandle); samDomainHandle = newSamDomainHandle; } else { // Failed. Reset to NULL so we can try again later. InterlockedExchangePointer(&cachedSamDomainHandle, NULL); } LsaFreeMemory(accountDomainInfo); } else { InterlockedExchangePointer(&cachedSamDomainHandle, NULL); } break; } if (samDomainHandle && samDomainHandle != (SAM_HANDLE)-1) { *DomainHandle = samDomainHandle; return STATUS_SUCCESS; } return status; } /** * Looks up a SAM account name in a domain. * * \param DomainHandle A handle to a SAM domain. * \param Name The name of the account to look up. * \param RelativeId A variable which receives the RID of the account. * \param Use A variable which receives the usage of the account. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhLookupSamName( _In_ SAM_HANDLE DomainHandle, _In_ PPH_STRINGREF Name, _Out_ PULONG RelativeId, _Out_ PSID_NAME_USE Use ) { NTSTATUS status; PULONG relativeIds; PSID_NAME_USE uses; status = PhLookupSamNames( DomainHandle, 1, Name, &relativeIds, &uses ); if (NT_SUCCESS(status)) { *RelativeId = relativeIds[0]; *Use = uses[0]; PhFree(relativeIds); PhFree(uses); } return status; } /** * Looks up multiple SAM account names in a domain. * * \param DomainHandle A handle to a SAM domain. * \param Count The number of names to look up. * \param Names An array of account names. * \param RelativeIds A variable which receives a pointer to an array of RIDs. You must free the array using PhFree(). * \param Uses A variable which receives a pointer to an array of usages. You must free the array using PhFree(). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhLookupSamNames( _In_ SAM_HANDLE DomainHandle, _In_ ULONG Count, _In_ PPH_STRINGREF Names, _Out_ PULONG* RelativeIds, _Out_ PSID_NAME_USE* Uses ) { NTSTATUS status; PUNICODE_STRING names; PULONG relativeIds = NULL; PSID_NAME_USE uses = NULL; names = PhAllocateZero(sizeof(UNICODE_STRING) * Count); for (ULONG i = 0; i < Count; i++) { if (!PhStringRefToUnicodeString(&Names[i], &names[i])) { PhFree(names); return STATUS_NAME_TOO_LONG; } } status = SamLookupNamesInDomain( DomainHandle, Count, names, &relativeIds, &uses ); if (NT_SUCCESS(status) || status == STATUS_SOME_NOT_MAPPED) { *RelativeIds = PhAllocateCopy(relativeIds, sizeof(ULONG) * Count); *Uses = PhAllocateCopy(uses, sizeof(SID_NAME_USE) * Count); SamFreeMemory(relativeIds); SamFreeMemory(uses); } PhFree(names); return status; } /** * Gets the description of a SAM alias (local group). * * \param Sid The SID of the alias. * \param Description A variable which receives a pointer to a string containing the alias description. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSamAliasDescription( _In_ PSID Sid, _Out_ PPH_STRING *Description ) { NTSTATUS status; PPH_STRING description = NULL; SAM_HANDLE domainHandle; SAM_HANDLE aliasHandle; ULONG rid; PVOID infoBuffer; *Description = NULL; status = PhGetSamDomainHandle(DOMAIN_LOOKUP, &domainHandle); if (!NT_SUCCESS(status)) return status; rid = *PhSubAuthoritySid(Sid, *PhSubAuthorityCountSid(Sid) - 1); status = SamOpenAlias( domainHandle, ALIAS_READ_INFORMATION, rid, &aliasHandle ); if (NT_SUCCESS(status)) { status = SamQueryInformationAlias( aliasHandle, AliasAdminCommentInformation, &infoBuffer ); if (NT_SUCCESS(status)) { PALIAS_ADM_COMMENT_INFORMATION commentInfo = (PALIAS_ADM_COMMENT_INFORMATION)infoBuffer; description = PhCreateStringFromUnicodeString(&commentInfo->AdminComment); SamFreeMemory(infoBuffer); } SamCloseHandle(aliasHandle); } if (NT_SUCCESS(status)) { *Description = description; } return status; } /** * Gets the description of a SAM group. * * \param Sid The SID of the group. * \param Description A variable which receives a pointer to a string containing the group description. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSamGroupDescription( _In_ PSID Sid, _Out_ PPH_STRING *Description ) { NTSTATUS status; PPH_STRING description = NULL; SAM_HANDLE domainHandle; SAM_HANDLE groupHandle; ULONG rid; PVOID infoBuffer; status = PhGetSamDomainHandle(DOMAIN_LOOKUP, &domainHandle); if (!NT_SUCCESS(status)) return status; rid = *PhSubAuthoritySid(Sid, *PhSubAuthorityCountSid(Sid) - 1); status = SamOpenGroup( domainHandle, GROUP_READ_INFORMATION, rid, &groupHandle ); if (NT_SUCCESS(status)) { status = SamQueryInformationGroup( groupHandle, GroupAdminCommentInformation, &infoBuffer ); if (NT_SUCCESS(status)) { PGROUP_ADM_COMMENT_INFORMATION commentInfo = (PGROUP_ADM_COMMENT_INFORMATION)infoBuffer; description = PhCreateStringFromUnicodeString(&commentInfo->AdminComment); SamFreeMemory(infoBuffer); } SamCloseHandle(groupHandle); } if (NT_SUCCESS(status)) { *Description = description; } return status; } /** * Gets the description of a SAM user. * * \param Sid The SID of the user. * \param Description A variable which receives a pointer to a string containing the user description. * You must free the string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSamUserDescription( _In_ PSID Sid, _Out_ PPH_STRING *Description ) { NTSTATUS status; SAM_HANDLE domainHandle; SAM_HANDLE userHandle; ULONG rid; PPH_STRING description = NULL; PVOID infoBuffer; *Description = NULL; status = PhGetSamDomainHandle(DOMAIN_LOOKUP, &domainHandle); if (!NT_SUCCESS(status)) return status; rid = *PhSubAuthoritySid(Sid, *PhSubAuthorityCountSid(Sid) - 1); status = SamOpenUser( domainHandle, USER_READ_GENERAL, rid, &userHandle ); if (NT_SUCCESS(status)) { status = SamQueryInformationUser( userHandle, UserAdminCommentInformation, &infoBuffer ); if (NT_SUCCESS(status)) { PUSER_ADMIN_COMMENT_INFORMATION commentInfo = (PUSER_ADMIN_COMMENT_INFORMATION)infoBuffer; description = PhCreateStringFromUnicodeString(&commentInfo->AdminComment); SamFreeMemory(infoBuffer); } SamCloseHandle(userHandle); } if (NT_SUCCESS(status)) { *Description = description; } return status; } /** * Gets the description of a SAM account (user, group or alias). * * \param Sid The SID of the account. * \return A string containing the account description, or NULL if not found. */ PPH_STRING PhGetSamAccountDescription( _In_ PSID Sid ) { PPH_STRING description; if (NT_SUCCESS(PhGetSamAliasDescription(Sid, &description))) { return description; } if (NT_SUCCESS(PhGetSamGroupDescription(Sid, &description))) { return description; } if (NT_SUCCESS(PhGetSamUserDescription(Sid, &description))) { return description; } return NULL; } /** * Queries logon information for a user. * * \param DomainName The name of the domain. * \param UserName The name of the user. * \param LogonInfo A variable which receives a pointer to a structure containing the logon * information. You must free the structure using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryLogonInformation( _In_ PCPH_STRINGREF DomainName, _In_ PCPH_STRINGREF UserName, _Out_ PUSER_LOGON_INFORMATION* LogonInfo ) { NTSTATUS status; SAM_HANDLE serverHandle; SAM_HANDLE domainHandle = NULL; SAM_HANDLE userHandle = NULL; PSID domainSid = NULL; UNICODE_STRING domainName; UNICODE_STRING userName; PULONG relativeIds = NULL; PSID_NAME_USE uses = NULL; PUSER_LOGON_INFORMATION samLogonInfo = NULL; if (DomainName) { if (!PhStringRefToUnicodeString(DomainName, &domainName)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&domainName, NULL, 0); } if (UserName) { if (!PhStringRefToUnicodeString(UserName, &userName)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&userName, NULL, 0); } status = PhOpenSamHandle( &serverHandle, SAM_SERVER_LOOKUP_DOMAIN | SAM_SERVER_CONNECT, NULL ); if (!NT_SUCCESS(status)) return status; status = SamLookupDomainInSamServer( serverHandle, &domainName, &domainSid ); if (!NT_SUCCESS(status)) goto CleanupExit; status = SamOpenDomain( serverHandle, DOMAIN_LOOKUP, domainSid, &domainHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = SamLookupNamesInDomain( domainHandle, 1, &userName, &relativeIds, &uses ); if (!NT_SUCCESS(status)) goto CleanupExit; status = SamOpenUser( domainHandle, USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT | USER_LIST_GROUPS | USER_READ_GROUP_INFORMATION, relativeIds[0], &userHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; status = SamQueryInformationUser( userHandle, UserLogonInformation, &samLogonInfo ); if (!NT_SUCCESS(status)) goto CleanupExit; RtlCopyMemory(LogonInfo, samLogonInfo, sizeof(USER_LOGON_INFORMATION)); CleanupExit: if (samLogonInfo) SamFreeMemory(samLogonInfo); if (relativeIds) SamFreeMemory(relativeIds); if (uses) SamFreeMemory(uses); if (userHandle) SamCloseHandle(userHandle); if (domainHandle) SamCloseHandle(domainHandle); if (domainSid) SamFreeMemory(domainSid); return status; } ================================================ FILE: phlib/lsasup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2011 * dmex 2019-2023 * */ /* * These are functions which communicate with LSA or are support functions. They replace certain * Win32 security-related functions such as LookupAccountName, LookupAccountSid and * LookupPrivilege*, which are badly designed. (LSA already allocates the return values for the * caller, yet the Win32 functions insist on their callers providing their own buffers.) */ #include #include #include #include #include /** * Opens a handle to the local LSA policy. * * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenLsaPolicy( _Out_ PLSA_HANDLE PolicyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PUNICODE_STRING SystemName ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); status = LsaOpenPolicy( SystemName, &objectAttributes, DesiredAccess, PolicyHandle ); return status; } /** * Retrieves a handle to the local LSA policy with POLICY_LOOKUP_NAMES access. * * \remarks Do not close the handle; it is cached. */ LSA_HANDLE PhGetLookupPolicyHandle( VOID ) { static LSA_HANDLE cachedLookupPolicyHandle = NULL; LSA_HANDLE lookupPolicyHandle; LSA_HANDLE newLookupPolicyHandle; // Use the cached value if possible. lookupPolicyHandle = InterlockedCompareExchangePointer(&cachedLookupPolicyHandle, NULL, NULL); // If there is no cached handle, open one. if (!lookupPolicyHandle) { if (NT_SUCCESS(PhOpenLsaPolicy( &newLookupPolicyHandle, POLICY_LOOKUP_NAMES, NULL ))) { // We succeeded in opening a policy handle, and since we did not have a cached handle // before, we will now store it. lookupPolicyHandle = InterlockedCompareExchangePointer( &cachedLookupPolicyHandle, newLookupPolicyHandle, NULL ); if (!lookupPolicyHandle) { // Success. Use our handle. lookupPolicyHandle = newLookupPolicyHandle; } else { // Someone already placed a handle in the cache. Close our handle and use their // handle. LsaClose(newLookupPolicyHandle); } } } return lookupPolicyHandle; } /** * Gets the name of a privilege from its LUID. * * \param PrivilegeValue The LUID of a privilege. * \param PrivilegeName A variable which receives a pointer to a string containing the privilege * name. You must free the string using PhDereferenceObject() when you no longer need it. */ NTSTATUS PhLookupPrivilegeName( _In_ PLUID PrivilegeValue, _Out_ PPH_STRING *PrivilegeName ) { NTSTATUS status; PUNICODE_STRING name; status = LsaLookupPrivilegeName( PhGetLookupPolicyHandle(), PrivilegeValue, &name ); if (!NT_SUCCESS(status)) return status; *PrivilegeName = PhCreateStringFromUnicodeString(name); LsaFreeMemory(name); return status; } /** * Gets the display name of a privilege from its name. * * \param PrivilegeName The name of a privilege. * \param PrivilegeDisplayName A variable which receives a pointer to a string containing the * privilege's display name. You must free the string using PhDereferenceObject() when you no longer * need it. */ NTSTATUS PhLookupPrivilegeDisplayName( _In_ PPH_STRINGREF PrivilegeName, _Out_ PPH_STRING *PrivilegeDisplayName ) { NTSTATUS status; UNICODE_STRING privilegeName; PUNICODE_STRING displayName; SHORT language; if (!PhStringRefToUnicodeString(PrivilegeName, &privilegeName)) return STATUS_NAME_TOO_LONG; status = LsaLookupPrivilegeDisplayName( PhGetLookupPolicyHandle(), &privilegeName, &displayName, &language ); if (!NT_SUCCESS(status)) return status; *PrivilegeDisplayName = PhCreateStringFromUnicodeString(displayName); LsaFreeMemory(displayName); return status; } /** * Gets the LUID of a privilege from its name. * * \param PrivilegeName The name of a privilege. * \param PrivilegeValue A variable which receives the LUID of the privilege. */ NTSTATUS PhLookupPrivilegeValue( _In_ PPH_STRINGREF PrivilegeName, _Out_ PLUID PrivilegeValue ) { NTSTATUS status; UNICODE_STRING privilegeName; if (!PhStringRefToUnicodeString(PrivilegeName, &privilegeName)) return STATUS_NAME_TOO_LONG; status = LsaLookupPrivilegeValue( PhGetLookupPolicyHandle(), &privilegeName, PrivilegeValue ); return status; } /** * Gets information about a SID. * * \param Sid A SID to query. * \param Name A variable which receives a pointer to a string containing the SID's name. You must * free the string using PhDereferenceObject() when you no longer need it. * \param DomainName A variable which receives a pointer to a string containing the SID's domain * name. You must free the string using PhDereferenceObject() when you no longer need it. * \param NameUse A variable which receives the SID's usage. */ NTSTATUS PhLookupSid( _In_ PSID Sid, _Out_opt_ PPH_STRING *Name, _Out_opt_ PPH_STRING *DomainName, _Out_opt_ PSID_NAME_USE NameUse ) { NTSTATUS status; LSA_HANDLE policyHandle; PLSA_REFERENCED_DOMAIN_LIST referencedDomains; PLSA_TRANSLATED_NAME names; policyHandle = PhGetLookupPolicyHandle(); referencedDomains = NULL; names = NULL; if (NT_SUCCESS(status = LsaLookupSids( policyHandle, 1, &Sid, &referencedDomains, &names ))) { if (names[0].Use != SidTypeInvalid && names[0].Use != SidTypeUnknown) { if (Name) { *Name = PhCreateStringFromUnicodeString(&names[0].Name); } if (DomainName) { if (names[0].DomainIndex >= 0) { PLSA_TRUST_INFORMATION trustInfo; trustInfo = &referencedDomains->Domains[names[0].DomainIndex]; *DomainName = PhCreateStringFromUnicodeString(&trustInfo->Name); } else { *DomainName = PhReferenceEmptyString(); } } if (NameUse) { *NameUse = names[0].Use; } } else { status = STATUS_NONE_MAPPED; } } // LsaLookupSids allocates memory even if it returns STATUS_NONE_MAPPED. if (referencedDomains) LsaFreeMemory(referencedDomains); if (names) LsaFreeMemory(names); return status; } /** * Converts an array of SIDs to a human-readable form. * * \param Count The size of the array. * \param Sids An array of SIDs to query. * \param FullNames A variable which receives a pointer to an array of strings in the following format: * domain\\user. If not applicable to a particular SID, the function returns its SDDL representation. * You must free each item using PhDereferenceObject(), and then free the array by calling PhFree(). */ NTSTATUS PhLookupSids( _In_ ULONG Count, _In_ PSID *Sids, _Out_ PPH_STRING **FullNames ) { NTSTATUS status; PLSA_REFERENCED_DOMAIN_LIST referencedDomains = NULL; PLSA_TRANSLATED_NAME names = NULL; PPH_STRING *translatedNames; translatedNames = PhAllocateZero(sizeof(PPH_STRING) * Count); status = LsaLookupSids( PhGetLookupPolicyHandle(), Count, Sids, &referencedDomains, &names ); if (status == STATUS_NONE_MAPPED) { // Even without mapping names it converts most of them to SDDL representation status = STATUS_SOME_NOT_MAPPED; } if (NT_SUCCESS(status)) { PPH_STRING userName; PPH_STRING domainName; for (ULONG i = 0; i < Count; i++) { userName = NULL; domainName = NULL; // Reference user if present if (names[i].Name.Length > 0) { userName = PhCreateStringFromUnicodeString(&names[i].Name); } // Reference domain if present if (names[i].DomainIndex >= 0) { PLSA_TRUST_INFORMATION trustInfo; trustInfo = &referencedDomains->Domains[names[i].DomainIndex]; if (trustInfo->Name.Length > 0) { domainName = PhCreateStringFromUnicodeString(&trustInfo->Name); } } // Construct the name if (names[i].Use != SidTypeInvalid && names[i].Use != SidTypeUnknown) { if (domainName && userName) { translatedNames[i] = PhConcatStringRef3( &domainName->sr, &PhNtPathSeparatorString, &userName->sr ); } else if (domainName) { translatedNames[i] = PhReferenceObject(domainName); } else if (userName) { translatedNames[i] = PhReferenceObject(userName); } } else { if (userName && PhStartsWithString2(userName, L"S-1-", TRUE)) { translatedNames[i] = PhReferenceObject(userName); } } if (userName) { PhDereferenceObject(userName); } if (domainName) { PhDereferenceObject(domainName); } } LsaFreeMemory(referencedDomains); LsaFreeMemory(names); } for (ULONG i = 0; i < Count; i++) { // Make sure everything is converted at least to SDDL if (!translatedNames[i]) { translatedNames[i] = PhSidToStringSid(Sids[i]); } } *FullNames = translatedNames; return status; } /** * Gets information about a name. * * \param Name A name to query. * \param Sid A variable which receives a pointer to a SID. You must free the SID using PhFree() * when you no longer need it. * \param DomainName A variable which receives a pointer to a string containing the SID's domain * name. You must free the string using PhDereferenceObject() when you no longer need it. * \param NameUse A variable which receives the SID's usage. */ NTSTATUS PhLookupName( _In_ PPH_STRINGREF Name, _Out_opt_ PSID *Sid, _Out_opt_ PPH_STRING *DomainName, _Out_opt_ PSID_NAME_USE NameUse ) { NTSTATUS status; LSA_HANDLE policyHandle; UNICODE_STRING name; PLSA_REFERENCED_DOMAIN_LIST referencedDomains; PLSA_TRANSLATED_SID2 sids; if (!PhStringRefToUnicodeString(Name, &name)) return STATUS_NAME_TOO_LONG; policyHandle = PhGetLookupPolicyHandle(); referencedDomains = NULL; sids = NULL; if (NT_SUCCESS(status = LsaLookupNames2( policyHandle, 0, 1, &name, &referencedDomains, &sids ))) { if (sids[0].Use != SidTypeInvalid && sids[0].Use != SidTypeUnknown) { if (Sid) { *Sid = PhAllocateCopy(sids[0].Sid, PhLengthSid(sids[0].Sid)); } if (DomainName) { if (sids[0].DomainIndex >= 0) { PLSA_TRUST_INFORMATION trustInfo; trustInfo = &referencedDomains->Domains[sids[0].DomainIndex]; *DomainName = PhCreateStringFromUnicodeString(&trustInfo->Name); } else { *DomainName = PhReferenceEmptyString(); } } if (NameUse) { *NameUse = sids[0].Use; } } else { status = STATUS_NONE_MAPPED; } } // LsaLookupNames2 allocates memory even if it returns STATUS_NONE_MAPPED. if (referencedDomains) LsaFreeMemory(referencedDomains); if (sids) LsaFreeMemory(sids); return status; } /** * Gets the name of a SID. * * \param Sid A SID to query. * \param IncludeDomain TRUE to include the domain name, otherwise FALSE. * \param NameUse A variable which receives the SID's usage. * * \return A pointer to a string containing the name of the SID in the following format: * domain\\name. You must free the string using PhDereferenceObject() when you no longer need it. If * an error occurs, the function returns NULL. */ PPH_STRING PhGetSidFullName( _In_ PSID Sid, _In_ BOOLEAN IncludeDomain, _Out_opt_ PSID_NAME_USE NameUse ) { NTSTATUS status; PPH_STRING fullName; LSA_HANDLE policyHandle; PLSA_REFERENCED_DOMAIN_LIST referencedDomains; PLSA_TRANSLATED_NAME names; policyHandle = PhGetLookupPolicyHandle(); referencedDomains = NULL; names = NULL; if (NT_SUCCESS(status = LsaLookupSids( policyHandle, 1, &Sid, &referencedDomains, &names ))) { if (names[0].Use != SidTypeInvalid && names[0].Use != SidTypeUnknown) { PWSTR domainNameBuffer; ULONG domainNameLength; if (IncludeDomain && names[0].DomainIndex >= 0) { PLSA_TRUST_INFORMATION trustInfo; trustInfo = &referencedDomains->Domains[names[0].DomainIndex]; domainNameBuffer = trustInfo->Name.Buffer; domainNameLength = trustInfo->Name.Length; } else { domainNameBuffer = NULL; domainNameLength = 0; } if (domainNameBuffer && domainNameLength != 0) { fullName = PhCreateStringEx(NULL, domainNameLength + sizeof(UNICODE_NULL) + names[0].Name.Length); memcpy(&fullName->Buffer[0], domainNameBuffer, domainNameLength); fullName->Buffer[domainNameLength / sizeof(WCHAR)] = OBJ_NAME_PATH_SEPARATOR; memcpy(&fullName->Buffer[domainNameLength / sizeof(WCHAR) + 1], names[0].Name.Buffer, names[0].Name.Length); } else { fullName = PhCreateStringFromUnicodeString(&names[0].Name); } if (NameUse) { *NameUse = names[0].Use; } } else { fullName = NULL; if (NameUse) { *NameUse = SidTypeUnknown; } } } else { fullName = NULL; if (NameUse) { *NameUse = SidTypeUnknown; } } if (referencedDomains) LsaFreeMemory(referencedDomains); if (names) LsaFreeMemory(names); return fullName; } /** * Gets a SDDL string representation of a SID. * * \param Sid A SID to query. * * \return A pointer to a string containing the SDDL representation of the SID. You must free the * string using PhDereferenceObject() when you no longer need it. If an error occurs, the function * returns NULL. */ PPH_STRING PhSidToStringSid( _In_ PSID Sid ) { PPH_STRING string; UNICODE_STRING unicodeString; string = PhCreateStringEx(NULL, SECURITY_MAX_SID_STRING_CHARACTERS * sizeof(WCHAR)); if (!PhStringRefToUnicodeString(&string->sr, &unicodeString)) { PhDereferenceObject(string); return NULL; } if (NT_SUCCESS(RtlConvertSidToUnicodeString( &unicodeString, Sid, FALSE ))) { string->Length = unicodeString.Length; string->Buffer[unicodeString.Length / sizeof(WCHAR)] = UNICODE_NULL; return string; } else { PhDereferenceObject(string); return NULL; } } /** * Converts a SID to its SDDL string representation and writes it to a buffer. * * \param Sid A pointer to the SID to convert. * \param Buffer A pointer to a buffer that receives the SDDL string representation. * \param BufferLength The size of the buffer in bytes. * \param ReturnLength A variable which receives the actual length of the SDDL string in bytes. * \return NTSTATUS Successful or errant status. * \remarks The buffer must be large enough to hold the SDDL representation. Use * SECURITY_MAX_SID_STRING_CHARACTERS * sizeof(WCHAR) for a safe buffer size. */ NTSTATUS PhSidToBuffer( _In_ PSID Sid, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ USHORT BufferLength, _Out_opt_ PUSHORT ReturnLength ) { NTSTATUS status; UNICODE_STRING unicodeString; RtlInitEmptyUnicodeString(&unicodeString, Buffer, BufferLength); status = RtlConvertSidToUnicodeString( &unicodeString, Sid, FALSE ); if (NT_SUCCESS(status)) { if (ReturnLength) *ReturnLength = unicodeString.Length; } return status; } /** * Gets the name of the user associated with a token. * * \param TokenHandle A handle to a token. * \param IncludeDomain TRUE to include the domain name in the result, FALSE to return only the username. * \return A pointer to a string containing the user's name, or NULL on failure. You must free the * string using PhDereferenceObject() when you no longer need it. The format is domain\\username * when IncludeDomain is TRUE, or just username otherwise. */ PPH_STRING PhGetTokenUserString( _In_ HANDLE TokenHandle, _In_ BOOLEAN IncludeDomain ) { PPH_STRING tokenUserString = NULL; PH_TOKEN_USER tokenUser; if (NT_SUCCESS(PhGetTokenUser(TokenHandle, &tokenUser))) { tokenUserString = PhGetSidFullName(tokenUser.User.Sid, IncludeDomain, NULL); } return tokenUserString; } /** * Retrieves the privileges assigned to an account. * * \param AccountSid A pointer to the SID of the account. * \param Privileges A variable which receives a pointer to a TOKEN_PRIVILEGES structure * containing the account's privileges. You must free the structure using PhFree() when * you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetAccountPrivileges( _In_ PSID AccountSid, _Out_ PTOKEN_PRIVILEGES *Privileges ) { NTSTATUS status; LSA_HANDLE accountHandle; PPRIVILEGE_SET accountPrivileges; PTOKEN_PRIVILEGES privileges; status = LsaOpenAccount(PhGetLookupPolicyHandle(), AccountSid, ACCOUNT_VIEW, &accountHandle); if (!NT_SUCCESS(status)) return status; status = LsaEnumeratePrivilegesOfAccount(accountHandle, &accountPrivileges); LsaClose(accountHandle); if (!NT_SUCCESS(status)) return status; privileges = PhAllocate(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) + sizeof(LUID_AND_ATTRIBUTES) * accountPrivileges->PrivilegeCount); privileges->PrivilegeCount = accountPrivileges->PrivilegeCount; memcpy(privileges->Privileges, accountPrivileges->Privilege, sizeof(LUID_AND_ATTRIBUTES) * accountPrivileges->PrivilegeCount); LsaFreeMemory(accountPrivileges); *Privileges = privileges; return status; } /** * Enumerates all privileges defined on the local system. * * \param Callback A callback function invoked for each batch of privileges. The callback should * return STATUS_SUCCESS to continue enumeration or an error status to stop. * \param Context An optional user-defined context value passed to the callback function. * \return NTSTATUS Successful or errant status. * \remarks This function invokes the callback multiple times with batches of privileges until * all privileges are enumerated or the callback returns an error status. */ NTSTATUS PhEnumeratePrivileges( _In_ PPH_ENUM_PRIVILEGES Callback, _In_opt_ PVOID Context ) { NTSTATUS status; LSA_HANDLE policyHandle; LSA_ENUMERATION_HANDLE enumContext; PPOLICY_PRIVILEGE_DEFINITION buffer; ULONG count; status = PhOpenLsaPolicy(&policyHandle, POLICY_VIEW_LOCAL_INFORMATION, NULL); if (!NT_SUCCESS(status)) return status; enumContext = 0; while (TRUE) { status = LsaEnumeratePrivileges( policyHandle, &enumContext, &buffer, 0x100, &count ); if (!NT_SUCCESS(status)) break; status = Callback(buffer, count, Context); if (!NT_SUCCESS(status)) break; LsaFreeMemory(buffer); } if (status == STATUS_NO_MORE_ENTRIES) status = STATUS_SUCCESS; LsaClose(policyHandle); return status; } /** * Determines the account type of a SID. * * \param Sid A pointer to the SID to examine. * \param AccountType A variable which receives the account type (e.g., LocalUserAccountType, * PrimaryDomainUserAccountType, AADUserAccountType). * \return NTSTATUS Successful or errant status. * \remarks This function requires the LsaLookupUserAccountType function from sechost.dll, which * may not be available on older versions of Windows. */ NTSTATUS PhGetSidAccountType( _In_ PSID Sid, _Out_ PLSA_USER_ACCOUNT_TYPE AccountType ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static NTSTATUS (WINAPI* LsaLookupUserAccountType_I)( _In_ PSID Sid, _Out_ PLSA_USER_ACCOUNT_TYPE AccountType ); LSA_USER_ACCOUNT_TYPE accountType = UnknownUserAccountType; NTSTATUS status; if (PhBeginInitOnce(&initOnce)) { LsaLookupUserAccountType_I = PhGetDllProcedureAddressZ(L"sechost.dll", "LsaLookupUserAccountType", 0); PhEndInitOnce(&initOnce); } if (!LsaLookupUserAccountType_I) return STATUS_UNSUCCESSFUL; status = LsaLookupUserAccountType_I( Sid, &accountType ); if (NT_SUCCESS(status)) { *AccountType = accountType; } return status; } /** * Gets a descriptive string representation of the account type for a SID. * * \param Sid A pointer to the SID to examine. * \return A pointer to a constant string describing the account type, such as "Local", "ActiveDirectory", * "Microsoft", "AzureAD", or "Unknown". The returned string should not be freed. * \remarks If the account type cannot be determined via LsaLookupUserAccountType, this function * falls back to examining the SID authority to provide a descriptive string. */ PCWSTR PhGetSidAccountTypeString( _In_ PSID Sid ) { LSA_USER_ACCOUNT_TYPE accountType; if (NT_SUCCESS(PhGetSidAccountType(Sid, &accountType))) { switch (accountType) { case LocalUserAccountType: return L"Local"; case PrimaryDomainUserAccountType: case ExternalDomainUserAccountType: return L"ActiveDirectory"; case LocalConnectedUserAccountType: case MSAUserAccountType: return L"Microsoft"; case AADUserAccountType: return L"AzureAD"; case InternetUserAccountType: { SID_IDENTIFIER_AUTHORITY msaAuthority = { 0, 0, 0, 0, 0, 11 }; if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &msaAuthority)) { return L"Microsoft"; } return L"Internet"; } break; } } // If we don't get a result from LsaLookupUserAccountType then return the SID authority (or some other value?) (dmex) if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_NULL_SID_AUTHORITY)) // 0 { return L"NULL (Authority)"; } if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_WORLD_SID_AUTHORITY)) // 1 { return L"World (Authority)"; } if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_LOCAL_SID_AUTHORITY)) // 2 { return L"Local (Authority)"; } if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_NT_AUTHORITY)) // 5 { return L"NT (Authority)"; } if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_APP_PACKAGE_AUTHORITY)) // 15 { return L"APP_PACKAGE (Authority)"; } if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_MANDATORY_LABEL_AUTHORITY)) // 16 { return L"Mandatory label"; } return L"Unknown"; } typedef struct _PH_CAPABILITY_ENTRY { PPH_STRING Name; PSID CapabilityGroupSid; PSID CapabilitySid; } PH_CAPABILITY_ENTRY, *PPH_CAPABILITY_ENTRY; /** * Initializes a cache of capability SIDs by reading the system capabilities list. * * \param CapabilitySidArrayList A variable which receives an initialized array containing * capability SIDs and their associated names. The caller is responsible for freeing the * array and its contents when no longer needed. * \remarks This function reads the capability information from CapsList.txt in the application's * Resources directory and populates the array with capability SIDs and names for efficient lookup. * This function requires Windows 8 or later and the RtlDeriveCapabilitySidsFromName function. */ VOID PhInitializeCapabilitySidCache( _Inout_ PPH_ARRAY CapabilitySidArrayList ) { PPH_STRING capabilityListString = NULL; PPH_STRING capabilityListFileName; PH_STRINGREF namePart; PH_STRINGREF remainingPart; if (!RtlDeriveCapabilitySidsFromName_Import()) return; if (capabilityListFileName = PhGetApplicationDirectoryFileNameZ(L"Resources\\CapsList.txt", TRUE)) { PhFileReadAllText(&capabilityListString, &capabilityListFileName->sr, TRUE); PhDereferenceObject(capabilityListFileName); } if (!capabilityListString) return; PhInitializeArray(CapabilitySidArrayList, sizeof(PH_CAPABILITY_ENTRY), 800); remainingPart = PhGetStringRef(capabilityListString); while (remainingPart.Length != 0) { PhSplitStringRefAtChar(&remainingPart, L'\n', &namePart, &remainingPart); if (namePart.Length != 0) { BYTE capabilityGroupSidBuffer[SECURITY_MAX_SID_SIZE] = { 0 }; BYTE capabilitySidBuffer[SECURITY_MAX_SID_SIZE] = { 0 }; PSID capabilityGroupSid = (PSID)capabilityGroupSidBuffer; PSID capabilitySid = (PSID)capabilitySidBuffer; UNICODE_STRING capabilityName; if (PhEndsWithStringRef2(&namePart, L"\r", FALSE)) namePart.Length -= sizeof(WCHAR); if (!PhStringRefToUnicodeString(&namePart, &capabilityName)) continue; if (NT_SUCCESS(RtlDeriveCapabilitySidsFromName_Import()( &capabilityName, capabilityGroupSid, capabilitySid ))) { PH_CAPABILITY_ENTRY entry; entry.Name = PhCreateStringFromUnicodeString(&capabilityName); entry.CapabilityGroupSid = PhAllocateCopy(capabilityGroupSid, PhLengthSid(capabilityGroupSid)); entry.CapabilitySid = PhAllocateCopy(capabilitySid, PhLengthSid(capabilitySid)); PhAddItemArray(CapabilitySidArrayList, &entry); } } } PhDereferenceObject(capabilityListString); } /** * Gets the display name of a capability SID. * * \param CapabilitySid A pointer to a capability SID. * \return A pointer to a string containing the capability's display name, or NULL if the * capability cannot be found. You must free the string using PhDereferenceObject() when * you no longer need it. * \remarks This function returns the cached capability name, allowing efficient lookup of * capability SIDs. This function requires Windows 8 or later. */ PPH_STRING PhGetCapabilitySidName( _In_ PSID CapabilitySid ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PH_ARRAY capabilitySidArrayList; PPH_CAPABILITY_ENTRY entry; SIZE_T i; if (WindowsVersion < WINDOWS_8) return NULL; if (PhBeginInitOnce(&initOnce)) { PhInitializeCapabilitySidCache(&capabilitySidArrayList); PhEndInitOnce(&initOnce); } for (i = 0; i < capabilitySidArrayList.Count; i++) { entry = PhItemArray(&capabilitySidArrayList, i); if (PhEqualSid(entry->CapabilitySid, CapabilitySid)) { return PhReferenceObject(entry->Name); } if (PhEqualSid(entry->CapabilityGroupSid, CapabilitySid)) { return PhReferenceObject(entry->Name); } } return NULL; } typedef struct _PH_CAPABILITY_GUID_ENTRY { PPH_STRING Name; PPH_STRING CapabilityGuid; } PH_CAPABILITY_GUID_ENTRY, *PPH_CAPABILITY_GUID_ENTRY; typedef struct _PH_CAPABILITY_KEY_CALLBACK { PPH_STRING KeyName; PVOID Context; } PH_CAPABILITY_KEY_CALLBACK, *PPH_CAPABILITY_KEY_CALLBACK; _Function_class_(PH_ENUM_KEY_CALLBACK) BOOLEAN NTAPI PhpAccessManagerEnumerateKeyCallback( _In_ HANDLE RootDirectory, _In_ PKEY_BASIC_INFORMATION Information, _In_ PVOID Context ) { HANDLE keyHandle; PPH_STRING guidString; PH_STRINGREF keyName; keyName.Buffer = Information->Name; keyName.Length = Information->NameLength; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, RootDirectory, &keyName, 0 ))) { if (guidString = PhQueryRegistryStringZ(keyHandle, L"LegacyInterfaceClassGuid")) { PH_CAPABILITY_GUID_ENTRY entry; PhSetReference(&entry.Name, PhCreateString2(&keyName)); PhSetReference(&entry.CapabilityGuid, guidString); PhAddItemArray(Context, &entry); PhDereferenceObject(guidString); } NtClose(keyHandle); } return TRUE; } _Function_class_(PH_ENUM_KEY_CALLBACK) BOOLEAN NTAPI PhpDeviceAccessSubKeyEnumerateKeyCallback( _In_ HANDLE RootDirectory, _In_ PKEY_BASIC_INFORMATION Information, _In_ PVOID Context ) { PPH_CAPABILITY_KEY_CALLBACK context = Context; HANDLE keyHandle; PH_STRINGREF keyName; keyName.Buffer = Information->Name; keyName.Length = Information->NameLength; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, RootDirectory, &keyName, 0 ))) { PH_CAPABILITY_GUID_ENTRY entry; PhSetReference(&entry.Name, context->KeyName); PhSetReference(&entry.CapabilityGuid, PhCreateString2(&keyName)); PhAddItemArray(context->Context, &entry); NtClose(keyHandle); } return TRUE; } _Function_class_(PH_ENUM_KEY_CALLBACK) BOOLEAN NTAPI PhpDeviceAccessEnumerateKeyCallback( _In_ HANDLE RootDirectory, _In_ PKEY_BASIC_INFORMATION Information, _In_ PVOID Context ) { HANDLE keyHandle; PH_STRINGREF keyName; keyName.Buffer = Information->Name; keyName.Length = Information->NameLength; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, RootDirectory, &keyName, 0 ))) { PH_CAPABILITY_KEY_CALLBACK entry; entry.KeyName = PhCreateString2(&keyName); entry.Context = Context; PhEnumerateKey(keyHandle, KeyBasicInformation, PhpDeviceAccessSubKeyEnumerateKeyCallback, &entry); PhDereferenceObject(entry.KeyName); NtClose(keyHandle); } return TRUE; } /** * Initializes a cache of capability GUIDs by reading the system registry. * * \param CapabilityGuidArrayList A variable which receives an initialized array containing * capability GUIDs and their associated names. The caller is responsible for freeing the * array and its contents when no longer needed. * \remarks This function reads capability GUID information from the Windows registry under * HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities * and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\DeviceAccess\\CapabilityMappings * and populates the array for efficient lookup. This function requires Windows 8 or later. */ VOID PhInitializeCapabilityGuidCache( _Inout_ PPH_ARRAY CapabilityGuidArrayList ) { static CONST PH_STRINGREF accessManagerKeyPath = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities"); static CONST PH_STRINGREF deviceAccessKeyPath = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\DeviceAccess\\CapabilityMappings"); HANDLE keyHandle; PhInitializeArray(CapabilityGuidArrayList, sizeof(PH_CAPABILITY_GUID_ENTRY), 100); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &accessManagerKeyPath, 0 ))) { PhEnumerateKey(keyHandle, KeyBasicInformation, PhpAccessManagerEnumerateKeyCallback, CapabilityGuidArrayList); NtClose(keyHandle); } if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &deviceAccessKeyPath, 0 ))) { PhEnumerateKey(keyHandle, KeyBasicInformation, PhpDeviceAccessEnumerateKeyCallback, CapabilityGuidArrayList); NtClose(keyHandle); } } /** * Gets the display name associated with a capability GUID. * * \param GuidString A string containing a capability GUID. * \return A pointer to a string containing the capability's display name, or NULL if the * GUID cannot be found. You must free the string using PhDereferenceObject() when you no * longer need it. * \remarks This function returns the cached capability name associated with the given GUID, * allowing efficient lookup of capability GUIDs. This function requires Windows 8 or later. */ PPH_STRING PhGetCapabilityGuidName( _In_ PPH_STRING GuidString ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PH_ARRAY capabilityGuidArrayList; PPH_CAPABILITY_GUID_ENTRY entry; SIZE_T i; if (WindowsVersion < WINDOWS_8) return NULL; if (PhBeginInitOnce(&initOnce)) { PhInitializeCapabilityGuidCache(&capabilityGuidArrayList); PhEndInitOnce(&initOnce); } for (i = 0; i < capabilityGuidArrayList.Count; i++) { entry = PhItemArray(&capabilityGuidArrayList, i); if (PhEqualString(entry->CapabilityGuid, GuidString, TRUE)) { return PhReferenceObject(entry->Name); } } return NULL; } // rev from BuildTrusteeWithSidW (dmex) /** * Initializes a TRUSTEE structure with a SID. * * \param Trustee A variable which receives a pointer to an initialized TRUSTEE structure. * \param Sid An optional pointer to a SID. If NULL, the TRUSTEE is initialized with no SID. * \return TRUE if the operation succeeds, FALSE otherwise. * \remarks This function is a replacement for the BuildTrusteeWithSidW API and initializes * the TRUSTEE structure with the appropriate fields set for use with access control functions. */ BOOLEAN PhBuildTrusteeWithSid( _Out_ PVOID Trustee, _In_opt_ PSID Sid ) { memset((PTRUSTEE)Trustee, 0, sizeof(TRUSTEE)); ((PTRUSTEE)Trustee)->pMultipleTrustee = NULL; ((PTRUSTEE)Trustee)->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; ((PTRUSTEE)Trustee)->TrusteeForm = TRUSTEE_IS_SID; ((PTRUSTEE)Trustee)->TrusteeType = TRUSTEE_IS_UNKNOWN; ((PTRUSTEE)Trustee)->ptstrName = (LPWCH)Sid; return TRUE; } // rev from RtlMapGenericMask (dmex) /** * Maps generic access rights to specific access rights. * * \param AccessMask A pointer to an access mask containing generic rights (GENERIC_READ, * GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL) to be converted to specific rights. * \param GenericMapping A pointer to a GENERIC_MAPPING structure containing the mapping * information for the object type. * \remarks This function modifies the access mask in-place, replacing generic access rights * with their corresponding specific rights. This is a replacement for the RtlMapGenericMask * function and is useful when working with access control lists and security descriptors. */ VOID PhMapGenericMask( _Inout_ PACCESS_MASK AccessMask, _In_ PGENERIC_MAPPING GenericMapping ) { ACCESS_MASK accessMask = *AccessMask; if (BooleanFlagOn(accessMask, GENERIC_READ)) SetFlag(accessMask, GenericMapping->GenericRead); if (BooleanFlagOn(accessMask, GENERIC_WRITE)) SetFlag(accessMask, GenericMapping->GenericWrite); if (BooleanFlagOn(accessMask, GENERIC_EXECUTE)) SetFlag(accessMask, GenericMapping->GenericExecute); if (BooleanFlagOn(accessMask, GENERIC_ALL)) SetFlag(accessMask, GenericMapping->GenericAll); *AccessMask = ClearFlag(accessMask, GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL); } /** * Enumerates all local user accounts on the system. * * \param Callback A callback function invoked for each user account. The callback should * return STATUS_SUCCESS to continue enumeration or an error status to stop. * \param Context An optional user-defined context value passed to the callback function. * \return STATUS_UNSUCCESSFUL if enumeration could not be performed or if the callback * returned an error, otherwise STATUS_SUCCESS. * \remarks This function enumerates accounts via the LSA policy and filters results to * include only user-type accounts (SidTypeUser). The callback function is invoked with * the account name as a string reference and the user-provided context. */ NTSTATUS PhEnumerateAccounts( _In_ PPH_ENUM_ACCOUNT_CALLBACK Callback, _In_opt_ PVOID Context ) { //static PH_INITONCE initOnce = PH_INITONCE_INIT; //static ULONG (WINAPI* NetUserEnum_I)( // NET_API_STATUS // _In_ PCWSTR servername, // _In_ ULONG level, // _In_ ULONG filter, // _Out_ PVOID* bufptr, // _In_ ULONG prefmaxlen, // _Out_ PULONG entriesread, // _Out_ PULONG totalentries, // _Inout_ PULONG resume_handle // ); //static ULONG (WINAPI* NetApiBufferFree_I)( // _Frees_ptr_opt_ PVOID Buffer // ); //typedef struct _USER_INFO_0 //{ // LPWSTR usri0_name; //} USER_INFO_0, *PUSER_INFO_0; //#define FILTER_NORMAL_ACCOUNT (0x0002) //ULONG status; //PUSER_INFO_0 userinfoArray = NULL; //ULONG userinfoEntriesRead = 0; //ULONG userinfoTotalEntries = 0; // //if (PhBeginInitOnce(&initOnce)) //{ // PVOID baseAddress; // // if (baseAddress = PhLoadLibrary(L"netapi32.dll")) // { // NetUserEnum_I = PhGetDllBaseProcedureAddress(baseAddress, "NetUserEnum", 0); // NetApiBufferFree_I = PhGetDllBaseProcedureAddress(baseAddress, "NetApiBufferFree", 0); // } // // PhEndInitOnce(&initOnce); //} // //if (!(NetUserEnum_I && NetApiBufferFree_I)) // return STATUS_UNSUCCESSFUL; // //NetUserEnum_I( // NULL, // 0, // FILTER_NORMAL_ACCOUNT, // &userinfoArray, // ULONG_MAX, // &userinfoEntriesRead, // &userinfoTotalEntries, // NULL // ); // //if (userinfoArray) //{ // NetApiBufferFree_I(userinfoArray); // userinfoArray = NULL; //} // //status = NetUserEnum_I( // NULL, // 0, // FILTER_NORMAL_ACCOUNT, // &userinfoArray, // ULONG_MAX, // &userinfoEntriesRead, // &userinfoTotalEntries, // NULL // ); // //if (status == ERROR_SUCCESS) //{ // for (ULONG i = 0; i < userinfoEntriesRead; i++) // { // PUSER_INFO_0 entry = PTR_ADD_OFFSET(userinfoArray, sizeof(USER_INFO_0) * i); // // if (entry->usri0_name) // { // PH_STRINGREF string; // // PhInitializeStringRefLongHint(&string, entry->usri0_name); // // if (!NT_SUCCESS(Callback(&string, Context))) // { // break; // } // } // } //} // //if (userinfoArray) // NetApiBufferFree_I(userinfoArray); LSA_HANDLE policyHandle; LSA_ENUMERATION_HANDLE enumerationContext = 0; PLSA_ENUMERATION_INFORMATION buffer; ULONG count; ULONG i; PPH_STRING name; SID_NAME_USE nameUse; if (NT_SUCCESS(PhOpenLsaPolicy(&policyHandle, POLICY_VIEW_LOCAL_INFORMATION, NULL))) { while (NT_SUCCESS(LsaEnumerateAccounts( policyHandle, &enumerationContext, &buffer, 0x100, &count ))) { for (i = 0; i < count; i++) { name = PhGetSidFullName(buffer[i].Sid, TRUE, &nameUse); if (name) { if (nameUse == SidTypeUser) { if (!NT_SUCCESS(Callback(&name->sr, Context))) { break; } } PhDereferenceObject(name); } } LsaFreeMemory(buffer); } LsaClose(policyHandle); } return STATUS_UNSUCCESSFUL; } /** * Creates a service SID from a service name and writes it to a buffer. * * \param ServiceName The name of the service for which to create a SID. * \param ServiceSid A pointer to a buffer that receives the service SID. If NULL, the function * returns the required buffer size in ServiceSidLength. * \param ServiceSidLength On input, contains the size of the ServiceSid buffer in bytes. * On output, receives the actual size of the SID in bytes. * \return STATUS_SUCCESS on success, or an error status indicating failure. * \remarks If ServiceSid is NULL, the function returns STATUS_BUFFER_TOO_SMALL with the * required buffer size. Service SIDs are created using RtlCreateServiceSid. */ NTSTATUS PhCreateServiceSidToBuffer( _In_ PPH_STRINGREF ServiceName, _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid, _Inout_ PULONG ServiceSidLength ) { UNICODE_STRING serviceName; NTSTATUS status; if (!PhStringRefToUnicodeString(ServiceName, &serviceName)) return STATUS_NAME_TOO_LONG; status = RtlCreateServiceSid( &serviceName, ServiceSid, ServiceSidLength ); return status; } /** * Converts a service name to its SDDL string representation of the service SID. * * \param ServiceName The name of the service for which to create a SID. * \return A pointer to a string containing the SDDL representation of the service SID, or NULL * on failure. You must free the string using PhDereferenceObject() when you no longer need it. * \remarks This function creates a service SID and then converts it to its SDDL representation * for display or storage purposes. */ PPH_STRING PhCreateServiceSidToStringSid( _In_ PPH_STRINGREF ServiceName ) { BYTE serviceSidBuffer[SECURITY_MAX_SID_SIZE] = { 0 }; ULONG serviceSidLength = sizeof(serviceSidBuffer); PSID serviceSid = (PSID)serviceSidBuffer; if (NT_SUCCESS(PhCreateServiceSidToBuffer(ServiceName, serviceSid, &serviceSidLength))) { return PhSidToStringSid(serviceSid); } return NULL; } /** * Extracts the Azure AD object GUID from an Azure AD directory SID. * * \param ActiveDirectorySid A pointer to a SID from Azure AD (cloud-based directory authority). * \return A pointer to a string containing the GUID of the Azure AD object, or NULL if the * SID is not an Azure AD SID or the GUID cannot be extracted. The returned string does not * include the surrounding braces. You must free the string using PhDereferenceObject() when * you no longer need it. * \remarks This function is specifically designed to work with Azure AD (cloud) SIDs and * extracts the object identifier from sub-authorities. The SID must have the Azure AD * authority identifier and follow the specific sub-authority format used by Azure AD. */ PPH_STRING PhGetAzureDirectoryObjectSid( _In_ PSID ActiveDirectorySid ) { if (PhEqualIdentifierAuthoritySid( PhIdentifierAuthoritySid(ActiveDirectorySid), PhIdentifierAuthoritySid(PhSeCloudActiveDirectorySid()) )) { ULONG subAuthority = *PhSubAuthoritySid(ActiveDirectorySid, 0); if (subAuthority == 1) { PPH_STRING string; union { GUID Guid; struct { ULONG Data1; ULONG Data2; ULONG Data3; ULONG Data4; }; } objectGuid; objectGuid.Data1 = *PhSubAuthoritySid(ActiveDirectorySid, 1); objectGuid.Data2 = *PhSubAuthoritySid(ActiveDirectorySid, 2); objectGuid.Data3 = *PhSubAuthoritySid(ActiveDirectorySid, 3); objectGuid.Data4 = *PhSubAuthoritySid(ActiveDirectorySid, 4); if (string = PhFormatGuid(&objectGuid.Guid)) { PhMoveReference(&string, PhSubstring(string, 1, string->Length / sizeof(WCHAR) - 2)); // Strip {} return string; } } } return NULL; } /** * Returns the user and the domain of the security principal that is invoking the method. * \param UserName A variable which receives a pointer to a string containing the username. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhLsaGetUserName( _Out_ PPH_STRING* UserName ) { NTSTATUS status; PPH_STRING fullName = NULL; PLSA_UNICODE_STRING userName = NULL; PLSA_UNICODE_STRING domainName = NULL; status = LsaGetUserName( &userName, &domainName ); if (NT_SUCCESS(status)) { if (domainName && domainName->Length != 0) { fullName = PhCreateStringEx(NULL, domainName->MaximumLength + userName->MaximumLength); memcpy(&fullName->Buffer[0], domainName->Buffer, domainName->Length); fullName->Buffer[domainName->Length / sizeof(WCHAR)] = OBJ_NAME_PATH_SEPARATOR; memcpy(&fullName->Buffer[domainName->Length / sizeof(WCHAR) + 1], userName->Buffer, userName->Length); } else { fullName = PhCreateStringFromUnicodeString(userName); } LsaFreeMemory(userName); if (domainName) LsaFreeMemory(domainName); } if (UserName) *UserName = fullName; return status; } /** * Determines whether the local machine is joined to a domain. * * \return TRUE if the machine is domain-joined, FALSE otherwise. */ BOOLEAN PhIsDomainJoined( VOID ) { NTSTATUS status; PPOLICY_DNS_DOMAIN_INFO domainInfo = NULL; BOOLEAN joined = FALSE; status = LsaQueryInformationPolicy( PhGetLookupPolicyHandle(), PolicyDnsDomainInformation, &domainInfo ); if (NT_SUCCESS(status) && domainInfo) { joined = (domainInfo->DnsDomainName.Length != 0) || (domainInfo->Sid != NULL); LsaFreeMemory(domainInfo); } return joined; } /** * Determines whether a SID is a service SID. * * \param Sid A pointer to the SID to check. * \return TRUE if the SID is a service SID (NT AUTHORITY with SECURITY_SERVICE_ID_BASE_RID), FALSE otherwise. */ BOOLEAN PhIsServiceSid( _In_ PSID Sid ) { if (!Sid || !RtlValidSid(Sid)) return FALSE; if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(Sid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_NT_AUTHORITY)) { ULONG subAuthority = *PhSubAuthoritySid(Sid, 0); if (subAuthority == SECURITY_SERVICE_ID_BASE_RID) { return TRUE; } } return FALSE; } /** * Gets a descriptive name for a SID authority. * * \param Sid The SID to examine. * \return A string describing the authority, or NULL if unknown. You must free the string using PhDereferenceObject(). */ PPH_STRING PhGetSidAuthorityName( _In_ PSID Sid ) { PSID_IDENTIFIER_AUTHORITY authority; UCHAR authorityValue; if (!Sid || !RtlValidSid(Sid)) return NULL; authority = PhIdentifierAuthoritySid(Sid); // Get the last byte of the authority (most significant for standard authorities) authorityValue = authority->Value[5]; switch (authorityValue) { case 0: // SECURITY_NULL_SID_AUTHORITY return PhCreateString(L"NULL Authority"); case 1: // SECURITY_WORLD_SID_AUTHORITY return PhCreateString(L"World Authority"); case 2: // SECURITY_LOCAL_SID_AUTHORITY return PhCreateString(L"Local Authority"); case 3: // SECURITY_CREATOR_SID_AUTHORITY return PhCreateString(L"Creator Authority"); case 5: // SECURITY_NT_AUTHORITY return PhCreateString(L"NT Authority"); case 9: // SECURITY_RESOURCE_MANAGER_AUTHORITY return PhCreateString(L"Resource Manager Authority"); case 12: // Azure Active Directory return PhCreateString(L"Azure Active Directory"); case 15: // SECURITY_APP_PACKAGE_AUTHORITY return PhCreateString(L"App Package Authority"); case 16: // SECURITY_MANDATORY_LABEL_AUTHORITY return PhCreateString(L"Mandatory Label Authority"); case 18: // SECURITY_AUTHENTICATION_AUTHORITY return PhCreateString(L"Authentication Authority"); case 19: // SECURITY_PROCESS_TRUST_AUTHORITY return PhCreateString(L"Process Trust Authority"); default: return PhFormatString(L"Authority %u", authorityValue); } } ================================================ FILE: phlib/mapexlf.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2017 * */ #include #include NTSTATUS PhInitializeMappedWslImage( _Out_ PPH_MAPPED_IMAGE MappedWslImage, _In_ PVOID ViewBase, _In_ SIZE_T Size ) { MappedWslImage->ViewBase = ViewBase; MappedWslImage->ViewSize = Size; MappedWslImage->Header = (PELF_IMAGE_HEADER)ViewBase; __try { PhProbeAddress( MappedWslImage->Header, sizeof(ELF_IMAGE_HEADER), MappedWslImage->ViewBase, MappedWslImage->ViewSize, 1 ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // Check the magic number. if (!RtlEqualMemory(MappedWslImage->Header->e_ident, ELFMAG, sizeof(ELFMAG))) return STATUS_FAIL_CHECK; // Check the class type. if (MappedWslImage->Header->e_ident[EI_CLASS] == ELFCLASS64) { MappedWslImage->Headers64 = PTR_ADD_OFFSET(MappedWslImage->Header, sizeof(ELF_IMAGE_HEADER)); __try { PhProbeAddress( MappedWslImage->Headers64, sizeof(ELF64_IMAGE_SECTION_HEADER), MappedWslImage->ViewBase, MappedWslImage->ViewSize, 1 ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } else { // TODO: Add 32bit ELF support. return STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT; } //if (MappedWslImage->Headers64->e_phentsize != sizeof(ELF64_IMAGE_SEGMENT_HEADER)) // return STATUS_FAIL_CHECK; if (MappedWslImage->Headers64->e_shentsize != sizeof(ELF64_IMAGE_SECTION_HEADER)) return STATUS_FAIL_CHECK; return STATUS_SUCCESS; } PELF64_IMAGE_SEGMENT_HEADER PhGetMappedWslImageSegment( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_ USHORT Index ) { return IMAGE_ELF64_SEGMENT_BY_INDEX(IMAGE_FIRST_ELF64_SEGMENT(MappedWslImage), Index); } PELF64_IMAGE_SEGMENT_HEADER PhGetWslImageSegmentByType( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_opt_ USHORT Type ) { PELF64_IMAGE_SEGMENT_HEADER segmentHeader; USHORT i; segmentHeader = IMAGE_FIRST_ELF64_SEGMENT(MappedWslImage); for (i = 0; i < MappedWslImage->Headers64->e_phnum; i++) { if (segmentHeader[i].p_type == Type) return segmentHeader; } return NULL; } PVOID PhGetMappedWslImageSectionData( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_opt_ PCSTR Name, _In_opt_ USHORT Index ) { if (Name) { PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER stringSection; PELF64_IMAGE_SECTION_HEADER section; PVOID stringTable; USHORT i; sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); stringSection = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, MappedWslImage->Headers64->e_shstrndx); stringTable = PTR_ADD_OFFSET(MappedWslImage->Header, stringSection->sh_offset); for (i = 0; i < MappedWslImage->Headers64->e_shnum; i++) { section = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, i); if (PhEqualBytesZ(Name, PTR_ADD_OFFSET(stringTable, section->sh_name), FALSE)) { return PTR_ADD_OFFSET(MappedWslImage->Header, section->sh_offset); } } return NULL; } else { PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER section; sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); section = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, Index); return PTR_ADD_OFFSET(MappedWslImage->Header, section->sh_offset); } } PVOID PhGetMappedWslImageSectionDataByType( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_ UINT32 Type ) { PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER section; USHORT i; sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); for (i = 0; i < MappedWslImage->Headers64->e_shnum; i++) { section = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, i); if (section->sh_type == Type) { return PTR_ADD_OFFSET(MappedWslImage->Header, section->sh_offset); } } return NULL; } PELF64_IMAGE_SECTION_HEADER PhGetMappedWslImageSectionByIndex( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_ USHORT Index ) { return IMAGE_ELF64_SECTION_BY_INDEX(IMAGE_FIRST_ELF64_SECTION(MappedWslImage), Index); } PELF64_IMAGE_SECTION_HEADER PhGetMappedWslImageSectionByType( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_ UINT32 Type ) { PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER section; USHORT i; sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); for (i = 0; i < MappedWslImage->Headers64->e_shnum; i++) { section = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, i); if (section->sh_type == Type) return section; } return NULL; } PELF64_IMAGE_SECTION_HEADER PhGetMappedWslImageSectionByName( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_ PCSTR Name ) { if (Name) { PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER stringSection; PELF64_IMAGE_SECTION_HEADER section; PVOID stringTable; USHORT i; sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); stringSection = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, MappedWslImage->Headers64->e_shstrndx); stringTable = PTR_ADD_OFFSET(MappedWslImage->Header, stringSection->sh_offset); for (i = 0; i < MappedWslImage->Headers64->e_shnum; i++) { section = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, i); if (PhEqualBytesZ(Name, PTR_ADD_OFFSET(stringTable, section->sh_name), FALSE)) { return section; } } } return NULL; } ULONG64 PhGetMappedWslImageBaseAddress( _In_ PPH_MAPPED_IMAGE MappedWslImage ) { ULONG64 baseAddress = MAXULONG64; PELF64_IMAGE_SEGMENT_HEADER segment; ULONG loadBias = 0; USHORT i; segment = IMAGE_FIRST_ELF64_SEGMENT(MappedWslImage); for (i = 0; i < MappedWslImage->Headers64->e_phnum; i++) { if (segment[i].p_type == PT_LOAD) { loadBias = (ULONG)ALIGN_DOWN_BY(segment[i].p_vaddr, PAGE_SIZE); break; } } for (i = 0; i < MappedWslImage->Headers64->e_phnum; i++) { if (segment[i].p_type == PT_LOAD) { if (segment[i].p_paddr < baseAddress) baseAddress = segment[i].p_paddr; } } if (baseAddress == MAXULONG64) baseAddress = 0; return baseAddress; } BOOLEAN PhGetMappedWslImageSections( _In_ PPH_MAPPED_IMAGE MappedWslImage, _Out_ USHORT *NumberOfSections, _Out_ PPH_ELF_IMAGE_SECTION *ImageSections ) { USHORT count; USHORT i; PPH_ELF_IMAGE_SECTION sections; PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER stringSection; PVOID stringTableAddress; count = MappedWslImage->Headers64->e_shnum; sections = PhAllocate(sizeof(PH_ELF_IMAGE_SECTION) * count); memset(sections, 0, sizeof(PH_ELF_IMAGE_SECTION) * count); // Get the first section. sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); // Get the string section. stringSection = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, MappedWslImage->Headers64->e_shstrndx); // Get the string table (The string table is an array of null terminated strings). stringTableAddress = PTR_ADD_OFFSET(MappedWslImage->Header, stringSection->sh_offset); // Enumerate the sections. for (i = 0; i < count; i++) { sections[i].Type = sectionHeader[i].sh_type; sections[i].Flags = sectionHeader[i].sh_flags; sections[i].Address = sectionHeader[i].sh_addr; sections[i].Offset = sectionHeader[i].sh_offset; sections[i].Size = sectionHeader[i].sh_size; if (sectionHeader[i].sh_name) { // Get the section name from the ELF string table and convert to unicode. PhCopyStringZFromUtf8( PTR_ADD_OFFSET(stringTableAddress, sectionHeader[i].sh_name), SIZE_MAX, sections[i].Name, sizeof(sections[i].Name), NULL ); } } *NumberOfSections = count; *ImageSections = sections; return TRUE; } typedef struct _PH_ELF_VERSION_RECORD { USHORT Version; PCSTR Name; PCSTR FileName; } PH_ELF_VERSION_RECORD, *PPH_ELF_VERSION_RECORD; static PPH_LIST PhpParseMappedWslImageVersionRecords( _In_ PPH_MAPPED_IMAGE MappedWslImage, _In_ PVOID SymbolStringTable ) { PPH_LIST recordsList; PELF_VERSION_NEED version; if (!(version = PhGetMappedWslImageSectionDataByType(MappedWslImage, SHT_SUNW_verneed))) return NULL; recordsList = PhCreateList(10); while (TRUE) { PELF_VERSION_AUX versionAux = PTR_ADD_OFFSET(version, version->vn_aux); while (TRUE) { PPH_ELF_VERSION_RECORD versionInfo; versionInfo = PhAllocateZero(sizeof(PH_ELF_VERSION_RECORD)); versionInfo->Version = versionAux->vna_other; versionInfo->Name = PTR_ADD_OFFSET(SymbolStringTable, versionAux->vna_name); versionInfo->FileName = PTR_ADD_OFFSET(SymbolStringTable, version->vn_file); PhAddItemList(recordsList, versionInfo); if (versionAux->vna_next == 0) break; versionAux = PTR_ADD_OFFSET(versionAux, versionAux->vna_next); } if (version->vn_next == 0) break; version = PTR_ADD_OFFSET(version, version->vn_next); } return recordsList; } static VOID PhpFreeMappedWslImageVersionRecords( _In_ PPH_LIST RecordsList ) { for (ULONG i = 0; i < RecordsList->Count; i++) PhFree(RecordsList->Items[i]); PhDereferenceObject(RecordsList); } static PCSTR PhpFindWslImageVersionRecordName( _In_ PPH_LIST VersionRecordList, _In_ USHORT VersionIndex ) { // Note: 'ldconfig -v' and 'ldconfig -p' can be used to locate the path from the FileName. for (ULONG i = 0; i < VersionRecordList->Count; i++) { PPH_ELF_VERSION_RECORD versionInfo = VersionRecordList->Items[i]; if (versionInfo->Version == VersionIndex) return versionInfo->FileName; } return NULL; } BOOLEAN PhGetMappedWslImageSymbols( _In_ PPH_MAPPED_IMAGE MappedWslImage, _Out_ PPH_LIST *ImageSymbols ) { PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER section; PPH_LIST sectionSymbols; USHORT i; sectionSymbols = PhCreateList(0x800); sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); for (i = 0; i < MappedWslImage->Headers64->e_shnum; i++) { ULONGLONG count; ULONGLONG ii; PELF_IMAGE_SYMBOL_ENTRY entry; PVOID stringTable; PELF_VERSION_TABLE versionTable; PPH_LIST versionRecords; section = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, i); // NOTE: The below code needs some improvements for SHT_SYMTAB -dmex if (section->sh_type != SHT_SYMTAB && section->sh_type != SHT_DYNSYM) continue; if (section->sh_entsize != sizeof(ELF_IMAGE_SYMBOL_ENTRY)) return FALSE; count = section->sh_size / sizeof(ELF_IMAGE_SYMBOL_ENTRY); entry = PTR_ADD_OFFSET(MappedWslImage->Header, section->sh_offset); stringTable = PhGetMappedWslImageSectionData(MappedWslImage, NULL, section->sh_link); // NOTE: SHT_DYNSYM entries include the version in the symbol name (e.g. printf@GLIBC_2.2.5) // instead of using a version record entry from the SHT_SUNW_versym section -dmex versionTable = PhGetMappedWslImageSectionDataByType(MappedWslImage, SHT_SUNW_versym); versionRecords = PhpParseMappedWslImageVersionRecords(MappedWslImage, stringTable); for (ii = 1; ii < count; ii++) { if (entry[ii].st_shndx == SHN_UNDEF) { PPH_ELF_IMAGE_SYMBOL_ENTRY import; import = PhAllocateZero(sizeof(PH_ELF_IMAGE_SYMBOL_ENTRY)); import->ImportSymbol = TRUE; import->Address = entry[ii].st_value; import->Size = entry[ii].st_size; import->TypeInfo = entry[ii].st_info; import->OtherInfo = entry[ii].st_other; import->SectionIndex = entry[ii].st_shndx; // function name PhCopyStringZFromBytes( PTR_ADD_OFFSET(stringTable, entry[ii].st_name), SIZE_MAX, import->Name, sizeof(import->Name), NULL ); // import library name if (versionTable && versionRecords) { PCSTR moduleName; if (moduleName = PhpFindWslImageVersionRecordName(versionRecords, versionTable[ii].vs_vers)) { PhCopyStringZFromUtf8( moduleName, SIZE_MAX, import->Module, sizeof(import->Module), NULL ); } } PhAddItemList(sectionSymbols, import); } else if (entry[ii].st_shndx != SHN_UNDEF && entry[ii].st_value != 0) { PPH_ELF_IMAGE_SYMBOL_ENTRY export; if (ELF_ST_TYPE(entry[ii].st_info) == STT_SECTION) // Ignore section symbol types. continue; export = PhAllocateZero(sizeof(PH_ELF_IMAGE_SYMBOL_ENTRY)); export->ExportSymbol = TRUE; export->Address = entry[ii].st_value; export->Size = entry[ii].st_size; export->TypeInfo = entry[ii].st_info; export->OtherInfo = entry[ii].st_other; export->SectionIndex = entry[ii].st_shndx; // function name PhCopyStringZFromUtf8( PTR_ADD_OFFSET(stringTable, entry[ii].st_name), SIZE_MAX, export->Name, sizeof(export->Name), NULL ); PhAddItemList(sectionSymbols, export); } else { PPH_ELF_IMAGE_SYMBOL_ENTRY export; export = PhAllocateZero(sizeof(PH_ELF_IMAGE_SYMBOL_ENTRY)); export->UnknownSymbol = TRUE; export->Address = entry[ii].st_value; export->Size = entry[ii].st_size; export->TypeInfo = entry[ii].st_info; export->OtherInfo = entry[ii].st_other; export->SectionIndex = entry[ii].st_shndx; // function name PhCopyStringZFromUtf8( PTR_ADD_OFFSET(stringTable, entry[ii].st_name), SIZE_MAX, export->Name, sizeof(export->Name), NULL ); PhAddItemList(sectionSymbols, export); } } if (versionRecords) PhpFreeMappedWslImageVersionRecords(versionRecords); } *ImageSymbols = sectionSymbols; return TRUE; } VOID PhFreeMappedWslImageSymbols( _In_ PPH_LIST ImageSymbols ) { for (ULONG i = 0; i < ImageSymbols->Count; i++) PhFree(ImageSymbols->Items[i]); PhDereferenceObject(ImageSymbols); } BOOLEAN PhGetMappedWslImageDynamic( _In_ PPH_MAPPED_IMAGE MappedWslImage, _Out_ PPH_LIST *ImageDynamic ) { PELF64_IMAGE_SECTION_HEADER sectionHeader; PELF64_IMAGE_SECTION_HEADER section; PPH_LIST dynamicSymbols; USHORT i; dynamicSymbols = PhCreateList(0x40); sectionHeader = IMAGE_FIRST_ELF64_SECTION(MappedWslImage); for (i = 0; i < MappedWslImage->Headers64->e_shnum; i++) { ULONGLONG count; ULONGLONG ii; PELF64_IMAGE_DYNAMIC_ENTRY entry; PVOID stringTable; section = IMAGE_ELF64_SECTION_BY_INDEX(sectionHeader, i); if (section->sh_type != SHT_DYNAMIC) continue; if (section->sh_entsize != sizeof(ELF64_IMAGE_DYNAMIC_ENTRY)) return FALSE; count = section->sh_size / sizeof(ELF64_IMAGE_DYNAMIC_ENTRY); entry = PTR_ADD_OFFSET(MappedWslImage->Header, section->sh_offset); stringTable = PhGetMappedWslImageSectionData(MappedWslImage, NULL, section->sh_link); for (ii = 0; ii < count; ii++) { PPH_ELF_IMAGE_DYNAMIC_ENTRY dynamic; dynamic = PhAllocateZero(sizeof(PH_ELF_IMAGE_DYNAMIC_ENTRY)); dynamic->Tag = entry[ii].d_tag; switch (dynamic->Tag) { case DT_NEEDED: case DT_SONAME: case DT_RPATH: case DT_RUNPATH: dynamic->Value = PhConvertUtf8ToUtf16(PTR_ADD_OFFSET(stringTable, entry[ii].d_val)); break; case DT_PLTRELSZ: case DT_RELASZ: case DT_RELAENT: case DT_STRSZ: case DT_SYMENT: case DT_RELSZ: case DT_RELENT: case DT_INIT_ARRAYSZ: case DT_FINI_ARRAYSZ: case DT_PREINIT_ARRAYSZ: dynamic->Value = PhFormatSize(entry[ii].d_val, ULONG_MAX); break; case DT_RELACOUNT: case DT_RELCOUNT: case DT_VERDEFNUM: case DT_VERNEEDNUM: dynamic->Value = PhFormatUInt64(entry[ii].d_val, TRUE); break; default: dynamic->Value = PhFormatString(L"0x%llx", entry[ii].d_val); break; } PhAddItemList(dynamicSymbols, dynamic); if (entry[ii].d_tag == DT_NULL) break; } } *ImageDynamic = dynamicSymbols; return TRUE; } VOID PhFreeMappedWslImageDynamic( _In_ PPH_LIST ImageDynamic ) { for (ULONG i = 0; i < ImageDynamic->Count; i++) { PPH_ELF_IMAGE_DYNAMIC_ENTRY dynamic = ImageDynamic->Items[i]; PhDereferenceObject(dynamic->Value); PhFree(dynamic); } PhDereferenceObject(ImageDynamic); } ================================================ FILE: phlib/mapimg.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2017-2023 * jxy-s 2023 * */ #include #include /** * Initializes a mapped PE image structure from a memory view. * * \param MappedImage A pointer to a structure that receives the mapped image information. * \param ViewBase The base address of the mapped view containing the PE image. * \param ViewSize The size of the mapped view in bytes. * \return NTSTATUS Successful or errant status. * \remarks This function validates the DOS and NT headers, verifies signatures, and initializes * the MappedImage structure with pointers to key PE structures. All memory accesses are * protected with structured exception handling. */ NTSTATUS PhInitializeMappedImage( _Out_ PPH_MAPPED_IMAGE MappedImage, _In_ PVOID ViewBase, _In_ SIZE_T ViewSize ) { PIMAGE_DOS_HEADER dosHeader; PIMAGE_NT_HEADERS ntHeaders; ULONG_PTR dosHeaderOffset; ULONG_PTR ntHeadersOffset; memset(MappedImage, 0, sizeof(PH_MAPPED_IMAGE)); MappedImage->ViewBase = ViewBase; MappedImage->ViewSize = ViewSize; if (ViewSize < sizeof(IMAGE_DOS_HEADER)) return STATUS_INVALID_VIEW_SIZE; // Get a pointer to the base address and probe it. dosHeaderOffset = (ULONG_PTR)ViewBase; if (dosHeaderOffset == 0 || dosHeaderOffset == SIZE_MAX) return STATUS_INVALID_PARAMETER; // Get a pointer to the dos headers and probe it. dosHeader = (PIMAGE_DOS_HEADER)dosHeaderOffset; __try { PhMappedImageProbe(MappedImage, dosHeader, sizeof(IMAGE_DOS_HEADER)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } MappedImage->Signature = dosHeader->e_magic; // Check the initial MZ. if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) return STATUS_INVALID_IMAGE_NOT_MZ; // Get a pointer to the nt headers and probe it. ntHeadersOffset = (ULONG_PTR)dosHeader->e_lfanew; if (ntHeadersOffset >= ViewSize || ntHeadersOffset >= RTL_IMAGE_MAX_DOS_HEADER) return STATUS_INVALID_IMAGE_FORMAT; // Get a pointer to the optional headers and probe it. ntHeaders = (PIMAGE_NT_HEADERS)PTR_ADD_OFFSET(dosHeader, ntHeadersOffset); __try { PhMappedImageProbe( MappedImage, ntHeaders, UFIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) ); PhMappedImageProbe( MappedImage, ntHeaders, UFIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + ntHeaders->FileHeader.SizeOfOptionalHeader + ntHeaders->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // Check the signature and verify the magic. if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) return STATUS_INVALID_IMAGE_FORMAT; if ( ntHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && ntHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC ) return STATUS_INVALID_IMAGE_FORMAT; // Get a pointer to the first section. MappedImage->NtHeaders = ntHeaders; MappedImage->Magic = ntHeaders->OptionalHeader.Magic; MappedImage->NumberOfSections = ntHeaders->FileHeader.NumberOfSections; MappedImage->Sections = IMAGE_FIRST_SECTION(ntHeaders); return STATUS_SUCCESS; } /** * Loads a PE image file into memory and initializes a mapped image structure. * * \param FileName The path to the PE image file. Specify NULL to use FileHandle. * \param FileHandle A handle to an open file. Specify NULL to use FileName. * \param MappedImage A pointer to a structure that receives the mapped image information. * \return NTSTATUS Successful or errant status. * \remarks The entire file is mapped into memory using a section object. The caller must * call PhUnloadMappedImage() to release resources when finished. */ NTSTATUS PhLoadMappedImage( _In_opt_ PCWSTR FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PVOID viewBase; SIZE_T viewSize; status = PhMapViewOfEntireFile( FileName, FileHandle, &viewBase, &viewSize ); if (NT_SUCCESS(status)) { status = PhInitializeMappedImage( MappedImage, viewBase, viewSize ); if (!NT_SUCCESS(status)) { PhUnloadMappedImage(MappedImage); } } return status; } /** * Loads an image file into memory and initializes a mapped image structure, with support for * multiple image formats (PE and ELF). * * \param FileName The path to the image file as a string reference. Specify NULL to use FileHandle. * \param FileHandle A handle to an open file. Specify NULL to use FileName. * \param MappedImage A pointer to a structure that receives the mapped image information. * \return NTSTATUS Successful or errant status. * \retval STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT The image format is not recognized. * \remarks This function detects the image type based on the signature and initializes it * appropriately. Supported formats include PE (IMAGE_DOS_SIGNATURE) and ELF (IMAGE_ELF_SIGNATURE). */ NTSTATUS PhLoadMappedImageEx( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PVOID viewBase; SIZE_T viewSize; status = PhMapViewOfEntireFileEx( FileName, FileHandle, &viewBase, &viewSize ); if (NT_SUCCESS(status)) { MappedImage->Signature = *(PUSHORT)viewBase; MappedImage->ViewBase = viewBase; MappedImage->ViewSize = viewSize; MappedImage->Flags = 0; MappedImage->Spare = 0; switch (MappedImage->Signature) { case IMAGE_DOS_SIGNATURE: { status = PhInitializeMappedImage( MappedImage, viewBase, viewSize ); } break; case IMAGE_ELF_SIGNATURE: { status = PhInitializeMappedWslImage( MappedImage, viewBase, viewSize ); } break; default: status = STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT; break; } if (!NT_SUCCESS(status)) { PhUnloadMappedImage(MappedImage); } } return status; } NTSTATUS PhLoadMappedImageNoExecute( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; BOOLEAN openedFile = FALSE; HANDLE sectionHandle; PVOID viewBase; SIZE_T viewSize; if (!FileName && !FileHandle) return STATUS_INVALID_PARAMETER_MIX; if (!FileHandle) { status = PhCreateFile( &FileHandle, FileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | FILE_EXECUTE | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; openedFile = TRUE; } status = PhCreateSection( §ionHandle, SECTION_QUERY | SECTION_MAP_READ, NULL, PAGE_READONLY, SEC_IMAGE_NO_EXECUTE, FileHandle ); if (openedFile) NtClose(FileHandle); if (!NT_SUCCESS(status)) return status; viewBase = NULL; viewSize = 0; status = PhMapViewOfSection( sectionHandle, NtCurrentProcess(), &viewBase, 0, NULL, &viewSize, ViewUnmap, WindowsVersion < WINDOWS_10_RS2 ? 0 : MEM_MAPPED, PAGE_READONLY ); NtClose(sectionHandle); if (status == STATUS_IMAGE_NOT_AT_BASE) status = STATUS_SUCCESS; if (!NT_SUCCESS(status)) return status; status = PhInitializeMappedImage( MappedImage, viewBase, viewSize ); if (NT_SUCCESS(status)) { MappedImage->Flags |= PH_MAPPED_IMAGE_FLAG_SEC_IMAGE; } else { PhUnloadMappedImage(MappedImage); } return status; } NTSTATUS PhLoadMappedImageHeaderPageSize( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; BOOLEAN openedFile = FALSE; LARGE_INTEGER sectionSize; HANDLE sectionHandle; SIZE_T viewSize; PVOID viewBase; if (!FileName && !FileHandle) return STATUS_INVALID_PARAMETER_MIX; if (!FileHandle) { status = PhCreateFile( &FileHandle, FileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; openedFile = TRUE; } sectionSize.QuadPart = PAGE_SIZE; status = PhCreateSection( §ionHandle, SECTION_QUERY | SECTION_MAP_READ, §ionSize, PAGE_READONLY, SEC_COMMIT, FileHandle ); if (openedFile) NtClose(FileHandle); if (!NT_SUCCESS(status)) return status; viewSize = PAGE_SIZE; viewBase = NULL; status = PhMapViewOfSection( sectionHandle, NtCurrentProcess(), &viewBase, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY ); NtClose(sectionHandle); if (!NT_SUCCESS(status)) return status; status = PhInitializeMappedImage( MappedImage, viewBase, viewSize ); return status; } /** * Releases resources associated with a mapped image. * * \param MappedImage A pointer to the mapped image structure to unload. * \return NTSTATUS Successful or errant status. * \remarks This function unmaps the view and releases associated memory. The MappedImage * structure should not be used after this function is called. */ NTSTATUS PhUnloadMappedImage( _Inout_ PPH_MAPPED_IMAGE MappedImage ) { if (MappedImage->ViewBase) { PhUnmapViewOfSection(NtCurrentProcess(), MappedImage->ViewBase); MappedImage->ViewBase = NULL; } return STATUS_SUCCESS; } /** * Loads only the header portion of a PE image file into memory. * * \param FileName The path to the PE image file as a string reference. Specify NULL to use FileHandle. * \param FileHandle A handle to an open file. Specify NULL to use FileName. * \param MappedImage A pointer to a structure that receives the mapped image header information. * \return NTSTATUS Successful or errant status. * \remarks This function reads only the first page (4KB) of the file, which contains the DOS * and NT headers. This is more efficient than mapping the entire file when only header * information is needed. Call PhUnloadMappedImageHeaderFromFile() to release resources. */ NTSTATUS PhLoadMappedImageHeaderFromFile( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; BOOLEAN openedFile = FALSE; PVOID viewBase; LARGE_INTEGER byteOffset; ULONG bytesRead; if (!FileName && !FileHandle) return STATUS_INVALID_PARAMETER_MIX; if (!FileHandle) { status = PhCreateFile( &FileHandle, FileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; openedFile = TRUE; } viewBase = PhAllocatePageZero(PAGE_SIZE); if (!viewBase) { if (openedFile) NtClose(FileHandle); return STATUS_NO_MEMORY; } byteOffset.QuadPart = 0; bytesRead = 0; status = PhReadFile( FileHandle, viewBase, PAGE_SIZE, &byteOffset, &bytesRead ); if (status == STATUS_END_OF_FILE && bytesRead > 0) status = STATUS_SUCCESS; if (openedFile) NtClose(FileHandle); if (!NT_SUCCESS(status)) { PhFreePage(viewBase); return status; } status = PhInitializeMappedImage( MappedImage, viewBase, PAGE_SIZE ); if (!NT_SUCCESS(status)) { PhUnloadMappedImageHeaderFromFile(MappedImage); } return status; } /** * Releases resources associated with a mapped image header loaded from a file. * * \param MappedImage A pointer to the mapped image header structure to unload. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhUnloadMappedImageHeaderFromFile( _Inout_ PPH_MAPPED_IMAGE MappedImage ) { if (MappedImage->ViewBase) { PhFreePage(MappedImage->ViewBase); MappedImage->ViewBase = NULL; } return STATUS_SUCCESS; } /** * Maps an entire file into memory using a section object. * * \param FileName The path to the file. Specify NULL to use FileHandle. * \param FileHandle A handle to an open file. Specify NULL to use FileName. * \param ViewBase A pointer that receives the base address of the mapped view. * \param ViewSize A pointer that receives the size of the mapped view. * \return NTSTATUS Successful or errant status. * \remarks The file is mapped read-only. The caller must unmap the view using * PhUnmapViewOfSection() when finished. */ NTSTATUS PhMapViewOfEntireFile( _In_opt_ PCWSTR FileName, _In_opt_ HANDLE FileHandle, _Out_ PVOID *ViewBase, _Out_ PSIZE_T ViewSize ) { NTSTATUS status; BOOLEAN openedFile = FALSE; LARGE_INTEGER sectionSize; HANDLE sectionHandle; SIZE_T viewSize; PVOID viewBase; if (!FileName && !FileHandle) return STATUS_INVALID_PARAMETER_MIX; // Open the file if we weren't supplied a file handle. if (!FileHandle) { status = PhCreateFileWin32( &FileHandle, FileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; openedFile = TRUE; } // Get the file size and create the section. status = PhGetFileSize(FileHandle, §ionSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateSection( §ionHandle, SECTION_QUERY | SECTION_MAP_READ, §ionSize, PAGE_READONLY, SEC_COMMIT, FileHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; // Map the section. viewSize = (SIZE_T)sectionSize.QuadPart; viewBase = NULL; status = PhMapViewOfSection( sectionHandle, NtCurrentProcess(), &viewBase, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY ); NtClose(sectionHandle); if (!NT_SUCCESS(status)) goto CleanupExit; *ViewBase = viewBase; *ViewSize = (SIZE_T)sectionSize.QuadPart; CleanupExit: if (openedFile) NtClose(FileHandle); return status; } NTSTATUS PhMapViewOfEntireFileEx( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ HANDLE FileHandle, _Out_ PVOID *ViewBase, _Out_ PSIZE_T ViewSize ) { NTSTATUS status; BOOLEAN openedFile = FALSE; LARGE_INTEGER sectionSize; HANDLE sectionHandle; SIZE_T viewSize; PVOID viewBase; if (!FileName && !FileHandle) return STATUS_INVALID_PARAMETER_MIX; // Open the file if we weren't supplied a file handle. if (!FileHandle) { status = PhCreateFile( &FileHandle, FileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; openedFile = TRUE; } // Get the file size and create the section. status = PhGetFileSize(FileHandle, §ionSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateSection( §ionHandle, SECTION_QUERY | SECTION_MAP_READ, §ionSize, PAGE_READONLY, SEC_COMMIT, FileHandle ); if (!NT_SUCCESS(status)) goto CleanupExit; viewSize = (SIZE_T)sectionSize.QuadPart; viewBase = NULL; // Map the section. status = PhMapViewOfSection( sectionHandle, NtCurrentProcess(), &viewBase, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY ); NtClose(sectionHandle); if (!NT_SUCCESS(status)) goto CleanupExit; *ViewBase = viewBase; *ViewSize = (SIZE_T)sectionSize.QuadPart; CleanupExit: if (openedFile) NtClose(FileHandle); return status; } VOID PhMappedImagePrefetch( _In_ PPH_MAPPED_IMAGE MappedImage ) { MEMORY_RANGE_ENTRY prefetchMemoryRange[1]; memset(prefetchMemoryRange, 0, sizeof(prefetchMemoryRange)); prefetchMemoryRange[0].NumberOfBytes = MappedImage->ViewSize; prefetchMemoryRange[0].VirtualAddress = MappedImage->ViewBase; PhPrefetchVirtualMemory(NtCurrentProcess(), RTL_NUMBER_OF(prefetchMemoryRange), prefetchMemoryRange); } /** * Retrieves a section header by name from a mapped image. * * \param MappedImage A pointer to the mapped image. * \param Name The name of the section to find (e.g., ".text", ".data"). * \param IgnoreCase TRUE to perform a case-insensitive comparison, FALSE for case-sensitive. * \return A pointer to the section header if found, otherwise NULL. */ PIMAGE_SECTION_HEADER PhMappedImageSectionByName( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PCWSTR Name, _In_ BOOLEAN IgnoreCase ) { for (USHORT i = 0; i < MappedImage->NumberOfSections; i++) { WCHAR sectionName[IMAGE_SIZEOF_SHORT_NAME + 1]; if (NT_SUCCESS(PhGetMappedImageSectionName( &MappedImage->Sections[i], sectionName, RTL_NUMBER_OF(sectionName), NULL )) && PhEqualStringZ(sectionName, Name, IgnoreCase)) { return &MappedImage->Sections[i]; } } return NULL; } /** * Locates the section that contains a given relative virtual address (RVA). * * \param MappedImage A pointer to the mapped image. * \param Rva The relative virtual address to locate. * \return A pointer to the section header containing the RVA, otherwise NULL. */ PIMAGE_SECTION_HEADER PhMappedImageRvaToSection( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Rva ) { for (USHORT i = 0; i < MappedImage->NumberOfSections; i++) { ULONG sectionSize; if (FlagOn(MappedImage->Flags, PH_MAPPED_IMAGE_FLAG_SEC_IMAGE)) sectionSize = MappedImage->Sections[i].Misc.VirtualSize; else sectionSize = MappedImage->Sections[i].SizeOfRawData; if ( (Rva >= MappedImage->Sections[i].VirtualAddress) && (Rva < MappedImage->Sections[i].VirtualAddress + sectionSize) ) { return &MappedImage->Sections[i]; } } return NULL; } /** * Converts a relative virtual address (RVA) to a virtual address within the mapped image. * * \param MappedImage A pointer to the mapped image. * \param Rva The relative virtual address to convert. * \param Section An optional pointer that receives the section header containing the RVA. * \return A pointer to the virtual address in the mapped view, otherwise NULL. * \remarks This function handles both memory-mapped images (SEC_IMAGE) and file-mapped images (SEC_COMMIT), * adjusting for section alignment differences. */ _Success_(return != NULL) PVOID PhMappedImageRvaToVa( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Rva, _Out_opt_ PIMAGE_SECTION_HEADER *Section ) { PIMAGE_SECTION_HEADER section; if (Rva == 0) return NULL; section = PhMappedImageRvaToSection(MappedImage, Rva); if (!section) return NULL; if (Section) *Section = section; if (FlagOn(MappedImage->Flags, PH_MAPPED_IMAGE_FLAG_SEC_IMAGE)) return PTR_ADD_OFFSET(MappedImage->ViewBase, Rva); return PTR_ADD_OFFSET(MappedImage->ViewBase, PTR_ADD_OFFSET( PTR_SUB_OFFSET(Rva, section->VirtualAddress), section->PointerToRawData )); } /** * Converts a virtual address (VA) to a pointer within the mapped image. * * \param MappedImage A pointer to the mapped image. * \param Va The virtual address to convert. * \param Section An optional pointer that receives the section header containing the address. * \return A pointer to the address in the mapped view, otherwise NULL. */ _Success_(return != NULL) PVOID PhMappedImageVaToVa( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONGLONG Va, _Out_opt_ PIMAGE_SECTION_HEADER *Section ) { ULONG rva; PIMAGE_SECTION_HEADER section; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { rva = PtrToUlong(PTR_SUB_OFFSET(Va, MappedImage->NtHeaders32->OptionalHeader.ImageBase)); } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { rva = PtrToUlong(PTR_SUB_OFFSET(Va, MappedImage->NtHeaders->OptionalHeader.ImageBase)); } else { return NULL; } section = PhMappedImageRvaToSection(MappedImage, rva); if (!section) return NULL; if (Section) *Section = section; if (FlagOn(MappedImage->Flags, PH_MAPPED_IMAGE_FLAG_SEC_IMAGE)) return PTR_ADD_OFFSET(MappedImage->ViewBase, rva); return PTR_ADD_OFFSET(MappedImage->ViewBase, PTR_ADD_OFFSET( PTR_SUB_OFFSET(rva, section->VirtualAddress), section->PointerToRawData )); } _Success_(return != NULL) PVOID PhMappedImageRvaToFileOffset( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Rva, _Out_opt_ PIMAGE_SECTION_HEADER *Section ) { PIMAGE_SECTION_HEADER section; if (Rva == 0) return NULL; section = PhMappedImageRvaToSection(MappedImage, Rva); if (!section) return NULL; if (Section) *Section = section; if (FlagOn(MappedImage->Flags, PH_MAPPED_IMAGE_FLAG_SEC_IMAGE)) return PTR_ADD_OFFSET(MappedImage->ViewBase, Rva); return PTR_ADD_OFFSET( PTR_SUB_OFFSET(Rva, section->VirtualAddress), section->PointerToRawData ); } /** * Retrieves the name of a PE section as a Unicode string. * * \param Section A pointer to the section header. * \param Buffer An optional buffer that receives the section name. * \param Count The size of the buffer in characters. * \param ReturnCount An optional pointer that receives the number of characters written. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetMappedImageSectionName( _In_ PIMAGE_SECTION_HEADER Section, _Out_writes_opt_z_(Count) PWSTR Buffer, _In_ ULONG Count, _Out_opt_ PULONG ReturnCount ) { NTSTATUS status; SIZE_T returnCount = 0; status = PhCopyStringZFromUtf8( (PCSTR)Section->Name, IMAGE_SIZEOF_SHORT_NAME, Buffer, Count, &returnCount ); if (ReturnCount) *ReturnCount = (ULONG)returnCount; return status; } /** * Retrieves a data directory from the PE optional header. * * \param MappedImage A pointer to the mapped image. * \param Index The data directory index (e.g., IMAGE_DIRECTORY_ENTRY_EXPORT). * \param Entry A pointer that receives the data directory structure. * \return NTSTATUS Successful or errant status. * \remarks Data directories contain RVAs and sizes for various PE structures such as * exports, imports, resources, base relocations, and debug information. */ NTSTATUS PhGetMappedImageDataDirectory( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Index, _Out_ PIMAGE_DATA_DIRECTORY *Entry ) { if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_OPTIONAL_HEADER32 optionalHeader; PIMAGE_DATA_DIRECTORY dataDirectory; optionalHeader = (PIMAGE_OPTIONAL_HEADER32)&MappedImage->NtHeaders32->OptionalHeader; if (Index >= optionalHeader->NumberOfRvaAndSizes) return STATUS_INVALID_PARAMETER_2; dataDirectory = &optionalHeader->DataDirectory[Index]; if (dataDirectory->VirtualAddress && dataDirectory->Size) { *Entry = dataDirectory; return STATUS_SUCCESS; } } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_OPTIONAL_HEADER64 optionalHeader; PIMAGE_DATA_DIRECTORY dataDirectory; optionalHeader = (PIMAGE_OPTIONAL_HEADER64)&MappedImage->NtHeaders->OptionalHeader; if (Index >= optionalHeader->NumberOfRvaAndSizes) return STATUS_INVALID_PARAMETER_2; dataDirectory = &optionalHeader->DataDirectory[Index]; if (dataDirectory->VirtualAddress && dataDirectory->Size) { *Entry = dataDirectory; return STATUS_SUCCESS; } } return STATUS_NOT_FOUND; } PVOID PhGetMappedImageDirectoryEntry( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Index ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; status = PhGetMappedImageDataDirectory( MappedImage, Index, &dataDirectory ); if (!NT_SUCCESS(status)) return NULL; return PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); } FORCEINLINE NTSTATUS PhpGetMappedImageLoadConfig( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ USHORT Magic, _In_ ULONG ProbeLength, _Out_ PVOID *LoadConfig ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY entry; PVOID loadConfig; if (MappedImage->Magic != Magic) return STATUS_INVALID_PARAMETER; status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &entry ); if (!NT_SUCCESS(status)) return status; loadConfig = PhMappedImageRvaToVa( MappedImage, entry->VirtualAddress, NULL ); if (!loadConfig) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, loadConfig, ProbeLength); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } *LoadConfig = loadConfig; return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageLoadConfig32( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PIMAGE_LOAD_CONFIG_DIRECTORY32 *LoadConfig ) { return PhpGetMappedImageLoadConfig( MappedImage, IMAGE_NT_OPTIONAL_HDR32_MAGIC, sizeof(IMAGE_LOAD_CONFIG_DIRECTORY32), LoadConfig ); } NTSTATUS PhGetMappedImageLoadConfig64( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PIMAGE_LOAD_CONFIG_DIRECTORY64 *LoadConfig ) { return PhpGetMappedImageLoadConfig( MappedImage, IMAGE_NT_OPTIONAL_HDR64_MAGIC, sizeof(IMAGE_LOAD_CONFIG_DIRECTORY64), LoadConfig ); } // Remote mapped image routines NTSTATUS PhInitializeRemoteMappedImage( _Out_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_opt_ PPH_READ_VIRTUAL_MEMORY_CALLBACK ReadVirtualMemoryCallback, _In_opt_ PVOID Context ) { memset(RemoteMappedImage, 0, sizeof(PH_REMOTE_MAPPED_IMAGE)); RemoteMappedImage->ReadVirtualMemoryCallback = ReadVirtualMemoryCallback; RemoteMappedImage->Context = Context; return STATUS_SUCCESS; } NTSTATUS PhLoadRemoteMappedImagePageSize( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ HANDLE ProcessHandle, _In_ PVOID ViewBase, _In_ SIZE_T ViewSize ) { NTSTATUS status; PIMAGE_DOS_HEADER dosHeader; PIMAGE_NT_HEADERS ntHeaders; ULONG_PTR dosHeaderOffset; ULONG_PTR ntHeadersOffset; SIZE_T ntHeadersSize; RemoteMappedImage->ViewBase = ViewBase; RemoteMappedImage->ViewSize = ViewSize; if (ViewSize < PAGE_SIZE) return STATUS_INSUFFICIENT_RESOURCES; // Get a pointer to the base address and probe it. dosHeaderOffset = (ULONG_PTR)ViewBase; if (dosHeaderOffset == 0 || dosHeaderOffset == SIZE_MAX) return STATUS_INVALID_PARAMETER; // Read one page and validate both headers. dosHeader = PhAllocatePageZero(PAGE_SIZE); if (!dosHeader) { return STATUS_NO_MEMORY; } if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( ProcessHandle, ViewBase, dosHeader, PAGE_SIZE, NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( ProcessHandle, ViewBase, dosHeader, PAGE_SIZE, NULL ); } if (!NT_SUCCESS(status)) goto CleanupExit; // Check the initial MZ. if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { status = STATUS_INVALID_IMAGE_NOT_MZ; goto CleanupExit; } // Get a pointer to the IMAGE_NT_HEADERS and probe it. ntHeadersOffset = (ULONG_PTR)dosHeader->e_lfanew; if (ntHeadersOffset == 0 || ntHeadersOffset >= ViewSize || ntHeadersOffset >= RTL_IMAGE_MAX_DOS_HEADER) { status = STATUS_INVALID_IMAGE_NOT_MZ; goto CleanupExit; } if (ntHeadersOffset + sizeof(IMAGE_NT_HEADERS) >= PAGE_SIZE) { status = STATUS_INSUFFICIENT_RESOURCES; goto CleanupExit; } ntHeaders = (PIMAGE_NT_HEADERS)PTR_ADD_OFFSET(dosHeader, ntHeadersOffset); // Check the signature and verify the magic. if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) { status = STATUS_INVALID_IMAGE_FORMAT; goto CleanupExit; } if ( ntHeaders->FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER32) && ntHeaders->FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER64) ) { status = STATUS_BAD_FILE_TYPE; goto CleanupExit; } RemoteMappedImage->Magic = ntHeaders->OptionalHeader.Magic; if ( RemoteMappedImage->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && RemoteMappedImage->Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC ) { status = STATUS_INVALID_IMAGE_FORMAT; goto CleanupExit; } RemoteMappedImage->NumberOfSections = ntHeaders->FileHeader.NumberOfSections; if (RemoteMappedImage->NumberOfSections >= SCHAR_MAX) { status = STATUS_INVALID_IMAGE_FORMAT; goto CleanupExit; } // Get the total size and verify in the whole thing. ntHeadersSize = UFIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + ntHeaders->FileHeader.SizeOfOptionalHeader + RemoteMappedImage->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER; if (ntHeadersSize + ntHeadersOffset + sizeof(IMAGE_NT_HEADERS) >= PAGE_SIZE) { status = STATUS_INSUFFICIENT_RESOURCES; goto CleanupExit; } RemoteMappedImage->ProcessHandle = ProcessHandle; RemoteMappedImage->NtHeaders = ntHeaders; RemoteMappedImage->Sections = IMAGE_FIRST_SECTION(RemoteMappedImage->NtHeaders); RemoteMappedImage->PageCache = dosHeader; CleanupExit: if (!NT_SUCCESS(status)) { PhFreePage(dosHeader); } return status; } NTSTATUS PhLoadRemoteMappedImage( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ HANDLE ProcessHandle, _In_ PVOID ViewBase, _In_ SIZE_T ViewSize ) { NTSTATUS status; IMAGE_DOS_HEADER dosHeader; IMAGE_NT_HEADERS ntHeaders; ULONG_PTR dosHeaderOffset; ULONG_PTR ntHeadersOffset; SIZE_T ntHeadersSize; status = PhLoadRemoteMappedImagePageSize( RemoteMappedImage, ProcessHandle, ViewBase, ViewSize ); if (NT_SUCCESS(status) || status != STATUS_INSUFFICIENT_RESOURCES) return status; RemoteMappedImage->ViewBase = ViewBase; RemoteMappedImage->ViewSize = ViewSize; if (ViewSize < sizeof(IMAGE_DOS_HEADER)) return STATUS_INVALID_IMAGE_FORMAT; // Get a pointer to the base address and probe it. dosHeaderOffset = (ULONG_PTR)ViewBase; if (dosHeaderOffset == 0 || dosHeaderOffset == SIZE_MAX) return STATUS_INVALID_PARAMETER; if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( ProcessHandle, ViewBase, &dosHeader, sizeof(IMAGE_DOS_HEADER), NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( ProcessHandle, ViewBase, &dosHeader, sizeof(IMAGE_DOS_HEADER), NULL ); } if (!NT_SUCCESS(status)) return status; // Check the initial MZ. if (dosHeader.e_magic != IMAGE_DOS_SIGNATURE) return STATUS_INVALID_IMAGE_NOT_MZ; // Get a pointer to the IMAGE_NT_HEADERS and probe it. ntHeadersOffset = (ULONG_PTR)dosHeader.e_lfanew; if (ntHeadersOffset == 0 || ntHeadersOffset >= ViewSize || ntHeadersOffset >= RTL_IMAGE_MAX_DOS_HEADER) return STATUS_INVALID_IMAGE_FORMAT; if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( ProcessHandle, PTR_ADD_OFFSET(ViewBase, ntHeadersOffset), &ntHeaders, sizeof(IMAGE_NT_HEADERS), NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(ViewBase, ntHeadersOffset), &ntHeaders, sizeof(IMAGE_NT_HEADERS), NULL ); } if (!NT_SUCCESS(status)) return status; // Check the signature and verify the magic. if (ntHeaders.Signature != IMAGE_NT_SIGNATURE) return STATUS_INVALID_IMAGE_FORMAT; if ( ntHeaders.FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER32) && ntHeaders.FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER64) ) { return STATUS_BAD_FILE_TYPE; } RemoteMappedImage->Magic = ntHeaders.OptionalHeader.Magic; if ( RemoteMappedImage->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && RemoteMappedImage->Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC ) return STATUS_INVALID_IMAGE_FORMAT; RemoteMappedImage->NumberOfSections = ntHeaders.FileHeader.NumberOfSections; if (RemoteMappedImage->NumberOfSections >= SCHAR_MAX) { return STATUS_INVALID_IMAGE_FORMAT; } // Get the real size and read in the whole thing. ntHeadersSize = UFIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + ntHeaders.FileHeader.SizeOfOptionalHeader + RemoteMappedImage->NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER; if (ntHeadersSize > UInt32x32To64(1024, 1024)) // 1 MB return STATUS_INVALID_IMAGE_FORMAT; RemoteMappedImage->NtHeaders = PhAllocatePageZero(ntHeadersSize); if (!RemoteMappedImage->NtHeaders) { return STATUS_NO_MEMORY; } if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( ProcessHandle, PTR_ADD_OFFSET(ViewBase, ntHeadersOffset), RemoteMappedImage->NtHeaders, ntHeadersSize, NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(ViewBase, ntHeadersOffset), RemoteMappedImage->NtHeaders, ntHeadersSize, NULL ); } if (!NT_SUCCESS(status)) { PhFreePage(RemoteMappedImage->NtHeaders); RemoteMappedImage->NtHeaders = NULL; return status; } RemoteMappedImage->ProcessHandle = ProcessHandle; RemoteMappedImage->Sections = IMAGE_FIRST_SECTION(RemoteMappedImage->NtHeaders); return STATUS_SUCCESS; } NTSTATUS PhUnloadRemoteMappedImage( _Inout_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage ) { if (RemoteMappedImage->PageCache) { PhFreePage(RemoteMappedImage->PageCache); RemoteMappedImage->PageCache = NULL; } else if (RemoteMappedImage->NtHeaders) { PhFreePage(RemoteMappedImage->NtHeaders); RemoteMappedImage->NtHeaders = NULL; } return STATUS_SUCCESS; } NTSTATUS PhGetRemoteMappedImageDataEntry( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ ULONG Index, _Out_ PIMAGE_DATA_DIRECTORY* Entry ) { PIMAGE_DATA_DIRECTORY dataDirectory; if (RemoteMappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_OPTIONAL_HEADER32 optionalHeader; optionalHeader = (PIMAGE_OPTIONAL_HEADER32)&RemoteMappedImage->NtHeaders32->OptionalHeader; if (Index >= optionalHeader->NumberOfRvaAndSizes) return STATUS_INVALID_PARAMETER_2; dataDirectory = &optionalHeader->DataDirectory[Index]; } else if (RemoteMappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_OPTIONAL_HEADER64 optionalHeader; optionalHeader = (PIMAGE_OPTIONAL_HEADER64)&RemoteMappedImage->NtHeaders->OptionalHeader; if (Index >= optionalHeader->NumberOfRvaAndSizes) return STATUS_INVALID_PARAMETER_2; dataDirectory = &optionalHeader->DataDirectory[Index]; } else { return STATUS_INVALID_IMAGE_FORMAT; } if (!(dataDirectory->VirtualAddress && dataDirectory->Size)) return STATUS_UNSUCCESSFUL; *Entry = dataDirectory; return STATUS_SUCCESS; } NTSTATUS PhGetRemoteMappedImageDirectoryEntry( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ ULONG Index, _Out_ PVOID* DataBuffer, _Out_opt_ ULONG* DataLength ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PVOID dataBuffer; ULONG dataLength; status = PhGetRemoteMappedImageDataEntry( RemoteMappedImage, Index, &dataDirectory ); if (!NT_SUCCESS(status)) return status; if (dataDirectory->Size > 16 * 1024 * 1024) // 16 MB return STATUS_FAIL_CHECK; dataLength = dataDirectory->Size; dataBuffer = PhAllocatePageZero(dataLength); if (!dataBuffer) return STATUS_NO_MEMORY; if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( RemoteMappedImage->ProcessHandle, PTR_ADD_OFFSET(RemoteMappedImage->ViewBase, dataDirectory->VirtualAddress), dataBuffer, dataLength, NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( RemoteMappedImage->ProcessHandle, PTR_ADD_OFFSET(RemoteMappedImage->ViewBase, dataDirectory->VirtualAddress), dataBuffer, dataLength, NULL ); } if (!NT_SUCCESS(status)) { PhFreePage(dataBuffer); return status; } if (DataBuffer) *DataBuffer = dataBuffer; if (DataLength) *DataLength = dataLength; return status; } NTSTATUS PhGetRemoteMappedImageDebugEntryByType( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _In_ ULONG Type, _Out_opt_ PULONG DataLength, _Out_ PPVOID DataBuffer ) { NTSTATUS status; PIMAGE_DEBUG_DIRECTORY debugDirectory; ULONG debugDirectoryLength; status = PhGetRemoteMappedImageDirectoryEntry( RemoteMappedImage, IMAGE_DIRECTORY_ENTRY_DEBUG, &debugDirectory, &debugDirectoryLength ); if (!NT_SUCCESS(status)) return status; status = STATUS_NOT_FOUND; for (ULONG i = 0; i < debugDirectoryLength / sizeof(IMAGE_DEBUG_DIRECTORY); i++) { PIMAGE_DEBUG_DIRECTORY entry = PTR_ADD_OFFSET(debugDirectory, UInt32x32To64(i, sizeof(IMAGE_DEBUG_DIRECTORY))); if (entry->Type == Type) { PVOID dataBuffer; ULONG dataLength; if (entry->SizeOfData > 16 * 1024 * 1024) // 16 MB { status = STATUS_FAIL_CHECK; break; } dataLength = entry->SizeOfData; dataBuffer = PhAllocatePageZero(dataLength); if (!dataBuffer) { status = STATUS_INSUFFICIENT_RESOURCES; break; } if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( RemoteMappedImage->ProcessHandle, PTR_ADD_OFFSET(RemoteMappedImage->ViewBase, entry->AddressOfRawData), dataBuffer, dataLength, NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( RemoteMappedImage->ProcessHandle, PTR_ADD_OFFSET(RemoteMappedImage->ViewBase, entry->AddressOfRawData), dataBuffer, dataLength, NULL ); } if (NT_SUCCESS(status)) { if (DataLength) *DataLength = dataLength; *DataBuffer = dataBuffer; status = STATUS_SUCCESS; } else { PhFreePage(dataBuffer); } break; } } PhFreePage(debugDirectory); return status; } NTSTATUS PhGetRemoteMappedImageGuardFlags( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _Out_ PULONG GuardFlags ) { NTSTATUS status; ULONG guardFlags = ULONG_MAX; if (RemoteMappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY32 config32 = NULL; ULONG config32Length = 0; status = PhGetRemoteMappedImageDirectoryEntry( RemoteMappedImage, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &config32, &config32Length ); if (NT_SUCCESS(status)) { if (RTL_CONTAINS_FIELD(config32, min(config32->Size, config32Length), GuardFlags)) { guardFlags = config32->GuardFlags; } else { status = STATUS_NOT_FOUND; } PhFreePage(config32); } } else { PIMAGE_LOAD_CONFIG_DIRECTORY64 config64 = NULL; ULONG config64Length = 0; status = PhGetRemoteMappedImageDirectoryEntry( RemoteMappedImage, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &config64, &config64Length ); if (NT_SUCCESS(status)) { if (RTL_CONTAINS_FIELD(config64, min(config64->Size, config64Length), GuardFlags)) { guardFlags = config64->GuardFlags; } else { status = STATUS_NOT_FOUND; } PhFreePage(config64); } } if (NT_SUCCESS(status)) { if (guardFlags != ULONG_MAX) { *GuardFlags = guardFlags; } else { status = STATUS_NOT_FOUND; } } return status; } NTSTATUS PhGetRemoteMappedImageCHPEVersion( _In_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage, _Out_ PULONG CHPEVersion ) { NTSTATUS status; PVOID entry; ULONG entryLength; *CHPEVersion = 0; if (!NT_SUCCESS(status = PhGetRemoteMappedImageDirectoryEntry( RemoteMappedImage, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &entry, &entryLength ))) return status; if (RemoteMappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY32 config32; IMAGE_CHPE_METADATA_X86 chpe32; if (entryLength < sizeof(IMAGE_LOAD_CONFIG_DIRECTORY32)) { status = STATUS_BUFFER_TOO_SMALL; goto CleanupExit; } config32 = entry; if (!RTL_CONTAINS_FIELD(config32, config32->Size, CHPEMetadataPointer) || !config32->CHPEMetadataPointer) { status = STATUS_SUCCESS; goto CleanupExit; } if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( RemoteMappedImage->ProcessHandle, ULongToPtr(config32->CHPEMetadataPointer), &chpe32, sizeof(chpe32), NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( RemoteMappedImage->ProcessHandle, ULongToPtr(config32->CHPEMetadataPointer), &chpe32, sizeof(chpe32), NULL ); } if (!NT_SUCCESS(status)) goto CleanupExit; *CHPEVersion = chpe32.Version; } else if (RemoteMappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY64 config64; IMAGE_ARM64EC_METADATA chpe64; if (entryLength < sizeof(IMAGE_LOAD_CONFIG_DIRECTORY64)) { status = STATUS_BUFFER_TOO_SMALL; goto CleanupExit; } config64 = entry; if (!RTL_CONTAINS_FIELD(config64, config64->Size, CHPEMetadataPointer) || !config64->CHPEMetadataPointer) { status = STATUS_SUCCESS; goto CleanupExit; } if (RemoteMappedImage->ReadVirtualMemoryCallback) { status = RemoteMappedImage->ReadVirtualMemoryCallback( RemoteMappedImage->ProcessHandle, (PVOID)config64->CHPEMetadataPointer, &chpe64, sizeof(chpe64), NULL, RemoteMappedImage->Context ); } else { status = PhReadVirtualMemory( RemoteMappedImage->ProcessHandle, (PVOID)config64->CHPEMetadataPointer, &chpe64, sizeof(chpe64), NULL ); } if (!NT_SUCCESS(status)) goto CleanupExit; *CHPEVersion = chpe64.Version; } CleanupExit: PhFreePage(entry); return status; } // Mapped image NTSTATUS PhRelocateMappedImageDataEntryARM64X( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DATA_DIRECTORY Entry, _Out_ PIMAGE_DATA_DIRECTORY RelocatedEntry ) { NTSTATUS status; ULONG vaRva; ULONG sizeRva; PIMAGE_DYNAMIC_RELOCATION_TABLE table; PIMAGE_DYNAMIC_RELOCATION64 reloc; PVOID end; RtlZeroMemory(RelocatedEntry, sizeof(IMAGE_DATA_DIRECTORY)); if (MappedImage->Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) return STATUS_INVALID_PARAMETER; status = PhGetMappedImageDynamicRelocationsTable(MappedImage, &table); if (!NT_SUCCESS(status)) return status; if (table->Version != 1) return STATUS_NOT_SUPPORTED; vaRva = PtrToUlong(PTR_SUB_OFFSET(Entry, MappedImage->ViewBase)); sizeRva = PtrToUlong(PTR_SUB_OFFSET(PTR_ADD_OFFSET(Entry, sizeof(ULONG)), MappedImage->ViewBase)); #define PH_ARM64X_DIR_FIX_DONE() (vaRva == 0 && sizeRva == 0) reloc = PTR_ADD_OFFSET(table, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION_TABLE, Size)); end = PTR_ADD_OFFSET(table, table->Size); while ((ULONG_PTR)reloc < (ULONG_PTR)end) { if (reloc->Symbol == IMAGE_DYNAMIC_RELOCATION_ARM64X) { PIMAGE_BASE_RELOCATION base; PVOID baseEnd; base = PTR_ADD_OFFSET(reloc, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION64, BaseRelocSize)); baseEnd = PTR_ADD_OFFSET(base, reloc->BaseRelocSize); for (;;) { PIMAGE_DVRT_ARM64X_FIXUP_RECORD record; PVOID recordsEnd; record = (PIMAGE_DVRT_ARM64X_FIXUP_RECORD)base; recordsEnd = PTR_ADD_OFFSET(base, base->SizeOfBlock); if (!PhPtrAdvance(&record, recordsEnd, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock))) break; for (;;) { SIZE_T consumed; if (record->Offset == 0 && record->Type == 0 && record->Size == 0) { // padding block(s), we're done break; } if (record->Type == IMAGE_DVRT_ARM64X_FIXUP_TYPE_ZEROFILL) { consumed = sizeof(IMAGE_DVRT_ARM64X_FIXUP_RECORD); } else if (record->Type == IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE) { consumed = sizeof(IMAGE_DVRT_ARM64X_FIXUP_RECORD); if (record->Size == IMAGE_DVRT_ARM64X_FIXUP_SIZE_2BYTES) { consumed += sizeof(USHORT); } else if (record->Size == IMAGE_DVRT_ARM64X_FIXUP_SIZE_4BYTES) { ULONG rva = base->VirtualAddress + record->Offset; ULONG value = *(PULONG)PTR_ADD_OFFSET(record, consumed); if (vaRva != 0 && vaRva == rva) { RelocatedEntry->VirtualAddress = value; vaRva = 0; } else if (sizeRva != 0 && sizeRva == rva) { RelocatedEntry->Size = value; sizeRva = 0; } consumed += sizeof(ULONG); } else if (record->Size == IMAGE_DVRT_ARM64X_FIXUP_SIZE_8BYTES) { consumed += sizeof(ULONG64); } else { break; } } else if (record->Type == IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA) { consumed = sizeof(IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD); consumed += sizeof(USHORT); } else { break; } if (PH_ARM64X_DIR_FIX_DONE()) break; if (!PhPtrAdvance(&record, recordsEnd, consumed)) break; } if (PH_ARM64X_DIR_FIX_DONE()) break; if (!PhPtrAdvance(&base, baseEnd, base->SizeOfBlock)) break; } } if (PH_ARM64X_DIR_FIX_DONE()) break; if (!PhPtrAdvance(&reloc, end, reloc->BaseRelocSize)) break; if (!PhPtrAdvance(&reloc, end, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION64, BaseRelocSize))) break; } return PH_ARM64X_DIR_FIX_DONE() ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER; } /** * Retrieves export information from a mapped PE image with advanced options. * * \param Exports A pointer to a structure that receives the export information. * \param MappedImage A pointer to the mapped image. * \param Flags Flags that control the retrieval (e.g., PH_GET_IMAGE_EXPORTS_ARM64X). * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER The export directory is invalid or not found. * \remarks This function retrieves pointers to the export directory and associated tables * (address table, name pointer table, ordinal table). For ARM64X images, it can relocate * the export directory using dynamic relocations. All memory accesses are validated with * structured exception handling. */ NTSTATUS PhGetMappedImageExportsEx( _Out_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Flags ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_EXPORT_DIRECTORY exportDirectory; Exports->DataDirectoryARM64X.VirtualAddress = 0; Exports->DataDirectoryARM64X.Size = 0; // Get a pointer to the export directory. status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_EXPORT, &dataDirectory ); if (!NT_SUCCESS(status)) return status; if (Flags & PH_GET_IMAGE_EXPORTS_ARM64X) { status = PhRelocateMappedImageDataEntryARM64X( MappedImage, dataDirectory, &Exports->DataDirectoryARM64X ); if (!NT_SUCCESS(status)) return status; exportDirectory = PhMappedImageRvaToVa( MappedImage, Exports->DataDirectoryARM64X.VirtualAddress, NULL ); } else { exportDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); } if (!exportDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, exportDirectory, sizeof(IMAGE_EXPORT_DIRECTORY)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } Exports->MappedImage = MappedImage; Exports->DataDirectory = dataDirectory; Exports->ExportDirectory = exportDirectory; Exports->NumberOfEntries = exportDirectory->NumberOfFunctions; // Get pointers to the various tables and probe them. Exports->AddressTable = (PULONG)PhMappedImageRvaToVa( MappedImage, exportDirectory->AddressOfFunctions, NULL ); Exports->NamePointerTable = (PULONG)PhMappedImageRvaToVa( MappedImage, exportDirectory->AddressOfNames, NULL ); Exports->OrdinalTable = (PUSHORT)PhMappedImageRvaToVa( MappedImage, exportDirectory->AddressOfNameOrdinals, NULL ); // Note: NamePointerTable and OrdinalTable are null for binaries // such as mfc140u.dll yet contain valid exports (dmex) if (!Exports->AddressTable) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe( MappedImage, Exports->AddressTable, exportDirectory->NumberOfFunctions * sizeof(ULONG) ); if (Exports->NamePointerTable) { PhMappedImageProbe( MappedImage, Exports->NamePointerTable, exportDirectory->NumberOfNames * sizeof(ULONG) ); } if (Exports->OrdinalTable) { PhMappedImageProbe( MappedImage, Exports->OrdinalTable, // ordinal list for named exports exportDirectory->NumberOfNames * sizeof(USHORT) ); } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // The ordinal and name tables are parallel. // Getting an index into the name table (e.g. by doing a binary // search) and indexing into the ordinal table will produce the // ordinal for that name, *unbiased* (unlike in the specification). // The unbiased ordinal is an index into the address table. return STATUS_SUCCESS; } /** * Retrieves export information from a mapped PE image. * * \param Exports A pointer to a structure that receives the export information. * \param MappedImage A pointer to the mapped image. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetMappedImageExports( _Out_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_ PPH_MAPPED_IMAGE MappedImage ) { return PhGetMappedImageExportsEx(Exports, MappedImage, 0); } /** * Retrieves information about a specific export entry by index. * * \param Exports A pointer to the export information structure. * \param Index The zero-based index into the export address table. * \param Entry A pointer to a structure that receives the export entry information. * \return NTSTATUS Successful or errant status. * \retval STATUS_PROCEDURE_NOT_FOUND The index is out of range. * \retval STATUS_INVALID_PARAMETER The export name pointer is invalid. * \remarks The function populates the entry with the ordinal, name (if exported by name), * and hint. The ordinal is biased (index + base ordinal). */ NTSTATUS PhGetMappedImageExportEntry( _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_ ULONG Index, _Out_ PPH_MAPPED_IMAGE_EXPORT_ENTRY Entry ) { ULONG nameIndex = 0; BOOLEAN exportByName = FALSE; PCSTR name; if (Index >= Exports->ExportDirectory->NumberOfFunctions) return STATUS_PROCEDURE_NOT_FOUND; Entry->Ordinal = (USHORT)Index + (USHORT)Exports->ExportDirectory->Base; if (Exports->OrdinalTable) { // look into named exports ordinal list. for (nameIndex = 0; nameIndex < Exports->ExportDirectory->NumberOfNames; nameIndex++) { if (Index == Exports->OrdinalTable[nameIndex]) { exportByName = TRUE; break; } } } if (Exports->NamePointerTable && exportByName) { name = PhMappedImageRvaToVa( Exports->MappedImage, Exports->NamePointerTable[nameIndex], NULL ); if (!name) return STATUS_INVALID_PARAMETER; // TODO: Probe the name. Entry->Name = name; Entry->Hint = nameIndex; } else { Entry->Name = NULL; Entry->Hint = 0; } return STATUS_SUCCESS; } /** * Locates an export by name using binary search. * * \param Exports A pointer to the export information structure. * \param Name The name of the export to find. * \return The index of the export in the name table, or ULONG_MAX if not found. * \remarks The export name table is sorted alphabetically, allowing for efficient binary search. * The returned index can be used with the ordinal table to obtain the unbiased ordinal. */ ULONG PhLookupMappedImageExportName( _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_ PCSTR Name ) { LONG low; LONG high; LONG i; if (Exports->ExportDirectory->NumberOfNames == 0) return ULONG_MAX; low = 0; high = Exports->ExportDirectory->NumberOfNames - 1; do { PCSTR name; INT comparison; i = (low + high) / 2; name = PhMappedImageRvaToVa( Exports->MappedImage, Exports->NamePointerTable[i], NULL ); if (!name) return ULONG_MAX; // TODO: Probe the name. comparison = strcmp(Name, name); if (comparison == 0) return i; else if (comparison < 0) high = i - 1; else low = i + 1; } while (low <= high); return ULONG_MAX; } /** * Retrieves the address of an exported function by name or ordinal. * * \param Exports A pointer to the export information structure. * \param Name The name of the exported function. Specify NULL to use Ordinal. * \param Ordinal The ordinal of the exported function. Specify 0 to use Name. * \param Function A pointer to a structure that receives the function information. * \return NTSTATUS Successful or errant status. * \retval STATUS_PROCEDURE_NOT_FOUND The function was not found. * \retval STATUS_INVALID_PARAMETER The forwarder name is invalid. * \remarks This function returns the RVA of the export. If the export is a forwarder, * the ForwardedName field will point to the forwarding string (e.g., "NTDLL.RtlAllocateHeap"). */ NTSTATUS PhGetMappedImageExportFunction( _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_opt_ PCSTR Name, _In_opt_ USHORT Ordinal, _Out_ PPH_MAPPED_IMAGE_EXPORT_FUNCTION Function ) { ULONG rva; if (Name) { ULONG index; index = PhLookupMappedImageExportName(Exports, Name); if (index == ULONG_MAX) return STATUS_PROCEDURE_NOT_FOUND; Ordinal = Exports->OrdinalTable[index] + (USHORT)Exports->ExportDirectory->Base; } Ordinal -= (USHORT)Exports->ExportDirectory->Base; if (Ordinal >= Exports->ExportDirectory->NumberOfFunctions) return STATUS_PROCEDURE_NOT_FOUND; rva = Exports->AddressTable[Ordinal]; if ( (rva >= Exports->DataDirectory->VirtualAddress) && (rva < Exports->DataDirectory->VirtualAddress + Exports->DataDirectory->Size) ) { // This is a forwarder RVA. Function->ForwardedName = PhMappedImageRvaToVa( Exports->MappedImage, rva, NULL ); if (!Function->ForwardedName) return STATUS_INVALID_PARAMETER; // TODO: Probe the name. Function->Function = UlongToPtr(rva); } else { Function->Function = UlongToPtr(rva); Function->ForwardedName = NULL; } return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageExportFunctionRemote( _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, _In_opt_ PCSTR Name, _In_opt_ USHORT Ordinal, _In_ PVOID RemoteBase, _Out_ PVOID *Function ) { ULONG rva; if (Name) { ULONG index; index = PhLookupMappedImageExportName(Exports, Name); if (index == ULONG_MAX) return STATUS_PROCEDURE_NOT_FOUND; Ordinal = Exports->OrdinalTable[index] + (USHORT)Exports->ExportDirectory->Base; } Ordinal -= (USHORT)Exports->ExportDirectory->Base; if (Ordinal >= Exports->ExportDirectory->NumberOfFunctions) return STATUS_PROCEDURE_NOT_FOUND; rva = Exports->AddressTable[Ordinal]; if ( (rva >= Exports->DataDirectory->VirtualAddress) && (rva < Exports->DataDirectory->VirtualAddress + Exports->DataDirectory->Size) ) { // This is a forwarder RVA. Not supported for remote lookup. return STATUS_NOT_SUPPORTED; } else { *Function = PTR_ADD_OFFSET(RemoteBase, rva); } return STATUS_SUCCESS; } /** * Retrieves import information from a mapped PE image. * * \param Imports A pointer to a structure that receives the import information. * \param MappedImage A pointer to the mapped image. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetMappedImageImports( _Out_ PPH_MAPPED_IMAGE_IMPORTS Imports, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_IMPORT_DESCRIPTOR descriptor; ULONG i; status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_IMPORT, &dataDirectory ); if (!NT_SUCCESS(status)) return status; descriptor = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!descriptor) return STATUS_INVALID_PARAMETER; Imports->MappedImage = MappedImage; Imports->Flags = 0; Imports->DescriptorTable = descriptor; // Do a scan to determine how many import descriptors there are. i = 0; __try { while (TRUE) { PhMappedImageProbe(MappedImage, descriptor, sizeof(IMAGE_IMPORT_DESCRIPTOR)); if (descriptor->OriginalFirstThunk == 0 && descriptor->FirstThunk == 0) break; descriptor++; i++; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } Imports->NumberOfDlls = i; return STATUS_SUCCESS; } /** * Retrieves information about a specific imported DLL by index. * * \param Imports A pointer to the import information structure. * \param Index The zero-based index of the imported DLL. * \param ImportDll A pointer to a structure that receives the import DLL information. * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER_2 The index is out of range. * \retval STATUS_INVALID_PARAMETER The DLL name or thunk data is invalid. * * \remarks This function retrieves the import descriptor, DLL name, and import/name tables * for a specific DLL. The lookup table (OriginalFirstThunk) contains import information, * while the address table (FirstThunk) is patched by the loader with actual addresses. */ NTSTATUS PhGetMappedImageImportDll( _In_ PPH_MAPPED_IMAGE_IMPORTS Imports, _In_ ULONG Index, _Out_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll ) { ULONG i; if (Index >= Imports->NumberOfDlls) return STATUS_INVALID_PARAMETER_2; ImportDll->MappedImage = Imports->MappedImage; ImportDll->Flags = Imports->Flags; if (!FlagOn(ImportDll->Flags, PH_MAPPED_IMAGE_DELAY_IMPORTS)) { ImportDll->Descriptor = &Imports->DescriptorTable[Index]; ImportDll->Name = PhMappedImageRvaToVa( ImportDll->MappedImage, ImportDll->Descriptor->Name, NULL ); if (!ImportDll->Name) return STATUS_INVALID_PARAMETER; // TODO: Probe the name. if (ImportDll->Descriptor->OriginalFirstThunk) { ImportDll->LookupTable = PhMappedImageRvaToVa( ImportDll->MappedImage, ImportDll->Descriptor->OriginalFirstThunk, NULL ); } else { ImportDll->LookupTable = PhMappedImageRvaToVa( ImportDll->MappedImage, ImportDll->Descriptor->FirstThunk, NULL ); } } else { ImportDll->DelayDescriptor = &Imports->DelayDescriptorTable[Index]; if (ImportDll->DelayDescriptor->Attributes.RvaBased) { ImportDll->Name = PhMappedImageRvaToVa( ImportDll->MappedImage, ImportDll->DelayDescriptor->DllNameRVA, NULL ); if (!ImportDll->Name) return STATUS_INVALID_PARAMETER; // TODO: Probe the name. ImportDll->LookupTable = PhMappedImageRvaToVa( ImportDll->MappedImage, ImportDll->DelayDescriptor->ImportNameTableRVA, NULL ); } else { ImportDll->Name = PhMappedImageVaToVa( ImportDll->MappedImage, ImportDll->DelayDescriptor->DllNameRVA, NULL ); if (!ImportDll->Name) return STATUS_INVALID_PARAMETER; // TODO: Probe the name. ImportDll->LookupTable = PhMappedImageVaToVa( ImportDll->MappedImage, ImportDll->DelayDescriptor->ImportNameTableRVA, NULL ); } } if (!ImportDll->LookupTable) return STATUS_INVALID_PARAMETER; // Do a scan to determine how many entries there are. i = 0; if (ImportDll->MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { UNALIGNED_PIMAGE_THUNK_DATA32 entry; entry = (UNALIGNED_PIMAGE_THUNK_DATA32)ImportDll->LookupTable; __try { while (TRUE) { PhMappedImageProbe(ImportDll->MappedImage, entry, sizeof(IMAGE_THUNK_DATA32)); if (entry->u1.AddressOfData == 0) break; entry++; i++; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } else if (ImportDll->MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { UNALIGNED_PIMAGE_THUNK_DATA64 entry; entry = (UNALIGNED_PIMAGE_THUNK_DATA64)ImportDll->LookupTable; __try { while (TRUE) { PhMappedImageProbe(ImportDll->MappedImage, entry, sizeof(IMAGE_THUNK_DATA64)); if (entry->u1.AddressOfData == 0) break; entry++; i++; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } else { return STATUS_INVALID_PARAMETER; } ImportDll->NumberOfEntries = i; return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageImportEntry( _In_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll, _In_ ULONG Index, _Out_ PPH_MAPPED_IMAGE_IMPORT_ENTRY Entry ) { PIMAGE_IMPORT_BY_NAME importByName; if (Index >= ImportDll->NumberOfEntries) return STATUS_INVALID_PARAMETER_2; if (ImportDll->MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { IMAGE_THUNK_DATA32 entry = ((PIMAGE_THUNK_DATA32)ImportDll->LookupTable)[Index]; if (IMAGE_SNAP_BY_ORDINAL32(entry.u1.Ordinal)) { Entry->Name = NULL; Entry->Ordinal = IMAGE_ORDINAL32(entry.u1.Ordinal); return STATUS_SUCCESS; } else { if (FlagOn(ImportDll->Flags, PH_MAPPED_IMAGE_DELAY_IMPORTS) && !ImportDll->DelayDescriptor->Attributes.RvaBased) { importByName = PhMappedImageVaToVa(ImportDll->MappedImage, entry.u1.AddressOfData, NULL); } else { importByName = PhMappedImageRvaToVa(ImportDll->MappedImage, entry.u1.AddressOfData, NULL); } } } else if (ImportDll->MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { IMAGE_THUNK_DATA64 entry = ((PIMAGE_THUNK_DATA64)ImportDll->LookupTable)[Index]; if (IMAGE_SNAP_BY_ORDINAL64(entry.u1.Ordinal)) { Entry->Name = NULL; Entry->Ordinal = IMAGE_ORDINAL64(entry.u1.Ordinal); return STATUS_SUCCESS; } else { if (FlagOn(ImportDll->Flags, PH_MAPPED_IMAGE_DELAY_IMPORTS) && !ImportDll->DelayDescriptor->Attributes.RvaBased) { importByName = PhMappedImageVaToVa(ImportDll->MappedImage, entry.u1.AddressOfData, NULL); } else { importByName = PhMappedImageRvaToVa(ImportDll->MappedImage, (ULONG)entry.u1.AddressOfData, NULL); } } } else { return STATUS_INVALID_PARAMETER; } if (!importByName) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(ImportDll->MappedImage, importByName, sizeof(IMAGE_IMPORT_BY_NAME)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } Entry->Name = (PSTR)importByName->Name; Entry->NameHint = importByName->Hint; // TODO: Probe the name. return STATUS_SUCCESS; } ULONG PhGetMappedImageImportEntryRva( _In_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll, _In_ ULONG Index, _In_ BOOLEAN DelayImport ) { ULONG rva = 0; //PVOID va; if (ImportDll->MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { if (DelayImport) { rva = ImportDll->DelayDescriptor->ImportAddressTableRVA + Index * sizeof(IMAGE_THUNK_DATA32); //va = PTR_ADD_OFFSET(ImportDll->MappedImage->NtHeaders32->OptionalHeader.ImageBase, rva); } else { rva = ImportDll->Descriptor->FirstThunk + Index * sizeof(IMAGE_THUNK_DATA32); //va = PTR_ADD_OFFSET(ImportDll->MappedImage->NtHeaders32->OptionalHeader.ImageBase, rva); } } else if (ImportDll->MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { if (DelayImport) { rva = ImportDll->DelayDescriptor->ImportAddressTableRVA + Index * sizeof(IMAGE_THUNK_DATA64); //va = PTR_ADD_OFFSET(ImportDll->MappedImage->NtHeaders->OptionalHeader.ImageBase, rva); } else { rva = ImportDll->Descriptor->FirstThunk + Index * sizeof(IMAGE_THUNK_DATA64); //va = PTR_ADD_OFFSET(ImportDll->MappedImage->NtHeaders->OptionalHeader.ImageBase, rva); } } return rva; } /** * Retrieves delay-load import information from a mapped PE image. * * \param Imports A pointer to a structure that receives the delay-load import information. * \param MappedImage A pointer to the mapped image. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetMappedImageDelayImports( _Out_ PPH_MAPPED_IMAGE_IMPORTS Imports, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_DELAYLOAD_DESCRIPTOR descriptor; ULONG i; Imports->MappedImage = MappedImage; Imports->Flags = PH_MAPPED_IMAGE_DELAY_IMPORTS; status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, &dataDirectory ); if (!NT_SUCCESS(status)) return status; descriptor = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!descriptor) return STATUS_INVALID_PARAMETER; Imports->DelayDescriptorTable = descriptor; // Do a scan to determine how many import descriptors there are. i = 0; __try { while (TRUE) { PhMappedImageProbe(MappedImage, descriptor, sizeof(PIMAGE_DELAYLOAD_DESCRIPTOR)); if (descriptor->ImportAddressTableRVA == 0 && descriptor->ImportNameTableRVA == 0) break; descriptor++; i++; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } Imports->NumberOfDlls = i; return STATUS_SUCCESS; } /** * Computes a partial checksum for PE image validation. * * \param Sum The initial sum value. * \param Buffer A pointer to the buffer to checksum. * \param Count The number of 16-bit words to process. * \return The computed checksum value. * \remarks This implements the standard PE checksum algorithm used by Windows loaders * to verify image integrity. The algorithm processes 16-bit words with carry folding. */ USHORT PhCheckSum( _In_ ULONG Sum, _In_reads_(Count) PUSHORT Buffer, _In_ ULONG Count ) { while (Count--) { Sum += *Buffer++; Sum = (Sum >> 16) + (Sum & 0xffff); } Sum = (Sum >> 16) + Sum; return (USHORT)Sum; } /** * Computes the checksum of a mapped PE image. * * \param MappedImage A pointer to the mapped image. * \return The computed checksum value. * \remarks This function calculates the PE image checksum using the standard algorithm. * The checksum field in the optional header is excluded from the calculation. The result * can be compared with OptionalHeader.CheckSum to verify image integrity. */ ULONG PhCheckSumMappedImage( _In_ PPH_MAPPED_IMAGE MappedImage ) { ULONG checkSum; USHORT partialSum; PUSHORT adjust; partialSum = PhCheckSum(0, (PUSHORT)MappedImage->ViewBase, (ULONG)(MappedImage->ViewSize + 1) / 2); // This is actually the same for 32-bit and 64-bit executables. adjust = (PUSHORT)&MappedImage->NtHeaders->OptionalHeader.CheckSum; // Subtract the existing check sum (with carry). partialSum -= partialSum < adjust[0]; partialSum -= adjust[0]; partialSum -= partialSum < adjust[1]; partialSum -= adjust[1]; checkSum = partialSum + (ULONG)MappedImage->ViewSize; return checkSum; } NTSTATUS PhGetMappedImageCfg64( _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_LOAD_CONFIG_DIRECTORY64 config64; if (!NT_SUCCESS(status = PhGetMappedImageLoadConfig64(MappedImage, &config64))) return status; // Not every load configuration defines CFG characteristics if (!RTL_CONTAINS_FIELD(config64, config64->Size, GuardFlags)) return STATUS_INVALID_VIEW_SIZE; CfgConfig->MappedImage = MappedImage; CfgConfig->EntrySize = RTL_FIELD_SIZE(IMAGE_CFG_ENTRY, Rva) + (ULONG)((config64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT); CfgConfig->CfgInstrumented = !!(config64->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED); CfgConfig->WriteIntegrityChecks = !!(config64->GuardFlags & IMAGE_GUARD_CFW_INSTRUMENTED); CfgConfig->CfgFunctionTablePresent = !!(config64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT); CfgConfig->SecurityCookieUnused = !!(config64->GuardFlags & IMAGE_GUARD_SECURITY_COOKIE_UNUSED); CfgConfig->ProtectDelayLoadedIat = !!(config64->GuardFlags & IMAGE_GUARD_PROTECT_DELAYLOAD_IAT); CfgConfig->DelayLoadInDidatSection = !!(config64->GuardFlags & IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION); CfgConfig->EnableExportSuppression = !!(config64->GuardFlags & IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION); CfgConfig->HasExportSuppressionInfos = !!(config64->GuardFlags & IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT); CfgConfig->CfgLongJumpTablePresent = !!(config64->GuardFlags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT); CfgConfig->NumberOfGuardFunctionEntries = config64->GuardCFFunctionCount; CfgConfig->GuardFunctionTable = PhMappedImageVaToVa( MappedImage, config64->GuardCFFunctionTable, NULL ); if (CfgConfig->GuardFunctionTable && CfgConfig->NumberOfGuardFunctionEntries) { __try { PhMappedImageProbe( MappedImage, CfgConfig->GuardFunctionTable, (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardFunctionEntries) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } CfgConfig->NumberOfGuardAdressIatEntries = 0; CfgConfig->GuardAdressIatTable = 0; if (RTL_CONTAINS_FIELD(config64, config64->Size, GuardAddressTakenIatEntryTable)) { CfgConfig->NumberOfGuardAdressIatEntries = config64->GuardAddressTakenIatEntryCount; CfgConfig->GuardAdressIatTable = PhMappedImageVaToVa( MappedImage, config64->GuardAddressTakenIatEntryTable, NULL ); if (CfgConfig->GuardAdressIatTable && CfgConfig->NumberOfGuardAdressIatEntries) { __try { PhMappedImageProbe( MappedImage, CfgConfig->GuardAdressIatTable, (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardAdressIatEntries) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } CfgConfig->NumberOfGuardLongJumpEntries = 0; CfgConfig->GuardLongJumpTable = 0; if (RTL_CONTAINS_FIELD(config64, config64->Size, GuardLongJumpTargetTable)) { CfgConfig->NumberOfGuardLongJumpEntries = config64->GuardLongJumpTargetCount; CfgConfig->GuardLongJumpTable = PhMappedImageVaToVa( MappedImage, config64->GuardLongJumpTargetTable, NULL ); if (CfgConfig->GuardLongJumpTable && CfgConfig->NumberOfGuardLongJumpEntries) { __try { PhMappedImageProbe( MappedImage, CfgConfig->GuardLongJumpTable, (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardLongJumpEntries) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageCfg32( _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_LOAD_CONFIG_DIRECTORY32 config32; if (!NT_SUCCESS(status = PhGetMappedImageLoadConfig32(MappedImage, &config32))) return status; // Not every load configuration defines CFG characteristics if (!RTL_CONTAINS_FIELD(config32, config32->Size, GuardFlags)) return STATUS_INVALID_VIEW_SIZE; CfgConfig->MappedImage = MappedImage; CfgConfig->EntrySize = RTL_FIELD_SIZE(IMAGE_CFG_ENTRY, Rva) + (ULONG)((config32->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT); CfgConfig->CfgInstrumented = !!(config32->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED); CfgConfig->WriteIntegrityChecks = !!(config32->GuardFlags & IMAGE_GUARD_CFW_INSTRUMENTED); CfgConfig->CfgFunctionTablePresent = !!(config32->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT); CfgConfig->SecurityCookieUnused = !!(config32->GuardFlags & IMAGE_GUARD_SECURITY_COOKIE_UNUSED); CfgConfig->ProtectDelayLoadedIat = !!(config32->GuardFlags & IMAGE_GUARD_PROTECT_DELAYLOAD_IAT); CfgConfig->DelayLoadInDidatSection = !!(config32->GuardFlags & IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION); CfgConfig->EnableExportSuppression = !!(config32->GuardFlags & IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION); CfgConfig->HasExportSuppressionInfos = !!(config32->GuardFlags & IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT); CfgConfig->CfgLongJumpTablePresent = !!(config32->GuardFlags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT); CfgConfig->NumberOfGuardFunctionEntries = config32->GuardCFFunctionCount; CfgConfig->GuardFunctionTable = PhMappedImageVaToVa( MappedImage, config32->GuardCFFunctionTable, NULL ); if (CfgConfig->GuardFunctionTable && CfgConfig->NumberOfGuardFunctionEntries) { __try { PhMappedImageProbe( MappedImage, CfgConfig->GuardFunctionTable, (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardFunctionEntries) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } CfgConfig->NumberOfGuardAdressIatEntries = 0; CfgConfig->GuardAdressIatTable = 0; if (RTL_CONTAINS_FIELD(config32, config32->Size, GuardAddressTakenIatEntryTable)) { CfgConfig->NumberOfGuardAdressIatEntries = config32->GuardAddressTakenIatEntryCount; CfgConfig->GuardAdressIatTable = PhMappedImageVaToVa( MappedImage, config32->GuardAddressTakenIatEntryTable, NULL ); if (CfgConfig->GuardAdressIatTable && CfgConfig->NumberOfGuardAdressIatEntries) { __try { PhMappedImageProbe( MappedImage, CfgConfig->GuardAdressIatTable, (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardAdressIatEntries) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } CfgConfig->NumberOfGuardLongJumpEntries = 0; CfgConfig->GuardLongJumpTable = 0; if (RTL_CONTAINS_FIELD(config32, config32->Size, GuardLongJumpTargetTable)) { CfgConfig->NumberOfGuardLongJumpEntries = config32->GuardLongJumpTargetCount; CfgConfig->GuardLongJumpTable = PhMappedImageVaToVa( MappedImage, config32->GuardLongJumpTargetTable, NULL ); if (CfgConfig->GuardLongJumpTable && CfgConfig->NumberOfGuardLongJumpEntries) { __try { PhMappedImageProbe( MappedImage, CfgConfig->GuardLongJumpTable, (SIZE_T)(CfgConfig->EntrySize * CfgConfig->NumberOfGuardLongJumpEntries) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageCfg( _Out_ PPH_MAPPED_IMAGE_CFG CfgConfig, _In_ PPH_MAPPED_IMAGE MappedImage ) { if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { return PhGetMappedImageCfg32(CfgConfig, MappedImage); } else { return PhGetMappedImageCfg64(CfgConfig, MappedImage); } } NTSTATUS PhGetMappedImageCfgEntry( _In_ PPH_MAPPED_IMAGE_CFG CfgConfig, _In_ ULONGLONG Index, _In_ CFG_ENTRY_TYPE Type, _Out_ PIMAGE_CFG_ENTRY Entry ) { PULONGLONG guardTable; ULONGLONG numberofGuardEntries; PIMAGE_CFG_ENTRY cfgMappedEntry; switch (Type) { case ControlFlowGuardFunction: { guardTable = CfgConfig->GuardFunctionTable; numberofGuardEntries = CfgConfig->NumberOfGuardFunctionEntries; } break; case ControlFlowGuardTakenIatEntry: { guardTable = CfgConfig->GuardAdressIatTable; numberofGuardEntries = CfgConfig->NumberOfGuardAdressIatEntries; } break; case ControlFlowGuardLongJump: { guardTable = CfgConfig->GuardLongJumpTable; numberofGuardEntries = CfgConfig->NumberOfGuardLongJumpEntries; } break; default: return STATUS_INVALID_PARAMETER_3; } if (!guardTable || Index >= numberofGuardEntries) return STATUS_PROCEDURE_NOT_FOUND; cfgMappedEntry = (PIMAGE_CFG_ENTRY)PTR_ADD_OFFSET(guardTable, Index * CfgConfig->EntrySize); Entry->Rva = cfgMappedEntry->Rva; // Optional header after the rva entry if (CfgConfig->EntrySize > RTL_FIELD_SIZE(IMAGE_CFG_ENTRY, Rva)) { Entry->SuppressedCall = cfgMappedEntry->SuppressedCall; Entry->ExportSuppressed = cfgMappedEntry->ExportSuppressed; Entry->LangExcptHandler = cfgMappedEntry->LangExcptHandler; Entry->Xfg = cfgMappedEntry->Xfg; Entry->Reserved = cfgMappedEntry->Reserved; if (cfgMappedEntry->Xfg) { // XFG hashes are offset from the rva (dmex) PVOID cfgFunctionOffset = PTR_ADD_OFFSET(CfgConfig->MappedImage->ViewBase, Entry->Rva); Entry->XfgHash = *(PULONG64)PTR_SUB_OFFSET(cfgFunctionOffset, sizeof(ULONG64)); } } return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageResources( _Out_ PPH_MAPPED_IMAGE_RESOURCES Resources, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_RESOURCE_DIRECTORY resourceDirectory; PIMAGE_RESOURCE_DIRECTORY nameDirectory; PIMAGE_RESOURCE_DIRECTORY languageDirectory; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceType; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceName; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceLanguage; ULONG resourceCount = 0; ULONG resourceTypeCount; ULONG resourceNameCount; ULONG resourceLanguageCount; PH_ARRAY resourceArray; // Get a pointer to the resource directory. status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_RESOURCE, &dataDirectory ); if (!NT_SUCCESS(status)) return status; resourceDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!resourceDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, resourceDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // NOTE: We can't use LdrEnumResources here because we're using an image mapped with SEC_COMMIT. // Do a scan to determine how many resources there are. resourceType = PTR_ADD_OFFSET(resourceDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceTypeCount = resourceDirectory->NumberOfNamedEntries + resourceDirectory->NumberOfIdEntries; for (ULONG i = 0; i < resourceTypeCount; ++i, ++resourceType) { if (!resourceType->DataIsDirectory) continue; // return STATUS_RESOURCE_TYPE_NOT_FOUND; nameDirectory = PTR_ADD_OFFSET(resourceDirectory, resourceType->OffsetToDirectory); resourceName = PTR_ADD_OFFSET(nameDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceNameCount = nameDirectory->NumberOfNamedEntries + nameDirectory->NumberOfIdEntries; for (ULONG j = 0; j < resourceNameCount; ++j, ++resourceName) { if (!resourceName->DataIsDirectory) continue; // return STATUS_RESOURCE_NAME_NOT_FOUND; languageDirectory = PTR_ADD_OFFSET(resourceDirectory, resourceName->OffsetToDirectory); resourceLanguage = PTR_ADD_OFFSET(languageDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceLanguageCount = languageDirectory->NumberOfNamedEntries + languageDirectory->NumberOfIdEntries; for (ULONG k = 0; k < resourceLanguageCount; ++k, ++resourceLanguage) { if (resourceLanguage->DataIsDirectory) continue; // return STATUS_RESOURCE_DATA_NOT_FOUND; resourceCount++; } } } if (resourceCount == 0) return STATUS_INVALID_IMAGE_FORMAT; // Allocate the number of resources. PhInitializeArray(&resourceArray, sizeof(PH_IMAGE_RESOURCE_ENTRY), resourceCount); // Enumerate the resources adding them into our buffer. resourceType = PTR_ADD_OFFSET(resourceDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceTypeCount = resourceDirectory->NumberOfNamedEntries + resourceDirectory->NumberOfIdEntries; for (ULONG i = 0; i < resourceTypeCount; ++i, ++resourceType) { if (!resourceType->DataIsDirectory) continue; nameDirectory = PTR_ADD_OFFSET(resourceDirectory, resourceType->OffsetToDirectory); resourceName = PTR_ADD_OFFSET(nameDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceNameCount = nameDirectory->NumberOfNamedEntries + nameDirectory->NumberOfIdEntries; for (ULONG j = 0; j < resourceNameCount; ++j, ++resourceName) { if (!resourceName->DataIsDirectory) continue; languageDirectory = PTR_ADD_OFFSET(resourceDirectory, resourceName->OffsetToDirectory); resourceLanguage = PTR_ADD_OFFSET(languageDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceLanguageCount = languageDirectory->NumberOfNamedEntries + languageDirectory->NumberOfIdEntries; for (ULONG k = 0; k < resourceLanguageCount; ++k, ++resourceLanguage) { PIMAGE_RESOURCE_DATA_ENTRY resourceData; if (resourceLanguage->DataIsDirectory) continue; resourceData = PTR_ADD_OFFSET(resourceDirectory, resourceLanguage->OffsetToData); { PH_IMAGE_RESOURCE_ENTRY entry; entry.Type = NAME_FROM_RESOURCE_ENTRY(resourceDirectory, resourceType); entry.Name = NAME_FROM_RESOURCE_ENTRY(resourceDirectory, resourceName); entry.Language = NAME_FROM_RESOURCE_ENTRY(resourceDirectory, resourceLanguage); entry.Offset = resourceData->OffsetToData; entry.Size = resourceData->Size; entry.CodePage = resourceData->CodePage; //entry.Data = PhMappedImageRvaToVa(MappedImage, resourceData->OffsetToData, NULL); PhAddItemArray(&resourceArray, &entry); } } } } Resources->MappedImage = MappedImage; Resources->DataDirectory = dataDirectory; Resources->ResourceDirectory = resourceDirectory; Resources->NumberOfEntries = (ULONG)PhFinalArrayCount(&resourceArray); // resourceCount; Resources->ResourceEntries = PhFinalArrayItems(&resourceArray); return status; } NTSTATUS PhGetMappedImageResource( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PCWSTR Name, _In_ PCWSTR Type, _In_opt_ USHORT Language, _Out_opt_ PULONG ResourceLength, _Out_opt_ PVOID* ResourceBuffer ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_RESOURCE_DIRECTORY resourceDirectory; PIMAGE_RESOURCE_DIRECTORY nameDirectory; PIMAGE_RESOURCE_DIRECTORY languageDirectory; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceType; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceName; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceLanguage; ULONG resourceTypeCount; ULONG resourceNameCount; ULONG resourceLanguageCount; // Get a pointer to the resource directory. status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_RESOURCE, &dataDirectory ); if (!NT_SUCCESS(status)) return status; resourceDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!resourceDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, resourceDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } resourceType = PTR_ADD_OFFSET(resourceDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceTypeCount = resourceDirectory->NumberOfNamedEntries + resourceDirectory->NumberOfIdEntries; for (ULONG i = 0; i < resourceTypeCount; ++i, ++resourceType) { if (!resourceType->DataIsDirectory) continue; nameDirectory = PTR_ADD_OFFSET(resourceDirectory, resourceType->OffsetToDirectory); resourceName = PTR_ADD_OFFSET(nameDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceNameCount = nameDirectory->NumberOfNamedEntries + nameDirectory->NumberOfIdEntries; for (ULONG j = 0; j < resourceNameCount; ++j, ++resourceName) { if (!resourceName->DataIsDirectory) continue; languageDirectory = PTR_ADD_OFFSET(resourceDirectory, resourceName->OffsetToDirectory); resourceLanguage = PTR_ADD_OFFSET(languageDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceLanguageCount = languageDirectory->NumberOfNamedEntries + languageDirectory->NumberOfIdEntries; for (ULONG k = 0; k < resourceLanguageCount; ++k, ++resourceLanguage) { PIMAGE_RESOURCE_DATA_ENTRY resourceData; if (resourceLanguage->DataIsDirectory) continue; if (IS_INTRESOURCE(Type)) { if (resourceType->NameIsString) continue; if (resourceType->Id != PtrToUshort(Type)) continue; } else { PIMAGE_RESOURCE_DIR_STRING_U resourceString; PH_STRINGREF string1; PH_STRINGREF string2; if (!resourceType->NameIsString) continue; resourceString = PTR_ADD_OFFSET(resourceDirectory, resourceType->NameOffset); string1.Buffer = resourceString->NameString; string1.Length = resourceString->Length * sizeof(WCHAR); PhInitializeStringRefLongHint(&string2, Type); if (!PhEqualStringRef(&string1, &string2, TRUE)) continue; } if (IS_INTRESOURCE(Name)) { if (resourceName->NameIsString) continue; if (resourceName->Id != PtrToUshort(Name)) continue; } else { PIMAGE_RESOURCE_DIR_STRING_U resourceString; PH_STRINGREF string1; PH_STRINGREF string2; if (!resourceName->NameIsString) continue; resourceString = PTR_ADD_OFFSET(resourceDirectory, resourceName->NameOffset); string1.Buffer = resourceString->NameString; string1.Length = resourceString->Length * sizeof(WCHAR); PhInitializeStringRefLongHint(&string2, Name); if (!PhEqualStringRef(&string1, &string2, TRUE)) continue; } if (Language) { if (resourceLanguage->NameIsString) continue; if (resourceLanguage->Id != Language) continue; } resourceData = PTR_ADD_OFFSET(resourceDirectory, resourceLanguage->OffsetToData); if (ResourceLength) { *ResourceLength = resourceData->Size; } if (ResourceBuffer) { *ResourceBuffer = PhMappedImageRvaToVa(MappedImage, resourceData->OffsetToData, NULL); } return STATUS_SUCCESS; } } } return STATUS_UNSUCCESSFUL; } NTSTATUS PhGetMappedImageResourceIndex( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_RESOURCE_DIRECTORY ResourceDirectory, _In_ LONG ResourceIndex, _In_ PCWSTR ResourceType, _Out_opt_ ULONG* ResourceLength, _Out_opt_ PVOID* ResourceBuffer ) { ULONG resourceIndex; ULONG resourceCount; PVOID resourceBuffer; PIMAGE_RESOURCE_DIRECTORY nameDirectory; PIMAGE_RESOURCE_DIRECTORY languageDirectory; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceType; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceName; PIMAGE_RESOURCE_DIRECTORY_ENTRY resourceLanguage; PIMAGE_RESOURCE_DATA_ENTRY resourceData; // Find the type resourceCount = ResourceDirectory->NumberOfIdEntries + ResourceDirectory->NumberOfNamedEntries; resourceType = PTR_ADD_OFFSET(ResourceDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); for (resourceIndex = 0; resourceIndex < resourceCount; resourceIndex++) { if (resourceType[resourceIndex].NameIsString) continue; if (resourceType[resourceIndex].Name == PtrToUlong(ResourceType)) break; } if (resourceIndex == resourceCount) return STATUS_RESOURCE_TYPE_NOT_FOUND; if (!resourceType[resourceIndex].DataIsDirectory) return STATUS_RESOURCE_TYPE_NOT_FOUND; // Find the name nameDirectory = PTR_ADD_OFFSET(ResourceDirectory, resourceType[resourceIndex].OffsetToDirectory); resourceCount = nameDirectory->NumberOfIdEntries + nameDirectory->NumberOfNamedEntries; resourceName = PTR_ADD_OFFSET(nameDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); if (ResourceIndex < 0) // RT_ICON and DEVPKEY_DeviceClass_IconPath { for (resourceIndex = 0; resourceIndex < resourceCount; resourceIndex++) { if (resourceName[resourceIndex].NameIsString) continue; if (resourceName[resourceIndex].Name == (ULONG)-ResourceIndex) break; } } else // RT_GROUP_ICON { resourceIndex = ResourceIndex; } if (resourceIndex >= resourceCount) return STATUS_RESOURCE_NAME_NOT_FOUND; if (!resourceName[resourceIndex].DataIsDirectory) return STATUS_RESOURCE_NAME_NOT_FOUND; // Find the language languageDirectory = PTR_ADD_OFFSET(ResourceDirectory, resourceName[resourceIndex].OffsetToDirectory); //resourceCount = languageDirectory->NumberOfIdEntries + languageDirectory->NumberOfNamedEntries; resourceLanguage = PTR_ADD_OFFSET(languageDirectory, sizeof(IMAGE_RESOURCE_DIRECTORY)); resourceIndex = 0; // use the first entry if (resourceLanguage[resourceIndex].DataIsDirectory) return STATUS_RESOURCE_LANG_NOT_FOUND; resourceData = PTR_ADD_OFFSET(ResourceDirectory, resourceLanguage[resourceIndex].OffsetToData); if (!resourceData) return STATUS_RESOURCE_DATA_NOT_FOUND; resourceBuffer = PhMappedImageRvaToVa(MappedImage, resourceData->OffsetToData, NULL); if (!resourceBuffer) return STATUS_RESOURCE_DATA_NOT_FOUND; if (ResourceLength) *ResourceLength = resourceData->Size; if (ResourceBuffer) *ResourceBuffer = resourceBuffer; // if (LDR_IS_IMAGEMAPPING(ImageBaseAddress)) // PhLoaderEntryImageRvaToVa(ImageBaseAddress, resourceData->OffsetToData, resourceBuffer); // PhLoadResource(ImageBaseAddress, MAKEINTRESOURCE(ResourceIndex), ResourceType, &resourceLength, &resourceBuffer); return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageTlsCallbackDirectory32( _Out_ PPH_MAPPED_IMAGE_TLS_CALLBACKS TlsCallbacks, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_TLS_DIRECTORY32 tlsDirectory; ULONG tlsCallbacksOffset; // Get a pointer to the TLS directory. status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_TLS, &dataDirectory ); if (!NT_SUCCESS(status)) return status; tlsDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!tlsDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, tlsDirectory, sizeof(IMAGE_TLS_DIRECTORY32)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } TlsCallbacks->DataDirectory = dataDirectory; TlsCallbacks->TlsDirectory32 = tlsDirectory; if (tlsDirectory->StartAddressOfRawData > MappedImage->NtHeaders32->OptionalHeader.ImageBase) tlsCallbacksOffset = MappedImage->NtHeaders32->OptionalHeader.ImageBase; else tlsCallbacksOffset = 0; //TlsCallbacks->CallbackIndexes = PhMappedImageRvaToVa(MappedImage, PtrToUlong(PTR_SUB_OFFSET(tlsDirectory->AddressOfIndex, tlsCallbacksOffset)), NULL); TlsCallbacks->CallbackAddress = PhMappedImageRvaToVa(MappedImage, (tlsDirectory->AddressOfCallBacks - tlsCallbacksOffset), NULL); if (TlsCallbacks->CallbackAddress) return STATUS_SUCCESS; return STATUS_INVALID_PARAMETER; } NTSTATUS PhGetMappedImageTlsCallbackDirectory64( _Out_ PPH_MAPPED_IMAGE_TLS_CALLBACKS TlsCallbacks, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_TLS_DIRECTORY64 tlsDirectory; ULONG_PTR tlsCallbacksOffset; // Get a pointer to the TLS directory. status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_TLS, &dataDirectory ); if (!NT_SUCCESS(status)) return status; tlsDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!tlsDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, tlsDirectory, sizeof(IMAGE_TLS_DIRECTORY64)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } TlsCallbacks->DataDirectory = dataDirectory; TlsCallbacks->TlsDirectory64 = tlsDirectory; if (tlsDirectory->StartAddressOfRawData > MappedImage->NtHeaders->OptionalHeader.ImageBase) tlsCallbacksOffset = MappedImage->NtHeaders->OptionalHeader.ImageBase; else tlsCallbacksOffset = 0; //TlsCallbacks->CallbackIndexes = PhMappedImageRvaToVa(MappedImage, PtrToUlong(PTR_SUB_OFFSET(tlsDirectory->AddressOfIndex, tlsCallbacksOffset)), NULL); TlsCallbacks->CallbackAddress = PhMappedImageRvaToVa(MappedImage, PtrToUlong(PTR_SUB_OFFSET(tlsDirectory->AddressOfCallBacks, tlsCallbacksOffset)), NULL); if (TlsCallbacks->CallbackAddress) return STATUS_SUCCESS; return STATUS_INVALID_PARAMETER; } NTSTATUS PhGetMappedImageTlsCallbacks( _Out_ PPH_MAPPED_IMAGE_TLS_CALLBACKS TlsCallbacks, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; ULONG count = 0; PH_ARRAY entryArray; // Get a pointer to the TLS directory. if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) status = PhGetMappedImageTlsCallbackDirectory32(TlsCallbacks, MappedImage); else status = PhGetMappedImageTlsCallbackDirectory64(TlsCallbacks, MappedImage); if (!NT_SUCCESS(status)) return status; // Do a scan to determine how many callbacks there are. if (TlsCallbacks->CallbackAddress) { if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PULONG array = (PULONG)(PULONG_PTR)TlsCallbacks->CallbackAddress; for (ULONG i = 0; array[i]; i++) count++; } else { PULONGLONG array = (PULONGLONG)(PULONG_PTR)TlsCallbacks->CallbackAddress; for (ULONG i = 0; array[i]; i++) count++; } } if (count == 0) return STATUS_INVALID_IMAGE_FORMAT; // Allocate the number of TLS callbacks. PhInitializeArray(&entryArray, sizeof(PH_IMAGE_TLS_CALLBACK_ENTRY), count); // Add the TLS callbacks into our buffer. if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PULONG array = (PULONG)(PULONG_PTR)TlsCallbacks->CallbackAddress; for (ULONG i = 0; i < count; i++) { PH_IMAGE_TLS_CALLBACK_ENTRY entry; entry.Address = array[i]; entry.Index = 0; // CallbackIndexes PhAddItemArray(&entryArray, &entry); } } else { PULONGLONG array = (PULONGLONG)(PULONG_PTR)TlsCallbacks->CallbackAddress; for (ULONG i = 0; i < count; i++) { PH_IMAGE_TLS_CALLBACK_ENTRY entry; entry.Address = array[i]; entry.Index = 0; // CallbackIndexes PhAddItemArray(&entryArray, &entry); } } TlsCallbacks->NumberOfEntries = count; TlsCallbacks->Entries = PhFinalArrayItems(&entryArray); return status; } NTSTATUS PhGetMappedImageProdIdHeader( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_PRODID ProdIdHeader ) { PIMAGE_DOS_HEADER imageDosHeader = NULL; PIMAGE_NT_HEADERS imageNtHeader = NULL; PPRODITEM richHeaderStart = NULL; // PTR_ADD_OFFSET(imageDosHeader, 0x80) PPRODITEM richHeaderEnd = NULL; // PTR_SUB_OFFSET(imageNtHeader, 0x0); PPRODITEM richHeaderChecksum = NULL; // PTR_SUB_OFFSET(imageNtHeader, 0x10); ULONG ntHeadersOffset = ULONG_MAX; ULONG richHeaderKey = ULONG_MAX; ULONG richHeaderValue = ULONG_MAX; ULONG richStartSignature = ULONG_MAX; ULONG richEndSignature = ULONG_MAX; ULONG richHeaderStartOffset = ULONG_MAX; ULONG richHeaderEndOffset = ULONG_MAX; ULONG richHeaderLength = ULONG_MAX; PH_ARRAY richHeaderEntryArray; imageDosHeader = (PIMAGE_DOS_HEADER)MappedImage->ViewBase; if (imageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return STATUS_INVALID_IMAGE_NOT_MZ; ntHeadersOffset = (ULONG)imageDosHeader->e_lfanew; if (ntHeadersOffset == 0 || ntHeadersOffset >= RTL_IMAGE_MAX_DOS_HEADER) return STATUS_INVALID_IMAGE_FORMAT; imageNtHeader = PTR_ADD_OFFSET(MappedImage->ViewBase, ntHeadersOffset); if (imageNtHeader->Signature == IMAGE_NT_SIGNATURE) { PBYTE startHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, ntHeadersOffset); PBYTE endHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, sizeof(IMAGE_DOS_HEADER)); for (PBYTE i = startHeaderAddress; i >= endHeaderAddress; i -= sizeof(ULONG)) { __try { if (*(PULONG)i == ProdIdTagStart) { richHeaderEndOffset = PtrToUlong(PTR_SUB_OFFSET(i, MappedImage->ViewBase)); break; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } if (richHeaderEndOffset == ULONG_MAX) return STATUS_FAIL_CHECK; richHeaderChecksum = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderEndOffset); __try { PhMappedImageProbe(MappedImage, richHeaderChecksum, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richHeaderKey = richHeaderChecksum->dwCount; richStartSignature = richHeaderChecksum->dwProdid; if (richHeaderKey && richStartSignature) { PBYTE startHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, ntHeadersOffset); PBYTE endHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, sizeof(IMAGE_DOS_HEADER)); for (PBYTE i = startHeaderAddress; i >= endHeaderAddress; i -= sizeof(ULONG)) { __try { if ((*(PULONG)i ^ richHeaderKey) == ProdIdTagEnd) { richHeaderStartOffset = PtrToUlong(PTR_SUB_OFFSET(i, MappedImage->ViewBase)); break; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } if (richHeaderStartOffset == ULONG_MAX) return STATUS_FAIL_CHECK; richHeaderValue = richHeaderStartOffset; richHeaderStart = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderStartOffset); __try { PhMappedImageProbe(MappedImage, richHeaderStart, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richHeaderEnd = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderEndOffset + sizeof(PRODITEM)); __try { PhMappedImageProbe(MappedImage, richHeaderEnd, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richHeaderLength = PtrToUlong(PTR_SUB_OFFSET(richHeaderEnd, richHeaderStart)); richEndSignature = richHeaderStart->dwProdid ^ richHeaderKey; if (richStartSignature == ProdIdTagStart && richEndSignature == ProdIdTagEnd) { PPH_STRING hashRawContentString = NULL; PPH_STRING hashContentString = NULL; ULONG currentCount = 0; PBYTE currentAddress; PBYTE currentEnd; PBYTE offset; currentAddress = PTR_ADD_OFFSET(richHeaderStart, 0); currentEnd = PTR_SUB_OFFSET(richHeaderEnd, 0); __try { PH_HASH_CONTEXT hashContext; PPH_STRING hashString = NULL; if (NT_SUCCESS(PhInitializeHash(&hashContext, Md5HashAlgorithm))) { if (NT_SUCCESS(PhUpdateHash(&hashContext, richHeaderStart, richHeaderLength))) { if (NT_SUCCESS(PhFinalHashString(&hashContext, &hashString))) { hashRawContentString = hashString; } } } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } if (PhIsNullOrEmptyString(hashRawContentString)) return STATUS_FAIL_CHECK; // VT creates a different hash based on the decrypted header while other tools // (including this one) create the hash based on the raw header. So create a second hash // from the decrypted header so we can show and search both hashes (dmex) { PVOID richHeaderContentEnd; ULONG richHeaderContentLength; PULONG richHeaderContentBuffer; PULONG richHeaderContentOffset; PH_HASH_CONTEXT hashContext; UCHAR hash[PH_HASH_MD5_LENGTH]; // Recalculate the length needed for the hash since VT doesn't include the remaining entry. richHeaderContentEnd = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderEndOffset); richHeaderContentLength = PtrToUlong(PTR_SUB_OFFSET(richHeaderContentEnd, richHeaderStart)); // We already probed above so this isn't really needed but probe again just to be sure. __try { PhMappedImageProbe(MappedImage, richHeaderStart, richHeaderContentLength); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richHeaderContentBuffer = PhAllocateZero(richHeaderContentLength); memcpy(richHeaderContentBuffer, richHeaderStart, richHeaderContentLength); // Walk the buffer and decrypt the entire thing. Based on the same loop used by yara: // https://github.com/VirusTotal/yara/blob/master/libyara/modules/pe/pe.c#L251-L259 for ( richHeaderContentOffset = richHeaderContentBuffer; richHeaderContentOffset < (PULONG)PTR_ADD_OFFSET(richHeaderContentBuffer, richHeaderContentLength); richHeaderContentOffset++ ) { *richHeaderContentOffset ^= richHeaderKey; } if (NT_SUCCESS(PhInitializeHash(&hashContext, Md5HashAlgorithm))) { if (NT_SUCCESS(PhUpdateHash(&hashContext, richHeaderContentBuffer, richHeaderContentLength))) { if (NT_SUCCESS(PhFinalHash(&hashContext, hash, sizeof(hash), NULL))) { hashContentString = PhBufferToHexString(hash, sizeof(hash)); } } } PhFree(richHeaderContentBuffer); } if (PhIsNullOrEmptyString(hashContentString)) return STATUS_FAIL_CHECK; // Do a scan to determine how many entries there are. for (offset = currentAddress; offset < currentEnd; offset += sizeof(PRODITEM)) { currentCount++; } // Compute the DOS header and DOS stub checksums. for (ULONG i = 0; i < richHeaderStartOffset; i++) { BYTE value; // Skip the e_lfanew field. if (i >= UFIELD_OFFSET(IMAGE_DOS_HEADER, e_lfanew) && i <= UFIELD_OFFSET(IMAGE_DOS_HEADER, e_lfanew) + RTL_FIELD_SIZE(IMAGE_DOS_HEADER, e_lfanew) - sizeof(BYTE)) { continue; } __try { value = *(PBYTE)PTR_ADD_OFFSET(imageDosHeader, UInt32x32To64(i, sizeof(BYTE))); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richHeaderValue += _rotl(value, i); } // Compute each of the RICH entry value checksums. for (ULONG i = 0; i < currentCount; i++) { PPRODITEM entry; ULONG prodid; ULONG count; entry = PTR_ADD_OFFSET(currentAddress, UInt32x32To64(i, sizeof(PRODITEM))); __try { PhMappedImageProbe(MappedImage, entry, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } prodid = entry->dwProdid ^ richHeaderKey; count = entry->dwCount ^ richHeaderKey; if (count > 0 && count != richHeaderKey) { richHeaderValue += _rotl((ProdidFromDwProdid(prodid) << 16 | WBuildFromDwProdid(prodid)), count & 0x1F); } } // Allocate the number of product entries. PhInitializeArray(&richHeaderEntryArray, sizeof(PH_MAPPED_IMAGE_PRODID_ENTRY), currentCount); // Add the product entries into our buffer. for (ULONG i = 0; i < currentCount; i++) { PPRODITEM item = PTR_ADD_OFFSET(currentAddress, UInt32x32To64(i, sizeof(PRODITEM))); __try { PhMappedImageProbe(MappedImage, item, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // The prodid header can include 3 extra checksum values. Ignore these for now (dmex) if ((item->dwCount ^ richHeaderKey) != richHeaderKey) { PH_MAPPED_IMAGE_PRODID_ENTRY entry; entry.ProductId = ProdidFromDwProdid(item->dwProdid ^ richHeaderKey); entry.ProductBuild = WBuildFromDwProdid(item->dwProdid ^ richHeaderKey); entry.ProductCount = item->dwCount ^ richHeaderKey; PhAddItemArray(&richHeaderEntryArray, &entry); } } //PhPrintPointer(ProdIdHeader->Key, UlongToPtr(richHeaderKey)); ProdIdHeader->Valid = richHeaderKey == richHeaderValue; ProdIdHeader->Key = PhFormatString(L"%lx", richHeaderKey); ProdIdHeader->RawHash = hashRawContentString; ProdIdHeader->Hash = hashContentString; ProdIdHeader->NumberOfEntries = currentCount; ProdIdHeader->ProdIdEntries = PhFinalArrayItems(&richHeaderEntryArray); //for (offset = currentAddress; offset < currentEnd; offset += sizeof(PRODITEM)) //{ // PPRODITEM entry = (PPRODITEM)offset; // ULONG prodid = ProdidFromDwProdid(entry->dwProdid ^ richHeaderKey); // ULONG build = WBuildFromDwProdid(entry->dwProdid ^ richHeaderKey); // ULONG count = entry->dwCount ^ richHeaderKey; // dprintf("%x %x %x\n", prodid, build, count); //} return STATUS_SUCCESS; } return STATUS_FAIL_CHECK; } NTSTATUS PhGetMappedImageProdIdExtents( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PULONG ProdIdHeaderStart, _Out_ PULONG ProdIdHeaderEnd ) { PIMAGE_DOS_HEADER imageDosHeader = NULL; PIMAGE_NT_HEADERS imageNtHeader = NULL; PPRODITEM richHeaderStart = NULL; PPRODITEM richHeaderEnd = NULL; PPRODITEM richHeaderChecksum = NULL; ULONG ntHeadersOffset = ULONG_MAX; ULONG richHeaderKey = ULONG_MAX; ULONG richStartSignature = ULONG_MAX; ULONG richEndSignature = ULONG_MAX; ULONG richHeaderStartOffset = ULONG_MAX; ULONG richHeaderEndOffset = ULONG_MAX; imageDosHeader = (PIMAGE_DOS_HEADER)MappedImage->ViewBase; if (imageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return STATUS_INVALID_IMAGE_NOT_MZ; ntHeadersOffset = (ULONG)imageDosHeader->e_lfanew; if (ntHeadersOffset == 0 || ntHeadersOffset >= RTL_IMAGE_MAX_DOS_HEADER) return STATUS_INVALID_IMAGE_FORMAT; imageNtHeader = PTR_ADD_OFFSET(MappedImage->ViewBase, ntHeadersOffset); if (imageNtHeader->Signature == IMAGE_NT_SIGNATURE) { PBYTE startHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, ntHeadersOffset); PBYTE endHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, sizeof(IMAGE_DOS_HEADER)); for (PBYTE i = startHeaderAddress; i >= endHeaderAddress; i -= sizeof(ULONG)) { __try { if (*(PULONG)i == ProdIdTagStart) { richHeaderEndOffset = PtrToUlong(PTR_SUB_OFFSET(i, MappedImage->ViewBase)); break; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } if (richHeaderEndOffset == ULONG_MAX) return STATUS_FAIL_CHECK; richHeaderChecksum = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderEndOffset); __try { PhMappedImageProbe(MappedImage, richHeaderChecksum, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richHeaderKey = richHeaderChecksum->dwCount; richStartSignature = richHeaderChecksum->dwProdid; if (richHeaderKey && richStartSignature) { PBYTE startHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, ntHeadersOffset); PBYTE endHeaderAddress = PTR_ADD_OFFSET(MappedImage->ViewBase, sizeof(IMAGE_DOS_HEADER)); for (PBYTE i = startHeaderAddress; i >= endHeaderAddress; i -= sizeof(ULONG)) { __try { if ((*(PULONG)i ^ richHeaderKey) == ProdIdTagEnd) { richHeaderStartOffset = PtrToUlong(PTR_SUB_OFFSET(i, MappedImage->ViewBase)); break; } } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } } if (richHeaderStartOffset == ULONG_MAX) return STATUS_FAIL_CHECK; richHeaderStart = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderStartOffset); __try { PhMappedImageProbe(MappedImage, richHeaderStart, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richHeaderEnd = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderEndOffset + sizeof(PRODITEM)); __try { PhMappedImageProbe(MappedImage, richHeaderEnd, sizeof(PRODITEM)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } richEndSignature = richHeaderStart->dwProdid ^ richHeaderKey; if (richStartSignature == ProdIdTagStart && richEndSignature == ProdIdTagEnd) { ULONG richHeaderTotalLength; ULONG currentCount = 0; PBYTE currentAddress; PBYTE currentEnd; PBYTE offset; currentAddress = PTR_ADD_OFFSET(richHeaderStart, 0); currentEnd = PTR_SUB_OFFSET(richHeaderEnd, 0); // Do a scan to determine how many entries there are. for (offset = currentAddress; offset < currentEnd; offset += sizeof(PRODITEM)) { currentCount++; } // Calculate rich header and rich header padding. (Todo: Generate richHeaderKey and validate). richHeaderTotalLength = (richHeaderKey >> 5) % 3; richHeaderTotalLength += currentCount - 3; // remove 3 fixed checksum entries. richHeaderTotalLength *= sizeof(PRODITEM); richHeaderTotalLength += sizeof(PRODITEM) * 4; // add 3 fixed checksums and 1 null entry (0x20). richHeaderTotalLength += richHeaderStartOffset; // If we assert then the image has hidden data or the rich format changed. assert(richHeaderTotalLength == ntHeadersOffset); *ProdIdHeaderStart = richHeaderStartOffset; *ProdIdHeaderEnd = richHeaderTotalLength; return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } NTSTATUS PhGetMappedImageDebug( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_DEBUG Debug ) { NTSTATUS status; ULONG currentCount; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_DEBUG_DIRECTORY debugDirectory; PH_ARRAY debugEntryArray; status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_DEBUG, &dataDirectory ); if (!NT_SUCCESS(status)) return status; debugDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!debugDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, debugDirectory, sizeof(IMAGE_DEBUG_DIRECTORY)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } currentCount = dataDirectory->Size / sizeof(IMAGE_DEBUG_DIRECTORY); // Allocate the number of debug entries. PhInitializeArray(&debugEntryArray, sizeof(PH_IMAGE_DEBUG_ENTRY), currentCount); // Add the debug entries into our buffer. for (ULONG i = 0; i < currentCount; i++) { PIMAGE_DEBUG_DIRECTORY item = PTR_ADD_OFFSET(debugDirectory, UInt32x32To64(i, sizeof(IMAGE_DEBUG_DIRECTORY))); __try { PhMappedImageProbe(MappedImage, item, sizeof(IMAGE_DEBUG_DIRECTORY)); } __except (EXCEPTION_EXECUTE_HANDLER) { break; } PH_IMAGE_DEBUG_ENTRY entry; entry.Characteristics = item->Characteristics; entry.TimeDateStamp = item->TimeDateStamp; entry.MajorVersion = item->MajorVersion; entry.MinorVersion = item->MinorVersion; entry.Type = item->Type; entry.SizeOfData = item->SizeOfData; entry.AddressOfRawData = item->AddressOfRawData; entry.PointerToRawData = item->PointerToRawData; PhAddItemArray(&debugEntryArray, &entry); } Debug->MappedImage = MappedImage; Debug->DataDirectory = dataDirectory; Debug->DebugDirectory = debugDirectory; Debug->NumberOfEntries = currentCount; Debug->DebugEntries = PhFinalArrayItems(&debugEntryArray); return status; } NTSTATUS PhGetMappedImageDebugEntryByType( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONG Type, _Out_opt_ ULONG* DataLength, _Out_opt_ PVOID* DataBuffer ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_DEBUG_DIRECTORY debugDirectory; PIMAGE_DEBUG_DIRECTORY debugEntry; ULONG currentCount; ULONG i; status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_DEBUG, &dataDirectory ); if (!NT_SUCCESS(status)) return status; debugDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!debugDirectory) return STATUS_UNSUCCESSFUL; __try { PhMappedImageProbe(MappedImage, debugDirectory, sizeof(IMAGE_DEBUG_DIRECTORY)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } currentCount = dataDirectory->Size / sizeof(IMAGE_DEBUG_DIRECTORY); for (i = 0; i < currentCount; i++) { debugEntry = PTR_ADD_OFFSET(debugDirectory, UInt32x32To64(i, sizeof(IMAGE_DEBUG_DIRECTORY))); __try { PhMappedImageProbe(MappedImage, debugEntry, sizeof(IMAGE_DEBUG_DIRECTORY)); } __except (EXCEPTION_EXECUTE_HANDLER) { break; } if (debugEntry->Type == Type) { if (DataLength) *DataLength = debugEntry->SizeOfData; if (DataBuffer) *DataBuffer = PTR_ADD_OFFSET(MappedImage->ViewBase, debugEntry->PointerToRawData); return STATUS_SUCCESS; } } return STATUS_UNSUCCESSFUL; } NTSTATUS PhGetMappedImageEhCont32( _Out_ PPH_MAPPED_IMAGE_EH_CONT EhContConfig, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_LOAD_CONFIG_DIRECTORY32 config32; if (!NT_SUCCESS(status = PhGetMappedImageLoadConfig32(MappedImage, &config32))) return status; // Not every load configuration contains eh continuation if (!RTL_CONTAINS_FIELD(config32, config32->Size, GuardEHContinuationCount)) return STATUS_INVALID_VIEW_SIZE; EhContConfig->EhContTable = PhMappedImageVaToVa(MappedImage, config32->GuardEHContinuationTable, NULL); EhContConfig->NumberOfEhContEntries = config32->GuardEHContinuationCount; // taken from nt!RtlGuardRestoreContext EhContConfig->EntrySize = ((config32->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT) + sizeof(ULONG); if (EhContConfig->EhContTable && EhContConfig->NumberOfEhContEntries) { __try { PhMappedImageProbe( MappedImage, EhContConfig->EhContTable, (SIZE_T)(EhContConfig->NumberOfEhContEntries * EhContConfig->EntrySize) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageEhCont64( _Out_ PPH_MAPPED_IMAGE_EH_CONT EhContConfig, _In_ PPH_MAPPED_IMAGE MappedImage ) { NTSTATUS status; PIMAGE_LOAD_CONFIG_DIRECTORY64 config64; if (!NT_SUCCESS(status = PhGetMappedImageLoadConfig64(MappedImage, &config64))) return status; // Not every load configuration contains eh continuation if (!RTL_CONTAINS_FIELD(config64, config64->Size, GuardEHContinuationCount)) return STATUS_INVALID_VIEW_SIZE; EhContConfig->EhContTable = PhMappedImageVaToVa(MappedImage, config64->GuardEHContinuationTable, NULL); EhContConfig->NumberOfEhContEntries = config64->GuardEHContinuationCount; // taken from nt!RtlGuardRestoreContext EhContConfig->EntrySize = ((config64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT) + sizeof(ULONG); if (EhContConfig->EhContTable && EhContConfig->NumberOfEhContEntries) { __try { PhMappedImageProbe( MappedImage, EhContConfig->EhContTable, (SIZE_T)(EhContConfig->NumberOfEhContEntries * EhContConfig->EntrySize) ); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } return STATUS_SUCCESS; } NTSTATUS PhGetMappedImageEhCont( _Out_ PPH_MAPPED_IMAGE_EH_CONT EhContConfig, _In_ PPH_MAPPED_IMAGE MappedImage ) { if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { return PhGetMappedImageEhCont32(EhContConfig, MappedImage); } else { return PhGetMappedImageEhCont64(EhContConfig, MappedImage); } } _Success_(return) BOOLEAN PhGetMappedImagePogoEntryByName( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PCSTR Name, _Out_opt_ ULONG* DataLength, _Out_opt_ PVOID* DataBuffer ) { ULONG debugEntryLength; PIMAGE_DEBUG_POGO_SIGNATURE debugEntry; PIMAGE_DEBUG_POGO_ENTRY debugPogoEntry; if (!NT_SUCCESS(PhGetMappedImageDebugEntryByType( MappedImage, IMAGE_DEBUG_TYPE_POGO, &debugEntryLength, &debugEntry ))) { return FALSE; } __try { PhMappedImageProbe(MappedImage, debugEntry, sizeof(IMAGE_DEBUG_POGO_SIGNATURE)); } __except (EXCEPTION_EXECUTE_HANDLER) { return FALSE; } if (debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_LTCG && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_PGI && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_PGO && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_PGU && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_SPGO) { // The signature can be zero but still contain valid entries. if (!(debugEntry->Signature == 0 && debugEntryLength > sizeof(IMAGE_DEBUG_POGO_SIGNATURE))) return FALSE; } debugPogoEntry = PTR_ADD_OFFSET(debugEntry, sizeof(IMAGE_DEBUG_POGO_SIGNATURE)); while ((ULONG_PTR)debugPogoEntry < (ULONG_PTR)PTR_ADD_OFFSET(debugEntry, debugEntryLength)) { __try { PhMappedImageProbe(MappedImage, debugPogoEntry, sizeof(IMAGE_DEBUG_POGO_ENTRY)); } __except (EXCEPTION_EXECUTE_HANDLER) { return FALSE; } if (!(debugPogoEntry->Rva && debugPogoEntry->Size)) break; if (PhEqualBytesZ(debugPogoEntry->Name, Name, TRUE)) { if (DataLength) { *DataLength = debugPogoEntry->Size; } if (DataBuffer) { *DataBuffer = PTR_ADD_OFFSET(MappedImage->ViewBase, debugPogoEntry->Rva); } return TRUE; } debugPogoEntry = PTR_ADD_OFFSET(debugPogoEntry, ALIGN_UP(UFIELD_OFFSET(IMAGE_DEBUG_POGO_ENTRY, Name) + strlen(debugPogoEntry->Name) + sizeof(ANSI_NULL), ULONG)); } return FALSE; } NTSTATUS PhGetMappedImagePogo( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_DEBUG_POGO PogoDebug ) { ULONG debugEntryCount = 0; ULONG debugEntryLength = 0; PIMAGE_DEBUG_POGO_SIGNATURE debugEntry; PIMAGE_DEBUG_POGO_ENTRY debugPogoEntry; PH_ARRAY pogoArray; if (!NT_SUCCESS(PhGetMappedImageDebugEntryByType( MappedImage, IMAGE_DEBUG_TYPE_POGO, &debugEntryLength, &debugEntry ))) { return STATUS_UNSUCCESSFUL; } __try { PhMappedImageProbe(MappedImage, debugEntry, sizeof(IMAGE_DEBUG_POGO_SIGNATURE)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } if (debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_LTCG && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_PGI && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_PGO && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_PGU && debugEntry->Signature != IMAGE_DEBUG_POGO_SIGNATURE_SPGO) { // The signature can be zero but still contain valid entries. if (!(debugEntry->Signature == 0 && debugEntryLength > sizeof(IMAGE_DEBUG_POGO_SIGNATURE))) return STATUS_UNSUCCESSFUL; } // Skip the signature. debugPogoEntry = PTR_ADD_OFFSET(debugEntry, sizeof(IMAGE_DEBUG_POGO_SIGNATURE)); // Do a scan to determine how many entries there are. while ((ULONG_PTR)debugPogoEntry < (ULONG_PTR)PTR_ADD_OFFSET(debugEntry, debugEntryLength)) { __try { PhMappedImageProbe(MappedImage, debugPogoEntry, sizeof(IMAGE_DEBUG_POGO_ENTRY)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } debugEntryCount++; debugPogoEntry = PTR_ADD_OFFSET(debugPogoEntry, ALIGN_UP(UFIELD_OFFSET(IMAGE_DEBUG_POGO_ENTRY, Name) + strlen(debugPogoEntry->Name) + sizeof(ANSI_NULL), ULONG)); } // Allocate the number of pogo entries. PhInitializeArray(&pogoArray, sizeof(PH_IMAGE_DEBUG_POGO_ENTRY), debugEntryCount); // Add the debug entries into our buffer. debugPogoEntry = PTR_ADD_OFFSET(debugEntry, sizeof(IMAGE_DEBUG_POGO_SIGNATURE)); while ((ULONG_PTR)debugPogoEntry < (ULONG_PTR)PTR_ADD_OFFSET(debugEntry, debugEntryLength)) { if (!(debugPogoEntry->Rva && debugPogoEntry->Size)) break; { PH_IMAGE_DEBUG_POGO_ENTRY entry; memset(entry.Name, ANSI_NULL, sizeof(entry.Name)); entry.Rva = debugPogoEntry->Rva; entry.Size = debugPogoEntry->Size; entry.Data = PhMappedImageRvaToVa(MappedImage, debugPogoEntry->Rva, NULL); PhCopyStringZFromUtf8( debugPogoEntry->Name, SIZE_MAX, entry.Name, RTL_NUMBER_OF(entry.Name), NULL ); PhAddItemArray(&pogoArray, &entry); } debugPogoEntry = PTR_ADD_OFFSET(debugPogoEntry, ALIGN_UP(UFIELD_OFFSET(IMAGE_DEBUG_POGO_ENTRY, Name) + strlen(debugPogoEntry->Name) + sizeof(ANSI_NULL), ULONG)); } PogoDebug->PogoDirectory = debugEntry; PogoDebug->NumberOfEntries = debugEntryCount; PogoDebug->PogoEntries = PhFinalArrayItems(&pogoArray); return STATUS_SUCCESS; } /** * Retrieves base relocation information from a mapped PE image. * * \param MappedImage A pointer to the mapped image. * \param Relocations A pointer to a structure that receives the relocation information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetMappedImageRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_RELOC Relocations ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_BASE_RELOCATION relocationDirectory; PVOID relocationDirectoryEnd; PH_ARRAY relocationArray; ULONG relocationTotal = 0; ULONG relocationIndex = 0; status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_BASERELOC, &dataDirectory ); if (!NT_SUCCESS(status)) return status; relocationDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!relocationDirectory) return STATUS_INVALID_PARAMETER; Relocations->MappedImage = MappedImage; Relocations->DataDirectory = dataDirectory; Relocations->FirstRelocationDirectory = relocationDirectory; // // Do a scan to determine how many entries there are. And validate the // blocks are within the mapping. // relocationDirectory = Relocations->FirstRelocationDirectory; relocationDirectoryEnd = PTR_ADD_OFFSET(relocationDirectory, dataDirectory->Size); while ((ULONG_PTR)relocationDirectory < (ULONG_PTR)relocationDirectoryEnd) { __try { PhMappedImageProbe(MappedImage, relocationDirectory, sizeof(IMAGE_BASE_RELOCATION)); PhMappedImageProbe(MappedImage, relocationDirectory, relocationDirectory->SizeOfBlock); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } if (relocationDirectory->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION)) { // // Prevent runaway. // return STATUS_INVALID_IMAGE_FORMAT; } relocationTotal += (relocationDirectory->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_RECORD); relocationDirectory = PTR_ADD_OFFSET(relocationDirectory, relocationDirectory->SizeOfBlock); } // Allocate the number of relocation entries. PhInitializeArray(&relocationArray, sizeof(PH_IMAGE_RELOC_ENTRY), relocationTotal); // Add the relocation entries into our buffer. relocationDirectory = Relocations->FirstRelocationDirectory; while ((ULONG_PTR)relocationDirectory < (ULONG_PTR)relocationDirectoryEnd) { ULONG relocationCount; PIMAGE_RELOCATION_RECORD relocations; relocationCount = (relocationDirectory->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_RECORD); relocations = PTR_ADD_OFFSET(relocationDirectory, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { PH_IMAGE_RELOC_ENTRY entry; entry.BlockIndex = relocationIndex; entry.Record.Type = relocations[i].Type; entry.Record.Offset = relocations[i].Offset; entry.BlockRva = relocationDirectory->VirtualAddress; if (entry.Record.Type == IMAGE_REL_BASED_ABSOLUTE) { entry.ImageBaseVa = NULL; entry.MappedImageVa = NULL; } else { if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) entry.ImageBaseVa = PTR_ADD_OFFSET(MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.BlockRva, entry.Record.Offset)); else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) entry.ImageBaseVa = PTR_ADD_OFFSET(MappedImage->NtHeaders32->OptionalHeader.ImageBase, UInt32Add32To64(entry.BlockRva, entry.Record.Offset)); entry.MappedImageVa = PhMappedImageRvaToVa(MappedImage, UInt32Add32To64(entry.BlockRva, entry.Record.Offset), NULL); } PhAddItemArray(&relocationArray, &entry); } relocationDirectory = PTR_ADD_OFFSET(relocationDirectory, relocationDirectory->SizeOfBlock); relocationIndex++; } Relocations->NumberOfEntries = (ULONG)PhFinalArrayCount(&relocationArray); Relocations->RelocationEntries = PhFinalArrayItems(&relocationArray); return status; } /** * Releases resources associated with mapped image relocations. * * \param Relocations A pointer to the relocation information structure. * * \remarks This function frees the relocation entries array allocated by * PhGetMappedImageRelocations(). */ VOID PhFreeMappedImageRelocations( _In_opt_ PPH_MAPPED_IMAGE_RELOC Relocations ) { if (Relocations && Relocations->RelocationEntries) { PhFree(Relocations->RelocationEntries); Relocations->RelocationEntries = NULL; Relocations->NumberOfEntries = 0; } } /** * Enumerates base relocations in a mapped PE image using a callback function. * * \param MappedImage A pointer to the mapped image. * \param Callback A callback function invoked for each relocation entry. * \param Context An optional context pointer passed to the callback. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhMappedImageEnumerateRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PPH_MAPPED_IMAGE_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_BASE_RELOCATION relocationDirectory; PVOID relocationDirectoryEnd; status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_BASERELOC, &dataDirectory ); if (!NT_SUCCESS(status)) return status; relocationDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!relocationDirectory) return STATUS_INVALID_PARAMETER; relocationDirectoryEnd = PTR_ADD_OFFSET(relocationDirectory, dataDirectory->Size); __try { PhMappedImageProbe(MappedImage, relocationDirectory, dataDirectory->Size); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } while ((ULONG_PTR)relocationDirectory < (ULONG_PTR)relocationDirectoryEnd) { ULONG relocationCount; PIMAGE_RELOCATION_RECORD relocations; __try { PhMappedImageProbe(MappedImage, relocationDirectory, sizeof(IMAGE_BASE_RELOCATION)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } if (relocationDirectory->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION)) { // // Prevent runaway. // return STATUS_INVALID_IMAGE_FORMAT; } relocationCount = (relocationDirectory->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_RECORD); relocations = PTR_ADD_OFFSET(relocationDirectory, sizeof(IMAGE_BASE_RELOCATION)); __try { PhMappedImageProbe(MappedImage, relocations, relocationCount * sizeof(IMAGE_RELOCATION_RECORD)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } status = Callback( MappedImage, dataDirectory, relocationDirectory, relocations, relocationCount, Context ); if (status == STATUS_NO_MORE_ENTRIES) break; relocationDirectory = PTR_ADD_OFFSET(relocationDirectory, relocationDirectory->SizeOfBlock); } return status; } /** * Retrieves the dynamic relocation table from a mapped PE image. * * \param MappedImage A pointer to the mapped image. * \param Table An optional pointer that receives the dynamic relocation table. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetMappedImageDynamicRelocationsTable( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_opt_ PIMAGE_DYNAMIC_RELOCATION_TABLE* Table ) { NTSTATUS status; PIMAGE_DYNAMIC_RELOCATION_TABLE table = NULL; PVOID reloc; if (Table) *Table = NULL; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY32 config32; status = PhGetMappedImageLoadConfig32(MappedImage, &config32); if (!NT_SUCCESS(status)) return status; if (RTL_CONTAINS_FIELD(config32, config32->Size, DynamicValueRelocTable) && config32->DynamicValueRelocTable) { table = PhMappedImageRvaToVa(MappedImage, config32->DynamicValueRelocTable, NULL); } else if ( RTL_CONTAINS_FIELD(config32, config32->Size, DynamicValueRelocTableOffset) && config32->DynamicValueRelocTableOffset && RTL_CONTAINS_FIELD(config32, config32->Size, DynamicValueRelocTableSection) && config32->DynamicValueRelocTableSection ) { if (config32->DynamicValueRelocTableSection <= MappedImage->NumberOfSections) { PIMAGE_SECTION_HEADER section = &MappedImage->Sections[config32->DynamicValueRelocTableSection - 1]; PVOID offset = PTR_ADD_OFFSET(section->PointerToRawData, config32->DynamicValueRelocTableOffset); if (offset < PTR_ADD_OFFSET(section->PointerToRawData, section->SizeOfRawData)) { table = PTR_ADD_OFFSET(MappedImage->ViewBase, offset); } } } } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY64 config64; status = PhGetMappedImageLoadConfig64(MappedImage, &config64); if (!NT_SUCCESS(status)) return status; if (RTL_CONTAINS_FIELD(config64, config64->Size, DynamicValueRelocTable) && config64->DynamicValueRelocTable) { table = PhMappedImageRvaToVa(MappedImage, (ULONG)config64->DynamicValueRelocTable, NULL); } else if ( RTL_CONTAINS_FIELD(config64, config64->Size, DynamicValueRelocTableOffset) && config64->DynamicValueRelocTableOffset && RTL_CONTAINS_FIELD(config64, config64->Size, DynamicValueRelocTableSection) && config64->DynamicValueRelocTableSection ) { if (config64->DynamicValueRelocTableSection <= MappedImage->NumberOfSections) { PIMAGE_SECTION_HEADER section = &MappedImage->Sections[config64->DynamicValueRelocTableSection - 1]; PVOID offset = PTR_ADD_OFFSET(section->PointerToRawData, config64->DynamicValueRelocTableOffset); if (offset < PTR_ADD_OFFSET(section->PointerToRawData, section->SizeOfRawData)) { table = PTR_ADD_OFFSET(MappedImage->ViewBase, offset); } } } } else { return STATUS_INVALID_IMAGE_FORMAT; } if (!table) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, table, sizeof(IMAGE_DYNAMIC_RELOCATION_TABLE)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } reloc = PTR_ADD_OFFSET(table, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION_TABLE, Size)); __try { PhMappedImageProbe(MappedImage, reloc, table->Size); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } if (Table) *Table = table; return STATUS_SUCCESS; } NTSTATUS PhpFillDynamicRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ ULONGLONG Symbol, _In_ PIMAGE_BASE_RELOCATION BaseRelocs, _In_ PVOID BaseRelocsEnd, _In_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status = STATUS_SUCCESS; if (Symbol == IMAGE_DYNAMIC_RELOCATION_ARM64X) { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { PIMAGE_DVRT_ARM64X_FIXUP_RECORD record; PVOID blockEnd; record = (PIMAGE_DVRT_ARM64X_FIXUP_RECORD)base; blockEnd = PTR_ADD_OFFSET(base, base->SizeOfBlock); if (!PhPtrAdvance(&record, blockEnd, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock))) break; for (;;) { PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; SIZE_T consumed; if (record->Offset == 0 && record->Type == 0 && record->Size == 0) { // padding block(s), we're done break; } RtlZeroMemory(&entry, sizeof(entry)); entry.Symbol = IMAGE_DYNAMIC_RELOCATION_ARM64X; entry.ARM64X.BlockIndex = blockIndex; entry.ARM64X.BlockRva = base->VirtualAddress; entry.ARM64X.RecordFixup = *record; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.ARM64X.BlockRva, entry.ARM64X.RecordFixup.Offset) ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, UInt32Add32To64(entry.ARM64X.BlockRva, entry.ARM64X.RecordFixup.Offset), NULL ); if (record->Type == IMAGE_DVRT_ARM64X_FIXUP_TYPE_ZEROFILL) { entry.ARM64X.Value8 = 0; consumed = sizeof(IMAGE_DVRT_ARM64X_FIXUP_RECORD); } else if (record->Type == IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE) { consumed = sizeof(IMAGE_DVRT_ARM64X_FIXUP_RECORD); if (entry.ARM64X.RecordFixup.Size == IMAGE_DVRT_ARM64X_FIXUP_SIZE_2BYTES) { entry.ARM64X.Value2 = *(PUSHORT)PTR_ADD_OFFSET(record, consumed); consumed += sizeof(USHORT); } else if (entry.ARM64X.RecordFixup.Size == IMAGE_DVRT_ARM64X_FIXUP_SIZE_4BYTES) { entry.ARM64X.Value4 = *(PULONG)PTR_ADD_OFFSET(record, consumed); consumed += sizeof(ULONG); } else if (entry.ARM64X.RecordFixup.Size == IMAGE_DVRT_ARM64X_FIXUP_SIZE_8BYTES) { entry.ARM64X.Value8 = *(PULONG64)PTR_ADD_OFFSET(record, consumed); consumed += sizeof(ULONG64); } else { break; } } else if (record->Type == IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA) { consumed = sizeof(IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD); entry.ARM64X.Delta = *(PUSHORT)PTR_ADD_OFFSET(record, consumed); entry.ARM64X.Delta *= entry.ARM64X.RecordDelta.Scale ? 8 : 4; entry.ARM64X.Delta *= entry.ARM64X.RecordDelta.Sign ? -1 : 1; consumed += sizeof(USHORT); } else { break; } status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; if (!PhPtrAdvance(&record, blockEnd, consumed)) break; } if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } else if (Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE) { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { PIMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER header; PVOID prologueBytes; PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; if (base->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) + sizeof(IMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER)) { break; } header = PTR_ADD_OFFSET(base, sizeof(IMAGE_BASE_RELOCATION)); prologueBytes = PTR_ADD_OFFSET(header, sizeof(IMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER)); // Validate prologue bytes are within block bounds if ((ULONG_PTR)PTR_ADD_OFFSET(prologueBytes, header->PrologueByteCount) > (ULONG_PTR)PTR_ADD_OFFSET(base, base->SizeOfBlock)) { break; } RtlZeroMemory(&entry, sizeof(entry)); entry.Symbol = IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE; entry.RFPrologue.BlockIndex = blockIndex; entry.RFPrologue.BlockRva = base->VirtualAddress; entry.RFPrologue.PrologueByteCount = header->PrologueByteCount; entry.RFPrologue.PrologueBytes = prologueBytes; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, base->VirtualAddress ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, base->VirtualAddress, NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } else if (Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE) { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { PIMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER header; PVOID branchDescriptors; PVOID branchDescriptorBitMap; PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; SIZE_T descriptorsSize; SIZE_T bitMapSize; if (base->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) + sizeof(IMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER)) { break; } header = PTR_ADD_OFFSET(base, sizeof(IMAGE_BASE_RELOCATION)); branchDescriptors = PTR_ADD_OFFSET(header, sizeof(IMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER)); // Calculate sizes and validate bounds descriptorsSize = (SIZE_T)header->BranchDescriptorElementSize * header->BranchDescriptorCount; branchDescriptorBitMap = PTR_ADD_OFFSET(branchDescriptors, descriptorsSize); // Bitmap size: (BranchDescriptorCount + 7) / 8 bytes bitMapSize = (header->BranchDescriptorCount + 7) / 8; if ((ULONG_PTR)PTR_ADD_OFFSET(branchDescriptorBitMap, bitMapSize) > (ULONG_PTR)PTR_ADD_OFFSET(base, base->SizeOfBlock)) { break; } RtlZeroMemory(&entry, sizeof(entry)); entry.Symbol = IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE; entry.RFEpilogue.BlockIndex = blockIndex; entry.RFEpilogue.BlockRva = base->VirtualAddress; entry.RFEpilogue.EpilogueCount = header->EpilogueCount; entry.RFEpilogue.EpilogueByteCount = header->EpilogueByteCount; entry.RFEpilogue.BranchDescriptorElementSize = header->BranchDescriptorElementSize; entry.RFEpilogue.BranchDescriptorCount = header->BranchDescriptorCount; entry.RFEpilogue.BranchDescriptors = branchDescriptors; entry.RFEpilogue.BranchDescriptorBitMap = branchDescriptorBitMap; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, base->VirtualAddress ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, base->VirtualAddress, NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } else if (Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER) { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { ULONG relocationCount; PIMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION relocations; if (base->SizeOfBlock < sizeof(IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION)) { break; } relocationCount = (base->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION); relocations = PTR_ADD_OFFSET(base, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; RtlZeroMemory(&entry, sizeof(entry)); entry.Symbol = IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER; entry.ImportControl.Record = relocations[i]; entry.ImportControl.BlockIndex = blockIndex; entry.ImportControl.BlockRva = base->VirtualAddress; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.ImportControl.BlockRva, entry.ImportControl.Record.PageRelativeOffset) ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, UInt32Add32To64(entry.ImportControl.BlockRva, entry.ImportControl.Record.PageRelativeOffset), NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; } if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } else if (Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER) { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { ULONG relocationCount; PIMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION relocations; if (base->SizeOfBlock < sizeof(IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION)) { break; } relocationCount = (base->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION); relocations = PTR_ADD_OFFSET(base, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; if (relocations[i].PageRelativeOffset == 0) { break; } RtlZeroMemory(&entry, sizeof(PH_IMAGE_DYNAMIC_RELOC_ENTRY)); entry.Symbol = IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER; entry.IndirControl.Record = relocations[i]; entry.IndirControl.BlockIndex = blockIndex; entry.IndirControl.BlockRva = base->VirtualAddress; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.IndirControl.BlockRva, entry.IndirControl.Record.PageRelativeOffset) ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, UInt32Add32To64(entry.IndirControl.BlockRva, entry.IndirControl.Record.PageRelativeOffset), NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; } if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } else if (Symbol == IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH) { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { ULONG relocationCount; PIMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION relocations; if (base->SizeOfBlock < sizeof(IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION)) { break; } relocationCount = (base->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION); relocations = PTR_ADD_OFFSET(base, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; if (relocations[i].PageRelativeOffset == 0) { break; } RtlZeroMemory(&entry, sizeof(PH_IMAGE_DYNAMIC_RELOC_ENTRY)); entry.Symbol = IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH; entry.SwitchBranch.Record.PageRelativeOffset = relocations[i].PageRelativeOffset; entry.SwitchBranch.Record.RegisterNumber = relocations[i].RegisterNumber; entry.SwitchBranch.BlockIndex = blockIndex; entry.SwitchBranch.BlockRva = base->VirtualAddress; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.SwitchBranch.BlockRva, entry.SwitchBranch.Record.PageRelativeOffset) ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, UInt32Add32To64(entry.SwitchBranch.BlockRva, entry.SwitchBranch.Record.PageRelativeOffset), NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; } if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } else if (Symbol == IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE) { PIMAGE_FUNCTION_OVERRIDE_HEADER header; PVOID end; PIMAGE_BDD_INFO bddInfo; ULONG bddInfoSize; PIMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION funcOverride; PIMAGE_BDD_DYNAMIC_RELOCATION bddNodes = NULL; ULONG bddNodesCount = 0; header = (PIMAGE_FUNCTION_OVERRIDE_HEADER)BaseRelocs; end = header; if (!PhPtrAdvance(&end, BaseRelocsEnd, header->FuncOverrideSize)) return STATUS_INVALID_PARAMETER; funcOverride = PTR_ADD_OFFSET(header, RTL_SIZEOF_THROUGH_FIELD(IMAGE_FUNCTION_OVERRIDE_HEADER, FuncOverrideSize)); bddInfo = PTR_ADD_OFFSET(funcOverride, header->FuncOverrideSize); bddInfoSize = PtrToUlong(PTR_SUB_OFFSET(BaseRelocsEnd, BaseRelocs)); bddInfoSize -= (bddInfoSize > sizeof(IMAGE_FUNCTION_OVERRIDE_HEADER) ? sizeof(IMAGE_FUNCTION_OVERRIDE_HEADER) : bddInfoSize); bddInfoSize -= (bddInfoSize > header->FuncOverrideSize ? header->FuncOverrideSize : bddInfoSize); if (bddInfoSize && bddInfo->Version == 1 && bddInfo->BDDSize >= sizeof(IMAGE_BDD_DYNAMIC_RELOCATION)) { bddNodes = PTR_ADD_OFFSET(bddInfo, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BDD_INFO, BDDSize)); bddNodesCount = bddInfo->BDDSize / sizeof(IMAGE_BDD_DYNAMIC_RELOCATION); } for (ULONG blockIndex = 0;;) { PVOID next; PULONG rvas = NULL; ULONG rvasCount = 0; if (funcOverride->RvaSize >= sizeof(ULONG)) { rvas = PTR_ADD_OFFSET(funcOverride, RTL_SIZEOF_THROUGH_FIELD(IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION, BaseRelocSize)); rvasCount = funcOverride->RvaSize / sizeof(ULONG); } if (funcOverride->BaseRelocSize) { PIMAGE_BASE_RELOCATION base; PVOID baseEnd; base = PTR_ADD_OFFSET(funcOverride, RTL_SIZEOF_THROUGH_FIELD(IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION, BaseRelocSize)); base = PTR_ADD_OFFSET(base, funcOverride->RvaSize); baseEnd = PTR_ADD_OFFSET(base, funcOverride->BaseRelocSize); for (;; blockIndex++) { ULONG relocationCount; PIMAGE_RELOCATION_RECORD relocations; if (base->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION)) { break; } relocationCount = (base->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_RECORD); relocations = PTR_ADD_OFFSET(base, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; if (relocations[i].Type == IMAGE_FUNCTION_OVERRIDE_INVALID) { break; } RtlZeroMemory(&entry, sizeof(PH_IMAGE_DYNAMIC_RELOC_ENTRY)); entry.Symbol = Symbol; entry.FuncOverride.BlockIndex = blockIndex; entry.FuncOverride.BlockRva = base->VirtualAddress; entry.FuncOverride.Record.Offset = relocations[i].Offset; entry.FuncOverride.Record.Type = relocations[i].Type; entry.FuncOverride.BDDNodes = bddNodes; entry.FuncOverride.BDDNodesCount = bddNodesCount; entry.FuncOverride.OriginalRva = funcOverride->OriginalRva; entry.FuncOverride.BDDOffset = funcOverride->BDDOffset; entry.FuncOverride.Rvas = rvas; entry.FuncOverride.RvasCount = rvasCount; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.FuncOverride.BlockRva, entry.FuncOverride.Record.Offset) ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, UInt32Add32To64(entry.FuncOverride.BlockRva, entry.FuncOverride.Record.Offset), NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; } if (!PhPtrAdvance(&base, baseEnd, base->SizeOfBlock)) break; } } next = funcOverride; if (!PhPtrAdvance(&next, bddInfo, RTL_SIZEOF_THROUGH_FIELD(IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION, BaseRelocSize))) break; if (!PhPtrAdvance(&next, bddInfo, funcOverride->RvaSize)) break; if (!PhPtrAdvance(&next, bddInfo, funcOverride->BaseRelocSize)) break; funcOverride = next; } } else if (Symbol == IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER) { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { ULONG relocationCount; PIMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION relocations; if (base->SizeOfBlock < sizeof(IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION)) break; relocationCount = (base->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION); relocations = PTR_ADD_OFFSET(base, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; if (relocations[i].PageRelativeOffset == 0) break; RtlZeroMemory(&entry, sizeof(entry)); entry.Symbol = IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER; entry.ARM64ImportControl.Record = relocations[i]; entry.ARM64ImportControl.BlockIndex = blockIndex; entry.ARM64ImportControl.BlockRva = base->VirtualAddress; // ARM64 instructions are 4-byte aligned, so PageRelativeOffset is shifted left by 2 entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.ARM64ImportControl.BlockRva, entry.ARM64ImportControl.Record.PageRelativeOffset << 2) ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, UInt32Add32To64(entry.ARM64ImportControl.BlockRva, entry.ARM64ImportControl.Record.PageRelativeOffset << 2), NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; } if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } else if (Symbol > 0xff) // assumes IMAGE_DYNAMIC_RELOCATION_KI_USER_SHARED_DATA64 or similar { PIMAGE_BASE_RELOCATION base = BaseRelocs; for (ULONG blockIndex = 0; ; blockIndex++) { ULONG relocationCount; PIMAGE_RELOCATION_RECORD relocations; if (base->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION)) { break; } relocationCount = (base->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_RECORD); relocations = PTR_ADD_OFFSET(base, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { PH_IMAGE_DYNAMIC_RELOC_ENTRY entry; RtlZeroMemory(&entry, sizeof(PH_IMAGE_DYNAMIC_RELOC_ENTRY)); entry.Symbol = Symbol; entry.Other.Record.Offset = relocations[i].Offset; entry.Other.Record.Type = relocations[i].Type; entry.Other.BlockIndex = blockIndex; entry.Other.BlockRva = base->VirtualAddress; entry.ImageBaseVa = PTR_ADD_OFFSET( MappedImage->NtHeaders->OptionalHeader.ImageBase, UInt32Add32To64(entry.Other.BlockRva, entry.Other.Record.Offset) ); entry.MappedImageVa = PhMappedImageRvaToVa( MappedImage, UInt32Add32To64(entry.Other.BlockRva, entry.Other.Record.Offset), NULL ); status = Callback(MappedImage, &entry, Context); if (!NT_SUCCESS(status)) return status; } if (!PhPtrAdvance(&base, BaseRelocsEnd, base->SizeOfBlock)) break; } } return status; } PVOID PhpFillDynamicRelocationsArray32( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DYNAMIC_RELOCATION32 Relocs, _In_ PVOID RelocsEnd, _In_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ) { PVOID next; PIMAGE_BASE_RELOCATION base; PVOID end; base = PTR_ADD_OFFSET(Relocs, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION32, BaseRelocSize)); end = PTR_ADD_OFFSET(Relocs, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION32, BaseRelocSize)); end = PTR_ADD_OFFSET(end, Relocs->BaseRelocSize); PhpFillDynamicRelocations(MappedImage, (ULONGLONG)Relocs->Symbol, base, end, Callback, Context); next = Relocs; if (!PhPtrAdvance(&next, RelocsEnd, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION32, BaseRelocSize))) return RelocsEnd; if (!PhPtrAdvance(&next, RelocsEnd, Relocs->BaseRelocSize)) return RelocsEnd; return next; } PVOID PhpFillDynamicRelocationsArray64( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DYNAMIC_RELOCATION64 Relocs, _In_ PVOID RelocsEnd, _In_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ) { PVOID next; PIMAGE_BASE_RELOCATION base; PVOID end; base = PTR_ADD_OFFSET(Relocs, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION64, BaseRelocSize)); end = PTR_ADD_OFFSET(Relocs, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION64, BaseRelocSize)); end = PTR_ADD_OFFSET(end, Relocs->BaseRelocSize); PhpFillDynamicRelocations(MappedImage, Relocs->Symbol, base, end, Callback, Context); next = Relocs; if (!PhPtrAdvance(&next, RelocsEnd, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION64, BaseRelocSize))) return RelocsEnd; if (!PhPtrAdvance(&next, RelocsEnd, Relocs->BaseRelocSize)) return RelocsEnd; return next; } PVOID PhpFillDynamicRelocationsArray32v2( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DYNAMIC_RELOCATION32_V2 Relocs, _In_ PVOID RelocsEnd, _In_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ) { PVOID next; PIMAGE_BASE_RELOCATION base; PVOID end; base = PTR_ADD_OFFSET(Relocs, Relocs->HeaderSize); end = PTR_ADD_OFFSET(base, Relocs->FixupInfoSize); PhpFillDynamicRelocations(MappedImage, (ULONGLONG)Relocs->Symbol, base, end, Callback, Context); next = Relocs; if (!PhPtrAdvance(&next, RelocsEnd, Relocs->HeaderSize)) return RelocsEnd; if (!PhPtrAdvance(&next, RelocsEnd, Relocs->FixupInfoSize)) return RelocsEnd; return next; } PVOID PhpFillDynamicRelocationsArray64v2( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PIMAGE_DYNAMIC_RELOCATION64_V2 Relocs, _In_ PVOID RelocsEnd, _In_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ) { PVOID next; PIMAGE_BASE_RELOCATION base; PVOID end; base = PTR_ADD_OFFSET(Relocs, Relocs->HeaderSize); end = PTR_ADD_OFFSET(base, Relocs->FixupInfoSize); PhpFillDynamicRelocations(MappedImage, Relocs->Symbol, base, end, Callback, Context); next = Relocs; if (!PhPtrAdvance(&next, RelocsEnd, Relocs->HeaderSize)) return RelocsEnd; if (!PhPtrAdvance(&next, RelocsEnd, Relocs->FixupInfoSize)) return RelocsEnd; return next; } /** * Enumerates dynamic relocations in a mapped PE image using a callback function. * * \param MappedImage A pointer to the mapped image. * \param Callback A callback function invoked for each dynamic relocation entry. * \param Context An optional context pointer passed to the callback. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhMappedImageEnumerateDynamicRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PIMAGE_DYNAMIC_RELOCATION_TABLE table; PVOID reloc; PVOID end; status = PhGetMappedImageDynamicRelocationsTable(MappedImage, &table); if (!NT_SUCCESS(status)) return status; if (table->Version != 1 && table->Version != 2) { return STATUS_UNKNOWN_REVISION; } reloc = PTR_ADD_OFFSET(table, RTL_SIZEOF_THROUGH_FIELD(IMAGE_DYNAMIC_RELOCATION_TABLE, Size)); end = PTR_ADD_OFFSET(table, table->Size); while (reloc < end) { if (table->Version == 1) { if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { reloc = PhpFillDynamicRelocationsArray32(MappedImage, reloc, end, Callback, Context); } else { assert(MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC); reloc = PhpFillDynamicRelocationsArray64(MappedImage, reloc, end, Callback, Context); } } else { assert(table->Version == 2); if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { reloc = PhpFillDynamicRelocationsArray32v2(MappedImage, reloc, end, Callback, Context); } else { assert(MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC); reloc = PhpFillDynamicRelocationsArray64v2(MappedImage, reloc, end, Callback, Context); } } } return STATUS_SUCCESS; } typedef struct _PHP_DYNAMIC_RELOC_CONTEXT { PPH_ARRAY Array; } PHP_DYNAMIC_RELOC_CONTEXT, *PPHP_DYNAMIC_RELOC_CONTEXT; NTSTATUS NTAPI PhpGetMappedImageDynamicRelocationsCallback( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PPH_IMAGE_DYNAMIC_RELOC_ENTRY Entry, _In_opt_ PVOID Context ) { PPHP_DYNAMIC_RELOC_CONTEXT context = Context; PhAddItemArray(context->Array, Entry); return STATUS_SUCCESS; } /** * Retrieves all dynamic relocations from a mapped PE image into an array. * * \param MappedImage A pointer to the mapped image. * \param Relocations A pointer to a structure that receives the dynamic relocation information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetMappedImageDynamicRelocations( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC Relocations ) { NTSTATUS status; PIMAGE_DYNAMIC_RELOCATION_TABLE table; PH_ARRAY relocationArray; PHP_DYNAMIC_RELOC_CONTEXT context; status = PhGetMappedImageDynamicRelocationsTable(MappedImage, &table); if (!NT_SUCCESS(status)) return status; PhInitializeArray(&relocationArray, sizeof(PH_IMAGE_DYNAMIC_RELOC_ENTRY), 1); context.Array = &relocationArray; status = PhMappedImageEnumerateDynamicRelocations( MappedImage, PhpGetMappedImageDynamicRelocationsCallback, &context ); if (!NT_SUCCESS(status)) { PhDeleteArray(&relocationArray); return status; } Relocations->MappedImage = MappedImage; Relocations->RelocationTable = table; Relocations->NumberOfEntries = (ULONG)relocationArray.Count; Relocations->RelocationEntries = PhFinalArrayItems(&relocationArray); return STATUS_SUCCESS; } /** * Releases resources associated with dynamic relocations. * * \param Relocations A pointer to the dynamic relocation information structure. */ VOID PhFreeMappedImageDynamicRelocations( _In_opt_ PPH_MAPPED_IMAGE_DYNAMIC_RELOC Relocations ) { if (Relocations && Relocations->RelocationEntries) { PhFree(Relocations->RelocationEntries); Relocations->RelocationEntries = NULL; Relocations->NumberOfEntries = 0; } } NTSTATUS PhGetMappedImageExceptions( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_EXCEPTIONS Exceptions ) { return PhGetMappedImageExceptionsEx(MappedImage, Exceptions, 0); } NTSTATUS PhGetMappedImageExceptionsEx( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_EXCEPTIONS Exceptions, _In_ ULONG Flags ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PVOID exceptionDirectory; PH_ARRAY exceptionArray; ULONG imageMachine; ULONG exceptionTotal = 0; ULONG exceptionEntrySize = 0; Exceptions->DataDirectoryARM64X.VirtualAddress = 0; Exceptions->DataDirectoryARM64X.Size = 0; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) imageMachine = MappedImage->NtHeaders32->FileHeader.Machine; else imageMachine = MappedImage->NtHeaders->FileHeader.Machine; // 32bit images require special handling for the SEH table. switch (imageMachine) { case IMAGE_FILE_MACHINE_I386: { PIMAGE_LOAD_CONFIG_DIRECTORY32 config32; PULONG exceptionHandlerTable = NULL; status = PhGetMappedImageLoadConfig32(MappedImage, &config32); if (!NT_SUCCESS(status)) return status; if (config32->SEHandlerTable) { exceptionTotal = config32->SEHandlerCount; exceptionHandlerTable = PhMappedImageVaToVa(MappedImage, config32->SEHandlerTable, NULL); } if (!exceptionHandlerTable) return STATUS_UNSUCCESSFUL; __try { PhMappedImageProbe(MappedImage, exceptionHandlerTable, UInt32x32To64(exceptionTotal, sizeof(ULONG))); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // Allocate the number of exception entries. PhInitializeArray(&exceptionArray, sizeof(ULONG), exceptionTotal); // Add the exception entries into our buffer. for (ULONG i = 0; i < exceptionTotal; i++) { ULONG rva = *(PULONG)PTR_ADD_OFFSET(exceptionHandlerTable, UInt32x32To64(i, sizeof(ULONG))); PhAddItemArray(&exceptionArray, &rva); } Exceptions->MappedImage = MappedImage; Exceptions->DataDirectory = NULL; Exceptions->ExceptionDirectory = NULL; Exceptions->NumberOfEntries = (ULONG)exceptionArray.Count; Exceptions->ExceptionEntries = PhFinalArrayItems(&exceptionArray); return STATUS_SUCCESS; } break; } status = PhGetMappedImageDataDirectory( MappedImage, IMAGE_DIRECTORY_ENTRY_EXCEPTION, &dataDirectory ); if (!NT_SUCCESS(status)) return status; if (Flags & PH_GET_IMAGE_EXCEPTIONS_ARM64X) { status = PhRelocateMappedImageDataEntryARM64X( MappedImage, dataDirectory, &Exceptions->DataDirectoryARM64X ); if (!NT_SUCCESS(status)) return status; exceptionDirectory = PhMappedImageRvaToVa( MappedImage, Exceptions->DataDirectoryARM64X.VirtualAddress, NULL ); if (!exceptionDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, exceptionDirectory, Exceptions->DataDirectoryARM64X.Size); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // N.B. intentionally inverted switch (imageMachine) { //case IMAGE_FILE_MACHINE_AMD64: // { // exceptionEntrySize = sizeof(IMAGE_ARM64_RUNTIME_FUNCTION_ENTRY); // exceptionTotal = Exceptions->DataDirectoryARM64X.Size / exceptionEntrySize; // } // break; case IMAGE_FILE_MACHINE_ARM64: { exceptionEntrySize = sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY); exceptionTotal = Exceptions->DataDirectoryARM64X.Size / exceptionEntrySize; } break; default: return STATUS_NOT_SUPPORTED; } } else { exceptionDirectory = PhMappedImageRvaToVa( MappedImage, dataDirectory->VirtualAddress, NULL ); if (!exceptionDirectory) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, exceptionDirectory, dataDirectory->Size); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } switch (imageMachine) { case IMAGE_FILE_MACHINE_AMD64: case IMAGE_FILE_MACHINE_IA64: { exceptionEntrySize = sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY); exceptionTotal = dataDirectory->Size / exceptionEntrySize; } break; case IMAGE_FILE_MACHINE_ARMNT: { exceptionEntrySize = sizeof(IMAGE_ARM_RUNTIME_FUNCTION_ENTRY); exceptionTotal = dataDirectory->Size / exceptionEntrySize; } break; case IMAGE_FILE_MACHINE_ARM64: { exceptionEntrySize = sizeof(IMAGE_ARM64_RUNTIME_FUNCTION_ENTRY); exceptionTotal = dataDirectory->Size / exceptionEntrySize; } break; } } Exceptions->MappedImage = MappedImage; Exceptions->DataDirectory = dataDirectory; Exceptions->ExceptionDirectory = exceptionDirectory; // Allocate the number of exception entries. PhInitializeArray(&exceptionArray, exceptionEntrySize, exceptionTotal); // Add the exception entries into our buffer. for (ULONG i = 0; i < exceptionTotal; i++) { PVOID entry = PTR_ADD_OFFSET(exceptionDirectory, UInt32x32To64(i, exceptionEntrySize)); PhAddItemArray(&exceptionArray, entry); } Exceptions->NumberOfEntries = (ULONG)exceptionArray.Count; Exceptions->ExceptionEntries = PhFinalArrayItems(&exceptionArray); return status; } NTSTATUS PhGetMappedImageVolatileMetadata( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PPH_MAPPED_IMAGE_VOLATILE_METADATA VolatileMetadata ) { NTSTATUS status; PIMAGE_VOLATILE_METADATA metadata; ULONG metadataAccessTotal = 0; ULONG metadataRangeTotal = 0; PH_ARRAY metadataAccessArray = { 0 }; PH_ARRAY metadataRangeArray = { 0 }; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY32 config32; status = PhGetMappedImageLoadConfig32(MappedImage, &config32); if (!NT_SUCCESS(status)) return status; if (!RTL_CONTAINS_FIELD(config32, config32->Size, VolatileMetadataPointer)) return STATUS_INVALID_VIEW_SIZE; if (config32->VolatileMetadataPointer == 0) return STATUS_INVALID_FILE_FOR_SECTION; metadata = PhMappedImageVaToVa( MappedImage, config32->VolatileMetadataPointer, NULL ); } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY64 config64; status = PhGetMappedImageLoadConfig64(MappedImage, &config64); if (!NT_SUCCESS(status)) return status; if (!RTL_CONTAINS_FIELD(config64, config64->Size, VolatileMetadataPointer)) return STATUS_INVALID_VIEW_SIZE; if (config64->VolatileMetadataPointer == 0) return STATUS_INVALID_FILE_FOR_SECTION; metadata = PhMappedImageVaToVa( MappedImage, config64->VolatileMetadataPointer, NULL ); } else { return STATUS_INVALID_PARAMETER; } if (!metadata) return STATUS_INVALID_PARAMETER; __try { PhMappedImageProbe(MappedImage, metadata, sizeof(IMAGE_VOLATILE_METADATA)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } if (metadata->Size != sizeof(IMAGE_VOLATILE_METADATA)) return STATUS_NOT_IMPLEMENTED; //USHORT metadataVersionMin = HIWORD(metadata->Version) & 0xff; //USHORT metadataVersionMax = LOWORD(metadata->Version) & 0xff; //if (metadataVersionMin != 2 && metadataVersionMax != 2) // return STATUS_NOT_IMPLEMENTED; if (metadata->VolatileAccessTable && metadata->VolatileAccessTableSize) { PVOID volatileAccessTable; PIMAGE_VOLATILE_RVA_METADATA entry; volatileAccessTable = PhMappedImageRvaToVa( MappedImage, metadata->VolatileAccessTable, NULL ); if (volatileAccessTable) { ULONG count; ULONG i; count = metadata->VolatileAccessTableSize / sizeof(IMAGE_VOLATILE_RVA_METADATA); PhInitializeArray(&metadataAccessArray, sizeof(PH_IMAGE_VOLATILE_ENTRY), count); for (i = 0; i < count; i++) { entry = PTR_ADD_OFFSET(volatileAccessTable, UInt32x32To64(i, sizeof(IMAGE_VOLATILE_RVA_METADATA))); __try { PhMappedImageProbe(MappedImage, entry, sizeof(IMAGE_VOLATILE_RVA_METADATA)); } __except (EXCEPTION_EXECUTE_HANDLER) { continue; } { PH_IMAGE_VOLATILE_ENTRY volatileRvaEntry; volatileRvaEntry.Rva = entry->Rva; volatileRvaEntry.Size = 0; PhAddItemArray(&metadataAccessArray, &volatileRvaEntry); } } metadataAccessTotal = (ULONG)metadataAccessArray.Count; } } if (metadata->VolatileInfoRangeTable && metadata->VolatileInfoRangeTableSize) { PVOID volatileRangeTable; PIMAGE_VOLATILE_RANGE_METADATA entry; volatileRangeTable = PhMappedImageRvaToVa( MappedImage, metadata->VolatileInfoRangeTable, NULL ); if (volatileRangeTable) { ULONG count; ULONG i; count = metadata->VolatileInfoRangeTableSize / sizeof(IMAGE_VOLATILE_RANGE_METADATA); PhInitializeArray(&metadataRangeArray, sizeof(PH_IMAGE_VOLATILE_ENTRY), count); for (i = 0; i < count; i++) { entry = PTR_ADD_OFFSET(volatileRangeTable, UInt32x32To64(i, sizeof(IMAGE_VOLATILE_RANGE_METADATA))); __try { PhMappedImageProbe(MappedImage, entry, sizeof(IMAGE_VOLATILE_RANGE_METADATA)); } __except (EXCEPTION_EXECUTE_HANDLER) { continue; } { PH_IMAGE_VOLATILE_ENTRY volatileRangeEntry; volatileRangeEntry.Rva = entry->Rva; volatileRangeEntry.Size = entry->Size; PhAddItemArray(&metadataRangeArray, &volatileRangeEntry); } } metadataRangeTotal = (ULONG)metadataRangeArray.Count; } } VolatileMetadata->MappedImage = MappedImage; VolatileMetadata->VolatileMetadata = metadata; VolatileMetadata->NumberOfAccessEntries = metadataAccessTotal; VolatileMetadata->NumberOfRangeEntries = metadataRangeTotal; VolatileMetadata->AccessEntries = PhFinalArrayItems(&metadataAccessArray); VolatileMetadata->RangeEntries = PhFinalArrayItems(&metadataRangeArray); return status; } NTSTATUS PhMappedImageUpdateHashData( _In_ PPH_HASH_CONTEXT HashContext, _In_ PVOID Buffer, _In_ ULONG64 BufferLength ) { NTSTATUS status = STATUS_UNSUCCESSFUL; __try { if (BufferLength >= ULONG_MAX) { PBYTE address; ULONG64 numberOfBytes; ULONG blockSize; // Chunk the data into smaller blocks when the buffer length // overflows the maximum length of the BCryptHashData function. address = (PBYTE)Buffer; numberOfBytes = BufferLength; blockSize = PAGE_SIZE * 64; while (numberOfBytes != 0) { if (blockSize > numberOfBytes) blockSize = (ULONG)numberOfBytes; status = PhUpdateHash(HashContext, address, blockSize); if (!NT_SUCCESS(status)) break; address += blockSize; numberOfBytes -= blockSize; } } else { status = PhUpdateHash(HashContext, Buffer, (ULONG)BufferLength); } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } return status; } typedef struct _PH_MAPPED_IMAGE_HASH_REGION { ULONG64 Offset; ULONG64 Length; } PH_MAPPED_IMAGE_HASH_REGION; NTSTATUS PhGetMappedImageAuthenticodeHash( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PH_HASH_ALGORITHM Algorithm, _Out_ PPH_STRING* AuthenticodeHash ) { NTSTATUS status; PIMAGE_DOS_HEADER imageDosHeader; PPH_STRING hashString = NULL; ULONG imageChecksumOffset; ULONG imageSecurityOffset; ULONG imageSecurityAddress = 0; ULONG imageSecuritySize = 0; PH_MAPPED_IMAGE_HASH_REGION imageHashBlock[4] = { 0 }; PIMAGE_DATA_DIRECTORY dataDirectory; PH_HASH_CONTEXT hashContext; __try { imageDosHeader = (PIMAGE_DOS_HEADER)MappedImage->ViewBase; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { imageChecksumOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.CheckSum); imageSecurityOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]); } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { imageChecksumOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader.CheckSum); imageSecurityOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]); } else { return STATUS_INVALID_IMAGE_FORMAT; } PhMappedImagePrefetch(MappedImage); if (NT_SUCCESS(PhGetMappedImageDataDirectory(MappedImage, IMAGE_DIRECTORY_ENTRY_SECURITY, &dataDirectory))) { imageSecurityAddress = dataDirectory->VirtualAddress; imageSecuritySize = dataDirectory->Size; } // BaseAddress -> Checksum imageHashBlock[0].Offset = 0; imageHashBlock[0].Length = imageChecksumOffset; // Checksum -> Security directory imageHashBlock[1].Offset = imageChecksumOffset + RTL_FIELD_SIZE(IMAGE_OPTIONAL_HEADER, CheckSum); imageHashBlock[1].Length = imageSecurityOffset - imageHashBlock[1].Offset; if (imageSecurityAddress && imageSecuritySize) { // Security directory -> Certificate data imageHashBlock[2].Offset = UInt32Add32To64(imageSecurityOffset, sizeof(IMAGE_DATA_DIRECTORY)); imageHashBlock[2].Length = imageSecurityAddress - imageHashBlock[2].Offset; // Certificate data -> End of file imageHashBlock[3].Offset = UInt32Add32To64(imageSecurityAddress, imageSecuritySize); imageHashBlock[3].Length = MappedImage->ViewSize - imageHashBlock[3].Offset; } else { // Security directory -> End of file imageHashBlock[2].Offset = UInt32Add32To64(imageSecurityOffset, sizeof(IMAGE_DATA_DIRECTORY)); imageHashBlock[2].Length = MappedImage->ViewSize - imageHashBlock[2].Offset; } status = PhInitializeHash(&hashContext, Algorithm); if (!NT_SUCCESS(status)) return status; for (ULONG i = 0; i < RTL_NUMBER_OF(imageHashBlock); i++) { if (imageHashBlock[i].Length) { status = PhMappedImageUpdateHashData( &hashContext, PTR_ADD_OFFSET(MappedImage->ViewBase, imageHashBlock[i].Offset), imageHashBlock[i].Length ); if (!NT_SUCCESS(status)) break; } } if (NT_SUCCESS(status)) { ULONG hashLength = PH_HASH_SHA256_LENGTH; UCHAR hash[PH_HASH_SHA256_LENGTH]; status = PhFinalHash(&hashContext, hash, hashLength, &hashLength); if (NT_SUCCESS(status)) { hashString = PhBufferToHexString(hash, sizeof(hash)); } } if (NT_SUCCESS(status)) { *AuthenticodeHash = hashString; } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } return status; } NTSTATUS PhGetMappedImageAuthenticodeLegacy( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PH_HASH_ALGORITHM Algorithm, _Out_ PPH_STRING* AuthenticodeHash ) { NTSTATUS status; PIMAGE_DOS_HEADER imageDosHeader; PPH_STRING hashString = NULL; ULONG64 offset = 0; ULONG imageChecksumOffset; ULONG imageSecurityOffset; ULONG directoryAddress = 0; ULONG directorySize = 0; PIMAGE_DATA_DIRECTORY dataDirectory; PH_HASH_CONTEXT hashContext; __try { imageDosHeader = (PIMAGE_DOS_HEADER)MappedImage->ViewBase; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { imageChecksumOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.CheckSum); imageSecurityOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]); } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { imageChecksumOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader.CheckSum); imageSecurityOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]); } else { return STATUS_INVALID_IMAGE_FORMAT; } PhMappedImagePrefetch(MappedImage); if (NT_SUCCESS(PhGetMappedImageDataDirectory(MappedImage, IMAGE_DIRECTORY_ENTRY_SECURITY, &dataDirectory))) { directoryAddress = dataDirectory->VirtualAddress; directorySize = dataDirectory->Size; } status = PhInitializeHash(&hashContext, Algorithm); if (!NT_SUCCESS(status)) return status; while (offset < imageChecksumOffset) { if (!NT_SUCCESS(status = PhUpdateHash(&hashContext, PTR_ADD_OFFSET(MappedImage->ViewBase, offset), sizeof(BYTE)))) break; offset++; } if (NT_SUCCESS(status)) { offset += RTL_FIELD_SIZE(IMAGE_OPTIONAL_HEADER, CheckSum); while (offset < imageSecurityOffset) { if (!NT_SUCCESS(status = PhUpdateHash(&hashContext, PTR_ADD_OFFSET(MappedImage->ViewBase, offset), sizeof(BYTE)))) break; offset++; } } if (NT_SUCCESS(status)) { offset += sizeof(IMAGE_DATA_DIRECTORY); while (offset < directoryAddress) { if (!NT_SUCCESS(status = PhUpdateHash(&hashContext, PTR_ADD_OFFSET(MappedImage->ViewBase, offset), sizeof(BYTE)))) break; offset++; } } if (NT_SUCCESS(status)) { offset += directorySize; while (offset < MappedImage->ViewSize) { if (!NT_SUCCESS(status = PhUpdateHash(&hashContext, PTR_ADD_OFFSET(MappedImage->ViewBase, offset), sizeof(BYTE)))) break; offset++; } } if (NT_SUCCESS(status)) { ULONG hashLength = PH_HASH_SHA256_LENGTH; UCHAR hash[PH_HASH_SHA256_LENGTH]; status = PhFinalHash(&hashContext, hash, hashLength, &hashLength); if (NT_SUCCESS(status)) { hashString = PhBufferToHexString(hash, sizeof(hash)); } } if (NT_SUCCESS(status)) { *AuthenticodeHash = hashString; } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } return status; } NTSTATUS PhGetMappedImageWdacHash( _In_ PPH_MAPPED_IMAGE MappedImage, _In_ PH_HASH_ALGORITHM Algorithm, _Out_ PPH_STRING* WdacHash ) { NTSTATUS status; PIMAGE_DOS_HEADER imageDosHeader; PPH_STRING hashString = NULL; ULONG offset = 0; ULONG imageChecksumOffset; ULONG imageSecurityOffset; ULONG imageSizeOfHeaders; PH_HASH_CONTEXT hashContext; __try { imageDosHeader = (PIMAGE_DOS_HEADER)MappedImage->ViewBase; if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { imageChecksumOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.CheckSum); imageSecurityOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]); imageSizeOfHeaders = ((PIMAGE_OPTIONAL_HEADER32)&MappedImage->NtHeaders32->OptionalHeader)->SizeOfHeaders; } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { imageChecksumOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader.CheckSum); imageSecurityOffset = imageDosHeader->e_lfanew + UFIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]); imageSizeOfHeaders = ((PIMAGE_OPTIONAL_HEADER64)&MappedImage->NtHeaders->OptionalHeader)->SizeOfHeaders; } else { return STATUS_INVALID_IMAGE_FORMAT; } status = PhInitializeHash(&hashContext, Algorithm); if (!NT_SUCCESS(status)) return status; while (offset < PAGE_SIZE) { if (offset == imageChecksumOffset) offset += RTL_FIELD_SIZE(IMAGE_OPTIONAL_HEADER, CheckSum); if (offset == imageSecurityOffset) offset += sizeof(IMAGE_DATA_DIRECTORY); if (offset >= imageSizeOfHeaders) break; status = PhUpdateHash(&hashContext, PTR_ADD_OFFSET(MappedImage->ViewBase, offset), sizeof(BYTE)); if (!NT_SUCCESS(status)) break; offset++; } if (NT_SUCCESS(status)) { if (offset < PAGE_SIZE) { ULONG paddingLength; PVOID paddingBuffer; paddingLength = PAGE_SIZE - offset; paddingBuffer = PhAllocateZero(paddingLength); status = PhUpdateHash(&hashContext, paddingBuffer, paddingLength); PhFree(paddingBuffer); } } if (NT_SUCCESS(status)) { ULONG hashLength = PH_HASH_SHA256_LENGTH; UCHAR hash[PH_HASH_SHA256_LENGTH]; status = PhFinalHash(&hashContext, hash, hashLength, &hashLength); if (NT_SUCCESS(status)) { hashString = PhBufferToHexString(hash, hashLength); } } if (NT_SUCCESS(status)) { *WdacHash = hashString; } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } return status; } BOOLEAN PhGetMappedImageEntropy( _In_ PPH_MAPPED_IMAGE MappedImage, _Out_ PFLOAT ImageEntropy, _Out_ PFLOAT ImageMean, _Out_ PFLOAT ImageVariance ) { BOOLEAN status = FALSE; __try { status = PhCalculateEntropy( MappedImage->ViewBase, MappedImage->ViewSize, ImageEntropy, ImageMean, ImageVariance ); } __except (EXCEPTION_EXECUTE_HANDLER) { status = FALSE; } return status; } ULONG PhGetMappedImageCHPEVersion( _In_ PPH_MAPPED_IMAGE MappedImage ) { if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY32 config32; if (NT_SUCCESS(PhGetMappedImageLoadConfig32(MappedImage, &config32)) && RTL_CONTAINS_FIELD(config32, config32->Size, CHPEMetadataPointer) && config32->CHPEMetadataPointer) { PIMAGE_CHPE_METADATA_X86 chpe32; chpe32 = PhMappedImageVaToVa(MappedImage, config32->CHPEMetadataPointer, NULL); if (chpe32) return chpe32->Version; } } else if (MappedImage->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { PIMAGE_LOAD_CONFIG_DIRECTORY64 config64; if (NT_SUCCESS(PhGetMappedImageLoadConfig64(MappedImage, &config64)) && RTL_CONTAINS_FIELD(config64, config64->Size, CHPEMetadataPointer) && config64->CHPEMetadataPointer) { PIMAGE_ARM64EC_METADATA chpe64; chpe64 = PhMappedImageVaToVa(MappedImage, config64->CHPEMetadataPointer, NULL); if (chpe64) return chpe64->Version; } } return 0; } ================================================ FILE: phlib/mapldr.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include #include /** * Locates a loader entry in the current process. * * \param[in,opt] DllBase The base address of the DLL. Specify NULL if this is not a search criteria. * \param[in,opt] FullDllName The full name of the DLL. Specify NULL if this is not a search criteria. * \param[in,opt] BaseDllName The base name of the DLL. Specify NULL if this is not a search criteria. * \remarks This function must be called with the loader lock acquired. The first entry matching all * of the specified values is returned. */ PLDR_DATA_TABLE_ENTRY PhFindLoaderEntry( _In_opt_ PVOID DllBase, _In_opt_ PCPH_STRINGREF FullDllName, _In_opt_ PCPH_STRINGREF BaseDllName ) { PLDR_DATA_TABLE_ENTRY result = NULL; PLDR_DATA_TABLE_ENTRY entry; PH_STRINGREF fullDllName; PH_STRINGREF baseDllName; PLIST_ENTRY listHead; PLIST_ENTRY listEntry; listHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; listEntry = listHead->Flink; while (listEntry != listHead) { entry = CONTAINING_RECORD(listEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); PhUnicodeStringToStringRef(&entry->FullDllName, &fullDllName); PhUnicodeStringToStringRef(&entry->BaseDllName, &baseDllName); if ( (!DllBase || entry->DllBase == DllBase) && (!FullDllName || PhStartsWithStringRef(&fullDllName, FullDllName, TRUE)) && (!BaseDllName || PhStartsWithStringRef(&baseDllName, BaseDllName, TRUE)) ) { result = entry; break; } listEntry = listEntry->Flink; } return result; } /** * Locates a loader entry by address in the current process. * * \param[in] Address An address within the module's address range. * \return A pointer to the loader entry, or NULL if not found. */ PLDR_DATA_TABLE_ENTRY PhFindLoaderEntryAddress( _In_ PVOID Address ) { PLDR_DATA_TABLE_ENTRY result = NULL; PLDR_DATA_TABLE_ENTRY entry; PLIST_ENTRY listHead; PLIST_ENTRY listEntry; listHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; listEntry = listHead->Flink; while (listEntry != listHead) { entry = CONTAINING_RECORD(listEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if ( (ULONG_PTR)Address >= (ULONG_PTR)entry->DllBase && (ULONG_PTR)Address < (ULONG_PTR)PTR_ADD_OFFSET(entry->DllBase, entry->SizeOfImage) ) { result = entry; break; } listEntry = listEntry->Flink; } return result; } /** * Locates a loader entry by base name hash in the current process. * * \param[in] BaseNameHash The hash value of the DLL base name. * \return A pointer to the loader entry, or NULL if not found. */ PLDR_DATA_TABLE_ENTRY PhFindLoaderEntryNameHash( _In_ ULONG BaseNameHash ) { PLDR_DATA_TABLE_ENTRY entry; PLIST_ENTRY listHead; PLIST_ENTRY listEntry; listHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; listEntry = listHead->Flink; while (listEntry != listHead) { entry = CONTAINING_RECORD(listEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (entry->BaseNameHashValue == BaseNameHash) return entry; listEntry = listEntry->Flink; } return NULL; } /** * Loads a DLL into the current process with safe search path behavior. * * \param[in] FileName The file name of the DLL to load. * \return The base address of the loaded DLL, or NULL if loading failed. * \remarks This function attempts to load the DLL with safe search paths, prioritizing * System32 and the application directory. On Windows 7 without KB2533623, it falls back * to the default LoadLibraryEx behavior for compatibility. */ PVOID PhLoadLibrary( _In_ PCWSTR FileName ) { PVOID baseAddress; // Force System32 as the default search path. // - If the file name is not qualified this will fail. // - If the file name qualified this will succeed. // Note: Directories in the standard search path are not searched. if (baseAddress = LoadLibraryEx(FileName, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)) return baseAddress; // Force the current executable directory as the default search path. // - If the file name is not qualified this will fail. // - If the file name qualified this will succeed. // Note: Directories in the standard search path are not searched. if (baseAddress = LoadLibraryEx(FileName, NULL, LOAD_LIBRARY_SEARCH_APPLICATION_DIR)) return baseAddress; // Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2008 // don't support the above flags prior to installing KB2533623. (dmex) if (WindowsVersion < WINDOWS_8) { // Note: This case is required for Windows 7 without KB2533623 (dmex) if (baseAddress = LoadLibraryEx(FileName, NULL, 0)) { return baseAddress; } } return NULL; } /** * Loads a library with specific flags. * * \param[out] BaseAddress Receives the base address of the loaded library. * \param[in] FileName The file name of the library to load. * \param[in] Flags Flags to control the loading behavior. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhLoadLibraryEx( _Out_ PVOID* BaseAddress, _In_ PCWSTR FileName, _In_ ULONG Flags ) { PVOID baseAddress; if (baseAddress = LoadLibraryEx(FileName, NULL, Flags)) { *BaseAddress = baseAddress; return STATUS_SUCCESS; } *BaseAddress = NULL; return PhGetLastWin32ErrorAsNtStatus(); } /** * Frees a loaded library. * * \param[in] BaseAddress The base address of the library to free. * \return TRUE if successful, FALSE otherwise. */ BOOLEAN PhFreeLibrary( _In_ PVOID BaseAddress ) { return !!FreeLibrary(BaseAddress); } #ifdef DEBUG // rev from BasepLoadLibraryAsDataFileInternal (dmex) /** * Temporarily suppresses debugger symbol loading notifications for resource loading. * * \param [in] SuppressDebugMessage TRUE to suppress debug messages, FALSE to restore them. * * \remarks This function is based on BasepLoadLibraryAsDataFileInternal from kernelbase.dll. * On Windows 7/8, the Visual Studio debugger attempts to load symbols for non-executable resources, * causing unnecessary overhead. This function temporarily sets the TEB's SuppressDebugMsg flag to * prevent symbol loading during resource-only image mapping. On Windows 10+, SEC_IMAGE_NO_EXECUTE * prevents symbol loading, making this suppression unnecessary. Only enabled in DEBUG builds. */ FORCEINLINE VOID NtSuppressDebugMessage( _In_ BOOLEAN SuppressDebugMessage ) { // Note: The Visual Studio debugger on Windows 7/8 attempts to load symbols // for non-executable resources. The kernelbase BasepLoadLibraryAsDataFileInternal // function temporarily suppresses symbols while loading resources (both release and debug) // as a QOL optimization but we only suppress debug messages for debug builds. This issue was fixed // by Microsoft on Windows 10 and above with SEC_IMAGE_NO_EXECUTE and suppression is not required (dmex) if (WindowsVersion < WINDOWS_10) { NtCurrentTeb()->SuppressDebugMsg = SuppressDebugMessage; } } #else #define NtSuppressDebugMessage(SuppressDebugMessage) #endif /** * Loads a DLL as a read-only resource from a file handle. * * \param[in] FileHandle A handle to the file containing the DLL image. * \param[out,opt] BaseAddress An optional pointer that receives the base address with the image mapping flag. * \return NTSTATUS Successful or errant status. * \remarks This function creates a read-only SEC_IMAGE section and maps it into the current * process. On Windows 8+, SEC_IMAGE_NO_EXECUTE is used. The returned address has the * LDR_IS_IMAGEMAPPING flag set (bitwise OR 2). Debug messages are suppressed during mapping * on Windows versions prior to Windows 10. */ NTSTATUS PhLoadLibraryAsResource( _In_ HANDLE FileHandle, _Out_opt_ PVOID *BaseAddress ) { NTSTATUS status; HANDLE sectionHandle; PVOID imageBaseAddress; SIZE_T imageBaseSize; status = PhCreateSection( §ionHandle, SECTION_QUERY | SECTION_MAP_READ, NULL, PAGE_READONLY, WindowsVersion < WINDOWS_8 ? SEC_IMAGE : SEC_IMAGE_NO_EXECUTE, FileHandle ); if (!NT_SUCCESS(status)) return status; imageBaseAddress = NULL; imageBaseSize = 0; NtSuppressDebugMessage(TRUE); status = PhMapViewOfSection( sectionHandle, NtCurrentProcess(), &imageBaseAddress, 0, NULL, &imageBaseSize, ViewUnmap, WindowsVersion < WINDOWS_10_RS2 ? 0 : MEM_MAPPED, PAGE_READONLY ); NtSuppressDebugMessage(FALSE); if (status == STATUS_IMAGE_NOT_AT_BASE) { status = STATUS_SUCCESS; } NtClose(sectionHandle); if (NT_SUCCESS(status)) { // Windows returns the address with bitwise OR|2 for use with LDR_IS_IMAGEMAPPING (dmex) if (BaseAddress) { *BaseAddress = LDR_MAPPEDVIEW_TO_IMAGEMAPPING(imageBaseAddress); } } return status; } /** * Loads a DLL as a read-only image resource from a file path. * * \param[in] FileName The file name of the DLL as a string reference. * \param[in] NativeFileName TRUE if FileName is in NT native format, FALSE for Win32 format. * \param[out,opt] BaseAddress An optional pointer that receives the base address with the image mapping flag. * \return NTSTATUS Successful or errant status. * \remarks This function opens the file and calls PhLoadLibraryAsResource(). The file is * opened with read-only access and share permissions. */ NTSTATUS PhLoadLibraryAsImageResource( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName, _Out_opt_ PVOID *BaseAddress ) { NTSTATUS status; HANDLE fileHandle; if (NativeFileName) { status = PhCreateFile( &fileHandle, FileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); } else { status = PhCreateFileWin32( &fileHandle, FileName->Buffer, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); } if (!NT_SUCCESS(status)) return status; status = PhLoadLibraryAsResource(fileHandle, BaseAddress); NtClose(fileHandle); return status; } /** * Releases a DLL loaded as an image resource. * * \param[in] BaseAddress The base address returned by PhLoadLibraryAsImageResource(), with the image mapping flag. * \return NTSTATUS Successful or errant status. * \remarks This function unmaps the view created by PhLoadLibraryAsResource(). The * LDR_IS_IMAGEMAPPING flag is removed before unmapping. Debug messages are suppressed * during unmapping on Windows versions prior to Windows 10. */ NTSTATUS PhFreeLibraryAsImageResource( _In_ PVOID BaseAddress ) { NTSTATUS status; NtSuppressDebugMessage(TRUE); status = PhUnmapViewOfSection( NtCurrentProcess(), LDR_IMAGEMAPPING_TO_MAPPEDVIEW(BaseAddress) ); NtSuppressDebugMessage(FALSE); return status; } /** * Retrieves the base address of a loaded DLL by name. * * \param[in] DllName The base name of the DLL (e.g., "kernel32.dll"). * \return The base address of the DLL, or NULL if not found. * \remarks On builds with PHNT_NATIVE_LDR, this uses LdrGetDllHandle(). Otherwise, it * searches the loader data table manually. */ PVOID PhGetDllHandle( _In_ PCWSTR DllName ) { #if defined(PHNT_NATIVE_LDR) UNICODE_STRING dllName; PVOID dllHandle; RtlInitUnicodeString(&dllName, DllName); if (NT_SUCCESS(LdrGetDllHandle(NULL, NULL, &dllName, &dllHandle))) return dllHandle; else return NULL; #else PH_STRINGREF baseDllName; PhInitializeStringRefLongHint(&baseDllName, DllName); return PhGetLoaderEntryDllBase(NULL, &baseDllName); #endif } /** * Retrieves the address of an exported function from a loaded module by name. * * \param[in] ModuleName The name of the module (e.g., "ntdll.dll"). * \param[in,opt] ProcedureName The name of the exported procedure, or an ordinal value cast to PCSTR. * \return The address of the procedure, or NULL if not found. * \remarks This function first locates the module, then retrieves the procedure address. * Ordinal values should be passed using the IS_INTRESOURCE macro. */ PVOID PhGetModuleProcAddress( _In_ PCWSTR ModuleName, _In_opt_ PCSTR ProcedureName ) { #if defined(PHNT_NATIVE_LDR) PVOID module; module = PhGetDllHandle(ModuleName); if (module) return PhGetProcedureAddress(module, ProcedureName, 0); else return NULL; #else PH_STRINGREF baseDllName; PhInitializeStringRefLongHint(&baseDllName, ModuleName); if (IS_INTRESOURCE(ProcedureName)) return PhGetDllProcedureAddress(&baseDllName, NULL, PtrToUshort(ProcedureName)); return PhGetDllProcedureAddress(&baseDllName, ProcedureName, 0); #endif } /** * Retrieves the address of an exported function from a loaded DLL. * * \param[in] DllHandle The base address of the DLL. * \param[in,opt] ProcedureName The name of the exported procedure. Specify NULL to use ProcedureNumber. * \param[in,opt] ProcedureNumber The ordinal of the exported procedure. Specify 0 to use ProcedureName. * \return The address of the procedure, or NULL if not found. * \remarks On builds with PHNT_NATIVE_LDR, this uses LdrGetProcedureAddress(). Otherwise, * it calls PhGetDllBaseProcedureAddress() which handles export suppression and forwarding. */ PVOID PhGetProcedureAddress( _In_ PVOID DllHandle, _In_opt_ PCSTR ProcedureName, _In_opt_ USHORT ProcedureNumber ) { #if defined(PHNT_NATIVE_LDR) NTSTATUS status; ANSI_STRING procedureName; PVOID procedureAddress; if (ProcedureName) { RtlInitAnsiString(&procedureName, ProcedureName); status = LdrGetProcedureAddress( DllHandle, &procedureName, 0, &procedureAddress ); } else { status = LdrGetProcedureAddress( DllHandle, NULL, ProcedureNumber, &procedureAddress ); } if (!NT_SUCCESS(status)) return NULL; return procedureAddress; #else return PhGetDllBaseProcedureAddress(DllHandle, ProcedureName, ProcedureNumber); #endif } typedef struct _PH_PROCEDURE_ADDRESS_REMOTE_CONTEXT { PVOID DllBase; PPH_STRING FileName; } PH_PROCEDURE_ADDRESS_REMOTE_CONTEXT, *PPH_PROCEDURE_ADDRESS_REMOTE_CONTEXT; /** * Callback function for limited module enumeration during remote procedure address lookup. * * \param [in] ProcessHandle A handle to the target process. * \param [in] VirtualAddress The virtual address of the module. * \param [in] ImageBase The base address of the module. * \param [in] ImageSize The size of the module image in bytes. * \param [in] FileName The file name of the module. * \param [in] Context A pointer to PH_PROCEDURE_ADDRESS_REMOTE_CONTEXT containing search criteria. * \return STATUS_SUCCESS to continue enumeration, or STATUS_NO_MORE_ENTRIES to stop when a match is found. * \remarks This callback is used with limited process module enumeration (PROCESS_QUERY_LIMITED_INFORMATION) * to locate a DLL by name in a remote process. When the file name matches the search criteria, it stores * the base address in the context and returns STATUS_NO_MORE_ENTRIES to terminate enumeration. */ _Function_class_(PH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK) static NTSTATUS NTAPI PhpGetProcedureAddressRemoteLimitedCallback( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress, _In_ PVOID ImageBase, _In_ SIZE_T ImageSize, _In_ PPH_STRING FileName, _In_ PPH_PROCEDURE_ADDRESS_REMOTE_CONTEXT Context ) { if (PhEqualString(FileName, Context->FileName, TRUE)) { Context->DllBase = ImageBase; return STATUS_NO_MORE_ENTRIES; } return STATUS_SUCCESS; } /** * Callback function for full module enumeration during remote procedure address lookup. * * \param [in] Module A pointer to the loader data table entry for the module. * \param [in] Context A pointer to PH_PROCEDURE_ADDRESS_REMOTE_CONTEXT containing search criteria. * \return TRUE to continue enumeration, FALSE to stop when a match is found. * \remarks This callback is used with full process module enumeration (requiring PROCESS_VM_READ) * to locate a DLL by its full path in a remote process. When the full DLL name matches the search * criteria, it stores the base address in the context and returns FALSE to terminate enumeration. */ _Function_class_(PH_ENUM_PROCESS_MODULES_CALLBACK) static BOOLEAN PhpGetProcedureAddressRemoteCallback( _In_ PLDR_DATA_TABLE_ENTRY Module, _In_ PPH_PROCEDURE_ADDRESS_REMOTE_CONTEXT Context ) { PH_STRINGREF fullDllName; PhUnicodeStringToStringRef(&Module->FullDllName, &fullDllName); if (PhEqualStringRef(&fullDllName, &Context->FileName->sr, TRUE)) { Context->DllBase = Module->DllBase; return FALSE; } return TRUE; } /** * Gets the address of a procedure in a process. * * \param[in] ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param[in] FileName The file name of the DLL containing the procedure. * \param[in] ProcedureName The name or ordinal of the procedure. * \param[out] ProcedureAddress A variable which receives the address of the procedure in the address * space of the process. * \param[out,opt] DllBase A variable which receives the base address of the DLL containing the procedure. */ NTSTATUS PhGetProcedureAddressRemote( _In_ HANDLE ProcessHandle, _In_ PCPH_STRINGREF FileName, _In_ PCSTR ProcedureName, _Out_ PVOID *ProcedureAddress, _Out_opt_ PVOID *DllBase ) { NTSTATUS status; PPH_STRING fileName = NULL; PH_MAPPED_IMAGE mappedImage; PH_MAPPED_IMAGE_EXPORTS exports; PH_PROCEDURE_ADDRESS_REMOTE_CONTEXT context; PH_ENUM_PROCESS_MODULES_PARAMETERS parameters; #ifdef _M_ARM64 USHORT processArchitecture; ULONG exportsFlags; #endif status = PhLoadMappedImageEx( FileName, NULL, &mappedImage ); if (!NT_SUCCESS(status)) return status; fileName = PhDosPathNameToNtPathName(FileName); if (PhIsNullOrEmptyString(fileName)) { status = PhGetProcessMappedFileName( NtCurrentProcess(), mappedImage.ViewBase, &fileName ); if (!NT_SUCCESS(status)) goto CleanupExit; } memset(&context, 0, sizeof(PH_PROCEDURE_ADDRESS_REMOTE_CONTEXT)); context.FileName = fileName; status = PhEnumProcessModulesLimited( ProcessHandle, PhpGetProcedureAddressRemoteLimitedCallback, &context ); if (!context.DllBase) { memset(¶meters, 0, sizeof(PH_ENUM_PROCESS_MODULES_PARAMETERS)); parameters.Callback = PhpGetProcedureAddressRemoteCallback; parameters.Context = &context; parameters.Flags = PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME; switch (mappedImage.Magic) { case IMAGE_NT_OPTIONAL_HDR32_MAGIC: status = PhEnumProcessModules32Ex(ProcessHandle, ¶meters); break; case IMAGE_NT_OPTIONAL_HDR64_MAGIC: status = PhEnumProcessModulesEx(ProcessHandle, ¶meters); break; default: status = STATUS_NOT_SUPPORTED; break; } if (!NT_SUCCESS(status)) goto CleanupExit; } if (!context.DllBase) { status = STATUS_DLL_NOT_FOUND; goto CleanupExit; } #ifdef _M_ARM64 exportsFlags = 0; if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC && mappedImage.NtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_ARM64) { status = PhGetProcessArchitecture(ProcessHandle, &processArchitecture); if (!NT_SUCCESS(status)) goto CleanupExit; if (processArchitecture == IMAGE_FILE_MACHINE_AMD64) exportsFlags |= PH_GET_IMAGE_EXPORTS_ARM64X; } status = PhGetMappedImageExportsEx(&exports, &mappedImage, exportsFlags); #else status = PhGetMappedImageExports(&exports, &mappedImage); #endif if (!NT_SUCCESS(status)) goto CleanupExit; if (IS_INTRESOURCE(ProcedureName)) { status = PhGetMappedImageExportFunctionRemote( &exports, NULL, PtrToUshort(ProcedureName), context.DllBase, ProcedureAddress ); } else { status = PhGetMappedImageExportFunctionRemote( &exports, ProcedureName, 0, context.DllBase, ProcedureAddress ); } if (NT_SUCCESS(status)) { if (DllBase) *DllBase = context.DllBase; } CleanupExit: PhUnloadMappedImage(&mappedImage); PhClearReference(&fileName); return status; } // rev from LdrAccessResource (dmex) //NTSTATUS PhAccessResource( // _In_ PVOID DllBase, // _In_ PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry, // _Out_opt_ PVOID *ResourceBuffer, // _Out_opt_ ULONG *ResourceLength // ) //{ // PVOID baseAddress; // // if (LDR_IS_DATAFILE(DllBase)) // baseAddress = LDR_DATAFILE_TO_MAPPEDVIEW(DllBase); // else if (LDR_IS_IMAGEMAPPING(DllBase)) // baseAddress = LDR_IMAGEMAPPING_TO_MAPPEDVIEW(DllBase); // else // baseAddress = DllBase; // // if (ResourceLength) // { // *ResourceLength = ResourceDataEntry->Size; // } // // if (ResourceBuffer) // { // if (LDR_IS_DATAFILE(DllBase)) // { // NTSTATUS status; // // status = PhLoaderEntryImageRvaToVa( // baseAddress, // ResourceDataEntry->OffsetToData, // ResourceBuffer // ); // // return status; // } // else // { // *ResourceBuffer = PTR_ADD_OFFSET( // baseAddress, // ResourceDataEntry->OffsetToData // ); // // return STATUS_SUCCESS; // } // } // // return STATUS_SUCCESS; //} /** * Finds and returns the address of a resource. * * \param[in] DllBase The base address of the image containing the resource. * \param[in] Name The name of the resource or the integer identifier. * \param[in] Type The type of resource or the integer identifier. * \param[out,opt] ResourceLength A variable which will receive the length of the resource block. * \param[out,opt] ResourceBuffer A variable which receives the address of the resource data. * \return TRUE if the resource was found, FALSE if an error occurred. * \remarks Use this function instead of LoadResource() because no memory allocation is required. * This function returns the address of the resource from the read-only section of the image * and does not need to be allocated or deallocated. This function cannot be used when the * image will be unloaded since the validity of the address is tied to the lifetime of the image. */ NTSTATUS PhLoadResource( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _Out_opt_ ULONG *ResourceLength, _Out_opt_ PVOID *ResourceBuffer ) { NTSTATUS status; PIMAGE_RESOURCE_DATA_ENTRY resourceData = NULL; PVOID resourceBuffer = NULL; ULONG resourceLength; ULONG_PTR resourcePath[] = { (ULONG_PTR)Type, (ULONG_PTR)Name, MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL) }; __try { status = LdrFindResource_U(DllBase, resourcePath, RTL_NUMBER_OF(resourcePath), &resourceData); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } if (!NT_SUCCESS(status)) return status; __try { status = LdrAccessResource(DllBase, resourceData, &resourceBuffer, &resourceLength); } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } if (!NT_SUCCESS(status)) return status; if (ResourceLength) *ResourceLength = resourceLength; if (ResourceBuffer) *ResourceBuffer = resourceBuffer; return status; } /** * Finds and returns a copy of the resource. * * \param[in] DllBase The base address of the image containing the resource. * \param[in] Name The name of the resource or the integer identifier. * \param[in] Type The type of resource or the integer identifier. * \param[out,opt] ResourceLength A variable which will receive the length of the resource block. * \param[out,opt] ResourceBuffer A variable which receives the address of the resource data. * \return TRUE if the resource was found, FALSE if an error occurred. * \remarks This function returns a copy of a resource from heap memory * and must be deallocated. Use this function when the image will be unloaded. */ NTSTATUS PhLoadResourceCopy( _In_ PVOID DllBase, _In_ PCWSTR Name, _In_ PCWSTR Type, _Out_opt_ ULONG *ResourceLength, _Out_opt_ PVOID *ResourceBuffer ) { NTSTATUS status; ULONG resourceLength; PVOID resourceBuffer; status = PhLoadResource( DllBase, Name, Type, &resourceLength, &resourceBuffer ); if (NT_SUCCESS(status)) { if (ResourceLength) *ResourceLength = resourceLength; if (ResourceBuffer) *ResourceBuffer = PhAllocateCopy(resourceBuffer, resourceLength); } return status; } // rev from LoadString (dmex) /** * Loads a string resource from the image into a buffer. * * \param[in] DllBase The base address of the image containing the resource. * \param[in] ResourceId The identifier of the string to be loaded. * \return A string containing a copy of the string resource. */ PPH_STRING PhLoadString( _In_ PVOID DllBase, _In_ ULONG ResourceId ) { ULONG resourceId = (LOWORD(ResourceId) >> 4) + 1; PIMAGE_RESOURCE_DIR_STRING_U stringBuffer; PPH_STRING string = NULL; ULONG resourceLength; PVOID resourceBuffer; ULONG stringIndex; if (!NT_SUCCESS(PhLoadResource( DllBase, MAKEINTRESOURCE(resourceId), RT_STRING, &resourceLength, &resourceBuffer ))) { return NULL; } if (!resourceBuffer) return NULL; stringBuffer = resourceBuffer; stringIndex = ResourceId & 0x000F; for (ULONG i = 0; i < stringIndex; i++) { stringBuffer = PTR_ADD_OFFSET(stringBuffer, (stringBuffer->Length + sizeof(ANSI_NULL)) * sizeof(WCHAR)); // ANSI_NULL required (dmex) } if ( stringBuffer->Length > 0 && // sizeof(UNICODE_NULL) || resourceLength stringBuffer->Length < UNICODE_STRING_MAX_BYTES ) { string = PhCreateStringEx( stringBuffer->NameString, stringBuffer->Length * sizeof(WCHAR) - sizeof(UNICODE_NULL) ); } return string; } // rev from SHLoadIndirectString (dmex) /** * Extracts a specified text resource when given that resource in the form of an indirect string (a string that begins with the '@' symbol). * \param[in] SourceString The indirect string from which the resource will be retrieved. */ PPH_STRING PhLoadIndirectString( _In_ PCPH_STRINGREF SourceString ) { PPH_STRING indirectString = NULL; if (!SourceString || !SourceString->Buffer) return NULL; if (SourceString->Buffer[0] == L'@') { PPH_STRING libraryString; PVOID libraryModule; PH_STRINGREF sourceRef; PH_STRINGREF dllNameRef; PH_STRINGREF dllIndexRef; LONG64 index64; LONG index; sourceRef.Length = SourceString->Length; sourceRef.Buffer = SourceString->Buffer; PhSkipStringRef(&sourceRef, sizeof(WCHAR)); // Skip the @ character. if (!PhSplitStringRefAtChar(&sourceRef, L',', &dllNameRef, &dllIndexRef)) return NULL; if (!PhStringToInteger64(&dllIndexRef, 10, &index64)) { // HACK: Services.exe includes custom logic for indirect Service description strings by reading descriptions from inf files, // these strings use the following format: "@FileName.inf,%SectionKeyName%;DefaultString". // Return the last token of the service string instead of locating and parsing the inf file with GetPrivateProfileString. if (PhSplitStringRefAtChar(&sourceRef, L';', &dllNameRef, &dllIndexRef)) // dllIndexRef.Buffer[0] == L'%' { return PhCreateString2(&dllIndexRef); } return NULL; } libraryString = PhCreateString2(&dllNameRef); index = (LONG)index64; if (libraryString->Buffer[0] == L'%') { PPH_STRING expandedString; if (expandedString = PhExpandEnvironmentStrings(&libraryString->sr)) PhMoveReference(&libraryString, expandedString); } if (PhDetermineDosPathNameType(&libraryString->sr) == RtlPathTypeRelative) { PPH_STRING librarySearchPathString; if (librarySearchPathString = PhSearchFilePath(libraryString->Buffer, L".dll")) { PhMoveReference(&libraryString, librarySearchPathString); } } if (NT_SUCCESS(PhLoadLibraryAsImageResource(&libraryString->sr, FALSE, &libraryModule))) { indirectString = PhLoadString(libraryModule, -index); PhFreeLibraryAsImageResource(libraryModule); } PhDereferenceObject(libraryString); } return indirectString; } /** * Retrieves the file name of a DLL loaded by the current process. * * \param[in] DllBase The base address of the DLL. * \param[out,opt] IndexOfFileName A variable which receives the index of the base name of the DLL in the * returned string. * \return The file name of the DLL, or NULL if the DLL could not be found. */ _Success_(return != NULL) PPH_STRING PhGetDllFileName( _In_ PVOID DllBase, _Out_opt_ PULONG IndexOfFileName ) { PLDR_DATA_TABLE_ENTRY entry; PPH_STRING fileName; ULONG_PTR indexOfFileName; PhAcquireLoaderLock(); entry = PhFindLoaderEntry(DllBase, NULL, NULL); if (entry) fileName = PhCreateStringFromUnicodeString(&entry->FullDllName); else fileName = NULL; PhReleaseLoaderLock(); if (!fileName) return NULL; PhMoveReference(&fileName, PhGetFileName(fileName)); if (IndexOfFileName) { indexOfFileName = PhFindLastCharInString(fileName, 0, OBJ_NAME_PATH_SEPARATOR); if (indexOfFileName != SIZE_MAX) indexOfFileName++; else indexOfFileName = 0; *IndexOfFileName = (ULONG)indexOfFileName; } return fileName; } /** * Retrieves information about a loaded DLL by its base name. * * \param[in] BaseDllName The base name of the DLL as a string reference (e.g., "kernel32.dll"). * \param[out,opt] DllBase An optional pointer that receives the base address of the DLL. * \param[out,opt] SizeOfImage An optional pointer that receives the size of the image in bytes. * \param[out,opt] FullName An optional pointer that receives the full path to the DLL. * \return TRUE if the DLL was found, FALSE otherwise. * \remarks This function searches the loader data table with the loader lock held. */ _Success_(return) BOOLEAN PhGetLoaderEntryData( _In_ PCPH_STRINGREF BaseDllName, _Out_opt_ PVOID* DllBase, _Out_opt_ ULONG* SizeOfImage, _Out_opt_ PPH_STRING* FullName ) { BOOLEAN result = FALSE; PLDR_DATA_TABLE_ENTRY entry; PhAcquireLoaderLock(); entry = PhFindLoaderEntry(NULL, NULL, BaseDllName); if (entry) { if (DllBase) { *DllBase = entry->DllBase; result = TRUE; } if (SizeOfImage) { *SizeOfImage = entry->SizeOfImage; result = TRUE; } if (FullName) { PH_STRINGREF fullName; PPH_STRING fileName; PhUnicodeStringToStringRef(&entry->FullDllName, &fullName); if (fileName = PhDosPathNameToNtPathName(&fullName)) { *FullName = fileName; result = TRUE; } else { result = FALSE; } } } PhReleaseLoaderLock(); return result; } /** * Retrieves the base address of a DLL containing the specified address. * * \param[in] Address An address within the DLL's address space. * \return The base address of the DLL, or NULL if not found. * \remarks This function searches the loader data table with the loader lock held. */ PVOID PhGetLoaderEntryAddressDllBase( _In_ PVOID Address ) { PLDR_DATA_TABLE_ENTRY entry; PVOID baseAddress; PhAcquireLoaderLock(); entry = PhFindLoaderEntryAddress(Address); if (entry) baseAddress = entry->DllBase; else baseAddress = NULL; PhReleaseLoaderLock(); return baseAddress; } /** * Retrieves the base address of a DLL by name. * * \param[in,opt] FullDllName The full path to the DLL. Specify NULL if not used. * \param[in,opt] BaseDllName The base name of the DLL (e.g., "kernel32.dll"). Specify NULL if not used. * \return The base address of the DLL, or NULL if not found. * \remarks On Windows 8 and later, when only BaseDllName is specified, this function uses * hash-based lookup for improved performance. Otherwise it performs a linear search. */ PVOID PhGetLoaderEntryDllBase( _In_opt_ PCPH_STRINGREF FullDllName, _In_opt_ PCPH_STRINGREF BaseDllName ) { PLDR_DATA_TABLE_ENTRY entry; PVOID baseAddress; PhAcquireLoaderLock(); if (WindowsVersion >= WINDOWS_8 && !FullDllName && BaseDllName) { ULONG baseNameHash = PhHashStringRefEx(BaseDllName, TRUE, PH_STRING_HASH_X65599); entry = PhFindLoaderEntryNameHash(baseNameHash); } else { entry = PhFindLoaderEntry(NULL, FullDllName, BaseDllName); } if (entry) baseAddress = entry->DllBase; else baseAddress = NULL; PhReleaseLoaderLock(); return baseAddress; } /** * Retrieves the address of an exported function from a loaded DLL. * * \param[in] DllBase The base address of the DLL. * \param[in,opt] ProcedureName The name of the exported procedure. Specify NULL to use ProcedureNumber. * \param[in,opt] ProcedureNumber The ordinal number of the exported procedure. Specify 0 to use ProcedureName. * \return The address of the exported function, or NULL if the function could not be found. * \remarks This function supports Control Flow Guard (CFG) export suppression on Windows 10 RS2 and later. * It also handles forwarded exports by recursively resolving them through the forwarding chain. */ PVOID PhGetDllBaseProcedureAddress( _In_ PVOID DllBase, _In_opt_ PCSTR ProcedureName, _In_opt_ USHORT ProcedureNumber ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN exportSuppressionEnabled = FALSE; PVOID exportAddress; PIMAGE_NT_HEADERS imageNtHeader; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_EXPORT_DIRECTORY exportDirectory; PROCESS_MITIGATION_POLICY_INFORMATION mitigation; if (PhBeginInitOnce(&initOnce)) { if ((WindowsVersion >= WINDOWS_10_RS2) && NT_SUCCESS(PhGetProcessMitigationPolicy(NtCurrentProcess(), ProcessControlFlowGuardPolicy, &mitigation)) && mitigation.ControlFlowGuardPolicy.EnableExportSuppression) { exportSuppressionEnabled = TRUE; } PhEndInitOnce(&initOnce); } if (!NT_SUCCESS(PhGetLoaderEntryImageNtHeaders(DllBase, &imageNtHeader))) return NULL; if (!NT_SUCCESS(PhGetLoaderEntryImageDirectory( DllBase, imageNtHeader, IMAGE_DIRECTORY_ENTRY_EXPORT, &dataDirectory, &exportDirectory, NULL ))) return NULL; exportAddress = PhGetLoaderEntryImageExportFunction( DllBase, imageNtHeader, dataDirectory, exportDirectory, ProcedureName, ProcedureNumber ); if (exportAddress && exportSuppressionEnabled) { if (PhLoaderEntryImageExportSupressionPresent(DllBase, imageNtHeader)) { PhLoaderEntryGrantSuppressedCall(exportAddress); } } return exportAddress; } /** * Retrieves the address of an exported function from a loaded DLL. * * \param[in] BaseAddress The base address of the DLL. * \param[in,opt] ProcedureName The name of the exported procedure, or an ordinal value cast to a pointer. * \return The address of the exported function, or NULL if the function could not be found. * \remarks This is a convenience wrapper around PhGetDllBaseProcedureAddress that automatically * determines whether ProcedureName is a name or an ordinal based on IS_INTRESOURCE. */ PVOID PhGetDllBaseProcAddress( _In_ PVOID BaseAddress, _In_opt_ PCSTR ProcedureName ) { if (IS_INTRESOURCE(ProcedureName)) return PhGetDllBaseProcedureAddress(BaseAddress, NULL, PtrToUshort(ProcedureName)); return PhGetDllBaseProcedureAddress(BaseAddress, ProcedureName, 0); } /** * Retrieves the address of an exported function from a DLL by name. * * \param[in] DllName The name of the DLL. * \param[in,opt] ProcedureName The name of the exported procedure. Specify NULL to use ProcedureNumber. * \param[in,opt] ProcedureNumber The ordinal number of the exported procedure. Specify 0 to use ProcedureName. * \return The address of the exported function, or NULL if the DLL or function could not be found. * \remarks This function first locates the DLL in the loader data, then resolves the export address. */ PVOID PhGetDllProcedureAddress( _In_ PCPH_STRINGREF DllName, _In_opt_ PCSTR ProcedureName, _In_opt_ USHORT ProcedureNumber ) { PVOID baseAddress; if (!(baseAddress = PhGetLoaderEntryDllBase(NULL, DllName))) return NULL; return PhGetDllBaseProcedureAddress( baseAddress, ProcedureName, ProcedureNumber ); } /** * Retrieves the NT headers of a loaded image. * * \param[in] BaseAddress The base address of the image. * \param[out] ImageNtHeaders A variable which receives a pointer to the NT headers. * \return An NTSTATUS code indicating success or failure. * \retval STATUS_INVALID_IMAGE_NOT_MZ The DOS signature is invalid. * \retval STATUS_INVALID_IMAGE_FORMAT The NT headers offset or signature is invalid. * \remarks This function validates the DOS and NT signatures before returning the NT headers pointer. */ NTSTATUS PhGetLoaderEntryImageNtHeaders( _In_ PVOID BaseAddress, _Out_ PIMAGE_NT_HEADERS *ImageNtHeaders ) { PIMAGE_DOS_HEADER imageDosHeader; PIMAGE_NT_HEADERS imageNtHeaders; ULONG imageNtHeadersOffset; imageDosHeader = PTR_ADD_OFFSET(BaseAddress, 0); if (imageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return STATUS_INVALID_IMAGE_NOT_MZ; imageNtHeadersOffset = (ULONG)imageDosHeader->e_lfanew; if (imageNtHeadersOffset == 0 || imageNtHeadersOffset >= RTL_IMAGE_MAX_DOS_HEADER) return STATUS_INVALID_IMAGE_FORMAT; imageNtHeaders = PTR_ADD_OFFSET(BaseAddress, imageNtHeadersOffset); if (imageNtHeaders->Signature != IMAGE_NT_SIGNATURE) return STATUS_INVALID_IMAGE_FORMAT; *ImageNtHeaders = imageNtHeaders; return STATUS_SUCCESS; } /** * Retrieves the entry point address of an image. * * \param[in] BaseAddress The base address of the image. * \param[in] ImageNtHeader The NT headers of the image. * \param[out] ImageEntryPoint A variable which receives the entry point address. * \return An NTSTATUS code indicating success or failure. * \retval STATUS_ENTRYPOINT_NOT_FOUND The image has no entry point. * \remarks Some images, such as resource-only DLLs, may not have an entry point. */ NTSTATUS PhGetLoaderEntryImageEntryPoint( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _Out_ PDLL_INIT_ROUTINE *ImageEntryPoint ) { if (ImageNtHeader->OptionalHeader.AddressOfEntryPoint == 0) return STATUS_ENTRYPOINT_NOT_FOUND; *ImageEntryPoint = PTR_ADD_OFFSET(BaseAddress, ImageNtHeader->OptionalHeader.AddressOfEntryPoint); return STATUS_SUCCESS; } /** * Retrieves a data directory entry from an image. * * \param[in] BaseAddress The base address of the image. * \param[in] ImageNtHeader The NT headers of the image. * \param[in] ImageDirectoryIndex The index of the data directory (e.g., IMAGE_DIRECTORY_ENTRY_EXPORT). * \param[out] ImageDataDirectoryEntry A variable which receives a pointer to the data directory entry. * \param[out] ImageDirectoryEntry A variable which receives the virtual address of the directory data. * \param[out,opt] ImageDirectoryLength A variable which optionally receives the size of the directory. * \return An NTSTATUS code indicating success or failure. * \retval STATUS_INVALID_FILE_FOR_SECTION The directory index is invalid or the directory is empty. */ NTSTATUS PhGetLoaderEntryImageDirectory( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ ULONG ImageDirectoryIndex, _Out_ PIMAGE_DATA_DIRECTORY *ImageDataDirectoryEntry, _Out_ PVOID *ImageDirectoryEntry, _Out_opt_ SIZE_T *ImageDirectoryLength ) { PIMAGE_DATA_DIRECTORY directory; directory = &ImageNtHeader->OptionalHeader.DataDirectory[ImageDirectoryIndex]; //if (ImageNtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) //{ // PIMAGE_OPTIONAL_HEADER32 optionalHeader; // // optionalHeader = &((PIMAGE_NT_HEADERS32)ImageNtHeader)->OptionalHeader; // // if (ImageDirectoryIndex >= optionalHeader->NumberOfRvaAndSizes) // return STATUS_INVALID_FILE_FOR_SECTION; // // directory = &optionalHeader->DataDirectory[ImageDirectoryIndex]; //} //else if (ImageNtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) //{ // PIMAGE_OPTIONAL_HEADER64 optionalHeader; // // optionalHeader = &((PIMAGE_NT_HEADERS64)ImageNtHeader)->OptionalHeader; // // if (ImageDirectoryIndex >= optionalHeader->NumberOfRvaAndSizes) // return STATUS_INVALID_FILE_FOR_SECTION; // // directory = &optionalHeader->DataDirectory[ImageDirectoryIndex]; //} //else //{ // return STATUS_INVALID_FILE_FOR_SECTION; //} if (directory->VirtualAddress == 0 || directory->Size == 0) return STATUS_INVALID_FILE_FOR_SECTION; *ImageDataDirectoryEntry = directory; *ImageDirectoryEntry = PTR_ADD_OFFSET(BaseAddress, directory->VirtualAddress); if (ImageDirectoryLength) *ImageDirectoryLength = directory->Size; return STATUS_SUCCESS; } /** * Locates the section containing a given virtual address. * * \param[in] BaseAddress The base address of the image. * \param[in] ImageNtHeader The NT headers of the image. * \param[in] ImageDirectoryAddress The virtual address to locate. * \param[out] ImageSectionAddress A pointer that receives the base address of the section. * \param[out] ImageSectionLength A pointer that receives the size of the section. * \return NTSTATUS Successful or errant status. * \retval STATUS_SECTION_NOT_IMAGE The address is not within any section. * \remarks This function iterates through all sections to find which one contains the * specified address. Section size is calculated as the maximum of VirtualSize and SizeOfRawData. */ NTSTATUS PhGetLoaderEntryImageVaToSection( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ PVOID ImageDirectoryAddress, _Out_ PVOID *ImageSectionAddress, _Out_ SIZE_T *ImageSectionLength ) { SIZE_T directorySectionLength = 0; PIMAGE_SECTION_HEADER section; PIMAGE_SECTION_HEADER sectionHeader; PVOID directorySectionAddress = NULL; PVOID imageSectionStart; ULONG imageSectionSize; PVOID imageSectionEnd; section = IMAGE_FIRST_SECTION(ImageNtHeader); for (USHORT i = 0; i < ImageNtHeader->FileHeader.NumberOfSections; i++) { sectionHeader = PTR_ADD_OFFSET(section, UInt32x32To64(IMAGE_SIZEOF_SECTION_HEADER, i)); // Note: VirtualSize is used by the loader, SizeOfRawData is used for file on disk. // A .bss section in a PE file might have SizeOfRawData = 0 (since it is not stored in the file) // and VirtualSize = 4096 (the amount of memory to allocate and zero-fill). // The section length must be the maximum of the two values. imageSectionStart = PTR_ADD_OFFSET(BaseAddress, sectionHeader->VirtualAddress); imageSectionSize = max(sectionHeader->Misc.VirtualSize, sectionHeader->SizeOfRawData); imageSectionEnd = PTR_ADD_OFFSET(imageSectionStart, imageSectionSize); if ( ((ULONG_PTR)ImageDirectoryAddress >= (ULONG_PTR)imageSectionStart) && ((ULONG_PTR)ImageDirectoryAddress < (ULONG_PTR)imageSectionEnd) ) { directorySectionLength = imageSectionSize; directorySectionAddress = imageSectionStart; break; } } if (directorySectionAddress && directorySectionLength) { *ImageSectionAddress = directorySectionAddress; *ImageSectionLength = directorySectionLength; return STATUS_SUCCESS; } *ImageSectionAddress = NULL; *ImageSectionLength = 0; return STATUS_SECTION_NOT_IMAGE; } /** * Converts an RVA to a file offset within an image. * * \param[in] ImageNtHeader The NT headers of the image. * \param[in] Rva The relative virtual address to convert. * \param[out] Offset A pointer that receives the file offset. * \return NTSTATUS Successful or errant status. * \retval STATUS_NOT_FOUND The RVA is not within any section's raw data range. * \remarks This function calculates the file offset by finding the section containing * the RVA and adjusting for the section's PointerToRawData. */ NTSTATUS PhLoaderEntryImageRvaToFileOffset( _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ ULONG Rva, _Out_ PULONG Offset ) { PIMAGE_SECTION_HEADER section; PIMAGE_SECTION_HEADER sectionHeader; section = IMAGE_FIRST_SECTION(ImageNtHeader); for (USHORT i = 0; i < ImageNtHeader->FileHeader.NumberOfSections; i++) { sectionHeader = PTR_ADD_OFFSET(section, UInt32x32To64(IMAGE_SIZEOF_SECTION_HEADER, i)); if ( Rva >= sectionHeader->VirtualAddress && Rva < sectionHeader->VirtualAddress + sectionHeader->SizeOfRawData ) { *Offset = sectionHeader->PointerToRawData + (Rva - sectionHeader->VirtualAddress); return STATUS_SUCCESS; } } *Offset = 0; return STATUS_NOT_FOUND; } /** * Locates the section header containing a given RVA. * * \param[in] ImageNtHeader The NT headers of the image. * \param[in] Rva The relative virtual address to locate. * \param[out] ImageSection A pointer that receives the section header. * \param[out] ImageSectionLength A pointer that receives the section size. * \return NTSTATUS Successful or errant status. * \retval STATUS_SECTION_NOT_IMAGE The RVA is not within any section. * \remarks Section size is calculated as the maximum of VirtualSize and SizeOfRawData * to handle both memory-mapped and file-mapped scenarios correctly. */ NTSTATUS PhLoaderEntryImageRvaToSection( _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ ULONG Rva, _Out_ PIMAGE_SECTION_HEADER *ImageSection, _Out_ SIZE_T *ImageSectionLength ) { SIZE_T directorySectionLength = 0; PIMAGE_SECTION_HEADER section; PIMAGE_SECTION_HEADER sectionHeader; PIMAGE_SECTION_HEADER directorySectionHeader = NULL; ULONG imageSectionAddress; SIZE_T imageSectionLength; PVOID imageSectionMaximum; section = IMAGE_FIRST_SECTION(ImageNtHeader); for (USHORT i = 0; i < ImageNtHeader->FileHeader.NumberOfSections; i++) { sectionHeader = PTR_ADD_OFFSET(section, UInt32x32To64(IMAGE_SIZEOF_SECTION_HEADER, i)); imageSectionAddress = sectionHeader->VirtualAddress; imageSectionLength = __max(sectionHeader->Misc.VirtualSize, sectionHeader->SizeOfRawData); imageSectionMaximum = PTR_ADD_OFFSET(imageSectionAddress, imageSectionLength); if ( ((ULONG_PTR)Rva >= (ULONG_PTR)imageSectionAddress) && ((ULONG_PTR)Rva < (ULONG_PTR)imageSectionMaximum) ) { directorySectionLength = imageSectionLength; directorySectionHeader = sectionHeader; break; } } if (directorySectionHeader && directorySectionLength) { *ImageSection = directorySectionHeader; *ImageSectionLength = directorySectionLength; return STATUS_SUCCESS; } *ImageSection = NULL; *ImageSectionLength = 0; return STATUS_SECTION_NOT_IMAGE; } /** * Converts an RVA to a virtual address within a loaded image. * * \param[in] BaseAddress The base address of the image. * \param[in] Rva The relative virtual address to convert. * \param[out] Va A pointer that receives the virtual address. * \return NTSTATUS Successful or errant status. * \retval STATUS_SECTION_NOT_IMAGE The RVA is not within any section. * \remarks This function finds the section containing the RVA and calculates the * virtual address by adding the base address and adjusting for section alignment. */ NTSTATUS PhLoaderEntryImageRvaToVa( _In_ PVOID BaseAddress, _In_ ULONG Rva, _Out_ PVOID *Va ) { NTSTATUS status; SIZE_T imageSectionSize; PIMAGE_SECTION_HEADER imageSection; PIMAGE_NT_HEADERS imageNtHeader; status = PhGetLoaderEntryImageNtHeaders( BaseAddress, &imageNtHeader ); if (!NT_SUCCESS(status)) return status; status = PhLoaderEntryImageRvaToSection( imageNtHeader, Rva, &imageSection, &imageSectionSize ); if (!NT_SUCCESS(status)) return status; *Va = PTR_ADD_OFFSET(BaseAddress, PTR_ADD_OFFSET( PTR_SUB_OFFSET(Rva, imageSection->VirtualAddress), imageSection->PointerToRawData )); return STATUS_SUCCESS; } /** * Determines whether an image has Control Flow Guard export suppression information. * * \param[in] BaseAddress The base address of the image. * \param[in] ImageNtHeader The NT headers of the image. * \return TRUE if export suppression information is present; otherwise, FALSE. * \remarks This function checks the IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT flag * in the load configuration directory. Export suppression is a CFG feature on Windows 10 RS2 * and later that restricts which exported functions can be called. */ BOOLEAN PhLoaderEntryImageExportSupressionPresent( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader ) { PIMAGE_LOAD_CONFIG_DIRECTORY configDirectory; PIMAGE_DATA_DIRECTORY dataDirectory; if (NT_SUCCESS(PhGetLoaderEntryImageDirectory( BaseAddress, ImageNtHeader, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &dataDirectory, &configDirectory, NULL ))) { if (RTL_CONTAINS_FIELD(configDirectory, configDirectory->Size, GuardFlags)) { if (BooleanFlagOn(configDirectory->GuardFlags, IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT)) { return TRUE; } } } return FALSE; } /** * Grants CFG-suppressed call access to an export address. * * \param[in] ExportAddress The address of the suppressed export to grant access to. * \remarks This function maintains a cache of export addresses that have been granted access * to avoid making redundant system calls. On Windows 10 RS2 and later with CFG export * suppression enabled, attempting to call a suppressed export will fail unless access is * explicitly granted via PhGuardGrantSuppressedCallAccess. */ VOID PhLoaderEntryGrantSuppressedCall( _In_ PVOID ExportAddress ) { static PPH_HASHTABLE PhLoaderEntryCacheHashtable = NULL; if (!PhLoaderEntryCacheHashtable) { PhLoaderEntryCacheHashtable = PhCreateSimpleHashtable(10); } if (PhLoaderEntryCacheHashtable && !PhFindItemSimpleHashtable(PhLoaderEntryCacheHashtable, ExportAddress)) { if (NT_SUCCESS(PhGuardGrantSuppressedCallAccess(NtCurrentProcess(), ExportAddress))) { PhAddItemSimpleHashtable(PhLoaderEntryCacheHashtable, ExportAddress, UlongToPtr(TRUE)); } } } /** * Performs a binary search to find the index of an exported function by name. * * \param [in] BaseAddress The base address of the image. * \param [in] ExportDirectory The export directory structure. * \param [in] ExportNameTable The export name table (array of RVAs to name strings). * \param [in] ExportName The name of the exported function to search for. * * \return The index into the export name table, or ULONG_MAX if not found. * * \remarks This function performs a binary search on the export name table, which is sorted * alphabetically by the Windows linker. This provides O(log n) lookup performance compared to * linear search. The returned index can be used with the export ordinal table to locate the * function address in the export address table. */ static ULONG PhpLookupLoaderEntryImageExportFunctionIndex( _In_ PVOID BaseAddress, _In_ PIMAGE_EXPORT_DIRECTORY ExportDirectory, _In_ PULONG ExportNameTable, _In_ PCSTR ExportName ) { LONG low; LONG high; LONG i; if (ExportDirectory->NumberOfNames == 0) return ULONG_MAX; low = 0; high = ExportDirectory->NumberOfNames - 1; do { PSTR name; INT comparison; i = (low + high) / 2; name = PTR_ADD_OFFSET(BaseAddress, ExportNameTable[i]); if (!name) return ULONG_MAX; comparison = strcmp(ExportName, name); if (comparison == 0) return i; else if (comparison < 0) high = i - 1; else low = i + 1; } while (low <= high); return ULONG_MAX; } /** * Validates export table RVAs to prevent out-of-bounds memory access. * * \param [in] ImageNtHeader The NT headers of the image. * \param [in] ExportDirectory The export directory structure to validate. * \return TRUE if all export table RVAs are valid and within image bounds, FALSE otherwise. */ static BOOLEAN PhpValidateExportTableRvas( _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ PIMAGE_EXPORT_DIRECTORY ExportDirectory ) { ULONG imageSize; ULONG addressTableSize; ULONG nameTableSize; ULONG ordinalTableSize; ULONG addressTableEnd; ULONG nameTableEnd; ULONG ordinalTableEnd; imageSize = ImageNtHeader->OptionalHeader.SizeOfImage; if (ExportDirectory->NumberOfFunctions > 0) { if (ExportDirectory->AddressOfFunctions == 0) return FALSE; if (!NT_SUCCESS(RtlULongMult(ExportDirectory->NumberOfFunctions, sizeof(ULONG), &addressTableSize))) return FALSE; if (!NT_SUCCESS(RtlULongAdd(ExportDirectory->AddressOfFunctions, addressTableSize, &addressTableEnd))) return FALSE; if (addressTableEnd > imageSize) return FALSE; } if (ExportDirectory->NumberOfNames > 0) { if (ExportDirectory->AddressOfNames == 0) return FALSE; if (!NT_SUCCESS(RtlULongMult(ExportDirectory->NumberOfNames, sizeof(ULONG), &nameTableSize))) return FALSE; if (!NT_SUCCESS(RtlULongAdd(ExportDirectory->AddressOfNames, nameTableSize, &nameTableEnd))) return FALSE; if (nameTableEnd > imageSize) return FALSE; } if (ExportDirectory->NumberOfNames > 0) { if (ExportDirectory->AddressOfNameOrdinals == 0) return FALSE; if (!NT_SUCCESS(RtlULongMult(ExportDirectory->NumberOfNames, sizeof(USHORT), &ordinalTableSize))) return FALSE; if (!NT_SUCCESS(RtlULongAdd(ExportDirectory->AddressOfNameOrdinals, ordinalTableSize, &ordinalTableEnd))) return FALSE; if (ordinalTableEnd > imageSize) return FALSE; } return TRUE; } /** * Retrieves the address of an exported function from an image's export directory. * * \param [in] BaseAddress The base address of the image. * \param [in] ImageNtHeader The NT headers of the image. * \param [in] DataDirectory The data directory entry for the export table. * \param [in] ExportDirectory The export directory. * \param [in,opt] ExportName The name of the exported function. Specify NULL to use ExportOrdinal. * \param [in,opt] ExportOrdinal The ordinal number of the exported function. Specify 0 to use ExportName. * \return The address of the exported function, or NULL if the function could not be found or validation failed. * \remarks This function validates export table bounds before accessing export data to prevent * malformed DLLs from causing out-of-bounds reads. It uses safe integer arithmetic to prevent * overflow attacks. The function also handles forwarded exports by recursively calling * PhGetDllBaseProcedureAddress to resolve the forwarding chain. */ PVOID PhGetLoaderEntryImageExportFunction( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ PIMAGE_DATA_DIRECTORY DataDirectory, _In_ PIMAGE_EXPORT_DIRECTORY ExportDirectory, _In_opt_ PCSTR ExportName, _In_opt_ USHORT ExportOrdinal ) { PVOID exportAddress = NULL; PULONG exportAddressTable; PULONG exportNameTable; PUSHORT exportOrdinalTable; if (!PhpValidateExportTableRvas(ImageNtHeader, ExportDirectory)) return NULL; exportAddressTable = PTR_ADD_OFFSET(BaseAddress, ExportDirectory->AddressOfFunctions); exportNameTable = PTR_ADD_OFFSET(BaseAddress, ExportDirectory->AddressOfNames); exportOrdinalTable = PTR_ADD_OFFSET(BaseAddress, ExportDirectory->AddressOfNameOrdinals); if (ExportOrdinal) { ULONG maxOrdinal; if (!NT_SUCCESS(RtlULongAdd(ExportDirectory->Base, ExportDirectory->NumberOfFunctions, &maxOrdinal))) return NULL; if (ExportOrdinal > maxOrdinal) return NULL; exportAddress = PTR_ADD_OFFSET(BaseAddress, exportAddressTable[ExportOrdinal - ExportDirectory->Base]); } else if (ExportName) { ULONG exportIndex; exportIndex = PhpLookupLoaderEntryImageExportFunctionIndex( BaseAddress, ExportDirectory, exportNameTable, ExportName ); if (exportIndex == ULONG_MAX) return NULL; exportAddress = PTR_ADD_OFFSET(BaseAddress, exportAddressTable[exportOrdinalTable[exportIndex]]); //for (exportIndex = 0; exportIndex < ExportDirectory->NumberOfNames; exportIndex++) //{ // if (PhEqualBytesZ(ExportName, PTR_ADD_OFFSET(BaseAddress, exportNameTable[exportIndex]), FALSE)) // { // exportAddress = PTR_ADD_OFFSET(BaseAddress, exportAddressTable[exportOrdinalTable[exportIndex]]); // break; // } //} } if (!exportAddress) return NULL; if ( ((ULONG_PTR)exportAddress >= (ULONG_PTR)ExportDirectory) && ((ULONG_PTR)exportAddress < (ULONG_PTR)PTR_ADD_OFFSET(ExportDirectory, DataDirectory->Size)) ) { SIZE_T dllForwarderLength; PH_STRINGREF dllNameRef; PH_STRINGREF dllForwarderRef; PH_STRINGREF dllProcedureRef; WCHAR dllForwarderName[DOS_MAX_PATH_LENGTH] = L""; // This is a forwarder RVA. dllForwarderLength = PhCountBytesZ((PCSTR)exportAddress); PhZeroExtendToUtf16Buffer((PCSTR)exportAddress, dllForwarderLength, dllForwarderName); dllForwarderRef.Length = dllForwarderLength * sizeof(WCHAR); dllForwarderRef.Buffer = dllForwarderName; if (PhSplitStringRefAtChar(&dllForwarderRef, L'.', &dllNameRef, &dllProcedureRef)) { PVOID libraryDllBase; WCHAR libraryName[DOS_MAX_PATH_LENGTH] = L""; if (memcpy_s(libraryName, sizeof(libraryName), dllNameRef.Buffer, dllNameRef.Length)) { return NULL; } libraryDllBase = PhLoadLibrary(libraryName); if (libraryDllBase) { CHAR libraryFunctionName[DOS_MAX_PATH_LENGTH] = ""; if (!NT_SUCCESS(PhConvertUtf16ToUtf8Buffer( libraryFunctionName, sizeof(libraryFunctionName), NULL, dllProcedureRef.Buffer, dllProcedureRef.Length ))) { return NULL; } if (libraryFunctionName[0] == '#') // This is a forwarder RVA with an ordinal import. { LONG64 importOrdinal; PhSkipStringRef(&dllProcedureRef, sizeof(L'#')); if (PhStringToInteger64(&dllProcedureRef, 10, &importOrdinal)) exportAddress = PhGetDllBaseProcedureAddress(libraryDllBase, NULL, (USHORT)importOrdinal); else exportAddress = PhGetDllBaseProcedureAddress(libraryDllBase, libraryFunctionName, 0); } else { exportAddress = PhGetDllBaseProcedureAddress(libraryDllBase, libraryFunctionName, 0); } } } } return exportAddress; } /** * Retrieves the address of an exported function using a hint for optimization. * * \param[in] BaseAddress The base address of the image. * \param[in] ProcedureName The name of the exported procedure. * \param[in] ProcedureHint A hint index into the export name table (typically from import descriptor). * \return The address of the exported function, or NULL if not found. * \remarks The hint is an optimization that allows the loader to check if the export at * the hint index matches the desired name before performing a binary search. If the hint * matches, the lookup is O(1). If not, the function falls back to PhGetDllBaseProcedureAddress(). * This function also handles forwarded exports. */ PVOID PhGetDllBaseProcedureAddressWithHint( _In_ PVOID BaseAddress, _In_ PCSTR ProcedureName, _In_ USHORT ProcedureHint ) { PIMAGE_NT_HEADERS imageNtHeader; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_EXPORT_DIRECTORY exportDirectory; if (!NT_SUCCESS(PhGetLoaderEntryImageNtHeaders(BaseAddress, &imageNtHeader))) return NULL; if (!NT_SUCCESS(PhGetLoaderEntryImageDirectory( BaseAddress, imageNtHeader, IMAGE_DIRECTORY_ENTRY_EXPORT, &dataDirectory, &exportDirectory, NULL ))) { return NULL; } if (ProcedureHint < exportDirectory->NumberOfNames) { PULONG exportAddressTable = PTR_ADD_OFFSET(BaseAddress, exportDirectory->AddressOfFunctions); PULONG exportNameTable = PTR_ADD_OFFSET(BaseAddress, exportDirectory->AddressOfNames); PUSHORT exportOrdinalTable = PTR_ADD_OFFSET(BaseAddress, exportDirectory->AddressOfNameOrdinals); // If the import hint matches the export name then return the address. if (PhEqualBytesZ(ProcedureName, PTR_ADD_OFFSET(BaseAddress, exportNameTable[ProcedureHint]), FALSE)) { PVOID exportAddress = PTR_ADD_OFFSET(BaseAddress, exportAddressTable[exportOrdinalTable[ProcedureHint]]); if ( ((ULONG_PTR)exportAddress >= (ULONG_PTR)exportDirectory) && ((ULONG_PTR)exportAddress < (ULONG_PTR)PTR_ADD_OFFSET(exportDirectory, dataDirectory->Size)) ) { SIZE_T dllForwarderLength; PH_STRINGREF dllNameRef; PH_STRINGREF dllForwarderRef; PH_STRINGREF dllProcedureRef; WCHAR dllForwarderName[DOS_MAX_PATH_LENGTH] = L""; // This is a forwarder RVA. dllForwarderLength = PhCountBytesZ((PCSTR)exportAddress); PhZeroExtendToUtf16Buffer((PCSTR)exportAddress, dllForwarderLength, dllForwarderName); dllForwarderRef.Length = dllForwarderLength * sizeof(WCHAR); dllForwarderRef.Buffer = dllForwarderName; if (PhSplitStringRefAtChar(&dllForwarderRef, L'.', &dllNameRef, &dllProcedureRef)) { PVOID libraryDllBase; WCHAR libraryName[DOS_MAX_PATH_LENGTH] = L""; if (memcpy_s(libraryName, sizeof(libraryName), dllNameRef.Buffer, dllNameRef.Length)) { return NULL; } libraryDllBase = PhLoadLibrary(libraryName); if (libraryDllBase) { CHAR libraryFunctionName[DOS_MAX_PATH_LENGTH] = ""; if (!NT_SUCCESS(PhConvertUtf16ToUtf8Buffer( libraryFunctionName, sizeof(libraryFunctionName), NULL, dllProcedureRef.Buffer, dllProcedureRef.Length ))) { return NULL; } if (libraryFunctionName[0] == '#') // This is a forwarder RVA with an ordinal import. { LONG64 importOrdinal; PhSkipStringRef(&dllProcedureRef, sizeof(L'#')); if (PhStringToInteger64(&dllProcedureRef, 10, &importOrdinal)) exportAddress = PhGetDllBaseProcedureAddress(libraryDllBase, NULL, (USHORT)importOrdinal); else exportAddress = PhGetDllBaseProcedureAddress(libraryDllBase, libraryFunctionName, 0); } else { exportAddress = PhGetDllBaseProcedureAddress(libraryDllBase, libraryFunctionName, 0); } } } } return exportAddress; } } return PhGetDllBaseProcedureAddress(BaseAddress, ProcedureName, 0); } /** * Detours (replaces) an imported function in a loaded module's Import Address Table (IAT). * * \param[in] BaseAddress The base address of the module whose import to detour. * \param[in] ImportName The name of the DLL that exports the function (e.g., "ntdll.dll"). * \param[in] ProcedureName The name of the imported function to detour (e.g., "NtCreateFile"). * \param[in] FunctionAddress The address of the replacement function. * \param[out,opt] OriginalAddress An optional pointer that receives the original function address. * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER BaseAddress, ImportName, or ProcedureName is NULL. * \retval STATUS_UNSUCCESSFUL The import or procedure was not found. * \remarks This function modifies the Import Address Table (IAT) to redirect calls to the * specified import to a new function address. The memory is temporarily made writable, the * thunk is updated, and protection is restored. On ARM64, the instruction cache is flushed. * This is commonly used for API hooking and function interception. The caller should save * the original address if they need to call the original function. */ NTSTATUS PhLoaderEntryDetourImportProcedure( _In_ PVOID BaseAddress, _In_ PCSTR ImportName, _In_ PCSTR ProcedureName, _In_ PVOID FunctionAddress, _Out_opt_ PVOID* OriginalAddress ) { NTSTATUS status; PIMAGE_NT_HEADERS imageNtHeaders; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_IMPORT_DESCRIPTOR importDirectory; if (!BaseAddress || !ImportName || !ProcedureName) return STATUS_INVALID_PARAMETER; status = PhGetLoaderEntryImageNtHeaders( BaseAddress, &imageNtHeaders ); if (!NT_SUCCESS(status)) return status; status = PhGetLoaderEntryImageDirectory( BaseAddress, imageNtHeaders, IMAGE_DIRECTORY_ENTRY_IMPORT, &dataDirectory, &importDirectory, NULL ); if (!NT_SUCCESS(status)) return status; status = STATUS_UNSUCCESSFUL; while (importDirectory->Name && importDirectory->OriginalFirstThunk) { PCSTR importName; PIMAGE_THUNK_DATA importThunk; PIMAGE_THUNK_DATA originalThunk; PIMAGE_IMPORT_BY_NAME importByName; importName = PTR_ADD_OFFSET(BaseAddress, importDirectory->Name); importThunk = PTR_ADD_OFFSET(BaseAddress, importDirectory->FirstThunk); originalThunk = PTR_ADD_OFFSET(BaseAddress, importDirectory->OriginalFirstThunk); if (PhEqualBytesZ(importName, ImportName, TRUE)) { for (; originalThunk->u1.AddressOfData; originalThunk++, importThunk++) // while (originalThunk->u1.AddressOfData) { SIZE_T importThunkSize = sizeof(IMAGE_THUNK_DATA); PVOID importThunkAddress = importThunk; ULONG importThunkProtect = 0; if (IMAGE_SNAP_BY_ORDINAL(originalThunk->u1.Ordinal)) continue; importByName = PTR_ADD_OFFSET(BaseAddress, originalThunk->u1.AddressOfData); if (!PhEqualBytesZ(importByName->Name, ProcedureName, FALSE)) continue; if (OriginalAddress) *OriginalAddress = (PVOID)importThunk->u1.Function; if (NT_SUCCESS(status = PhProtectVirtualMemory( NtCurrentProcess(), importThunkAddress, importThunkSize, PAGE_READWRITE, &importThunkProtect ))) { importThunk->u1.Function = (ULONG_PTR)FunctionAddress; PhProtectVirtualMemory( NtCurrentProcess(), importThunkAddress, importThunkSize, importThunkProtect, &importThunkProtect ); #ifdef _M_ARM64 NtFlushInstructionCache( NtCurrentProcess(), importThunkAddress, importThunkSize ); #endif } break; } } importDirectory++; } return status; } /** * Displays an error message when an import cannot be resolved during plugin loading. * * \param [in] BaseAddress The base address of the image that failed to load. * \param [in] ImportName The name of the DLL containing the unresolved import. * \param [in] OriginalThunk The thunk data for the unresolved import. * \remarks This function shows a user-friendly error dialog indicating which function * or ordinal could not be resolved from which module. This is typically called when * plugin loading fails due to missing dependencies. */ VOID PhLoaderEntrySnapShowErrorMessage( _In_ PVOID BaseAddress, _In_ PCSTR ImportName, _In_ PIMAGE_THUNK_DATA OriginalThunk ) { PPH_STRING fileName; if (!BaseAddress || !ImportName || !OriginalThunk) return; if (NT_SUCCESS(PhGetProcessMappedFileName(NtCurrentProcess(), BaseAddress, &fileName))) { PhMoveReference(&fileName, PhGetFileName(fileName)); PhMoveReference(&fileName, PhGetBaseName(fileName)); if (IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal)) { PhShowError2( NULL, L"Unable to load plugin.", L"Name: %s\r\nOrdinal: %u\r\nModule: %hs", PhGetStringOrEmpty(fileName), IMAGE_ORDINAL(OriginalThunk->u1.Ordinal), ImportName ); } else { PIMAGE_IMPORT_BY_NAME importByName; importByName = PTR_ADD_OFFSET(BaseAddress, OriginalThunk->u1.AddressOfData); PhShowError2( NULL, L"Unable to load plugin.", L"Name: %s\r\nFunction: %hs\r\nModule: %hs", PhGetStringOrEmpty(fileName), importByName->Name, ImportName ); } PhDereferenceObject(fileName); } } /** * Resolves a single import thunk by filling it with the actual function address. * * \param [in] BaseAddress The base address of the importing image. * \param [in] ImportBaseAddress The base address of the DLL containing the export. * \param [in] OriginalThunk The original thunk data containing the import information. * \param [in] ImportThunk The import thunk to be filled with the resolved address. * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER One of the required parameters is NULL. * \retval STATUS_ORDINAL_NOT_FOUND The import could not be resolved. * * \remarks This function handles both ordinal and name-based imports. For ordinal imports, * it uses the ordinal number directly. For name-based imports, it uses the hint value * for optimization before falling back to a full lookup. This is the core function for * binding imports during dynamic loading. */ NTSTATUS PhLoaderEntrySnapImportThunk( _In_ PVOID BaseAddress, _In_ PVOID ImportBaseAddress, _In_ PIMAGE_THUNK_DATA OriginalThunk, _In_ PIMAGE_THUNK_DATA ImportThunk ) { if (!BaseAddress || !ImportBaseAddress || !OriginalThunk || !ImportThunk) return STATUS_INVALID_PARAMETER; if (IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal)) { USHORT procedureOrdinal; PVOID procedureAddress; procedureOrdinal = IMAGE_ORDINAL(OriginalThunk->u1.Ordinal); procedureAddress = PhGetDllBaseProcedureAddress(ImportBaseAddress, NULL, procedureOrdinal); if (procedureAddress) { ImportThunk->u1.Function = (ULONG_PTR)procedureAddress; return STATUS_SUCCESS; } } else { PIMAGE_IMPORT_BY_NAME importByName; PVOID procedureAddress; importByName = PTR_ADD_OFFSET(BaseAddress, OriginalThunk->u1.AddressOfData); procedureAddress = PhGetDllBaseProcedureAddressWithHint(ImportBaseAddress, importByName->Name, importByName->Hint); if (procedureAddress) { ImportThunk->u1.Function = (ULONG_PTR)procedureAddress; return STATUS_SUCCESS; } } return STATUS_ORDINAL_NOT_FOUND; } #if defined(PH_NATIVE_LOADER_WORKQUEUE) typedef struct _PH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT { PVOID BaseAddress; PVOID ImportBaseAddress; PIMAGE_THUNK_DATA OriginalThunkData; PIMAGE_THUNK_DATA ImportThunkData; } PH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT, *PPH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT; /** * Thread pool callback function that resolves import thunks asynchronously. * * \param Instance The callback instance. * \param Context A pointer to the PH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT structure. * \param Work The work item. * \remarks This function is called by the thread pool to resolve imports in parallel when * PH_NATIVE_LOADER_WORKQUEUE is defined. It calls PhLoaderEntrySnapImportThunk() and raises * an exception on failure. The context is freed after processing. */ VOID CALLBACK LoaderEntryImageImportThunkWorkQueueCallback( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_opt_ PVOID Context, _Inout_ PTP_WORK Work ) { PPH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT context = (PPH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT)Context; NTSTATUS status; status = PhLoaderEntrySnapImportThunk( context->BaseAddress, context->ImportBaseAddress, context->OriginalThunkData, context->ImportThunkData ); if (!NT_SUCCESS(status)) { #ifdef DEBUG PhLoaderEntrySnapShowErrorMessage(context->BaseAddress, "ThunkWorkQueue", context->OriginalThunkData); #endif PhRaiseStatus(status); } PhFree(context); } #endif /** * Resolves all imports from a specific DLL for a single import descriptor. * * \param [in] BaseAddress The base address of the importing image. * \param [in] ImportDirectory The import descriptor for the DLL. * \param [in] ImportDllName The name of the DLL to resolve imports from. * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER One of the required parameters is NULL. * \remarks This function loads the specified DLL (if not already loaded), then iterates * through all import thunks for that DLL and resolves them to actual function addresses. * Special handling exists for self-imports (SystemInformer.exe importing from itself). * When PH_NATIVE_LOADER_WORKQUEUE is enabled, imports are resolved in parallel using a * thread pool for better performance. */ NTSTATUS PhLoaderEntrySnapImportDirectory( _In_ PVOID BaseAddress, _In_ PIMAGE_IMPORT_DESCRIPTOR ImportDirectory, _In_ PCSTR ImportDllName ) { NTSTATUS status = STATUS_UNSUCCESSFUL; PCSTR importName; PIMAGE_THUNK_DATA importThunk; PIMAGE_THUNK_DATA originalThunk; PVOID importBaseAddress; if (!BaseAddress || !ImportDirectory || !ImportDllName) return STATUS_INVALID_PARAMETER; importName = PTR_ADD_OFFSET(BaseAddress, ImportDirectory->Name); importThunk = PTR_ADD_OFFSET(BaseAddress, ImportDirectory->FirstThunk); originalThunk = PTR_ADD_OFFSET(BaseAddress, ImportDirectory->OriginalFirstThunk); if (PhEqualBytesZ(importName, ImportDllName, FALSE)) { importBaseAddress = NtCurrentImageBase(); } else { WCHAR dllImportName[DOS_MAX_PATH_LENGTH] = L""; PhZeroExtendToUtf16Buffer(importName, PhCountBytesZ(importName), dllImportName); importBaseAddress = PhLoadLibrary(dllImportName); } if (!importBaseAddress) { return STATUS_DLL_NOT_FOUND; } #if defined(PH_NATIVE_LOADER_WORKQUEUE) PTP_POOL loaderThreadpool; TP_CALLBACK_ENVIRON loaderThreadpoolEnvironment; PTP_CLEANUP_GROUP loaderThreadpoolCleanupGroup; status = TpAllocPool(&loaderThreadpool, NULL); if (!NT_SUCCESS(status)) return status; status = TpAllocCleanupGroup(&loaderThreadpoolCleanupGroup); if (!NT_SUCCESS(status)) goto CleanupExit; status = TpSetPoolMinThreads(loaderThreadpool, 1); // NtCurrentPeb()->ProcessParameters->LoaderThreads if (!NT_SUCCESS(status)) goto CleanupExit; TpSetPoolMaxThreads(loaderThreadpool, PhGetActiveProcessorCount(ALL_PROCESSOR_GROUPS)); TpInitializeCallbackEnviron(&loaderThreadpoolEnvironment); TpSetCallbackThreadpool(&loaderThreadpoolEnvironment, loaderThreadpool); TpSetCallbackCleanupGroup(&loaderThreadpoolEnvironment, loaderThreadpoolCleanupGroup, NULL); #endif while (originalThunk->u1.AddressOfData) { #if (PH_NATIVE_LOADER_WORKQUEUE) PPH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT context; PTP_WORK loaderThreadpoolWork; context = PhAllocateZero(sizeof(PH_LOADER_IMPORT_THUNK_WORKQUEUE_CONTEXT)); context->BaseAddress = BaseAddress; context->ImportBaseAddress = importBaseAddress; context->OriginalThunkData = originalThunk; context->ImportThunkData = importThunk; status = TpAllocWork( &loaderThreadpoolWork, LoaderEntryImageImportThunkWorkQueueCallback, context, &loaderThreadpoolEnvironment ); if (!NT_SUCCESS(status)) goto CleanupExit; TpPostWork(loaderThreadpoolWork); #else status = PhLoaderEntrySnapImportThunk( BaseAddress, importBaseAddress, originalThunk, importThunk ); if (!NT_SUCCESS(status)) { #ifdef DEBUG PhLoaderEntrySnapShowErrorMessage(BaseAddress, importName, originalThunk); #endif break; } #endif originalThunk++; importThunk++; } #if (PH_NATIVE_LOADER_WORKQUEUE) CleanupExit: TpReleaseCleanupGroupMembers(loaderThreadpoolCleanupGroup, FALSE, NULL); TpReleaseCleanupGroup(loaderThreadpoolCleanupGroup); TpReleasePool(loaderThreadpool); #endif return status; } #if (PH_NATIVE_LOADER_WORKQUEUE) typedef struct _PH_LOADER_IMPORTS_WORKQUEUE_CONTEXT { PVOID BaseAddress; PIMAGE_IMPORT_DESCRIPTOR ImportDirectory; PCSTR ImportName; } PH_LOADER_IMPORTS_WORKQUEUE_CONTEXT, *PPH_LOADER_IMPORTS_WORKQUEUE_CONTEXT; /** * Thread pool callback function that resolves import directories asynchronously. * * \param [in,out] Instance The callback instance. * \param [in,out,opt] Context A pointer to the PH_LOADER_IMPORTS_WORKQUEUE_CONTEXT structure. * \param [in,out] Work The work item. * \remarks This function is called by the thread pool to resolve import directories in parallel * when PH_NATIVE_LOADER_WORKQUEUE is defined. It calls PhLoaderEntrySnapImportDirectory() and * raises an exception on failure. The context is freed after processing. */ VOID CALLBACK LoaderEntryImageImportsWorkQueueCallback( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_opt_ PVOID Context, _Inout_ PTP_WORK Work ) { PPH_LOADER_IMPORTS_WORKQUEUE_CONTEXT context = (PPH_LOADER_IMPORTS_WORKQUEUE_CONTEXT)Context; NTSTATUS status; status = PhLoaderEntrySnapImportDirectory( context->BaseAddress, context->ImportDirectory, context->ImportName ); if (!NT_SUCCESS(status)) { PhRaiseStatus(status); } PhFree(context); } #endif /** * Resolves all standard imports for a loaded image from a specific DLL. * * \param [in] BaseAddress The base address of the image. * \param [in] ImageNtHeader The NT headers of the image. * \param [in] ImportDllName The name of the DLL to resolve imports from. * \return NTSTATUS Successful or errant status. * \remarks This function processes the import directory table, locating all import descriptors * and resolving their thunks. Memory protection is temporarily changed to PAGE_READWRITE to * allow updating the IAT, then restored. On ARM64, the instruction cache is flushed after * updates. When PH_NATIVE_LOADER_WORKQUEUE is enabled, import directories are processed * in parallel using a thread pool. */ static NTSTATUS PhpFixupLoaderEntryImageImports( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, _In_ PCSTR ImportDllName ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_IMPORT_DESCRIPTOR importDirectory; PVOID importDirectorySectionAddress; SIZE_T importDirectorySectionSize; ULONG importDirectoryProtect; status = PhGetLoaderEntryImageDirectory( BaseAddress, ImageNtHeader, IMAGE_DIRECTORY_ENTRY_IMPORT, &dataDirectory, &importDirectory, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetLoaderEntryImageVaToSection( BaseAddress, ImageNtHeader, importDirectory, &importDirectorySectionAddress, &importDirectorySectionSize ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhProtectVirtualMemory( NtCurrentProcess(), importDirectorySectionAddress, importDirectorySectionSize, PAGE_READWRITE, &importDirectoryProtect ); if (!NT_SUCCESS(status)) goto CleanupExit; #if (PH_NATIVE_LOADER_WORKQUEUE) PTP_POOL loaderThreadpool; TP_CALLBACK_ENVIRON loaderThreadpoolEnvironment; PTP_CLEANUP_GROUP loaderThreadpoolCleanupGroup; status = TpAllocPool(&loaderThreadpool, NULL); if (!NT_SUCCESS(status)) goto CleanupExit; status = TpAllocCleanupGroup(&loaderThreadpoolCleanupGroup); if (!NT_SUCCESS(status)) goto CleanupExit; status = TpSetPoolMinThreads(loaderThreadpool, 8); if (!NT_SUCCESS(status)) goto CleanupExit; TpSetPoolMaxThreads(loaderThreadpool, 8); TpInitializeCallbackEnviron(&loaderThreadpoolEnvironment); TpSetCallbackThreadpool(&loaderThreadpoolEnvironment, loaderThreadpool); TpSetCallbackCleanupGroup(&loaderThreadpoolEnvironment, loaderThreadpoolCleanupGroup, NULL); #endif while (importDirectory->Name && importDirectory->OriginalFirstThunk) { #if (PH_NATIVE_LOADER_WORKQUEUE) PPH_LOADER_IMPORTS_WORKQUEUE_CONTEXT context; PTP_WORK loaderThreadpoolWork; context = PhAllocateZero(sizeof(PH_LOADER_IMPORTS_WORKQUEUE_CONTEXT)); context->BaseAddress = BaseAddress; context->ImportDirectory = importDirectory; context->ImportName = ImportDllName; status = TpAllocWork( &loaderThreadpoolWork, LoaderEntryImageImportsWorkQueueCallback, context, &loaderThreadpoolEnvironment ); if (!NT_SUCCESS(status)) goto CleanupExit; TpPostWork(loaderThreadpoolWork); #else status = PhLoaderEntrySnapImportDirectory( BaseAddress, importDirectory, ImportDllName ); if (!NT_SUCCESS(status)) goto CleanupExit; #endif importDirectory++; } #if (PH_NATIVE_LOADER_WORKQUEUE) // Wait for all callbacks to finish. TpReleaseCleanupGroupMembers(loaderThreadpoolCleanupGroup, FALSE, NULL); // Clean up the pool. TpReleaseCleanupGroup(loaderThreadpoolCleanupGroup); TpReleasePool(loaderThreadpool); #endif status = PhProtectVirtualMemory( NtCurrentProcess(), importDirectorySectionAddress, importDirectorySectionSize, importDirectoryProtect, &importDirectoryProtect ); CleanupExit: #ifdef _M_ARM64 NtFlushInstructionCache( NtCurrentProcess(), importDirectorySectionAddress, importDirectorySectionSize ); #endif return status; } /** * Resolves all delay-load imports for a loaded image from a specific DLL. * * \param [in] BaseAddress The base address of the image. * \param [in] ImageNtHeaders The NT headers of the image. * \param [in] ImportDllName The name of the DLL to resolve delay-load imports from. * \return NTSTATUS Successful or errant status. * \retval STATUS_SUCCESS All delay-load imports were resolved or no delay-load imports exist. * \remarks Delay-load imports are resolved on-demand rather than at load time. This function * processes the delay-load import directory, loading required DLLs and binding their imports. * Special handling exists for self-imports and cached module handles. If the import DLL is already * cached in the module handle, it is reused to avoid redundant loading. */ static NTSTATUS PhpFixupLoaderEntryImageDelayImports( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeaders, _In_ PCSTR ImportDllName ) { NTSTATUS status; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_DELAYLOAD_DESCRIPTOR delayImportDirectory; PVOID importDirectorySectionAddress; SIZE_T importDirectorySectionSize; ULONG importDirectoryProtect; status = PhGetLoaderEntryImageDirectory( BaseAddress, ImageNtHeaders, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, &dataDirectory, &delayImportDirectory, NULL ); if (!NT_SUCCESS(status)) { if (status == STATUS_INVALID_FILE_FOR_SECTION) status = STATUS_SUCCESS; return status; } status = PhGetLoaderEntryImageVaToSection( BaseAddress, ImageNtHeaders, PTR_ADD_OFFSET(BaseAddress, delayImportDirectory->ImportAddressTableRVA), &importDirectorySectionAddress, &importDirectorySectionSize ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhProtectVirtualMemory( NtCurrentProcess(), importDirectorySectionAddress, importDirectorySectionSize, PAGE_READWRITE, &importDirectoryProtect ); if (!NT_SUCCESS(status)) goto CleanupExit; while (delayImportDirectory->ImportAddressTableRVA && delayImportDirectory->ImportNameTableRVA) { PCSTR importName; PVOID* importHandle; PIMAGE_THUNK_DATA importAddressTable; PIMAGE_THUNK_DATA importNameTable; PVOID importBaseAddress; BOOLEAN importNeedsFree = FALSE; importName = PTR_ADD_OFFSET(BaseAddress, delayImportDirectory->DllNameRVA); importHandle = PTR_ADD_OFFSET(BaseAddress, delayImportDirectory->ModuleHandleRVA); importAddressTable = PTR_ADD_OFFSET(BaseAddress, delayImportDirectory->ImportAddressTableRVA); importNameTable = PTR_ADD_OFFSET(BaseAddress, delayImportDirectory->ImportNameTableRVA); if (PhEqualBytesZ(importName, ImportDllName, TRUE)) { if (PhEqualBytesZ(importName, "SystemInformer.exe", FALSE)) { importBaseAddress = NtCurrentImageBase(); status = STATUS_SUCCESS; } else if (ReadPointerAcquire(importHandle)) { importBaseAddress = ReadPointerAcquire(importHandle); status = STATUS_SUCCESS; } else { WCHAR dllImportName[DOS_MAX_PATH_LENGTH] = L""; PhZeroExtendToUtf16Buffer(importName, PhCountBytesZ(importName), dllImportName); if (importBaseAddress = PhLoadLibrary(dllImportName)) { importNeedsFree = TRUE; status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } } if (!NT_SUCCESS(status)) break; if (!importBaseAddress) { status = STATUS_UNSUCCESSFUL; break; } while (importNameTable->u1.AddressOfData) { status = PhLoaderEntrySnapImportThunk( BaseAddress, importBaseAddress, importNameTable, importAddressTable ); if (!NT_SUCCESS(status)) break; importAddressTable++; importNameTable++; } if ((InterlockedExchangePointer(importHandle, importBaseAddress) == importBaseAddress) && importNeedsFree) { PhFreeLibrary(importBaseAddress); // A different thread has already updated the cache. } } delayImportDirectory++; } if (!NT_SUCCESS(status)) goto CleanupExit; status = PhProtectVirtualMemory( NtCurrentProcess(), importDirectorySectionAddress, importDirectorySectionSize, importDirectoryProtect, &importDirectoryProtect ); CleanupExit: #ifdef _M_ARM64 NtFlushInstructionCache( NtCurrentProcess(), importDirectorySectionAddress, importDirectorySectionSize ); #endif return status; } /** * Validates that a section handle represents a valid executable DLL image. * * \param [in] SectionHandle A handle to the section to validate. * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_IMPORT_OF_NON_DLL The section is not a valid DLL or executable. * \retval STATUS_IMAGE_MACHINE_TYPE_MISMATCH The image architecture doesn't match the process. * \remarks This function queries section information to verify it's a Windows GUI subsystem * image with DLL and executable characteristics. It also validates the machine type matches * the current process architecture (x64 for 64-bit processes, x86 for 32-bit processes). * ARM64 images are also accepted on 64-bit processes. */ NTSTATUS PhLoaderEntryIsSectionImageExecutable( _In_ HANDLE SectionHandle ) { NTSTATUS status; SECTION_IMAGE_INFORMATION sectionInfo; status = NtQuerySection( SectionHandle, SectionImageInformation, §ionInfo, sizeof(SECTION_IMAGE_INFORMATION), NULL ); if (!NT_SUCCESS(status)) return status; if (sectionInfo.SubSystemType != IMAGE_SUBSYSTEM_WINDOWS_GUI) return STATUS_INVALID_IMPORT_OF_NON_DLL; if (!FlagOn(sectionInfo.ImageCharacteristics, IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE)) return STATUS_INVALID_IMPORT_OF_NON_DLL; #ifdef _WIN64 if (sectionInfo.Machine != IMAGE_FILE_MACHINE_AMD64 && sectionInfo.Machine != IMAGE_FILE_MACHINE_ARM64) return STATUS_IMAGE_MACHINE_TYPE_MISMATCH; #else if (sectionInfo.Machine != IMAGE_FILE_MACHINE_I386) return STATUS_IMAGE_MACHINE_TYPE_MISMATCH; #endif return STATUS_SUCCESS; } /** * Applies base relocations to an image loaded at a different address than its preferred base. * * \param [in] BaseAddress The base address where the image is loaded. * \return NTSTATUS Successful or errant status. * \remarks This function is essential when loading DLLs at non-preferred base addresses due to * ASLR or address conflicts. It calculates the relocation delta (actual base - preferred base), * then iterates through all relocation blocks applying fixups to adjust pointers. */ NTSTATUS PhLoaderEntryRelocateImage( _In_ PVOID BaseAddress) { NTSTATUS status; PIMAGE_NT_HEADERS imageNtHeader; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_BASE_RELOCATION relocationDirectory; PVOID relocationDirectoryEnd; ULONG_PTR relocationDelta; status = PhGetLoaderEntryImageNtHeaders( BaseAddress, &imageNtHeader ); if (!NT_SUCCESS(status)) return status; status = PhGetLoaderEntryImageDirectory( BaseAddress, imageNtHeader, IMAGE_DIRECTORY_ENTRY_BASERELOC, &dataDirectory, &relocationDirectory, NULL ); if (!NT_SUCCESS(status)) return status; if (FlagOn(imageNtHeader->FileHeader.Characteristics, IMAGE_FILE_RELOCS_STRIPPED)) return STATUS_SUCCESS; for (USHORT i = 0; i < imageNtHeader->FileHeader.NumberOfSections; i++) { PIMAGE_SECTION_HEADER sectionHeader; PVOID sectionHeaderAddress; SIZE_T sectionHeaderSize; ULONG sectionProtectionJunk = 0; sectionHeader = PTR_ADD_OFFSET(IMAGE_FIRST_SECTION(imageNtHeader), UInt32x32To64(IMAGE_SIZEOF_SECTION_HEADER, i)); sectionHeaderAddress = PTR_ADD_OFFSET(BaseAddress, sectionHeader->VirtualAddress); sectionHeaderSize = sectionHeader->SizeOfRawData; status = PhProtectVirtualMemory( NtCurrentProcess(), sectionHeaderAddress, sectionHeaderSize, PAGE_READWRITE, §ionProtectionJunk ); if (!NT_SUCCESS(status)) break; } if (!NT_SUCCESS(status)) return status; relocationDirectoryEnd = PTR_ADD_OFFSET(relocationDirectory, dataDirectory->Size); relocationDelta = (ULONG_PTR)PTR_SUB_OFFSET(BaseAddress, imageNtHeader->OptionalHeader.ImageBase); while ((ULONG_PTR)relocationDirectory < (ULONG_PTR)relocationDirectoryEnd) { ULONG relocationCount; PVOID relocationAddress; PIMAGE_RELOCATION_RECORD relocations; relocationCount = (relocationDirectory->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_RECORD); relocationAddress = PTR_ADD_OFFSET(BaseAddress, relocationDirectory->VirtualAddress); relocations = PTR_ADD_OFFSET(relocationDirectory, RTL_SIZEOF_THROUGH_FIELD(IMAGE_BASE_RELOCATION, SizeOfBlock)); for (ULONG i = 0; i < relocationCount; i++) { switch (relocations[i].Type) { case IMAGE_REL_BASED_LOW: *(PUSHORT)PTR_ADD_OFFSET(relocationAddress, relocations[i].Offset) += (USHORT)relocationDelta; break; case IMAGE_REL_BASED_HIGHLOW: *(PULONG)PTR_ADD_OFFSET(relocationAddress, relocations[i].Offset) += (ULONG)relocationDelta; break; case IMAGE_REL_BASED_DIR64: *(PULONGLONG)PTR_ADD_OFFSET(relocationAddress, relocations[i].Offset) += (ULONGLONG)relocationDelta; break; } } relocationDirectory = PTR_ADD_OFFSET(relocationDirectory, relocationDirectory->SizeOfBlock); } for (USHORT i = 0; i < imageNtHeader->FileHeader.NumberOfSections; i++) { PIMAGE_SECTION_HEADER sectionHeader; PVOID sectionHeaderAddress; SIZE_T sectionHeaderSize; ULONG sectionProtection = 0; ULONG sectionProtectionJunk = 0; sectionHeader = PTR_ADD_OFFSET(IMAGE_FIRST_SECTION(imageNtHeader), UInt32x32To64(IMAGE_SIZEOF_SECTION_HEADER, i)); sectionHeaderAddress = PTR_ADD_OFFSET(BaseAddress, sectionHeader->VirtualAddress); sectionHeaderSize = sectionHeader->SizeOfRawData; if (FlagOn(sectionHeader->Characteristics, IMAGE_SCN_MEM_READ)) sectionProtection = PAGE_READONLY; if (FlagOn(sectionHeader->Characteristics, IMAGE_SCN_MEM_WRITE)) sectionProtection = PAGE_WRITECOPY; if (FlagOn(sectionHeader->Characteristics, IMAGE_SCN_MEM_EXECUTE)) sectionProtection = PAGE_EXECUTE; if (FlagOn(sectionHeader->Characteristics, IMAGE_SCN_MEM_READ) && FlagOn(sectionHeader->Characteristics, IMAGE_SCN_MEM_EXECUTE)) sectionProtection = PAGE_EXECUTE_READ; if (FlagOn(sectionHeader->Characteristics, IMAGE_SCN_MEM_WRITE) && FlagOn(sectionHeader->Characteristics, IMAGE_SCN_MEM_EXECUTE)) sectionProtection = PAGE_EXECUTE_READWRITE; status = PhProtectVirtualMemory( NtCurrentProcess(), sectionHeaderAddress, sectionHeaderSize, sectionProtection, §ionProtectionJunk ); #ifdef _M_ARM64 NtFlushInstructionCache( NtCurrentProcess(), sectionHeaderAddress, sectionHeaderSize ); #endif if (!NT_SUCCESS(status)) break; } return status; } /** * Retrieves the export name for a given ordinal from a DLL. * * \param [in] DllBase The base address of the DLL. * \param [in,opt] ProcedureNumber The ordinal number of the exported function. * \return A string containing the export name, or NULL if not found. * \remarks This function searches the export name table for an entry matching the specified * ordinal. If found and not a forwarder, it returns the function name. If the export is a * forwarder (RVA within the export directory), it returns the forwarder string. The returned * string must be freed by the caller using PhDereferenceObject(). */ PPH_STRING PhGetExportNameFromOrdinal( _In_ PVOID DllBase, _In_opt_ USHORT ProcedureNumber ) { PIMAGE_NT_HEADERS imageNtHeader; PIMAGE_DATA_DIRECTORY dataDirectory; PIMAGE_EXPORT_DIRECTORY exportDirectory; PULONG exportAddressTable; PULONG exportNameTable; PUSHORT exportOrdinalTable; ULONG i; if (!NT_SUCCESS(PhGetLoaderEntryImageNtHeaders(DllBase, &imageNtHeader))) return NULL; if (!NT_SUCCESS(PhGetLoaderEntryImageDirectory( DllBase, imageNtHeader, IMAGE_DIRECTORY_ENTRY_EXPORT, &dataDirectory, &exportDirectory, NULL ))) return NULL; exportAddressTable = PTR_ADD_OFFSET(DllBase, exportDirectory->AddressOfFunctions); exportNameTable = PTR_ADD_OFFSET(DllBase, exportDirectory->AddressOfNames); exportOrdinalTable = PTR_ADD_OFFSET(DllBase, exportDirectory->AddressOfNameOrdinals); for (i = 0; i < exportDirectory->NumberOfNames; i++) { if ((exportOrdinalTable[i] + exportDirectory->Base) == ProcedureNumber) { PVOID baseAddress = PTR_ADD_OFFSET(DllBase, exportAddressTable[exportOrdinalTable[i]]); if ( ((ULONG_PTR)baseAddress >= (ULONG_PTR)exportDirectory) && ((ULONG_PTR)baseAddress < (ULONG_PTR)PTR_ADD_OFFSET(exportDirectory, dataDirectory->Size)) ) { // This is a forwarder RVA. return PhZeroExtendToUtf16((PCSTR)baseAddress); } else { return PhZeroExtendToUtf16(PTR_ADD_OFFSET(DllBase, exportNameTable[i])); } } } return NULL; } /** * Loads a DLL from a file into the current process using native loader functionality. * * \param [in] FileName The path to the DLL file as a string reference. * \param [in,opt] RootDirectory An optional handle to a root directory for relative paths. * \param [out] BaseAddress A pointer that receives the base address of the loaded DLL. * \return NTSTATUS Successful or errant status. * \remarks This is only built to support plugins. */ NTSTATUS PhLoaderEntryLoadDll( _In_ PCPH_STRINGREF FileName, _In_opt_ HANDLE RootDirectory, _Out_ PVOID* BaseAddress ) { NTSTATUS status; HANDLE fileHandle; HANDLE sectionHandle; PVOID imageBaseAddress; SIZE_T imageBaseSize; status = PhCreateFileEx( &fileHandle, FileName, FILE_READ_DATA | FILE_EXECUTE | SYNCHRONIZE, RootDirectory, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL ); if (!NT_SUCCESS(status)) return status; status = PhCreateSection( §ionHandle, SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE, NULL, PAGE_EXECUTE, SEC_IMAGE, fileHandle ); NtClose(fileHandle); if (!NT_SUCCESS(status)) return status; status = PhLoaderEntryIsSectionImageExecutable( sectionHandle ); if (!NT_SUCCESS(status)) { NtClose(sectionHandle); return status; } imageBaseAddress = NULL; imageBaseSize = 0; status = PhMapViewOfSection( sectionHandle, NtCurrentProcess(), &imageBaseAddress, 0, NULL, &imageBaseSize, ViewUnmap, 0, PAGE_EXECUTE ); NtClose(sectionHandle); if (status == STATUS_IMAGE_NOT_AT_BASE) { status = PhLoaderEntryRelocateImage(imageBaseAddress); } if (NT_SUCCESS(status)) { if (BaseAddress) { *BaseAddress = imageBaseAddress; } } else { PhUnmapViewOfSection(NtCurrentProcess(), imageBaseAddress); } return status; } /** * Unloads a manually-loaded DLL from the current process. * * \param [in] BaseAddress The base address of the DLL to unload. * \return NTSTATUS Successful or errant status. * \remarks This function calls the DLL's entry point with DLL_PROCESS_DETACH to allow it to * perform cleanup operations, then unmaps the image from the process address space. If the * DLL entry point returns FALSE during detachment, STATUS_DLL_INIT_FAILED is returned. * This is the cleanup counterpart to PhLoaderEntryLoadDll(). */ NTSTATUS PhLoaderEntryUnloadDll( _In_ PVOID BaseAddress ) { NTSTATUS status; PIMAGE_NT_HEADERS imageNtHeaders; PDLL_INIT_ROUTINE imageEntryRoutine; status = PhGetLoaderEntryImageNtHeaders( BaseAddress, &imageNtHeaders ); if (!NT_SUCCESS(status)) return status; status = PhGetLoaderEntryImageEntryPoint( BaseAddress, imageNtHeaders, &imageEntryRoutine ); if (!NT_SUCCESS(status)) return status; if (!imageEntryRoutine(BaseAddress, DLL_PROCESS_DETACH, NULL)) status = STATUS_DLL_INIT_FAILED; PhUnmapViewOfSection(NtCurrentProcess(), BaseAddress); return status; } /** * Resolves all delay-load imports for a specific DLL within a loaded image. * * \param [in] BaseAddress The base address of the image to process. * \param [in] ImportDllName The name of the DLL whose imports should be resolved (e.g., "SystemInformer.exe"). * \return NTSTATUS Successful or errant status. * \remarks This function resolves delay-load imports from the specified DLL by calling * PhpFixupLoaderEntryImageDelayImports(). Delay-load imports are not resolved at load time * but are instead resolved on first use. This function allows preemptive resolution, which * is useful for plugins that need to ensure all imports from the host application are * available before proceeding. */ NTSTATUS PhLoaderEntryLoadAllImportsForDll( _In_ PVOID BaseAddress, _In_ PCSTR ImportDllName ) { NTSTATUS status; PIMAGE_NT_HEADERS imageNtHeaders; status = PhGetLoaderEntryImageNtHeaders( BaseAddress, &imageNtHeaders ); if (!NT_SUCCESS(status)) return status; status = PhpFixupLoaderEntryImageDelayImports( BaseAddress, imageNtHeaders, ImportDllName ); return status; } /** * Resolves all delay-load imports for a specific DLL within a loaded image identified by name. * * \param [in] TargetDllName The name of the target DLL whose imports should be resolved. * \param [in] ImportDllName The name of the DLL to import from (e.g., "SystemInformer.exe"). * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER The target DLL was not found in the process. * \remarks This is a convenience wrapper around PhLoaderEntryLoadAllImportsForDll() that * looks up the DLL by name in the loader data structures. It's useful when you know the * DLL name but not its base address. */ NTSTATUS PhLoadAllImportsForDll( _In_ PCWSTR TargetDllName, _In_ PCSTR ImportDllName ) { PVOID imageBaseAddress; if (!(imageBaseAddress = PhGetLoaderEntryDllBaseZ(TargetDllName))) return STATUS_INVALID_PARAMETER; return PhLoaderEntryLoadAllImportsForDll( imageBaseAddress, ImportDllName ); } /** * Loads a System Informer plugin image with full initialization. * * \param FileName The path to the plugin DLL as a string reference. * \param RootDirectory An optional handle to a root directory for relative paths. * \param BaseAddress An optional pointer that receives the base address of the loaded plugin. * \return NTSTATUS Successful or errant status. * \retval STATUS_DLL_INIT_FAILED The plugin's DllMain returned FALSE during initialization. * \remarks This function performs a complete plugin load sequence: * 1. Loads the plugin using PhLoaderEntryLoadDll() or LdrLoadDll() (if PH_NATIVE_PLUGIN_IMAGE_LOAD is defined) * 2. Resolves standard imports from SystemInformer.exe (this is required since the executable might be renamed) * 3. Resolves delay-load imports from SystemInformer.exe (this is required since the executable might be renamed) * 4. Calls the plugin's DllMain with DLL_PROCESS_ATTACH (optionally including an extra internal context) * The loader lock is held during the operation unless PH_NATIVE_PLUGIN_IMAGE_LOAD is defined. * On failure, the plugin is unloaded before returning. */ NTSTATUS PhLoadPluginImage( _In_ PCPH_STRINGREF FileName, _In_opt_ HANDLE RootDirectory, _Out_opt_ PVOID *BaseAddress ) { NTSTATUS status; PVOID imageBaseAddress; PIMAGE_NT_HEADERS imageNtHeaders; PDLL_INIT_ROUTINE imageEntryRoutine; #if defined(PH_NATIVE_PLUGIN_IMAGE_LOAD) UNICODE_STRING imageFileName; ULONG imageType; if (!PhStringRefToUnicodeString(FileName, &imageFileName)) return STATUS_NAME_TOO_LONG; imageType = IMAGE_FILE_EXECUTABLE_IMAGE; status = LdrLoadDll( NULL, &imageType, &imageFileName, &imageBaseAddress ); #else PhAcquireLoaderLock(); status = PhLoaderEntryLoadDll( FileName, RootDirectory, &imageBaseAddress ); #endif if (!NT_SUCCESS(status)) { #if !defined(PH_NATIVE_PLUGIN_IMAGE_LOAD) PhReleaseLoaderLock(); #endif return status; } status = PhGetLoaderEntryImageNtHeaders( imageBaseAddress, &imageNtHeaders ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhpFixupLoaderEntryImageImports( imageBaseAddress, imageNtHeaders, "SystemInformer.exe" ); if (!NT_SUCCESS(status)) goto CleanupExit; //status = PhLoaderEntryLoadAllImportsForDll(imageBaseAddress, "SystemInformer.exe"); status = PhpFixupLoaderEntryImageDelayImports( imageBaseAddress, imageNtHeaders, "SystemInformer.exe" ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetLoaderEntryImageEntryPoint( imageBaseAddress, imageNtHeaders, &imageEntryRoutine ); if (!NT_SUCCESS(status)) goto CleanupExit; if (!imageEntryRoutine(imageBaseAddress, DLL_PROCESS_ATTACH, NULL)) status = STATUS_DLL_INIT_FAILED; CleanupExit: if (NT_SUCCESS(status)) { if (BaseAddress) { *BaseAddress = imageBaseAddress; } } else { #if defined(PH_NATIVE_PLUGIN_IMAGE_LOAD) LdrUnloadDll(imageBaseAddress); #else PhLoaderEntryUnloadDll(imageBaseAddress); #endif } #if !defined(PH_NATIVE_PLUGIN_IMAGE_LOAD) PhReleaseLoaderLock(); #endif return status; } /** * Determines the binary type of an executable file (32-bit, 64-bit, or DOS). * * \param FileName The path to the executable file. * \param BinaryType A pointer that receives the binary type constant (SCS_32BIT_BINARY, SCS_64BIT_BINARY, or SCS_DOS_BINARY). * \return NTSTATUS Successful or errant status. * \remarks This function mimics the behavior of GetBinaryTypeW by creating a SEC_IMAGE section * and querying its machine type. It returns: * - SCS_32BIT_BINARY for x86 images or STATUS_INVALID_IMAGE_WIN_32 * - SCS_64BIT_BINARY for x64/IA64 images or STATUS_INVALID_IMAGE_WIN_64 * - SCS_DOS_BINARY for DOS executables (STATUS_INVALID_IMAGE_PROTECT) or .COM/.PIF/.EXE files without valid PE headers * This is useful for determining compatibility before attempting to load an image. */ // based on GetBinaryTypeW (dmex) NTSTATUS PhGetFileBinaryTypeWin32( _In_ PCWSTR FileName, _Out_ PULONG BinaryType ) { NTSTATUS status; HANDLE fileHandle; HANDLE sectionHandle; UNICODE_STRING fileName; IO_STATUS_BLOCK ioStatusBlock; OBJECT_ATTRIBUTES objectAttributes; SECTION_IMAGE_INFORMATION section; RtlZeroMemory(§ion, sizeof(SECTION_IMAGE_INFORMATION)); status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenFile( &fileHandle, FILE_READ_DATA | FILE_EXECUTE | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateSection( §ionHandle, SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE, NULL, PAGE_EXECUTE, SEC_IMAGE, fileHandle ); NtClose(fileHandle); if (!NT_SUCCESS(status)) goto CleanupExit; status = NtQuerySection( sectionHandle, SectionImageInformation, §ion, sizeof(SECTION_IMAGE_INFORMATION), NULL ); NtClose(sectionHandle); CleanupExit: RtlFreeUnicodeString(&fileName); if (NT_SUCCESS(status)) { switch (section.Machine) { case IMAGE_FILE_MACHINE_I386: { *BinaryType = SCS_32BIT_BINARY; } return STATUS_SUCCESS; case IMAGE_FILE_MACHINE_IA64: case IMAGE_FILE_MACHINE_AMD64: { *BinaryType = SCS_64BIT_BINARY; } return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } else { switch (status) { case STATUS_INVALID_IMAGE_PROTECT: { *BinaryType = SCS_DOS_BINARY; } return STATUS_SUCCESS; case STATUS_INVALID_IMAGE_NOT_MZ: { static PH_STRINGREF extensionCOM = PH_STRINGREF_INIT(L".COM"); static PH_STRINGREF extensionPIF = PH_STRINGREF_INIT(L".PIF"); static PH_STRINGREF extensionEXE = PH_STRINGREF_INIT(L".EXE"); PH_STRINGREF fileNameSr; PhInitializeStringRefLongHint(&fileNameSr, FileName); if ( PhEndsWithStringRef(&fileNameSr, &extensionCOM, TRUE) || PhEndsWithStringRef(&fileNameSr, &extensionPIF, TRUE) || PhEndsWithStringRef(&fileNameSr, &extensionEXE, TRUE) ) { *BinaryType = SCS_DOS_BINARY; return STATUS_SUCCESS; } } break; case STATUS_INVALID_IMAGE_WIN_32: { *BinaryType = SCS_32BIT_BINARY; } return STATUS_SUCCESS; case STATUS_INVALID_IMAGE_WIN_64: { *BinaryType = SCS_64BIT_BINARY; } return STATUS_SUCCESS; } } return status; } /** * Converts a system DLL init block from the current OS version layout to the latest layout. * * \param[in] Source A buffer returned or copied from LdrSystemDllInitBlock. * \param[out] Destination A buffer for storing a version-independent copy of the structure. */ NTSTATUS PhCaptureSystemDllInitBlock( _In_ PVOID Source, _Out_ PPS_SYSTEM_DLL_INIT_BLOCK Destination ) { ULONG sourceSize; RtlZeroMemory(Destination, sizeof(PS_SYSTEM_DLL_INIT_BLOCK)); if (WindowsVersion >= WINDOWS_10_20H1) { PPS_SYSTEM_DLL_INIT_BLOCK_V3 source = (PPS_SYSTEM_DLL_INIT_BLOCK_V3)Source; sourceSize = source->Size; if (sourceSize > sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V3)) sourceSize = sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V3); // No adjustments necessary for the latest layout RtlCopyMemory(Destination, source, sourceSize); Destination->Size = sourceSize; return STATUS_SUCCESS; } else if (WindowsVersion >= WINDOWS_10_RS2) { PPS_SYSTEM_DLL_INIT_BLOCK_V2 source = (PPS_SYSTEM_DLL_INIT_BLOCK_V2)Source; sourceSize = source->Size; if (sourceSize > sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V2)) sourceSize = sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V2); // Everything up to and including Flags uses the same layout if (RTL_CONTAINS_FIELD(source, sourceSize, Flags)) { RtlCopyMemory( Destination, source, RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK_V2, Flags) ); Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, Flags); } // Mitigation options include 2 out of 3 values if (RTL_CONTAINS_FIELD(source, sourceSize, MitigationOptionsMap)) { Destination->MitigationOptionsMap.Map[0] = source->MitigationOptionsMap.Map[0]; Destination->MitigationOptionsMap.Map[1] = source->MitigationOptionsMap.Map[1]; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, MitigationOptionsMap.Map[1]); } // The subsequent fields are shifted if (RTL_CONTAINS_FIELD(source, sourceSize, CfgBitMap)) { Destination->CfgBitMap = source->CfgBitMap; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, CfgBitMap); } if (RTL_CONTAINS_FIELD(source, sourceSize, CfgBitMapSize)) { Destination->CfgBitMapSize = source->CfgBitMapSize; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, CfgBitMapSize); } if (RTL_CONTAINS_FIELD(source, sourceSize, Wow64CfgBitMap)) { Destination->Wow64CfgBitMap = source->Wow64CfgBitMap; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, Wow64CfgBitMap); } if (RTL_CONTAINS_FIELD(source, sourceSize, Wow64CfgBitMapSize)) { Destination->Wow64CfgBitMapSize = source->Wow64CfgBitMapSize; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, Wow64CfgBitMapSize); } // Mitigation audit options include 2 out of 3 values if (RTL_CONTAINS_FIELD(source, sourceSize, MitigationAuditOptionsMap)) { Destination->MitigationAuditOptionsMap.Map[0] = source->MitigationAuditOptionsMap.Map[0]; Destination->MitigationAuditOptionsMap.Map[1] = source->MitigationAuditOptionsMap.Map[1]; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, MitigationAuditOptionsMap.Map[1]); } return STATUS_SUCCESS; } else if (WindowsVersion >= PHNT_WINDOWS_8) { PPS_SYSTEM_DLL_INIT_BLOCK_V1 source = (PPS_SYSTEM_DLL_INIT_BLOCK_V1)Source; sourceSize = source->Size; if (sourceSize > sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V1)) sourceSize = sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V1); // All fields are shifted if (RTL_CONTAINS_FIELD(source, sourceSize, SystemDllWowRelocation)) { Destination->SystemDllWowRelocation = source->SystemDllWowRelocation; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, SystemDllWowRelocation); } if (RTL_CONTAINS_FIELD(source, sourceSize, SystemDllNativeRelocation)) { Destination->SystemDllNativeRelocation = source->SystemDllNativeRelocation; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, SystemDllNativeRelocation); } if (RTL_CONTAINS_FIELD(source, sourceSize, Wow64SharedInformation)) { RtlCopyMemory( &Destination->Wow64SharedInformation, &source->Wow64SharedInformation, RTL_FIELD_SIZE(PS_SYSTEM_DLL_INIT_BLOCK_V1, Wow64SharedInformation) ); Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, Wow64SharedInformation); } if (RTL_CONTAINS_FIELD(source, sourceSize, RngData)) { Destination->RngData = source->RngData; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, RngData); } if (RTL_CONTAINS_FIELD(source, sourceSize, Flags)) { Destination->Flags = source->Flags; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, Flags); } // Mitigation options include 1 out of 3 values if (RTL_CONTAINS_FIELD(source, sourceSize, MitigationOptions)) { Destination->MitigationOptionsMap.Map[0] = source->MitigationOptions; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, MitigationOptionsMap.Map[0]); } if (RTL_CONTAINS_FIELD(source, sourceSize, CfgBitMap)) { Destination->CfgBitMap = source->CfgBitMap; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, CfgBitMap); } if (RTL_CONTAINS_FIELD(source, sourceSize, CfgBitMapSize)) { Destination->CfgBitMapSize = source->CfgBitMapSize; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, CfgBitMapSize); } if (RTL_CONTAINS_FIELD(source, sourceSize, Wow64CfgBitMap)) { Destination->Wow64CfgBitMap = source->Wow64CfgBitMap; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, Wow64CfgBitMap); } if (RTL_CONTAINS_FIELD(source, sourceSize, Wow64CfgBitMapSize)) { Destination->Wow64CfgBitMapSize = source->Wow64CfgBitMapSize; Destination->Size = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, Wow64CfgBitMapSize); } return STATUS_SUCCESS; } return STATUS_NOT_SUPPORTED; } /** * Retrieves a copy of the system DLL init block of the current process. * * \param[out] SystemDllInitBlock A buffer for storing a version-independent copy of LdrSystemDllInitBlock. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSystemDllInitBlock( _Out_ PPS_SYSTEM_DLL_INIT_BLOCK SystemDllInitBlock ) { PVOID systemDllInitBlock; if (!LdrSystemDllInitBlock_Import()) return STATUS_PROCEDURE_NOT_FOUND; systemDllInitBlock = LdrSystemDllInitBlock_Import(); if (!systemDllInitBlock) return STATUS_NOT_SUPPORTED; return PhCaptureSystemDllInitBlock(systemDllInitBlock, SystemDllInitBlock); } ================================================ FILE: phlib/maplib.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2019 * */ /* * This file contains functions to load and retrieve information for library/archive files (lib). * The file format for archive files is explained in the PE/COFF specification located at: * * http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx */ #include #include VOID PhpMappedArchiveProbe( _In_ PPH_MAPPED_ARCHIVE MappedArchive, _In_ PVOID Address, _In_ SIZE_T Length ); NTSTATUS PhpGetMappedArchiveMemberFromHeader( _In_ PPH_MAPPED_ARCHIVE MappedArchive, _In_ PIMAGE_ARCHIVE_MEMBER_HEADER Header, _Out_ PPH_MAPPED_ARCHIVE_MEMBER Member ); NTSTATUS PhInitializeMappedArchive( _Out_ PPH_MAPPED_ARCHIVE MappedArchive, _In_ PVOID ViewBase, _In_ SIZE_T Size ) { NTSTATUS status; PVOID start; start = ViewBase; memset(MappedArchive, 0, sizeof(PH_MAPPED_ARCHIVE)); MappedArchive->ViewBase = ViewBase; MappedArchive->Size = Size; __try { // Verify the file signature. PhpMappedArchiveProbe(MappedArchive, start, IMAGE_ARCHIVE_START_SIZE); if (memcmp(start, IMAGE_ARCHIVE_START, IMAGE_ARCHIVE_START_SIZE) != 0) PhRaiseStatus(STATUS_INVALID_IMAGE_FORMAT); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // Get the members. // Note: the names are checked. // First linker member status = PhpGetMappedArchiveMemberFromHeader( MappedArchive, PTR_ADD_OFFSET(start, IMAGE_ARCHIVE_START_SIZE), &MappedArchive->FirstLinkerMember ); if (!NT_SUCCESS(status)) return status; if (MappedArchive->FirstLinkerMember.Type != LinkerArchiveMemberType) return STATUS_INVALID_PARAMETER; MappedArchive->FirstStandardMember = &MappedArchive->FirstLinkerMember; // Second linker member status = PhGetNextMappedArchiveMember( &MappedArchive->FirstLinkerMember, &MappedArchive->SecondLinkerMember ); if (!NT_SUCCESS(status)) return status; if ( MappedArchive->SecondLinkerMember.Type != LinkerArchiveMemberType && MappedArchive->SecondLinkerMember.Type != NormalArchiveMemberType // NormalArchiveMemberType might not be correct here but set by LLVM compiled libs (dmex) ) return STATUS_INVALID_PARAMETER; // Longnames member // This member doesn't seem to be mandatory, contrary to the specification. // So we'll check if it's actually a longnames member, and if not, ignore it. status = PhGetNextMappedArchiveMember( &MappedArchive->SecondLinkerMember, &MappedArchive->LongnamesMember ); if ( NT_SUCCESS(status) && MappedArchive->LongnamesMember.Type == LongnamesArchiveMemberType ) { MappedArchive->HasLongnamesMember = TRUE; MappedArchive->LastStandardMember = &MappedArchive->LongnamesMember; } else { MappedArchive->LastStandardMember = &MappedArchive->SecondLinkerMember; } return STATUS_SUCCESS; } NTSTATUS PhLoadMappedArchive( _In_opt_ PCWSTR FileName, _In_opt_ HANDLE FileHandle, _Out_ PPH_MAPPED_ARCHIVE MappedArchive ) { NTSTATUS status; status = PhMapViewOfEntireFile( FileName, FileHandle, &MappedArchive->ViewBase, &MappedArchive->Size ); if (NT_SUCCESS(status)) { status = PhInitializeMappedArchive( MappedArchive, MappedArchive->ViewBase, MappedArchive->Size ); if (!NT_SUCCESS(status)) { PhUnloadMappedArchive(MappedArchive); } } return status; } NTSTATUS PhUnloadMappedArchive( _Inout_ PPH_MAPPED_ARCHIVE MappedArchive ) { if (MappedArchive->ViewBase) { PhUnmapViewOfSection(NtCurrentProcess(), MappedArchive->ViewBase); MappedArchive->ViewBase = NULL; } return STATUS_SUCCESS; } VOID PhpMappedArchiveProbe( _In_ PPH_MAPPED_ARCHIVE MappedArchive, _In_ PVOID Address, _In_ SIZE_T Length ) { PhProbeAddress(Address, Length, MappedArchive->ViewBase, MappedArchive->Size, 1); } /** * Gets the next archive member. * * \param Member An archive member structure. * \param NextMember A variable which receives a structure describing the next archive member. This * pointer may be the same as the pointer specified in \a Member. */ NTSTATUS PhGetNextMappedArchiveMember( _In_ PPH_MAPPED_ARCHIVE_MEMBER Member, _Out_ PPH_MAPPED_ARCHIVE_MEMBER NextMember ) { PIMAGE_ARCHIVE_MEMBER_HEADER nextHeader; nextHeader = (PIMAGE_ARCHIVE_MEMBER_HEADER)PTR_ADD_OFFSET( Member->Data, Member->Size ); // 2 byte alignment. if ((ULONG_PTR)nextHeader & 0x1) nextHeader = (PIMAGE_ARCHIVE_MEMBER_HEADER)PTR_ADD_OFFSET(nextHeader, 1); return PhpGetMappedArchiveMemberFromHeader( Member->MappedArchive, nextHeader, NextMember ); } NTSTATUS PhpGetMappedArchiveMemberFromHeader( _In_ PPH_MAPPED_ARCHIVE MappedArchive, _In_ PIMAGE_ARCHIVE_MEMBER_HEADER Header, _Out_ PPH_MAPPED_ARCHIVE_MEMBER Member ) { WCHAR integerString[11]; ULONG64 size; PH_STRINGREF string; PWSTR digit; PSTR slash; if ((ULONG_PTR)Header >= (ULONG_PTR)MappedArchive->ViewBase + MappedArchive->Size) return STATUS_NO_MORE_ENTRIES; __try { PhpMappedArchiveProbe(MappedArchive, Header, sizeof(IMAGE_ARCHIVE_MEMBER_HEADER)); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } Member->MappedArchive = MappedArchive; Member->Header = Header; Member->Data = PTR_ADD_OFFSET(Header, sizeof(IMAGE_ARCHIVE_MEMBER_HEADER)); Member->Type = NormalArchiveMemberType; // Read the size string, terminate it after the last digit and parse it. if (!NT_SUCCESS(PhCopyStringZFromBytes(Header->Size, 10, integerString, 11, NULL))) return STATUS_INVALID_PARAMETER; string.Buffer = integerString; string.Length = 0; digit = string.Buffer; while (iswdigit(*digit++)) string.Length += sizeof(WCHAR); if (!PhStringToInteger64(&string, 10, &size)) return STATUS_INVALID_PARAMETER; Member->Size = (ULONG)size; __try { PhpMappedArchiveProbe(MappedArchive, Member->Data, Member->Size); } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // Parse the name. if (!NT_SUCCESS(PhCopyBytesZ(Header->Name, 16, Member->NameBuffer, 20, NULL))) return STATUS_INVALID_PARAMETER; Member->Name = Member->NameBuffer; slash = strchr(Member->NameBuffer, '/'); if (!slash) return STATUS_INVALID_PARAMETER; // Special names: // * If the slash is the first character, then this is a linker member. // * If there is a slash after the slash which is a first character, then this is the longnames // member. // * If there are digits after the slash, then the real name is stored in the longnames member. if (slash == Member->NameBuffer) { if (Member->NameBuffer[1] == '/') { // Longnames member. Set the name to "/". Member->NameBuffer[0] = '/'; Member->NameBuffer[1] = ANSI_NULL; Member->Type = LongnamesArchiveMemberType; } else { // Linker member. Set the name to "". Member->NameBuffer[0] = ANSI_NULL; Member->Type = LinkerArchiveMemberType; } } else { if (isdigit(slash[1])) { PSTR digita; ULONG64 offset64; ULONG offset; // The name is stored in the longnames member. // Note: we make sure we have the longnames member first. if (!MappedArchive->LongnamesMember.Header) return STATUS_INVALID_PARAMETER; // Find the last digit and null terminate the string there. digita = slash + 2; while (isdigit(*digita)) digita++; *digita = 0; // Parse the offset and make sure it lies within the longnames member. if (!NT_SUCCESS(PhCopyStringZFromBytes(slash + 1, -1, integerString, 11, NULL))) return STATUS_INVALID_PARAMETER; PhInitializeStringRefLongHint(&string, integerString); if (!PhStringToUInt64(&string, 10, &offset64)) return STATUS_INVALID_PARAMETER; offset = (ULONG)offset64; if (offset >= MappedArchive->LongnamesMember.Size) return STATUS_INVALID_PARAMETER; // TODO: Probe the name. Member->Name = PTR_ADD_OFFSET(MappedArchive->LongnamesMember.Data, offset); } else { // Null terminate the string. slash[0] = 0; } } return STATUS_SUCCESS; } BOOLEAN PhIsMappedArchiveMemberShortFormat( _In_ PPH_MAPPED_ARCHIVE_MEMBER Member ) { PIMAGE_FILE_HEADER header; header = (PIMAGE_FILE_HEADER)Member->Data; return header->Machine != IMAGE_FILE_MACHINE_UNKNOWN; } NTSTATUS PhGetMappedArchiveImportEntry( _In_ PPH_MAPPED_ARCHIVE_MEMBER Member, _Out_ PPH_MAPPED_ARCHIVE_IMPORT_ENTRY Entry ) { IMPORT_OBJECT_HEADER *importHeader; importHeader = (IMPORT_OBJECT_HEADER *)Member->Data; if ( importHeader->Sig1 != IMAGE_FILE_MACHINE_UNKNOWN || importHeader->Sig2 != IMPORT_OBJECT_HDR_SIG2 ) return STATUS_INVALID_PARAMETER; Entry->Type = (BYTE)importHeader->Type; Entry->NameType = (BYTE)importHeader->NameType; Entry->Machine = importHeader->Machine; // TODO: Probe the name. Entry->Name = PTR_ADD_OFFSET(importHeader, sizeof(IMPORT_OBJECT_HEADER)); Entry->DllName = PTR_ADD_OFFSET(Entry->Name, strlen(Entry->Name) + 1); // Ordinal/NameHint are union'ed, so these statements are exactly the same. // It's there in case this changes in the future. if (Entry->NameType == IMPORT_OBJECT_ORDINAL) { Entry->Ordinal = importHeader->Ordinal; } else { Entry->NameHint = importHeader->Hint; } return STATUS_SUCCESS; } ================================================ FILE: phlib/native.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include #include #include #define PH_DEVICE_PREFIX_LENGTH 64 #define PH_DEVICE_MUP_PREFIX_MAX_COUNT 16 static PH_INITONCE PhDevicePrefixesInitOnce = PH_INITONCE_INIT; static UNICODE_STRING PhDevicePrefixes[26]; static PH_QUEUED_LOCK PhDevicePrefixesLock = PH_QUEUED_LOCK_INIT; static PPH_STRING PhDeviceMupPrefixes[PH_DEVICE_MUP_PREFIX_MAX_COUNT] = { 0 }; static ULONG PhDeviceMupPrefixesCount = 0; static PH_QUEUED_LOCK PhDeviceMupPrefixesLock = PH_QUEUED_LOCK_INIT; /** * Retrieves a copy of an object's security descriptor. * * \param Handle A handle to the object whose security descriptor is to be queried. * \param SecurityInformation The type of security information to be queried. * \param SecurityDescriptor A copy of the specified security descriptor in self-relative format. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetObjectSecurity( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ) { NTSTATUS status; ULONG bufferSize; PVOID buffer; bufferSize = 0x100; buffer = PhAllocate(bufferSize); // This is required (especially for File objects) because some drivers don't seem to handle // QuerySecurity properly. (wj32) memset(buffer, 0, bufferSize); status = NtQuerySecurityObject( Handle, SecurityInformation, buffer, bufferSize, &bufferSize ); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); memset(buffer, 0, bufferSize); status = NtQuerySecurityObject( Handle, SecurityInformation, buffer, bufferSize, &bufferSize ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *SecurityDescriptor = (PSECURITY_DESCRIPTOR)buffer; return status; } /** * Sets an object's security descriptor. * * \param Handle A handle to the object whose security descriptor is to be set. * \param SecurityInformation The type of security information to be set. * \param SecurityDescriptor The security descriptor in self-relative format. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetObjectSecurity( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { return NtSetSecurityObject( Handle, SecurityInformation, SecurityDescriptor ); } /** * Merges two SACLs according to the provided security information. * The function preserves ACEs not covered by the change from the lower SACL and replaces other * ACEs with the ones from the higher SACL. * * Example: * - A lower SACL containing two ACEs: a trust label and a mandatory label. * - A higher SACL containing one ACE: a trust label. * - Security information specifies PROCESS_TRUST_LABEL_SECURITY_INFORMATION. * Result: a SACL with the trust label from the higher SACL and the mandatory label from the lower SACL. * * \param LowerSacl An existing SACL with potentially mixed ACE types. * \param HigherSacl An overlaying SACL for the specified security information. * \param SecurityInformation The type of security information to be set. * \param MergedSacl The new merged SACL. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhMergeSystemAcls( _In_opt_ PACL LowerSacl, _In_opt_ PACL HigherSacl, _In_ SECURITY_INFORMATION SecurityInformation, _Outptr_result_maybenull_ PACL* MergedSacl ) { NTSTATUS status; ULONG aceTypesToReplace = 0; ULONG requiredSize = 0; PACL mergedSacl; PACE_HEADER mergedAce; if (!LowerSacl && !HigherSacl) { // Nothing to merge *MergedSacl = NULL; return STATUS_SUCCESS; } if (LowerSacl && (LowerSacl->AclRevision < MIN_ACL_REVISION || LowerSacl->AclRevision > MAX_ACL_REVISION)) return STATUS_UNKNOWN_REVISION; if (HigherSacl && (HigherSacl->AclRevision < MIN_ACL_REVISION || HigherSacl->AclRevision > MAX_ACL_REVISION)) return STATUS_UNKNOWN_REVISION; // Identify which types of ACEs we want to keep from the lower SACL and // which to replace with the ones from the higher SACL if (FlagOn(SecurityInformation, SACL_SECURITY_INFORMATION)) aceTypesToReplace |= AUDIT_ALARM_ACE_TYPE_MASK; if (FlagOn(SecurityInformation, LABEL_SECURITY_INFORMATION)) aceTypesToReplace |= MANDATORY_LABEL_ACE_TYPE_MASK; if (FlagOn(SecurityInformation, ATTRIBUTE_SECURITY_INFORMATION)) aceTypesToReplace |= RESOURCE_ATTRIBUTE_ACE_TYPE_MASK; if (FlagOn(SecurityInformation, SCOPE_SECURITY_INFORMATION)) aceTypesToReplace |= SCOPED_POLICY_ACE_TYPE_MASK; if (FlagOn(SecurityInformation, PROCESS_TRUST_LABEL_SECURITY_INFORMATION)) aceTypesToReplace |= PROCESS_TRUST_ACE_TYPE_MASK; if (FlagOn(SecurityInformation, ACCESS_FILTER_SECURITY_INFORMATION)) aceTypesToReplace |= ACCESS_FILTER_ACE_TYPE_MASK; // Calculate the size of ACEs to keep from the lower SACL if (LowerSacl && !HigherSacl && aceTypesToReplace == 0) { if (LowerSacl->AclSize > USHORT_MAX) return STATUS_INVALID_PARAMETER; mergedSacl = (PACL)PhAllocate(LowerSacl->AclSize); RtlCopyMemory(mergedSacl, LowerSacl, LowerSacl->AclSize); *MergedSacl = mergedSacl; return STATUS_SUCCESS; } // Helper macro to walk the ACL. (dmex) #define START_FOR_EACH_ACE(_ACL_, _ACE_) \ if (_ACL_) \ { \ PVOID _end = PTR_ADD_OFFSET((_ACL_), (_ACL_)->AclSize); \ PACE_HEADER _ACE_ = (PACE_HEADER)PTR_ADD_OFFSET((_ACL_), sizeof(ACL)); \ for (USHORT _i = 0; _i < (_ACL_)->AceCount; _i++, _ACE_ = (PACE_HEADER)PTR_ADD_OFFSET(_ACE_, _ACE_->AceSize)) \ { \ if ((ULONG_PTR)_ACE_ >= (ULONG_PTR)_end) \ return STATUS_UNSUCCESSFUL; /* malformed */ \ if (_ACE_->AceSize < sizeof(ACE_HEADER) || PTR_ADD_OFFSET(_ACE_, _ACE_->AceSize) > _end) \ return STATUS_UNSUCCESSFUL; /* malformed */ #define END_FOR_EACH_ACE } } // Calculate required payload size (sum of selected ACE sizes). if (LowerSacl) { START_FOR_EACH_ACE(LowerSacl, ace) { ULONG bit = ace->AceType < 32 ? (1u << ace->AceType) : 0; if (!FlagOn(bit, aceTypesToReplace)) { requiredSize += ace->AceSize; } } END_FOR_EACH_ACE } // Calculate the size of ACEs to use from the higher SACL if (HigherSacl) { START_FOR_EACH_ACE(HigherSacl, ace) { ULONG bit = ace->AceType < 32 ? (1u << ace->AceType) : 0; if (FlagOn(bit, aceTypesToReplace)) { requiredSize += ace->AceSize; } } END_FOR_EACH_ACE } // Allocate new ACL (header + aligned payload). requiredSize = sizeof(ACL) + ALIGN_UP_BY(requiredSize, sizeof(ULONG)); if (requiredSize > USHORT_MAX) return STATUS_INVALID_PARAMETER; mergedSacl = (PACL)PhAllocate(requiredSize); mergedAce = (PACE_HEADER)PTR_ADD_OFFSET(mergedSacl, sizeof(ACL)); status = PhCreateAcl(mergedSacl, requiredSize, ACL_REVISION); if (!NT_SUCCESS(status)) { PhFree(mergedSacl); return status; } // Add the lower SACL ACEs we keep if (LowerSacl) { START_FOR_EACH_ACE(LowerSacl, ace) { ULONG bit = ace->AceType < 32 ? (1u << ace->AceType) : 0; if (!(bit & aceTypesToReplace)) { RtlCopyMemory(mergedAce, ace, ace->AceSize); mergedSacl->AceCount++; PhEnsureAclRevision((PULONG_PTR)&mergedSacl->AclRevision, mergedAce->AceType); mergedAce = (PACE_HEADER)PTR_ADD_OFFSET(mergedAce, mergedAce->AceSize); } } END_FOR_EACH_ACE } // Add the higher SACL ACEs if (HigherSacl) { START_FOR_EACH_ACE(HigherSacl, ace) { ULONG bit = ace->AceType < 32 ? (1u << ace->AceType) : 0; if (bit & aceTypesToReplace) { RtlCopyMemory(mergedAce, ace, ace->AceSize); mergedSacl->AceCount++; PhEnsureAclRevision((PULONG_PTR)&mergedSacl->AclRevision, mergedAce->AceType); mergedAce = (PACE_HEADER)PTR_ADD_OFFSET(mergedAce, mergedAce->AceSize); } } END_FOR_EACH_ACE } #undef START_FOR_EACH_ACE #undef END_FOR_EACH_ACE *MergedSacl = mergedSacl; return STATUS_SUCCESS; } /** * Merges two security descriptors according to the provided security information. * The function preserves parts not covered by the change from the lower security descriptor and * replaces other parts with the ones from the higher security descriptor. * * Example: * - A lower security descriptor containing a DACL, an owner, and a SACL with a trust label. * - A higher security descriptor containing a DACL, and a SACL with a mandatory label. * - Security information specifies DACL_SECURITY_INFORMATION and LABEL_SECURITY_INFORMATION. * Result: a security descriptor with the higher DACL, the lower owner, and a merged SACL with * the lower trust label and the higher mandatory label. * * \param LowerSecurityDescriptor An existing security descriptor. * \param HigherSecurityDescriptor An overlaying security descriptor for the specified security information. * \param SecurityInformation The type of security information to be set. * \param MergedSecurityDescriptor The new merged security descriptor. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhMergeSecurityDescriptors( _In_ PSECURITY_DESCRIPTOR LowerSecurityDescriptor, _In_ PSECURITY_DESCRIPTOR HigherSecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _Outptr_ PSECURITY_DESCRIPTOR* MergedSecurityDescriptor ) { NTSTATUS status; SECURITY_DESCRIPTOR mergedSecurityDescriptor; PACL acl; PSID sid; BOOLEAN present; BOOLEAN defaulted; PACL higherSacl; PACL lowerSacl; PACL mergedSacl = NULL; PSECURITY_DESCRIPTOR relativeSecurityDescriptor = NULL; ULONG requiredLength = 0; status = PhCreateSecurityDescriptor(&mergedSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); if (!NT_SUCCESS(status)) return status; // Choose the DACL status = PhGetDaclSecurityDescriptor( (SecurityInformation & DACL_SECURITY_INFORMATION) ? HigherSecurityDescriptor : LowerSecurityDescriptor, &present, &acl, &defaulted ); if (!NT_SUCCESS(status)) return status; status = PhSetDaclSecurityDescriptor( &mergedSecurityDescriptor, present, acl, defaulted ); if (!NT_SUCCESS(status)) return status; // Choose the owner status = PhGetOwnerSecurityDescriptor( (SecurityInformation & OWNER_SECURITY_INFORMATION) ? HigherSecurityDescriptor : LowerSecurityDescriptor, &sid, &defaulted ); if (!NT_SUCCESS(status)) return status; if (!sid) return STATUS_INVALID_OWNER; status = PhSetOwnerSecurityDescriptor( &mergedSecurityDescriptor, sid, defaulted ); if (!NT_SUCCESS(status)) return status; // Choose the primary group status = PhGetGroupSecurityDescriptor( (SecurityInformation & GROUP_SECURITY_INFORMATION) ? HigherSecurityDescriptor : LowerSecurityDescriptor, &sid, &defaulted ); if (!NT_SUCCESS(status)) return status; if (!sid) return STATUS_INVALID_PRIMARY_GROUP; status = PhSetGroupSecurityDescriptor( &mergedSecurityDescriptor, sid, defaulted ); if (!NT_SUCCESS(status)) return status; // Collect both SACLs status = PhGetSaclSecurityDescriptor( LowerSecurityDescriptor, &present, &lowerSacl, &defaulted ); if (!NT_SUCCESS(status)) return status; if (!present) lowerSacl = NULL; status = PhGetSaclSecurityDescriptor( HigherSecurityDescriptor, &present, &higherSacl, &defaulted ); if (!NT_SUCCESS(status)) return status; if (!present) higherSacl = NULL; // Merge SACLs and apply status = PhMergeSystemAcls( lowerSacl, higherSacl, SecurityInformation, &mergedSacl ); if (!NT_SUCCESS(status)) return status; status = PhSetSaclSecurityDescriptor( &mergedSecurityDescriptor, !!mergedSacl, mergedSacl, FALSE ); if (!NT_SUCCESS(status)) goto CleanupExit; // Make the buffer self-relative status = RtlAbsoluteToSelfRelativeSD( &mergedSecurityDescriptor, NULL, &requiredLength ); if (status != STATUS_BUFFER_TOO_SMALL) { status = STATUS_INVALID_SECURITY_DESCR; goto CleanupExit; } relativeSecurityDescriptor = PhAllocate(requiredLength); status = RtlAbsoluteToSelfRelativeSD( &mergedSecurityDescriptor, relativeSecurityDescriptor, &requiredLength ); if (!NT_SUCCESS(status)) goto CleanupExit; *MergedSecurityDescriptor = relativeSecurityDescriptor; relativeSecurityDescriptor = NULL; CleanupExit: if (mergedSacl) PhFree(mergedSacl); if (relativeSecurityDescriptor) PhFree(relativeSecurityDescriptor); return status; } /** * Retrieves the next environment variable from a process environment block. * * \param Environment The environment block. * \param EnvironmentLength The length of the environment block, in bytes. * \param EnumerationKey A pointer to an index variable used for enumeration. * \param Variable A pointer to a structure that receives the variable. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumProcessEnvironmentVariables( _In_ PVOID Environment, _In_ ULONG EnvironmentLength, _Inout_ PULONG EnumerationKey, _Out_ PPH_ENVIRONMENT_VARIABLE Variable ) { ULONG length; ULONG startIndex; PWCHAR name; ULONG nameLength; PWCHAR value; ULONG valueLength; PWCHAR currentChar; ULONG currentIndex; length = EnvironmentLength / sizeof(WCHAR); currentIndex = *EnumerationKey; currentChar = PTR_ADD_OFFSET(Environment, currentIndex * sizeof(WCHAR)); startIndex = currentIndex; name = currentChar; // Find the end of the name. while (TRUE) { if (currentIndex >= length) return STATUS_UNSUCCESSFUL; if (*currentChar == L'=' && startIndex != currentIndex) break; // equality sign is considered as a delimiter unless it is the first character (diversenok) if (*currentChar == UNICODE_NULL) return STATUS_UNSUCCESSFUL; // no more variables currentIndex++; currentChar++; } nameLength = currentIndex - startIndex; currentIndex++; currentChar++; startIndex = currentIndex; value = currentChar; // Find the end of the value. while (TRUE) { if (currentIndex >= length) return STATUS_UNSUCCESSFUL; if (*currentChar == UNICODE_NULL) break; currentIndex++; currentChar++; } valueLength = currentIndex - startIndex; currentIndex++; *EnumerationKey = currentIndex; Variable->Name.Buffer = name; Variable->Name.Length = nameLength * sizeof(WCHAR); Variable->Value.Buffer = value; Variable->Value.Length = valueLength * sizeof(WCHAR); return STATUS_SUCCESS; } /** * Queries an environment variable as a string reference. * * \param Environment The environment block. * \param Name The name of the variable. * \param Value A pointer to a string reference that receives the value. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryEnvironmentVariableStringRef( _In_opt_ PVOID Environment, _In_ PCPH_STRINGREF Name, _Inout_opt_ PPH_STRINGREF Value ) { NTSTATUS status; SIZE_T returnLength; status = RtlQueryEnvironmentVariable( Environment, Name->Buffer, Name->Length / sizeof(WCHAR), Value ? Value->Buffer : NULL, Value ? Value->Length / sizeof(WCHAR) : 0, &returnLength ); if (Value && NT_SUCCESS(status)) { Value->Length = returnLength * sizeof(WCHAR); } return status; } /** * Queries an environment variable. * * \param Environment The environment block. * \param Name The name of the variable. * \param Value A pointer to a string that receives the value. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryEnvironmentVariable( _In_opt_ PVOID Environment, _In_ PCPH_STRINGREF Name, _Out_opt_ PPH_STRING* Value ) { #ifdef PHNT_UNICODESTRING_ENVIRONMENTVARIABLE NTSTATUS status; UNICODE_STRING variableName; UNICODE_STRING variableValue; if (!PhStringRefToUnicodeString(Name, &variableName)) return STATUS_NAME_TOO_LONG; if (Value) { variableValue.Length = 0x100 * sizeof(WCHAR); variableValue.MaximumLength = variableValue.Length + sizeof(UNICODE_NULL); variableValue.Buffer = PhAllocate(variableValue.MaximumLength); } else { RtlInitEmptyUnicodeString(&variableValue, NULL, 0); } status = RtlQueryEnvironmentVariable_U( Environment, &variableName, &variableValue ); if (Value && status == STATUS_BUFFER_TOO_SMALL) { if (variableValue.Length + sizeof(UNICODE_NULL) > UNICODE_STRING_MAX_BYTES) variableValue.MaximumLength = variableValue.Length; else variableValue.MaximumLength = variableValue.Length + sizeof(UNICODE_NULL); PhFree(variableValue.Buffer); variableValue.Buffer = PhAllocate(variableValue.MaximumLength); status = RtlQueryEnvironmentVariable_U( Environment, &variableName, &variableValue ); } if (Value && NT_SUCCESS(status)) { *Value = PhCreateStringFromUnicodeString(&variableValue); } if (Value && variableValue.Buffer) { PhFree(variableValue.Buffer); } return status; #else NTSTATUS status; PPH_STRING buffer; SIZE_T returnLength; status = RtlQueryEnvironmentVariable( Environment, Name->Buffer, Name->Length / sizeof(WCHAR), NULL, 0, &returnLength ); if (Value && status == STATUS_BUFFER_TOO_SMALL) { buffer = PhCreateStringEx(NULL, returnLength * sizeof(WCHAR)); status = RtlQueryEnvironmentVariable( Environment, Name->Buffer, Name->Length / sizeof(WCHAR), buffer->Buffer, buffer->Length / sizeof(WCHAR), &returnLength ); if (NT_SUCCESS(status)) { buffer->Length = returnLength * sizeof(WCHAR); *Value = buffer; } else { PhDereferenceObject(buffer); } } else { if (Value) *Value = NULL; } return status; #endif } /** * Sets an environment variable. * * \param Environment The environment block. * \param Name The name of the variable. * \param Value The value to set, or NULL to delete the variable. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetEnvironmentVariable( _In_opt_ PVOID Environment, _In_ PCPH_STRINGREF Name, _In_opt_ PCPH_STRINGREF Value ) { NTSTATUS status; UNICODE_STRING variableName; UNICODE_STRING variableValue; if (!PhStringRefToUnicodeString(Name, &variableName)) return STATUS_NAME_TOO_LONG; if (Value) { if (!PhStringRefToUnicodeString(Value, &variableValue)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&variableValue, NULL, 0); } status = RtlSetEnvironmentVariable( Environment, &variableName, &variableValue ); return status; } /** * Retrieves the file name for a mapped section in a process. * * \param SectionHandle The section handle. * \param ProcessHandle The process handle. * \param FileName A pointer to a string that receives the file name. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessSectionFileName( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName ) { NTSTATUS status; PVOID baseAddress; SIZE_T viewSize; baseAddress = NULL; viewSize = PAGE_SIZE; status = PhMapViewOfSection( SectionHandle, ProcessHandle, &baseAddress, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY ); if (!NT_SUCCESS(status)) return status; status = PhGetProcessMappedFileName( ProcessHandle, baseAddress, FileName ); PhUnmapViewOfSection(ProcessHandle, baseAddress); return status; } /** * Retrieves the list of unloaded DLLs for a process. * * \param ProcessId The process ID. * \param EventTrace A pointer to the event trace buffer. * \param EventTraceSize The size of each event trace element. * \param EventTraceCount The number of event trace elements. */ NTSTATUS PhGetProcessUnloadedDlls( _In_ HANDLE ProcessId, _Out_ PVOID *EventTrace, _Out_ ULONG *EventTraceSize, _Out_ ULONG *EventTraceCount ) { NTSTATUS status; PULONG elementSize; PULONG elementCount; PVOID eventTrace; HANDLE processHandle = NULL; SIZE_T eventTraceSize; ULONG capturedElementSize = 0; ULONG capturedElementCount = 0; PVOID capturedEventTracePointer; PVOID capturedEventTrace = NULL; RtlGetUnloadEventTraceEx(&elementSize, &elementCount, &eventTrace); if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_VM_READ, ProcessId))) goto CleanupExit; // We have the pointers for the unload event trace information. // Since ntdll is loaded at the same base address across all processes, // we can read the information in. if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, elementSize, &capturedElementSize, sizeof(ULONG), NULL ))) goto CleanupExit; if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, elementCount, &capturedElementCount, sizeof(ULONG), NULL ))) goto CleanupExit; if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, eventTrace, &capturedEventTracePointer, sizeof(PVOID), NULL ))) goto CleanupExit; if (!capturedEventTracePointer) { status = STATUS_NOT_FOUND; // no events goto CleanupExit; } if (capturedElementCount > 0x4000) capturedElementCount = 0x4000; eventTraceSize = capturedElementSize * capturedElementCount; capturedEventTrace = PhAllocateSafe(eventTraceSize); if (!capturedEventTrace) { status = STATUS_NO_MEMORY; goto CleanupExit; } if (!NT_SUCCESS(status = PhReadVirtualMemory( processHandle, capturedEventTracePointer, capturedEventTrace, eventTraceSize, NULL ))) goto CleanupExit; CleanupExit: if (processHandle) NtClose(processHandle); if (NT_SUCCESS(status)) { *EventTrace = capturedEventTrace; *EventTraceSize = capturedElementSize; *EventTraceCount = capturedElementCount; } else { if (capturedEventTrace) PhFree(capturedEventTrace); } return status; } /** * Sends a trace control request. * * \param TraceInformationClass The trace information class. * \param InputBuffer The input buffer. * \param InputBufferLength The length of the input buffer. * \param OutputBuffer The output buffer. * \param OutputBufferLength The length of the output buffer. * \param ReturnLength A pointer to a variable that receives the return length. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhTraceControl( _In_ ETWTRACECONTROLCODE TraceInformationClass, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _Out_ PULONG ReturnLength ) { NTSTATUS status; status = NtTraceControl( TraceInformationClass, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, ReturnLength ); return status; } /** * Sends a trace control request with variable output size. * * \param TraceInformationClass The trace information class. * \param InputBuffer The input buffer. * \param InputBufferLength The length of the input buffer. * \param OutputBuffer A pointer to a buffer that receives the output. * \param OutputBufferLength A pointer to a variable that receives the output buffer length. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhTraceControlVariableSize( _In_ ETWTRACECONTROLCODE TraceInformationClass, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(*OutputBufferLength) PVOID* OutputBuffer, _Out_opt_ PULONG OutputBufferLength ) { NTSTATUS status; PVOID buffer = NULL; ULONG bufferLength = 0; ULONG returnLength = 0; status = NtTraceControl( TraceInformationClass, InputBuffer, InputBufferLength, NULL, 0, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL) { bufferLength = returnLength; buffer = PhAllocate(bufferLength); status = NtTraceControl( TraceInformationClass, InputBuffer, InputBufferLength, buffer, bufferLength, &bufferLength ); } if (NT_SUCCESS(status)) { if (OutputBuffer) *OutputBuffer = buffer; if (OutputBufferLength) *OutputBufferLength = bufferLength; } else { if (buffer) PhFree(buffer); } return status; } /** * Retrieves the client ID associated with the specified window handle. * * \param WindowHandle The handle to the window whose client ID is to be retrieved. * \param ClientId A pointer to a CLIENT_ID structure that receives the process and thread IDs. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetWindowClientId( _In_ HWND WindowHandle, _Out_ PCLIENT_ID ClientId ) { ULONG windowProcessId; ULONG windowThreadId; if (windowThreadId = GetWindowThreadProcessId(WindowHandle, &windowProcessId)) { ClientId->UniqueProcess = UlongToHandle(windowProcessId); ClientId->UniqueThread = UlongToHandle(windowThreadId); return STATUS_SUCCESS; } return STATUS_NOT_FOUND; } typedef struct _OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT { NTSTATUS Status; PVOID BaseAddress; HANDLE DriverHandle; } OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT, *POPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT; _Function_class_(PH_ENUM_DIRECTORY_OBJECTS) NTSTATUS NTAPI PhpOpenDriverByBaseAddressCallback( _In_ HANDLE RootDirectory, _In_ PPH_STRINGREF Name, _In_ PPH_STRINGREF TypeName, _In_ POPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT Context ) { NTSTATUS status; HANDLE driverHandle; UNICODE_STRING driverName; OBJECT_ATTRIBUTES objectAttributes; KPH_DRIVER_BASIC_INFORMATION basicInfo; if (!PhStringRefToUnicodeString(Name, &driverName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &driverName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = KphOpenDriver( &driverHandle, SYNCHRONIZE, &objectAttributes ); if (!NT_SUCCESS(status)) return status; status = KphQueryInformationDriver( driverHandle, KphDriverBasicInformation, &basicInfo, sizeof(KPH_DRIVER_BASIC_INFORMATION), NULL ); if (NT_SUCCESS(status)) { if (basicInfo.DriverStart == Context->BaseAddress) { Context->Status = STATUS_SUCCESS; Context->DriverHandle = driverHandle; return STATUS_SUCCESS; } } NtClose(driverHandle); return status; } /** * Opens a driver object using a base address. * * \param DriverHandle A variable which receives a handle to the driver object. * \param BaseAddress The base address of the driver to open. * \return NTSTATUS Successful or errant status. * \remarks STATUS_OBJECT_NAME_NOT_FOUND is returned if the driver could not be found. */ NTSTATUS PhOpenDriverByBaseAddress( _Out_ PHANDLE DriverHandle, _In_ PVOID BaseAddress ) { NTSTATUS status; HANDLE directoryHandle; UNICODE_STRING objectDirectory; OBJECT_ATTRIBUTES objectAttributes; OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT context; RtlInitUnicodeString(&objectDirectory, L"\\Driver"); InitializeObjectAttributes( &objectAttributes, &objectDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenDirectoryObject( &directoryHandle, DIRECTORY_QUERY, &objectAttributes ); if (!NT_SUCCESS(status)) return status; context.Status = STATUS_OBJECT_NAME_NOT_FOUND; context.BaseAddress = BaseAddress; status = PhEnumDirectoryObjects( directoryHandle, PhpOpenDriverByBaseAddressCallback, &context ); NtClose(directoryHandle); if (NT_SUCCESS(status)) { if (NT_SUCCESS(context.Status)) { *DriverHandle = context.DriverHandle; return STATUS_SUCCESS; } return context.Status; } return status; } /** * Opens a handle to a driver object. * * \param DriverHandle Pointer to a variable that receives the handle to the driver object. * \param DesiredAccess Specifies the desired access rights to the driver object. * \param RootDirectory Optional handle to the root directory for the object name (can be NULL). * \param ObjectName Pointer to a string reference that specifies the name of the driver object. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenDriver( _Out_ PHANDLE DriverHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ) { if (KsiLevel() == KphLevelMax) { UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); return KphOpenDriver( DriverHandle, DesiredAccess, &objectAttributes ); } else { return STATUS_NOT_IMPLEMENTED; } } /** * Queries variable-sized information for a driver. The function allocates a buffer to contain the * information. * * \param DriverHandle A handle to a driver. The access required depends on the information class specified. * \param DriverInformationClass The information class to retrieve. * \param Buffer A variable which receives a pointer to a buffer containing the information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpQueryDriverVariableSize( _In_ HANDLE DriverHandle, _In_ KPH_DRIVER_INFORMATION_CLASS DriverInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; PVOID buffer = NULL; ULONG bufferSize; ULONG returnLength = 0; status = KphQueryInformationDriver( DriverHandle, DriverInformationClass, NULL, 0, &returnLength ); if (NT_SUCCESS(status) && returnLength == 0) { return STATUS_NOT_FOUND; } if (status == STATUS_BUFFER_TOO_SMALL) { bufferSize = returnLength; buffer = PhAllocate(bufferSize); status = KphQueryInformationDriver( DriverHandle, DriverInformationClass, buffer, bufferSize, &returnLength ); } if (NT_SUCCESS(status)) { if (returnLength == 0) { status = STATUS_NOT_FOUND; PhFree(buffer); } else { *Buffer = buffer; } } else { PhFree(buffer); } return status; } /** * Gets the object name of a driver. * * \param DriverHandle A handle to a driver. * \param Name A variable which receives a pointer to a string containing the object name. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetDriverName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *Name ) { NTSTATUS status; PUNICODE_STRING unicodeString; if (!NT_SUCCESS(status = PhpQueryDriverVariableSize( DriverHandle, KphDriverNameInformation, &unicodeString ))) return status; *Name = PhCreateStringFromUnicodeString(unicodeString); PhFree(unicodeString); return status; } /** * Gets the object name of a driver. * * \param DriverHandle A handle to a driver. * \param Name A variable which receives a pointer to a string containing the driver image file name. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetDriverImageFileName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *Name ) { NTSTATUS status; PUNICODE_STRING unicodeString; if (!NT_SUCCESS(status = PhpQueryDriverVariableSize( DriverHandle, KphDriverImageFileNameInformation, &unicodeString ))) return status; *Name = PhCreateStringFromUnicodeString(unicodeString); PhFree(unicodeString); return status; } /** * Gets the service key name of a driver. * * \param DriverHandle A handle to a driver. * \param ServiceKeyName A string containing the service key name. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetDriverServiceKeyName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *ServiceKeyName ) { NTSTATUS status; PUNICODE_STRING unicodeString; if (!NT_SUCCESS(status = PhpQueryDriverVariableSize( DriverHandle, KphDriverServiceKeyNameInformation, &unicodeString ))) return status; *ServiceKeyName = PhCreateStringFromUnicodeString(unicodeString); PhFree(unicodeString); return status; } static NTSTATUS PhpUnloadDriver( _In_ PCPH_STRINGREF ServiceKeyName, _In_ PCPH_STRINGREF DriverFileName ) { static CONST PH_STRINGREF fullServicesKeyName = PH_STRINGREF_INIT(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"); NTSTATUS status; PPH_STRING fullServiceKeyName; UNICODE_STRING fullServiceKeyNameUs; HANDLE serviceKeyHandle; ULONG disposition; fullServiceKeyName = PhConcatStringRef2(&fullServicesKeyName, ServiceKeyName); if (!PhStringRefToUnicodeString(&fullServiceKeyName->sr, &fullServiceKeyNameUs)) { PhDereferenceObject(fullServiceKeyName); return STATUS_NAME_TOO_LONG; } if (NT_SUCCESS(status = PhCreateKey( &serviceKeyHandle, KEY_WRITE | DELETE, NULL, &fullServiceKeyName->sr, 0, 0, &disposition ))) { if (disposition == REG_CREATED_NEW_KEY) { ULONG regValue = 0; // Set up the required values. PhSetValueKeyZ(serviceKeyHandle, L"ErrorControl", REG_DWORD, ®Value, sizeof(ULONG)); PhSetValueKeyZ(serviceKeyHandle, L"Start", REG_DWORD, ®Value, sizeof(ULONG)); PhSetValueKeyZ(serviceKeyHandle, L"Type", REG_DWORD, ®Value, sizeof(ULONG)); PhSetValueKeyZ(serviceKeyHandle, L"ImagePath", REG_SZ, DriverFileName->Buffer, (ULONG)DriverFileName->Length + sizeof(UNICODE_NULL)); } status = NtUnloadDriver(&fullServiceKeyNameUs); if (disposition == REG_CREATED_NEW_KEY) { // We added values, not subkeys, so this function will work correctly. NtDeleteKey(serviceKeyHandle); } NtClose(serviceKeyHandle); } PhDereferenceObject(fullServiceKeyName); return status; } /** * Unloads a driver. * * \param BaseAddress The base address of the driver. This parameter can be NULL if a value is * specified in \c Name. * \param Name The base name of the driver. This parameter can be NULL if a value is specified in * \c BaseAddress and KSystemInformer is loaded. * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER_MIX Both \c BaseAddress and \c Name were null, or \c Name was * not specified and KSystemInformer is not loaded. * \retval STATUS_OBJECT_NAME_NOT_FOUND The driver could not be found. */ NTSTATUS PhUnloadDriver( _In_opt_ PVOID BaseAddress, _In_opt_ PCPH_STRINGREF Name, _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; HANDLE driverHandle; PPH_STRING serviceKeyName = NULL; KPH_LEVEL level; level = KsiLevel(); if (!BaseAddress && !Name) return STATUS_INVALID_PARAMETER_MIX; if (!Name && (level != KphLevelMax)) return STATUS_INVALID_PARAMETER_MIX; // Try to get the service key name by scanning the Driver directory. if ((level == KphLevelMax) && BaseAddress) { if (PhGetOwnTokenAttributes().Elevated) { if (NT_SUCCESS(PhOpenDriverByBaseAddress( &driverHandle, BaseAddress ))) { PhGetDriverServiceKeyName(driverHandle, &serviceKeyName); NtClose(driverHandle); } } } // Use the base name if we didn't get the service key name. if (!serviceKeyName && Name) { PPH_STRING name; name = PhCreateString2(Name); // Remove the extension if it is present. if (PhEndsWithString2(name, L".sys", TRUE)) { serviceKeyName = PhSubstring(name, 0, name->Length / sizeof(WCHAR) - 4); PhDereferenceObject(name); } else { serviceKeyName = name; } } if (!serviceKeyName) return STATUS_OBJECT_NAME_NOT_FOUND; status = PhpUnloadDriver(&serviceKeyName->sr, FileName); PhDereferenceObject(serviceKeyName); return status; } /** * Enumerates the running processes. * * \param Processes A variable which receives a pointer to a buffer containing process information. * You must free the buffer using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. * \remarks You can use the \ref PH_FIRST_PROCESS and \ref PH_NEXT_PROCESS macros to process the * information contained in the buffer. */ NTSTATUS PhEnumProcesses( _Out_ PVOID *Processes ) { return PhEnumProcessesEx(Processes, SystemProcessInformation); } /** * Enumerates the running processes. * * \param Processes A variable which receives a pointer to a buffer containing process information. * You must free the buffer using PhFree() when you no longer need it. * \param SystemInformationClass A variable which indicates the kind of system information to be retrieved. * \return NTSTATUS Successful or errant status. * \remarks You can use the \ref PH_FIRST_PROCESS and \ref PH_NEXT_PROCESS macros to process the * information contained in the buffer. */ NTSTATUS PhEnumProcessesEx( _Out_ PVOID *Processes, _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass ) { static ULONG initialBufferSize[3] = { 0x4000, 0x4000, 0x4000 }; NTSTATUS status; ULONG classIndex; PVOID buffer; ULONG bufferSize; switch (SystemInformationClass) { case SystemProcessInformation: classIndex = 0; break; case SystemExtendedProcessInformation: classIndex = 1; break; case SystemFullProcessInformation: classIndex = 2; break; default: return STATUS_INVALID_INFO_CLASS; } bufferSize = initialBufferSize[classIndex]; buffer = PhAllocateSafe(bufferSize); if (!buffer) return STATUS_NO_MEMORY; while (TRUE) { status = NtQuerySystemInformation( SystemInformationClass, buffer, bufferSize, &bufferSize ); if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); buffer = PhAllocateSafe(bufferSize); if (!buffer) return STATUS_NO_MEMORY; } else { break; } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } if (bufferSize <= 0x100000) initialBufferSize[classIndex] = bufferSize; *Processes = buffer; return status; } /** * Enumerates the threads of a running process. * * \param ProcessId The ID of the process. * \param Callback The callback function to be called for each enumerated thread. * \param Context An optional context parameter to be passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumProcessThreads( _In_ HANDLE ProcessId, _In_ PPH_ENUM_PROCESS_THREADS Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PVOID processes; PSYSTEM_PROCESS_INFORMATION process; status = PhEnumProcesses(&processes); if (!NT_SUCCESS(status)) return status; if (process = PhFindProcessInformation(processes, ProcessId)) { status = Callback( process->NumberOfThreads, process->Threads, Context ); } else { status = STATUS_INVALID_CID; } PhFree(processes); return status; } /** * Enumerates the next process. * * \param ProcessHandle The handle to the current process. Pass NULL to start enumeration from the beginning. * \param DesiredAccess The desired access rights for the process handle. * \param Callback The callback function to be called for each enumerated process. * \param Context An optional context parameter to be passed to the callback function. * \return Returns the status of the enumeration operation. * If the enumeration is successful, it returns STATUS_SUCCESS. * If there are no more processes to enumerate, it returns STATUS_NO_MORE_ENTRIES. * Otherwise, it returns an appropriate NTSTATUS error code. */ NTSTATUS PhEnumNextProcess( _In_opt_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_ENUM_NEXT_PROCESS Callback, _In_opt_ PVOID Context ) { NTSTATUS status; HANDLE processHandle; HANDLE newProcessHandle; status = NtGetNextProcess( ProcessHandle, DesiredAccess, 0, 0, &processHandle ); if (!NT_SUCCESS(status)) return status; while (TRUE) { status = Callback(processHandle, Context); if (status == STATUS_NO_MORE_ENTRIES) break; if (!NT_SUCCESS(status)) { NtClose(processHandle); break; } status = NtGetNextProcess( processHandle, DesiredAccess, 0, 0, &newProcessHandle ); if (NT_SUCCESS(status)) { NtClose(processHandle); processHandle = newProcessHandle; } else { NtClose(processHandle); break; } } if (status == STATUS_NO_MORE_ENTRIES) status = STATUS_SUCCESS; return status; } /** * Enumerates the next thread. * * \param ProcessHandle The handle to the process. * \param ThreadHandle The handle to the current thread. Pass NULL to start enumeration from the beginning. * \param DesiredAccess The desired access rights for the thread handle. * \param Callback The callback function to be called for each enumerated thread. * \param Context An optional context parameter to be passed to the callback function. * \return Returns the status of the enumeration operation. * If the enumeration is successful, it returns STATUS_SUCCESS. * If there are no more threads to enumerate, it returns STATUS_NO_MORE_ENTRIES. * Otherwise, it returns an appropriate NTSTATUS error code. */ NTSTATUS PhEnumNextThread( _In_ HANDLE ProcessHandle, _In_opt_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_ENUM_NEXT_THREAD Callback, _In_opt_ PVOID Context ) { NTSTATUS status; HANDLE threadHandle; HANDLE newThreadHandle; status = NtGetNextThread( ProcessHandle, ThreadHandle, DesiredAccess, 0, 0, &threadHandle ); if (!NT_SUCCESS(status)) return status; while (TRUE) { status = Callback(threadHandle, Context); if (status == STATUS_NO_MORE_ENTRIES) break; if (!NT_SUCCESS(status)) { NtClose(threadHandle); break; } status = NtGetNextThread( ProcessHandle, threadHandle, DesiredAccess, 0, 0, &newThreadHandle ); if (NT_SUCCESS(status)) { NtClose(threadHandle); threadHandle = newThreadHandle; } else { NtClose(threadHandle); break; } } if (status == STATUS_NO_MORE_ENTRIES) status = STATUS_SUCCESS; return status; } /** * Enumerates the running processes for a session. * * \param Processes A variable which receives a pointer to a buffer containing process information. * You must free the buffer using PhFree() when you no longer need it. * \param SessionId A session ID. * \return NTSTATUS Successful or errant status. * \remarks You can use the \ref PH_FIRST_PROCESS and \ref PH_NEXT_PROCESS macros to process the * information contained in the buffer. */ NTSTATUS PhEnumProcessesForSession( _Out_ PVOID *Processes, _In_ ULONG SessionId ) { static ULONG initialBufferSize = 0x4000; NTSTATUS status; SYSTEM_SESSION_PROCESS_INFORMATION sessionProcessInfo; PVOID buffer; ULONG bufferSize; bufferSize = initialBufferSize; buffer = PhAllocate(bufferSize); sessionProcessInfo.SessionId = SessionId; while (TRUE) { sessionProcessInfo.BufferSize = bufferSize; sessionProcessInfo.Buffer = buffer; status = NtQuerySystemInformation( SystemSessionProcessInformation, &sessionProcessInfo, sizeof(SYSTEM_SESSION_PROCESS_INFORMATION), &bufferSize // size of the inner buffer gets returned ); if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { break; } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } if (bufferSize <= 0x100000) initialBufferSize = bufferSize; *Processes = buffer; return status; } /** * Finds the process information structure for a specific process. * * \param Processes A pointer to a buffer returned by PhEnumProcesses(). * \param ProcessId The ID of the process. * \return A pointer to the process information structure for the specified process, or NULL if the * structure could not be found. */ PSYSTEM_PROCESS_INFORMATION PhFindProcessInformation( _In_ PVOID Processes, _In_ HANDLE ProcessId ) { PSYSTEM_PROCESS_INFORMATION process; process = PH_FIRST_PROCESS(Processes); do { if (process->UniqueProcessId == ProcessId) return process; } while (process = PH_NEXT_PROCESS(process)); return NULL; } /** * Finds the process information structure for a specific process. * * \param Processes A pointer to a buffer returned by PhEnumProcesses(). * \param ImageName The image name to search for. * \return A pointer to the process information structure for the specified process, or NULL if the * structure could not be found. */ PSYSTEM_PROCESS_INFORMATION PhFindProcessInformationByImageName( _In_ PVOID Processes, _In_ PCPH_STRINGREF ImageName ) { PSYSTEM_PROCESS_INFORMATION process; PH_STRINGREF processImageName; process = PH_FIRST_PROCESS(Processes); do { PhUnicodeStringToStringRef(&process->ImageName, &processImageName); if (PhEqualStringRef(&processImageName, ImageName, TRUE)) return process; } while (process = PH_NEXT_PROCESS(process)); return NULL; } /** * Enumerates all open handles. * * \param Handles A variable which receives a pointer to a structure containing information about * all opened handles. You must free the structure using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. * \retval STATUS_INSUFFICIENT_RESOURCES The handle information returned by the kernel is too large. */ __declspec(deprecated("The SystemHandleInformation class is deprecated on 64-bit Windows. Use PhEnumHandlesEx instead.")) NTSTATUS PhEnumHandles( _Out_ PSYSTEM_HANDLE_INFORMATION *Handles ) { static ULONG initialBufferSize = 0x10000; NTSTATUS status; PVOID buffer; ULONG bufferSize; bufferSize = initialBufferSize; buffer = PhAllocate(bufferSize); while ((status = NtQuerySystemInformation( SystemHandleInformation, buffer, bufferSize, NULL )) == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; // Fail if we're resizing the buffer to something very large. if (bufferSize > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } if (bufferSize <= 0x200000) initialBufferSize = bufferSize; *Handles = (PSYSTEM_HANDLE_INFORMATION)buffer; return status; } /** * Enumerates all open handles. * * \param Handles A variable which receives a pointer to a structure containing information about * all opened handles. You must free the structure using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. * \retval STATUS_INSUFFICIENT_RESOURCES The handle information returned by the kernel is too large. * \remarks This function is only available starting with Windows XP. */ NTSTATUS PhEnumHandlesEx( _Out_ PSYSTEM_HANDLE_INFORMATION_EX *Handles ) { static ULONG initialBufferSize = 0x10000; NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG returnLength = 0; ULONG attempts = 0; bufferSize = initialBufferSize; buffer = PhAllocate(bufferSize); status = NtQuerySystemInformation( SystemExtendedHandleInformation, buffer, bufferSize, &returnLength ); while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 10) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); status = NtQuerySystemInformation( SystemExtendedHandleInformation, buffer, bufferSize, &returnLength ); attempts++; } if (!NT_SUCCESS(status)) { // Fall back to using the previous code that we've used since Windows XP (dmex) bufferSize = initialBufferSize; buffer = PhAllocate(bufferSize); while ((status = NtQuerySystemInformation( SystemExtendedHandleInformation, buffer, bufferSize, NULL )) == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; // Fail if we're resizing the buffer to something very large. if (bufferSize > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } if (bufferSize <= 0x200000) initialBufferSize = bufferSize; *Handles = (PSYSTEM_HANDLE_INFORMATION_EX)buffer; return status; } /** * Enumerates all open handles. * * \param ProcessHandle A handle to the process. The handle must have PROCESS_QUERY_INFORMATION access. * \param Handles A variable which receives a pointer to a structure containing information about * handles opened by the process. You must free the structure using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. * \retval STATUS_INSUFFICIENT_RESOURCES The handle information returned by the kernel is too large. * \remarks This function is only available starting with Windows 8. */ NTSTATUS PhEnumProcessHandles( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_HANDLE_SNAPSHOT_INFORMATION *Handles ) { NTSTATUS status; PPROCESS_HANDLE_SNAPSHOT_INFORMATION buffer; ULONG bufferSize; ULONG returnLength = 0; ULONG attempts = 0; bufferSize = 0x8000; buffer = PhAllocatePage(bufferSize, NULL); if (!buffer) return STATUS_NO_MEMORY; buffer->NumberOfHandles = 0; status = NtQueryInformationProcess( ProcessHandle, ProcessHandleInformation, buffer, bufferSize, &returnLength ); while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { PhFreePage(buffer); bufferSize = returnLength; buffer = PhAllocatePage(bufferSize, NULL); if (!buffer) return STATUS_NO_MEMORY; buffer->NumberOfHandles = 0; status = NtQueryInformationProcess( ProcessHandle, ProcessHandleInformation, buffer, bufferSize, &returnLength ); attempts++; } if (NT_SUCCESS(status)) { // NOTE: This is needed to workaround minimal processes on Windows 10 // returning STATUS_SUCCESS with invalid handle data. (dmex) // NOTE: 21H1 and above no longer set NumberOfHandles to zero before returning // STATUS_SUCCESS so we first zero the entire buffer using PhAllocateZero. (dmex) if (buffer->NumberOfHandles == 0) { status = STATUS_UNSUCCESSFUL; PhFreePage(buffer); } else { *Handles = buffer; } } else { PhFreePage(buffer); } return status; } /** * Enumerates all handles in a process. * * \param ProcessId The ID of the process. * \param ProcessHandle A handle to the process. * \param EnableHandleSnapshot TRUE to return a snapshot of the process handles. * \param Handles A variable which receives a pointer to a buffer containing * information about the handles. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumHandlesGeneric( _In_ HANDLE ProcessId, _In_ HANDLE ProcessHandle, _In_ BOOLEAN EnableHandleSnapshot, _Out_ PSYSTEM_HANDLE_INFORMATION_EX *Handles ) { NTSTATUS status = STATUS_UNSUCCESSFUL; // There are three ways of enumerating handles: // * On Windows 8 and later, NtQueryInformationProcess with ProcessHandleInformation is the most efficient method. // * On Windows XP and later, NtQuerySystemInformation with SystemExtendedHandleInformation. // * Otherwise, NtQuerySystemInformation with SystemHandleInformation can be used. if ((KsiLevel() >= KphLevelMed) && ProcessHandle) { PKPH_PROCESS_HANDLE_INFORMATION handles; PSYSTEM_HANDLE_INFORMATION_EX convertedHandles; ULONG i; // Enumerate handles using KSystemInformer. Unlike with NtQuerySystemInformation, // this only enumerates handles for a single process and saves a lot of processing. if (NT_SUCCESS(status = KsiEnumerateProcessHandles(ProcessHandle, &handles))) { convertedHandles = PhAllocate(UFIELD_OFFSET(SYSTEM_HANDLE_INFORMATION_EX, Handles[handles->HandleCount])); convertedHandles->NumberOfHandles = handles->HandleCount; for (i = 0; i < handles->HandleCount; i++) { PKPH_PROCESS_HANDLE handle = &handles->Handles[i]; convertedHandles->Handles[i].Object = handle->Object; convertedHandles->Handles[i].UniqueProcessId = ProcessId; convertedHandles->Handles[i].HandleValue = handle->Handle; convertedHandles->Handles[i].GrantedAccess = handle->GrantedAccess; convertedHandles->Handles[i].CreatorBackTraceIndex = 0; convertedHandles->Handles[i].ObjectTypeIndex = handle->ObjectTypeIndex; convertedHandles->Handles[i].HandleAttributes = handle->HandleAttributes; } PhFree(handles); *Handles = convertedHandles; } } if (!NT_SUCCESS(status) && WindowsVersion >= WINDOWS_8 && ProcessHandle && EnableHandleSnapshot) { PPROCESS_HANDLE_SNAPSHOT_INFORMATION handles; PSYSTEM_HANDLE_INFORMATION_EX convertedHandles; ULONG i; if (NT_SUCCESS(status = PhEnumProcessHandles(ProcessHandle, &handles))) { convertedHandles = PhAllocate(UFIELD_OFFSET(SYSTEM_HANDLE_INFORMATION_EX, Handles[handles->NumberOfHandles])); convertedHandles->NumberOfHandles = handles->NumberOfHandles; for (i = 0; i < handles->NumberOfHandles; i++) { PPROCESS_HANDLE_TABLE_ENTRY_INFO handle = &handles->Handles[i]; convertedHandles->Handles[i].Object = NULL; convertedHandles->Handles[i].UniqueProcessId = ProcessId; convertedHandles->Handles[i].HandleValue = handle->HandleValue; convertedHandles->Handles[i].GrantedAccess = handle->GrantedAccess; convertedHandles->Handles[i].CreatorBackTraceIndex = 0; convertedHandles->Handles[i].ObjectTypeIndex = (USHORT)handle->ObjectTypeIndex; convertedHandles->Handles[i].HandleAttributes = handle->HandleAttributes; } PhFreePage(handles); *Handles = convertedHandles; } } if (!NT_SUCCESS(status)) { PSYSTEM_HANDLE_INFORMATION_EX handles; PSYSTEM_HANDLE_INFORMATION_EX convertedHandles; ULONG i, numberOfHandles = 0; ULONG firstIndex = 0, lastIndex = 0; if (NT_SUCCESS(status = PhEnumHandlesEx(&handles))) { for (i = 0; i < handles->NumberOfHandles; i++) { PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle = &handles->Handles[i]; if (handle->UniqueProcessId == ProcessId) { if (numberOfHandles == 0) firstIndex = i; lastIndex = i; numberOfHandles++; } } if (numberOfHandles) { convertedHandles = PhAllocate(UFIELD_OFFSET(SYSTEM_HANDLE_INFORMATION_EX, Handles[numberOfHandles])); convertedHandles->NumberOfHandles = numberOfHandles; if (lastIndex == firstIndex + numberOfHandles - 1) // consecutive { memcpy( &convertedHandles->Handles[0], &handles->Handles[firstIndex], numberOfHandles * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX) ); *Handles = convertedHandles; } else { ULONG j = 0; for (i = firstIndex; i <= lastIndex; i++) { PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle = &handles->Handles[i]; if (handle->UniqueProcessId == ProcessId) { memcpy(&convertedHandles->Handles[j++], handle, sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)); } } *Handles = convertedHandles; } } else { status = STATUS_NOT_FOUND; } PhFree(handles); } return status; } return status; } /** * Enumerates all pagefiles. * * \param Pagefiles A variable which receives a pointer to a buffer containing information about all * active pagefiles. You must free the structure using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumPagefiles( _Out_ PVOID *Pagefiles ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x200; buffer = PhAllocate(bufferSize); while ((status = NtQuerySystemInformation( SystemPageFileInformation, buffer, bufferSize, NULL )) == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; // Fail if we're resizing the buffer to something very large. if (bufferSize > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *Pagefiles = buffer; return status; } /** * Enumerates all pagefiles. * * \param Pagefiles A variable which receives a pointer to a buffer containing information about all * active pagefiles. You must free the structure using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumPagefilesEx( _Out_ PVOID *Pagefiles ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x200; buffer = PhAllocate(bufferSize); while ((status = NtQuerySystemInformation( SystemPageFileInformationEx, buffer, bufferSize, NULL )) == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; // Fail if we're resizing the buffer to something very large. if (bufferSize > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *Pagefiles = buffer; return status; } /** * Enumerates pool tag information. * * \param Buffer A pointer to a buffer that will receive the pool tag information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumPoolTagInformation( _Out_ PVOID* Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG attempts; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = NtQuerySystemInformation( SystemPoolTagInformation, buffer, bufferSize, &bufferSize ); attempts = 0; while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { PhFree(buffer); buffer = PhAllocate(bufferSize); status = NtQuerySystemInformation( SystemPoolTagInformation, buffer, bufferSize, &bufferSize ); attempts++; } if (NT_SUCCESS(status)) *Buffer = buffer; else PhFree(buffer); return status; } /** * Enumerates information about the big pool allocations in the system. * * \param Buffer A pointer to a variable that receives the buffer containing the big pool information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumBigPoolInformation( _Out_ PVOID* Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG attempts; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = NtQuerySystemInformation( SystemBigPoolInformation, buffer, bufferSize, &bufferSize ); attempts = 0; while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { buffer = PhReAllocate(buffer, bufferSize); status = NtQuerySystemInformation( SystemBigPoolInformation, buffer, bufferSize, &bufferSize ); attempts++; } if (NT_SUCCESS(status)) *Buffer = buffer; else PhFree(buffer); return status; } typedef struct _PH_IS_CONTAINER_CONTEXT { HANDLE ProcessObject; BOOLEAN Found; } PH_IS_CONTAINER_CONTEXT, *PPH_IS_CONTAINER_CONTEXT; _Function_class_(PH_ENUM_KEY_CALLBACK) static BOOLEAN NTAPI PhEnumHostComputeServiceKeyCallback( _In_ HANDLE RootDirectory, _In_ PVOID Information, _In_ PVOID Context ) { static CONST PH_STRINGREF objectNamePrefix = PH_STRINGREF_INIT(L"Container_"); PKEY_BASIC_INFORMATION basicInfo = (PKEY_BASIC_INFORMATION)Information; PPH_IS_CONTAINER_CONTEXT context = (PPH_IS_CONTAINER_CONTEXT)Context; PH_STRINGREF keyName; PPH_STRING string; keyName.Buffer = basicInfo->Name; keyName.Length = basicInfo->NameLength; if (string = PhConcatStringRef2(&objectNamePrefix, &keyName)) { HANDLE objectHandle; if (NT_SUCCESS(PhOpenJobObject( &objectHandle, JOB_OBJECT_QUERY, NULL, &string->sr ))) { PJOBOBJECT_BASIC_PROCESS_ID_LIST processIdList; if (NT_SUCCESS(PhGetJobProcessIdList(objectHandle, &processIdList))) { for (ULONG i = 0; i < processIdList->NumberOfProcessIdsInList; i++) { if (context->ProcessObject == (HANDLE)processIdList->ProcessIdList[i]) { context->Found = TRUE; break; } } PhFree(processIdList); } // JobObjectAssociateCompletionPortInformation for process start/stop notifications (dmex) NtClose(objectHandle); } } if (context->Found) return FALSE; return TRUE; } NTSTATUS PhEnumHostComputeService( _In_ HANDLE ProcessId ) { static CONST PH_STRINGREF keyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\HostComputeService\\VolatileStore\\ComputeSystem"); NTSTATUS status; HANDLE keyHandle; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &keyName, 0 ); if (NT_SUCCESS(status)) { PH_IS_CONTAINER_CONTEXT context; context.ProcessObject = ProcessId; context.Found = FALSE; status = PhEnumerateKey( keyHandle, KeyBasicInformation, PhEnumHostComputeServiceKeyCallback, &context ); NtClose(keyHandle); } return status; } _Function_class_(PH_ENUM_DIRECTORY_OBJECTS) static NTSTATUS NTAPI PhIsContainerEnumCallback( _In_ HANDLE RootDirectory, _In_ PPH_STRINGREF Name, _In_ PPH_STRINGREF TypeName, _In_ PVOID Context ) { PPH_IS_CONTAINER_CONTEXT context = (PPH_IS_CONTAINER_CONTEXT)Context; HANDLE objectHandle; if (!PhEqualStringRef2(TypeName, L"Job", FALSE)) return STATUS_NAME_TOO_LONG; if (NT_SUCCESS(PhOpenJobObject( &objectHandle, JOB_OBJECT_QUERY, RootDirectory, Name ))) { if (NT_SUCCESS(NtIsProcessInJob( context->ProcessObject, objectHandle ))) { context->Found = TRUE; NtClose(objectHandle); return STATUS_NO_MORE_ENTRIES; } NtClose(objectHandle); } return STATUS_SUCCESS; } /** * Determines if a process is managed. * * \param ProcessId The ID of the process. * \param ProcessHandle A handle to the process. * \param IsContainer A variable which receives a boolean indicating whether the process is managed. * \return NTSTATUS Successful or errant status. */ _Use_decl_annotations_ NTSTATUS PhGetProcessIsContainer( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _Out_opt_ PBOOLEAN IsContainer ) { { static CONST PH_STRINGREF keyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\HostComputeService\\VolatileStore\\ComputeSystem"); HANDLE keyHandle; PH_IS_CONTAINER_CONTEXT context; context.ProcessObject = NULL; context.Found = FALSE; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &keyName, 0 ))) { PhEnumerateKey( keyHandle, KeyBasicInformation, PhEnumHostComputeServiceKeyCallback, &context ); NtClose(keyHandle); } if (context.Found) { if (IsContainer) *IsContainer = TRUE; return STATUS_SUCCESS; } } { static CONST PH_STRINGREF directoryName = PH_STRINGREF_INIT(L"\\"); NTSTATUS status; HANDLE directoryHandle; HANDLE processHandle; PH_IS_CONTAINER_CONTEXT context; context.ProcessObject = NULL; context.Found = FALSE; status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId ); if (NT_SUCCESS(status)) { status = PhOpenDirectoryObject( &directoryHandle, DIRECTORY_QUERY, NULL, &directoryName ); if (NT_SUCCESS(status)) { context.ProcessObject = processHandle; status = PhEnumDirectoryObjects( directoryHandle, PhIsContainerEnumCallback, NULL ); NtClose(directoryHandle); } NtClose(processHandle); } if (context.Found) { if (IsContainer) *IsContainer = TRUE; return STATUS_SUCCESS; } if (IsContainer) *IsContainer = FALSE; return status; } } /** * Determines if a process is managed. * * \param ProcessId The ID of the process. * \param IsDotNet A variable which receives a boolean indicating whether the process is managed. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessIsDotNet( _In_ HANDLE ProcessId, _Out_ PBOOLEAN IsDotNet ) { return PhGetProcessIsDotNetEx(ProcessId, NULL, 0, IsDotNet, NULL); } _Function_class_(PH_ENUM_PROCESS_MODULES_CALLBACK) static BOOLEAN NTAPI PhpIsDotNetEnumProcessModulesCallback( _In_ PLDR_DATA_TABLE_ENTRY Module, _In_ PVOID Context ) { static CONST PH_STRINGREF clrString = PH_STRINGREF_INIT(L"clr.dll"); static CONST PH_STRINGREF clrcoreString = PH_STRINGREF_INIT(L"coreclr.dll"); static CONST PH_STRINGREF mscorwksString = PH_STRINGREF_INIT(L"mscorwks.dll"); static CONST PH_STRINGREF mscorsvrString = PH_STRINGREF_INIT(L"mscorsvr.dll"); static CONST PH_STRINGREF mscorlibString = PH_STRINGREF_INIT(L"mscorlib.dll"); static CONST PH_STRINGREF mscorlibNiString = PH_STRINGREF_INIT(L"mscorlib.ni.dll"); static CONST PH_STRINGREF frameworkString = PH_STRINGREF_INIT(L"\\Microsoft.NET\\Framework\\"); static CONST PH_STRINGREF framework64String = PH_STRINGREF_INIT(L"\\Microsoft.NET\\Framework64\\"); PH_STRINGREF baseDllName; PhUnicodeStringToStringRef(&Module->BaseDllName, &baseDllName); if ( PhEqualStringRef(&baseDllName, &clrString, TRUE) || PhEqualStringRef(&baseDllName, &mscorwksString, TRUE) || PhEqualStringRef(&baseDllName, &mscorsvrString, TRUE) ) { PH_STRINGREF fileName; PH_STRINGREF systemRoot; PCPH_STRINGREF frameworkPart; #ifdef _WIN64 if (*(PULONG)Context & PH_CLR_PROCESS_IS_WOW64) { #endif frameworkPart = &frameworkString; #ifdef _WIN64 } else { frameworkPart = &framework64String; } #endif PhUnicodeStringToStringRef(&Module->FullDllName, &fileName); PhGetSystemRoot(&systemRoot); if (PhStartsWithStringRef(&fileName, &systemRoot, TRUE)) { fileName.Buffer = PTR_ADD_OFFSET(fileName.Buffer, systemRoot.Length); fileName.Length -= systemRoot.Length; if (PhStartsWithStringRef(&fileName, frameworkPart, TRUE)) { fileName.Buffer = PTR_ADD_OFFSET(fileName.Buffer, frameworkPart->Length); fileName.Length -= frameworkPart->Length; if (fileName.Length >= 4 * sizeof(WCHAR)) // vx.x { if (fileName.Buffer[1] == L'1') { if (fileName.Buffer[3] == L'0') *(PULONG)Context |= PH_CLR_VERSION_1_0; else if (fileName.Buffer[3] == L'1') *(PULONG)Context |= PH_CLR_VERSION_1_1; } else if (fileName.Buffer[1] == L'2') { *(PULONG)Context |= PH_CLR_VERSION_2_0; } else if (fileName.Buffer[1] >= L'4' && fileName.Buffer[1] <= L'9') { *(PULONG)Context |= PH_CLR_VERSION_4_ABOVE; } } } } } else if ( PhEqualStringRef(&baseDllName, &mscorlibString, TRUE) || PhEqualStringRef(&baseDllName, &mscorlibNiString, TRUE) ) { *(PULONG)Context |= PH_CLR_MSCORLIB_PRESENT; } else if (PhEqualStringRef(&baseDllName, &clrcoreString, TRUE)) { *(PULONG)Context |= PH_CLR_CORELIB_PRESENT; } return TRUE; } typedef struct _PHP_PIPE_NAME_HASH { ULONG NameHash; ULONG Found; } PHP_PIPE_NAME_HASH, *PPHP_PIPE_NAME_HASH; _Function_class_(PH_ENUM_DIRECTORY_FILE) static BOOLEAN NTAPI PhpDotNetCorePipeHashCallback( _In_ HANDLE RootDirectory, _In_ PFILE_DIRECTORY_INFORMATION Information, _In_ PVOID Context ) { PPHP_PIPE_NAME_HASH context = Context; PH_STRINGREF objectName; objectName.Length = Information->FileNameLength; objectName.Buffer = Information->FileName; if (PhHashStringRefEx(&objectName, FALSE, PH_STRING_HASH_X65599) == context->NameHash) { context->Found = TRUE; return FALSE; } return TRUE; } /** * Determines if a process is managed. * * \param ProcessId The ID of the process. * \param ProcessHandle An optional handle to the process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param InFlags A combination of flags. * \li \c PH_CLR_USE_SECTION_CHECK Checks for the existence of related section objects to determine * whether the process is managed. * \li \c PH_CLR_NO_WOW64_CHECK Instead of a separate query, uses the presence of the * \c PH_CLR_KNOWN_IS_WOW64 flag to determine whether the process is running under WOW64. * \li \c PH_CLR_KNOWN_IS_WOW64 When \c PH_CLR_NO_WOW64_CHECK is specified, indicates that the * process is managed. * \param IsDotNet A variable which receives a boolean indicating whether the process is managed. * \param Flags A variable which receives additional flags. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessIsDotNetEx( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG InFlags, _Out_opt_ PBOOLEAN IsDotNet, _Out_opt_ PULONG Flags ) { if (InFlags & PH_CLR_USE_SECTION_CHECK) { NTSTATUS status; HANDLE sectionHandle; SIZE_T returnLength; PH_STRINGREF objectName; PH_FORMAT format[2]; WCHAR formatBuffer[0x80]; // Most .NET processes have a handle open to a section named // \BaseNamedObjects\Cor_Private_IPCBlock(_v4)_. This is the same object used by // the ICorPublish::GetProcess function. Instead of calling that function, we simply check // for the existence of that section object. This means: // * Better performance. // * No need for admin rights to get .NET status of processes owned by other users. // Version 4 section object PhInitFormatS(&format[0], L"\\BaseNamedObjects\\Cor_Private_IPCBlock_v4_"); PhInitFormatU(&format[1], HandleToUlong(ProcessId)); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &returnLength)) { objectName.Length = returnLength - sizeof(UNICODE_NULL); objectName.Buffer = formatBuffer; } else { return STATUS_NO_MEMORY; } status = PhOpenSection( §ionHandle, SECTION_QUERY, NULL, &objectName ); if (NT_SUCCESS(status) || status == STATUS_ACCESS_DENIED) { if (NT_SUCCESS(status)) NtClose(sectionHandle); if (IsDotNet) *IsDotNet = TRUE; if (Flags) *Flags = PH_CLR_VERSION_4_ABOVE; return STATUS_SUCCESS; } // Version 2 section object PhInitFormatS(&format[0], L"\\BaseNamedObjects\\Cor_Private_IPCBlock_"); PhInitFormatU(&format[1], HandleToUlong(ProcessId)); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &returnLength)) { objectName.Length = returnLength - sizeof(UNICODE_NULL); objectName.Buffer = formatBuffer; } else { return STATUS_NO_MEMORY; } status = PhOpenSection( §ionHandle, SECTION_QUERY, NULL, &objectName ); if (NT_SUCCESS(status) || status == STATUS_ACCESS_DENIED) { if (NT_SUCCESS(status)) NtClose(sectionHandle); if (IsDotNet) *IsDotNet = TRUE; if (Flags) *Flags = PH_CLR_VERSION_2_0; return STATUS_SUCCESS; } // .NET Core 3.0 and above objects PhInitFormatS(&format[0], L"dotnet-diagnostic-"); PhInitFormatU(&format[1], HandleToUlong(ProcessId)); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &returnLength)) { PHP_PIPE_NAME_HASH context; objectName.Length = returnLength - sizeof(UNICODE_NULL); objectName.Buffer = formatBuffer; context.NameHash = PhHashStringRefEx(&objectName, FALSE, PH_STRING_HASH_X65599); context.Found = FALSE; status = PhEnumDirectoryNamedPipe( &objectName, PhpDotNetCorePipeHashCallback, &context ); if (NT_SUCCESS(status)) { if (!context.Found) { status = STATUS_OBJECT_NAME_NOT_FOUND; } } // NOTE: NtQueryAttributesFile and other query functions connect to the pipe and should be avoided. (dmex) // //FILE_BASIC_INFORMATION fileInfo; // //objectNameSr.Length = returnLength - sizeof(UNICODE_NULL); //objectNameSr.Buffer = formatBuffer; // //PhStringRefToUnicodeString(&objectNameSr, &objectName); //InitializeObjectAttributes( // &objectAttributes, // &objectName, // OBJ_CASE_INSENSITIVE, // NULL, // NULL // ); // //status = NtQueryAttributesFile(&objectAttributes, &fileInfo) } if (NT_SUCCESS(status)) { if (IsDotNet) *IsDotNet = TRUE; if (Flags) *Flags = PH_CLR_VERSION_4_ABOVE | PH_CLR_CORE_3_0_ABOVE; return STATUS_SUCCESS; } return status; } else { NTSTATUS status; HANDLE processHandle = NULL; ULONG flags = 0; #ifdef _WIN64 BOOLEAN isWow64; #endif if (!ProcessHandle) { if (!NT_SUCCESS(status = PhOpenProcess(&processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessId))) return status; ProcessHandle = processHandle; } #ifdef _WIN64 if (InFlags & PH_CLR_NO_WOW64_CHECK) { isWow64 = !!(InFlags & PH_CLR_KNOWN_IS_WOW64); } else { isWow64 = FALSE; PhGetProcessIsWow64(ProcessHandle, &isWow64); } if (isWow64) { flags |= PH_CLR_PROCESS_IS_WOW64; status = PhEnumProcessModules32(ProcessHandle, PhpIsDotNetEnumProcessModulesCallback, &flags); } else { #endif status = PhEnumProcessModules(ProcessHandle, PhpIsDotNetEnumProcessModulesCallback, &flags); #ifdef _WIN64 } #endif if (processHandle) NtClose(processHandle); if (IsDotNet) *IsDotNet = (flags & PH_CLR_VERSION_MASK) && (flags & (PH_CLR_MSCORLIB_PRESENT | PH_CLR_CORELIB_PRESENT)); if (Flags) *Flags = flags; return status; } } /* * Opens a directory object. * * \param DirectoryHandle A variable which receives a handle to the directory object. * \param DesiredAccess The desired access to the directory object. * \param RootDirectory A handle to the root directory of the object. * \param ObjectName The name of the directory object. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenDirectoryObject( _Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtOpenDirectoryObject( DirectoryHandle, DesiredAccess, &objectAttributes ); return status; } /** * Enumerates the objects in a directory object. * * \param DirectoryHandle A handle to a directory. The handle must have DIRECTORY_QUERY access. * \param Callback A callback function which is executed for each object. * \param Context A user-defined value to pass to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumDirectoryObjects( _In_ HANDLE DirectoryHandle, _In_ PPH_ENUM_DIRECTORY_OBJECTS Callback, _In_opt_ PVOID Context ) { NTSTATUS status; ULONG context = 0; BOOLEAN firstTime = TRUE; ULONG bufferSize; POBJECT_DIRECTORY_INFORMATION buffer; ULONG i; bufferSize = 0x200; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; while (TRUE) { // Get a batch of entries. while ((status = NtQueryDirectoryObject( DirectoryHandle, buffer, bufferSize, FALSE, firstTime, &context, NULL )) == STATUS_MORE_ENTRIES) { // Check if we have at least one entry. If not, we'll double the buffer size and try // again. if (buffer[0].Name.Buffer) break; // Make sure we don't use too much memory. if (bufferSize > PH_LARGE_BUFFER_SIZE) { PhFreeStack(buffer); return STATUS_INSUFFICIENT_RESOURCES; } PhFreeStack(buffer); bufferSize *= 2; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; } if (!NT_SUCCESS(status)) { if (status == STATUS_NO_MORE_ENTRIES) status = STATUS_SUCCESS; PhFreeStack(buffer); return status; } // Read the batch and execute the callback function for each object. i = 0; while (TRUE) { POBJECT_DIRECTORY_INFORMATION info; PH_STRINGREF name; PH_STRINGREF typeName; info = &buffer[i]; if (!info->Name.Buffer) break; PhUnicodeStringToStringRef(&info->Name, &name); PhUnicodeStringToStringRef(&info->TypeName, &typeName); status = Callback( DirectoryHandle, &name, &typeName, Context ); if (status == STATUS_NO_MORE_ENTRIES) break; i++; } if (status == STATUS_NO_MORE_ENTRIES) break; firstTime = FALSE; } if (status == STATUS_NO_MORE_ENTRIES) status = STATUS_SUCCESS; PhFreeStack(buffer); return status; } /** * Creates a symbolic link object. * * \param LinkHandle Pointer to a variable that receives the handle to the symbolic link object. * \param DesiredAccess Specifies the desired access rights for the symbolic link object. * \param RootDirectory Optional handle to the root directory for the symbolic link object name. * \param FileName Pointer to a string that specifies the target file or object to which the symbolic link points. * \param LinkName Pointer to a string that specifies the name of the symbolic link object to be created. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateSymbolicLinkObject( _Out_ PHANDLE LinkHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF FileName, _In_ PCPH_STRINGREF LinkName ) { NTSTATUS status; HANDLE linkHandle; OBJECT_ATTRIBUTES objectAttributes; UNICODE_STRING objectName; UNICODE_STRING objectTarget; if (!PhStringRefToUnicodeString(FileName, &objectName)) return STATUS_NAME_TOO_LONG; if (!PhStringRefToUnicodeString(LinkName, &objectTarget)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtCreateSymbolicLinkObject( &linkHandle, DesiredAccess, &objectAttributes, &objectTarget ); if (NT_SUCCESS(status)) { *LinkHandle = linkHandle; } return status; } /** * Queries the target of a symbolic link object. * * \param LinkTarget Pointer to a variable that receives the target of the symbolic link as a PPH_STRING. * \param RootDirectory Optional handle to the root directory for the object name. Can be NULL. * \param ObjectName Pointer to a string reference that specifies the name of the symbolic link object. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQuerySymbolicLinkObject( _Out_ PPH_STRING* LinkTarget, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ) { NTSTATUS status; HANDLE linkHandle; OBJECT_ATTRIBUTES objectAttributes; UNICODE_STRING objectName; UNICODE_STRING targetName; ULONG returnLength = 0; WCHAR stackBuffer[DOS_MAX_PATH_LENGTH]; ULONG bufferLength = sizeof(stackBuffer); PWCHAR buffer = stackBuffer; if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtOpenSymbolicLinkObject( &linkHandle, SYMBOLIC_LINK_QUERY, &objectAttributes ); if (!NT_SUCCESS(status)) return status; RtlInitEmptyUnicodeString(&targetName, buffer, (USHORT)bufferLength); status = NtQuerySymbolicLinkObject( linkHandle, &targetName, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL) { bufferLength = returnLength; buffer = PhAllocate(bufferLength); RtlInitEmptyUnicodeString(&targetName, buffer, (USHORT)bufferLength); status = NtQuerySymbolicLinkObject( linkHandle, &targetName, &returnLength ); } if (NT_SUCCESS(status)) { *LinkTarget = PhCreateStringFromUnicodeString(&targetName); } if (buffer != stackBuffer) { PhFree(buffer); } NtClose(linkHandle); return status; } /** * Initializes the device prefixes module. */ VOID PhpInitializeDevicePrefixes( VOID ) { ULONG i; PWCHAR buffer; // Allocate one buffer for all 26 prefixes to reduce overhead. buffer = PhAllocate(PH_DEVICE_PREFIX_LENGTH * sizeof(WCHAR) * 26); for (i = 0; i < 26; i++) { PhDevicePrefixes[i].Length = 0; PhDevicePrefixes[i].MaximumLength = PH_DEVICE_PREFIX_LENGTH * sizeof(WCHAR); PhDevicePrefixes[i].Buffer = buffer; buffer = PTR_ADD_OFFSET(buffer, PH_DEVICE_PREFIX_LENGTH * sizeof(WCHAR)); } } VOID PhUpdateMupDevicePrefixes( VOID ) { static CONST PH_STRINGREF orderKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Control\\NetworkProvider\\Order"); static CONST PH_STRINGREF servicesStringPart = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Services"); static CONST PH_STRINGREF networkProviderStringPart = PH_STRINGREF_INIT(L"\\NetworkProvider"); HANDLE orderKeyHandle; PPH_STRING providerOrder = NULL; ULONG i; PH_STRINGREF remainingPart; PH_STRINGREF part; // The provider names are stored in the ProviderOrder value in this key: // HKLM\System\CurrentControlSet\Control\NetworkProvider\Order // Each name can then be looked up, its device name in the DeviceName value in: // HKLM\System\CurrentControlSet\Services\\NetworkProvider // Note that we assume the providers only claim their device name. Some providers such as DFS // claim an extra part, and are not resolved correctly here. if (NT_SUCCESS(PhOpenKey( &orderKeyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &orderKeyName, 0 ))) { providerOrder = PhQueryRegistryStringZ(orderKeyHandle, L"ProviderOrder"); NtClose(orderKeyHandle); } if (!providerOrder) return; PhAcquireQueuedLockExclusive(&PhDeviceMupPrefixesLock); for (i = 0; i < PhDeviceMupPrefixesCount; i++) { PhDereferenceObject(PhDeviceMupPrefixes[i]); PhDeviceMupPrefixes[i] = NULL; } PhDeviceMupPrefixesCount = 0; PhDeviceMupPrefixes[PhDeviceMupPrefixesCount++] = PhCreateString(L"\\Device\\Mup"); // DFS claims an extra part of file names, which we don't handle. // PhDeviceMupPrefixes[PhDeviceMupPrefixesCount++] = PhCreateString(L"\\Device\\DfsClient"); remainingPart = providerOrder->sr; while (remainingPart.Length != 0) { PPH_STRING serviceKeyName; HANDLE networkProviderKeyHandle; PPH_STRING deviceName; if (PhDeviceMupPrefixesCount == PH_DEVICE_MUP_PREFIX_MAX_COUNT) break; PhSplitStringRefAtChar(&remainingPart, L',', &part, &remainingPart); if (part.Length != 0) { serviceKeyName = PhConcatStringRef4( &servicesStringPart, &PhNtPathSeparatorString, &part, &networkProviderStringPart ); if (NT_SUCCESS(PhOpenKey( &networkProviderKeyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &serviceKeyName->sr, 0 ))) { if (deviceName = PhQueryRegistryStringZ(networkProviderKeyHandle, L"DeviceName")) { PhDeviceMupPrefixes[PhDeviceMupPrefixesCount] = deviceName; PhDeviceMupPrefixesCount++; } NtClose(networkProviderKeyHandle); } PhDereferenceObject(serviceKeyName); } } PhReleaseQueuedLockExclusive(&PhDeviceMupPrefixesLock); PhDereferenceObject(providerOrder); } /** * Updates the DOS device names array. */ VOID PhUpdateDosDevicePrefixes( VOID ) { WCHAR deviceNameBuffer[7] = L"\\??\\ :"; ULONG deviceMap = 0; PhGetProcessDeviceMap(NtCurrentProcess(), &deviceMap); PhAcquireQueuedLockExclusive(&PhDevicePrefixesLock); for (ULONG i = 0; i < 0x1A; i++) { HANDLE linkHandle; OBJECT_ATTRIBUTES objectAttributes; UNICODE_STRING deviceName; if (deviceMap) { if (!(deviceMap & (0x1 << i))) { PhDevicePrefixes[i].Length = 0; continue; } } deviceNameBuffer[4] = (WCHAR)('A' + i); deviceName.Buffer = deviceNameBuffer; deviceName.Length = sizeof(deviceNameBuffer) - sizeof(UNICODE_NULL); deviceName.MaximumLength = deviceName.Length + sizeof(UNICODE_NULL); InitializeObjectAttributes( &objectAttributes, &deviceName, OBJ_CASE_INSENSITIVE, NULL, NULL ); if (NT_SUCCESS(NtOpenSymbolicLinkObject( &linkHandle, SYMBOLIC_LINK_QUERY, &objectAttributes ))) { if (!NT_SUCCESS(NtQuerySymbolicLinkObject( linkHandle, &PhDevicePrefixes[i], NULL ))) { PhDevicePrefixes[i].Length = 0; } NtClose(linkHandle); } else { PhDevicePrefixes[i].Length = 0; } } PhReleaseQueuedLockExclusive(&PhDevicePrefixesLock); } // rev from FindFirstVolumeW (dmex) /** * Retrieves the mount points of volumes. * * \param DeviceHandle A handle to the MountPointManager. * \param MountPoints An array of mounts. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetVolumeMountPoints( _In_ HANDLE DeviceHandle, _Out_ PMOUNTMGR_MOUNT_POINTS* MountPoints ) { NTSTATUS status; IO_STATUS_BLOCK isb; MOUNTMGR_MOUNT_POINT inputBuffer = { 0 }; PMOUNTMGR_MOUNT_POINTS outputBuffer; ULONG inputBufferLength = sizeof(inputBuffer); ULONG outputBufferLength; ULONG attempts = 16; outputBufferLength = 0x800; outputBuffer = PhAllocate(outputBufferLength); do { status = NtDeviceIoControlFile( DeviceHandle, NULL, NULL, NULL, &isb, IOCTL_MOUNTMGR_QUERY_POINTS, &inputBuffer, inputBufferLength, outputBuffer, outputBufferLength ); if (NT_SUCCESS(status)) break; if (status == STATUS_BUFFER_OVERFLOW) { outputBufferLength = outputBuffer->Size; PhFree(outputBuffer); if (outputBufferLength > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; outputBuffer = PhAllocate(outputBufferLength); } else { PhFree(outputBuffer); return status; } } while (--attempts); if (NT_SUCCESS(status)) { *MountPoints = outputBuffer; } else { PhFree(outputBuffer); } return status; } // rev from GetVolumePathNamesForVolumeNameW (dmex) /** * \brief Retrieves a list of drive letters and mounted folder paths for the specified volume. * * \param DeviceHandle A handle to the MountPointManager. * \param VolumeName A volume GUID path for the volume. * \param VolumePathNames A pointer to a buffer that receives the list of drive letters and mounted folder paths. * \a The list is an array of null-terminated strings terminated by an additional NULL character. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetVolumePathNamesForVolumeName( _In_ HANDLE DeviceHandle, _In_ PCPH_STRINGREF VolumeName, _Out_ PMOUNTMGR_VOLUME_PATHS* VolumePathNames ) { NTSTATUS status; IO_STATUS_BLOCK isb; PMOUNTMGR_TARGET_NAME inputBuffer; PMOUNTMGR_VOLUME_PATHS outputBuffer; ULONG inputBufferLength; ULONG outputBufferLength; ULONG attempts = 16; inputBufferLength = UFIELD_OFFSET(MOUNTMGR_TARGET_NAME, DeviceName[VolumeName->Length]) + sizeof(UNICODE_NULL); inputBuffer = PhAllocateStack(inputBufferLength); // Volume{guid}, CM_Get_Device_Interface_List, SymbolicLinks, [??] if (!inputBuffer) return STATUS_NO_MEMORY; inputBuffer->DeviceNameLength = (USHORT)VolumeName->Length; RtlCopyMemory(inputBuffer->DeviceName, VolumeName->Buffer, VolumeName->Length); outputBufferLength = UFIELD_OFFSET(MOUNTMGR_VOLUME_PATHS, MultiSz[DOS_MAX_PATH_LENGTH]) + sizeof(UNICODE_NULL); outputBuffer = PhAllocate(outputBufferLength); do { status = NtDeviceIoControlFile( DeviceHandle, NULL, NULL, NULL, &isb, IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS, inputBuffer, inputBufferLength, outputBuffer, outputBufferLength ); if (NT_SUCCESS(status)) break; if (status == STATUS_BUFFER_OVERFLOW) { outputBufferLength = (outputBuffer->MultiSzLength * sizeof(WCHAR)) + sizeof(UNICODE_NULL); PhFree(outputBuffer); outputBuffer = PhAllocate(outputBufferLength); } else { PhFreeStack(inputBuffer); PhFree(outputBuffer); return status; } } while (--attempts); if (NT_SUCCESS(status)) { *VolumePathNames = outputBuffer; } else { PhFree(outputBuffer); } PhFreeStack(inputBuffer); return status; } /** * Flush file caches on all volumes. * * \return NTSTATUS Successful or errant status. */ NTSTATUS PhFlushVolumeCache( VOID ) { NTSTATUS status; HANDLE deviceHandle; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; PMOUNTMGR_MOUNT_POINTS objectMountPoints; RtlInitUnicodeString(&objectName, MOUNTMGR_DEVICE_NAME); InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtCreateFile( &deviceHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (!NT_SUCCESS(status)) return status; status = PhGetVolumeMountPoints( deviceHandle, &objectMountPoints ); NtClose(deviceHandle); if (!NT_SUCCESS(status)) goto CleanupExit; for (ULONG i = 0; i < objectMountPoints->NumberOfMountPoints; i++) { PMOUNTMGR_MOUNT_POINT mountPoint = &objectMountPoints->MountPoints[i]; objectName.Length = mountPoint->SymbolicLinkNameLength; objectName.MaximumLength = mountPoint->SymbolicLinkNameLength + sizeof(UNICODE_NULL); objectName.Buffer = PTR_ADD_OFFSET(objectMountPoints, mountPoint->SymbolicLinkNameOffset); if (MOUNTMGR_IS_VOLUME_NAME(&objectName)) // \\??\\Volume{1111-2222} { HANDLE volumeHandle; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtCreateFile( &volumeHandle, FILE_WRITE_DATA | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (NT_SUCCESS(status)) { //if (WindowsVersion >= WINDOWS_8) //{ // status = NtFlushBuffersFileEx(volumeHandle, 0, 0, 0, &ioStatusBlock); //} //else { status = NtFlushBuffersFile(volumeHandle, &ioStatusBlock); } NtClose(volumeHandle); } } } PhFree(objectMountPoints); CleanupExit: return status; } //NTSTATUS PhUpdateDosDeviceMountPrefixes( // VOID // ) //{ // NTSTATUS status; // HANDLE deviceHandle; // UNICODE_STRING objectName; // OBJECT_ATTRIBUTES objectAttributes; // IO_STATUS_BLOCK ioStatusBlock; // PMOUNTMGR_MOUNT_POINTS deviceMountPoints; // // RtlInitUnicodeString(&objectName, MOUNTMGR_DEVICE_NAME); // InitializeObjectAttributes( // &objectAttributes, // &objectName, // OBJ_CASE_INSENSITIVE, // NULL, // NULL // ); // // status = NtCreateFile( // &deviceHandle, // FILE_READ_ATTRIBUTES | SYNCHRONIZE, // &objectAttributes, // &ioStatusBlock, // NULL, // FILE_ATTRIBUTE_NORMAL, // FILE_SHARE_READ | FILE_SHARE_WRITE, // FILE_OPEN, // FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, // NULL, // 0 // ); // // if (!NT_SUCCESS(status)) // return status; // // status = PhGetVolumeMountPoints( // deviceHandle, // &deviceMountPoints // ); // // if (!NT_SUCCESS(status)) // goto CleanupExit; // // for (ULONG i = 0; i < RTL_NUMBER_OF(PhDevicePrefixes); i++) // { // PhDevicePrefixes[i].Length = 0; // } // // for (ULONG i = 0; i < deviceMountPoints->NumberOfMountPoints; i++) // { // PMOUNTMGR_MOUNT_POINT entry = &deviceMountPoints->MountPoints[i]; // UNICODE_STRING linkName = // { // entry->SymbolicLinkNameLength, // entry->SymbolicLinkNameLength + sizeof(UNICODE_NULL), // PTR_ADD_OFFSET(deviceMountPoints, entry->SymbolicLinkNameOffset) // }; // UNICODE_STRING deviceName = // { // entry->DeviceNameLength, // entry->DeviceNameLength + sizeof(UNICODE_NULL), // PTR_ADD_OFFSET(deviceMountPoints, entry->DeviceNameOffset) // }; // // if (MOUNTMGR_IS_DRIVE_LETTER(&linkName)) // \\DosDevices\\C: // { // USHORT index = (USHORT)(linkName.Buffer[12] - L'A'); // // if (index >= RTL_NUMBER_OF(PhDevicePrefixes)) // continue; // if (deviceName.Length >= PhDevicePrefixes[index].MaximumLength - sizeof(UNICODE_NULL)) // continue; // // PhDevicePrefixes[index].Length = deviceName.Length; // memcpy_s( // PhDevicePrefixes[index].Buffer, // PhDevicePrefixes[index].MaximumLength, // deviceName.Buffer, // deviceName.Length // ); // } // // //if (MOUNTMGR_IS_VOLUME_NAME(&linkName)) // \\??\\Volume{1111-2222} // //{ // // PH_STRINGREF volumeLinkName; // // PMOUNTMGR_VOLUME_PATHS volumePaths; // // // // PhUnicodeStringToStringRef(&linkName, &volumeLinkName); // // // // if (NT_SUCCESS(PhGetVolumePathNamesForVolumeName(deviceHandle, &volumeLinkName, &volumePaths))) // // { // // for (PWSTR path = volumePaths->MultiSz; *path; path += PhCountStringZ(path) + 1) // // { // // dprintf("%S\n", path); // C:\\Mounted\\Folders // // } // // } // //} // } // // PhFree(deviceMountPoints); // //CleanupExit: // NtClose(deviceHandle); // // return status; //} /** * Resolves the mount prefix for a given file name. * * \param Name A pointer to a constant PPH_STRINGREF structure that specifies the file name to resolve. * \param NativeFileName A BOOLEAN value indicating whether the file name is in native NT format (TRUE) or DOS/Win32 format (FALSE). * \return A pointer to a PPH_STRING structure containing the resolved mount prefix, or NULL if the resolution fails. */ PPH_STRING PhResolveMountPrefix( _In_ PCPH_STRINGREF Name, _In_ BOOLEAN NativeFileName ) { NTSTATUS status; HANDLE deviceHandle; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; PMOUNTMGR_MOUNT_POINTS mountPoints; PPH_STRING newName = NULL; RtlInitUnicodeString(&objectName, MOUNTMGR_DEVICE_NAME); InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtCreateFile( &deviceHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (!NT_SUCCESS(status)) return NULL; status = PhGetVolumeMountPoints( deviceHandle, &mountPoints ); NtClose(deviceHandle); if (!NT_SUCCESS(status)) { return NULL; } for (ULONG i = 0; i < mountPoints->NumberOfMountPoints; i++) { PMOUNTMGR_MOUNT_POINT entry = &mountPoints->MountPoints[i]; const PH_STRINGREF linkPrefix = { entry->SymbolicLinkNameLength, RTL_PTR_ADD(mountPoints, entry->SymbolicLinkNameOffset) }; const PH_STRINGREF devicePrefix = { entry->DeviceNameLength, RTL_PTR_ADD(mountPoints, entry->DeviceNameOffset) }; if (NativeFileName) { if (PhStartsWithStringRef(Name, &devicePrefix, TRUE)) { if (PATH_IS_WIN32_DOSDEVICES_PREFIX(&linkPrefix) && linkPrefix.Buffer[1] == L'?') { // \??\Volume -> \\?\Volume linkPrefix.Buffer[1] = OBJ_NAME_PATH_SEPARATOR; } // \\Device\\VhdHardDisk{12345678-abcd-1234-abcd-123456789abc} -> \\\\?\\Volume{12345678-abcd-1234-abcd-123456789abc} newName = PhCreateStringEx(NULL, linkPrefix.Length + (Name->Length - devicePrefix.Length)); memcpy(newName->Buffer, linkPrefix.Buffer, linkPrefix.Length); memcpy( PTR_ADD_OFFSET(newName->Buffer, linkPrefix.Length), &Name->Buffer[devicePrefix.Length / sizeof(WCHAR)], Name->Length - devicePrefix.Length ); PhTrimToNullTerminatorString(newName); break; } } else { if (PhStartsWithStringRef(Name, &linkPrefix, TRUE)) { // \\?\Volume{12345678-abcd-1234-abcd-123456789abc} -> \Device\VhdHardDisk{12345678-abcd-1234-abcd-123456789abc} newName = PhCreateStringEx(NULL, devicePrefix.Length + (Name->Length - linkPrefix.Length)); memcpy(newName->Buffer, devicePrefix.Buffer, devicePrefix.Length); memcpy( PTR_ADD_OFFSET(newName->Buffer, devicePrefix.Length), &Name->Buffer[linkPrefix.Length / sizeof(WCHAR)], Name->Length - linkPrefix.Length ); PhTrimToNullTerminatorString(newName); break; } } } PhFree(mountPoints); return newName; } /** * Resolves a NT path into a Win32 path. * * \param Name A string containing the path to resolve. * \return A pointer to a string containing the Win32 path. You must free the string using * PhDereferenceObject() when you no longer need it. */ PPH_STRING PhResolveDevicePrefix( _In_ PCPH_STRINGREF Name ) { ULONG i; PPH_STRING newName = NULL; if (PhBeginInitOnce(&PhDevicePrefixesInitOnce)) { PhpInitializeDevicePrefixes(); PhUpdateDosDevicePrefixes(); PhUpdateMupDevicePrefixes(); //PhUpdateDosDeviceMountPrefixes(); PhEndInitOnce(&PhDevicePrefixesInitOnce); } PhAcquireQueuedLockShared(&PhDevicePrefixesLock); // Go through the DOS devices and try to find a matching prefix. for (i = 0; i < 26; i++) { BOOLEAN isPrefix = FALSE; PH_STRINGREF prefix; PhUnicodeStringToStringRef(&PhDevicePrefixes[i], &prefix); if (prefix.Length != 0) { if (PhStartsWithStringRef(Name, &prefix, TRUE)) { // To ensure we match the longest prefix, make sure the next character is a // backslash or the path is equal to the prefix. if (Name->Length == prefix.Length || Name->Buffer[prefix.Length / sizeof(WCHAR)] == OBJ_NAME_PATH_SEPARATOR) { isPrefix = TRUE; } } } if (isPrefix) { // :path newName = PhCreateStringEx(NULL, 2 * sizeof(WCHAR) + Name->Length - prefix.Length); newName->Buffer[0] = (WCHAR)('A' + i); newName->Buffer[1] = L':'; memcpy( &newName->Buffer[2], &Name->Buffer[prefix.Length / sizeof(WCHAR)], Name->Length - prefix.Length ); break; } } PhReleaseQueuedLockShared(&PhDevicePrefixesLock); if (i == 26) { // Resolve network providers. PhAcquireQueuedLockShared(&PhDeviceMupPrefixesLock); for (i = 0; i < PhDeviceMupPrefixesCount; i++) { BOOLEAN isPrefix = FALSE; SIZE_T prefixLength; prefixLength = PhDeviceMupPrefixes[i]->Length; if (prefixLength != 0) { if (PhStartsWithStringRef(Name, &PhDeviceMupPrefixes[i]->sr, TRUE)) { // To ensure we match the longest prefix, make sure the next character is a // backslash. Don't resolve if the name *is* the prefix. Otherwise, we will end // up with a useless string like "\". if (Name->Length != prefixLength && Name->Buffer[prefixLength / sizeof(WCHAR)] == OBJ_NAME_PATH_SEPARATOR) { isPrefix = TRUE; } } } if (isPrefix) { // \path newName = PhCreateStringEx(NULL, 1 * sizeof(WCHAR) + Name->Length - prefixLength); newName->Buffer[0] = OBJ_NAME_PATH_SEPARATOR; memcpy( &newName->Buffer[1], &Name->Buffer[prefixLength / sizeof(WCHAR)], Name->Length - prefixLength ); break; } } PhReleaseQueuedLockShared(&PhDeviceMupPrefixesLock); } if (PhIsNullOrEmptyString(newName) && (Name->Length != 0 && Name->Buffer[0] == OBJ_NAME_PATH_SEPARATOR)) { // We didn't find a match. Try the mount point prefixes. newName = PhResolveMountPrefix(Name, TRUE); } if (newName) PhTrimToNullTerminatorString(newName); return newName; } /** * Converts a file name into Win32 format. * * \param FileName A string containing a file name. * \return A pointer to a string containing the Win32 file name. You must free the string using * PhDereferenceObject() when you no longer need it. * \remarks This function may convert NT object name paths to invalid ones. If the path to be * converted is not necessarily a file name, use PhResolveDevicePrefix(). */ PPH_STRING PhGetFileName( _In_ PPH_STRING FileName ) { PPH_STRING newFileName; newFileName = FileName; // "\??\" refers to \GLOBAL??\. Just remove it. if (PhStartsWithString2(FileName, L"\\??\\", FALSE)) { newFileName = PhCreateStringEx(NULL, FileName->Length - 4 * sizeof(WCHAR)); memcpy(newFileName->Buffer, &FileName->Buffer[4], FileName->Length - 4 * sizeof(WCHAR)); } // "\SystemRoot" means "C:\Windows". else if (PhStartsWithString2(FileName, L"\\SystemRoot", TRUE)) { PH_STRINGREF systemRoot; PhGetSystemRoot(&systemRoot); newFileName = PhCreateStringEx(NULL, systemRoot.Length + FileName->Length - 11 * sizeof(WCHAR)); memcpy(newFileName->Buffer, systemRoot.Buffer, systemRoot.Length); memcpy(PTR_ADD_OFFSET(newFileName->Buffer, systemRoot.Length), &FileName->Buffer[11], FileName->Length - 11 * sizeof(WCHAR)); } // System32, SysWOW64, SysArm32, and SyChpe32 are all identical length, fixup is the same else if ( // "System32\" means "C:\Windows\System32\". PhStartsWithString2(FileName, L"System32\\", TRUE) #if _WIN64 // "SysWOW64\" means "C:\Windows\SysWOW64\". || PhStartsWithString2(FileName, L"SysWOW64\\", TRUE) #if _M_ARM64 // "SysArm32\" means "C:\Windows\SysArm32\". || PhStartsWithString2(FileName, L"SysArm32\\", TRUE) // "SyChpe32\" means "C:\Windows\SyChpe32\". || PhStartsWithString2(FileName, L"SyChpe32\\", TRUE) #endif #endif ) { PH_STRINGREF systemRoot; PhGetSystemRoot(&systemRoot); newFileName = PhCreateStringEx(NULL, systemRoot.Length + sizeof(UNICODE_NULL) + FileName->Length); memcpy(newFileName->Buffer, systemRoot.Buffer, systemRoot.Length); newFileName->Buffer[systemRoot.Length / sizeof(WCHAR)] = OBJ_NAME_PATH_SEPARATOR; memcpy(PTR_ADD_OFFSET(newFileName->Buffer, systemRoot.Length + sizeof(UNICODE_NULL)), FileName->Buffer, FileName->Length); } else if (FileName->Length != 0 && FileName->Buffer[0] == OBJ_NAME_PATH_SEPARATOR) { PPH_STRING resolvedName; resolvedName = PhResolveDevicePrefix(&FileName->sr); if (resolvedName) { newFileName = resolvedName; } else { // We didn't find a match. // If the file name starts with "\Windows", prepend the system drive. if (PhStartsWithString2(newFileName, L"\\Windows", TRUE)) { PH_STRINGREF systemRoot; PhGetSystemRoot(&systemRoot); newFileName = PhCreateStringEx(NULL, FileName->Length + 2 * sizeof(WCHAR)); newFileName->Buffer[0] = systemRoot.Buffer[0]; newFileName->Buffer[1] = L':'; memcpy(&newFileName->Buffer[2], FileName->Buffer, FileName->Length); } else { PhReferenceObject(newFileName); } } } else { // Just return the supplied file name. Note that we need to add a reference. PhReferenceObject(newFileName); } return newFileName; } /** * Converts a DOS-style path name to an NT-style path name. * * \param Name A pointer to a PPH_STRINGREF structure that contains the DOS path to convert. * \return A PPH_STRING containing the converted NT path, or NULL if the conversion fails. */ PPH_STRING PhDosPathNameToNtPathName( _In_ PCPH_STRINGREF Name ) { PPH_STRING newName = NULL; PH_STRINGREF prefix; ULONG index; PH_STRINGREF name; if (PhBeginInitOnce(&PhDevicePrefixesInitOnce)) { PhpInitializeDevicePrefixes(); PhUpdateDosDevicePrefixes(); PhUpdateMupDevicePrefixes(); PhEndInitOnce(&PhDevicePrefixesInitOnce); } if (PhIsNullOrEmptyStringRef(Name)) return NULL; name = *Name; if (PhStartsWithStringRef(&name, &PhWin32ExtendedPathPrefix, TRUE)) { PhSkipStringRef(&name, PhWin32ExtendedPathPrefix.Length); } if (PATH_IS_WIN32_DRIVE_PREFIX(&name)) { index = (ULONG)(PhUpcaseUnicodeChar(name.Buffer[0]) - L'A'); if (index >= RTL_NUMBER_OF(PhDevicePrefixes)) return NULL; PhAcquireQueuedLockShared(&PhDevicePrefixesLock); PhUnicodeStringToStringRef(&PhDevicePrefixes[index], &prefix); if (prefix.Length != 0) { // C:\\Name -> \\Device\\HardDiskVolumeX\\Name newName = PhCreateStringEx(NULL, prefix.Length + name.Length - sizeof(WCHAR[2])); memcpy( newName->Buffer, prefix.Buffer, prefix.Length ); memcpy( PTR_ADD_OFFSET(newName->Buffer, prefix.Length), PTR_ADD_OFFSET(name.Buffer, sizeof(WCHAR[2])), name.Length - sizeof(WCHAR[2]) ); } PhReleaseQueuedLockShared(&PhDevicePrefixesLock); } else if (PhStartsWithStringRef2(&name, L"\\SystemRoot", TRUE)) { PhAcquireQueuedLockShared(&PhDevicePrefixesLock); PhUnicodeStringToStringRef(&PhDevicePrefixes[(ULONG)'C'-'A'], &prefix); if (prefix.Length != 0) { static CONST PH_STRINGREF systemRoot = PH_STRINGREF_INIT(L"\\Windows"); // \\SystemRoot\\Name -> \\Device\\HardDiskVolumeX\\Windows\\Name newName = PhCreateStringEx(NULL, prefix.Length + name.Length + systemRoot.Length - sizeof(L"SystemRoot")); memcpy( newName->Buffer, prefix.Buffer, prefix.Length ); memcpy( PTR_ADD_OFFSET(newName->Buffer, prefix.Length), systemRoot.Buffer, systemRoot.Length ); memcpy( PTR_ADD_OFFSET(newName->Buffer, prefix.Length + systemRoot.Length), PTR_ADD_OFFSET(name.Buffer, sizeof(L"SystemRoot")), name.Length - sizeof(L"SystemRoot") ); } PhReleaseQueuedLockShared(&PhDevicePrefixesLock); } else if (PATH_IS_WIN32_DOSDEVICES_PREFIX(&name)) { newName = PhResolveMountPrefix(&name, FALSE); } return newName; } /** * Converts a DOS-style file path to an NT-style file path. * * \param DosFileName The DOS-style file path to convert (e.g., "C:\\Windows\\System32"). * \param NtFileName A pointer to a UNICODE_STRING structure that receives the resulting NT-style file path. * \param FilePart If specified, receives a pointer to the file part of the path (the final component). * \param RelativeName If specified, receives a pointer to a RTL_RELATIVE_NAME_U structure that describes the relative name. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDosLongPathNameToNtPathNameWithStatus( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR* FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ) { NTSTATUS status; if ( WindowsVersion >= WINDOWS_10_RS1 && PhAreLongPathsEnabled() && RtlDosLongPathNameToNtPathName_U_WithStatus_Import() ) { status = RtlDosLongPathNameToNtPathName_U_WithStatus_Import()( DosFileName, NtFileName, FilePart, RelativeName ); } else { status = RtlDosPathNameToNtPathName_U_WithStatus( DosFileName, NtFileName, FilePart, RelativeName ); } return status; } /** * Retrieves the root prefix of an NT path from the specified string reference. * * \param Name A pointer to a PPH_STRINGREF structure that contains the NT path string. * \return A PPH_STRING representing the root prefix of the NT path, or NULL if the prefix cannot be determined. */ PPH_STRING PhGetNtPathRootPrefix( _In_ PCPH_STRINGREF Name ) { PPH_STRING pathDevicePrefix = NULL; PH_STRINGREF prefix; PhAcquireQueuedLockShared(&PhDevicePrefixesLock); for (ULONG i = 0; i < RTL_NUMBER_OF(PhDevicePrefixes); i++) { PhUnicodeStringToStringRef(&PhDevicePrefixes[i], &prefix); if (prefix.Length && PhStartsWithStringRef(Name, &prefix, FALSE)) { pathDevicePrefix = PhCreateString2(&prefix); break; } } PhReleaseQueuedLockShared(&PhDevicePrefixesLock); return pathDevicePrefix; } /** * Retrieves the existing path prefix from the specified string reference. * * This function examines the provided string reference, which is expected to represent a file or directory path, * and returns a PPH_STRING containing the longest existing prefix of that path. If no part of the path exists, * the function may return NULL or an empty string, depending on implementation. * * \param Name A pointer to a PPH_STRINGREF structure that contains the path to be examined. * \return A PPH_STRING containing the longest existing prefix of the specified path, or NULL if no prefix exists. */ PPH_STRING PhGetExistingPathPrefix( _In_ PCPH_STRINGREF Name ) { PPH_STRING existingPathPrefix = NULL; PH_STRINGREF remainingPart; PH_STRINGREF directoryPart; PH_STRINGREF baseNamePart; if (PATH_IS_WIN32_DRIVE_PREFIX(Name)) { assert(FALSE); return NULL; } if (PhDoesDirectoryExist(Name)) { return PhCreateString2(Name); } remainingPart = *Name; while (remainingPart.Length != 0) { PhSplitStringRefAtLastChar(&remainingPart, OBJ_NAME_PATH_SEPARATOR, &directoryPart, &baseNamePart); if (directoryPart.Length != 0) { if (PhDoesDirectoryExist(&directoryPart)) { existingPathPrefix = PhCreateString2(&directoryPart); break; } } remainingPart = directoryPart; } //if (PhEqualStringRef(&existingPathPrefix, PhGetNtPathRootPrefix(Name), FALSE)) // return NULL; return existingPathPrefix; } /** * Retrieves the existing path prefix from a given string reference representing a path. * * This function examines the provided path and returns the longest existing prefix * (i.e., the deepest directory that actually exists on the filesystem). * * \param Name A pointer to a PPH_STRINGREF structure that contains the path to be checked. * \return A PPH_STRING containing the longest existing path prefix, or NULL if no part of the path exists. */ PPH_STRING PhGetExistingPathPrefixWin32( _In_ PCPH_STRINGREF Name ) { PPH_STRING existingPathPrefix = NULL; PH_STRINGREF remainingPart; PH_STRINGREF directoryPart; PH_STRINGREF baseNamePart; if (!PATH_IS_WIN32_DRIVE_PREFIX(Name)) { assert(FALSE); return NULL; } if (PhDoesDirectoryExistWin32(PhGetStringRefZ(Name))) { return PhCreateString2(Name); } remainingPart = *Name; while (remainingPart.Length != 0) { PhSplitStringRefAtLastChar(&remainingPart, OBJ_NAME_PATH_SEPARATOR, &directoryPart, &baseNamePart); if (directoryPart.Length != 0) { existingPathPrefix = PhCreateString2(&directoryPart); if (PhDoesDirectoryExistWin32(PhGetString(existingPathPrefix))) break; PhClearReference(&existingPathPrefix); } remainingPart = directoryPart; } return existingPathPrefix; } // rev from GetLongPathNameW (dmex) /** * Retrieves the long (non-8.3) path form of the specified file or directory name. * * \param FileName A pointer to a PPH_STRINGREF structure that contains the file or directory name for which to retrieve the long path name. * \return A PPH_STRING containing the long path name if successful, or NULL if the operation fails. */ PPH_STRING PhGetLongPathName( _In_ PCPH_STRINGREF FileName ) { PPH_STRING longPathName = NULL; NTSTATUS status; HANDLE fileHandle; IO_STATUS_BLOCK ioStatusBlock; PFILE_BOTH_DIR_INFORMATION directoryInfoBuffer; ULONG directoryInfoLength; PH_STRINGREF baseNamePart; UNICODE_STRING baseNameUs; status = PhOpenFile( &fileHandle, FileName, FILE_READ_DATA | FILE_LIST_DIRECTORY | SYNCHRONIZE, NULL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_FOR_BACKUP_INTENT, NULL ); if (!NT_SUCCESS(status)) return NULL; if (!PhGetBasePath(FileName, NULL, &baseNamePart)) goto CleanupExit; if (!PhStringRefToUnicodeString(&baseNamePart, &baseNameUs)) goto CleanupExit; directoryInfoLength = PAGE_SIZE; directoryInfoBuffer = PhAllocate(directoryInfoLength); status = NtQueryDirectoryFile( fileHandle, NULL, NULL, NULL, &ioStatusBlock, directoryInfoBuffer, directoryInfoLength, FileBothDirectoryInformation, TRUE, &baseNameUs, FALSE ); if (NT_SUCCESS(status)) { longPathName = PhCreateStringEx(directoryInfoBuffer->FileName, directoryInfoBuffer->FileNameLength); } PhFree(directoryInfoBuffer); CleanupExit: NtClose(fileHandle); return longPathName; } /** * Retrieves the heap signature from a process heap structure. * * \param ProcessHandle A handle to the process. The handle must have PROCESS_VM_READ access. * \param HeapAddress The base address of the heap in the target process. * \param IsWow64 Specifies whether the target process is running under WOW64 (TRUE) or is native (FALSE). * \param HeapSignature A pointer to a variable that receives the heap signature value. * \return NTSTATUS Successful or errant status. * \remarks The heap signature is a validation field in the _HEAP structure used to verify heap integrity. * This function reads the SegmentSignature field at different offsets depending on the process architecture: * - For WOW64 processes: offset 0x8 * - For native 64-bit processes: offset 0x10 * The signature value is only available on Windows 7 and later versions. */ NTSTATUS PhGetProcessHeapSignature( _In_ HANDLE ProcessHandle, _In_ PVOID HeapAddress, _In_ ULONG IsWow64, _Out_ ULONG *HeapSignature ) { NTSTATUS status = STATUS_UNSUCCESSFUL; ULONG heapSignature = ULONG_MAX; if (WindowsVersion >= WINDOWS_7) { // dt _HEAP SegmentSignature status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(HeapAddress, IsWow64 ? 0x8 : 0x10), &heapSignature, sizeof(ULONG), NULL ); } if (NT_SUCCESS(status)) { if (HeapSignature) *HeapSignature = heapSignature; } return status; } /** * Retrieves the front-end type of a specified heap in a process. * * \param ProcessHandle A handle to the process containing the heap. * \param HeapAddress The base address of the heap to query. * \param IsWow64 A flag indicating whether the process is running under WOW64. * \param HeapFrontEndType A pointer to a UCHAR that receives the front-end type of the heap. * Possible values include 0x0 (no front-end), 0x1 (LFH), etc., depending on the heap configuration. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessHeapFrontEndType( _In_ HANDLE ProcessHandle, _In_ PVOID HeapAddress, _In_ ULONG IsWow64, _Out_ UCHAR *HeapFrontEndType ) { NTSTATUS status = STATUS_UNSUCCESSFUL; UCHAR heapFrontEndType = UCHAR_MAX; if (WindowsVersion >= WINDOWS_10) { // dt _HEAP FrontEndHeapType status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(HeapAddress, IsWow64 ? 0x0ea : 0x1a2), &heapFrontEndType, sizeof(UCHAR), NULL ); } else if (WindowsVersion >= WINDOWS_8_1) { status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(HeapAddress, IsWow64 ? 0x0d6 : 0x17a), &heapFrontEndType, sizeof(UCHAR), NULL ); } else if (WindowsVersion >= WINDOWS_7) { status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(HeapAddress, IsWow64 ? 0x0da : 0x182), &heapFrontEndType, sizeof(UCHAR), NULL ); } if (NT_SUCCESS(status)) { if (HeapFrontEndType) *HeapFrontEndType = heapFrontEndType; } return status; } /** * Queries heap information for a specified process. * * \param ProcessId Handle to the process whose heap information is to be queried. * \param HeapInformation Pointer to a variable that receives a pointer to a structure containing heap information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryProcessHeapInformation( _In_ HANDLE ProcessId, _Out_ PPH_PROCESS_DEBUG_HEAP_INFORMATION* HeapInformation ) { NTSTATUS status; PRTL_DEBUG_INFORMATION debugBuffer = NULL; PPH_PROCESS_DEBUG_HEAP_INFORMATION heapDebugInfo = NULL; for (ULONG i = 0x400000; ; i *= 2) // rev from Heap32First/Heap32Next (dmex) { if (!(debugBuffer = RtlCreateQueryDebugBuffer(i, FALSE))) return STATUS_UNSUCCESSFUL; status = RtlQueryProcessDebugInformation( ProcessId, RTL_QUERY_PROCESS_HEAP_SUMMARY | RTL_QUERY_PROCESS_HEAP_ENTRIES | RTL_QUERY_PROCESS_NONINVASIVE, debugBuffer ); if (!NT_SUCCESS(status)) { RtlDestroyQueryDebugBuffer(debugBuffer); debugBuffer = NULL; } if (NT_SUCCESS(status) || status != STATUS_NO_MEMORY) break; if (2 * i <= i) { status = STATUS_UNSUCCESSFUL; break; } } if (!NT_SUCCESS(status)) return status; if (!debugBuffer->Heaps) { // The RtlQueryProcessDebugInformation function has two bugs on some versions // when querying the ProcessId for a frozen (suspended) immersive process. (dmex) // // 1) It'll deadlock the current thread for 30 seconds. // 2) It'll return STATUS_SUCCESS but with a NULL Heaps buffer. // // A workaround was implemented using PhCreateExecutionRequiredRequest() (dmex) RtlDestroyQueryDebugBuffer(debugBuffer); return STATUS_UNSUCCESSFUL; } if (WindowsVersion > WINDOWS_11) { heapDebugInfo = PhAllocateZero(sizeof(PH_PROCESS_DEBUG_HEAP_INFORMATION) + ((PRTL_PROCESS_HEAPS_V2)debugBuffer->Heaps)->NumberOfHeaps * sizeof(PH_PROCESS_DEBUG_HEAP_ENTRY)); heapDebugInfo->NumberOfHeaps = ((PRTL_PROCESS_HEAPS_V2)debugBuffer->Heaps)->NumberOfHeaps; } else { heapDebugInfo = PhAllocateZero(sizeof(PH_PROCESS_DEBUG_HEAP_INFORMATION) + ((PRTL_PROCESS_HEAPS_V1)debugBuffer->Heaps)->NumberOfHeaps * sizeof(PH_PROCESS_DEBUG_HEAP_ENTRY)); heapDebugInfo->NumberOfHeaps = ((PRTL_PROCESS_HEAPS_V1)debugBuffer->Heaps)->NumberOfHeaps; } heapDebugInfo->DefaultHeap = debugBuffer->ProcessHeap; for (ULONG i = 0; i < heapDebugInfo->NumberOfHeaps; i++) { RTL_HEAP_INFORMATION_V2 heapInfo = { 0 }; HANDLE processHandle; SIZE_T allocated = 0; SIZE_T committed = 0; if (WindowsVersion > WINDOWS_11) { heapInfo = ((PRTL_PROCESS_HEAPS_V2)debugBuffer->Heaps)->Heaps[i]; } else { RTL_HEAP_INFORMATION_V1 heapInfoV1 = ((PRTL_PROCESS_HEAPS_V1)debugBuffer->Heaps)->Heaps[i]; heapInfo.NumberOfEntries = heapInfoV1.NumberOfEntries; heapInfo.Entries = heapInfoV1.Entries; heapInfo.BytesCommitted = heapInfoV1.BytesCommitted; heapInfo.Flags = heapInfoV1.Flags; heapInfo.BaseAddress = heapInfoV1.BaseAddress; } // go through all heap entries and compute amount of allocated and committed bytes (ge0rdi) for (ULONG e = 0; e < heapInfo.NumberOfEntries; e++) { PRTL_HEAP_ENTRY entry = &heapInfo.Entries[e]; if (entry->Flags & RTL_HEAP_BUSY) allocated += entry->Size; if (entry->Flags & RTL_HEAP_SEGMENT) committed += entry->u.s2.CommittedSize; } // sometimes computed number if committed bytes is few pages smaller than the one reported by API, lets use the higher value (ge0rdi) if (committed < heapInfo.BytesCommitted) committed = heapInfo.BytesCommitted; // make sure number of allocated bytes is not higher than number of committed bytes (as that would make no sense) (ge0rdi) if (allocated > committed) allocated = committed; heapDebugInfo->Heaps[i].Flags = heapInfo.Flags; heapDebugInfo->Heaps[i].Signature = ULONG_MAX; heapDebugInfo->Heaps[i].HeapFrontEndType = UCHAR_MAX; heapDebugInfo->Heaps[i].NumberOfEntries = heapInfo.NumberOfEntries; heapDebugInfo->Heaps[i].BaseAddress = heapInfo.BaseAddress; heapDebugInfo->Heaps[i].BytesAllocated = allocated; heapDebugInfo->Heaps[i].BytesCommitted = committed; if (NT_SUCCESS(PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessId ))) { ULONG signature = ULONG_MAX; UCHAR frontEndType = UCHAR_MAX; #ifndef _WIN64 BOOLEAN isWow64 = TRUE; #else BOOLEAN isWow64 = FALSE; PhGetProcessIsWow64(processHandle, &isWow64); #endif if (NT_SUCCESS(PhGetProcessHeapSignature( processHandle, heapInfo.BaseAddress, isWow64, &signature ))) { heapDebugInfo->Heaps[i].Signature = signature; } if (NT_SUCCESS(PhGetProcessHeapFrontEndType( processHandle, heapInfo.BaseAddress, isWow64, &frontEndType ))) { heapDebugInfo->Heaps[i].HeapFrontEndType = frontEndType; } NtClose(processHandle); } } if (HeapInformation) *HeapInformation = heapDebugInfo; else PhFree(heapDebugInfo); if (debugBuffer) RtlDestroyQueryDebugBuffer(debugBuffer); return STATUS_SUCCESS; } /** * Queries lock information for a specified process and invokes the provided callback * for each lock associated with the process. * * \param ProcessId The handle to the process for which to query lock information. * \param Callback A pointer to a callback function of type PPH_ENUM_PROCESS_LOCKS * that will be called for each lock. * \param Context An optional pointer to user-defined context data that will be * passed to the callback function. * \return NTSTATUS indicating success or failure. */ NTSTATUS PhQueryProcessLockInformation( _In_ HANDLE ProcessId, _In_ PPH_ENUM_PROCESS_LOCKS Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PRTL_DEBUG_INFORMATION debugBuffer = NULL; for (ULONG i = 0x400000; ; i *= 2) // rev from Heap32First/Heap32Next (dmex) { if (!(debugBuffer = RtlCreateQueryDebugBuffer(i, FALSE))) return STATUS_UNSUCCESSFUL; status = RtlQueryProcessDebugInformation( ProcessId, RTL_QUERY_PROCESS_LOCKS, debugBuffer ); if (!NT_SUCCESS(status)) { RtlDestroyQueryDebugBuffer(debugBuffer); debugBuffer = NULL; } if (NT_SUCCESS(status) || status != STATUS_NO_MEMORY) break; if (2 * i <= i) { status = STATUS_UNSUCCESSFUL; break; } } if (!NT_SUCCESS(status)) return status; if (!debugBuffer->Locks) { // The RtlQueryProcessDebugInformation function has two bugs on some versions // when querying the ProcessId for a frozen (suspended) immersive process. (dmex) // // 1) It'll deadlock the current thread for 30 seconds. // 2) It'll return STATUS_SUCCESS but with a NULL Heaps buffer. // // A workaround was implemented using PhCreateExecutionRequiredRequest() (dmex) RtlDestroyQueryDebugBuffer(debugBuffer); return STATUS_UNSUCCESSFUL; } status = Callback( debugBuffer->Locks->NumberOfLocks, debugBuffer->Locks->Locks, Context ); if (debugBuffer) { RtlDestroyQueryDebugBuffer(debugBuffer); } return status; } // rev from kernelbase!GetMachineTypeAttributes (dmex) /** * Retrieves the attributes associated with a specified machine type. * * \param Machine The machine type identifier (e.g., IMAGE_FILE_MACHINE_I386). * \param Attributes A pointer to a MACHINE_ATTRIBUTES structure that receives the attributes. * \return NTSTATUS indicating success or failure. * \remarks Queries if the specified architecture is supported on the current system, * either natively or by any form of compatibility or emulation layer. */ NTSTATUS PhGetMachineTypeAttributes( _In_ USHORT Machine, _Out_ MACHINE_ATTRIBUTES* Attributes ) { NTSTATUS status; HANDLE input[1] = { 0 }; SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION output[6] = { 0 }; ULONG returnLength; status = NtQuerySystemInformationEx( SystemSupportedProcessorArchitectures2, input, sizeof(input), output, sizeof(output), &returnLength ); if (NT_SUCCESS(status)) { MACHINE_ATTRIBUTES attributes; memset(&attributes, 0, sizeof(MACHINE_ATTRIBUTES)); for (ULONG i = 0; i < returnLength / sizeof(SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION); i++) { if (output[i].Machine == Machine) { if (output[i].KernelMode) SetFlag(attributes, KernelEnabled); if (output[i].UserMode) SetFlag(attributes, UserEnabled); if (output[i].WoW64Container) SetFlag(attributes, Wow64Container); break; } } *Attributes = attributes; } return status; } /** * Checks if firmware-related features are supported on the current system. * * \return TRUE if firmware features are supported, FALSE otherwise. */ BOOLEAN PhIsFirmwareSupported( VOID ) { static CONST UNICODE_STRING variableName = RTL_CONSTANT_STRING(L" "); static CONST GUID vendorGuid = { 0 }; ULONG variableValueLength = 0; if (NtQuerySystemEnvironmentValueEx( &variableName, &vendorGuid, NULL, &variableValueLength, NULL ) == STATUS_VARIABLE_NOT_FOUND) { return TRUE; } return FALSE; } // rev from GetFirmwareEnvironmentVariableW (dmex) /** * Retrieves the value of a specified firmware environment variable. * * \param VariableName A pointer to a PH_STRINGREF structure that specifies the name of the variable to retrieve. * \param VendorGuid A pointer to a PH_STRINGREF structure that specifies the GUID of the firmware vendor. * \param ValueBuffer A pointer to a buffer that receives the value of the environment variable. * \param ValueLength An optional pointer to a ULONG that receives the length of the value returned in ValueBuffer. * \param ValueAttributes An optional pointer to a ULONG that receives the attributes of the environment variable. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetFirmwareEnvironmentVariable( _In_ PCPH_STRINGREF VariableName, _In_ PCPH_STRINGREF VendorGuid, _Out_writes_bytes_opt_(*ValueLength) PVOID* ValueBuffer, _Out_opt_ PULONG ValueLength, _Out_opt_ PULONG ValueAttributes ) { NTSTATUS status; GUID vendorGuid; UNICODE_STRING variableName; PVOID valueBuffer; ULONG valueLength = 0; ULONG valueAttributes = 0; if (!PhStringRefToUnicodeString(VariableName, &variableName)) return STATUS_NAME_TOO_LONG; status = PhStringToGuid( VendorGuid, &vendorGuid ); if (!NT_SUCCESS(status)) return status; status = NtQuerySystemEnvironmentValueEx( &variableName, &vendorGuid, NULL, &valueLength, &valueAttributes ); if (status != STATUS_BUFFER_TOO_SMALL) return STATUS_UNSUCCESSFUL; valueBuffer = PhAllocate(valueLength); memset(valueBuffer, 0, valueLength); status = NtQuerySystemEnvironmentValueEx( &variableName, &vendorGuid, valueBuffer, &valueLength, &valueAttributes ); if (NT_SUCCESS(status)) { if (ValueBuffer) *ValueBuffer = valueBuffer; else PhFree(valueBuffer); if (ValueLength) *ValueLength = valueLength; if (ValueAttributes) *ValueAttributes = valueAttributes; } else { PhFree(valueBuffer); } return status; } /** * Sets a firmware environment variable. * * \param VariableName A pointer to a PH_STRINGREF structure that specifies the name of the variable to set. * \param VendorGuid A pointer to a PH_STRINGREF structure that specifies the vendor GUID associated with the variable. * \param ValueBuffer An optional pointer to the buffer containing the value to set for the variable. * \param ValueLength The length, in bytes, of the value buffer. * \param Attributes Attributes to apply to the variable. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetFirmwareEnvironmentVariable( _In_ PCPH_STRINGREF VariableName, _In_ PCPH_STRINGREF VendorGuid, _In_reads_bytes_opt_(ValueLength) PVOID ValueBuffer, _In_ ULONG ValueLength, _In_ ULONG Attributes ) { NTSTATUS status; GUID vendorGuid; UNICODE_STRING variableName; if (!PhStringRefToUnicodeString(VariableName, &variableName)) return STATUS_NAME_TOO_LONG; status = PhStringToGuid( VendorGuid, &vendorGuid ); if (!NT_SUCCESS(status)) return status; status = NtSetSystemEnvironmentValueEx( &variableName, &vendorGuid, ValueBuffer, ValueLength, Attributes ); return status; } /** * Enumerates firmware environment values based on the specified information class. * * \param InformationClass The type of system environment information to enumerate. * \param Variables A pointer to a variable that receives the enumerated firmware environment values. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumFirmwareEnvironmentValues( _In_ SYSTEM_ENVIRONMENT_INFORMATION_CLASS InformationClass, _Out_ PVOID* Variables ) { NTSTATUS status; PVOID buffer; ULONG bufferLength; bufferLength = PAGE_SIZE; buffer = PhAllocate(bufferLength); while (TRUE) { status = NtEnumerateSystemEnvironmentValuesEx( InformationClass, buffer, &bufferLength ); if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); buffer = PhAllocate(bufferLength); } else { break; } } if (NT_SUCCESS(status)) { *Variables = buffer; } else { PhFree(buffer); } return status; } /** * Sets the system environment to boot into firmware on next restart. * * This function modifies the system environment variables to ensure that * the system boots directly into the firmware interface (such as UEFI or BIOS) * on the next system startup. * * \return NTSTATUS code indicating success or failure of the operation. */ NTSTATUS PhSetSystemEnvironmentBootToFirmware( VOID ) { static CONST GUID EFI_GLOBAL_VARIABLE_GUID = { 0x8be4df61, 0x93ca, 0x11d2, { 0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c } }; static CONST UNICODE_STRING OsIndicationsSupportedName = RTL_CONSTANT_STRING(L"OsIndicationsSupported"); static CONST UNICODE_STRING OsIndicationsName = RTL_CONSTANT_STRING(L"OsIndications"); const ULONG64 EFI_OS_INDICATIONS_BOOT_TO_FW_UI = 0x0000000000000001ULL; ULONG osIndicationsLength = sizeof(ULONG64); ULONG osIndicationsAttributes = 0; ULONG64 osIndicationsSupported = 0; ULONG64 osIndicationsValue = 0; NTSTATUS status; status = NtQuerySystemEnvironmentValueEx( &OsIndicationsSupportedName, &EFI_GLOBAL_VARIABLE_GUID, &osIndicationsSupported, &osIndicationsLength, NULL ); if (status == STATUS_VARIABLE_NOT_FOUND || !(osIndicationsSupported & EFI_OS_INDICATIONS_BOOT_TO_FW_UI)) { status = STATUS_NOT_SUPPORTED; } if (NT_SUCCESS(status)) { status = NtQuerySystemEnvironmentValueEx( &OsIndicationsName, &EFI_GLOBAL_VARIABLE_GUID, &osIndicationsValue, &osIndicationsLength, &osIndicationsAttributes ); if (NT_SUCCESS(status) || status == STATUS_VARIABLE_NOT_FOUND) { osIndicationsValue |= EFI_OS_INDICATIONS_BOOT_TO_FW_UI; if (status == STATUS_VARIABLE_NOT_FOUND) { osIndicationsAttributes = EFI_VARIABLE_NON_VOLATILE; } status = NtSetSystemEnvironmentValueEx( &OsIndicationsName, &EFI_GLOBAL_VARIABLE_GUID, &osIndicationsValue, osIndicationsLength, osIndicationsAttributes ); } } return status; } // rev from RtlpCreateExecutionRequiredRequest (dmex) /** * Create a new power request object. The process will continue to run instead of being suspended or terminated by PLM (Process Lifetime Management). * This is mandatory on Windows 8 and above to prevent threads created by DebugActiveProcess, QueueUserAPC and RtlQueryProcessDebug* functions from deadlocking the current application. * * \param ProcessHandle A handle to the process for which the power request is to be created. * \param PowerRequestHandle A pointer to a variable that receives a handle to the new power request. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateExecutionRequiredRequest( _In_ HANDLE ProcessHandle, _Out_ PHANDLE PowerRequestHandle ) { NTSTATUS status; HANDLE powerRequestHandle = NULL; COUNTED_REASON_CONTEXT powerRequestReason; POWER_REQUEST_ACTION powerRequestAction; memset(&powerRequestReason, 0, sizeof(COUNTED_REASON_CONTEXT)); powerRequestReason.Version = POWER_REQUEST_CONTEXT_VERSION; powerRequestReason.Flags = POWER_REQUEST_CONTEXT_NOT_SPECIFIED; status = NtPowerInformation( PlmPowerRequestCreate, &powerRequestReason, sizeof(COUNTED_REASON_CONTEXT), &powerRequestHandle, sizeof(HANDLE) ); if (!NT_SUCCESS(status)) return status; memset(&powerRequestAction, 0, sizeof(POWER_REQUEST_ACTION)); powerRequestAction.PowerRequestHandle = powerRequestHandle; powerRequestAction.RequestType = PowerRequestExecutionRequiredInternal; powerRequestAction.SetAction = TRUE; powerRequestAction.ProcessHandle = ProcessHandle; status = NtPowerInformation( PowerRequestAction, &powerRequestAction, sizeof(POWER_REQUEST_ACTION), NULL, 0 ); if (NT_SUCCESS(status)) { *PowerRequestHandle = powerRequestHandle; } else { NtClose(powerRequestHandle); } return status; } // rev from RtlpDestroyExecutionRequiredRequest (dmex) /** * Destroys an execution required power request handle. * * \param PowerRequestHandle An optional handle to the power request to destroy. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDestroyExecutionRequiredRequest( _In_opt_ _Post_ptr_invalid_ HANDLE PowerRequestHandle ) { POWER_REQUEST_ACTION requestPowerAction; if (!PowerRequestHandle) return STATUS_INVALID_PARAMETER; memset(&requestPowerAction, 0, sizeof(POWER_REQUEST_ACTION)); requestPowerAction.PowerRequestHandle = PowerRequestHandle; requestPowerAction.RequestType = PowerRequestExecutionRequiredInternal; requestPowerAction.SetAction = FALSE; requestPowerAction.ProcessHandle = NULL; NtPowerInformation( PowerRequestAction, &requestPowerAction, sizeof(POWER_REQUEST_ACTION), NULL, 0 ); return NtClose(PowerRequestHandle); } /** * Retrieves the nominal frequency (in MHz) of the specified processor. * * \param ProcessorNumber The processor number structure identifying the target processor. * \param NominalFrequency Pointer to a variable that receives the nominal frequency of the processor. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessorNominalFrequency( _In_ PPH_PROCESSOR_NUMBER ProcessorNumber, _Out_ PULONG NominalFrequency ) { NTSTATUS status; POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT frequencyInput; POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT frequencyOutput; memset(&frequencyInput, 0, sizeof(frequencyInput)); frequencyInput.InternalType = PowerInternalProcessorBrandedFrequency; frequencyInput.ProcessorNumber.Group = ProcessorNumber->Group; // USHRT_MAX for max frequencyInput.ProcessorNumber.Number = (BYTE)ProcessorNumber->Number; // UCHAR_MAX for max frequencyInput.ProcessorNumber.Reserved = 0; // UCHAR_MAX memset(&frequencyOutput, 0, sizeof(frequencyOutput)); frequencyOutput.Version = POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_VERSION; status = NtPowerInformation( PowerInformationInternal, &frequencyInput, sizeof(POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT), &frequencyOutput, sizeof(POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT) ); if (NT_SUCCESS(status)) { if (frequencyOutput.Version == POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_VERSION) { *NominalFrequency = frequencyOutput.NominalFrequency; } else { status = STATUS_INVALID_KERNEL_INFO_VERSION; } } return status; } // // Process freeze/thaw support // /** * Freezes the execution of a specified process. * * \param[out] ProcessStateChangeHandle A pointer to a handle that will receive the state change handle for the frozen process. * \param[in] ProcessHandle The handle to the process to be frozen. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhFreezeProcess( _Out_ PHANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessHandle ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; HANDLE processStateChangeHandle = NULL; if (!(NtCreateProcessStateChange_Import() && NtChangeProcessState_Import())) return STATUS_PROCEDURE_NOT_FOUND; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); status = NtCreateProcessStateChange_Import()( &processStateChangeHandle, STATECHANGE_SET_ATTRIBUTES, &objectAttributes, ProcessHandle, 0 ); if (!NT_SUCCESS(status)) return status; status = NtChangeProcessState_Import()( processStateChangeHandle, ProcessHandle, ProcessStateChangeSuspend, NULL, 0, 0 ); if (NT_SUCCESS(status)) { *ProcessStateChangeHandle = processStateChangeHandle; } return status; } /** * Freezes a process specified by its process ID. * * \param[out] ProcessStateChangeHandle A pointer to a handle that will receive the state change handle for the frozen process. * \param[in] ProcessId The handle to the process to be frozen. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhFreezeProcessById( _Out_ PHANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessId ) { NTSTATUS status; HANDLE processHandle; HANDLE processStateChangeHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME, ProcessId ); if (!NT_SUCCESS(status)) return status; status = PhFreezeProcess( &processStateChangeHandle, processHandle ); NtClose(processHandle); if (NT_SUCCESS(status)) { *ProcessStateChangeHandle = processStateChangeHandle; } return status; } /** * Thaws (resumes) a previously frozen process. * * \param ProcessStateChangeHandle Handle to the process state change object. * \param ProcessHandle Handle to the target process to be thawed. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhThawProcess( _In_ HANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessHandle ) { NTSTATUS status; if (!NtChangeProcessState_Import()) { return STATUS_PROCEDURE_NOT_FOUND; } status = NtChangeProcessState_Import()( ProcessStateChangeHandle, ProcessHandle, ProcessStateChangeResume, NULL, 0, 0 ); return status; } /** * Thaws (resumes) a process specified by its process ID. * * \param ProcessStateChangeHandle Handle used to manage process state changes. * \param ProcessId Handle to the process to be thawed (resumed). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhThawProcessById( _In_ HANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessId ) { NTSTATUS status; HANDLE processHandle; status = PhOpenProcess( &processHandle, PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME, ProcessId ); if (!NT_SUCCESS(status)) return status; status = PhThawProcess( ProcessStateChangeHandle, processHandle ); NtClose(processHandle); return status; } /** * Freezes (suspends) the specified thread. * * \param[out] ThreadStateChangeHandle A pointer to a handle that receives the thread state change handle. * \param[in] ThreadHandle A handle to the thread to be frozen. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhFreezeThread( _Out_ PHANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadHandle ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; HANDLE threadStateChangeHandle = NULL; if (!(NtCreateThreadStateChange_Import() && NtChangeThreadState_Import())) { return STATUS_PROCEDURE_NOT_FOUND; } InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); status = NtCreateThreadStateChange_Import()( &threadStateChangeHandle, STATECHANGE_SET_ATTRIBUTES, &objectAttributes, ThreadHandle, 0 ); if (!NT_SUCCESS(status)) return status; status = NtChangeThreadState_Import()( threadStateChangeHandle, ThreadHandle, ThreadStateChangeSuspend, NULL, 0, 0 ); if (NT_SUCCESS(status)) { *ThreadStateChangeHandle = threadStateChangeHandle; } return status; } /** * Freezes the specified thread by its ID. * * \param ThreadStateChangeHandle A pointer to a handle that will receive the thread state change handle. * \param ThreadId The ID of the thread to freeze. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhFreezeThreadById( _Out_ PHANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadId ) { NTSTATUS status; HANDLE threadHandle; HANDLE threadStateChangeHandle; status = PhOpenThread( &threadHandle, THREAD_SET_INFORMATION | THREAD_SUSPEND_RESUME, ThreadId ); if (!NT_SUCCESS(status)) return status; status = PhFreezeThread( &threadStateChangeHandle, threadHandle ); if (NT_SUCCESS(status)) { *ThreadStateChangeHandle = threadStateChangeHandle; } NtClose(threadHandle); return status; } /** * Resumes a suspended thread using the thread state change mechanism. * * \param ThreadStateChangeHandle A handle to the thread state change object, obtained from a prior suspend operation. * \param ThreadHandle A handle to the thread to be resumed. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhThawThread( _In_ HANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadHandle ) { NTSTATUS status; if (!NtChangeThreadState_Import()) { return STATUS_PROCEDURE_NOT_FOUND; } status = NtChangeThreadState_Import()( ThreadStateChangeHandle, ThreadHandle, ThreadStateChangeResume, NULL, 0, 0 ); return status; } /** * Resumes (thaws) a suspended thread by its ID using a thread state change handle. * * \param ThreadStateChangeHandle A handle to the thread state change object, obtained from a previous suspend operation. * \param ThreadId The ID of the thread to resume. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhThawThreadById( _In_ HANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadId ) { NTSTATUS status; HANDLE threadHandle; status = PhOpenThread( &threadHandle, THREAD_SET_INFORMATION | THREAD_SUSPEND_RESUME, ThreadId ); if (!NT_SUCCESS(status)) return status; status = PhThawThread( ThreadStateChangeHandle, threadHandle ); NtClose(threadHandle); return status; } // // Process execution request support // static PH_INITONCE PhExecutionRequestInitOnce = PH_INITONCE_INIT; static PPH_HASHTABLE PhExecutionRequestHashtable = NULL; typedef struct _PH_EXECUTIONREQUEST_CACHE_ENTRY { HANDLE ProcessId; HANDLE ExecutionRequestHandle; } PH_EXECUTIONREQUEST_CACHE_ENTRY, *PPH_EXECUTIONREQUEST_CACHE_ENTRY; _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN NTAPI PhExecutionRequestHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { return ((PPH_EXECUTIONREQUEST_CACHE_ENTRY)Entry1)->ProcessId == ((PPH_EXECUTIONREQUEST_CACHE_ENTRY)Entry2)->ProcessId; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG NTAPI PhExecutionRequestHashtableHashFunction( _In_ PVOID Entry ) { return HandleToUlong(((PPH_EXECUTIONREQUEST_CACHE_ENTRY)Entry)->ProcessId) / 4; } /** * Initializes the execution request table. * * This function sets up the execution request table, which is used to manage * and handle execution requests within the system. * \return TRUE if the initialization succeeds, FALSE otherwise. */ BOOLEAN PhInitializeExecutionRequestTable( VOID ) { if (PhBeginInitOnce(&PhExecutionRequestInitOnce)) { PhExecutionRequestHashtable = PhCreateHashtable( sizeof(PH_EXECUTIONREQUEST_CACHE_ENTRY), PhExecutionRequestHashtableEqualFunction, PhExecutionRequestHashtableHashFunction, 1 ); PhEndInitOnce(&PhExecutionRequestInitOnce); } return TRUE; } /** * Determines whether execution is required for the specified process. * * This function checks if the process identified by the given process ID requires * execution, typically in the context of process management or debugging. * * \param ProcessId A handle to the process ID to check. * \return TRUE if execution is required for the process, FALSE otherwise. */ BOOLEAN PhIsProcessExecutionRequired( _In_ HANDLE ProcessId ) { if (PhInitializeExecutionRequestTable()) { PH_EXECUTIONREQUEST_CACHE_ENTRY entry; entry.ProcessId = ProcessId; if (PhFindEntryHashtable(PhExecutionRequestHashtable, &entry)) { return TRUE; } } return FALSE; } /** * Enables the execution required state for the specified process. * This prevents the process from being terminated or suspended by the system * under certain conditions, ensuring it remains running. * * \param ProcessId The handle to the process for which to enable execution required. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhProcessExecutionRequiredEnable( _In_ HANDLE ProcessId ) { NTSTATUS status; HANDLE processHandle; HANDLE requestHandle; if (PhInitializeExecutionRequestTable()) { PH_EXECUTIONREQUEST_CACHE_ENTRY entry; entry.ProcessId = ProcessId; if (PhFindEntryHashtable(PhExecutionRequestHashtable, &entry)) { return STATUS_SUCCESS; } } status = PhOpenProcess( &processHandle, PROCESS_SET_LIMITED_INFORMATION, ProcessId ); if (!NT_SUCCESS(status)) return status; status = PhCreateExecutionRequiredRequest( processHandle, &requestHandle ); NtClose(processHandle); if (NT_SUCCESS(status)) { PH_EXECUTIONREQUEST_CACHE_ENTRY entry; entry.ProcessId = ProcessId; entry.ExecutionRequestHandle = requestHandle; PhAddEntryHashtable(PhExecutionRequestHashtable, &entry); } return status; } /** * Disables the execution required state for the specified process. * * \param ProcessId A handle to the process for which the execution required state should be disabled. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhProcessExecutionRequiredDisable( _In_ HANDLE ProcessId ) { if (PhInitializeExecutionRequestTable()) { PH_EXECUTIONREQUEST_CACHE_ENTRY lookupEntry; PPH_EXECUTIONREQUEST_CACHE_ENTRY entry; lookupEntry.ProcessId = ProcessId; if (entry = PhFindEntryHashtable(PhExecutionRequestHashtable, &lookupEntry)) { HANDLE requestHandle = entry->ExecutionRequestHandle; PhRemoveEntryHashtable(PhExecutionRequestHashtable, &lookupEntry); if (requestHandle) { return PhDestroyExecutionRequiredRequest(requestHandle); } } } return STATUS_UNSUCCESSFUL; } // KnownDLLs cache support static PH_INITONCE PhKnownDllsInitOnce = PH_INITONCE_INIT; static PPH_HASHTABLE PhKnownDllsHashtable = NULL; typedef struct _PH_KNOWNDLL_CACHE_ENTRY { PPH_STRING FileName; } PH_KNOWNDLL_CACHE_ENTRY, *PPH_KNOWNDLL_CACHE_ENTRY; _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN NTAPI PhKnownDllsHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_KNOWNDLL_CACHE_ENTRY entry1 = (PPH_KNOWNDLL_CACHE_ENTRY)Entry1; PPH_KNOWNDLL_CACHE_ENTRY entry2 = (PPH_KNOWNDLL_CACHE_ENTRY)Entry2; return PhEqualStringRef(&entry1->FileName->sr, &entry2->FileName->sr, FALSE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG NTAPI PhKnownDllsHashtableHashFunction( _In_ PVOID Entry ) { PPH_KNOWNDLL_CACHE_ENTRY entry = (PPH_KNOWNDLL_CACHE_ENTRY)Entry; return PhHashStringRefEx(&entry->FileName->sr, FALSE, PH_STRING_HASH_XXH32); } _Function_class_(PH_ENUM_DIRECTORY_OBJECTS) static NTSTATUS NTAPI PhpKnownDllObjectsCallback( _In_ HANDLE RootDirectory, _In_ PPH_STRINGREF Name, _In_ PPH_STRINGREF TypeName, _In_ PVOID Context ) { NTSTATUS status; HANDLE sectionHandle; PVOID baseAddress; SIZE_T viewSize; PPH_STRING fileName; status = PhOpenSection( §ionHandle, SECTION_MAP_READ, RootDirectory, Name ); if (!NT_SUCCESS(status)) goto CleanupExit; baseAddress = NULL; viewSize = PAGE_SIZE; status = PhMapViewOfSection( sectionHandle, NtCurrentProcess(), &baseAddress, 0, NULL, &viewSize, ViewUnmap, WindowsVersion < WINDOWS_10_RS2 ? 0 : MEM_MAPPED, PAGE_READONLY ); NtClose(sectionHandle); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcessMappedFileName( NtCurrentProcess(), baseAddress, &fileName ); PhUnmapViewOfSection(NtCurrentProcess(), baseAddress); if (NT_SUCCESS(status)) { PH_KNOWNDLL_CACHE_ENTRY entry; entry.FileName = fileName; PhAddEntryHashtable(PhKnownDllsHashtable, &entry); } CleanupExit: return STATUS_SUCCESS; // continue enumeration (dmex) } /** * Initializes the known DLLs for the system based on the provided object name. * \param ObjectName A pointer to a constant string reference specifying the object name. */ VOID PhInitializeKnownDlls( _In_ PCPH_STRINGREF ObjectName ) { HANDLE directoryHandle; if (NT_SUCCESS(PhOpenDirectoryObject( &directoryHandle, DIRECTORY_QUERY, NULL, ObjectName ))) { PhEnumDirectoryObjects( directoryHandle, PhpKnownDllObjectsCallback, NULL ); NtClose(directoryHandle); } } /** * Initializes the Known DLLs table used by the system. * \return TRUE if the Known DLLs table was successfully initialized, FALSE otherwise. */ BOOLEAN PhInitializeKnownDllsTable( VOID ) { if (PhBeginInitOnce(&PhKnownDllsInitOnce)) { static const PH_STRINGREF KnownDllsObjectName = PH_STRINGREF_INIT(L"\\KnownDlls"); static const PH_STRINGREF KnownDlls32ObjectName = PH_STRINGREF_INIT(L"\\KnownDlls32"); #ifdef _ARM64_ static const PH_STRINGREF KnownDllsArm32ObjectName = PH_STRINGREF_INIT(L"\\KnownDllsArm32"); static const PH_STRINGREF KnownDllsChpe32ObjectName = PH_STRINGREF_INIT(L"\\KnownDllsChpe32"); #endif PhKnownDllsHashtable = PhCreateHashtable( sizeof(PH_KNOWNDLL_CACHE_ENTRY), PhKnownDllsHashtableEqualFunction, PhKnownDllsHashtableHashFunction, 10 ); PhInitializeKnownDlls(&KnownDllsObjectName); PhInitializeKnownDlls(&KnownDlls32ObjectName); #ifdef _ARM64_ PhInitializeKnownDlls(&KnownDllsArm32ObjectName); PhInitializeKnownDlls(&KnownDllsChpe32ObjectName); #endif PhEndInitOnce(&PhKnownDllsInitOnce); } return TRUE; } /** * Checks if the specified file name corresponds to a known DLL. * * \param FileName A pointer to a PPH_STRING containing the file name to check. * \return TRUE if the file name is a known DLL, FALSE otherwise. */ BOOLEAN PhIsKnownDllFileName( _In_ PPH_STRING FileName ) { if (PhInitializeKnownDllsTable()) { PH_KNOWNDLL_CACHE_ENTRY entry; entry.FileName = FileName; if (PhFindEntryHashtable(PhKnownDllsHashtable, &entry)) { return TRUE; } } return FALSE; } /** * Retrieves the system processor performance distribution information. * * \param Buffer A pointer to the performance distribution data for all processors in the system. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSystemProcessorPerformanceDistribution( _Out_ PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION *Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG attempts; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = NtQuerySystemInformation( SystemProcessorPerformanceDistribution, buffer, bufferSize, &bufferSize ); attempts = 0; while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { PhFree(buffer); buffer = PhAllocate(bufferSize); status = NtQuerySystemInformation( SystemProcessorPerformanceDistribution, buffer, bufferSize, &bufferSize ); attempts++; } if (NT_SUCCESS(status)) *Buffer = buffer; else PhFree(buffer); return status; } /** * Retrieves the processor performance distribution information for a specified processor group. * * \param ProcessorGroup The processor group number for which to retrieve performance distribution information. * \param Buffer A pointer to a variable that receives a pointer to a SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION * structure containing the performance distribution data. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSystemProcessorPerformanceDistributionEx( _In_ USHORT ProcessorGroup, _Out_ PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION *Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG attempts; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = NtQuerySystemInformationEx( SystemProcessorPerformanceDistribution, &ProcessorGroup, sizeof(USHORT), buffer, bufferSize, &bufferSize ); attempts = 0; while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { PhFree(buffer); buffer = PhAllocate(bufferSize); status = NtQuerySystemInformationEx( SystemProcessorPerformanceDistribution, &ProcessorGroup, sizeof(USHORT), buffer, bufferSize, &bufferSize ); attempts++; } if (NT_SUCCESS(status)) *Buffer = buffer; else PhFree(buffer); return status; } /** * Retrieves information about the logical processors in the system. * * \param RelationshipType The relationship type to filter the logical processor information (e.g., processor core, NUMA node). * \param Buffer A pointer to a variable that receives a pointer to a buffer containing an array of SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX structures. * \param BufferLength A pointer to a variable that on input specifies the size of the buffer pointed to by Buffer, * and on output receives the number of bytes returned or required. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSystemLogicalProcessorInformation( _In_ LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType, _Out_ PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX *Buffer, _Out_ PULONG BufferLength ) { static ULONG initialBufferSize[] = { 0x200, 0x80, 0x100, 0x1000 }; NTSTATUS status; ULONG classIndex; PVOID buffer; ULONG bufferSize; ULONG attempts; switch (RelationshipType) { case RelationProcessorCore: classIndex = 0; break; case RelationProcessorPackage: classIndex = 1; break; case RelationGroup: classIndex = 2; break; case RelationAll: classIndex = 3; break; default: return STATUS_INVALID_INFO_CLASS; } bufferSize = initialBufferSize[classIndex]; buffer = PhAllocate(bufferSize); status = NtQuerySystemInformationEx( SystemLogicalProcessorAndGroupInformation, &RelationshipType, sizeof(LOGICAL_PROCESSOR_RELATIONSHIP), buffer, bufferSize, &bufferSize ); attempts = 0; while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { PhFree(buffer); buffer = PhAllocate(bufferSize); status = NtQuerySystemInformationEx( SystemLogicalProcessorAndGroupInformation, &RelationshipType, sizeof(LOGICAL_PROCESSOR_RELATIONSHIP), buffer, bufferSize, &bufferSize ); attempts++; } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } if (bufferSize <= 0x100000) initialBufferSize[classIndex] = bufferSize; *Buffer = buffer; *BufferLength = bufferSize; return status; } /** * Retrieves information about the logical processor relationships in the system. * * \param LogicalProcessorInformation A pointer to a PH_LOGICAL_PROCESSOR_INFORMATION structure * that receives the logical processor relationship information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSystemLogicalProcessorRelationInformation( _Out_ PPH_LOGICAL_PROCESSOR_INFORMATION LogicalProcessorInformation ) { NTSTATUS status; ULONG logicalInformationLength = 0; PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX logicalInformation; status = PhGetSystemLogicalProcessorInformation( RelationAll, &logicalInformation, &logicalInformationLength ); if (NT_SUCCESS(status)) { ULONG processorCoreCount = 0; ULONG processorNumaCount = 0; ULONG processorLogicalCount = 0; ULONG processorPackageCount = 0; for ( PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX processorInfo = logicalInformation; (ULONG_PTR)processorInfo < (ULONG_PTR)PTR_ADD_OFFSET(logicalInformation, logicalInformationLength); processorInfo = PTR_ADD_OFFSET(processorInfo, processorInfo->Size) ) { switch (processorInfo->Relationship) { case RelationProcessorCore: { processorCoreCount++; for (USHORT j = 0; j < processorInfo->Processor.GroupCount; j++) { processorLogicalCount += PhCountBitsUlongPtr(processorInfo->Processor.GroupMask[j].Mask); // RtlNumberOfSetBitsUlongPtr } } break; case RelationNumaNode: processorNumaCount++; break; case RelationProcessorPackage: processorPackageCount++; break; } } memset(LogicalProcessorInformation, 0, sizeof(PH_LOGICAL_PROCESSOR_INFORMATION)); LogicalProcessorInformation->ProcessorCoreCount = processorCoreCount; LogicalProcessorInformation->ProcessorNumaCount = processorNumaCount; LogicalProcessorInformation->ProcessorLogicalCount = processorLogicalCount; LogicalProcessorInformation->ProcessorPackageCount = processorPackageCount; PhFree(logicalInformation); } return status; } // based on RtlIsProcessorFeaturePresent (dmex) /** * Checks if a specific processor feature is present on the system. * * This function first checks if the current Windows version is older than a specified version * and if the requested processor feature index is within the valid range. If so, it queries * the processor feature from the user shared data. Otherwise, it calls the system API * `IsProcessorFeaturePresent` to determine the presence of the feature. * * \param ProcessorFeature The index of the processor feature to check. * \return TRUE if the processor feature is present, FALSE otherwise. */ BOOLEAN PhIsProcessorFeaturePresent( _In_ ULONG ProcessorFeature ) { if (WindowsVersion < WINDOWS_NEW && ProcessorFeature < PROCESSOR_FEATURE_MAX) { return USER_SHARED_DATA->ProcessorFeatures[ProcessorFeature]; } return !!IsProcessorFeaturePresent(ProcessorFeature); // RtlIsProcessorFeaturePresent } /** * Retrieves the processor number information for the current processor. * * \param ProcessorNumber A pointer to a PROCESSOR_NUMBER structure that receives the processor number details. */ VOID PhGetCurrentProcessorNumber( _Out_ PPROCESSOR_NUMBER ProcessorNumber ) { //if (PhIsProcessorFeaturePresent(PF_RDPID_INSTRUCTION_AVAILABLE)) // _rdpid_u32(); //if (PhIsProcessorFeaturePresent(PF_RDTSCP_INSTRUCTION_AVAILABLE)) // __rdtscp(); memset(ProcessorNumber, 0, sizeof(PROCESSOR_NUMBER)); RtlGetCurrentProcessorNumberEx(ProcessorNumber); } // based on GetActiveProcessorCount (dmex) /** * Retrieves the number of active processors in the specified processor group. * * \param ProcessorGroup The processor group for which to retrieve the active processor count. * \return The number of active processors in the specified group. */ USHORT PhGetActiveProcessorCount( _In_ USHORT ProcessorGroup ) { if (PhSystemProcessorInformation.ActiveProcessorCount) { USHORT numberOfProcessors = 0; if (ProcessorGroup == ALL_PROCESSOR_GROUPS) { for (USHORT i = 0; i < PhSystemProcessorInformation.NumberOfProcessorGroups; i++) { numberOfProcessors += PhSystemProcessorInformation.ActiveProcessorCount[i]; } } else { if (ProcessorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups) { numberOfProcessors = PhSystemProcessorInformation.ActiveProcessorCount[ProcessorGroup]; } } return numberOfProcessors; } else { return PhSystemProcessorInformation.NumberOfProcessors; } } /** * Retrieves the processor number structure corresponding to a given processor index. * * \param ProcessorIndex The zero-based index of the processor. * \param ProcessorNumber A pointer to a PPH_PROCESSOR_NUMBER structure that receives the processor number information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessorNumberFromIndex( _In_ ULONG ProcessorIndex, _Out_ PPH_PROCESSOR_NUMBER ProcessorNumber ) { USHORT processorIndex = 0; for (USHORT processorGroup = 0; processorGroup < PhSystemProcessorInformation.NumberOfProcessorGroups; processorGroup++) { USHORT processorCount = PhGetActiveProcessorCount(processorGroup); for (USHORT processorNumber = 0; processorNumber < processorCount; processorNumber++) { if (processorIndex++ == ProcessorIndex) { memset(ProcessorNumber, 0, sizeof(PH_PROCESSOR_NUMBER)); ProcessorNumber->Group = processorGroup; ProcessorNumber->Number = processorNumber; return STATUS_SUCCESS; } } } return STATUS_UNSUCCESSFUL; } /** * Retrieves the active processor affinity mask for a specified processor group. * * \param ProcessorGroup The processor group number for which to retrieve the active affinity mask. * \param ActiveProcessorMask A pointer to a variable that receives the active processor affinity mask for the specified group. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessorGroupActiveAffinityMask( _In_ USHORT ProcessorGroup, _Out_ PKAFFINITY ActiveProcessorMask ) { NTSTATUS status; PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX processorInformation; ULONG processorInformationLength; status = PhGetSystemLogicalProcessorInformation( RelationGroup, &processorInformation, &processorInformationLength ); if (NT_SUCCESS(status)) { if (ProcessorGroup < processorInformation->Group.ActiveGroupCount) { *ActiveProcessorMask = processorInformation->Group.GroupInfo[ProcessorGroup].ActiveProcessorMask; } else { status = STATUS_UNSUCCESSFUL; } PhFree(processorInformation); } return status; } /** * Retrieves the system affinity mask for active processors. * * \param[out] ActiveProcessorsAffinityMask Pointer to a variable that receives the affinity mask representing active processors in the system. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessorSystemAffinityMask( _Out_ PKAFFINITY ActiveProcessorsAffinityMask ) { if (PhSystemProcessorInformation.SingleProcessorGroup) { *ActiveProcessorsAffinityMask = PhSystemBasicInformation.ActiveProcessorsAffinityMask; return STATUS_SUCCESS; } else { PROCESSOR_NUMBER processorNumber; PhGetCurrentProcessorNumber(&processorNumber); return PhGetProcessorGroupActiveAffinityMask(processorNumber.Group, ActiveProcessorsAffinityMask); } } // rev from GetNumaHighestNodeNumber (dmex) /** * Retrieves the highest NUMA (Non-Uniform Memory Access) node number available on the system. * * \param[out] NodeNumber A pointer to a variable that receives the highest NUMA node number. * \return Returns an NTSTATUS code indicating success or failure of the operation. * \remarks The function queries the system for NUMA topology information and stores the highest node number * in the variable pointed to by NodeNumber. The value is zero-based; for example, if the system has * two NUMA nodes, the highest node number will be 1. */ NTSTATUS PhGetNumaHighestNodeNumber( _Out_ PUSHORT NodeNumber ) { NTSTATUS status; SYSTEM_NUMA_INFORMATION numaProcessorMap; status = NtQuerySystemInformation( SystemNumaProcessorMap, &numaProcessorMap, sizeof(SYSTEM_NUMA_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *NodeNumber = (USHORT)numaProcessorMap.HighestNodeNumber; } return status; } // rev from GetNumaProcessorNodeEx (dmex) /** * Retrieves the NUMA node number for a specified processor. * * \param ProcessorNumber A pointer to a PPH_PROCESSOR_NUMBER structure that specifies the processor for which to retrieve the NUMA node. * \param NodeNumber A pointer to a variable that receives the NUMA node number associated with the specified processor. * \return Returns TRUE if the NUMA node number was successfully retrieved; otherwise, returns FALSE. */ BOOLEAN PhGetNumaProcessorNode( _In_ PPH_PROCESSOR_NUMBER ProcessorNumber, _Out_ PUSHORT NodeNumber ) { NTSTATUS status; SYSTEM_NUMA_INFORMATION numaProcessorMap; USHORT processorNode = 0; if (ProcessorNumber->Group >= 20 || ProcessorNumber->Number >= MAXIMUM_PROC_PER_GROUP) { *NodeNumber = USHRT_MAX; return FALSE; } status = NtQuerySystemInformation( SystemNumaProcessorMap, &numaProcessorMap, sizeof(SYSTEM_NUMA_INFORMATION), NULL ); if (!NT_SUCCESS(status)) { *NodeNumber = USHRT_MAX; return FALSE; } while ( numaProcessorMap.ActiveProcessorsGroupAffinity[processorNode].Group != ProcessorNumber->Group || (numaProcessorMap.ActiveProcessorsGroupAffinity[processorNode].Mask & AFFINITY_MASK(ProcessorNumber->Number)) == 0 ) { if (++processorNode > numaProcessorMap.HighestNodeNumber) { *NodeNumber = USHRT_MAX; return FALSE; } } *NodeNumber = processorNode; return TRUE; } // rev from GetNumaProximityNodeEx (dmex) /** * Retrieves the NUMA (Non-Uniform Memory Access) node number associated with a given proximity ID. * * \param ProximityId The proximity ID for which to retrieve the corresponding NUMA node number. * \param NodeNumber A pointer to a variable that receives the NUMA node number associated with the specified proximity ID. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetNumaProximityNode( _In_ ULONG ProximityId, _Out_ PUSHORT NodeNumber ) { NTSTATUS status; SYSTEM_NUMA_PROXIMITY_MAP numaProximityMap; memset(&numaProximityMap, 0, sizeof(SYSTEM_NUMA_PROXIMITY_MAP)); numaProximityMap.NodeProximityId = ProximityId; status = NtQuerySystemInformation( SystemNumaProximityNodeInformation, &numaProximityMap, sizeof(SYSTEM_NUMA_PROXIMITY_MAP), NULL ); if (NT_SUCCESS(status)) { *NodeNumber = numaProximityMap.NodeNumber; } return status; } DECLSPEC_GUARDNOCF static NTSTATUS PhpSetInformationVirtualMemory( _In_ HANDLE ProcessHandle, _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, _In_ ULONG_PTR NumberOfEntries, _In_reads_(NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses, _In_reads_bytes_(VmInformationLength) PVOID VmInformation, _In_ ULONG VmInformationLength ) { assert(NtSetInformationVirtualMemory_Import()); // // Our custom loader logic creates chicken and egg problem. To register // valid CFG call targets, we need access to NtSetInformationVirtualMemory, // but that function itself cannot be marked as a valid target until it has // been imported. Here we wrap the call in a routine that disables CFG. // return NtSetInformationVirtualMemory_Import()( ProcessHandle, VmInformationClass, NumberOfEntries, VirtualAddresses, VmInformation, VmInformationLength ); } // rev from PrefetchVirtualMemory (dmex) /** * Provides an efficient mechanism to bring into memory potentially discontiguous virtual address ranges in a process address space. * * \param ProcessHandle A handle to the process whose virtual address ranges are to be prefetched. * \param NumberOfEntries Number of entries in the array pointed to by the VirtualAddresses parameter. * \param VirtualAddresses A pointer to an array of MEMORY_RANGE_ENTRY structures which each specify a virtual address range * to be prefetched. The virtual address ranges may cover any part of the process address space accessible by the target process. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhPrefetchVirtualMemory( _In_ HANDLE ProcessHandle, _In_ SIZE_T NumberOfEntries, _In_ PMEMORY_RANGE_ENTRY VirtualAddresses ) { NTSTATUS status; ULONG prefetchInformationFlags; if (!NtSetInformationVirtualMemory_Import()) return STATUS_PROCEDURE_NOT_FOUND; memset(&prefetchInformationFlags, 0, sizeof(prefetchInformationFlags)); status = PhpSetInformationVirtualMemory( ProcessHandle, VmPrefetchInformation, NumberOfEntries, VirtualAddresses, &prefetchInformationFlags, sizeof(prefetchInformationFlags) ); return status; } // rev from OfferVirtualMemory (dmex) //NTSTATUS PhOfferVirtualMemory( // _In_ HANDLE ProcessHandle, // _In_ PVOID VirtualAddress, // _In_ SIZE_T NumberOfBytes, // _In_ MEMORY_PAGE_PRIORITY_INFORMATION Priority // ) //{ // NTSTATUS status; // MEMORY_RANGE_ENTRY virtualMemoryRange; // ULONG virtualMemoryFlags; // // if (!NtSetInformationVirtualMemory_Import()) // return STATUS_PROCEDURE_NOT_FOUND; // // // TODO: NtQueryVirtualMemory (dmex) // // memset(&virtualMemoryRange, 0, sizeof(MEMORY_RANGE_ENTRY)); // virtualMemoryRange.VirtualAddress = VirtualAddress; // virtualMemoryRange.NumberOfBytes = NumberOfBytes; // // memset(&virtualMemoryFlags, 0, sizeof(virtualMemoryFlags)); // virtualMemoryFlags = Priority; // // status = PhpSetInformationVirtualMemory( // ProcessHandle, // VmPagePriorityInformation, // 1, // &virtualMemoryRange, // &virtualMemoryFlags, // sizeof(virtualMemoryFlags) // ); // // return status; //} // // rev from DiscardVirtualMemory (dmex) //NTSTATUS PhDiscardVirtualMemory( // _In_ HANDLE ProcessHandle, // _In_ PVOID VirtualAddress, // _In_ SIZE_T NumberOfBytes // ) //{ // NTSTATUS status; // MEMORY_RANGE_ENTRY virtualMemoryRange; // ULONG virtualMemoryFlags; // // if (!NtSetInformationVirtualMemory_Import()) // return STATUS_PROCEDURE_NOT_FOUND; // // memset(&virtualMemoryRange, 0, sizeof(MEMORY_RANGE_ENTRY)); // virtualMemoryRange.VirtualAddress = VirtualAddress; // virtualMemoryRange.NumberOfBytes = NumberOfBytes; // // memset(&virtualMemoryFlags, 0, sizeof(virtualMemoryFlags)); // // status = PhpSetInformationVirtualMemory( // ProcessHandle, // VmPagePriorityInformation, // 1, // &virtualMemoryRange, // &virtualMemoryFlags, // sizeof(virtualMemoryFlags) // ); // // return status; //} /** * Sets the priority of a range of virtual memory pages in a specified process. * * \param ProcessHandle Handle to the process whose memory pages will be modified. * \param PagePriority The priority value to assign to the memory pages. * \param VirtualAddress Pointer to the starting address of the memory region. * \param NumberOfBytes Size, in bytes, of the memory region to modify. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetVirtualMemoryPagePriority( _In_ HANDLE ProcessHandle, _In_ ULONG PagePriority, _In_ PVOID VirtualAddress, _In_ SIZE_T NumberOfBytes ) { NTSTATUS status; MEMORY_RANGE_ENTRY virtualMemoryRange; memset(&virtualMemoryRange, 0, sizeof(MEMORY_RANGE_ENTRY)); virtualMemoryRange.VirtualAddress = VirtualAddress; virtualMemoryRange.NumberOfBytes = NumberOfBytes; status = PhpSetInformationVirtualMemory( ProcessHandle, VmPagePriorityInformation, 1, &virtualMemoryRange, &PagePriority, sizeof(PagePriority) ); return status; } // rev from SetProcessValidCallTargets (dmex) //NTSTATUS PhSetProcessValidCallTarget( // _In_ HANDLE ProcessHandle, // _In_ PVOID VirtualAddress // ) //{ // NTSTATUS status; // MEMORY_BASIC_INFORMATION basicInfo; // MEMORY_RANGE_ENTRY cfgCallTargetRangeInfo; // CFG_CALL_TARGET_INFO cfgCallTargetInfo; // CFG_CALL_TARGET_LIST_INFORMATION cfgCallTargetListInfo; // ULONG numberOfEntriesProcessed = 0; // // if (!NtSetInformationVirtualMemory_Import()) // return STATUS_PROCEDURE_NOT_FOUND; // // status = NtQueryVirtualMemory( // ProcessHandle, // VirtualAddress, // MemoryBasicInformation, // &basicInfo, // sizeof(MEMORY_BASIC_INFORMATION), // NULL // ); // // if (!NT_SUCCESS(status)) // return status; // // memset(&cfgCallTargetInfo, 0, sizeof(CFG_CALL_TARGET_INFO)); // cfgCallTargetInfo.Offset = (ULONG_PTR)VirtualAddress - (ULONG_PTR)basicInfo.AllocationBase; // cfgCallTargetInfo.Flags = CFG_CALL_TARGET_VALID; // // memset(&cfgCallTargetRangeInfo, 0, sizeof(MEMORY_RANGE_ENTRY)); // cfgCallTargetRangeInfo.VirtualAddress = basicInfo.AllocationBase; // cfgCallTargetRangeInfo.NumberOfBytes = basicInfo.RegionSize; // // memset(&cfgCallTargetListInfo, 0, sizeof(CFG_CALL_TARGET_LIST_INFORMATION)); // cfgCallTargetListInfo.NumberOfEntries = 1; // cfgCallTargetListInfo.Reserved = 0; // cfgCallTargetListInfo.NumberOfEntriesProcessed = &numberOfEntriesProcessed; // cfgCallTargetListInfo.CallTargetInfo = &cfgCallTargetInfo; // // status = PhpSetInformationVirtualMemory( // ProcessHandle, // VmCfgCallTargetInformation, // 1, // &cfgCallTargetRangeInfo, // &cfgCallTargetListInfo, // sizeof(CFG_CALL_TARGET_LIST_INFORMATION) // ); // // if (status == STATUS_INVALID_PAGE_PROTECTION) // status = STATUS_SUCCESS; // // return status; //} // rev from RtlGuardGrantSuppressedCallAccess (dmex) /** * Grants suppressed call access to a specific virtual address in the target process. * * \param ProcessHandle Handle to the process in which access is to be granted. * \param VirtualAddress Pointer to the virtual address for which suppressed call access is requested. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGuardGrantSuppressedCallAccess( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress ) { NTSTATUS status; MEMORY_RANGE_ENTRY cfgCallTargetRangeInfo; CFG_CALL_TARGET_INFO cfgCallTargetInfo; CFG_CALL_TARGET_LIST_INFORMATION cfgCallTargetListInfo; ULONG numberOfEntriesProcessed = 0; if (!NtSetInformationVirtualMemory_Import()) return STATUS_PROCEDURE_NOT_FOUND; memset(&cfgCallTargetRangeInfo, 0, sizeof(MEMORY_RANGE_ENTRY)); cfgCallTargetRangeInfo.VirtualAddress = PAGE_ALIGN(VirtualAddress); cfgCallTargetRangeInfo.NumberOfBytes = PAGE_SIZE; memset(&cfgCallTargetInfo, 0, sizeof(CFG_CALL_TARGET_INFO)); cfgCallTargetInfo.Offset = BYTE_OFFSET(VirtualAddress); cfgCallTargetInfo.Flags = CFG_CALL_TARGET_VALID; memset(&cfgCallTargetListInfo, 0, sizeof(CFG_CALL_TARGET_LIST_INFORMATION)); cfgCallTargetListInfo.NumberOfEntries = 1; cfgCallTargetListInfo.Reserved = 0; cfgCallTargetListInfo.NumberOfEntriesProcessed = &numberOfEntriesProcessed; cfgCallTargetListInfo.CallTargetInfo = &cfgCallTargetInfo; status = PhpSetInformationVirtualMemory( ProcessHandle, VmCfgCallTargetInformation, 1, &cfgCallTargetRangeInfo, &cfgCallTargetListInfo, sizeof(CFG_CALL_TARGET_LIST_INFORMATION) ); if (status == STATUS_INVALID_PAGE_PROTECTION) status = STATUS_SUCCESS; return status; } // rev from RtlDisableXfgOnTarget (dmex) /** * Disables Control Flow Guard (CFG/XFG) protection on a specified memory region in a target process. * * \param ProcessHandle Handle to the target process. * \param VirtualAddress Pointer to the base address of the memory region to modify. * \return NTSTATUS code indicating success or failure of the operation. */ NTSTATUS PhDisableXfgOnTarget( _In_ HANDLE ProcessHandle, _In_ PVOID VirtualAddress ) { NTSTATUS status; PS_SYSTEM_DLL_INIT_BLOCK systemDllInitBlock; MEMORY_RANGE_ENTRY cfgCallTargetRangeInfo; CFG_CALL_TARGET_INFO cfgCallTargetInfo; CFG_CALL_TARGET_LIST_INFORMATION cfgCallTargetListInfo; ULONG numberOfEntriesProcessed = 0; if (!NtSetInformationVirtualMemory_Import()) return STATUS_PROCEDURE_NOT_FOUND; if (!NT_SUCCESS(status = PhGetSystemDllInitBlock(&systemDllInitBlock))) return status; // Check if CFG is disabled. PhGetProcessIsCFGuardEnabled(NtCurrentProcess()); if (!(systemDllInitBlock.CfgBitMap && systemDllInitBlock.CfgBitMapSize)) return STATUS_SUCCESS; memset(&cfgCallTargetRangeInfo, 0, sizeof(MEMORY_RANGE_ENTRY)); cfgCallTargetRangeInfo.VirtualAddress = PAGE_ALIGN(VirtualAddress); cfgCallTargetRangeInfo.NumberOfBytes = PAGE_SIZE; memset(&cfgCallTargetInfo, 0, sizeof(CFG_CALL_TARGET_INFO)); cfgCallTargetInfo.Offset = BYTE_OFFSET(VirtualAddress); cfgCallTargetInfo.Flags = CFG_CALL_TARGET_CONVERT_XFG_TO_CFG; memset(&cfgCallTargetListInfo, 0, sizeof(CFG_CALL_TARGET_LIST_INFORMATION)); cfgCallTargetListInfo.NumberOfEntries = 1; cfgCallTargetListInfo.Reserved = 0; cfgCallTargetListInfo.NumberOfEntriesProcessed = &numberOfEntriesProcessed; cfgCallTargetListInfo.CallTargetInfo = &cfgCallTargetInfo; status = PhpSetInformationVirtualMemory( ProcessHandle, VmCfgCallTargetInformation, 1, &cfgCallTargetRangeInfo, &cfgCallTargetListInfo, sizeof(CFG_CALL_TARGET_LIST_INFORMATION) ); if (status == STATUS_INVALID_PAGE_PROTECTION) status = STATUS_SUCCESS; return status; } /** * Retrieves information about the system compression store. * * \param[out] SystemCompressionStoreInformation A pointer to the compression store information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSystemCompressionStoreInformation( _Out_ PPH_SYSTEM_STORE_COMPRESSION_INFORMATION SystemCompressionStoreInformation ) { NTSTATUS status; SYSTEM_STORE_INFORMATION storeInfo; SM_STORE_COMPRESSION_INFORMATION_REQUEST compressionInfo; memset(&compressionInfo, 0, sizeof(SM_STORE_COMPRESSION_INFORMATION_REQUEST)); compressionInfo.Version = SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION_V1; memset(&storeInfo, 0, sizeof(SYSTEM_STORE_INFORMATION)); storeInfo.Version = SYSTEM_STORE_INFORMATION_VERSION; storeInfo.StoreInformationClass = MemCompressionInfoRequest; storeInfo.Data = &compressionInfo; storeInfo.Length = SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V1; status = NtQuerySystemInformation( SystemStoreInformation, &storeInfo, sizeof(SYSTEM_STORE_INFORMATION), NULL ); if (NT_SUCCESS(status)) { memset(SystemCompressionStoreInformation, 0, sizeof(PH_SYSTEM_STORE_COMPRESSION_INFORMATION)); SystemCompressionStoreInformation->CompressionPid = compressionInfo.CompressionPid; SystemCompressionStoreInformation->WorkingSetSize = compressionInfo.WorkingSetSize; SystemCompressionStoreInformation->TotalDataCompressed = compressionInfo.TotalDataCompressed; SystemCompressionStoreInformation->TotalCompressedSize = compressionInfo.TotalCompressedSize; SystemCompressionStoreInformation->TotalUniqueDataCompressed = compressionInfo.TotalUniqueDataCompressed; } return status; } // rev from PsmServiceExtHost!RmpMemoryMonitorEmptySystemStore (dmex) /** * Requests a trim operation on the system compression store. * This function initiates a trim request for the system's compression store, * potentially freeing up unused or unnecessary compressed memory. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSystemCompressionStoreTrimRequest( VOID ) { NTSTATUS status; SYSTEM_STORE_INFORMATION storeInfo; SM_SYSTEM_STORE_TRIM_REQUEST trimRequestInfo; PH_SYSTEM_STORE_COMPRESSION_INFORMATION compressionInfo; status = PhGetSystemCompressionStoreInformation(&compressionInfo); if (!NT_SUCCESS(status)) return status; memset(&trimRequestInfo, 0, sizeof(SM_SYSTEM_STORE_TRIM_REQUEST)); trimRequestInfo.Version = SYSTEM_STORE_TRIM_INFORMATION_VERSION_V1; trimRequestInfo.PagesToTrim = BYTES_TO_PAGES(compressionInfo.WorkingSetSize); memset(&storeInfo, 0, sizeof(SYSTEM_STORE_INFORMATION)); storeInfo.Version = SYSTEM_STORE_INFORMATION_VERSION; storeInfo.StoreInformationClass = SystemStoreTrimRequest; storeInfo.Data = &trimRequestInfo; storeInfo.Length = SYSTEM_STORE_TRIM_INFORMATION_SIZE_V1; status = NtQuerySystemInformation( SystemStoreInformation, &storeInfo, sizeof(SYSTEM_STORE_INFORMATION), NULL ); return status; } /** * Requests to set or clear high memory priority for the system compression store of a process. * * \param ProcessHandle Handle to the target process. * \param SetHighMemoryPriority TRUE to set high memory priority, FALSE to clear it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSystemCompressionStoreHighMemoryPriorityRequest( _In_ HANDLE ProcessHandle, _In_ BOOLEAN SetHighMemoryPriority ) { NTSTATUS status; SYSTEM_STORE_INFORMATION storeInfo; SM_STORE_MEMORY_PRIORITY_REQUEST memoryPriorityInfo; memset(&memoryPriorityInfo, 0, sizeof(SM_STORE_MEMORY_PRIORITY_REQUEST)); memoryPriorityInfo.Version = SYSTEM_STORE_PRIORITY_REQUEST_VERSION; memoryPriorityInfo.Flags = SYSTEM_STORE_PRIORITY_FLAG_REQUIRE_HANDLE; memoryPriorityInfo.ProcessHandle = ProcessHandle; if (SetHighMemoryPriority) { SetFlag(memoryPriorityInfo.Flags, SYSTEM_STORE_PRIORITY_FLAG_SET_PRIORITY); } memset(&storeInfo, 0, sizeof(SYSTEM_STORE_INFORMATION)); storeInfo.Version = SYSTEM_STORE_INFORMATION_VERSION; storeInfo.StoreInformationClass = StoreHighMemoryPriorityRequest; storeInfo.Data = &memoryPriorityInfo; storeInfo.Length = SYSTEM_STORE_TRIM_INFORMATION_SIZE_V1; status = NtQuerySystemInformation( SystemStoreInformation, &storeInfo, sizeof(SYSTEM_STORE_INFORMATION), NULL ); return status; } /** * Retrieves the current size limits for the working set of the virtual memory manager system cache. * * \param CacheInfo A pointer to a variable that receives the file cache information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetSystemFileCacheSize( _Out_ PSYSTEM_FILECACHE_INFORMATION CacheInfo ) { return NtQuerySystemInformation( SystemFileCacheInformationEx, CacheInfo, sizeof(SYSTEM_FILECACHE_INFORMATION), 0 ); } // rev from SetSystemFileCacheSize (MSDN) (dmex) /** * Limits the size of the working set of the virtual memory manager system cache. * * \param CacheInfo The minimum size of the file cache, in bytes. The virtual memory manager * attempts to keep at least this much memory resident in the system file cache. * \param CacheInfo The maximum size of the file cache, in bytes. The virtual memory manager * enforces this limit only if this call or a previous call to SetSystemFileCacheSize * specifies FILE_CACHE_MAX_HARD_ENABLE. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetSystemFileCacheSize( _In_ SIZE_T MinimumFileCacheSize, _In_ SIZE_T MaximumFileCacheSize, _In_ ULONG Flags ) { NTSTATUS status; SYSTEM_FILECACHE_INFORMATION cacheInfo; memset(&cacheInfo, 0, sizeof(SYSTEM_FILECACHE_INFORMATION)); cacheInfo.MinimumWorkingSet = MinimumFileCacheSize; cacheInfo.MaximumWorkingSet = MaximumFileCacheSize; cacheInfo.Flags = Flags; status = NtSetSystemInformation( SystemFileCacheInformationEx, &cacheInfo, sizeof(SYSTEM_FILECACHE_INFORMATION) ); return status; } /** * Creates an event object, sets the initial state of the event to the specified value, * and opens a handle to the object with the specified desired access. * * \param EventHandle A pointer to a variable that receives the event object handle. * \param DesiredAccess The access mask that specifies the requested access to the event object. * \param EventType The type of the event, which can be SynchronizationEvent or a NotificationEvent. * \param InitialState The initial state of the event object. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateEvent( _Out_ PHANDLE EventHandle, _In_ ACCESS_MASK DesiredAccess, _In_ EVENT_TYPE EventType, _In_ BOOLEAN InitialState ) { NTSTATUS status; HANDLE eventHandle; OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); status = NtCreateEvent( &eventHandle, DesiredAccess, &objectAttributes, EventType, InitialState ); if (NT_SUCCESS(status)) { *EventHandle = eventHandle; } return status; } /** * Sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation. * * \param DeviceHandle A handle to the device on which the operation is to be performed. * \param IoControlCode The control code for the operation. This value identifies the specific operation to be performed and the type of device on which to perform it. * \param InputBuffer A pointer to the input buffer that contains the data required to perform the operation. * \param InputBufferLength The size of the input buffer, in bytes. * \param OutputBuffer A pointer to the output buffer that is to receive the data returned by the operation. * \param OutputBufferLength The size of the output buffer, in bytes. * \param ReturnLength A pointer to a variable that receives the size of the data stored in the output buffer, in bytes. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDeviceIoControlFile( _In_ HANDLE DeviceHandle, _In_ ULONG IoControlCode, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_to_opt_(OutputBufferLength, *ReturnLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; if (DEVICE_TYPE_FROM_CTL_CODE(IoControlCode) == FILE_DEVICE_FILE_SYSTEM) { status = NtFsControlFile( DeviceHandle, NULL, NULL, NULL, &ioStatusBlock, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength ); } else { status = NtDeviceIoControlFile( DeviceHandle, NULL, NULL, NULL, &ioStatusBlock, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength ); } if (status == STATUS_PENDING) { status = NtWaitForSingleObject(DeviceHandle, FALSE, NULL); if (NT_SUCCESS(status)) { status = ioStatusBlock.Status; } } if (ReturnLength) { *ReturnLength = (ULONG)ioStatusBlock.Information; } return status; } // rev from RtlpWow64SelectSystem32PathInternal (dmex) /** * Selects the appropriate System32 path for the specified machine architecture. * * \param Machine The machine architecture identifier (e.g., IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_I386). * \param IncludePathSeperator If TRUE, appends a path separator to the returned path. * \param SystemPath A pointer to a PPH_STRINGREF that receives the selected System32 path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhWow64SelectSystem32Path( _In_ USHORT Machine, _In_ BOOLEAN IncludePathSeperator, _Out_ PPH_STRINGREF SystemPath ) { PWSTR WithSeperators; PWSTR WithoutSeperators; if (Machine != IMAGE_FILE_MACHINE_TARGET_HOST) { switch (Machine) { case IMAGE_FILE_MACHINE_I386: WithoutSeperators = L"SysWOW64"; WithSeperators = L"\\SysWOW64\\"; goto CreateResult; case IMAGE_FILE_MACHINE_ARMNT: WithoutSeperators = L"SysArm32"; WithSeperators = L"\\SysArm32\\"; goto CreateResult; case IMAGE_FILE_MACHINE_CHPE_X86: WithoutSeperators = L"SyChpe32"; WithSeperators = L"\\SyChpe32\\"; goto CreateResult; } if (Machine != IMAGE_FILE_MACHINE_AMD64 && Machine != IMAGE_FILE_MACHINE_ARM64) return STATUS_INVALID_PARAMETER; } WithSeperators = L"\\System32\\"; WithoutSeperators = L"System32"; CreateResult: if (!IncludePathSeperator) WithSeperators = WithoutSeperators; PhInitializeStringRefLongHint(SystemPath, WithSeperators); // RtlInitUnicodeString return STATUS_SUCCESS; } /** * Retrieves information about a range of pages within the virtual address space of a specified process. * * \param ProcessHandle A handle to a process. * \param Callback A callback function which is executed for each memory region. * \param Context A user-defined value to pass to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumVirtualMemory( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_MEMORY_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status = STATUS_SUCCESS; PVOID baseAddress; MEMORY_BASIC_INFORMATION basicInfo; baseAddress = (PVOID)0; while (TRUE) { status = NtQueryVirtualMemory( ProcessHandle, baseAddress, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ); if (!NT_SUCCESS(status)) break; if (basicInfo.State & MEM_FREE) { basicInfo.AllocationBase = basicInfo.BaseAddress; basicInfo.AllocationProtect = basicInfo.Protect; } status = Callback(ProcessHandle, &basicInfo, Context); if (!NT_SUCCESS(status)) break; baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize); if ((ULONG_PTR)baseAddress >= PhSystemBasicInformation.MaximumUserModeAddress) break; } return status; } /** * Retrieves information about a range of pages within the virtual address space of a specified process in batches for improved performance. * * \param ProcessHandle A handle to a process. * \param BaseAddress The base address at which to begin retrieving information. * \param BulkQuery A boolean indicating the mode of bulk query (accuracy vs reliability). * \param Callback A callback function which is executed for each memory region. * \param Context A user-defined value to pass to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumVirtualMemoryBulk( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ BOOLEAN BulkQuery, _In_ PPH_ENUM_MEMORY_BULK_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; if (PhIsExecutingInWow64()) { return STATUS_NOT_SUPPORTED; } if (!NtPssCaptureVaSpaceBulk_Import()) { return STATUS_NOT_SUPPORTED; } // BulkQuery... TRUE: // * Faster. // * More accurate snapshots. // * Copies the entire VA space into local memory. // * Wastes large amounts of heap memory due to buffer doubling. // * Unsuitable for low-memory situations and fails with insufficient system resources. // * ... // // BulkQuery... FALSE: // * Slightly slower. // * Slightly less accurate snapshots. // * Does not copy the VA space. // * Does not waste heap memory. // * Suitable for low-memory situations and doesn't fail with insufficient system resources. // * ... if (BulkQuery) { SIZE_T bufferLength; PNTPSS_MEMORY_BULK_INFORMATION buffer; PMEMORY_BASIC_INFORMATION information; bufferLength = sizeof(NTPSS_MEMORY_BULK_INFORMATION) + sizeof(MEMORY_BASIC_INFORMATION[20]); buffer = PhAllocate(bufferLength); buffer->QueryFlags = MEMORY_BULK_INFORMATION_FLAG_BASIC; // Allocate a large buffer and copy all entries. while ((status = NtPssCaptureVaSpaceBulk_Import()( ProcessHandle, BaseAddress, buffer, bufferLength, NULL )) == STATUS_MORE_ENTRIES) { PhFree(buffer); bufferLength *= 2; if (bufferLength > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferLength); buffer->QueryFlags = MEMORY_BULK_INFORMATION_FLAG_BASIC; } if (NT_SUCCESS(status)) { // Skip the enumeration header. information = PTR_ADD_OFFSET(buffer, RTL_SIZEOF_THROUGH_FIELD(NTPSS_MEMORY_BULK_INFORMATION, NextValidAddress)); // Execute the callback. Callback(ProcessHandle, information, buffer->NumberOfEntries, Context); } PhFree(buffer); } else { UCHAR stackBuffer[sizeof(NTPSS_MEMORY_BULK_INFORMATION) + sizeof(MEMORY_BASIC_INFORMATION[20])]; SIZE_T bufferLength; PNTPSS_MEMORY_BULK_INFORMATION buffer; PMEMORY_BASIC_INFORMATION information; bufferLength = sizeof(stackBuffer); buffer = (PNTPSS_MEMORY_BULK_INFORMATION)stackBuffer; buffer->QueryFlags = MEMORY_BULK_INFORMATION_FLAG_BASIC; buffer->NextValidAddress = BaseAddress; while (TRUE) { // Get a batch of entries. status = NtPssCaptureVaSpaceBulk_Import()( ProcessHandle, buffer->NextValidAddress, buffer, bufferLength, NULL ); if (!NT_SUCCESS(status)) break; // Skip the enumeration header. information = PTR_ADD_OFFSET(buffer, RTL_SIZEOF_THROUGH_FIELD(NTPSS_MEMORY_BULK_INFORMATION, NextValidAddress)); // Execute the callback. if (!NT_SUCCESS(Callback(ProcessHandle, information, buffer->NumberOfEntries, Context))) break; // Get the next batch. if (status != STATUS_MORE_ENTRIES) break; } } return status; } /** * Retrieves information about the pages currently added to the working set of the specified process. * * \param ProcessHandle A handle to a process. * \param Callback A callback function which is executed for each memory page. * \param Context A user-defined value to pass to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumVirtualMemoryPages( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_MEMORY_PAGE_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PMEMORY_WORKING_SET_INFORMATION pageInfo; status = PhGetProcessWorkingSetInformation( ProcessHandle, &pageInfo ); if (NT_SUCCESS(status)) { status = Callback( ProcessHandle, pageInfo->NumberOfEntries, pageInfo->WorkingSetInfo, Context ); //for (ULONG_PTR i = 0; i < pageInfo->NumberOfEntries; i++) //{ // PMEMORY_WORKING_SET_BLOCK workingSetBlock = &pageInfo->WorkingSetInfo[i]; // PVOID virtualAddress = (PVOID)(workingSetBlock->VirtualPage << PAGE_SHIFT); //} PhFree(pageInfo); } return status; } /** * Retrieves extended information about memory pages in the working set * of the specified process, beginning at a given virtual address. * * \param[in] ProcessHandle A handle to the target process. * \param[in] BaseAddress The starting virtual address from which page information should be queried. * \param[in] Size The total size, in bytes, of the address range to examine. * \param[in] Callback A user-supplied callback invoked once for each page in the range. * \param[in] Context A user-defined value passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumVirtualMemoryAttributes( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T Size, _In_ PPH_ENUM_MEMORY_ATTRIBUTE_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status = STATUS_SUCCESS; SIZE_T numberOfPages; ULONG_PTR virtualAddress; PMEMORY_WORKING_SET_EX_INFORMATION info; SIZE_T i; numberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES(BaseAddress, Size); virtualAddress = (ULONG_PTR)PAGE_ALIGN(BaseAddress); if (!numberOfPages) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } info = PhAllocatePage(numberOfPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION), NULL); if (!info) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } for (i = 0; i < numberOfPages; i++) { info[i].VirtualAddress = (PVOID)virtualAddress; virtualAddress += PAGE_SIZE; } status = NtQueryVirtualMemory( ProcessHandle, NULL, MemoryWorkingSetExInformation, info, numberOfPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION), NULL ); if (NT_SUCCESS(status)) { status = Callback( ProcessHandle, BaseAddress, Size, numberOfPages, info, Context ); } PhFreePage(info); CleanupExit: return status; } /** * Retrieves information about the state of the kernel debugger. * * \param[out] KernelDebuggerEnabled Optional. Receives a BOOLEAN value that indicates whether the kernel debugger is enabled. * \param[out] KernelDebuggerPresent Optional. Receives a BOOLEAN value that indicates whether the kernel debugger is present. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetKernelDebuggerInformation( _Out_opt_ PBOOLEAN KernelDebuggerEnabled, _Out_opt_ PBOOLEAN KernelDebuggerPresent ) { NTSTATUS status; SYSTEM_KERNEL_DEBUGGER_INFORMATION debugInfo; status = NtQuerySystemInformation( SystemKernelDebuggerInformation, &debugInfo, sizeof(SYSTEM_KERNEL_DEBUGGER_INFORMATION), NULL ); if (NT_SUCCESS(status)) { if (KernelDebuggerEnabled) *KernelDebuggerEnabled = debugInfo.KernelDebuggerEnabled; if (KernelDebuggerPresent) *KernelDebuggerPresent = !debugInfo.KernelDebuggerNotPresent; } return status; } // rev from BasepIsDebugPortPresent (dmex) /** * Checks if a debug port is present for the current process. * \return TRUE if a debug port is detected, otherwise FALSE. */ BOOLEAN PhIsDebugPortPresent( VOID ) { BOOLEAN isBeingDebugged; if (NT_SUCCESS(PhGetProcessIsBeingDebugged(NtCurrentProcess(), &isBeingDebugged))) { if (isBeingDebugged) { return TRUE; } } return FALSE; } // rev from IsDebuggerPresent (dmex) /** * Determines whether the calling process is being debugged by a user-mode debugger. * * \return TRUE if the current process is running in the context of a debugger, otherwise the return value is FALSE. */ BOOLEAN PhIsDebuggerPresent( VOID ) { #ifdef PHNT_NATIVE_DEBUGGER return !!IsDebuggerPresent(); #else return NtCurrentPeb()->BeingDebugged; #endif } // rev from GetFileType (dmex) /** * Retrieves the type of the specified file handle. * * \param ProcessHandle A handle to the process. * \param FileHandle A handle to the file. * \param DeviceType The type of the specified file * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetDeviceType( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _Out_ DEVICE_TYPE* DeviceType ) { NTSTATUS status; FILE_FS_DEVICE_INFORMATION debugInfo; IO_STATUS_BLOCK isb; status = PhQueryVolumeInformationFile( ProcessHandle, FileHandle, FileFsDeviceInformation, &debugInfo, sizeof(FILE_FS_DEVICE_INFORMATION), &isb ); if (NT_SUCCESS(status)) { *DeviceType = debugInfo.DeviceType; } return status; } /** * Checks if the specified file name is an App Execution Alias target. * * \param FileName A pointer to a PPH_STRING structure containing the file name to check. * \return TRUE if the file name is an App Execution Alias target, FALSE otherwise. */ BOOLEAN PhIsAppExecutionAliasTarget( _In_ PPH_STRING FileName ) { PPH_STRING targetFileName = NULL; PREPARSE_DATA_BUFFER reparseBuffer; ULONG reparseLength; HANDLE fileHandle; IO_STATUS_BLOCK isb; if (PhIsNullOrEmptyString(FileName)) return FALSE; if (!NT_SUCCESS(PhCreateFileWin32( &fileHandle, PhGetString(FileName), FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_REPARSE_POINT ))) { return FALSE; } reparseLength = MAXIMUM_REPARSE_DATA_BUFFER_SIZE; reparseBuffer = PhAllocateZero(reparseLength); if (NT_SUCCESS(NtFsControlFile( fileHandle, NULL, NULL, NULL, &isb, FSCTL_GET_REPARSE_POINT, NULL, 0, reparseBuffer, reparseLength ))) { if ( IsReparseTagMicrosoft(reparseBuffer->ReparseTag) && reparseBuffer->ReparseTag == IO_REPARSE_TAG_APPEXECLINK ) { PCWSTR string; string = (PCWSTR)reparseBuffer->AppExecLinkReparseBuffer.StringList; for (ULONG i = 0; i < reparseBuffer->AppExecLinkReparseBuffer.StringCount; i++) { if (i == 2 && PhDoesFileExistWin32(string)) { targetFileName = PhCreateString(string); break; } string += PhCountStringZ(string) + 1; } } } PhFree(reparseBuffer); NtClose(fileHandle); if (targetFileName) { if (PhDoesFileExistWin32(targetFileName->Buffer)) { PhDereferenceObject(targetFileName); return TRUE; } PhDereferenceObject(targetFileName); } return FALSE; } /** * Enumerates the enclaves of a process. * * \param ProcessHandle Handle to the process whose enclaves are to be enumerated. * \param LdrEnclaveList Pointer to the process's loader enclave list. * \param Callback Callback function to be called for each enclave found. * \param Context Optional context to be passed to the callback function. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumProcessEnclaves( _In_ HANDLE ProcessHandle, _In_ PVOID LdrEnclaveList, _In_ PPH_ENUM_PROCESS_ENCLAVES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; LIST_ENTRY enclaveList; LDR_SOFTWARE_ENCLAVE enclave; status = PhReadVirtualMemory( ProcessHandle, LdrEnclaveList, &enclaveList, sizeof(LIST_ENTRY), NULL ); if (!NT_SUCCESS(status)) return status; for (PLIST_ENTRY link = enclaveList.Flink; link != LdrEnclaveList; link = enclave.Links.Flink) { PVOID enclaveAddress; enclaveAddress = CONTAINING_RECORD(link, LDR_SOFTWARE_ENCLAVE, Links); status = PhReadVirtualMemory( ProcessHandle, link, &enclave, sizeof(enclave), NULL ); if (!NT_SUCCESS(status)) return status; if (!Callback(ProcessHandle, enclaveAddress, &enclave, Context)) break; } return status; } #ifdef _M_ARM64 // rev from ntdll!RtlEcContextToNativeContext (jxy-s) VOID PhEcContextToNativeContext( _Out_ PCONTEXT Context, _In_ PARM64EC_NT_CONTEXT EcContext ) { Context->ContextFlags = 0; //#define CONTEXT_AMD64 0x00100000L //#define CONTEXT_CONTROL (CONTEXT_AMD64 | 0x00000001L) if (BooleanFlagOn(EcContext->ContextFlags, 0x00100000L | 0x00000001L)) SetFlag(Context->ContextFlags, CONTEXT_CONTROL); //#define CONTEXT_INTEGER (CONTEXT_AMD64 | 0x00000002L) if (BooleanFlagOn(EcContext->ContextFlags, 0x00100000L | 0x00000002L)) SetFlag(Context->ContextFlags, CONTEXT_INTEGER); //#define CONTEXT_FLOATING_POINT (CONTEXT_AMD64 | 0x00000008L) if (BooleanFlagOn(EcContext->ContextFlags, 0x00100000L | 0x00000008L)) SetFlag(Context->ContextFlags, CONTEXT_FLOATING_POINT); SetFlag(Context->ContextFlags, EcContext->ContextFlags & ( CONTEXT_EXCEPTION_ACTIVE | CONTEXT_SERVICE_ACTIVE | CONTEXT_EXCEPTION_REQUEST | CONTEXT_EXCEPTION_REPORTING )); Context->Cpsr = (EcContext->AMD64_EFlags & 0x00000100); // Overflow Flag Context->Cpsr |= ((EcContext->AMD64_EFlags & 0x00000800) << 4); // Direction Flag Context->Cpsr |= ((EcContext->AMD64_EFlags & 0xFFFFFFC0) << 7); // Other Flags Context->Cpsr |= ((EcContext->AMD64_EFlags & 0x00000001) << 5); // Carry Flag Context->Cpsr <<= 13; Context->X0 = EcContext->X0; Context->X2 = EcContext->X2; Context->X4 = EcContext->X4; Context->X6 = EcContext->X6; Context->X7 = EcContext->X7; Context->X8 = EcContext->X8; Context->X9 = EcContext->X9; Context->X10 = EcContext->X10; Context->X11 = EcContext->X11; Context->X12 = EcContext->X12; Context->X14 = 0; Context->X15 = EcContext->X15; Context->X16 = EcContext->X16_0; Context->X16 |= ((ULONG64)EcContext->X16_1 << 16); Context->X16 |= ((ULONG64)EcContext->X16_2 << 32); Context->X16 |= ((ULONG64)EcContext->X16_3 << 48); Context->X17 = EcContext->X17_0; Context->X17 |= ((ULONG64)EcContext->X17_1 << 16); Context->X17 |= ((ULONG64)EcContext->X17_2 << 32); Context->X17 |= ((ULONG64)EcContext->X17_3 << 48); Context->X19 = EcContext->X19; Context->X21 = EcContext->X21; Context->X23 = 0; Context->X25 = EcContext->X25; Context->X27 = EcContext->X27; Context->Fp = EcContext->Fp; Context->Lr = EcContext->Lr; Context->Sp = EcContext->Sp; Context->Pc = EcContext->Pc; Context->V[0] = EcContext->V[0]; Context->V[1] = EcContext->V[1]; Context->V[2] = EcContext->V[2]; Context->V[3] = EcContext->V[3]; Context->V[4] = EcContext->V[4]; Context->V[5] = EcContext->V[5]; Context->V[6] = EcContext->V[6]; Context->V[7] = EcContext->V[7]; Context->V[8] = EcContext->V[8]; Context->V[9] = EcContext->V[9]; Context->V[10] = EcContext->V[10]; Context->V[11] = EcContext->V[11]; Context->V[12] = EcContext->V[12]; Context->V[13] = EcContext->V[13]; Context->V[14] = EcContext->V[14]; Context->V[15] = EcContext->V[15]; RtlZeroMemory(&Context->V[16], sizeof(ARM64_NT_NEON128)); Context->Fpcr = (EcContext->AMD64_MxCsr & 0x00000080) == 0; // IM: Invalid Operation Mask Context->Fpcr |= ((EcContext->AMD64_MxCsr & 0x00000200) == 0) << 1; // ZM: Divide-by-Zero Mask Context->Fpcr |= ((EcContext->AMD64_MxCsr & 0x00000400) == 0) << 2; // OM: Overflow Mask Context->Fpcr |= ((EcContext->AMD64_MxCsr & 0x00000800) == 0) << 3; // UM: Underflow Mask Context->Fpcr |= ((EcContext->AMD64_MxCsr & 0x00001000) == 0) << 4; // PM: Precision Mask Context->Fpcr |= (EcContext->AMD64_MxCsr & 0x00000040) << 5; // DAZ: Denormals Are Zero Mask Context->Fpcr |= ((EcContext->AMD64_MxCsr & 0x00000100) == 0) << 7; // DM: Denormal Operation Mask Context->Fpcr |= (EcContext->AMD64_MxCsr & 0x00002000); // FZ: Flush to Zero Mask Context->Fpcr |= (EcContext->AMD64_MxCsr & 0x0000C000); // RC: Rounding Control Context->Fpcr <<= 8; Context->Fpsr = EcContext->AMD64_MxCsr & 1; // IE: Invalid Operation Flag Context->Fpsr |= (EcContext->AMD64_MxCsr & 2) << 6; // DE: Denormal Flag Context->Fpsr |= (EcContext->AMD64_MxCsr >> 1) & 0x1E; // ZE | OE | UE | PE: Zero, Overflow, Underflow, Precision Flags RtlZeroMemory(Context->Bcr, sizeof(Context->Bcr)); RtlZeroMemory(Context->Bvr, sizeof(Context->Bvr)); RtlZeroMemory(Context->Wcr, sizeof(Context->Wcr)); RtlZeroMemory(Context->Wvr, sizeof(Context->Wvr)); } // rev from ntdll!RtlNativeContextToEcContext (jxy-s) VOID PhNativeContextToEcContext( _When_(InitializeEc, _Out_) _When_(!InitializeEc, _Inout_) PARM64EC_NT_CONTEXT EcContext, _In_ PCONTEXT Context, _In_ BOOLEAN InitializeEc ) { if (InitializeEc) { EcContext->ContextFlags = 0; //#define CONTEXT_AMD64 0x00100000L //#define CONTEXT_CONTROL (CONTEXT_AMD64 | 0x00000001L) if (BooleanFlagOn(Context->ContextFlags, CONTEXT_CONTROL)) SetFlag(EcContext->ContextFlags, (0x00100000L | 0x00000001L)); //#define CONTEXT_INTEGER (CONTEXT_AMD64 | 0x00000002L) if (BooleanFlagOn(Context->ContextFlags, CONTEXT_INTEGER)) SetFlag(EcContext->ContextFlags, (0x00100000L | 0x00000002L)); //#define CONTEXT_FLOATING_POINT (CONTEXT_AMD64 | 0x00000008L) if (BooleanFlagOn(Context->ContextFlags, CONTEXT_FLOATING_POINT)) SetFlag(EcContext->ContextFlags, (0x00100000L | 0x00000008L)); EcContext->AMD64_P1Home = 0; EcContext->AMD64_P2Home = 0; EcContext->AMD64_P3Home = 0; EcContext->AMD64_P4Home = 0; EcContext->AMD64_P5Home = 0; EcContext->AMD64_P6Home = 0; EcContext->AMD64_Dr0 = 0; EcContext->AMD64_Dr1 = 0; EcContext->AMD64_Dr3 = 0; EcContext->AMD64_Dr6 = 0; EcContext->AMD64_Dr7 = 0; EcContext->AMD64_MxCsr_copy = 0; EcContext->AMD64_SegCs = 0x0033; EcContext->AMD64_SegDs = 0x002B; EcContext->AMD64_SegEs = 0x002B; EcContext->AMD64_SegFs = 0x0053; EcContext->AMD64_SegGs = 0x002B; EcContext->AMD64_SegSs = 0x002B; EcContext->AMD64_ControlWord = 0; EcContext->AMD64_StatusWord = 0; EcContext->AMD64_TagWord = 0; EcContext->AMD64_Reserved1 = 0; EcContext->AMD64_ErrorOpcode = 0; EcContext->AMD64_ErrorOffset = 0; EcContext->AMD64_ErrorSelector = 0; EcContext->AMD64_Reserved2= 0; EcContext->AMD64_DataOffset = 0; EcContext->AMD64_DataSelector = 0; EcContext->AMD64_Reserved3 = 0; EcContext->AMD64_MxCsr = 0; EcContext->AMD64_MxCsr_Mask = 0; EcContext->AMD64_St0_Reserved1 = 0; EcContext->AMD64_St0_Reserved2 = 0; EcContext->AMD64_St1_Reserved1 = 0; EcContext->AMD64_St1_Reserved2 = 0; EcContext->AMD64_St2_Reserved1 = 0; EcContext->AMD64_St2_Reserved2 = 0; EcContext->AMD64_St3_Reserved1 = 0; EcContext->AMD64_St3_Reserved2 = 0; EcContext->AMD64_St4_Reserved1 = 0; EcContext->AMD64_St4_Reserved2 = 0; EcContext->AMD64_St5_Reserved1 = 0; EcContext->AMD64_St5_Reserved2 = 0; EcContext->AMD64_St6_Reserved1 = 0; EcContext->AMD64_St6_Reserved2 = 0; EcContext->AMD64_St7_Reserved1 = 0; EcContext->AMD64_St7_Reserved2 = 0; EcContext->AMD64_EFlags = 0x202; // IF(EI) | RESERVED_1(always set) } EcContext->ContextFlags &= 0x7ffffffff; SetFlag(EcContext->ContextFlags, Context->ContextFlags & ( CONTEXT_EXCEPTION_ACTIVE | CONTEXT_SERVICE_ACTIVE | CONTEXT_EXCEPTION_REQUEST | CONTEXT_EXCEPTION_REPORTING )); EcContext->AMD64_MxCsr_copy &= 0xFFFF0000; EcContext->AMD64_MxCsr_copy |= (Context->Fpsr & 0x00000080) >> 6; // IM: Invalid Operation Mask EcContext->AMD64_MxCsr_copy |= (Context->Fpcr & 0x00400000) >> 8; // ZM: Divide-by-Zero Mask EcContext->AMD64_MxCsr_copy |= (Context->Fpcr & 0x01000000) >> 9; // OM: Overflow Mask EcContext->AMD64_MxCsr_copy |= (Context->Fpcr & 0x00080000) >> 7; // UM: Underflow Mask EcContext->AMD64_MxCsr_copy |= (Context->Fpcr & 0x00800000) >> 7; // PM: Precision Mask EcContext->AMD64_MxCsr_copy |= (Context->Fpsr & 0x0000001E) << 1; // Other Flags EcContext->AMD64_MxCsr_copy |= ((Context->Fpcr & 0x00000100) == 0) << 7; // DAZ: Denormals Are Zeros EcContext->AMD64_MxCsr_copy |= ((Context->Fpcr & 0x00008000) == 0) << 8; // DM: Denormal Operation Mask EcContext->AMD64_MxCsr_copy |= ((Context->Fpcr & 0x00000200) == 0) << 9; // FZ: Flush to Zero EcContext->AMD64_MxCsr_copy |= ((Context->Fpcr & 0x00000400) == 0) << 10; // RC: Rounding Control EcContext->AMD64_MxCsr_copy |= ((Context->Fpcr & 0x00000800) == 0) << 11; // RC: Rounding Control EcContext->AMD64_MxCsr_copy |= ((Context->Fpcr & 0x00001000) == 0) << 12; // RC: Rounding Control EcContext->AMD64_MxCsr_copy |= Context->Fpsr & 0x00000001; EcContext->AMD64_EFlags &= 0xFFFFF63E; EcContext->AMD64_EFlags |= ((Context->Cpsr & 0x200000) >> 13); // Overflow Flag EcContext->AMD64_EFlags |= ((Context->Cpsr & 0x10000000) >> 17); // Direction Flag EcContext->AMD64_EFlags |= (((Context->Cpsr >> 5) & 0x1000000) >> 20); // Carry Flag EcContext->AMD64_EFlags |= ((Context->Cpsr & 0xC0FFFFFF) >> 20); // Other Flags EcContext->Pc = Context->Pc; EcContext->X8 = Context->X8; EcContext->X0 = Context->X0; EcContext->X1 = Context->X1; EcContext->X27 = Context->X27; EcContext->Sp = Context->Sp; EcContext->Fp = Context->Fp; EcContext->X25 = Context->X25; EcContext->X26 = Context->X26; EcContext->X2 = Context->X2; EcContext->X3 = Context->X3; EcContext->X4 = Context->X4; EcContext->X5 = Context->X5; EcContext->X19 = Context->X19; EcContext->X20 = Context->X20; EcContext->X21 = Context->X21; EcContext->X22 = Context->X22; EcContext->Lr = Context->Lr; EcContext->X16_0 = LOWORD(Context->X16); EcContext->X6 = Context->X6; EcContext->X16_1 = HIWORD(Context->X16); EcContext->X7 = Context->X7; EcContext->X16_2 = LOWORD(Context->X16 >> 32); EcContext->X9 = Context->X9; EcContext->X16_3 = HIWORD(Context->X16 >> 32); EcContext->X10 = Context->X10; EcContext->X17_0 = LOWORD(Context->X17); EcContext->X11 = Context->X11; EcContext->X17_1 = HIWORD(Context->X17); EcContext->X12 = Context->X12; EcContext->X17_2 = LOWORD(Context->X17 >> 32); EcContext->X15 = Context->X15; EcContext->X17_3 = HIWORD(Context->X17 >> 32); EcContext->V[0] = Context->V[0]; EcContext->V[1] = Context->V[1]; EcContext->V[2] = Context->V[2]; EcContext->V[3] = Context->V[3]; EcContext->V[4] = Context->V[4]; EcContext->V[5] = Context->V[5]; EcContext->V[6] = Context->V[6]; EcContext->V[7] = Context->V[7]; EcContext->V[8] = Context->V[8]; EcContext->V[9] = Context->V[9]; EcContext->V[10] = Context->V[10]; EcContext->V[11] = Context->V[11]; EcContext->V[12] = Context->V[12]; EcContext->V[13] = Context->V[13]; EcContext->V[14] = Context->V[14]; EcContext->V[15] = Context->V[15]; } // rev from ntdll!RtlIsEcCode (jxy-s) NTSTATUS PhIsEcCode( _In_ HANDLE ProcessHandle, _In_ PVOID CodePointer, _Out_ PBOOLEAN IsEcCode ) { NTSTATUS status; PVOID pebBaseAddress; PVOID ecCodeBitMap; ULONG64 bitmap; *IsEcCode = FALSE; // hack (jxy-s) // 0x00007ffffffeffff = LdrpEcBitmapData.HighestAddress (MmHighestUserAddress) // 0x0000000000010000 = MM_LOWEST_USER_ADDRESS if ((ULONG_PTR)CodePointer > 0x00007ffffffeffff || (ULONG_PTR)CodePointer < 0x0000000000010000) return STATUS_INVALID_PARAMETER_2; if (!NT_SUCCESS(status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, FIELD_OFFSET(PEB, EcCodeBitMap)), &ecCodeBitMap, sizeof(PVOID), NULL ))) return status; if (!ecCodeBitMap) return STATUS_INVALID_PARAMETER_1; // each byte of bitmap indexes 8*4K = 2^15 byte span ecCodeBitMap = PTR_ADD_OFFSET(ecCodeBitMap, (ULONG_PTR)CodePointer >> 15); if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, ecCodeBitMap, &bitmap, sizeof(ULONG64), NULL ))) return status; // index to the 4k page within the 8*4K span bitmap >>= (((ULONG_PTR)CodePointer >> PAGE_SHIFT) & 7); // test the specific page if (bitmap & 1) *IsEcCode = TRUE; return STATUS_SUCCESS; } #endif /** * Retrieves the Mark of the Web (MOTW) information from a file. * * The MOTW information resides in the Zone.Identifier alternate data * stream on a file. This routine attempts to open and read this alternate data * stream and optionally returns the MOTW information. * * \param[in] FileName - File name to retrieve the MOTS information from. * \param[out] ZoneId - Optionally receives the zone identifier for the file. * \param[out] ReferrerUrl - Optionally receives the referrer URL for the file. * Can be an empty string if no referrer URL is present. * \param[out] HostUrl - Optionally receives the host URL for the file. Can be * an empty string if no referrer URL is present. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetFileMotw( _In_ PCPH_STRINGREF FileName, _Out_opt_ PPH_MOTW_ZONE_ID ZoneId, _Out_opt_ PPH_STRING* ReferrerUrl, _Out_opt_ PPH_STRING* HostUrl ) { static const PH_STRINGREF zoneIdentifierStream = PH_STRINGREF_INIT(L":Zone.Identifier"); static const PH_STRINGREF newLine = PH_STRINGREF_INIT(L"\r\n"); static const PH_STRINGREF zoneIdKey = PH_STRINGREF_INIT(L"ZoneId"); static const PH_STRINGREF referrerUrlKey = PH_STRINGREF_INIT(L"ReferrerUrl"); static const PH_STRINGREF hostUrlKey = PH_STRINGREF_INIT(L"HostUrl"); NTSTATUS status; PPH_STRING fileName; HANDLE fileHandle; ULONG zoneId = ULONG_MAX; PPH_STRING referrerUrl = NULL; PPH_STRING hostUrl = NULL; if (ZoneId) *ZoneId = PhMotwZoneIdUnknown; if (ReferrerUrl) *ReferrerUrl = NULL; if (HostUrl) *HostUrl = NULL; fileName = PhConcatStringRef2(FileName, &zoneIdentifierStream); if (NT_SUCCESS(status = PhCreateFile( &fileHandle, &fileName->sr, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { PPH_STRING fileText; if (NT_SUCCESS(status = PhGetFileText(&fileText, fileHandle, TRUE))) { PH_STRINGREF line; PH_STRINGREF remaining; PH_STRINGREF key; PH_STRINGREF value; status = STATUS_NOT_FOUND; remaining = fileText->sr; while (remaining.Length) { PhSplitStringRefAtString(&remaining, &newLine, FALSE, &line, &remaining); PhSplitStringRefAtChar(&line, L'=', &key, &value); if (!value.Length) continue; if (zoneId == ULONG_MAX && PhEqualStringRef(&key, &zoneIdKey, TRUE)) { zoneId = value.Buffer[0] - L'0'; if (zoneId > PhMotwZoneIdRestrictedSites) zoneId = PhMotwZoneIdUnknown; } else if (!referrerUrl && PhEqualStringRef(&key, &referrerUrlKey, TRUE)) { referrerUrl = PhCreateString2(&value); } else if (!hostUrl && PhEqualStringRef(&key, &hostUrlKey, TRUE)) { hostUrl = PhCreateString2(&value); } if (zoneId != ULONG_MAX && referrerUrl && hostUrl) break; } if (zoneId == ULONG_MAX) { status = STATUS_NOT_FOUND; PhClearReference(&referrerUrl); PhClearReference(&hostUrl); } else { status = STATUS_SUCCESS; if (!referrerUrl) referrerUrl = PhReferenceEmptyString(); if (!hostUrl) hostUrl = PhReferenceEmptyString(); if (ZoneId) *ZoneId = zoneId; if (ReferrerUrl) PhMoveReference(ReferrerUrl, referrerUrl); else PhClearReference(&referrerUrl); if (HostUrl) PhMoveReference(HostUrl, hostUrl); else PhClearReference(&hostUrl); } } NtClose(fileHandle); } return status; } ================================================ FILE: phlib/nativefile.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include /** * Creates or opens a file. * * \param FileHandle A variable that receives the file handle. * \param FileName The Win32 file name. * \param DesiredAccess The desired access to the file. * \param FileAttributes File attributes applied if the file is created or overwritten. * \param ShareAccess The file access granted to other threads. * \li \c FILE_SHARE_READ Allows other threads to read from the file. * \li \c FILE_SHARE_WRITE Allows other threads to write to the file. * \li \c FILE_SHARE_DELETE Allows other threads to delete the file. * \param CreateDisposition The action to perform if the file does or does not exist. * \li \c FILE_SUPERSEDE If the file exists, replace it. Otherwise, create the file. * \li \c FILE_CREATE If the file exists, fail. Otherwise, create the file. * \li \c FILE_OPEN If the file exists, open it. Otherwise, fail. * \li \c FILE_OPEN_IF If the file exists, open it. Otherwise, create the file. * \li \c FILE_OVERWRITE If the file exists, open and overwrite it. Otherwise, fail. * \li \c FILE_OVERWRITE_IF If the file exists, open and overwrite it. Otherwise, create the file. * \param CreateOptions The options to apply when the file is opened or created. */ NTSTATUS PhCreateFileWin32( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions ) { return PhCreateFileWin32Ex( FileHandle, FileName, DesiredAccess, NULL, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, NULL ); } /** * Creates or opens a file. * * \param FileHandle A variable that receives the file handle. * \param FileName The Win32 file name. * \param DesiredAccess The desired access to the file. * \param AllocationSize The initial allocation size if the file is being created, overwritten, or superseded. * \param FileAttributes File attributes applied if the file is created or overwritten. * \param ShareAccess The file access granted to other threads. * \li \c FILE_SHARE_READ Allows other threads to read from the file. * \li \c FILE_SHARE_WRITE Allows other threads to write to the file. * \li \c FILE_SHARE_DELETE Allows other threads to delete the file. * \param CreateDisposition The action to perform if the file does or does not exist. * \li \c FILE_SUPERSEDE If the file exists, replace it. Otherwise, create the file. * \li \c FILE_CREATE If the file exists, fail. Otherwise, create the file. * \li \c FILE_OPEN If the file exists, open it. Otherwise, fail. * \li \c FILE_OPEN_IF If the file exists, open it. Otherwise, create the file. * \li \c FILE_OVERWRITE If the file exists, open and overwrite it. Otherwise, fail. * \li \c FILE_OVERWRITE_IF If the file exists, open and overwrite it. Otherwise, create the file. * \param CreateOptions The options to apply when the file is opened or created. * \param CreateStatus A variable that receives creation information. * \li \c FILE_SUPERSEDED The file was replaced because \c FILE_SUPERSEDE was specified in * \a CreateDisposition. * \li \c FILE_OPENED The file was opened because \c FILE_OPEN or \c FILE_OPEN_IF was specified in * \a CreateDisposition. * \li \c FILE_CREATED The file was created because \c FILE_CREATE or \c FILE_OPEN_IF was specified * in \a CreateDisposition. * \li \c FILE_OVERWRITTEN The file was overwritten because \c FILE_OVERWRITE or * \c FILE_OVERWRITE_IF was specified in \a CreateDisposition. * \li \c FILE_EXISTS The file was not opened because it already existed and \c FILE_CREATE was * specified in \a CreateDisposition. * \li \c FILE_DOES_NOT_EXIST The file was not opened because it did not exist and \c FILE_OPEN or * \c FILE_OVERWRITE was specified in \a CreateDisposition. */ NTSTATUS PhCreateFileWin32Ex( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _Out_opt_ PULONG CreateStatus ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, NULL, 0 ); if (status == STATUS_SHARING_VIOLATION && KsiLevel() >= KphLevelMed && (DesiredAccess & KPH_FILE_READ_ACCESS) == DesiredAccess && CreateDisposition == KPH_FILE_READ_DISPOSITION) { status = KphCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK ); } RtlFreeUnicodeString(&fileName); if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } if (CreateStatus) *CreateStatus = (ULONG)ioStatusBlock.Information; return status; } NTSTATUS PhCreateFileWin32ExAlt( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ ULONG CreateFlags, _In_opt_ PLARGE_INTEGER AllocationSize, _Out_opt_ PULONG CreateStatus ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; EXTENDED_CREATE_INFORMATION extendedInfo; status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); memset(&extendedInfo, 0, sizeof(EXTENDED_CREATE_INFORMATION)); extendedInfo.ExtendedCreateFlags = CreateFlags; status = NtCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions | FILE_CONTAINS_EXTENDED_CREATE_INFORMATION, &extendedInfo, sizeof(EXTENDED_CREATE_INFORMATION) ); if (status == STATUS_SHARING_VIOLATION && KsiLevel() >= KphLevelMed && (DesiredAccess & KPH_FILE_READ_ACCESS) == DesiredAccess && CreateDisposition == KPH_FILE_READ_DISPOSITION) { status = KphCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions | FILE_CONTAINS_EXTENDED_CREATE_INFORMATION, &extendedInfo, sizeof(EXTENDED_CREATE_INFORMATION), IO_IGNORE_SHARE_ACCESS_CHECK ); } RtlFreeUnicodeString(&fileName); if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } if (CreateStatus) *CreateStatus = (ULONG)ioStatusBlock.Information; return status; } /** * Creates or opens a file. * * \param FileHandle A variable that receives the file handle. * \param FileName The Win32 file name. * \param DesiredAccess The desired access to the file. * \param FileAttributes File attributes applied if the file is created or overwritten. * \param ShareAccess The file access granted to other threads. * \li \c FILE_SHARE_READ Allows other threads to read from the file. * \li \c FILE_SHARE_WRITE Allows other threads to write to the file. * \li \c FILE_SHARE_DELETE Allows other threads to delete the file. * \param CreateDisposition The action to perform if the file does or does not exist. * \li \c FILE_SUPERSEDE If the file exists, replace it. Otherwise, create the file. * \li \c FILE_CREATE If the file exists, fail. Otherwise, create the file. * \li \c FILE_OPEN If the file exists, open it. Otherwise, fail. * \li \c FILE_OPEN_IF If the file exists, open it. Otherwise, create the file. * \li \c FILE_OVERWRITE If the file exists, open and overwrite it. Otherwise, fail. * \li \c FILE_OVERWRITE_IF If the file exists, open and overwrite it. Otherwise, create the file. * \param CreateOptions The options to apply when the file is opened or created. * \return Successful or errant status. */ NTSTATUS PhCreateFile( _Out_ PHANDLE FileHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; if (!PhStringRefToUnicodeString(FileName, &fileName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, NULL, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, NULL, 0 ); if (status == STATUS_SHARING_VIOLATION && KsiLevel() >= KphLevelMed && (DesiredAccess & KPH_FILE_READ_ACCESS) == DesiredAccess && CreateDisposition == KPH_FILE_READ_DISPOSITION) { status = KphCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, NULL, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK ); } if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } return status; } /** * Creates or opens a file. * * \param FileHandle A variable that receives the file handle. * \param FileName The Win32 file name. * \param DesiredAccess The desired access to the file. * \param RootDirectory The root object directory for the file. * \param AllocationSize The initial allocation size if the file is being created, overwritten, or superseded. * \param FileAttributes File attributes applied if the file is created or overwritten. * \param ShareAccess The file access granted to other threads. * \li \c FILE_SHARE_READ Allows other threads to read from the file. * \li \c FILE_SHARE_WRITE Allows other threads to write to the file. * \li \c FILE_SHARE_DELETE Allows other threads to delete the file. * \param CreateDisposition The action to perform if the file does or does not exist. * \li \c FILE_SUPERSEDE If the file exists, replace it. Otherwise, create the file. * \li \c FILE_CREATE If the file exists, fail. Otherwise, create the file. * \li \c FILE_OPEN If the file exists, open it. Otherwise, fail. * \li \c FILE_OPEN_IF If the file exists, open it. Otherwise, create the file. * \li \c FILE_OVERWRITE If the file exists, open and overwrite it. Otherwise, fail. * \li \c FILE_OVERWRITE_IF If the file exists, open and overwrite it. Otherwise, create the file. * \param CreateOptions The options to apply when the file is opened or created. * \param CreateStatus A variable that receives creation information. * \li \c FILE_SUPERSEDED The file was replaced because \c FILE_SUPERSEDE was specified in * \a CreateDisposition. * \li \c FILE_OPENED The file was opened because \c FILE_OPEN or \c FILE_OPEN_IF was specified in * \a CreateDisposition. * \li \c FILE_CREATED The file was created because \c FILE_CREATE or \c FILE_OPEN_IF was specified * in \a CreateDisposition. * \li \c FILE_OVERWRITTEN The file was overwritten because \c FILE_OVERWRITE or * \c FILE_OVERWRITE_IF was specified in \a CreateDisposition. * \li \c FILE_EXISTS The file was not opened because it already existed and \c FILE_CREATE was * specified in \a CreateDisposition. * \li \c FILE_DOES_NOT_EXIST The file was not opened because it did not exist and \c FILE_OPEN or * \c FILE_OVERWRITE was specified in \a CreateDisposition. * \return Successful or errant status. */ NTSTATUS PhCreateFileEx( _Out_ PHANDLE FileHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _Out_opt_ PULONG CreateStatus ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; if (!PhStringRefToUnicodeString(FileName, &fileName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, NULL, 0 ); if (status == STATUS_SHARING_VIOLATION && KsiLevel() >= KphLevelMed && (DesiredAccess & KPH_FILE_READ_ACCESS) == DesiredAccess && CreateDisposition == KPH_FILE_READ_DISPOSITION) { status = KphCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK ); } if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } if (CreateStatus) *CreateStatus = (ULONG)ioStatusBlock.Information; return status; } NTSTATUS PhOpenFileWin32( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions ) { return PhOpenFileWin32Ex( FileHandle, FileName, DesiredAccess, ShareAccess, OpenOptions, NULL ); } NTSTATUS PhOpenFileWin32Ex( _Out_ PHANDLE FileHandle, _In_ PCWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions, _Out_opt_ PULONG OpenStatus ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, ShareAccess, OpenOptions ); RtlFreeUnicodeString(&fileName); if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } if (OpenStatus) *OpenStatus = (ULONG)ioStatusBlock.Information; return status; } NTSTATUS PhOpenFile( _Out_ PHANDLE FileHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions, _Out_opt_ PULONG OpenStatus ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; if (!PhStringRefToUnicodeString(FileName, &fileName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtOpenFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, ShareAccess, OpenOptions ); if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } if (OpenStatus) { *OpenStatus = (ULONG)ioStatusBlock.Information; } return status; } // rev from OpenFileById NTSTATUS PhOpenFileById( _Out_ PHANDLE FileHandle, _In_ HANDLE VolumeHandle, _In_ PPH_FILE_ID_DESCRIPTOR FileId, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; switch (FileId->Type) { case FileIdType: { fileName.Length = sizeof(LONGLONG); fileName.MaximumLength = sizeof(LONGLONG); fileName.Buffer = (PWSTR)&FileId->FileId.QuadPart; } break; case ObjectIdType: { fileName.Length = sizeof(GUID); fileName.MaximumLength = sizeof(GUID); fileName.Buffer = (PWSTR)&FileId->ObjectId; } break; case ExtendedFileIdType: { fileName.Length = sizeof(FILE_ID_128); fileName.MaximumLength = sizeof(FILE_ID_128); fileName.Buffer = (PWSTR)&FileId->ExtendedFileId.Identifier; } break; default: return STATUS_UNSUCCESSFUL; } InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, VolumeHandle, NULL ); status = NtOpenFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, ShareAccess, OpenOptions | FILE_OPEN_BY_FILE_ID ); if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } return status; } // rev from ReOpenFile (dmex) /** * Reopens the specified file handle with different access rights, sharing mode, and flags. * Note: This function creates new FILE_OBJECTs compared to other functions simply referencing the existing object. * * \param FileHandle A variable that receives the file handle. * \param OriginalFileHandle A handle to the object to be reopened. * \param DesiredAccess The desired access to the file. * \param ShareAccess The file access granted to other threads. * \param OpenOptions The options to apply when the file is opened. * \return Successful or errant status. */ NTSTATUS PhReOpenFile( _Out_ PHANDLE FileHandle, _In_ HANDLE OriginalFileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; RtlInitEmptyUnicodeString(&fileName, NULL, 0); InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, OriginalFileHandle, NULL ); status = NtCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, NULL, 0, ShareAccess, FILE_OPEN, OpenOptions, NULL, 0 ); if (status == STATUS_SHARING_VIOLATION && KsiLevel() >= KphLevelMed && (DesiredAccess & KPH_FILE_READ_ACCESS) == DesiredAccess) { assert(KPH_FILE_READ_DISPOSITION == FILE_OPEN); status = KphCreateFile( &fileHandle, DesiredAccess, &objectAttributes, &ioStatusBlock, NULL, 0, ShareAccess, FILE_OPEN, OpenOptions, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK ); } if (NT_SUCCESS(status)) { *FileHandle = fileHandle; } return status; } NTSTATUS PhReadFile( _In_ HANDLE FileHandle, _In_ PVOID Buffer, _In_opt_ ULONG NumberOfBytesToRead, _In_opt_ PLARGE_INTEGER ByteOffset, _Out_opt_ PULONG NumberOfBytesRead ) { NTSTATUS status; IO_STATUS_BLOCK isb; status = NtReadFile( FileHandle, NULL, NULL, NULL, &isb, Buffer, NumberOfBytesToRead, ByteOffset, NULL ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) { status = isb.Status; } } if (NT_SUCCESS(status)) { if (NumberOfBytesRead) { *NumberOfBytesRead = (ULONG)isb.Information; } } return status; } NTSTATUS PhWriteFile( _In_ HANDLE FileHandle, _In_ PVOID Buffer, _In_opt_ ULONG NumberOfBytesToWrite, _In_opt_ PLARGE_INTEGER ByteOffset, _Out_opt_ PULONG NumberOfBytesWritten ) { NTSTATUS status; IO_STATUS_BLOCK isb; status = NtWriteFile( FileHandle, NULL, NULL, NULL, &isb, Buffer, NumberOfBytesToWrite, ByteOffset, NULL ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) { status = isb.Status; } } if (NT_SUCCESS(status)) { if (NumberOfBytesWritten) { *NumberOfBytesWritten = (ULONG)isb.Information; } } return status; } NTSTATUS PhEnumDirectoryFile( _In_ HANDLE FileHandle, _In_opt_ PCPH_STRINGREF SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ) { return PhEnumDirectoryFileEx( FileHandle, FileDirectoryInformation, FALSE, SearchPattern, Callback, Context ); } NTSTATUS PhEnumDirectoryFileEx( _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _In_ BOOLEAN ReturnSingleEntry, _In_opt_ PCPH_STRINGREF SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ) { NTSTATUS status; IO_STATUS_BLOCK isb; BOOLEAN firstTime = TRUE; UNICODE_STRING searchPattern; PVOID buffer; ULONG bufferSize = 0x400; ULONG i; BOOLEAN cont; if (SearchPattern) { if (!PhStringRefToUnicodeString(SearchPattern, &searchPattern)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&searchPattern, NULL, 0); } buffer = PhAllocate(bufferSize); while (TRUE) { // Query the directory, doubling the buffer each time NtQueryDirectoryFile fails. (wj32) while (TRUE) { status = NtQueryDirectoryFile( FileHandle, NULL, NULL, NULL, &isb, buffer, bufferSize, FileInformationClass, ReturnSingleEntry, &searchPattern, firstTime ); // Our ISB is on the stack, so we have to wait for the operation to complete before continuing. (wj32) if (status == STATUS_PENDING) { status = NtWaitForSingleObject(FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; buffer = PhAllocate(bufferSize); } else { break; } } // If we don't have any entries to read, exit. (wj32) if (status == STATUS_NO_MORE_FILES) { status = STATUS_SUCCESS; break; } if (!NT_SUCCESS(status)) break; // Read the batch and execute the callback function for each file. (wj32) i = 0; cont = TRUE; while (TRUE) { CONST PFILE_DIRECTORY_NEXT_INFORMATION information = PTR_ADD_OFFSET(buffer, i); if (!Callback(FileHandle, information, Context)) { cont = FALSE; break; } if (information->NextEntryOffset != 0) i += information->NextEntryOffset; else break; } if (!cont) break; firstTime = FALSE; } PhFree(buffer); return status; } /** * Queries file attributes. * * \param FileName The Win32 file name. * \param FileInformation A variable that receives the file information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryFullAttributesFileWin32( _In_ PCWSTR FileName, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ) { NTSTATUS status; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtQueryFullAttributesFile(&objectAttributes, FileInformation); RtlFreeUnicodeString(&fileName); return status; } /** * Queries file attributes. * * \param FileName The file name. * \param FileInformation A variable that receives the file information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryFullAttributesFile( _In_ PCPH_STRINGREF FileName, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ) { NTSTATUS status; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; if (!PhStringRefToUnicodeString(FileName, &fileName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtQueryFullAttributesFile(&objectAttributes, FileInformation); return status; } /** * Queries file attributes. * * \param FileName The Win32 file name. * \param FileInformation A variable that receives the file information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryAttributesFileWin32( _In_ PCWSTR FileName, _Out_ PFILE_BASIC_INFORMATION FileInformation ) { NTSTATUS status; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtQueryAttributesFile(&objectAttributes, FileInformation); RtlFreeUnicodeString(&fileName); return status; } /** * Queries file attributes. * * \param FileName The file name. * \param FileInformation A variable that receives the file information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryAttributesFile( _In_ PCPH_STRINGREF FileName, _Out_ PFILE_BASIC_INFORMATION FileInformation ) { NTSTATUS status; UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; if (!PhStringRefToUnicodeString(FileName, &fileName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtQueryAttributesFile(&objectAttributes, FileInformation); return status; } // rev from RtlDoesFileExists_U (dmex) /** * Checks whether a file exists at the specified path using Win32 APIs. * * \param FileName A pointer to a null-terminated string that specifies the path to the file. * \return Returns TRUE if the file exists, otherwise FALSE. */ BOOLEAN PhDoesFileExistWin32( _In_ PCWSTR FileName ) { NTSTATUS status; FILE_BASIC_INFORMATION basicInfo; status = PhQueryAttributesFileWin32(FileName, &basicInfo); if ( NT_SUCCESS(status) || status == STATUS_SHARING_VIOLATION || status == STATUS_ACCESS_DENIED ) { return TRUE; } return FALSE; } /** * Checks whether a file exists at the specified path. * * \param FileName A pointer to a PH_STRINGREF structure that specifies the path of the file to check. * \return TRUE if the file exists, FALSE otherwise. */ BOOLEAN PhDoesFileExist( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; FILE_BASIC_INFORMATION basicInfo; status = PhQueryAttributesFile(FileName, &basicInfo); if ( NT_SUCCESS(status) || status == STATUS_SHARING_VIOLATION || status == STATUS_ACCESS_DENIED ) { return TRUE; } return FALSE; } /** * Checks whether a directory exists at the specified path. * * \param FileName The path of the directory to check. * \return TRUE if the directory exists, FALSE otherwise. */ BOOLEAN PhDoesDirectoryExistWin32( _In_ PCWSTR FileName ) { NTSTATUS status; FILE_BASIC_INFORMATION basicInfo; status = PhQueryAttributesFileWin32(FileName, &basicInfo); if (NT_SUCCESS(status)) { if (basicInfo.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) return TRUE; } return FALSE; } /** * Checks whether a directory exists at the specified path. * * \param FileName The path of the directory to check. * \return TRUE if the directory exists, FALSE otherwise. */ BOOLEAN PhDoesDirectoryExist( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; FILE_BASIC_INFORMATION basicInfo; status = PhQueryAttributesFile(FileName, &basicInfo); if (NT_SUCCESS(status)) { if (basicInfo.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) return TRUE; } return FALSE; } // rev from RtlDetermineDosPathNameType_U (dmex) /** * Determines the type of DOS path name. * * \param FileName A reference to the file name string. * \return The type of the DOS path name. */ RTL_PATH_TYPE PhDetermineDosPathNameType( _In_ PCPH_STRINGREF FileName ) { #if defined(PHNT_USE_NATIVE_PATHTYPE) return RtlDetermineDosPathNameType_U(FileName); #else if (FileName->Buffer[0] == OBJ_NAME_PATH_SEPARATOR || FileName->Buffer[0] == OBJ_NAME_ALTPATH_SEPARATOR) { if (FileName->Buffer[1] == OBJ_NAME_PATH_SEPARATOR || FileName->Buffer[1] == OBJ_NAME_ALTPATH_SEPARATOR) { if (FileName->Buffer[2] == L'?' || FileName->Buffer[2] == L'.') { if (FileName->Buffer[3] == OBJ_NAME_PATH_SEPARATOR || FileName->Buffer[3] == OBJ_NAME_ALTPATH_SEPARATOR) return RtlPathTypeLocalDevice; if (FileName->Buffer[3] != UNICODE_NULL) return RtlPathTypeUncAbsolute; return RtlPathTypeRootLocalDevice; } return RtlPathTypeUncAbsolute; } return RtlPathTypeRooted; } else if (FileName->Buffer[0] != UNICODE_NULL && FileName->Buffer[1] == L':') { if (FileName->Buffer[2] == OBJ_NAME_PATH_SEPARATOR || FileName->Buffer[2] == OBJ_NAME_ALTPATH_SEPARATOR) return RtlPathTypeDriveAbsolute; return RtlPathTypeDriveRelative; } return RtlPathTypeRelative; #endif } /** * Deletes a file. * * \param FileName The Win32 file name. */ NTSTATUS PhDeleteFileWin32( _In_ PCWSTR FileName ) { NTSTATUS status; #if defined(PHNT_USE_NATIVE_DELETE) UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtDeleteFile(&objectAttributes); RtlFreeUnicodeString(&fileName); if (!NT_SUCCESS(status)) #endif { HANDLE fileHandle; status = PhCreateFileWin32( &fileHandle, FileName, DELETE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_DELETE_ON_CLOSE ); if (!NT_SUCCESS(status)) { if (status == STATUS_OBJECT_NAME_NOT_FOUND) status = STATUS_SUCCESS; return status; } //PhSetFileDelete(fileHandle); NtClose(fileHandle); } return status; } /** * Deletes a file. * * \param FileName The file name. */ NTSTATUS PhDeleteFile( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; #if defined(PHNT_USE_NATIVE_DELETE) UNICODE_STRING fileName; OBJECT_ATTRIBUTES objectAttributes; if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtDeleteFile(&objectAttributes); RtlFreeUnicodeString(&fileName); if (!NT_SUCCESS(status)) #endif { HANDLE fileHandle; status = PhCreateFile( &fileHandle, FileName, DELETE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_DELETE_ON_CLOSE ); if (!NT_SUCCESS(status)) { if (status == STATUS_OBJECT_NAME_NOT_FOUND) status = STATUS_SUCCESS; return status; } NtClose(fileHandle); } return status; } /** * Creates a directory path recursively. * * \param DirectoryPath The directory path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateDirectory( _In_ PCPH_STRINGREF DirectoryPath ) { PPH_STRING directoryPath; PPH_STRING directoryName; PH_STRINGREF directoryPart; PH_STRINGREF remainingPart; if (PhDoesDirectoryExist(DirectoryPath)) return STATUS_SUCCESS; directoryPath = PhGetExistingPathPrefix(DirectoryPath); if (PhIsNullOrEmptyString(directoryPath)) return STATUS_UNSUCCESSFUL; remainingPart.Length = DirectoryPath->Length - directoryPath->Length - sizeof(OBJ_NAME_PATH_SEPARATOR); remainingPart.Buffer = PTR_ADD_OFFSET(DirectoryPath->Buffer, directoryPath->Length + sizeof(OBJ_NAME_PATH_SEPARATOR)); while (remainingPart.Length != 0) { PhSplitStringRefAtChar(&remainingPart, OBJ_NAME_PATH_SEPARATOR, &directoryPart, &remainingPart); if (directoryPart.Length != 0) { directoryName = PhConcatStringRef3( &directoryPath->sr, &PhNtPathSeparatorString, &directoryPart ); if (!PhDoesDirectoryExist(&directoryName->sr)) { HANDLE directoryHandle; if (NT_SUCCESS(PhCreateFile( &directoryHandle, &directoryName->sr, FILE_LIST_DIRECTORY | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_CREATE, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_FOR_BACKUP_INTENT //| FILE_OPEN_REPARSE_POINT ))) { NtClose(directoryHandle); } } PhMoveReference(&directoryPath, directoryName); } } PhClearReference(&directoryPath); if (!PhDoesDirectoryExist(DirectoryPath)) return STATUS_NOT_FOUND; return STATUS_SUCCESS; } /** * Creates a directory path recursively. * * \param DirectoryPath The Win32 directory path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateDirectoryWin32( _In_ PCPH_STRINGREF DirectoryPath ) { PPH_STRING directoryPath; PPH_STRING directoryName; PH_STRINGREF directoryPart; PH_STRINGREF remainingPart; if (PhDoesDirectoryExistWin32(PhGetStringRefZ(DirectoryPath))) return STATUS_SUCCESS; directoryPath = PhGetExistingPathPrefixWin32(DirectoryPath); if (PhIsNullOrEmptyString(directoryPath)) return STATUS_UNSUCCESSFUL; remainingPart.Length = DirectoryPath->Length - directoryPath->Length - sizeof(OBJ_NAME_PATH_SEPARATOR); remainingPart.Buffer = PTR_ADD_OFFSET(DirectoryPath->Buffer, directoryPath->Length + sizeof(OBJ_NAME_PATH_SEPARATOR)); while (remainingPart.Length != 0) { PhSplitStringRefAtChar(&remainingPart, OBJ_NAME_PATH_SEPARATOR, &directoryPart, &remainingPart); if (directoryPart.Length != 0) { if (PhIsNullOrEmptyString(directoryPath)) { PhMoveReference(&directoryPath, PhCreateString2(&directoryPart)); } else { directoryName = PhConcatStringRef3(&directoryPath->sr, &PhNtPathSeparatorString, &directoryPart); // Check if the directory already exists. (dmex) if (!PhDoesDirectoryExistWin32(PhGetString(directoryName))) { HANDLE directoryHandle; // Create the directory. (dmex) if (NT_SUCCESS(PhCreateFileWin32( &directoryHandle, PhGetString(directoryName), FILE_LIST_DIRECTORY | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_CREATE, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_FOR_BACKUP_INTENT //| FILE_OPEN_REPARSE_POINT ))) { NtClose(directoryHandle); } } PhMoveReference(&directoryPath, directoryName); } } } PhClearReference(&directoryPath); if (!PhDoesDirectoryExistWin32(PhGetStringRefZ(DirectoryPath))) return STATUS_NOT_FOUND; return STATUS_SUCCESS; } /** * Creates a directory path recursively. * * \param DirectoryPath The Win32 directory path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateDirectoryFullPathWin32( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status = STATUS_UNSUCCESSFUL; PH_STRINGREF directoryPart; PPH_STRING directoryPath; PPH_STRING directory; if (PhGetBasePath(FileName, &directoryPart, NULL)) { if (directory = PhCreateString2(&directoryPart)) { if (NT_SUCCESS(PhGetFullPath(PhGetString(directory), &directoryPath, NULL))) { status = PhCreateDirectoryWin32(&directoryPath->sr); PhDereferenceObject(directoryPath); } PhDereferenceObject(directory); } } return status; } /** * Creates a directory path recursively. * * \param DirectoryPath The directory path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateDirectoryFullPath( _In_ PCPH_STRINGREF FileName ) { PH_STRINGREF directoryPart; if (PhGetBasePath(FileName, &directoryPart, NULL)) { return PhCreateDirectory(&directoryPart); } return STATUS_UNSUCCESSFUL; } // NOTE: This callback handles both Native and Win32 filenames // since they're both relative to the parent RootDirectory. (dmex) _Function_class_(PH_ENUM_DIRECTORY_FILE) static BOOLEAN PhDeleteDirectoryCallback( _In_ HANDLE RootDirectory, _In_ PFILE_DIRECTORY_INFORMATION Information, _In_ PVOID Context ) { PH_STRINGREF fileName; HANDLE fileHandle; fileName.Buffer = Information->FileName; fileName.Length = Information->FileNameLength; if (FlagOn(Information->FileAttributes, FILE_ATTRIBUTE_DIRECTORY)) { if (PATH_IS_WIN32_RELATIVE_PREFIX(&fileName)) return TRUE; if (NT_SUCCESS(PhCreateFileEx( &fileHandle, &fileName, FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES | DELETE | SYNCHRONIZE, RootDirectory, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_FOR_BACKUP_INTENT, // | FILE_OPEN_REPARSE_POINT NULL ))) { PhEnumDirectoryFile(fileHandle, NULL, PhDeleteDirectoryCallback, Context); PhSetFileDelete(fileHandle); NtClose(fileHandle); } } else { if (NT_SUCCESS(PhCreateFileEx( &fileHandle, &fileName, FILE_WRITE_ATTRIBUTES | DELETE | SYNCHRONIZE, RootDirectory, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, // | FILE_OPEN_REPARSE_POINT NULL ))) { if (FlagOn(Information->FileAttributes, FILE_ATTRIBUTE_READONLY) && WindowsVersion < WINDOWS_10_RS5) { FILE_BASIC_INFORMATION fileBasicInfo; memset(&fileBasicInfo, 0, sizeof(FILE_BASIC_INFORMATION)); fileBasicInfo.FileAttributes = ClearFlag(Information->FileAttributes, FILE_ATTRIBUTE_READONLY); PhSetFileBasicInformation(fileHandle, &fileBasicInfo); } PhSetFileDelete(fileHandle); NtClose(fileHandle); } } return TRUE; } /** * Deletes a directory path recursively. * * \param DirectoryPath The directory path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDeleteDirectory( _In_ PCPH_STRINGREF DirectoryPath ) { NTSTATUS status; HANDLE directoryHandle; status = PhCreateFile( &directoryHandle, DirectoryPath, FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES | DELETE | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_FOR_BACKUP_INTENT | FILE_OPEN_REPARSE_POINT ); if (NT_SUCCESS(status)) { // Remove any files or folders inside the directory. (dmex) status = PhEnumDirectoryFile( directoryHandle, NULL, PhDeleteDirectoryCallback, NULL ); if (NT_SUCCESS(status)) { // Remove the directory. (dmex) status = PhSetFileDelete(directoryHandle); } NtClose(directoryHandle); } if (!PhDoesDirectoryExist(DirectoryPath)) return STATUS_SUCCESS; return status; } /** * Deletes a directory path recursively. * * \param DirectoryPath The Win32 directory path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDeleteDirectoryWin32( _In_ PCPH_STRINGREF DirectoryPath ) { NTSTATUS status; HANDLE directoryHandle; status = PhCreateFileWin32( &directoryHandle, PhGetStringRefZ(DirectoryPath), FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES | DELETE | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_FOR_BACKUP_INTENT | FILE_OPEN_REPARSE_POINT ); if (NT_SUCCESS(status)) { // Remove any files or folders inside the directory. (dmex) status = PhEnumDirectoryFile( directoryHandle, NULL, PhDeleteDirectoryCallback, (PVOID)DirectoryPath ); if (NT_SUCCESS(status)) { // Remove the directory. (dmex) status = PhSetFileDelete(directoryHandle); } NtClose(directoryHandle); } if (!PhDoesDirectoryExistWin32(PhGetStringRefZ(DirectoryPath))) return STATUS_SUCCESS; return status; } /** * Deletes a directory path recursively. * * \param DirectoryPath The directory path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDeleteDirectoryFullPath( _In_ PCPH_STRINGREF FileName ) { PH_STRINGREF directoryPart; if (PhGetBasePath(FileName, &directoryPart, NULL)) { return PhDeleteDirectory(&directoryPart); } return STATUS_UNSUCCESSFUL; } /** * Copies a file from OldFileName to NewFileName using Win32 APIs. * * \param OldFileName The path to the source file to copy. * \param NewFileName The path to the destination file. * \param FailIfExists If TRUE, the function fails if the destination file already exists. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCopyFileWin32( _In_ PCWSTR OldFileName, _In_ PCWSTR NewFileName, _In_ BOOLEAN FailIfExists ) { NTSTATUS status; HANDLE fileHandle; HANDLE newFileHandle; FILE_BASIC_INFORMATION basicInfo; LARGE_INTEGER newFileSize; IO_STATUS_BLOCK isb; ULONG bufferLength; PBYTE buffer; status = PhCreateFileWin32( &fileHandle, OldFileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY ); if (!NT_SUCCESS(status)) return status; status = PhGetFileBasicInformation(fileHandle, &basicInfo); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetFileSize(fileHandle, &newFileSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateFileWin32Ex( &newFileHandle, NewFileName, FILE_GENERIC_WRITE, &newFileSize, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FailIfExists ? FILE_CREATE : FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; bufferLength = PAGE_SIZE * 2; buffer = PhAllocatePage(bufferLength, NULL); if (!buffer) { status = STATUS_NO_MEMORY; goto CleanupExit; } while (TRUE) { status = NtReadFile( fileHandle, NULL, NULL, NULL, &isb, buffer, bufferLength, NULL, NULL ); if (!NT_SUCCESS(status)) break; if (isb.Information == 0) break; status = NtWriteFile( newFileHandle, NULL, NULL, NULL, &isb, buffer, (ULONG)isb.Information, NULL, NULL ); if (!NT_SUCCESS(status)) break; if (isb.Information == 0) break; } PhFreePage(buffer); if (status == STATUS_END_OF_FILE) { status = STATUS_SUCCESS; } if (NT_SUCCESS(status)) { PhSetFileBasicInformation( newFileHandle, &basicInfo ); } else { PhSetFileDelete(newFileHandle); } NtClose(newFileHandle); CleanupExit: NtClose(fileHandle); return status; } /** * Copies a file from OldFileName to NewFileName using file chunk APIs. * * \param OldFileName The path to the source file to copy. * \param NewFileName The path to the destination file. * \param FailIfExists If TRUE, the function fails if the destination file already exists. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCopyFileChunkDirectIoWin32( _In_ PCWSTR OldFileName, _In_ PCWSTR NewFileName, _In_ BOOLEAN FailIfExists ) { NTSTATUS status; HANDLE sourceHandle; HANDLE destinationHandle; FILE_BASIC_INFORMATION basicInfo; FILE_FS_SECTOR_SIZE_INFORMATION sourceSectorInfo = { 0 }; FILE_FS_SECTOR_SIZE_INFORMATION destinationSectorInfo = { 0 }; IO_STATUS_BLOCK ioStatusBlock; LARGE_INTEGER sourceOffset = { 0 }; LARGE_INTEGER destinationOffset = { 0 }; LARGE_INTEGER fileSize; SIZE_T numberOfBytes; ULONG alignSize; ULONG blockSize; if (!NtCopyFileChunk_Import()) return STATUS_NOT_SUPPORTED; status = PhCreateFileWin32ExAlt( &sourceHandle, OldFileName, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NO_INTERMEDIATE_BUFFERING, EX_CREATE_FLAG_FILE_SOURCE_OPEN_FOR_COPY, NULL, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetFileBasicInformation(sourceHandle, &basicInfo); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetFileSize(sourceHandle, &fileSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateFileWin32ExAlt( &destinationHandle, NewFileName, FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, 0, FailIfExists ? FILE_CREATE : FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NO_INTERMEDIATE_BUFFERING, EX_CREATE_FLAG_FILE_DEST_OPEN_FOR_COPY, &fileSize, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; // https://learn.microsoft.com/en-us/windows/win32/w8cookbook/advanced-format--4k--disk-compatibility-update NtQueryVolumeInformationFile( sourceHandle, &ioStatusBlock, &sourceSectorInfo, sizeof(FILE_FS_SECTOR_SIZE_INFORMATION), FileFsSectorSizeInformation ); NtQueryVolumeInformationFile( destinationHandle, &ioStatusBlock, &destinationSectorInfo, sizeof(FILE_FS_SECTOR_SIZE_INFORMATION), FileFsSectorSizeInformation ); // Non-cached I/O requires 'blockSize' be sector-aligned with whichever file is opened as non-cached. // If both, the length should be aligned with the larger sector size of the two. (dmex) alignSize = __max(max(sourceSectorInfo.PhysicalBytesPerSectorForPerformance, destinationSectorInfo.PhysicalBytesPerSectorForPerformance), max(sourceSectorInfo.PhysicalBytesPerSectorForAtomicity, destinationSectorInfo.PhysicalBytesPerSectorForAtomicity)); // Enable BypassIO (skip error checking since might be disabled) (dmex) PhSetFileBypassIO(sourceHandle, TRUE); PhSetFileBypassIO(destinationHandle, TRUE); blockSize = PAGE_SIZE; numberOfBytes = (SIZE_T)fileSize.QuadPart; while (numberOfBytes != 0) { if (blockSize > numberOfBytes) blockSize = (ULONG)numberOfBytes; blockSize = ALIGN_UP_BY(blockSize, alignSize); status = NtCopyFileChunk_Import()( sourceHandle, destinationHandle, NULL, &ioStatusBlock, blockSize, &sourceOffset, &destinationOffset, NULL, NULL, 0 ); if (!NT_SUCCESS(status)) break; destinationOffset.QuadPart += blockSize; sourceOffset.QuadPart += blockSize; numberOfBytes -= blockSize; } if (status == STATUS_END_OF_FILE) status = STATUS_SUCCESS; if (NT_SUCCESS(status)) { status = PhSetFileSize(destinationHandle, &fileSize); // Required (dmex) } if (NT_SUCCESS(status)) { status = PhSetFileBasicInformation(destinationHandle, &basicInfo); } if (!NT_SUCCESS(status)) { PhSetFileDelete(destinationHandle); } NtClose(destinationHandle); CleanupExit: NtClose(sourceHandle); return status; } /** * Copies a file from OldFileName to NewFileName using Win32 APIs, potentially in chunks. * * \param OldFileName The path to the source file to copy. * \param NewFileName The path to the destination file. * \param FailIfExists If TRUE, the function fails if the destination file already exists. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCopyFileChunkWin32( _In_ PCWSTR OldFileName, _In_ PCWSTR NewFileName, _In_ BOOLEAN FailIfExists ) { NTSTATUS status; HANDLE sourceHandle; HANDLE destinationHandle; FILE_BASIC_INFORMATION basicInfo; IO_STATUS_BLOCK ioStatusBlock; LARGE_INTEGER sourceOffset = { 0 }; LARGE_INTEGER destinationOffset = { 0 }; LARGE_INTEGER fileSize; if (!NtCopyFileChunk_Import()) { return PhCopyFileWin32(OldFileName, NewFileName, FailIfExists); } status = PhCreateFileWin32ExAlt( &sourceHandle, OldFileName, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, EX_CREATE_FLAG_FILE_SOURCE_OPEN_FOR_COPY, NULL, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetFileBasicInformation(sourceHandle, &basicInfo); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetFileSize(sourceHandle, &fileSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateFileWin32ExAlt( &destinationHandle, NewFileName, FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FailIfExists ? FILE_CREATE : FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, EX_CREATE_FLAG_FILE_DEST_OPEN_FOR_COPY, &fileSize, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (fileSize.QuadPart >= ULONG_MAX) { SIZE_T numberOfBytes = (SIZE_T)fileSize.QuadPart; ULONG blockSize = ULONG_MAX; // Split into smaller blocks when the length // overflows the maximum chunk size. (dmex) while (numberOfBytes != 0) { if (blockSize > numberOfBytes) blockSize = (ULONG)numberOfBytes; status = NtCopyFileChunk_Import()( sourceHandle, destinationHandle, NULL, &ioStatusBlock, blockSize, &sourceOffset, &destinationOffset, NULL, NULL, 0 ); if (!NT_SUCCESS(status)) break; destinationOffset.QuadPart += blockSize; sourceOffset.QuadPart += blockSize; numberOfBytes -= blockSize; } } else { status = NtCopyFileChunk_Import()( sourceHandle, destinationHandle, NULL, &ioStatusBlock, (ULONG)fileSize.QuadPart, &sourceOffset, &destinationOffset, NULL, NULL, 0 ); } if (NT_SUCCESS(status)) { PhSetFileBasicInformation( destinationHandle, &basicInfo ); } else { PhSetFileDelete(destinationHandle); } NtClose(destinationHandle); CleanupExit: NtClose(sourceHandle); return status; } /** * Moves a file from OldFileName to NewFileName. * * \param OldFileName Pointer to a PH_STRINGREF structure containing the source file name. * \param NewFileName Pointer to a PH_STRINGREF structure containing the destination file name. * \param FailIfExists If TRUE, the operation fails if the destination file already exists. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhMoveFile( _In_ PCPH_STRINGREF OldFileName, _In_ PCPH_STRINGREF NewFileName, _In_ BOOLEAN FailIfExists ) { NTSTATUS status; HANDLE fileHandle; IO_STATUS_BLOCK isb; ULONG fileNameLength; ULONG renameInfoLength; PFILE_RENAME_INFORMATION renameInfo = NULL; status = PhCreateFile( &fileHandle, OldFileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | DELETE | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY ); if (!NT_SUCCESS(status)) return status; status = RtlSIZETToULong(NewFileName->Length, &fileNameLength); if (!NT_SUCCESS(status)) goto CleanupExit; renameInfoLength = sizeof(FILE_RENAME_INFORMATION) + fileNameLength + sizeof(UNICODE_NULL); renameInfo = PhAllocateStack(renameInfoLength); if (!renameInfo) return STATUS_NO_MEMORY; memset(renameInfo, 0, renameInfoLength); renameInfo->ReplaceIfExists = FailIfExists ? FALSE : TRUE; renameInfo->RootDirectory = NULL; renameInfo->FileNameLength = fileNameLength; memcpy(renameInfo->FileName, NewFileName->Buffer, fileNameLength); status = NtSetInformationFile( fileHandle, &isb, renameInfo, renameInfoLength, FileRenameInformation ); if (status == STATUS_NOT_SAME_DEVICE) { HANDLE newFileHandle; LARGE_INTEGER newFileSize; ULONG bufferLength; PBYTE buffer; status = PhGetFileSize(fileHandle, &newFileSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateFileEx( &newFileHandle, NewFileName, FILE_GENERIC_WRITE, NULL, &newFileSize, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FailIfExists ? FILE_CREATE : FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY, NULL ); if (NT_SUCCESS(status)) { bufferLength = PAGE_SIZE * 2; buffer = PhAllocatePage(bufferLength, NULL); if (!buffer) { status = STATUS_NO_MEMORY; goto CleanupExit; } while (TRUE) { status = NtReadFile( fileHandle, NULL, NULL, NULL, &isb, buffer, bufferLength, NULL, NULL ); if (!NT_SUCCESS(status)) break; if (isb.Information == 0) break; status = NtWriteFile( newFileHandle, NULL, NULL, NULL, &isb, buffer, (ULONG)isb.Information, NULL, NULL ); if (!NT_SUCCESS(status)) break; if (isb.Information == 0) break; } PhFreePage(buffer); if (status == STATUS_END_OF_FILE) { status = STATUS_SUCCESS; } if (status != STATUS_SUCCESS) { PhSetFileDelete(newFileHandle); } NtClose(newFileHandle); } } CleanupExit: NtClose(fileHandle); PhFreeStack(renameInfo); return status; } /** * Moves a file from OldFileName to NewFileName using Win32 semantics. * * \param OldFileName The path to the existing file to be moved. * \param NewFileName The destination path for the moved file. * \param FailIfExists If TRUE, the operation fails if NewFileName already exists. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhMoveFileWin32( _In_ PCWSTR OldFileName, _In_ PCWSTR NewFileName, _In_ BOOLEAN FailIfExists ) { NTSTATUS status; HANDLE fileHandle; IO_STATUS_BLOCK isb; ULONG renameInfoLength; UNICODE_STRING newFileName; PFILE_RENAME_INFORMATION renameInfo; status = PhDosLongPathNameToNtPathNameWithStatus( NewFileName, &newFileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; status = PhCreateFileWin32( &fileHandle, OldFileName, FILE_READ_ATTRIBUTES | FILE_READ_DATA | DELETE | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY ); if (!NT_SUCCESS(status)) { RtlFreeUnicodeString(&newFileName); return status; } renameInfoLength = sizeof(FILE_RENAME_INFORMATION) + newFileName.Length + sizeof(UNICODE_NULL); renameInfo = PhAllocateStack(renameInfoLength); if (!renameInfo) return STATUS_NO_MEMORY; memset(renameInfo, 0, renameInfoLength); renameInfo->ReplaceIfExists = FailIfExists ? FALSE : TRUE; renameInfo->RootDirectory = NULL; renameInfo->FileNameLength = newFileName.Length; memcpy(renameInfo->FileName, newFileName.Buffer, newFileName.Length); RtlFreeUnicodeString(&newFileName); status = NtSetInformationFile( fileHandle, &isb, renameInfo, renameInfoLength, FileRenameInformation ); if (status == STATUS_NOT_SAME_DEVICE) { HANDLE newFileHandle; LARGE_INTEGER newFileSize; PBYTE buffer; status = PhGetFileSize(fileHandle, &newFileSize); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateFileWin32Ex( &newFileHandle, NewFileName, FILE_GENERIC_WRITE, &newFileSize, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FailIfExists ? FILE_CREATE : FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY, NULL ); if (NT_SUCCESS(status)) { buffer = PhAllocatePage(PAGE_SIZE * 2, NULL); if (!buffer) { status = STATUS_NO_MEMORY; goto CleanupExit; } while (TRUE) { status = NtReadFile( fileHandle, NULL, NULL, NULL, &isb, buffer, PAGE_SIZE * 2, NULL, NULL ); if (!NT_SUCCESS(status)) break; if (isb.Information == 0) break; status = NtWriteFile( newFileHandle, NULL, NULL, NULL, &isb, buffer, (ULONG)isb.Information, NULL, NULL ); if (!NT_SUCCESS(status)) break; if (isb.Information == 0) break; } PhFreePage(buffer); if (status == STATUS_END_OF_FILE) { status = STATUS_SUCCESS; } if (status != STATUS_SUCCESS) { PhSetFileDelete(newFileHandle); } NtClose(newFileHandle); } } CleanupExit: NtClose(fileHandle); PhFreeStack(renameInfo); return status; } /** * \brief Enumerates the volume Reparse Points using the \\$Extend\\$Reparse:$R:$INDEX_ALLOCATION directory. * * \param FileHandle A handle to the volume. * \param Callback A pointer to a callback function. * \param Context A user-defined value to pass to the callback function. * \return Successful or errant status */ NTSTATUS PhEnumReparsePointInformation( _In_ HANDLE FileHandle, _In_ PPH_ENUM_REPARSE_POINT Callback, _In_opt_ PVOID Context ) { NTSTATUS status; IO_STATUS_BLOCK isb; BOOLEAN firstTime = TRUE; ULONG bufferSize; PVOID buffer; bufferSize = sizeof(FILE_REPARSE_POINT_INFORMATION[512]); buffer = PhAllocate(bufferSize); while (TRUE) { status = NtQueryDirectoryFile( FileHandle, NULL, NULL, NULL, &isb, buffer, bufferSize, FileReparsePointInformation, FALSE, NULL, firstTime ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (status == STATUS_NO_MORE_FILES) { status = STATUS_SUCCESS; break; } if (!NT_SUCCESS(status)) break; status = Callback(FileHandle, buffer, isb.Information, Context); if (status == STATUS_NO_MORE_FILES) { status = STATUS_SUCCESS; break; } if (!NT_SUCCESS(status)) break; firstTime = FALSE; } PhFree(buffer); return status; } /** * \brief Enumerates the volume ObjectIDs using the \\$Extend\\$ObjId:$O:$INDEX_ALLOCATION directory. * * \param FileHandle A handle to the volume. * \param Callback A pointer to a callback function. * \param Context A user-defined value to pass to the callback function. * \return Successful or errant status */ NTSTATUS PhEnumObjectIdInformation( _In_ HANDLE FileHandle, _In_ PPH_ENUM_OBJECT_ID Callback, _In_opt_ PVOID Context ) { NTSTATUS status; IO_STATUS_BLOCK isb; BOOLEAN firstTime = TRUE; ULONG bufferSize; PVOID buffer; bufferSize = sizeof(FILE_OBJECTID_INFORMATION[128]); buffer = PhAllocate(bufferSize); while (TRUE) { status = NtQueryDirectoryFile( FileHandle, NULL, NULL, NULL, &isb, buffer, bufferSize, FileObjectIdInformation, FALSE, NULL, firstTime ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (status == STATUS_NO_MORE_FILES) { status = STATUS_SUCCESS; break; } if (!NT_SUCCESS(status)) break; status = Callback(FileHandle, buffer, isb.Information, Context); if (status == STATUS_NO_MORE_FILES) { status = STATUS_SUCCESS; break; } if (!NT_SUCCESS(status)) break; firstTime = FALSE; } PhFree(buffer); return status; } NTSTATUS PhEnumFileExtendedAttributes( _In_ HANDLE FileHandle, _In_ PPH_ENUM_FILE_EA Callback, _In_opt_ PVOID Context ) { NTSTATUS status; BOOLEAN firstTime = TRUE; IO_STATUS_BLOCK isb; ULONG bufferSize; PVOID buffer; bufferSize = 0x400; buffer = PhAllocate(bufferSize); while (TRUE) { while (TRUE) { status = NtQueryEaFile( FileHandle, &isb, buffer, bufferSize, FALSE, NULL, 0, NULL, firstTime ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(FileHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; buffer = PhAllocate(bufferSize); } else { break; } } if (status == STATUS_NO_MORE_FILES) { status = STATUS_SUCCESS; break; } if (!NT_SUCCESS(status)) break; status = Callback(FileHandle, buffer, Context); if (status == STATUS_NO_MORE_FILES) { status = STATUS_SUCCESS; break; } if (!NT_SUCCESS(status)) break; firstTime = FALSE; } PhFree(buffer); return status; } NTSTATUS PhSetFileExtendedAttributes( _In_ HANDLE FileHandle, _In_ PPH_BYTESREF Name, _In_opt_ PPH_BYTESREF Value ) { NTSTATUS status; ULONG infoLength; PFILE_FULL_EA_INFORMATION info; IO_STATUS_BLOCK isb; infoLength = sizeof(FILE_FULL_EA_INFORMATION) + (ULONG)Name->Length + sizeof(ANSI_NULL); if (Value) infoLength += (ULONG)Value->Length + sizeof(ANSI_NULL); info = PhAllocateZero(infoLength); info->EaNameLength = (UCHAR)Name->Length; memcpy( info->EaName, Name->Buffer, Name->Length ); if (Value) { info->EaValueLength = (USHORT)Value->Length; memcpy( PTR_ADD_OFFSET(info->EaName, info->EaNameLength + sizeof(ANSI_NULL)), Value->Buffer, Value->Length ); } status = NtSetEaFile( FileHandle, &isb, info, infoLength ); PhFree(info); return status; } NTSTATUS PhpQueryFileVariableSize( _In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; IO_STATUS_BLOCK isb; PVOID buffer; ULONG bufferSize = 0x200; buffer = PhAllocate(bufferSize); while (TRUE) { status = NtQueryInformationFile( FileHandle, &isb, buffer, bufferSize, FileInformationClass ); if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; buffer = PhAllocate(bufferSize); } else { break; } } if (NT_SUCCESS(status)) { *Buffer = buffer; } else { PhFree(buffer); } return status; } NTSTATUS PhEnumFileStreams( _In_ HANDLE FileHandle, _Out_ PVOID *Streams ) { return PhpQueryFileVariableSize( FileHandle, FileStreamInformation, Streams ); } NTSTATUS PhEnumFileHardLinks( _In_ HANDLE FileHandle, _Out_ PVOID *HardLinks ) { return PhpQueryFileVariableSize( FileHandle, FileHardLinkInformation, HardLinks ); } /** * Queries information about the volume associated with a given file, directory, storage device, or volume. * * \param ProcessHandle A handle to a process. * \param FileHandle A handle to the volume. * \param FsInformationClass Type of information to be returned about the volume. * \param FsInformation A pointer to a caller-allocated buffer. * \param FsInformationLength Size in bytes of the buffer pointed to by FsInformation. * \param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the query operation. */ NTSTATUS PhQueryVolumeInformationFile( _In_opt_ HANDLE ProcessHandle, _In_ HANDLE FileHandle, _In_ FS_INFORMATION_CLASS FsInformationClass, _Out_writes_bytes_(FsInformationLength) PVOID FsInformation, _In_ ULONG FsInformationLength, _Out_ PIO_STATUS_BLOCK IoStatusBlock ) { NTSTATUS status; if (ProcessHandle) { if (KsiLevel() >= KphLevelMed) { status = KphQueryVolumeInformationFile( ProcessHandle, FileHandle, FsInformationClass, FsInformation, FsInformationLength, IoStatusBlock ); } else if (ProcessHandle == NtCurrentProcess()) { status = NtQueryVolumeInformationFile( FileHandle, IoStatusBlock, FsInformation, FsInformationLength, FsInformationClass ); } else { status = STATUS_UNSUCCESSFUL; } } else { status = NtQueryVolumeInformationFile( FileHandle, IoStatusBlock, FsInformation, FsInformationLength, FsInformationClass ); } return status; } NTSTATUS PhGetFileBasicInformation( _In_ HANDLE FileHandle, _Out_ PFILE_BASIC_INFORMATION BasicInfo ) { IO_STATUS_BLOCK isb; return NtQueryInformationFile( FileHandle, &isb, BasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation ); } NTSTATUS PhSetFileBasicInformation( _In_ HANDLE FileHandle, _In_ PFILE_BASIC_INFORMATION BasicInfo ) { IO_STATUS_BLOCK isb; return NtSetInformationFile( FileHandle, &isb, BasicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation ); } NTSTATUS PhGetFileFullAttributesInformation( _In_ HANDLE FileHandle, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ) { NTSTATUS status; IO_STATUS_BLOCK isb; FILE_NETWORK_OPEN_INFORMATION fullAttributesInfo; status = NtQueryInformationFile( FileHandle, &isb, &fullAttributesInfo, sizeof(FILE_NETWORK_OPEN_INFORMATION), FileNetworkOpenInformation ); if (NT_SUCCESS(status)) { *FileInformation = fullAttributesInfo; } return status; } NTSTATUS PhGetFileStandardInformation( _In_ HANDLE FileHandle, _Out_ PFILE_STANDARD_INFORMATION StandardInfo ) { NTSTATUS status; IO_STATUS_BLOCK isb; FILE_STANDARD_INFORMATION standardInfo; status = NtQueryInformationFile( FileHandle, &isb, &standardInfo, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation ); if (NT_SUCCESS(status)) { *StandardInfo = standardInfo; } return status; } // rev from SetFileCompletionNotificationModes (dmex) NTSTATUS PhSetFileCompletionNotificationMode( _In_ HANDLE FileHandle, _In_ ULONG Flags ) { FILE_IO_COMPLETION_NOTIFICATION_INFORMATION completionMode; IO_STATUS_BLOCK isb; completionMode.Flags = Flags; return NtSetInformationFile( FileHandle, &isb, &completionMode, sizeof(FILE_IO_COMPLETION_NOTIFICATION_INFORMATION), FileIoCompletionNotificationInformation ); } NTSTATUS PhGetFileSize( _In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER Size ) { NTSTATUS status; FILE_STANDARD_INFORMATION standardInfo; status = PhGetFileStandardInformation( FileHandle, &standardInfo ); if (NT_SUCCESS(status)) { *Size = standardInfo.EndOfFile; } return status; } NTSTATUS PhSetFileSize( _In_ HANDLE FileHandle, _In_ PLARGE_INTEGER Size ) { FILE_END_OF_FILE_INFORMATION endOfFileInfo; IO_STATUS_BLOCK isb; endOfFileInfo.EndOfFile = *Size; return NtSetInformationFile( FileHandle, &isb, &endOfFileInfo, sizeof(FILE_END_OF_FILE_INFORMATION), FileEndOfFileInformation ); } NTSTATUS PhGetFilePosition( _In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER Position ) { NTSTATUS status; FILE_POSITION_INFORMATION positionInfo; IO_STATUS_BLOCK isb; status = NtQueryInformationFile( FileHandle, &isb, &positionInfo, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation ); if (!NT_SUCCESS(status)) return status; *Position = positionInfo.CurrentByteOffset; return status; } NTSTATUS PhSetFilePosition( _In_ HANDLE FileHandle, _In_opt_ PLARGE_INTEGER Position ) { FILE_POSITION_INFORMATION positionInfo; IO_STATUS_BLOCK isb; if (Position) positionInfo.CurrentByteOffset.QuadPart = Position->QuadPart; else positionInfo.CurrentByteOffset.QuadPart = 0; return NtSetInformationFile( FileHandle, &isb, &positionInfo, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation ); } NTSTATUS PhGetFileAllocationSize( _In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER AllocationSize ) { NTSTATUS status; FILE_ALLOCATION_INFORMATION allocationInfo; IO_STATUS_BLOCK isb; status = NtQueryInformationFile( FileHandle, &isb, &allocationInfo, sizeof(FILE_ALLOCATION_INFORMATION), FileAllocationInformation ); if (!NT_SUCCESS(status)) return status; *AllocationSize = allocationInfo.AllocationSize; return status; } NTSTATUS PhSetFileAllocationSize( _In_ HANDLE FileHandle, _In_ PLARGE_INTEGER AllocationSize ) { FILE_ALLOCATION_INFORMATION allocationInfo; IO_STATUS_BLOCK isb; allocationInfo.AllocationSize = *AllocationSize; return NtSetInformationFile( FileHandle, &isb, &allocationInfo, sizeof(FILE_ALLOCATION_INFORMATION), FileAllocationInformation ); } NTSTATUS PhGetFileIndexNumber( _In_ HANDLE FileHandle, _Out_ PFILE_INTERNAL_INFORMATION IndexNumber ) { IO_STATUS_BLOCK isb; return NtQueryInformationFile( FileHandle, &isb, IndexNumber, sizeof(FILE_INTERNAL_INFORMATION), FileInternalInformation ); } NTSTATUS PhGetFileIsRemoteDevice( _In_ HANDLE FileHandle, _Out_ PBOOLEAN FileIsRemoteDevice ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; FILE_IS_REMOTE_DEVICE_INFORMATION fileRemoteInfo; status = NtQueryInformationFile( FileHandle, &ioStatusBlock, &fileRemoteInfo, sizeof(FILE_IS_REMOTE_DEVICE_INFORMATION), FileIsRemoteDeviceInformation ); if (NT_SUCCESS(status)) { *FileIsRemoteDevice = !!fileRemoteInfo.IsRemote; } return status; } NTSTATUS PhSetFileDelete( _In_ HANDLE FileHandle ) { NTSTATUS status = STATUS_UNSUCCESSFUL; if (WindowsVersion >= WINDOWS_10_RS5) { FILE_DISPOSITION_INFO_EX dispositionInfo; IO_STATUS_BLOCK ioStatusBlock; dispositionInfo.Flags = FILE_DISPOSITION_FLAG_DELETE | FILE_DISPOSITION_FLAG_POSIX_SEMANTICS | FILE_DISPOSITION_FLAG_IGNORE_READONLY_ATTRIBUTE; status = NtSetInformationFile( FileHandle, &ioStatusBlock, &dispositionInfo, sizeof(FILE_DISPOSITION_INFO_EX), FileDispositionInformationEx ); } if (!NT_SUCCESS(status)) { FILE_DISPOSITION_INFORMATION dispositionInfo; IO_STATUS_BLOCK ioStatusBlock; dispositionInfo.DeleteFile = TRUE; status = NtSetInformationFile( FileHandle, &ioStatusBlock, &dispositionInfo, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation ); } //if (!NT_SUCCESS(status)) //{ // HANDLE deleteHandle; // // if (NT_SUCCESS(PhReOpenFile( // &deleteHandle, // FileHandle, // DELETE, // FILE_SHARE_DELETE, // FILE_DELETE_ON_CLOSE // ))) // { // NtClose(deleteHandle); // status = STATUS_SUCCESS; // } //} return status; } NTSTATUS PhSetFileRename( _In_ HANDLE FileHandle, _In_opt_ HANDLE RootDirectory, _In_ BOOLEAN ReplaceIfExists, _In_ PCPH_STRINGREF NewFileName ) { NTSTATUS status = STATUS_UNSUCCESSFUL; if (WindowsVersion >= WINDOWS_10_RS2) { PFILE_RENAME_INFORMATION_EX renameInfo; IO_STATUS_BLOCK ioStatusBlock; ULONG renameInfoLength; renameInfoLength = sizeof(FILE_RENAME_INFORMATION_EX) + (ULONG)NewFileName->Length + sizeof(UNICODE_NULL); renameInfo = PhAllocateStack(renameInfoLength); if (renameInfo) { RtlZeroMemory(renameInfo, renameInfoLength); renameInfo->Flags = (ReplaceIfExists ? FILE_RENAME_REPLACE_IF_EXISTS : 0) | FILE_RENAME_POSIX_SEMANTICS; renameInfo->RootDirectory = RootDirectory; renameInfo->FileNameLength = (ULONG)NewFileName->Length; RtlCopyMemory(renameInfo->FileName, NewFileName->Buffer, NewFileName->Length); if (WindowsVersion >= WINDOWS_10_RS5) { SetFlag(renameInfo->Flags, FILE_RENAME_IGNORE_READONLY_ATTRIBUTE); } else { FILE_BASIC_INFORMATION basicInfo; RtlZeroMemory(&basicInfo, sizeof(FILE_BASIC_INFORMATION)); basicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL; PhSetFileBasicInformation(FileHandle, &basicInfo); } status = NtSetInformationFile( FileHandle, &ioStatusBlock, renameInfo, renameInfoLength, FileRenameInformationEx ); PhFreeStack(renameInfo); } else { status = STATUS_NO_MEMORY; } } if (!NT_SUCCESS(status)) { PFILE_RENAME_INFORMATION renameInfo; IO_STATUS_BLOCK ioStatusBlock; ULONG renameInfoLength; renameInfoLength = sizeof(FILE_RENAME_INFORMATION) + (ULONG)NewFileName->Length + sizeof(UNICODE_NULL); renameInfo = PhAllocateStack(renameInfoLength); if (renameInfo) { RtlZeroMemory(renameInfo, renameInfoLength); renameInfo->ReplaceIfExists = ReplaceIfExists; renameInfo->RootDirectory = RootDirectory; renameInfo->FileNameLength = (ULONG)NewFileName->Length; RtlCopyMemory(renameInfo->FileName, NewFileName->Buffer, NewFileName->Length); { FILE_BASIC_INFORMATION basicInfo; RtlZeroMemory(&basicInfo, sizeof(FILE_BASIC_INFORMATION)); basicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL; PhSetFileBasicInformation(FileHandle, &basicInfo); } status = NtSetInformationFile( FileHandle, &ioStatusBlock, renameInfo, renameInfoLength, FileRenameInformation ); PhFreeStack(renameInfo); } else { status = STATUS_NO_MEMORY; } } return status; } NTSTATUS PhGetFileIoPriorityHint( _In_ HANDLE FileHandle, _Out_ IO_PRIORITY_HINT* IoPriorityHint ) { NTSTATUS status; FILE_IO_PRIORITY_HINT_INFORMATION ioPriorityHint; IO_STATUS_BLOCK ioStatusBlock; status = NtQueryInformationFile( FileHandle, &ioStatusBlock, &ioPriorityHint, sizeof(FILE_IO_PRIORITY_HINT_INFORMATION), FileIoPriorityHintInformation ); if (!NT_SUCCESS(status)) return status; *IoPriorityHint = ioPriorityHint.PriorityHint; return status; } NTSTATUS PhSetFileIoPriorityHint( _In_ HANDLE FileHandle, _In_ IO_PRIORITY_HINT IoPriorityHint ) { IO_STATUS_BLOCK ioStatusBlock; #ifndef _WIN64 FILE_IO_PRIORITY_HINT_INFORMATION ioPriorityHint; #else FILE_IO_PRIORITY_HINT_INFORMATION_EX ioPriorityHint; #endif memset(&ioPriorityHint, 0, sizeof(ioPriorityHint)); ioPriorityHint.PriorityHint = IoPriorityHint; return NtSetInformationFile( FileHandle, &ioStatusBlock, &ioPriorityHint, sizeof(ioPriorityHint), FileIoPriorityHintInformation ); } /** * Flushes the buffers of a file. * - Write any modified data for the given file from the Windows in-memory cache. * - Commit all pending metadata changes for the given file from the Windows in-memory cache. * - Send a SYNC command to the storage device to commit in-memory cache to persistent storage. * \param FileHandle Handle to the file. * \return NTSTATUS Status code. */ NTSTATUS PhFlushBuffersFile( _In_ HANDLE FileHandle ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; //if (WindowsVersion >= WINDOWS_8) //{ // status = NtFlushBuffersFileEx(volumeHandle, 0, 0, 0, &ioStatusBlock); //} //else { status = NtFlushBuffersFile(FileHandle, &ioStatusBlock); } return status; } NTSTATUS PhGetFileHandleName( _In_ HANDLE FileHandle, _Out_ PPH_STRING *FileName ) { NTSTATUS status; ULONG bufferSize; PFILE_NAME_INFORMATION buffer; IO_STATUS_BLOCK isb; bufferSize = sizeof(FILE_NAME_INFORMATION) + MAX_PATH; buffer = PhAllocateZero(bufferSize); status = NtQueryInformationFile( FileHandle, &isb, buffer, bufferSize, FileNameInformation ); if (status == STATUS_BUFFER_OVERFLOW) { bufferSize = sizeof(FILE_NAME_INFORMATION) + buffer->FileNameLength + sizeof(UNICODE_NULL); PhFree(buffer); buffer = PhAllocateZero(bufferSize); status = NtQueryInformationFile( FileHandle, &isb, buffer, bufferSize, FileNameInformation ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *FileName = PhCreateStringEx(buffer->FileName, buffer->FileNameLength); PhFree(buffer); return status; } NTSTATUS PhGetFileNetworkPhysicalName( _In_ HANDLE FileHandle, _Out_ PPH_STRING* FileName ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; ULONG bufferLength; PFILE_NETWORK_PHYSICAL_NAME_INFORMATION buffer; bufferLength = UFIELD_OFFSET(FILE_NETWORK_PHYSICAL_NAME_INFORMATION, FileName[DOS_MAX_PATH_LENGTH]) + sizeof(UNICODE_NULL); buffer = PhAllocate(bufferLength); status = NtQueryInformationFile( FileHandle, &ioStatusBlock, buffer, bufferLength, FileNetworkPhysicalNameInformation ); if (status == STATUS_BUFFER_OVERFLOW) { bufferLength = sizeof(FILE_NETWORK_PHYSICAL_NAME_INFORMATION) + buffer->FileNameLength; PhFree(buffer); buffer = PhAllocate(bufferLength); status = NtQueryInformationFile( FileHandle, &ioStatusBlock, buffer, bufferLength, FileNetworkPhysicalNameInformation ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *FileName = PhCreateStringEx(buffer->FileName, buffer->FileNameLength); PhFree(buffer); return status; } NTSTATUS PhGetFileAllInformation( _In_ HANDLE FileHandle, _Out_ PFILE_ALL_INFORMATION *FileInformation ) { return PhpQueryFileVariableSize( FileHandle, FileAllInformation, FileInformation ); } NTSTATUS PhGetFileId( _In_ HANDLE FileHandle, _Out_ PFILE_ID_INFORMATION FileId ) { IO_STATUS_BLOCK isb; return NtQueryInformationFile( FileHandle, &isb, FileId, sizeof(FILE_ID_INFORMATION), FileIdInformation ); } NTSTATUS PhGetProcessIdsUsingFile( _In_ HANDLE FileHandle, _Out_ PFILE_PROCESS_IDS_USING_FILE_INFORMATION *ProcessIdsUsingFile ) { return PhpQueryFileVariableSize( FileHandle, FileProcessIdsUsingFileInformation, ProcessIdsUsingFile ); } NTSTATUS PhGetProcessIdsUsingFileByName( _In_ PCPH_STRINGREF FileName, _In_opt_ HANDLE RootDirectory, _Out_ PFILE_PROCESS_IDS_USING_FILE_INFORMATION *ProcessIdsUsingFile ) { NTSTATUS status; HANDLE fileHandle; status = PhOpenFile( &fileHandle, FileName, FILE_READ_ATTRIBUTES | SYNCHRONIZE, RootDirectory, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL ); if (NT_SUCCESS(status)) { status = PhpQueryFileVariableSize( fileHandle, FileProcessIdsUsingFileInformation, ProcessIdsUsingFile ); NtClose(fileHandle); } return status; } NTSTATUS PhGetProcessesUsingVolumeOrFile( _In_ HANDLE VolumeOrFileHandle, _Out_ PFILE_PROCESS_IDS_USING_FILE_INFORMATION *Information ) { static ULONG initialBufferSize = 0x4000; NTSTATUS status; PVOID buffer; ULONG bufferSize; IO_STATUS_BLOCK isb; bufferSize = initialBufferSize; buffer = PhAllocate(bufferSize); while ((status = NtQueryInformationFile( VolumeOrFileHandle, &isb, buffer, bufferSize, FileProcessIdsUsingFileInformation )) == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; // Fail if we're resizing the buffer to something very large. if (bufferSize > (1 << 30)) // 1GiB return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } if (bufferSize <= 0x100000) initialBufferSize = bufferSize; *Information = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)buffer; return status; } NTSTATUS PhGetFileUsn( _In_ HANDLE FileHandle, _Out_ PUSN Usn ) { NTSTATUS status; ULONG recordLength; PUSN_RECORD_V2 recordBuffer; // USN_RECORD_UNION UCHAR buffer[sizeof(USN_RECORD_V2) + MAXIMUM_FILENAME_LENGTH * sizeof(WCHAR)]; IO_STATUS_BLOCK isb; recordLength = sizeof(buffer); recordBuffer = (PUSN_RECORD_V2)buffer; status = NtFsControlFile( FileHandle, NULL, NULL, NULL, &isb, FSCTL_READ_FILE_USN_DATA, // FSCTL_WRITE_USN_CLOSE_RECORD NULL, // READ_FILE_USN_DATA 0, recordBuffer, recordLength ); if (NT_SUCCESS(status)) { *Usn = recordBuffer->Usn; //switch (recordBuffer->Header.MajorVersion) //{ //case 2: // *Usn = recordBuffer->V2.Usn; // break; //case 3: // *Usn = recordBuffer->V3.Usn; // break; //case 4: // *Usn = recordBuffer->V4.Usn; // break; //} } return status; } NTSTATUS PhSetFileBypassIO( _In_ HANDLE FileHandle, _In_ BOOLEAN Enable ) { NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; FS_BPIO_INPUT bypassIoInput; FS_BPIO_OUTPUT bypassIoOutput; // https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/bypassio memset(&bypassIoInput, 0, sizeof(FS_BPIO_INPUT)); bypassIoInput.Operation = Enable ? FS_BPIO_OP_ENABLE : FS_BPIO_OP_DISABLE; memset(&bypassIoOutput, 0, sizeof(FS_BPIO_OUTPUT)); status = NtFsControlFile( FileHandle, NULL, NULL, NULL, &ioStatusBlock, FSCTL_MANAGE_BYPASS_IO, &bypassIoInput, sizeof(bypassIoInput), &bypassIoOutput, sizeof(bypassIoOutput) ); #ifdef DEBUG if (bypassIoOutput.OutFlags != FSBPIO_OUTFL_COMPATIBLE_STORAGE_DRIVER) // NT_SUCCESS(bypassIoOutput.Enable.OpStatus) { dprintf("BypassIO failed: (%S) %S\n", bypassIoOutput.Enable.FailingDriverName, bypassIoOutput.Enable.FailureReason); } #endif return status; } ================================================ FILE: phlib/nativeflt.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * jxy-s 2024-2025 * */ #include /** * \brief Wrapper which is essentially FilterpDeviceIoControl. * * \param[in] Handle Filter port handle. * \param[in] IoControlCode Filter I/O control code * \param[in] InBuffer Input buffer. * \param[in] InBufferSize Input buffer size. * \param[out] OutputBuffer Output Buffer. * \param[in] OutputBufferSize Output buffer size. * \param[out] BytesReturned Optionally set to the number of bytes returned. * \param[in,out] Overlapped Optional overlapped structure. * * \return Successful or errant status. */ NTSTATUS PhpFilterDeviceIoControl( _In_ HANDLE Handle, _In_ ULONG IoControlCode, _In_reads_bytes_(InBufferSize) PVOID InBuffer, _In_ ULONG InBufferSize, _Out_writes_bytes_to_opt_(OutputBufferSize, *BytesReturned) PVOID OutputBuffer, _In_ ULONG OutputBufferSize, _Out_opt_ PULONG BytesReturned, _Inout_opt_ LPOVERLAPPED Overlapped ) { NTSTATUS status; if (BytesReturned) *BytesReturned = 0; if (Overlapped) { Overlapped->Internal = STATUS_PENDING; if (DEVICE_TYPE_FROM_CTL_CODE(IoControlCode) == FILE_DEVICE_FILE_SYSTEM) { status = NtFsControlFile( Handle, Overlapped->hEvent, NULL, Overlapped, (PIO_STATUS_BLOCK)Overlapped, IoControlCode, InBuffer, InBufferSize, OutputBuffer, OutputBufferSize ); } else { status = NtDeviceIoControlFile( Handle, Overlapped->hEvent, NULL, Overlapped, (PIO_STATUS_BLOCK)Overlapped, IoControlCode, InBuffer, InBufferSize, OutputBuffer, OutputBufferSize ); } if (NT_INFORMATION(status) && BytesReturned) *BytesReturned = (ULONG)Overlapped->InternalHigh; } else { IO_STATUS_BLOCK ioStatusBlock; if (DEVICE_TYPE_FROM_CTL_CODE(IoControlCode) == FILE_DEVICE_FILE_SYSTEM) { status = NtFsControlFile( Handle, NULL, NULL, NULL, &ioStatusBlock, IoControlCode, InBuffer, InBufferSize, OutputBuffer, OutputBufferSize ); } else { status = NtDeviceIoControlFile( Handle, NULL, NULL, NULL, &ioStatusBlock, IoControlCode, InBuffer, InBufferSize, OutputBuffer, OutputBufferSize ); } if (status == STATUS_PENDING) { if (NT_SUCCESS(status = NtWaitForSingleObject(Handle, FALSE, NULL))) status = ioStatusBlock.Status; } if (BytesReturned) *BytesReturned = (ULONG)ioStatusBlock.Information; } return status; } // rev from FilterLoad/FilterUnload (fltlib) (dmex) /** * \brief An application with mini-filter support can dynamically load and * unload the mini-filter. * * \param[in] ServiceName The service name from the registry. * \param[in] LoadDriver TRUE to load the kernel driver, FALSE to unload the * kernel driver. * * \remarks The caller must have SE_LOAD_DRIVER_PRIVILEGE. * \remarks This IOCTL is a kernel wrapper around NtLoad/UnloadDriver. * * \return Successful or errant status. */ NTSTATUS PhFilterLoadUnload( _In_ PCPH_STRINGREF ServiceName, _In_ BOOLEAN LoadDriver ) { NTSTATUS status; HANDLE fileHandle; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK ioStatusBlock; ULONG filterLoadParametersLength; PFLT_LOAD_PARAMETERS filterLoadParameters; SECURITY_QUALITY_OF_SERVICE filterSecurityQos = { sizeof(SECURITY_QUALITY_OF_SERVICE), SecurityImpersonation, SECURITY_DYNAMIC_TRACKING, TRUE }; RtlInitUnicodeString(&objectName, FLT_MSG_DEVICE_NAME); InitializeObjectAttributesEx( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE | (WindowsVersion < WINDOWS_10 ? 0 : OBJ_DONT_REPARSE), NULL, NULL, &filterSecurityQos ); if (!NT_SUCCESS(status = NtCreateFile( &fileHandle, FILE_READ_ATTRIBUTES | GENERIC_WRITE | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ))) return status; filterLoadParametersLength = UFIELD_OFFSET(FLT_LOAD_PARAMETERS, FilterName[ServiceName->Length]) + sizeof(UNICODE_NULL); filterLoadParameters = PhAllocateStack(filterLoadParametersLength); if (filterLoadParameters) { RtlZeroMemory(filterLoadParameters, filterLoadParametersLength); filterLoadParameters->FilterNameSize = (USHORT)ServiceName->Length; RtlCopyMemory(filterLoadParameters->FilterName, ServiceName->Buffer, ServiceName->Length); status = NtDeviceIoControlFile( fileHandle, NULL, NULL, NULL, &ioStatusBlock, LoadDriver ? FLT_CTL_LOAD : FLT_CTL_UNLOAD, filterLoadParameters, filterLoadParametersLength, NULL, 0 ); PhFreeStack(filterLoadParameters); } else { status = STATUS_NO_MEMORY; } NtClose(fileHandle); return status; } /** * \brief Wrapper which is essentially FilterSendMessage. * * \param[in] Port Filter port handle. * \param[in] InBuffer Input buffer. * \param[in] InBufferSize Input buffer size. * \param[out] OutputBuffer Output Buffer. * \param[in] OutputBufferSize Output buffer size. * \param[out] BytesReturned Set to the number of bytes returned. * * \return Successful or errant status. */ NTSTATUS PhFilterSendMessage( _In_ HANDLE Port, _In_reads_bytes_(InBufferSize) PVOID InBuffer, _In_ ULONG InBufferSize, _Out_writes_bytes_to_opt_(OutputBufferSize, *BytesReturned) PVOID OutputBuffer, _In_ ULONG OutputBufferSize, _Out_ PULONG BytesReturned ) { return PhpFilterDeviceIoControl( Port, FLT_CTL_SEND_MESSAGE, InBuffer, InBufferSize, OutputBuffer, OutputBufferSize, BytesReturned, NULL ); } /** * \brief Wrapper which is essentially FilterGetMessage. * * \param[in] Port Filter port handle. * \param[out] MessageBuffer Message buffer. * \param[in] MessageBufferSize Message buffer size. * \param[in] Overlapped Th overlapped structure. * * \return Successful or errant status. */ NTSTATUS PhFilterGetMessage( _In_ HANDLE Port, _Out_writes_bytes_(MessageBufferSize) PFILTER_MESSAGE_HEADER MessageBuffer, _In_ ULONG MessageBufferSize, _Inout_ LPOVERLAPPED Overlapped ) { return PhpFilterDeviceIoControl( Port, FLT_CTL_GET_MESSAGE, NULL, 0, MessageBuffer, MessageBufferSize, NULL, Overlapped ); } /** * \brief Wrapper which is essentially FilterReplyMessage. * * \param[in] Port Filter port handle. * \param[in] ReplyBuffer Reply buffer. * \param[in] ReplyBufferSize Reply buffer size. * * \return Successful or errant status. */ NTSTATUS PhFilterReplyMessage( _In_ HANDLE Port, _In_reads_bytes_(ReplyBufferSize) PFILTER_REPLY_HEADER ReplyBuffer, _In_ ULONG ReplyBufferSize ) { return PhpFilterDeviceIoControl( Port, FLT_CTL_REPLY_MESSAGE, ReplyBuffer, ReplyBufferSize, NULL, 0, NULL, NULL ); } /** * \brief Wrapper which is essentially FilterConnectCommunicationPort. * * \param[in] PortName Name of filter port to connect to. * \param[in] Options Filter port options. * \param[in] ConnectionContext Connection context. * \param[in] SizeOfContext Size of connection context. * \param[in] SecurityAttributes Security attributes for handle. * \param[out] Port Set to filter port handle on success, null on failure. * * \return Successful or errant status. */ NTSTATUS PhFilterConnectCommunicationPort( _In_ PCPH_STRINGREF PortName, _In_ ULONG Options, _In_reads_bytes_opt_(SizeOfContext) PVOID ConnectionContext, _In_ USHORT SizeOfContext, _In_opt_ PSECURITY_ATTRIBUTES SecurityAttributes, _Outptr_ PHANDLE Port ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; UNICODE_STRING objectName; UNICODE_STRING portName; UNICODE_STRING64 portName64; ULONG eaLength; PFILE_FULL_EA_INFORMATION ea; PFLT_CONNECT_CONTEXT eaValue; IO_STATUS_BLOCK ioStatusBlock; *Port = NULL; if ((SizeOfContext > 0 && !ConnectionContext) || (SizeOfContext == 0 && ConnectionContext)) return STATUS_INVALID_PARAMETER; if (SizeOfContext >= FLT_PORT_CONTEXT_MAX) return STATUS_INTEGER_OVERFLOW; if (!PhStringRefToUnicodeString(PortName, &portName)) return STATUS_NAME_TOO_LONG; portName64.Buffer = (ULONGLONG)portName.Buffer; portName64.Length = portName.Length; portName64.MaximumLength = portName.MaximumLength; // // Build the filter EA, this contains the port name and the context. // eaLength = FLT_PORT_FULL_EA_SIZE + FLT_PORT_FULL_EA_VALUE_SIZE + SizeOfContext; ea = _malloca(eaLength); if (!ea) return STATUS_NO_MEMORY; RtlZeroMemory(ea, eaLength); ea->Flags = 0; ea->EaNameLength = sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL); ea->EaValueLength = FLT_PORT_FULL_EA_VALUE_SIZE + SizeOfContext; RtlCopyMemory(ea->EaName, FLT_PORT_EA_NAME, sizeof(FLT_PORT_EA_NAME)); eaValue = PTR_ADD_OFFSET(ea->EaName, sizeof(FLT_PORT_EA_NAME)); eaValue->PortName = &portName; eaValue->PortName64 = &portName64; eaValue->SizeOfContext = SizeOfContext; if (SizeOfContext > 0) RtlCopyMemory(eaValue->Context, ConnectionContext, SizeOfContext); RtlInitUnicodeString(&objectName, FLT_MSG_DEVICE_NAME); InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE | (WindowsVersion < WINDOWS_10 ? 0 : OBJ_DONT_REPARSE), NULL, NULL ); if (SecurityAttributes) { if (SecurityAttributes->bInheritHandle) objectAttributes.Attributes |= OBJ_INHERIT; objectAttributes.SecurityDescriptor = SecurityAttributes->lpSecurityDescriptor; } status = NtCreateFile( Port, FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE, &objectAttributes, &ioStatusBlock, NULL, 0, 0, FILE_OPEN_IF, FlagOn(Options, FLT_PORT_FLAG_SYNC_HANDLE) ? FILE_SYNCHRONOUS_IO_NONALERT : 0, ea, eaLength ); _freea(ea); return status; } ================================================ FILE: phlib/nativejob.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include /** * Create a new job object in the object namespace. * * \param JobObject Receives the handle to the created job object on success. * \param DesiredAccess Desired access mask for the returned handle (e.g., JOB_OBJECT_ALL_ACCESS). * \param RootDirectory Optional handle to an object directory; if non-NULL the object is created relative to this directory. * \param ObjectName Pointer to a constant string reference that names the object. If NULL or empty, an unnamed job is created. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateJobObject( _Out_ PHANDLE JobObject, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_opt_ PCPH_STRINGREF ObjectName ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; if (ObjectName) { if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&objectName, NULL, 0); } InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtCreateJobObject( JobObject, DesiredAccess, &objectAttributes ); return status; } /* * Opens a job object. * * \param JobHandle A variable which receives a handle to the job object. * \param DesiredAccess The desired access to the job object. * \param RootDirectory A handle to the object directory of the job. * \param ObjectName The name of the job object. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtOpenJobObject( JobHandle, DesiredAccess, &objectAttributes ); return status; } /** * Retrieves the list of process IDs associated with a specified job object. * * \param JobHandle A handle to the job object whose process ID list is to be retrieved. * \param ProcessIdList A pointer to a JOBOBJECT_BASIC_PROCESS_ID_LIST structure containing the list of process IDs. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetJobProcessIdList( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_PROCESS_ID_LIST *ProcessIdList ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x100; do { buffer = PhAllocate(bufferSize); status = NtQueryInformationJobObject( JobHandle, JobObjectBasicProcessIdList, buffer, bufferSize, &bufferSize ); if (NT_SUCCESS(status)) { *ProcessIdList = (PJOBOBJECT_BASIC_PROCESS_ID_LIST)buffer; } else { PhFree(buffer); } } while (status == STATUS_BUFFER_OVERFLOW); return status; } /** * Query basic and I/O accounting information for a job object. * * \param JobHandle Handle to the job object to query. * \param BasicAndIoAccounting Pointer to a JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION structure that receives the data. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetJobBasicAndIoAccounting( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION BasicAndIoAccounting ) { return NtQueryInformationJobObject( JobHandle, JobObjectBasicAndIoAccountingInformation, BasicAndIoAccounting, sizeof(JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION), NULL ); } /** * Query the basic limit information for a job object. * * \param JobHandle Handle to the job object to query. * \param BasicLimits Pointer to a JOBOBJECT_BASIC_LIMIT_INFORMATION structure that receives the data. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetJobBasicLimits( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimits ) { return NtQueryInformationJobObject( JobHandle, JobObjectBasicLimitInformation, BasicLimits, sizeof(JOBOBJECT_BASIC_LIMIT_INFORMATION), NULL ); } /** * Query extended limit information for a job object. * * \param JobHandle Handle to the job object to query. * \param ExtendedLimits Pointer to a JOBOBJECT_EXTENDED_LIMIT_INFORMATION structure that receives the data. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetJobExtendedLimits( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_EXTENDED_LIMIT_INFORMATION ExtendedLimits ) { return NtQueryInformationJobObject( JobHandle, JobObjectExtendedLimitInformation, ExtendedLimits, sizeof(JOBOBJECT_EXTENDED_LIMIT_INFORMATION), NULL ); } /** * Query UI restrictions imposed by a job object. * * \param JobHandle Handle to the job object to query. * \param BasicUiRestrictions Pointer to a JOBOBJECT_BASIC_UI_RESTRICTIONS structure that receives the data. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetJobBasicUiRestrictions( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_UI_RESTRICTIONS BasicUiRestrictions ) { return NtQueryInformationJobObject( JobHandle, JobObjectBasicUIRestrictions, BasicUiRestrictions, sizeof(JOBOBJECT_BASIC_UI_RESTRICTIONS), NULL ); } ================================================ FILE: phlib/nativekey.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include static PH_INITONCE PhPredefineKeyInitOnce = PH_INITONCE_INIT; static UNICODE_STRING PhPredefineKeyNames[PH_KEY_MAXIMUM_PREDEFINE] = { RTL_CONSTANT_STRING(L"\\Registry\\Machine"), RTL_CONSTANT_STRING(L"\\Registry\\User"), RTL_CONSTANT_STRING(L"\\Registry\\Machine\\Software\\Classes"), { 0, 0, NULL } }; static HANDLE PhPredefineKeyHandles[PH_KEY_MAXIMUM_PREDEFINE] = { 0 }; /** * Initializes usage of predefined keys. */ VOID PhpInitializePredefineKeys( VOID ) { static CONST UNICODE_STRING currentUserPrefix = RTL_CONSTANT_STRING(L"\\Registry\\User\\"); NTSTATUS status; PH_TOKEN_USER tokenUser; UNICODE_STRING stringSid; WCHAR stringSidBuffer[SECURITY_MAX_SID_STRING_CHARACTERS]; PUNICODE_STRING currentUserKeyName; // Get the string SID of the current user. if (NT_SUCCESS(status = PhGetTokenUser(PhGetOwnTokenAttributes().TokenHandle, &tokenUser))) { RtlInitEmptyUnicodeString(&stringSid, stringSidBuffer, sizeof(stringSidBuffer)); if (PhEqualSid(tokenUser.User.Sid, &PhSeLocalSystemSid)) { status = RtlInitUnicodeStringEx(&stringSid, L".DEFAULT"); } else { status = RtlConvertSidToUnicodeString(&stringSid, tokenUser.User.Sid, FALSE); } } // Construct the current user key name. if (NT_SUCCESS(status)) { currentUserKeyName = &PhPredefineKeyNames[PH_KEY_CURRENT_USER_NUMBER]; currentUserKeyName->Length = currentUserPrefix.Length + stringSid.Length; currentUserKeyName->MaximumLength = currentUserKeyName->Length + sizeof(UNICODE_NULL); currentUserKeyName->Buffer = PhAllocate(currentUserKeyName->MaximumLength); memcpy(currentUserKeyName->Buffer, currentUserPrefix.Buffer, currentUserPrefix.Length); memcpy(¤tUserKeyName->Buffer[currentUserPrefix.Length / sizeof(WCHAR)], stringSid.Buffer, stringSid.Length); } } /** * Initializes the attributes of a key object for creating/opening. * * \param RootDirectory A handle to a root key, or one of the predefined keys. See PhCreateKey() for details. * \param ObjectName The path to the key. * \param Attributes Additional object flags. * \param ObjectAttributes The OBJECT_ATTRIBUTES structure to initialize. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpInitializeKeyObjectAttributes( _In_opt_ HANDLE RootDirectory, _In_ PUNICODE_STRING ObjectName, _In_ ULONG Attributes, _Out_ POBJECT_ATTRIBUTES ObjectAttributes ) { NTSTATUS status; ULONG predefineIndex; HANDLE predefineHandle; OBJECT_ATTRIBUTES predefineObjectAttributes; InitializeObjectAttributes( ObjectAttributes, ObjectName, Attributes | OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); if (RootDirectory && PH_KEY_IS_PREDEFINED(RootDirectory)) { predefineIndex = PH_KEY_PREDEFINE_TO_NUMBER(RootDirectory); if (predefineIndex < PH_KEY_MAXIMUM_PREDEFINE) { if (PhBeginInitOnce(&PhPredefineKeyInitOnce)) { PhpInitializePredefineKeys(); PhEndInitOnce(&PhPredefineKeyInitOnce); } predefineHandle = InterlockedReadPointer(&PhPredefineKeyHandles[predefineIndex]); if (!predefineHandle) { // The predefined key has not been opened yet. Do so now. if (!PhPredefineKeyNames[predefineIndex].Buffer) // we may have failed in getting the current user key name return STATUS_UNSUCCESSFUL; InitializeObjectAttributes( &predefineObjectAttributes, &PhPredefineKeyNames[predefineIndex], OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenKey( &predefineHandle, KEY_READ, &predefineObjectAttributes ); if (!NT_SUCCESS(status)) return status; HANDLE keyHandle = InterlockedCompareExchangePointer( &PhPredefineKeyHandles[predefineIndex], predefineHandle, NULL ); if (keyHandle) { // Someone else already opened the key and cached it. NtClose(predefineHandle); predefineHandle = keyHandle; } } ObjectAttributes->RootDirectory = predefineHandle; } } return STATUS_SUCCESS; } /** * Creates or opens a registry key. * * \param KeyHandle A variable which receives a handle to the key. * \param DesiredAccess The desired access to the key. * \param RootDirectory A handle to a root key, or one of the following predefined keys: * \li \c PH_KEY_LOCAL_MACHINE Represents \\Registry\\Machine. * \li \c PH_KEY_USERS Represents \\Registry\\User. * \li \c PH_KEY_CLASSES_ROOT Represents \\Registry\\Machine\\Software\\Classes. * \li \c PH_KEY_CURRENT_USER Represents \\Registry\\User\\[SID of current user]. * \param ObjectName The path to the key. * \param Attributes Additional object flags. * \param CreateOptions The options to apply when creating or opening the key. * \param Disposition A variable which receives a value indicating whether a new key was created or * an existing key was opened: * \li \c REG_CREATED_NEW_KEY A new key was created. * \li \c REG_OPENED_EXISTING_KEY An existing key was opened. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName, _In_ ULONG Attributes, _In_ ULONG CreateOptions, _Out_opt_ PULONG Disposition ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; if (!NT_SUCCESS(status = PhpInitializeKeyObjectAttributes( RootDirectory, &objectName, Attributes, &objectAttributes ))) { return status; } status = NtCreateKey( KeyHandle, DesiredAccess, &objectAttributes, 0, NULL, CreateOptions, Disposition ); return status; } /** * Opens a registry key. * * \param KeyHandle A variable which receives a handle to the key. * \param DesiredAccess The desired access to the key. * \param RootDirectory A handle to a root key, or one of the predefined keys. See PhCreateKey() for details. * \param ObjectName The path to the key. * \param Attributes Additional object flags. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF ObjectName, _In_ ULONG Attributes ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; if (!PhStringRefToUnicodeString(ObjectName, &objectName)) return STATUS_NAME_TOO_LONG; if (!NT_SUCCESS(status = PhpInitializeKeyObjectAttributes( RootDirectory, &objectName, Attributes, &objectAttributes ))) { return status; } status = NtOpenKey( KeyHandle, DesiredAccess, &objectAttributes ); return status; } // rev from RegLoadAppKey (dmex) /** * Loads the specified registry hive file into a private application hive. * * \param KeyHandle A variable which receives a handle to the key. * \param FileName A string containing a file name. * \param DesiredAccess The desired access to the key. * \param Flags Optional flags for loading the hive. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhLoadAppKey( _Out_ PHANDLE KeyHandle, _In_ PCPH_STRINGREF FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ ULONG Flags ) { NTSTATUS status; GUID guid; UNICODE_STRING fileName; UNICODE_STRING objectName; OBJECT_ATTRIBUTES targetAttributes; OBJECT_ATTRIBUTES sourceAttributes; if (!PhStringRefToUnicodeString(FileName, &fileName)) return STATUS_NAME_TOO_LONG; PhGenerateGuid(&guid); #if defined(PHNT_USE_NATIVE_APPEND) UNICODE_STRING guidStringUs; WCHAR objectNameBuffer[MAXIMUM_FILENAME_LENGTH]; RtlInitEmptyUnicodeString(&objectName, objectNameBuffer, sizeof(objectNameBuffer)); if (!NT_SUCCESS(status = RtlStringFromGUID(&guid, &guidStringUs))) return status; if (!NT_SUCCESS(status = RtlAppendUnicodeToString(&objectName, L"\\REGISTRY\\A\\"))) goto CleanupExit; if (!NT_SUCCESS(status = RtlAppendUnicodeStringToString(&objectName, &guidStringUs))) goto CleanupExit; #else static CONST PH_STRINGREF namespaceString = PH_STRINGREF_INIT(L"\\REGISTRY\\A\\"); PPH_STRING guidString; if (!(guidString = PhFormatGuid(&guid))) return STATUS_UNSUCCESSFUL; PhMoveReference(&guidString, PhConcatStringRef2(&namespaceString, &guidString->sr)); if (!PhStringRefToUnicodeString(&guidString->sr, &objectName)) { PhDereferenceObject(guidString); return STATUS_NAME_TOO_LONG; } #endif InitializeObjectAttributes( &targetAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL ); InitializeObjectAttributes( &sourceAttributes, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtLoadKeyEx( &targetAttributes, &sourceAttributes, REG_APP_HIVE | Flags, NULL, NULL, DesiredAccess, KeyHandle, NULL ); #if defined(PHNT_USE_NATIVE_APPEND) RtlFreeUnicodeString(&guidStringUs); #else PhDereferenceObject(guidString); #endif return status; } /** * Gets information about a registry key. * * \param KeyHandle A handle to the key. * \param KeyInformationClass The information class to query. * \param Buffer A variable which receives a pointer to a buffer containing information about the * registry key. You must free the buffer with PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS KeyInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG attempts = 16; bufferSize = 0x100; buffer = PhAllocate(bufferSize); do { status = NtQueryKey( KeyHandle, KeyInformationClass, buffer, bufferSize, &bufferSize ); if (NT_SUCCESS(status)) break; if (status == STATUS_BUFFER_OVERFLOW) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { PhFree(buffer); return status; } } while (--attempts); *Buffer = buffer; return status; } /** * Gets the information for a registry key. * * \param KeyHandle A handle to the key. * \param Information The registry key information, including information * about its subkeys and the maximum length for their names and value entries. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryKeyInformation( _In_ HANDLE KeyHandle, _Out_opt_ PKEY_FULL_INFORMATION Information ) { NTSTATUS status; ULONG bufferLength = 0; status = NtQueryKey( KeyHandle, KeyFullInformation, Information, sizeof(KEY_FULL_INFORMATION), &bufferLength ); return status; } /** * Gets the last write time for a registry key without allocating memory. (dmex) * * \param KeyHandle A handle to the key. * \param LastWriteTime The last write time of the key. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryKeyLastWriteTime( _In_ HANDLE KeyHandle, _Out_ PLARGE_INTEGER LastWriteTime ) { NTSTATUS status; KEY_BASIC_INFORMATION basicInfo = { 0 }; ULONG bufferLength = 0; status = NtQueryKey( KeyHandle, KeyBasicInformation, &basicInfo, UFIELD_OFFSET(KEY_BASIC_INFORMATION, Name), &bufferLength ); if (status == STATUS_BUFFER_OVERFLOW && basicInfo.LastWriteTime.QuadPart != 0) { *LastWriteTime = basicInfo.LastWriteTime; return STATUS_SUCCESS; } else { PKEY_BASIC_INFORMATION buffer; status = PhQueryKey( KeyHandle, KeyBasicInformation, &buffer ); if (NT_SUCCESS(status)) { memcpy(LastWriteTime, &buffer->LastWriteTime, sizeof(LARGE_INTEGER)); PhFree(buffer); } } return status; } /** * Gets a registry value of any type. * * \param KeyHandle A handle to the key. * \param ValueName The name of the value. * \param KeyValueInformationClass The information class to query. * \param Buffer A variable which receives a pointer to a buffer containing information about the * registry value. You must free the buffer with PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryValueKey( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; UNICODE_STRING valueName; PVOID buffer; ULONG bufferSize; ULONG attempts = 16; if (ValueName && ValueName->Length) { if (!PhStringRefToUnicodeString(ValueName, &valueName)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&valueName, NULL, 0); } bufferSize = 0x100; buffer = PhAllocate(bufferSize); do { status = NtQueryValueKey( KeyHandle, &valueName, KeyValueInformationClass, buffer, bufferSize, &bufferSize ); if (NT_SUCCESS(status)) break; if (status == STATUS_BUFFER_OVERFLOW) { PhFree(buffer); buffer = PhAllocate(bufferSize); } else { PhFree(buffer); return status; } } while (--attempts); *Buffer = buffer; return status; } /** * Sets the value of a registry key. * * \param KeyHandle Handle to an open registry key. * \param ValueName Optional pointer to a PH_STRINGREF structure that specifies the name of the value to set. * \param ValueType Type of data to be stored (e.g., REG_SZ, REG_DWORD). * \param Buffer Pointer to the data to be stored. * \param BufferLength Length, in bytes, of the data pointed to by Buffer. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetValueKey( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName, _In_ ULONG ValueType, _In_ PVOID Buffer, _In_ ULONG BufferLength ) { NTSTATUS status; UNICODE_STRING valueName; if (ValueName) { if (!PhStringRefToUnicodeString(ValueName, &valueName)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&valueName, NULL, 0); } status = NtSetValueKey( KeyHandle, &valueName, 0, ValueType, Buffer, BufferLength ); return status; } /** * Deletes a value from the specified registry key. * * \param KeyHandle Handle to an open registry key. * \param ValueName Optional. Pointer to a PH_STRINGREF structure that specifies the name of the value to delete. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDeleteValueKey( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ) { UNICODE_STRING valueName; if (ValueName) { if (!PhStringRefToUnicodeString(ValueName, &valueName)) return STATUS_NAME_TOO_LONG; } else { RtlInitEmptyUnicodeString(&valueName, NULL, 0); } return NtDeleteValueKey(KeyHandle, &valueName); } /** * Enumerates subkeys of a registry key and invokes a callback for each enumerated entry. * * \param KeyHandle Handle to an open registry key to enumerate. * \param InformationClass KEY_INFORMATION_CLASS value specifying the format of the returned records. * \param Callback A function pointer invoked for each successfully retrieved key entry. * \param Context Optional context pointer forwarded to the callback. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumerateKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS InformationClass, _In_ PPH_ENUM_KEY_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG index = 0; bufferSize = 0x100; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; while (TRUE) { status = NtEnumerateKey( KeyHandle, index, InformationClass, buffer, bufferSize, &bufferSize ); if (status == STATUS_NO_MORE_ENTRIES) { status = STATUS_SUCCESS; break; } if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL) { PhFreeStack(buffer); buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; status = NtEnumerateKey( KeyHandle, index, InformationClass, buffer, bufferSize, &bufferSize ); } if (!NT_SUCCESS(status)) break; if (!Callback(KeyHandle, buffer, Context)) break; index++; } PhFreeStack(buffer); return status; } /** * Enumerates the values of a registry key and invokes a callback for each enumerated value entry. * * \param KeyHandle Handle to an open registry key to enumerate values from. * \param InformationClass KEY_VALUE_INFORMATION_CLASS value specifying the format of the returned records. * \param Callback A function pointer invoked for each successfully retrieved value entry. * \param Context Optional context pointer forwarded to the callback. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumerateValueKey( _In_ HANDLE KeyHandle, _In_ KEY_VALUE_INFORMATION_CLASS InformationClass, _In_ PPH_ENUM_KEY_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG index = 0; bufferSize = 0x100; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; while (TRUE) { status = NtEnumerateValueKey( KeyHandle, index, InformationClass, buffer, bufferSize, &bufferSize ); if (status == STATUS_NO_MORE_ENTRIES) { status = STATUS_SUCCESS; break; } if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL) { PhFreeStack(buffer); buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; status = NtEnumerateValueKey( KeyHandle, index, InformationClass, buffer, bufferSize, &bufferSize ); } if (!NT_SUCCESS(status)) break; if (!Callback(KeyHandle, buffer, Context)) break; index++; } PhFreeStack(buffer); return status; } /** * Enumerates the values of a registry key and returns a buffer for each enumerated value entry. * * \param[in] KeyHandle Handle to an open registry key to enumerate values from. * \param[in] Index Zero-based index of the value entry to retrieve. * \param[in] InformationClass KEY_VALUE_INFORMATION_CLASS value specifying the format of the returned record. * \param[out] Buffer Receives a pointer to a buffer containing the value entry information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEnumerateValueKeyEx( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_VALUE_INFORMATION_CLASS InformationClass, _Out_ PVOID* Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG returnLength; bufferSize = 256; buffer = PhAllocate(bufferSize); status = NtEnumerateValueKey( KeyHandle, Index, InformationClass, buffer, bufferSize, &returnLength ); if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); status = NtEnumerateValueKey( KeyHandle, Index, InformationClass, buffer, bufferSize, &returnLength ); } if (NT_SUCCESS(status)) { *Buffer = buffer; } else { PhFree(buffer); *Buffer = NULL; } return status; } ================================================ FILE: phlib/nativemodule.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include typedef _Function_class_(PH_ENUM_MODULES_CALLBACK) BOOLEAN NTAPI PH_ENUM_MODULES_CALLBACK( _In_ HANDLE ProcessHandle, _In_ PVOID Entry, _In_ PVOID AddressOfEntry, _In_ ULONG SizeOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2 ); typedef PH_ENUM_MODULES_CALLBACK* PPH_ENUM_MODULES_CALLBACK; /** * Opens a named section object and a handle to the section object. * * \param[out] SectionHandle Receives the opened section handle on success; NULL on failure. * \param[in] DesiredAccess Access mask specifying desired rights. * \param[in] RootDirectory Optional root directory handle for relative section name resolution; NULL for absolute names. * \param[in] SectionName Pointer to the section name. If the name is too long, STATUS_NAME_TOO_LONG is returned. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PCPH_STRINGREF SectionName ) { NTSTATUS status; UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; HANDLE sectionHandle; if (!PhStringRefToUnicodeString(SectionName, &objectName)) return STATUS_NAME_TOO_LONG; InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL ); status = NtOpenSection( §ionHandle, DesiredAccess, &objectAttributes ); if (NT_SUCCESS(status)) { *SectionHandle = sectionHandle; } else { *SectionHandle = NULL; } return status; } /** * Creates a section object. * * \param[out] SectionHandle Pointer to a variable that receives a handle to the section object. * \param[in] DesiredAccess The access mask that specifies the requested access to the section object. * \param[in] MaximumSize The maximum size, in bytes, of the section. The actual size when backed by the paging file, or the maximum the file can be extended or mapped when backed by an ordinary file. * \param[in] SectionPageProtection Specifies the protection to place on each page in the section. * \param[in] AllocationAttributes A bitmask of SEC_XXX flags that determines the allocation attributes of the section. * \param[in] FileHandle Optionally specifies a handle for an open file object. If the value of FileHandle is NULL, the section is backed by the paging file. Otherwise, the section is backed by the specified file. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; HANDLE sectionHandle; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); //if (WindowsVersion >= WINDOWS_10_RS5) //{ // MEM_ADDRESS_REQUIREMENTS addressRequirement; // MEM_EXTENDED_PARAMETER extendedParameters[3]; // // addressRequirement.LowestStartingAddress = NULL; // addressRequirement.HighestEndingAddress = UlongToPtr(MAXLONG); // 0x7fffffff // below 4GB // addressRequirement.Alignment = PAGE_SIZE; // // extendedParameters[0].Type = MemExtendedParameterAddressRequirements; // extendedParameters[0].Pointer = &addressRequirement; // extendedParameters[1].Type = MemExtendedParameterAttributeFlags; // extendedParameters[1].ULong64 = MEM_EXTENDED_PARAMETER_EC_CODE; // extendedParameters[2].Type = MemExtendedParameterImageMachine; // extendedParameters[2].ULong64 = IMAGE_FILE_MACHINE_ARM64EC; // // status = NtCreateSectionEx( // §ionHandle, // DesiredAccess, // &objectAttributes, // MaximumSize, // SectionPageProtection, // AllocationAttributes, // FileHandle, // extendedParameters, // RTL_NUMBER_OF(extendedParameters) // ); //} status = NtCreateSection( §ionHandle, DesiredAccess, &objectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle ); if (NT_SUCCESS(status)) { *SectionHandle = sectionHandle; } else { *SectionHandle = NULL; } return status; } /** * Maps a view of a section into the address space of a process. * * \param[in] SectionHandle Handle to the section object. * \param[in] ProcessHandle Handle to the process to map into. * \param[in,out] BaseAddress On input, preferred base address; on output, actual base address. * \param[in] CommitSize Size of the initially committed pages in the view. * \param[in] SectionOffset Optional offset in the section to begin mapping. * \param[in,out] ViewSize On input, requested view size; on output, actual mapped size. * \param[in] InheritDisposition Specifies whether the view is shared or unshared. * \param[in] AllocationType Type of allocation (usually 0). * \param[in] PageProtection Protection for the mapped pages. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhMapViewOfSection( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _In_ SIZE_T CommitSize, _In_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ SECTION_INHERIT InheritDisposition, _In_ ULONG AllocationType, _In_ ULONG PageProtection ) { NTSTATUS status; PVOID baseAddress = *BaseAddress; SIZE_T viewSize = *ViewSize; //if (WindowsVersion >= WINDOWS_10_RS5) //{ // MEM_ADDRESS_REQUIREMENTS addressRequirement; // MEM_EXTENDED_PARAMETER extendedParameters[3]; // // addressRequirement.LowestStartingAddress = NULL; // addressRequirement.HighestEndingAddress = UlongToPtr(MAXLONG); // 0x7fffffff // below 4GB // addressRequirement.Alignment = PAGE_SIZE; // // extendedParameters[0].Type = MemExtendedParameterAddressRequirements; // extendedParameters[0].Pointer = &addressRequirement; // extendedParameters[1].Type = MemExtendedParameterAttributeFlags; // extendedParameters[1].ULong64 = MEM_EXTENDED_PARAMETER_EC_CODE; // extendedParameters[2].Type = MemExtendedParameterImageMachine; // extendedParameters[2].ULong64 = IMAGE_FILE_MACHINE_ARM64EC; // // status = NtMapViewOfSectionEx( // SectionHandle, // ProcessHandle, // &baseAddress, // SectionOffset, // &viewSize, // AllocationType, // PageProtection, // extendedParameters, // RTL_NUMBER_OF(extendedParameters) // ); //} status = NtMapViewOfSection( SectionHandle, ProcessHandle, &baseAddress, 0, CommitSize, SectionOffset, &viewSize, InheritDisposition, AllocationType, PageProtection ); if (NT_SUCCESS(status)) { *BaseAddress = baseAddress; *ViewSize = viewSize; } else { *BaseAddress = NULL; *ViewSize = 0; } return status; } /** * Unmaps a view of a section from the address space of a process. * * \param ProcessHandle Handle to the process from which the section view will be unmapped. * \param BaseAddress Optional base address of the mapped view to unmap. If NULL, the system determines the base address. * \return NTSTATUS code indicating success or failure of the operation. * * This function calls NtUnmapViewOfSection to remove a mapped section from the specified process's address space. */ NTSTATUS PhUnmapViewOfSection( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress ) { NTSTATUS status; status = NtUnmapViewOfSection( ProcessHandle, BaseAddress ); return status; } /** * Enumerates the modules loaded by the kernel. * * \param Modules A variable which receives a pointer to a structure containing information about * the kernel modules. You must free the structure using PhFree() when you no longer need it. */ NTSTATUS PhEnumKernelModules( _Out_ PRTL_PROCESS_MODULES *Modules ) { static ULONG initialBufferSize = 0x1000; NTSTATUS status; PRTL_PROCESS_MODULES buffer; ULONG bufferSize; bufferSize = initialBufferSize; buffer = PhAllocateZero(bufferSize); status = NtQuerySystemInformation( SystemModuleInformation, buffer, bufferSize, &bufferSize ); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); buffer = PhAllocateZero(bufferSize); status = NtQuerySystemInformation( SystemModuleInformation, buffer, bufferSize, &bufferSize ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } // Note: Windows 11 24H2 introduced breaking changes where, without SeDebugPrivilege, every module's reported base address is zero. // System Informer previously keyed modules by base address in a hash table; this causes enumeration collisions and prevents modules // from being displayed correctly. It also breaks displaying symbol information and interoperability with APIs that require distinct // base addresses for symbol resolution (for example, dbghelp). System Informer only presents module metadata and does not require the // base addresses to be valid. To preserve unique identifiers and restore correct enumeration and symbol-related behavior, generate a // synthetic base address for each module above MaximumUserModeAddress. (dmex) if (WindowsVersion >= WINDOWS_11_24H2 && !PhGetOwnTokenAttributes().Elevated) { PBYTE pseudoBase = IntToPtr(INT32_MIN); PRTL_PROCESS_MODULE_INFORMATION module; for (ULONG i = 0; i < buffer->NumberOfModules; i++) { module = &buffer->Modules[i]; if (module->ImageBase == 0) module->ImageBase = pseudoBase; pseudoBase += module->ImageSize; } } if (bufferSize <= 0x100000) initialBufferSize = bufferSize; *Modules = buffer; return status; } /** * Enumerates the modules loaded by the kernel. * * \param Modules A variable which receives a pointer to a structure containing information about * the kernel modules. You must free the structure using PhFree() when you no longer need it. */ NTSTATUS PhEnumKernelModulesEx( _Out_ PRTL_PROCESS_MODULE_INFORMATION_EX *Modules ) { static ULONG initialBufferSize = 0x1000; NTSTATUS status; PRTL_PROCESS_MODULE_INFORMATION_EX buffer; ULONG bufferSize; bufferSize = initialBufferSize; buffer = PhAllocateZero(bufferSize); status = NtQuerySystemInformation( SystemModuleInformationEx, buffer, bufferSize, &bufferSize ); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); buffer = PhAllocateZero(bufferSize); status = NtQuerySystemInformation( SystemModuleInformationEx, buffer, bufferSize, &bufferSize ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } // Note: Windows 11 24H2 introduced breaking changes where, without SeDebugPrivilege, every module's reported base address is zero. // System Informer previously keyed modules by base address in a hash table; this causes enumeration collisions and prevents modules // from being displayed correctly. It also breaks displaying symbol information and interoperability with APIs that require distinct // base addresses for symbol resolution (for example, dbghelp). System Informer only presents module metadata and does not require the // base addresses to be valid. To preserve unique identifiers and restore correct enumeration and symbol-related behavior, generate a // synthetic base address for each module above MaximumUserModeAddress. (dmex) if (WindowsVersion >= WINDOWS_11_24H2 && !PhGetOwnTokenAttributes().Elevated) { PBYTE pseudoBase = IntToPtr(INT32_MIN); PRTL_PROCESS_MODULE_INFORMATION_EX module; for (module = buffer; module->NextOffset; module = RTL_PTR_ADD(module, module->NextOffset)) { if (module->ImageBase == 0) module->ImageBase = pseudoBase; pseudoBase += module->ImageSize; } } if (bufferSize <= 0x100000) initialBufferSize = bufferSize; *Modules = buffer; return status; } /** * Gets the file name of the kernel image. * * \return A pointer to a string containing the kernel image file name. You must free the string * using PhDereferenceObject() when you no longer need it. */ PPH_STRING PhGetKernelFileName( VOID ) { NTSTATUS status; UCHAR buffer[FIELD_OFFSET(RTL_PROCESS_MODULES, Modules) + sizeof(RTL_PROCESS_MODULE_INFORMATION)] = { 0 }; PRTL_PROCESS_MODULES modules; ULONG modulesLength; modules = (PRTL_PROCESS_MODULES)buffer; modulesLength = sizeof(buffer); status = NtQuerySystemInformation( SystemModuleInformation, modules, modulesLength, &modulesLength ); if (status != STATUS_SUCCESS && status != STATUS_INFO_LENGTH_MISMATCH) return NULL; if (status == STATUS_SUCCESS || modules->NumberOfModules < 1) return NULL; return PhZeroExtendToUtf16((PCSTR)modules->Modules[0].FullPathName); } /** * Gets the file name, base address and size of the kernel image. * * \return A pointer to a string containing the kernel image file name. You must free the string * using PhDereferenceObject() when you no longer need it. */ NTSTATUS PhGetKernelFileNameEx( _Out_opt_ PPH_STRING* FileName, _Out_ PVOID* ImageBase, _Out_ ULONG* ImageSize ) { NTSTATUS status; UCHAR buffer[FIELD_OFFSET(RTL_PROCESS_MODULES, Modules) + sizeof(RTL_PROCESS_MODULE_INFORMATION)] = { 0 }; PRTL_PROCESS_MODULES modules; ULONG modulesLength; modules = (PRTL_PROCESS_MODULES)buffer; modulesLength = sizeof(buffer); status = NtQuerySystemInformation( SystemModuleInformation, modules, modulesLength, &modulesLength ); if (status != STATUS_SUCCESS && status != STATUS_INFO_LENGTH_MISMATCH) return STATUS_UNSUCCESSFUL; if (status == STATUS_SUCCESS || modules->NumberOfModules < 1) return STATUS_UNSUCCESSFUL; if (FileName) { *FileName = PhZeroExtendToUtf16((PCSTR)modules->Modules[0].FullPathName); } if (WindowsVersion >= WINDOWS_11_24H2 && !PhGetOwnTokenAttributes().Elevated) { // Note: Windows 11 24H2 introduced breaking changes where, without SeDebugPrivilege, every module's reported base address is zero. // System Informer previously keyed modules by base address in a hash table; this causes enumeration collisions and prevents modules // from being displayed correctly. It also breaks displaying symbol information and interoperability with APIs that require distinct // base addresses for symbol resolution (for example, dbghelp). System Informer only presents module metadata and does not require the // base addresses to be valid. To preserve unique identifiers and restore correct enumeration and symbol-related behavior, generate a // synthetic base address for each module above MaximumUserModeAddress. (dmex) if (modules->Modules[0].ImageBase == 0) modules->Modules[0].ImageBase = IntToPtr(INT32_MIN); } *ImageBase = modules->Modules[0].ImageBase; *ImageSize = modules->Modules[0].ImageSize; return STATUS_SUCCESS; } PPH_STRING PhGetSecureKernelFileName( VOID ) { static CONST PH_STRINGREF system32String = PH_STRINGREF_INIT(L"\\System32\\"); static CONST PH_STRINGREF secureKernelPathPart = PH_STRINGREF_INIT(L"\\securekernel.exe"); static CONST PH_STRINGREF secureKernella57PathPart = PH_STRINGREF_INIT(L"\\securekernella57.exe"); PPH_STRING fileName = NULL; PPH_STRING kernelFileName; BOOLEAN isLa57 = FALSE; if (kernelFileName = PhGetKernelFileName()) { PH_STRINGREF baseName; if (PhEndsWithStringRef2(&kernelFileName->sr, L"la57.exe", TRUE)) { isLa57 = TRUE; } if (PhGetBasePath(&kernelFileName->sr, &baseName, NULL)) { fileName = PhConcatStringRef2(&baseName, isLa57 ? &PhSecureKernelFileAliasList[1] : &secureKernelPathPart); } PhDereferenceObject(kernelFileName); } if (PhIsNullOrEmptyString(fileName)) { PH_STRINGREF systemRootString; PhGetNtSystemRoot(&systemRootString); fileName = PhConcatStringRef3( &systemRootString, &system32String, isLa57 ? &secureKernella57PathPart : &secureKernelPathPart ); } return fileName; } NTSTATUS PhpEnumProcessModules( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_MODULES_CALLBACK Callback, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2 ) { NTSTATUS status; PPEB peb; PVOID ldr; PEB_LDR_DATA pebLdrData; PLIST_ENTRY startLink; PLIST_ENTRY currentLink; ULONG entrySize; LDR_DATA_TABLE_ENTRY currentEntry; ULONG i; // Get the PEB address. status = PhGetProcessPeb(ProcessHandle, &peb); if (!NT_SUCCESS(status)) return status; // Read the address of the loader data. status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(peb, FIELD_OFFSET(PEB, Ldr)), &ldr, sizeof(PVOID), NULL ); if (!NT_SUCCESS(status)) return status; if (!ldr) return STATUS_UNSUCCESSFUL; // Read the loader data. status = PhReadVirtualMemory( ProcessHandle, ldr, &pebLdrData, sizeof(PEB_LDR_DATA), NULL ); if (!NT_SUCCESS(status)) return status; // Check the loader was initialized (dmex) if (!pebLdrData.Initialized) return STATUS_UNSUCCESSFUL; if (WindowsVersion >= WINDOWS_11) entrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN11; else if (WindowsVersion >= WINDOWS_8) entrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN8; else entrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN7; // Traverse the linked list (in load order). i = 0; startLink = PTR_ADD_OFFSET(ldr, UFIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModuleList)); currentLink = pebLdrData.InLoadOrderModuleList.Flink; while ( currentLink != startLink && i <= PH_ENUM_PROCESS_MODULES_LIMIT ) { PVOID addressOfEntry; addressOfEntry = CONTAINING_RECORD(currentLink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); status = PhReadVirtualMemory( ProcessHandle, addressOfEntry, ¤tEntry, entrySize, NULL ); if (!NT_SUCCESS(status)) return status; // Make sure the entry is valid. if (currentEntry.DllBase) { // Execute the callback. if (!Callback( ProcessHandle, ¤tEntry, addressOfEntry, entrySize, Context1, Context2 )) break; } currentLink = currentEntry.InLoadOrderLinks.Flink; i++; } return status; } _Function_class_(PH_ENUM_MODULES_CALLBACK) static BOOLEAN NTAPI PhpEnumProcessModulesCallback( _In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ PVOID AddressOfEntry, _In_ ULONG SizeOfEntry, _In_ PVOID Context1, _In_ PVOID Context2 ) { PPH_ENUM_PROCESS_MODULES_PARAMETERS parameters = Context1; NTSTATUS status; BOOLEAN result; PPH_STRING mappedFileName = NULL; PWSTR fullDllNameOriginal; PWSTR fullDllNameBuffer = NULL; PWSTR baseDllNameOriginal; PWSTR baseDllNameBuffer = NULL; if (parameters->Flags & PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME) { PhGetProcessMappedFileName(ProcessHandle, Entry->DllBase, &mappedFileName); } if (mappedFileName) { ULONG_PTR indexOfLastBackslash; PhStringRefToUnicodeString(&mappedFileName->sr, &Entry->FullDllName); indexOfLastBackslash = PhFindLastCharInString(mappedFileName, 0, OBJ_NAME_PATH_SEPARATOR); if (indexOfLastBackslash != SIZE_MAX) { Entry->BaseDllName.Buffer = Entry->FullDllName.Buffer + indexOfLastBackslash + 1; Entry->BaseDllName.Length = Entry->FullDllName.Length - (USHORT)indexOfLastBackslash * sizeof(WCHAR) - sizeof(UNICODE_NULL); Entry->BaseDllName.MaximumLength = Entry->BaseDllName.Length + sizeof(UNICODE_NULL); } else { Entry->BaseDllName = Entry->FullDllName; } } else { // Read the full DLL name string and add a null terminator. fullDllNameOriginal = Entry->FullDllName.Buffer; fullDllNameBuffer = PhAllocate(Entry->FullDllName.Length + sizeof(UNICODE_NULL)); Entry->FullDllName.Buffer = fullDllNameBuffer; if (NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, fullDllNameOriginal, fullDllNameBuffer, Entry->FullDllName.Length, NULL ))) { fullDllNameBuffer[Entry->FullDllName.Length / sizeof(WCHAR)] = UNICODE_NULL; } else { fullDllNameBuffer[0] = UNICODE_NULL; Entry->FullDllName.Length = 0; } baseDllNameOriginal = Entry->BaseDllName.Buffer; // Try to use the buffer we just read in. if ( NT_SUCCESS(status) && (ULONG_PTR)baseDllNameOriginal >= (ULONG_PTR)fullDllNameOriginal && (ULONG_PTR)baseDllNameOriginal + Entry->BaseDllName.Length >= (ULONG_PTR)baseDllNameOriginal && (ULONG_PTR)baseDllNameOriginal + Entry->BaseDllName.Length <= (ULONG_PTR)fullDllNameOriginal + Entry->FullDllName.Length ) { baseDllNameBuffer = NULL; Entry->BaseDllName.Buffer = (PWCHAR)((ULONG_PTR)Entry->FullDllName.Buffer + ((ULONG_PTR)baseDllNameOriginal - (ULONG_PTR)fullDllNameOriginal)); } else { // Read the base DLL name string and add a null terminator. baseDllNameBuffer = PhAllocate(Entry->BaseDllName.Length + sizeof(UNICODE_NULL)); Entry->BaseDllName.Buffer = baseDllNameBuffer; if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, baseDllNameOriginal, baseDllNameBuffer, Entry->BaseDllName.Length, NULL ))) { baseDllNameBuffer[Entry->BaseDllName.Length / sizeof(WCHAR)] = UNICODE_NULL; } else { baseDllNameBuffer[0] = UNICODE_NULL; Entry->BaseDllName.Length = 0; } } } if (WindowsVersion >= WINDOWS_8 && Entry->DdagNode && RTL_CONTAINS_FIELD(Entry, SizeOfEntry, DdagNode)) { LDR_DDAG_NODE ldrDagNode; memset(&ldrDagNode, 0, sizeof(LDR_DDAG_NODE)); if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, Entry->DdagNode, &ldrDagNode, sizeof(LDR_DDAG_NODE), NULL ))) { // Fixup the module load count. (dmex) Entry->ObsoleteLoadCount = (USHORT)ldrDagNode.LoadCount; } } // Execute the callback. result = parameters->Callback(Entry, parameters->Context); if (mappedFileName) { PhDereferenceObject(mappedFileName); } else { if (fullDllNameBuffer) PhFree(fullDllNameBuffer); if (baseDllNameBuffer) PhFree(baseDllNameBuffer); } return result; } /** * Enumerates the modules loaded by a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param Callback A callback function which is executed for each process module. * \param Context A user-defined value to pass to the callback function. */ NTSTATUS PhEnumProcessModules( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ) { PH_ENUM_PROCESS_MODULES_PARAMETERS parameters; parameters.Callback = Callback; parameters.Context = Context; parameters.Flags = 0; return PhEnumProcessModulesEx(ProcessHandle, ¶meters); } /** * Enumerates the modules loaded by a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. If * \c PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME is specified in \a Parameters, the handle should * have PROCESS_QUERY_INFORMATION access. * \param Parameters The enumeration parameters. */ NTSTATUS PhEnumProcessModulesEx( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters ) { return PhpEnumProcessModules( ProcessHandle, PhpEnumProcessModulesCallback, Parameters, NULL ); } typedef struct _SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT { NTSTATUS Status; PVOID BaseAddress; ULONG LoadCount; } SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT, *PSET_PROCESS_MODULE_LOAD_COUNT_CONTEXT; _Function_class_(PH_ENUM_MODULES_CALLBACK) BOOLEAN NTAPI PhpSetProcessModuleLoadCountCallback( _In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ PVOID AddressOfEntry, _In_ ULONG SizeOfEntry, _In_ PVOID Context1, _In_opt_ PVOID Context2 ) { PSET_PROCESS_MODULE_LOAD_COUNT_CONTEXT context = Context1; if (Entry->DllBase == context->BaseAddress) { context->Status = PhWriteVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(AddressOfEntry, FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ObsoleteLoadCount)), &context->LoadCount, sizeof(USHORT), NULL ); return FALSE; } return TRUE; } /** * Sets the load count of a process module. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_VM_READ and PROCESS_VM_WRITE access. * \param BaseAddress The base address of a module. * \param LoadCount The new load count of the module. * * \retval STATUS_DLL_NOT_FOUND The module was not found. */ NTSTATUS PhSetProcessModuleLoadCount( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount ) { NTSTATUS status; SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT context; context.Status = STATUS_DLL_NOT_FOUND; context.BaseAddress = BaseAddress; context.LoadCount = LoadCount; status = PhpEnumProcessModules( ProcessHandle, PhpSetProcessModuleLoadCountCallback, &context, NULL ); if (!NT_SUCCESS(status)) return status; return context.Status; } NTSTATUS PhpEnumProcessModules32( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_MODULES_CALLBACK Callback, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2 ) { NTSTATUS status; PPEB32 peb; ULONG ldr; // PEB_LDR_DATA32 *32 PEB_LDR_DATA32 pebLdrData; ULONG startLink; // LIST_ENTRY32 *32 ULONG currentLink; // LIST_ENTRY32 *32 ULONG entrySize; LDR_DATA_TABLE_ENTRY32 currentEntry; ULONG i; // Get the 32-bit PEB address. status = PhGetProcessPeb32(ProcessHandle, &peb); if (!NT_SUCCESS(status)) return status; // Read the address of the loader data. status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(peb, FIELD_OFFSET(PEB32, Ldr)), &ldr, sizeof(ULONG), NULL ); if (!NT_SUCCESS(status)) return status; if (!ldr) return STATUS_UNSUCCESSFUL; // Read the loader data. status = PhReadVirtualMemory( ProcessHandle, UlongToPtr(ldr), &pebLdrData, sizeof(PEB_LDR_DATA32), NULL ); if (!NT_SUCCESS(status)) return status; // Check the loader was initialized (dmex) if (!pebLdrData.Initialized) return STATUS_UNSUCCESSFUL; if (WindowsVersion >= WINDOWS_11) entrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN11_32; else if (WindowsVersion >= WINDOWS_8) entrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32; else entrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32; // Traverse the linked list (in load order). i = 0; startLink = ldr + UFIELD_OFFSET(PEB_LDR_DATA32, InLoadOrderModuleList); currentLink = pebLdrData.InLoadOrderModuleList.Flink; while ( currentLink != startLink && i <= PH_ENUM_PROCESS_MODULES_LIMIT ) { PVOID addressOfEntry; addressOfEntry = CONTAINING_RECORD(UlongToPtr(currentLink), LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks); status = PhReadVirtualMemory( ProcessHandle, addressOfEntry, ¤tEntry, entrySize, NULL ); if (!NT_SUCCESS(status)) return status; // Make sure the entry is valid. if (currentEntry.DllBase) { // Execute the callback. if (!Callback( ProcessHandle, ¤tEntry, addressOfEntry, entrySize, Context1, Context2 )) break; } currentLink = currentEntry.InLoadOrderLinks.Flink; i++; } return status; } _Function_class_(PH_ENUM_MODULES_CALLBACK) BOOLEAN NTAPI PhpEnumProcessModules32Callback( _In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY32 Entry, _In_ PVOID AddressOfEntry, _In_ ULONG SizeOfEntry, _In_ PVOID Context1, _In_opt_ PVOID Context2 ) { static CONST PH_STRINGREF system32String = PH_STRINGREF_INIT(L"\\System32\\"); PPH_ENUM_PROCESS_MODULES_PARAMETERS parameters = Context1; BOOLEAN cont; LDR_DATA_TABLE_ENTRY nativeEntry; PPH_STRING mappedFileName; PWSTR baseDllNameBuffer = NULL; PWSTR fullDllNameBuffer = NULL; PH_STRINGREF fullDllName; PH_STRINGREF systemRootString; // Convert the 32-bit entry to a native-sized entry. memset(&nativeEntry, 0, sizeof(LDR_DATA_TABLE_ENTRY)); nativeEntry.DllBase = UlongToPtr(Entry->DllBase); nativeEntry.EntryPoint = UlongToPtr(Entry->EntryPoint); nativeEntry.SizeOfImage = Entry->SizeOfImage; UStr32ToUStr(&nativeEntry.FullDllName, &Entry->FullDllName); UStr32ToUStr(&nativeEntry.BaseDllName, &Entry->BaseDllName); nativeEntry.Flags = Entry->Flags; nativeEntry.ObsoleteLoadCount = Entry->ObsoleteLoadCount; nativeEntry.TlsIndex = Entry->TlsIndex; nativeEntry.TimeDateStamp = Entry->TimeDateStamp; nativeEntry.OriginalBase = UlongToPtr(Entry->OriginalBase); nativeEntry.LoadTime = Entry->LoadTime; nativeEntry.BaseNameHashValue = Entry->BaseNameHashValue; nativeEntry.LoadReason = Entry->LoadReason; nativeEntry.ParentDllBase = UlongToPtr(Entry->ParentDllBase); mappedFileName = NULL; if (parameters->Flags & PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME) { PhGetProcessMappedFileName(ProcessHandle, nativeEntry.DllBase, &mappedFileName); } if (mappedFileName) { ULONG_PTR indexOfLastBackslash; PhStringRefToUnicodeString(&mappedFileName->sr, &nativeEntry.FullDllName); indexOfLastBackslash = PhFindLastCharInString(mappedFileName, 0, OBJ_NAME_PATH_SEPARATOR); if (indexOfLastBackslash != SIZE_MAX) { nativeEntry.BaseDllName.Buffer = nativeEntry.FullDllName.Buffer + indexOfLastBackslash + 1; nativeEntry.BaseDllName.Length = nativeEntry.FullDllName.Length - (USHORT)indexOfLastBackslash * sizeof(WCHAR) - sizeof(UNICODE_NULL); nativeEntry.BaseDllName.MaximumLength = nativeEntry.BaseDllName.Length + sizeof(UNICODE_NULL); } else { nativeEntry.BaseDllName = nativeEntry.FullDllName; } } else { // Read the base DLL name string and add a null terminator. baseDllNameBuffer = PhAllocate(nativeEntry.BaseDllName.Length + sizeof(UNICODE_NULL)); if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, nativeEntry.BaseDllName.Buffer, baseDllNameBuffer, nativeEntry.BaseDllName.Length, NULL ))) { baseDllNameBuffer[nativeEntry.BaseDllName.Length / sizeof(WCHAR)] = UNICODE_NULL; } else { baseDllNameBuffer[0] = UNICODE_NULL; nativeEntry.BaseDllName.Length = 0; } nativeEntry.BaseDllName.Buffer = baseDllNameBuffer; // Read the full DLL name string and add a null terminator. fullDllNameBuffer = PhAllocate(nativeEntry.FullDllName.Length + sizeof(UNICODE_NULL)); if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, nativeEntry.FullDllName.Buffer, fullDllNameBuffer, nativeEntry.FullDllName.Length, NULL ))) { fullDllNameBuffer[nativeEntry.FullDllName.Length / sizeof(WCHAR)] = UNICODE_NULL; if (!(parameters->Flags & PH_ENUM_PROCESS_MODULES_DONT_RESOLVE_WOW64_FS)) { // WOW64 file system redirection - convert "system32" to "SysWOW64" or "SysArm32". if (!(nativeEntry.FullDllName.Length & 1)) // validate the string length { #ifdef _M_ARM64 USHORT arch; if (NT_SUCCESS(PhGetProcessArchitecture(ProcessHandle, &arch))) { #endif fullDllName.Buffer = fullDllNameBuffer; fullDllName.Length = nativeEntry.FullDllName.Length; PhGetSystemRoot(&systemRootString); if (PhStartsWithStringRef(&fullDllName, &systemRootString, TRUE)) { PhSkipStringRef(&fullDllName, systemRootString.Length); if (PhStartsWithStringRef(&fullDllName, &system32String, TRUE)) { #ifdef _M_ARM64 if (arch == IMAGE_FILE_MACHINE_ARMNT) { fullDllName.Buffer[1] = L'S'; fullDllName.Buffer[2] = L'y'; fullDllName.Buffer[3] = L's'; fullDllName.Buffer[4] = L'A'; fullDllName.Buffer[5] = L'r'; fullDllName.Buffer[6] = L'm'; fullDllName.Buffer[7] = L'3'; fullDllName.Buffer[8] = L'2'; } else #endif { fullDllName.Buffer[1] = L'S'; fullDllName.Buffer[4] = L'W'; fullDllName.Buffer[5] = L'O'; fullDllName.Buffer[6] = L'W'; fullDllName.Buffer[7] = L'6'; fullDllName.Buffer[8] = L'4'; } } } #ifdef _M_ARM64 } else { fullDllNameBuffer[0] = UNICODE_NULL; nativeEntry.FullDllName.Length = 0; } #endif } } } else { fullDllNameBuffer[0] = UNICODE_NULL; nativeEntry.FullDllName.Length = 0; } nativeEntry.FullDllName.Buffer = fullDllNameBuffer; } if (WindowsVersion >= WINDOWS_8 && Entry->DdagNode && RTL_CONTAINS_FIELD(Entry, SizeOfEntry, DdagNode)) { LDR_DDAG_NODE32 ldrDagNode32 = { 0 }; if (NT_SUCCESS(PhReadVirtualMemory( ProcessHandle, UlongToPtr(Entry->DdagNode), &ldrDagNode32, sizeof(LDR_DDAG_NODE32), NULL ))) { // Fixup the module load count. (dmex) nativeEntry.ObsoleteLoadCount = (USHORT)ldrDagNode32.LoadCount; } } // Execute the callback. cont = parameters->Callback(&nativeEntry, parameters->Context); if (mappedFileName) { PhDereferenceObject(mappedFileName); } else { if (baseDllNameBuffer) PhFree(baseDllNameBuffer); if (fullDllNameBuffer) PhFree(fullDllNameBuffer); } return cont; } /** * Enumerates the 32-bit modules loaded by a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param Callback A callback function which is executed for each process module. * \param Context A user-defined value to pass to the callback function. * * \retval STATUS_NOT_SUPPORTED The process is not running under WOW64. * * \remarks Do not use this function under a 32-bit environment. */ NTSTATUS PhEnumProcessModules32( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ) { PH_ENUM_PROCESS_MODULES_PARAMETERS parameters; parameters.Callback = Callback; parameters.Context = Context; parameters.Flags = 0; return PhEnumProcessModules32Ex(ProcessHandle, ¶meters); } /** * Enumerates the 32-bit modules loaded by a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. If * \c PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME is specified in \a Parameters, the handle should * have PROCESS_QUERY_INFORMATION access. * \param Parameters The enumeration parameters. * * \retval STATUS_NOT_SUPPORTED The process is not running under WOW64. * * \remarks Do not use this function under a 32-bit environment. */ NTSTATUS PhEnumProcessModules32Ex( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters ) { return PhpEnumProcessModules32( ProcessHandle, PhpEnumProcessModules32Callback, Parameters, NULL ); } _Function_class_(PH_ENUM_MODULES_CALLBACK) static BOOLEAN NTAPI PhSetProcessModuleLoadCount32Callback( _In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY32 Entry, _In_ PVOID AddressOfEntry, _In_ ULONG SizeOfEntry, _In_ PVOID Context1, _In_opt_ PVOID Context2 ) { PSET_PROCESS_MODULE_LOAD_COUNT_CONTEXT context = Context1; if (UlongToPtr(Entry->DllBase) == context->BaseAddress) { context->Status = PhWriteVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(AddressOfEntry, FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ObsoleteLoadCount)), &context->LoadCount, sizeof(USHORT), NULL ); return FALSE; } return TRUE; } /** * Sets the load count of a 32-bit process module. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_VM_READ and PROCESS_VM_WRITE access. * \param BaseAddress The base address of a module. * \param LoadCount The new load count of the module. * * \retval STATUS_DLL_NOT_FOUND The module was not found. * \retval STATUS_NOT_SUPPORTED The process is not running under WOW64. * * \remarks Do not use this function under a 32-bit environment. */ NTSTATUS PhSetProcessModuleLoadCount32( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount ) { NTSTATUS status; SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT context; context.Status = STATUS_DLL_NOT_FOUND; context.BaseAddress = BaseAddress; context.LoadCount = LoadCount; status = PhpEnumProcessModules32( ProcessHandle, PhSetProcessModuleLoadCount32Callback, &context, NULL ); if (!NT_SUCCESS(status)) return status; return context.Status; } typedef struct _ENUM_GENERIC_PROCESS_MODULES_CONTEXT { PPH_HASHTABLE BaseAddressHashtable; PPH_ENUM_GENERIC_MODULES_CALLBACK Callback; PVOID Context; ULONG Type; ULONG LoadOrderIndex; } ENUM_GENERIC_PROCESS_MODULES_CONTEXT, *PENUM_GENERIC_PROCESS_MODULES_CONTEXT; ULONG PhGetRtlModuleType( _In_ PVOID ImageBase ) { if ((ULONG_PTR)ImageBase > (ULONG_PTR)PhSystemBasicInformation.MaximumUserModeAddress) return PH_MODULE_TYPE_KERNEL_MODULE; return PH_MODULE_TYPE_MODULE; } _Function_class_(PH_ENUM_PROCESS_MODULES_CALLBACK) static BOOLEAN EnumGenericProcessModulesCallback( _In_ PLDR_DATA_TABLE_ENTRY Module, _In_ PENUM_GENERIC_PROCESS_MODULES_CONTEXT Context ) { PH_MODULE_INFO moduleInfo; BOOLEAN result; // Check if we have a duplicate base address. if (PhFindEntryHashtable(Context->BaseAddressHashtable, &Module->DllBase)) return TRUE; PhAddEntryHashtable(Context->BaseAddressHashtable, &Module->DllBase); RtlZeroMemory(&moduleInfo, sizeof(PH_MODULE_INFO)); moduleInfo.Type = Context->Type; moduleInfo.BaseAddress = Module->DllBase; moduleInfo.Size = Module->SizeOfImage; moduleInfo.EntryPoint = Module->EntryPoint; moduleInfo.Flags = Module->Flags; moduleInfo.LoadOrderIndex = (USHORT)(Context->LoadOrderIndex++); moduleInfo.LoadCount = Module->ObsoleteLoadCount; moduleInfo.Name = PhCreateStringFromUnicodeString(&Module->BaseDllName); moduleInfo.FileName = PhCreateStringFromUnicodeString(&Module->FullDllName); if (WindowsVersion >= WINDOWS_8) { moduleInfo.ParentBaseAddress = Module->ParentDllBase; moduleInfo.OriginalBaseAddress = Module->OriginalBase; moduleInfo.LoadReason = (USHORT)Module->LoadReason; moduleInfo.LoadTime = Module->LoadTime; } else { moduleInfo.ParentBaseAddress = NULL; moduleInfo.OriginalBaseAddress = NULL; moduleInfo.LoadReason = USHRT_MAX; moduleInfo.LoadTime.QuadPart = 0; } result = Context->Callback(&moduleInfo, Context->Context); PhDereferenceObject(moduleInfo.Name); PhDereferenceObject(moduleInfo.FileName); return result; } VOID PhpRtlModulesToGenericModules( _In_ PRTL_PROCESS_MODULES Modules, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_ PPH_HASHTABLE BaseAddressHashtable, _In_opt_ PVOID Context ) { PRTL_PROCESS_MODULE_INFORMATION module; PH_MODULE_INFO moduleInfo; BOOLEAN result; for (ULONG i = 0; i < Modules->NumberOfModules; i++) { module = &Modules->Modules[i]; // Check if we have a duplicate base address. if (PhFindEntryHashtable(BaseAddressHashtable, &module->ImageBase)) continue; PhAddEntryHashtable(BaseAddressHashtable, &module->ImageBase); RtlZeroMemory(&moduleInfo, sizeof(PH_MODULE_INFO)); moduleInfo.Type = PhGetRtlModuleType(module->ImageBase); moduleInfo.BaseAddress = module->ImageBase; moduleInfo.Size = module->ImageSize; moduleInfo.EntryPoint = NULL; moduleInfo.Flags = module->Flags; moduleInfo.LoadOrderIndex = module->LoadOrderIndex; moduleInfo.LoadCount = module->LoadCount; moduleInfo.LoadReason = USHRT_MAX; moduleInfo.LoadTime.QuadPart = 0; moduleInfo.ParentBaseAddress = NULL; moduleInfo.OriginalBaseAddress = NULL; if (module->OffsetToFileName == 0) { static CONST PH_STRINGREF driversString = PH_STRINGREF_INIT(L"\\System32\\Drivers\\"); PH_STRINGREF systemRoot; // We only have the file name, without a path. The driver must be in the default drivers // directory. PhGetNtSystemRoot(&systemRoot); moduleInfo.Name = PhConvertUtf8ToUtf16((PSTR)module->FullPathName); moduleInfo.FileName = PhConcatStringRef3(&systemRoot, &driversString, &moduleInfo.Name->sr); } else { moduleInfo.Name = PhConvertUtf8ToUtf16((PSTR)&module->FullPathName[module->OffsetToFileName]); moduleInfo.FileName = PhConvertUtf8ToUtf16((PSTR)module->FullPathName); } result = Callback(&moduleInfo, Context); PhDereferenceObject(moduleInfo.Name); PhDereferenceObject(moduleInfo.FileName); if (!result) break; } } static VOID PhpRtlModulesExToGenericModules( _In_ PRTL_PROCESS_MODULE_INFORMATION_EX Modules, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_ PPH_HASHTABLE BaseAddressHashtable, _In_opt_ PVOID Context ) { PRTL_PROCESS_MODULE_INFORMATION_EX module; PH_MODULE_INFO moduleInfo; BOOLEAN result; for (module = Modules; module->NextOffset; module = RTL_PTR_ADD(module, module->NextOffset)) { // Check if we have a duplicate base address. if (PhFindEntryHashtable(BaseAddressHashtable, &module->ImageBase)) continue; PhAddEntryHashtable(BaseAddressHashtable, &module->ImageBase); RtlZeroMemory(&moduleInfo, sizeof(PH_MODULE_INFO)); moduleInfo.Type = PhGetRtlModuleType(module->ImageBase); moduleInfo.BaseAddress = module->ImageBase; moduleInfo.Size = module->ImageSize; moduleInfo.EntryPoint = NULL; moduleInfo.Flags = module->Flags; moduleInfo.LoadOrderIndex = module->LoadOrderIndex; moduleInfo.LoadCount = module->LoadCount; moduleInfo.LoadReason = USHRT_MAX; moduleInfo.LoadTime.QuadPart = 0; moduleInfo.ParentBaseAddress = NULL; moduleInfo.OriginalBaseAddress = NULL; if (module->OffsetToFileName == 0) { static CONST PH_STRINGREF driversString = PH_STRINGREF_INIT(L"\\System32\\Drivers\\"); PH_STRINGREF systemRoot; // We only have the file name, without a path. The driver must be in the default drivers // directory. PhGetNtSystemRoot(&systemRoot); moduleInfo.Name = PhConvertUtf8ToUtf16((PSTR)module->FullPathName); moduleInfo.FileName = PhConcatStringRef3(&systemRoot, &driversString, &moduleInfo.Name->sr); } else { moduleInfo.Name = PhConvertUtf8ToUtf16((PSTR)&module->FullPathName[module->OffsetToFileName]); moduleInfo.FileName = PhConvertUtf8ToUtf16((PSTR)module->FullPathName); } result = Callback(&moduleInfo, Context); PhDereferenceObject(moduleInfo.Name); PhDereferenceObject(moduleInfo.FileName); if (!result) break; } } static BOOLEAN PhpCallbackMappedFileOrImage( _In_ PVOID AllocationBase, _In_ SIZE_T AllocationSize, _In_ ULONG Type, _In_ PPH_STRING FileName, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ) { PH_MODULE_INFO moduleInfo; BOOLEAN result; RtlZeroMemory(&moduleInfo, sizeof(PH_MODULE_INFO)); moduleInfo.Type = Type; moduleInfo.BaseAddress = AllocationBase; moduleInfo.Size = (ULONG)AllocationSize; moduleInfo.EntryPoint = NULL; moduleInfo.Flags = 0; moduleInfo.FileName = FileName; moduleInfo.Name = PhGetBaseName(moduleInfo.FileName); moduleInfo.LoadOrderIndex = USHRT_MAX; moduleInfo.LoadCount = USHRT_MAX; moduleInfo.LoadReason = USHRT_MAX; moduleInfo.LoadTime.QuadPart = 0; moduleInfo.ParentBaseAddress = NULL; moduleInfo.OriginalBaseAddress = NULL; result = Callback(&moduleInfo, Context); PhDereferenceObject(moduleInfo.FileName); PhDereferenceObject(moduleInfo.Name); return result; } //typedef struct _PH_ENUM_MAPPED_MODULES_PARAMETERS //{ // PPH_ENUM_GENERIC_MODULES_CALLBACK Callback; // PVOID Context; // PPH_HASHTABLE BaseAddressHashtable; //} PH_ENUM_MAPPED_MODULES_PARAMETERS, *PPH_ENUM_MAPPED_MODULES_PARAMETERS; // //NTSTATUS NTAPI PhpEnumGenericMappedFilesAndImagesBulk( // _In_ HANDLE ProcessHandle, // _In_ PMEMORY_BASIC_INFORMATION MemoryBasicInfo, // _In_ SIZE_T Count, // _In_ PPH_ENUM_MAPPED_MODULES_PARAMETERS Parameters // ) //{ // ULONG type; // PPH_STRING fileName; // // for (SIZE_T i = 0; i < Count; i++) // { // PMEMORY_BASIC_INFORMATION basicInfo = &MemoryBasicInfo[i]; // // if (basicInfo->Type == MEM_MAPPED || basicInfo->Type == MEM_IMAGE) // { // if (basicInfo->Type == MEM_MAPPED) // type = PH_MODULE_TYPE_MAPPED_FILE; // else // type = PH_MODULE_TYPE_MAPPED_IMAGE; // // if (!PhFindEntryHashtable(Parameters->BaseAddressHashtable, &basicInfo->AllocationBase)) // { // if (NT_SUCCESS(PhGetProcessMappedFileName(ProcessHandle, basicInfo->AllocationBase, &fileName))) // { // PhAddEntryHashtable(Parameters->BaseAddressHashtable, &basicInfo->AllocationBase); // // if (!PhpCallbackMappedFileOrImage( // basicInfo->AllocationBase, // basicInfo->RegionSize, // type, // fileName, // Parameters->Callback, // Parameters->Context // )) // { // break; // } // } // } // } // } // // return STATUS_SUCCESS; //} // //VOID PhpEnumGenericBulkMappedFilesAndImages( // _In_ HANDLE ProcessHandle, // _In_ ULONG Flags, // _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, // _In_ PPH_HASHTABLE BaseAddressHashtable, // _In_opt_ PVOID Context // ) //{ // PH_ENUM_MAPPED_MODULES_PARAMETERS enumParameters; // // memset(&enumParameters, 0, sizeof(PH_ENUM_MAPPED_MODULES_PARAMETERS)); // enumParameters.BaseAddressHashtable = BaseAddressHashtable; // enumParameters.Callback = Callback; // enumParameters.Context = Context; // // if (NT_SUCCESS(PhEnumVirtualMemoryBulk( // ProcessHandle, // NULL, // FALSE, // PhpEnumGenericMappedFilesAndImagesBulk, // &enumParameters // ))) // { // return; // } //} static VOID PhpEnumGenericMappedFilesAndImages( _In_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_ PPH_HASHTABLE BaseAddressHashtable, _In_opt_ PVOID Context ) { BOOLEAN querySucceeded; PVOID baseAddress; MEMORY_BASIC_INFORMATION basicInfo; baseAddress = (PVOID)0; if (!NT_SUCCESS(NtQueryVirtualMemory( ProcessHandle, baseAddress, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { return; } querySucceeded = TRUE; while (querySucceeded) { PVOID allocationBase; SIZE_T allocationSize; ULONG type; PPH_STRING fileName; BOOLEAN result; if (basicInfo.Type == MEM_MAPPED || basicInfo.Type == MEM_IMAGE) { if (basicInfo.Type == MEM_MAPPED) type = PH_MODULE_TYPE_MAPPED_FILE; else type = PH_MODULE_TYPE_MAPPED_IMAGE; // Find the total allocation size. allocationBase = basicInfo.AllocationBase; allocationSize = 0; do { baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize); allocationSize += basicInfo.RegionSize; if (!NT_SUCCESS(NtQueryVirtualMemory( ProcessHandle, baseAddress, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { querySucceeded = FALSE; break; } } while (basicInfo.AllocationBase == allocationBase); if ((type == PH_MODULE_TYPE_MAPPED_FILE && !(Flags & PH_ENUM_GENERIC_MAPPED_FILES)) || (type == PH_MODULE_TYPE_MAPPED_IMAGE && !(Flags & PH_ENUM_GENERIC_MAPPED_IMAGES))) { // The user doesn't want this type of entry. continue; } // Check if we have a duplicate base address. if (PhFindEntryHashtable(BaseAddressHashtable, &allocationBase)) { continue; } if (!NT_SUCCESS(PhGetProcessMappedFileName( ProcessHandle, allocationBase, &fileName ))) { continue; } PhAddEntryHashtable(BaseAddressHashtable, &allocationBase); result = PhpCallbackMappedFileOrImage( allocationBase, allocationSize, type, fileName, Callback, Context ); if (!result) break; } else { baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize); if (!NT_SUCCESS(NtQueryVirtualMemory( ProcessHandle, baseAddress, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) { querySucceeded = FALSE; } } } } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN NTAPI PhpBaseAddressHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { return *(PVOID *)Entry1 == *(PVOID *)Entry2; } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG NTAPI PhpBaseAddressHashtableHashFunction( _In_ PVOID Entry ) { return PhHashIntPtr((ULONG_PTR)*(PVOID *)Entry); } /** * Enumerates the modules loaded by a process. * * \param ProcessId The ID of a process. If \ref SYSTEM_PROCESS_ID is specified the function * enumerates the kernel modules. * \param ProcessHandle A handle to the process. * \param Flags Flags controlling the information to retrieve. * \li \c PH_ENUM_GENERIC_MAPPED_FILES Enumerate mapped files. * \li \c PH_ENUM_GENERIC_MAPPED_IMAGES Enumerate mapped images (those which are not mapped by the * loader). * \param Callback A callback function which is executed for each module. * \param Context A user-defined value to pass to the callback function. */ NTSTATUS PhEnumGenericModules( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PPH_HASHTABLE baseAddressHashtable; baseAddressHashtable = PhCreateHashtable( sizeof(PVOID), PhpBaseAddressHashtableEqualFunction, PhpBaseAddressHashtableHashFunction, 100 ); if (ProcessId == SYSTEM_PROCESS_ID) { // Kernel modules PVOID modules; status = PhEnumKernelModulesEx((PRTL_PROCESS_MODULE_INFORMATION_EX*)&modules); if (NT_SUCCESS(status)) { PhpRtlModulesExToGenericModules( modules, Callback, baseAddressHashtable, Context ); PhFree(modules); } else { status = PhEnumKernelModules((PRTL_PROCESS_MODULES*)&modules); if (NT_SUCCESS(status)) { PhpRtlModulesToGenericModules( modules, Callback, baseAddressHashtable, Context ); PhFree(modules); } } } else { // Process modules BOOLEAN opened = FALSE; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif ENUM_GENERIC_PROCESS_MODULES_CONTEXT context; PH_ENUM_PROCESS_MODULES_PARAMETERS parameters; if (!ProcessHandle) { if (!NT_SUCCESS(status = PhOpenProcess( &ProcessHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, // needed for enumerating mapped files ProcessId ))) { if (!NT_SUCCESS(status = PhOpenProcess( &ProcessHandle, PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, ProcessId ))) { goto CleanupExit; } } opened = TRUE; } context.Callback = Callback; context.Context = Context; context.Type = PH_MODULE_TYPE_MODULE; context.BaseAddressHashtable = baseAddressHashtable; context.LoadOrderIndex = 0; parameters.Callback = EnumGenericProcessModulesCallback; parameters.Context = &context; parameters.Flags = PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME; status = PhEnumProcessModulesEx( ProcessHandle, ¶meters ); #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); // 32-bit process modules if (isWow64) { context.Callback = Callback; context.Context = Context; context.Type = PH_MODULE_TYPE_WOW64_MODULE; context.BaseAddressHashtable = baseAddressHashtable; context.LoadOrderIndex = 0; status = PhEnumProcessModules32Ex( ProcessHandle, ¶meters ); } #endif // Mapped files and mapped images // This is done last because it provides the least amount of information. if (Flags & (PH_ENUM_GENERIC_MAPPED_FILES | PH_ENUM_GENERIC_MAPPED_IMAGES)) { PhpEnumGenericMappedFilesAndImages( ProcessHandle, Flags, Callback, baseAddressHashtable, Context ); } if (opened) NtClose(ProcessHandle); } CleanupExit: PhDereferenceObject(baseAddressHashtable); return status; } typedef struct _PH_ENUM_PROCESS_MODULES_LIMITED_PARAMETERS { PPH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK Callback; PPH_HASHTABLE BaseAddressHashtable; PVOID Context; } PH_ENUM_PROCESS_MODULES_LIMITED_PARAMETERS, *PPH_ENUM_PROCESS_MODULES_LIMITED_PARAMETERS; _Function_class_(PH_ENUM_MEMORY_PAGE_CALLBACK) static NTSTATUS NTAPI PhEnumProcessModulesLimitedCallback( _In_ HANDLE ProcessHandle, _In_ ULONG_PTR NumberOfEntries, _In_ PMEMORY_WORKING_SET_BLOCK WorkingSetBlock, _In_ PVOID Context ) { PPH_ENUM_PROCESS_MODULES_LIMITED_PARAMETERS parameters = Context; NTSTATUS status = STATUS_UNSUCCESSFUL; MEMORY_IMAGE_INFORMATION imageInformation; PVOID baseAddress = NULL; PPH_STRING fileName; for (ULONG_PTR i = 0; i < NumberOfEntries; i++) { PMEMORY_WORKING_SET_BLOCK workingSetBlock = &WorkingSetBlock[i]; PVOID virtualAddress = (PVOID)(workingSetBlock->VirtualPage << PAGE_SHIFT); if (virtualAddress < baseAddress) continue; status = PhGetProcessMappedImageInformation( ProcessHandle, virtualAddress, &imageInformation ); if ( !NT_SUCCESS(status) || !imageInformation.ImageBase || imageInformation.ImageNotExecutable || imageInformation.ImagePartialMap ) { continue; } if (PhFindEntryHashtable(parameters->BaseAddressHashtable, &imageInformation.ImageBase)) continue; PhAddEntryHashtable(parameters->BaseAddressHashtable, &imageInformation.ImageBase); status = PhGetProcessMappedFileName( ProcessHandle, imageInformation.ImageBase, &fileName ); if (!NT_SUCCESS(status)) continue; status = parameters->Callback( ProcessHandle, virtualAddress, imageInformation.ImageBase, imageInformation.SizeOfImage, fileName, parameters->Context ); PhDereferenceObject(fileName); if (!NT_SUCCESS(status)) break; baseAddress = PTR_ADD_OFFSET(imageInformation.ImageBase, imageInformation.SizeOfImage); } if (status == STATUS_NO_MORE_ENTRIES) { status = STATUS_SUCCESS; } return status; } NTSTATUS PhEnumProcessModulesLimited( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_LIMITED_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PH_ENUM_PROCESS_MODULES_LIMITED_PARAMETERS limitedParameters; PPH_HASHTABLE baseAddressHashtable; baseAddressHashtable = PhCreateHashtable( sizeof(PVOID), PhpBaseAddressHashtableEqualFunction, PhpBaseAddressHashtableHashFunction, 100 ); memset(&limitedParameters, 0, sizeof(PH_ENUM_PROCESS_MODULES_LIMITED_PARAMETERS)); limitedParameters.BaseAddressHashtable = baseAddressHashtable; limitedParameters.Callback = Callback; limitedParameters.Context = Context; status = PhEnumVirtualMemoryPages( ProcessHandle, PhEnumProcessModulesLimitedCallback, &limitedParameters ); PhDereferenceObject(baseAddressHashtable); return status; } NTSTATUS PhEnumProcessEnclaveModules( _In_ HANDLE ProcessHandle, _In_ PVOID EnclaveAddress, _In_ PLDR_SOFTWARE_ENCLAVE Enclave, _In_ PPH_ENUM_PROCESS_ENCLAVE_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PVOID listHead; LDR_DATA_TABLE_ENTRY entry; status = STATUS_SUCCESS; listHead = PTR_ADD_OFFSET(EnclaveAddress, FIELD_OFFSET(LDR_SOFTWARE_ENCLAVE, Modules)); for (PLIST_ENTRY link = Enclave->Modules.Flink; link != listHead; link = entry.InLoadOrderLinks.Flink) { PVOID entryAddress; entryAddress = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); status = PhReadVirtualMemory( ProcessHandle, entryAddress, &entry, sizeof(entry), NULL ); if (!NT_SUCCESS(status)) return status; if (!Callback(ProcessHandle, Enclave, entryAddress, &entry, Context)) break; } return status; } NTSTATUS PhGetProcessLdrTableEntryNames( _In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _Out_ PPH_STRING* Name, _Out_ PPH_STRING* FileName ) { NTSTATUS status; PPH_STRING name; PPH_STRING fileName; PWSTR fullDllName; ULONG_PTR index; *Name = NULL; *FileName = NULL; name = NULL; fileName = NULL; fullDllName = NULL; if (Entry->DllBase) { PhGetProcessMappedFileName(ProcessHandle, Entry->DllBase, &fileName); } if (PhIsNullOrEmptyString(fileName)) { fullDllName = PhAllocate(Entry->FullDllName.Length); status = PhReadVirtualMemory( ProcessHandle, Entry->FullDllName.Buffer, fullDllName, Entry->FullDllName.Length, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (!(Entry->FullDllName.Length & 1)) // validate the string length { fileName = PhCreateStringEx(fullDllName, Entry->FullDllName.Length); } else { goto CleanupExit; } } index = PhFindLastCharInStringRef( &fileName->sr, OBJ_NAME_PATH_SEPARATOR, FALSE ); if (index != SIZE_MAX) { name = PhCreateStringEx( &fileName->Buffer[index + 1], fileName->Length - (index * sizeof(WCHAR)) ); } else { name = PhReferenceObject(fileName); } *Name = name; *FileName = fileName; name = NULL; fileName = NULL; CleanupExit: if (fullDllName) PhFree(fullDllName); PhClearReference(&name); PhClearReference(&fileName); return STATUS_SUCCESS; } ================================================ FILE: phlib/nativepipe.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include /** * Creates an anonymous pipe. * * \param PipeReadHandle The pipe read handle. * \param PipeWriteHandle The pipe write handle. */ NTSTATUS PhCreatePipe( _Out_ PHANDLE PipeReadHandle, _Out_ PHANDLE PipeWriteHandle ) { return PhCreatePipeEx(PipeReadHandle, PipeWriteHandle, NULL, NULL); } /** * Creates an anonymous pipe. * * \param[out] PipeReadHandle The pipe read handle. * \param[out] PipeWriteHandle The pipe write handle. * \param[in] PipeReadAttributes Optional pipe read attributes. * \param[in] PipeWriteAttributes Optional pipe write attributes. */ NTSTATUS PhCreatePipeEx( _Out_ PHANDLE PipeReadHandle, _Out_ PHANDLE PipeWriteHandle, _In_opt_ PSECURITY_ATTRIBUTES PipeReadAttributes, _In_opt_ PSECURITY_ATTRIBUTES PipeWriteAttributes ) { NTSTATUS status; PACL pipeAcl = NULL; HANDLE pipeDirectoryHandle; HANDLE pipeReadHandle; HANDLE pipeWriteHandle; UNICODE_STRING pipeName; SECURITY_DESCRIPTOR securityDescriptor; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK isb; LARGE_INTEGER timeout; SECURITY_QUALITY_OF_SERVICE pipeSecurityQos = { sizeof(SECURITY_QUALITY_OF_SERVICE), SecurityAnonymous, SECURITY_STATIC_TRACKING, FALSE }; RtlInitUnicodeString(&pipeName, DEVICE_NAMED_PIPE); InitializeObjectAttributes( &objectAttributes, &pipeName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenFile( &pipeDirectoryHandle, GENERIC_READ | SYNCHRONIZE, &objectAttributes, &isb, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; RtlInitEmptyUnicodeString(&pipeName, NULL, 0); InitializeObjectAttributesEx( &objectAttributes, &pipeName, OBJ_CASE_INSENSITIVE, pipeDirectoryHandle, NULL, &pipeSecurityQos ); if (PipeReadAttributes) { if (PipeReadAttributes->bInheritHandle) { SetFlag(objectAttributes.Attributes, OBJ_INHERIT); } if (PipeReadAttributes->lpSecurityDescriptor) { objectAttributes.SecurityDescriptor = PipeReadAttributes->lpSecurityDescriptor; } } if (!objectAttributes.SecurityDescriptor) { status = PhDefaultNpAcl(&pipeAcl); if (NT_SUCCESS(status)) { status = PhCreateSecurityDescriptor(&securityDescriptor, SECURITY_DESCRIPTOR_REVISION); if (NT_SUCCESS(status)) { status = PhSetDaclSecurityDescriptor(&securityDescriptor, TRUE, pipeAcl, FALSE); if (NT_SUCCESS(status)) { objectAttributes.SecurityDescriptor = &securityDescriptor; } assert(RtlValidSecurityDescriptor(&securityDescriptor)); } } if (!NT_SUCCESS(status)) goto CleanupExit; } status = NtCreateNamedPipeFile( &pipeReadHandle, FILE_WRITE_ATTRIBUTES | GENERIC_READ | SYNCHRONIZE, &objectAttributes, &isb, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_CREATE, FILE_PIPE_INBOUND | FILE_SYNCHRONOUS_IO_NONALERT, FILE_PIPE_BYTE_STREAM_TYPE | FILE_PIPE_REJECT_REMOTE_CLIENTS, FILE_PIPE_BYTE_STREAM_MODE, FILE_PIPE_QUEUE_OPERATION, 1, PAGE_SIZE, PAGE_SIZE, PhTimeoutFromMilliseconds(&timeout, 120000) ); if (!NT_SUCCESS(status)) goto CleanupExit; RtlInitEmptyUnicodeString(&pipeName, NULL, 0); InitializeObjectAttributesEx( &objectAttributes, &pipeName, OBJ_CASE_INSENSITIVE, pipeReadHandle, NULL, &pipeSecurityQos ); if (PipeWriteAttributes) { if (PipeWriteAttributes->bInheritHandle) { SetFlag(objectAttributes.Attributes, OBJ_INHERIT); } if (PipeWriteAttributes->lpSecurityDescriptor) { objectAttributes.SecurityDescriptor = PipeWriteAttributes->lpSecurityDescriptor; } } status = NtOpenFile( &pipeWriteHandle, FILE_READ_ATTRIBUTES | GENERIC_WRITE | SYNCHRONIZE, &objectAttributes, &isb, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { *PipeReadHandle = pipeReadHandle; *PipeWriteHandle = pipeWriteHandle; } CleanupExit: if (pipeAcl) { PhFree(pipeAcl); } NtClose(pipeDirectoryHandle); return status; } /** * Creates an named pipe. * * \param PipeHandle The pipe read/write handle. * \param PipeName The pipe name. */ NTSTATUS PhCreateNamedPipe( _Out_ PHANDLE PipeHandle, _In_ PCPH_STRINGREF PipeName ) { static CONST PH_STRINGREF deviceName = PH_STRINGREF_INIT(DEVICE_NAMED_PIPE); NTSTATUS status; PACL pipeAcl = NULL; HANDLE pipeHandle; PPH_STRING pipeName; UNICODE_STRING pipeNameUs; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK isb; LARGE_INTEGER timeout; SECURITY_DESCRIPTOR securityDescriptor; SECURITY_QUALITY_OF_SERVICE pipeSecurityQos = { sizeof(SECURITY_QUALITY_OF_SERVICE), SecurityAnonymous, SECURITY_STATIC_TRACKING, FALSE }; pipeName = PhConcatStringRef2(&deviceName, PipeName); if (!PhStringRefToUnicodeString(&pipeName->sr, &pipeNameUs)) { PhDereferenceObject(pipeName); return STATUS_NAME_TOO_LONG; } InitializeObjectAttributesEx( &objectAttributes, &pipeNameUs, OBJ_CASE_INSENSITIVE, NULL, NULL, &pipeSecurityQos ); if (NT_SUCCESS(PhDefaultNpAcl(&pipeAcl))) { PhCreateSecurityDescriptor(&securityDescriptor, SECURITY_DESCRIPTOR_REVISION); PhSetDaclSecurityDescriptor(&securityDescriptor, TRUE, pipeAcl, FALSE); objectAttributes.SecurityDescriptor = &securityDescriptor; } status = NtCreateNamedPipeFile( &pipeHandle, FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, &objectAttributes, &isb, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_PIPE_FULL_DUPLEX | FILE_SYNCHRONOUS_IO_NONALERT, FILE_PIPE_MESSAGE_TYPE | FILE_PIPE_REJECT_REMOTE_CLIENTS, FILE_PIPE_MESSAGE_MODE, FILE_PIPE_QUEUE_OPERATION, FILE_PIPE_UNLIMITED_INSTANCES, PAGE_SIZE, PAGE_SIZE, PhTimeoutFromMilliseconds(&timeout, 1000) ); if (NT_SUCCESS(status)) { *PipeHandle = pipeHandle; } if (pipeAcl) { PhFree(pipeAcl); } PhDereferenceObject(pipeName); return status; } NTSTATUS PhConnectPipe( _Out_ PHANDLE PipeHandle, _In_ PCPH_STRINGREF PipeName ) { static CONST PH_STRINGREF deviceName = PH_STRINGREF_INIT(DEVICE_NAMED_PIPE); NTSTATUS status; HANDLE pipeHandle; PPH_STRING pipeName; UNICODE_STRING pipeNameUs; OBJECT_ATTRIBUTES objectAttributes; IO_STATUS_BLOCK isb; SECURITY_QUALITY_OF_SERVICE pipeSecurityQos = { sizeof(SECURITY_QUALITY_OF_SERVICE), SecurityAnonymous, SECURITY_STATIC_TRACKING, FALSE }; pipeName = PhConcatStringRef2(&deviceName, PipeName); if (!PhStringRefToUnicodeString(&pipeName->sr, &pipeNameUs)) { PhDereferenceObject(pipeName); return STATUS_NAME_TOO_LONG; } InitializeObjectAttributesEx( &objectAttributes, &pipeNameUs, OBJ_CASE_INSENSITIVE, NULL, NULL, &pipeSecurityQos ); status = NtCreateFile( &pipeHandle, FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, &objectAttributes, &isb, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (NT_SUCCESS(status)) { *PipeHandle = pipeHandle; } PhDereferenceObject(pipeName); return status; } NTSTATUS PhListenNamedPipe( _In_ HANDLE PipeHandle ) { NTSTATUS status; IO_STATUS_BLOCK isb; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_LISTEN, NULL, 0, NULL, 0 ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } return status; } NTSTATUS PhDisconnectNamedPipe( _In_ HANDLE PipeHandle ) { NTSTATUS status; IO_STATUS_BLOCK isb; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_DISCONNECT, NULL, 0, NULL, 0 ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } return status; } NTSTATUS PhPeekNamedPipe( _In_ HANDLE PipeHandle, _Out_writes_bytes_opt_(Length) PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG NumberOfBytesRead, _Out_opt_ PULONG NumberOfBytesAvailable, _Out_opt_ PULONG NumberOfBytesLeftInMessage ) { NTSTATUS status; IO_STATUS_BLOCK isb; PFILE_PIPE_PEEK_BUFFER peekBuffer; ULONG peekBufferLength; peekBufferLength = FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data) + Length; peekBuffer = PhAllocate(peekBufferLength); status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_PEEK, NULL, 0, peekBuffer, peekBufferLength ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } // STATUS_BUFFER_OVERFLOW means that there is data remaining; this is normal. if (status == STATUS_BUFFER_OVERFLOW) status = STATUS_SUCCESS; if (NT_SUCCESS(status)) { ULONG numberOfBytesRead = 0; if (Buffer || NumberOfBytesRead || NumberOfBytesLeftInMessage) numberOfBytesRead = (ULONG)(isb.Information - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data)); if (Buffer) memcpy(Buffer, peekBuffer->Data, numberOfBytesRead); if (NumberOfBytesRead) *NumberOfBytesRead = numberOfBytesRead; if (NumberOfBytesAvailable) *NumberOfBytesAvailable = peekBuffer->ReadDataAvailable; if (NumberOfBytesLeftInMessage) *NumberOfBytesLeftInMessage = peekBuffer->MessageLength - numberOfBytesRead; } PhFree(peekBuffer); return status; } NTSTATUS PhCallNamedPipe( _In_ PCWSTR PipeName, _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ) { NTSTATUS status; HANDLE pipeHandle = NULL; status = PhConnectPipeZ(&pipeHandle, PipeName); if (!NT_SUCCESS(status)) { PhWaitForNamedPipe(PipeName, 1000); status = PhConnectPipeZ(&pipeHandle, PipeName); } if (NT_SUCCESS(status)) { FILE_PIPE_INFORMATION pipeInfo; IO_STATUS_BLOCK isb; memset(&pipeInfo, 0, sizeof(FILE_PIPE_INFORMATION)); pipeInfo.CompletionMode = FILE_PIPE_QUEUE_OPERATION; pipeInfo.ReadMode = FILE_PIPE_MESSAGE_MODE; status = NtSetInformationFile( pipeHandle, &isb, &pipeInfo, sizeof(FILE_PIPE_INFORMATION), FilePipeInformation ); } if (NT_SUCCESS(status)) { status = PhTransceiveNamedPipe( pipeHandle, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength ); } if (pipeHandle) { IO_STATUS_BLOCK ioStatusBlock; NtFlushBuffersFile(pipeHandle, &ioStatusBlock); PhDisconnectNamedPipe(pipeHandle); NtClose(pipeHandle); } return status; } NTSTATUS PhTransceiveNamedPipe( _In_ HANDLE PipeHandle, _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ) { NTSTATUS status; IO_STATUS_BLOCK isb; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_TRANSCEIVE, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } return status; } NTSTATUS PhWaitForNamedPipe( _In_ PCWSTR PipeName, _In_opt_ ULONG Timeout ) { NTSTATUS status; IO_STATUS_BLOCK isb; PH_STRINGREF pipeName; UNICODE_STRING objectName; HANDLE fileSystemHandle; OBJECT_ATTRIBUTES objectAttributes; PFILE_PIPE_WAIT_FOR_BUFFER waitForBuffer; ULONG waitForBufferLength; RtlInitUnicodeString(&objectName, DEVICE_NAMED_PIPE); InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenFile( &fileSystemHandle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &objectAttributes, &isb, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) return status; PhInitializeStringRefLongHint(&pipeName, PipeName); waitForBufferLength = FIELD_OFFSET(FILE_PIPE_WAIT_FOR_BUFFER, Name) + (ULONG)pipeName.Length; waitForBuffer = PhAllocate(waitForBufferLength); if (Timeout) { PhTimeoutFromMilliseconds(&waitForBuffer->Timeout, Timeout); waitForBuffer->TimeoutSpecified = TRUE; } else { waitForBuffer->Timeout.LowPart = 0; waitForBuffer->Timeout.HighPart = MINLONG; // a very long time waitForBuffer->TimeoutSpecified = TRUE; } waitForBuffer->NameLength = (ULONG)pipeName.Length; memcpy(waitForBuffer->Name, pipeName.Buffer, pipeName.Length); status = NtFsControlFile( fileSystemHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_WAIT, waitForBuffer, waitForBufferLength, NULL, 0 ); PhFree(waitForBuffer); NtClose(fileSystemHandle); return status; } NTSTATUS PhImpersonateClientOfNamedPipe( _In_ HANDLE PipeHandle ) { IO_STATUS_BLOCK isb; return NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_IMPERSONATE, NULL, 0, NULL, 0 ); } NTSTATUS PhDisableImpersonateNamedPipe( _In_ HANDLE PipeHandle ) { IO_STATUS_BLOCK isb; return NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_DISABLE_IMPERSONATE, NULL, 0, NULL, 0 ); } NTSTATUS PhGetNamedPipeClientComputerName( _In_ HANDLE PipeHandle, _In_ ULONG ClientComputerNameLength, _Out_ PVOID ClientComputerName ) { NTSTATUS status; IO_STATUS_BLOCK isb; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE, "ClientComputerName", sizeof("ClientComputerName"), ClientComputerName, ClientComputerNameLength ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } return status; } NTSTATUS PhGetNamedPipeClientProcessId( _In_ HANDLE PipeHandle, _Out_ PHANDLE ClientProcessId ) { NTSTATUS status; IO_STATUS_BLOCK isb; ULONG processId = 0; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE, "ClientProcessId", sizeof("ClientProcessId"), &processId, sizeof(ULONG) ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (NT_SUCCESS(status)) { if (ClientProcessId) { *ClientProcessId = UlongToHandle(processId); } } return status; } NTSTATUS PhGetNamedPipeClientSessionId( _In_ HANDLE PipeHandle, _Out_ PHANDLE ClientSessionId ) { NTSTATUS status; IO_STATUS_BLOCK isb; ULONG processId = 0; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE, "ClientSessionId", sizeof("ClientSessionId"), &processId, sizeof(ULONG) ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (NT_SUCCESS(status)) { if (ClientSessionId) { *ClientSessionId = UlongToHandle(processId); } } return status; } NTSTATUS PhGetNamedPipeServerProcessId( _In_ HANDLE PipeHandle, _Out_ PHANDLE ServerProcessId ) { NTSTATUS status; IO_STATUS_BLOCK isb; ULONG processId = 0; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_GET_PIPE_ATTRIBUTE, "ServerProcessId", sizeof("ServerProcessId"), &processId, sizeof(ULONG) ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (NT_SUCCESS(status)) { if (ServerProcessId) { *ServerProcessId = UlongToHandle(processId); } } return status; } NTSTATUS PhGetNamedPipeServerSessionId( _In_ HANDLE PipeHandle, _Out_ PHANDLE ServerSessionId ) { NTSTATUS status; IO_STATUS_BLOCK isb; ULONG processId = 0; status = NtFsControlFile( PipeHandle, NULL, NULL, NULL, &isb, FSCTL_PIPE_GET_PIPE_ATTRIBUTE, "ServerSessionId", sizeof("ServerSessionId"), &processId, sizeof(ULONG) ); if (status == STATUS_PENDING) { status = NtWaitForSingleObject(PipeHandle, FALSE, NULL); if (NT_SUCCESS(status)) status = isb.Status; } if (NT_SUCCESS(status)) { if (ServerSessionId) { *ServerSessionId = UlongToHandle(processId); } } return status; } NTSTATUS PhEnumDirectoryNamedPipe( _In_opt_ PCPH_STRINGREF SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ) { static CONST PH_STRINGREF objectName = PH_STRINGREF_INIT(DEVICE_NAMED_PIPE); HANDLE objectHandle; NTSTATUS status; status = PhOpenFile( &objectHandle, &objectName, FILE_LIST_DIRECTORY | SYNCHRONIZE, NULL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL ); if (NT_SUCCESS(status)) { status = PhEnumDirectoryFile( objectHandle, SearchPattern, Callback, Context ); NtClose(objectHandle); } return status; } // rev from RtlDefaultNpAcl NTSTATUS PhDefaultNpAcl( _Out_ PACL* DefaultNpAc ) { NTSTATUS status; PACL pipeAcl; PH_TOKEN_OWNER tokenQuery; status = PhGetTokenOwner( NtCurrentThreadEffectiveToken(), &tokenQuery ); if (NT_SUCCESS(status)) { APPCONTAINER_SID_TYPE appContainerSidType = InvalidAppContainerSidType; PH_TOKEN_APPCONTAINER tokenAppContainer = { 0 }; PSID appContainerSidParent = NULL; ULONG defaultAclSize = (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid((PSID)&PhSeLocalSystemSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(PhSeAdministratorsSid()) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(tokenQuery.TokenOwner.Owner) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid((PSID)&PhSeEveryoneSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid((PSID)&PhSeAnonymousLogonSid); if (NT_SUCCESS(PhGetTokenAppContainerSid(NtCurrentThreadEffectiveToken(), &tokenAppContainer))) { if (RtlGetAppContainerSidType_Import()) RtlGetAppContainerSidType_Import()(tokenAppContainer.AppContainer.Sid, &appContainerSidType); if (appContainerSidType == ChildAppContainerSidType) { if (RtlGetAppContainerParent_Import()) RtlGetAppContainerParent_Import()(tokenAppContainer.AppContainer.Sid, &appContainerSidParent); } } if (tokenAppContainer.AppContainer.Sid) defaultAclSize += (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(tokenAppContainer.AppContainer.Sid); if (appContainerSidParent) defaultAclSize += (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(appContainerSidParent); pipeAcl = PhAllocateZero(defaultAclSize); PhCreateAcl(pipeAcl, defaultAclSize, ACL_REVISION); PhAddAccessAllowedAce(pipeAcl, ACL_REVISION, GENERIC_ALL, &PhSeLocalSystemSid); PhAddAccessAllowedAce(pipeAcl, ACL_REVISION, GENERIC_ALL, PhSeAdministratorsSid()); if (tokenAppContainer.AppContainer.Sid) PhAddAccessAllowedAce(pipeAcl, ACL_REVISION, GENERIC_ALL, tokenAppContainer.AppContainer.Sid); if (appContainerSidParent) PhAddAccessAllowedAce(pipeAcl, ACL_REVISION, GENERIC_ALL, appContainerSidParent); PhAddAccessAllowedAce(pipeAcl, ACL_REVISION, GENERIC_ALL, tokenQuery.TokenOwner.Owner); PhAddAccessAllowedAce(pipeAcl, ACL_REVISION, GENERIC_READ, &PhSeEveryoneSid); PhAddAccessAllowedAce(pipeAcl, ACL_REVISION, GENERIC_READ, &PhSeAnonymousLogonSid); *DefaultNpAc = pipeAcl; if (appContainerSidParent) { RtlFreeSid(appContainerSidParent); } } return status; } ================================================ FILE: phlib/nativeprocess.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include /** * Opens a process. * * \param ProcessHandle A variable which receives a handle to the process. * \param DesiredAccess The desired access to the process. * \param ProcessId The ID of the process. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; CLIENT_ID clientId; KPH_LEVEL level; clientId.UniqueProcess = ProcessId; clientId.UniqueThread = NULL; level = KsiLevel(); if ((level >= KphLevelMed) && (DesiredAccess & KPH_PROCESS_READ_ACCESS) == DesiredAccess) { status = KphOpenProcess( ProcessHandle, DesiredAccess, &clientId ); } else { InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL); status = NtOpenProcess( ProcessHandle, DesiredAccess, &objectAttributes, &clientId ); if (status == STATUS_ACCESS_DENIED && (level == KphLevelMax)) { status = KphOpenProcess( ProcessHandle, DesiredAccess, &clientId ); } } return status; } /** * Opens a process handle using a CLIENT_ID structure. * * \param ProcessHandle A variable which receives a handle to the process. * \param DesiredAccess The desired access rights for the process handle. * \param ClientId A pointer to a CLIENT_ID structure that specifies the process and (optionally) thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenProcessClientId( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; KPH_LEVEL level; level = KsiLevel(); if ((level >= KphLevelMed) && (DesiredAccess & KPH_PROCESS_READ_ACCESS) == DesiredAccess) { status = KphOpenProcess( ProcessHandle, DesiredAccess, ClientId ); } else { InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL); status = NtOpenProcess( ProcessHandle, DesiredAccess, &objectAttributes, ClientId ); if (status == STATUS_ACCESS_DENIED && (level == KphLevelMax)) { status = KphOpenProcess( ProcessHandle, DesiredAccess, ClientId ); } } return status; } /** Limited API for untrusted/external code. */ /** * Opens a process with limited access for untrusted or external code. * * \param ProcessHandle A variable which receives a handle to the process. * \param DesiredAccess The desired access rights for the process handle. * \param ProcessId The unique identifier (PID) of the process to open. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenProcessPublic( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ) { OBJECT_ATTRIBUTES objectAttributes; CLIENT_ID clientId; InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL); clientId.UniqueProcess = ProcessId; clientId.UniqueThread = NULL; return NtOpenProcess( ProcessHandle, DesiredAccess, &objectAttributes, &clientId ); } /** * Terminates a process. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_TERMINATE access. * \param ExitStatus A status value that indicates why the process is being terminated. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhTerminateProcess( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ) { NTSTATUS status; if (KsiLevel() == KphLevelMax) { status = KphTerminateProcess( ProcessHandle, ExitStatus ); if (NT_SUCCESS(status)) return status; } status = NtTerminateProcess( ProcessHandle, ExitStatus ); return status; } /** * Suspends the specified process. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_SUSPEND_RESUME access. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSuspendProcess( _In_ HANDLE ProcessHandle ) { NTSTATUS status; status = NtSuspendProcess( ProcessHandle ); return status; } /** * Resumes the specified process. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_SUSPEND_RESUME access. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhResumeProcess( _In_ HANDLE ProcessHandle ) { NTSTATUS status; status = NtResumeProcess( ProcessHandle ); return status; } /** * Gets basic information for a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param BasicInformation A variable which receives the information. * \return Successful or errant status. */ NTSTATUS PhGetProcessBasicInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_BASIC_INFORMATION BasicInformation ) { return NtQueryInformationProcess( ProcessHandle, ProcessBasicInformation, BasicInformation, sizeof(PROCESS_BASIC_INFORMATION), NULL ); } /** * Gets extended basic information for a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param ExtendedBasicInformation A variable which receives the information. * \return Successful or errant status. */ NTSTATUS PhGetProcessExtendedBasicInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_EXTENDED_BASIC_INFORMATION ExtendedBasicInformation ) { ExtendedBasicInformation->Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION); return NtQueryInformationProcess( ProcessHandle, ProcessBasicInformation, ExtendedBasicInformation, sizeof(PROCESS_EXTENDED_BASIC_INFORMATION), NULL ); } /** * Gets time information for a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param Times A variable which receives the information. * \return Successful or errant status. */ NTSTATUS PhGetProcessTimes( _In_ HANDLE ProcessHandle, _Out_ PKERNEL_USER_TIMES Times ) { return NtQueryInformationProcess( ProcessHandle, ProcessTimes, Times, sizeof(KERNEL_USER_TIMES), NULL ); } /** * Gets a process' session ID. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param SessionId A variable which receives the process' session ID. * \return Successful or errant status. */ NTSTATUS PhGetProcessSessionId( _In_ HANDLE ProcessHandle, _Out_ PULONG SessionId ) { NTSTATUS status; PROCESS_SESSION_INFORMATION sessionInfo; status = NtQueryInformationProcess( ProcessHandle, ProcessSessionInformation, &sessionInfo, sizeof(PROCESS_SESSION_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *SessionId = sessionInfo.SessionId; } return status; } /** * Gets whether a process is running under 32-bit emulation. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param IsWow64Process A variable which receives a boolean indicating whether the process is 32-bit. * \return Successful or errant status. */ NTSTATUS PhGetProcessIsWow64( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsWow64Process ) { NTSTATUS status; ULONG_PTR wow64; status = NtQueryInformationProcess( ProcessHandle, ProcessWow64Information, &wow64, sizeof(ULONG_PTR), NULL ); if (NT_SUCCESS(status)) { *IsWow64Process = !!wow64; } return status; } /** * Gets a process' WOW64 PEB address. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param Peb32 A variable which receives the base address of the process' WOW64 PEB. If the process * is 64-bit, the variable receives NULL. * \return Successful or errant status. */ NTSTATUS PhGetProcessPeb32( _In_ HANDLE ProcessHandle, _Out_ PVOID* Peb32 ) { NTSTATUS status; ULONG_PTR wow64; status = NtQueryInformationProcess( ProcessHandle, ProcessWow64Information, &wow64, sizeof(ULONG_PTR), NULL ); if (NT_SUCCESS(status)) { // No PEB for System, Minimal or Pico processes. (dmex) if (!wow64) return STATUS_UNSUCCESSFUL; *Peb32 = (PVOID)wow64; } return status; } NTSTATUS PhGetProcessPeb( _In_ HANDLE ProcessHandle, _Out_ PVOID* PebBaseAddress ) { NTSTATUS status; PROCESS_BASIC_INFORMATION basicInfo; status = PhGetProcessBasicInformation(ProcessHandle, &basicInfo); if (NT_SUCCESS(status)) { // No PEB for System, Minimal or Pico processes. (dmex) if (!basicInfo.PebBaseAddress) return STATUS_UNSUCCESSFUL; *PebBaseAddress = (PVOID)basicInfo.PebBaseAddress; } return status; } /** * Gets a handle to a process' debug object. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_QUERY_INFORMATION access. * \param DebugObjectHandle A variable which receives a handle to the debug object associated with * the process. You must close the handle when you no longer need it. * \return Successful or errant status. * \retval STATUS_PORT_NOT_SET The process is not being debugged and has no associated debug object. */ NTSTATUS PhGetProcessDebugObject( _In_ HANDLE ProcessHandle, _Out_ PHANDLE DebugObjectHandle ) { return NtQueryInformationProcess( ProcessHandle, ProcessDebugObjectHandle, DebugObjectHandle, sizeof(HANDLE), NULL ); } NTSTATUS PhGetProcessEnergyValues( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_EXTENDED_ENERGY_VALUES EnergyValues ) { return NtQueryInformationProcess( ProcessHandle, ProcessEnergyValues, EnergyValues, sizeof(PROCESS_EXTENDED_ENERGY_VALUES), NULL ); } NTSTATUS PhGetProcessErrorMode( _In_ HANDLE ProcessHandle, _Out_ PULONG ErrorMode ) { return NtQueryInformationProcess( ProcessHandle, ProcessDefaultHardErrorMode, ErrorMode, sizeof(ULONG), NULL ); } /** * Sets the error mode for a process. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_SET_INFORMATION access. * \param ErrorMode The error mode to set for the process. * \return STATUS_SUCCESS if the error mode was successfully set, otherwise an appropriate NTSTATUS error code. */ NTSTATUS PhSetProcessErrorMode( _In_ HANDLE ProcessHandle, _In_ ULONG ErrorMode ) { return NtSetInformationProcess( ProcessHandle, ProcessDefaultHardErrorMode, &ErrorMode, sizeof(ULONG) ); } /** * Gets a process' no-execute status. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_QUERY_INFORMATION access. * \param ExecuteFlags A variable which receives the no-execute flags. * \return Successful or errant status. */ NTSTATUS PhGetProcessExecuteFlags( _In_ HANDLE ProcessHandle, _Out_ PULONG ExecuteFlags ) { return NtQueryInformationProcess( ProcessHandle, ProcessExecuteFlags, ExecuteFlags, sizeof(ULONG), NULL ); } /** * Gets a process' I/O priority. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param IoPriority A variable which receives the I/O priority of the process. * \return Successful or errant status. */ NTSTATUS PhGetProcessIoPriority( _In_ HANDLE ProcessHandle, _Out_ IO_PRIORITY_HINT *IoPriority ) { return NtQueryInformationProcess( ProcessHandle, ProcessIoPriority, IoPriority, sizeof(IO_PRIORITY_HINT), NULL ); } /** * Gets a process' page priority. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param PagePriority A variable which receives the page priority of the process. * \return Successful or errant status. */ NTSTATUS PhGetProcessPagePriority( _In_ HANDLE ProcessHandle, _Out_ PULONG PagePriority ) { NTSTATUS status; PAGE_PRIORITY_INFORMATION pagePriorityInfo; status = NtQueryInformationProcess( ProcessHandle, ProcessPagePriority, &pagePriorityInfo, sizeof(PAGE_PRIORITY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *PagePriority = pagePriorityInfo.PagePriority; } return status; } NTSTATUS PhGetProcessPriorityBoost( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN PriorityBoostDisabled ) { NTSTATUS status; ULONG priorityBoostDisabled; status = NtQueryInformationProcess( ProcessHandle, ProcessPriorityBoost, &priorityBoostDisabled, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { *PriorityBoostDisabled = !!priorityBoostDisabled; } return status; } /** * Gets a process' cycle count. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param CycleTime A variable which receives the 64-bit cycle time. * \return Successful or errant status. */ NTSTATUS PhGetProcessCycleTime( _In_ HANDLE ProcessHandle, _Out_ PULONG64 CycleTime ) { NTSTATUS status; PROCESS_CYCLE_TIME_INFORMATION cycleTimeInfo; status = NtQueryInformationProcess( ProcessHandle, ProcessCycleTime, &cycleTimeInfo, sizeof(PROCESS_CYCLE_TIME_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *CycleTime = cycleTimeInfo.AccumulatedCycles; } return status; } NTSTATUS PhGetProcessUptime( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_UPTIME_INFORMATION Uptime ) { NTSTATUS status; PROCESS_UPTIME_INFORMATION uptimeInfo; status = NtQueryInformationProcess( ProcessHandle, ProcessUptimeInformation, &uptimeInfo, sizeof(PROCESS_UPTIME_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *Uptime = uptimeInfo; } return status; } NTSTATUS PhGetProcessConsoleHostProcessId( _In_ HANDLE ProcessHandle, _Out_ PHANDLE ConsoleHostProcessId ) { NTSTATUS status; ULONG_PTR consoleHostProcess; status = NtQueryInformationProcess( ProcessHandle, ProcessConsoleHostProcess, &consoleHostProcess, sizeof(ULONG_PTR), NULL ); if (NT_SUCCESS(status)) { *ConsoleHostProcessId = (HANDLE)consoleHostProcess; } return status; } NTSTATUS PhGetProcessConsoleHostProcess( _In_ HANDLE ProcessHandle, _Out_ PHANDLE ConsoleHostProcessId, _Out_opt_ PBOOLEAN ConsoleApplication ) { NTSTATUS status; ULONG_PTR consoleHostProcess; status = NtQueryInformationProcess( ProcessHandle, ProcessConsoleHostProcess, &consoleHostProcess, sizeof(ULONG_PTR), NULL ); if (NT_SUCCESS(status)) { *ConsoleHostProcessId = (HANDLE)(consoleHostProcess & ~3); } if (ConsoleApplication) { *ConsoleApplication = !!(ULONG_PTR)(consoleHostProcess & 2); } return status; } NTSTATUS PhGetProcessProtection( _In_ HANDLE ProcessHandle, _Out_ PPS_PROTECTION Protection ) { return NtQueryInformationProcess( ProcessHandle, ProcessProtectionInformation, Protection, sizeof(PS_PROTECTION), NULL ); } NTSTATUS PhGetProcessAffinityMask( _In_ HANDLE ProcessHandle, _Out_ PKAFFINITY AffinityMask ) { NTSTATUS status; KAFFINITY affinityMask; memset(&affinityMask, 0, sizeof(KAFFINITY)); status = NtQueryInformationProcess( ProcessHandle, ProcessAffinityMask, &affinityMask, sizeof(KAFFINITY), NULL ); if (NT_SUCCESS(status)) { *AffinityMask = affinityMask; } else // Windows 7 (dmex) { PROCESS_BASIC_INFORMATION basicInfo; if (NT_SUCCESS(PhGetProcessBasicInformation(ProcessHandle, &basicInfo))) { *AffinityMask = basicInfo.AffinityMask; return STATUS_SUCCESS; } } return status; } NTSTATUS PhGetProcessGroupInformation( _In_ HANDLE ProcessHandle, _Inout_ PUSHORT GroupCount, _Out_ PUSHORT GroupArray ) { NTSTATUS status; ULONG returnLength; // rev from GetProcessGroupAffinity (dmex) status = NtQueryInformationProcess( ProcessHandle, ProcessGroupInformation, GroupArray, sizeof(USHORT) * *GroupCount, &returnLength ); if (NT_SUCCESS(status) || status == STATUS_BUFFER_TOO_SMALL) { *GroupCount = (USHORT)returnLength / sizeof(USHORT); // (USHORT)returnLength >> 1 } return status; } NTSTATUS PhGetProcessGroupAffinity( _In_ HANDLE ProcessHandle, _Out_ PGROUP_AFFINITY GroupAffinity ) { NTSTATUS status; GROUP_AFFINITY groupAffinity; memset(&groupAffinity, 0, sizeof(GROUP_AFFINITY)); status = NtQueryInformationProcess( ProcessHandle, ProcessAffinityMask, &groupAffinity, sizeof(GROUP_AFFINITY), NULL ); if (NT_SUCCESS(status)) { memcpy(GroupAffinity, &groupAffinity, sizeof(GROUP_AFFINITY)); } else // Windows 7 (dmex) { KAFFINITY affinityMask; if (NT_SUCCESS(PhGetProcessAffinityMask(ProcessHandle, &affinityMask))) { groupAffinity.Mask = affinityMask; memcpy(GroupAffinity, &groupAffinity, sizeof(GROUP_AFFINITY)); return STATUS_SUCCESS; } } return status; } NTSTATUS PhGetProcessIsCFGuardEnabled( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsControlFlowGuardEnabled ) { NTSTATUS status; PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; policyInfo.Policy = ProcessControlFlowGuardPolicy; policyInfo.ControlFlowGuardPolicy.Flags = 0; status = NtQueryInformationProcess( ProcessHandle, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *IsControlFlowGuardEnabled = !!policyInfo.ControlFlowGuardPolicy.EnableControlFlowGuard; } return status; } NTSTATUS PhGetProcessIsXFGuardEnabled( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsXFGuardEnabled, _Out_ PBOOLEAN IsXFGuardAuditEnabled ) { NTSTATUS status; PROCESS_MITIGATION_POLICY_INFORMATION policyInfo; policyInfo.Policy = ProcessControlFlowGuardPolicy; policyInfo.ControlFlowGuardPolicy.Flags = 0; status = NtQueryInformationProcess( ProcessHandle, ProcessMitigationPolicy, &policyInfo, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { #if !defined(NTDDI_WIN10_CO) || (NTDDI_VERSION < NTDDI_WIN10_CO) *IsXFGuardEnabled = _bittest((const PLONG)&policyInfo.ControlFlowGuardPolicy.Flags, 3); *IsXFGuardAuditEnabled = _bittest((const PLONG)&policyInfo.ControlFlowGuardPolicy.Flags, 4); #else *IsXFGuardEnabled = !!policyInfo.ControlFlowGuardPolicy.EnableXfg; *IsXFGuardAuditEnabled = !!policyInfo.ControlFlowGuardPolicy.EnableXfgAuditMode; #endif } return status; } NTSTATUS PhGetProcessHandleCount( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_HANDLE_INFORMATION HandleInfo ) { return NtQueryInformationProcess( ProcessHandle, ProcessHandleCount, HandleInfo, sizeof(PROCESS_HANDLE_INFORMATION), NULL ); } NTSTATUS PhGetProcessBreakOnTermination( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN BreakOnTermination ) { NTSTATUS status; ULONG breakOnTermination; status = NtQueryInformationProcess( ProcessHandle, ProcessBreakOnTermination, &breakOnTermination, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { *BreakOnTermination = !!breakOnTermination; } return status; } NTSTATUS PhSetProcessBreakOnTermination( _In_ HANDLE ProcessHandle, _In_ BOOLEAN BreakOnTermination ) { ULONG breakOnTermination; breakOnTermination = BreakOnTermination ? 1 : 0; return NtSetInformationProcess( ProcessHandle, ProcessBreakOnTermination, &breakOnTermination, sizeof(ULONG) ); } NTSTATUS PhGetProcessAppMemoryInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_JOB_MEMORY_INFO JobMemoryInfo ) { NTSTATUS status; PROCESS_JOB_MEMORY_INFO jobMemoryInfo; // Win32 called this ProcessAppMemoryInfo with APP_MEMORY_INFORMATION struct (dmex) status = NtQueryInformationProcess( ProcessHandle, ProcessJobMemoryInformation, &jobMemoryInfo, sizeof(PROCESS_JOB_MEMORY_INFO), NULL ); if (NT_SUCCESS(status)) { *JobMemoryInfo = jobMemoryInfo; } return status; } NTSTATUS PhGetProcessMitigationPolicy( _In_ HANDLE ProcessHandle, _In_ PROCESS_MITIGATION_POLICY Policy, _Out_ PPROCESS_MITIGATION_POLICY_INFORMATION MitigationPolicy ) { memset(MitigationPolicy, 0, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION)); MitigationPolicy->Policy = Policy; return NtQueryInformationProcess( ProcessHandle, ProcessMitigationPolicy, MitigationPolicy, sizeof(PROCESS_MITIGATION_POLICY_INFORMATION), NULL ); } NTSTATUS PhGetProcessNetworkIoCounters( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_NETWORK_COUNTERS NetworkIoCounters ) { return NtQueryInformationProcess( ProcessHandle, ProcessNetworkIoCounters, NetworkIoCounters, sizeof(PROCESS_NETWORK_COUNTERS), NULL ); } /** * Queries variable-sized information for a process. The function allocates a buffer to contain the * information. * * \param ProcessHandle A handle to a process. The access required depends on the information class * specified. * \param ProcessInformationClass The information class to retrieve. * \param Buffer A variable which receives a pointer to a buffer containing the information. You * must free the buffer using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpQueryProcessVariableSize( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; PVOID buffer; ULONG returnLength = 0; status = NtQueryInformationProcess( ProcessHandle, ProcessInformationClass, NULL, 0, &returnLength ); if (status != STATUS_BUFFER_OVERFLOW && status != STATUS_BUFFER_TOO_SMALL && status != STATUS_INFO_LENGTH_MISMATCH) { *Buffer = NULL; return status; } buffer = PhAllocate(returnLength); status = NtQueryInformationProcess( ProcessHandle, ProcessInformationClass, buffer, returnLength, &returnLength ); if (NT_SUCCESS(status)) { *Buffer = buffer; } else { PhFree(buffer); *Buffer = NULL; } return status; } /** * Gets the cookie of the process. * A ProcessCookie is a per-process random value generated by the Windows kernel. * Its main purpose is to help protect against certain types of security attacks, * such as handle prediction and spoofing. By associating a unique, unpredictable * cookie with each process, the system can use it as part of internal validation * checks-making it harder for malicious code to guess or forge process information. * \param ProcessHandle Handle to the process for which the cookie is retrieved. * \param ProcessModifiedCookie Pointer to a ULONG that receives the modified process cookie. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessModifiedCookie( _In_ HANDLE ProcessHandle, _Out_ PULONG ProcessModifiedCookie ) { NTSTATUS status; ULONG processCookie; status = NtQueryInformationProcess( ProcessHandle, ProcessCookie, &processCookie, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { *ProcessModifiedCookie = (0x7FFFFFED * processCookie + 0x7FFFFFC3) % 0x7FFFFFFF; } return status; } /** * Gets the file name of the process' image. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param FileName A variable which receives a pointer to a string containing the file name. You * must free the string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessImageFileName( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName ) { NTSTATUS status; PUNICODE_STRING fileName; ULONG bufferLength; ULONG returnLength = 0; bufferLength = sizeof(UNICODE_STRING) + DOS_MAX_PATH_LENGTH * sizeof(WCHAR); fileName = PhAllocateStack(bufferLength); if (!fileName) return STATUS_NO_MEMORY; status = NtQueryInformationProcess( ProcessHandle, ProcessImageFileName, fileName, bufferLength, &returnLength ); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFreeStack(fileName); bufferLength = returnLength; fileName = PhAllocateStack(bufferLength); if (!fileName) return STATUS_NO_MEMORY; status = NtQueryInformationProcess( ProcessHandle, ProcessImageFileName, fileName, bufferLength, &returnLength ); } if (!NT_SUCCESS(status)) { PhFreeStack(fileName); return status; } // Note: Some minimal/pico processes have UNICODE_NULL as their filename. (dmex) if (RtlIsNullOrEmptyUnicodeString(fileName)) { PhFreeStack(fileName); return STATUS_UNSUCCESSFUL; } *FileName = PhCreateStringFromUnicodeString(fileName); PhFreeStack(fileName); return status; } /** * Gets the Win32 file name of the process' image. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION access. * \param FileName A variable which receives a pointer to a string containing the file name. You * must free the string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. * \remarks This function is only available on Windows Vista and above. */ NTSTATUS PhGetProcessImageFileNameWin32( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName ) { NTSTATUS status; PUNICODE_STRING fileName; ULONG bufferLength; ULONG returnLength = 0; bufferLength = sizeof(UNICODE_STRING) + DOS_MAX_PATH_LENGTH * sizeof(WCHAR); fileName = PhAllocateStack(bufferLength); if (!fileName) return STATUS_NO_MEMORY; status = NtQueryInformationProcess( ProcessHandle, ProcessImageFileNameWin32, fileName, bufferLength, &returnLength ); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFreeStack(fileName); bufferLength = returnLength; fileName = PhAllocateStack(bufferLength); if (!fileName) return STATUS_NO_MEMORY; status = NtQueryInformationProcess( ProcessHandle, ProcessImageFileNameWin32, fileName, bufferLength, &returnLength ); } if (NT_SUCCESS(status)) { PPH_STRING fileNameWin32; // Note: Some minimal/pico processes have UNICODE_NULL as their filename. (dmex) if (RtlIsNullOrEmptyUnicodeString(fileName)) { PhFreeStack(fileName); return STATUS_UNSUCCESSFUL; } fileNameWin32 = PhCreateStringFromUnicodeString(fileName); // Note: ProcessImageFileNameWin32 returns the NT device path // instead of the Win32 path in some cases were drivers haven't // registered with the volume manager or have ignored the mount // manager (e.g. ImDisk). We workaround these issues by calling // PhGetFileName and resolving the NT device prefix. (dmex) if (fileNameWin32->Buffer[0] == OBJ_NAME_PATH_SEPARATOR) { PhMoveReference(&fileNameWin32, PhGetFileName(fileNameWin32)); } *FileName = fileNameWin32; } PhFreeStack(fileName); return status; } /** * Gets the file name of the process' image by a PID. * * \param ProcessId A unique identifier of the process. * \param FullFileName A variable which receives a pointer to a string containing the full name * of the file. You must free the string using PhDereferenceObject() when you no longer need it. * \param FileName A variable which receives a pointer to a string containing the file name without * the path. You must free the string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessImageFileNameById( _In_ HANDLE ProcessId, _Out_opt_ PPH_STRING *FullFileName, _Out_opt_ PPH_STRING *FileName ) { NTSTATUS status; PVOID buffer; USHORT bufferSize; SYSTEM_PROCESS_ID_INFORMATION processIdInfo; if (!FullFileName && !FileName) return STATUS_INVALID_PARAMETER_MIX; bufferSize = 0x200; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; processIdInfo.ProcessId = ProcessId; processIdInfo.ImageName.Length = 0; processIdInfo.ImageName.MaximumLength = bufferSize; processIdInfo.ImageName.Buffer = buffer; status = NtQuerySystemInformation( SystemProcessIdInformation, &processIdInfo, sizeof(SYSTEM_PROCESS_ID_INFORMATION), NULL ); if (status == STATUS_INFO_LENGTH_MISMATCH) { // Required length is stored in MaximumLength. PhFreeStack(buffer); buffer = PhAllocateStack(processIdInfo.ImageName.MaximumLength); if (!buffer) return STATUS_NO_MEMORY; processIdInfo.ImageName.Buffer = buffer; status = NtQuerySystemInformation( SystemProcessIdInformation, &processIdInfo, sizeof(SYSTEM_PROCESS_ID_INFORMATION), NULL ); } if (!NT_SUCCESS(status)) { PhFreeStack(buffer); return status; } if (FullFileName) { *FullFileName = PhCreateStringFromUnicodeString(&processIdInfo.ImageName); } if (FileName) { PH_STRINGREF stringRef; ULONG_PTR index; stringRef.Length = processIdInfo.ImageName.Length; stringRef.Buffer = processIdInfo.ImageName.Buffer; // Find where the name starts index = PhFindLastCharInStringRef(&stringRef, L'\\', FALSE); if (index == SIZE_MAX) *FileName = PhCreateStringFromUnicodeString(&processIdInfo.ImageName); else { // Reference the tail only stringRef.Buffer = PTR_ADD_OFFSET(stringRef.Buffer, index * sizeof(WCHAR) + sizeof(UNICODE_NULL)); stringRef.Length = stringRef.Length - index * sizeof(WCHAR) - sizeof(UNICODE_NULL); *FileName = PhCreateString2(&stringRef); } } PhFreeStack(buffer); return status; } /** * Gets the file name of a process' image. * * \param ProcessId The ID of the process. * \param FileName A variable which receives a pointer to a string containing the file name. You * must free the string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. * \remarks This function only works on Windows Vista and above. There does not appear to be any * access checking performed by the kernel for this. */ NTSTATUS PhGetProcessImageFileNameByProcessId( _In_opt_ HANDLE ProcessId, _Out_ PPH_STRING *FileName ) { NTSTATUS status; PVOID buffer; USHORT bufferSize; SYSTEM_PROCESS_ID_INFORMATION processIdInfo; bufferSize = 0x200; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; processIdInfo.ProcessId = ProcessId; processIdInfo.ImageName.Length = 0; processIdInfo.ImageName.MaximumLength = bufferSize; processIdInfo.ImageName.Buffer = buffer; status = NtQuerySystemInformation( SystemProcessIdInformation, &processIdInfo, sizeof(SYSTEM_PROCESS_ID_INFORMATION), NULL ); if (status == STATUS_INFO_LENGTH_MISMATCH) { // Required length is stored in MaximumLength. PhFreeStack(buffer); buffer = PhAllocateStack(processIdInfo.ImageName.MaximumLength); if (!buffer) return STATUS_NO_MEMORY; processIdInfo.ImageName.Buffer = buffer; status = NtQuerySystemInformation( SystemProcessIdInformation, &processIdInfo, sizeof(SYSTEM_PROCESS_ID_INFORMATION), NULL ); } if (!NT_SUCCESS(status)) { PhFreeStack(buffer); return status; } // Note: Some minimal/pico processes have UNICODE_NULL as their filename. (dmex) if (RtlIsNullOrEmptyUnicodeString(&processIdInfo.ImageName)) { PhFreeStack(buffer); return STATUS_UNSUCCESSFUL; } *FileName = PhCreateStringFromUnicodeString(&processIdInfo.ImageName); PhFreeStack(buffer); return status; } /** * Gets whether a process is being debugged. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_QUERY_INFORMATION access. * \param IsBeingDebugged A variable which receives a boolean indicating whether the process is being debugged. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessIsBeingDebugged( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsBeingDebugged ) { NTSTATUS status; PVOID debugHandle; status = NtQueryInformationProcess( ProcessHandle, ProcessDebugPort, &debugHandle, sizeof(PVOID), NULL ); if (NT_SUCCESS(status)) { *IsBeingDebugged = !!debugHandle; return status; } if (KsiLevel() >= KphLevelLow) { KPH_PROCESS_STATE processState; status = KphQueryInformationProcess( ProcessHandle, KphProcessStateInformation, &processState, sizeof(processState), NULL ); if (NT_SUCCESS(status)) { *IsBeingDebugged = !BooleanFlagOn(processState, KPH_PROCESS_NOT_BEING_DEBUGGED); } } return status; } /** * Determines if a process has started termination. * * \param[in] ProcessHandle A handle to the process whose termination state is to be retrieved. * \param[out] IsTerminated A pointer to a variable that receives the termination state (TRUE if terminated). * \return Successful or errant status. * \remarks The handle must have PROCESS_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetProcessIsTerminating( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsTerminated ) { NTSTATUS status; PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; status = PhGetProcessExtendedBasicInformation(ProcessHandle, &basicInfo); if (NT_SUCCESS(status)) { *IsTerminated = !!basicInfo.IsProcessDeleting; } return status; } /** * Determines if a process has terminated by waiting with zero timeout. * * \param[in] ProcessHandle A handle to the process. * \return TRUE if the process is terminated, FALSE otherwise. * \remarks The handle must have SYNCRONIZE access. */ NTSTATUS PhGetProcessIsTerminated( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsTerminated ) { NTSTATUS status; LARGE_INTEGER timeout; memset(&timeout, 0, sizeof(LARGE_INTEGER)); status = NtWaitForSingleObject( ProcessHandle, FALSE, &timeout ); *IsTerminated = status == STATUS_WAIT_0; return status; } /** * Retrieves the device map for a specified process. * * \param ProcessHandle Handle to the process whose device map is to be queried. * \param DeviceMap Pointer to a ULONG that receives the device map value. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessDeviceMap( _In_ HANDLE ProcessHandle, _Out_ PULONG DeviceMap ) { NTSTATUS status; #ifndef _WIN64 PROCESS_DEVICEMAP_INFORMATION deviceMapInfo; #else PROCESS_DEVICEMAP_INFORMATION_EX deviceMapInfo; #endif memset(&deviceMapInfo, 0, sizeof(deviceMapInfo)); status = NtQueryInformationProcess( ProcessHandle, ProcessDeviceMap, &deviceMapInfo, sizeof(deviceMapInfo), NULL ); if (NT_SUCCESS(status)) { if (DeviceMap) { *DeviceMap = deviceMapInfo.Query.DriveMap; } } return status; } /** * Gets a string stored in a process' parameters structure. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param Offset The string to retrieve. * \param String A variable which receives a pointer to the requested string. You must free the * string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. * \retval STATUS_INVALID_PARAMETER_2 An invalid value was specified in the Offset parameter. */ NTSTATUS PhGetProcessPebString( _In_ HANDLE ProcessHandle, _In_ PH_PEB_OFFSET Offset, _Out_ PPH_STRING *String ) { NTSTATUS status; PPH_STRING string; ULONG offset; #define PEB_OFFSET_CASE(Enum, Field) \ case Enum: offset = FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, Field); break; \ case Enum | PhpoWow64: offset = FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS32, Field); break switch (Offset) { PEB_OFFSET_CASE(PhpoCurrentDirectory, CurrentDirectory); PEB_OFFSET_CASE(PhpoDllPath, DllPath); PEB_OFFSET_CASE(PhpoImagePathName, ImagePathName); PEB_OFFSET_CASE(PhpoCommandLine, CommandLine); PEB_OFFSET_CASE(PhpoWindowTitle, WindowTitle); PEB_OFFSET_CASE(PhpoDesktopInfo, DesktopInfo); PEB_OFFSET_CASE(PhpoShellInfo, ShellInfo); PEB_OFFSET_CASE(PhpoRuntimeData, RuntimeData); default: return STATUS_INVALID_PARAMETER_2; } if (!(Offset & PhpoWow64)) { PVOID pebBaseAddress; PVOID processParameters; UNICODE_STRING unicodeString; // Get the PEB address. if (!NT_SUCCESS(status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress))) return status; // Read the address of the process parameters. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, FIELD_OFFSET(PEB, ProcessParameters)), &processParameters, sizeof(PVOID), NULL ))) return status; // Read the string structure. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processParameters, offset), &unicodeString, sizeof(UNICODE_STRING), NULL ))) return status; if (RtlIsNullOrEmptyUnicodeString(&unicodeString)) { *String = PhReferenceEmptyString(); return status; } string = PhCreateStringEx(NULL, unicodeString.Length); // Read the string contents. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, unicodeString.Buffer, string->Buffer, string->Length, NULL ))) { PhDereferenceObject(string); return status; } } else { PVOID pebBaseAddress32; ULONG processParameters32; UNICODE_STRING32 unicodeString32; if (!NT_SUCCESS(status = PhGetProcessPeb32(ProcessHandle, &pebBaseAddress32))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress32, FIELD_OFFSET(PEB32, ProcessParameters)), &processParameters32, sizeof(ULONG), NULL ))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processParameters32, offset), &unicodeString32, sizeof(UNICODE_STRING32), NULL ))) return status; if (unicodeString32.Length == 0) { *String = PhReferenceEmptyString(); return status; } string = PhCreateStringEx(NULL, unicodeString32.Length); // Read the string contents. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, UlongToPtr(unicodeString32.Buffer), string->Buffer, string->Length, NULL ))) { PhDereferenceObject(string); return status; } } *String = string; return status; } /** * Gets a process' command line. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION. Before Windows 8.1, the handle must also have PROCESS_VM_READ * access. * \param CommandLine A variable which receives a pointer to a string containing the command line. You * must free the string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessCommandLine( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *CommandLine ) { if (WindowsVersion >= WINDOWS_8_1) { NTSTATUS status; PUNICODE_STRING buffer; ULONG bufferLength; ULONG returnLength = 0; bufferLength = sizeof(UNICODE_STRING) + DOS_MAX_PATH_LENGTH * sizeof(WCHAR); buffer = PhAllocateStack(bufferLength); if (!buffer) return STATUS_NO_MEMORY; status = NtQueryInformationProcess( ProcessHandle, ProcessCommandLineInformation, buffer, bufferLength, &returnLength ); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFreeStack(buffer); bufferLength = returnLength; buffer = PhAllocateStack(bufferLength); if (!buffer) return STATUS_NO_MEMORY; status = NtQueryInformationProcess( ProcessHandle, ProcessCommandLineInformation, buffer, bufferLength, &returnLength ); } if (NT_SUCCESS(status)) { *CommandLine = PhCreateStringFromUnicodeString(buffer); } PhFreeStack(buffer); return status; } return PhGetProcessPebString(ProcessHandle, PhpoCommandLine, CommandLine); } /** * Retrieves the command line string reference for the current process. * * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessCommandLineStringRef( _Out_ PPH_STRINGREF CommandLine ) { PhUnicodeStringToStringRef(&NtCurrentPeb()->ProcessParameters->CommandLine, CommandLine); return STATUS_SUCCESS; } /** * Retrieves the current directory of a specified process. * * \param ProcessHandle A handle to the process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param IsWow64 Specifies whether to retrieve the current directory from the WOW64 PEB (TRUE) or the native PEB (FALSE). * \param CurrentDirectory A variable which receives a pointer to a string containing the current directory. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessCurrentDirectory( _In_ HANDLE ProcessHandle, _In_ BOOLEAN IsWow64, _Out_ PPH_STRING* CurrentDirectory ) { return PhGetProcessPebString(ProcessHandle, PhpoCurrentDirectory | (IsWow64 ? PhpoWow64 : PhpoNone), CurrentDirectory); } /** * Retrieves the desktop information string for a specified process. * * \param ProcessHandle A handle to the process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param DesktopInfo A variable which receives a pointer to a string containing the desktop information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessDesktopInfo( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING* DesktopInfo ) { return PhGetProcessPebString(ProcessHandle, PhpoDesktopInfo, DesktopInfo); } /** * Gets the window flags and window title of a process. * * \param ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION. Before Windows 7 SP1, the handle must also have * PROCESS_VM_READ access. * \param WindowFlags A variable which receives the window flags. * \param WindowTitle A variable which receives a pointer to the window title. You must free the * string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessWindowTitle( _In_ HANDLE ProcessHandle, _Out_ PULONG WindowFlags, _Out_ PPH_STRING *WindowTitle ) { NTSTATUS status; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif ULONG windowFlags; PPROCESS_WINDOW_INFORMATION windowInfo; ULONG bufferLength; ULONG returnLength = 0; bufferLength = UFIELD_OFFSET(PROCESS_WINDOW_INFORMATION, WindowTitle[DOS_MAX_PATH_LENGTH]) + sizeof(UNICODE_NULL); windowInfo = PhAllocate(bufferLength); status = NtQueryInformationProcess( ProcessHandle, ProcessWindowInformation, windowInfo, bufferLength, &returnLength ); if (status == STATUS_INFO_LENGTH_MISMATCH) { PhFree(windowInfo); bufferLength = returnLength; windowInfo = PhAllocate(bufferLength); status = NtQueryInformationProcess( ProcessHandle, ProcessWindowInformation, windowInfo, bufferLength, &returnLength ); } if (NT_SUCCESS(status)) { *WindowFlags = windowInfo->WindowFlags; *WindowTitle = PhCreateStringEx(windowInfo->WindowTitle, windowInfo->WindowTitleLength); PhFree(windowInfo); return status; } #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (!isWow64) #endif { PVOID pebBaseAddress; PVOID processParameters; // Get the PEB address. if (!NT_SUCCESS(status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress))) return status; // Read the address of the process parameters. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, FIELD_OFFSET(PEB, ProcessParameters)), &processParameters, sizeof(PVOID), NULL ))) return status; // Read the window flags. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processParameters, FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, WindowFlags)), &windowFlags, sizeof(ULONG), NULL ))) return status; } #ifdef _WIN64 else { PVOID pebBaseAddress32; ULONG processParameters32; if (!NT_SUCCESS(status = PhGetProcessPeb32(ProcessHandle, &pebBaseAddress32))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress32, FIELD_OFFSET(PEB32, ProcessParameters)), &processParameters32, sizeof(ULONG), NULL ))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processParameters32, FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS32, WindowFlags)), &windowFlags, sizeof(ULONG), NULL ))) return status; } #endif #ifdef _WIN64 status = PhGetProcessPebString(ProcessHandle, PhpoWindowTitle | (isWow64 ? PhpoWow64 : PhpoNone), WindowTitle); #else status = PhGetProcessPebString(ProcessHandle, PhpoWindowTitle, WindowTitle); #endif if (NT_SUCCESS(status)) *WindowFlags = windowFlags; return status; } /** * Retrieves the Data Execution Prevention (DEP) status for a specified process. * * \param ProcessHandle Handle to the process whose DEP status is to be queried. * \param DepStatus Pointer to a variable that receives the DEP status flags. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessDepStatus( _In_ HANDLE ProcessHandle, _Out_ PULONG DepStatus ) { NTSTATUS status; ULONG executeFlags; ULONG depStatus; if (!NT_SUCCESS(status = PhGetProcessExecuteFlags( ProcessHandle, &executeFlags ))) return status; // Check if execution of data pages is enabled. // TODO: if we want real, effective DEP status here as computed by nt!MiCanGrantExecute (x64 oskernels): // canGrantExecEvenForNxPages = (EPROCESS.WoW64Process && EPROCESS.Machine == IMAGE_FILE_MACHINE_I386) // && (KF_GLOBAL_32BIT_EXECUTE || MEM_EXECUTE_OPTION_ENABLE // || (!KF_GLOBAL_32BIT_NOEXECUTE && !MEM_EXECUTE_OPTION_DISABLE)); if (executeFlags & MEM_EXECUTE_OPTION_DISABLE) depStatus = PH_PROCESS_DEP_ENABLED; else depStatus = 0; if (executeFlags & MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION) depStatus |= PH_PROCESS_DEP_ATL_THUNK_EMULATION_DISABLED; if (executeFlags & MEM_EXECUTE_OPTION_PERMANENT) depStatus |= PH_PROCESS_DEP_PERMANENT; *DepStatus = depStatus; return status; } /** * Gets a process' environment block. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_QUERY_INFORMATION and * PROCESS_VM_READ access. * \param IsWow64Process A variable which receives a boolean indicating whether the process is 32-bit. * \li \c PH_GET_PROCESS_ENVIRONMENT_WOW64 Retrieve the environment block from the WOW64 PEB. * \param Environment A variable which will receive a pointer to the environment block copied from * the process. You must free the block using PhFreePage() when you no longer need it. * \param EnvironmentLength A variable which will receive the length of the environment block, in bytes. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessEnvironment( _In_ HANDLE ProcessHandle, _In_ BOOLEAN IsWow64Process, _Out_ PVOID *Environment, _Out_ PULONG EnvironmentLength ) { NTSTATUS status; PVOID environmentRemote; MEMORY_BASIC_INFORMATION basicInfo; PVOID environment; SIZE_T environmentLength; ULONG_PTR environmenOffset; if (IsWow64Process) { PVOID pebBaseAddress32; ULONG processParameters32; ULONG environmentRemote32; status = PhGetProcessPeb32(ProcessHandle, &pebBaseAddress32); if (!NT_SUCCESS(status)) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress32, UFIELD_OFFSET(PEB32, ProcessParameters)), &processParameters32, sizeof(ULONG), NULL ))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processParameters32, UFIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS32, Environment)), &environmentRemote32, sizeof(ULONG), NULL ))) return status; environmentRemote = UlongToPtr(environmentRemote32); } else { PVOID pebBaseAddress; PVOID processParameters; status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB, ProcessParameters)), &processParameters, sizeof(PVOID), NULL ))) return status; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(processParameters, UFIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, Environment)), &environmentRemote, sizeof(PVOID), NULL ))) return status; } if (!NT_SUCCESS(status = NtQueryVirtualMemory( ProcessHandle, environmentRemote, MemoryBasicInformation, &basicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL ))) return status; // Read in the entire region of memory. #if defined(PH_NATIVE_ENVCHECK) environmentLength = (SIZE_T)PTR_SUB_OFFSET(mbi.RegionSize, PTR_SUB_OFFSET(environmentRemote, mbi.BaseAddress)); #else // Check environment address is valid for the region. (dmex) status = RtlULongPtrSub( (ULONG_PTR)environmentRemote, (ULONG_PTR)basicInfo.BaseAddress, &environmenOffset ); if (!NT_SUCCESS(status)) return status; if (environmenOffset > (ULONG_PTR)basicInfo.RegionSize) return STATUS_FAIL_CHECK; status = RtlSizeTSub( (SIZE_T)basicInfo.RegionSize, (SIZE_T)environmenOffset, &environmentLength ); if (!NT_SUCCESS(status)) return status; #endif environment = PhAllocatePage(environmentLength, NULL); if (!environment) return STATUS_NO_MEMORY; if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, environmentRemote, environment, environmentLength, NULL ))) { PhFreePage(environment); return status; } *Environment = environment; if (EnvironmentLength) *EnvironmentLength = (ULONG)environmentLength; return status; } /** * Gets the file name of a mapped section. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_QUERY_INFORMATION access. * \param BaseAddress The base address of the section view. * \param FileName A variable which receives a pointer to a string containing the file name of the * section. You must free the string using PhDereferenceObject() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessMappedFileName( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PPH_STRING *FileName ) { NTSTATUS status; SIZE_T bufferSize; SIZE_T returnLength; PUNICODE_STRING buffer; returnLength = 0; bufferSize = 0x200; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; status = NtQueryVirtualMemory( ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, buffer, bufferSize, &returnLength ); if (status == STATUS_BUFFER_OVERFLOW && returnLength > 0) // returnLength > 0 required for MemoryMappedFilename on Windows 7 SP1 (dmex) { PhFreeStack(buffer); bufferSize = returnLength; buffer = PhAllocateStack(bufferSize); if (!buffer) return STATUS_NO_MEMORY; status = NtQueryVirtualMemory( ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, buffer, bufferSize, &returnLength ); } if (!NT_SUCCESS(status)) { PhFreeStack(buffer); return status; } *FileName = PhCreateStringFromUnicodeString(buffer); PhFreeStack(buffer); return status; } /** * Retrieves information about a mapped image in the virtual memory of a process. * * \param ProcessHandle Handle to the process whose memory is being queried. * \param BaseAddress Base address of the mapped image in the process's virtual memory. * \param ImageInformation Pointer to a MEMORY_IMAGE_INFORMATION structure that receives the image information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessMappedImageInformation( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PMEMORY_IMAGE_INFORMATION ImageInformation ) { NTSTATUS status; MEMORY_IMAGE_INFORMATION imageInformation; status = NtQueryVirtualMemory( ProcessHandle, BaseAddress, MemoryImageInformation, &imageInformation, sizeof(MEMORY_IMAGE_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *ImageInformation = imageInformation; } return status; } /** * Retrieves the base address and optional size of a mapped image in a process, given an address within the image. * * This function queries the process for image mapping information at the specified address. * If the address is valid and corresponds to an executable image, the base address and size * (if requested) are returned. Otherwise, an unsuccessful status is returned. * * \param ProcessHandle Handle to the target process. * \param Address Address within the mapped image in the target process. * \param ImageBaseAddress Receives the base address of the mapped image. * \param SizeOfImage Optional pointer to receive the size of the mapped image. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessMappedImageBaseFromAddress( _In_ HANDLE ProcessHandle, _In_ PVOID Address, _Out_ PVOID* ImageBaseAddress, _Out_opt_ PSIZE_T SizeOfImage ) { NTSTATUS status; MEMORY_IMAGE_INFORMATION imageInfo; status = PhGetProcessMappedImageInformation( ProcessHandle, Address, &imageInfo ); if (!NT_SUCCESS(status)) return status; if (!imageInfo.ImageBase || imageInfo.ImageNotExecutable || imageInfo.ImagePartialMap) return STATUS_UNSUCCESSFUL; if (Address < imageInfo.ImageBase || (imageInfo.SizeOfImage && ((ULONG_PTR)Address >= (ULONG_PTR)imageInfo.ImageBase + imageInfo.SizeOfImage))) return STATUS_UNSUCCESSFUL; *ImageBaseAddress = imageInfo.ImageBase; if (SizeOfImage) { *SizeOfImage = imageInfo.SizeOfImage; } return STATUS_SUCCESS; } /** * Gets working set information for a process. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_QUERY_INFORMATION access. * \param WorkingSetInformation A variable which receives a pointer to the information. You must * free the buffer using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessWorkingSetInformation( _In_ HANDLE ProcessHandle, _Out_ PMEMORY_WORKING_SET_INFORMATION *WorkingSetInformation ) { NTSTATUS status; PMEMORY_WORKING_SET_INFORMATION buffer; SIZE_T bufferSize; ULONG attempts = 0; bufferSize = 0x8000; buffer = PhAllocate(bufferSize); status = NtQueryVirtualMemory( ProcessHandle, NULL, MemoryWorkingSetInformation, buffer, bufferSize, NULL ); while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { bufferSize = UFIELD_OFFSET(MEMORY_WORKING_SET_INFORMATION, WorkingSetInfo[buffer->NumberOfEntries]); PhFree(buffer); buffer = PhAllocate(bufferSize); status = NtQueryVirtualMemory( ProcessHandle, NULL, MemoryWorkingSetInformation, buffer, bufferSize, NULL ); attempts++; } if (!NT_SUCCESS(status)) { // Fall back to using the previous code that we've used since Windows 7 (dmex) bufferSize = 0x8000; buffer = PhAllocate(bufferSize); while ((status = NtQueryVirtualMemory( ProcessHandle, NULL, MemoryWorkingSetInformation, buffer, bufferSize, NULL )) == STATUS_INFO_LENGTH_MISMATCH) { PhFree(buffer); bufferSize *= 2; // Fail if we're resizing the buffer to something very large. if (bufferSize > PH_LARGE_BUFFER_SIZE) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *WorkingSetInformation = (PMEMORY_WORKING_SET_INFORMATION)buffer; return status; } /** * Gets working set counters for a process. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_QUERY_INFORMATION access. * \param WsCounters A variable which receives the counters. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessWsCounters( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_WS_COUNTERS WsCounters ) { NTSTATUS status; PMEMORY_WORKING_SET_INFORMATION wsInfo; PH_PROCESS_WS_COUNTERS wsCounters; ULONG_PTR i; if (!NT_SUCCESS(status = PhGetProcessWorkingSetInformation( ProcessHandle, &wsInfo ))) return status; memset(&wsCounters, 0, sizeof(PH_PROCESS_WS_COUNTERS)); for (i = 0; i < wsInfo->NumberOfEntries; i++) { wsCounters.NumberOfPages++; if (wsInfo->WorkingSetInfo[i].ShareCount > 1) wsCounters.NumberOfSharedPages++; if (wsInfo->WorkingSetInfo[i].ShareCount == 0) wsCounters.NumberOfPrivatePages++; if (wsInfo->WorkingSetInfo[i].Shared) wsCounters.NumberOfShareablePages++; } PhFree(wsInfo); *WsCounters = wsCounters; return status; } /** * Retrieves the mandatory integrity policy for a specified process. * * \param ProcessHandle A handle to the process whose mandatory policy is to be queried. * \param Mask A pointer to an ACCESS_MASK variable that receives the mandatory policy mask. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessMandatoryPolicy( _In_ HANDLE ProcessHandle, _Out_ PACCESS_MASK Mask ) { NTSTATUS status; BOOLEAN found = FALSE; ACCESS_MASK currentMask = 0; PSYSTEM_MANDATORY_LABEL_ACE currentAce; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentSaclPresent; BOOLEAN currentSaclDefaulted; PACL currentSacl; status = PhGetObjectSecurity( ProcessHandle, LABEL_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (!NT_SUCCESS(status)) return status; status = PhGetSaclSecurityDescriptor( currentSecurityDescriptor, ¤tSaclPresent, ¤tSacl, ¤tSaclDefaulted ); if (!NT_SUCCESS(status)) goto CleanupExit; if (!(currentSaclPresent && currentSacl)) goto CleanupExit; for (USHORT i = 0; i < currentSacl->AceCount; i++) { status = PhGetAce(currentSacl, i, ¤tAce); if (!NT_SUCCESS(status)) break; if (currentAce->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) { currentMask = currentAce->Mask; found = TRUE; break; } } CleanupExit: PhFree(currentSecurityDescriptor); if (NT_SUCCESS(status)) { if (found) { *Mask = currentMask; status = STATUS_SUCCESS; } else { status = STATUS_NOT_FOUND; } } return status; } /** * Sets the mandatory label policy for a specified process. * * \param ProcessHandle Handle to the target process. * \param Mask Mandatory label policy mask to apply. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessMandatoryPolicy( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK Mask ) { NTSTATUS status; PSYSTEM_MANDATORY_LABEL_ACE currentAce; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentSaclPresent; BOOLEAN currentSaclDefaulted; PACL currentSacl; status = PhGetObjectSecurity( ProcessHandle, LABEL_SECURITY_INFORMATION, ¤tSecurityDescriptor ); if (!NT_SUCCESS(status)) return status; status = PhGetSaclSecurityDescriptor( currentSecurityDescriptor, ¤tSaclPresent, ¤tSacl, ¤tSaclDefaulted ); if (!NT_SUCCESS(status)) goto CleanupExit; status = STATUS_UNSUCCESSFUL; if (!(currentSaclPresent && currentSacl)) goto CleanupExit; for (USHORT i = 0; i < currentSacl->AceCount; i++) { status = PhGetAce(currentSacl, i, ¤tAce); if (!NT_SUCCESS(status)) break; if (currentAce->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) { currentAce->Mask = Mask; status = PhSetObjectSecurity( ProcessHandle, LABEL_SECURITY_INFORMATION, currentSecurityDescriptor ); break; } } CleanupExit: PhFree(currentSecurityDescriptor); return status; } /** * Retrieves the quota limits for a specified process. * * \param ProcessHandle Handle to the process whose quota limits are to be queried. * \param QuotaLimits Pointer to a QUOTA_LIMITS structure that receives the quota limits. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessQuotaLimits( _In_ HANDLE ProcessHandle, _Out_ PQUOTA_LIMITS QuotaLimits ) { NTSTATUS status; status = NtQueryInformationProcess( ProcessHandle, ProcessQuotaLimits, QuotaLimits, sizeof(QUOTA_LIMITS), NULL ); // Not implemented (dmex) //if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) //{ // status = KphQueryInformationProcess( // ProcessHandle, // KphProcessQuotaLimits, // QuotaLimits, // sizeof(QUOTA_LIMITS), // NULL // ); //} return status; } /** * Sets the quota limits for a specified process. * * \param ProcessHandle A handle to the process whose quota limits are to be set. * \param QuotaLimits The quota limits to apply to the process. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessQuotaLimits( _In_ HANDLE ProcessHandle, _In_ QUOTA_LIMITS QuotaLimits ) { NTSTATUS status; status = NtSetInformationProcess( ProcessHandle, ProcessQuotaLimits, &QuotaLimits, sizeof(QUOTA_LIMITS) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessQuotaLimits, &QuotaLimits, sizeof(QUOTA_LIMITS) ); } return status; } /** * Attempts to empty the working set of the specified process. * * \param ProcessHandle A handle to the process whose working set should be emptied. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessEmptyWorkingSet( _In_ HANDLE ProcessHandle ) { NTSTATUS status; QUOTA_LIMITS_EX quotaLimits; memset("aLimits, 0, sizeof(QUOTA_LIMITS_EX)); quotaLimits.MinimumWorkingSetSize = SIZE_MAX; quotaLimits.MaximumWorkingSetSize = SIZE_MAX; status = NtSetInformationProcess( ProcessHandle, ProcessQuotaLimits, "aLimits, sizeof(QUOTA_LIMITS_EX) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessEmptyWorkingSet, "aLimits, sizeof(QUOTA_LIMITS_EX) ); } return status; } /** * Empties the working set of the specified process. * * \param ProcessHandle A handle to the process whose working set should be emptied. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessWorkingSetEmpty( _In_ HANDLE ProcessHandle ) { NTSTATUS status; PROCESS_WORKING_SET_CONTROL controlInfo; memset(&controlInfo, 0, sizeof(PROCESS_WORKING_SET_CONTROL)); controlInfo.Version = PROCESS_WORKING_SET_CONTROL_VERSION; controlInfo.Operation = ProcessWorkingSetEmpty; controlInfo.Flags = PROCESS_WORKING_SET_FLAG_EMPTY_PAGES; status = NtSetInformationProcess( ProcessHandle, ProcessWorkingSetControl, &controlInfo, sizeof(PROCESS_WORKING_SET_CONTROL) ); return status; } /** * Sets the specified region of a process's working set to empty pages. * * \param ProcessHandle Handle to the target process. * \param BaseAddress Pointer to the base address of the region to modify. * \param Size Size, in bytes, of the region to modify. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessEmptyPageWorkingSet( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T Size ) { NTSTATUS status; PVOID baseAddress; SIZE_T regionSize; baseAddress = BaseAddress; regionSize = Size; // Calling VirtualUnlock on a range of memory that is not locked // releases the pages from the process's working set. (MSDN) status = NtUnlockVirtualMemory( ProcessHandle, &baseAddress, ®ionSize, MAP_PROCESS ); // Note: STATUS_SUCCESS is a bad status in this case. (dmex) assert(status == STATUS_NOT_LOCKED); if (status == STATUS_NOT_LOCKED) status = STATUS_SUCCESS; return status; } /** * Retrieves the priority class of a specified process. * * \param ProcessHandle Handle to the process whose priority class is to be retrieved. * \param PriorityClass Pointer to a variable that receives the priority class value. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessPriorityClass( _In_ HANDLE ProcessHandle, _Out_ PUCHAR PriorityClass ) { NTSTATUS status; PROCESS_PRIORITY_CLASS processPriorityClass; memset(&processPriorityClass, 0, sizeof(PROCESS_PRIORITY_CLASS)); status = NtQueryInformationProcess( ProcessHandle, ProcessPriorityClass, &processPriorityClass, sizeof(PROCESS_PRIORITY_CLASS), NULL ); if (NT_SUCCESS(status)) { *PriorityClass = processPriorityClass.PriorityClass; } return status; } /** * Sets the priority class of a process. * * \param ProcessHandle A handle to the process whose priority class is to be set. * \param PriorityClass The priority class value to assign to the process. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessPriorityClass( _In_ HANDLE ProcessHandle, _In_ UCHAR PriorityClass ) { NTSTATUS status; if (WindowsVersion >= WINDOWS_11_22H2) { PROCESS_PRIORITY_CLASS_EX processPriorityClassEx; memset(&processPriorityClassEx, 0, sizeof(PROCESS_PRIORITY_CLASS_EX)); processPriorityClassEx.PriorityClassValid = TRUE; processPriorityClassEx.PriorityClass = PriorityClass; status = NtSetInformationProcess( ProcessHandle, ProcessPriorityClassEx, &processPriorityClassEx, sizeof(PROCESS_PRIORITY_CLASS_EX) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessPriorityClassEx, &processPriorityClassEx, sizeof(PROCESS_PRIORITY_CLASS_EX) ); } } else { PROCESS_PRIORITY_CLASS processPriorityClass; memset(&processPriorityClass, 0, sizeof(PROCESS_PRIORITY_CLASS)); processPriorityClass.Foreground = FALSE; processPriorityClass.PriorityClass = PriorityClass; status = NtSetInformationProcess( ProcessHandle, ProcessPriorityClass, &processPriorityClass, sizeof(PROCESS_PRIORITY_CLASS) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessPriorityClass, &processPriorityClass, sizeof(PROCESS_PRIORITY_CLASS) ); } } return status; } /** * Sets a process' I/O priority. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_SET_INFORMATION access. * \param IoPriority The new I/O priority. */ NTSTATUS PhSetProcessIoPriority( _In_ HANDLE ProcessHandle, _In_ IO_PRIORITY_HINT IoPriority ) { NTSTATUS status; status = NtSetInformationProcess( ProcessHandle, ProcessIoPriority, &IoPriority, sizeof(IO_PRIORITY_HINT) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessIoPriority, &IoPriority, sizeof(IO_PRIORITY_HINT) ); } return status; } /** * Sets the page priority for the specified process. * * \param ProcessHandle Handle to the process whose page priority is to be set. * \param PagePriority The desired page priority value. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessPagePriority( _In_ HANDLE ProcessHandle, _In_ ULONG PagePriority ) { // See also PhSetVirtualMemoryPagePriority (dmex) NTSTATUS status; PAGE_PRIORITY_INFORMATION pagePriorityInfo; pagePriorityInfo.PagePriority = PagePriority; status = NtSetInformationProcess( ProcessHandle, ProcessPagePriority, &pagePriorityInfo, sizeof(PAGE_PRIORITY_INFORMATION) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessPagePriority, &pagePriorityInfo, sizeof(PAGE_PRIORITY_INFORMATION) ); } return status; } /** * Sets the priority boost for a specified process. * * \param ProcessHandle Handle to the process whose priority boost setting is to be changed. * \param DisablePriorityBoost If TRUE, disables priority boost for the process; if FALSE, enables it. * \return NTSTATUS code indicating success or failure of the operation. */ NTSTATUS PhSetProcessPriorityBoost( _In_ HANDLE ProcessHandle, _In_ BOOLEAN DisablePriorityBoost ) { NTSTATUS status; ULONG priorityBoost; priorityBoost = DisablePriorityBoost ? 1 : 0; status = NtSetInformationProcess( ProcessHandle, ProcessPriorityBoost, &priorityBoost, sizeof(ULONG) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessPriorityBoost, &priorityBoost, sizeof(ULONG) ); } return status; } /** * Retrieves the activity moderation state for a process based on the specified moderation identifier. * * \param processId The identifier of the process to query. * \param moderationId The moderation identifier to check. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessActivityModerationState( _In_ PCPH_STRINGREF ModerationIdentifier, _Out_ PSYSTEM_ACTIVITY_MODERATION_APP_SETTINGS ModerationSettings ) { NTSTATUS status; SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS activityModeration; PKEY_VALUE_PARTIAL_INFORMATION keyValueInfo = NULL; RtlZeroMemory(&activityModeration, sizeof(SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS)); status = NtQuerySystemInformation( SystemActivityModerationUserSettings, &activityModeration, sizeof(SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS), NULL ); if (!NT_SUCCESS(status)) return status; status = PhQueryValueKey( activityModeration.UserKeyHandle, ModerationIdentifier, KeyValuePartialInformation, &keyValueInfo ); if (!NT_SUCCESS(status)) goto CleanupExit; if ( keyValueInfo->Type != REG_BINARY || keyValueInfo->DataLength != sizeof(SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS) ) { status = STATUS_INVALID_KERNEL_INFO_VERSION; } if (!NT_SUCCESS(status)) goto CleanupExit; RtlCopyMemory( ModerationSettings, keyValueInfo->Data, sizeof(SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS) ); CleanupExit: if (activityModeration.UserKeyHandle) { NtClose(activityModeration.UserKeyHandle); } if (keyValueInfo) { PhFree(keyValueInfo); } return status; } /** * Sets the activity moderation state for a process. * * \param ModerationIdentifier A pointer to a PH_STRINGREF structure that identifies the moderation context. * \param ModerationType The type of activity moderation to apply (SYSTEM_ACTIVITY_MODERATION_APP_TYPE). * \param ModerationState The desired moderation state (SYSTEM_ACTIVITY_MODERATION_STATE). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessActivityModerationState( _In_ PCPH_STRINGREF ModerationIdentifier, _In_ SYSTEM_ACTIVITY_MODERATION_APP_TYPE ModerationType, _In_ SYSTEM_ACTIVITY_MODERATION_STATE ModerationState ) { NTSTATUS status; SYSTEM_ACTIVITY_MODERATION_INFO moderationInfo; RtlZeroMemory(&moderationInfo, sizeof(SYSTEM_ACTIVITY_MODERATION_INFO)); moderationInfo.AppType = ModerationType; moderationInfo.ModerationState = ModerationState; if (!PhStringRefToUnicodeString(ModerationIdentifier, &moderationInfo.Identifier)) return STATUS_NAME_TOO_LONG; status = NtSetSystemInformation( SystemActivityModerationExeState, &moderationInfo, sizeof(SYSTEM_ACTIVITY_MODERATION_INFO) ); if (NT_SUCCESS(status)) { SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS activityModeration; RtlZeroMemory(&activityModeration, sizeof(SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS)); status = NtQuerySystemInformation( SystemActivityModerationUserSettings, &activityModeration, sizeof(SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS), NULL ); if (NT_SUCCESS(status)) { SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS moderationSettings; RtlZeroMemory(&moderationSettings, sizeof(SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS)); PhQuerySystemTime(&moderationSettings.LastUpdatedTime); moderationSettings.AppType = ModerationType; moderationSettings.ModerationState = ModerationState; status = PhSetValueKey( activityModeration.UserKeyHandle, ModerationIdentifier, REG_BINARY, &moderationSettings, sizeof(SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS) ); NtClose(activityModeration.UserKeyHandle); } } return status; } /** * Sets a process' affinity mask. * * \param ProcessHandle A handle to a process. The handle must have PROCESS_SET_INFORMATION access. * \param AffinityMask The new affinity mask. */ NTSTATUS PhSetProcessAffinityMask( _In_ HANDLE ProcessHandle, _In_ KAFFINITY AffinityMask ) { NTSTATUS status; status = NtSetInformationProcess( ProcessHandle, ProcessAffinityMask, &AffinityMask, sizeof(KAFFINITY) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessAffinityMask, &AffinityMask, sizeof(KAFFINITY) ); } return status; } /** * Sets the processor group affinity for a specified process. * * \param ProcessHandle Handle to the process whose group affinity is to be set. * \param GroupAffinity The GROUP_AFFINITY structure specifying the desired processor group and affinity mask. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessGroupAffinity( _In_ HANDLE ProcessHandle, _In_ GROUP_AFFINITY GroupAffinity ) { NTSTATUS status; status = NtSetInformationProcess( ProcessHandle, ProcessAffinityMask, &GroupAffinity, sizeof(GROUP_AFFINITY) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessAffinityMask, &GroupAffinity, sizeof(GROUP_AFFINITY) ); } return status; } /** * Query the power throttling state for a specified process. * * \param ProcessHandle The handle to the target process. * \param PowerThrottlingState The control and state masks indicating the current power throttling of the process. * \return The NTSTATUS code indicating the success or failure of the operation. */ NTSTATUS PhGetProcessPowerThrottlingState( _In_ HANDLE ProcessHandle, _Out_ PPOWER_THROTTLING_PROCESS_STATE PowerThrottlingState ) { NTSTATUS status; memset(PowerThrottlingState, 0, sizeof(POWER_THROTTLING_PROCESS_STATE)); PowerThrottlingState->Version = POWER_THROTTLING_PROCESS_CURRENT_VERSION; status = NtQueryInformationProcess( ProcessHandle, ProcessPowerThrottlingState, PowerThrottlingState, sizeof(POWER_THROTTLING_PROCESS_STATE), NULL ); return status; } /** * Sets the power throttling state for a specified process. * * \param ProcessHandle The handle to the target process. * \param ControlMask The control mask specifying the power throttling control actions to perform. * \param StateMask The state mask specifying the power throttling states to set. * \return The NTSTATUS code indicating the success or failure of the operation. */ NTSTATUS PhSetProcessPowerThrottlingState( _In_ HANDLE ProcessHandle, _In_ ULONG ControlMask, _In_ ULONG StateMask ) { NTSTATUS status; POWER_THROTTLING_PROCESS_STATE powerThrottlingState; memset(&powerThrottlingState, 0, sizeof(POWER_THROTTLING_PROCESS_STATE)); powerThrottlingState.Version = POWER_THROTTLING_PROCESS_CURRENT_VERSION; powerThrottlingState.ControlMask = ControlMask; powerThrottlingState.StateMask = StateMask; status = NtSetInformationProcess( ProcessHandle, ProcessPowerThrottlingState, &powerThrottlingState, sizeof(POWER_THROTTLING_PROCESS_STATE) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationProcess( ProcessHandle, KphProcessPowerThrottlingState, &powerThrottlingState, sizeof(POWER_THROTTLING_PROCESS_STATE) ); } return status; } // rev from KernelBase!QueryProcessMachine (jxy-s) /** * Retrieves the architecture of the specified process. * * \param ProcessHandle A handle to the process whose architecture is to be determined. * \param ProcessArchitecture A pointer to a variable that receives the process architecture. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessArchitecture( _In_ HANDLE ProcessHandle, _Out_ PUSHORT ProcessArchitecture ) { NTSTATUS status; HANDLE input[1] = { ProcessHandle }; SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION output[6]; ULONG returnLength; status = NtQuerySystemInformationEx( SystemSupportedProcessorArchitectures2, input, sizeof(input), output, sizeof(output), &returnLength ); if (NT_SUCCESS(status)) { for (ULONG i = 0; i < returnLength / sizeof(SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION); i++) { if (output[i].Process) { *ProcessArchitecture = (USHORT)output[i].Machine; return STATUS_SUCCESS; } } status = STATUS_NOT_FOUND; } return status; } /** * Retrieves the base address of the image for a specified process. * * \param ProcessHandle A handle to the process whose image base address is to be retrieved. * \param ImageBaseAddress A pointer that receives the image base address of the process. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessImageBaseAddress( _In_ HANDLE ProcessHandle, _Out_ PVOID* ImageBaseAddress ) { NTSTATUS status; PVOID pebAddress; PVOID baseAddress; #ifdef _WIN64 BOOLEAN isWow64; PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { ULONG imageBaseAddress32; status = PhGetProcessPeb32(ProcessHandle, &pebAddress); if (!NT_SUCCESS(status)) return status; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebAddress, UFIELD_OFFSET(PEB32, ImageBaseAddress)), &imageBaseAddress32, sizeof(ULONG), NULL ); if (!NT_SUCCESS(status)) return status; baseAddress = UlongToPtr(imageBaseAddress32); } else #endif { PVOID imageBaseAddress; status = PhGetProcessPeb(ProcessHandle, &pebAddress); if (!NT_SUCCESS(status)) return status; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebAddress, UFIELD_OFFSET(PEB, ImageBaseAddress)), &imageBaseAddress, sizeof(PVOID), NULL ); if (!NT_SUCCESS(status)) return status; baseAddress = imageBaseAddress; } if (NT_SUCCESS(status)) { *ImageBaseAddress = baseAddress; } return status; } /** * Retrieves the security domain identifier for a specified process. * * \param ProcessHandle A handle to the process whose security domain is to be retrieved. * \param SecurityDomain A pointer to a variable that receives the security domain identifier. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessSecurityDomain( _In_ HANDLE ProcessHandle, _Out_ PULONGLONG SecurityDomain ) { NTSTATUS status; PROCESS_SECURITY_DOMAIN_INFORMATION processSecurityDomainInfo; memset(&processSecurityDomainInfo, 0, sizeof(PROCESS_SECURITY_DOMAIN_INFORMATION)); status = NtQueryInformationProcess( ProcessHandle, ProcessSecurityDomainInformation, &processSecurityDomainInfo, sizeof(PROCESS_SECURITY_DOMAIN_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *SecurityDomain = processSecurityDomainInfo.SecurityDomain; } return status; } /** * Retrieves the Server Silo identifier for a specified process. * * \param ProcessHandle A handle to the process for which the Server Silo information is to be retrieved. * \param ServerSilo A pointer to a variable that receives the Server Silo identifier. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessServerSilo( _In_ HANDLE ProcessHandle, _Out_ PULONG ServerSilo ) { NTSTATUS status; PROCESS_MEMBERSHIP_INFORMATION processMembershipInfo; memset(&processMembershipInfo, 0, sizeof(PROCESS_MEMBERSHIP_INFORMATION)); status = NtQueryInformationProcess( ProcessHandle, ProcessMembershipInformation, &processMembershipInfo, sizeof(PROCESS_MEMBERSHIP_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *ServerSilo = processMembershipInfo.ServerSiloId; } return status; } /** * Retrieves the sequence number of a process. * * \param ProcessHandle A handle to the process whose sequence number is to be retrieved. * \param SequenceNumber A pointer to a variable that receives the process sequence number. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessSequenceNumber( _In_ HANDLE ProcessHandle, _Out_ PULONGLONG SequenceNumber ) { NTSTATUS status; if (KsiLevel() >= KphLevelLow) { // The driver exposes this information earlier than ProcessSequenceNumber was introduced. // Where not available it synthesizes it for informer messages, for consistency use it if // it's enabled. status = KphQueryInformationProcess( ProcessHandle, KphProcessSequenceNumber, SequenceNumber, sizeof(ULONGLONG), NULL ); } else { ULONGLONG sequenceNumber = 0; status = NtQueryInformationProcess( ProcessHandle, ProcessSequenceNumber, &sequenceNumber, sizeof(ULONGLONG), NULL ); if (NT_SUCCESS(status)) { *SequenceNumber = sequenceNumber; } else if (status == STATUS_INVALID_INFO_CLASS && WindowsVersion >= WINDOWS_10) { PROCESS_TELEMETRY_ID_INFORMATION telemetryInfo; memset(&telemetryInfo, 0, sizeof(PROCESS_TELEMETRY_ID_INFORMATION)); // ProcessTelemetryIdInformation exposes the process sequence number (and process start // key) earlier than ProcessSequenceNumber was introduced. status = NtQueryInformationProcess( ProcessHandle, ProcessTelemetryIdInformation, &telemetryInfo, sizeof(PROCESS_TELEMETRY_ID_INFORMATION), NULL ); if ( status == STATUS_BUFFER_OVERFLOW && RTL_CONTAINS_FIELD(&telemetryInfo, telemetryInfo.HeaderSize, ProcessSequenceNumber) ) { status = STATUS_SUCCESS; } if (NT_SUCCESS(status)) { *SequenceNumber = telemetryInfo.ProcessSequenceNumber; } } } return status; } /** * Retrieves the unique start key for a specified process. * * \param ProcessHandle Handle to the process whose start key is to be retrieved. * \param ProcessStartKey Pointer to a variable that receives the process start key. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessStartKey( _In_ HANDLE ProcessHandle, _Out_ PULONGLONG ProcessStartKey ) { NTSTATUS status; if (KsiLevel() >= KphLevelLow) { // The driver exposes this information earlier than ProcessSequenceNumber was introduced. // Where not available it synthesizes it for informer messages, for consistency use it if // it's enabled. status = KphQueryInformationProcess( ProcessHandle, KphProcessStartKey, ProcessStartKey, sizeof(ULONGLONG), NULL ); } else { ULONGLONG processSequenceNumber; status = PhGetProcessSequenceNumber( ProcessHandle, &processSequenceNumber ); if (NT_SUCCESS(status)) { *ProcessStartKey = PH_PROCESS_EXTENSION_STARTKEY(processSequenceNumber); } } return status; } /** * Retrieves the telemetry application session GUID for a specified process. * * \param ProcessHandle Handle to the process whose telemetry session GUID is to be retrieved. * \param TelemetrySessionGuid Pointer to a GUID structure that receives the telemetry session GUID. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessTelemetryAppSessionGuid( _In_ HANDLE ProcessHandle, _Out_ PGUID TelemetrySessionGuid ) { NTSTATUS status; PROCESS_TELEMETRY_ID_INFORMATION telemetryInfo; ULONG returnLength; memset(&telemetryInfo, 0, sizeof(PROCESS_TELEMETRY_ID_INFORMATION)); status = NtQueryInformationProcess( ProcessHandle, ProcessTelemetryIdInformation, &telemetryInfo, sizeof(PROCESS_TELEMETRY_ID_INFORMATION), &returnLength ); if (NT_SUCCESS(status) || (status == STATUS_BUFFER_OVERFLOW && RTL_CONTAINS_FIELD(&telemetryInfo, returnLength, BootId) && RTL_CONTAINS_FIELD(&telemetryInfo, telemetryInfo.HeaderSize, BootId))) { GUID telemetryAppGuid; memset(&telemetryAppGuid, 0, sizeof(GUID)); telemetryAppGuid.Data1 = telemetryInfo.ProcessId; telemetryAppGuid.Data2 = (USHORT)telemetryInfo.SessionId; telemetryAppGuid.Data3 = (USHORT)telemetryInfo.BootId; if (memcpy_s(telemetryAppGuid.Data4, sizeof(telemetryAppGuid.Data4), &telemetryInfo.CreateTime, sizeof(telemetryInfo.CreateTime))) return STATUS_FAIL_CHECK; if (memcpy_s(TelemetrySessionGuid, sizeof(*TelemetrySessionGuid), &telemetryAppGuid, sizeof(telemetryAppGuid))) return STATUS_FAIL_CHECK; } return status; } /** * Retrieves telemetry ID information for a specified process. * * \param ProcessHandle Handle to the process for which telemetry information is to be retrieved. * \param TelemetryInformation Pointer to a variable that receives a pointer to the telemetry ID information structure. * \param TelemetryInformationLength Optional pointer to a variable that receives the length, in bytes, of the telemetry information structure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessTelemetryIdInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_TELEMETRY_ID_INFORMATION* TelemetryInformation, _Out_opt_ PULONG TelemetryInformationLength ) { NTSTATUS status; PPROCESS_TELEMETRY_ID_INFORMATION telemetryBuffer; ULONG telemetryLength; ULONG returnLength; ULONG attempts; telemetryLength = sizeof(PROCESS_TELEMETRY_ID_INFORMATION) + SECURITY_MAX_SID_SIZE + (DOS_MAX_PATH_LENGTH * sizeof(WCHAR)) + (DOS_MAX_PATH_LENGTH * sizeof(WCHAR)); telemetryBuffer = PhAllocateZero(telemetryLength); status = NtQueryInformationProcess( ProcessHandle, ProcessTelemetryIdInformation, telemetryBuffer, telemetryLength, &returnLength ); attempts = 0; while (status == STATUS_INFO_LENGTH_MISMATCH && attempts < 8) { telemetryLength = returnLength; telemetryBuffer = PhReAllocate(telemetryBuffer, telemetryLength); status = NtQueryInformationProcess( ProcessHandle, ProcessTelemetryIdInformation, telemetryBuffer, telemetryLength, &returnLength ); attempts++; } if (NT_SUCCESS(status)) { *TelemetryInformation = telemetryBuffer; if (TelemetryInformationLength) { *TelemetryInformationLength = telemetryLength; } } return status; } /** * Retrieves the count of TLS (Thread Local Storage) bitmap entries and TLS expansion bitmap entries for a specified process. * * \param ProcessHandle A handle to the process whose TLS bitmap counters are to be retrieved. * \param TlsBitMapCount Pointer to a variable that receives the count of TLS bitmap entries. * \param TlsExpansionBitMapCount Pointer to a variable that receives the count of TLS expansion bitmap entries. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessTlsBitMapCounters( _In_ HANDLE ProcessHandle, _Out_ PULONG TlsBitMapCount, _Out_ PULONG TlsExpansionBitMapCount ) { NTSTATUS status; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif PVOID pebBaseAddress; RTL_BITMAP tlsBitMap; RTL_BITMAP tlsExpansionBitMap; ULONG bitmapBits[2] = { 0 }; ULONG bitmapExpansionBits[32] = { 0 }; static_assert(sizeof(bitmapBits) == RTL_FIELD_SIZE(PEB, TlsBitmapBits), "Buffer must equal TlsBitmapBits"); static_assert(sizeof(bitmapExpansionBits) == RTL_FIELD_SIZE(PEB, TlsExpansionBitmapBits), "Buffer must equal TlsExpansionBitmapBits"); #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { status = PhGetProcessPeb32(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB32, TlsBitmapBits)), bitmapBits, sizeof(bitmapBits), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB32, TlsExpansionBitmapBits)), bitmapExpansionBits, sizeof(bitmapExpansionBits), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; } else #endif { status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB, TlsBitmapBits)), bitmapBits, sizeof(bitmapBits), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB, TlsExpansionBitmapBits)), bitmapExpansionBits, sizeof(bitmapExpansionBits), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; } RtlInitializeBitMap(&tlsBitMap, bitmapBits, TLS_MINIMUM_AVAILABLE); RtlInitializeBitMap(&tlsExpansionBitMap, bitmapExpansionBits, TLS_EXPANSION_SLOTS); *TlsBitMapCount = RtlNumberOfSetBits(&tlsBitMap); *TlsExpansionBitMapCount = RtlNumberOfSetBits(&tlsExpansionBitMap); CleanupExit: return status; } /** * Gets whether the process is running under the POSIX subsystem. * * \param ProcessHandle A handle to a process. * \param IsPosix A variable which receives a boolean * indicating whether the process is running under the POSIX subsystem. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessIsPosix( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsPosix ) { NTSTATUS status; PVOID pebBaseAddress; ULONG imageSubsystem; #ifdef _WIN64 BOOLEAN isWow64; #endif if (WindowsVersion >= WINDOWS_10) { *IsPosix = FALSE; // Not supported (dmex) return STATUS_SUCCESS; } #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { status = PhGetProcessPeb32(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) return status; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB32, ImageSubsystem)), &imageSubsystem, sizeof(ULONG), NULL ); } else #endif { status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) return status; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB, ImageSubsystem)), &imageSubsystem, sizeof(ULONG), NULL ); } if (NT_SUCCESS(status)) { *IsPosix = imageSubsystem == IMAGE_SUBSYSTEM_POSIX_CUI; } return status; } ================================================ FILE: phlib/nativesocket.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * diversenok 2025 * */ #include #include #include #include #include #include #include #include #include #include /** * Determines if an object name represents an AFD socket handle. * * \param[in] ObjectName A native object name. * \return Whether the name matches an AFD socket name format. */ BOOLEAN PhAfdIsSocketObjectName( _In_opt_ PPH_STRING ObjectName ) { static CONST PH_STRINGREF deviceName = PH_STRINGREF_INIT(AFD_DEVICE_NAME); if (ObjectName && PhStartsWithStringRef(&ObjectName->sr, &deviceName, TRUE)) { // N.B. Check explicitly for "\\Device\\Afd" or "\\Device\\Afd\\" to avoid "\\Device\\AfdABC" if (ObjectName->Length == deviceName.Length) return TRUE; assert(ObjectName->Length > deviceName.Length); if (ObjectName->Buffer[deviceName.Length / sizeof(WCHAR)] == OBJ_NAME_PATH_SEPARATOR) return TRUE; } return FALSE; } /** * Determines if a file handle is an AFD socket handle. * * \param[in] Handle A file handle. * \return A successful status if the handle is an AFD socket or an errant status otherwise. */ NTSTATUS PhAfdIsSocketHandle( _In_ HANDLE Handle ) { static CONST PH_STRINGREF deviceName = PH_STRINGREF_INIT(AFD_DEVICE_NAME); NTSTATUS status; PH_STRINGREF volumeName; IO_STATUS_BLOCK ioStatusBlock; union { FILE_VOLUME_NAME_INFORMATION VolumeName; UCHAR Raw[sizeof(FILE_VOLUME_NAME_INFORMATION) + sizeof(AFD_DEVICE_NAME) - sizeof(UNICODE_NULL)]; } Buffer; // Query the backing device name status = NtQueryInformationFile( Handle, &ioStatusBlock, &Buffer, sizeof(Buffer), FileVolumeNameInformation ); // If the name does not fit into the buffer, it's not AFD if (status == STATUS_BUFFER_OVERFLOW) return STATUS_NOT_SAME_DEVICE; if (!NT_SUCCESS(status)) return status; volumeName.Buffer = Buffer.VolumeName.DeviceName; volumeName.Length = Buffer.VolumeName.DeviceNameLength; // Compare the file's device name to AFD return PhEqualStringRef(&volumeName, &deviceName, TRUE) ? STATUS_SUCCESS : STATUS_NOT_SAME_DEVICE; } /** * Issues an IOCTL on an AFD handle and waits for its completion. * * \param[in] SocketHandle An AFD socket handle. * \param[in] IoControlCode I/O control code * \param[in] InBuffer Input buffer. * \param[in] InBufferSize Input buffer size. * \param[out] OutputBuffer Output Buffer. * \param[in] OutputBufferSize Output buffer size. * \param[out] BytesReturned Optionally set to the number of bytes returned. * \param[in,out] Overlapped Optional overlapped structure. * \return Successful or errant status. */ NTSTATUS PhAfdDeviceIoControl( _In_ HANDLE SocketHandle, _In_ ULONG IoControlCode, _In_reads_bytes_(InBufferSize) PVOID InBuffer, _In_ ULONG InBufferSize, _Out_writes_bytes_to_opt_(OutputBufferSize, *BytesReturned) PVOID OutputBuffer, _In_ ULONG OutputBufferSize, _Out_opt_ PULONG BytesReturned, _Inout_opt_ LPOVERLAPPED Overlapped ) { NTSTATUS status; HANDLE eventHandle; IO_STATUS_BLOCK ioStatusBlock; if (BytesReturned) { *BytesReturned = 0; } if (Overlapped) { eventHandle = Overlapped->hEvent; Overlapped->Internal = STATUS_PENDING; } else { // We cannot wait on the file handle because it might not grant SYNCHRONIZE access. // Always use an event instead. status = PhCreateEvent( &eventHandle, EVENT_ALL_ACCESS, SynchronizationEvent, FALSE ); if (!NT_SUCCESS(status)) return status; } status = NtDeviceIoControlFile( SocketHandle, eventHandle, NULL, Overlapped, Overlapped ? (PIO_STATUS_BLOCK)Overlapped : &ioStatusBlock, IoControlCode, InBuffer, InBufferSize, OutputBuffer, OutputBufferSize ); if (Overlapped) { if (NT_INFORMATION(status) && BytesReturned) { *BytesReturned = (ULONG)Overlapped->InternalHigh; } } else { if (status == STATUS_PENDING) { NtWaitForSingleObject(eventHandle, FALSE, NULL); status = ioStatusBlock.Status; } NtClose(eventHandle); if (BytesReturned) { *BytesReturned = (ULONG)ioStatusBlock.Information; } } return status; } /** * Retrieves shared information for an AFD socket. * * \param[in] SocketHandle An AFD socket handle. * \param[out] SharedInfo A buffer with the shared socket information. * * \return Successful or errant status. */ NTSTATUS PhAfdQuerySharedInfo( _In_ HANDLE SocketHandle, _Out_ PSOCK_SHARED_INFO SharedInfo ) { NTSTATUS status; ULONG returnLength; status = PhAfdDeviceIoControl( SocketHandle, IOCTL_AFD_GET_CONTEXT, NULL, 0, SharedInfo, sizeof(SOCK_SHARED_INFO), &returnLength, NULL ); if (status == STATUS_BUFFER_OVERFLOW) return STATUS_SUCCESS; if (!NT_SUCCESS(status)) return status; // Shared information is provided by the Win32 level; do a sanity check on the returned size return returnLength < sizeof(SOCK_SHARED_INFO) ? STATUS_NOT_FOUND : status; } /** * Retrieves simple information for an AFD socket. * * \param[in] SocketHandle An AFD socket handle. * \param[in] InformationType The type of information to query, such as AFD_CONNECT_TIME or AFD_GROUP_ID_AND_TYPE. * \param[out] Information Output buffer. * \return Successful or errant status. */ NTSTATUS PhAfdQuerySimpleInfo( _In_ HANDLE SocketHandle, _In_ ULONG InformationType, _Out_ PAFD_INFORMATION Information ) { Information->InformationType = InformationType; return PhAfdDeviceIoControl( SocketHandle, IOCTL_AFD_GET_INFORMATION, Information, sizeof(AFD_INFORMATION), Information, sizeof(AFD_INFORMATION), NULL, NULL ); } /** * Retrieves socket option for an AFD socket. * * \param[in] SocketHandle An AFD socket handle. * \param[in] Level A level for the option, such as SOL_SOCKET or IPPROTO_IP. * \param[in] OptionName An option identifier within the level, such as SO_REUSEADDR or IP_TTL. * \param[out] OptionValue A buffer that receives the option value. * \param[in] OptionLength The size of the OptionValue buffer. * \param[in] ReturnLength The size of the returned option value, if available. * \return Successful or errant status. */ NTSTATUS PhAfdQuerySocketOption( _In_ HANDLE SocketHandle, _In_ ULONG Level, _In_ ULONG OptionName, _Out_ PVOID OptionValue, _In_ ULONG OptionLength, _Out_opt_ PULONG ReturnLength ) { AFD_TL_IO_CONTROL_INFO controlInfo; memset(&controlInfo, 0, sizeof(AFD_TL_IO_CONTROL_INFO)); controlInfo.Type = TlGetSockOptIoControlType; controlInfo.EndpointIoctl = TRUE; controlInfo.Level = Level; controlInfo.IoControlCode = OptionName; return PhAfdDeviceIoControl( SocketHandle, IOCTL_AFD_TRANSPORT_IOCTL, &controlInfo, sizeof(AFD_TL_IO_CONTROL_INFO), OptionValue, OptionLength, ReturnLength, NULL ); } /** * Retrieves socket option for an AFD socket. * * \param[in] SocketHandle An AFD socket handle. * \param[in] Level A level for the option, such as SOL_SOCKET or IPPROTO_IP. * \param[in] OptionName An option identifier within the level, such as SO_REUSEADDR or IP_TTL. * \param[out] OptionValue A buffer that receives the option value. * \return Successful or errant status. */ NTSTATUS PhAfdQueryOption( _In_ HANDLE SocketHandle, _In_ ULONG Level, _In_ ULONG OptionName, _Out_ PULONG OptionValue ) { AFD_TL_IO_CONTROL_INFO controlInfo = { 0 }; controlInfo.Type = TlGetSockOptIoControlType; controlInfo.EndpointIoctl = TRUE; controlInfo.Level = Level; controlInfo.IoControlCode = OptionName; *OptionValue = 0; return PhAfdDeviceIoControl( SocketHandle, IOCTL_AFD_TRANSPORT_IOCTL, &controlInfo, sizeof(AFD_TL_IO_CONTROL_INFO), OptionValue, sizeof(ULONG), NULL, NULL ); } /** * Retrieves the latest supported TCP_INFO for an AFD socket. * * \param[in] SocketHandle An AFD socket handle. * \param[out] TcpInfo A buffer that receives the TCP information. * \param[out] TcpInfoVersion The version of the returned structure. * \return Successful or errant status. */ NTSTATUS PhAfdQueryTcpInfo( _In_ HANDLE SocketHandle, _Out_ PTCP_INFO_v2 TcpInfo, _Out_ PULONG TcpInfoVersion ) { static CONST ULONG tcpInfoSize[] = { sizeof(TCP_INFO_v0), sizeof(TCP_INFO_v1), sizeof(TCP_INFO_v2) }; NTSTATUS status = STATUS_UNSUCCESSFUL; AFD_TL_IO_CONTROL_INFO controlInfo = { 0 }; LONG version; controlInfo.Type = TlSocketIoControlType; controlInfo.EndpointIoctl = TRUE; controlInfo.IoControlCode = SIO_TCP_INFO; controlInfo.InputBuffer = &version; controlInfo.InputBufferLength = sizeof(LONG); RtlZeroMemory(TcpInfo, sizeof(TCP_INFO_v2)); for (version = 2; version >= 0; version--) { status = PhAfdDeviceIoControl( SocketHandle, IOCTL_AFD_TRANSPORT_IOCTL, &controlInfo, sizeof(AFD_TL_IO_CONTROL_INFO), TcpInfo, tcpInfoSize[version], NULL, NULL ); if (NT_SUCCESS(status)) { *TcpInfoVersion = version; break; } } return status; } /** * Opens an address or a connection handle to the underlying device for a TDI socket. * * \param[in] SocketHandle An AFD socket handle. * \param[in] QueryMode A type of the query, either AFD_QUERY_ADDRESS_HANDLE or AFD_QUERY_CONNECTION_HANDLE. * \param[out] TdiHandle A pointer to a variable that receives a TDI device handle, NULL (when no handle is available), or INVALID_HANDLE_VALUE (for non-TDI sockets). * \return Successful or errant status. */ NTSTATUS PhAfdQueryTdiHandle( _In_ HANDLE SocketHandle, _In_ ULONG QueryMode, _Out_ PHANDLE TdiHandle ) { NTSTATUS status; AFD_HANDLE_INFO handles; if (QueryMode != AFD_QUERY_ADDRESS_HANDLE && QueryMode != AFD_QUERY_CONNECTION_HANDLE) return STATUS_INVALID_INFO_CLASS; status = PhAfdDeviceIoControl( SocketHandle, IOCTL_AFD_QUERY_HANDLES, &QueryMode, sizeof(QueryMode), &handles, sizeof(handles), NULL, NULL ); if (NT_SUCCESS(status)) { if (QueryMode == AFD_QUERY_ADDRESS_HANDLE) *TdiHandle = handles.TdiAddressHandle; else *TdiHandle = handles.TdiConnectionHandle; } return status; } /** * Formats a TDI device name for a socket. * * \param[in] SocketHandle An AFD socket handle. * \param[in] QueryMode A type of the query, either AFD_QUERY_ADDRESS_HANDLE or AFD_QUERY_CONNECTION_HANDLE. * \param[out] TdiDeviceName A pointer to a variable that receives a device name string. * \return Successful or errant status. */ NTSTATUS PhAfdQueryFormatTdiDeviceName( _In_ HANDLE SocketHandle, _In_ ULONG QueryMode, _Outptr_ PPH_STRING *TdiDeviceName ) { NTSTATUS status; HANDLE hTdiDevice; status = PhAfdQueryTdiHandle( SocketHandle, QueryMode, &hTdiDevice ); if (!NT_SUCCESS(status)) return status; if (hTdiDevice == INVALID_HANDLE_VALUE) { *TdiDeviceName = PhCreateString(L"N/A (transport is not TDI)"); } else if (hTdiDevice == NULL) { *TdiDeviceName = PhCreateString(L"None"); } else { status = PhGetObjectName(NtCurrentProcess(), hTdiDevice, TRUE, TdiDeviceName); NtClose(hTdiDevice); } return status; } /** * Determines if we know how to handle a specific address family. * * \param[in] AddressFamily A socket address family value. * \return Whether the address family is supported. */ BOOLEAN PhpAfdIsSupportedAddressFamily( _In_ LONG AddressFamily ) { switch (AddressFamily) { case AF_UNIX: case AF_INET: case AF_INET6: case AF_BTH: case AF_HYPERV: return TRUE; default: return FALSE; } } /** * Retrieves an address associated with an AFD socket. * * \param[in] SocketHandle An AFD socket handle. * \param[in] Remote Whether the function should return a remote or a local address. * \param[out] Address Output buffer. * \return Successful or errant status. */ NTSTATUS PhAfdQueryAddress( _In_ HANDLE SocketHandle, _In_ BOOLEAN Remote, _Out_ PSOCKADDR_STORAGE Address ) { NTSTATUS status; AFD_ADDRESS buffer = { 0 }; if (Remote) { // HACK: If the socket has a suitable state but no remote address, the IOCTL can succeed without // writing anything to the buffer, yet setting IO_STATUS_BLOCK's Information to a non-zero value. // We issue a zero-size query to recognize this scenario. (diversenok) if (NT_SUCCESS(PhAfdDeviceIoControl(SocketHandle, IOCTL_AFD_GET_REMOTE_ADDRESS, NULL, 0, NULL, 0, NULL, NULL))) return STATUS_NOT_FOUND; } // Retrieve the address status = PhAfdDeviceIoControl( SocketHandle, Remote ? IOCTL_AFD_GET_REMOTE_ADDRESS : IOCTL_AFD_GET_ADDRESS, NULL, 0, &buffer, sizeof(buffer), NULL, NULL ); if (!NT_SUCCESS(status)) return status; // Most sockets are TLI; their addresses don't need conversion. if (PhpAfdIsSupportedAddressFamily(buffer.TliAddress.ss_family)) { *Address = buffer.TliAddress; return status; } // Some sockets (like Bluetooth) use TDI. Verify the header and extarct the socket address. if (buffer.TdiAddress.ActivityCount > 0 && buffer.TdiAddress.Address.TAAddressCount >= 1 && buffer.TdiAddress.Address.Address[0].AddressLength <= sizeof(buffer) - RTL_SIZEOF_THROUGH_FIELD(TDI_ADDRESS_INFO, Address.Address[0].AddressType) && PhpAfdIsSupportedAddressFamily(buffer.TdiAddress.Address.Address[0].AddressType)) { RtlZeroMemory(Address, sizeof(SOCKADDR_STORAGE)); // AddressLength covers the length after the AddressType field, while the socket address starts at the AddressType field. // See comments in AFD_ADDRESS for details about the layout. RtlCopyMemory( Address, &buffer.TdiAddressUnpacked.EmbeddedAddress, buffer.TdiAddress.Address.Address[0].AddressLength + RTL_FIELD_SIZE(TDI_ADDRESS_INFO, Address.Address[0].AddressType) ); return status; } return STATUS_UNKNOWN_REVISION; } /** * Formats a socket address as a strings. * * \param[in] Address The address buffer. * \param[out] AddressString The string representation of the address. * \param[in] Flags A bit mask of PH_AFD_ADDRESS_* flags that control address formatting. * \return Successful or errant status. */ NTSTATUS PhAfdFormatAddress( _In_ PSOCKADDR_STORAGE Address, _Out_ PPH_STRING *AddressString, _In_ ULONG Flags ) { NTSTATUS status = STATUS_NOT_SUPPORTED; WCHAR buffer[70]; ULONG characters = RTL_NUMBER_OF(buffer); if (Address->ss_family == AF_UNIX) { PSOCKADDR_UN address = (PSOCKADDR_UN)Address; *AddressString = PhConvertUtf8ToUtf16Ex(address->sun_path, strnlen(address->sun_path, UNIX_PATH_MAX)); if (!(*AddressString)) return STATUS_SOME_NOT_MAPPED; status = STATUS_SUCCESS; } else if (Address->ss_family == AF_INET) { PSOCKADDR_IN address = (PSOCKADDR_IN)Address; // Format an IPv4 address status = RtlIpv4AddressToStringExW( &address->sin_addr, address->sin_port, buffer, &characters ); if (!NT_SUCCESS(status)) return status; *AddressString = PhCreateStringEx(buffer, characters * sizeof(WCHAR) - sizeof(UNICODE_NULL)); } else if (Address->ss_family == AF_INET6) { PSOCKADDR_IN6 address = (PSOCKADDR_IN6)Address; // Format an IPv6 address status = RtlIpv6AddressToStringExW( &address->sin6_addr, address->sin6_scope_id, address->sin6_port, buffer, &characters ); if (!NT_SUCCESS(status)) return status; *AddressString = PhCreateStringEx(buffer, characters * sizeof(WCHAR) - sizeof(UNICODE_NULL)); } else if (Address->ss_family == AF_BTH) { PSOCKADDR_BTH address = (PSOCKADDR_BTH)Address; // Format a Bluetooth address *AddressString = PhFormatString( L"(%02X:%02X:%02X:%02X:%02X:%02X):%d", (UCHAR)(address->btAddr >> 40), (UCHAR)(address->btAddr >> 32), (UCHAR)(address->btAddr >> 24), (UCHAR)(address->btAddr >> 16), (UCHAR)(address->btAddr >> 8), (UCHAR)(address->btAddr), address->port ); status = STATUS_SUCCESS; } else if (Address->ss_family == AF_HYPERV) { PSOCKADDR_HV address = (PSOCKADDR_HV)Address; if (Flags & PH_AFD_ADDRESS_SIMPLIFY) { PH_FORMAT format[5]; ULONG count = 0; PPH_STRING serviceString = NULL; PPH_STRING vmName = NULL; if (PhHvSocketIsVSockTemplate(&address->ServiceId)) { PhInitFormatS(&format[count++], L"VSOCK:"); PhInitFormatU(&format[count++], address->ServiceId.Data1); } else if (serviceString = PhHvSocketGetServiceName(&address->ServiceId)) { PhInitFormatSR(&format[count++], serviceString->sr); } else { serviceString = PhFormatGuid(&address->ServiceId); PhInitFormatSR(&format[count++], serviceString->sr); } if (!IsEqualGUID(&address->VmId, &HV_GUID_WILDCARD)) { PhInitFormatS(&format[count++], L" (VM: "); if (vmName = PhHvSocketGetVmName(&address->VmId)) { PhInitFormatSR(&format[count++], vmName->sr); } else { vmName = PhHvSocketAddressString(&address->VmId); PhInitFormatSR(&format[count++], vmName->sr); } PhInitFormatS(&format[count++], L")"); } *AddressString = PhFormat(format, count, 80); PhClearReference(&serviceString); PhClearReference(&vmName); } else { PPH_STRING vmIdPart; PPH_STRING serviceIdPart; PH_FORMAT format[3]; vmIdPart = PhFormatGuid(&address->VmId); serviceIdPart = PhFormatGuid(&address->ServiceId); PhInitFormatSR(&format[0], vmIdPart->sr); PhInitFormatC(&format[1], L':'); PhInitFormatSR(&format[2], serviceIdPart->sr); *AddressString = PhFormat(format, 3, 80); PhDereferenceObject(vmIdPart); PhDereferenceObject(serviceIdPart); } status = STATUS_SUCCESS; } return status; } /** * Queries an address associated with an AFD socket and prints it into a string. * * \param[in] SocketHandle An AFD socket handle. * \param[in] Remote Whether the function should return a remote or a local address. * \param[out] AddressString The string representation of the address. * \param[in] Flags A bit mask of PH_AFD_ADDRESS_* flags that control address formatting. * Successful or errant status. */ NTSTATUS PhAfdQueryFormatAddress( _In_ HANDLE SocketHandle, _In_ BOOLEAN Remote, _Out_ PPH_STRING *AddressString, _In_ ULONG Flags ) { NTSTATUS status; SOCKADDR_STORAGE address; status = PhAfdQueryAddress(SocketHandle, Remote, &address); if (!NT_SUCCESS(status)) return status; return PhAfdFormatAddress(&address, AddressString, Flags); } /** * Looks up a human-readable name of a known socket state. * * \param[in] SocketState The socket state value. * \return A string with the state name or NULL when the state value is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetSocketStateString( _In_ SOCKET_STATE SocketState ) { switch (SocketState) { case SocketStateInitializing: return L"Initializing"; case SocketStateOpen: return L"Open"; case SocketStateBound: return L"Bound"; case SocketStateBoundSpecific: return L"Bound (specific)"; case SocketStateConnected: return L"Connected"; case SocketStateClosing: return L"Closing"; default: return NULL; } } /** * Formats a socket state as a string. * * \param[in] SocketState The socket state value. * \return A human-readable name of the socket state. */ PPH_STRING PhAfdFormatSocketState( _In_ SOCKET_STATE SocketState ) { PCWSTR knownName = PhpAfdGetSocketStateString(SocketState); if (knownName) return PhCreateString(knownName); else return PhFormatString(L"Invalid state (%d)", SocketState); } /** * Looks up a human-readable name of a known socket type. * * \param[in] SocketType The socket type value. * \return A string with the socket type name or NULL when the value is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetSocketTypeString( _In_ LONG SocketType ) { switch (SocketType) { case SOCK_STREAM: return L"Stream"; case SOCK_DGRAM: return L"Datagram"; case SOCK_RAW: return L"Raw"; case SOCK_RDM: return L"Reliably-delivered message"; case SOCK_SEQPACKET: return L"Pseudo-stream"; default: return NULL; } } /** * Formats a socket type as a string. * * \param[in] SocketType The socket type value. * \return A human-readable name for the socket type. */ PPH_STRING PhAfdFormatSocketType( _In_ LONG SocketType ) { PCWSTR knownName = PhpAfdGetSocketTypeString(SocketType); if (knownName) return PhCreateString(knownName); else return PhFormatString(L"Unknown (%d)", SocketType); } /** * Formats a human-readable name for a set of protocol provider flags. * * \param[in] ProviderFlags The provider flags value. * \return A string with the flag names. */ PPH_STRING PhAfdFormatProviderFlags( _In_ ULONG ProviderFlags ) { #define PH_AFD_PROVIDER_FLAG(x, n) { TEXT(#x), x, FALSE, FALSE, n } static const PH_ACCESS_ENTRY providerFlags[] = { PH_AFD_PROVIDER_FLAG(PFL_MULTIPLE_PROTO_ENTRIES, L"Multiple entries"), PH_AFD_PROVIDER_FLAG(PFL_RECOMMENDED_PROTO_ENTRY, L"Recommended entry"), PH_AFD_PROVIDER_FLAG(PFL_HIDDEN, L"Hidden"), PH_AFD_PROVIDER_FLAG(PFL_MATCHES_PROTOCOL_ZERO, L"Matches protocol zero"), PH_AFD_PROVIDER_FLAG(PFL_NETWORKDIRECT_PROVIDER, L"Network direct"), }; PPH_STRING string; PH_FORMAT format[5]; if (ProviderFlags) { string = PhGetAccessString(ProviderFlags, (PPH_ACCESS_ENTRY)providerFlags, RTL_NUMBER_OF(providerFlags)); PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], ProviderFlags); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], string->sr); PhInitFormatC(&format[4], L')'); PhMoveReference(&string, PhFormat(format, 5, 10)); } else { string = PhCreateString(L"None"); } return string; } /** * Formats a human-readable name for a set of service flags. * * \param[in] ServiceFlags The service flags value. * \return A string with the flag names. */ PPH_STRING PhAfdFormatServiceFlags( _In_ ULONG ServiceFlags ) { #define PH_AFD_SERVICE_FLAG(x, n) { TEXT(#x), x, FALSE, FALSE, n } static const PH_ACCESS_ENTRY serviceFlags[] = { PH_AFD_SERVICE_FLAG(XP1_CONNECTIONLESS, L"Connectionless"), PH_AFD_SERVICE_FLAG(XP1_GUARANTEED_DELIVERY, L"Guaranteed delivery"), PH_AFD_SERVICE_FLAG(XP1_GUARANTEED_ORDER, L"Guaranteed order"), PH_AFD_SERVICE_FLAG(XP1_MESSAGE_ORIENTED, L"Message-oriented"), PH_AFD_SERVICE_FLAG(XP1_PSEUDO_STREAM, L"Pseudo-stream"), PH_AFD_SERVICE_FLAG(XP1_GRACEFUL_CLOSE, L"Graceful close"), PH_AFD_SERVICE_FLAG(XP1_EXPEDITED_DATA, L"Expedited data"), PH_AFD_SERVICE_FLAG(XP1_CONNECT_DATA, L"Connect data"), PH_AFD_SERVICE_FLAG(XP1_DISCONNECT_DATA, L"Disconnect data"), PH_AFD_SERVICE_FLAG(XP1_SUPPORT_BROADCAST, L"Broadcast"), PH_AFD_SERVICE_FLAG(XP1_SUPPORT_MULTIPOINT, L"Support multipoint"), PH_AFD_SERVICE_FLAG(XP1_MULTIPOINT_CONTROL_PLANE, L"Multipoint control plane"), PH_AFD_SERVICE_FLAG(XP1_MULTIPOINT_DATA_PLANE, L"Multipoint data plane"), PH_AFD_SERVICE_FLAG(XP1_QOS_SUPPORTED, L"QoS supported"), PH_AFD_SERVICE_FLAG(XP1_INTERRUPT, L"Interrupt"), PH_AFD_SERVICE_FLAG(XP1_UNI_SEND, L"Unidirectional send"), PH_AFD_SERVICE_FLAG(XP1_UNI_RECV, L"Unidirectional receive"), PH_AFD_SERVICE_FLAG(XP1_IFS_HANDLES, L"IFS handles"), PH_AFD_SERVICE_FLAG(XP1_PARTIAL_MESSAGE, L"Partial message"), PH_AFD_SERVICE_FLAG(XP1_SAN_SUPPORT_SDP, L"SAN"), }; PPH_STRING string; PH_FORMAT format[5]; if (ServiceFlags) { string = PhGetAccessString(ServiceFlags, (PPH_ACCESS_ENTRY)serviceFlags, RTL_NUMBER_OF(serviceFlags)); PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], ServiceFlags); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], string->sr); PhInitFormatC(&format[4], L')'); PhMoveReference(&string, PhFormat(format, 5, 10)); } else { string = PhCreateString(L"None"); } return string; } /** * Formats a human-readable name for a set of socket creation flags. * * \param[in] CreationFlags The creation flags value. * \return A string with the flag names. */ PPH_STRING PhAfdFormatCreationFlags( _In_ ULONG CreationFlags ) { #define PH_AFD_CREATION_FLAG(x, n) { TEXT(#x), x, FALSE, FALSE, n } static const PH_ACCESS_ENTRY creationFlags[] = { PH_AFD_CREATION_FLAG(WSA_FLAG_OVERLAPPED, L"Overlapped"), PH_AFD_CREATION_FLAG(WSA_FLAG_MULTIPOINT_C_ROOT, L"Multipoint control root"), PH_AFD_CREATION_FLAG(WSA_FLAG_MULTIPOINT_C_LEAF, L"Multipoint control leaf"), PH_AFD_CREATION_FLAG(WSA_FLAG_MULTIPOINT_D_ROOT, L"Multipoint data root"), PH_AFD_CREATION_FLAG(WSA_FLAG_MULTIPOINT_D_LEAF, L"Multipoint data leaf"), PH_AFD_CREATION_FLAG(WSA_FLAG_ACCESS_SYSTEM_SECURITY, L"Access SACL"), PH_AFD_CREATION_FLAG(WSA_FLAG_NO_HANDLE_INHERIT, L"No handle inherit"), PH_AFD_CREATION_FLAG(WSA_FLAG_REGISTERED_IO, L"Registered I/O"), }; PPH_STRING string; PH_FORMAT format[5]; if (CreationFlags) { string = PhGetAccessString(CreationFlags, (PPH_ACCESS_ENTRY)creationFlags, RTL_NUMBER_OF(creationFlags)); PhInitFormatS(&format[0], L"0x"); PhInitFormatX(&format[1], CreationFlags); PhInitFormatS(&format[2], L" ("); PhInitFormatSR(&format[3], string->sr); PhInitFormatC(&format[4], L')'); PhMoveReference(&string, PhFormat(format, 5, 10)); } else { string = PhCreateString(L"None"); } return string; } /** * Formats a human-readable name for a set of AFD socket flags. * * \param[in] SharedInfo The shared socket information buffer. * \return A string with the flag names. */ PPH_STRING PhAfdFormatSharedInfoFlags( _In_ PSOCK_SHARED_INFO SharedInfo ) { PH_STRING_BUILDER stringBuilder; if (!SharedInfo->Flags) return PhCreateString(L"None"); PhInitializeStringBuilder(&stringBuilder, 80); PhAppendFormatStringBuilder(&stringBuilder, L"0x%x (", SharedInfo->Flags); if (SharedInfo->Listening) PhAppendStringBuilder2(&stringBuilder, L"Listening, "); if (SharedInfo->Broadcast) PhAppendStringBuilder2(&stringBuilder, L"Broadcast, "); if (SharedInfo->Debug) PhAppendStringBuilder2(&stringBuilder, L"Debug, "); if (SharedInfo->OobInline) PhAppendStringBuilder2(&stringBuilder, L"OOB in line, "); if (SharedInfo->ReuseAddresses) PhAppendStringBuilder2(&stringBuilder, L"Reuse addresses, "); if (SharedInfo->ExclusiveAddressUse) PhAppendStringBuilder2(&stringBuilder, L"Exclusive address use, "); if (SharedInfo->NonBlocking) PhAppendStringBuilder2(&stringBuilder, L"Non-blocking, "); if (SharedInfo->DontUseWildcard) PhAppendStringBuilder2(&stringBuilder, L"Don't use wildcard, "); if (SharedInfo->ReceiveShutdown) PhAppendStringBuilder2(&stringBuilder, L"Receive shutdown, "); if (SharedInfo->SendShutdown) PhAppendStringBuilder2(&stringBuilder, L"Send shutdown, "); if (SharedInfo->ConditionalAccept) PhAppendStringBuilder2(&stringBuilder, L"Conditional accept, "); if (SharedInfo->IsSANSocket) PhAppendStringBuilder2(&stringBuilder, L"SAN, "); if (SharedInfo->fIsTLI) PhAppendStringBuilder2(&stringBuilder, L"TLI, "); if (SharedInfo->Rio) PhAppendStringBuilder2(&stringBuilder, L"RIO, "); if (SharedInfo->ReceiveBufferSizeSet) PhAppendStringBuilder2(&stringBuilder, L"Receive buffer size set, "); if (SharedInfo->SendBufferSizeSet) PhAppendStringBuilder2(&stringBuilder, L"Send buffer size set, "); // Remove the trailing comma PhRemoveEndStringBuilder(&stringBuilder, 2); PhAppendStringBuilder2(&stringBuilder, L")"); return PhFinalStringBuilderString(&stringBuilder); } /** * Looks up a name of a known address family. * * \param[in] AddressFamily The address family value. * \return A string with the address family name or NULL when it is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetAddressFamilyString( _In_ LONG AddressFamily ) { switch (AddressFamily) { case AF_UNSPEC: return L"Unspecified"; case AF_UNIX: return L"Unix"; case AF_INET: return L"Internet"; case AF_INET6: return L"Internet v6"; case AF_BTH: return L"Bluetooth"; case AF_HYPERV: return L"Hyper-V"; default: return NULL; } } /** * Formats an address family as a string. * * \param[in] AddressFamily The address family value. * \return A string with the address family name. */ PPH_STRING PhAfdFormatAddressFamily( _In_ LONG AddressFamily ) { PCWSTR knownName = PhpAfdGetAddressFamilyString(AddressFamily); if (knownName) return PhCreateString(knownName); else return PhFormatString(L"Unrecognized address family %d", AddressFamily); } /** * Looks up a name for a known protocol. * * \param[in] AddressFamily The address family of the protocol. * \param[in] Protocol The protocol value. * \return A string with the protocol name or NULL when it is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetProtocolString( _In_ LONG AddressFamily, _In_ LONG Protocol ) { switch (AddressFamily) { case AF_UNIX: return L"UNIX"; case AF_INET: case AF_INET6: { switch (Protocol) { case IPPROTO_ICMP: return L"ICMP"; case IPPROTO_IGMP: return L"IGMP"; case IPPROTO_TCP: return L"TCP"; case IPPROTO_UDP: return L"UDP"; case IPPROTO_RDP: return L"RDP"; case IPPROTO_ICMPV6: return L"ICMPv6"; case IPPROTO_PGM: return L"PGM"; case IPPROTO_L2TP: return L"L2TP"; case IPPROTO_SCTP: return L"SCTP"; case IPPROTO_RAW: return L"RAW"; case IPPROTO_RESERVED_IPSEC: return L"IPSec"; } } break; case AF_BTH: { switch (Protocol) { case BTHPROTO_RFCOMM: return L"RFCOMM"; case BTHPROTO_L2CAP: return L"L2CAP"; } } break; case AF_HYPERV: { switch (Protocol) { case HV_PROTOCOL_RAW: return L"RAW"; } } break; } return NULL; } /** * Formats a protocol name as a string. * * \param[in] AddressFamily The address family of the protocol. * \param[in] Protocol The protocol value. * \return A string with a human-readable protocol name. */ PPH_STRING PhAfdFormatProtocol( _In_ LONG AddressFamily, _In_ LONG Protocol ) { PCWSTR knownName = PhpAfdGetProtocolString(AddressFamily, Protocol); if (knownName) return PhCreateString(knownName); else return PhFormatString(L"Unrecognized protocol %d", Protocol); } /** * Looks up a short human-readable identifier for a known protocol. * * \param[in] AddressFamily The address family of the protocol. * \param[in] Protocol The protocol value. * \return A string with the protocol name or NULL when it is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetProtocolSummary( _In_ LONG AddressFamily, _In_ LONG Protocol ) { switch (AddressFamily) { case AF_UNIX: return L"UNIX"; case AF_INET: switch (Protocol) { case IPPROTO_ICMP: return L"ICMP"; case IPPROTO_TCP: return L"TCP"; case IPPROTO_UDP: return L"UDP"; case IPPROTO_RAW: return L"RAW/IPv4"; } case AF_INET6: switch (Protocol) { case IPPROTO_ICMPV6: return L"ICMP6"; case IPPROTO_TCP: return L"TCP6"; case IPPROTO_UDP: return L"UDP6"; case IPPROTO_RAW: return L"RAW/IPv6"; } case AF_BTH: switch (Protocol) { case BTHPROTO_RFCOMM: return L"RFCOMM [Bluetooth]"; case BTHPROTO_L2CAP: return L"L2CAP [Bluetooth]"; } case AF_HYPERV: switch (Protocol) { case HV_PROTOCOL_RAW: return L"Hyper-V RAW"; } } return NULL; } /** * Looks up a human-readable name of a group type. * * \param[in] GroupType The socket group type value. * \return A string with the group type name or NULL when the value is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetGroupTypeString( _In_ AFD_GROUP_TYPE GroupType ) { switch (GroupType) { case GroupTypeNeither: return L"Neither"; case GroupTypeUnconstrained: return L"Unconstrained"; case GroupTypeConstrained: return L"Constrained"; default: return NULL; } } /** * Formats a group type name as a string. * * \param[in] GroupType The socket group type value. * \return A string with a human-readable group type name. */ PPH_STRING PhAfdFormatGroupType( _In_ AFD_GROUP_TYPE GroupType ) { PCWSTR knownName = PhpAfdGetGroupTypeString(GroupType); if (knownName) return PhCreateString(knownName); else return PhFormatString(L"Unrecognized type (%d)", GroupType); } /** * Looks up a human-readable name for an IPv6 protection level. * * \param[in] ProtectionLevel The protection level value. * \return A string with the protection level name or NULL when the value is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetProtectionLevelString( _In_ ULONG ProtectionLevel ) { switch (ProtectionLevel) { case PROTECTION_LEVEL_UNRESTRICTED: return L"Unrestricted"; case PROTECTION_LEVEL_EDGERESTRICTED: return L"Edge-restricted"; case PROTECTION_LEVEL_RESTRICTED: return L"Restricted"; case PROTECTION_LEVEL_DEFAULT: return L"Default"; default: return NULL; } } /** * Formats an IPv6 protection level name as a string. * * \param[in] ProtectionLevel The protection level value. * \return A string with a human-readable protection level name. */ PPH_STRING PhAfdFormatProtectionLevel( _In_ ULONG ProtectionLevel ) { PCWSTR knownName; if (knownName = PhpAfdGetProtectionLevelString(ProtectionLevel)) { return PhCreateString(knownName); } return PhFormatString(L"Unrecognized value (%d)", ProtectionLevel); } /** * Looks up a human-readable name for MTU discovery mode. * * \param[in] MtuDiscover The MTU discovery value. * \return A string with the MTU discovery mode name or NULL when the value is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetMtuDiscoveryString( _In_ ULONG MtuDiscover ) { switch (MtuDiscover) { case IP_PMTUDISC_NOT_SET: return L"Not set"; case IP_PMTUDISC_DO: return L"Perform"; case IP_PMTUDISC_DONT: return L"Don't perform"; case IP_PMTUDISC_PROBE: return L"Probe"; default: return NULL; } } /** * Formats an MTU discovery mode as a string. * * \param[in] MtuDiscover The MTU discovery value. * \return A string with a human-readable MTU discovery mode name. */ PPH_STRING PhAfdFormatMtuDiscoveryMode( _In_ ULONG MtuDiscover ) { PCWSTR knownName; if (knownName = PhpAfdGetMtuDiscoveryString(MtuDiscover)) { return PhCreateString(knownName); } return PhFormatString(L"Unrecognized value (%d)", MtuDiscover); } /** * Looks up a human-readable name for a TCP state. * * \param[in] TcpState The TCP state value. * \return A string with the TCP state name or NULL when the value is not recognized. */ _Maybenull_ PCWSTR PhpAfdGetTcpStateString( _In_ TCPSTATE TcpState ) { switch (TcpState) { case TCPSTATE_CLOSED: return L"Closed"; case TCPSTATE_LISTEN: return L"Listen"; case TCPSTATE_SYN_SENT: return L"SYN sent"; case TCPSTATE_SYN_RCVD: return L"SYN received"; case TCPSTATE_ESTABLISHED: return L"Established"; case TCPSTATE_FIN_WAIT_1: return L"FIN wait 1"; case TCPSTATE_FIN_WAIT_2: return L"FIN wait 2"; case TCPSTATE_CLOSE_WAIT: return L"Close wait"; case TCPSTATE_CLOSING: return L"Closing"; case TCPSTATE_LAST_ACK: return L"Last ACK"; case TCPSTATE_TIME_WAIT: return L"Time wait"; default: return NULL; } } /** * Formats a TCP state as a string. * * \param[in] TcpState The TCP state value. * \return A string with a human-readable TCP state name. */ PPH_STRING PhAfdFormatTcpState( _In_ TCPSTATE TcpState ) { PCWSTR knownName; if (knownName = PhpAfdGetTcpStateString(TcpState)) { return PhCreateString(knownName); } return PhFormatString(L"Unrecognized state (%d)", TcpState); } /** * Formats an interface identifier as a string. * * \param[in] Interface The interface identifier. * \return A human-readable string with the interface IP address or scope ID. */ PPH_STRING PhAfdFormatInterfaceOption( _In_ ULONG Interface ) { if (Interface & 0x000000FF) { NTSTATUS status; IN_ADDR interfaceIp; ULONG addressStringLength = INET6_ADDRSTRLEN; WCHAR addressString[INET6_ADDRSTRLEN]; // Values with a non-zero first octet identify an interface by IP address interfaceIp.S_un.S_addr = Interface; status = PhIpv4AddressToString( &interfaceIp, 0, addressString, &addressStringLength ); if (NT_SUCCESS(status)) { PH_STRINGREF string; string.Buffer = addressString; string.Length = (addressStringLength - 1) * sizeof(WCHAR); return PhCreateString2(&string); } return PhFormatString(L"Error: %lu", status); } else if (Interface) { PH_FORMAT format[2]; // Other values (0.0.0.0/24 addresses) store a big-endian interface index/scope ID PhInitFormatC(&format[0], L'%'); PhInitFormatU(&format[1], _byteswap_ulong(Interface)); return PhFormat(format, RTL_NUMBER_OF(format), 8); } else { // The zero interface is special return PhCreateString(L"Default"); } } /** * Formats a human-readable name for an AFD socket. * * \param[in] SocketHandle An AFD socket handle. * \return The best handle name representation available on success, or NULL on error. */ _Maybenull_ PPH_STRING PhAfdFormatSocketBestName( _In_ HANDLE SocketHandle ) { PPH_STRING string = NULL; PH_FORMAT format[9]; ULONG count = 0; SOCK_SHARED_INFO sharedInfo; PPH_STRING addressString = NULL; PPH_STRING remoteAddressString = NULL; PhInitFormatS(&format[count++], L"AFD socket:"); if (NT_SUCCESS(PhAfdQuerySharedInfo(SocketHandle, &sharedInfo))) { PCWSTR detail; // State if (detail = PhpAfdGetSocketStateString(sharedInfo.State)) { PhInitFormatC(&format[count++], L' '); PhInitFormatS(&format[count++], detail); } // Protocol if (detail = PhpAfdGetProtocolSummary(sharedInfo.AddressFamily, sharedInfo.Protocol)) { PhInitFormatC(&format[count++], L' '); PhInitFormatS(&format[count++], detail); } } // Local address if (NT_SUCCESS(PhAfdQueryFormatAddress(SocketHandle, FALSE, &addressString, PH_AFD_ADDRESS_SIMPLIFY)) && !PhIsNullOrEmptyString(addressString)) { PhInitFormatS(&format[count++], L" on "); PhInitFormatSR(&format[count++], addressString->sr); } // Remote address if (NT_SUCCESS(PhAfdQueryFormatAddress(SocketHandle, TRUE, &remoteAddressString, PH_AFD_ADDRESS_SIMPLIFY)) && !PhIsNullOrEmptyString(remoteAddressString)) { PhInitFormatS(&format[count++], L" to "); PhInitFormatSR(&format[count++], remoteAddressString->sr); } if (count > 1) string = PhFormat(format, count, 10); PhClearReference(&addressString); PhClearReference(&remoteAddressString); return string; } ================================================ FILE: phlib/nativethread.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include #include #include #include #include /** * Opens a thread. * * \param[out] ThreadHandle A variable which receives a handle to the thread. * \param[in] DesiredAccess The desired access to the thread. * \param[in] ThreadId The ID of the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadId ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; CLIENT_ID clientId; KPH_LEVEL level; clientId.UniqueProcess = NULL; clientId.UniqueThread = ThreadId; level = KsiLevel(); if ((level >= KphLevelMed) && (DesiredAccess & KPH_THREAD_READ_ACCESS) == DesiredAccess) { status = KphOpenThread( ThreadHandle, DesiredAccess, &clientId ); } else { InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL); status = NtOpenThread( ThreadHandle, DesiredAccess, &objectAttributes, &clientId ); if (status == STATUS_ACCESS_DENIED && (level == KphLevelMax)) { status = KphOpenThread( ThreadHandle, DesiredAccess, &clientId ); } } return status; } /** * Opens a thread using a CLIENT_ID structure. * * \param[out] ThreadHandle Receives a handle to the opened thread. * \param[in] DesiredAccess The access rights requested for the thread. * \param[in] ClientId Pointer to a CLIENT_ID structure identifying the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenThreadClientId( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCLIENT_ID ClientId ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; KPH_LEVEL level; level = KsiLevel(); if ((level >= KphLevelMed) && (DesiredAccess & KPH_THREAD_READ_ACCESS) == DesiredAccess) { status = KphOpenThread( ThreadHandle, DesiredAccess, ClientId ); } else { InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL); status = NtOpenThread( ThreadHandle, DesiredAccess, &objectAttributes, ClientId ); if (status == STATUS_ACCESS_DENIED && (level == KphLevelMax)) { status = KphOpenThread( ThreadHandle, DesiredAccess, ClientId ); } } return status; } /** * Limited API for untrusted/external code. * * \param[out] ThreadHandle A variable which receives a handle to the thread. * \param[in] DesiredAccess The desired access to the thread. * \param[in] ThreadId The ID of the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenThreadPublic( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadId ) { OBJECT_ATTRIBUTES objectAttributes; CLIENT_ID clientId; clientId.UniqueProcess = NULL; clientId.UniqueThread = ThreadId; InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL); return NtOpenThread( ThreadHandle, DesiredAccess, &objectAttributes, &clientId ); } /** * Opens the process that owns the specified thread. * * \param[in] ThreadHandle Handle to the thread whose owning process is to be opened. * \param[in] DesiredAccess Access rights requested for the process handle. * \param[out] ProcessHandle Receives a handle to the opened process. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenThreadProcess( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE ProcessHandle ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; KPH_LEVEL level; level = KsiLevel(); if (level == KphLevelMax || (level >= KphLevelMed && FlagOn(DesiredAccess, KPH_PROCESS_READ_ACCESS) == DesiredAccess)) { status = KphOpenThreadProcess( ThreadHandle, DesiredAccess, ProcessHandle ); if (NT_SUCCESS(status)) return status; } status = PhGetThreadBasicInformation( ThreadHandle, &basicInfo ); if (!NT_SUCCESS(status)) return status; status = PhOpenProcessClientId( ProcessHandle, DesiredAccess, &basicInfo.ClientId ); return status; } /** * Gets basic information for a thread. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION access. * \param BasicInformation A variable which receives the information. * \return Successful or errant status. */ NTSTATUS PhGetThreadBasicInformation( _In_ HANDLE ThreadHandle, _Out_ PTHREAD_BASIC_INFORMATION BasicInformation ) { return NtQueryInformationThread( ThreadHandle, ThreadBasicInformation, BasicInformation, sizeof(THREAD_BASIC_INFORMATION), NULL ); } /** * Retrieves the base priority of a thread. * * \param[in] ThreadHandle A handle to the thread whose base priority is to be retrieved. * \param[out] Increment A pointer to a variable that receives the base priority value (KPRIORITY). * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadBasePriority( _In_ HANDLE ThreadHandle, _Out_ PKPRIORITY Increment ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo); if (NT_SUCCESS(status)) { *Increment = basicInfo.BasePriority; } return status; //return NtQueryInformationThread( // ThreadHandle, // ThreadBasePriority, // Increment, // sizeof(LONG), // NULL // ); } /** * Retrieves the Thread Environment Block (TEB) base address for a thread. * * \param[in] ThreadHandle A handle to the thread whose TEB base address is to be retrieved. * \param[out] TebBaseAddress A pointer to a variable that receives the TEB base address as an ULONG_PTR. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadTeb( _In_ HANDLE ThreadHandle, _Out_ PULONG_PTR TebBaseAddress ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo); if (NT_SUCCESS(status)) { if (!basicInfo.TebBaseAddress) return STATUS_UNSUCCESSFUL; *TebBaseAddress = (ULONG_PTR)basicInfo.TebBaseAddress; } return status; } /** * Retrieves the Thread Environment Block (TEB32) base address for a thread. * * \param[in] ThreadHandle A handle to the thread whose TEB32 base address is to be retrieved. * \param[out] TebBaseAddress A pointer to a variable that receives the TEB base address as an ULONG_PTR. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadTeb32( _In_ HANDLE ThreadHandle, _Out_ PULONG_PTR TebBaseAddress ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo); if (NT_SUCCESS(status)) { if (!basicInfo.TebBaseAddress) return STATUS_UNSUCCESSFUL; *TebBaseAddress = (ULONG_PTR)WOW64_GET_TEB32(basicInfo.TebBaseAddress); } return status; } /** * Gets a thread's Win32 start address. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION access. * \param StartAddress A variable which receives the start address of the thread. * \return Successful or errant status. */ NTSTATUS PhGetThreadStartAddress( _In_ HANDLE ThreadHandle, _Out_ PULONG_PTR StartAddress ) { return NtQueryInformationThread( ThreadHandle, ThreadQuerySetWin32StartAddress, StartAddress, sizeof(ULONG_PTR), NULL ); } /** * Gets a thread's I/O priority. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION access. * \param IoPriority A variable which receives the I/O priority of the thread. * \return Successful or errant status. */ NTSTATUS PhGetThreadIoPriority( _In_ HANDLE ThreadHandle, _Out_ IO_PRIORITY_HINT *IoPriority ) { return NtQueryInformationThread( ThreadHandle, ThreadIoPriority, IoPriority, sizeof(IO_PRIORITY_HINT), NULL ); } /** * Gets a thread's page priority. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION access. * \param PagePriority A variable which receives the page priority of the thread. * \return Successful or errant status. */ NTSTATUS PhGetThreadPagePriority( _In_ HANDLE ThreadHandle, _Out_ PULONG PagePriority ) { NTSTATUS status; PAGE_PRIORITY_INFORMATION pagePriorityInfo; status = NtQueryInformationThread( ThreadHandle, ThreadPagePriority, &pagePriorityInfo, sizeof(PAGE_PRIORITY_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *PagePriority = pagePriorityInfo.PagePriority; } return status; } /** * Gets a thread's dynamic boosting. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION access. * \param PriorityBoostDisabled A variable which receives the dynamic boosting state. * \return Successful or errant status. */ NTSTATUS PhGetThreadPriorityBoost( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN PriorityBoostDisabled ) { NTSTATUS status; ULONG priorityBoost; status = NtQueryInformationThread( ThreadHandle, ThreadPriorityBoost, &priorityBoost, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { *PriorityBoostDisabled = !!priorityBoost; } return status; } /** * Gets a thread's performance counter. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION access. * \param PerformanceCounter A variable which receives the 64-bit performance counter. * \return Successful or errant status. */ NTSTATUS PhGetThreadPerformanceCounter( _In_ HANDLE ThreadHandle, _Out_ PLARGE_INTEGER PerformanceCounter ) { NTSTATUS status; LARGE_INTEGER performanceCounter; status = NtQueryInformationThread( ThreadHandle, ThreadPerformanceCount, &performanceCounter, sizeof(LARGE_INTEGER), NULL ); if (NT_SUCCESS(status)) { *PerformanceCounter = performanceCounter; } return status; } /** * Gets a thread's cycle count. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION access. * \param CycleTime A variable which receives the 64-bit cycle time. * \return Successful or errant status. */ NTSTATUS PhGetThreadCycleTime( _In_ HANDLE ThreadHandle, _Out_ PULONG64 CycleTime ) { NTSTATUS status; THREAD_CYCLE_TIME_INFORMATION cycleTimeInfo; status = NtQueryInformationThread( ThreadHandle, ThreadCycleTime, &cycleTimeInfo, sizeof(THREAD_CYCLE_TIME_INFORMATION), NULL ); if (NT_SUCCESS(status)) { *CycleTime = cycleTimeInfo.AccumulatedCycles; } return status; } /** * Retrieves the ideal processor for a thread. * * \param[in] ThreadHandle A handle to the thread whose ideal processor is to be retrieved. * \param[out] ProcessorNumber A pointer to a PROCESSOR_NUMBER structure that receives the ideal processor information. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadIdealProcessor( _In_ HANDLE ThreadHandle, _Out_ PPROCESSOR_NUMBER ProcessorNumber ) { return NtQueryInformationThread( ThreadHandle, ThreadIdealProcessorEx, ProcessorNumber, sizeof(PROCESSOR_NUMBER), NULL ); } /** * Retrieves the suspend count for a thread. * * \param[in] ThreadHandle A handle to the thread whose suspend count is to be retrieved. * \param[out] SuspendCount A pointer to a variable that receives the suspend count. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadSuspendCount( _In_ HANDLE ThreadHandle, _Out_ PULONG SuspendCount ) { return NtQueryInformationThread( ThreadHandle, ThreadSuspendCount, SuspendCount, sizeof(ULONG), NULL ); } /** * Retrieves the WOW64 context for a thread. * * \param[in] ThreadHandle A handle to the thread whose WOW64 context is to be retrieved. * \param[out] Context A pointer to a WOW64_CONTEXT structure that receives the context. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadWow64Context( _In_ HANDLE ThreadHandle, _Out_ PWOW64_CONTEXT Context ) { return NtQueryInformationThread( ThreadHandle, ThreadWow64Context, Context, sizeof(WOW64_CONTEXT), NULL ); } #if defined(_ARM64_) /** * Retrieves the ARM32 context for a thread on ARM64 systems. * * \param[in] ThreadHandle A handle to the thread whose ARM32 context is to be retrieved. * \param[out] Context A pointer to an ARM_NT_CONTEXT structure that receives the context. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadArm32Context( _In_ HANDLE ThreadHandle, _Out_ PARM_NT_CONTEXT Context ) { return NtQueryInformationThread( ThreadHandle, ThreadWow64Context, Context, sizeof(ARM_NT_CONTEXT), NULL ); } #endif /** * Retrieves the break on termination state for a thread. * * \param[in] ThreadHandle A handle to the thread. * \param[out] BreakOnTermination A pointer to a variable that receives the break on termination state. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadBreakOnTermination( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN BreakOnTermination ) { NTSTATUS status; ULONG breakOnTermination; status = NtQueryInformationThread( ThreadHandle, ThreadBreakOnTermination, &breakOnTermination, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { *BreakOnTermination = !!breakOnTermination; } return status; } /** * Sets the break on termination state for a thread. * * \param[in] ThreadHandle A handle to the thread. * \param[in] BreakOnTermination TRUE to enable break on termination, FALSE to disable. * \return Successful or errant status. */ NTSTATUS PhSetThreadBreakOnTermination( _In_ HANDLE ThreadHandle, _In_ BOOLEAN BreakOnTermination ) { ULONG breakOnTermination; breakOnTermination = BreakOnTermination ? 1 : 0; return NtSetInformationThread( ThreadHandle, ThreadBreakOnTermination, &breakOnTermination, sizeof(ULONG) ); } /** * Retrieves the container ID for a thread. * * \param[in] ThreadHandle A handle to the thread. * \param[out] ContainerId A pointer to a GUID structure that receives the container ID. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadContainerId( _In_ HANDLE ThreadHandle, _In_ PGUID ContainerId ) { NTSTATUS status; GUID threadContainerId; status = NtQueryInformationThread( ThreadHandle, ThreadContainerId, &threadContainerId, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { memcpy(ContainerId, &threadContainerId, sizeof(GUID)); } return status; } /** * Retrieves the I/O pending state for a thread. * * \param[in] ThreadHandle A handle to the thread whose I/O pending state is to be retrieved. * \param[out] IsIoPending A pointer to a variable that receives the I/O pending state. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadIsIoPending( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN IsIoPending ) { NTSTATUS status; ULONG isIoPending; status = NtQueryInformationThread( ThreadHandle, ThreadIsIoPending, &isIoPending, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { *IsIoPending = !!isIoPending; } return status; } /** * Gets time information for a thread. * * \param ThreadHandle A handle to a thread. * \param Times A variable which receives the information. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadTimes( _In_ HANDLE ThreadHandle, _Out_ PKERNEL_USER_TIMES Times ) { return NtQueryInformationThread( ThreadHandle, ThreadTimes, Times, sizeof(KERNEL_USER_TIMES), NULL ); } /** * Retrieves the termination state for a thread. * * \param[in] ThreadHandle A handle to the thread whose termination state is to be retrieved. * \param[out] IsTerminated A pointer to a variable that receives the termination state (TRUE if terminated). * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadIsTerminated( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN IsTerminated ) { NTSTATUS status; ULONG threadIsTerminated; status = NtQueryInformationThread( ThreadHandle, ThreadIsTerminated, &threadIsTerminated, sizeof(ULONG), NULL ); if (NT_SUCCESS(status)) { *IsTerminated = !!threadIsTerminated; } return status; } /** * Determines if a thread is terminated by waiting with zero timeout. * * \param[in] ThreadHandle A handle to the thread. * \return TRUE if the thread is terminated, FALSE otherwise. */ BOOLEAN PhGetThreadIsTerminated2( _In_ HANDLE ThreadHandle ) { NTSTATUS status; LARGE_INTEGER timeout; memset(&timeout, 0, sizeof(LARGE_INTEGER)); status = NtWaitForSingleObject( ThreadHandle, FALSE, &timeout ); return status == STATUS_WAIT_0; } /** * Retrieves the group affinity for a thread. * * \param[in] ThreadHandle A handle to the thread whose group affinity is to be retrieved. * \param[out] GroupAffinity A pointer to a GROUP_AFFINITY structure that receives the group affinity. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadGroupAffinity( _In_ HANDLE ThreadHandle, _Out_ PGROUP_AFFINITY GroupAffinity ) { ULONG returnLength; return NtQueryInformationThread( ThreadHandle, ThreadGroupInformation, GroupAffinity, sizeof(GROUP_AFFINITY), &returnLength ); } /** * Retrieves the index information for a thread. * * \param[in] ThreadHandle A handle to the thread whose index information is to be retrieved. * \param[out] ThreadIndex A pointer to a THREAD_INDEX_INFORMATION structure that receives the index information. * \return Successful or errant status. * \remarks The handle must have THREAD_QUERY_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadIndexInformation( _In_ HANDLE ThreadHandle, _Out_ PTHREAD_INDEX_INFORMATION ThreadIndex ) { ULONG returnLength; return NtQueryInformationThread( ThreadHandle, ThreadIndexInformation, ThreadIndex, sizeof(THREAD_INDEX_INFORMATION), &returnLength ); } /** * Terminates a thread. * * \param[in] ThreadHandle A handle to the thread to be terminated. * \param[in] ExitStatus The exit status for the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhTerminateThread( _In_ HANDLE ThreadHandle, _In_ NTSTATUS ExitStatus ) { NTSTATUS status; status = NtTerminateThread( ThreadHandle, ExitStatus ); return status; } /** * Retrieves the context of a thread. * * \param[in] ThreadHandle The handle to the thread. * \param[in,out] ThreadContext A pointer to the CONTEXT structure that receives the thread context. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetContextThread( _In_ HANDLE ThreadHandle, _Inout_ PCONTEXT ThreadContext ) { NTSTATUS status; status = NtGetContextThread( ThreadHandle, ThreadContext ); return status; } /** * Atomically queries raw bytes from a thread's TEB at a specified offset. * * \param[in] ThreadHandle Handle to target thread. * \param[in,out] TebInformation Buffer to receive the bytes. * \param[in] TebOffset Offset (in bytes) from TEB base. * \param[in] BytesToRead Number of bytes to read. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadTebInformationAtomic( _In_ HANDLE ThreadHandle, _Inout_bytecount_(BytesToRead) PVOID TebInformation, _In_ ULONG TebOffset, _In_ ULONG BytesToRead ) { NTSTATUS status; THREAD_TEB_INFORMATION threadInfo; ULONG returnLength; if (WindowsVersion < WINDOWS_11_24H2) return STATUS_NOT_SUPPORTED; threadInfo.TebInformation = TebInformation; threadInfo.TebOffset = TebOffset; // FIELD_OFFSET(TEB, Value); threadInfo.BytesToRead = BytesToRead; // RTL_FIELD_SIZE(TEB, Value); status = NtQueryInformationThread( ThreadHandle, ThreadTebInformationAtomic, &threadInfo, sizeof(THREAD_TEB_INFORMATION), &returnLength ); return status; } /** * Retrieves a thread's name (Set by SetThreadDescription API). * * \param[in] ThreadHandle Handle to thread (THREAD_QUERY_LIMITED_INFORMATION). * \param[out] ThreadName Receives allocated PPH_STRING containing the name. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadName( _In_ HANDLE ThreadHandle, _Out_ PPH_STRING *ThreadName ) { NTSTATUS status; PTHREAD_NAME_INFORMATION buffer; ULONG bufferSize; ULONG returnLength; if (WindowsVersion < WINDOWS_10) return STATUS_NOT_SUPPORTED; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = NtQueryInformationThread( ThreadHandle, ThreadNameInformation, buffer, bufferSize, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); status = NtQueryInformationThread( ThreadHandle, ThreadNameInformation, buffer, bufferSize, &returnLength ); } if (NT_SUCCESS(status)) { // Note: Some threads have UNICODE_NULL as their name. (dmex) if (RtlIsNullOrEmptyUnicodeString(&buffer->ThreadName)) { PhFree(buffer); return STATUS_UNSUCCESSFUL; } *ThreadName = PhCreateStringFromUnicodeString(&buffer->ThreadName); } PhFree(buffer); return status; } /** * Sets the description (thread name) for a thread. * * \param[in] ThreadHandle Handle to thread (THREAD_SET_LIMITED_INFORMATION). * \param[in] ThreadName Wide string for new name. * \returns NTSTATUS Successful or errant status. */ NTSTATUS PhSetThreadName( _In_ HANDLE ThreadHandle, _In_ PCWSTR ThreadName ) { NTSTATUS status; THREAD_NAME_INFORMATION threadNameInfo; if (WindowsVersion < WINDOWS_10) return STATUS_NOT_SUPPORTED; memset(&threadNameInfo, 0, sizeof(THREAD_NAME_INFORMATION)); status = RtlInitUnicodeStringEx( &threadNameInfo.ThreadName, ThreadName ); if (!NT_SUCCESS(status)) return status; status = NtSetInformationThread( ThreadHandle, ThreadNameInformation, &threadNameInfo, sizeof(THREAD_NAME_INFORMATION) ); return status; } /** * Gets a thread's affinity mask. * * \param[in] ThreadHandle A handle to a thread. * \param[out] AffinityMask The affinity mask. * \return NTSTATUS Successful or errant status. * \remarks The handle must have THREAD_SET_LIMITED_INFORMATION access. */ NTSTATUS PhGetThreadAffinityMask( _In_ HANDLE ThreadHandle, _Out_ PKAFFINITY AffinityMask ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo); if (NT_SUCCESS(status)) { *AffinityMask = basicInfo.AffinityMask; } return status; //return NtQueryInformationThread( // ThreadHandle, // ThreadAffinityMask, // &AffinityMask, // sizeof(KAFFINITY), // NULL // ); } /** * Sets a thread's affinity mask. * * \param[in] ThreadHandle A handle to a thread. * \param[in] AffinityMask The new affinity mask. * \return NTSTATUS Successful or errant status. * \remarks The handle must have THREAD_SET_LIMITED_INFORMATION access. */ NTSTATUS PhSetThreadAffinityMask( _In_ HANDLE ThreadHandle, _In_ KAFFINITY AffinityMask ) { NTSTATUS status; status = NtSetInformationThread( ThreadHandle, ThreadAffinityMask, &AffinityMask, sizeof(KAFFINITY) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationThread( ThreadHandle, KphThreadAffinityMask, &AffinityMask, sizeof(KAFFINITY) ); } return status; } /** * Sets thread base priority using a CLIENT_ID (system-wide). * * \param[in] ClientId Target thread identifier. * \param[in] Increment New base priority value. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetThreadBasePriorityClientId( _In_ CLIENT_ID ClientId, _In_ KPRIORITY Increment ) { NTSTATUS status; SYSTEM_THREAD_CID_PRIORITY_INFORMATION threadInfo; threadInfo.ClientId = ClientId; threadInfo.Priority = Increment; status = NtSetSystemInformation( SystemThreadPriorityClientIdInformation, &threadInfo, sizeof(SYSTEM_THREAD_CID_PRIORITY_INFORMATION) ); if (status == STATUS_PENDING) status = STATUS_SUCCESS; return status; } /** * Sets a thread's base priority. * * \param[in] ThreadHandle Handle to thread. * \param[in] Increment New priority value (KPRIORITY). * \returns NTSTATUS Successful or errant status. */ NTSTATUS PhSetThreadBasePriority( _In_ HANDLE ThreadHandle, _In_ KPRIORITY Increment ) { NTSTATUS status; status = NtSetInformationThread( ThreadHandle, ThreadBasePriority, &Increment, sizeof(KPRIORITY) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationThread( ThreadHandle, KphThreadBasePriority, &Increment, sizeof(KPRIORITY) ); } return status; } /** * Sets a thread's I/O priority. * * \param[in] ThreadHandle A handle to a thread. * \param[in] IoPriority The new I/O priority. * \return NTSTATUS Successful or errant status. * \remarks The handle must have THREAD_SET_LIMITED_INFORMATION access. */ NTSTATUS PhSetThreadIoPriority( _In_ HANDLE ThreadHandle, _In_ IO_PRIORITY_HINT IoPriority ) { NTSTATUS status; status = NtSetInformationThread( ThreadHandle, ThreadIoPriority, &IoPriority, sizeof(IO_PRIORITY_HINT) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationThread( ThreadHandle, KphThreadIoPriority, &IoPriority, sizeof(IO_PRIORITY_HINT) ); } return status; } /** * Sets a thread's page priority. * * \param[in] ThreadHandle Thread handle. * \param[in] PagePriority New page priority value (1..5 typical). * \returns NTSTATUS Successful or errant status. */ NTSTATUS PhSetThreadPagePriority( _In_ HANDLE ThreadHandle, _In_ ULONG PagePriority ) { NTSTATUS status; PAGE_PRIORITY_INFORMATION pagePriorityInfo; pagePriorityInfo.PagePriority = PagePriority; status = NtSetInformationThread( ThreadHandle, ThreadPagePriority, &pagePriorityInfo, sizeof(PAGE_PRIORITY_INFORMATION) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationThread( ThreadHandle, KphThreadPagePriority, &pagePriorityInfo, sizeof(PAGE_PRIORITY_INFORMATION) ); } return status; } /** * Enables or disables priority boost for a thread. * * \param[in] ThreadHandle Thread handle. * \param[in] DisablePriorityBoost TRUE to disable boost, FALSE to enable. * \returns NTSTATUS Successful or errant status. */ NTSTATUS PhSetThreadPriorityBoost( _In_ HANDLE ThreadHandle, _In_ BOOLEAN DisablePriorityBoost ) { NTSTATUS status; ULONG priorityBoost; priorityBoost = DisablePriorityBoost ? 1 : 0; status = NtSetInformationThread( ThreadHandle, ThreadPriorityBoost, &priorityBoost, sizeof(ULONG) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationThread( ThreadHandle, KphThreadPriorityBoost, &priorityBoost, sizeof(ULONG) ); } return status; } /** * Retrieves the current power throttling state applied to the specified thread. * * \param[in] ThreadHandle Handle to the thread whose power throttling state is to be queried. * \param[out] PowerThrottlingState Pointer to a POWER_THROTTLING_THREAD_STATE structure that receives the throttling state. * \returns NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadPowerThrottlingState( _In_ HANDLE ThreadHandle, _Out_ PPOWER_THROTTLING_THREAD_STATE PowerThrottlingState ) { NTSTATUS status; POWER_THROTTLING_THREAD_STATE threadPowerThrottlingState; memset(&threadPowerThrottlingState, 0, sizeof(POWER_THROTTLING_THREAD_STATE)); threadPowerThrottlingState.Version = POWER_THROTTLING_THREAD_CURRENT_VERSION; status = NtQueryInformationThread( ThreadHandle, ThreadPowerThrottlingState, &threadPowerThrottlingState, sizeof(POWER_THROTTLING_THREAD_STATE), NULL ); if (NT_SUCCESS(status)) { *PowerThrottlingState = threadPowerThrottlingState; } return status; } /** * Sets a thread's ideal processor (ThreadIdealProcessorEx). * * \param[in] ULONG Thread handle. * \param[in] ProcessorNumber Desired processor number/group. * \param[out] PreviousIdealProcessor Receives previous value if provided. * \returns NTSTATUS Successful or errant status. */ NTSTATUS PhSetThreadIdealProcessor( _In_ HANDLE ThreadHandle, _In_ PPROCESSOR_NUMBER ProcessorNumber, _Out_opt_ PPROCESSOR_NUMBER PreviousIdealProcessor ) { NTSTATUS status; PROCESSOR_NUMBER processorNumber; processorNumber = *ProcessorNumber; status = NtSetInformationThread( ThreadHandle, ThreadIdealProcessorEx, &processorNumber, sizeof(PROCESSOR_NUMBER) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationThread( ThreadHandle, KphThreadIdealProcessorEx, &processorNumber, sizeof(PROCESSOR_NUMBER) ); } if (PreviousIdealProcessor) *PreviousIdealProcessor = processorNumber; return status; } /** * Sets a thread's group affinity. * * \param[in] ThreadHandle Thread handle. * \param[in] GroupAffinity New affinity data. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetThreadGroupAffinity( _In_ HANDLE ThreadHandle, _In_ GROUP_AFFINITY GroupAffinity ) { NTSTATUS status; status = NtSetInformationThread( ThreadHandle, ThreadGroupInformation, &GroupAffinity, sizeof(GROUP_AFFINITY) ); if ((status == STATUS_ACCESS_DENIED) && (KsiLevel() == KphLevelMax)) { status = KphSetInformationThread( ThreadHandle, KphThreadGroupInformation, &GroupAffinity, sizeof(GROUP_AFFINITY) ); } return status; } /** * The PhGetThreadLastSystemCall function returns the last system call of a thread. * * \param[in] ThreadHandle A handle to the thread. * \param[out] LastSystemCall The last system call of the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadLastSystemCall( _In_ HANDLE ThreadHandle, _Out_ PTHREAD_LAST_SYSCALL_INFORMATION LastSystemCall ) { if (WindowsVersion < WINDOWS_8) { return NtQueryInformationThread( ThreadHandle, ThreadLastSystemCall, LastSystemCall, FIELD_OFFSET(THREAD_LAST_SYSCALL_INFORMATION, WaitTime), NULL ); } return NtQueryInformationThread( ThreadHandle, ThreadLastSystemCall, LastSystemCall, sizeof(THREAD_LAST_SYSCALL_INFORMATION), NULL ); } // rev from Advapi32!ImpersonateAnonymousToken (dmex) /** * The PhCreateImpersonationToken function creates an anonymous logon token. * * \param[in] ThreadHandle A handle to the thread. * \param[out] TokenHandle A handle to the token. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateImpersonationToken( _In_ HANDLE ThreadHandle, _Out_ PHANDLE TokenHandle ) { NTSTATUS status; HANDLE tokenHandle; SECURITY_QUALITY_OF_SERVICE securityService; status = PhRevertImpersonationToken(ThreadHandle); if (!NT_SUCCESS(status)) return status; securityService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); securityService.ImpersonationLevel = SecurityImpersonation; securityService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; securityService.EffectiveOnly = FALSE; status = NtImpersonateThread( ThreadHandle, ThreadHandle, &securityService ); if (!NT_SUCCESS(status)) return status; status = PhOpenThreadToken( ThreadHandle, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, FALSE, &tokenHandle ); if (NT_SUCCESS(status)) { *TokenHandle = tokenHandle; } return status; } // rev from Advapi32!ImpersonateLoggedOnUser (dmex) /** * The PhImpersonateToken function enables the specified thread to impersonate the security context of a token. * * \param[in] ThreadHandle A handle to the thread. * \param[in] TokenHandle A handle to the token. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhImpersonateToken( _In_ HANDLE ThreadHandle, _In_ HANDLE TokenHandle ) { NTSTATUS status; TOKEN_TYPE tokenType; ULONG returnLength; status = NtQueryInformationToken( TokenHandle, TokenType, &tokenType, sizeof(TOKEN_TYPE), &returnLength ); if (!NT_SUCCESS(status)) return status; if (tokenType == TokenPrimary) { SECURITY_QUALITY_OF_SERVICE securityService; OBJECT_ATTRIBUTES objectAttributes; HANDLE tokenHandle; memset(&securityService, 0, sizeof(SECURITY_QUALITY_OF_SERVICE)); securityService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); securityService.ImpersonationLevel = SecurityImpersonation; securityService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; securityService.EffectiveOnly = FALSE; InitializeObjectAttributesEx( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL, &securityService ); status = NtDuplicateToken( TokenHandle, TOKEN_IMPERSONATE | TOKEN_QUERY, &objectAttributes, FALSE, TokenImpersonation, &tokenHandle ); if (!NT_SUCCESS(status)) return status; status = NtSetInformationThread( ThreadHandle, ThreadImpersonationToken, &tokenHandle, sizeof(HANDLE) ); NtClose(tokenHandle); } else { status = NtSetInformationThread( ThreadHandle, ThreadImpersonationToken, &TokenHandle, sizeof(HANDLE) ); } return status; } // rev from Advapi32!RevertToSelf (dmex) /** * The PhRevertImpersonationToken function terminates the impersonation of a security context. * * \param[in] ThreadHandle A handle to the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhRevertImpersonationToken( _In_ HANDLE ThreadHandle ) { HANDLE tokenHandle = NULL; return NtSetInformationThread( ThreadHandle, ThreadImpersonationToken, &tokenHandle, sizeof(HANDLE) ); } /** * Retrieves the last error status of a thread. * * \param[in] ThreadHandle A handle to the thread. * \param[in] ProcessHandle A handle to the process. * \param[out] LastStatusValue The last status of the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadLastStatusValue( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PNTSTATUS LastStatusValue ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, LastStatusValue)), LastStatusValue, sizeof(NTSTATUS), NULL ); } else #endif { status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, LastStatusValue)), // LastErrorValue/ExceptionCode LastStatusValue, sizeof(NTSTATUS), NULL ); } return status; } /** * Retrieves statistics about COM multi-threaded apartment (MTA) usage in a process. * * \param[in] ProcessHandle A handle to the process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param[out] MTAInits The total number of MTA references in the process. * \param[out] MTAIncInits The number of MTA references from CoIncrementMTAUsage. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessMTAUsage( _In_ HANDLE ProcessHandle, _Out_opt_ PULONG MTAInits, _Out_opt_ PULONG MTAIncInits ) { NTSTATUS status; #ifdef _WIN64 BOOLEAN isWow64; #endif static PH_INITONCE initOnce = PH_INITONCE_INIT; static PMTA_USAGE_GLOBALS mtaUsageGlobals = NULL; if (!MTAInits && !MTAIncInits) return STATUS_INVALID_PARAMETER; #ifdef _WIN64 if (!NT_SUCCESS(status = PhGetProcessIsWow64(ProcessHandle, &isWow64))) return status; if (isWow64) return STATUS_NOT_SUPPORTED; #endif if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_8) { PVOID combase; PMTA_USAGE_GLOBALS (WINAPI* CoGetMTAUsageInfo_I)(VOID); if (combase = PhGetLoaderEntryDllBaseZ(L"combase.dll")) { // combase exports CoGetMTAUsageInfo as ordinal 70 CoGetMTAUsageInfo_I = PhGetDllBaseProcedureAddress(combase, NULL, 70); if (CoGetMTAUsageInfo_I) { // CoGetMTAUsageInfo returns addresses of several global variables we can read mtaUsageGlobals = CoGetMTAUsageInfo_I(); } } } PhEndInitOnce(&initOnce); } if (!mtaUsageGlobals) return STATUS_UNSUCCESSFUL; if (MTAInits) { status = PhReadVirtualMemory( ProcessHandle, mtaUsageGlobals->MTAInits, MTAInits, sizeof(ULONG), NULL ); if (!NT_SUCCESS(status)) return status; } if (MTAIncInits) { status = PhReadVirtualMemory( ProcessHandle, mtaUsageGlobals->MTAIncInits, MTAIncInits, sizeof(ULONG), NULL ); if (!NT_SUCCESS(status)) return status; } return STATUS_SUCCESS; } /** * Retrieves COM apartment flags and init count of a thread. * * \param[in] ThreadHandle A handle to the thread. The handle must have * THREAD_QUERY_LIMITED_INFORMATION access. * \param[in] ProcessHandle A handle to the process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param[out] ApartmentFlags The COM apartment flags of the thread. * \param[out] ComInits The number of times the thread initialized COM. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadApartmentFlags( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PULONG ApartmentFlags, _Out_opt_ PULONG ComInits ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; PVOID apartmentStateOffset; PVOID oletlsBaseAddress; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 if (!NT_SUCCESS(status = PhGetProcessIsWow64(ProcessHandle, &isWow64))) return status; if (isWow64) { ULONG oletlsDataAddress32 = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, ReservedForOle)), &oletlsDataAddress32, sizeof(ULONG), NULL ); oletlsBaseAddress = UlongToPtr(oletlsDataAddress32); } else #endif { ULONG_PTR oletlsDataAddress = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, ReservedForOle)), &oletlsDataAddress, sizeof(ULONG_PTR), NULL ); oletlsBaseAddress = (PVOID)oletlsDataAddress; } if (!NT_SUCCESS(status)) return status; if (!oletlsBaseAddress) { // Return a special error to indicate that we successfully determined // that the thread has no associated COM state. (diversenok) return NTSTATUS_FROM_WIN32(CO_E_NOTINITIALIZED); } #ifdef _WIN64 if (isWow64) apartmentStateOffset = PTR_ADD_OFFSET(oletlsBaseAddress, UFIELD_OFFSET(SOleTlsData32, Flags)); else apartmentStateOffset = PTR_ADD_OFFSET(oletlsBaseAddress, UFIELD_OFFSET(SOleTlsData, Flags)); #else apartmentStateOffset = PTR_ADD_OFFSET(oletlsBaseAddress, UFIELD_OFFSET(SOleTlsData, Flags)); #endif status = PhReadVirtualMemory( ProcessHandle, apartmentStateOffset, ApartmentFlags, sizeof(ULONG), NULL ); if (!NT_SUCCESS(status)) return status; if (ComInits) { PVOID comInitsOffset; #ifdef _WIN64 if (isWow64) comInitsOffset = PTR_ADD_OFFSET(oletlsBaseAddress, UFIELD_OFFSET(SOleTlsData32, ComInits)); else comInitsOffset = PTR_ADD_OFFSET(oletlsBaseAddress, UFIELD_OFFSET(SOleTlsData, ComInits)); #else comInitsOffset = PTR_ADD_OFFSET(oletlsBaseAddress, UFIELD_OFFSET(SOleTlsData, ComInits)); #endif status = PhReadVirtualMemory( ProcessHandle, comInitsOffset, ComInits, sizeof(ULONG), NULL ); } return status; } /** * Determines COM apartment type of a thread, similar to CoGetApartmentType. * * \param[in] ThreadHandle A handle to the thread. The handle must have * THREAD_QUERY_LIMITED_INFORMATION access. * \param[in] ProcessHandle A handle to the process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param[out] ApartmentInfo The COM apartment information of the thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadApartment( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PPH_APARTMENT_INFO ApartmentInfo ) { NTSTATUS status; PH_APARTMENT_INFO info = { 0 }; // // N.B. Most information about the thread's apartment comes from OLE TLS data in TEB. // Without it, threads can still implicitly belong to the multi-threaded apartment (MTA) // as long as one exists in the process. (diversenok) // // Read OLE TLS flags status = PhGetThreadApartmentFlags(ThreadHandle, ProcessHandle, &info.Flags, &info.ComInits); if (status == NTSTATUS_FROM_WIN32(CO_E_NOTINITIALIZED)) { // For our purposes, no OLE TLS data is equivalent to empty flags info.Flags = 0; info.ComInits = 0; status = STATUS_SUCCESS; } if (!NT_SUCCESS(status)) return status; if (info.Flags & OLETLS_APARTMENTTHREADED) { // // N.B. Single-threaded apartments (STAs) belong to one of the three sub-types: // - Main STA: the first (classic) STA created in the process. It has the responsibility of hosting // all components with no ThreadingModel and ThreadingModel=Single (which are equivalent). // - Classic STA: a reentrant single-threaded apartment, usually referred to as just STA. // - Application STA (ASTA): a non-reentrant single-threaded apartment used primarily by WinRT. // if (info.Flags & OLETLS_APPLICATION_STA) { // The non-reentrancy requirement of ASTA means it cannot serve as the main STA info.Type = PH_APARTMENT_TYPE_APPLICATION_STA; } else { THREAD_BASIC_INFORMATION basicInfo; BOOLEAN isMainSta = FALSE; // // N.B. There is no flag to distinguish between main and non-main classic STAs. // Internally, CoGetApartmentType compares the caller's thread ID to the thread ID // stored in a private global variable (which we cannot access). Instead, we can // check if the specified thread owns the main STA window - a message-only window // with a known class and name. (diversenok) // if (NT_SUCCESS(PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) { CLIENT_ID clientId; HWND hwnd = NULL; do { // Find the next main STA window hwnd = FindWindowExW( HWND_MESSAGE, hwnd, L"OleMainThreadWndClass", L"OleMainThreadWndName" ); // Check if it belongs to the specified thread ID } while (hwnd && NT_SUCCESS(PhGetWindowClientId(hwnd, &clientId)) && (clientId.UniqueProcess != basicInfo.ClientId.UniqueProcess || clientId.UniqueThread != basicInfo.ClientId.UniqueThread)); isMainSta = !!hwnd; } info.Type = isMainSta ? PH_APARTMENT_TYPE_MAIN_STA : PH_APARTMENT_TYPE_STA; } } else if (info.Flags & (OLETLS_MULTITHREADED | OLETLS_DISPATCHTHREAD)) { // CoGetApartmentType treats explicit MTA threads and dispatch threads equally info.Type = PH_APARTMENT_TYPE_MTA; } else { // // N.B. The thread lacks an explicit apartment. A single MTA init, however, is // enough to put all apartmentless threads into implicit MTA. The existence of MTA // can be checked by reading the process-wide MTA usage counter. (diversenok) // if (!NT_SUCCESS(status = PhGetProcessMTAUsage(ProcessHandle, &info.ComInits, NULL))) return status; if (info.ComInits > 0) info.Type = PH_APARTMENT_TYPE_IMPLICIT_MTA; else return NTSTATUS_FROM_WIN32(CO_E_NOTINITIALIZED); } // // N.B. Threads can temporarily enter the neutral apartment on top of their existing apartment. // Neutral apartment is often abbreviated to NA, NTA, or TNA. (diversenok) // info.InNeutral = !!(info.Flags & OLETLS_INNEUTRALAPT); *ApartmentInfo = info; return STATUS_SUCCESS; } // rev from advapi32!WctGetCOMInfo (dmex) /** * If a thread is blocked on a COM call, we can retrieve COM ownership information using these functions. * Retrieves COM information when a thread is blocked on a COM call. * * \param[in] ThreadHandle A handle to the thread. * \param[in] ProcessHandle A handle to a process. * \param[out] ApartmentCallState The COM call information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadApartmentCallState( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PPH_COM_CALLSTATE ApartmentCallState ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif PVOID oletlsBaseAddress = NULL; if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { ULONG oletlsDataAddress32 = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, ReservedForOle)), &oletlsDataAddress32, sizeof(ULONG), NULL ); oletlsBaseAddress = UlongToPtr(oletlsDataAddress32); } else #endif { ULONG_PTR oletlsDataAddress = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, ReservedForOle)), &oletlsDataAddress, sizeof(ULONG_PTR), NULL ); oletlsBaseAddress = (PVOID)oletlsDataAddress; } if (NT_SUCCESS(status) && oletlsBaseAddress) { typedef enum _CALL_STATE_TYPE { CALL_STATE_TYPE_OUTGOING, // tagOutgoingCallData CALL_STATE_TYPE_INCOMING, // tagIncomingCallData CALL_STATE_TYPE_ACTIVATION // tagOutgoingActivationData } CALL_STATE_TYPE; typedef struct tagOutgoingCallData // private { ULONG dwServerPID; ULONG dwServerTID; } tagOutgoingCallData, *PtagOutgoingCallData; typedef struct tagIncomingCallData // private { ULONG dwClientPID; } tagIncomingCallData, *PtagIncomingCallData; typedef struct tagOutgoingActivationData // private { GUID guidServer; } tagOutgoingActivationData, *PtagOutgoingActivationData; static HRESULT (WINAPI* CoGetCallState_I)( // rev _In_ CALL_STATE_TYPE Type, _Out_ PULONG OffSet ) = NULL; //static HRESULT (WINAPI* CoGetActivationState_I)( // rev // _In_ LPCLSID Clsid, // _In_ ULONG ClientTid, // _Out_ PULONG ServerPid // ) = NULL; static PH_INITONCE initOnce = PH_INITONCE_INIT; ULONG outgoingCallDataOffset = 0; ULONG incomingCallDataOffset = 0; ULONG outgoingActivationDataOffset = 0; tagOutgoingCallData outgoingCallData = { 0 }; tagIncomingCallData incomingCallData = { 0 }; tagOutgoingActivationData outgoingActivationData = { 0 }; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhGetLoaderEntryDllBaseZ(L"combase.dll")) { CoGetCallState_I = PhGetDllBaseProcedureAddress(baseAddress, "CoGetCallState", 0); //CoGetActivationState_I = PhGetDllBaseProcedureAddress(baseAddress, "CoGetActivationState", 0); } PhEndInitOnce(&initOnce); } if (HR_SUCCESS(CoGetCallState_I(CALL_STATE_TYPE_OUTGOING, &outgoingCallDataOffset)) && outgoingCallDataOffset) { PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(oletlsBaseAddress, outgoingCallDataOffset), &outgoingCallData, sizeof(tagOutgoingCallData), NULL ); } if (HR_SUCCESS(CoGetCallState_I(CALL_STATE_TYPE_INCOMING, &incomingCallDataOffset)) && incomingCallDataOffset) { PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(oletlsBaseAddress, incomingCallDataOffset), &incomingCallData, sizeof(tagIncomingCallData), NULL ); } if (HR_SUCCESS(CoGetCallState_I(CALL_STATE_TYPE_ACTIVATION, &outgoingActivationDataOffset)) && outgoingActivationDataOffset) { PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(oletlsBaseAddress, outgoingActivationDataOffset), &outgoingActivationData, sizeof(tagOutgoingActivationData), NULL ); } memset(ApartmentCallState, 0, sizeof(PH_COM_CALLSTATE)); ApartmentCallState->ServerPID = outgoingCallData.dwServerPID != 0 ? outgoingCallData.dwServerPID : ULONG_MAX; ApartmentCallState->ServerTID = outgoingCallData.dwServerTID != 0 ? outgoingCallData.dwServerTID : ULONG_MAX; ApartmentCallState->ClientPID = incomingCallData.dwClientPID != 0 ? incomingCallData.dwClientPID : ULONG_MAX; memcpy(&ApartmentCallState->ServerGuid, &outgoingActivationData.guidServer, sizeof(GUID)); } else { status = STATUS_UNSUCCESSFUL; } return status; } /** * Determines if a thread has an associated RPC state. * * \param[in] ThreadHandle A handle to the thread. The handle must have * THREAD_QUERY_LIMITED_INFORMATION access. * \param[in] ProcessHandle A handle to the process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param[out] HasRpcState Whether the thread has allocated RPC state. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadRpcState( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN HasRpcState ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 if (!NT_SUCCESS(status = PhGetProcessIsWow64(ProcessHandle, &isWow64))) return status; if (isWow64) { typeof(RTL_FIELD_TYPE(TEB32, ReservedForNtRpc)) reservedForNtRpc32 = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, ReservedForNtRpc)), &reservedForNtRpc32, sizeof(RTL_FIELD_TYPE(TEB32, ReservedForNtRpc)), NULL ); *HasRpcState = !!reservedForNtRpc32; } else #endif { typeof(RTL_FIELD_TYPE(TEB, ReservedForNtRpc)) reservedForNtRpc = NULL; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, ReservedForNtRpc)), &reservedForNtRpc, sizeof(RTL_FIELD_TYPE(TEB, ReservedForNtRpc)), NULL ); *HasRpcState = !!reservedForNtRpc; } return status; } // rev from advapi32!WctGetCritSecInfo (dmex) /** * Retrieves the thread identifier when a thread is blocked on a critical section. * * \param[in] ThreadHandle A handle to the thread. * \param[in] ProcessId The ID of a process. * \param[out] ThreadId The ID of the thread owning the critical section. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadCriticalSectionOwnerThread( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessId, _Out_ PULONG ThreadId ) { NTSTATUS status; PRTL_DEBUG_INFORMATION debugBuffer; if (WindowsVersion < WINDOWS_11) return STATUS_UNSUCCESSFUL; if (!(debugBuffer = RtlCreateQueryDebugBuffer(0, FALSE))) return STATUS_UNSUCCESSFUL; debugBuffer->CriticalSectionOwnerThread = ThreadHandle; status = RtlQueryProcessDebugInformation( ProcessId, RTL_QUERY_PROCESS_NONINVASIVE_CS_OWNER, // TODO: RTL_QUERY_PROCESS_CS_OWNER (dmex) debugBuffer ); if (!NT_SUCCESS(status)) { RtlDestroyQueryDebugBuffer(debugBuffer); return status; } if (!debugBuffer->Reserved[0]) { RtlDestroyQueryDebugBuffer(debugBuffer); return STATUS_UNSUCCESSFUL; } *ThreadId = PtrToUlong(debugBuffer->Reserved[0]); RtlDestroyQueryDebugBuffer(debugBuffer); return STATUS_SUCCESS; } // rev from advapi32!WctGetSocketInfo (dmex) /** * Retrieves the connection state when a thread is blocked on a socket. * * \param[in] ThreadHandle A handle to the thread. * \param[in] ProcessHandle A handle to a process. * \param[out] ThreadSocketState The state of the socket. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadSocketState( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PPH_THREAD_SOCKET_STATE ThreadSocketState ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif typeof(RTL_FIELD_TYPE(TEB, WinSockData)) winsockHandleAddress = NULL; if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { typeof(RTL_FIELD_TYPE(TEB32, WinSockData)) winsockDataAddress = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, WinSockData)), &winsockDataAddress, sizeof(RTL_FIELD_TYPE(TEB32, WinSockData)), NULL ); winsockHandleAddress = UlongToHandle(winsockDataAddress); } else #endif { typeof(RTL_FIELD_TYPE(TEB, WinSockData)) winsockDataAddress = NULL; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, WinSockData)), &winsockDataAddress, sizeof(RTL_FIELD_TYPE(TEB, WinSockData)), NULL ); winsockHandleAddress = winsockDataAddress; } if (NT_SUCCESS(status) && winsockHandleAddress) { #if defined(PHLIB_SOCKET_STATE_WINSOCK) static LONG (WINAPI* LPFN_WSASTARTUP)( _In_ WORD wVersionRequested, _Out_ PVOID* lpWSAData ); static LONG (WINAPI* LPFN_GETSOCKOPT)( _In_ UINT_PTR s, _In_ LONG level, _In_ LONG optname, _Out_writes_bytes_(*optlen) char FAR* optval, _Inout_ LONG FAR* optlen ); static LONG (WINAPI* LPFN_CLOSESOCKET)( _In_ ULONG_PTR s ); static LONG (WINAPI* LPFN_WSACLEANUP)( void ); static PH_INITONCE initOnce = PH_INITONCE_INIT; #ifndef WINSOCK_VERSION #define WINSOCK_VERSION MAKEWORD(2,2) #endif #ifndef SOCKET_ERROR #define SOCKET_ERROR (-1) #endif #ifndef SOL_SOCKET #define SOL_SOCKET 0xffff #endif #ifndef SO_BSP_STATE #define SO_BSP_STATE 0x1009 #endif typedef struct _SOCKET_ADDRESS { _Field_size_bytes_(iSockaddrLength) PVOID lpSockaddr; // _When_(lpSockaddr->sa_family == AF_INET, _Field_range_(>=, sizeof(SOCKADDR_IN))) // _When_(lpSockaddr->sa_family == AF_INET6, _Field_range_(>=, sizeof(SOCKADDR_IN6))) LONG iSockaddrLength; } SOCKET_ADDRESS, *PSOCKET_ADDRESS, *LPSOCKET_ADDRESS; typedef struct _CSADDR_INFO { SOCKET_ADDRESS LocalAddr; SOCKET_ADDRESS RemoteAddr; LONG iSocketType; LONG iProtocol; } CSADDR_INFO, *PCSADDR_INFO, FAR* LPCSADDR_INFO; PVOID wsaStartupData; #endif HANDLE winsockTargetHandle; #if defined(PHLIB_SOCKET_STATE_WINSOCK) if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"ws2_32.dll")) { LPFN_WSASTARTUP = PhGetDllBaseProcedureAddress(baseAddress, "WSAStartup", 0); LPFN_GETSOCKOPT = PhGetDllBaseProcedureAddress(baseAddress, "getsockopt", 0); //LPFN_GETSOCKNAME = PhGetDllBaseProcedureAddress(baseAddress, "getsockname", 0); //LPFN_GETPEERNAME = PhGetDllBaseProcedureAddress(baseAddress, "getpeername", 0); LPFN_CLOSESOCKET = PhGetDllBaseProcedureAddress(baseAddress, "closesocket", 0); LPFN_WSACLEANUP = PhGetDllBaseProcedureAddress(baseAddress, "WSACleanup", 0); } PhEndInitOnce(&initOnce); } if (LPFN_WSASTARTUP(WINSOCK_VERSION, &wsaStartupData) != 0) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } #endif status = NtDuplicateObject( ProcessHandle, winsockHandleAddress, NtCurrentProcess(), &winsockTargetHandle, 0, 0, DUPLICATE_SAME_ACCESS ); if (NT_SUCCESS(status)) { OBJECT_BASIC_INFORMATION winsockTargetBasicInfo; status = PhGetObjectBasicInformation( ProcessHandle, winsockTargetHandle, &winsockTargetBasicInfo ); if (NT_SUCCESS(status)) { ULONG winsockAddressInfoLength = sizeof(CSADDR_INFO); CSADDR_INFO winsockAddressInfo; status = PhAfdQuerySocketOption( winsockTargetHandle, SOL_SOCKET, SO_BSP_STATE, &winsockAddressInfo, winsockAddressInfoLength, &winsockAddressInfoLength ); if (NT_SUCCESS(status)) { if (winsockAddressInfo.iProtocol == 6) { if (winsockAddressInfo.LocalAddr.lpSockaddr && winsockAddressInfo.RemoteAddr.lpSockaddr) *ThreadSocketState = PH_THREAD_SOCKET_STATE_SHARED; else *ThreadSocketState = PH_THREAD_SOCKET_STATE_DISCONNECTED; } else { *ThreadSocketState = PH_THREAD_SOCKET_STATE_NOT_TCPIP; } } #if defined(PHLIB_SOCKET_STATE_WINSOCK) if (LPFN_GETSOCKOPT((UINT_PTR)winsockTargetHandle, SOL_SOCKET, SO_BSP_STATE, (PCHAR)&winsockAddressInfo, &winsockAddressInfoLength) != SOCKET_ERROR) { if (winsockAddressInfo.iProtocol == 6) { if (winsockAddressInfo.LocalAddr.lpSockaddr && winsockAddressInfo.RemoteAddr.lpSockaddr) *ThreadSocketState = PH_THREAD_SOCKET_STATE_SHARED; else *ThreadSocketState = PH_THREAD_SOCKET_STATE_DISCONNECTED; } else *ThreadSocketState = PH_THREAD_SOCKET_STATE_NOT_TCPIP; } else { status = STATUS_UNSUCCESSFUL; // WSAGetLastError(); } #endif } #if defined(PHLIB_SOCKET_STATE_WINSOCK) LPFN_CLOSESOCKET((UINT_PTR)winsockTargetHandle); #endif NtClose(winsockTargetHandle); } #if defined(PHLIB_SOCKET_STATE_WINSOCK) LPFN_WSACLEANUP(); #endif } else { status = STATUS_UNSUCCESSFUL; } return status; } /** * Retrieves stack base/limit pointers for a thread. * * \param[in] ThreadHandle Thread handle. * \param[in] ProcessHandle Process handle. * \param[out] LowPart Receives stack base address. * \param[out] HighPart Receives stack limit address. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadStackLimits( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PULONG_PTR LowPart, _Out_ PULONG_PTR HighPart ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; PVOID stackBaseAddress; PVOID stackLimitAddress; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { typeof(RTL_FIELD_TYPE(TEB32, NtTib)) ntTib32 = { 0 }; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, NtTib)), &ntTib32, sizeof(RTL_FIELD_TYPE(TEB32, NtTib)), NULL ); stackBaseAddress = UlongToPtr(ntTib32.StackBase); stackLimitAddress = UlongToPtr(ntTib32.StackLimit); } else #endif { typeof(RTL_FIELD_TYPE(TEB, NtTib)) ntTib = { 0 }; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, NtTib)), &ntTib, sizeof(RTL_FIELD_TYPE(TEB, NtTib)), NULL ); stackBaseAddress = ntTib.StackBase; stackLimitAddress = ntTib.StackLimit; } if (NT_SUCCESS(status)) { *LowPart = (ULONG_PTR)stackBaseAddress; *HighPart = (ULONG_PTR)stackLimitAddress; } return status; } /** * Computes stack usage and total reserved size for a thread. * * \param[in] ThreadHandle Thread handle. * \param[in] ProcessHandle Process handle. * \param[out] StackUsage Bytes currently committed (base - limit). * \param[out] StackLimit Total reserved size (base - allocation base). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadStackSize( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PULONG_PTR StackUsage, _Out_ PULONG_PTR StackLimit ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; PVOID stackBaseAddress; PVOID stackLimitAddress; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { typeof(RTL_FIELD_TYPE(TEB32, NtTib)) ntTib32 = { 0 }; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, NtTib)), &ntTib32, sizeof(RTL_FIELD_TYPE(TEB32, NtTib)), NULL ); stackBaseAddress = UlongToPtr(ntTib32.StackBase); stackLimitAddress = UlongToPtr(ntTib32.StackLimit); } else #endif { typeof(RTL_FIELD_TYPE(TEB, NtTib)) ntTib = { 0 }; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, NtTib)), &ntTib, sizeof(RTL_FIELD_TYPE(TEB, NtTib)), NULL ); stackBaseAddress = ntTib.StackBase; stackLimitAddress = ntTib.StackLimit; } if (NT_SUCCESS(status)) { MEMORY_BASIC_INFORMATION memoryBasicInformation; memset(&memoryBasicInformation, 0, sizeof(MEMORY_BASIC_INFORMATION)); status = NtQueryVirtualMemory( ProcessHandle, stackLimitAddress, MemoryBasicInformation, &memoryBasicInformation, sizeof(MEMORY_BASIC_INFORMATION), NULL ); if (NT_SUCCESS(status)) { // TEB->DeallocationStack == memoryBasicInfo.AllocationBase *StackUsage = (ULONG_PTR)PTR_SUB_OFFSET(stackBaseAddress, stackLimitAddress); *StackLimit = (ULONG_PTR)PTR_SUB_OFFSET(stackBaseAddress, memoryBasicInformation.AllocationBase); } } return status; } /** * Determines whether a thread has fiber data. * * \param[in] ThreadHandle Thread handle. * \param[in] ProcessHandle Process handle. * \param[out] ThreadIsFiber TRUE if fiber data present. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadIsFiber( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN ThreadIsFiber ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; BOOLEAN threadIsFiber; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif if (!NT_SUCCESS(status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) return status; #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { typeof(RTL_FIELD_TYPE(TEB32, SameTebFlags)) flags = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(WOW64_GET_TEB32(basicInfo.TebBaseAddress), UFIELD_OFFSET(TEB32, SameTebFlags)), &flags, sizeof(RTL_FIELD_TYPE(TEB32, SameTebFlags)), NULL ); threadIsFiber = _bittest((LONG CONST*)&flags, 2); // HasFiberData offset (dmex) } else #endif { typeof(RTL_FIELD_TYPE(TEB, SameTebFlags)) flags = 0; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, UFIELD_OFFSET(TEB, SameTebFlags)), &flags, sizeof(RTL_FIELD_TYPE(TEB, SameTebFlags)), NULL ); threadIsFiber = _bittest((LONG CONST*)&flags, 2); // HasFiberData offset (dmex) } if (NT_SUCCESS(status)) { *ThreadIsFiber = threadIsFiber; } return status; } // rev from SwitchToThread (dmex) /** * Causes the calling thread to yield execution to another thread that is ready to run on the * current processor. The operating system selects the next thread to be executed. * * \remarks The operating system will not switch execution to another processor, even if that processor is idle or is running a thread of lower priority. * \return If calling the SwitchToThread function caused the operating system to switch execution to another thread, the return value is nonzero. * \rthere are no other threads ready to execute, the operating system does not switch execution to another thread, and the return value is zero. */ BOOLEAN PhSwitchToThread( VOID ) { LARGE_INTEGER interval = { 0 }; return PhDelayExecutionEx(FALSE, &interval) != STATUS_NO_YIELD_PERFORMED; } /** * Determines runtime library path set (ntdll/kernel32/user32) for a process, * including WOW64/ARM32 variants. * * \param[in] ProcessHandle Process handle. * \param[out] RuntimeLibrary Receives pointer to predefined library set. * \param[out] IsWow64Process TRUE if target is WOW64/alternate architecture. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessRuntimeLibrary( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_RUNTIME_LIBRARY* RuntimeLibrary, _Out_opt_ PBOOLEAN IsWow64Process ) { static PH_PROCESS_RUNTIME_LIBRARY NativeRuntime = { PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\ntdll.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\kernel32.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\System32\\user32.dll"), }; #ifdef _WIN64 static PH_PROCESS_RUNTIME_LIBRARY Wow64Runtime = { PH_STRINGREF_INIT(L"\\SystemRoot\\SysWOW64\\ntdll.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\SysWOW64\\kernel32.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\SysWOW64\\user32.dll"), }; #ifdef _M_ARM64 static PH_PROCESS_RUNTIME_LIBRARY Arm32Runtime = { PH_STRINGREF_INIT(L"\\SystemRoot\\SysArm32\\ntdll.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\SysArm32\\kernel32.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\SysArm32\\user32.dll"), }; static PH_PROCESS_RUNTIME_LIBRARY Chpe32Runtime = { PH_STRINGREF_INIT(L"\\SystemRoot\\SyChpe32\\ntdll.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\SyChpe32\\kernel32.dll"), PH_STRINGREF_INIT(L"\\SystemRoot\\SyChpe32\\user32.dll"), }; #endif #endif *RuntimeLibrary = &NativeRuntime; if (IsWow64Process) *IsWow64Process = FALSE; #ifdef _WIN64 NTSTATUS status; #ifdef _M_ARM64 USHORT machine; status = PhGetProcessArchitecture(ProcessHandle, &machine); if (!NT_SUCCESS(status)) return status; if (machine != IMAGE_FILE_MACHINE_TARGET_HOST) { switch (machine) { case IMAGE_FILE_MACHINE_I386: case IMAGE_FILE_MACHINE_CHPE_X86: { *RuntimeLibrary = &Chpe32Runtime; if (IsWow64Process) *IsWow64Process = TRUE; } break; case IMAGE_FILE_MACHINE_ARMNT: { *RuntimeLibrary = &Arm32Runtime; if (IsWow64Process) *IsWow64Process = TRUE; } break; case IMAGE_FILE_MACHINE_AMD64: case IMAGE_FILE_MACHINE_ARM64: break; default: return STATUS_INVALID_PARAMETER; } } #else BOOLEAN isWow64 = FALSE; status = PhGetProcessIsWow64(ProcessHandle, &isWow64); if (!NT_SUCCESS(status)) return status; if (isWow64) { *RuntimeLibrary = &Wow64Runtime; if (IsWow64Process) *IsWow64Process = TRUE; } #endif #endif return STATUS_SUCCESS; } /** * Loads the specified module into the process's address space using standard LoadLibraryW provided * by the operating system. * * \param[in] ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ * and PROCESS_VM_WRITE access. * \param[in] FileName The file name of the DLL to inject. * \param[in] Timeout The timeout, in milliseconds, for the process to load the DLL. * \return NTSTATUS Successful or errant status. * \remarks If the process does not load the DLL before the timeout expires it may crash. Choose the * timeout value carefully. */ NTSTATUS PhLoadDllProcess( _In_ HANDLE ProcessHandle, _In_ PPH_STRINGREF FileName, _In_opt_ ULONG Timeout ) { NTSTATUS status; PVOID fileNameBaseAddress = NULL; PVOID loadLibraryW = NULL; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; if (KphProcessLevel(ProcessHandle) > KphLevelMed) { return STATUS_ACCESS_DENIED; } status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, "LoadLibraryW", &loadLibraryW, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhAllocateVirtualMemory( ProcessHandle, &fileNameBaseAddress, FileName->Length + sizeof(UNICODE_NULL), MEM_COMMIT, PAGE_READWRITE ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWriteVirtualMemory( ProcessHandle, fileNameBaseAddress, FileName->Buffer, FileName->Length + sizeof(UNICODE_NULL), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, 0, 0, 0, 0, loadLibraryW, fileNameBaseAddress, &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWaitForSingleObject(threadHandle, Timeout); if (!NT_SUCCESS(status)) goto CleanupExit; CleanupExit: if (threadHandle) NtClose(threadHandle); if (powerRequestHandle) PhDestroyExecutionRequiredRequest(powerRequestHandle); if (fileNameBaseAddress) PhFreeVirtualMemory(ProcessHandle, fileNameBaseAddress, MEM_RELEASE); return status; } /** * Loads the specified module into the process's address space using standard Asynchronous Procedure Call (APC) * routines provided by the operating system. * * \param[in] ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ * and PROCESS_VM_WRITE access. * \param[in] FileName The file name of the DLL to inject. * \param[in]Timeout The timeout, in milliseconds, for the process to load the DLL. * \return NTSTATUS Successful or errant status. * \remarks If the process does not load the DLL before the timeout expires it may crash. Choose the * timeout value carefully. */ NTSTATUS PhLoadDllProcessApcThread( _In_ HANDLE ProcessHandle, _In_ PPH_STRINGREF FileName, _In_opt_ ULONG Timeout ) { NTSTATUS status; PVOID fileNameBaseAddress = NULL; PVOID loadLibraryW = NULL; PVOID rtlExitUserThread = NULL; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; if (KphProcessLevel(ProcessHandle) > KphLevelMed) { return STATUS_ACCESS_DENIED; } status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, "LoadLibraryW", &loadLibraryW, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlExitUserThread", &rtlExitUserThread, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhAllocateVirtualMemory( ProcessHandle, &fileNameBaseAddress, FileName->Length + sizeof(UNICODE_NULL), MEM_COMMIT, PAGE_READWRITE ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWriteVirtualMemory( ProcessHandle, fileNameBaseAddress, FileName->Buffer, FileName->Length + sizeof(UNICODE_NULL), NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, rtlExitUserThread, LongToPtr(STATUS_SUCCESS), &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = NtQueueApcThread( threadHandle, loadLibraryW, fileNameBaseAddress, NULL, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWaitForSingleObject(threadHandle, Timeout); if (!NT_SUCCESS(status)) goto CleanupExit; CleanupExit: if (threadHandle) NtClose(threadHandle); if (powerRequestHandle) PhDestroyExecutionRequiredRequest(powerRequestHandle); if (fileNameBaseAddress) PhFreeVirtualMemory(ProcessHandle, fileNameBaseAddress, MEM_RELEASE); return status; } /** * Causes a process to unload a DLL. * * \param[in] ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ * and PROCESS_VM_WRITE access. * \param[in]BaseAddress The base address of the DLL to unload. * \param[in] Timeout The timeout, in milliseconds, for the process to unload the DLL. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhUnloadDllProcess( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_opt_ ULONG Timeout ) { NTSTATUS status; HANDLE threadHandle; HANDLE powerRequestHandle = NULL; THREAD_BASIC_INFORMATION basicInfo; PVOID freeLibrary = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; // No point trying to set the load count on Windows 8 and higher, because NT now uses a DAG of // loader nodes. (wj32) if (WindowsVersion < WINDOWS_8) { #ifdef _WIN64 BOOLEAN isWow64 = FALSE; #endif status = PhSetProcessModuleLoadCount( ProcessHandle, BaseAddress, 1 ); #ifdef _WIN64 PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64 && status == STATUS_DLL_NOT_FOUND) { // The DLL might be 32-bit. status = PhSetProcessModuleLoadCount32( ProcessHandle, BaseAddress, 1 ); } #endif if (!NT_SUCCESS(status)) return status; } status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, "FreeLibrary", &freeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) return status; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, 0, 0, 0, 0, freeLibrary, BaseAddress, &threadHandle, NULL ); if (!NT_SUCCESS(status)) return status; status = PhWaitForSingleObject(threadHandle, Timeout); if (status == STATUS_WAIT_0) { status = PhGetThreadBasicInformation(threadHandle, &basicInfo); if (NT_SUCCESS(status)) status = basicInfo.ExitStatus; } NtClose(threadHandle); if (powerRequestHandle) PhDestroyExecutionRequiredRequest(powerRequestHandle); return status; } /** * Sets an environment variable in a process. * * \param[in] ProcessHandle A handle to a process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ * and PROCESS_VM_WRITE access. * \param[in] Name The name of the environment variable to set. * \param[in] Value The new value of the environment variable. If this parameter is NULL, the * environment variable is deleted. * \param[in] Timeout The timeout, in milliseconds, for the process to set the environment variable. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetEnvironmentVariableRemote( _In_ HANDLE ProcessHandle, _In_ PPH_STRINGREF Name, _In_opt_ PPH_STRINGREF Value, _In_opt_ PLARGE_INTEGER Timeout ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInformation; PVOID nameBaseAddress = NULL; PVOID valueBaseAddress = NULL; SIZE_T nameAllocationSize = 0; SIZE_T valueAllocationSize = 0; PVOID rtlExitUserThread = NULL; PVOID setEnvironmentVariableW = NULL; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; #ifdef _WIN64 BOOLEAN isWow64; #endif nameAllocationSize = Name->Length + sizeof(UNICODE_NULL); if (Value) valueAllocationSize = Value->Length + sizeof(UNICODE_NULL); status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, #ifdef _WIN64 &isWow64 #else NULL #endif ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlExitUserThread", &rtlExitUserThread, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, "SetEnvironmentVariableW", &setEnvironmentVariableW, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhAllocateVirtualMemory( ProcessHandle, &nameBaseAddress, nameAllocationSize, MEM_COMMIT, PAGE_READWRITE ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWriteVirtualMemory( ProcessHandle, nameBaseAddress, Name->Buffer, Name->Length, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (Value) { status = PhAllocateVirtualMemory( ProcessHandle, &valueBaseAddress, valueAllocationSize, MEM_COMMIT, PAGE_READWRITE ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWriteVirtualMemory( ProcessHandle, valueBaseAddress, Value->Buffer, Value->Length, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; } if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, rtlExitUserThread, LongToPtr(STATUS_SUCCESS), &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; #ifdef _WIN64 if (isWow64) { status = RtlQueueApcWow64Thread( threadHandle, setEnvironmentVariableW, nameBaseAddress, valueBaseAddress, NULL ); } else { #endif status = NtQueueApcThread( threadHandle, setEnvironmentVariableW, nameBaseAddress, valueBaseAddress, NULL ); #ifdef _WIN64 } #endif if (!NT_SUCCESS(status)) goto CleanupExit; status = NtResumeThread(threadHandle, NULL); // Execute the pending APC (dmex) if (!NT_SUCCESS(status)) goto CleanupExit; status = NtWaitForSingleObject(threadHandle, FALSE, Timeout); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetThreadBasicInformation(threadHandle, &basicInformation); if (!NT_SUCCESS(status)) goto CleanupExit; status = basicInformation.ExitStatus; CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (powerRequestHandle) { PhDestroyExecutionRequiredRequest(powerRequestHandle); } if (nameBaseAddress) { nameAllocationSize = 0; NtFreeVirtualMemory( ProcessHandle, &nameBaseAddress, &nameAllocationSize, MEM_RELEASE ); } if (valueBaseAddress) { valueAllocationSize = 0; NtFreeVirtualMemory( ProcessHandle, &valueBaseAddress, &valueAllocationSize, MEM_RELEASE ); } return status; } // based on https://www.drdobbs.com/a-safer-alternative-to-terminateprocess/184416547 (dmex) /** * Safe process termination via remote RtlExitUserProcess in the context of the remote process. * * \param[in] ProcessHandle A handle to the process to be terminated. * \param[in] ExitStatus The exit status code to be used when terminating the process. * \param[in] Timeout Optional. The timeout, in milliseconds, to wait for the termination thread to complete. * If NULL, the function will wait indefinitely. * \return NTSTATUS Successful or errant status. * \remarks This function attempts to terminate the specified process by creating a remote thread * that calls RtlExitUserProcess. On Windows 8 and later, it creates an execution required power request * to prevent deadlocks during the termination operation. The function cleans up any handles it creates before returning. */ NTSTATUS PhTerminateProcessAlternative( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus, _In_opt_ ULONG Timeout ) { NTSTATUS status; PVOID rtlExitUserProcess = NULL; HANDLE powerRequestHandle = NULL; HANDLE threadHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlExitUserProcess", &rtlExitUserProcess, NULL ); if (!NT_SUCCESS(status)) return status; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, 0, 0, 0, 0, rtlExitUserProcess, LongToPtr(ExitStatus), &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWaitForSingleObject(threadHandle, Timeout); CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (powerRequestHandle) { PhDestroyExecutionRequiredRequest(powerRequestHandle); } return status; } /** * Retrieves a copy of the system DLL init block for the process. * * \param[in] ProcessHandle A handle to the process. The handle must have * PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. * \param[out] SystemDllInitBlock A buffer for a version-independent copy of LdrSystemDllInitBlock. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessSystemDllInitBlock( _In_ HANDLE ProcessHandle, _Out_ PPS_SYSTEM_DLL_INIT_BLOCK SystemDllInitBlock ) { NTSTATUS status; PS_SYSTEM_DLL_INIT_BLOCK systemDllInitBlock = { 0 }; PVOID ldrSystemDllInitBlockAddress; ULONG expectedSize; // N.B. Aside from having three revisions, PS_SYSTEM_DLL_INIT_BLOCK // has different fields available on different OS versions. Determine // the maximum number of bytes we can read. (diversenok) if (WindowsVersion >= WINDOWS_11_24H2) expectedSize = sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V3); else if (WindowsVersion >= PHNT_WINDOWS_10_20H1) expectedSize = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK_V3, MitigationAuditOptionsMap); else if (WindowsVersion >= PHNT_WINDOWS_10_RS3) expectedSize = sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V2); else if (WindowsVersion >= PHNT_WINDOWS_10_RS2) expectedSize = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK_V2, Wow64CfgBitMapSize); else if (WindowsVersion >= PHNT_WINDOWS_10) expectedSize = sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V1); else if (WindowsVersion >= PHNT_WINDOWS_8_1) expectedSize = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK_V1, CfgBitMapSize); else if (WindowsVersion >= PHNT_WINDOWS_8) expectedSize = RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK_V1, MitigationOptions); else return STATUS_NOT_SUPPORTED; status = PhGetProcedureAddressRemoteZ( ProcessHandle, L"\\SystemRoot\\System32\\ntdll.dll", "LdrSystemDllInitBlock", &ldrSystemDllInitBlockAddress, NULL ); if (!NT_SUCCESS(status)) return status; status = PhReadVirtualMemory( ProcessHandle, ldrSystemDllInitBlockAddress, &systemDllInitBlock, expectedSize, NULL ); if (!NT_SUCCESS(status)) return status; if (systemDllInitBlock.Size > expectedSize) systemDllInitBlock.Size = expectedSize; status = PhCaptureSystemDllInitBlock( &systemDllInitBlock, SystemDllInitBlock ); return status; } /** * Retrieves the CrossProcessFlags from the target process's PEB (Process Environment Block). * * \param[in] ProcessHandle Handle to the process whose cross-process flags are to be retrieved. * \param[in] ProcessFlags Pointer to a ULONG variable that receives the cross-process flags. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessCrossProcessFlags( _In_ HANDLE ProcessHandle, _Out_ PULONG ProcessFlags ) { NTSTATUS status; ULONG crossProcessFlags = 0; PVOID pebBaseAddress; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { status = PhGetProcessPeb32(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB32, CrossProcessFlags)), &crossProcessFlags, sizeof(ULONG), NULL ); } else #endif { status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB, CrossProcessFlags)), &crossProcessFlags, sizeof(ULONG), NULL ); } if (NT_SUCCESS(status)) { *ProcessFlags = crossProcessFlags; } CleanupExit: return status; } /** * Retrieves the active ANSI code page of a process (PEB ActiveCodePage or ntdll variable). * * \param[in] ProcessHandle Process handle. * \param[out] ProcessCodePage Receives code page ID. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessCodePage( _In_ HANDLE ProcessHandle, _Out_ PUSHORT ProcessCodePage ) { NTSTATUS status; USHORT codePage = 0; if (WindowsVersion >= WINDOWS_11) { PVOID pebBaseAddress; #ifdef _WIN64 BOOLEAN isWow64 = FALSE; PhGetProcessIsWow64(ProcessHandle, &isWow64); if (isWow64) { status = PhGetProcessPeb32(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB32, ActiveCodePage)), &codePage, sizeof(USHORT), NULL ); } else #endif { status = PhGetProcessPeb(ProcessHandle, &pebBaseAddress); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(pebBaseAddress, UFIELD_OFFSET(PEB, ActiveCodePage)), &codePage, sizeof(USHORT), NULL ); } } else { PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; PVOID nlsAnsiCodePage; status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "NlsAnsiCodePage", &nlsAnsiCodePage, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhReadVirtualMemory( ProcessHandle, nlsAnsiCodePage, &codePage, sizeof(USHORT), NULL ); } if (NT_SUCCESS(status)) { *ProcessCodePage = codePage; } CleanupExit: return status; } /** * Executes GetConsoleCP or GetConsoleOutputCP inside remote process and returns its code page. * * \param[in] ProcessHandle Target process. * \param[in] ConsoleOutputCP TRUE for output, FALSE for input code page. * \param[out] ConsoleCodePage Receives code page. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessConsoleCodePage( _In_ HANDLE ProcessHandle, _In_ BOOLEAN ConsoleOutputCP, _Out_ PUSHORT ConsoleCodePage ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInformation; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PVOID getConsoleCP = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, ConsoleOutputCP ? "GetConsoleOutputCP" : "GetConsoleCP", &getConsoleCP, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) return status; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, 0, 0, 0, 0, getConsoleCP, NULL, &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWaitForSingleObject(threadHandle, 5000); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetThreadBasicInformation(threadHandle, &basicInformation); if (!NT_SUCCESS(status)) goto CleanupExit; *ConsoleCodePage = (USHORT)basicInformation.ExitStatus; CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (powerRequestHandle) { PhDestroyExecutionRequiredRequest(powerRequestHandle); } return status; } /** * Flushes remote process heaps by invoking RtlFlushHeaps through a queued APC. * * \param[in] ProcessHandle Target process. * \param[in] Timeout Optional timeout. * \return NTSTATUS Successful or errant status. * \remarks Uses suspended thread with queued APC; waits for completion (5s). */ NTSTATUS PhFlushProcessHeapsRemote( _In_ HANDLE ProcessHandle, _In_opt_ PLARGE_INTEGER Timeout ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInformation; PVOID rtlExitUserThread = NULL; PVOID rtlFlushHeaps = NULL; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; #ifdef _WIN64 BOOLEAN isWow64; #endif status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, #ifdef _WIN64 &isWow64 #else NULL #endif ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlExitUserThread", &rtlExitUserThread, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlFlushHeaps", &rtlFlushHeaps, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, rtlExitUserThread, LongToPtr(STATUS_SUCCESS), &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; #ifdef _WIN64 if (isWow64) { status = RtlQueueApcWow64Thread( threadHandle, rtlFlushHeaps, NULL, NULL, NULL ); } else { #endif status = NtQueueApcThreadEx( threadHandle, QUEUE_USER_APC_SPECIAL_USER_APC, rtlFlushHeaps, NULL, NULL, NULL ); #ifdef _WIN64 } #endif if (!NT_SUCCESS(status)) goto CleanupExit; status = NtResumeThread(threadHandle, NULL); // Execute the pending APC (dmex) if (!NT_SUCCESS(status)) goto CleanupExit; status = NtWaitForSingleObject(threadHandle, FALSE, Timeout); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetThreadBasicInformation(threadHandle, &basicInformation); if (!NT_SUCCESS(status)) goto CleanupExit; status = basicInformation.ExitStatus; CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (powerRequestHandle) { PhDestroyExecutionRequiredRequest(powerRequestHandle); } return status; } /** * Invokes a procedure in the context of the owning thread for the window. * * \param[in] WindowHandle The handle of the window. * \param[in] ApcRoutine The procedure to be invoked. * \param[in] ApcArgument1 The first argument to be passed to the procedure. * \param[in] ApcArgument2 The second argument to be passed to the procedure. * \param[in] ApcArgument3 The third argument to be passed to the procedure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhInvokeWindowProcedureRemote( _In_ HWND WindowHandle, _In_ PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ) { NTSTATUS status; HANDLE processHande = NULL; HANDLE threadHande = NULL; HANDLE powerHandle = NULL; CLIENT_ID clientId; // Get the client ID of the window. status = PhGetWindowClientId(WindowHandle, &clientId); if (!NT_SUCCESS(status)) return status; // Open the process associated with the window. status = PhOpenProcessClientId( &processHande, PROCESS_ALL_ACCESS, &clientId ); if (!NT_SUCCESS(status)) goto CleanupExit; // Open the thread associated with the window. status = PhOpenThreadClientId( &threadHande, THREAD_ALL_ACCESS, // THREAD_ALERT &clientId ); if (!NT_SUCCESS(status)) goto CleanupExit; // Create an execution required request for the process (Windows 8 and above) if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(processHande, &powerHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } // Queue a Special user-mode APC to execute within the context of the message loop. status = NtQueueApcThreadEx( threadHande, QUEUE_USER_APC_SPECIAL_USER_APC, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3 ); CleanupExit: if (threadHande) NtClose(threadHande); if (processHande) NtClose(processHande); if (powerHandle) PhDestroyExecutionRequiredRequest(powerHandle); return status; } /** * Destroys the specified window in a process. * * \param[in] ProcessHandle A handle to a process. The handle must have PROCESS_SET_LIMITED_INFORMATION access. * \param[in] WindowHandle A handle to the window to be destroyed. * \return NTSTATUS Successful or errant status. * \remarks A thread cannot call DestroyWindow for a window created by a different thread, * unless we queue a special APC to the owner thread. */ NTSTATUS PhDestroyWindowRemote( _In_ HANDLE ProcessHandle, _In_ HWND WindowHandle ) { NTSTATUS status; PVOID destroyWindow = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->User32FileName, "DestroyWindow", &destroyWindow, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhInvokeWindowProcedureRemote( WindowHandle, destroyWindow, (PVOID)WindowHandle, NULL, NULL ); CleanupExit: return status; } /** * Posts WM_QUIT (exit code) to a window's message loop via PostQuitMessage in remote context. * * \param[in] ProcessHandle Process handle. * \param[in] WindowHandle Window handle. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhPostWindowQuitMessageRemote( _In_ HANDLE ProcessHandle, _In_ HWND WindowHandle ) { NTSTATUS status; PVOID postQuitMessage = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, NULL ); if (!NT_SUCCESS(status)) return status; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->User32FileName, "PostQuitMessage", &postQuitMessage, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhInvokeWindowProcedureRemote( WindowHandle, postQuitMessage, UlongToPtr(EXIT_SUCCESS), NULL, NULL ); CleanupExit: return status; } // https://learn.microsoft.com/en-us/windows/win32/multimedia/obtaining-and-setting-timer-resolution /** * Sets process timer resolution (TimeBeginPeriod) via remote APC invocation. * * \param[in] ProcessHandle Process handle. * \param[in] Period Requested timer resolution in ms. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessTimerResolutionRemote( _In_ HANDLE ProcessHandle, _In_ ULONG Period ) { NTSTATUS status; PVOID rtlExitUserThread = NULL; PVOID timeBeginPeriod = NULL; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; LARGE_INTEGER timeout; #ifdef _WIN64 BOOLEAN isWow64; #endif status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, #ifdef _WIN64 & isWow64 #else NULL #endif ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlExitUserThread", &rtlExitUserThread, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, "TimeBeginPeriod", &timeBeginPeriod, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, rtlExitUserThread, LongToPtr(STATUS_SUCCESS), &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; #ifdef _WIN64 if (isWow64) { status = RtlQueueApcWow64Thread( threadHandle, timeBeginPeriod, UlongToPtr(Period), NULL, NULL ); } else { #endif status = NtQueueApcThread( threadHandle, timeBeginPeriod, UlongToPtr(Period), NULL, NULL ); #ifdef _WIN64 } #endif if (!NT_SUCCESS(status)) goto CleanupExit; status = NtResumeThread(threadHandle, NULL); if (!NT_SUCCESS(status)) goto CleanupExit; status = NtWaitForSingleObject(threadHandle, FALSE, PhTimeoutFromMilliseconds(&timeout, 5000)); if (!NT_SUCCESS(status)) goto CleanupExit; CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (powerRequestHandle) { PhDestroyExecutionRequiredRequest(powerRequestHandle); } return status; } /** * Alternate variant for setting timer resolution (same semantics as PhSetProcessTimerResolutionRemote). * * \param[in] ProcessHandle Process handle. * \param[in] Period Requested period. * \returns NTSTATUS Successful or errant status. */ NTSTATUS PhSetProcessTimerResolutionRemote2( _In_ HANDLE ProcessHandle, _In_ ULONG Period ) { NTSTATUS status; PVOID rtlExitUserThread = NULL; PVOID timeBeginPeriod = NULL; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; #ifdef _WIN64 BOOLEAN isWow64; #endif status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, #ifdef _WIN64 & isWow64 #else NULL #endif ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlExitUserThread", &rtlExitUserThread, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, "TimeBeginPeriod", &timeBeginPeriod, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, rtlExitUserThread, LongToPtr(STATUS_SUCCESS), &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; #ifdef _WIN64 if (isWow64) { status = RtlQueueApcWow64Thread( threadHandle, timeBeginPeriod, UlongToPtr(Period), NULL, NULL ); } else { #endif status = NtQueueApcThread( threadHandle, timeBeginPeriod, UlongToPtr(Period), NULL, NULL ); #ifdef _WIN64 } #endif if (!NT_SUCCESS(status)) goto CleanupExit; status = NtResumeThread(threadHandle, NULL); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWaitForSingleObject(threadHandle, 5000); if (!NT_SUCCESS(status)) goto CleanupExit; CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (powerRequestHandle) { PhDestroyExecutionRequiredRequest(powerRequestHandle); } return status; } /** * Sets handle flags (e.g. HANDLE_FLAG_INHERIT, HANDLE_FLAG_PROTECT_FROM_CLOSE) in a remote process. * * \param[in] ProcessHandle Target process. * \param[in] RemoteHandle Handle value in remote process. * \param[in] Mask Bitmask of flags to modify. * \param[in] Flags New flag values. * \return NTSTATUS Successful or errant status. * \remarks Invokes SetHandleInformation via APC onto suspended thread. */ NTSTATUS PhSetHandleInformationRemote( _In_ HANDLE ProcessHandle, _In_ HANDLE RemoteHandle, _In_ ULONG Mask, _In_ ULONG Flags ) { NTSTATUS status; PVOID rtlExitUserThread = NULL; PVOID setHandleInformation = NULL; HANDLE threadHandle = NULL; HANDLE powerRequestHandle = NULL; PPH_PROCESS_RUNTIME_LIBRARY runtimeLibrary; THREAD_BASIC_INFORMATION basicInformation; #ifdef _WIN64 BOOLEAN isWow64; #endif status = PhGetProcessRuntimeLibrary( ProcessHandle, &runtimeLibrary, #ifdef _WIN64 & isWow64 #else NULL #endif ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->NtdllFileName, "RtlExitUserThread", &rtlExitUserThread, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetProcedureAddressRemote( ProcessHandle, &runtimeLibrary->Kernel32FileName, "SetHandleInformation", &setHandleInformation, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; if (WindowsVersion >= WINDOWS_8) { status = PhCreateExecutionRequiredRequest(ProcessHandle, &powerRequestHandle); if (!NT_SUCCESS(status)) goto CleanupExit; } status = PhCreateUserThread( ProcessHandle, NULL, THREAD_ALL_ACCESS, THREAD_CREATE_FLAGS_CREATE_SUSPENDED, 0, 0, 0, rtlExitUserThread, LongToPtr(STATUS_SUCCESS), &threadHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; #ifdef _WIN64 if (isWow64) { status = RtlQueueApcWow64Thread( threadHandle, setHandleInformation, RemoteHandle, UlongToPtr(Mask), UlongToPtr(Flags) ); } else { #endif status = NtQueueApcThread( threadHandle, setHandleInformation, RemoteHandle, UlongToPtr(Mask), UlongToPtr(Flags) ); #ifdef _WIN64 } #endif if (!NT_SUCCESS(status)) goto CleanupExit; status = NtResumeThread(threadHandle, NULL); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhWaitForSingleObject(threadHandle, 5000); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetThreadBasicInformation(threadHandle, &basicInformation); if (!NT_SUCCESS(status)) goto CleanupExit; status = basicInformation.ExitStatus; CleanupExit: if (threadHandle) { NtClose(threadHandle); } if (powerRequestHandle) { PhDestroyExecutionRequiredRequest(powerRequestHandle); } return status; } ================================================ FILE: phlib/nativetoken.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include #include /** * Queries information about the token of the current process. */ PH_TOKEN_ATTRIBUTES PhGetOwnTokenAttributes( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PH_TOKEN_ATTRIBUTES attributes = { NULL, {0}, 0, NULL }; if (PhBeginInitOnce(&initOnce)) { BOOLEAN elevated = TRUE; TOKEN_ELEVATION_TYPE elevationType = TokenElevationTypeFull; if (WindowsVersion >= WINDOWS_8_1) { attributes.TokenHandle = NtCurrentProcessToken(); } else { HANDLE tokenHandle; if (NT_SUCCESS(PhOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &tokenHandle))) { attributes.TokenHandle = tokenHandle; } } if (attributes.TokenHandle) { PH_TOKEN_USER tokenUser; PhGetTokenElevation(attributes.TokenHandle, &elevated); PhGetTokenElevationType(attributes.TokenHandle, &elevationType); if (NT_SUCCESS(PhGetTokenUser(attributes.TokenHandle, &tokenUser))) { attributes.TokenSid = PhAllocateCopy(tokenUser.User.Sid, PhLengthSid(tokenUser.User.Sid)); } } attributes.Elevated = elevated; attributes.ElevationType = elevationType; PhEndInitOnce(&initOnce); } return attributes; } /** * Opens a process token. * * \param ProcessHandle A handle to a process. * \param DesiredAccess The desired access to the token. * \param TokenHandle A variable which receives a handle to the token. */ NTSTATUS PhOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ) { NTSTATUS status; KPH_LEVEL level; level = KsiLevel(); if ((level >= KphLevelMed) && (DesiredAccess & KPH_TOKEN_READ_ACCESS) == DesiredAccess) { status = KphOpenProcessToken( ProcessHandle, DesiredAccess, TokenHandle ); } else { status = NtOpenProcessToken( ProcessHandle, DesiredAccess, TokenHandle ); if (status == STATUS_ACCESS_DENIED && (level == KphLevelMax)) { status = KphOpenProcessToken( ProcessHandle, DesiredAccess, TokenHandle ); } } return status; } /** * Public API to open a process token using only NtOpenProcessToken. * * \param ProcessHandle A handle to a process. * \param DesiredAccess The desired access to the token. * \param TokenHandle Receives a handle to the token on success. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenProcessTokenPublic( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ) { return NtOpenProcessToken( ProcessHandle, DesiredAccess, TokenHandle ); } /** * Opens a thread token by calling NtOpenThreadToken. * * \param ThreadHandle A handle to a thread. * \param DesiredAccess The desired access to the token. * \param OpenAsSelf Whether to open the token using the process security context. * \param TokenHandle Receives a handle to the token on success. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenThreadToken( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ BOOLEAN OpenAsSelf, _Out_ PHANDLE TokenHandle ) { NTSTATUS status; status = NtOpenThreadToken( ThreadHandle, DesiredAccess, OpenAsSelf, TokenHandle ); return status; } /** * Queries variable-sized information for a token. Allocates a buffer of the * appropriate size and returns it via \a Buffer. * * \param TokenHandle A handle to a token. * \param TokenInformationClass The information class to retrieve. * \param Buffer Receives a pointer to an allocated buffer containing the information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpQueryTokenVariableSize( _In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG returnLength; returnLength = 0; bufferSize = 0x80; buffer = PhAllocate(bufferSize); status = NtQueryInformationToken( TokenHandle, TokenInformationClass, buffer, bufferSize, &returnLength ); if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); status = NtQueryInformationToken( TokenHandle, TokenInformationClass, buffer, bufferSize, &returnLength ); } if (NT_SUCCESS(status)) { *Buffer = buffer; } else { PhFree(buffer); } return status; } /** * Alias for PhpQueryTokenVariableSize. * * \param TokenHandle A handle to a token. * \param TokenInformationClass The information class to retrieve. * \param Buffer Receives a pointer to an allocated buffer containing the information. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhQueryTokenVariableSize( _In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_ PVOID *Buffer ) { return PhpQueryTokenVariableSize( TokenHandle, TokenInformationClass, Buffer ); } /** * Retrieves the type of a token (primary or impersonation). * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param Type A variable which receives the token type (primary or impersonation). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenType( _In_ HANDLE TokenHandle, _Out_ PTOKEN_TYPE Type ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenType, Type, sizeof(TOKEN_TYPE), &returnLength ); } /** * Gets a token's session ID. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param SessionId A variable which receives the session ID. * \return Successful or errant status. */ NTSTATUS PhGetTokenSessionId( _In_ HANDLE TokenHandle, _Out_ PULONG SessionId ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenSessionId, SessionId, sizeof(ULONG), &returnLength ); } /** * Gets a token's elevation type. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param ElevationType A variable which receives the elevation type. * \return Successful or errant status. */ NTSTATUS PhGetTokenElevationType( _In_ HANDLE TokenHandle, _Out_ PTOKEN_ELEVATION_TYPE ElevationType ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenElevationType, ElevationType, sizeof(TOKEN_ELEVATION_TYPE), &returnLength ); } /** * Gets whether a token is elevated. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param TokenIsElevated A variable which receives a boolean indicating whether the token is elevated. * \return Successful or errant status. */ NTSTATUS PhGetTokenElevation( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN TokenIsElevated ) { NTSTATUS status; TOKEN_ELEVATION elevation; ULONG returnLength; status = NtQueryInformationToken( TokenHandle, TokenElevation, &elevation, sizeof(TOKEN_ELEVATION), &returnLength ); if (NT_SUCCESS(status)) { *TokenIsElevated = !!elevation.TokenIsElevated; } return status; } /** * Gets a token's statistics. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param Statistics A variable which receives the token's statistics. * \return Successful or errant status. */ NTSTATUS PhGetTokenStatistics( _In_ HANDLE TokenHandle, _Out_ PTOKEN_STATISTICS Statistics ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenStatistics, Statistics, sizeof(TOKEN_STATISTICS), &returnLength ); } /** * Gets a token's source. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY_SOURCE access. * \param Source A variable which receives the token's source. * \return Successful or errant status. */ NTSTATUS PhGetTokenSource( _In_ HANDLE TokenHandle, _Out_ PTOKEN_SOURCE Source ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenSource, Source, sizeof(TOKEN_SOURCE), &returnLength ); } /** * Gets a handle to a token's linked token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param LinkedTokenHandle A variable which receives a handle to the linked token. You must close * the handle using NtClose() when you no longer need it. * \return Successful or errant status. */ NTSTATUS PhGetTokenLinkedToken( _In_ HANDLE TokenHandle, _Out_ PHANDLE LinkedTokenHandle ) { NTSTATUS status; ULONG returnLength; TOKEN_LINKED_TOKEN linkedToken; status = NtQueryInformationToken( TokenHandle, TokenLinkedToken, &linkedToken, sizeof(TOKEN_LINKED_TOKEN), &returnLength ); if (NT_SUCCESS(status)) { *LinkedTokenHandle = linkedToken.LinkedToken; } return status; } NTSTATUS PhGetTokenIsRestricted( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsRestricted ) { NTSTATUS status; ULONG returnLength; ULONG restricted; status = NtQueryInformationToken( TokenHandle, TokenIsRestricted, &restricted, sizeof(ULONG), &returnLength ); if (NT_SUCCESS(status)) { *IsRestricted = !!restricted; } return status; } /** * Gets whether virtualization is allowed for a token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param IsVirtualizationAllowed A variable which receives a boolean indicating whether * virtualization is allowed for the token. * \return Successful or errant status. */ NTSTATUS PhGetTokenIsVirtualizationAllowed( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsVirtualizationAllowed ) { NTSTATUS status; ULONG returnLength; ULONG virtualizationAllowed; status = NtQueryInformationToken( TokenHandle, TokenVirtualizationAllowed, &virtualizationAllowed, sizeof(ULONG), &returnLength ); if (NT_SUCCESS(status)) { *IsVirtualizationAllowed = !!virtualizationAllowed; } return status; } /** * Gets whether virtualization is enabled for a token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param IsVirtualizationEnabled A variable which receives a boolean indicating whether * virtualization is enabled for the token. * \return Successful or errant status. */ NTSTATUS PhGetTokenIsVirtualizationEnabled( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsVirtualizationEnabled ) { NTSTATUS status; ULONG returnLength; ULONG virtualizationEnabled; status = NtQueryInformationToken( TokenHandle, TokenVirtualizationEnabled, &virtualizationEnabled, sizeof(ULONG), &returnLength ); if (!NT_SUCCESS(status)) return status; *IsVirtualizationEnabled = !!virtualizationEnabled; return status; } /** * Gets UIAccess flag for a token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param IsUIAccessEnabled A variable which receives a boolean indicating whether * UIAccess is enabled for the token. * \return Successful or errant status. */ NTSTATUS PhGetTokenUIAccess( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsUIAccessEnabled ) { NTSTATUS status; ULONG returnLength; ULONG uiAccess; status = NtQueryInformationToken( TokenHandle, TokenUIAccess, &uiAccess, sizeof(ULONG), &returnLength ); if (!NT_SUCCESS(status)) return status; *IsUIAccessEnabled = !!uiAccess; return status; } /** * Sets UIAccess flag for a token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_ADJUST_DEFAULT access. * \param IsUIAccessEnabled The new flag state. * \remarks Enabling UIAccess requires SeTcbPrivilege. * \return Successful or errant status. */ NTSTATUS PhSetTokenUIAccess( _In_ HANDLE TokenHandle, _In_ BOOLEAN IsUIAccessEnabled ) { ULONG uiAccess; uiAccess = IsUIAccessEnabled ? 1 : 0; return NtSetInformationToken( TokenHandle, TokenUIAccess, &uiAccess, sizeof(ULONG) ); } /** * Gets SandBoxInert flag for a token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param IsSandBoxInert A variable which receives a boolean indicating whether * AppLocker rules or Software Restriction Policies are enabled for the token. * \return Successful or errant status. */ NTSTATUS PhGetTokenIsSandBoxInert( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsSandBoxInert ) { NTSTATUS status; ULONG returnLength; ULONG sandBoxInert; status = NtQueryInformationToken( TokenHandle, TokenSandBoxInert, &sandBoxInert, sizeof(ULONG), &returnLength ); if (!NT_SUCCESS(status)) return status; *IsSandBoxInert = !!sandBoxInert; return status; } /** * Gets Mandatory Policy for a token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param MandatoryPolicy A variable which receives a set of mandatory integrity * policies enforced for the token. * \return Successful or errant status. */ NTSTATUS PhGetTokenMandatoryPolicy( _In_ HANDLE TokenHandle, _Out_ PTOKEN_MANDATORY_POLICY MandatoryPolicy ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenMandatoryPolicy, MandatoryPolicy, sizeof(TOKEN_MANDATORY_POLICY), &returnLength ); } /** * The TOKEN_ORIGIN structure contains information about the origin of the logon session. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param Origin A variable which receives the Locally unique identifier (LUID) for the logon session. * \return Successful or errant status. */ NTSTATUS PhGetTokenOrigin( _In_ HANDLE TokenHandle, _Out_ PTOKEN_ORIGIN Origin ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenOrigin, Origin, sizeof(TOKEN_ORIGIN), &returnLength ); } /** * Gets a value that is nonzero if the token is an app container token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param IsAppContainer Any callers who check the TokenIsAppContainer and have it return 0 should * also verify that the caller token is not an identify level impersonation token. * \return Successful or errant status. */ NTSTATUS PhGetTokenIsAppContainer( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsAppContainer ) { NTSTATUS status; ULONG returnLength; ULONG isAppContainer; status = NtQueryInformationToken( TokenHandle, TokenIsAppContainer, &isAppContainer, sizeof(ULONG), &returnLength ); if (!NT_SUCCESS(status)) return status; *IsAppContainer = !!isAppContainer; return status; } /** * Gets a value that includes the app container number for the token. * * \param TokenHandle A handle to a token. The handle must have TOKEN_QUERY access. * \param AppContainerNumber The app container number for the token. * \return Successful or errant status. */ NTSTATUS PhGetTokenAppContainerNumber( _In_ HANDLE TokenHandle, _Out_ PULONG AppContainerNumber ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenAppContainerNumber, AppContainerNumber, sizeof(ULONG), &returnLength ); } /** * Gets a token's user SID and returns a copy of the SID. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param User Receives a pointer to a newly allocated SID copy. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenUserCopy( _In_ HANDLE TokenHandle, _Out_ PSID* User ) { NTSTATUS status; ULONG returnLength; UCHAR tokenUserBuffer[TOKEN_USER_MAX_SIZE]; PTOKEN_USER tokenUser = (PTOKEN_USER)tokenUserBuffer; status = NtQueryInformationToken( TokenHandle, TokenUser, tokenUser, sizeof(tokenUserBuffer), &returnLength ); if (NT_SUCCESS(status)) { *User = PhAllocateCopy(tokenUser->User.Sid, PhLengthSid(tokenUser->User.Sid)); } return status; } /** * Gets a token's user information into a caller-provided PH_TOKEN_USER buffer. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param User Receives the token user information (PH_TOKEN_USER sized buffer). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenUser( _In_ HANDLE TokenHandle, _Out_ PPH_TOKEN_USER User ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenUser, User, sizeof(PH_TOKEN_USER), // SE_TOKEN_USER &returnLength ); } /** * Gets a token's owner SID and returns a copy of the SID. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param Owner Receives a pointer to a newly allocated SID copy. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenOwnerCopy( _In_ HANDLE TokenHandle, _Out_ PSID* Owner ) { NTSTATUS status; UCHAR tokenOwnerBuffer[TOKEN_OWNER_MAX_SIZE]; PTOKEN_OWNER tokenOwner = (PTOKEN_OWNER)tokenOwnerBuffer; ULONG returnLength; status = NtQueryInformationToken( TokenHandle, TokenOwner, tokenOwner, sizeof(tokenOwnerBuffer), &returnLength ); if (NT_SUCCESS(status)) { *Owner = PhAllocateCopy(tokenOwner->Owner, PhLengthSid(tokenOwner->Owner)); } return status; } /** * Gets a token's owner information into a caller-provided PH_TOKEN_OWNER buffer. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param Owner Receives the token owner information (PH_TOKEN_OWNER sized buffer). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenOwner( _In_ HANDLE TokenHandle, _Out_ PPH_TOKEN_OWNER Owner ) { ULONG returnLength; return NtQueryInformationToken( TokenHandle, TokenOwner, Owner, sizeof(PH_TOKEN_OWNER), &returnLength ); } /** * Gets a token's primary group information. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param PrimaryGroup Receives a pointer to the allocated TOKEN_PRIMARY_GROUP structure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenPrimaryGroup( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIMARY_GROUP *PrimaryGroup ) { return PhpQueryTokenVariableSize( TokenHandle, TokenPrimaryGroup, PrimaryGroup ); } /** * Gets a token's default DACL. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param DefaultDacl Receives a pointer to the allocated TOKEN_DEFAULT_DACL structure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenDefaultDacl( _In_ HANDLE TokenHandle, _Out_ PTOKEN_DEFAULT_DACL* DefaultDacl ) { NTSTATUS status; PTOKEN_DEFAULT_DACL defaultDacl; status = PhQueryTokenVariableSize( TokenHandle, TokenDefaultDacl, &defaultDacl ); if (NT_SUCCESS(status)) { if (defaultDacl->DefaultDacl) { *DefaultDacl = defaultDacl; } else { status = STATUS_INVALID_SECURITY_DESCR; PhFree(defaultDacl); } } return status; } /** * Gets a token's groups. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param Groups Receives a pointer to the allocated TOKEN_GROUPS structure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenGroups( _In_ HANDLE TokenHandle, _Out_ PTOKEN_GROUPS *Groups ) { return PhpQueryTokenVariableSize( TokenHandle, TokenGroups, Groups ); } /** * Gets a token's restricted SIDs. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param RestrictedSids Receives a pointer to the allocated TOKEN_GROUPS structure describing restricted SIDs. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenRestrictedSids( _In_ HANDLE TokenHandle, _Out_ PTOKEN_GROUPS* RestrictedSids ) { return PhpQueryTokenVariableSize( TokenHandle, TokenRestrictedSids, RestrictedSids ); } /** * Gets a token's privileges. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param Privileges Receives a pointer to the allocated TOKEN_PRIVILEGES structure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenPrivileges( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIVILEGES *Privileges ) { return PhpQueryTokenVariableSize( TokenHandle, TokenPrivileges, Privileges ); } /** * Gets a token's process trust level information. * * \param TokenHandle A handle to a token. Must have appropriate access for TokenProcessTrustLevel. * \param TrustLevel Receives a pointer to the allocated TOKEN_PROCESS_TRUST_LEVEL structure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenTrustLevel( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PROCESS_TRUST_LEVEL *TrustLevel ) { return PhpQueryTokenVariableSize( TokenHandle, TokenProcessTrustLevel, TrustLevel ); } /** * Gets a token's AppContainer SID. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param AppContainerSid Receives the PH_TOKEN_APPCONTAINER structure. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenAppContainerSid( _In_ HANDLE TokenHandle, _Out_ PPH_TOKEN_APPCONTAINER AppContainerSid ) { NTSTATUS status; ULONG returnLength; status = NtQueryInformationToken( TokenHandle, TokenAppContainerSid, AppContainerSid, sizeof(PH_TOKEN_APPCONTAINER), &returnLength ); if (NT_SUCCESS(status) && !AppContainerSid->AppContainer.Sid) { status = STATUS_NOT_FOUND; } return status; } /** * Gets a copy of a token's AppContainer SID. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param AppContainerSid Receives a pointer to a newly allocated SID copy. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenAppContainerSidCopy( _In_ HANDLE TokenHandle, _Out_ PSID* AppContainerSid ) { NTSTATUS status; UCHAR tokenAppContainerSidBuffer[TOKEN_APPCONTAINER_SID_MAX_SIZE]; PTOKEN_APPCONTAINER_INFORMATION tokenAppContainerSid = (PTOKEN_APPCONTAINER_INFORMATION)tokenAppContainerSidBuffer; ULONG returnLength; status = NtQueryInformationToken( TokenHandle, TokenAppContainerSid, tokenAppContainerSid, sizeof(tokenAppContainerSidBuffer), &returnLength ); if (NT_SUCCESS(status)) { if (tokenAppContainerSid->TokenAppContainer) { *AppContainerSid = PhAllocateCopy(tokenAppContainerSid->TokenAppContainer, PhLengthSid(tokenAppContainerSid->TokenAppContainer)); } else { status = STATUS_NOT_FOUND; } } return status; } /** * Retrieves token security attributes. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param SecurityAttributes Receives pointer to the allocated TOKEN_SECURITY_ATTRIBUTES_INFORMATION. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenSecurityAttributes( _In_ HANDLE TokenHandle, _Out_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION* SecurityAttributes ) { return PhpQueryTokenVariableSize( TokenHandle, TokenSecurityAttributes, SecurityAttributes ); } /** * Retrieves specific security attribute values for a token by attribute name. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param AttributeName The attribute name to query (stringref). * \param SecurityAttributes Receives pointer to the allocated TOKEN_SECURITY_ATTRIBUTES_INFORMATION. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenSecurityAttribute( _In_ HANDLE TokenHandle, _In_ PCPH_STRINGREF AttributeName, _Out_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION* SecurityAttributes ) { NTSTATUS status; UNICODE_STRING attributeName[1]; PTOKEN_SECURITY_ATTRIBUTES_INFORMATION buffer; ULONG bufferLength; ULONG returnLength; if (!PhStringRefToUnicodeString(AttributeName, &attributeName[0])) return STATUS_NAME_TOO_LONG; returnLength = 0; bufferLength = 0x200; buffer = PhAllocate(bufferLength); status = NtQuerySecurityAttributesToken( TokenHandle, attributeName, RTL_NUMBER_OF(attributeName), buffer, bufferLength, &returnLength ); if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); bufferLength = returnLength; buffer = PhAllocate(bufferLength); status = NtQuerySecurityAttributesToken( TokenHandle, attributeName, RTL_NUMBER_OF(attributeName), buffer, bufferLength, &returnLength ); } if (NT_SUCCESS(status)) { if (returnLength == sizeof(TOKEN_SECURITY_ATTRIBUTES_INFORMATION)) { PhFree(buffer); return STATUS_NOT_FOUND; } *SecurityAttributes = buffer; } else { PhFree(buffer); } return status; } /** * Determines whether a named security attribute exists on a token. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param AttributeName The attribute name to query (stringref). * \param SecurityAttributeExists Receives TRUE if attribute exists. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhDoesTokenSecurityAttributeExist( _In_ HANDLE TokenHandle, _In_ PCPH_STRINGREF AttributeName, _Out_ PBOOLEAN SecurityAttributeExists ) { NTSTATUS status; UNICODE_STRING attributeName; ULONG returnLength; if (!PhStringRefToUnicodeString(AttributeName, &attributeName)) return STATUS_NAME_TOO_LONG; status = NtQuerySecurityAttributesToken( TokenHandle, &attributeName, 1, NULL, 0, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL) { *SecurityAttributeExists = TRUE; return STATUS_SUCCESS; } return status; } /** * Finds a security attribute entry by name within a TOKEN_SECURITY_ATTRIBUTES_INFORMATION block. * * \param Attributes Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION to search. * \param AttributeName The attribute name to find (stringref). * \return PTOKEN_SECURITY_ATTRIBUTE_V1 Pointer to the attribute entry if found, NULL otherwise. */ PTOKEN_SECURITY_ATTRIBUTE_V1 PhFindTokenSecurityAttributeName( _In_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Attributes, _In_ PCPH_STRINGREF AttributeName ) { for (ULONG i = 0; i < Attributes->AttributeCount; i++) { PTOKEN_SECURITY_ATTRIBUTE_V1 attribute = &Attributes->AttributeV1[i]; PH_STRINGREF attributeName; PhUnicodeStringToStringRef(&attribute->Name, &attributeName); if (PhEqualStringRef(&attributeName, AttributeName, FALSE)) { return attribute; } } return NULL; } /** * Determines whether a token represents a full-trust (system) package. * This checks for the presence of the WIN://SYSAPPID attribute and ensures the * token is not an AppContainer. * * \param TokenHandle A handle to a token. * \return BOOLEAN TRUE if token is a full-trust package, FALSE otherwise. */ BOOLEAN PhGetTokenIsFullTrustPackage( _In_ HANDLE TokenHandle ) { static CONST PH_STRINGREF attributeName = PH_STRINGREF_INIT(L"WIN://SYSAPPID"); BOOLEAN tokenIsStronglyNamedAttribute = FALSE; BOOLEAN tokenIsAppContainer = FALSE; if (NT_SUCCESS(PhDoesTokenSecurityAttributeExist(TokenHandle, &attributeName, &tokenIsStronglyNamedAttribute)) && tokenIsStronglyNamedAttribute) { if (NT_SUCCESS(PhGetTokenIsAppContainer(TokenHandle, &tokenIsAppContainer))) { if (tokenIsAppContainer) return FALSE; } return TRUE; } return FALSE; } /** * Determines whether a token is a process user service (SCM user service) by checking the WIN://SCMUserService attribute. * * \param TokenHandle A handle to a token. * \param IsStronglyNamed Receives TRUE if the attribute exists. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenIsProcessUserService( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsStronglyNamed ) { static CONST PH_STRINGREF attributeName = PH_STRINGREF_INIT(L"WIN://SCMUserService"); BOOLEAN attributeExists = FALSE; NTSTATUS status; status = PhDoesTokenSecurityAttributeExist(TokenHandle, &attributeName, &attributeExists); if (NT_SUCCESS(status)) { *IsStronglyNamed = attributeExists; } return status; } /** * Determines whether a process is strongly named by querying extended basic info. * * \param ProcessHandle A handle to the process. * \param IsStronglyNamed Receives TRUE if the process is strongly named. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetProcessIsStronglyNamed( _In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsStronglyNamed ) { NTSTATUS status; PROCESS_EXTENDED_BASIC_INFORMATION basicInfo; status = PhGetProcessExtendedBasicInformation(ProcessHandle, &basicInfo); if (NT_SUCCESS(status)) { *IsStronglyNamed = !!basicInfo.IsStronglyNamed; } return status; } /** * Determines whether a token is strongly named by checking the WIN://SYSAPPID attribute. * * \param TokenHandle A handle to a token. * \param IsStronglyNamed Receives TRUE if token is strongly named. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenIsStronglyNamed( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsStronglyNamed ) { static CONST PH_STRINGREF attributeName = PH_STRINGREF_INIT(L"WIN://SYSAPPID"); BOOLEAN attributeExists = FALSE; NTSTATUS status; status = PhDoesTokenSecurityAttributeExist(TokenHandle, &attributeName, &attributeExists); if (NT_SUCCESS(status)) { *IsStronglyNamed = attributeExists; } return status; } /** * Determines whether a process is a full-trust package and not an AppContainer. * * \param ProcessHandle A handle to the process. * \return BOOLEAN TRUE if process is a full-trust package, FALSE otherwise. */ BOOLEAN PhGetProcessIsFullTrustPackage( _In_ HANDLE ProcessHandle ) { BOOLEAN processIsStronglyNamed = FALSE; BOOLEAN tokenIsAppContainer = FALSE; if (NT_SUCCESS(PhGetProcessIsStronglyNamed(ProcessHandle, &processIsStronglyNamed))) { if (processIsStronglyNamed) { HANDLE tokenHandle; if (NT_SUCCESS(PhOpenProcessToken(ProcessHandle, TOKEN_QUERY, &tokenHandle))) { PhGetTokenIsAppContainer(tokenHandle, &tokenIsAppContainer); NtClose(tokenHandle); } if (tokenIsAppContainer) return FALSE; return TRUE; } } return FALSE; } /** * Retrieves the package full name for a process by opening its token and querying. * * \param ProcessHandle A handle to the process. * \return PPH_STRING The package full name string object, or NULL if not available. */ PPH_STRING PhGetProcessPackageFullName( _In_ HANDLE ProcessHandle ) { HANDLE tokenHandle; PPH_STRING packageName = NULL; if (NT_SUCCESS(PhOpenProcessToken(ProcessHandle, TOKEN_QUERY, &tokenHandle))) { PhGetTokenPackageFullName(tokenHandle, &packageName); NtClose(tokenHandle); } return packageName; } /** * Determines whether a token is a less-privileged AppContainer by checking for the WIN://NOALLAPPPKG attribute. * * \param TokenHandle A handle to a token. * \param IsLessPrivilegedAppContainer Receives TRUE if the attribute indicates less-privileged AppContainer. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenIsLessPrivilegedAppContainer( _In_ HANDLE TokenHandle, _Out_ PBOOLEAN IsLessPrivilegedAppContainer ) { static CONST PH_STRINGREF attributeName = PH_STRINGREF_INIT(L"WIN://NOALLAPPPKG"); NTSTATUS status; BOOLEAN attributeExists = FALSE; status = PhDoesTokenSecurityAttributeExist( TokenHandle, &attributeName, &attributeExists ); if (NT_SUCCESS(status) && attributeExists) *IsLessPrivilegedAppContainer = TRUE; else *IsLessPrivilegedAppContainer = FALSE; // TODO: NtQueryInformationToken(TokenIsLessPrivilegedAppContainer); return status; } /** * Helper to retrieve a 64-bit value from a token security attribute. * * \param TokenHandle A handle to a token. * \param Name The attribute name (stringref). * \param ValueIndex Index of the value to retrieve. * \return ULONG64 The retrieved value, or MAXULONG64 if not present. */ ULONG64 PhGetTokenSecurityAttributeValueUlong64( _In_ HANDLE TokenHandle, _In_ PCPH_STRINGREF Name, _In_ ULONG ValueIndex ) { ULONG64 value = MAXULONG64; PTOKEN_SECURITY_ATTRIBUTES_INFORMATION info; if (NT_SUCCESS(PhGetTokenSecurityAttribute(TokenHandle, Name, &info))) { PTOKEN_SECURITY_ATTRIBUTE_V1 attribute = PhFindTokenSecurityAttributeName(info, Name); if (attribute && attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 && ValueIndex < attribute->ValueCount) { value = attribute->Values.Uint64[ValueIndex]; } PhFree(info); } return value; } /** * Helper to retrieve a string value from a token security attribute. * * \param TokenHandle A handle to a token. * \param Name The attribute name (stringref). * \param ValueIndex Index of the value to retrieve. * \return PPH_STRING The retrieved string object or NULL if not present. */ PPH_STRING PhGetTokenSecurityAttributeValueString( _In_ HANDLE TokenHandle, _In_ PCPH_STRINGREF Name, _In_ ULONG ValueIndex ) { PPH_STRING value = NULL; PTOKEN_SECURITY_ATTRIBUTES_INFORMATION info; if (NT_SUCCESS(PhGetTokenSecurityAttribute(TokenHandle, Name, &info))) { PTOKEN_SECURITY_ATTRIBUTE_V1 attribute = PhFindTokenSecurityAttributeName(info, Name); if (attribute && attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING && ValueIndex < attribute->ValueCount) { value = PhCreateStringFromUnicodeString(&attribute->Values.String[ValueIndex]); } PhFree(info); } return value; } // rev from GetApplicationUserModelId/GetApplicationUserModelIdFromToken (dmex) /** * Retrieves the Application User Model ID (AUMID) for a token's package. * * \param TokenHandle A handle to a token. * \return PPH_STRING The AUMID string or NULL if not available. * \remarks Constructs the AUMID from the SYSAPPID attribute values (family and relative id) * as "!". */ PPH_STRING PhGetTokenPackageApplicationUserModelId( _In_ HANDLE TokenHandle ) { static CONST PH_STRINGREF attributeName = PH_STRINGREF_INIT(L"WIN://SYSAPPID"); static CONST PH_STRINGREF separator = PH_STRINGREF_INIT(L"!"); PTOKEN_SECURITY_ATTRIBUTES_INFORMATION info; PPH_STRING applicationUserModelId = NULL; if (NT_SUCCESS(PhGetTokenSecurityAttribute(TokenHandle, &attributeName, &info))) { PTOKEN_SECURITY_ATTRIBUTE_V1 attribute = PhFindTokenSecurityAttributeName(info, &attributeName); if (attribute && attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING && attribute->ValueCount >= 3) { PPH_STRING relativeIdName; PPH_STRING packageFamilyName; relativeIdName = PhCreateStringFromUnicodeString(&attribute->Values.String[1]); packageFamilyName = PhCreateStringFromUnicodeString(&attribute->Values.String[2]); applicationUserModelId = PhConcatStringRef3( &packageFamilyName->sr, &separator, &relativeIdName->sr ); PhDereferenceObject(packageFamilyName); PhDereferenceObject(relativeIdName); } PhFree(info); } return applicationUserModelId; } /** * Retrieves the package full name for a token from the SYSAPPID attribute. * * \param TokenHandle A handle to a token. * \return PPH_STRING The package full name string object, or NULL if not available. */ NTSTATUS PhGetTokenPackageFullName( _In_ HANDLE TokenHandle, _Out_ PPH_STRING* PackageFullName ) { static CONST PH_STRINGREF attributeName = PH_STRINGREF_INIT(L"WIN://SYSAPPID"); PTOKEN_SECURITY_ATTRIBUTES_INFORMATION info; PPH_STRING packageFullName = NULL; NTSTATUS status; status = PhGetTokenSecurityAttribute( TokenHandle, &attributeName, &info ); if (NT_SUCCESS(status)) { PTOKEN_SECURITY_ATTRIBUTE_V1 attribute = PhFindTokenSecurityAttributeName(info, &attributeName); if (attribute && attribute->ValueType == TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING) { packageFullName = PhCreateStringFromUnicodeString(&attribute->Values.String[0]); } else { status = STATUS_OBJECT_TYPE_MISMATCH; } PhFree(info); } *PackageFullName = packageFullName; return status; } /** * Retrieves the named object path of a token. * * \param TokenHandle A handle to a token. * \param Sid Optional SID to query a named path for (may be NULL). * \param ObjectPath Receives the created string object for the object path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenNamedObjectPath( _In_ HANDLE TokenHandle, _In_opt_ PSID Sid, _Out_ PPH_STRING* ObjectPath ) { NTSTATUS status; UNICODE_STRING objectPath; if (!RtlGetTokenNamedObjectPath_Import()) return STATUS_NOT_SUPPORTED; RtlInitEmptyUnicodeString(&objectPath, NULL, 0); status = RtlGetTokenNamedObjectPath_Import()( TokenHandle, Sid, &objectPath ); if (NT_SUCCESS(status)) { *ObjectPath = PhCreateStringFromUnicodeString(&objectPath); RtlFreeUnicodeString(&objectPath); } return status; } /** * Retrieves an AppContainer named object path if available. * * \param TokenHandle A handle to a token. * \param AppContainerSid Optional AppContainer SID to query for (may be NULL to use token's AppContainer). * \param RelativePath If TRUE, request a relative path. * \param ObjectPath Receives the created string object for the object path. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetAppContainerNamedObjectPath( _In_ HANDLE TokenHandle, _In_opt_ PSID AppContainerSid, _In_ BOOLEAN RelativePath, _Out_ PPH_STRING* ObjectPath ) { NTSTATUS status; UNICODE_STRING objectPath; if (!RtlGetAppContainerNamedObjectPath_Import()) return STATUS_UNSUCCESSFUL; RtlInitEmptyUnicodeString(&objectPath, NULL, 0); status = RtlGetAppContainerNamedObjectPath_Import()( TokenHandle, AppContainerSid, RelativePath, &objectPath ); if (NT_SUCCESS(status)) { *ObjectPath = PhCreateStringFromUnicodeString(&objectPath); RtlFreeUnicodeString(&objectPath); } return status; } /** * Checks whether the specified privilege is enabled for the token. * * \param TokenHandle A handle to a token. * \param Privilege The privilege constant (as ULONG) to check. * \return BOOLEAN TRUE if the privilege is enabled and used for access, FALSE otherwise. */ BOOLEAN PhPrivilegeCheck( _In_ HANDLE TokenHandle, _In_ ULONG Privilege ) { CHAR privilegesBuffer[FIELD_OFFSET(PRIVILEGE_SET, Privilege) + sizeof(LUID_AND_ATTRIBUTES) * 1]; PPRIVILEGE_SET requiredPrivileges; BOOLEAN result = FALSE; requiredPrivileges = (PPRIVILEGE_SET)privilegesBuffer; requiredPrivileges->PrivilegeCount = 1; requiredPrivileges->Control = PRIVILEGE_SET_ALL_NECESSARY; requiredPrivileges->Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; requiredPrivileges->Privilege[0].Luid = RtlConvertUlongToLuid(Privilege); NtPrivilegeCheck(TokenHandle, requiredPrivileges, &result); return result; } /** * Checks whether a privilege is present in the token and was used for access. * This function returns TRUE either when the privileged was used for access * (SE_PRIVILEGE_USED_FOR_ACCESS) or when NtPrivilegeCheck indicates success * and the attributes were set accordingly. * * \param TokenHandle A handle to a token. * \param Privilege The privilege constant (as ULONG) to check. * \return BOOLEAN TRUE if privilege was used for access, FALSE otherwise. */ BOOLEAN PhPrivilegeCheckAny( _In_ HANDLE TokenHandle, _In_ ULONG Privilege ) { CHAR privilegesBuffer[FIELD_OFFSET(PRIVILEGE_SET, Privilege) + sizeof(LUID_AND_ATTRIBUTES) * 1]; PPRIVILEGE_SET requiredPrivileges; BOOLEAN result = FALSE; requiredPrivileges = (PPRIVILEGE_SET)privilegesBuffer; requiredPrivileges->PrivilegeCount = 1; requiredPrivileges->Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; requiredPrivileges->Privilege[0].Luid = RtlConvertUlongToLuid(Privilege); NtPrivilegeCheck(TokenHandle, requiredPrivileges, &result); if (requiredPrivileges->Privilege[0].Attributes == SE_PRIVILEGE_USED_FOR_ACCESS) return TRUE; return FALSE; } /** * Modifies a token privilege. Can specify privilege by name or by LUID. * * \param TokenHandle A handle to a token with TOKEN_ADJUST_PRIVILEGES access. * \param PrivilegeName Optional privilege name (NULL if PrivilegeLuid supplied). * \param PrivilegeLuid Optional pointer to LUID (NULL if PrivilegeName supplied). * \param Attributes New attributes for the privilege (e.g. SE_PRIVILEGE_ENABLED or 0). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetTokenPrivilege( _In_ HANDLE TokenHandle, _In_opt_ PCWSTR PrivilegeName, _In_opt_ PLUID PrivilegeLuid, _In_ ULONG Attributes ) { NTSTATUS status; TOKEN_PRIVILEGES privileges; privileges.PrivilegeCount = 1; privileges.Privileges[0].Attributes = Attributes; if (PrivilegeLuid) { privileges.Privileges[0].Luid = *PrivilegeLuid; } else if (PrivilegeName) { PH_STRINGREF privilegeName; PhInitializeStringRefLongHint(&privilegeName, PrivilegeName); status = PhLookupPrivilegeValue( &privilegeName, &privileges.Privileges[0].Luid ); if (!NT_SUCCESS(status)) return status; } else { return STATUS_INVALID_PARAMETER; } status = NtAdjustPrivilegesToken( TokenHandle, FALSE, &privileges, 0, NULL, NULL ); if (!NT_SUCCESS(status)) return status; if (status == STATUS_NOT_ALL_ASSIGNED) { return STATUS_UNSUCCESSFUL; } return status; } /** * Convenience wrapper to set a privilege by numeric constant. * * \param TokenHandle A handle to a token with TOKEN_ADJUST_PRIVILEGES access. * \param Privilege The privilege constant to change (LONG). * \param Attributes New attribute flags. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetTokenPrivilege2( _In_ HANDLE TokenHandle, _In_ LONG Privilege, _In_ ULONG Attributes ) { LUID privilegeLuid; privilegeLuid = RtlConvertLongToLuid(Privilege); return PhSetTokenPrivilege(TokenHandle, NULL, &privilegeLuid, Attributes); } /** * Adjusts a privilege for the current process token. * * \param PrivilegeName Optional name of privilege to change (NULL if Privilege provided). * \param Privilege Optional numeric privilege constant (0 if PrivilegeName provided). * \param Enable TRUE to enable, FALSE to disable. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhAdjustPrivilege( _In_opt_ PCWSTR PrivilegeName, _In_opt_ LONG Privilege, _In_ BOOLEAN Enable ) { NTSTATUS status; HANDLE tokenHandle; TOKEN_PRIVILEGES privileges; status = NtOpenProcessToken( NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tokenHandle ); if (!NT_SUCCESS(status)) return status; privileges.PrivilegeCount = 1; privileges.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0; if (Privilege) { LUID privilegeLuid; privilegeLuid = RtlConvertLongToLuid(Privilege); privileges.Privileges[0].Luid = privilegeLuid; } else if (PrivilegeName) { PH_STRINGREF privilegeName; PhInitializeStringRefLongHint(&privilegeName, PrivilegeName); status = PhLookupPrivilegeValue( &privilegeName, &privileges.Privileges[0].Luid ); if (!NT_SUCCESS(status)) { NtClose(tokenHandle); return status; } } else { NtClose(tokenHandle); return STATUS_INVALID_PARAMETER_1; } status = NtAdjustPrivilegesToken( tokenHandle, FALSE, &privileges, 0, NULL, NULL ); NtClose(tokenHandle); if (status == STATUS_NOT_ALL_ASSIGNED) return STATUS_PRIVILEGE_NOT_HELD; return status; } /** * Modifies a token group by name or SID. * * \param TokenHandle A handle to a token with TOKEN_ADJUST_GROUPS access. * \param GroupName Optional group name to lookup (NULL if GroupSid supplied). * \param GroupSid Optional group SID to set (NULL if GroupName supplied). * \param Attributes New attributes for the group. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetTokenGroups( _In_ HANDLE TokenHandle, _In_opt_ PCWSTR GroupName, _In_opt_ PSID GroupSid, _In_ ULONG Attributes ) { NTSTATUS status; TOKEN_GROUPS groups; groups.GroupCount = 1; groups.Groups[0].Attributes = Attributes; if (GroupSid) { groups.Groups[0].Sid = GroupSid; } else if (GroupName) { PH_STRINGREF groupName; PhInitializeStringRefLongHint(&groupName, GroupName); if (!NT_SUCCESS(status = PhLookupName(&groupName, &groups.Groups[0].Sid, NULL, NULL))) return status; } else { return STATUS_INVALID_PARAMETER; } status = NtAdjustGroupsToken( TokenHandle, FALSE, &groups, 0, NULL, NULL ); if (GroupName && groups.Groups[0].Sid) PhFree(groups.Groups[0].Sid); return status; } /** * Sets the session ID for a token. * * \param TokenHandle A handle to a token with appropriate access. * \param SessionId The session id to set. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetTokenSessionId( _In_ HANDLE TokenHandle, _In_ ULONG SessionId ) { return NtSetInformationToken( TokenHandle, TokenSessionId, &SessionId, sizeof(ULONG) ); } /** * Enables or disables virtualization for a token. * * \param TokenHandle A handle to a token with TOKEN_WRITE access. * \param IsVirtualizationEnabled TRUE to enable, FALSE to disable. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhSetTokenIsVirtualizationEnabled( _In_ HANDLE TokenHandle, _In_ BOOLEAN IsVirtualizationEnabled ) { ULONG virtualizationEnabled; virtualizationEnabled = IsVirtualizationEnabled; return NtSetInformationToken( TokenHandle, TokenVirtualizationEnabled, &virtualizationEnabled, sizeof(ULONG) ); } /** * Gets a token's integrity level RID and an optional human-readable string. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param IntegrityLevelRID Receives the integrity-level RID (last subauthority). * \param IntegrityString Receives a pointer to a static descriptive string (optional). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenIntegrityLevelRID( _In_ HANDLE TokenHandle, _Out_opt_ PMANDATORY_LEVEL_RID IntegrityLevelRID, _Out_opt_ PWSTR *IntegrityString ) { NTSTATUS status; UCHAR mandatoryLabelBuffer[TOKEN_INTEGRITY_LEVEL_MAX_SIZE]; PTOKEN_MANDATORY_LABEL mandatoryLabel = (PTOKEN_MANDATORY_LABEL)mandatoryLabelBuffer; ULONG returnLength; ULONG subAuthoritiesCount; ULONG subAuthority; PWSTR integrityString; status = NtQueryInformationToken( TokenHandle, TokenIntegrityLevel, mandatoryLabel, sizeof(mandatoryLabelBuffer), &returnLength ); if (!NT_SUCCESS(status)) return status; subAuthoritiesCount = *PhSubAuthorityCountSid(mandatoryLabel->Label.Sid); if (subAuthoritiesCount > 0) { subAuthority = *PhSubAuthoritySid(mandatoryLabel->Label.Sid, subAuthoritiesCount - 1); } else { subAuthority = SECURITY_MANDATORY_UNTRUSTED_RID; } if (IntegrityString) { switch (subAuthority) { case SECURITY_MANDATORY_UNTRUSTED_RID: integrityString = L"Untrusted"; break; case SECURITY_MANDATORY_LOW_RID: integrityString = L"Low"; break; case SECURITY_MANDATORY_MEDIUM_RID: integrityString = L"Medium"; break; case SECURITY_MANDATORY_MEDIUM_PLUS_RID: integrityString = L"Medium+"; break; case SECURITY_MANDATORY_HIGH_RID: integrityString = L"High"; break; case SECURITY_MANDATORY_SYSTEM_RID: integrityString = L"System"; break; case SECURITY_MANDATORY_PROTECTED_PROCESS_RID: integrityString = L"Protected"; break; default: integrityString = L"Other"; break; } *IntegrityString = integrityString; } if (IntegrityLevelRID) *IntegrityLevelRID = subAuthority; return status; } /** * Gets a token's integrity level as a well-known enumerated value. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param IntegrityLevel Receives the mapped MANDATORY_LEVEL enumeration (optional). * \param IntegrityString Receives a static descriptive string (optional). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenIntegrityLevel( _In_ HANDLE TokenHandle, _Out_opt_ PMANDATORY_LEVEL IntegrityLevel, _Out_opt_ PWSTR *IntegrityString ) { NTSTATUS status; MANDATORY_LEVEL_RID integrityLevelRID; MANDATORY_LEVEL integrityLevel; status = PhGetTokenIntegrityLevelRID(TokenHandle, &integrityLevelRID, IntegrityString); if (!NT_SUCCESS(status)) return status; if (IntegrityLevel) { switch (integrityLevelRID) { case SECURITY_MANDATORY_UNTRUSTED_RID: integrityLevel = MandatoryLevelUntrusted; break; case SECURITY_MANDATORY_LOW_RID: integrityLevel = MandatoryLevelLow; break; case SECURITY_MANDATORY_MEDIUM_RID: integrityLevel = MandatoryLevelMedium; break; case SECURITY_MANDATORY_MEDIUM_PLUS_RID: integrityLevel = MandatoryLevelMedium; break; case SECURITY_MANDATORY_HIGH_RID: integrityLevel = MandatoryLevelHigh; break; case SECURITY_MANDATORY_SYSTEM_RID: integrityLevel = MandatoryLevelSystem; break; case SECURITY_MANDATORY_PROTECTED_PROCESS_RID: integrityLevel = MandatoryLevelSecureProcess; break; default: return STATUS_UNSUCCESSFUL; } *IntegrityLevel = integrityLevel; } return status; } typedef struct _PH_INTEGRITY_LEVEL_STRING_ENTRY { PH_STRINGREF String; PH_INTEGRITY_LEVEL IntegrityLevel; } PH_INTEGRITY_LEVEL_STRING_ENTRY, *PPH_INTEGRITY_LEVEL_STRING_ENTRY; /** * Gets a token's integrity level with extended information and a mapped stringref. * * \param TokenHandle A handle to a token. Must have TOKEN_QUERY access. * \param IntegrityLevel Receives the PH_INTEGRITY_LEVEL (as a Level value) if provided. * \param IntegrityString Receives a pointer to a static PH_STRINGREF describing the level. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenIntegrityLevelEx( _In_ HANDLE TokenHandle, _Out_opt_ PPH_INTEGRITY_LEVEL IntegrityLevel, _Out_opt_ PCPH_STRINGREF* IntegrityString ) { static CONST PH_STRINGREF integrityLevelDefaultString = PH_STRINGREF_INIT(L"Other"); static CONST PH_INTEGRITY_LEVEL_STRING_ENTRY integrityLevelStringTable[] = { { PH_STRINGREF_INIT(L"Untrusted"), { .Mandatory = MandatoryLevelUntrusted } }, { PH_STRINGREF_INIT(L"Low"), {.Mandatory = MandatoryLevelLow }}, { PH_STRINGREF_INIT(L"Medium"), { .Mandatory = MandatoryLevelMedium } }, { PH_STRINGREF_INIT(L"Medium+"), { .Mandatory = MandatoryLevelMedium, .Plus = TRUE } }, { PH_STRINGREF_INIT(L"High"), { .Mandatory = MandatoryLevelHigh, } }, { PH_STRINGREF_INIT(L"System"), { .Mandatory = MandatoryLevelSystem, } }, { PH_STRINGREF_INIT(L"Secure"), { .Mandatory = MandatoryLevelSecureProcess, } }, { PH_STRINGREF_INIT(L"Untrusted (AppContainer)"), { .Mandatory = MandatoryLevelUntrusted, .AppContainer = TRUE, } }, { PH_STRINGREF_INIT(L"Low (AppContainer)"), {.Mandatory = MandatoryLevelLow, .AppContainer = TRUE, } }, { PH_STRINGREF_INIT(L"Medium (AppContainer)"), { .Mandatory = MandatoryLevelMedium, .AppContainer = TRUE, } }, { PH_STRINGREF_INIT(L"Medium+ (AppContainer)"), { .Mandatory = MandatoryLevelMedium, .AppContainer = TRUE, .Plus = TRUE, } }, { PH_STRINGREF_INIT(L"High (AppContainer)"), { .Mandatory = MandatoryLevelHigh, .AppContainer = TRUE, } }, { PH_STRINGREF_INIT(L"System (AppContainer)"), { .Mandatory = MandatoryLevelSystem, .AppContainer = TRUE, } }, { PH_STRINGREF_INIT(L"Secure (AppContainer)"), { .Mandatory = MandatoryLevelSecureProcess, .AppContainer = TRUE, } }, }; NTSTATUS status; PH_INTEGRITY_LEVEL integrityLevel; MANDATORY_LEVEL_RID integrityLevelRID; BOOLEAN tokenIsAppContainer; integrityLevel.Level = 0; if (!NT_SUCCESS(status = PhGetTokenIntegrityLevelRID(TokenHandle, &integrityLevelRID, NULL))) return status; if (IntegrityLevel) { switch (integrityLevelRID) { case SECURITY_MANDATORY_UNTRUSTED_RID: integrityLevel.Mandatory = MandatoryLevelUntrusted; break; case SECURITY_MANDATORY_LOW_RID: integrityLevel.Mandatory = MandatoryLevelLow; break; case SECURITY_MANDATORY_MEDIUM_RID: integrityLevel.Mandatory = MandatoryLevelMedium; break; case SECURITY_MANDATORY_MEDIUM_PLUS_RID: integrityLevel.Mandatory = MandatoryLevelMedium; integrityLevel.Plus = TRUE; break; case SECURITY_MANDATORY_HIGH_RID: integrityLevel.Mandatory = MandatoryLevelHigh; break; case SECURITY_MANDATORY_SYSTEM_RID: integrityLevel.Mandatory = MandatoryLevelSystem; break; case SECURITY_MANDATORY_PROTECTED_PROCESS_RID: integrityLevel.Mandatory = MandatoryLevelSecureProcess; break; default: return STATUS_UNSUCCESSFUL; } } if (NT_SUCCESS(PhGetTokenIsAppContainer(TokenHandle, &tokenIsAppContainer)) && tokenIsAppContainer) integrityLevel.AppContainer = TRUE; if (IntegrityLevel) IntegrityLevel->Level = integrityLevel.Level; if (!IntegrityString) return STATUS_SUCCESS; *IntegrityString = &integrityLevelDefaultString; for (ULONG i = 0; i < RTL_NUMBER_OF(integrityLevelStringTable); i++) { if (integrityLevelStringTable[i].IntegrityLevel.Level == integrityLevel.Level) { *IntegrityString = &integrityLevelStringTable[i].String; break; } } return STATUS_SUCCESS; } /** * Parses the token process trust level SID into protection type and level and * optionally returns readable strings and the SID string. * * \param TokenHandle A handle to a token. * \param ProtectionType Receives the protection type RID (optional). * \param ProtectionLevel Receives the protection level RID (optional). * \param TrustLevelString Receives a newly created or concatenated string describing the protection (optional). * \param TrustLevelSidString Receives a string SID representation of the trust-level SID (optional). * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetTokenProcessTrustLevelRID( _In_ HANDLE TokenHandle, _Out_opt_ PULONG ProtectionType, _Out_opt_ PULONG ProtectionLevel, _Out_opt_ PPH_STRING* TrustLevelString, _Out_opt_ PPH_STRING* TrustLevelSidString ) { NTSTATUS status; PTOKEN_PROCESS_TRUST_LEVEL trustLevel; ULONG subAuthoritiesCount; ULONG protectionType; ULONG protectionLevel; status = PhGetTokenTrustLevel(TokenHandle, &trustLevel); if (!NT_SUCCESS(status)) return status; if (!trustLevel->TrustLevelSid) return STATUS_UNSUCCESSFUL; if (!PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(trustLevel->TrustLevelSid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_PROCESS_TRUST_AUTHORITY)) return STATUS_INVALID_SUB_AUTHORITY; subAuthoritiesCount = *PhSubAuthorityCountSid(trustLevel->TrustLevelSid); if (subAuthoritiesCount == SECURITY_PROCESS_TRUST_AUTHORITY_RID_COUNT) { protectionType = *PhSubAuthoritySid(trustLevel->TrustLevelSid, 0); protectionLevel = *PhSubAuthoritySid(trustLevel->TrustLevelSid, 1); } else { protectionType = SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID; protectionLevel = SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID; } if (ProtectionType) *ProtectionType = protectionType; if (ProtectionLevel) *ProtectionLevel = protectionLevel; if (TrustLevelString) { static CONST PH_STRINGREF UnknownProtectionString = PH_STRINGREF_INIT(L"Unknown"); static CONST PH_STRINGREF ProtectionTypeString[] = { PH_STRINGREF_INIT(L"None"), PH_STRINGREF_INIT(L"Full"), PH_STRINGREF_INIT(L"Lite"), }; static CONST PH_STRINGREF ProtectionLevelString[] = { PH_STRINGREF_INIT(L" (None)"), PH_STRINGREF_INIT(L" (WinTcb)"), PH_STRINGREF_INIT(L" (Windows)"), PH_STRINGREF_INIT(L" (StoreApp)"), PH_STRINGREF_INIT(L" (Antimalware)"), PH_STRINGREF_INIT(L" (Authenticode)"), }; PCPH_STRINGREF protectionTypeString = NULL; PCPH_STRINGREF protectionLevelString = NULL; switch (protectionType) { case SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID: protectionTypeString = &ProtectionTypeString[0]; break; case SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID: protectionTypeString = &ProtectionTypeString[1]; break; case SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID: protectionTypeString = &ProtectionTypeString[2]; break; } switch (protectionLevel) { case SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID: protectionLevelString = &ProtectionLevelString[0]; break; case SECURITY_PROCESS_PROTECTION_LEVEL_WINTCB_RID: protectionLevelString = &ProtectionLevelString[1]; break; case SECURITY_PROCESS_PROTECTION_LEVEL_WINDOWS_RID: protectionLevelString = &ProtectionLevelString[2]; break; case SECURITY_PROCESS_PROTECTION_LEVEL_APP_RID: protectionLevelString = &ProtectionLevelString[3]; break; case SECURITY_PROCESS_PROTECTION_LEVEL_ANTIMALWARE_RID: protectionLevelString = &ProtectionLevelString[4]; break; case SECURITY_PROCESS_PROTECTION_LEVEL_AUTHENTICODE_RID: protectionLevelString = &ProtectionLevelString[5]; break; } if (protectionTypeString && protectionLevelString) *TrustLevelString = PhConcatStringRef2(protectionTypeString, protectionLevelString); else *TrustLevelString = PhCreateString2(&UnknownProtectionString); } if (TrustLevelSidString) { *TrustLevelSidString = PhSidToStringSid(trustLevel->TrustLevelSid); } PhFree(trustLevel); return status; } ================================================ FILE: phlib/nativetxn.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include NTSTATUS PhpQueryTransactionManagerVariableSize( _In_ HANDLE TransactionManagerHandle, _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x100; if (!NtQueryInformationTransactionManager_Import()) return STATUS_NOT_SUPPORTED; buffer = PhAllocate(bufferSize); while (TRUE) { status = NtQueryInformationTransactionManager_Import()( TransactionManagerHandle, TransactionManagerInformationClass, buffer, bufferSize, NULL ); if (status == STATUS_BUFFER_OVERFLOW) { PhFree(buffer); bufferSize *= 2; if (bufferSize > 1 * 1024 * 1024) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } else { break; } } if (NT_SUCCESS(status)) { *Buffer = buffer; } else { PhFree(buffer); } return status; } NTSTATUS PhGetTransactionManagerBasicInformation( _In_ HANDLE TransactionManagerHandle, _Out_ PTRANSACTIONMANAGER_BASIC_INFORMATION BasicInformation ) { memset(BasicInformation, 0, sizeof(TRANSACTIONMANAGER_BASIC_INFORMATION)); if (NtQueryInformationTransactionManager_Import()) { return NtQueryInformationTransactionManager_Import()( TransactionManagerHandle, TransactionManagerBasicInformation, BasicInformation, sizeof(TRANSACTIONMANAGER_BASIC_INFORMATION), NULL ); } else { return STATUS_NOT_SUPPORTED; } } NTSTATUS PhGetTransactionManagerLogFileName( _In_ HANDLE TransactionManagerHandle, _Out_ PPH_STRING *LogFileName ) { NTSTATUS status; PTRANSACTIONMANAGER_LOGPATH_INFORMATION logPathInfo; status = PhpQueryTransactionManagerVariableSize( TransactionManagerHandle, TransactionManagerLogPathInformation, &logPathInfo ); if (!NT_SUCCESS(status)) return status; if (logPathInfo->LogPathLength == 0) { *LogFileName = PhReferenceEmptyString(); } else { *LogFileName = PhCreateStringEx( logPathInfo->LogPath, logPathInfo->LogPathLength ); } PhFree(logPathInfo); return status; } NTSTATUS PhpQueryTransactionVariableSize( _In_ HANDLE TransactionHandle, _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x100; if (!NtQueryInformationTransaction_Import()) return STATUS_NOT_SUPPORTED; buffer = PhAllocate(bufferSize); while (TRUE) { status = NtQueryInformationTransaction_Import()( TransactionHandle, TransactionInformationClass, buffer, bufferSize, NULL ); if (status == STATUS_BUFFER_OVERFLOW) { PhFree(buffer); bufferSize *= 2; if (bufferSize > 1 * 1024 * 1024) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } else { break; } } if (NT_SUCCESS(status)) { *Buffer = buffer; } else { PhFree(buffer); } return status; } NTSTATUS PhGetTransactionBasicInformation( _In_ HANDLE TransactionHandle, _Out_ PTRANSACTION_BASIC_INFORMATION BasicInformation ) { memset(BasicInformation, 0, sizeof(TRANSACTION_BASIC_INFORMATION)); if (NtQueryInformationTransaction_Import()) { return NtQueryInformationTransaction_Import()( TransactionHandle, TransactionBasicInformation, BasicInformation, sizeof(TRANSACTION_BASIC_INFORMATION), NULL ); } else { return STATUS_NOT_SUPPORTED; } } NTSTATUS PhGetTransactionPropertiesInformation( _In_ HANDLE TransactionHandle, _Out_opt_ PLARGE_INTEGER Timeout, _Out_opt_ TRANSACTION_OUTCOME *Outcome, _Out_opt_ PPH_STRING *Description ) { NTSTATUS status; PTRANSACTION_PROPERTIES_INFORMATION propertiesInfo; status = PhpQueryTransactionVariableSize( TransactionHandle, TransactionPropertiesInformation, &propertiesInfo ); if (!NT_SUCCESS(status)) return status; if (Timeout) { *Timeout = propertiesInfo->Timeout; } if (Outcome) { *Outcome = propertiesInfo->Outcome; } if (Description) { *Description = PhCreateStringEx( propertiesInfo->Description, propertiesInfo->DescriptionLength ); } PhFree(propertiesInfo); return status; } NTSTATUS PhpQueryResourceManagerVariableSize( _In_ HANDLE ResourceManagerHandle, _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, _Out_ PVOID *Buffer ) { NTSTATUS status; PVOID buffer; ULONG bufferSize = 0x100; if (!NtQueryInformationResourceManager_Import()) return STATUS_NOT_SUPPORTED; buffer = PhAllocate(bufferSize); while (TRUE) { status = NtQueryInformationResourceManager_Import()( ResourceManagerHandle, ResourceManagerInformationClass, buffer, bufferSize, NULL ); if (status == STATUS_BUFFER_OVERFLOW) { PhFree(buffer); bufferSize *= 2; if (bufferSize > 1 * 1024 * 1024) return STATUS_INSUFFICIENT_RESOURCES; buffer = PhAllocate(bufferSize); } else { break; } } if (NT_SUCCESS(status)) { *Buffer = buffer; } else { PhFree(buffer); } return status; } NTSTATUS PhGetResourceManagerBasicInformation( _In_ HANDLE ResourceManagerHandle, _Out_opt_ PGUID Guid, _Out_opt_ PPH_STRING *Description ) { NTSTATUS status; PRESOURCEMANAGER_BASIC_INFORMATION basicInfo; status = PhpQueryResourceManagerVariableSize( ResourceManagerHandle, ResourceManagerBasicInformation, &basicInfo ); if (!NT_SUCCESS(status)) return status; if (Guid) { *Guid = basicInfo->ResourceManagerId; } if (Description) { if (basicInfo->DescriptionLength == 0) { *Description = PhReferenceEmptyString(); } else { *Description = PhCreateStringEx( basicInfo->Description, basicInfo->DescriptionLength ); } } PhFree(basicInfo); return status; } NTSTATUS PhGetEnlistmentBasicInformation( _In_ HANDLE EnlistmentHandle, _Out_ PENLISTMENT_BASIC_INFORMATION BasicInformation ) { memset(BasicInformation, 0, sizeof(ENLISTMENT_BASIC_INFORMATION)); if (NtQueryInformationEnlistment_Import()) { return NtQueryInformationEnlistment_Import()( EnlistmentHandle, EnlistmentBasicInformation, BasicInformation, sizeof(ENLISTMENT_BASIC_INFORMATION), NULL ); } else { return STATUS_NOT_SUPPORTED; } } ================================================ FILE: phlib/nativeuser.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2024 * */ #include #include #include #include /** * Attach this process to the console of another process. * * This function first frees any existing console association for this process by calling * `PhFreeConsole` to avoid leaking console handles stored in the process environment block (PEB). * It then calls the Win32 `AttachConsole` API using the numeric process identifier derived from * `ProcessId`. If `AttachConsole` succeeds, the function returns `STATUS_SUCCESS`. Otherwise * it converts the last Win32 error into an NTSTATUS via `PhGetLastWin32ErrorAsNtStatus`. * \param[in] ProcessId Handle representing the target process whose console we want to attach to. * The handle value is converted to an unsigned long before calling `AttachConsole`. * \return NTSTATUS STATUS_SUCCESS on success; translated Win32 error as NTSTATUS on failure. */ NTSTATUS PhAttachConsole( _In_ HANDLE ProcessId ) { PhFreeConsole(); if (AttachConsole(HandleToUlong(ProcessId))) { return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } /** * Free the current console and clear PEB console-related fields. * * \remarks The FreeConsole API doesn't zero handles it created and cached in the current * process environment block (PEB). It'll close the handle but does not zero the fields. * When these values are later recycled by the kernel with a new handle, the values in the PEB * are now pointing to valid objects and start getting passed to console functions despite * these handles are some other object. This causes all sorts of issues including crashes * and data corruption. To avoid these issues, we manually zero the PEB fields. */ VOID PhFreeConsole( VOID ) { PRTL_USER_PROCESS_PARAMETERS processParameters; FreeConsole(); // Note: FreeConsole leaks the StandardInput, StandardOutput, StandardError and ConsoleHandle. // The console API is not thread-safe and these values must be set to null or we run into issues // with all the other console functions since they continue using these values, we also run into // issues with strict handle checking. (dmex) processParameters = NtCurrentPeb()->ProcessParameters; processParameters->StandardInput = NULL; processParameters->StandardOutput = NULL; processParameters->StandardError = NULL; processParameters->ConsoleHandle = NULL; } /** * Retrieve a standard I/O handle for the current process. * * \param[in] StdHandle One of `STD_INPUT_HANDLE`, `STD_OUTPUT_HANDLE` or `STD_ERROR_HANDLE`. * \return HANDLE The appropriate standard handle. On older Windows versions, returns the value * from the PEB's `ProcessParameters`. If `StdHandle` is invalid on those versions, * returns `INVALID_HANDLE_VALUE`. On newer versions, returns the value returned by `GetStdHandle`. */ HANDLE PhGetStdHandle( _In_ ULONG StdHandle ) { if (WindowsVersion < WINDOWS_NEW) { switch (StdHandle) { case STD_INPUT_HANDLE: return NtCurrentPeb()->ProcessParameters->StandardInput; case STD_OUTPUT_HANDLE: return NtCurrentPeb()->ProcessParameters->StandardOutput; case STD_ERROR_HANDLE: return NtCurrentPeb()->ProcessParameters->StandardError; } return INVALID_HANDLE_VALUE; } else { return GetStdHandle(StdHandle); } } /** * Query the list of process identifiers attached to a console. * * \param[in] ProcessId Handle to the process whose console should be queried. * \param[in] ProcessCount Number of entries the `ProcessList` buffer can hold. * \param[out] ProcessList Buffer that receives the list of process identifiers (ULONG values). * \param[out] ProcessTotal Receives the total number of processes attached to the console. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetConsoleProcessList( _In_ HANDLE ProcessId, _In_ ULONG ProcessCount, _Out_writes_(ProcessCount) PULONG ProcessList, _Out_ PULONG ProcessTotal ) { NTSTATUS status; status = PhAttachConsole(ProcessId); if (NT_SUCCESS(status)) { if (*ProcessTotal = GetConsoleProcessList(ProcessList, ProcessCount)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); } PhFreeConsole(); return status; } /** * Update the console foreground window for a console process. * * \param[in] ProcessHandle Handle to the target console process. * \param[in] Foreground Non-zero to set the foreground flag; zero to clear it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhConsoleSetForeground( _In_ HANDLE ProcessHandle, _In_ BOOLEAN Foreground ) { NTSTATUS status; CONSOLESETFOREGROUND consoleInfo; if (!ConsoleControl_Import()) return STATUS_NOT_SUPPORTED; consoleInfo.ProcessHandle = ProcessHandle; consoleInfo.Foreground = !!Foreground; status = ConsoleControl_Import()( ConsoleSetForeground, &consoleInfo, sizeof(CONSOLESETFOREGROUND) ); return status; } /** * Notify the console subsystem that a console application created a new window. * * \param[in] ProcessID Handle representing the process that created the new window. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhConsoleNotifyWindow( _In_ HANDLE ProcessID ) { NTSTATUS status; CONSOLE_PROCESS_INFO consoleProcessInfo; if (!ConsoleControl_Import()) return STATUS_NOT_SUPPORTED; consoleProcessInfo.Flags = CPI_NEWPROCESSWINDOW; consoleProcessInfo.ProcessID = HandleToUlong(ProcessID); status = ConsoleControl_Import()( ConsoleNotifyConsoleApplication, &consoleProcessInfo, sizeof(CONSOLE_PROCESS_INFO) ); return status; } /** * Updates the psuedo owner of the console window. * * \param[in] ProcessID Handle representing the process whose console window owner is being set. * \param[in] ThreadId Handle representing the thread associated with the window owner. * \param[in] WindowHandle Window handle (HWND) to associate with the console process/thread. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhConsoleSetWindow( _In_ HANDLE ProcessID, _In_ HANDLE ThreadId, _In_ HWND WindowHandle ) { NTSTATUS status; CONSOLEWINDOWOWNER consoleInfo; if (!ConsoleControl_Import()) return STATUS_NOT_SUPPORTED; consoleInfo.ProcessId = HandleToUlong(ProcessID); consoleInfo.ThreadId = HandleToUlong(ThreadId); consoleInfo.WindowHandle = WindowHandle; status = ConsoleControl_Import()( ConsoleSetWindowOwner, &consoleInfo, sizeof(CONSOLEWINDOWOWNER) ); return status; } /** * \brief Request the console subsystem to end a console task (send console event). * * Builds a `CONSOLEENDTASK` structure and invokes the `ConsoleEndTask` `ConsoleControl` operation. * The `ConsoleEventCode` is set to `CTRL_C_EVENT` and `ConsoleFlags` is zeroed. * * \param[in] ProcessId Handle of the process whose console task should be ended. * \param[in] WindowHandle Window handle (HWND) associated with the console to be signaled. * \return NTSTATUS Successful or errant status. * \remarks The semantics of ending a console task are determined by the console subsystem; callers * should ensure they understand the impact of sending `CTRL_C_EVENT` to the target console. */ NTSTATUS PhConsoleEndTask( _In_ HANDLE ProcessId, _In_ HWND WindowHandle ) { NTSTATUS status; CONSOLEENDTASK consoleInfo; if (!ConsoleControl_Import()) return STATUS_NOT_SUPPORTED; consoleInfo.ProcessId = ProcessId; consoleInfo.WindowHandle = WindowHandle; consoleInfo.ConsoleEventCode = CTRL_C_EVENT; consoleInfo.ConsoleFlags = 0; status = ConsoleControl_Import()( ConsoleEndTask, &consoleInfo, sizeof(CONSOLEENDTASK) ); return status; } ================================================ FILE: phlib/phlib.vcxproj ================================================ Debug Win32 Debug x64 Debug ARM64 Release Win32 Release x64 Release ARM64 17.0 {477D0215-F252-41A1-874B-F27E3EA1ED17} Win32Proj phlib phlib $(LatestTargetPlatformVersion) StaticLibrary StaticLibrary StaticLibrary StaticLibrary StaticLibrary StaticLibrary $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)bin\$(Configuration)$(PlatformArchitecture)\ $(ProjectDir)obj\$(Configuration)$(PlatformArchitecture)\ $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;%(AdditionalIncludeDirectories) _PHLIB_;%(PreprocessorDefinitions) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);..\tools\thirdparty\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) kphlib_um.lib;thirdparty.lib;%(AdditionalDependencies) $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;%(AdditionalIncludeDirectories) _PHLIB_;%(PreprocessorDefinitions) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);..\tools\thirdparty\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) kphlib_um.lib;thirdparty.lib;%(AdditionalDependencies) $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;%(AdditionalIncludeDirectories) _PHLIB_;%(PreprocessorDefinitions) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);..\tools\thirdparty\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) kphlib_um.lib;thirdparty.lib;%(AdditionalDependencies) $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;%(AdditionalIncludeDirectories) _PHLIB_;%(PreprocessorDefinitions) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);..\tools\thirdparty\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) kphlib_um.lib;thirdparty.lib;%(AdditionalDependencies) $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;%(AdditionalIncludeDirectories) _PHLIB_;%(PreprocessorDefinitions) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);..\tools\thirdparty\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) kphlib_um.lib;thirdparty.lib;%(AdditionalDependencies) $(SolutionDir)phnt\include;$(SolutionDir)phlib\include;$(SolutionDir)kphlib\include;%(AdditionalIncludeDirectories) _PHLIB_;%(PreprocessorDefinitions) $(SolutionDir)kphlib\bin\$(Configuration)$(PlatformArchitecture);..\tools\thirdparty\bin\$(Configuration)$(PlatformArchitecture);%(AdditionalLibraryDirectories) kphlib_um.lib;thirdparty.lib;%(AdditionalDependencies) ================================================ FILE: phlib/phlib.vcxproj.filters ================================================  {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hpp;hxx;hm;inl;inc;xsd Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files ================================================ FILE: phlib/provider.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ /* * Provider objects allow a function to be executed periodically. This is managed by a * synchronization timer object which is signaled periodically. The use of a timer object as opposed * to a simple sleep call means that the length of time a provider function takes to execute has no * effect on the interval between runs. * * In contrast to callback objects, the context passed to provider functions must be * reference-counted objects. This means that it is not guaranteed that the function will not be in * execution after the unregister operation is complete. However, the since the context object is * reference-counted, there are no safety issues. * * Providers can be boosted, which causes them to be run immediately ignoring the interval. This is * separate to the periodic runs, and does not cause the next periodic run to be missed. Providers, * even when boosted, always run on the same provider thread. The other option would be to have the * boosting thread run the provider function directly, which would involve unnecessary blocking and * synchronization. */ #include #include #include #ifdef DEBUG PPH_LIST PhDbgProviderList; PH_QUEUED_LOCK PhDbgProviderListLock = PH_QUEUED_LOCK_INIT; #endif /** * Initializes a provider thread. * * \param ProviderThread A pointer to a provider thread object. * \param Interval The interval between each run, in milliseconds. */ VOID PhInitializeProviderThread( _Out_ PPH_PROVIDER_THREAD ProviderThread, _In_ ULONG Interval ) { ProviderThread->ThreadHandle = NULL; ProviderThread->TimerHandle = NULL; ProviderThread->Interval = Interval; ProviderThread->State = ProviderThreadStopped; PhInitializeQueuedLock(&ProviderThread->Lock); InitializeListHead(&ProviderThread->ListHead); ProviderThread->BoostCount = 0; ProviderThread->Flags = 0; #ifdef DEBUG PhAcquireQueuedLockExclusive(&PhDbgProviderListLock); if (!PhDbgProviderList) PhDbgProviderList = PhCreateList(4); PhAddItemList(PhDbgProviderList, ProviderThread); PhReleaseQueuedLockExclusive(&PhDbgProviderListLock); #endif } /** * Frees resources used by a provider thread. * * \param ProviderThread A pointer to a provider thread object. */ VOID PhDeleteProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread ) { #ifdef DEBUG ULONG index; #endif // Nothing #ifdef DEBUG PhAcquireQueuedLockExclusive(&PhDbgProviderListLock); if ((index = PhFindItemList(PhDbgProviderList, ProviderThread)) != ULONG_MAX) PhRemoveItemList(PhDbgProviderList, index); PhReleaseQueuedLockExclusive(&PhDbgProviderListLock); #endif } /** * The start routine for the provider thread. * * \param Parameter A pointer to user-defined data passed to the thread. * \return NTSTATUS status code indicating success or failure of the thread routine. */ _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI PhpProviderThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; PPH_PROVIDER_THREAD providerThread = (PPH_PROVIDER_THREAD)Parameter; NTSTATUS status = STATUS_SUCCESS; PLIST_ENTRY listEntry; PPH_PROVIDER_REGISTRATION registration; PPH_PROVIDER_FUNCTION providerFunction; PVOID object; LIST_ENTRY tempListHead; PhSetThreadName(NtCurrentThread(), L"ProviderThread"); PhInitializeAutoPool(&autoPool); while (providerThread->State != ProviderThreadStopping) { // Keep removing and executing providers from the list until there are no more. Each removed // provider will be placed on the temporary list. After this is done, all providers on the // temporary list will be re-added to the list again. // // The key to this working safely with the other functions (boost, register, unregister) is // that at all times when the mutex is not acquired every single provider must be in a list // (main list or the temp list). InitializeListHead(&tempListHead); PhAcquireQueuedLockExclusive(&providerThread->Lock); // Main loop. // We check the status variable for STATUS_ALERTED, which means that someone is requesting // that a provider be boosted. Note that if they alert this thread while we are not waiting // on the timer, when we do perform the wait it will return immediately with STATUS_ALERTED. while (TRUE) { if (status == STATUS_ALERTED) { // Check if we have any more providers to boost. Note that this always works because // boosted providers are always in front of normal providers. Therefore we will // never mistakenly boost normal providers. if (providerThread->BoostCount == 0) break; } listEntry = RemoveHeadList(&providerThread->ListHead); if (listEntry == &providerThread->ListHead) break; registration = CONTAINING_RECORD(listEntry, PH_PROVIDER_REGISTRATION, ListEntry); // Add the provider to the temp list. InsertTailList(&tempListHead, listEntry); if (status != STATUS_ALERTED) { if (!registration->Enabled || registration->Unregistering) continue; } else { // If we're boosting providers, we don't care if they are enabled or not. However, // we have to make sure any providers which are being unregistered get a chance to // fix the boost count. if (registration->Unregistering) { PhReleaseQueuedLockExclusive(&providerThread->Lock); PhAcquireQueuedLockExclusive(&providerThread->Lock); continue; } } if (status == STATUS_ALERTED) { assert(registration->Boosting); registration->Boosting = FALSE; providerThread->BoostCount--; } providerFunction = registration->Function; object = registration->Object; if (object) PhReferenceObject(object); registration->RunId++; PhReleaseQueuedLockExclusive(&providerThread->Lock); if (PhAcquireRundownProtection(®istration->RundownProtect)) { providerFunction(object); PhReleaseRundownProtection(®istration->RundownProtect); } PhDrainAutoPool(&autoPool); PhAcquireQueuedLockExclusive(&providerThread->Lock); if (object) PhDereferenceObject(object); } // Re-add the items in the temp list to the main list. while ((listEntry = RemoveHeadList(&tempListHead)) != &tempListHead) { registration = CONTAINING_RECORD(listEntry, PH_PROVIDER_REGISTRATION, ListEntry); // We must insert boosted providers at the front of the list in order to maintain the // condition that boosted providers are always in front of normal providers. This occurs // when the timer is signaled just before a boosting provider alerts our thread. if (!registration->Boosting) InsertTailList(&providerThread->ListHead, listEntry); else InsertHeadList(&providerThread->ListHead, listEntry); } PhReleaseQueuedLockExclusive(&providerThread->Lock); // Perform an alertable wait so we can be woken up by someone telling us to boost providers, // or to terminate. status = NtWaitForSingleObject( providerThread->TimerHandle, TRUE, NULL ); } PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } /** * Starts a provider thread. * * \param ProviderThread A pointer to a provider thread object. */ NTSTATUS PhStartProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread ) { NTSTATUS status; if (ProviderThread->State != ProviderThreadStopped) return STATUS_PENDING; // // Create the synchronization timer. // if (WindowsVersion >= WINDOWS_11 && ProviderThread->UseHighResolution && NtCreateTimer2_Import()) { status = NtCreateTimer2_Import()( &ProviderThread->TimerHandle, NULL, NULL, TIMER2_BUILD_ATTRIBUTES(SynchronizationTimer, TRUE), TIMER_ALL_ACCESS ); } else { status = STATUS_UNSUCCESSFUL; } if (!NT_SUCCESS(status)) { OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); status = NtCreateTimer( &ProviderThread->TimerHandle, TIMER_ALL_ACCESS, &objectAttributes, SynchronizationTimer ); } if (!NT_SUCCESS(status)) return status; // Set the run interval for the timer. status = PhSetIntervalProviderThread( ProviderThread, ProviderThread->Interval ); if (!NT_SUCCESS(status)) { NtClose(ProviderThread->TimerHandle); ProviderThread->TimerHandle = NULL; return status; } // Create and start the thread. status = PhCreateUserThread( NtCurrentProcess(), NULL, THREAD_ALL_ACCESS, // THREAD_ALERT | SYNCHRONIZE, 0, 0, 0, 0, PhpProviderThreadStart, ProviderThread, &ProviderThread->ThreadHandle, NULL ); if (!NT_SUCCESS(status)) { NtClose(ProviderThread->TimerHandle); ProviderThread->TimerHandle = NULL; return status; } ProviderThread->State = ProviderThreadRunning; return STATUS_SUCCESS; } /** * Stops a provider thread. * * \param ProviderThread A pointer to a provider thread object. */ VOID PhStopProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread ) { if (ProviderThread->State != ProviderThreadRunning) return; // Verify all providers are unregistered PhAcquireQueuedLockExclusive(&ProviderThread->Lock); if (!IsListEmpty(&ProviderThread->ListHead)) { PhReleaseQueuedLockExclusive(&ProviderThread->Lock); assert(FALSE && "Stopping provider thread with active registrations"); } else { PhReleaseQueuedLockExclusive(&ProviderThread->Lock); } // Signal to the thread that we are shutting down, and wait for it to exit. ProviderThread->State = ProviderThreadStopping; NtAlertThread(ProviderThread->ThreadHandle); // wake it up NtWaitForSingleObject(ProviderThread->ThreadHandle, FALSE, NULL); // Free resources. NtClose(ProviderThread->ThreadHandle); ProviderThread->ThreadHandle = NULL; NtClose(ProviderThread->TimerHandle); ProviderThread->TimerHandle = NULL; ProviderThread->State = ProviderThreadStopped; } /** * Sets the run interval for a provider thread. * * \param ProviderThread A pointer to a provider thread object. * \param Interval The interval between each run, in milliseconds. */ NTSTATUS PhSetIntervalProviderThread( _Inout_ PPH_PROVIDER_THREAD ProviderThread, _In_ LONG Interval ) { LARGE_INTEGER interval; if (Interval < 0) return STATUS_INVALID_PARAMETER; // Prevent intervals > 24 hours (86400000 ms) if (Interval > (24 * 60 * 60 * 1000)) return STATUS_INVALID_PARAMETER; if (!ProviderThread->TimerHandle) return STATUS_INVALID_HANDLE; ProviderThread->Interval = Interval; interval.QuadPart = -(LONGLONG)UInt32x32To64(Interval, PH_TIMEOUT_MS); if (WindowsVersion >= WINDOWS_11 && ProviderThread->UseHighResolution && NtSetTimer2_Import()) { LARGE_INTEGER period; T2_SET_PARAMETERS timerParameters; period.QuadPart = UInt32x32To64(Interval, PH_TIMEOUT_MS); memset(&timerParameters, 0, sizeof(T2_SET_PARAMETERS)); timerParameters.Version = TIMER2_SET_PARAMETERS_CURRENT_VERSION; timerParameters.NoWakeTolerance = 0; return NtSetTimer2_Import()( ProviderThread->TimerHandle, &interval, &period, &timerParameters ); } return NtSetTimer( ProviderThread->TimerHandle, &interval, NULL, NULL, FALSE, Interval, NULL ); } /** * Registers a provider with a provider thread. * * \param ProviderThread A pointer to a provider thread object. * \param Function The provider function. * \param Object A pointer to an object to pass to the provider function. The object must be managed * by the reference-counting system. * \param Registration A variable which receives registration information for the provider. * \remarks The provider is initially disabled. Call PhSetEnabledProvider() to enable it. */ VOID PhRegisterProvider( _Inout_ PPH_PROVIDER_THREAD ProviderThread, _In_ PPH_PROVIDER_FUNCTION Function, _In_opt_ PVOID Object, _Out_ PPH_PROVIDER_REGISTRATION Registration ) { PhInitializeRundownProtection(&Registration->RundownProtect); Registration->ProviderThread = ProviderThread; Registration->Function = Function; Registration->Object = Object; Registration->RunId = 0; Registration->Enabled = FALSE; Registration->Unregistering = FALSE; Registration->Boosting = FALSE; if (Object) PhReferenceObject(Object); PhAcquireQueuedLockExclusive(&ProviderThread->Lock); InsertTailList(&ProviderThread->ListHead, &Registration->ListEntry); PhReleaseQueuedLockExclusive(&ProviderThread->Lock); } /** * Unregisters a provider. * * \param Registration A pointer to the registration object for a provider. * \remarks The provider function may still be in execution once this function returns. */ VOID PhUnregisterProvider( _Inout_ PPH_PROVIDER_REGISTRATION Registration ) { PPH_PROVIDER_THREAD providerThread; providerThread = Registration->ProviderThread; Registration->Unregistering = TRUE; // There are two possibilities for removal: // 1. The provider is removed while the thread is not in the main loop. This is the normal case. // 2. The provider is removed while the thread is in the main loop. In that case the provider // will be removed from the temp list and so it won't be re-added to the main list. PhAcquireQueuedLockExclusive(&providerThread->Lock); RemoveEntryList(&Registration->ListEntry); // Fix the boost count. if (Registration->Boosting) providerThread->BoostCount--; PhReleaseQueuedLockExclusive(&providerThread->Lock); PhWaitForRundownProtection(&Registration->RundownProtect); // Reacquire the lock to safely dereference the object PhAcquireQueuedLockExclusive(&providerThread->Lock); // The user-supplied object must be dereferenced // while the mutex is held. if (Registration->Object) PhDereferenceObject(Registration->Object); PhReleaseQueuedLockExclusive(&providerThread->Lock); } /** * Causes a provider to be queued for immediate execution. * * \param Registration A pointer to the registration object for a provider. * \param FutureRunId A variable which receives the run ID of the future run. * \return TRUE if the operation was successful; FALSE if the provider is being unregistered, the * provider is already being boosted, or the provider thread is not running. * \remarks Boosted providers will be run immediately, ignoring the run interval. Boosting will not * however affect the normal runs. */ _Use_decl_annotations_ BOOLEAN PhBoostProvider( _Inout_ PPH_PROVIDER_REGISTRATION Registration, _Out_opt_ PULONG FutureRunId ) { PPH_PROVIDER_THREAD providerThread; ULONG futureRunId; providerThread = Registration->ProviderThread; // Simply move to the provider to the front of the list. This works even if the provider is // currently in the temp list. PhAcquireQueuedLockExclusive(&providerThread->Lock); // Abort if the provider is already being boosted, unregistering, or the provider thread is stopping/stopped. if (Registration->Unregistering || Registration->Boosting || providerThread->State != ProviderThreadRunning) { PhReleaseQueuedLockExclusive(&providerThread->Lock); return FALSE; } RemoveEntryList(&Registration->ListEntry); InsertHeadList(&providerThread->ListHead, &Registration->ListEntry); Registration->Boosting = TRUE; providerThread->BoostCount++; futureRunId = Registration->RunId + 1; PhReleaseQueuedLockExclusive(&providerThread->Lock); // Wake up the thread. NtAlertThread(providerThread->ThreadHandle); if (FutureRunId) *FutureRunId = futureRunId; return TRUE; } /** * Gets the current run ID of a provider. * * \param Registration A pointer to the registration object for a provider. */ ULONG PhGetRunIdProvider( _In_ PPH_PROVIDER_REGISTRATION Registration ) { return Registration->RunId; } /** * Gets whether a provider is enabled. * * \param Registration A pointer to the registration object for a provider. */ BOOLEAN PhGetEnabledProvider( _In_ PPH_PROVIDER_REGISTRATION Registration ) { PPH_PROVIDER_THREAD providerThread; BOOLEAN enabled; providerThread = Registration->ProviderThread; PhAcquireQueuedLockShared(&providerThread->Lock); enabled = !!Registration->Enabled; PhReleaseQueuedLockShared(&providerThread->Lock); return enabled; } /** * Sets whether a provider is enabled. * * \param Registration A pointer to the registration object for a provider. * \param Enabled TRUE if the provider is enabled, otherwise FALSE. */ VOID PhSetEnabledProvider( _Inout_ PPH_PROVIDER_REGISTRATION Registration, _In_ BOOLEAN Enabled ) { PPH_PROVIDER_THREAD providerThread; providerThread = Registration->ProviderThread; PhAcquireQueuedLockExclusive(&providerThread->Lock); Registration->Enabled = Enabled; PhReleaseQueuedLockExclusive(&providerThread->Lock); } /** * Sets whether a provider thread uses a high-resolution timer. * * \param ProviderThread A pointer to the provider thread object. * \param UseHighResolutionTimer TRUE to use a high-resolution timer, otherwise FALSE. */ VOID PhSetHighResolutionProvider( _Inout_ PPH_PROVIDER_THREAD ProviderThread, _In_ BOOLEAN UseHighResolution ) { ProviderThread->UseHighResolution = !!UseHighResolution; } ================================================ FILE: phlib/queuedlock.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * */ /* * Queued lock, a.k.a. push lock (kernel-mode) or slim reader-writer lock (user-mode). * * The queued lock is: * * Around 10% faster than the fast lock. * * Only the size of a pointer. * * Low on resource usage (no additional kernel objects are created for blocking). * * The usual flags are used for contention-free acquire/release. When there is contention, * stack-based wait blocks are chained. The first wait block contains the shared owners count which * is decremented by shared releasers. * * Naturally these wait blocks would be chained in FILO order, but list optimization is done for two * purposes: * * Finding the last wait block (where the shared owners count is stored). This is implemented by * the Last pointer. * * Unblocking the wait blocks in FIFO order. This is implemented by the Previous pointer. * * The optimization is incremental - each optimization run will stop at the first optimized wait * block. Any needed optimization is completed just before waking waiters. * * The waiters list/chain has the following restrictions: * * At any time wait blocks may be pushed onto the list. * * While waking waiters, the list may not be traversed nor optimized. * * When there are multiple shared owners, shared releasers may traverse the list (to find the last * wait block). This is not an issue because waiters wouldn't be woken until there are no more * shared owners. * * List optimization may be done at any time except for when someone else is waking waiters. This * is controlled by the traversing bit. * * The traversing bit has the following rules: * * The list may be optimized only after the traversing bit is set, checking that it wasn't set * already. If it was set, it would indicate that someone else is optimizing the list or waking * waiters. * * Before waking waiters the traversing bit must be set. If it was set already, just clear the * owned bit. * * If during list optimization the owned bit is detected to be cleared, the function begins waking * waiters. This is because the owned bit is cleared when a releaser fails to set the traversing * bit. * * Blocking is implemented through a process-wide keyed event. A spin count is also used before * blocking on the keyed event. * * Queued locks can act as condition variables, with wait, pulse and pulse all support. Waiters are * released in FIFO order. * * Queued locks can act as wake events. These are designed for tiny one-bit locks which share a * single event to block on. Spurious wake-ups are a part of normal operation. */ #include #include #include #include VOID FASTCALL PhpfOptimizeQueuedLockList( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value ); VOID FASTCALL PhpfWakeQueuedLock( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value ); VOID FASTCALL PhpfWakeQueuedLockEx( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value, _In_ BOOLEAN IgnoreOwned, _In_ BOOLEAN WakeAll ); static HANDLE PhQueuedLockKeyedEventHandle; static ULONG PhQueuedLockSpinCount = 2000; NTSTATUS PhQueuedLockInitialization( VOID ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); status = NtCreateKeyedEvent( &PhQueuedLockKeyedEventHandle, KEYEDEVENT_ALL_ACCESS, &objectAttributes, 0 ); if (NT_SUCCESS(status)) return status; if (PhSystemBasicInformation.NumberOfProcessors > 1) PhQueuedLockSpinCount = 4000; else PhQueuedLockSpinCount = 0; return status; } /** * Pushes a wait block onto a queued lock's waiters list. * * \param QueuedLock A queued lock. * \param Value The current value of the queued lock. * \param Exclusive Whether the wait block is in exclusive mode. * \param WaitBlock A variable which receives the resulting wait block structure. * \param Optimize A variable which receives a boolean indicating whether to optimize the waiters * list. * \param NewValue The old value of the queued lock. This value is useful only if the function * returns FALSE. * \param CurrentValue The new value of the queued lock. This value is useful only if the function * returns TRUE. * * \return TRUE if the wait block was pushed onto the waiters list, otherwise FALSE. * * \remarks * \li The function assumes the following flags are set: * \ref PH_QUEUED_LOCK_OWNED. * \li Do not move the wait block location after this function is called. * \li The \a Optimize boolean is a hint to call PhpfOptimizeQueuedLockList() if the function * succeeds. It is recommended, but not essential that this occurs. * \li Call PhpBlockOnQueuedWaitBlock() to wait for the wait block to be unblocked. */ FORCEINLINE BOOLEAN PhpPushQueuedWaitBlock( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value, _In_ BOOLEAN Exclusive, _Out_ PPH_QUEUED_WAIT_BLOCK WaitBlock, _Out_ PBOOLEAN Optimize, _Out_ PULONG_PTR NewValue, _Out_ PULONG_PTR CurrentValue ) { ULONG_PTR newValue; BOOLEAN optimize; WaitBlock->Previous = NULL; // set later by optimization optimize = FALSE; if (Exclusive) WaitBlock->Flags = PH_QUEUED_WAITER_EXCLUSIVE | PH_QUEUED_WAITER_SPINNING; else WaitBlock->Flags = PH_QUEUED_WAITER_SPINNING; if (Value & PH_QUEUED_LOCK_WAITERS) { // We're not the first waiter. WaitBlock->Last = NULL; // set later by optimization WaitBlock->Next = PhGetQueuedLockWaitBlock(Value); WaitBlock->SharedOwners = 0; // Push our wait block onto the list. // Set the traversing bit because we'll be optimizing the list. newValue = ((ULONG_PTR)WaitBlock) | (Value & PH_QUEUED_LOCK_FLAGS) | PH_QUEUED_LOCK_TRAVERSING; if (!(Value & PH_QUEUED_LOCK_TRAVERSING)) optimize = TRUE; } else { // We're the first waiter. WaitBlock->Last = WaitBlock; // indicate that this is the last wait block if (Exclusive) { // We're the first waiter. Save the shared owners count. WaitBlock->SharedOwners = (ULONG)PhGetQueuedLockSharedOwners(Value); if (WaitBlock->SharedOwners > 1) { newValue = ((ULONG_PTR)WaitBlock) | PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_WAITERS | PH_QUEUED_LOCK_MULTIPLE_SHARED; } else { newValue = ((ULONG_PTR)WaitBlock) | PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_WAITERS; } } else { // We're waiting in shared mode, which means there can't be any shared owners (otherwise // we would've acquired the lock already). WaitBlock->SharedOwners = 0; newValue = ((ULONG_PTR)WaitBlock) | PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_WAITERS; } } *Optimize = optimize; *CurrentValue = newValue; newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)Value ); *NewValue = newValue; return newValue == Value; } /** * Finds the last wait block in the waiters list. * * \param Value The current value of the queued lock. * * \return A pointer to the last wait block. * * \remarks The function assumes the following flags are set: * \ref PH_QUEUED_LOCK_WAITERS, * \ref PH_QUEUED_LOCK_MULTIPLE_SHARED or * \ref PH_QUEUED_LOCK_TRAVERSING. */ FORCEINLINE PPH_QUEUED_WAIT_BLOCK PhpFindLastQueuedWaitBlock( _In_ ULONG_PTR Value ) { PPH_QUEUED_WAIT_BLOCK waitBlock; PPH_QUEUED_WAIT_BLOCK lastWaitBlock; waitBlock = PhGetQueuedLockWaitBlock(Value); // Traverse the list until we find the last wait block. // The Last pointer should be set by list optimization, allowing us to skip all, if not most of // the wait blocks. while (TRUE) { lastWaitBlock = waitBlock->Last; if (lastWaitBlock) { // Follow the Last pointer. This can mean two things: the pointer was set by list // optimization, or this wait block is actually the last wait block (set when it was // pushed onto the list). waitBlock = lastWaitBlock; break; } waitBlock = waitBlock->Next; } return waitBlock; } /** * Waits for a wait block to be unblocked. * * \param WaitBlock A wait block. * \param Spin TRUE to spin, FALSE to block immediately. * \param Timeout A timeout value. */ _May_raise_ FORCEINLINE NTSTATUS PhpBlockOnQueuedWaitBlock( _Inout_ PPH_QUEUED_WAIT_BLOCK WaitBlock, _In_ BOOLEAN Spin, _In_opt_ PLARGE_INTEGER Timeout ) { NTSTATUS status; ULONG i; if (Spin) { PHLIB_INC_STATISTIC(QlBlockSpins); for (i = PhQueuedLockSpinCount; i != 0; i--) { if (!(ReadULongAcquire(&WaitBlock->Flags) & PH_QUEUED_WAITER_SPINNING)) return STATUS_SUCCESS; YieldProcessor(); } } if (_interlockedbittestandreset((PLONG)&WaitBlock->Flags, PH_QUEUED_WAITER_SPINNING_SHIFT)) { PHLIB_INC_STATISTIC(QlBlockWaits); status = NtWaitForKeyedEvent( PhQueuedLockKeyedEventHandle, WaitBlock, FALSE, Timeout ); // If an error occurred (timeout is not an error), raise an exception as it is nearly // impossible to recover from this situation. if (!NT_SUCCESS(status)) PhRaiseStatus(status); } else { status = STATUS_SUCCESS; } return status; } /** * Unblocks a wait block. * * \param WaitBlock A wait block. * * \remarks The wait block is in an undefined state after it is unblocked. Do not attempt to read * any values from it. All relevant information should be saved before unblocking the wait block. */ _May_raise_ FORCEINLINE VOID PhpUnblockQueuedWaitBlock( _Inout_ PPH_QUEUED_WAIT_BLOCK WaitBlock ) { NTSTATUS status; if (!_interlockedbittestandreset((PLONG)&WaitBlock->Flags, PH_QUEUED_WAITER_SPINNING_SHIFT)) { if (!NT_SUCCESS(status = NtReleaseKeyedEvent( PhQueuedLockKeyedEventHandle, WaitBlock, FALSE, NULL ))) PhRaiseStatus(status); } } /** * Optimizes a queued lock waiters list. * * \param QueuedLock A queued lock. * \param Value The current value of the queued lock. * \param IgnoreOwned TRUE to ignore lock state, FALSE to conduct normal checks. * * \remarks The function assumes the following flags are set: * \ref PH_QUEUED_LOCK_WAITERS, \ref PH_QUEUED_LOCK_TRAVERSING. */ FORCEINLINE VOID PhpOptimizeQueuedLockListEx( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value, _In_ BOOLEAN IgnoreOwned ) { ULONG_PTR value; ULONG_PTR newValue; PPH_QUEUED_WAIT_BLOCK waitBlock; PPH_QUEUED_WAIT_BLOCK firstWaitBlock; PPH_QUEUED_WAIT_BLOCK lastWaitBlock; PPH_QUEUED_WAIT_BLOCK previousWaitBlock; value = ReadULongPtrAcquire(&Value); while (TRUE) { assert(value & PH_QUEUED_LOCK_TRAVERSING); if (!IgnoreOwned && !(value & PH_QUEUED_LOCK_OWNED)) { // Someone has requested that we wake waiters. PhpfWakeQueuedLock(QueuedLock, value); break; } // Perform the optimization. waitBlock = PhGetQueuedLockWaitBlock(value); firstWaitBlock = waitBlock; while (TRUE) { lastWaitBlock = waitBlock->Last; if (lastWaitBlock) { // Save a pointer to the last wait block in the first wait block and stop // optimizing. // // We don't need to continue setting Previous pointers because the last optimization // run would have set them already. firstWaitBlock->Last = lastWaitBlock; break; } previousWaitBlock = waitBlock; waitBlock = waitBlock->Next; waitBlock->Previous = previousWaitBlock; } // Try to clear the traversing bit. newValue = value - PH_QUEUED_LOCK_TRAVERSING; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) break; // Either someone pushed a wait block onto the list or someone released ownership. In either // case we need to go back. value = newValue; } } /** * Optimizes a queued lock waiters list. * * \param QueuedLock A queued lock. * \param Value The current value of the queued lock. * * \remarks The function assumes the following flags are set: * \ref PH_QUEUED_LOCK_WAITERS, \ref PH_QUEUED_LOCK_TRAVERSING. */ VOID FASTCALL PhpfOptimizeQueuedLockList( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value ) { PhpOptimizeQueuedLockListEx(QueuedLock, Value, FALSE); } /** * Dequeues the appropriate number of wait blocks in a queued lock. * * \param QueuedLock A queued lock. * \param Value The current value of the queued lock. * \param IgnoreOwned TRUE to ignore lock state, FALSE to conduct normal checks. * \param WakeAll TRUE to remove all wait blocks, FALSE to decide based on the wait block type. */ FORCEINLINE PPH_QUEUED_WAIT_BLOCK PhpPrepareToWakeQueuedLock( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value, _In_ BOOLEAN IgnoreOwned, _In_ BOOLEAN WakeAll ) { ULONG_PTR value; ULONG_PTR newValue; PPH_QUEUED_WAIT_BLOCK waitBlock; PPH_QUEUED_WAIT_BLOCK firstWaitBlock; PPH_QUEUED_WAIT_BLOCK lastWaitBlock; PPH_QUEUED_WAIT_BLOCK previousWaitBlock; value = ReadULongPtrAcquire(&Value); while (TRUE) { // If there are multiple shared owners, no one is going to wake waiters since the lock would // still be owned. Also if there are multiple shared owners they may be traversing the list. // While that is safe when done concurrently with list optimization, we may be removing and // waking waiters. assert(!(value & PH_QUEUED_LOCK_MULTIPLE_SHARED)); assert(IgnoreOwned || (value & PH_QUEUED_LOCK_TRAVERSING)); // There's no point in waking a waiter if the lock is owned. Clear the traversing bit. while (!IgnoreOwned && (value & PH_QUEUED_LOCK_OWNED)) { newValue = value - PH_QUEUED_LOCK_TRAVERSING; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) return NULL; value = newValue; } // Finish up any needed optimization (setting the Previous pointers) while finding the last // wait block. waitBlock = PhGetQueuedLockWaitBlock(value); firstWaitBlock = waitBlock; while (TRUE) { lastWaitBlock = waitBlock->Last; if (lastWaitBlock) { waitBlock = lastWaitBlock; break; } previousWaitBlock = waitBlock; waitBlock = waitBlock->Next; waitBlock->Previous = previousWaitBlock; } // Unlink the relevant wait blocks and clear the traversing bit before we wake waiters. if ( !WakeAll && (waitBlock->Flags & PH_QUEUED_WAITER_EXCLUSIVE) && (previousWaitBlock = waitBlock->Previous) ) { // We have an exclusive waiter and there are multiple waiters. We'll only be waking this // waiter. // Unlink the wait block from the list. Although other wait blocks may have their Last // pointers set to this wait block, the algorithm to find the last wait block will stop // here. Likewise the Next pointers are never followed beyond this point, so we don't // need to clear those. firstWaitBlock->Last = previousWaitBlock; // Make sure we only wake this waiter. waitBlock->Previous = NULL; if (!IgnoreOwned) { // Clear the traversing bit. _InterlockedExchangeAddPointer((PLONG_PTR)&QueuedLock->Value, -(LONG_PTR)PH_QUEUED_LOCK_TRAVERSING); } break; } else { // We're waking an exclusive waiter and there is only one waiter, or we are waking a // shared waiter and possibly others. newValue = 0; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) break; // Someone changed the lock (acquired it or pushed a wait block). value = newValue; } } return waitBlock; } /** * Wakes waiters in a queued lock. * * \param QueuedLock A queued lock. * \param Value The current value of the queued lock. * * \remarks The function assumes the following flags are set: * \ref PH_QUEUED_LOCK_WAITERS, \ref PH_QUEUED_LOCK_TRAVERSING. The function assumes the following * flags are not set: * \ref PH_QUEUED_LOCK_MULTIPLE_SHARED. */ VOID FASTCALL PhpfWakeQueuedLock( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value ) { PPH_QUEUED_WAIT_BLOCK waitBlock; PPH_QUEUED_WAIT_BLOCK previousWaitBlock; waitBlock = PhpPrepareToWakeQueuedLock(QueuedLock, Value, FALSE, FALSE); // Wake waiters. while (waitBlock) { previousWaitBlock = waitBlock->Previous; PhpUnblockQueuedWaitBlock(waitBlock); waitBlock = previousWaitBlock; } } /** * Wakes waiters in a queued lock. * * \param QueuedLock A queued lock. * \param Value The current value of the queued lock. * \param IgnoreOwned TRUE to ignore lock state, FALSE to conduct normal checks. * \param WakeAll TRUE to wake all waiters, FALSE to decide based on the wait block type. * * \remarks The function assumes the following flags are set: * \ref PH_QUEUED_LOCK_WAITERS, \ref PH_QUEUED_LOCK_TRAVERSING. The function assumes the following * flags are not set: * \ref PH_QUEUED_LOCK_MULTIPLE_SHARED. */ VOID FASTCALL PhpfWakeQueuedLockEx( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value, _In_ BOOLEAN IgnoreOwned, _In_ BOOLEAN WakeAll ) { PPH_QUEUED_WAIT_BLOCK waitBlock; PPH_QUEUED_WAIT_BLOCK previousWaitBlock; waitBlock = PhpPrepareToWakeQueuedLock(QueuedLock, Value, IgnoreOwned, WakeAll); // Wake waiters. while (waitBlock) { previousWaitBlock = waitBlock->Previous; PhpUnblockQueuedWaitBlock(waitBlock); waitBlock = previousWaitBlock; } } /** * Acquires a queued lock in exclusive mode. * * \param QueuedLock A queued lock. */ VOID FASTCALL PhfAcquireQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { ULONG_PTR value; ULONG_PTR newValue; ULONG_PTR currentValue; BOOLEAN optimize; PH_QUEUED_WAIT_BLOCK waitBlock; value = ReadULongPtrAcquire(&QueuedLock->Value); while (TRUE) { if (!(value & PH_QUEUED_LOCK_OWNED)) { if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)(value + PH_QUEUED_LOCK_OWNED), (PVOID)value )) == value) break; } else { if (PhpPushQueuedWaitBlock( QueuedLock, value, TRUE, &waitBlock, &optimize, &newValue, ¤tValue )) { if (optimize) PhpfOptimizeQueuedLockList(QueuedLock, currentValue); PHLIB_INC_STATISTIC(QlAcquireExclusiveBlocks); PhpBlockOnQueuedWaitBlock(&waitBlock, TRUE, NULL); } } value = newValue; } } /** * Acquires a queued lock in shared mode. * * \param QueuedLock A queued lock. */ VOID FASTCALL PhfAcquireQueuedLockShared( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { ULONG_PTR value; ULONG_PTR newValue; ULONG_PTR currentValue; BOOLEAN optimize; PH_QUEUED_WAIT_BLOCK waitBlock; value = ReadULongPtrAcquire(&QueuedLock->Value); while (TRUE) { // We can't acquire if there are waiters for two reasons: // // We want to prioritize exclusive acquires over shared acquires. There's currently no fast, // safe way of finding the last wait block and incrementing the shared owners count here. if ( !(value & PH_QUEUED_LOCK_WAITERS) && (!(value & PH_QUEUED_LOCK_OWNED) || (PhGetQueuedLockSharedOwners(value) > 0)) ) { newValue = (value + PH_QUEUED_LOCK_SHARED_INC) | PH_QUEUED_LOCK_OWNED; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) break; } else { if (PhpPushQueuedWaitBlock( QueuedLock, value, FALSE, &waitBlock, &optimize, &newValue, ¤tValue )) { if (optimize) PhpfOptimizeQueuedLockList(QueuedLock, currentValue); PHLIB_INC_STATISTIC(QlAcquireSharedBlocks); PhpBlockOnQueuedWaitBlock(&waitBlock, TRUE, NULL); } } value = newValue; } } /** * Releases a queued lock in exclusive mode. * * \param QueuedLock A queued lock. */ VOID FASTCALL PhfReleaseQueuedLockExclusive( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { ULONG_PTR value; ULONG_PTR newValue; ULONG_PTR currentValue; value = ReadULongPtrAcquire(&QueuedLock->Value); while (TRUE) { assert(value & PH_QUEUED_LOCK_OWNED); assert((value & PH_QUEUED_LOCK_WAITERS) || (PhGetQueuedLockSharedOwners(value) == 0)); if ((value & (PH_QUEUED_LOCK_WAITERS | PH_QUEUED_LOCK_TRAVERSING)) != PH_QUEUED_LOCK_WAITERS) { // There are no waiters or someone is traversing the list. // // If there are no waiters, we're simply releasing ownership. If someone is traversing // the list, clearing the owned bit is a signal for them to wake waiters. newValue = value - PH_QUEUED_LOCK_OWNED; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) break; } else { // We need to wake waiters and no one is traversing the list. // Try to set the traversing bit and wake waiters. newValue = value - PH_QUEUED_LOCK_OWNED + PH_QUEUED_LOCK_TRAVERSING; currentValue = newValue; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) { PhpfWakeQueuedLock(QueuedLock, currentValue); break; } } value = newValue; } } /** * Wakes waiters in a queued lock for releasing it in exclusive mode. * * \param QueuedLock A queued lock. * \param Value The current value of the queued lock. * * \remarks The function assumes the following flags are set: * \ref PH_QUEUED_LOCK_WAITERS. The function assumes the following flags are not set: * \ref PH_QUEUED_LOCK_MULTIPLE_SHARED, \ref PH_QUEUED_LOCK_TRAVERSING. */ VOID FASTCALL PhfWakeForReleaseQueuedLock( _Inout_ PPH_QUEUED_LOCK QueuedLock, _In_ ULONG_PTR Value ) { ULONG_PTR newValue; newValue = Value + PH_QUEUED_LOCK_TRAVERSING; if ((ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)Value ) == Value) { PhpfWakeQueuedLock(QueuedLock, newValue); } } /** * Releases a queued lock in shared mode. * * \param QueuedLock A queued lock. */ VOID FASTCALL PhfReleaseQueuedLockShared( _Inout_ PPH_QUEUED_LOCK QueuedLock ) { ULONG_PTR value; ULONG_PTR newValue; ULONG_PTR currentValue; PPH_QUEUED_WAIT_BLOCK waitBlock; value = ReadULongPtrAcquire(&QueuedLock->Value); while (!(value & PH_QUEUED_LOCK_WAITERS)) { assert(value & PH_QUEUED_LOCK_OWNED); assert((value & PH_QUEUED_LOCK_WAITERS) || (PhGetQueuedLockSharedOwners(value) > 0)); if (PhGetQueuedLockSharedOwners(value) > 1) newValue = value - PH_QUEUED_LOCK_SHARED_INC; else newValue = 0; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) return; value = newValue; } if (value & PH_QUEUED_LOCK_MULTIPLE_SHARED) { // Unfortunately we have to find the last wait block and decrement the shared owners count. waitBlock = PhpFindLastQueuedWaitBlock(value); if ((ULONG)_InterlockedDecrement((PLONG)&waitBlock->SharedOwners) > 0) return; } while (TRUE) { if (value & PH_QUEUED_LOCK_TRAVERSING) { newValue = value & ~(PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_MULTIPLE_SHARED); if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) break; } else { newValue = (value & ~(PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_MULTIPLE_SHARED)) | PH_QUEUED_LOCK_TRAVERSING; currentValue = newValue; if ((newValue = (ULONG_PTR)(PULONG_PTR)_InterlockedCompareExchangePointer( (volatile PVOID *)&QueuedLock->Value, (PVOID)newValue, (PVOID)value )) == value) { PhpfWakeQueuedLock(QueuedLock, currentValue); break; } } value = newValue; } } /** * Wakes one thread sleeping on a condition variable. * * \param Condition A condition variable. * * \remarks The associated lock must be acquired before calling the function. */ VOID FASTCALL PhfPulseCondition( _Inout_ PPH_CONDITION Condition ) { if (Condition->Value & PH_QUEUED_LOCK_WAITERS) PhpfWakeQueuedLockEx(Condition, Condition->Value, TRUE, FALSE); } /** * Wakes all threads sleeping on a condition variable. * * \param Condition A condition variable. * * \remarks The associated lock must be acquired before calling the function. */ VOID FASTCALL PhfPulseAllCondition( _Inout_ PPH_CONDITION Condition ) { if (Condition->Value & PH_QUEUED_LOCK_WAITERS) PhpfWakeQueuedLockEx(Condition, Condition->Value, TRUE, TRUE); } /** * Sleeps on a condition variable. * * \param Condition A condition variable. * \param Lock A queued lock to release/acquire in exclusive mode. * \param Timeout Not implemented. * * \remarks The associated lock must be acquired before calling the function. */ _Use_decl_annotations_ VOID FASTCALL PhfWaitForCondition( _Inout_ PPH_CONDITION Condition, _Inout_ PPH_QUEUED_LOCK Lock, _In_opt_ PLARGE_INTEGER Timeout ) { ULONG_PTR value; ULONG_PTR currentValue; PH_QUEUED_WAIT_BLOCK waitBlock; BOOLEAN optimize; value = ReadULongPtrAcquire(&Condition->Value); while (TRUE) { if (PhpPushQueuedWaitBlock( Condition, value, TRUE, &waitBlock, &optimize, &value, ¤tValue )) { if (optimize) { PhpOptimizeQueuedLockListEx(Condition, currentValue, TRUE); } PhReleaseQueuedLockExclusive(Lock); PhpBlockOnQueuedWaitBlock(&waitBlock, FALSE, NULL); // Don't use the inline variant; it is extremely likely that the lock is still owned. PhfAcquireQueuedLockExclusive(Lock); break; } } } /** * Sleeps on a condition variable. * * \param Condition A condition variable. * \param Lock A pointer to a lock. * \param Flags A combination of flags controlling the operation. * \param Timeout Not implemented. */ VOID FASTCALL PhfWaitForConditionEx( _Inout_ PPH_CONDITION Condition, _Inout_ PVOID Lock, _In_ ULONG Flags, _In_opt_ PLARGE_INTEGER Timeout ) { ULONG_PTR value; ULONG_PTR currentValue; PH_QUEUED_WAIT_BLOCK waitBlock; BOOLEAN optimize; value = ReadULongPtrAcquire(&Condition->Value); while (TRUE) { if (PhpPushQueuedWaitBlock( Condition, value, TRUE, &waitBlock, &optimize, &value, ¤tValue )) { if (optimize) { PhpOptimizeQueuedLockListEx(Condition, currentValue, TRUE); } switch (Flags & PH_CONDITION_WAIT_LOCK_TYPE_MASK) { case PH_CONDITION_WAIT_QUEUED_LOCK: __analysis_assume_lock_acquired(*(PPH_QUEUED_LOCK)Lock); if (!(Flags & PH_CONDITION_WAIT_SHARED)) PhReleaseQueuedLockExclusive((PPH_QUEUED_LOCK)Lock); else PhReleaseQueuedLockShared((PPH_QUEUED_LOCK)Lock); break; case PH_CONDITION_WAIT_CRITICAL_SECTION: __analysis_assume_lock_acquired(*(PRTL_CRITICAL_SECTION)Lock); RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)Lock); break; case PH_CONDITION_WAIT_FAST_LOCK: __analysis_assume_lock_acquired(*(PPH_FAST_LOCK)Lock); if (!(Flags & PH_CONDITION_WAIT_SHARED)) PhReleaseFastLockExclusive((PPH_FAST_LOCK)Lock); else PhReleaseFastLockShared((PPH_FAST_LOCK)Lock); break; } if (!(Flags & PH_CONDITION_WAIT_SPIN)) { PhpBlockOnQueuedWaitBlock(&waitBlock, FALSE, NULL); } else { PhpBlockOnQueuedWaitBlock(&waitBlock, TRUE, NULL); } switch (Flags & PH_CONDITION_WAIT_LOCK_TYPE_MASK) { case PH_CONDITION_WAIT_QUEUED_LOCK: if (!(Flags & PH_CONDITION_WAIT_SHARED)) PhfAcquireQueuedLockExclusive((PPH_QUEUED_LOCK)Lock); else PhfAcquireQueuedLockShared((PPH_QUEUED_LOCK)Lock); break; case PH_CONDITION_WAIT_CRITICAL_SECTION: RtlEnterCriticalSection((PRTL_CRITICAL_SECTION)Lock); break; case PH_CONDITION_WAIT_FAST_LOCK: if (!(Flags & PH_CONDITION_WAIT_SHARED)) PhAcquireFastLockExclusive((PPH_FAST_LOCK)Lock); else PhAcquireFastLockShared((PPH_FAST_LOCK)Lock); break; } break; } } } /** * Queues a wait block to a wake event. * * \param WakeEvent A wake event. * \param WaitBlock A wait block. * * \remarks If you later determine that the wait should not occur, you must call PhfSetWakeEvent() * to dequeue the wait block. */ VOID FASTCALL PhfQueueWakeEvent( _Inout_ PPH_WAKE_EVENT WakeEvent, _Out_ PPH_QUEUED_WAIT_BLOCK WaitBlock ) { PPH_QUEUED_WAIT_BLOCK value; PPH_QUEUED_WAIT_BLOCK newValue; WaitBlock->Flags = PH_QUEUED_WAITER_SPINNING; value = _InterlockedCompareExchangePointer((volatile PVOID *)&WakeEvent->Value, NULL, NULL); while (TRUE) { WaitBlock->Next = value; if ((newValue = _InterlockedCompareExchangePointer( (volatile PVOID *)&WakeEvent->Value, WaitBlock, value )) == value) break; value = newValue; } } /** * Sets a wake event, unblocking all queued wait blocks. * * \param WakeEvent A wake event. * \param WaitBlock A wait block for a cancelled wait, otherwise NULL. */ VOID FASTCALL PhfSetWakeEvent( _Inout_ PPH_WAKE_EVENT WakeEvent, _Inout_opt_ PPH_QUEUED_WAIT_BLOCK WaitBlock ) { PPH_QUEUED_WAIT_BLOCK waitBlock; PPH_QUEUED_WAIT_BLOCK nextWaitBlock; // Pop all waiters and unblock them. waitBlock = _InterlockedExchangePointer((volatile PVOID *)&WakeEvent->Value, NULL); while (waitBlock) { nextWaitBlock = waitBlock->Next; PhpUnblockQueuedWaitBlock(waitBlock); waitBlock = nextWaitBlock; } if (WaitBlock) { // We're cancelling a wait; the thread called this function instead of PhfWaitForWakeEvent. // This will remove all waiters from the list. However, we may not have popped and unblocked // the cancelled wait block ourselves. Another thread may have popped all waiters but not // unblocked them yet at this point: // // 1. This thread: calls PhfQueueWakeEvent. // 2. This thread: code determines that the wait should be cancelled. // 3. Other thread: calls PhfSetWakeEvent and pops our wait block off. It hasn't unblocked // any wait blocks yet. // 4. This thread: calls PhfSetWakeEvent. Since all wait blocks have been popped, we don't // do anything. The caller function exits, making our wait block invalid. // 5. Other thread: tries to unblock our wait block. Anything could happen, since our caller // already returned. // // The solution is to (always) wait for an unblock. Note that the check below for the // spinning flag is not required, but it is a small optimization. If the wait block has been // unblocked (i.e. the spinning flag is cleared), then there's no danger. if (WaitBlock->Flags & PH_QUEUED_WAITER_SPINNING) PhpBlockOnQueuedWaitBlock(WaitBlock, FALSE, NULL); } } /** * Waits for a wake event to be set. * * \param WakeEvent A wake event. * \param WaitBlock A wait block previously queued to the wake event using PhfQueueWakeEvent(). * \param Spin TRUE to spin on the wake event before blocking, FALSE to block immediately. * \param Timeout A timeout value. * * \remarks Wake events are subject to spurious wakeups. You should call this function in a loop * which checks a predicate. */ NTSTATUS FASTCALL PhfWaitForWakeEvent( _Inout_ PPH_WAKE_EVENT WakeEvent, _Inout_ PPH_QUEUED_WAIT_BLOCK WaitBlock, _In_ BOOLEAN Spin, _In_opt_ PLARGE_INTEGER Timeout ) { NTSTATUS status; status = PhpBlockOnQueuedWaitBlock(WaitBlock, Spin, Timeout); if (status != STATUS_SUCCESS) { // Probably a timeout. There's no way of unlinking the wait block safely, so just wake // everyone. PhSetWakeEvent(WakeEvent, WaitBlock); } return status; } ================================================ FILE: phlib/ref.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #include #include #include #include PPH_OBJECT_TYPE PhObjectTypeObject = NULL; SLIST_HEADER PhObjectDeferDeleteListHead; PH_FREE_LIST PhObjectSmallFreeList; PPH_OBJECT_TYPE PhAllocType = NULL; ULONG PhObjectTypeCount = 0; PPH_OBJECT_TYPE PhObjectTypeTable[PH_OBJECT_TYPE_TABLE_SIZE]; static ULONG PhpAutoPoolTlsIndex; #ifdef DEBUG LIST_ENTRY PhDbgObjectListHead; PH_QUEUED_LOCK PhDbgObjectListLock = PH_QUEUED_LOCK_INIT; PPH_CREATE_OBJECT_HOOK PhDbgCreateObjectHook = NULL; #endif #define REF_STAT_UP(Name) PHLIB_INC_STATISTIC(Name) /** * Initializes the object manager module. */ NTSTATUS PhRefInitialization( VOID ) { PH_OBJECT_TYPE dummyObjectType; #ifdef DEBUG InitializeListHead(&PhDbgObjectListHead); #endif PhInitializeSListHead(&PhObjectDeferDeleteListHead); PhInitializeFreeList( &PhObjectSmallFreeList, PhAddObjectHeaderSize(PH_OBJECT_SMALL_OBJECT_SIZE), PH_OBJECT_SMALL_OBJECT_COUNT ); // Create the fundamental object type. memset(&dummyObjectType, 0, sizeof(PH_OBJECT_TYPE)); PhObjectTypeObject = &dummyObjectType; // PhCreateObject expects an object type. PhObjectTypeTable[0] = &dummyObjectType; // PhCreateObject also expects PhObjectTypeTable[0] to be filled in. PhObjectTypeObject = PhCreateObjectType(L"Type", 0, NULL); // Now that the fundamental object type exists, fix it up. PhObjectToObjectHeader(PhObjectTypeObject)->TypeIndex = PhObjectTypeObject->TypeIndex; PhObjectTypeObject->NumberOfObjects = 1; // Create the allocated memory object type. PhAllocType = PhCreateObjectType(L"Alloc", 0, NULL); // Reserve a slot for the auto pool. PhpAutoPoolTlsIndex = PhTlsAlloc(); if (PhpAutoPoolTlsIndex == TLS_OUT_OF_INDEXES) return STATUS_NO_MEMORY; return STATUS_SUCCESS; } /** * Allocates a object. * * \param ObjectSize The size of the object. * \param ObjectType The type of the object. * * \return A pointer to the newly allocated object. */ _May_raise_ PVOID PhCreateObject( _In_ SIZE_T ObjectSize, _In_ PPH_OBJECT_TYPE ObjectType ) { PPH_OBJECT_HEADER objectHeader; // Allocate storage for the object. Note that this includes the object header followed by the // object body. objectHeader = PhpAllocateObject(ObjectType, ObjectSize); // Object type statistics. _InterlockedIncrement((PLONG)&ObjectType->NumberOfObjects); // Initialize the object header. objectHeader->RefCount = 1; objectHeader->TypeIndex = ObjectType->TypeIndex; // objectHeader->Flags is set by PhpAllocateObject. REF_STAT_UP(RefObjectsCreated); #ifdef DEBUG { USHORT capturedFrames; capturedFrames = RtlCaptureStackBackTrace(1, 16, objectHeader->StackBackTrace, NULL); memset( &objectHeader->StackBackTrace[capturedFrames], 0, sizeof(objectHeader->StackBackTrace) - capturedFrames * sizeof(PVOID) ); } PhAcquireQueuedLockExclusive(&PhDbgObjectListLock); InsertTailList(&PhDbgObjectListHead, &objectHeader->ObjectListEntry); PhReleaseQueuedLockExclusive(&PhDbgObjectListLock); { PPH_CREATE_OBJECT_HOOK dbgCreateObjectHook; dbgCreateObjectHook = PhDbgCreateObjectHook; if (dbgCreateObjectHook) { dbgCreateObjectHook( PhObjectHeaderToObject(objectHeader), ObjectSize, 0, ObjectType ); } } #endif return PhObjectHeaderToObject(objectHeader); } /** * References the specified object. * * \param Object A pointer to the object to reference. * * \return The object. */ PVOID PhReferenceObject( _In_ PVOID Object ) { PPH_OBJECT_HEADER objectHeader; objectHeader = PhObjectToObjectHeader(Object); // Increment the reference count. _InterlockedIncrement(&objectHeader->RefCount); return Object; } /** * References the specified object. * * \param Object A pointer to the object to reference. * \param RefCount The number of references to add. * * \return The object. */ _May_raise_ PVOID PhReferenceObjectEx( _In_ PVOID Object, _In_ LONG RefCount ) { PPH_OBJECT_HEADER objectHeader; LONG oldRefCount; assert(RefCount >= 0); objectHeader = PhObjectToObjectHeader(Object); // Increase the reference count. oldRefCount = _InterlockedExchangeAdd(&objectHeader->RefCount, RefCount); return Object; } /** * Attempts to reference an object and fails if it is being destroyed. * * \param Object The object to reference if it is not being deleted. * * \return The object itself if the object was referenced, NULL if it was being deleted and was not * referenced. * * \remarks This function is useful if a reference to an object is held, protected by a mutex, and * the delete procedure of the object's type attempts to acquire the mutex. If this function is * called while the mutex is owned, you can avoid referencing an object that is being destroyed. */ PVOID PhReferenceObjectSafe( _In_ PVOID Object ) { PPH_OBJECT_HEADER objectHeader; objectHeader = PhObjectToObjectHeader(Object); // Increase the reference count only if it positive already (atomically). if (PhpInterlockedIncrementSafe(&objectHeader->RefCount)) return Object; else return NULL; } /** * Dereferences the specified object. * The object will be freed if its reference count reaches 0. * * \param Object A pointer to the object to dereference. */ VOID PhDereferenceObject( _In_ _Post_invalid_ PVOID Object ) { PPH_OBJECT_HEADER objectHeader; LONG newRefCount; objectHeader = PhObjectToObjectHeader(Object); // Decrement the reference count. newRefCount = _InterlockedDecrement(&objectHeader->RefCount); ASSUME_ASSERT(newRefCount >= 0); // Free the object if it has 0 references. if (newRefCount == 0) { PhpFreeObject(objectHeader); } } /** * Dereferences the specified object. * The object will be freed in a worker thread if its reference count reaches 0. * * \param Object A pointer to the object to dereference. */ VOID PhDereferenceObjectDeferDelete( _In_ _Post_invalid_ PVOID Object ) { PhDereferenceObjectEx(Object, 1, TRUE); } /** * Dereferences the specified object. * The object will be freed if its reference count reaches 0. * * \param Object A pointer to the object to dereference. * \param RefCount The number of references to remove. * \param DeferDelete Whether to defer deletion of the object. */ _May_raise_ VOID PhDereferenceObjectEx( _In_ PVOID Object, _In_ LONG RefCount, _In_ BOOLEAN DeferDelete ) { PPH_OBJECT_HEADER objectHeader; LONG oldRefCount; LONG newRefCount; assert(!(RefCount < 0)); objectHeader = PhObjectToObjectHeader(Object); // Decrease the reference count. oldRefCount = _InterlockedExchangeAdd(&objectHeader->RefCount, -RefCount); newRefCount = oldRefCount - RefCount; // Free the object if it has 0 references. if (newRefCount == 0) { if (DeferDelete) { PhpDeferDeleteObject(objectHeader); } else { // Free the object. PhpFreeObject(objectHeader); } } else if (newRefCount < 0) { PhRaiseStatus(STATUS_INVALID_PARAMETER); } } /** * Gets an object's reference count. * * \param Object A pointer to an object. * * \return The object's reference count. */ ULONG PhGetObjectRefCount( _In_ PVOID Object ) { return PhObjectToObjectHeader(Object)->RefCount; } /** * Gets an object's type. * * \param Object A pointer to an object. * * \return A pointer to a type object. */ PPH_OBJECT_TYPE PhGetObjectType( _In_ PVOID Object ) { return PhObjectTypeTable[PhObjectToObjectHeader(Object)->TypeIndex]; } /** * Creates an object type. * * \param Name The name of the type. * \param Flags A combination of flags affecting the behaviour of the object type. * \param DeleteProcedure A callback function that is executed when an object of this type is about * to be freed (i.e. when its reference count is 0). * * \return A pointer to the newly created object type. * * \remarks Do not reference or dereference the object type once it is created. */ PPH_OBJECT_TYPE PhCreateObjectType( _In_ PCWSTR Name, _In_ ULONG Flags, _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure ) { return PhCreateObjectTypeEx( Name, Flags, DeleteProcedure, NULL ); } /** * Creates an object type. * * \param Name The name of the type. * \param Flags A combination of flags affecting the behavior of the object type. * \param DeleteProcedure A callback function that is executed when an object of this type is about * to be freed (i.e. when its reference count is 0). * \param Parameters A structure containing additional parameters for the object type. * * \return A pointer to the newly created object type. * * \remarks Do not reference or dereference the object type once it is created. */ PPH_OBJECT_TYPE PhCreateObjectTypeEx( _In_ PCWSTR Name, _In_ ULONG Flags, _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure, _In_opt_ PPH_OBJECT_TYPE_PARAMETERS Parameters ) { PPH_OBJECT_TYPE objectType; // Check the flags. if ((Flags & PH_OBJECT_TYPE_VALID_FLAGS) != Flags) /* Valid flag mask */ PhRaiseStatus(STATUS_INVALID_PARAMETER_3); if ((Flags & (PH_OBJECT_TYPE_USE_FREE_LIST | PH_OBJECT_TYPE_TRY_USE_FREE_LIST)) == (PH_OBJECT_TYPE_USE_FREE_LIST | PH_OBJECT_TYPE_TRY_USE_FREE_LIST)) PhRaiseStatus(STATUS_INVALID_PARAMETER_3); if ((Flags & (PH_OBJECT_TYPE_USE_FREE_LIST | PH_OBJECT_TYPE_TRY_USE_FREE_LIST)) && !Parameters) PhRaiseStatus(STATUS_INVALID_PARAMETER_MIX); // Create the type object. objectType = PhCreateObject(sizeof(PH_OBJECT_TYPE), PhObjectTypeObject); // Initialize the type object. objectType->Flags = (USHORT)Flags; objectType->TypeIndex = (USHORT)_InterlockedIncrement(&PhObjectTypeCount) - 1; objectType->NumberOfObjects = 0; objectType->DeleteProcedure = DeleteProcedure; objectType->Name = Name; assert(InterlockedCompareExchange(&PhObjectTypeCount, 0, 0) < PH_OBJECT_TYPE_TABLE_SIZE); PhObjectTypeTable[objectType->TypeIndex] = objectType; if (Parameters) { if (Flags & (PH_OBJECT_TYPE_USE_FREE_LIST | PH_OBJECT_TYPE_TRY_USE_FREE_LIST)) { PhInitializeFreeList( &objectType->FreeList, PhAddObjectHeaderSize(Parameters->FreeListSize), Parameters->FreeListCount ); } } return objectType; } /** * Gets information about an object type. * * \param ObjectType A pointer to an object type. * \param Information A variable which receives information about the object type. */ VOID PhGetObjectTypeInformation( _In_ PPH_OBJECT_TYPE ObjectType, _Out_ PPH_OBJECT_TYPE_INFORMATION Information ) { Information->Name = ObjectType->Name; Information->NumberOfObjects = ObjectType->NumberOfObjects; Information->Flags = ObjectType->Flags; Information->TypeIndex = ObjectType->TypeIndex; } /** * Allocates storage for an object. * * \param ObjectType The type of the object. * \param ObjectSize The size of the object, excluding the header. */ PPH_OBJECT_HEADER PhpAllocateObject( _In_ PPH_OBJECT_TYPE ObjectType, _In_ SIZE_T ObjectSize ) { PPH_OBJECT_HEADER objectHeader; if (ObjectType->Flags & PH_OBJECT_TYPE_USE_FREE_LIST) { assert(ObjectType->FreeList.Size == PhAddObjectHeaderSize(ObjectSize)); objectHeader = PhAllocateFromFreeList(&ObjectType->FreeList); objectHeader->Flags = PH_OBJECT_FROM_TYPE_FREE_LIST; REF_STAT_UP(RefObjectsAllocatedFromTypeFreeList); } else if (ObjectSize <= PH_OBJECT_SMALL_OBJECT_SIZE) { objectHeader = PhAllocateFromFreeList(&PhObjectSmallFreeList); objectHeader->Flags = PH_OBJECT_FROM_SMALL_FREE_LIST; REF_STAT_UP(RefObjectsAllocatedFromSmallFreeList); } else if (ObjectType->Flags & PH_OBJECT_TYPE_TRY_USE_FREE_LIST && PhAddObjectHeaderSize(ObjectSize) <= ObjectType->FreeList.Size) { objectHeader = PhAllocateFromFreeList(&ObjectType->FreeList); objectHeader->Flags = PH_OBJECT_FROM_TYPE_FREE_LIST; REF_STAT_UP(RefObjectsAllocatedFromTypeFreeList); } else { objectHeader = PhAllocate(PhAddObjectHeaderSize(ObjectSize)); objectHeader->Flags = 0; REF_STAT_UP(RefObjectsAllocated); } return objectHeader; } /** * Calls the delete procedure for an object and frees its allocated storage. * * \param ObjectHeader A pointer to the object header of an allocated object. */ VOID PhpFreeObject( _In_ PPH_OBJECT_HEADER ObjectHeader ) { PPH_OBJECT_TYPE objectType; objectType = PhObjectTypeTable[ObjectHeader->TypeIndex]; // Object type statistics. _InterlockedDecrement(&objectType->NumberOfObjects); #ifdef DEBUG PhAcquireQueuedLockExclusive(&PhDbgObjectListLock); RemoveEntryList(&ObjectHeader->ObjectListEntry); PhReleaseQueuedLockExclusive(&PhDbgObjectListLock); #endif REF_STAT_UP(RefObjectsDestroyed); // Call the delete procedure if we have one. if (objectType->DeleteProcedure) { objectType->DeleteProcedure(PhObjectHeaderToObject(ObjectHeader), 0); } if (ObjectHeader->Flags & PH_OBJECT_FROM_TYPE_FREE_LIST) { PhFreeToFreeList(&objectType->FreeList, ObjectHeader); REF_STAT_UP(RefObjectsFreedToTypeFreeList); } else if (ObjectHeader->Flags & PH_OBJECT_FROM_SMALL_FREE_LIST) { PhFreeToFreeList(&PhObjectSmallFreeList, ObjectHeader); REF_STAT_UP(RefObjectsFreedToSmallFreeList); } else { PhFree(ObjectHeader); REF_STAT_UP(RefObjectsFreed); } } /** * Queues an object for deletion. * * \param ObjectHeader A pointer to the object header of the object to delete. */ VOID PhpDeferDeleteObject( _In_ PPH_OBJECT_HEADER ObjectHeader ) { PSLIST_ENTRY oldFirstEntry; // Save TypeIndex and Flags since they get overwritten when we push the object onto the defer // delete list. PH_CLANG_DIAGNOSTIC_PUSH(); PH_CLANG_DIAGNOSTIC_IGNORED("-Wsingle-bit-bitfield-constant-conversion"); ObjectHeader->DeferDelete = 1; PH_CLANG_DIAGNOSTIC_POP(); MemoryBarrier(); ObjectHeader->SavedTypeIndex = ObjectHeader->TypeIndex; ObjectHeader->SavedFlags = ObjectHeader->Flags; oldFirstEntry = RtlFirstEntrySList(&PhObjectDeferDeleteListHead); RtlInterlockedPushEntrySList(&PhObjectDeferDeleteListHead, &ObjectHeader->DeferDeleteListEntry); REF_STAT_UP(RefObjectsDeleteDeferred); // Was the to-free list empty before? If so, we need to queue a work item. if (!oldFirstEntry) { PhQueueItemWorkQueue(PhGetGlobalWorkQueue(), PhpDeferDeleteObjectRoutine, NULL); } } /** * Removes and frees objects from the to-free list. */ _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpDeferDeleteObjectRoutine( _In_ PVOID Parameter ) { PSLIST_ENTRY listEntry; PPH_OBJECT_HEADER objectHeader; // Clear the list and obtain the first object to free. listEntry = RtlInterlockedFlushSList(&PhObjectDeferDeleteListHead); while (listEntry) { objectHeader = CONTAINING_RECORD(listEntry, PH_OBJECT_HEADER, DeferDeleteListEntry); listEntry = listEntry->Next; // Restore TypeIndex and Flags. objectHeader->TypeIndex = (USHORT)objectHeader->SavedTypeIndex; objectHeader->Flags = (UCHAR)objectHeader->SavedFlags; PhpFreeObject(objectHeader); } return STATUS_SUCCESS; } /** * Creates a reference-counted memory block. * * \param Size The number of bytes to allocate. * * \return A pointer to the memory block. */ PVOID PhCreateAlloc( _In_ SIZE_T Size ) { return PhCreateObject(Size, PhAllocType); } /** * Gets the current auto-dereference pool for the current thread. */ FORCEINLINE PPH_AUTO_POOL PhpGetCurrentAutoPool( VOID ) { return (PPH_AUTO_POOL)PhTlsGetValue(PhpAutoPoolTlsIndex); } /** * Sets the current auto-dereference pool for the current thread. */ _May_raise_ FORCEINLINE VOID PhpSetCurrentAutoPool( _In_ PPH_AUTO_POOL AutoPool ) { if (!NT_SUCCESS(PhTlsSetValue(PhpAutoPoolTlsIndex, AutoPool))) PhRaiseStatus(STATUS_UNSUCCESSFUL); #ifdef DEBUG { PPHP_BASE_THREAD_DBG dbg; dbg = (PPHP_BASE_THREAD_DBG)PhTlsGetValue(PhDbgThreadDbgTlsIndex); if (dbg) { dbg->CurrentAutoPool = AutoPool; } } #endif } /** * Initializes an auto-dereference pool and sets it as the current pool for the current thread. You * must call PhDeleteAutoPool() before storage for the auto-dereference pool is freed. * * \remarks Always store auto-dereference pools in local variables, and do not share the pool with * any other functions. */ VOID PhInitializeAutoPool( _Out_ PPH_AUTO_POOL AutoPool ) { AutoPool->StaticCount = 0; AutoPool->DynamicCount = 0; AutoPool->DynamicAllocated = 0; AutoPool->DynamicObjects = NULL; // Add the pool to the stack. AutoPool->NextPool = PhpGetCurrentAutoPool(); PhpSetCurrentAutoPool(AutoPool); REF_STAT_UP(RefAutoPoolsCreated); } /** * Deletes an auto-dereference pool. The function will dereference any objects currently in the * pool. If a pool other than the current pool is passed to the function, an exception is raised. * * \param AutoPool The auto-dereference pool to delete. */ _May_raise_ VOID PhDeleteAutoPool( _In_ _Post_invalid_ PPH_AUTO_POOL AutoPool ) { PhDrainAutoPool(AutoPool); if (PhpGetCurrentAutoPool() != AutoPool) PhRaiseStatus(STATUS_UNSUCCESSFUL); // Remove the pool from the stack. PhpSetCurrentAutoPool(AutoPool->NextPool); // Free the dynamic array if it hasn't been freed yet. if (AutoPool->DynamicObjects) PhFree(AutoPool->DynamicObjects); REF_STAT_UP(RefAutoPoolsDestroyed); } /** * Dereferences and removes all objects in an auto-release pool. * * \param AutoPool The auto-release pool to drain. */ VOID PhDrainAutoPool( _In_ PPH_AUTO_POOL AutoPool ) { PhDereferenceObjects(AutoPool->StaticObjects, AutoPool->StaticCount); AutoPool->StaticCount = 0; if (AutoPool->DynamicObjects) { PhDereferenceObjects(AutoPool->DynamicObjects, AutoPool->DynamicCount); AutoPool->DynamicCount = 0; if (AutoPool->DynamicAllocated > PH_AUTO_POOL_DYNAMIC_BIG_SIZE) { AutoPool->DynamicAllocated = 0; PhFree(AutoPool->DynamicObjects); AutoPool->DynamicObjects = NULL; } } } /** * Adds an object to the current auto-dereference pool for the current thread. If the current thread * does not have an auto-dereference pool, the function raises an exception. * * \param Object A pointer to an object. The object will be dereferenced when the current * auto-dereference pool is drained or freed. */ _May_raise_ PVOID PhAutoDereferenceObject( _In_opt_ PVOID Object ) { PPH_AUTO_POOL autoPool = PhpGetCurrentAutoPool(); #ifdef DEBUG // If we don't have an auto-dereference pool, we don't want to leak the object (unlike what // Apple does with NSAutoreleasePool). if (!autoPool) PhRaiseStatus(STATUS_UNSUCCESSFUL); #endif if (!Object) return NULL; // See if we can use the static array. if (autoPool->StaticCount < PH_AUTO_POOL_STATIC_SIZE) { autoPool->StaticObjects[autoPool->StaticCount++] = Object; return Object; } // Use the dynamic array. // Allocate the array if we haven't already. if (!autoPool->DynamicObjects) { autoPool->DynamicAllocated = 64; autoPool->DynamicObjects = PhAllocate( sizeof(PVOID) * autoPool->DynamicAllocated ); REF_STAT_UP(RefAutoPoolsDynamicAllocated); } // See if we need to resize the array. if (autoPool->DynamicCount == autoPool->DynamicAllocated) { autoPool->DynamicAllocated *= 2; autoPool->DynamicObjects = PhReAllocate( autoPool->DynamicObjects, sizeof(PVOID) * autoPool->DynamicAllocated ); REF_STAT_UP(RefAutoPoolsDynamicResized); } autoPool->DynamicObjects[autoPool->DynamicCount++] = Object; return Object; } ================================================ FILE: phlib/searchbox.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2012-2023 * jxy-s 2023-2024 * */ #include #include #include #include #include #include #include typedef struct _PH_SEARCHCONTROL_BUTTON { union { ULONG Flags; struct { ULONG Hot : 1; ULONG Pushed : 1; ULONG Active : 1; ULONG Error : 1; ULONG Spare : 28; }; }; ULONG Index; ULONG ImageIndex; ULONG ActiveImageIndex; HWND TooltipHandle; } PH_SEARCHCONTROL_BUTTON, *PPH_SEARCHCONTROL_BUTTON; #define PH_SC_BUTTON_COUNT 3 typedef struct _PH_SEARCHCONTROL_CONTEXT { union { ULONG Flags; struct { ULONG Hot : 1; ULONG HotTrack : 1; ULONG WindowFocus : 1; ULONG UseSearchPointer : 1; ULONG Spare : 28; }; }; HWND ParentWindowHandle; HWND PreviousFocusWindowHandle; LONG WindowDpi; PCWSTR RegexSetting; PCWSTR CaseSetting; PVOID ImageBaseAddress; PCWSTR SearchButtonResource; PCWSTR SearchButtonActiveResource; PCWSTR RegexButtonResource; PCWSTR CaseButtonResource; PH_SEARCHCONTROL_BUTTON SearchButton; PH_SEARCHCONTROL_BUTTON RegexButton; PH_SEARCHCONTROL_BUTTON CaseButton; LONG ButtonWidth; LONG BorderSize; LONG ImageWidth; LONG ImageHeight; WNDPROC DefaultWindowProc; HFONT WindowFont; HIMAGELIST ImageListHandle; PPH_STRING CueBannerText; HDC BufferedDc; HBITMAP BufferedOldBitmap; HBITMAP BufferedBitmap; RECT BufferedContextRect; HBRUSH FrameBrush; HBRUSH WindowBrush; ULONG SearchDelayMs; PPH_SEARCHCONTROL_CALLBACK Callback; PVOID CallbackContext; PH_STRINGREF SearchboxText; WCHAR SearchboxTextBuffer[0x100]; ULONG64 SearchPointer; LONG SearchboxRegexError; PCRE2_SIZE SearchboxRegexErrorOffset; pcre2_code* SearchboxRegexCode; pcre2_match_data* SearchboxRegexMatchData; } PH_SEARCHCONTROL_CONTEXT, *PPH_SEARCHCONTROL_CONTEXT; VOID PhpSearchControlCreateBufferedContext( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ HDC Hdc, _In_ PRECT BufferRect ) { Context->BufferedDc = CreateCompatibleDC(Hdc); if (!Context->BufferedDc) return; Context->BufferedContextRect = *BufferRect; Context->BufferedBitmap = CreateCompatibleBitmap( Hdc, Context->BufferedContextRect.right, Context->BufferedContextRect.bottom ); Context->BufferedOldBitmap = SelectBitmap(Context->BufferedDc, Context->BufferedBitmap); } VOID PhpSearchControlDestroyBufferedContext( _In_ PPH_SEARCHCONTROL_CONTEXT Context ) { if (Context->BufferedDc && Context->BufferedOldBitmap) { SelectBitmap(Context->BufferedDc, Context->BufferedOldBitmap); } if (Context->BufferedBitmap) { DeleteBitmap(Context->BufferedBitmap); Context->BufferedBitmap = NULL; } if (Context->BufferedDc) { DeleteDC(Context->BufferedDc); Context->BufferedDc = NULL; } } VOID PhpSearchControlInitializeFont( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ HWND WindowHandle ) { if (Context->WindowFont) { DeleteFont(Context->WindowFont); Context->WindowFont = NULL; } Context->WindowFont = PhCreateCommonFont(10, FW_MEDIUM, WindowHandle, Context->WindowDpi); } VOID PhpSearchControlInitializeTheme( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ HWND WindowHandle ) { LONG borderSize; borderSize = PhGetSystemMetrics(SM_CXBORDER, Context->WindowDpi); Context->CaseButton.Index = 0; Context->RegexButton.Index = 1; Context->SearchButton.Index = 2; Context->ButtonWidth = PhGetDpi(20, Context->WindowDpi); Context->BorderSize = borderSize; Context->FrameBrush = GetSysColorBrush(COLOR_WINDOWFRAME); Context->WindowBrush = GetSysColorBrush(COLOR_WINDOW); if (PhIsThemeActive()) { HTHEME themeHandle; if (themeHandle = PhOpenThemeData(WindowHandle, VSCLASS_EDIT, Context->WindowDpi)) { if (PhGetThemeInt(themeHandle, 0, 0, TMT_BORDERSIZE, &borderSize)) { Context->BorderSize = borderSize; } PhCloseThemeData(themeHandle); } } } VOID PhpSearchControlInitializeImages( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ HWND WindowHandle ) { HBITMAP bitmap; Context->ImageWidth = PhGetSystemMetrics(SM_CXSMICON, Context->WindowDpi) + PhGetDpi(4, Context->WindowDpi); Context->ImageHeight = PhGetSystemMetrics(SM_CYSMICON, Context->WindowDpi) + PhGetDpi(4, Context->WindowDpi); if (Context->ImageListHandle) { PhImageListSetIconSize( Context->ImageListHandle, Context->ImageWidth, Context->ImageHeight ); } else { Context->ImageListHandle = PhImageListCreate( Context->ImageWidth, Context->ImageHeight, ILC_MASK | ILC_COLOR32, 2, 0 ); } PhImageListSetImageCount(Context->ImageListHandle, 4); // Search Button Context->SearchButton.ImageIndex = ULONG_MAX; Context->SearchButton.ActiveImageIndex = ULONG_MAX; bitmap = PhLoadImageFormatFromResource(Context->ImageBaseAddress, Context->SearchButtonResource, L"PNG", PH_IMAGE_FORMAT_TYPE_PNG, Context->ImageWidth, Context->ImageHeight); if (bitmap) { Context->SearchButton.ImageIndex = 0; PhImageListReplace(Context->ImageListHandle, 0, bitmap, NULL); DeleteBitmap(bitmap); } bitmap = PhLoadImageFormatFromResource(Context->ImageBaseAddress, Context->SearchButtonActiveResource, L"PNG", PH_IMAGE_FORMAT_TYPE_PNG, Context->ImageWidth, Context->ImageHeight); if (bitmap) { Context->SearchButton.ActiveImageIndex = 1; PhImageListReplace(Context->ImageListHandle, 1, bitmap, NULL); DeleteBitmap(bitmap); } // Regex Button Context->RegexButton.ImageIndex = ULONG_MAX; Context->RegexButton.ActiveImageIndex = ULONG_MAX; bitmap = PhLoadImageFormatFromResource(Context->ImageBaseAddress, Context->RegexButtonResource, L"PNG", PH_IMAGE_FORMAT_TYPE_PNG, Context->ImageWidth, Context->ImageHeight); if (bitmap) { Context->RegexButton.ImageIndex = 2; PhImageListReplace(Context->ImageListHandle, 2, bitmap, NULL); DeleteBitmap(bitmap); } // Case-Sensitivity Button Context->CaseButton.ImageIndex = ULONG_MAX; Context->CaseButton.ActiveImageIndex = ULONG_MAX; bitmap = PhLoadImageFormatFromResource(Context->ImageBaseAddress, Context->CaseButtonResource, L"PNG", PH_IMAGE_FORMAT_TYPE_PNG, Context->ImageWidth, Context->ImageHeight); if (bitmap) { Context->CaseButton.ImageIndex = 3; PhImageListReplace(Context->ImageListHandle, 3, bitmap, NULL); DeleteBitmap(bitmap); } } VOID PhpSearchControlButtonRect( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ PPH_SEARCHCONTROL_BUTTON Button, _In_ PRECT WindowRect, _Out_ PRECT ButtonRect ) { memcpy(ButtonRect, WindowRect, sizeof(RECT)); ButtonRect->left = ((ButtonRect->right - Context->ButtonWidth) - Context->BorderSize - 1); ButtonRect->top += Context->BorderSize; ButtonRect->right -= Context->BorderSize; ButtonRect->bottom -= Context->BorderSize; // Shift the button rect to the left based on the button index. ButtonRect->left -= ((Context->ButtonWidth + Context->BorderSize - 1) * (PH_SC_BUTTON_COUNT - 1 - Button->Index)); ButtonRect->right -= ((Context->ButtonWidth + Context->BorderSize - 1) * (PH_SC_BUTTON_COUNT - 1 - Button->Index)); } VOID PhpSearchControlCreateTooltip( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ PPH_SEARCHCONTROL_BUTTON Button, _In_ HWND ParentWindow, _In_ PRECT TooltipRect, _In_ PWSTR TooltipText ) { TOOLINFO toolInfo; if (Button->TooltipHandle) return; Button->TooltipHandle = PhCreateWindowEx( TOOLTIPS_CLASS, NULL, WS_POPUP | TTS_ALWAYSTIP | TTS_NOPREFIX | TTS_NOANIMATE | TTS_NOFADE, WS_EX_TOPMOST | WS_EX_TRANSPARENT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, ParentWindow, NULL, NULL, NULL ); SetWindowPos( Button->TooltipHandle, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE | SWP_NOACTIVATE ); MapWindowRect(HWND_DESKTOP, ParentWindow, TooltipRect); PhInflateRect(TooltipRect, -1, -1); memset(&toolInfo, 0, sizeof(TOOLINFO)); toolInfo.cbSize = sizeof(TOOLINFO); toolInfo.uFlags = TTF_TRANSPARENT | TTF_SUBCLASS; toolInfo.hwnd = ParentWindow; toolInfo.lpszText = TooltipText; toolInfo.rect = *TooltipRect; SendMessage(Button->TooltipHandle, TTM_ADDTOOL, 0, (LPARAM)&toolInfo); SendMessage(Button->TooltipHandle, TTM_SETDELAYTIME, TTDT_INITIAL, 0); SendMessage(Button->TooltipHandle, TTM_SETDELAYTIME, TTDT_AUTOPOP, MAXSHORT); SendMessage(Button->TooltipHandle, TTM_SETMAXTIPWIDTH, 0, MAXSHORT); SendMessage(Button->TooltipHandle, TTM_POPUP, 0, 0); } VOID PhpSearchControlThemeChanged( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ HWND WindowHandle ) { PhpSearchControlInitializeFont(Context, WindowHandle); PhpSearchControlInitializeTheme(Context, WindowHandle); PhpSearchControlInitializeImages(Context, WindowHandle); // Reset the client area margins. CallWindowProc(Context->DefaultWindowProc, WindowHandle, EM_SETMARGINS, EC_LEFTMARGIN, MAKELPARAM(0, 0)); // Refresh the non-client area. SetWindowPos(WindowHandle, NULL, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOSIZE | SWP_FRAMECHANGED); // Force the edit control to update its non-client area. RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); } VOID PhpSearchDrawWindow( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ HWND WindowHandle, _In_ HDC Hdc, _In_ PRECT WindowRect ) { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, PhThemeWindowBackground2Color); SelectBrush(Hdc, PhGetStockBrush(DC_BRUSH)); PatBlt(Hdc, WindowRect->left, WindowRect->top, 1, WindowRect->bottom - WindowRect->top, PATCOPY); PatBlt(Hdc, WindowRect->right - 1, WindowRect->top, 1, WindowRect->bottom - WindowRect->top, PATCOPY); PatBlt(Hdc, WindowRect->left, WindowRect->top, WindowRect->right - WindowRect->left, 1, PATCOPY); PatBlt(Hdc, WindowRect->left, WindowRect->bottom - 1, WindowRect->right - WindowRect->left, 1, PATCOPY); SetDCBrushColor(Hdc, RGB(60, 60, 60)); SelectBrush(Hdc, PhGetStockBrush(DC_BRUSH)); PatBlt(Hdc, WindowRect->left + 1, WindowRect->top + 1, 1, WindowRect->bottom - WindowRect->top - 2, PATCOPY); PatBlt(Hdc, WindowRect->right - 2, WindowRect->top + 1, 1, WindowRect->bottom - WindowRect->top - 2, PATCOPY); PatBlt(Hdc, WindowRect->left + 1, WindowRect->top + 1, WindowRect->right - WindowRect->left - 2, 1, PATCOPY); PatBlt(Hdc, WindowRect->left + 1, WindowRect->bottom - 2, WindowRect->right - WindowRect->left - 2, 1, PATCOPY); } } VOID PhpSearchDrawButton( _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ PPH_SEARCHCONTROL_BUTTON Button, _In_ HWND WindowHandle, _In_ HDC Hdc, _In_ PRECT WindowRect ) { RECT buttonRect; PhpSearchControlButtonRect(Context, Button, WindowRect, &buttonRect); if (Button->Pushed) { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, RGB(99, 99, 99)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(Hdc, RGB(153, 209, 255)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } } else if (Button->Hot) { if (Button->Active && Button->ActiveImageIndex == ULONG_MAX) { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, RGB(54, 54, 54)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(Hdc, RGB(133, 199, 255)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } } else { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, RGB(78, 78, 78)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(Hdc, RGB(205, 232, 255)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } } } else if (Button->Error) { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, RGB(100, 28, 30)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(Hdc, RGB(255, 155, 155)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } } else if (Button->Active && Button->ActiveImageIndex == ULONG_MAX) { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, RGB(44, 44, 44)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(Hdc, RGB(123, 189, 255)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } } else { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, RGB(60, 60, 60)); FillRect(Hdc, &buttonRect, PhGetStockBrush(DC_BRUSH)); } else { FillRect(Hdc, &buttonRect, Context->WindowBrush); } } if (Button->Active && Button->ActiveImageIndex != ULONG_MAX) { PhImageListDrawIcon( Context->ImageListHandle, Button->ActiveImageIndex, Hdc, buttonRect.left + 1 /*offset*/ + ((buttonRect.right - buttonRect.left) - Context->ImageWidth) / 2, buttonRect.top + ((buttonRect.bottom - buttonRect.top) - Context->ImageHeight) / 2, ILD_TRANSPARENT, FALSE ); } else { PhImageListDrawIcon( Context->ImageListHandle, Button->ImageIndex, Hdc, buttonRect.left + 1 /*offset*/ + ((buttonRect.right - buttonRect.left) - Context->ImageWidth) / 2, buttonRect.top + ((buttonRect.bottom - buttonRect.top) - Context->ImageHeight) / 2, ILD_TRANSPARENT, FALSE ); } } VOID PhpSearchUpdateRegex( _In_ HWND WindowHandle, _In_ PPH_SEARCHCONTROL_CONTEXT Context ) { ULONG flags; Context->RegexButton.Error = FALSE; Context->SearchboxRegexError = 0; Context->SearchboxRegexErrorOffset = 0; if (Context->SearchboxRegexCode) { pcre2_code_free(Context->SearchboxRegexCode); Context->SearchboxRegexCode = NULL; } if (Context->SearchboxRegexMatchData) { pcre2_match_data_free(Context->SearchboxRegexMatchData); Context->SearchboxRegexMatchData = NULL; } if (!Context->RegexButton.Active || Context->SearchboxText.Length == 0) return; if (Context->CaseButton.Active) flags = PCRE2_DOTALL; else flags = PCRE2_CASELESS | PCRE2_DOTALL; Context->SearchboxRegexCode = pcre2_compile( Context->SearchboxText.Buffer, Context->SearchboxText.Length / sizeof(WCHAR), flags, &Context->SearchboxRegexError, &Context->SearchboxRegexErrorOffset, NULL ); if (!Context->SearchboxRegexCode) { Context->RegexButton.Error = TRUE; return; } Context->SearchboxRegexMatchData = pcre2_match_data_create_from_pattern( Context->SearchboxRegexCode, NULL ); } BOOLEAN PhGetSearchTextToBuffer( _In_ HWND WindowHandle, _In_ PPH_SEARCHCONTROL_CONTEXT Context, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_ PSIZE_T ReturnLength ) { SIZE_T returnLength; returnLength = CallWindowProc( Context->DefaultWindowProc, WindowHandle, WM_GETTEXT, BufferLength, (LPARAM)Buffer ); if (returnLength != 0) { *ReturnLength = returnLength; return TRUE; } memset(Buffer, UNICODE_NULL, sizeof(UNICODE_NULL)); *ReturnLength = 0; return TRUE; } BOOLEAN PhpSearchUpdateText( _In_ HWND WindowHandle, _In_ PPH_SEARCHCONTROL_CONTEXT Context, _In_ BOOLEAN Force ) { ULONG_PTR matchHandle; PH_STRINGREF newSearchboxText; SIZE_T searchboxTextBufferLength; WCHAR searchboxTextBuffer[0x100]; //if (PhGetWindowTextLength(WindowHandle) == 0) //{ // return FALSE; //} if (!PhGetSearchTextToBuffer( WindowHandle, Context, searchboxTextBuffer, RTL_NUMBER_OF(searchboxTextBuffer), &searchboxTextBufferLength )) { return FALSE; } newSearchboxText.Buffer = searchboxTextBuffer; newSearchboxText.Length = searchboxTextBufferLength * sizeof(WCHAR); Context->SearchButton.Active = (newSearchboxText.Length > 0); if (!Force && PhEqualStringRef(&newSearchboxText, &Context->SearchboxText, FALSE)) return FALSE; if (memcpy_s(Context->SearchboxTextBuffer, sizeof(Context->SearchboxTextBuffer), newSearchboxText.Buffer, newSearchboxText.Length)) return FALSE; Context->SearchboxText.Buffer = Context->SearchboxTextBuffer; Context->SearchboxText.Length = searchboxTextBufferLength * sizeof(WCHAR); Context->UseSearchPointer = PhStringToUInt64(&newSearchboxText, 0, &Context->SearchPointer); PhpSearchUpdateRegex(WindowHandle, Context); if (!Context->Callback) return TRUE; matchHandle = (Context->SearchboxText.Length == 0 || (Context->RegexButton.Active && !Context->SearchboxRegexCode)) ? 0 : (ULONG_PTR)Context; Context->Callback(matchHandle, Context->CallbackContext); return TRUE; } void PhpSearchRestoreFocus( _In_ PPH_SEARCHCONTROL_CONTEXT Context ) { if (Context->PreviousFocusWindowHandle) { SetFocus(Context->PreviousFocusWindowHandle); Context->PreviousFocusWindowHandle = NULL; } } LRESULT CALLBACK PhpSearchWndSubclassProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_SEARCHCONTROL_CONTEXT context; WNDPROC oldWndProc; if (!(context = PhGetWindowContext(WindowHandle, SHRT_MAX))) return 0; oldWndProc = context->DefaultWindowProc; switch (WindowMessage) { case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, SHRT_MAX); PhSetWindowProcedure(WindowHandle, oldWndProc); if (context->WindowFont) { DeleteFont(context->WindowFont); context->WindowFont = NULL; } if (context->ImageListHandle) { PhImageListDestroy(context->ImageListHandle); context->ImageListHandle = NULL; } if (context->CueBannerText) { PhDereferenceObject(context->CueBannerText); context->CueBannerText = NULL; } if (context->SearchboxRegexCode) { pcre2_code_free(context->SearchboxRegexCode); } if (context->SearchboxRegexMatchData) { pcre2_match_data_free(context->SearchboxRegexMatchData); } if (context->CaseButton.TooltipHandle) { DestroyWindow(context->CaseButton.TooltipHandle); context->CaseButton.TooltipHandle = NULL; } if (context->RegexButton.TooltipHandle) { DestroyWindow(context->RegexButton.TooltipHandle); context->RegexButton.TooltipHandle = NULL; } if (context->SearchButton.TooltipHandle) { DestroyWindow(context->SearchButton.TooltipHandle); context->SearchButton.TooltipHandle = NULL; } PhpSearchControlDestroyBufferedContext(context); PhFree(context); } break; case WM_ERASEBKGND: return TRUE; case WM_NCCALCSIZE: { LPNCCALCSIZE_PARAMS ncCalcSize = (NCCALCSIZE_PARAMS*)lParam; // Let Windows handle the non-client defaults. CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); // Deflate the client area to accommodate the custom button. ncCalcSize->rgrc[0].right -= (context->ButtonWidth * PH_SC_BUTTON_COUNT); } return 0; case WM_NCPAINT: { RECT windowRect; HDC hdc; ULONG flags; HRGN updateRegion; if (!PhGetWindowRect(WindowHandle, &windowRect)) break; updateRegion = (HRGN)wParam; if (updateRegion == HRGN_FULL) updateRegion = NULL; flags = DCX_WINDOW | DCX_CACHE | DCX_USESTYLE; if (updateRegion) flags |= DCX_INTERSECTRGN | DCX_NODELETERGN; if (hdc = GetDCEx(WindowHandle, updateRegion, flags)) { RECT windowRectStart; RECT bufferRect; // Adjust the coordinates (start from 0,0). PhOffsetRect(&windowRect, -windowRect.left, -windowRect.top); windowRectStart = windowRect; // Exclude client area. ExcludeClipRect( hdc, windowRect.left + (context->BorderSize + 1), windowRect.top + (context->BorderSize + 1), windowRect.right - (context->ButtonWidth * PH_SC_BUTTON_COUNT) - (context->BorderSize + 1), windowRect.bottom - (context->BorderSize + 1) ); bufferRect.left = 0; bufferRect.top = 0; bufferRect.right = windowRect.right - windowRect.left; bufferRect.bottom = windowRect.bottom - windowRect.top; if (context->BufferedDc && ( context->BufferedContextRect.right < bufferRect.right || context->BufferedContextRect.bottom < bufferRect.bottom)) { PhpSearchControlDestroyBufferedContext(context); } if (!context->BufferedDc) { PhpSearchControlCreateBufferedContext(context, hdc, &bufferRect); } if (!context->BufferedDc) { ReleaseDC(WindowHandle, hdc); break; } if (GetFocus() == WindowHandle) { FrameRect(context->BufferedDc, &windowRect, GetSysColorBrush(COLOR_HOTLIGHT)); PhInflateRect(&windowRect, -1, -1); FrameRect(context->BufferedDc, &windowRect, context->WindowBrush); } else if (context->Hot) { if (PhEnableThemeSupport) { SetDCBrushColor(context->BufferedDc, PhThemeWindowHighlight2Color); FrameRect(context->BufferedDc, &windowRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(context->BufferedDc, RGB(43, 43, 43)); FrameRect(context->BufferedDc, &windowRect, PhGetStockBrush(DC_BRUSH)); } PhInflateRect(&windowRect, -1, -1); FrameRect(context->BufferedDc, &windowRect, context->WindowBrush); } else { FrameRect(context->BufferedDc, &windowRect, context->FrameBrush); PhInflateRect(&windowRect, -1, -1); FrameRect(context->BufferedDc, &windowRect, context->WindowBrush); } PhpSearchDrawWindow(context, WindowHandle, context->BufferedDc, &windowRectStart); PhpSearchDrawButton(context, &context->SearchButton, WindowHandle, context->BufferedDc, &windowRectStart); PhpSearchDrawButton(context, &context->RegexButton, WindowHandle, context->BufferedDc, &windowRectStart); PhpSearchDrawButton(context, &context->CaseButton, WindowHandle, context->BufferedDc, &windowRectStart); BitBlt( hdc, bufferRect.left, bufferRect.top, bufferRect.right, bufferRect.bottom, context->BufferedDc, 0, 0, SRCCOPY ); ReleaseDC(WindowHandle, hdc); } } return 0; case WM_NCHITTEST: { POINT windowPoint; RECT windowRect; RECT buttonRect; // Get the screen coordinates of the mouse. //if (!PhGetCursorPos(&windowPoint)) // break; windowPoint.x = GET_X_LPARAM(lParam); windowPoint.y = GET_Y_LPARAM(lParam); // Get the screen coordinates of the window. if (!PhGetWindowRect(WindowHandle, &windowRect)) break; // Get the position of the inserted buttons. PhpSearchControlButtonRect(context, &context->SearchButton, &windowRect, &buttonRect); if (PhPtInRect(&buttonRect, &windowPoint)) return HTBORDER; PhpSearchControlButtonRect(context, &context->RegexButton, &windowRect, &buttonRect); if (PhPtInRect(&buttonRect, &windowPoint)) return HTBORDER; PhpSearchControlButtonRect(context, &context->CaseButton, &windowRect, &buttonRect); if (PhPtInRect(&buttonRect, &windowPoint)) return HTBORDER; } break; case WM_NCLBUTTONDOWN: { UINT codeHitTest = (UINT)wParam; POINT windowPoint; RECT windowRect; RECT buttonRect; // Get the screen coordinates of the mouse. //if (!PhGetMessagePos(&windowPoint)) // break; windowPoint.x = GET_X_LPARAM(lParam); windowPoint.y = GET_Y_LPARAM(lParam); // Get the screen coordinates of the window. if (!PhGetWindowRect(WindowHandle, &windowRect)) break; PhpSearchControlButtonRect(context, &context->SearchButton, &windowRect, &buttonRect); context->SearchButton.Pushed = PhPtInRect(&buttonRect, &windowPoint); PhpSearchControlButtonRect(context, &context->RegexButton, &windowRect, &buttonRect); context->RegexButton.Pushed = PhPtInRect(&buttonRect, &windowPoint); PhpSearchControlButtonRect(context, &context->CaseButton, &windowRect, &buttonRect); context->CaseButton.Pushed = PhPtInRect(&buttonRect, &windowPoint); SetCapture(WindowHandle); RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); } break; case WM_LBUTTONUP: { POINT windowPoint; RECT windowRect; RECT buttonRect; // Get the screen coordinates of the mouse. if (!PhGetMessagePos(&windowPoint)) break; // Get the screen coordinates of the window. if (!PhGetWindowRect(WindowHandle, &windowRect)) break; PhpSearchControlButtonRect(context, &context->SearchButton, &windowRect, &buttonRect); if (PhPtInRect(&buttonRect, &windowPoint)) { SetFocus(WindowHandle); PhSetWindowText(WindowHandle, L""); PhpSearchUpdateText(WindowHandle, context, FALSE); } PhpSearchControlButtonRect(context, &context->RegexButton, &windowRect, &buttonRect); if (PhPtInRect(&buttonRect, &windowPoint)) { context->RegexButton.Active = !context->RegexButton.Active; PhSetIntegerSetting(context->RegexSetting, context->RegexButton.Active); PhpSearchUpdateText(WindowHandle, context, TRUE); } PhpSearchControlButtonRect(context, &context->CaseButton, &windowRect, &buttonRect); if (PhPtInRect(&buttonRect, &windowPoint)) { context->CaseButton.Active = !context->CaseButton.Active; PhSetIntegerSetting(context->CaseSetting, context->CaseButton.Active); PhpSearchUpdateText(WindowHandle, context, FALSE); } if (GetCapture() == WindowHandle) { context->SearchButton.Pushed = FALSE; context->RegexButton.Pushed = FALSE; context->CaseButton.Pushed = FALSE; ReleaseCapture(); } RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); } break; case WM_CONTEXTMENU: { POINT windowPoint; PPH_EMENU menu; PPH_EMENU item; ULONG selStart; ULONG selEnd; windowPoint.x = GET_X_LPARAM(lParam); windowPoint.y = GET_Y_LPARAM(lParam); CallWindowProc(oldWndProc, WindowHandle, EM_GETSEL, (WPARAM)&selStart, (LPARAM)&selEnd); menu = PhCreateEMenu(); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 1, L"Undo", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 2, L"Cut", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 3, L"Copy", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 4, L"Paste", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 5, L"Delete", NULL, NULL), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuSeparator(), ULONG_MAX); PhInsertEMenuItem(menu, PhCreateEMenuItem(0, 6, L"Select All", NULL, NULL), ULONG_MAX); if (selStart == selEnd) { PhEnableEMenuItem(menu, 2, FALSE); PhEnableEMenuItem(menu, 3, FALSE); PhEnableEMenuItem(menu, 6, FALSE); } item = PhShowEMenu( menu, WindowHandle, PH_EMENU_SHOW_SEND_COMMAND | PH_EMENU_SHOW_LEFTRIGHT, PH_ALIGN_LEFT | PH_ALIGN_TOP, windowPoint.x, windowPoint.y ); if (item) { PPH_STRING text = PhGetWindowText(WindowHandle); switch (item->Id) { case 1: { CallWindowProc(oldWndProc, WindowHandle, EM_UNDO, 0, 0); PhpSearchUpdateText(WindowHandle, context, FALSE); } break; case 2: { PPH_STRING selectedText = PH_AUTO(PhSubstring(text, selStart, selEnd - selStart)); PPH_STRING startText = PH_AUTO(PhSubstring(text, 0, selStart)); PPH_STRING endText = PH_AUTO(PhSubstring(text, selEnd, text->Length / sizeof(WCHAR))); PPH_STRING newText = PH_AUTO(PhConcatStringRef2(&startText->sr, &endText->sr)); PhSetClipboardString(WindowHandle, &selectedText->sr); PhSetWindowText(WindowHandle, newText->Buffer); PhpSearchUpdateText(WindowHandle, context, FALSE); } break; case 3: { PPH_STRING selectedText = PH_AUTO(PhSubstring(text, selStart, selEnd - selStart)); PhSetClipboardString(WindowHandle, &selectedText->sr); } break; case 4: { PPH_STRING clipText = PH_AUTO(PhGetClipboardString(WindowHandle)); PPH_STRING startText = PH_AUTO(PhSubstring(text, 0, selStart)); PPH_STRING endText = PH_AUTO(PhSubstring(text, selEnd, text->Length / sizeof(WCHAR))); PPH_STRING newText = PH_AUTO(PhConcatStringRef3(&startText->sr, &clipText->sr, &endText->sr)); PhSetWindowText(WindowHandle, newText->Buffer); PhpSearchUpdateText(WindowHandle, context, FALSE); } break; case 5: { PPH_STRING startText = PH_AUTO(PhSubstring(text, 0, selStart)); PPH_STRING endText = PH_AUTO(PhSubstring(text, selEnd, text->Length / sizeof(WCHAR))); PPH_STRING newText = PH_AUTO(PhConcatStringRef2(&startText->sr, &endText->sr)); PhSetWindowText(WindowHandle, newText->Buffer); PhpSearchUpdateText(WindowHandle, context, FALSE); } break; case 6: { CallWindowProc(oldWndProc, WindowHandle, EM_SETSEL, 0, -1); } break; } PhDereferenceObject(text); } PhDestroyEMenu(menu); } return FALSE; case WM_CUT: case WM_CLEAR: case WM_PASTE: case WM_UNDO: case WM_KEYUP: case WM_SETTEXT: { LRESULT result = CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); PhpSearchUpdateText(WindowHandle, context, FALSE); RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); return result; } break; case WM_SETFOCUS: { context->WindowFocus = TRUE; context->PreviousFocusWindowHandle = (HWND)wParam; } break; case WM_KILLFOCUS: { context->WindowFocus = FALSE; RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); } break; case WM_SETTINGCHANGE: case WM_SYSCOLORCHANGE: case WM_THEMECHANGED: { PhpSearchControlThemeChanged(context, WindowHandle); } break; case WM_DPICHANGED_AFTERPARENT: { context->WindowDpi = PhGetWindowDpi(context->ParentWindowHandle); PhpSearchControlThemeChanged(context, WindowHandle); } break; case WM_MOUSEMOVE: case WM_NCMOUSEMOVE: { POINT windowPoint; RECT windowRect; RECT buttonRect; // Get the screen coordinates of the mouse. if (!PhGetMessagePos(&windowPoint)) break; // Get the screen coordinates of the window. if (!PhGetWindowRect(WindowHandle, &windowRect)) break; context->Hot = PhPtInRect(&windowRect, &windowPoint); PhpSearchControlButtonRect(context, &context->RegexButton, &windowRect, &buttonRect); context->RegexButton.Hot = PhPtInRect(&buttonRect, &windowPoint); if (context->RegexButton.Hot) { PhpSearchControlCreateTooltip(context, &context->RegexButton, WindowHandle, &buttonRect, L"Regular Expression"); } PhpSearchControlButtonRect(context, &context->CaseButton, &windowRect, &buttonRect); context->CaseButton.Hot = PhPtInRect(&buttonRect, &windowPoint); if (context->CaseButton.Hot) { PhpSearchControlCreateTooltip(context, &context->CaseButton, WindowHandle, &buttonRect, L"Match Case"); } PhpSearchControlButtonRect(context, &context->SearchButton, &windowRect, &buttonRect); context->SearchButton.Hot = PhPtInRect(&buttonRect, &windowPoint); if (context->SearchButton.Hot) { PhpSearchControlCreateTooltip(context, &context->SearchButton, WindowHandle, &buttonRect, L"Clear Search"); } // Check that the mouse is within the inserted button. if (!context->HotTrack) { TRACKMOUSEEVENT trackMouseEvent; trackMouseEvent.cbSize = sizeof(TRACKMOUSEEVENT); trackMouseEvent.dwFlags = TME_LEAVE | TME_NONCLIENT; trackMouseEvent.hwndTrack = WindowHandle; trackMouseEvent.dwHoverTime = 0; context->HotTrack = TRUE; TrackMouseEvent(&trackMouseEvent); } RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); } break; case WM_MOUSELEAVE: case WM_NCMOUSELEAVE: { POINT windowPoint; RECT windowRect; RECT buttonRect; context->HotTrack = FALSE; if (!PhGetMessagePos(&windowPoint)) break; if (!PhGetWindowRect(WindowHandle, &windowRect)) break; context->Hot = PhPtInRect(&windowRect, &windowPoint); PhpSearchControlButtonRect(context, &context->SearchButton, &windowRect, &buttonRect); context->SearchButton.Hot = PhPtInRect(&buttonRect, &windowPoint); PhpSearchControlButtonRect(context, &context->RegexButton, &windowRect, &buttonRect); context->RegexButton.Hot = PhPtInRect(&buttonRect, &windowPoint); PhpSearchControlButtonRect(context, &context->CaseButton, &windowRect, &buttonRect); context->CaseButton.Hot = PhPtInRect(&buttonRect, &windowPoint); RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); } break; case WM_PAINT: { if ( PhIsNullOrEmptyString(context->CueBannerText) || context->WindowFocus || // GetFocus() == WindowHandle || CallWindowProc(oldWndProc, WindowHandle, WM_GETTEXTLENGTH, 0, 0) > 0 // Edit_GetTextLength ) { goto SubclassWndProc; } PAINTSTRUCT paintStruct; RECT clientRect; HDC hdc; if (hdc = BeginPaint(WindowHandle, &paintStruct)) { HDC bufferDc; HFONT oldFont; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; clientRect = paintStruct.rcPaint; bufferDc = CreateCompatibleDC(hdc); bufferBitmap = CreateCompatibleBitmap(hdc, clientRect.right, clientRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); SetBkMode(bufferDc, TRANSPARENT); if (PhEnableThemeSupport) { SetTextColor(bufferDc, RGB(170, 170, 170)); SetDCBrushColor(bufferDc, RGB(60, 60, 60)); FillRect(bufferDc, &clientRect, PhGetStockBrush(DC_BRUSH)); } else { SetTextColor(bufferDc, GetSysColor(COLOR_GRAYTEXT)); FillRect(bufferDc, &clientRect, context->WindowBrush); } oldFont = SelectFont(bufferDc, context->WindowFont); clientRect.left += 2; DrawText( bufferDc, context->CueBannerText->Buffer, (UINT)context->CueBannerText->Length / sizeof(WCHAR), &clientRect, DT_LEFT | DT_VCENTER | DT_SINGLELINE | DT_NOCLIP ); clientRect.left -= 2; SelectFont(bufferDc, oldFont); BitBlt(hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom, bufferDc, 0, 0, SRCCOPY); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); EndPaint(WindowHandle, &paintStruct); } } return 0; case WM_KEYDOWN: { // Delete previous word for ctrl+backspace (thanks to Katayama Hirofumi MZ) (modified) (dmex) if (wParam == VK_BACK && GetAsyncKeyState(VK_CONTROL) < 0) { LONG textStart = 0; LONG textEnd = 0; LONG textLength; textLength = (LONG)CallWindowProc(oldWndProc, WindowHandle, WM_GETTEXTLENGTH, 0, 0); CallWindowProc(oldWndProc, WindowHandle, EM_GETSEL, (WPARAM)&textStart, (LPARAM)&textEnd); if (textLength > 0 && textStart == textEnd) { ULONG textBufferLength; WCHAR textBuffer[0x100]; if (!NT_SUCCESS(PhGetWindowTextToBuffer(WindowHandle, 0, textBuffer, RTL_NUMBER_OF(textBuffer), &textBufferLength))) { break; } for (; 0 < textStart; --textStart) { if (textBuffer[textStart - 1] == L' ' && iswalnum(textBuffer[textStart])) { CallWindowProc(oldWndProc, WindowHandle, EM_SETSEL, textStart, textEnd); CallWindowProc(oldWndProc, WindowHandle, EM_REPLACESEL, TRUE, (LPARAM)L""); return 1; } } if (textStart == 0) { PhSetWindowText(WindowHandle, L""); PhpSearchUpdateText(WindowHandle, context, FALSE); return 1; } } } // Clear search and restore focus for esc key else if (wParam == VK_ESCAPE) { PhSetWindowText(WindowHandle, L""); PhpSearchUpdateText(WindowHandle, context, FALSE); PhpSearchRestoreFocus(context); return 1; } // Up/down arrows will just restore previous focus without clearing search else if (wParam == VK_DOWN || wParam == VK_UP) { PhpSearchRestoreFocus(context); return 1; } } break; case WM_CHAR: { // Delete previous word for ctrl+backspace (dmex) if (wParam == VK_F16 && GetAsyncKeyState(VK_CONTROL) < 0) return 1; } break; case WM_GETDLGCODE: { // Intercept esc key (otherwise it would get sent to parent window) if (wParam == VK_ESCAPE && ((MSG*)lParam)->message == WM_KEYDOWN) return DLGC_WANTMESSAGE; } break; case EM_SETCUEBANNER: { PWSTR text = (PWSTR)lParam; PhMoveReference(&context->CueBannerText, PhCreateString(text)); RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); } return TRUE; } SubclassWndProc: return CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); //DefaultWndProc: // return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } VOID PhCreateSearchControlEx( _In_ HWND ParentWindowHandle, _In_ HWND SearchWindowHandle, _In_opt_ PCWSTR BannerText, _In_ PVOID ImageBaseAddress, _In_ PCWSTR SearchButtonResource, _In_ PCWSTR SearchButtonActiveResource, _In_ PCWSTR RegexButtonResource, _In_ PCWSTR CaseButtonResource, _In_ PCWSTR RegexSetting, _In_ PCWSTR CaseSetting, _In_ PPH_SEARCHCONTROL_CALLBACK Callback, _In_opt_ PVOID Context ) { PPH_SEARCHCONTROL_CONTEXT context; context = PhAllocateZero(sizeof(PH_SEARCHCONTROL_CONTEXT)); context->ParentWindowHandle = ParentWindowHandle; context->CueBannerText = BannerText ? PhCreateString(BannerText) : NULL; context->WindowDpi = PhGetWindowDpi(ParentWindowHandle); context->RegexSetting = RegexSetting; context->CaseSetting = CaseSetting; context->ImageBaseAddress = ImageBaseAddress; context->SearchButtonResource = SearchButtonResource; context->SearchButtonActiveResource = SearchButtonActiveResource; context->RegexButtonResource = RegexButtonResource; context->CaseButtonResource = CaseButtonResource; context->Callback = Callback; context->CallbackContext = Context; context->RegexButton.Active = !!PhGetIntegerSetting(context->RegexSetting); context->CaseButton.Active = !!PhGetIntegerSetting(context->CaseSetting); // Subclass the Edit control window procedure. context->DefaultWindowProc = PhGetWindowProcedure(SearchWindowHandle); PhSetWindowContext(SearchWindowHandle, SHRT_MAX, context); PhSetWindowProcedure(SearchWindowHandle, PhpSearchWndSubclassProc); // Initialize the theme parameters. PhpSearchControlThemeChanged(context, SearchWindowHandle); } VOID PhSearchControlClear( _In_ HWND SearchWindowHandle ) { SetFocus(SearchWindowHandle); PhSetWindowText(SearchWindowHandle, L""); } BOOLEAN PhSearchControlMatch( _In_ ULONG_PTR MatchHandle, _In_ PCPH_STRINGREF Text ) { PPH_SEARCHCONTROL_CONTEXT context; context = (PPH_SEARCHCONTROL_CONTEXT)MatchHandle; if (!context) return FALSE; if (context->RegexButton.Active) { if (pcre2_match( context->SearchboxRegexCode, Text->Buffer, Text->Length / sizeof(WCHAR), 0, 0, context->SearchboxRegexMatchData, NULL ) >= 0) { return TRUE; } } else if (context->CaseButton.Active) { if (PhFindStringInStringRef(Text, &context->SearchboxText, FALSE) != MAXULONG_PTR) return TRUE; } else { if (PhFindStringInStringRef(Text, &context->SearchboxText, TRUE) != MAXULONG_PTR) return TRUE; } return FALSE; } BOOLEAN PhSearchControlMatchZ( _In_ ULONG_PTR MatchHandle, _In_ PCWSTR Text ) { PH_STRINGREF text; PhInitializeStringRef(&text, Text); return PhSearchControlMatch(MatchHandle, &text); } BOOLEAN PhSearchControlMatchLongHintZ( _In_ ULONG_PTR MatchHandle, _In_ PCWSTR Text ) { PH_STRINGREF text; PhInitializeStringRefLongHint(&text, Text); return PhSearchControlMatch(MatchHandle, &text); } BOOLEAN PhSearchControlMatchPointer( _In_ ULONG_PTR MatchHandle, _In_ PVOID Pointer ) { PPH_SEARCHCONTROL_CONTEXT context; context = (PPH_SEARCHCONTROL_CONTEXT)MatchHandle; if (!Pointer || !context || !context->UseSearchPointer) return FALSE; return ((ULONG64)Pointer == context->SearchPointer); } BOOLEAN PhSearchControlMatchPointerRange( _In_ ULONG_PTR MatchHandle, _In_ PVOID Pointer, _In_ SIZE_T Size ) { PPH_SEARCHCONTROL_CONTEXT context; PVOID pointerEnd; context = (PPH_SEARCHCONTROL_CONTEXT)MatchHandle; if (!context || !context->UseSearchPointer) return FALSE; pointerEnd = PTR_ADD_OFFSET(Pointer, Size); return ((context->SearchPointer >= (ULONG64)Pointer) && (context->SearchPointer < (ULONG64)pointerEnd)); } ================================================ FILE: phlib/secdata.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #define ACCESS_ENTRIES(Type) static const PH_ACCESS_ENTRY Ph##Type##AccessEntries[] = #define ACCESS_ENTRY(Type, HasSynchronize) \ { TEXT(#Type), (PPH_ACCESS_ENTRY)Ph##Type##AccessEntries, sizeof(Ph##Type##AccessEntries), HasSynchronize } typedef struct _PH_SPECIFIC_TYPE { PCWSTR Type; PPH_ACCESS_ENTRY AccessEntries; ULONG SizeOfAccessEntries; BOOLEAN HasSynchronize; } PH_SPECIFIC_TYPE, *PPH_SPECIFIC_TYPE; ACCESS_ENTRIES(Standard) { { L"Synchronize", SYNCHRONIZE, FALSE, TRUE, NULL }, { L"Delete", DELETE, FALSE, TRUE, NULL }, { L"Read permissions", READ_CONTROL, FALSE, TRUE, L"Read control" }, { L"Change permissions", WRITE_DAC, FALSE, TRUE, L"Write DAC" }, { L"Take ownership", WRITE_OWNER, FALSE, TRUE, L"Write owner" } }; ACCESS_ENTRIES(AlpcPort) { { L"Full control", PORT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Connect", PORT_CONNECT, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(DebugObject) { { L"Full control", DEBUG_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read events", DEBUG_READ_EVENT, TRUE, TRUE, NULL }, { L"Assign processes", DEBUG_PROCESS_ASSIGN, TRUE, TRUE, NULL }, { L"Query information", DEBUG_QUERY_INFORMATION, TRUE, TRUE, NULL }, { L"Set information", DEBUG_SET_INFORMATION, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Desktop) { { L"Full control", DESKTOP_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", DESKTOP_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", DESKTOP_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Execute", DESKTOP_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Enumerate", DESKTOP_ENUMERATE, FALSE, TRUE, NULL }, { L"Read objects", DESKTOP_READOBJECTS, FALSE, TRUE, NULL }, { L"Playback journals", DESKTOP_JOURNALPLAYBACK, FALSE, TRUE, NULL }, { L"Write objects", DESKTOP_WRITEOBJECTS, FALSE, TRUE, NULL }, { L"Create windows", DESKTOP_CREATEWINDOW, FALSE, TRUE, NULL }, { L"Create menus", DESKTOP_CREATEMENU, FALSE, TRUE, NULL }, { L"Create window hooks", DESKTOP_HOOKCONTROL, FALSE, TRUE, NULL }, { L"Record journals", DESKTOP_JOURNALRECORD, FALSE, TRUE, NULL }, { L"Switch desktop", DESKTOP_SWITCHDESKTOP, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(Directory) { { L"Full control", DIRECTORY_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", DIRECTORY_QUERY, TRUE, TRUE, NULL }, { L"Traverse", DIRECTORY_TRAVERSE, TRUE, TRUE, NULL }, { L"Create objects", DIRECTORY_CREATE_OBJECT, TRUE, TRUE, NULL }, { L"Create subdirectories", DIRECTORY_CREATE_SUBDIRECTORY, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(EtwConsumer) { { L"Full control", WMIGUID_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", WMIGUID_QUERY, TRUE, TRUE, NULL }, { L"Read", WMIGUID_SET, TRUE, TRUE, NULL }, { L"Notification", WMIGUID_NOTIFICATION, TRUE, TRUE, NULL }, { L"Read description", WMIGUID_READ_DESCRIPTION, TRUE, TRUE, NULL }, { L"Execute", WMIGUID_EXECUTE, TRUE, TRUE, NULL }, { L"Create realtime", TRACELOG_CREATE_REALTIME, TRUE, TRUE, NULL }, { L"Create logfile", TRACELOG_CREATE_ONDISK, TRUE, TRUE, NULL }, { L"GUID enable", TRACELOG_GUID_ENABLE, TRUE, TRUE, NULL }, { L"Access kernel logger", TRACELOG_ACCESS_KERNEL_LOGGER, TRUE, TRUE, NULL }, { L"Log events", TRACELOG_LOG_EVENT, TRUE, TRUE, NULL }, { L"Access realtime", TRACELOG_ACCESS_REALTIME, TRUE, TRUE, NULL }, { L"Register guids", TRACELOG_REGISTER_GUIDS, TRUE, TRUE, NULL }, { L"Join group", TRACELOG_JOIN_GROUP, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(EtwRegistration) { { L"Full control", WMIGUID_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", WMIGUID_QUERY, TRUE, TRUE, NULL }, { L"Read", WMIGUID_SET, TRUE, TRUE, NULL }, { L"Notification", WMIGUID_NOTIFICATION, TRUE, TRUE, NULL }, { L"Read description", WMIGUID_READ_DESCRIPTION, TRUE, TRUE, NULL }, { L"Execute", WMIGUID_EXECUTE, TRUE, TRUE, NULL }, { L"Create realtime", TRACELOG_CREATE_REALTIME, TRUE, TRUE, NULL }, { L"Create logfile", TRACELOG_CREATE_ONDISK, TRUE, TRUE, NULL }, { L"GUID enable", TRACELOG_GUID_ENABLE, TRUE, TRUE, NULL }, { L"Access kernel logger", TRACELOG_ACCESS_KERNEL_LOGGER, TRUE, TRUE, NULL }, { L"Log events", TRACELOG_LOG_EVENT, TRUE, TRUE, NULL }, { L"Access realtime", TRACELOG_ACCESS_REALTIME, TRUE, TRUE, NULL }, { L"Register guids", TRACELOG_REGISTER_GUIDS, TRUE, TRUE, NULL }, { L"Join group", TRACELOG_JOIN_GROUP, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Event) { { L"Full control", EVENT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", EVENT_QUERY_STATE, TRUE, TRUE, NULL }, { L"Modify", EVENT_MODIFY_STATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(EventPair) { { L"Full control", EVENT_PAIR_ALL_ACCESS, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(File) { { L"Full control", FILE_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read & execute", FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Read", FILE_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", FILE_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Traverse folder / execute file", FILE_EXECUTE, FALSE, TRUE, L"Execute" }, { L"List folder / read data", FILE_READ_DATA, FALSE, TRUE, L"Read data" }, { L"Read attributes", FILE_READ_ATTRIBUTES, FALSE, TRUE, NULL }, { L"Read extended attributes", FILE_READ_EA, FALSE, TRUE, L"Read EA" }, { L"Create files / write data", FILE_WRITE_DATA, FALSE, TRUE, L"Write data" }, { L"Create folders / append data", FILE_APPEND_DATA, FALSE, TRUE, L"Append data" }, { L"Write attributes", FILE_WRITE_ATTRIBUTES, FALSE, TRUE, NULL }, { L"Write extended attributes", FILE_WRITE_EA, FALSE, TRUE, L"Write EA" }, { L"Delete subfolders and files", FILE_DELETE_CHILD, FALSE, TRUE, L"Delete child" } }; ACCESS_ENTRIES(FilterConnectionPort) { { L"Full control", FLT_PORT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Connect", FLT_PORT_CONNECT, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(IoCompletion) { { L"Full control", IO_COMPLETION_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", IO_COMPLETION_QUERY_STATE, TRUE, TRUE, NULL }, { L"Modify", IO_COMPLETION_MODIFY_STATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Job) { { L"Full control", JOB_OBJECT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", JOB_OBJECT_QUERY, TRUE, TRUE, NULL }, { L"Assign processes", JOB_OBJECT_ASSIGN_PROCESS, TRUE, TRUE, NULL }, { L"Set attributes", JOB_OBJECT_SET_ATTRIBUTES, TRUE, TRUE, NULL }, { L"Set security attributes", JOB_OBJECT_SET_SECURITY_ATTRIBUTES, TRUE, TRUE, NULL }, { L"Terminate", JOB_OBJECT_TERMINATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Key) { { L"Full control", KEY_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", KEY_READ, TRUE, FALSE, NULL }, { L"Write", KEY_WRITE, TRUE, FALSE, NULL }, //{ L"Execute", KEY_EXECUTE, TRUE, FALSE }, // KEY_EXECUTE has the same value as KEY_READ (dmex) { L"Enumerate subkeys", KEY_ENUMERATE_SUB_KEYS, FALSE, TRUE, NULL }, { L"Query values", KEY_QUERY_VALUE, FALSE, TRUE, NULL }, { L"Notify", KEY_NOTIFY, FALSE, TRUE, NULL }, { L"Set values", KEY_SET_VALUE, FALSE, TRUE, NULL }, { L"Create subkeys", KEY_CREATE_SUB_KEY, FALSE, TRUE, NULL }, { L"Create links", KEY_CREATE_LINK, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(KeyedEvent) { { L"Full control", KEYEDEVENT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Wait", KEYEDEVENT_WAIT, TRUE, TRUE, NULL }, { L"Wake", KEYEDEVENT_WAKE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(LsaAccount) { { L"Full control", ACCOUNT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", ACCOUNT_READ, TRUE, FALSE, NULL }, { L"Write", ACCOUNT_WRITE, TRUE, FALSE, NULL }, { L"Execute", ACCOUNT_EXECUTE, TRUE, FALSE, NULL }, { L"View", ACCOUNT_VIEW, FALSE, TRUE, NULL }, { L"Adjust privileges", ACCOUNT_ADJUST_PRIVILEGES, FALSE, TRUE, NULL }, { L"Adjust quotas", ACCOUNT_ADJUST_QUOTAS, FALSE, TRUE, NULL }, { L"Adjust system access", ACCOUNT_ADJUST_SYSTEM_ACCESS, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(LsaPolicy) { { L"Full control", POLICY_ALL_ACCESS | POLICY_NOTIFICATION, TRUE, TRUE, NULL }, { L"Read", POLICY_READ, TRUE, FALSE, NULL }, { L"Write", POLICY_WRITE, TRUE, FALSE, NULL }, { L"Execute", POLICY_EXECUTE | POLICY_NOTIFICATION, TRUE, FALSE, NULL }, { L"View local information", POLICY_VIEW_LOCAL_INFORMATION, FALSE, TRUE, NULL }, { L"View audit information", POLICY_VIEW_AUDIT_INFORMATION, FALSE, TRUE, NULL }, { L"Get private information", POLICY_GET_PRIVATE_INFORMATION, FALSE, TRUE, NULL }, { L"Administer trust", POLICY_TRUST_ADMIN, FALSE, TRUE, NULL }, { L"Create account", POLICY_CREATE_ACCOUNT, FALSE, TRUE, NULL }, { L"Create secret", POLICY_CREATE_SECRET, FALSE, TRUE, NULL }, { L"Create privilege", POLICY_CREATE_PRIVILEGE, FALSE, TRUE, NULL }, { L"Set default quota limits", POLICY_SET_DEFAULT_QUOTA_LIMITS, FALSE, TRUE, NULL }, { L"Set audit requirements", POLICY_SET_AUDIT_REQUIREMENTS, FALSE, TRUE, NULL }, { L"Administer audit log", POLICY_AUDIT_LOG_ADMIN, FALSE, TRUE, NULL }, { L"Administer server", POLICY_SERVER_ADMIN, FALSE, TRUE, NULL }, { L"Lookup names", POLICY_LOOKUP_NAMES, FALSE, TRUE, NULL }, { L"Get notifications", POLICY_NOTIFICATION, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(LsaSecret) { { L"Full control", SECRET_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", SECRET_READ, TRUE, FALSE, NULL }, { L"Write", SECRET_WRITE, TRUE, FALSE, NULL }, { L"Execute", SECRET_EXECUTE, TRUE, FALSE, NULL }, { L"Set value", SECRET_SET_VALUE, FALSE, TRUE, NULL }, { L"Query value", SECRET_QUERY_VALUE, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(LsaTrusted) { { L"Full control", TRUSTED_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", TRUSTED_READ, TRUE, FALSE, NULL }, { L"Write", TRUSTED_WRITE, TRUE, FALSE, NULL }, { L"Execute", TRUSTED_EXECUTE, TRUE, FALSE, NULL }, { L"Query domain name", TRUSTED_QUERY_DOMAIN_NAME, FALSE, TRUE, NULL }, { L"Query controllers", TRUSTED_QUERY_CONTROLLERS, FALSE, TRUE, NULL }, { L"Set controllers", TRUSTED_SET_CONTROLLERS, FALSE, TRUE, NULL }, { L"Query POSIX", TRUSTED_QUERY_POSIX, FALSE, TRUE, NULL }, { L"Set POSIX", TRUSTED_SET_POSIX, FALSE, TRUE, NULL }, { L"Query authentication", TRUSTED_QUERY_AUTH, FALSE, TRUE, NULL }, { L"Set authentication", TRUSTED_SET_AUTH, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(Mutant) { { L"Full control", MUTANT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", MUTANT_QUERY_STATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Partition) { { L"Full control", MEMORY_PARTITION_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", MEMORY_PARTITION_QUERY_ACCESS, TRUE, TRUE, NULL }, { L"Modify", MEMORY_PARTITION_MODIFY_ACCESS, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Process) { { L"Full control", STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff, TRUE, TRUE, NULL }, { L"Query information", PROCESS_QUERY_INFORMATION, TRUE, TRUE, NULL }, { L"Set information", PROCESS_SET_INFORMATION, TRUE, TRUE, NULL }, { L"Set quotas", PROCESS_SET_QUOTA, TRUE, TRUE, NULL }, { L"Set session ID", PROCESS_SET_SESSIONID, TRUE, TRUE, NULL }, { L"Create threads", PROCESS_CREATE_THREAD, TRUE, TRUE, NULL }, { L"Create processes", PROCESS_CREATE_PROCESS, TRUE, TRUE, NULL }, { L"Modify memory", PROCESS_VM_OPERATION, TRUE, TRUE, L"VM operation" }, { L"Read memory", PROCESS_VM_READ, TRUE, TRUE, L"VM read" }, { L"Write memory", PROCESS_VM_WRITE, TRUE, TRUE, L"VM write" }, { L"Duplicate handles", PROCESS_DUP_HANDLE, TRUE, TRUE, NULL }, { L"Suspend / resume / set port", PROCESS_SUSPEND_RESUME, TRUE, TRUE, L"Suspend/resume" }, { L"Terminate", PROCESS_TERMINATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Process60) { { L"Full control", STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | SPECIFIC_RIGHTS_ALL, TRUE, TRUE, NULL }, // PROCESS_ALL_ACCESS { L"Query limited information", PROCESS_QUERY_LIMITED_INFORMATION, TRUE, TRUE, NULL }, { L"Query information", PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, TRUE, TRUE, NULL }, { L"Set information", PROCESS_SET_INFORMATION, TRUE, TRUE, NULL }, { L"Set limited information", PROCESS_SET_LIMITED_INFORMATION, TRUE, TRUE, NULL }, { L"Set quotas", PROCESS_SET_QUOTA, TRUE, TRUE, NULL }, { L"Set session ID", PROCESS_SET_SESSIONID, TRUE, TRUE, NULL }, { L"Create threads", PROCESS_CREATE_THREAD, TRUE, TRUE, NULL }, { L"Create processes", PROCESS_CREATE_PROCESS, TRUE, TRUE, NULL }, { L"Modify memory", PROCESS_VM_OPERATION, TRUE, TRUE, L"VM operation" }, { L"Read memory", PROCESS_VM_READ, TRUE, TRUE, L"VM read" }, { L"Write memory", PROCESS_VM_WRITE, TRUE, TRUE, L"VM write" }, { L"Duplicate handles", PROCESS_DUP_HANDLE, TRUE, TRUE, NULL }, { L"Suspend / resume / set port", PROCESS_SUSPEND_RESUME, TRUE, TRUE, L"Suspend/resume" }, { L"Terminate", PROCESS_TERMINATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Profile) { { L"Full control", PROFILE_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Control", PROFILE_CONTROL, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(SamAlias) { { L"Full control", ALIAS_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", ALIAS_READ, TRUE, FALSE, NULL }, { L"Write", ALIAS_WRITE, TRUE, FALSE, NULL }, { L"Execute", ALIAS_EXECUTE, TRUE, FALSE }, { L"Read information", ALIAS_READ_INFORMATION, FALSE, TRUE, NULL }, { L"Write account", ALIAS_WRITE_ACCOUNT, FALSE, TRUE, NULL }, { L"Add member", ALIAS_ADD_MEMBER, FALSE, TRUE, NULL }, { L"Remove member", ALIAS_REMOVE_MEMBER, FALSE, TRUE, NULL }, { L"List members", ALIAS_LIST_MEMBERS, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(SamDomain) { { L"Full control", DOMAIN_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", DOMAIN_READ, TRUE, FALSE, NULL }, { L"Write", DOMAIN_WRITE, TRUE, FALSE, NULL }, { L"Execute", DOMAIN_EXECUTE, TRUE, FALSE, NULL }, { L"Read password parameters", DOMAIN_READ_PASSWORD_PARAMETERS, FALSE, TRUE, NULL }, { L"Write password parameters", DOMAIN_WRITE_PASSWORD_PARAMS, FALSE, TRUE, NULL }, { L"Read other parameters", DOMAIN_READ_OTHER_PARAMETERS, FALSE, TRUE, NULL }, { L"Write other parameters", DOMAIN_WRITE_OTHER_PARAMETERS, FALSE, TRUE, NULL }, { L"Create user", DOMAIN_CREATE_USER, FALSE, TRUE, NULL }, { L"Create group", DOMAIN_CREATE_GROUP, FALSE, TRUE, NULL }, { L"Create alias", DOMAIN_CREATE_ALIAS, FALSE, TRUE, NULL }, { L"Get alias membership", DOMAIN_GET_ALIAS_MEMBERSHIP, FALSE, TRUE, NULL }, { L"List accounts", DOMAIN_LIST_ACCOUNTS, FALSE, TRUE, NULL }, { L"Lookup", DOMAIN_LOOKUP, FALSE, TRUE, NULL }, { L"Administer server", DOMAIN_ADMINISTER_SERVER, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(SamGroup) { { L"Full control", GROUP_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", GROUP_READ, TRUE, FALSE, NULL }, { L"Write", GROUP_WRITE, TRUE, FALSE, NULL }, { L"Execute", GROUP_EXECUTE, TRUE, FALSE, NULL }, { L"Read information", GROUP_READ_INFORMATION, FALSE, TRUE, NULL }, { L"Write account", GROUP_WRITE_ACCOUNT, FALSE, TRUE, NULL }, { L"Add member", GROUP_ADD_MEMBER, FALSE, TRUE, NULL }, { L"Remove member", GROUP_REMOVE_MEMBER, FALSE, TRUE, NULL }, { L"List members", GROUP_LIST_MEMBERS, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(SamServer) { { L"Full control", SAM_SERVER_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", SAM_SERVER_READ, TRUE, FALSE, NULL }, { L"Write", SAM_SERVER_WRITE, TRUE, FALSE, NULL }, { L"Execute", SAM_SERVER_EXECUTE, TRUE, FALSE, NULL }, { L"Connect", SAM_SERVER_CONNECT, FALSE, TRUE, NULL }, { L"Shutdown", SAM_SERVER_SHUTDOWN, FALSE, TRUE, NULL }, { L"Initialize", SAM_SERVER_INITIALIZE, FALSE, TRUE, NULL }, { L"Create domain", SAM_SERVER_CREATE_DOMAIN, FALSE, TRUE, NULL }, { L"Enumerate domains", SAM_SERVER_ENUMERATE_DOMAINS, FALSE, TRUE, NULL }, { L"Lookup domain", SAM_SERVER_LOOKUP_DOMAIN, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(SamUser) { { L"Full control", USER_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", USER_READ, TRUE, FALSE, NULL }, { L"Write", USER_WRITE, TRUE, FALSE, NULL }, { L"Execute", USER_EXECUTE, TRUE, FALSE, NULL }, { L"Read general", USER_READ_GENERAL, FALSE, TRUE, NULL }, { L"Read preferences", USER_READ_PREFERENCES, FALSE, TRUE, NULL }, { L"Write preferences", USER_WRITE_PREFERENCES, FALSE, TRUE, NULL }, { L"Read logon", USER_READ_LOGON, FALSE, TRUE, NULL }, { L"Read account", USER_READ_ACCOUNT, FALSE, TRUE, NULL }, { L"Write account", USER_WRITE_ACCOUNT, FALSE, TRUE, NULL }, { L"Change password", USER_CHANGE_PASSWORD, FALSE, TRUE, NULL }, { L"Force password change", USER_FORCE_PASSWORD_CHANGE, FALSE, TRUE, NULL }, { L"List groups", USER_LIST_GROUPS, FALSE, TRUE, NULL }, { L"Read group information", USER_READ_GROUP_INFORMATION, FALSE, TRUE, NULL }, { L"Write group information", USER_WRITE_GROUP_INFORMATION, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(Section) { { L"Full control", SECTION_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", SECTION_QUERY, TRUE, TRUE, NULL }, { L"Map for read", SECTION_MAP_READ, TRUE, TRUE, L"Map read" }, { L"Map for write", SECTION_MAP_WRITE, TRUE, TRUE, L"Map write" }, { L"Map for execute", SECTION_MAP_EXECUTE, TRUE, TRUE, L"Map execute" }, { L"Map for execute (explicit)", SECTION_MAP_EXECUTE_EXPLICIT, TRUE, TRUE, L"Map execute explicit" }, { L"Extend size", SECTION_EXTEND_SIZE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Semaphore) { { L"Full control", SEMAPHORE_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", SEMAPHORE_QUERY_STATE, TRUE, TRUE, NULL }, { L"Modify", SEMAPHORE_MODIFY_STATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Service) { { L"Full control", SERVICE_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query status", SERVICE_QUERY_STATUS, TRUE, TRUE, NULL }, { L"Query configuration", SERVICE_QUERY_CONFIG, TRUE, TRUE, NULL }, { L"Modify configuration", SERVICE_CHANGE_CONFIG, TRUE, TRUE, NULL }, { L"Enumerate dependents", SERVICE_ENUMERATE_DEPENDENTS, TRUE, TRUE, NULL }, { L"Start", SERVICE_START, TRUE, TRUE, NULL }, { L"Stop", SERVICE_STOP, TRUE, TRUE, NULL }, { L"Pause / continue", SERVICE_PAUSE_CONTINUE, TRUE, TRUE, L"Pause/continue" }, { L"Interrogate", SERVICE_INTERROGATE, TRUE, TRUE, NULL }, { L"User-defined control", SERVICE_USER_DEFINED_CONTROL, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(SCManager) { { L"Full control", SC_MANAGER_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Create service", SC_MANAGER_CREATE_SERVICE, TRUE, TRUE, NULL }, { L"Connect", SC_MANAGER_CONNECT, TRUE, TRUE, NULL }, { L"Enumerate services", SC_MANAGER_ENUMERATE_SERVICE, TRUE, TRUE, NULL }, { L"Lock", SC_MANAGER_LOCK, TRUE, TRUE, NULL }, { L"Modify boot config", SC_MANAGER_MODIFY_BOOT_CONFIG, TRUE, TRUE, NULL }, { L"Query lock status", SC_MANAGER_QUERY_LOCK_STATUS, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Session) { { L"Full control", SESSION_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", SESSION_QUERY_ACCESS, TRUE, TRUE, NULL }, { L"Modify", SESSION_MODIFY_ACCESS, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(SymbolicLink) { { L"Full control", SYMBOLIC_LINK_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Full control (extended)", SYMBOLIC_LINK_ALL_ACCESS_EX, TRUE, TRUE, NULL }, { L"Query", SYMBOLIC_LINK_QUERY, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Thread) { { L"Full control", STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff, TRUE, TRUE, NULL }, { L"Query information", THREAD_QUERY_INFORMATION, TRUE, TRUE, NULL }, { L"Set information", THREAD_SET_INFORMATION, TRUE, TRUE, NULL }, { L"Get context", THREAD_GET_CONTEXT, TRUE, TRUE, NULL }, { L"Set context", THREAD_SET_CONTEXT, TRUE, TRUE, NULL }, { L"Set token", THREAD_SET_THREAD_TOKEN, TRUE, TRUE, NULL }, { L"Alert", THREAD_ALERT, TRUE, TRUE, NULL }, { L"Impersonate", THREAD_IMPERSONATE, TRUE, TRUE, NULL }, { L"Direct impersonate", THREAD_DIRECT_IMPERSONATION, TRUE, TRUE, NULL }, { L"Suspend / resume", THREAD_SUSPEND_RESUME, TRUE, TRUE, L"Suspend/resume" }, { L"Terminate", THREAD_TERMINATE, TRUE, TRUE, NULL }, }; ACCESS_ENTRIES(Thread60) { { L"Full control", STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | SPECIFIC_RIGHTS_ALL, TRUE, TRUE, NULL }, // THREAD_ALL_ACCESS { L"Query limited information", THREAD_QUERY_LIMITED_INFORMATION, TRUE, TRUE, NULL }, { L"Query information", THREAD_QUERY_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION, TRUE, TRUE, NULL }, { L"Set limited information", THREAD_SET_LIMITED_INFORMATION, TRUE, TRUE, NULL }, { L"Set information", THREAD_SET_INFORMATION | THREAD_SET_LIMITED_INFORMATION, TRUE, TRUE, NULL }, { L"Get context", THREAD_GET_CONTEXT, TRUE, TRUE, NULL }, { L"Set context", THREAD_SET_CONTEXT, TRUE, TRUE, NULL }, { L"Set token", THREAD_SET_THREAD_TOKEN, TRUE, TRUE, NULL }, { L"Alert", THREAD_ALERT, TRUE, TRUE, NULL }, { L"Impersonate", THREAD_IMPERSONATE, TRUE, TRUE, NULL }, { L"Direct impersonate", THREAD_DIRECT_IMPERSONATION, TRUE, TRUE, NULL }, { L"Suspend / resume", THREAD_SUSPEND_RESUME, TRUE, TRUE, L"Suspend/resume" }, { L"Terminate", THREAD_TERMINATE, TRUE, TRUE, NULL }, }; ACCESS_ENTRIES(Timer) { { L"Full control", TIMER_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query", TIMER_QUERY_STATE, TRUE, TRUE, NULL }, { L"Modify", TIMER_MODIFY_STATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(TmEn) { { L"Full control", ENLISTMENT_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", ENLISTMENT_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", ENLISTMENT_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Execute", ENLISTMENT_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Query information", ENLISTMENT_QUERY_INFORMATION, FALSE, TRUE, NULL }, { L"Set information", ENLISTMENT_SET_INFORMATION, FALSE, TRUE, NULL }, { L"Recover", ENLISTMENT_RECOVER, FALSE, TRUE, NULL }, { L"Subordinate rights", ENLISTMENT_SUBORDINATE_RIGHTS, FALSE, TRUE, NULL }, { L"Superior rights", ENLISTMENT_SUPERIOR_RIGHTS, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(TmRm) { { L"Full control", RESOURCEMANAGER_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", RESOURCEMANAGER_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", RESOURCEMANAGER_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Execute", RESOURCEMANAGER_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Query information", RESOURCEMANAGER_QUERY_INFORMATION, FALSE, TRUE, NULL }, { L"Set information", RESOURCEMANAGER_SET_INFORMATION, FALSE, TRUE, NULL }, { L"Get notifications", RESOURCEMANAGER_GET_NOTIFICATION, FALSE, TRUE, NULL }, { L"Enlist", RESOURCEMANAGER_ENLIST, FALSE, TRUE, NULL }, { L"Recover", RESOURCEMANAGER_RECOVER, FALSE, TRUE, NULL }, { L"Register protocols", RESOURCEMANAGER_REGISTER_PROTOCOL, FALSE, TRUE, NULL }, { L"Complete propagation", RESOURCEMANAGER_COMPLETE_PROPAGATION, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(TmTm) { { L"Full control", TRANSACTIONMANAGER_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", TRANSACTIONMANAGER_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", TRANSACTIONMANAGER_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Execute", TRANSACTIONMANAGER_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Query information", TRANSACTIONMANAGER_QUERY_INFORMATION, FALSE, TRUE, NULL }, { L"Set information", TRANSACTIONMANAGER_SET_INFORMATION, FALSE, TRUE, NULL }, { L"Recover", TRANSACTIONMANAGER_RECOVER, FALSE, TRUE, NULL }, { L"Rename", TRANSACTIONMANAGER_RENAME, FALSE, TRUE, NULL }, { L"Create resource manager", TRANSACTIONMANAGER_CREATE_RM, FALSE, TRUE, NULL }, { L"Bind transactions", TRANSACTIONMANAGER_BIND_TRANSACTION, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(TmTx) { { L"Full control", TRANSACTION_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", TRANSACTION_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", TRANSACTION_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Execute", TRANSACTION_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Query information", TRANSACTION_QUERY_INFORMATION, FALSE, TRUE, NULL }, { L"Set information", TRANSACTION_SET_INFORMATION, FALSE, TRUE, NULL }, { L"Enlist", TRANSACTION_ENLIST, FALSE, TRUE, NULL }, { L"Commit", TRANSACTION_COMMIT, FALSE, TRUE, NULL }, { L"Rollback", TRANSACTION_ROLLBACK, FALSE, TRUE, NULL }, { L"Propagate", TRANSACTION_PROPAGATE, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(Token) { { L"Full control", TOKEN_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", TOKEN_READ, FALSE, FALSE, NULL }, { L"Write", TOKEN_WRITE, FALSE, FALSE, NULL }, { L"Execute", TOKEN_EXECUTE, FALSE, FALSE, NULL }, { L"Adjust privileges", TOKEN_ADJUST_PRIVILEGES, TRUE, TRUE, NULL }, { L"Adjust groups", TOKEN_ADJUST_GROUPS, TRUE, TRUE, NULL }, { L"Adjust defaults", TOKEN_ADJUST_DEFAULT, TRUE, TRUE, NULL }, { L"Adjust session ID", TOKEN_ADJUST_SESSIONID, TRUE, TRUE, NULL }, { L"Assign as primary token", TOKEN_ASSIGN_PRIMARY, TRUE, TRUE, L"Assign primary" }, { L"Duplicate", TOKEN_DUPLICATE, TRUE, TRUE, NULL }, { L"Impersonate", TOKEN_IMPERSONATE, TRUE, TRUE, NULL }, { L"Query", TOKEN_QUERY, TRUE, TRUE, NULL }, { L"Query source", TOKEN_QUERY_SOURCE, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(TokenDefault) { { L"Full control", GENERIC_ALL, TRUE, TRUE, NULL }, { L"Read", GENERIC_READ, TRUE, TRUE, NULL }, { L"Write", GENERIC_WRITE, TRUE, TRUE, NULL }, { L"Execute", GENERIC_EXECUTE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(TpWorkerFactory) { { L"Full control", WORKER_FACTORY_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Release worker", WORKER_FACTORY_RELEASE_WORKER, FALSE, TRUE, NULL }, { L"Ready worker", WORKER_FACTORY_READY_WORKER, FALSE, TRUE, NULL }, { L"Wait", WORKER_FACTORY_WAIT, FALSE, TRUE, NULL }, { L"Set information", WORKER_FACTORY_SET_INFORMATION, FALSE, TRUE, NULL }, { L"Query information", WORKER_FACTORY_QUERY_INFORMATION, FALSE, TRUE, NULL }, { L"Shutdown", WORKER_FACTORY_SHUTDOWN, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(Type) { { L"Full control", OBJECT_TYPE_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Create", OBJECT_TYPE_CREATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(WaitCompletionPacket) { { L"Full control", OBJECT_TYPE_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Modify state", OBJECT_TYPE_CREATE, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(Wbem) { { L"Enable account", WBEM_ENABLE, TRUE, TRUE, NULL }, { L"Execute methods", WBEM_METHOD_EXECUTE, TRUE, TRUE, NULL }, { L"Full write", WBEM_FULL_WRITE_REP, TRUE, TRUE, NULL }, { L"Partial write", WBEM_PARTIAL_WRITE_REP, TRUE, TRUE, NULL }, { L"Provider write", WBEM_WRITE_PROVIDER, TRUE, TRUE, NULL }, { L"Remote enable", WBEM_REMOTE_ACCESS, TRUE, TRUE, NULL }, { L"Get notifications", WBEM_RIGHT_SUBSCRIBE, TRUE, TRUE, NULL }, { L"Read description", WBEM_RIGHT_PUBLISH, TRUE, TRUE, NULL } }; ACCESS_ENTRIES(WindowStation) { { L"Full control", WINSTA_ALL_ACCESS | STANDARD_RIGHTS_REQUIRED, TRUE, TRUE, NULL }, { L"Read", WINSTA_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", WINSTA_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Execute", WINSTA_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Enumerate", WINSTA_ENUMERATE, FALSE, TRUE, NULL }, { L"Enumerate desktops", WINSTA_ENUMDESKTOPS, FALSE, TRUE, NULL }, { L"Read attributes", WINSTA_READATTRIBUTES, FALSE, TRUE, NULL }, { L"Read screen", WINSTA_READSCREEN, FALSE, TRUE, NULL }, { L"Access clipboard", WINSTA_ACCESSCLIPBOARD, FALSE, TRUE, NULL }, { L"Access global atoms", WINSTA_ACCESSGLOBALATOMS, FALSE, TRUE, NULL }, { L"Create desktop", WINSTA_CREATEDESKTOP, FALSE, TRUE, NULL }, { L"Write attributes", WINSTA_WRITEATTRIBUTES, FALSE, TRUE, NULL }, { L"Exit windows", WINSTA_EXITWINDOWS, FALSE, TRUE, NULL } }; ACCESS_ENTRIES(WmiGuid) { { L"Full control", WMIGUID_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Read", WMIGUID_GENERIC_READ, TRUE, FALSE, NULL }, { L"Write", WMIGUID_GENERIC_WRITE, TRUE, FALSE, NULL }, { L"Execute", WMIGUID_GENERIC_EXECUTE, TRUE, FALSE, NULL }, { L"Query information", WMIGUID_QUERY, FALSE, TRUE, NULL }, { L"Set information", WMIGUID_SET, FALSE, TRUE, NULL }, { L"Get notifications", WMIGUID_NOTIFICATION, FALSE, TRUE, NULL }, { L"Read description", WMIGUID_READ_DESCRIPTION, FALSE, TRUE, NULL }, { L"Execute", WMIGUID_EXECUTE, FALSE, TRUE, NULL }, { L"Create real-time logs", TRACELOG_CREATE_REALTIME, FALSE, TRUE, L"Create real-time" }, { L"Create on disk logs", TRACELOG_CREATE_ONDISK, FALSE, TRUE, L"Create on disk" }, { L"Enable provider GUIDs", TRACELOG_GUID_ENABLE, FALSE, TRUE, L"Enable GUIDs" }, { L"Access kernel logger", TRACELOG_ACCESS_KERNEL_LOGGER, FALSE, TRUE, NULL }, { L"Log events", TRACELOG_LOG_EVENT, FALSE, TRUE, NULL }, { L"Access real-time events", TRACELOG_ACCESS_REALTIME, FALSE, TRUE, L"Access real-time" }, { L"Register provider GUIDs", TRACELOG_REGISTER_GUIDS, FALSE, TRUE, L"Register GUIDs" } }; ACCESS_ENTRIES(Rdp) { { L"Full control", WTS_SECURITY_ALL_ACCESS, TRUE, TRUE, NULL }, { L"Query information", WTS_SECURITY_QUERY_INFORMATION, TRUE, TRUE, NULL }, { L"Set information", WTS_SECURITY_SET_INFORMATION, TRUE, TRUE, NULL }, { L"Reset", WTS_SECURITY_RESET, FALSE, TRUE, NULL }, { L"Virtual channels", WTS_SECURITY_VIRTUAL_CHANNELS, FALSE, TRUE, NULL }, { L"Remote control", WTS_SECURITY_REMOTE_CONTROL, FALSE, TRUE, NULL }, { L"Logon", WTS_SECURITY_LOGON, FALSE, TRUE, NULL }, { L"Logoff", WTS_SECURITY_LOGOFF, FALSE, TRUE, NULL }, { L"Message", WTS_SECURITY_MESSAGE, FALSE, TRUE, NULL }, { L"Connect", WTS_SECURITY_CONNECT, FALSE, TRUE, NULL }, { L"Disconnect", WTS_SECURITY_DISCONNECT, FALSE, TRUE, NULL }, { L"Guest access", WTS_SECURITY_GUEST_ACCESS, FALSE, TRUE, NULL }, { L"Guest access (current)", WTS_SECURITY_CURRENT_GUEST_ACCESS, FALSE, TRUE, NULL }, { L"User access", WTS_SECURITY_USER_ACCESS, FALSE, TRUE, NULL }, { L"User access (current)", WTS_SECURITY_SET_INFORMATION | WTS_SECURITY_RESET | WTS_SECURITY_VIRTUAL_CHANNELS | WTS_SECURITY_LOGOFF | WTS_SECURITY_DISCONNECT, FALSE, TRUE, NULL }, // WTS_SECURITY_CURRENT_USER_ACCESS }; ACCESS_ENTRIES(ComAccess) { { L"Full control", COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE_REMOTE, TRUE, TRUE, NULL }, { L"Execute", COM_RIGHTS_EXECUTE, TRUE, TRUE, NULL }, { L"Execute local", COM_RIGHTS_EXECUTE_LOCAL, TRUE, TRUE, NULL }, { L"Execute remote", COM_RIGHTS_EXECUTE_REMOTE, TRUE, TRUE, NULL }, }; ACCESS_ENTRIES(ComLaunch) { { L"Full control", COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE_REMOTE | COM_RIGHTS_ACTIVATE_LOCAL | COM_RIGHTS_ACTIVATE_REMOTE, TRUE, TRUE, NULL }, { L"Execute", COM_RIGHTS_EXECUTE, TRUE, TRUE, NULL }, { L"Execute local", COM_RIGHTS_EXECUTE_LOCAL, TRUE, TRUE, NULL }, { L"Execute remote", COM_RIGHTS_EXECUTE_REMOTE, TRUE, TRUE, NULL }, { L"Activate local", COM_RIGHTS_ACTIVATE_LOCAL, TRUE, TRUE, NULL }, { L"Activate remote", COM_RIGHTS_ACTIVATE_REMOTE, TRUE, TRUE, NULL }, }; static const PH_SPECIFIC_TYPE PhSpecificTypes[] = { ACCESS_ENTRY(AlpcPort, TRUE), ACCESS_ENTRY(DebugObject, TRUE), ACCESS_ENTRY(Desktop, FALSE), ACCESS_ENTRY(Directory, FALSE), ACCESS_ENTRY(EtwConsumer, FALSE), ACCESS_ENTRY(EtwRegistration, FALSE), ACCESS_ENTRY(Event, TRUE), ACCESS_ENTRY(EventPair, TRUE), ACCESS_ENTRY(File, TRUE), ACCESS_ENTRY(FilterConnectionPort, FALSE), ACCESS_ENTRY(IoCompletion, TRUE), ACCESS_ENTRY(Job, TRUE), ACCESS_ENTRY(Key, FALSE), ACCESS_ENTRY(KeyedEvent, FALSE), ACCESS_ENTRY(LsaAccount, FALSE), ACCESS_ENTRY(LsaPolicy, FALSE), ACCESS_ENTRY(LsaSecret, FALSE), ACCESS_ENTRY(LsaTrusted, FALSE), ACCESS_ENTRY(Mutant, TRUE), ACCESS_ENTRY(Partition, TRUE), ACCESS_ENTRY(Process, TRUE), ACCESS_ENTRY(Process60, TRUE), ACCESS_ENTRY(Profile, FALSE), ACCESS_ENTRY(SamAlias, FALSE), ACCESS_ENTRY(SamDomain, FALSE), ACCESS_ENTRY(SamGroup, FALSE), ACCESS_ENTRY(SamServer, FALSE), ACCESS_ENTRY(SamUser, FALSE), ACCESS_ENTRY(Section, FALSE), ACCESS_ENTRY(Semaphore, TRUE), ACCESS_ENTRY(Service, FALSE), ACCESS_ENTRY(SCManager, FALSE), ACCESS_ENTRY(Session, FALSE), ACCESS_ENTRY(SymbolicLink, FALSE), ACCESS_ENTRY(Thread, TRUE), ACCESS_ENTRY(Thread60, TRUE), ACCESS_ENTRY(Timer, TRUE), ACCESS_ENTRY(TmEn, FALSE), ACCESS_ENTRY(TmRm, FALSE), ACCESS_ENTRY(TmTm, FALSE), ACCESS_ENTRY(TmTx, FALSE), ACCESS_ENTRY(Token, FALSE), ACCESS_ENTRY(TokenDefault, FALSE), ACCESS_ENTRY(TpWorkerFactory, FALSE), ACCESS_ENTRY(Type, FALSE), ACCESS_ENTRY(WaitCompletionPacket, FALSE), ACCESS_ENTRY(Wbem, FALSE), ACCESS_ENTRY(WindowStation, FALSE), ACCESS_ENTRY(WmiGuid, TRUE), ACCESS_ENTRY(Rdp, FALSE), ACCESS_ENTRY(ComAccess, FALSE), ACCESS_ENTRY(ComLaunch, FALSE), }; /** * Gets access entries for an object type. * * \param Type The name of the object type. * \param AccessEntries A variable which receives an array of access entry structures. You must free * the buffer with PhFree() when you no longer need it. * \param NumberOfAccessEntries A variable which receives the number of access entry structures * returned in * \a AccessEntries. */ BOOLEAN PhGetAccessEntries( _In_ PCWSTR Type, _Out_ PPH_ACCESS_ENTRY *AccessEntries, _Out_ PULONG NumberOfAccessEntries ) { ULONG i; PPH_SPECIFIC_TYPE specificType = NULL; PPH_ACCESS_ENTRY accessEntries; if (PhEqualStringZ(Type, L"ALPC Port", TRUE)) { Type = L"AlpcPort"; } else if (PhEqualStringZ(Type, L"Port", TRUE)) { Type = L"AlpcPort"; } else if (PhEqualStringZ(Type, L"WaitablePort", TRUE)) { Type = L"AlpcPort"; } else if (PhEqualStringZ(Type, L"Process", TRUE)) { Type = L"Process60"; } else if (PhEqualStringZ(Type, L"Thread", TRUE)) { Type = L"Thread60"; } else if (PhEqualStringZ(Type, L"FileObject", TRUE)) { Type = L"File"; } else if (PhEqualStringZ(Type, L"Device", TRUE)) { Type = L"File"; } else if (PhEqualStringZ(Type, L"Driver", TRUE)) { Type = L"File"; } else if (PhEqualStringZ(Type, L"PowerDefault", TRUE)) { Type = L"Key"; } else if (PhEqualStringZ(Type, L"RdpDefault", TRUE)) { Type = L"Rdp"; } else if (PhEqualStringZ(Type, L"WmiDefault", TRUE)) { // WBEM doesn't allow StandardAccessEntries (dmex) for (i = 0; i < RTL_NUMBER_OF(PhSpecificTypes); i++) { if (PhEqualStringZ(PhSpecificTypes[i].Type, L"Wbem", TRUE)) { specificType = (PPH_SPECIFIC_TYPE)&PhSpecificTypes[i]; break; } } if (specificType) { accessEntries = PhAllocate(specificType->SizeOfAccessEntries); memcpy(accessEntries, specificType->AccessEntries, specificType->SizeOfAccessEntries); *AccessEntries = accessEntries; *NumberOfAccessEntries = specificType->SizeOfAccessEntries / sizeof(PH_ACCESS_ENTRY); return TRUE; } } // Find the specific type. for (i = 0; i < sizeof(PhSpecificTypes) / sizeof(PH_SPECIFIC_TYPE); i++) { if (PhEqualStringZ(PhSpecificTypes[i].Type, Type, TRUE)) { specificType = (PPH_SPECIFIC_TYPE)&PhSpecificTypes[i]; break; } } if (specificType) { ULONG sizeOfEntries; // Copy the specific access entries and append the standard access entries. if (specificType->HasSynchronize) sizeOfEntries = specificType->SizeOfAccessEntries + sizeof(PhStandardAccessEntries); else sizeOfEntries = specificType->SizeOfAccessEntries + sizeof(PhStandardAccessEntries) - sizeof(PH_ACCESS_ENTRY); accessEntries = PhAllocate(sizeOfEntries); memcpy(accessEntries, specificType->AccessEntries, specificType->SizeOfAccessEntries); if (specificType->HasSynchronize) { memcpy( PTR_ADD_OFFSET(accessEntries, specificType->SizeOfAccessEntries), PhStandardAccessEntries, sizeof(PhStandardAccessEntries) ); } else { memcpy( PTR_ADD_OFFSET(accessEntries, specificType->SizeOfAccessEntries), &PhStandardAccessEntries[1], sizeof(PhStandardAccessEntries) - sizeof(PH_ACCESS_ENTRY) ); } *AccessEntries = accessEntries; *NumberOfAccessEntries = sizeOfEntries / sizeof(PH_ACCESS_ENTRY); } else { *AccessEntries = PhAllocateCopy((PVOID)PhStandardAccessEntries, sizeof(PhStandardAccessEntries)); *NumberOfAccessEntries = sizeof(PhStandardAccessEntries) / sizeof(PH_ACCESS_ENTRY); } return TRUE; } static int __cdecl PhpAccessEntryCompare( _In_ const void *elem1, _In_ const void *elem2 ) { const PH_ACCESS_ENTRY* entry1 = (const PH_ACCESS_ENTRY*)elem1; const PH_ACCESS_ENTRY* entry2 = (const PH_ACCESS_ENTRY*)elem2; return uintcmp(PhCountBits(entry2->Access), PhCountBits(entry1->Access)); } /** * Creates a string representation of an access mask. * * \param Access The access mask. * \param AccessEntries An array of access entry structures. You can call PhGetAccessEntries() to * retrieve the access entry structures for a standard object type. * \param NumberOfAccessEntries The number of elements in \a AccessEntries. * * \return The string representation of \a Access. */ PPH_STRING PhGetAccessString( _In_ ACCESS_MASK Access, _In_ PPH_ACCESS_ENTRY AccessEntries, _In_ ULONG NumberOfAccessEntries ) { PH_STRING_BUILDER stringBuilder; PPH_ACCESS_ENTRY accessEntries; PBOOLEAN matched; ULONG i; ULONG j; PhInitializeStringBuilder(&stringBuilder, 32); // Sort the access entries according to how many access rights they include. accessEntries = PhAllocateCopy(AccessEntries, NumberOfAccessEntries * sizeof(PH_ACCESS_ENTRY)); qsort(accessEntries, NumberOfAccessEntries, sizeof(PH_ACCESS_ENTRY), PhpAccessEntryCompare); matched = PhAllocate(NumberOfAccessEntries * sizeof(BOOLEAN)); memset(matched, 0, NumberOfAccessEntries * sizeof(BOOLEAN)); for (i = 0; i < NumberOfAccessEntries; i++) { // We make sure we haven't matched this access entry yet. This ensures that we won't get // duplicates, e.g. FILE_GENERIC_READ includes FILE_READ_DATA, and we don't want to display // both to the user. if ( !matched[i] && ((Access & accessEntries[i].Access) == accessEntries[i].Access) ) { if (accessEntries[i].ShortName) PhAppendStringBuilder2(&stringBuilder, accessEntries[i].ShortName); else PhAppendStringBuilder2(&stringBuilder, accessEntries[i].Name); PhAppendStringBuilder2(&stringBuilder, L", "); // Disable equal or more specific entries. for (j = i; j < NumberOfAccessEntries; j++) { if ((accessEntries[i].Access | accessEntries[j].Access) == accessEntries[i].Access) matched[j] = TRUE; } } } // Remove the trailing ", ". if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); PhFree(matched); PhFree(accessEntries); return PhFinalStringBuilderString(&stringBuilder); } ================================================ FILE: phlib/secedit.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include BOOLEAN PhEnableSecurityAdvancedDialog = FALSE; BOOLEAN PhEnableSecurityDialogThread = TRUE; static const ISecurityInformationVtbl PhSecurityInformation_VTable = { PhSecurityInformation_QueryInterface, PhSecurityInformation_AddRef, PhSecurityInformation_Release, PhSecurityInformation_GetObjectInformation, PhSecurityInformation_GetSecurity, PhSecurityInformation_SetSecurity, PhSecurityInformation_GetAccessRights, PhSecurityInformation_MapGeneric, PhSecurityInformation_GetInheritTypes, PhSecurityInformation_PropertySheetPageCallback }; static const ISecurityInformation2Vtbl PhSecurityInformation_VTable2 = { PhSecurityInformation2_QueryInterface, PhSecurityInformation2_AddRef, PhSecurityInformation2_Release, PhSecurityInformation2_IsDaclCanonical, PhSecurityInformation2_LookupSids }; static const ISecurityInformation3Vtbl PhSecurityInformation_VTable3 = { PhSecurityInformation3_QueryInterface, PhSecurityInformation3_AddRef, PhSecurityInformation3_Release, PhSecurityInformation3_GetFullResourceName, PhSecurityInformation3_OpenElevatedEditor }; static const IDataObjectVtbl PhDataObject_VTable = { PhSecurityDataObject_QueryInterface, PhSecurityDataObject_AddRef, PhSecurityDataObject_Release, PhSecurityDataObject_GetData, PhSecurityDataObject_GetDataHere, PhSecurityDataObject_QueryGetData, PhSecurityDataObject_GetCanonicalFormatEtc, PhSecurityDataObject_SetData, PhSecurityDataObject_EnumFormatEtc, PhSecurityDataObject_DAdvise, PhSecurityDataObject_DUnadvise, PhSecurityDataObject_EnumDAdvise }; static const ISecurityObjectTypeInfoExVtbl PhSecurityObjectTypeInfo_VTable3 = { PhSecurityObjectTypeInfo_QueryInterface, PhSecurityObjectTypeInfo_AddRef, PhSecurityObjectTypeInfo_Release, PhSecurityObjectTypeInfo_GetInheritSource }; static const IEffectivePermissionVtbl PhEffectivePermission_VTable = { PhEffectivePermission_QueryInterface, PhEffectivePermission_AddRef, PhEffectivePermission_Release, PhEffectivePermission_GetEffectivePermission }; static VOID PhEditSecurityAdvanced( _In_ PVOID Context ) { PhSecurityInformation* this = (PhSecurityInformation*)Context; if (WindowsVersion > WINDOWS_7 && PhEnableSecurityAdvancedDialog) EditSecurityAdvanced(this->WindowHandle, Context, COMBINE_PAGE_ACTIVATION(SI_PAGE_PERM, SI_SHOW_PERM_ACTIVATED)); else EditSecurity(this->WindowHandle, Context); PhSecurityInformation_Release(Context); } _Function_class_(USER_THREAD_START_ROUTINE) static NTSTATUS PhEditSecurityAdvancedThread( _In_ PVOID Context ) { PhEditSecurityAdvanced(Context); return STATUS_SUCCESS; } /** * Creates a security editor page. * * \param ObjectName The name of the object. * \param ObjectType The type name of the object. * \param OpenObject An optional procedure for opening the object. * \param CloseObject An optional procedure for closing the object. * \param Context A user-defined value to pass to the callback functions. */ PVOID PhCreateSecurityPage( _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ) { ISecurityInformation *info; PVOID page; info = PhSecurityInformation_Create( NULL, ObjectName, ObjectType, OpenObject, CloseObject, NULL, NULL, Context, TRUE ); page = CreateSecurityPage(info); PhSecurityInformation_Release(info); return page; } /** * Displays a security editor dialog. * * \param WindowHandle The parent window of the dialog. * \param ObjectName The name of the object. * \param ObjectType The type of object. * \param OpenObject An optional procedure for opening the object. * \param CloseObject An optional procedure for closing the object. * \param Context A user-defined value to pass to the callback functions. */ VOID PhEditSecurity( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_opt_ PPH_OPEN_OBJECT OpenObject, _In_opt_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PVOID Context ) { ISecurityInformation *info; info = PhSecurityInformation_Create( WindowHandle, ObjectName, ObjectType, OpenObject, CloseObject, NULL, NULL, Context, FALSE ); if (PhEnableSecurityDialogThread) PhCreateThread2(PhEditSecurityAdvancedThread, info); else PhEditSecurityAdvanced(info); } /** * Displays a security editor dialog. * * \param WindowHandle The parent window of the dialog. * \param ObjectName The name of the object. * \param ObjectType The type of object. * \param OpenObject An optional procedure for opening the object. * \param CloseObject An optional procedure for closing the object. * \param GetObjectSecurity A callback function executed to retrieve the security descriptor of the object. * \param SetObjectSecurity A callback function executed to modify the security descriptor of the object. * \param Context A user-defined value to pass to the callback functions. */ VOID PhEditSecurityEx( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_opt_ PPH_OPEN_OBJECT OpenObject, _In_opt_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PPH_GET_OBJECT_SECURITY GetObjectSecurity, _In_opt_ PPH_SET_OBJECT_SECURITY SetObjectSecurity, _In_opt_ PVOID Context ) { ISecurityInformation *info; info = PhSecurityInformation_Create( WindowHandle, ObjectName, ObjectType, OpenObject, CloseObject, GetObjectSecurity, SetObjectSecurity, Context, FALSE ); if (PhEnableSecurityDialogThread) PhCreateThread2(PhEditSecurityAdvancedThread, info); else PhEditSecurityAdvanced(info); } ISecurityInformation *PhSecurityInformation_Create( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR ObjectName, _In_ PCWSTR ObjectType, _In_ PPH_OPEN_OBJECT OpenObject, _In_ PPH_CLOSE_OBJECT CloseObject, _In_opt_ PPH_GET_OBJECT_SECURITY GetObjectSecurity, _In_opt_ PPH_SET_OBJECT_SECURITY SetObjectSecurity, _In_opt_ PVOID Context, _In_ BOOLEAN IsPage ) { PhSecurityInformation *info; ULONG i; info = PhAllocateZero(sizeof(PhSecurityInformation)); info->VTable = &PhSecurityInformation_VTable; info->RefCount = 1; info->WindowHandle = WindowHandle; info->ObjectNameString = ObjectName ? PhCreateString(ObjectName) : NULL; info->ObjectTypeString = PhCreateString(ObjectType); info->ObjectType = PhSecurityObjectType(info->ObjectTypeString); info->OpenObject = OpenObject; info->CloseObject = CloseObject; info->GetObjectSecurity = GetObjectSecurity; info->SetObjectSecurity = SetObjectSecurity; info->Context = Context; info->IsPage = IsPage; if (PhGetAccessEntries(ObjectType, &info->AccessEntriesArray, &info->NumberOfAccessEntries)) { info->AccessEntries = PhAllocateZero(sizeof(SI_ACCESS) * info->NumberOfAccessEntries); for (i = 0; i < info->NumberOfAccessEntries; i++) { info->AccessEntries[i].pszName = info->AccessEntriesArray[i].Name; info->AccessEntries[i].mask = info->AccessEntriesArray[i].Access; if (info->AccessEntriesArray[i].General) SetFlag(info->AccessEntries[i].dwFlags, SI_ACCESS_GENERAL); if (info->AccessEntriesArray[i].Specific) SetFlag(info->AccessEntries[i].dwFlags, SI_ACCESS_SPECIFIC); if (info->ObjectType == PH_SE_FILE_OBJECT_TYPE) SetFlag(info->AccessEntries[i].dwFlags, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE); } } if (info->ObjectTypeString) { GENERIC_MAPPING genericMapping; if (NT_SUCCESS(PhGetObjectTypeMask(&info->ObjectTypeString->sr, &genericMapping))) { memcpy(&info->GenericMapping, &genericMapping, sizeof(genericMapping)); info->HaveGenericMapping = TRUE; } } if (PhIsNullOrEmptyString(info->ObjectNameString)) { // Note: The ACUI dialog doesn't allow empty strings for the object name. (dmex) PhMoveReference(&info->ObjectNameString, PhCreateString(L"Unknown")); } return (ISecurityInformation *)info; } HRESULT STDMETHODCALLTYPE PhSecurityInformation_QueryInterface( _In_ ISecurityInformation *This, _In_ REFIID Riid, _Out_ PVOID *Object ) { PhSecurityInformation *this = (PhSecurityInformation *)This; if ( IsEqualIID(Riid, &IID_IUnknown) || IsEqualIID(Riid, &IID_ISecurityInformation) ) { PhSecurityInformation_AddRef(This); *Object = This; return S_OK; } else if (IsEqualGUID(Riid, &IID_ISecurityInformation2)) { if (WindowsVersion >= WINDOWS_8) { PhSecurityInformation2 *info; info = PhAllocateZero(sizeof(PhSecurityInformation2)); info->VTable = &PhSecurityInformation_VTable2; info->Context = this; info->RefCount = 1; *Object = info; return S_OK; } } else if (IsEqualGUID(Riid, &IID_ISecurityInformation3)) { if (WindowsVersion >= WINDOWS_8) { PhSecurityInformation3 *info; info = PhAllocateZero(sizeof(PhSecurityInformation3)); info->VTable = &PhSecurityInformation_VTable3; info->Context = this; info->RefCount = 1; *Object = info; return S_OK; } } else if (IsEqualGUID(Riid, &IID_ISecurityObjectTypeInfo)) { if (WindowsVersion >= WINDOWS_8) { PhSecurityObjectTypeInfo* info; info = PhAllocateZero(sizeof(PhSecurityObjectTypeInfo)); info->VTable = &PhSecurityObjectTypeInfo_VTable3; info->Context = this; info->RefCount = 1; *Object = info; return S_OK; } } else if (IsEqualGUID(Riid, &IID_IEffectivePermission)) { PhEffectivePermission* info; info = PhAllocateZero(sizeof(PhEffectivePermission)); info->VTable = &PhEffectivePermission_VTable; info->Context = this; info->RefCount = 1; *Object = info; return S_OK; } *Object = NULL; return E_NOINTERFACE; } ULONG STDMETHODCALLTYPE PhSecurityInformation_AddRef( _In_ ISecurityInformation *This ) { PhSecurityInformation *this = (PhSecurityInformation *)This; this->RefCount++; return this->RefCount; } ULONG STDMETHODCALLTYPE PhSecurityInformation_Release( _In_ ISecurityInformation *This ) { PhSecurityInformation *this = (PhSecurityInformation *)This; this->RefCount--; if (this->RefCount == 0) { if (this->CloseObject) this->CloseObject(NULL, TRUE, this->Context); if (this->ObjectNameString) PhDereferenceObject(this->ObjectNameString); if (this->ObjectTypeString) PhDereferenceObject(this->ObjectTypeString); if (this->AccessEntries) PhFree(this->AccessEntries); if (this->AccessEntriesArray) PhFree(this->AccessEntriesArray); PhFree(this); return 0; } return this->RefCount; } HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetObjectInformation( _In_ ISecurityInformation *This, _Out_ PSI_OBJECT_INFO ObjectInfo ) { PhSecurityInformation *this = (PhSecurityInformation *)This; memset(ObjectInfo, 0, sizeof(SI_OBJECT_INFO)); ObjectInfo->dwFlags = SI_EDIT_ALL | SI_ADVANCED | SI_EDIT_EFFECTIVE; ObjectInfo->pszObjectName = PhGetString(this->ObjectNameString); if (WindowsVersion >= WINDOWS_8) { SetFlag(ObjectInfo->dwFlags, SI_VIEW_ONLY | SI_EDIT_EFFECTIVE); } switch (this->ObjectType) { case PH_SE_FILE_OBJECT_TYPE: { SetFlag(ObjectInfo->dwFlags, SI_ENABLE_EDIT_ATTRIBUTE_CONDITION | SI_MAY_WRITE); // SI_RESET | SI_READONLY // Check if the string is a filename or directory. if (this->ObjectNameString && PhFindLastCharInString(this->ObjectNameString, 0, OBJ_NAME_PATH_SEPARATOR) == SIZE_MAX) { SetFlag(ObjectInfo->dwFlags, SI_CONTAINER); // directory } } break; case PH_SE_TOKENDEF_OBJECT_TYPE: { ClearFlag(ObjectInfo->dwFlags, SI_EDIT_OWNER | SI_EDIT_AUDITS); } break; case PH_SE_POWERDEF_OBJECT_TYPE: { ClearFlag(ObjectInfo->dwFlags, SI_EDIT_AUDITS); SetFlag(ObjectInfo->dwFlags, SI_NO_ACL_PROTECT | SI_NO_TREE_APPLY | SI_CONTAINER | SI_OWNER_READONLY); } break; case PH_SE_RDPDEF_OBJECT_TYPE: { ClearFlag(ObjectInfo->dwFlags, SI_EDIT_OWNER); SetFlag(ObjectInfo->dwFlags, SI_NO_ACL_PROTECT | SI_NO_TREE_APPLY); } break; case PH_SE_WMIDEF_OBJECT_TYPE: { SetFlag(ObjectInfo->dwFlags, SI_CONTAINER | SI_OWNER_READONLY); } break; } return S_OK; } HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetSecurity( _In_ ISecurityInformation *This, _In_ SECURITY_INFORMATION RequestedInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor, _In_ BOOL Default ) { PhSecurityInformation *this = (PhSecurityInformation *)This; NTSTATUS status; PSECURITY_DESCRIPTOR securityDescriptor; ULONG sdLength; PSECURITY_DESCRIPTOR newSd; //if (Default) //{ // securityDescriptor = PhAllocateZero(SECURITY_DESCRIPTOR_MIN_LENGTH); // // status = RtlCreateSecurityDescriptor( // securityDescriptor, // SECURITY_DESCRIPTOR_REVISION // ); // // if (!NT_SUCCESS(status)) // return HRESULT_FROM_WIN32(PhNtStatusToDosError(status)); // // status = RtlSetDaclSecurityDescriptor(securityDescriptor, TRUE, NULL, FALSE); // // if (!NT_SUCCESS(status)) // return HRESULT_FROM_WIN32(PhNtStatusToDosError(status)); //} //else { if (this->GetObjectSecurity) { PH_STD_OBJECT_SECURITY objectSecurity; objectSecurity.ObjectContext = this; objectSecurity.Context = this->Context; status = this->GetObjectSecurity( &securityDescriptor, RequestedInformation, &objectSecurity ); } else { status = PhStdGetObjectSecurity( &securityDescriptor, RequestedInformation, this ); } if (!NT_SUCCESS(status)) { // Note: The ACUI doesn't support HRESULT_FROM_NT (dmex) return HRESULT_FROM_WIN32(PhNtStatusToDosError(status)); } } sdLength = RtlLengthSecurityDescriptor(securityDescriptor); newSd = LocalAlloc(LPTR, sdLength); memcpy(newSd, securityDescriptor, sdLength); PhFree(securityDescriptor); *SecurityDescriptor = newSd; return S_OK; } HRESULT STDMETHODCALLTYPE PhSecurityInformation_SetSecurity( _In_ ISecurityInformation *This, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { PhSecurityInformation *this = (PhSecurityInformation *)This; NTSTATUS status; if (this->SetObjectSecurity) { PH_STD_OBJECT_SECURITY objectSecurity; objectSecurity.ObjectContext = this; objectSecurity.Context = this->Context; status = this->SetObjectSecurity( SecurityDescriptor, SecurityInformation, &objectSecurity ); } else { status = PhStdSetObjectSecurity( SecurityDescriptor, SecurityInformation, this ); } // Note: The ACUI doesn't support HRESULT_FROM_NT (dmex) return HRESULT_FROM_WIN32(PhNtStatusToDosError(status)); } HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetAccessRights( _In_ ISecurityInformation *This, _In_ PCGUID ObjectType, _In_ ULONG Flags, _Out_ PSI_ACCESS *Access, _Out_ PULONG Accesses, _Out_ PULONG DefaultAccess ) { PhSecurityInformation *this = (PhSecurityInformation *)This; *Access = this->AccessEntries; *Accesses = this->NumberOfAccessEntries; *DefaultAccess = 0; return S_OK; } HRESULT STDMETHODCALLTYPE PhSecurityInformation_MapGeneric( _In_ ISecurityInformation *This, _In_ PCGUID ObjectType, _In_ PUCHAR AceFlags, _Inout_ PACCESS_MASK Mask ) { PhSecurityInformation* this = (PhSecurityInformation*)This; if (this->ObjectType == PH_SE_FILE_OBJECT_TYPE) { static GENERIC_MAPPING genericMappings = { FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS }; PhMapGenericMask(Mask, &genericMappings); } else { if (this->HaveGenericMapping) { PhMapGenericMask(Mask, &this->GenericMapping); } } return S_OK; } HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetInheritTypes( _In_ ISecurityInformation *This, _Out_ PSI_INHERIT_TYPE *InheritTypes, _Out_ PULONG InheritTypesCount ) { PhSecurityInformation* this = (PhSecurityInformation*)This; if (this->ObjectType == PH_SE_WMIDEF_OBJECT_TYPE) { static const SI_INHERIT_TYPE inheritTypes[] = { { NULL, 0, L"This namespace only" }, { NULL, CONTAINER_INHERIT_ACE, L"This namespace and subnamespaces" }, { NULL, INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE, L"Subnamespaces only" }, }; *InheritTypes = (PSI_INHERIT_TYPE)inheritTypes; *InheritTypesCount = RTL_NUMBER_OF(inheritTypes); return S_OK; } else { static const SI_INHERIT_TYPE inheritTypes[] = { { NULL, 0, L"This folder only" }, { NULL, CONTAINER_INHERIT_ACE, L"This folder, subfolders and files" }, { NULL, INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE, L"Subfolders and files only" }, }; *InheritTypes = (PSI_INHERIT_TYPE)inheritTypes; *InheritTypesCount = RTL_NUMBER_OF(inheritTypes); return S_OK; } } HRESULT STDMETHODCALLTYPE PhSecurityInformation_PropertySheetPageCallback( _In_ ISecurityInformation *This, _In_ HWND hwnd, _In_ UINT uMsg, _In_ SI_PAGE_TYPE uPage ) { PhSecurityInformation *this = (PhSecurityInformation *)This; if (uMsg == PSPCB_SI_INITDIALOG) { // Center the security editor window. if (!this->IsPage) PhCenterWindow(GetParent(hwnd), GetParent(GetParent(hwnd))); if (this->IsPage) PhInitializeWindowTheme(hwnd, PhEnableThemeSupport); else PhInitializeWindowTheme(GetParent(hwnd), PhEnableThemeSupport); } return E_NOTIMPL; } // ISecurityInformation2 HRESULT STDMETHODCALLTYPE PhSecurityInformation2_QueryInterface( _In_ ISecurityInformation2 *This, _In_ REFIID Riid, _Out_ PVOID *Object ) { if ( IsEqualIID(Riid, &IID_IUnknown) || IsEqualIID(Riid, &IID_ISecurityInformation2) ) { PhSecurityInformation2_AddRef(This); *Object = This; return S_OK; } *Object = NULL; return E_NOINTERFACE; } ULONG STDMETHODCALLTYPE PhSecurityInformation2_AddRef( _In_ ISecurityInformation2 *This ) { PhSecurityInformation2 *this = (PhSecurityInformation2 *)This; this->RefCount++; return this->RefCount; } ULONG STDMETHODCALLTYPE PhSecurityInformation2_Release( _In_ ISecurityInformation2 *This ) { PhSecurityInformation2 *this = (PhSecurityInformation2 *)This; this->RefCount--; if (this->RefCount == 0) { PhFree(this); return 0; } return this->RefCount; } BOOL STDMETHODCALLTYPE PhSecurityInformation2_IsDaclCanonical( _In_ ISecurityInformation2 *This, _In_ PACL pDacl ) { return TRUE; } HRESULT STDMETHODCALLTYPE PhSecurityInformation2_LookupSids( _In_ ISecurityInformation2 *This, _In_ ULONG cSids, _In_ PSID *rgpSids, _Out_ LPDATAOBJECT *ppdo ) { PhSecurityInformation2 *this = (PhSecurityInformation2 *)This; PhSecurityIDataObject *dataObject; dataObject = PhAllocateZero(sizeof(PhSecurityInformation)); dataObject->VTable = &PhDataObject_VTable; dataObject->Context = this->Context; dataObject->RefCount = 1; dataObject->SidCount = cSids; dataObject->Sids = rgpSids; dataObject->NameCache = PhCreateList(1); *ppdo = (LPDATAOBJECT)dataObject; return S_OK; } // ISecurityInformation3 HRESULT STDMETHODCALLTYPE PhSecurityInformation3_QueryInterface( _In_ ISecurityInformation3 *This, _In_ REFIID Riid, _Out_ PVOID *Object ) { if ( IsEqualIID(Riid, &IID_IUnknown) || IsEqualIID(Riid, &IID_ISecurityInformation3) ) { PhSecurityInformation3_AddRef(This); *Object = This; return S_OK; } *Object = NULL; return E_NOINTERFACE; } ULONG STDMETHODCALLTYPE PhSecurityInformation3_AddRef( _In_ ISecurityInformation3 *This ) { PhSecurityInformation3 *this = (PhSecurityInformation3 *)This; this->RefCount++; return this->RefCount; } ULONG STDMETHODCALLTYPE PhSecurityInformation3_Release( _In_ ISecurityInformation3 *This ) { PhSecurityInformation3 *this = (PhSecurityInformation3 *)This; this->RefCount--; if (this->RefCount == 0) { PhFree(this); return 0; } return this->RefCount; } HRESULT STDMETHODCALLTYPE PhSecurityInformation3_GetFullResourceName( _In_ ISecurityInformation3 *This, _Outptr_ PWSTR *ResourceName ) { PhSecurityInformation3 *this = (PhSecurityInformation3 *)This; *ResourceName = PhGetString(this->Context->ObjectNameString); return S_OK; } HRESULT STDMETHODCALLTYPE PhSecurityInformation3_OpenElevatedEditor( _In_ ISecurityInformation3 *This, _In_ HWND hWnd, _In_ SI_PAGE_TYPE uPage ) { PhSecurityInformation3 *this = (PhSecurityInformation3 *)This; return E_NOTIMPL; } // IDataObject HRESULT STDMETHODCALLTYPE PhSecurityDataObject_QueryInterface( _In_ IDataObject *This, _In_ REFIID Riid, _COM_Outptr_ PVOID *Object ) { if ( IsEqualIID(Riid, &IID_IUnknown) || IsEqualIID(Riid, &IID_IDataObject) ) { PhSecurityDataObject_AddRef(This); *Object = This; return S_OK; } *Object = NULL; return E_NOINTERFACE; } ULONG STDMETHODCALLTYPE PhSecurityDataObject_AddRef( _In_ IDataObject *This ) { PhSecurityIDataObject *this = (PhSecurityIDataObject *)This; this->RefCount++; return this->RefCount; } ULONG STDMETHODCALLTYPE PhSecurityDataObject_Release( _In_ IDataObject *This ) { PhSecurityIDataObject *this = (PhSecurityIDataObject *)This; this->RefCount--; if (this->RefCount == 0) { PhDereferenceObjects(this->NameCache->Items, this->NameCache->Count); PhDereferenceObject(this->NameCache); PhFree(this); return 0; } return this->RefCount; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_GetData( _In_ IDataObject *This, _In_ FORMATETC *Format, _Out_ STGMEDIUM *Medium ) { PhSecurityIDataObject *this = (PhSecurityIDataObject *)This; PSID_INFO_LIST sidInfoList; sidInfoList = (PSID_INFO_LIST)GlobalAlloc(GMEM_ZEROINIT, sizeof(SID_INFO_LIST) + (sizeof(SID_INFO) * this->SidCount)); if (!sidInfoList) { Medium = NULL; return HRESULT_FROM_WIN32(ERROR_OUTOFMEMORY); } sidInfoList->cItems = this->SidCount; for (ULONG i = 0; i < this->SidCount; i++) { SID_INFO sidInfo; PPH_STRING sidString; SID_NAME_USE sidNameUse; memset(&sidInfo, 0, sizeof(SID_INFO)); sidInfo.pSid = this->Sids[i]; if (sidString = PhGetSidFullName(sidInfo.pSid, FALSE, &sidNameUse)) { switch (sidNameUse) { case SidTypeUser: case SidTypeLogonSession: case SidTypeDeletedAccount: sidInfo.pwzClass = L"User"; break; case SidTypeAlias: case SidTypeGroup: case SidTypeWellKnownGroup: sidInfo.pwzClass = L"Group"; break; case SidTypeDomain: case SidTypeComputer: sidInfo.pwzClass = L"Computer"; break; } sidInfo.pwzCommonName = PhGetString(sidString); PhAddItemList(this->NameCache, sidString); } else if (sidString = PhGetAppContainerPackageName(sidInfo.pSid)) { PhMoveReference(&sidString, PhConcatStringRefZ(&sidString->sr, L" (APP_PACKAGE)")); sidInfo.pwzCommonName = PhGetString(sidString); PhAddItemList(this->NameCache, sidString); } else if (sidString = PhGetAppContainerName(sidInfo.pSid)) { PhMoveReference(&sidString, PhConcatStringRefZ(&sidString->sr, L" (APP_CONTAINER)")); sidInfo.pwzCommonName = PhGetString(sidString); PhAddItemList(this->NameCache, sidString); } else if (sidString = PhGetCapabilitySidName(sidInfo.pSid)) { PhMoveReference(&sidString, PhConcatStringRefZ(&sidString->sr, L" (APP_CAPABILITY)")); sidInfo.pwzCommonName = PhGetString(sidString); PhAddItemList(this->NameCache, sidString); } else { if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(sidInfo.pSid), &(SID_IDENTIFIER_AUTHORITY)SECURITY_NT_AUTHORITY)) { ULONG subAuthority = *PhSubAuthoritySid(sidInfo.pSid, 0); switch (subAuthority) { case SECURITY_UMFD_BASE_RID: { PhMoveReference(&sidString, PhCreateString(L"Font Driver Host\\UMFD")); sidInfo.pwzCommonName = PhGetString(sidString); PhAddItemList(this->NameCache, sidString); } break; } } else if (PhEqualIdentifierAuthoritySid(PhIdentifierAuthoritySid(sidInfo.pSid), PhIdentifierAuthoritySid(PhSeCloudActiveDirectorySid()))) { ULONG subAuthority = *PhSubAuthoritySid(sidInfo.pSid, 0); if (subAuthority == 1) { PhMoveReference(&sidString, PhGetAzureDirectoryObjectSid(sidInfo.pSid)); sidInfo.pwzCommonName = PhGetString(sidString); PhAddItemList(this->NameCache, sidString); } } } sidInfoList->aSidInfo[i] = sidInfo; } Medium->tymed = TYMED_HGLOBAL; Medium->hGlobal = (HGLOBAL)sidInfoList; return S_OK; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_GetDataHere( _In_ IDataObject *This, _In_ FORMATETC *pformatetc, _Inout_ STGMEDIUM *pmedium ) { return E_NOTIMPL; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_QueryGetData( _In_ IDataObject *This, _In_opt_ FORMATETC *pformatetc ) { return E_NOTIMPL; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_GetCanonicalFormatEtc( _In_ IDataObject * This, _In_opt_ FORMATETC *pformatectIn, _Out_ FORMATETC *pformatetcOut ) { return E_NOTIMPL; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_SetData( _In_ IDataObject *This, _In_ FORMATETC *pformatetc, _In_ STGMEDIUM *pmedium, _In_ BOOL fRelease ) { return E_NOTIMPL; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_EnumFormatEtc( _In_ IDataObject *This, _In_ ULONG dwDirection, _Out_opt_ IEnumFORMATETC **ppenumFormatEtc ) { return E_NOTIMPL; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_DAdvise( _In_ IDataObject *This, _In_ FORMATETC *pformatetc, _In_ ULONG advf, _In_opt_ IAdviseSink *pAdvSink, _Out_ ULONG *pdwConnection ) { return E_NOTIMPL; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_DUnadvise( _In_ IDataObject *This, _In_ ULONG dwConnection ) { return E_NOTIMPL; } HRESULT STDMETHODCALLTYPE PhSecurityDataObject_EnumDAdvise( _In_ IDataObject *This, _Out_opt_ IEnumSTATDATA **ppenumAdvise ) { return E_NOTIMPL; } // ISecurityObjectTypeInfo HRESULT STDMETHODCALLTYPE PhSecurityObjectTypeInfo_QueryInterface( _In_ ISecurityObjectTypeInfoEx* This, _In_ REFIID Riid, _Out_ PVOID* Object ) { if ( IsEqualIID(Riid, &IID_IUnknown) || IsEqualIID(Riid, &IID_ISecurityObjectTypeInfo) ) { PhSecurityObjectTypeInfo_AddRef(This); *Object = This; return S_OK; } *Object = NULL; return E_NOINTERFACE; } ULONG STDMETHODCALLTYPE PhSecurityObjectTypeInfo_AddRef( _In_ ISecurityObjectTypeInfoEx* This ) { PhSecurityObjectTypeInfo* this = (PhSecurityObjectTypeInfo*)This; this->RefCount++; return this->RefCount; } ULONG STDMETHODCALLTYPE PhSecurityObjectTypeInfo_Release( _In_ ISecurityObjectTypeInfoEx* This ) { PhSecurityObjectTypeInfo* this = (PhSecurityObjectTypeInfo*)This; this->RefCount--; if (this->RefCount == 0) { PhFree(this); return 0; } return this->RefCount; } HRESULT STDMETHODCALLTYPE PhSecurityObjectTypeInfo_GetInheritSource( _In_ ISecurityObjectTypeInfoEx* This, _In_ SECURITY_INFORMATION SecurityInfo, _In_ PACL Acl, _Out_ PINHERITED_FROM* InheritArray ) { static GENERIC_MAPPING genericMappings = { FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS }; PhSecurityObjectTypeInfo* this = (PhSecurityObjectTypeInfo*)This; PINHERITED_FROM result; ULONG status; if (PhIsNullOrEmptyString(this->Context->ObjectNameString)) return HRESULT_FROM_WIN32(ERROR_INVALID_STATE); if (this->Context->ObjectType != PH_SE_FILE_OBJECT_TYPE) return HRESULT_FROM_WIN32(ERROR_INVALID_STATE); if (!(result = (PINHERITED_FROM)LocalAlloc(LPTR, ((ULONGLONG)Acl->AceCount + 1) * sizeof(INHERITED_FROM)))) return HRESULT_FROM_WIN32(ERROR_OUTOFMEMORY); if ((status = GetInheritanceSource( PhGetString(this->Context->ObjectNameString), SE_FILE_OBJECT, SecurityInfo, TRUE, // Container NULL, 0, Acl, NULL, &genericMappings, result )) == ERROR_SUCCESS) { *InheritArray = result; } else { LocalFree(result); } return HRESULT_FROM_WIN32(status); } // IEffectivePermission HRESULT STDMETHODCALLTYPE PhEffectivePermission_QueryInterface( _In_ IEffectivePermission* This, _In_ REFIID Riid, _Out_ PVOID* Object ) { if ( IsEqualIID(Riid, &IID_IUnknown) || IsEqualIID(Riid, &IID_IEffectivePermission) ) { PhEffectivePermission_AddRef(This); *Object = This; return S_OK; } *Object = NULL; return E_NOINTERFACE; } ULONG STDMETHODCALLTYPE PhEffectivePermission_AddRef( _In_ IEffectivePermission* This ) { PhEffectivePermission* this = (PhEffectivePermission*)This; this->RefCount++; return this->RefCount; } ULONG STDMETHODCALLTYPE PhEffectivePermission_Release( _In_ IEffectivePermission* This ) { PhEffectivePermission* this = (PhEffectivePermission*)This; this->RefCount--; if (this->RefCount == 0) { PhFree(this); return 0; } return this->RefCount; } HRESULT STDMETHODCALLTYPE PhEffectivePermission_GetEffectivePermission( _In_ IEffectivePermission* This, _In_ LPCGUID GuidObjectType, _In_ PSID UserSid, _In_ LPCWSTR ServerName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ POBJECT_TYPE_LIST* ObjectTypeList, _Out_ PULONG ObjectTypeListLength, _Out_ PACCESS_MASK* GrantedAccessList, _Out_ PULONG GrantedAccessListLength ) { static OBJECT_TYPE_LIST defaultObjectTypeList[1] = { 0 }; NTSTATUS status; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PACL dacl = NULL; PACCESS_MASK accessRights; TRUSTEE trustee; status = PhGetDaclSecurityDescriptorNotNull( SecurityDescriptor, &present, &defaulted, &dacl ); if (NT_SUCCESS(status)) { if (dacl && (accessRights = (PACCESS_MASK)LocalAlloc(LPTR, sizeof(PACCESS_MASK) + sizeof(ACCESS_MASK)))) { PhBuildTrusteeWithSid(&trustee, UserSid); status = GetEffectiveRightsFromAcl(dacl, &trustee, accessRights); if (status == ERROR_SUCCESS) { *ObjectTypeList = defaultObjectTypeList; *ObjectTypeListLength = 1; *GrantedAccessList = accessRights; *GrantedAccessListLength = 1; return S_OK; } else { LocalFree(accessRights); return HRESULT_FROM_WIN32(status); } } return HRESULT_FROM_WIN32(ERROR_OUTOFMEMORY); } return HRESULT_FROM_WIN32(PhNtStatusToDosError(status)); } NTSTATUS PhpGetObjectSecurityWithTimeout( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ) { NTSTATUS status; ULONG bufferSize; PVOID buffer; bufferSize = 0x100; buffer = PhAllocate(bufferSize); // This is required (especially for File objects) because some drivers don't seem to handle // QuerySecurity properly. (wj32) memset(buffer, 0, bufferSize); status = PhCallNtQuerySecurityObjectWithTimeout( Handle, SecurityInformation, buffer, bufferSize, &bufferSize ); if (status == STATUS_BUFFER_TOO_SMALL) { PhFree(buffer); buffer = PhAllocate(bufferSize); memset(buffer, 0, bufferSize); status = PhCallNtQuerySecurityObjectWithTimeout( Handle, SecurityInformation, buffer, bufferSize, &bufferSize ); } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *SecurityDescriptor = (PSECURITY_DESCRIPTOR)buffer; return status; } /** * Retrieves the security descriptor of an object. * * \param SecurityDescriptor A variable which receives a pointer to the security descriptor of the * object. The security descriptor must be freed using PhFree() when no longer needed. * \param SecurityInformation The security information to retrieve. * \param Context A pointer to a PH_STD_OBJECT_SECURITY structure describing the object. * * \remarks This function may be used for the \a GetObjectSecurity callback in * PhCreateSecurityPage() or PhEditSecurity(). */ NTSTATUS PhStdGetObjectSecurity( _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PVOID Context ) { PhSecurityInformation *this = (PhSecurityInformation *)Context; NTSTATUS status; HANDLE handle; status = this->OpenObject( &handle, PhGetAccessForGetSecurity(SecurityInformation), this->Context ); if (!NT_SUCCESS(status)) return status; switch (this->ObjectType) { case PH_SE_FILE_OBJECT_TYPE: status = PhpGetObjectSecurityWithTimeout(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_SERVICE_OBJECT_TYPE: status = PhGetServiceObjectSecurity(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_LSA_OBJECT_TYPE: status = PhLsaQuerySecurityObject(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_SAM_OBJECT_TYPE: status = PhSamQuerySecurityObject(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_TOKENDEF_OBJECT_TYPE: status = PhGetSeObjectSecurityTokenDefault(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_POWERDEF_OBJECT_TYPE: status = PhGetSeObjectSecurityPowerGuid(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_RDPDEF_OBJECT_TYPE: status = PhpGetRemoteDesktopSecurityDescriptor(SecurityDescriptor); break; case PH_SE_WMIDEF_OBJECT_TYPE: status = PhGetWmiNamespaceSecurityDescriptor(SecurityDescriptor); break; case PH_SE_COMACCESSDEF_OBJECT_TYPE: case PH_SE_COMLAUNCHDEF_OBJECT_TYPE: status = PhGetComSecurityDescriptor((COMSD)handle, SecurityDescriptor); break; case PH_SE_DEFAULT_OBJECT_TYPE: default: status = PhGetObjectSecurity(handle, SecurityInformation, SecurityDescriptor); break; } if (this->CloseObject) { this->CloseObject( handle, FALSE, this->Context ); } return status; } /** * Modifies the security descriptor of an object. * * \param SecurityDescriptor A security descriptor containing security information to set. * \param SecurityInformation The security information to retrieve. * \param Context A pointer to a PH_STD_OBJECT_SECURITY structure describing the object. * * \remarks This function may be used for the \a SetObjectSecurity callback in * PhCreateSecurityPage() or PhEditSecurity(). */ NTSTATUS PhStdSetObjectSecurity( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PVOID Context ) { PhSecurityInformation *this = (PhSecurityInformation *)Context; NTSTATUS status; HANDLE handle; status = this->OpenObject( &handle, PhGetAccessForSetSecurity(SecurityInformation), this->Context ); if (!NT_SUCCESS(status)) return status; switch (this->ObjectType) { case PH_SE_FILE_OBJECT_TYPE: status = PhSetObjectSecurity(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_SERVICE_OBJECT_TYPE: status = PhSetServiceObjectSecurity(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_LSA_OBJECT_TYPE: status = LsaSetSecurityObject(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_SAM_OBJECT_TYPE: status = STATUS_NOT_SUPPORTED; // SamSetSecurityObject(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_TOKENDEF_OBJECT_TYPE: status = PhSetSeObjectSecurityTokenDefault(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_POWERDEF_OBJECT_TYPE: status = PhSetSeObjectSecurityPowerGuid(handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_RDPDEF_OBJECT_TYPE: status = PhpSetRemoteDesktopSecurityDescriptor(SecurityDescriptor); break; case PH_SE_WMIDEF_OBJECT_TYPE: status = PhSetWmiNamespaceSecurityDescriptor(SecurityDescriptor); break; case PH_SE_COMACCESSDEF_OBJECT_TYPE: case PH_SE_COMLAUNCHDEF_OBJECT_TYPE: status = PhSetComSecurityDescriptor((COMSD)handle, SecurityInformation, SecurityDescriptor); break; case PH_SE_DEFAULT_OBJECT_TYPE: default: status = PhSetObjectSecurity(handle, SecurityInformation, SecurityDescriptor); break; } if (this->CloseObject) { this->CloseObject( handle, FALSE, this->Context ); } return status; } NTSTATUS PhGetSeObjectSecurity( _In_ HANDLE Handle, _In_ ULONG ObjectType, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ) { ULONG win32Result; PSECURITY_DESCRIPTOR securityDescriptor; win32Result = GetSecurityInfo( Handle, ObjectType, SecurityInformation, NULL, NULL, NULL, NULL, &securityDescriptor ); if (win32Result != ERROR_SUCCESS) { *SecurityDescriptor = NULL; return PhDosErrorToNtStatus(win32Result); } *SecurityDescriptor = PhAllocateCopy(securityDescriptor, RtlLengthSecurityDescriptor(securityDescriptor)); LocalFree(securityDescriptor); return STATUS_SUCCESS; } NTSTATUS PhSetSeObjectSecurity( _In_ HANDLE Handle, _In_ ULONG ObjectType, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { ULONG win32Result; SECURITY_INFORMATION securityInformation = 0; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PSID owner = NULL; PSID group = NULL; PACL dacl = NULL; PACL sacl = NULL; if (FlagOn(SecurityInformation, OWNER_SECURITY_INFORMATION)) { if (NT_SUCCESS(PhGetOwnerSecurityDescriptor(SecurityDescriptor, &owner, &defaulted))) SetFlag(securityInformation, OWNER_SECURITY_INFORMATION); } if (FlagOn(SecurityInformation, GROUP_SECURITY_INFORMATION)) { if (NT_SUCCESS(PhGetGroupSecurityDescriptor(SecurityDescriptor, &group, &defaulted))) SetFlag(securityInformation, GROUP_SECURITY_INFORMATION); } if (FlagOn(SecurityInformation, DACL_SECURITY_INFORMATION)) { if (NT_SUCCESS(PhGetDaclSecurityDescriptor(SecurityDescriptor, &present, &dacl, &defaulted)) && present) SetFlag(securityInformation, DACL_SECURITY_INFORMATION); } if (FlagOn(SecurityInformation, SACL_SECURITY_INFORMATION)) { if (NT_SUCCESS(PhGetSaclSecurityDescriptor(SecurityDescriptor, &present, &sacl, &defaulted)) && present) SetFlag(securityInformation, SACL_SECURITY_INFORMATION); } if (ObjectType == SE_FILE_OBJECT) // probably works with other types but haven't checked (dmex) { SECURITY_DESCRIPTOR_CONTROL control; ULONG revision; if (NT_SUCCESS(PhGetControlSecurityDescriptor(SecurityDescriptor, &control, &revision))) { if (FlagOn(SecurityInformation, DACL_SECURITY_INFORMATION)) { if (FlagOn(control, SE_DACL_PROTECTED)) SetFlag(securityInformation, PROTECTED_DACL_SECURITY_INFORMATION); else SetFlag(securityInformation, UNPROTECTED_DACL_SECURITY_INFORMATION); } if (FlagOn(SecurityInformation, SACL_SECURITY_INFORMATION)) { if (FlagOn(control, SE_SACL_PROTECTED)) SetFlag(securityInformation, PROTECTED_SACL_SECURITY_INFORMATION); else SetFlag(securityInformation, UNPROTECTED_SACL_SECURITY_INFORMATION); } } } win32Result = SetSecurityInfo( Handle, ObjectType, securityInformation, // SecurityInformation owner, group, dacl, sacl ); if (win32Result != ERROR_SUCCESS) return PhDosErrorToNtStatus(win32Result); return STATUS_SUCCESS; } NTSTATUS PhLsaQuerySecurityObject( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { NTSTATUS status; PSECURITY_DESCRIPTOR securityDescriptor; status = LsaQuerySecurityObject( Handle, SecurityInformation, &securityDescriptor ); if (NT_SUCCESS(status)) { *SecurityDescriptor = PhAllocateCopy( securityDescriptor, RtlLengthSecurityDescriptor(securityDescriptor) ); LsaFreeMemory(securityDescriptor); } return status; } NTSTATUS PhSamQuerySecurityObject( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { //NTSTATUS status; //PSECURITY_DESCRIPTOR securityDescriptor; // //status = SamQuerySecurityObject( // Handle, // SecurityInformation, // &securityDescriptor // ); // //if (NT_SUCCESS(status)) //{ // *SecurityDescriptor = PhAllocateCopy( // securityDescriptor, // RtlLengthSecurityDescriptor(securityDescriptor) // ); // SamFreeMemory(securityDescriptor); //} // //return status; return STATUS_NOT_SUPPORTED; } NTSTATUS PhGetSeObjectSecurityTokenDefault( _In_ HANDLE TokenHandle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ) { NTSTATUS status; PTOKEN_DEFAULT_DACL defaultDacl; status = PhGetTokenDefaultDacl( TokenHandle, &defaultDacl ); if (NT_SUCCESS(status)) { ULONG allocationLength; ULONG allocationLengthRelative = 0; PSECURITY_DESCRIPTOR securityDescriptor; PSECURITY_DESCRIPTOR securityRelative = NULL; allocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH + defaultDacl->DefaultDacl->AclSize; securityDescriptor = PhAllocateZero(allocationLength); status = PhCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhSetDaclSecurityDescriptor(securityDescriptor, TRUE, defaultDacl->DefaultDacl, FALSE); if (!NT_SUCCESS(status)) goto CleanupExit; assert(allocationLength == RtlLengthSecurityDescriptor(securityDescriptor)); status = RtlAbsoluteToSelfRelativeSD(securityDescriptor, NULL, &allocationLengthRelative); if (status != STATUS_BUFFER_TOO_SMALL) goto CleanupExit; securityRelative = PhAllocateZero(allocationLengthRelative); status = RtlAbsoluteToSelfRelativeSD(securityDescriptor, securityRelative, &allocationLengthRelative); if (!NT_SUCCESS(status)) goto CleanupExit; assert(allocationLengthRelative == RtlLengthSecurityDescriptor(securityRelative)); CleanupExit: *SecurityDescriptor = securityRelative; assert(RtlValidSecurityDescriptor(securityDescriptor)); PhFree(securityDescriptor); PhFree(defaultDacl); } return status; } NTSTATUS PhSetSeObjectSecurityTokenDefault( _In_ HANDLE TokenHandle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { NTSTATUS status; BOOLEAN present = FALSE; BOOLEAN defaulted = FALSE; PACL dacl = NULL; status = PhGetDaclSecurityDescriptorNotNull( SecurityDescriptor, &present, &defaulted, &dacl ); if (NT_SUCCESS(status)) { TOKEN_DEFAULT_DACL defaultDacl; defaultDacl.DefaultDacl = dacl; status = NtSetInformationToken( TokenHandle, TokenDefaultDacl, &defaultDacl, sizeof(TOKEN_DEFAULT_DACL) ); } return status; } NTSTATUS PhGetSeObjectSecurityPowerGuid( _In_ HANDLE Object, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { NTSTATUS status; PSECURITY_DESCRIPTOR securityDescriptor; PPH_STRING powerPolicySddl; status = PhpGetPowerPolicySecurityDescriptor(&powerPolicySddl); if (NT_SUCCESS(status)) { if (securityDescriptor = PhGetSecurityDescriptorFromString(PhGetString(powerPolicySddl))) { if (FlagOn(SecurityInformation, OWNER_SECURITY_INFORMATION)) { PhSetOwnerSecurityDescriptor(securityDescriptor, PhSeAdministratorsSid(), TRUE); } if (FlagOn(SecurityInformation, GROUP_SECURITY_INFORMATION)) { PhSetGroupSecurityDescriptor(securityDescriptor, PhSeAdministratorsSid(), TRUE); } *SecurityDescriptor = PhAllocateCopy( securityDescriptor, RtlLengthSecurityDescriptor(securityDescriptor) ); PhFree(securityDescriptor); } else { status = STATUS_INVALID_SECURITY_DESCR; } PhDereferenceObject(powerPolicySddl); } return status; } NTSTATUS PhSetSeObjectSecurityPowerGuid( _In_ HANDLE Object, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { NTSTATUS status; PPH_STRING powerPolicySddl; // kludge the descriptor into the correct SDDL format required by powercfg (dmex) // 1) The owner must always be the built-in domain administrator. // 2) The group must always be NT AUTHORITY\SYSTEM. // 3) Remove the INHERIT_REQ flag (not required but makes the sddl consistent with powercfg). PhSetOwnerSecurityDescriptor(SecurityDescriptor, PhSeAdministratorsSid(), TRUE); PhSetGroupSecurityDescriptor(SecurityDescriptor, (PSID)&PhSeLocalSystemSid, TRUE); PhSetControlSecurityDescriptor(SecurityDescriptor, SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ, SE_DACL_PROTECTED); if (NT_SUCCESS(status = PhGetSecurityDescriptorAsString( SecurityDescriptor, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION, &powerPolicySddl ))) { status = PhpSetPowerPolicySecurityDescriptor(powerPolicySddl); PhDereferenceObject(powerPolicySddl); } return status; } PH_SE_OBJECT_TYPE PhSecurityObjectType( _In_ PPH_STRING ObjectType ) { if (PhEqualString2(ObjectType, L"File", TRUE)) return PH_SE_FILE_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"FileObject", TRUE)) return PH_SE_FILE_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"Service", TRUE)) return PH_SE_SERVICE_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"SCManager", TRUE)) return PH_SE_SERVICE_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"TokenDefault", TRUE)) return PH_SE_TOKENDEF_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"PowerDefault", TRUE)) return PH_SE_POWERDEF_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"RdpDefault", TRUE)) return PH_SE_RDPDEF_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"WmiDefault", TRUE)) return PH_SE_WMIDEF_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"ComAccess", TRUE)) return PH_SE_COMACCESSDEF_OBJECT_TYPE; if (PhEqualString2(ObjectType, L"ComLaunch", TRUE)) return PH_SE_COMLAUNCHDEF_OBJECT_TYPE; if ( PhEqualString2(ObjectType, L"LsaAccount", TRUE) || PhEqualString2(ObjectType, L"LsaPolicy", TRUE) || PhEqualString2(ObjectType, L"LsaSecret", TRUE) || PhEqualString2(ObjectType, L"LsaTrusted", TRUE) ) { return PH_SE_LSA_OBJECT_TYPE; } if ( PhEqualString2(ObjectType, L"SamAlias", TRUE) || PhEqualString2(ObjectType, L"SamDomain", TRUE) || PhEqualString2(ObjectType, L"SamGroup", TRUE) || PhEqualString2(ObjectType, L"SamServer", TRUE) || PhEqualString2(ObjectType, L"SamUser", TRUE) ) { return PH_SE_SAM_OBJECT_TYPE; } return PH_SE_DEFAULT_OBJECT_TYPE; } ================================================ FILE: phlib/secwmi.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2016-2024 * */ #include #include #include #include #include #include #include #include DEFINE_GUID(CLSID_WbemLocator, 0x4590f811, 0x1d3a, 0x11d0, 0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24); DEFINE_GUID(IID_IWbemLocator, 0xdc12a687, 0x737f, 0x11cf, 0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24); typeof(&PowerGetActiveScheme) PowerGetActiveScheme_I = NULL; typeof(&PowerSetActiveScheme) PowerSetActiveScheme_I = NULL; typeof(&PowerRestoreDefaultPowerSchemes) PowerRestoreDefaultPowerSchemes_I = NULL; _PowerReadSecurityDescriptor PowerReadSecurityDescriptor_I = NULL; _PowerWriteSecurityDescriptor PowerWriteSecurityDescriptor_I = NULL; typeof(&WTSGetListenerSecurityW) WTSGetListenerSecurity_I = NULL; typeof(&WTSSetListenerSecurityW) WTSSetListenerSecurity_I = NULL; HRESULT PhGetWbemLocatorClass( _Out_ struct IWbemLocator** WbemLocatorClass ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID imageBaseAddress = NULL; HRESULT status; if (PhBeginInitOnce(&initOnce)) { PPH_STRING systemFileName; if (systemFileName = PhGetSystemDirectoryWin32Z(L"\\wbem\\wbemprox.dll")) { imageBaseAddress = PhLoadLibrary(PhGetString(systemFileName)); PhDereferenceObject(systemFileName); } { typedef void (WINAPI* _SetOaNoCache)(void); _SetOaNoCache SetOaNoCache_I; if (SetOaNoCache_I = PhGetModuleProcAddress(L"oleaut32.dll", "SetOaNoCache")) { SetOaNoCache_I(); } } PhEndInitOnce(&initOnce); } status = PhGetClassObjectDllBase( imageBaseAddress, &CLSID_WbemLocator, &IID_IWbemLocator, WbemLocatorClass ); return status; } PVOID PhpInitializePowerPolicyApi( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID imageBaseAddress = NULL; if (PhBeginInitOnce(&initOnce)) { imageBaseAddress = PhLoadLibrary(L"powrprof.dll"); PhEndInitOnce(&initOnce); } return imageBaseAddress; } PVOID PhpInitializeRemoteDesktopServiceApi( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static PVOID imageBaseAddress = NULL; if (PhBeginInitOnce(&initOnce)) { imageBaseAddress = PhLoadLibrary(L"wtsapi32.dll"); PhEndInitOnce(&initOnce); } return imageBaseAddress; } HRESULT PhCoSetProxyBlanket( _In_ IUnknown* InterfacePtr ) { HRESULT status; IClientSecurity* clientSecurity; status = IUnknown_QueryInterface( InterfacePtr, &IID_IClientSecurity, &clientSecurity ); if (SUCCEEDED(status)) { status = IClientSecurity_SetBlanket( clientSecurity, InterfacePtr, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE ); IClientSecurity_Release(InterfacePtr); } return status; } HRESULT PhGetWbemClassObjectDependency( _Out_ PVOID* WbemClassObjectDependency, _In_ IWbemClassObject* WbemClassObject, _In_ IWbemServices* WbemServices, _In_ PCWSTR Name ) { HRESULT status; IWbemClassObject* dependency; VARIANT variant = { 0 }; status = IWbemClassObject_Get( WbemClassObject, Name, 0, &variant, NULL, NULL ); if (SUCCEEDED(status)) { status = IWbemServices_GetObject( WbemServices, V_BSTR(&variant), WBEM_FLAG_RETURN_WBEM_COMPLETE, NULL, &dependency, NULL ); if (SUCCEEDED(status)) { *WbemClassObjectDependency = dependency; } SysFreeString(V_BSTR(&variant)); } return status; } PPH_STRING PhGetWbemClassObjectString( _In_ PVOID WbemClassObject, _In_ PCWSTR Name ) { PPH_STRING string = NULL; VARIANT variant = { 0 }; if (SUCCEEDED(IWbemClassObject_Get((IWbemClassObject*)WbemClassObject, Name, 0, &variant, NULL, 0))) { if (V_BSTR(&variant)) // Can be null (dmex) { string = PhCreateString(V_BSTR(&variant)); } VariantClear(&variant); } return string; } ULONG64 PhGetWbemClassObjectUlong64( _In_ PVOID WbemClassObject, _In_ PCWSTR Name ) { VARIANT variant; RtlZeroMemory(&variant, sizeof(VARIANT)); if (SUCCEEDED(IWbemClassObject_Get((IWbemClassObject*)WbemClassObject, Name, 0, &variant, NULL, 0))) { return V_UI8(&variant); } return ULONG64_MAX; } PVOID PhGetWbemClassObjectUlongPtr( _In_ PVOID WbemClassObject, _In_ PCWSTR Name ) { VARIANT variant; RtlZeroMemory(&variant, sizeof(VARIANT)); if (SUCCEEDED(IWbemClassObject_Get((IWbemClassObject*)WbemClassObject, Name, 0, &variant, NULL, 0))) { return (PVOID)V_UINT_PTR(&variant); } return NULL; } // Power policy security descriptors NTSTATUS PhpGetPowerPolicySecurityDescriptor( _Out_ PPH_STRING* StringSecurityDescriptor ) { ULONG status; PWSTR stringSecurityDescriptor; PGUID policyGuid; if (!(PowerGetActiveScheme_I && PowerReadSecurityDescriptor_I)) { PVOID imageBaseAddress; if (imageBaseAddress = PhpInitializePowerPolicyApi()) { PowerGetActiveScheme_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "PowerGetActiveScheme", 0); PowerReadSecurityDescriptor_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "PowerReadSecurityDescriptor", 0); } else { return STATUS_DLL_NOT_FOUND; } } if (!(PowerGetActiveScheme_I && PowerReadSecurityDescriptor_I)) return STATUS_PROCEDURE_NOT_FOUND; // We can use GUIDs for schemes, policies or other values but we only query the default scheme. (dmex) status = PowerGetActiveScheme_I( NULL, &policyGuid ); if (status != ERROR_SUCCESS) return PhDosErrorToNtStatus(status); // PowerReadSecurityDescriptor/PowerWriteSecurityDescriptor both use the same SDDL // format as registry keys and are RPC wrappers for this registry key: // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\SecurityDescriptors status = PowerReadSecurityDescriptor_I( ACCESS_DEFAULT_SECURITY_DESCRIPTOR, // ACCESS_ACTIVE_SCHEME? policyGuid, &stringSecurityDescriptor ); if (status == ERROR_SUCCESS) { if (StringSecurityDescriptor) { *StringSecurityDescriptor = PhCreateString(stringSecurityDescriptor); } LocalFree(stringSecurityDescriptor); } LocalFree(policyGuid); return PhDosErrorToNtStatus(status); } NTSTATUS PhpSetPowerPolicySecurityDescriptor( _In_ PPH_STRING StringSecurityDescriptor ) { ULONG status; PGUID policyGuid; if (!(PowerGetActiveScheme_I && PowerWriteSecurityDescriptor_I)) { PVOID imageBaseAddress; if (imageBaseAddress = PhpInitializePowerPolicyApi()) { PowerGetActiveScheme_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "PowerGetActiveScheme", 0); PowerWriteSecurityDescriptor_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "PowerWriteSecurityDescriptor", 0); } else { return STATUS_DLL_NOT_FOUND; } } if (!(PowerGetActiveScheme_I && PowerWriteSecurityDescriptor_I)) return STATUS_PROCEDURE_NOT_FOUND; status = PowerGetActiveScheme_I( NULL, &policyGuid ); if (status != ERROR_SUCCESS) return PhDosErrorToNtStatus(status); status = PowerWriteSecurityDescriptor_I( ACCESS_DEFAULT_SECURITY_DESCRIPTOR, policyGuid, // Todo: Pass the GUID from the original query. PhGetString(StringSecurityDescriptor) ); //if (status == ERROR_SUCCESS) //{ // // refresh/reapply the current scheme. // status = PowerSetActiveScheme_I(NULL, policyGuid); //} LocalFree(policyGuid); return PhDosErrorToNtStatus(status); } // Terminal server security descriptors NTSTATUS PhpGetRemoteDesktopSecurityDescriptor( _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { BOOL status; ULONG securityDescriptorLength = 0; PSECURITY_DESCRIPTOR securityDescriptor = NULL; if (!WTSGetListenerSecurity_I) { PVOID imageBaseAddress; if (imageBaseAddress = PhpInitializeRemoteDesktopServiceApi()) WTSGetListenerSecurity_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "WTSGetListenerSecurityW", 0); else return STATUS_DLL_NOT_FOUND; } if (!WTSGetListenerSecurity_I) return STATUS_PROCEDURE_NOT_FOUND; // Todo: Add support for SI_RESET using the default security descriptor: // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultSecurity status = WTSGetListenerSecurity_I( WTS_CURRENT_SERVER_HANDLE, NULL, 0, L"Rdp-Tcp", // or "Console" DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION, securityDescriptor, 0, &securityDescriptorLength ); if (!(!status && securityDescriptorLength)) return STATUS_INVALID_SECURITY_DESCR; securityDescriptor = PhAllocateZero(securityDescriptorLength); status = WTSGetListenerSecurity_I( WTS_CURRENT_SERVER_HANDLE, NULL, 0, L"Rdp-Tcp", // or "Console" DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION, securityDescriptor, securityDescriptorLength, &securityDescriptorLength ); if (status) { if (SecurityDescriptor) { *SecurityDescriptor = securityDescriptor; return STATUS_SUCCESS; } } return STATUS_INVALID_SECURITY_DESCR; } NTSTATUS PhpSetRemoteDesktopSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { if (!WTSSetListenerSecurity_I) { PVOID imageBaseAddress; if (imageBaseAddress = PhpInitializeRemoteDesktopServiceApi()) WTSSetListenerSecurity_I = PhGetDllBaseProcedureAddress(imageBaseAddress, "WTSSetListenerSecurityW", 0); else return STATUS_DLL_NOT_FOUND; } if (!WTSSetListenerSecurity_I) return STATUS_PROCEDURE_NOT_FOUND; if (WTSSetListenerSecurity_I( WTS_CURRENT_SERVER_HANDLE, NULL, 0, L"RDP-Tcp", DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION, SecurityDescriptor )) { return STATUS_SUCCESS; } return STATUS_INVALID_SECURITY_DESCR; } // WBEM security descriptors NTSTATUS PhGetWmiNamespaceSecurityDescriptor( _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { HRESULT status; PVOID securityDescriptor = NULL; PVOID securityDescriptorData = NULL; BSTR wbemResourceString = NULL; BSTR wbemObjectString = NULL; BSTR wbemMethodString = NULL; IWbemLocator* wbemLocator = NULL; IWbemServices* wbemServices = NULL; IWbemClassObject* wbemClassObject = NULL; IWbemClassObject* wbemGetSDClassObject = 0; VARIANT variantArrayValue = { 0 }; VARIANT variantReturnValue = { 0 }; status = PhGetWbemLocatorClass( &wbemLocator ); if (HR_FAILED(status)) goto CleanupExit; wbemResourceString = PhStringZToBSTR(L"Root"); status = IWbemLocator_ConnectServer( wbemLocator, wbemResourceString, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &wbemServices ); if (HR_FAILED(status)) goto CleanupExit; status = PhCoSetProxyBlanket( (IUnknown*)wbemServices ); if (HR_FAILED(status)) goto CleanupExit; wbemObjectString = PhStringZToBSTR(L"__SystemSecurity"); status = IWbemServices_GetObject( wbemServices, wbemObjectString, 0, NULL, &wbemClassObject, NULL ); if (HR_FAILED(status)) goto CleanupExit; wbemMethodString = PhStringZToBSTR(L"GetSD"); status = IWbemServices_ExecMethod( wbemServices, wbemObjectString, wbemMethodString, 0, NULL, wbemClassObject, &wbemGetSDClassObject, NULL ); if (HR_FAILED(status)) goto CleanupExit; status = IWbemClassObject_Get( wbemGetSDClassObject, L"ReturnValue", 0, &variantReturnValue, NULL, NULL ); if (HR_FAILED(status)) goto CleanupExit; if (V_UI4(&variantReturnValue) != ERROR_SUCCESS) { status = HRESULT_FROM_WIN32(V_UI4(&variantReturnValue)); goto CleanupExit; } status = IWbemClassObject_Get( wbemGetSDClassObject, L"SD", 0, &variantArrayValue, NULL, NULL ); if (HR_FAILED(status)) goto CleanupExit; status = SafeArrayAccessData(V_ARRAY(&variantArrayValue), &securityDescriptorData); if (HR_FAILED(status)) goto CleanupExit; // The Wbem security descriptor is relative but the ACUI // dialog automatically converts the descriptor for us // so we don't have to convert just validate. (dmex) if (RtlValidSecurityDescriptor(securityDescriptorData)) { securityDescriptor = PhAllocateCopy( securityDescriptorData, RtlLengthSecurityDescriptor(securityDescriptorData) ); } SafeArrayUnaccessData(V_ARRAY(&variantArrayValue)); CleanupExit: if (wbemGetSDClassObject) IWbemClassObject_Release(wbemGetSDClassObject); if (wbemServices) IWbemServices_Release(wbemServices); if (wbemClassObject) IWbemClassObject_Release(wbemClassObject); if (wbemLocator) IWbemLocator_Release(wbemLocator); VariantClear(&variantArrayValue); if (wbemMethodString) SysFreeString(wbemMethodString); if (wbemObjectString) SysFreeString(wbemObjectString); if (wbemResourceString) SysFreeString(wbemResourceString); if (HR_SUCCESS(status) && securityDescriptor) { *SecurityDescriptor = securityDescriptor; return STATUS_SUCCESS; } if (securityDescriptor) { PhFree(securityDescriptor); } if (status == WBEM_E_ACCESS_DENIED) return STATUS_ACCESS_DENIED; if (status == WBEM_E_INVALID_PARAMETER) return STATUS_INVALID_PARAMETER; return STATUS_INVALID_SECURITY_DESCR; } NTSTATUS PhSetWmiNamespaceSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { HRESULT status; BSTR wbemResourceString = NULL; BSTR wbemObjectString = NULL; BSTR wbemMethodString = NULL; IWbemLocator* wbemLocator = NULL; IWbemServices* wbemServices = NULL; IWbemClassObject* wbemClassObject = NULL; IWbemClassObject* wbemSetSDClassObject = NULL; PVOID safeArrayData = NULL; LPSAFEARRAY safeArray = NULL; SAFEARRAYBOUND safeArrayBounds; PSECURITY_DESCRIPTOR relativeSecurityDescriptor = NULL; ULONG relativeSecurityDescriptorLength = 0; BOOLEAN freeSecurityDescriptor = FALSE; VARIANT variantArrayValue = { 0 }; VARIANT variantReturnValue = { 0 }; PSID administratorsSid; // kludge the descriptor into the correct format required by wmimgmt (dmex) // 1) The owner must always be the built-in domain administrator. // 2) The group must always be the built-in domain administrator. administratorsSid = PhSeAdministratorsSid(); PhSetOwnerSecurityDescriptor(SecurityDescriptor, administratorsSid, TRUE); PhSetGroupSecurityDescriptor(SecurityDescriptor, administratorsSid, TRUE); status = PhGetWbemLocatorClass( &wbemLocator ); if (HR_FAILED(status)) goto CleanupExit; wbemResourceString = PhStringZToBSTR(L"Root"); status = IWbemLocator_ConnectServer( wbemLocator, wbemResourceString, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &wbemServices ); if (HR_FAILED(status)) goto CleanupExit; status = PhCoSetProxyBlanket( (IUnknown*)wbemServices ); if (HR_FAILED(status)) goto CleanupExit; wbemObjectString = PhStringZToBSTR(L"__SystemSecurity"); status = IWbemServices_GetObject( wbemServices, wbemObjectString, 0, NULL, &wbemClassObject, NULL ); if (HR_FAILED(status)) goto CleanupExit; if (RtlValidRelativeSecurityDescriptor( SecurityDescriptor, RtlLengthSecurityDescriptor(SecurityDescriptor), OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION )) { relativeSecurityDescriptor = SecurityDescriptor; relativeSecurityDescriptorLength = RtlLengthSecurityDescriptor(SecurityDescriptor); } else { NTSTATUS ntstatus; ntstatus = RtlAbsoluteToSelfRelativeSD( SecurityDescriptor, NULL, &relativeSecurityDescriptorLength ); if (ntstatus != STATUS_BUFFER_TOO_SMALL) { // Note: HR>WIN32>NT required for correct WMI error messages (dmex) status = HRESULT_FROM_WIN32(PhNtStatusToDosError(ntstatus)); goto CleanupExit; } relativeSecurityDescriptor = PhAllocate(relativeSecurityDescriptorLength); ntstatus = RtlAbsoluteToSelfRelativeSD( SecurityDescriptor, relativeSecurityDescriptor, &relativeSecurityDescriptorLength ); if (!NT_SUCCESS(ntstatus)) { PhFree(relativeSecurityDescriptor); // Note: HR>WIN32>NT required for correct WMI error messages (dmex) status = HRESULT_FROM_WIN32(PhNtStatusToDosError(ntstatus)); goto CleanupExit; } freeSecurityDescriptor = TRUE; } safeArrayBounds.lLbound = 0; safeArrayBounds.cElements = relativeSecurityDescriptorLength; if (!(safeArray = SafeArrayCreate(VT_UI1, 1, &safeArrayBounds))) { status = STATUS_NO_MEMORY; goto CleanupExit; } status = SafeArrayAccessData(safeArray, &safeArrayData); if (HR_FAILED(status)) goto CleanupExit; memcpy( safeArrayData, relativeSecurityDescriptor, relativeSecurityDescriptorLength ); status = SafeArrayUnaccessData(safeArray); if (HR_FAILED(status)) goto CleanupExit; V_VT(&variantArrayValue) = VT_ARRAY | VT_UI1; V_ARRAY(&variantArrayValue) = safeArray; status = IWbemClassObject_Put( wbemClassObject, L"SD", 0, &variantArrayValue, CIM_EMPTY ); if (HR_FAILED(status)) goto CleanupExit; wbemMethodString = PhStringZToBSTR(L"SetSD"); status = IWbemServices_ExecMethod( wbemServices, wbemObjectString, wbemMethodString, 0, NULL, wbemClassObject, &wbemSetSDClassObject, NULL ); if (HR_FAILED(status)) goto CleanupExit; status = IWbemClassObject_Get( wbemSetSDClassObject, L"ReturnValue", 0, &variantReturnValue, NULL, NULL ); if (HR_FAILED(status)) goto CleanupExit; if (V_UI4(&variantReturnValue) != ERROR_SUCCESS) { status = HRESULT_FROM_WIN32(V_UI4(&variantReturnValue)); } CleanupExit: if (wbemSetSDClassObject) IWbemClassObject_Release(wbemSetSDClassObject); if (wbemClassObject) IWbemClassObject_Release(wbemClassObject); if (wbemServices) IWbemServices_Release(wbemServices); if (wbemLocator) IWbemLocator_Release(wbemLocator); if (freeSecurityDescriptor && relativeSecurityDescriptor) PhFree(relativeSecurityDescriptor); VariantClear(&variantArrayValue); //if (safeArray) SafeArrayDestroy(safeArray); if (wbemMethodString) SysFreeString(wbemMethodString); if (wbemObjectString) SysFreeString(wbemObjectString); if (wbemResourceString) SysFreeString(wbemResourceString); if (HR_SUCCESS(status)) { return STATUS_SUCCESS; } if (status == WBEM_E_ACCESS_DENIED) return STATUS_ACCESS_DENIED; if (status == WBEM_E_INVALID_PARAMETER) return STATUS_INVALID_PARAMETER; return STATUS_INVALID_SECURITY_DESCR; } static PH_STRINGREF OleKeyName = PH_STRINGREF_INIT(L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Ole"); static PH_STRINGREF OlePermissionValueName[] = { PH_STRINGREF_INIT(L"DefaultLaunchPermission"), PH_STRINGREF_INIT(L"DefaultAccessPermission"), PH_STRINGREF_INIT(L"MachineLaunchRestriction"), PH_STRINGREF_INIT(L"MachineAccessRestriction"), }; /** * Read a COM access/launch policy security descriptor override from the registry. * * \param ComSDType The type of a security descriptor to read. * \param SecurityDescriptor A security descriptor buffer. */ NTSTATUS PhGetComSecurityDescriptorOverride( _In_ COMSD ComSDType, _Outptr_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { NTSTATUS status; HANDLE keyHandle = NULL; PKEY_VALUE_PARTIAL_INFORMATION value = NULL; if (ComSDType >= RTL_NUMBER_OF(OlePermissionValueName)) return STATUS_INVALID_PARAMETER; status = PhOpenKey(&keyHandle, KEY_QUERY_VALUE, NULL, &OleKeyName, OBJ_CASE_INSENSITIVE); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhQueryValueKey( keyHandle, &OlePermissionValueName[ComSDType], KeyValuePartialInformation, &value ); if (!NT_SUCCESS(status)) goto CleanupExit; if (!RtlValidRelativeSecurityDescriptor( (PSECURITY_DESCRIPTOR)value->Data, value->DataLength, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION )) { status = STATUS_INVALID_SECURITY_DESCR; goto CleanupExit; } *SecurityDescriptor = PhAllocateCopy(value->Data, value->DataLength); CleanupExit: if (keyHandle) NtClose(keyHandle); if (value) PhFree(value); return status; } /** * Query a COM access/launch policy security descriptor. * * \param ComSDType The type of a security descriptor to query. * \param SecurityDescriptor A security descriptor buffer. */ NTSTATUS PhGetComSecurityDescriptor( _In_ COMSD ComSDType, _Outptr_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { NTSTATUS status; HRESULT hresult; PSECURITY_DESCRIPTOR securityDescriptor = NULL; status = PhGetComSecurityDescriptorOverride(ComSDType, SecurityDescriptor); if (NT_SUCCESS(status) || (status != STATUS_OBJECT_NAME_NOT_FOUND)) return status; hresult = CoGetSystemSecurityPermissions(ComSDType, &securityDescriptor); if (HR_FAILED(hresult)) { switch (hresult) { case E_ACCESSDENIED: return STATUS_ACCESS_DENIED; case E_OUTOFMEMORY: return STATUS_NO_MEMORY; case E_INVALIDARG: return STATUS_INVALID_PARAMETER; } return STATUS_UNSUCCESSFUL; } if (!RtlValidSecurityDescriptor(securityDescriptor)) { status = STATUS_INVALID_SECURITY_DESCR; goto CleanupExit; } *SecurityDescriptor = PhAllocateCopy( securityDescriptor, RtlLengthSecurityDescriptor(securityDescriptor) ); CleanupExit: if (securityDescriptor) LocalFree(securityDescriptor); return STATUS_SUCCESS; } /** * Adjust a COM access/launch policy security descriptor. * * \param ComSDType The type of a security descriptor to read. * \param SecurityInformation The security information to change. * \param SecurityDescriptor A security descriptor buffer. */ NTSTATUS PhSetComSecurityDescriptor( _In_ COMSD ComSDType, _In_ ULONG SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { NTSTATUS status; HANDLE keyHandle = NULL; PSECURITY_DESCRIPTOR originalSecurityDescriptor = NULL; PSECURITY_DESCRIPTOR mergedSecurityDescriptor = NULL; if (ComSDType >= RTL_NUMBER_OF(OlePermissionValueName)) return STATUS_INVALID_PARAMETER; status = PhOpenKey(&keyHandle, KEY_SET_VALUE, NULL, &OleKeyName, OBJ_CASE_INSENSITIVE); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetComSecurityDescriptor(ComSDType, &originalSecurityDescriptor); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhMergeSecurityDescriptors( originalSecurityDescriptor, SecurityDescriptor, SecurityInformation, &mergedSecurityDescriptor ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhSetValueKey( keyHandle, &OlePermissionValueName[ComSDType], REG_BINARY, mergedSecurityDescriptor, RtlLengthSecurityDescriptor(mergedSecurityDescriptor) ); if (NT_SUCCESS(status)) { // Notify RPCSS about the change UpdateDCOMSettings(); } CleanupExit: if (keyHandle) NtClose(keyHandle); if (originalSecurityDescriptor) PhFree(originalSecurityDescriptor); if (mergedSecurityDescriptor) PhFree(mergedSecurityDescriptor); return status; } HRESULT PhRestartDefenderOfflineScan( VOID ) { HRESULT status; BSTR wbemResourceString = NULL; BSTR wbemObjectString = NULL; BSTR wbemMethodString = NULL; IWbemLocator* wbemLocator = NULL; IWbemServices* wbemServices = NULL; IWbemClassObject* wbemClassObject = NULL; IWbemClassObject* wbemStartClassObject = NULL; VARIANT variantReturnValue = { 0 }; status = PhGetWbemLocatorClass( &wbemLocator ); if (HR_FAILED(status)) goto CleanupExit; wbemResourceString = PhStringZToBSTR(L"Root\\Microsoft\\Windows\\Defender"); status = IWbemLocator_ConnectServer( wbemLocator, wbemResourceString, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &wbemServices ); if (HR_FAILED(status)) goto CleanupExit; status = PhCoSetProxyBlanket( (IUnknown*)wbemServices ); if (HR_FAILED(status)) goto CleanupExit; wbemObjectString = PhStringZToBSTR(L"MSFT_MpWDOScan"); status = IWbemServices_GetObject( wbemServices, wbemObjectString, 0, NULL, &wbemClassObject, NULL ); if (HR_FAILED(status)) goto CleanupExit; wbemMethodString = PhStringZToBSTR(L"Start"); status = IWbemServices_ExecMethod( wbemServices, wbemObjectString, wbemMethodString, 0, NULL, wbemClassObject, &wbemStartClassObject, NULL ); if (HR_FAILED(status)) goto CleanupExit; status = IWbemClassObject_Get( wbemStartClassObject, L"ReturnValue", 0, &variantReturnValue, NULL, NULL ); if (HR_FAILED(status)) goto CleanupExit; if (V_UI4(&variantReturnValue) != ERROR_SUCCESS) { status = HRESULT_FROM_WIN32(V_UI4(&variantReturnValue)); goto CleanupExit; } CleanupExit: if (wbemStartClassObject) IWbemClassObject_Release(wbemStartClassObject); if (wbemServices) IWbemServices_Release(wbemServices); if (wbemClassObject) IWbemClassObject_Release(wbemClassObject); if (wbemLocator) IWbemLocator_Release(wbemLocator); if (wbemMethodString) SysFreeString(wbemMethodString); if (wbemObjectString) SysFreeString(wbemObjectString); if (wbemResourceString) SysFreeString(wbemResourceString); return status; } ================================================ FILE: phlib/settings.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2016 * dmex 2017-2022 * */ /* * This file contains a program-specific settings system. All possible * settings are defined at program startup and added to a hashtable. * The values of these settings can then be read in from a XML file or * saved to a XML file at any time. Settings which are not recognized * are added to a list of "ignored settings"; this is necessary to * support plugin settings, as we don't want their settings to get * deleted whenever the plugins are disabled. * * The get/set functions are very strict. If the wrong function is used * (the get-integer-setting function is used on a string setting) or * the setting does not exist, an exception will be raised. */ #include #include #include #include #include #include #include #include #include #include PPH_HASHTABLE PhSettingsHashtable; PH_QUEUED_LOCK PhSettingsLock = PH_QUEUED_LOCK_INIT; PPH_LIST PhIgnoredSettings; // Settings store descriptors (priority order: lower = higher priority) static const PH_SETTINGS_STORE_DESCRIPTOR PhSettingsStores[] = { { SettingsFormatJson, L".json", TRUE, TRUE, FALSE, 1 }, { SettingsFormatXml, L".xml", TRUE, FALSE, TRUE, 2 }, { SettingsFormatKey, L".dat", TRUE, FALSE, FALSE, 3 }, { SettingsFormatReg, NULL, FALSE, FALSE, FALSE, 4 }, { SettingsFormatBin, L".bin", TRUE, FALSE, FALSE, 5 }, }; #define PH_SETTINGS_STORE_COUNT RTL_NUMBER_OF(PhSettingsStores) // Track which format was loaded PH_SETTINGS_FORMAT PhSettingsLoadedFormat = SettingsFormatJson; #define PH_SETTINGS_BIN_SIGNATURE 0x4E485042 // 'BPHN' #define PH_SETTINGS_BIN_VERSION 1 #include typedef struct _PH_SETTINGS_BIN_HEADER { ULONG Signature; ULONG Version; ULONG NumberOfSettings; } PH_SETTINGS_BIN_HEADER, *PPH_SETTINGS_BIN_HEADER; typedef struct _PH_SETTINGS_BIN_SETTING { ULONG NameLength; // in bytes ULONG Type; ULONG ValueLength; // in bytes } PH_SETTINGS_BIN_SETTING, *PPH_SETTINGS_BIN_SETTING; #include _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN NTAPI PhSettingsHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_SETTING setting1 = (PPH_SETTING)Entry1; PPH_SETTING setting2 = (PPH_SETTING)Entry2; return PhEqualStringRef(&setting1->Name, &setting2->Name, TRUE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG NTAPI PhSettingsHashtableHashFunction( _In_ PVOID Entry ) { PPH_SETTING setting = (PPH_SETTING)Entry; return PhHashStringRefEx(&setting->Name, TRUE, PH_STRING_HASH_XXH32); } VOID PhSettingsInitialization( VOID ) { PhSettingsHashtable = PhCreateHashtable( sizeof(PH_SETTING), PhSettingsHashtableEqualFunction, PhSettingsHashtableHashFunction, 512 ); PhIgnoredSettings = PhCreateList(1); } PPH_STRING PhSettingToString( _In_ PH_SETTING_TYPE Type, _In_ PPH_SETTING Setting ) { switch (Type) { case StringSettingType: { if (!Setting->u.Pointer) return PhReferenceEmptyString(); PhReferenceObject(Setting->u.Pointer); return (PPH_STRING)Setting->u.Pointer; } break; case IntegerSettingType: { PH_FORMAT format[1]; // %x PhInitFormatX(&format[0], Setting->u.Integer); return PhFormat(format, RTL_NUMBER_OF(format), 0); } break; case IntegerPairSettingType: { PPH_INTEGER_PAIR integerPair = &Setting->u.IntegerPair; PH_FORMAT format[3]; // %ld,%ld PhInitFormatD(&format[0], integerPair->X); PhInitFormatC(&format[1], L','); PhInitFormatD(&format[2], integerPair->Y); return PhFormat(format, RTL_NUMBER_OF(format), 0); } break; case ScalableIntegerPairSettingType: { PPH_SCALABLE_INTEGER_PAIR scalableIntegerPair = Setting->u.Pointer; PH_FORMAT format[6]; if (!scalableIntegerPair) return PhReferenceEmptyString(); // @%lu|%ld,%ld PhInitFormatC(&format[0], L'@'); PhInitFormatU(&format[1], scalableIntegerPair->Scale); PhInitFormatC(&format[2], L'|'); PhInitFormatD(&format[3], scalableIntegerPair->X); PhInitFormatC(&format[4], L','); PhInitFormatD(&format[5], scalableIntegerPair->Y); return PhFormat(format, RTL_NUMBER_OF(format), 0); } break; } return PhReferenceEmptyString(); } BOOLEAN PhSettingFromString( _In_ PH_SETTING_TYPE Type, _In_ PCPH_STRINGREF StringRef, _In_opt_ PPH_STRING String, _Inout_ PPH_SETTING Setting ) { switch (Type) { case StringSettingType: { if (String) { PhSetReference(&Setting->u.Pointer, String); } else { Setting->u.Pointer = PhCreateString2(StringRef); } return TRUE; } break; case IntegerSettingType: { ULONG64 integer; if (PhStringToInteger64(StringRef, 16, &integer)) { Setting->u.Integer = (ULONG)integer; return TRUE; } else { return FALSE; } } break; case IntegerPairSettingType: { LONG64 x; LONG64 y; PH_STRINGREF xString; PH_STRINGREF yString; if (!PhSplitStringRefAtChar(StringRef, L',', &xString, &yString)) return FALSE; if (PhStringToInteger64(&xString, 10, &x) && PhStringToInteger64(&yString, 10, &y)) { Setting->u.IntegerPair.X = (LONG)x; Setting->u.IntegerPair.Y = (LONG)y; return TRUE; } else { return FALSE; } } break; case ScalableIntegerPairSettingType: { LONG64 scale; LONG64 x; LONG64 y; PH_STRINGREF stringRef; PH_STRINGREF firstPart; PH_STRINGREF secondPart; PPH_SCALABLE_INTEGER_PAIR scalableIntegerPair; stringRef = *StringRef; if (stringRef.Length != 0 && stringRef.Buffer[0] == L'@') { PhSkipStringRef(&stringRef, sizeof(WCHAR)); if (!PhSplitStringRefAtChar(&stringRef, L'|', &firstPart, &stringRef)) return FALSE; if (!PhStringToInteger64(&firstPart, 10, &scale)) return FALSE; } else { scale = USER_DEFAULT_SCREEN_DPI; } if (!PhSplitStringRefAtChar(&stringRef, L',', &firstPart, &secondPart)) return FALSE; if (PhStringToInteger64(&firstPart, 10, &x) && PhStringToInteger64(&secondPart, 10, &y)) { scalableIntegerPair = PhAllocateZero(sizeof(PH_SCALABLE_INTEGER_PAIR)); scalableIntegerPair->X = (LONG)x; scalableIntegerPair->Y = (LONG)y; scalableIntegerPair->Scale = (ULONG)scale; Setting->u.Pointer = scalableIntegerPair; return TRUE; } else { return FALSE; } } break; } return FALSE; } static VOID PhpFreeSettingValue( _In_ PH_SETTING_TYPE Type, _In_ PPH_SETTING Setting ) { switch (Type) { case StringSettingType: PhClearReference(&Setting->u.Pointer); break; case ScalableIntegerPairSettingType: PhFree(Setting->u.Pointer); Setting->u.Pointer = NULL; break; } } static PVOID PhpLookupSetting( _In_ PCPH_STRINGREF Name ) { PH_SETTING lookupSetting; PPH_SETTING setting; lookupSetting.Name = *Name; setting = (PPH_SETTING)PhFindEntryHashtable( PhSettingsHashtable, &lookupSetting ); return setting; } VOID PhEnumSettings( _In_ PPH_SETTINGS_ENUM_CALLBACK Callback, _In_ PVOID Context ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SETTING setting; PhAcquireQueuedLockExclusive(&PhSettingsLock); PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); while (setting = PhNextEnumHashtable(&enumContext)) { if (!Callback(setting, Context)) break; } PhReleaseQueuedLockExclusive(&PhSettingsLock); } ULONG PhGetIntegerStringRefSetting( _In_ PCPH_STRINGREF Name ) { PPH_SETTING setting; ULONG value; PhAcquireQueuedLockShared(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting && setting->Type == IntegerSettingType); if (setting && setting->Type == IntegerSettingType) { value = setting->u.Integer; } else { value = 0; } PhReleaseQueuedLockShared(&PhSettingsLock); return value; } BOOLEAN PhGetIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _Out_ PPH_INTEGER_PAIR IntegerPair ) { BOOLEAN result; PPH_SETTING setting; PH_INTEGER_PAIR value; PhAcquireQueuedLockShared(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting && setting->Type == IntegerPairSettingType); if (setting && setting->Type == IntegerPairSettingType) { value = setting->u.IntegerPair; result = TRUE; } else { RtlZeroMemory(&value, sizeof(PH_INTEGER_PAIR)); result = FALSE; } PhReleaseQueuedLockShared(&PhSettingsLock); RtlZeroMemory(IntegerPair, sizeof(PH_INTEGER_PAIR)); RtlCopyMemory(IntegerPair, &value, sizeof(PH_INTEGER_PAIR)); return result; } BOOLEAN PhGetScalableIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ BOOLEAN ScaleToDpi, _In_ LONG Dpi, _Out_ PPH_SCALABLE_INTEGER_PAIR* ScalableIntegerPair ) { BOOLEAN result; PPH_SETTING setting; PPH_SCALABLE_INTEGER_PAIR value; PhAcquireQueuedLockShared(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting && setting->Type == ScalableIntegerPairSettingType); if (setting && setting->Type == ScalableIntegerPairSettingType) { value = setting->u.Pointer; result = TRUE; } else { value = NULL; result = FALSE; } PhReleaseQueuedLockShared(&PhSettingsLock); if (ScaleToDpi) { if (value->Scale != Dpi && value->Scale != 0) { value->X = PhMultiplyDivideSigned(value->X, Dpi, value->Scale); value->Y = PhMultiplyDivideSigned(value->Y, Dpi, value->Scale); value->Scale = Dpi; } } *ScalableIntegerPair = value; return result; } PPH_STRING PhGetStringRefSetting( _In_ PCPH_STRINGREF Name ) { PPH_SETTING setting; PPH_STRING value = NULL; PhAcquireQueuedLockShared(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting && setting->Type == StringSettingType); if (setting && setting->Type == StringSettingType) { if (setting->u.Pointer) { PhSetReference(&value, setting->u.Pointer); } } PhReleaseQueuedLockShared(&PhSettingsLock); if (PhIsNullOrEmptyString(value)) { value = PhReferenceEmptyString(); } return value; } BOOLEAN PhGetBinarySetting( _In_ PCPH_STRINGREF Name, _Out_ PVOID Buffer ) { PPH_STRING setting; BOOLEAN result; setting = PhGetStringRefSetting(Name); result = PhHexStringToBuffer(&setting->sr, (PUCHAR)Buffer); PhDereferenceObject(setting); return result; } VOID PhSetIntegerStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ ULONG Value ) { PPH_SETTING setting; PhAcquireQueuedLockExclusive(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting); if (setting && setting->Type == IntegerSettingType) { setting->u.Integer = Value; } PhReleaseQueuedLockExclusive(&PhSettingsLock); } VOID PhSetIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ PPH_INTEGER_PAIR Value ) { PPH_SETTING setting; PhAcquireQueuedLockExclusive(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting); if (setting && setting->Type == IntegerPairSettingType) { memcpy(&setting->u.IntegerPair, Value, sizeof(PH_INTEGER_PAIR)); } PhReleaseQueuedLockExclusive(&PhSettingsLock); } VOID PhSetScalableIntegerPairStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ PPH_SCALABLE_INTEGER_PAIR Value ) { PPH_SETTING setting; PhAcquireQueuedLockExclusive(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting); if (setting && setting->Type == ScalableIntegerPairSettingType) { PhpFreeSettingValue(ScalableIntegerPairSettingType, setting); setting->u.Pointer = PhAllocateCopy(Value, sizeof(PH_SCALABLE_INTEGER_PAIR)); } PhReleaseQueuedLockExclusive(&PhSettingsLock); } VOID PhSetScalableIntegerPairStringRefSetting2( _In_ PCPH_STRINGREF Name, _In_ PPH_INTEGER_PAIR Value, _In_ LONG dpiValue ) { PH_SCALABLE_INTEGER_PAIR scalableIntegerPair; ZeroMemory(&scalableIntegerPair, sizeof(PH_SCALABLE_INTEGER_PAIR)); memcpy(&scalableIntegerPair.Pair, Value, sizeof(PH_INTEGER_PAIR)); scalableIntegerPair.Scale = dpiValue; PhSetScalableIntegerPairStringRefSetting(Name, &scalableIntegerPair); } VOID PhSetStringRefSetting( _In_ PCPH_STRINGREF Name, _In_ PCPH_STRINGREF Value ) { PPH_SETTING setting; PhAcquireQueuedLockExclusive(&PhSettingsLock); setting = PhpLookupSetting(Name); assert(setting); if (setting && setting->Type == StringSettingType) { PhpFreeSettingValue(StringSettingType, setting); setting->u.Pointer = PhCreateString2(Value); } PhReleaseQueuedLockExclusive(&PhSettingsLock); } VOID PhpFreeIgnoredSetting( _In_ PPH_SETTING Setting ) { PhFree(Setting->Name.Buffer); PhDereferenceObject(Setting->u.Pointer); PhFree(Setting); } VOID PhpClearIgnoredSettings( VOID ) { ULONG i; PhAcquireQueuedLockExclusive(&PhSettingsLock); for (i = 0; i < PhIgnoredSettings->Count; i++) { PhpFreeIgnoredSetting(PhIgnoredSettings->Items[i]); } PhClearList(PhIgnoredSettings); PhReleaseQueuedLockExclusive(&PhSettingsLock); } VOID PhClearIgnoredSettings( VOID ) { PhpClearIgnoredSettings(); } ULONG PhCountIgnoredSettings( VOID ) { ULONG count; PhAcquireQueuedLockShared(&PhSettingsLock); count = PhIgnoredSettings->Count; PhReleaseQueuedLockShared(&PhSettingsLock); return count; } VOID PhConvertIgnoredSettings( VOID ) { PPH_SETTING ignoredSetting; PPH_SETTING setting; ULONG i; PhAcquireQueuedLockExclusive(&PhSettingsLock); for (i = 0; i < PhIgnoredSettings->Count; i++) { ignoredSetting = PhIgnoredSettings->Items[i]; setting = PhpLookupSetting(&ignoredSetting->Name); if (setting) { PhpFreeSettingValue(setting->Type, setting); if (!PhSettingFromString( setting->Type, &((PPH_STRING)ignoredSetting->u.Pointer)->sr, ignoredSetting->u.Pointer, setting )) { PhSettingFromString( setting->Type, &setting->DefaultValue, NULL, setting ); } PhpFreeIgnoredSetting(ignoredSetting); PhRemoveItemList(PhIgnoredSettings, i); i--; } } PhReleaseQueuedLockExclusive(&PhSettingsLock); } NTSTATUS PhLoadSettingsBin( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; PVOID viewBase; SIZE_T viewSize; PPH_SETTINGS_BIN_HEADER header; PBYTE pointer; PBYTE limit; status = PhMapViewOfEntireFileEx(FileName, NULL, &viewBase, &viewSize); if (!NT_SUCCESS(status)) return status; if (viewSize < sizeof(PH_SETTINGS_BIN_HEADER)) { PhUnmapViewOfSection(NtCurrentProcess(), viewBase); return STATUS_FILE_CORRUPT_ERROR; } header = (PPH_SETTINGS_BIN_HEADER)viewBase; if (header->Signature != PH_SETTINGS_BIN_SIGNATURE || header->Version != PH_SETTINGS_BIN_VERSION) { PhUnmapViewOfSection(NtCurrentProcess(), viewBase); return STATUS_FILE_CORRUPT_ERROR; } PhpClearIgnoredSettings(); PhAcquireQueuedLockExclusive(&PhSettingsLock); pointer = (PBYTE)viewBase + sizeof(PH_SETTINGS_BIN_HEADER); limit = (PBYTE)viewBase + viewSize; for (ULONG i = 0; i < header->NumberOfSettings; i++) { PPH_SETTINGS_BIN_SETTING entry; PPH_SETTING setting; PH_STRINGREF settingName; PH_STRINGREF settingValue; if (pointer + sizeof(PH_SETTINGS_BIN_SETTING) > limit) break; entry = (PPH_SETTINGS_BIN_SETTING)pointer; pointer += sizeof(PH_SETTINGS_BIN_SETTING); if (pointer + entry->NameLength + entry->ValueLength > limit) break; settingName.Buffer = (PWCH)pointer; settingName.Length = entry->NameLength; pointer += entry->NameLength; settingValue.Buffer = (PWCH)pointer; settingValue.Length = entry->ValueLength; pointer += entry->ValueLength; if (setting = PhpLookupSetting(&settingName)) { PhpFreeSettingValue(setting->Type, setting); if (!PhSettingFromString( setting->Type, &settingValue, NULL, setting )) { PhSettingFromString( setting->Type, &setting->DefaultValue, NULL, setting ); } } else { setting = PhAllocateZero(sizeof(PH_SETTING)); setting->Type = StringSettingType; setting->Name.Buffer = PhAllocateCopy(settingName.Buffer, settingName.Length + sizeof(WCHAR)); setting->Name.Length = settingName.Length; setting->Name.Buffer[settingName.Length / sizeof(WCHAR)] = 0; setting->u.Pointer = PhCreateString2(&settingValue); PhAddItemList(PhIgnoredSettings, setting); } } PhReleaseQueuedLockExclusive(&PhSettingsLock); PhUnmapViewOfSection(NtCurrentProcess(), viewBase); return STATUS_SUCCESS; } NTSTATUS PhSaveSettingsBin( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SETTING setting; PH_SETTINGS_BIN_HEADER header; SIZE_T totalSize = 0; PBYTE buffer; PBYTE pointer; HANDLE fileHandle; IO_STATUS_BLOCK isb; PhAcquireQueuedLockShared(&PhSettingsLock); // Calculate total size required totalSize = sizeof(PH_SETTINGS_BIN_HEADER); PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); while (setting = PhNextEnumHashtable(&enumContext)) { PPH_STRING settingValue = PhSettingToString(setting->Type, setting); totalSize += sizeof(PH_SETTINGS_BIN_SETTING) + setting->Name.Length + settingValue->Length; PhDereferenceObject(settingValue); } for (ULONG i = 0; i < PhIgnoredSettings->Count; i++) { setting = PhIgnoredSettings->Items[i]; PPH_STRING settingValue = setting->u.Pointer; totalSize += sizeof(PH_SETTINGS_BIN_SETTING) + setting->Name.Length + settingValue->Length; } buffer = PhAllocate(totalSize); pointer = buffer; __analysis_assume(pointer <= (PBYTE)buffer + totalSize); header.Signature = PH_SETTINGS_BIN_SIGNATURE; header.Version = PH_SETTINGS_BIN_VERSION; header.NumberOfSettings = PhSettingsHashtable->Count + PhIgnoredSettings->Count; __analysis_assume(pointer + sizeof(PH_SETTINGS_BIN_HEADER) <= (PBYTE)buffer + totalSize); memcpy(pointer, &header, sizeof(PH_SETTINGS_BIN_HEADER)); pointer += sizeof(PH_SETTINGS_BIN_HEADER); PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); while (setting = PhNextEnumHashtable(&enumContext)) { PPH_STRING settingValue = PhSettingToString(setting->Type, setting); PH_SETTINGS_BIN_SETTING entry; entry.NameLength = (ULONG)setting->Name.Length; entry.Type = (ULONG)setting->Type; entry.ValueLength = (ULONG)settingValue->Length; memcpy(pointer, &entry, sizeof(PH_SETTINGS_BIN_SETTING)); pointer += sizeof(PH_SETTINGS_BIN_SETTING); memcpy(pointer, setting->Name.Buffer, setting->Name.Length); pointer += setting->Name.Length; memcpy(pointer, settingValue->Buffer, settingValue->Length); pointer += settingValue->Length; PhDereferenceObject(settingValue); } for (ULONG i = 0; i < PhIgnoredSettings->Count; i++) { setting = PhIgnoredSettings->Items[i]; PPH_STRING settingValue = setting->u.Pointer; PH_SETTINGS_BIN_SETTING entry; entry.NameLength = (ULONG)setting->Name.Length; entry.Type = (ULONG)setting->Type; entry.ValueLength = (ULONG)settingValue->Length; memcpy(pointer, &entry, sizeof(PH_SETTINGS_BIN_SETTING)); pointer += sizeof(PH_SETTINGS_BIN_SETTING); memcpy(pointer, setting->Name.Buffer, setting->Name.Length); pointer += setting->Name.Length; memcpy(pointer, settingValue->Buffer, settingValue->Length); pointer += settingValue->Length; } PhReleaseQueuedLockShared(&PhSettingsLock); status = PhCreateFile( &fileHandle, FileName, FILE_GENERIC_WRITE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { status = NtWriteFile(fileHandle, NULL, NULL, NULL, &isb, buffer, (ULONG)totalSize, NULL, NULL); NtClose(fileHandle); } PhFree(buffer); return status; } _Function_class_(PH_ENUM_KEY_CALLBACK) static BOOLEAN NTAPI PhSettingsKeyCallback( _In_ HANDLE RootDirectory, _In_ PKEY_VALUE_FULL_INFORMATION Information, _In_opt_ PVOID Context ) { PH_STRINGREF settingName; PH_STRINGREF settingValue; PPH_SETTING setting; settingName.Buffer = Information->Name; settingName.Length = Information->NameLength; settingValue.Buffer = PTR_ADD_OFFSET(Information, Information->DataOffset); settingValue.Length = Information->DataLength - (Information->Type == REG_SZ ? sizeof(UNICODE_NULL) : 0); if (setting = PhpLookupSetting(&settingName)) { PhpFreeSettingValue(setting->Type, setting); switch (setting->Type) { case StringSettingType: { if (PhSettingFromString( setting->Type, &settingValue, NULL, setting )) { return TRUE; } if (PhSettingFromString( setting->Type, &setting->DefaultValue, NULL, setting )) { return TRUE; } } break; case IntegerSettingType: { if (Information->Type == REG_DWORD) { PLARGE_INTEGER value = PTR_ADD_OFFSET(Information, Information->DataOffset); setting->u.Integer = value->LowPart; return TRUE; } else if (Information->Type == REG_SZ) { if (PhSettingFromString(setting->Type, &settingValue, NULL, setting)) return TRUE; } } break; case IntegerPairSettingType: { if (Information->Type == REG_QWORD) { PLARGE_INTEGER value = PTR_ADD_OFFSET(Information, Information->DataOffset); setting->u.IntegerPair.X = (LONG)value->LowPart; setting->u.IntegerPair.Y = (LONG)value->HighPart; return TRUE; } else if (Information->Type == REG_SZ) { if (PhSettingFromString(setting->Type, &settingValue, NULL, setting)) return TRUE; } } break; case ScalableIntegerPairSettingType: { if (Information->Type == REG_BINARY) { PPH_SCALABLE_INTEGER_PAIR value = PTR_ADD_OFFSET(Information, Information->DataOffset); setting->u.Pointer = PhAllocateCopy(value, sizeof(PH_SCALABLE_INTEGER_PAIR)); return TRUE; } else if (Information->Type == REG_SZ) { if (PhSettingFromString(setting->Type, &settingValue, NULL, setting)) return TRUE; } } break; } assert(FALSE); } else { setting = PhAllocateZero(sizeof(PH_SETTING)); setting->Type = StringSettingType; setting->Name.Buffer = PhAllocateCopy(settingName.Buffer, settingName.Length + sizeof(WCHAR)); setting->Name.Length = settingName.Length; setting->u.Pointer = PhCreateString2(&settingValue); PhAddItemList(PhIgnoredSettings, setting); } return TRUE; } static VOID PhpSaveSettingsToKey( _In_ HANDLE KeyHandle ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SETTING setting; PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); while (setting = PhNextEnumHashtable(&enumContext)) { switch (setting->Type) { case StringSettingType: { PPH_STRING value = (PPH_STRING)setting->u.Pointer; if (PhIsNullOrEmptyString(value)) { PhDeleteValueKey(KeyHandle, &setting->Name); } else { PhSetValueKey( KeyHandle, &setting->Name, REG_SZ, value->Buffer, (ULONG)value->Length + sizeof(UNICODE_NULL) ); } } break; case IntegerSettingType: { if (setting->u.Integer) { PhSetValueKey( KeyHandle, &setting->Name, REG_DWORD, &setting->u.Integer, sizeof(setting->u.Integer) ); } else { PhDeleteValueKey(KeyHandle, &setting->Name); } } break; case IntegerPairSettingType: { PPH_INTEGER_PAIR integerPair = &setting->u.IntegerPair; LARGE_INTEGER value; value.LowPart = integerPair->X; value.HighPart = integerPair->Y; if (value.QuadPart) { PhSetValueKey( KeyHandle, &setting->Name, REG_QWORD, &value.QuadPart, sizeof(value.QuadPart) ); } else { PhDeleteValueKey(KeyHandle, &setting->Name); } } break; case ScalableIntegerPairSettingType: { PPH_SCALABLE_INTEGER_PAIR scalableIntegerPair = setting->u.Pointer; if (scalableIntegerPair && scalableIntegerPair->X && scalableIntegerPair->Y && scalableIntegerPair->Scale) { PhSetValueKey( KeyHandle, &setting->Name, REG_BINARY, scalableIntegerPair, sizeof(PH_SCALABLE_INTEGER_PAIR) ); } else { PhDeleteValueKey(KeyHandle, &setting->Name); } } break; default: { PPH_STRING settingValue = PhSettingToString(setting->Type, setting); PhSetValueKey( KeyHandle, &setting->Name, REG_SZ, settingValue->Buffer, (ULONG)settingValue->Length + sizeof(UNICODE_NULL) ); PhDereferenceObject(settingValue); } break; } } for (ULONG i = 0; i < PhIgnoredSettings->Count; i++) { setting = PhIgnoredSettings->Items[i]; switch (setting->Type) { case StringSettingType: { PPH_STRING value = (PPH_STRING)setting->u.Pointer; if (PhIsNullOrEmptyString(value)) { PhDeleteValueKey(KeyHandle, &setting->Name); } else { PhSetValueKey( KeyHandle, &setting->Name, REG_SZ, value->Buffer, (ULONG)value->Length + sizeof(UNICODE_NULL) ); } } break; case IntegerSettingType: { if (setting->u.Integer) { PhSetValueKey( KeyHandle, &setting->Name, REG_DWORD, &setting->u.Integer, sizeof(setting->u.Integer) ); } else { PhDeleteValueKey(KeyHandle, &setting->Name); } } break; case IntegerPairSettingType: { PPH_INTEGER_PAIR integerPair = &setting->u.IntegerPair; LARGE_INTEGER value; value.LowPart = integerPair->X; value.HighPart = integerPair->Y; if (value.QuadPart) { PhSetValueKey( KeyHandle, &setting->Name, REG_QWORD, &value.QuadPart, sizeof(value.QuadPart) ); } else { PhDeleteValueKey(KeyHandle, &setting->Name); } } break; case ScalableIntegerPairSettingType: { PPH_SCALABLE_INTEGER_PAIR scalableIntegerPair = setting->u.Pointer; if (scalableIntegerPair && scalableIntegerPair->X && scalableIntegerPair->Y && scalableIntegerPair->Scale) { PhSetValueKey( KeyHandle, &setting->Name, REG_BINARY, scalableIntegerPair, sizeof(PH_SCALABLE_INTEGER_PAIR) ); } else { PhDeleteValueKey(KeyHandle, &setting->Name); } } break; default: { PPH_STRING settingValue = PhSettingToString(setting->Type, setting); PhSetValueKey( KeyHandle, &setting->Name, REG_SZ, settingValue->Buffer, (ULONG)settingValue->Length + sizeof(UNICODE_NULL) ); PhDereferenceObject(settingValue); } break; } } } NTSTATUS PhLoadSettingsAppKey( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; HANDLE keyHandle; status = PhLoadAppKey( &keyHandle, FileName, KEY_ALL_ACCESS, REG_APP_HIVE | REG_PROCESS_PRIVATE | REG_HIVE_NO_RM ); if (!NT_SUCCESS(status)) return status; PhAcquireQueuedLockExclusive(&PhSettingsLock); status = PhEnumerateValueKey( keyHandle, KeyValueFullInformation, PhSettingsKeyCallback, NULL ); PhReleaseQueuedLockExclusive(&PhSettingsLock); NtClose(keyHandle); return status; } NTSTATUS PhSaveSettingsAppKey( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; HANDLE keyHandle; status = PhLoadAppKey( &keyHandle, FileName, KEY_ALL_ACCESS, REG_APP_HIVE | REG_PROCESS_PRIVATE | REG_HIVE_NO_RM ); if (!NT_SUCCESS(status)) return status; PhAcquireQueuedLockShared(&PhSettingsLock); PhpSaveSettingsToKey(keyHandle); PhReleaseQueuedLockShared(&PhSettingsLock); NtClose(keyHandle); return status; } NTSTATUS PhLoadSettingsKey( VOID ) { static CONST PH_STRINGREF keyName = PH_STRINGREF_INIT(L"Software\\SystemInformer"); NTSTATUS status; HANDLE keyHandle; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_CURRENT_USER, &keyName, 0 ); if (!NT_SUCCESS(status)) return status; PhAcquireQueuedLockExclusive(&PhSettingsLock); status = PhEnumerateValueKey( keyHandle, KeyValueFullInformation, PhSettingsKeyCallback, NULL ); PhReleaseQueuedLockExclusive(&PhSettingsLock); NtClose(keyHandle); return status; } NTSTATUS PhSaveSettingsKey( VOID ) { static CONST PH_STRINGREF keyName = PH_STRINGREF_INIT(L"Software\\SystemInformer"); NTSTATUS status; HANDLE keyHandle; status = PhCreateKey( &keyHandle, KEY_WRITE, PH_KEY_CURRENT_USER, &keyName, 0, 0, NULL ); if (!NT_SUCCESS(status)) return status; PhAcquireQueuedLockShared(&PhSettingsLock); PhpSaveSettingsToKey(keyHandle); PhReleaseQueuedLockShared(&PhSettingsLock); NtClose(keyHandle); return status; } static BOOLEAN PhLoadSettingsEnumJsonCallback( _In_ PVOID Object, _In_ PCSTR Key, _In_ PVOID Value, _In_opt_ PVOID Context ) { PPH_SETTING setting; PPH_STRING settingName; settingName = PhZeroExtendToUtf16(Key); if (setting = PhpLookupSetting(&settingName->sr)) { PhpFreeSettingValue(setting->Type, setting); switch (setting->Type) { case IntegerSettingType: { if (PhGetJsonObjectType(Value) == PH_JSON_OBJECT_TYPE_INT) { setting->u.Integer = PhGetJsonUInt32Object(Value); break; } } goto DefaultCase; case IntegerPairSettingType: { if (PhGetJsonObjectType(Value) == PH_JSON_OBJECT_TYPE_INT) { ULARGE_INTEGER value; value.QuadPart = PhGetJsonUInt64Object(Value); setting->u.IntegerPair.X = (LONG)value.LowPart; setting->u.IntegerPair.Y = (LONG)value.HighPart; break; } } goto DefaultCase; case StringSettingType: case ScalableIntegerPairSettingType: DefaultCase: { PPH_STRING settingValue; settingValue = PhGetJsonObjectString(Value); if (settingValue) { PhSetReference(&setting->u.Pointer, settingValue); } else { setting->u.Pointer = PhReferenceEmptyString(); } if (!PhSettingFromString( setting->Type, &settingValue->sr, settingValue, setting )) { PhSettingFromString( setting->Type, &setting->DefaultValue, NULL, setting ); } } break; } } else { PPH_STRING settingValue; settingValue = PhGetJsonObjectString(Value); setting = PhAllocateZero(sizeof(PH_SETTING)); setting->Type = StringSettingType; setting->Name.Buffer = PhAllocateCopy(settingName->Buffer, settingName->Length + sizeof(WCHAR)); setting->Name.Length = settingName->Length; PhReferenceObject(settingValue); setting->u.Pointer = settingValue; PhAddItemList(PhIgnoredSettings, setting); } PhDereferenceObject(settingName); return TRUE; } NTSTATUS PhLoadSettingsJson( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; PVOID object; status = PhLoadJsonObjectFromFile(&object, FileName); if (NT_SUCCESS(status)) { if (PhGetJsonObjectType(object) == PH_JSON_OBJECT_TYPE_OBJECT) { PhAcquireQueuedLockExclusive(&PhSettingsLock); PhEnumJsonArrayObject(object, PhLoadSettingsEnumJsonCallback, NULL); PhReleaseQueuedLockExclusive(&PhSettingsLock); } PhFreeJsonObject(object); } return status; } NTSTATUS PhSaveSettingsJson( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; PVOID object; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SETTING setting; PPH_LIST strings = NULL; object = PhCreateJsonObject(); if (!object) return STATUS_FILE_CORRUPT_ERROR; strings = PhCreateList(1); PhAcquireQueuedLockShared(&PhSettingsLock); PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); while (setting = PhNextEnumHashtable(&enumContext)) { switch (setting->Type) { //case IntegerSettingType: // { // PPH_BYTES stringName = PhConvertStringRefToUtf8(&setting->Name); // PhAddJsonObjectInt64(object, stringName->Buffer, setting->u.Integer); // PhAddItemList(strings, stringName); // } // break; //case IntegerPairSettingType: // { // PPH_BYTES stringName = PhConvertStringRefToUtf8(&setting->Name); // ULARGE_INTEGER value; // // value.LowPart = setting->u.IntegerPair.X; // value.HighPart = setting->u.IntegerPair.Y; // PhAddJsonObjectUInt64(object, stringName->Buffer, value.QuadPart); // PhAddItemList(strings, stringName); // } // break; case IntegerSettingType: case IntegerPairSettingType: case StringSettingType: case ScalableIntegerPairSettingType: { PPH_STRING stringSetting; PPH_BYTES stringName; PPH_BYTES stringValue; stringName = PhConvertStringRefToUtf8(&setting->Name); stringSetting = PhSettingToString(setting->Type, setting); stringValue = PhConvertStringToUtf8(stringSetting); PhAddJsonObject2(object, stringName->Buffer, stringValue->Buffer, stringValue->Length); PhAddItemList(strings, stringValue); PhAddItemList(strings, stringSetting); PhAddItemList(strings, stringName); } break; } } for (ULONG i = 0; i < PhIgnoredSettings->Count; i++) { PPH_STRING stringSetting; PPH_BYTES stringName; PPH_BYTES stringValue; setting = PhIgnoredSettings->Items[i]; stringSetting = setting->u.Pointer; stringName = PhConvertStringRefToUtf8(&setting->Name); stringValue = PhConvertStringToUtf8(stringSetting); PhAddJsonObject2(object, stringName->Buffer, stringValue->Buffer, stringValue->Length); PhAddItemList(strings, stringValue); PhAddItemList(strings, stringName); } PhReleaseQueuedLockShared(&PhSettingsLock); status = PhSaveJsonObjectToFile( FileName, object, PH_JSON_TO_STRING_PRETTY ); PhFreeJsonObject(object); PhDereferenceObjects(strings->Items, strings->Count); PhDereferenceObject(strings); return status; } NTSTATUS PhLoadSettingsXml( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; PVOID topNode; PVOID currentNode; PPH_SETTING setting; PPH_STRING settingName; PPH_STRING settingValue; PhpClearIgnoredSettings(); if (!NT_SUCCESS(status = PhLoadXmlObjectFromFile(FileName, &topNode))) return status; if (!topNode) // Return corrupt status and reset the settings. return STATUS_FILE_CORRUPT_ERROR; PhAcquireQueuedLockExclusive(&PhSettingsLock); currentNode = PhGetXmlNodeFirstChild(topNode); while (currentNode) { if (settingName = PhGetXmlNodeAttributeText(currentNode, "name")) { PH_STRINGREF name = settingName->sr; if (PhIsLegacyPrefix(&name)) { PhSkipStringRef(&name, 14 * sizeof(WCHAR)); } settingValue = PhGetXmlNodeOpaqueText(currentNode); { if (setting = PhpLookupSetting(&name)) { PhpFreeSettingValue(setting->Type, setting); if (!PhSettingFromString( setting->Type, &settingValue->sr, settingValue, setting )) { PhSettingFromString( setting->Type, &setting->DefaultValue, NULL, setting ); } } else { setting = PhAllocateZero(sizeof(PH_SETTING)); setting->Type = StringSettingType; setting->Name.Buffer = PhAllocateCopy(settingName->Buffer, settingName->Length + sizeof(WCHAR)); setting->Name.Length = settingName->Length; PhReferenceObject(settingValue); setting->u.Pointer = settingValue; PhAddItemList(PhIgnoredSettings, setting); } } PhDereferenceObject(settingValue); PhDereferenceObject(settingName); } currentNode = PhGetXmlNodeNextChild(currentNode); } PhFreeXmlObject(topNode); PhReleaseQueuedLockExclusive(&PhSettingsLock); return STATUS_SUCCESS; } //static BOOLEAN PhXmlLiteInitialized( // VOID // ) //{ // static PH_INITONCE initOnce = PH_INITONCE_INIT; // static BOOLEAN XmlLiteInitialized = FALSE; // // if (PhBeginInitOnce(&initOnce)) // { // if (CreateXmlReader_Import() && CreateXmlWriter_Import() && SHCreateStreamOnFileEx_Import()) // { // XmlLiteInitialized = TRUE; // } // // PhEndInitOnce(&initOnce); // } // // return XmlLiteInitialized; //} // //HRESULT PhLoadSettingsXmlRead( // _In_ PCWSTR FileName // ) //{ // HRESULT status; // IXmlReader* xmlReader = NULL; // IStream* fileStream = NULL; // PPH_SETTING setting; // SIZE_T settingBufferLength; // WCHAR settingBuffer[0x1000]; // PH_STRINGREF settingName; // PH_STRINGREF settingValue; // XmlNodeType nodeType; // PCWSTR nodeName; // PCWSTR attrName; // // status = SHCreateStreamOnFileEx_Import()( // FileName, // STGM_READ | STGM_SIMPLE, // FILE_ATTRIBUTE_NORMAL, // FALSE, // NULL, // &fileStream // ); // // if (HR_FAILED(status)) // goto CleanupExit; // // status = CreateXmlReader_Import()(&IID_IXmlReader, &xmlReader, NULL); // // if (HR_FAILED(status)) // goto CleanupExit; // // IXmlReader_SetProperty(xmlReader, XmlReaderProperty_DtdProcessing, DtdProcessing_Prohibit); // // status = IXmlReader_SetInput(xmlReader, (IUnknown*)fileStream); // // if (HR_FAILED(status)) // goto CleanupExit; // // while (HR_SUCCESS(IXmlReader_Read(xmlReader, &nodeType))) // { // if (nodeType == XmlNodeType_Element) // { // if (HR_SUCCESS(IXmlReader_GetLocalName(xmlReader, &nodeName, NULL))) // { // if (PhEqualStringZ(nodeName, L"setting", TRUE)) // { // if (HR_SUCCESS(IXmlReader_MoveToFirstAttribute(xmlReader))) // { // if (HR_SUCCESS(IXmlReader_GetLocalName(xmlReader, &attrName, NULL))) // { // if (PhEqualStringZ(attrName, L"name", TRUE)) // { // ULONG nameStringLength = 0; // PCWSTR nameStringBuffer; // // if (HR_SUCCESS(IXmlReader_GetValue(xmlReader, &nameStringBuffer, &nameStringLength))) // { // settingBufferLength = nameStringLength * sizeof(WCHAR); // // if (settingBufferLength % 2 != 0) // continue; // if (settingBufferLength > sizeof(settingBuffer)) // continue; // // // Note: IXmlReader_GetValue returns a pointer to the string offset in the IStream buffer. // // Copy the string since since the offset might be invalid after the next buffer read. (dmex) // memcpy(settingBuffer, nameStringBuffer, settingBufferLength); // settingName.Buffer = settingBuffer; // settingName.Length = settingBufferLength; // // if (HR_SUCCESS(IXmlReader_Read(xmlReader, &nodeType)) && nodeType == XmlNodeType_Text) // { // ULONG valueStringLength = 0; // PCWSTR valueStringBuffer; // // if (HR_SUCCESS(IXmlReader_GetValue(xmlReader, &valueStringBuffer, &valueStringLength))) // { // settingBufferLength = valueStringLength * sizeof(WCHAR); // // if (settingBufferLength % 2 != 0) // continue; // // settingValue.Buffer = (PWCH)valueStringBuffer; // settingValue.Length = settingBufferLength; // // { // setting = PhpLookupSetting(&settingName); // // if (setting) // { // PhpFreeSettingValue(setting->Type, setting); // // if (!PhSettingFromString( // setting->Type, // &settingValue, // NULL, // setting // )) // { // PhSettingFromString( // setting->Type, // &setting->DefaultValue, // NULL, // setting // ); // } // } // else // { // setting = PhAllocate(sizeof(PH_SETTING)); // setting->Name.Buffer = PhAllocateCopy(settingName.Buffer, settingName.Length + sizeof(UNICODE_NULL)); // setting->Name.Length = settingName.Length; // setting->u.Pointer = PhCreateString2(&settingValue); // // PhAddItemList(PhIgnoredSettings, setting); // } // } // } // } // } // } // } // } // } // } // } // } // //CleanupExit: // if (xmlReader) IXmlReader_Release(xmlReader); // if (fileStream) IStream_Release(fileStream); // // return status; //} // //NTSTATUS PhLoadSettingsXmlLite( // _In_ PCPH_STRINGREF FileName // ) //{ // HRESULT status; // PPH_STRING fileNameWin32; // // fileNameWin32 = PhResolveDevicePrefix(FileName); // // if (PhIsNullOrEmptyString(fileNameWin32)) // return STATUS_UNSUCCESSFUL; // // PhMoveReference(&fileNameWin32, PhConcatStringRef2(&PhWin32ExtendedPathPrefix, &fileNameWin32->sr)); // // PhpClearIgnoredSettings(); // // PhAcquireQueuedLockExclusive(&PhSettingsLock); // status = PhLoadSettingsXmlRead(PhGetString(fileNameWin32)); // PhReleaseQueuedLockExclusive(&PhSettingsLock); // // PhDereferenceObject(fileNameWin32); // // if (HR_FAILED(status)) // return STATUS_UNSUCCESSFUL; // HRESULT_CODE(status); // return STATUS_SUCCESS; //} // //DEFINE_GUID(IID_IXmlWriterLite, 0x862494C6, 0x1310, 0x4AAD, 0xB3, 0xCD, 0x2D, 0xBE, 0xEB, 0xF6, 0x70, 0xD3); // //HRESULT PhSaveSettingsXmlWrite( // _In_ PCWSTR FileName // ) //{ // HRESULT status; // PH_AUTO_POOL autoPool; // IStream* fileStream = NULL; // PH_HASHTABLE_ENUM_CONTEXT enumContext; // PPH_SETTING setting; // // status = SHCreateStreamOnFileEx_Import()( // FileName, // STGM_WRITE | STGM_CREATE, // FILE_ATTRIBUTE_NORMAL, // TRUE, // NULL, // &fileStream // ); // // if (HR_FAILED(status)) // return status; // // PhInitializeAutoPool(&autoPool); // // { // IXmlWriter* xmlWriter = NULL; // // status = CreateXmlWriter_Import()(&IID_IXmlWriter, &xmlWriter, NULL); // // if (HR_FAILED(status)) // goto CleanupExit; // // IXmlWriter_SetProperty(xmlWriter, XmlWriterProperty_Indent, TRUE); // IXmlWriter_SetProperty(xmlWriter, XmlWriterProperty_OmitXmlDeclaration, TRUE); // // status = IXmlWriter_SetOutput(xmlWriter, (IUnknown*)fileStream); // // if (HR_FAILED(status)) // goto CleanupExit; // // IXmlWriter_WriteStartElement(xmlWriter, NULL, L"settings", NULL); // // PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); // // while (setting = PhNextEnumHashtable(&enumContext)) // { // PPH_STRING settingValue; // // settingValue = PH_AUTO_T(PH_STRING, PhSettingToString(setting->Type, setting)); // IXmlWriter_WriteStartElement(xmlWriter, NULL, L"setting", NULL); // IXmlWriter_WriteAttributeString(xmlWriter, NULL, L"name", NULL, PhGetStringRefZ(&setting->Name)); // IXmlWriter_WriteString(xmlWriter, PhGetStringRefZ(&settingValue->sr)); // IXmlWriter_WriteEndElement(xmlWriter); // } // // for (ULONG i = 0; i < PhIgnoredSettings->Count; i++) // { // PPH_STRING settingValue; // // setting = PhIgnoredSettings->Items[i]; // settingValue = setting->u.Pointer; // // IXmlWriter_WriteStartElement(xmlWriter, NULL, L"setting", NULL); // IXmlWriter_WriteAttributeString(xmlWriter, NULL, L"name", NULL, PhGetStringRefZ(&setting->Name)); // IXmlWriter_WriteString(xmlWriter, PhGetStringRefZ(&settingValue->sr)); // IXmlWriter_WriteEndElement(xmlWriter); // } // // IXmlWriter_WriteEndElement(xmlWriter); // // status = IXmlWriter_Flush(xmlWriter); // // IXmlWriter_Release(xmlWriter); // } // // //{ // // IXmlWriterLite* xmlWriterLite = NULL; // // // // status = CreateXmlWriter_Import()(&IID_IXmlWriterLite, &xmlWriterLite, NULL); // // // // if (HR_FAILED(status)) // // goto CleanupExit; // // // // status = IXmlWriterLite_SetOutput(xmlWriterLite, (IUnknown*)fileStream); // // // // if (HR_FAILED(status)) // // goto CleanupExit; // // // IXmlWriterLite_WriteStartElement(xmlWriterLite, L"settings", 8); // // IXmlWriterLite_WriteWhitespace(xmlWriterLite, L"\n"); // // // // PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); // // // // while (setting = PhNextEnumHashtable(&enumContext)) // // { // // PPH_STRING settingValue; // // // // settingValue = PhSettingToString(setting->Type, setting); // // IXmlWriterLite_WriteStartElement(xmlWriterLite, L"setting", 7); // // IXmlWriterLite_WriteAttributeString(xmlWriterLite, L"name", 4, setting->Name.Buffer, (ULONG)setting->Name.Length / sizeof(WCHAR)); // // IXmlWriterLite_WriteString(xmlWriterLite, PhGetStringRefZ(&settingValue->sr)); // // //IXmlWriterLite_WriteChars(xmlWriterLite, settingValue->Buffer, (ULONG)settingValue->Length / sizeof(WCHAR)); // // IXmlWriterLite_WriteEndElement(xmlWriterLite, L"setting", 7); // // IXmlWriterLite_WriteWhitespace(xmlWriterLite, L"\n"); // // PhDereferenceObject(settingValue); // // } // // // // // Write the ignored settings. // // // // for (ULONG i = 0; i < PhIgnoredSettings->Count; i++) // // { // // PPH_STRING settingValue; // // // // setting = PhIgnoredSettings->Items[i]; // // settingValue = setting->u.Pointer; // // IXmlWriterLite_WriteStartElement(xmlWriterLite, L"setting", 7); // // IXmlWriterLite_WriteAttributeString(xmlWriterLite, L"name", 4, setting->Name.Buffer, (ULONG)setting->Name.Length / sizeof(WCHAR)); // // IXmlWriterLite_WriteString(xmlWriterLite, PhGetStringRefZ(&settingValue->sr)); // // IXmlWriterLite_WriteEndElement(xmlWriterLite, L"setting", 7); // // IXmlWriterLite_WriteWhitespace(xmlWriterLite, L"\n"); // // } // // // // IXmlWriterLite_WriteEndElement(xmlWriterLite, L"settings", 8); // // // status = IXmlWriterLite_Flush(xmlWriterLite); // // // // IXmlWriterLite_Release(xmlWriterLite); // //} // //CleanupExit: // //IStream_Commit(fileStream, STGC_DEFAULT); // IStream_Release(fileStream); // // PhDeleteAutoPool(&autoPool); // // return status; //} // //NTSTATUS PhSaveSettingsXmlLite( // _In_ PCPH_STRINGREF FileName // ) //{ // static CONST PH_STRINGREF extension = PH_STRINGREF_INIT(L".tmp"); // HRESULT status; // PPH_STRING fileNameWin32; // PPH_STRING fileNameTempWin32; // // fileNameWin32 = PhResolveDevicePrefix(FileName); // // if (PhIsNullOrEmptyString(fileNameWin32)) // return STATUS_UNSUCCESSFUL; // // // TODO: Write XmlLite to buffer and atomic rename (same as PhSaveXmlObjectToFile) (dmex) // PhMoveReference(&fileNameWin32, PhConcatStringRef2(&PhWin32ExtendedPathPrefix, &fileNameWin32->sr)); // fileNameTempWin32 = PhConcatStringRef2(&fileNameWin32->sr, &extension); // // PhpClearIgnoredSettings(); // // PhAcquireQueuedLockShared(&PhSettingsLock); // status = PhSaveSettingsXmlWrite(PhGetString(fileNameTempWin32)); // PhReleaseQueuedLockShared(&PhSettingsLock); // // if (HR_FAILED(status)) // { // PhDereferenceObject(fileNameTempWin32); // PhDereferenceObject(fileNameWin32); // return STATUS_UNSUCCESSFUL; // HRESULT_CODE(status); // } // // status = PhMoveFileWin32( // PhGetString(fileNameTempWin32), // PhGetString(fileNameWin32), // FALSE // ); // // PhDereferenceObject(fileNameTempWin32); // PhDereferenceObject(fileNameWin32); // return status; //} PCSTR PhpSettingsSaveCallback( _In_ PVOID cbdata, _In_ PVOID node, _In_ LONG when ) { PCSTR elementName; if (!(elementName = PhGetXmlNodeElementText(node))) return NULL; if (PhEqualBytesZ(elementName, "setting", TRUE)) { if (when == MXML_WS_BEFORE_OPEN) return " "; else if (when == MXML_WS_AFTER_CLOSE) return "\r\n"; } else if (PhEqualBytesZ(elementName, "settings", TRUE)) { if (when == MXML_WS_AFTER_OPEN) return "\r\n"; } return NULL; } PVOID PhpCreateSettingElement( _Inout_ PVOID ParentNode, _In_ PCPH_STRINGREF SettingName, _In_ PCPH_STRINGREF SettingValue ) { PVOID settingNode; PPH_BYTES settingNameUtf8; PPH_BYTES settingValueUtf8; // Create the setting element. settingNode = PhCreateXmlNode(ParentNode, "setting"); settingNameUtf8 = PhConvertUtf16ToUtf8Ex(SettingName->Buffer, SettingName->Length); PhSetXmlNodeAttributeText(settingNode, "name", settingNameUtf8->Buffer); PhDereferenceObject(settingNameUtf8); // Set the value. settingValueUtf8 = PhConvertUtf16ToUtf8Ex(SettingValue->Buffer, SettingValue->Length); PhCreateXmlOpaqueNode(settingNode, settingValueUtf8->Buffer); PhDereferenceObject(settingValueUtf8); return settingNode; } NTSTATUS PhSaveSettingsXml( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; PVOID topNode; PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SETTING setting; topNode = PhCreateXmlNode(NULL, "settings"); PhAcquireQueuedLockShared(&PhSettingsLock); PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); while (setting = PhNextEnumHashtable(&enumContext)) { PPH_STRING settingValue; settingValue = PhSettingToString(setting->Type, setting); PhpCreateSettingElement(topNode, &setting->Name, &settingValue->sr); PhDereferenceObject(settingValue); } // Write the ignored settings. for (ULONG i = 0; i < PhIgnoredSettings->Count; i++) { PPH_STRING settingValue; setting = PhIgnoredSettings->Items[i]; settingValue = setting->u.Pointer; PhpCreateSettingElement(topNode, &setting->Name, &settingValue->sr); } PhReleaseQueuedLockShared(&PhSettingsLock); status = PhSaveXmlObjectToFile( FileName, topNode, PhpSettingsSaveCallback ); PhFreeXmlObject(topNode); if (status == STATUS_SHARING_VIOLATION) // Skip multiple instances (dmex) status = STATUS_SUCCESS; return status; } typedef struct _PH_SETTINGS_DISCOVERY_RESULT { PH_SETTINGS_FORMAT Format; PPH_STRING FilePath; LARGE_INTEGER LastWriteTime; BOOLEAN Found; } PH_SETTINGS_DISCOVERY_RESULT, *PPH_SETTINGS_DISCOVERY_RESULT; static ULONG PhpDiscoverSettingsStores( _In_opt_ PPH_STRING BasePath, _In_opt_ PCWSTR DefaultName, _Out_writes_(PH_SETTINGS_STORE_COUNT) PPH_SETTINGS_DISCOVERY_RESULT Results, _In_ ULONG ResultCount, _Out_opt_ PBOOLEAN IsPortable ) { ULONG foundCount = 0; RtlZeroMemory(Results, sizeof(PH_SETTINGS_DISCOVERY_RESULT) * ResultCount); if (IsPortable) *IsPortable = FALSE; if (!BasePath) { PPH_STRING searchPath; // 1. Portable if (searchPath = PhGetApplicationFileNameZ(L".settings")) { foundCount = PhpDiscoverSettingsStores(searchPath, DefaultName, Results, ResultCount, NULL); PhDereferenceObject(searchPath); if (foundCount > 0) { if (IsPortable) *IsPortable = TRUE; return foundCount; } } // 2. AppData if (DefaultName && (searchPath = PhGetRoamingAppDataDirectoryZ(DefaultName, TRUE))) { foundCount = PhpDiscoverSettingsStores(searchPath, DefaultName, Results, ResultCount, NULL); PhDereferenceObject(searchPath); if (foundCount > 0) return foundCount; } } for (ULONG i = 0; i < PH_SETTINGS_STORE_COUNT; i++) // ... (omitting lines for brevity, but I will include them in the real tool call) { const PH_SETTINGS_STORE_DESCRIPTOR* store = &PhSettingsStores[i]; Results[i].Format = store->Format; Results[i].Found = FALSE; if (store->IsFileBased) { if (!BasePath) continue; PPH_STRING filePath = PhConcatStringRefZ(&BasePath->sr, store->Extension); if (PhDoesFileExist(&filePath->sr)) { FILE_NETWORK_OPEN_INFORMATION networkOpenInfo; if (NT_SUCCESS(PhQueryFullAttributesFile(&filePath->sr, &networkOpenInfo))) { Results[i].Found = TRUE; Results[i].FilePath = filePath; Results[i].LastWriteTime = networkOpenInfo.LastWriteTime; foundCount++; } else { PhDereferenceObject(filePath); } } else { PhDereferenceObject(filePath); } } else if (store->Format == SettingsFormatReg) { if (BasePath) continue; static CONST PH_STRINGREF keyName = PH_STRINGREF_INIT(L"Software\\SystemInformer"); HANDLE keyHandle; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_CURRENT_USER, &keyName, 0 ))) { //LARGE_INTEGER lastwriteTime = { 0 }; //PhQueryKeyLastWriteTime(keyHandle, &lastwriteTime); Results[i].Found = TRUE; Results[i].FilePath = NULL; //Results[i].LastWriteTime = lastwriteTime; foundCount++; NtClose(keyHandle); } } } return foundCount; } static LONG PhpSelectBestSettingsStore( _In_reads_(PH_SETTINGS_STORE_COUNT) PPH_SETTINGS_DISCOVERY_RESULT Results ) { LONG preferredIndex = -1; LONG newestIndex = -1; LONG highestPriorityIndex = -1; LARGE_INTEGER newestTime = { 0 }; LONG highestPriority = INT_MAX; for (ULONG i = 0; i < PH_SETTINGS_STORE_COUNT; i++) { if (!Results[i].Found) continue; if (PhSettingsStores[i].IsPreferred) { preferredIndex = i; } if (PhSettingsStores[i].IsFileBased) { if (Results[i].LastWriteTime.QuadPart > newestTime.QuadPart) { newestTime = Results[i].LastWriteTime; newestIndex = i; } } if (PhSettingsStores[i].Priority < highestPriority) { highestPriority = PhSettingsStores[i].Priority; highestPriorityIndex = i; } } if (preferredIndex >= 0) return preferredIndex; if (newestIndex >= 0) return newestIndex; return highestPriorityIndex; } static VOID PhpFreeDiscoveryResults( _In_reads_(PH_SETTINGS_STORE_COUNT) PPH_SETTINGS_DISCOVERY_RESULT Results ) { for (ULONG i = 0; i < PH_SETTINGS_STORE_COUNT; i++) { if (Results[i].FilePath) { PhDereferenceObject(Results[i].FilePath); Results[i].FilePath = NULL; } } } NTSTATUS PhLoadSettingsAutoDetect( _In_opt_ PPH_STRING BasePath, _In_opt_ PCWSTR DefaultName, _Out_opt_ PPH_STRING* ActualPath, _Out_opt_ PH_SETTINGS_FORMAT* ActualFormat, _Out_opt_ PBOOLEAN IsPortable ) { PH_SETTINGS_DISCOVERY_RESULT results[PH_SETTINGS_STORE_COUNT]; NTSTATUS status = STATUS_NOT_FOUND; LONG selectedIndex; ULONG foundCount; foundCount = PhpDiscoverSettingsStores(BasePath, DefaultName, results, PH_SETTINGS_STORE_COUNT, IsPortable); if (foundCount == 0) { if (ActualPath) { PPH_STRING searchPath = NULL; if (BasePath) { searchPath = PhReferenceObject(BasePath); } else if (DefaultName) { searchPath = PhGetRoamingAppDataDirectoryZ(DefaultName, TRUE); } if (searchPath) { for (ULONG i = 0; i < PH_SETTINGS_STORE_COUNT; i++) { if (PhSettingsStores[i].IsPreferred && PhSettingsStores[i].IsFileBased) { *ActualPath = PhConcatStringRefZ(&searchPath->sr, PhSettingsStores[i].Extension); if (ActualFormat) *ActualFormat = PhSettingsStores[i].Format; break; } } PhDereferenceObject(searchPath); } } return STATUS_OBJECT_NAME_NOT_FOUND; } selectedIndex = PhpSelectBestSettingsStore(results); if (selectedIndex < 0) { status = STATUS_NOT_FOUND; goto Cleanup; } const PH_SETTINGS_STORE_DESCRIPTOR* selectedStore = &PhSettingsStores[selectedIndex]; switch (selectedStore->Format) { case SettingsFormatJson: status = PhLoadSettingsJson(&results[selectedIndex].FilePath->sr); break; case SettingsFormatXml: status = PhLoadSettingsXml(&results[selectedIndex].FilePath->sr); break; case SettingsFormatKey: status = PhLoadSettingsAppKey(&results[selectedIndex].FilePath->sr); break; case SettingsFormatReg: status = PhLoadSettingsKey(); break; case SettingsFormatBin: status = PhLoadSettingsBin(&results[selectedIndex].FilePath->sr); break; default: status = STATUS_NOT_SUPPORTED; break; } if (NT_SUCCESS(status)) { if (ActualPath) { if (results[selectedIndex].FilePath) *ActualPath = PhReferenceObject(results[selectedIndex].FilePath); else *ActualPath = NULL; } if (ActualFormat) *ActualFormat = selectedStore->Format; PhSettingsLoadedFormat = selectedStore->Format; } Cleanup: PhpFreeDiscoveryResults(results); return status; } NTSTATUS PhLoadSettings( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status = STATUS_INVALID_PARAMETER; // Detect format from extension for (ULONG i = 0; i < PH_SETTINGS_STORE_COUNT; i++) { if (PhSettingsStores[i].IsFileBased && PhEndsWithStringRef2(FileName, PhSettingsStores[i].Extension, TRUE)) { PhSettingsLoadedFormat = PhSettingsStores[i].Format; switch (PhSettingsStores[i].Format) { case SettingsFormatBin: status = PhLoadSettingsBin(FileName); break; case SettingsFormatJson: status = PhLoadSettingsJson(FileName); break; case SettingsFormatXml: status = PhLoadSettingsXml(FileName); break; case SettingsFormatKey: status = PhLoadSettingsAppKey(FileName); break; } break; } } return status; } NTSTATUS PhSaveSettings( _In_opt_ PCPH_STRINGREF FileName ) { NTSTATUS status = STATUS_INVALID_PARAMETER; switch (PhSettingsLoadedFormat) { case SettingsFormatJson: { if (FileName) { status = PhSaveSettingsJson(FileName); } } break; case SettingsFormatXml: { if (FileName) { status = PhSaveSettingsXml(FileName); } } break; case SettingsFormatKey: { if (FileName) { status = PhSaveSettingsAppKey(FileName); } } break; case SettingsFormatReg: { status = PhSaveSettingsKey(); } break; case SettingsFormatBin: { if (FileName) { status = PhSaveSettingsBin(FileName); } } break; } return status; } VOID PhResetSettings( _In_ HWND hwnd ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_SETTING setting; PhAcquireQueuedLockExclusive(&PhSettingsLock); PhBeginEnumHashtable(PhSettingsHashtable, &enumContext); while (setting = PhNextEnumHashtable(&enumContext)) { PhpFreeSettingValue(setting->Type, setting); PhSettingFromString(setting->Type, &setting->DefaultValue, NULL, setting); } PhReleaseQueuedLockExclusive(&PhSettingsLock); } NTSTATUS PhResetSettingsFile( _In_ PCPH_STRINGREF FileName ) { NTSTATUS status; HANDLE fileHandle; PVOID data = NULL; SIZE_T dataLength = 0; CHAR jsonData[] = "{}"; CHAR xmlData[] = ""; PH_SETTINGS_FORMAT detectedFormat = SettingsFormatJson; PH_SETTINGS_BIN_HEADER binData = { PH_SETTINGS_BIN_SIGNATURE, PH_SETTINGS_BIN_VERSION, 0 }; // Detect format from file extension for (ULONG i = 0; i < PH_SETTINGS_STORE_COUNT; i++) { if (PhSettingsStores[i].IsFileBased && PhEndsWithStringRef2(FileName, PhSettingsStores[i].Extension, TRUE)) { detectedFormat = PhSettingsStores[i].Format; break; } } // Select appropriate reset data based on format switch (detectedFormat) { case SettingsFormatJson: data = jsonData; dataLength = sizeof(jsonData) - 1; break; case SettingsFormatXml: data = xmlData; dataLength = sizeof(xmlData) - 1; break; case SettingsFormatKey: // For AppKey/DAT files, delete and recreate is better PhDeleteFile(FileName); return STATUS_SUCCESS; case SettingsFormatReg: // Registry format doesn't use file - should not be called return STATUS_NOT_SUPPORTED; case SettingsFormatBin: data = &binData; dataLength = sizeof(PH_SETTINGS_BIN_HEADER); break; default: // Unknown format - default to JSON data = jsonData; dataLength = sizeof(jsonData) - 1; break; } // Overwrite the file with empty valid content status = PhCreateFile( &fileHandle, FileName, FILE_GENERIC_WRITE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { PhWriteFile(fileHandle, data, (ULONG)dataLength, NULL, NULL); NtClose(fileHandle); } return status; } VOID PhAddSetting( _In_ PH_SETTING_TYPE Type, _In_ PCPH_STRINGREF Name, _In_ PCPH_STRINGREF DefaultValue ) { PH_SETTING setting; memset(&setting, 0, sizeof(PH_SETTING)); setting.Type = Type; setting.Name = *Name; setting.DefaultValue = *DefaultValue; memset(&setting.u, 0, sizeof(setting.u)); PhSettingFromString(Type, &setting.DefaultValue, NULL, &setting); PhAddEntryHashtable(PhSettingsHashtable, &setting); } VOID PhAddSettings( _In_ PPH_SETTING_CREATE Settings, _In_ ULONG NumberOfSettings ) { ULONG i; PhAcquireQueuedLockExclusive(&PhSettingsLock); for (i = 0; i < NumberOfSettings; i++) { PH_STRINGREF name; PH_STRINGREF defaultValue; PhInitializeStringRefLongHint(&name, Settings[i].Name); PhInitializeStringRefLongHint(&defaultValue, Settings[i].DefaultValue); PhAddSetting(Settings[i].Type, &name, &defaultValue); } PhReleaseQueuedLockExclusive(&PhSettingsLock); } PPH_SETTING PhGetSetting( _In_ PCPH_STRINGREF Name ) { PPH_SETTING setting; PhAcquireQueuedLockShared(&PhSettingsLock); setting = PhpLookupSetting(Name); PhReleaseQueuedLockShared(&PhSettingsLock); return setting; } VOID PhLoadWindowPlacementFromRectangle( _In_ PCWSTR PositionSettingName, _In_ PCWSTR SizeSettingName, _Inout_ PPH_RECTANGLE WindowRectangle ) { PH_INTEGER_PAIR windowIntegerPair = { 0 }; PPH_SCALABLE_INTEGER_PAIR scalableIntegerPair = NULL; LONG windowDpi; RECT windowRect; windowIntegerPair = PhGetIntegerPairSetting(PositionSettingName); scalableIntegerPair = PhGetScalableIntegerPairSetting(SizeSettingName, FALSE, 0); memset(WindowRectangle, 0, sizeof(PH_RECTANGLE)); WindowRectangle->Position = windowIntegerPair; WindowRectangle->Size = scalableIntegerPair->Pair; PhRectangleToRect(&windowRect, WindowRectangle); windowDpi = PhGetMonitorDpi(NULL, &windowRect); PhScalableIntegerPairToScale(scalableIntegerPair, windowDpi); PhAdjustRectangleToWorkingArea(NULL, WindowRectangle); } BOOLEAN PhLoadWindowPlacementFromSetting( _In_opt_ PCWSTR PositionSettingName, _In_opt_ PCWSTR SizeSettingName, _In_ HWND WindowHandle ) { if (PositionSettingName && SizeSettingName) { PH_INTEGER_PAIR windowIntegerPair = { 0 }; PPH_SCALABLE_INTEGER_PAIR scalableIntegerPair = NULL; PH_RECTANGLE windowRectangle = { 0 }; LONG dpi; RECT rectForAdjust; windowIntegerPair = PhGetIntegerPairSetting(PositionSettingName); scalableIntegerPair = PhGetScalableIntegerPairSetting(SizeSettingName, FALSE, 0); windowRectangle.Position = windowIntegerPair; windowRectangle.Size = scalableIntegerPair->Pair; if (windowRectangle.Position.X == 0) return FALSE; PhAdjustRectangleToWorkingArea(NULL, &windowRectangle); // Update the window position before querying the DPI or changing the size. (dmex) SetWindowPos( WindowHandle, NULL, windowRectangle.Left, windowRectangle.Top, 0, 0, SWP_NOACTIVATE | SWP_NOREDRAW | SWP_NOSIZE | SWP_NOZORDER ); //dpi = PhGetMonitorDpiFromRect(&windowRectangle); dpi = PhGetWindowDpi(WindowHandle); PhScalableIntegerPairToScale(scalableIntegerPair, dpi); RtlZeroMemory(&windowRectangle, sizeof(PH_RECTANGLE)); windowRectangle.Position = windowIntegerPair; windowRectangle.Size = scalableIntegerPair->Pair; // Let the window adjust for the minimum size if needed. PhRectangleToRect(&rectForAdjust, &windowRectangle); SendMessage(WindowHandle, WM_SIZING, WMSZ_BOTTOMRIGHT, (LPARAM)&rectForAdjust); PhRectToRectangle(&windowRectangle, &rectForAdjust); MoveWindow(WindowHandle, windowRectangle.Left, windowRectangle.Top, windowRectangle.Width, windowRectangle.Height, FALSE); } else { PH_RECTANGLE windowRectangle = { 0 }; PH_INTEGER_PAIR position = { 0 }; PH_INTEGER_PAIR size; ULONG flags; LONG dpi; flags = SWP_NOACTIVATE | SWP_NOMOVE | SWP_NOREDRAW | SWP_NOSIZE | SWP_NOZORDER; if (PositionSettingName) { position = PhGetIntegerPairSetting(PositionSettingName); ClearFlag(flags, SWP_NOMOVE); } else { position.X = 0; position.Y = 0; } if (SizeSettingName) { //RECT rect; // //windowRectangle.Position = position; //rect = PhRectangleToRect(windowRectangle); //dpi = PhGetMonitorDpi(&rect); dpi = PhGetWindowDpi(WindowHandle); size = PhGetScalableIntegerPairSetting(SizeSettingName, TRUE, dpi)->Pair; ClearFlag(flags, SWP_NOSIZE); } else { RECT windowRect; //size.X = 16; //size.Y = 16; if (!PhGetWindowRect(WindowHandle, &windowRect)) return FALSE; size.X = windowRect.right - windowRect.left; size.Y = windowRect.bottom - windowRect.top; } // Make sure the window doesn't get positioned on disconnected monitors. (dmex) windowRectangle.Position = position; windowRectangle.Size = size; PhAdjustRectangleToWorkingArea(NULL, &windowRectangle); SetWindowPos(WindowHandle, NULL, windowRectangle.Left, windowRectangle.Top, size.X, size.Y, flags); } return TRUE; } VOID PhSaveWindowPlacementToSetting( _In_opt_ PCWSTR PositionSettingName, _In_opt_ PCWSTR SizeSettingName, _In_ HWND WindowHandle ) { WINDOWPLACEMENT placement = { sizeof(placement) }; PH_RECTANGLE windowRectangle; MONITORINFO monitorInfo = { sizeof(MONITORINFO) }; //RECT rect; LONG dpi; GetWindowPlacement(WindowHandle, &placement); PhRectToRectangle(&windowRectangle, &placement.rcNormalPosition); // The rectangle is in workspace coordinates. Convert the values back to screen coordinates. if (GetMonitorInfo(MonitorFromRect(&placement.rcNormalPosition, MONITOR_DEFAULTTOPRIMARY), &monitorInfo)) { windowRectangle.Left += monitorInfo.rcWork.left - monitorInfo.rcMonitor.left; windowRectangle.Top += monitorInfo.rcWork.top - monitorInfo.rcMonitor.top; } //PhRectangleToRect(&rect, &windowRectangle); //dpi = PhGetMonitorDpi(&rect); dpi = PhGetWindowDpi(WindowHandle); if (PositionSettingName) PhSetIntegerPairSetting(PositionSettingName, windowRectangle.Position); if (SizeSettingName) PhSetScalableIntegerPairSetting2(SizeSettingName, windowRectangle.Size, dpi); } BOOLEAN PhLoadListViewColumnSettings( _In_ HWND ListViewHandle, _In_ PPH_STRING Settings ) { #define ORDER_LIMIT 50 PH_STRINGREF remainingPart; ULONG columnIndex; ULONG orderArray[ORDER_LIMIT]; // HACK, but reasonable limit ULONG maxOrder; LONG dpi = 0; #ifdef DEBUG HWND headerHandle = ListView_GetHeader(ListViewHandle); assert(Header_GetItemCount(headerHandle) < ORDER_LIMIT); #endif if (PhIsNullOrEmptyString(Settings)) return FALSE; remainingPart = Settings->sr; columnIndex = 0; memset(orderArray, 0, sizeof(orderArray)); maxOrder = 0; if (WindowsVersion >= WINDOWS_10) { dpi = PhGetWindowDpi(ListViewHandle); } while (remainingPart.Length != 0) { PH_STRINGREF columnPart; PH_STRINGREF orderPart; PH_STRINGREF widthPart; ULONG64 integer; ULONG order; LONG width; LVCOLUMN lvColumn; PhSplitStringRefAtChar(&remainingPart, L'|', &columnPart, &remainingPart); if (columnPart.Length == 0) return FALSE; PhSplitStringRefAtChar(&columnPart, L',', &orderPart, &widthPart); if (orderPart.Length == 0 || widthPart.Length == 0) return FALSE; // Order if (!PhStringToInteger64(&orderPart, 10, &integer)) return FALSE; order = (ULONG)integer; if (order < ORDER_LIMIT) { orderArray[order] = columnIndex; if (maxOrder < order + 1) maxOrder = order + 1; } // Width if (!PhStringToInteger64(&widthPart, 10, &integer)) return FALSE; width = (LONG)integer; lvColumn.mask = LVCF_WIDTH; lvColumn.cx = WindowsVersion >= WINDOWS_10 ? PhScaleToDisplay(width, dpi) : width; ListView_SetColumn(ListViewHandle, columnIndex, &lvColumn); columnIndex++; } ListView_SetColumnOrderArray(ListViewHandle, maxOrder, orderArray); return TRUE; } PPH_STRING PhSaveListViewColumnSettings( _In_ HWND ListViewHandle ) { PH_STRING_BUILDER stringBuilder; ULONG i = 0; LVCOLUMN lvColumn; LONG dpiValue; PhInitializeStringBuilder(&stringBuilder, 20); dpiValue = PhGetWindowDpi(ListViewHandle); //{ // PH_FORMAT format[3]; // SIZE_T returnLength; // WCHAR buffer[PH_INT64_STR_LEN_1]; // // // @%lu| // PhInitFormatC(&format[0], L'@'); // PhInitFormatU(&format[1], dpiValue); // PhInitFormatC(&format[2], L'|'); // // if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) // { // PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); // } // else // { // PhAppendFormatStringBuilder(&stringBuilder, L"@%lu|", dpiValue); // } //} lvColumn.mask = LVCF_WIDTH | LVCF_ORDER; while (ListView_GetColumn(ListViewHandle, i, &lvColumn)) { PH_FORMAT format[4]; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; // %u,%u| PhInitFormatU(&format[0], lvColumn.iOrder); PhInitFormatC(&format[1], L','); PhInitFormatU(&format[2], WindowsVersion >= WINDOWS_10 ? PhScaleToDefault(lvColumn.cx, dpiValue) : lvColumn.cx); PhInitFormatC(&format[3], L'|'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder( &stringBuilder, L"%u,%u|", lvColumn.iOrder, WindowsVersion >= WINDOWS_10 ? PhScaleToDefault(lvColumn.cx, dpiValue) : lvColumn.cx ); } i++; } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); return PhFinalStringBuilderString(&stringBuilder); } BOOLEAN PhLoadIListViewColumnSettings( _In_ IListView* ListView, _In_ PPH_STRING Settings ) { #define ORDER_LIMIT 50 HWND headerHandle = NULL; PH_STRINGREF remainingPart; ULONG columnIndex; ULONG orderArray[ORDER_LIMIT]; // HACK, but reasonable limit ULONG maxOrder; LONG dpi = 0; if (!SUCCEEDED(IListView_GetHeaderControl(ListView, &headerHandle))) return FALSE; #ifdef DEBUG assert(Header_GetItemCount(headerHandle) < ORDER_LIMIT); #endif if (PhIsNullOrEmptyString(Settings)) return FALSE; remainingPart = Settings->sr; columnIndex = 0; memset(orderArray, 0, sizeof(orderArray)); maxOrder = 0; //if (remainingPart.Length != 0 && remainingPart.Buffer[0] == L'@') //{ // PH_STRINGREF scalePart; // LONG64 integer; // // PhSkipStringRef(&remainingPart, sizeof(WCHAR)); // PhSplitStringRefAtChar(&remainingPart, L'|', &scalePart, &remainingPart); // // if (scalePart.Length == 0 || !PhStringToInteger64(&scalePart, 10, &integer)) // return FALSE; // // scale = (LONG)integer; //} if (WindowsVersion >= WINDOWS_10) { dpi = PhGetWindowDpi(headerHandle); } while (remainingPart.Length != 0) { PH_STRINGREF columnPart; PH_STRINGREF orderPart; PH_STRINGREF widthPart; ULONG64 integer; ULONG order; LONG width; LVCOLUMN lvColumn; PhSplitStringRefAtChar(&remainingPart, L'|', &columnPart, &remainingPart); if (columnPart.Length == 0) return FALSE; PhSplitStringRefAtChar(&columnPart, L',', &orderPart, &widthPart); if (orderPart.Length == 0 || widthPart.Length == 0) return FALSE; // Order if (!PhStringToInteger64(&orderPart, 10, &integer)) return FALSE; order = (ULONG)integer; if (order < ORDER_LIMIT) { orderArray[order] = columnIndex; if (maxOrder < order + 1) maxOrder = order + 1; } // Width if (!PhStringToInteger64(&widthPart, 10, &integer)) return FALSE; width = (LONG)integer; lvColumn.mask = LVCF_WIDTH; lvColumn.cx = WindowsVersion >= WINDOWS_10 ? PhScaleToDisplay(width, dpi) : width; IListView_SetColumn(ListView, columnIndex, &lvColumn); columnIndex++; } IListView_SetColumnOrderArray(ListView, maxOrder, orderArray); return TRUE; } PPH_STRING PhSaveIListViewColumnSettings( _In_ IListView* ListView ) { HWND headerHandle = NULL; PH_STRING_BUILDER stringBuilder; ULONG i = 0; LVCOLUMN lvColumn; LONG dpiValue = 0; if (!SUCCEEDED(IListView_GetHeaderControl(ListView, &headerHandle))) return NULL; PhInitializeStringBuilder(&stringBuilder, 20); if (WindowsVersion >= WINDOWS_10) { dpiValue = PhGetWindowDpi(headerHandle); } //{ // PH_FORMAT format[3]; // SIZE_T returnLength; // WCHAR buffer[PH_INT64_STR_LEN_1]; // // // @%lu| // PhInitFormatC(&format[0], L'@'); // PhInitFormatU(&format[1], dpiValue); // PhInitFormatC(&format[2], L'|'); // // if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) // { // PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); // } // else // { // PhAppendFormatStringBuilder(&stringBuilder, L"@%lu|", dpiValue); // } //} memset(&lvColumn, 0, sizeof(LVCOLUMN)); lvColumn.mask = LVCF_WIDTH | LVCF_ORDER; while (SUCCEEDED(IListView_GetColumn(ListView, i, &lvColumn))) { PH_FORMAT format[4]; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; // %u,%u| PhInitFormatU(&format[0], lvColumn.iOrder); PhInitFormatC(&format[1], L','); PhInitFormatU(&format[2], WindowsVersion >= WINDOWS_10 ? PhScaleToDefault(lvColumn.cx, dpiValue) : lvColumn.cx); PhInitFormatC(&format[3], L'|'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder( &stringBuilder, L"%u,%u|", lvColumn.iOrder, WindowsVersion >= WINDOWS_10 ? PhScaleToDefault(lvColumn.cx, dpiValue) : lvColumn.cx ); } i++; } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); return PhFinalStringBuilderString(&stringBuilder); } VOID PhLoadListViewColumnsFromSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ) { PPH_STRING string; string = PhGetStringSetting(Name); PhLoadListViewColumnSettings(ListViewHandle, string); PhDereferenceObject(string); } VOID PhSaveListViewColumnsToSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ) { PPH_STRING string; string = PhSaveListViewColumnSettings(ListViewHandle); PhSetStringSetting2(Name, &string->sr); PhDereferenceObject(string); } VOID PhLoadIListViewColumnsFromSetting( _In_ PCWSTR Name, _In_ IListView* ListViewClass ) { PPH_STRING string; string = PhGetStringSetting(Name); PhLoadIListViewColumnSettings(ListViewClass, string); PhDereferenceObject(string); } VOID PhSaveIListViewColumnsToSetting( _In_ PCWSTR Name, _In_ IListView* ListViewClass ) { PPH_STRING string; string = PhSaveIListViewColumnSettings(ListViewClass); PhSetStringSetting2(Name, &string->sr); PhDereferenceObject(string); } VOID PhLoadListViewSortColumnsFromSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ) { PPH_STRING string; ULONG sortColumn = 0; PH_SORT_ORDER sortOrder = AscendingSortOrder; PH_STRINGREF remainingPart; string = PhGetStringSetting(Name); if (PhIsNullOrEmptyString(string)) return; remainingPart = string->sr; if (remainingPart.Length != 0) { PH_STRINGREF columnPart; PH_STRINGREF orderPart; ULONG64 integer; if (!PhSplitStringRefAtChar(&remainingPart, L',', &columnPart, &orderPart)) return; if (!PhStringToInteger64(&columnPart, 10, &integer)) return; sortColumn = (ULONG)integer; if (!PhStringToInteger64(&orderPart, 10, &integer)) return; sortOrder = (ULONG)integer; } ExtendedListView_SetSort(ListViewHandle, sortColumn, sortOrder); PhDereferenceObject(string); } VOID PhSaveListViewSortColumnsToSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ) { PPH_STRING string; ULONG sortColumn = 0; PH_SORT_ORDER sortOrder = AscendingSortOrder; if (ExtendedListView_GetSort(ListViewHandle, &sortColumn, &sortOrder)) { PH_FORMAT format[3]; // %lu,%lu PhInitFormatU(&format[0], sortColumn); PhInitFormatC(&format[1], L','); PhInitFormatU(&format[2], sortOrder); string = PhFormat(format, RTL_NUMBER_OF(format), 0); } else { string = PhCreateString(L"0,0"); } PhSetStringSetting2(Name, &string->sr); PhDereferenceObject(string); } VOID PhLoadListViewGroupStatesFromSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ) { ULONG64 countInteger; PPH_STRING settingsString; PH_STRINGREF remaining; PH_STRINGREF part; settingsString = PhaGetStringSetting(Name); remaining = settingsString->sr; if (remaining.Length == 0) return; if (!PhSplitStringRefAtChar(&remaining, L'|', &part, &remaining)) return; if (!PhStringToInteger64(&part, 10, &countInteger)) return; for (LONG index = 0; index < (LONG)countInteger; index++) { ULONG64 groupId; ULONG64 stateMask; PH_STRINGREF groupIdPart; PH_STRINGREF stateMaskPart; if (remaining.Length == 0) break; PhSplitStringRefAtChar(&remaining, L'|', &groupIdPart, &remaining); if (groupIdPart.Length == 0) break; PhSplitStringRefAtChar(&remaining, L'|', &stateMaskPart, &remaining); if (stateMaskPart.Length == 0) break; if (!PhStringToInteger64(&groupIdPart, 10, &groupId)) break; if (!PhStringToInteger64(&stateMaskPart, 10, &stateMask)) break; ListView_SetGroupState( ListViewHandle, (LONG)groupId, LVGS_NORMAL | LVGS_COLLAPSED, (UINT)stateMask ); } } VOID PhSaveListViewGroupStatesToSetting( _In_ PCWSTR Name, _In_ HWND ListViewHandle ) { LONG index; LONG count; PPH_STRING settingsString; PH_STRING_BUILDER stringBuilder; PhInitializeStringBuilder(&stringBuilder, 100); count = (LONG)ListView_GetGroupCount(ListViewHandle); PhAppendFormatStringBuilder( &stringBuilder, L"%d|", count ); for (index = 0; index < count; index++) { LVGROUP group; PH_FORMAT format[4]; SIZE_T returnLength; WCHAR buffer[PH_INT64_STR_LEN_1]; memset(&group, 0, sizeof(LVGROUP)); group.cbSize = sizeof(LVGROUP); group.mask = LVGF_GROUPID | LVGF_STATE; group.stateMask = LVGS_NORMAL | LVGS_COLLAPSED; if (ListView_GetGroupInfoByIndex(ListViewHandle, index, &group) == -1) continue; PhInitFormatD(&format[0], group.iGroupId); PhInitFormatC(&format[1], L'|'); PhInitFormatU(&format[2], group.state); PhInitFormatC(&format[3], L'|'); if (PhFormatToBuffer(format, RTL_NUMBER_OF(format), buffer, sizeof(buffer), &returnLength)) { PhAppendStringBuilderEx(&stringBuilder, buffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder( &stringBuilder, L"%d|%u|", group.iGroupId, group.state ); } } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); settingsString = PhFinalStringBuilderString(&stringBuilder); PhSetStringSetting2(Name, &settingsString->sr); PhDereferenceObject(settingsString); } VOID PhLoadCustomColorList( _In_ PCWSTR Name, _In_ PULONG CustomColorList, _In_ ULONG CustomColorCount ) { PPH_STRING settingsString; PH_STRINGREF remaining; PH_STRINGREF part; if (CustomColorCount != 16) return; settingsString = PhGetStringSetting(Name); if (PhIsNullOrEmptyString(settingsString)) goto CleanupExit; remaining = PhGetStringRef(settingsString); for (ULONG i = 0; i < CustomColorCount; i++) { ULONG64 integer = 0; if (remaining.Length == 0) break; PhSplitStringRefAtChar(&remaining, L',', &part, &remaining); if (PhStringToInteger64(&part, 10, &integer)) { CustomColorList[i] = (COLORREF)integer; } } CleanupExit: PhClearReference(&settingsString); } VOID PhSaveCustomColorList( _In_ PCWSTR Name, _In_ PULONG CustomColorList, _In_ ULONG CustomColorCount ) { PH_STRING_BUILDER stringBuilder; if (CustomColorCount != 16) return; PhInitializeStringBuilder(&stringBuilder, 100); for (ULONG i = 0; i < CustomColorCount; i++) { PH_FORMAT format[2]; SIZE_T returnLength; WCHAR formatBuffer[0x100]; PhInitFormatU(&format[0], CustomColorList[i]); PhInitFormatC(&format[1], L','); if (PhFormatToBuffer( format, RTL_NUMBER_OF(format), formatBuffer, sizeof(formatBuffer), &returnLength )) { PhAppendStringBuilderEx(&stringBuilder, formatBuffer, returnLength - sizeof(UNICODE_NULL)); } else { PhAppendFormatStringBuilder(&stringBuilder, L"%lu,", CustomColorList[i]); } } if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); PhSetStringSetting2(Name, &stringBuilder.String->sr); PhDeleteStringBuilder(&stringBuilder); } static VOID PhBytesStripSubstringZ( _In_ PSTR String, _In_ PCSTR SubString ) { SIZE_T length = PhCountBytesZ(SubString); if (length == 0) return; PSTR offset = strstr(String, SubString); while (offset) { // Calculate the size of the remaining string (including null terminator) in bytes // and shift it over the substring to be removed. memmove(offset, offset + length, (PhCountBytesZ(offset + length) + 1) * sizeof(CHAR)); // Rescan from the beginning of the string to handle nested occurrences offset = strstr(String, SubString); } } static VOID PhStringStripSubstringZ( _In_ PWSTR String, _In_ PCWSTR SubString ) { SIZE_T length = PhCountStringZ(SubString); if (length == 0) return; PWSTR offset = wcsstr(String, SubString); while (offset) { // Calculate the size of the remaining string (including null terminator) in bytes // and shift it over the substring to be removed. memmove(offset, offset + length, (PhCountStringZ(offset + length) + 1) * sizeof(WCHAR)); // Rescan from the beginning of the string to handle nested occurrences offset = wcsstr(String, SubString); } } static PPH_STRING PhRemoveSubstringFromStringSafe( _In_ PPH_STRING String, _In_ PCPH_STRINGREF Separator, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF firstPart; PH_STRINGREF secondPart; PH_STRINGREF remainingPart; PH_STRING_BUILDER stringBuilder; if (!String || !String->Buffer || !Separator || Separator->Length == 0) return NULL; remainingPart = PhGetStringRef(String); PhInitializeStringBuilder(&stringBuilder, 0x1000); while (remainingPart.Length != 0) { if (!PhSplitStringRefAtString(&remainingPart, Separator, IgnoreCase, &firstPart, &secondPart)) break; PhAppendStringBuilder(&stringBuilder, &firstPart); } if (remainingPart.Length) { PhAppendStringBuilder(&stringBuilder, &remainingPart); } return PhFinalStringBuilderString(&stringBuilder); } static PPH_STRING PhRemoveSubstringFromString( _In_ PPH_STRING String, _In_ PCPH_STRINGREF Substring, _In_ BOOLEAN IgnoreCase ) { PH_STRING_BUILDER stringBuilder; PH_STRINGREF remainingPart; PH_STRINGREF stringPart; remainingPart = PhGetStringRef(String); PhInitializeStringBuilder(&stringBuilder, String->Length); while (PhSplitStringRefAtString(&remainingPart, Substring, IgnoreCase, &stringPart, &remainingPart)) { PhAppendStringBuilder(&stringBuilder, &stringPart); } // If 'remainingPart' still has the same length as the original string, // it means the Substring was never found. Return the original to save memory. //if (remainingPart.Length == String->Length) //{ // PhDeleteStringBuilder(&stringBuilder); // return PhReferenceObject(String); //} // Append the final chunk (or the whole string if no Substring was found) if (remainingPart.Length) { PhAppendStringBuilder(&stringBuilder, &remainingPart); } return PhFinalStringBuilderString(&stringBuilder); } static VOID PhRemoveSubstringFromStringUnsafe( _In_ PPH_STRING String, _In_ PCPH_STRINGREF Separator, _In_ BOOLEAN IgnoreCase ) { PH_STRINGREF firstPart; PH_STRINGREF secondPart; PH_STRINGREF remainingPart; PH_STRING_BUILDER stringBuilder; remainingPart = PhGetStringRef(String); PhInitializeStringBuilder(&stringBuilder, 0x1000); while (remainingPart.Length != 0) { if (!PhSplitStringRefAtString(&remainingPart, Separator, TRUE, &firstPart, &secondPart)) break; // Calculate the destination pointer (end of the first part) PWSTR destination = (PWSTR)PTR_ADD_OFFSET(firstPart.Buffer, firstPart.Length); // Calculate the source pointer (start of the second part) PWSTR source = secondPart.Buffer; // Move the remaining part of the string (including the null terminator) // over the substring we want to remove. memmove(destination, source, secondPart.Length + sizeof(UNICODE_NULL)); // Update the Length field. String->Length -= Separator->Length; // Re-initialize the stringRef to the modified string to continue searching. // This is necessary because the string length has changed. // Since we modified the buffer in-place, the 'STRINGREF' view is now stale. // Re-initialize it to the new string state to find subsequent occurrences. remainingPart.Buffer = String->Buffer; remainingPart.Length = String->Length; } } NTSTATUS PhConvertSettingsXmlToJson( _In_ PCPH_STRINGREF XmlFileName, _In_ PCPH_STRINGREF JsonFileName ) { NTSTATUS status; HANDLE fileHandle; PPH_BYTES fileContent; PVOID topNode = NULL; PVOID currentNode; PVOID object = NULL; PPH_STRING settingName; PPH_STRING settingValue; PPH_LIST strings = NULL; status = PhCreateFile( &fileHandle, XmlFileName, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhGetFileText( &fileContent, fileHandle, FALSE ); NtClose(fileHandle); if (!NT_SUCCESS(status)) goto CleanupExit; topNode = PhLoadXmlObjectFromString(fileContent->Buffer); PhDereferenceObject(fileContent); if (!topNode) { status = STATUS_FILE_CORRUPT_ERROR; goto CleanupExit; } if (!(object = PhCreateJsonObject())) { status = STATUS_INSUFFICIENT_RESOURCES; goto CleanupExit; } if (!(currentNode = PhGetXmlNodeFirstChild(topNode))) { status = STATUS_FILE_CORRUPT_ERROR; goto CleanupExit; } strings = PhCreateList(1); while (currentNode) { if (settingName = PhGetXmlNodeAttributeText(currentNode, "name")) { PH_STRINGREF name = settingName->sr; if (PhIsLegacyPrefix(&name)) { PhSkipStringRef(&name, 14 * sizeof(WCHAR)); } if (settingValue = PhGetXmlNodeOpaqueText(currentNode)) { PPH_BYTES stringName; PPH_BYTES stringValue; stringName = PhConvertStringRefToUtf8(&name); stringValue = PhConvertStringRefToUtf8(&settingValue->sr); PhAddJsonObject2( object, stringName->Buffer, stringValue->Buffer, stringValue->Length ); PhAddItemList(strings, stringName); PhAddItemList(strings, stringValue); PhDereferenceObject(settingValue); } PhDereferenceObject(settingName); } currentNode = PhGetXmlNodeNextChild(currentNode); } status = PhSaveJsonObjectToFile( JsonFileName, object, PH_JSON_TO_STRING_PLAIN | PH_JSON_TO_STRING_PRETTY ); //if (!NT_SUCCESS(status)) // goto CleanupExit; // //status = PhMoveFile( // XmlFileName, // &convertFilePath->sr, // NULL // ); CleanupExit: if (object) { PhFreeJsonObject(object); } if (topNode) { PhFreeXmlObject(topNode); } if (strings) { PhDereferenceObjects(strings->Items, strings->Count); PhDereferenceObject(strings); } return status; } ================================================ FILE: phlib/strsrch.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010 * dmex 2017-2023 * jxy-s 2024 * */ #include #include typedef struct _PH_STRING_SEARCH_CONEXT { ULONG MinimumLength; BOOLEAN ExtendedCharSet; PPH_STRING_SEARCH_CALLBACK Callback; PVOID CallbackContext; WCHAR Buffer[PAGE_SIZE * 2]; } PH_STRING_SEARCH_CONEXT, *PPH_STRING_SEARCH_CONEXT; typedef enum _PH_CHAR_TYPE { PhCharTypeNone, PhCharTypePrintable, PhCharTypeNULL, PhCharTypeUTF16High, } PH_CHAR_TYPE, *PPH_CHAR_TYPE; typedef enum _PH_CHAR_PATTERN { PhCharPatternNone = 0, PhCharPatternASCII, PhCharPatternUnicode, } PH_CHAR_PATTERN, *PPH_CHAR_PATTERN; FORCEINLINE PH_CHAR_TYPE PhpClassifyByte( _In_ BYTE Byte, _In_ BOOLEAN ExtendedCharSet, _In_ BOOLEAN CheckUTF16High ) { if (Byte == 0) { return PhCharTypeNULL; } else if (ExtendedCharSet ? PhCharIsPrintableEx[Byte] : PhCharIsPrintable[Byte]) { return PhCharTypePrintable; } else if (CheckUTF16High && !PhIsUTF16HighSurrogateHighByte[Byte] && !PhIsUTF16LowSurrogateHighByte[Byte] && PhIsUTF16StandaloneHighByte[Byte] && (ExtendedCharSet ? TRUE : PhIsUTF16PrintableHighByte[Byte])) { return PhCharTypeUTF16High; } else { return PhCharTypeNone; } } BOOLEAN PhpSearchStrings( _In_ PPH_STRING_SEARCH_CONEXT Context, _In_reads_bytes_(Length) PBYTE Buffer, _In_ SIZE_T Length ) { BYTE byte = 0; // current byte BYTE byte1 = 0; // byte at position i-1 BYTE byte2 = 0; // byte at position i-2 BYTE byte3 = 0; // byte at position i-3 PH_CHAR_TYPE charType = PhCharTypeNone; // classification of byte PH_CHAR_TYPE charType1 = PhCharTypeNone; // classification of byte1 PH_CHAR_TYPE charType2 = PhCharTypeNone; // classification of byte2 PH_CHAR_TYPE charType3 = PhCharTypeNone; // classification of byte3 PH_CHAR_PATTERN pattern = PhCharPatternNone; ULONG length = 0; for (SIZE_T i = 0; i < Length; i++) { BOOLEAN checkUTF8High = FALSE; byte = Buffer[i]; // Classify the current byte. // Only check for UTF-16 high bytes when extended character sets is // enabled and NOT preceded by UTF-16 high or NULL. This prevents // misclassifying low bytes in UTF-16 sequences as high bytes. if (Context->ExtendedCharSet && charType1 != PhCharTypeUTF16High && charType1 != PhCharTypeNULL) { checkUTF8High = TRUE; } charType = PhpClassifyByte(byte, Context->ExtendedCharSet, checkUTF8High); // Pattern: [Printable][Printable][Printable] - ANSI string detection if (charType2 == PhCharTypePrintable && charType1 == PhCharTypePrintable && charType == PhCharTypePrintable) { if (pattern == PhCharPatternNone) { assert(length == 0); pattern = PhCharPatternASCII; Context->Buffer[length++] = byte2; Context->Buffer[length++] = byte1; Context->Buffer[length++] = byte; } else if (pattern == PhCharPatternASCII) { if (length < RTL_NUMBER_OF(Context->Buffer)) Context->Buffer[length++] = byte; } else if (length >= Context->MinimumLength) { goto CreateResult; } else { length = 0; pattern = PhCharPatternNone; } } // Pattern: [Printable][NULL][Printable] - ASCII-Unicode string detection else if (charType2 == PhCharTypePrintable && charType1 == PhCharTypeNULL && charType == PhCharTypePrintable) { if (pattern == PhCharPatternNone) { assert(length == 0); pattern = PhCharPatternUnicode; Context->Buffer[length++] = byte2; Context->Buffer[length++] = byte; } else if (pattern == PhCharPatternUnicode) { if (length < RTL_NUMBER_OF(Context->Buffer)) Context->Buffer[length++] = byte; } else if (length >= Context->MinimumLength) { goto CreateResult; } else { length = 0; pattern = PhCharPatternNone; } } // Pattern: [NULL][Printable][NULL] - ASCII-Unicode continuation // Handles the NULL between printable characters in ASCII-Unicode strings else if (pattern == PhCharPatternUnicode && charType2 == PhCharTypeNULL && charType1 == PhCharTypePrintable && charType == PhCharTypeNULL) { NOTHING; // Keep tracking, waiting for next printable or UTF-16 high byte } // Pattern: [NULL][Printable][NULL][None] - ASCII-Unicode to UTF-16 BMP transition // Handles transition point where ASCII-Unicode meets UTF-16 BMP else if (pattern == PhCharPatternUnicode && charType3 == PhCharTypeNULL && charType2 == PhCharTypePrintable && charType1 == PhCharTypeNULL && charType == PhCharTypeNone) { NOTHING; // Keep tracking, next byte should be UTF-16 high byte } // Pattern: [UTF16High|NULL][!UTF16High][UTF16High] - UTF-16 BMP character detection // Detects UTF-16 characters: [low_byte][high_byte] else if ((charType2 == PhCharTypeUTF16High || charType2 == PhCharTypeNULL) && charType1 != PhCharTypeUTF16High && charType == PhCharTypeUTF16High) { if (pattern == PhCharPatternNone) { assert(length == 0); pattern = PhCharPatternUnicode; Context->Buffer[length++] = MAKEWORD(byte1, byte); } else if (pattern == PhCharPatternUnicode) { if (length < RTL_NUMBER_OF(Context->Buffer)) Context->Buffer[length++] = MAKEWORD(byte1, byte); } else if (length >= Context->MinimumLength) { goto CreateResult; } else { length = 0; pattern = PhCharPatternNone; } } // Pattern: [UTF16High|NULL][!UTF16High][UTF16High][!UTF16High] - UTF-16 BMP continuation // Handles the low byte of the next character in a UTF-16 sequence else if (pattern == PhCharPatternUnicode && (charType3 == PhCharTypeUTF16High || charType3 == PhCharTypeNULL) && charType2 != PhCharTypeUTF16High && charType1 == PhCharTypeUTF16High && charType != PhCharTypeUTF16High) { NOTHING; // Keep tracking, waiting for next UTF-16 high byte } // Pattern: [!UTF16High][UTF16High][Printable][NULL] - UTF-16 BMP to ASCII-Unicode transition // Handles transition from UTF-16 BMP back to ASCII-Unicode else if (pattern == PhCharPatternUnicode && charType3 != PhCharTypeUTF16High && charType2 == PhCharTypeUTF16High && charType1 == PhCharTypePrintable && charType == PhCharTypeNULL) { if (length < RTL_NUMBER_OF(Context->Buffer)) Context->Buffer[length++] = byte1; } else if (pattern != PhCharPatternNone && length >= Context->MinimumLength) { goto CreateResult; } else { length = 0; pattern = PhCharPatternNone; } goto AfterCreateResult; CreateResult: { PH_STRING_SEARCH_RESULT result; ULONG lengthInBytes; ULONG bias; BOOLEAN isWide; BOOLEAN isFinished; lengthInBytes = length; bias = (charType == PhCharTypePrintable); isWide = (pattern != PhCharPatternASCII); if (isWide) { lengthInBytes *= 2; } result.Unicode = isWide; result.Address = PTR_ADD_OFFSET(Buffer, i - bias - lengthInBytes); result.Length = lengthInBytes; result.String = PhCreateStringEx( Context->Buffer, 2 * min(length, RTL_NUMBER_OF(Context->Buffer)) ); isFinished = Context->Callback(&result, Context->CallbackContext); PhClearReference(&result.String); pattern = PhCharPatternNone; length = 0; if (isFinished) return TRUE; } AfterCreateResult: byte3 = byte2; byte2 = byte1; byte1 = byte; charType3 = charType2; charType2 = charType1; charType1 = charType; } return FALSE; } NTSTATUS PhSearchStrings( _In_ ULONG MinimumLength, _In_ BOOLEAN ExtendedCharSet, _In_ PPH_STRING_SEARCH_NEXT_BUFFER NextBuffer, _In_ PPH_STRING_SEARCH_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status; PPH_STRING_SEARCH_CONEXT context; PVOID buffer; SIZE_T length; if (!MinimumLength) return STATUS_INVALID_PARAMETER; context = PhAllocateZero(sizeof(PH_STRING_SEARCH_CONEXT)); context->MinimumLength = MinimumLength; context->ExtendedCharSet = ExtendedCharSet; context->Callback = Callback; context->CallbackContext = Context; buffer = NULL; length = 0; while (NT_SUCCESS(status = NextBuffer(&buffer, &length, Context))) { if (!length) break; if (PhpSearchStrings(context, buffer, length)) break; } PhFree(context); return status; } ================================================ FILE: phlib/svcsup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2012 * dmex 2019-2024 * */ #include #include #include #include static CONST PH_STRINGREF PhpServiceUnknownString = PH_STRINGREF_INIT(L"Unknown"); static CONST PH_KEY_VALUE_PAIR PhpServiceStatePairs[] = { SIP(SREF(L"Unknown"), 0), SIP(SREF(L"Stopped"), SERVICE_STOPPED), SIP(SREF(L"Start pending"), SERVICE_START_PENDING), SIP(SREF(L"Stop pending"), SERVICE_STOP_PENDING), SIP(SREF(L"Running"), SERVICE_RUNNING), SIP(SREF(L"Continue pending"), SERVICE_CONTINUE_PENDING), SIP(SREF(L"Pause pending"), SERVICE_PAUSE_PENDING), SIP(SREF(L"Paused"), SERVICE_PAUSED) }; static CONST PH_KEY_VALUE_PAIR PhpServiceTypePairs[] = { SIP(SREF(L"Unknown"), 0), SIP(SREF(L"Driver"), SERVICE_KERNEL_DRIVER), SIP(SREF(L"FS driver"), SERVICE_FILE_SYSTEM_DRIVER), SIP(SREF(L"Own process"), SERVICE_WIN32_OWN_PROCESS), SIP(SREF(L"Share process"), SERVICE_WIN32_SHARE_PROCESS), SIP(SREF(L"Own interactive process"), SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS), SIP(SREF(L"Share interactive process"), SERVICE_WIN32_SHARE_PROCESS | SERVICE_INTERACTIVE_PROCESS), SIP(SREF(L"User own process"), SERVICE_USER_OWN_PROCESS), SIP(SREF(L"User own process (instance)"), SERVICE_USER_OWN_PROCESS | SERVICE_USERSERVICE_INSTANCE), SIP(SREF(L"User share process"), SERVICE_USER_SHARE_PROCESS), SIP(SREF(L"User share process (instance)"), SERVICE_USER_SHARE_PROCESS | SERVICE_USERSERVICE_INSTANCE), SIP(SREF(L"Package own process"), SERVICE_PKG_SERVICE | SERVICE_WIN32_OWN_PROCESS), SIP(SREF(L"Package share process"), SERVICE_PKG_SERVICE | SERVICE_WIN32_SHARE_PROCESS), }; static CONST PH_KEY_VALUE_PAIR PhpServiceStartTypePairs[] = { SIP(SREF(L"Boot start"), SERVICE_BOOT_START), SIP(SREF(L"System start"), SERVICE_SYSTEM_START), SIP(SREF(L"Auto start"), SERVICE_AUTO_START), SIP(SREF(L"Demand start"), SERVICE_DEMAND_START), SIP(SREF(L"Disabled"), SERVICE_DISABLED), }; static CONST PH_KEY_VALUE_PAIR PhpServiceErrorControlPairs[] = { SIP(SREF(L"Ignore"), SERVICE_ERROR_IGNORE), SIP(SREF(L"Normal"), SERVICE_ERROR_NORMAL), SIP(SREF(L"Severe"), SERVICE_ERROR_SEVERE), SIP(SREF(L"Critical"), SERVICE_ERROR_CRITICAL) }; CONST PPH_STRINGREF PhServiceTypeStrings[] = { SREF(L"Driver"), SREF(L"FS driver"), SREF(L"Own process"), SREF(L"Share process"), SREF(L"Own interactive process"), SREF(L"Share interactive process"), SREF(L"User own process"), SREF(L"User own process (instance)"), SREF(L"User share process"), SREF(L"User share process (instance)"), SREF(L"Package own process"), SREF(L"Package share process"), }; CONST PPH_STRINGREF PhServiceStartTypeStrings[5] = { SREF(L"Disabled"), SREF(L"Boot start"), SREF(L"System start"), SREF(L"Auto start"), SREF(L"Demand start"), }; CONST PPH_STRINGREF PhServiceErrorControlStrings[4] = { SREF(L"Ignore"), SREF(L"Normal"), SREF(L"Severe"), SREF(L"Critical"), }; /** * Gets a cached service manager handle. * * \return Service manager handle, or NULL if failed. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagerw */ SC_HANDLE PhGetServiceManagerHandle( VOID ) { static SC_HANDLE cachedServiceManagerHandle = NULL; SC_HANDLE serviceManagerHandle; SC_HANDLE newServiceManagerHandle; // Use the cached value if possible. serviceManagerHandle = ReadPointerAcquire(&cachedServiceManagerHandle); // If there is no cached handle, open one. if (!serviceManagerHandle) { if (newServiceManagerHandle = OpenSCManager( NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE )) { // We succeeded in opening a policy handle, and since we did not have a cached handle // before, we will now store it. serviceManagerHandle = InterlockedCompareExchangePointer( &cachedServiceManagerHandle, newServiceManagerHandle, NULL ); if (!serviceManagerHandle) { // Success. Use our handle. serviceManagerHandle = newServiceManagerHandle; } else { // Someone already placed a handle in the cache. Close our handle and use their handle. PhCloseServiceHandle(newServiceManagerHandle); } } } return serviceManagerHandle; } /** * Enumerates all services. * * \param Services Receives a pointer to service status array. Caller must free with PhFree. * \param NumberOfServices Receives the number of services enumerated. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-enumservicesstatusexw */ NTSTATUS PhEnumServices( _Out_ LPENUM_SERVICE_STATUS_PROCESS* Services, _Out_ PULONG NumberOfServices ) { static ULONG initialBufferSize = 0x8000; NTSTATUS status; SC_HANDLE scManagerHandle; ULONG type; PVOID buffer; ULONG bufferSize; ULONG returnLength; ULONG servicesReturned; if (WindowsVersion >= WINDOWS_10_RS1) { type = SERVICE_TYPE_ALL; } else if (WindowsVersion >= WINDOWS_10) { type = SERVICE_WIN32 | SERVICE_ADAPTER | SERVICE_DRIVER | SERVICE_INTERACTIVE_PROCESS | SERVICE_USER_SERVICE | SERVICE_USERSERVICE_INSTANCE; } else { type = SERVICE_DRIVER | SERVICE_WIN32; } scManagerHandle = PhGetServiceManagerHandle(); bufferSize = initialBufferSize; buffer = PhAllocate(bufferSize); if (EnumServicesStatusEx( scManagerHandle, SC_ENUM_PROCESS_INFO, type, SERVICE_STATE_ALL, (PBYTE)buffer, bufferSize, &returnLength, &servicesReturned, NULL, NULL )) { status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } if (status == STATUS_MORE_ENTRIES) { PhFree(buffer); bufferSize += returnLength; buffer = PhAllocate(bufferSize); if (EnumServicesStatusEx( scManagerHandle, SC_ENUM_PROCESS_INFO, type, SERVICE_STATE_ALL, (PBYTE)buffer, bufferSize, &returnLength, &servicesReturned, NULL, NULL )) { status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } if (bufferSize <= 0x20000) initialBufferSize = bufferSize; *Services = buffer; *NumberOfServices = servicesReturned; return status; } /** * Enumerates services that depend on the specified service. * * \param ServiceHandle Handle to the service. * \param DependentServices Receives a pointer to dependent services array. Caller must free with PhFree. * \param NumberOfDependentServices Receives the number of dependent services. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-enumdependentservicesw */ NTSTATUS PhEnumDependentServices( _In_ SC_HANDLE ServiceHandle, _Out_ LPENUM_SERVICE_STATUS* DependentServices, _Out_ PULONG NumberOfDependentServices ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; ULONG returnLength; ULONG servicesReturned; bufferSize = 0x800; buffer = PhAllocate(bufferSize); if (EnumDependentServices( ServiceHandle, SERVICE_STATE_ALL, buffer, bufferSize, &returnLength, &servicesReturned )) { status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } if (status == STATUS_MORE_ENTRIES) { PhFree(buffer); bufferSize = returnLength; buffer = PhAllocate(bufferSize); if (EnumDependentServices( ServiceHandle, SERVICE_STATE_ALL, buffer, bufferSize, &returnLength, &servicesReturned )) { status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } } if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } *DependentServices = buffer; *NumberOfDependentServices = servicesReturned; return status; } /** * Opens a handle to the service control manager. * * \param ServiceManagerHandle Receives the service manager handle. * \param DatabaseName Name of the service control manager database, or NULL for the default. * \param DesiredAccess Access rights for the handle. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagerw */ NTSTATUS PhOpenServiceManager( _Out_ PSC_HANDLE ServiceManagerHandle, _In_opt_ PCWSTR DatabaseName, _In_ ACCESS_MASK DesiredAccess ) { SC_HANDLE serviceManagerHandle; if (serviceManagerHandle = OpenSCManager(NULL, DatabaseName, DesiredAccess)) { *ServiceManagerHandle = serviceManagerHandle; return STATUS_SUCCESS; } else { *ServiceManagerHandle = NULL; return PhGetLastWin32ErrorAsNtStatus(); } } /** * Opens a handle to a service. * * \param ServiceHandle Receives the service handle. * \param DesiredAccess Access rights for the handle. * \param ServiceName Name of the service. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicew */ NTSTATUS PhOpenService( _Out_ PSC_HANDLE ServiceHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCWSTR ServiceName ) { SC_HANDLE serviceHandle; if (serviceHandle = OpenService(PhGetServiceManagerHandle(), ServiceName, DesiredAccess)) { *ServiceHandle = serviceHandle; return STATUS_SUCCESS; } *ServiceHandle = NULL; return PhGetLastWin32ErrorAsNtStatus(); } /** * Opens a registry key for a service. * * \param KeyHandle Receives the key handle. * \param DesiredAccess Access rights for the handle. * \param ServiceName Name of the service. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhOpenServiceKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PPH_STRINGREF ServiceName ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Services"); static PH_INITONCE initOnce = PH_INITONCE_INIT; static HANDLE servicesKeyHandle = NULL; NTSTATUS status = STATUS_UNSUCCESSFUL; PPH_STRING serviceName; if (PhBeginInitOnce(&initOnce)) { status = PhOpenKey(&servicesKeyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &servicesKeyName, 0); PhEndInitOnce(&initOnce); } if (servicesKeyHandle) { status = PhOpenKey(KeyHandle, DesiredAccess, servicesKeyHandle, ServiceName, 0); } if (NT_SUCCESS(status)) { if (serviceName = PhGetServiceKeyName(ServiceName)) { status = PhOpenKey( KeyHandle, DesiredAccess, PH_KEY_LOCAL_MACHINE, &serviceName->sr, 0 ); PhDereferenceObject(serviceName); } else { status = STATUS_NO_MEMORY; } } return status; } /** * Closes a service handle. * * \param ServiceHandle Handle to close. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-closeservicehandle */ NTSTATUS PhCloseServiceHandle( _In_ SC_HANDLE ServiceHandle ) { if (CloseServiceHandle(ServiceHandle)) return STATUS_SUCCESS; return PhGetLastWin32ErrorAsNtStatus(); } /** * Creates a service. * * \param ServiceHandle Receives the service handle. * \param ServiceName Name of the service to create. * \param DisplayName Display name of the service, or NULL. * \param DesiredAccess Access rights for the handle. * \param ServiceType Service type. * \param StartType Service start type. * \param ErrorControl Error control level. * \param BinaryPathName Path to the service binary, or NULL. * \param UserName User account for the service, or NULL. * \param Password Password for the user account, or NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicew */ NTSTATUS PhCreateService( _Out_ PSC_HANDLE ServiceHandle, _In_ PCWSTR ServiceName, _In_opt_ PCWSTR DisplayName, _In_ ULONG DesiredAccess, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR UserName, _In_opt_ PCWSTR Password ) { NTSTATUS status; SC_HANDLE scManagerHandle; SC_HANDLE serviceHandle; status = PhOpenServiceManager(&scManagerHandle, NULL, SC_MANAGER_CREATE_SERVICE); if (NT_SUCCESS(status)) { if (serviceHandle = CreateService( scManagerHandle, ServiceName, DisplayName, DesiredAccess, ServiceType, StartType, ErrorControl, BinaryPathName, NULL, NULL, NULL, UserName, Password )) { *ServiceHandle = serviceHandle; status = STATUS_SUCCESS; } else { *ServiceHandle = NULL; status = PhGetLastWin32ErrorAsNtStatus(); } PhCloseServiceHandle(scManagerHandle); } return status; } /** * Changes the configuration of a service. * * \param ServiceHandle Handle to the service. * \param ServiceType Service type, or SERVICE_NO_CHANGE. * \param StartType Service start type, or SERVICE_NO_CHANGE. * \param ErrorControl Error control level, or SERVICE_NO_CHANGE. * \param BinaryPathName Path to the service binary, or NULL. * \param LoadOrderGroup Load order group, or NULL. * \param TagId Receives the tag identifier, or NULL. * \param Dependencies List of dependencies, or NULL. * \param ServiceStartName User account for the service, or NULL. * \param Password Password for the user account, or NULL. * \param DisplayName Display name of the service, or NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-changeserviceconfigw */ NTSTATUS PhChangeServiceConfig( _In_ SC_HANDLE ServiceHandle, _In_ ULONG ServiceType, _In_ ULONG StartType, _In_ ULONG ErrorControl, _In_opt_ PCWSTR BinaryPathName, _In_opt_ PCWSTR LoadOrderGroup, _Out_opt_ PULONG TagId, _In_opt_ PCWSTR Dependencies, _In_opt_ PCWSTR ServiceStartName, _In_opt_ PCWSTR Password, _In_opt_ PCWSTR DisplayName ) { NTSTATUS status; if (ChangeServiceConfig( ServiceHandle, ServiceType, StartType, ErrorControl, BinaryPathName, LoadOrderGroup, TagId, Dependencies, ServiceStartName, Password, DisplayName )) { status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } return status; } /** * Changes optional configuration parameters of a service. * * \param ServiceHandle Handle to the service. * \param ServiceConfigLevel Configuration information level. * \param Buffer Configuration data, or NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-changeserviceconfig2w */ NTSTATUS PhChangeServiceConfig2( _In_ SC_HANDLE ServiceHandle, _In_ ULONG ServiceConfigLevel, _In_opt_ PVOID Buffer ) { NTSTATUS status; if (ChangeServiceConfig2(ServiceHandle, ServiceConfigLevel, Buffer)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Enumerates services that depend on the specified service (variant). * * \param ServiceHandle Handle to the service. * \param Buffer Buffer to receive dependent services, or NULL. * \param BufferLength Size of the buffer in bytes. * \param ReturnLength Receives the required buffer size. * \param NumberOfServices Receives the number of dependent services. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-enumdependentservicesw */ NTSTATUS PhEnumDependentServices2( _In_ SC_HANDLE ServiceHandle, _Out_writes_bytes_opt_(BufferLength) LPENUM_SERVICE_STATUSW Buffer, _In_ ULONG BufferLength, _Out_ PULONG ReturnLength, _Out_ PULONG NumberOfServices ) { NTSTATUS status; if (EnumDependentServices(ServiceHandle, SERVICE_STATE_ALL, Buffer, BufferLength, ReturnLength, NumberOfServices)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Queries service configuration. * * \param ServiceHandle Handle to the service. * \param Buffer Buffer to receive configuration, or NULL. * \param BufferLength Size of the buffer in bytes. * \param ReturnLength Receives the required buffer size, or NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryserviceconfigw */ NTSTATUS PhQueryServiceConfig( _In_ SC_HANDLE ServiceHandle, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; ULONG returnLength = 0; if (QueryServiceConfig(ServiceHandle, Buffer, BufferLength, &returnLength)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); if (ReturnLength) *ReturnLength = returnLength; return status; } /** * Queries optional service configuration parameters. * * \param ServiceHandle Handle to the service. * \param ServiceConfigLevel Configuration information level. * \param Buffer Buffer to receive configuration, or NULL. * \param BufferLength Size of the buffer in bytes. * \param ReturnLength Receives the required buffer size, or NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryserviceconfig2w */ NTSTATUS PhQueryServiceConfig2( _In_ SC_HANDLE ServiceHandle, _In_ ULONG ServiceConfigLevel, _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; ULONG returnLength = 0; if (QueryServiceConfig2(ServiceHandle, ServiceConfigLevel, (PBYTE)Buffer, BufferLength, &returnLength)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); if (ReturnLength) *ReturnLength = returnLength; return status; } /** * Retrieves security descriptor for a service. * * \param ServiceHandle Handle to the service. * \param SecurityInformation Security information to retrieve. * \param SecurityDescriptor Receives a pointer to the security descriptor. Caller must free with PhFree. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryserviceobjectsecurity */ NTSTATUS PhGetServiceObjectSecurity( _In_ SC_HANDLE ServiceHandle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; if (QueryServiceObjectSecurity(ServiceHandle, SecurityInformation, NULL, 0, &bufferSize)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); if (status == STATUS_BUFFER_TOO_SMALL && bufferSize) { buffer = PhAllocate(bufferSize); memset(buffer, 0, bufferSize); if (QueryServiceObjectSecurity(ServiceHandle, SecurityInformation, buffer, bufferSize, &bufferSize)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); if (NT_SUCCESS(status)) { *SecurityDescriptor = buffer; return STATUS_SUCCESS; } else { PhFree(buffer); } } if (NT_SUCCESS(status) && !bufferSize) { status = STATUS_INVALID_SECURITY_DESCR; } *SecurityDescriptor = NULL; return status; } /** * Sets the security descriptor for a service object. * * \param ServiceHandle Handle to the service. * \param SecurityInformation Specifies the type of security information to set. * \param SecurityDescriptor Pointer to a SECURITY_DESCRIPTOR structure containing the new security descriptor. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-setserviceobjectsecurity */ NTSTATUS PhSetServiceObjectSecurity( _In_ SC_HANDLE ServiceHandle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ) { NTSTATUS status; if (SetServiceObjectSecurity(ServiceHandle, SecurityInformation, SecurityDescriptor)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Queries the current status of a specified service. * * \param ServiceHandle A handle to the service. This handle must have the SERVICE_QUERY_STATUS access right. * \param ServiceStatus A pointer to a SERVICE_STATUS_PROCESS structure that receives the status information for the service. * \return Returns an NTSTATUS code indicating success or failure of the operation. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryservicestatusex */ NTSTATUS PhQueryServiceStatus( _In_ SC_HANDLE ServiceHandle, _Out_ LPSERVICE_STATUS_PROCESS ServiceStatus ) { NTSTATUS status; ULONG returnLength = 0; memset(ServiceStatus, 0, sizeof(SERVICE_STATUS_PROCESS)); if (QueryServiceStatusEx( ServiceHandle, SC_STATUS_PROCESS_INFO, (PBYTE)ServiceStatus, sizeof(SERVICE_STATUS_PROCESS), &returnLength )) { status = STATUS_SUCCESS; } else { status = PhGetLastWin32ErrorAsNtStatus(); } return status; } /** * Queries variable-sized information about a service. * * \param ServiceHandle Handle to the service to query. * \param InfoLevel The information level specifying the type of service information to retrieve. * \param ServiceConfig Pointer to a variable containing the requested service information. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryserviceconfig2w */ NTSTATUS PhQueryServiceVariableSize( _In_ SC_HANDLE ServiceHandle, _In_ ULONG InfoLevel, _Out_ PVOID* ServiceConfig ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; bufferSize = 0x100; buffer = PhAllocate(bufferSize); status = PhQueryServiceConfig2( ServiceHandle, InfoLevel, buffer, bufferSize, &bufferSize ); if (!NT_SUCCESS(status)) { PhFree(buffer); buffer = PhAllocate(bufferSize); status = PhQueryServiceConfig2( ServiceHandle, InfoLevel, buffer, bufferSize, &bufferSize ); if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } } *ServiceConfig = buffer; return status; } /** * Sends a continue control code to a service. * * \param ServiceHandle Handle to the service. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhContinueService( _In_ SC_HANDLE ServiceHandle ) { NTSTATUS status; SERVICE_STATUS serviceStatus; if (ControlService(ServiceHandle, SERVICE_CONTROL_CONTINUE, &serviceStatus)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Sends a pause control code to a service. * * \param ServiceHandle Handle to the service. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhPauseService( _In_ SC_HANDLE ServiceHandle ) { NTSTATUS status; SERVICE_STATUS serviceStatus; if (ControlService(ServiceHandle, SERVICE_CONTROL_PAUSE, &serviceStatus)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Deletes a service from the service control manager database. * * \param ServiceHandle Handle to the service. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-deleteservice */ NTSTATUS PhDeleteService( _In_ SC_HANDLE ServiceHandle ) { NTSTATUS status; if (DeleteService(ServiceHandle)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Starts a service. * * \param ServiceHandle Handle to the service. * \param NumberOfServiceArgs Number of arguments in the ServiceArgVectors array. * \param ServiceArgVectors Array of arguments to pass to the service, or NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicew */ NTSTATUS PhStartService( _In_ SC_HANDLE ServiceHandle, _In_ ULONG NumberOfServiceArgs, _In_reads_opt_(NumberOfServiceArgs) PCWSTR* ServiceArgVectors ) { NTSTATUS status; if (StartService(ServiceHandle, NumberOfServiceArgs, ServiceArgVectors)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Sends a stop control code to a service. * * \param ServiceHandle Handle to the service. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhStopService( _In_ SC_HANDLE ServiceHandle ) { NTSTATUS status; SERVICE_STATUS serviceStatus; if (ControlService(ServiceHandle, SERVICE_CONTROL_STOP, &serviceStatus)) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); return status; } /** * Retrieves the configuration of a service. * * \param ServiceHandle Handle to the service. * \param ServiceConfig Receives a pointer to the service configuration. Caller must free with PhFree. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceConfig( _In_ SC_HANDLE ServiceHandle, _Out_ LPQUERY_SERVICE_CONFIG* ServiceConfig ) { NTSTATUS status; PVOID buffer; ULONG bufferSize; bufferSize = 0x200; buffer = PhAllocate(bufferSize); status = PhQueryServiceConfig( ServiceHandle, buffer, bufferSize, &bufferSize ); if (!NT_SUCCESS(status)) { PhFree(buffer); buffer = PhAllocate(bufferSize); status = PhQueryServiceConfig( ServiceHandle, buffer, bufferSize, &bufferSize ); if (!NT_SUCCESS(status)) { PhFree(buffer); return status; } } *ServiceConfig = buffer; return status; } /** * Retrieves the description string for a service. * * \param ServiceHandle Handle to the service. * \return A PPH_STRING containing the service description, or NULL if not found. */ PPH_STRING PhGetServiceDescription( _In_ SC_HANDLE ServiceHandle ) { PPH_STRING description = NULL; LPSERVICE_DESCRIPTION serviceDescription; if (NT_SUCCESS(PhQueryServiceVariableSize(ServiceHandle, SERVICE_CONFIG_DESCRIPTION, &serviceDescription))) { if (serviceDescription->lpDescription) description = PhCreateString(serviceDescription->lpDescription); PhFree(serviceDescription); return description; } else { return NULL; } } PPH_STRING PhGetServiceDescriptionKey( _In_ PPH_STRINGREF ServiceName ) { NTSTATUS status; HANDLE keyHandle; PPH_STRING description = NULL; status = PhOpenServiceKey( &keyHandle, KEY_QUERY_VALUE, ServiceName ); if (NT_SUCCESS(status)) { PPH_STRING descriptionString; PPH_STRING serviceDescriptionString; if (descriptionString = PhQueryRegistryStringZ(keyHandle, L"Description")) { if (serviceDescriptionString = PhLoadIndirectString(&descriptionString->sr)) PhMoveReference(&description, serviceDescriptionString); else PhSwapReference(&description, descriptionString); PhDereferenceObject(descriptionString); } NtClose(keyHandle); } else { PhMoveReference(&description, PhGetStatusMessage(status, 0)); } return description; } /** * Retrieves the delayed auto-start setting for a service. * * \param ServiceHandle Handle to the service. * \param DelayedAutoStart Receives TRUE if delayed auto-start is enabled. * \return TRUE if successful, FALSE otherwise. */ NTSTATUS PhGetServiceDelayedAutoStart( _In_ SC_HANDLE ServiceHandle, _Out_ PBOOLEAN DelayedAutoStart ) { NTSTATUS status; SERVICE_DELAYED_AUTO_START_INFO delayedAutoStartInfo; status = PhQueryServiceConfig2( ServiceHandle, SERVICE_CONFIG_DELAYED_AUTO_START_INFO, &delayedAutoStartInfo, sizeof(SERVICE_DELAYED_AUTO_START_INFO), NULL ); if (NT_SUCCESS(status)) { *DelayedAutoStart = !!delayedAutoStartInfo.fDelayedAutostart; } return status; } /** * Sets the delayed auto-start setting for a service. * * \param ServiceHandle Handle to the service. * \param DelayedAutoStart TRUE to enable delayed auto-start, FALSE to disable. * \return TRUE if successful, FALSE otherwise. */ NTSTATUS PhSetServiceDelayedAutoStart( _In_ SC_HANDLE ServiceHandle, _In_ BOOLEAN DelayedAutoStart ) { SERVICE_DELAYED_AUTO_START_INFO delayedAutoStartInfo; delayedAutoStartInfo.fDelayedAutostart = DelayedAutoStart; return PhChangeServiceConfig2( ServiceHandle, SERVICE_CONFIG_DELAYED_AUTO_START_INFO, &delayedAutoStartInfo ); } /** * Retrieves the trigger information for a service. * * \param ServiceHandle Handle to the service. * \param ServiceTriggerInfo Receives a pointer to the trigger information. Caller must free with PhFree. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceTriggerInfo( _In_ SC_HANDLE ServiceHandle, _Out_opt_ PSERVICE_TRIGGER_INFO* ServiceTriggerInfo ) { NTSTATUS status; PVOID buffer = NULL; ULONG bufferSize = 0; SERVICE_TRIGGER_INFO triggerInfo; if (ServiceTriggerInfo) *ServiceTriggerInfo = NULL; status = PhQueryServiceConfig2( ServiceHandle, SERVICE_CONFIG_TRIGGER_INFO, &triggerInfo, sizeof(SERVICE_TRIGGER_INFO), &bufferSize ); if (NT_SUCCESS(status)) { // The fixed-size struct was sufficient (e.g., no triggers or no variable list). if (ServiceTriggerInfo) { buffer = PhAllocate(sizeof(SERVICE_TRIGGER_INFO)); if (!buffer) return STATUS_NO_MEMORY; memcpy(buffer, &triggerInfo, sizeof(SERVICE_TRIGGER_INFO)); *ServiceTriggerInfo = buffer; } return STATUS_SUCCESS; } if (status == STATUS_BUFFER_TOO_SMALL) { if (bufferSize == 0) return STATUS_INVALID_BUFFER_SIZE; // If the caller does not want it, just report success. if (!ServiceTriggerInfo) return STATUS_SUCCESS; buffer = PhAllocate(bufferSize); if (!buffer) return STATUS_NO_MEMORY; status = PhQueryServiceConfig2( ServiceHandle, SERVICE_CONFIG_TRIGGER_INFO, buffer, bufferSize, &bufferSize ); if (NT_SUCCESS(status)) { *ServiceTriggerInfo = buffer; return STATUS_SUCCESS; } } if (buffer) { PhFree(buffer); } return status; } /** * Retrieves the service state. * * \param ServiceState The service state value (e.g., SERVICE_RUNNING, SERVICE_STOPPED). * \return A pointer to a string reference describing the service state, or "Unknown" if not found. */ PCPH_STRINGREF PhGetServiceStateString( _In_ ULONG ServiceState ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( PhpServiceStatePairs, sizeof(PhpServiceStatePairs), ServiceState, &string )) { return string; } return &PhpServiceUnknownString; } /** * Retrieves the display type. * * \param ServiceType The service type value (e.g., SERVICE_WIN32_OWN_PROCESS). * \return A pointer to a string reference describing the service type, or "Unknown" if not found. */ PCPH_STRINGREF PhGetServiceTypeString( _In_ ULONG ServiceType ) { PCPH_STRINGREF string; if (PhFindStringRefSiKeyValuePairs( PhpServiceTypePairs, sizeof(PhpServiceTypePairs), ServiceType, &string )) { return string; } return &PhpServiceUnknownString; } /** * Converts a service type string to its corresponding integer value. * * \param ServiceType A pointer to a string reference containing the service type name. * \return The integer value of the service type, or ULONG_MAX if not found. */ ULONG PhGetServiceTypeInteger( _In_ PPH_STRINGREF ServiceType ) { ULONG integer; if (PhFindIntegerSiKeyValuePairsStringRef( PhpServiceTypePairs, sizeof(PhpServiceTypePairs), ServiceType, &integer )) return integer; else return ULONG_MAX; } /** * Retrieves the display string for a service start type value. * * \param ServiceStartType The service start type value (e.g., SERVICE_AUTO_START). * \return A pointer to a string reference describing the start type, or "Unknown" if not found. */ PCPH_STRINGREF PhGetServiceStartTypeString( _In_ ULONG ServiceStartType ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( PhpServiceStartTypePairs, sizeof(PhpServiceStartTypePairs), ServiceStartType, &string )) { return string; } return &PhpServiceUnknownString; } /** * Converts a service start type string to its corresponding integer value. * * \param ServiceStartType A pointer to a string reference containing the start type name. * \return The integer value of the start type, or ULONG_MAX if not found. */ ULONG PhGetServiceStartTypeInteger( _In_ PPH_STRINGREF ServiceStartType ) { ULONG integer; if (PhFindIntegerSiKeyValuePairsStringRef( PhpServiceStartTypePairs, sizeof(PhpServiceStartTypePairs), ServiceStartType, &integer )) return integer; else return ULONG_MAX; } /** * Retrieves the display string for a service error control value. * * \param ServiceErrorControl The service error control value (e.g., SERVICE_ERROR_NORMAL). * \return A pointer to a string reference describing the error control, or "Unknown" if not found. */ PCPH_STRINGREF PhGetServiceErrorControlString( _In_ ULONG ServiceErrorControl ) { PCPH_STRINGREF string; if (PhIndexStringRefSiKeyValuePairs( PhpServiceErrorControlPairs, sizeof(PhpServiceErrorControlPairs), ServiceErrorControl, &string )) { return string; } return &PhpServiceUnknownString; } /** * Converts a service error control string to its corresponding integer value. * * \param ServiceErrorControl A pointer to a string reference containing the error control name. * \return The integer value of the error control, or ULONG_MAX if not found. */ ULONG PhGetServiceErrorControlInteger( _In_ PPH_STRINGREF ServiceErrorControl ) { ULONG integer; if (PhFindIntegerSiKeyValuePairsStringRef( PhpServiceErrorControlPairs, sizeof(PhpServiceErrorControlPairs), ServiceErrorControl, &integer )) return integer; else return ULONG_MAX; } /** * Retrieves the service name associated with a service tag in a process. * * \param ProcessId The process ID to query. * \param ServiceTag The service tag value. * \return A newly allocated PPH_STRING containing the service name, or NULL if not found. */ PPH_STRING PhGetServiceNameFromTag( _In_ HANDLE ProcessId, _In_ PVOID ServiceTag ) { static typeof(&I_QueryTagInformation) QueryTagInformation_I = NULL; PPH_STRING serviceName = NULL; TAG_INFO_NAME_FROM_TAG nameFromTag; if (!QueryTagInformation_I) { QueryTagInformation_I = PhGetDllProcedureAddressZ(L"sechost.dll", "I_QueryTagInformation", 0); } if (!QueryTagInformation_I) return NULL; memset(&nameFromTag, 0, sizeof(TAG_INFO_NAME_FROM_TAG)); nameFromTag.InParams.ProcessId = HandleToUlong(ProcessId); nameFromTag.InParams.ServiceTag = PtrToUlong(ServiceTag); QueryTagInformation_I(NULL, eTagInfoLevelNameFromTag, &nameFromTag); if (nameFromTag.OutParams.Name) { serviceName = PhCreateString(nameFromTag.OutParams.Name); LocalFree((HLOCAL)nameFromTag.OutParams.Name); } return serviceName; } /** * Retrieves a comma-separated list of service names referencing a module in a process. * * \param ProcessId The process ID to query. * \param ModuleName The name of the module to check for service references. * \return A newly allocated PPH_STRING containing the service names, or NULL if not found. */ PPH_STRING PhGetServiceNameForModuleReference( _In_ HANDLE ProcessId, _In_ PCWSTR ModuleName ) { static typeof(&I_QueryTagInformation) QueryTagInformation_I = NULL; PPH_STRING serviceNames = NULL; TAG_INFO_NAMES_REFERENCING_MODULE moduleNameRef; if (!QueryTagInformation_I) { if (WindowsVersion >= WINDOWS_8_1) { QueryTagInformation_I = PhGetDllProcedureAddressZ(L"sechost.dll", "I_QueryTagInformation", 0); } if (!QueryTagInformation_I) QueryTagInformation_I = PhGetDllProcedureAddressZ(L"advapi32.dll", "I_QueryTagInformation", 0); } if (!QueryTagInformation_I) return NULL; memset(&moduleNameRef, 0, sizeof(TAG_INFO_NAMES_REFERENCING_MODULE)); moduleNameRef.InParams.ProcessId = HandleToUlong(ProcessId); moduleNameRef.InParams.ModuleName = ModuleName; QueryTagInformation_I(NULL, eTagInfoLevelNamesReferencingModule, &moduleNameRef); if (moduleNameRef.OutParams.Names) { PH_STRING_BUILDER sb; PCWSTR serviceName; PhInitializeStringBuilder(&sb, 0x40); for (serviceName = moduleNameRef.OutParams.Names; *serviceName; serviceName += PhCountStringZ(serviceName) + 1) PhAppendFormatStringBuilder(&sb, L"%s, ", serviceName); if (sb.String->Length != 0) PhRemoveEndStringBuilder(&sb, 2); serviceNames = PhFinalStringBuilderString(&sb); LocalFree((HLOCAL)moduleNameRef.OutParams.Names); } return serviceNames; } /** * Retrieves the service tag value for a thread in a process. * * \param ThreadHandle Handle to the thread. * \param ProcessHandle Handle to the process containing the thread. * \param ServiceTag Receives the service tag value. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetThreadServiceTag( _In_ HANDLE ThreadHandle, _In_ HANDLE ProcessHandle, _Out_ PVOID *ServiceTag ) { NTSTATUS status; THREAD_BASIC_INFORMATION basicInfo; status = PhGetThreadBasicInformation(ThreadHandle, &basicInfo); if (NT_SUCCESS(status)) { status = PhReadVirtualMemory( ProcessHandle, PTR_ADD_OFFSET(basicInfo.TebBaseAddress, FIELD_OFFSET(TEB, SubProcessTag)), ServiceTag, sizeof(PVOID), NULL ); } return status; } /** * Builds the full registry key name for a service. * * \param ServiceName The service name as a string reference. * \return A newly allocated PPH_STRING containing the full registry key name. */ PPH_STRING PhGetServiceKeyName( _In_ PPH_STRINGREF ServiceName ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Services"); return PhConcatStringRef3(&servicesKeyName, &PhNtPathSeparatorString, ServiceName); } /** * Builds the full registry key name for a service's Parameters subkey. * * \param ServiceName The service name as a string reference. * \return A newly allocated PPH_STRING containing the full Parameters subkey name. */ PPH_STRING PhGetServiceParametersKeyName( _In_ PPH_STRINGREF ServiceName ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Services"); static CONST PH_STRINGREF parametersKeyName = PH_STRINGREF_INIT(L"\\Parameters"); return PhConcatStringRef4(&servicesKeyName, &PhNtPathSeparatorString, ServiceName, ¶metersKeyName); } /** * Attempts to determine the file name of a service's binary or DLL. * * \param ServiceType The service type flags. * \param ServicePathName The service's binary path name. * \param ServiceName The service name as a string reference. * \return A newly allocated PPH_STRING containing the file name, or NULL if not found. */ PPH_STRING PhGetServiceConfigFileName( _In_ ULONG ServiceType, _In_opt_ PCWSTR ServicePathName, _In_ PPH_STRINGREF ServiceName ) { NTSTATUS status; PPH_STRING fileName = NULL; status = PhGetServiceDllParameter(ServiceType, ServiceName, &fileName); if (!NT_SUCCESS(status)) { if (ServicePathName && ServicePathName[0]) { PPH_STRING commandLine = PhCreateString(ServicePathName); if (FlagOn(ServiceType, SERVICE_WIN32)) { PPH_STRING fileFullName = NULL; PH_STRINGREF dummyFileName = { 0 }; PH_STRINGREF dummyArguments = { 0 }; if (PhParseCommandLineFuzzy(&commandLine->sr, &dummyFileName, &dummyArguments, &fileFullName)) { PhSwapReference(&fileName, fileFullName); } else { PhSwapReference(&fileName, PhGetFileName(commandLine)); } PhClearReference(&fileFullName); } else { PhMoveReference(&fileName, PhGetFileName(commandLine)); } PhDereferenceObject(commandLine); } } return fileName; } /** * Attempts to determine the file name of a service's binary or DLL (variant). * * \param ServiceType The service type flags. * \param ServicePathName The service's binary path name. * \param ServiceName The service name as a string reference. * \param ServiceFileName Receives a pointer to the file name string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceConfigFileName2( _In_ ULONG ServiceType, _In_opt_ PCWSTR ServicePathName, _In_ PPH_STRINGREF ServiceName, _Out_ PPH_STRING* ServiceFileName ) { NTSTATUS status; PPH_STRING fileName = NULL; status = PhGetServiceDllParameter(ServiceType, ServiceName, &fileName); if (!NT_SUCCESS(status)) { if (ServicePathName && ServicePathName[0]) { PPH_STRING commandLine = PhCreateString(ServicePathName); if (FlagOn(ServiceType, SERVICE_WIN32)) { PPH_STRING fileFullName = NULL; PH_STRINGREF dummyFileName = { 0 }; PH_STRINGREF dummyArguments = { 0 }; if (PhParseCommandLineFuzzy(&commandLine->sr, &dummyFileName, &dummyArguments, &fileFullName)) { PhSwapReference(&fileName, fileFullName); } else { PhSwapReference(&fileName, PhGetFileName(commandLine)); } PhClearReference(&fileFullName); } else { PhMoveReference(&fileName, PhGetFileName(commandLine)); } if (!PhIsNullOrEmptyString(fileName)) { *ServiceFileName = fileName; status = STATUS_SUCCESS; } PhDereferenceObject(commandLine); } } else { *ServiceFileName = fileName; } return status; } /** * Retrieves the file name of a service's binary or DLL using a service handle. * * \param ServiceHandle Handle to the service. * \param ServiceName The service name as a string reference. * \param ServiceFileName Receives a pointer to the file name string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceHandleFileName( _In_ SC_HANDLE ServiceHandle, _In_ PPH_STRINGREF ServiceName, _Out_ PPH_STRING* ServiceFileName ) { NTSTATUS status; PPH_STRING fileName; LPQUERY_SERVICE_CONFIG config; status = PhGetServiceConfig(ServiceHandle, &config); if (NT_SUCCESS(status)) { status = PhGetServiceConfigFileName2( config->dwServiceType, config->lpBinaryPathName, ServiceName, &fileName ); if (NT_SUCCESS(status)) { *ServiceFileName = fileName; } PhFree(config); } return status; } /** * Retrieves the file name of a service's binary or DLL from the registry. * * \param ServiceName The service name as a string reference. * \param ServiceFileName Receives a pointer to the file name string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceFileName( _In_ PPH_STRINGREF ServiceName, _Out_ PPH_STRING* ServiceFileName ) { PPH_STRING serviceDllString = NULL; NTSTATUS status; HANDLE keyHandle; status = PhOpenServiceKey( &keyHandle, KEY_READ, ServiceName ); if (NT_SUCCESS(status)) { if (serviceDllString = PhQueryRegistryStringZ(keyHandle, L"ImagePath")) { PPH_STRING expandedString; if (expandedString = PhExpandEnvironmentStrings(&serviceDllString->sr)) { PH_STRINGREF fileName; PH_STRINGREF arguments; if (PhParseCommandLineFuzzy(&expandedString->sr, &fileName, &arguments, NULL)) { PhMoveReference(&serviceDllString, PhCreateString2(&fileName)); } else { PhSwapReference(&serviceDllString, expandedString); } PhDereferenceObject(expandedString); } } else { status = STATUS_NOT_FOUND; } NtClose(keyHandle); } if (NT_SUCCESS(status)) { *ServiceFileName = serviceDllString; } else { PhClearReference(&serviceDllString); } return status; } /** * Retrieves the ServiceDll value for a service from the registry. * * \param ServiceKeyName The full registry key name for the service. * \param ServiceDll Receives a pointer to the ServiceDll string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhpGetServiceDllName( _In_ PPH_STRING ServiceKeyName, _Out_ PPH_STRING* ServiceDll ) { PPH_STRING serviceDllString = NULL; NTSTATUS status; HANDLE keyHandle; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &ServiceKeyName->sr, 0 ); if (NT_SUCCESS(status)) { if (serviceDllString = PhQueryRegistryStringZ(keyHandle, L"ServiceDll")) { PPH_STRING expandedString; if (expandedString = PhExpandEnvironmentStrings(&serviceDllString->sr)) { PhMoveReference(&serviceDllString, expandedString); } } else { status = STATUS_NOT_FOUND; } NtClose(keyHandle); } if (NT_SUCCESS(status)) { *ServiceDll = serviceDllString; } else { PhClearReference(&serviceDllString); } return status; } /** * Retrieves the ServiceDll parameter for a service, handling user service instances. * * \param ServiceType The service type flags. * \param ServiceName The service name as a string reference. * \param ServiceDll Receives a pointer to the ServiceDll string. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceDllParameter( _In_ ULONG ServiceType, _In_ PPH_STRINGREF ServiceName, _Out_ PPH_STRING *ServiceDll ) { NTSTATUS status; PPH_STRING serviceDllString; PPH_STRING keyName; if (FlagOn(ServiceType, SERVICE_USERSERVICE_INSTANCE)) { PH_STRINGREF hostServiceName; PH_STRINGREF userSessionLuid; // The SCM creates multiple "user service instance" processes for each user session with the following template: // [Host Service Instance Name]_[LUID for Session] // The SCM internally uses the ServiceDll of the "host service instance" for all "user service instance" processes/services // and we need to parse the user service template and query the "host service instance" configuration. (hsebs) if (PhSplitStringRefAtLastChar(ServiceName, L'_', &hostServiceName, &userSessionLuid)) { keyName = PhGetServiceParametersKeyName(&hostServiceName); } else { keyName = PhGetServiceParametersKeyName(ServiceName); } } else { keyName = PhGetServiceParametersKeyName(ServiceName); } status = PhpGetServiceDllName( keyName, &serviceDllString ); PhDereferenceObject(keyName); if (NT_SUCCESS(status)) { *ServiceDll = serviceDllString; return STATUS_SUCCESS; } if ( (WindowsVersion == WINDOWS_8 || WindowsVersion == WINDOWS_8_1) && (status == STATUS_OBJECT_NAME_NOT_FOUND || status == STATUS_NOT_FOUND) ) { keyName = PhGetServiceKeyName(ServiceName); // Windows 8 places the ServiceDll for some services in the root key. (dmex) status = PhpGetServiceDllName( keyName, &serviceDllString ); PhDereferenceObject(keyName); if (NT_SUCCESS(status)) { *ServiceDll = serviceDllString; return STATUS_SUCCESS; } } return status; } /** * Retrieves the AppUserModelId value for a service from the registry. * * \param ServiceName The service name as a string reference. * \return A PPH_STRING containing the AppUserModelId, or NULL if not found. */ PPH_STRING PhGetServiceAppUserModelId( _In_ PPH_STRINGREF ServiceName ) { PPH_STRING serviceAppUserModelId = NULL; HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_READ, ServiceName ))) { serviceAppUserModelId = PhQueryRegistryStringZ(keyHandle, L"AppUserModelId"); NtClose(keyHandle); } return serviceAppUserModelId; } /** * Retrieves the BootFlags value for a service from the registry. * * \param ServiceName The service name as a string reference. * \return The BootFlags value, or 0 if not found. */ ULONG PhGetServiceBootFlags( _In_ PPH_STRINGREF ServiceName ) { ULONG serviceBootFlags = 0; HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_READ, ServiceName ))) { serviceBootFlags = PhQueryRegistryUlongZ(keyHandle, L"BootFlags"); NtClose(keyHandle); } if (serviceBootFlags == ULONG_MAX) { PPH_STRING serviceKeyName; serviceKeyName = PhGetServiceParametersKeyName(ServiceName); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &serviceKeyName->sr, 0 ))) { serviceBootFlags = PhQueryRegistryUlongZ(keyHandle, L"BootFlags"); NtClose(keyHandle); } PhDereferenceObject(serviceKeyName); } return serviceBootFlags; } /** * Retrieves the UserServiceFlags value for a service from the registry. * * \param ServiceName The service name as a string reference. * \return The UserServiceFlags value, or 0 if not found. */ ULONG PhGetServiceUserFlags( _In_ PPH_STRINGREF ServiceName ) { ULONG userServiceFlags = 0; HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_READ, ServiceName ))) { userServiceFlags = PhQueryRegistryUlongZ(keyHandle, L"UserServiceFlags"); NtClose(keyHandle); } if (userServiceFlags == ULONG_MAX) userServiceFlags = 0; return userServiceFlags; } /** * Retrieves the PackageFullName value for a service. * * \param ServiceName Name of the service. * \return A PPH_STRING containing the PackageFullName, or NULL if not found. */ PPH_STRING PhGetServicePackageFullName( _In_ PPH_STRINGREF ServiceName ) { PPH_STRING servicePackageName = NULL; HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_READ, ServiceName ))) { servicePackageName = PhQueryRegistryStringZ(keyHandle, L"PackageFullName"); NtClose(keyHandle); } return servicePackageName; } /** * Queries the Group value for a service. * * \param ServiceName Name of the service. * \return A PPH_STRING containing the GroupName, or NULL if not found. */ PPH_STRING PhGetServiceGroupName( _In_ PPH_STRINGREF ServiceName ) { PPH_STRING groupName = NULL; HANDLE keyHandle; if (NT_SUCCESS(PhOpenServiceKey( &keyHandle, KEY_READ, ServiceName ))) { groupName = PhQueryRegistryStringZ(keyHandle, L"Group"); NtClose(keyHandle); } return groupName; } PPH_STRING PhGetEarlyStartServices( VOID ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Control"); PPH_STRING earlyStartServices = NULL; NTSTATUS status; HANDLE keyHandle; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &servicesKeyName, 0 ); if (NT_SUCCESS(status)) { earlyStartServices = PhQueryRegistryStringZ(keyHandle, L"EarlyStartServices"); NtClose(keyHandle); } return earlyStartServices; } PPH_STRING PhGetSvchostGroup( _In_ PPH_STRINGREF GroupName ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"); PPH_STRING string = NULL; NTSTATUS status; HANDLE keyHandle; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &servicesKeyName, 0 ); if (NT_SUCCESS(status)) { string = PhQueryRegistryString(keyHandle, GroupName); NtClose(keyHandle); } return string; } PPH_STRING PhGetSvchostGroupKeyName( _In_ PPH_STRINGREF GroupName ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"); static CONST PH_STRINGREF servicesKeySeperatorName = PH_STRINGREF_INIT(L"\\"); return PhConcatStringRef3(&servicesKeyName, &servicesKeySeperatorName, GroupName); } PPH_SVC_HOST_POLICY_INFO PhGetSvchostGroupPolicy( _In_ PPH_STRINGREF ServiceName ) { PPH_SVC_HOST_POLICY_INFO policyInfo = NULL; PPH_STRING keyName; NTSTATUS status; HANDLE keyHandle; keyName = PhGetServiceKeyName(ServiceName); status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &keyName->sr, 0 ); if (NT_SUCCESS(status)) { policyInfo = PhAllocateZero(sizeof(PH_SVC_HOST_POLICY_INFO)); policyInfo->AuthenticationCapabilities = PhQueryRegistryUlongZ(keyHandle, L"AuthenticationCapabilities"); policyInfo->AuthenticationLevel = PhQueryRegistryUlongZ(keyHandle, L"AuthenticationLevel"); policyInfo->BinarySignaturePolicy = PhQueryRegistryUlongZ(keyHandle, L"BinarySignaturePolicy"); policyInfo->CoInitializeSecurityAllowComCapability = PhQueryRegistryUlongZ(keyHandle, L"CoInitializeSecurityAllowComCapability"); policyInfo->CoInitializeSecurityAllowCrossContainer = PhQueryRegistryUlongZ(keyHandle, L"CoInitializeSecurityAllowInteractiveUsers"); policyInfo->CoInitializeSecurityAllowLowBox = PhQueryRegistryUlongZ(keyHandle, L"CoInitializeSecurityAllowLowBox"); policyInfo->CoInitializeSecurityParam = PhQueryRegistryUlongZ(keyHandle, L"CoInitializeSecurityParam"); policyInfo->COM_UnmarshalingPolicy = PhQueryRegistryUlongZ(keyHandle, L"COM_UnmarshalingPolicy"); policyInfo->DefaultRpcStackSize = PhQueryRegistryUlongZ(keyHandle, L"DefaultRpcStackSize"); policyInfo->DynamicCodePolicy = PhQueryRegistryUlongZ(keyHandle, L"DynamicCodePolicy"); policyInfo->ImpersonationLevel = PhQueryRegistryUlongZ(keyHandle, L"ImpersonationLevel"); policyInfo->RedirectionTrustPolicy = PhQueryRegistryUlongZ(keyHandle, L"RedirectionTrustPolicy"); policyInfo->RpcExceptionFilterMode = PhQueryRegistryUlongZ(keyHandle, L"RpcExceptionFilterMode"); //KEY_VALUE_PARTIAL_INFORMATION keyValueInfo; //status = PhQueryValueKeyZ( // keyHandle, // L"COMAccessPermissionsSD", // KeyValuePartialInformation, // &keyValueInfo // ); NtClose(keyHandle); } PhDereferenceObject(keyName); return policyInfo; } NTSTATUS PhWaitForServiceStatus( _In_ SC_HANDLE ServiceHandle, _In_ ULONG WaitForState, _In_ ULONG Timeout ) { NTSTATUS status; SERVICE_STATUS_PROCESS serviceStatus; ULONG64 startTick; ULONG64 lastProgressTick; ULONG serviceCheck; status = PhQueryServiceStatus(ServiceHandle, &serviceStatus); if (!NT_SUCCESS(status)) return status; if (serviceStatus.dwCurrentState == WaitForState) return STATUS_SUCCESS; startTick = NtGetTickCount64(); lastProgressTick = startTick; serviceCheck = serviceStatus.dwCheckPoint; while ( serviceStatus.dwCurrentState == SERVICE_START_PENDING || serviceStatus.dwCurrentState == SERVICE_STOP_PENDING || serviceStatus.dwCurrentState == SERVICE_CONTINUE_PENDING || serviceStatus.dwCurrentState == SERVICE_PAUSE_PENDING ) { ULONG statusWaitHint = serviceStatus.dwWaitHint / 10; ULONG64 nowTick; if (statusWaitHint < 1000) statusWaitHint = 1000; if (statusWaitHint > 10000) statusWaitHint = 10000; PhDelayExecution(statusWaitHint); status = PhQueryServiceStatus(ServiceHandle, &serviceStatus); if (!NT_SUCCESS(status)) return status; if (serviceStatus.dwCurrentState == WaitForState) return STATUS_SUCCESS; if (!( serviceStatus.dwCurrentState == SERVICE_START_PENDING || serviceStatus.dwCurrentState == SERVICE_STOP_PENDING || serviceStatus.dwCurrentState == SERVICE_CONTINUE_PENDING || serviceStatus.dwCurrentState == SERVICE_PAUSE_PENDING )) { return STATUS_SUCCESS; } nowTick = NtGetTickCount64(); if (serviceStatus.dwCheckPoint > serviceCheck) { serviceCheck = serviceStatus.dwCheckPoint; lastProgressTick = nowTick; } else if ((nowTick - lastProgressTick) > serviceStatus.dwWaitHint) { // Service doesn't report progress. } if (Timeout && (nowTick - startTick) > Timeout) { return STATUS_TIMEOUT; // STATUS_IO_TIMEOUT } } return STATUS_SUCCESS; } /** * Queries whether a service is configured for SafeBoot (Safe Mode or Safe Mode with Networking). * * \param ServiceName Name of the service. * \param DriverName Name of the service. * \param SafeModeNormal Receives TRUE if the service is configured to start in Safe Mode. * \param SafeModeNetwork Receives TRUE if the service is configured to start in Safe Mode with Network. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceSafeBootStart( _In_opt_ PPH_STRINGREF ServiceName, _In_opt_ PPH_STRINGREF DriverName, _Out_ PBOOLEAN SafeModeNormal, _Out_ PBOOLEAN SafeModeNetwork ) { static CONST PH_STRINGREF keyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Control\\SafeBoot"); static CONST PH_STRINGREF keyNameSafeBoot[] = { PH_STRINGREF_INIT(L"Minimal"), PH_STRINGREF_INIT(L"Network") }; NTSTATUS status; HANDLE safeBootKeyHandle = NULL; HANDLE groupKeyHandle = NULL; HANDLE serviceKeyHandle = NULL; BOOLEAN safeModeNormalFound = FALSE; BOOLEAN safeModeNetworkFound = FALSE; *SafeModeNormal = FALSE; *SafeModeNetwork = FALSE; status = PhOpenKey( &safeBootKeyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &keyName, 0 ); if (!NT_SUCCESS(status)) return status; for (ULONG i = 0; i < RTL_NUMBER_OF(keyNameSafeBoot); i++) { if (NT_SUCCESS(PhOpenKey( &groupKeyHandle, KEY_READ, safeBootKeyHandle, &keyNameSafeBoot[i], 0 ))) { if (ServiceName && PhOpenKey( &serviceKeyHandle, KEY_READ, groupKeyHandle, ServiceName, 0 )) { if (i == 0) safeModeNormalFound = TRUE; else if (i == 1) safeModeNetworkFound = TRUE; NtClose(serviceKeyHandle); } if (DriverName && PhOpenKey( &serviceKeyHandle, KEY_READ, groupKeyHandle, DriverName, 0 )) { if (i == 0) safeModeNormalFound = TRUE; else if (i == 1) safeModeNetworkFound = TRUE; NtClose(serviceKeyHandle); } NtClose(groupKeyHandle); } } NtClose(safeBootKeyHandle); *SafeModeNormal = safeModeNormalFound; *SafeModeNetwork = safeModeNetworkFound; return STATUS_SUCCESS; } /** * Retrieves the security descriptor for a service directly from the registry. * * \param ServiceName Name of the service. * \param SecurityDescriptor Receives a pointer to the security descriptor. Caller must free with PhFree. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetServiceRegistrySecurityDescriptor( _In_ PPH_STRINGREF ServiceName, _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor ) { static const PH_STRINGREF securityKeyName = PH_STRINGREF_INIT(L"Security"); NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE keyHandle = NULL; PKEY_VALUE_PARTIAL_INFORMATION keyValueInfo; PPH_STRING serviceKeyName = NULL; PVOID buffer = NULL; ULONG bufferSize = 0; ULONG resultLength = 0; *SecurityDescriptor = NULL; // Build the full registry path: System\CurrentControlSet\Services\\Security serviceKeyName = PhGetServiceKeyName(ServiceName); if (!serviceKeyName) { return STATUS_NO_MEMORY; } // Append "\Security" to the service key name PhSwapReference(&serviceKeyName, PhConcatStringRef3( &serviceKeyName->sr, &PhNtPathSeparatorString, &securityKeyName )); status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &serviceKeyName->sr, 0 ); PhDereferenceObject(serviceKeyName); if (!NT_SUCCESS(status)) return status; status = PhQueryValueKey( keyHandle, &securityKeyName, KeyValuePartialInformation, &keyValueInfo ); if (NT_SUCCESS(status)) { if (keyValueInfo->Type == REG_BINARY) { RtlMoveMemory(SecurityDescriptor, keyValueInfo->Data, keyValueInfo->DataLength); return STATUS_SUCCESS; } else { status = STATUS_INVALID_SECURITY_DESCR; } NtClose(keyHandle); } else if (NT_SUCCESS(status) && bufferSize == 0) { status = STATUS_INVALID_SECURITY_DESCR; } PhFree(buffer); return status; } /** * Builds the full registry key name for a service into a caller-supplied buffer. * * \param ServiceName Name of the service. * \param Buffer Buffer to receive the key name. * \param BufferLength Length of the buffer in characters. * \param RequiredLength Receives the required length in characters (including null terminator). * \return TRUE if successful, FALSE if the buffer is too small. */ _Success_(return) BOOLEAN PhGetServiceKeyNameToBuffer( _In_ PPH_STRINGREF ServiceName, _Out_writes_to_opt_(BufferLength, *RequiredLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T RequiredLength ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Services"); SIZE_T totalLength = servicesKeyName.Length / sizeof(WCHAR) + ServiceName->Length / sizeof(WCHAR); SIZE_T requiredLength = totalLength + 1; if (RequiredLength) { *RequiredLength = requiredLength; } if (BufferLength < requiredLength) return FALSE; memcpy(Buffer, servicesKeyName.Buffer, servicesKeyName.Length); memcpy(Buffer + (servicesKeyName.Length / sizeof(WCHAR)), ServiceName->Buffer, ServiceName->Length); Buffer[totalLength] = 0; return TRUE; } /** * Builds the full registry key name for a service's Parameters subkey into a caller-supplied buffer. * * \param ServiceName Name of the service. * \param Buffer Buffer to receive the key name. * \param BufferLength Length of the buffer in characters. * \param RequiredLength Receives the required length in characters (including null terminator). * \return TRUE if successful, FALSE if the buffer is too small. */ _Success_(return) BOOLEAN PhGetServiceParametersKeyNameToBuffer( _In_ PPH_STRINGREF ServiceName, _Out_writes_to_opt_(BufferLength, *RequiredLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T RequiredLength ) { static CONST PH_STRINGREF servicesKeyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Services"); static CONST PH_STRINGREF parametersKeyName = PH_STRINGREF_INIT(L"\\Parameters"); SIZE_T totalLength; SIZE_T requiredLength; totalLength = servicesKeyName.Length / sizeof(WCHAR) + ServiceName->Length / sizeof(WCHAR) + parametersKeyName.Length / sizeof(WCHAR); requiredLength = totalLength + 1; if (RequiredLength) { *RequiredLength = requiredLength; } if (BufferLength < requiredLength) { return FALSE; } memcpy(Buffer, servicesKeyName.Buffer, servicesKeyName.Length); memcpy(Buffer + (servicesKeyName.Length / sizeof(WCHAR)), ServiceName->Buffer, ServiceName->Length); memcpy(Buffer + (servicesKeyName.Length / sizeof(WCHAR)) + (ServiceName->Length / sizeof(WCHAR)), parametersKeyName.Buffer, parametersKeyName.Length); Buffer[totalLength] = 0; return TRUE; } ================================================ FILE: phlib/symprv.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * dmex 2017-2023 * */ #include #include #include #include #include #include #include #include #include #include #include #if defined(_ARM64_) #define PH_THREAD_STACK_NATIVE_MACHINE IMAGE_FILE_MACHINE_ARM64 #elif defined(_AMD64_) #define PH_THREAD_STACK_NATIVE_MACHINE IMAGE_FILE_MACHINE_AMD64 #else #define PH_THREAD_STACK_NATIVE_MACHINE IMAGE_FILE_MACHINE_I386 #endif #if defined(_ARM64_) #define PAC_DECODE_ADDRESS(Address) ((Address) & ~(USER_SHARED_DATA->UserPointerAuthMask)) #endif typedef struct _PH_SYMBOL_MODULE { LIST_ENTRY ListEntry; PH_AVL_LINKS Links; PVOID BaseAddress; ULONG Size; PPH_STRING FileName; USHORT Machine; USHORT MappedMachine; } PH_SYMBOL_MODULE, *PPH_SYMBOL_MODULE; _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpSymbolProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ); BOOLEAN PhpRegisterSymbolProvider( _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider ); VOID PhpUnregisterSymbolProvider( _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider ); VOID PhpFreeSymbolModule( _In_ PPH_SYMBOL_MODULE SymbolModule ); _Function_class_(PH_AVL_TREE_COMPARE_FUNCTION) LONG NTAPI PhpSymbolModuleCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ); PPH_OBJECT_TYPE PhSymbolProviderType = NULL; PH_CALLBACK_DECLARE(PhSymbolEventCallback); static PH_INITONCE PhSymInitOnce = PH_INITONCE_INIT; static HANDLE PhNextFakeHandle = (HANDLE)0; static PH_FAST_LOCK PhSymMutex = PH_FAST_LOCK_INIT; #if defined(PH_SYMEVNT_WORKQUEUE) static PH_FREE_LIST PhSymEventFreeList; #endif #define PH_LOCK_SYMBOLS() PhAcquireFastLockExclusive(&PhSymMutex) #define PH_UNLOCK_SYMBOLS() PhReleaseFastLockExclusive(&PhSymMutex) typeof(&SymInitializeW) SymInitializeW_I = NULL; typeof(&SymCleanup) SymCleanup_I = NULL; typeof(&SymEnumSymbolsW) SymEnumSymbolsW_I = NULL; typeof(&SymFromAddrW) SymFromAddrW_I = NULL; typeof(&SymFromNameW) SymFromNameW_I = NULL; typeof(&SymGetLineFromAddrW64) SymGetLineFromAddrW64_I = NULL; typeof(&SymLoadModuleExW) SymLoadModuleExW_I = NULL; typeof(&SymGetOptions) SymGetOptions_I = NULL; typeof(&SymSetOptions) SymSetOptions_I = NULL; typeof(&SymSetSearchPathW) SymSetSearchPathW_I = NULL; typeof(&SymFunctionTableAccess64) SymFunctionTableAccess64_I = NULL; typeof(&SymGetModuleBase64) SymGetModuleBase64_I = NULL; typeof(&SymRegisterCallbackW64) SymRegisterCallbackW64_I = NULL; typeof(&StackWalk64) StackWalk64_I = NULL; typeof(&StackWalkEx) StackWalkEx_I = NULL; typeof(&SymFromInlineContextW) SymFromInlineContextW_I = NULL; typeof(&SymGetLineFromInlineContextW) SymGetLineFromInlineContextW_I = NULL; typeof(&MiniDumpWriteDump) MiniDumpWriteDump_I = NULL; typeof(&UnDecorateSymbolNameW) UnDecorateSymbolNameW_I = NULL; _SymGetDiaSource SymGetDiaSource_I = NULL; _SymGetDiaSession SymGetDiaSession_I = NULL; _SymFreeDiaString SymFreeDiaString_I = NULL; static ULONG PhSymbolProviderInternalOptions = PH_SYMOPT_VERIFY_MICROSOFT_CHAIN; PPH_SYMBOL_PROVIDER PhCreateSymbolProvider( _In_opt_ HANDLE ProcessId ) { static PH_INITONCE symbolProviderInitOnce = PH_INITONCE_INIT; PPH_SYMBOL_PROVIDER symbolProvider; if (PhBeginInitOnce(&symbolProviderInitOnce)) { PhSymbolProviderType = PhCreateObjectType(L"SymbolProvider", 0, PhpSymbolProviderDeleteProcedure); PhEndInitOnce(&symbolProviderInitOnce); } symbolProvider = PhCreateObject(sizeof(PH_SYMBOL_PROVIDER), PhSymbolProviderType); memset(symbolProvider, 0, sizeof(PH_SYMBOL_PROVIDER)); InitializeListHead(&symbolProvider->ModulesListHead); PhInitializeQueuedLock(&symbolProvider->ModulesListLock); PhInitializeAvlTree(&symbolProvider->ModulesSet, PhpSymbolModuleCompareFunction); PhInitializeInitOnce(&symbolProvider->InitOnce); if (ProcessId) { static const ACCESS_MASK accesses[] = { //STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xfff, // pre-Vista full access PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, MAXIMUM_ALLOWED }; // Try to open the process with many different accesses. // This handle will be re-used when walking stacks, and doing various other things. for (ULONG i = 0; i < sizeof(accesses) / sizeof(ACCESS_MASK); i++) { if (NT_SUCCESS(PhOpenProcess(&symbolProvider->ProcessHandle, accesses[i], ProcessId))) { symbolProvider->IsRealHandle = TRUE; break; } } } if (!symbolProvider->IsRealHandle) { HANDLE fakeHandle; // Just generate a fake handle. fakeHandle = (HANDLE)_InterlockedExchangeAddPointer((PLONG_PTR)&PhNextFakeHandle, 4); // Add one to make sure it isn't divisible by 4 (so it can't be mistaken for a real handle). symbolProvider->ProcessHandle = (HANDLE)((ULONG_PTR)fakeHandle + 1); } return symbolProvider; } _Function_class_(PH_TYPE_DELETE_PROCEDURE) VOID NTAPI PhpSymbolProviderDeleteProcedure( _In_ PVOID Object, _In_ ULONG Flags ) { PPH_SYMBOL_PROVIDER symbolProvider = (PPH_SYMBOL_PROVIDER)Object; PLIST_ENTRY listEntry; PhpUnregisterSymbolProvider(symbolProvider); listEntry = symbolProvider->ModulesListHead.Flink; while (listEntry != &symbolProvider->ModulesListHead) { PPH_SYMBOL_MODULE module; module = CONTAINING_RECORD(listEntry, PH_SYMBOL_MODULE, ListEntry); listEntry = listEntry->Flink; PhpFreeSymbolModule(module); } if (symbolProvider->IsRealHandle) NtClose(symbolProvider->ProcessHandle); } #if defined(PH_SYMEVNT_WORKQUEUE) _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpSymbolProviderCallbackWorkItem( _In_ PVOID Context ) { PPH_SYMBOL_EVENT_DATA data = Context; PhInvokeCallback(&PhSymbolEventCallback, data); PhClearReference(&data->EventMessage); PhFreeToFreeList(&PhSymEventFreeList, data); return STATUS_SUCCESS; } #endif static VOID PhpSymbolProviderInvokeCallback( _In_ ULONG EventType, _In_opt_ PPH_STRING EventMessage, _In_opt_ ULONG64 EventProgress ) { #if defined(PH_SYMEVNT_WORKQUEUE) PPH_SYMBOL_EVENT_DATA data; data = PhAllocateFromFreeList(&PhSymEventFreeList); memset(data, 0, sizeof(PH_SYMBOL_EVENT_DATA)); data->EventType = EventType; data->EventProgress = EventProgress; PhSetReference(&data->EventMessage, EventMessage); if (!NT_SUCCESS(PhQueueUserWorkItem(PhpSymbolProviderCallbackWorkItem, data))) { PhClearReference(&data->EventMessage); PhFreeToFreeList(&PhSymEventFreeList, data); } #else PH_SYMBOL_EVENT_DATA data; memset(&data, 0, sizeof(PH_SYMBOL_EVENT_DATA)); data.EventType = EventType; data.EventMessage = EventMessage; data.EventProgress = EventProgress; PhInvokeCallback(&PhSymbolEventCallback, &data); #endif } static VOID PhpSymbolProviderEventCallback( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ ULONG ActionCode, _In_ ULONG64 CallbackData ) { static PPH_STRING PhSymbolProviderEventMessageText = NULL; switch (ActionCode) { case CBA_DEFERRED_SYMBOL_LOAD_START: { PIMAGEHLP_DEFERRED_SYMBOL_LOADW64 callbackData = (PIMAGEHLP_DEFERRED_SYMBOL_LOADW64)CallbackData; PPH_STRING fileName; if (PhGetModuleFromAddress(SymbolProvider, (PVOID)callbackData->BaseOfImage, &fileName)) { PPH_STRING baseName = PhGetBaseName(fileName); PH_FORMAT format[3]; // Loading symbols for %s... PhInitFormatS(&format[0], L"Loading symbols for "); PhInitFormatS(&format[1], PhGetStringOrDefault(baseName, L"image")); PhInitFormatS(&format[2], L"..."); PhMoveReference(&PhSymbolProviderEventMessageText, PhFormat(format, RTL_NUMBER_OF(format), 0)); PhpSymbolProviderInvokeCallback(PH_SYMBOL_EVENT_TYPE_LOAD_START, PhSymbolProviderEventMessageText, 0); PhClearReference(&baseName); PhDereferenceObject(fileName); } else { PH_FORMAT format[3]; // Loading symbols for %s... PhInitFormatS(&format[0], L"Loading symbols for "); PhInitFormatS(&format[1], L"image"); PhInitFormatS(&format[2], L"..."); PhMoveReference(&PhSymbolProviderEventMessageText, PhFormat(format, RTL_NUMBER_OF(format), 0)); PhpSymbolProviderInvokeCallback(PH_SYMBOL_EVENT_TYPE_LOAD_START, PhSymbolProviderEventMessageText, 0); } } break; case CBA_DEFERRED_SYMBOL_LOAD_COMPLETE: { PhClearReference(&PhSymbolProviderEventMessageText); PhpSymbolProviderInvokeCallback(PH_SYMBOL_EVENT_TYPE_LOAD_END, NULL, 0); } break; case CBA_XML_LOG: { PH_STRINGREF xmlStringRef; PhInitializeStringRefLongHint(&xmlStringRef, (PCWSTR)CallbackData); if (PhStartsWithStringRef2(&xmlStringRef, L""); if (progressEndIndex != SIZE_MAX) progressValueLength = progressEndIndex - progressStartIndex; if (progressValueLength != 0) { PPH_STRING valueString; ULONG64 integer = 0; valueString = PhSubstring( string, progressStartIndex + (RTL_NUMBER_OF(L"percent=\"") - 1), progressValueLength - (RTL_NUMBER_OF(L"percent=\"") - 1) ); if (PhStringToUInt64(&valueString->sr, 10, &integer)) { PPH_STRING status; PH_FORMAT format[4]; // %s %I64u%% PhInitFormatS(&format[0], PhGetStringOrEmpty(PhSymbolProviderEventMessageText)); PhInitFormatS(&format[1], L" "); PhInitFormatSR(&format[2], valueString->sr); PhInitFormatC(&format[3], L'%'); status = PhFormat(format, RTL_NUMBER_OF(format), 0); PhpSymbolProviderInvokeCallback(PH_SYMBOL_EVENT_TYPE_PROGRESS, status, integer); PhDereferenceObject(status); } PhDereferenceObject(valueString); } PhDereferenceObject(string); } } break; } } BOOL CALLBACK PhpSymbolCallbackFunction( _In_ HANDLE ProcessHandle, _In_ ULONG ActionCode, _In_opt_ ULONG64 CallbackData, _In_opt_ ULONG64 UserContext ) { PPH_SYMBOL_PROVIDER symbolProvider = (PPH_SYMBOL_PROVIDER)UserContext; if (!IsListEmpty(&PhSymbolEventCallback.ListHead)) { PhpSymbolProviderEventCallback(symbolProvider, ActionCode, CallbackData); } switch (ActionCode) { case CBA_DEFERRED_SYMBOL_LOAD_START: { PIMAGEHLP_DEFERRED_SYMBOL_LOADW64 callbackData = (PIMAGEHLP_DEFERRED_SYMBOL_LOADW64)CallbackData; PPH_STRING fileName; HANDLE fileHandle; if (PhGetModuleFromAddress(symbolProvider, (PVOID)callbackData->BaseOfImage, &fileName)) { if (NT_SUCCESS(PhCreateFile( &fileHandle, &fileName->sr, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { callbackData->FileName[0] = UNICODE_NULL; callbackData->hFile = fileHandle; PhDereferenceObject(fileName); return TRUE; } PhDereferenceObject(fileName); } } return FALSE; case CBA_DEFERRED_SYMBOL_LOAD_COMPLETE: { PIMAGEHLP_DEFERRED_SYMBOL_LOADW64 callbackData = (PIMAGEHLP_DEFERRED_SYMBOL_LOADW64)CallbackData; if (callbackData->hFile) { NtClose(callbackData->hFile); callbackData->hFile = NULL; } } return TRUE; // case CBA_READ_MEMORY: //#ifndef _ARM64_ // { // PIMAGEHLP_CBA_READ_MEMORY callbackData = (PIMAGEHLP_CBA_READ_MEMORY)CallbackData; // // if (symbolProvider->IsRealHandle) // { // if (NT_SUCCESS(PhReadVirtualMemory( // ProcessHandle, // (PVOID)callbackData->addr, // callbackData->buf, // (SIZE_T)callbackData->bytes, // (PSIZE_T)callbackData->bytesread // ))) // { // return TRUE; // } // } // } //#endif // return FALSE; case CBA_DEFERRED_SYMBOL_LOAD_CANCEL: { if (symbolProvider->Terminating) return TRUE; } break; } return FALSE; } VOID PhpSymbolProviderCompleteInitialization( VOID ) { static CONST PH_STRINGREF windowsKitsRootKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows Kits\\Installed Roots"); static CONST PH_STRINGREF dbgcoreFileName = PH_STRINGREF_INIT(L"dbgcore.dll"); // dbghelp.dll dependency required for MiniDumpWriteDump (dmex) static CONST PH_STRINGREF dbghelpFileName = PH_STRINGREF_INIT(L"dbghelp.dll"); static CONST PH_STRINGREF symsrvFileName = PH_STRINGREF_INIT(L"symsrv.dll"); PPH_STRING winsdkPath; PVOID dbgcoreHandle; PVOID dbghelpHandle; PVOID symsrvHandle; HANDLE keyHandle; if ( PhGetLoaderEntryDllBase(NULL, &dbgcoreFileName) && PhGetLoaderEntryDllBase(NULL, &dbghelpFileName) && PhGetLoaderEntryDllBase(NULL, &symsrvFileName) ) { return; } #if defined(PH_SYMEVNT_WORKQUEUE) PhInitializeFreeList(&PhSymEventFreeList, sizeof(PH_SYMBOL_EVENT_DATA), 5); #endif winsdkPath = NULL; dbgcoreHandle = NULL; dbghelpHandle = NULL; symsrvHandle = NULL; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &windowsKitsRootKeyName, 0 ))) { PhMoveReference(&winsdkPath, PhQueryRegistryStringZ(keyHandle, L"KitsRoot10")); // Windows 10 SDK if (PhIsNullOrEmptyString(winsdkPath)) PhMoveReference(&winsdkPath, PhQueryRegistryStringZ(keyHandle, L"KitsRoot81")); // Windows 8.1 SDK if (PhIsNullOrEmptyString(winsdkPath)) PhMoveReference(&winsdkPath, PhQueryRegistryStringZ(keyHandle, L"KitsRoot")); // Windows 8 SDK NtClose(keyHandle); } if (winsdkPath) { PPH_STRING dbgcoreName; PPH_STRING dbghelpName; PPH_STRING symsrvName; #if defined(_AMD64_) PhMoveReference(&winsdkPath, PhConcatStringRefZ(&winsdkPath->sr, L"\\Debuggers\\x64\\")); #elif defined(_ARM64_) PhMoveReference(&winsdkPath, PhConcatStringRefZ(&winsdkPath->sr, L"\\Debuggers\\arm64\\")); #else PhMoveReference(&winsdkPath, PhConcatStringRefZ(&winsdkPath->sr, L"\\Debuggers\\x86\\")); #endif if (dbgcoreName = PhConcatStringRef3(&PhWin32ExtendedPathPrefix, &winsdkPath->sr, &dbgcoreFileName)) { dbgcoreHandle = PhLoadLibrary(PhGetString(dbgcoreName)); PhDereferenceObject(dbgcoreName); } if (dbghelpName = PhConcatStringRef3(&PhWin32ExtendedPathPrefix, &winsdkPath->sr, &dbghelpFileName)) { dbghelpHandle = PhLoadLibrary(PhGetString(dbghelpName)); PhDereferenceObject(dbghelpName); } if (symsrvName = PhConcatStringRef3(&PhWin32ExtendedPathPrefix, &winsdkPath->sr, &symsrvFileName)) { symsrvHandle = PhLoadLibrary(PhGetString(symsrvName)); PhDereferenceObject(symsrvName); } PhDereferenceObject(winsdkPath); } if (!dbghelpHandle) { PPH_STRING applicationDirectory; PPH_STRING dbgcoreName; PPH_STRING dbghelpName; PPH_STRING symsrvName; if (applicationDirectory = PhGetApplicationDirectoryWin32()) { if (dbgcoreName = PhConcatStringRef3(&PhWin32ExtendedPathPrefix, &applicationDirectory->sr, &dbgcoreFileName)) { dbgcoreHandle = PhLoadLibrary(dbgcoreName->Buffer); PhDereferenceObject(dbgcoreName); } if (dbghelpName = PhConcatStringRef3(&PhWin32ExtendedPathPrefix, &applicationDirectory->sr, &dbghelpFileName)) { dbghelpHandle = PhLoadLibrary(dbghelpName->Buffer); PhDereferenceObject(dbghelpName); } if (symsrvName = PhConcatStringRef3(&PhWin32ExtendedPathPrefix, &applicationDirectory->sr, &symsrvFileName)) { symsrvHandle = PhLoadLibrary(symsrvName->Buffer); PhDereferenceObject(symsrvName); } PhDereferenceObject(applicationDirectory); } } if (!dbgcoreHandle) dbgcoreHandle = PhLoadLibrary(L"dbgcore.dll"); if (!dbghelpHandle) dbghelpHandle = PhLoadLibrary(L"dbghelp.dll"); if (!symsrvHandle) symsrvHandle = PhLoadLibrary(L"symsrv.dll"); if (dbgcoreHandle) { MiniDumpWriteDump_I = PhGetDllBaseProcedureAddress(dbgcoreHandle, "MiniDumpWriteDump", 0); } if (dbghelpHandle) { SymInitializeW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymInitializeW", 0); SymCleanup_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymCleanup", 0); SymFromAddrW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymFromAddrW", 0); SymFromNameW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymFromNameW", 0); SymGetLineFromAddrW64_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymGetLineFromAddrW64", 0); SymLoadModuleExW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymLoadModuleExW", 0); SymGetOptions_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymGetOptions", 0); SymSetOptions_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymSetOptions", 0); SymSetSearchPathW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymSetSearchPathW", 0); SymFunctionTableAccess64_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymFunctionTableAccess64", 0); SymGetModuleBase64_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymGetModuleBase64", 0); SymRegisterCallbackW64_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymRegisterCallbackW64", 0); StackWalk64_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "StackWalk64", 0); StackWalkEx_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "StackWalkEx", 0); SymFromInlineContextW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymFromInlineContextW", 0); SymGetLineFromInlineContextW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "SymGetLineFromInlineContextW", 0); UnDecorateSymbolNameW_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "UnDecorateSymbolNameW", 0); if (!MiniDumpWriteDump_I) { MiniDumpWriteDump_I = PhGetDllBaseProcedureAddress(dbghelpHandle, "MiniDumpWriteDump", 0); } } } BOOLEAN PhpRegisterSymbolProvider( _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider ) { if (PhBeginInitOnce(&PhSymInitOnce)) { PhpSymbolProviderCompleteInitialization(); if (SymGetOptions_I && SymSetOptions_I) { PH_LOCK_SYMBOLS(); SymSetOptions_I( SymGetOptions_I() | SYMOPT_AUTO_PUBLICS | SYMOPT_CASE_INSENSITIVE | SYMOPT_DEFERRED_LOADS | SYMOPT_FAIL_CRITICAL_ERRORS | SYMOPT_INCLUDE_32BIT_MODULES | SYMOPT_LOAD_LINES | SYMOPT_OMAP_FIND_NEAREST | SYMOPT_UNDNAME // | SYMOPT_DEBUG ); PH_UNLOCK_SYMBOLS(); } PhEndInitOnce(&PhSymInitOnce); } if (!SymbolProvider) return FALSE; if (PhBeginInitOnce(&SymbolProvider->InitOnce)) { if (SymInitializeW_I) { PH_LOCK_SYMBOLS(); SymInitializeW_I(SymbolProvider->ProcessHandle, NULL, FALSE); if (SymRegisterCallbackW64_I) SymRegisterCallbackW64_I(SymbolProvider->ProcessHandle, PhpSymbolCallbackFunction, (ULONG64)SymbolProvider); PH_UNLOCK_SYMBOLS(); SymbolProvider->IsRegistered = TRUE; } PhEndInitOnce(&SymbolProvider->InitOnce); } return SymbolProvider->IsRegistered; } VOID PhpUnregisterSymbolProvider( _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider ) { if (!SymbolProvider) return; if (SymbolProvider->Terminating) return; SymbolProvider->Terminating = TRUE; if (SymCleanup_I) { if (SymbolProvider->IsRegistered) { PH_LOCK_SYMBOLS(); SymCleanup_I(SymbolProvider->ProcessHandle); PH_UNLOCK_SYMBOLS(); } SymbolProvider->IsRegistered = FALSE; } } VOID PhpFreeSymbolModule( _In_ PPH_SYMBOL_MODULE SymbolModule ) { if (SymbolModule->FileName) PhDereferenceObject(SymbolModule->FileName); PhFree(SymbolModule); } _Function_class_(PH_AVL_TREE_COMPARE_FUNCTION) LONG NTAPI PhpSymbolModuleCompareFunction( _In_ PPH_AVL_LINKS Links1, _In_ PPH_AVL_LINKS Links2 ) { PPH_SYMBOL_MODULE symbolModule1 = CONTAINING_RECORD(Links1, PH_SYMBOL_MODULE, Links); PPH_SYMBOL_MODULE symbolModule2 = CONTAINING_RECORD(Links2, PH_SYMBOL_MODULE, Links); return uintptrcmp((ULONG_PTR)symbolModule1->BaseAddress, (ULONG_PTR)symbolModule2->BaseAddress); } _Success_(return) BOOLEAN PhGetLineFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_ PPH_STRING *FileName, _Out_opt_ PULONG Displacement, _Out_opt_ PPH_SYMBOL_LINE_INFORMATION Information ) { IMAGEHLP_LINEW64 line; BOOL result; ULONG displacement; PPH_STRING fileName; if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymGetLineFromAddrW64_I) return FALSE; line.SizeOfStruct = sizeof(IMAGEHLP_LINEW64); PH_LOCK_SYMBOLS(); result = SymGetLineFromAddrW64_I( SymbolProvider->ProcessHandle, (ULONG64)Address, &displacement, &line ); PH_UNLOCK_SYMBOLS(); if (result) fileName = PhCreateString(line.FileName); else return FALSE; *FileName = fileName; if (Displacement) *Displacement = displacement; if (Information) { Information->LineNumber = line.LineNumber; Information->Address = line.Address; } return TRUE; } _Success_(return != 0) PVOID PhGetModuleFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_opt_ PPH_STRING *FileName ) { PH_SYMBOL_MODULE lookupModule; PPH_AVL_LINKS links; PPH_SYMBOL_MODULE module; PPH_STRING foundFileName; PVOID foundBaseAddress; foundFileName = NULL; foundBaseAddress = NULL; PhAcquireQueuedLockShared(&SymbolProvider->ModulesListLock); // Do an approximate search on the modules set to locate the module with the largest // base address that is still smaller than the given address. lookupModule.BaseAddress = Address; links = PhUpperDualBoundElementAvlTree(&SymbolProvider->ModulesSet, &lookupModule.Links); if (links) { module = CONTAINING_RECORD(links, PH_SYMBOL_MODULE, Links); if ((ULONG_PTR)Address < (ULONG_PTR)PTR_ADD_OFFSET(module->BaseAddress, module->Size)) { PhSetReference(&foundFileName, module->FileName); foundBaseAddress = module->BaseAddress; } } PhReleaseQueuedLockShared(&SymbolProvider->ModulesListLock); if (foundFileName) { if (FileName) { *FileName = foundFileName; } else { PhDereferenceObject(foundFileName); } } return foundBaseAddress; } PPH_SYMBOL_MODULE PhGetSymbolModuleFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address ) { PPH_SYMBOL_MODULE module = NULL; PH_SYMBOL_MODULE lookupModule; PPH_AVL_LINKS links; PhAcquireQueuedLockShared(&SymbolProvider->ModulesListLock); // Do an approximate search on the modules set to locate the module with the largest // base address that is still smaller than the given address. lookupModule.BaseAddress = Address; links = PhUpperDualBoundElementAvlTree(&SymbolProvider->ModulesSet, &lookupModule.Links); if (links) { PPH_SYMBOL_MODULE entry = CONTAINING_RECORD(links, PH_SYMBOL_MODULE, Links); if ((ULONG_PTR)Address < (ULONG_PTR)PTR_ADD_OFFSET(entry->BaseAddress, entry->Size)) { module = entry; } } PhReleaseQueuedLockShared(&SymbolProvider->ModulesListLock); return module; } USHORT PhpGetMachineForAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_opt_ HANDLE ProcessHandle, _In_ PVOID Address ) { PH_SYMBOL_MODULE lookupModule; PPH_AVL_LINKS links; PPH_SYMBOL_MODULE module; USHORT machine; #ifdef _ARM64_ BOOLEAN isEcCode; #endif machine = IMAGE_FILE_MACHINE_UNKNOWN; PhAcquireQueuedLockShared(&SymbolProvider->ModulesListLock); // Do an approximate search on the modules set to locate the module with the largest // base address that is still smaller than the given address. lookupModule.BaseAddress = Address; links = PhUpperDualBoundElementAvlTree(&SymbolProvider->ModulesSet, &lookupModule.Links); if (links) { module = CONTAINING_RECORD(links, PH_SYMBOL_MODULE, Links); if (module->Machine && ((ULONG_PTR)Address < (ULONG_PTR)PTR_ADD_OFFSET(module->BaseAddress, module->Size))) machine = module->Machine; } PhReleaseQueuedLockShared(&SymbolProvider->ModulesListLock); if (!ProcessHandle) return machine; #ifdef _ARM64_ if (machine == IMAGE_FILE_MACHINE_UNKNOWN) { if (NT_SUCCESS(PhIsEcCode(ProcessHandle, Address, &isEcCode))) { if (isEcCode) machine = IMAGE_FILE_MACHINE_ARM64EC; else machine = IMAGE_FILE_MACHINE_AMD64; } } else if (machine == IMAGE_FILE_MACHINE_ARM64 || machine == IMAGE_FILE_MACHINE_AMD64) { if (NT_SUCCESS(PhIsEcCode(ProcessHandle, Address, &isEcCode)) && isEcCode) machine = IMAGE_FILE_MACHINE_ARM64EC; } #endif return machine; } VOID PhpSymbolInfoAnsiToUnicode( _Out_ PSYMBOL_INFOW SymbolInfoW, _In_ PSYMBOL_INFO SymbolInfoA ) { SymbolInfoW->TypeIndex = SymbolInfoA->TypeIndex; SymbolInfoW->Index = SymbolInfoA->Index; SymbolInfoW->Size = SymbolInfoA->Size; SymbolInfoW->ModBase = SymbolInfoA->ModBase; SymbolInfoW->Flags = SymbolInfoA->Flags; SymbolInfoW->Value = SymbolInfoA->Value; SymbolInfoW->Address = SymbolInfoA->Address; SymbolInfoW->Register = SymbolInfoA->Register; SymbolInfoW->Scope = SymbolInfoA->Scope; SymbolInfoW->Tag = SymbolInfoA->Tag; SymbolInfoW->NameLen = 0; if (SymbolInfoA->NameLen != 0 && SymbolInfoW->MaxNameLen != 0) { ULONG copyCount; copyCount = min(SymbolInfoA->NameLen, SymbolInfoW->MaxNameLen - 1); if (NT_SUCCESS(PhCopyStringZFromMultiByte( SymbolInfoA->Name, copyCount, SymbolInfoW->Name, SymbolInfoW->MaxNameLen, NULL ))) { SymbolInfoW->NameLen = copyCount; } } } _Success_(return != NULL) PPH_STRING PhGetSymbolFromAddress( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel, _Out_opt_ PPH_STRING *FileName, _Out_opt_ PPH_STRING *SymbolName, _Out_opt_ PULONG64 Displacement ) { PSYMBOL_INFOW symbolInfo; ULONG nameLength; PPH_STRING symbol = NULL; PH_SYMBOL_RESOLVE_LEVEL resolveLevel; ULONG64 displacement; PPH_STRING modFileName = NULL; PPH_STRING modBaseName = NULL; PVOID modBase = NULL; PPH_STRING symbolName = NULL; if (Address == NULL) { if (ResolveLevel) *ResolveLevel = PhsrlInvalid; if (FileName) *FileName = NULL; if (SymbolName) *SymbolName = NULL; if (Displacement) *Displacement = 0; return NULL; } if (!PhpRegisterSymbolProvider(SymbolProvider)) return NULL; if (!SymFromAddrW_I) return NULL; symbolInfo = PhAllocateZero(FIELD_OFFSET(SYMBOL_INFOW, Name[PH_MAX_SYMBOL_NAME_LEN])); symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); symbolInfo->MaxNameLen = PH_MAX_SYMBOL_NAME_LEN; // Get the symbol name. PH_LOCK_SYMBOLS(); // Note that we don't care whether this call succeeds or not, based on the assumption that it // will not write to the symbolInfo structure if it fails. We've already zeroed the structure, // so we can deal with it. SymFromAddrW_I( SymbolProvider->ProcessHandle, (ULONG64)Address, &displacement, symbolInfo ); nameLength = symbolInfo->NameLen; if (nameLength + 1 > PH_MAX_SYMBOL_NAME_LEN) { PhFree(symbolInfo); symbolInfo = PhAllocateZero(FIELD_OFFSET(SYMBOL_INFOW, Name[nameLength + sizeof(UNICODE_NULL)])); symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); symbolInfo->MaxNameLen = nameLength + sizeof(UNICODE_NULL); SymFromAddrW_I( SymbolProvider->ProcessHandle, (ULONG64)Address, &displacement, symbolInfo ); } PH_UNLOCK_SYMBOLS(); // Find the module name. if (symbolInfo->ModBase == 0) { modBase = PhGetModuleFromAddress( SymbolProvider, Address, &modFileName ); } else { modBase = PhGetModuleFromAddress( SymbolProvider, (PVOID)symbolInfo->ModBase, &modFileName ); } // If we don't have a module name, return an address. if (!modFileName) { resolveLevel = PhsrlAddress; symbol = PhCreateStringEx(NULL, PH_PTR_STR_LEN * sizeof(WCHAR)); PhPrintPointer(symbol->Buffer, (PVOID)Address); PhTrimToNullTerminatorString(symbol); goto CleanupExit; } modBaseName = PhGetBaseName(modFileName); // If we have a module name but not a symbol name, return the module plus an offset: // module+offset. if (symbolInfo->NameLen == 0) { PH_FORMAT format[3]; resolveLevel = PhsrlModule; PhInitFormatSR(&format[0], modBaseName->sr); PhInitFormatS(&format[1], L"+0x"); PhInitFormatIX(&format[2], (ULONG_PTR)Address - (ULONG_PTR)modBase); symbol = PhFormat(format, 3, modBaseName->Length + 6 + 32); goto CleanupExit; } // If we have everything, return the full symbol name: module!symbol+offset. symbolName = PhCreateStringEx(symbolInfo->Name, symbolInfo->NameLen * sizeof(WCHAR)); PhTrimToNullTerminatorString(symbolName); // SymFromAddr doesn't give us the correct name length for vm protected binaries (dmex) resolveLevel = PhsrlFunction; if (displacement == 0) { PH_FORMAT format[3]; PhInitFormatSR(&format[0], modBaseName->sr); PhInitFormatC(&format[1], L'!'); PhInitFormatSR(&format[2], symbolName->sr); symbol = PhFormat(format, 3, modBaseName->Length + 2 + symbolName->Length); } else { PH_FORMAT format[5]; PhInitFormatSR(&format[0], modBaseName->sr); PhInitFormatC(&format[1], L'!'); PhInitFormatSR(&format[2], symbolName->sr); PhInitFormatS(&format[3], L"+0x"); PhInitFormatIX(&format[4], (ULONG_PTR)displacement); symbol = PhFormat(format, 5, modBaseName->Length + 2 + symbolName->Length + 6 + 32); } CleanupExit: if (ResolveLevel) *ResolveLevel = resolveLevel; if (FileName) PhSetReference(FileName, modFileName); if (SymbolName) PhSetReference(SymbolName, symbolName); if (Displacement) *Displacement = displacement; PhClearReference(&modFileName); PhClearReference(&modBaseName); PhClearReference(&symbolName); PhFree(symbolInfo); return symbol; } _Success_(return) BOOLEAN PhGetSymbolFromName( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PCWSTR Name, _Out_ PPH_SYMBOL_INFORMATION Information ) { PSYMBOL_INFOW symbolInfo; UCHAR symbolInfoBuffer[FIELD_OFFSET(SYMBOL_INFOW, Name) + PH_MAX_SYMBOL_NAME_LEN * sizeof(WCHAR)]; BOOL result; if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymFromNameW_I) return FALSE; symbolInfo = (PSYMBOL_INFOW)symbolInfoBuffer; memset(symbolInfo, 0, sizeof(SYMBOL_INFOW)); symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); symbolInfo->MaxNameLen = PH_MAX_SYMBOL_NAME_LEN; // Get the symbol information. PH_LOCK_SYMBOLS(); result = SymFromNameW_I( SymbolProvider->ProcessHandle, Name, symbolInfo ); PH_UNLOCK_SYMBOLS(); if (!result) return FALSE; Information->Address = (PVOID)symbolInfo->Address; Information->ModuleBase = (PVOID)symbolInfo->ModBase; Information->Index = symbolInfo->Index; Information->Size = symbolInfo->Size; return TRUE; } PPH_SYMBOL_MODULE PhpCreateSymbolModule( _In_ HANDLE ProcessHandle, _In_ PPH_STRING FileName, _In_ PVOID BaseAddress, _In_ ULONG Size ) { PPH_SYMBOL_MODULE symbolModule; symbolModule = PhAllocateZero(sizeof(PH_SYMBOL_MODULE)); symbolModule->BaseAddress = BaseAddress; symbolModule->Size = Size; PhSetReference(&symbolModule->FileName, FileName); #if defined(_ARM64_) PH_MAPPED_IMAGE mappedImage; if (NT_SUCCESS(PhLoadMappedImageHeaderPageSize(&FileName->sr, NULL, &mappedImage))) { if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) symbolModule->Machine = mappedImage.NtHeaders->FileHeader.Machine; else if (mappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) symbolModule->Machine = mappedImage.NtHeaders32->FileHeader.Machine; PhUnloadMappedImage(&mappedImage); } #endif return symbolModule; } BOOLEAN PhLoadModuleSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_STRING FileName, _In_ PVOID BaseAddress, _In_ ULONG Size ) { ULONG64 baseAddress; PPH_SYMBOL_MODULE symbolModule = NULL; PPH_AVL_LINKS existingLinks; PH_SYMBOL_MODULE lookupSymbolModule; if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymLoadModuleExW_I) return FALSE; // Check for duplicates. It is better to do this before calling SymLoadModuleExW, because it // seems to force symbol loading when it is called twice on the same module even if deferred // loading is enabled. PhAcquireQueuedLockExclusive(&SymbolProvider->ModulesListLock); lookupSymbolModule.BaseAddress = BaseAddress; existingLinks = PhFindElementAvlTree(&SymbolProvider->ModulesSet, &lookupSymbolModule.Links); PhReleaseQueuedLockExclusive(&SymbolProvider->ModulesListLock); if (existingLinks) return TRUE; PH_LOCK_SYMBOLS(); baseAddress = SymLoadModuleExW_I( SymbolProvider->ProcessHandle, NULL, NULL, NULL, (ULONG64)BaseAddress, Size, NULL, 0 ); PH_UNLOCK_SYMBOLS(); // Add the module to the list, even if we couldn't load symbols for the module. PhAcquireQueuedLockExclusive(&SymbolProvider->ModulesListLock); // Check for duplicates again. lookupSymbolModule.BaseAddress = BaseAddress; existingLinks = PhFindElementAvlTree(&SymbolProvider->ModulesSet, &lookupSymbolModule.Links); if (!existingLinks) { symbolModule = PhpCreateSymbolModule(SymbolProvider->ProcessHandle, FileName, BaseAddress, Size); existingLinks = PhAddElementAvlTree(&SymbolProvider->ModulesSet, &symbolModule->Links); assert(!existingLinks); InsertTailList(&SymbolProvider->ModulesListHead, &symbolModule->ListEntry); } PhReleaseQueuedLockExclusive(&SymbolProvider->ModulesListLock); if (baseAddress) return TRUE; else return FALSE; } BOOLEAN PhLoadFileNameSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_STRING FileName, _In_ PVOID BaseAddress, _In_ ULONG Size ) { ULONG64 baseAddress; PPH_SYMBOL_MODULE symbolModule = NULL; PPH_AVL_LINKS existingLinks; PH_SYMBOL_MODULE lookupSymbolModule; if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymLoadModuleExW_I) return FALSE; PhAcquireQueuedLockExclusive(&SymbolProvider->ModulesListLock); lookupSymbolModule.BaseAddress = BaseAddress; existingLinks = PhFindElementAvlTree(&SymbolProvider->ModulesSet, &lookupSymbolModule.Links); PhReleaseQueuedLockExclusive(&SymbolProvider->ModulesListLock); if (existingLinks) return TRUE; PH_LOCK_SYMBOLS(); baseAddress = SymLoadModuleExW_I( SymbolProvider->ProcessHandle, NULL, FileName->Buffer, NULL, (ULONG64)BaseAddress, Size, NULL, 0 ); PH_UNLOCK_SYMBOLS(); PhAcquireQueuedLockExclusive(&SymbolProvider->ModulesListLock); lookupSymbolModule.BaseAddress = BaseAddress; existingLinks = PhFindElementAvlTree(&SymbolProvider->ModulesSet, &lookupSymbolModule.Links); if (!existingLinks) { symbolModule = PhpCreateSymbolModule(SymbolProvider->ProcessHandle, FileName, BaseAddress, Size); PhSetReference(&symbolModule->FileName, FileName); existingLinks = PhAddElementAvlTree(&SymbolProvider->ModulesSet, &symbolModule->Links); assert(!existingLinks); InsertTailList(&SymbolProvider->ModulesListHead, &symbolModule->ListEntry); } PhReleaseQueuedLockExclusive(&SymbolProvider->ModulesListLock); if (baseAddress) return TRUE; else return FALSE; } typedef struct _PH_LOAD_SYMBOLS_CONTEXT { PPH_SYMBOL_PROVIDER SymbolProvider; HANDLE ProcessId; } PH_LOAD_SYMBOLS_CONTEXT, *PPH_LOAD_SYMBOLS_CONTEXT; _Function_class_(PH_ENUM_GENERIC_MODULES_CALLBACK) static BOOLEAN NTAPI PhpSymbolProviderEnumModulesCallback( _In_ PPH_MODULE_INFO Module, _In_ PVOID Context ) { PPH_LOAD_SYMBOLS_CONTEXT context = Context; // If we're loading kernel module symbols for a process other than System, ignore modules which // are in user space. This may happen in Windows 7. if ( WindowsVersion < WINDOWS_8 && context->ProcessId != SYSTEM_PROCESS_ID ) { if ((ULONG_PTR)Module->BaseAddress <= PhSystemBasicInformation.MaximumUserModeAddress) { return TRUE; } } PhLoadModuleSymbolProvider( context->SymbolProvider, Module->FileName, Module->BaseAddress, Module->Size ); return TRUE; } VOID PhLoadSymbolProviderModules( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ HANDLE ProcessId ) { PH_LOAD_SYMBOLS_CONTEXT context; memset(&context, 0, sizeof(PH_LOAD_SYMBOLS_CONTEXT)); context.SymbolProvider = SymbolProvider; // Load symbols for process modules. if (ProcessId != SYSTEM_IDLE_PROCESS_ID && SymbolProvider->IsRealHandle) { PhEnumGenericModules( ProcessId, SymbolProvider->ProcessHandle, PH_ENUM_GENERIC_MAPPED_IMAGES, PhpSymbolProviderEnumModulesCallback, &context ); } // Load symbols for kernel modules. { PhEnumGenericModules( SYSTEM_PROCESS_ID, NULL, 0, PhpSymbolProviderEnumModulesCallback, &context ); } // Load symbols for ntdll.dll and kernel32.dll. { static CONST PH_STRINGREF fileNames[] = { PH_STRINGREF_INIT(L"ntdll.dll"), PH_STRINGREF_INIT(L"kernel32.dll"), }; for (ULONG i = 0; i < RTL_NUMBER_OF(fileNames); i++) { PVOID baseAddress; ULONG sizeOfImage; PPH_STRING fileName; if (PhGetLoaderEntryData(&fileNames[i], &baseAddress, &sizeOfImage, &fileName)) { PhLoadModuleSymbolProvider(SymbolProvider, fileName, baseAddress, sizeOfImage); PhDereferenceObject(fileName); } } } } NTSTATUS PhLoadModulesForVirtualSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_opt_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle ) { NTSTATUS status; PH_LOAD_SYMBOLS_CONTEXT context; HANDLE processHandle = NULL; BOOLEAN closeHandle = FALSE; memset(&context, 0, sizeof(PH_LOAD_SYMBOLS_CONTEXT)); context.SymbolProvider = SymbolProvider; if (SymbolProvider->IsRealHandle) { processHandle = SymbolProvider->ProcessHandle; status = STATUS_SUCCESS; } else if (ProcessHandle) { processHandle = ProcessHandle; status = STATUS_SUCCESS; } else if (ProcessId) { status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, ProcessId ); if (NT_SUCCESS(status)) { closeHandle = TRUE; } } else { status = STATUS_INVALID_PARAMETER_1; } if (!NT_SUCCESS(status)) return status; // Load symbols for process modules. if (ProcessId != SYSTEM_IDLE_PROCESS_ID && processHandle) { PhEnumGenericModules( ProcessId, processHandle, PH_ENUM_GENERIC_MAPPED_IMAGES, PhpSymbolProviderEnumModulesCallback, &context ); } // Load symbols for kernel modules. { PhEnumGenericModules( SYSTEM_PROCESS_ID, NULL, 0, PhpSymbolProviderEnumModulesCallback, &context ); } // Load symbols for ntdll.dll and kernel32.dll (dmex) { static CONST PH_STRINGREF fileNames[] = { PH_STRINGREF_INIT(L"ntdll.dll"), PH_STRINGREF_INIT(L"kernel32.dll"), }; for (ULONG i = 0; i < RTL_NUMBER_OF(fileNames); i++) { PVOID baseAddress; ULONG sizeOfImage; PPH_STRING fileName; if (PhGetLoaderEntryData(&fileNames[i], &baseAddress, &sizeOfImage, &fileName)) { PhLoadModuleSymbolProvider(SymbolProvider, fileName, baseAddress, sizeOfImage); PhDereferenceObject(fileName); } } } if (closeHandle && processHandle) { NtClose(processHandle); } return status; } static const PH_FLAG_MAPPING PhSymbolProviderOptions[] = { { PH_SYMOPT_UNDNAME, SYMOPT_UNDNAME }, }; VOID PhSetOptionsSymbolProvider( _In_ ULONG Mask, _In_ ULONG Value ) { ULONG options; ULONG mask = 0; ULONG value = 0; ULONG internalMask; internalMask = Mask & PH_SYMOPT_VERIFY_MICROSOFT_CHAIN; if (internalMask) { PhSymbolProviderInternalOptions = (PhSymbolProviderInternalOptions & ~internalMask) | (Value & internalMask); } PhpRegisterSymbolProvider(NULL); if (!SymGetOptions_I || !SymSetOptions_I) return; PhMapFlags1( &mask, Mask, PhSymbolProviderOptions, ARRAYSIZE(PhSymbolProviderOptions) ); PhMapFlags1( &value, Value, PhSymbolProviderOptions, ARRAYSIZE(PhSymbolProviderOptions) ); PH_LOCK_SYMBOLS(); options = SymGetOptions_I(); options &= ~mask; options |= value; SymSetOptions_I(options); PH_UNLOCK_SYMBOLS(); } VOID PhSetSearchPathSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PCWSTR Path ) { PhpRegisterSymbolProvider(SymbolProvider); if (!SymSetSearchPathW_I) return; PH_LOCK_SYMBOLS(); SymSetSearchPathW_I(SymbolProvider->ProcessHandle, Path); PH_UNLOCK_SYMBOLS(); } #ifdef _WIN64 NTSTATUS PhpLookupDynamicFunctionTable( _In_ HANDLE ProcessHandle, _In_ ULONG64 Address, _Out_opt_ PDYNAMIC_FUNCTION_TABLE *FunctionTableAddress, _Out_opt_ PDYNAMIC_FUNCTION_TABLE FunctionTable, _Out_writes_bytes_opt_(OutOfProcessCallbackDllBufferSize) PWCHAR OutOfProcessCallbackDllBuffer, _In_ ULONG OutOfProcessCallbackDllBufferSize, _Out_opt_ PUNICODE_STRING OutOfProcessCallbackDllString ) { NTSTATUS status; PLIST_ENTRY (NTAPI *rtlGetFunctionTableListHead)(VOID); PLIST_ENTRY tableListHead; LIST_ENTRY tableListHeadEntry; PLIST_ENTRY tableListEntry; PDYNAMIC_FUNCTION_TABLE functionTableAddress; DYNAMIC_FUNCTION_TABLE functionTable; ULONG count; SIZE_T numberOfBytesRead; ULONG i; BOOLEAN foundNull; rtlGetFunctionTableListHead = PhGetDllProcedureAddressZ(L"ntdll.dll", "RtlGetFunctionTableListHead", 0); if (!rtlGetFunctionTableListHead) return STATUS_PROCEDURE_NOT_FOUND; tableListHead = rtlGetFunctionTableListHead(); // Find the function table entry for this address. if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, tableListHead, &tableListHeadEntry, sizeof(LIST_ENTRY), NULL ))) return status; tableListEntry = tableListHeadEntry.Flink; count = 0; // make sure we can't be forced into an infinite loop by crafted data while (tableListEntry != tableListHead && count < PH_ENUM_PROCESS_MODULES_LIMIT) { functionTableAddress = CONTAINING_RECORD(tableListEntry, DYNAMIC_FUNCTION_TABLE, ListEntry); if (!NT_SUCCESS(status = PhReadVirtualMemory( ProcessHandle, functionTableAddress, &functionTable, sizeof(DYNAMIC_FUNCTION_TABLE), NULL ))) return status; if (Address >= functionTable.MinimumAddress && Address < functionTable.MaximumAddress) { if (OutOfProcessCallbackDllBuffer) { if (functionTable.OutOfProcessCallbackDll) { // Read the out-of-process callback DLL path. We don't have a length, so we'll // just have to read as much as possible. memset(OutOfProcessCallbackDllBuffer, 0xff, OutOfProcessCallbackDllBufferSize); status = PhReadVirtualMemory( ProcessHandle, functionTable.OutOfProcessCallbackDll, OutOfProcessCallbackDllBuffer, OutOfProcessCallbackDllBufferSize, &numberOfBytesRead ); if (status != STATUS_PARTIAL_COPY && !NT_SUCCESS(status)) return status; foundNull = FALSE; for (i = 0; i < OutOfProcessCallbackDllBufferSize / sizeof(WCHAR); i++) { if (OutOfProcessCallbackDllBuffer[i] == 0) { foundNull = TRUE; if (OutOfProcessCallbackDllString) { OutOfProcessCallbackDllString->Buffer = OutOfProcessCallbackDllBuffer; OutOfProcessCallbackDllString->Length = (USHORT)(i * sizeof(WCHAR)); OutOfProcessCallbackDllString->MaximumLength = OutOfProcessCallbackDllString->Length; } break; } } // If there was no null terminator, then we didn't read the whole string in. // Fail the operation. if (!foundNull) return STATUS_BUFFER_OVERFLOW; } else { OutOfProcessCallbackDllBuffer[0] = UNICODE_NULL; if (OutOfProcessCallbackDllString) { OutOfProcessCallbackDllString->Buffer = NULL; OutOfProcessCallbackDllString->Length = 0; OutOfProcessCallbackDllString->MaximumLength = 0; } } } if (FunctionTableAddress) *FunctionTableAddress = functionTableAddress; if (FunctionTable) *FunctionTable = functionTable; return STATUS_SUCCESS; } tableListEntry = functionTable.ListEntry.Flink; count++; } return STATUS_NOT_FOUND; } PRUNTIME_FUNCTION PhpLookupFunctionEntry( _In_ PRUNTIME_FUNCTION Functions, _In_ ULONG NumberOfFunctions, _In_ BOOLEAN Sorted, _In_ ULONG64 RelativeControlPc ) { LONG low; LONG high; ULONG i; if (Sorted) { if (NumberOfFunctions == 0) return NULL; low = 0; high = NumberOfFunctions - 1; do { i = (low + high) / 2; if (RelativeControlPc < Functions[i].BeginAddress) high = i - 1; #ifdef _ARM64_ else if (RelativeControlPc >= (Functions[i].BeginAddress + Functions[i].FunctionLength)) #else else if (RelativeControlPc >= Functions[i].EndAddress) #endif low = i + 1; else return &Functions[i]; } while (low <= high); } else { for (i = 0; i < NumberOfFunctions; i++) { #ifdef _ARM64_ if (RelativeControlPc >= Functions[i].BeginAddress && RelativeControlPc < (Functions[i].BeginAddress + Functions[i].FunctionLength)) #else if (RelativeControlPc >= Functions[i].BeginAddress && RelativeControlPc < Functions[i].EndAddress) #endif return &Functions[i]; } } return NULL; } NTSTATUS PhpAccessCallbackFunctionTable( _In_ HANDLE ProcessHandle, _In_ PVOID FunctionTableAddress, _In_ PUNICODE_STRING OutOfProcessCallbackDllString, _Out_ PRUNTIME_FUNCTION *Functions, _Out_ PULONG NumberOfFunctions ) { static CONST PH_STRINGREF knownFunctionTableDllsKeyName = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownFunctionTableDlls"); NTSTATUS status; HANDLE keyHandle; ULONG returnLength; PVOID dllHandle; ANSI_STRING outOfProcessFunctionTableCallbackName; POUT_OF_PROCESS_FUNCTION_TABLE_CALLBACK outOfProcessFunctionTableCallback; if (!OutOfProcessCallbackDllString->Buffer) return STATUS_INVALID_PARAMETER; // Don't load DLLs from arbitrary locations. Check if this is a known function table DLL. if (!NT_SUCCESS(status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &knownFunctionTableDllsKeyName, 0 ))) return status; status = NtQueryValueKey(keyHandle, OutOfProcessCallbackDllString, KeyValuePartialInformation, NULL, 0, &returnLength); NtClose(keyHandle); if (status == STATUS_OBJECT_NAME_NOT_FOUND) { PH_STRINGREF fileName; PhUnicodeStringToStringRef(OutOfProcessCallbackDllString, &fileName); // Verify the signature is valid and the certificate chained to Microsoft (dmex) if (FlagOn(PhSymbolProviderInternalOptions, PH_SYMOPT_VERIFY_MICROSOFT_CHAIN) && !PhVerifyFileIsChainedToMicrosoft(&fileName, FALSE)) { return STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT; } } status = LdrLoadDll(NULL, NULL, OutOfProcessCallbackDllString, &dllHandle); if (!NT_SUCCESS(status)) return status; RtlInitAnsiString(&outOfProcessFunctionTableCallbackName, OUT_OF_PROCESS_FUNCTION_TABLE_CALLBACK_EXPORT_NAME); status = LdrGetProcedureAddress(dllHandle, &outOfProcessFunctionTableCallbackName, 0, (PVOID *)&outOfProcessFunctionTableCallback); if (NT_SUCCESS(status)) { status = outOfProcessFunctionTableCallback( ProcessHandle, FunctionTableAddress, NumberOfFunctions, Functions ); } LdrUnloadDll(dllHandle); return status; } NTSTATUS PhpAccessNormalFunctionTable( _In_ HANDLE ProcessHandle, _In_ PDYNAMIC_FUNCTION_TABLE FunctionTable, _Out_ PRUNTIME_FUNCTION *Functions, _Out_ PULONG NumberOfFunctions ) { NTSTATUS status; SIZE_T bufferSize; PRUNTIME_FUNCTION functions; // Put a reasonable limit on the number of entries we read. if (FunctionTable->EntryCount > 0x100000) return STATUS_BUFFER_OVERFLOW; bufferSize = FunctionTable->EntryCount * sizeof(RUNTIME_FUNCTION); functions = PhAllocatePage(bufferSize, NULL); if (!functions) return STATUS_NO_MEMORY; status = PhReadVirtualMemory(ProcessHandle, FunctionTable->FunctionTable, functions, bufferSize, NULL); if (NT_SUCCESS(status)) { *Functions = functions; *NumberOfFunctions = FunctionTable->EntryCount; } else { PhFreePage(functions); } return status; } NTSTATUS PhAccessOutOfProcessFunctionEntry( _In_ HANDLE ProcessHandle, _In_ ULONG64 ControlPc, _Out_ PRUNTIME_FUNCTION Function ) { NTSTATUS status; PDYNAMIC_FUNCTION_TABLE functionTableAddress; DYNAMIC_FUNCTION_TABLE functionTable; WCHAR outOfProcessCallbackDll[512]; UNICODE_STRING outOfProcessCallbackDllString; PRUNTIME_FUNCTION functions; ULONG numberOfFunctions; PRUNTIME_FUNCTION function; if (!NT_SUCCESS(status = PhpLookupDynamicFunctionTable( ProcessHandle, ControlPc, &functionTableAddress, &functionTable, outOfProcessCallbackDll, sizeof(outOfProcessCallbackDll), &outOfProcessCallbackDllString ))) { return status; } if (functionTable.Type == RF_CALLBACK) { if (!NT_SUCCESS(status = PhpAccessCallbackFunctionTable( ProcessHandle, functionTableAddress, &outOfProcessCallbackDllString, &functions, &numberOfFunctions ))) { return status; } function = PhpLookupFunctionEntry(functions, numberOfFunctions, FALSE, ControlPc - functionTable.BaseAddress); if (function) *Function = *function; else status = STATUS_NOT_FOUND; RtlFreeHeap(RtlProcessHeap(), 0, functions); } else { if (!NT_SUCCESS(status = PhpAccessNormalFunctionTable( ProcessHandle, &functionTable, &functions, &numberOfFunctions ))) { return status; } function = PhpLookupFunctionEntry(functions, numberOfFunctions, functionTable.Type == RF_SORTED, ControlPc - functionTable.BaseAddress); if (function) *Function = *function; else status = STATUS_NOT_FOUND; PhFreePage(functions); } return status; } #endif ULONG64 __stdcall PhGetModuleBase64( _In_ HANDLE hProcess, _In_ ULONG64 dwAddr ) { ULONG64 base; #ifdef _WIN64 DYNAMIC_FUNCTION_TABLE functionTable; #endif #ifdef _WIN64 if (NT_SUCCESS(PhpLookupDynamicFunctionTable( hProcess, dwAddr, NULL, &functionTable, NULL, 0, NULL ))) { base = functionTable.BaseAddress; } else { base = 0; } #else base = 0; #endif if (base == 0 && SymGetModuleBase64_I) base = SymGetModuleBase64_I(hProcess, dwAddr); return base; } PVOID __stdcall PhFunctionTableAccess64( _In_ HANDLE hProcess, _In_ ULONG64 AddrBase ) { #ifdef _WIN64 static RUNTIME_FUNCTION lastRuntimeFunction; #endif PVOID entry; #ifdef _WIN64 if (NT_SUCCESS(PhAccessOutOfProcessFunctionEntry(hProcess, AddrBase, &lastRuntimeFunction))) entry = &lastRuntimeFunction; else entry = NULL; #else entry = NULL; #endif if (!entry && SymFunctionTableAccess64_I) entry = SymFunctionTableAccess64_I(hProcess, AddrBase); return entry; } /** * Walks a thread's stack. * * \param MachineType The architecture type of the computer for which the stack trace is generated. * \param ProcessHandle A handle to the thread's parent process. The handle must have * PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access. If a symbol provider is being used, pass * its process handle and specify the symbol provider in \a SymbolProvider. * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION, * THREAD_GET_CONTEXT and THREAD_SUSPEND_RESUME access. The handle can have any access for kernel * stack walking. * \param StackFrame A pointer to a STACKFRAME_EX structure. This structure receives information for the next frame, if the function call succeeds. * \param ContextRecord A pointer to a CONTEXT structure. * \param SymbolProvider The associated symbol provider. * \param ReadMemoryRoutine A callback routine that provides memory read services. * \param FunctionTableAccessRoutine A callback routine that provides access to the run-time function table for the process. * \param GetModuleBaseRoutine A callback routine that provides a module base for any given virtual address. * \param TranslateAddress A callback routine that provides address translation for 16-bit addresses. * * \return Successful or errant status. */ BOOLEAN PhStackWalk( _In_ ULONG MachineType, _In_ HANDLE ProcessHandle, _In_ HANDLE ThreadHandle, _Inout_ LPSTACKFRAME_EX StackFrame, _Inout_ PVOID ContextRecord, _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine, _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress ) { BOOL result = FALSE; PhpRegisterSymbolProvider(SymbolProvider); if (!FunctionTableAccessRoutine) { if (MachineType == IMAGE_FILE_MACHINE_AMD64) FunctionTableAccessRoutine = PhFunctionTableAccess64; else FunctionTableAccessRoutine = SymFunctionTableAccess64_I; } if (!GetModuleBaseRoutine) { if (MachineType == IMAGE_FILE_MACHINE_AMD64) GetModuleBaseRoutine = PhGetModuleBase64; else GetModuleBaseRoutine = SymGetModuleBase64_I; } PH_LOCK_SYMBOLS(); if (PhSymbolProviderInlineContextSupported()) { result = StackWalkEx_I( MachineType, ProcessHandle, ThreadHandle, StackFrame, ContextRecord, ReadMemoryRoutine, FunctionTableAccessRoutine, GetModuleBaseRoutine, TranslateAddress, SYM_STKWALK_DEFAULT ); } else if (StackWalk64_I) { result = StackWalk64_I( MachineType, ProcessHandle, ThreadHandle, (LPSTACKFRAME64)StackFrame, ContextRecord, ReadMemoryRoutine, FunctionTableAccessRoutine, GetModuleBaseRoutine, TranslateAddress ); } PH_UNLOCK_SYMBOLS(); if (result) return TRUE; return FALSE; } HRESULT PhWriteMiniDumpProcess( _In_ HANDLE ProcessHandle, _In_ HANDLE ProcessId, _In_ HANDLE FileHandle, _In_ MINIDUMP_TYPE DumpType, _In_opt_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, _In_opt_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, _In_opt_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam ) { PhpRegisterSymbolProvider(NULL); if (!MiniDumpWriteDump_I) { return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); } if (!MiniDumpWriteDump_I( ProcessHandle, HandleToUlong(ProcessId), FileHandle, DumpType, ExceptionParam, UserStreamParam, CallbackParam )) { return (HRESULT)PhGetLastError(); } return S_OK; } /** * Converts a STACKFRAME64 structure to a PH_THREAD_STACK_FRAME structure. * * \param StackFrame A pointer to the STACKFRAME64 structure to convert. * \param Machine Machine to set in the resulting structure. * \param Flags Flags to set in the resulting structure. * \param ThreadStackFrame A pointer to the resulting PH_THREAD_STACK_FRAME structure. */ VOID PhConvertStackFrame( _In_ CONST STACKFRAME_EX *StackFrame, _In_ USHORT Machine, _In_ USHORT Flags, _Out_ PPH_THREAD_STACK_FRAME ThreadStackFrame ) { memset(ThreadStackFrame, 0, sizeof(ThreadStackFrame->Params)); ThreadStackFrame->PcAddress = (PVOID)StackFrame->AddrPC.Offset; ThreadStackFrame->ReturnAddress = (PVOID)StackFrame->AddrReturn.Offset; ThreadStackFrame->FrameAddress = (PVOID)StackFrame->AddrFrame.Offset; ThreadStackFrame->StackAddress = (PVOID)StackFrame->AddrStack.Offset; ThreadStackFrame->BStoreAddress = (PVOID)StackFrame->AddrBStore.Offset; for (ULONG i = 0; i < 4; i++) ThreadStackFrame->Params[i] = (PVOID)StackFrame->Params[i]; ThreadStackFrame->Machine = Machine; ThreadStackFrame->Flags = Flags; if (StackFrame->FuncTableEntry) ThreadStackFrame->Flags |= PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT; ThreadStackFrame->InlineFrameContext = StackFrame->InlineFrameContext; } /** * Walks a thread's stack. * * \param ThreadHandle A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION, * THREAD_GET_CONTEXT and THREAD_SUSPEND_RESUME access. The handle can have any access for kernel * stack walking. * \param ProcessHandle A handle to the thread's parent process. The handle must have * PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access. If a symbol provider is being used, pass * its process handle and specify the symbol provider in \a SymbolProvider. * \param ClientId The client ID identifying the thread. * \param SymbolProvider The associated symbol provider. * \param Flags A combination of flags. * \li \c PH_WALK_USER_STACK Walks the native user thread context stack. * \li \c PH_WALK_USER_WOW64_STACK Walks the Wow64 user thread context stack. On x86 systems this * flag is ignored. On ARM64 systems this includes ARM stack (ThreadWow64Context ARM_NT_CONTEXT). * \li \c PH_WALK_KERNEL_STACK Walks the kernel stack. This flag is ignored if there is no active * KSystemInformer connection. * \param Callback A callback function which is executed for each stack frame. * \param Context A user-defined value to pass to the callback function. */ NTSTATUS PhWalkThreadStack( _In_ HANDLE ThreadHandle, _In_opt_ HANDLE ProcessHandle, _In_opt_ PCLIENT_ID ClientId, _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ ULONG Flags, _In_ PPH_WALK_THREAD_STACK_CALLBACK Callback, _In_opt_ PVOID Context ) { NTSTATUS status = STATUS_SUCCESS; BOOLEAN suspended = FALSE; BOOLEAN deepfreeze = FALSE; BOOLEAN processOpened = FALSE; BOOLEAN isCurrentThread = FALSE; BOOLEAN isSystemThread = FALSE; THREAD_BASIC_INFORMATION basicInfo; HANDLE stateChangeHandle = NULL; // Open a handle to the process if we weren't given one. if (!ProcessHandle) { if ((KsiLevel() >= KphLevelMed) || !ClientId) { if (!NT_SUCCESS(status = PhOpenThreadProcess( ThreadHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, &ProcessHandle ))) return status; } else { if (!NT_SUCCESS(status = PhOpenProcess( &ProcessHandle, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, ClientId->UniqueProcess ))) return status; } processOpened = TRUE; } // Determine if the caller specified the current thread. if (ClientId) { if (ClientId->UniqueThread == NtCurrentThreadId()) isCurrentThread = TRUE; if (ClientId->UniqueProcess == SYSTEM_IDLE_PROCESS_ID || ClientId->UniqueProcess == SYSTEM_PROCESS_ID) isSystemThread = TRUE; } else { if (ThreadHandle == NtCurrentThread()) { isCurrentThread = TRUE; } else if (NT_SUCCESS(PhGetThreadBasicInformation(ThreadHandle, &basicInfo))) { if (basicInfo.ClientId.UniqueThread == NtCurrentThreadId()) isCurrentThread = TRUE; if (basicInfo.ClientId.UniqueProcess == SYSTEM_IDLE_PROCESS_ID || basicInfo.ClientId.UniqueProcess == SYSTEM_PROCESS_ID) isSystemThread = TRUE; } } // Make sure this isn't a kernel-mode thread. if (!isSystemThread) { ULONG_PTR startAddress; if (NT_SUCCESS(PhGetThreadStartAddress(ThreadHandle, &startAddress))) { if (startAddress > PhSystemBasicInformation.MaximumUserModeAddress) { isSystemThread = TRUE; } } } // Suspend the thread to avoid inaccurate results. Don't suspend if we're walking the stack of // the current thread or a kernel-mode thread. if (!isCurrentThread && !isSystemThread) { if (WindowsVersion >= WINDOWS_11) { // Note: NtSuspendThread does not always suspend the thread due to race conditions in the kernel and third party processes. // Windows 11 added state change support and fixed these and other bugs. We need to freeze the thread for an accurate result. (dmex) // https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/controlling-processes-and-threads#freezing-and-suspending-threads if (NT_SUCCESS(PhFreezeThread(&stateChangeHandle, ThreadHandle))) { deepfreeze = TRUE; } } if (NT_SUCCESS(NtSuspendThread(ThreadHandle, NULL))) { suspended = TRUE; } } // Kernel stack walk. if ((Flags & PH_WALK_KERNEL_STACK) && (KsiLevel() >= KphLevelMed)) { PVOID stack[256 - 2]; // See MAX_STACK_DEPTH ULONG capturedFrames = 0; ULONG i; if (NT_SUCCESS(KphCaptureStackBackTraceThread( ThreadHandle, 0, sizeof(stack) / sizeof(PVOID), stack, &capturedFrames, NULL, KPH_STACK_BACK_TRACE_SKIP_KPH ))) { PH_THREAD_STACK_FRAME threadStackFrame; memset(&threadStackFrame, 0, sizeof(PH_THREAD_STACK_FRAME)); for (i = 0; i < capturedFrames; i++) { threadStackFrame.PcAddress = stack[i]; threadStackFrame.Machine = PH_THREAD_STACK_NATIVE_MACHINE; threadStackFrame.Flags = PH_THREAD_STACK_FRAME_KERNEL; if ((ULONG_PTR)stack[i] <= PhSystemBasicInformation.MaximumUserModeAddress) break; if (!Callback(&threadStackFrame, Context)) { goto ResumeExit; } } } } if (Flags & PH_WALK_USER_STACK) { STACKFRAME_EX stackFrame; PH_THREAD_STACK_FRAME threadStackFrame; ULONG machine; PVOID contextRecord; CONTEXT context; #if defined(_ARM64_) ARM64EC_NT_CONTEXT ecContext; STACKFRAME_EX virtualFrame; ULONG virtualMachine; #endif contextRecord = &context; machine = PH_THREAD_STACK_NATIVE_MACHINE; memset(&context, 0, sizeof(context)); context.ContextFlags = CONTEXT_ALL; context.ContextFlags |= CONTEXT_EXCEPTION_REQUEST; if (!NT_SUCCESS(status = PhGetContextThread(ThreadHandle, &context))) goto SkipUserStack; memset(&stackFrame, 0, sizeof(STACKFRAME_EX)); stackFrame.StackFrameSize = sizeof(STACKFRAME_EX); #if defined(_ARM64_) memset(&virtualFrame, 0, sizeof(STACKFRAME_EX)); virtualFrame.AddrReturn.Offset = MAXULONG64; #endif // Program counter, Stack pointer, Frame pointer #if defined(_ARM64_) stackFrame.AddrPC.Mode = AddrModeFlat; stackFrame.AddrPC.Offset = context.Pc; stackFrame.AddrStack.Mode = AddrModeFlat; stackFrame.AddrStack.Offset = context.Sp; stackFrame.AddrFrame.Mode = AddrModeFlat; stackFrame.AddrFrame.Offset = context.Fp; #elif defined(_AMD64_) stackFrame.AddrPC.Mode = AddrModeFlat; stackFrame.AddrPC.Offset = context.Rip; stackFrame.AddrStack.Mode = AddrModeFlat; stackFrame.AddrStack.Offset = context.Rsp; stackFrame.AddrFrame.Mode = AddrModeFlat; stackFrame.AddrFrame.Offset = context.Rbp; #else stackFrame.AddrPC.Mode = AddrModeFlat; stackFrame.AddrPC.Offset = context.Eip; stackFrame.AddrStack.Mode = AddrModeFlat; stackFrame.AddrStack.Offset = context.Esp; stackFrame.AddrFrame.Mode = AddrModeFlat; stackFrame.AddrFrame.Offset = context.Ebp; #endif while (TRUE) { if (!PhStackWalk( machine, ProcessHandle, ThreadHandle, &stackFrame, contextRecord, SymbolProvider, NULL, NULL, NULL, NULL )) { #if defined(_ARM64_) goto CheckFinalARM64VirtualFrame; #else break; #endif } #if defined(_ARM64_) // Strip any PAC bits from the addresses. stackFrame.AddrPC.Offset = PAC_DECODE_ADDRESS(stackFrame.AddrPC.Offset); stackFrame.AddrReturn.Offset = PAC_DECODE_ADDRESS(stackFrame.AddrReturn.Offset); if (contextRecord == &ecContext) { ecContext.Pc = PAC_DECODE_ADDRESS(ecContext.Pc); ecContext.Lr = PAC_DECODE_ADDRESS(ecContext.Lr); } else { context.Pc = PAC_DECODE_ADDRESS(context.Pc); context.Lr = PAC_DECODE_ADDRESS(context.Lr); } #endif // If we have an invalid instruction pointer, break. if (!stackFrame.AddrPC.Offset || stackFrame.AddrPC.Offset == ULONG64_MAX) { #if defined(_ARM64_) CheckFinalARM64VirtualFrame: // If we're in the middle of processing a virtual frame and reach here we still // need to process the virtual frame (it is the final frame). Do not do this for // ARM64EC since it will point to narnia (the final fame is already processed). if (!virtualFrame.AddrReturn.Offset && virtualMachine != IMAGE_FILE_MACHINE_ARM64EC) { // Convert the stack frame and execute the callback. PhConvertStackFrame(&virtualFrame, (USHORT)virtualMachine, 0, &threadStackFrame); if (!Callback(&threadStackFrame, Context)) goto ResumeExit; } #endif break; } #if defined(_ARM64_) USHORT frameMachine; // TODO(jxy-s) // // Much of the stack walk handling for EC code is in dbgeng and not dbghelp. Since we // only rely on dbghelp we need some special handling too. The following are known // issues with possible solutions. These need more time to investigate: // // - ARM64EC (Inline frame) seem to be missing. Probably needs special handling or the // "virtual frames" are messing up the existing inline frame resolution. For context // dbgeng.dll appears to have "virtual frames" as we do here, but we likely need some // additional handling for inline frames. // - .NET under ARM64 emulation seems to eventually walk into strange frames, x64 is // known to be affected, other arches on ARM64 need tested too. Seems to be a bug in // dbghelp.dll because dbgeng.dll (e.g. windbg.exe) seems to be broken here too. frameMachine = PhpGetMachineForAddress(SymbolProvider, ProcessHandle, (PVOID)stackFrame.AddrPC.Offset); if (machine != frameMachine) { // switch the effective machine machine = frameMachine; if (frameMachine == IMAGE_FILE_MACHINE_AMD64 && contextRecord != &ecContext) { PhNativeContextToEcContext(&ecContext, &context, TRUE); contextRecord = &ecContext; } else if (contextRecord != &context) { PhEcContextToNativeContext(&context, &ecContext); contextRecord = &context; } } if (!virtualFrame.AddrReturn.Offset) { // We stored a frame without a return address to process later, do it now. virtualFrame.AddrReturn = stackFrame.AddrPC; // Convert the stack frame and execute the callback. PhConvertStackFrame(&virtualFrame, (USHORT)virtualMachine, 0, &threadStackFrame); if (!Callback(&threadStackFrame, Context)) goto ResumeExit; virtualFrame.AddrReturn.Offset = MAXULONG64; } if (!stackFrame.AddrReturn.Offset) { // Track this as a temporary virtual frame and continue to try to resolve the next // frame. If we do, during the next loop we will use use the the program counter as // the return address and invoke the callback. virtualFrame = stackFrame; virtualMachine = machine; continue; } #endif // Convert the stack frame and execute the callback. PhConvertStackFrame(&stackFrame, (USHORT)machine, 0, &threadStackFrame); if (!Callback(&threadStackFrame, Context)) goto ResumeExit; #if defined(_X86_) // (x86 only) Allow the user to change Eip, Esp and Ebp. context.Eip = PtrToUlong(threadStackFrame.PcAddress); stackFrame.AddrPC.Offset = PtrToUlong(threadStackFrame.PcAddress); context.Ebp = PtrToUlong(threadStackFrame.FrameAddress); stackFrame.AddrFrame.Offset = PtrToUlong(threadStackFrame.FrameAddress); context.Esp = PtrToUlong(threadStackFrame.StackAddress); stackFrame.AddrStack.Offset = PtrToUlong(threadStackFrame.StackAddress); #endif } } SkipUserStack: #if defined(_WIN64) // WOW64 stack walk. if (Flags & PH_WALK_USER_WOW64_STACK) { STACKFRAME_EX stackFrame; PH_THREAD_STACK_FRAME threadStackFrame; WOW64_CONTEXT context; memset(&context, 0, sizeof(WOW64_CONTEXT)); context.ContextFlags = WOW64_CONTEXT_ALL; context.ContextFlags |= CONTEXT_EXCEPTION_REQUEST; if (!NT_SUCCESS(status = PhGetThreadWow64Context(ThreadHandle, &context))) goto SkipI386Stack; memset(&stackFrame, 0, sizeof(STACKFRAME_EX)); stackFrame.StackFrameSize = sizeof(STACKFRAME_EX); stackFrame.AddrPC.Mode = AddrModeFlat; stackFrame.AddrPC.Offset = context.Eip; stackFrame.AddrStack.Mode = AddrModeFlat; stackFrame.AddrStack.Offset = context.Esp; stackFrame.AddrFrame.Mode = AddrModeFlat; stackFrame.AddrFrame.Offset = context.Ebp; while (TRUE) { if (!PhStackWalk( IMAGE_FILE_MACHINE_I386, ProcessHandle, ThreadHandle, &stackFrame, &context, SymbolProvider, NULL, NULL, NULL, NULL )) { break; } // TODO(jxy-s) // // Restore CHPE frame detection and fix x86 stack walking on ARM64. Even dbgeng.dll // seems to struggle here but it will at least show CHPE frames. We use to have support // for this I removed it in the last chunk of ARM64 fixes since I wasn't happy with it. // If we have an invalid instruction pointer, break. if (!stackFrame.AddrPC.Offset || stackFrame.AddrPC.Offset == ULONG64_MAX) break; // Convert the stack frame and execute the callback. PhConvertStackFrame(&stackFrame, IMAGE_FILE_MACHINE_I386, 0, &threadStackFrame); if (!Callback(&threadStackFrame, Context)) goto ResumeExit; #if !defined(_ARM64_) // (x86 only) Allow extensions to fixup the Eip, Esp and Ebp addresses. // Note: Managed environments like .NET manage their own stack frames, // and don't align with native expectations. Extensions like DotNetTools // query the CLR runtime debug interface and provide the correct addresses // as required to show correct thread call stacks and execution context. (dnex) context.Eip = PtrToUlong(threadStackFrame.PcAddress); stackFrame.AddrPC.Offset = PtrToUlong(threadStackFrame.PcAddress); context.Ebp = PtrToUlong(threadStackFrame.FrameAddress); stackFrame.AddrFrame.Offset = PtrToUlong(threadStackFrame.FrameAddress); context.Esp = PtrToUlong(threadStackFrame.StackAddress); stackFrame.AddrStack.Offset = PtrToUlong(threadStackFrame.StackAddress); #endif } } SkipI386Stack: #endif #if defined(_ARM64_) // Arm32 stack walk. if (Flags & PH_WALK_USER_WOW64_STACK) { STACKFRAME_EX stackFrame; PH_THREAD_STACK_FRAME threadStackFrame; ARM_NT_CONTEXT context; memset(&context, 0, sizeof(ARM_NT_CONTEXT)); context.ContextFlags = CONTEXT_ARM_ALL; context.ContextFlags |= CONTEXT_EXCEPTION_REQUEST; // ThreadWow64Context ARM_NT_CONTEXT if (!NT_SUCCESS(status = PhGetThreadArm32Context(ThreadHandle, &context))) goto SkipARMStack; memset(&stackFrame, 0, sizeof(STACKFRAME_EX)); stackFrame.StackFrameSize = sizeof(STACKFRAME_EX); stackFrame.AddrPC.Mode = AddrModeFlat; stackFrame.AddrPC.Offset = context.Pc; stackFrame.AddrStack.Mode = AddrModeFlat; stackFrame.AddrStack.Offset = context.Sp; stackFrame.AddrFrame.Mode = AddrModeFlat; stackFrame.AddrFrame.Offset = 0; while (TRUE) { if (!PhStackWalk( IMAGE_FILE_MACHINE_ARMNT, ProcessHandle, ThreadHandle, &stackFrame, &context, SymbolProvider, NULL, NULL, NULL, NULL )) { break; } // If we have an invalid instruction pointer, break. if (!stackFrame.AddrPC.Offset || stackFrame.AddrPC.Offset == ULONG64_MAX) break; // Convert the stack frame and execute the callback. PhConvertStackFrame(&stackFrame, IMAGE_FILE_MACHINE_ARMNT, 0, &threadStackFrame); if (!Callback(&threadStackFrame, Context)) goto ResumeExit; } } SkipARMStack: #endif ResumeExit: if (suspended) { NtResumeThread(ThreadHandle, NULL); } if (stateChangeHandle) { PhThawThread(stateChangeHandle, ThreadHandle); NtClose(stateChangeHandle); } if (processOpened) { NtClose(ProcessHandle); } return status; } PPH_STRING PhUndecorateSymbolName( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PCWSTR DecoratedName ) { PPH_STRING undecoratedSymbolName = NULL; PWSTR undecoratedBuffer; ULONG result; PhpRegisterSymbolProvider(SymbolProvider); if (!UnDecorateSymbolNameW_I) return NULL; // lucasg: there is no way to know the resulting length of an undecorated name. // If there is not enough space, the function does not fail and instead returns a truncated name. undecoratedBuffer = PhAllocate(PAGE_SIZE * sizeof(WCHAR)); //memset(undecoratedBuffer, 0, PAGE_SIZE * sizeof(WCHAR)); PH_LOCK_SYMBOLS(); result = UnDecorateSymbolNameW_I( DecoratedName, undecoratedBuffer, PAGE_SIZE, UNDNAME_COMPLETE ); PH_UNLOCK_SYMBOLS(); if (result != 0) undecoratedSymbolName = PhCreateStringEx(undecoratedBuffer, result * sizeof(WCHAR)); PhFree(undecoratedBuffer); return undecoratedSymbolName; } typedef struct _PH_ENUMERATE_SYMBOLS_CONTEXT { PVOID UserContext; PPH_ENUMERATE_SYMBOLS_CALLBACK UserCallback; } PH_ENUMERATE_SYMBOLS_CONTEXT, *PPH_ENUMERATE_SYMBOLS_CONTEXT; BOOL CALLBACK PhEnumerateSymbolsCallback( _In_ PSYMBOL_INFOW SymbolInfo, _In_ ULONG SymbolSize, _In_ PVOID Context ) { PPH_ENUMERATE_SYMBOLS_CONTEXT context = (PPH_ENUMERATE_SYMBOLS_CONTEXT)Context; BOOLEAN result; PH_SYMBOL_INFO symbolInfo = { 0 }; if (SymbolInfo->MaxNameLen) { SIZE_T SuggestedLength; symbolInfo.Name.Buffer = SymbolInfo->Name; symbolInfo.Name.Length = min(SymbolInfo->NameLen, SymbolInfo->MaxNameLen - 1) * sizeof(WCHAR); // NameLen is unreliable, might be greater that expected SuggestedLength = PhCountStringZ(symbolInfo.Name.Buffer) * sizeof(WCHAR); symbolInfo.Name.Length = min(symbolInfo.Name.Length, SuggestedLength); } else { PhInitializeEmptyStringRef(&symbolInfo.Name); } symbolInfo.TypeIndex = SymbolInfo->TypeIndex; symbolInfo.Index = SymbolInfo->Index; symbolInfo.Size = SymbolInfo->Size; symbolInfo.ModBase = SymbolInfo->ModBase; symbolInfo.Flags = SymbolInfo->Flags; symbolInfo.Value = SymbolInfo->Value; symbolInfo.Address = SymbolInfo->Address; symbolInfo.Register = SymbolInfo->Register; symbolInfo.Scope = SymbolInfo->Scope; symbolInfo.Tag = SymbolInfo->Tag; result = context->UserCallback(&symbolInfo, SymbolSize, context->UserContext); if (result) return TRUE; return FALSE; } BOOLEAN PhEnumerateSymbols( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ HANDLE ProcessHandle, _In_ PVOID BaseOfDll, _In_opt_ PCWSTR Mask, _In_ PPH_ENUMERATE_SYMBOLS_CALLBACK EnumSymbolsCallback, _In_opt_ PVOID UserContext ) { BOOL result; PH_ENUMERATE_SYMBOLS_CONTEXT enumContext; if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymEnumSymbolsW_I) SymEnumSymbolsW_I = PhGetDllProcedureAddressZ(L"dbghelp.dll", "SymEnumSymbolsW", 0); if (!SymEnumSymbolsW_I) { SetLastError(ERROR_PROC_NOT_FOUND); return FALSE; } memset(&enumContext, 0, sizeof(PH_ENUMERATE_SYMBOLS_CONTEXT)); enumContext.UserContext = UserContext; enumContext.UserCallback = EnumSymbolsCallback; PH_LOCK_SYMBOLS(); result = SymEnumSymbolsW_I( ProcessHandle, (ULONG64)BaseOfDll, Mask, PhEnumerateSymbolsCallback, &enumContext ); PH_UNLOCK_SYMBOLS(); if (result) return TRUE; return FALSE; } _Success_(return) BOOLEAN PhGetSymbolProviderDiaSource( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID BaseOfDll, _Out_ PVOID* DiaSource ) { BOOLEAN result; PVOID source; // IDiaDataSource COM interface if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymGetDiaSource_I) SymGetDiaSource_I = PhGetDllProcedureAddressZ(L"dbghelp.dll", "SymGetDiaSource", 0); if (!SymGetDiaSource_I) return FALSE; //PH_LOCK_SYMBOLS(); result = !!SymGetDiaSource_I( SymbolProvider->ProcessHandle, (ULONGLONG)BaseOfDll, &source ); //GetLastError(); // returns HRESULT //PH_UNLOCK_SYMBOLS(); if (result) { *DiaSource = source; return TRUE; } return FALSE; } _Success_(return) BOOLEAN PhGetSymbolProviderDiaSession( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID BaseOfDll, _Out_ PVOID* DiaSession ) { BOOLEAN result; PVOID session; // IDiaSession COM interface if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymGetDiaSession_I) SymGetDiaSession_I = PhGetDllProcedureAddressZ(L"dbghelp.dll", "SymGetDiaSession", 0); if (!SymGetDiaSession_I) return FALSE; //PH_LOCK_SYMBOLS(); result = !!SymGetDiaSession_I( SymbolProvider->ProcessHandle, (ULONGLONG)BaseOfDll, &session ); //GetLastError(); // returns HRESULT //PH_UNLOCK_SYMBOLS(); if (result) { *DiaSession = session; return TRUE; } return FALSE; } VOID PhSymbolProviderFreeDiaString( _In_ PCWSTR DiaString ) { if ((SymGetDiaSession_I || SymGetDiaSource_I) && !SymFreeDiaString_I) SymFreeDiaString_I = PhGetDllProcedureAddressZ(L"dbghelp.dll", "SymFreeDiaString", 0); if (!SymFreeDiaString_I) return; SymFreeDiaString_I(DiaString); } BOOLEAN PhSymbolProviderInlineContextSupported( VOID ) { return StackWalkEx_I && SymFromInlineContextW_I; } _Success_(return != NULL) PPH_STRING PhGetSymbolFromInlineContext( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_THREAD_STACK_FRAME StackFrame, _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel, _Out_opt_ PPH_STRING *FileName, _Out_opt_ PPH_STRING *SymbolName, _Out_opt_ PULONG64 Displacement, _Out_opt_ PPVOID BaseAddress ) { PSYMBOL_INFOW symbolInfo; ULONG nameLength; PPH_STRING symbol = NULL; PH_SYMBOL_RESOLVE_LEVEL resolveLevel; ULONG64 displacement; PPH_STRING modFileName = NULL; PPH_STRING modBaseName = NULL; PVOID modBase = NULL; PPH_STRING symbolName = NULL; if (StackFrame->PcAddress == 0) { if (ResolveLevel) *ResolveLevel = PhsrlInvalid; if (FileName) *FileName = NULL; if (SymbolName) *SymbolName = NULL; if (Displacement) *Displacement = 0; if (BaseAddress) *BaseAddress = NULL; return NULL; } if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymFromInlineContextW_I) return NULL; symbolInfo = PhAllocateZero(FIELD_OFFSET(SYMBOL_INFOW, Name) + PH_MAX_SYMBOL_NAME_LEN * sizeof(WCHAR)); symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); symbolInfo->MaxNameLen = PH_MAX_SYMBOL_NAME_LEN; PH_LOCK_SYMBOLS(); SymFromInlineContextW_I( SymbolProvider->ProcessHandle, (ULONG64)StackFrame->PcAddress, StackFrame->InlineFrameContext, &displacement, symbolInfo ); nameLength = symbolInfo->NameLen; if (nameLength + 1 > PH_MAX_SYMBOL_NAME_LEN) { PhFree(symbolInfo); symbolInfo = PhAllocateZero(FIELD_OFFSET(SYMBOL_INFOW, Name) + nameLength * sizeof(WCHAR) + sizeof(UNICODE_NULL)); symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); symbolInfo->MaxNameLen = nameLength + 1; SymFromInlineContextW_I( SymbolProvider->ProcessHandle, (ULONG64)StackFrame->PcAddress, StackFrame->InlineFrameContext, &displacement, symbolInfo ); } PH_UNLOCK_SYMBOLS(); if (symbolInfo->ModBase == 0) { modBase = PhGetModuleFromAddress( SymbolProvider, StackFrame->PcAddress, &modFileName ); } else { modBase = PhGetModuleFromAddress( SymbolProvider, (PVOID)symbolInfo->ModBase, &modFileName ); } if (!modFileName) { resolveLevel = PhsrlAddress; symbol = PhCreateStringEx(NULL, PH_PTR_STR_LEN * sizeof(WCHAR)); PhPrintPointer(symbol->Buffer, (PVOID)(ULONG64)StackFrame->PcAddress); PhTrimToNullTerminatorString(symbol); goto CleanupExit; } modBaseName = PhGetBaseName(modFileName); if (symbolInfo->NameLen == 0) { PH_FORMAT format[3]; resolveLevel = PhsrlModule; PhInitFormatSR(&format[0], modBaseName->sr); PhInitFormatS(&format[1], L"+0x"); PhInitFormatIX(&format[2], (ULONG_PTR)((ULONG_PTR)StackFrame->PcAddress - (ULONG_PTR)modBase)); symbol = PhFormat(format, 3, modBaseName->Length + 6 + 32); goto CleanupExit; } symbolName = PhCreateStringEx(symbolInfo->Name, symbolInfo->NameLen * sizeof(WCHAR)); PhTrimToNullTerminatorString(symbolName); resolveLevel = PhsrlFunction; if (displacement == 0) { PH_FORMAT format[3]; PhInitFormatSR(&format[0], modBaseName->sr); PhInitFormatC(&format[1], L'!'); PhInitFormatSR(&format[2], symbolName->sr); symbol = PhFormat(format, 3, modBaseName->Length + 2 + symbolName->Length); } else { PH_FORMAT format[5]; PhInitFormatSR(&format[0], modBaseName->sr); PhInitFormatC(&format[1], L'!'); PhInitFormatSR(&format[2], symbolName->sr); PhInitFormatS(&format[3], L"+0x"); PhInitFormatIX(&format[4], (ULONG_PTR)displacement); symbol = PhFormat(format, 5, modBaseName->Length + 2 + symbolName->Length + 6 + 32); } CleanupExit: if (ResolveLevel) *ResolveLevel = resolveLevel; if (FileName) PhSetReference(FileName, modFileName); if (SymbolName) PhSetReference(SymbolName, symbolName); if (Displacement) *Displacement = displacement; if (BaseAddress) *BaseAddress = symbolInfo->ModBase ? (PVOID)symbolInfo->ModBase : modBase; PhClearReference(&modFileName); PhClearReference(&modBaseName); PhClearReference(&symbolName); PhFree(symbolInfo); return symbol; } _Success_(return) BOOLEAN PhGetLineFromInlineContext( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PPH_THREAD_STACK_FRAME StackFrame, _In_opt_ PVOID BaseAddress, _Out_ PPH_STRING *FileName, _Out_opt_ PULONG Displacement, _Out_opt_ PPH_SYMBOL_LINE_INFORMATION Information ) { IMAGEHLP_LINEW64 line; BOOL result; ULONG displacement; PPH_STRING fileName; if (!PhpRegisterSymbolProvider(SymbolProvider)) return FALSE; if (!SymGetLineFromInlineContextW_I) return FALSE; line.SizeOfStruct = sizeof(IMAGEHLP_LINEW64); PH_LOCK_SYMBOLS(); result = SymGetLineFromInlineContextW_I( SymbolProvider->ProcessHandle, (ULONG64)StackFrame->PcAddress, StackFrame->InlineFrameContext, (ULONG64)BaseAddress, &displacement, &line ); PH_UNLOCK_SYMBOLS(); if (result) fileName = PhCreateString(line.FileName); else return FALSE; *FileName = fileName; if (Displacement) *Displacement = displacement; if (Information) { Information->LineNumber = line.LineNumber; Information->Address = line.Address; } return TRUE; } // Note: StackWalk64 doesn't support inline frames, so right before calling PhGetSymbolFromAddress // we can call this function to get the inline frames and manually insert them without much effort. // StackWalkEx provides inline frames by default and does not require this function. This function // is basically obsolete an unused because we're using StackWalkEx by default. (dmex) //PPH_LIST PhGetInlineStackSymbolsFromAddress( // _In_ PPH_SYMBOL_PROVIDER SymbolProvider, // _In_ PPH_THREAD_STACK_FRAME StackFrame, // _In_ BOOLEAN IncludeLineInformation // ) //{ // static _SymAddrIncludeInlineTrace SymAddrIncludeInlineTrace_I = NULL; // static _SymQueryInlineTrace SymQueryInlineTrace_I = NULL; // PPH_LIST inlineSymbolList = NULL; // ULONG64 inlineFrameAddress = 0; // ULONG inlineFrameCount = 0; // ULONG inlineFrameContext = 0; // ULONG inlineFrameIndex = 0; // // if (StackFrame->PcAddress == 0) // return NULL; // // if (!PhpRegisterSymbolProvider(SymbolProvider)) // return NULL; // // if (!SymAddrIncludeInlineTrace_I) // SymAddrIncludeInlineTrace_I = PhGetDllProcedureAddressZ(L"dbghelp.dll", "SymAddrIncludeInlineTrace", 0); // if (!SymQueryInlineTrace_I) // SymQueryInlineTrace_I = PhGetDllProcedureAddressZ(L"dbghelp.dll", "SymQueryInlineTrace", 0); // // if (!( // SymAddrIncludeInlineTrace_I && // SymQueryInlineTrace_I && // SymFromInlineContextW_I && // SymGetLineFromInlineContextW_I // )) // { // return NULL; // } // // PH_LOCK_SYMBOLS(); // // inlineFrameAddress = (ULONG64)StackFrame->PcAddress - sizeof(BYTE); // inlineFrameCount = SymAddrIncludeInlineTrace_I( // SymbolProvider->ProcessHandle, // inlineFrameAddress // ); // // if (inlineFrameCount == 0) // { // PH_UNLOCK_SYMBOLS(); // return NULL; // } // // if (!SymQueryInlineTrace_I( // SymbolProvider->ProcessHandle, // inlineFrameAddress, // INLINE_FRAME_CONTEXT_INIT, // inlineFrameAddress, // inlineFrameAddress, // &inlineFrameContext, // &inlineFrameIndex // )) // { // PH_UNLOCK_SYMBOLS(); // return NULL; // } // // inlineSymbolList = PhCreateList(1); // // for (ULONG i = 0; i < inlineFrameCount; i++) // { // BOOL result = FALSE; // ULONG64 inlineFrameDisplacement = 0; // ULONG64 modBaseAddress = 0; // PPH_STRING modFileName = NULL; // PPH_STRING modBaseName = NULL; // PSYMBOL_INFOW symbolInfo; // ULONG nameLength = 0; // // symbolInfo = PhAllocateZero(FIELD_OFFSET(SYMBOL_INFOW, Name) + PH_MAX_SYMBOL_NAME_LEN * sizeof(WCHAR)); // symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); // symbolInfo->MaxNameLen = PH_MAX_SYMBOL_NAME_LEN; // // result = SymFromInlineContextW_I( // SymbolProvider->ProcessHandle, // inlineFrameAddress, // inlineFrameContext, // &inlineFrameDisplacement, // symbolInfo // ); // nameLength = symbolInfo->NameLen; // // if (nameLength + 1 > PH_MAX_SYMBOL_NAME_LEN) // { // PhFree(symbolInfo); // symbolInfo = PhAllocateZero(FIELD_OFFSET(SYMBOL_INFOW, Name) + nameLength * sizeof(WCHAR) + sizeof(UNICODE_NULL)); // symbolInfo->SizeOfStruct = sizeof(SYMBOL_INFOW); // symbolInfo->MaxNameLen = nameLength + 1; // // result = SymFromInlineContextW_I( // SymbolProvider->ProcessHandle, // inlineFrameAddress, // inlineFrameContext, // &inlineFrameDisplacement, // symbolInfo // ); // } // // if (!result) // { // inlineFrameContext++; // PhFree(symbolInfo); // continue; // } // // if (symbolInfo->ModBase == 0) // { // modBaseAddress = PhGetModuleFromAddress( // SymbolProvider, // inlineFrameAddress, // &modFileName // ); // } // else // { // PH_SYMBOL_MODULE lookupSymbolModule; // PPH_AVL_LINKS existingLinks; // PPH_SYMBOL_MODULE symbolModule; // // lookupSymbolModule.BaseAddress = symbolInfo->ModBase; // // PhAcquireQueuedLockShared(&SymbolProvider->ModulesListLock); // // existingLinks = PhFindElementAvlTree(&SymbolProvider->ModulesSet, &lookupSymbolModule.Links); // // if (existingLinks) // { // symbolModule = CONTAINING_RECORD(existingLinks, PH_SYMBOL_MODULE, Links); // PhSetReference(&modFileName, symbolModule->FileName); // } // // PhReleaseQueuedLockShared(&SymbolProvider->ModulesListLock); // } // // if (modFileName) // { // modBaseName = PhGetBaseName(modFileName); // } // // if (result) // { // PPH_INLINE_STACK_FRAME inlineStackFrame; // // inlineStackFrame = PhAllocate(sizeof(PH_INLINE_STACK_FRAME)); // memset(inlineStackFrame, 0, sizeof(PH_INLINE_STACK_FRAME)); // // if (modFileName) // { // PhSetReference(&inlineStackFrame->FileName, modFileName); // // if (symbolInfo->NameLen == 0) // { // PH_FORMAT format[3]; // // inlineStackFrame->ResolveLevel = PhsrlModule; // // PhInitFormatSR(&format[0], modBaseName->sr); // PhInitFormatS(&format[1], L"+0x"); // PhInitFormatIX(&format[2], (ULONG_PTR)(inlineFrameAddress - modBaseAddress + inlineFrameDisplacement + sizeof(BYTE))); // // address + inlineFrameDisplacement + sizeof(BYTE) ?? // // inlineStackFrame->Symbol = PhFormat(format, 3, modBaseName->Length + 6 + 32); // } // else // { // PPH_STRING symbolName; // // inlineStackFrame->ResolveLevel = PhsrlFunction; // // symbolName = PhCreateStringEx(symbolInfo->Name, symbolInfo->NameLen * sizeof(WCHAR)); // PhTrimToNullTerminatorString(symbolName); // // if (inlineFrameDisplacement == 0) // { // PH_FORMAT format[3]; // // PhInitFormatSR(&format[0], modBaseName->sr); // PhInitFormatC(&format[1], L'!'); // PhInitFormatSR(&format[2], symbolName->sr); // // inlineStackFrame->Symbol = PhFormat(format, 3, modBaseName->Length + 2 + symbolName->Length); // } // else // { // PH_FORMAT format[5]; // // PhInitFormatSR(&format[0], modBaseName->sr); // PhInitFormatC(&format[1], L'!'); // PhInitFormatSR(&format[2], symbolName->sr); // PhInitFormatS(&format[3], L"+0x"); // PhInitFormatIX(&format[4], (ULONG_PTR)inlineFrameDisplacement + sizeof(BYTE)); // add byte to match the windbg displacement (dmex) // // inlineStackFrame->Symbol = PhFormat(format, 5, modBaseName->Length + 2 + symbolName->Length + 6 + 32); // } // // PhDereferenceObject(symbolName); // } // } // else // { // PPH_STRING symbolName; // // inlineStackFrame->ResolveLevel = PhsrlAddress; // // symbolName = PhCreateStringEx(NULL, PH_PTR_STR_LEN * sizeof(WCHAR)); // PhPrintPointer(symbolName->Buffer, (PVOID)inlineFrameAddress); // PhTrimToNullTerminatorString(symbolName); // // inlineStackFrame->Symbol = symbolName; // } // // if (inlineStackFrame->Symbol) // { // PhMoveReference( // &inlineStackFrame->Symbol, // PhConcatStringRefZ(&inlineStackFrame->Symbol->sr, L" (Inline function)") // ); // } // // if (IncludeLineInformation) // { // IMAGEHLP_LINEW64 line; // ULONG lineInlineDisplacement = 0; // // memset(&line, 0, sizeof(IMAGEHLP_LINEW64)); // line.SizeOfStruct = sizeof(IMAGEHLP_LINEW64); // // if (SymGetLineFromInlineContextW_I( // SymbolProvider->ProcessHandle, // inlineFrameAddress, // inlineFrameContext, // symbolInfo->ModBase, // optional // &lineInlineDisplacement, // &line // )) // { // inlineStackFrame->LineAddress = line.Address; // inlineStackFrame->LineNumber = line.LineNumber; // inlineStackFrame->LineDisplacement = lineInlineDisplacement; // inlineStackFrame->LineFileName = PhCreateString(line.FileName); // } // } // // PhAddItemList(inlineSymbolList, inlineStackFrame); // } // // inlineFrameContext++; // PhClearReference(&modFileName); // PhClearReference(&modBaseName); // PhFree(symbolInfo); // } // // PH_UNLOCK_SYMBOLS(); // // return inlineSymbolList; //} // //VOID PhFreeInlineStackSymbols( // _In_ PPH_LIST InlineSymbolList // ) //{ // for (ULONG i = 0; i < InlineSymbolList->Count; i++) // { // PPH_INLINE_STACK_FRAME inlineStackFrame = InlineSymbolList->Items[i]; // // PhClearReference(&inlineStackFrame->Symbol); // PhClearReference(&inlineStackFrame->FileName); // PhClearReference(&inlineStackFrame->LineFileName); // PhFree(inlineStackFrame); // } // // PhDereferenceObject(InlineSymbolList); //} CV_CFL_LANG PhGetDiaSymbolCompilandInformation( _In_ IDiaLineNumber* LineNumber ) { CV_CFL_LANG compilandLanguage = ULONG_MAX; ULONG count; IDiaSymbol* compiland; IDiaSymbol* symbol; IDiaEnumSymbols* enumSymbols; if (IDiaLineNumber_get_compiland(LineNumber, &compiland) == S_OK) { if (IDiaSymbol_findChildren(compiland, SymTagCompilandDetails, NULL, nsNone, &enumSymbols) == S_OK) { while (IDiaEnumSymbols_Next(enumSymbols, 1, &symbol, &count) == S_OK) { ULONG language; if (IDiaSymbol_get_language(symbol, &language) == S_OK) { compilandLanguage = language; break; } IDiaSymbol_Release(symbol); } IDiaEnumSymbols_Release(enumSymbols); } IDiaSymbol_Release(compiland); } return compilandLanguage; } PPH_STRING PhGetDiaSymbolLineInformation( _In_ IDiaSession* Session, _In_ IDiaSymbol* Symbol, _In_ PVOID Address, _In_ ULONG Length ) { IDiaLineNumber* symbolLineNumber; CV_CFL_LANG language = ULONG_MAX; if (IDiaSymbol_getSrcLineOnTypeDefn(Symbol, &symbolLineNumber) == S_OK) { language = PhGetDiaSymbolCompilandInformation(symbolLineNumber); IDiaLineNumber_Release(symbolLineNumber); } else { ULONG count; IDiaEnumLineNumbers* enumLineNumbers; if (IDiaSession_findLinesByVA(Session, (ULONGLONG)Address, Length, &enumLineNumbers) == S_OK) { if (IDiaEnumLineNumbers_Next(enumLineNumbers, 1, &symbolLineNumber, &count) == S_OK) { language = PhGetDiaSymbolCompilandInformation(symbolLineNumber); IDiaLineNumber_Release(symbolLineNumber); } IDiaEnumLineNumbers_Release(enumLineNumbers); } } switch (language) { case CV_CFL_C: return PhCreateString(L"C"); case CV_CFL_CXX: return PhCreateString(L"C++"); case CV_CFL_FORTRAN: return PhCreateString(L"FORTRAN"); case CV_CFL_MASM: return PhCreateString(L"MASM"); case CV_CFL_PASCAL: return PhCreateString(L"PASCAL"); case CV_CFL_BASIC: return PhCreateString(L"BASIC"); case CV_CFL_COBOL: return PhCreateString(L"COBOL"); case CV_CFL_LINK: return PhCreateString(L"LINK"); case CV_CFL_CVTRES: return PhCreateString(L"CVTRES"); case CV_CFL_CVTPGD: return PhCreateString(L"CVTPGD"); case CV_CFL_CSHARP: return PhCreateString(L"C#"); case CV_CFL_VB: return PhCreateString(L"Visual Basic"); case CV_CFL_ILASM: return PhCreateString(L"ILASM (CLR)"); case CV_CFL_JAVA: return PhCreateString(L"JAVA"); case CV_CFL_JSCRIPT: return PhCreateString(L"JSCRIPT"); case CV_CFL_MSIL: return PhCreateString(L"MSIL"); case CV_CFL_HLSL: return PhCreateString(L"HLSL (High Level Shader Language)"); case CV_CFL_OBJC: return PhCreateString(L"Objective-C"); case CV_CFL_OBJCXX: return PhCreateString(L"Objective-C++"); case CV_CFL_SWIFT: return PhCreateString(L"SWIFT"); case CV_CFL_ALIASOBJ: return PhCreateString(L"ALIASOBJ"); case CV_CFL_RUST: return PhCreateString(L"RUST"); } return NULL; } // SymTagCompilandDetails : https://learn.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/compilanddetails // SymTagFunction: https://learn.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/function-debug-interface-access-sdk PPH_STRING PhGetDiaSymbolExtraInformation( _In_ IDiaSymbol* Symbol ) { PH_STRING_BUILDER stringBuilder; BOOL symbolBoolean = FALSE; ULONG64 symbolValue = 0; PhInitializeStringBuilder(&stringBuilder, 0x100); if (IDiaSymbol_get_isStripped(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Stripped, "); } if (IDiaSymbol_get_isStatic(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Static, "); } if (IDiaSymbol_get_inlSpec(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Inline, "); } if (IDiaSymbol_get_isHotpatchable(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Hotpatchable, "); } if (IDiaSymbol_get_hasAlloca(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Has Alloca, "); } if (IDiaSymbol_get_hasInlAsm(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Has Inline ASM, "); } if (IDiaSymbol_get_hasSetJump(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Has SetJump, "); } if (IDiaSymbol_get_hasLongJump(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Has LongJump, "); } if (IDiaSymbol_get_hasSEH(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Has SEH, "); } if (IDiaSymbol_get_hasSecurityChecks(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Has SecurityChecks, "); } if (IDiaSymbol_get_hasControlFlowCheck(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"Has CFG, "); } if (IDiaSymbol_get_isOptimizedForSpeed(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"OptimizedForSpeed, "); } if (IDiaSymbol_get_isPGO(Symbol, &symbolBoolean) == S_OK && symbolBoolean) { PhAppendStringBuilder2(&stringBuilder, L"PGO, "); } if (IDiaSymbol_get_exceptionHandlerVirtualAddress(Symbol, &symbolValue) == S_OK && symbolValue) { PhAppendFormatStringBuilder(&stringBuilder, L"Has exception handler (0x%p), ", (PVOID)symbolValue); } if (PhEndsWithString2(stringBuilder.String, L", ", FALSE)) PhRemoveEndStringBuilder(&stringBuilder, 2); return PhFinalStringBuilderString(&stringBuilder); } _Success_(return) BOOLEAN PhGetDiaSymbolInformation( _In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PVOID Address, _Out_ PPH_DIA_SYMBOL_INFORMATION SymbolInformation ) { PH_DIA_SYMBOL_INFORMATION symbolInfo = { 0 }; PVOID baseAddress; IDiaSession* datasession; IDiaSymbol* symbol; baseAddress = PhGetModuleFromAddress(SymbolProvider, Address, NULL); if (baseAddress == 0) return FALSE; if (!PhGetSymbolProviderDiaSession(SymbolProvider, baseAddress, &datasession)) return FALSE; if (IDiaSession_findSymbolByVA(datasession, (ULONGLONG)Address, SymTagFunction, &symbol) == S_OK) { BSTR symbolUndecoratedName = NULL; ULONG64 symbolLength = 0; if (IDiaSymbol_get_length(symbol, &symbolLength) == S_OK) { symbolInfo.FunctionLength = (ULONG)symbolLength; symbolInfo.SymbolLangugage = PhGetDiaSymbolLineInformation( datasession, symbol, Address, (ULONG)symbolLength ); } if (IDiaSymbol_get_undecoratedName(symbol, &symbolUndecoratedName) == S_OK) { symbolInfo.UndecoratedName = PhCreateString(symbolUndecoratedName); PhSymbolProviderFreeDiaString(symbolUndecoratedName); } symbolInfo.SymbolInformation = PhGetDiaSymbolExtraInformation(symbol); } IDiaSession_Release(datasession); memcpy(SymbolInformation, &symbolInfo, sizeof(PH_DIA_SYMBOL_INFORMATION)); return TRUE; } VOID PhUnregisterSymbolProvider( _In_ PPH_SYMBOL_PROVIDER SymbolProvider ) { PhpUnregisterSymbolProvider(SymbolProvider); } ================================================ FILE: phlib/symprv_std.cpp ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2023 * */ #include #include #include #include using namespace std; EXTERN_C VOID PhPrintCurrentStacktrace( VOID ) { #ifdef DEBUG stacktrace trace = stacktrace::current(1); string result = to_string(trace); OutputDebugStringA(result.c_str()); #endif } EXTERN_C PPH_STRING PhGetStacktraceAsString( VOID ) { #ifdef DEBUG stacktrace trace = stacktrace::current(1); string result = to_string(trace); return PhConvertUtf8ToUtf16(result.c_str()); #else return NULL; #endif } EXTERN_C PPH_STRING PhGetStacktraceSymbolFromAddress( _In_ PVOID Address ) { #ifdef DEBUG string result; __std_stacktrace_address_to_string( Address, &result, _Stacktrace_string_fill_impl ); return PhConvertUtf8ToUtf16(result.c_str()); #else return NULL; #endif } EXTERN_C PPH_STRING PhGetObjectTypeStacktraceToString( _In_ PVOID Object ) { #ifdef DEBUG PPH_OBJECT_HEADER objectHeader = PhObjectToObjectHeader(Object); string result; __std_stacktrace_to_string( objectHeader->StackBackTrace, ARRAYSIZE(objectHeader->StackBackTrace), &result, _Stacktrace_string_fill_impl ); return PhConvertUtf8ToUtf16(result.c_str()); #else return NULL; #endif } ================================================ FILE: phlib/sync.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2010-2015 * */ /* * This file contains code for several synchronization objects. * * Event. This is a lightweight notification event object that does not create a kernel event object * until needed. Additionally, the kernel event object is automatically freed when no longer needed. * Note that PhfResetEvent is NOT thread-safe. * * Barrier. This is a non-traditional implementation of a barrier, built on the wake event object. I * have identified three types of participants in this process: * 1. The slaves, who wait for the master to release them. This is the main mechanism through which * the threads are synchronized. * 2. The master, who is the last thread to wait on the barrier. This thread triggers the waking * process, and waits until all slaves have woken. * 3. The observers, who are simply threads which were slaves before, were woken, and have tried to * wait on the barrier again before all other slaves have woken. * * Rundown protection. This object allows a thread to wait until all other threads have finished * using a particular resource before freeing the resource. * * Init-once. This is a lightweight one-time initialization mechanism which uses the event object * for any required blocking. The overhead is very small - only a single inlined comparison. */ #include /** * Initializes an event object. * * \param Event A pointer to an event object. */ VOID FASTCALL PhfInitializeEvent( _Out_ PPH_EVENT Event ) { Event->Value = PH_EVENT_REFCOUNT_INC; WritePointerRelease(&Event->EventHandle, NULL); } /** * Dereferences the event object used by an event. * * \param Event A pointer to an event object. * \param EventHandle The current value of the event object. */ FORCEINLINE VOID PhpDereferenceEvent( _Inout_ PPH_EVENT Event, _In_opt_ HANDLE EventHandle ) { ULONG_PTR value; value = _InterlockedExchangeAddPointer((PLONG_PTR)&Event->Value, -PH_EVENT_REFCOUNT_INC); // See if the reference count has become 0. if (((value >> PH_EVENT_REFCOUNT_SHIFT) & PH_EVENT_REFCOUNT_MASK) - 1 == 0) { if (EventHandle) { NtClose(EventHandle); Event->EventHandle = NULL; } } } /** * References the event object used by an event. * * \param Event A pointer to an event object. */ FORCEINLINE VOID PhpReferenceEvent( _Inout_ PPH_EVENT Event ) { _InterlockedExchangeAddPointer((PLONG_PTR)&Event->Value, PH_EVENT_REFCOUNT_INC); } /** * Sets an event object. Any threads waiting on the event will be released. * * \param Event A pointer to an event object. */ VOID FASTCALL PhfSetEvent( _Inout_ PPH_EVENT Event ) { // Only proceed if the event isn't set already. if (!_InterlockedBitTestAndSetPointer((PLONG_PTR)&Event->Value, PH_EVENT_SET_SHIFT)) { HANDLE eventHandle; eventHandle = ReadPointerAcquire(&Event->EventHandle); if (eventHandle) { NtSetEvent(eventHandle, NULL); } PhpDereferenceEvent(Event, eventHandle); } } /** * Waits for an event object to be set. * * \param Event A pointer to an event object. * \param Timeout The timeout value. * * \return TRUE if the event object was set before the timeout period expired, otherwise FALSE. * * \remarks To test the event, use PhTestEvent() instead of using a timeout of zero. */ BOOLEAN FASTCALL PhfWaitForEvent( _Inout_ PPH_EVENT Event, _In_opt_ PLARGE_INTEGER Timeout ) { BOOLEAN result; ULONG_PTR value; HANDLE eventHandle; value = ReadULongPtrAcquire(&Event->Value); // Shortcut: if the event is set, return immediately. if (value & PH_EVENT_SET) return TRUE; // Shortcut: if the timeout is 0, return immediately if the event isn't set. if (Timeout && Timeout->QuadPart == 0) return FALSE; // Prevent the event from being invalidated. PhpReferenceEvent(Event); eventHandle = ReadPointerAcquire(&Event->EventHandle); if (!eventHandle) { OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes(&objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL); NtCreateEvent(&eventHandle, EVENT_ALL_ACCESS, &objectAttributes, NotificationEvent, FALSE); assert(eventHandle); // Try to set the event handle to our event. if (_InterlockedCompareExchangePointer( &Event->EventHandle, eventHandle, NULL ) != NULL) { // Someone else set the event before we did. NtClose(eventHandle); eventHandle = ReadPointerAcquire(&Event->EventHandle); } } // Essential: check the event one last time to see if it is set. if (!(ReadULongPtrAcquire(&Event->Value) & PH_EVENT_SET)) { result = NtWaitForSingleObject(eventHandle, FALSE, Timeout) == STATUS_WAIT_0; } else { result = TRUE; } PhpDereferenceEvent(Event, eventHandle); return result; } /** * Resets an event's state. * * \param Event A pointer to an event object. * * \remarks This function is not thread-safe. Make sure no other threads are using the event when * you call this function. */ VOID FASTCALL PhfResetEvent( _Inout_ PPH_EVENT Event ) { //assert(!Event->EventHandle); if (PhTestEvent(Event)) { WriteULongPtrRelease(&Event->Value, PH_EVENT_REFCOUNT_INC); } } VOID FASTCALL PhfInitializeBarrier( _Out_ PPH_BARRIER Barrier, _In_ ULONG_PTR Target ) { Barrier->Value = Target << PH_BARRIER_TARGET_SHIFT; PhInitializeWakeEvent(&Barrier->WakeEvent); } FORCEINLINE VOID PhpBlockOnBarrier( _Inout_ PPH_BARRIER Barrier, _In_ ULONG Role, _In_ BOOLEAN Spin ) { PH_QUEUED_WAIT_BLOCK waitBlock; ULONG_PTR cancel; PhQueueWakeEvent(&Barrier->WakeEvent, &waitBlock); cancel = 0; switch (Role) { case PH_BARRIER_MASTER: cancel = ((Barrier->Value >> PH_BARRIER_COUNT_SHIFT) & PH_BARRIER_COUNT_MASK) == 1; break; case PH_BARRIER_SLAVE: cancel = Barrier->Value & PH_BARRIER_WAKING; break; case PH_BARRIER_OBSERVER: cancel = !(Barrier->Value & PH_BARRIER_WAKING); break; default: ASSUME_NO_DEFAULT; } if (cancel) { PhSetWakeEvent(&Barrier->WakeEvent, &waitBlock); return; } PhWaitForWakeEvent(&Barrier->WakeEvent, &waitBlock, Spin, NULL); } /** * Waits until all threads are blocking on the barrier, and resets the state of the barrier. * * \param Barrier A barrier. * \param Spin TRUE to spin on the barrier before blocking, FALSE to block immediately. * * \return TRUE for an unspecified thread after each phase, and FALSE for all other threads. * * \remarks By checking the return value of the function, in each phase an action can be performed * exactly once. This could, for example, involve merging the results of calculations. */ BOOLEAN FASTCALL PhfWaitForBarrier( _Inout_ PPH_BARRIER Barrier, _In_ BOOLEAN Spin ) { ULONG_PTR value; ULONG_PTR newValue; ULONG_PTR count; ULONG_PTR target; value = ReadULongPtrAcquire(&Barrier->Value); while (TRUE) { if (!(value & PH_BARRIER_WAKING)) { count = (value >> PH_BARRIER_COUNT_SHIFT) & PH_BARRIER_COUNT_MASK; target = (value >> PH_BARRIER_TARGET_SHIFT) & PH_BARRIER_TARGET_MASK; assert(count != target); count++; if (count != target) newValue = value + PH_BARRIER_COUNT_INC; else newValue = value + PH_BARRIER_COUNT_INC + PH_BARRIER_WAKING; if ((newValue = (ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Barrier->Value, (PVOID)newValue, (PVOID)value )) == value) { if (count != target) { // Wait for the master signal (the last thread to reach the barrier). // Once we get it, decrement the count to allow the master to continue. do { PhpBlockOnBarrier(Barrier, PH_BARRIER_SLAVE, Spin); } while (!(Barrier->Value & PH_BARRIER_WAKING)); value = _InterlockedExchangeAddPointer((PLONG_PTR)&Barrier->Value, -PH_BARRIER_COUNT_INC); if (((value >> PH_BARRIER_COUNT_SHIFT) & PH_BARRIER_COUNT_MASK) - 1 == 1) { PhSetWakeEvent(&Barrier->WakeEvent, NULL); // for the master } return FALSE; } else { // We're the last one to reach the barrier, so we become the master. // Wake the slaves and wait for them to decrease the count to 1. This is so that // we know the slaves have woken and we don't clear the waking bit before they // wake. PhSetWakeEvent(&Barrier->WakeEvent, NULL); // for slaves do { PhpBlockOnBarrier(Barrier, PH_BARRIER_MASTER, Spin); } while (((Barrier->Value >> PH_BARRIER_COUNT_SHIFT) & PH_BARRIER_COUNT_MASK) != 1); _InterlockedExchangeAddPointer((PLONG_PTR)&Barrier->Value, -(PH_BARRIER_WAKING + PH_BARRIER_COUNT_INC)); PhSetWakeEvent(&Barrier->WakeEvent, NULL); // for observers return TRUE; } } } else { // We're too early; other threads are still waking. Wait for them to finish. PhpBlockOnBarrier(Barrier, PH_BARRIER_OBSERVER, Spin); newValue = Barrier->Value; } value = newValue; } } VOID FASTCALL PhfInitializeRundownProtection( _Out_ PPH_RUNDOWN_PROTECT Protection ) { Protection->Value = 0; } BOOLEAN FASTCALL PhfAcquireRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ) { ULONG_PTR value; // Increment the reference count only if rundown has not started. while (TRUE) { value = ReadULongPtrAcquire(&Protection->Value); if (value & PH_RUNDOWN_ACTIVE) return FALSE; if ((ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Protection->Value, (PVOID)(value + PH_RUNDOWN_REF_INC), (PVOID)value ) == value) return TRUE; } } VOID FASTCALL PhfReleaseRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ) { ULONG_PTR value; while (TRUE) { value = ReadULongPtrAcquire(&Protection->Value); if (value & PH_RUNDOWN_ACTIVE) { PPH_RUNDOWN_WAIT_BLOCK waitBlock; // Since rundown is active, the reference count has been moved to the waiter's wait // block. If we are the last user, we must wake up the waiter. waitBlock = (PPH_RUNDOWN_WAIT_BLOCK)(value & ~PH_RUNDOWN_ACTIVE); if (_InterlockedDecrementPointer(&waitBlock->Count) == 0) { PhSetEvent(&waitBlock->WakeEvent); } break; } else { // Decrement the reference count normally. if ((ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Protection->Value, (PVOID)(value - PH_RUNDOWN_REF_INC), (PVOID)value ) == value) break; } } } VOID FASTCALL PhfWaitForRundownProtection( _Inout_ PPH_RUNDOWN_PROTECT Protection ) { ULONG_PTR value; ULONG_PTR count; PH_RUNDOWN_WAIT_BLOCK waitBlock; BOOLEAN waitBlockInitialized; // Fast path. If the reference count is 0 or rundown has already been completed, return. value = (ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Protection->Value, (PVOID)PH_RUNDOWN_ACTIVE, (PVOID)0 ); if (value == 0 || value == PH_RUNDOWN_ACTIVE) return; waitBlockInitialized = FALSE; while (TRUE) { value = ReadULongPtrAcquire(&Protection->Value); count = value >> PH_RUNDOWN_REF_SHIFT; // Initialize the wait block if necessary. if (count != 0 && !waitBlockInitialized) { PhInitializeEvent(&waitBlock.WakeEvent); waitBlockInitialized = TRUE; } // Save the existing reference count. waitBlock.Count = count; if ((ULONG_PTR)_InterlockedCompareExchangePointer( (PVOID *)&Protection->Value, (PVOID)((ULONG_PTR)&waitBlock | PH_RUNDOWN_ACTIVE), (PVOID)value ) == value) { if (count != 0) PhWaitForEvent(&waitBlock.WakeEvent, NULL); break; } } } VOID FASTCALL PhfInitializeInitOnce( _Out_ PPH_INITONCE InitOnce ) { PhInitializeEvent(&InitOnce->Event); } BOOLEAN FASTCALL PhfBeginInitOnce( _Inout_ PPH_INITONCE InitOnce ) { if (!_InterlockedBitTestAndSetPointer(&InitOnce->Event.Value, PH_INITONCE_INITIALIZING_SHIFT)) return TRUE; PhWaitForEvent(&InitOnce->Event, NULL); return FALSE; } VOID FASTCALL PhfEndInitOnce( _Inout_ PPH_INITONCE InitOnce ) { PhSetEvent(&InitOnce->Event); } ================================================ FILE: phlib/theme.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2018-2023 * */ #include #include #include #include #include #include #include #include typedef struct _PHP_THEME_WINDOW_TAB_CONTEXT { WNDPROC DefaultWindowProc; BOOLEAN MouseActive; POINT CursorPos; } PHP_THEME_WINDOW_TAB_CONTEXT, *PPHP_THEME_WINDOW_TAB_CONTEXT; typedef struct _PHP_THEME_WINDOW_STATUSBAR_CONTEXT { WNDPROC DefaultWindowProc; struct { BOOLEAN Flags; union { BOOLEAN NonMouseActive : 1; BOOLEAN MouseActive : 1; BOOLEAN HotTrack : 1; BOOLEAN Hot : 1; BOOLEAN Spare : 4; }; }; HTHEME ThemeHandle; POINT CursorPos; HDC BufferedDc; HBITMAP BufferedOldBitmap; HBITMAP BufferedBitmap; RECT BufferedContextRect; } PHP_THEME_WINDOW_STATUSBAR_CONTEXT, *PPHP_THEME_WINDOW_STATUSBAR_CONTEXT; typedef struct _PHP_THEME_WINDOW_COMBO_CONTEXT { WNDPROC DefaultWindowProc; HTHEME ThemeHandle; POINT CursorPos; } PHP_THEME_WINDOW_COMBO_CONTEXT, *PPHP_THEME_WINDOW_COMBO_CONTEXT; _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhpThemeWindowEnumChildWindows( _In_ HWND WindowHandle, _In_opt_ PVOID Context ); _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhpReInitializeThemeWindowEnumChildWindows( _In_ HWND WindowHandle, _In_opt_ PVOID Context ); LRESULT CALLBACK PhpThemeWindowSubclassProc( _In_ HWND hWnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); LRESULT CALLBACK PhpThemeWindowGroupBoxSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); LRESULT CALLBACK PhpThemeWindowTabControlWndSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); LRESULT CALLBACK PhpThemeWindowListBoxControlSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); LRESULT CALLBACK PhpThemeWindowComboBoxControlSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); LRESULT CALLBACK PhpThemeWindowACLUISubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ); // Win10-RS5 (uxtheme.dll ordinal 132) BOOL (WINAPI *ShouldAppsUseDarkMode_I)( VOID ) = NULL; // Win10-RS5 (uxtheme.dll ordinal 138) BOOL (WINAPI *ShouldSystemUseDarkMode_I)( VOID ) = NULL; // Win10-RS5 (uxtheme.dll ordinal 136) BOOL (WINAPI* FlushMenuThemes_I)( VOID ) = NULL; typedef enum _PreferredAppMode { PreferredAppModeDisabled, PreferredAppModeDarkOnDark, PreferredAppModeDarkAlways } PreferredAppMode; // Win10-RS5 (uxtheme.dll ordinal 135) // Win10 build 17763: AllowDarkModeForApp(BOOL) // Win10 build 18334: SetPreferredAppMode(enum PreferredAppMode) BOOL (WINAPI* SetPreferredAppMode_I)( _In_ PreferredAppMode AppMode ) = NULL; // Win10-RS5 (uxtheme.dll ordinal 139) BOOL (WINAPI *IsDarkModeAllowedForApp_I)( _In_ HWND WindowHandle ) = NULL; //HRESULT (WINAPI* DwmGetColorizationColor_I)( // _Out_ PULONG Colorization, // _Out_ PBOOL OpaqueBlend // ); #ifdef DEBUG #define DEBUG_BEGINPAINT_RECT(WindowHandle, RcPaint) \ {\ RECT rect;\ GetClientRect((WindowHandle), &rect);\ assert(EqualRect(&rect, &(RcPaint)));\ } #else #define DEBUG_BEGINPAINT_RECT(RcPaint) #endif BOOLEAN PhEnableThemeSupport = FALSE; BOOLEAN PhEnableThemeAcrylicSupport = FALSE; BOOLEAN PhEnableThemeAcrylicWindowSupport = FALSE; BOOLEAN PhEnableThemeNativeButtons = FALSE; BOOLEAN PhEnableThemeListviewBorder = FALSE; HBRUSH PhThemeWindowBackgroundBrush = NULL; COLORREF PhThemeWindowForegroundColor = RGB(28, 28, 28); COLORREF PhThemeWindowBackgroundColor = RGB(43, 43, 43); COLORREF PhThemeWindowBackground2Color = RGB(65, 65, 65); COLORREF PhThemeWindowHighlightColor = RGB(128, 128, 128); COLORREF PhThemeWindowHighlight2Color = RGB(143, 143, 143); COLORREF PhThemeWindowTextColor = RGB(255, 255, 255); VOID PhInitializeWindowTheme( _In_ HWND WindowHandle, _In_ BOOLEAN EnableThemeSupport ) { if (EnableThemeSupport && WindowsVersion >= WINDOWS_10_RS5) { static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_10_19H2) { PVOID baseAddress; if (!(baseAddress = PhGetLoaderEntryDllBaseZ(L"uxtheme.dll"))) baseAddress = PhLoadLibrary(L"uxtheme.dll"); if (baseAddress) { SetPreferredAppMode_I = PhGetDllBaseProcedureAddress(baseAddress, NULL, 135); //FlushMenuThemes_I = PhGetDllBaseProcedureAddress(baseAddress, NULL, 136); } if (SetPreferredAppMode_I) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // SetPreferredAppMode_I(PreferredAppModeDisabled); // break; //case 1: // Old colors SetPreferredAppMode_I(PreferredAppModeDarkAlways); } //if (FlushMenuThemes_I) // FlushMenuThemes_I(); } PhEndInitOnce(&initOnce); } } PhInitializeThemeWindowFrame(WindowHandle); if (!PhThemeWindowBackgroundBrush) { //HBRUSH brush = PhThemeWindowBackgroundBrush; PhThemeWindowBackgroundBrush = CreateSolidBrush(PhThemeWindowBackgroundColor); //if (brush) DeleteBrush(brush); } if (EnableThemeSupport) { WNDPROC defaultWindowProc; defaultWindowProc = (WNDPROC)GetWindowLongPtr(WindowHandle, GWLP_WNDPROC); if (defaultWindowProc != PhpThemeWindowSubclassProc) { PhSetWindowContext(WindowHandle, LONG_MAX, defaultWindowProc); SetWindowLongPtr(WindowHandle, GWLP_WNDPROC, (LONG_PTR)PhpThemeWindowSubclassProc); if (WindowsVersion >= WINDOWS_10_RS5) { WCHAR windowClassName[MAX_PATH]; if (!GetClassName(WindowHandle, windowClassName, RTL_NUMBER_OF(windowClassName))) windowClassName[0] = UNICODE_NULL; if (PhEqualStringZ(windowClassName, L"PhTreeNew", FALSE) || PhEqualStringZ(windowClassName, WC_LISTVIEW, FALSE)) PhAllowDarkModeForWindow(WindowHandle, TRUE); // HACK for dynamically generated plugin tabs } } PhEnumChildWindows( WindowHandle, PhpThemeWindowEnumChildWindows, NULL ); InvalidateRect(WindowHandle, NULL, FALSE); // HACK } else { //EnableThemeDialogTexture(WindowHandle, ETDT_ENABLETAB); } } VOID PhInitializeWindowThemeEx( _In_ HWND WindowHandle ) { static CONST PH_STRINGREF keyPath = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"); HANDLE keyHandle; BOOLEAN enableThemeSupport = FALSE; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_CURRENT_USER, &keyPath, 0 ))) { enableThemeSupport = !PhQueryRegistryUlongZ(keyHandle, L"AppsUseLightTheme"); NtClose(keyHandle); } PhInitializeWindowTheme(WindowHandle, enableThemeSupport); } VOID PhReInitializeWindowTheme( _In_ HWND WindowHandle ) { HWND currentWindow = NULL; PhInitializeThemeWindowFrame(WindowHandle); if (!PhEnableThemeSupport) return; if (!PhThemeWindowBackgroundBrush) { //HBRUSH brush = PhThemeWindowBackgroundBrush; PhThemeWindowBackgroundBrush = CreateSolidBrush(PhThemeWindowBackgroundColor); //if (brush) DeleteBrush(brush); } PhEnumChildWindows( WindowHandle, PhpReInitializeThemeWindowEnumChildWindows, NULL ); do { if (currentWindow = FindWindowEx(NULL, currentWindow, NULL, NULL)) { ULONG processID = 0; GetWindowThreadProcessId(currentWindow, &processID); if (UlongToHandle(processID) == NtCurrentProcessId()) { WCHAR windowClassName[MAX_PATH]; if (!GetClassName(currentWindow, windowClassName, RTL_NUMBER_OF(windowClassName))) windowClassName[0] = UNICODE_NULL; //dprintf("PhReInitializeWindowTheme: %S\r\n", windowClassName); if (currentWindow != WindowHandle) { if (PhEqualStringZ(windowClassName, L"#32770", FALSE)) { PhEnumChildWindows( currentWindow, PhpReInitializeThemeWindowEnumChildWindows, NULL ); //PhReInitializeWindowTheme(currentWindow); } InvalidateRect(currentWindow, NULL, TRUE); } } } } while (currentWindow); InvalidateRect(WindowHandle, NULL, FALSE); } #define DWMWA_USE_IMMERSIVE_DARK_MODE_BEFORE_20H1 19 #ifndef DWMWA_USE_IMMERSIVE_DARK_MODE #define DWMWA_USE_IMMERSIVE_DARK_MODE 20 #endif #ifndef DWMWA_CAPTION_COLOR #define DWMWA_CAPTION_COLOR 35 #endif #ifndef DWMWA_SYSTEMBACKDROP_TYPE #define DWMWA_SYSTEMBACKDROP_TYPE 38 #endif HRESULT PhGetWindowThemeAttribute( _In_ HWND WindowHandle, _In_ ULONG AttributeId, _Out_writes_bytes_(AttributeLength) PVOID Attribute, _In_ ULONG AttributeLength ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HRESULT (WINAPI* DwmGetWindowAttribute_I)( _In_ HWND WindowHandle, _In_ ULONG AttributeId, _Out_writes_bytes_(AttributeLength) PVOID Attribute, _In_ ULONG AttributeLength ); if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"dwmapi.dll")) { DwmGetWindowAttribute_I = PhGetDllBaseProcedureAddress(baseAddress, "DwmGetWindowAttribute", 0); } PhEndInitOnce(&initOnce); } if (!DwmGetWindowAttribute_I) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); return DwmGetWindowAttribute_I(WindowHandle, AttributeId, Attribute, AttributeLength); } HRESULT PhSetWindowThemeAttribute( _In_ HWND WindowHandle, _In_ ULONG AttributeId, _In_reads_bytes_(AttributeLength) PVOID Attribute, _In_ ULONG AttributeLength ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HRESULT (WINAPI* DwmSetWindowAttribute_I)( _In_ HWND WindowHandle, _In_ ULONG AttributeId, _In_reads_bytes_(AttributeLength) PVOID Attribute, _In_ ULONG AttributeLength ); if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"dwmapi.dll")) { DwmSetWindowAttribute_I = PhGetDllBaseProcedureAddress(baseAddress, "DwmSetWindowAttribute", 0); } PhEndInitOnce(&initOnce); } if (!DwmSetWindowAttribute_I) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); return DwmSetWindowAttribute_I(WindowHandle, AttributeId, Attribute, AttributeLength); } VOID PhInitializeThemeWindowFrame( _In_ HWND WindowHandle ) { if (WindowsVersion >= WINDOWS_10_RS5) { BOOL boolAttribute; ULONG ulongAttribute; if (PhEnableThemeSupport) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // { // boolAttribute = FALSE; // // if (FAILED(PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE, &boolAttribute, sizeof(BOOL)))) // { // PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE_BEFORE_20H1, &boolAttribute, sizeof(BOOL)); // } // // //if (WindowsVersion > WINDOWS_11) // //{ // // PhSetWindowThemeAttribute(WindowHandle, DWMWA_CAPTION_COLOR, NULL, 0); // //} // } // break; //case 1: // Old colors boolAttribute = TRUE; if (FAILED(PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE, &boolAttribute, sizeof(BOOL)))) { PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE_BEFORE_20H1, &boolAttribute, sizeof(BOOL)); } if (WindowsVersion >= WINDOWS_11) { PhSetWindowThemeAttribute(WindowHandle, DWMWA_CAPTION_COLOR, &PhThemeWindowBackgroundColor, sizeof(COLORREF)); } } if (WindowsVersion >= WINDOWS_11_22H2) { ulongAttribute = 1; PhSetWindowThemeAttribute(WindowHandle, DWMWA_SYSTEMBACKDROP_TYPE, &ulongAttribute, sizeof(ULONG)); } } } VOID PhWindowThemeSetDarkMode( _In_ HWND WindowHandle, _In_ BOOLEAN EnableDarkMode ) { //BOOL boolAttribute; if (EnableDarkMode && PhEnableThemeSupport) // ShouldAppsUseDarkMode_I() { PhSetControlTheme(WindowHandle, L"DarkMode_Explorer"); //PhSetControlTheme(WindowHandle, L"DarkMode_ItemsView"); //if (WindowsVersion >= WINDOWS_11) //{ // boolAttribute = TRUE; // // if (FAILED(PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE, &boolAttribute, sizeof(BOOL)))) // { // PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE_BEFORE_20H1, &boolAttribute, sizeof(BOOL)); // } //} } else { PhSetControlTheme(WindowHandle, L"Explorer"); //PhSetControlTheme(WindowHandle, L"ItemsView"); //if (WindowsVersion >= WINDOWS_11) //{ // boolAttribute = FALSE; // // if (FAILED(PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE, &boolAttribute, sizeof(BOOL)))) // { // PhSetWindowThemeAttribute(WindowHandle, DWMWA_USE_IMMERSIVE_DARK_MODE_BEFORE_20H1, &boolAttribute, sizeof(BOOL)); // } //} } } HBRUSH PhWindowThemeControlColor( _In_ HWND WindowHandle, _In_ HDC Hdc, _In_ HWND ChildWindowHandle, _In_ LONG Type ) { SetBkMode(Hdc, TRANSPARENT); switch (Type) { case CTLCOLOR_EDIT: { if (PhEnableThemeSupport) { SetTextColor(Hdc, PhThemeWindowTextColor); SetDCBrushColor(Hdc, RGB(60, 60, 60)); return PhGetStockBrush(DC_BRUSH); } else { SetTextColor(Hdc, GetSysColor(COLOR_WINDOWTEXT)); return GetSysColorBrush(COLOR_WINDOW); } } break; case CTLCOLOR_SCROLLBAR: { if (PhEnableThemeSupport) { SetDCBrushColor(Hdc, RGB(23, 23, 23)); return PhGetStockBrush(DC_BRUSH); } else { return GetSysColorBrush(COLOR_SCROLLBAR); } } break; case CTLCOLOR_MSGBOX: case CTLCOLOR_LISTBOX: case CTLCOLOR_BTN: case CTLCOLOR_DLG: case CTLCOLOR_STATIC: { if (PhEnableThemeSupport) { SetTextColor(Hdc, PhThemeWindowTextColor); return PhThemeWindowBackgroundBrush; } else { SetTextColor(Hdc, GetSysColor(COLOR_WINDOWTEXT)); return GetSysColorBrush(COLOR_WINDOW); } } break; } return (HBRUSH)DefWindowProc(WindowHandle, Type, (WPARAM)Hdc, (LPARAM)ChildWindowHandle); } VOID PhWindowThemeMainMenuBorder( _In_ HWND WindowHandle ) { if (GetMenu(WindowHandle)) { RECT clientRect; RECT windowRect; HDC hdc; if (!PhGetClientRect(WindowHandle, &clientRect)) return; if (!PhGetWindowRect(WindowHandle, &windowRect)) return; MapWindowPoints(WindowHandle, NULL, (PPOINT)&clientRect, 2); PhOffsetRect(&clientRect, -windowRect.left, -windowRect.top); // the rcBar is offset by the window rect (thanks to adzm) (dmex) RECT rcAnnoyingLine = clientRect; rcAnnoyingLine.bottom = rcAnnoyingLine.top; rcAnnoyingLine.top--; if (hdc = GetWindowDC(WindowHandle)) { if (PhEnableThemeSupport) { FillRect(hdc, &rcAnnoyingLine, PhThemeWindowBackgroundBrush); } else { FillRect(hdc, &rcAnnoyingLine, (HBRUSH)(COLOR_WINDOW + 1)); } ReleaseDC(WindowHandle, hdc); } } } VOID PhInitializeThemeWindowTabControl( _In_ HWND TabControlWindow ) { PPHP_THEME_WINDOW_TAB_CONTEXT context; context = PhAllocateZero(sizeof(PHP_THEME_WINDOW_TAB_CONTEXT)); context->DefaultWindowProc = (WNDPROC)GetWindowLongPtr(TabControlWindow, GWLP_WNDPROC); context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; PhSetWindowContext(TabControlWindow, LONG_MAX, context); SetWindowLongPtr(TabControlWindow, GWLP_WNDPROC, (LONG_PTR)PhpThemeWindowTabControlWndSubclassProc); InvalidateRect(TabControlWindow, NULL, FALSE); } VOID PhInitializeThemeWindowGroupBox( _In_ HWND GroupBoxHandle ) { WNDPROC groupboxWindowProc; groupboxWindowProc = (WNDPROC)GetWindowLongPtr(GroupBoxHandle, GWLP_WNDPROC); PhSetWindowContext(GroupBoxHandle, LONG_MAX, groupboxWindowProc); SetWindowLongPtr(GroupBoxHandle, GWLP_WNDPROC, (LONG_PTR)PhpThemeWindowGroupBoxSubclassProc); InvalidateRect(GroupBoxHandle, NULL, FALSE); } VOID PhInitializeWindowThemeMainMenu( _In_ HMENU MenuHandle ) { MENUINFO menuInfo; if (!PhEnableThemeSupport) return; memset(&menuInfo, 0, sizeof(MENUINFO)); menuInfo.cbSize = sizeof(MENUINFO); menuInfo.fMask = MIM_BACKGROUND | MIM_APPLYTOSUBMENUS; menuInfo.hbrBack = PhThemeWindowBackgroundBrush; SetMenuInfo(MenuHandle, &menuInfo); } VOID PhInitializeWindowThemeListboxControl( _In_ HWND ListBoxControl ) { PPHP_THEME_WINDOW_STATUSBAR_CONTEXT context; context = PhAllocateZero(sizeof(PHP_THEME_WINDOW_STATUSBAR_CONTEXT)); context->DefaultWindowProc = (WNDPROC)GetWindowLongPtr(ListBoxControl, GWLP_WNDPROC); context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; PhSetWindowContext(ListBoxControl, LONG_MAX, context); SetWindowLongPtr(ListBoxControl, GWLP_WNDPROC, (LONG_PTR)PhpThemeWindowListBoxControlSubclassProc); InvalidateRect(ListBoxControl, NULL, FALSE); SetWindowPos(ListBoxControl, HWND_TOP, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_NOOWNERZORDER | SWP_FRAMECHANGED); } VOID PhInitializeWindowThemeComboboxControl( _In_ HWND ComboBoxControl ) { PPHP_THEME_WINDOW_COMBO_CONTEXT context; context = PhAllocateZero(sizeof(PHP_THEME_WINDOW_COMBO_CONTEXT)); context->DefaultWindowProc = (WNDPROC)GetWindowLongPtr(ComboBoxControl, GWLP_WNDPROC); context->ThemeHandle = PhOpenThemeData(ComboBoxControl, VSCLASS_COMBOBOX, PhGetWindowDpi(ComboBoxControl)); context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; PhSetWindowContext(ComboBoxControl, LONG_MAX, context); SetWindowLongPtr(ComboBoxControl, GWLP_WNDPROC, (LONG_PTR)PhpThemeWindowComboBoxControlSubclassProc); InvalidateRect(ComboBoxControl, NULL, FALSE); } VOID PhInitializeWindowThemeACLUI( _In_ HWND ACLUIControl ) { PhSetWindowContext(ACLUIControl, LONG_MAX, (PVOID)GetWindowLongPtr(ACLUIControl, GWLP_WNDPROC)); SetWindowLongPtr(ACLUIControl, GWLP_WNDPROC, (LONG_PTR)PhpThemeWindowACLUISubclassProc); InvalidateRect(ACLUIControl, NULL, FALSE); } _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhpThemeWindowEnumChildWindows( _In_ HWND WindowHandle, _In_opt_ PVOID Context ) { WCHAR windowClassName[MAX_PATH]; PhEnumChildWindows( WindowHandle, PhpThemeWindowEnumChildWindows, NULL ); if (PhGetWindowContext(WindowHandle, LONG_MAX)) // HACK return TRUE; if (!GetClassName(WindowHandle, windowClassName, RTL_NUMBER_OF(windowClassName))) windowClassName[0] = UNICODE_NULL; //dprintf("PhpThemeWindowEnumChildWindows: %S\r\n", windowClassName); if (PhEqualStringZ(windowClassName, L"#32770", TRUE)) { PhInitializeWindowTheme(WindowHandle, TRUE); } else if (PhEqualStringZ(windowClassName, WC_BUTTON, FALSE)) { LONG_PTR style = PhGetWindowStyle(WindowHandle); if ((style & BS_GROUPBOX) == BS_GROUPBOX) { PhInitializeThemeWindowGroupBox(WindowHandle); } else // apply theme for CheckBox, Radio (Dart Vanya) { PhWindowThemeSetDarkMode(WindowHandle, TRUE); } } else if (PhEqualStringZ(windowClassName, WC_TABCONTROL, FALSE)) { PhInitializeThemeWindowTabControl(WindowHandle); } else if (PhEqualStringZ(windowClassName, WC_SCROLLBAR, FALSE)) { if (WindowsVersion >= WINDOWS_10_RS5) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // PhWindowThemeSetDarkMode(WindowHandle, FALSE); // break; //case 1: // Old colors PhWindowThemeSetDarkMode(WindowHandle, TRUE); } } else if (PhEqualStringZ(windowClassName, WC_LISTVIEW, FALSE)) { if (WindowsVersion >= WINDOWS_10_RS5) { HWND tooltipWindow = ListView_GetToolTips(WindowHandle); //switch (PhpThemeColorMode) //{ //case 0: // New colors // PhSetControlTheme(WindowHandle, L"explorer"); // PhSetControlTheme(tooltipWindow, L""); // break; //case 1: // Old colors //PhWindowThemeSetDarkMode(WindowHandle, TRUE); PhAllowDarkModeForWindow(WindowHandle, TRUE); PhSetControlTheme(WindowHandle, L"DarkMode_ItemsView"); PhWindowThemeSetDarkMode(tooltipWindow, TRUE); } if (PhEnableThemeListviewBorder) { PhSetWindowStyle(WindowHandle, WS_BORDER, WS_BORDER); PhSetWindowExStyle(WindowHandle, WS_EX_CLIENTEDGE, WS_EX_CLIENTEDGE); } else { PhSetWindowStyle(WindowHandle, WS_BORDER, 0); PhSetWindowExStyle(WindowHandle, WS_EX_CLIENTEDGE, 0); } SetWindowPos(WindowHandle, HWND_TOP, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_NOOWNERZORDER | SWP_FRAMECHANGED); //switch (PhpThemeColorMode) //{ //case 0: // New colors // ListView_SetBkColor(WindowHandle, RGB(0xff, 0xff, 0xff)); // ListView_SetTextBkColor(WindowHandle, RGB(0xff, 0xff, 0xff)); // ListView_SetTextColor(WindowHandle, RGB(0x0, 0x0, 0x0)); // break; //case 1: // Old colors ListView_SetBkColor(WindowHandle, PhThemeWindowBackgroundColor); // RGB(30, 30, 30) ListView_SetTextBkColor(WindowHandle, PhThemeWindowBackgroundColor); // RGB(30, 30, 30) ListView_SetTextColor(WindowHandle, PhThemeWindowTextColor); } else if (PhEqualStringZ(windowClassName, WC_TREEVIEW, FALSE)) { if (WindowsVersion >= WINDOWS_10_RS5) { HWND tooltipWindow = TreeView_GetToolTips(WindowHandle); PhWindowThemeSetDarkMode(WindowHandle, TRUE); PhWindowThemeSetDarkMode(tooltipWindow, TRUE); } TreeView_SetBkColor(WindowHandle, PhThemeWindowBackgroundColor);// RGB(30, 30, 30)); //TreeView_SetTextBkColor(WindowHandle, RGB(30, 30, 30)); TreeView_SetTextColor(WindowHandle, PhThemeWindowTextColor); //InvalidateRect(WindowHandle, NULL, FALSE); } else if (PhEqualStringZ(windowClassName, L"RICHEDIT50W", FALSE)) { if (PhEnableThemeListviewBorder) PhSetWindowStyle(WindowHandle, WS_BORDER, WS_BORDER); else PhSetWindowStyle(WindowHandle, WS_BORDER, 0); SetWindowPos(WindowHandle, HWND_TOP, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_NOOWNERZORDER | SWP_FRAMECHANGED); #define EM_SETBKGNDCOLOR (WM_USER + 67) //switch (PhpThemeColorMode) //{ //case 0: // New colors // SendMessage(WindowHandle, EM_SETBKGNDCOLOR, 0, RGB(0xff, 0xff, 0xff)); // break; //case 1: // Old colors SendMessage(WindowHandle, EM_SETBKGNDCOLOR, 0, RGB(30, 30, 30)); PhWindowThemeSetDarkMode(WindowHandle, TRUE); //InvalidateRect(WindowHandle, NULL, FALSE); } else if (PhEqualStringZ(windowClassName, L"PhTreeNew", FALSE)) { if (WindowsVersion >= WINDOWS_10_RS5) { HWND tooltipWindow = TreeNew_GetTooltips(WindowHandle); //switch (PhpThemeColorMode) //{ //case 0: // New colors // PhSetControlTheme(tooltipWindow, L""); // PhSetControlTheme(WindowHandle, L""); // break; //case 1: // Old colors PhWindowThemeSetDarkMode(tooltipWindow, TRUE); PhWindowThemeSetDarkMode(WindowHandle, TRUE); PhAllowDarkModeForWindow(WindowHandle, TRUE); } if (PhEnableThemeListviewBorder) PhSetWindowExStyle(WindowHandle, WS_EX_CLIENTEDGE, WS_EX_CLIENTEDGE); else PhSetWindowExStyle(WindowHandle, WS_EX_CLIENTEDGE, 0); SetWindowPos(WindowHandle, HWND_TOP, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_NOOWNERZORDER | SWP_FRAMECHANGED); //switch (PhpThemeColorMode) //{ //case 0: // New colors // TreeNew_ThemeSupport(WindowHandle, FALSE); // break; //case 1: // Old colors TreeNew_ThemeSupport(WindowHandle, TRUE); //InvalidateRect(WindowHandle, NULL, TRUE); } else if ( PhEqualStringZ(windowClassName, WC_LISTBOX, FALSE) || PhEqualStringZ(windowClassName, L"ComboLBox", FALSE) ) { if (WindowsVersion >= WINDOWS_10_RS5) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // PhSetControlTheme(WindowHandle, L"explorer"); // break; //case 1: // Old colors PhWindowThemeSetDarkMode(WindowHandle, TRUE); } PhInitializeWindowThemeListboxControl(WindowHandle); } else if (PhEqualStringZ(windowClassName, WC_COMBOBOX, FALSE)) { COMBOBOXINFO info = { sizeof(COMBOBOXINFO) }; if (SendMessage(WindowHandle, CB_GETCOMBOBOXINFO, 0, (LPARAM)&info)) { //if (info.hwndItem) //{ // SendMessage(info.hwndItem, EM_SETMARGINS, EC_LEFTMARGIN, MAKELPARAM(0, 0)); //} if (info.hwndList) { PhWindowThemeSetDarkMode(info.hwndList, TRUE); } } //if ((PhGetWindowStyle(WindowHandle) & CBS_DROPDOWNLIST) != CBS_DROPDOWNLIST) { PhInitializeWindowThemeComboboxControl(WindowHandle); } } else if (PhEqualStringZ(windowClassName, L"CHECKLIST_ACLUI", FALSE)) { if (WindowsVersion >= WINDOWS_10_RS5) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // PhSetControlTheme(WindowHandle, L"explorer"); // break; //case 1: // Old colors PhWindowThemeSetDarkMode(WindowHandle, TRUE); } PhInitializeWindowThemeACLUI(WindowHandle); } else if (PhEqualStringZ(windowClassName, WC_EDIT, FALSE)) { // Fix scrollbar on multiline edit (Dart Vanya) if (PhGetWindowStyle(WindowHandle) & ES_MULTILINE) { PhWindowThemeSetDarkMode(WindowHandle, TRUE); } } else if (PhEqualStringZ(windowClassName, WC_LINK, FALSE)) { // SysLink theme support (Dart Vanya) PhAllowDarkModeForWindow(WindowHandle, TRUE); } return TRUE; } _Function_class_(PH_WINDOW_ENUM_CALLBACK) BOOLEAN CALLBACK PhpReInitializeThemeWindowEnumChildWindows( _In_ HWND WindowHandle, _In_opt_ PVOID Context ) { WCHAR windowClassName[MAX_PATH]; PhEnumChildWindows( WindowHandle, PhpReInitializeThemeWindowEnumChildWindows, NULL ); if (!GetClassName(WindowHandle, windowClassName, RTL_NUMBER_OF(windowClassName))) windowClassName[0] = UNICODE_NULL; if (PhEqualStringZ(windowClassName, WC_LISTVIEW, FALSE)) { if (WindowsVersion >= WINDOWS_10_RS5) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // PhSetControlTheme(WindowHandle, L"explorer"); // break; //case 1: // Old colors PhWindowThemeSetDarkMode(WindowHandle, TRUE); } //switch (PhpThemeColorMode) //{ //case 0: // New colors // ListView_SetBkColor(WindowHandle, RGB(0xff, 0xff, 0xff)); // ListView_SetTextBkColor(WindowHandle, RGB(0xff, 0xff, 0xff)); // ListView_SetTextColor(WindowHandle, RGB(0x0, 0x0, 0x0)); // break; //case 1: // Old colors ListView_SetBkColor(WindowHandle, PhThemeWindowBackgroundColor); // RGB(30, 30, 30) ListView_SetTextBkColor(WindowHandle, PhThemeWindowBackgroundColor); // RGB(30, 30, 30) ListView_SetTextColor(WindowHandle, PhThemeWindowTextColor); } else if (PhEqualStringZ(windowClassName, WC_SCROLLBAR, FALSE)) { if (WindowsVersion >= WINDOWS_10_RS5) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // PhSetControlTheme(WindowHandle, L""); // break; //case 1: // Old colors PhWindowThemeSetDarkMode(WindowHandle, TRUE); } } else if (PhEqualStringZ(windowClassName, L"PhTreeNew", FALSE)) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // TreeNew_ThemeSupport(WindowHandle, FALSE); // PhSetControlTheme(WindowHandle, L""); // break; //case 1: // Old colors TreeNew_ThemeSupport(WindowHandle, TRUE); PhWindowThemeSetDarkMode(WindowHandle, TRUE); } else if (PhEqualStringZ(windowClassName, WC_EDIT, FALSE)) { SendMessage(WindowHandle, WM_THEMECHANGED, 0, 0); // searchbox.c } InvalidateRect(WindowHandle, NULL, TRUE); return TRUE; } BOOLEAN PhThemeWindowDrawItem( _In_ HWND WindowHandle, _In_ PDRAWITEMSTRUCT DrawInfo ) { BOOLEAN isGrayed = (DrawInfo->itemState & CDIS_GRAYED) == CDIS_GRAYED; BOOLEAN isChecked = (DrawInfo->itemState & CDIS_CHECKED) == CDIS_CHECKED; BOOLEAN isDisabled = (DrawInfo->itemState & CDIS_DISABLED) == CDIS_DISABLED; BOOLEAN isSelected = (DrawInfo->itemState & CDIS_SELECTED) == CDIS_SELECTED; //BOOLEAN isHighlighted = (DrawInfo->itemState & CDIS_HOT) == CDIS_HOT; BOOLEAN isFocused = (DrawInfo->itemState & CDIS_FOCUS) == CDIS_FOCUS; //BOOLEAN isGrayed = (DrawInfo->itemState & ODS_GRAYED) == ODS_GRAYED; //BOOLEAN isChecked = (DrawInfo->itemState & ODS_CHECKED) == ODS_CHECKED; //BOOLEAN isDisabled = (DrawInfo->itemState & ODS_DISABLED) == ODS_DISABLED; //BOOLEAN isSelected = (DrawInfo->itemState & ODS_SELECTED) == ODS_SELECTED; BOOLEAN isHighlighted = (DrawInfo->itemState & ODS_HOTLIGHT) == ODS_HOTLIGHT; SetBkMode(DrawInfo->hDC, TRANSPARENT); switch (DrawInfo->CtlType) { case ODT_MENU: { PPH_EMENU_ITEM menuItemInfo = (PPH_EMENU_ITEM)DrawInfo->itemData; RECT rect = DrawInfo->rcItem; LONG dpiValue = PhGetWindowDpi(WindowHandle); ULONG drawTextFlags = DT_SINGLELINE | DT_NOCLIP; //HFONT fontHandle; //HFONT oldFont = NULL; if (DrawInfo->itemState & ODS_NOACCEL) { drawTextFlags |= DT_HIDEPREFIX; } //if (fontHandle = PhCreateMessageFont(dpiValue)) //{ // oldFont = SelectFont(DrawInfo->hDC, fontHandle); //} // //FillRect( // DrawInfo->hDC, // &DrawInfo->rcItem, // CreateSolidBrush(RGB(0, 0, 0)) // ); //SetTextColor(DrawInfo->hDC, RGB(0xff, 0xff, 0xff)); if (DrawInfo->itemState & ODS_HOTLIGHT) { SetTextColor(DrawInfo->hDC, PhThemeWindowTextColor); SetDCBrushColor(DrawInfo->hDC, PhThemeWindowHighlightColor); FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); } else if (isDisabled) { SetTextColor(DrawInfo->hDC, GetSysColor(COLOR_GRAYTEXT)); FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhThemeWindowBackgroundBrush); } else if (isSelected) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // SetTextColor(DrawInfo->hDC, PhThemeWindowTextColor); // SetDCBrushColor(DrawInfo->hDC, PhThemeWindowBackgroundColor); // break; SetTextColor(DrawInfo->hDC, PhThemeWindowTextColor); SetDCBrushColor(DrawInfo->hDC, PhThemeWindowHighlightColor); FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); } else { //switch (PhpThemeColorMode) //{ //case 0: // New colors // SetTextColor(DrawInfo->hDC, GetSysColor(COLOR_WINDOWTEXT)); // SetDCBrushColor(DrawInfo->hDC, RGB(0xff, 0xff, 0xff)); // FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); // break; SetTextColor(DrawInfo->hDC, GetSysColor(COLOR_HIGHLIGHTTEXT)); FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhThemeWindowBackgroundBrush); } if (isChecked) { static CONST PH_STRINGREF menuCheckText = PH_STRINGREF_INIT(L"\u2713"); COLORREF oldTextColor; //HFONT marlettFontHandle = CreateFont( // 0, 0, 0, 0, // FW_DONTCARE, // FALSE, // FALSE, // FALSE, // DEFAULT_CHARSET, // OUT_OUTLINE_PRECIS, // CLIP_DEFAULT_PRECIS, // CLEARTYPE_QUALITY, // VARIABLE_PITCH, // L"Arial Unicode MS" // ); oldTextColor = SetTextColor(DrawInfo->hDC, PhThemeWindowTextColor); DrawInfo->rcItem.left += PhGetDpi(8, dpiValue); DrawInfo->rcItem.top += PhGetDpi(3, dpiValue); DrawText( DrawInfo->hDC, menuCheckText.Buffer, (UINT)menuCheckText.Length / sizeof(WCHAR), &DrawInfo->rcItem, DT_VCENTER | DT_NOCLIP ); DrawInfo->rcItem.left -= PhGetDpi(8, dpiValue); DrawInfo->rcItem.top -= PhGetDpi(3, dpiValue); SetTextColor(DrawInfo->hDC, oldTextColor); } if (menuItemInfo->Flags & PH_EMENU_SEPARATOR) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // SetDCBrushColor(DrawInfo->hDC, RGB(0xff, 0xff, 0xff)); // FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); // break; //case 1: // Old colors //SetDCBrushColor(DrawInfo->hDC, PhThemeWindowBackgroundColor); // PhThemeWindowForegroundColor FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhThemeWindowBackgroundBrush); //DrawInfo->rcItem.top += PhGetDpi(1, dpiValue); //DrawInfo->rcItem.bottom -= PhGetDpi(2, dpiValue); //DrawFocusRect(drawInfo->hDC, &drawInfo->rcItem); // +5 font margin, +1 extra padding //INT cxMenuCheck = GetSystemMetrics(SM_CXMENUCHECK) + (GetSystemMetrics(SM_CXEDGE) * 2) + 5 + 1; INT cyEdge = PhGetSystemMetrics(SM_CYEDGE, dpiValue); // //SetRect( // &DrawInfo->rcItem, // DrawInfo->rcItem.left + cxMenuCheck, // 25 // DrawInfo->rcItem.top + cyEdge, // DrawInfo->rcItem.right, // DrawInfo->rcItem.bottom - cyEdge // ); SetDCBrushColor(DrawInfo->hDC, RGB(0x5f, 0x5f, 0x5f)); SelectBrush(DrawInfo->hDC, PhGetStockBrush(DC_BRUSH)); PatBlt(DrawInfo->hDC, DrawInfo->rcItem.left, DrawInfo->rcItem.top + cyEdge, DrawInfo->rcItem.right - DrawInfo->rcItem.left, 1, PATCOPY); //switch (PhpThemeColorMode) //{ //case 0: // New colors // SetDCBrushColor(DrawInfo->hDC, RGB(0xff, 0xff, 0xff)); // FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); // break; //case 1: // Old colors // SetDCBrushColor(DrawInfo->hDC, RGB(78, 78, 78)); // FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); // break; //} //DrawEdge(drawInfo->hDC, &drawInfo->rcItem, BDR_RAISEDINNER, BF_TOP); } else { PH_STRINGREF part = { 0 }; PH_STRINGREF firstPart = { 0 }; PH_STRINGREF secondPart = { 0 }; PhInitializeStringRefLongHint(&part, menuItemInfo->Text); PhSplitStringRefAtLastChar(&part, L'\b', &firstPart, &secondPart); //SetDCBrushColor(DrawInfo->hDC, PhThemeWindowForegroundColor); //FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); if (menuItemInfo->Bitmap) { HDC bufferDc; BLENDFUNCTION blendFunction; blendFunction.BlendOp = AC_SRC_OVER; blendFunction.BlendFlags = 0; blendFunction.SourceConstantAlpha = 255; blendFunction.AlphaFormat = AC_SRC_ALPHA; bufferDc = CreateCompatibleDC(DrawInfo->hDC); SelectBitmap(bufferDc, menuItemInfo->Bitmap); GdiAlphaBlend( DrawInfo->hDC, DrawInfo->rcItem.left + 4, DrawInfo->rcItem.top + 4, PhGetSystemMetrics(SM_CXSMICON, dpiValue), PhGetSystemMetrics(SM_CYSMICON, dpiValue), bufferDc, 0, 0, PhGetSystemMetrics(SM_CXSMICON, dpiValue), PhGetSystemMetrics(SM_CYSMICON, dpiValue), blendFunction ); DeleteDC(bufferDc); } DrawInfo->rcItem.left += PhGetDpi(25, dpiValue); DrawInfo->rcItem.right -= PhGetDpi(25, dpiValue); if ((menuItemInfo->Flags & PH_EMENU_MAINMENU) == PH_EMENU_MAINMENU) { if (firstPart.Length) { DrawText( DrawInfo->hDC, firstPart.Buffer, (UINT)firstPart.Length / sizeof(WCHAR), &DrawInfo->rcItem, DT_LEFT | DT_SINGLELINE | DT_CENTER | DT_VCENTER | drawTextFlags ); } } else { if (firstPart.Length) { DrawText( DrawInfo->hDC, firstPart.Buffer, (UINT)firstPart.Length / sizeof(WCHAR), &DrawInfo->rcItem, DT_LEFT | DT_VCENTER | drawTextFlags ); } } if (secondPart.Length) { DrawText( DrawInfo->hDC, secondPart.Buffer, (UINT)secondPart.Length / sizeof(WCHAR), &DrawInfo->rcItem, DT_RIGHT | DT_VCENTER | drawTextFlags ); } } //if (oldFont) //{ // SelectFont(DrawInfo->hDC, oldFont); //} if (menuItemInfo->Items && menuItemInfo->Items->Count && (menuItemInfo->Flags & PH_EMENU_MAINMENU) != PH_EMENU_MAINMENU) { HTHEME themeHandle; if (themeHandle = PhOpenThemeData(DrawInfo->hwndItem, VSCLASS_MENU, dpiValue)) { //if (IsThemeBackgroundPartiallyTransparent(themeHandle, MENU_POPUPSUBMENU, isDisabled ? MSM_DISABLED : MSM_NORMAL)) // DrawThemeParentBackground(DrawInfo->hwndItem, DrawInfo->hDC, NULL); rect.left = rect.right - PhGetDpi(25, dpiValue); PhDrawThemeBackground( themeHandle, DrawInfo->hDC, MENU_POPUPSUBMENU, isDisabled ? MSM_DISABLED : MSM_NORMAL, &rect, NULL ); PhCloseThemeData(themeHandle); } } ExcludeClipRect(DrawInfo->hDC, rect.left, rect.top, rect.right, rect.bottom); // exclude last //if (fontHandle) //{ // DeleteFont(fontHandle); //} return TRUE; } case ODT_COMBOBOX: { SetTextColor(DrawInfo->hDC, GetSysColor(COLOR_HIGHLIGHTTEXT)); SetDCBrushColor(DrawInfo->hDC, PhThemeWindowForegroundColor); FillRect(DrawInfo->hDC, &DrawInfo->rcItem, PhGetStockBrush(DC_BRUSH)); INT length = ComboBox_GetLBTextLen(DrawInfo->hwndItem, DrawInfo->itemID); if (length == CB_ERR) break; if (length < MAX_PATH) { WCHAR comboText[MAX_PATH] = L""; if (ComboBox_GetLBText(DrawInfo->hwndItem, DrawInfo->itemID, comboText) == CB_ERR) break; DrawText( DrawInfo->hDC, comboText, (UINT)PhCountStringZ(comboText), &DrawInfo->rcItem, DT_LEFT | DT_END_ELLIPSIS | DT_SINGLELINE ); } return TRUE; } break; } return FALSE; } BOOLEAN PhThemeWindowMeasureItem( _In_ HWND WindowHandle, _In_ PMEASUREITEMSTRUCT DrawInfo ) { if (DrawInfo->CtlType == ODT_MENU) { PPH_EMENU_ITEM menuItemInfo = (PPH_EMENU_ITEM)DrawInfo->itemData; LONG dpiValue = PhGetWindowDpi(WindowHandle); DrawInfo->itemWidth = PhGetDpi(100, dpiValue); DrawInfo->itemHeight = PhGetDpi(100, dpiValue); if ((menuItemInfo->Flags & PH_EMENU_SEPARATOR) == PH_EMENU_SEPARATOR) { DrawInfo->itemHeight = PhGetSystemMetrics(SM_CYMENU, dpiValue) >> 2; } else if (menuItemInfo->Text) { //HFONT fontHandle; HDC hdc; //fontHandle = PhCreateMessageFont(dpiValue); if (hdc = GetDC(WindowHandle)) { PCWSTR text; SIZE_T textCount; SIZE textSize; //HFONT oldFont = NULL; INT cyborder = PhGetSystemMetrics(SM_CYBORDER, dpiValue); INT cymenu = PhGetSystemMetrics(SM_CYMENU, dpiValue); text = menuItemInfo->Text; textCount = PhCountStringZ(text); //if (fontHandle) //{ // oldFont = SelectFont(hdc, fontHandle); //} if ((menuItemInfo->Flags & PH_EMENU_MAINMENU) == PH_EMENU_MAINMENU) { if (GetTextExtentPoint32(hdc, text, (ULONG)textCount, &textSize)) { DrawInfo->itemWidth = textSize.cx + (cyborder * 2); DrawInfo->itemHeight = cymenu + (cyborder * 2) + 1; } } else { if (GetTextExtentPoint32(hdc, text, (ULONG)textCount, &textSize)) { DrawInfo->itemWidth = textSize.cx + (cyborder * 2) + PhGetDpi(90, dpiValue); // HACK DrawInfo->itemHeight = cymenu + (cyborder * 2) + PhGetDpi(1, dpiValue); } } //if (oldFont) //{ // SelectFont(hdc, oldFont); //} ReleaseDC(WindowHandle, hdc); } //if (fontHandle) //{ // DeleteFont(fontHandle); //} } return TRUE; } return FALSE; } // TODO: Use imagelist instead of loading images from uxtheme. //HIMAGELIST CreateTreeViewCheckBoxes(HWND hwnd, int cx, int cy) //{ // const int frames = 6; // // // Get a DC for our window. // HDC hdcScreen = GetDC(hwnd); // // // Get a button theme for the window, if available. // HTHEME htheme = OpenThemeData(hwnd, L"button"); // // // If there is a theme, then ask it for the size // // of a checkbox and use that size. // if (htheme) // { // SIZE size; // PhGetThemePartSize(htheme, hdcScreen, BP_CHECKBOX, CBS_UNCHECKEDNORMAL, NULL, TS_DRAW, &size); // cx = size.cx; // cy = size.cy; // } // // // Create a 32bpp bitmap that holds the desired number of frames. // BITMAPINFO bi = { sizeof(BITMAPINFOHEADER), cx * frames, cy, 1, 32 }; // void* p; // HBITMAP hbmCheckboxes = CreateDIBSection(hdcScreen, &bi, DIB_RGB_COLORS, &p, NULL, 0); // // // Create a compatible memory DC. // HDC hdcMem = CreateCompatibleDC(hdcScreen); // // // Select our bitmap into it so we can draw to it. // HBITMAP hbmOld = SelectBitmap(hdcMem, hbmCheckboxes); // // // Set up the rectangle into which we do our drawing. // RECT rc = { 0, 0, cx, cy }; // // // Frame 0 is not used. Draw nothing. // PhOffsetRect(&rc, cx, 0); // // if (htheme) // { // // Frame 1: Unchecked. // PhDrawThemeBackground(htheme, hdcMem, BP_CHECKBOX, CBS_UNCHECKEDNORMAL, &rc, NULL); // PhOffsetRect(&rc, cx, 0); // // // Frame 2: Checked. // PhDrawThemeBackground(htheme, hdcMem, BP_CHECKBOX, CBS_CHECKEDNORMAL, &rc, NULL); // PhOffsetRect(&rc, cx, 0); // // // Frame 3: Indeterminate. // PhDrawThemeBackground(htheme, hdcMem, BP_CHECKBOX, CBS_MIXEDNORMAL, &rc, NULL); // PhOffsetRect(&rc, cx, 0); // // // Frame 4: Disabled, unchecked. // PhDrawThemeBackground(htheme, hdcMem, BP_CHECKBOX, CBS_UNCHECKEDDISABLED, &rc, NULL); // PhOffsetRect(&rc, cx, 0); // // // Frame 5: Disabled, checked. // PhDrawThemeBackground(htheme, hdcMem, BP_CHECKBOX, CBS_CHECKEDDISABLED, &rc, NULL); // // // Done with the theme. // PhCloseThemeData(htheme); // } // else // { // // Flags common to all of our DrawFrameControl calls: // // Draw a flat checkbox. // UINT baseFlags = DFCS_FLAT | DFCS_BUTTONCHECK; // // // Frame 1: Unchecked. // DrawFrameControl(hdcMem, &rc, DFC_BUTTON, baseFlags); // PhOffsetRect(&rc, cx, 0); // // // Frame 2: Checked. // DrawFrameControl(hdcMem, &rc, DFC_BUTTON, baseFlags | DFCS_CHECKED); // PhOffsetRect(&rc, cx, 0); // // // Frame 3: Indeterminate. // DrawFrameControl(hdcMem, &rc, DFC_BUTTON, baseFlags | DFCS_CHECKED | DFCS_BUTTON3STATE); // PhOffsetRect(&rc, cx, 0); // // // Frame 4: Disabled, unchecked. // DrawFrameControl(hdcMem, &rc, DFC_BUTTON, baseFlags | DFCS_INACTIVE); // PhOffsetRect(&rc, cx, 0); // // // Frame 5: Disabled, checked. // DrawFrameControl(hdcMem, &rc, DFC_BUTTON, baseFlags | DFCS_INACTIVE | DFCS_CHECKED); // } // // // The bitmap is ready. Clean up. // SelectBitmap(hdcMem, hbmOld); // DeleteDC(hdcMem); // ReleaseDC(hwnd, hdcScreen); // // // Create an imagelist from this bitmap. // HIMAGELIST himl = PhImageListCreate(cx, cy, ILC_COLOR, frames, frames); // PhImageListAddBitmap(himl, hbmCheckboxes, NULL); // // // Don't need the bitmap any more. // DeleteObject(hbmCheckboxes); // // return himl; //} // //VOID OnThemeChange(HWND hwnd) // WM_THEMECHANGE //{ // // Rebuild the state images to match the new theme. // HIMAGELIST himl = CreateTreeViewCheckBoxes(g_hwndChild, 16, 16); // ImageList_Destroy(TreeView_SetImageList(g_hwndChild, himl, TVSIL_STATE)); //} VOID PhThemeDrawButtonIcon( _In_ LPNMCUSTOMDRAW DrawInfo, _In_ HICON ButtonIcon, _In_ PRECT ButtonRect, _In_ LONG WindowDpi ) { BOOL result; ICONINFO iconInfo; BITMAP bmp; LONG width = PhGetSystemMetrics(SM_CXSMICON, WindowDpi); LONG height = PhGetSystemMetrics(SM_CYSMICON, WindowDpi); memset(&iconInfo, 0, sizeof(ICONINFO)); memset(&bmp, 0, sizeof(BITMAP)); result = GetIconInfo(ButtonIcon, &iconInfo); if (iconInfo.hbmColor) { if (GetObject(iconInfo.hbmColor, sizeof(BITMAP), &bmp)) { width = bmp.bmWidth; height = bmp.bmHeight; } DeleteBitmap(iconInfo.hbmColor); } else if (iconInfo.hbmMask) { if (GetObject(iconInfo.hbmMask, sizeof(BITMAP), &bmp)) { width = bmp.bmWidth; height = bmp.bmHeight / 2; } DeleteBitmap(iconInfo.hbmMask); } DrawIconEx( DrawInfo->hdc, ButtonRect->left + ((ButtonRect->right - ButtonRect->left) - width) / 2, ButtonRect->top + ((ButtonRect->bottom - ButtonRect->top) - height) / 2, ButtonIcon, width, height, 0, NULL, DI_NORMAL ); if (!result) // HACK { BUTTON_IMAGELIST imageList = { 0 }; if (Button_GetImageList(DrawInfo->hdr.hwndFrom, &imageList) && imageList.himl) { ButtonRect->left += PhGetDpi(1, WindowDpi); PhImageListDrawIcon( imageList.himl, 0, DrawInfo->hdc, ButtonRect->left, // + ((ButtonRect->right - ButtonRect->left) - width) / 2, ButtonRect->top + ((ButtonRect->bottom - ButtonRect->top) - height) / 2, ILD_NORMAL, FALSE ); ButtonRect->left += PhGetDpi(5, WindowDpi); } } } LRESULT CALLBACK PhThemeWindowDrawButton( _In_ LPNMCUSTOMDRAW DrawInfo ) { ULONG buttonStyle; buttonStyle = PhGetWindowStyle(DrawInfo->hdr.hwndFrom); // COMMANDLINK unsupported if ((buttonStyle & BS_COMMANDLINK) == BS_COMMANDLINK || (buttonStyle & BS_DEFCOMMANDLINK) == BS_DEFCOMMANDLINK) return CDRF_DODEFAULT; BOOLEAN isGrayed = (DrawInfo->uItemState & CDIS_GRAYED) == CDIS_GRAYED; BOOLEAN isChecked = (DrawInfo->uItemState & CDIS_CHECKED) == CDIS_CHECKED; BOOLEAN isMixed = (DrawInfo->uItemState & CDIS_INDETERMINATE) == CDIS_INDETERMINATE; BOOLEAN isDisabled = (DrawInfo->uItemState & CDIS_DISABLED) == CDIS_DISABLED; BOOLEAN isSelected = (DrawInfo->uItemState & CDIS_SELECTED) == CDIS_SELECTED; BOOLEAN isHighlighted = (DrawInfo->uItemState & CDIS_HOT) == CDIS_HOT; BOOLEAN isFocused = (DrawInfo->uItemState & CDIS_FOCUS) == CDIS_FOCUS; BOOLEAN isKeyboardFocused = isFocused && (DrawInfo->uItemState & CDIS_SHOWKEYBOARDCUES) == CDIS_SHOWKEYBOARDCUES; RECT bufferRect = { 0, 0, DrawInfo->rc.right - DrawInfo->rc.left, DrawInfo->rc.bottom - DrawInfo->rc.top }; switch (DrawInfo->dwDrawStage) { case CDDS_PREPAINT: { PPH_STRING buttonText; HICON buttonIcon; LONG dpiValue; BOOLEAN isCheckbox = (buttonStyle & BS_AUTOCHECKBOX) == BS_AUTOCHECKBOX || (buttonStyle & BS_AUTO3STATE) == BS_AUTO3STATE; BOOLEAN isRadio = (buttonStyle & BS_AUTORADIOBUTTON) == BS_AUTORADIOBUTTON; if (!isCheckbox && !isRadio && PhEnableThemeNativeButtons && !PhEnableThemeAcrylicWindowSupport) return CDRF_DODEFAULT; dpiValue = PhGetWindowDpi(DrawInfo->hdr.hwndFrom); buttonText = PhGetWindowText(DrawInfo->hdr.hwndFrom); if (!(buttonIcon = Static_GetIcon(DrawInfo->hdr.hwndFrom, 0))) buttonIcon = (HICON)SendMessage(DrawInfo->hdr.hwndFrom, BM_GETIMAGE, IMAGE_ICON, 0); // Add support for disabled and tristate checkboxes, support for radio with multiline (ex. TaskDialog) (Dart Vanya) if (isCheckbox || isRadio) { INT state = isCheckbox ? CBS_UNCHECKEDNORMAL : RBS_UNCHECKEDNORMAL; HTHEME themeHandle; isChecked = Button_GetCheck(DrawInfo->hdr.hwndFrom) & BST_CHECKED; isMixed = Button_GetCheck(DrawInfo->hdr.hwndFrom) & BST_INDETERMINATE; if (isCheckbox) { if (isDisabled) state = isChecked ? CBS_CHECKEDDISABLED : isMixed ? CBS_MIXEDDISABLED : CBS_UNCHECKEDDISABLED; else if (isSelected) state = isChecked ? CBS_CHECKEDPRESSED : isMixed ? CBS_MIXEDPRESSED : CBS_UNCHECKEDPRESSED; else if (isHighlighted) state = isChecked ? CBS_CHECKEDHOT : isMixed ? CBS_MIXEDHOT : CBS_UNCHECKEDHOT; else state = isChecked ? CBS_CHECKEDNORMAL : isMixed ? CBS_MIXEDNORMAL : CBS_UNCHECKEDNORMAL; } else { if (isDisabled) state = isChecked ? RBS_CHECKEDDISABLED : RBS_UNCHECKEDDISABLED; else if (isSelected) state = isChecked ? RBS_CHECKEDPRESSED : RBS_UNCHECKEDPRESSED; else if (isHighlighted) state = isChecked ? RBS_CHECKEDHOT : RBS_UNCHECKEDHOT; else state = isChecked ? RBS_CHECKEDNORMAL : RBS_UNCHECKEDNORMAL; } if (buttonIcon) { if (isSelected || isChecked) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // //SetTextColor(DrawInfo->hdc, RGB(0, 0, 0xff)); // SetDCBrushColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHT)); // break; //case 1: // Old colors SetTextColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHTTEXT)); SetDCBrushColor(DrawInfo->hdc, RGB(78, 78, 78)); FillRect(DrawInfo->hdc, &DrawInfo->rc, PhGetStockBrush(DC_BRUSH)); } else if (isHighlighted) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // //SetTextColor(DrawInfo->hdc, RGB(0, 0, 0xff)); // SetDCBrushColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHT)); // break; //case 1: // Old colors SetTextColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHTTEXT)); SetDCBrushColor(DrawInfo->hdc, PhThemeWindowBackground2Color); FillRect(DrawInfo->hdc, &DrawInfo->rc, PhGetStockBrush(DC_BRUSH)); } else { SetTextColor(DrawInfo->hdc, !isDisabled ? PhThemeWindowTextColor : RGB(0x9B, 0x9B, 0x9B)); //SetDCBrushColor(DrawInfo->hdc, PhThemeWindowBackgroundColor); // WindowForegroundColor FillRect(DrawInfo->hdc, &DrawInfo->rc, PhThemeWindowBackgroundBrush); } SetDCBrushColor(DrawInfo->hdc, PhThemeWindowBackground2Color); FrameRect(DrawInfo->hdc, &DrawInfo->rc, PhGetStockBrush(DC_BRUSH)); PhThemeDrawButtonIcon(DrawInfo, buttonIcon, &bufferRect, dpiValue); } else { SetBkMode(DrawInfo->hdc, TRANSPARENT); SetTextColor(DrawInfo->hdc, !isDisabled ? PhThemeWindowTextColor : RGB(0x9B, 0x9B, 0x9B)); if (themeHandle = PhOpenThemeData(DrawInfo->hdr.hwndFrom, VSCLASS_BUTTON, dpiValue)) { SIZE checkBoxSize = { 0 }; SIZE textSize = { 0 }; INT linesCount; PhGetThemePartSize( themeHandle, DrawInfo->hdc, isCheckbox ? BP_CHECKBOX : BP_RADIOBUTTON, state, &bufferRect, THEMEPARTSIZE_TRUE, &checkBoxSize ); GetTextExtentPoint32W(DrawInfo->hdc, L"T", 1, &textSize); bufferRect.left = 0; bufferRect.right = checkBoxSize.cx; linesCount = (bufferRect.bottom - bufferRect.top) / textSize.cy; if (linesCount > 1) bufferRect.bottom -= textSize.cy * (linesCount - 1); // HACK (very sensitive value) //if (IsThemeBackgroundPartiallyTransparent(themeHandle, isCheckbox ? BP_CHECKBOX : BP_RADIOBUTTON, state)) // DrawThemeParentBackground(DrawInfo->hdr.hwndFrom, DrawInfo->hdc, NULL); PhDrawThemeBackground( themeHandle, DrawInfo->hdc, isCheckbox ? BP_CHECKBOX : BP_RADIOBUTTON, state, &bufferRect, NULL ); bufferRect = DrawInfo->rc; bufferRect.left = checkBoxSize.cx + 4; // TNP_ICON_RIGHT_PADDING if (linesCount == 1) { DrawText( DrawInfo->hdc, buttonText->Buffer, (UINT)buttonText->Length / sizeof(WCHAR), &bufferRect, DT_LEFT | DT_SINGLELINE | DT_VCENTER | (!isKeyboardFocused ? DT_HIDEPREFIX : 0) ); } else { DrawText( DrawInfo->hdc, buttonText->Buffer, (UINT)buttonText->Length / sizeof(WCHAR), &bufferRect, DT_LEFT | DT_TOP | DT_CALCRECT | (!isKeyboardFocused ? DT_HIDEPREFIX : 0) ); bufferRect.top = (DrawInfo->rc.bottom - DrawInfo->rc.top) / 2 - (bufferRect.bottom - bufferRect.top) / 2 - 1; bufferRect.bottom = DrawInfo->rc.bottom, bufferRect.right = DrawInfo->rc.right; DrawText( DrawInfo->hdc, buttonText->Buffer, (UINT)buttonText->Length / sizeof(WCHAR), &bufferRect, DT_LEFT | DT_TOP | (!isKeyboardFocused ? DT_HIDEPREFIX : 0) ); } if (isKeyboardFocused) { DrawText( DrawInfo->hdc, buttonText->Buffer, (UINT)buttonText->Length / sizeof(WCHAR), &bufferRect, DT_LEFT | DT_TOP | DT_CALCRECT ); PhInflateRect(&bufferRect, 1, 0); bufferRect.top += 1, bufferRect.bottom += 2; if (bufferRect.bottom > DrawInfo->rc.bottom - 1) bufferRect.bottom = DrawInfo->rc.bottom - 1; for (INT i = 0; i < bufferRect.right - bufferRect.left - 1; i += 2) SetPixel(DrawInfo->hdc, bufferRect.left + i + 1, bufferRect.bottom, PhThemeWindowHighlight2Color); for (INT i = 0; i < bufferRect.bottom - bufferRect.top - 1; i += 2) SetPixel(DrawInfo->hdc, bufferRect.right, bufferRect.bottom - i - 1, PhThemeWindowHighlight2Color); for (INT i = 0; i < bufferRect.right - bufferRect.left - 1; i += 2) SetPixel(DrawInfo->hdc, bufferRect.right - i - 1, bufferRect.top, PhThemeWindowHighlight2Color); for (INT i = 0; i < bufferRect.bottom - bufferRect.top - 1; i += 2) SetPixel(DrawInfo->hdc, bufferRect.left, bufferRect.top + i + 1, PhThemeWindowHighlight2Color); } PhCloseThemeData(themeHandle); } else { if (isChecked) { HFONT newFont = PhDuplicateFontWithNewHeight(PhApplicationFont, 16, dpiValue); HFONT oldFont; oldFont = SelectFont(DrawInfo->hdc, newFont); DrawText( DrawInfo->hdc, L"\u2611", 1, &DrawInfo->rc, DT_LEFT | DT_SINGLELINE | DT_VCENTER ); SelectFont(DrawInfo->hdc, oldFont); DeleteFont(newFont); } else { HFONT newFont = PhDuplicateFontWithNewHeight(PhApplicationFont, 22, dpiValue); HFONT oldFont; oldFont = SelectFont(DrawInfo->hdc, newFont); DrawText( DrawInfo->hdc, L"\u2610", 1, &DrawInfo->rc, DT_LEFT | DT_SINGLELINE | DT_VCENTER ); SelectFont(DrawInfo->hdc, oldFont); DeleteFont(newFont); } bufferRect.left = 17; bufferRect.right = DrawInfo->rc.right; DrawText( DrawInfo->hdc, buttonText->Buffer, (UINT)buttonText->Length / sizeof(WCHAR), &bufferRect, DT_LEFT | DT_VCENTER | DT_SINGLELINE | (!isKeyboardFocused ? DT_HIDEPREFIX : 0) ); } } } else { if (isSelected) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // //SetTextColor(DrawInfo->hdc, RGB(0, 0, 0xff)); // SetDCBrushColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHT)); // break; //case 1: // Old colors SetTextColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHTTEXT)); SetDCBrushColor(DrawInfo->hdc, RGB(78, 78, 78)); FillRect(DrawInfo->hdc, &DrawInfo->rc, PhGetStockBrush(DC_BRUSH)); } else if (isHighlighted) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // //SetTextColor(DrawInfo->hdc, RGB(0, 0, 0xff)); // SetDCBrushColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHT)); // break; //case 1: // Old colors SetTextColor(DrawInfo->hdc, GetSysColor(COLOR_HIGHLIGHTTEXT)); SetDCBrushColor(DrawInfo->hdc, PhThemeWindowBackground2Color); FillRect(DrawInfo->hdc, &DrawInfo->rc, PhGetStockBrush(DC_BRUSH)); } else { SetTextColor(DrawInfo->hdc, !isDisabled ? PhThemeWindowTextColor : RGB(0x9B, 0x9B, 0x9B)); //SetDCBrushColor(DrawInfo->hdc, PhThemeWindowBackgroundColor); // WindowForegroundColor FillRect(DrawInfo->hdc, &DrawInfo->rc, PhThemeWindowBackgroundBrush); } SetBkMode(DrawInfo->hdc, TRANSPARENT); SetDCBrushColor(DrawInfo->hdc, !isFocused ? PhThemeWindowBackground2Color : PhThemeWindowHighlightColor); FrameRect(DrawInfo->hdc, &DrawInfo->rc, PhGetStockBrush(DC_BRUSH)); PhThemeDrawButtonIcon(DrawInfo, buttonIcon, &bufferRect, dpiValue); if ((buttonStyle & BS_ICON) != BS_ICON) { DrawText( DrawInfo->hdc, buttonText->Buffer, (UINT)buttonText->Length / sizeof(WCHAR), &bufferRect, DT_CENTER | DT_SINGLELINE | DT_VCENTER | (!isKeyboardFocused ? DT_HIDEPREFIX : 0) ); } } PhDereferenceObject(buttonText); } return CDRF_SKIPDEFAULT; } return CDRF_DODEFAULT; } LRESULT CALLBACK PhThemeWindowDrawRebar( _In_ LPNMCUSTOMDRAW DrawInfo ) { // temp chevron workaround until location/state supported. if (DrawInfo->dwDrawStage != CDDS_PREPAINT) return CDRF_DODEFAULT; switch (DrawInfo->dwDrawStage) { case CDDS_PREPAINT: { //REBARBANDINFO bandinfo = { sizeof(REBARBANDINFO), RBBIM_CHILD | RBBIM_STYLE | RBBIM_CHEVRONLOCATION | RBBIM_CHEVRONSTATE }; //BOOL havebandinfo = (BOOL)SendMessage(DrawInfo->hdr.hwndFrom, RB_GETBANDINFO, DrawInfo->dwItemSpec, (LPARAM)&bandinfo); SetTextColor(DrawInfo->hdc, PhThemeWindowTextColor); FillRect(DrawInfo->hdc, &DrawInfo->rc, PhThemeWindowBackgroundBrush); } return CDRF_NOTIFYITEMDRAW; case CDDS_ITEMPREPAINT: { } return CDRF_SKIPDEFAULT; } return CDRF_DODEFAULT; } LRESULT CALLBACK PhThemeWindowDrawToolbar( _In_ LPNMTBCUSTOMDRAW DrawInfo ) { switch (DrawInfo->nmcd.dwDrawStage) { case CDDS_PREPAINT: return CDRF_NOTIFYITEMDRAW | CDRF_NOTIFYPOSTPAINT; case CDDS_ITEMPREPAINT: { TBBUTTONINFO buttonInfo = { sizeof(TBBUTTONINFO), TBIF_STYLE | TBIF_COMMAND | TBIF_STATE | TBIF_IMAGE }; SetBkMode(DrawInfo->nmcd.hdc, TRANSPARENT); LONG dpiValue; INT bitmapWidth = 0; INT bitmapHeight = 0; ULONG currentIndex = (ULONG)SendMessage( DrawInfo->nmcd.hdr.hwndFrom, TB_COMMANDTOINDEX, DrawInfo->nmcd.dwItemSpec, 0 ); BOOLEAN isHighlighted = SendMessage( DrawInfo->nmcd.hdr.hwndFrom, TB_GETHOTITEM, 0, 0 ) == currentIndex; BOOLEAN isMouseDown = SendMessage( DrawInfo->nmcd.hdr.hwndFrom, TB_ISBUTTONPRESSED, DrawInfo->nmcd.dwItemSpec, 0 ) == 0; BOOLEAN isEnabled = SendMessage( DrawInfo->nmcd.hdr.hwndFrom, TB_ISBUTTONENABLED, DrawInfo->nmcd.dwItemSpec, 0 ) != 0; if (SendMessage( DrawInfo->nmcd.hdr.hwndFrom, TB_GETBUTTONINFO, (ULONG)DrawInfo->nmcd.dwItemSpec, (LPARAM)&buttonInfo ) == INT_ERROR) { break; } BOOLEAN isDropDown = !!(buttonInfo.fsStyle & BTNS_WHOLEDROPDOWN); //if (isMouseDown) //{ // SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); // SetDCBrushColor(DrawInfo->nmcd.hdc, RGB(0xff, 0xff, 0xff)); // FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhGetStockBrush(DC_BRUSH)); //} if (isHighlighted) { //INT stateId; //// Themed background //if (node->Selected) //{ // if (i == Context->HotNodeIndex) // stateId = TREIS_HOTSELECTED; // else if (!Context->HasFocus) // stateId = TREIS_SELECTEDNOTFOCUS; // else // stateId = TREIS_SELECTED; //} //else //{ // if (i == Context->HotNodeIndex) // stateId = TREIS_HOT; // else // stateId = INT_MAX; //} //// Themed background //if (stateId != INT_MAX) //if (!Context->FixedColumnVisible) //{ // rowRect.left = Context->NormalLeft - hScrollPosition; //} //switch (PhpThemeColorMode) //{ //case 0: // New colors // SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); // SetDCBrushColor(DrawInfo->nmcd.hdc, PhThemeWindowBackgroundColor); // FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhGetStockBrush(DC_BRUSH)); // break; //case 1: // Old colors // SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); // SetDCBrushColor(DrawInfo->nmcd.hdc, PhThemeWindowHighlightColor); // FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhGetStockBrush(DC_BRUSH)); // break; //} SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); SetDCBrushColor(DrawInfo->nmcd.hdc, PhThemeWindowHighlightColor); FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhGetStockBrush(DC_BRUSH)); } else { //switch (PhpThemeColorMode) //{ //case 0: // New colors // SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); // RGB(0x0, 0x0, 0x0)); // SetDCBrushColor(DrawInfo->nmcd.hdc, PhThemeWindowBackgroundColor); // GetSysColor(COLOR_3DFACE));// RGB(0xff, 0xff, 0xff)); // FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhGetStockBrush(DC_BRUSH)); // break; //case 1: // Old colors // SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); // SetDCBrushColor(DrawInfo->nmcd.hdc, PhThemeWindowBackgroundColor); //PhThemeWindowForegroundColor); // FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhGetStockBrush(DC_BRUSH)); // break; //} BOOLEAN isPressed = buttonInfo.fsState & TBSTATE_PRESSED; SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); // RGB(0x0, 0x0, 0x0)); //SetDCBrushColor(DrawInfo->nmcd.hdc, PhThemeWindowBackgroundColor); // GetSysColor(COLOR_3DFACE));// RGB(0xff, 0xff, 0xff)); if (!isPressed) FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhThemeWindowBackgroundBrush); else { SetDCBrushColor(DrawInfo->nmcd.hdc, RGB(0x60, 0x60, 0x60)); FillRect(DrawInfo->nmcd.hdc, &DrawInfo->nmcd.rc, PhGetStockBrush(DC_BRUSH)); } } dpiValue = PhGetWindowDpi(DrawInfo->nmcd.hdr.hwndFrom); SelectFont(DrawInfo->nmcd.hdc, GetWindowFont(DrawInfo->nmcd.hdr.hwndFrom)); if (buttonInfo.iImage != I_IMAGECALLBACK) { HIMAGELIST toolbarImageList; if (toolbarImageList = (HIMAGELIST)SendMessage( DrawInfo->nmcd.hdr.hwndFrom, TB_GETIMAGELIST, 0, 0 )) { LONG x; LONG y; PhImageListGetIconSize(toolbarImageList, &bitmapWidth, &bitmapHeight); if (buttonInfo.fsStyle & BTNS_SHOWTEXT) { DrawInfo->nmcd.rc.left += PhGetSystemMetrics(SM_CXEDGE, dpiValue); // PhGetDpi(5, dpiValue); x = DrawInfo->nmcd.rc.left;// + ((DrawInfo->nmcd.rc.right - DrawInfo->nmcd.rc.left) - PhSmallIconSize.X) / 2; y = DrawInfo->nmcd.rc.top + ((DrawInfo->nmcd.rc.bottom - DrawInfo->nmcd.rc.top) - bitmapHeight) / 2; } else { x = DrawInfo->nmcd.rc.left + ((DrawInfo->nmcd.rc.right - DrawInfo->nmcd.rc.left) - bitmapWidth) / 2 - (isDropDown * 4); y = DrawInfo->nmcd.rc.top + ((DrawInfo->nmcd.rc.bottom - DrawInfo->nmcd.rc.top) - bitmapHeight) / 2; } PhImageListDrawIcon( toolbarImageList, buttonInfo.iImage, DrawInfo->nmcd.hdc, x, y, ILD_NORMAL, !isEnabled ); if (isDropDown) { HDC hdc = DrawInfo->nmcd.hdc; LPRECT rc = &DrawInfo->nmcd.rc; int triangleLeft = rc->right - 11, triangleTop = (rc->bottom - rc->top) / 2 - 2; POINT vertices[] = { {triangleLeft, triangleTop}, {triangleLeft + 6, triangleTop}, {triangleLeft + 3, triangleTop + 3} }; SetDCPenColor(hdc, RGB(0xDE, 0xDE, 0xDE)); SetDCBrushColor(hdc, RGB(0xDE, 0xDE, 0xDE)); SelectPen(hdc, PhGetStockPen(DC_PEN)); SelectBrush(hdc, PhGetStockBrush(DC_BRUSH)); Polygon(hdc, vertices, _countof(vertices)); } //return CDRF_SKIPDEFAULT | CDRF_NOTIFYPOSTPAINT; } } else { return CDRF_DODEFAULT; // Required for I_IMAGECALLBACK (dmex) } if (buttonInfo.fsStyle & BTNS_SHOWTEXT) { RECT textRect = DrawInfo->nmcd.rc; WCHAR buttonText[MAX_PATH] = L""; SendMessage( DrawInfo->nmcd.hdr.hwndFrom, TB_GETBUTTONTEXT, (ULONG)DrawInfo->nmcd.dwItemSpec, (LPARAM)buttonText ); textRect.left += bitmapWidth - (isDropDown * 12); // PhGetDpi(10, dpiValue); DrawText( DrawInfo->nmcd.hdc, buttonText, (UINT)PhCountStringZ(buttonText), &textRect, DT_CENTER | DT_VCENTER | DT_SINGLELINE | DT_HIDEPREFIX ); } //DrawInfo->clrText = RGB(0x0, 0xff, 0); //return TBCDRF_USECDCOLORS | CDRF_NEWFONT; } return CDRF_SKIPDEFAULT; } return CDRF_DODEFAULT; } LRESULT CALLBACK PhpThemeWindowDrawListViewGroup( _In_ LPNMLVCUSTOMDRAW DrawInfo ) { switch (DrawInfo->nmcd.dwDrawStage) { case CDDS_PREPAINT: { LONG dpiValue = PhGetWindowDpi(DrawInfo->nmcd.hdr.hwndFrom); HFONT fontHandle = NULL; HFONT oldFontHandle = NULL; LVGROUP groupInfo; { NONCLIENTMETRICS metrics = { sizeof(NONCLIENTMETRICS) }; if (PhGetSystemParametersInfo(SPI_GETNONCLIENTMETRICS, sizeof(metrics), &metrics, dpiValue)) { metrics.lfMessageFont.lfHeight = PhGetDpi(-11, dpiValue); metrics.lfMessageFont.lfWeight = FW_BOLD; fontHandle = CreateFontIndirect(&metrics.lfMessageFont); } } SetBkMode(DrawInfo->nmcd.hdc, TRANSPARENT); //SelectFont(DrawInfo->nmcd.hdc, GetWindowFont(DrawInfo->nmcd.hdr.hwndFrom)); if (fontHandle) { oldFontHandle = SelectFont(DrawInfo->nmcd.hdc, fontHandle); } memset(&groupInfo, 0, sizeof(LVGROUP)); groupInfo.cbSize = sizeof(LVGROUP); groupInfo.mask = LVGF_HEADER; if (ListView_GetGroupInfo(DrawInfo->nmcd.hdr.hwndFrom, (ULONG)DrawInfo->nmcd.dwItemSpec, &groupInfo) != INT_ERROR) { SetTextColor(DrawInfo->nmcd.hdc, PhThemeWindowTextColor); SetDCBrushColor(DrawInfo->nmcd.hdc, PhThemeWindowBackground2Color); DrawInfo->rcText.top += PhGetDpi(2, dpiValue); DrawInfo->rcText.bottom -= PhGetDpi(2, dpiValue); FillRect(DrawInfo->nmcd.hdc, &DrawInfo->rcText, PhGetStockBrush(DC_BRUSH)); DrawInfo->rcText.top -= PhGetDpi(2, dpiValue); DrawInfo->rcText.bottom += PhGetDpi(2, dpiValue); if (groupInfo.pszHeader) { DrawInfo->rcText.left += PhGetDpi(10, dpiValue); DrawText( DrawInfo->nmcd.hdc, groupInfo.pszHeader, (UINT)PhCountStringZ(groupInfo.pszHeader), &DrawInfo->rcText, DT_LEFT | DT_VCENTER | DT_SINGLELINE | DT_HIDEPREFIX ); DrawInfo->rcText.left -= PhGetDpi(10, dpiValue); } } if (oldFontHandle) { SelectFont(DrawInfo->nmcd.hdc, oldFontHandle); } if (fontHandle) { DeleteFont(fontHandle); } } return CDRF_SKIPDEFAULT; } return CDRF_DODEFAULT; } LRESULT CALLBACK PhpThemeWindowSubclassProc( _In_ HWND hWnd, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { WNDPROC oldWndProc; if (!(oldWndProc = PhGetWindowContext(hWnd, LONG_MAX))) return FALSE; switch (uMsg) { case WM_NCDESTROY: { PhRemoveWindowContext(hWnd, LONG_MAX); SetWindowLongPtr(hWnd, GWLP_WNDPROC, (LONG_PTR)oldWndProc); } break; case WM_NOTIFY: { LPNMHDR data = (LPNMHDR)lParam; switch (data->code) { case NM_CUSTOMDRAW: { LPNMCUSTOMDRAW customDraw = (LPNMCUSTOMDRAW)lParam; WCHAR className[MAX_PATH]; if (!GetClassName(customDraw->hdr.hwndFrom, className, RTL_NUMBER_OF(className))) className[0] = UNICODE_NULL; if (PhEqualStringZ(className, WC_BUTTON, FALSE)) { return PhThemeWindowDrawButton(customDraw); } else if (PhEqualStringZ(className, REBARCLASSNAME, FALSE)) { return PhThemeWindowDrawRebar(customDraw); } else if (PhEqualStringZ(className, TOOLBARCLASSNAME, FALSE)) { return PhThemeWindowDrawToolbar((LPNMTBCUSTOMDRAW)customDraw); } else if (PhEqualStringZ(className, WC_LISTVIEW, FALSE)) { LPNMLVCUSTOMDRAW listViewCustomDraw = (LPNMLVCUSTOMDRAW)customDraw; if (listViewCustomDraw->dwItemType == LVCDI_GROUP) { return PhpThemeWindowDrawListViewGroup(listViewCustomDraw); } } else { //dprintf("NM_CUSTOMDRAW: %S\r\n", className); } } } } break; case WM_CTLCOLOREDIT: { HDC hdc = (HDC)wParam; //Fix typing in multiline edit (Dart Vanya) if (PhGetWindowStyle((HWND)lParam) & ES_MULTILINE) SetBkColor(hdc, PhThemeWindowBackground2Color); else SetBkMode(hdc, TRANSPARENT); SetTextColor(hdc, PhThemeWindowTextColor); SetDCBrushColor(hdc, PhThemeWindowBackground2Color); return (INT_PTR)PhGetStockBrush(DC_BRUSH); } break; case WM_CTLCOLORBTN: case WM_CTLCOLORDLG: case WM_CTLCOLORSTATIC: case WM_CTLCOLORLISTBOX: { HDC hdc = (HDC)wParam; if (uMsg == WM_CTLCOLORBTN) // for correct drawing of system KEYBOARDCUES SetBkColor(hdc, PhThemeWindowBackground2Color); else SetBkMode(hdc, TRANSPARENT); SetTextColor(hdc, PhThemeWindowTextColor); return (INT_PTR)PhThemeWindowBackgroundBrush; } break; case WM_MEASUREITEM: if (PhThemeWindowMeasureItem(hWnd, (LPMEASUREITEMSTRUCT)lParam)) return TRUE; break; case WM_DRAWITEM: if (PhThemeWindowDrawItem(hWnd, (LPDRAWITEMSTRUCT)lParam)) return TRUE; break; case WM_NCPAINT: case WM_NCACTIVATE: { LRESULT result = CallWindowProc(oldWndProc, hWnd, uMsg, wParam, lParam); PhWindowThemeMainMenuBorder(hWnd); return result; } break; } return CallWindowProc(oldWndProc, hWnd, uMsg, wParam, lParam); } VOID ThemeWindowRenderGroupBoxControl( _In_ HWND WindowHandle, _In_ HDC bufferDc, _In_ PRECT clientRect, _In_ WNDPROC WindowProcedure ) { ULONG returnLength; WCHAR text[0x80]; LONG dpiValue; SetBkMode(bufferDc, TRANSPARENT); SelectFont(bufferDc, GetWindowFont(WindowHandle)); SetDCBrushColor(bufferDc, PhThemeWindowBackground2Color); FrameRect(bufferDc, clientRect, PhGetStockBrush(DC_BRUSH)); dpiValue = PhGetWindowDpi(WindowHandle); if (NT_SUCCESS(PhGetWindowTextToBuffer(WindowHandle, PH_GET_WINDOW_TEXT_INTERNAL, text, RTL_NUMBER_OF(text), &returnLength))) { SIZE nameSize = { 0 }; RECT bufferRect; GetTextExtentPoint32( bufferDc, text, returnLength, &nameSize ); bufferRect.left = 0; bufferRect.top = 0; bufferRect.right = clientRect->right; bufferRect.bottom = nameSize.cy; SetTextColor(bufferDc, PhThemeWindowTextColor); SetDCBrushColor(bufferDc, PhThemeWindowBackground2Color); FillRect(bufferDc, &bufferRect, PhGetStockBrush(DC_BRUSH)); bufferRect.left += PhGetDpi(10, dpiValue); DrawText( bufferDc, text, returnLength, &bufferRect, DT_LEFT | DT_END_ELLIPSIS | DT_SINGLELINE ); bufferRect.left -= PhGetDpi(10, dpiValue); } } LRESULT CALLBACK PhpThemeWindowGroupBoxSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { WNDPROC oldWndProc; if (!(oldWndProc = PhGetWindowContext(WindowHandle, LONG_MAX))) return FALSE; switch (uMsg) { case WM_NCDESTROY: { SetWindowLongPtr(WindowHandle, GWLP_WNDPROC, (LONG_PTR)oldWndProc); PhRemoveWindowContext(WindowHandle, LONG_MAX); } break; case WM_ERASEBKGND: { HDC hdc = (HDC)wParam; RECT clientRect; if (!PhGetClientRect(WindowHandle, &clientRect)) break; ThemeWindowRenderGroupBoxControl(WindowHandle, hdc, &clientRect, oldWndProc); } return TRUE; case WM_ENABLE: if (!wParam) // fix drawing when window visible and switches to disabled return 0; break; case WM_PAINT: { PAINTSTRUCT ps; BeginPaint(WindowHandle, &ps); EndPaint(WindowHandle, &ps); } return 0; } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); } VOID ThemeWindowRenderTabControl( _In_ PPHP_THEME_WINDOW_TAB_CONTEXT Context, _In_ HWND WindowHandle, _In_ HDC bufferDc, _In_ PRECT clientRect, _In_ WNDPROC WindowProcedure ) { //RECT windowRect; //GetWindowRect(WindowHandle, &windowRect); //CallWindowProc(WindowProcedure, WindowHandle, WM_PRINTCLIENT, (WPARAM)bufferDc, PRF_CLIENT); //TabCtrl_AdjustRect(WindowHandle, FALSE, clientRect); // Make sure we don't paint in the client area. //ExcludeClipRect(bufferDc, clientRect->left, clientRect->top, clientRect->right, clientRect->bottom); //windowRect.right -= windowRect.left; //windowRect.bottom -= windowRect.top; //windowRect.left = 0; //windowRect.top = 0; //clientRect->left = windowRect.left; //clientRect->top = windowRect.top; //clientRect->right = windowRect.right; //clientRect->bottom = windowRect.bottom; SetBkMode(bufferDc, TRANSPARENT); SelectFont(bufferDc, GetWindowFont(WindowHandle)); SetTextColor(bufferDc, PhThemeWindowTextColor); FillRect(bufferDc, clientRect, PhThemeWindowBackgroundBrush); //switch (PhpThemeColorMode) //{ //case 0: // New colors // { // //SetTextColor(DrawInfo->hdc, RGB(0x0, 0x0, 0x0)); // //SetDCBrushColor(DrawInfo->hdc, GetSysColor(COLOR_3DFACE)); // RGB(0xff, 0xff, 0xff)); // } // break; //case 1: // Old colors // { // //SetTextColor(DrawInfo->hdc, RGB(0xff, 0xff, 0xff)); // //SetDCBrushColor(DrawInfo->hdc, PhThemeWindowBackground2Color); // } // break; //} //switch (PhpThemeColorMode) //{ //case 0: // New colors // //SetTextColor(hdc, RGB(0x0, 0xff, 0x0)); // SetDCBrushColor(hdc, GetSysColor(COLOR_3DFACE));// PhThemeWindowTextColor); // FillRect(hdc, &clientRect, PhGetStockBrush(DC_BRUSH)); // break; //case 1: // Old colors // //SetTextColor(hdc, PhThemeWindowTextColor); // SetDCBrushColor(hdc, RPhThemeWindowBackground2Color); // FillRect(hdc, &clientRect, PhGetStockBrush(DC_BRUSH)); // break; //} INT currentSelection = TabCtrl_GetCurSel(WindowHandle); INT count = TabCtrl_GetItemCount(WindowHandle); RECT itemRect = { 0 }; //RECT itemRectHighlighted; //INT itemHighlighted = INT_ERROR; INT headerBottom; INT oldTop; oldTop = clientRect->top; TabCtrl_GetItemRect(WindowHandle, 0, &itemRect); clientRect->top += (itemRect.bottom - itemRect.top) * TabCtrl_GetRowCount(WindowHandle) + 2; //SetDCBrushColor(bufferDc, PhThemeWindowBackground2Color); //FrameRect(bufferDc, clientRect, PhGetStockBrush(DC_BRUSH)); headerBottom = clientRect->top; clientRect->top = oldTop; TCITEM tabItem; WCHAR tabHeaderText[MAX_PATH] = L""; memset(&tabItem, 0, sizeof(TCITEM)); tabItem.mask = TCIF_TEXT | TCIF_IMAGE | TCIF_STATE; tabItem.dwStateMask = TCIS_BUTTONPRESSED | TCIS_HIGHLIGHTED; tabItem.cchTextMax = RTL_NUMBER_OF(tabHeaderText); tabItem.pszText = tabHeaderText; for (INT i = 0; i < count; i++) { if (i == currentSelection) continue; TabCtrl_GetItemRect(WindowHandle, i, &itemRect); PhOffsetRect(&itemRect, 2, 2); itemRect.bottom += itemRect.bottom + 1 < headerBottom ? 1 : -1; itemRect.right += itemRect.right + 1 < clientRect->right; if (PhPtInRect(&itemRect, &Context->CursorPos)) { //switch (PhpThemeColorMode) //{ //case 0: // New colors // { // if (currentSelection == i) // { // SetTextColor(bufferDc, RGB(0xff, 0xff, 0xff)); // SetDCBrushColor(bufferDc, PhThemeWindowHighlightColor); // FillRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); // } // else // { // SetTextColor(bufferDc, PhThemeWindowTextColor); // SetDCBrushColor(bufferDc, PhThemeWindowBackgroundColor); // FillRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); // } // } // break; //case 1: // Old colors //SetTextColor(bufferDc, PhThemeWindowTextColor); SetDCBrushColor(bufferDc, PhThemeWindowHighlightColor); FillRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); //itemRectHighlighted = itemRect; //itemHighlighted = i; //continue; } else { //switch (PhpThemeColorMode) //{ //case 0: // New colors // { // if (currentSelection == i) // { // SetTextColor(bufferDc, RGB(0x0, 0x0, 0x0)); // SetDCBrushColor(bufferDc, RGB(0xff, 0xff, 0xff)); // FillRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); // } // else // { // SetTextColor(bufferDc, RGB(0, 0, 0)); // SetDCBrushColor(bufferDc, GetSysColor(COLOR_3DFACE));// PhThemeWindowTextColor); // FillRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); // } // } // break; //case 1: // Old colors { // SetTextColor(bufferDc, PhThemeWindowTextColor); SetDCBrushColor(bufferDc, PhThemeWindowBackgroundColor); FillRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); //SetDCBrushColor(bufferDc, PhThemeWindowBackground2Color); //FrameRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); } } { if (TabCtrl_GetItem(WindowHandle, i, &tabItem)) { DrawText( bufferDc, tabItem.pszText, (UINT)PhCountStringZ(tabItem.pszText), &itemRect, DT_CENTER | DT_VCENTER | DT_SINGLELINE | DT_HIDEPREFIX ); } } } { TabCtrl_GetItemRect(WindowHandle, currentSelection, &itemRect); PhOffsetRect(&itemRect, 2, 2); itemRect.bottom += itemRect.bottom + 1 < headerBottom ? 1 : -1; itemRect.right += itemRect.right + 1 < clientRect->right; PhInflateRect(&itemRect, 1, 1); // draw selected tab slightly bigger itemRect.bottom -= 1; SetDCBrushColor(bufferDc, PhPtInRect(&itemRect, &Context->CursorPos) ? PhThemeWindowHighlightColor : RGB(0x50, 0x50, 0x50)); FillRect(bufferDc, &itemRect, PhGetStockBrush(DC_BRUSH)); if (TabCtrl_GetItem(WindowHandle, currentSelection, &tabItem)) { DrawText( bufferDc, tabItem.pszText, (UINT)PhCountStringZ(tabItem.pszText), &itemRect, DT_CENTER | DT_VCENTER | DT_SINGLELINE | DT_HIDEPREFIX ); } //if (itemHighlighted != INT_ERROR) //{ // SetDCBrushColor(bufferDc, PhThemeWindowHighlightColor); // FillRect(bufferDc, &itemRectHighlighted, PhGetStockBrush(DC_BRUSH)); // if (TabCtrl_GetItem(WindowHandle, itemHighlighted, &tabItem)) // { // DrawText( // bufferDc, // tabItem.pszText, // (UINT)PhCountStringZ(tabItem.pszText), // &itemRectHighlighted, // DT_CENTER | DT_VCENTER | DT_SINGLELINE | DT_HIDEPREFIX // ); // } //} } } LRESULT CALLBACK PhpThemeWindowTabControlWndSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_THEME_WINDOW_TAB_CONTEXT context; WNDPROC oldWndProc; if (!(context = PhGetWindowContext(WindowHandle, LONG_MAX))) return FALSE; oldWndProc = context->DefaultWindowProc; switch (uMsg) { case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, LONG_MAX); SetWindowLongPtr(WindowHandle, GWLP_WNDPROC, (LONG_PTR)oldWndProc); PhFree(context); } break; case WM_ERASEBKGND: return TRUE; case WM_MOUSEMOVE: { //INT count; //INT i; // //count = TabCtrl_GetItemCount(WindowHandle); // //for (i = 0; i < count; i++) //{ // RECT rect = { 0, 0, 0, 0 }; // TCITEM entry = // { // TCIF_STATE, // 0, // TCIS_HIGHLIGHTED // }; // // TabCtrl_GetItemRect(WindowHandle, i, &rect); // entry.dwState = PhPtInRect(&rect, context->CursorPos) ? TCIS_HIGHLIGHTED : 0; // TabCtrl_SetItem(WindowHandle, i, &entry); //} if (!context->MouseActive) { TRACKMOUSEEVENT trackEvent = { sizeof(TRACKMOUSEEVENT), TME_LEAVE, WindowHandle, 0 }; TrackMouseEvent(&trackEvent); context->MouseActive = TRUE; } context->CursorPos.x = GET_X_LPARAM(lParam); context->CursorPos.y = GET_Y_LPARAM(lParam); InvalidateRect(WindowHandle, NULL, FALSE); } break; case WM_MOUSELEAVE: { //INT count; //INT i; // //count = TabCtrl_GetItemCount(WindowHandle); // //for (i = 0; i < count; i++) //{ // TCITEM entry = // { // TCIF_STATE, // 0, // TCIS_HIGHLIGHTED // }; // // TabCtrl_SetItem(WindowHandle, i, &entry); //} context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; context->MouseActive = FALSE; InvalidateRect(WindowHandle, NULL, FALSE); } break; case WM_PAINT: { //PAINTSTRUCT ps; //HDC BufferedHDC; //HPAINTBUFFER BufferedPaint; // //if (!BeginPaint(WindowHandle, &ps)) // break; // //DEBUG_BEGINPAINT_RECT(WindowHandle, ps.rcPaint); // //{ // RECT clientRect; // GetClientRect(WindowHandle, &clientRect); // //CallWindowProc(oldWndProc, WindowHandle, WM_PAINT, wParam, lParam); // TabCtrl_AdjustRect(WindowHandle, FALSE, &clientRect); // ExcludeClipRect(ps.hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom); //} // //if (BufferedPaint = BeginBufferedPaint(ps.hdc, &ps.rcPaint, BPBF_COMPATIBLEBITMAP, NULL, &BufferedHDC)) //{ // ThemeWindowRenderTabControl(context, WindowHandle, BufferedHDC, &ps.rcPaint, oldWndProc); // EndBufferedPaint(BufferedPaint, TRUE); //} //else { RECT clientRect; HDC hdc; HDC bufferDc; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; if (!PhGetClientRect(WindowHandle, &clientRect)) break; hdc = GetDC(WindowHandle); bufferDc = CreateCompatibleDC(hdc); bufferBitmap = CreateCompatibleBitmap(hdc, clientRect.right, clientRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); { RECT clientRect2 = clientRect; TabCtrl_AdjustRect(WindowHandle, FALSE, &clientRect2); ExcludeClipRect(hdc, clientRect2.left, clientRect2.top, clientRect2.right, clientRect2.bottom); } ThemeWindowRenderTabControl(context, WindowHandle, bufferDc, &clientRect, oldWndProc); BitBlt(hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom, bufferDc, 0, 0, SRCCOPY); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); ReleaseDC(WindowHandle, hdc); } //EndPaint(WindowHandle, &ps); } goto DefaultWndProc; } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); DefaultWndProc: return DefWindowProc(WindowHandle, uMsg, wParam, lParam); } LRESULT CALLBACK PhpThemeWindowListBoxControlSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_THEME_WINDOW_STATUSBAR_CONTEXT context; WNDPROC oldWndProc; if (!(context = PhGetWindowContext(WindowHandle, LONG_MAX))) return FALSE; oldWndProc = context->DefaultWindowProc; switch (uMsg) { case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, LONG_MAX); SetWindowLongPtr(WindowHandle, GWLP_WNDPROC, (LONG_PTR)oldWndProc); } break; //case WM_MOUSEMOVE: //case WM_NCMOUSEMOVE: // { // POINT windowPoint; // RECT windowRect; // // GetCursorPos(&windowPoint); // GetWindowRect(WindowHandle, &windowRect); // context->Hot = PhPtInRect(&windowRect, windowPoint); // // if (!context->HotTrack) // { // TRACKMOUSEEVENT trackMouseEvent; // trackMouseEvent.cbSize = sizeof(TRACKMOUSEEVENT); // trackMouseEvent.dwFlags = TME_LEAVE; // trackMouseEvent.hwndTrack = WindowHandle; // trackMouseEvent.dwHoverTime = 0; // // context->HotTrack = TRUE; // // TrackMouseEvent(&trackMouseEvent); // } // // RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); // } // break; //case WM_MOUSELEAVE: //case WM_NCMOUSELEAVE: // { // POINT windowPoint; // RECT windowRect; // // context->HotTrack = FALSE; // // GetCursorPos(&windowPoint); // GetWindowRect(WindowHandle, &windowRect); // context->Hot = PhPtInRect(&windowRect, windowPoint); // // RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); // } // break; //case WM_CAPTURECHANGED: // { // POINT windowPoint; // RECT windowRect; // // GetCursorPos(&windowPoint); // GetWindowRect(WindowHandle, &windowRect); // context->Hot = PhPtInRect(&windowRect, windowPoint); // // RedrawWindow(WindowHandle, NULL, NULL, RDW_FRAME | RDW_INVALIDATE); // } // break; case WM_NCCALCSIZE: { LPNCCALCSIZE_PARAMS ncCalcSize = (NCCALCSIZE_PARAMS*)lParam; CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); PhInflateRect(&ncCalcSize->rgrc[0], 1, 1); } return 0; case WM_NCPAINT: { HDC hdc; ULONG flags; RECT clientRect; RECT windowRect; HRGN updateRegion; LONG dpiValue = PhGetWindowDpi(WindowHandle); INT cxEdge = PhGetSystemMetrics(SM_CXEDGE, dpiValue); INT cyEdge = PhGetSystemMetrics(SM_CYEDGE, dpiValue); updateRegion = (HRGN)wParam; if (!PhGetWindowRect(WindowHandle, &windowRect)) break; // draw the scrollbar without the border. { HRGN rectregion = CreateRectRgn( windowRect.left + cxEdge, windowRect.top + cyEdge, windowRect.right - cxEdge, windowRect.bottom - cyEdge ); if (updateRegion != HRGN_FULL) CombineRgn(rectregion, rectregion, updateRegion, RGN_AND); DefWindowProc(WindowHandle, WM_NCPAINT, (WPARAM)rectregion, 0); DeleteRgn(rectregion); } if (updateRegion == HRGN_FULL) updateRegion = NULL; flags = DCX_WINDOW | DCX_CACHE | DCX_USESTYLE; if (updateRegion) flags |= DCX_INTERSECTRGN | DCX_NODELETERGN; if (hdc = GetDCEx(WindowHandle, updateRegion, flags)) { PhOffsetRect(&windowRect, -windowRect.left, -windowRect.top); clientRect = windowRect; clientRect.left += cxEdge; clientRect.top += cyEdge; clientRect.right -= cxEdge; clientRect.bottom -= cyEdge; { SCROLLBARINFO scrollInfo = { sizeof(SCROLLBARINFO) }; if (GetScrollBarInfo(WindowHandle, OBJID_VSCROLL, &scrollInfo)) { if ((scrollInfo.rgstate[0] & STATE_SYSTEM_INVISIBLE) == 0) { clientRect.right -= PhGetSystemMetrics(SM_CXVSCROLL, dpiValue); } } } ExcludeClipRect(hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom); if (context->Hot) { SetDCBrushColor(hdc, PhThemeWindowHighlightColor); FrameRect(hdc, &windowRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(hdc, PhThemeWindowBackground2Color); FrameRect(hdc, &windowRect, GetSysColorBrush(COLOR_WINDOWFRAME)); } ReleaseDC(WindowHandle, hdc); return TRUE; } } break; } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); } VOID ThemeWindowRenderComboBox( _In_ PPHP_THEME_WINDOW_COMBO_CONTEXT Context, _In_ HWND WindowHandle, _In_ HDC bufferDc, _In_ PRECT clientRect, _In_ WNDPROC WindowProcedure ) { RECT bufferRect = { 0, 0, clientRect->right - clientRect->left, clientRect->bottom - clientRect->top }; ULONG windowStyle = PhGetWindowStyle(WindowHandle); //BOOLEAN isFocused = GetFocus() == WindowHandle; SetBkMode(bufferDc, TRANSPARENT); SelectFont(bufferDc, CallWindowProc(WindowProcedure, WindowHandle, WM_GETFONT, 0, 0)); SetDCBrushColor(bufferDc, PhThemeWindowBackground2Color); FillRect(bufferDc, clientRect, PhGetStockBrush(DC_BRUSH)); if (PhPtInRect(clientRect, &Context->CursorPos)) { SetDCBrushColor(bufferDc, PhThemeWindowHighlight2Color); // RGB(0, 120, 212) : RGB(68, 68, 68)); } else { SetDCBrushColor(bufferDc, GetSysColor(COLOR_WINDOWFRAME));// RGB(0, 120, 212) : RGB(68, 68, 68)); } SetTextColor(bufferDc, PhThemeWindowTextColor); FrameRect(bufferDc, clientRect, PhGetStockBrush(DC_BRUSH)); if (Context->ThemeHandle) { SIZE dropdownSize = { 0 }; PhGetThemePartSize( Context->ThemeHandle, bufferDc, CP_DROPDOWNBUTTONRIGHT, CBXSR_NORMAL, NULL, THEMEPARTSIZE_TRUE, &dropdownSize ); bufferRect.left = clientRect->right - dropdownSize.cy; PhDrawThemeBackground( Context->ThemeHandle, bufferDc, CP_DROPDOWNBUTTONRIGHT, CBXSR_DISABLED, &bufferRect, NULL ); bufferRect.left = 0; } else { DrawFrameControl(bufferDc, &bufferRect, DFC_SCROLL, DFCS_SCROLLDOWN); } if ((windowStyle & CBS_DROPDOWNLIST) == CBS_DROPDOWNLIST) { INT index = ComboBox_GetCurSel(WindowHandle); if (index == CB_ERR) return; INT length = ComboBox_GetLBTextLen(WindowHandle, index); if (length == CB_ERR) return; if (length < MAX_PATH) { WCHAR comboText[MAX_PATH] = L""; if (ComboBox_GetLBText(WindowHandle, index, comboText) == CB_ERR) return; bufferRect.left += 5; bufferRect.right -= 15; // info.rcItem.right DrawText( bufferDc, comboText, (UINT)PhCountStringZ(comboText), &bufferRect, DT_LEFT | DT_VCENTER | DT_SINGLELINE | DT_END_ELLIPSIS ); } } } VOID ThemeWindowComboBoxExcludeRect( _In_ PPHP_THEME_WINDOW_COMBO_CONTEXT Context, _In_ HWND WindowHandle, _In_ HDC Hdc, _In_ PRECT clientRect, _In_ WNDPROC WindowProcedure ) { ULONG windowStyle = PhGetWindowStyle(WindowHandle); if ((windowStyle & CBS_DROPDOWNLIST) != CBS_DROPDOWNLIST || (windowStyle & CBS_DROPDOWN) != CBS_DROPDOWN) { COMBOBOXINFO info = { sizeof(COMBOBOXINFO) }; if (CallWindowProc(WindowProcedure, WindowHandle, CB_GETCOMBOBOXINFO, 0, (LPARAM)&info)) { //INT borderSize = 0; //if (Context->ThemeHandle) //{ // if (PhGetThemeInt(Context->ThemeHandle, 0, 0, TMT_BORDERSIZE, &borderSize)) // { // borderSize = borderSize * 2; // } //} ExcludeClipRect( Hdc, info.rcItem.left, info.rcItem.top, info.rcItem.right, info.rcItem.bottom ); } } } LRESULT CALLBACK PhpThemeWindowComboBoxControlSubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPHP_THEME_WINDOW_COMBO_CONTEXT context; WNDPROC oldWndProc; if (!(context = PhGetWindowContext(WindowHandle, LONG_MAX))) return FALSE; oldWndProc = context->DefaultWindowProc; switch (uMsg) { case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, LONG_MAX); SetWindowLongPtr(WindowHandle, GWLP_WNDPROC, (LONG_PTR)oldWndProc); if (context->ThemeHandle) { PhCloseThemeData(context->ThemeHandle); } PhFree(context); } break; case WM_THEMECHANGED: { if (context->ThemeHandle) { PhCloseThemeData(context->ThemeHandle); context->ThemeHandle = NULL; } context->ThemeHandle = PhOpenThemeData(WindowHandle, VSCLASS_COMBOBOX, PhGetWindowDpi(WindowHandle)); } break; case WM_ERASEBKGND: return TRUE; case WM_MOUSEMOVE: { context->CursorPos.x = GET_X_LPARAM(lParam); context->CursorPos.y = GET_Y_LPARAM(lParam); } break; case WM_MOUSELEAVE: { context->CursorPos.x = LONG_MIN; context->CursorPos.y = LONG_MIN; } break; case WM_PAINT: { //PAINTSTRUCT ps; //HDC BufferedHDC; //HPAINTBUFFER BufferedPaint; // //if (!BeginPaint(WindowHandle, &ps)) // break; // //DEBUG_BEGINPAINT_RECT(WindowHandle, ps.rcPaint); // //if (BufferedPaint = BeginBufferedPaint(ps.hdc, &ps.rcPaint, BPBF_COMPATIBLEBITMAP, NULL, &BufferedHDC)) //{ // ThemeWindowComboBoxExcludeRect(WindowHandle, ps.hdc, &ps.rcPaint, oldWndProc, context); // ThemeWindowRenderComboBox(WindowHandle, BufferedHDC, &ps.rcPaint, oldWndProc, context); // EndBufferedPaint(BufferedPaint, TRUE); //} //else { RECT clientRect; HDC hdc; HDC bufferDc; HBITMAP bufferBitmap; HBITMAP oldBufferBitmap; if (!PhGetClientRect(WindowHandle, &clientRect)) break; hdc = GetDC(WindowHandle); bufferDc = CreateCompatibleDC(hdc); bufferBitmap = CreateCompatibleBitmap(hdc, clientRect.right, clientRect.bottom); oldBufferBitmap = SelectBitmap(bufferDc, bufferBitmap); ThemeWindowComboBoxExcludeRect(context, WindowHandle, hdc, &clientRect, oldWndProc); ThemeWindowRenderComboBox(context, WindowHandle, bufferDc, &clientRect, oldWndProc); BitBlt(hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom, bufferDc, 0, 0, SRCCOPY); SelectBitmap(bufferDc, oldBufferBitmap); DeleteBitmap(bufferBitmap); DeleteDC(bufferDc); ReleaseDC(WindowHandle, hdc); } //EndPaint(WindowHandle, &ps); } goto DefaultWndProc; } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); DefaultWndProc: return DefWindowProc(WindowHandle, uMsg, wParam, lParam); } LRESULT CALLBACK PhpThemeWindowACLUISubclassProc( _In_ HWND WindowHandle, _In_ UINT uMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { WNDPROC oldWndProc; if (!(oldWndProc = PhGetWindowContext(WindowHandle, LONG_MAX))) return FALSE; switch (uMsg) { case WM_VSCROLL: case WM_MOUSEWHEEL: InvalidateRect(WindowHandle, NULL, FALSE); break; case WM_NOTIFY: { LPNMHDR data = (LPNMHDR)lParam; if (data->code == NM_CUSTOMDRAW) { LPNMCUSTOMDRAW customDraw = (LPNMCUSTOMDRAW)lParam; WCHAR className[MAX_PATH]; if (customDraw->dwDrawStage == CDDS_PREPAINT && !(customDraw->uItemState & CDIS_FOCUS)) { if (!GetClassName(customDraw->hdr.hwndFrom, className, RTL_NUMBER_OF(className))) className[0] = UNICODE_NULL; if (PhEqualStringZ(className, WC_BUTTON, FALSE)) { HDC hdc = GetDC(WindowHandle); RECT rectControl = customDraw->rc; PhInflateRect(&rectControl, 2, 2); MapWindowRect(customDraw->hdr.hwndFrom, WindowHandle, &rectControl); FillRect(hdc, &rectControl, PhThemeWindowBackgroundBrush); // fix the annoying white border left by the previous active control ReleaseDC(WindowHandle, hdc); } } } } break; case WM_NCDESTROY: { PhRemoveWindowContext(WindowHandle, LONG_MAX); SetWindowLongPtr(WindowHandle, GWLP_WNDPROC, (LONG_PTR)oldWndProc); } break; case WM_ERASEBKGND: { HDC hdc = (HDC)wParam; RECT clientRect; GetClipBox(hdc, &clientRect); FillRect(hdc, &clientRect, PhThemeWindowBackgroundBrush); } return TRUE; case WM_CTLCOLORSTATIC: { HDC hdc = (HDC)wParam; SetBkMode(hdc, TRANSPARENT); SetTextColor(hdc, PhThemeWindowTextColor); return (INT_PTR)PhThemeWindowBackgroundBrush; } } return CallWindowProc(oldWndProc, WindowHandle, uMsg, wParam, lParam); } ================================================ FILE: phlib/treenew.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2011-2016 * dmex 2017-2023 * */ /* * The tree new is a tree view with columns. Unlike the old tree list control, which was a wrapper * around the list view control, this control was written from scratch. * * Current issues not included in any comments: * * Adding, removing or changing columns does not cause invalidation. * * It is not possible to change a column to make it fixed. The current fixed column must be * removed and the new fixed column must then be added. * * When there are no visible normal columns, the space usually occupied by the normal column * headers is filled with a solid background color. We should catch this and paint the usual * themed background there instead. * * It is not possible to update any TN_STYLE_* flags after the control is created. * * Possible additions: * * More flexible mouse input callbacks to allow custom controls inside columns. * * Allow custom drawn columns to customize their behaviour when TN_FLAG_ITEM_DRAG_SELECT is set * (e.g. disable drag selection over certain areas). * * Virtual mode */ #include #include #include #include #include /** * Initializes the treenew window class. * \return RTL_ATOM Returns an atom representing the initialized window class. */ RTL_ATOM PhTreeNewInitialization( VOID ) { WNDCLASSEX wcex; memset(&wcex, 0, sizeof(WNDCLASSEX)); wcex.cbSize = sizeof(WNDCLASSEX); wcex.style = CS_DBLCLKS | CS_GLOBALCLASS; wcex.lpfnWndProc = PhTnpWndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = sizeof(PVOID); wcex.hInstance = NtCurrentImageBase(); wcex.hCursor = PhLoadCursor(NULL, IDC_ARROW); wcex.lpszClassName = PH_TREENEW_CLASSNAME; return RegisterClassEx(&wcex); } /** * Window procedure for the treenew control. * * \param WindowHandle Handle to the window receiving the message. * \param WindowMessage The message identifier. * \param wParam Additional message-specific information (depends on the message). * \param lParam Additional message-specific information (depends on the message). * \return The result of the message processing (depends on the message). */ LRESULT CALLBACK PhTnpWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_TREENEW_CONTEXT context; if (WindowMessage == WM_NCCREATE) { context = PhTnpCreateTreeNewContext(); PhSetWindowContextEx(WindowHandle, context); } else { context = PhGetWindowContextEx(WindowHandle); } if (!context) return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); if (context->Tracking && (GetAsyncKeyState(VK_ESCAPE) & 0x1)) { PhTnpCancelTrack(context); } // Note: if we have suspended restructuring, we *cannot* access any nodes, because all node // pointers are now invalid. Below, we disable all input. switch (WindowMessage) { case WM_CREATE: { if (!PhTnpOnCreate(WindowHandle, context, (CREATESTRUCT *)lParam)) return -1; } return 0; case WM_DESTROY: { context->Callback(WindowHandle, TreeNewDestroying, NULL, NULL, context->CallbackContext); } return 0; case WM_NCDESTROY: { PhRemoveWindowContextEx(WindowHandle); PhTnpDestroyTreeNewContext(context); } return 0; case WM_SIZE: { PhTnpOnSize(WindowHandle, context); } break; case WM_ERASEBKGND: return TRUE; case WM_PAINT: { PhTnpOnPaint(WindowHandle, context); } return 0; case WM_PRINTCLIENT: { if (!context->SuspendUpdateStructure) PhTnpOnPrintClient(WindowHandle, context, (HDC)wParam, (ULONG)lParam); } return 0; case WM_NCPAINT: { if (PhTnpOnNcPaint(WindowHandle, context, (HRGN)wParam)) return 0; } break; case WM_GETFONT: return (LRESULT)context->Font; case WM_SETFONT: { PhTnpOnSetFont(WindowHandle, context, (HFONT)wParam, LOWORD(lParam)); } break; case WM_STYLECHANGED: { PhTnpOnStyleChanged(WindowHandle, context, (LONG)wParam, (STYLESTRUCT *)lParam); } break; case WM_SETTINGCHANGE: { PhTnpOnSettingChange(WindowHandle, context); } break; case WM_THEMECHANGED: { PhTnpOnThemeChanged(WindowHandle, context); } break; case WM_DPICHANGED_AFTERPARENT: { PhTnpOnDpiChanged(WindowHandle, context); } break; case WM_GETDLGCODE: { return PhTnpOnGetDlgCode(WindowHandle, context, (ULONG)wParam, (PMSG)lParam); } break; case WM_ACTIVATE: { if (LOWORD(wParam) == WA_INACTIVE) { // Hide tooltip when window is deactivated PhTnpPopTooltip(context); } } break; case WM_SETFOCUS: { context->HasFocus = TRUE; InvalidateRect(context->Handle, NULL, FALSE); } return 0; case WM_KILLFOCUS: { //if (!context->ContextMenuActive && !(context->Style & TN_STYLE_ALWAYS_SHOW_SELECTION)) // PhTnpSelectRange(context, -1, -1, TN_SELECT_RESET, NULL, NULL); context->HasFocus = FALSE; // Immediately hide tooltip on focus loss. PhTnpPopTooltip(context); InvalidateRect(context->Handle, NULL, FALSE); } return 0; case WM_SETCURSOR: { if (PhTnpOnSetCursor(WindowHandle, context, (HWND)wParam, LOWORD(lParam), HIWORD(lParam))) return TRUE; } break; case WM_TIMER: { PhTnpOnTimer(WindowHandle, context, (ULONG)wParam); } return 0; case WM_MOUSEMOVE: { context->MouseLocation.x = GET_X_LPARAM(lParam); context->MouseLocation.y = GET_Y_LPARAM(lParam); if (context->SuspendUpdateStructure) context->SuspendUpdateMoveMouse = TRUE; else { PhTnpOnMouseMove(WindowHandle, context, (ULONG)wParam, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam)); } } break; case WM_MOUSELEAVE: { //if (!context->ContextMenuActive && !(context->Style & TN_STYLE_ALWAYS_SHOW_SELECTION)) //{ // ULONG changedStart; // ULONG changedEnd; // RECT rect; // // PhTnpSelectRange(context, -1, -1, TN_SELECT_RESET, &changedStart, &changedEnd); // // if (PhTnpGetRowRects(context, changedStart, changedEnd, TRUE, &rect)) // { // InvalidateRect(context->Handle, &rect, FALSE); // } //} if (!context->SuspendUpdateStructure) PhTnpOnMouseLeave(WindowHandle, context); } break; case WM_LBUTTONDOWN: case WM_LBUTTONUP: case WM_LBUTTONDBLCLK: case WM_RBUTTONDOWN: case WM_RBUTTONUP: case WM_RBUTTONDBLCLK: case WM_MBUTTONDOWN: case WM_MBUTTONUP: case WM_MBUTTONDBLCLK: { if (!context->SuspendUpdateStructure) PhTnpOnXxxButtonXxx(WindowHandle, context, WindowMessage, (ULONG)wParam, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam)); } break; case WM_CAPTURECHANGED: { PhTnpOnCaptureChanged(WindowHandle, context); } break; case WM_KEYDOWN: { if (!context->SuspendUpdateStructure) PhTnpOnKeyDown(WindowHandle, context, (ULONG)wParam, (ULONG)lParam); } break; case WM_CHAR: { if (!context->SuspendUpdateStructure) PhTnpOnChar(WindowHandle, context, (ULONG)wParam, (ULONG)lParam); } return 0; case WM_MOUSEWHEEL: { PhTnpOnMouseWheel(WindowHandle, context, (SHORT)HIWORD(wParam), LOWORD(wParam), GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam)); } break; case WM_MOUSEHWHEEL: { PhTnpOnMouseHWheel(WindowHandle, context, (SHORT)HIWORD(wParam), LOWORD(wParam), GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam)); } break; case WM_CONTEXTMENU: { if (!context->SuspendUpdateStructure) PhTnpOnContextMenu(WindowHandle, context, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam)); } return 0; case WM_VSCROLL: { PhTnpOnVScroll(WindowHandle, context, LOWORD(wParam), HIWORD(wParam)); } return 0; case WM_HSCROLL: { PhTnpOnHScroll(WindowHandle, context, LOWORD(wParam), HIWORD(wParam)); } return 0; case WM_NOTIFY: { LRESULT result; if (PhTnpOnNotify(WindowHandle, context, (NMHDR *)lParam, &result)) return result; } break; case WM_MEASUREITEM: if (context->ThemeSupport && PhThemeWindowMeasureItem(WindowHandle, (LPMEASUREITEMSTRUCT)lParam)) return TRUE; break; case WM_DRAWITEM: if (PhThemeWindowDrawItem(WindowHandle, (LPDRAWITEMSTRUCT)lParam)) return TRUE; break; case WM_CTLCOLORSCROLLBAR: if (context->ThemeSupport) return HANDLE_WM_CTLCOLORSCROLLBAR(WindowHandle, wParam, lParam, PhWindowThemeControlColor); break; case WM_CTLCOLORSTATIC: if (context->ThemeSupport) return HANDLE_WM_CTLCOLORSTATIC(WindowHandle, wParam, lParam, PhWindowThemeControlColor); break; } if (WindowMessage >= TNM_FIRST && WindowMessage <= TNM_LAST) { return PhTnpOnUserMessage(WindowHandle, context, WindowMessage, wParam, lParam); } switch (WindowMessage) { case WM_MOUSEMOVE: case WM_LBUTTONDOWN: case WM_LBUTTONUP: case WM_RBUTTONDOWN: case WM_RBUTTONUP: case WM_MBUTTONDOWN: case WM_MBUTTONUP: { if (context->TooltipsHandle) { MSG message; message.hwnd = WindowHandle; message.message = WindowMessage; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipsHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } } break; } return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } /** * Default null callback function for the treenew control. * * \param WindowHandle Handle to the treenew window. * \param Message The treenew message identifier. * \param Parameter1 First message-specific parameter. * \param Parameter2 Second message-specific parameter. * \param Context User-defined context pointer. * \return Always returns FALSE. */ _Function_class_(PH_TREENEW_CALLBACK) BOOLEAN NTAPI PhTnpNullCallback( _In_ HWND WindowHandle, _In_ PH_TREENEW_MESSAGE Message, _In_opt_ PVOID Parameter1, _In_opt_ PVOID Parameter2, _In_opt_ PVOID Context ) { return FALSE; } /** * Creates a new PPH_TREENEW_CONTEXT structure for use with the treenew control. * \return A pointer to the newly created PPH_TREENEW_CONTEXT structure. */ PPH_TREENEW_CONTEXT PhTnpCreateTreeNewContext( VOID ) { PPH_TREENEW_CONTEXT context; context = PhAllocateZero(sizeof(PH_TREENEW_CONTEXT)); context->FixedWidthMinimum = 20; context->RowHeight = 1; // must never be 0 context->HotNodeIndex = ULONG_MAX; context->Callback = PhTnpNullCallback; context->FlatList = PhCreateList(32); context->TooltipIndex = ULONG_MAX; context->TooltipId = ULONG_MAX; context->TooltipColumnId = ULONG_MAX; context->EnableRedraw = 1; context->DefaultBackColor = GetSysColor(COLOR_WINDOW); // RGB(0xff, 0xff, 0xff) context->DefaultForeColor = GetSysColor(COLOR_WINDOWTEXT); // RGB(0x00, 0x00, 0x00) return context; } /** * Destroys a treenew context. * \param Context A pointer to the PPH_TREENEW_CONTEXT structure to be destroyed. */ VOID PhTnpDestroyTreeNewContext( _In_ PPH_TREENEW_CONTEXT Context ) { if (Context->Columns) { for (ULONG i = 0; i < Context->NextId; i++) { if (Context->Columns[i]) PhFree(Context->Columns[i]); } PhFree(Context->Columns); } if (Context->ColumnsByDisplay) PhFree(Context->ColumnsByDisplay); PhDereferenceObject(Context->FlatList); if (Context->FontOwned) DeleteFont(Context->Font); if (Context->ThemeData) PhCloseThemeData(Context->ThemeData); if (Context->SearchString) PhFree(Context->SearchString); if (Context->TooltipText) PhDereferenceObject(Context->TooltipText); if (Context->BufferedContext) PhTnpDestroyBufferedContext(Context); if (Context->SuspendUpdateRegion) DeleteRgn(Context->SuspendUpdateRegion); if (Context->HeaderThemeHandle) PhCloseThemeData(Context->HeaderThemeHandle); if (Context->HeaderBoldFontHandle) DeleteFont(Context->HeaderBoldFontHandle); PhFree(Context); } /** * Handles the creation message of a treenew control. * * \param WindowHandle The handle to the window being created for the tree new control. * \param Context A pointer to the PPH_TREENEW_CONTEXT structure that holds the context for the tree new control. * \param CreateStruct A pointer to a constant CREATESTRUCT structure containing the creation parameters. * \return TRUE if the creation and initialization were successful; otherwise, FALSE. */ BOOLEAN PhTnpOnCreate( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ CONST CREATESTRUCT *CreateStruct ) { ULONG headerStyle; PPH_TREENEW_CREATEPARAMS createParamaters; Context->Handle = WindowHandle; Context->InstanceHandle = CreateStruct->hInstance; Context->Style = CreateStruct->style; Context->ExtendedStyle = CreateStruct->dwExStyle; createParamaters = CreateStruct->lpCreateParams; if (Context->Style & TN_STYLE_DOUBLE_BUFFERED) Context->DoubleBuffered = TRUE; if ((Context->Style & TN_STYLE_ANIMATE_DIVIDER) && Context->DoubleBuffered) Context->AnimateDivider = TRUE; headerStyle = HDS_HORZ | HDS_FULLDRAG; if (!(Context->Style & TN_STYLE_NO_COLUMN_SORT)) headerStyle |= HDS_BUTTONS; if (!(Context->Style & TN_STYLE_NO_COLUMN_HEADER)) headerStyle |= WS_VISIBLE; if (createParamaters) { if (Context->Style & TN_STYLE_CUSTOM_COLORS && RTL_CONTAINS_FIELD(createParamaters, createParamaters->Size, SelectionColor)) { Context->CustomTextColor = createParamaters->TextColor ? createParamaters->TextColor : RGB(0xff, 0xff, 0xff); Context->CustomFocusColor = createParamaters->FocusColor ? createParamaters->FocusColor : RGB(0x0, 0x0, 0xff); Context->CustomSelectedColor = createParamaters->SelectionColor ? createParamaters->SelectionColor : RGB(0x0, 0x0, 0x80); Context->CustomColors = TRUE; } else { Context->CustomTextColor = GetSysColor(COLOR_WINDOWTEXT); Context->CustomFocusColor = GetSysColor(COLOR_HOTLIGHT); Context->CustomSelectedColor = GetSysColor(COLOR_HIGHLIGHT); } if (RTL_CONTAINS_FIELD(createParamaters, createParamaters->Size, RowHeight) && createParamaters->RowHeight) { Context->CustomRowHeight = TRUE; Context->RowHeight = max(createParamaters->RowHeight, 1); } } else { Context->CustomTextColor = GetSysColor(COLOR_WINDOWTEXT); Context->CustomFocusColor = GetSysColor(COLOR_HOTLIGHT); Context->CustomSelectedColor = GetSysColor(COLOR_HIGHLIGHT); } if (Context->Style & TN_STYLE_CUSTOM_HEADERDRAW) Context->HeaderCustomDraw = TRUE; if (!(Context->FixedHeaderHandle = PhCreateWindow( WC_HEADER, NULL, WS_CHILD | WS_CLIPSIBLINGS | headerStyle, 0, 0, 0, 0, WindowHandle, NULL, CreateStruct->hInstance, NULL ))) { return FALSE; } if (!(Context->Style & TN_STYLE_NO_COLUMN_REORDER)) headerStyle |= HDS_DRAGDROP; if (!(Context->HeaderHandle = PhCreateWindow( WC_HEADER, NULL, WS_CHILD | WS_CLIPSIBLINGS | headerStyle, 0, 0, 0, 0, WindowHandle, NULL, CreateStruct->hInstance, NULL ))) { return FALSE; } if (!(Context->VScrollHandle = PhCreateWindow( WC_SCROLLBAR, NULL, WS_CHILD | WS_CLIPSIBLINGS | WS_VISIBLE | SBS_VERT, 0, 0, 0, 0, WindowHandle, NULL, CreateStruct->hInstance, NULL ))) { return FALSE; } if (!(Context->HScrollHandle = PhCreateWindow( WC_SCROLLBAR, NULL, WS_CHILD | WS_CLIPSIBLINGS | WS_VISIBLE | SBS_HORZ, 0, 0, 0, 0, WindowHandle, NULL, CreateStruct->hInstance, NULL ))) { return FALSE; } if (!(Context->FillerBoxHandle = PhCreateWindow( WC_STATIC, NULL, WS_CHILD | WS_CLIPSIBLINGS | WS_VISIBLE, 0, 0, 0, 0, WindowHandle, NULL, CreateStruct->hInstance, NULL ))) { return FALSE; } #if defined(DEBUG) CLIENT_ID clientId; assert(NT_SUCCESS(PhGetWindowClientId(WindowHandle, &clientId))); Context->UniqueThread = clientId.UniqueThread; #endif PhTnpUpdateSystemMetrics(Context); PhTnpSetFont(Context, NULL, FALSE); // use default font PhTnpInitializeTooltips(Context); return TRUE; } /** * Handles the WM_SIZE message for the treenew control. * * \param WindowHandle Handle to the window being resized. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpOnSize( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ) { if (!PhGetClientRect(WindowHandle, &Context->ClientRect)) return; if (Context->BufferedContext && ( Context->BufferedContextRect.right < Context->ClientRect.right || Context->BufferedContextRect.bottom < Context->ClientRect.bottom)) { // Invalidate the buffered context because the client size has increased. PhTnpDestroyBufferedContext(Context); } PhTnpLayout(Context); if (Context->TooltipsHandle) { TOOLINFO toolInfo; memset(&toolInfo, 0, sizeof(TOOLINFO)); toolInfo.cbSize = sizeof(TOOLINFO); toolInfo.hwnd = WindowHandle; toolInfo.uId = TNP_TOOLTIPS_ITEM; toolInfo.rect = Context->ClientRect; SendMessage(Context->TooltipsHandle, TTM_NEWTOOLRECT, 0, (LPARAM)&toolInfo); } } /** * Handles the WM_SETFONT message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Font Handle to the font to set, or NULL for default. * \param Redraw Whether to redraw the control after setting the font. */ VOID PhTnpOnSetFont( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ HFONT Font, _In_ LOGICAL Redraw ) { PhTnpSetFont(Context, Font, !!Redraw); PhTnpLayout(Context); } /** * Handles the WM_STYLECHANGED message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Type Specifies whether the style or extended style changed. * \param StyleStruct Pointer to a STYLESTRUCT structure with style information. */ VOID PhTnpOnStyleChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Type, _In_ STYLESTRUCT *StyleStruct ) { if (Type == GWL_EXSTYLE) Context->ExtendedStyle = StyleStruct->styleNew; } /** * Handles the WM_SETTINGCHANGE message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpOnSettingChange( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ) { PhTnpUpdateSystemMetrics(Context); PhTnpUpdateTextMetrics(Context); PhTnpLayout(Context); } /** * Handles the WM_THEMECHANGED message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpOnThemeChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ) { PhTnpUpdateThemeData(Context); } /** * Handles the WM_DPICHANGED_AFTERPARENT message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpOnDpiChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ) { LONG oldWindowDpi = Context->WindowDpi; PhTnpSetRedraw(Context, FALSE); PhTnpUpdateSystemMetrics(Context); PhTnpUpdateTextMetrics(Context); PhTnpUpdateThemeData(Context); PhTnpUpdateColumnHeadersDpiChanged(Context, oldWindowDpi, Context->WindowDpi); { PH_TREENEW_DPICHANGED_EVENT dpiChangedEvent; memset(&dpiChangedEvent, 0, sizeof(PH_TREENEW_DPICHANGED_EVENT)); dpiChangedEvent.OldWindowDpi = oldWindowDpi; dpiChangedEvent.NewWindowDpi = Context->WindowDpi; Context->Callback(Context->Handle, TreeNewDpiChanged, &dpiChangedEvent, NULL, Context->CallbackContext); } PhTnpSetRedraw(Context, TRUE); PhTnpLayout(Context); } /** * Handles the WM_GETDLGCODE message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param VirtualKey The virtual key code. * \param Message Optional pointer to a MSG structure. * \return The dialog code flags. */ ULONG PhTnpOnGetDlgCode( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey, _In_opt_ PMSG Message ) { ULONG code = 0; if (Context->Callback(WindowHandle, TreeNewGetDialogCode, UlongToPtr(VirtualKey), &code, Context->CallbackContext)) { return code; } return DLGC_WANTARROWS | DLGC_WANTCHARS; } /** * Handles the WM_PAINT message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpOnPaint( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ) { RECT updateRect; HDC hdc; PAINTSTRUCT paintStruct; if (GetUpdateRect(WindowHandle, &updateRect, FALSE) && (updateRect.left | updateRect.right | updateRect.top | updateRect.bottom)) { if (Context->EnableRedraw <= 0) { HRGN updateRegion; updateRegion = CreateRectRgn(0, 0, 0, 0); GetUpdateRgn(WindowHandle, updateRegion, FALSE); if (!Context->SuspendUpdateRegion) { Context->SuspendUpdateRegion = updateRegion; } else { CombineRgn(Context->SuspendUpdateRegion, Context->SuspendUpdateRegion, updateRegion, RGN_OR); DeleteRgn(updateRegion); } // Pretend we painted something; this ensures the update region is validated properly. if (BeginPaint(WindowHandle, &paintStruct)) EndPaint(WindowHandle, &paintStruct); return; } if (hdc = BeginPaint(WindowHandle, &paintStruct)) { updateRect = paintStruct.rcPaint; if (Context->DoubleBuffered) { if (!Context->BufferedContext) { PhTnpCreateBufferedContext(Context, hdc); } } if (Context->BufferedContext) { PhTnpPaint(WindowHandle, Context, Context->BufferedContext, &updateRect); BitBlt( hdc, updateRect.left, updateRect.top, updateRect.right - updateRect.left, updateRect.bottom - updateRect.top, Context->BufferedContext, updateRect.left, updateRect.top, SRCCOPY ); } else { PhTnpPaint(WindowHandle, Context, hdc, &updateRect); } EndPaint(WindowHandle, &paintStruct); } } } /** * Handles the WM_PRINTCLIENT message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param hdc Device context to print to. * \param Flags Print flags. */ VOID PhTnpOnPrintClient( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ ULONG Flags ) { PhTnpPaint(WindowHandle, Context, hdc, &Context->ClientRect); } /** * Handles the WM_NCPAINT message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param UpdateRegion Optional region to update. * \return TRUE if the non-client area was painted, FALSE otherwise. */ BOOLEAN PhTnpOnNcPaint( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ HRGN UpdateRegion ) { PhTnpInitializeThemeData(Context); // Themed border if ((Context->ExtendedStyle & WS_EX_CLIENTEDGE) && Context->ThemeData) { HDC hdc; ULONG flags; if (UpdateRegion == HRGN_FULL) UpdateRegion = NULL; // Note the use of undocumented flags below. GetDCEx doesn't work without these. flags = DCX_WINDOW | DCX_CACHE | DCX_USESTYLE; if (UpdateRegion) flags |= DCX_INTERSECTRGN | DCX_NODELETERGN; if (hdc = GetDCEx(WindowHandle, UpdateRegion, flags)) { PhTnpDrawThemedBorder(Context, hdc); ReleaseDC(WindowHandle, hdc); return TRUE; } } return FALSE; } /** * Handles the WM_SETCURSOR message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param CursorWindowHandle Handle to the window receiving the cursor. * \param HitTest Hit test value. * \param Source Source of the cursor event. * \return TRUE if the cursor was set, FALSE otherwise. */ BOOLEAN PhTnpOnSetCursor( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ HWND CursorWindowHandle, _In_ ULONG HitTest, _In_ ULONG Source ) { POINT point; if ( PhGetClientPos(WindowHandle, &point) && TNP_HIT_TEST_FIXED_DIVIDER(point.x, Context) ) { PhSetCursor(PhLoadDividerCursor()); return TRUE; } if (Context->Cursor) { PhSetCursor(Context->Cursor); return TRUE; } return FALSE; } /** * Handles the WM_TIMER message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Id Timer identifier. */ VOID PhTnpOnTimer( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id ) { if (Id == TNP_TIMER_ANIMATE_DIVIDER) { RECT dividerRect; dividerRect.left = Context->FixedWidth; dividerRect.top = Context->HeaderHeight; dividerRect.right = Context->FixedWidth + 1; dividerRect.bottom = Context->ClientRect.bottom; if (Context->AnimateDividerFadingIn) { Context->DividerHot += TNP_ANIMATE_DIVIDER_INCREMENT; if (Context->DividerHot >= 100) { Context->DividerHot = 100; Context->AnimateDividerFadingIn = FALSE; PhKillTimer(WindowHandle, TNP_TIMER_ANIMATE_DIVIDER); } InvalidateRect(WindowHandle, ÷rRect, FALSE); } else if (Context->AnimateDividerFadingOut) { if (Context->DividerHot <= TNP_ANIMATE_DIVIDER_DECREMENT) { Context->DividerHot = 0; Context->AnimateDividerFadingOut = FALSE; PhKillTimer(WindowHandle, TNP_TIMER_ANIMATE_DIVIDER); } else { Context->DividerHot -= TNP_ANIMATE_DIVIDER_DECREMENT; } InvalidateRect(WindowHandle, ÷rRect, FALSE); } } } /** * Handles the WM_MOUSEMOVE message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param VirtualKeys Virtual key flags. * \param CursorX X coordinate of the cursor. * \param CursorY Y coordinate of the cursor. */ VOID PhTnpOnMouseMove( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ) { if (FlagOn(Context->Style, TN_STYLE_DRAG_REORDER_ROWS)) { // Reorder drag in progress: update target and caret, swallow normal processing (dmex) if (Context->ReorderDragActive) { if (Context->ReorderJustStarted) { Context->ReorderJustStarted = FALSE; } if (Context->ReorderCursor) { PhSetCursor(Context->ReorderCursor); } PhTnpReorderUpdate(Context, CursorX, CursorY); return; } } TRACKMOUSEEVENT trackMouseEvent; trackMouseEvent.cbSize = sizeof(TRACKMOUSEEVENT); trackMouseEvent.dwFlags = TME_LEAVE; trackMouseEvent.hwndTrack = WindowHandle; trackMouseEvent.dwHoverTime = 0; TrackMouseEvent(&trackMouseEvent); if (Context->Tracking) { ULONG newFixedWidth; newFixedWidth = Context->TrackOldFixedWidth + (CursorX - Context->TrackStartX); PhTnpSetFixedWidth(Context, newFixedWidth); } PhTnpProcessMoveMouse(Context, CursorX, CursorY); } /** * Handles the WM_MOUSELEAVE message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpOnMouseLeave( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ) { RECT rect; if (Context->HotNodeIndex != ULONG_MAX && Context->ThemeData) { // Update the old hot node because it may have a different non-hot background and plus minus part. if (PhTnpGetRowRects(Context, Context->HotNodeIndex, Context->HotNodeIndex, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } Context->HotNodeIndex = ULONG_MAX; if (Context->AnimateDivider && Context->FixedDividerVisible) { if ((Context->DividerHot != 0 || Context->AnimateDividerFadingIn) && !Context->AnimateDividerFadingOut) { // Fade out the divider. Context->AnimateDividerFadingOut = TRUE; Context->AnimateDividerFadingIn = FALSE; PhSetTimer(Context->Handle, TNP_TIMER_ANIMATE_DIVIDER, TNP_ANIMATE_DIVIDER_INTERVAL, NULL); } } if (Context->TooltipIndex != ULONG_MAX || Context->TooltipId != ULONG_MAX) { // Hide the tooltip when the mouse leaves the window or we lose focus. This fixes a certain tooltip bug // when hovering over an item to show the tooltip while alt-tabbing causes the tooltip to remain stuck // on screen. There's also a similar issue when a window steals focus just as the tooltip becomes visible // and also causes the tooltip to remain stuck on screen. Popping here fixes both issues. (dmex) PhTnpPopTooltip(Context); } } /** * Handles mouse button messages (down, up, double-click) for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Message Mouse message identifier. * \param VirtualKeys Virtual key flags. * \param CursorX X coordinate of the cursor. * \param CursorY Y coordinate of the cursor. */ VOID PhTnpOnXxxButtonXxx( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Message, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ) { BOOLEAN startingTracking; PH_TREENEW_HIT_TEST hitTest; LOGICAL controlKey; LOGICAL shiftKey; RECT rect; ULONG changedStart; ULONG changedEnd; ULONG clickMessage; // Focus if (Message == WM_LBUTTONDOWN || Message == WM_RBUTTONDOWN) SetFocus(WindowHandle); // Divider tracking startingTracking = FALSE; switch (Message) { case WM_LBUTTONDOWN: { if (TNP_HIT_TEST_FIXED_DIVIDER(CursorX, Context)) { startingTracking = TRUE; Context->Tracking = TRUE; Context->TrackStartX = CursorX; Context->TrackOldFixedWidth = Context->FixedWidth; SetCapture(WindowHandle); PhSetTimer(WindowHandle, TNP_TIMER_NULL, 100, NULL); // make sure we get messages once in a while so we can detect the escape key GetAsyncKeyState(VK_ESCAPE); } } break; case WM_LBUTTONUP: { if (Context->Tracking) { ReleaseCapture(); } } break; case WM_RBUTTONDOWN: { if (Context->Tracking) { PhTnpCancelTrack(Context); } } break; } if (!startingTracking && Context->Tracking) // still OK to process further if the user is only starting to drag the divider return; hitTest.Point.x = CursorX; hitTest.Point.y = CursorY; hitTest.InFlags = TN_TEST_COLUMN | TN_TEST_SUBITEM; PhTnpHitTest(Context, &hitTest); if (FlagOn(Context->Style, TN_STYLE_DRAG_REORDER_ROWS)) { // Begin reorder drag if: // - TN_STYLE_DRAG_REORDER_ROWS flag enabled // - Left button down on item content (not plus/minus, not divider) // - Ctrl is held (to avoid conflict with drag selection) if (Message == WM_LBUTTONDOWN && (VirtualKeys & MK_CONTROL) && (hitTest.Flags & TN_HIT_ITEM) && !(hitTest.Flags & (TN_HIT_ITEM_PLUSMINUS | TN_HIT_DIVIDER))) { PH_TREENEW_REORDER_EVENT reorderEvent = { 0 }; memset(&reorderEvent, 0, sizeof(PH_TREENEW_REORDER_EVENT)); reorderEvent.Source = hitTest.Node; reorderEvent.Target = hitTest.Node; reorderEvent.DropAfter = FALSE; reorderEvent.Allow = TRUE; Context->Callback(Context->Handle, TreeNewReorderBegin, &reorderEvent, NULL, Context->CallbackContext); if (reorderEvent.Allow) { ULONG saveIndex = hitTest.Node ? hitTest.Node->Index : ULONG_MAX; ULONG cancelledByMessage = 0; if (PhTnpDetectDrag(Context, CursorX, CursorY, TRUE, &cancelledByMessage)) { // Begin drag-reorder if (saveIndex != ULONG_MAX && saveIndex < Context->FlatList->Count) { PhTnpReorderBegin(Context, saveIndex); PhTnpReorderUpdateCaretRect(Context); InvalidateRect(Context->Handle, &Context->ReorderInsertRect, FALSE); return; // swallow normal selection behavior } } else { // If detection consumed up-event, don't duplicate if (cancelledByMessage == WM_LBUTTONUP) return; } } } // Commit/cancel on mouse up if in reorder mode if (Message == WM_LBUTTONUP && Context->ReorderDragActive) { PhTnpReorderCommit(Context); return; } if (Message == WM_RBUTTONDOWN && Context->ReorderDragActive) { PhTnpReorderCancel(Context); return; } } controlKey = VirtualKeys & MK_CONTROL; shiftKey = VirtualKeys & MK_SHIFT; // Plus minus glyph if ((hitTest.Flags & TN_HIT_ITEM_PLUSMINUS) && Message == WM_LBUTTONDOWN) { PhTnpSetExpandedNode(Context, hitTest.Node, !hitTest.Node->Expanded); } // Selection if (!(hitTest.Flags & TN_HIT_ITEM_PLUSMINUS) && (Message == WM_LBUTTONDOWN || Message == WM_RBUTTONDOWN)) { LOGICAL allowDragSelect; PH_TREENEW_CELL_PARTS parts; PhTnpPopTooltip(Context); allowDragSelect = TRUE; if (hitTest.Flags & TN_HIT_ITEM) { allowDragSelect = FALSE; Context->FocusNode = hitTest.Node; if (Context->ExtendedFlags & TN_FLAG_ITEM_DRAG_SELECT) { // To allow drag selection to begin even if the cursor is on an item, we check if // the cursor is on the item icon or text. Exceptions are: // * When the item is already selected // * When user is beginning to drag the divider if (!hitTest.Node->Selected && !startingTracking) { if (PhTnpGetCellParts(Context, hitTest.Node->Index, hitTest.Column, TN_MEASURE_TEXT, &parts)) { allowDragSelect = TRUE; if ((parts.Flags & TN_PART_ICON) && CursorX >= parts.IconRect.left && CursorX < parts.IconRect.right) allowDragSelect = FALSE; if ((parts.Flags & TN_PART_CONTENT) && (parts.Flags & TN_PART_TEXT)) { if (CursorX >= parts.TextRect.left && CursorX < parts.TextRect.right) allowDragSelect = FALSE; } } } } PhTnpProcessSelectNode(Context, hitTest.Node, controlKey, shiftKey, Message == WM_RBUTTONDOWN); } if (allowDragSelect) { BOOLEAN dragSelect; ULONG indexToSelect; BOOLEAN selectionProcessed; BOOLEAN showContextMenu; dragSelect = FALSE; indexToSelect = ULONG_MAX; selectionProcessed = FALSE; showContextMenu = FALSE; if (!(hitTest.Flags & (TN_HIT_LEFT | TN_HIT_RIGHT | TN_HIT_ABOVE | TN_HIT_BELOW)) && !startingTracking) // don't interfere with divider { BOOLEAN result; ULONG saveIndex; ULONG saveId; ULONG cancelledByMessage; // Check for drag selection. PhTnpDetectDrag has its own message loop, so we need to // clear our pointers before we continue or we will have some access violations when // items get deleted. if (hitTest.Node) saveIndex = hitTest.Node->Index; else saveIndex = ULONG_MAX; if (hitTest.Column) saveId = hitTest.Column->Id; else saveId = ULONG_MAX; result = PhTnpDetectDrag(Context, CursorX, CursorY, TRUE, &cancelledByMessage); // Restore the pointers. if (saveIndex == ULONG_MAX) hitTest.Node = NULL; else if (saveIndex < Context->FlatList->Count) hitTest.Node = Context->FlatList->Items[saveIndex]; else return; if (saveId != ULONG_MAX && !(hitTest.Column = PhTnpLookupColumnById(Context, saveId))) return; if (result) { dragSelect = TRUE; if ((hitTest.Flags & TN_HIT_ITEM) && (Context->ExtendedFlags & TN_FLAG_ITEM_DRAG_SELECT)) { // Include the current node before starting the drag selection, otherwise // the user will never be able to select the current node. if (hitTest.Node) { indexToSelect = hitTest.Node->Index; } } } else { if ((Message == WM_LBUTTONDOWN && cancelledByMessage == WM_LBUTTONUP) || (Message == WM_RBUTTONDOWN && cancelledByMessage == WM_RBUTTONUP)) { POINT point; if ((hitTest.Flags & TN_HIT_ITEM) && (Context->ExtendedFlags & TN_FLAG_ITEM_DRAG_SELECT)) { // The user isn't performing a drag selection, so prevent deselection. selectionProcessed = TRUE; } // The button up message gets consumed by PhTnpDetectDrag, so send the mouse // event here. // Check if the cursor stayed in the same place. if ( PhGetClientPos(Context->Handle, &point) && point.x == CursorX && point.y == CursorY ) { PhTnpSendMouseEvent( Context, Message == WM_LBUTTONDOWN ? TreeNewLeftClick : TreeNewRightClick, CursorX, CursorY, hitTest.Node, hitTest.Column, VirtualKeys ); } if (Message == WM_RBUTTONDOWN) showContextMenu = TRUE; } } } if (!selectionProcessed && !controlKey && !shiftKey) { // Nothing: deselect everything. PhTnpSelectRange(Context, indexToSelect, indexToSelect, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(WindowHandle, &rect, FALSE); } } if (dragSelect) { PhTnpDragSelect(Context, CursorX, CursorY); } if (showContextMenu) { SendMessage(Context->Handle, WM_CONTEXTMENU, (WPARAM)Context->Handle, GetMessagePos()); } return; } } // Click, double-click // Note: If TN_FLAG_ITEM_DRAG_SELECT is enabled, the code below that processes WM_xBUTTONDOWN // and WM_xBUTTONUP messages only takes effect when the user clicks directly on an item's icon // or text. clickMessage = ULONG_MAX; if (Message == WM_LBUTTONDOWN || Message == WM_RBUTTONDOWN || Message == WM_MBUTTONDOWN) { if (Context->MouseDownLast != 0 && Context->MouseDownLast != Message) { // User pressed one button and pressed the other without letting go of the first one. // This counts as a click. if (Context->MouseDownLast == WM_LBUTTONDOWN) clickMessage = TreeNewLeftClick; else if (Context->MouseDownLast == WM_RBUTTONDOWN) clickMessage = TreeNewRightClick; else clickMessage = TreeNewMiddleClick; } Context->MouseDownLast = Message; Context->MouseDownLocation.x = CursorX; Context->MouseDownLocation.y = CursorY; } else if (Message == WM_LBUTTONUP || Message == WM_RBUTTONUP || Message == WM_MBUTTONUP) { if (Context->MouseDownLast != 0 && Context->MouseDownLocation.x == CursorX && Context->MouseDownLocation.y == CursorY) { if (Context->MouseDownLast == WM_LBUTTONDOWN) clickMessage = TreeNewLeftClick; else if (Context->MouseDownLast == WM_RBUTTONDOWN) clickMessage = TreeNewRightClick; else clickMessage = TreeNewMiddleClick; } Context->MouseDownLast = 0; } else if (Message == WM_LBUTTONDBLCLK) { clickMessage = TreeNewLeftDoubleClick; } else if (Message == WM_RBUTTONDBLCLK) { clickMessage = TreeNewRightDoubleClick; } if (!(hitTest.Flags & TN_HIT_ITEM_PLUSMINUS) && clickMessage != ULONG_MAX) { PhTnpSendMouseEvent(Context, clickMessage, CursorX, CursorY, hitTest.Node, hitTest.Column, VirtualKeys); } } /** * Handles the WM_CAPTURECHANGED message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpOnCaptureChanged( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context ) { Context->Tracking = FALSE; PhKillTimer(WindowHandle, TNP_TIMER_NULL); if (FlagOn(Context->Style, TN_STYLE_DRAG_REORDER_ROWS)) { if (Context->ReorderDragActive && !Context->ReorderJustStarted) PhTnpReorderCancel(Context); } } /** * Handles the WM_KEYDOWN message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param VirtualKey Virtual key code. * \param Data Additional key data. */ VOID PhTnpOnKeyDown( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey, _In_ ULONG Data ) { PH_TREENEW_KEY_EVENT keyEvent; if (FlagOn(Context->Style, TN_STYLE_DRAG_REORDER_ROWS)) { // Cancel reorder drag with ESC if (Context->ReorderDragActive && VirtualKey == VK_ESCAPE) { PhTnpReorderCancel(Context); return; } } keyEvent.Handled = FALSE; keyEvent.VirtualKey = VirtualKey; keyEvent.Data = Data; Context->Callback(Context->Handle, TreeNewKeyDown, &keyEvent, NULL, Context->CallbackContext); if (keyEvent.Handled) return; if (PhTnpProcessFocusKey(Context, VirtualKey)) return; if (PhTnpProcessNodeKey(Context, VirtualKey)) return; // handle standard key presses switch (VirtualKey) { case 'A': if (GetKeyState(VK_CONTROL) < 0) TreeNew_SelectRange(WindowHandle, 0, -1); return; } // pass unhandled key presses to parent SendMessage(GetParent(WindowHandle), WM_KEYDOWN, VirtualKey, Data); } /** * Handles the WM_CHAR message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Character The character code. * \param Data Additional data. */ VOID PhTnpOnChar( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Character, _In_ ULONG Data ) { // Make sure the character is printable. if (Character >= ' ' && Character <= '~') { PhTnpProcessSearchKey(Context, Character); } } /** * Handles the WM_MOUSEWHEEL message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Distance Wheel delta. * \param VirtualKeys Virtual key flags. * \param CursorX X coordinate of the cursor. * \param CursorY Y coordinate of the cursor. */ VOID PhTnpOnMouseWheel( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ) { // The normal mouse wheel can affect both the vertical scrollbar and the horizontal scrollbar, // but the vertical scrollbar takes precedence. if (Context->VScrollVisible) { PhTnpProcessMouseVWheel(Context, -Distance); } else if (Context->HScrollVisible) { PhTnpProcessMouseHWheel(Context, -Distance); } } /** * Handles the WM_MOUSEHWHEEL message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Distance Wheel delta. * \param VirtualKeys Virtual key flags. * \param CursorX X coordinate of the cursor. * \param CursorY Y coordinate of the cursor. */ VOID PhTnpOnMouseHWheel( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance, _In_ ULONG VirtualKeys, _In_ LONG CursorX, _In_ LONG CursorY ) { PhTnpProcessMouseHWheel(Context, Distance); } /** * Handles the WM_CONTEXTMENU message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param CursorScreenX X coordinate of the context menu (screen coordinates). * \param CursorScreenY Y coordinate of the context menu (screen coordinates). */ VOID PhTnpOnContextMenu( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorScreenX, _In_ LONG CursorScreenY ) { POINT clientPoint; BOOLEAN keyboardInvoked; PH_TREENEW_HIT_TEST hitTest; PH_TREENEW_CONTEXT_MENU contextMenu; if (CursorScreenX == INT_ERROR && CursorScreenY == INT_ERROR) { ULONG i; BOOLEAN found; RECT windowRect; RECT rect; keyboardInvoked = TRUE; // Context menu was invoked via keyboard. Display the context menu at the selected item. found = FALSE; for (i = 0; i < Context->FlatList->Count; i++) { if (((PPH_TREENEW_NODE)Context->FlatList->Items[i])->Selected) { found = TRUE; break; } } if (found && PhTnpGetRowRects(Context, i, i, FALSE, &rect) && rect.top >= Context->ClientRect.top && rect.top < Context->ClientRect.bottom) { clientPoint.x = rect.left + Context->SmallIconWidth / 2; clientPoint.y = rect.top + Context->RowHeight / 2; } else { clientPoint.x = 0; clientPoint.y = 0; } PhGetWindowRect(WindowHandle, &windowRect); CursorScreenX = windowRect.left + clientPoint.x; CursorScreenY = windowRect.top + clientPoint.y; } else { keyboardInvoked = FALSE; clientPoint.x = CursorScreenX; clientPoint.y = CursorScreenY; ScreenToClient(WindowHandle, &clientPoint); if (clientPoint.y < Context->HeaderHeight) { // Already handled by TreeNewHeaderRightClick. return; } } hitTest.Point = clientPoint; hitTest.InFlags = TN_TEST_COLUMN; PhTnpHitTest(Context, &hitTest); contextMenu.Location.x = CursorScreenX; contextMenu.Location.y = CursorScreenY; contextMenu.ClientLocation = clientPoint; contextMenu.Node = hitTest.Node; contextMenu.Column = hitTest.Column; contextMenu.KeyboardInvoked = keyboardInvoked; Context->ContextMenuActive = TRUE; Context->Callback(WindowHandle, TreeNewContextMenu, &contextMenu, NULL, Context->CallbackContext); Context->ContextMenuActive = FALSE; } /** * Handles the WM_VSCROLL message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Request Scroll request type. * \param Position Scroll position. */ VOID PhTnpOnVScroll( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Request, _In_ USHORT Position ) { SCROLLINFO scrollInfo; LONG oldPosition; scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_ALL; GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; switch (Request) { case SB_LINEUP: scrollInfo.nPos--; break; case SB_LINEDOWN: scrollInfo.nPos++; break; case SB_PAGEUP: scrollInfo.nPos -= scrollInfo.nPage; break; case SB_PAGEDOWN: scrollInfo.nPos += scrollInfo.nPage; break; case SB_THUMBPOSITION: // Touch scrolling seems to give us Position but not nTrackPos. The problem is that Position // is a 16-bit value, so don't use it if we have too many rows. if (Context->FlatList->Count <= 0xffff) scrollInfo.nPos = Position; break; case SB_THUMBTRACK: scrollInfo.nPos = scrollInfo.nTrackPos; break; case SB_TOP: scrollInfo.nPos = 0; break; case SB_BOTTOM: scrollInfo.nPos = MAXINT; break; } scrollInfo.fMask = SIF_POS; SetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo, TRUE); GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); if (scrollInfo.nPos != oldPosition) { Context->VScrollPosition = scrollInfo.nPos; PhTnpProcessScroll(Context, scrollInfo.nPos - oldPosition, 0); } } /** * Handles the WM_HSCROLL message for the treenew control. * * \param WindowHandle Handle to the window. * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Request Scroll request type. * \param Position Scroll position. */ VOID PhTnpOnHScroll( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Request, _In_ USHORT Position ) { SCROLLINFO scrollInfo; LONG oldPosition; scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_ALL; GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; switch (Request) { case SB_LINELEFT: scrollInfo.nPos -= Context->TextMetrics.tmAveCharWidth; break; case SB_LINERIGHT: scrollInfo.nPos += Context->TextMetrics.tmAveCharWidth; break; case SB_PAGELEFT: scrollInfo.nPos -= scrollInfo.nPage; break; case SB_PAGERIGHT: scrollInfo.nPos += scrollInfo.nPage; break; case SB_THUMBPOSITION: // Touch scrolling seems to give us Position but not nTrackPos. The problem is that Position // is a 16-bit value, so don't use it if we have too many rows. if (Context->FlatList->Count <= 0xffff) scrollInfo.nPos = Position; break; case SB_THUMBTRACK: scrollInfo.nPos = scrollInfo.nTrackPos; break; case SB_LEFT: scrollInfo.nPos = 0; break; case SB_RIGHT: scrollInfo.nPos = MAXINT; break; } scrollInfo.fMask = SIF_POS; SetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo, TRUE); GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); if (scrollInfo.nPos != oldPosition) { Context->HScrollPosition = scrollInfo.nPos; PhTnpProcessScroll(Context, 0, scrollInfo.nPos - oldPosition); } } /** * Handles WM_NOTIFY messages from child controls. * * \param WindowHandle Handle to the treenew window. * \param Context Pointer to the treenew context structure. * \param Header Pointer to the NMHDR notification structure. * \param Result Pointer to receive the message result. * \return TRUE if the message was handled, FALSE otherwise. */ _Success_(return) BOOLEAN PhTnpOnNotify( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ NMHDR *Header, _Out_ LRESULT *Result ) { switch (Header->code) { case HDN_ITEMCHANGING: case HDN_ITEMCHANGED: { NMHEADER *nmHeader = (NMHEADER *)Header; if (Header->code == HDN_ITEMCHANGING && Header->hwndFrom == Context->FixedHeaderHandle) { if (nmHeader->pitem->mask & HDI_WIDTH) { if (Context->FixedColumnVisible) { Context->FixedWidth = nmHeader->pitem->cxy - 1; if (Context->FixedWidth < Context->FixedWidthMinimum) Context->FixedWidth = Context->FixedWidthMinimum; Context->NormalLeft = Context->FixedWidth + 1; nmHeader->pitem->cxy = Context->FixedWidth + 1; } else { Context->FixedWidth = 0; Context->NormalLeft = 0; } } } if (Header->hwndFrom == Context->FixedHeaderHandle || Header->hwndFrom == Context->HeaderHandle) { if (nmHeader->pitem->mask & HDI_WIDTH) { // A column has been resized. Update our stored information. PhTnpUpdateColumnHeaders(Context); PhTnpUpdateColumnMaps(Context); if (Header->code == HDN_ITEMCHANGING) { HDITEM item; item.mask = HDI_WIDTH | HDI_LPARAM; if (Header_GetItem(Header->hwndFrom, nmHeader->iItem, &item)) { Context->ResizingColumn = (PPH_TREENEW_COLUMN)item.lParam; Context->OldColumnWidth = item.cxy; } else { Context->ResizingColumn = NULL; Context->OldColumnWidth = -1; } } else if (Header->code == HDN_ITEMCHANGED) { if (Context->ResizingColumn) { LONG delta; delta = nmHeader->pitem->cxy - Context->OldColumnWidth; if (delta != 0) { PhTnpProcessResizeColumn(Context, Context->ResizingColumn, delta); Context->Callback(Context->Handle, TreeNewColumnResized, Context->ResizingColumn, NULL, Context->CallbackContext); } Context->ResizingColumn = NULL; // Redraw the entire window if we are displaying empty text. if (Context->FlatList->Count == 0 && Context->EmptyText.Length != 0) InvalidateRect(Context->Handle, NULL, FALSE); } else { // An error occurred during HDN_ITEMCHANGED, so redraw the entire window. InvalidateRect(Context->Handle, NULL, FALSE); } } } } } break; case HDN_ITEMCLICK: { if ((Header->hwndFrom == Context->FixedHeaderHandle || Header->hwndFrom == Context->HeaderHandle) && !(Context->Style & TN_STYLE_NO_COLUMN_SORT)) { NMHEADER *nmHeader = (NMHEADER *)Header; HDITEM item; PPH_TREENEW_COLUMN column; // A column has been clicked, so update the sort state. item.mask = HDI_LPARAM; if (Header_GetItem(Header->hwndFrom, nmHeader->iItem, &item)) { column = (PPH_TREENEW_COLUMN)item.lParam; PhTnpProcessSortColumn(Context, column); } } } break; case HDN_ENDDRAG: case NM_RELEASEDCAPTURE: { if (Header->hwndFrom == Context->HeaderHandle) { // Columns have been re-ordered, so refresh our information. // Note: The fixed column cannot be re-ordered. PhTnpUpdateColumnHeaders(Context); PhTnpUpdateColumnMaps(Context); Context->Callback(Context->Handle, TreeNewColumnReordered, NULL, NULL, Context->CallbackContext); InvalidateRect(Context->Handle, NULL, FALSE); } // We need to invalidate the header but hwndFrom doesn't match HeaderHandle, // instead we'll always invalidate? (dmex) if (Context->ThemeSupport) { InvalidateRect(Context->HeaderHandle, NULL, FALSE); } } break; case HDN_DIVIDERDBLCLICK: { if (Header->hwndFrom == Context->FixedHeaderHandle || Header->hwndFrom == Context->HeaderHandle) { NMHEADER *nmHeader = (NMHEADER *)Header; HDITEM item; if (Context->SuspendUpdateStructure) break; item.mask = HDI_LPARAM; if (Header_GetItem(Header->hwndFrom, nmHeader->iItem, &item)) { PhTnpAutoSizeColumnHeader( Context, Header->hwndFrom, (PPH_TREENEW_COLUMN)item.lParam, 0 ); } } } break; case NM_RCLICK: { if (Header->hwndFrom == Context->FixedHeaderHandle || Header->hwndFrom == Context->HeaderHandle) { PH_TREENEW_HEADER_MOUSE_EVENT mouseEvent; ULONG position; position = GetMessagePos(); mouseEvent.ScreenLocation.x = GET_X_LPARAM(position); mouseEvent.ScreenLocation.y = GET_Y_LPARAM(position); mouseEvent.Location = mouseEvent.ScreenLocation; ScreenToClient(WindowHandle, &mouseEvent.Location); mouseEvent.HeaderLocation = mouseEvent.ScreenLocation; ScreenToClient(Header->hwndFrom, &mouseEvent.HeaderLocation); mouseEvent.Column = PhTnpHitTestHeader(Context, Header->hwndFrom == Context->FixedHeaderHandle, &mouseEvent.HeaderLocation, NULL); Context->Callback(WindowHandle, TreeNewHeaderRightClick, &mouseEvent, NULL, Context->CallbackContext); } } break; case TTN_GETDISPINFO: { if (Header->hwndFrom == Context->TooltipsHandle) { NMTTDISPINFO *info = (NMTTDISPINFO *)Header; POINT point; PPH_STRING string; if (PhGetClientPos(WindowHandle, &point)) { if (PhTnpGetTooltipText(Context, &point, &string)) { info->lpszText = string->Buffer; break; } } } } break; case TTN_SHOW: { if (Header->hwndFrom == Context->TooltipsHandle) { *Result = PhTnpPrepareTooltipShow(Context); return TRUE; } } break; case TTN_POP: { if (Header->hwndFrom == Context->TooltipsHandle) { PhTnpPrepareTooltipPop(Context); } } break; case NM_CUSTOMDRAW: { if (Header->hwndFrom == Context->FixedHeaderHandle || Header->hwndFrom == Context->HeaderHandle) { LPNMCUSTOMDRAW customDraw = (LPNMCUSTOMDRAW)Header; switch (customDraw->dwDrawStage) { case CDDS_PREPAINT: { *Result = CDRF_NOTIFYITEMDRAW; } return TRUE; case CDDS_ITEMPREPAINT: { if (TnHeaderCustomPaint(Context, customDraw)) { *Result = CDRF_SKIPDEFAULT; } else { *Result = CDRF_DODEFAULT; } } return TRUE; } } } break; } return FALSE; } /** * Processes treenew-specific user messages (TNM_* messages). * * \param WindowHandle Handle to the treenew window. * \param Context Pointer to the treenew context structure. * \param Message The treenew message identifier. * \param WParam First message-specific parameter. * \param LParam Second message-specific parameter. * \return The result of the message processing. */ LRESULT PhTnpOnUserMessage( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Message, _In_ ULONG_PTR WParam, _In_ ULONG_PTR LParam ) { switch (Message) { case TNM_SETCALLBACK: { Context->Callback = (PPH_TREENEW_CALLBACK)LParam; Context->CallbackContext = (PVOID)WParam; if (!Context->Callback) Context->Callback = PhTnpNullCallback; } return TRUE; case TNM_NODESSTRUCTURED: { if (Context->EnableRedraw <= 0) { Context->SuspendUpdateStructure = TRUE; Context->SuspendUpdateLayout = TRUE; InvalidateRect(Context->Handle, NULL, FALSE); return TRUE; } PhTnpRestructureNodes(Context); PhTnpLayout(Context); InvalidateRect(Context->Handle, NULL, FALSE); } return TRUE; case TNM_ADDCOLUMN: return PhTnpAddColumn(Context, (PPH_TREENEW_COLUMN)LParam); case TNM_REMOVECOLUMN: return PhTnpRemoveColumn(Context, (ULONG)WParam); case TNM_GETCOLUMN: return PhTnpCopyColumn(Context, (ULONG)WParam, (PPH_TREENEW_COLUMN)LParam); case TNM_SETCOLUMN: { PPH_TREENEW_COLUMN column = (PPH_TREENEW_COLUMN)LParam; return PhTnpChangeColumn(Context, (ULONG)WParam, column->Id, column); } break; case TNM_GETCOLUMNORDERARRAY: { ULONG count = (ULONG)WParam; PULONG order = (PULONG)LParam; ULONG i; if (count != Context->NumberOfColumnsByDisplay) return FALSE; for (i = 0; i < count; i++) { order[i] = Context->ColumnsByDisplay[i]->Id; } } return TRUE; case TNM_SETCOLUMNORDERARRAY: { ULONG count = (ULONG)WParam; PULONG order = (PULONG)LParam; ULONG i; PULONG newOrder; PPH_TREENEW_COLUMN column; if (count) { newOrder = PhAllocate(count * sizeof(ULONG)); for (i = 0; i < count; i++) { if (!(column = PhTnpLookupColumnById(Context, order[i]))) { PhFree(newOrder); return FALSE; } newOrder[i] = column->s.ViewIndex; } if (!Header_SetOrderArray(Context->HeaderHandle, count, newOrder)) { PhFree(newOrder); return FALSE; } PhFree(newOrder); } PhTnpUpdateColumnHeaders(Context); PhTnpUpdateColumnMaps(Context); } return TRUE; case TNM_SETCURSOR: { Context->Cursor = (HCURSOR)LParam; } return TRUE; case TNM_GETSORT: { PULONG sortColumn = (PULONG)WParam; PPH_SORT_ORDER sortOrder = (PPH_SORT_ORDER)LParam; if (sortColumn) *sortColumn = Context->SortColumn; if (sortOrder) *sortOrder = Context->SortOrder; } return TRUE; case TNM_SETSORT: { ULONG sortColumn = (ULONG)WParam; PH_SORT_ORDER sortOrder = (PH_SORT_ORDER)LParam; PH_TREENEW_SORT_CHANGED_EVENT sortOrderEvent; PPH_TREENEW_COLUMN column; if (sortColumn == Context->SortColumn && sortOrder == Context->SortOrder) { return TRUE; // Nothing to change (dmex) } if (sortOrder != NoSortOrder) { if (!(column = PhTnpLookupColumnById(Context, sortColumn))) return FALSE; } else { sortColumn = 0; column = NULL; } Context->SortColumn = sortColumn; Context->SortOrder = sortOrder; PhTnpSetColumnHeaderSortIcon(Context, column); memset(&sortOrderEvent, 0, sizeof(PH_TREENEW_SORT_CHANGED_EVENT)); sortOrderEvent.SortColumn = sortColumn; sortOrderEvent.SortOrder = sortOrder; Context->Callback(Context->Handle, TreeNewSortChanged, &sortOrderEvent, NULL, Context->CallbackContext); } return TRUE; case TNM_SETTRISTATE: Context->TriState = !!WParam; return TRUE; case TNM_ENSUREVISIBLE: return PhTnpEnsureVisibleNode(Context, ((PPH_TREENEW_NODE)LParam)->Index); case TNM_SCROLL: PhTnpScroll(Context, (LONG)WParam, (LONG)LParam); return TRUE; case TNM_GETFLATNODECOUNT: if (!Context->SuspendUpdateStructure) return (LRESULT)Context->FlatList->Count; else return 0; case TNM_GETFLATNODE: { ULONG index = (ULONG)WParam; if (index >= Context->FlatList->Count) return (LRESULT)NULL; return (LRESULT)Context->FlatList->Items[index]; } break; case TNM_GETCELLTEXT: { PPH_TREENEW_GET_CELL_TEXT getCellText = (PPH_TREENEW_GET_CELL_TEXT)LParam; return PhTnpGetCellText( Context, getCellText->Node, getCellText->Id, &getCellText->Text ); } break; case TNM_SETNODEEXPANDED: PhTnpSetExpandedNode(Context, (PPH_TREENEW_NODE)LParam, !!WParam); return TRUE; case TNM_GETMAXID: return (LRESULT)(Context->NextId - 1); case TNM_SETMAXID: { ULONG maxId = (ULONG)WParam; if (Context->NextId < maxId + 1) { Context->NextId = maxId + 1; if (Context->AllocatedColumns < Context->NextId) { PhTnpExpandAllocatedColumns(Context); } } } return TRUE; case TNM_INVALIDATENODE: { PPH_TREENEW_NODE node = (PPH_TREENEW_NODE)LParam; RECT rect; if (!node->Visible) return FALSE; if (!PhTnpGetRowRects(Context, node->Index, node->Index, TRUE, &rect)) return FALSE; InvalidateRect(WindowHandle, &rect, FALSE); } return TRUE; case TNM_INVALIDATENODES: { RECT rect; if (!PhTnpGetRowRects(Context, (ULONG)WParam, (ULONG)LParam, TRUE, &rect)) return FALSE; InvalidateRect(WindowHandle, &rect, FALSE); } return TRUE; case TNM_GETFIXEDHEADER: return (LRESULT)Context->FixedHeaderHandle; case TNM_GETHEADER: return (LRESULT)Context->HeaderHandle; case TNM_GETTOOLTIPS: return (LRESULT)Context->TooltipsHandle; case TNM_SELECTRANGE: case TNM_DESELECTRANGE: { ULONG flags; ULONG changedStart; ULONG changedEnd; RECT rect; flags = 0; if (Message == TNM_DESELECTRANGE) flags |= TN_SELECT_DESELECT; PhTnpSelectRange(Context, (ULONG)WParam, (ULONG)LParam, flags, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(WindowHandle, &rect, FALSE); } } return TRUE; case TNM_GETCOLUMNCOUNT: return (LRESULT)Context->NumberOfColumns; case TNM_SETREDRAW: PhTnpSetRedraw(Context, !!WParam); return (LRESULT)Context->EnableRedraw; case TNM_GETVIEWPARTS: { PPH_TREENEW_VIEW_PARTS parts = (PPH_TREENEW_VIEW_PARTS)LParam; parts->ClientRect = Context->ClientRect; parts->HeaderHeight = Context->HeaderHeight; parts->RowHeight = Context->RowHeight; parts->VScrollWidth = Context->VScrollVisible ? Context->VScrollWidth : 0; parts->HScrollHeight = Context->HScrollHeight ? Context->HScrollHeight : 0; parts->VScrollPosition = Context->VScrollPosition; parts->HScrollPosition = Context->HScrollPosition; parts->FixedWidth = Context->FixedWidth; parts->NormalLeft = Context->NormalLeft; parts->NormalWidth = Context->TotalViewX; parts->ScrollTickCount = (NtGetTickCount64() - Context->ScrollTickCount); } return TRUE; case TNM_GETFIXEDCOLUMN: return (LRESULT)Context->FixedColumn; case TNM_GETFIRSTCOLUMN: return (LRESULT)Context->FirstColumn; case TNM_SETFOCUSNODE: Context->FocusNode = (PPH_TREENEW_NODE)LParam; return TRUE; case TNM_SETMARKNODE: Context->MarkNodeIndex = ((PPH_TREENEW_NODE)LParam)->Index; return TRUE; case TNM_SETHOTNODE: PhTnpSetHotNode(Context, (PPH_TREENEW_NODE)LParam, FALSE); return TRUE; case TNM_SETEXTENDEDFLAGS: Context->ExtendedFlags = (Context->ExtendedFlags & ~(ULONG)WParam) | ((ULONG)LParam & (ULONG)WParam); return TRUE; case TNM_GETCALLBACK: { PPH_TREENEW_CALLBACK *callback = (PPH_TREENEW_CALLBACK *)LParam; PVOID *callbackContext = (PVOID *)WParam; if (callback) { if (Context->Callback != PhTnpNullCallback) *callback = Context->Callback; else *callback = NULL; } if (callbackContext) { *callbackContext = Context->CallbackContext; } } return TRUE; case TNM_HITTEST: PhTnpHitTest(Context, (PPH_TREENEW_HIT_TEST)LParam); return TRUE; case TNM_GETVISIBLECOLUMNCOUNT: return Context->NumberOfColumnsByDisplay + (Context->FixedColumnVisible ? 1 : 0); case TNM_AUTOSIZECOLUMN: { ULONG id = (ULONG)WParam; ULONG flags = (ULONG)LParam; PPH_TREENEW_COLUMN column; if (!(column = PhTnpLookupColumnById(Context, id))) return FALSE; if (!column->Visible) return FALSE; PhTnpAutoSizeColumnHeader( Context, column->Fixed ? Context->FixedHeaderHandle : Context->HeaderHandle, column, flags ); } return TRUE; case TNM_SETEMPTYTEXT: { PPH_STRINGREF text = (PPH_STRINGREF)LParam; ULONG flags = (ULONG)WParam; Context->EmptyText = *text; } return TRUE; case TNM_SETROWHEIGHT: { LONG rowHeight = (LONG)WParam; if (rowHeight != 0) { Context->CustomRowHeight = TRUE; Context->RowHeight = rowHeight; } else { Context->CustomRowHeight = FALSE; PhTnpUpdateTextMetrics(Context); } } return TRUE; case TNM_ISFLATNODEVALID: return !Context->SuspendUpdateStructure; case TNM_THEMESUPPORT: Context->ThemeSupport = !!WParam; return TRUE; case TNM_SETIMAGELIST: { Context->ImageListSupport = !!WParam; Context->ImageListHandle = (HIMAGELIST)WParam; } return TRUE; case TNM_SETCOLUMNTEXTCACHE: { PPH_TREENEW_SET_HEADER_CACHE headerCache = (PPH_TREENEW_SET_HEADER_CACHE)WParam; Context->HeaderColumnCacheMax = headerCache->HeaderTreeColumnMax; Context->HeaderStringCache = headerCache->HeaderTreeColumnStringCache; Context->HeaderTextCache = headerCache->HeaderTreeColumnTextCache; } return TRUE; case TNM_ENSUREVISIBLEINDEX: return PhTnpEnsureVisibleNode(Context, (ULONG)LParam); case TNM_GETVISIBLECOLUMN: { ULONG index = (ULONG)WParam; if (index >= Context->NumberOfColumnsByDisplay + (Context->FixedColumnVisible ? 1 : 0)) return FALSE; index = Context->ColumnsByDisplay[index - (Context->FixedColumnVisible ? 1 : 0)]->Id; return PhTnpCopyColumn(Context, index, (PPH_TREENEW_COLUMN)LParam); } break; case TNM_GETVISIBLECOLUMNARRAY: { ULONG count = (ULONG)WParam; PULONG visible = (PULONG)LParam; for (ULONG i = 0; i < count; i++) { if (visible[i] >= Context->AllocatedColumns) return FALSE; visible[i] = Context->Columns[visible[i]]->Visible; } } return TRUE; case TNM_GETSELECTEDCOUNT: { ULONG i; ULONG visibleCount; ULONG selectedCount; PPH_TREENEW_NODE node; if (Context->SuspendUpdateStructure) visibleCount = 0; else visibleCount = Context->FlatList->Count; selectedCount = 0; for (i = 0; i < visibleCount; i++) { node = Context->FlatList->Items[i]; if (node->Selected) { selectedCount++; } } return (LRESULT)selectedCount; } break; case TNM_GETSELECTEDNODE: { ULONG i; ULONG visibleCount; PPH_TREENEW_NODE node; if (Context->SuspendUpdateStructure) visibleCount = 0; else visibleCount = Context->FlatList->Count; for (i = 0; i < visibleCount; i++) { node = Context->FlatList->Items[i]; if (node->Selected) { return (LRESULT)node; } } } break; case TNM_FOCUSMARKSELECT: { PPH_TREENEW_NODE node = (PPH_TREENEW_NODE)LParam; SetFocus(WindowHandle); Context->FocusNode = node; // TNM_SETFOCUSNODE Context->MarkNodeIndex = node->Index; // TNM_SETMARKNODE PhTnpOnUserMessage(WindowHandle, Context, TNM_DESELECTRANGE, 0, -1); PhTnpOnUserMessage(WindowHandle, Context, TNM_SELECTRANGE, node->Index, node->Index); PhTnpEnsureVisibleNode(Context, node->Index); // TNM_ENSUREVISIBLE PhTnpOnUserMessage(WindowHandle, Context, TNM_INVALIDATENODES, node->Index, node->Index); } return TRUE; case TNM_FOCUSVISIBLENODE: { ULONG i; ULONG visibleCount; PPH_TREENEW_NODE node; if (Context->SuspendUpdateStructure) visibleCount = 0; else visibleCount = Context->FlatList->Count; for (i = 0; i < visibleCount; i++) { node = Context->FlatList->Items[i]; // Select the first visible node. if (node->Visible) { SetFocus(WindowHandle); Context->FocusNode = node; // TNM_SETFOCUSNODE Context->MarkNodeIndex = node->Index; // TNM_SETMARKNODE PhTnpOnUserMessage(WindowHandle, Context, TNM_DESELECTRANGE, 0, -1); PhTnpOnUserMessage(WindowHandle, Context, TNM_SELECTRANGE, node->Index, node->Index); PhTnpEnsureVisibleNode(Context, node->Index); // TNM_ENSUREVISIBLE PhTnpOnUserMessage(WindowHandle, Context, TNM_INVALIDATENODES, node->Index, node->Index); return TRUE; } } } break; case TNM_GETCELLPARTS: { PPH_TREENEW_GET_CELL_PARTS getCellParts = (PPH_TREENEW_GET_CELL_PARTS)LParam; if (getCellParts->Node && getCellParts->Column) { ULONG measureFlags = 0; PH_TREENEW_CELL_PARTS cellparts; if (FlagOn(getCellParts->Flags, TN_MEASURE_TEXT)) { measureFlags |= TN_MEASURE_TEXT; } RtlZeroMemory(&cellparts, sizeof(PH_TREENEW_CELL_PARTS)); if (PhTnpGetCellParts( Context, getCellParts->Node->Index, getCellParts->Column, measureFlags, &cellparts )) { RtlCopyMemory(&getCellParts->Parts, &cellparts, sizeof(PH_TREENEW_CELL_PARTS)); return TRUE; } } } break; } return 0; } /** * Sets the font for the treenew control and updates related metrics. * * \param Context Pointer to the treenew context structure. * \param Font Handle to the font to set, or NULL to use the default font. * \param Redraw TRUE to redraw the control after setting the font, FALSE otherwise. */ VOID PhTnpSetFont( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ HFONT Font, _In_ BOOLEAN Redraw ) { LOGFONT logFont; if (Context->FontOwned) { DeleteFont(Context->Font); Context->FontOwned = FALSE; } Context->Font = Font; if (!Context->Font) { if (PhGetSystemParametersInfo(SPI_GETICONTITLELOGFONT, sizeof(LOGFONT), &logFont, Context->WindowDpi)) { Context->Font = CreateFontIndirect(&logFont); Context->FontOwned = TRUE; } } SetWindowFont(Context->FixedHeaderHandle, Context->Font, Redraw); SetWindowFont(Context->HeaderHandle, Context->Font, Redraw); if (Context->TooltipsHandle) { SetWindowFont(Context->TooltipsHandle, Context->Font, FALSE); Context->TooltipFont = Context->Font; } PhTnpUpdateTextMetrics(Context); } /** * Updates the cached system metrics used by the treenew control. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpUpdateSystemMetrics( _In_ PPH_TREENEW_CONTEXT Context ) { Context->WindowDpi = PhGetWindowDpi(Context->Handle); Context->VScrollWidth = PhGetSystemMetrics(SM_CXVSCROLL, Context->WindowDpi); Context->HScrollHeight = PhGetSystemMetrics(SM_CYHSCROLL, Context->WindowDpi); Context->SystemBorderX = PhGetSystemMetrics(SM_CXBORDER, Context->WindowDpi); Context->SystemBorderY = PhGetSystemMetrics(SM_CYBORDER, Context->WindowDpi); Context->SystemEdgeX = PhGetSystemMetrics(SM_CXEDGE, Context->WindowDpi); Context->SystemEdgeY = PhGetSystemMetrics(SM_CYEDGE, Context->WindowDpi); Context->SystemDragX = PhGetSystemMetrics(SM_CXDRAG, Context->WindowDpi); Context->SystemDragY = PhGetSystemMetrics(SM_CYDRAG, Context->WindowDpi); Context->SmallIconWidth = PhGetSystemMetrics(SM_CXSMICON, Context->WindowDpi); Context->SmallIconHeight = PhGetSystemMetrics(SM_CYSMICON, Context->WindowDpi); Context->CellMarginLeft = PhGetDpi(TNP_CELL_LEFT_MARGIN, Context->WindowDpi); Context->CellMarginRight = PhGetDpi(TNP_CELL_RIGHT_MARGIN, Context->WindowDpi); Context->IconRightPadding = PhGetDpi(TNP_ICON_RIGHT_PADDING, Context->WindowDpi); Context->TextMarginPadding = PhGetDpi(6 + 6, Context->WindowDpi); Context->HeaderTextPadding = PhGetDpi(5, Context->WindowDpi); Context->HeaderTextMargin = PhGetDpi(2, Context->WindowDpi); Context->HeaderRowMargin = PhGetDpi(1, Context->WindowDpi); if (Context->SystemDragX < 2) Context->SystemDragX = 2; if (Context->SystemDragY < 2) Context->SystemDragY = 2; } /** * Updates the text metrics and row height for the treenew control. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpUpdateTextMetrics( _In_ PPH_TREENEW_CONTEXT Context ) { HDC hdc; if (hdc = GetDC(Context->Handle)) { SelectFont(hdc, Context->Font); GetTextMetrics(hdc, &Context->TextMetrics); if (!Context->CustomRowHeight) { // Below we try to match the row height as calculated by the list view, even if it // involves magic numbers. On Vista and above there seems to be extra padding. Context->RowHeight = Context->TextMetrics.tmHeight; if (Context->Style & TN_STYLE_ICONS) { if (Context->RowHeight < Context->SmallIconWidth) Context->RowHeight = Context->SmallIconWidth; } else { if (!(Context->Style & TN_STYLE_THIN_ROWS)) Context->RowHeight += 1; // HACK } Context->RowHeight += Context->HeaderRowMargin; // HACK if (!(Context->Style & TN_STYLE_THIN_ROWS)) Context->RowHeight += Context->HeaderTextMargin; // HACK } ReleaseDC(Context->Handle, hdc); } } /** * Updates the theme data and colors for the treenew control. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpUpdateThemeData( _In_ PPH_TREENEW_CONTEXT Context ) { Context->DefaultBackColor = GetSysColor(COLOR_WINDOW); Context->DefaultForeColor = GetSysColor(COLOR_WINDOWTEXT); Context->ThemeActive = !!PhIsThemeActive(); if (Context->ThemeData) { PhCloseThemeData(Context->ThemeData); Context->ThemeData = NULL; } Context->ThemeData = PhOpenThemeData(Context->Handle, VSCLASS_TREEVIEW, Context->WindowDpi); if (Context->ThemeData) { Context->ThemeHasItemBackground = !!PhIsThemePartDefined(Context->ThemeData, TVP_TREEITEM, 0); Context->ThemeHasGlyph = !!PhIsThemePartDefined(Context->ThemeData, TVP_GLYPH, 0); Context->ThemeHasHotGlyph = !!PhIsThemePartDefined(Context->ThemeData, TVP_HOTGLYPH, 0); } else { Context->ThemeHasItemBackground = FALSE; Context->ThemeHasGlyph = FALSE; Context->ThemeHasHotGlyph = FALSE; } } /** * Initializes the theme data for the treenew control on first use. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpInitializeThemeData( _In_ PPH_TREENEW_CONTEXT Context ) { if (!Context->ThemeInitialized) { PhTnpUpdateThemeData(Context); Context->ThemeInitialized = TRUE; } } /** * Cancels any active tracking operation in the treenew control. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpCancelTrack( _In_ PPH_TREENEW_CONTEXT Context ) { PhTnpSetFixedWidth(Context, Context->TrackOldFixedWidth); ReleaseCapture(); } /** * Recalculates the layout of all treenew control elements. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpLayout( _In_ PPH_TREENEW_CONTEXT Context ) { RECT clientRect; if (Context->EnableRedraw <= 0) { Context->SuspendUpdateLayout = TRUE; return; } clientRect = Context->ClientRect; PhTnpUpdateScrollBars(Context); // Vertical scroll bar if (Context->VScrollVisible) { MoveWindow( Context->VScrollHandle, clientRect.right - Context->VScrollWidth, 0, Context->VScrollWidth, clientRect.bottom - (Context->HScrollVisible ? Context->HScrollHeight : 0), TRUE ); } // Horizontal scroll bar if (Context->HScrollVisible) { MoveWindow( Context->HScrollHandle, Context->NormalLeft, clientRect.bottom - Context->HScrollHeight, clientRect.right - Context->NormalLeft - (Context->VScrollVisible ? Context->VScrollWidth : 0), Context->HScrollHeight, TRUE ); } // Filler box if (Context->VScrollVisible && Context->HScrollVisible) { MoveWindow( Context->FillerBoxHandle, clientRect.right - Context->VScrollWidth, clientRect.bottom - Context->HScrollHeight, Context->VScrollWidth, Context->HScrollHeight, TRUE ); } PhTnpLayoutHeader(Context); // Redraw the entire window if we are displaying empty text. if (Context->FlatList->Count == 0 && Context->EmptyText.Length != 0) InvalidateRect(Context->Handle, NULL, FALSE); } /** * Recalculates the layout of the header controls. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpLayoutHeader( _In_ PPH_TREENEW_CONTEXT Context ) { RECT rect; HDLAYOUT hdl; WINDOWPOS windowPos; hdl.prc = ▭ hdl.pwpos = &windowPos; if (!(Context->Style & TN_STYLE_NO_COLUMN_HEADER)) { LONG headerHeight = 0; if (Context->HeaderCustomDraw) { // HACK: Use the row height instead of querying the font. (dmex) if (Context->RowHeight) { headerHeight = Context->RowHeight + 1; } else { TEXTMETRIC textMetrics; HDC hdc; if (hdc = GetDC(Context->FixedHeaderHandle)) { SelectFont(hdc, GetWindowFont(Context->FixedHeaderHandle)); GetTextMetrics(hdc, &textMetrics); // Below we try to match the height as calculated by the header, even if it // involves magic numbers. On Vista and above there seems to be extra padding. headerHeight = textMetrics.tmHeight; ReleaseDC(Context->FixedHeaderHandle, hdc); } headerHeight += 5; // Add magic padding } } // Fixed portion header control rect.left = 0; rect.top = 0; rect.right = Context->NormalLeft; rect.bottom = Context->ClientRect.bottom; Header_Layout(Context->FixedHeaderHandle, &hdl); SetWindowPos(Context->FixedHeaderHandle, NULL, windowPos.x, windowPos.y, windowPos.cx, windowPos.cy + headerHeight, windowPos.flags); Context->HeaderHeight = windowPos.cy + headerHeight; // Normal portion header control rect.left = Context->NormalLeft - Context->HScrollPosition; rect.top = 0; rect.right = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); rect.bottom = Context->ClientRect.bottom; Header_Layout(Context->HeaderHandle, &hdl); SetWindowPos(Context->HeaderHandle, NULL, windowPos.x, windowPos.y, windowPos.cx, windowPos.cy + headerHeight, windowPos.flags); } else { Context->HeaderHeight = 0; } if (Context->TooltipsHandle) { TOOLINFO toolInfo; memset(&toolInfo, 0, sizeof(TOOLINFO)); toolInfo.cbSize = sizeof(TOOLINFO); toolInfo.hwnd = Context->FixedHeaderHandle; toolInfo.uId = TNP_TOOLTIPS_FIXED_HEADER; if (PhGetClientRect(Context->FixedHeaderHandle, &toolInfo.rect)) { SendMessage(Context->TooltipsHandle, TTM_NEWTOOLRECT, 0, (LPARAM)&toolInfo); } memset(&toolInfo, 0, sizeof(TOOLINFO)); toolInfo.cbSize = sizeof(TOOLINFO); toolInfo.hwnd = Context->HeaderHandle; toolInfo.uId = TNP_TOOLTIPS_HEADER; if (PhGetClientRect(Context->HeaderHandle, &toolInfo.rect)) { SendMessage(Context->TooltipsHandle, TTM_NEWTOOLRECT, 0, (LPARAM)&toolInfo); } } } /** * Sets the width of the fixed column. * * \param Context Pointer to the treenew context structure. * \param FixedWidth The new width for the fixed column. */ VOID PhTnpSetFixedWidth( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG FixedWidth ) { HDITEM item; if (Context->FixedColumnVisible) { Context->FixedWidth = FixedWidth; if (Context->FixedWidth < Context->FixedWidthMinimum) Context->FixedWidth = Context->FixedWidthMinimum; Context->NormalLeft = Context->FixedWidth + 1; item.mask = HDI_WIDTH; item.cxy = Context->FixedWidth + 1; Header_SetItem(Context->FixedHeaderHandle, 0, &item); } else { Context->FixedWidth = 0; Context->NormalLeft = 0; } } /** * Enables or disables redrawing of the treenew control. * * \param Context Pointer to the treenew context structure. * \param Redraw TRUE to enable redrawing, FALSE to disable. */ VOID PhTnpSetRedraw( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Redraw ) { if (Redraw) Context->EnableRedraw++; else Context->EnableRedraw--; if (Context->EnableRedraw == 1) { if (Context->SuspendUpdateStructure) { PhTnpRestructureNodes(Context); } if (Context->SuspendUpdateLayout) { PhTnpLayout(Context); } if (Context->SuspendUpdateMoveMouse) { POINT point; if (PhGetClientPos(Context->Handle, &point)) { PhTnpProcessMoveMouse(Context, point.x, point.y); } } Context->SuspendUpdateStructure = FALSE; Context->SuspendUpdateLayout = FALSE; Context->SuspendUpdateMoveMouse = FALSE; if (Context->SuspendUpdateRegion) { InvalidateRgn(Context->Handle, Context->SuspendUpdateRegion, FALSE); DeleteRgn(Context->SuspendUpdateRegion); Context->SuspendUpdateRegion = NULL; } } } /** * Sends a mouse event notification to the callback function. * * \param Context Pointer to the treenew context structure. * \param Message The mouse event message type. * \param CursorX The X coordinate of the cursor. * \param CursorY The Y coordinate of the cursor. * \param Node Pointer to the node under the cursor, if any. * \param Column Pointer to the column under the cursor, if any. * \param VirtualKeys The state of virtual keys. */ VOID PhTnpSendMouseEvent( _In_ PPH_TREENEW_CONTEXT Context, _In_ PH_TREENEW_MESSAGE Message, _In_ LONG CursorX, _In_ LONG CursorY, _In_opt_ PPH_TREENEW_NODE Node, _In_opt_ PPH_TREENEW_COLUMN Column, _In_ ULONG VirtualKeys ) { PH_TREENEW_MOUSE_EVENT mouseEvent; mouseEvent.Location.x = CursorX; mouseEvent.Location.y = CursorY; mouseEvent.Node = Node; mouseEvent.Column = Column; mouseEvent.KeyFlags = VirtualKeys; Context->Callback(Context->Handle, Message, &mouseEvent, NULL, Context->CallbackContext); } /** * Looks up a column by its unique identifier. * * \param Context Pointer to the treenew context structure. * \param Id The column identifier to search for. * \return Pointer to the column structure if found, NULL otherwise. */ PPH_TREENEW_COLUMN PhTnpLookupColumnById( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id ) { if (Id >= Context->AllocatedColumns) return NULL; return Context->Columns[Id]; } /** * Adds a new column to the treenew control. * * \param Context Pointer to the treenew context structure. * \param Column Pointer to the column structure to add. * \return TRUE if the column was added successfully, FALSE otherwise. */ BOOLEAN PhTnpAddColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column ) { PPH_TREENEW_COLUMN realColumn; // Check if a column with the same ID already exists. if (Column->Id < Context->AllocatedColumns && Context->Columns[Column->Id]) return FALSE; if (Context->NextId < Column->Id + 1) Context->NextId = Column->Id + 1; realColumn = PhAllocateCopy(Column, sizeof(PH_TREENEW_COLUMN)); if (realColumn->DpiScaleOnAdd) { if (WindowsVersion >= WINDOWS_10) { realColumn->Width = PhGetDpi(realColumn->Width, Context->WindowDpi); } realColumn->DpiScaleOnAdd = FALSE; } if (Context->AllocatedColumns < Context->NextId) { PhTnpExpandAllocatedColumns(Context); } Context->Columns[Column->Id] = realColumn; Context->NumberOfColumns++; if (realColumn->Fixed) { if (Context->FixedColumn) { // We already have a fixed column, and we can't have two. Make this new column un-fixed. realColumn->Fixed = FALSE; } else { Context->FixedColumn = realColumn; } realColumn->DisplayIndex = 0; realColumn->s.ViewX = 0; } if (realColumn->Visible) { BOOLEAN updateHeaders; updateHeaders = FALSE; assert(Context->NumberOfColumnsByDisplay == (ULONG)Header_GetItemCount(Context->HeaderHandle)); //if (!realColumn->Fixed && realColumn->DisplayIndex != Header_GetItemCount(Context->HeaderHandle)) if (!realColumn->Fixed && realColumn->DisplayIndex != Context->NumberOfColumnsByDisplay) updateHeaders = TRUE; realColumn->s.ViewIndex = PhTnpInsertColumnHeader(Context, realColumn); if (updateHeaders) PhTnpUpdateColumnHeaders(Context); } else { realColumn->s.ViewIndex = -1; } PhTnpUpdateColumnMaps(Context); if (realColumn->Visible) PhTnpLayout(Context); return TRUE; } /** * Removes a column from the tree view control by its ID. * * This function deletes the specified column, updates the layout if necessary, * and frees associated resources. The column is removed from the internal columns array, * and the column maps are updated accordingly. * * \param Context Pointer to the tree-new context. * \param Id The ID of the column to remove. * \return TRUE if the column was removed; FALSE if the column was not found. */ BOOLEAN PhTnpRemoveColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id ) { PPH_TREENEW_COLUMN realColumn; BOOLEAN updateLayout; if (!(realColumn = PhTnpLookupColumnById(Context, Id))) return FALSE; updateLayout = FALSE; if (realColumn->Visible) updateLayout = TRUE; PhTnpDeleteColumnHeader(Context, realColumn); Context->Columns[realColumn->Id] = NULL; PhFree(realColumn); PhTnpUpdateColumnMaps(Context); if (updateLayout) PhTnpLayout(Context); Context->NumberOfColumns--; return TRUE; } /** * Copies the data of a column by its ID into a provided column structure. * * This function looks up the column by ID and copies its data into the output structure. * * \param Context Pointer to the tree-new context. * \param Id The ID of the column to copy. * \param Column Pointer to a PH_TREENEW_COLUMN structure to receive the data. * \return TRUE if the column was found and copied; FALSE otherwise. */ _Success_(return) BOOLEAN PhTnpCopyColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Id, _Out_ PPH_TREENEW_COLUMN Column ) { PPH_TREENEW_COLUMN realColumn; if (!(realColumn = PhTnpLookupColumnById(Context, Id))) return FALSE; memcpy(Column, realColumn, sizeof(PH_TREENEW_COLUMN)); return TRUE; } /** * Changes the properties of a column by its ID and a mask. * * This function updates the specified properties of a column, such as visibility, width, * alignment, display index, and other attributes, according to the provided mask and column data. * It handles layout and header updates as needed. * * \param Context Pointer to the tree-new context. * \param Mask Bitmask specifying which properties to update. * \param Id The ID of the column to change. * \param Column Pointer to a PH_TREENEW_COLUMN structure containing new values. * \return TRUE if the column was found and updated; FALSE otherwise. */ BOOLEAN PhTnpChangeColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Mask, _In_ ULONG Id, _In_ PPH_TREENEW_COLUMN Column ) { PPH_TREENEW_COLUMN realColumn; BOOLEAN addingOrRemoving; if (!(realColumn = PhTnpLookupColumnById(Context, Id))) return FALSE; addingOrRemoving = FALSE; if (Mask & TN_COLUMN_FLAG_VISIBLE) { if (realColumn->Visible != Column->Visible) { addingOrRemoving = TRUE; } } if (Mask & TN_COLUMN_FLAG_CUSTOMDRAW) { realColumn->CustomDraw = Column->CustomDraw; } if (Mask & TN_COLUMN_FLAG_SORTDESCENDING) { realColumn->SortDescending = Column->SortDescending; } if (Mask & (TN_COLUMN_TEXT | TN_COLUMN_WIDTH | TN_COLUMN_ALIGNMENT | TN_COLUMN_DISPLAYINDEX)) { BOOLEAN updateHeaders; BOOLEAN updateMaps; BOOLEAN updateLayout; updateHeaders = FALSE; updateMaps = FALSE; updateLayout = FALSE; if (Mask & TN_COLUMN_TEXT) { realColumn->Text = Column->Text; } if (Mask & TN_COLUMN_WIDTH) { realColumn->Width = Column->Width; updateMaps = TRUE; } if (Mask & TN_COLUMN_ALIGNMENT) { realColumn->Alignment = Column->Alignment; } if (Mask & TN_COLUMN_DISPLAYINDEX) { realColumn->DisplayIndex = Column->DisplayIndex; updateHeaders = TRUE; updateMaps = TRUE; updateLayout = TRUE; } if (!addingOrRemoving && realColumn->Visible) { PhTnpChangeColumnHeader(Context, Mask, realColumn); if (updateHeaders) PhTnpUpdateColumnHeaders(Context); if (updateMaps) PhTnpUpdateColumnMaps(Context); if (updateLayout) PhTnpLayout(Context); } } if (Mask & TN_COLUMN_CONTEXT) { realColumn->Context = Column->Context; } if (Mask & TN_COLUMN_TEXTFLAGS) { realColumn->TextFlags = Column->TextFlags; } if (addingOrRemoving) { if (Column->Visible) { BOOLEAN updateHeaders; updateHeaders = FALSE; if (realColumn->Fixed) { realColumn->DisplayIndex = 0; } else { if (Mask & TN_COLUMN_DISPLAYINDEX) updateHeaders = TRUE; else realColumn->DisplayIndex = Header_GetItemCount(Context->HeaderHandle); } realColumn->s.ViewIndex = PhTnpInsertColumnHeader(Context, realColumn); if (updateHeaders) PhTnpUpdateColumnHeaders(Context); } else { PhTnpDeleteColumnHeader(Context, realColumn); } PhTnpUpdateColumnMaps(Context); PhTnpLayout(Context); } return TRUE; } /** * Expands the allocated columns array for the tree view control. * * This function doubles the size of the columns array when more space is needed, * or initializes it if not already allocated. It ensures that the array is large enough * to accommodate all columns, and zeroes the newly allocated memory. * * \param Context Pointer to the tree-new context. */ VOID PhTnpExpandAllocatedColumns( _In_ PPH_TREENEW_CONTEXT Context ) { if (Context->Columns) { ULONG oldAllocatedColumns; oldAllocatedColumns = Context->AllocatedColumns; Context->AllocatedColumns *= 2; if (Context->AllocatedColumns < Context->NextId) Context->AllocatedColumns = Context->NextId; Context->Columns = PhReAllocate( Context->Columns, Context->AllocatedColumns * sizeof(PPH_TREENEW_COLUMN) ); // Zero the newly allocated portion. memset( &Context->Columns[oldAllocatedColumns], 0, (Context->AllocatedColumns - oldAllocatedColumns) * sizeof(PPH_TREENEW_COLUMN) ); } else { Context->AllocatedColumns = 16; if (Context->AllocatedColumns < Context->NextId) Context->AllocatedColumns = Context->NextId; Context->Columns = PhAllocate( Context->AllocatedColumns * sizeof(PPH_TREENEW_COLUMN) ); memset(Context->Columns, 0, Context->AllocatedColumns * sizeof(PPH_TREENEW_COLUMN)); } } /** * Updates the internal column mapping arrays. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpUpdateColumnMaps( _In_ PPH_TREENEW_CONTEXT Context ) { ULONG i; LONG x; if (Context->AllocatedColumnsByDisplay < Context->NumberOfColumns) { if (Context->ColumnsByDisplay) PhFree(Context->ColumnsByDisplay); Context->ColumnsByDisplay = PhAllocate(sizeof(PPH_TREENEW_COLUMN) * Context->NumberOfColumns); Context->AllocatedColumnsByDisplay = Context->NumberOfColumns; } memset(Context->ColumnsByDisplay, 0, sizeof(PPH_TREENEW_COLUMN) * Context->AllocatedColumnsByDisplay); for (i = 0; i < Context->NextId; i++) { if (!Context->Columns[i]) continue; if (Context->Columns[i]->Visible && !Context->Columns[i]->Fixed && Context->Columns[i]->DisplayIndex != ULONG_MAX) { if (Context->Columns[i]->DisplayIndex >= Context->NumberOfColumns) { PhRaiseStatus(STATUS_INTERNAL_ERROR); return; } Context->ColumnsByDisplay[Context->Columns[i]->DisplayIndex] = Context->Columns[i]; } } x = 0; for (i = 0; i < Context->AllocatedColumnsByDisplay; i++) { if (!Context->ColumnsByDisplay[i]) break; Context->ColumnsByDisplay[i]->s.ViewX = x; x += Context->ColumnsByDisplay[i]->Width; } Context->NumberOfColumnsByDisplay = i; Context->TotalViewX = x; if (Context->FixedColumnVisible) Context->FirstColumn = Context->FixedColumn; else if (Context->NumberOfColumnsByDisplay != 0) Context->FirstColumn = Context->ColumnsByDisplay[0]; else Context->FirstColumn = NULL; if (Context->NumberOfColumnsByDisplay != 0) Context->LastColumn = Context->ColumnsByDisplay[Context->NumberOfColumnsByDisplay - 1]; else if (Context->FixedColumnVisible) Context->LastColumn = Context->FixedColumn; else Context->LastColumn = NULL; } /** * Inserts a column header into the appropriate header control. * * \param Context Pointer to the treenew context structure. * \param Column Pointer to the column structure. * \return The index of the inserted header item, or -1 on failure. */ LONG PhTnpInsertColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column ) { HDITEM item; if (Column->Fixed) { if (Column->Width < Context->FixedWidthMinimum) Column->Width = Context->FixedWidthMinimum; Context->FixedWidth = Column->Width; Context->NormalLeft = Context->FixedWidth + 1; Context->FixedColumnVisible = TRUE; if (!(Context->Style & TN_STYLE_NO_DIVIDER)) Context->FixedDividerVisible = TRUE; } memset(&item, 0, sizeof(HDITEM)); item.mask = HDI_WIDTH | HDI_TEXT | HDI_FORMAT | HDI_LPARAM | HDI_ORDER; item.cxy = Column->Width; item.pszText = (PWSTR)Column->Text; item.fmt = 0; item.lParam = (LPARAM)Column; if (Column->Fixed) item.cxy++; if (Column->Fixed) item.iOrder = 0; else item.iOrder = Column->DisplayIndex; if (Column->Alignment & PH_ALIGN_LEFT) item.fmt |= HDF_LEFT; else if (Column->Alignment & PH_ALIGN_RIGHT) item.fmt |= HDF_RIGHT; else item.fmt |= HDF_CENTER; if (Column->Id == Context->SortColumn) { if (Context->SortOrder == AscendingSortOrder) item.fmt |= HDF_SORTUP; else if (Context->SortOrder == DescendingSortOrder) item.fmt |= HDF_SORTDOWN; } Column->Visible = TRUE; if (Column->Fixed) return Header_InsertItem(Context->FixedHeaderHandle, 0, &item); else return Header_InsertItem(Context->HeaderHandle, MAXINT, &item); } /** * Changes the properties of a column header. * * \param Context Pointer to the treenew context structure. * \param Mask Bitmask specifying which properties to update. * \param Column Pointer to the column structure. */ VOID PhTnpChangeColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Mask, _In_ PPH_TREENEW_COLUMN Column ) { HDITEM item; memset(&item, 0, sizeof(HDITEM)); item.mask = 0; if (Mask & TN_COLUMN_TEXT) { item.mask |= HDI_TEXT; item.pszText = (PWSTR)Column->Text; } if (Mask & TN_COLUMN_WIDTH) { item.mask |= HDI_WIDTH; item.cxy = Column->Width; if (Column->Fixed) item.cxy++; } if (Mask & TN_COLUMN_ALIGNMENT) { item.mask |= HDI_FORMAT; item.fmt = 0; if (Column->Alignment & PH_ALIGN_LEFT) item.fmt |= HDF_LEFT; else if (Column->Alignment & PH_ALIGN_RIGHT) item.fmt |= HDF_RIGHT; else item.fmt |= HDF_CENTER; if (Column->Id == Context->SortColumn) { if (Context->SortOrder == AscendingSortOrder) item.fmt |= HDF_SORTUP; else if (Context->SortOrder == DescendingSortOrder) item.fmt |= HDF_SORTDOWN; } } if (Mask & TN_COLUMN_DISPLAYINDEX) { item.mask |= HDI_ORDER; if (Column->Fixed) item.iOrder = 0; else item.iOrder = Column->DisplayIndex; } if (Column->Fixed) Header_SetItem(Context->FixedHeaderHandle, 0, &item); else Header_SetItem(Context->HeaderHandle, Column->s.ViewIndex, &item); } /** * Deletes a column header from the header control. * * \param Context Pointer to the treenew context structure. * \param Column Pointer to the column structure. */ VOID PhTnpDeleteColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _Inout_ PPH_TREENEW_COLUMN Column ) { if (Column->Fixed) { Context->FixedColumn = NULL; Context->FixedWidth = 0; Context->NormalLeft = 0; Context->FixedColumnVisible = FALSE; Context->FixedDividerVisible = FALSE; } if (Column->Fixed) Header_DeleteItem(Context->FixedHeaderHandle, Column->s.ViewIndex); else Header_DeleteItem(Context->HeaderHandle, Column->s.ViewIndex); Column->Visible = FALSE; Column->s.ViewIndex = -1; PhTnpUpdateColumnHeaders(Context); } /** * Updates all column headers to reflect current column states. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpUpdateColumnHeaders( _In_ PPH_TREENEW_CONTEXT Context ) { LONG count; LONG i; HDITEM item; PPH_TREENEW_COLUMN column; item.mask = HDI_WIDTH | HDI_LPARAM | HDI_ORDER; // Fixed column if (Context->FixedColumnVisible && Header_GetItem(Context->FixedHeaderHandle, 0, &item)) { column = Context->FixedColumn; column->Width = item.cxy - 1; } // Normal columns count = Header_GetItemCount(Context->HeaderHandle); if (count != INT_ERROR) { for (i = 0; i < count; i++) { if (Header_GetItem(Context->HeaderHandle, i, &item)) { column = (PPH_TREENEW_COLUMN)item.lParam; column->s.ViewIndex = i; column->Width = item.cxy; column->DisplayIndex = item.iOrder; } } } } /** * Updates column headers after a DPI change. * * \param Context Pointer to the treenew context structure. * \param OldWindowDpi The previous DPI value. * \param NewWindowDpi The new DPI value. */ VOID PhTnpUpdateColumnHeadersDpiChanged( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG OldWindowDpi, _In_ LONG NewWindowDpi ) { LONG count; LONG i; HDITEM item; PPH_TREENEW_COLUMN column; item.mask = HDI_WIDTH | HDI_LPARAM; // Fixed column if (Context->FixedColumnVisible && Header_GetItem(Context->FixedHeaderHandle, 0, &item)) { column = Context->FixedColumn; column->Width = PhMultiplyDivideSigned(item.cxy, NewWindowDpi, OldWindowDpi); PhTnpChangeColumn(Context, TN_COLUMN_WIDTH, column->Id, column); } // Normal columns count = Header_GetItemCount(Context->HeaderHandle); if (count != INT_ERROR) { for (i = 0; i < count; i++) { if (Header_GetItem(Context->HeaderHandle, i, &item)) { column = (PPH_TREENEW_COLUMN)item.lParam; column->Width = PhMultiplyDivideSigned(item.cxy, NewWindowDpi, OldWindowDpi); PhTnpChangeColumn(Context, TN_COLUMN_WIDTH, column->Id, column); } } } } /** * Processes a column resize operation. * * \param Context Pointer to the treenew context structure. * \param Column Pointer to the column being resized. * \param Delta The change in width. */ VOID PhTnpProcessResizeColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column, _In_ LONG Delta ) { RECT rect; LONG columnLeft; if (Column->Fixed) { columnLeft = 0; } else { columnLeft = Context->NormalLeft + Column->s.ViewX - Context->HScrollPosition; } // Scroll the content to the right of the column. // // Clip the scroll area to the new width, or the old width if that is further to the left. We // may have the WS_CLIPCHILDREN style set, so we need to remove the horizontal scrollbar from // the rectangle, otherwise ScrollWindowEx will want to invalidate the entire region! (The // horizontal scrollbar is an overlapping child control.) rect.left = columnLeft + Column->Width; rect.top = Context->HeaderHeight; rect.right = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); rect.bottom = Context->ClientRect.bottom - (Context->HScrollVisible ? Context->HScrollHeight : 0); if (Delta > 0) rect.left -= Delta; // old width // Scroll the window. ScrollWindowEx( Context->Handle, Delta, 0, &rect, &rect, NULL, NULL, SW_INVALIDATE ); UpdateWindow(Context->Handle); // required if (Context->HScrollVisible) { // We excluded the bottom region - invalidate it now. rect.top = rect.bottom; rect.bottom = Context->ClientRect.bottom; InvalidateRect(Context->Handle, &rect, FALSE); } PhTnpLayout(Context); // Redraw the whole column because the content may depend on the width (e.g. text ellipsis). rect.left = columnLeft; rect.top = Context->HeaderHeight; rect.right = columnLeft + Column->Width; RedrawWindow(Context->Handle, &rect, NULL, RDW_INVALIDATE | RDW_UPDATENOW); // must be RedrawWindow } /** * Processes a column sort operation. * * \param Context Pointer to the treenew context structure. * \param NewColumn Pointer to the column being sorted. */ VOID PhTnpProcessSortColumn( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN NewColumn ) { PH_TREENEW_SORT_CHANGED_EVENT sortOrderEvent; if (NewColumn->Id == Context->SortColumn) { if (Context->TriState) { if (!NewColumn->SortDescending) { // Ascending -> Descending -> None if (Context->SortOrder == AscendingSortOrder) Context->SortOrder = DescendingSortOrder; else if (Context->SortOrder == DescendingSortOrder) Context->SortOrder = NoSortOrder; else Context->SortOrder = AscendingSortOrder; } else { // Descending -> Ascending -> None if (Context->SortOrder == DescendingSortOrder) Context->SortOrder = AscendingSortOrder; else if (Context->SortOrder == AscendingSortOrder) Context->SortOrder = NoSortOrder; else Context->SortOrder = DescendingSortOrder; } } else { if (Context->SortOrder == AscendingSortOrder) Context->SortOrder = DescendingSortOrder; else Context->SortOrder = AscendingSortOrder; } } else { Context->SortColumn = NewColumn->Id; if (!NewColumn->SortDescending) Context->SortOrder = AscendingSortOrder; else Context->SortOrder = DescendingSortOrder; } PhTnpSetColumnHeaderSortIcon(Context, NewColumn); memset(&sortOrderEvent, 0, sizeof(PH_TREENEW_SORT_CHANGED_EVENT)); sortOrderEvent.SortColumn = Context->SortColumn; sortOrderEvent.SortOrder = Context->SortOrder; Context->Callback(Context->Handle, TreeNewSortChanged, &sortOrderEvent, NULL, Context->CallbackContext); } /** * Sets the sort icon on a column header. * * \param Context Pointer to the treenew context structure. * \param SortColumnPointer Pointer to the column being sorted, or NULL to look it up. * \return TRUE if the icon was set successfully, FALSE otherwise. */ BOOLEAN PhTnpSetColumnHeaderSortIcon( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ PPH_TREENEW_COLUMN SortColumnPointer ) { if (Context->SortOrder == NoSortOrder) { PhSetHeaderSortIcon( Context->FixedHeaderHandle, -1, NoSortOrder ); PhSetHeaderSortIcon( Context->HeaderHandle, -1, NoSortOrder ); return TRUE; } if (!SortColumnPointer) { if (!(SortColumnPointer = PhTnpLookupColumnById(Context, Context->SortColumn))) return FALSE; } if (SortColumnPointer->Fixed) { PhSetHeaderSortIcon( Context->FixedHeaderHandle, 0, Context->SortOrder ); PhSetHeaderSortIcon( Context->HeaderHandle, -1, NoSortOrder ); } else { PhSetHeaderSortIcon( Context->FixedHeaderHandle, -1, NoSortOrder ); PhSetHeaderSortIcon( Context->HeaderHandle, SortColumnPointer->s.ViewIndex, Context->SortOrder ); } return TRUE; } /** * Automatically sizes a column header to fit its content. * * \param Context Pointer to the treenew context structure. * \param HeaderHandle Handle to the header control. * \param Column Pointer to the column to auto-size. * \param Flags Flags controlling the auto-size behavior. */ VOID PhTnpAutoSizeColumnHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ HWND HeaderHandle, _In_ PPH_TREENEW_COLUMN Column, _In_ ULONG Flags ) { LONG newWidth; HDITEM item; if (Flags & TN_AUTOSIZE_REMAINING_SPACE) { newWidth = Context->ClientRect.right - (Context->TotalViewX - Column->Width); if (Context->FixedColumn) newWidth -= Context->FixedColumn->Width; if (Context->VScrollVisible) newWidth -= Context->VScrollWidth; if (newWidth <= 0) return; } else { ULONG i; LONG maximumWidth; PH_TREENEW_CELL_PARTS parts; LONG width; if (Context->FlatList->Count == 0) return; if (Column->CustomDraw) return; maximumWidth = 0; for (i = 0; i < Context->FlatList->Count; i++) { if (PhTnpGetCellParts(Context, i, Column, TN_MEASURE_TEXT, &parts) && (parts.Flags & TN_PART_CELL) && (parts.Flags & TN_PART_CONTENT) && (parts.Flags & TN_PART_TEXT)) { width = parts.TextRect.right - parts.TextRect.left; // text width width += parts.ContentRect.left - parts.CellRect.left; // left padding if (maximumWidth < width) maximumWidth = width; } } newWidth = maximumWidth + Context->CellMarginRight; // right padding if (Column->Fixed) newWidth++; // Check the column header text width. if (Column->Text) { PCWSTR text; SIZE_T textCount; HDC hdc; SIZE textSize; text = Column->Text; textCount = PhCountStringZ(text); if (hdc = GetDC(Context->Handle)) { SelectFont(hdc, Context->Font); if (GetTextExtentPoint32(hdc, text, (ULONG)textCount, &textSize)) { if (newWidth < textSize.cx + Context->TextMarginPadding) // HACK: Magic values (same as our cell margins?) newWidth = textSize.cx + Context->TextMarginPadding; } ReleaseDC(Context->Handle, hdc); } } // Check the custom header text width. (dmex) if (Context->HeaderCustomDraw) { PH_STRINGREF headerString; if (PhTnpGetColumnHeaderText( Context, Column, &headerString )) { HDC hdc; SIZE textSize; if (hdc = GetDC(Context->Handle)) { SelectFont(hdc, Context->HeaderBoldFontHandle); if (GetTextExtentPoint32(hdc, headerString.Buffer, (ULONG)headerString.Length / sizeof(WCHAR), &textSize)) { if (newWidth < textSize.cx + Context->TextMarginPadding) // HACK: Magic values (same as our cell margins?) newWidth = textSize.cx + Context->TextMarginPadding; } ReleaseDC(Context->Handle, hdc); } } } } item.mask = HDI_WIDTH; item.cxy = newWidth; Header_SetItem(HeaderHandle, Column->s.ViewIndex, &item); } /** * Gets the list of child nodes for a given node. * * \param Context Pointer to the treenew context structure. * \param Node Pointer to the parent node, or NULL for root nodes. * \param Children Pointer to receive the array of child nodes. * \param NumberOfChildren Pointer to receive the number of children. * \return TRUE if the operation succeeded, FALSE otherwise. */ _Success_(return) BOOLEAN PhTnpGetNodeChildren( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ PPH_TREENEW_NODE Node, _Out_ PPH_TREENEW_NODE **Children, _Out_ PULONG NumberOfChildren ) { PH_TREENEW_GET_CHILDREN getChildren; getChildren.Flags = 0; getChildren.Node = Node; getChildren.Children = NULL; getChildren.NumberOfChildren = 0; if (Context->Callback( Context->Handle, TreeNewGetChildren, &getChildren, NULL, Context->CallbackContext )) { *Children = getChildren.Children; *NumberOfChildren = getChildren.NumberOfChildren; return TRUE; } return FALSE; } /** * Determines whether a node is a leaf node (has no children). * * \param Context Pointer to the treenew context structure. * \param Node Pointer to the node to check. * \return TRUE if the node is a leaf, FALSE otherwise. */ BOOLEAN PhTnpIsNodeLeaf( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node ) { PH_TREENEW_IS_LEAF isLeaf; isLeaf.Flags = 0; isLeaf.Node = Node; isLeaf.IsLeaf = TRUE; if (Context->Callback( Context->Handle, TreeNewIsLeaf, &isLeaf, NULL, Context->CallbackContext )) { return isLeaf.IsLeaf; } // Doesn't matter, decide when we do the get-children callback. return FALSE; } /** * Retrieves the text for a specific cell. * * \param Context Pointer to the treenew context structure. * \param Node Pointer to the node. * \param Id The column ID. * \param Text Pointer to receive the cell text as a string reference. * \return TRUE if text was retrieved, FALSE otherwise. */ _Success_(return) BOOLEAN PhTnpGetCellText( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ ULONG Id, _Out_ PPH_STRINGREF Text ) { PH_TREENEW_GET_CELL_TEXT getCellText; if (Id < Node->TextCacheSize && Node->TextCache[Id].Buffer) { *Text = Node->TextCache[Id]; return TRUE; } getCellText.Flags = 0; getCellText.Node = Node; getCellText.Id = Id; PhInitializeEmptyStringRef(&getCellText.Text); if (Context->Callback( Context->Handle, TreeNewGetCellText, &getCellText, NULL, Context->CallbackContext ) && getCellText.Text.Buffer) { *Text = getCellText.Text; if ((getCellText.Flags & TN_CACHE) && Id < Node->TextCacheSize) Node->TextCache[Id] = getCellText.Text; return TRUE; } return FALSE; } /** * Restructures the flat list of visible nodes based on the tree hierarchy. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpRestructureNodes( _In_ PPH_TREENEW_CONTEXT Context ) { PPH_TREENEW_NODE *children; ULONG numberOfChildren; ULONG i; if (!PhTnpGetNodeChildren(Context, NULL, &children, &numberOfChildren)) return; // We try to preserve the hot node, the focused node and the selection mark node. At this point // all node pointers must be regarded as invalid, so we must not follow any pointers. Context->FocusNodeFound = FALSE; PhClearList(Context->FlatList); Context->CanAnyExpand = FALSE; for (i = 0; i < numberOfChildren; i++) { PhTnpInsertNodeChildren(Context, children[i], 0); } if (!Context->FocusNodeFound) Context->FocusNode = NULL; // focused node is no longer present if (Context->HotNodeIndex >= Context->FlatList->Count) // covers -1 case as well Context->HotNodeIndex = ULONG_MAX; if (Context->MarkNodeIndex >= Context->FlatList->Count) Context->MarkNodeIndex = ULONG_MAX; } /** * Inserts child nodes into the flat list recursively. * * \param Context Pointer to the treenew context structure. * \param Node Pointer to the parent node. * \param Level The nesting level of the children. */ VOID PhTnpInsertNodeChildren( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ ULONG Level ) { PPH_TREENEW_NODE *children; ULONG numberOfChildren; ULONG i; ULONG nextLevel; if (Node->Visible) { Node->Level = Level; Node->Index = Context->FlatList->Count; PhAddItemList(Context->FlatList, Node); if (Context->FocusNode == Node) Context->FocusNodeFound = TRUE; nextLevel = Level + 1; } else { nextLevel = 0; // children of this node should be level 0 } if (!(Node->s.IsLeaf = PhTnpIsNodeLeaf(Context, Node))) { Context->CanAnyExpand = TRUE; if (Node->Expanded) { if (PhTnpGetNodeChildren(Context, Node, &children, &numberOfChildren)) { for (i = 0; i < numberOfChildren; i++) { PhTnpInsertNodeChildren(Context, children[i], nextLevel); } if (numberOfChildren == 0) Node->s.IsLeaf = TRUE; } } } } /** * Sets the expanded state of a node. * * \param Context Pointer to the treenew context structure. * \param Node Pointer to the node. * \param Expanded TRUE to expand the node, FALSE to collapse it. */ VOID PhTnpSetExpandedNode( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ BOOLEAN Expanded ) { if (Node->Expanded != Expanded) { PH_TREENEW_NODE_EVENT nodeEvent; memset(&nodeEvent, 0, sizeof(PH_TREENEW_NODE_EVENT)); Context->Callback(Context->Handle, TreeNewNodeExpanding, Node, &nodeEvent, Context->CallbackContext); if (!nodeEvent.Handled) { if (!Expanded) { ULONG i; PPH_TREENEW_NODE node; BOOLEAN changed; // Make sure no children are selected - we don't want invisible selected nodes. Note // that this does not cause any UI changes by itself, since we are hiding the nodes. changed = FALSE; for (i = Node->Index + 1; i < Context->FlatList->Count; i++) { node = Context->FlatList->Items[i]; if (node->Level <= Node->Level) break; // no more children if (node->Selected) { node->Selected = FALSE; changed = TRUE; } } if (changed) { Context->Callback(Context->Handle, TreeNewSelectionChanged, NULL, NULL, Context->CallbackContext); } } Node->Expanded = Expanded; PhTnpRestructureNodes(Context); // We need to update the window before the scrollbars get updated in order for the // scroll processing to work properly. InvalidateRect(Context->Handle, NULL, FALSE); UpdateWindow(Context->Handle); PhTnpLayout(Context); } } } /** * Calculates the positions and sizes of all parts of a cell. * * \param Context Pointer to the treenew context structure. * \param Index The index of the row. * \param Column Pointer to the column, or NULL for the fixed column. * \param Flags Flags controlling which parts to calculate. * \param Parts Pointer to receive the cell parts information. * \return TRUE if successful, FALSE otherwise. */ BOOLEAN PhTnpGetCellParts( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Index, _In_opt_ PPH_TREENEW_COLUMN Column, _In_ ULONG Flags, _Out_ PPH_TREENEW_CELL_PARTS Parts ) { PPH_TREENEW_NODE node; LONG viewWidth; LONG nodeY; LONG iconVerticalMargin; LONG currentX; if (Index >= Context->FlatList->Count) return FALSE; node = Context->FlatList->Items[Index]; nodeY = Context->HeaderHeight + ((LONG)Index - Context->VScrollPosition) * Context->RowHeight; Parts->Flags = 0; Parts->RowRect.left = 0; Parts->RowRect.right = Context->NormalLeft + Context->TotalViewX - Context->HScrollPosition; Parts->RowRect.top = nodeY; Parts->RowRect.bottom = nodeY + Context->RowHeight; viewWidth = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); if (Parts->RowRect.right > viewWidth) Parts->RowRect.right = viewWidth; if (!Column) return TRUE; if (!Column->Visible) return FALSE; iconVerticalMargin = (Context->RowHeight - Context->SmallIconHeight) / 2; if (Column->Fixed) { currentX = 0; } else { currentX = Context->NormalLeft + Column->s.ViewX - Context->HScrollPosition; } Parts->Flags |= TN_PART_CELL; Parts->CellRect.left = currentX; Parts->CellRect.right = currentX + Column->Width; Parts->CellRect.top = Parts->RowRect.top; Parts->CellRect.bottom = Parts->RowRect.bottom; currentX += Context->CellMarginLeft; if (Column == Context->FirstColumn) { currentX += (LONG)node->Level * Context->SmallIconWidth; if (Context->CanAnyExpand) { if (!node->s.IsLeaf) { Parts->Flags |= TN_PART_PLUSMINUS; Parts->PlusMinusRect.left = currentX; Parts->PlusMinusRect.right = currentX + Context->SmallIconWidth; Parts->PlusMinusRect.top = Parts->RowRect.top + iconVerticalMargin; Parts->PlusMinusRect.bottom = Parts->RowRect.bottom - iconVerticalMargin; } currentX += Context->SmallIconWidth; } if (node->Icon) { Parts->Flags |= TN_PART_ICON; Parts->IconRect.left = currentX; Parts->IconRect.right = currentX + Context->SmallIconWidth; Parts->IconRect.top = Parts->RowRect.top + iconVerticalMargin; Parts->IconRect.bottom = Parts->RowRect.bottom - iconVerticalMargin; currentX += Context->SmallIconWidth + Context->IconRightPadding; } } Parts->Flags |= TN_PART_CONTENT; Parts->ContentRect.left = currentX; Parts->ContentRect.right = Parts->CellRect.right - Context->CellMarginRight; Parts->ContentRect.top = Parts->RowRect.top; Parts->ContentRect.bottom = Parts->RowRect.bottom; if (Flags & TN_MEASURE_TEXT) { HDC hdc; PH_STRINGREF text; HFONT font; SIZE textSize; if (hdc = GetDC(Context->Handle)) { PhTnpPrepareRowForDraw(Context, hdc, node); if (PhTnpGetCellText(Context, node, Column->Id, &text)) { if (node->Font) font = node->Font; else font = Context->Font; SelectFont(hdc, font); if (GetTextExtentPoint32(hdc, text.Buffer, (ULONG)text.Length / sizeof(WCHAR), &textSize)) { Parts->Flags |= TN_PART_TEXT; Parts->TextRect.left = currentX; Parts->TextRect.right = currentX + textSize.cx; Parts->TextRect.top = Parts->RowRect.top + (Context->RowHeight - textSize.cy) / 2; Parts->TextRect.bottom = Parts->RowRect.bottom - (Context->RowHeight - textSize.cy) / 2; if (Column->TextFlags & DT_CENTER) { Parts->TextRect.left = Parts->ContentRect.left / 2 + (Parts->ContentRect.right - textSize.cx) / 2; Parts->TextRect.right = Parts->ContentRect.left + textSize.cx; } else if (Column->TextFlags & DT_RIGHT) { Parts->TextRect.right = Parts->ContentRect.right; Parts->TextRect.left = Parts->TextRect.right - textSize.cx; } Parts->Text = text; Parts->Font = font; } } ReleaseDC(Context->Handle, hdc); } } return TRUE; } _Success_(return) BOOLEAN PhTnpGetRowRects( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Start, _In_ ULONG End, _In_ BOOLEAN Clip, _Out_ PRECT Rect ) { LONG startY; LONG endY; LONG viewWidth; if (End >= Context->FlatList->Count) return FALSE; if (Start > End) return FALSE; startY = Context->HeaderHeight + ((LONG)Start - Context->VScrollPosition) * Context->RowHeight; endY = Context->HeaderHeight + ((LONG)End - Context->VScrollPosition) * Context->RowHeight; Rect->left = 0; Rect->right = Context->NormalLeft + Context->TotalViewX - Context->HScrollPosition; Rect->top = startY; Rect->bottom = endY + Context->RowHeight; viewWidth = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); if (Rect->right > viewWidth) Rect->right = viewWidth; if (Clip) { if (Rect->top < Context->HeaderHeight) Rect->top = Context->HeaderHeight; if (Rect->bottom > Context->ClientRect.bottom) Rect->bottom = Context->ClientRect.bottom; } return TRUE; } /** * Performs hit testing to determine what element is at a given point. * * \param Context Pointer to the treenew context structure. * \param HitTest Pointer to the hit test structure (Point input, other fields output). */ VOID PhTnpHitTest( _In_ PPH_TREENEW_CONTEXT Context, _Inout_ PPH_TREENEW_HIT_TEST HitTest ) { RECT clientRect; LONG x; LONG y; ULONG index; PPH_TREENEW_NODE node; HitTest->Flags = 0; HitTest->Node = NULL; HitTest->Column = NULL; clientRect = Context->ClientRect; x = HitTest->Point.x; y = HitTest->Point.y; if (x < 0) HitTest->Flags |= TN_HIT_LEFT; if (x >= clientRect.right) HitTest->Flags |= TN_HIT_RIGHT; if (y < 0) HitTest->Flags |= TN_HIT_ABOVE; if (y >= clientRect.bottom) HitTest->Flags |= TN_HIT_BELOW; if (HitTest->Flags == 0) { if (TNP_HIT_TEST_FIXED_DIVIDER(x, Context)) { HitTest->Flags |= TN_HIT_DIVIDER; } if (y >= Context->HeaderHeight && x < Context->FixedWidth + Context->TotalViewX) { index = (y - Context->HeaderHeight) / Context->RowHeight + Context->VScrollPosition; if (index < Context->FlatList->Count) { HitTest->Flags |= TN_HIT_ITEM; node = Context->FlatList->Items[index]; HitTest->Node = node; if (HitTest->InFlags & TN_TEST_COLUMN) { PPH_TREENEW_COLUMN column; LONG columnX; column = NULL; if (x < Context->FixedWidth && Context->FixedColumnVisible) { column = Context->FixedColumn; columnX = 0; } else { LONG currentX; ULONG i; PPH_TREENEW_COLUMN currentColumn; currentX = Context->NormalLeft - Context->HScrollPosition; for (i = 0; i < Context->NumberOfColumnsByDisplay; i++) { currentColumn = Context->ColumnsByDisplay[i]; if (x >= currentX && x < currentX + currentColumn->Width) { column = currentColumn; columnX = currentX; break; } currentX += currentColumn->Width; } } HitTest->Column = column; if (column && (HitTest->InFlags & TN_TEST_SUBITEM)) { BOOLEAN isFirstColumn; LONG currentX; LONG width; isFirstColumn = HitTest->Column == Context->FirstColumn; currentX = columnX; currentX += Context->CellMarginLeft; if (isFirstColumn) { width = Context->SmallIconWidth; currentX += (LONG)node->Level * width; if (!node->s.IsLeaf) { if (x >= currentX && x < currentX + width) HitTest->Flags |= TN_HIT_ITEM_PLUSMINUS; currentX += width; } if (node->Icon) { if (x >= currentX && x < currentX + width) HitTest->Flags |= TN_HIT_ITEM_ICON; currentX += width + Context->IconRightPadding; } } if (x >= currentX) { HitTest->Flags |= TN_HIT_ITEM_CONTENT; } } } } } } } /** * Selects a range of nodes. * * \param Context Pointer to the treenew context structure. * \param Start The starting node index. * \param End The ending node index. * \param Flags Flags controlling the selection behavior. * \param ChangedStart Pointer to receive the start of the changed range, or NULL. * \param ChangedEnd Pointer to receive the end of the changed range, or NULL. */ VOID PhTnpSelectRange( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Start, _In_ ULONG End, _In_ ULONG Flags, _Out_opt_ PULONG ChangedStart, _Out_opt_ PULONG ChangedEnd ) { ULONG maximum; ULONG i; PPH_TREENEW_NODE node; BOOLEAN targetValue; ULONG changedStart; ULONG changedEnd; if (Context->FlatList->Count == 0) return; maximum = Context->FlatList->Count - 1; if (End > maximum) { End = maximum; } if (Start > End) { // Start is too big, so the selection range becomes empty. // Set it to max + 1 so that Reset still works. Start = maximum + 1; End = 0; } targetValue = !(Flags & TN_SELECT_DESELECT); changedStart = maximum; changedEnd = 0; if (Flags & TN_SELECT_RESET) { for (i = 0; i < Start; i++) { node = Context->FlatList->Items[i]; if (node->Selected) { node->Selected = FALSE; if (changedStart > i) changedStart = i; if (changedEnd < i) changedEnd = i; } } } for (i = Start; i <= End; i++) { node = Context->FlatList->Items[i]; if (!node->Unselectable && ((Flags & TN_SELECT_TOGGLE) || node->Selected != targetValue)) { node->Selected = !node->Selected; if (changedStart > i) changedStart = i; if (changedEnd < i) changedEnd = i; } } if (Flags & TN_SELECT_RESET) { for (i = End + 1; i <= maximum; i++) { node = Context->FlatList->Items[i]; if (node->Selected) { node->Selected = FALSE; if (changedStart > i) changedStart = i; if (changedEnd < i) changedEnd = i; } } } if (changedStart <= changedEnd) { Context->Callback(Context->Handle, TreeNewSelectionChanged, NULL, NULL, Context->CallbackContext); } if (ChangedStart) *ChangedStart = changedStart; if (ChangedEnd) *ChangedEnd = changedEnd; } /** * Sets the hot node (the node under the mouse cursor). * * \param Context Pointer to the treenew context structure. * \param NewHotNode Pointer to the new hot node, or NULL to clear. * \param NewPlusMinusHot TRUE if the plus/minus glyph is hot, FALSE otherwise. */ VOID PhTnpSetHotNode( _In_ PPH_TREENEW_CONTEXT Context, _In_opt_ PPH_TREENEW_NODE NewHotNode, _In_ BOOLEAN NewPlusMinusHot ) { ULONG newHotNodeIndex; RECT rowRect; BOOLEAN needsInvalidate; if (NewHotNode) newHotNodeIndex = NewHotNode->Index; else newHotNodeIndex = ULONG_MAX; needsInvalidate = FALSE; if (Context->HotNodeIndex != newHotNodeIndex) { if (Context->HotNodeIndex != ULONG_MAX) { if (Context->ThemeData && PhTnpGetRowRects(Context, Context->HotNodeIndex, Context->HotNodeIndex, TRUE, &rowRect)) { // Update the old hot node because it may have a different non-hot background and // plus minus part. InvalidateRect(Context->Handle, &rowRect, FALSE); } } Context->HotNodeIndex = newHotNodeIndex; if (NewHotNode) { needsInvalidate = TRUE; } } if (NewHotNode) { if (NewHotNode->s.PlusMinusHot != NewPlusMinusHot) { NewHotNode->s.PlusMinusHot = NewPlusMinusHot; needsInvalidate = TRUE; } if (needsInvalidate && Context->ThemeData && PhTnpGetRowRects(Context, newHotNodeIndex, newHotNodeIndex, TRUE, &rowRect)) { InvalidateRect(Context->Handle, &rowRect, FALSE); } } } /** * Processes node selection in response to mouse or keyboard input. * * \param Context Pointer to the treenew context structure. * \param Node Pointer to the node to select. * \param ControlKey TRUE if the Control key is pressed, FALSE otherwise. * \param ShiftKey TRUE if the Shift key is pressed, FALSE otherwise. * \param RightButton TRUE if the right mouse button was used, FALSE otherwise. */ VOID PhTnpProcessSelectNode( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_NODE Node, _In_ LOGICAL ControlKey, _In_ LOGICAL ShiftKey, _In_ LOGICAL RightButton ) { ULONG changedStart; ULONG changedEnd; RECT rect; if (RightButton) { // Right button: // If the current node is selected, then do nothing. This is to allow context menus to // operate on multiple items. // If the current node is not selected, select only that node. if (!ControlKey && !ShiftKey && !Node->Selected) { PhTnpSelectRange(Context, Node->Index, Node->Index, TN_SELECT_RESET, &changedStart, &changedEnd); Context->MarkNodeIndex = Node->Index; if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } } else if (ShiftKey && Context->MarkNodeIndex != ULONG_MAX) { ULONG start; ULONG end; // Shift key: select a range from the selection mark node to the current node. if (Node->Index > Context->MarkNodeIndex) { start = Context->MarkNodeIndex; end = Node->Index; } else { start = Node->Index; end = Context->MarkNodeIndex; } PhTnpSelectRange(Context, start, end, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } else if (ControlKey) { // Control key: toggle the selection on the current node, and also make it the selection // mark. PhTnpSelectRange(Context, Node->Index, Node->Index, TN_SELECT_TOGGLE, NULL, NULL); Context->MarkNodeIndex = Node->Index; if (PhTnpGetRowRects(Context, Node->Index, Node->Index, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } else { // Normal: select the current node, and also make it the selection mark. PhTnpSelectRange(Context, Node->Index, Node->Index, TN_SELECT_RESET, &changedStart, &changedEnd); Context->MarkNodeIndex = Node->Index; if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } } /** * Ensures that the specified node is visible within the tree new control. * * This function scrolls the view if necessary to bring the node at the given index * into the visible area of the control. If the node is already fully visible, no action is taken. * * \param Context Pointer to the tree new context structure. * \param Index The index of the node to make visible. * \return TRUE if the node is (or was made) visible; FALSE if the index is out of range. */ BOOLEAN PhTnpEnsureVisibleNode( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Index ) { LONG viewTop; LONG viewBottom; LONG rowTop; LONG rowBottom; LONG deltaY; LONG deltaRows; if (Index >= Context->FlatList->Count) return FALSE; viewTop = Context->HeaderHeight; viewBottom = Context->ClientRect.bottom - (Context->HScrollVisible ? Context->HScrollHeight : 0); rowTop = Context->HeaderHeight + ((LONG)Index - Context->VScrollPosition) * Context->RowHeight; rowBottom = rowTop + Context->RowHeight; // Check if the row is fully visible. if (rowTop >= viewTop && rowBottom <= viewBottom) return TRUE; deltaY = rowTop - viewTop; if (deltaY > 0) { // The row is below the view area. We want to scroll the row into view at the bottom of the // screen. We need to round up when dividing to make sure the node becomes fully visible. deltaY = rowBottom - viewBottom; deltaRows = (deltaY + Context->RowHeight - 1) / Context->RowHeight; // divide, round up } else { deltaRows = deltaY / Context->RowHeight; } PhTnpScroll(Context, deltaRows, 0); return TRUE; } /** * Processes mouse movement within the tree new control. * * This function handles mouse movement events by performing hit testing to determine * the node and column under the cursor, updating the hot node state, managing divider * animation, and handling tooltip display logic. * * \param Context Pointer to the tree new context structure. * \param CursorX The X coordinate of the mouse cursor. * \param CursorY The Y coordinate of the mouse cursor. */ VOID PhTnpProcessMoveMouse( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY ) { PH_TREENEW_HIT_TEST hitTest; PPH_TREENEW_NODE hotNode; hitTest.Point.x = CursorX; hitTest.Point.y = CursorY; hitTest.InFlags = TN_TEST_COLUMN | TN_TEST_SUBITEM; PhTnpHitTest(Context, &hitTest); if (hitTest.Flags & TN_HIT_ITEM) hotNode = hitTest.Node; else hotNode = NULL; PhTnpSetHotNode(Context, hotNode, !!(hitTest.Flags & TN_HIT_ITEM_PLUSMINUS)); if (Context->AnimateDivider && Context->FixedDividerVisible) { if (hitTest.Flags & TN_HIT_DIVIDER) { if ((Context->DividerHot < 100 || Context->AnimateDividerFadingOut) && !Context->AnimateDividerFadingIn) { // Begin fading in the divider. Context->AnimateDividerFadingIn = TRUE; Context->AnimateDividerFadingOut = FALSE; PhSetTimer(Context->Handle, TNP_TIMER_ANIMATE_DIVIDER, TNP_ANIMATE_DIVIDER_INTERVAL, NULL); } } else { if ((Context->DividerHot != 0 || Context->AnimateDividerFadingIn) && !Context->AnimateDividerFadingOut) { Context->AnimateDividerFadingOut = TRUE; Context->AnimateDividerFadingIn = FALSE; PhSetTimer(Context->Handle, TNP_TIMER_ANIMATE_DIVIDER, TNP_ANIMATE_DIVIDER_INTERVAL, NULL); } } } if (Context->TooltipsHandle) { ULONG index; ULONG id; if (!(hitTest.Flags & TN_HIT_DIVIDER)) { index = hitTest.Node ? hitTest.Node->Index : ULONG_MAX; id = hitTest.Column ? hitTest.Column->Id : ULONG_MAX; } else { index = ULONG_MAX; id = ULONG_MAX; } // This pops unnecessarily - when the cell has no tooltip text, and the user is moving the // mouse over it. However these unnecessary calls seem to fix a certain tooltip bug (move // the mouse around very quickly over the last column and the blank space to the right, and // no more tooltips will appear). if (Context->TooltipIndex != index || Context->TooltipId != id) { PhTnpPopTooltip(Context); } } } /** * Processes vertical mouse wheel events for the tree new control. * * This function handles vertical scrolling when the user rotates the mouse wheel. * It calculates the number of lines to scroll based on system settings and updates the vertical * scroll position accordingly, including handling partial scrolls and direction changes. * It also manages tooltip updates after scrolling. * * \param Context Pointer to the tree new context structure. * \param Distance The wheel delta value indicating the amount and direction of scrolling. */ VOID PhTnpProcessMouseVWheel( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance ) { ULONG wheelScrollLines; FLOAT linesToScroll; LONG wholeLinesToScroll; SCROLLINFO scrollInfo; LONG oldPosition; if (!PhGetSystemParametersInfo(SPI_GETWHEELSCROLLLINES, 0, &wheelScrollLines, 0)) { wheelScrollLines = PhGetDpi(3, Context->WindowDpi); } // If page scrolling is enabled, use the number of visible rows. if (wheelScrollLines == ULONG_MAX) wheelScrollLines = (Context->ClientRect.bottom - Context->HeaderHeight - (Context->HScrollVisible ? Context->HScrollHeight : 0)) / Context->RowHeight; // Zero the remainder if the direction changed. if ((Context->VScrollRemainder > 0) != (Distance > 0)) Context->VScrollRemainder = 0; linesToScroll = (FLOAT)wheelScrollLines * Distance / WHEEL_DELTA + Context->VScrollRemainder; wholeLinesToScroll = (LONG)linesToScroll; Context->VScrollRemainder = linesToScroll - wholeLinesToScroll; scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_ALL; GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; scrollInfo.nPos += wholeLinesToScroll; scrollInfo.fMask = SIF_POS; SetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo, TRUE); GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); if (scrollInfo.nPos != oldPosition) { Context->VScrollPosition = scrollInfo.nPos; PhTnpProcessScroll(Context, scrollInfo.nPos - oldPosition, 0); if (Context->TooltipsHandle) { MSG message; POINT point; PhTnpPopTooltip(Context); if ( PhGetClientPos(Context->Handle, &point) && point.x >= 0 && point.y >= 0 && point.x < Context->ClientRect.right && point.y < Context->ClientRect.bottom ) { // Send a fake mouse move message for the new node that the mouse may be hovering over. message.hwnd = Context->Handle; message.message = WM_MOUSEMOVE; message.wParam = 0; message.lParam = MAKELPARAM(point.x, point.y); SendMessage(Context->TooltipsHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } } } } /** * Processes horizontal mouse wheel events for the tree new control. * * This function handles horizontal scrolling when the user rotates the mouse wheel horizontally. * It calculates the number of characters to scroll based on system settings and updates the horizontal * scroll position accordingly, including handling partial scrolls and direction changes. * * \param Context Pointer to the tree new context structure. * \param Distance The wheel delta value indicating the amount and direction of scrolling. */ VOID PhTnpProcessMouseHWheel( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG Distance ) { ULONG wheelScrollChars; FLOAT pixelsToScroll; LONG wholePixelsToScroll; SCROLLINFO scrollInfo; LONG oldPosition; if (!PhGetSystemParametersInfo(SPI_GETWHEELSCROLLCHARS, 0, &wheelScrollChars, 0)) { wheelScrollChars = PhGetDpi(3, Context->WindowDpi); } // Zero the remainder if the direction changed. if ((Context->HScrollRemainder > 0) != (Distance > 0)) Context->HScrollRemainder = 0; pixelsToScroll = (FLOAT)wheelScrollChars * Context->TextMetrics.tmAveCharWidth * Distance / WHEEL_DELTA + Context->HScrollRemainder; wholePixelsToScroll = (LONG)pixelsToScroll; Context->HScrollRemainder = pixelsToScroll - wholePixelsToScroll; scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_ALL; GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; scrollInfo.nPos += wholePixelsToScroll; scrollInfo.fMask = SIF_POS; SetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo, TRUE); GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); if (scrollInfo.nPos != oldPosition) { Context->HScrollPosition = scrollInfo.nPos; PhTnpProcessScroll(Context, 0, scrollInfo.nPos - oldPosition); } } /** * Processes focus navigation keys for the tree new control. * * This function handles keyboard navigation for moving the focus between nodes in the tree new control, * such as Up, Down, Home, End, Page Up, and Page Down keys. It updates the focused node, selection mark, * and selection range as appropriate, and ensures the focused node is visible. * * \param Context Pointer to the tree new context structure. * \param VirtualKey The virtual key code to process (e.g., VK_UP, VK_DOWN, VK_HOME, VK_END, VK_PRIOR, VK_NEXT). * \return TRUE if the key was handled; otherwise, FALSE. */ BOOLEAN PhTnpProcessFocusKey( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey ) { ULONG count; ULONG index; BOOLEAN controlKey; BOOLEAN shiftKey; ULONG start; ULONG end; ULONG changedStart; ULONG changedEnd; RECT rect; if (VirtualKey != VK_UP && VirtualKey != VK_DOWN && VirtualKey != VK_HOME && VirtualKey != VK_END && VirtualKey != VK_PRIOR && VirtualKey != VK_NEXT) { return FALSE; } count = Context->FlatList->Count; if (count == 0) return TRUE; // Find the new node to focus. switch (VirtualKey) { case VK_UP: { if (Context->FocusNode && Context->FocusNode->Index > 0) { index = Context->FocusNode->Index - 1; } else { index = 0; } } break; case VK_DOWN: { if (Context->FocusNode) { index = Context->FocusNode->Index + 1; if (index >= count) index = count - 1; } else { index = 0; } } break; case VK_HOME: index = 0; break; case VK_END: index = count - 1; break; case VK_PRIOR: case VK_NEXT: { LONG rowsPerPage; if (Context->FocusNode) index = Context->FocusNode->Index; else index = 0; rowsPerPage = Context->ClientRect.bottom - Context->HeaderHeight - (Context->HScrollVisible ? Context->HScrollHeight : 0); if (rowsPerPage < 0) return TRUE; rowsPerPage = rowsPerPage / Context->RowHeight - 1; if (rowsPerPage < 0) return TRUE; if (VirtualKey == VK_PRIOR) { ULONG startOfPageIndex; startOfPageIndex = Context->VScrollPosition; if (index > startOfPageIndex) { index = startOfPageIndex; } else { // Already at or before the start of the page. Go back a page. if (index >= (ULONG)rowsPerPage) index -= rowsPerPage; else index = 0; } } else { ULONG endOfPageIndex; endOfPageIndex = Context->VScrollPosition + rowsPerPage; if (endOfPageIndex >= count) endOfPageIndex = count - 1; if (index < endOfPageIndex) { index = endOfPageIndex; } else { // Already at or after the end of the page. Go forward a page. index += rowsPerPage; if (index >= count) index = count - 1; } } } break; default: { index = 0; } break; } // Select the relevant nodes. controlKey = GetKeyState(VK_CONTROL) < 0; shiftKey = GetKeyState(VK_SHIFT) < 0; Context->FocusNode = Context->FlatList->Items[index]; PhTnpSetHotNode(Context, Context->FocusNode, FALSE); if (shiftKey && Context->MarkNodeIndex != ULONG_MAX) { if (index > Context->MarkNodeIndex) { start = Context->MarkNodeIndex; end = index; } else { start = index; end = Context->MarkNodeIndex; } PhTnpSelectRange(Context, start, end, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } else if (!controlKey) { Context->MarkNodeIndex = Context->FocusNode->Index; PhTnpSelectRange(Context, index, index, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } PhTnpEnsureVisibleNode(Context, index); PhTnpPopTooltip(Context); return TRUE; } /** * Processes a key event for the focused node in the tree new control. * * This function handles keyboard input such as space, left, right, and plus keys when a node is focused. * It manages node selection, expansion/collapse, and navigation based on the key pressed and modifier keys. * * \param Context Pointer to the tree new context structure. * \param VirtualKey The virtual key code of the key event to process. * \return TRUE if the key was handled; otherwise, FALSE. */ BOOLEAN PhTnpProcessNodeKey( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKey ) { BOOLEAN controlKey; BOOLEAN shiftKey; ULONG changedStart; ULONG changedEnd; RECT rect; if (VirtualKey != VK_SPACE && VirtualKey != VK_LEFT && VirtualKey != VK_RIGHT && VirtualKey != VK_ADD && VirtualKey != VK_OEM_PLUS) { return FALSE; } if (!Context->FocusNode) return TRUE; controlKey = GetKeyState(VK_CONTROL) < 0; shiftKey = GetKeyState(VK_SHIFT) < 0; switch (VirtualKey) { case VK_SPACE: { if (controlKey) { // Control key: toggle the selection on the focused node. Context->MarkNodeIndex = Context->FocusNode->Index; PhTnpSelectRange(Context, Context->FocusNode->Index, Context->FocusNode->Index, TN_SELECT_TOGGLE, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } else if (shiftKey) { ULONG start; ULONG end; // Shift key: select a range from the selection mark node to the focused node. if (Context->FocusNode->Index > Context->MarkNodeIndex) { start = Context->MarkNodeIndex; end = Context->FocusNode->Index; } else { start = Context->FocusNode->Index; end = Context->MarkNodeIndex; } PhTnpSelectRange(Context, start, end, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } } break; case VK_LEFT: { ULONG i; ULONG targetLevel; PPH_TREENEW_NODE newNode; // If the node is expanded, collapse it. Otherwise, select the node's parent. if (!Context->FocusNode->s.IsLeaf && Context->FocusNode->Expanded) { PhTnpSetExpandedNode(Context, Context->FocusNode, FALSE); } else if (Context->FocusNode->Level != 0) { i = Context->FocusNode->Index; targetLevel = Context->FocusNode->Level - 1; while (i != 0) { i--; newNode = Context->FlatList->Items[i]; if (newNode->Level == targetLevel) { Context->FocusNode = newNode; Context->MarkNodeIndex = newNode->Index; PhTnpEnsureVisibleNode(Context, i); PhTnpSetHotNode(Context, newNode, FALSE); PhTnpSelectRange(Context, i, i, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } PhTnpPopTooltip(Context); break; } } } } break; case VK_RIGHT: { PPH_TREENEW_NODE newNode; if (!Context->FocusNode->s.IsLeaf) { // If the node is collapsed, expand it. Otherwise, select the node's first child. if (!Context->FocusNode->Expanded) { PhTnpSetExpandedNode(Context, Context->FocusNode, TRUE); } else { if (Context->FocusNode->Index + 1 < Context->FlatList->Count) { newNode = Context->FlatList->Items[Context->FocusNode->Index + 1]; if (newNode->Level == Context->FocusNode->Level + 1) { Context->FocusNode = newNode; Context->MarkNodeIndex = newNode->Index; PhTnpEnsureVisibleNode(Context, Context->FocusNode->Index + 1); PhTnpSetHotNode(Context, newNode, FALSE); PhTnpSelectRange(Context, Context->FocusNode->Index, Context->FocusNode->Index, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } PhTnpPopTooltip(Context); } } } } } break; case VK_ADD: case VK_OEM_PLUS: { if ((VirtualKey == VK_ADD && controlKey) || (VirtualKey == VK_OEM_PLUS && controlKey && shiftKey)) { ULONG i; if (Context->FixedColumnVisible) PhTnpAutoSizeColumnHeader(Context, Context->FixedHeaderHandle, Context->FixedColumn, 0); for (i = 0; i < Context->NumberOfColumnsByDisplay; i++) PhTnpAutoSizeColumnHeader(Context, Context->HeaderHandle, Context->ColumnsByDisplay[i], 0); } } break; } return TRUE; } /** * Processes a character input for incremental search in the tree view control. * * This function handles character input (typically from WM_CHAR) to perform incremental * search within the tree view. It manages the search buffer, handles timeouts, and * updates the focused node and selection based on the search result. * * \param Context Pointer to the tree view context. * \param Character The character code to process for search. */ VOID PhTnpProcessSearchKey( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG Character ) { LONG messageTime; BOOLEAN newSearch; PH_TREENEW_SEARCH_EVENT searchEvent; PPH_TREENEW_NODE foundNode; ULONG changedStart; ULONG changedEnd; RECT rect; if (Context->FlatList->Count == 0) return; messageTime = GetMessageTime(); newSearch = FALSE; // Check if the search timed out. if (messageTime - Context->SearchMessageTime > PH_TREENEW_SEARCH_TIMEOUT) { Context->SearchStringCount = 0; Context->SearchFailed = FALSE; newSearch = TRUE; Context->SearchSingleCharMode = TRUE; } Context->SearchMessageTime = messageTime; // Append the character to the search buffer. if (!Context->SearchString) { Context->AllocatedSearchString = 32; Context->SearchString = PhAllocateSafe(Context->AllocatedSearchString * sizeof(WCHAR)); newSearch = TRUE; Context->SearchSingleCharMode = TRUE; } if (!Context->SearchString) { Context->SearchFailed = TRUE; return; } if (Context->SearchStringCount > PH_TREENEW_SEARCH_MAXIMUM_LENGTH) { // The search string has become too long. Fail the search. if (!Context->SearchFailed) { MessageBeep(MB_OK); Context->SearchFailed = TRUE; return; } } else if (Context->SearchStringCount == Context->AllocatedSearchString) { Context->AllocatedSearchString *= 2; Context->SearchString = PhReAllocateSafe(Context->SearchString, Context->AllocatedSearchString * sizeof(WCHAR)); if (!Context->SearchString) { Context->SearchFailed = TRUE; return; } } Context->SearchString[Context->SearchStringCount++] = (WCHAR)Character; if (Context->SearchString[Context->SearchStringCount - 1] != Context->SearchString[0]) { // The user has stopped typing the same character (or never started). Turn single-character // search off. Context->SearchSingleCharMode = FALSE; } searchEvent.FoundIndex = INT_ERROR; if (Context->FocusNode) { searchEvent.StartIndex = Context->FocusNode->Index; if (newSearch || Context->SearchSingleCharMode) { // If it's a new search, start at the next item so the user doesn't find the same item // again. searchEvent.StartIndex++; if (searchEvent.StartIndex == Context->FlatList->Count) searchEvent.StartIndex = 0; } } else { searchEvent.StartIndex = 0; } searchEvent.String.Buffer = Context->SearchString; if (!Context->SearchSingleCharMode) searchEvent.String.Length = Context->SearchStringCount * sizeof(WCHAR); else searchEvent.String.Length = sizeof(WCHAR); // Give the user a chance to modify how the search is performed. if (!Context->Callback(Context->Handle, TreeNewIncrementalSearch, &searchEvent, NULL, Context->CallbackContext)) { // Use the default search function. if (!PhTnpDefaultIncrementalSearch(Context, &searchEvent, TRUE, TRUE)) { return; } } if (searchEvent.FoundIndex == INT_ERROR && !Context->SearchFailed) { // No search result. Beep to indicate an error, and set the flag so we don't beep again. But // don't beep if the first character was a space, because that's used for other purposes // elsewhere (see PhTnpProcessNodeKey). if (searchEvent.String.Buffer[0] != L' ') { MessageBeep(MB_OK); } Context->SearchFailed = TRUE; return; } if (searchEvent.FoundIndex < 0 || searchEvent.FoundIndex >= (LONG)Context->FlatList->Count) return; foundNode = Context->FlatList->Items[searchEvent.FoundIndex]; Context->FocusNode = foundNode; PhTnpEnsureVisibleNode(Context, searchEvent.FoundIndex); PhTnpSetHotNode(Context, foundNode, FALSE); PhTnpSelectRange(Context, searchEvent.FoundIndex, searchEvent.FoundIndex, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } PhTnpPopTooltip(Context); } /** * Performs the default incremental search in the tree view. * * This function searches for a node whose text matches the search string, starting from a given index. * It supports partial and wrapped searches. * * \param Context Pointer to the tree view context. * \param SearchEvent Pointer to the search event structure, updated with the found index. * \param Partial TRUE to allow partial matches; FALSE for exact matches. * \param Wrap TRUE to wrap around the list; FALSE to stop at the end. * \return TRUE if the search was performed; FALSE otherwise. */ BOOLEAN PhTnpDefaultIncrementalSearch( _In_ PPH_TREENEW_CONTEXT Context, _Inout_ PPH_TREENEW_SEARCH_EVENT SearchEvent, _In_ BOOLEAN Partial, _In_ BOOLEAN Wrap ) { LONG startIndex; LONG currentIndex; LONG foundIndex; BOOLEAN firstTime; if (Context->FlatList->Count == 0) return FALSE; if (!Context->FirstColumn) return FALSE; startIndex = SearchEvent->StartIndex; currentIndex = startIndex; foundIndex = INT_ERROR; firstTime = TRUE; while (TRUE) { PH_STRINGREF text; if (currentIndex >= (LONG)Context->FlatList->Count) { if (Wrap) currentIndex = 0; else break; } // We use the firstTime variable instead of a simpler check because we want to include the // current item in the search. E.g. the current item is the only item beginning with "Z". If // the user searches for "Z", we want to return the current item as being found. if (!firstTime && currentIndex == startIndex) break; if (PhTnpGetCellText(Context, Context->FlatList->Items[currentIndex], Context->FirstColumn->Id, &text)) { if (Partial) { if (PhStartsWithStringRef(&text, &SearchEvent->String, TRUE)) { foundIndex = currentIndex; break; } } else { if (PhEqualStringRef(&text, &SearchEvent->String, TRUE)) { foundIndex = currentIndex; break; } } } currentIndex++; firstTime = FALSE; } SearchEvent->FoundIndex = foundIndex; return TRUE; } /** * Updates the scroll bars for the tree view control. * * This function recalculates and updates the visibility, range, and position of the vertical and horizontal scroll bars * based on the current content and client area size. It also manages the filler box visibility and triggers scrolling if needed. * * \param Context Pointer to the tree view context. */ VOID PhTnpUpdateScrollBars( _In_ PPH_TREENEW_CONTEXT Context ) { RECT clientRect; LONG width; LONG height; LONG contentWidth; LONG contentHeight; SCROLLINFO scrollInfo; LONG oldPosition; LONG deltaRows; LONG deltaX; LOGICAL oldHScrollVisible; RECT rect; clientRect = Context->ClientRect; width = clientRect.right - Context->FixedWidth; height = clientRect.bottom - Context->HeaderHeight; contentWidth = Context->TotalViewX; contentHeight = (LONG)Context->FlatList->Count * Context->RowHeight; if (contentHeight > height) { // We need a vertical scrollbar, so we can't use that area of the screen for content. width -= Context->VScrollWidth; } if (contentWidth > width) { height -= Context->HScrollHeight; } // Vertical scroll bar scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_POS; GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; scrollInfo.fMask = SIF_RANGE | SIF_PAGE; scrollInfo.nMin = 0; scrollInfo.nMax = Context->FlatList->Count != 0 ? Context->FlatList->Count - 1 : 0; scrollInfo.nPage = height / Context->RowHeight; SetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo, TRUE); // The scroll position may have changed due to the modified scroll range. scrollInfo.fMask = SIF_POS; GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); deltaRows = scrollInfo.nPos - oldPosition; Context->VScrollPosition = scrollInfo.nPos; if (contentHeight > height && contentHeight != 0) { if (!Context->VScrollVisible) { ShowWindow(Context->VScrollHandle, SW_SHOW); Context->VScrollVisible = TRUE; } } else { if (Context->VScrollVisible) { ShowWindow(Context->VScrollHandle, SW_HIDE); Context->VScrollVisible = FALSE; } } // Horizontal scroll bar scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_POS; GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; scrollInfo.fMask = SIF_RANGE | SIF_PAGE; scrollInfo.nMin = 0; scrollInfo.nMax = contentWidth != 0 ? contentWidth - 1 : 0; scrollInfo.nPage = width; SetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo, TRUE); scrollInfo.fMask = SIF_POS; GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); deltaX = scrollInfo.nPos - oldPosition; Context->HScrollPosition = scrollInfo.nPos; oldHScrollVisible = Context->HScrollVisible; if (contentWidth > width && contentWidth != 0) { if (!Context->HScrollVisible) { ShowWindow(Context->HScrollHandle, SW_SHOW); Context->HScrollVisible = TRUE; } } else { if (Context->HScrollVisible) { ShowWindow(Context->HScrollHandle, SW_HIDE); Context->HScrollVisible = FALSE; } } if ((Context->HScrollVisible != oldHScrollVisible) && Context->FixedDividerVisible && Context->AnimateDivider) { rect.left = Context->FixedWidth; rect.top = Context->HeaderHeight; rect.right = Context->FixedWidth + 1; rect.bottom = Context->ClientRect.bottom; InvalidateRect(Context->Handle, &rect, FALSE); } if (deltaRows != 0 || deltaX != 0) PhTnpProcessScroll(Context, deltaRows, deltaX); if (Context->VScrollVisible && Context->HScrollVisible) { if (!Context->FillerBoxVisible) { ShowWindow(Context->FillerBoxHandle, SW_SHOW); Context->FillerBoxVisible = TRUE; } } else { if (Context->FillerBoxVisible) { ShowWindow(Context->FillerBoxHandle, SW_HIDE); Context->FillerBoxVisible = FALSE; } } } /** * Scrolls the tree view by the specified number of rows and columns. * * This function adjusts the scroll bar positions and triggers a redraw if the scroll position changes. * * \param Context Pointer to the tree view context. * \param DeltaRows Number of rows to scroll vertically (can be MINLONG or MAXLONG for extremes). * \param DeltaX Number of pixels to scroll horizontally (can be MINLONG or MAXLONG for extremes). */ VOID PhTnpScroll( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG DeltaRows, _In_ LONG DeltaX ) { SCROLLINFO scrollInfo; LONG oldPosition; LONG deltaRows; LONG deltaX; deltaRows = 0; deltaX = 0; scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_POS; if (DeltaRows != 0 && Context->VScrollVisible) { GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; if (DeltaRows == MINLONG) scrollInfo.nPos = 0; else if (DeltaRows == MAXLONG) scrollInfo.nPos = Context->FlatList->Count - 1; else scrollInfo.nPos += DeltaRows; SetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo, TRUE); GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); Context->VScrollPosition = scrollInfo.nPos; deltaRows = scrollInfo.nPos - oldPosition; } if (DeltaX != 0 && Context->HScrollVisible) { GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); oldPosition = scrollInfo.nPos; if (DeltaX == MINLONG) scrollInfo.nPos = 0; else if (DeltaX == MAXLONG) scrollInfo.nPos = Context->TotalViewX; else scrollInfo.nPos += DeltaX; SetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo, TRUE); GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); Context->HScrollPosition = scrollInfo.nPos; deltaX = scrollInfo.nPos - oldPosition; } if (deltaRows != 0 || deltaX != 0) PhTnpProcessScroll(Context, deltaRows, deltaX); } /** * Processes the actual scrolling of the tree view window. * * This function performs the window scrolling operation for both vertical and horizontal directions, * updates the header layout, and records the scroll tick count. * * \param Context Pointer to the tree view context. * \param DeltaRows Number of rows to scroll vertically. * \param DeltaX Number of pixels to scroll horizontally. */ VOID PhTnpProcessScroll( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG DeltaRows, _In_ LONG DeltaX ) { RECT rect; LONG deltaY; rect.top = Context->HeaderHeight; rect.bottom = Context->ClientRect.bottom; if (DeltaX == 0) { rect.left = 0; rect.right = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); ScrollWindowEx( Context->Handle, 0, -DeltaRows * Context->RowHeight, &rect, NULL, NULL, NULL, SW_INVALIDATE ); } else { // Don't scroll if there are no rows. This is especially important if the user wants us to // display empty text. if (Context->FlatList->Count != 0) { deltaY = DeltaRows * Context->RowHeight; // If we're scrolling vertically as well, we need to scroll the fixed part and the // normal part separately. if (DeltaRows != 0) { rect.left = 0; rect.right = Context->NormalLeft; ScrollWindowEx( Context->Handle, 0, -deltaY, &rect, &rect, NULL, NULL, SW_INVALIDATE ); } rect.left = Context->NormalLeft; rect.right = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); ScrollWindowEx( Context->Handle, -DeltaX, -deltaY, &rect, &rect, NULL, NULL, SW_INVALIDATE ); } PhTnpLayoutHeader(Context); } Context->ScrollTickCount = NtGetTickCount64(); } /** * Determines if the tree view can scroll in the specified direction. * * This function checks the scroll bar positions and ranges to determine if scrolling is possible * in the given direction (horizontal/vertical, positive/negative). * * \param Context Pointer to the tree view context. * \param Horizontal TRUE to check horizontal scrolling; FALSE for vertical. * \param Positive TRUE to check forward (right/down); FALSE for backward (left/up). * \return TRUE if scrolling is possible; FALSE otherwise. */ BOOLEAN PhTnpCanScroll( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Horizontal, _In_ BOOLEAN Positive ) { SCROLLINFO scrollInfo; scrollInfo.cbSize = sizeof(SCROLLINFO); scrollInfo.fMask = SIF_RANGE | SIF_PAGE | SIF_POS; if (!Horizontal) GetScrollInfo(Context->VScrollHandle, SB_CTL, &scrollInfo); else GetScrollInfo(Context->HScrollHandle, SB_CTL, &scrollInfo); if (Positive) { if (scrollInfo.nPage != 0) scrollInfo.nMax -= scrollInfo.nPage - 1; return scrollInfo.nPos < scrollInfo.nMax; } else { return scrollInfo.nPos > scrollInfo.nMin; } } /** * Paints the tree view control. * * This function handles the drawing of all visible rows, columns, and cells in the tree view, * including themed and non-themed backgrounds, selection, and custom colors. It also manages * the drawing of fixed and normal columns and handles the painting of empty space. * * \param WindowHandle Handle to the tree view window. * \param Context Pointer to the tree view context. * \param hdc Handle to the device context for painting. * \param PaintRect Pointer to the rectangle to be painted. */ VOID PhTnpPaint( _In_ HWND WindowHandle, _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ PRECT PaintRect ) { RECT viewRect; LONG vScrollPosition; LONG hScrollPosition; LONG firstRowToUpdate; LONG lastRowToUpdate; LONG i; LONG j; PPH_TREENEW_NODE node; PPH_TREENEW_COLUMN column; RECT rowRect; LONG x; BOOLEAN fixedUpdate; LONG normalUpdateLeftX; LONG normalUpdateRightX; LONG normalUpdateLeftIndex; LONG normalUpdateRightIndex; LONG normalTotalX; RECT cellRect; HRGN oldClipRegion; PhTnpInitializeThemeData(Context); viewRect = Context->ClientRect; if (Context->VScrollVisible) viewRect.right -= Context->VScrollWidth; vScrollPosition = Context->VScrollPosition; hScrollPosition = Context->HScrollPosition; // Calculate the indices of the first and last rows that need painting. These indices are // relative to the top of the view area. firstRowToUpdate = (PaintRect->top - Context->HeaderHeight) / Context->RowHeight; lastRowToUpdate = (PaintRect->bottom - 1 - Context->HeaderHeight) / Context->RowHeight; // minus one since bottom is exclusive if (firstRowToUpdate < 0) firstRowToUpdate = 0; rowRect.left = 0; rowRect.top = Context->HeaderHeight + firstRowToUpdate * Context->RowHeight; rowRect.right = Context->NormalLeft + Context->TotalViewX - Context->HScrollPosition; rowRect.bottom = rowRect.top + Context->RowHeight; // Change the indices to absolute row indices. firstRowToUpdate += vScrollPosition; lastRowToUpdate += vScrollPosition; if (lastRowToUpdate >= (LONG)Context->FlatList->Count) lastRowToUpdate = Context->FlatList->Count - 1; // becomes -1 when there are no items, handled correctly by loop below // Determine whether the fixed column needs painting, and which normal columns need painting. fixedUpdate = FALSE; if (Context->FixedColumnVisible && PaintRect->left < Context->FixedWidth) fixedUpdate = TRUE; x = Context->NormalLeft - hScrollPosition; normalUpdateLeftX = viewRect.right; normalUpdateLeftIndex = 0; normalUpdateRightX = 0; normalUpdateRightIndex = -1; for (j = 0; j < (LONG)Context->NumberOfColumnsByDisplay; j++) { column = Context->ColumnsByDisplay[j]; if (x + column->Width >= Context->NormalLeft && x + column->Width > PaintRect->left && x < PaintRect->right) { if (normalUpdateLeftX > x) { normalUpdateLeftX = x; normalUpdateLeftIndex = j; } if (normalUpdateRightX < x + column->Width) { normalUpdateRightX = x + column->Width; normalUpdateRightIndex = j; } } x += column->Width; } normalTotalX = x; if (normalUpdateRightIndex >= (LONG)Context->NumberOfColumnsByDisplay) normalUpdateRightIndex = Context->NumberOfColumnsByDisplay - 1; // Paint the rows. SelectFont(hdc, Context->Font); SetBkMode(hdc, TRANSPARENT); for (i = firstRowToUpdate; i <= lastRowToUpdate; i++) { node = Context->FlatList->Items[i]; // Prepare the row for drawing. PhTnpPrepareRowForDraw(Context, hdc, node); if (Context->ThemeSupport) { HDC tempDc; HBITMAP bitmap; HBITMAP oldBitmap; RECT tempRect; BLENDFUNCTION blendFunction; SetTextColor(hdc, PhThemeWindowTextColor); SetDCBrushColor(hdc, PhThemeWindowBackgroundColor); FillRect(hdc, &rowRect, PhGetStockBrush(DC_BRUSH)); if (tempDc = CreateCompatibleDC(hdc)) { if (bitmap = CreateCompatibleBitmap(hdc, 1, 1)) { // Fill in the selection rectangle. oldBitmap = SelectBitmap(tempDc, bitmap); tempRect.left = 0; tempRect.top = 0; tempRect.right = 1; tempRect.bottom = 1; SetTextColor(tempDc, node->s.DrawForeColor); if (node->s.DrawBackColor != 16777215) { SetDCBrushColor(tempDc, node->s.DrawBackColor); FillRect(tempDc, &tempRect, PhGetStockBrush(DC_BRUSH)); } else { SetDCBrushColor(tempDc, PhThemeWindowBackgroundColor); FillRect(tempDc, &tempRect, PhGetStockBrush(DC_BRUSH)); } blendFunction.BlendOp = AC_SRC_OVER; blendFunction.BlendFlags = 0; blendFunction.SourceConstantAlpha = 96; blendFunction.AlphaFormat = 0; GdiAlphaBlend( hdc, rowRect.left, rowRect.top, rowRect.right - rowRect.left, rowRect.bottom - rowRect.top, tempDc, 0, 0, 1, 1, blendFunction ); // Draw the outline of the selection rectangle (Dart Vanya) if (Context->HasFocus && node->Selected) { //SetDCBrushColor(hdc, RGB(0xF0, 0xF0, 0xF0)); FrameRect(hdc, &rowRect, GetSysColorBrush(COLOR_WINDOW)); } SelectBitmap(tempDc, oldBitmap); DeleteBitmap(bitmap); } DeleteDC(tempDc); } } else { if (node->Selected && (Context->CustomColors || !Context->ThemeHasItemBackground)) { // Non-themed background if (Context->HasFocus) { if (Context->CustomColors) { SetTextColor(hdc, Context->CustomTextColor); SetDCBrushColor(hdc, Context->CustomFocusColor); FillRect(hdc, &rowRect, PhGetStockBrush(DC_BRUSH)); } else { SetTextColor(hdc, GetSysColor(COLOR_HIGHLIGHTTEXT)); FillRect(hdc, &rowRect, GetSysColorBrush(COLOR_HIGHLIGHT)); } } else { if (Context->CustomColors) { SetTextColor(hdc, Context->CustomTextColor); SetDCBrushColor(hdc, Context->CustomSelectedColor); FillRect(hdc, &rowRect, PhGetStockBrush(DC_BRUSH)); } else { SetTextColor(hdc, GetSysColor(COLOR_BTNTEXT)); FillRect(hdc, &rowRect, GetSysColorBrush(COLOR_BTNFACE)); } } } else { SetTextColor(hdc, node->s.DrawForeColor); SetDCBrushColor(hdc, node->s.DrawBackColor); FillRect(hdc, &rowRect, PhGetStockBrush(DC_BRUSH)); } } if (!Context->CustomColors && Context->ThemeHasItemBackground) { INT stateId; // Themed background if (node->Selected) { if (i == Context->HotNodeIndex) stateId = TREIS_HOTSELECTED; else if (!Context->HasFocus) stateId = TREIS_SELECTEDNOTFOCUS; else stateId = TREIS_SELECTED; } else { if (i == Context->HotNodeIndex) stateId = TREIS_HOT; else stateId = INT_MAX; } // Themed background if (stateId != INT_MAX) { if (!Context->FixedColumnVisible) { rowRect.left = Context->NormalLeft - hScrollPosition; } PhDrawThemeBackground( Context->ThemeData, hdc, TVP_TREEITEM, stateId, &rowRect, PaintRect ); } } // Paint the fixed column. cellRect.top = rowRect.top; cellRect.bottom = rowRect.bottom; if (fixedUpdate) { cellRect.left = 0; cellRect.right = Context->FixedWidth; PhTnpDrawCell(Context, hdc, &cellRect, node, Context->FixedColumn, i, -1); } // Paint the normal columns. if (normalUpdateLeftX < normalUpdateRightX) { cellRect.left = normalUpdateLeftX; cellRect.right = cellRect.left; oldClipRegion = CreateRectRgn(0, 0, 0, 0); if (GetClipRgn(hdc, oldClipRegion) != 1) { DeleteRgn(oldClipRegion); oldClipRegion = NULL; } IntersectClipRect(hdc, Context->NormalLeft, cellRect.top, viewRect.right, cellRect.bottom); for (j = normalUpdateLeftIndex; j <= normalUpdateRightIndex; j++) { column = Context->ColumnsByDisplay[j]; cellRect.left = cellRect.right; cellRect.right = cellRect.left + column->Width; PhTnpDrawCell(Context, hdc, &cellRect, node, column, i, j); } SelectClipRgn(hdc, oldClipRegion); if (oldClipRegion) { DeleteRgn(oldClipRegion); } } rowRect.top += Context->RowHeight; rowRect.bottom += Context->RowHeight; } if (lastRowToUpdate == Context->FlatList->Count - 1) // works even if there are no items { // Fill the rest of the space on the bottom with the window color. rowRect.bottom = viewRect.bottom; if (Context->ThemeSupport) { SetTextColor(hdc, PhThemeWindowTextColor); SetDCBrushColor(hdc, PhThemeWindowBackgroundColor); FillRect(hdc, &rowRect, PhGetStockBrush(DC_BRUSH)); } else { FillRect(hdc, &rowRect, (HBRUSH)(COLOR_WINDOW + 1)); } } if (normalTotalX < viewRect.right && viewRect.right > PaintRect->left && normalTotalX < PaintRect->right) { // Fill the rest of the space on the right with the window color. rowRect.left = normalTotalX; rowRect.top = Context->HeaderHeight; rowRect.right = viewRect.right; rowRect.bottom = viewRect.bottom; if (Context->ThemeSupport) { SetTextColor(hdc, PhThemeWindowTextColor); SetDCBrushColor(hdc, PhThemeWindowBackgroundColor); FillRect(hdc, &rowRect, PhGetStockBrush(DC_BRUSH)); } else { FillRect(hdc, &rowRect, (HBRUSH)(COLOR_WINDOW + 1)); } } if (Context->FlatList->Count == 0 && Context->EmptyText.Length != 0) { RECT textRect; textRect.left = 20; textRect.top = Context->HeaderHeight + PhGetDpi(10, Context->WindowDpi); textRect.right = viewRect.right - PhGetDpi(20, Context->WindowDpi); textRect.bottom = viewRect.bottom - Context->HeaderTextPadding; if (Context->ThemeSupport) SetTextColor(hdc, PhThemeWindowTextColor); else SetTextColor(hdc, GetSysColor(COLOR_GRAYTEXT)); DrawText( hdc, Context->EmptyText.Buffer, (ULONG)Context->EmptyText.Length / 2, &textRect, DT_NOPREFIX | DT_CENTER | DT_END_ELLIPSIS ); } if (Context->FixedDividerVisible && Context->FixedWidth >= PaintRect->left && Context->FixedWidth < PaintRect->right) { PhTnpDrawDivider(Context, hdc); } if (Context->DragSelectionActive) { PhTnpDrawSelectionRectangle(Context, hdc, &Context->DragRect); } if (FlagOn(Context->Style, TN_STYLE_DRAG_REORDER_ROWS)) { if (Context->ReorderDragActive) { PhTnpDrawInsertionCaret(Context, hdc); } } if (Context->HeaderCustomDraw) { //if (Context->FixedColumnVisible && Context->FixedHeaderHandle) //{ // InvalidateRect(Context->FixedHeaderHandle, NULL, FALSE); //} // TODO: // 1) PhTickProcessNodes excludes the header when invalidating the treelist. // 2) This invalidates the whole header even when nothing changes. // We can add a callback similar to TreeNewGetHeaderText that returns TRUE // for headers that have custom text and need invalidating? (dmex) if (Context->HeaderHandle && !Context->Tracking) // GetCapture() != Context->HeaderHandle) { InvalidateRect(Context->HeaderHandle, NULL, FALSE); } } } /** * Prepares a tree new node for drawing. * * This function prepares the specified tree new node for drawing by performing * necessary calculations or setups using the provided device context and context. * * \param Context A pointer to the tree new context. * \param hdc The handle to the device context used for drawing. * \param Node A pointer to the tree new node to prepare for drawing. */ VOID PhTnpPrepareRowForDraw( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _Inout_ PPH_TREENEW_NODE Node ) { if (!Node->s.CachedColorValid) { PH_TREENEW_GET_NODE_COLOR getNodeColor; getNodeColor.Flags = 0; getNodeColor.Node = Node; getNodeColor.BackColor = Context->DefaultBackColor; getNodeColor.ForeColor = Context->DefaultForeColor; if (Context->Callback( Context->Handle, TreeNewGetNodeColor, &getNodeColor, NULL, Context->CallbackContext )) { Node->BackColor = getNodeColor.BackColor; Node->ForeColor = getNodeColor.ForeColor; Node->UseAutoForeColor = !!(getNodeColor.Flags & TN_AUTO_FORECOLOR); if (getNodeColor.Flags & TN_CACHE) Node->s.CachedColorValid = TRUE; } else { Node->BackColor = getNodeColor.BackColor; Node->ForeColor = getNodeColor.ForeColor; } } Node->s.DrawForeColor = Node->ForeColor; if (Node->UseTempBackColor) Node->s.DrawBackColor = Node->TempBackColor; else Node->s.DrawBackColor = Node->BackColor; if (!Node->s.CachedFontValid) { PH_TREENEW_GET_NODE_FONT getNodeFont; getNodeFont.Flags = 0; getNodeFont.Node = Node; getNodeFont.Font = NULL; if (Context->Callback( Context->Handle, TreeNewGetNodeFont, &getNodeFont, NULL, Context->CallbackContext )) { Node->Font = getNodeFont.Font; if (getNodeFont.Flags & TN_CACHE) Node->s.CachedFontValid = TRUE; } else { Node->Font = NULL; } } if (!Node->s.CachedIconValid) { PH_TREENEW_GET_NODE_ICON getNodeIcon; getNodeIcon.Flags = 0; getNodeIcon.Node = Node; getNodeIcon.Icon = NULL; if (Context->Callback( Context->Handle, TreeNewGetNodeIcon, &getNodeIcon, NULL, Context->CallbackContext )) { Node->Icon = getNodeIcon.Icon; if (getNodeIcon.Flags & TN_CACHE) Node->s.CachedIconValid = TRUE; } else { Node->Icon = NULL; } } if (Node->UseAutoForeColor || Node->UseTempBackColor) { if (PhGetColorBrightness(Node->s.DrawBackColor) > 100) // slightly less than half Node->s.DrawForeColor = RGB(0x00, 0x00, 0x00); else Node->s.DrawForeColor = RGB(0xff, 0xff, 0xff); } } /** * Draws a cell in the tree new control. * * This function renders the content of a specific cell within the tree new control, * including text, icons, and other visual elements based on the provided node and column. * * \param Context A pointer to the PPH_TREENEW_CONTEXT structure containing the tree new context. * \param hdc A handle to the device context used for drawing operations. * \param CellRect A pointer to a RECT structure defining the boundaries of the cell to draw. * \param Node A pointer to the PPH_TREENEW_NODE structure representing the node associated with the cell. * \param Column A pointer to the PPH_TREENEW_COLUMN structure representing the column. * \param RowIndex The index of the row containing the cell. * \param ColumnIndex The index of the column containing the cell. */ VOID PhTnpDrawCell( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ PRECT CellRect, _In_ PPH_TREENEW_NODE Node, _In_ PPH_TREENEW_COLUMN Column, _In_ LONG RowIndex, _In_ LONG ColumnIndex ) { HFONT font; // font to use HFONT oldFont = NULL; PH_STRINGREF text; // text to draw RECT textRect; // working rectangle, modified as needed ULONG textFlags; // DT_* flags LONG iconVerticalMargin; // top/bottom margin for icons (determined using height of small icon) LONG width; LONG height; font = Node->Font; textFlags = Column->TextFlags; if (Column->Alignment & PH_ALIGN_MONOSPACE_FONT) { font = PhMonospaceFont; } textRect = *CellRect; width = Context->SmallIconWidth; height = Context->SmallIconHeight; // Initial margins used by default list view textRect.left += Context->CellMarginLeft; textRect.right -= Context->CellMarginRight; // icon margin = (height of row - height of small icon) / 2 iconVerticalMargin = ((textRect.bottom - textRect.top) - height) / 2; textRect.top += iconVerticalMargin; textRect.bottom -= iconVerticalMargin; if (Column == Context->FirstColumn) { BOOLEAN needsClip = FALSE; HRGN oldClipRegion = NULL; textRect.left += Node->Level * width; // The icon may need to be clipped if the column is too small. needsClip = Column->Width < textRect.left + (Context->CanAnyExpand ? width : 0) + (Node->Icon ? width : 0); if (needsClip) { oldClipRegion = CreateRectRgn(0, 0, 0, 0); if (GetClipRgn(hdc, oldClipRegion) != 1) { DeleteRgn(oldClipRegion); oldClipRegion = NULL; } // Clip contents to the column. IntersectClipRect(hdc, CellRect->left, textRect.top, CellRect->right, textRect.bottom); } if (Context->CanAnyExpand) // flag is used so we can avoid indenting when it's a flat list { BOOLEAN drewUsingTheme = FALSE; RECT themeRect; if (!Node->s.IsLeaf) { // Draw the plus/minus glyph. themeRect.left = textRect.left; themeRect.right = themeRect.left + width; //themeRect.left = textRect.right; //themeRect.right = textRect.right - SmallIconWidth; themeRect.top = textRect.top; themeRect.bottom = themeRect.top + height; if (Context->ThemeHasGlyph) { INT partId; INT stateId; partId = (RowIndex == Context->HotNodeIndex && Node->s.PlusMinusHot && Context->ThemeHasHotGlyph) ? TVP_HOTGLYPH : TVP_GLYPH; stateId = Node->Expanded ? GLPS_OPENED : GLPS_CLOSED; if (PhDrawThemeBackground( Context->ThemeData, hdc, partId, stateId, &themeRect, NULL )) { drewUsingTheme = TRUE; } } if (!drewUsingTheme) { ULONG glyphWidth; ULONG glyphHeight; RECT glyphRect; glyphWidth = width / 2; glyphHeight = height / 2; glyphRect.left = textRect.left + (width - glyphWidth) / 2; glyphRect.right = glyphRect.left + glyphWidth; //glyphRect.left = textRect.right + (SmallIconWidth - glyphWidth) / 2; //glyphRect.right = glyphRect.left - glyphWidth; glyphRect.top = textRect.top + (height - glyphHeight) / 2; glyphRect.bottom = glyphRect.top + glyphHeight; PhTnpDrawPlusMinusGlyph(hdc, &glyphRect, !Node->Expanded); } } textRect.left += width; } // Draw the icon. if (Context->ImageListSupport) { //LONG right = textRect.right; //textRect.right = textRect.left + SmallIconWidth; //FillRect(hdc, &textRect, GetSysColorBrush(COLOR_HOTLIGHT)); //textRect.right = right; PhImageListDrawEx( Context->ImageListHandle, (ULONG)(ULONG_PTR)Node->Icon, // HACK (dmex) hdc, textRect.left, textRect.top, width, height, CLR_DEFAULT, CLR_NONE, ILD_NORMAL | ILD_TRANSPARENT, ILS_NORMAL ); textRect.left += width + Context->IconRightPadding; } else if (Node->Icon) { DrawIconEx( hdc, textRect.left, textRect.top, Node->Icon, width, height, 0, NULL, DI_NORMAL ); textRect.left += width + Context->IconRightPadding; } if (needsClip) { SelectClipRgn(hdc, oldClipRegion); if (oldClipRegion) DeleteRgn(oldClipRegion); } if (textRect.left > textRect.right) textRect.left = textRect.right; } if (Column->CustomDraw) { BOOLEAN result; PH_TREENEW_CUSTOM_DRAW customDraw; INT savedDc; customDraw.Node = Node; customDraw.Column = Column; customDraw.Dc = hdc; customDraw.CellRect = *CellRect; customDraw.TextRect = textRect; // Fix up the rectangles before giving them to the user. if (customDraw.CellRect.left > customDraw.CellRect.right) customDraw.CellRect.left = customDraw.CellRect.right; if (customDraw.TextRect.left > customDraw.TextRect.right) customDraw.TextRect.left = customDraw.TextRect.right; savedDc = SaveDC(hdc); result = Context->Callback(Context->Handle, TreeNewCustomDraw, &customDraw, NULL, Context->CallbackContext); RestoreDC(hdc, savedDc); if (result) return; } if (PhTnpGetCellText(Context, Node, Column->Id, &text)) { if (!(textFlags & (DT_PATH_ELLIPSIS | DT_WORD_ELLIPSIS))) textFlags |= DT_END_ELLIPSIS; textFlags |= DT_NOPREFIX | DT_VCENTER | DT_SINGLELINE; textRect.top = CellRect->top; textRect.bottom = CellRect->bottom; if (font) oldFont = SelectFont(hdc, font); DrawText( hdc, text.Buffer, (ULONG)text.Length / 2, &textRect, textFlags ); if (oldFont) SelectFont(hdc, oldFont); } } /** * Draws the divider line between the fixed and normal columns. * * \param Context Pointer to the treenew context structure. * \param hdc Device context handle. */ VOID PhTnpDrawDivider( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc ) { POINT points[2]; if (Context->AnimateDivider) { if (Context->DividerHot == 0 && !Context->HScrollVisible) return; // divider is invisible if (Context->DividerHot < 100) { BLENDFUNCTION blendFunction; // We need to draw and alpha blend the divider. // We can use the extra column allocated in the buffered context to initially draw the // divider. points[0].x = Context->ClientRect.right; points[0].y = Context->HeaderHeight; points[1].x = Context->ClientRect.right; points[1].y = Context->ClientRect.bottom; SetDCPenColor(Context->BufferedContext, RGB(0x77, 0x77, 0x77)); SelectPen(Context->BufferedContext, PhGetStockPen(DC_PEN)); Polyline(Context->BufferedContext, points, 2); blendFunction.BlendOp = AC_SRC_OVER; blendFunction.BlendFlags = 0; blendFunction.AlphaFormat = 0; // If the horizontal scroll bar is visible, we need to display a line even if the // divider is not hot. In this case we increase the base alpha value. if (!Context->HScrollVisible) blendFunction.SourceConstantAlpha = (UCHAR)(Context->DividerHot * 255 / 100); else blendFunction.SourceConstantAlpha = 55 + (UCHAR)(Context->DividerHot * 2); GdiAlphaBlend( hdc, Context->FixedWidth, Context->HeaderHeight, 1, Context->ClientRect.bottom - Context->HeaderHeight, Context->BufferedContext, Context->ClientRect.right, Context->HeaderHeight, 1, Context->ClientRect.bottom - Context->HeaderHeight, blendFunction ); return; } } points[0].x = Context->FixedWidth; points[0].y = Context->HeaderHeight; points[1].x = Context->FixedWidth; points[1].y = Context->ClientRect.bottom; SetDCPenColor(hdc, RGB(0x77, 0x77, 0x77)); SelectPen(hdc, PhGetStockPen(DC_PEN)); Polyline(hdc, points, 2); } /** * Draws the plus/minus glyph for expanding/collapsing tree nodes. * * \param hdc Device context handle. * \param Rect Pointer to the bounding rectangle for the glyph. * \param Plus TRUE to draw a plus sign, FALSE to draw a minus sign. */ VOID PhTnpDrawPlusMinusGlyph( _In_ HDC hdc, _In_ PRECT Rect, _In_ BOOLEAN Plus ) { INT savedDc; ULONG width; ULONG height; POINT points[2]; savedDc = SaveDC(hdc); SelectPen(hdc, PhGetStockPen(DC_PEN)); SetDCPenColor(hdc, RGB(0x55, 0x55, 0x55)); SelectBrush(hdc, PhGetStockBrush(DC_BRUSH)); SetDCBrushColor(hdc, RGB(0xff, 0xff, 0xff)); width = Rect->right - Rect->left; height = Rect->bottom - Rect->top; // Draw the rectangle. Rectangle(hdc, Rect->left, Rect->top, Rect->right + 1, Rect->bottom + 1); SetDCPenColor(hdc, RGB(0x00, 0x00, 0x00)); // Draw the horizontal line. points[0].x = Rect->left + 2; points[0].y = Rect->top + height / 2; points[1].x = Rect->right - 2 + 1; points[1].y = points[0].y; Polyline(hdc, points, 2); if (Plus) { // Draw the vertical line. points[0].x = Rect->left + width / 2; points[0].y = Rect->top + 2; points[1].x = points[0].x; points[1].y = Rect->bottom - 2 + 1; Polyline(hdc, points, 2); } RestoreDC(hdc, savedDc); } /** * Draws the selection rectangle around selected items. * * \param Context Pointer to the treenew context structure. * \param hdc Device context handle. * \param Rect Pointer to the rectangle to draw. */ VOID PhTnpDrawSelectionRectangle( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc, _In_ PRECT Rect ) { RECT rect; BOOLEAN drewWithAlpha; rect = *Rect; // MSDN says FrameRect/DrawFocusRect doesn't draw anything if bottom <= top or right <= left. // That's complete rubbish. if (rect.right - rect.left == 0 || rect.bottom - rect.top == 0) return; drewWithAlpha = FALSE; if (Context->SelectionRectangleAlpha) { HDC tempDc; HBITMAP bitmap; HBITMAP oldBitmap; RECT tempRect; BLENDFUNCTION blendFunction; if (tempDc = CreateCompatibleDC(hdc)) { if (bitmap = CreateCompatibleBitmap(hdc, 1, 1)) { // Draw the outline of the selection rectangle. FrameRect(hdc, &rect, GetSysColorBrush(COLOR_HIGHLIGHT)); // Fill in the selection rectangle. oldBitmap = SelectBitmap(tempDc, bitmap); tempRect.left = 0; tempRect.top = 0; tempRect.right = 1; tempRect.bottom = 1; FillRect(tempDc, &tempRect, (HBRUSH)(COLOR_HOTLIGHT + 1)); blendFunction.BlendOp = AC_SRC_OVER; blendFunction.BlendFlags = 0; blendFunction.SourceConstantAlpha = 70; blendFunction.AlphaFormat = 0; GdiAlphaBlend( hdc, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, tempDc, 0, 0, 1, 1, blendFunction ); drewWithAlpha = TRUE; SelectBitmap(tempDc, oldBitmap); DeleteBitmap(bitmap); } DeleteDC(tempDc); } } if (!drewWithAlpha) { DrawFocusRect(hdc, &rect); } } /** * Draws the themed border around the control. * * \param Context Pointer to the treenew context structure. * \param hdc Device context handle. */ VOID PhTnpDrawThemedBorder( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC hdc ) { RECT windowRect; RECT clientRect; LONG sizingBorderWidth; LONG borderX; LONG borderY; if (!PhGetWindowRect(Context->Handle, &windowRect)) return; windowRect.right -= windowRect.left; windowRect.bottom -= windowRect.top; windowRect.left = 0; windowRect.top = 0; clientRect.left = windowRect.left + Context->SystemEdgeX; clientRect.top = windowRect.top + Context->SystemEdgeY; clientRect.right = windowRect.right - Context->SystemEdgeX; clientRect.bottom = windowRect.bottom - Context->SystemEdgeY; // Make sure we don't paint in the client area. ExcludeClipRect(hdc, clientRect.left, clientRect.top, clientRect.right, clientRect.bottom); // Draw the themed border. PhDrawThemeBackground(Context->ThemeData, hdc, 0, 0, &windowRect, NULL); // Calculate the size of the border we just drew, and fill in the rest of the space if we didn't // fully paint the region. if (PhGetThemeInt(Context->ThemeData, 0, 0, TMT_SIZINGBORDERWIDTH, &sizingBorderWidth)) { borderX = sizingBorderWidth; borderY = sizingBorderWidth; } else { borderX = Context->SystemBorderX; borderY = Context->SystemBorderY; } if (borderX < Context->SystemEdgeX || borderY < Context->SystemEdgeY) { windowRect.left += Context->SystemEdgeX - borderX; windowRect.top += Context->SystemEdgeY - borderY; windowRect.right -= Context->SystemEdgeX - borderX; windowRect.bottom -= Context->SystemEdgeY - borderY; FillRect(hdc, &windowRect, (HBRUSH)(COLOR_WINDOW + 1)); } } /** * Initializes the tooltip control for the treenew control. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpInitializeTooltips( _In_ PPH_TREENEW_CONTEXT Context ) { TOOLINFO toolInfo; Context->TooltipsHandle = PhCreateWindowEx( TOOLTIPS_CLASS, NULL, WS_POPUP | TTS_NOANIMATE | TTS_NOFADE | TTS_NOPREFIX | TTS_ALWAYSTIP, WS_EX_TOPMOST | WS_EX_TRANSPARENT, // solves double-click problem (wj32) CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, NULL, NULL ); if (!Context->TooltipsHandle) return; // Item tooltips memset(&toolInfo, 0, sizeof(TOOLINFO)); toolInfo.cbSize = sizeof(TOOLINFO); toolInfo.uFlags = TTF_TRANSPARENT; toolInfo.hwnd = Context->Handle; toolInfo.uId = TNP_TOOLTIPS_ITEM; toolInfo.lpszText = LPSTR_TEXTCALLBACK; toolInfo.lParam = TNP_TOOLTIPS_ITEM; SendMessage(Context->TooltipsHandle, TTM_ADDTOOL, 0, (LPARAM)&toolInfo); // Fixed column tooltips toolInfo.uFlags = 0; toolInfo.hwnd = Context->FixedHeaderHandle; toolInfo.uId = TNP_TOOLTIPS_FIXED_HEADER; toolInfo.lpszText = LPSTR_TEXTCALLBACK; toolInfo.lParam = TNP_TOOLTIPS_FIXED_HEADER; SendMessage(Context->TooltipsHandle, TTM_ADDTOOL, 0, (LPARAM)&toolInfo); // Normal column tooltips toolInfo.uFlags = 0; toolInfo.hwnd = Context->HeaderHandle; toolInfo.uId = TNP_TOOLTIPS_HEADER; toolInfo.lpszText = LPSTR_TEXTCALLBACK; toolInfo.lParam = TNP_TOOLTIPS_HEADER; SendMessage(Context->TooltipsHandle, TTM_ADDTOOL, 0, (LPARAM)&toolInfo); SetWindowPos( Context->TooltipsHandle, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE | SWP_NOACTIVATE ); if (Context->HeaderCustomDraw) { Context->HeaderHotColumn = ULONG_MAX; Context->HeaderThemeHandle = PhOpenThemeData(Context->HeaderHandle, VSCLASS_HEADER, Context->WindowDpi); } // Hook the header control window procedures so we can forward mouse messages to the tooltip control. Context->HeaderWindowProc = PhGetWindowProcedure(Context->HeaderHandle); PhSetWindowContext(Context->HeaderHandle, MAXCHAR, Context); PhSetWindowProcedure(Context->HeaderHandle, PhTnpHeaderHookWndProc); Context->FixedHeaderWindowProc = PhGetWindowProcedure(Context->FixedHeaderHandle); PhSetWindowContext(Context->FixedHeaderHandle, MAXCHAR, Context); PhSetWindowProcedure(Context->FixedHeaderHandle, PhTnpHeaderHookWndProc); SendMessage(Context->TooltipsHandle, TTM_SETMAXTIPWIDTH, 0, MAXSHORT); // no limit SetWindowFont(Context->TooltipsHandle, Context->Font, FALSE); Context->TooltipFont = Context->Font; } /** * Retrieves the tooltip text for a cell at a given point. * * \param Context Pointer to the treenew context structure. * \param Point Pointer to the point to test. * \param Text Pointer to receive the tooltip text. * \return TRUE if tooltip text was retrieved, FALSE otherwise. */ _Success_(return) BOOLEAN PhTnpGetTooltipText( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPOINT Point, _Out_ PPH_STRING *Text ) { PH_TREENEW_HIT_TEST hitTest; BOOLEAN unfoldingTooltip; BOOLEAN unfoldingTooltipFromViewCancelled; PH_TREENEW_CELL_PARTS parts; LONG viewRight; PH_TREENEW_GET_CELL_TOOLTIP getCellTooltip; hitTest.Point = *Point; hitTest.InFlags = TN_TEST_COLUMN | TN_TEST_SUBITEM; PhTnpHitTest(Context, &hitTest); if (Context->DragSelectionActive) return FALSE; if (!(hitTest.Flags & TN_HIT_ITEM)) return FALSE; if (hitTest.Flags & (TN_HIT_ITEM_PLUSMINUS | TN_HIT_DIVIDER)) return FALSE; if (!hitTest.Column) return FALSE; if (Context->TooltipIndex != hitTest.Node->Index || Context->TooltipId != hitTest.Column->Id) { Context->TooltipIndex = hitTest.Node->Index; Context->TooltipId = hitTest.Column->Id; getCellTooltip.Flags = 0; getCellTooltip.Node = hitTest.Node; getCellTooltip.Column = hitTest.Column; getCellTooltip.Unfolding = FALSE; PhInitializeEmptyStringRef(&getCellTooltip.Text); getCellTooltip.Font = Context->Font; getCellTooltip.MaximumWidth = ULONG_MAX; unfoldingTooltip = FALSE; unfoldingTooltipFromViewCancelled = FALSE; if (!(Context->ExtendedFlags & TN_FLAG_NO_UNFOLDING_TOOLTIPS) && PhTnpGetCellParts(Context, hitTest.Node->Index, hitTest.Column, TN_MEASURE_TEXT, &parts) && (parts.Flags & TN_PART_CONTENT) && (parts.Flags & TN_PART_TEXT)) { viewRight = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); // Use an unfolding tooltip if the text was truncated within the column, or the text // extends beyond the view area in either direction. if (parts.TextRect.left < parts.ContentRect.left || parts.TextRect.right > parts.ContentRect.right) { unfoldingTooltip = TRUE; } else if ((!hitTest.Column->Fixed && parts.TextRect.left < Context->NormalLeft) || parts.TextRect.right > viewRight) { // Only show view-based unfolding tooltips if the mouse is over the text itself. if (Point->x >= parts.TextRect.left && Point->x < parts.TextRect.right) unfoldingTooltip = TRUE; else unfoldingTooltipFromViewCancelled = TRUE; } if (unfoldingTooltip) { getCellTooltip.Unfolding = TRUE; getCellTooltip.Text = parts.Text; getCellTooltip.Font = parts.Font; // try to use the same font as the cell Context->TooltipRect = parts.TextRect; } } Context->Callback(Context->Handle, TreeNewGetCellTooltip, &getCellTooltip, NULL, Context->CallbackContext); Context->TooltipUnfolding = getCellTooltip.Unfolding; if (getCellTooltip.Text.Buffer && getCellTooltip.Text.Length != 0) { PhMoveReference(&Context->TooltipText, PhCreateString2(&getCellTooltip.Text)); } else { PhClearReference(&Context->TooltipText); if (unfoldingTooltipFromViewCancelled) { // We may need to show the view-based unfolding tooltip if the mouse moves over the // text in the future. Reset the index and ID to make sure we keep checking. Context->TooltipIndex = ULONG_MAX; Context->TooltipId = ULONG_MAX; } } Context->NewTooltipFont = getCellTooltip.Font; if (!Context->NewTooltipFont) Context->NewTooltipFont = Context->Font; if (getCellTooltip.MaximumWidth <= MAXSHORT) // seems to be the maximum value that the tooltip control supports SendMessage(Context->TooltipsHandle, TTM_SETMAXTIPWIDTH, 0, getCellTooltip.MaximumWidth); else SendMessage(Context->TooltipsHandle, TTM_SETMAXTIPWIDTH, 0, MAXSHORT); } if (Context->TooltipText) { *Text = Context->TooltipText; return TRUE; } return FALSE; } /** * Prepares to show the tooltip. * * \param Context Pointer to the treenew context structure. * \return TRUE if the tooltip should be shown, FALSE otherwise. */ BOOLEAN PhTnpPrepareTooltipShow( _In_ PPH_TREENEW_CONTEXT Context ) { RECT rect; if (Context->TooltipFont != Context->NewTooltipFont) { Context->TooltipFont = Context->NewTooltipFont; SetWindowFont(Context->TooltipsHandle, Context->TooltipFont, FALSE); } if (!Context->TooltipUnfolding) { SetWindowPos( Context->TooltipsHandle, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOACTIVATE | SWP_HIDEWINDOW ); return FALSE; } rect = Context->TooltipRect; SendMessage(Context->TooltipsHandle, TTM_ADJUSTRECT, TRUE, (LPARAM)&rect); MapWindowRect(Context->Handle, NULL, &rect); SetWindowPos( Context->TooltipsHandle, HWND_TOPMOST, rect.left, rect.top, 0, 0, SWP_NOSIZE | SWP_NOACTIVATE | SWP_HIDEWINDOW ); return TRUE; } VOID PhTnpPrepareTooltipPop( _In_ PPH_TREENEW_CONTEXT Context ) { Context->TooltipIndex = ULONG_MAX; Context->TooltipId = ULONG_MAX; Context->TooltipColumnId = ULONG_MAX; } /** * Hides the tooltip. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpPopTooltip( _In_ PPH_TREENEW_CONTEXT Context ) { if (Context->TooltipsHandle) { SendMessage(Context->TooltipsHandle, TTM_POP, 0, 0); PhTnpPrepareTooltipPop(Context); } } /** * Performs hit testing on the header control. * * \param Context Pointer to the treenew context structure. * \param Fixed TRUE to test the fixed header, FALSE for the normal header. * \param Point Pointer to the point to test. * \param ItemRect Pointer to receive the item rectangle, or NULL. * \return Pointer to the column under the point, or NULL. */ PPH_TREENEW_COLUMN PhTnpHitTestHeader( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Fixed, _In_ PPOINT Point, _Out_opt_ PRECT ItemRect ) { PPH_TREENEW_COLUMN column; RECT itemRect; if (ItemRect) { memset(ItemRect, 0, sizeof(RECT)); } if (Fixed) { if (!Context->FixedColumnVisible) return NULL; column = Context->FixedColumn; if (!Header_GetItemRect(Context->FixedHeaderHandle, 0, &itemRect)) return NULL; } else { HDHITTESTINFO hitTestInfo; hitTestInfo.pt = *Point; hitTestInfo.flags = 0; hitTestInfo.iItem = INT_ERROR; if (SendMessage(Context->HeaderHandle, HDM_HITTEST, 0, (LPARAM)&hitTestInfo) != INT_ERROR && hitTestInfo.iItem != INT_ERROR) { HDITEM item; item.mask = HDI_LPARAM; if (!Header_GetItem(Context->HeaderHandle, hitTestInfo.iItem, &item)) return NULL; column = (PPH_TREENEW_COLUMN)item.lParam; if (!Header_GetItemRect(Context->HeaderHandle, hitTestInfo.iItem, &itemRect)) return NULL; } else { return NULL; } } if (ItemRect) *ItemRect = itemRect; return column; } /** * Retrieves the tooltip text for a header column. * * \param Context Pointer to the treenew context structure. * \param Fixed TRUE if this is the fixed header, FALSE for normal header. * \param Point Pointer to the point under the cursor. * \param Text Pointer to receive the tooltip text. * \return TRUE if tooltip text was retrieved, FALSE otherwise. */ _Success_(return) BOOLEAN PhTnpGetHeaderTooltipText( _In_ PPH_TREENEW_CONTEXT Context, _In_ BOOLEAN Fixed, _In_ PPOINT Point, _Out_ PPH_STRING *Text ) { LOGICAL result; PPH_TREENEW_COLUMN column; RECT itemRect; PCWSTR text; SIZE_T textCount; HFONT oldFont; HDC hdc; SIZE textSize; column = PhTnpHitTestHeader(Context, Fixed, Point, &itemRect); if (!column) return FALSE; if (Context->TooltipColumnId != column->Id) { // Determine if the tooltip needs to be shown. text = column->Text; textCount = PhCountStringZ(text); if (!(hdc = GetDC(Context->Handle))) return FALSE; oldFont = SelectFont(hdc, Context->Font); result = GetTextExtentPoint32(hdc, text, (ULONG)textCount, &textSize); if (oldFont) SelectFont(hdc, oldFont); ReleaseDC(Context->Handle, hdc); if (!result) return FALSE; if (textSize.cx + Context->TextMarginPadding <= itemRect.right - itemRect.left) // HACK: Magic values (same as our cell margins?) return FALSE; Context->TooltipColumnId = column->Id; PhMoveReference(&Context->TooltipText, PhCreateStringEx(text, textCount * sizeof(WCHAR))); } *Text = Context->TooltipText; // Always use the default parameters for column header tooltips. Context->NewTooltipFont = Context->Font; Context->TooltipUnfolding = FALSE; SendMessage(Context->TooltipsHandle, TTM_SETMAXTIPWIDTH, 0, TNP_TOOLTIPS_DEFAULT_MAXIMUM_WIDTH); return TRUE; } /** * Retrieves the text for a column header. * * \param Context Pointer to the treenew context structure. * \param Column Pointer to the column. * \param Text Pointer to receive the header text as a string reference. * \return TRUE if text was retrieved, FALSE otherwise. */ _Success_(return) BOOLEAN PhTnpGetColumnHeaderText( _In_ PPH_TREENEW_CONTEXT Context, _In_ PPH_TREENEW_COLUMN Column, _Out_ PPH_STRINGREF Text ) { if (Column->Id > Context->HeaderColumnCacheMax) return FALSE; if (Context->HeaderStringCache && Context->HeaderStringCache[Column->Id].Length) { *Text = Context->HeaderStringCache[Column->Id]; return TRUE; } if (Context->HeaderTextCache) { PH_TREENEW_GET_HEADER_TEXT getHeaderText; PhInitializeEmptyStringRef(&getHeaderText.Text); getHeaderText.Column = Column; getHeaderText.TextCache = (PWSTR)&((WCHAR(*)[PH_TREENEW_HEADER_TEXT_SIZE_MAX])Context->HeaderTextCache)[Column->Id]; // HACK (dmex) getHeaderText.TextCacheSize = PH_TREENEW_HEADER_TEXT_SIZE_MAX * sizeof(WCHAR); if (Context->Callback( Context->Handle, TreeNewGetHeaderText, &getHeaderText, NULL, Context->CallbackContext ) && getHeaderText.Text.Buffer) { *Text = getHeaderText.Text; if (Context->HeaderStringCache) // (getHeaderText.Flags & TN_CACHE) { Context->HeaderStringCache[Column->Id] = getHeaderText.Text; } return TRUE; } } return FALSE; } BOOLEAN TnHeaderCustomPaint( _In_ PPH_TREENEW_CONTEXT Context, _In_ LPNMCUSTOMDRAW CustomDraw ) { PPH_TREENEW_COLUMN column; if (!Context->HeaderCustomDraw) return FALSE; if (!(column = (PPH_TREENEW_COLUMN)CustomDraw->lItemlParam)) return FALSE; SetBkMode(CustomDraw->hdc, TRANSPARENT); if (Context->HeaderHotColumn != ULONG_MAX && Context->HeaderHotColumn == column->Id) { if (Context->ThemeSupport) { SetDCBrushColor(CustomDraw->hdc, PhThemeWindowBackground2Color); // PhThemeWindowHighlightColor FillRect(CustomDraw->hdc, &CustomDraw->rc, PhGetStockBrush(DC_BRUSH)); if (Context->HeaderDragging && Context->HeaderHotColumn != ULONG_MAX && Context->HeaderHotColumn == column->Id) { SetDCBrushColor(CustomDraw->hdc, RGB(0, 0, 229)); SelectBrush(CustomDraw->hdc, PhGetStockBrush(DC_BRUSH)); PatBlt(CustomDraw->hdc, CustomDraw->rc.right - 2, CustomDraw->rc.top, 2, CustomDraw->rc.bottom - CustomDraw->rc.top, PATCOPY); } else { SetDCBrushColor(CustomDraw->hdc, Context->ThemeSupport ? RGB(0x5f, 0x5f, 0x5f) : RGB(229, 229, 229)); SelectBrush(CustomDraw->hdc, PhGetStockBrush(DC_BRUSH)); PatBlt(CustomDraw->hdc, CustomDraw->rc.right - 1, CustomDraw->rc.top, 1, CustomDraw->rc.bottom - CustomDraw->rc.top, PATCOPY); //PatBlt(CustomDraw->hdc, CustomDraw->rc.left, CustomDraw->rc.bottom - 1, CustomDraw->rc.right - CustomDraw->rc.left, 1, PATCOPY); } } else { if (Context->HeaderThemeHandle) { INT state; if (CustomDraw->uItemState == (CDIS_SHOWKEYBOARDCUES | CDIS_SELECTED)) state = HIS_PRESSED; else state = HIS_HOT; PhDrawThemeBackground( Context->HeaderThemeHandle, CustomDraw->hdc, HP_HEADERITEM, state, &CustomDraw->rc, NULL ); } else { FillRect(CustomDraw->hdc, &CustomDraw->rc, (HBRUSH)(COLOR_HIGHLIGHT + 1)); } } } else { if (Context->ThemeSupport) { SetDCBrushColor(CustomDraw->hdc, PhThemeWindowBackgroundColor); FillRect(CustomDraw->hdc, &CustomDraw->rc, PhGetStockBrush(DC_BRUSH)); if (Context->HeaderDragging && Context->HeaderHotColumn != ULONG_MAX && Context->HeaderHotColumn == column->Id) { SetDCBrushColor(CustomDraw->hdc, RGB(0, 0, 229)); SelectBrush(CustomDraw->hdc, PhGetStockBrush(DC_BRUSH)); PatBlt(CustomDraw->hdc, CustomDraw->rc.right - 2, CustomDraw->rc.top, 2, CustomDraw->rc.bottom - CustomDraw->rc.top, PATCOPY); } else { SetDCBrushColor(CustomDraw->hdc, Context->ThemeSupport ? RGB(0x5f, 0x5f, 0x5f) : RGB(229, 229, 229)); SelectBrush(CustomDraw->hdc, PhGetStockBrush(DC_BRUSH)); PatBlt(CustomDraw->hdc, CustomDraw->rc.right - 1, CustomDraw->rc.top, 1, CustomDraw->rc.bottom - CustomDraw->rc.top, PATCOPY); //PatBlt(Hdc, CustomDraw->rc.left, CustomDraw->rc.bottom - 1, CustomDraw->rc.right - CustomDraw->rc.left, 1, PATCOPY); } } else if (Context->HeaderThemeHandle) { PhDrawThemeBackground( Context->HeaderThemeHandle, CustomDraw->hdc, HP_HEADERITEM, HIS_NORMAL, &CustomDraw->rc, NULL ); } else { FillRect(CustomDraw->hdc, &CustomDraw->rc, (HBRUSH)(COLOR_WINDOW + 1)); } } if (column->Text) { PCWSTR textBuffer; LONG textLength; RECT textRect; HFONT oldFont; PH_STRINGREF headerString; ULONG fmt = 0; LONG sdf = 0; if (FlagOn(column->Alignment, PH_ALIGN_LEFT)) SetFlag(fmt, HDF_LEFT); else if (FlagOn(column->Alignment, PH_ALIGN_RIGHT)) SetFlag(fmt, HDF_RIGHT); else SetFlag(fmt, HDF_CENTER); if (column->Id == Context->SortColumn) { if (Context->SortOrder == AscendingSortOrder) SetFlag(fmt, HDF_SORTUP); else if (Context->SortOrder == DescendingSortOrder) SetFlag(fmt, HDF_SORTDOWN); if (FlagOn(fmt, HDF_SORTDOWN)) sdf = HSAS_SORTEDDOWN; else if (FlagOn(fmt, HDF_SORTUP)) sdf = HSAS_SORTEDUP; } textBuffer = column->Text; textLength = (LONG)PhCountStringZ(column->Text); textRect = CustomDraw->rc; textRect.left += Context->HeaderTextPadding; textRect.right -= Context->HeaderTextPadding; textRect.bottom -= Context->HeaderTextPadding; textRect.top += Context->HeaderTextMargin; SetTextColor(CustomDraw->hdc, Context->ThemeSupport ? RGB(0x8f, 0x8f, 0x8f) : RGB(97, 116, 139)); // RGB(178, 178, 178) oldFont = SelectFont(CustomDraw->hdc, Context->Font); if (FlagOn(fmt, HDF_RIGHT)) { DrawText( CustomDraw->hdc, textBuffer, textLength, &textRect, DT_SINGLELINE | DT_HIDEPREFIX | DT_WORD_ELLIPSIS | DT_BOTTOM | DT_RIGHT); } else { DrawText(CustomDraw->hdc, textBuffer, textLength, &textRect, DT_SINGLELINE | DT_HIDEPREFIX | DT_WORD_ELLIPSIS | DT_BOTTOM | DT_LEFT); } SelectFont(CustomDraw->hdc, oldFont); if (PhTnpGetColumnHeaderText(Context, column, &headerString)) { SetTextColor(CustomDraw->hdc, Context->ThemeSupport ? RGB(0xff, 0xff, 0xff) : RGB(0, 0, 0)); oldFont = SelectFont(CustomDraw->hdc, Context->HeaderBoldFontHandle); DrawText( CustomDraw->hdc, headerString.Buffer, (LONG)headerString.Length / (LONG)sizeof(WCHAR), &textRect, DT_SINGLELINE | DT_HIDEPREFIX | DT_WORD_ELLIPSIS | DT_TOP | DT_RIGHT); if (oldFont) SelectFont(CustomDraw->hdc, oldFont); } //DrawEdge(CustomDraw->hdc, &CustomDraw->rc, EDGE_SUNKEN, BF_SOFT | BF_RIGHT); SetDCBrushColor(CustomDraw->hdc, Context->ThemeSupport ? RGB(0x5f, 0x5f, 0x5f) : RGB(229, 229, 229)); HBRUSH oldBrush = SelectBrush(CustomDraw->hdc, PhGetStockBrush(DC_BRUSH)); PatBlt(CustomDraw->hdc, CustomDraw->rc.right - 1, CustomDraw->rc.top, 1, CustomDraw->rc.bottom - CustomDraw->rc.top, PATCOPY); SelectBrush(CustomDraw->hdc, oldBrush); if (FlagOn(fmt, HDF_SORTDOWN | HDF_SORTUP)) { if (Context->HeaderThemeHandle) { SIZE sortArrowSize = { 0 }; PhGetThemePartSize( Context->HeaderThemeHandle, CustomDraw->hdc, HP_HEADERSORTARROW, sdf, NULL, THEMEPARTSIZE_TRUE, &sortArrowSize ); CustomDraw->rc.bottom = sortArrowSize.cy; PhDrawThemeBackground( Context->HeaderThemeHandle, CustomDraw->hdc, HP_HEADERSORTARROW, sdf, &CustomDraw->rc, NULL ); } } } return TRUE; } /** * Creates a buffered paint context for the header. * * \param Context Pointer to the treenew context structure. * \param Hdc The device context handle. * \param BufferRect Pointer to the buffer rectangle. */ VOID PhTnpHeaderCreateBufferedContext( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC Hdc, _In_ PRECT BufferRect ) { Context->HeaderBufferedDc = CreateCompatibleDC(Hdc); if (!Context->HeaderBufferedDc) return; Context->HeaderBufferedContextRect = *BufferRect; Context->HeaderBufferedBitmap = CreateCompatibleBitmap( Hdc, Context->HeaderBufferedContextRect.right, Context->HeaderBufferedContextRect.bottom ); Context->HeaderBufferedOldBitmap = SelectBitmap(Context->HeaderBufferedDc, Context->HeaderBufferedBitmap); } /** * Destroys the buffered paint context for the header. * * \param Context Pointer to the treenew context structure. */ VOID PhTnpHeaderDestroyBufferedContext( _In_ PPH_TREENEW_CONTEXT Context ) { if (Context->HeaderBufferedDc && Context->HeaderBufferedOldBitmap) { SelectBitmap(Context->HeaderBufferedDc, Context->HeaderBufferedOldBitmap); Context->HeaderBufferedOldBitmap = NULL; } if (Context->HeaderBufferedBitmap) { DeleteBitmap(Context->HeaderBufferedBitmap); Context->HeaderBufferedBitmap = NULL; } if (Context->HeaderBufferedDc) { DeleteDC(Context->HeaderBufferedDc); Context->HeaderBufferedDc = NULL; } } /** * Window procedure hook for the header control. * * \param WindowHandle Handle to the header window. * \param WindowMessage The message identifier. * \param wParam Additional message-specific information. * \param lParam Additional message-specific information. * \return The result of the message processing. */ LRESULT CALLBACK PhTnpHeaderHookWndProc( _In_ HWND WindowHandle, _In_ UINT WindowMessage, _In_ WPARAM wParam, _In_ LPARAM lParam ) { PPH_TREENEW_CONTEXT context; WNDPROC oldWndProc; if (context = PhGetWindowContext(WindowHandle, MAXCHAR)) { if (WindowHandle == context->FixedHeaderHandle) oldWndProc = context->FixedHeaderWindowProc; else oldWndProc = context->HeaderWindowProc; } else { return DefWindowProc(WindowHandle, WindowMessage, wParam, lParam); } switch (WindowMessage) { case WM_DESTROY: { PhSetWindowProcedure(WindowHandle, oldWndProc); PhRemoveWindowContext(WindowHandle, MAXCHAR); PhTnpHeaderDestroyBufferedContext(context); } break; case WM_MOUSEMOVE: { POINT point; PPH_TREENEW_COLUMN column; ULONG id; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); column = PhTnpHitTestHeader(context, WindowHandle == context->FixedHeaderHandle, &point, NULL); if (column) id = column->Id; else id = -1; if (context->TooltipColumnId != id) { PhTnpPopTooltip(context); } } break; case WM_NOTIFY: { NMHDR *header = (NMHDR *)lParam; switch (header->code) { case TTN_GETDISPINFO: { if (header->hwndFrom == context->TooltipsHandle) { NMTTDISPINFO *info = (NMTTDISPINFO *)header; POINT point; PPH_STRING string; if (PhGetClientPos(WindowHandle, &point)) { if (PhTnpGetHeaderTooltipText(context, info->lParam == TNP_TOOLTIPS_FIXED_HEADER, &point, &string)) { info->lpszText = string->Buffer; break; } } } } break; case TTN_SHOW: { if (header->hwndFrom == context->TooltipsHandle) { return PhTnpPrepareTooltipShow(context); } } break; case TTN_POP: { if (header->hwndFrom == context->TooltipsHandle) { PhTnpPrepareTooltipPop(context); } } break; } } break; } switch (WindowMessage) { //case WM_MOUSEMOVE: //case WM_LBUTTONDOWN: //case WM_LBUTTONUP: case WM_RBUTTONDOWN: case WM_RBUTTONUP: case WM_MBUTTONDOWN: case WM_MBUTTONUP: { if (context->TooltipsHandle) { MSG message; message.hwnd = WindowHandle; message.message = WindowMessage; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipsHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } } break; case WM_SETFONT: { HFONT fontHandle = (HFONT)wParam; LOGFONT logFont; if (!context->HeaderCustomDraw) break; if (context->HeaderBoldFontHandle) { DeleteFont(context->HeaderBoldFontHandle); context->HeaderBoldFontHandle = NULL; } if (GetObject(fontHandle, sizeof(LOGFONT), &logFont)) { logFont.lfHeight -= context->HeaderTextMargin; context->HeaderBoldFontHandle = CreateFontIndirect(&logFont); //context->HeaderBoldFontHandle = PhDuplicateFontWithNewHeight(fontHandle, -14); } } break; case WM_MOUSEMOVE: { BOOLEAN redraw = FALSE; if (context->TooltipsHandle) { MSG message; message.hwnd = WindowHandle; message.message = WindowMessage; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipsHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } if (!context->HeaderCustomDraw) break; //if (GetCapture() == WindowHandle) // break; if (!context->HeaderDragging) { ULONG hitcolumn; POINT point; PPH_TREENEW_COLUMN column; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); column = PhTnpHitTestHeader(context, WindowHandle == context->FixedHeaderHandle, &point, NULL); hitcolumn = column ? column->Id : ULONG_MAX; if (context->HeaderHotColumn != hitcolumn) { context->HeaderHotColumn = hitcolumn; //redraw = TRUE; } redraw = TRUE; } if (!context->HeaderMouseActive) { TRACKMOUSEEVENT trackEvent = { sizeof(TRACKMOUSEEVENT), TME_LEAVE, WindowHandle, 0 }; TrackMouseEvent(&trackEvent); context->HeaderMouseActive = TRUE; redraw = TRUE; } if (redraw) { InvalidateRect(WindowHandle, NULL, FALSE); } } break; case WM_CONTEXTMENU: { LRESULT result; if (!context->HeaderCustomDraw) break; result = CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); InvalidateRect(WindowHandle, NULL, FALSE); return result; } break; case WM_LBUTTONDOWN: { LRESULT result; ULONG hitcolumn; POINT point; PPH_TREENEW_COLUMN column; if (context->TooltipsHandle) { MSG message; message.hwnd = WindowHandle; message.message = WindowMessage; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipsHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } if (!context->HeaderCustomDraw) break; point.x = GET_X_LPARAM(lParam); point.y = GET_Y_LPARAM(lParam); column = PhTnpHitTestHeader(context, WindowHandle == context->FixedHeaderHandle, &point, NULL); hitcolumn = column ? column->Id : ULONG_MAX; if (context->HeaderHotColumn != hitcolumn) { context->HeaderHotColumn = hitcolumn; //redraw = TRUE; } InvalidateRect(WindowHandle, NULL, FALSE); result = CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); context->HeaderDragging = TRUE; return result; } break; case WM_LBUTTONUP: { LRESULT result; if (context->TooltipsHandle) { MSG message; message.hwnd = WindowHandle; message.message = WindowMessage; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipsHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } if (!context->HeaderCustomDraw) break; result = CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); context->HeaderDragging = FALSE; return result; } break; case WM_MOUSELEAVE: { LRESULT result; if (context->TooltipsHandle) { MSG message; message.hwnd = WindowHandle; message.message = WindowMessage; message.wParam = wParam; message.lParam = lParam; SendMessage(context->TooltipsHandle, TTM_RELAYEVENT, 0, (LPARAM)&message); } if (!context->HeaderCustomDraw) break; result = CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); context->HeaderMouseActive = FALSE; context->HeaderHotColumn = ULONG_MAX; //if (GetCapture() != WindowHandle) //{ // InvalidateRect(WindowHandle, NULL, FALSE); //} InvalidateRect(WindowHandle, NULL, FALSE); return result; } break; case WM_THEMECHANGED: { if (context->HeaderThemeHandle) { PhCloseThemeData(context->HeaderThemeHandle); context->HeaderThemeHandle = NULL; } context->HeaderThemeHandle = PhOpenThemeData(WindowHandle, VSCLASS_HEADER, context->WindowDpi); } break; } return CallWindowProc(oldWndProc, WindowHandle, WindowMessage, wParam, lParam); } /** * Detects the start of a drag operation. * * \param Context Pointer to the treenew context structure. * \param CursorX The X coordinate of the cursor. * \param CursorY The Y coordinate of the cursor. * \param DispatchMessages TRUE to dispatch messages during drag detection, FALSE otherwise. * \param CancelledByMessage Pointer to receive the message that cancelled the drag, or NULL. * \return TRUE if a drag was detected, FALSE otherwise. */ BOOLEAN PhTnpDetectDrag( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY, _In_ BOOLEAN DispatchMessages, _Out_opt_ PULONG CancelledByMessage ) { RECT dragRect; MSG msg; // Capture mouse input and see if the user moves the mouse beyond the drag rectangle. dragRect.left = CursorX - Context->SystemDragX; dragRect.top = CursorY - Context->SystemDragY; dragRect.right = CursorX + Context->SystemDragX; dragRect.bottom = CursorY + Context->SystemDragY; MapWindowRect(Context->Handle, NULL, &dragRect); SetCapture(Context->Handle); if (CancelledByMessage) *CancelledByMessage = 0; do { // It seems that GetMessage dispatches nonqueued messages directly from kernel-mode, so we // have to use PeekMessage and WaitMessage in order to process WM_CAPTURECHANGED messages. if (PeekMessage(&msg, NULL, 0, 0, PM_REMOVE)) { switch (msg.message) { case WM_LBUTTONDOWN: case WM_LBUTTONUP: case WM_RBUTTONDOWN: case WM_RBUTTONUP: ReleaseCapture(); if (CancelledByMessage) *CancelledByMessage = msg.message; break; case WM_MOUSEMOVE: if (msg.pt.x < dragRect.left || msg.pt.x >= dragRect.right || msg.pt.y < dragRect.top || msg.pt.y >= dragRect.bottom) { if (IsWindow(Context->Handle)) return TRUE; else return FALSE; } break; default: if (DispatchMessages) { TranslateMessage(&msg); DispatchMessage(&msg); } break; } } else { WaitMessage(); } } while (IsWindow(Context->Handle) && GetCapture() == Context->Handle); return FALSE; } /** * Performs drag selection of nodes. * * \param Context Pointer to the treenew context structure. * \param CursorX The starting X coordinate of the cursor. * \param CursorY The starting Y coordinate of the cursor. */ VOID PhTnpDragSelect( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY ) { MSG msg; LONG cursorX; LONG cursorY; BOOLEAN originFixed; RECT dragRect; RECT oldDragRect; RECT windowRect; POINT cursorPoint; BOOLEAN showContextMenu; cursorX = CursorX; cursorY = CursorY; originFixed = cursorX < Context->FixedWidth; dragRect.left = cursorX; dragRect.top = cursorY; dragRect.right = cursorX; dragRect.bottom = cursorY; oldDragRect = dragRect; Context->DragRect = dragRect; Context->DragSelectionActive = TRUE; if (Context->DoubleBuffered) Context->SelectionRectangleAlpha = TRUE; // TODO: Make sure the monitor's color depth is sufficient for alpha-blended selection // rectangles. if (!PhGetWindowRect(Context->Handle, &windowRect)) return; cursorPoint.x = windowRect.left + cursorX; cursorPoint.y = windowRect.top + cursorY; showContextMenu = FALSE; SetCapture(Context->Handle); while (TRUE) { if (!PeekMessage(&msg, NULL, 0, 0, PM_REMOVE)) { BOOLEAN leftOrRight; BOOLEAN aboveOrBelow; // If the cursor is outside of the window, generate some messages so the window keeps // scrolling. leftOrRight = cursorPoint.x < windowRect.left || cursorPoint.x > windowRect.right; aboveOrBelow = cursorPoint.y < windowRect.top || cursorPoint.y > windowRect.bottom; if ((Context->VScrollVisible && aboveOrBelow && PhTnpCanScroll(Context, FALSE, cursorPoint.y > windowRect.bottom)) || (Context->HScrollVisible && leftOrRight && PhTnpCanScroll(Context, TRUE, cursorPoint.x > windowRect.right))) { SetCursorPos(cursorPoint.x, cursorPoint.y); } else { WaitMessage(); } goto EndOfLoop; } cursorPoint = msg.pt; switch (msg.message) { case WM_LBUTTONDOWN: case WM_LBUTTONUP: case WM_RBUTTONDOWN: case WM_MBUTTONDOWN: case WM_MBUTTONUP: ReleaseCapture(); goto EndOfLoop; case WM_RBUTTONUP: ReleaseCapture(); showContextMenu = TRUE; goto EndOfLoop; case WM_MOUSEMOVE: { LONG newCursorX; LONG newCursorY; LONG deltaRows; LONG deltaX; LONG oldVScrollPosition; LONG oldHScrollPosition; LONG newDeltaX; LONG newDeltaY; LONG viewLeft; LONG viewTop; LONG viewRight; LONG viewBottom; LONG temp; RECT totalRect; newCursorX = GET_X_LPARAM(msg.lParam); newCursorY = GET_Y_LPARAM(msg.lParam); // Scroll the window if the cursor is outside of it. deltaRows = 0; deltaX = 0; if (Context->VScrollVisible) { if (cursorPoint.y < windowRect.top) deltaRows = -(windowRect.top - cursorPoint.y + Context->RowHeight - 1) / Context->RowHeight; // scroll up else if (cursorPoint.y >= windowRect.bottom) deltaRows = (cursorPoint.y - windowRect.bottom + Context->RowHeight - 1) / Context->RowHeight; // scroll down } if (Context->HScrollVisible) { if (cursorPoint.x < windowRect.left) deltaX = -(windowRect.left - cursorPoint.x); // scroll left else if (cursorPoint.x >= windowRect.right) deltaX = cursorPoint.x - windowRect.right; // scroll right } oldVScrollPosition = Context->VScrollPosition; oldHScrollPosition = Context->HScrollPosition; if (deltaRows != 0 || deltaX != 0) PhTnpScroll(Context, deltaRows, deltaX); newDeltaX = oldHScrollPosition - Context->HScrollPosition; newDeltaY = (oldVScrollPosition - Context->VScrollPosition) * Context->RowHeight; // Adjust our original drag point for the scrolling. if (!originFixed) cursorX += newDeltaX; cursorY += newDeltaY; // Adjust the old drag rectangle for the scrolling. if (!originFixed) oldDragRect.left += newDeltaX; oldDragRect.top += newDeltaY; if (!originFixed) oldDragRect.right += newDeltaX; oldDragRect.bottom += newDeltaY; // Ensure that the new cursor position is within the content area. viewLeft = Context->FixedColumnVisible ? 0 : -Context->HScrollPosition; viewTop = Context->HeaderHeight - Context->VScrollPosition; viewRight = Context->NormalLeft + Context->TotalViewX - Context->HScrollPosition; viewBottom = Context->HeaderHeight + ((LONG)Context->FlatList->Count - Context->VScrollPosition) * Context->RowHeight; temp = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); viewRight = max(viewRight, temp); temp = Context->ClientRect.bottom - ((!Context->FixedColumnVisible && Context->HScrollVisible) ? Context->HScrollHeight : 0); viewBottom = max(viewBottom, temp); if (newCursorX < viewLeft) newCursorX = viewLeft; if (newCursorX > viewRight) newCursorX = viewRight; if (newCursorY < viewTop) newCursorY = viewTop; if (newCursorY > viewBottom) newCursorY = viewBottom; // Create the new drag rectangle. if (cursorX < newCursorX) { dragRect.left = cursorX; dragRect.right = newCursorX; } else { dragRect.left = newCursorX; dragRect.right = cursorX; } if (cursorY < newCursorY) { dragRect.top = cursorY; dragRect.bottom = newCursorY; } else { dragRect.top = newCursorY; dragRect.bottom = cursorY; } // Has anything changed from before? if (dragRect.left == oldDragRect.left && dragRect.top == oldDragRect.top && dragRect.right == oldDragRect.right && dragRect.bottom == oldDragRect.bottom) { break; } Context->DragRect = dragRect; // Process the selection. totalRect.left = min(dragRect.left, oldDragRect.left); totalRect.top = min(dragRect.top, oldDragRect.top); totalRect.right = max(dragRect.right, oldDragRect.right); totalRect.bottom = max(dragRect.bottom, oldDragRect.bottom); PhTnpProcessDragSelect(Context, (ULONG)msg.wParam, &oldDragRect, &dragRect, &totalRect); // Redraw the drag rectangle. RedrawWindow(Context->Handle, &totalRect, NULL, RDW_INVALIDATE | RDW_UPDATENOW); oldDragRect = dragRect; } break; case WM_MOUSELEAVE: break; // don't process case WM_MOUSEWHEEL: break; // don't process case WM_KEYDOWN: if (msg.wParam == VK_ESCAPE) { ULONG changedStart; ULONG changedEnd; RECT rect; PhTnpSelectRange(Context, ULONG_MAX, ULONG_MAX, TN_SELECT_RESET, &changedStart, &changedEnd); if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } ReleaseCapture(); } break; // don't process case WM_CHAR: break; // don't process default: TranslateMessage(&msg); DispatchMessage(&msg); break; } EndOfLoop: if (GetCapture() != Context->Handle) break; } Context->DragSelectionActive = FALSE; RedrawWindow(Context->Handle, &dragRect, NULL, RDW_INVALIDATE | RDW_UPDATENOW); if (showContextMenu) { // Display a context menu at the original drag point. SendMessage(Context->Handle, WM_CONTEXTMENU, (WPARAM)Context->Handle, MAKELPARAM(windowRect.left + CursorX, windowRect.top + CursorY)); } } /** * Processes drag selection based on mouse movement. * * \param Context Pointer to the treenew context structure. * \param VirtualKeys The state of virtual keys. * \param OldRect Pointer to the previous drag rectangle. * \param NewRect Pointer to the new drag rectangle. * \param TotalRect Pointer to the total drag rectangle. */ VOID PhTnpProcessDragSelect( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG VirtualKeys, _In_ PRECT OldRect, _In_ PRECT NewRect, _In_ PRECT TotalRect ) { LONG firstRow; LONG lastRow; RECT rowRect; LONG i; PPH_TREENEW_NODE node; LONG changedStart; LONG changedEnd; RECT rect; // Determine which rows we need to test. The divisions below must be done on positive integers // to ensure correct rounding. firstRow = (TotalRect->top - Context->HeaderHeight + Context->VScrollPosition * Context->RowHeight) / Context->RowHeight; lastRow = (TotalRect->bottom - 1 - Context->HeaderHeight + Context->VScrollPosition * Context->RowHeight) / Context->RowHeight; if (firstRow < 0) firstRow = 0; if (lastRow >= (LONG)Context->FlatList->Count) lastRow = Context->FlatList->Count - 1; rowRect.left = 0; rowRect.top = Context->HeaderHeight + (firstRow - Context->VScrollPosition) * Context->RowHeight; rowRect.right = Context->NormalLeft + Context->TotalViewX - Context->HScrollPosition; rowRect.bottom = rowRect.top + Context->RowHeight; changedStart = lastRow; changedEnd = firstRow; // Process the rows. for (i = firstRow; i <= lastRow; i++) { BOOLEAN inOldRect; BOOLEAN inNewRect; node = Context->FlatList->Items[i]; inOldRect = rowRect.top < OldRect->bottom && rowRect.bottom > OldRect->top && rowRect.left < OldRect->right && rowRect.right > OldRect->left; inNewRect = rowRect.top < NewRect->bottom && rowRect.bottom > NewRect->top && rowRect.left < NewRect->right && rowRect.right > NewRect->left; if (VirtualKeys & MK_CONTROL) { if (!node->Unselectable && inOldRect != inNewRect) { node->Selected = !node->Selected; if (changedStart > i) changedStart = i; if (changedEnd < i) changedEnd = i; } } else { if (!node->Unselectable && inOldRect != inNewRect) { node->Selected = inNewRect; if (changedStart > i) changedStart = i; if (changedEnd < i) changedEnd = i; } } rowRect.top = rowRect.bottom; rowRect.bottom += Context->RowHeight; } if (changedStart <= changedEnd) { Context->Callback(Context->Handle, TreeNewSelectionChanged, NULL, NULL, Context->CallbackContext); } if (PhTnpGetRowRects(Context, changedStart, changedEnd, TRUE, &rect)) { InvalidateRect(Context->Handle, &rect, FALSE); } } /** * Creates a buffered device context and bitmap for double-buffered drawing. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Hdc Handle to the device context to be buffered. */ VOID PhTnpCreateBufferedContext( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC Hdc ) { Context->BufferedContext = CreateCompatibleDC(Hdc); if (!Context->BufferedContext) return; Context->BufferedContextRect = Context->ClientRect; Context->BufferedBitmap = CreateCompatibleBitmap( Hdc, Context->BufferedContextRect.right + 1, // leave one extra pixel for divider animation Context->BufferedContextRect.bottom ); if (!Context->BufferedBitmap) { DeleteDC(Context->BufferedContext); Context->BufferedContext = NULL; return; } Context->BufferedOldBitmap = SelectBitmap(Context->BufferedContext, Context->BufferedBitmap); } /** * Destroys the buffered device context and bitmap, cleaning up resources. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpDestroyBufferedContext( _In_ PPH_TREENEW_CONTEXT Context ) { // The original bitmap must be selected back into the context, otherwise the bitmap can't be // deleted. if (Context->BufferedOldBitmap) { SelectBitmap(Context->BufferedContext, Context->BufferedOldBitmap); Context->BufferedOldBitmap = NULL; } if (Context->BufferedBitmap) { DeleteBitmap(Context->BufferedBitmap); Context->BufferedBitmap = NULL; } if (Context->BufferedContext) { DeleteDC(Context->BufferedContext); Context->BufferedContext = NULL; } } /** * Sends a message to a TreeNew window, handling custom messages if needed. * * \param WindowHandle Handle to the window. * \param WindowMessage Message to send. * \param wParam WPARAM for the message. * \param lParam LPARAM for the message. * \return The result of the message processing. */ LRESULT PhTnSendMessage( _In_ HWND WindowHandle, _In_ ULONG WindowMessage, _Pre_maybenull_ _Post_valid_ WPARAM wParam, _Pre_maybenull_ _Post_valid_ LPARAM lParam ) { if (WindowMessage >= TNM_FIRST && WindowMessage <= TNM_LAST) { #if defined(DEBUG) PPH_TREENEW_CONTEXT context; #else PVOID context; #endif if (context = PhGetWindowContextEx(WindowHandle)) { #if defined(DEBUG) assert(context->UniqueThread == NtCurrentThreadId()); #endif return PhTnpOnUserMessage(WindowHandle, context, WindowMessage, wParam, lParam); } } #if defined(DEBUG) assert(FALSE); #endif return SendMessage(WindowHandle, WindowMessage, wParam, lParam); } // // Drag-reorder // /** * Draws the insertion caret for drag-reorder operations. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param Hdc Handle to the device context to draw on. */ VOID PhTnpDrawInsertionCaret( _In_ PPH_TREENEW_CONTEXT Context, _In_ HDC Hdc ) { RECT r; HPEN old; COLORREF prev; r = Context->ReorderInsertRect; if (r.right <= r.left || r.bottom <= r.top) return; old = SelectPen(Hdc, PhGetStockPen(DC_PEN)); prev = SetDCPenColor(Hdc, RGB(0, 120, 215)); // Windows accent blue-ish POINT pts[2]; pts[0].x = r.left; pts[0].y = (r.top + r.bottom) / 2; pts[1].x = r.right; pts[1].y = pts[0].y; Polyline(Hdc, pts, 2); SetDCPenColor(Hdc, prev); if (old) SelectPen(Hdc, old); } /** * Invalidates the region occupied by the drag-reorder insertion caret. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpReorderInvalidateCaret( _In_ PPH_TREENEW_CONTEXT Context ) { if (Context->ReorderInsertRect.right > Context->ReorderInsertRect.left && Context->ReorderInsertRect.bottom > Context->ReorderInsertRect.top) { InvalidateRect(Context->Handle, &Context->ReorderInsertRect, FALSE); } } /** * Updates the rectangle for the drag-reorder insertion caret based on the current target index. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpReorderUpdateCaretRect( _In_ PPH_TREENEW_CONTEXT Context ) { // Compute y position for insertion caret LONG viewLeft = 0; LONG viewRight = Context->ClientRect.right - (Context->VScrollVisible ? Context->VScrollWidth : 0); LONG rowYTop = Context->HeaderHeight + ((LONG)Context->ReorderTargetIndex - Context->VScrollPosition) * Context->RowHeight; if (Context->ReorderDropAfter) { rowYTop += Context->RowHeight; } RECT rect; rect.left = viewLeft; rect.right = viewRight; rect.top = rowYTop - 1; rect.bottom = rowYTop + 1; memcpy(&Context->ReorderInsertRect, &rect, sizeof(RECT)); } /** * Begins a drag-reorder operation. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param SourceIndex Index of the node being dragged. */ VOID PhTnpReorderBegin( _In_ PPH_TREENEW_CONTEXT Context, _In_ ULONG SourceIndex ) { Context->ReorderDragActive = TRUE; Context->ReorderSourceIndex = SourceIndex; Context->ReorderTargetIndex = SourceIndex; Context->ReorderDropAfter = FALSE; Context->ReorderJustStarted = TRUE; SetCapture(Context->Handle); if (!Context->ReorderCursor) Context->ReorderCursor = PhLoadCursor(NULL, IDC_SIZENS); } /** * Cancels an active drag-reorder operation and notifies the callback. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpReorderCancel( _In_ PPH_TREENEW_CONTEXT Context ) { if (!Context->ReorderDragActive) return; { PH_TREENEW_REORDER_EVENT reorderEvent; memset(&reorderEvent, 0, sizeof(PH_TREENEW_REORDER_EVENT)); reorderEvent.Source = (Context->ReorderSourceIndex < Context->FlatList->Count) ? (PPH_TREENEW_NODE)Context->FlatList->Items[Context->ReorderSourceIndex] : NULL; reorderEvent.Target = (Context->ReorderTargetIndex < Context->FlatList->Count) ? (PPH_TREENEW_NODE)Context->FlatList->Items[Context->ReorderTargetIndex] : NULL; reorderEvent.DropAfter = Context->ReorderDropAfter; Context->Callback(Context->Handle, TreeNewReorderCancel, &reorderEvent, NULL, Context->CallbackContext); } PhTnpReorderInvalidateCaret(Context); memset(&Context->ReorderInsertRect, 0, sizeof(Context->ReorderInsertRect)); Context->ReorderDragActive = FALSE; ReleaseCapture(); InvalidateRect(Context->Handle, NULL, FALSE); } /** * Commits a drag-reorder operation, notifies the callback, and updates the UI. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. */ VOID PhTnpReorderCommit( _In_ PPH_TREENEW_CONTEXT Context ) { PH_TREENEW_REORDER_EVENT reorderEvent; if (!Context->ReorderDragActive) return; // No-op if same place //if (Context->ReorderSourceIndex == Context->ReorderTargetIndex && // !Context->ReorderDropAfter) //{ // PhTnpReorderCancel(Context); // return; //} memset(&reorderEvent, 0, sizeof(PH_TREENEW_REORDER_EVENT)); reorderEvent.Source = (Context->ReorderSourceIndex < Context->FlatList->Count) ? (PPH_TREENEW_NODE)Context->FlatList->Items[Context->ReorderSourceIndex] : NULL; reorderEvent.Target = (Context->ReorderTargetIndex < Context->FlatList->Count) ? (PPH_TREENEW_NODE)Context->FlatList->Items[Context->ReorderTargetIndex] : NULL; reorderEvent.DropAfter = Context->ReorderDropAfter; reorderEvent.Allow = TRUE; Context->Callback(Context->Handle, TreeNewReorderCommit, &reorderEvent, NULL, Context->CallbackContext); PhTnpReorderInvalidateCaret(Context); Context->ReorderInsertRect = (RECT){ 0 }; Context->ReorderDragActive = FALSE; ReleaseCapture(); // Parent should reorder underlying data and then trigger TNM_NODESSTRUCTURED InvalidateRect(Context->Handle, NULL, FALSE); } /** * Updates the drag-reorder target index and caret based on the current cursor position. * * \param Context Pointer to the PPH_TREENEW_CONTEXT structure. * \param CursorX X coordinate of the cursor. * \param CursorY Y coordinate of the cursor. */ VOID PhTnpReorderUpdate( _In_ PPH_TREENEW_CONTEXT Context, _In_ LONG CursorX, _In_ LONG CursorY ) { LONG y; ULONG idx; if (Context->FlatList->Count == 0) return; // Update target index and caret based on cursor position y = CursorY; if (y < Context->HeaderHeight) y = Context->HeaderHeight; idx = (y - Context->HeaderHeight) / Context->RowHeight + Context->VScrollPosition; if (idx >= Context->FlatList->Count) idx = Context->FlatList->Count - 1; BOOLEAN dropAfter = FALSE; LONG localYTop = Context->HeaderHeight + ((LONG)idx - Context->VScrollPosition) * Context->RowHeight; LONG mid = localYTop + (Context->RowHeight / 2); if (CursorY >= mid) { dropAfter = TRUE; } if (idx != Context->ReorderTargetIndex || dropAfter != Context->ReorderDropAfter) { PH_TREENEW_REORDER_EVENT reorderEvent; memset(&reorderEvent, 0, sizeof(PH_TREENEW_REORDER_EVENT)); reorderEvent.Source = (Context->ReorderSourceIndex < Context->FlatList->Count) ? (PPH_TREENEW_NODE)Context->FlatList->Items[Context->ReorderSourceIndex] : NULL; reorderEvent.Target = (idx < Context->FlatList->Count) ? (PPH_TREENEW_NODE)Context->FlatList->Items[idx] : NULL; reorderEvent.DropAfter = dropAfter; reorderEvent.Allow = TRUE; Context->Callback(Context->Handle, TreeNewReorderOver, &reorderEvent, NULL, Context->CallbackContext); if (reorderEvent.Allow) { PhTnpReorderInvalidateCaret(Context); Context->ReorderTargetIndex = idx; Context->ReorderDropAfter = dropAfter; PhTnpReorderUpdateCaretRect(Context); InvalidateRect(Context->Handle, &Context->ReorderInsertRect, FALSE); } } } ================================================ FILE: phlib/util.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * dmex 2017-2024 * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #if defined(PH_BUILD_MSIX) #include #include #endif DECLSPEC_SELECTANY CONST WCHAR *PhSizeUnitNames[7] = { L"B", L"kB", L"MB", L"GB", L"TB", L"PB", L"EB" }; DECLSPEC_SELECTANY ULONG PhMaxSizeUnit = ULONG_MAX; DECLSPEC_SELECTANY USHORT PhMaxPrecisionUnit = 2; DECLSPEC_SELECTANY FLOAT PhMaxPrecisionLimit = 0.01f; /** * Ensures a rectangle is positioned within the specified bounds. * * \param Rectangle The rectangle to be adjusted. * \param Bounds The bounds. * * \remarks If the rectangle is too large to fit inside the bounds, it is positioned at the top-left * of the bounds. */ VOID PhAdjustRectangleToBounds( _Inout_ PPH_RECTANGLE Rectangle, _In_ PPH_RECTANGLE Bounds ) { if (Rectangle->Left + Rectangle->Width > Bounds->Left + Bounds->Width) Rectangle->Left = Bounds->Left + Bounds->Width - Rectangle->Width; if (Rectangle->Top + Rectangle->Height > Bounds->Top + Bounds->Height) Rectangle->Top = Bounds->Top + Bounds->Height - Rectangle->Height; if (Rectangle->Left < Bounds->Left) Rectangle->Left = Bounds->Left; if (Rectangle->Top < Bounds->Top) Rectangle->Top = Bounds->Top; if (Rectangle->Width > Bounds->Width) Rectangle->Width = Bounds->Width; if (Rectangle->Height > Bounds->Height) Rectangle->Height = Bounds->Height; } /** * Positions a rectangle in the center of the specified bounds. * * \param Rectangle The rectangle to be adjusted. * \param Bounds The bounds. */ VOID PhCenterRectangle( _Inout_ PPH_RECTANGLE Rectangle, _In_ PPH_RECTANGLE Bounds ) { Rectangle->Left = Bounds->Left + (Bounds->Width - Rectangle->Width) / 2; Rectangle->Top = Bounds->Top + (Bounds->Height - Rectangle->Height) / 2; } /** * Ensures a rectangle is positioned within the working area of the specified window's monitor. * * \param WindowHandle A handle to a window. If NULL, the monitor closest to \a Rectangle is used. * \param Rectangle The rectangle to be adjusted. */ VOID PhAdjustRectangleToWorkingArea( _In_opt_ HWND WindowHandle, _Inout_ PPH_RECTANGLE Rectangle ) { HMONITOR monitor; MONITORINFO monitorInfo; if (WindowHandle) { monitor = MonitorFromWindow(WindowHandle, MONITOR_DEFAULTTONEAREST); } else { RECT rect = { 0 }; PhRectangleToRect(&rect, Rectangle); monitor = MonitorFromRect(&rect, MONITOR_DEFAULTTONEAREST); } RtlZeroMemory(&monitorInfo, sizeof(MONITORINFO)); monitorInfo.cbSize = sizeof(MONITORINFO); if (GetMonitorInfo(monitor, &monitorInfo)) { PH_RECTANGLE bounds = { 0 }; PhRectToRectangle(&bounds, &monitorInfo.rcWork); PhAdjustRectangleToBounds(Rectangle, &bounds); } } /** * Centers a window. * * \param WindowHandle The window to center. * \param ParentWindowHandle If specified, the window will be positioned at the center of this * window. Otherwise, the window will be positioned at the center of the monitor. */ VOID PhCenterWindow( _In_ HWND WindowHandle, _In_opt_ HWND ParentWindowHandle ) { if (ParentWindowHandle) { RECT rect, parentRect; PH_RECTANGLE rectangle = { 0 }; PH_RECTANGLE parentRectangle = { 0 }; if (!IsWindowVisible(ParentWindowHandle) || IsMinimized(ParentWindowHandle)) return; if (!PhGetWindowRect(WindowHandle, &rect)) return; if (!PhGetWindowRect(ParentWindowHandle, &parentRect)) return; PhRectToRectangle(&rectangle, &rect); PhRectToRectangle(&parentRectangle, &parentRect); PhCenterRectangle(&rectangle, &parentRectangle); PhAdjustRectangleToWorkingArea(WindowHandle, &rectangle); MoveWindow(WindowHandle, rectangle.Left, rectangle.Top, rectangle.Width, rectangle.Height, FALSE); } else { MONITORINFO monitorInfo; RtlZeroMemory(&monitorInfo, sizeof(MONITORINFO)); monitorInfo.cbSize = sizeof(MONITORINFO); if (GetMonitorInfo( MonitorFromWindow(WindowHandle, MONITOR_DEFAULTTONEAREST), &monitorInfo )) { RECT rect; PH_RECTANGLE rectangle = { 0 };; PH_RECTANGLE bounds = { 0 };; if (!PhGetWindowRect(WindowHandle, &rect)) return; PhRectToRectangle(&rectangle, &rect); PhRectToRectangle(&bounds, &monitorInfo.rcWork); PhCenterRectangle(&rectangle, &bounds); MoveWindow(WindowHandle, rectangle.Left, rectangle.Top, rectangle.Width, rectangle.Height, FALSE); } } } /** * Moves a window to the specified monitor. * * \param WindowHandle The window to move. * \param MonitorHandle The monitor to move the window to. * \return Successful or errant status. */ NTSTATUS PhMoveWindowToMonitor( _In_ HWND WindowHandle, _In_ HMONITOR MonitorHandle ) { MONITORINFO currentMonitorInfo; MONITORINFO targetMonitorInfo; PH_RECTANGLE rectangle = { 0 }; PH_RECTANGLE bounds = { 0 }; HMONITOR monitor; RECT windowRect; RECT targetRect; // Get window position if (!PhGetWindowRect(WindowHandle, &windowRect)) return PhGetLastWin32ErrorAsNtStatus(); // Get current monitor memset(¤tMonitorInfo, 0, sizeof(MONITORINFO)); currentMonitorInfo.cbSize = sizeof(currentMonitorInfo); monitor = MonitorFromWindow(WindowHandle, MONITOR_DEFAULTTONEAREST); if (!GetMonitorInfo(monitor, ¤tMonitorInfo)) return PhGetLastWin32ErrorAsNtStatus(); // Get target monitor memset(&targetMonitorInfo, 0, sizeof(MONITORINFO)); targetMonitorInfo.cbSize = sizeof(targetMonitorInfo); if (!GetMonitorInfo(MonitorHandle, &targetMonitorInfo)) return PhGetLastWin32ErrorAsNtStatus(); // Calculate relative position RECT currentMonitorRect = currentMonitorInfo.rcMonitor; LONG left = windowRect.left - currentMonitorRect.left; LONG top = windowRect.top - currentMonitorRect.top; LONG width = windowRect.right - windowRect.left; LONG height = windowRect.bottom - windowRect.top; targetRect.left = targetMonitorInfo.rcMonitor.left + left; targetRect.top = targetMonitorInfo.rcMonitor.top + top; targetRect.right = targetRect.left + width; targetRect.bottom = targetRect.top + height; // Adjust relative position PhRectToRectangle(&rectangle, &targetRect); PhRectToRectangle(&bounds, &targetMonitorInfo.rcWork); PhAdjustRectangleToBounds(&rectangle, &bounds); MoveWindow(WindowHandle, rectangle.Left, rectangle.Top, rectangle.Width, rectangle.Height, TRUE); return STATUS_SUCCESS; } /** * Retrieves the system default locale identifier. * \return The system default locale identifier. */ LCID PhGetSystemDefaultLCID( VOID ) { #if defined(PHNT_NATIVE_LOCALE) return GetSystemDefaultLCID(); #else LCID localeId = LOCALE_SYSTEM_DEFAULT; // rev from GetSystemDefaultLCID (dmex) if (NT_SUCCESS(NtQueryDefaultLocale(FALSE, &localeId))) return localeId; return MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT); #endif } /** * Retrieves the user default locale identifier. * \return The user default locale identifier. */ LCID PhGetUserDefaultLCID( VOID ) { #if defined(PHNT_NATIVE_LOCALE) return GetUserDefaultLCID(); #else LCID localeId = LOCALE_USER_DEFAULT; // rev from GetUserDefaultLCID (dmex) if (NT_SUCCESS(NtQueryDefaultLocale(TRUE, &localeId))) return localeId; return MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT); #endif } /** * Retrieves a boolean value from the user locale information. * * \param LCType The type of locale information to retrieve. * \return TRUE if the value is '1', otherwise FALSE. */ BOOLEAN PhGetUserLocaleInfoBool( _In_ LCTYPE LCType ) { WCHAR value[4]; if (GetLocaleInfoEx(LOCALE_NAME_USER_DEFAULT, LCType, value, 4)) { if (value[0] == L'1') return TRUE; } return FALSE; } /** * Retrieves the locale identifier for the current thread. * \return The locale identifier for the current thread. */ LCID PhGetCurrentThreadLCID( VOID ) { #if defined(PHNT_NATIVE_LOCALE) return GetThreadLocale(); #else PTEB currentTeb; // rev from GetThreadLocale (dmex) currentTeb = NtCurrentTeb(); if (!currentTeb->CurrentLocale) currentTeb->CurrentLocale = PhGetUserDefaultLCID(); if (currentTeb->CurrentLocale == LOCALE_CUSTOM_DEFAULT) currentTeb->CurrentLocale = MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT); if (currentTeb->CurrentLocale == LOCALE_CUSTOM_UNSPECIFIED) currentTeb->CurrentLocale = MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT); return currentTeb->CurrentLocale; #endif } /** * Retrieves the system default language identifier. * \return The system default language identifier. */ LANGID PhGetSystemDefaultLangID( VOID ) { #if defined(PHNT_NATIVE_LOCALE) return GetSystemDefaultLangID(); #else // rev from GetSystemDefaultLangID (dmex) return LANGIDFROMLCID(PhGetSystemDefaultLCID()); #endif } /** * Retrieves the user default language identifier. * \return The user default language identifier. */ LANGID PhGetUserDefaultLangID( VOID ) { #if defined(PHNT_NATIVE_LOCALE) return GetUserDefaultLangID(); #else // rev from GetUserDefaultLangID (dmex) return LANGIDFROMLCID(PhGetUserDefaultLCID()); #endif } /** * Retrieves the user default UI language identifier. * \return The user default UI language identifier. */ LANGID PhGetUserDefaultUILanguage( VOID ) { #if defined(PHNT_NATIVE_LOCALE) return GetUserDefaultUILanguage(); #else LANGID languageId; // rev from GetUserDefaultUILanguage (dmex) if (NT_SUCCESS(NtQueryDefaultUILanguage(&languageId))) return languageId; if (NT_SUCCESS(NtQueryInstallUILanguage(&languageId))) return languageId; return MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT); #endif } /** * Retrieves the user default locale name. * \return A string containing the user default locale name. */ PPH_STRING PhGetUserDefaultLocaleName( VOID ) { #if defined(PHNT_NATIVE_LOCALE) ULONG localNameLength; WCHAR localeName[LOCALE_NAME_MAX_LENGTH] = { UNICODE_NULL }; localNameLength = GetUserDefaultLocaleName(localeName, RTL_NUMBER_OF(localeName)); if (localNameLength > sizeof(UNICODE_NULL)) { return PhCreateStringEx(localeName, localNameLength - sizeof(UNICODE_NULL)); } #else UNICODE_STRING localeNameUs; WCHAR localeName[LOCALE_NAME_MAX_LENGTH] = { UNICODE_NULL }; // rev from GetUserDefaultLocaleName (dmex) RtlInitEmptyUnicodeString(&localeNameUs, localeName, sizeof(localeName)); if (NT_SUCCESS(RtlLcidToLocaleName(PhGetUserDefaultLCID(), &localeNameUs, 0, FALSE))) { return PhCreateStringFromUnicodeString(&localeNameUs); } #endif return NULL; } /** * Converts a locale identifier to a locale name. * * \param lcid The locale identifier. * \return A string containing the locale name. */ PPH_STRING PhLCIDToLocaleName( _In_ LCID lcid ) { #if defined(PHNT_NATIVE_LOCALE) ULONG localNameLength; WCHAR localeName[LOCALE_NAME_MAX_LENGTH] = { UNICODE_NULL }; localNameLength = LCIDToLocaleName(lcid, localeName, RTL_NUMBER_OF(localeName), 0); if (localNameLength > sizeof(UNICODE_NULL)) { return PhCreateStringEx(localeName, localNameLength - sizeof(UNICODE_NULL)); } #else UNICODE_STRING localeNameUs; WCHAR localeName[LOCALE_NAME_MAX_LENGTH] = { UNICODE_NULL }; // rev from LCIDToLocaleName (dmex) RtlInitEmptyUnicodeString(&localeNameUs, localeName, sizeof(localeName)); if (lcid) { if (NT_SUCCESS(RtlLcidToLocaleName(lcid, &localeNameUs, 0, FALSE))) { return PhCreateStringFromUnicodeString(&localeNameUs); } } else // Return the current user locale when zero is specified. { if (NT_SUCCESS(RtlLcidToLocaleName(PhGetUserDefaultLCID(), &localeNameUs, 0, FALSE))) { return PhCreateStringFromUnicodeString(&localeNameUs); } } #endif return NULL; } /** * Converts a LARGE_INTEGER time value to a SYSTEMTIME structure. * * \param SystemTime The destination SYSTEMTIME structure. * \param LargeInteger The source LARGE_INTEGER time value. */ VOID PhLargeIntegerToSystemTime( _Out_ PSYSTEMTIME SystemTime, _In_ PLARGE_INTEGER LargeInteger ) { #if defined(PHNT_NATIVE_TIME) FILETIME fileTime; fileTime.dwLowDateTime = LargeInteger->LowPart; fileTime.dwHighDateTime = LargeInteger->HighPart; FileTimeToSystemTime(&fileTime, SystemTime); #else TIME_FIELDS timeFields; RtlZeroMemory(&timeFields, sizeof(TIME_FIELDS)); RtlTimeToTimeFields(LargeInteger, &timeFields); SystemTime->wYear = timeFields.Year; SystemTime->wMonth = timeFields.Month; SystemTime->wDay = timeFields.Day; SystemTime->wHour = timeFields.Hour; SystemTime->wMinute = timeFields.Minute; SystemTime->wSecond = timeFields.Second; SystemTime->wMilliseconds = timeFields.Milliseconds; SystemTime->wDayOfWeek = timeFields.Weekday; #endif } BOOLEAN PhSystemTimeToLargeInteger( _Out_ PLARGE_INTEGER LargeInteger, _In_ PSYSTEMTIME SystemTime ) { #if defined(PHNT_NATIVE_TIME) FILETIME fileTime; if (!SystemTimeToFileTime(SystemTime, &fileTime)) return FALSE; LargeInteger->LowPart = fileTime.dwLowDateTime; LargeInteger->HighPart = fileTime.dwHighDateTime; return TRUE; #else TIME_FIELDS timeFields; RtlZeroMemory(&timeFields, sizeof(TIME_FIELDS)); timeFields.Year = SystemTime->wYear; timeFields.Month = SystemTime->wMonth; timeFields.Day = SystemTime->wDay; timeFields.Hour = SystemTime->wHour; timeFields.Minute = SystemTime->wMinute; timeFields.Second = SystemTime->wSecond; timeFields.Milliseconds = SystemTime->wMilliseconds; timeFields.Weekday = SystemTime->wDayOfWeek; return RtlTimeFieldsToTime(&timeFields, LargeInteger); #endif } VOID PhLargeIntegerToLocalSystemTime( _Out_ PSYSTEMTIME SystemTime, _In_ PLARGE_INTEGER LargeInteger ) { #if defined(PHNT_NATIVE_TIME) FILETIME fileTime; FILETIME newFileTime; fileTime.dwLowDateTime = LargeInteger->LowPart; fileTime.dwHighDateTime = LargeInteger->HighPart; FileTimeToLocalFileTime(&fileTime, &newFileTime); FileTimeToSystemTime(&newFileTime, SystemTime); #else LARGE_INTEGER timeZoneBias; LARGE_INTEGER fileTime; PhQueryTimeZoneBias(&timeZoneBias); fileTime.LowPart = LargeInteger->LowPart; fileTime.HighPart = LargeInteger->HighPart; fileTime.QuadPart -= timeZoneBias.QuadPart; PhLargeIntegerToSystemTime(SystemTime, &fileTime); #endif } BOOLEAN PhLocalSystemTimeToLargeInteger( _Out_ PLARGE_INTEGER LargeInteger, _In_ PSYSTEMTIME SystemTime ) { LARGE_INTEGER timeZoneBias; if (!PhSystemTimeToLargeInteger(LargeInteger, SystemTime)) return FALSE; PhQueryTimeZoneBias(&timeZoneBias); LargeInteger->QuadPart += timeZoneBias.QuadPart; return TRUE; } BOOLEAN PhSystemTimeToTzSpecificLocalTime( _In_ CONST SYSTEMTIME* UniversalTime, _Out_ PSYSTEMTIME LocalTime ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&SystemTimeToTzSpecificLocalTimeEx) SystemTimeToTzSpecificLocalTimeEx_I = NULL; if (PhBeginInitOnce(&initOnce)) { SystemTimeToTzSpecificLocalTimeEx_I = PhGetDllProcedureAddressZ(L"kernel32.dll", "SystemTimeToTzSpecificLocalTimeEx", 0); PhEndInitOnce(&initOnce); } memset(LocalTime, 0, sizeof(SYSTEMTIME)); if (SystemTimeToTzSpecificLocalTimeEx_I) { return !!SystemTimeToTzSpecificLocalTimeEx_I(NULL, UniversalTime, LocalTime); } return !!SystemTimeToTzSpecificLocalTime(NULL, UniversalTime, LocalTime); } /** * Gets a string stored in a DLL's message table. * * \param DllHandle The base address of the DLL. * \param MessageTableId The identifier of the message table. * \param MessageLanguageId The language ID of the message. * \param MessageId The identifier of the message. * * \return A pointer to a string containing the message. You must free the string using * PhDereferenceObject() when you no longer need it. */ PPH_STRING PhGetMessage( _In_ PVOID DllHandle, _In_ ULONG MessageTableId, _In_ ULONG MessageLanguageId, _In_ ULONG MessageId ) { NTSTATUS status; PMESSAGE_RESOURCE_ENTRY messageEntry; status = RtlFindMessage( DllHandle, MessageTableId, MessageLanguageId, MessageId, &messageEntry ); // Try using the system LANGID. if (!NT_SUCCESS(status)) { status = RtlFindMessage( DllHandle, MessageTableId, PhGetSystemDefaultLangID(), MessageId, &messageEntry ); } // Try using U.S. English. if (!NT_SUCCESS(status)) { status = RtlFindMessage( DllHandle, MessageTableId, MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), MessageId, &messageEntry ); } if (!NT_SUCCESS(status)) return NULL; // dmex: We don't support parsing insert sequences. if (messageEntry->Text[0] == L'%') return NULL; if (messageEntry->Flags & MESSAGE_RESOURCE_UNICODE) return PhCreateStringEx((PWCHAR)messageEntry->Text, messageEntry->Length); else if (messageEntry->Flags & MESSAGE_RESOURCE_UTF8) return PhConvertUtf8ToUtf16Ex((PCHAR)messageEntry->Text, messageEntry->Length); else return PhConvertMultiByteToUtf16Ex((PCHAR)messageEntry->Text, messageEntry->Length); } /** * Gets a message describing a NT status value. * * \param Status The NT status value. */ PPH_STRING PhGetNtMessage( _In_ NTSTATUS Status ) { PPH_STRING message; if (NT_CUSTOMER(Status)) message = PhGetMessage(PhGetLoaderEntryDllBase(NULL, NULL), 0xb, PhGetUserDefaultLangID(), (ULONG)Status); else if (!NT_NTWIN32(Status)) message = PhGetMessage(PhGetLoaderEntryDllBaseZ(L"ntdll.dll"), 0xb, PhGetUserDefaultLangID(), (ULONG)Status); else message = PhGetWin32Message(PhNtStatusToDosError(Status)); if (PhIsNullOrEmptyString(message)) return message; PhTrimToNullTerminatorString(message); // Remove any trailing newline. if (message->Length >= 2 * sizeof(WCHAR) && message->Buffer[message->Length / sizeof(WCHAR) - 2] == L'\r' && message->Buffer[message->Length / sizeof(WCHAR) - 1] == L'\n') { PhMoveReference(&message, PhCreateStringEx(message->Buffer, message->Length - 2 * sizeof(WCHAR))); } // Fix those messages which are formatted like: // {Asdf}\r\nAsdf asdf asdf... if (message->Buffer[0] == L'{') { PH_STRINGREF titlePart; PH_STRINGREF remainingPart; if (PhSplitStringRefAtChar(&message->sr, L'\n', &titlePart, &remainingPart)) PhMoveReference(&message, PhCreateString2(&remainingPart)); } return message; } /** * Gets a message describing a Win32 error code. * * \param Result The Win32 error code. */ PPH_STRING PhGetWin32Message( _In_ ULONG Result ) { PPH_STRING message; message = PhGetMessage(PhGetLoaderEntryDllBaseZ(L"kernel32.dll"), 0xb, PhGetUserDefaultLangID(), Result); if (message) { PhTrimToNullTerminatorString(message); // Remove any trailing newline. if (message && message->Length >= 2 * sizeof(WCHAR) && message->Buffer[message->Length / sizeof(WCHAR) - 2] == L'\r' && message->Buffer[message->Length / sizeof(WCHAR) - 1] == L'\n') { PhMoveReference(&message, PhCreateStringEx(message->Buffer, message->Length - 2 * sizeof(WCHAR))); } } else { message = PhGetWin32FormatMessage(Result); } return message; } PPH_STRING PhGetWin32FormatMessage( _In_ ULONG Result ) { PPH_STRING messageString = NULL; ULONG messageLength = 0; PWSTR messageBuffer = NULL; messageLength = FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM, NULL, Result, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (PWSTR)&messageBuffer, 0, NULL ); if (messageBuffer) { if (messageLength) { ULONG_PTR index; PH_STRINGREF string; string.Buffer = messageBuffer; string.Length = messageLength * sizeof(WCHAR); if ((index = PhFindStringInStringRefZ(&string, L"\r\n", FALSE)) != SIZE_MAX) messageString = PhCreateStringEx(messageBuffer, index * sizeof(WCHAR)); else messageString = PhCreateStringEx(messageBuffer, messageLength * sizeof(WCHAR)); } LocalFree(messageBuffer); } return messageString; } PPH_STRING PhGetNtFormatMessage( _In_ NTSTATUS Status ) { PPH_STRING messageString = NULL; ULONG messageLength = 0; PWSTR messageBuffer = NULL; messageLength = FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_FROM_SYSTEM, PhGetLoaderEntryDllBaseZ(RtlNtdllName), Status, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (PWSTR)&messageBuffer, 0, NULL ); if (messageBuffer) { if (messageLength) { ULONG_PTR index; PH_STRINGREF string; string.Buffer = messageBuffer; string.Length = messageLength * sizeof(WCHAR); if ((index = PhFindStringInStringRefZ(&string, L"\r\n", FALSE)) != SIZE_MAX) messageString = PhCreateStringEx(messageBuffer, index * sizeof(WCHAR)); else messageString = PhCreateStringEx(messageBuffer, messageLength * sizeof(WCHAR)); } LocalFree(messageBuffer); } return messageString; } /** * Displays a message box. * * \param WindowHandle The owner window of the message box. * \param Type The type of message box to display. * \param Format A format string. * \return The user's response. */ LONG PhShowMessage( _In_opt_ HWND WindowHandle, _In_ ULONG Type, _In_ PCWSTR Format, ... ) { LONG result; va_list argptr; PPH_STRING message; va_start(argptr, Format); message = PhFormatString_V(Format, argptr); va_end(argptr); if (!message) return INT_ERROR; result = MessageBox(WindowHandle, message->Buffer, PhApplicationName, Type); PhDereferenceObject(message); return result; } static const PH_FLAG_MAPPING PhShowMessageTaskDialogButtonFlagMappings[] = { { TD_OK_BUTTON, TDCBF_OK_BUTTON }, { TD_YES_BUTTON, TDCBF_YES_BUTTON }, { TD_NO_BUTTON, TDCBF_NO_BUTTON }, { TD_CANCEL_BUTTON, TDCBF_CANCEL_BUTTON }, { TD_RETRY_BUTTON, TDCBF_RETRY_BUTTON }, { TD_CLOSE_BUTTON, TDCBF_CLOSE_BUTTON }, }; LONG PhShowMessage2( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ PCWSTR Title, _In_ PCWSTR Format, ... ) { ULONG result; va_list argptr; PPH_STRING message; TASKDIALOGCONFIG config; ULONG buttonsFlags; va_start(argptr, Format); message = PhFormatString_V(Format, argptr); va_end(argptr); if (!message) return INT_ERROR; buttonsFlags = 0; PhMapFlags1( &buttonsFlags, Buttons, PhShowMessageTaskDialogButtonFlagMappings, ARRAYSIZE(PhShowMessageTaskDialogButtonFlagMappings) ); memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | ((WindowHandle && IsWindowVisible(WindowHandle) && !IsMinimized(WindowHandle)) ? TDF_POSITION_RELATIVE_TO_WINDOW : 0); config.dwCommonButtons = buttonsFlags; config.hwndParent = WindowHandle; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = Icon; config.pszMainInstruction = Title; config.pszContent = message->Buffer; if (PhShowTaskDialog( &config, &result, NULL, NULL )) { PhDereferenceObject(message); return result; } else { PhDereferenceObject(message); return INT_ERROR; } } /** * Internal worker for displaying a message with a "Don't show this message again" checkbox. * * \param WindowHandle The owner window. * \param Buttons The buttons to display. * \param Icon The icon to display. * \param Title The title of the message. * \param Result Receives the selected button. * \param Checked Receives the state of the checkbox. * \param Format The format string. * \param ArgPtr The argument list. * \return TRUE if the dialog was shown, otherwise FALSE. */ BOOLEAN PhpShowMessageOneTime( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ PCWSTR Title, _Out_opt_ PLONG Result, _Out_opt_ PBOOLEAN Checked, _In_ PCWSTR Format, _In_ va_list ArgPtr ) { ULONG result; PPH_STRING message; TASKDIALOGCONFIG config; BOOLEAN checked = FALSE; ULONG buttonsFlags; if (Result) *Result = INT_ERROR; if (Checked) *Checked = FALSE; message = PhFormatString_V(Format, ArgPtr); if (!message) return FALSE; buttonsFlags = 0; PhMapFlags1( &buttonsFlags, Buttons, PhShowMessageTaskDialogButtonFlagMappings, ARRAYSIZE(PhShowMessageTaskDialogButtonFlagMappings) ); memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | ((WindowHandle && IsWindowVisible(WindowHandle) && !IsMinimized(WindowHandle)) ? TDF_POSITION_RELATIVE_TO_WINDOW : 0); config.dwCommonButtons = buttonsFlags; config.hwndParent = WindowHandle; config.pszWindowTitle = PhApplicationName; config.pszMainIcon = Icon; config.pszMainInstruction = Title; config.pszContent = PhGetString(message); config.pszVerificationText = L"Don't show this message again"; config.cxWidth = 200; if (PhShowTaskDialog( &config, &result, NULL, &checked )) { PhDereferenceObject(message); if (Result) *Result = result; if (Checked) *Checked = !!checked; return TRUE; } else { PhDereferenceObject(message); return FALSE; } } /** * Displays a message with a "Don't show this message again" checkbox. * * \param WindowHandle The owner window. * \param Buttons The buttons to display. * \param Icon The icon to display. * \param Title The title of the message. * \param Format The format string. * \return TRUE if the checkbox was checked, otherwise FALSE. */ BOOLEAN PhShowMessageOneTime( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ PCWSTR Title, _In_ PCWSTR Format, ... ) { BOOLEAN checked; va_list argptr; va_start(argptr, Format); PhpShowMessageOneTime(WindowHandle, Buttons, Icon, Title, NULL, &checked, Format, argptr); va_end(argptr); return checked; } /** * Displays a message with a "Don't show this message again" checkbox. * * \param WindowHandle The owner window. * \param Buttons The buttons to display. * \param Icon The icon to display. * \param Title The title of the message. * \param Checked Receives the state of the checkbox. * \param Format The format string. * \return The selected button. */ LONG PhShowMessageOneTime2( _In_opt_ HWND WindowHandle, _In_ ULONG Buttons, _In_opt_ PCWSTR Icon, _In_opt_ PCWSTR Title, _Out_opt_ PBOOLEAN Checked, _In_ PCWSTR Format, ... ) { LONG result; va_list argptr; va_start(argptr, Format); PhpShowMessageOneTime(WindowHandle, Buttons, Icon, Title, &result, Checked, Format, argptr); va_end(argptr); return result; } /** * Displays a task dialog. * * \param Config The task dialog configuration. * \param Button Receives the selected button. * \param RadioButton Receives the selected radio button. * \param FlagChecked Receives the state of the verification checkbox. * \return TRUE if the task dialog was shown, otherwise FALSE. */ _Success_(return) BOOLEAN PhShowTaskDialog( _In_ PTASKDIALOGCONFIG Config, _Out_opt_ PULONG Button, _Out_opt_ PULONG RadioButton, _Out_opt_ PBOOLEAN FlagChecked ) { HRESULT status; LONG button; LONG radio; BOOL selected; status = TaskDialogIndirect( Config, &button, &radio, &selected ); if (HR_SUCCESS(status)) { if (Button) *Button = button; if (RadioButton) *RadioButton = radio; if (FlagChecked) *FlagChecked = !!selected; return TRUE; } return FALSE; // PhDosErrorToNtStatus(HRESULT_CODE(status)); } /** * Retrieves a status message for a NTSTATUS value or Win32 error code. * * \param Status A NTSTATUS value. * \param Win32Result A Win32 error code, or 0 to derive it from the status. * \return A string containing the status message. */ PPH_STRING PhGetStatusMessage( _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { if (!Win32Result) { // In some cases we want the simple Win32 messages. if ( Status == STATUS_ACCESS_DENIED || Status == STATUS_ACCESS_VIOLATION || Status == STATUS_NO_SUCH_FILE ) { Win32Result = RtlNtStatusToDosErrorNoTeb(Status); } // Process NTSTATUS values with the NT-Win32 facility. else if (NT_NTWIN32(Status)) { Win32Result = WIN32_FROM_NTSTATUS(Status); } else if (NT_FACILITY(Status) == FACILTIY_MUI_ERROR_CODE) { Win32Result = Status; // needed by PhGetLastWin32ErrorAsNtStatus(CERT_E_REVOKED) (dmex) } } if (Win32Result) return PhGetWin32Message(Win32Result); else return PhGetNtMessage(Status); } /** * Displays an error message for a NTSTATUS value or Win32 error code. * * \param WindowHandle The owner window of the message box. * \param Message A message describing the operation that failed. * \param Status A NTSTATUS value, or 0 if there is none. * \param Win32Result A Win32 error code, or 0 if there is none. */ VOID PhShowStatus( _In_opt_ HWND WindowHandle, _In_opt_ PCWSTR Message, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { PPH_STRING statusMessage; if (statusMessage = PhGetStatusMessage(Status, Win32Result)) { if (Message) PhShowError2(WindowHandle, Message, L"%s", PhGetString(statusMessage)); else PhShowError2(WindowHandle, L"Unable to perform the operation.", L"%s", PhGetString(statusMessage)); PhDereferenceObject(statusMessage); } else { if (Message) PhShowError2(WindowHandle, L"Unable to perform the operation.", L"%s", Message); else PhShowStatus(WindowHandle, L"Unable to perform the operation.", STATUS_UNSUCCESSFUL, 0); } } /** * Displays an error message for a NTSTATUS value or Win32 error code, and allows the user to cancel * the current operation. * * \param WindowHandle The owner window of the message box. * \param Message A message describing the operation that failed. * \param Status A NTSTATUS value, or 0 if there is none. * \param Win32Result A Win32 error code, or 0 if there is none. * \return TRUE if the user wishes to continue with the current operation, otherwise FALSE. */ BOOLEAN PhShowContinueStatus( _In_ HWND WindowHandle, _In_opt_ PCWSTR Message, _In_ NTSTATUS Status, _In_opt_ ULONG Win32Result ) { PPH_STRING statusMessage; LONG result; statusMessage = PhGetStatusMessage(Status, Win32Result); if (Message && statusMessage) result = PhShowMessage2(WindowHandle, TD_OK_BUTTON | TD_CLOSE_BUTTON, TD_ERROR_ICON, Message, L"%s", PhGetString(statusMessage)); else if (Message) result = PhShowMessage2(WindowHandle, TD_OK_BUTTON | TD_CANCEL_BUTTON, TD_ERROR_ICON, L"Unable to perform the operation.", L"%s", Message); else if (statusMessage) result = PhShowMessage2(WindowHandle, TD_OK_BUTTON | TD_CANCEL_BUTTON, TD_ERROR_ICON, L"Unable to perform the operation.", L"%s", PhGetString(statusMessage)); else result = PhShowMessage2(WindowHandle, TD_OK_BUTTON | TD_CANCEL_BUTTON, TD_ERROR_ICON, L"Unable to perform the operation.", L""); if (statusMessage) PhDereferenceObject(statusMessage); return result == IDOK; } /** * Displays a confirmation message. * * \param WindowHandle The owner window of the message box. * \param Verb A verb describing the operation, e.g. "terminate". * \param Object The object of the operation, e.g. "the process". * \param Message A message describing the operation. * \param Warning TRUE to display the confirmation message as a warning, otherwise FALSE. * \return TRUE if the user wishes to continue, otherwise FALSE. */ BOOLEAN PhShowConfirmMessage( _In_ HWND WindowHandle, _In_ PCWSTR Verb, _In_ PCWSTR Object, _In_opt_ PCWSTR Message, _In_ BOOLEAN Warning ) { PPH_STRING verb; PPH_STRING verbCaps; PPH_STRING action; // Make sure the verb is all lowercase. verb = PhaLowerString(PhaCreateString(Verb)); // "terminate" -> "Terminate" verbCaps = PhaDuplicateString(verb); if (verbCaps->Length > 0) verbCaps->Buffer[0] = PhUpcaseUnicodeChar(verbCaps->Buffer[0]); // "terminate", "the process" -> "terminate the process" action = PhaConcatStrings(3, verb->Buffer, L" ", Object); { ULONG button; TASKDIALOGCONFIG config; TASKDIALOG_BUTTON buttons[2]; memset(&config, 0, sizeof(TASKDIALOGCONFIG)); config.cbSize = sizeof(TASKDIALOGCONFIG); config.hwndParent = WindowHandle; config.hInstance = NtCurrentImageBase(); config.dwFlags = TDF_ALLOW_DIALOG_CANCELLATION | ((WindowHandle && IsWindowVisible(WindowHandle) && !IsMinimized(WindowHandle)) ? TDF_POSITION_RELATIVE_TO_WINDOW : 0); config.pszWindowTitle = PhApplicationName; config.pszMainIcon = Warning ? TD_WARNING_ICON : TD_INFORMATION_ICON; config.pszMainInstruction = PhaConcatStrings(3, L"Do you want to ", action->Buffer, L"?")->Buffer; if (Message) config.pszContent = PhaConcatStrings2(Message, L" Are you sure you want to continue?")->Buffer; buttons[0].nButtonID = IDYES; buttons[0].pszButtonText = verbCaps->Buffer; buttons[1].nButtonID = IDNO; buttons[1].pszButtonText = L"Cancel"; config.cButtons = 2; config.pButtons = buttons; config.nDefaultButton = IDYES; config.cxWidth = 200; if (PhShowTaskDialog( &config, &button, NULL, NULL )) { return button == IDYES; } if (PhShowMessage( WindowHandle, MB_YESNO | MB_ICONWARNING | MB_DEFBUTTON2, L"Are you sure you want to %s?", action->Buffer ) == IDYES) { return TRUE; } return FALSE; } } /** * Creates a random (type 4) UUID. * * \param Guid The destination UUID. */ VOID PhGenerateGuid( _Out_ PGUID Guid ) { ULARGE_INTEGER seed; // The top/sign bit is always unusable for RtlRandomEx (the result is always unsigned), so we'll // take the bottom 24 bits. We need 128 bits in total, so we'll call the function 6 times. ULONG random[6]; ULONG i; seed.QuadPart = PhReadPerformanceCounter(); for (i = 0; i < 6; i++) random[i] = RtlRandomEx(&seed.LowPart); // random[0] is usable *(PUSHORT)&Guid->Data1 = (USHORT)random[0]; // top byte from random[0] is usable *((PUSHORT)&Guid->Data1 + 1) = (USHORT)((random[0] >> 16) | (random[1] & 0xff)); // top 2 bytes from random[1] are usable Guid->Data2 = (SHORT)(random[1] >> 8); // random[2] is usable Guid->Data3 = (SHORT)random[2]; // top byte from random[2] is usable *(PUSHORT)&Guid->Data4[0] = (USHORT)((random[2] >> 16) | (random[3] & 0xff)); // top 2 bytes from random[3] are usable *(PUSHORT)&Guid->Data4[2] = (USHORT)(random[3] >> 8); // random[4] is usable *(PUSHORT)&Guid->Data4[4] = (USHORT)random[4]; // top byte from random[4] is usable *(PUSHORT)&Guid->Data4[6] = (USHORT)((random[4] >> 16) | (random[5] & 0xff)); ((PGUID_EX)Guid)->s2.Version = GUID_VERSION_RANDOM; ((PGUID_EX)Guid)->s2.Variant &= ~GUID_VARIANT_STANDARD_MASK; ((PGUID_EX)Guid)->s2.Variant |= GUID_VARIANT_STANDARD; } // rev from kernelbase (dmex) //VOID PhGenerateGuid2( // _Out_ PGUID Guid // ) //{ // LARGE_INTEGER seed; // PUSHORT buffer; // ULONG count; // // PhQuerySystemTime(&seed); // buffer = (PUSHORT)Guid; // count = 8; // // do // { // *buffer = (USHORT)RtlRandomEx(&seed.LowPart); // buffer = PTR_ADD_OFFSET(buffer, sizeof(USHORT)); // } while (--count); //} /** * Creates a name-based (type 3 or 5) UUID. * * \param Guid The destination UUID. * \param Namespace The UUID of the namespace. * \param Name The input name. * \param NameLength The length of the input name, not including the null terminator if present. * \param Version The type of UUID. * \li \c GUID_VERSION_MD5 Creates a type 3, MD5-based UUID. * \li \c GUID_VERSION_SHA1 Creates a type 5, SHA1-based UUID. */ VOID PhGenerateGuidFromName( _Out_ PGUID Guid, _In_ PGUID Namespace, _In_ PCHAR Name, _In_ ULONG NameLength, _In_ UCHAR Version ) { PGUID_EX guid; PUCHAR data; ULONG dataLength; GUID ns; UCHAR hash[20]; // Convert the namespace to big endian. ns = *Namespace; PhReverseGuid(&ns); // Compute the hash of the namespace concatenated with the name. dataLength = 16 + NameLength; data = PhAllocate(dataLength); memcpy(data, &ns, 16); memcpy(&data[16], Name, NameLength); if (Version == GUID_VERSION_MD5) { MD5_CTX context; MD5Init(&context); MD5Update(&context, data, dataLength); MD5Final(&context); memcpy(hash, context.digest, 16); } else { A_SHA_CTX context; A_SHAInit(&context); A_SHAUpdate(&context, data, dataLength); A_SHAFinal(&context, hash); Version = GUID_VERSION_SHA1; } PhFree(data); guid = (PGUID_EX)Guid; memcpy(guid->Data, hash, 16); PhReverseGuid(&guid->Guid); guid->s2.Version = Version; guid->s2.Variant &= ~GUID_VARIANT_STANDARD_MASK; guid->s2.Variant |= GUID_VARIANT_STANDARD; } // rev from ntoskrnl.exe!RtlGenerateClass5Guid (dmex) /** * Creates a type 5 (SHA1-based) UUID. * * \param NamespaceGuid The UUID of the namespace. * \param Buffer The input buffer. * \param BufferSize The size of the input buffer. * \param Guid The destination UUID. */ VOID PhGenerateClass5Guid( _In_ REFGUID NamespaceGuid, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _Out_ PGUID Guid ) { A_SHA_CTX context; GUID data; PGUID_EX guid; UCHAR hash[20]; data = *NamespaceGuid; data.Data1 = _byteswap_ulong(NamespaceGuid->Data1); data.Data2 = _rotr16(NamespaceGuid->Data2, 8); data.Data3 = _rotr16(NamespaceGuid->Data3, 8); A_SHAInit(&context); A_SHAUpdate(&context, (PUCHAR)&data, sizeof(GUID)); A_SHAUpdate(&context, Buffer, BufferSize); A_SHAFinal(&context, hash); guid = (PGUID_EX)Guid; memcpy(guid->Data, hash, sizeof(GUID)); guid->Guid.Data1 = _byteswap_ulong(guid->Guid.Data1); guid->Guid.Data2 = _rotr16(guid->Guid.Data2, 8); guid->Guid.Data3 = _rotr16(guid->Guid.Data3, 8); guid->s2.Version = GUID_VERSION_SHA1; guid->s2.Variant &= ~GUID_VARIANT_STANDARD_MASK; guid->s2.Variant |= GUID_VARIANT_STANDARD; } /** * Creates a Hardware ID UUID. * * \param Buffer The input buffer. * \param BufferSize The size of the input buffer. * \param Guid The destination UUID. * \remarks rev from Windows SDK\\ComputerHardwareIds.exe (dmex) * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/computerhardwareids * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/install/specifying-hardware-ids-for-a-computer */ VOID PhGenerateHardwareIDGuid( _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ ULONG BufferSize, _Out_ PGUID Guid ) { PhGenerateClass5Guid(&GUID_NAMESPACE_MICROSOFT, Buffer, BufferSize, Guid); } /** * Fills a buffer with random uppercase alphabetical characters. * * \param Buffer The buffer to fill with random characters, plus a null terminator. * \param Count The number of characters available in the buffer, including space for the null * terminator. */ VOID PhGenerateRandomAlphaString( _Out_writes_z_(Count) PWSTR Buffer, _In_ SIZE_T Count ) { ULARGE_INTEGER seed; ULONG i; if (Count == 0) return; seed.QuadPart = PhReadPerformanceCounter(); for (i = 0; i < Count - 1; i++) { Buffer[i] = L'A' + (RtlRandomEx(&seed.LowPart) % 26); } Buffer[Count - 1] = UNICODE_NULL; } /** * Fills a buffer with random numeric characters. * * \param Buffer The buffer to fill with random characters, plus a null terminator. * \param Count The number of characters available in the buffer, including space for the null * terminator. */ VOID PhGenerateRandomNumericString( _Out_writes_z_(Count) PWSTR Buffer, _In_ SIZE_T Count ) { ULARGE_INTEGER seed; ULONG i; if (Count == 0) return; seed.QuadPart = PhReadPerformanceCounter(); for (i = 0; i < Count - 1; i++) { Buffer[i] = L'0' + (RtlRandomEx(&seed.LowPart) % 10); } Buffer[Count - 1] = UNICODE_NULL; } /** * Generates a random 64-bit number. * * \return A random 64-bit number. */ ULONG64 PhGenerateRandomNumber64( VOID ) { ULARGE_INTEGER seed; ULARGE_INTEGER value; seed.QuadPart = PhReadPerformanceCounter(); value.LowPart = RtlRandomEx(&seed.LowPart); value.HighPart = RtlRandomEx(&seed.LowPart); return value.QuadPart; } /** * Generates a random number. * * \param Number Receives the random number. * \return TRUE if the random number was generated, otherwise FALSE. */ BOOLEAN PhGenerateRandomNumber( _Out_ PLARGE_INTEGER Number ) { memset(Number, 0, sizeof(LARGE_INTEGER)); #ifndef _M_ARM64 if (PhIsProcessorFeaturePresent(PF_RDRAND_INSTRUCTION_AVAILABLE)) { ULONG count = 0; #ifdef _M_X64 while (TRUE) { if (_rdrand64_step(&Number->QuadPart)) break; if (++count >= 10) return FALSE; } #else ULONG low = 0; ULONG high = 0; while (TRUE) { if (_rdrand32_step(&low) && _rdrand32_step(&high)) { Number->LowPart = low; Number->HighPart = high; break; } if (++count >= 10) return FALSE; } #endif return TRUE; } #endif Number->QuadPart = PhGenerateRandomNumber64(); return TRUE; } /** * Generates a random seed. * * \param Seed Receives the random seed. * \return TRUE if the random seed was generated, otherwise FALSE. */ BOOLEAN PhGenerateRandomSeed( _Out_ PLARGE_INTEGER Seed ) { memset(Seed, 0, sizeof(LARGE_INTEGER)); //#ifndef _M_ARM64 // if (PhIsProcessorFeaturePresent(PF_RDRAND_INSTRUCTION_AVAILABLE)) // { //#ifdef _M_X64 // if (_rdseed64_step(&Seed->QuadPart)) // return TRUE; //#else // if (_rdseed32_step(&Seed->LowPart)) // return TRUE; //#endif // } //#endif return PhQueryPerformanceCounter(Seed); } /** * Modifies a string to ensure it is within the specified length. * * \param String The input string. * \param DesiredCount The desired number of characters in the new string. If necessary, parts of * the string are replaced with an ellipsis to indicate characters have been omitted. * \return The new string. */ PPH_STRING PhEllipsisString( _In_ PPH_STRING String, _In_ SIZE_T DesiredCount ) { if ( String->Length / sizeof(WCHAR) <= DesiredCount || DesiredCount < 3 ) { return PhReferenceObject(String); } else { PPH_STRING string; string = PhCreateStringEx(NULL, DesiredCount * sizeof(WCHAR)); memcpy(string->Buffer, String->Buffer, (DesiredCount - 3) * sizeof(WCHAR)); memcpy(&string->Buffer[DesiredCount - 3], L"...", 6); return string; } } /** * Modifies a string to ensure it is within the specified length, parsing the string as a path. * * \param String The input string. * \param DesiredCount The desired number of characters in the new string. If necessary, parts of * the string are replaced with an ellipsis to indicate characters have been omitted. * \return The new string. */ PPH_STRING PhEllipsisStringPath( _In_ PPH_STRING String, _In_ SIZE_T DesiredCount ) { ULONG_PTR secondPartIndex; secondPartIndex = PhFindLastCharInString(String, 0, OBJ_NAME_PATH_SEPARATOR); if (secondPartIndex == SIZE_MAX) secondPartIndex = PhFindLastCharInString(String, 0, OBJ_NAME_ALTPATH_SEPARATOR); if (secondPartIndex == SIZE_MAX) return PhEllipsisString(String, DesiredCount); if ( String->Length / sizeof(WCHAR) <= DesiredCount || DesiredCount < 3 ) { return PhReferenceObject(String); } else { PPH_STRING string; ULONG_PTR firstPartCopyLength; ULONG_PTR secondPartCopyLength; string = PhCreateStringEx(NULL, DesiredCount * sizeof(WCHAR)); secondPartCopyLength = String->Length / sizeof(WCHAR) - secondPartIndex; // Check if we have enough space for the entire second part of the string. if (secondPartCopyLength + 3 <= DesiredCount) { // Yes, copy part of the first part and the entire second part. firstPartCopyLength = DesiredCount - secondPartCopyLength - 3; } else { // No, copy part of both, from the beginning of the first part and the end of the second // part. firstPartCopyLength = (DesiredCount - 3) / sizeof(WCHAR); secondPartCopyLength = DesiredCount - 3 - firstPartCopyLength; secondPartIndex = String->Length / sizeof(WCHAR) - secondPartCopyLength; } memcpy( string->Buffer, String->Buffer, firstPartCopyLength * sizeof(WCHAR) ); memcpy( &string->Buffer[firstPartCopyLength], L"...", 6 ); memcpy( &string->Buffer[firstPartCopyLength + 3], &String->Buffer[secondPartIndex], secondPartCopyLength * sizeof(WCHAR) ); return string; } } /** * Internal worker for matching a pattern against a string. * * \param Pattern The pattern. * \param String The string. * \param IgnoreCase Whether to ignore case. * \return TRUE if the pattern matches the string, otherwise FALSE. */ FORCEINLINE BOOLEAN PhpMatchWildcards( _In_ PCWSTR Pattern, _In_ PCWSTR String, _In_ BOOLEAN IgnoreCase ) { PCWCHAR s, p; BOOLEAN star = FALSE; // Code is from http://xoomer.virgilio.it/acantato/dev/wildcard/wildmatch.html LoopStart: for (s = String, p = Pattern; *s; s++, p++) { switch (*p) { case L'?': break; case L'*': star = TRUE; String = s; Pattern = p; do { Pattern++; } while (*Pattern == L'*'); if (!*Pattern) return TRUE; goto LoopStart; default: if (!IgnoreCase) { if (*s != *p) goto StarCheck; } else { if (PhUpcaseUnicodeChar(*s) != PhUpcaseUnicodeChar(*p)) goto StarCheck; } break; } } while (*p == L'*') p++; return (!*p); StarCheck: if (!star) return FALSE; String++; goto LoopStart; } /** * Matches a pattern against a string. * * \param Pattern The pattern, which can contain asterisks and question marks. * \param String The string which the pattern is matched against. * \param IgnoreCase Whether to ignore character cases. */ BOOLEAN PhMatchWildcards( _In_ PCWSTR Pattern, _In_ PCWSTR String, _In_ BOOLEAN IgnoreCase ) { if (IgnoreCase) return PhpMatchWildcards(Pattern, String, TRUE); else return PhpMatchWildcards(Pattern, String, FALSE); } /** * Escapes a string for prefix characters (ampersands). * * \param String The string to process. * * \return The escaped string, with each ampersand replaced by 2 ampersands. */ PPH_STRING PhEscapeStringForMenuPrefix( _In_ PCPH_STRINGREF String ) { PH_STRING_BUILDER stringBuilder; SIZE_T i; SIZE_T length; PWCHAR runStart; SIZE_T runCount = 0; length = String->Length / sizeof(WCHAR); runStart = NULL; PhInitializeStringBuilder(&stringBuilder, String->Length); for (i = 0; i < length; i++) { switch (String->Buffer[i]) { case L'&': if (runStart) { PhAppendStringBuilderEx(&stringBuilder, runStart, runCount * sizeof(WCHAR)); runStart = NULL; } PhAppendStringBuilder2(&stringBuilder, L"&&"); break; default: if (runStart) { runCount++; } else { runStart = &String->Buffer[i]; runCount = 1; } break; } } if (runStart) PhAppendStringBuilderEx(&stringBuilder, runStart, runCount * sizeof(WCHAR)); return PhFinalStringBuilderString(&stringBuilder); } /** * Compares two strings, ignoring prefix characters (ampersands). * * \param A The first string. * \param B The second string. * \param IgnoreCase Whether to ignore character cases. * \param MatchIfPrefix Specify TRUE to return 0 when \a A is a prefix of \a B. */ LONG PhCompareUnicodeStringZIgnoreMenuPrefix( _In_ PCWSTR A, _In_ PCWSTR B, _In_ BOOLEAN IgnoreCase, _In_ BOOLEAN MatchIfPrefix ) { WCHAR t; if (!A || !B) return -1; if (!IgnoreCase) { while (TRUE) { // This takes care of double ampersands as well (they are treated as one literal // ampersand). if (*A == L'&') A++; if (*B == L'&') B++; t = *A; if (t == UNICODE_NULL) { if (MatchIfPrefix) return 0; break; } if (t != *B) break; A++; B++; } return C_2uTo4(t) - C_2uTo4(*B); } else { while (TRUE) { if (*A == L'&') A++; if (*B == L'&') B++; t = *A; if (t == UNICODE_NULL) { if (MatchIfPrefix) return 0; break; } if (PhUpcaseUnicodeChar(t) != PhUpcaseUnicodeChar(*B)) break; A++; B++; } return C_2uTo4(t) - C_2uTo4(*B); } } /** * Formats UTC system time in ISO 8601 format. * * \param SystemTime The UTC time structure. If NULL, the current UTC time is used. * * \return A string in the ISO 8601 format. */ PPH_STRING PhFormatSystemTimeISO( _In_opt_ PSYSTEMTIME SystemTime ) { SYSTEMTIME systemTime; if (SystemTime) { systemTime = *SystemTime; } else { LARGE_INTEGER timeStamp; PhQuerySystemTime(&timeStamp); PhLargeIntegerToSystemTime(&systemTime, &timeStamp); } return PhFormatString( L"%04u-%02u-%02uT%02u:%02u:%02u.%03uZ", systemTime.wYear, systemTime.wMonth, systemTime.wDay, systemTime.wHour, systemTime.wMinute, systemTime.wSecond, systemTime.wMilliseconds ); } /** * Formats local system time in ISO 8601 format, including the time zone offset. * * \param SystemTime The local time structure. If NULL, the current local time is used. * * \return A string in the ISO 8601 format. */ PPH_STRING PhFormatLocalSystemTimeISO( _In_opt_ PSYSTEMTIME SystemTime ) { SYSTEMTIME systemTime; LARGE_INTEGER timeZoneBias; CHAR sign; USHORT timeZoneHours; USHORT timeZoneMinutes; if (SystemTime) { systemTime = *SystemTime; } else { LARGE_INTEGER timeStamp; PhQuerySystemTime(&timeStamp); PhLargeIntegerToLocalSystemTime(&systemTime, &timeStamp); } PhQueryTimeZoneBias(&timeZoneBias); if (timeZoneBias.QuadPart == 0) { return PhFormatSystemTimeISO(&systemTime); } // // N.B. Bias is subtracted from system time therefore positive is west of // UTC and negative is east of UTC. // if (timeZoneBias.QuadPart > 0) { sign = '-'; timeZoneHours = (USHORT)((timeZoneBias.QuadPart / 600000000LL) / 60); timeZoneMinutes = (USHORT)((timeZoneBias.QuadPart / 600000000LL) % 60); } else { sign = '+'; timeZoneHours = (USHORT)((-timeZoneBias.QuadPart / 600000000LL) / 60); timeZoneMinutes = (USHORT)((-timeZoneBias.QuadPart / 600000000LL) % 60); } return PhFormatString( L"%04u-%02u-%02uT%02u:%02u:%02u.%03u%c%02u:%02u", systemTime.wYear, systemTime.wMonth, systemTime.wDay, systemTime.wHour, systemTime.wMinute, systemTime.wSecond, systemTime.wMilliseconds, sign, timeZoneHours, timeZoneMinutes ); } /** * Formats a date using the user's default locale. * * \param Date The time structure. If NULL, the current time is used. * \param Format The format of the date. If NULL, the format appropriate to the user's locale is * used. */ PPH_STRING PhFormatDate( _In_opt_ PSYSTEMTIME Date, _In_opt_ PCWSTR Format ) { PPH_STRING string; LONG bufferSize; bufferSize = GetDateFormatEx(LOCALE_NAME_USER_DEFAULT, 0, Date, Format, NULL, 0, NULL); string = PhCreateStringEx(NULL, bufferSize * sizeof(WCHAR)); if (!GetDateFormatEx(LOCALE_NAME_USER_DEFAULT, 0, Date, Format, string->Buffer, bufferSize, NULL)) { PhDereferenceObject(string); return NULL; } PhTrimToNullTerminatorString(string); return string; } /** * Formats a time using the user's default locale. * * \param Time The time structure. If NULL, the current time is used. * \param Format The format of the time. If NULL, the format appropriate to the user's locale is * used. */ PPH_STRING PhFormatTime( _In_opt_ PSYSTEMTIME Time, _In_opt_ PCWSTR Format ) { PPH_STRING string; LONG bufferSize; bufferSize = GetTimeFormatEx(LOCALE_NAME_USER_DEFAULT, 0, Time, Format, NULL, 0); string = PhCreateStringEx(NULL, bufferSize * sizeof(WCHAR)); if (!GetTimeFormatEx(LOCALE_NAME_USER_DEFAULT, 0, Time, Format, string->Buffer, bufferSize)) { PhDereferenceObject(string); return NULL; } PhTrimToNullTerminatorString(string); return string; } /** * Formats a date and time using the user's default locale. * * \param DateTime The time structure. If NULL, the current time is used. * * \return A string containing the time, a space character, then the date. */ PPH_STRING PhFormatDateTime( _In_opt_ PSYSTEMTIME DateTime ) { PPH_STRING string; LONG timeBufferSize; LONG dateBufferSize; ULONG count; timeBufferSize = GetTimeFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, NULL, 0); dateBufferSize = GetDateFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, NULL, 0, NULL); string = PhCreateStringEx(NULL, ((SIZE_T)timeBufferSize + 1 + dateBufferSize) * sizeof(WCHAR)); if (!GetTimeFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, &string->Buffer[0], timeBufferSize)) { PhDereferenceObject(string); return NULL; } count = (ULONG)PhCountStringZ(string->Buffer); string->Buffer[count] = L' '; if (!GetDateFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, &string->Buffer[count + 1], dateBufferSize, NULL)) { PhDereferenceObject(string); return NULL; } PhTrimToNullTerminatorString(string); return string; } /** * Formats a date and time using the user's default locale to a buffer. * * \param DateTime The time structure. If NULL, the current time is used. * \param Buffer The destination buffer. * \param BufferLength The size of the destination buffer, in bytes. * \param ReturnLength Receives the number of bytes written to the buffer. * \return TRUE if the date and time were formatted, otherwise FALSE. */ _Success_(return) BOOLEAN PhFormatDateTimeToBuffer( _In_opt_ PSYSTEMTIME DateTime, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _In_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { SIZE_T returnLength; LONG timeBufferSize; LONG dateBufferSize; timeBufferSize = GetTimeFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, NULL, 0); dateBufferSize = GetDateFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, NULL, 0, NULL); returnLength = ((SIZE_T)timeBufferSize + 1 + (SIZE_T)dateBufferSize) * sizeof(WCHAR); if (returnLength >= BufferLength) goto CleanupExit; if (!GetTimeFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, &Buffer[0], timeBufferSize)) goto CleanupExit; Buffer[timeBufferSize - 1] = L' '; if (!GetDateFormatEx(LOCALE_NAME_USER_DEFAULT, 0, DateTime, NULL, &Buffer[timeBufferSize], dateBufferSize, NULL)) goto CleanupExit; if (ReturnLength) *ReturnLength = returnLength - sizeof(UNICODE_NULL); // HACK Buffer[returnLength] = UNICODE_NULL; return TRUE; CleanupExit: if (ReturnLength) *ReturnLength = returnLength; return FALSE; } /** * Formats a time span. * * \param Ticks The number of ticks. * \param Mode The format mode. * \return A string containing the formatted time span. */ PPH_STRING PhFormatTimeSpan( _In_ ULONG64 Ticks, _In_opt_ ULONG Mode ) { PPH_STRING string; string = PhCreateStringEx(NULL, PH_TIMESPAN_STR_LEN * sizeof(WCHAR)); PhPrintTimeSpan(string->Buffer, Ticks, Mode); PhTrimToNullTerminatorString(string); return string; } /** * Formats a time span with extended options. * * \param Ticks The number of ticks. * \param Mode The format mode. * \return A string containing the formatted time span. */ PPH_STRING PhFormatTimeSpanEx( _In_ ULONG64 Ticks, _In_opt_ ULONG Mode ) { SIZE_T returnLength; WCHAR buffer[PH_TIMESPAN_STR_LEN_1]; if (PhPrintTimeSpanToBuffer( Ticks, Mode, buffer, PH_TIMESPAN_STR_LEN, &returnLength )) { PH_STRINGREF string; string.Length = returnLength - sizeof(UNICODE_NULL); string.Buffer = buffer; return PhCreateString2(&string); } return PhReferenceEmptyString(); } /** * Formats a relative time span. * * \param TimeSpan The time span, in ticks. */ PPH_STRING PhFormatTimeSpanRelative( _In_ ULONG64 TimeSpan ) { PPH_STRING string; FLOAT days; FLOAT weeks; FLOAT fortnights; FLOAT months; FLOAT years; FLOAT centuries; days = (FLOAT)TimeSpan / (FLOAT)PH_TICKS_PER_DAY; weeks = days / 7; fortnights = weeks / 2; years = days / 365.2425f; months = years * 12; centuries = years / 100; if (centuries >= 1) { string = PhFormatString(L"%u %s", (ULONG)centuries, (ULONG)centuries == 1 ? L"century" : L"centuries"); } else if (years >= 1) { string = PhFormatString(L"%u %s", (ULONG)years, (ULONG)years == 1 ? L"year" : L"years"); } else if (months >= 1) { string = PhFormatString(L"%u %s", (ULONG)months, (ULONG)months == 1 ? L"month" : L"months"); } else if (fortnights >= 1) { string = PhFormatString(L"%u %s", (ULONG)fortnights, (ULONG)fortnights == 1 ? L"fortnight" : L"fortnights"); } else if (weeks >= 1) { string = PhFormatString(L"%u %s", (ULONG)weeks, (ULONG)weeks == 1 ? L"week" : L"weeks"); } else { FLOAT milliseconds; FLOAT seconds; FLOAT minutes; FLOAT hours; ULONG secondsPartial; ULONG minutesPartial; ULONG hoursPartial; milliseconds = (FLOAT)TimeSpan / (FLOAT)PH_TICKS_PER_MS; seconds = (FLOAT)TimeSpan / (FLOAT)PH_TICKS_PER_SEC; minutes = (FLOAT)TimeSpan / (FLOAT)PH_TICKS_PER_MIN; hours = (FLOAT)TimeSpan / (FLOAT)PH_TICKS_PER_HOUR; if (days >= 1) { hoursPartial = (ULONG)PH_TICKS_PARTIAL_HOURS(TimeSpan); if (hoursPartial >= 1) { string = PhFormatString( L"%u %s and %u %s", (ULONG)days, (ULONG)days == 1 ? L"day" : L"days", hoursPartial, hoursPartial == 1 ? L"hour" : L"hours" ); } else { string = PhFormatString(L"%u %s", (ULONG)days, (ULONG)days == 1 ? L"day" : L"days"); } } else if (hours >= 1) { minutesPartial = (ULONG)PH_TICKS_PARTIAL_MIN(TimeSpan); if (minutesPartial >= 1) { string = PhFormatString( L"%u %s and %u %s", (ULONG)hours, (ULONG)hours == 1 ? L"hour" : L"hours", (ULONG)minutesPartial, (ULONG)minutesPartial == 1 ? L"minute" : L"minutes" ); } else { string = PhFormatString(L"%u %s", (ULONG)hours, (ULONG)hours == 1 ? L"hour" : L"hours"); } } else if (minutes >= 1) { secondsPartial = (ULONG)PH_TICKS_PARTIAL_SEC(TimeSpan); if (secondsPartial >= 1) { string = PhFormatString( L"%u %s and %u %s", (ULONG)minutes, (ULONG)minutes == 1 ? L"minute" : L"minutes", (ULONG)secondsPartial, (ULONG)secondsPartial == 1 ? L"second" : L"seconds" ); } else { string = PhFormatString(L"%u %s", (ULONG)minutes, (ULONG)minutes == 1 ? L"minute" : L"minutes"); } } else if (seconds >= 1) { string = PhFormatString(L"%u %s", (ULONG)seconds, (ULONG)seconds == 1 ? L"second" : L"seconds"); } else if (milliseconds >= 1) { string = PhFormatString(L"%u %s", (ULONG)milliseconds, (ULONG)milliseconds == 1 ? L"millisecond" : L"milliseconds"); } else { string = PhCreateString(L"a very short time"); } } // Turn 1 into "a", e.g. 1 minute -> a minute if (PhStartsWithString2(string, L"1 ", FALSE)) { // Special vowel case: a hour -> an hour if (string->Buffer[2] != L'h') PhMoveReference(&string, PhConcatStrings2(L"a ", &string->Buffer[2])); else PhMoveReference(&string, PhConcatStrings2(L"an ", &string->Buffer[2])); } return string; } /** * Formats a 64-bit unsigned integer. * * \param Value The integer. * \param GroupDigits TRUE to group digits, otherwise FALSE. */ PPH_STRING PhFormatUInt64( _In_ ULONG64 Value, _In_ BOOLEAN GroupDigits ) { PH_FORMAT format; format.Type = UInt64FormatType | (GroupDigits ? FormatGroupDigits : 0); format.u.UInt64 = Value; return PhFormat(&format, 1, 0); } /** * Formats a 64-bit unsigned integer using Metric (SI) Prefixes (1000=1k, 1000000=1M, 1000000000000=1B) * https://en.wikipedia.org/wiki/Metric_prefix * * \param Value The integer. * \param GroupDigits TRUE to group digits, otherwise FALSE. */ PPH_STRING PhFormatUInt64Prefix( _In_ ULONG64 Value, _In_ BOOLEAN GroupDigits ) { DOUBLE number = (DOUBLE)Value; ULONG i = 0; PH_FORMAT format[2]; while ( number >= 1000 && i + 1 < (ULONG)RTL_NUMBER_OF(PhPrefixUnitNamesCounted) && i < PhMaxSizeUnit ) { number /= 1000; i++; } format[0].Type = DoubleFormatType | FormatUsePrecision | FormatCropZeros | (GroupDigits ? FormatGroupDigits : 0); format[0].Precision = 2; format[0].u.Double = number; PhInitFormatSR(&format[1], PhPrefixUnitNamesCounted[i]); return PhFormat(format, 2, 0); } /** * Formats a 64-bit unsigned integer using Data-rate (SI) Prefixes (1000=1Bps, 1000000=1Kbps, 1000000000000=1Mbps) * https://en.wikipedia.org/wiki/Data-rate_units * * \param Value The integer. * \param GroupDigits TRUE to group digits, otherwise FALSE. */ PPH_STRING PhFormatUInt64BitratePrefix( _In_ ULONG64 Value, _In_ BOOLEAN GroupDigits ) { DOUBLE number = (DOUBLE)Value; ULONG i = 0; PH_FORMAT format[2]; while ( number >= 1000 && i + 1 < (ULONG)RTL_NUMBER_OF(PhSiPrefixUnitNamesCounted) && i < PhMaxSizeUnit ) { number /= 1000; i++; } format[0].Type = DoubleFormatType | FormatUsePrecision | (GroupDigits ? FormatGroupDigits : 0); format[0].Precision = 1; format[0].u.Double = number; PhInitFormatSR(&format[1], PhSiPrefixUnitNamesCounted[i]); return PhFormat(format, 2, 0); } /** * Formats a decimal string. * * \param Value The decimal string. * \param FractionalDigits The number of fractional digits. * \param GroupDigits TRUE to group digits, otherwise FALSE. * \return A string containing the formatted decimal. */ PPH_STRING PhFormatDecimal( _In_ PCWSTR Value, _In_ ULONG FractionalDigits, _In_ BOOLEAN GroupDigits ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static WCHAR decimalSeparator[4]; static WCHAR thousandSeparator[4]; PPH_STRING string; NUMBERFMT format; ULONG bufferSize; if (PhBeginInitOnce(&initOnce)) { if (!GetLocaleInfoEx(LOCALE_NAME_USER_DEFAULT, LOCALE_SDECIMAL, decimalSeparator, 4)) { decimalSeparator[0] = L'.'; decimalSeparator[1] = UNICODE_NULL; } if (!GetLocaleInfoEx(LOCALE_NAME_USER_DEFAULT, LOCALE_STHOUSAND, thousandSeparator, 4)) { thousandSeparator[0] = L','; thousandSeparator[1] = UNICODE_NULL; } PhEndInitOnce(&initOnce); } format.NumDigits = FractionalDigits; format.LeadingZero = 0; format.Grouping = GroupDigits ? 3 : 0; format.lpDecimalSep = decimalSeparator; format.lpThousandSep = thousandSeparator; format.NegativeOrder = 1; bufferSize = GetNumberFormatEx(LOCALE_NAME_USER_DEFAULT, 0, Value, &format, NULL, 0); string = PhCreateStringEx(NULL, bufferSize * sizeof(WCHAR)); if (!GetNumberFormatEx(LOCALE_NAME_USER_DEFAULT, 0, Value, &format, string->Buffer, bufferSize)) { PhDereferenceObject(string); return NULL; } PhTrimToNullTerminatorString(string); return string; } /** * Gets a string representing a size. * * \param Size The size value. * \param MaxSizeUnit The largest unit of size to use, -1 to use PhMaxSizeUnit, or -2 for no limit. * \li \c 0 Bytes. * \li \c 1 Kilobytes. * \li \c 2 Megabytes. * \li \c 3 Gigabytes. * \li \c 4 Terabytes. * \li \c 5 Petabytes. * \li \c 6 Exabytes. */ PPH_STRING PhFormatSize( _In_ ULONG64 Size, _In_ ULONG MaxSizeUnit ) { PH_FORMAT format; // PhFormat handles this better than the old method. format.Type = SizeFormatType | FormatUseRadix; format.Radix = (UCHAR)(MaxSizeUnit != ULONG_MAX ? MaxSizeUnit : PhMaxSizeUnit); format.u.Size = Size; return PhFormat(&format, 1, 0); } /** * Gets a string representing a size. * * \param Size The size value. * \param MaxSizeUnit The largest unit of size to use, -1 to use PhMaxSizeUnit, or -2 for no limit. * \param Buffer A buffer. If NULL, no data is written. * \param BufferLength The number of bytes available in \a Buffer, including space for the null terminator. * \param ReturnLength The number of bytes required to hold the string, including the null terminator. */ BOOLEAN PhFormatSizeToBuffer( _In_ ULONG64 Size, _In_ ULONG MaxSizeUnit, _Out_writes_bytes_opt_(BufferLength) PWSTR Buffer, _In_opt_ SIZE_T BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { PH_FORMAT format; // PhFormat handles this better than the old method. format.Type = SizeFormatType | FormatUseRadix; format.Radix = (UCHAR)(MaxSizeUnit != ULONG_MAX ? MaxSizeUnit : PhMaxSizeUnit); format.u.Size = Size; return PhFormatToBuffer(&format, 1, Buffer, BufferLength, ReturnLength); } /** * Converts a UUID to its string representation. * * \param Guid A UUID. */ PPH_STRING PhFormatGuid( _In_ PGUID Guid ) { PPH_STRING string; UNICODE_STRING unicodeString; if (!NT_SUCCESS(RtlStringFromGUID(Guid, &unicodeString))) return NULL; string = PhCreateStringFromUnicodeString(&unicodeString); RtlFreeUnicodeString(&unicodeString); return string; } /** * Converts a UUID to its string representation. * * \param Guid A UUID. * \param Buffer A buffer. If NULL, no data is written. * \param BufferLength The number of bytes available in Buffer, including space for the null terminator. * \param ReturnLength The number of bytes required to hold the string, including the null terminator. */ NTSTATUS PhFormatGuidToBuffer( _In_ PGUID Guid, _Writable_bytes_(BufferLength) _When_(BufferLength != 0, _Notnull_) PWCHAR Buffer, _In_opt_ USHORT BufferLength, _Out_opt_ PSIZE_T ReturnLength ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&RtlStringFromGUIDEx) RtlStringFromGUIDEx_I = NULL; NTSTATUS status; UNICODE_STRING unicodeString; if (WindowsVersion < WINDOWS_10) { PPH_STRING guid = PhFormatGuid(Guid); if (BufferLength < guid->Length) { if (ReturnLength) *ReturnLength = guid->Length + sizeof(UNICODE_NULL); PhDereferenceObject(guid); return STATUS_BUFFER_TOO_SMALL; } memcpy(Buffer, guid->Buffer, BufferLength); if (ReturnLength) *ReturnLength = guid->Length + sizeof(UNICODE_NULL); PhDereferenceObject(guid); return STATUS_SUCCESS; } if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_10) { RtlStringFromGUIDEx_I = PhGetDllProcedureAddressZ(RtlNtdllName, "RtlStringFromGUIDEx", 0); } PhEndInitOnce(&initOnce); } if (!RtlStringFromGUIDEx_I) return STATUS_PROCEDURE_NOT_FOUND; RtlInitEmptyUnicodeString(&unicodeString, Buffer, BufferLength); status = RtlStringFromGUIDEx_I( Guid, &unicodeString, FALSE ); if (NT_SUCCESS(status)) { if (ReturnLength) { *ReturnLength = unicodeString.Length + sizeof(UNICODE_NULL); } } return status; } /** * Converts a string to its UUID representation. * * \param GuidString The string representation of the UUID. * \param Guid Receives the UUID. * \return Successful or errant status. */ NTSTATUS PhStringToGuid( _In_ PCPH_STRINGREF GuidString, _Out_ PGUID Guid ) { UNICODE_STRING unicodeString; if (!PhStringRefToUnicodeString(GuidString, &unicodeString)) return STATUS_BUFFER_OVERFLOW; return RtlGUIDFromString(&unicodeString, Guid); } /** * Retrieves image version information for a file. * * \param FileName The file name. * \param VersionInfo A version information block. You must free this using PhFree() when you no longer need it. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhGetFileVersionInfo( _In_ PCWSTR FileName, _Out_ PVOID* VersionInfo ) { NTSTATUS status; PVOID libraryModule; PVOID versionInfo; libraryModule = LoadLibraryEx( FileName, NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE ); if (!libraryModule) { return PhGetLastWin32ErrorAsNtStatus(); } status = PhLoadResourceCopy( libraryModule, MAKEINTRESOURCE(VS_VERSION_INFO), VS_FILE_INFO, NULL, &versionInfo ); if (NT_SUCCESS(status)) { if (PhIsFileVersionInfo32(versionInfo)) { PhFreeLibrary(libraryModule); *VersionInfo = versionInfo; return STATUS_SUCCESS; } else { status = STATUS_NOT_FOUND; } PhFree(versionInfo); } PhFreeLibrary(libraryModule); return status; } NTSTATUS PhGetFileVersionInfoEx( _In_ PCPH_STRINGREF FileName, _Out_ PVOID* VersionInfo ) { NTSTATUS status; PVOID imageBaseAddress; PVOID versionInfo; status = PhLoadLibraryAsImageResource(FileName, TRUE, &imageBaseAddress); if (!NT_SUCCESS(status)) return status; //if (LdrResFindResource_Import()) //{ // PVOID resourceBuffer = NULL; // SIZE_T resourceLength = 0; // // if (NT_SUCCESS(LdrResFindResource_Import()( // imageBaseAddress, // VS_FILE_INFO, // MAKEINTRESOURCE(VS_VERSION_INFO), // MAKEINTRESOURCE(MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL)), // &resourceBuffer, // &resourceLength, // NULL, // NULL, // 0 // ))) // { // *VersionInfo = PhAllocateCopy(resourceBuffer, resourceLength); // PhFreeLibraryAsImageResource(imageBaseAddress); // return STATUS_SUCCESS; // } //} // MUI version information if (PRIMARYLANGID(LANGIDFROMLCID(PhGetCurrentThreadLCID())) != LANG_ENGLISH) { PVOID resourceDllBase; SIZE_T resourceDllSize; if (NT_SUCCESS(LdrLoadAlternateResourceModule(imageBaseAddress, &resourceDllBase, &resourceDllSize, 0))) { if (NT_SUCCESS(PhLoadResourceCopy( resourceDllBase, MAKEINTRESOURCE(VS_VERSION_INFO), VS_FILE_INFO, NULL, &versionInfo ))) { if (PhIsFileVersionInfo32(versionInfo)) { LdrUnloadAlternateResourceModule(resourceDllBase); PhFreeLibraryAsImageResource(imageBaseAddress); *VersionInfo = versionInfo; return STATUS_SUCCESS; } PhFree(versionInfo); } LdrUnloadAlternateResourceModule(resourceDllBase); } } // EXE version information { status = PhLoadResourceCopy( imageBaseAddress, MAKEINTRESOURCE(VS_VERSION_INFO), VS_FILE_INFO, NULL, &versionInfo ); if (NT_SUCCESS(status)) { if (PhIsFileVersionInfo32(versionInfo)) { PhFreeLibraryAsImageResource(imageBaseAddress); *VersionInfo = versionInfo; return STATUS_SUCCESS; } else { status = STATUS_NOT_FOUND; } PhFree(versionInfo); } } PhFreeLibraryAsImageResource(imageBaseAddress); return status; } PVOID PhGetFileVersionInfoValue( _In_ PVS_VERSION_INFO_STRUCT32 VersionInfo ) { const PCWSTR keyOffset = VersionInfo->Key + PhCountStringZ(VersionInfo->Key) + 1; return PTR_ADD_OFFSET(VersionInfo, ALIGN_UP(PTR_SUB_OFFSET(keyOffset, VersionInfo), ULONG)); } NTSTATUS PhGetFileVersionInfoKey( _In_ PVS_VERSION_INFO_STRUCT32 VersionInfo, _In_ SIZE_T KeyLength, _In_ PCWSTR Key, _Out_opt_ PVOID* Buffer ) { PVOID value; ULONG valueOffset; PVS_VERSION_INFO_STRUCT32 child; if (!(value = PhGetFileVersionInfoValue(VersionInfo))) return STATUS_NOT_FOUND; valueOffset = VersionInfo->ValueLength * (VersionInfo->Type ? sizeof(WCHAR) : sizeof(CHAR)); child = PTR_ADD_OFFSET(value, ALIGN_UP(valueOffset, ULONG)); while ((ULONG_PTR)child < (ULONG_PTR)PTR_ADD_OFFSET(VersionInfo, VersionInfo->Length)) { if (_wcsnicmp(child->Key, Key, KeyLength) == 0 && child->Key[KeyLength] == UNICODE_NULL) { if (Buffer) *Buffer = child; return STATUS_SUCCESS; } if (child->Length == 0) break; child = PTR_ADD_OFFSET(child, ALIGN_UP(child->Length, ULONG)); } return STATUS_NOT_FOUND; } NTSTATUS PhGetFileVersionVarFileInfoValue( _In_ PVOID VersionInfo, _In_ PCPH_STRINGREF KeyName, _Out_opt_ PVOID* Buffer, _Out_opt_ PULONG BufferLength ) { static CONST PH_STRINGREF varfileBlockName = PH_STRINGREF_INIT(L"VarFileInfo"); PVS_VERSION_INFO_STRUCT32 varfileBlockInfo; PVS_VERSION_INFO_STRUCT32 varfileBlockValue; NTSTATUS status; status = PhGetFileVersionInfoKey( VersionInfo, varfileBlockName.Length / sizeof(WCHAR), varfileBlockName.Buffer, &varfileBlockInfo ); if (NT_SUCCESS(status)) { status = PhGetFileVersionInfoKey( varfileBlockInfo, KeyName->Length / sizeof(WCHAR), KeyName->Buffer, &varfileBlockValue ); if (NT_SUCCESS(status)) { if (BufferLength) *BufferLength = varfileBlockValue->ValueLength; if (Buffer) *Buffer = PhGetFileVersionInfoValue(varfileBlockValue); } } return status; } VS_FIXEDFILEINFO* PhGetFileVersionFixedInfo( _In_ PVOID VersionInfo ) { VS_FIXEDFILEINFO* fileInfo; fileInfo = PhGetFileVersionInfoValue(VersionInfo); if (fileInfo && fileInfo->dwSignature == VS_FFI_SIGNATURE) { return fileInfo; } else { return NULL; } } /** * Retrieves the language ID and code page used by a version information block. * * \param VersionInfo The version information block. */ ULONG PhGetFileVersionInfoLangCodePage( _In_ PVOID VersionInfo ) { PLANGANDCODEPAGE codePage; ULONG codePageLength; if (NT_SUCCESS(PhGetFileVersionVarFileInfoValueZ(VersionInfo, L"Translation", &codePage, &codePageLength))) { //for (ULONG i = 0; i < (codePageLength / sizeof(LANGANDCODEPAGE)); i++) return ((ULONG)codePage[0].Language << 16) + codePage[0].CodePage; // Combine the language ID and code page. } return (MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US) << 16) + 1252; } /** * Retrieves a string in a version information block. * * \param VersionInfo The version information block. * \param SubBlock The path to the sub-block. */ PPH_STRING PhGetFileVersionInfoString( _In_ PVOID VersionInfo, _In_ PCWSTR SubBlock ) { NTSTATUS status; PH_STRINGREF name; PWSTR buffer; ULONG length; PhInitializeStringRefLongHint(&name, SubBlock); status = PhGetFileVersionVarFileInfoValue( VersionInfo, &name, &buffer, &length ); if (!NT_SUCCESS(status)) return NULL; return PhCreateStringZ2(buffer, length * sizeof(WCHAR)); } /** * Retrieves a string in a version information block. * * \param VersionInfo The version information block. * \param LangCodePage The language ID and code page of the string. * \param KeyName The name of the string. */ PPH_STRING PhGetFileVersionInfoString2( _In_ PVOID VersionInfo, _In_ ULONG LangCodePage, _In_ PCPH_STRINGREF KeyName ) { static CONST PH_STRINGREF blockInfoName = PH_STRINGREF_INIT(L"StringFileInfo"); PVS_VERSION_INFO_STRUCT32 blockStringInfo; PVS_VERSION_INFO_STRUCT32 blockLangInfo; PVS_VERSION_INFO_STRUCT32 stringNameBlockInfo; NTSTATUS status; PVOID stringNameBlockValue; SIZE_T returnLength; PH_FORMAT format[3]; WCHAR langNameString[65]; status = PhGetFileVersionInfoKey( VersionInfo, blockInfoName.Length / sizeof(WCHAR), blockInfoName.Buffer, &blockStringInfo ); if (!NT_SUCCESS(status)) return NULL; PhInitFormatX(&format[0], LangCodePage); format[0].Type |= FormatPadZeros | FormatUpperCase; format[0].Width = 8; if (!PhFormatToBuffer(format, 1, langNameString, sizeof(langNameString), &returnLength)) return NULL; status = PhGetFileVersionInfoKey( blockStringInfo, returnLength / sizeof(WCHAR) - sizeof(ANSI_NULL), langNameString, &blockLangInfo ); if (!NT_SUCCESS(status)) return NULL; status = PhGetFileVersionInfoKey( blockLangInfo, KeyName->Length / sizeof(WCHAR), KeyName->Buffer, &stringNameBlockInfo ); if (!NT_SUCCESS(status)) return NULL; if (!(stringNameBlockValue = PhGetFileVersionInfoValue(stringNameBlockInfo))) return NULL; return PhCreateStringZ2( stringNameBlockValue, stringNameBlockInfo->ValueLength * sizeof(WCHAR) ); } PPH_STRING PhGetFileVersionInfoStringEx( _In_ PVOID VersionInfo, _In_ ULONG LangCodePage, _In_ PCPH_STRINGREF KeyName ) { PPH_STRING string; // Use the default language code page. if (string = PhGetFileVersionInfoString2(VersionInfo, LangCodePage, KeyName)) return string; // Use the windows-1252 code page. if (string = PhGetFileVersionInfoString2(VersionInfo, (LangCodePage & 0xffff0000) + 1252, KeyName)) return string; // Use the UTF-16 code page. if (string = PhGetFileVersionInfoString2(VersionInfo, (LangCodePage & 0xffff0000) + 1200, KeyName)) return string; // Use the default language (US English). if (string = PhGetFileVersionInfoString2(VersionInfo, (MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US) << 16) + 1252, KeyName)) return string; // Use the default language (US English). if (string = PhGetFileVersionInfoString2(VersionInfo, (MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US) << 16) + 1200, KeyName)) return string; // Use the default language (US English). if (string = PhGetFileVersionInfoString2(VersionInfo, (MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US) << 16) + 0, KeyName)) return string; return NULL; } VOID PhpGetImageVersionInfoFields( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PVOID VersionInfo, _In_ ULONG LangCodePage ) { static CONST PH_STRINGREF companyName = PH_STRINGREF_INIT(L"CompanyName"); static CONST PH_STRINGREF fileDescription = PH_STRINGREF_INIT(L"FileDescription"); static CONST PH_STRINGREF productName = PH_STRINGREF_INIT(L"ProductName"); ImageVersionInfo->CompanyName = PhGetFileVersionInfoStringEx(VersionInfo, LangCodePage, &companyName); ImageVersionInfo->FileDescription = PhGetFileVersionInfoStringEx(VersionInfo, LangCodePage, &fileDescription); ImageVersionInfo->ProductName = PhGetFileVersionInfoStringEx(VersionInfo, LangCodePage, &productName); } VOID PhpGetImageVersionVersionString( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PVOID VersionInfo ) { VS_FIXEDFILEINFO* rootBlock; // The version information is language-independent and must be read from the root block. if (rootBlock = PhGetFileVersionFixedInfo(VersionInfo)) { PH_FORMAT fileVersionFormat[7]; PhInitFormatU(&fileVersionFormat[0], HIWORD(rootBlock->dwFileVersionMS)); PhInitFormatC(&fileVersionFormat[1], L'.'); PhInitFormatU(&fileVersionFormat[2], LOWORD(rootBlock->dwFileVersionMS)); PhInitFormatC(&fileVersionFormat[3], L'.'); PhInitFormatU(&fileVersionFormat[4], HIWORD(rootBlock->dwFileVersionLS)); PhInitFormatC(&fileVersionFormat[5], L'.'); PhInitFormatU(&fileVersionFormat[6], LOWORD(rootBlock->dwFileVersionLS)); ImageVersionInfo->FileVersion = PhFormat(fileVersionFormat, RTL_NUMBER_OF(fileVersionFormat), 64); } else { ImageVersionInfo->FileVersion = NULL; } } VOID PhpGetImageVersionVersionStringEx( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PVOID VersionInfo, _In_ ULONG LangCodePage ) { static CONST PH_STRINGREF fileVersion = PH_STRINGREF_INIT(L"FileVersion"); VS_FIXEDFILEINFO* rootBlock; PPH_STRING versionString; if (versionString = PhGetFileVersionInfoStringEx(VersionInfo, LangCodePage, &fileVersion)) { ImageVersionInfo->FileVersion = versionString; return; } if (rootBlock = PhGetFileVersionFixedInfo(VersionInfo)) { PH_FORMAT fileVersionFormat[7]; PhInitFormatU(&fileVersionFormat[0], HIWORD(rootBlock->dwFileVersionMS)); PhInitFormatC(&fileVersionFormat[1], L'.'); PhInitFormatU(&fileVersionFormat[2], LOWORD(rootBlock->dwFileVersionMS)); PhInitFormatC(&fileVersionFormat[3], L'.'); PhInitFormatU(&fileVersionFormat[4], HIWORD(rootBlock->dwFileVersionLS)); PhInitFormatC(&fileVersionFormat[5], L'.'); PhInitFormatU(&fileVersionFormat[6], LOWORD(rootBlock->dwFileVersionLS)); ImageVersionInfo->FileVersion = PhFormat(fileVersionFormat, RTL_NUMBER_OF(fileVersionFormat), 64); } else { ImageVersionInfo->FileVersion = NULL; } } /** * Initializes a structure with version information. * * \param ImageVersionInfo The version information structure. * \param FileName The file name of an image. */ NTSTATUS PhInitializeImageVersionInfo( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PCWSTR FileName ) { NTSTATUS status; PVOID versionInfo; ULONG langCodePage; status = PhGetFileVersionInfo(FileName, &versionInfo); if (!NT_SUCCESS(status)) return status; langCodePage = PhGetFileVersionInfoLangCodePage(versionInfo); PhpGetImageVersionVersionString(ImageVersionInfo, versionInfo); PhpGetImageVersionInfoFields(ImageVersionInfo, versionInfo, langCodePage); PhFree(versionInfo); return status; } NTSTATUS PhInitializeImageVersionInfoEx( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN ExtendedVersionInfo ) { NTSTATUS status; PVOID versionInfo; ULONG langCodePage; status = PhGetFileVersionInfoEx(FileName, &versionInfo); if (!NT_SUCCESS(status)) return status; langCodePage = PhGetFileVersionInfoLangCodePage(versionInfo); if (ExtendedVersionInfo) PhpGetImageVersionVersionStringEx(ImageVersionInfo, versionInfo, langCodePage); else PhpGetImageVersionVersionString(ImageVersionInfo, versionInfo); PhpGetImageVersionInfoFields(ImageVersionInfo, versionInfo, langCodePage); PhFree(versionInfo); return status; } /** * Frees a version information structure initialized by PhInitializeImageVersionInfo(). * * \param ImageVersionInfo The version information structure. */ VOID PhDeleteImageVersionInfo( _Inout_ PPH_IMAGE_VERSION_INFO ImageVersionInfo ) { if (ImageVersionInfo->CompanyName) PhDereferenceObject(ImageVersionInfo->CompanyName); if (ImageVersionInfo->FileDescription) PhDereferenceObject(ImageVersionInfo->FileDescription); if (ImageVersionInfo->FileVersion) PhDereferenceObject(ImageVersionInfo->FileVersion); if (ImageVersionInfo->ProductName) PhDereferenceObject(ImageVersionInfo->ProductName); } PPH_STRING PhFormatImageVersionInfo( _In_opt_ PPH_STRING FileName, _In_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_opt_ PCPH_STRINGREF Indent, _In_opt_ ULONG LineLimit ) { PH_STRING_BUILDER stringBuilder; if (LineLimit == 0) LineLimit = ULONG_MAX; PhInitializeStringBuilder(&stringBuilder, 40); // File name if (!PhIsNullOrEmptyString(FileName)) { PPH_STRING temp; if (Indent) PhAppendStringBuilder(&stringBuilder, Indent); temp = PhEllipsisStringPath(FileName, LineLimit); PhAppendStringBuilder(&stringBuilder, &temp->sr); PhDereferenceObject(temp); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } // File description & version if (!( PhIsNullOrEmptyString(ImageVersionInfo->FileDescription) && PhIsNullOrEmptyString(ImageVersionInfo->FileVersion) )) { PPH_STRING tempDescription = NULL; PPH_STRING tempVersion = NULL; ULONG limitForDescription; ULONG limitForVersion; if (LineLimit != ULONG_MAX) { limitForVersion = (LineLimit - 1) / 4; // 1/4 space for version (and space character) limitForDescription = LineLimit - limitForVersion; } else { limitForDescription = ULONG_MAX; limitForVersion = ULONG_MAX; } if (!PhIsNullOrEmptyString(ImageVersionInfo->FileDescription)) { tempDescription = PhEllipsisString( ImageVersionInfo->FileDescription, limitForDescription ); } if (!PhIsNullOrEmptyString(ImageVersionInfo->FileVersion)) { tempVersion = PhEllipsisString( ImageVersionInfo->FileVersion, limitForVersion ); } if (Indent) PhAppendStringBuilder(&stringBuilder, Indent); if (tempDescription) { PhAppendStringBuilder(&stringBuilder, &tempDescription->sr); if (tempVersion) PhAppendCharStringBuilder(&stringBuilder, L' '); } if (tempVersion) PhAppendStringBuilder(&stringBuilder, &tempVersion->sr); if (tempDescription) PhDereferenceObject(tempDescription); if (tempVersion) PhDereferenceObject(tempVersion); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } // File company if (!PhIsNullOrEmptyString(ImageVersionInfo->CompanyName)) { PPH_STRING temp; if (Indent) PhAppendStringBuilder(&stringBuilder, Indent); temp = PhEllipsisString(ImageVersionInfo->CompanyName, LineLimit); PhAppendStringBuilder(&stringBuilder, &temp->sr); PhDereferenceObject(temp); PhAppendCharStringBuilder(&stringBuilder, L'\n'); } // Remove the extra newline. if (stringBuilder.String->Length != 0) PhRemoveEndStringBuilder(&stringBuilder, 1); return PhFinalStringBuilderString(&stringBuilder); } typedef struct _PH_FILE_VERSIONINFO_CACHE_ENTRY { PPH_STRING FileName; PPH_STRING CompanyName; PPH_STRING FileDescription; PPH_STRING FileVersion; PPH_STRING ProductName; } PH_FILE_VERSIONINFO_CACHE_ENTRY, *PPH_FILE_VERSIONINFO_CACHE_ENTRY; static PPH_HASHTABLE PhpImageVersionInfoCacheHashtable = NULL; static PH_QUEUED_LOCK PhpImageVersionInfoCacheLock = PH_QUEUED_LOCK_INIT; _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) static BOOLEAN PhpImageVersionInfoCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_FILE_VERSIONINFO_CACHE_ENTRY entry1 = Entry1; PPH_FILE_VERSIONINFO_CACHE_ENTRY entry2 = Entry2; return PhEqualString(entry1->FileName, entry2->FileName, FALSE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) static ULONG PhpImageVersionInfoCacheHashtableHashFunction( _In_ PVOID Entry ) { PPH_FILE_VERSIONINFO_CACHE_ENTRY entry = Entry; return PhHashStringRefEx(&entry->FileName->sr, FALSE, PH_STRING_HASH_XXH32); } NTSTATUS PhInitializeImageVersionInfoCached( _Out_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PPH_STRING FileName, _In_ BOOLEAN IsSubsystemProcess, _In_ BOOLEAN ExtendedVersion ) { PH_IMAGE_VERSION_INFO versionInfo = { 0 }; PH_FILE_VERSIONINFO_CACHE_ENTRY newEntry; if (PhpImageVersionInfoCacheHashtable) { PPH_FILE_VERSIONINFO_CACHE_ENTRY entry; PH_FILE_VERSIONINFO_CACHE_ENTRY lookupEntry; lookupEntry.FileName = FileName; PhAcquireQueuedLockShared(&PhpImageVersionInfoCacheLock); entry = PhFindEntryHashtable(PhpImageVersionInfoCacheHashtable, &lookupEntry); PhReleaseQueuedLockShared(&PhpImageVersionInfoCacheLock); if (entry) { PhSetReference(&ImageVersionInfo->CompanyName, entry->CompanyName); PhSetReference(&ImageVersionInfo->FileDescription, entry->FileDescription); PhSetReference(&ImageVersionInfo->FileVersion, entry->FileVersion); PhSetReference(&ImageVersionInfo->ProductName, entry->ProductName); return STATUS_SUCCESS; } } if (IsSubsystemProcess) { if (!NT_SUCCESS(PhInitializeLxssImageVersionInfo(&versionInfo, &FileName->sr))) { // Note: If the function fails the version info is empty. For extra performance // we still update the cache with a reference to the filename (without version info) // and just return the empty result from the cache instead of loading the same file again. // We flush every few hours so the cache doesn't waste memory or become state. (dmex) } } else { if (!NT_SUCCESS(PhInitializeImageVersionInfoEx(&versionInfo, &FileName->sr, ExtendedVersion))) { // Note: If the function fails the version info is empty. For extra performance // we still update the cache with a reference to the filename (without version info) // and just return the empty result from the cache instead of loading the same file again. // We flush every few hours so the cache doesn't waste memory or become state. (dmex) } } if (!PhpImageVersionInfoCacheHashtable) { PhpImageVersionInfoCacheHashtable = PhCreateHashtable( sizeof(PH_FILE_VERSIONINFO_CACHE_ENTRY), PhpImageVersionInfoCacheHashtableEqualFunction, PhpImageVersionInfoCacheHashtableHashFunction, 100 ); } PhSetReference(&newEntry.FileName, FileName); PhSetReference(&newEntry.CompanyName, versionInfo.CompanyName); PhSetReference(&newEntry.FileDescription, versionInfo.FileDescription); PhSetReference(&newEntry.FileVersion, versionInfo.FileVersion); PhSetReference(&newEntry.ProductName, versionInfo.ProductName); PhAcquireQueuedLockExclusive(&PhpImageVersionInfoCacheLock); PhAddEntryHashtable(PhpImageVersionInfoCacheHashtable, &newEntry); PhReleaseQueuedLockExclusive(&PhpImageVersionInfoCacheLock); ImageVersionInfo->CompanyName = versionInfo.CompanyName; ImageVersionInfo->FileDescription = versionInfo.FileDescription; ImageVersionInfo->FileVersion = versionInfo.FileVersion; ImageVersionInfo->ProductName = versionInfo.ProductName; return STATUS_SUCCESS; } VOID PhFlushImageVersionInfoCache( VOID ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_FILE_VERSIONINFO_CACHE_ENTRY entry; if (!PhpImageVersionInfoCacheHashtable) return; PhAcquireQueuedLockExclusive(&PhpImageVersionInfoCacheLock); PhBeginEnumHashtable(PhpImageVersionInfoCacheHashtable, &enumContext); while (entry = PhNextEnumHashtable(&enumContext)) { if (entry->FileName) PhDereferenceObject(entry->FileName); if (entry->CompanyName) PhDereferenceObject(entry->CompanyName); if (entry->FileDescription) PhDereferenceObject(entry->FileDescription); if (entry->FileVersion) PhDereferenceObject(entry->FileVersion); if (entry->ProductName) PhDereferenceObject(entry->ProductName); } PhClearReference(&PhpImageVersionInfoCacheHashtable); PhpImageVersionInfoCacheHashtable = PhCreateHashtable( sizeof(PH_FILE_VERSIONINFO_CACHE_ENTRY), PhpImageVersionInfoCacheHashtableEqualFunction, PhpImageVersionInfoCacheHashtableHashFunction, 100 ); PhReleaseQueuedLockExclusive(&PhpImageVersionInfoCacheLock); } /** * Retrieves the full path and file name of the specified file. * * \param FileName The name of the file. * \param BufferLength The size of the buffer to receive the null-terminated string for the drive and path. * \param Buffer A pointer to a buffer that receives the null-terminated string for the drive and path. * \param FilePart A variable which receives the index of the base name. * \param BytesRequired The length of the string including the terminating null character. * \return Successful or errant status. */ NTSTATUS PhGetFullPathName( _In_ PCWSTR FileName, _In_ SIZE_T BufferLength, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _Out_opt_ PWSTR* FilePart, _Out_opt_ PULONG BytesRequired ) { NTSTATUS status; ULONG bufferLength; ULONG bytesRequired; status = RtlSizeTToULong( BufferLength, &bufferLength ); if (!NT_SUCCESS(status)) return status; bytesRequired = 0; status = RtlGetFullPathName_UEx( FileName, bufferLength, // * sizeof(WCHAR) Buffer, FilePart, &bytesRequired ); if (!NT_SUCCESS(status)) return status; if (BytesRequired) { *BytesRequired = bytesRequired; /* / sizeof(WCHAR) */ } if (BufferLength < bytesRequired) return STATUS_BUFFER_TOO_SMALL; return STATUS_SUCCESS; } /** * Gets an absolute file name. * * \param FileName A file name. * \param FullPath An absolute file name, or NULL if the function failed. * \param IndexOfFileName A variable which receives the index of the base name. * * \return Successful or errant status. */ NTSTATUS PhGetFullPath( _In_ PCWSTR FileName, _Out_ PPH_STRING *FullPath, _Out_opt_ PULONG IndexOfFileName ) { NTSTATUS status; PPH_STRING fullPath; ULONG fullPathLength; ULONG returnLength = 0; PWSTR filePart = NULL; fullPathLength = DOS_MAX_PATH_LENGTH; fullPath = PhCreateStringEx(NULL, fullPathLength); status = PhGetFullPathName( FileName, fullPath->Length + sizeof(UNICODE_NULL), fullPath->Buffer, &filePart, &returnLength ); if (status == STATUS_BUFFER_TOO_SMALL && returnLength > sizeof(UNICODE_NULL)) { PhDereferenceObject(fullPath); fullPathLength = returnLength - sizeof(UNICODE_NULL); fullPath = PhCreateStringEx(NULL, fullPathLength); status = PhGetFullPathName( FileName, fullPath->Length + sizeof(UNICODE_NULL), fullPath->Buffer, &filePart, &returnLength ); } if (!NT_SUCCESS(status)) { PhDereferenceObject(fullPath); return status; } PhTrimToNullTerminatorString(fullPath); *FullPath = fullPath; if (IndexOfFileName) { if (filePart) { // The path points to a file. *IndexOfFileName = (ULONG)(filePart - fullPath->Buffer); } else { // The path points to a directory. *IndexOfFileName = ULONG_MAX; } } return status; } /** * Expands environment variables in a string. * * \param String The string. */ PPH_STRING PhExpandEnvironmentStrings( _In_ PCPH_STRINGREF String ) { NTSTATUS status; UNICODE_STRING inputString; UNICODE_STRING outputString; PPH_STRING string; ULONG bufferLength; if (!PhStringRefToUnicodeString(String, &inputString)) return NULL; bufferLength = 0x100; string = PhCreateStringEx(NULL, bufferLength); outputString.MaximumLength = (USHORT)bufferLength; outputString.Length = 0; outputString.Buffer = string->Buffer; status = RtlExpandEnvironmentStrings_U( NULL, &inputString, &outputString, &bufferLength ); if (status == STATUS_BUFFER_TOO_SMALL) { PhDereferenceObject(string); string = PhCreateStringEx(NULL, bufferLength); outputString.MaximumLength = (USHORT)bufferLength; outputString.Length = 0; outputString.Buffer = string->Buffer; status = RtlExpandEnvironmentStrings_U( NULL, &inputString, &outputString, &bufferLength ); } if (!NT_SUCCESS(status)) { PhDereferenceObject(string); return NULL; } string->Length = outputString.Length; string->Buffer[string->Length / sizeof(WCHAR)] = UNICODE_NULL; // make sure there is a null terminator return string; } /** * Gets the base name from a file name. * * \param FileName The file name. */ PPH_STRING PhGetBaseName( _In_ PPH_STRING FileName ) { PH_STRINGREF pathPart; PH_STRINGREF baseNamePart; if (!PhSplitStringRefAtLastChar(&FileName->sr, OBJ_NAME_PATH_SEPARATOR, &pathPart, &baseNamePart)) { return PhReferenceObject(FileName); } return PhCreateString2(&baseNamePart); } /** * Changes the extension of the base name in a file path. * * This function locates the last path separator and the last dot in the file name. * If both are found and the dot is after the last path separator, it replaces the extension * with the specified new extension. Otherwise, it appends the new extension to the file name. * * \param FileName The input file name as a string reference. * \param FileExtension The new file extension as a string reference. * \return A new string with the base name's extension changed, or the original file name with the extension appended if no dot is found. */ PPH_STRING PhGetBaseNameChangeExtension( _In_ PCPH_STRINGREF FileName, _In_ PCPH_STRINGREF FileExtension ) { ULONG_PTR indexOfBackslash; ULONG_PTR indexOfLastDot; PH_STRINGREF baseFileName; PH_STRINGREF baseFilePath; if ((indexOfBackslash = PhFindLastCharInStringRef(FileName, OBJ_NAME_PATH_SEPARATOR, FALSE)) == SIZE_MAX) return PhConcatStringRef2(FileName, FileExtension); if ((indexOfLastDot = PhFindLastCharInStringRef(FileName, L'.', FALSE)) == SIZE_MAX) return PhConcatStringRef2(FileName, FileExtension); if (indexOfLastDot < indexOfBackslash) return PhConcatStringRef2(FileName, FileExtension); baseFileName.Buffer = FileName->Buffer + indexOfBackslash + 1; baseFileName.Length = (indexOfLastDot - indexOfBackslash - 1) * sizeof(WCHAR); baseFilePath.Buffer = FileName->Buffer; baseFilePath.Length = (indexOfBackslash + 1) * sizeof(WCHAR); return PhConcatStringRef3(&baseFilePath, &baseFileName, FileExtension); } /** * Splits a file path into its base path and base file name components. * * This function separates the input file name into the directory path and the file name. * If both output pointers are provided, both components are set if available. * If only one output pointer is provided, only that component is set. * * \param FileName The input file name as a string reference. * \param BasePathName Optional pointer to receive the base path component. * \param BaseFileName Optional pointer to receive the base file name component. * \return TRUE if the split was successful and the requested components are available, otherwise FALSE. */ _Success_(return) BOOLEAN PhGetBasePath( _In_ PCPH_STRINGREF FileName, _Out_opt_ PPH_STRINGREF BasePathName, _Out_opt_ PPH_STRINGREF BaseFileName ) { PH_STRINGREF basePathPart; PH_STRINGREF baseNamePart; if (!PhSplitStringRefAtLastChar(FileName, OBJ_NAME_PATH_SEPARATOR, &basePathPart, &baseNamePart)) return FALSE; if (BasePathName && BaseFileName) { if (basePathPart.Length && baseNamePart.Length) { BasePathName->Length = basePathPart.Length; BasePathName->Buffer = basePathPart.Buffer; BaseFileName->Length = baseNamePart.Length; BaseFileName->Buffer = baseNamePart.Buffer; return TRUE; } return FALSE; } if (BasePathName && basePathPart.Length) { BasePathName->Length = basePathPart.Length; BasePathName->Buffer = basePathPart.Buffer; return TRUE; } if (BaseFileName && baseNamePart.Length) { BaseFileName->Length = baseNamePart.Length; BaseFileName->Buffer = baseNamePart.Buffer; return TRUE; } return FALSE; } /** * Gets the parent directory from a file name. * * \param FileName The file name. */ PPH_STRING PhGetBaseDirectory( _In_ PPH_STRING FileName ) { PH_STRINGREF pathPart; PH_STRINGREF baseNamePart; if (!PhSplitStringRefAtLastChar(&FileName->sr, OBJ_NAME_PATH_SEPARATOR, &pathPart, &baseNamePart)) return NULL; return PhCreateString2(&pathPart); } /** * Retrieves the system directory path. */ PPH_STRING PhGetSystemDirectory( VOID ) { static CONST PH_STRINGREF system32String = PH_STRINGREF_INIT(L"\\System32"); static PPH_STRING cachedSystemDirectory = NULL; PH_STRINGREF systemRootString; PPH_STRING systemDirectory; PPH_STRING previousSystemDirectory; // Use the cached value if possible. if (systemDirectory = ReadPointerAcquire(&cachedSystemDirectory)) return PhReferenceObject(systemDirectory); PhGetSystemRoot(&systemRootString); systemDirectory = PhConcatStringRef2(&systemRootString, &system32String); PhReferenceObject(systemDirectory); if (previousSystemDirectory = InterlockedExchangePointer(&cachedSystemDirectory, systemDirectory)) { PhDereferenceObject(previousSystemDirectory); } return systemDirectory; } /** * Retrieves the path to the Windows System32 directory in Win32 format, optionally appending a subpath. * * \param AppendPath Optional string to append to the System32 directory path. * \return A pointer to a string containing the full path to the System32 directory (with optional appended path). */ PPH_STRING PhGetSystemDirectoryWin32( _In_opt_ PCPH_STRINGREF AppendPath ) { static CONST PH_STRINGREF system32String = PH_STRINGREF_INIT(L"\\System32"); PH_STRINGREF systemRootString; PhGetSystemRoot(&systemRootString); if (AppendPath) { return PhConcatStringRef3(&systemRootString, &system32String, AppendPath); } return PhConcatStringRef2(&systemRootString, &system32String); } /** * Retrieves the Windows system root directory path. * * This function returns the system root directory path as a PH_STRINGREF. * The value is cached after the first call for subsequent use. * The returned string does not include a trailing backslash. */ VOID PhGetSystemRoot( _Out_ PPH_STRINGREF SystemRoot ) { static PH_STRINGREF systemRoot; PH_STRINGREF localSystemRoot; SIZE_T count; if (systemRoot.Buffer) { *SystemRoot = systemRoot; return; } localSystemRoot.Buffer = RtlGetNtSystemRoot(); count = PhCountStringZ(localSystemRoot.Buffer); localSystemRoot.Length = count * sizeof(WCHAR); // Make sure the system root string doesn't have a trailing backslash. if (localSystemRoot.Buffer[count - 1] == OBJ_NAME_PATH_SEPARATOR) localSystemRoot.Length -= sizeof(WCHAR); *SystemRoot = localSystemRoot; systemRoot.Length = localSystemRoot.Length; MemoryBarrier(); systemRoot.Buffer = localSystemRoot.Buffer; } /** * Retrieves the native NT path of the Windows system root directory. * * This function returns the system root directory path in native NT format as a PH_STRINGREF. * The value is cached after the first call for subsequent use. */ VOID PhGetNtSystemRoot( _Out_ PPH_STRINGREF NtSystemRoot ) { static PPH_STRING systemRootNative; if (PhIsNullOrEmptyString(systemRootNative)) { PH_STRINGREF localSystemRoot; PhGetSystemRoot(&localSystemRoot); systemRootNative = PhDosPathNameToNtPathName(&localSystemRoot); } *NtSystemRoot = systemRootNative->sr; } /** * Retrieves the Windows directory path. */ PPH_STRING PhGetWindowsDirectory( _In_opt_ PCPH_STRINGREF AppendPath ) { PH_STRINGREF systemRoot; PPH_STRING systemRootNative; PhGetSystemRoot(&systemRoot); systemRootNative = PhDosPathNameToNtPathName(&systemRoot); if (systemRootNative && AppendPath) { PhMoveReference(&systemRootNative, PhConcatStringRef2(&systemRootNative->sr, AppendPath)); } return systemRootNative; } /** * Retrieves the Windows directory path. */ PPH_STRING PhGetWindowsDirectoryWin32( _In_opt_ PCPH_STRINGREF AppendPath ) { PH_STRINGREF systemRoot; PhGetSystemRoot(&systemRoot); if (AppendPath) { return PhConcatStringRef2(&systemRoot, AppendPath); } return PhCreateString2(&systemRoot); } /** * Retrieves the native file name of the current process image. */ PPH_STRING PhGetApplicationFileName( VOID ) { static PPH_STRING cachedFileName = NULL; PPH_STRING fileName; if (fileName = ReadPointerAcquire(&cachedFileName)) { return PhReferenceObject(fileName); } if (!NT_SUCCESS(PhGetProcessImageFileName(NtCurrentProcess(), &fileName))) { if (!NT_SUCCESS(PhGetProcessImageFileNameByProcessId(NtCurrentProcessId(), &fileName))) { if (!NT_SUCCESS(PhGetProcessMappedFileName(NtCurrentProcess(), NtCurrentImageBase(), &fileName))) { if (fileName = PhGetDllFileName(NtCurrentImageBase(), NULL)) { PPH_STRING fullPath; if (NT_SUCCESS(PhGetFullPath(PhGetString(fileName), &fullPath, NULL))) { PhMoveReference(&fileName, fullPath); } PhMoveReference(&fileName, PhDosPathNameToNtPathName(&fileName->sr)); } } } } // Update the cached file name with atomic semantics (dmex) if (!InterlockedCompareExchangePointer( &cachedFileName, fileName, NULL )) { PhReferenceObject(fileName); } return fileName; } /** * Retrieves the file name of the current process image. */ PPH_STRING PhGetApplicationFileNameWin32( VOID ) { static PPH_STRING cachedFileName = NULL; PPH_STRING fileName; PPH_STRING string; if (fileName = ReadPointerAcquire(&cachedFileName)) { return PhReferenceObject(fileName); } if (fileName = PhGetDllFileName(NtCurrentImageBase(), NULL)) { if (NT_SUCCESS(PhGetFullPath(PhGetString(fileName), &string, NULL))) { PhMoveReference(&fileName, string); } } //if (NT_SUCCESS(PhGetProcessImageFileNameWin32(NtCurrentProcess(), &fileName))) // PhMoveReference(&fileName, PhGetFileName(fileName)); // //if (!NT_SUCCESS(PhGetProcessImageFileNameWin32(NtCurrentProcess(), &fileName))) //{ // if (!NT_SUCCESS(PhGetProcessMappedFileName(NtCurrentProcess(), PhInstanceHandle, &fileName))) // { // if (!NT_SUCCESS(PhGetProcessImageFileNameByProcessId(NtCurrentProcessId(), &fileName))) // { // PhMoveReference(&fileName, PhGetFileName(fileName)); // } // } if (!InterlockedCompareExchangePointer( &cachedFileName, fileName, NULL )) { PhReferenceObject(fileName); } return fileName; } /** * Retrieves the directory path of the current process image (native NT path). * * This function returns the directory containing the executable image of the current process. * The result is cached for subsequent calls to improve performance. * \return A pointer to a string containing the directory path. */ PPH_STRING PhGetApplicationDirectory( VOID ) { static PPH_STRING cachedDirectoryPath = NULL; PPH_STRING directoryPath; PPH_STRING fileName; // Read the cached directory path with acquire semantics if (directoryPath = ReadPointerAcquire(&cachedDirectoryPath)) { return PhReferenceObject(directoryPath); } // Get the application file name if (fileName = PhGetApplicationFileName()) { ULONG_PTR indexOfFileName; // Find the last path separator in the file name indexOfFileName = PhFindLastCharInString(fileName, 0, OBJ_NAME_PATH_SEPARATOR); if (indexOfFileName != SIZE_MAX) indexOfFileName++; else indexOfFileName = 0; // Extract the directory path from the file name if (indexOfFileName != 0) { directoryPath = PhSubstring(fileName, 0, indexOfFileName); } PhDereferenceObject(fileName); } // Atomically set the cached directory path if it is currently NULL if (!InterlockedCompareExchangePointer( &cachedDirectoryPath, directoryPath, NULL )) { PhReferenceObject(directoryPath); } return directoryPath; } /** * Retrieves the directory path of the current process image (Win32 path). * * This function returns the directory containing the executable image of the current process, * using the Win32 path format. The result is cached for subsequent calls to improve performance. * \return A pointer to a string containing the directory path. */ PPH_STRING PhGetApplicationDirectoryWin32( VOID ) { static PPH_STRING cachedDirectoryPath = NULL; PPH_STRING directoryPath; PPH_STRING fileName; if (directoryPath = ReadPointerAcquire(&cachedDirectoryPath)) { return PhReferenceObject(directoryPath); } if (fileName = PhGetApplicationFileNameWin32()) { ULONG_PTR indexOfFileName; indexOfFileName = PhFindLastCharInString(fileName, 0, OBJ_NAME_PATH_SEPARATOR); if (indexOfFileName != SIZE_MAX) indexOfFileName++; else indexOfFileName = 0; // Extract the directory path from the file name if (indexOfFileName != 0) { directoryPath = PhSubstring(fileName, 0, indexOfFileName); } PhDereferenceObject(fileName); } // Atomically set the cached directory path if it is currently NULL if (!InterlockedCompareExchangePointer( &cachedDirectoryPath, directoryPath, NULL )) { PhReferenceObject(directoryPath); } return directoryPath; } /** * Gets the full path to a file in the application's directory. * * \param FileName The file name to append to the application directory. * \param NativeFileName TRUE to use the native NT path, FALSE for Win32 path. * \return A pointer to a string containing the full path, or NULL if the directory could not be determined. */ PPH_STRING PhGetApplicationDirectoryFileName( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ) { PPH_STRING applicationFileName = NULL; PPH_STRING applicationDirectory; if (NativeFileName) applicationDirectory = PhGetApplicationDirectory(); else applicationDirectory = PhGetApplicationDirectoryWin32(); if (applicationDirectory) { applicationFileName = PhConcatStringRef2(&applicationDirectory->sr, FileName); PhDereferenceObject(applicationDirectory); } return applicationFileName; } /** * Gets a temporary file name in the system temporary directory, using a random alpha string. * * \return A pointer to a string containing the full path to the temporary file. */ PPH_STRING PhGetTemporaryDirectoryRandomAlphaFileName( VOID ) { PH_STRINGREF randomAlphaString; WCHAR randomAlphaStringBuffer[33] = L""; PhGenerateRandomAlphaString(randomAlphaStringBuffer, RTL_NUMBER_OF(randomAlphaStringBuffer)); randomAlphaStringBuffer[0] = OBJ_NAME_PATH_SEPARATOR; randomAlphaString.Buffer = randomAlphaStringBuffer; randomAlphaString.Length = sizeof(randomAlphaStringBuffer) - sizeof(UNICODE_NULL); return PhGetTemporaryDirectory(&randomAlphaString); } /** * Gets the local application data directory for System Informer, optionally appending a file name. * * \param FileName The file name to append, or NULL to return the directory only. * \param NativeFileName TRUE to use the native NT path, FALSE for Win32 path. * \return A pointer to a string containing the full path, or NULL if the directory could not be determined. */ PPH_STRING PhGetLocalAppDataDirectory( _In_opt_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ) { PPH_STRING localAppDataFileName = NULL; PPH_STRING localAppDataDirectory; if (localAppDataDirectory = PhGetKnownLocationZ(PH_FOLDERID_LocalAppData, L"\\SystemInformer\\", NativeFileName)) { if (!FileName) return localAppDataDirectory; localAppDataFileName = PhConcatStringRef2(&localAppDataDirectory->sr, FileName); PhReferenceObject(localAppDataDirectory); } return localAppDataFileName; } /** * Gets the roaming application data directory for System Informer, optionally appending a file name. * * \param FileName The file name to append, or NULL to return the directory only. * \param NativeFileName TRUE to use the native NT path, FALSE for Win32 path. * \return A pointer to a string containing the full path, or NULL if the directory could not be determined. */ PPH_STRING PhGetRoamingAppDataDirectory( _In_opt_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ) { PPH_STRING roamingAppDataFileName = NULL; PPH_STRING roamingAppDataDirectory; if (roamingAppDataDirectory = PhGetKnownLocationZ(PH_FOLDERID_RoamingAppData, L"\\SystemInformer\\", NativeFileName)) { if (!FileName) return roamingAppDataDirectory; roamingAppDataFileName = PhConcatStringRef2(&roamingAppDataDirectory->sr, FileName); PhReferenceObject(roamingAppDataDirectory); } return roamingAppDataFileName; } /** * Gets the full path to a file in the application's directory. * * \param FileName The file name to append to the application directory. * \param NativeFileName TRUE to use the native NT path, FALSE for Win32 path. * \return A pointer to a string containing the full path, or NULL if the directory could not be determined. */ PPH_STRING PhGetApplicationDataFileName( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ) { PPH_STRING applicationDataFileName; // Check the current directory. (dmex) if (applicationDataFileName = PhGetApplicationDirectoryFileName(FileName, NativeFileName)) { if (NativeFileName) { if (PhDoesFileExist(&applicationDataFileName->sr)) return applicationDataFileName; } else { if (PhDoesFileExistWin32(PhGetString(applicationDataFileName))) return applicationDataFileName; } PhClearReference(&applicationDataFileName); } // Return the appdata directory. (dmex) applicationDataFileName = PhGetRoamingAppDataDirectory(FileName, NativeFileName); return applicationDataFileName; } #if defined(PH_SHGETFOLDERPATH) /** * Gets a known location as a file name. * * \param Folder A CSIDL value representing the known location. * \param AppendPath A string to append to the folder path. */ //PPH_STRING PhGetKnownLocation( // _In_ ULONG Folder, // _In_opt_ PWSTR AppendPath // ) //{ // PPH_STRING path; // SIZE_T appendPathLength; // // if (!SHGetFolderPathW_Import()) // return NULL; // // if (AppendPath) // appendPathLength = PhCountStringZ(AppendPath) * sizeof(WCHAR); // else // appendPathLength = 0; // // path = PhCreateStringEx(NULL, MAX_PATH * sizeof(WCHAR) + appendPathLength); // // if (SUCCEEDED(SHGetFolderPathW_Import()( // NULL, // Folder, // NULL, // SHGFP_TYPE_CURRENT, // path->Buffer // ))) // { // PhTrimToNullTerminatorString(path); // // if (AppendPath) // { // memcpy(&path->Buffer[path->Length / sizeof(WCHAR)], AppendPath, appendPathLength + sizeof(UNICODE_NULL)); // +2 for null terminator // path->Length += appendPathLength; // } // // return path; // } // // PhDereferenceObject(path); // // return NULL; //} #endif /** * Retrieves the full path of a known folder. * * \param Folder A reference that identifies the folder. * \param AppendPath The string to append to the path. * \param NativeFileName A boolean to return the native path or Win32 path. */ PPH_STRING PhGetKnownLocation( _In_ ULONG Folder, _In_opt_ PCPH_STRINGREF AppendPath, _In_ BOOLEAN NativeFileName ) { #if !defined(PH_BUILD_MSIX) switch (Folder) { case PH_FOLDERID_LocalAppData: { static CONST PH_STRINGREF variableName = PH_STRINGREF_INIT(L"LOCALAPPDATA"); static CONST PH_STRINGREF variableNameProfile = PH_STRINGREF_INIT(L"USERPROFILE"); NTSTATUS status; PH_STRINGREF variableValue; WCHAR variableBuffer[DOS_MAX_PATH_LENGTH]; PhInitializeBufferStringRef(&variableValue, variableBuffer, sizeof(variableBuffer)); status = PhQueryEnvironmentVariableStringRef( NULL, &variableName, &variableValue ); if (!NT_SUCCESS(status)) { status = PhQueryEnvironmentVariableStringRef( NULL, &variableNameProfile, &variableValue ); } if (NT_SUCCESS(status)) { PPH_STRING fileName; if (AppendPath) { if (NativeFileName) { if (fileName = PhDosPathNameToNtPathName(&variableValue)) { PhMoveReference(&fileName, PhConcatStringRef2(&fileName->sr, AppendPath)); } else { fileName = NULL; } } else { fileName = PhConcatStringRef2(&variableValue, AppendPath); } } else { if (NativeFileName) fileName = PhDosPathNameToNtPathName(&variableValue); else fileName = PhCreateString2(&variableValue); } return fileName; } } break; case PH_FOLDERID_RoamingAppData: { static CONST PH_STRINGREF variableName = PH_STRINGREF_INIT(L"APPDATA"); static CONST PH_STRINGREF variableNameProfile = PH_STRINGREF_INIT(L"USERPROFILE"); NTSTATUS status; PH_STRINGREF variableValue; WCHAR variableBuffer[DOS_MAX_PATH_LENGTH]; PhInitializeBufferStringRef(&variableValue, variableBuffer, sizeof(variableBuffer)); status = PhQueryEnvironmentVariableStringRef( NULL, &variableName, &variableValue ); if (!NT_SUCCESS(status)) { status = PhQueryEnvironmentVariableStringRef( NULL, &variableNameProfile, &variableValue ); } if (NT_SUCCESS(status)) { PPH_STRING fileName; if (AppendPath) { if (NativeFileName) { if (fileName = PhDosPathNameToNtPathName(&variableValue)) { PhMoveReference(&fileName, PhConcatStringRef2(&fileName->sr, AppendPath)); } else { fileName = NULL; } } else { fileName = PhConcatStringRef2(&variableValue, AppendPath); } } else { if (NativeFileName) { fileName = PhDosPathNameToNtPathName(&variableValue); } else { fileName = PhCreateString2(&variableValue); } } return fileName; } } break; //case PH_FOLDERID_ProgramFiles: // { // PPH_STRING value; // // if (value = PhExpandEnvironmentStringsZ(L"%ProgramFiles%")) // { // if (AppendPath) // { // PhMoveReference(&value, PhConcatStringRef2(&value->sr, AppendPath)); // } // // return value; // } // } // break; case PH_FOLDERID_ProgramData: { static CONST PH_STRINGREF variableName = PH_STRINGREF_INIT(L"PROGRAMDATA"); NTSTATUS status; PH_STRINGREF variableValue; WCHAR variableBuffer[DOS_MAX_PATH_LENGTH]; PhInitializeBufferStringRef(&variableValue, variableBuffer, sizeof(variableBuffer)); status = PhQueryEnvironmentVariableStringRef( NULL, &variableName, &variableValue ); if (NT_SUCCESS(status)) { PPH_STRING fileName; if (AppendPath) { if (NativeFileName) { if (fileName = PhDosPathNameToNtPathName(&variableValue)) { PhMoveReference(&fileName, PhConcatStringRef2(&fileName->sr, AppendPath)); } else { fileName = NULL; } } else { fileName = PhConcatStringRef2(&variableValue, AppendPath); } } else { if (NativeFileName) { fileName = PhDosPathNameToNtPathName(&variableValue); } else { fileName = PhCreateString2(&variableValue); } } return fileName; } } break; } #else switch (Folder) { case PH_FOLDERID_LocalAppData: { PPH_STRING value; if (value = PhGetKnownFolderPath(&FOLDERID_LocalAppData, AppendPath)) { if (NativeFileName) { PhMoveReference(&value, PhDosPathNameToNtPathName(&value->sr)); } return value; } } break; case PH_FOLDERID_RoamingAppData: { PPH_STRING value; if (value = PhGetKnownFolderPath(&FOLDERID_RoamingAppData, AppendPath)) { if (NativeFileName) { PhMoveReference(&value, PhDosPathNameToNtPathName(&value->sr)); } return value; } } break; //case PH_FOLDERID_ProgramFiles: // return PhGetKnownFolderPath(&FOLDERID_ProgramFiles, AppendPath); case PH_FOLDERID_ProgramData: { PPH_STRING value; if (value = PhGetKnownFolderPath(&FOLDERID_ProgramData, AppendPath)) { if (NativeFileName) { PhMoveReference(&value, PhDosPathNameToNtPathName(&value->sr)); } return value; } } break; } #endif return NULL; } /** * Retrieves the full path of a known folder. * * \param Folder A pointer to the GUID that identifies the known folder. * \param AppendPath An optional string to append to the folder path. * \return A pointer to a string containing the full path of the known folder, or NULL if the operation fails. */ PPH_STRING PhGetKnownFolderPath( _In_ PCGUID Folder, _In_opt_ PCPH_STRINGREF AppendPath ) { return PhGetKnownFolderPathEx(Folder, 0, NULL, AppendPath); } /** * Flag mapping table for known folder path retrieval. * * Maps PH_KF_FLAG_* values to corresponding KF_FLAG_* values for use with SHGetKnownFolderPath. */ static const PH_FLAG_MAPPING PhpKnownFolderFlagMappings[] = { { PH_KF_FLAG_FORCE_PACKAGE_REDIRECTION, KF_FLAG_FORCE_APP_DATA_REDIRECTION }, { PH_KF_FLAG_FORCE_APPCONTAINER_REDIRECTION, KF_FLAG_FORCE_APPCONTAINER_REDIRECTION }, }; /** * Retrieves the full path of a known folder optionally using a token handle and additional flags. * * \param Folder A pointer to the GUID that identifies the known folder. * \param Flags Flags controlling folder path retrieval (see PH_KF_FLAG_*). * \param TokenHandle An optional token handle for user-specific folder resolution. * \param AppendPath An optional string to append to the folder path. * \return A pointer to a string containing the full path of the known folder, or NULL if the operation fails. */ PPH_STRING PhGetKnownFolderPathEx( _In_ PCGUID Folder, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _In_opt_ PCPH_STRINGREF AppendPath ) { PPH_STRING path; ULONG flags; PWSTR knownFolderBuffer; SIZE_T knownFolderLength; SIZE_T knownAppendLength; flags = 0; PhMapFlags1(&flags, Flags, PhpKnownFolderFlagMappings, ARRAYSIZE(PhpKnownFolderFlagMappings)); if (FAILED(PhShellGetKnownFolderPath( Folder, flags | KF_FLAG_DONT_VERIFY, TokenHandle, &knownFolderBuffer ))) { return NULL; } knownFolderLength = PhCountStringZ(knownFolderBuffer) * sizeof(WCHAR); knownAppendLength = AppendPath ? AppendPath->Length : 0; path = PhCreateStringEx(NULL, knownFolderLength + knownAppendLength); memcpy( path->Buffer, knownFolderBuffer, knownFolderLength ); if (AppendPath) { memcpy( PTR_ADD_OFFSET(path->Buffer, knownFolderLength), AppendPath->Buffer, knownAppendLength ); } CoTaskMemFree(knownFolderBuffer); return path; } // rev from GetTempPath2W (dmex) /** * Retrieves the path to the system temporary directory, optionally appending a subpath. * * This function determines the appropriate temporary directory for the current user or process context. * - If running as an elevated process with the LocalSystem SID, it returns the system root's "SystemTemp" directory if it exists. * - Otherwise, it checks the "TMP", "TEMP", and "USERPROFILE" environment variables in order, returning the first valid path found. * - If an AppendPath is provided, it is concatenated to the selected temporary directory. * * \param AppendPath Optional string to append to the temporary directory path. * \return A pointer to a string containing the full path to the temporary directory (with optional appended path), * \remarks * - If running as LocalSystem, the function prefers the "SystemTemp" directory under the system root. * - The function checks environment variables in the order: "TMP", "TEMP", "USERPROFILE". * - If no environment variable yields a valid path, the function returns NULL. * - The returned path is suitable for creating temporary files or directories. * - The function supports both native NT paths and Win32 paths, depending on context. */ PPH_STRING PhGetTemporaryDirectory( _In_opt_ PCPH_STRINGREF AppendPath ) { static CONST PH_STRINGREF variableNameTmp = PH_STRINGREF_INIT(L"TMP"); static CONST PH_STRINGREF variableNameTemp = PH_STRINGREF_INIT(L"TEMP"); static CONST PH_STRINGREF variableNameProfile = PH_STRINGREF_INIT(L"USERPROFILE"); NTSTATUS status; PH_STRINGREF variableValue; WCHAR variableBuffer[DOS_MAX_PATH_LENGTH]; if ( PhGetOwnTokenAttributes().Elevated && PhEqualSid(PhGetOwnTokenAttributes().TokenSid, &PhSeLocalSystemSid) ) { static CONST PH_STRINGREF systemTemp = PH_STRINGREF_INIT(L"SystemTemp"); PH_STRINGREF systemRoot; PPH_STRING systemPath; PhGetSystemRoot(&systemRoot); if (AppendPath) { systemPath = PhConcatStringRef4(&systemRoot, &PhNtPathSeparatorString, &systemTemp, AppendPath); } else { systemPath = PhConcatStringRef3(&systemRoot, &PhNtPathSeparatorString, &systemTemp); } if (PhDoesDirectoryExistWin32(PhGetString(systemPath))) // Required for Windows 7/8 (dmex) { return systemPath; } PhDereferenceObject(systemPath); } PhInitializeBufferStringRef(&variableValue, variableBuffer, sizeof(variableBuffer)); status = PhQueryEnvironmentVariableStringRef( NULL, &variableNameTmp, &variableValue ); if (!NT_SUCCESS(status)) { PhInitializeBufferStringRef(&variableValue, variableBuffer, sizeof(variableBuffer)); status = PhQueryEnvironmentVariableStringRef( NULL, &variableNameTemp, &variableValue ); if (!NT_SUCCESS(status)) { PhInitializeBufferStringRef(&variableValue, variableBuffer, sizeof(variableBuffer)); status = PhQueryEnvironmentVariableStringRef( NULL, &variableNameProfile, &variableValue ); } } if (NT_SUCCESS(status)) { if (AppendPath) { return PhConcatStringRef2(&variableValue, AppendPath); } return PhCreateString2(&variableValue); } return NULL; } /** * Waits on multiple objects while processing window messages. * * \param WindowHandle The window to process messages for, or NULL to process all messages for the current thread. * \param NumberOfHandles The number of handles specified in \a Handles. This must not be greater than MAXIMUM_WAIT_OBJECTS - 1. * \param Handles An array of handles. * \param Timeout The number of milliseconds to wait on the objects, or INFINITE for no timeout. * \param WakeMask The input types for which an input event object handle will be added to the array of object handles. * \remarks The wait is always in WaitAny mode. Passing a specific HWND to PeekMessage filters out thread messages * (e.g., WM_QUIT) and messages for other windows on the same thread. If you expect full pumping, the HWND must be NULL. */ NTSTATUS PhWaitForMultipleObjectsAndPump( _In_opt_ HWND WindowHandle, _In_ ULONG NumberOfHandles, _In_ PHANDLE Handles, _In_ ULONG Timeout, _In_ ULONG WakeMask ) { NTSTATUS status; ULONG64 startTickCount; ULONG64 currentTickCount; ULONG64 currentTimeout; startTickCount = NtGetTickCount64(); currentTimeout = Timeout; while (TRUE) { status = MsgWaitForMultipleObjects( NumberOfHandles, Handles, FALSE, (ULONG)currentTimeout, WakeMask ); if ( status >= STATUS_WAIT_0 && status < (NTSTATUS)(STATUS_WAIT_0 + NumberOfHandles) || status >= STATUS_ABANDONED_WAIT_0 && status < (NTSTATUS)(STATUS_ABANDONED_WAIT_0 + NumberOfHandles) ) { return status; } else if (status == (STATUS_WAIT_0 + NumberOfHandles)) { MSG msg; // Pump messages while (PeekMessage(&msg, WindowHandle, 0, 0, PM_REMOVE)) { TranslateMessage(&msg); DispatchMessage(&msg); } } else { return status; } // Recompute the timeout value. if (Timeout != INFINITE) { currentTickCount = NtGetTickCount64(); currentTimeout = Timeout - (currentTickCount - startTickCount); if ((LONG64)currentTimeout < 0) return STATUS_TIMEOUT; } } } /** * Creates a native process and an initial thread. * * \param FileName The Win32 file name of the image. * \param CommandLine The command line string to pass to the process. This string cannot be used to * specify the image to execute. * \param Environment The environment block for the process. Specify NULL to use the environment of * the current process. * \param CurrentDirectory The current directory string to pass to the process. * \param Information Additional parameters to pass to the process. * \param Flags A combination of the following: * \li \c PH_CREATE_PROCESS_INHERIT_HANDLES Inheritable handles will be duplicated to the process * from the parent process. * \li \c PH_CREATE_PROCESS_SUSPENDED The initial thread will be created suspended. * \li \c PH_CREATE_PROCESS_BREAKAWAY_FROM_JOB The process will not be assigned to the job object * associated with the parent process. * \li \c PH_CREATE_PROCESS_NEW_CONSOLE The process will have its own console, instead of inheriting * the console of the parent process. * \param ParentProcessHandle The process from which the new process will inherit attributes. * Specify NULL for the current process. * \param ClientId A variable which receives the identifier of the initial thread. * \param ProcessHandle A variable which receives a handle to the process. * \param ThreadHandle A variable which receives a handle to the initial thread. */ NTSTATUS PhCreateProcess( _In_ PCWSTR FileName, _In_opt_ PCPH_STRINGREF CommandLine, _In_opt_ PVOID Environment, _In_opt_ PCPH_STRINGREF CurrentDirectory, _In_opt_ PPH_CREATE_PROCESS_INFO Information, _In_ ULONG Flags, _In_opt_ HANDLE ParentProcessHandle, _Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ) { NTSTATUS status; RTL_USER_PROCESS_INFORMATION processInfo; PRTL_USER_PROCESS_PARAMETERS parameters; UNICODE_STRING fileName; UNICODE_STRING commandLine; UNICODE_STRING currentDirectory; PUNICODE_STRING windowTitle; PUNICODE_STRING desktopInfo; status = PhDosLongPathNameToNtPathNameWithStatus( FileName, &fileName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; if (CommandLine) { if (!PhStringRefToUnicodeString(CommandLine, &commandLine)) return STATUS_NAME_TOO_LONG; } if (CurrentDirectory) { if (!PhStringRefToUnicodeString(CurrentDirectory, ¤tDirectory)) return STATUS_NAME_TOO_LONG; } if (Information) { windowTitle = Information->WindowTitle; desktopInfo = Information->DesktopInfo; } else { windowTitle = NULL; desktopInfo = NULL; } if (!windowTitle) windowTitle = &fileName; if (!desktopInfo) desktopInfo = &NtCurrentPeb()->ProcessParameters->DesktopInfo; status = RtlCreateProcessParameters( ¶meters, &fileName, Information ? Information->DllPath : NULL, CurrentDirectory ? ¤tDirectory : NULL, CommandLine ? &commandLine : &fileName, Environment, windowTitle, desktopInfo, Information ? Information->ShellInfo : NULL, Information ? Information->RuntimeData : NULL ); if (NT_SUCCESS(status)) { status = RtlCreateUserProcess( &fileName, 0, parameters, NULL, NULL, ParentProcessHandle, !!(Flags & PH_CREATE_PROCESS_INHERIT_HANDLES), NULL, NULL, &processInfo ); RtlDestroyProcessParameters(parameters); } RtlFreeUnicodeString(&fileName); if (NT_SUCCESS(status)) { if (!(Flags & PH_CREATE_PROCESS_SUSPENDED)) NtResumeThread(processInfo.ThreadHandle, NULL); if (ClientId) *ClientId = processInfo.ClientId; if (ProcessHandle) *ProcessHandle = processInfo.ProcessHandle; else NtClose(processInfo.ProcessHandle); if (ThreadHandle) *ThreadHandle = processInfo.ThreadHandle; else NtClose(processInfo.ThreadHandle); } return status; } /** * Creates a Win32 process and an initial thread. * * \param FileName The Win32 file name of the image. * \param CommandLine The command line to execute. This can be specified instead of \a FileName to * indicate the image to execute. * \param Environment The environment block for the process. Specify NULL to use the environment of * the current process. * \param CurrentDirectory The current directory string to pass to the process. * \param Flags See PhCreateProcess(). * \param TokenHandle The token of the process. Specify NULL for the token of the parent process. * \param ProcessHandle A variable which receives a handle to the process. * \param ThreadHandle A variable which receives a handle to the initial thread. */ NTSTATUS PhCreateProcessWin32( _In_opt_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine, _In_opt_ PVOID Environment, _In_opt_ PCWSTR CurrentDirectory, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ) { return PhCreateProcessWin32Ex( FileName, CommandLine, Environment, CurrentDirectory, NULL, Flags, TokenHandle, NULL, ProcessHandle, ThreadHandle ); } static const PH_FLAG_MAPPING PhpCreateProcessMappings[] = { { PH_CREATE_PROCESS_DEBUG, DEBUG_PROCESS }, { PH_CREATE_PROCESS_DEBUG_ONLY_THIS_PROCESS, DEBUG_ONLY_THIS_PROCESS }, { PH_CREATE_PROCESS_SUSPENDED, CREATE_SUSPENDED }, { PH_CREATE_PROCESS_NEW_CONSOLE, CREATE_NEW_CONSOLE }, { PH_CREATE_PROCESS_UNICODE_ENVIRONMENT, CREATE_UNICODE_ENVIRONMENT }, { PH_CREATE_PROCESS_EXTENDED_STARTUPINFO, EXTENDED_STARTUPINFO_PRESENT }, { PH_CREATE_PROCESS_BREAKAWAY_FROM_JOB, CREATE_BREAKAWAY_FROM_JOB }, { PH_CREATE_PROCESS_DEFAULT_ERROR_MODE, CREATE_DEFAULT_ERROR_MODE }, }; FORCEINLINE VOID PhpConvertProcessInformation( _In_ PPROCESS_INFORMATION ProcessInfo, _Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ) { if (ClientId) { ClientId->UniqueProcess = UlongToHandle(ProcessInfo->dwProcessId); ClientId->UniqueThread = UlongToHandle(ProcessInfo->dwThreadId); } if (ProcessHandle) *ProcessHandle = ProcessInfo->hProcess; else if (ProcessInfo->hProcess) NtClose(ProcessInfo->hProcess); if (ThreadHandle) *ThreadHandle = ProcessInfo->hThread; else if (ProcessInfo->hThread) NtClose(ProcessInfo->hThread); } /** * Creates a Win32 process and an initial thread. * * \param FileName The Win32 file name of the image. * \param CommandLine The command line to execute. This can be specified instead of \a FileName to * indicate the image to execute. * \param Environment The environment block for the process. Specify NULL to use the environment of * the current process. * \param CurrentDirectory The current directory string to pass to the process. * \param StartupInfo A STARTUPINFO structure containing additional parameters for the process. * \param Flags See PhCreateProcess(). * \param TokenHandle The token of the process. Specify NULL for the token of the parent process. * \param ClientId A variable which receives the identifier of the initial thread. * \param ProcessHandle A variable which receives a handle to the process. * \param ThreadHandle A variable which receives a handle to the initial thread. */ NTSTATUS PhCreateProcessWin32Ex( _In_opt_ PCWSTR FileName, _In_opt_ PCWSTR CommandLine, _In_opt_ PVOID Environment, _In_opt_ PCWSTR CurrentDirectory, _In_opt_ PVOID StartupInfo, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ) { NTSTATUS status; PPH_STRING fileName = NULL; PPH_STRING commandLine = NULL; PPH_STRING currentDirectory = NULL; STARTUPINFOEX startupInfo; PROCESS_INFORMATION processInfo = { 0 }; ULONG newFlags; if (CommandLine) // duplicate because CreateProcess modifies the string (wj32) commandLine = PhCreateString(CommandLine); if (FileName) fileName = PhCreateString(FileName); else { PH_STRINGREF commandLineFileName; PH_STRINGREF commandLineArguments; PhParseCommandLineFuzzy(&commandLine->sr, &commandLineFileName, &commandLineArguments, &fileName); if (PhIsNullOrEmptyString(fileName)) PhMoveReference(&fileName, PhCreateString2(&commandLineFileName)); // Escape the commandline (or uncomment CommandLineToArgvW to clear the filename when it contains \\program files\\) (dmex) { static CONST PH_STRINGREF separator = PH_STRINGREF_INIT(L"\""); static CONST PH_STRINGREF space = PH_STRINGREF_INIT(L" "); PPH_STRING escaped; escaped = PhConcatStringRef3(&separator, &commandLineFileName, &separator); if (commandLineArguments.Length) { PhMoveReference(&escaped, PhConcatStringRef3(&escaped->sr, &space, &commandLineArguments)); } PhMoveReference(&commandLine, escaped); } //INT cmdlineArgCount; //PWSTR* cmdlineArgList; // //// Try extract the filename or CreateProcess might execute the wrong executable. (dmex) //if (commandLine && (cmdlineArgList = PhCommandLineToArgv(commandLine->Buffer, &cmdlineArgCount))) //{ // PhMoveReference(&fileName, PhCreateString(cmdlineArgList[0])); // LocalFree(cmdlineArgList); //} if (fileName && !PhDoesFileExistWin32(PhGetString(fileName))) { PPH_STRING filePath; // The user typed a name without a path so attempt to locate the executable. (dmex) if (filePath = PhSearchFilePath(PhGetString(fileName), L".exe")) PhMoveReference(&fileName, filePath); else PhClearReference(&fileName); } } // Set the current directory to the same location as the target executable // or CreateProcess uses our current directory. (dmex) if (CurrentDirectory) currentDirectory = PhCreateString(CurrentDirectory); else { if (!PhIsNullOrEmptyString(fileName)) currentDirectory = PhGetBaseDirectory(fileName); } newFlags = 0; PhMapFlags1(&newFlags, Flags, PhpCreateProcessMappings, sizeof(PhpCreateProcessMappings) / sizeof(PH_FLAG_MAPPING)); if (!StartupInfo) { SetFlag(newFlags, EXTENDED_STARTUPINFO_PRESENT); memset(&startupInfo, 0, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); } if (TokenHandle) { if (CreateProcessAsUser( TokenHandle, PhGetString(fileName), PhGetString(commandLine), NULL, NULL, !!(Flags & PH_CREATE_PROCESS_INHERIT_HANDLES), newFlags, Environment, PhGetString(currentDirectory), StartupInfo ? StartupInfo : &startupInfo, &processInfo )) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); } else { if (CreateProcess( PhGetString(fileName), PhGetString(commandLine), NULL, NULL, !!(Flags & PH_CREATE_PROCESS_INHERIT_HANDLES), newFlags, Environment, PhGetString(currentDirectory), StartupInfo ? StartupInfo : &startupInfo, &processInfo )) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); } if (fileName) PhDereferenceObject(fileName); if (commandLine) PhDereferenceObject(commandLine); if (currentDirectory) PhDereferenceObject(currentDirectory); if (NT_SUCCESS(status)) { if (ClientId) { ClientId->UniqueProcess = UlongToHandle(processInfo.dwProcessId); ClientId->UniqueThread = UlongToHandle(processInfo.dwThreadId); } if (ProcessHandle) { *ProcessHandle = processInfo.hProcess; } else if (processInfo.hProcess) { NtClose(processInfo.hProcess); } if (ThreadHandle) { *ThreadHandle = processInfo.hThread; } else if (processInfo.hThread) { NtClose(processInfo.hThread); } } else { if (processInfo.hProcess) NtClose(processInfo.hProcess); if (processInfo.hThread) NtClose(processInfo.hThread); } return status; } /** * Creates a Win32 process and an initial thread under the specified user. * * \param Information Parameters specifying how to create the process. * \param Flags See PhCreateProcess(). Additional flags may be used: * \li \c PH_CREATE_PROCESS_USE_PROCESS_TOKEN Use the token of the process specified by * \a ProcessIdWithToken in \a Information. * \li \c PH_CREATE_PROCESS_USE_SESSION_TOKEN Use the token of the session specified by * \a SessionIdWithToken in \a Information. * \li \c PH_CREATE_PROCESS_USE_LINKED_TOKEN Use the linked token to create the process; this causes * the process to be elevated or unelevated depending on the specified options. * \li \c PH_CREATE_PROCESS_SET_SESSION_ID \a SessionId is specified in \a Information. * \li \c PH_CREATE_PROCESS_WITH_PROFILE Load the user profile, if supported. * \param StartupInfo A STARTUPINFO structure containing additional parameters for the process. * \param ClientId A variable which receives the identifier of the initial thread. * \param ProcessHandle A variable which receives a handle to the process. * \param ThreadHandle A variable which receives a handle to the initial thread. */ NTSTATUS PhCreateProcessAsUser( _In_ PPH_CREATE_PROCESS_AS_USER_INFO Information, _In_ ULONG Flags, _In_opt_ PVOID StartupInfo, _Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PHANDLE ProcessHandle, _Out_opt_ PHANDLE ThreadHandle ) { NTSTATUS status; HANDLE tokenHandle; BOOLEAN needsDuplicate = FALSE; PVOID defaultEnvironment = NULL; STARTUPINFOEX startupInfo; if ((Flags & PH_CREATE_PROCESS_USE_PROCESS_TOKEN) && (Flags & PH_CREATE_PROCESS_USE_SESSION_TOKEN)) return STATUS_INVALID_PARAMETER_2; if (!Information->ApplicationName && !Information->CommandLine) return STATUS_INVALID_PARAMETER_MIX; if (!StartupInfo) { RtlZeroMemory(&startupInfo, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfo.StartupInfo.dwFlags = STARTF_USESHOWWINDOW; startupInfo.StartupInfo.wShowWindow = SW_NORMAL; startupInfo.StartupInfo.lpDesktop = (PWSTR)Information->DesktopName; } // Try to use CreateProcessWithLogonW if we need to load the user profile. // This isn't compatible with some options. if (Flags & PH_CREATE_PROCESS_WITH_PROFILE) { BOOLEAN useWithLogon; useWithLogon = TRUE; if (Flags & (PH_CREATE_PROCESS_USE_PROCESS_TOKEN | PH_CREATE_PROCESS_USE_SESSION_TOKEN)) useWithLogon = FALSE; if (Flags & PH_CREATE_PROCESS_USE_LINKED_TOKEN) useWithLogon = FALSE; if (Flags & PH_CREATE_PROCESS_SET_SESSION_ID) { ULONG sessionId = ULONG_MAX; PhGetProcessSessionId(NtCurrentProcess(), &sessionId); if (Information->SessionId != sessionId) useWithLogon = FALSE; } if (Information->LogonType && Information->LogonType != LOGON32_LOGON_INTERACTIVE) useWithLogon = FALSE; if (useWithLogon) { PPH_STRING applicationName = NULL; PPH_STRING commandLine = NULL; PPH_STRING currentDirectory = NULL; PROCESS_INFORMATION processInfo = { NULL }; ULONG newFlags = 0; if (!Information->LogonFlags) Information->LogonFlags = LOGON_WITH_PROFILE; if (Information->ApplicationName) { applicationName = PhCreateString(Information->ApplicationName); } if (Information->CommandLine) // duplicate because CreateProcess modifies the string { commandLine = PhCreateString(Information->CommandLine); } if (Information->CurrentDirectory) { currentDirectory = PhCreateString(Information->CurrentDirectory); } if (!Information->Environment) { SetFlag(Flags, PH_CREATE_PROCESS_UNICODE_ENVIRONMENT); } PhMapFlags1(&newFlags, Flags, PhpCreateProcessMappings, sizeof(PhpCreateProcessMappings) / sizeof(PH_FLAG_MAPPING)); if (CreateProcessWithLogonW( Information->UserName, Information->DomainName, Information->Password, Information->LogonFlags, PhGetString(applicationName), PhGetString(commandLine), newFlags, Information->Environment, PhGetString(currentDirectory), StartupInfo ? StartupInfo : &startupInfo, &processInfo )) status = STATUS_SUCCESS; else status = PhGetLastWin32ErrorAsNtStatus(); if (applicationName) PhDereferenceObject(applicationName); if (commandLine) PhDereferenceObject(commandLine); if (currentDirectory) PhDereferenceObject(currentDirectory); if (NT_SUCCESS(status)) { if (ClientId) { ClientId->UniqueProcess = UlongToHandle(processInfo.dwProcessId); ClientId->UniqueThread = UlongToHandle(processInfo.dwThreadId); } if (ProcessHandle) { *ProcessHandle = processInfo.hProcess; } else if (processInfo.hProcess) { NtClose(processInfo.hProcess); } if (ThreadHandle) { *ThreadHandle = processInfo.hThread; } else if (processInfo.hThread) { NtClose(processInfo.hThread); } } else { if (processInfo.hProcess) NtClose(processInfo.hProcess); if (processInfo.hThread) NtClose(processInfo.hThread); } return status; } } // Get the token handle. Various methods are supported. if (Flags & PH_CREATE_PROCESS_USE_PROCESS_TOKEN) { HANDLE processHandle; if (!NT_SUCCESS(status = PhOpenProcess( &processHandle, PROCESS_QUERY_LIMITED_INFORMATION, Information->ProcessIdWithToken ))) return status; status = PhOpenProcessToken( processHandle, TOKEN_ALL_ACCESS, &tokenHandle ); NtClose(processHandle); if (!NT_SUCCESS(status)) return status; if (Flags & PH_CREATE_PROCESS_SET_SESSION_ID) needsDuplicate = TRUE; // can't set the session ID of a token in use by a process } else if (Flags & PH_CREATE_PROCESS_USE_SESSION_TOKEN) { WINSTATIONUSERTOKEN userToken; ULONG returnLength; memset(&userToken, 0, sizeof(WINSTATIONUSERTOKEN)); userToken.ProcessId = NtCurrentProcessId(); userToken.ThreadId = NtCurrentThreadId(); if (!WinStationQueryInformationW( WINSTATION_CURRENT_SERVER, Information->SessionIdWithToken, WinStationUserToken, &userToken, sizeof(WINSTATIONUSERTOKEN), &returnLength )) { return PhGetLastWin32ErrorAsNtStatus(); } tokenHandle = userToken.UserToken; if (Flags & PH_CREATE_PROCESS_SET_SESSION_ID) needsDuplicate = TRUE; // not sure if this is necessary } else { ULONG logonType; if (Information->LogonType) { logonType = Information->LogonType; } else { logonType = LOGON32_LOGON_INTERACTIVE; // Check if this is a service logon. if (PhEqualStringZ(Information->DomainName, L"NT AUTHORITY", TRUE)) { if (PhEqualStringZ(Information->UserName, L"SYSTEM", TRUE) || PhEqualStringZ(Information->UserName, L"LOCAL SERVICE", TRUE) || PhEqualStringZ(Information->UserName, L"NETWORK SERVICE", TRUE)) { logonType = LOGON32_LOGON_SERVICE; } } } if (!LogonUser( Information->UserName, Information->DomainName, Information->Password, logonType, LOGON32_PROVIDER_DEFAULT, &tokenHandle )) return PhGetLastWin32ErrorAsNtStatus(); } if (Flags & PH_CREATE_PROCESS_USE_LINKED_TOKEN) { HANDLE linkedTokenHandle; TOKEN_TYPE tokenType; // NtQueryInformationToken normally returns an impersonation token with // SecurityIdentification, but if the process is running with SeTcbPrivilege, it returns a // primary token. We can never duplicate a SecurityIdentification impersonation token to // make it a primary token, so we just check if the token is primary before using it. if (NT_SUCCESS(PhGetTokenLinkedToken(tokenHandle, &linkedTokenHandle))) { if (NT_SUCCESS(PhGetTokenType(linkedTokenHandle, &tokenType)) && tokenType == TokenPrimary) { NtClose(tokenHandle); tokenHandle = linkedTokenHandle; needsDuplicate = FALSE; // the linked token that is returned is always a copy, so no need to duplicate } else { NtClose(linkedTokenHandle); } } } if (needsDuplicate) { HANDLE newTokenHandle; OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes( &objectAttributes, NULL, 0, NULL, NULL ); status = NtDuplicateToken( tokenHandle, TOKEN_ALL_ACCESS, &objectAttributes, FALSE, TokenPrimary, &newTokenHandle ); NtClose(tokenHandle); if (!NT_SUCCESS(status)) return status; tokenHandle = newTokenHandle; } // Set the session ID if needed. if (Flags & PH_CREATE_PROCESS_SET_SESSION_ID) { if (!NT_SUCCESS(status = PhSetTokenSessionId( tokenHandle, Information->SessionId ))) { NtClose(tokenHandle); return status; } } // Set the UIAccess flag if needed. if (Flags & PH_CREATE_PROCESS_SET_UIACCESS) { if (!NT_SUCCESS(status = PhSetTokenUIAccess( tokenHandle, TRUE ))) { NtClose(tokenHandle); return status; } } if (!Information->Environment) { PhCreateEnvironmentBlock(&defaultEnvironment, tokenHandle, FALSE); if (defaultEnvironment) Flags |= PH_CREATE_PROCESS_UNICODE_ENVIRONMENT; } status = PhCreateProcessWin32Ex( Information->ApplicationName, Information->CommandLine, Information->Environment ? Information->Environment : defaultEnvironment, Information->CurrentDirectory, StartupInfo ? StartupInfo : &startupInfo, Flags, tokenHandle, ClientId, ProcessHandle, ThreadHandle ); if (defaultEnvironment) { PhDestroyEnvironmentBlock(defaultEnvironment); } NtClose(tokenHandle); return status; } /** * Filters a token to create a limited user security context. * * \param TokenHandle A handle to an existing token. The handle must have TOKEN_DUPLICATE, * TOKEN_QUERY, TOKEN_ADJUST_GROUPS, TOKEN_ADJUST_DEFAULT, READ_CONTROL and WRITE_DAC access. * \param NewTokenHandle A variable which receives a handle to the filtered token. The handle will * have the same granted access as \a TokenHandle. */ NTSTATUS PhFilterTokenForLimitedUser( _In_ HANDLE TokenHandle, _Out_ PHANDLE NewTokenHandle ) { static SID_IDENTIFIER_AUTHORITY mandatoryLabelAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY; static const LUID_AND_ATTRIBUTES defaultAllowedPrivileges[] = { { { SE_SHUTDOWN_PRIVILEGE, 0 }, 0 }, { { SE_CHANGE_NOTIFY_PRIVILEGE, 0 }, 0 }, { { SE_UNDOCK_PRIVILEGE, 0 }, 0 }, { { SE_INC_WORKING_SET_PRIVILEGE, 0 }, 0 }, { { SE_TIME_ZONE_PRIVILEGE, 0 }, 0 } }; NTSTATUS status; PSID administratorsSid = PhSeAdministratorsSid(); PSID usersSid = PhSeUsersSid(); UCHAR sidsToDisableBuffer[FIELD_OFFSET(TOKEN_GROUPS, Groups) + sizeof(SID_AND_ATTRIBUTES)]; PTOKEN_GROUPS sidsToDisable; ULONG i; ULONG j; ULONG deleteIndex; BOOLEAN found; PTOKEN_PRIVILEGES privilegesOfToken; PTOKEN_PRIVILEGES privilegesOfUsers; PTOKEN_PRIVILEGES privilegesToDelete; UCHAR lowMandatoryLevelSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG)]; PSID lowMandatoryLevelSid; TOKEN_MANDATORY_LABEL mandatoryLabel; PSECURITY_DESCRIPTOR currentSecurityDescriptor; BOOLEAN currentDaclPresent; BOOLEAN currentDaclDefaulted; PACL currentDacl; PH_TOKEN_USER currentUser; PACE_HEADER currentAce; ULONG newDaclLength; PACL newDacl; SECURITY_DESCRIPTOR newSecurityDescriptor; TOKEN_DEFAULT_DACL newDefaultDacl; HANDLE newTokenHandle; // Set up the SIDs to Disable structure. sidsToDisable = (PTOKEN_GROUPS)sidsToDisableBuffer; sidsToDisable->GroupCount = 1; sidsToDisable->Groups[0].Sid = administratorsSid; sidsToDisable->Groups[0].Attributes = 0; // Set up the Privileges to Delete structure. // Get the privileges that the input token contains. if (!NT_SUCCESS(status = PhGetTokenPrivileges(TokenHandle, &privilegesOfToken))) return status; // Get the privileges of the Users group - the privileges that we are going to allow. if (!NT_SUCCESS(PhGetAccountPrivileges(usersSid, &privilegesOfUsers))) { // Unsuccessful, so use the default set of privileges. privilegesOfUsers = PhAllocate(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) + sizeof(defaultAllowedPrivileges)); privilegesOfUsers->PrivilegeCount = sizeof(defaultAllowedPrivileges) / sizeof(LUID_AND_ATTRIBUTES); memcpy(privilegesOfUsers->Privileges, defaultAllowedPrivileges, sizeof(defaultAllowedPrivileges)); } // Allocate storage for the privileges we need to delete. The worst case scenario is that all // privileges in the token need to be deleted. privilegesToDelete = PhAllocate(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) + sizeof(LUID_AND_ATTRIBUTES) * privilegesOfToken->PrivilegeCount); deleteIndex = 0; // Compute the privileges that we need to delete. for (i = 0; i < privilegesOfToken->PrivilegeCount; i++) { found = FALSE; // Is the privilege allowed? for (j = 0; j < privilegesOfUsers->PrivilegeCount; j++) { if (RtlIsEqualLuid(&privilegesOfToken->Privileges[i].Luid, &privilegesOfUsers->Privileges[j].Luid)) { found = TRUE; break; } } if (!found) { // This privilege needs to be deleted. privilegesToDelete->Privileges[deleteIndex].Attributes = 0; privilegesToDelete->Privileges[deleteIndex].Luid = privilegesOfToken->Privileges[i].Luid; deleteIndex++; } } privilegesToDelete->PrivilegeCount = deleteIndex; // Filter the token. status = NtFilterToken( TokenHandle, 0, sidsToDisable, privilegesToDelete, NULL, &newTokenHandle ); PhFree(privilegesToDelete); PhFree(privilegesOfUsers); PhFree(privilegesOfToken); if (!NT_SUCCESS(status)) return status; // Set the integrity level to Low if we're on Vista and above. { lowMandatoryLevelSid = (PSID)lowMandatoryLevelSidBuffer; PhInitializeSid(lowMandatoryLevelSid, &mandatoryLabelAuthority, 1); *PhSubAuthoritySid(lowMandatoryLevelSid, 0) = SECURITY_MANDATORY_LOW_RID; mandatoryLabel.Label.Sid = lowMandatoryLevelSid; mandatoryLabel.Label.Attributes = SE_GROUP_INTEGRITY; NtSetInformationToken(newTokenHandle, TokenIntegrityLevel, &mandatoryLabel, sizeof(TOKEN_MANDATORY_LABEL)); } // Fix up the security descriptor and default DACL. if (NT_SUCCESS(PhGetObjectSecurity(newTokenHandle, DACL_SECURITY_INFORMATION, ¤tSecurityDescriptor))) { if (NT_SUCCESS(PhGetTokenUser(TokenHandle, ¤tUser))) { if (!NT_SUCCESS(PhGetDaclSecurityDescriptor( currentSecurityDescriptor, ¤tDaclPresent, ¤tDacl, ¤tDaclDefaulted ))) { currentDaclPresent = FALSE; } newDaclLength = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + PhLengthSid(currentUser.User.Sid); if (currentDaclPresent && currentDacl) newDaclLength += currentDacl->AclSize - sizeof(ACL); newDacl = PhAllocateZero(newDaclLength); PhCreateAcl(newDacl, newDaclLength, ACL_REVISION); // Add the existing DACL entries. if (currentDaclPresent && currentDacl) { for (i = 0; i < currentDacl->AceCount; i++) { if (NT_SUCCESS(PhGetAce(currentDacl, i, ¤tAce))) { status = PhAddAce(newDacl, ACL_REVISION, ULONG_MAX, currentAce, currentAce->AceSize); if (!NT_SUCCESS(status)) break; } } } // Allow access for the current user. if (NT_SUCCESS(status)) { status = PhAddAccessAllowedAce(newDacl, ACL_REVISION, GENERIC_ALL, currentUser.User.Sid); } // Set the security descriptor of the new token. if (NT_SUCCESS(status)) { status = PhCreateSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); } if (NT_SUCCESS(status)) { status = PhSetDaclSecurityDescriptor(&newSecurityDescriptor, TRUE, newDacl, FALSE); } if (NT_SUCCESS(status)) { assert(RtlValidSecurityDescriptor(&newSecurityDescriptor)); status = PhSetObjectSecurity(newTokenHandle, DACL_SECURITY_INFORMATION, &newSecurityDescriptor); } // Set the default DACL. newDefaultDacl.DefaultDacl = newDacl; NtSetInformationToken(newTokenHandle, TokenDefaultDacl, &newDefaultDacl, sizeof(TOKEN_DEFAULT_DACL)); PhFree(newDacl); } PhFree(currentSecurityDescriptor); } *NewTokenHandle = newTokenHandle; return STATUS_SUCCESS; } /** * Converts a security descriptor to its string representation. * * \param SecurityDescriptor The security descriptor. * \param SecurityInformation The security information to include in the string. * \param SecurityDescriptorString Receives the string representation of the security descriptor. * \return Successful or errant status. */ NTSTATUS PhGetSecurityDescriptorAsString( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PPH_STRING* SecurityDescriptorString ) { ULONG stringSecurityDescriptorLength = 0; PWSTR stringSecurityDescriptor = NULL; if (!ConvertSecurityDescriptorToStringSecurityDescriptorW_Import()) return STATUS_PROCEDURE_NOT_FOUND; if (ConvertSecurityDescriptorToStringSecurityDescriptorW_Import()( SecurityDescriptor, SDDL_REVISION, SecurityInformation, &stringSecurityDescriptor, &stringSecurityDescriptorLength )) { if (stringSecurityDescriptorLength & 1) // validate the string length { LocalFree(stringSecurityDescriptor); return STATUS_FAIL_CHECK; } *SecurityDescriptorString = PhCreateStringEx( stringSecurityDescriptor, stringSecurityDescriptorLength * sizeof(WCHAR) ); LocalFree(stringSecurityDescriptor); return STATUS_SUCCESS; } return PhGetLastWin32ErrorAsNtStatus(); } /** * Converts a string representation of a security descriptor to its binary representation. * * \param SecurityDescriptorString The string representation of the security descriptor. * \return A pointer to the security descriptor, or NULL if the operation fails. */ PSECURITY_DESCRIPTOR PhGetSecurityDescriptorFromString( _In_ PCWSTR SecurityDescriptorString ) { PVOID securityDescriptor = NULL; ULONG securityDescriptorLength = 0; PSECURITY_DESCRIPTOR securityDescriptorBuffer = NULL; if (!ConvertStringSecurityDescriptorToSecurityDescriptorW_Import()) return NULL; if (ConvertStringSecurityDescriptorToSecurityDescriptorW_Import()( SecurityDescriptorString, SDDL_REVISION, &securityDescriptorBuffer, &securityDescriptorLength ) && securityDescriptorBuffer && securityDescriptorLength ) { securityDescriptor = PhAllocateCopy( securityDescriptorBuffer, securityDescriptorLength ); assert(securityDescriptorLength == RtlLengthSecurityDescriptor(securityDescriptor)); LocalFree(securityDescriptorBuffer); } return securityDescriptor; } /** * Retrieves the string representation of an object's security descriptor. * * \param Handle A handle to the object. * \param SecurityDescriptorString Receives the string representation of the security descriptor. * \return Successful or errant status. */ NTSTATUS PhGetObjectSecurityDescriptorAsString( _In_ HANDLE Handle, _Out_ PPH_STRING* SecurityDescriptorString ) { NTSTATUS status; PSECURITY_DESCRIPTOR securityDescriptor; PPH_STRING securityDescriptorString; status = PhGetObjectSecurity( Handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION | ATTRIBUTE_SECURITY_INFORMATION | SCOPE_SECURITY_INFORMATION, &securityDescriptor ); if (!NT_SUCCESS(status)) return status; status = PhGetSecurityDescriptorAsString( securityDescriptor, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION | ATTRIBUTE_SECURITY_INFORMATION | SCOPE_SECURITY_INFORMATION, &securityDescriptorString ); PhFree(securityDescriptor); if (NT_SUCCESS(status)) { *SecurityDescriptorString = securityDescriptorString; } return status; } /** * Opens a file or location through the shell. * * \param ExecInfo A pointer to a SHELLEXECUTEINFO structure that contains and receives information about the application being executed. * * \return Successful or errant status. */ BOOLEAN PhShellExecuteWin32( _Inout_ PSHELLEXECUTEINFOW ExecInfo ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&ShellExecuteExW) ShellExecuteExW_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"shell32.dll")) { ShellExecuteExW_I = PhGetDllBaseProcedureAddress(baseAddress, "ShellExecuteExW", 0); } PhEndInitOnce(&initOnce); } if (!ShellExecuteExW_I) return FALSE; return !!ShellExecuteExW_I(ExecInfo); } /** * Opens a file or location through the shell. * * \param WindowHandle The window to display user interface components on. * \param FileName A file name or location. * \param Parameters The parameters to pass to the executed application. */ VOID PhShellExecute( _In_opt_ HWND WindowHandle, _In_ PCWSTR FileName, _In_opt_ PCWSTR Parameters ) { SHELLEXECUTEINFO info; memset(&info, 0, sizeof(SHELLEXECUTEINFO)); info.cbSize = sizeof(SHELLEXECUTEINFO); info.lpFile = FileName; info.lpParameters = Parameters; info.fMask = SEE_MASK_FLAG_NO_UI | SEE_MASK_NOASYNC; info.nShow = SW_SHOW; info.hwnd = WindowHandle; if (!PhShellExecuteWin32(&info)) { PhShowStatus(WindowHandle, L"Unable to execute the program.", 0, PhGetLastError()); } } /** * Opens a file or location through the shell. * * \param WindowHandle The window to display user interface components on. * \param FileName A file name or location. * \param Parameters The parameters to pass to the executed application. * \param Directory The default working directory. If this value is NULL, the current process working directory is used. * \param ShowWindowType A value specifying how to show the application. * \param Flags A combination of the following: * \li \c PH_SHELL_EXECUTE_ADMIN Execute the application elevated. * \li \c PH_SHELL_EXECUTE_PUMP_MESSAGES Waits on the application while pumping messages, if * \a Timeout is specified. * \param Timeout The number of milliseconds to wait on the application, or 0 to return immediately * after the application is started. * \param ProcessHandle A variable which receives a handle to the new process. */ NTSTATUS PhShellExecuteEx( _In_opt_ HWND WindowHandle, _In_ PCWSTR FileName, _In_opt_ PCWSTR Parameters, _In_opt_ PCWSTR Directory, _In_ LONG ShowWindowType, _In_ ULONG Flags, _In_opt_ ULONG Timeout, _Out_opt_ PHANDLE ProcessHandle ) { SHELLEXECUTEINFO info; memset(&info, 0, sizeof(SHELLEXECUTEINFO)); info.cbSize = sizeof(SHELLEXECUTEINFO); info.fMask = SEE_MASK_NOCLOSEPROCESS | SEE_MASK_NOASYNC | SEE_MASK_FLAG_NO_UI | SEE_MASK_NOZONECHECKS; info.hwnd = WindowHandle; info.lpFile = FileName; info.lpParameters = Parameters; info.lpDirectory = Directory; info.nShow = ShowWindowType; if (FlagOn(Flags, PH_SHELL_EXECUTE_ADMIN)) { info.lpVerb = L"runas"; } if (PhShellExecuteWin32(&info)) { if (Timeout) { if (FlagOn(Flags, PH_SHELL_EXECUTE_PUMP_MESSAGES)) { PhWaitForMultipleObjectsAndPump(NULL, 1, &info.hProcess, Timeout, QS_ALLEVENTS); } else { if (info.hProcess) { PhWaitForSingleObject(info.hProcess, Timeout); } } } if (ProcessHandle) *ProcessHandle = info.hProcess; else if (info.hProcess) NtClose(info.hProcess); return STATUS_SUCCESS; } else { if (ProcessHandle) *ProcessHandle = NULL; return PhGetLastWin32ErrorAsNtStatus(); } } /** * Opens Windows Explorer with a file selected. * * \param WindowHandle A handle to the parent window. * \param FileName A file name. */ VOID PhShellExploreFile( _In_ HWND WindowHandle, _In_ PCWSTR FileName ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&SHOpenFolderAndSelectItems) SHOpenFolderAndSelectItems_I = NULL; static typeof(&SHParseDisplayName) SHParseDisplayName_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"shell32.dll")) { SHOpenFolderAndSelectItems_I = PhGetDllBaseProcedureAddress(baseAddress, "SHOpenFolderAndSelectItems", 0); SHParseDisplayName_I = PhGetDllBaseProcedureAddress(baseAddress, "SHParseDisplayName", 0); } PhEndInitOnce(&initOnce); } if (SHOpenFolderAndSelectItems_I && SHParseDisplayName_I) { LPITEMIDLIST item; if (SUCCEEDED(SHParseDisplayName_I(FileName, NULL, &item, 0, NULL))) { SHOpenFolderAndSelectItems_I(item, 0, NULL, 0); CoTaskMemFree(item); } else { PhShowError2(WindowHandle, L"The location could not be found.", L"%s", FileName); } } else { PPH_STRING selectFileName; selectFileName = PhConcatStrings2(L"/select,", FileName); PhShellExecute(WindowHandle, L"explorer.exe", selectFileName->Buffer); PhDereferenceObject(selectFileName); } } /** * Shows properties for a file. * * \param WindowHandle A handle to the parent window. * \param FileName A file name. */ VOID PhShellProperties( _In_ HWND WindowHandle, _In_ PCWSTR FileName ) { SHELLEXECUTEINFO info; memset(&info, 0, sizeof(SHELLEXECUTEINFO)); info.cbSize = sizeof(SHELLEXECUTEINFO); info.lpFile = FileName; info.nShow = SW_SHOW; info.fMask = SEE_MASK_INVOKEIDLIST | SEE_MASK_FLAG_NO_UI; info.lpVerb = L"properties"; info.hwnd = WindowHandle; if (!PhShellExecuteWin32(&info)) { PhShowStatus(WindowHandle, L"Unable to execute the program.", 0, PhGetLastError()); } } /** * Sends a message to the taskbar's notification area. * * \param Message A value that specifies the action to be taken by this function. * \param NotifyIconData A pointer to a NOTIFYICONDATA structure. The content of the structure depends on the value of Message. * * \return Successful or errant status. */ BOOLEAN PhShellNotifyIcon( _In_ ULONG Message, _In_ PNOTIFYICONDATAW NotifyIconData ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&Shell_NotifyIconW) Shell_NotifyIconW_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"shell32.dll")) { Shell_NotifyIconW_I = PhGetDllBaseProcedureAddress(baseAddress, "Shell_NotifyIconW", 0); } PhEndInitOnce(&initOnce); } if (!Shell_NotifyIconW_I) return FALSE; return !!Shell_NotifyIconW_I(Message, NotifyIconData); } /** * Retrieves the full path of a known folder. * * \param rfid A reference that identifies the folder. * \param Flags Flags that control how the folder is retrieved. * \param TokenHandle An access token that represents a particular user. * \param FolderPath Receives the path of the known folder. * \return Successful or errant status. */ HRESULT PhShellGetKnownFolderPath( _In_ PCGUID rfid, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _Outptr_ PWSTR* FolderPath ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&SHGetKnownFolderPath) SHGetKnownFolderPath_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"shell32.dll")) { SHGetKnownFolderPath_I = PhGetDllBaseProcedureAddress(baseAddress, "SHGetKnownFolderPath", 0); } PhEndInitOnce(&initOnce); } if (!SHGetKnownFolderPath_I) return E_FAIL; return SHGetKnownFolderPath_I(rfid, Flags, TokenHandle, FolderPath); } /** * Retrieves an IShellItem object for a known folder. * * \param rfid A reference that identifies the folder. * \param Flags Flags that control how the folder is retrieved. * \param TokenHandle An access token that represents a particular user. * \param riid A reference to the IID of the requested interface. * \param ppv Receives the interface pointer. * \return Successful or errant status. */ HRESULT PhShellGetKnownFolderItem( _In_ PCGUID rfid, _In_ ULONG Flags, _In_opt_ HANDLE TokenHandle, _In_ REFIID riid, _Outptr_ PVOID* ppv ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&SHGetKnownFolderItem) SHGetKnownFolderItem_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"shell32.dll")) { SHGetKnownFolderItem_I = PhGetDllBaseProcedureAddress(baseAddress, "SHGetKnownFolderItem", 0); } PhEndInitOnce(&initOnce); } if (!SHGetKnownFolderItem_I) return E_FAIL; return SHGetKnownFolderItem_I(rfid, Flags, TokenHandle, riid, ppv); } /** * Expands registry name abbreviations. * * \param KeyName The key name. * \param Computer TRUE to prepend "Computer" or "My Computer" for use with the Registry Editor. */ PPH_STRING PhExpandKeyName( _In_ PPH_STRING KeyName, _In_ BOOLEAN Computer ) { PPH_STRING keyName; PPH_STRING tempString; if (PhStartsWithString2(KeyName, L"HKCU", TRUE)) { keyName = PhConcatStrings2(L"HKEY_CURRENT_USER", &KeyName->Buffer[4]); } else if (PhStartsWithString2(KeyName, L"HKU", TRUE)) { keyName = PhConcatStrings2(L"HKEY_USERS", &KeyName->Buffer[3]); } else if (PhStartsWithString2(KeyName, L"HKCR", TRUE)) { keyName = PhConcatStrings2(L"HKEY_CLASSES_ROOT", &KeyName->Buffer[4]); } else if (PhStartsWithString2(KeyName, L"HKLM", TRUE)) { keyName = PhConcatStrings2(L"HKEY_LOCAL_MACHINE", &KeyName->Buffer[4]); } else { PhSetReference(&keyName, KeyName); } if (Computer) { tempString = PhConcatStrings2(L"Computer\\", keyName->Buffer); PhDereferenceObject(keyName); keyName = tempString; } return keyName; } /** * Gets a registry string value. * * \param KeyHandle A handle to the key. * \param ValueName The name of the value. * \return A pointer to a string containing the value, or NULL if the function failed. You must free * the string using PhDereferenceObject() when you no longer need it. */ PPH_STRING PhQueryRegistryString( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ) { PPH_STRING string = NULL; PKEY_VALUE_PARTIAL_INFORMATION buffer; if (NT_SUCCESS(PhQueryValueKey(KeyHandle, ValueName, KeyValuePartialInformation, &buffer))) { if (buffer->Type == REG_SZ || buffer->Type == REG_MULTI_SZ || buffer->Type == REG_EXPAND_SZ) { if (!(buffer->DataLength & 1)) // validate the string length { if (buffer->DataLength >= sizeof(UNICODE_NULL)) string = PhCreateStringEx((PWCHAR)buffer->Data, buffer->DataLength - sizeof(UNICODE_NULL)); else string = PhReferenceEmptyString(); } } PhFree(buffer); } return string; } /** * Gets a registry ULONG value. * * \param KeyHandle A handle to the key. * \param ValueName The name of the value. * \return The value, or ULONG_MAX if the function failed. */ ULONG PhQueryRegistryUlong( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ) { ULONG ulong = ULONG_MAX; PKEY_VALUE_PARTIAL_INFORMATION buffer; if (NT_SUCCESS(PhQueryValueKey(KeyHandle, ValueName, KeyValuePartialInformation, &buffer))) { if (buffer->Type == REG_DWORD) { if (buffer->DataLength == sizeof(ULONG)) ulong = *(PULONG)buffer->Data; } PhFree(buffer); } return ulong; } /** * Gets a registry ULONG64 value. * * \param KeyHandle A handle to the key. * \param ValueName The name of the value. * \return The value, or ULLONG_MAX if the function failed. */ ULONG64 PhQueryRegistryUlong64( _In_ HANDLE KeyHandle, _In_opt_ PCPH_STRINGREF ValueName ) { ULONG64 ulong64 = ULLONG_MAX; PKEY_VALUE_PARTIAL_INFORMATION buffer; if (NT_SUCCESS(PhQueryValueKey(KeyHandle, ValueName, KeyValuePartialInformation, &buffer))) { if (buffer->Type == REG_DWORD) { if (buffer->DataLength == sizeof(ULONG)) ulong64 = *(PULONG)buffer->Data; } else if (buffer->Type == REG_QWORD) { if (buffer->DataLength == sizeof(ULONG64)) ulong64 = *(PULONG64)buffer->Data; } PhFree(buffer); } return ulong64; } /** * Maps flags from one set to another. * * \param Value2 A pointer to the destination flags. * \param Value1 The source flags. * \param Mappings An array of flag mappings. * \param NumberOfMappings The number of mappings. */ VOID PhMapFlags1( _Inout_ PULONG Value2, _In_ ULONG Value1, _In_ const PH_FLAG_MAPPING *Mappings, _In_ ULONG NumberOfMappings ) { ULONG i; ULONG value2; value2 = *Value2; if (value2 != 0) { // There are existing flags. Map the flags we know about by clearing/setting them. The flags // we don't know about won't be affected. for (i = 0; i < NumberOfMappings; i++) { if (Value1 & Mappings[i].Flag1) value2 |= Mappings[i].Flag2; else value2 &= ~Mappings[i].Flag2; } } else { // There are no existing flags, which means we can build the value from scratch, with no // clearing needed. for (i = 0; i < NumberOfMappings; i++) { if (Value1 & Mappings[i].Flag1) value2 |= Mappings[i].Flag2; } } *Value2 = value2; } /** * Maps flags from one set to another. * * \param Value1 A pointer to the destination flags. * \param Value2 The source flags. * \param Mappings An array of flag mappings. * \param NumberOfMappings The number of mappings. */ VOID PhMapFlags2( _Inout_ PULONG Value1, _In_ ULONG Value2, _In_ const PH_FLAG_MAPPING *Mappings, _In_ ULONG NumberOfMappings ) { ULONG i; ULONG value1; value1 = *Value1; if (value1 != 0) { for (i = 0; i < NumberOfMappings; i++) { if (Value2 & Mappings[i].Flag2) value1 |= Mappings[i].Flag1; else value1 &= ~Mappings[i].Flag1; } } else { for (i = 0; i < NumberOfMappings; i++) { if (Value2 & Mappings[i].Flag2) value1 |= Mappings[i].Flag1; } } *Value1 = value1; } /** * Internal hook procedure for the file dialog. * * \param hdlg The handle to the file dialog. * \param uiMsg The message. * \param wParam The first message parameter. * \param lParam The second message parameter. * \return The message result. */ UINT_PTR CALLBACK PhpOpenFileNameHookProc( _In_ HWND hdlg, _In_ UINT uiMsg, _In_ WPARAM wParam, _In_ LPARAM lParam ) { switch (uiMsg) { case WM_NOTIFY: { LPOFNOTIFY header = (LPOFNOTIFY)lParam; // We can't use CDN_FILEOK because it's not sent if the buffer is too small, defeating // the entire purpose of this callback function. switch (header->hdr.code) { case CDN_SELCHANGE: { ULONG returnLength; returnLength = CommDlg_OpenSave_GetFilePath( header->hdr.hwndFrom, header->lpOFN->lpstrFile, header->lpOFN->nMaxFile ); if ((LONG)returnLength > 0 && returnLength > header->lpOFN->nMaxFile) { PhFree(header->lpOFN->lpstrFile); header->lpOFN->nMaxFile = returnLength + 0x200; // pre-allocate some more header->lpOFN->lpstrFile = PhAllocate(header->lpOFN->nMaxFile * sizeof(WCHAR)); returnLength = CommDlg_OpenSave_GetFilePath( header->hdr.hwndFrom, header->lpOFN->lpstrFile, header->lpOFN->nMaxFile ); } } break; } } break; } return FALSE; } /** * Internal function to create an OPENFILENAME structure. * * \return A pointer to the OPENFILENAME structure. */ OPENFILENAME *PhpCreateOpenFileName( VOID ) { OPENFILENAME *ofn; ofn = PhAllocateZero(sizeof(OPENFILENAME)); ofn->lStructSize = sizeof(OPENFILENAME); ofn->nMaxFile = 0x400; ofn->lpstrFile = PhAllocate(ofn->nMaxFile * sizeof(WCHAR)); ofn->lpstrFileTitle = NULL; ofn->Flags = OFN_ENABLEHOOK | OFN_EXPLORER; ofn->lpfnHook = PhpOpenFileNameHookProc; ofn->lpstrFile[0] = UNICODE_NULL; return ofn; } /** * Internal function to free an OPENFILENAME structure. * * \param OpenFileName The structure to free. */ VOID PhpFreeOpenFileName( _In_ OPENFILENAME *OpenFileName ) { if (OpenFileName->lpstrFilter) PhFree((PVOID)OpenFileName->lpstrFilter); if (OpenFileName->lpstrFile) PhFree((PVOID)OpenFileName->lpstrFile); PhFree(OpenFileName); } typedef struct _PHP_FILE_DIALOG { BOOLEAN UseIFileDialog; BOOLEAN Save; union { OPENFILENAME *OpenFileName; IFileDialog *FileDialog; } u; } PHP_FILE_DIALOG, *PPHP_FILE_DIALOG; /** * Internal function to create a PHP_FILE_DIALOG structure. * * \param Save TRUE if this is a save dialog, FALSE for an open dialog. * \param OpenFileName An optional OPENFILENAME structure. * \param FileDialog An optional IFileDialog interface. * \return A pointer to the PHP_FILE_DIALOG structure. */ PPHP_FILE_DIALOG PhpCreateFileDialog( _In_ BOOLEAN Save, _In_opt_ OPENFILENAME *OpenFileName, _In_opt_ IFileDialog *FileDialog ) { PPHP_FILE_DIALOG fileDialog; assert(!!OpenFileName != !!FileDialog); fileDialog = PhAllocate(sizeof(PHP_FILE_DIALOG)); fileDialog->Save = Save; if (OpenFileName) { fileDialog->UseIFileDialog = FALSE; fileDialog->u.OpenFileName = OpenFileName; } else if (FileDialog) { fileDialog->UseIFileDialog = TRUE; fileDialog->u.FileDialog = FileDialog; } else { PhRaiseStatus(STATUS_INVALID_PARAMETER); } return fileDialog; } /** * Creates a file dialog for the user to select a file to open. * * \return An opaque pointer representing the file dialog. You must free the file dialog using * PhFreeFileDialog() when you no longer need it. */ PVOID PhCreateOpenFileDialog( VOID ) { IFileDialog *fileDialog; if (SUCCEEDED(PhGetClassObject( L"comdlg32.dll", &CLSID_FileOpenDialog, &IID_IFileDialog, &fileDialog ))) { // The default options are fine. return PhpCreateFileDialog(FALSE, NULL, fileDialog); } return NULL; } /** * Creates a file dialog for the user to select a file to save to. * * \return An opaque pointer representing the file dialog. You must free the file dialog using * PhFreeFileDialog() when you no longer need it. */ PVOID PhCreateSaveFileDialog( VOID ) { IFileDialog *fileDialog; if (SUCCEEDED(PhGetClassObject( L"comdlg32.dll", &CLSID_FileSaveDialog, &IID_IFileDialog, &fileDialog ))) { // The default options are fine. return PhpCreateFileDialog(TRUE, NULL, fileDialog); } return NULL; } /** * Frees a file dialog. * * \param FileDialog The file dialog. */ VOID PhFreeFileDialog( _In_ PVOID FileDialog ) { PPHP_FILE_DIALOG fileDialog = FileDialog; if (fileDialog->UseIFileDialog) { IFileDialog_Release(fileDialog->u.FileDialog); } else { PhpFreeOpenFileName(fileDialog->u.OpenFileName); } PhFree(fileDialog); } /** * Shows a file dialog to the user. * * \param WindowHandle A handle to the parent window. * \param FileDialog The file dialog. * * \return TRUE if the user selected a file, FALSE if the user cancelled the operation or an error * occurred. */ BOOLEAN PhShowFileDialog( _In_opt_ HWND WindowHandle, _In_ PVOID FileDialog ) { PPHP_FILE_DIALOG fileDialog = FileDialog; if (fileDialog->UseIFileDialog) { // Set a blank default extension. This will have an effect when the user selects a different // file type. IFileDialog_SetDefaultExtension(fileDialog->u.FileDialog, L""); return SUCCEEDED(IFileDialog_Show(fileDialog->u.FileDialog, WindowHandle)); } else { OPENFILENAME *ofn = fileDialog->u.OpenFileName; ofn->hwndOwner = WindowHandle; // Determine whether the structure represents a open or save dialog and call the appropriate // function. if (!fileDialog->Save) { return GetOpenFileName(ofn); } else { return GetSaveFileName(ofn); } } } static const PH_FLAG_MAPPING PhpFileDialogIfdMappings[] = { { PH_FILEDIALOG_CREATEPROMPT, FOS_CREATEPROMPT }, { PH_FILEDIALOG_PATHMUSTEXIST, FOS_PATHMUSTEXIST }, { PH_FILEDIALOG_FILEMUSTEXIST, FOS_FILEMUSTEXIST }, { PH_FILEDIALOG_SHOWHIDDEN, FOS_FORCESHOWHIDDEN }, { PH_FILEDIALOG_NODEREFERENCELINKS, FOS_NODEREFERENCELINKS }, { PH_FILEDIALOG_OVERWRITEPROMPT, FOS_OVERWRITEPROMPT }, { PH_FILEDIALOG_DEFAULTEXPANDED, FOS_DEFAULTNOMINIMODE }, { PH_FILEDIALOG_STRICTFILETYPES, FOS_STRICTFILETYPES }, { PH_FILEDIALOG_PICKFOLDERS, FOS_PICKFOLDERS }, { PH_FILEDIALOG_NOPATHVALIDATE, FOS_NOVALIDATE }, { PH_FILEDIALOG_DONTADDTORECENT, FOS_DONTADDTORECENT }, }; static const PH_FLAG_MAPPING PhpFileDialogOfnMappings[] = { { PH_FILEDIALOG_CREATEPROMPT, OFN_CREATEPROMPT }, { PH_FILEDIALOG_PATHMUSTEXIST, OFN_PATHMUSTEXIST }, { PH_FILEDIALOG_FILEMUSTEXIST, OFN_FILEMUSTEXIST }, { PH_FILEDIALOG_SHOWHIDDEN, OFN_FORCESHOWHIDDEN }, { PH_FILEDIALOG_NODEREFERENCELINKS, OFN_NODEREFERENCELINKS }, { PH_FILEDIALOG_OVERWRITEPROMPT, OFN_OVERWRITEPROMPT }, { PH_FILEDIALOG_NOPATHVALIDATE, OFN_NOVALIDATE }, { PH_FILEDIALOG_DONTADDTORECENT, OFN_DONTADDTORECENT }, }; /** * Gets the options for a file dialog. * * \param FileDialog The file dialog. * * \return The currently enabled options. See the documentation for PhSetFileDialogOptions() for * details. */ ULONG PhGetFileDialogOptions( _In_ PVOID FileDialog ) { PPHP_FILE_DIALOG fileDialog = FileDialog; if (fileDialog->UseIFileDialog) { FILEOPENDIALOGOPTIONS dialogOptions; ULONG options; if (SUCCEEDED(IFileDialog_GetOptions(fileDialog->u.FileDialog, &dialogOptions))) { options = 0; PhMapFlags2( &options, dialogOptions, PhpFileDialogIfdMappings, sizeof(PhpFileDialogIfdMappings) / sizeof(PH_FLAG_MAPPING) ); return options; } else { return 0; } } else { OPENFILENAME *ofn = fileDialog->u.OpenFileName; ULONG options; options = 0; PhMapFlags2( &options, ofn->Flags, PhpFileDialogOfnMappings, sizeof(PhpFileDialogOfnMappings) / sizeof(PH_FLAG_MAPPING) ); return options; } } /** * Sets the options for a file dialog. * * \param FileDialog The file dialog. * \param Options A combination of flags specifying the options. * \li \c PH_FILEDIALOG_CREATEPROMPT A prompt for creation will be displayed when the selected item * does not exist. This is only valid for Save dialogs. * \li \c PH_FILEDIALOG_PATHMUSTEXIST The selected item must be in an existing folder. This is * enabled by default. * \li \c PH_FILEDIALOG_FILEMUSTEXIST The selected item must exist. This is enabled by default and * is only valid for Open dialogs. * \li \c PH_FILEDIALOG_SHOWHIDDEN Items with the System and Hidden attributes will be displayed. * \li \c PH_FILEDIALOG_NODEREFERENCELINKS Shortcuts will not be followed, allowing .lnk files to be * opened. * \li \c PH_FILEDIALOG_OVERWRITEPROMPT An overwrite prompt will be displayed if an existing item is * selected. This is enabled by default and is only valid for Save dialogs. * \li \c PH_FILEDIALOG_DEFAULTEXPANDED The file dialog should be expanded by default (i.e. the * folder browser should be displayed). This is only valid for Save dialogs. */ VOID PhSetFileDialogOptions( _In_ PVOID FileDialog, _In_ ULONG Options ) { PPHP_FILE_DIALOG fileDialog = FileDialog; if (fileDialog->UseIFileDialog) { FILEOPENDIALOGOPTIONS dialogOptions; if (SUCCEEDED(IFileDialog_GetOptions(fileDialog->u.FileDialog, &dialogOptions))) { PhMapFlags1( &dialogOptions, Options, PhpFileDialogIfdMappings, sizeof(PhpFileDialogIfdMappings) / sizeof(PH_FLAG_MAPPING) ); IFileDialog_SetOptions(fileDialog->u.FileDialog, dialogOptions); } } else { OPENFILENAME *ofn = fileDialog->u.OpenFileName; PhMapFlags1( &ofn->Flags, Options, PhpFileDialogOfnMappings, sizeof(PhpFileDialogOfnMappings) / sizeof(PH_FLAG_MAPPING) ); } } /** * Gets the index of the currently selected file type filter for a file dialog. * * \param FileDialog The file dialog. * * \return The one-based index of the selected file type, or 0 if an error occurred. */ ULONG PhGetFileDialogFilterIndex( _In_ PVOID FileDialog ) { PPHP_FILE_DIALOG fileDialog = FileDialog; if (fileDialog->UseIFileDialog) { ULONG index; if (SUCCEEDED(IFileDialog_GetFileTypeIndex(fileDialog->u.FileDialog, &index))) { return index; } else { return 0; } } else { OPENFILENAME *ofn = fileDialog->u.OpenFileName; return ofn->nFilterIndex; } } /** * Sets the file type filter for a file dialog. * * \param FileDialog The file dialog. * \param Filters A pointer to an array of file type structures. * \param NumberOfFilters The number of file types. */ VOID PhSetFileDialogFilter( _In_ PVOID FileDialog, _In_ PPH_FILETYPE_FILTER Filters, _In_ ULONG NumberOfFilters ) { PPHP_FILE_DIALOG fileDialog = FileDialog; if (fileDialog->UseIFileDialog) { IFileDialog_SetFileTypes( fileDialog->u.FileDialog, NumberOfFilters, (COMDLG_FILTERSPEC *)Filters ); } else { OPENFILENAME *ofn = fileDialog->u.OpenFileName; PPH_STRING filterString; PH_STRING_BUILDER filterBuilder; ULONG i; PhInitializeStringBuilder(&filterBuilder, 10); for (i = 0; i < NumberOfFilters; i++) { PhAppendStringBuilder2(&filterBuilder, Filters[i].Name); PhAppendCharStringBuilder(&filterBuilder, 0); PhAppendStringBuilder2(&filterBuilder, Filters[i].Filter); PhAppendCharStringBuilder(&filterBuilder, 0); } filterString = PhFinalStringBuilderString(&filterBuilder); if (ofn->lpstrFilter) PhFree((PVOID)ofn->lpstrFilter); ofn->lpstrFilter = PhAllocateCopy(filterString->Buffer, filterString->Length + sizeof(UNICODE_NULL)); PhDereferenceObject(filterString); } } /** * Gets the file name selected in a file dialog. * * \param FileDialog The file dialog. * * \return A pointer to a string containing the file name. You must free the string using * PhDereferenceObject() when you no longer need it. */ PPH_STRING PhGetFileDialogFileName( _In_ PVOID FileDialog ) { PPHP_FILE_DIALOG fileDialog = FileDialog; if (fileDialog->UseIFileDialog) { IShellItem *result; PPH_STRING fileName = NULL; if (SUCCEEDED(IFileDialog_GetResult(fileDialog->u.FileDialog, &result))) { PWSTR name; if (SUCCEEDED(IShellItem_GetDisplayName(result, SIGDN_FILESYSPATH, &name))) { fileName = PhCreateString(name); CoTaskMemFree(name); } IShellItem_Release(result); } if (PhIsNullOrEmptyString(fileName)) { PWSTR name; if (SUCCEEDED(IFileDialog_GetFileName(fileDialog->u.FileDialog, &name))) { fileName = PhCreateString(name); CoTaskMemFree(name); } } if (PhIsNullOrEmptyString(fileName)) { // NOTE: When the user selects IShellItem types with SIGDN_URL from the OpenFileDialog/SaveFileDialog // the shell returns S_OK for the file dialog then immediately returns E_FAIL when we query the filename. // This case was unexpected, and plugins/legacy callers will auto-dereference the filename when the dialog // returns success, so return an empty string to prevent plugins/legacy callers referencing invalid memory. (dmex) PhMoveReference(&fileName, PhReferenceEmptyString()); } return fileName; } else { return PhCreateString(fileDialog->u.OpenFileName->lpstrFile); } } /** * Sets the file name of a file dialog. * * \param FileDialog The file dialog. * \param FileName The new file name. */ VOID PhSetFileDialogFileName( _In_ PVOID FileDialog, _In_ PCWSTR FileName ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&SHParseDisplayName) SHParseDisplayName_I = NULL; static typeof(&SHCreateItemFromIDList) SHCreateItemFromIDList_I = NULL; PPHP_FILE_DIALOG fileDialog = FileDialog; PH_STRINGREF fileName; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"shell32.dll")) { SHParseDisplayName_I = PhGetDllBaseProcedureAddress(baseAddress, "SHParseDisplayName", 0); SHCreateItemFromIDList_I = PhGetDllBaseProcedureAddress(baseAddress, "SHCreateItemFromIDList", 0); } PhEndInitOnce(&initOnce); } PhInitializeStringRefLongHint(&fileName, FileName); if (fileDialog->UseIFileDialog) { IShellItem *shellItem = NULL; PH_STRINGREF pathNamePart; PH_STRINGREF baseNamePart; if (PhGetBasePath(&fileName, &pathNamePart, &baseNamePart) && SHParseDisplayName_I && SHCreateItemFromIDList_I) { LPITEMIDLIST item; PPH_STRING pathName; pathName = PhCreateString2(&pathNamePart); if (SUCCEEDED(SHParseDisplayName_I(pathName->Buffer, NULL, &item, 0, NULL))) { SHCreateItemFromIDList_I(item, &IID_IShellItem, &shellItem); CoTaskMemFree(item); } PhDereferenceObject(pathName); } if (shellItem) { IFileDialog_SetFolder(fileDialog->u.FileDialog, shellItem); IFileDialog_SetFileName(fileDialog->u.FileDialog, baseNamePart.Buffer); IShellItem_Release(shellItem); } else { IFileDialog_SetFileName(fileDialog->u.FileDialog, FileName); } } else { OPENFILENAME *ofn = fileDialog->u.OpenFileName; if (PhFindCharInStringRef(&fileName, L'/', FALSE) != SIZE_MAX || PhFindCharInStringRef(&fileName, L'\"', FALSE) != SIZE_MAX) { // It refuses to take any filenames with a slash or quotation mark. return; } PhFree(ofn->lpstrFile); ofn->nMaxFile = (ULONG)__max(fileName.Length / sizeof(WCHAR) + 1, 0x400); ofn->lpstrFile = PhAllocate(ofn->nMaxFile * sizeof(WCHAR)); memcpy(ofn->lpstrFile, fileName.Buffer, fileName.Length + sizeof(UNICODE_NULL)); } } /** * Determines if an executable image is packed. * * \param FileName The file name of the image. * \param IsPacked A variable that receives TRUE if the image is packed, otherwise FALSE. * \param NumberOfModules A variable that receives the number of DLLs that the image imports * functions from. * \param NumberOfFunctions A variable that receives the number of functions that the image imports. */ NTSTATUS PhIsExecutablePacked( _In_ PPH_STRING FileName, _Out_ PBOOLEAN IsPacked, _Out_opt_ PULONG NumberOfModules, _Out_opt_ PULONG NumberOfFunctions ) { // An image is packed if: // // 1. It references fewer than 3 modules, and // 2. It imports fewer than 5 functions, and // 3. It does not use the Native subsystem. // // Or: // // 1. The function-to-module ratio is lower than 3 (on average fewer than 3 functions are // imported from each module), and // 2. It references more than 2 modules but fewer than 6 modules. // // Or: // // 1. The function-to-module ratio is lower than 2 (on average fewer than 2 functions are // imported from each module), and // 2. It references more than 5 modules but fewer than 31 modules. // // Or: // // 1. It does not have a section named ".text". // // An image is not considered to be packed if it has only one import from a module named // "mscoree.dll". NTSTATUS status; PH_MAPPED_IMAGE mappedImage; PH_MAPPED_IMAGE_IMPORTS imports; PH_MAPPED_IMAGE_IMPORT_DLL importDll; ULONG i; //ULONG limitNumberOfSections; ULONG limitNumberOfModules; ULONG numberOfModules; ULONG numberOfFunctions = 0; BOOLEAN hasTextSection = FALSE; BOOLEAN isModuleMscoree = FALSE; BOOLEAN isPacked; status = PhLoadMappedImageEx( &FileName->sr, NULL, &mappedImage ); if (!NT_SUCCESS(status)) return status; // Go through the sections and look for the ".text" section. #if defined(PH_ISEXECUTABLEPACKED_SECTION) limitNumberOfSections = min(mappedImage.NumberOfSections, 64); for (i = 0; i < limitNumberOfSections; i++) { WCHAR sectionName[IMAGE_SIZEOF_SHORT_NAME + 1]; if (NT_SUCCESS(PhGetMappedImageSectionName( &mappedImage.Sections[i], sectionName, RTL_NUMBER_OF(sectionName), NULL ))) { if (PhEqualStringZ(sectionName, ".text", TRUE)) { hasTextSection = TRUE; break; } } } #else hasTextSection = TRUE; #endif status = PhGetMappedImageImports( &imports, &mappedImage ); if (!NT_SUCCESS(status)) goto CleanupExit; // Get the module and function totals. numberOfModules = imports.NumberOfDlls; limitNumberOfModules = __min(numberOfModules, 64); for (i = 0; i < limitNumberOfModules; i++) { if (!NT_SUCCESS(status = PhGetMappedImageImportDll( &imports, i, &importDll ))) goto CleanupExit; if (PhEqualBytesZ(importDll.Name, "mscoree.dll", TRUE)) isModuleMscoree = TRUE; numberOfFunctions += importDll.NumberOfEntries; } // Determine if the image is packed. if ( numberOfModules != 0 && ( // Rule 1 (numberOfModules < 3 && numberOfFunctions < 5 && mappedImage.NtHeaders->OptionalHeader.Subsystem != IMAGE_SUBSYSTEM_NATIVE) || // Rule 2 ((numberOfFunctions / numberOfModules) < 3 && numberOfModules > 2 && numberOfModules < 5) || // Rule 3 ((numberOfFunctions / numberOfModules) < 2 && numberOfModules > 4 && numberOfModules < 31) || // Rule 4 !hasTextSection ) && // Additional .NET rule !(numberOfModules == 1 && numberOfFunctions == 1 && isModuleMscoree) ) { isPacked = TRUE; } else { isPacked = FALSE; } *IsPacked = isPacked; if (NumberOfModules) *NumberOfModules = numberOfModules; if (NumberOfFunctions) *NumberOfFunctions = numberOfFunctions; CleanupExit: PhUnloadMappedImage(&mappedImage); return status; } /** * \brief CRC-32 (Ethernet, ZIP - polynomial 0xedb88320 - TEST=0xEEEA93B8) * * \param Crc Crc * \param Buffer Buffer * \param Length Length * \return Crc */ ULONG PhCrc32( _In_ ULONG Crc, _In_reads_(Length) PUCHAR Buffer, _In_ SIZE_T Length ) { Crc ^= 0xffffffff; while (Length--) Crc = (Crc >> 8) ^ PhCrc32Table[(Crc ^ *Buffer++) & 0xff]; return Crc ^ 0xffffffff; } /** * \brief CRC-32C (iSCSI - polynomial 0x82f63b78 - TEST=0xEFF7F083) * * \param Crc Crc * \param Buffer Buffer * \param Length Length * \return Crc */ ULONG PhCrc32C( _In_ ULONG Crc, _In_reads_(Length) PVOID Buffer, _In_ SIZE_T Length ) { #if defined(_WIN64) SIZE_T u64_blocks = Length / sizeof(ULONG64); SIZE_T u64_remaining = Length % sizeof(ULONG64); #else SIZE_T u64_remaining = Length; #endif SIZE_T u32_blocks = u64_remaining / sizeof(ULONG); SIZE_T u32_remaining = u64_remaining % sizeof(ULONG); SIZE_T u16_blocks = u32_remaining / sizeof(USHORT); SIZE_T u8_blocks = u32_remaining % sizeof(UCHAR); Crc ^= 0xffffffff; #if defined(_WIN64) while (u64_blocks--) { #if defined(_M_ARM64) Crc = __crc32d(Crc, *(PULONG64)Buffer); #else Crc = (ULONG)_mm_crc32_u64(Crc, *(PULONG64)Buffer); #endif Buffer = (PULONG64)Buffer + 1; } #endif while (u32_blocks--) { #if defined(_M_ARM64) Crc = __crc32w(Crc, *(PULONG)Buffer); #else Crc = _mm_crc32_u32(Crc, *(PULONG)Buffer); #endif Buffer = (PULONG)Buffer + 1; } while (u16_blocks--) { #if defined(_M_ARM64) Crc = __crc32h(Crc, *(PUSHORT)Buffer); #else Crc = _mm_crc32_u16(Crc, *(PUSHORT)Buffer); #endif Buffer = (PUSHORT)Buffer + 1; } while (u8_blocks--) { #if defined(_M_ARM64) Crc = __crc32b(Crc, *(PUCHAR)Buffer); #else Crc = _mm_crc32_u8(Crc, *(PUCHAR)Buffer); #endif Buffer = (PUCHAR)Buffer + 1; } return Crc ^ 0xffffffff; } static_assert(RTL_FIELD_SIZE(PH_HASH_CONTEXT, Context) >= sizeof(MD5_CTX), "RTL_FIELD_SIZE(PH_HASH_CONTEXT, Context) >= sizeof(MD5_CTX)"); static_assert(RTL_FIELD_SIZE(PH_HASH_CONTEXT, Context) >= sizeof(A_SHA_CTX), "RTL_FIELD_SIZE(PH_HASH_CONTEXT, Context) >= sizeof(A_SHA_CTX)"); static_assert(RTL_FIELD_SIZE(PH_HASH_CONTEXT, Context) >= sizeof(sha256_context), "RTL_FIELD_SIZE(PH_HASH_CONTEXT, Context) >= sizeof(sha256_context)"); /** * Initializes hashing. * * \param Context A hashing context structure. * \param Algorithm The hash algorithm to use: * \li \c Md5HashAlgorithm MD5 (128 bits) * \li \c Sha1HashAlgorithm SHA-1 (160 bits) * \li \c Crc32HashAlgorithm CRC-32-IEEE 802.3 (32 bits) * \li \c Sha256HashAlgorithm SHA-256 (256 bits) * \return NTSTATUS Successful or errant status. */ NTSTATUS PhInitializeHash( _Out_ PPH_HASH_CONTEXT Context, _In_ PH_HASH_ALGORITHM Algorithm ) { Context->Algorithm = Algorithm; switch (Algorithm) { case Crc32HashAlgorithm: case Crc32CHashAlgorithm: Context->Context[0] = 0; return STATUS_SUCCESS; case Md5HashAlgorithm: MD5Init((MD5_CTX *)Context->Context); return STATUS_SUCCESS; case Sha1HashAlgorithm: A_SHAInit((A_SHA_CTX *)Context->Context); return STATUS_SUCCESS; case Sha256HashAlgorithm: sha256_starts((sha256_context *)Context->Context); return STATUS_SUCCESS; default: return STATUS_INVALID_PARAMETER_2; } } /** * Hashes a block of data. * * \param Context A hashing context structure. * \param Buffer The block of data. * \param Length The number of bytes in the block. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhUpdateHash( _In_ PPH_HASH_CONTEXT Context, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ) { switch (Context->Algorithm) { case Crc32HashAlgorithm: Context->Context[0] = PhCrc32(Context->Context[0], (PUCHAR)Buffer, Length); return STATUS_SUCCESS; case Crc32CHashAlgorithm: Context->Context[0] = PhCrc32C(Context->Context[0], (PUCHAR)Buffer, Length); return STATUS_SUCCESS; case Md5HashAlgorithm: MD5Update((MD5_CTX *)Context->Context, (PUCHAR)Buffer, Length); return STATUS_SUCCESS; case Sha1HashAlgorithm: A_SHAUpdate((A_SHA_CTX *)Context->Context, (PUCHAR)Buffer, Length); return STATUS_SUCCESS; case Sha256HashAlgorithm: sha256_update((sha256_context *)Context->Context, (PUCHAR)Buffer, Length); return STATUS_SUCCESS; default: return STATUS_INVALID_PARAMETER; } } /** * Computes the final hash value. * * \param Context A hashing context structure. * \param Hash A buffer which receives the final hash value. * \param HashLength The size of the buffer, in bytes. * \param ReturnLength A variable which receives the required size of the buffer, in bytes. */ NTSTATUS PhFinalHash( _In_ PPH_HASH_CONTEXT Context, _Out_writes_bytes_(HashLength) PVOID Hash, _In_ ULONG HashLength, _Out_opt_ PULONG ReturnLength ) { NTSTATUS status; switch (Context->Algorithm) { case Crc32HashAlgorithm: case Crc32CHashAlgorithm: { if (HashLength >= PH_HASH_CRC32_LENGTH) { *(PULONG)Hash = Context->Context[0]; status = STATUS_SUCCESS; } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnLength) { *ReturnLength = PH_HASH_CRC32_LENGTH; } } break; case Md5HashAlgorithm: { if (HashLength >= PH_HASH_MD5_LENGTH) { MD5Final((MD5_CTX*)Context->Context); memcpy(Hash, ((MD5_CTX*)Context->Context)->digest, PH_HASH_MD5_LENGTH); status = STATUS_SUCCESS; } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnLength) { *ReturnLength = PH_HASH_MD5_LENGTH; } } break; case Sha1HashAlgorithm: { if (HashLength >= PH_HASH_SHA1_LENGTH) { A_SHAFinal((A_SHA_CTX*)Context->Context, (PUCHAR)Hash); status = STATUS_SUCCESS; } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnLength) *ReturnLength = PH_HASH_SHA1_LENGTH; } break; case Sha256HashAlgorithm: { if (HashLength >= PH_HASH_SHA256_LENGTH) { sha256_finish((sha256_context*)Context->Context, (PUCHAR)Hash); status = STATUS_SUCCESS; } else { status = STATUS_BUFFER_TOO_SMALL; } if (ReturnLength) { *ReturnLength = PH_HASH_SHA256_LENGTH; } } break; default: { if (ReturnLength) { *ReturnLength = 0; } status = STATUS_INVALID_PARAMETER; } break; } return status; } /** * Parses one part of a command line string. Quotation marks and backslashes are handled * appropriately. * * \param CommandLine The entire command line string. * \param Index The starting index of the command line part to be parsed. There should be no leading * whitespace at this index. The index is updated to point to the end of the command line part. */ PPH_STRING PhParseCommandLinePart( _In_ PCPH_STRINGREF CommandLine, _Inout_ PULONG_PTR Index ) { PH_STRING_BUILDER stringBuilder; SIZE_T length; SIZE_T i; ULONG numberOfBackslashes; BOOLEAN inQuote; BOOLEAN endOfValue; length = CommandLine->Length / sizeof(WCHAR); i = *Index; // This function follows the rules used by CommandLineToArgvW: // // * 2n backslashes and a quotation mark produces n backslashes and a quotation mark // (non-literal). // * 2n + 1 backslashes and a quotation mark produces n and a quotation mark (literal). // * n backslashes and no quotation mark produces n backslashes. PhInitializeStringBuilder(&stringBuilder, 0x80); numberOfBackslashes = 0; inQuote = FALSE; endOfValue = FALSE; for (; i < length; i++) { switch (CommandLine->Buffer[i]) { case L'\\': numberOfBackslashes++; break; case L'\"': if (numberOfBackslashes != 0) { if (numberOfBackslashes & 1) { numberOfBackslashes /= 2; if (numberOfBackslashes != 0) { PhAppendCharStringBuilder2(&stringBuilder, OBJ_NAME_PATH_SEPARATOR, numberOfBackslashes); numberOfBackslashes = 0; } PhAppendCharStringBuilder(&stringBuilder, L'\"'); break; } else { numberOfBackslashes /= 2; PhAppendCharStringBuilder2(&stringBuilder, OBJ_NAME_PATH_SEPARATOR, numberOfBackslashes); numberOfBackslashes = 0; } } if (!inQuote) inQuote = TRUE; else inQuote = FALSE; break; default: if (numberOfBackslashes != 0) { PhAppendCharStringBuilder2(&stringBuilder, OBJ_NAME_PATH_SEPARATOR, numberOfBackslashes); numberOfBackslashes = 0; } if (CommandLine->Buffer[i] == L' ' && !inQuote) { endOfValue = TRUE; } else { PhAppendCharStringBuilder(&stringBuilder, CommandLine->Buffer[i]); } break; } if (endOfValue) break; } *Index = i; return PhFinalStringBuilderString(&stringBuilder); } /** * Parses a command line string. * * \param CommandLine The command line string. * \param Options An array of supported command line options. * \param NumberOfOptions The number of elements in \a Options. * \param Flags A combination of flags. * \li \c PH_COMMAND_LINE_IGNORE_UNKNOWN_OPTIONS Unknown command line options are ignored instead of * failing the function. * \li \c PH_COMMAND_LINE_IGNORE_FIRST_PART The first part of the command line string is ignored. * This is used when the first part of the string contains the executable file name. * \param Callback A callback function to execute for each command line option found. * \param Context A user-defined value to pass to \a Callback. */ BOOLEAN PhParseCommandLine( _In_ PCPH_STRINGREF CommandLine, _In_opt_ PCPH_COMMAND_LINE_OPTION Options, _In_ ULONG NumberOfOptions, _In_ ULONG Flags, _In_ PPH_COMMAND_LINE_CALLBACK Callback, _In_opt_ PVOID Context ) { SIZE_T i; SIZE_T j; SIZE_T length; BOOLEAN cont = TRUE; BOOLEAN wasFirst = TRUE; PH_STRINGREF optionName; PCPH_COMMAND_LINE_OPTION option = NULL; PPH_STRING optionValue; if (CommandLine->Length == 0) return TRUE; i = 0; length = CommandLine->Length / sizeof(WCHAR); while (TRUE) { // Skip spaces. while (i < length && CommandLine->Buffer[i] == L' ') i++; if (i >= length) break; if (option && (option->Type == MandatoryArgumentType || (option->Type == OptionalArgumentType && CommandLine->Buffer[i] != L'-'))) { // Read the value and execute the callback function. optionValue = PhParseCommandLinePart(CommandLine, &i); cont = Callback(option, optionValue, Context); PhDereferenceObject(optionValue); if (!cont) break; option = NULL; } else if (CommandLine->Buffer[i] == L'-') { ULONG_PTR originalIndex; SIZE_T optionNameLength; // Read the option (only alphanumeric characters allowed). // Skip the dash. i++; originalIndex = i; for (; i < length; i++) { if (!iswalnum(CommandLine->Buffer[i]) && CommandLine->Buffer[i] != L'-') break; } optionNameLength = i - originalIndex; optionName.Buffer = &CommandLine->Buffer[originalIndex]; optionName.Length = optionNameLength * sizeof(WCHAR); // Take care of any pending optional argument. if (option && option->Type == OptionalArgumentType) { cont = Callback(option, NULL, Context); if (!cont) break; option = NULL; } // Find the option descriptor. option = NULL; for (j = 0; j < NumberOfOptions; j++) { if (PhEqualStringRef2(&optionName, Options[j].Name, FALSE)) { option = &Options[j]; break; } } if (!option && !(Flags & PH_COMMAND_LINE_IGNORE_UNKNOWN_OPTIONS)) return FALSE; if (option && option->Type == NoArgumentType) { cont = Callback(option, NULL, Context); if (!cont) break; option = NULL; } wasFirst = FALSE; } else { PPH_STRING value; value = PhParseCommandLinePart(CommandLine, &i); if ((Flags & PH_COMMAND_LINE_IGNORE_FIRST_PART) && wasFirst) { PhDereferenceObject(value); value = NULL; } if (value) { cont = Callback(NULL, value, Context); PhDereferenceObject(value); if (!cont) break; } wasFirst = FALSE; } } if (cont && option && option->Type == OptionalArgumentType) Callback(option, NULL, Context); return TRUE; } /** * Escapes a string for use in a command line. * * \param String The string to escape. * \return The escaped string. * \remarks Only the double quotation mark is escaped. */ PPH_STRING PhEscapeCommandLinePart( _In_ PCPH_STRINGREF String ) { static CONST PH_STRINGREF backslashAndQuote = PH_STRINGREF_INIT(L"\\\""); PH_STRING_BUILDER stringBuilder; ULONG numberOfBackslashes; SIZE_T length; ULONG i; length = String->Length / sizeof(WCHAR); PhInitializeStringBuilder(&stringBuilder, String->Length / sizeof(WCHAR) * 3); numberOfBackslashes = 0; // Simply replacing " with \" won't work here. See PhParseCommandLinePart for the quoting rules. for (i = 0; i < length; i++) { switch (String->Buffer[i]) { case L'\\': numberOfBackslashes++; break; case L'\"': if (numberOfBackslashes != 0) { PhAppendCharStringBuilder2(&stringBuilder, OBJ_NAME_PATH_SEPARATOR, UInt32x32To64(numberOfBackslashes, 2)); numberOfBackslashes = 0; } PhAppendStringBuilder(&stringBuilder, &backslashAndQuote); break; default: if (numberOfBackslashes != 0) { PhAppendCharStringBuilder2(&stringBuilder, OBJ_NAME_PATH_SEPARATOR, numberOfBackslashes); numberOfBackslashes = 0; } PhAppendCharStringBuilder(&stringBuilder, String->Buffer[i]); break; } } return PhFinalStringBuilderString(&stringBuilder); } /** * Parses a command line string. If the string does not contain quotation marks around the file name * part, the function determines the file name to use. * * \param CommandLine The command line string. * \param FileName A variable which receives the part of \a CommandLine that contains the file name. * \param Arguments A variable which receives the part of \a CommandLine that contains the arguments. * \param FullFileName A variable which receives the full path and file name. This may be NULL if * the file was not found. */ BOOLEAN PhParseCommandLineFuzzy( _In_ PCPH_STRINGREF CommandLine, _Out_ PPH_STRINGREF FileName, _Out_ PPH_STRINGREF Arguments, _Out_opt_ PPH_STRING *FullFileName ) { static CONST PH_STRINGREF whitespace = PH_STRINGREF_INIT(L" \t"); PH_STRINGREF commandLine; PH_STRINGREF temp; PH_STRINGREF currentPart; PH_STRINGREF remainingPart; PPH_STRING filePath; commandLine = *CommandLine; PhTrimStringRef(&commandLine, &whitespace, 0); if (commandLine.Length == 0) { PhInitializeEmptyStringRef(FileName); PhInitializeEmptyStringRef(Arguments); if (FullFileName) *FullFileName = NULL; return FALSE; } if (*commandLine.Buffer == L'"') { PH_STRINGREF arguments; PhSkipStringRef(&commandLine, sizeof(WCHAR)); // Find the matching quote character and we have our file name. if (!PhSplitStringRefAtChar(&commandLine, L'"', &commandLine, &arguments)) { PhSkipStringRef(&commandLine, -(LONG_PTR)sizeof(WCHAR)); // Unskip the initial quote character *FileName = commandLine; PhInitializeEmptyStringRef(Arguments); if (FullFileName) *FullFileName = NULL; return FALSE; } PhTrimStringRef(&arguments, &whitespace, PH_TRIM_START_ONLY); *FileName = commandLine; *Arguments = arguments; if (FullFileName) { PPH_STRING tempCommandLine; tempCommandLine = PhCreateString2(&commandLine); if (filePath = PhSearchFilePath(tempCommandLine->Buffer, L".exe")) { *FullFileName = filePath; } else { *FullFileName = NULL; } PhDereferenceObject(tempCommandLine); } return TRUE; } // Try to find an existing executable file, starting with the first part of the command line and // successively restoring the rest of the command line. // For example, in "C:\Program Files\Internet Explorer\iexplore", we try to match: // * "C:\Program" // * "C:\Program Files\Internet" // * "C:\Program Files\Internet " // * "C:\Program Files\Internet " // * "C:\Program Files\Internet Explorer\iexplore" // // Note that we do not trim whitespace in each part because filenames can contain trailing // whitespace before the extension (e.g. "Internet .exe"). temp.Buffer = PhAllocate(commandLine.Length + sizeof(UNICODE_NULL)); memcpy(temp.Buffer, commandLine.Buffer, commandLine.Length); temp.Buffer[commandLine.Length / sizeof(WCHAR)] = UNICODE_NULL; temp.Length = commandLine.Length; remainingPart = temp; while (remainingPart.Length != 0) { WCHAR originalChar = UNICODE_NULL; BOOLEAN found; found = PhSplitStringRefAtChar(&remainingPart, L' ', ¤tPart, &remainingPart); if (found) { originalChar = *(remainingPart.Buffer - 1); *(remainingPart.Buffer - 1) = UNICODE_NULL; } filePath = PhSearchFilePath(temp.Buffer, L".exe"); if (found) { *(remainingPart.Buffer - 1) = originalChar; } if (filePath) { FileName->Buffer = commandLine.Buffer; FileName->Length = (SIZE_T)PTR_SUB_OFFSET(currentPart.Buffer, temp.Buffer) + currentPart.Length; if (Arguments) { PhTrimStringRef(&remainingPart, &whitespace, PH_TRIM_START_ONLY); if (remainingPart.Length) { Arguments->Buffer = PTR_ADD_OFFSET(commandLine.Buffer, PTR_SUB_OFFSET(remainingPart.Buffer, temp.Buffer)); Arguments->Length = commandLine.Length - (SIZE_T)PTR_SUB_OFFSET(remainingPart.Buffer, temp.Buffer); } else { PhInitializeEmptyStringRef(Arguments); } } if (FullFileName) *FullFileName = filePath; else PhDereferenceObject(filePath); PhFree(temp.Buffer); return TRUE; } } PhFree(temp.Buffer); *FileName = *CommandLine; PhInitializeEmptyStringRef(Arguments); if (FullFileName) *FullFileName = NULL; return FALSE; } /** * Parses a Unicode command line string and returns an array of pointers to the command line arguments, along with a count of such arguments. * * \param CommandLine Pointer to a null-terminated Unicode string that contains the full command line. If this parameter is an empty string the function returns the path to the current executable file. * \param NumberOfArguments The number of array elements returned, similar to argc. * \return A pointer to an array of LPWSTR values, similar to argv. If the function fails, the return value is NULL. */ _Success_(return != NULL) PWSTR* PhCommandLineToArgv( _In_ PCWSTR CommandLine, _Out_ PLONG NumberOfArguments ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&CommandLineToArgvW) CommandLineToArgvW_I = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"shell32.dll")) { CommandLineToArgvW_I = PhGetDllBaseProcedureAddress(baseAddress, "CommandLineToArgvW", 0); } PhEndInitOnce(&initOnce); } if (!CommandLineToArgvW_I) return NULL; return CommandLineToArgvW_I(CommandLine, NumberOfArguments); } /** * Converts a command line string to a list of strings. * * \param CommandLine The command line string. * \return A pointer to a list containing the command line arguments. */ PPH_LIST PhCommandLineToList( _In_ PCWSTR CommandLine ) { PPH_LIST commandLineList = NULL; LONG commandLineCount; PWSTR* commandLineArray; if (commandLineArray = PhCommandLineToArgv(CommandLine, &commandLineCount)) { commandLineList = PhCreateList(commandLineCount); for (LONG i = 0; i < commandLineCount; i++) PhAddItemList(commandLineList, PhCreateString(commandLineArray[i])); LocalFree(commandLineArray); } return commandLineList; } /** * Quotes spaces in a command line string. * * \param CommandLine The command line string. * \return A pointer to a string containing the quoted command line. */ PPH_STRING PhCommandLineQuoteSpaces( _In_ PCPH_STRINGREF CommandLine ) { static CONST PH_STRINGREF separator = PH_STRINGREF_INIT(L"\""); static CONST PH_STRINGREF space = PH_STRINGREF_INIT(L" "); PH_STRINGREF commandLineFileName; PH_STRINGREF commandLineArguments; PPH_STRING fileNameEscaped; PPH_STRING argumentsEscaped; if (!PhParseCommandLineFuzzy(CommandLine, &commandLineFileName, &commandLineArguments, NULL)) return NULL; fileNameEscaped = PhConcatStringRef3(&separator, &commandLineFileName, &separator); if (commandLineArguments.Length) { argumentsEscaped = PhConcatStringRef3(&separator, &commandLineArguments, &separator); PhMoveReference(&argumentsEscaped, PhConcatStringRef3(&fileNameEscaped->sr, &space, &argumentsEscaped->sr)); PhMoveReference(&fileNameEscaped, PhConcatStringRef3(&separator, &argumentsEscaped->sr, &separator)); } return fileNameEscaped; } /** * Searches for a file in the system path. * * \param FileName The name of the file to search for. * \param Extension An optional extension to append to the file name. * \return A pointer to a string containing the full path to the file, or NULL if not found. */ PPH_STRING PhSearchFilePath( _In_ PCWSTR FileName, _In_opt_ PCWSTR Extension ) { PPH_STRING fullPath; ULONG bufferSize; ULONG returnLength; FILE_BASIC_INFORMATION basicInfo; bufferSize = MAX_PATH; fullPath = PhCreateStringEx(NULL, bufferSize * sizeof(WCHAR)); returnLength = SearchPath( NULL, FileName, Extension, (ULONG)fullPath->Length / sizeof(WCHAR), fullPath->Buffer, NULL ); if (returnLength == 0 && returnLength <= bufferSize) goto CleanupExit; if (returnLength > bufferSize) { bufferSize = returnLength; PhDereferenceObject(fullPath); fullPath = PhCreateStringEx(NULL, bufferSize * sizeof(WCHAR)); returnLength = SearchPath( NULL, FileName, Extension, (ULONG)fullPath->Length / sizeof(WCHAR), fullPath->Buffer, NULL ); } if (returnLength == 0 && returnLength <= bufferSize) goto CleanupExit; PhTrimToNullTerminatorString(fullPath); // Make sure this is not a directory. if (!NT_SUCCESS(PhQueryAttributesFileWin32(fullPath->Buffer, &basicInfo))) goto CleanupExit; if (FlagOn(basicInfo.FileAttributes, FILE_ATTRIBUTE_DIRECTORY)) goto CleanupExit; return fullPath; CleanupExit: PhDereferenceObject(fullPath); return NULL; } //PPH_STRING PhCreateCacheFile( // _In_ PPH_STRING FileName // ) //{ // PPH_STRING tempFileName; // PPH_STRING cachefileName; // // if (tempFileName = PhGetTemporaryDirectoryRandomAlphaFileName()) // { // cachefileName = PhConcatStringRef3( // &tempFileName->sr, // &PhNtPathSeparatorString, // &FileName->sr // ); // // if (NT_SUCCESS(PhCreateDirectoryFullPathWin32(&cachefileName->sr))) // { // PhDereferenceObject(tempFileName); // return cachefileName; // } // // PhDereferenceObject(cachefileName); // PhDereferenceObject(tempFileName); // } // // return NULL; //} /** * Creates a cache file. * * \param PortableDirectory TRUE to use the application directory, FALSE to use the roaming app data directory. * \param FileName The name of the file. * \param NativeFileName TRUE to return a native path, FALSE for a Win32 path. * \return A pointer to a string containing the full path to the cache file. */ PPH_STRING PhCreateCacheFile( _In_ BOOLEAN PortableDirectory, _In_ PPH_STRING FileName, _In_ BOOLEAN NativeFileName ) { static CONST PH_STRINGREF settingsDirectory = PH_STRINGREF_INIT(L"cache"); PPH_STRING cacheDirectory; PPH_STRING cacheFilePath; PH_STRINGREF randomAlphaStringRef; WCHAR randomAlphaString[32] = L""; if (PortableDirectory) cacheDirectory = PhGetApplicationDirectoryFileName(&settingsDirectory, TRUE); else cacheDirectory = PhGetRoamingAppDataDirectory(&settingsDirectory, TRUE); if (PhIsNullOrEmptyString(cacheDirectory)) return NULL; PhGenerateRandomAlphaString(randomAlphaString, RTL_NUMBER_OF(randomAlphaString)); randomAlphaStringRef.Buffer = randomAlphaString; randomAlphaStringRef.Length = sizeof(randomAlphaString) - sizeof(UNICODE_NULL); cacheFilePath = PhConcatStringRef3( &cacheDirectory->sr, &PhNtPathSeparatorString, &randomAlphaStringRef ); PhMoveReference(&cacheFilePath, PhConcatStringRef3( &cacheFilePath->sr, &PhNtPathSeparatorString, &FileName->sr )); if (!NT_SUCCESS(PhCreateDirectoryFullPath(&cacheFilePath->sr))) { PhDereferenceObject(cacheFilePath); PhDereferenceObject(cacheDirectory); return NULL; } if (NativeFileName) { PPH_STRING cacheFileName; if (cacheFileName = PhDosPathNameToNtPathName(&cacheFilePath->sr)) { PhMoveReference(&cacheFilePath, cacheFileName); } } else { PPH_STRING cacheFileName; if (cacheFileName = PhResolveDevicePrefix(&cacheFilePath->sr)) { PhMoveReference(&cacheFilePath, cacheFileName); } } PhDereferenceObject(cacheDirectory); return cacheFilePath; } //VOID PhDeleteCacheFile( // _In_ PPH_STRING FileName // ) //{ // PPH_STRING cacheDirectory; // // if (PhDoesFileExistWin32(PhGetString(FileName))) // { // PhDeleteFileWin32(PhGetString(FileName)); // } // // if (cacheDirectory = PhGetBaseDirectory(FileName)) // { // PhDeleteDirectoryWin32(&cacheDirectory->sr); // PhDereferenceObject(cacheDirectory); // } //} /** * Deletes a cache file and its containing directory. * * \param FileName The name of the file. * \param NativeFileName TRUE if the file name is a native path, FALSE otherwise. */ VOID PhDeleteCacheFile( _In_ PPH_STRING FileName, _In_ BOOLEAN NativeFileName ) { if (NativeFileName) { if (PhDoesFileExist(&FileName->sr)) { PhDeleteDirectoryFullPath(&FileName->sr); } } else { PPH_STRING cacheDirectory; PPH_STRING cacheFullFilePath; ULONG indexOfFileName = ULONG_MAX; if (PhDoesFileExistWin32(PhGetString(FileName))) { PhDeleteFileWin32(PhGetString(FileName)); } if (NT_SUCCESS(PhGetFullPath(PhGetString(FileName), &cacheFullFilePath, &indexOfFileName))) { if (indexOfFileName != ULONG_MAX && (cacheDirectory = PhSubstring(cacheFullFilePath, 0, indexOfFileName))) { PhDeleteDirectoryWin32(&cacheDirectory->sr); PhDereferenceObject(cacheDirectory); } PhDereferenceObject(cacheFullFilePath); } } } /** * Clears the cache directory. * * \param PortableDirectory TRUE if the application is in portable mode, FALSE otherwise. */ VOID PhClearCacheDirectory( _In_ BOOLEAN PortableDirectory ) { static CONST PH_STRINGREF settingsDirectory = PH_STRINGREF_INIT(L"cache"); PPH_STRING cacheDirectory; if (PortableDirectory) cacheDirectory = PhGetApplicationDirectoryFileName(&settingsDirectory, TRUE); else cacheDirectory = PhGetRoamingAppDataDirectory(&settingsDirectory, TRUE); if (cacheDirectory) { PhDeleteDirectory(&cacheDirectory->sr); PhDereferenceObject(cacheDirectory); } } /** * Retrieves a handle to the private namespace for System Informer. * * \return A handle to the private namespace. */ HANDLE PhGetNamespaceHandle( VOID ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HANDLE directoryHandle = NULL; if (PhBeginInitOnce(&initOnce)) { UCHAR securityDescriptorBuffer[SECURITY_DESCRIPTOR_MIN_LENGTH + 0x70]; PSID administratorsSid = PhSeAdministratorsSid(); UNICODE_STRING objectName; OBJECT_ATTRIBUTES objectAttributes; PSECURITY_DESCRIPTOR securityDescriptor; ULONG sdAllocationLength; PACL dacl; // Create the default namespace DACL. sdAllocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH + (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(&PhSeLocalSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(administratorsSid) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + PhLengthSid(&PhSeInteractiveSid); securityDescriptor = (PSECURITY_DESCRIPTOR)securityDescriptorBuffer; dacl = PTR_ADD_OFFSET(securityDescriptor, SECURITY_DESCRIPTOR_MIN_LENGTH); PhCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION); PhCreateAcl(dacl, sdAllocationLength - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION); PhAddAccessAllowedAce(dacl, ACL_REVISION, DIRECTORY_ALL_ACCESS, &PhSeLocalSid); PhAddAccessAllowedAce(dacl, ACL_REVISION, DIRECTORY_ALL_ACCESS, administratorsSid); PhAddAccessAllowedAce(dacl, ACL_REVISION, DIRECTORY_QUERY | DIRECTORY_TRAVERSE | DIRECTORY_CREATE_OBJECT, &PhSeInteractiveSid); PhSetDaclSecurityDescriptor(securityDescriptor, TRUE, dacl, FALSE); RtlInitUnicodeString(&objectName, L"\\BaseNamedObjects\\SystemInformer"); InitializeObjectAttributes( &objectAttributes, &objectName, OBJ_OPENIF | (WindowsVersion < WINDOWS_10 ? 0 : OBJ_DONT_REPARSE), NULL, securityDescriptor ); NtCreateDirectoryObject(&directoryHandle, MAXIMUM_ALLOWED, &objectAttributes); assert(RtlValidSecurityDescriptor(securityDescriptor)); assert(sdAllocationLength < sizeof(securityDescriptorBuffer)); assert(RtlLengthSecurityDescriptor(securityDescriptor) < sizeof(securityDescriptorBuffer)); PhEndInitOnce(&initOnce); } return directoryHandle; } /** * Retrieves the hung window represented by a ghost window. * If the specified window is not a ghost window, the function returns NULL. * * \param WindowHandle The handle to the ghost window. * \return The handle to the original hung window if successful, otherwise NULL. */ HWND PhHungWindowFromGhostWindow( _In_ HWND WindowHandle ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; // This is an undocumented function exported by user32.dll that // retrieves the hung window represented by a ghost window. (wj32) static HWND (WINAPI *HungWindowFromGhostWindow_I)( _In_ HWND GhostWindowHandle ); if (PhBeginInitOnce(&initOnce)) { HungWindowFromGhostWindow_I = PhGetDllProcedureAddressZ(L"user32.dll", "HungWindowFromGhostWindow", 0); PhEndInitOnce(&initOnce); } if (!HungWindowFromGhostWindow_I) return NULL; // The call will return NULL if the window wasn't actually a ghost window. (wj32) return HungWindowFromGhostWindow_I(WindowHandle); } /** * Reads all data from a file into a buffer. * * \param FileHandle A handle to the file. * \param Buffer Receives a pointer to the buffer containing the file data. * \param BufferLength Receives the length of the buffer. * \return Successful or errant status. */ NTSTATUS PhGetFileData( _In_ HANDLE FileHandle, _Out_ PVOID* Buffer, _Out_ PULONG BufferLength ) { NTSTATUS status; PSTR data = NULL; ULONG allocatedLength; ULONG dataLength; ULONG returnLength; IO_STATUS_BLOCK isb; BYTE buffer[PAGE_SIZE * 2]; allocatedLength = sizeof(buffer); data = PhAllocate(allocatedLength); dataLength = 0; while (NT_SUCCESS(status = NtReadFile( FileHandle, NULL, NULL, NULL, &isb, buffer, sizeof(buffer), NULL, NULL ))) { returnLength = (ULONG)isb.Information; if (returnLength == 0) break; if (allocatedLength < dataLength + returnLength) { allocatedLength *= 2; data = PhReAllocate(data, allocatedLength); } memcpy(data + dataLength, buffer, returnLength); dataLength += returnLength; } if (status == STATUS_END_OF_FILE) { status = STATUS_SUCCESS; } if (status == STATUS_PIPE_BROKEN) { status = STATUS_SUCCESS; } if (!NT_SUCCESS(status)) { PhFree(data); *Buffer = NULL; *BufferLength = 0; return status; } if (allocatedLength < dataLength + sizeof(ANSI_NULL)) { allocatedLength++; data = PhReAllocate(data, allocatedLength); } data[dataLength] = ANSI_NULL; *Buffer = data; *BufferLength = dataLength; return status; } /** * Reads all text from a file. * * \param String Receives a pointer to the string containing the file text. * \param FileHandle A handle to the file. * \param Unicode TRUE to return a Unicode string, FALSE to return an ANSI string. * \return Successful or errant status. */ NTSTATUS PhGetFileText( _Out_ PVOID* String, _In_ HANDLE FileHandle, _In_ BOOLEAN Unicode ) { NTSTATUS status; ULONG dataLength; PSTR data; status = PhGetFileData( FileHandle, &data, &dataLength ); if (NT_SUCCESS(status)) { if (dataLength) { if (Unicode) *String = PhConvertUtf8ToUtf16Ex(data, dataLength); else *String = PhCreateBytesEx(data, dataLength); } else { *String = PhReferenceEmptyString(); } PhFree(data); } return status; } /** * Reads all text from a file. * * \param String Receives a pointer to the string containing the file text. * \param FileName The name of the file. * \param Unicode TRUE to return a Unicode string, FALSE to return an ANSI string. * \return Successful or errant status. */ NTSTATUS PhFileReadAllText( _Out_ PVOID* String, _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN Unicode ) { NTSTATUS status; HANDLE fileHandle; status = PhCreateFile( &fileHandle, FileName, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { status = PhGetFileText( String, fileHandle, Unicode ); NtClose(fileHandle); } return status; } /** * Reads all text from a file. * * \param String Receives a pointer to the string containing the file text. * \param FileName The Win32 name of the file. * \param Unicode TRUE to return a Unicode string, FALSE to return an ANSI string. * \return Successful or errant status. */ NTSTATUS PhFileReadAllTextWin32( _Out_ PVOID* String, _In_ PCWSTR FileName, _In_ BOOLEAN Unicode ) { NTSTATUS status; HANDLE fileHandle; status = PhCreateFileWin32( &fileHandle, FileName, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { status = PhGetFileText( String, fileHandle, Unicode ); NtClose(fileHandle); } return status; } /** * Writes text to a file. * * \param FileName The name of the file. * \param String The text to write. * \return Successful or errant status. */ NTSTATUS PhFileWriteAllText( _In_ PCPH_STRINGREF FileName, _In_ PCPH_STRINGREF String ) { NTSTATUS status; HANDLE fileHandle; status = PhCreateFile( &fileHandle, FileName, FILE_GENERIC_WRITE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { status = PhWriteFile( fileHandle, String->Buffer, (ULONG)String->Length, NULL, NULL ); NtClose(fileHandle); } return status; } /** * Retrieves a class object from a DLL. * * \param DllBase The base address of the DLL. * \param Rclsid The class identifier. * \param Riid The interface identifier. * \param Ppv Receives the interface pointer. * \return Successful or errant status. */ HRESULT PhGetClassObjectDllBase( _In_ PVOID DllBase, _In_ REFCLSID Rclsid, _In_ REFIID Riid, _Out_ PVOID* Ppv ) { HRESULT (WINAPI* DllGetClassObject_I)(_In_ REFCLSID rclsid, _In_ REFIID riid, _COM_Outptr_ PVOID* ppv); HRESULT status; IClassFactory* classFactory; if (!(DllGetClassObject_I = PhGetDllBaseProcedureAddress(DllBase, "DllGetClassObject", 0))) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); status = DllGetClassObject_I( Rclsid, &IID_IClassFactory, &classFactory ); if (SUCCEEDED(status)) { status = IClassFactory_CreateInstance( classFactory, NULL, Riid, Ppv ); IClassFactory_Release(classFactory); } return status; } /** * \brief Provides a pointer to an interface on a class object associated with a specified CLSID. * Most class objects implement the IClassFactory interface. You would then call CreateInstance to * create an uninitialized object. It is not always necessary to go through this process however. * * \param DllName The file containing the object to initialize. * \param Rclsid A pointer to the class identifier of the object to be created. * \param Riid Reference to the identifier of the interface to communicate with the class object. * \a Typically this value is IID_IClassFactory, although other values such as IID_IClassFactory2 which supports a form of licensing are allowed. * \param Ppv The address of pointer variable that contains the requested interface. * \return Successful or errant status. */ HRESULT PhGetClassObject( _In_ PCWSTR DllName, _In_ REFCLSID Rclsid, _In_ REFIID Riid, _Out_ PVOID* Ppv ) { #if defined(PH_BUILD_MSIX) HRESULT status; IClassFactory* classFactory; status = CoGetClassObject( Rclsid, CLSCTX_INPROC_SERVER, NULL, &IID_IClassFactory, &classFactory ); if (HR_SUCCESS(status)) { status = IClassFactory_CreateInstance( classFactory, NULL, Riid, Ppv ); IClassFactory_Release(classFactory); } return status; #else PVOID baseAddress; PH_STRINGREF baseDllName; PhInitializeStringRefLongHint(&baseDllName, DllName); if (!(baseAddress = PhGetLoaderEntryDllBase(NULL, &baseDllName))) { if (!(baseAddress = PhLoadLibrary(DllName))) return HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND); } return PhGetClassObjectDllBase(baseAddress, Rclsid, Riid, Ppv); #endif } /** * Retrieves an activation factory from a DLL. * * \param DllBase The base address of the DLL. * \param RuntimeClass The runtime class name. * \param Riid The interface identifier. * \param Ppv Receives the interface pointer. * \return Successful or errant status. */ HRESULT PhGetActivationFactoryDllBase( _In_ PVOID DllBase, _In_ PCWSTR RuntimeClass, _In_ REFIID Riid, _Out_ PVOID* Ppv ) { HRESULT (WINAPI* DllGetActivationFactory_I)(_In_ HSTRING RuntimeClassId, _Out_ PVOID* ActivationFactory); HRESULT status; HSTRING_REFERENCE string; IActivationFactory* activationFactory; if (FAILED(status = PhCreateWindowsRuntimeStringReference(RuntimeClass, &string))) return status; if (!(DllGetActivationFactory_I = PhGetDllBaseProcedureAddress(DllBase, "DllGetActivationFactory", 0))) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); status = DllGetActivationFactory_I( HSTRING_FROM_STRING(string), &activationFactory ); if (SUCCEEDED(status)) { status = IActivationFactory_QueryInterface( activationFactory, Riid, Ppv ); IActivationFactory_Release(activationFactory); } return status; } /** * \brief Activates the specified Windows Runtime class. * * \param DllName The file containing the object to initialize. * \param RuntimeClass The class identifier string that is associated with the activatable runtime class. * \param Riid The reference ID of the interface. * \param Ppv The activation factory. * \return Successful or errant status. */ HRESULT PhGetActivationFactory( _In_ PCWSTR DllName, _In_ PCWSTR RuntimeClass, _In_ REFIID Riid, _Out_ PVOID* Ppv ) { #if defined(PH_BUILD_MSIX) static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&WindowsCreateStringReference) WindowsCreateStringReference_I = NULL; static typeof(&RoGetActivationFactory) RoGetActivationFactory_I = NULL; HRESULT status; HSTRING runtimeClassStringHandle = NULL; HSTRING_HEADER runtimeClassStringHeader; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"combase.dll")) { WindowsCreateStringReference_I = PhGetDllBaseProcedureAddress(baseAddress, "WindowsCreateStringReference", 0); RoGetActivationFactory_I = PhGetDllBaseProcedureAddress(baseAddress, "RoGetActivationFactory", 0); } PhEndInitOnce(&initOnce); } if (!(WindowsCreateStringReference_I && RoGetActivationFactory_I)) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); status = WindowsCreateStringReference_I( RuntimeClass, (UINT32)PhCountStringZ(RuntimeClass), &runtimeClassStringHeader, &runtimeClassStringHandle ); if (HR_SUCCESS(status)) { status = RoGetActivationFactory_I( runtimeClassStringHandle, Riid, Ppv ); } return status; #else PVOID baseAddress; PH_STRINGREF baseDllName; PhInitializeStringRefLongHint(&baseDllName, DllName); if (!(baseAddress = PhGetLoaderEntryDllBase(NULL, &baseDllName))) { if (!(baseAddress = PhLoadLibrary(DllName))) return HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND); } return PhGetActivationFactoryDllBase(baseAddress, RuntimeClass, Riid, Ppv); #endif } /** * Activates an instance of a Windows Runtime class from a specified DLL base address. * * This function attempts to create and return an instance of a Windows Runtime class (specified by * the class name) from a loaded DLL image. It uses the DllGetActivationFactory export if available * to obtain the activation factory, then calls IActivationFactory::ActivateInstance to create the * object and query the requested interface. * * \param DllBase The base address of the loaded DLL containing the Windows Runtime class. * \param RuntimeClass The name of the runtime class to activate (e.g., L"Windows.Storage.StorageFile"). * \param Riid The interface identifier (IID) of the interface to retrieve from the created instance. * \param Ppv A pointer that receives the interface pointer requested in Riid. * \return Returns an HRESULT indicating success or failure. * * \remarks * - This function is typically used for COM/WinRT activation scenarios where the class is not * registered globally but is available in a specific DLL. * - The function first creates an HSTRING reference for the class name, then calls the * DllGetActivationFactory export to obtain an activation factory. It then calls * IActivationFactory::ActivateInstance to create the object and queries the requested * interface. * - The caller must ensure that the DLL is loaded and that the class is available. * - On success, the caller is responsible for releasing the returned interface pointer. */ HRESULT PhActivateInstanceDllBase( _In_ PVOID DllBase, _In_ PCWSTR RuntimeClass, _In_ REFIID Riid, _Out_ PVOID* Ppv ) { HRESULT (WINAPI* DllGetActivationFactory_I)(_In_ HSTRING RuntimeClassId, _Out_ PVOID * ActivationFactory); HRESULT status; HSTRING_REFERENCE string; IActivationFactory* activationFactory; IInspectable* inspectableObject; if (FAILED(status = PhCreateWindowsRuntimeStringReference(RuntimeClass, &string))) return status; if (!(DllGetActivationFactory_I = PhGetDllBaseProcedureAddress(DllBase, "DllGetActivationFactory", 0))) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); status = DllGetActivationFactory_I( HSTRING_FROM_STRING(string), &activationFactory ); if (SUCCEEDED(status)) { status = IActivationFactory_ActivateInstance( activationFactory, &inspectableObject ); if (SUCCEEDED(status)) { status = IInspectable_QueryInterface( inspectableObject, Riid, Ppv ); IInspectable_Release(inspectableObject); } IActivationFactory_Release(activationFactory); } return status; } /** * \brief Activates the specified Windows Runtime class. * * \param DllName The file containing the object to initialize. * \param RuntimeClass The class identifier string that is associated with the activatable runtime class. * \param Riid The reference ID of the interface. * \param Ppv A pointer to the activated instance of the runtime class. * \return Successful or errant status. */ HRESULT PhActivateInstance( _In_ PCWSTR DllName, _In_ PCWSTR RuntimeClass, _In_ REFIID Riid, _Out_ PVOID* Ppv ) { #if defined(PH_BUILD_MSIX) static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&WindowsCreateStringReference) WindowsCreateStringReference_I = NULL; static typeof(&RoActivateInstance) RoActivateInstance_I = NULL; HRESULT status; HSTRING runtimeClassStringHandle = NULL; HSTRING_HEADER runtimeClassStringHeader; IInspectable* inspectableObject; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"combase.dll")) { WindowsCreateStringReference_I = PhGetDllBaseProcedureAddress(baseAddress, "WindowsCreateStringReference", 0); RoActivateInstance_I = PhGetDllBaseProcedureAddress(baseAddress, "RoActivateInstance", 0); } PhEndInitOnce(&initOnce); } if (!(WindowsCreateStringReference_I && RoActivateInstance_I)) return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND); status = WindowsCreateStringReference_I( RuntimeClass, (UINT32)PhCountStringZ(RuntimeClass), &runtimeClassStringHeader, &runtimeClassStringHandle ); if (HR_SUCCESS(status)) { status = RoActivateInstance_I( runtimeClassStringHandle, &inspectableObject ); if (HR_SUCCESS(status)) { status = IInspectable_QueryInterface( inspectableObject, Riid, Ppv ); IInspectable_Release(inspectableObject); } } return status; #else PVOID baseAddress; PH_STRINGREF baseDllName; PhInitializeStringRefLongHint(&baseDllName, DllName); if (!(baseAddress = PhGetLoaderEntryDllBase(NULL, &baseDllName))) { if (!(baseAddress = PhLoadLibrary(DllName))) return HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND); } return PhActivateInstanceDllBase(baseAddress, RuntimeClass, Riid, Ppv); #endif } #if defined(PH_NATIVE_RING_BUFFER) // This function creates a ring buffer by allocating a pagefile-backed section // and mapping two views of that section next to each other. This way if the // last record in the buffer wraps it can still be accessed in a linear fashion // using its base VA. (Win10 RS5 and above only) (dmex) // Based on Win32 version: https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc2#examples /** * Creates a ring buffer. * * \param BufferSize The size of the buffer. * \param RingBuffer Receives a pointer to the ring buffer. * \param SecondaryView Receives a pointer to the secondary view of the buffer. * \return Successful or errant status. */ NTSTATUS PhCreateRingBuffer( _In_ SIZE_T BufferSize, _Out_ PVOID* RingBuffer, _Out_ PVOID* SecondaryView ) { NTSTATUS status; SIZE_T regionSize; LARGE_INTEGER sectionSize; HANDLE sectionHandle = NULL; PVOID placeholder1 = NULL; PVOID placeholder2 = NULL; PVOID sectionView1 = NULL; PVOID sectionView2 = NULL; if ((BufferSize % PhSystemBasicInformation.AllocationGranularity) != 0) return STATUS_UNSUCCESSFUL; // // Reserve a placeholder region where the buffer will be mapped. // regionSize = 2 * BufferSize; status = NtAllocateVirtualMemoryEx( NtCurrentProcess(), &placeholder1, ®ionSize, MEM_RESERVE | MEM_RESERVE_PLACEHOLDER, PAGE_NOACCESS, NULL, 0 ); if (!NT_SUCCESS(status)) goto CleanupExit; // // Split the placeholder region into two regions of equal size. // regionSize = BufferSize; status = NtFreeVirtualMemory( NtCurrentProcess(), &placeholder1, ®ionSize, MEM_RELEASE | MEM_PRESERVE_PLACEHOLDER ); if (!NT_SUCCESS(status)) goto CleanupExit; placeholder2 = PTR_ADD_OFFSET(placeholder1, BufferSize); // // Create a pagefile-backed section for the buffer. // sectionSize.QuadPart = BufferSize; status = NtCreateSectionEx( §ionHandle, SECTION_ALL_ACCESS, NULL, §ionSize, PAGE_READWRITE, SEC_COMMIT, NULL, NULL, 0 ); if (!NT_SUCCESS(status)) goto CleanupExit; // // Map the section into the first placeholder region. // regionSize = BufferSize; sectionView1 = placeholder1; status = NtMapViewOfSectionEx( sectionHandle, NtCurrentProcess(), §ionView1, 0, ®ionSize, MEM_REPLACE_PLACEHOLDER, PAGE_READWRITE, NULL, 0 ); if (!NT_SUCCESS(status)) goto CleanupExit; // // Ownership transferred, don't free this now. // placeholder1 = NULL; // // Map the section into the second placeholder region. // regionSize = BufferSize; sectionView2 = placeholder2; status = NtMapViewOfSectionEx( sectionHandle, NtCurrentProcess(), §ionView2, 0, ®ionSize, MEM_REPLACE_PLACEHOLDER, PAGE_READWRITE, NULL, 0 ); if (!NT_SUCCESS(status)) goto CleanupExit; // // Success, return both mapped views to the caller. // *RingBuffer = sectionView1; *SecondaryView = sectionView2; #ifdef DEBUG // assert the buffer wraps properly. ((PCHAR)sectionView1)[0] = 'a'; assert(((PCHAR)sectionView1)[BufferSize] == 'a'); #endif placeholder2 = NULL; sectionView1 = NULL; sectionView2 = NULL; CleanupExit: if (sectionHandle) { NtClose(sectionHandle); } if (placeholder1) { regionSize = 0; NtFreeVirtualMemory(NtCurrentProcess(), placeholder1, ®ionSize, MEM_RELEASE); } if (placeholder2) { regionSize = 0; NtFreeVirtualMemory(NtCurrentProcess(), placeholder2, ®ionSize, MEM_RELEASE); } if (sectionView1) PhUnmapViewOfSection(NtCurrentProcess(), sectionView1); if (sectionView2) PhUnmapViewOfSection(NtCurrentProcess(), sectionView2); return status; } #endif /** * Suspends the current thread for a specified interval. * * This function delays execution for the given interval, optionally allowing the wait to be alertable. * On Windows 11 and later, it uses RtlDelayExecution if available; otherwise, it falls back to NtDelayExecution. * * \param Alertable If TRUE, the wait is alertable and can be interrupted by an APC; otherwise, the wait is not alertable. * \param DelayInterval A pointer to a LARGE_INTEGER that specifies the interval to wait, in 100-nanosecond units. A negative value indicates relative time. * \return An NTSTATUS code indicating success or failure of the delay operation. * \note * RtlDelayExecution is preferred on Windows 11 and later because it provides additional logic and optimizations * over NtDelayExecution and ensures more efficient and robust thread suspension on modern Windows versions plus * future compatibility with OS-level enhancements * * RtlDelayExecution: * - Wraps NtDelayExecution/ZwDelayExecution and adds additional logic before and after the system call. * - Spin-Wait Optimization: If the delay interval is zero (i.e., a "yield" or very short sleep), and certain internal * configuration variables are set, it may perform a short spin-wait (using _mm_pause()) before calling the system call. * This is to avoid excessive context switches and improve performance for very short waits. * - Performance Counter Tracking: Uses RtlQueryPerformanceCounter to track the time since the last sleep and adjust spin-waiting accordingly. * - TEB State Tracking: Updates fields in the thread environment block (TEB), such as SpinCallCount and LastSleepCounter, to manage spin-wait heuristics. * - Adaptive Backoff: The amount of spin-waiting can increase if the thread is calling delay execution in rapid succession, up to a configured maximum. * - Resets Spin Count on Real Wait: if the delay was not interrupted (STATUS_ALERTED), resets the spin count. */ NTSTATUS PhDelayExecutionEx( _In_ BOOLEAN Alertable, _In_ PLARGE_INTEGER DelayInterval ) { if (WindowsVersion >= WINDOWS_11 && RtlDelayExecution_Import()) { return RtlDelayExecution_Import()(Alertable, DelayInterval); } return NtDelayExecution(Alertable, DelayInterval); } /** * Suspends the current thread for a specified number of milliseconds. * * This function delays execution for the specified number of milliseconds. If the value is INFINITE, * the thread is suspended indefinitely. Otherwise, the delay is converted to a negative relative interval * in 100-nanosecond units and passed to PhDelayExecutionEx. * * \note * On Windows 11 and later, PhDelayExecutionEx uses RtlDelayExecution, which provides improved behavior * for short waits and better compatibility with future Windows updates. * \param Milliseconds The number of milliseconds to delay. Use INFINITE to wait indefinitely. * \return An NTSTATUS code indicating success or failure of the delay operation. */ NTSTATUS PhDelayExecution( _In_ ULONG Milliseconds ) { if (Milliseconds == INFINITE) { LARGE_INTEGER interval; interval.QuadPart = LLONG_MIN; return PhDelayExecutionEx(FALSE, &interval); } else { LARGE_INTEGER interval; interval.QuadPart = -(LONGLONG)UInt32x32To64(Milliseconds, PH_TIMEOUT_MS); return PhDelayExecutionEx(FALSE, &interval); } } /** * Computes a case-insensitive hash value for a Unicode string using a specified hash factor. * * This function is used for hashing API Set names in the Windows API Set schema resolution logic. * It iterates over each character in the string, normalizes uppercase ASCII letters to lowercase, * and accumulates the hash using the provided hash factor. * * \param String A pointer to a PH_STRINGREF structure representing the Unicode string to hash. * \param HashFactor The multiplier used in the hash calculation (typically provided by the schema). * \return The computed hash value as an unsigned long. */ FORCEINLINE ULONG PhApiSetHashString( _In_ PCPH_STRINGREF String, _In_ ULONG HashFactor ) { ULONG hash = 0; for (ULONG i = 0; i < String->Length / sizeof(WCHAR); i++) { hash = hash * HashFactor + ((USHORT)(String->Buffer[i] - L'A') <= L'Z' - L'A' ? String->Buffer[i] + L'a' - L'A' : String->Buffer[i]); } return hash; } /** * Resolves an API Set name to a host DLL name. * * \param[in] Schema The API Set definition, such as PEB->ApiSetMap. * \param[in] ApiSetName The name of the API Set, with or without a .dll extension. * \param[in] ParentName An optional name of the parent (importing) module. * \param[out] HostBinary The resolved name of the DLL. * \return Successful or errant status. */ NTSTATUS PhApiSetResolveToHost( _In_ PAPI_SET_NAMESPACE Schema, _In_ PCPH_STRINGREF ApiSetName, _In_opt_ PCPH_STRINGREF ParentName, _Out_ PPH_STRINGREF HostBinary ) { PH_STRINGREF parentNameFilePart; if (ApiSetName->Length >= 4 * sizeof(WCHAR)) { // Extract and downcase the first 4 characters ULONGLONG apisetNameBufferPrefix = ((PULONGLONG)ApiSetName->Buffer)[0] & 0xFFFFFFDFFFDFFFDF; // Verify the API Set prefixes if (apisetNameBufferPrefix != 0x2D004900500041ULL && // L"api-" apisetNameBufferPrefix != 0x2D005400580045ULL) // L"ext-" return STATUS_INVALID_PARAMETER; } else { return STATUS_INVALID_PARAMETER; } if (ParentName) { // If given a path, we are only interested in the file component if (!PhGetBasePath(ParentName, NULL, &parentNameFilePart)) { parentNameFilePart.Buffer = ParentName->Buffer; parentNameFilePart.Length = ParentName->Length; } } switch (Schema->Version) { case API_SET_SCHEMA_VERSION_V6: { PAPI_SET_NAMESPACE_ENTRY namespaceEntries = PTR_ADD_OFFSET(Schema, Schema->EntryOffset); PAPI_SET_NAMESPACE_ENTRY namespaceEntry; PAPI_SET_HASH_ENTRY hashEntries = PTR_ADD_OFFSET(Schema, Schema->HashOffset); PAPI_SET_HASH_ENTRY hashEntry; PAPI_SET_VALUE_ENTRY valueEntry; PH_STRINGREF apisetNamespacePart; PH_STRINGREF apisetNameHashedPart; ULONG_PTR hyphenIndex; ULONG hash; LONG minIndex; LONG maxIndex; LONG midIndex; LONG comparison; if (!Schema->Count) return STATUS_NOT_FOUND; if (Schema->Count > MAXINT32) return STATUS_INTEGER_OVERFLOW; // The hash covers the length up to but not including the last hyphen hyphenIndex = PhFindLastCharInStringRef(ApiSetName, L'-', FALSE); // There must be a hyphen if it passed the prefix check assert(hyphenIndex != SIZE_MAX); apisetNameHashedPart.Buffer = ApiSetName->Buffer; apisetNameHashedPart.Length = hyphenIndex * sizeof(WCHAR); hash = PhApiSetHashString(&apisetNameHashedPart, Schema->HashFactor); minIndex = 0; maxIndex = Schema->Count - 1; // Perform a binary search for the API Set name hash do { midIndex = (maxIndex + minIndex) / 2; hashEntry = &hashEntries[midIndex]; if (hash < hashEntry->Hash) maxIndex = midIndex - 1; else if (hash > hashEntry->Hash) minIndex = midIndex + 1; else { namespaceEntry = &namespaceEntries[hashEntry->Index]; // Verify the API Set name matches, in addition to its hash apisetNamespacePart.Buffer = PTR_ADD_OFFSET(Schema, namespaceEntry->NameOffset); apisetNamespacePart.Length = namespaceEntry->HashedLength; comparison = PhCompareStringRef( &apisetNameHashedPart, &apisetNamespacePart, TRUE ); //comparison = RtlCompareUnicodeStrings( // apiSetNameHashedPart.Buffer, // apiSetNameHashedPart.Length / sizeof(WCHAR), // PTR_ADD_OFFSET(Schema, namespaceEntry->NameOffset), // namespaceEntry->HashedLength / sizeof(WCHAR), // TRUE // ); if (comparison < 0) maxIndex = midIndex - 1; else if (comparison > 0) minIndex = midIndex + 1; else break; } if (minIndex > maxIndex) return STATUS_NOT_FOUND; } while (TRUE); valueEntry = PTR_ADD_OFFSET(Schema, namespaceEntry->ValueOffset); // Try module-specific search if (ParentName && namespaceEntry->ValueCount > 1) { if (namespaceEntry->ValueCount > MAXINT32) return STATUS_INTEGER_OVERFLOW; minIndex = 0; maxIndex = namespaceEntry->ValueCount - 1; // Perform binary search for the parent name do { midIndex = (maxIndex + minIndex) / 2; apisetNamespacePart.Buffer = PTR_ADD_OFFSET(Schema, valueEntry[midIndex].NameOffset); apisetNamespacePart.Length = valueEntry[midIndex].NameLength; comparison = PhCompareStringRef( &parentNameFilePart, &apisetNamespacePart, TRUE ); //comparison = RtlCompareUnicodeStrings( // parentNameFilePart.Buffer, // parentNameFilePart.Length / sizeof(WCHAR), // PTR_ADD_OFFSET(Schema, valueEntry[midIndex].NameOffset), // valueEntry[midIndex].NameLength / sizeof(WCHAR), // TRUE // ); if (comparison < 0) maxIndex = midIndex - 1; else if (comparison > 0) minIndex = midIndex + 1; else { if (!valueEntry[midIndex].ValueLength) return STATUS_APISET_NOT_HOSTED; // Return the parent-specific result HostBinary->Buffer = PTR_ADD_OFFSET(Schema, valueEntry[midIndex].ValueOffset); HostBinary->Length = valueEntry[midIndex].ValueLength; return STATUS_SUCCESS; } // No match; fall back to the default value if (minIndex > maxIndex) break; } while (TRUE); } // Use the default value if (namespaceEntry->ValueCount) { if (!valueEntry[0].ValueLength) return STATUS_APISET_NOT_HOSTED; HostBinary->Buffer = PTR_ADD_OFFSET(Schema, valueEntry[0].ValueOffset); HostBinary->Length = valueEntry[0].ValueLength; return STATUS_SUCCESS; } return STATUS_NOT_FOUND; } break; case API_SET_SCHEMA_VERSION_V4: { PAPI_SET_NAMESPACE_ARRAY_V4 schema = (PAPI_SET_NAMESPACE_ARRAY_V4)Schema; PAPI_SET_VALUE_ARRAY_V4 valueArray; PH_STRINGREF apisetNamespacePart; PH_STRINGREF apisetNameShort; LONG comparison; LONG minIndex; LONG maxIndex; LONG midIndex; if (!schema->Count) return STATUS_NOT_FOUND; if (schema->Count > MAXINT32) return STATUS_INTEGER_OVERFLOW; // Should be covered by the prefix check assert(ApiSetName->Length >= 4 * sizeof(WCHAR)); // Skip the "api-" and "ext-" prefixes apisetNameShort.Buffer = ApiSetName->Buffer + 4; apisetNameShort.Length = ApiSetName->Length - 4 * sizeof(WCHAR); // Ignore file extension (when present) if (apisetNameShort.Length >= 4 * sizeof(WCHAR) && apisetNameShort.Buffer[apisetNameShort.Length / sizeof(WCHAR) - 4] == L'.') apisetNameShort.Length -= 4 * sizeof(WCHAR); minIndex = 0; maxIndex = schema->Count - 1; // Perform a binary search for the API Set name do { midIndex = (maxIndex + minIndex) / 2; apisetNamespacePart.Buffer = PTR_ADD_OFFSET(schema, schema->Array[midIndex].NameOffset); apisetNamespacePart.Length = schema->Array[midIndex].NameLength; comparison = PhCompareStringRef( &apisetNameShort, &apisetNamespacePart, TRUE ); //comparison = RtlCompareUnicodeStrings( // apisetNameShort.Buffer, // apisetNameShort.Length / sizeof(WCHAR), // PTR_ADD_OFFSET(schema, schema->Array[midIndex].NameOffset), // schema->Array[midIndex].NameLength / sizeof(WCHAR), // TRUE // ); if (comparison < 0) maxIndex = midIndex - 1; else if (comparison > 0) minIndex = midIndex + 1; else break; if (minIndex > maxIndex) return STATUS_NOT_FOUND; } while (TRUE); valueArray = PTR_ADD_OFFSET(schema, schema->Array[midIndex].DataOffset); // Try module-specific search if (ParentName && valueArray->Count > 1) { if (valueArray->Count > MAXINT32) return STATUS_INTEGER_OVERFLOW; minIndex = 0; maxIndex = valueArray->Count - 1; // Perform binary search for the parent name do { midIndex = (maxIndex + minIndex) / 2; apisetNamespacePart.Buffer = PTR_ADD_OFFSET(schema, valueArray->Array[midIndex].NameOffset); apisetNamespacePart.Length = valueArray->Array[midIndex].NameLength; comparison = PhCompareStringRef( &parentNameFilePart, &apisetNamespacePart, TRUE ); //comparison = RtlCompareUnicodeStrings( // parentNameFilePart.Buffer, // parentNameFilePart.Length / sizeof(WCHAR), // PTR_ADD_OFFSET(schema, valueArray->Array[midIndex].NameOffset), // valueArray->Array[midIndex].NameLength / sizeof(WCHAR), // TRUE // ); if (comparison < 0) maxIndex = midIndex - 1; else if (comparison > 0) minIndex = midIndex + 1; else { if (!valueArray->Array[midIndex].ValueLength) return STATUS_APISET_NOT_HOSTED; // Return the parent-specific result HostBinary->Buffer = PTR_ADD_OFFSET(schema, valueArray->Array[midIndex].ValueOffset); HostBinary->Length = valueArray->Array[midIndex].ValueLength; return STATUS_SUCCESS; } // No match; fall back to the default value if (minIndex > maxIndex) break; } while (TRUE); } // Use the default value if (valueArray->Count) { if (!valueArray->Array[0].ValueLength) return STATUS_APISET_NOT_HOSTED; HostBinary->Buffer = PTR_ADD_OFFSET(schema, valueArray->Array[0].ValueOffset); HostBinary->Length = valueArray->Array[0].ValueLength; return STATUS_SUCCESS; } return STATUS_NOT_FOUND; } break; case API_SET_SCHEMA_VERSION_V2: { PAPI_SET_NAMESPACE_ARRAY_V2 schema = (PAPI_SET_NAMESPACE_ARRAY_V2)Schema; PAPI_SET_VALUE_ARRAY_V2 valueArray; PH_STRINGREF apisetNamespacePart; PH_STRINGREF apiSetNameShort; LONG comparison; LONG minIndex; LONG maxIndex; LONG midIndex; if (!schema->Count) return STATUS_NOT_FOUND; if (schema->Count > MAXINT32) return STATUS_INTEGER_OVERFLOW; // Should be covered by the prefix check assert(ApiSetName->Length >= 4 * sizeof(WCHAR)); // Skip the "api-" and "ext-" prefixes apiSetNameShort.Buffer = ApiSetName->Buffer + 4; apiSetNameShort.Length = ApiSetName->Length - 4 * sizeof(WCHAR); // Ignore file extension (when present) if (apiSetNameShort.Length >= 4 * sizeof(WCHAR) && apiSetNameShort.Buffer[apiSetNameShort.Length / sizeof(WCHAR) - 4] == L'.') apiSetNameShort.Length -= 4 * sizeof(WCHAR); minIndex = 0; maxIndex = schema->Count - 1; // Perform a binary search for the API Set name do { midIndex = (maxIndex + minIndex) / 2; apisetNamespacePart.Buffer = PTR_ADD_OFFSET(schema, schema->Array[midIndex].NameOffset); apisetNamespacePart.Length = schema->Array[midIndex].NameLength; comparison = PhCompareStringRef( &apiSetNameShort, &apisetNamespacePart, TRUE ); //comparison = RtlCompareUnicodeStrings( // apiSetNameShort.Buffer, // apiSetNameShort.Length / sizeof(WCHAR), // PTR_ADD_OFFSET(schema, schema->Array[midIndex].NameOffset), // schema->Array[midIndex].NameLength / sizeof(WCHAR), // TRUE // ); if (comparison < 0) maxIndex = midIndex - 1; else if (comparison > 0) minIndex = midIndex + 1; else break; if (minIndex > maxIndex) return STATUS_NOT_FOUND; } while (TRUE); valueArray = PTR_ADD_OFFSET(schema, schema->Array[midIndex].DataOffset); // Try module-specific search if (ParentName && valueArray->Count > 1) { if (valueArray->Count > MAXINT32) return STATUS_INTEGER_OVERFLOW; minIndex = 0; maxIndex = valueArray->Count - 1; // Perform binary search for the parent name do { midIndex = (maxIndex + minIndex) / 2; apisetNamespacePart.Buffer = PTR_ADD_OFFSET(schema, valueArray->Array[midIndex].NameOffset); apisetNamespacePart.Length = valueArray->Array[midIndex].NameLength; comparison = PhCompareStringRef( &apiSetNameShort, &apisetNamespacePart, TRUE ); //comparison = RtlCompareUnicodeStrings( // parentNameFilePart.Buffer, // parentNameFilePart.Length / sizeof(WCHAR), // PTR_ADD_OFFSET(schema, valueArray->Array[midIndex].NameOffset), // valueArray->Array[midIndex].NameLength / sizeof(WCHAR), // TRUE // ); if (comparison < 0) maxIndex = midIndex - 1; else if (comparison > 0) minIndex = midIndex + 1; else { if (!valueArray->Array[midIndex].ValueLength) return STATUS_APISET_NOT_HOSTED; // Return the parent-specific result HostBinary->Buffer = PTR_ADD_OFFSET(schema, valueArray->Array[midIndex].ValueOffset); HostBinary->Length = valueArray->Array[midIndex].ValueLength; return STATUS_SUCCESS; } // No match; fall back to the default value if (minIndex > maxIndex) break; } while (TRUE); } // Use the default value if (valueArray->Count) { if (!valueArray->Array[0].ValueLength) return STATUS_APISET_NOT_HOSTED; HostBinary->Buffer = PTR_ADD_OFFSET(schema, valueArray->Array[0].ValueOffset); HostBinary->Length = valueArray->Array[0].ValueLength; return STATUS_SUCCESS; } return STATUS_NOT_FOUND; } break; } return STATUS_UNKNOWN_REVISION; } /** * Creates a process as the interactive user using the Windows Desktop Controller (WDC) API. * * This function attempts to launch a process in the context of the currently active interactive user session. * It uses the undocumented WdcRunTaskAsInteractiveUser function from wdc.dll, if available, to perform the operation. * * \param CommandLine The command line to execute. This should include the full path to the executable and any arguments. * \param CurrentDirectory The working directory for the new process. May be NULL to use the default. * \return HRESULT Returns S_OK on success, or an error HRESULT code on failure. * \remarks This function is only available on Windows 10 and later, and requires wdc.dll to be present. */ HRESULT PhCreateProcessAsInteractiveUser( _In_ PCWSTR CommandLine, _In_ PCWSTR CurrentDirectory ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static HRESULT (WINAPI* WdcRunTaskAsInteractiveUser_I)( _In_ PCWSTR CommandLine, _In_ PCWSTR CurrentDirectory, _In_opt_ ULONG Flags ) = NULL; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"wdc.dll")) { WdcRunTaskAsInteractiveUser_I = PhGetDllBaseProcedureAddress(baseAddress, "WdcRunTaskAsInteractiveUser", 0); } PhEndInitOnce(&initOnce); } if (WdcRunTaskAsInteractiveUser_I) { return WdcRunTaskAsInteractiveUser_I(CommandLine, CurrentDirectory, 0); } return E_NOTIMPL; } /** * Clones a process by creating a new process object that is a copy of the specified process. * * This function opens the source process with PROCESS_CREATE_PROCESS access and uses NtCreateProcessEx * to create a new process that inherits from the specified process. The new process is created in a suspended state * and inherits handles and address space from the parent process. * * \param[out] ProcessHandle A pointer that receives a handle to the newly created (cloned) process. * \param[in] ProcessId The process ID (handle) of the process to clone. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhCreateProcessClone( _Out_ PHANDLE ProcessHandle, _In_ HANDLE ProcessId ) { NTSTATUS status; HANDLE processHandle; HANDLE cloneProcessHandle; OBJECT_ATTRIBUTES objectAttributes; status = PhOpenProcess( &processHandle, PROCESS_CREATE_PROCESS, ProcessId ); if (!NT_SUCCESS(status)) return status; InitializeObjectAttributes( &objectAttributes, NULL, 0, NULL, NULL ); status = NtCreateProcessEx( &cloneProcessHandle, PROCESS_ALL_ACCESS, &objectAttributes, processHandle, PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT | PROCESS_CREATE_FLAGS_INHERIT_HANDLES | PROCESS_CREATE_FLAGS_CREATE_SUSPENDED, NULL, NULL, NULL, 0 ); NtClose(processHandle); if (NT_SUCCESS(status)) { *ProcessHandle = cloneProcessHandle; } return status; } /** * Creates a reflection (clone) of a process using RtlCreateProcessReflection. * * \param ReflectionInformation Pointer to a PROCESS_REFLECTION_INFORMATION structure that receives information about the reflected process. * \param ProcessHandle Handle to the process to reflect. * \return NTSTATUS Successful or errant status. * \remarks On success, the caller is responsible for releasing handles in the returned structure using PhFreeProcessReflection(). */ NTSTATUS PhCreateProcessReflection( _Out_ PPROCESS_REFLECTION_INFORMATION ReflectionInformation, _In_ HANDLE ProcessHandle ) { NTSTATUS status; PROCESS_REFLECTION_INFORMATION reflectionInfo = { 0 }; status = RtlCreateProcessReflection( ProcessHandle, RTL_PROCESS_REFLECTION_FLAGS_INHERIT_HANDLES, NULL, NULL, NULL, &reflectionInfo ); if (NT_SUCCESS(status)) { *ReflectionInformation = reflectionInfo; } return status; } /** * Frees resources associated with a process reflection created by PhCreateProcessReflection. * * \param ReflectionInformation Pointer to a PROCESS_REFLECTION_INFORMATION structure previously initialized by PhCreateProcessReflection. * \remarks This function closes the thread and process handles and terminates the reflected process. */ VOID PhFreeProcessReflection( _In_ PPROCESS_REFLECTION_INFORMATION ReflectionInformation ) { if (ReflectionInformation->ReflectionThreadHandle) { NtClose(ReflectionInformation->ReflectionThreadHandle); } if (ReflectionInformation->ReflectionProcessHandle) { NtTerminateProcess(ReflectionInformation->ReflectionProcessHandle, STATUS_SUCCESS); NtClose(ReflectionInformation->ReflectionProcessHandle); } } /** * Captures a snapshot of a process using the Process Snapshotting API. * * \param SnapshotHandle Receives a handle to the process snapshot. * \param ProcessHandle Handle to the process to snapshot. * \return NTSTATUS code indicating success or failure. * \remarks The caller must release the snapshot using PhFreeProcessSnapshot(). */ NTSTATUS PhCreateProcessSnapshot( _Out_ PHANDLE SnapshotHandle, _In_ HANDLE ProcessHandle ) { NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE snapshotHandle = NULL; if (!PssNtCaptureSnapshot_Import()) return STATUS_PROCEDURE_NOT_FOUND; status = PssNtCaptureSnapshot_Import()( &snapshotHandle, ProcessHandle, PSS_CAPTURE_VA_CLONE | PSS_CAPTURE_HANDLES | PSS_CAPTURE_HANDLE_NAME_INFORMATION | PSS_CAPTURE_HANDLE_BASIC_INFORMATION | PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION | PSS_CAPTURE_HANDLE_TRACE | PSS_CAPTURE_THREADS | PSS_CAPTURE_THREAD_CONTEXT | PSS_CAPTURE_THREAD_CONTEXT_EXTENDED | PSS_CAPTURE_VA_SPACE | PSS_CAPTURE_VA_SPACE_SECTION_INFORMATION | PSS_CREATE_BREAKAWAY | PSS_CREATE_BREAKAWAY_OPTIONAL | PSS_CREATE_USE_VM_ALLOCATIONS, CONTEXT_ALL // WOW64_CONTEXT_ALL? ); if (NT_SUCCESS(status)) { *SnapshotHandle = snapshotHandle; } return status; } /** * Frees a process snapshot and associated resources. * * \param SnapshotHandle Handle to the process snapshot. * \param ProcessHandle Handle to the original process. */ VOID PhFreeProcessSnapshot( _In_ HANDLE SnapshotHandle, _In_ HANDLE ProcessHandle ) { if (PssNtQuerySnapshot_Import()) { PSS_VA_CLONE_INFORMATION processInfo = { 0 }; PSS_HANDLE_TRACE_INFORMATION handleInfo = { 0 }; if (NT_SUCCESS(PssNtQuerySnapshot_Import()( SnapshotHandle, PSSNT_QUERY_VA_CLONE_INFORMATION, &processInfo, sizeof(PSS_VA_CLONE_INFORMATION) ))) { if (processInfo.VaCloneHandle) { NtClose(processInfo.VaCloneHandle); } } if (NT_SUCCESS(PssNtQuerySnapshot_Import()( SnapshotHandle, PSSNT_QUERY_HANDLE_TRACE_INFORMATION, &handleInfo, sizeof(PSS_HANDLE_TRACE_INFORMATION) ))) { if (handleInfo.SectionHandle) { NtClose(handleInfo.SectionHandle); } } } if (PssNtFreeRemoteSnapshot_Import()) { PssNtFreeRemoteSnapshot_Import()(ProcessHandle, SnapshotHandle); } if (PssNtFreeSnapshot_Import()) { PssNtFreeSnapshot_Import()(SnapshotHandle); } } /** * Creates a process with redirected input/output, optionally providing input and capturing output. * * \param CommandLine The command line to execute (as a PPH_STRING). * \param CommandInput Optional input to write to the process's standard input. * \param CommandOutput Optional pointer to receive the process's standard output as a PPH_STRING. * \return NTSTATUS code indicating the process exit status or error. */ NTSTATUS PhCreateProcessRedirection( _In_opt_ PCPH_STRINGREF FileName, _In_opt_ PCPH_STRINGREF CommandLine, _In_opt_ PCPH_STRINGREF CommandInput, _Out_opt_ PPH_STRING *CommandOutput ) { static SECURITY_ATTRIBUTES securityAttributes = { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE }; NTSTATUS status; PPH_STRING output = NULL; STARTUPINFOEX startupInfo = { 0 }; HANDLE processHandle = NULL; HANDLE outputReadHandle = NULL; HANDLE outputWriteHandle = NULL; HANDLE inputReadHandle = NULL; HANDLE inputWriteHandle = NULL; PPROC_THREAD_ATTRIBUTE_LIST attributeList = NULL; HANDLE handleList[2]; #if defined(PH_BUILD_MSIX) ULONG appPolicy; #endif PROCESS_BASIC_INFORMATION basicInfo; status = PhCreatePipeEx( &inputReadHandle, &inputWriteHandle, &securityAttributes, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreatePipeEx( &outputReadHandle, &outputWriteHandle, NULL, &securityAttributes ); if (!NT_SUCCESS(status)) goto CleanupExit; #if !defined(PH_BUILD_MSIX) status = PhInitializeProcThreadAttributeList(&attributeList, 1); if (!NT_SUCCESS(status)) goto CleanupExit; handleList[0] = inputReadHandle; handleList[1] = outputWriteHandle; status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_HANDLE_LIST, handleList, sizeof(handleList) ); if (!NT_SUCCESS(status)) goto CleanupExit; #else status = PhInitializeProcThreadAttributeList(&attributeList, 2); if (!NT_SUCCESS(status)) goto CleanupExit; handleList[0] = inputReadHandle; handleList[1] = outputWriteHandle; status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_HANDLE_LIST, handleList, sizeof(handleList) ); if (!NT_SUCCESS(status)) goto CleanupExit; appPolicy = PROCESS_CREATION_DESKTOP_APP_BREAKAWAY_OVERRIDE; status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_DESKTOP_APP_POLICY, &appPolicy, sizeof(ULONG) ); if (!NT_SUCCESS(status)) goto CleanupExit; #endif memset(&startupInfo, 0, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfo.StartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_FORCEOFFFEEDBACK | STARTF_USESTDHANDLES; startupInfo.StartupInfo.wShowWindow = SW_HIDE; startupInfo.StartupInfo.hStdInput = inputReadHandle; startupInfo.StartupInfo.hStdOutput = outputWriteHandle; startupInfo.StartupInfo.hStdError = outputWriteHandle; startupInfo.lpAttributeList = attributeList; status = PhCreateProcessWin32Ex( PhGetStringRefZ(FileName), PhGetStringRefZ(CommandLine), NULL, NULL, &startupInfo, PH_CREATE_PROCESS_INHERIT_HANDLES | PH_CREATE_PROCESS_NEW_CONSOLE | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO, NULL, NULL, &processHandle, NULL ); NtClose(inputReadHandle); inputReadHandle = NULL; NtClose(outputWriteHandle); outputWriteHandle = NULL; if (!NT_SUCCESS(status)) goto CleanupExit; if (CommandInput) { PhWriteFile( inputWriteHandle, CommandInput->Buffer, (ULONG)CommandInput->Length, NULL, NULL ); } status = PhGetFileText(&output, outputReadHandle, TRUE); if (!NT_SUCCESS(status)) goto CleanupExit; //if (PhIsNullOrEmptyString(output)) //{ // status = STATUS_UNSUCCESSFUL; // goto CleanupExit; //} status = PhGetProcessBasicInformation(processHandle, &basicInfo); if (!NT_SUCCESS(status)) goto CleanupExit; status = basicInfo.ExitStatus; CleanupExit: if (processHandle) NtClose(processHandle); if (outputWriteHandle) NtClose(outputWriteHandle); if (outputReadHandle) NtClose(outputReadHandle); if (inputReadHandle) NtClose(inputReadHandle); if (inputWriteHandle) NtClose(inputWriteHandle); if (attributeList) PhDeleteProcThreadAttributeList(attributeList); if (CommandOutput) *CommandOutput = output; else PhClearReference(&output); return status; } // rev from InitializeProcThreadAttributeList (dmex) /** * Initializes a PROC_THREAD_ATTRIBUTE_LIST structure for process/thread attribute updates. * * \param AttributeList Receives a pointer to the allocated attribute list. * \param AttributeCount The number of attributes to reserve space for. * \return NTSTATUS code indicating success or failure. * \remarks The caller must free the attribute list using PhDeleteProcThreadAttributeList(). */ NTSTATUS PhInitializeProcThreadAttributeList( _Out_ PPROC_THREAD_ATTRIBUTE_LIST* AttributeList, _In_ ULONG AttributeCount ) { #if defined(PHNT_NATIVE_PROCATTRIBUTELIST) PPROC_THREAD_ATTRIBUTE_LIST attributeList; SIZE_T attributeListLength; InitializeProcThreadAttributeList(NULL, AttributeCount, 0, &attributeListLength); attributeList = PhAllocateZero(attributeListLength); attributeList->AttributeCount = AttributeCount; *AttributeList = attributeList; return STATUS_SUCCESS; #else PPROC_THREAD_ATTRIBUTE_LIST attributeList; SIZE_T attributeListLength; attributeListLength = FIELD_OFFSET(PROC_THREAD_ATTRIBUTE_LIST, Attributes); attributeListLength += sizeof(PROC_THREAD_ATTRIBUTE) * AttributeCount; attributeList = PhAllocateZero(attributeListLength); attributeList->AttributeCount = AttributeCount; *AttributeList = attributeList; return STATUS_SUCCESS; #endif } // rev from DeleteProcThreadAttributeList (dmex) /** * Frees a PROC_THREAD_ATTRIBUTE_LIST structure previously allocated by PhInitializeProcThreadAttributeList. * * \param AttributeList Pointer to the attribute list to free. * \return NTSTATUS code indicating success or failure. */ NTSTATUS PhDeleteProcThreadAttributeList( _In_ PPROC_THREAD_ATTRIBUTE_LIST AttributeList ) { PhFree(AttributeList); return STATUS_SUCCESS; } // rev from UpdateProcThreadAttribute (dmex) /** * Updates a process/thread attribute in a PROC_THREAD_ATTRIBUTE_LIST. * * \param AttributeList Pointer to the attribute list. * \param AttributeNumber The attribute to update (e.g., PROC_THREAD_ATTRIBUTE_HANDLE_LIST). * \param Buffer Pointer to the attribute data. * \param BufferLength Size of the attribute data in bytes. * \return NTSTATUS code indicating success or failure. */ NTSTATUS PhUpdateProcThreadAttribute( _In_ PPROC_THREAD_ATTRIBUTE_LIST AttributeList, _In_ ULONG_PTR AttributeNumber, _In_ PVOID Buffer, _In_ SIZE_T BufferLength ) { #if defined(PHNT_NATIVE_PROCATTRIBUTELIST) if (!UpdateProcThreadAttribute(AttributeList, 0, AttributeNumber, Buffer, BufferLength, NULL, NULL)) return STATUS_NO_MEMORY; return STATUS_SUCCESS; #else if (AttributeList->LastAttribute >= AttributeList->AttributeCount) return STATUS_NO_MEMORY; AttributeList->PresentFlags |= (1 << (AttributeNumber & PROC_THREAD_ATTRIBUTE_NUMBER)); AttributeList->Attributes[AttributeList->LastAttribute].Attribute = AttributeNumber; AttributeList->Attributes[AttributeList->LastAttribute].Size = BufferLength; AttributeList->Attributes[AttributeList->LastAttribute].Value = (ULONG_PTR)Buffer; AttributeList->LastAttribute++; return STATUS_SUCCESS; #endif } /** * Retrieves the active computer name from the registry. * * \return A PPH_STRING containing the active computer name, or NULL if not found. */ PPH_STRING PhGetActiveComputerName( VOID ) { //static PH_STRINGREF keyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName"); PPH_STRING keyName; PPH_STRING computerName = NULL; HANDLE keyHandle; PH_FORMAT format[8]; PhInitFormatS(&format[0], L"System\\CurrentControlSet\\Control"); PhInitFormatC(&format[1], OBJ_NAME_PATH_SEPARATOR); PhInitFormatS(&format[2], L"Computer"); PhInitFormatS(&format[3], L"Name"); PhInitFormatC(&format[4], OBJ_NAME_PATH_SEPARATOR); PhInitFormatS(&format[5], L"Active"); PhInitFormatS(&format[6], L"Computer"); PhInitFormatS(&format[7], L"Name"); keyName = PhFormat(format, RTL_NUMBER_OF(format), 0); if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, PH_KEY_LOCAL_MACHINE, &keyName->sr, 0 ))) { computerName = PhQueryRegistryStringZ(keyHandle, L"ComputerName"); NtClose(keyHandle); } //WCHAR computerName[MAX_COMPUTERNAME_LENGTH + 1]; //ULONG length = MAX_COMPUTERNAME_LENGTH + 1; // //if (GetComputerNameW(computerName, &length)) //{ // return PhCreateStringEx(computerName, length * sizeof(WCHAR)); //} PhDereferenceObject(keyName); return computerName; } /** * Finds a property in an array of device properties. * * \param Key The property key to find. * \param Store The property store to find. * \param PropertiesCount The number of properties in the array. * \param Properties The array of properties. * \return A pointer to the property, or NULL if not found. */ PDEVPROPERTY PhDevFindProperty( _In_ PDEVPROPKEY Key, _In_ ULONG Store, _In_ ULONG PropertiesCount, _In_reads_(PropertiesCount) PDEVPROPERTY Properties ) { for (ULONG i = 0; i < PropertiesCount; i++) { PDEVPROPERTY property = &Properties[i]; if (RtlEqualMemory(&property->CompKey.Key, Key, sizeof(DEVPROPKEY)) && property->CompKey.Store == Store) { return property; } } return NULL; } /** * Queries device objects using the DevGetObjects API. * * \param ObjectType The type of device object to query. * \param QueryFlags Flags controlling the query. * \param RequestedPropertiesCount Number of requested properties. * \param RequestedProperties Array of requested property keys. * \param FilterExpressionCount Number of filter expressions. * \param FilterExpressions Array of filter expressions. * \param ObjectCount Receives the number of objects returned. * \param Objects Receives a pointer to the array of device objects. * \return HRESULT indicating success or failure. * \remarks The returned objects must be freed with PhDevFreeObjects(). */ HRESULT PhDevGetObjects( _In_ DEV_OBJECT_TYPE ObjectType, _In_ DEV_QUERY_FLAGS QueryFlags, _In_ ULONG RequestedPropertiesCount, _In_reads_opt_(RequestedPropertiesCount) const DEVPROPCOMPKEY* RequestedProperties, _In_ ULONG FilterExpressionCount, _In_reads_opt_(FilterExpressionCount) const DEVPROP_FILTER_EXPRESSION* FilterExpressions, _Out_ PULONG ObjectCount, _Outptr_result_buffer_(*ObjectCount) const DEV_OBJECT** Objects ) { HRESULT status; if (!DevGetObjects_Import()) return E_FAIL; status = DevGetObjects_Import()( ObjectType, QueryFlags, RequestedPropertiesCount, RequestedProperties, FilterExpressionCount, FilterExpressions, ObjectCount, Objects ); if (SUCCEEDED(status)) { if (*ObjectCount == 0) { status = E_FAIL; } } return status; } /** * Frees device objects previously returned by PhDevGetObjects. * * \param ObjectCount Number of objects. * \param Objects Pointer to the array of device objects. */ VOID PhDevFreeObjects( _In_ ULONG ObjectCount, _In_reads_(ObjectCount) const DEV_OBJECT* Objects ) { if (DevFreeObjects_Import()) { DevFreeObjects_Import()(ObjectCount, Objects); } } /** * Queries properties of a device object. * * \param ObjectType The type of device object. * \param ObjectId The object ID. * \param QueryFlags Flags controlling the query. * \param RequestedPropertiesCount Number of requested properties. * \param RequestedProperties Array of requested property keys. * \param PropertiesCount Receives the number of properties returned. * \param Properties Receives a pointer to the array of properties. * \return HRESULT indicating success or failure. * \remarks The returned properties must be freed with PhDevFreeObjectProperties(). */ HRESULT PhDevGetObjectProperties( _In_ DEV_OBJECT_TYPE ObjectType, _In_ PCWSTR ObjectId, _In_ DEV_QUERY_FLAGS QueryFlags, _In_ ULONG RequestedPropertiesCount, _In_reads_(RequestedPropertiesCount) const DEVPROPCOMPKEY* RequestedProperties, _Out_ PULONG PropertiesCount, _Outptr_result_buffer_(*PropertiesCount) const DEVPROPERTY** Properties ) { if (!DevGetObjectProperties_Import()) return E_FAIL; return DevGetObjectProperties_Import()( ObjectType, ObjectId, QueryFlags, RequestedPropertiesCount, RequestedProperties, PropertiesCount, Properties ); } /** * Frees device object properties previously returned by PhDevGetObjectProperties. * * \param PropertiesCount Number of properties. * \param Properties Pointer to the array of properties. */ VOID PhDevFreeObjectProperties( _In_ ULONG PropertiesCount, _In_reads_(PropertiesCount) const DEVPROPERTY* Properties ) { if (DevFreeObjectProperties_Import()) { DevFreeObjectProperties_Import()(PropertiesCount, Properties); } } /** * Creates a device object query using the DevCreateObjectQuery API. * * \param ObjectType The type of device object. * \param QueryFlags Flags controlling the query. * \param RequestedPropertiesCount Number of requested properties. * \param RequestedProperties Array of requested property keys. * \param FilterExpressionCount Number of filter expressions. * \param Filter Array of filter expressions. * \param Callback Callback function to receive query results. * \param Context User-defined context for the callback. * \param DevQuery Receives the query handle. * \return HRESULT indicating success or failure. * \remarks The query handle must be closed with PhDevCloseObjectQuery(). */ HRESULT PhDevCreateObjectQuery( _In_ DEV_OBJECT_TYPE ObjectType, _In_ DEV_QUERY_FLAGS QueryFlags, _In_ ULONG RequestedPropertiesCount, _In_reads_opt_(RequestedPropertiesCount) const DEVPROPCOMPKEY* RequestedProperties, _In_ ULONG FilterExpressionCount, _In_reads_opt_(FilterExpressionCount) const DEVPROP_FILTER_EXPRESSION* Filter, _In_ PDEV_QUERY_RESULT_CALLBACK Callback, _In_opt_ PVOID Context, _Out_ PHDEVQUERY DevQuery ) { *DevQuery = NULL; if (!DevCreateObjectQuery_Import()) return E_FAIL; return DevCreateObjectQuery_Import()( ObjectType, QueryFlags, RequestedPropertiesCount, RequestedProperties, FilterExpressionCount, Filter, Callback, Context, DevQuery ); } /** * Closes a device object query handle. * * \param QueryHandle The query handle to close. */ VOID PhDevCloseObjectQuery( _In_ HDEVQUERY QueryHandle ) { if (DevCloseObjectQuery_Import()) { DevCloseObjectQuery_Import()(QueryHandle); } } /** * Modern replacement for CM_Open_DevInst_Key using PhDevGetObjects. * * \param DeviceInstanceId The stable Device Instance ID string. * \param DesiredAccess Registry access mask. * \param Flags PH_DEVKEY_* flags. * \param KeyHandle Pointer to receive the handle. */ NTSTATUS PhDevOpenObjectKey( _In_ PPH_STRING DeviceInstanceId, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG Flags, _Out_ PHANDLE KeyHandle ) { NTSTATUS status = STATUS_UNSUCCESSFUL; ULONG objectCount = 0; const DEV_OBJECT* objects = NULL; DEVPROP_FILTER_EXPRESSION filter[1]; DEVPROPCOMPKEY driverPropKey[1]; filter[0].Operator = DEVPROP_OPERATOR_EQUALS; filter[0].Property.CompKey.Key = DEVPKEY_Device_InstanceId; filter[0].Property.CompKey.Store = DEVPROP_STORE_SYSTEM; filter[0].Property.CompKey.LocaleName = NULL; filter[0].Property.Type = DEVPROP_TYPE_STRING; filter[0].Property.BufferSize = (ULONG)DeviceInstanceId->Length + sizeof(UNICODE_NULL); filter[0].Property.Buffer = DeviceInstanceId->Buffer; // Request the Driver (Software) property if needed driverPropKey[0].Key = DEVPKEY_Device_Driver; driverPropKey[0].Store = DEVPROP_STORE_SYSTEM; driverPropKey[0].LocaleName = NULL; if (HR_SUCCESS(PhDevGetObjects( DevObjectTypeDevice, DevQueryFlagNone, BooleanFlagOn(Flags, PH_DEVKEY_SOFTWARE) ? RTL_NUMBER_OF(driverPropKey) : 0, BooleanFlagOn(Flags, PH_DEVKEY_SOFTWARE) ? driverPropKey : NULL, RTL_NUMBER_OF(filter), filter, &objectCount, &objects )) && objectCount > 0) { PPH_STRING registryPath = NULL; if (FlagOn(Flags, PH_DEVKEY_SOFTWARE)) { // SOFTWARE (Driver) Key: \Registry\Machine\System\CurrentControlSet\Control\Class\{GUID}\xxxx for (ULONG i = 0; i < objects[0].cPropertyCount; i++) { if ( IsEqualGUID(&objects[0].pProperties[i].CompKey.Key.fmtid, &DEVPKEY_Device_Driver.fmtid) && objects[0].pProperties[i].CompKey.Key.pid == DEVPKEY_Device_Driver.pid ) { if (objects[0].pProperties[i].Type == DEVPROP_TYPE_STRING) { static const PH_STRINGREF keyName = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Control\\Class\\"); PH_STRINGREF value; PhInitializeStringRefLongHint(&value, (PCWSTR)objects[0].pProperties[i].Buffer); registryPath = PhConcatStringRef2(&keyName, &value); } break; } } } else if (FlagOn(Flags, PH_DEVKEY_HARDWARE)) { // HARDWARE Key: \Registry\Machine\System\CurrentControlSet\Enum\{InstanceID}\Device Parameters static const PH_STRINGREF base = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Enum\\"); static const PH_STRINGREF suffix = PH_STRINGREF_INIT(L"\\Device Parameters"); registryPath = PhConcatStringRef3(&base, &DeviceInstanceId->sr, &suffix); } else if (FlagOn(Flags, PH_DEVKEY_USER)) { // USER Key: \Registry\User\{SID}\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\{InstanceID} PPH_STRING userSid; if (userSid = PhGetTokenUserString(PhGetOwnTokenAttributes().TokenHandle, FALSE)) { status = PhOpenKey( KeyHandle, DesiredAccess, PH_KEY_USERS, &userSid->sr, OBJ_CASE_INSENSITIVE ); if (NT_SUCCESS(status)) { static const PH_STRINGREF base = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\DeviceAccess\\"); HANDLE subKey; PPH_STRING subKeyPath; subKeyPath = PhConcatStringRef2(&base, &DeviceInstanceId->sr); status = PhOpenKey( &subKey, DesiredAccess, *KeyHandle, &subKeyPath->sr, OBJ_CASE_INSENSITIVE ); NtClose(*KeyHandle); PhDereferenceObject(subKeyPath); if (NT_SUCCESS(status)) { *KeyHandle = subKey; } } PhDereferenceObject(userSid); } } else if (FlagOn(Flags, PH_DEVKEY_CONFIG)) { static const PH_STRINGREF base = PH_STRINGREF_INIT(L"System\\CurrentControlSet\\Enum\\"); static const PH_STRINGREF suffix = PH_STRINGREF_INIT(L"\\Device Parameters\\Configuration"); // CONFIG Key: \Registry\Machine\System\CurrentControlSet\Enum\{InstanceID}\Device Parameters\Configuration registryPath = PhConcatStringRef3(&base, &DeviceInstanceId->sr, &suffix); } if (registryPath) { status = PhOpenKey( KeyHandle, DesiredAccess, PH_KEY_LOCAL_MACHINE, ®istryPath->sr, OBJ_CASE_INSENSITIVE ); PhDereferenceObject(registryPath); } PhDevFreeObjects(objectCount, objects); } return status; } /** * Creates a taskbar list object for progress and overlay icon management. * * \param TaskbarHandle Receives the ITaskbarList3 interface pointer as a HANDLE. * \return HRESULT indicating success or failure. * \remarks The returned handle must be released with PhTaskbarListDestroy(). */ HRESULT PhTaskbarListCreate( _Out_ PHANDLE TaskbarHandle ) { HRESULT status; ITaskbarList3* taskbarListClass; status = PhGetClassObject( L"explorerframe.dll", &CLSID_TaskbarList, &IID_ITaskbarList3, &taskbarListClass ); if (SUCCEEDED(status)) { status = ITaskbarList3_HrInit(taskbarListClass); if (FAILED(status)) { ITaskbarList3_Release(taskbarListClass); taskbarListClass = NULL; } } if (SUCCEEDED(status)) { *TaskbarHandle = taskbarListClass; } return status; } /** * Releases a taskbar list object previously created by PhTaskbarListCreate. * * \param TaskbarHandle The taskbar handle to release. */ VOID PhTaskbarListDestroy( _In_ HANDLE TaskbarHandle ) { ITaskbarList3_Release((ITaskbarList3*)TaskbarHandle); } /** * Sets the progress value for a window on the taskbar. * * \param TaskbarHandle The taskbar handle. * \param WindowHandle The window handle. * \param Completed The completed value. * \param Total The total value. */ VOID PhTaskbarListSetProgressValue( _In_ HANDLE TaskbarHandle, _In_ HWND WindowHandle, _In_ ULONGLONG Completed, _In_ ULONGLONG Total ) { ITaskbarList3_SetProgressValue((ITaskbarList3*)TaskbarHandle, WindowHandle, Completed, Total); } /** * Sets the progress state for a window on the taskbar. * * \param TaskbarHandle The taskbar handle. * \param WindowHandle The window handle. * \param Flags Progress state flags (PH_TBLF_*). */ VOID PhTaskbarListSetProgressState( _In_ HANDLE TaskbarHandle, _In_ HWND WindowHandle, _In_ ULONG Flags ) { static CONST PH_FLAG_MAPPING PhTaskbarListFlagMappings[] = { { PH_TBLF_NOPROGRESS, TBPF_NOPROGRESS }, { PH_TBLF_INDETERMINATE, TBPF_INDETERMINATE }, { PH_TBLF_NORMAL, TBPF_NORMAL }, { PH_TBLF_ERROR, TBPF_ERROR }, { PH_TBLF_PAUSED, TBPF_PAUSED }, }; ULONG flags; flags = 0; PhMapFlags1(&flags, Flags, PhTaskbarListFlagMappings, RTL_NUMBER_OF(PhTaskbarListFlagMappings)); ITaskbarList3_SetProgressState((ITaskbarList3*)TaskbarHandle, WindowHandle, flags); } /** * Sets an overlay icon for a window on the taskbar. * * \param TaskbarHandle The taskbar handle. * \param WindowHandle The window handle. * \param IconHandle The icon handle to set as overlay. * \param IconDescription Optional description for accessibility. */ VOID PhTaskbarListSetOverlayIcon( _In_ HANDLE TaskbarHandle, _In_ HWND WindowHandle, _In_opt_ HICON IconHandle, _In_opt_ PCWSTR IconDescription ) { ITaskbarList3_SetOverlayIcon((ITaskbarList3*)TaskbarHandle, WindowHandle, IconHandle, IconDescription); } /** * Determines if DirectX is currently running in exclusive full-screen mode. * * \return TRUE if DirectX is running full-screen, otherwise FALSE. */ BOOLEAN PhIsDirectXRunningFullScreen( VOID ) { static typeof(&D3DKMTCheckExclusiveOwnership) D3DKMTCheckExclusiveOwnership_I = NULL; static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"gdi32.dll")) { D3DKMTCheckExclusiveOwnership_I = PhGetDllBaseProcedureAddress(baseAddress, "D3DKMTCheckExclusiveOwnership", 0); } PhEndInitOnce(&initOnce); } if (!D3DKMTCheckExclusiveOwnership_I) return FALSE; return D3DKMTCheckExclusiveOwnership_I(); } /** * Releases exclusive ownership of the display from a DirectX full-screen process. * * \param ProcessHandle Handle to the process to restore. * \return NTSTATUS code indicating success or failure. */ NTSTATUS PhRestoreFromDirectXRunningFullScreen( _In_ HANDLE ProcessHandle ) { static typeof(&D3DKMTReleaseProcessVidPnSourceOwners) D3DKMTReleaseProcessVidPnSourceOwners_I = NULL; static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"gdi32.dll")) { D3DKMTReleaseProcessVidPnSourceOwners_I = PhGetDllBaseProcedureAddress(baseAddress, "D3DKMTReleaseProcessVidPnSourceOwners", 0); } PhEndInitOnce(&initOnce); } if (!D3DKMTReleaseProcessVidPnSourceOwners_I) return STATUS_PROCEDURE_NOT_FOUND; return D3DKMTReleaseProcessVidPnSourceOwners_I(ProcessHandle); } /** * Queries exclusive ownership information for DirectX video present network (VidPn) sources. * * \param QueryExclusiveOwnership Pointer to a D3DKMT_QUERYVIDPNEXCLUSIVEOWNERSHIP structure. * \return NTSTATUS code indicating success or failure. */ NTSTATUS PhQueryDirectXExclusiveOwnership( _Inout_ PD3DKMT_QUERYVIDPNEXCLUSIVEOWNERSHIP QueryExclusiveOwnership ) { static typeof(&D3DKMTQueryVidPnExclusiveOwnership) D3DKMTQueryVidPnExclusiveOwnership_I = NULL; // same typedef as NtGdiDdDDIQueryVidPnExclusiveOwnership static PH_INITONCE initOnce = PH_INITONCE_INIT; if (PhBeginInitOnce(&initOnce)) { PVOID baseAddress; if (baseAddress = PhLoadLibrary(L"gdi32.dll")) // win32u.dll { D3DKMTQueryVidPnExclusiveOwnership_I = PhGetDllBaseProcedureAddress(baseAddress, "D3DKMTQueryVidPnExclusiveOwnership", 0); } PhEndInitOnce(&initOnce); } if (!D3DKMTQueryVidPnExclusiveOwnership_I) return FALSE; return D3DKMTQueryVidPnExclusiveOwnership_I(QueryExclusiveOwnership); } typedef struct _PH_ENDSESSION_CONTEXT { CLIENT_ID ClientId; ULONG_PTR Result; // Result from the last successful PhSendMessageTimeout BOOLEAN Valid; // TRUE if FinalResult contains a valid value } PH_ENDSESSION_CONTEXT, * PPH_ENDSESSION_CONTEXT; /** * Callback used to send WM_QUERYENDSESSION/WM_ENDSESSION to windows of a specific process. * * Enumerates all top-level windows and, for those belonging to the process specified by Context, * sends WM_QUERYENDSESSION and, if accepted, WM_ENDSESSION messages. * * \param WindowHandle Handle to the window being enumerated. * \param Context Pointer to the process ID (as CLIENT_ID) to match against window's process. * \return TRUE to continue enumeration, FALSE to stop. */ _Function_class_(PH_WINDOW_ENUM_CALLBACK) static BOOLEAN CALLBACK PhQueryEndSessionCallback( _In_ HWND WindowHandle, _In_opt_ PVOID Context ) { PPH_ENDSESSION_CONTEXT context = (PPH_ENDSESSION_CONTEXT)Context; CLIENT_ID processId; // Skip invisible windows; they do not respond to session‑end queries. if (!IsWindowVisible(WindowHandle)) return TRUE; // Check whether this window belongs to the target process. if ( NT_SUCCESS(PhGetWindowClientId(WindowHandle, &processId)) && processId.UniqueProcess == context->ClientId.UniqueProcess ) { ULONG_PTR result = 0; // Ask the window whether it consents to session termination. if (PhSendMessageTimeout( WindowHandle, WM_QUERYENDSESSION, 0, ENDSESSION_CLOSEAPP, 5000, &result )) { // If the window agrees, notify it that the session is ending. if (result) { if (PhSendMessageTimeout( WindowHandle, WM_ENDSESSION, TRUE, ENDSESSION_LOGOFF, 5000, &result )) { context->Result = result; context->Valid = TRUE; } } return FALSE; } } return TRUE; } /** * Sends WM_QUERYENDSESSION/WM_ENDSESSION messages to all windows belonging to the specified process. * * \param WindowHandle Handle to a window of the process. * \return NTSTATUS Successful or errant status. */ NTSTATUS PhEndWindowSession( _In_ HWND WindowHandle ) { NTSTATUS status; CLIENT_ID clientId; PH_ENDSESSION_CONTEXT context; status = PhGetWindowClientId(WindowHandle, &clientId); if (!NT_SUCCESS(status)) return status; RtlZeroMemory(&context, sizeof(PH_ENDSESSION_CONTEXT)); context.ClientId = clientId; status = PhEnumWindows(PhQueryEndSessionCallback, &clientId); if (!NT_SUCCESS(status)) return status; if (context.Valid && context.Result != 0) return STATUS_SUCCESS; return STATUS_FAIL_CHECK; } static CONST PPH_STRINGREF PhLuidKnownTypeStrings[] = { SREF(L"SYSTEM"), SREF(L"PROTECTED_TO_SYSTEM"), SREF(L"NETWORKSERVICE"), SREF(L"LOCALSERVICE"), SREF(L"ANONYMOUS_LOGON"), SREF(L"IUSER"), }; /** * Returns a string representation for well‑known authentication LUIDs. * * \param Luid Pointer to the LUID to classify. * \return A PCPH_STRINGREF containing the name of the known LUID, or NULL if the * LUID is not one of the recognized well‑known identifiers. */ PCPH_STRINGREF PhGetLuidKnownTypeToString( _In_ PLUID Luid ) { if (RtlIsEqualLuid(Luid, &((LUID)SYSTEM_LUID))) { return (PCPH_STRINGREF)&PhLuidKnownTypeStrings[0]; } else if (RtlIsEqualLuid(Luid, &((LUID)PROTECTED_TO_SYSTEM_LUID))) { return (PCPH_STRINGREF)&PhLuidKnownTypeStrings[1]; } else if (RtlIsEqualLuid(Luid, &((LUID)NETWORKSERVICE_LUID))) { return (PCPH_STRINGREF)&PhLuidKnownTypeStrings[2]; } else if (RtlIsEqualLuid(Luid, &((LUID)LOCALSERVICE_LUID))) { return (PCPH_STRINGREF)&PhLuidKnownTypeStrings[3]; } else if (RtlIsEqualLuid(Luid, &((LUID)ANONYMOUS_LOGON_LUID))) { return (PCPH_STRINGREF)&PhLuidKnownTypeStrings[4]; } else if (RtlIsEqualLuid(Luid, &((LUID)IUSER_LUID))) { return (PCPH_STRINGREF)&PhLuidKnownTypeStrings[5]; } return NULL; } ================================================ FILE: phlib/verify.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2013 * dmex 2016-2023 * */ #define PH_ENABLE_VERIFY_CACHE #include #include #include #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS #include #include #include #include _CryptCATAdminCalcHashFromFileHandle CryptCATAdminCalcHashFromFileHandle; _CryptCATAdminCalcHashFromFileHandle2 CryptCATAdminCalcHashFromFileHandle2; _CryptCATAdminAcquireContext CryptCATAdminAcquireContext; _CryptCATAdminAcquireContext2 CryptCATAdminAcquireContext2; _CryptCATAdminEnumCatalogFromHash CryptCATAdminEnumCatalogFromHash; _CryptCATCatalogInfoFromContext CryptCATCatalogInfoFromContext; _CryptCATAdminReleaseCatalogContext CryptCATAdminReleaseCatalogContext; _CryptCATAdminReleaseContext CryptCATAdminReleaseContext; //_WTHelperProvDataFromStateData WTHelperProvDataFromStateData_I; //_WTHelperGetProvSignerFromChain WTHelperGetProvSignerFromChain_I; _WinVerifyTrust WinVerifyTrust_I; typeof(&CertNameToStrW) CertNameToStr_I; typeof(&CertGetEnhancedKeyUsage) CertGetEnhancedKeyUsage_I; typeof(&CertDuplicateCertificateContext) CertDuplicateCertificateContext_I; typeof(&CertFreeCertificateContext) CertFreeCertificateContext_I; static PH_INITONCE PhpVerifyInitOnce = PH_INITONCE_INIT; static CONST GUID WinTrustActionGenericVerifyV2 = WINTRUST_ACTION_GENERIC_VERIFY_V2; static CONST GUID DriverActionVerify = DRIVER_ACTION_VERIFY; #ifdef PH_ENABLE_VERIFY_CACHE static PPH_HASHTABLE PhpVerifyCacheHashTable = NULL; static PH_QUEUED_LOCK PhpVerifyCacheLock = PH_QUEUED_LOCK_INIT; #endif static VOID PhpVerifyInitialization( VOID ) { PVOID wintrust; PVOID crypt32; if (wintrust = PhLoadLibrary(L"wintrust.dll")) { CryptCATAdminCalcHashFromFileHandle = PhGetDllBaseProcedureAddress(wintrust, "CryptCATAdminCalcHashFromFileHandle", 0); CryptCATAdminCalcHashFromFileHandle2 = PhGetDllBaseProcedureAddress(wintrust, "CryptCATAdminCalcHashFromFileHandle2", 0); CryptCATAdminAcquireContext = PhGetDllBaseProcedureAddress(wintrust, "CryptCATAdminAcquireContext", 0); CryptCATAdminAcquireContext2 = PhGetDllBaseProcedureAddress(wintrust, "CryptCATAdminAcquireContext2", 0); CryptCATAdminEnumCatalogFromHash = PhGetDllBaseProcedureAddress(wintrust, "CryptCATAdminEnumCatalogFromHash", 0); CryptCATCatalogInfoFromContext = PhGetDllBaseProcedureAddress(wintrust, "CryptCATCatalogInfoFromContext", 0); CryptCATAdminReleaseCatalogContext = PhGetDllBaseProcedureAddress(wintrust, "CryptCATAdminReleaseCatalogContext", 0); CryptCATAdminReleaseContext = PhGetDllBaseProcedureAddress(wintrust, "CryptCATAdminReleaseContext", 0); //WTHelperProvDataFromStateData_I = PhGetDllBaseProcedureAddress(wintrust, "WTHelperProvDataFromStateData", 0); //WTHelperGetProvSignerFromChain_I = PhGetDllBaseProcedureAddress(wintrust, "WTHelperGetProvSignerFromChain", 0); WinVerifyTrust_I = PhGetDllBaseProcedureAddress(wintrust, "WinVerifyTrust", 0); } if (crypt32 = PhLoadLibrary(L"crypt32.dll")) { CertNameToStr_I = PhGetDllBaseProcedureAddress(crypt32, "CertNameToStrW", 0); CertGetEnhancedKeyUsage_I = PhGetDllBaseProcedureAddress(crypt32, "CertGetEnhancedKeyUsage", 0); CertDuplicateCertificateContext_I = PhGetDllBaseProcedureAddress(crypt32, "CertDuplicateCertificateContext", 0); CertFreeCertificateContext_I = PhGetDllBaseProcedureAddress(crypt32, "CertFreeCertificateContext", 0); } if ( CryptCATAdminCalcHashFromFileHandle && CryptCATAdminAcquireContext && CryptCATAdminEnumCatalogFromHash && CryptCATCatalogInfoFromContext && CryptCATAdminReleaseCatalogContext && CryptCATAdminReleaseContext && WinVerifyTrust_I && CertNameToStr_I && CertDuplicateCertificateContext_I && CertFreeCertificateContext_I ) { PhpVerifyCacheHashTable = PhCreateHashtable( sizeof(PH_VERIFY_CACHE_ENTRY), PhpVerifyCacheHashtableEqualFunction, PhpVerifyCacheHashtableHashFunction, 100 ); } } VERIFY_RESULT PhpStatusToVerifyResult( _In_ LONG Status ) { switch (Status) { case 0: return VrTrusted; case TRUST_E_NOSIGNATURE: return VrNoSignature; case CERT_E_EXPIRED: return VrExpired; case CERT_E_REVOKED: return VrRevoked; case TRUST_E_EXPLICIT_DISTRUST: return VrDistrust; case CRYPT_E_SECURITY_SETTINGS: return VrSecuritySettings; case TRUST_E_BAD_DIGEST: return VrBadSignature; default: return VrSecuritySettings; } } // WTHelperProvDataFromStateData (dmex) PCRYPT_PROVIDER_DATA PhGetCryptProviderDataFromStateData( _In_ HANDLE StateData ) { return (PCRYPT_PROVIDER_DATA)StateData; } // WTHelperGetProvSignerFromChain (dmex) PCRYPT_PROVIDER_SGNR PhGetCryptProviderSignerFromChain( _In_ PCRYPT_PROVIDER_DATA ProvData, _In_ ULONG SignerIndex, _In_ BOOLEAN CounterSigner, _In_ ULONG CounterSignerIndex ) { PCRYPT_PROVIDER_SGNR signer; if (!ProvData || SignerIndex >= ProvData->csSigners) return NULL; signer = &ProvData->pasSigners[SignerIndex]; if (CounterSigner) { if (CounterSignerIndex < signer->csCounterSigners) { return &signer->pasCounterSigners[CounterSignerIndex]; } } return signer; } // rev from WTHelperIsChainedToMicrosoft (dmex) BOOLEAN PhIsChainedToMicrosoft( _In_ PCCERT_CONTEXT Certificate, _In_ HCERTSTORE SiblingStore, _In_ BOOLEAN IncludeMicrosoftTestRootCerts ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static typeof(&CertOpenStore) CertOpenStore_I = NULL; static typeof(&CertAddStoreToCollection) CertAddStoreToCollection_I = NULL; static typeof(&CertGetCertificateChain) CertGetCertificateChain_I = NULL; static typeof(&CertVerifyCertificateChainPolicy) CertVerifyCertificateChainPolicy_I = NULL; static typeof(&CertFreeCertificateChain) CertFreeCertificateChain_I = NULL; static typeof(&CertCloseStore) CertCloseStore_I = NULL; BOOLEAN status = FALSE; HCERTSTORE cryptStoreHandle; CERT_CHAIN_POLICY_PARA policyPara = { sizeof(CERT_CHAIN_POLICY_PARA) }; CERT_CHAIN_POLICY_STATUS policyStatus = { sizeof(CERT_CHAIN_POLICY_STATUS) }; CERT_CHAIN_PARA chainPara = { sizeof(CERT_CHAIN_PARA) }; PCCERT_CHAIN_CONTEXT chainContext; if (!(Certificate && SiblingStore)) return FALSE; if (PhBeginInitOnce(&initOnce)) { PVOID crypt32; if (crypt32 = PhLoadLibrary(L"crypt32.dll")) { CertOpenStore_I = PhGetDllBaseProcedureAddress(crypt32, "CertOpenStore", 0); CertAddStoreToCollection_I = PhGetDllBaseProcedureAddress(crypt32, "CertAddStoreToCollection", 0); CertGetCertificateChain_I = PhGetDllBaseProcedureAddress(crypt32, "CertGetCertificateChain", 0); CertVerifyCertificateChainPolicy_I = PhGetDllBaseProcedureAddress(crypt32, "CertVerifyCertificateChainPolicy", 0); CertFreeCertificateChain_I = PhGetDllBaseProcedureAddress(crypt32, "CertFreeCertificateChain", 0); CertCloseStore_I = PhGetDllBaseProcedureAddress(crypt32, "CertCloseStore", 0); } PhEndInitOnce(&initOnce); } if (!( CertOpenStore_I && CertAddStoreToCollection_I && CertGetCertificateChain_I && CertVerifyCertificateChainPolicy_I && CertFreeCertificateChain_I && CertCloseStore_I )) { return FALSE; } if (cryptStoreHandle = CertOpenStore_I(CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, 0, 0)) { if (CertAddStoreToCollection_I(cryptStoreHandle, SiblingStore, 0, 0)) { //if (IncludeMicrosoftTestRootCerts) //{ // PVOID wintrust = PhGetLoaderEntryDllBaseZ(L"wintrust.dll"); // ULONG resourceLength; // PVOID resourceBuffer; // // policyPara.dwFlags = MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG; // // if (PhLoadResource(wintrust, MAKEINTRESOURCE(1), L"MSTESTROOT", &resourceLength, &resourceBuffer)) // { // CERT_BLOB certificateBlob = { resourceLength, resourceBuffer }; // HCERTSTORE siblingStore = NULL; // // if (CryptQueryObject( // CERT_QUERY_OBJECT_BLOB, // &certificateBlob, // CERT_QUERY_CONTENT_FLAG_CERT, // CERT_QUERY_FORMAT_FLAG_ALL, // 0, 0, 0, 0, // &siblingStore, // 0, // 0 // )) // { // CertAddStoreToCollection(cryptStoreHandle, siblingStore, 0, 0); // } // } // // if (PhLoadResource(wintrust, MAKEINTRESOURCE(2), L"MSTESTROOT", &resourceLength, &resourceBuffer)) // { // CERT_BLOB certificateBlob = { resourceLength, resourceBuffer }; // HCERTSTORE siblingStore = NULL; // // if (CryptQueryObject( // CERT_QUERY_OBJECT_BLOB, // &certificateBlob, // CERT_QUERY_CONTENT_FLAG_CERT, // CERT_QUERY_FORMAT_FLAG_ALL, // 0, 0, 0, 0, // &siblingStore, // 0, // 0 // )) // { // CertAddStoreToCollection(cryptStoreHandle, siblingStore, 0, 0); // } // } //} if (CertGetCertificateChain_I( HCCE_CURRENT_USER, Certificate, 0, cryptStoreHandle, &chainPara, 0, 0, &chainContext )) { if (CertVerifyCertificateChainPolicy_I( CERT_CHAIN_POLICY_MICROSOFT_ROOT, chainContext, &policyPara, &policyStatus )) { status = (policyStatus.dwError == ERROR_SUCCESS); } CertFreeCertificateChain_I(chainContext); } } CertCloseStore_I(cryptStoreHandle, 0); } return status; } NTSTATUS PhpGetSignaturesFromStateData( _In_ HANDLE StateData, _Out_ PCERT_CONTEXT **Signatures, _Out_ PULONG NumberOfSignatures ) { PCRYPT_PROVIDER_DATA provData; PCRYPT_PROVIDER_SGNR sgnr; PCERT_CONTEXT *signatures; ULONG i; ULONG numberOfSignatures; ULONG index; provData = PhGetCryptProviderDataFromStateData(StateData); if (!provData) { *Signatures = NULL; *NumberOfSignatures = 0; return STATUS_UNSUCCESSFUL; } i = 0; numberOfSignatures = 0; while (sgnr = PhGetCryptProviderSignerFromChain(provData, i, FALSE, 0)) { if (sgnr->csCertChain != 0) numberOfSignatures++; i++; } if (numberOfSignatures != 0) { signatures = PhAllocate(numberOfSignatures * sizeof(PCERT_CONTEXT)); i = 0; index = 0; while (sgnr = PhGetCryptProviderSignerFromChain(provData, i, FALSE, 0)) { if (sgnr->csCertChain != 0) signatures[index++] = (PCERT_CONTEXT)CertDuplicateCertificateContext_I(sgnr->pasCertChain[0].pCert); i++; } } else { signatures = NULL; } *Signatures = signatures; *NumberOfSignatures = numberOfSignatures; return STATUS_SUCCESS; } VOID PhpViewSignerInfo( _In_ PPH_VERIFY_FILE_INFO Information, _In_ HANDLE StateData ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static _CryptUIDlgViewSignerInfo cryptUIDlgViewSignerInfo; if (PhBeginInitOnce(&initOnce)) { HMODULE cryptui; if (cryptui = PhLoadLibrary(L"cryptui.dll")) { cryptUIDlgViewSignerInfo = PhGetDllBaseProcedureAddress(cryptui, "CryptUIDlgViewSignerInfoW", 0); } PhEndInitOnce(&initOnce); } if (cryptUIDlgViewSignerInfo) { CRYPTUI_VIEWSIGNERINFO_STRUCT viewSignerInfo = { sizeof(CRYPTUI_VIEWSIGNERINFO_STRUCT) }; PCRYPT_PROVIDER_DATA provData; PCRYPT_PROVIDER_SGNR sgnr; if (!(provData = PhGetCryptProviderDataFromStateData(StateData))) return; if (!(sgnr = PhGetCryptProviderSignerFromChain(provData, 0, FALSE, 0))) return; viewSignerInfo.hwndParent = Information->hWnd; viewSignerInfo.pSignerInfo = sgnr->psSigner; viewSignerInfo.hMsg = provData->hMsg; viewSignerInfo.pszOID = szOID_PKIX_KP_CODE_SIGNING; cryptUIDlgViewSignerInfo(&viewSignerInfo); } } VERIFY_RESULT PhpVerifyFile( _In_ PPH_VERIFY_FILE_INFO Information, _In_ ULONG UnionChoice, _In_ PVOID UnionData, _In_ PCGUID ActionId, _In_opt_ PVOID PolicyCallbackData, _Out_ PCERT_CONTEXT **Signatures, _Out_ PULONG NumberOfSignatures ) { LONG status; WINTRUST_DATA trustData; memset(&trustData, 0, sizeof(WINTRUST_DATA)); trustData.cbStruct = sizeof(WINTRUST_DATA); trustData.pPolicyCallbackData = PolicyCallbackData; trustData.dwUIChoice = WTD_UI_NONE; trustData.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN; trustData.dwUnionChoice = UnionChoice; trustData.dwStateAction = WTD_STATEACTION_VERIFY; trustData.dwProvFlags = WTD_SAFER_FLAG | WTD_DISABLE_MD2_MD4; trustData.pFile = UnionData; if (UnionChoice == WTD_CHOICE_CATALOG) trustData.pCatalog = UnionData; if (FlagOn(Information->Flags, PH_VERIFY_PREVENT_NETWORK_ACCESS)) { trustData.fdwRevocationChecks = WTD_REVOKE_NONE; trustData.dwProvFlags |= WTD_CACHE_ONLY_URL_RETRIEVAL; } status = WinVerifyTrust_I(INVALID_HANDLE_VALUE, ActionId, &trustData); PhpGetSignaturesFromStateData(trustData.hWVTStateData, Signatures, NumberOfSignatures); if (status == 0 && (Information->Flags & PH_VERIFY_VIEW_PROPERTIES)) PhpViewSignerInfo(Information, trustData.hWVTStateData); // Close the state data. trustData.dwStateAction = WTD_STATEACTION_CLOSE; WinVerifyTrust_I(INVALID_HANDLE_VALUE, ActionId, &trustData); return PhpStatusToVerifyResult(status); } NTSTATUS PhpCalculateFileHash( _In_ HANDLE FileHandle, _In_opt_ PCWSTR HashAlgorithm, _Out_ PUCHAR *FileHash, _Out_ PULONG FileHashLength, _Out_ HANDLE *CatAdminHandle ) { HANDLE catAdminHandle; PUCHAR fileHash; ULONG fileHashLength; CERT_STRONG_SIGN_PARA strongSigPolicy; memset(&strongSigPolicy, 0, sizeof(CERT_STRONG_SIGN_PARA)); strongSigPolicy.cbSize = sizeof(CERT_STRONG_SIGN_PARA); strongSigPolicy.dwInfoChoice = CERT_STRONG_SIGN_OID_INFO_CHOICE; strongSigPolicy.pszOID = szOID_CERT_STRONG_SIGN_OS_CURRENT; if (CryptCATAdminAcquireContext2) { if (!CryptCATAdminAcquireContext2(&catAdminHandle, &DriverActionVerify, HashAlgorithm, &strongSigPolicy, 0)) return PhGetLastWin32ErrorAsNtStatus(); } else { if (!CryptCATAdminAcquireContext(&catAdminHandle, &DriverActionVerify, 0)) return PhGetLastWin32ErrorAsNtStatus(); } fileHashLength = 32; fileHash = PhAllocate(fileHashLength); if (CryptCATAdminCalcHashFromFileHandle2) { if (!CryptCATAdminCalcHashFromFileHandle2(catAdminHandle, FileHandle, &fileHashLength, fileHash, 0)) { PhFree(fileHash); fileHash = PhAllocate(fileHashLength); if (!CryptCATAdminCalcHashFromFileHandle2(catAdminHandle, FileHandle, &fileHashLength, fileHash, 0)) { CryptCATAdminReleaseContext(catAdminHandle, 0); PhFree(fileHash); return PhGetLastWin32ErrorAsNtStatus(); } } } else { if (!CryptCATAdminCalcHashFromFileHandle(FileHandle, &fileHashLength, fileHash, 0)) { PhFree(fileHash); fileHash = PhAllocate(fileHashLength); if (!CryptCATAdminCalcHashFromFileHandle(FileHandle, &fileHashLength, fileHash, 0)) { CryptCATAdminReleaseContext(catAdminHandle, 0); PhFree(fileHash); return PhGetLastWin32ErrorAsNtStatus(); } } } *FileHash = fileHash; *FileHashLength = fileHashLength; *CatAdminHandle = catAdminHandle; return STATUS_SUCCESS; } NTSTATUS PhpVerifyGetHashFromFileHandle( _In_ HANDLE FileHandle, _In_opt_ PCWSTR HashAlgorithm, _Out_writes_bytes_(HashTagLength) PWSTR HashTagBuffer, _In_ ULONG HashTagLength, _Out_writes_bytes_to_(*FileHashLength, *FileHashLength) PUCHAR FileHashBuffer, _Inout_ PULONG FileHashLength, _Out_ HANDLE *CatAdminHandle ) { HANDLE catAdminHandle; CERT_STRONG_SIGN_PARA strongSigPolicy; memset(&strongSigPolicy, 0, sizeof(CERT_STRONG_SIGN_PARA)); strongSigPolicy.cbSize = sizeof(CERT_STRONG_SIGN_PARA); strongSigPolicy.dwInfoChoice = CERT_STRONG_SIGN_OID_INFO_CHOICE; strongSigPolicy.pszOID = szOID_CERT_STRONG_SIGN_OS_CURRENT; if (CryptCATAdminAcquireContext2) { if (!CryptCATAdminAcquireContext2(&catAdminHandle, &DriverActionVerify, HashAlgorithm, &strongSigPolicy, 0)) { if (!CryptCATAdminAcquireContext(&catAdminHandle, &DriverActionVerify, 0)) return PhGetLastWin32ErrorAsNtStatus(); } } else { if (!CryptCATAdminAcquireContext(&catAdminHandle, &DriverActionVerify, 0)) return PhGetLastWin32ErrorAsNtStatus(); } if (CryptCATAdminCalcHashFromFileHandle2) { if (!CryptCATAdminCalcHashFromFileHandle2(catAdminHandle, FileHandle, FileHashLength, FileHashBuffer, 0)) { CryptCATAdminReleaseContext(catAdminHandle, 0); return PhGetLastWin32ErrorAsNtStatus(); } } else { if (!CryptCATAdminCalcHashFromFileHandle(FileHandle, FileHashLength, FileHashBuffer, 0)) { CryptCATAdminReleaseContext(catAdminHandle, 0); return PhGetLastWin32ErrorAsNtStatus(); } } if (!PhBufferToHexStringBuffer(FileHashBuffer, *FileHashLength, TRUE, HashTagBuffer, HashTagLength, NULL)) { CryptCATAdminReleaseContext(catAdminHandle, 0); return PhGetLastWin32ErrorAsNtStatus(); } *CatAdminHandle = catAdminHandle; return STATUS_SUCCESS; } VERIFY_RESULT PhpVerifyFileFromCatalog( _In_ PPH_VERIFY_FILE_INFO Information, _In_ HANDLE FileHandle, _In_opt_ PCWSTR HashAlgorithm, _Out_ PCERT_CONTEXT **Signatures, _Out_ PULONG NumberOfSignatures ) { VERIFY_RESULT verifyResult = VrUnknown; PCERT_CONTEXT *signatures; ULONG numberOfSignatures; WINTRUST_CATALOG_INFO catalogInfo; LARGE_INTEGER fileSize; ULONG fileSizeLimit; ULONG fileHashLength = 32; // bytes UCHAR fileHash[32]; ULONG fileHashTagLength = 128; // wchar WCHAR fileHashTag[64 + 1]; HANDLE catAdminHandle; HANDLE catInfoHandle; *Signatures = NULL; *NumberOfSignatures = 0; if (!NT_SUCCESS(PhGetFileSize(FileHandle, &fileSize))) return VrNoSignature; signatures = NULL; numberOfSignatures = 0; if (Information->FileSizeLimitForHash != ULONG_MAX) { fileSizeLimit = PH_VERIFY_DEFAULT_SIZE_LIMIT; if (Information->FileSizeLimitForHash != 0) fileSizeLimit = Information->FileSizeLimitForHash; if (fileSize.QuadPart > fileSizeLimit) return VrNoSignature; } if (!NT_SUCCESS(PhpVerifyGetHashFromFileHandle( FileHandle, HashAlgorithm, fileHashTag, fileHashTagLength, fileHash, &fileHashLength, &catAdminHandle ))) { return VrBadSignature; } // Search the system catalogs. catInfoHandle = CryptCATAdminEnumCatalogFromHash( catAdminHandle, fileHash, fileHashLength, 0, NULL ); if (catInfoHandle) { CATALOG_INFO ci = { sizeof(CATALOG_INFO) }; DRIVER_VER_INFO verInfo = { 0 }; if (CryptCATCatalogInfoFromContext(catInfoHandle, &ci, 0)) { // Disable OS version checking by passing in a DRIVER_VER_INFO structure. verInfo.cbStruct = sizeof(DRIVER_VER_INFO); memset(&catalogInfo, 0, sizeof(catalogInfo)); catalogInfo.cbStruct = sizeof(catalogInfo); catalogInfo.pcwszCatalogFilePath = ci.wszCatalogFile; catalogInfo.pcwszMemberFilePath = NULL; // Information->FileName catalogInfo.hMemberFile = FileHandle; catalogInfo.pcwszMemberTag = fileHashTag; catalogInfo.pbCalculatedFileHash = fileHash; catalogInfo.cbCalculatedFileHash = fileHashLength; catalogInfo.hCatAdmin = catAdminHandle; verifyResult = PhpVerifyFile(Information, WTD_CHOICE_CATALOG, &catalogInfo, &DriverActionVerify, &verInfo, &signatures, &numberOfSignatures); if (verInfo.pcSignerCertContext) CertFreeCertificateContext_I(verInfo.pcSignerCertContext); } CryptCATAdminReleaseCatalogContext(catAdminHandle, catInfoHandle, 0); } else { // Search any user-supplied catalogs. for (ULONG i = 0; i < Information->NumberOfCatalogFileNames; i++) { PhFreeVerifySignatures(signatures, numberOfSignatures); memset(&catalogInfo, 0, sizeof(catalogInfo)); catalogInfo.cbStruct = sizeof(catalogInfo); catalogInfo.pcwszCatalogFilePath = Information->CatalogFileNames[i]; catalogInfo.pcwszMemberFilePath = NULL; // Information->FileName catalogInfo.hMemberFile = FileHandle; catalogInfo.pcwszMemberTag = fileHashTag; catalogInfo.pbCalculatedFileHash = fileHash; catalogInfo.cbCalculatedFileHash = fileHashLength; catalogInfo.hCatAdmin = catAdminHandle; verifyResult = PhpVerifyFile(Information, WTD_CHOICE_CATALOG, &catalogInfo, &WinTrustActionGenericVerifyV2, NULL, &signatures, &numberOfSignatures); if (verifyResult == VrTrusted) break; } } CryptCATAdminReleaseContext(catAdminHandle, 0); *Signatures = signatures; *NumberOfSignatures = numberOfSignatures; return verifyResult; } NTSTATUS PhVerifyFileEx( _In_ PPH_VERIFY_FILE_INFO Information, _Out_ VERIFY_RESULT *VerifyResult, _Out_opt_ PCERT_CONTEXT **Signatures, _Out_opt_ PULONG NumberOfSignatures ) { VERIFY_RESULT verifyResult; PCERT_CONTEXT *signatures; ULONG numberOfSignatures; WINTRUST_FILE_INFO fileInfo; if (PhBeginInitOnce(&PhpVerifyInitOnce)) { PhpVerifyInitialization(); PhEndInitOnce(&PhpVerifyInitOnce); } if (!PhpVerifyCacheHashTable) return STATUS_NOT_SUPPORTED; memset(&fileInfo, 0, sizeof(WINTRUST_FILE_INFO)); fileInfo.cbStruct = sizeof(WINTRUST_FILE_INFO); fileInfo.pgKnownSubject = (PGUID)&WINTRUST_KNOWN_SUBJECT_PE_IMAGE; fileInfo.hFile = Information->FileHandle; verifyResult = PhpVerifyFile( Information, WTD_CHOICE_FILE, &fileInfo, &WinTrustActionGenericVerifyV2, NULL, &signatures, &numberOfSignatures ); if (verifyResult == VrNoSignature) { if (CryptCATAdminAcquireContext2 && CryptCATAdminCalcHashFromFileHandle2) { PhFreeVerifySignatures(signatures, numberOfSignatures); verifyResult = PhpVerifyFileFromCatalog( Information, Information->FileHandle, BCRYPT_SHA256_ALGORITHM, &signatures, &numberOfSignatures ); } if (verifyResult != VrTrusted) { PhFreeVerifySignatures(signatures, numberOfSignatures); verifyResult = PhpVerifyFileFromCatalog( Information, Information->FileHandle, BCRYPT_SHA1_ALGORITHM, &signatures, &numberOfSignatures ); if (verifyResult == VrUnknown) verifyResult = VrNoSignature; } } *VerifyResult = verifyResult; if (Signatures) *Signatures = signatures; else PhFreeVerifySignatures(signatures, numberOfSignatures); if (NumberOfSignatures) *NumberOfSignatures = numberOfSignatures; return STATUS_SUCCESS; } VOID PhFreeVerifySignatures( _In_opt_ PCERT_CONTEXT *Signatures, _In_ ULONG NumberOfSignatures ) { if (Signatures) { for (ULONG i = 0; i < NumberOfSignatures; i++) CertFreeCertificateContext_I(Signatures[i]); PhFree(Signatures); } } PPH_STRING PhpGetCertNameString( _In_ PCERT_NAME_BLOB Blob ) { PPH_STRING string; ULONG bufferSize; // CertNameToStr doesn't give us the correct buffer size unless we don't provide a buffer at // all. bufferSize = CertNameToStr_I( X509_ASN_ENCODING, Blob, CERT_X500_NAME_STR, NULL, 0 ); string = PhCreateStringEx(NULL, bufferSize * sizeof(WCHAR)); CertNameToStr_I( X509_ASN_ENCODING, Blob, CERT_X500_NAME_STR, string->Buffer, bufferSize ); if (string->Length > sizeof(UNICODE_NULL)) string->Length -= sizeof(UNICODE_NULL); // PhTrimToNullTerminatorString(string); return string; } PPH_STRING PhpGetX500Value( _In_ PPH_STRINGREF String, _In_ PPH_STRINGREF KeyName ) { WCHAR keyNamePlusEqualsBuffer[10]; PH_STRINGREF keyNamePlusEquals; SIZE_T keyNameLength; PH_STRINGREF firstPart; PH_STRINGREF remainingPart; keyNameLength = KeyName->Length / sizeof(WCHAR); assert(!(keyNameLength > sizeof(keyNamePlusEquals) / sizeof(WCHAR) - 1)); keyNamePlusEquals.Buffer = keyNamePlusEqualsBuffer; keyNamePlusEquals.Length = (keyNameLength + 1) * sizeof(WCHAR); memcpy(keyNamePlusEquals.Buffer, KeyName->Buffer, KeyName->Length); keyNamePlusEquals.Buffer[keyNameLength] = L'='; // Find "Key=". if (!PhSplitStringRefAtString(String, &keyNamePlusEquals, FALSE, &firstPart, &remainingPart)) return NULL; if (remainingPart.Length == 0) return NULL; // Is the value quoted? If so, return the part inside the quotes. if (remainingPart.Buffer[0] == L'"') { PhSkipStringRef(&remainingPart, sizeof(WCHAR)); if (!PhSplitStringRefAtChar(&remainingPart, L'"', &firstPart, &remainingPart)) return NULL; return PhCreateString2(&firstPart); } else { PhSplitStringRefAtChar(&remainingPart, L',', &firstPart, &remainingPart); return PhCreateString2(&firstPart); } } PPH_STRING PhGetSignerNameFromCertificate( _In_ PCERT_CONTEXT Certificate ) { PCERT_INFO certInfo; PH_STRINGREF keyName; PPH_STRING name; PPH_STRING value; // Cert context -> Cert info certInfo = Certificate->pCertInfo; if (!certInfo) return NULL; // Cert info subject -> Subject X.500 string name = PhpGetCertNameString(&certInfo->Subject); // Subject X.500 string -> CN or OU value PhInitializeStringRef(&keyName, L"CN"); value = PhpGetX500Value(&name->sr, &keyName); if (!value) { PhInitializeStringRef(&keyName, L"OU"); value = PhpGetX500Value(&name->sr, &keyName); } PhDereferenceObject(name); return value; } NTSTATUS PhGetSystemComponentFromCertificate( _In_ PCERT_CONTEXT Certificate ) { UCHAR usageBuffer[256]; ULONG usageLength = sizeof(usageBuffer); PCERT_ENHKEY_USAGE usage = (PCERT_ENHKEY_USAGE)usageBuffer; if (!CertGetEnhancedKeyUsage_I(Certificate, CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, usage, &usageLength)) return PhGetLastWin32ErrorAsNtStatus(); for (ULONG i = 0; i < usage->cUsageIdentifier; i++) { if (PhEqualBytesZ(usage->rgpszUsageIdentifier[i], szOID_NT5_CRYPTO, FALSE)) // Windows System Component Verification (dmex) { return STATUS_SUCCESS; } } return STATUS_NOT_FOUND; } PH_STRINGREF PhVerifyResultToStringRef( _In_ VERIFY_RESULT Result ) { static CONST PH_STRINGREF Results[] = { { 0, NULL }, PH_STRINGREF_INIT(L"No signature"), PH_STRINGREF_INIT(L"Trusted"), PH_STRINGREF_INIT(L"Expired certificate"), PH_STRINGREF_INIT(L"Revoked certificate"), PH_STRINGREF_INIT(L"Not trusted"), PH_STRINGREF_INIT(L"Security policy failure"), PH_STRINGREF_INIT(L"Invalid hash"), }; if (Result < RTL_NUMBER_OF(Results)) return Results[Result]; else return Results[0]; } /** * Verifies a file's digital signature. * * \param FileName A file name. * \param SignerName A variable which receives a pointer to a string containing the signer name. You * must free the string using PhDereferenceObject() when you no longer need it. Note that the signer * name may be NULL if it is not valid. * * \return A VERIFY_RESULT value. */ VERIFY_RESULT PhVerifyFile( _In_ PCWSTR FileName, _Out_opt_ PPH_STRING *SignerName ) { PH_VERIFY_FILE_INFO info = { 0 }; HANDLE fileHandle; VERIFY_RESULT verifyResult; PCERT_CONTEXT *signatures; ULONG numberOfSignatures; if (!NT_SUCCESS(PhCreateFileWin32( &fileHandle, FileName, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { if (SignerName) *SignerName = NULL; return VrUnknown; } info.Flags = PH_VERIFY_PREVENT_NETWORK_ACCESS; info.FileHandle = fileHandle; if (NT_SUCCESS(PhVerifyFileEx(&info, &verifyResult, &signatures, &numberOfSignatures))) { if (SignerName) { *SignerName = NULL; if (numberOfSignatures != 0) *SignerName = PhGetSignerNameFromCertificate(signatures[0]); } PhFreeVerifySignatures(signatures, numberOfSignatures); NtClose(fileHandle); return verifyResult; } else { if (SignerName) *SignerName = NULL; NtClose(fileHandle); return VrUnknown; } } BOOLEAN PhVerifyFileIsChainedToMicrosoft( _In_ PCPH_STRINGREF FileName, _In_ BOOLEAN NativeFileName ) { BOOLEAN result = FALSE; PH_VERIFY_FILE_INFO info = { 0 }; HANDLE fileHandle; VERIFY_RESULT verifyResult; PCERT_CONTEXT *signatures; ULONG numberOfSignatures; if (NativeFileName) { if (!NT_SUCCESS(PhCreateFile( &fileHandle, FileName, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { return FALSE; } } else { if (!NT_SUCCESS(PhCreateFileWin32( &fileHandle, PhGetStringRefZ(FileName), FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { return FALSE; } } info.Flags = PH_VERIFY_PREVENT_NETWORK_ACCESS; info.FileHandle = fileHandle; if (NT_SUCCESS(PhVerifyFileEx(&info, &verifyResult, &signatures, &numberOfSignatures))) { if (verifyResult == VrTrusted && numberOfSignatures != 0) { result = PhIsChainedToMicrosoft( signatures[0], signatures[0]->hCertStore, FALSE ); } PhFreeVerifySignatures(signatures, numberOfSignatures); } NtClose(fileHandle); return result; } _Function_class_(PH_HASHTABLE_EQUAL_FUNCTION) BOOLEAN PhpVerifyCacheHashtableEqualFunction( _In_ PVOID Entry1, _In_ PVOID Entry2 ) { PPH_VERIFY_CACHE_ENTRY entry1 = Entry1; PPH_VERIFY_CACHE_ENTRY entry2 = Entry2; return entry1->SequenceNumber == entry2->SequenceNumber && PhEqualString(entry1->FileName, entry2->FileName, FALSE); } _Function_class_(PH_HASHTABLE_HASH_FUNCTION) ULONG PhpVerifyCacheHashtableHashFunction( _In_ PVOID Entry ) { PPH_VERIFY_CACHE_ENTRY entry = Entry; return PhHashInt64(entry->SequenceNumber) ^ PhHashStringRefEx(&entry->FileName->sr, FALSE, PH_STRING_HASH_XXH32); } VOID PhFlushVerifyCache( VOID ) { PH_HASHTABLE_ENUM_CONTEXT enumContext; PPH_VERIFY_CACHE_ENTRY entry; if (!PhpVerifyCacheHashTable) return; PhAcquireQueuedLockExclusive(&PhpVerifyCacheLock); PhBeginEnumHashtable(PhpVerifyCacheHashTable, &enumContext); while (entry = PhNextEnumHashtable(&enumContext)) { if (entry->FileName) PhDereferenceObject(entry->FileName); if (entry->VerifySignerName) PhDereferenceObject(entry->VerifySignerName); } PhDereferenceObject(PhpVerifyCacheHashTable); PhpVerifyCacheHashTable = PhCreateHashtable( sizeof(PH_VERIFY_CACHE_ENTRY), PhpVerifyCacheHashtableEqualFunction, PhpVerifyCacheHashtableHashFunction, 100 ); PhReleaseQueuedLockExclusive(&PhpVerifyCacheLock); } VERIFY_RESULT PhVerifyFileWithAdditionalCatalog( _In_ PPH_VERIFY_FILE_INFO Information, _In_opt_ PPH_STRING PackageFullName, _Out_opt_ PPH_STRING *SignerName ) { static CONST PH_STRINGREF codeIntegrityFileName = PH_STRINGREF_INIT(L"\\AppxMetadata\\CodeIntegrity.cat"); VERIFY_RESULT result; PPH_STRING additionalCatalogFileName = NULL; PCERT_CONTEXT *signatures; ULONG numberOfSignatures; if (PackageFullName) { PPH_STRING packagePath; if (packagePath = PhGetPackagePath(PackageFullName)) { additionalCatalogFileName = PhConcatStringRef2(&packagePath->sr, &codeIntegrityFileName); PhDereferenceObject(packagePath); } } if (additionalCatalogFileName) { Information->NumberOfCatalogFileNames = 1; Information->CatalogFileNames = &additionalCatalogFileName->Buffer; } if (!NT_SUCCESS(PhVerifyFileEx(Information, &result, &signatures, &numberOfSignatures))) { result = VrUnknown; signatures = NULL; numberOfSignatures = 0; } if (additionalCatalogFileName) PhDereferenceObject(additionalCatalogFileName); if (SignerName) { if (numberOfSignatures != 0) *SignerName = PhGetSignerNameFromCertificate(signatures[0]); else *SignerName = NULL; } PhFreeVerifySignatures(signatures, numberOfSignatures); return result; } /** * Verifies a file's digital signature, using a cached result if possible. * * \param FileName A file name. * \param PackageFullName An associated package name. * \param SignerName A variable which receives a pointer to a string containing the signer name. You * must free the string using PhDereferenceObject() when you no longer need it. Note that the signer * name may be NULL if it is not valid. * \param NativeFileName Specify TRUE if the file name is a native path. * \param CachedOnly Specify TRUE to fail the function when no cached result exists. * * \return A VERIFY_RESULT value. */ VERIFY_RESULT PhVerifyFileCached( _In_ PPH_STRING FileName, _In_opt_ PPH_STRING PackageFullName, _Out_opt_ PPH_STRING *SignerName, _In_ BOOLEAN NativeFileName, _In_ BOOLEAN CachedOnly ) { #ifdef PH_ENABLE_VERIFY_CACHE HANDLE fileHandle; LONGLONG sequenceNumber = 0; if (PhBeginInitOnce(&PhpVerifyInitOnce)) { PhpVerifyInitialization(); PhEndInitOnce(&PhpVerifyInitOnce); } if (!PhpVerifyCacheHashTable) { if (SignerName) *SignerName = NULL; return VrUnknown; } if (NativeFileName) { if (!NT_SUCCESS(PhCreateFile( &fileHandle, &FileName->sr, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { if (SignerName) *SignerName = NULL; return VrUnknown; } } else { if (!NT_SUCCESS(PhCreateFileWin32( &fileHandle, FileName->Buffer, FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ))) { if (SignerName) *SignerName = NULL; return VrUnknown; } } PhSetFileIoPriorityHint(fileHandle, IoPriorityVeryLow); { PPH_VERIFY_CACHE_ENTRY entry; PH_VERIFY_CACHE_ENTRY lookupEntry; PhGetFileUsn(fileHandle, &sequenceNumber); lookupEntry.FileName = FileName; lookupEntry.SequenceNumber = sequenceNumber; PhAcquireQueuedLockShared(&PhpVerifyCacheLock); if (entry = PhFindEntryHashtable(PhpVerifyCacheHashTable, &lookupEntry)) { VERIFY_RESULT verifyResult = entry->VerifyResult; if (SignerName) PhSetReference(SignerName, entry->VerifySignerName); PhReleaseQueuedLockShared(&PhpVerifyCacheLock); NtClose(fileHandle); return verifyResult; } PhReleaseQueuedLockShared(&PhpVerifyCacheLock); } { VERIFY_RESULT result; PPH_STRING signerName; if (!CachedOnly) { PH_VERIFY_FILE_INFO info; memset(&info, 0, sizeof(PH_VERIFY_FILE_INFO)); info.Flags = PH_VERIFY_PREVENT_NETWORK_ACCESS; info.FileHandle = fileHandle; result = PhVerifyFileWithAdditionalCatalog(&info, PackageFullName, &signerName); if (result != VrTrusted) PhClearReference(&signerName); } else { result = VrUnknown; signerName = NULL; } if (!CachedOnly) // if (result != VrUnknown) { PH_VERIFY_CACHE_ENTRY newEntry; newEntry.FileName = FileName; newEntry.SequenceNumber = sequenceNumber; newEntry.VerifyResult = result; newEntry.VerifySignerName = signerName; PhAcquireQueuedLockExclusive(&PhpVerifyCacheLock); if (PhAddEntryHashtable(PhpVerifyCacheHashTable, &newEntry)) { // We successfully added the cache entry. Add references. PhReferenceObject(FileName); if (signerName) PhReferenceObject(signerName); } PhReleaseQueuedLockExclusive(&PhpVerifyCacheLock); } if (SignerName) { *SignerName = signerName; } else { if (signerName) PhDereferenceObject(signerName); } NtClose(fileHandle); return result; } #else VERIFY_RESULT result; PPH_STRING signerName; PH_VERIFY_FILE_INFO info; memset(&info, 0, sizeof(PH_VERIFY_FILE_INFO)); info.FileName = FileName->Buffer; info.Flags = PH_VERIFY_PREVENT_NETWORK_ACCESS; result = PhVerifyFileWithAdditionalCatalog(&info, PackageFullName, &signerName); if (result != VrTrusted) PhClearReference(&signerName); if (SignerName) { *SignerName = signerName; } else { if (signerName) PhDereferenceObject(signerName); } return result; #endif } #if (PH_VERIFY_FUTURE) VERIFY_RESULT PhpSignatureStateToVerifyResult( _In_ LONG Status ) { switch (Status) { case SIGNATURE_STATE_VALID: case SIGNATURE_STATE_TRUSTED: return VrTrusted; case SIGNATURE_STATE_UNSIGNED_MISSING: return VrNoSignature; // TRUST_E_NOSIGNATURE case SIGNATURE_STATE_UNSIGNED_UNSUPPORTED: return VrNoSignature; // TRUST_E_NOSIGNATURE case SIGNATURE_STATE_UNSIGNED_POLICY: return VrNoSignature; // TRUST_E_NOSIGNATURE case SIGNATURE_STATE_INVALID_CORRUPT: return VrBadSignature; // TRUST_E_BAD_DIGEST case SIGNATURE_STATE_INVALID_POLICY: return VrSecuritySettings; // CRYPT_E_BAD_MSG case SIGNATURE_STATE_UNTRUSTED: return VrDistrust; // TRUST_E_EXPLICIT_DISTRUST default: return VrSecuritySettings; } } VERIFY_RESULT PhVerifyFileSignatureInfo( _In_ PPH_VERIFY_FILE_INFO Information, _In_opt_ PCWSTR FileName, _In_opt_ HANDLE FileHandle, _Out_ PCERT_CONTEXT** Signatures, _Out_ PULONG NumberOfSignatures ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static _WTGetSignatureInfo WTGetSignatureInfo_I = NULL; VERIFY_RESULT verifyResult = VrNoSignature; SIGNATURE_INFO signatureInfo = { sizeof(SIGNATURE_INFO) }; PVOID certificateContext = NULL; HANDLE verifyTrustStateData = NULL; HRESULT status; if (PhBeginInitOnce(&initOnce)) { PVOID wintrust; if (wintrust = PhLoadLibrary(L"wintrust.dll")) { WTGetSignatureInfo_I = PhGetDllBaseProcedureAddress(wintrust, "WTGetSignatureInfo", 0); } PhEndInitOnce(&initOnce); } if (!WTGetSignatureInfo_I) { *Signatures = NULL; *NumberOfSignatures = 0; return VrUnknown; } status = WTGetSignatureInfo_I( FileName, FileHandle, SIF_AUTHENTICODE_SIGNED | SIF_CATALOG_SIGNED | SIF_BASE_VERIFICATION, &signatureInfo, &certificateContext, &verifyTrustStateData ); if (!SUCCEEDED(status)) { *Signatures = NULL; *NumberOfSignatures = 0; return VrUnknown; } verifyResult = PhpSignatureStateToVerifyResult(signatureInfo.nSignatureState); PhpGetSignaturesFromStateData(verifyTrustStateData, Signatures, NumberOfSignatures); if (status == S_OK && verifyTrustStateData && (Information->Flags & PH_VERIFY_VIEW_PROPERTIES)) PhpViewSignerInfo(Information, verifyTrustStateData); if (verifyTrustStateData && WinVerifyTrust_I) { WINTRUST_DATA verifyTrustData; memset(&verifyTrustData, 0, sizeof(WINTRUST_DATA)); verifyTrustData.cbStruct = sizeof(WINTRUST_DATA); verifyTrustData.dwUIChoice = WTD_UI_NONE; verifyTrustData.dwUnionChoice = WTD_CHOICE_BLOB; verifyTrustData.dwStateAction = WTD_STATEACTION_CLOSE; verifyTrustData.hWVTStateData = verifyTrustStateData; WinVerifyTrust_I(INVALID_HANDLE_VALUE, &WinTrustActionGenericVerifyV2, &verifyTrustData); } if (certificateContext && CertFreeCertificateContext_I) { CertFreeCertificateContext_I(certificateContext); } return verifyResult; } PPH_STRING PhGetProgramNameFromMessage( _In_ HCRYPTMSG CryptMsgHandle ) { PPH_STRING signerName = NULL; ULONG signerInfoLength = 0; PCMSG_SIGNER_INFO signerInfo; if (!CryptMsgGetParam( CryptMsgHandle, CMSG_SIGNER_INFO_PARAM, 0, NULL, &signerInfoLength )) { return NULL; } signerInfo = PhAllocate(signerInfoLength); if (!CryptMsgGetParam( CryptMsgHandle, CMSG_SIGNER_INFO_PARAM, 0, signerInfo, &signerInfoLength )) { PhFree(signerInfo); return NULL; } for (ULONG i = 0; i < signerInfo->AuthAttrs.cAttr; i++) { if (PhEqualBytesZ(SPC_SP_OPUS_INFO_OBJID, signerInfo->AuthAttrs.rgAttr[i].pszObjId, TRUE)) { ULONG opusInfoLength = 0; PSPC_SP_OPUS_INFO opusInfo; if (!CryptDecodeObjectEx( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, SPC_SP_OPUS_INFO_OBJID, signerInfo->AuthAttrs.rgAttr[i].rgValue[0].pbData, signerInfo->AuthAttrs.rgAttr[i].rgValue[0].cbData, CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG, NULL, &opusInfo, &opusInfoLength )) { goto CleanupExit; } if (opusInfo->pwszProgramName) { signerName = PhCreateString(opusInfo->pwszProgramName); } LocalFree(opusInfo); break; } } CleanupExit: PhFree(signerInfo); return signerName; } // rev from WTHelperIsChainedToMicrosoftFromStateData (dmex) BOOLEAN PhIsChainedToMicrosoftFromStateData( _In_ HANDLE StateData, _In_ BOOLEAN IncludeMicrosoftTestRootCerts ) { BOOLEAN status = FALSE; PCRYPT_PROVIDER_DATA provData; PCRYPT_PROVIDER_SGNR provSigner; HCERTSTORE cryptStoreHandle; provData = PhGetCryptProviderDataFromStateData(StateData); if (!provData) return FALSE; provSigner = PhGetCryptProviderSignerFromChain(provData, 0, FALSE, 0); if (!provSigner) return FALSE; cryptStoreHandle = CertOpenStore( CERT_STORE_PROV_MSG, provData->dwEncoding, 0, 0, provData->hMsg ); if (!cryptStoreHandle) return FALSE; status = PhIsChainedToMicrosoft( provSigner->pasCertChain->pCert, cryptStoreHandle, IncludeMicrosoftTestRootCerts ); CertCloseStore(cryptStoreHandle, 0); return status; } // rev from ChainToMicrosoftRoot (dmex) BOOLEAN PhVerifyCertificateChainToMicrosoftRoot( _In_ PCCERT_CHAIN_CONTEXT ChainContext, _In_ BOOLEAN CheckOsBinary ) { CERT_CHAIN_POLICY_PARA policyPara = { sizeof(CERT_CHAIN_POLICY_PARA) }; CERT_CHAIN_POLICY_STATUS policyStatus = { sizeof(CERT_CHAIN_POLICY_STATUS) }; if (CheckOsBinary) { SetFlag(policyPara.dwFlags, MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG); // MicrosoftWindows vs MicrosoftCorporation } if (CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_MICROSOFT_ROOT, ChainContext, &policyPara, &policyStatus)) { if (policyStatus.dwError == ERROR_SUCCESS) return TRUE; } return FALSE; } // rev from IsMicrosoftRootChain (dmex) BOOLEAN PhVerifyCertificateIsMicrosoftRootChain( _In_ PCCERT_CHAIN_CONTEXT ChainContext ) { static PH_INITONCE initOnce = PH_INITONCE_INIT; static BOOLEAN InsiderBuild = FALSE; CERT_CHAIN_POLICY_PARA policyPara = { sizeof(CERT_CHAIN_POLICY_PARA) }; CERT_CHAIN_POLICY_STATUS policyStatus = { sizeof(CERT_CHAIN_POLICY_STATUS) }; if (PhBeginInitOnce(&initOnce)) { SYSTEM_CODEINTEGRITY_INFORMATION integrityInfo; if (NT_SUCCESS(NtQuerySystemInformation( SystemCodeIntegrityInformation, &integrityInfo, sizeof(SYSTEM_CODEINTEGRITY_INFORMATION), NULL ))) { if (BooleanFlagOn(integrityInfo.CodeIntegrityOptions, CODEINTEGRITY_OPTION_FLIGHTING_ENABLED) || BooleanFlagOn(integrityInfo.CodeIntegrityOptions, CODEINTEGRITY_OPTION_TEST_BUILD)) { InsiderBuild = TRUE; } } PhEndInitOnce(&initOnce); } if (InsiderBuild) { policyPara.dwFlags = MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG; // required } if (CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_MICROSOFT_ROOT, ChainContext, &policyPara, &policyStatus)) { if (policyStatus.dwError == ERROR_SUCCESS) return TRUE; } return FALSE; } #include #pragma comment(lib, "crypt32.lib") #include typedef struct _SPC_PE_IMAGE_PAGE_HASHES_V1 { ULONG PageOffset; BYTE PageHash[20]; // SHA-1 } SPC_PE_IMAGE_PAGE_HASHES_V1, *PSPC_PE_IMAGE_PAGE_HASHES_V1; typedef struct _SPC_PE_IMAGE_PAGE_HASHES_V2 { ULONG PageOffset; BYTE PageHash[32]; // SHA-256 } SPC_PE_IMAGE_PAGE_HASHES_V2, *PSPC_PE_IMAGE_PAGE_HASHES_V2; #include // Based on peview PvEnumSpcAuthenticodePageHashes (dmex) PPH_LIST PhEnumSpcAuthenticodePageHashesFromStateData( _In_ HANDLE StateData ) { PPH_LIST pageHashList = NULL; PCRYPT_PROVIDER_DATA provData; PPROVDATA_SIP provSipData; PSIP_INDIRECT_DATA indirectData; PSPC_PE_IMAGE_DATA spcPeImageDataBuffer = NULL; ULONG spcPeImageDataLength = 0; // WintrustSetDefaultIncludePEPageHashes(TRUE); if (!(provData = PhGetCryptProviderDataFromStateData(StateData))) return FALSE; if (!(provSipData = provData->pPDSip)) return FALSE; if (!(indirectData = provSipData->psIndirectData)) return FALSE; if (!PhEqualBytesZ(indirectData->Data.pszObjId, SPC_PE_IMAGE_DATA_OBJID, FALSE)) return FALSE; if (!CryptDecodeObjectEx( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, SPC_PE_IMAGE_DATA_STRUCT, indirectData->Data.Value.pbData, indirectData->Data.Value.cbData, CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG, NULL, &spcPeImageDataBuffer, &spcPeImageDataLength )) { return FALSE; } if ( spcPeImageDataBuffer->pFile->dwLinkChoice == SPC_MONIKER_LINK_CHOICE && RtlEqualMemory(spcPeImageDataBuffer->pFile->Moniker.ClassId, (SPC_UUID)SpcSerializedObjectAttributesClassId, sizeof((SPC_UUID)SpcSerializedObjectAttributesClassId)) ) { ULONG spcSerializedObjectAttributesLength = 0; PCRYPT_ATTRIBUTES spcSerializedObjectAttributesBuffer = NULL; if (CryptDecodeObjectEx( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, PKCS_ATTRIBUTES, spcPeImageDataBuffer->pFile->Moniker.SerializedData.pbData, spcPeImageDataBuffer->pFile->Moniker.SerializedData.cbData, CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG, NULL, &spcSerializedObjectAttributesBuffer, &spcSerializedObjectAttributesLength )) { for (ULONG i = 0; i < spcSerializedObjectAttributesBuffer->cAttr; i++) { CRYPT_ATTRIBUTE spcSerializedObjectBuffer = spcSerializedObjectAttributesBuffer->rgAttr[i]; PCRYPT_DATA_BLOB spcImagePageHashesBuffer = NULL; ULONG spcImagePageHashesLength = 0; // for (ULONG j = 0; j < spcSerializedObjectBuffer.cValue; j++) if (CryptDecodeObjectEx( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, X509_OCTET_STRING, spcSerializedObjectBuffer.rgValue->pbData, spcSerializedObjectBuffer.rgValue->cbData, CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG, NULL, &spcImagePageHashesBuffer, &spcImagePageHashesLength )) { if (PhEqualBytesZ(spcSerializedObjectBuffer.pszObjId, SPC_PE_IMAGE_PAGE_HASHES_V1_OBJID, FALSE)) { ULONG count = spcImagePageHashesBuffer->cbData / sizeof(SPC_PE_IMAGE_PAGE_HASHES_V1); pageHashList = PhCreateList(count); for (ULONG k = 0; k < count; k++) { PSPC_PE_IMAGE_PAGE_HASHES_V1 entry = PTR_ADD_OFFSET(spcImagePageHashesBuffer->pbData, sizeof(SPC_PE_IMAGE_PAGE_HASHES_V1) * k); PSPC_PE_IMAGE_PAGE_HASHES_V2 thunk; thunk = PhAllocateZero(sizeof(SPC_PE_IMAGE_PAGE_HASHES_V2)); thunk->PageOffset = entry->PageOffset; memcpy_s(thunk->PageHash, sizeof(thunk->PageHash), entry->PageHash, sizeof(entry->PageHash)); PhAddItemList(pageHashList, thunk); } } else if (PhEqualBytesZ(spcSerializedObjectBuffer.pszObjId, SPC_PE_IMAGE_PAGE_HASHES_V2_OBJID, FALSE)) { ULONG count = spcImagePageHashesBuffer->cbData / sizeof(SPC_PE_IMAGE_PAGE_HASHES_V2); pageHashList = PhCreateList(count); for (ULONG k = 0; k < count; k++) { PSPC_PE_IMAGE_PAGE_HASHES_V2 entry = PTR_ADD_OFFSET(spcImagePageHashesBuffer->pbData, sizeof(SPC_PE_IMAGE_PAGE_HASHES_V2) * k); PhAddItemList(pageHashList, PhAllocateCopy(entry, sizeof(SPC_PE_IMAGE_PAGE_HASHES_V2))); } } LocalFree(spcImagePageHashesBuffer); } } LocalFree(spcSerializedObjectAttributesBuffer); } } LocalFree(spcPeImageDataBuffer); return pageHashList; } #endif ================================================ FILE: phlib/workqueue.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * wj32 2009-2016 * */ #include #include #include #include #include #include static PH_INITONCE PhWorkQueueInitOnce = PH_INITONCE_INIT; static PH_FREE_LIST PhWorkQueueItemFreeList; static PH_INITONCE PhGlobalWorkQueueInitOnce = PH_INITONCE_INIT; static PH_WORK_QUEUE PhGlobalWorkQueue; #ifdef DEBUG PPH_LIST PhDbgWorkQueueList; PH_QUEUED_LOCK PhDbgWorkQueueListLock = PH_QUEUED_LOCK_INIT; #endif /** * Initializes a work queue. * * \param WorkQueue A work queue object. * \param MinimumThreads The suggested minimum number of threads to keep alive, even when there is * no work to be performed. * \param MaximumThreads The suggested maximum number of threads to create. * \param NoWorkTimeout The number of milliseconds after which threads without work will terminate. */ VOID PhInitializeWorkQueue( _Out_ PPH_WORK_QUEUE WorkQueue, _In_ ULONG MinimumThreads, _In_ ULONG MaximumThreads, _In_ ULONG NoWorkTimeout ) { if (PhBeginInitOnce(&PhWorkQueueInitOnce)) { PhInitializeFreeList(&PhWorkQueueItemFreeList, sizeof(PH_WORK_QUEUE_ITEM), 32); #ifdef DEBUG PhDbgWorkQueueList = PhCreateList(4); #endif PhEndInitOnce(&PhWorkQueueInitOnce); } PhInitializeRundownProtection(&WorkQueue->RundownProtect); WorkQueue->Terminating = FALSE; InitializeListHead(&WorkQueue->QueueListHead); PhInitializeQueuedLock(&WorkQueue->QueueLock); PhInitializeCondition(&WorkQueue->QueueEmptyCondition); WorkQueue->MinimumThreads = MinimumThreads; WorkQueue->MaximumThreads = MaximumThreads; WorkQueue->NoWorkTimeout = NoWorkTimeout; PhInitializeQueuedLock(&WorkQueue->StateLock); WorkQueue->SemaphoreHandle = NULL; WorkQueue->CurrentThreads = 0; WorkQueue->BusyCount = 0; #ifdef DEBUG PhAcquireQueuedLockExclusive(&PhDbgWorkQueueListLock); PhAddItemList(PhDbgWorkQueueList, WorkQueue); PhReleaseQueuedLockExclusive(&PhDbgWorkQueueListLock); #endif } /** * Frees resources used by a work queue. * * \param WorkQueue A work queue object. */ VOID PhDeleteWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue ) { PLIST_ENTRY listEntry; PPH_WORK_QUEUE_ITEM workQueueItem; #ifdef DEBUG ULONG index; #endif #ifdef DEBUG PhAcquireQueuedLockExclusive(&PhDbgWorkQueueListLock); if ((index = PhFindItemList(PhDbgWorkQueueList, WorkQueue)) != ULONG_MAX) PhRemoveItemList(PhDbgWorkQueueList, index); PhReleaseQueuedLockExclusive(&PhDbgWorkQueueListLock); #endif // Wait for all worker threads to exit. WorkQueue->Terminating = TRUE; MemoryBarrier(); if (WorkQueue->SemaphoreHandle) NtReleaseSemaphore(WorkQueue->SemaphoreHandle, WorkQueue->CurrentThreads, NULL); PhWaitForRundownProtection(&WorkQueue->RundownProtect); // Free all un-executed work items. listEntry = WorkQueue->QueueListHead.Flink; while (listEntry != &WorkQueue->QueueListHead) { workQueueItem = CONTAINING_RECORD(listEntry, PH_WORK_QUEUE_ITEM, ListEntry); listEntry = listEntry->Flink; PhpDestroyWorkQueueItem(workQueueItem); } if (WorkQueue->SemaphoreHandle) NtClose(WorkQueue->SemaphoreHandle); } /** * Waits for all queued work items to be executed. * * \param WorkQueue A work queue object. */ VOID PhWaitForWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue ) { PhAcquireQueuedLockExclusive(&WorkQueue->QueueLock); while (!IsListEmpty(&WorkQueue->QueueListHead)) PhWaitForCondition(&WorkQueue->QueueEmptyCondition, &WorkQueue->QueueLock, NULL); PhReleaseQueuedLockExclusive(&WorkQueue->QueueLock); } /** * Queues a work item to a work queue. * * \param WorkQueue A work queue object. * \param Function A function to execute. * \param Context A user-defined value to pass to the function. */ VOID PhQueueItemWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue, _In_ PUSER_THREAD_START_ROUTINE Function, _In_opt_ PVOID Context ) { PhQueueItemWorkQueueEx(WorkQueue, Function, Context, NULL, NULL); } /** * Queues a work item to a work queue. * * \param WorkQueue A work queue object. * \param Function A function to execute. * \param Context A user-defined value to pass to the function. * \param DeleteFunction A callback function that is executed when the work queue item is about to * be freed. * \param Environment Execution environment parameters (e.g. priority). */ VOID PhQueueItemWorkQueueEx( _Inout_ PPH_WORK_QUEUE WorkQueue, _In_ PUSER_THREAD_START_ROUTINE Function, _In_opt_ PVOID Context, _In_opt_ PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION DeleteFunction, _In_opt_ PPH_WORK_QUEUE_ENVIRONMENT Environment ) { PPH_WORK_QUEUE_ITEM workQueueItem; workQueueItem = PhpCreateWorkQueueItem(Function, Context, DeleteFunction, Environment); // Enqueue the work item. PhAcquireQueuedLockExclusive(&WorkQueue->QueueLock); InsertTailList(&WorkQueue->QueueListHead, &workQueueItem->ListEntry); _InterlockedIncrement(&WorkQueue->BusyCount); PhReleaseQueuedLockExclusive(&WorkQueue->QueueLock); // Signal the semaphore once to let a worker thread continue. NtReleaseSemaphore(PhpGetSemaphoreWorkQueue(WorkQueue), 1, NULL); PHLIB_INC_STATISTIC(WqWorkItemsQueued); // Check if all worker threads are currently busy, and if we can create more threads. if (WorkQueue->BusyCount >= WorkQueue->CurrentThreads && WorkQueue->CurrentThreads < WorkQueue->MaximumThreads) { // Lock and re-check. PhAcquireQueuedLockExclusive(&WorkQueue->StateLock); if (WorkQueue->CurrentThreads < WorkQueue->MaximumThreads) PhpCreateWorkQueueThread(WorkQueue); PhReleaseQueuedLockExclusive(&WorkQueue->StateLock); } } VOID PhInitializeWorkQueueEnvironment( _Out_ PPH_WORK_QUEUE_ENVIRONMENT Environment ) { PhpGetDefaultWorkQueueEnvironment(Environment); } /** Returns a pointer to the default shared work queue. */ PPH_WORK_QUEUE PhGetGlobalWorkQueue( VOID ) { if (PhBeginInitOnce(&PhGlobalWorkQueueInitOnce)) { PhInitializeWorkQueue( &PhGlobalWorkQueue, 0, 3, 1000 ); PhEndInitOnce(&PhGlobalWorkQueueInitOnce); } return &PhGlobalWorkQueue; } VOID PhpGetDefaultWorkQueueEnvironment( _Out_ PPH_WORK_QUEUE_ENVIRONMENT Environment ) { memset(Environment, 0, sizeof(PH_WORK_QUEUE_ENVIRONMENT)); Environment->BasePriority = THREAD_PRIORITY_NORMAL; Environment->IoPriority = IoPriorityNormal; Environment->PagePriority = MEMORY_PRIORITY_NORMAL; Environment->ForceUpdate = FALSE; } VOID PhpUpdateWorkQueueEnvironment( _Inout_ PPH_WORK_QUEUE_ENVIRONMENT CurrentEnvironment, _In_ PPH_WORK_QUEUE_ENVIRONMENT NewEnvironment ) { if (CurrentEnvironment->BasePriority != NewEnvironment->BasePriority || NewEnvironment->ForceUpdate) { LONG increment; increment = NewEnvironment->BasePriority; if (NT_SUCCESS(PhSetThreadBasePriority(NtCurrentThread(), increment))) { CurrentEnvironment->BasePriority = NewEnvironment->BasePriority; } } if (CurrentEnvironment->IoPriority != NewEnvironment->IoPriority || NewEnvironment->ForceUpdate) { IO_PRIORITY_HINT ioPriority; ioPriority = NewEnvironment->IoPriority; if (NT_SUCCESS(PhSetThreadIoPriority(NtCurrentThread(), ioPriority))) { CurrentEnvironment->IoPriority = NewEnvironment->IoPriority; } } if (CurrentEnvironment->PagePriority != NewEnvironment->PagePriority || NewEnvironment->ForceUpdate) { ULONG pagePriority; pagePriority = NewEnvironment->PagePriority; if (NT_SUCCESS(PhSetThreadPagePriority(NtCurrentThread(), pagePriority))) { CurrentEnvironment->PagePriority = NewEnvironment->PagePriority; } } } PPH_WORK_QUEUE_ITEM PhpCreateWorkQueueItem( _In_ PUSER_THREAD_START_ROUTINE Function, _In_opt_ PVOID Context, _In_opt_ PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION DeleteFunction, _In_opt_ PPH_WORK_QUEUE_ENVIRONMENT Environment ) { PPH_WORK_QUEUE_ITEM workQueueItem; workQueueItem = PhAllocateFromFreeList(&PhWorkQueueItemFreeList); workQueueItem->Function = Function; workQueueItem->Context = Context; workQueueItem->DeleteFunction = DeleteFunction; if (Environment) workQueueItem->Environment = *Environment; else PhpGetDefaultWorkQueueEnvironment(&workQueueItem->Environment); return workQueueItem; } VOID PhpDestroyWorkQueueItem( _In_ PPH_WORK_QUEUE_ITEM WorkQueueItem ) { if (WorkQueueItem->DeleteFunction) WorkQueueItem->DeleteFunction(WorkQueueItem->Function, WorkQueueItem->Context); PhFreeToFreeList(&PhWorkQueueItemFreeList, WorkQueueItem); } VOID PhpExecuteWorkQueueItem( _Inout_ PPH_WORK_QUEUE_ITEM WorkQueueItem ) { WorkQueueItem->Function(WorkQueueItem->Context); } HANDLE PhpGetSemaphoreWorkQueue( _Inout_ PPH_WORK_QUEUE WorkQueue ) { HANDLE semaphoreHandle; semaphoreHandle = WorkQueue->SemaphoreHandle; if (!semaphoreHandle) { OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes( &objectAttributes, NULL, OBJ_EXCLUSIVE, NULL, NULL ); NtCreateSemaphore( &semaphoreHandle, SEMAPHORE_ALL_ACCESS, &objectAttributes, 0, MAXLONG ); assert(semaphoreHandle); if (_InterlockedCompareExchangePointer( &WorkQueue->SemaphoreHandle, semaphoreHandle, NULL ) != NULL) { // Someone else created the semaphore before we did. NtClose(semaphoreHandle); semaphoreHandle = WorkQueue->SemaphoreHandle; } } return semaphoreHandle; } BOOLEAN PhpCreateWorkQueueThread( _Inout_ PPH_WORK_QUEUE WorkQueue ) { HANDLE threadHandle; // Make sure the structure doesn't get deleted while the thread is running. if (!PhAcquireRundownProtection(&WorkQueue->RundownProtect)) return FALSE; if (NT_SUCCESS(PhCreateThreadEx( &threadHandle, PhpWorkQueueThreadStart, WorkQueue ))) { PHLIB_INC_STATISTIC(WqWorkQueueThreadsCreated); WorkQueue->CurrentThreads++; NtClose(threadHandle); return TRUE; } else { PHLIB_INC_STATISTIC(WqWorkQueueThreadsCreateFailed); PhReleaseRundownProtection(&WorkQueue->RundownProtect); return FALSE; } } _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS PhpWorkQueueThreadStart( _In_ PVOID Parameter ) { PH_AUTO_POOL autoPool; PPH_WORK_QUEUE workQueue = (PPH_WORK_QUEUE)Parameter; PH_WORK_QUEUE_ENVIRONMENT currentEnvironment; PhInitializeAutoPool(&autoPool); PhpGetDefaultWorkQueueEnvironment(¤tEnvironment); while (TRUE) { NTSTATUS status; HANDLE semaphoreHandle; LARGE_INTEGER timeout; PPH_WORK_QUEUE_ITEM workQueueItem = NULL; // Check if we have more threads than the limit. if (workQueue->CurrentThreads > workQueue->MaximumThreads) { BOOLEAN terminate = FALSE; // Lock and re-check. PhAcquireQueuedLockExclusive(&workQueue->StateLock); // Check the minimum as well. if (workQueue->CurrentThreads > workQueue->MaximumThreads && workQueue->CurrentThreads > workQueue->MinimumThreads) { workQueue->CurrentThreads--; terminate = TRUE; } PhReleaseQueuedLockExclusive(&workQueue->StateLock); if (terminate) break; } semaphoreHandle = PhpGetSemaphoreWorkQueue(workQueue); if (!workQueue->Terminating) { // Wait for work. status = NtWaitForSingleObject( semaphoreHandle, FALSE, PhTimeoutFromMilliseconds(&timeout, workQueue->NoWorkTimeout) ); } else { status = STATUS_UNSUCCESSFUL; } if (status == STATUS_WAIT_0 && !workQueue->Terminating) { PLIST_ENTRY listEntry; // Dequeue the work item. PhAcquireQueuedLockExclusive(&workQueue->QueueLock); listEntry = RemoveHeadList(&workQueue->QueueListHead); if (IsListEmpty(&workQueue->QueueListHead)) PhPulseCondition(&workQueue->QueueEmptyCondition); PhReleaseQueuedLockExclusive(&workQueue->QueueLock); // Make sure we got work. if (listEntry != &workQueue->QueueListHead) { workQueueItem = CONTAINING_RECORD(listEntry, PH_WORK_QUEUE_ITEM, ListEntry); PhpUpdateWorkQueueEnvironment(¤tEnvironment, &workQueueItem->Environment); PhpExecuteWorkQueueItem(workQueueItem); _InterlockedDecrement(&workQueue->BusyCount); PhpDestroyWorkQueueItem(workQueueItem); } } else { BOOLEAN terminate = FALSE; // No work arrived before the timeout passed, or we are terminating, or some error // occurred. Terminate the thread. PhAcquireQueuedLockExclusive(&workQueue->StateLock); if (workQueue->Terminating || workQueue->CurrentThreads > workQueue->MinimumThreads) { workQueue->CurrentThreads--; terminate = TRUE; } PhReleaseQueuedLockExclusive(&workQueue->StateLock); if (terminate) break; } PhDrainAutoPool(&autoPool); } PhReleaseRundownProtection(&workQueue->RundownProtect); PhDeleteAutoPool(&autoPool); return STATUS_SUCCESS; } ================================================ FILE: phlib/wslsup.c ================================================ /* * Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. * * This file is part of System Informer. * * Authors: * * dmex 2019-2025 * */ #include #include typedef struct _PH_WSL_ENUM_CONTEXT { BOOLEAN Found; PPH_STRINGREF FileName; PPH_STRING DistributionGuid; PPH_STRING DistributionName; PPH_STRING DistributionPath; PPH_STRING TranslatedPath; } PH_WSL_ENUM_CONTEXT, *PPH_WSL_ENUM_CONTEXT; _Function_class_(PH_ENUM_KEY_CALLBACK) BOOLEAN NTAPI PhWslDistributionNamesCallback( _In_ HANDLE RootDirectory, _In_ PVOID Information, _In_ PVOID Context ) { PKEY_BASIC_INFORMATION information = (PKEY_BASIC_INFORMATION)Information; PPH_WSL_ENUM_CONTEXT context = (PPH_WSL_ENUM_CONTEXT)Context; HANDLE keyHandle; PH_STRINGREF keyName; keyName.Buffer = information->Name; keyName.Length = information->NameLength; if (NT_SUCCESS(PhOpenKey( &keyHandle, KEY_READ, RootDirectory, &keyName, 0 ))) { PPH_STRING lxssBasePathName; if (lxssBasePathName = PhQueryRegistryStringZ(keyHandle, L"BasePath")) { PhMoveReference(&lxssBasePathName, PhDosPathNameToNtPathName(&lxssBasePathName->sr)); if (lxssBasePathName && PhStartsWithStringRef(context->FileName, &lxssBasePathName->sr, TRUE)) { PPH_STRING lxssDistributionName; if (lxssDistributionName = PhQueryRegistryStringZ(keyHandle, L"DistributionName")) { context->Found = TRUE; context->DistributionGuid = PhCreateString2(&keyName); context->DistributionName = lxssDistributionName; context->DistributionPath = lxssBasePathName; if (context->TranslatedPath = PhCreateString2(context->FileName)) { PhSkipStringRef(&context->TranslatedPath->sr, lxssBasePathName->Length); PhSkipStringRef(&context->TranslatedPath->sr, sizeof(L"rootfs")); } NtClose(keyHandle); return FALSE; } } PhClearReference(&lxssBasePathName); } NtClose(keyHandle); } return TRUE; } NTSTATUS PhGetWslDistributionFromPath( _In_ PPH_STRINGREF FileName, _Out_opt_ PPH_STRING *DistributionGuid, _Out_opt_ PPH_STRING *DistributionName, _Out_opt_ PPH_STRING *DistributionPath, _Out_opt_ PPH_STRING *TranslatedPath ) { static CONST PH_STRINGREF lxssKeyPath = PH_STRINGREF_INIT(L"Software\\Microsoft\\Windows\\CurrentVersion\\Lxss"); PH_WSL_ENUM_CONTEXT enumContext; NTSTATUS status; HANDLE keyHandle; memset(&enumContext, 0, sizeof(PH_WSL_ENUM_CONTEXT)); enumContext.Found = FALSE; enumContext.FileName = FileName; status = PhOpenKey( &keyHandle, KEY_READ, PH_KEY_CURRENT_USER, &lxssKeyPath, 0 ); if (NT_SUCCESS(status)) { status = PhEnumerateKey( keyHandle, KeyBasicInformation, PhWslDistributionNamesCallback, &enumContext ); NtClose(keyHandle); } if (NT_SUCCESS(status)) { if (enumContext.Found) { if (DistributionGuid) *DistributionGuid = enumContext.DistributionGuid; else PhClearReference(&enumContext.DistributionGuid); if (DistributionName) *DistributionName = enumContext.DistributionName; else PhClearReference(&enumContext.DistributionName); if (DistributionPath) *DistributionPath = enumContext.DistributionPath; else PhClearReference(&enumContext.DistributionPath); if (TranslatedPath) *TranslatedPath = PhConvertNtPathSeperatorToAltSeperator(enumContext.TranslatedPath); else PhClearReference(&enumContext.TranslatedPath); } else { status = STATUS_NOT_FOUND; } } return status; } PPH_STRING PhGetWslDistributionCommandLine( _In_ PPH_STRING DistributionGuid, _In_ PPH_STRING DistributionName, _In_ PPH_STRING CommandLine ) { PH_FORMAT format[4]; PPH_STRING systemDirectory; PPH_STRING commandLine; // "wsl.exe -u root -d %s -e %s" if (DistributionGuid) { PhInitFormatS(&format[0], L"wsl.exe --shell-type none --user root --distribution-id "); PhInitFormatSR(&format[1], DistributionGuid->sr); } else { PhInitFormatS(&format[0], L"wsl.exe --shell-type none --user root --distribution "); PhInitFormatSR(&format[1], DistributionName->sr); } PhInitFormatS(&format[2], L" -e "); PhInitFormatSR(&format[3], CommandLine->sr); if (commandLine = PhFormat(format, RTL_NUMBER_OF(format), 0)) { if (systemDirectory = PhGetSystemDirectory()) { PhMoveReference(&commandLine, PhConcatStringRef3( &systemDirectory->sr, &PhNtPathSeparatorString, &commandLine->sr )); PhDereferenceObject(systemDirectory); } return commandLine; } return NULL; } PPH_STRING PhGetWslPathCommandLine( _In_ PPH_STRING win32FileName ) { PH_FORMAT format[3]; PhInitFormatS(&format[0], L"wslpath -a -u \""); PhInitFormatSR(&format[1], win32FileName->sr); PhInitFormatC(&format[2], L'\"'); return PhFormat(format, RTL_NUMBER_OF(format), 0x100); } NTSTATUS PhDosPathNameToWslPathName( _In_ PPH_STRINGREF FileName, _Out_ PPH_STRING* LxssFileName ) { NTSTATUS status = STATUS_UNSUCCESSFUL; PPH_STRING win32FileName = NULL; PPH_STRING distributionGuid = NULL; PPH_STRING distributionName = NULL; PPH_STRING commandLine = NULL; PPH_STRING commandResult = NULL; win32FileName = PhCreateString2(FileName); PhMoveReference(&win32FileName, PhGetFileName(win32FileName)); if (PhIsNullOrEmptyString(win32FileName)) goto CleanupExit; commandLine = PhGetWslPathCommandLine(win32FileName); if (PhIsNullOrEmptyString(win32FileName)) goto CleanupExit; status = PhGetWslDistributionFromPath( FileName, &distributionGuid, &distributionName, NULL, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreateProcessLxss( distributionGuid, distributionName, commandLine, &commandResult ); if (!NT_SUCCESS(status)) goto CleanupExit; if (PhEndsWithString2(commandResult, L"\n", FALSE)) { commandResult->Length -= sizeof(WCHAR[1]); commandResult->Buffer[commandResult->Length / sizeof(WCHAR)] = UNICODE_NULL; } *LxssFileName = PhReferenceObject(commandResult); status = STATUS_SUCCESS; CleanupExit: PhClearReference(&commandResult); PhClearReference(&commandLine); PhClearReference(&distributionName); PhClearReference(&distributionGuid); PhClearReference(&win32FileName); return status; } NTSTATUS PhWslQueryDistroProcessCommandLine( _In_ PPH_STRINGREF FileName, _In_ ULONG LxssProcessId, _Out_ PPH_STRING* Result ) { NTSTATUS status; PPH_STRING distributionGuid = NULL; PPH_STRING distributionName = NULL; PPH_STRING distributionCommand = NULL; PPH_STRING distributionResult = NULL; PH_FORMAT format[5]; status = PhGetWslDistributionFromPath( FileName, &distributionGuid, &distributionName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; PhInitFormatS(&format[0], L"\\Device\\Mup\\wsl.localhost\\"); PhInitFormatSR(&format[1], distributionName->sr); PhInitFormatS(&format[2], L"\\proc\\"); PhInitFormatIU(&format[3], LxssProcessId); PhInitFormatS(&format[4], L"\\cmdline"); if (distributionCommand = PhFormat(format, RTL_NUMBER_OF(format), 0x100)) { HANDLE fileHandle; status = PhCreateFile( &fileHandle, &distributionCommand->sr, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { status = PhGetFileText( &distributionResult, fileHandle, TRUE ); NtClose(fileHandle); } if (status == STATUS_ACCESS_DENIED) { PPH_STRING commandLine; PPH_STRING commandResult; // Note: The WSL P9 Multiple UNC Provider (MUP) doesn't allow administrators to read /proc unless the distro wsl.conf default user is root. // Changing the default user to root fixes permission issues when accessing files from Windows but results in everything owned by root and inaccessible from WSL. // We can workaround the issue by creating a root process using 'wsl.exe -u root' and pipe the /proc content via standard output. // This is significantly slower (very slow) but works, and avoids hard requirements on user preferences and distro configuration. PhInitFormatS(&format[0], L"cat /proc/"); PhInitFormatIU(&format[1], LxssProcessId); PhInitFormatS(&format[2], L"/cmdline"); if (commandLine = PhFormat(format, 3, 0x100)) { status = PhCreateProcessLxss( distributionGuid, distributionName, commandLine, &commandResult ); if (NT_SUCCESS(status)) { distributionResult = commandResult; } PhDereferenceObject(commandLine); } } PhDereferenceObject(distributionCommand); } PhDereferenceObject(distributionName); PhDereferenceObject(distributionGuid); if (distributionResult) { *Result = distributionResult; return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } NTSTATUS PhWslQueryDistroProcessEnvironment( _In_ PPH_STRINGREF FileName, _In_ ULONG LxssProcessId, _Out_ PPH_STRING* Result ) { NTSTATUS status; PPH_STRING distributionGuid = NULL; PPH_STRING distributionName = NULL; PPH_STRING distributionCommand = NULL; PPH_STRING distributionResult = NULL; PH_FORMAT format[5]; status = PhGetWslDistributionFromPath( FileName, &distributionGuid, &distributionName, NULL, NULL ); if (!NT_SUCCESS(status)) return status; PhInitFormatS(&format[0], L"\\Device\\Mup\\wsl.localhost\\"); PhInitFormatSR(&format[1], distributionName->sr); PhInitFormatS(&format[2], L"\\proc\\"); PhInitFormatIU(&format[3], LxssProcessId); PhInitFormatS(&format[4], L"\\environ"); if (distributionCommand = PhFormat(format, RTL_NUMBER_OF(format), 0x100)) { HANDLE fileHandle; status = PhCreateFile( &fileHandle, &distributionCommand->sr, FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (NT_SUCCESS(status)) { status = PhGetFileText( &distributionResult, fileHandle, TRUE ); NtClose(fileHandle); } if (status == STATUS_ACCESS_DENIED) { PPH_STRING commandLine; PPH_STRING commandResult; // Note: The WSL P9 Multiple UNC Provider (MUP) doesn't allow administrators to read /proc unless the distro wsl.conf default user is root. // Changing the default user to root fixes permission issues when accessing files from Windows but results in everything owned by root and inaccessible from WSL. // We can workaround the issue by creating a root process using 'wsl.exe -u root' and pipe the /proc content via standard output. // This is significantly slower (very slow) but works, and avoids hard requirements on user preferences and distro configuration. PhInitFormatS(&format[0], L"cat /proc/"); PhInitFormatIU(&format[1], LxssProcessId); PhInitFormatS(&format[2], L"/environ"); if (commandLine = PhFormat(format, 3, 0x100)) { status = PhCreateProcessLxss( distributionGuid, distributionName, commandLine, &commandResult ); if (NT_SUCCESS(status)) { distributionResult = commandResult; } PhDereferenceObject(commandLine); } } PhDereferenceObject(distributionCommand); } PhDereferenceObject(distributionName); PhDereferenceObject(distributionGuid); if (distributionResult) { *Result = distributionResult; return STATUS_SUCCESS; } return STATUS_UNSUCCESSFUL; } NTSTATUS PhWslQueryRpmPackageFromFileName( _In_ PPH_STRING DistributionGuid, _In_ PPH_STRING DistributionName, _In_ PPH_STRING LxssFileName, _Out_ PPH_STRING* Result ) { NTSTATUS status; PPH_STRING commandLine; PPH_STRING commandResult; PH_FORMAT format[3]; // "rpm -qf %s --queryformat \"%%{VERSION}|%%{VENDOR}|%%{SUMMARY}\"" PhInitFormatS(&format[0], L"rpm -qf \""); PhInitFormatSR(&format[1], LxssFileName->sr); PhInitFormatS(&format[2], L"\" --queryformat \"%%{VERSION}|%%{VENDOR}|%%{SUMMARY}\""); commandLine = PhFormat(format, RTL_NUMBER_OF(format), 0x100); status = PhCreateProcessLxss( DistributionGuid, DistributionName, commandLine, &commandResult ); if (NT_SUCCESS(status)) { *Result = commandResult; } PhDereferenceObject(commandLine); return status; } NTSTATUS PhWslQueryDebianPackageFromFileName( _In_ PPH_STRING DistributionGuid, _In_ PPH_STRING DistributionName, _In_ PPH_STRING LxssFileName, _Out_ PPH_STRING* Result ) { NTSTATUS status; PPH_STRING commandLine; PPH_STRING lxssCommandResult = NULL; PPH_STRING lxssPackageName = NULL; PH_FORMAT format[3]; // "dpkg -S %s" PhInitFormatS(&format[0], L"dpkg -S \""); PhInitFormatSR(&format[1], LxssFileName->sr); PhInitFormatS(&format[2], L"\""); commandLine = PhFormat(format, RTL_NUMBER_OF(format), 0x100); status = PhCreateProcessLxss( DistributionGuid, DistributionName, commandLine, &lxssCommandResult ); if (!NT_SUCCESS(status)) { // The dpkg metadata doesn't contain information for symbolic links // from "/usr/bin -> /bin" so remove the /usr prefix and try again. (dmex) if (PhStartsWithString2(LxssFileName, L"/usr", FALSE)) { PhSkipStringRef(&LxssFileName->sr, sizeof(WCHAR[4])); // "dpkg -S %s" PhInitFormatS(&format[0], L"dpkg -S \""); PhInitFormatSR(&format[1], LxssFileName->sr); PhInitFormatS(&format[2], L"\""); PhMoveReference(&commandLine, PhFormat(format, RTL_NUMBER_OF(format), 0x100)); status = PhCreateProcessLxss( DistributionGuid, DistributionName, commandLine, &lxssCommandResult ); if (!NT_SUCCESS(status)) { goto CleanupExit; } } else { goto CleanupExit; } } if (!PhIsNullOrEmptyString(lxssCommandResult)) { PH_STRINGREF remainingPart; PH_STRINGREF packagePart; if (PhSplitStringRefAtChar(&lxssCommandResult->sr, L':', &packagePart, &remainingPart)) { lxssPackageName = PhCreateString2(&packagePart); } PhClearReference(&lxssCommandResult); } if (PhIsNullOrEmptyString(lxssPackageName)) goto CleanupExit; // "dpkg-query -W -f=${Version}|${Maintainer}|${binary:Summary} %s" PhInitFormatS(&format[0], L"dpkg-query -W -f=${Version}|${Maintainer}|${binary:Summary} \""); PhInitFormatSR(&format[1], lxssPackageName->sr); PhInitFormatS(&format[2], L"\""); PhMoveReference(&commandLine, PhFormat(format, RTL_NUMBER_OF(format), 0x100)); status = PhCreateProcessLxss( DistributionGuid, DistributionName, commandLine, &lxssCommandResult ); if (!NT_SUCCESS(status)) goto CleanupExit; *Result = PhReferenceObject(lxssCommandResult); CleanupExit: if (lxssPackageName) PhDereferenceObject(lxssPackageName); if (lxssCommandResult) PhDereferenceObject(lxssCommandResult); if (commandLine) PhDereferenceObject(commandLine); return status; } NTSTATUS PhWslParsePackageVersionInfo( _Inout_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PPH_STRING LxssCommandResult ) { PH_STRINGREF remainingPart; PH_STRINGREF companyPart; PH_STRINGREF descriptionPart; PH_STRINGREF versionPart; if (PhIsNullOrEmptyString(LxssCommandResult)) return STATUS_UNSUCCESSFUL; remainingPart = PhGetStringRef(LxssCommandResult); PhSplitStringRefAtChar(&remainingPart, L'|', &versionPart, &remainingPart); PhSplitStringRefAtChar(&remainingPart, L'|', &companyPart, &remainingPart); PhSplitStringRefAtChar(&remainingPart, L'|', &descriptionPart, &remainingPart); if (versionPart.Length != 0 && !ImageVersionInfo->FileVersion) { ImageVersionInfo->FileVersion = PhCreateString2(&versionPart); } if (companyPart.Length != 0 && !ImageVersionInfo->CompanyName) { ImageVersionInfo->CompanyName = PhCreateString2(&companyPart); } if (descriptionPart.Length != 0 && !ImageVersionInfo->FileDescription) { ImageVersionInfo->FileDescription = PhCreateString2(&descriptionPart); } return STATUS_SUCCESS; } NTSTATUS PhInitializeLxssImageVersionInfo( _Inout_ PPH_IMAGE_VERSION_INFO ImageVersionInfo, _In_ PPH_STRINGREF FileName ) { NTSTATUS success; PPH_STRING distributionGuid = NULL; PPH_STRING distributionName = NULL; PPH_STRING distributionCommand = NULL; PPH_STRING translatedPath = NULL; success = PhGetWslDistributionFromPath( FileName, &distributionGuid, &distributionName, NULL, &translatedPath ); if (!NT_SUCCESS(success)) return success; if (PhEqualString2(translatedPath, L"/init", FALSE)) { success = STATUS_UNSUCCESSFUL; goto CleanupExit; } success = PhWslQueryDebianPackageFromFileName( distributionGuid, distributionName, translatedPath, &distributionCommand ); if (NT_SUCCESS(success)) { success = PhWslParsePackageVersionInfo(ImageVersionInfo, distributionCommand); if (NT_SUCCESS(success)) goto CleanupExit; } success = PhWslQueryRpmPackageFromFileName( distributionGuid, distributionName, translatedPath, &distributionCommand ); if (NT_SUCCESS(success)) { success = PhWslParsePackageVersionInfo(ImageVersionInfo, distributionCommand); if (NT_SUCCESS(success)) goto CleanupExit; } CleanupExit: PhClearReference(&distributionCommand); PhClearReference(&distributionName); PhClearReference(&distributionGuid); PhClearReference(&translatedPath); return success; } NTSTATUS PhCreateProcessLxss( _In_ PPH_STRING DistributionGuid, _In_ PPH_STRING DistributionName, _In_ PPH_STRING DistributionCommand, _Out_ PPH_STRING *Result ) { static SECURITY_ATTRIBUTES securityAttributes = { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE }; #if defined(PH_WSL_PSEUDOCONSOLE) static typeof(&CreatePseudoConsole) CreatePseudoConsole_I = NULL; static typeof(&ClosePseudoConsole) ClosePseudoConsole_I = NULL; static PH_INITONCE initOnce = PH_INITONCE_INIT; HPCON pseudoConsoleHandle = NULL; #endif NTSTATUS status; PPH_STRING distributionCommand = NULL; PPH_STRING distributionCommandLine; HANDLE processHandle = NULL; HANDLE outputReadHandle = NULL, outputWriteHandle = NULL; HANDLE inputReadHandle = NULL, inputWriteHandle = NULL; PPROC_THREAD_ATTRIBUTE_LIST attributeList = NULL; HANDLE handleList[2]; STARTUPINFOEX startupInfo = { 0 }; PROCESS_BASIC_INFORMATION basicInfo; #if defined(PH_WSL_PSEUDOCONSOLE) if (PhBeginInitOnce(&initOnce)) { if (WindowsVersion >= WINDOWS_10_RS5) { PVOID baseAddress; if (baseAddress = PhGetLoaderEntryDllBaseZ(L"kernelbase.dll")) { CreatePseudoConsole_I = PhGetDllBaseProcedureAddress(baseAddress, "CreatePseudoConsole", 0); ClosePseudoConsole_I = PhGetDllBaseProcedureAddress(baseAddress, "ClosePseudoConsole", 0); } } PhEndInitOnce(&initOnce); } if (!CreatePseudoConsole_I || !ClosePseudoConsole_I) return STATUS_PROCEDURE_NOT_FOUND; #endif distributionCommandLine = PhGetWslDistributionCommandLine( DistributionGuid, DistributionName, DistributionCommand ); if (PhIsNullOrEmptyString(distributionCommandLine)) return STATUS_OBJECT_NAME_NOT_FOUND; status = PhCreatePipeEx( &outputReadHandle, &outputWriteHandle, NULL, &securityAttributes ); if (!NT_SUCCESS(status)) goto CleanupExit; status = PhCreatePipeEx( &inputReadHandle, &inputWriteHandle, &securityAttributes, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; #if defined(PH_WSL_PSEUDOCONSOLE) COORD coord = { 80, 25 }; if (HR_FAILED(CreatePseudoConsole_I(coord, inputReadHandle, outputWriteHandle, 0, &pseudoConsoleHandle))) { status = STATUS_UNSUCCESSFUL; goto CleanupExit; } #endif status = PhInitializeProcThreadAttributeList(&attributeList, 2); if (!NT_SUCCESS(status)) goto CleanupExit; handleList[0] = inputReadHandle; handleList[1] = outputWriteHandle; status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_HANDLE_LIST, handleList, sizeof(handleList) ); if (!NT_SUCCESS(status)) goto CleanupExit; #if defined(PH_WSL_PSEUDOCONSOLE) status = PhUpdateProcThreadAttribute( attributeList, PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE, pseudoConsoleHandle, sizeof(pseudoConsoleHandle) ); if (!NT_SUCCESS(status)) goto CleanupExit; #endif memset(&startupInfo, 0, sizeof(STARTUPINFOEX)); startupInfo.StartupInfo.cb = sizeof(STARTUPINFOEX); startupInfo.StartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_FORCEOFFFEEDBACK | STARTF_USESTDHANDLES; startupInfo.StartupInfo.wShowWindow = SW_HIDE; startupInfo.StartupInfo.hStdInput = inputReadHandle; startupInfo.StartupInfo.hStdOutput = outputWriteHandle; startupInfo.StartupInfo.hStdError = outputWriteHandle; startupInfo.lpAttributeList = attributeList; status = PhCreateProcessWin32Ex( NULL, PhGetString(distributionCommandLine), NULL, NULL, &startupInfo, PH_CREATE_PROCESS_INHERIT_HANDLES | PH_CREATE_PROCESS_NEW_CONSOLE | PH_CREATE_PROCESS_DEFAULT_ERROR_MODE | PH_CREATE_PROCESS_EXTENDED_STARTUPINFO, NULL, NULL, &processHandle, NULL ); if (!NT_SUCCESS(status)) goto CleanupExit; // Close the handles. (dmex) NtClose(inputReadHandle); inputReadHandle = NULL; NtClose(outputWriteHandle); outputWriteHandle = NULL; // Read the pipe data. (dmex) status = PhGetFileText(&distributionCommand, outputReadHandle, TRUE); if (!NT_SUCCESS(status)) goto CleanupExit; // Get the exit code after we finish reading the data from the pipe. (dmex) status = PhGetProcessBasicInformation(processHandle, &basicInfo); if (!NT_SUCCESS(status)) goto CleanupExit; status = basicInfo.ExitStatus; if (!NT_SUCCESS(status)) goto CleanupExit; *Result = PhReferenceObject(distributionCommand); CleanupExit: if (processHandle) NtClose(processHandle); #if defined(PH_WSL_PSEUDOCONSOLE) if (pseudoConsoleHandle) ClosePseudoConsole_I(pseudoConsoleHandle); #endif if (outputWriteHandle) NtClose(outputWriteHandle); if (outputReadHandle) NtClose(outputReadHandle); if (inputReadHandle) NtClose(inputReadHandle); if (inputWriteHandle) NtClose(inputWriteHandle); if (attributeList) PhDeleteProcThreadAttributeList(attributeList); if (distributionCommand) PhDereferenceObject(distributionCommand); if (distributionCommandLine) PhDereferenceObject(distributionCommandLine); return status; } ================================================ FILE: phnt/CMakeLists.txt ================================================ # # Copyright (c) 2022 Winsider Seminars & Solutions, Inc. All rights reserved. # # This file is part of System Informer. # project(phnt) add_library(phnt INTERFACE) target_include_directories(phnt INTERFACE "${CMAKE_CURRENT_SOURCE_DIR}/include" ) ================================================ FILE: phnt/README.md ================================================ This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See `phnt.h` for more information. ## Usage First make sure that your program is using the latest Windows SDK. These header files are designed to be used by user-mode programs. Instead of `#include `, place ``` #include #include ``` at the top of your program. The first line provides access to the Win32 API as well as the `NTSTATUS` values. The second line provides access to the entire Native API. By default, only definitions present in Windows XP are included into your program. To change this, use one of the following: ``` #define PHNT_VERSION PHNT_WINDOWS_XP // Windows XP #define PHNT_VERSION PHNT_WINDOWS_SERVER_2003 // Windows Server 2003 #define PHNT_VERSION PHNT_WINDOWS_VISTA // Windows Vista #define PHNT_VERSION PHNT_WINDOWS_7 // Windows 7 #define PHNT_VERSION PHNT_WINDOWS_8 // Windows 8 #define PHNT_VERSION PHNT_WINDOWS_8_1 // Windows 8.1 #define PHNT_VERSION PHNT_WINDOWS_10 // Windows 10 #define PHNT_VERSION PHNT_WINDOWS_11 // Windows 11 ``` ================================================ FILE: phnt/include/ntafd.h ================================================ /* * Ancillary Function Driver definitions * * This file is part of System Informer. */ #ifndef _NTAFD_H #define _NTAFD_H #include #include #include // private #define AFD_DEVICE_NAME L"\\Device\\Afd" // private // Extended Attributes #define AfdOpenPacket "AfdOpenPacketXX" // AFD_OPEN_PACKET #define AfdSwOpenPacket "AfdSwOpenPacket" // AFD_SWITCH_OPEN_PACKET // rev #define AfdRioRDOpenPacket "AfdRioRDOpenPacket" // void // rev // private typedef struct _AFD_ENDPOINT_FLAGS { union { struct { UCHAR ConnectionLess : 1; UCHAR : 3; UCHAR MessageMode : 1; UCHAR : 3; UCHAR Raw : 1; UCHAR : 3; UCHAR Multipoint : 1; UCHAR : 3; UCHAR C_Root : 1; UCHAR : 3; UCHAR D_Root : 1; UCHAR : 3; UCHAR IgnoreTDI : 1; UCHAR : 3; UCHAR RioSocket : 1; UCHAR : 3; }; ULONG EndpointFlags; }; } AFD_ENDPOINT_FLAGS, *PAFD_ENDPOINT_FLAGS; // private // Transport device names #define DD_TCP_DEVICE_NAME L"\\Device\\Tcp" #define DD_TCPV6_DEVICE_NAME L"\\Device\\Tcp6" #define DD_UDP_DEVICE_NAME L"\\Device\\Udp" #define DD_UDPV6_DEVICE_NAME L"\\Device\\Udp6" #define DD_RAW_IP_DEVICE_NAME L"\\Device\\RawIp" #define DD_RAW_IPV6_DEVICE_NAME L"\\Device\\RawIp6" // private typedef struct _AFD_OPEN_PACKET { _In_ AFD_ENDPOINT_FLAGS __f; _In_opt_ GROUP GroupID; _In_ LONG AddressFamily; // AF_* _In_ LONG SocketType; // SOCK_* _In_ LONG Protocol; // IPPROTO_*, BTHPROTO_*, HV_PROTOCOL_*, etc. _In_opt_ ULONG TransportDeviceNameLength; // Note: specifying a device changes the transport mode _Field_size_bytes_opt_(TransportDeviceNameLength) WCHAR TransportDeviceName[ANYSIZE_ARRAY]; } AFD_OPEN_PACKET, *PAFD_OPEN_PACKET; // rev (FILE_FULL_EA_INFORMATION + AfdOpenPacket + AFD_OPEN_PACKET) _Struct_size_bytes_(NextEntryOffset) typedef struct _AFD_OPEN_PACKET_FULL_EA { ULONG NextEntryOffset; UCHAR Flags; UCHAR EaNameLength; // sizeof(AfdOpenPacket) - sizeof(ANSI_NULL); USHORT EaValueLength; // sizeof(AFD_OPEN_PACKET) CHAR EaName[sizeof(AfdOpenPacket)]; AFD_OPEN_PACKET OpenPacket; } AFD_OPEN_PACKET_FULL_EA, *PAFD_OPEN_PACKET_FULL_EA; // private typedef struct _AFD_SWITCH_OPEN_PACKET { HANDLE CompletionPort; HANDLE CompletionEvent; } AFD_SWITCH_OPEN_PACKET, *PAFD_SWITCH_OPEN_PACKET; // // Since Vista, sockets can use different modes of transport: TLI, TDI, and hybrid. The mode is selected // based on whether the caller specifies the transport device at socket creation and whether this device // is suitable for hybrid operation. No device means TLI, which is the most common choice. // // The transport mode affects which structures AFD uses for IOCTLs on the socket: // - TLI sockets use *_TL structures (where applicable) and SOCKADDR for addresses. // - TDI and hybrid sockets use non-TL structures and TDI_ADDRESS_INFO for addresses. // // private // IOCTL function numbers #define AFD_BIND 0 // in: AFD_BIND_INFO_TL; out: SOCKADDR /or/ in: AFD_BIND_INFO; out: TDI_ADDRESS_INFO (depending on transport mode) #define AFD_CONNECT 1 // in: AFD_CONNECT_JOIN_INFO_TL or AFD_CONNECT_JOIN_INFO (depending on transport mode); out (opt): IO_STATUS_BLOCK #define AFD_START_LISTEN 2 // in: AFD_LISTEN_INFO #define AFD_WAIT_FOR_LISTEN 3 // out: AFD_LISTEN_RESPONSE_INFO_TL or AFD_LISTEN_RESPONSE_INFO (depending on transport mode) #define AFD_ACCEPT 4 // in: AFD_ACCEPT_INFO #define AFD_RECEIVE 5 // in: AFD_RECV_INFO #define AFD_RECEIVE_DATAGRAM 6 // in: AFD_DATAGRAM_INFO #define AFD_SEND 7 // in: AFD_SEND_INFO #define AFD_SEND_DATAGRAM 8 // in: AFD_SEND_DATAGRAM_INFO #define AFD_POLL 9 // in, out: AFD_POLL_INFO #define AFD_PARTIAL_DISCONNECT 10 // in: AFD_PARTIAL_DISCONNECT_INFO #define AFD_GET_ADDRESS 11 // out: AFD_ADDRESS (SOCKADDR or TDI_ADDRESS_INFO, depending on transport mode) #define AFD_QUERY_RECEIVE_INFO 12 // out: AFD_RECEIVE_INFORMATION #define AFD_QUERY_HANDLES 13 // in: ULONG (AFD_QUERY_*); out: AFD_HANDLE_INFO #define AFD_SET_INFORMATION 14 // in: AFD_INFORMATION #define AFD_GET_REMOTE_ADDRESS 15 // out: AFD_ADDRESS (SOCKADDR or TDI_ADDRESS_INFO, depending on transport mode) #define AFD_GET_CONTEXT 16 // out: SOCK_SHARED_INFO (on Win32 level) or custom data #define AFD_SET_CONTEXT 17 // in: SOCK_SHARED_INFO (on Win32 level) or custom data; out: AFD_ADDRESS (SOCKADDR or TDI_ADDRESS_INFO, depending on transport mode; output buffer must be inside the input buffer) #define AFD_SET_CONNECT_DATA 18 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_SET_CONNECT_OPTIONS 19 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_SET_DISCONNECT_DATA 20 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_SET_DISCONNECT_OPTIONS 21 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_GET_CONNECT_DATA 22 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_GET_CONNECT_OPTIONS 23 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_GET_DISCONNECT_DATA 24 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_GET_DISCONNECT_OPTIONS 25 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_SIZE_CONNECT_DATA 26 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_SIZE_CONNECT_OPTIONS 27 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_SIZE_DISCONNECT_DATA 28 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_SIZE_DISCONNECT_OPTIONS 29 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: payload #define AFD_GET_INFORMATION 30 // in, out: AFD_INFORMATION #define AFD_TRANSMIT_FILE 31 // in: AFD_TRANSMIT_FILE_INFO; out (opt): BOOLEAN #define AFD_SUPER_ACCEPT 32 // in: AFD_SUPER_ACCEPT_INFO; out: received data + local address + remote address (at offsets according to the input) #define AFD_EVENT_SELECT 33 // in: AFD_EVENT_SELECT_INFO #define AFD_ENUM_NETWORK_EVENTS 34 // in (opt): HANDLE; out: AFD_ENUM_NETWORK_EVENTS_INFO #define AFD_DEFER_ACCEPT 35 // in: AFD_DEFER_ACCEPT_INFO #define AFD_WAIT_FOR_LISTEN_LIFO 36 // out: AFD_LISTEN_RESPONSE_INFO_TL or AFD_LISTEN_RESPONSE_INFO (depending on transport mode) #define AFD_SET_QOS 37 // in: AFD_QOS_INFO #define AFD_GET_QOS 38 // out: AFD_QOS_INFO #define AFD_NO_OPERATION 39 // in (opt): IO_STATUS_BLOCK #define AFD_VALIDATE_GROUP 40 // in: AFD_VALIDATE_GROUP_INFO #define AFD_GET_UNACCEPTED_CONNECT_DATA 41 // in: AFD_UNACCEPTED_CONNECT_DATA_INFO; out: AFD_UNACCEPTED_CONNECT_DATA_INFO (when LengthOnly is set) or received data #define AFD_ROUTING_INTERFACE_QUERY 42 // in: TRANSPORT_ADDRESS; out: SOCKADDR #define AFD_ROUTING_INTERFACE_CHANGE 43 // in: AFD_TRANSPORT_IOCTL_INFO #define AFD_ADDRESS_LIST_QUERY 44 // in: USHORT (TDI_ADDRESS_TYPE_*/AF_*); out: TRANSPORT_ADDRESS #define AFD_ADDRESS_LIST_CHANGE 45 // in: AFD_TRANSPORT_IOCTL_INFO #define AFD_JOIN_LEAF 46 // in: AFD_CONNECT_JOIN_INFO_TL or AFD_CONNECT_JOIN_INFO (depending on transport mode); out (opt): IO_STATUS_BLOCK #define AFD_TRANSPORT_IOCTL 47 // in: AFD_TL_IO_CONTROL_INFO; out: variable #define AFD_TRANSMIT_PACKETS 48 // in: AFD_TPACKETS_INFO; out (opt): BOOLEAN #define AFD_SUPER_CONNECT 49 // in: AFD_SUPER_CONNECT_INFO_TL or AFD_SUPER_CONNECT_INFO (depending on transport mode); out: payload #define AFD_SUPER_DISCONNECT 50 // in: AFD_SUPER_DISCONNECT_INFO #define AFD_RECEIVE_MESSAGE 51 // in: AFD_MESSAGE_INFO #define AFD_SEND_MESSAGE 52 // in: AFD_MESSAGE_INFO // rev // since VISTA // breaks layout; values below are different on XP #define AFD_SWITCH_CEMENT_SAN 53 // in: AFD_SWITCH_CONTEXT_INFO #define AFD_SWITCH_SET_EVENTS 54 // in: AFD_SWITCH_EVENT_INFO #define AFD_SWITCH_RESET_EVENTS 55 // in: AFD_SWITCH_EVENT_INFO #define AFD_SWITCH_CONNECT_IND 56 // in: AFD_SWITCH_CONNECT_INFO; out: AFD_SWITCH_ACCEPT_INFO #define AFD_SWITCH_CMPL_ACCEPT 57 // in: AFD_SWITCH_CONTEXT_INFO; out: payload #define AFD_SWITCH_CMPL_REQUEST 58 // in: AFD_SWITCH_REQUEST_INFO; out: payload #define AFD_SWITCH_CMPL_IO 59 // in: IO_STATUS_BLOCK #define AFD_SWITCH_REFRESH_ENDP 60 // in: AFD_SWITCH_CONTEXT_INFO #define AFD_SWITCH_GET_PHYSICAL_ADDR 61 // deprecated #define AFD_SWITCH_ACQUIRE_CTX 62 // in: AFD_SWITCH_ACQUIRE_CTX_INFO; out: payload #define AFD_SWITCH_TRANSFER_CTX 63 // in: AFD_SWITCH_TRANSFER_CTX_INFO #define AFD_SWITCH_GET_SERVICE_PID 64 // in/out: void; returns PID in IO_STATUS_BLOCK.Information #define AFD_SWITCH_SET_SERVICE_PROCESS 65 // in/out: void #define AFD_SWITCH_PROVIDER_CHANGE 66 // in/out: void #define AFD_SWITCH_ADDRLIST_CHANGE 67 // in: AFD_TRANSPORT_IOCTL_INFO #define AFD_UNBIND 68 // in: AFD_UNBIND_INFO // rev // since VISTA #define AFD_SQM 69 // in: AFD_SQM_INFO // rev // since WIN7 #define AFD_RIO 70 // in/out: AFD_RIO_COMMAND_HEADER // rev // since WIN8 #define AFD_TRANSFER_BEGIN 71 // in/out: void // rev // since TH1 #define AFD_TRANSFER_END 72 // in/out: void // rev // since TH1 #define AFD_NOTIFY 73 // rev // since 22H2 // private // Note: different bit layout from CTL_CODE #define FSCTL_AFD_BASE FILE_DEVICE_NETWORK #define _AFD_CONTROL_CODE(Request, Method) (FSCTL_AFD_BASE << 12 | (Request) << 2 | (Method)) // private // IOCTLs #define IOCTL_AFD_BIND _AFD_CONTROL_CODE(AFD_BIND, METHOD_NEITHER) // 0x12003 #define IOCTL_AFD_CONNECT _AFD_CONTROL_CODE(AFD_CONNECT, METHOD_NEITHER) // 0x12007 #define IOCTL_AFD_START_LISTEN _AFD_CONTROL_CODE(AFD_START_LISTEN, METHOD_NEITHER) // 0x1200B #define IOCTL_AFD_WAIT_FOR_LISTEN _AFD_CONTROL_CODE(AFD_WAIT_FOR_LISTEN, METHOD_BUFFERED) // 0x1200C #define IOCTL_AFD_ACCEPT _AFD_CONTROL_CODE(AFD_ACCEPT, METHOD_BUFFERED) // 0x12010 #define IOCTL_AFD_RECEIVE _AFD_CONTROL_CODE(AFD_RECEIVE, METHOD_NEITHER) // 0x12017 #define IOCTL_AFD_RECEIVE_DATAGRAM _AFD_CONTROL_CODE(AFD_RECEIVE_DATAGRAM, METHOD_NEITHER) // 0x1201B #define IOCTL_AFD_SEND _AFD_CONTROL_CODE(AFD_SEND, METHOD_NEITHER) // 0x1201F #define IOCTL_AFD_SEND_DATAGRAM _AFD_CONTROL_CODE(AFD_SEND_DATAGRAM, METHOD_NEITHER) // 0x12023 #define IOCTL_AFD_POLL _AFD_CONTROL_CODE(AFD_POLL, METHOD_BUFFERED) // 0x12024 #define IOCTL_AFD_PARTIAL_DISCONNECT _AFD_CONTROL_CODE(AFD_PARTIAL_DISCONNECT, METHOD_NEITHER) // 0x1202B #define IOCTL_AFD_GET_ADDRESS _AFD_CONTROL_CODE(AFD_GET_ADDRESS, METHOD_NEITHER) // 0x1202F #define IOCTL_AFD_QUERY_RECEIVE_INFO _AFD_CONTROL_CODE(AFD_QUERY_RECEIVE_INFO, METHOD_NEITHER) // 0x12033 #define IOCTL_AFD_QUERY_HANDLES _AFD_CONTROL_CODE(AFD_QUERY_HANDLES, METHOD_NEITHER) // 0x12037 #define IOCTL_AFD_SET_INFORMATION _AFD_CONTROL_CODE(AFD_SET_INFORMATION, METHOD_NEITHER) // 0x1203B #define IOCTL_AFD_GET_REMOTE_ADDRESS _AFD_CONTROL_CODE(AFD_GET_REMOTE_ADDRESS, METHOD_NEITHER) // 0x1203F #define IOCTL_AFD_GET_CONTEXT _AFD_CONTROL_CODE(AFD_GET_CONTEXT, METHOD_NEITHER) // 0x12043 #define IOCTL_AFD_SET_CONTEXT _AFD_CONTROL_CODE(AFD_SET_CONTEXT, METHOD_NEITHER) // 0x12047 #define IOCTL_AFD_SET_CONNECT_DATA _AFD_CONTROL_CODE(AFD_SET_CONNECT_DATA, METHOD_NEITHER) // 0x1204B #define IOCTL_AFD_SET_CONNECT_OPTIONS _AFD_CONTROL_CODE(AFD_SET_CONNECT_OPTIONS, METHOD_NEITHER) // 0x1204F #define IOCTL_AFD_SET_DISCONNECT_DATA _AFD_CONTROL_CODE(AFD_SET_DISCONNECT_DATA, METHOD_NEITHER) // 0x12053 #define IOCTL_AFD_SET_DISCONNECT_OPTIONS _AFD_CONTROL_CODE(AFD_SET_DISCONNECT_OPTIONS, METHOD_NEITHER) // 0x12057 #define IOCTL_AFD_GET_CONNECT_DATA _AFD_CONTROL_CODE(AFD_GET_CONNECT_DATA, METHOD_NEITHER) // 0x1205B #define IOCTL_AFD_GET_CONNECT_OPTIONS _AFD_CONTROL_CODE(AFD_GET_CONNECT_OPTIONS, METHOD_NEITHER) // 0x1205F #define IOCTL_AFD_GET_DISCONNECT_DATA _AFD_CONTROL_CODE(AFD_GET_DISCONNECT_DATA, METHOD_NEITHER) // 0x12063 #define IOCTL_AFD_GET_DISCONNECT_OPTIONS _AFD_CONTROL_CODE(AFD_GET_DISCONNECT_OPTIONS, METHOD_NEITHER) // 0x12067 #define IOCTL_AFD_SIZE_CONNECT_DATA _AFD_CONTROL_CODE(AFD_SIZE_CONNECT_DATA, METHOD_NEITHER) // 0x1206B #define IOCTL_AFD_SIZE_CONNECT_OPTIONS _AFD_CONTROL_CODE(AFD_SIZE_CONNECT_OPTIONS, METHOD_NEITHER) // 0x1206F #define IOCTL_AFD_SIZE_DISCONNECT_DATA _AFD_CONTROL_CODE(AFD_SIZE_DISCONNECT_DATA, METHOD_NEITHER) // 0x12073 #define IOCTL_AFD_SIZE_DISCONNECT_OPTIONS _AFD_CONTROL_CODE(AFD_SIZE_DISCONNECT_OPTIONS, METHOD_NEITHER) // 0x12077 #define IOCTL_AFD_GET_INFORMATION _AFD_CONTROL_CODE(AFD_GET_INFORMATION, METHOD_NEITHER) // 0x1207B #define IOCTL_AFD_TRANSMIT_FILE _AFD_CONTROL_CODE(AFD_TRANSMIT_FILE, METHOD_NEITHER) // 0x1207F #define IOCTL_AFD_SUPER_ACCEPT _AFD_CONTROL_CODE(AFD_SUPER_ACCEPT, METHOD_NEITHER) // 0x12083 #define IOCTL_AFD_EVENT_SELECT _AFD_CONTROL_CODE(AFD_EVENT_SELECT, METHOD_NEITHER) // 0x12087 #define IOCTL_AFD_ENUM_NETWORK_EVENTS _AFD_CONTROL_CODE(AFD_ENUM_NETWORK_EVENTS, METHOD_NEITHER) // 0x1208B #define IOCTL_AFD_DEFER_ACCEPT _AFD_CONTROL_CODE(AFD_DEFER_ACCEPT, METHOD_BUFFERED) // 0x1208C #define IOCTL_AFD_WAIT_FOR_LISTEN_LIFO _AFD_CONTROL_CODE(AFD_WAIT_FOR_LISTEN_LIFO, METHOD_BUFFERED) // 0x12090 #define IOCTL_AFD_SET_QOS _AFD_CONTROL_CODE(AFD_SET_QOS, METHOD_BUFFERED) // 0x12094 #define IOCTL_AFD_GET_QOS _AFD_CONTROL_CODE(AFD_GET_QOS, METHOD_BUFFERED) // 0x12098 #define IOCTL_AFD_NO_OPERATION _AFD_CONTROL_CODE(AFD_NO_OPERATION, METHOD_NEITHER) // 0x1209F #define IOCTL_AFD_VALIDATE_GROUP _AFD_CONTROL_CODE(AFD_VALIDATE_GROUP, METHOD_BUFFERED) // 0x120A0 #define IOCTL_AFD_GET_UNACCEPTED_CONNECT_DATA _AFD_CONTROL_CODE(AFD_GET_UNACCEPTED_CONNECT_DATA, METHOD_NEITHER) // 0x120A7 #define IOCTL_AFD_ROUTING_INTERFACE_QUERY _AFD_CONTROL_CODE(AFD_ROUTING_INTERFACE_QUERY, METHOD_NEITHER) // 0x120AB #define IOCTL_AFD_ROUTING_INTERFACE_CHANGE _AFD_CONTROL_CODE(AFD_ROUTING_INTERFACE_CHANGE, METHOD_BUFFERED) // 0x120AC #define IOCTL_AFD_ADDRESS_LIST_QUERY _AFD_CONTROL_CODE(AFD_ADDRESS_LIST_QUERY, METHOD_NEITHER) // 0x120B3 #define IOCTL_AFD_ADDRESS_LIST_CHANGE _AFD_CONTROL_CODE(AFD_ADDRESS_LIST_CHANGE, METHOD_BUFFERED) // 0x120B4 #define IOCTL_AFD_JOIN_LEAF _AFD_CONTROL_CODE(AFD_JOIN_LEAF, METHOD_NEITHER) // 0x120BB #define IOCTL_AFD_TRANSPORT_IOCTL _AFD_CONTROL_CODE(AFD_TRANSPORT_IOCTL, METHOD_NEITHER) // 0x120BF #define IOCTL_AFD_TRANSMIT_PACKETS _AFD_CONTROL_CODE(AFD_TRANSMIT_PACKETS, METHOD_NEITHER) // 0x120C3 #define IOCTL_AFD_SUPER_CONNECT _AFD_CONTROL_CODE(AFD_SUPER_CONNECT, METHOD_NEITHER) // 0x120C7 #define IOCTL_AFD_SUPER_DISCONNECT _AFD_CONTROL_CODE(AFD_SUPER_DISCONNECT, METHOD_NEITHER) // 0x120CB #define IOCTL_AFD_RECEIVE_MESSAGE _AFD_CONTROL_CODE(AFD_RECEIVE_MESSAGE, METHOD_NEITHER) // 0x120CF #define IOCTL_AFD_SEND_MESSAGE _AFD_CONTROL_CODE(AFD_SEND_MESSAGE, METHOD_NEITHER) // 0x120D3 // rev // since VISTA #define IOCTL_AFD_SWITCH_CEMENT_SAN _AFD_CONTROL_CODE(AFD_SWITCH_CEMENT_SAN, METHOD_NEITHER) // 0x120D7 #define IOCTL_AFD_SWITCH_SET_EVENTS _AFD_CONTROL_CODE(AFD_SWITCH_SET_EVENTS, METHOD_NEITHER) // 0x120DB #define IOCTL_AFD_SWITCH_RESET_EVENTS _AFD_CONTROL_CODE(AFD_SWITCH_RESET_EVENTS, METHOD_NEITHER) // 0x120DF #define IOCTL_AFD_SWITCH_CONNECT_IND _AFD_CONTROL_CODE(AFD_SWITCH_CONNECT_IND, METHOD_OUT_DIRECT) // 0x120E2 #define IOCTL_AFD_SWITCH_CMPL_ACCEPT _AFD_CONTROL_CODE(AFD_SWITCH_CMPL_ACCEPT, METHOD_NEITHER) // 0x120E7 #define IOCTL_AFD_SWITCH_CMPL_REQUEST _AFD_CONTROL_CODE(AFD_SWITCH_CMPL_REQUEST, METHOD_NEITHER) // 0x120EB #define IOCTL_AFD_SWITCH_CMPL_IO _AFD_CONTROL_CODE(AFD_SWITCH_CMPL_IO, METHOD_NEITHER) // 0x120EF #define IOCTL_AFD_SWITCH_REFRESH_ENDP _AFD_CONTROL_CODE(AFD_SWITCH_REFRESH_ENDP, METHOD_NEITHER) // 0x120F3 #define IOCTL_AFD_SWITCH_GET_PHYSICAL_ADDR _AFD_CONTROL_CODE(AFD_SWITCH_GET_PHYSICAL_ADDR, METHOD_NEITHER) // 0x120F7 #define IOCTL_AFD_SWITCH_ACQUIRE_CTX _AFD_CONTROL_CODE(AFD_SWITCH_ACQUIRE_CTX, METHOD_NEITHER) // 0x120FB #define IOCTL_AFD_SWITCH_TRANSFER_CTX _AFD_CONTROL_CODE(AFD_SWITCH_TRANSFER_CTX, METHOD_NEITHER) // 0x120FF #define IOCTL_AFD_SWITCH_GET_SERVICE_PID _AFD_CONTROL_CODE(AFD_SWITCH_GET_SERVICE_PID, METHOD_NEITHER) // 0x12103 #define IOCTL_AFD_SWITCH_SET_SERVICE_PROCESS _AFD_CONTROL_CODE(AFD_SWITCH_SET_SERVICE_PROCESS, METHOD_NEITHER) // 0x12107 #define IOCTL_AFD_SWITCH_PROVIDER_CHANGE _AFD_CONTROL_CODE(AFD_SWITCH_PROVIDER_CHANGE, METHOD_NEITHER) // 0x1210B #define IOCTL_AFD_SWITCH_ADDRLIST_CHANGE _AFD_CONTROL_CODE(AFD_SWITCH_ADDRLIST_CHANGE, METHOD_BUFFERED) // 0x1210C #define IOCTL_AFD_UNBIND _AFD_CONTROL_CODE(AFD_UNBIND, METHOD_NEITHER) // 0x12113 // rev #define IOCTL_AFD_SQM _AFD_CONTROL_CODE(AFD_SQM, METHOD_NEITHER) // 0x12117 // rev // since WIN7 #define IOCTL_AFD_RIO _AFD_CONTROL_CODE(AFD_RIO, METHOD_NEITHER) // 0x1211B // rev // since WIN8 #define IOCTL_AFD_TRANSFER_BEGIN _AFD_CONTROL_CODE(AFD_TRANSFER_BEGIN, METHOD_NEITHER) // 0x1211F // rev // since TH1 #define IOCTL_AFD_TRANSFER_END _AFD_CONTROL_CODE(AFD_TRANSFER_END, METHOD_NEITHER) // 0x12123 // rev #define IOCTL_AFD_NOTIFY _AFD_CONTROL_CODE(AFD_NOTIFY, METHOD_NEITHER) // 0x12127 // rev // since 22H2 #include // rev - a union for TLI/TDI socket addresses typedef union _AFD_ADDRESS { SOCKADDR_STORAGE TliAddress; TDI_ADDRESS_INFO TdiAddress; struct { // // TDI_ADDRESS_INFO includes an embedded socket address that starts at AddressType (which corresponds to sa_family). // // ---------------- | ------------------------- | // | ULONG ActivityCount | // | ------------------------- | --------------------- | // | | ULONG TAAddressCount | // | | --------------------- | ---------------------------- | // | | | USHORT AddressLength | // TDI_ADDRESS_INFO | TRANSPORT_ADDRESS Address | | ---------------------------- | ---------- | ---------------- | // | | TA_ADDRESS Address[1] | USHORT AddressType | | USHORT sa_family | // | | | ---------------------------- | SOCKADDR | ---------------- | // | | | UCHAR Address[AddressLength] | (embedded) | ... | // | | | ... | | | // ---------------- | ------------------------- | --------------------- | ---------------------------- | ---------- | ---------------- | // UCHAR Padding[10]; // RTL_SIZEOF_THROUGH_FIELD(TDI_ADDRESS_INFO, Address.Address[0].AddressLength) SOCKADDR_STORAGE EmbeddedAddress; } TdiAddressUnpacked; } AFD_ADDRESS, *PAFD_ADDRESS; #include // private // Bind share access #define AFD_NORMALADDRUSE 0 #define AFD_REUSEADDRESS 1 #define AFD_WILDCARDADDRESS 2 #define AFD_EXCLUSIVEADDRUSE 3 // private typedef struct _AFD_BIND_INFO { ULONG ShareAccess; TRANSPORT_ADDRESS Address; } AFD_BIND_INFO, *PAFD_BIND_INFO; // private typedef struct _AFD_BIND_INFO_TL { ULONG ShareAccess; SOCKADDR Address; } AFD_BIND_INFO_TL, *PAFD_BIND_INFO_TL; // private typedef struct _AFD_CONNECT_JOIN_INFO { BOOLEAN SanActive; HANDLE RootEndpoint; HANDLE ConnectEndpoint; TRANSPORT_ADDRESS RemoteAddress; } AFD_CONNECT_JOIN_INFO, *PAFD_CONNECT_JOIN_INFO; // private typedef struct _AFD_CONNECT_JOIN_INFO_TL { BOOLEAN SanActive; HANDLE RootEndpoint; HANDLE ConnectEndpoint; SOCKADDR RemoteAddress; } AFD_CONNECT_JOIN_INFO_TL, *PAFD_CONNECT_JOIN_INFO_TL; // private typedef struct _AFD_LISTEN_INFO { BOOLEAN SanActive; ULONG MaximumConnectionQueue; BOOLEAN UseDelayedAcceptance; } AFD_LISTEN_INFO, *PAFD_LISTEN_INFO; // private typedef struct _AFD_LISTEN_RESPONSE_INFO { LONG Sequence; TRANSPORT_ADDRESS RemoteAddress; } AFD_LISTEN_RESPONSE_INFO, *PAFD_LISTEN_RESPONSE_INFO; // private typedef struct _AFD_LISTEN_RESPONSE_INFO_TL { LONG Sequence; SOCKADDR RemoteAddress; } AFD_LISTEN_RESPONSE_INFO_TL, *PAFD_LISTEN_RESPONSE_INFO_TL; // private typedef struct _AFD_ACCEPT_INFO { BOOLEAN SanActive; LONG Sequence; HANDLE AcceptHandle; } AFD_ACCEPT_INFO, *PAFD_ACCEPT_INFO; // private // AfdFlags #define AFD_NO_FAST_IO 0x0001 #define AFD_OVERLAPPED 0x0002 // private typedef struct _AFD_RECV_INFO { _Field_size_(BufferCount) LPWSABUF BufferArray; ULONG BufferCount; ULONG AfdFlags; ULONG TdiFlags; // TDI_RECEIVE_* } AFD_RECV_INFO, *PAFD_RECV_INFO; // private typedef struct _AFD_DATAGRAM_INFO { _Field_size_(BufferCount) LPWSABUF BufferArray; ULONG BufferCount; ULONG AfdFlags; ULONG TdiFlags; // TDI_RECEIVE_* PVOID Address; PULONG AddressLength; } AFD_DATAGRAM_INFO, *PAFD_DATAGRAM_INFO; // private typedef struct _AFD_SEND_INFO { _Field_size_(BufferCount) LPWSABUF BufferArray; ULONG BufferCount; ULONG AfdFlags; ULONG TdiFlags; // TDI_RECEIVE_* } AFD_SEND_INFO, *PAFD_SEND_INFO; // private typedef struct _AFD_SEND_DATAGRAM_INFO { _Field_size_(BufferCount) LPWSABUF BufferArray; ULONG BufferCount; ULONG AfdFlags; TDI_REQUEST_SEND_DATAGRAM TdiRequest; TDI_CONNECTION_INFORMATION TdiConnInfo; } AFD_SEND_DATAGRAM_INFO, *PAFD_SEND_DATAGRAM_INFO; // private // Poll event bit numbers #define AFD_POLL_RECEIVE_BIT 0 #define AFD_POLL_RECEIVE_EXPEDITED_BIT 1 #define AFD_POLL_SEND_BIT 2 #define AFD_POLL_DISCONNECT_BIT 3 #define AFD_POLL_ABORT_BIT 4 #define AFD_POLL_LOCAL_CLOSE_BIT 5 #define AFD_POLL_CONNECT_BIT 6 #define AFD_POLL_ACCEPT_BIT 7 #define AFD_POLL_CONNECT_FAIL_BIT 8 #define AFD_POLL_QOS_BIT 9 #define AFD_POLL_GROUP_QOS_BIT 10 #define AFD_POLL_ROUTING_IF_CHANGE_BIT 11 #define AFD_POLL_ADDRESS_LIST_CHANGE_BIT 12 #define AFD_NUM_POLL_EVENTS 13 // private // Poll event flags #define AFD_POLL_RECEIVE (1 << AFD_POLL_RECEIVE_BIT) // 0x0001 #define AFD_POLL_RECEIVE_EXPEDITED (1 << AFD_POLL_RECEIVE_EXPEDITED_BIT) // 0x0002 #define AFD_POLL_SEND (1 << AFD_POLL_SEND_BIT) // 0x0004 #define AFD_POLL_DISCONNECT (1 << AFD_POLL_DISCONNECT_BIT) // 0x0008 #define AFD_POLL_ABORT (1 << AFD_POLL_ABORT_BIT) // 0x0010 #define AFD_POLL_LOCAL_CLOSE (1 << AFD_POLL_LOCAL_CLOSE_BIT) // 0x0020 #define AFD_POLL_CONNECT (1 << AFD_POLL_CONNECT_BIT) // 0x0040 #define AFD_POLL_ACCEPT (1 << AFD_POLL_ACCEPT_BIT) // 0x0080 #define AFD_POLL_CONNECT_FAIL (1 << AFD_POLL_CONNECT_FAIL_BIT) // 0x0100 #define AFD_POLL_QOS (1 << AFD_POLL_QOS_BIT) // 0x0200 #define AFD_POLL_GROUP_QOS (1 << AFD_POLL_GROUP_QOS_BIT) // 0x0400 #define AFD_POLL_ROUTING_IF_CHANGE (1 << AFD_POLL_ROUTING_IF_CHANGE_BIT) // 0x0800 #define AFD_POLL_ADDRESS_LIST_CHANGE (1 << AFD_POLL_ADDRESS_LIST_CHANGE_BIT) // 0x1000 #define AFD_POLL_ALL ((1 << AFD_NUM_POLL_EVENTS) - 1) // 0x1FFF #define AFD_POLL_SANCOUNTS_UPDATED 0x80000000 // private typedef struct _AFD_POLL_HANDLE_INFO { HANDLE Handle; ULONG PollEvents; // AFD_POLL_* NTSTATUS Status; } AFD_POLL_HANDLE_INFO, *PAFD_POLL_HANDLE_INFO; // private typedef struct _AFD_POLL_INFO { LARGE_INTEGER Timeout; ULONG NumberOfHandles; BOOLEAN Unique; _Field_size_(NumberOfHandles) AFD_POLL_HANDLE_INFO Handles[ANYSIZE_ARRAY]; } AFD_POLL_INFO, *PAFD_POLL_INFO; // private // Disconnect flags #define AFD_PARTIAL_DISCONNECT_SEND 0x01 #define AFD_PARTIAL_DISCONNECT_RECEIVE 0x02 #define AFD_ABORTIVE_DISCONNECT 0x04 #define AFD_UNCONNECT_DATAGRAM 0x08 // private typedef struct _AFD_PARTIAL_DISCONNECT_INFO { ULONG DisconnectMode; LARGE_INTEGER Timeout; } AFD_PARTIAL_DISCONNECT_INFO, *PAFD_PARTIAL_DISCONNECT_INFO; // private typedef struct _AFD_RECEIVE_INFORMATION { ULONG BytesAvailable; ULONG ExpeditedBytesAvailable; } AFD_RECEIVE_INFORMATION, *PAFD_RECEIVE_INFORMATION; // private // Handle query flags #define AFD_QUERY_ADDRESS_HANDLE 0x01 #define AFD_QUERY_CONNECTION_HANDLE 0x02 // private typedef struct _AFD_HANDLE_INFO { HANDLE TdiAddressHandle; HANDLE TdiConnectionHandle; } AFD_HANDLE_INFO, *PAFD_HANDLE_INFO; // private // InformationType #define AFD_INLINE_MODE 1 // s: BOOLEAN #define AFD_NONBLOCKING_MODE 2 // s: BOOLEAN #define AFD_MAX_SEND_SIZE 3 // q: ULONG #define AFD_SENDS_PENDING 4 // q: ULONG #define AFD_MAX_PATH_SEND_SIZE 5 // q: ULONG #define AFD_RECEIVE_WINDOW_SIZE 6 // q; s: ULONG #define AFD_SEND_WINDOW_SIZE 7 // q; s: ULONG #define AFD_CONNECT_TIME 8 // q: ULONG (in seconds) #define AFD_CIRCULAR_QUEUEING 9 // s: BOOLEAN #define AFD_GROUP_ID_AND_TYPE 10 // q: AFD_GROUP_INFO #define AFD_REPORT_PORT_UNREACHABLE 11 // s: BOOLEAN #define AFD_REPORT_NETWORK_UNREACHABLE 12 // s: BOOLEAN // rev #define AFD_DELIVERY_STATUS 14 // q: SIO_DELIVERY_STATUS // rev #define AFD_CANCEL_TL 15 // s: void // rev // private typedef enum _AFD_GROUP_TYPE { GroupTypeNeither = 0, GroupTypeUnconstrained = SG_UNCONSTRAINED_GROUP, GroupTypeConstrained = SG_CONSTRAINED_GROUP, } AFD_GROUP_TYPE, *PAFD_GROUP_TYPE; // private typedef struct _AFD_GROUP_INFO { GROUP GroupID; AFD_GROUP_TYPE GroupType; } AFD_GROUP_INFO, *PAFD_GROUP_INFO; // private typedef struct _SIO_DELIVERY_STATUS { BOOLEAN DeliveryAvailable; ULONG PendedReceiveRequests; } SIO_DELIVERY_STATUS, *PSIO_DELIVERY_STATUS; // private typedef struct _AFD_INFORMATION { ULONG InformationType; union { BOOLEAN Boolean; ULONG Ulong; LARGE_INTEGER LargeInteger; AFD_GROUP_INFO GroupInfo; // rev SIO_DELIVERY_STATUS DeliveryStatus; // rev } Information; } AFD_INFORMATION, *PAFD_INFORMATION; // private typedef enum _SOCKET_STATE { SocketStateInitializing = -1, SocketStateOpen = 0, SocketStateBound = 1, SocketStateBoundSpecific = 2, SocketStateConnected = 3, SocketStateClosing = 4, } SOCKET_STATE, *PSOCKET_STATE; // private typedef struct _SOCK_SHARED_INFO { SOCKET_STATE State; LONG AddressFamily; // AF_* LONG SocketType; // SOCK_* LONG Protocol; // IPPROTO_*, BTHPROTO_*, HV_PROTOCOL_*, etc. LONG LocalAddressLength; LONG RemoteAddressLength; LINGER LingerInfo; ULONG SendTimeout; // in milliseconds ULONG ReceiveTimeout; // in milliseconds ULONG ReceiveBufferSize; ULONG SendBufferSize; union { USHORT Flags; struct { USHORT Listening : 1; USHORT Broadcast : 1; USHORT Debug : 1; USHORT OobInline : 1; USHORT ReuseAddresses : 1; USHORT ExclusiveAddressUse : 1; USHORT NonBlocking : 1; USHORT DontUseWildcard : 1; USHORT ReceiveShutdown : 1; USHORT SendShutdown : 1; USHORT ConditionalAccept : 1; USHORT IsSANSocket : 1; USHORT fIsTLI : 1; USHORT Rio : 1; USHORT ReceiveBufferSizeSet : 1; USHORT SendBufferSizeSet : 1; }; }; ULONG CreationFlags; // WSA_FLAG_* ULONG CatalogEntryId; ULONG ServiceFlags1; // XP1_* ULONG ProviderFlags; // PFL_* GROUP GroupID; AFD_GROUP_TYPE GroupType; LONG GroupPriority; LONG LastError; union { HWND AsyncSelecthWnd; ULONGLONG AsyncSelectWnd64; }; ULONG AsyncSelectSerialNumber; ULONG AsyncSelectwMsg; LONG AsyncSelectlEvent; LONG DisabledAsyncSelectEvents; GUID ProviderId; } SOCK_SHARED_INFO, *PSOCK_SHARED_INFO; // private typedef struct _AFD_UNACCEPTED_CONNECT_DATA_INFO { LONG Sequence; ULONG ConnectDataLength; BOOLEAN LengthOnly; } AFD_UNACCEPTED_CONNECT_DATA_INFO, *PAFD_UNACCEPTED_CONNECT_DATA_INFO; // private // Transmit flags #define AFD_TF_DISCONNECT 0x01 #define AFD_TF_REUSE_SOCKET 0x02 #define AFD_TF_WRITE_BEHIND 0x04 #define AFD_TF_USE_DEFAULT_WORKER 0x00 #define AFD_TF_USE_SYSTEM_THREAD 0x10 #define AFD_TF_USE_KERNEL_APC 0x20 #define AFD_TF_WORKER_KIND_MASK 0x30 // private typedef struct _AFD_TRANSMIT_FILE_INFO { LARGE_INTEGER Offset; LARGE_INTEGER WriteLength; ULONG SendPacketLength; HANDLE FileHandle; PVOID Head; ULONG HeadLength; PVOID Tail; ULONG TailLength; ULONG Flags; // AFD_TF_* } AFD_TRANSMIT_FILE_INFO, *PAFD_TRANSMIT_FILE_INFO; // private typedef struct _AFD_SUPER_ACCEPT_INFO { BOOLEAN SanActive; BOOLEAN FixAddressAlignment; HANDLE AcceptHandle; ULONG ReceiveDataLength; ULONG LocalAddressLength; ULONG RemoteAddressLength; } AFD_SUPER_ACCEPT_INFO, *PAFD_SUPER_ACCEPT_INFO; // private typedef struct _AFD_EVENT_SELECT_INFO { HANDLE Event; ULONG PollEvents; // AFD_POLL_* } AFD_EVENT_SELECT_INFO, *PAFD_EVENT_SELECT_INFO; // private typedef struct _AFD_ENUM_NETWORK_EVENTS_INFO { ULONG PollEvents; // AFD_POLL_* NTSTATUS EventStatus[AFD_NUM_POLL_EVENTS]; } AFD_ENUM_NETWORK_EVENTS_INFO, *PAFD_ENUM_NETWORK_EVENTS_INFO; // private typedef struct _AFD_DEFER_ACCEPT_INFO { LONG Sequence; BOOLEAN Reject; } AFD_DEFER_ACCEPT_INFO, *PAFD_DEFER_ACCEPT_INFO; // private typedef struct _AFD_QOS_INFO { QOS Qos; BOOLEAN GroupQos; } AFD_QOS_INFO, *PAFD_QOS_INFO; // private typedef struct _AFD_VALIDATE_GROUP_INFO { GROUP GroupID; TRANSPORT_ADDRESS RemoteAddress; } AFD_VALIDATE_GROUP_INFO, *PAFD_VALIDATE_GROUP_INFO; // private typedef struct _AFD_TRANSPORT_IOCTL_INFO { HANDLE Handle; _Field_size_bytes_(InputBufferLength) PVOID InputBuffer; ULONG InputBufferLength; ULONG IoControlCode; ULONG AfdFlags; ULONG PollEvent; } AFD_TRANSPORT_IOCTL_INFO, *PAFD_TRANSPORT_IOCTL_INFO; // rev - HV_PROTOCOL_RAW-level option in addition to ones in hvsocket.h #define HVSOCKET_CONTAINER_PASSTHRU 0x02 // q: ULONG // private typedef enum TL_IO_CONTROL_TYPE { TlEndpointIoControlType = 0, // not supported TlSetSockOptIoControlType = 1, // setsockopt TlGetSockOptIoControlType = 2, // getsockopt TlSocketIoControlType = 3, // ioctlsocket // Level must be 0 } TL_IO_CONTROL_TYPE, *PTL_IO_CONTROL_TYPE; // private typedef struct _AFD_TL_IO_CONTROL_INFO { TL_IO_CONTROL_TYPE Type; ULONG Level; // SOL_* or IPPROTO_* or HV_PROTOCOL_RAW ULONG IoControlCode; // SIO_*, SO_*, IP_*, IPV6_*, TCP_*, UDP_*, HVSOCKET_*, etc. (depending on type and level) BOOLEAN EndpointIoctl; // must be TRUE _Field_size_bytes_(InputBufferLength) PVOID InputBuffer; SIZE_T InputBufferLength; } AFD_TL_IO_CONTROL_INFO, *PAFD_TL_IO_CONTROL_INFO; // private typedef struct _AFD_TPACKETS_INFO { _Field_size_(ElementCount) PTRANSMIT_PACKETS_ELEMENT ElementArray; ULONG ElementCount; ULONG SendSize; ULONG Flags; } AFD_TPACKETS_INFO, *PAFD_TPACKETS_INFO; // private typedef struct _AFD_SUPER_CONNECT_INFO { BOOLEAN SanActive; TRANSPORT_ADDRESS RemoteAddress; } AFD_SUPER_CONNECT_INFO, *PAFD_SUPER_CONNECT_INFO; // rev typedef struct _AFD_SUPER_CONNECT_INFO_TL { BOOLEAN SanActive; SOCKADDR RemoteAddress; } AFD_SUPER_CONNECT_INFO_TL, *PAFD_SUPER_CONNECT_INFO_TL; // private typedef struct _AFD_SUPER_DISCONNECT_INFO { ULONG Flags; // same as partial disconnect } AFD_SUPER_DISCONNECT_INFO, *PAFD_SUPER_DISCONNECT_INFO; // private typedef struct _AFD_MESSAGE_INFO { AFD_DATAGRAM_INFO dgi; _Field_size_bytes_(ControlLength) PVOID ControlBuffer; PULONG ControlLength; PULONG MsgFlags; } AFD_MESSAGE_INFO, *PAFD_MESSAGE_INFO; // private typedef struct _AFD_SWITCH_CONTEXT { LONG EventsActive; LONG RcvCount; LONG ExpCount; LONG SndCount; BOOLEAN SelectFlag; } AFD_SWITCH_CONTEXT, *PAFD_SWITCH_CONTEXT; // private typedef struct _AFD_SWITCH_CONTEXT_INFO { HANDLE SocketHandle; PAFD_SWITCH_CONTEXT SwitchContext; } AFD_SWITCH_CONTEXT_INFO, *PAFD_SWITCH_CONTEXT_INFO; // private typedef struct _AFD_SWITCH_EVENT_INFO { HANDLE SocketHandle; PAFD_SWITCH_CONTEXT SwitchContext; ULONG EventBit; // AFD_POLL_*_BIT NTSTATUS Status; } AFD_SWITCH_EVENT_INFO, *PAFD_SWITCH_EVENT_INFO; // private typedef struct _AFD_SWITCH_CONNECT_INFO { HANDLE ListenHandle; PAFD_SWITCH_CONTEXT SwitchContext; TRANSPORT_ADDRESS RemoteAddress; } AFD_SWITCH_CONNECT_INFO, *PAFD_SWITCH_CONNECT_INFO; // private typedef struct _AFD_SWITCH_ACCEPT_INFO { HANDLE AcceptHandle; ULONG ReceiveLength; } AFD_SWITCH_ACCEPT_INFO, *PAFD_SWITCH_ACCEPT_INFO; // private typedef struct _AFD_SWITCH_REQUEST_INFO { HANDLE SocketHandle; PAFD_SWITCH_CONTEXT SwitchContext; PVOID RequestContext; NTSTATUS RequestStatus; ULONG DataOffset; } AFD_SWITCH_REQUEST_INFO, *PAFD_SWITCH_REQUEST_INFO; // private typedef struct _AFD_SWITCH_ACQUIRE_CTX_INFO { HANDLE SocketHandle; PAFD_SWITCH_CONTEXT SwitchContext; PVOID SocketCtxBuf; ULONG SocketCtxBufSize; } AFD_SWITCH_ACQUIRE_CTX_INFO, *PAFD_SWITCH_ACQUIRE_CTX_INFO; // private typedef struct _AFD_SWITCH_TRANSFER_CTX_INFO { HANDLE SocketHandle; PAFD_SWITCH_CONTEXT SwitchContext; PVOID RequestContext; PVOID SocketCtxBuf; ULONG SocketCtxBufSize; _Field_size_(RcvBufferCount) LPWSABUF RcvBufferArray; ULONG RcvBufferCount; NTSTATUS Status; } AFD_SWITCH_TRANSFER_CTX_INFO, *PAFD_SWITCH_TRANSFER_CTX_INFO; // private typedef struct _AFD_UNBIND_INFO { LONG AddressFamily; // AF_* LONG Protocol; // IPPROTO_*, BTHPROTO_*, HV_PROTOCOL_*, etc. } AFD_UNBIND_INFO, *PAFD_UNBIND_INFO; // rev // SQM Control Codes #define AFD_SQM_CONTROL_CODE_STORE 1 #define AFD_SQM_CONTROL_CODE_SWEEP -1 // private typedef struct _AFD_SQM_CONTROL { ULONG Code; // AFD_SQM_CONTROL_CODE_* } AFD_SQM_CONTROL, *PAFD_SQM_CONTROL; // private typedef struct _WINSOCK_SQM_SOCKTYPE_DESC { ULONG StreamTCP : 1; ULONG StreamOther : 1; ULONG DatagramUDP : 1; ULONG DatagramUDPMulticast : 1; ULONG DatagramOther : 1; ULONG RawTCP : 1; ULONG RawUDP : 1; ULONG RawOther : 1; ULONG OtherSocketTypes : 1; ULONG IPv6Socket : 1; ULONG ProviderLoadedWSD : 1; ULONG ProviderLoadedLSP : 1; ULONG ProviderLoadedMultiLSP : 1; ULONG NonMswsockBSP : 1; } WINSOCK_SQM_SOCKTYPE_DESC, *PWINSOCK_SQM_SOCKTYPE_DESC; // private typedef struct _WINSOCK_SQM_SOCKTYPE_COUNTS { ULONG MaxStreamSocketsConn; ULONG MaxStreamSocketsListen; ULONG MaxDatagramSockets; ULONG MaxRawSockets; ULONG MaxOtherSockets; } WINSOCK_SQM_SOCKTYPE_COUNTS, *PWINSOCK_SQM_SOCKTYPE_COUNTS; // private typedef struct _WINSOCK_SQM_NONCORE_FUNC { ULONG Select : 1; ULONG WSAPoll : 1; ULONG StreamWSAEventSelect : 1; ULONG StreamWSAAsyncSelect : 1; ULONG TransmitFile : 1; ULONG StreamTransmitPackets : 1; ULONG DisconnectEx : 1; ULONG SocketReuse : 1; ULONG StreamDuplicateSocket : 1; ULONG ReadWriteFile : 1; ULONG OOBSendRecv : 1; ULONG StreamSoSndTimeO : 1; ULONG StreamSoRcvTimeO : 1; ULONG MsgWaitAll : 1; ULONG StreamNonCoreSOLOptions : 1; ULONG StreamNonCoreTCPOptions : 1; ULONG StreamNonCoreIPOptions : 1; ULONG StreamNonCoreOtherOptions : 1; ULONG StreamNonCoreIOCTLs : 1; ULONG StreamNonCoreWSASocket : 1; ULONG NonCoreRecv : 1; ULONG NonCoreSend : 1; ULONG StreamNonCoreWSAIoctl : 1; ULONG NonCoreWSAAccept : 1; ULONG StreamNonCoreWSAConnect : 1; ULONG StreamWSAJoinLeaf : 1; ULONG StreamWSAGetQoSByName : 1; ULONG WSASendDisconnect : 1; ULONG WSARecvDisconnect : 1; } WINSOCK_SQM_NONCORE_FUNC, *PWINSOCK_SQM_NONCORE_FUNC; // private typedef struct _WINSOCK_SQM_DEPRECATION_LIST { ULONG bEnumProtocols : 1; ULONG bGetNameByType : 1; ULONG bGetService : 1; ULONG bGetTypeByName : 1; ULONG bSetService : 1; ULONG bWSACancelBlockingCall : 1; ULONG bWSAIsBlocking : 1; ULONG bWSASetBlockingHook : 1; ULONG bWSAUnhookBlockingHook : 1; ULONG bGetAddressByName : 1; ULONG bGetHostByAddr : 1; ULONG bGetHostByName : 1; ULONG bGetHostName : 1; ULONG bGetProtoByName : 1; ULONG bGetProtoByNumber : 1; ULONG bGetServByName : 1; ULONG bGetServByPort : 1; ULONG bInetAddr : 1; ULONG bInetNtoa : 1; ULONG bWSAAsyncGetHostByAddr : 1; ULONG bWSAAsyncGetHostByName : 1; ULONG bWSAAsyncGetProtoByName : 1; ULONG bWSAAsyncGetProtoByNumber : 1; ULONG bWSAAsyncGetServByName : 1; ULONG bWSAAsyncGetServByPort : 1; ULONG bWSACancelAsyncRequest : 1; ULONG bWSARecvEx : 1; } WINSOCK_SQM_DEPRECATION_LIST, *PWINSOCK_SQM_DEPRECATION_LIST; // private typedef struct _WINSOCK_SQM_SOCK_OPTIONS { ULONG SoSndBuf : 1; ULONG SoRcvBuf : 1; ULONG SoSndBuf0 : 1; ULONG SoRcvBuf0 : 1; ULONG SoKeepAliveOn : 1; ULONG SoReuseAddrOn : 1; ULONG SoExclusiveAddrUseOn : 1; ULONG SoLingerOn : 1; ULONG SoLingerOn0 : 1; ULONG SoRandomizePortOn : 1; ULONG SoPortScaleOn : 1; ULONG SoCondAcceptOn : 1; ULONG SoOobInlineOn : 1; ULONG SoOther : 1; ULONG TCPNoDelayOn : 1; ULONG TCPOther : 1; ULONG IPV6V6OnlyOff : 1; ULONG IPV6ProtectLevel : 1; ULONG IPOther : 1; ULONG LevelOther : 1; ULONG ISBQuery : 1; ULONG ISBNotify : 1; ULONG AddressQuery : 1; ULONG AddressNotify : 1; ULONG RouteQuery : 1; ULONG RouteNotify : 1; ULONG FionbioOn : 1; ULONG Fionread : 1; ULONG Siocatmark : 1; ULONG Siokeepalivevals : 1; ULONG Siosetcompatmode : 1; ULONG Sioportreserve : 1; } WINSOCK_SQM_SOCK_OPTIONS, *PWINSOCK_SQM_SOCK_OPTIONS; // private typedef struct _WINSOCK_SQM_MISC_BEHAVIOR { ULONG SendEverPended : 1; ULONG RecvEverPended : 1; ULONG ShutdownSend : 1; ULONG ShutdownRecv : 1; ULONG WSASocketProtocol : 1; } WINSOCK_SQM_MISC_BEHAVIOR, *PWINSOCK_SQM_MISC_BEHAVIOR; // private typedef struct _AFD_SQM_INFO { AFD_SQM_CONTROL Control; WCHAR AppName[16]; WCHAR LSPName[16]; ULONG AppVersion; WINSOCK_SQM_SOCKTYPE_DESC SocketTypeDescriptor; WINSOCK_SQM_SOCKTYPE_COUNTS SocketTypeCounts; WINSOCK_SQM_NONCORE_FUNC NonCoreFunctions; WINSOCK_SQM_DEPRECATION_LIST DeprecationList; WINSOCK_SQM_SOCK_OPTIONS SocketOptions; WINSOCK_SQM_MISC_BEHAVIOR MiscBehavior; } AFD_SQM_INFO, *PAFD_SQM_INFO; // private typedef enum _AFD_RIO_COMMAND { AfdRioCommandIdCreateCq = 0, // in: AFD_RIO_COMMAND_CREATE_CQ; out: AFD_RIO_COMMAND_CREATE_CQ_RESULT AfdRioCommandIdDestroyCq = 1, // in: AFD_RIO_COMMAND_DESTROY_CQ AfdRioCommandIdNotifyCq = 2, // in: AFD_RIO_COMMAND_NOTIFY_CQ AfdRioCommandIdCreateRqPair = 3, // in: AFD_RIO_COMMAND_CREATE_RQ_PAIR AfdRioCommandIdRegisterBuffer = 4, // in: AFD_RIO_COMMAND_REGISTER_BUFFER; out: AFD_RIO_COMMAND_REGISTER_BUFFER_RESULT AfdRioCommandIdDeregisterBuffer = 5, // in: AFD_RIO_COMMAND_DEREGISTER_BUFFER AfdRioCommandIdPokeSend = 6, // in: AFD_RIO_COMMAND_POKE_SEND AfdRioCommandIdPokeReceive = 7, // in: AFD_RIO_COMMAND_POKE_RECEIVE AfdRioCommandIdResizeCq = 8, // in: AFD_RIO_COMMAND_RESIZE_CQ AfdRioCommandIdResizeRqPair = 9, // in: AFD_RIO_COMMAND_RESIZE_RQ_PAIR AfdRioCommandIdMaximum = 10, } AFD_RIO_COMMAND, *PAFD_RIO_COMMAND; // private typedef struct _AFD_RIO_COMMAND_HEADER { AFD_RIO_COMMAND Command; } AFD_RIO_COMMAND_HEADER, *PAFD_RIO_COMMAND_HEADER; // private typedef enum _AFD_RIO_NOTIFICATION_COMPLETION_TYPE { AfdRioNoCompletion = 0, AfdRioEventCompletion = 1, AfdRioIocpCompletion = 2, } AFD_RIO_NOTIFICATION_COMPLETION_TYPE, *PAFD_RIO_NOTIFICATION_COMPLETION_TYPE; // private typedef struct _AFD_RIO_COMPLETION_QUEUE { ULONG QHead; ULONG QTail; BOOLEAN Corrupted; RIORESULT QEntry[ANYSIZE_ARRAY]; } AFD_RIO_COMPLETION_QUEUE, *PAFD_RIO_COMPLETION_QUEUE; // private typedef struct _AFD_RIO_COMMAND_CREATE_CQ { AFD_RIO_COMMAND_HEADER Header; ULONG QSize; AFD_RIO_NOTIFICATION_COMPLETION_TYPE NotificationType; ULONGLONG NotificationHandle; ULONGLONG NotificationContext; ULONGLONG NotificationContext2; ULONG BufferSize; ULONGLONG Buffer; // PAFD_RIO_COMPLETION_QUEUE } AFD_RIO_COMMAND_CREATE_CQ, *PAFD_RIO_COMMAND_CREATE_CQ; // private typedef struct _AFD_RIO_COMMAND_CREATE_CQ_RESULT { ULONG CqId; } AFD_RIO_COMMAND_CREATE_CQ_RESULT, *PAFD_RIO_COMMAND_CREATE_CQ_RESULT; // private typedef struct _AFD_RIO_COMMAND_DESTROY_CQ { AFD_RIO_COMMAND_HEADER Header; ULONG CqId; } AFD_RIO_COMMAND_DESTROY_CQ, *PAFD_RIO_COMMAND_DESTROY_CQ; // private typedef struct _AFD_RIO_COMMAND_NOTIFY_CQ { AFD_RIO_COMMAND_HEADER Header; ULONG Index; } AFD_RIO_COMMAND_NOTIFY_CQ, *PAFD_RIO_COMMAND_NOTIFY_CQ; // private typedef struct _AFD_RIO_BUF { ULONG BufferId; ULONG Offset; ULONG Length; } AFD_RIO_BUF, *PAFD_RIO_BUF; // private typedef struct _AFD_RIO_REQUEST_QUEUE_ENTRY { AFD_RIO_BUF Data; AFD_RIO_BUF SourceAddress; AFD_RIO_BUF DestinationAddress; AFD_RIO_BUF Control; AFD_RIO_BUF FlagsBuffer; ULONG Flags; ULONGLONG Context; } AFD_RIO_REQUEST_QUEUE_ENTRY, *PAFD_RIO_REQUEST_QUEUE_ENTRY; // private typedef struct _AFD_RIO_REQUEST_QUEUE { ULONG Start; ULONG End; BOOLEAN PokeRequired; AFD_RIO_REQUEST_QUEUE_ENTRY Entries[ANYSIZE_ARRAY]; } AFD_RIO_REQUEST_QUEUE, *PAFD_RIO_REQUEST_QUEUE; // private typedef struct _AFD_RIO_COMMAND_CREATE_RQ_PAIR { AFD_RIO_COMMAND_HEADER Header; ULONG SendCompletionQueue; ULONG ReceiveCompletionQueue; ULONG SendQueueEntryCount; ULONG SendQueueBufferSize; ULONGLONG SendQueueBuffer; // PAFD_RIO_REQUEST_QUEUE ULONG ReceiveQueueEntryCount; ULONG ReceiveQueueBufferSize; ULONGLONG ReceiveQueueBuffer; // PAFD_RIO_REQUEST_QUEUE ULONGLONG EndpointHandle; ULONGLONG SocketContext; } AFD_RIO_COMMAND_CREATE_RQ_PAIR, *PAFD_RIO_COMMAND_CREATE_RQ_PAIR; // private typedef struct _AFD_RIO_COMMAND_REGISTER_BUFFER { AFD_RIO_COMMAND_HEADER Header; ULONGLONG Buffer; ULONG BufferLength; } AFD_RIO_COMMAND_REGISTER_BUFFER, *PAFD_RIO_COMMAND_REGISTER_BUFFER; // private typedef struct _AFD_RIO_COMMAND_REGISTER_BUFFER_RESULT { ULONG BufferId; } AFD_RIO_COMMAND_REGISTER_BUFFER_RESULT, *PAFD_RIO_COMMAND_REGISTER_BUFFER_RESULT; // private typedef struct _AFD_RIO_COMMAND_DEREGISTER_BUFFER { AFD_RIO_COMMAND_HEADER Header; ULONG BufferId; } AFD_RIO_COMMAND_DEREGISTER_BUFFER, *PAFD_RIO_COMMAND_DEREGISTER_BUFFER; // private typedef struct _AFD_RIO_COMMAND_POKE_SEND { AFD_RIO_COMMAND_HEADER Header; } AFD_RIO_COMMAND_POKE_SEND, *PAFD_RIO_COMMAND_POKE_SEND; // private typedef struct _AFD_RIO_COMMAND_POKE_RECEIVE { AFD_RIO_COMMAND_HEADER Header; } AFD_RIO_COMMAND_POKE_RECEIVE, *PAFD_RIO_COMMAND_POKE_RECEIVE; // private typedef struct _AFD_RIO_COMMAND_RESIZE_CQ { AFD_RIO_COMMAND_HEADER Header; ULONG CqId; ULONG QSize; ULONG BufferSize; ULONGLONG Buffer; } AFD_RIO_COMMAND_RESIZE_CQ, *PAFD_RIO_COMMAND_RESIZE_CQ; // private typedef struct _AFD_RIO_COMMAND_RESIZE_RQ_PAIR { AFD_RIO_COMMAND_HEADER Header; ULONG SendQueueEntryCount; ULONG SendQueueBufferSize; ULONGLONG SendQueueBuffer; ULONG ReceiveQueueEntryCount; ULONG ReceiveQueueBufferSize; ULONGLONG ReceiveQueueBuffer; } AFD_RIO_COMMAND_RESIZE_RQ_PAIR, *PAFD_RIO_COMMAND_RESIZE_RQ_PAIR; #endif ================================================ FILE: phnt/include/ntbcd.h ================================================ [File too large to display: 130.2 KB] ================================================ FILE: phnt/include/ntdbg.h ================================================ /* * Debugger support functions * * This file is part of System Informer. */ #ifndef _NTDBG_H #define _NTDBG_H // // Debugging // /** * Causes a user-mode breakpoint to occur. */ NTSYSAPI VOID NTAPI DbgUserBreakPoint( VOID ); /** * Causes a breakpoint to occur. */ NTSYSAPI VOID NTAPI DbgBreakPoint( VOID ); /** * Causes a breakpoint to occur with a specific status. * * \param Status The status code to be associated with the breakpoint. */ NTSYSAPI VOID NTAPI DbgBreakPointWithStatus( _In_ ULONG Status ); #define DBG_STATUS_CONTROL_C 1 #define DBG_STATUS_SYSRQ 2 #define DBG_STATUS_BUGCHECK_FIRST 3 #define DBG_STATUS_BUGCHECK_SECOND 4 #define DBG_STATUS_FATAL 5 #define DBG_STATUS_DEBUG_CONTROL 6 #define DBG_STATUS_WORKER 7 /** * Sends a message to the kernel debugger. * * \param Format A pointer to a printf-style format string. * \param ... Arguments for the format string. * \return ULONG The number of characters printed. */ NTSYSAPI ULONG STDAPIVCALLTYPE DbgPrint( _In_z_ _Printf_format_string_ PCCH Format, ... ); /** * Sends a message to the kernel debugger with a component ID and level. * * \param ComponentId The ID of the component that is sending the message. * \param Level The importance level of the message. * \param Format A pointer to a printf-style format string. * \param ... Arguments for the format string. * \return ULONG The number of characters printed. */ NTSYSAPI ULONG STDAPIVCALLTYPE DbgPrintEx( _In_ ULONG ComponentId, _In_ ULONG Level, _In_z_ _Printf_format_string_ PCCH Format, ... ); /** * Sends a message to the kernel debugger with a component ID and level (va_list version). * * \param ComponentId The ID of the component that is sending the message. * \param Level The importance level of the message. * \param Format A pointer to a printf-style format string. * \param arglist A list of arguments for the format string. * \return ULONG The number of characters printed. */ NTSYSAPI ULONG NTAPI vDbgPrintEx( _In_ ULONG ComponentId, _In_ ULONG Level, _In_z_ PCCH Format, _In_ va_list arglist ); /** * Sends a message to the kernel debugger with a prefix, component ID, and level. * * \param Prefix A pointer to a string to be prefixed to the message. * \param ComponentId The ID of the component that is sending the message. * \param Level The importance level of the message. * \param Format A pointer to a printf-style format string. * \param arglist A list of arguments for the format string. * \return ULONG The number of characters printed. */ NTSYSAPI ULONG NTAPI vDbgPrintExWithPrefix( _In_z_ PCCH Prefix, _In_ ULONG ComponentId, _In_ ULONG Level, _In_z_ PCCH Format, _In_ va_list arglist ); /** * Sends a message to the kernel debugger and returns Control-C status. * * \param Format A pointer to a printf-style format string. * \param ... Arguments for the format string. * \return ULONG The number of characters printed. */ NTSYSAPI ULONG STDAPIVCALLTYPE DbgPrintReturnControlC( _In_z_ _Printf_format_string_ PCCH Format, ... ); /** * Queries the debug filter state for a component. * * \param ComponentId The ID of the component. * \param Level The importance level. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgQueryDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level ); /** * Sets the debug filter state for a component. * * \param ComponentId The ID of the component. * \param Level The importance level. * \param State The new state for the filter. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgSetDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level, _In_ BOOLEAN State ); /** * Prompts the user for input. * * \param Prompt A pointer to the prompt string. * \param Response A pointer to the buffer that receives the user response. * \param Length The length of the response buffer, in bytes. * \return ULONG The number of characters in the response. */ NTSYSAPI ULONG NTAPI DbgPrompt( _In_ PCCH Prompt, _Out_writes_bytes_(Length) PCH Response, _In_ ULONG Length ); // // Definitions // /** * The DBGKM_EXCEPTION structure contains exception information for a debug event. */ typedef struct _DBGKM_EXCEPTION { EXCEPTION_RECORD ExceptionRecord; ULONG FirstChance; } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; /** * The DBGKM_CREATE_THREAD structure contains information about a newly created thread. */ typedef struct _DBGKM_CREATE_THREAD { ULONG SubSystemKey; PVOID StartAddress; } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; /** * The DBGKM_CREATE_PROCESS structure contains information about a newly created process. */ typedef struct _DBGKM_CREATE_PROCESS { ULONG SubSystemKey; HANDLE FileHandle; PVOID BaseOfImage; ULONG DebugInfoFileOffset; ULONG DebugInfoSize; DBGKM_CREATE_THREAD InitialThread; } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; /** * The DBGKM_EXIT_THREAD structure contains the exit status of a thread. */ typedef struct _DBGKM_EXIT_THREAD { NTSTATUS ExitStatus; } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; /** * The DBGKM_EXIT_PROCESS structure contains the exit status of a process. */ typedef struct _DBGKM_EXIT_PROCESS { NTSTATUS ExitStatus; } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; /** * The DBGKM_LOAD_DLL structure contains information about a loaded DLL. */ typedef struct _DBGKM_LOAD_DLL { HANDLE FileHandle; PVOID BaseOfDll; ULONG DebugInfoFileOffset; ULONG DebugInfoSize; PVOID NamePointer; } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; /** * The DBGKM_UNLOAD_DLL structure contains the base address of an unloaded DLL. */ typedef struct _DBGKM_UNLOAD_DLL { PVOID BaseAddress; } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; /** * The DBG_STATE enumeration defines the state of a debug object. */ typedef enum _DBG_STATE { DbgIdle, DbgReplyPending, DbgCreateThreadStateChange, DbgCreateProcessStateChange, DbgExitThreadStateChange, DbgExitProcessStateChange, DbgExceptionStateChange, DbgBreakpointStateChange, DbgSingleStepStateChange, DbgLoadDllStateChange, DbgUnloadDllStateChange } DBG_STATE, *PDBG_STATE; /** * The DBGUI_CREATE_THREAD structure contains UI-level information about a newly created thread. */ typedef struct _DBGUI_CREATE_THREAD { HANDLE HandleToThread; DBGKM_CREATE_THREAD NewThread; } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; /** * The DBGUI_CREATE_PROCESS structure contains UI-level information about a newly created process. */ typedef struct _DBGUI_CREATE_PROCESS { HANDLE HandleToProcess; HANDLE HandleToThread; DBGKM_CREATE_PROCESS NewProcess; } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; /** * The DBGUI_WAIT_STATE_CHANGE structure contains information about a debug state change. */ typedef struct _DBGUI_WAIT_STATE_CHANGE { DBG_STATE NewState; CLIENT_ID AppClientId; union { DBGKM_EXCEPTION Exception; DBGUI_CREATE_THREAD CreateThread; DBGUI_CREATE_PROCESS CreateProcessInfo; DBGKM_EXIT_THREAD ExitThread; DBGKM_EXIT_PROCESS ExitProcess; DBGKM_LOAD_DLL LoadDll; DBGKM_UNLOAD_DLL UnloadDll; } StateInfo; } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; #define DEBUG_READ_EVENT 0x0001 #define DEBUG_PROCESS_ASSIGN 0x0002 #define DEBUG_SET_INFORMATION 0x0004 #define DEBUG_QUERY_INFORMATION 0x0008 #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ DEBUG_QUERY_INFORMATION) #define DEBUG_KILL_ON_CLOSE 0x1 /** * The DEBUGOBJECTINFOCLASS enumeration defines the information classes for debug objects. */ typedef enum _DEBUGOBJECTINFOCLASS { DebugObjectUnusedInformation, DebugObjectKillProcessOnExitInformation, // s: ULONG MaxDebugObjectInfoClass } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; // // System calls // /** * Creates a debug object. * * \param DebugObjectHandle A pointer to a variable that receives the debug object handle. * \param DesiredAccess The access rights desired for the debug object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the debug object. * \param Flags Flags for the debug object creation. (DEBUG_KILL_ON_CLOSE) * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateDebugObject( _Out_ PHANDLE DebugObjectHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG Flags ); /** * Attaches a debugger to an active process. * * \param ProcessHandle A handle to the process to be debugged. * \param DebugObjectHandle A handle to the debug object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDebugActiveProcess( _In_ HANDLE ProcessHandle, _In_ HANDLE DebugObjectHandle ); /** * Continues a thread that was stopped by a debug event. * * \param DebugObjectHandle A handle to the debug object. * \param ClientId A pointer to a CLIENT_ID structure that identifies the thread to be continued. * \param ContinueStatus The status code to use when continuing the thread. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDebugContinue( _In_ HANDLE DebugObjectHandle, _In_ PCLIENT_ID ClientId, _In_ NTSTATUS ContinueStatus ); /** * Stops debugging a process. * * \param ProcessHandle A handle to the process. * \param DebugObjectHandle A handle to the debug object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtRemoveProcessDebug( _In_ HANDLE ProcessHandle, _In_ HANDLE DebugObjectHandle ); /** * Sets information for a debug object. * * \param DebugObjectHandle A handle to the debug object. * \param DebugObjectInformationClass The information class to be set. * \param DebugInformation A pointer to the buffer that contains the information. * \param DebugInformationLength The length of the information buffer, in bytes. * \param ReturnLength Optional. A pointer to a variable that receives the number of bytes returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationDebugObject( _In_ HANDLE DebugObjectHandle, _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, _In_reads_bytes_(DebugInformationLength) PVOID DebugInformation, _In_ ULONG DebugInformationLength, _Out_opt_ PULONG ReturnLength ); /** * Waits for a debug event to occur. * * \param DebugObjectHandle A handle to the debug object. * \param Alertable Specifies whether the wait is alertable. * \param Timeout Optional. A pointer to a LARGE_INTEGER structure that specifies the timeout. * \param WaitStateChange A pointer to a DBGUI_WAIT_STATE_CHANGE structure that receives information about the debug event. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtWaitForDebugEvent( _In_ HANDLE DebugObjectHandle, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout, _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange ); // // Debugging UI // /** * Connects the current thread to the debugger. * * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiConnectToDbg( VOID ); /** * Retrieves the debug object handle for the current thread. * * \return HANDLE The debug object handle. */ NTSYSAPI HANDLE NTAPI DbgUiGetThreadDebugObject( VOID ); /** * Sets the debug object handle for the current thread. * * \param DebugObject The debug object handle. */ NTSYSAPI VOID NTAPI DbgUiSetThreadDebugObject( _In_ HANDLE DebugObject ); /** * Waits for a debug state change. * * \param StateChange A pointer to a DBGUI_WAIT_STATE_CHANGE structure that receives the state change information. * \param Timeout Optional. A pointer to a LARGE_INTEGER structure that specifies the timeout. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiWaitStateChange( _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, _In_opt_ PLARGE_INTEGER Timeout ); /** * Continues a debug state change. * * \param AppClientId A pointer to a CLIENT_ID structure that identifies the thread to be continued. * \param ContinueStatus The status code to use when continuing the thread. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiContinue( _In_ PCLIENT_ID AppClientId, _In_ NTSTATUS ContinueStatus ); /** * Stops debugging a process. * * \param Process A handle to the process. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiStopDebugging( _In_ HANDLE Process ); /** * Attaches a debugger to an active process. * * \param Process A handle to the process. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiDebugActiveProcess( _In_ HANDLE Process ); /** * Remotely triggers a breakpoint in a process. * * \param Context A pointer to the context for the breakpoint. */ NTSYSAPI VOID NTAPI DbgUiRemoteBreakin( _In_ PVOID Context ); /** * Issues a remote breakpoint in a process. * * \param Process A handle to the process. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiIssueRemoteBreakin( _In_ HANDLE Process ); /** * Converts a state change structure to a debug event structure. * * \param StateChange A pointer to a DBGUI_WAIT_STATE_CHANGE structure. * \param DebugEvent A pointer to a DEBUG_EVENT structure that receives the converted information. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiConvertStateChangeStructure( _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, _Out_ LPDEBUG_EVENT DebugEvent ); /** * Converts a state change structure to a debug event structure (extended). * * \param StateChange A pointer to a DBGUI_WAIT_STATE_CHANGE structure. * \param DebugEvent A pointer to a DEBUG_EVENT structure that receives the converted information. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI DbgUiConvertStateChangeStructureEx( _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, _Out_ LPDEBUG_EVENT DebugEvent ); typedef struct _EVENT_FILTER_DESCRIPTOR *PEVENT_FILTER_DESCRIPTOR; /** * A callback function that receives event enabled notifications. */ typedef _Function_class_(ENABLECALLBACK) VOID NTAPI ENABLECALLBACK( _In_ LPCGUID SourceId, _In_ ULONG IsEnabled, _In_ UCHAR Level, _In_ ULONGLONG MatchAnyKeyword, _In_ ULONGLONG MatchAllKeyword, _In_opt_ PEVENT_FILTER_DESCRIPTOR FilterData, _Inout_opt_ PVOID CallbackContext ); typedef ENABLECALLBACK* PENABLECALLBACK; typedef ULONGLONG REGHANDLE, *PREGHANDLE; /** * Registers an ETW event provider. * * \param ProviderId A pointer to the provider ID. * \param EnableCallback Optional. A pointer to the enable callback function. * \param CallbackContext Optional. A pointer to the callback context. * \param RegHandle A pointer to a variable that receives the registration handle. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI EtwEventRegister( _In_ LPCGUID ProviderId, _In_opt_ PENABLECALLBACK EnableCallback, _In_opt_ PVOID CallbackContext, _Out_ PREGHANDLE RegHandle ); #endif // _NTDBG_H ================================================ FILE: phnt/include/ntexapi.h ================================================ /* * Executive support library functions * * This file is part of System Informer. */ #ifndef _NTEXAPI_H #define _NTEXAPI_H typedef struct _TEB* PTEB; typedef struct _COUNTED_REASON_CONTEXT* PCOUNTED_REASON_CONTEXT; typedef struct _FILE_IO_COMPLETION_INFORMATION* PFILE_IO_COMPLETION_INFORMATION; typedef struct _PORT_MESSAGE* PPORT_MESSAGE; typedef struct _IMAGE_EXPORT_DIRECTORY* PIMAGE_EXPORT_DIRECTORY; typedef struct _FILE_OBJECT* PFILE_OBJECT; typedef struct _DEVICE_OBJECT* PDEVICE_OBJECT; typedef struct _IRP* PIRP; typedef struct _RTL_BITMAP* PRTL_BITMAP; #if (PHNT_MODE != PHNT_MODE_KERNEL) // // Thread execution // /** * The NtDelayExecution routine suspends the current thread until the specified condition is met. * * \param Alertable The function returns when either the time-out period has elapsed or when the APC function is called. * \param DelayInterval The time interval for which execution is to be suspended, in milliseconds. * - A value of zero causes the thread to relinquish the remainder of its time slice to any other thread that is ready to run. * - If there are no other threads ready to run, the function returns immediately, and the thread continues execution. * - A value of INFINITE indicates that the suspension should not time out. * \return NTSTATUS Successful or errant status. The return value is STATUS_USER_APC when Alertable is TRUE, and the function returned due to one or more I/O completion callback functions. * \remarks Note that a ready thread is not guaranteed to run immediately. Consequently, the thread will not run until some arbitrary time after the sleep interval elapses, * based upon the system "tick" frequency and the load factor from other processes. * \see https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-sleepex */ NTSYSCALLAPI NTSTATUS NTAPI NtDelayExecution( _In_ BOOLEAN Alertable, _In_ PLARGE_INTEGER DelayInterval ); // // Firmware environment values // /** * Retrieves the value of the specified firmware environment variable. * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. * * \param VariableName The name of the firmware environment variable. The pointer must not be NULL. * \param VariableValue A pointer to a buffer that receives the value of the specified firmware environment variable. * \param ValueLength The size of the \c VariableValue buffer, in bytes. * \param ReturnLength If the function succeeds, the return length is the number of bytes stored in the \c VariableValue buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemEnvironmentValue( _In_ PCUNICODE_STRING VariableName, _Out_writes_bytes_(ValueLength) PWSTR VariableValue, _In_ USHORT ValueLength, _Out_opt_ PUSHORT ReturnLength ); // The firmware environment variable is stored in non-volatile memory (e.g. NVRAM). #define EFI_VARIABLE_NON_VOLATILE 0x00000001 // The firmware environment variable can be accessed during boot service. #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002 // The firmware environment variable can be accessed at runtime. #define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004 // Indicates hardware related errors encountered at runtime. #define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x00000008 // Indicates an authentication requirement that must be met before writing to this firmware environment variable. #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 // Indicates authentication and time stamp requirements that must be met before writing to this firmware environment variable. // When this attribute is set, the buffer, represented by Buffer, will begin with an instance of a complete (and serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. #define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020 // Append an existing environment variable with the value of Buffer. If the firmware does not support the operation, the function returns ERROR_INVALID_FUNCTION. #define EFI_VARIABLE_APPEND_WRITE 0x00000040 // The firmware environment variable will return metadata in addition to variable data. #define EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS 0x00000080 /** * Retrieves the value of the specified firmware environment variable and its attributes. * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. * * \param VariableName The name of the firmware environment variable. The pointer must not be NULL. * \param VendorGuid The GUID that represents the namespace of the firmware environment variable. * \param Buffer A pointer to a buffer that receives the value of the specified firmware environment variable. * \param BufferLength The size of the \c Buffer, in bytes. * \param Attributes Bitmask identifying UEFI variable attributes associated with the variable. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemEnvironmentValueEx( _In_ PCUNICODE_STRING VariableName, _In_ PCGUID VendorGuid, _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, _Inout_ PULONG BufferLength, _Out_opt_ PULONG Attributes // EFI_VARIABLE_* ); /** * Sets the value of the specified firmware environment variable. * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. * * \param VariableName The name of the firmware environment variable. The pointer must not be NULL. * \param VariableValue A pointer to the new value for the firmware environment variable. * If this parameter is zero, the firmware environment variable is deleted. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetSystemEnvironmentValue( _In_ PCUNICODE_STRING VariableName, _In_ PCUNICODE_STRING VariableValue ); /** * Sets the value of the specified firmware environment variable and the attributes that indicate how this variable is stored and maintained. * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. * * \param VariableName The name of the firmware environment variable. The pointer must not be NULL. * \param VendorGuid The GUID that represents the namespace of the firmware environment variable. * \param Buffer A pointer to the new value for the firmware environment variable. * \param BufferLength The size of the pValue buffer, in bytes. * Unless the VARIABLE_ATTRIBUTE_APPEND_WRITE, VARIABLE_ATTRIBUTE_AUTHENTICATED_WRITE_ACCESS, * or VARIABLE_ATTRIBUTE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS variable attribute is set via dwAttributes, * setting this value to zero will result in the deletion of this variable. * \param Attributes Bitmask to set UEFI variable attributes associated with the variable. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetSystemEnvironmentValueEx( _In_ PCUNICODE_STRING VariableName, _In_ PCGUID VendorGuid, _In_reads_bytes_opt_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength, // 0 = delete variable _In_ ULONG Attributes // EFI_VARIABLE_* ); typedef enum _SYSTEM_ENVIRONMENT_INFORMATION_CLASS { SystemEnvironmentNameInformation = 1, // q: VARIABLE_NAME SystemEnvironmentValueInformation = 2, // q: VARIABLE_NAME_AND_VALUE MaxSystemEnvironmentInfoClass } SYSTEM_ENVIRONMENT_INFORMATION_CLASS; _Struct_size_bytes_(NextEntryOffset) typedef struct _VARIABLE_NAME { ULONG NextEntryOffset; GUID VendorGuid; WCHAR Name[ANYSIZE_ARRAY]; } VARIABLE_NAME, *PVARIABLE_NAME; _Struct_size_bytes_(NextEntryOffset) typedef struct _VARIABLE_NAME_AND_VALUE { ULONG NextEntryOffset; ULONG ValueOffset; ULONG ValueLength; ULONG Attributes; GUID VendorGuid; WCHAR Name[ANYSIZE_ARRAY]; //BYTE Value[ANYSIZE_ARRAY]; } VARIABLE_NAME_AND_VALUE, *PVARIABLE_NAME_AND_VALUE; /** * The NtEnumerateSystemEnvironmentValuesEx routine enumerates system environment values with extended information. * * \param InformationClass The class of system environment information to retrieve. * \param Buffer Pointer to a buffer that receives the system environment values data. * \param BufferLength Pointer to a ULONG variable that specifies the size of the Buffer on input. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtEnumerateSystemEnvironmentValuesEx( _In_ ULONG InformationClass, // SYSTEM_ENVIRONMENT_INFORMATION_CLASS _Out_ PVOID Buffer, _Inout_ PULONG BufferLength ); // // EFI // // private typedef struct _BOOT_ENTRY { ULONG Version; ULONG Length; ULONG Id; ULONG Attributes; ULONG FriendlyNameOffset; ULONG BootFilePathOffset; ULONG OsOptionsLength; _Field_size_bytes_(OsOptionsLength) UCHAR OsOptions[1]; } BOOT_ENTRY, *PBOOT_ENTRY; // private _Struct_size_bytes_(NextEntryOffset) typedef struct _BOOT_ENTRY_LIST { ULONG NextEntryOffset; BOOT_ENTRY BootEntry; } BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST; // private typedef struct _BOOT_OPTIONS { ULONG Version; ULONG Length; ULONG Timeout; ULONG CurrentBootEntryId; ULONG NextBootEntryId; _Field_size_bytes_(Length) WCHAR HeadlessRedirection[1]; } BOOT_OPTIONS, *PBOOT_OPTIONS; // private typedef struct _FILE_PATH { ULONG Version; ULONG Length; ULONG Type; _Field_size_bytes_(Length) UCHAR FilePath[1]; } FILE_PATH, *PFILE_PATH; // private typedef struct _EFI_DRIVER_ENTRY { ULONG Version; ULONG Length; ULONG Id; ULONG FriendlyNameOffset; ULONG DriverFilePathOffset; } EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; // private _Struct_size_bytes_(NextEntryOffset) typedef struct _EFI_DRIVER_ENTRY_LIST { ULONG NextEntryOffset; EFI_DRIVER_ENTRY DriverEntry; } EFI_DRIVER_ENTRY_LIST, *PEFI_DRIVER_ENTRY_LIST; /** * The NtAddBootEntry routine adds a new boot entry to the system boot configuration. * * \param BootEntry A pointer to a BOOT_ENTRY structure that specifies the boot entry to be added. * \param Id A pointer to a variable that receives the identifier of the new boot entry. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAddBootEntry( _In_ PBOOT_ENTRY BootEntry, _Out_opt_ PULONG Id ); /** * The NtDeleteBootEntry routine deletes an existing boot entry from the system boot configuration. * * \param Id The identifier of the boot entry to be deleted. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDeleteBootEntry( _In_ ULONG Id ); /** * The NtModifyBootEntry routine modifies an existing boot entry in the system boot configuration. * * \param BootEntry A pointer to a BOOT_ENTRY structure that specifies the new boot entry information. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtModifyBootEntry( _In_ PBOOT_ENTRY BootEntry ); /** * The NtEnumerateBootEntries routine retrieves information about all boot entries in the system boot configuration. * * \param Buffer A pointer to a buffer that receives the boot entries information. * \param BufferLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtEnumerateBootEntries( _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, _Inout_ PULONG BufferLength ); /** * The NtQueryBootEntryOrder routine retrieves the current boot entry order. * * \param Ids A pointer to a buffer that receives the identifiers of the boot entries in the current boot order. * \param Count A pointer to a variable that specifies the number of entries in the buffer. On return, it contains the number of entries returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryBootEntryOrder( _Out_writes_opt_(*Count) PULONG Ids, _Inout_ PULONG Count ); /** * The NtSetBootEntryOrder routine sets the boot entry order. * * \param Ids A pointer to a buffer that specifies the identifiers of the boot entries in the desired boot order. * \param Count The number of entries in the buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetBootEntryOrder( _In_reads_(Count) PULONG Ids, _In_ ULONG Count ); /** * The NtQueryBootOptions routine retrieves the current boot options. * * \param BootOptions A pointer to a buffer that receives the boot options. * \param BootOptionsLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryBootOptions( _Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS BootOptions, _Inout_ PULONG BootOptionsLength ); /** * The NtSetBootOptions routine sets the boot options. * * \param BootOptions A pointer to a BOOT_OPTIONS structure that specifies the new boot options. * \param FieldsToChange A bitmask that specifies which fields in the BOOT_OPTIONS structure are to be changed. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetBootOptions( _In_ PBOOT_OPTIONS BootOptions, _In_ ULONG FieldsToChange ); /** * The NtTranslateFilePath routine translates a file path from one format to another. * * \param InputFilePath A pointer to a FILE_PATH structure that specifies the input file path. * \param OutputType The type of the output file path. * \param OutputFilePath A pointer to a buffer that receives the translated file path. * \param OutputFilePathLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtTranslateFilePath( _In_ PFILE_PATH InputFilePath, _In_ ULONG OutputType, _Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath, _Inout_opt_ PULONG OutputFilePathLength ); /** * The NtAddDriverEntry routine adds a new driver entry to the system boot configuration. * * \param DriverEntry A pointer to an EFI_DRIVER_ENTRY structure that specifies the driver entry to be added. * \param Id A pointer to a variable that receives the identifier of the new driver entry. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAddDriverEntry( _In_ PEFI_DRIVER_ENTRY DriverEntry, _Out_opt_ PULONG Id ); /** * The NtDeleteDriverEntry routine deletes an existing driver entry from the system boot configuration. * * \param Id The identifier of the driver entry to be deleted. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDeleteDriverEntry( _In_ ULONG Id ); /** * The NtModifyDriverEntry routine modifies an existing driver entry in the system boot configuration. * * \param DriverEntry A pointer to an EFI_DRIVER_ENTRY structure that specifies the new driver entry information. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtModifyDriverEntry( _In_ PEFI_DRIVER_ENTRY DriverEntry ); /** * The NtEnumerateDriverEntries routine retrieves information about all driver entries in the system boot configuration. * * \param Buffer A pointer to a buffer that receives the driver entries information. * \param BufferLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtEnumerateDriverEntries( _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, _Inout_ PULONG BufferLength ); /** * The NtQueryDriverEntryOrder routine retrieves the current driver entry order. * * \param Ids A pointer to a buffer that receives the identifiers of the driver entries in the current driver order. * \param Count A pointer to a variable that specifies the number of entries in the buffer. On return, it contains the number of entries returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryDriverEntryOrder( _Out_writes_opt_(*Count) PULONG Ids, _Inout_ PULONG Count ); /** * The NtSetDriverEntryOrder routine sets the driver entry order. * * \param Ids A pointer to a buffer that specifies the identifiers of the driver entries in the desired driver order. * \param Count The number of entries in the buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetDriverEntryOrder( _In_reads_(Count) PULONG Ids, _In_ ULONG Count ); typedef enum _FILTER_BOOT_OPTION_OPERATION { FilterBootOptionOperationOpenSystemStore, FilterBootOptionOperationSetElement, FilterBootOptionOperationDeleteElement, FilterBootOptionOperationMax } FILTER_BOOT_OPTION_OPERATION; #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtFilterBootOption routine filters boot options based on the specified operation, object type, and element type. * * \param FilterOperation The operation to be performed on the boot option. This can be one of the values from the FILTER_BOOT_OPTION_OPERATION enumeration. * \param ObjectType The type of the object to be filtered. * \param ElementType The type of the element within the object to be filtered. * \param Data A pointer to a buffer that contains the data to be used in the filter operation. This parameter is optional and can be NULL. * \param DataSize The size, in bytes, of the data buffer pointed to by the Data parameter. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtFilterBootOption( _In_ FILTER_BOOT_OPTION_OPERATION FilterOperation, _In_ ULONG ObjectType, _In_ ULONG ElementType, _In_reads_bytes_opt_(DataSize) PVOID Data, _In_ ULONG DataSize ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) // // Event // #ifndef EVENT_QUERY_STATE #define EVENT_QUERY_STATE 0x0001 #endif #ifndef EVENT_MODIFY_STATE #define EVENT_MODIFY_STATE 0x0002 #endif #ifndef EVENT_ALL_ACCESS #define EVENT_ALL_ACCESS (EVENT_QUERY_STATE|EVENT_MODIFY_STATE|STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) #endif /** * The EVENT_INFORMATION_CLASS specifies the type of information to be retrieved about an event object. */ typedef enum _EVENT_INFORMATION_CLASS { EventBasicInformation } EVENT_INFORMATION_CLASS; /** * The EVENT_BASIC_INFORMATION structure contains basic information about an event object. */ typedef struct _EVENT_BASIC_INFORMATION { EVENT_TYPE EventType; // The type of the event object (NotificationEvent or SynchronizationEvent). LONG EventState; // The current state of the event object. Nonzero if the event is signaled; zero if not signaled. } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION; /** * The NtCreateEvent routine creates an event object, sets the initial state of the event to the specified value, * and opens a handle to the object with the specified desired access. * * \param EventHandle A pointer to a variable that receives the event object handle. * \param DesiredAccess The access mask that specifies the requested access to the event object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \param EventType The type of the event, which can be SynchronizationEvent or a NotificationEvent. * \param InitialState The initial state of the event object. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwcreateevent */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateEvent( _Out_ PHANDLE EventHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ EVENT_TYPE EventType, _In_ BOOLEAN InitialState ); /** * The NtOpenEvent routine opens a handle to an existing event object. * * \param EventHandle A pointer to a variable that receives the event object handle. * \param DesiredAccess The access mask that specifies the requested access to the event object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenEvent( _Out_ PHANDLE EventHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtSetEvent routine sets an event object to the signaled state. * * \param EventHandle A handle to the event object. * \param PreviousState A pointer to a variable that receives the previous state of the event object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetEvent( _In_ HANDLE EventHandle, _Out_opt_ PLONG PreviousState ); #if (PHNT_VERSION >= PHNT_WINDOWS_11) /** * The NtSetEventEx routine sets an event object to the signaled state and optionally acquires a lock. * * \param ThreadId A handle to the thread. * \param Lock A pointer to an RTL_SRWLOCK structure that specifies the lock to acquire. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetEventEx( _In_ HANDLE ThreadId, _In_opt_ PRTL_SRWLOCK Lock ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_11) /** * The NtSetEventBoostPriority routine sets an event object to the signaled state and boosts the priority of threads waiting on the event. * * \param EventHandle A handle to the event object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetEventBoostPriority( _In_ HANDLE EventHandle ); /** * The NtClearEvent routine sets an event object to the not-signaled state. * * \param EventHandle A handle to the event object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtClearEvent( _In_ HANDLE EventHandle ); /** * The NtResetEvent routine sets an event object to the not-signaled state and optionally returns the previous state. * * \param EventHandle A handle to the event object. * \param PreviousState A pointer to a variable that receives the previous state of the event object. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-resetevent */ NTSYSCALLAPI NTSTATUS NTAPI NtResetEvent( _In_ HANDLE EventHandle, _Out_opt_ PLONG PreviousState ); /** * The NtPulseEvent routine sets an event object to the signaled state and then resets it to the not-signaled state after releasing the appropriate number of waiting threads. * * \param EventHandle A handle to the event object. * \param PreviousState A pointer to a variable that receives the previous state of the event object. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-pulseevent */ NTSYSCALLAPI NTSTATUS NTAPI NtPulseEvent( _In_ HANDLE EventHandle, _Out_opt_ PLONG PreviousState ); /** * The NtQueryEvent routine retrieves information about an event object. * * \param EventHandle A handle to the event object. * \param EventInformationClass The type of information to be retrieved. * \param EventInformation A pointer to a buffer that receives the requested information. * \param EventInformationLength The size of the buffer pointed to by EventInformation. * \param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryEvent( _In_ HANDLE EventHandle, _In_ EVENT_INFORMATION_CLASS EventInformationClass, _Out_writes_bytes_(EventInformationLength) PVOID EventInformation, _In_ ULONG EventInformationLength, _Out_opt_ PULONG ReturnLength ); // // Event Pair // #define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE) /** * The NtCreateEventPair routine creates an event pair object and opens a handle to the object with the specified desired access. * * \remark Event Pairs are used to communicate with protected subsystems (see Context Switches). * \param EventPairHandle A pointer to a variable that receives the event pair object handle. * \param DesiredAccess The access mask that specifies the requested access to the event pair object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateEventPair( _Out_ PHANDLE EventPairHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtOpenEventPair routine opens a handle to an existing event pair object. * * \param EventPairHandle A pointer to a variable that receives the event pair object handle. * \param DesiredAccess The access mask that specifies the requested access to the event pair object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenEventPair( _Out_ PHANDLE EventPairHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtSetLowEventPair routine sets the low event in an event pair to the signaled state. * * \param EventPairHandle A handle to the event pair object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetLowEventPair( _In_ HANDLE EventPairHandle ); /** * The NtSetHighEventPair routine sets the high event in an event pair to the signaled state. * * \param EventPairHandle A handle to the event pair object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetHighEventPair( _In_ HANDLE EventPairHandle ); /** * The NtWaitLowEventPair routine waits for the low event in an event pair to be set to the signaled state. * * \param EventPairHandle A handle to the event pair object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtWaitLowEventPair( _In_ HANDLE EventPairHandle ); /** * The NtWaitHighEventPair routine waits for the high event in an event pair to be set to the signaled state. * * \param EventPairHandle A handle to the event pair object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtWaitHighEventPair( _In_ HANDLE EventPairHandle ); /** * The NtSetLowWaitHighEventPair routine sets the low event in an event pair to the signaled state and waits for the high event to be set to the signaled state. * * \param EventPairHandle A handle to the event pair object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetLowWaitHighEventPair( _In_ HANDLE EventPairHandle ); /** * The NtSetHighWaitLowEventPair routine sets the high event in an event pair to the signaled state and waits for the low event to be set to the signaled state. * * \param EventPairHandle A handle to the event pair object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetHighWaitLowEventPair( _In_ HANDLE EventPairHandle ); // // Mutant // #ifndef MUTANT_QUERY_STATE #define MUTANT_QUERY_STATE 0x0001 #endif #ifndef MUTANT_ALL_ACCESS #define MUTANT_ALL_ACCESS (MUTANT_QUERY_STATE|STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) #endif typedef enum _MUTANT_INFORMATION_CLASS { MutantBasicInformation, // MUTANT_BASIC_INFORMATION MutantOwnerInformation // MUTANT_OWNER_INFORMATION } MUTANT_INFORMATION_CLASS; /** * The MUTANT_BASIC_INFORMATION structure contains basic information about a mutant object. */ typedef struct _MUTANT_BASIC_INFORMATION { LONG CurrentCount; BOOLEAN OwnedByCaller; BOOLEAN AbandonedState; } MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION; /** * The MUTANT_OWNER_INFORMATION structure contains information about the owner of a mutant object. */ typedef struct _MUTANT_OWNER_INFORMATION { CLIENT_ID ClientId; } MUTANT_OWNER_INFORMATION, *PMUTANT_OWNER_INFORMATION; /** * The NtCreateMutant routine creates a mutant object, sets the initial state of the mutant to the specified value, * and opens a handle to the object with the specified desired access. * * \param MutantHandle A pointer to a variable that receives the mutant object handle. * \param DesiredAccess The access mask that specifies the requested access to the mutant object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \param InitialOwner If TRUE, the calling thread is the initial owner of the mutant object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN InitialOwner ); /** * The NtOpenMutant routine opens a handle to an existing mutant object. * * \param MutantHandle A pointer to a variable that receives the mutant object handle. * \param DesiredAccess The access mask that specifies the requested access to the mutant object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtReleaseMutant routine releases ownership of a mutant object. * * \param MutantHandle A handle to the mutant object. * \param PreviousCount A pointer to a variable that receives the previous count of the mutant object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtReleaseMutant( _In_ HANDLE MutantHandle, _Out_opt_ PLONG PreviousCount ); /** * The NtQueryMutant routine retrieves information about a mutant object. * * \param MutantHandle A handle to the mutant object. * \param MutantInformationClass The type of information to be retrieved. * \param MutantInformation A pointer to a buffer that receives the requested information. * \param MutantInformationLength The size of the buffer pointed to by MutantInformation. * \param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryMutant( _In_ HANDLE MutantHandle, _In_ MUTANT_INFORMATION_CLASS MutantInformationClass, _Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation, _In_ ULONG MutantInformationLength, _Out_opt_ PULONG ReturnLength ); // // Semaphore // #ifndef SEMAPHORE_QUERY_STATE #define SEMAPHORE_QUERY_STATE 0x0001 #endif #ifndef SEMAPHORE_MODIFY_STATE #define SEMAPHORE_MODIFY_STATE 0x0002 #endif #ifndef SEMAPHORE_ALL_ACCESS #define SEMAPHORE_ALL_ACCESS (SEMAPHORE_QUERY_STATE|SEMAPHORE_MODIFY_STATE|STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) #endif typedef enum _SEMAPHORE_INFORMATION_CLASS { SemaphoreBasicInformation } SEMAPHORE_INFORMATION_CLASS; /** * The SEMAPHORE_BASIC_INFORMATION structure contains basic information about a semaphore object. */ typedef struct _SEMAPHORE_BASIC_INFORMATION { LONG CurrentCount; LONG MaximumCount; } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; /** * The NtCreateSemaphore routine creates a semaphore object, sets the initial count of the semaphore to the specified value, * and opens a handle to the object with the specified desired access. * * \param SemaphoreHandle A pointer to a variable that receives the semaphore object handle. * \param DesiredAccess The access mask that specifies the requested access to the semaphore object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \param InitialCount The initial count of the semaphore object. * \param MaximumCount The maximum count of the semaphore object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateSemaphore( _Out_ PHANDLE SemaphoreHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ LONG InitialCount, _In_ LONG MaximumCount ); /** * The NtOpenSemaphore routine opens a handle to an existing semaphore object. * * \param SemaphoreHandle A pointer to a variable that receives the semaphore object handle. * \param DesiredAccess The access mask that specifies the requested access to the semaphore object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenSemaphore( _Out_ PHANDLE SemaphoreHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtReleaseSemaphore routine increases the count of the specified semaphore object by a specified amount. * * \param SemaphoreHandle A handle to the semaphore object. * \param ReleaseCount The amount by which the semaphore object's count is to be increased. * \param PreviousCount A pointer to a variable that receives the previous count of the semaphore object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtReleaseSemaphore( _In_ HANDLE SemaphoreHandle, _In_ LONG ReleaseCount, _Out_opt_ PLONG PreviousCount ); /** * The NtQuerySemaphore routine retrieves information about a semaphore object. * * \param SemaphoreHandle A handle to the semaphore object. * \param SemaphoreInformationClass The type of information to be retrieved. * \param SemaphoreInformation A pointer to a buffer that receives the requested information. * \param SemaphoreInformationLength The size of the buffer pointed to by SemaphoreInformation. * \param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySemaphore( _In_ HANDLE SemaphoreHandle, _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, _Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation, _In_ ULONG SemaphoreInformationLength, _Out_opt_ PULONG ReturnLength ); // // Timer // #ifndef TIMER_QUERY_STATE #define TIMER_QUERY_STATE 0x0001 #endif #ifndef TIMER_MODIFY_STATE #define TIMER_MODIFY_STATE 0x0002 #endif #ifndef TIMER_ALL_ACCESS #define TIMER_ALL_ACCESS (TIMER_QUERY_STATE|TIMER_MODIFY_STATE|STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) #endif typedef enum _TIMER_INFORMATION_CLASS { TimerBasicInformation // TIMER_BASIC_INFORMATION } TIMER_INFORMATION_CLASS; typedef enum _TIMER_SET_INFORMATION_CLASS { TimerSetCoalescableTimer, // TIMER_SET_COALESCABLE_TIMER_INFO MaxTimerInfoClass } TIMER_SET_INFORMATION_CLASS; /** * The TIMER_BASIC_INFORMATION structure contains basic information about a timer object. */ typedef struct _TIMER_BASIC_INFORMATION { LARGE_INTEGER RemainingTime; BOOLEAN TimerState; } TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION; typedef _Function_class_(TIMER_APC_ROUTINE) VOID NTAPI TIMER_APC_ROUTINE( _In_ PVOID TimerContext, _In_ ULONG TimerLowValue, _In_ LONG TimerHighValue ); typedef TIMER_APC_ROUTINE* PTIMER_APC_ROUTINE; typedef struct _TIMER_SET_COALESCABLE_TIMER_INFO { _In_ LARGE_INTEGER DueTime; _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine; _In_opt_ PVOID TimerContext; _In_opt_ PCOUNTED_REASON_CONTEXT WakeContext; _In_opt_ ULONG Period; _In_ ULONG TolerableDelay; _Out_opt_ PBOOLEAN PreviousState; } TIMER_SET_COALESCABLE_TIMER_INFO, *PTIMER_SET_COALESCABLE_TIMER_INFO; /** * The NtCreateTimer routine creates a timer object. * * \param TimerHandle A pointer to a variable that receives the handle to the timer object. * \param DesiredAccess The access mask that specifies the requested access to the timer object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \param TimerType The type of the timer object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateTimer( _Out_ PHANDLE TimerHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ TIMER_TYPE TimerType ); /** * The NtOpenTimer routine opens a handle to an existing timer object. * * \param TimerHandle A pointer to a variable that receives the handle to the timer object. * \param DesiredAccess The access mask that specifies the requested access to the timer object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenTimer( _Out_ PHANDLE TimerHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtSetTimer routine sets a timer object to the signaled state after a specified interval. * * \param TimerHandle A handle to the timer object. * \param DueTime A pointer to a LARGE_INTEGER that specifies the absolute or relative time at which the timer is to be set to the signaled state. * \param TimerApcRoutine An optional pointer to a function to be called when the timer is signaled. * \param TimerContext An optional pointer to a context to be passed to the APC routine. * \param ResumeTimer If TRUE, resumes the timer; otherwise, sets a new timer. * \param Period The period of the timer, in milliseconds. If zero, the timer is signaled once. * \param PreviousState A pointer to a variable that receives the previous state of the timer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetTimer( _In_ HANDLE TimerHandle, _In_ PLARGE_INTEGER DueTime, _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine, _In_opt_ PVOID TimerContext, _In_ BOOLEAN ResumeTimer, _In_opt_ LONG Period, _Out_opt_ PBOOLEAN PreviousState ); /** * The NtSetTimerEx routine sets extended information for a timer object. * * \param TimerHandle A handle to the timer object. * \param TimerSetInformationClass The class of information to set. * \param TimerSetInformation A pointer to a buffer that contains the information to set. * \param TimerSetInformationLength The size of the buffer, in bytes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetTimerEx( _In_ HANDLE TimerHandle, _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, _Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation, _In_ ULONG TimerSetInformationLength ); /** * The NtCancelTimer routine Cancels a timer object. * * \param TimerHandle A handle to the timer object. * \param CurrentState A pointer to a variable that receives the current state of the timer object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCancelTimer( _In_ HANDLE TimerHandle, _Out_opt_ PBOOLEAN CurrentState ); /** * The NtQueryTimer routine retrieves information about a timer object. * * \param TimerHandle A handle to the timer object. * \param TimerInformationClass The class of information to retrieve. * \param TimerInformation A pointer to a buffer that receives the requested information. * \param TimerInformationLength The size of the buffer, in bytes. * \param ReturnLength A pointer to a variable that receives the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryTimer( _In_ HANDLE TimerHandle, _In_ TIMER_INFORMATION_CLASS TimerInformationClass, _Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation, _In_ ULONG TimerInformationLength, _Out_opt_ PULONG ReturnLength ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) // ExCheckValidIRTimerId typedef enum _IR_TIMER_PROVIDER_INDEX { IR_TIMER_PROVIDER_TESTIDENTIFIER, // Token(Service SID) IR_TIMER_PROVIDER_BROKERINFRASTRUCTURE, // Token(Service SID) IR_TIMER_PROVIDER_TIMEBROKERSVC, // Token(Service SID) IR_TIMER_PROVIDER_LFSVC, IR_TIMER_PROVIDER_WINLOGON, IR_TIMER_PROVIDER_POWER, IR_TIMER_PROVIDER_SENSORSERVICE, IR_TIMER_PROVIDER_NTOSPO, IR_TIMER_PROVIDER_ACPI, IR_TIMER_PROVIDER_BUTTON, IR_TIMER_PROVIDER_MSGPIOCLX, IR_TIMER_PROVIDER_BUTTONCONVERTER, IR_TIMER_PROVIDER_MSGPIOWIN32, IR_TIMER_PROVIDER_KNETPWRDEPBROKER, IR_TIMER_PROVIDER_CMBATT, IR_TIMER_PROVIDER_BTHPORT, IR_TIMER_PROVIDER_AUDIOSRV, // TOKEN(SERVICE SID) IR_TIMER_PROVIDER_ARTESTIDENTIFIER, // TOKEN(SERVICE SID) IR_TIMER_PROVIDER_BATTC, IR_TIMER_PROVIDER_MAXINDEX } IR_TIMER_PROVIDER_INDEX; //CONST USHORT IR_TIMER_PROVIDER_ID_MAX[] = //{ // 1, // IR_TIMER_PROVIDER_TESTIDENTIFIER // 1, // IR_TIMER_PROVIDER_BROKERINFRASTRUCTURE // 1, // IR_TIMER_PROVIDER_TIMEBROKERSVC // 11, // IR_TIMER_PROVIDER_LFSVC (0x0B) // 1, // IR_TIMER_PROVIDER_WINLOGON // 2, // IR_TIMER_PROVIDER_POWER // 1, // IR_TIMER_PROVIDER_SENSORSERVICE // 6, // IR_TIMER_PROVIDER_NTOSPO // 1, // IR_TIMER_PROVIDER_ACPI // 1, // IR_TIMER_PROVIDER_BUTTON // 2, // MsGpioClx // 1, // ButtonConverter // 2, // MsGpioWin32 // 2, // KNetPwrDepBroker // 1, // Cmbatt // 2, // Bthport // 1, // AudioSrv // 1, // ArTestIdentifier // 1 // Battc //}; // rev #define IR_TIMERID_PROVIDER(TimerId) ((USHORT)HIWORD((ULONG)(TimerId))) #define IR_TIMERID_ID(TimerId) ((USHORT)LOWORD((ULONG)(TimerId))) #define IR_TIMERID_IS_NONZERO(TimerId) (IR_TIMERID_ID(TimerId) != 0) #define IR_TIMERID_ATTRIBUTES(ProviderIndex, ProviderId) \ ((ULONG)MAKELONG((USHORT)(ProviderId), (USHORT)(ProviderIndex))) /** * The NtCreateIRTimer routine creates an IR timer object. * IR timers are interruptdriven and designed for high-resolution timing in system components. * * \param TimerHandle A pointer to a variable that receives the handle to the IR timer object. * \param TimerId A pointer to a timer identifier that specifies the provider. * \param DesiredAccess The access mask that specifies the requested access to the timer object. * \return NTSTATUS Successful or errant status. * \remarks The TimerId must be non-NULL and point to a valid timer identifier. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateIRTimer( _Out_ PHANDLE TimerHandle, _In_ PULONG TimerId, _In_ ACCESS_MASK DesiredAccess ); /** * The NtSetIRTimer routine sets an IR timer object. * * \param TimerHandle A handle to the IR timer object. * \param DueTime An optional pointer to a LARGE_INTEGER that specifies * the time at which the timer is to be set to the signaled state. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetIRTimer( _In_ HANDLE TimerHandle, _In_opt_ PLARGE_INTEGER DueTime ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) #if (PHNT_VERSION >= PHNT_WINDOWS_10) // // NtCreateTimer2 Attributes // #define TIMER2_ATTRIBUTE_IR_TIMER 0x00000002UL #define TIMER2_ATTRIBUTE_HIGH_RESOLUTION 0x00000004UL #define TIMER2_ATTRIBUTE_NOTIFICATION 0x80000000UL // rev #define TIMER2_ATTRIBUTE_KNOWN_MASK (TIMER2_ATTRIBUTE_IR_TIMER | TIMER2_ATTRIBUTE_HIGH_RESOLUTION | TIMER2_ATTRIBUTE_NOTIFICATION) #define TIMER2_ATTRIBUTE_RESERVED_MASK (~TIMER2_ATTRIBUTE_KNOWN_MASK) #define TIMER2_ATTRIBUTE_FOR_TYPE(T) \ (((T) == NotificationTimer) ? TIMER2_ATTRIBUTE_NOTIFICATION : 0) // Build attributes for a *non-IR* timer // - T: TIMER_TYPE (NotificationTimer/SynchronizationTimer) // - R: bool for HighResolution // #define TIMER2_BUILD_ATTRIBUTES(T, R) \ (TIMER2_ATTRIBUTE_FOR_TYPE(T) | ((R) ? TIMER2_ATTRIBUTE_HIGH_RESOLUTION : 0)) // Build attributes for an *IR* timer // - R: bool for HighResolution // #define TIMER2_BUILD_IR_ATTRIBUTES(R) \ (TIMER2_ATTRIBUTE_IR_TIMER | ((R) ? TIMER2_ATTRIBUTE_HIGH_RESOLUTION : 0)) // rev typedef union _TIMER2_ATTRIBUTES { ULONG Value; struct { ULONG Reserved0 : 1; // bit 0 (reserved) ULONG IrTimer : 1; // bit 1 == TIMER2_ATTRIBUTE_IR_TIMER ULONG HighResolution : 1; // bit 2 == TIMER2_ATTRIBUTE_HIGH_RESOLUTION ULONG Reserved1 : 28; // bits [3..30] (reserved) TIMER_TYPE NotificationType : 1; // bit 31 == TIMER2_ATTRIBUTE_NOTIFICATION }; } TIMER2_ATTRIBUTES; /** * The NtCreateTimer2 routine creates a timer object. * * \param TimerHandle A pointer to a variable that receives the handle to the timer object. * \param TimerId For IR timers: A pointer to ULONG TIMERID (non-NULL). For non-IR timers: must be NULL. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \param Attributes Timer attributes (TIMER_TYPE). * \param DesiredAccess The access mask that specifies the requested access to the timer object. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createwaitabletimerexw */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateTimer2( _Out_ PHANDLE TimerHandle, _In_opt_ PULONG TimerId, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG Attributes, _In_ ACCESS_MASK DesiredAccess ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) // rev #define TIMER2_SET_PARAMETERS_CURRENT_VERSION 0 // rev /** * The T2_SET_PARAMETERS structure configures the high-resolution or coalescable timers, * and specify a "no-wake tolerance" value, which controls how much the kernel * may delay the timers for coalescing or power efficiency. * \remarks Setting NoWakeTolerance to 0 requests **no coalescing** and the most precise * wake-up behavior the system can provide. */ typedef struct _T2_SET_PARAMETERS_V0 { /** * Structure version. Must be set to zero. */ ULONG Version; /** * Reserved. */ ULONG Reserved; /** * Maximum tolerable delay (in 100-ns units) for timer coalescing. * - Set to 0 for **no coalescing** (strict wake-up). * - Set to a positive value to allow the kernel to delay the timer * by up to this amount for power efficiency. * Example: * If NoWakeTolerance = 0 --> High-resolution, best precision, min jitter, zero coalescing, low power savings. * If NoWakeTolerance > 0 --> Normal-resolution, allow up to this value of coalescing, normal power savings. * If NoWakeTolerance = -1 --> Low-resolution, worst precision, max jitter, max coalescing, max power savings. */ LONGLONG NoWakeTolerance; } T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; typedef PVOID PT2_CANCEL_PARAMETERS; #if (PHNT_VERSION >= PHNT_WINDOWS_10) /** * The NtSetTimer2 routine activates the timer object for a specified interval with optional periodic behavior. * * \param TimerHandle A handle to the timer object to set. * \param DueTime A pointer to a LARGE_INTEGER specifying the absolute or relative time when the timer should expire. * \param Period An optional pointer to a LARGE_INTEGER specifying the period for periodic timer notifications, in 100-nanosecond intervals. If NULL, the timer is non-periodic. * \param Parameters A pointer to a T2_SET_PARAMETERS structure containing additional timer configuration parameters. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-setwaitabletimer */ NTSYSCALLAPI NTSTATUS NTAPI NtSetTimer2( _In_ HANDLE TimerHandle, _In_ PLARGE_INTEGER DueTime, _In_opt_ PLARGE_INTEGER Period, _In_opt_ PT2_SET_PARAMETERS Parameters ); /** * The NtCancelTimer2 routine sets the specified waitable timer to the inactive state. * * \param TimerHandle A handle to the timer object to set. * \param Parameters A pointer to a PT2_CANCEL_PARAMETERS structure containing additional parameters. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-cancelwaitabletimer */ NTSYSCALLAPI NTSTATUS NTAPI NtCancelTimer2( _In_ HANDLE TimerHandle, _In_ PT2_CANCEL_PARAMETERS Parameters ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) // // Profile // #define PROFILE_CONTROL 0x0001 #define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL) /** * The NtCreateProfile routine creates a profile object for performance monitoring. * * \param ProfileHandle A pointer to a variable that receives the handle to the profile object. * \param Process Optional handle to the process to be profiled. If NULL, the current process is used. * \param ProfileBase The base address of the region to be profiled. * \param ProfileSize The size, in bytes, of the region to be profiled. * \param BucketSize The size, in bytes, of each bucket in the profile buffer. * \param Buffer A pointer to a buffer that receives the profile data. * \param BufferSize The size, in bytes, of the buffer. * \param ProfileSource The source of the profiling data (KPROFILE_SOURCE). * \param Affinity The processor affinity mask indicating which processors to profile. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateProfile( _Out_ PHANDLE ProfileHandle, _In_opt_ HANDLE Process, _In_ PVOID ProfileBase, _In_ SIZE_T ProfileSize, _In_ ULONG BucketSize, _In_reads_bytes_(BufferSize) PULONG Buffer, _In_ ULONG BufferSize, _In_ KPROFILE_SOURCE ProfileSource, _In_ KAFFINITY Affinity ); /** * The NtCreateProfileEx routine creates a profile object for performance monitoring with group affinity. * * \param ProfileHandle A pointer to a variable that receives the handle to the profile object. * \param Process Optional handle to the process to be profiled. If NULL, the current process is used. * \param ProfileBase The base address of the region to be profiled. * \param ProfileSize The size, in bytes, of the region to be profiled. * \param BucketSize The size, in bytes, of each bucket in the profile buffer. * \param Buffer A pointer to a buffer that receives the profile data. * \param BufferSize The size, in bytes, of the buffer. * \param ProfileSource The source of the profiling data (KPROFILE_SOURCE). * \param GroupCount The number of group affinities provided. * \param GroupAffinity A pointer to an array of GROUP_AFFINITY structures specifying processor groups to profile. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateProfileEx( _Out_ PHANDLE ProfileHandle, _In_opt_ HANDLE Process, _In_ PVOID ProfileBase, _In_ SIZE_T ProfileSize, _In_ ULONG BucketSize, _In_reads_bytes_(BufferSize) PULONG Buffer, _In_ ULONG BufferSize, _In_ KPROFILE_SOURCE ProfileSource, _In_ USHORT GroupCount, _In_reads_(GroupCount) PGROUP_AFFINITY GroupAffinity ); /** * The NtStartProfile routine starts the specified profile object. * * \param ProfileHandle A handle to the profile object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtStartProfile( _In_ HANDLE ProfileHandle ); /** * The NtStopProfile routine stops the specified profile object. * * \param ProfileHandle A handle to the profile object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtStopProfile( _In_ HANDLE ProfileHandle ); /** * The NtQueryIntervalProfile routine retrieves the interval for the specified profile source. * * \param ProfileSource The profile source (KPROFILE_SOURCE) to query. * \param Interval A pointer to a variable that receives the interval, in 100-nanosecond units. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryIntervalProfile( _In_ KPROFILE_SOURCE ProfileSource, _Out_ PULONG Interval ); /** * The NtSetIntervalProfile routine sets the interval for the specified profile source. * * \param Interval The interval, in 100-nanosecond units, to set. * \param Source The profile source (KPROFILE_SOURCE) to set the interval for. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetIntervalProfile( _In_ ULONG Interval, _In_ KPROFILE_SOURCE Source ); // // Keyed Event // #define KEYEDEVENT_WAIT 0x0001 #define KEYEDEVENT_WAKE 0x0002 #define KEYEDEVENT_ALL_ACCESS \ (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE) /** * The NtCreateKeyedEvent routine creates a keyed event object and returns a handle to it. * * \param KeyedEventHandle A pointer to a variable that receives the handle to the keyed event object. * \param DesiredAccess The access mask that specifies the requested access to the keyed event object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \param Flags Reserved. Must be zero. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateKeyedEvent( _Out_ PHANDLE KeyedEventHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Reserved_ ULONG Flags ); /** * The NtOpenKeyedEvent routine opens a handle to an existing keyed event object. * * \param KeyedEventHandle A pointer to a variable that receives the handle to the keyed event object. * \param DesiredAccess The access mask that specifies the requested access to the keyed event object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenKeyedEvent( _Out_ PHANDLE KeyedEventHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtReleaseKeyedEvent routine releases a thread that is waiting on a keyed event with the specified key value. * * \param KeyedEventHandle Optional handle to the keyed event object. If NULL, the default keyed event is used. * \param KeyValue The key value that identifies the waiting thread to release. * \param Alertable Specifies whether the call is alertable (can be interrupted by APCs). * \param Timeout Optional pointer to a timeout value (in 100-nanosecond intervals). If NULL, waits indefinitely. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtReleaseKeyedEvent( _In_opt_ HANDLE KeyedEventHandle, _In_ PVOID KeyValue, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout ); /** * The NtWaitForKeyedEvent routine waits for a keyed event to be released with the specified key value. * * \param KeyedEventHandle Optional handle to the keyed event object. If NULL, the default keyed event is used. * \param KeyValue The key value to wait for. * \param Alertable Specifies whether the call is alertable (can be interrupted by APCs). * \param Timeout Optional pointer to a timeout value (in 100-nanosecond intervals). If NULL, waits indefinitely. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtWaitForKeyedEvent( _In_opt_ HANDLE KeyedEventHandle, _In_ PVOID KeyValue, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout ); // // UMS // /** * The NtUmsThreadYield routine yields control to the user-mode scheduling (UMS) scheduler thread on which the calling UMS worker thread is running. * Note: As of Windows 11, user-mode scheduling is not supported. All calls fail with the error STATUS_NOT_SUPPORTED. * * \param SchedulerParam Optional handle to the keyed event object. If NULL, the default keyed event is used. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-umsthreadyield */ NTSYSCALLAPI NTSTATUS NTAPI NtUmsThreadYield( _In_ PVOID SchedulerParam ); // // WNF // // begin_private typedef struct _WNF_STATE_NAME { union { ULONGLONG Value; ULONG Data[2]; struct { ULONG64 Version : 4; ULONG64 NameLifetime : 2; ULONG64 DataScope : 4; ULONG64 PermanentData : 1; ULONG64 Unique : 53; }; }; } WNF_STATE_NAME, *PWNF_STATE_NAME; typedef const WNF_STATE_NAME *PCWNF_STATE_NAME; typedef enum _WNF_STATE_NAME_LIFETIME { WnfWellKnownStateName, WnfPermanentStateName, WnfPersistentStateName, WnfTemporaryStateName } WNF_STATE_NAME_LIFETIME; typedef enum _WNF_STATE_NAME_INFORMATION { WnfInfoStateNameExist, WnfInfoSubscribersPresent, WnfInfoIsQuiescent } WNF_STATE_NAME_INFORMATION; typedef enum _WNF_DATA_SCOPE { WnfDataScopeSystem, WnfDataScopeSession, WnfDataScopeUser, WnfDataScopeProcess, WnfDataScopeMachine, // REDSTONE3 WnfDataScopePhysicalMachine, // WIN11 } WNF_DATA_SCOPE; typedef struct _WNF_TYPE_ID { GUID TypeId; } WNF_TYPE_ID, *PWNF_TYPE_ID; typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; // rev typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; typedef struct _WNF_DELIVERY_DESCRIPTOR { ULONGLONG SubscriptionId; WNF_STATE_NAME StateName; WNF_CHANGE_STAMP ChangeStamp; ULONG StateDataSize; ULONG EventMask; WNF_TYPE_ID TypeId; ULONG StateDataOffset; } WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; // end_private #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtCreateWnfStateName routine creates a new WNF (Windows Notification Facility) state name. * * \param StateName Pointer to a WNF_STATE_NAME structure that receives the created state name. * \param NameLifetime The lifetime of the state name (see WNF_STATE_NAME_LIFETIME). * \param DataScope The data scope for the state name (see WNF_DATA_SCOPE). * \param PersistData If TRUE, the state data is persistent. * \param TypeId Optional pointer to a WNF_TYPE_ID structure specifying the type of the state data. * \param MaximumStateSize The maximum size, in bytes, of the state data. * \param SecurityDescriptor Pointer to a security descriptor for the state name. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateWnfStateName( _Out_ PWNF_STATE_NAME StateName, _In_ WNF_STATE_NAME_LIFETIME NameLifetime, _In_ WNF_DATA_SCOPE DataScope, _In_ BOOLEAN PersistData, _In_opt_ PCWNF_TYPE_ID TypeId, _In_ ULONG MaximumStateSize, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); /** * The NtDeleteWnfStateName routine deletes an existing WNF state name. * * \param StateName Pointer to the WNF_STATE_NAME to delete. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDeleteWnfStateName( _In_ PCWNF_STATE_NAME StateName ); /** * The NtUpdateWnfStateData routine updates the data associated with a WNF state name. * * \param StateName Pointer to the WNF_STATE_NAME to update. * \param Buffer Pointer to the data buffer to write. * \param Length Length, in bytes, of the data buffer. * \param TypeId Optional pointer to a WNF_TYPE_ID structure specifying the type of the state data. * \param ExplicitScope Optional pointer to a security identifier (SID) for explicit scope. * \param MatchingChangeStamp The change stamp to match for update. * \param CheckStamp If TRUE, the change stamp is checked before updating. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtUpdateWnfStateData( _In_ PCWNF_STATE_NAME StateName, _In_reads_bytes_opt_(Length) const VOID* Buffer, _In_opt_ ULONG Length, _In_opt_ PCWNF_TYPE_ID TypeId, _In_opt_ PCSID ExplicitScope, _In_ WNF_CHANGE_STAMP MatchingChangeStamp, _In_ LOGICAL CheckStamp ); /** * The NtDeleteWnfStateData routine deletes the data associated with a WNF state name. * * \param StateName Pointer to the WNF_STATE_NAME whose data is to be deleted. * \param ExplicitScope Optional pointer to a security identifier (SID) for explicit scope. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDeleteWnfStateData( _In_ PCWNF_STATE_NAME StateName, _In_opt_ PCSID ExplicitScope ); /** * The NtQueryWnfStateData routine queries the data associated with a WNF state name. * * \param StateName Pointer to the WNF_STATE_NAME to query. * \param TypeId Optional pointer to a WNF_TYPE_ID structure specifying the type of the state data. * \param ExplicitScope Optional pointer to a security identifier (SID) for explicit scope. * \param ChangeStamp Pointer to a variable that receives the change stamp. * \param Buffer Pointer to a buffer that receives the state data. * \param BufferLength On input, the size of the buffer in bytes; on output, the number of bytes written. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryWnfStateData( _In_ PCWNF_STATE_NAME StateName, _In_opt_ PCWNF_TYPE_ID TypeId, _In_opt_ PCSID ExplicitScope, _Out_ PWNF_CHANGE_STAMP ChangeStamp, _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, _Inout_ PULONG BufferLength ); /** * The NtQueryWnfStateNameInformation routine queries information about a WNF state name. * * \param StateName Pointer to the WNF_STATE_NAME to query. * \param NameInfoClass The information class to query (see WNF_STATE_NAME_INFORMATION). * \param ExplicitScope Optional pointer to a security identifier (SID) for explicit scope. * \param Buffer Pointer to a buffer that receives the requested information. * \param BufferLength The size, in bytes, of the buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryWnfStateNameInformation( _In_ PCWNF_STATE_NAME StateName, _In_ WNF_STATE_NAME_INFORMATION NameInfoClass, _In_opt_ PCSID ExplicitScope, _Out_writes_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength ); /** * The NtSubscribeWnfStateChange routine subscribes to state change notifications for a WNF state name. * * \param StateName Pointer to the WNF_STATE_NAME to subscribe to. * \param ChangeStamp Optional change stamp to start receiving notifications from. * \param EventMask Bitmask specifying which events to subscribe to. * \param SubscriptionId Optional pointer to a variable that receives the subscription ID. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSubscribeWnfStateChange( _In_ PCWNF_STATE_NAME StateName, _In_opt_ WNF_CHANGE_STAMP ChangeStamp, _In_ ULONG EventMask, _Out_opt_ PULONG64 SubscriptionId ); /** * The NtUnsubscribeWnfStateChange routine unsubscribes from state change notifications for a WNF state name. * * \param StateName Pointer to the WNF_STATE_NAME to unsubscribe from. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtUnsubscribeWnfStateChange( _In_ PCWNF_STATE_NAME StateName ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) #if (PHNT_VERSION >= PHNT_WINDOWS_10) /** * The NtGetCompleteWnfStateSubscription routine retrieves the complete WNF state subscription information. * * \param OldDescriptorStateName Optional pointer to the previous state name. * \param OldSubscriptionId Optional pointer to the previous subscription ID. * \param OldDescriptorEventMask Optional previous event mask. * \param OldDescriptorStatus Optional previous descriptor status. * \param NewDeliveryDescriptor Pointer to a buffer that receives the new delivery descriptor. * \param DescriptorSize The size, in bytes, of the delivery descriptor buffer. * \return NTSTATUS code indicating success or failure. */ NTSYSCALLAPI NTSTATUS NTAPI NtGetCompleteWnfStateSubscription( _In_opt_ PWNF_STATE_NAME OldDescriptorStateName, _In_opt_ ULONG64 *OldSubscriptionId, _In_opt_ ULONG OldDescriptorEventMask, _In_opt_ ULONG OldDescriptorStatus, _Out_writes_bytes_(DescriptorSize) PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, _In_ ULONG DescriptorSize ); /** * The NtSetWnfProcessNotificationEvent routine sets a process notification event for WNF state changes. * * \param NotificationEvent Handle to the event object to be signaled on state change. * \return NTSTATUS code indicating success or failure. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetWnfProcessNotificationEvent( _In_ HANDLE NotificationEvent ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) // // Worker factory // // begin_rev #define WORKER_FACTORY_RELEASE_WORKER 0x0001 #define WORKER_FACTORY_WAIT 0x0002 #define WORKER_FACTORY_SET_INFORMATION 0x0004 #define WORKER_FACTORY_QUERY_INFORMATION 0x0008 #define WORKER_FACTORY_READY_WORKER 0x0010 #define WORKER_FACTORY_SHUTDOWN 0x0020 #define WORKER_FACTORY_ALL_ACCESS ( \ STANDARD_RIGHTS_REQUIRED | \ WORKER_FACTORY_RELEASE_WORKER | \ WORKER_FACTORY_WAIT | \ WORKER_FACTORY_SET_INFORMATION | \ WORKER_FACTORY_QUERY_INFORMATION | \ WORKER_FACTORY_READY_WORKER | \ WORKER_FACTORY_SHUTDOWN \ ) // end_rev // begin_private typedef enum _WORKERFACTORYINFOCLASS { WorkerFactoryTimeout, // LARGE_INTEGER WorkerFactoryRetryTimeout, // LARGE_INTEGER WorkerFactoryIdleTimeout, // s: LARGE_INTEGER WorkerFactoryBindingCount, // s: ULONG WorkerFactoryThreadMinimum, // s: ULONG WorkerFactoryThreadMaximum, // s: ULONG WorkerFactoryPaused, // ULONG or BOOLEAN WorkerFactoryBasicInformation, // q: WORKER_FACTORY_BASIC_INFORMATION WorkerFactoryAdjustThreadGoal, WorkerFactoryCallbackType, WorkerFactoryStackInformation, // 10 WorkerFactoryThreadBasePriority, // s: ULONG WorkerFactoryTimeoutWaiters, // s: ULONG, since THRESHOLD WorkerFactoryFlags, // s: ULONG WorkerFactoryThreadSoftMaximum, // s: ULONG WorkerFactoryThreadCpuSets, // since REDSTONE5 MaxWorkerFactoryInfoClass } WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; typedef struct _WORKER_FACTORY_BASIC_INFORMATION { LARGE_INTEGER Timeout; LARGE_INTEGER RetryTimeout; LARGE_INTEGER IdleTimeout; BOOLEAN Paused; BOOLEAN TimerSet; BOOLEAN QueuedToExWorker; BOOLEAN MayCreate; BOOLEAN CreateInProgress; BOOLEAN InsertedIntoQueue; BOOLEAN Shutdown; ULONG BindingCount; ULONG ThreadMinimum; ULONG ThreadMaximum; ULONG PendingWorkerCount; ULONG WaitingWorkerCount; ULONG TotalWorkerCount; ULONG ReleaseCount; LONGLONG InfiniteWaitGoal; PVOID StartRoutine; PVOID StartParameter; HANDLE ProcessId; SIZE_T StackReserve; SIZE_T StackCommit; NTSTATUS LastThreadCreationStatus; } WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION; // end_private NTSYSCALLAPI NTSTATUS NTAPI NtCreateWorkerFactory( _Out_ PHANDLE WorkerFactoryHandleReturn, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE CompletionPortHandle, _In_ HANDLE WorkerProcessHandle, _In_ PVOID StartRoutine, _In_opt_ PVOID StartParameter, _In_opt_ ULONG MaxThreadCount, _In_opt_ SIZE_T StackReserve, _In_opt_ SIZE_T StackCommit ); NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationWorkerFactory( _In_ HANDLE WorkerFactoryHandle, _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, _Out_writes_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation, _In_ ULONG WorkerFactoryInformationLength, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationWorkerFactory( _In_ HANDLE WorkerFactoryHandle, _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, _In_reads_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation, _In_ ULONG WorkerFactoryInformationLength ); NTSYSCALLAPI NTSTATUS NTAPI NtShutdownWorkerFactory( _In_ HANDLE WorkerFactoryHandle, _Inout_ volatile LONG *PendingWorkerCount ); NTSYSCALLAPI NTSTATUS NTAPI NtReleaseWorkerFactoryWorker( _In_ HANDLE WorkerFactoryHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtWorkerFactoryWorkerReady( _In_ HANDLE WorkerFactoryHandle ); typedef struct _WORKER_FACTORY_DEFERRED_WORK { PPORT_MESSAGE AlpcSendMessage; PVOID AlpcSendMessagePort; ULONG AlpcSendMessageFlags; ULONG Flags; } WORKER_FACTORY_DEFERRED_WORK, *PWORKER_FACTORY_DEFERRED_WORK; #if (PHNT_VERSION >= PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtWaitForWorkViaWorkerFactory( _In_ HANDLE WorkerFactoryHandle, _Out_writes_to_(Count, *PacketsReturned) PFILE_IO_COMPLETION_INFORMATION MiniPackets, _In_ ULONG Count, _Out_ PULONG PacketsReturned, _In_ PVOID DeferredWork // PWORKER_FACTORY_DEFERRED_WORK ); #else NTSYSCALLAPI NTSTATUS NTAPI NtWaitForWorkViaWorkerFactory( _In_ HANDLE WorkerFactoryHandle, _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) // // Time // /** * The NtQuerySystemTime routine obtains the current system time. * * \param SystemTime A pointer to a LARGE_INTEGER structure that receives the system time. This is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysystemtime */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemTime( _Out_ PLARGE_INTEGER SystemTime ); /** * The NtSetSystemTime routine sets the current system time and date. The system time is expressed in Coordinated Universal Time (UTC). * * \param SystemTime A pointer to a LARGE_INTEGER structure that that contains the new system date and time. * \param PreviousTime A pointer to a LARGE_INTEGER structure that that contains the previous system time. * \return NTSTATUS Successful or errant status. * \remarks The calling process must have the SE_SYSTEMTIME_NAME privilege. * \see https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-setsystemtime */ NTSYSCALLAPI NTSTATUS NTAPI NtSetSystemTime( _In_opt_ PLARGE_INTEGER SystemTime, _Out_opt_ PLARGE_INTEGER PreviousTime ); /** * The NtQueryTimerResolution routine retrieves the range and current value of the system interrupt timer. * * \param MaximumTime The maximum timer resolution, in 100-nanosecond units. * \param MinimumTime The minimum timer resolution, in 100-nanosecond units. * \param CurrentTime The current timer resolution, in 100-nanosecond units. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryTimerResolution( _Out_ PULONG MaximumTime, _Out_ PULONG MinimumTime, _Out_ PULONG CurrentTime ); /** * The NtSetTimerResolution routine sets the system interrupt timer resolution to the specified value. * * \param DesiredTime The desired timer resolution, in 100-nanosecond units. * \param SetResolution If TRUE, the timer resolution is set to the value specified by DesiredTime. If FALSE, the timer resolution is reset to the default value. * \param ActualTime The actual timer resolution, in 100-nanosecond units. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetTimerResolution( _In_ ULONG DesiredTime, _In_ BOOLEAN SetResolution, _Out_ PULONG ActualTime ); // // Performance Counters // /** * The NtQueryPerformanceCounter routine retrieves the current value of the performance counter, * which is a high resolution (<1us) time stamp that can be used for time-interval measurements. * * \param PerformanceCounter A pointer to a variable that receives the current performance-counter value, in 100-nanosecond units. * \param PerformanceFrequency A pointer to a variable that receives the current performance-frequency value, in 100-nanosecond units. * \return NTSTATUS Successful or errant status. * \remarks On systems that run Windows XP or later, the function will always succeed and will thus never return zero. Use RtlQueryPerformanceCounter instead since no system calls are required. * \sa https://learn.microsoft.com/en-us/windows/win32/api/profileapi/nf-profileapi-queryperformancecounter */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryPerformanceCounter( _Out_ PLARGE_INTEGER PerformanceCounter, _Out_opt_ PLARGE_INTEGER PerformanceFrequency ); #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS2) // rev /** * The NtQueryAuxiliaryCounterFrequency routine queries the auxiliary counter frequency. (The auxiliary counter is generally the HPET hardware timer). * * \param AuxiliaryCounterFrequency A pointer to an output buffer that contains the specified auxiliary counter frequency. If the auxiliary counter is not supported, the value in the output buffer will be undefined. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/realtimeapiset/nf-realtimeapiset-queryauxiliarycounterfrequency */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryAuxiliaryCounterFrequency( _Out_ PULONG64 AuxiliaryCounterFrequency ); // rev /** * The NtConvertBetweenAuxiliaryCounterAndPerformanceCounter routine converts the specified performance counter value to the corresponding auxiliary counter value; * optionally provides the estimated conversion error in nanoseconds due to latencies and maximum possible drift. * * \param ConvertAuxiliaryToPerformanceCounter If TRUE, the value will be converted from AUX to QPC. If FALSE, the value will be converted from QPC to AUX. * \param PerformanceOrAuxiliaryCounterValue The performance counter value to convert. * \param ConvertedValue On success, contains the converted auxiliary counter value. Will be undefined if the function fails. * \param ConversionError On success, contains the estimated conversion error, in nanoseconds. Will be undefined if the function fails. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/realtimeapiset/nf-realtimeapiset-convertperformancecountertoauxiliarycounter */ NTSYSCALLAPI NTSTATUS NTAPI NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( _In_ BOOLEAN ConvertAuxiliaryToPerformanceCounter, _In_ PULONG64 PerformanceOrAuxiliaryCounterValue, _Out_ PULONG64 ConvertedValue, _Out_opt_ PULONG64 ConversionError ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS2) // // LUIDs // NTSYSCALLAPI NTSTATUS NTAPI NtAllocateLocallyUniqueId( _Out_ PLUID Luid ); // // UUIDs // NTSYSCALLAPI NTSTATUS NTAPI NtSetUuidSeed( _In_ PCHAR Seed ); NTSYSCALLAPI NTSTATUS NTAPI NtAllocateUuids( _Out_ PULARGE_INTEGER Time, _Out_ PULONG Range, _Out_ PULONG Sequence, _Out_ PCHAR Seed ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // System Information // // rev // private typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION SystemPathInformation, // q: not implemented SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) SystemFlagsInformation, // qs: SYSTEM_FLAGS_INFORMATION SystemCallTimeInformation, // q: SYSTEM_CALL_TIME_INFORMATION // not implemented // 10 SystemModuleInformation, // q: RTL_PROCESS_MODULES SystemLocksInformation, // q: RTL_PROCESS_LOCKS SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES SystemPagedPoolInformation, // q: not implemented SystemNonPagedPoolInformation, // q: not implemented SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO SystemVdmBopInformation, // q: not implemented // 20 SystemFileCacheInformation, // qs: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) SystemDpcBehaviorInformation, // qs: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) SystemFullMemoryInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION // not implemented SystemLoadGdiDriverInformation, // s: (kernel-mode only) SystemUnloadGdiDriverInformation, // s: (kernel-mode only) SystemTimeAdjustmentInformation, // qs: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) SystemSummaryMemoryInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION // not implemented SystemMirrorMemoryInformation, // qs: (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 SystemPerformanceTraceInformation, // qs: (type depends on EVENT_TRACE_INFORMATION_CLASS) SystemObsolete0, // q: not implemented SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION SystemRegistryQuotaInformation, // qs: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) SystemExtendServiceTableInformation, // s: (requires SeLoadDriverPrivilege) // loads win32k only SystemPrioritySeparation, // s: (requires SeTcbPrivilege) SystemVerifierAddDriverInformation, // s: UNICODE_STRING (requires SeDebugPrivilege) // 40 SystemVerifierRemoveDriverInformation, // s: UNICODE_STRING (requires SeDebugPrivilege) SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup) SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION SystemCurrentTimeZoneInformation, // qs: RTL_TIME_ZONE_INFORMATION SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) SystemSessionCreate, // q: not implemented SystemSessionDetach, // q: not implemented SystemSessionInformation, // q: not implemented (SYSTEM_SESSION_INFORMATION) SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 SystemVerifierInformation, // qs: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) SystemVerifierThunkExtend, // qs: (kernel-mode only) SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION SystemLoadGdiDriverInSystemSpace, // qs: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION SystemPrefetcherInformation, // qs: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation SystemExtendedProcessInformation, // q: SYSTEM_EXTENDED_PROCESS_INFORMATION SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment SystemComPlusPackage, // qs: ULONG SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60 SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX SystemLostDelayedWriteInformation, // q: ULONG SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION SystemHotpatchInformation, // qs: SYSTEM_HOTPATCH_CODE_INFORMATION SystemObjectSecurityMode, // q: ULONG // 70 SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only) SystemWatchdogTimerInformation, // qs: out: SYSTEM_WATCHDOG_TIMER_INFORMATION (EX in: ULONG WATCHDOG_INFORMATION_CLASS) // NtQuerySystemInformationEx SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx SystemWow64SharedInformationObsolete, // q: not implemented SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only) SystemFirmwareTableInformation, // q: SYSTEM_FIRMWARE_TABLE_INFORMATION SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX // since VISTA SystemVerifierTriageInformation, // q: not implemented SystemSuperfetchInformation, // qs: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) // NtQuerySystemInformationEx SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx SystemVerifierCancellationInformation, // q: SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation SystemProcessorPowerInformationEx, // q: not implemented SystemRefTraceInformation, // qs: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation SystemSpecialPoolInformation, // qs: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION SystemErrorPortInformation, // s: HANDLE (requires SeTcbPrivilege) SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION SystemVerifierInformationEx, // qs: SYSTEM_VERIFIER_INFORMATION_EX SystemTimeZoneInformation, // qs: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) SystemCoverageInformation, // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege) SystemPrefetchPatchInformation, // q: SYSTEM_PREFETCH_PATCH_INFORMATION SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 100 SystemNumaProximityNodeInformation, // qs: SYSTEM_NUMA_PROXIMITY_MAP SystemDynamicTimeZoneInformation, // qs: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION (requires SeLoadDriverPrivilege) SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // NtQuerySystemInformationEx // KeQueryLogicalProcessorRelationship SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx SystemStoreInformation, // qs: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION SystemCpuQuotaInformation, // qs: PS_CPU_QUOTA_QUERY_INFORMATION SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION SystemErrorPortTimeouts, // q: SYSTEM_ERROR_PORT_TIMEOUTS SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION SystemTpmBootEntropyInformation, // q: BOOT_ENTROPY_NT_RESULT // ExQueryBootEntropyInformation SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) // NtQuerySystemInformationEx SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 SystemBootGraphicsInformation, // qs: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) SystemScrubPhysicalMemoryInformation, // qs: MEMORY_SCRUB_INFORMATION SystemBadPageInformation, // q: SYSTEM_BAD_PAGE_INFORMATION SystemProcessorProfileControlArea, // qs: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 SystemEntropyInterruptTimingInformation, // qs: SYSTEM_ENTROPY_TIMING_INFORMATION SystemConsoleInformation, // qs: SYSTEM_CONSOLE_INFORMATION // (requires SeLoadDriverPrivilege) SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // since WINBLUE SystemCriticalProcessErrorLogInformation, // q: CRITICAL_PROCESS_EXCEPTION_DATA SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION SystemEntropyInterruptTimingRawInformation, // qs: SYSTEM_ENTROPY_TIMING_INFORMATION SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION SystemFullProcessInformation, // q: SYSTEM_EXTENDED_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX SystemBootMetadataInformation, // q: (requires SeTcbPrivilege) // 150 SystemSoftRebootInformation, // q: ULONG SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives) SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 160 SystemVmGenerationCountInformation, // s: PHYSICAL_ADDRESS (kernel-mode only) (vmgencounter.sys) SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION SystemKernelDebuggerFlags, // q: SYSTEM_KERNEL_DEBUGGER_FLAGS SystemCodeIntegrityPolicyInformation, // qs: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION SystemHardwareSecurityTestInterfaceResultsInformation, // q: SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION SystemAllowedCpuSetsInformation, // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION SystemCodeIntegrityPolicyFullInformation, // q: SystemAffinitizedInterruptProcessorInformation, // q: KAFFINITY_EX // (requires SeIncreaseBasePriorityPrivilege) SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION SystemWin32WerStartCallout, // s: SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // NtQuerySystemInformationEx // since REDSTONE SystemInterruptSteeringInformation, // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 180 SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 SystemControlFlowTransition, // qs: (Warbird/Encrypt/Decrypt/Execute) SystemKernelDebuggingAllowed, // s: ULONG SystemActivityModerationExeState, // s: SYSTEM_ACTIVITY_MODERATION_EXE_STATE SystemActivityModerationUserSettings, // q: SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS SystemCodeIntegrityPoliciesFullInformation, // qs: NtQuerySystemInformationEx SystemCodeIntegrityUnlockInformation, // q: SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 SystemIntegrityQuotaInformation, // s: SYSTEM_INTEGRITY_QUOTA_INFORMATION (requires SeDebugPrivilege) SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3 SystemSecureDumpEncryptionInformation, // qs: NtQuerySystemInformationEx // (q: requires SeDebugPrivilege) (s: requires SeTcbPrivilege) SystemWriteConstraintInformation, // q: SYSTEM_WRITE_CONSTRAINT_INFORMATION SystemKernelVaShadowInformation, // q: SYSTEM_KERNEL_VA_SHADOW_INFORMATION SystemHypervisorSharedPageInformation, // q: SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4 SystemFirmwareBootPerformanceInformation, // q: SystemCodeIntegrityVerificationInformation, // q: SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION SystemFirmwarePartitionInformation, // q: SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200 SystemSpeculationControlInformation, // q: SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. SystemDmaGuardPolicyInformation, // q: SYSTEM_DMA_GUARD_POLICY_INFORMATION SystemEnclaveLaunchControlInformation, // q: SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION SystemWorkloadAllowedCpuSetsInformation, // q: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5 SystemCodeIntegrityUnlockModeInformation, // q: SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION SystemLeapSecondInformation, // qs: SYSTEM_LEAP_SECOND_INFORMATION // (s: requires SeSystemtimePrivilege) SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION // (s: requires SeDebugPrivilege) SystemSecurityModelInformation, // q: SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1 SystemCodeIntegritySyntheticCacheInformation, // qs: NtQuerySystemInformationEx SystemFeatureConfigurationInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210 SystemFeatureConfigurationSectionInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx SystemFeatureUsageSubscriptionInformation, // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE SystemSecureSpeculationControlInformation, // q: SECURE_SPECULATION_CONTROL_INFORMATION SystemSpacesBootInformation, // qs: // since 20H2 SystemFwRamdiskInformation, // q: SYSTEM_FIRMWARE_RAMDISK_INFORMATION SystemWheaIpmiHardwareInformation, // q: SystemDifSetRuleClassInformation, // s: SYSTEM_DIF_VOLATILE_INFORMATION (requires SeDebugPrivilege) SystemDifClearRuleClassInformation, // s: NULL (requires SeDebugPrivilege) SystemDifApplyPluginVerificationOnDriver, // q: SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) SystemDifRemovePluginVerificationOnDriver, // q: SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) // 220 SystemShadowStackInformation, // q: SYSTEM_SHADOW_STACK_INFORMATION SystemBuildVersionInformation, // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx SystemPoolLimitInformation, // q: SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) // NtQuerySystemInformationEx SystemCodeIntegrityAddDynamicStore, // q: CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners SystemCodeIntegrityClearDynamicStores, // q: CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners SystemDifPoolTrackingInformation, // s: SYSTEM_DIF_POOL_TRACKING_INFORMATION (requires SeDebugPrivilege) SystemPoolZeroingInformation, // q: SYSTEM_POOL_ZEROING_INFORMATION SystemDpcWatchdogInformation, // qs: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION SystemDpcWatchdogInformation2, // qs: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2 SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230 SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor) // NtQuerySystemInformationEx SystemXfgCheckFailureInformation, // q: SYSTEM_XFG_FAILURE_INFORMATION SystemIommuStateInformation, // q: SYSTEM_IOMMU_STATE_INFORMATION // since 22H1 SystemHypervisorMinrootInformation, // q: SYSTEM_HYPERVISOR_MINROOT_INFORMATION SystemHypervisorBootPagesInformation, // q: SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION SystemPointerAuthInformation, // q: SYSTEM_POINTER_AUTH_INFORMATION SystemSecureKernelDebuggerInformation, // qs: NtQuerySystemInformationEx SystemOriginalImageFeatureInformation, // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx SystemMemoryNumaInformation, // q: SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT // NtQuerySystemInformationEx SystemMemoryNumaPerformanceInformation, // q: SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240 SystemCodeIntegritySignedPoliciesFullInformation, // qs: NtQuerySystemInformationEx SystemSecureCoreInformation, // qs: SystemSecureSecretsInformation SystemTrustedAppsRuntimeInformation, // q: SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION SystemBadPageInformationEx, // q: SYSTEM_BAD_PAGE_INFORMATION SystemResourceDeadlockTimeout, // q: ULONG SystemBreakOnContextUnwindFailureInformation, // q: ULONG (requires SeDebugPrivilege) SystemOslRamdiskInformation, // q: SYSTEM_OSL_RAMDISK_INFORMATION SystemCodeIntegrityPolicyManagementInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT // since 25H2 SystemMemoryNumaCacheInformation, // q: SystemProcessorFeaturesBitMapInformation, // q: ULONG64[2] // RTL_BITMAP_EX // RtlInitializeBitMapEx // 250 SystemRefTraceInformationEx, // q: SYSTEM_REF_TRACE_INFORMATION_EX SystemBasicProcessInformation, // q: SYSTEM_BASICPROCESS_INFORMATION SystemHandleCountInformation, // q: SYSTEM_HANDLECOUNT_INFORMATION SystemRuntimeAttestationReport, // q: SYSTEM_RUNTIME_REPORT_INPUT SystemPoolTagInformation2, // q: SYSTEM_POOLTAG_INFORMATION2 // since 26H1 MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS; /** * The SYSTEM_BASIC_INFORMATION structure contains basic information about the current system. */ typedef struct _SYSTEM_BASIC_INFORMATION { ULONG Reserved; // Reserved ULONG TimerResolution; // The resolution of the timer, in milliseconds. // NtQueryTimerResolution ULONG PageSize; // The page size and the granularity of page protection and commitment. ULONG NumberOfPhysicalPages; // The number of physical pages in the system. // KUSER_SHARED_DATA->NumberOfPhysicalPages ULONG LowestPhysicalPageNumber; // The lowest memory page accessible to applications and dynamic-link libraries (DLLs). ULONG HighestPhysicalPageNumber; // The highest memory page accessible to applications and dynamic-link libraries (DLLs). ULONG AllocationGranularity; // The granularity for the starting address at which virtual memory can be allocated. ULONG_PTR MinimumUserModeAddress; // A pointer to the lowest memory address accessible to applications and dynamic-link libraries (DLLs). ULONG_PTR MaximumUserModeAddress; // A pointer to the highest memory address accessible to applications and dynamic-link libraries (DLLs). KAFFINITY ActiveProcessorsAffinityMask; // A mask representing the set of processors configured in the current processor group. // deprecated UCHAR NumberOfProcessors; // The number of logical processors in the current processor group. // deprecated } SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; // SYSTEM_PROCESSOR_INFORMATION // ProcessorFeatureBits (see also SYSTEM_PROCESSOR_FEATURES_INFORMATION) #define KF32_V86_VIS 0x00000001 // Virtual 8086 mode. #define KF32_RDTSC 0x00000002 // RDTSC (Read Time-Stamp Counter) instruction. #define KF32_CR4 0x00000004 // CR4 (Control Register 4) register. #define KF32_CMOV 0x00000008 // CMOV (Conditional Move) instruction. #define KF32_GLOBAL_PAGE 0x00000010 // Global memory pages. #define KF32_LARGE_PAGE 0x00000020 // Large memory pages. #define KF32_MTRR 0x00000040 // MTRR (Memory Type Range Registers). #define KF32_CMPXCHG8B 0x00000080 // CMPXCHG8B (CompareExchange) instruction. #define KF32_MMX 0x00000100 // MMX (MultiMedia eXtensions). #define KF32_WORKING_PTE 0x00000200 // PTE (Page Table Entries). #define KF32_PAT 0x00000400 // PAT (Page Attribute Table). #define KF32_FXSR 0x00000800 // FXSR (Floating Point Extended Save and Restore). #define KF32_FAST_SYSCALL 0x00001000 // Fast system calls. #define KF32_XMMI 0x00002000 // XMMI (Streaming SIMD Extensions - 32-bit). #define KF32_3DNOW 0x00004000 // AMD 3DNow! technology. #define KF32_AMDK6MTRR 0x00008000 // AMD K6 MTRR. #define KF32_XMMI64 0x00010000 // XMMI (Streaming SIMD Extensions - 64-bit). #define KF32_DTS 0x00020000 // DTS (Digital Thermal Sensor). #define KF32_TM2 0x00040000 // TM2 (Thermal Monitor 2). #define KF32_EST 0x00080000 // EST (Enhanced SpeedStep Technology). #define KF32_IA64 0x00100000 // Intel Itanium architecture. #define KF32_3DNOW2 0x00200000 // AMD 3DNow! technology, version 2. #define KF32_VMX 0x00400000 // VMX (Virtual Machine Extensions). #define KF32_SMX 0x00800000 // SMX (Safer Mode Extensions). #define KF32_EST2 0x01000000 // EST (Enhanced SpeedStep Technology), version 2. #define KF32_SSSE3 0x02000000 // SSSE3 (Supplemental Streaming SIMD Extensions 3). #define KF32_CX16 0x04000000 // CMPXCHG16B instruction. #define KF32_ETPRD 0x08000000 // ETPRD (Enhanced Time-Stamp Counter Priority Rotation Disable). #define KF32_PDCM 0x10000000 // PDCM (Performance and Debug Capability MSR). #define KF32_NOEXECUTE 0x20000000 // No-Execute (NX) bit. #define KF32_GLOBAL_32BIT_EXECUTE 0x40000000 #define KF32_GLOBAL_32BIT_NOEXECUTE 0x80000000 /** * The SYSTEM_PROCESSOR_INFORMATION structure contains information about the current processor. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/ns-sysinfoapi-system_info */ typedef struct _SYSTEM_PROCESSOR_INFORMATION { USHORT ProcessorArchitecture; USHORT ProcessorLevel; USHORT ProcessorRevision; USHORT MaximumProcessors; ULONG ProcessorFeatureBits; } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; /** * The SYSTEM_PERFORMANCE_INFORMATION structure contains detailed system-wide performance statistics. */ typedef struct _SYSTEM_PERFORMANCE_INFORMATION { LARGE_INTEGER IdleProcessTime; // Total time spent by the idle process (in 100ns units). Used to calculate overall CPU idle percentage; combine with per-processor stats for system CPU usage. LARGE_INTEGER IoReadTransferCount; // Total bytes read by all I/O operations system-wide. Combine with IoWriteTransferCount and IoOtherTransferCount for total I/O throughput. LARGE_INTEGER IoWriteTransferCount; // Total bytes written by all I/O operations system-wide. Use with IoReadTransferCount for disk throughput analysis. LARGE_INTEGER IoOtherTransferCount; // Total bytes transferred by non-read/write I/O operations (e.g., device control). Add to above for total I/O. ULONG IoReadOperationCount; // Number of read I/O operations. Use with IoReadTransferCount to get average read size per operation. ULONG IoWriteOperationCount; // Number of write I/O operations. Use with IoWriteTransferCount for average write size per operation. ULONG IoOtherOperationCount; // Number of non-read/write I/O operations. Combine with above for total I/O operation count. */ ULONG AvailablePages; // Number of free physical memory pages available for immediate allocation to processes. (Display: Value * PageSize for bytes). Indicates instantly available RAM. ULONG CommittedPages; // Number of committed virtual memory pages (backed by RAM or pagefile). Use with CommitLimit to assess memory pressure and overcommit risk. ULONG CommitLimit; // Maximum number of pages that can be committed (RAM + pagefile). Compare with CommittedPages to determine available commit space. ULONG PeakCommitment; // Highest number of committed pages since boot. Tracks historical maximum memory commitment. ULONG PageFaultCount; // Total number of page faults (both soft and hard) since boot. Includes all types of faults. ULONG CopyOnWriteCount; // Number of page faults due to copy-on-write events. Subset of PageFaultCount. Indicates process memory sharing and forking activity. ULONG TransitionCount; // Number of page faults due to transition from standby to active. Subset of PageFaultCount. Indicates memory reactivation from standby lists. ULONG CacheTransitionCount; // Number of page faults due to cache transitions. Subset of TransitionCount. Indicates faults resolved from the system cache. ULONG DemandZeroCount; // Number of page faults resolved by zeroing a page (demand-zero). Subset of PageFaultCount. Indicates new memory allocations. ULONG PageReadCount; // Number of pages read from disk to resolve faults. Use with PageReadIoCount for read efficiency (pages per I/O). ULONG PageReadIoCount; // Number of I/O operations for page reads. Compare with PageReadCount for average pages per I/O. ULONG CacheReadCount; // Number of pages read from the system cache. Use with CacheIoCount for cache hit/miss analysis. ULONG CacheIoCount; // Number of I/O operations for cache reads. Compare with CacheReadCount for average pages per cache I/O. ULONG DirtyPagesWriteCount; // Number of dirty pages written to disk (writeback). Use with DirtyWriteIoCount for write efficiency. ULONG DirtyWriteIoCount; // Number of I/O operations for dirty page writes. Compare with DirtyPagesWriteCount for average pages per write I/O. ULONG MappedPagesWriteCount; // Number of mapped pages written (e.g., memory-mapped files). Use with MappedWriteIoCount for mapped file activity. ULONG MappedWriteIoCount; // Number of I/O operations for mapped page writes. Compare with MappedPagesWriteCount for average mapped write size. ULONG PagedPoolPages; // Number of pages used by the paged pool (kernel memory that can be paged out). Combine with NonPagedPoolPages for total pool usage. ULONG NonPagedPoolPages; // Number of pages used by the nonpaged pool (kernel memory that must remain resident). Combine with PagedPoolPages for total pool usage. ULONG PagedPoolAllocs; // Number of paged pool allocations. Use with PagedPoolFrees for leak detection and pool usage trends. ULONG PagedPoolFrees; // Number of paged pool frees. Compare with PagedPoolAllocs to detect leaks or fragmentation. ULONG NonPagedPoolAllocs; // Number of nonpaged pool allocations. Use with NonPagedPoolFrees for leak detection. ULONG NonPagedPoolFrees; // Number of nonpaged pool frees. Compare with NonPagedPoolAllocs for pool usage. ULONG FreeSystemPtes; // Number of free system page table entries (PTEs). Low values may indicate kernel memory exhaustion or fragmentation. ULONG ResidentSystemCodePage; // Number of resident pages for system code (kernel and drivers). Use with TotalSystemCodePages for residency ratio. ULONG TotalSystemDriverPages; // Total pages used by system drivers. Combine with TotalSystemCodePages for total kernel code usage. ULONG TotalSystemCodePages; // Total pages used by system code (kernel + drivers). Use with ResidentSystemCodePage for residency analysis. ULONG NonPagedPoolLookasideHits; // Hits in nonpaged pool lookaside lists. Higher values indicate efficient small nonpaged allocations. ULONG PagedPoolLookasideHits; // Hits in paged pool lookaside lists. Higher values indicate efficient small paged allocations. ULONG AvailablePagedPoolPages; // Number of free pages in the paged pool. Monitor for pool exhaustion or fragmentation. ULONG ResidentSystemCachePage; // Resident pages in the system cache. Use with ResidentPagedPoolPage for cache residency analysis. ULONG ResidentPagedPoolPage; // Resident pages in the paged pool. Indicates how much of the paged pool is currently resident in RAM. ULONG ResidentSystemDriverPage; // Resident pages for system drivers. Use with TotalSystemDriverPages for residency ratio. ULONG CcFastReadNoWait; // Fast cache reads completed without waiting. Use with CcFastReadWait for cache performance analysis. ULONG CcFastReadWait; // Fast cache reads that required waiting. Compare with CcFastReadNoWait to assess cache latency. ULONG CcFastReadResourceMiss; // Fast cache read misses due to resource contention. Indicates cache bottlenecks. ULONG CcFastReadNotPossible; // Fast cache reads not possible (e.g., file not cached). Indicates cache limitations or bypasses. ULONG CcFastMdlReadNoWait; // Fast MDL (Memory Descriptor List) reads completed without waiting. Use with CcFastMdlReadWait. ULONG CcFastMdlReadWait; // Fast MDL reads that required waiting. Compare with CcFastMdlReadNoWait. ULONG CcFastMdlReadResourceMiss; // Fast MDL read misses due to resource contention. Indicates MDL bottlenecks. ULONG CcFastMdlReadNotPossible; // Fast MDL reads not possible. Indicates MDL limitations or cache bypass. ULONG CcMapDataNoWait; // Cache map data operations completed without waiting. Use with CcMapDataWait for mapping efficiency. ULONG CcMapDataWait; // Cache map data operations that required waiting. Compare with CcMapDataNoWait. ULONG CcMapDataNoWaitMiss; // Cache map data misses without waiting. Indicates mapping bottlenecks. ULONG CcMapDataWaitMiss; // Cache map data misses with waiting. Indicates mapping bottlenecks under contention. ULONG CcPinMappedDataCount; // Number of pinned mapped data pages. Indicates how much data is locked in cache for I/O. ULONG CcPinReadNoWait; // Pin reads completed without waiting. Use with CcPinReadWait for pinning efficiency. ULONG CcPinReadWait; // Pin reads that required waiting. Compare with CcPinReadNoWait. ULONG CcPinReadNoWaitMiss; // Pin read misses without waiting. Indicates pinning bottlenecks. ULONG CcPinReadWaitMiss; // Pin read misses with waiting. Indicates pinning bottlenecks under contention. ULONG CcCopyReadNoWait; // Copy reads completed without waiting. Use with CcCopyReadWait for copy efficiency. ULONG CcCopyReadWait; // Copy reads that required waiting. Compare with CcCopyReadNoWait. ULONG CcCopyReadNoWaitMiss; // Copy read misses without waiting. Indicates copy bottlenecks. ULONG CcCopyReadWaitMiss; // Copy read misses with waiting. Indicates copy bottlenecks under contention. ULONG CcMdlReadNoWait; // MDL reads completed without waiting. Use with CcMdlReadWait for MDL efficiency. ULONG CcMdlReadWait; // MDL reads that required waiting. Compare with CcMdlReadNoWait. ULONG CcMdlReadNoWaitMiss; // MDL read misses without waiting. Indicates MDL bottlenecks. ULONG CcMdlReadWaitMiss; // MDL read misses with waiting. Indicates MDL bottlenecks under contention. ULONG CcReadAheadIos; // Number of read-ahead I/O operations. Indicates cache prefetching activity. ULONG CcLazyWriteIos; // Number of lazy write I/O operations. Indicates deferred write activity by the cache manager. ULONG CcLazyWritePages; // Number of pages written by the lazy writer. Use with CcLazyWriteIos for writeback efficiency. ULONG CcDataFlushes; // Number of cache data flushes. Indicates cache consistency operations (e.g., file close). ULONG CcDataPages; // Number of pages flushed from cache. Use with CcDataFlushes for average flush size. ULONG ContextSwitches; // Number of context switches system-wide. Use for CPU scheduling and multitasking analysis. ULONG FirstLevelTbFills; // First-level translation buffer (TLB) fills. Indicates TLB efficiency and memory access patterns. ULONG SecondLevelTbFills; // Second-level TLB fills. Indicates deeper TLB misses and memory access patterns. ULONG SystemCalls; // Number of system calls made. Use for syscall activity and system workload analysis. ULONGLONG CcTotalDirtyPages; // Total number of dirty pages in the cache (since Windows 10/Threshold). Use with CcDirtyPageThreshold for writeback policy. // since THRESHOLD ULONGLONG CcDirtyPageThreshold; // Dirty page threshold for the cache. Compare with CcTotalDirtyPages to determine if writeback is needed. LONGLONG ResidentAvailablePages; // Number of available pages that are resident in memory. Combine with AvailablePages for residency analysis. ULONGLONG SharedCommittedPages; // Number of committed pages that are shared (e.g., mapped by multiple processes). Useful for shared memory analysis. ULONGLONG MdlPagesAllocated; // Number of pages allocated for MDLs (since Windows 11 24H2). Indicates MDL resource usage. // since 24H2 ULONGLONG PfnDatabaseCommittedPages; // Number of pages committed for the PFN (Page Frame Number) database. Kernel memory usage for tracking physical pages. ULONGLONG SystemPageTableCommittedPages; // Number of pages committed for system page tables. Kernel memory usage for virtual-to-physical mapping structures. ULONGLONG ContiguousPagesAllocated; // Number of contiguous pages allocated. Indicates large memory allocations (e.g., for DMA or drivers). } SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION; /** * The SYSTEM_TIMEOFDAY_INFORMATION structure contains information about the system uptime. */ typedef struct _SYSTEM_TIMEOFDAY_INFORMATION { LARGE_INTEGER BootTime; // Number of 100-nanosecond intervals since the system was started. LARGE_INTEGER CurrentTime; // The current system date and time. LARGE_INTEGER TimeZoneBias; // Number of 100-nanosecond intervals between local time and Coordinated Universal Time (UTC). ULONG TimeZoneId; // The current system time zone identifier. ULONG Reserved; // Reserved ULONGLONG BootTimeBias; // Number of 100-nanosecond intervals between the boot time and Coordinated Universal Time (UTC). ULONGLONG SleepTimeBias; // Number of 100-nanosecond intervals between the sleep time and Coordinated Universal Time (UTC). } SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; /** * The SYSTEM_THREAD_INFORMATION structure contains information about a thread running on a system. * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/e82d73e4-cedb-4077-9099-d58f3459722f */ typedef struct _SYSTEM_THREAD_INFORMATION { LARGE_INTEGER KernelTime; // Number of 100-nanosecond intervals spent executing kernel code. LARGE_INTEGER UserTime; // Number of 100-nanosecond intervals spent executing user code. LARGE_INTEGER CreateTime; // The date and time when the thread was created. ULONG WaitTime; // The current time spent in ready queue or waiting (depending on the thread state). PVOID StartAddress; // The initial start address of the thread. CLIENT_ID ClientId; // The identifier of the thread and the process owning the thread. KPRIORITY Priority; // The dynamic priority of the thread. KPRIORITY BasePriority; // The starting priority of the thread. ULONG ContextSwitches; // The total number of context switches performed. KTHREAD_STATE ThreadState; // The current state of the thread. KWAIT_REASON WaitReason; // The current reason the thread is waiting. } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; /** * The SYSTEM_PROCESS_INFORMATION structure contains information about a process running on a system. */ _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; // The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. ULONG NumberOfThreads; // The NumberOfThreads member contains the number of threads in the process. ULONGLONG WorkingSetPrivateSize; // The total private memory that a process currently has allocated and is physically resident in memory. // since VISTA ULONG HardFaultCount; // The total number of hard faults for data from disk rather than from in-memory pages. // since WIN7 ULONG NumberOfThreadsHighWatermark; // The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. ULONGLONG CycleTime; // The sum of the cycle time of all threads in the process. LARGE_INTEGER CreateTime; // Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes. LARGE_INTEGER UserTime; // Number of 100-nanosecond intervals the process has executed in user mode. LARGE_INTEGER KernelTime; // Number of 100-nanosecond intervals the process has executed in kernel mode. UNICODE_STRING ImageName; // The file name of the executable image. KPRIORITY BasePriority; // The starting priority of the process. HANDLE UniqueProcessId; // The identifier of the process. HANDLE InheritedFromUniqueProcessId; // The identifier of the process that created this process. Not updated and incorrectly refers to processes with recycled identifiers. ULONG HandleCount; // The current number of open handles used by the process. ULONG SessionId; // The identifier of the Remote Desktop Services session under which the specified process is running. ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) SIZE_T PeakVirtualSize; // The peak size, in bytes, of the virtual memory used by the process. SIZE_T VirtualSize; // The current size, in bytes, of virtual memory used by the process. ULONG PageFaultCount; // The total number of page faults for data that is not currently in memory. The value wraps around to zero on average 24 hours. SIZE_T PeakWorkingSetSize; // The peak size, in kilobytes, of the working set of the process. SIZE_T WorkingSetSize; // The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. SIZE_T QuotaPeakPagedPoolUsage; // The peak quota charged to the process for pool usage, in bytes. SIZE_T QuotaPagedPoolUsage; // The quota charged to the process for paged pool usage, in bytes. SIZE_T QuotaPeakNonPagedPoolUsage; // The peak quota charged to the process for nonpaged pool usage, in bytes. SIZE_T QuotaNonPagedPoolUsage; // The current quota charged to the process for nonpaged pool usage. SIZE_T PagefileUsage; // The total number of bytes of page file storage in use by the process. SIZE_T PeakPagefileUsage; // The maximum number of bytes of page-file storage used by the process. SIZE_T PrivatePageCount; // The number of memory pages allocated for the use by the process. LARGE_INTEGER ReadOperationCount; // The total number of read operations performed. LARGE_INTEGER WriteOperationCount; // The total number of write operations performed. LARGE_INTEGER OtherOperationCount; // The total number of I/O operations performed other than read and write operations. LARGE_INTEGER ReadTransferCount; // The total number of bytes read during a read operation. LARGE_INTEGER WriteTransferCount; // The total number of bytes written during a write operation. LARGE_INTEGER OtherTransferCount; // The total number of bytes transferred during operations other than read and write operations. SYSTEM_THREAD_INFORMATION Threads[1]; // This type is not defined in the structure but was added for convenience. } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; // private typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION { union { SYSTEM_THREAD_INFORMATION ThreadInfo; struct { ULONGLONG KernelTime; // Number of 100-nanosecond intervals spent executing kernel code. ULONGLONG UserTime; // Number of 100-nanosecond intervals spent executing user code. ULONGLONG CreateTime; // The date and time when the thread was created. ULONG WaitTime; // The current time spent in ready queue or waiting (depending on the thread state). PVOID StartAddress; // The initial start address of the thread. CLIENT_ID ClientId; // The identifier of the thread and the process owning the thread. KPRIORITY Priority; // The dynamic priority of the thread. KPRIORITY BasePriority; // The starting priority of the thread. ULONG ContextSwitches; // The total number of context switches performed. KTHREAD_STATE ThreadState; // The current state of the thread. KWAIT_REASON WaitReason; // The current reason the thread is waiting. } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; PVOID StackBase; // The lower boundary of the current thread stack. PVOID StackLimit; // The upper boundary of the current thread stack. PVOID Win32StartAddress; // The thread's Win32 start address. PVOID TebBaseAddress; // The base address of the memory region containing the TEB structure. // since VISTA ULONG_PTR Reserved2; ULONG_PTR Reserved3; ULONG_PTR Reserved4; } SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; /** * The SYSTEM_EXTENDED_PROCESS_INFORMATION structure contains extended information about a process running on a system. * https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-system_extended_process_information */ _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_EXTENDED_PROCESS_INFORMATION { ULONG NextEntryOffset; // The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0. ULONG NumberOfThreads; // The NumberOfThreads member contains the number of threads in the process. ULONGLONG WorkingSetPrivateSize; // The total private memory that a process currently has allocated and is physically resident in memory. // since VISTA ULONG HardFaultCount; // The total number of hard faults for data from disk rather than from in-memory pages. // since WIN7 ULONG NumberOfThreadsHighWatermark; // The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management. ULONGLONG CycleTime; // The sum of the cycle time of all threads in the process. ULONGLONG CreateTime; // Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes. ULONGLONG UserTime; // Number of 100-nanosecond intervals the process has executed in user mode. ULONGLONG KernelTime; // Number of 100-nanosecond intervals the process has executed in kernel mode. UNICODE_STRING ImageName; // The file name of the executable image. KPRIORITY BasePriority; // The starting priority of the process. HANDLE UniqueProcessId; // The identifier of the process. HANDLE InheritedFromUniqueProcessId; // The identifier of the process that created this process. Not updated and incorrectly refers to processes with recycled identifiers. ULONG HandleCount; // The current number of open handles used by the process. ULONG SessionId; // The identifier of the Remote Desktop Services session under which the specified process is running. HANDLE UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) SIZE_T PeakVirtualSize; // The peak size, in bytes, of the virtual memory used by the process. SIZE_T VirtualSize; // The current size, in bytes, of virtual memory used by the process. ULONG PageFaultCount; // The total number of page faults for data that is not currently in memory. The value wraps around to zero on average 24 hours. SIZE_T PeakWorkingSetSize; // The peak size, in kilobytes, of the working set of the process. SIZE_T WorkingSetSize; // The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault. SIZE_T QuotaPeakPagedPoolUsage; // The peak quota charged to the process for pool usage, in bytes. SIZE_T QuotaPagedPoolUsage; // The quota charged to the process for paged pool usage, in bytes. SIZE_T QuotaPeakNonPagedPoolUsage; // The peak quota charged to the process for nonpaged pool usage, in bytes. SIZE_T QuotaNonPagedPoolUsage; // The current quota charged to the process for nonpaged pool usage. SIZE_T PagefileUsage; // The total number of bytes of page file storage in use by the process. SIZE_T PeakPagefileUsage; // The maximum number of bytes of page-file storage used by the process. SIZE_T PrivatePageCount; // The number of memory pages allocated for the use by the process. ULONGLONG ReadOperationCount; // The total number of read operations performed. ULONGLONG WriteOperationCount; // The total number of write operations performed. ULONGLONG OtherOperationCount; // The total number of I/O operations performed other than read and write operations. ULONGLONG ReadTransferCount; // The total number of bytes read during a read operation. ULONGLONG WriteTransferCount; // The total number of bytes written during a write operation. ULONGLONG OtherTransferCount; // The total number of bytes transferred during operations other than read and write operations. SYSTEM_THREAD_INFORMATION Threads[1]; // This type is not defined in the structure but was added for convenience. // SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation } SYSTEM_EXTENDED_PROCESS_INFORMATION, *PSYSTEM_EXTENDED_PROCESS_INFORMATION; typedef struct _SYSTEM_CALL_COUNT_INFORMATION { ULONG Length; ULONG NumberOfTables; } SYSTEM_CALL_COUNT_INFORMATION, *PSYSTEM_CALL_COUNT_INFORMATION; typedef struct _SYSTEM_DEVICE_INFORMATION { ULONG NumberOfDisks; ULONG NumberOfFloppies; ULONG NumberOfCdRoms; ULONG NumberOfTapes; ULONG NumberOfSerialPorts; ULONG NumberOfParallelPorts; } SYSTEM_DEVICE_INFORMATION, *PSYSTEM_DEVICE_INFORMATION; /** * The SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION structure contains information about the performance of each processor installed in the system. * https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation#system_processor_performance_information */ typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION { LARGE_INTEGER IdleTime; // The IdleTime member contains the amount of time that the system has been idle, in 100-nanosecond intervals. LARGE_INTEGER KernelTime; // The KernelTime member contains the amount of time that the system has spent executing in Kernel mode (including all threads in all processes, on all processors), in 100-nanosecond intervals. LARGE_INTEGER UserTime; // The UserTime member contains the amount of time that the system has spent executing in User mode (including all threads in all processes, on all processors), in 100-nanosecond intervals. LARGE_INTEGER DpcTime; // The DpcTime member contains the amount of time that the system has spent processing deferred procedure calls (DPCs), in 100-nanosecond intervals. LARGE_INTEGER InterruptTime; // The InterruptTime member contains the amount of time that the system has spent processing hardware interrupts, in 100-nanosecond intervals. ULONG InterruptCount; // The InterruptCount member contains the number of interrupts that have occurred, as counted by the system. ULONG Spare0; } SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION; typedef struct _SYSTEM_FLAGS_INFORMATION { union { ULONG Flags; // NtGlobalFlag struct { ULONG StopOnException : 1; // FLG_STOP_ON_EXCEPTION ULONG ShowLoaderSnaps : 1; // FLG_SHOW_LDR_SNAPS ULONG DebugInitialCommand : 1; // FLG_DEBUG_INITIAL_COMMAND ULONG StopOnHungGUI : 1; // FLG_STOP_ON_HUNG_GUI ULONG HeapEnableTailCheck : 1; // FLG_HEAP_ENABLE_TAIL_CHECK ULONG HeapEnableFreeCheck : 1; // FLG_HEAP_ENABLE_FREE_CHECK ULONG HeapValidateParameters : 1; // FLG_HEAP_VALIDATE_PARAMETERS ULONG HeapValidateAll : 1; // FLG_HEAP_VALIDATE_ALL ULONG ApplicationVerifier : 1; // FLG_APPLICATION_VERIFIER ULONG MonitorSilentProcessExit : 1; // FLG_MONITOR_SILENT_PROCESS_EXIT ULONG PoolEnableTagging : 1; // FLG_POOL_ENABLE_TAGGING ULONG HeapEnableTagging : 1; // FLG_HEAP_ENABLE_TAGGING ULONG UserStackTraceDb : 1; // FLG_USER_STACK_TRACE_DB ULONG KernelStackTraceDb : 1; // FLG_KERNEL_STACK_TRACE_DB ULONG MaintainObjectTypeList : 1; // FLG_MAINTAIN_OBJECT_TYPELIST ULONG HeapEnableTagByDll : 1; // FLG_HEAP_ENABLE_TAG_BY_DLL ULONG DisableStackExtension : 1; // FLG_DISABLE_STACK_EXTENSION ULONG EnableCsrDebug : 1; // FLG_ENABLE_CSRDEBUG ULONG EnableKDebugSymbolLoad : 1; // FLG_ENABLE_KDEBUG_SYMBOL_LOAD ULONG DisablePageKernelStacks : 1; // FLG_DISABLE_PAGE_KERNEL_STACKS ULONG EnableSystemCritBreaks : 1; // FLG_ENABLE_SYSTEM_CRIT_BREAKS ULONG HeapDisableCoalescing : 1; // FLG_HEAP_DISABLE_COALESCING ULONG EnableCloseExceptions : 1; // FLG_ENABLE_CLOSE_EXCEPTIONS ULONG EnableExceptionLogging : 1; // FLG_ENABLE_EXCEPTION_LOGGING ULONG EnableHandleTypeTagging : 1; // FLG_ENABLE_HANDLE_TYPE_TAGGING ULONG HeapPageAllocs : 1; // FLG_HEAP_PAGE_ALLOCS ULONG DebugInitialCommandEx : 1; // FLG_DEBUG_INITIAL_COMMAND_EX ULONG DisableDbgPrint : 1; // FLG_DISABLE_DBGPRINT ULONG CritSecEventCreation : 1; // FLG_CRITSEC_EVENT_CREATION ULONG LdrTopDown : 1; // FLG_LDR_TOP_DOWN ULONG EnableHandleExceptions : 1; // FLG_ENABLE_HANDLE_EXCEPTIONS ULONG DisableProtDlls : 1; // FLG_DISABLE_PROTDLLS } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; } SYSTEM_FLAGS_INFORMATION, *PSYSTEM_FLAGS_INFORMATION; // private typedef struct _SYSTEM_CALL_TIME_INFORMATION { ULONG Length; ULONG TotalCalls; LARGE_INTEGER TimeOfCalls[1]; } SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION; // RTL_PROCESS_LOCK_INFORMATION Type #define RTL_CRITSECT_TYPE 0 #define RTL_RESOURCE_TYPE 1 // private typedef struct _RTL_PROCESS_LOCK_INFORMATION { PVOID Address; USHORT Type; USHORT CreatorBackTraceIndex; HANDLE OwningThread; LONG LockCount; ULONG ContentionCount; ULONG EntryCount; LONG RecursionCount; ULONG NumberOfWaitingShared; ULONG NumberOfWaitingExclusive; } RTL_PROCESS_LOCK_INFORMATION, *PRTL_PROCESS_LOCK_INFORMATION; // private typedef struct _RTL_PROCESS_LOCKS { ULONG NumberOfLocks; _Field_size_(NumberOfLocks) RTL_PROCESS_LOCK_INFORMATION Locks[1]; } RTL_PROCESS_LOCKS, *PRTL_PROCESS_LOCKS; // private typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION { PCHAR SymbolicBackTrace; ULONG TraceCount; USHORT Index; USHORT Depth; PVOID BackTrace[32]; } RTL_PROCESS_BACKTRACE_INFORMATION, *PRTL_PROCESS_BACKTRACE_INFORMATION; // private typedef struct _RTL_PROCESS_BACKTRACES { SIZE_T CommittedMemory; SIZE_T ReservedMemory; ULONG NumberOfBackTraceLookups; ULONG NumberOfBackTraces; _Field_size_(NumberOfBackTraces) RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[1]; } RTL_PROCESS_BACKTRACES, *PRTL_PROCESS_BACKTRACES; // Note: This information class is deprecated since values are limited to 65535. Use SystemExtendedHandleInformation instead. typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ACCESS_MASK GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG NumberOfHandles; _Field_size_(NumberOfHandles) SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_OBJECTTYPE_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfObjects; ULONG NumberOfHandles; ULONG TypeIndex; ULONG InvalidAttributes; GENERIC_MAPPING GenericMapping; ACCESS_MASK ValidAccessMask; ULONG PoolType; BOOLEAN SecurityRequired; BOOLEAN WaitableObject; UNICODE_STRING TypeName; } SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_OBJECT_INFORMATION { ULONG NextEntryOffset; PVOID Object; HANDLE CreatorUniqueProcess; USHORT CreatorBackTraceIndex; USHORT Flags; LONG PointerCount; LONG HandleCount; ULONG PagedPoolCharge; ULONG NonPagedPoolCharge; HANDLE ExclusiveProcessId; PSECURITY_DESCRIPTOR SecurityDescriptor; UNICODE_STRING NameInfo; } SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_PAGEFILE_INFORMATION { ULONG NextEntryOffset; ULONG TotalSize; ULONG TotalInUse; ULONG PeakUsage; UNICODE_STRING PageFileName; } SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION; typedef struct _SYSTEM_VDM_INSTEMUL_INFO { ULONG SegmentNotPresent; ULONG VdmOpcode0F; ULONG OpcodeESPrefix; ULONG OpcodeCSPrefix; ULONG OpcodeSSPrefix; ULONG OpcodeDSPrefix; ULONG OpcodeFSPrefix; ULONG OpcodeGSPrefix; ULONG OpcodeOPER32Prefix; ULONG OpcodeADDR32Prefix; ULONG OpcodeINSB; ULONG OpcodeINSW; ULONG OpcodeOUTSB; ULONG OpcodeOUTSW; ULONG OpcodePUSHF; ULONG OpcodePOPF; ULONG OpcodeINTnn; ULONG OpcodeINTO; ULONG OpcodeIRET; ULONG OpcodeINBimm; ULONG OpcodeINWimm; ULONG OpcodeOUTBimm; ULONG OpcodeOUTWimm; ULONG OpcodeINB; ULONG OpcodeINW; ULONG OpcodeOUTB; ULONG OpcodeOUTW; ULONG OpcodeLOCKPrefix; ULONG OpcodeREPNEPrefix; ULONG OpcodeREPPrefix; ULONG OpcodeHLT; ULONG OpcodeCLI; ULONG OpcodeSTI; ULONG BopCount; } SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO; #define MM_WORKING_SET_MAX_HARD_ENABLE 0x1 #define MM_WORKING_SET_MAX_HARD_DISABLE 0x2 #define MM_WORKING_SET_MIN_HARD_ENABLE 0x4 #define MM_WORKING_SET_MIN_HARD_DISABLE 0x8 typedef struct _SYSTEM_FILECACHE_INFORMATION { SIZE_T CurrentSize; SIZE_T PeakSize; ULONG PageFaultCount; SIZE_T MinimumWorkingSet; SIZE_T MaximumWorkingSet; SIZE_T CurrentSizeIncludingTransitionInPages; SIZE_T PeakSizeIncludingTransitionInPages; ULONG TransitionRePurposeCount; ULONG Flags; } SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION; // Can be used instead of SYSTEM_FILECACHE_INFORMATION typedef struct _SYSTEM_BASIC_WORKING_SET_INFORMATION { SIZE_T CurrentSize; SIZE_T PeakSize; ULONG PageFaultCount; } SYSTEM_BASIC_WORKING_SET_INFORMATION, *PSYSTEM_BASIC_WORKING_SET_INFORMATION; typedef struct _SYSTEM_POOLTAG { union { UCHAR Tag[4]; ULONG TagUlong; } DUMMYUNIONNAME; ULONG PagedAllocs; ULONG PagedFrees; SIZE_T PagedUsed; ULONG NonPagedAllocs; ULONG NonPagedFrees; SIZE_T NonPagedUsed; } SYSTEM_POOLTAG, *PSYSTEM_POOLTAG; typedef struct _SYSTEM_POOLTAG_INFORMATION { ULONG Count; _Field_size_(Count) SYSTEM_POOLTAG TagInfo[1]; } SYSTEM_POOLTAG_INFORMATION, *PSYSTEM_POOLTAG_INFORMATION; typedef struct _SYSTEM_INTERRUPT_INFORMATION { ULONG ContextSwitches; ULONG DpcCount; ULONG DpcRate; ULONG TimeIncrement; ULONG DpcBypassCount; ULONG ApcBypassCount; } SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION; typedef struct _SYSTEM_DPC_BEHAVIOR_INFORMATION { ULONG Spare; ULONG DpcQueueDepth; ULONG MinimumDpcRate; ULONG AdjustDpcThreshold; ULONG IdealDpcRate; } SYSTEM_DPC_BEHAVIOR_INFORMATION, *PSYSTEM_DPC_BEHAVIOR_INFORMATION; typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION { ULONG TimeAdjustment; ULONG TimeIncrement; BOOLEAN Enable; } SYSTEM_QUERY_TIME_ADJUST_INFORMATION, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION; typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE { ULONGLONG TimeAdjustment; ULONGLONG TimeIncrement; BOOLEAN Enable; } SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE; typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION { ULONG TimeAdjustment; BOOLEAN Enable; } SYSTEM_SET_TIME_ADJUST_INFORMATION, *PSYSTEM_SET_TIME_ADJUST_INFORMATION; typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE { ULONGLONG TimeAdjustment; BOOLEAN Enable; } SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE, *PSYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE; typedef enum _EVENT_TRACE_INFORMATION_CLASS { EventTraceKernelVersionInformation, // EVENT_TRACE_VERSION_INFORMATION EventTraceGroupMaskInformation, // EVENT_TRACE_GROUPMASK_INFORMATION EventTracePerformanceInformation, // EVENT_TRACE_PERFORMANCE_INFORMATION EventTraceTimeProfileInformation, // EVENT_TRACE_TIME_PROFILE_INFORMATION EventTraceSessionSecurityInformation, // EVENT_TRACE_SESSION_SECURITY_INFORMATION EventTraceSpinlockInformation, // EVENT_TRACE_SPINLOCK_INFORMATION EventTraceStackTracingInformation, // EVENT_TRACE_STACK_TRACING_INFORMATION EventTraceExecutiveResourceInformation, // EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION EventTraceHeapTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION EventTraceHeapSummaryTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION EventTracePoolTagFilterInformation, // EVENT_TRACE_POOLTAG_FILTER_INFORMATION EventTracePebsTracingInformation, // EVENT_TRACE_PEBS_TRACING_INFORMATION EventTraceProfileConfigInformation, // EVENT_TRACE_PROFILE_CONFIG_INFORMATION EventTraceProfileSourceListInformation, // EVENT_TRACE_PROFILE_LIST_INFORMATION EventTraceProfileEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION EventTraceProfileCounterListInformation, // EVENT_TRACE_PROFILE_COUNTER_INFORMATION EventTraceStackCachingInformation, // EVENT_TRACE_STACK_CACHING_INFORMATION EventTraceObjectTypeFilterInformation, // EVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION EventTraceLastBranchConfigurationInformation, // REDSTONE3 EventTraceLastBranchEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION EventTraceProfileSourceAddInformation, // EVENT_TRACE_PROFILE_ADD_INFORMATION // REDSTONE4 EventTraceProfileSourceRemoveInformation, // EVENT_TRACE_PROFILE_REMOVE_INFORMATION EventTraceProcessorTraceConfigurationInformation, EventTraceProcessorTraceEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION EventTraceCoverageSamplerInformation, // EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION EventTraceUnifiedStackCachingInformation, // since 21H1 EventTraceContextRegisterTraceInformation, // TRACE_CONTEXT_REGISTER_INFO // 24H2 MaxEventTraceInfoClass } EVENT_TRACE_INFORMATION_CLASS; typedef struct _EVENT_TRACE_VERSION_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; ULONG EventTraceKernelVersion; } EVENT_TRACE_VERSION_INFORMATION, *PEVENT_TRACE_VERSION_INFORMATION; typedef struct _EVENT_TRACE_GROUPMASK_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; TRACEHANDLE TraceHandle; ULONG Masks[8]; // PERFINFO_GROUPMASK } EVENT_TRACE_GROUPMASK_INFORMATION, *PEVENT_TRACE_GROUPMASK_INFORMATION; typedef struct _EVENT_TRACE_PERFORMANCE_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; LARGE_INTEGER LogfileBytesWritten; } EVENT_TRACE_PERFORMANCE_INFORMATION, *PEVENT_TRACE_PERFORMANCE_INFORMATION; typedef struct _EVENT_TRACE_TIME_PROFILE_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; ULONG ProfileInterval; } EVENT_TRACE_TIME_PROFILE_INFORMATION, *PEVENT_TRACE_TIME_PROFILE_INFORMATION; typedef struct _EVENT_TRACE_SESSION_SECURITY_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; ULONG SecurityInformation; TRACEHANDLE TraceHandle; UCHAR SecurityDescriptor[1]; } EVENT_TRACE_SESSION_SECURITY_INFORMATION, *PEVENT_TRACE_SESSION_SECURITY_INFORMATION; typedef struct _EVENT_TRACE_SPINLOCK_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; ULONG SpinLockSpinThreshold; ULONG SpinLockAcquireSampleRate; ULONG SpinLockContentionSampleRate; ULONG SpinLockHoldThreshold; } EVENT_TRACE_SPINLOCK_INFORMATION, *PEVENT_TRACE_SPINLOCK_INFORMATION; typedef struct _EVENT_TRACE_SYSTEM_EVENT_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; TRACEHANDLE TraceHandle; ULONG HookId[1]; } EVENT_TRACE_SYSTEM_EVENT_INFORMATION, *PEVENT_TRACE_SYSTEM_EVENT_INFORMATION; typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_STACK_TRACING_INFORMATION, *PEVENT_TRACE_STACK_TRACING_INFORMATION; typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_PEBS_TRACING_INFORMATION, *PEVENT_TRACE_PEBS_TRACING_INFORMATION; typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_PROFILE_EVENT_INFORMATION, *PEVENT_TRACE_PROFILE_EVENT_INFORMATION; typedef struct _EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; ULONG ReleaseSamplingRate; ULONG ContentionSamplingRate; ULONG NumberOfExcessiveTimeouts; } EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION, *PEVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION; typedef struct _EVENT_TRACE_HEAP_TRACING_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; ULONG ProcessId[1]; } EVENT_TRACE_HEAP_TRACING_INFORMATION, *PEVENT_TRACE_HEAP_TRACING_INFORMATION; typedef struct _EVENT_TRACE_TAG_FILTER_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; TRACEHANDLE TraceHandle; ULONG Filter[1]; } EVENT_TRACE_TAG_FILTER_INFORMATION, *PEVENT_TRACE_TAG_FILTER_INFORMATION; typedef EVENT_TRACE_TAG_FILTER_INFORMATION EVENT_TRACE_POOLTAG_FILTER_INFORMATION, *PEVENT_TRACE_POOLTAG_FILTER_INFORMATION; typedef EVENT_TRACE_TAG_FILTER_INFORMATION EVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION, *PEVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION; // ProfileSource #define ETW_MAX_PROFILING_SOURCES 4 #define ETW_MAX_PMC_EVENTS 4 #define ETW_MAX_PMC_COUNTERS 4 typedef struct _EVENT_TRACE_PROFILE_COUNTER_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; TRACEHANDLE TraceHandle; ULONG ProfileSource[1]; } EVENT_TRACE_PROFILE_COUNTER_INFORMATION, *PEVENT_TRACE_PROFILE_COUNTER_INFORMATION; typedef EVENT_TRACE_PROFILE_COUNTER_INFORMATION EVENT_TRACE_PROFILE_CONFIG_INFORMATION, *PEVENT_TRACE_PROFILE_CONFIG_INFORMATION; //_Struct_size_bytes_(NextEntryOffset) //typedef struct _PROFILE_SOURCE_INFO //{ // ULONG NextEntryOffset; // ULONG Source; // ULONG MinInterval; // ULONG MaxInterval; // PVOID Reserved; // WCHAR Description[1]; //} PROFILE_SOURCE_INFO, *PPROFILE_SOURCE_INFO; typedef struct _PROFILE_SOURCE_INFO *PPROFILE_SOURCE_INFO; typedef struct _EVENT_TRACE_PROFILE_LIST_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; ULONG Spare; PPROFILE_SOURCE_INFO Profile[1]; } EVENT_TRACE_PROFILE_LIST_INFORMATION, *PEVENT_TRACE_PROFILE_LIST_INFORMATION; typedef struct _EVENT_TRACE_STACK_CACHING_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; TRACEHANDLE TraceHandle; BOOLEAN Enabled; UCHAR Reserved[3]; ULONG CacheSize; ULONG BucketCount; } EVENT_TRACE_STACK_CACHING_INFORMATION, *PEVENT_TRACE_STACK_CACHING_INFORMATION; typedef struct _EVENT_TRACE_SOFT_RESTART_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; TRACEHANDLE TraceHandle; BOOLEAN PersistTraceBuffers; WCHAR FileName[1]; } EVENT_TRACE_SOFT_RESTART_INFORMATION, *PEVENT_TRACE_SOFT_RESTART_INFORMATION; typedef enum _EVENT_TRACE_PROFILE_ADD_INFORMATION_VERSIONS { EventTraceProfileAddInformationMinVersion = 0x2, EventTraceProfileAddInformationV2 = 0x2, EventTraceProfileAddInformationV3 = 0x3, EventTraceProfileAddInformationMaxVersion = 0x3, } EVENT_TRACE_PROFILE_ADD_INFORMATION_VERSIONS; typedef union _EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 { struct { UCHAR PerfEvtEventSelect; UCHAR PerfEvtUnitSelect; UCHAR PerfEvtCMask; UCHAR PerfEvtCInv; UCHAR PerfEvtAnyThread; UCHAR PerfEvtEdgeDetect; } Intel; struct { UCHAR PerfEvtEventSelect; UCHAR PerfEvtUnitSelect; } Amd; struct { ULONG PerfEvtType; UCHAR AllowsHalt; } Arm; } EVENT_TRACE_PROFILE_ADD_INFORMATION_V2; typedef union _EVENT_TRACE_PROFILE_ADD_INFORMATION_V3 { struct { UCHAR PerfEvtEventSelect; UCHAR PerfEvtUnitSelect; UCHAR PerfEvtCMask; UCHAR PerfEvtCInv; UCHAR PerfEvtAnyThread; UCHAR PerfEvtEdgeDetect; } Intel; struct { USHORT PerfEvtEventSelect; UCHAR PerfEvtUnitSelect; UCHAR PerfEvtCMask; UCHAR PerfEvtCInv; UCHAR PerfEvtEdgeDetect; UCHAR PerfEvtHostGuest; UCHAR PerfPmuType; } Amd; struct { ULONG PerfEvtType; UCHAR AllowsHalt; } Arm; } EVENT_TRACE_PROFILE_ADD_INFORMATION_V3; typedef struct _EVENT_TRACE_PROFILE_ADD_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; UCHAR Version; union { EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 V2; EVENT_TRACE_PROFILE_ADD_INFORMATION_V3 V3; }; ULONG CpuInfoHierarchy[0x3]; ULONG InitialInterval; BOOLEAN Persist; WCHAR ProfileSourceDescription[0x1]; } EVENT_TRACE_PROFILE_ADD_INFORMATION, *PEVENT_TRACE_PROFILE_ADD_INFORMATION; typedef struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; KPROFILE_SOURCE ProfileSource; ULONG CpuInfoHierarchy[0x3]; } EVENT_TRACE_PROFILE_REMOVE_INFORMATION, *PEVENT_TRACE_PROFILE_REMOVE_INFORMATION; typedef struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION { EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; UCHAR CoverageSamplerInformationClass; UCHAR MajorVersion; UCHAR MinorVersion; UCHAR Reserved; HANDLE SamplerHandle; } EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION, *PEVENT_TRACE_COVERAGE_SAMPLER_INFORMATION; //typedef struct _TRACE_CONTEXT_REGISTER_INFO //{ // ETW_CONTEXT_REGISTER_TYPES RegisterTypes; // ULONG Reserved; //} TRACE_CONTEXT_REGISTER_INFO, *PTRACE_CONTEXT_REGISTER_INFO; typedef struct _SYSTEM_EXCEPTION_INFORMATION { ULONG AlignmentFixupCount; ULONG ExceptionDispatchCount; ULONG FloatingEmulationCount; ULONG ByteWordEmulationCount; } SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; typedef enum _SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS { SystemCrashDumpDisable, SystemCrashDumpReconfigure, SystemCrashDumpInitializationComplete } SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS, *PSYSTEM_CRASH_DUMP_CONFIGURATION_CLASS; typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION { SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS CrashDumpConfigurationClass; } SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION; typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { BOOLEAN KernelDebuggerEnabled; BOOLEAN KernelDebuggerNotPresent; } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION { ULONG ContextSwitches; ULONG FindAny; ULONG FindLast; ULONG FindIdeal; ULONG IdleAny; ULONG IdleCurrent; ULONG IdleLast; ULONG IdleIdeal; ULONG PreemptAny; ULONG PreemptCurrent; ULONG PreemptLast; ULONG SwitchToIdle; } SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION; typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION { ULONG RegistryQuotaAllowed; ULONG RegistryQuotaUsed; SIZE_T PagedPoolSize; } SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; typedef struct _SYSTEM_PROCESSOR_IDLE_INFORMATION { ULONGLONG IdleTime; ULONGLONG C1Time; ULONGLONG C2Time; ULONGLONG C3Time; ULONG C1Transitions; ULONG C2Transitions; ULONG C3Transitions; ULONG Padding; } SYSTEM_PROCESSOR_IDLE_INFORMATION, *PSYSTEM_PROCESSOR_IDLE_INFORMATION; typedef struct _SYSTEM_LEGACY_DRIVER_INFORMATION { ULONG VetoType; UNICODE_STRING VetoList; } SYSTEM_LEGACY_DRIVER_INFORMATION, *PSYSTEM_LEGACY_DRIVER_INFORMATION; typedef struct _SYSTEM_LOOKASIDE_INFORMATION { USHORT CurrentDepth; USHORT MaximumDepth; ULONG TotalAllocates; ULONG AllocateMisses; ULONG TotalFrees; ULONG FreeMisses; ULONG Type; ULONG Tag; ULONG Size; } SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION; // private typedef struct _SYSTEM_RANGE_START_INFORMATION { ULONG_PTR SystemRangeStart; } SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_VERIFIER_INFORMATION_LEGACY // pre-19H1 { ULONG NextEntryOffset; ULONG Level; UNICODE_STRING DriverName; ULONG RaiseIrqls; ULONG AcquireSpinLocks; ULONG SynchronizeExecutions; ULONG AllocationsAttempted; ULONG AllocationsSucceeded; ULONG AllocationsSucceededSpecialPool; ULONG AllocationsWithNoTag; ULONG TrimRequests; ULONG Trims; ULONG AllocationsFailed; ULONG AllocationsFailedDeliberately; ULONG Loads; ULONG Unloads; ULONG UnTrackedPool; ULONG CurrentPagedPoolAllocations; ULONG CurrentNonPagedPoolAllocations; ULONG PeakPagedPoolAllocations; ULONG PeakNonPagedPoolAllocations; SIZE_T PagedPoolUsageInBytes; SIZE_T NonPagedPoolUsageInBytes; SIZE_T PeakPagedPoolUsageInBytes; SIZE_T PeakNonPagedPoolUsageInBytes; } SYSTEM_VERIFIER_INFORMATION_LEGACY, *PSYSTEM_VERIFIER_INFORMATION_LEGACY; _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_VERIFIER_INFORMATION { ULONG NextEntryOffset; ULONG Level; ULONG RuleClasses[2]; ULONG TriageContext; ULONG AreAllDriversBeingVerified; UNICODE_STRING DriverName; ULONG RaiseIrqls; ULONG AcquireSpinLocks; ULONG SynchronizeExecutions; ULONG AllocationsAttempted; ULONG AllocationsSucceeded; ULONG AllocationsSucceededSpecialPool; ULONG AllocationsWithNoTag; ULONG TrimRequests; ULONG Trims; ULONG AllocationsFailed; ULONG AllocationsFailedDeliberately; ULONG Loads; ULONG Unloads; ULONG UnTrackedPool; ULONG CurrentPagedPoolAllocations; ULONG CurrentNonPagedPoolAllocations; ULONG PeakPagedPoolAllocations; ULONG PeakNonPagedPoolAllocations; SIZE_T PagedPoolUsageInBytes; SIZE_T NonPagedPoolUsageInBytes; SIZE_T PeakPagedPoolUsageInBytes; SIZE_T PeakNonPagedPoolUsageInBytes; } SYSTEM_VERIFIER_INFORMATION, *PSYSTEM_VERIFIER_INFORMATION; // private typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION { ULONG SessionId; ULONG BufferSize; PVOID Buffer; } SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef struct _SYSTEM_GDI_DRIVER_INFORMATION { UNICODE_STRING DriverName; PVOID ImageAddress; PVOID SectionPointer; PVOID EntryPoint; PIMAGE_EXPORT_DIRECTORY ExportSectionPointer; ULONG ImageLength; } SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // geoffchappell #ifdef _WIN64 #define MAXIMUM_NODE_COUNT 0x40 #else #define MAXIMUM_NODE_COUNT 0x10 #endif // private typedef struct _SYSTEM_NUMA_INFORMATION { ULONG HighestNodeNumber; ULONG Reserved; union { GROUP_AFFINITY ActiveProcessorsGroupAffinity[MAXIMUM_NODE_COUNT]; ULONGLONG AvailableMemory[MAXIMUM_NODE_COUNT]; ULONGLONG Pad[MAXIMUM_NODE_COUNT * 2]; } DUMMYUNIONNAME; } SYSTEM_NUMA_INFORMATION, *PSYSTEM_NUMA_INFORMATION; typedef struct _SYSTEM_PROCESSOR_POWER_INFORMATION { UCHAR CurrentFrequency; UCHAR ThermalLimitFrequency; UCHAR ConstantThrottleFrequency; UCHAR DegradedThrottleFrequency; UCHAR LastBusyFrequency; UCHAR LastC3Frequency; UCHAR LastAdjustedBusyFrequency; UCHAR ProcessorMinThrottle; UCHAR ProcessorMaxThrottle; ULONG NumberOfFrequencies; ULONG PromotionCount; ULONG DemotionCount; ULONG ErrorCount; ULONG RetryCount; ULONGLONG CurrentFrequencyTime; ULONGLONG CurrentProcessorTime; ULONGLONG CurrentProcessorIdleTime; ULONGLONG LastProcessorTime; ULONGLONG LastProcessorIdleTime; ULONGLONG Energy; } SYSTEM_PROCESSOR_POWER_INFORMATION, *PSYSTEM_PROCESSOR_POWER_INFORMATION; typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { PVOID Object; HANDLE UniqueProcessId; HANDLE HandleValue; ACCESS_MASK GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved; } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; typedef struct _SYSTEM_HANDLE_INFORMATION_EX { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; _Field_size_(NumberOfHandles) SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; } SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; typedef struct _SYSTEM_BIGPOOL_ENTRY { union { PVOID VirtualAddress; ULONG_PTR NonPaged : 1; }; SIZE_T SizeInBytes; union { UCHAR Tag[4]; ULONG TagUlong; }; } SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY; typedef struct _SYSTEM_BIGPOOL_INFORMATION { ULONG Count; _Field_size_(Count) SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1]; } SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION; typedef struct _SYSTEM_POOL_ENTRY { BOOLEAN Allocated; BOOLEAN Spare0; USHORT AllocatorBackTraceIndex; ULONG Size; union { UCHAR Tag[4]; ULONG TagUlong; PVOID ProcessChargedQuota; }; } SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY; typedef struct _SYSTEM_POOL_INFORMATION { SIZE_T TotalSize; PVOID FirstEntry; USHORT EntryOverhead; BOOLEAN PoolTagPresent; BOOLEAN Spare0; ULONG NumberOfEntries; _Field_size_(NumberOfEntries) SYSTEM_POOL_ENTRY Entries[1]; } SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_SESSION_POOLTAG_INFORMATION { SIZE_T NextEntryOffset; ULONG SessionId; ULONG Count; _Field_size_(Count) SYSTEM_POOLTAG TagInfo[1]; } SYSTEM_SESSION_POOLTAG_INFORMATION, *PSYSTEM_SESSION_POOLTAG_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION { SIZE_T NextEntryOffset; ULONG SessionId; ULONG ViewFailures; SIZE_T NumberOfBytesAvailable; SIZE_T NumberOfBytesAvailableContiguous; } SYSTEM_SESSION_MAPPED_VIEW_INFORMATION, *PSYSTEM_SESSION_MAPPED_VIEW_INFORMATION; typedef enum _WATCHDOG_HANDLER_ACTION { WdActionSetTimeoutValue, WdActionQueryTimeoutValue, WdActionResetTimer, WdActionStopTimer, WdActionStartTimer, WdActionSetTriggerAction, WdActionQueryTriggerAction, WdActionQueryState } WATCHDOG_HANDLER_ACTION; typedef _Function_class_(SYSTEM_WATCHDOG_HANDLER) NTSTATUS NTAPI SYSTEM_WATCHDOG_HANDLER( _In_ WATCHDOG_HANDLER_ACTION Action, _In_ PVOID Context, _Inout_ PULONG DataValue, _In_ BOOLEAN NoLocks ); typedef SYSTEM_WATCHDOG_HANDLER* PSYSTEM_WATCHDOG_HANDLER; // private typedef struct _SYSTEM_WATCHDOG_HANDLER_INFORMATION { PSYSTEM_WATCHDOG_HANDLER WdHandler; PVOID Context; } SYSTEM_WATCHDOG_HANDLER_INFORMATION, *PSYSTEM_WATCHDOG_HANDLER_INFORMATION; typedef enum _WATCHDOG_INFORMATION_CLASS { WdInfoTimeoutValue = 0, WdInfoResetTimer = 1, WdInfoStopTimer = 2, WdInfoStartTimer = 3, WdInfoTriggerAction = 4, WdInfoState = 5, WdInfoTriggerReset = 6, WdInfoNop = 7, WdInfoGeneratedLastReset = 8, WdInfoInvalid = 9, } WATCHDOG_INFORMATION_CLASS; // private typedef struct _SYSTEM_WATCHDOG_TIMER_INFORMATION { WATCHDOG_INFORMATION_CLASS WdInfoClass; ULONG DataValue; } SYSTEM_WATCHDOG_TIMER_INFORMATION, *PSYSTEM_WATCHDOG_TIMER_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION { SystemFirmwareTableEnumerate, SystemFirmwareTableGet, SystemFirmwareTableMax } SYSTEM_FIRMWARE_TABLE_ACTION; // private typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION { ULONG ProviderSignature; // (same as the GetSystemFirmwareTable function) SYSTEM_FIRMWARE_TABLE_ACTION Action; ULONG TableID; ULONG TableBufferLength; _Field_size_bytes_(TableBufferLength) UCHAR TableBuffer[1]; } SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef _Function_class_(FNFTH) NTSTATUS STDAPIVCALLTYPE FNFTH( _Inout_ PSYSTEM_FIRMWARE_TABLE_INFORMATION SystemFirmwareTableInfo ); typedef FNFTH* PFNFTH; // private typedef struct _SYSTEM_FIRMWARE_TABLE_HANDLER { ULONG ProviderSignature; BOOLEAN Register; PFNFTH FirmwareTableHandler; PVOID DriverObject; } SYSTEM_FIRMWARE_TABLE_HANDLER, *PSYSTEM_FIRMWARE_TABLE_HANDLER; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef struct _SYSTEM_MEMORY_LIST_INFORMATION { SIZE_T ZeroPageCount; SIZE_T FreePageCount; SIZE_T ModifiedPageCount; SIZE_T ModifiedNoWritePageCount; SIZE_T BadPageCount; SIZE_T PageCountByPriority[8]; SIZE_T RepurposedPagesByPriority[8]; SIZE_T ModifiedPageCountPageFile; } SYSTEM_MEMORY_LIST_INFORMATION, *PSYSTEM_MEMORY_LIST_INFORMATION; // private typedef enum _SYSTEM_MEMORY_LIST_COMMAND { MemoryCaptureAccessedBits, MemoryCaptureAndResetAccessedBits, MemoryEmptyWorkingSets, MemoryFlushModifiedList, MemoryPurgeStandbyList, MemoryPurgeLowPriorityStandbyList, MemoryCommandMax } SYSTEM_MEMORY_LIST_COMMAND; /** * The SYSTEM_THREAD_CID_PRIORITY_INFORMATION structure is used with NtSetSystemInformation * to set the priority of a thread by its client ID (process ID and thread ID) without * requiring a thread handle. * * \remarks This structure is used with the SystemThreadPriorityClientIdInformation * information class (0x52). The caller must have SeIncreaseBasePriorityPrivilege * to raise a thread's priority above normal. */ typedef struct _SYSTEM_THREAD_CID_PRIORITY_INFORMATION { CLIENT_ID ClientId; // The process and thread identifiers of the target thread. KPRIORITY Priority; // The new priority value to assign to the thread. } SYSTEM_THREAD_CID_PRIORITY_INFORMATION, *PSYSTEM_THREAD_CID_PRIORITY_INFORMATION; /** * The SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION structure contains the cumulative number of clock cycles a logical processor * has spent running its idle thread, deferred procedure calls (DPCs) and interrupt service routines (ISRs) since it became active. * \see https://learn.microsoft.com/en-us/windows/win32/api/realtimeapiset/nf-realtimeapiset-queryidleprocessorcycletimeex */ typedef struct _SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION { ULONGLONG CycleTime; } SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION, *PSYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION; // private typedef struct _SYSTEM_VERIFIER_ISSUE { ULONGLONG IssueType; PVOID Address; ULONGLONG Parameters[2]; } SYSTEM_VERIFIER_ISSUE, *PSYSTEM_VERIFIER_ISSUE; // private typedef struct _SYSTEM_VERIFIER_CANCELLATION_INFORMATION { ULONG CancelProbability; ULONG CancelThreshold; ULONG CompletionThreshold; ULONG CancellationVerifierDisabled; ULONG AvailableIssues; SYSTEM_VERIFIER_ISSUE Issues[128]; } SYSTEM_VERIFIER_CANCELLATION_INFORMATION, *PSYSTEM_VERIFIER_CANCELLATION_INFORMATION; // private typedef struct _SYSTEM_REF_TRACE_INFORMATION { BOOLEAN TraceEnable; BOOLEAN TracePermanent; UNICODE_STRING TraceProcessName; UNICODE_STRING TracePoolTags; } SYSTEM_REF_TRACE_INFORMATION, *PSYSTEM_REF_TRACE_INFORMATION; // private typedef struct _SYSTEM_SPECIAL_POOL_INFORMATION { ULONG PoolTag; ULONG Flags; } SYSTEM_SPECIAL_POOL_INFORMATION, *PSYSTEM_SPECIAL_POOL_INFORMATION; /** * The SYSTEM_PROCESS_ID_INFORMATION structure retrieves the executable image * name associated with a specific process ID. The caller supplies a process ID, * and on return the system fills the UNICODE_STRING with the corresponding image path. */ typedef struct _SYSTEM_PROCESS_ID_INFORMATION { HANDLE ProcessId; UNICODE_STRING ImageName; } SYSTEM_PROCESS_ID_INFORMATION, *PSYSTEM_PROCESS_ID_INFORMATION; // private typedef struct _SYSTEM_HYPERVISOR_QUERY_INFORMATION { BOOLEAN HypervisorConnected; BOOLEAN HypervisorDebuggingEnabled; BOOLEAN HypervisorPresent; BOOLEAN Spare0[5]; ULONGLONG EnabledEnlightenments; } SYSTEM_HYPERVISOR_QUERY_INFORMATION, *PSYSTEM_HYPERVISOR_QUERY_INFORMATION; // private typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION { GUID BootIdentifier; FIRMWARE_TYPE FirmwareType; union { ULONGLONG BootFlags; struct { ULONGLONG DbgMenuOsSelection : 1; // REDSTONE4 ULONGLONG DbgHiberBoot : 1; ULONGLONG DbgSoftBoot : 1; ULONGLONG DbgMeasuredLaunch : 1; ULONGLONG DbgMeasuredLaunchCapable : 1; // 19H1 ULONGLONG DbgSystemHiveReplace : 1; ULONGLONG DbgMeasuredLaunchSmmProtections : 1; ULONGLONG DbgMeasuredLaunchSmmLevel : 7; // 20H1 ULONGLONG DbgBugCheckRecovery : 1; // 24H2 ULONGLONG DbgFASR : 1; ULONGLONG DbgUseCachedBcd : 1; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; } SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; // private typedef struct _SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION { ULONG FlagsToEnable; ULONG FlagsToDisable; } SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION, *PSYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION; // private typedef enum _COVERAGE_REQUEST_CODES { CoverageAllModules = 0, CoverageSearchByHash = 1, CoverageSearchByName = 2 } COVERAGE_REQUEST_CODES; // private typedef struct _COVERAGE_MODULE_REQUEST { COVERAGE_REQUEST_CODES RequestType; union { UCHAR MD5Hash[16]; UNICODE_STRING ModuleName; } SearchInfo; } COVERAGE_MODULE_REQUEST, *PCOVERAGE_MODULE_REQUEST; // private typedef struct _COVERAGE_MODULE_INFO { ULONG ModuleInfoSize; ULONG IsBinaryLoaded; UNICODE_STRING ModulePathName; ULONG CoverageSectionSize; UCHAR CoverageSection[1]; } COVERAGE_MODULE_INFO, *PCOVERAGE_MODULE_INFO; // private typedef struct _COVERAGE_MODULES { ULONG ListAndReset; ULONG NumberOfModules; COVERAGE_MODULE_REQUEST ModuleRequestInfo; COVERAGE_MODULE_INFO Modules[1]; } COVERAGE_MODULES, *PCOVERAGE_MODULES; // private typedef struct _SYSTEM_PREFETCH_PATCH_INFORMATION { ULONG PrefetchPatchCount; } SYSTEM_PREFETCH_PATCH_INFORMATION, *PSYSTEM_PREFETCH_PATCH_INFORMATION; // private typedef struct _SYSTEM_VERIFIER_FAULTS_INFORMATION { ULONG Probability; ULONG MaxProbability; UNICODE_STRING PoolTags; UNICODE_STRING Applications; } SYSTEM_VERIFIER_FAULTS_INFORMATION, *PSYSTEM_VERIFIER_FAULTS_INFORMATION; // private typedef struct _SYSTEM_VERIFIER_INFORMATION_EX { ULONG VerifyMode; ULONG OptionChanges; UNICODE_STRING PreviousBucketName; ULONG IrpCancelTimeoutMsec; ULONG VerifierExtensionEnabled; #ifdef _WIN64 ULONG Reserved[1]; #else ULONG Reserved[3]; #endif } SYSTEM_VERIFIER_INFORMATION_EX, *PSYSTEM_VERIFIER_INFORMATION_EX; // private typedef struct _SYSTEM_SYSTEM_PARTITION_INFORMATION { UNICODE_STRING SystemPartition; } SYSTEM_SYSTEM_PARTITION_INFORMATION, *PSYSTEM_SYSTEM_PARTITION_INFORMATION; // private typedef struct _SYSTEM_SYSTEM_DISK_INFORMATION { UNICODE_STRING SystemDisk; } SYSTEM_SYSTEM_DISK_INFORMATION, *PSYSTEM_SYSTEM_DISK_INFORMATION; // private typedef struct _SYSTEM_NUMA_PROXIMITY_MAP { ULONG NodeProximityId; USHORT NodeNumber; } SYSTEM_NUMA_PROXIMITY_MAP, *PSYSTEM_NUMA_PROXIMITY_MAP; // private (Windows 8.1 and above) typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT { ULONGLONG Hits; UCHAR PercentFrequency; } SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT; // private (Windows 8.1 and above) typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION { ULONG ProcessorNumber; ULONG StateCount; _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT States[1]; } SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, *PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION; // private (Windows 7 and Windows 8) typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 { ULONG Hits; UCHAR PercentFrequency; } SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8; // private (Windows 7 and Windows 8) typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8 { ULONG ProcessorNumber; ULONG StateCount; _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 States[1]; } SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8, *PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8; // private typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION { ULONG ProcessorCount; ULONG Offsets[1]; } SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION, *PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION; #define CODEINTEGRITY_OPTION_ENABLED 0x01 #define CODEINTEGRITY_OPTION_TESTSIGN 0x02 #define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x04 #define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x08 #define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10 #define CODEINTEGRITY_OPTION_TEST_BUILD 0x20 #define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40 #define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80 #define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100 #define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200 #define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x400 #define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800 #define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000 #define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000 #define CODEINTEGRITY_OPTION_WHQL_ENFORCEMENT_ENABLED 0x4000 #define CODEINTEGRITY_OPTION_WHQL_AUDITMODE_ENABLED 0x8000 // private typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION { ULONG Length; union { ULONG CodeIntegrityOptions; struct { ULONG Enabled : 1; // CODEINTEGRITY_OPTION_ENABLED ULONG TestSign : 1; // CODEINTEGRITY_OPTION_TESTSIGN ULONG UmciEnabled : 1; // CODEINTEGRITY_OPTION_UMCI_ENABLED ULONG UmciAuditModeEnabled : 1; // CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED ULONG UmciExclusionPathsEnabled : 1; // CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED ULONG TestBuild : 1; // CODEINTEGRITY_OPTION_TEST_BUILD ULONG PreproductionBuild : 1; // CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD ULONG DebugModeEnabled : 1; // CODEINTEGRITY_OPTION_DEBUGMODE_ENABLE ULONG FlightBuild : 1; // CODEINTEGRITY_OPTION_FLIGHT_BUILD ULONG FlightingEnabled : 1; // CODEINTEGRITY_OPTION_FLIGHTING_ENABLED ULONG HvciKmciEnabled : 1; // CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED ULONG HvciKmciAuditModeEnabled : 1; // CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED ULONG HvciKmciStrictModeEnabled : 1; // CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED ULONG HvciIumEnabled : 1; // CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED ULONG WhqlEnforcementEnabled : 1; // CODEINTEGRITY_OPTION_WHQL_ENFORCEMENT_ENABLED ULONG WhqlAuditModeEnabled : 1; // CODEINTEGRITY_OPTION_WHQL_AUDITMODE_ENABLED ULONG Spare : 16; }; }; } SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION; // rev // Loads mcupdate.dll via ntosext.sys to perform microcode updates. #define PROCESSOR_MICROCODE_OPERATION_LOAD 0x01 // rev // Unloads mcupdate.dll via ntosext.sys to preform microcode updates. #define PROCESSOR_MICROCODE_OPERATION_UNLOAD 0x02 // private typedef struct _SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION { ULONG Operation; } SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION, *PSYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION; // private typedef enum _SYSTEM_VA_TYPE { SystemVaTypeAll, SystemVaTypeNonPagedPool, SystemVaTypePagedPool, SystemVaTypeSystemCache, SystemVaTypeSystemPtes, SystemVaTypeSessionSpace, SystemVaTypeMax } SYSTEM_VA_TYPE, *PSYSTEM_VA_TYPE; // private typedef struct _SYSTEM_VA_LIST_INFORMATION { SIZE_T VirtualSize; SIZE_T VirtualPeak; SIZE_T VirtualLimit; SIZE_T AllocationFailures; } SYSTEM_VA_LIST_INFORMATION, *PSYSTEM_VA_LIST_INFORMATION; // private //typedef enum _LOGICAL_PROCESSOR_RELATIONSHIP //{ // RelationProcessorCore, // RelationNumaNode, // RelationCache, // RelationProcessorPackage, // RelationGroup, // RelationProcessorDie, // RelationNumaNodeEx, // RelationProcessorModule, // RelationAll = 0xffff //} LOGICAL_PROCESSOR_RELATIONSHIP; // // private //typedef struct _SYSTEM_LOGICAL_PROCESSOR_INFORMATION //{ // ULONG_PTR ProcessorMask; // LOGICAL_PROCESSOR_RELATIONSHIP Relationship; // union // { // struct // { // UCHAR Flags; // } ProcessorCore; // struct // { // ULONG NodeNumber; // } NumaNode; // CACHE_DESCRIPTOR Cache; // ULONGLONG Reserved[2]; // }; //} SYSTEM_LOGICAL_PROCESSOR_INFORMATION, *PSYSTEM_LOGICAL_PROCESSOR_INFORMATION; // // private //typedef struct _PROCESSOR_RELATIONSHIP //{ // UCHAR Flags; // UCHAR EfficiencyClass; // UCHAR Reserved[20]; // USHORT GroupCount; // _Field_size_(GroupCount) GROUP_AFFINITY GroupMask[ANYSIZE_ARRAY]; //} PROCESSOR_RELATIONSHIP, *PPROCESSOR_RELATIONSHIP; // // private //typedef struct _NUMA_NODE_RELATIONSHIP //{ // ULONG NodeNumber; // UCHAR Reserved[18]; // USHORT GroupCount; // union // { // GROUP_AFFINITY GroupMask; // _Field_size_(GroupCount) GROUP_AFFINITY GroupMasks[ANYSIZE_ARRAY]; // }; //} NUMA_NODE_RELATIONSHIP, *PNUMA_NODE_RELATIONSHIP; // // private //typedef struct _CACHE_RELATIONSHIP //{ // UCHAR Level; // UCHAR Associativity; // USHORT LineSize; // ULONG CacheSize; // PROCESSOR_CACHE_TYPE Type; // UCHAR Reserved[18]; // USHORT GroupCount; // union // { // GROUP_AFFINITY GroupMask; // _Field_size_(GroupCount) GROUP_AFFINITY GroupMasks[ANYSIZE_ARRAY]; // }; //} CACHE_RELATIONSHIP, *PCACHE_RELATIONSHIP; // // private //typedef struct _PROCESSOR_GROUP_INFO //{ // UCHAR MaximumProcessorCount; // UCHAR ActiveProcessorCount; // UCHAR Reserved[38]; // KAFFINITY ActiveProcessorMask; //} PROCESSOR_GROUP_INFO, *PPROCESSOR_GROUP_INFO; // // private //typedef struct _GROUP_RELATIONSHIP //{ // USHORT MaximumGroupCount; // USHORT ActiveGroupCount; // UCHAR Reserved[20]; // _Field_size_(ActiveGroupCount) PROCESSOR_GROUP_INFO GroupInfo[ANYSIZE_ARRAY]; //} GROUP_RELATIONSHIP, *PGROUP_RELATIONSHIP; // // private //typedef _Struct_size_bytes_(Size) struct _SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX //{ // LOGICAL_PROCESSOR_RELATIONSHIP Relationship; // ULONG Size; // _Field_size_bytes_(Size - (sizeof(LOGICAL_PROCESSOR_RELATIONSHIP) + sizeof(ULONG))) union // { // PROCESSOR_RELATIONSHIP Processor; // NUMA_NODE_RELATIONSHIP NumaNode; // CACHE_RELATIONSHIP Cache; // GROUP_RELATIONSHIP Group; // }; //} SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX, *PSYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX; // rev typedef enum _STORE_INFORMATION_CLASS { StorePageRequest = 1, // q: Not implemented StoreStatsRequest = 2, // q: SM_STATS_REQUEST // SmProcessStatsRequest StoreCreateRequest = 3, // s: SM_CREATE_REQUEST (requires SeProfileSingleProcessPrivilege) StoreDeleteRequest = 4, // s: SM_DELETE_REQUEST (requires SeProfileSingleProcessPrivilege) StoreListRequest = 5, // q: SM_STORE_LIST_REQUEST // SM_STORE_LIST_REQUEST_EX // SmProcessListRequest StoreEmptyRequest = 7, // q: Not implemented CacheListRequest = 8, // q: SMC_CACHE_LIST_REQUEST // SmcProcessListRequest CacheCreateRequest = 9, // s: SMC_CACHE_CREATE_REQUEST (requires SeProfileSingleProcessPrivilege) // SmcProcessCreateRequest CacheDeleteRequest = 10, // s: SMC_CACHE_DELETE_REQUEST (requires SeProfileSingleProcessPrivilege) // SmcProcessDeleteRequest CacheStoreCreateRequest = 11, // s: SMC_STORE_CREATE_REQUEST (requires SeProfileSingleProcessPrivilege) // SmcProcessStoreCreateRequest CacheStoreDeleteRequest = 12, // s: SMC_STORE_DELETE_REQUEST (requires SeProfileSingleProcessPrivilege) // SmcProcessStoreDeleteRequest CacheStatsRequest = 13, // q: SMC_CACHE_STATS_REQUEST // SmcProcessStatsRequest RegistrationRequest = 15, // q: SM_REGISTRATION_REQUEST (requires SeProfileSingleProcessPrivilege) // SmProcessRegistrationRequest GlobalCacheStatsRequest = 16, // q: Not implemented StoreResizeRequest = 17, // s: SM_STORE_RESIZE_REQUEST (requires SeProfileSingleProcessPrivilege) // SmProcessResizeRequest CacheStoreResizeRequest = 18, // s: SM_STORE_CACHE_RESIZE_REQUEST (requires SeProfileSingleProcessPrivilege) // SmcProcessResizeRequest SmConfigRequest = 19, // s: SM_CONFIG_REQUEST (requires SeProfileSingleProcessPrivilege) StoreHighMemoryPriorityRequest = 20, // s: SM_STORE_HIGH_MEMORY_PRIORITY_REQUEST (requires SeProfileSingleProcessPrivilege) SystemStoreTrimRequest = 21, // s: SM_SYSTEM_STORE_TRIM_REQUEST (requires SeProfileSingleProcessPrivilege) // SmProcessSystemStoreTrimRequest MemCompressionInfoRequest = 22, // q: SM_STORE_COMPRESSION_INFORMATION_REQUEST // SmProcessCompressionInfoRequest StoreExistsForProcess = 23, // q: SM_SYSTEM_STORE_EXISTS_FOR_PROCESS // SmProcessProcessStoreInfoRequest // 25H2 CompressionReadStatsRequest = 24, // q: SM_COMPRESSION_READ_STATS_REQUEST // SmProcessCompressionReadStatsRequest CompressionAcceleratorRequest = 25, // q: SM_COMPRESSION_ACCELERATOR_REQUEST // SmProcessCompressionAcceleratorRequest StoreInformationMax } STORE_INFORMATION_CLASS; // rev #define SYSTEM_STORE_INFORMATION_VERSION 1 // rev typedef struct _SYSTEM_STORE_INFORMATION { _In_ ULONG Version; _In_ STORE_INFORMATION_CLASS StoreInformationClass; _Inout_ PVOID Data; _Inout_ ULONG Length; } SYSTEM_STORE_INFORMATION, *PSYSTEM_STORE_INFORMATION; #define SYSTEM_STORE_STATS_INFORMATION_VERSION 2 typedef enum _ST_STATS_LEVEL { StStatsLevelBasic = 0, StStatsLevelIoStats = 1, StStatsLevelRegionSpace = 2, // requires SeProfileSingleProcessPrivilege StStatsLevelSpaceBitmap = 3, // requires SeProfileSingleProcessPrivilege StStatsLevelMax = 4 } ST_STATS_LEVEL; typedef struct _SM_STATS_REQUEST { ULONG Version : 8; // SYSTEM_STORE_STATS_INFORMATION_VERSION ULONG DetailLevel : 8; // ST_STATS_LEVEL ULONG StoreId : 16; ULONG BufferSize; PVOID Buffer; // PST_STATS } SM_STATS_REQUEST, *PSM_STATS_REQUEST; typedef struct _ST_DATA_MGR_STATS { ULONG RegionCount; ULONG PagesStored; ULONG UniquePagesStored; ULONG LazyCleanupRegionCount; struct { ULONG RegionsInUse; ULONG SpaceUsed; } Space[8]; } ST_DATA_MGR_STATS, *PST_DATA_MGR_STATS; typedef struct _ST_IO_STATS_PERIOD { ULONG PageCounts[5]; } ST_IO_STATS_PERIOD, *PST_IO_STATS_PERIOD; typedef struct _ST_IO_STATS { ULONG PeriodCount; ST_IO_STATS_PERIOD Periods[64]; } ST_IO_STATS, *PST_IO_STATS; typedef struct _ST_READ_LATENCY_BUCKET { ULONG LatencyUs; ULONG Count; } ST_READ_LATENCY_BUCKET, *PST_READ_LATENCY_BUCKET; typedef struct _ST_READ_LATENCY_STATS { ST_READ_LATENCY_BUCKET Buckets[8]; } ST_READ_LATENCY_STATS, *PST_READ_LATENCY_STATS; // rev typedef struct _ST_STATS_REGION_INFO { USHORT SpaceUsed; UCHAR Priority; UCHAR Spare; } ST_STATS_REGION_INFO, *PST_STATS_REGION_INFO; // rev typedef struct _ST_STATS_SPACE_BITMAP { SIZE_T CompressedBytes; ULONG BytesPerBit; UCHAR StoreBitmap[1]; } ST_STATS_SPACE_BITMAP, *PST_STATS_SPACE_BITMAP; // rev typedef struct _ST_STATS { ULONG Version : 8; ULONG Level : 4; ULONG StoreType : 4; ULONG NoDuplication : 1; ULONG NoCompression : 1; ULONG EncryptionStrength : 12; ULONG VirtualRegions : 1; ULONG Spare0 : 1; ULONG Size; USHORT CompressionFormat; USHORT Spare; struct { ULONG RegionSize; ULONG RegionCount; ULONG RegionCountMax; ULONG Granularity; ST_DATA_MGR_STATS UserData; ST_DATA_MGR_STATS Metadata; } Basic; struct { ST_IO_STATS IoStats; ST_READ_LATENCY_STATS ReadLatencyStats; } Io; // ST_STATS_REGION_INFO[RegionCountMax] // ST_STATS_SPACE_BITMAP } ST_STATS, *PST_STATS; #define SYSTEM_STORE_CREATE_INFORMATION_VERSION 6 typedef enum _SM_STORE_TYPE { StoreTypeInMemory=0, StoreTypeFile=1, StoreTypeMax=2 } SM_STORE_TYPE; typedef struct _SM_STORE_BASIC_PARAMS { union { struct { ULONG StoreType : 8; // SM_STORE_TYPE ULONG NoDuplication : 1; ULONG FailNoCompression : 1; ULONG NoCompression : 1 ; ULONG NoEncryption : 1; ULONG NoEvictOnAdd : 1; ULONG PerformsFileIo : 1; ULONG VdlNotSet : 1 ; ULONG UseIntermediateAddBuffer : 1; ULONG CompressNoHuff : 1; ULONG LockActiveRegions : 1; ULONG VirtualRegions : 1; ULONG Spare : 13; } DUMMYSTRUCTNAME; ULONG StoreFlags; } DUMMYUNIONNAME; ULONG Granularity; ULONG RegionSize; ULONG RegionCountMax; } SM_STORE_BASIC_PARAMS, *PSM_STORE_BASIC_PARAMS; typedef struct _SMKM_REGION_EXTENT { ULONG RegionCount; SIZE_T ByteOffset; } SMKM_REGION_EXTENT, *PSMKM_REGION_EXTENT; typedef struct _SMKM_FILE_INFO { HANDLE FileHandle; PFILE_OBJECT FileObject; PFILE_OBJECT VolumeFileObject; PDEVICE_OBJECT VolumeDeviceObject; HANDLE VolumePnpHandle; PIRP UsageNotificationIrp; PSMKM_REGION_EXTENT Extents; ULONG ExtentCount; } SMKM_FILE_INFO, *PSMKM_FILE_INFO; typedef struct _SM_STORE_CACHE_BACKED_PARAMS { ULONG SectorSize; PCHAR EncryptionKey; ULONG EncryptionKeySize; PSMKM_FILE_INFO FileInfo; PVOID EtaContext; PRTL_BITMAP StoreRegionBitmap; } SM_STORE_CACHE_BACKED_PARAMS, *PSM_STORE_CACHE_BACKED_PARAMS; typedef struct _SM_STORE_PARAMETERS { SM_STORE_BASIC_PARAMS Store; ULONG Priority; ULONG Flags; SM_STORE_CACHE_BACKED_PARAMS CacheBacked; } SM_STORE_PARAMETERS, *PSM_STORE_PARAMETERS; typedef struct _SM_CREATE_REQUEST { ULONG Version : 8; // SYSTEM_STORE_CREATE_INFORMATION_VERSION ULONG AcquireReference : 1; ULONG KeyedStore : 1; ULONG Spare : 22; SM_STORE_PARAMETERS Params; ULONG StoreId; } SM_CREATE_REQUEST, *PSM_CREATE_REQUEST; #define SYSTEM_STORE_DELETE_INFORMATION_VERSION 1 typedef struct _SM_DELETE_REQUEST { ULONG Version : 8; // SYSTEM_STORE_DELETE_INFORMATION_VERSION ULONG Spare : 24; ULONG StoreId; } SM_DELETE_REQUEST, *PSM_DELETE_REQUEST; #define SYSTEM_STORE_LIST_INFORMATION_VERSION 2 typedef struct _SM_STORE_LIST_REQUEST { ULONG Version : 8; // SYSTEM_STORE_LIST_INFORMATION_VERSION ULONG StoreCount : 8; // = 0 ULONG ExtendedRequest : 1; // SM_STORE_LIST_REQUEST_EX if set ULONG Spare : 15; ULONG StoreId[32]; } SM_STORE_LIST_REQUEST, *PSM_STORE_LIST_REQUEST; typedef struct _SM_STORE_LIST_REQUEST_EX { SM_STORE_LIST_REQUEST Request; WCHAR NameBuffer[32][64]; } SM_STORE_LIST_REQUEST_EX, *PSM_STORE_LIST_REQUEST_EX; #define SYSTEM_CACHE_LIST_INFORMATION_VERSION 2 typedef struct _SMC_CACHE_LIST_REQUEST { ULONG Version : 8; // SYSTEM_CACHE_LIST_INFORMATION_VERSION ULONG CacheCount : 8; // = 0 ULONG Spare : 16; ULONG CacheId[16]; } SMC_CACHE_LIST_REQUEST, *PSMC_CACHE_LIST_REQUEST; #define SYSTEM_CACHE_CREATE_INFORMATION_VERSION 3 typedef struct _SMC_CACHE_PARAMETERS { SIZE_T CacheFileSize; ULONG StoreAlignment; ULONG PerformsFileIo : 1; ULONG VdlNotSet : 1; ULONG Spare : 30; ULONG CacheFlags; ULONG Priority; } SMC_CACHE_PARAMETERS, *PSMC_CACHE_PARAMETERS; typedef struct _SMC_CACHE_CREATE_PARAMETERS { SMC_CACHE_PARAMETERS CacheParameters; WCHAR TemplateFilePath[512]; } SMC_CACHE_CREATE_PARAMETERS, *PSMC_CACHE_CREATE_PARAMETERS; typedef struct _SMC_CACHE_CREATE_REQUEST { ULONG Version : 8; // SYSTEM_CACHE_CREATE_INFORMATION_VERSION ULONG Spare : 24; ULONG CacheId; SMC_CACHE_CREATE_PARAMETERS CacheCreateParams; } SMC_CACHE_CREATE_REQUEST, *PSMC_CACHE_CREATE_REQUEST; #define SYSTEM_CACHE_DELETE_INFORMATION_VERSION 1 typedef struct _SMC_CACHE_DELETE_REQUEST { ULONG Version : 8; // SYSTEM_CACHE_DELETE_INFORMATION_VERSION ULONG Spare : 24; ULONG CacheId; } SMC_CACHE_DELETE_REQUEST, *PSMC_CACHE_DELETE_REQUEST; #define SYSTEM_CACHE_STORE_CREATE_INFORMATION_VERSION 2 typedef enum _SM_STORE_MANAGER_TYPE { SmStoreManagerTypePhysical = 0, SmStoreManagerTypeVirtual = 1, SmStoreManagerTypeMax = 2 } SM_STORE_MANAGER_TYPE; typedef struct _SMC_STORE_CREATE_REQUEST { ULONG Version : 8; // SYSTEM_CACHE_STORE_CREATE_INFORMATION_VERSION ULONG Spare : 24; SM_STORE_BASIC_PARAMS StoreParams; ULONG CacheId; SM_STORE_MANAGER_TYPE StoreManagerType; ULONG StoreId; } SMC_STORE_CREATE_REQUEST, *PSMC_STORE_CREATE_REQUEST; #define SYSTEM_CACHE_STORE_DELETE_INFORMATION_VERSION 1 typedef struct _SMC_STORE_DELETE_REQUEST { ULONG Version : 8; // SYSTEM_CACHE_STORE_DELETE_INFORMATION_VERSION ULONG Spare : 24; ULONG CacheId; SM_STORE_MANAGER_TYPE StoreManagerType; ULONG StoreId; } SMC_STORE_DELETE_REQUEST, *PSMC_STORE_DELETE_REQUEST; #define SYSTEM_CACHE_STATS_INFORMATION_VERSION 3 typedef struct _SMC_CACHE_STATS { SIZE_T TotalFileSize; ULONG StoreCount; ULONG RegionCount; ULONG RegionSizeBytes; ULONG FileCount : 6; ULONG PerformsFileIo : 1; ULONG Spare : 25; ULONG StoreIds[16]; ULONG PhysicalStoreBitmap; ULONG Priority; WCHAR TemplateFilePath[512]; } SMC_CACHE_STATS, *PSMC_CACHE_STATS; typedef struct _SMC_CACHE_STATS_REQUEST { ULONG Version : 8; // SYSTEM_CACHE_STATS_INFORMATION_VERSION ULONG NoFilePath : 1; // Skip TemplateFilePath when set ULONG Spare : 23; ULONG CacheId; // cache to query for statistics SMC_CACHE_STATS CacheStats; } SMC_CACHE_STATS_REQUEST, *PSMC_CACHE_STATS_REQUEST; #define SYSTEM_STORE_REGISTRATION_INFORMATION_VERSION 2 typedef struct _SM_REGISTRATION_INFO { HANDLE CachesUpdatedEvent; } SM_REGISTRATION_INFO, *PSM_REGISTRATION_INFO; typedef struct _SM_REGISTRATION_REQUEST { ULONG Version : 8; // SYSTEM_STORE_REGISTRATION_INFORMATION_VERSION ULONG Spare : 24; SM_REGISTRATION_INFO RegInfo; } SM_REGISTRATION_REQUEST, *PSM_REGISTRATION_REQUEST; #define SYSTEM_STORE_RESIZE_INFORMATION_VERSION 6 typedef struct _SM_STORE_RESIZE_REQUEST { ULONG Version : 8; // SYSTEM_STORE_RESIZE_INFORMATION_VERSION ULONG AddRegions : 1; ULONG Spare : 23; ULONG StoreId; ULONG NumberOfRegions; PRTL_BITMAP RegionBitmap; } SM_STORE_RESIZE_REQUEST, *PSM_STORE_RESIZE_REQUEST; #define SYSTEM_CACHE_STORE_RESIZE_INFORMATION_VERSION 1 typedef struct _SM_STORE_CACHE_RESIZE_REQUEST { ULONG Version : 8; // SYSTEM_CACHE_STORE_RESIZE_INFORMATION_VERSION ULONG AddRegions : 1; ULONG Spare : 23; ULONG CacheId; ULONG StoreId; SM_STORE_MANAGER_TYPE StoreManagerType; ULONG RegionCount; } SM_STORE_CACHE_RESIZE_REQUEST, *PSM_STORE_CACHE_RESIZE_REQUEST; #define SYSTEM_STORE_CONFIG_INFORMATION_VERSION 4 typedef enum _SM_CONFIG_TYPE { SmConfigDirtyPageCompression = 0, SmConfigAsyncInswap = 1, SmConfigPrefetchSeekThreshold = 2, SmConfigTypeMax = 3 } SM_CONFIG_TYPE; // rev typedef struct _SM_CONFIG_REQUEST { ULONG Version : 8; // SYSTEM_STORE_CONFIG_INFORMATION_VERSION ULONG Spare : 16; ULONG ConfigType : 8; // SM_CONFIG_TYPE ULONG ConfigValue; } SM_CONFIG_REQUEST, *PSM_CONFIG_REQUEST; // rev #define SYSTEM_STORE_PRIORITY_REQUEST_VERSION 1 // rev #define SYSTEM_STORE_PRIORITY_FLAG_REQUIRE_HANDLE 0x00000100u // required #define SYSTEM_STORE_PRIORITY_FLAG_SET_PRIORITY 0x00000200u // rev typedef struct _SM_STORE_MEMORY_PRIORITY_REQUEST { ULONG Version : 8; // SYSTEM_STORE_PRIORITY_REQUEST_VERSION ULONG Flags : 24; HANDLE ProcessHandle; // in // PROCESS_SET_INFORMATION access required } SM_STORE_MEMORY_PRIORITY_REQUEST, *PSM_STORE_MEMORY_PRIORITY_REQUEST; // rev typedef struct _SM_SYSTEM_STORE_TRIM_REQUEST { ULONG Version : 8; // SYSTEM_STORE_TRIM_INFORMATION_VERSION ULONG Spare : 24; SIZE_T PagesToTrim; // TrimFlags // must be non-zero HANDLE PartitionHandle; // since 24H2 } SM_SYSTEM_STORE_TRIM_REQUEST, *PSM_SYSTEM_STORE_TRIM_REQUEST; // rev #define SYSTEM_STORE_TRIM_INFORMATION_VERSION_V1 1 // WIN10 #define SYSTEM_STORE_TRIM_INFORMATION_VERSION_V2 2 // 24H2 #define SYSTEM_STORE_TRIM_INFORMATION_VERSION SYSTEM_STORE_TRIM_INFORMATION_VERSION_V1 // rev #define SYSTEM_STORE_TRIM_INFORMATION_SIZE_V1 RTL_SIZEOF_THROUGH_FIELD(SM_SYSTEM_STORE_TRIM_REQUEST, PagesToTrim) // WIN10 #define SYSTEM_STORE_TRIM_INFORMATION_SIZE_V2 RTL_SIZEOF_THROUGH_FIELD(SM_SYSTEM_STORE_TRIM_REQUEST, PartitionHandle) // 24H2 #define SYSTEM_STORE_TRIM_INFORMATION_SIZE SYSTEM_STORE_TRIM_INFORMATION_SIZE_V2 #ifdef _WIN64 static_assert(SYSTEM_STORE_TRIM_INFORMATION_SIZE_V1 == 16, "SYSTEM_STORE_TRIM_INFORMATION_SIZE_V1 must equal 16"); static_assert(SYSTEM_STORE_TRIM_INFORMATION_SIZE_V2 == 24, "SYSTEM_STORE_TRIM_INFORMATION_SIZE_V2 must equal 24"); #else static_assert(SYSTEM_STORE_TRIM_INFORMATION_SIZE_V1 == 8, "SYSTEM_STORE_TRIM_INFORMATION_SIZE_V1 must equal 8"); static_assert(SYSTEM_STORE_TRIM_INFORMATION_SIZE_V2 == 12, "SYSTEM_STORE_TRIM_INFORMATION_SIZE_V2 must equal 12"); #endif // rev typedef struct _SM_STORE_COMPRESSION_INFORMATION_REQUEST { ULONG Version : 8; // SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION ULONG Spare : 24; ULONG CompressionPid; ULONG WorkingSetSize; SIZE_T TotalDataCompressed; SIZE_T TotalCompressedSize; SIZE_T TotalUniqueDataCompressed; HANDLE PartitionHandle; // since 24H2 } SM_STORE_COMPRESSION_INFORMATION_REQUEST, *PSM_STORE_COMPRESSION_INFORMATION_REQUEST; // rev #define SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION_V1 3 // WIN10 #define SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION_V2 4 // 24H2 #define SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION_V2 // rev #define SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V1 RTL_SIZEOF_THROUGH_FIELD(SM_STORE_COMPRESSION_INFORMATION_REQUEST, TotalUniqueDataCompressed) // WIN10 #define SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V2 RTL_SIZEOF_THROUGH_FIELD(SM_STORE_COMPRESSION_INFORMATION_REQUEST, PartitionHandle) // 24H2 #define SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V2 #ifdef _WIN64 static_assert(SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V1 == 40, "SM_STORE_COMPRESSION_INFORMATION_REQUEST_V1 must equal 40"); static_assert(SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V2 == 48, "SM_STORE_COMPRESSION_INFORMATION_REQUEST_V2 must equal 48"); #else static_assert(SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V1 == 24, "SM_STORE_COMPRESSION_INFORMATION_REQUEST_V1 must equal 24"); static_assert(SYSTEM_STORE_COMPRESSION_INFORMATION_SIZE_V2 == 28, "SM_STORE_COMPRESSION_INFORMATION_REQUEST_V2 must equal 28"); #endif // rev #define SYSTEM_STORE_EXISTS_FOR_PROCESS_VERSION 1 // rev typedef struct _SM_SYSTEM_STORE_EXISTS_FOR_PROCESS { ULONG Version : 8; ULONG Spare : 24; HANDLE ProcessHandle; // in // PROCESS_QUERY_INFORMATION access required BOOLEAN StoreExists; // out } SM_SYSTEM_STORE_EXISTS_FOR_PROCESS, *PSM_SYSTEM_STORE_EXISTS_FOR_PROCESS; // rev typedef struct _SM_COMPRESSION_READ_STATS { ULONGLONG Counters[17]; ULONGLONG TailValue; } SM_COMPRESSION_READ_STATS, * PSM_COMPRESSION_READ_STATS; // rev #define SYSTEM_STORE_COMPRESSION_READ_STATS_VERSION 1 // rev typedef struct _SM_COMPRESSION_READ_STATS_REQUEST { ULONG Version : 8; // SYSTEM_STORE_COMPRESSION_READ_STATS_VERSION ULONG Spare : 24; ULONG Flags; // must be zero HANDLE PartitionHandle; // optional SM_COMPRESSION_READ_STATS Stats; // output } SM_COMPRESSION_READ_STATS_REQUEST, *PSM_COMPRESSION_READ_STATS_REQUEST; // rev #define SYSTEM_STORE_ACCELERATOR_REQUEST_VERSION 1 // rev typedef struct _SM_COMPRESSION_ACCELERATOR_REQUEST { ULONG Version : 8; // SYSTEM_STORE_ACCELERATOR_REQUEST_VERSION ULONG Spare : 24; ULONG Flags; // must be zero HANDLE PartitionHandle; // optional ULONG AcceleratorValue; // output } SM_COMPRESSION_ACCELERATOR_REQUEST, *PSM_COMPRESSION_ACCELERATOR_REQUEST; // private typedef struct _SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS { HANDLE KeyHandle; PUNICODE_STRING ValueNamePointer; PULONG RequiredLengthPointer; PUCHAR Buffer; ULONG BufferLength; ULONG Type; PUCHAR AppendBuffer; ULONG AppendBufferLength; BOOLEAN CreateIfDoesntExist; BOOLEAN TruncateExistingValue; } SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS, *PSYSTEM_REGISTRY_APPEND_STRING_PARAMETERS; // msdn typedef struct _SYSTEM_VHD_BOOT_INFORMATION { BOOLEAN OsDiskIsVhd; ULONG OsVhdFilePathOffset; WCHAR OsVhdParentVolume[1]; } SYSTEM_VHD_BOOT_INFORMATION, *PSYSTEM_VHD_BOOT_INFORMATION; // private typedef struct _PS_CPU_QUOTA_QUERY_ENTRY { ULONG SessionId; ULONG Weight; } PS_CPU_QUOTA_QUERY_ENTRY, *PPS_CPU_QUOTA_QUERY_ENTRY; // private typedef struct _PS_CPU_QUOTA_QUERY_INFORMATION { ULONG SessionCount; PS_CPU_QUOTA_QUERY_ENTRY SessionInformation[1]; } PS_CPU_QUOTA_QUERY_INFORMATION, *PPS_CPU_QUOTA_QUERY_INFORMATION; // private typedef struct _SYSTEM_ERROR_PORT_TIMEOUTS { ULONG StartTimeout; ULONG CommTimeout; } SYSTEM_ERROR_PORT_TIMEOUTS, *PSYSTEM_ERROR_PORT_TIMEOUTS; // private typedef struct _SYSTEM_LOW_PRIORITY_IO_INFORMATION { ULONG LowPriorityReadOperationCount; ULONG LowPriorityWriteOperationCount; ULONG KernelBumpedToNormalOperations; ULONG LowPriorityPagingReadOperations; ULONG KernelPagingReadsBumpedToNormal; ULONG LowPriorityPagingWriteOperations; ULONG KernelPagingWritesBumpedToNormal; ULONG BoostedThreadedIrpCount; ULONG BoostedPagingIrpCount; ULONG BlanketBoostCount; } SYSTEM_LOW_PRIORITY_IO_INFORMATION, *PSYSTEM_LOW_PRIORITY_IO_INFORMATION; // symbols typedef enum _BOOT_ENTROPY_SOURCE_RESULT_CODE { BootEntropySourceStructureUninitialized, BootEntropySourceDisabledByPolicy, BootEntropySourceNotPresent, BootEntropySourceError, BootEntropySourceSuccess } BOOT_ENTROPY_SOURCE_RESULT_CODE; typedef enum _BOOT_ENTROPY_SOURCE_ID { BootEntropySourceNone = 0, BootEntropySourceSeedfile = 1, BootEntropySourceExternal = 2, BootEntropySourceTpm = 3, BootEntropySourceRdrand = 4, BootEntropySourceTime = 5, BootEntropySourceAcpiOem0 = 6, BootEntropySourceUefi = 7, BootEntropySourceCng = 8, BootEntropySourceTcbTpm = 9, BootEntropySourceTcbRdrand = 10, BootMaxEntropySources = 10 } BOOT_ENTROPY_SOURCE_ID, *PBOOT_ENTROPY_SOURCE_ID; // Contents of KeLoaderBlock->Extension->TpmBootEntropyResult (TPM_BOOT_ENTROPY_LDR_RESULT). // EntropyData is truncated to 40 bytes. // private typedef struct _TPM_BOOT_ENTROPY_NT_RESULT { ULONGLONG Policy; BOOT_ENTROPY_SOURCE_RESULT_CODE ResultCode; NTSTATUS ResultStatus; ULONGLONG Time; ULONG EntropyLength; UCHAR EntropyData[40]; } TPM_BOOT_ENTROPY_NT_RESULT, *PTPM_BOOT_ENTROPY_NT_RESULT; // private typedef struct _BOOT_ENTROPY_SOURCE_NT_RESULT { BOOT_ENTROPY_SOURCE_ID SourceId; ULONG64 Policy; BOOT_ENTROPY_SOURCE_RESULT_CODE ResultCode; NTSTATUS ResultStatus; ULONGLONG Time; ULONG EntropyLength; UCHAR EntropyData[64]; } BOOT_ENTROPY_SOURCE_NT_RESULT, *PBOOT_ENTROPY_SOURCE_NT_RESULT; // private typedef struct _BOOT_ENTROPY_NT_RESULT { ULONG maxEntropySources; BOOT_ENTROPY_SOURCE_NT_RESULT EntropySourceResult[10]; UCHAR SeedBytesForCng[48]; } BOOT_ENTROPY_NT_RESULT, *PBOOT_ENTROPY_NT_RESULT; // private typedef struct _SYSTEM_VERIFIER_COUNTERS_INFORMATION { SYSTEM_VERIFIER_INFORMATION Legacy; ULONG RaiseIrqls; ULONG AcquireSpinLocks; ULONG SynchronizeExecutions; ULONG AllocationsWithNoTag; ULONG AllocationsFailed; ULONG AllocationsFailedDeliberately; SIZE_T LockedBytes; SIZE_T PeakLockedBytes; SIZE_T MappedLockedBytes; SIZE_T PeakMappedLockedBytes; SIZE_T MappedIoSpaceBytes; SIZE_T PeakMappedIoSpaceBytes; SIZE_T PagesForMdlBytes; SIZE_T PeakPagesForMdlBytes; SIZE_T ContiguousMemoryBytes; SIZE_T PeakContiguousMemoryBytes; ULONG ExecutePoolTypes; // REDSTONE2 ULONG ExecutePageProtections; ULONG ExecutePageMappings; ULONG ExecuteWriteSections; ULONG SectionAlignmentFailures; ULONG UnsupportedRelocs; ULONG IATInExecutableSection; } SYSTEM_VERIFIER_COUNTERS_INFORMATION, *PSYSTEM_VERIFIER_COUNTERS_INFORMATION; // private typedef struct _SYSTEM_ACPI_AUDIT_INFORMATION { ULONG RsdpCount; ULONG SameRsdt : 1; ULONG SlicPresent : 1; ULONG SlicDifferent : 1; } SYSTEM_ACPI_AUDIT_INFORMATION, *PSYSTEM_ACPI_AUDIT_INFORMATION; // private typedef struct _SYSTEM_BASIC_PERFORMANCE_INFORMATION { SIZE_T AvailablePages; SIZE_T CommittedPages; SIZE_T CommitLimit; SIZE_T PeakCommitment; } SYSTEM_BASIC_PERFORMANCE_INFORMATION, *PSYSTEM_BASIC_PERFORMANCE_INFORMATION; // begin_msdn typedef struct _QUERY_PERFORMANCE_COUNTER_FLAGS { union { struct { ULONG KernelTransition : 1; ULONG Reserved : 31; }; ULONG ul; }; } QUERY_PERFORMANCE_COUNTER_FLAGS; typedef struct _SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION { ULONG Version; QUERY_PERFORMANCE_COUNTER_FLAGS Flags; QUERY_PERFORMANCE_COUNTER_FLAGS ValidFlags; } SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION, *PSYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION; // end_msdn // private typedef enum _SYSTEM_PIXEL_FORMAT { SystemPixelFormatUnknown, SystemPixelFormatR8G8B8, SystemPixelFormatR8G8B8X8, SystemPixelFormatB8G8R8, SystemPixelFormatB8G8R8X8 } SYSTEM_PIXEL_FORMAT; // private typedef struct _SYSTEM_BOOT_GRAPHICS_INFORMATION { LARGE_INTEGER FrameBuffer; ULONG Width; ULONG Height; ULONG PixelStride; ULONG Flags; SYSTEM_PIXEL_FORMAT Format; ULONG DisplayRotation; } SYSTEM_BOOT_GRAPHICS_INFORMATION, *PSYSTEM_BOOT_GRAPHICS_INFORMATION; // private typedef struct _MEMORY_SCRUB_INFORMATION { HANDLE Handle; SIZE_T PagesScrubbed; } MEMORY_SCRUB_INFORMATION, *PMEMORY_SCRUB_INFORMATION; // private typedef union _SYSTEM_BAD_PAGE_INFORMATION { #ifdef _WIN64 ULONG_PTR PhysicalPageNumber : 52; #else ULONG PhysicalPageNumber : 20; #endif ULONG_PTR Reserved : 10; ULONG_PTR Pending : 1; ULONG_PTR Poisoned : 1; } SYSTEM_BAD_PAGE_INFORMATION, *PSYSTEM_BAD_PAGE_INFORMATION; // private typedef struct _PEBS_DS_SAVE_AREA32 { ULONG BtsBufferBase; ULONG BtsIndex; ULONG BtsAbsoluteMaximum; ULONG BtsInterruptThreshold; ULONG PebsBufferBase; ULONG PebsIndex; ULONG PebsAbsoluteMaximum; ULONG PebsInterruptThreshold; ULONG PebsGpCounterReset[8]; ULONG PebsFixedCounterReset[4]; } PEBS_DS_SAVE_AREA32, *PPEBS_DS_SAVE_AREA32; // private typedef struct _PEBS_DS_SAVE_AREA64 { ULONGLONG BtsBufferBase; ULONGLONG BtsIndex; ULONGLONG BtsAbsoluteMaximum; ULONGLONG BtsInterruptThreshold; ULONGLONG PebsBufferBase; ULONGLONG PebsIndex; ULONGLONG PebsAbsoluteMaximum; ULONGLONG PebsInterruptThreshold; ULONGLONG PebsGpCounterReset[8]; ULONGLONG PebsFixedCounterReset[4]; } PEBS_DS_SAVE_AREA64, *PPEBS_DS_SAVE_AREA64; // private typedef union _PEBS_DS_SAVE_AREA { PEBS_DS_SAVE_AREA32 As32Bit; PEBS_DS_SAVE_AREA64 As64Bit; } PEBS_DS_SAVE_AREA, *PPEBS_DS_SAVE_AREA; // private typedef struct _PROCESSOR_PROFILE_CONTROL_AREA { PEBS_DS_SAVE_AREA PebsDsSaveArea; } PROCESSOR_PROFILE_CONTROL_AREA, *PPROCESSOR_PROFILE_CONTROL_AREA; // private typedef struct _SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA { PROCESSOR_PROFILE_CONTROL_AREA ProcessorProfileControlArea; BOOLEAN Allocate; } SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA, *PSYSTEM_PROCESSOR_PROFILE_CONTROL_AREA; // private typedef struct _MEMORY_COMBINE_INFORMATION { HANDLE Handle; SIZE_T PagesCombined; } MEMORY_COMBINE_INFORMATION, *PMEMORY_COMBINE_INFORMATION; // rev #define MEMORY_COMBINE_FLAGS_COMMON_PAGES_ONLY 0x4 // private typedef struct _MEMORY_COMBINE_INFORMATION_EX { HANDLE Handle; SIZE_T PagesCombined; ULONG Flags; } MEMORY_COMBINE_INFORMATION_EX, *PMEMORY_COMBINE_INFORMATION_EX; // private typedef struct _MEMORY_COMBINE_INFORMATION_EX2 { HANDLE Handle; SIZE_T PagesCombined; ULONG Flags; HANDLE ProcessHandle; } MEMORY_COMBINE_INFORMATION_EX2, *PMEMORY_COMBINE_INFORMATION_EX2; // private typedef struct _SYSTEM_ENTROPY_TIMING_INFORMATION { VOID (NTAPI *EntropyRoutine)(PVOID, ULONG); VOID (NTAPI *InitializationRoutine)(PVOID, ULONG, PVOID); PVOID InitializationContext; } SYSTEM_ENTROPY_TIMING_INFORMATION, *PSYSTEM_ENTROPY_TIMING_INFORMATION; // private typedef struct _SYSTEM_CONSOLE_INFORMATION { ULONG DriverLoaded : 1; ULONG Spare : 31; } SYSTEM_CONSOLE_INFORMATION, *PSYSTEM_CONSOLE_INFORMATION; // private typedef struct _SYSTEM_PLATFORM_BINARY_INFORMATION { ULONG64 PhysicalAddress; PVOID HandoffBuffer; PVOID CommandLineBuffer; ULONG HandoffBufferSize; ULONG CommandLineBufferSize; } SYSTEM_PLATFORM_BINARY_INFORMATION, *PSYSTEM_PLATFORM_BINARY_INFORMATION; // private typedef struct _SYSTEM_POLICY_INFORMATION { PVOID InputData; PVOID OutputData; ULONG InputDataSize; ULONG OutputDataSize; ULONG Version; } SYSTEM_POLICY_INFORMATION, *PSYSTEM_POLICY_INFORMATION; // private typedef struct _SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION { ULONG NumberOfLogicalProcessors; ULONG NumberOfCores; } SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION, *PSYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION; // private typedef struct _SYSTEM_DEVICE_DATA_INFORMATION { UNICODE_STRING DeviceId; UNICODE_STRING DataName; ULONG DataType; ULONG DataBufferLength; PVOID DataBuffer; } SYSTEM_DEVICE_DATA_INFORMATION, *PSYSTEM_DEVICE_DATA_INFORMATION; // private typedef struct _PHYSICAL_CHANNEL_RUN { ULONG NodeNumber; ULONG ChannelNumber; ULONGLONG BasePage; ULONGLONG PageCount; ULONG Flags; } PHYSICAL_CHANNEL_RUN, *PPHYSICAL_CHANNEL_RUN; // private typedef struct _SYSTEM_MEMORY_TOPOLOGY_INFORMATION { ULONGLONG NumberOfRuns; ULONG NumberOfNodes; ULONG NumberOfChannels; PHYSICAL_CHANNEL_RUN Run[1]; } SYSTEM_MEMORY_TOPOLOGY_INFORMATION, *PSYSTEM_MEMORY_TOPOLOGY_INFORMATION; // private typedef struct _SYSTEM_MEMORY_CHANNEL_INFORMATION { ULONG ChannelNumber; ULONG ChannelHeatIndex; ULONGLONG TotalPageCount; ULONGLONG ZeroPageCount; ULONGLONG FreePageCount; ULONGLONG StandbyPageCount; } SYSTEM_MEMORY_CHANNEL_INFORMATION, *PSYSTEM_MEMORY_CHANNEL_INFORMATION; // private typedef struct _SYSTEM_BOOT_LOGO_INFORMATION { ULONG Flags; ULONG BitmapOffset; } SYSTEM_BOOT_LOGO_INFORMATION, *PSYSTEM_BOOT_LOGO_INFORMATION; // private typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX { LARGE_INTEGER IdleTime; LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER DpcTime; LARGE_INTEGER InterruptTime; ULONG InterruptCount; ULONG Spare0; LARGE_INTEGER AvailableTime; LARGE_INTEGER Spare1; LARGE_INTEGER Spare2; } SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX; // private typedef struct _CRITICAL_PROCESS_EXCEPTION_DATA { GUID ReportId; UNICODE_STRING ModuleName; ULONG ModuleTimestamp; ULONG ModuleSize; ULONG_PTR Offset; } CRITICAL_PROCESS_EXCEPTION_DATA, *PCRITICAL_PROCESS_EXCEPTION_DATA; // private typedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION { GUID PolicyPublisher; ULONG PolicyVersion; ULONG PolicyOptions; } SYSTEM_SECUREBOOT_POLICY_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_INFORMATION; // private _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_PAGEFILE_INFORMATION_EX { union // union declaration for convenience (dmex) { SYSTEM_PAGEFILE_INFORMATION Info; struct { ULONG NextEntryOffset; ULONG TotalSize; ULONG TotalInUse; ULONG PeakUsage; UNICODE_STRING PageFileName; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; ULONG MinimumSize; ULONG MaximumSize; } SYSTEM_PAGEFILE_INFORMATION_EX, *PSYSTEM_PAGEFILE_INFORMATION_EX; // private typedef struct _SYSTEM_SECUREBOOT_INFORMATION { BOOLEAN SecureBootEnabled; BOOLEAN SecureBootCapable; } SYSTEM_SECUREBOOT_INFORMATION, *PSYSTEM_SECUREBOOT_INFORMATION; // private typedef struct _PROCESS_DISK_COUNTERS { ULONGLONG BytesRead; ULONGLONG BytesWritten; ULONGLONG ReadOperationCount; ULONGLONG WriteOperationCount; ULONGLONG FlushOperationCount; } PROCESS_DISK_COUNTERS, *PPROCESS_DISK_COUNTERS; // private typedef union _ENERGY_STATE_DURATION { ULONGLONG Value; struct { ULONG LastChangeTime; ULONG Duration : 31; ULONG IsInState : 1; } DUMMYSTRUCTNAME; } ENERGY_STATE_DURATION, *PENERGY_STATE_DURATION; typedef struct _PROCESS_ENERGY_VALUES { ULONGLONG Cycles[4][2]; ULONGLONG DiskEnergy; ULONGLONG NetworkTailEnergy; ULONGLONG MBBTailEnergy; ULONGLONG NetworkTxRxBytes; ULONGLONG MBBTxRxBytes; union { ENERGY_STATE_DURATION Durations[3]; struct { ENERGY_STATE_DURATION ForegroundDuration; ENERGY_STATE_DURATION DesktopVisibleDuration; ENERGY_STATE_DURATION PSMForegroundDuration; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; ULONG CompositionRendered; ULONG CompositionDirtyGenerated; ULONG CompositionDirtyPropagated; ULONG Reserved1; ULONGLONG AttributedCycles[4][2]; ULONGLONG WorkOnBehalfCycles[4][2]; } PROCESS_ENERGY_VALUES, *PPROCESS_ENERGY_VALUES; typedef union _TIMELINE_BITMAP { ULONGLONG Value; struct { ULONG EndTime; ULONG Bitmap; }; } TIMELINE_BITMAP, *PTIMELINE_BITMAP; typedef struct _PROCESS_ENERGY_VALUES_EXTENSION { union { TIMELINE_BITMAP Timelines[14]; // 9 for REDSTONE2, 14 for REDSTONE3/4/5 struct { TIMELINE_BITMAP CpuTimeline; TIMELINE_BITMAP DiskTimeline; TIMELINE_BITMAP NetworkTimeline; TIMELINE_BITMAP MBBTimeline; TIMELINE_BITMAP ForegroundTimeline; TIMELINE_BITMAP DesktopVisibleTimeline; TIMELINE_BITMAP CompositionRenderedTimeline; TIMELINE_BITMAP CompositionDirtyGeneratedTimeline; TIMELINE_BITMAP CompositionDirtyPropagatedTimeline; TIMELINE_BITMAP InputTimeline; // REDSTONE3 TIMELINE_BITMAP AudioInTimeline; TIMELINE_BITMAP AudioOutTimeline; TIMELINE_BITMAP DisplayRequiredTimeline; TIMELINE_BITMAP KeyboardInputTimeline; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; union // REDSTONE3 { ENERGY_STATE_DURATION Durations[5]; struct { ENERGY_STATE_DURATION InputDuration; ENERGY_STATE_DURATION AudioInDuration; ENERGY_STATE_DURATION AudioOutDuration; ENERGY_STATE_DURATION DisplayRequiredDuration; ENERGY_STATE_DURATION PSMBackgroundDuration; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; ULONG KeyboardInput; ULONG MouseInput; } PROCESS_ENERGY_VALUES_EXTENSION, *PPROCESS_ENERGY_VALUES_EXTENSION; typedef struct _PROCESS_EXTENDED_ENERGY_VALUES { PROCESS_ENERGY_VALUES Base; PROCESS_ENERGY_VALUES_EXTENSION Extension; } PROCESS_EXTENDED_ENERGY_VALUES, *PPROCESS_EXTENDED_ENERGY_VALUES; typedef struct _PROCESS_EXTENDED_ENERGY_VALUES_V1 { PROCESS_ENERGY_VALUES Base; PROCESS_ENERGY_VALUES_EXTENSION Extension; ULONG64 NpuWorkUnits; } PROCESS_EXTENDED_ENERGY_VALUES_V1, *PPROCESS_EXTENDED_ENERGY_VALUES_V1; // private typedef enum _SYSTEM_PROCESS_CLASSIFICATION { SystemProcessClassificationNormal, SystemProcessClassificationSystem, SystemProcessClassificationSecureSystem, SystemProcessClassificationMemCompression, SystemProcessClassificationRegistry, // REDSTONE4 SystemProcessClassificationMaximum } SYSTEM_PROCESS_CLASSIFICATION; // private typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION { PROCESS_DISK_COUNTERS DiskCounters; ULONGLONG ContextSwitches; union { ULONG Flags; struct { ULONG HasStrongId : 1; ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION ULONG BackgroundActivityModerated : 1; ULONG Spare : 26; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; ULONG UserSidOffset; ULONG PackageFullNameOffset; // since THRESHOLD PROCESS_ENERGY_VALUES EnergyValues; // since THRESHOLD ULONG AppIdOffset; // since THRESHOLD SIZE_T SharedCommitCharge; // since THRESHOLD2 ULONG JobObjectId; // since REDSTONE ULONG SpareUlong; // since REDSTONE ULONGLONG ProcessSequenceNumber; } SYSTEM_PROCESS_INFORMATION_EXTENSION, *PSYSTEM_PROCESS_INFORMATION_EXTENSION; // private typedef struct _SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION { BOOLEAN EfiLauncherEnabled; } SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION, *PSYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION; // private typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX { BOOLEAN DebuggerAllowed; BOOLEAN DebuggerEnabled; BOOLEAN DebuggerPresent; } SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX; // private typedef struct _SYSTEM_ELAM_CERTIFICATE_INFORMATION { HANDLE ElamDriverFile; } SYSTEM_ELAM_CERTIFICATE_INFORMATION, *PSYSTEM_ELAM_CERTIFICATE_INFORMATION; // private typedef struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 { ULONG Version; ULONG AbnormalResetOccurred; ULONG OfflineMemoryDumpCapable; PVOID ResetDataAddress; ULONG ResetDataSize; } OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2, *POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2; // private typedef struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1 { ULONG Version; ULONG AbnormalResetOccurred; ULONG OfflineMemoryDumpCapable; } OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1, *POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1; // SYSTEM_PROCESSOR_FEATURES_INFORMATION // ProcessorFeatureBits #define KF64_SMEP 0x0000000000000001ULL // Supervisor Mode Execution Protection #define KF64_RDTSC 0x0000000000000002ULL // Read Time-Stamp Counter #define KF64_CR4 0x0000000000000004ULL // CR4 Register Features #define KF64_CMOV 0x0000000000000008ULL // Conditional Move Instructions #define KF64_GLOBAL_PAGE 0x0000000000000010ULL // Global Pages Support #define KF64_LARGE_PAGE 0x0000000000000020ULL // Large Page Support #define KF64_MTRR 0x0000000000000040ULL // Memory Type Range Registers #define KF64_CMPXCHG8B 0x0000000000000080ULL // CMPXCHG8B Instruction #define KF64_MMX 0x0000000000000100ULL // MMX Instructions #define KF64_DTS 0x0000000000000200ULL // Debug Store #define KF64_PAT 0x0000000000000400ULL // Page Attribute Table #define KF64_FXSR 0x0000000000000800ULL // FXSAVE and FXRSTOR Instructions #define KF64_FAST_SYSCALL 0x0000000000001000ULL // Fast System Call #define KF64_XMMI 0x0000000000002000ULL // Streaming SIMD Extensions #define KF64_3DNOW 0x0000000000004000ULL // 3DNow! Instructions #define KF64_AMDK6MTRR 0x0000000000008000ULL // AMD K6 Memory Type Range Registers #define KF64_XMMI64 0x0000000000010000ULL // Streaming SIMD Extensions 2 #define KF64_BRANCH 0x0000000000020000ULL // Branch Prediction #define KF64_XSTATE 0x0000000000800000ULL // Extended States #define KF64_RDRAND 0x0000000100000000ULL // RDRAND Instruction #define KF64_SMAP 0x0000000200000000ULL // Supervisor Mode Access Prevention #define KF64_RDTSCP 0x0000000400000000ULL // RDTSCP Instruction #define KF64_HUGEPAGE 0x0000002000000000ULL // Huge Page Support #define KF64_XSAVES 0x0000004000000000ULL // XSAVES and XRSTORS Instructions #define KF64_FPU_LEAKAGE 0x0000020000000000ULL // FPU Data Leakage Mitigations #define KF64_CAT 0x0000100000000000ULL // Cache Allocation Technology #define KF64_CET_SS 0x0000400000000000ULL // Control-flow Enforcement Technology - Shadow Stack #define KF64_SSSE3 0x0000800000000000ULL // Supplemental Streaming SIMD Extensions 3 #define KF64_SSE4_1 0x0001000000000000ULL // Streaming SIMD Extensions 4.1 #define KF64_SSE4_2 0x0002000000000000ULL // Streaming SIMD Extensions 4.2 #define KF64_XFD 0x0080000000000000ULL // eXtended FPU Data // private typedef struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION { ULONGLONG ProcessorFeatureBits; ULONGLONG Reserved[3]; } SYSTEM_PROCESSOR_FEATURES_INFORMATION, *PSYSTEM_PROCESSOR_FEATURES_INFORMATION; // EDID v1.4 detailed timing descriptor (18 bytes) typedef struct _SYSTEM_EDID_DETAILED_TIMING_DESCRIPTOR { USHORT PixelClock; // Pixel clock in 10 kHz units UCHAR HorizontalActiveLo; // Horizontal active pixels (low 8 bits) UCHAR HorizontalBlankLo; // Horizontal blanking pixels (low 8 bits) UCHAR HorizontalActiveBlankHi; // High bits for horizontal active/blanking UCHAR VerticalActiveLo; // Vertical active lines (low 8 bits) UCHAR VerticalBlankLo; // Vertical blanking lines (low 8 bits) UCHAR VerticalActiveBlankHi; // High bits for vertical active/blanking UCHAR HorizontalSyncOffsetLo;// Horizontal sync offset (low 8 bits) UCHAR HorizontalSyncPulseWidthLo; // Horizontal sync pulse width (low 8 bits) UCHAR VerticalSyncOffsetPulseWidthLo; // Vertical sync offset/pulse width (low 4 bits each) UCHAR SyncOffsetPulseWidthHi; // High bits for sync offset/pulse width UCHAR HorizontalImageSizeLo; // Horizontal image size in mm (low 8 bits) UCHAR VerticalImageSizeLo; // Vertical image size in mm (low 8 bits) UCHAR ImageSizeHi; // High bits for image size UCHAR HorizontalBorder; // Horizontal border in pixels UCHAR VerticalBorder; // Vertical border in lines UCHAR Flags; // Flags (interlaced, stereo, sync, etc.) } SYSTEM_EDID_DETAILED_TIMING_DESCRIPTOR, *PSYSTEM_EDID_DETAILED_TIMING_DESCRIPTOR; // EDID v1.4 standard data format typedef struct _SYSTEM_EDID_INFORMATION { union { UCHAR Edid[128]; struct { UCHAR Header[8]; // 00h: EDID header (00 FF FF FF FF FF FF 00) UCHAR ManufacturerId[2]; // 08h: Manufacturer ID (big endian) UCHAR ProductCode[2]; // 0Ah: Product code (little endian) UCHAR SerialNumber[4]; // 0Ch: Serial number UCHAR WeekOfManufacture; // 10h: Week of manufacture UCHAR YearOfManufacture; // 11h: Year of manufacture (offset from 1990) UCHAR EdidVersion; // 12h: EDID version (should be 1) UCHAR EdidRevision; // 13h: EDID revision (should be 4) UCHAR VideoInputDefinition; // 14h: Video input parameters UCHAR MaxHorizontalImageSize; // 15h: Max horizontal image size (cm) UCHAR MaxVerticalImageSize; // 16h: Max vertical image size (cm) UCHAR DisplayGamma; // 17h: Display gamma (gamma*100 - 100) UCHAR FeatureSupport; // 18h: DPMS features, color encoding, etc. UCHAR Chromaticity[10]; // 19h: Chromaticity coordinates UCHAR EstablishedTimings[3]; // 23h: Established timings UCHAR StandardTimings[16]; // 26h: Standard timings (8x2 bytes) SYSTEM_EDID_DETAILED_TIMING_DESCRIPTOR DetailedTiming[4]; // 36h: 4 detailed timing descriptors (18 bytes each) UCHAR ExtensionFlag; // 7Eh: Number of (optional) 128-byte extension blocks UCHAR Checksum; // 7Fh: Checksum (sum of all 128 bytes = 0) }; }; } SYSTEM_EDID_INFORMATION, *PSYSTEM_EDID_INFORMATION; // private typedef struct _SYSTEM_MANUFACTURING_INFORMATION { ULONG Options; UNICODE_STRING ProfileName; } SYSTEM_MANUFACTURING_INFORMATION, *PSYSTEM_MANUFACTURING_INFORMATION; // private typedef struct _SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION { BOOLEAN Enabled; } SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION, *PSYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION; // private typedef struct _HV_DETAILS { ULONG Data[4]; } HV_DETAILS, *PHV_DETAILS; // private typedef struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION { HV_DETAILS HvVendorAndMaxFunction; HV_DETAILS HypervisorInterface; HV_DETAILS HypervisorVersion; HV_DETAILS HvFeatures; HV_DETAILS HwFeatures; HV_DETAILS EnlightenmentInfo; HV_DETAILS ImplementationLimits; } SYSTEM_HYPERVISOR_DETAIL_INFORMATION, *PSYSTEM_HYPERVISOR_DETAIL_INFORMATION; // private typedef struct _SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION { // // First index is bucket (see: PoGetFrequencyBucket) selected based on latest frequency percent // using _KPRCB.PowerState.FrequencyBucketThresholds. // // Second index is _KPRCB.PowerState.ArchitecturalEfficiencyClass, accounting for architecture // dependent KeHeteroSystem and using _KPRCB.PowerState.EarlyBootArchitecturalEfficiencyClass // instead, when appropriate. // ULONGLONG Cycles[4][2]; } SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION, *PSYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION; // private typedef struct _SYSTEM_TPM_INFORMATION { ULONG Flags; } SYSTEM_TPM_INFORMATION, *PSYSTEM_TPM_INFORMATION; // private typedef struct _SYSTEM_VSM_PROTECTION_INFORMATION { BOOLEAN DmaProtectionsAvailable; BOOLEAN DmaProtectionsInUse; BOOLEAN HardwareMbecAvailable; // REDSTONE4 (CVE-2018-3639) BOOLEAN ApicVirtualizationAvailable; // 20H1 } SYSTEM_VSM_PROTECTION_INFORMATION, *PSYSTEM_VSM_PROTECTION_INFORMATION; // private typedef struct _SYSTEM_KERNEL_DEBUGGER_FLAGS { BOOLEAN KernelDebuggerIgnoreUmExceptions; } SYSTEM_KERNEL_DEBUGGER_FLAGS, *PSYSTEM_KERNEL_DEBUGGER_FLAGS; // SYSTEM_CODEINTEGRITYPOLICY_INFORMATION Options #define CODEINTEGRITYPOLICY_OPTION_ENABLED 0x01 #define CODEINTEGRITYPOLICY_OPTION_AUDIT 0x02 #define CODEINTEGRITYPOLICY_OPTION_REQUIRE_WHQL 0x04 #define CODEINTEGRITYPOLICY_OPTION_DISABLED_FLIGHTSIGNING 0x08 #define CODEINTEGRITYPOLICY_OPTION_ENABLED_UMCI 0x10 #define CODEINTEGRITYPOLICY_OPTION_ENABLED_UPDATE_POLICY_NOREBOOT 0x20 #define CODEINTEGRITYPOLICY_OPTION_ENABLED_SECURE_SETTING_POLICY 0x40 #define CODEINTEGRITYPOLICY_OPTION_ENABLED_UNSIGNED_SYSTEMINTEGRITY_POLICY 0x80 #define CODEINTEGRITYPOLICY_OPTION_DYNAMIC_CODE_POLICY_ENABLED 0x100 #define CODEINTEGRITYPOLICY_OPTION_RELOAD_POLICY_NO_REBOOT 0x10000000 // NtSetSystemInformation reloads SiPolicy.p7b #define CODEINTEGRITYPOLICY_OPTION_CONDITIONAL_LOCKDOWN 0x20000000 #define CODEINTEGRITYPOLICY_OPTION_NOLOCKDOWN 0x40000000 #define CODEINTEGRITYPOLICY_OPTION_LOCKDOWN 0x80000000 // SYSTEM_CODEINTEGRITYPOLICY_INFORMATION HVCIOptions #define CODEINTEGRITYPOLICY_HVCIOPTION_ENABLED 0x01 #define CODEINTEGRITYPOLICY_HVCIOPTION_STRICT 0x02 #define CODEINTEGRITYPOLICY_HVCIOPTION_DEBUG 0x04 // private typedef struct _SYSTEM_CODEINTEGRITYPOLICY_INFORMATION { union { ULONG Options; struct { ULONG Enabled : 1; ULONG Audit : 1; ULONG RequireWHQL : 1; ULONG DisabledFlightSigning : 1; ULONG EnabledUMCI : 1; ULONG EnabledUpdatePolicyNoReboot : 1; ULONG EnabledSecureSettingPolicy : 1; ULONG EnabledUnsignedSystemIntegrityPolicy : 1; ULONG DynamicCodePolicyEnabled : 1; ULONG Spare : 19; ULONG ReloadPolicyNoReboot : 1; ULONG ConditionalLockdown : 1; ULONG NoLockdown : 1; ULONG Lockdown : 1; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; union { ULONG HVCIOptions; struct { ULONG HVCIEnabled : 1; ULONG HVCIStrict : 1; ULONG HVCIDebug : 1; ULONG HVCISpare : 29; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; ULONGLONG Version; GUID PolicyGuid; } SYSTEM_CODEINTEGRITYPOLICY_INFORMATION, *PSYSTEM_CODEINTEGRITYPOLICY_INFORMATION; // private typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION { BOOLEAN SecureKernelRunning : 1; BOOLEAN HvciEnabled : 1; BOOLEAN HvciStrictMode : 1; BOOLEAN DebugEnabled : 1; BOOLEAN FirmwarePageProtection : 1; BOOLEAN EncryptionKeyAvailable : 1; BOOLEAN SpareFlags : 2; BOOLEAN TrustletRunning : 1; BOOLEAN HvciDisableAllowed : 1; BOOLEAN HardwareEnforcedVbs : 1; BOOLEAN NoSecrets : 1; BOOLEAN EncryptionKeyPersistent : 1; BOOLEAN HardwareEnforcedHvpt : 1; BOOLEAN HardwareHvptAvailable : 1; BOOLEAN SpareFlags2 : 1; BOOLEAN EncryptionKeyTpmBound : 1; BOOLEAN Spare0[5]; ULONGLONG Spare1; } SYSTEM_ISOLATED_USER_MODE_INFORMATION, *PSYSTEM_ISOLATED_USER_MODE_INFORMATION; // private typedef struct _SYSTEM_SINGLE_MODULE_INFORMATION { PVOID TargetModuleAddress; RTL_PROCESS_MODULE_INFORMATION_EX ExInfo; } SYSTEM_SINGLE_MODULE_INFORMATION, *PSYSTEM_SINGLE_MODULE_INFORMATION; // private typedef struct _SYSTEM_INTERRUPT_CPU_SET_INFORMATION { ULONG Gsiv; USHORT Group; ULONGLONG CpuSets; } SYSTEM_INTERRUPT_CPU_SET_INFORMATION, *PSYSTEM_INTERRUPT_CPU_SET_INFORMATION; // private typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION { SYSTEM_SECUREBOOT_POLICY_INFORMATION PolicyInformation; ULONG PolicySize; UCHAR Policy[1]; } SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION; // private typedef struct _KAFFINITY_EX { USHORT Count; USHORT Size; ULONG Reserved; union { ULONG_PTR Bitmap[1]; ULONG_PTR StaticBitmap[32]; } DUMMYUNIONNAME; } KAFFINITY_EX, *PKAFFINITY_EX; // private typedef struct _SYSTEM_ROOT_SILO_INFORMATION { ULONG NumberOfSilos; ULONG SiloIdList[1]; } SYSTEM_ROOT_SILO_INFORMATION, *PSYSTEM_ROOT_SILO_INFORMATION; // private typedef struct _SYSTEM_CPU_SET_TAG_INFORMATION { ULONGLONG Tag; ULONGLONG CpuSets[1]; } SYSTEM_CPU_SET_TAG_INFORMATION, *PSYSTEM_CPU_SET_TAG_INFORMATION; // private typedef struct _SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION { ULONG ExtentCount; ULONG ValidStructureSize; ULONG NextExtentIndex; ULONG ExtentRestart; ULONG CycleCount; ULONG TimeoutCount; ULONGLONG CycleTime; ULONGLONG CycleTimeMax; ULONGLONG ExtentTime; ULONG ExtentTimeIndex; ULONG ExtentTimeMaxIndex; ULONGLONG ExtentTimeMax; ULONGLONG HyperFlushTimeMax; ULONGLONG TranslateVaTimeMax; ULONGLONG DebugExemptionCount; ULONGLONG TbHitCount; ULONGLONG TbMissCount; ULONGLONG VinaPendingYield; ULONGLONG HashCycles; ULONG HistogramOffset; ULONG HistogramBuckets; ULONG HistogramShift; ULONG Reserved1; ULONGLONG PageNotPresentCount; } SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION, *PSYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION; // private typedef struct _SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION { ULONG PlatformManifestSize; UCHAR PlatformManifest[1]; } SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION, *PSYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION; // private typedef struct _SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT { ULONG Gsiv; UCHAR ControllerInterrupt; UCHAR EdgeInterrupt; UCHAR IsPrimaryInterrupt; GROUP_AFFINITY TargetAffinity; } SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, *PSYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT; // private typedef union _SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT { ULONG AsULONG; struct { ULONG Enabled : 1; ULONG Reserved : 31; }; } SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT, *PSYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT; #if !defined(NTDDI_WIN10_FE) || (NTDDI_VERSION < NTDDI_WIN10_FE) // private typedef struct _SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION { ULONG Machine : 16; ULONG KernelMode : 1; ULONG UserMode : 1; ULONG Native : 1; ULONG Process : 1; ULONG WoW64Container : 1; ULONG ReservedZero0 : 11; } SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION, *PSYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION; #endif // NTDDI_WIN10_FE // private /** * The SYSTEM_MEMORY_USAGE_INFORMATION structure contains information about the memory usage of the system. */ typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION { ULONGLONG TotalPhysicalBytes; ULONGLONG AvailableBytes; LONGLONG ResidentAvailableBytes; ULONGLONG CommittedBytes; ULONGLONG SharedCommittedBytes; ULONGLONG CommitLimitBytes; ULONGLONG PeakCommitmentBytes; } SYSTEM_MEMORY_USAGE_INFORMATION, *PSYSTEM_MEMORY_USAGE_INFORMATION; // rev /** * The SYSTEM_CODEINTEGRITY_IMAGE_TYPE constant is used for validating user-mode images (EXE/DLL). */ typedef enum _SYSTEM_CODEINTEGRITY_IMAGE_TYPE { SystemCodeIntegrityImageTypeUser, SystemCodeIntegrityImageTypeKernel, SystemCodeIntegrityImageTypeBoot } SYSTEM_CODEINTEGRITY_IMAGE_TYPE; /** * The SYSTEM_CODEINTEGRITY_IMAGE_TYPE_USER constant is used for validating user-mode images (EXE/DLL). * * Validation includes: * - Digital signature * - User-mode certificate chain validity. * - Compliance policies for user-mode binaries. */ #define SYSTEM_CODEINTEGRITY_IMAGE_TYPE_USER 0 /** * The SYSTEM_CODEINTEGRITY_IMAGE_TYPE_KERNEL constant is used for validating kernel-mode images (SYS/Native). * * Validation includes: * - Signed by a trusted certificate authority (or cross-signed). * - Compliance policies for kernel-mode binaries. */ #define SYSTEM_CODEINTEGRITY_IMAGE_TYPE_KERNEL 1 /** * The SYSTEM_CODEINTEGRITY_IMAGE_TYPE_BOOT constant is used for validating boot-critical images (SYS/Native). * * Validation includes: * - Signed only by Microsoft. * - Compliance policies for boot-critical binaries (Strict WHQL, Secure Boot requirements). */ #define SYSTEM_CODEINTEGRITY_IMAGE_TYPE_BOOT /** * The SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION structure contains information to validate the integrity of an image. * * \note The return status of NtQuerySystemInformation indicates the result of the code integrity validation as determined by the type specified. */ typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION { HANDLE ImageFile; // in: Handle to a file or image to validate. ULONG Type; // in: The type of code integrity policy. // REDSTONE4 } SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, *PSYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION; /** * The SYSTEM_PHYSICAL_MEMORY_INFORMATION structure retrieves the physical memory layout of the system. * * \remarks The addresses are physical, not virtual. */ typedef struct _SYSTEM_PHYSICAL_MEMORY_INFORMATION { ULONGLONG TotalPhysicalBytes; // Total amount of physical RAM present, in bytes. ULONGLONG LowestPhysicalAddress; // Lowest accessible physical address (byte address). ULONGLONG HighestPhysicalAddress; // Highest accessible physical address (byte address, inclusive). } SYSTEM_PHYSICAL_MEMORY_INFORMATION, *PSYSTEM_PHYSICAL_MEMORY_INFORMATION; /** * The SYSTEM_ACTIVITY_MODERATION_STATE type contains the moderation state applied to an application, * with respect to background throttling, resource reduction, and related heuristics. * * \remarks The state may be assigned automatically by the system or explicitly overridden by the user. */ typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE { SystemActivityModerationStateSystemManaged, // The system applies heuristics based on the appropriate moderation behavior. SystemActivityModerationStateUserManagedAllowThrottling, // User allows the system to throttle the application. SystemActivityModerationStateUserManagedDisableThrottling, // User disables throttling for the application. MaxSystemActivityModerationState // Upper bound for validation; not a real state. } SYSTEM_ACTIVITY_MODERATION_STATE; // private - REDSTONE2 typedef struct _SYSTEM_ACTIVITY_MODERATION_EXE_STATE // REDSTONE3: Renamed SYSTEM_ACTIVITY_MODERATION_INFO { UNICODE_STRING ExePathNt; SYSTEM_ACTIVITY_MODERATION_STATE ModerationState; } SYSTEM_ACTIVITY_MODERATION_EXE_STATE, *PSYSTEM_ACTIVITY_MODERATION_EXE_STATE; typedef enum _SYSTEM_ACTIVITY_MODERATION_APP_TYPE { SystemActivityModerationAppTypeClassic, SystemActivityModerationAppTypePackaged, MaxSystemActivityModerationAppType } SYSTEM_ACTIVITY_MODERATION_APP_TYPE; // private - REDSTONE3 typedef struct _SYSTEM_ACTIVITY_MODERATION_INFO { UNICODE_STRING Identifier; SYSTEM_ACTIVITY_MODERATION_STATE ModerationState; SYSTEM_ACTIVITY_MODERATION_APP_TYPE AppType; } SYSTEM_ACTIVITY_MODERATION_INFO, *PSYSTEM_ACTIVITY_MODERATION_INFO; // rev /** * The SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS structure describes the moderation state * and classification of an application as used by the system's activity moderation framework. * These settings influence how aggressively the system may throttle, defer, or * suppress certain background activities for the application. * * The structure maintains a stable binary layout because it is stored in * serialized policy blobs and consumed by system components that expect * fixed field offsets. */ typedef struct _SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS { LARGE_INTEGER LastUpdatedTime; // Timestamp of the last update to this settings block. SYSTEM_ACTIVITY_MODERATION_STATE ModerationState; // Current moderation state assigned to the application. UCHAR Reserved[4]; // Reserved for future expansion SYSTEM_ACTIVITY_MODERATION_APP_TYPE AppType; // Current application type for moderation purposes. ULONG Flags; // Additional moderation flags. } SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS, *PSYSTEM_ACTIVITY_MODERATION_APP_SETTINGS; /** * The SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS structure provides the activity-moderation * registry location where moderation policies or overrides may be stored. */ typedef struct _SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS { HANDLE UserKeyHandle; // Handle to the user registry key for activity moderation settings. } SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS, *PSYSTEM_ACTIVITY_MODERATION_USER_SETTINGS; // private typedef struct _SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION { union { ULONG Flags; struct { ULONG Locked : 1; ULONG UnlockApplied : 1; // Unlockable field removed 19H1 ULONG UnlockIdValid : 1; ULONG Reserved : 29; }; }; UCHAR UnlockId[32]; // REDSTONE4 } SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, *PSYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION; // private typedef struct _SYSTEM_FLUSH_INFORMATION { ULONG SupportedFlushMethods; ULONG ProcessorCacheFlushSize; ULONGLONG SystemFlushCapabilities; ULONGLONG Reserved[2]; } SYSTEM_FLUSH_INFORMATION, *PSYSTEM_FLUSH_INFORMATION; // private typedef struct _SYSTEM_WRITE_CONSTRAINT_INFORMATION { ULONG WriteConstraintPolicy; ULONG Reserved; } SYSTEM_WRITE_CONSTRAINT_INFORMATION, *PSYSTEM_WRITE_CONSTRAINT_INFORMATION; // private typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION { union { ULONG KvaShadowFlags; struct { ULONG KvaShadowEnabled : 1; ULONG KvaShadowUserGlobal : 1; ULONG KvaShadowPcid : 1; ULONG KvaShadowInvpcid : 1; ULONG KvaShadowRequired : 1; // REDSTONE4 ULONG KvaShadowRequiredAvailable : 1; ULONG InvalidPteBit : 6; ULONG L1DataCacheFlushSupported : 1; ULONG L1TerminalFaultMitigationPresent : 1; ULONG Reserved : 18; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; } SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION; // private /** * The SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION structure contains information * required for code integrity verification of an image. */ typedef struct _SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION { HANDLE FileHandle; ULONG ImageSize; PVOID Image; } SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION, *PSYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION; // rev /** * The SYSTEM_HYPERVISOR_USER_SHARED_DATA structure contains information shared with the hypervisor and user-mode. * * This structure is populated by the hypervisor (when present) to allow user-mode components to perform * high-resolution time calculations without requiring a hypercall or kernel transition. */ typedef struct _SYSTEM_HYPERVISOR_USER_SHARED_DATA { /** * Lock used to synchronize updates to the timing fields. * * The hypervisor increments this value before and after updating the * QPC multiplier and bias. User-mode callers can sample this value * before and after reading the timing fields to detect whether an * update occurred mid-read and retry if necessary. */ volatile ULONG TimeUpdateLock; /** * Reserved field - The hypervisor does not assign this field. */ ULONG Reserved0; /** * Multiplier used to convert hypervisor QPC ticks to host time. * * This value is applied to the hypervisor's virtualized performance * counter to compute a stable, high-resolution timebase. The multiplier * is chosen by the hypervisor based on the underlying hardware timer * source and virtualization mode. */ ULONGLONG QpcMultiplier; /** * Bias applied after QPC multiplication to produce final time. * * The hypervisor uses this bias to align the virtualized QPC value with * the host's notion of system time. Combined with QpcMultiplier, this * allows user-mode components to compute consistent time values even * under virtualization. */ ULONGLONG QpcBias; } SYSTEM_HYPERVISOR_USER_SHARED_DATA, *PSYSTEM_HYPERVISOR_USER_SHARED_DATA; /** * The SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION structure describes * the user-mode mapping of the hypervisor shared page. * * This structure provides the virtual address at which the hypervisor's * user-accessible shared data page is mapped. When a hypervisor is present, * the kernel maps a read-only page into user mode containing timing and * virtualization-related information (see SYSTEM_HYPERVISOR_USER_SHARED_DATA). * * User-mode components can read this page directly to obtain high-resolution * time conversion parameters or other hypervisor-provided data without * requiring a hypercall or kernel transition. */ typedef struct _SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION { /** * User-mode virtual address of the hypervisor shared data page. * If no hypervisor is present, this pointer is NULL. */ PSYSTEM_HYPERVISOR_USER_SHARED_DATA HypervisorSharedUserVa; } SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION, *PSYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION; // private typedef struct _SYSTEM_FIRMWARE_PARTITION_INFORMATION { UNICODE_STRING FirmwarePartition; } SYSTEM_FIRMWARE_PARTITION_INFORMATION, *PSYSTEM_FIRMWARE_PARTITION_INFORMATION; // private typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION { union { ULONG Flags; struct { ULONG BpbEnabled : 1; ULONG BpbDisabledSystemPolicy : 1; ULONG BpbDisabledNoHardwareSupport : 1; ULONG SpecCtrlEnumerated : 1; ULONG SpecCmdEnumerated : 1; ULONG IbrsPresent : 1; ULONG StibpPresent : 1; ULONG SmepPresent : 1; ULONG SpeculativeStoreBypassDisableAvailable : 1; // REDSTONE4 (CVE-2018-3639) ULONG SpeculativeStoreBypassDisableSupported : 1; ULONG SpeculativeStoreBypassDisabledSystemWide : 1; ULONG SpeculativeStoreBypassDisabledKernel : 1; ULONG SpeculativeStoreBypassDisableRequired : 1; ULONG BpbDisabledKernelToUser : 1; ULONG SpecCtrlRetpolineEnabled : 1; ULONG SpecCtrlImportOptimizationEnabled : 1; ULONG EnhancedIbrs : 1; // since 19H1 ULONG HvL1tfStatusAvailable : 1; ULONG HvL1tfProcessorNotAffected : 1; ULONG HvL1tfMigitationEnabled : 1; ULONG HvL1tfMigitationNotEnabled_Hardware : 1; ULONG HvL1tfMigitationNotEnabled_LoadOption : 1; ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1; ULONG EnhancedIbrsReported : 1; ULONG MdsHardwareProtected : 1; // since 19H2 ULONG MbClearEnabled : 1; ULONG MbClearReported : 1; ULONG ReservedTaa : 4; ULONG Reserved : 1; }; } SpeculationControlFlags; union { ULONG Flags; // since 23H2 struct { ULONG SbdrSsdpHardwareProtected : 1; ULONG FbsdpHardwareProtected : 1; ULONG PsdpHardwareProtected : 1; ULONG FbClearEnabled : 1; ULONG FbClearReported : 1; ULONG BhbEnabled : 1; ULONG BhbDisabledSystemPolicy : 1; ULONG BhbDisabledNoHardwareSupport : 1; ULONG BranchConfusionStatus : 2; ULONG BranchConfusionReported : 1; ULONG RdclHardwareProtectedReported : 1; ULONG RdclHardwareProtected : 1; ULONG Reserved3 : 4; ULONG Reserved4 : 3; ULONG DivideByZeroReported : 1; ULONG DivideByZeroStatus : 1; ULONG Reserved5 : 3; ULONG Reserved : 7; }; } SpeculationControlFlags2; } SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION; // private typedef struct _SYSTEM_DMA_GUARD_POLICY_INFORMATION { BOOLEAN DmaGuardPolicyEnabled; } SYSTEM_DMA_GUARD_POLICY_INFORMATION, *PSYSTEM_DMA_GUARD_POLICY_INFORMATION; // private typedef struct _SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION { UCHAR EnclaveLaunchSigner[32]; } SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION, *PSYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION; // private typedef struct _SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION { ULONGLONG WorkloadClass; ULONGLONG CpuSets[1]; } SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION, *PSYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION; // private typedef struct _SYSTEM_SECURITY_MODEL_INFORMATION { union { ULONG SecurityModelFlags; struct { ULONG ReservedFlag : 1; // SModeAdminlessEnabled ULONG AllowDeviceOwnerProtectionDowngrade : 1; ULONG Reserved : 30; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; } SYSTEM_SECURITY_MODEL_INFORMATION, *PSYSTEM_SECURITY_MODEL_INFORMATION; // private typedef union _SECURE_SPECULATION_CONTROL_INFORMATION { ULONG KvaShadowSupported : 1; ULONG KvaShadowEnabled : 1; ULONG KvaShadowUserGlobal : 1; ULONG KvaShadowPcid : 1; ULONG MbClearEnabled : 1; ULONG L1TFMitigated : 1; // since 20H2 ULONG BpbEnabled : 1; ULONG IbrsPresent : 1; ULONG EnhancedIbrs : 1; ULONG StibpPresent : 1; ULONG SsbdSupported : 1; ULONG SsbdRequired : 1; ULONG BpbKernelToUser : 1; ULONG BpbUserToKernel : 1; ULONG ReturnSpeculate : 1; ULONG BranchConfusionSafe : 1; ULONG SsbsEnabledAlways : 1; // 24H2 ULONG SsbsEnabledKernel : 1; ULONG Reserved : 14; } SECURE_SPECULATION_CONTROL_INFORMATION, *PSECURE_SPECULATION_CONTROL_INFORMATION; // private typedef struct _SYSTEM_FIRMWARE_RAMDISK_INFORMATION { ULONG Version; ULONG BlockSize; ULONG_PTR BaseAddress; SIZE_T Size; } SYSTEM_FIRMWARE_RAMDISK_INFORMATION, *PSYSTEM_FIRMWARE_RAMDISK_INFORMATION; // private typedef struct _SYSTEM_SHADOW_STACK_INFORMATION { union { ULONG Flags; struct { ULONG CetCapable : 1; ULONG UserCetAllowed : 1; ULONG ReservedForUserCet : 6; ULONG KernelCetEnabled : 1; ULONG KernelCetAuditModeEnabled : 1; ULONG ReservedForKernelCet : 6; // since Windows 10 build 21387 ULONG Reserved : 16; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; } SYSTEM_SHADOW_STACK_INFORMATION, *PSYSTEM_SHADOW_STACK_INFORMATION; // private typedef union _SYSTEM_BUILD_VERSION_INFORMATION_FLAGS { ULONG Value32; struct { ULONG IsTopLevel : 1; ULONG IsChecked : 1; }; } SYSTEM_BUILD_VERSION_INFORMATION_FLAGS, *PSYSTEM_BUILD_VERSION_INFORMATION_FLAGS; // private typedef struct _SYSTEM_BUILD_VERSION_INFORMATION { USHORT LayerNumber; USHORT LayerCount; ULONG OsMajorVersion; ULONG OsMinorVersion; ULONG NtBuildNumber; ULONG NtBuildQfe; UCHAR LayerName[128]; UCHAR NtBuildBranch[128]; UCHAR NtBuildLab[128]; UCHAR NtBuildLabEx[128]; UCHAR NtBuildStamp[26]; UCHAR NtBuildArch[16]; SYSTEM_BUILD_VERSION_INFORMATION_FLAGS Flags; } SYSTEM_BUILD_VERSION_INFORMATION, *PSYSTEM_BUILD_VERSION_INFORMATION; // private typedef struct _SYSTEM_POOL_LIMIT_MEM_INFO { ULONGLONG MemoryLimit; ULONGLONG NotificationLimit; } SYSTEM_POOL_LIMIT_MEM_INFO, *PSYSTEM_POOL_LIMIT_MEM_INFO; // private typedef struct _SYSTEM_POOL_LIMIT_INFO { ULONG PoolTag; SYSTEM_POOL_LIMIT_MEM_INFO MemLimits[2]; WNF_STATE_NAME NotificationHandle; } SYSTEM_POOL_LIMIT_INFO, *PSYSTEM_POOL_LIMIT_INFO; // private typedef struct _SYSTEM_POOL_LIMIT_INFORMATION { ULONG Version; ULONG EntryCount; _Field_size_(EntryCount) SYSTEM_POOL_LIMIT_INFO LimitEntries[1]; } SYSTEM_POOL_LIMIT_INFORMATION, *PSYSTEM_POOL_LIMIT_INFORMATION; // private //typedef struct _SYSTEM_POOL_ZEROING_INFORMATION //{ // BOOLEAN PoolZeroingSupportPresent; //} SYSTEM_POOL_ZEROING_INFORMATION, *PSYSTEM_POOL_ZEROING_INFORMATION; // private typedef struct _HV_MINROOT_NUMA_LPS { ULONG NodeIndex; ULONG_PTR Mask[16]; } HV_MINROOT_NUMA_LPS, *PHV_MINROOT_NUMA_LPS; // private typedef struct _SYSTEM_XFG_FAILURE_INFORMATION { PVOID ReturnAddress; PVOID TargetAddress; ULONG DispatchMode; ULONGLONG XfgValue; } SYSTEM_XFG_FAILURE_INFORMATION, *PSYSTEM_XFG_FAILURE_INFORMATION; // private typedef enum _SYSTEM_IOMMU_STATE { IommuStateBlock, IommuStateUnblock } SYSTEM_IOMMU_STATE; // private typedef struct _SYSTEM_IOMMU_STATE_INFORMATION { SYSTEM_IOMMU_STATE State; PVOID Pdo; } SYSTEM_IOMMU_STATE_INFORMATION, *PSYSTEM_IOMMU_STATE_INFORMATION; // private typedef struct _SYSTEM_HYPERVISOR_MINROOT_INFORMATION { ULONG NumProc; ULONG RootProc; ULONG RootProcNumaNodesSpecified; USHORT RootProcNumaNodes[64]; ULONG RootProcPerCore; ULONG RootProcPerNode; ULONG RootProcNumaNodesLpsSpecified; HV_MINROOT_NUMA_LPS RootProcNumaNodeLps[64]; } SYSTEM_HYPERVISOR_MINROOT_INFORMATION, *PSYSTEM_HYPERVISOR_MINROOT_INFORMATION; // private typedef struct _SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION { ULONG RangeCount; ULONG_PTR RangeArray[1]; } SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION, *PSYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION; // private typedef struct _SYSTEM_POINTER_AUTH_INFORMATION { union { USHORT SupportedFlags; struct { USHORT AddressAuthSupported : 1; USHORT AddressAuthQarma : 1; USHORT GenericAuthSupported : 1; USHORT GenericAuthQarma : 1; USHORT AddressAuthFaulting : 1; USHORT SupportedReserved : 11; }; }; union { USHORT EnabledFlags; struct { USHORT UserPerProcessIpAuthEnabled : 1; USHORT UserGlobalIpAuthEnabled : 1; USHORT UserEnabledReserved : 6; USHORT KernelIpAuthEnabled : 1; USHORT KernelEnabledReserved : 7; }; }; } SYSTEM_POINTER_AUTH_INFORMATION, *PSYSTEM_POINTER_AUTH_INFORMATION; // rev #define SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_VERSION 1 // private typedef struct _SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT { ULONG Version; PWSTR FeatureName; ULONG BornOnVersion; } SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, *PSYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT; // private typedef struct _SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT { ULONG Version; BOOLEAN FeatureIsEnabled; } SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT, *PSYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT; // private typedef struct _SYSTEM_MEMORY_NUMA_INFORMATION_INPUT { ULONG Version; ULONG TargetNodeNumber; ULONG Flags; } SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, *PSYSTEM_MEMORY_NUMA_INFORMATION_INPUT; // private typedef struct _SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT { ULONG Version; ULONG Size; ULONG InitiatorNode; union { ULONG Flags; struct { ULONG IsAttached : 1; ULONG Reserved : 31; }; }; } SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT, *PSYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT; // private typedef enum _SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES { SystemMemoryNumaPerformanceQuery_ReadLatency, SystemMemoryNumaPerformanceQuery_ReadBandwidth, SystemMemoryNumaPerformanceQuery_WriteLatency, SystemMemoryNumaPerformanceQuery_WriteBandwidth, SystemMemoryNumaPerformanceQuery_Latency, SystemMemoryNumaPerformanceQuery_Bandwidth, SystemMemoryNumaPerformanceQuery_AllDataTypes, SystemMemoryNumaPerformanceQuery_MaxDataType } SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES; // private typedef struct _SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT { ULONG Version; ULONG TargetNodeNumber; SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES QueryDataType; ULONG Flags; } SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, *PSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT; // private typedef struct _SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY { ULONG InitiatorNodeNumber; ULONG TargetNodeNumber; SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES DataType; union { BOOLEAN Flags; struct { BOOLEAN MinTransferSizeToAchieveValues : 1; BOOLEAN NonSequentialTransfers : 1; BOOLEAN Reserved : 6; }; }; SIZE_T MinTransferSizeInBytes; ULONG_PTR EntryValue; } SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY, *PSYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY; // private typedef struct _SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT { ULONG Version; ULONG Size; ULONG EntryCount; SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY PerformanceEntries[1]; } SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT, *PSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT; /** * The SYSTEM_OSL_RAMDISK_ENTRY structure describes a single RAM disk region * used by the operating system loader. */ typedef struct _SYSTEM_OSL_RAMDISK_ENTRY { ULONG BlockSize; ULONG_PTR BaseAddress; SIZE_T Size; } SYSTEM_OSL_RAMDISK_ENTRY, *PSYSTEM_OSL_RAMDISK_ENTRY; /** * The SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION structure describes runtime * information related to Trusted Apps support. */ typedef struct _SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION { union { ULONGLONG Flags; struct { ULONGLONG Supported : 1; ULONGLONG Spare : 63; }; }; PVOID RemoteBreakingRoutine; } SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION, *PSYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION; /** * The SYSTEM_OSL_RAMDISK_INFORMATION structure describes a variable-length * array of RAM disk entries used by the operating system loader. */ typedef struct _SYSTEM_OSL_RAMDISK_INFORMATION { ULONG Version; ULONG Count; SYSTEM_OSL_RAMDISK_ENTRY Entries[1]; } SYSTEM_OSL_RAMDISK_INFORMATION, *PSYSTEM_OSL_RAMDISK_INFORMATION; /** * The CI_POLICY_MGMT_OPERATION enumeration specifies the type of Code Integrity * policy management operation requested. */ typedef enum _CI_POLICY_MGMT_OPERATION { CI_POLICY_MGMT_OPERATION_NONE = 0, CI_POLICY_MGMT_OPERATION_OPEN_TX = 1, CI_POLICY_MGMT_OPERATION_COMMIT_TX = 2, CI_POLICY_MGMT_OPERATION_CLOSE_TX = 3, CI_POLICY_MGMT_OPERATION_ADD_POLICY = 4, CI_POLICY_MGMT_OPERATION_REMOVE_POLICY = 5, CI_POLICY_MGMT_OPERATION_GET_POLICY = 6, CI_POLICY_MGMT_OPERATION_GET_POLICY_IDS = 7, CI_POLICY_MGMT_OPERATION_MAX = 8 } CI_POLICY_MGMT_OPERATION; /** * The SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT structure describes parameters * used to manage Code Integrity policies through the system information * interface. */ typedef struct _SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT { CI_POLICY_MGMT_OPERATION Operation; UCHAR UseInProgressState; ULONG Arg1Len; PUCHAR Arg1; ULONG Arg2Len; PUCHAR Arg2; } SYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT, *PSYSTEM_CODEINTEGRITYPOLICY_MANAGEMENT; /** * The SYSTEM_REF_TRACE_INFORMATION_EX structure describes configuration * parameters for object reference tracing. */ typedef struct _SYSTEM_REF_TRACE_INFORMATION_EX { ULONG Version; ULONGLONG MemoryLimits; union { ULONG Flags; struct { ULONG TraceEnable : 1; ULONG TracePermanent : 1; ULONG UseTracePoolTags : 1; ULONG TraceByStacksOnly : 1; ULONG ReservedFlags : 28; }; }; UNICODE_STRING TraceProcessName; UNICODE_STRING TracePoolTags; ULONG MaxObjectRefTraces; ULONG TracedObjectLimit; } SYSTEM_REF_TRACE_INFORMATION_EX, *PSYSTEM_REF_TRACE_INFORMATION_EX; /** * The SYSTEM_BASICPROCESS_INFORMATION structure describes basic process * information returned when enumerating processes. */ _Struct_size_bytes_(NextEntryOffset) typedef struct _SYSTEM_BASICPROCESS_INFORMATION { ULONG NextEntryOffset; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG64 SequenceNumber; UNICODE_STRING ImageName; } SYSTEM_BASICPROCESS_INFORMATION, *PSYSTEM_BASICPROCESS_INFORMATION; /** * The SYSTEM_HANDLECOUNT_INFORMATION structure provides global counts of * processes, threads, and handles in the system. */ typedef struct _SYSTEM_HANDLECOUNT_INFORMATION { ULONG ProcessCount; ULONG ThreadCount; ULONG HandleCount; } SYSTEM_HANDLECOUNT_INFORMATION, *PSYSTEM_HANDLECOUNT_INFORMATION; // // Runtime Report Definitions // #define SYSTEM_RUNTIME_REPORT_INPUT_VERSION_1 1 #define SYSTEM_RUNTIME_REPORT_INPUT_PACKAGE_VERSION_1 1 // private typedef struct _SYSTEM_RUNTIME_REPORT_INPUT { USHORT InputVersion; USHORT PackageVersion; ULONG Reserved; ULONG_PTR ReportTypesBitmap; UCHAR Nonce[32]; } SYSTEM_RUNTIME_REPORT_INPUT, *PSYSTEM_RUNTIME_REPORT_INPUT; #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) // // =============================================== // Runtime Report Package Format: // // ------------------------------------- Signed part Begin // // RUNTIME_REPORT_PACKAGE_HEADER // // BYTE Nonce[RUNTIME_REPORT_NONCE_SIZE] // // RUNTIME_REPORT_DIGEST_HEADER_A // // RUNTIME_REPORT_DIGEST_HEADER_B // ... // ... // // ------------------------------------- Signed part End // // Signature Blob // // ------------------------------------- Authenticated part Begin // // RUNTIME_REPORT_HEADER // REPORT_A // // RUNTIME_REPORT_HEADER // REPORT_B // // ------------------------------------- Authenticated part End // // =============================================== // #define RUNTIME_REPORT_PACKAGE_MAGIC 0x52545250 // = "RTRP" #define RUNTIME_REPORT_PACKAGE_VERSION_CURRENT (1) #define RUNTIME_REPORT_NONCE_SIZE 32 #define RUNTIME_REPORT_DIGEST_MAX_SIZE 64 #define RUNTIME_REPORT_SIGNATURE_SCHEME_SHA512_RSA_PSS_SHA512 (1) // // Runtime Report Type Enumeration // typedef enum _RUNTIME_REPORT_TYPE { RuntimeReportTypeDriver = 0, RuntimeReportTypeCodeIntegrity = 1, RuntimeReportTypeMax } RUNTIME_REPORT_TYPE; // // Macro to convert a report type enum value to a bitmap mask // #define RUNTIME_REPORT_TYPE_TO_MASK(type) (1ULL << (type)) // // Bitmap mask containing all valid report types // #define RUNTIME_REPORT_TYPE_MASK_ALL ((1ULL << RuntimeReportTypeMax) - 1) typedef struct _RUNTIME_REPORT_PACKAGE_HEADER { // // Set to RUNTIME_REPORT_PACKAGE_MAGIC = 0x52545250 ("RTRP") // ULONG Magic; // // The version of the package format // USHORT PackageVersion; // // Number of different report types contained in the package. // USHORT NumberOfReports; // // A bitmap of all the report types in the package. // // Use RUNTIME_REPORT_TYPE_TO_MASK macro to convert enum values to bitmap masks. // Current valid report types: // RuntimeReportTypeDriver = 0 // RuntimeReportTypeCodeIntegrity = 1 // ULONG_PTR ReportTypesBitmap; // // The size of the total package including the package header, // various runtime reports, their digests, and the signature blob. // ULONG PackageSize; // // The type of digest contained in the report digest headers. // // Current valid values: // CALG_SHA_512 (see wincrypt.h) // USHORT ReportDigestType; // // Total size of the signed runtime report digest headers // following the package header. // USHORT TotalReportDigestsSize; // // Reserved field. Must be set to zero. // USHORT Reserved; // // The signature scheme used to sign the runtime reports. // // Current valid values: // RUNTIME_REPORT_SIGNATURE_SCHEME_SHA512_RSA_PSS_SHA512 = 1 // USHORT SignatureScheme; // // Size of the signature blob following the runtime report digests. // ULONG SignatureSize; // // Total size of the authenticated (but unsigned) runtime reports // following the signature blob. // ULONG TotalAuthenticatedReportsSize; } RUNTIME_REPORT_PACKAGE_HEADER, *PRUNTIME_REPORT_PACKAGE_HEADER; typedef struct _RUNTIME_REPORT_DIGEST_HEADER { // // Indicates the type of report that was hashed. // // Current valid values: // RuntimeReportTypeDriver = 0 // RuntimeReportTypeCodeIntegrity = 1 // USHORT ReportType; // // Reserved field. // USHORT Reserved; // // Digest of the report including the report header. // This is a SHA-512 digest. // UCHAR ReportDigest[RUNTIME_REPORT_DIGEST_MAX_SIZE]; } RUNTIME_REPORT_DIGEST_HEADER, *PRUNTIME_REPORT_DIGEST_HEADER; typedef struct _RUNTIME_REPORT_HEADER { // // Indicates the type of report. // // Current valid values: // RuntimeReportTypeDriver = 0 // RuntimeReportTypeCodeIntegrity = 1 // USHORT ReportType; // // Reserved field. // USHORT Reserved; // // The number of bytes consumed by this report, including the header. // ULONG ReportSize; } RUNTIME_REPORT_HEADER, *PRUNTIME_REPORT_HEADER; // // Driver Report Definitions // #define DRIVER_REPORT_DIGEST_MAX_SIZE RUNTIME_REPORT_DIGEST_MAX_SIZE #define DRIVER_REPORT_NAME_MAX_LENGTH 32 typedef struct _DRIVER_INFO_ENTRY { // // Internal name of the driver from the resource section. // CHAR InternalName[DRIVER_REPORT_NAME_MAX_LENGTH]; // // Hash algorithm used to calculate the image digest. // USHORT ImageHashAlgorithm; // // Hash algorithm used to calculate the thumbprint of the leaf certificate // that validates the entire image. // USHORT PublisherThumbprintHashAlgorithm; // // Offset from the start of the driver report to a buffer containing the // digest of the driver image on disk. // ULONG ImageHashOffset; // // Offset from the start of the driver report to a buffer containing the // thumbprint of the leaf certificate validating the entire image // ULONG PublisherThumbprintOffset; // // Number of times that this driver image has been loaded into the system. // USHORT NumberOfLoadingTimes; // // Size and Offset of a string indicating the OEM name stored in the // authenticated OPUS block of the image digital signature. // There is no OEM name for inbox Windows signed drivers. The size does *NOT* // include the NULL terminator (even though the string is NULL-terminated). // USHORT OemNameSize; ULONG OemNameOffset; // // Flags indicating various properties of the current driver image: // - Unloaded - Set to 1 in case the driver is current unloaded. // // - BootDriver - Set to 1 in case the image is a Boot Driver; // 0 otherwise (the image is a Runtime driver). // // - HotPatch - Set to 1 in case the image can be also loaded as Hotpatch; // // - Reserved - Reserved flags bits. // union { struct { USHORT Unloaded : 1; USHORT BootDriver : 1; USHORT HotPatch : 1; USHORT Reserved : 13; }; USHORT AsUInt16; } Flags; USHORT Padding; } DRIVER_INFO_ENTRY, *PDRIVER_INFO_ENTRY; typedef struct _DRIVER_RUNTIME_REPORT { // // The driver runtime report header. // RUNTIME_REPORT_HEADER Header; // // The current number of unique drivers in the report. // USHORT NumberOfDrivers; // // Flags indicating various properties of the report: // - ReportOverflowed - Secure Kernel places a limit on the number of // drivers it can list in the report. If this is set, it indicates // that some loaded drivers might be missing from the report. // // - PartialReport - Indicates whether the report contains only a // subset of NT loaded drivers. // // - IncludeBootDrivers - Set to 1 in case the report includes // boot-loaded drivers; 0 otherwise (in that case the information // is stored in the TCG Log). // // - Reserved - Reserved flags bits. // union { struct { USHORT ReportOverflowed : 1; USHORT PartialReport : 1; USHORT IncludeBootDrivers : 1; USHORT Reserved : 13; }; USHORT AsUInt16; } Flags; // // A list, of size zero up to MaximumDriversRecorded, containing driver entries. // Unloaded drivers are not removed from the list. // DRIVER_INFO_ENTRY DriverEntries[ANYSIZE_ARRAY]; // // After the driver info array the driver runtime report store hashes, // strings and information that are dynamic in size. // // BYTE DynamicBuffer[ANYSIZE_ARRAY]; // // The dynamic buffer, for each driver is composed off: // ImageHash - PublisherHash - OemName. // } DRIVER_RUNTIME_REPORT, *PDRIVER_RUNTIME_REPORT; // // Code Integrity Report Definitions. // typedef struct _CODE_INTEGRITY_RUNTIME_REPORT { // // The Code Integrity runtime report header. // RUNTIME_REPORT_HEADER Header; // // The number of generations (updates) of policy there have been since boot. // The initial generation at boot is 1. // UINT64 CurrentGeneration; // // The number of generations of policy that are in this report. This is // non-zero with the current generation reported first, followed by prior // generations in order of ascending age. // ULONG NumberOfGenerations; } CODE_INTEGRITY_RUNTIME_REPORT; #define CODE_INTEGRITY_REPORT_GENERATION_VERSION_CURRENT (1) typedef struct _CODE_INTEGRITY_REPORT_GENERATION_HEADER { // // Version of this structure. // USHORT Version; // // Reserved Field. // USHORT Reserved; // // The number of bytes consumed by this generation, including this header // and all CODE_INTEGRITY_REPORT_RECORD_HEADER structures and payloads. // ULONG RecordSize; // // Secure Kernel / Hypervisor secure time reference when this policy was // commited. // ULONG64 CommitTime; } CODE_INTEGRITY_REPORT_GENERATION_HEADER; #define CODE_INTEGRITY_REPORT_RECORD_VERSION_CURRENT (1) typedef struct _CODE_INTEGRITY_REPORT_RECORD_HEADER { // // Version of this structure. // USHORT Version; // // Reserved Field. // USHORT Reserved; // // The number of bytes consumed by this record, including this header. // ULONG RecordSize; // // The event code (type) of this record. The same codes as the Measured // Boot TCG Log are used, for example SIPAEVENT_OS_REVOCATION_LIST, and // indicate the structure type of the payload that immediately follows // this header. // ULONG SipaEventCode; } CODE_INTEGRITY_REPORT_RECORD_HEADER; #endif // #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) /** * The SYSTEM_POOLTAG2 structure describes allocation statistics for a single * pool tag, including paged and nonpaged usage. */ typedef struct _SYSTEM_POOLTAG2 { union { UCHAR Tag[4]; ULONG TagUlong; } DUMMYUNIONNAME; SIZE_T PagedAllocs; SIZE_T PagedFrees; SIZE_T PagedUsed; SIZE_T NonPagedAllocs; SIZE_T NonPagedFrees; SIZE_T NonPagedUsed; } SYSTEM_POOLTAG2, *PSYSTEM_POOLTAG2; /** * The SYSTEM_POOLTAG_INFORMATION2 structure describes a variable-length array * of SYSTEM_POOLTAG2 entries representing pool tag usage statistics. */ typedef struct _SYSTEM_POOLTAG_INFORMATION2 { ULONG Count; _Field_size_(Count) SYSTEM_POOLTAG2 TagInfo[1]; } SYSTEM_POOLTAG_INFORMATION2, *PSYSTEM_POOLTAG_INFORMATION2; #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * The NtQuerySystemInformation routine queries information about the system. * * \param SystemInformationClass The type of information to be retrieved. * \param SystemInformation A pointer to a buffer that receives the requested information. * \param SystemInformationLength The size of the buffer pointed to by SystemInformation. * \param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/sysinfo/zwquerysysteminformation */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemInformation( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); /** * The NtQuerySystemInformationEx routine queries information about the system. * * \param SystemInformationClass The type of information to be retrieved. * \param InputBuffer Pointer to a caller-allocated input buffer that contains class-specific information. * \param InputBufferLength The size of the buffer pointed to by InputBuffer. * \param SystemInformation A pointer to a buffer that receives the requested information. * \param SystemInformationLength The size of the buffer pointed to by SystemInformation. * \param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/sysinfo/zwquerysysteminformation */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySystemInformationEx( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); /** * The NtSetSystemInformation routine sets information about the system. * * \param SystemInformationClass The type of information to be set. * \param SystemInformation A pointer to a buffer that receives the requested information. * \param SystemInformationLength The size of the buffer pointed to by SystemInformation. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetSystemInformation( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation, _In_ ULONG SystemInformationLength ); // // SysDbg APIs // /** * The SYSDBG_COMMAND enumeration specifies the type of system debugger * operation requested through NtSystemDebugControl. */ typedef enum _SYSDBG_COMMAND { SysDbgQueryModuleInformation, // q: DBGKD_DEBUG_DATA_HEADER64 SysDbgQueryTraceInformation, // q: DBGKD_TRACE_DATA SysDbgSetTracepoint, // s: PVOID SysDbgSetSpecialCall, // s: PVOID SysDbgClearSpecialCalls, // s: void SysDbgQuerySpecialCalls, // q: PVOID[] SysDbgBreakPoint, // s: void SysDbgQueryVersion, // q: DBGKD_GET_VERSION64 SysDbgReadVirtual, // q: SYSDBG_VIRTUAL SysDbgWriteVirtual, // s: SYSDBG_VIRTUAL SysDbgReadPhysical, // q: SYSDBG_PHYSICAL // 10 SysDbgWritePhysical, // s: SYSDBG_PHYSICAL SysDbgReadControlSpace, // q: SYSDBG_CONTROL_SPACE SysDbgWriteControlSpace, // s: SYSDBG_CONTROL_SPACE SysDbgReadIoSpace, // q: SYSDBG_IO_SPACE SysDbgWriteIoSpace, // s: SYSDBG_IO_SPACE SysDbgReadMsr, // q: SYSDBG_MSR SysDbgWriteMsr, // s: SYSDBG_MSR SysDbgReadBusData, // q: SYSDBG_BUS_DATA SysDbgWriteBusData, // s: SYSDBG_BUS_DATA SysDbgCheckLowMemory, // q: ULONG // 20 SysDbgEnableKernelDebugger, // s: void SysDbgDisableKernelDebugger, // s: void SysDbgGetAutoKdEnable, // q: ULONG SysDbgSetAutoKdEnable, // s: ULONG SysDbgGetPrintBufferSize, // q: ULONG SysDbgSetPrintBufferSize, // s: ULONG SysDbgGetKdUmExceptionEnable, // q: ULONG SysDbgSetKdUmExceptionEnable, // s: ULONG SysDbgGetTriageDump, // q: SYSDBG_TRIAGE_DUMP SysDbgGetKdBlockEnable, // q: ULONG // 30 SysDbgSetKdBlockEnable, // s: ULONG SysDbgRegisterForUmBreakInfo, // s: HANDLE SysDbgGetUmBreakPid, // q: ULONG SysDbgClearUmBreakPid, // s: void SysDbgGetUmAttachPid, // q: ULONG SysDbgClearUmAttachPid, // s: void SysDbgGetLiveKernelDump, // q: SYSDBG_LIVEDUMP_CONTROL SysDbgKdPullRemoteFile, // q: SYSDBG_KD_PULL_REMOTE_FILE SysDbgMaxInfoClass } SYSDBG_COMMAND, *PSYSDBG_COMMAND; /** * The SYSDBG_VIRTUAL structure describes a request to read or write virtual * memory through the system debugger interface. */ typedef struct _SYSDBG_VIRTUAL { PVOID Address; PVOID Buffer; ULONG Request; } SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; /** * The SYSDBG_PHYSICAL structure describes a request to read or write physical * memory through the system debugger interface. */ typedef struct _SYSDBG_PHYSICAL { PHYSICAL_ADDRESS Address; PVOID Buffer; ULONG Request; } SYSDBG_PHYSICAL, *PSYSDBG_PHYSICAL; /** * The SYSDBG_CONTROL_SPACE structure describes a request to access processor * control space through the system debugger interface. */ typedef struct _SYSDBG_CONTROL_SPACE { ULONG64 Address; PVOID Buffer; ULONG Request; ULONG Processor; } SYSDBG_CONTROL_SPACE, *PSYSDBG_CONTROL_SPACE; typedef enum _INTERFACE_TYPE INTERFACE_TYPE; /** * The SYSDBG_IO_SPACE structure describes a request to access I/O space * through the system debugger interface. */ typedef struct _SYSDBG_IO_SPACE { ULONG64 Address; PVOID Buffer; ULONG Request; INTERFACE_TYPE InterfaceType; ULONG BusNumber; ULONG AddressSpace; } SYSDBG_IO_SPACE, *PSYSDBG_IO_SPACE; /** * The SYSDBG_MSR structure describes a request to read or write a model-specific * register (MSR) through the system debugger interface. */ typedef struct _SYSDBG_MSR { ULONG Msr; ULONG64 Data; } SYSDBG_MSR, *PSYSDBG_MSR; typedef enum _BUS_DATA_TYPE BUS_DATA_TYPE; /** * The SYSDBG_BUS_DATA structure describes a request to access bus-specific * configuration data through the system debugger interface. */ typedef struct _SYSDBG_BUS_DATA { ULONG Address; PVOID Buffer; ULONG Request; BUS_DATA_TYPE BusDataType; ULONG BusNumber; ULONG SlotNumber; } SYSDBG_BUS_DATA, *PSYSDBG_BUS_DATA; /** * The SYSDBG_TRIAGE_DUMP structure describes parameters used when generating * a triage dump through the system debugger interface. */ typedef struct _SYSDBG_TRIAGE_DUMP { ULONG Flags; ULONG BugCheckCode; ULONG_PTR BugCheckParam1; ULONG_PTR BugCheckParam2; ULONG_PTR BugCheckParam3; ULONG_PTR BugCheckParam4; ULONG ProcessHandles; ULONG ThreadHandles; PHANDLE Handles; } SYSDBG_TRIAGE_DUMP, *PSYSDBG_TRIAGE_DUMP; /** * The SYSDBG_LIVEDUMP_CONTROL_FLAGS union specifies control flags used when * generating a live kernel dump. */ typedef union _SYSDBG_LIVEDUMP_CONTROL_FLAGS { struct { ULONG UseDumpStorageStack : 1; ULONG CompressMemoryPagesData : 1; ULONG IncludeUserSpaceMemoryPages : 1; ULONG AbortIfMemoryPressure : 1; // REDSTONE4 ULONG SelectiveDump : 1; // WIN11 ULONG Reserved : 27; }; ULONG AsUlong; } SYSDBG_LIVEDUMP_CONTROL_FLAGS, *PSYSDBG_LIVEDUMP_CONTROL_FLAGS; /** * The SYSDBG_LIVEDUMP_CONTROL_ADDPAGES union specifies additional page * categories to include when generating a live kernel dump. */ typedef union _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES { struct { ULONG HypervisorPages : 1; ULONG NonEssentialHypervisorPages : 1; // since WIN11 ULONG Reserved : 30; }; ULONG AsUlong; } SYSDBG_LIVEDUMP_CONTROL_ADDPAGES, *PSYSDBG_LIVEDUMP_CONTROL_ADDPAGES; #define SYSDBG_LIVEDUMP_SELECTIVE_CONTROL_VERSION 1 // rev /** * The SYSDBG_LIVEDUMP_SELECTIVE_CONTROL structure specifies selective dump * options for live kernel dump generation. */ typedef struct _SYSDBG_LIVEDUMP_SELECTIVE_CONTROL { ULONG Version; ULONG Size; union { ULONGLONG Flags; struct { ULONGLONG ThreadKernelStacks : 1; ULONGLONG ReservedFlags : 63; }; }; ULONGLONG Reserved[4]; } SYSDBG_LIVEDUMP_SELECTIVE_CONTROL, *PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL; #define SYSDBG_LIVEDUMP_CONTROL_VERSION_1 1 #define SYSDBG_LIVEDUMP_CONTROL_VERSION_2 2 #define SYSDBG_LIVEDUMP_CONTROL_VERSION SYSDBG_LIVEDUMP_CONTROL_VERSION_2 /** * The SYSDBG_LIVEDUMP_CONTROL_V1 structure describes parameters used when * generating a live kernel dump (version 1). */ typedef struct _SYSDBG_LIVEDUMP_CONTROL_V1 { ULONG Version; ULONG BugCheckCode; ULONG_PTR BugCheckParam1; ULONG_PTR BugCheckParam2; ULONG_PTR BugCheckParam3; ULONG_PTR BugCheckParam4; HANDLE DumpFileHandle; HANDLE CancelEventHandle; SYSDBG_LIVEDUMP_CONTROL_FLAGS Flags; SYSDBG_LIVEDUMP_CONTROL_ADDPAGES AddPagesControl; } SYSDBG_LIVEDUMP_CONTROL_V1, *PSYSDBG_LIVEDUMP_CONTROL_V1; /** * The SYSDBG_LIVEDUMP_CONTROL structure describes parameters used when * generating a live kernel dump (current version). */ typedef struct _SYSDBG_LIVEDUMP_CONTROL { ULONG Version; ULONG BugCheckCode; ULONG_PTR BugCheckParam1; ULONG_PTR BugCheckParam2; ULONG_PTR BugCheckParam3; ULONG_PTR BugCheckParam4; HANDLE DumpFileHandle; HANDLE CancelEventHandle; SYSDBG_LIVEDUMP_CONTROL_FLAGS Flags; SYSDBG_LIVEDUMP_CONTROL_ADDPAGES AddPagesControl; PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL SelectiveControl; // since WIN11 } SYSDBG_LIVEDUMP_CONTROL, *PSYSDBG_LIVEDUMP_CONTROL; /** * The SYSDBG_KD_PULL_REMOTE_FILE structure describes a request to retrieve * a remote file through the kernel debugger transport. */ typedef struct _SYSDBG_KD_PULL_REMOTE_FILE { UNICODE_STRING ImageFileName; } SYSDBG_KD_PULL_REMOTE_FILE, *PSYSDBG_KD_PULL_REMOTE_FILE; /** * The NtSystemDebugControl routine provides system debugging and diagnostic control of the system. * * \param[in] Command The debug control command to execute (of type SYSDBG_COMMAND). * \param[in] InputBuffer Optional pointer to a buffer containing input data for the command. * \param[in] InputBufferLength Length, in bytes, of the input buffer. * \param[out] OutputBuffer Optional pointer to a buffer that receives output data from the command. * \param[in] OutputBufferLength Length, in bytes, of the output buffer. * \param[out] ReturnLength Optional pointer to a variable that receives the number of bytes returned in the output buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSystemDebugControl( _In_ SYSDBG_COMMAND Command, _Inout_updates_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength, _Out_opt_ PULONG ReturnLength ); // // Hard errors // /** * The HARDERROR_RESPONSE_OPTION enumeration specifies the type of user * interface prompt that may be displayed when a hard error occurs. */ typedef enum _HARDERROR_RESPONSE_OPTION { OptionAbortRetryIgnore, OptionOk, OptionOkCancel, OptionRetryCancel, OptionYesNo, OptionYesNoCancel, OptionShutdownSystem, OptionOkNoWait, OptionCancelTryContinue } HARDERROR_RESPONSE_OPTION; /** * The HARDERROR_RESPONSE enumeration specifies the response returned by the * caller or user when handling a hard error condition. */ typedef enum _HARDERROR_RESPONSE { ResponseReturnToCaller, ResponseNotHandled, ResponseAbort, ResponseCancel, ResponseIgnore, ResponseNo, ResponseOk, ResponseRetry, ResponseYes, ResponseTryAgain, ResponseContinue } HARDERROR_RESPONSE; /** * HARDERROR_OVERRIDE_ERRORMODE indicates that the system should ignore the * calling process's error mode when processing a hard error. */ #define HARDERROR_OVERRIDE_ERRORMODE 0x10000000 /** * The NtRaiseHardError routine raises a hard error or serious error dialog box being displayed to the user. * * \param[in] ErrorStatus The NTSTATUS code that describes the error condition. * \param[in] NumberOfParameters The number of parameters in the Parameters array. * \param[in] UnicodeStringParameterMask A bitmask indicating which entries in the Parameters array are Unicode strings. * \param[in] Parameters An array of parameters to be used in the error message. * \param[in] ValidResponseOptions Specifies the valid responses that the user can select in the error dialog. * \param[out] Response Receives the user's response to the error dialog. * \return NTSTATUS Successful or errant status. */ _Analysis_noreturn_ DECLSPEC_NORETURN NTSYSCALLAPI NTSTATUS NTAPI NtRaiseHardError( _In_ NTSTATUS ErrorStatus, _In_ ULONG NumberOfParameters, _In_ ULONG UnicodeStringParameterMask, _In_reads_(NumberOfParameters) PULONG_PTR Parameters, _In_ ULONG ValidResponseOptions, _Out_ PULONG Response ); // // Kernel-user shared data // /** * The ALTERNATIVE_ARCHITECTURE_TYPE enumeration specifies the hardware * architecture variant used by the system. * * \remarks NEC98x86 represents the NEC PC-98 architecture, * supported only on very early Windows releases. */ typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { StandardDesign, NEC98x86, EndAlternatives } ALTERNATIVE_ARCHITECTURE_TYPE; /** * PROCESSOR_FEATURE_MAX defines the maximum number of processor feature flags * that may be reported by the system. */ #define PROCESSOR_FEATURE_MAX 64 /** * MAX_WOW64_SHARED_ENTRIES defines the number of shared entries available to * the WOW64 (Windows-on-Windows 64-bit) subsystem. */ #define MAX_WOW64_SHARED_ENTRIES 16 // // Define NX support policy values. // #define NX_SUPPORT_POLICY_ALWAYSOFF 0 #define NX_SUPPORT_POLICY_ALWAYSON 1 #define NX_SUPPORT_POLICY_OPTIN 2 #define NX_SUPPORT_POLICY_OPTOUT 3 // // SEH chain validation policies. // #define SEH_VALIDATION_POLICY_ON 0 #define SEH_VALIDATION_POLICY_OFF 1 #define SEH_VALIDATION_POLICY_TELEMETRY 2 #define SEH_VALIDATION_POLICY_DEFER 3 // // Global shared data flags and manipulation macros. // #define SHARED_GLOBAL_FLAGS_ERROR_PORT_V 0x0 #define SHARED_GLOBAL_FLAGS_ERROR_PORT \ (1UL << SHARED_GLOBAL_FLAGS_ERROR_PORT_V) #define SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED_V 0x1 #define SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED_V) #define SHARED_GLOBAL_FLAGS_VIRT_ENABLED_V 0x2 #define SHARED_GLOBAL_FLAGS_VIRT_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_VIRT_ENABLED_V) #define SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED_V 0x3 #define SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED_V) #define SHARED_GLOBAL_FLAGS_LKG_ENABLED_V 0x4 #define SHARED_GLOBAL_FLAGS_LKG_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_LKG_ENABLED_V) #define SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED_V 0x5 #define SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED_V) #define SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED_V 0x6 #define SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED_V) #define SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED_V 0x7 #define SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED_V) #define SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU_V 0x8 #define SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU \ (1UL << SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU_V) #define SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU_V 0x9 #define SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU \ (1UL << SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU_V) #define SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED_V 0xA #define SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED \ (1UL << SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED_V) #define SHARED_GLOBAL_FLAGS_SET_GLOBAL_DATA_FLAG 0x40000000 #define SHARED_GLOBAL_FLAGS_CLEAR_GLOBAL_DATA_FLAG 0x80000000 // // Define legal values for the SystemCall member. // #define SYSTEM_CALL_SYSCALL 0 #define SYSTEM_CALL_INT_2E 1 // // Define flags for QPC bypass information. None of these flags may be set // unless bypass is enabled. This is for compat with existing code which // compares this value to zero to detect bypass enablement. // #define SHARED_GLOBAL_FLAGS_QPC_BYPASS_ENABLED (0x01) #define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_HV_PAGE (0x02) #define SHARED_GLOBAL_FLAGS_QPC_BYPASS_DISABLE_32BIT (0x04) #define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_MFENCE (0x10) #define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_LFENCE (0x20) #define SHARED_GLOBAL_FLAGS_QPC_BYPASS_A73_ERRATA (0x40) #define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_RDTSCP (0x80) /** * The KUSER_SHARED_DATA structure contains information shared with user-mode. * * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-kuser_shared_data */ typedef struct _KUSER_SHARED_DATA { // // Current low 32-bit of tick count and tick count multiplier. // // N.B. The tick count is updated each time the clock ticks. // ULONG TickCountLowDeprecated; ULONG TickCountMultiplier; // // Current 64-bit interrupt time in 100ns units. // volatile KSYSTEM_TIME InterruptTime; // // Current 64-bit system time in 100ns units. // volatile KSYSTEM_TIME SystemTime; // // Current 64-bit time zone bias. // volatile KSYSTEM_TIME TimeZoneBias; // // Support image magic number range for the host system. // // N.B. This is an inclusive range. // USHORT ImageNumberLow; USHORT ImageNumberHigh; // // Copy of system root in unicode. // // N.B. This field must be accessed via the RtlGetNtSystemRoot API for // an accurate result. // WCHAR NtSystemRoot[260]; // // Maximum stack trace depth if tracing enabled. // ULONG MaxStackTraceDepth; // // Crypto exponent value. // ULONG CryptoExponent; // // Time zone ID. // ULONG TimeZoneId; // // Minimum size of a large page on the system, in bytes. // // N.B. Returned by GetLargePageMinimum() function. // ULONG LargePageMinimum; // // This value controls the Application Impact Telemetry (AIT) Sampling rate. // // This value determines how frequently the system records AIT events, // which are used by the Application Experience and compatibility // subsystems to evaluate application behavior, performance, and // potential compatibility issues. // // Lower values increase sampling frequency, while higher values reduce it. // The kernel updates this field as part of its internal telemetry and // heuristics logic. // ULONG AitSamplingValue; // // This value controls Application Compatibility (AppCompat) switchback processing. // union { ULONG AppCompatFlag; struct { ULONG SwitchbackEnabled : 1; // Basic switchback processing ULONG ExtendedHeuristics : 1; // Extended switchback heuristics ULONG TelemetryFallback : 1; // Telemetry-driven fallback ULONG Reserved : 29; } AppCompatFlags; }; // // Current Kernel Root RNG state seed version // ULONGLONG RNGSeedVersion; // // This value controls assertion failure handling. // // Historically (prior to Windows 10), this value was also used by // Code Integrity (CI), AppLocker, and related security components to // determine the minimum validation requirements for executable images, // drivers, and privileged operations. // // In modern Windows versions, this field is used primarily by the kernel's // diagnostic and validation infrastructure to decide how assertion failures // should be handled (e.g., logging, debugger break-in, or bugcheck). ULONG GlobalValidationRunlevel; // // Monotonic stamp incremented by the kernel whenever the system's // time zone bias value changes. // // N.B. This field must be accessed via the RtlGetSystemTimeAndBias API for // an accurate result. // This value is read before and after accessing the bias fields to determine // whether the time zone data changed during the read. If the stamp differs, // the caller must re-read the bias values to ensure consistency. // volatile LONG TimeZoneBiasStamp; // // The shared collective build number undecorated with C or F. // GetVersionEx hides the real number // ULONG NtBuildNumber; // // Product type. // // N.B. This field must be accessed via the RtlGetNtProductType API for // an accurate result. // NT_PRODUCT_TYPE NtProductType; BOOLEAN ProductTypeIsValid; BOOLEAN Reserved0[1]; // // Native hardware processor architecture of the running system. // // N.B. User-mode components read this field to determine the true system // architecture, especially in WOW64 scenarios where the process architecture // differs from the native one. // USHORT NativeProcessorArchitecture; // // The NT Version. // // N. B. Note that each process sees a version from its PEB, but if the // process is running with an altered view of the system version, // the following two fields are used to correctly identify the // version // ULONG NtMajorVersion; ULONG NtMinorVersion; // // Processor features. // BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; // // Reserved fields - do not use. // ULONG MaximumUserModeAddressDeprecated; // Deprecated, use SystemBasicInformation instead. ULONG SystemRangeStartDeprecated; // Deprecated, use SystemRangeStartInformation instead. // // Time slippage while in debugger. // volatile ULONG TimeSlip; // // Alternative system architecture, e.g., NEC PC98xx on x86. // ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; // // Boot sequence, incremented for each boot attempt by the OS loader. // ULONG BootId; // // If the system is an evaluation unit, the following field contains the // date and time that the evaluation unit expires. A value of 0 indicates // that there is no expiration. A non-zero value is the UTC absolute time // that the system expires. // LARGE_INTEGER SystemExpirationDate; // // Suite support. // // N.B. This field must be accessed via the RtlGetSuiteMask API for // an accurate result. // ULONG SuiteMask; // // TRUE if a kernel debugger is connected/enabled. // BOOLEAN KdDebuggerEnabled; // // Mitigation policies. // union { UCHAR MitigationPolicies; struct { UCHAR NXSupportPolicy : 2; UCHAR SEHValidationPolicy : 2; UCHAR CurDirDevicesSkippedForDlls : 2; UCHAR Reserved : 2; }; }; // // Measured duration of a single processor yield, in cycles. This is used by // lock packages to determine how many times to spin waiting for a state // change before blocking. // USHORT CyclesPerYield; // // Current console session Id. Always zero on non-TS systems. // // N.B. This field must be accessed via the RtlGetActiveConsoleId API for an // accurate result. // volatile ULONG ActiveConsoleId; // // Force-dismounts cause handles to become invalid. Rather than always // probe handles, a serial number of dismounts is maintained that clients // can use to see if they need to probe handles. // volatile ULONG DismountCount; // // This field indicates the status of the 64-bit COM+ package on the // system. It indicates whether the Intermediate Language (IL) COM+ // images need to use the 64-bit COM+ runtime or the 32-bit COM+ runtime. // ULONG ComPlusPackage; // // Time in tick count for system-wide last user input across all terminal // sessions. For MP performance, it is not updated all the time (e.g. once // a minute per session). It is used for idle detection. // ULONG LastSystemRITEventTickCount; // // Number of physical pages in the system. This can dynamically change as // physical memory can be added or removed from a running system. This // cell is too small to hold the non-truncated value on very large memory // machines so code that needs the full value should access // FullNumberOfPhysicalPages instead. // ULONG NumberOfPhysicalPages; // // True if the system was booted in safe boot mode. // BOOLEAN SafeBootMode; // // Virtualization flags. // union { UCHAR VirtualizationFlags; #if defined(_ARM64_) // // N.B. Keep this bitfield in sync with the one in arc.w. // struct { UCHAR ArchStartedInEl2 : 1; UCHAR QcSlIsSupported : 1; UCHAR : 6; }; #endif }; // // Reserved (available for reuse). // UCHAR Reserved12[2]; // // This is a packed bitfield that contains various flags concerning // the system state. They must be manipulated using interlocked // operations. // // N.B. DbgMultiSessionSku must be accessed via the RtlIsMultiSessionSku // API for an accurate result // union { ULONG SharedDataFlags; struct { // // The following bit fields are for the debugger only. Do not use. // Use the bit definitions instead. // ULONG DbgErrorPortPresent : 1; ULONG DbgElevationEnabled : 1; ULONG DbgVirtEnabled : 1; ULONG DbgInstallerDetectEnabled : 1; ULONG DbgLkgEnabled : 1; ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; ULONG DbgMultiSessionSku : 1; ULONG DbgMultiUsersInSessionSku : 1; ULONG DbgStateSeparationEnabled : 1; ULONG DbgSplitTokenEnabled : 1; ULONG DbgShadowAdminEnabled : 1; ULONG SpareBits : 19; } DUMMYSTRUCTNAME2; } DUMMYUNIONNAME2; // // Reserved padding field to preserve structure alignment and compatibility. // ULONG DataFlagsPad[1]; // // Depending on the processor, the code for fast system call will differ, // Stub code is provided pointers below to access the appropriate code. // // N.B. The following field is only used on 32-bit systems. // ULONGLONG TestRetInstruction; // // Query-performance counter (QPC) frequency, in counts per second. // // N.B. This value represents the fixed frequency of the system's high-resolution // performance counter. It is used by user-mode time routines to convert QPC // ticks into elapsed time without requiring a system call. The frequency is // constant for the lifetime of the system and reflects the hardware or // virtualized timer source selected by the kernel. // LONGLONG QpcFrequency; // // On AMD64, this value is initialized to a nonzero value if the system // operates with an altered view of the system service call mechanism. // ULONG SystemCall; // // Reserved field - do not use. Used to be UserCetAvailableEnvironments. // ULONG Reserved2; // // Full 64 bit version of the number of physical pages in the system. // This can dynamically change as physical memory can be added or removed // from a running system. // ULONGLONG FullNumberOfPhysicalPages; // // Reserved, available for reuse. // ULONGLONG SystemCallPad[1]; // // The 64-bit tick count. // union { volatile KSYSTEM_TIME TickCount; volatile ULONG64 TickCountQuad; struct { ULONG ReservedTickCountOverlay[3]; ULONG TickCountPad[1]; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME3; // // Cookie for encoding pointers system wide. // ULONG Cookie; ULONG CookiePad[1]; // // Client id of the process having the focus in the current // active console session id. // // N.B. This field must be accessed via the // RtlGetConsoleSessionForegroundProcessId API for an accurate result. // LONGLONG ConsoleSessionForegroundProcessId; // // N.B. The following data is used to implement the precise time // services. It is aligned on a 64-byte cache-line boundary and // arranged in the order of typical accesses. // // Placeholder for the (internal) time update lock. // ULONGLONG TimeUpdateLock; // // The performance counter value used to establish the current system time. // ULONGLONG BaselineSystemTimeQpc; // // The performance counter value used to compute the last interrupt time. // ULONGLONG BaselineInterruptTimeQpc; // // The scaled number of system time seconds represented by a single // performance count (this value may vary to achieve time synchronization). // ULONGLONG QpcSystemTimeIncrement; // // The scaled number of interrupt time seconds represented by a single // performance count (this value is constant after the system is booted). // ULONGLONG QpcInterruptTimeIncrement; // // The scaling shift count applied to the performance counter system time // increment. // UCHAR QpcSystemTimeIncrementShift; // // The scaling shift count applied to the performance counter interrupt time // increment. // UCHAR QpcInterruptTimeIncrementShift; // // The count of unparked processors. // USHORT UnparkedProcessorCount; // // A bitmask of enclave features supported on this system. // // N.B. This field must be accessed via the RtlIsEnclaveFeaturePresent API for an // accurate result. // ULONG EnclaveFeatureMask[4]; // // Current coverage round for telemetry based coverage. // ULONG TelemetryCoverageRound; // // The following field is used for ETW user mode global logging // (UMGL). // USHORT UserModeGlobalLogger[16]; // // Settings that can enable the use of Image File Execution Options // from HKCU in addition to the original HKLM. // ULONG ImageFileExecutionOptions; // // Generation of the kernel structure holding system language information // ULONG LangGenerationCount; // // Reserved (available for reuse). // ULONGLONG Reserved4; // // Current 64-bit interrupt time bias in 100ns units. // volatile ULONGLONG InterruptTimeBias; // // Current 64-bit performance counter bias, in performance counter units // before the shift is applied. // volatile ULONGLONG QpcBias; // // Number of active logical processors. // ULONG ActiveProcessorCount; // // Number of active processor groups. // // N.B. This value is volatile because group membership and processor // availability may change dynamically due to hot-add, hot-remove, // or power management events. // volatile UCHAR ActiveGroupCount; // // Reserved (available for re-use). // UCHAR Reserved9; union { USHORT QpcData; struct { // // A bitfield indicating whether performance counter queries can // read the counter directly (bypassing the system call) and flags. // union { volatile UCHAR QpcBypassEnabled; struct { // // QPC may bypass the syscall and use a fast user-mode path. // volatile UCHAR BypassAllowed : 1; // // Hypervisor-assisted QPC conversion. // volatile UCHAR HypervisorAssist : 1; // // Reserved/unused // volatile UCHAR Reserved_2_3 : 2; // // MFENCE before RDTSC in relevant paths. // volatile UCHAR UseMfence : 1; // // LFENCE before RDTSC in relevant paths. // volatile UCHAR UseLfence : 1; // // Reserved/unused // volatile UCHAR Reserved_6 : 1; // // RDTSCP instead of RDTSC in the fast path. // volatile UCHAR UseRdtscp : 1; }; }; // // Reserved, leave as zero for backward compatibility. Was shift // applied to the raw counter value to derive QPC count. // UCHAR QpcReserved; }; }; // // Reserved for future use. // LARGE_INTEGER TimeZoneBiasEffectiveStart; LARGE_INTEGER TimeZoneBiasEffectiveEnd; // // Extended processor state configuration (AMD64 and x86). // XSTATE_CONFIGURATION XState; // // RtlQueryFeatureConfigurationChangeStamp // KSYSTEM_TIME FeatureConfigurationChangeStamp; // // Spare (available for re-use). // ULONG Spare; // // This field holds a mask that is used in the process of authenticating pointers in user mode. // It helps in determining which bits of the pointer are used for authentication in user mode. // ULONG64 UserPointerAuthMask; // // Extended processor state configuration (ARM64). The reserved space for // other architectures is not available for reuse. // #if defined(_ARM64_) XSTATE_CONFIGURATION XStateArm64; #else ULONG Reserved10[210]; #endif } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountLowDeprecated) == 0x000, "KUSER_SHARED_DATA.TickCountLowDeprecated offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x004, "KUSER_SHARED_DATA.TickCountMultiplier offset is incorrect"); static_assert(__alignof(KSYSTEM_TIME) == 0X004, "KSYSTEM_TIME alignment is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x008, "KUSER_SHARED_DATA.InterruptTime offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x014, "KUSER_SHARED_DATA.SystemTime offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x020, "KUSER_SHARED_DATA.TimeZoneBias offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x02c, "KUSER_SHARED_DATA.ImageNumberLow offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x02e, "KUSER_SHARED_DATA.ImageNumberHigh offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x030, "KUSER_SHARED_DATA.NtSystemRoot offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238, "KUSER_SHARED_DATA.MaxStackTraceDepth offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c, "KUSER_SHARED_DATA.CryptoExponent offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240, "KUSER_SHARED_DATA.TimeZoneId offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244, "KUSER_SHARED_DATA.LargePageMinimum offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x248, "KUSER_SHARED_DATA.AitSamplingValue offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x24c, "KUSER_SHARED_DATA.AppCompatFlag offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, RNGSeedVersion) == 0x250, "KUSER_SHARED_DATA.RNGSeedVersion offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, GlobalValidationRunlevel) == 0x258, "KUSER_SHARED_DATA.GlobalValidationRunlevel offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasStamp) == 0x25c, "KUSER_SHARED_DATA.TimeZoneBiasStamp offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtBuildNumber) == 0x260, "KUSER_SHARED_DATA.NtBuildNumber offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264, "KUSER_SHARED_DATA.NtProductType offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268, "KUSER_SHARED_DATA.ProductTypeIsValid offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NativeProcessorArchitecture) == 0x26a, "KUSER_SHARED_DATA.NativeProcessorArchitecture offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c, "KUSER_SHARED_DATA.NtMajorVersion offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270, "KUSER_SHARED_DATA.NtMinorVersion offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274, "KUSER_SHARED_DATA.ProcessorFeatures offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, MaximumUserModeAddressDeprecated) == 0x2b4, "KUSER_SHARED_DATA.MaximumUserModeAddressDeprecated offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemRangeStartDeprecated) == 0x2b8, "KUSER_SHARED_DATA.SystemRangeStartDeprecated offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc, "KUSER_SHARED_DATA.TimeSlip offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0, "KUSER_SHARED_DATA.AlternativeArchitecture offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8, "KUSER_SHARED_DATA.SystemExpirationDate offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0, "KUSER_SHARED_DATA.SuiteMask offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4, "KUSER_SHARED_DATA.KdDebuggerEnabled offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, MitigationPolicies) == 0x2d5, "KUSER_SHARED_DATA.MitigationPolicies offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, CyclesPerYield) == 0x2d6, "KUSER_SHARED_DATA.CyclesPerYield offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8, "KUSER_SHARED_DATA.ActiveConsoleId offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc, "KUSER_SHARED_DATA.DismountCount offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0, "KUSER_SHARED_DATA.ComPlusPackage offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4, "KUSER_SHARED_DATA.LastSystemRITEventTickCount offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8, "KUSER_SHARED_DATA.NumberOfPhysicalPages offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec, "KUSER_SHARED_DATA.SafeBootMode offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, VirtualizationFlags) == 0x2ed, "KUSER_SHARED_DATA.VirtualizationFlags offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved12) == 0x2ee, "KUSER_SHARED_DATA.Reserved12 offset is incorrect"); #if defined(_MSC_EXTENSIONS) static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SharedDataFlags) == 0x2f0, "KUSER_SHARED_DATA.SharedDataFlags offset is incorrect"); #endif static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8, "KUSER_SHARED_DATA.TestRetInstruction offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcFrequency) == 0x300, "KUSER_SHARED_DATA.QpcFrequency offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x308, "KUSER_SHARED_DATA.SystemCall offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved2) == 0x30c, "KUSER_SHARED_DATA.Reserved2 offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x318, "KUSER_SHARED_DATA.SystemCallPad offset is incorrect (previously 0x310)"); #if defined(_MSC_EXTENSIONS) static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320, "KUSER_SHARED_DATA.TickCount offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320, "KUSER_SHARED_DATA.TickCountQuad offset is incorrect"); #endif static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330, "KUSER_SHARED_DATA.Cookie offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338, "KUSER_SHARED_DATA.ConsoleSessionForegroundProcessId offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeUpdateLock) == 0x340, "KUSER_SHARED_DATA.TimeUpdateLock offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineSystemTimeQpc) == 0x348, "KUSER_SHARED_DATA.BaselineSystemTimeQpc offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineInterruptTimeQpc) == 0x350, "KUSER_SHARED_DATA.BaselineInterruptTimeQpc offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrement) == 0x358, "KUSER_SHARED_DATA.QpcSystemTimeIncrement offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrement) == 0x360, "KUSER_SHARED_DATA.QpcInterruptTimeIncrement offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrementShift) == 0x368, "KUSER_SHARED_DATA.QpcSystemTimeIncrementShift offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrementShift) == 0x369, "KUSER_SHARED_DATA.QpcInterruptTimeIncrementShift offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, UnparkedProcessorCount) == 0x36a, "KUSER_SHARED_DATA.UnparkedProcessorCount offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, EnclaveFeatureMask) == 0x36c, "KUSER_SHARED_DATA.EnclaveFeatureMask offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TelemetryCoverageRound) == 0x37c, "KUSER_SHARED_DATA.TelemetryCoverageRound offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380, "KUSER_SHARED_DATA.UserModeGlobalLogger offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0, "KUSER_SHARED_DATA.ImageFileExecutionOptions offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4, "KUSER_SHARED_DATA.LangGenerationCount offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3a8, "KUSER_SHARED_DATA.Reserved4 offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0, "KUSER_SHARED_DATA.InterruptTimeBias offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBias) == 0x3b8, "KUSER_SHARED_DATA.QpcBias offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0, "KUSER_SHARED_DATA.ActiveProcessorCount offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4, "KUSER_SHARED_DATA.ActiveGroupCount offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved9) == 0x3c5, "KUSER_SHARED_DATA.Reserved9 offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcData) == 0x3c6, "KUSER_SHARED_DATA.QpcData offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBypassEnabled) == 0x3c6, "KUSER_SHARED_DATA.QpcBypassEnabled offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, QpcReserved) == 0x3c7, "KUSER_SHARED_DATA.QpcReserved offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveStart) == 0x3c8, "KUSER_SHARED_DATA.TimeZoneBiasEffectiveStart offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveEnd) == 0x3d0, "KUSER_SHARED_DATA.TimeZoneBiasEffectiveEnd offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8, "KUSER_SHARED_DATA.XState offset is incorrect"); #if !defined(NTDDI_WIN10_FE) || (NTDDI_VERSION < NTDDI_WIN10_FE) static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == 0x710, "KUSER_SHARED_DATA.FeatureConfigurationChangeStamp offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, UserPointerAuthMask) == 0x720, "KUSER_SHARED_DATA.UserPointerAuthMask offset is incorrect"); #if defined(_ARM64_) static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, XStateArm64) == 0x728, "KUSER_SHARED_DATA.XStateArm64 offset is incorrect"); #else static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved10) == 0x728, "KUSER_SHARED_DATA.Reserved10 offset is incorrect"); #endif #if !defined(WINDOWS_IGNORE_PACKING_MISMATCH) static_assert(sizeof(KUSER_SHARED_DATA) == 0xa70, "KUSER_SHARED_DATA size is incorrect (expected 0xa70)"); #endif #else static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == 0x720, "KUSER_SHARED_DATA.FeatureConfigurationChangeStamp offset is incorrect"); static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, UserPointerAuthMask) == 0x730, "KUSER_SHARED_DATA.UserPointerAuthMask offset is incorrect"); #if defined(_ARM64_) static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, XStateArm64) == 0x738, "KUSER_SHARED_DATA.XStateArm64 offset is incorrect"); #else static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved10) == 0x738, "KUSER_SHARED_DATA.Reserved10 offset is incorrect"); #endif #if !defined(WINDOWS_IGNORE_PACKING_MISMATCH) static_assert(sizeof(KUSER_SHARED_DATA) == 0xa80, "KUSER_SHARED_DATA size is incorrect (expected 0xa80)"); #endif #endif /** * USER_SHARED_DATA pointer to the Windows KUSER_SHARED_DATA structure at its fixed * user-mode mapping address (0x7FFE0000). * * The Windows kernel exposes a read-only data structure, mapped into every user-mode * process at the fixed virtual address `0x7FFE0000`. This region contains frequently * accessed system information and avoids the overhead of system calls for data that * the kernel updates frequently. The mapping is always present and identical across * all user processes, it provides a fast and efficient way to retrieve system state. */ #define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)0x7ffe0000) /** * The NtGetTickCount64 routine retrieves the number of milliseconds that have elapsed since the system was started. * * \return ULONGLONG The return value is the number of milliseconds that have elapsed since the system was started. * \remarks The resolution of the NtGetTickCount64 function is limited to the resolution of the system timer, * which is typically in the range of 10 milliseconds to 16 milliseconds. The resolution of the NtGetTickCount64 * function is not affected by adjustments made by the GetSystemTimeAdjustment function. * \see https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount64 */ FORCEINLINE ULONGLONG NtGetTickCount64( VOID ) { ULARGE_INTEGER tickCount; #ifdef _WIN64 tickCount.QuadPart = USER_SHARED_DATA->TickCountQuad; #else while (TRUE) { tickCount.HighPart = (ULONG)USER_SHARED_DATA->TickCount.High1Time; tickCount.LowPart = USER_SHARED_DATA->TickCount.LowPart; if (tickCount.HighPart == (ULONG)USER_SHARED_DATA->TickCount.High2Time) break; YieldProcessor(); } #endif return (UInt32x32To64(tickCount.LowPart, USER_SHARED_DATA->TickCountMultiplier) >> 24) + (UInt32x32To64(tickCount.HighPart, USER_SHARED_DATA->TickCountMultiplier) << 8); } /** * The NtGetTickCount routine retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. * * \return ULONG The return value is the number of milliseconds that have elapsed since the system was started. * \remarks The elapsed time is stored as a ULONG value. Therefore, the time will wrap around to zero if the system * is run continuously for 49.7 days. To avoid this problem, use the NtGetTickCount64 function. Otherwise, check * for an overflow condition when comparing times. The resolution of the NtGetTickCount function is limited to * the resolution of the system timer, which is typically in the range of 10 milliseconds to 16 milliseconds. * The resolution of the NtGetTickCount function is not affected by adjustments made by the GetSystemTimeAdjustment function. * \see https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount */ FORCEINLINE ULONG NtGetTickCount( VOID ) { #ifdef _WIN64 return (ULONG)((USER_SHARED_DATA->TickCountQuad * USER_SHARED_DATA->TickCountMultiplier) >> 24); #else ULARGE_INTEGER tickCount; while (TRUE) { tickCount.HighPart = (ULONG)USER_SHARED_DATA->TickCount.High1Time; tickCount.LowPart = USER_SHARED_DATA->TickCount.LowPart; if (tickCount.HighPart == (ULONG)USER_SHARED_DATA->TickCount.High2Time) break; YieldProcessor(); } return (ULONG)((UInt32x32To64(tickCount.LowPart, USER_SHARED_DATA->TickCountMultiplier) >> 24) + UInt32x32To64((tickCount.HighPart << 8) & 0xffffffff, USER_SHARED_DATA->TickCountMultiplier)); #endif } // // Locale // /** * The NtQueryDefaultLocale routine retrieves the default locale identifier for either the user profile or the system. * * \param UserProfile If TRUE, retrieves the user default locale; otherwise, retrieves the system default locale. * \param DefaultLocaleId A pointer that receives the resulting locale identifier (LCID). * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getsystemdefaultlocale * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getuserdefaultlocale */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryDefaultLocale( _In_ BOOLEAN UserProfile, _Out_ PLCID DefaultLocaleId ); /** * The NtSetDefaultLocale routine sets the default locale identifier for either * the user profile or the system. * * \param UserProfile If TRUE, sets the user default locale; otherwise, sets the system default locale. * \param DefaultLocaleId The locale identifier (LCID) to set. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-setthreadlocale */ NTSYSCALLAPI NTSTATUS NTAPI NtSetDefaultLocale( _In_ BOOLEAN UserProfile, _In_ LCID DefaultLocaleId ); /** * The NtQueryInstallUILanguage routine retrieves the system's installed UI language identifier. * * \param InstallUILanguageId A pointer that receives the installed UI language identifier (LANGID). * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getsystemdefaultuilanguage */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInstallUILanguage( _Out_ LANGID *InstallUILanguageId ); /** * The NtFlushInstallUILanguage routine updates the system's installed UI * language and optionally commits the change. * * \param InstallUILanguage The UI language identifier (LANGID) to set. * \param SetComittedFlag If nonzero, commits the language change. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtFlushInstallUILanguage( _In_ LANGID InstallUILanguage, _In_ ULONG SetComittedFlag ); /** * The NtQueryDefaultUILanguage routine retrieves the system's default UI language identifier. * * \param DefaultUILanguageId A pointer that receives the default UI language identifier (LANGID). * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getsystemdefaultuilanguage */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryDefaultUILanguage( _Out_ LANGID *DefaultUILanguageId ); /** * The NtSetDefaultUILanguage routine sets the system's default UI language identifier. * * \param DefaultUILanguageId The UI language identifier (LANGID) to set. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetDefaultUILanguage( _In_ LANGID DefaultUILanguageId ); /** * The NtIsUILanguageComitted routine determines whether the system UI language has been committed. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtIsUILanguageComitted( VOID ); // // NLS // // begin_private NTSYSCALLAPI NTSTATUS NTAPI NtInitializeNlsFiles( _Out_ PVOID *BaseAddress, _Out_ PLCID DefaultLocaleId, _Out_ PLARGE_INTEGER DefaultCasingTableSize, _Out_opt_ PULONG CurrentNLSVersion ); NTSYSCALLAPI NTSTATUS NTAPI NtGetNlsSectionPtr( _In_ ULONG SectionType, _In_ ULONG SectionData, _In_ PVOID ContextData, _Out_ PVOID *SectionPointer, _Out_ PULONG SectionSize ); #if (PHNT_VERSION < PHNT_WINDOWS_7) /** * The NtAcquireCMFViewOwnership routine acquires ownership of the Code Map * File (CMF) view and optionally replaces an existing ownership token. * * \param TimeStamp A pointer that receives the timestamp associated with the * CMF view ownership. * \param tokenTaken A pointer that receives TRUE if the caller successfully * acquired the ownership token, or FALSE if another owner already held it. * \param replaceExisting If TRUE, replaces any existing ownership token. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAcquireCMFViewOwnership( _Out_ PULONGLONG TimeStamp, _Out_ PBOOLEAN tokenTaken, _In_ BOOLEAN replaceExisting ); /** * The NtReleaseCMFViewOwnership routine releases ownership of the Code Map * File (CMF) view previously acquired by NtAcquireCMFViewOwnership. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtReleaseCMFViewOwnership( VOID ); #endif // PHNT_VERSION < PHNT_WINDOWS_7 /** * The `What` flags for NtMapCMFModule. * The `What` parameter is a bitfield controlling: * - Which CMF section to map * - Access rights for CMFCheckAccess() * - Whether to update CMF global flags * - Page protection mode * - CMF cache mode bits (propagate into CMFFlagsCache) * * These determine what access rights are checked and influence whether the mapping is allowed. */ #define CMF_ACCESS_DIRECTORY 0x00000002 // Access check for directory section. #define CMF_ACCESS_SEGMENT 0x00000004 // Access check for segment section. #define CMF_ACCESS_HITS 0x00000008 // Access check for hits section. /** * The `What` flags for NtMapCMFModule. * These determine which CMF section is mapped and directly control the BaseAddress and ViewSizeOut outputs. */ #define CMF_OP_DIRECTORY 0x00000010 // Map directory section (Index ignored) // Affects: BaseAddress, ViewSizeOut #define CMF_OP_SEGMENT 0x00000020 // Map segment section at Index // Affects: BaseAddress, ViewSizeOut #define CMF_OP_HITS 0x00000100 // Map hits section (Index ignored) // Affects: BaseAddress, ViewSizeOut /** * The `What` flags for NtMapCMFModule. * This affects the protection flags passed to MmMapViewOfSection, * which ultimately influences the memory protections of the BaseAddress parameter. */ #define CMF_PROTECT_SPECIAL 0x00000040 // Changes protection from PAGE_READONLY to PAGE_WRITECOPY /** * The `What` flags for NtMapCMFModule. * When this bit is set, the function does not map anything. * Instead, it updates CMFFlagsCache and optionally modifies the directory header. */ #define CMF_UPDATE_FLAGS 0x00020000 // Enter flag-update mode // CacheFlagsOut parameter /** * The `What` flags for NtMapCMFModule. * These bits are extracted from What and written into CMFFlagsCache. * They determine global CMF behavior, including which modules are valid. */ #define CMF_FLAG_A 0x00040000 // May trigger directory header update #define CMF_FLAG_B 0x00080000 // Enables directory update path #define CMF_FLAG_C 0x00100000 // Enables segment unmap path /** * Flags for NtMapCMFModule. * These bits strip all bits outside this mask: */ #define CMF_ALLOWED_MASK 0xFFFFFECF // All valid bits for What /** * Flags for NtMapCMFModule. */ typedef enum _CMF_WHAT_FLAGS { // ---- Access rights (used by CMFCheckAccess) ---- CmfAccessDirectory = 0x00000002, // Access check for directory CmfAccessSegment = 0x00000004, // Access check for segment[Index] CmfAccessHits = 0x00000008, // Access check for hits // ---- Operation selection (controls BaseAddress + ViewSizeOut) ---- CmfDirectoryOp = 0x00000010, // Map directory section CmfSegmentOp = 0x00000020, // Map segment section at Index CmfHitsOp = 0x00000100, // Map hits section // ---- Memory protection modifier ---- CmfSpecialProtect = 0x00000040, // Changes protection for MmMapViewOfSection // ---- Flag update mode (affects CacheFlagsOut only) ---- CmfUpdateFlags = 0x00020000, // Update CMFFlagsCache instead of mapping // ---- CMF cache mode bits (propagate into CMFFlagsCache) ---- CmfFlagA = 0x00040000, // May trigger directory header update CmfFlagB = 0x00080000, // Enables directory update path CmfFlagC = 0x00100000, // Enables segment unmap path } CMF_WHAT_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(CMF_WHAT_FLAGS); /** * The NtMapCMFModule routine maps a Code Map File (CMF) module into memory * and returns information about the cached view. * * \param What Specifies the CMF operation to perform. * \param Index The module index to map. Only valid for CmfSegmentOp operations. * \param CacheIndexOut Optional pointer that receives the cache index. * \param CacheFlagsOut Optional pointer that receives cache flags. * \param ViewSizeOut Optional pointer that receives the size of the mapped view. * \param BaseAddress Optional pointer that receives the base address of the mapped module. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtMapCMFModule( _In_ ULONG What, _In_ ULONG Index, _Out_opt_ PULONG CacheIndexOut, _Out_opt_ PULONG CacheFlagsOut, _Out_opt_ PULONG ViewSizeOut, _Out_opt_ PVOID *BaseAddress ); /** * Flags for NtGetMUIRegistryInfo. * Only the values below are supported. Any other bit results in STATUS_INVALID_PARAMETER. */ typedef enum _MUI_REGISTRY_INFO_FLAGS { MUIRegInfoQuery = 0x1, // Query or load the MUI registry info. MUIRegInfoClear = 0x2, // Clear the cached MUI registry info. MUIRegInfoCommit = 0x8 // Commit/update state (increments counter). } MUI_REGISTRY_INFO_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(MUI_REGISTRY_INFO_FLAGS); /** * Flags for NtGetMUIRegistryInfo. * Only the values below are supported. Any other bit results in STATUS_INVALID_PARAMETER. */ #define MUI_REGINFO_QUERY 0x1 // Query or load the MUI registry info. #define MUI_REGINFO_CLEAR 0x2 // Clear the cached MUI registry info. #define MUI_REGINFO_COMMIT 0x8 // Commit/update state (increments counter). /** * The NtGetMUIRegistryInfo routine retrieves Multilingual User Interface (MUI) * configuration data from the system registry. * * \param Flags Flags that control the type of MUI information returned. * \param DataSize On input, the size of the buffer pointed to by Data. * On output, the required or actual size of the data returned. * \param Data A pointer to the MUI registry information. * \return NTSTATUS Successful or errant status. * \remarks This routine is private and subject to change. */ NTSYSCALLAPI NTSTATUS NTAPI NtGetMUIRegistryInfo( _In_ ULONG Flags, _Inout_ PULONG DataSize, _Out_ PVOID Data ); // end_private // // Global atoms // /** * The NtAddAtom routine adds a Unicode string to the system atom table and * returns the corresponding atom identifier. * * \param AtomName A pointer to a Unicode string containing the atom name. * \param Length The length, in bytes, of the string pointed to by AtomName. * \param Atom An optional pointer that receives the resulting atom identifier. * \return NTSTATUS Successful or errant status. * \remarks If the atom already exists, its reference count is incremented and * the existing atom identifier is returned. * \see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-addatomw */ NTSYSCALLAPI NTSTATUS NTAPI NtAddAtom( _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * ATOM_FLAG_NONE indicates that the atom being created should be placed in * the session-local atom table rather than the global atom table. */ #define ATOM_FLAG_NONE 0x0 /** * ATOM_FLAG_GLOBAL indicates that the atom being created should be placed in * the global atom table rather than the session-local table. * \remarks This flag is only valid starting with Windows 8 and later. */ #define ATOM_FLAG_GLOBAL 0x2 // rev /** * The NtAddAtomEx routine adds a Unicode string to the system atom table with * additional creation flags. * * \param AtomName A pointer to a Unicode string containing the atom name. * \param Length The length, in bytes, of the string pointed to by AtomName. * \param Atom An optional pointer that receives the resulting atom identifier. * \param Flags A set of flags that control atom creation behavior. * \return NTSTATUS Successful or errant status. * \remarks ATOM_FLAG_GLOBAL may be used to create a global atom. * Only ATOM_FLAG_GLOBAL and ATOM_FLAG_NONE are currently supported. * Any other flag value results in STATUS_INVALID_PARAMETER. * \see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-addatomw */ NTSYSCALLAPI NTSTATUS NTAPI NtAddAtomEx( _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom, _In_ ULONG Flags ); #endif // PHNT_VERSION >= PHNT_WINDOWS_8 /** * The NtFindAtom routine retrieves the atom identifier associated with a * Unicode string in the system atom table. * * \param AtomName A pointer to a Unicode string containing the atom name. * \param Length The length, in bytes, of the string pointed to by AtomName. * \param Atom An optional pointer that receives the atom identifier if found. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-findatomw */ NTSYSCALLAPI NTSTATUS NTAPI NtFindAtom( _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom ); /** * The NtDeleteAtom routine decrements the reference count of an atom and * removes it from the system atom table when the count reaches zero. * * \param Atom The atom identifier to delete. * \return NTSTATUS Successful or errant status. * \remarks If the atom is still referenced elsewhere, it is not removed until * its reference count reaches zero. * \see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-deleteatom */ NTSYSCALLAPI NTSTATUS NTAPI NtDeleteAtom( _In_ RTL_ATOM Atom ); /** * The ATOM_INFORMATION_CLASS enumeration specifies the type of information * returned when querying atom table data. */ typedef enum _ATOM_INFORMATION_CLASS { AtomBasicInformation, AtomTableInformation } ATOM_INFORMATION_CLASS; /** * The ATOM_BASIC_INFORMATION structure contains basic information about an Atom. */ typedef struct _ATOM_BASIC_INFORMATION { USHORT UsageCount; // The number of times the atom is referenced. USHORT Flags; // Flags associated with the atom. */ USHORT NameLength; // Length, in bytes, of the atom's name. _Field_size_bytes_(NameLength) WCHAR Name[1]; // The atom's name (not null-terminated). } ATOM_BASIC_INFORMATION, *PATOM_BASIC_INFORMATION; /** * The ATOM_TABLE_INFORMATION structure contains information about all Atoms from the system atom table. */ typedef struct _ATOM_TABLE_INFORMATION { ULONG NumberOfAtoms; // The number of atoms in the atom table. _Field_size_(NumberOfAtoms) RTL_ATOM Atoms[1]; // Array of atom identifiers. } ATOM_TABLE_INFORMATION, *PATOM_TABLE_INFORMATION; /** * The NtQueryInformationAtom routine retrieves information about a specified atom in the system atom table. * * \param Atom The atom identifier for which information is being queried. * \param AtomInformationClass Specifies the type of information to retrieve. This is an ATOM_INFORMATION_CLASS value. * \param AtomInformation A pointer to a buffer that receives the requested information. * \param AtomInformationLength The size, in bytes, of the AtomInformation buffer. * \param ReturnLength Optional pointer to a variable that receives the number of bytes written to the AtomInformation buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationAtom( _In_ RTL_ATOM Atom, _In_ ATOM_INFORMATION_CLASS AtomInformationClass, _Out_writes_bytes_(AtomInformationLength) PVOID AtomInformation, _In_ ULONG AtomInformationLength, _Out_opt_ PULONG ReturnLength ); // // Global flags // #define FLG_STOP_ON_EXCEPTION 0x00000001 // uk #define FLG_SHOW_LDR_SNAPS 0x00000002 // uk #define FLG_DEBUG_INITIAL_COMMAND 0x00000004 // k #define FLG_STOP_ON_HUNG_GUI 0x00000008 // k #define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010 // u #define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020 // u #define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040 // u #define FLG_HEAP_VALIDATE_ALL 0x00000080 // u #define FLG_APPLICATION_VERIFIER 0x00000100 // u #define FLG_MONITOR_SILENT_PROCESS_EXIT 0x00000200 // uk #define FLG_POOL_ENABLE_TAGGING 0x00000400 // k #define FLG_HEAP_ENABLE_TAGGING 0x00000800 // u #define FLG_USER_STACK_TRACE_DB 0x00001000 // u,32 #define FLG_KERNEL_STACK_TRACE_DB 0x00002000 // k,32 #define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000 // k #define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000 // u #define FLG_DISABLE_STACK_EXTENSION 0x00010000 // u #define FLG_ENABLE_CSRDEBUG 0x00020000 // k #define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000 // k #define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000 // k #define FLG_ENABLE_SYSTEM_CRIT_BREAKS 0x00100000 // u #define FLG_HEAP_DISABLE_COALESCING 0x00200000 // u #define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000 // k #define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000 // k #define FLG_ENABLE_HANDLE_TYPE_TAGGING 0x01000000 // k #define FLG_HEAP_PAGE_ALLOCS 0x02000000 // u #define FLG_DEBUG_INITIAL_COMMAND_EX 0x04000000 // k #define FLG_DISABLE_DBGPRINT 0x08000000 // k #define FLG_CRITSEC_EVENT_CREATION 0x10000000 // u #define FLG_LDR_TOP_DOWN 0x20000000 // u,64 #define FLG_ENABLE_HANDLE_EXCEPTIONS 0x40000000 // k #define FLG_DISABLE_PROTDLLS 0x80000000 // u #define FLG_VALID_BITS 0xfffffdff #define FLG_USERMODE_VALID_BITS (FLG_STOP_ON_EXCEPTION | \ FLG_SHOW_LDR_SNAPS | \ FLG_HEAP_ENABLE_TAIL_CHECK | \ FLG_HEAP_ENABLE_FREE_CHECK | \ FLG_HEAP_VALIDATE_PARAMETERS | \ FLG_HEAP_VALIDATE_ALL | \ FLG_APPLICATION_VERIFIER | \ FLG_HEAP_ENABLE_TAGGING | \ FLG_USER_STACK_TRACE_DB | \ FLG_HEAP_ENABLE_TAG_BY_DLL | \ FLG_DISABLE_STACK_EXTENSION | \ FLG_ENABLE_SYSTEM_CRIT_BREAKS | \ FLG_HEAP_DISABLE_COALESCING | \ FLG_DISABLE_PROTDLLS | \ FLG_HEAP_PAGE_ALLOCS | \ FLG_CRITSEC_EVENT_CREATION | \ FLG_LDR_TOP_DOWN) #define FLG_BOOTONLY_VALID_BITS (FLG_KERNEL_STACK_TRACE_DB | \ FLG_MAINTAIN_OBJECT_TYPELIST | \ FLG_ENABLE_CSRDEBUG | \ FLG_DEBUG_INITIAL_COMMAND | \ FLG_DEBUG_INITIAL_COMMAND_EX | \ FLG_DISABLE_PAGE_KERNEL_STACKS) #define FLG_KERNELMODE_VALID_BITS (FLG_STOP_ON_EXCEPTION | \ FLG_SHOW_LDR_SNAPS | \ FLG_STOP_ON_HUNG_GUI | \ FLG_POOL_ENABLE_TAGGING | \ FLG_ENABLE_KDEBUG_SYMBOL_LOAD | \ FLG_ENABLE_CLOSE_EXCEPTIONS | \ FLG_ENABLE_EXCEPTION_LOGGING | \ FLG_ENABLE_HANDLE_TYPE_TAGGING | \ FLG_DISABLE_DBGPRINT | \ FLG_ENABLE_HANDLE_EXCEPTIONS) // // Licensing // /** * The NtQueryLicenseValue routine retrieves a licensing-related value from the * system licensing database. * * \param ValueName A pointer to a UNICODE_STRING structure that contains the name of the license value to query. * \param Type An optional pointer that receives the type of the returned data. * \param Data An optional buffer that receives the value data. * \param DataSize The size, in bytes, of the buffer pointed to by Data. * \param ResultDataSize A pointer that receives the number of bytes required to store the complete value data. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/slpublic/nf-slpublic-slquerylicensevaluefromapp */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryLicenseValue( _In_ PCUNICODE_STRING ValueName, _Out_opt_ PULONG Type, _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, _In_ ULONG DataSize, _Out_ PULONG ResultDataSize ); // // Misc. // /** * The NtSetDefaultHardErrorPort routine sets the system's default hard error * port, which is used by the kernel to deliver hard error notifications to a * user-mode process. * * \param DefaultHardErrorPort A handle to a port object that will receive * hard error messages generated by the system. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetDefaultHardErrorPort( _In_ HANDLE DefaultHardErrorPort ); /** * The SHUTDOWN_ACTION enumeration specifies the type of system shutdown to perform. */ typedef enum _SHUTDOWN_ACTION { ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff, ShutdownRebootForRecovery // since WIN11 } SHUTDOWN_ACTION; /** * The NtShutdownSystem routine initiates a system shutdown using the specified * shutdown action. * * \param Action A SHUTDOWN_ACTION value that specifies whether the system * should halt, reboot, power off, or reboot for recovery. * \return NTSTATUS Successful or errant status. * \remarks The calling process must have the SE_SHUTDOWN_NAME privilege. */ NTSYSCALLAPI NTSTATUS NTAPI NtShutdownSystem( _In_ SHUTDOWN_ACTION Action ); /** * The NtDisplayString routine displays a Unicode string on the system display * during early boot or in environments where a console is not yet available. * * \param String A pointer to a UNICODE_STRING structure that contains the text to display. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDisplayString( _In_ PCUNICODE_STRING String ); // // Boot graphics // // rev /** * The NtDrawText routine displays a Unicode string on the system display during * early boot or in environments where a standard console is not yet available. * * \param Text A pointer to a UNICODE_STRING structure that contains the text to draw on the screen. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDrawText( _In_ PCUNICODE_STRING Text ); // // Hot patching // typedef enum _HOT_PATCH_INFORMATION_CLASS { ManageHotPatchLoadPatch = 0, // MANAGE_HOT_PATCH_LOAD_PATCH ManageHotPatchUnloadPatch = 1, // MANAGE_HOT_PATCH_UNLOAD_PATCH ManageHotPatchQueryPatches = 2, // MANAGE_HOT_PATCH_QUERY_PATCHES ManageHotPatchLoadPatchForUser = 3, // MANAGE_HOT_PATCH_LOAD_PATCH ManageHotPatchUnloadPatchForUser = 4, // MANAGE_HOT_PATCH_UNLOAD_PATCH ManageHotPatchQueryPatchesForUser = 5, // MANAGE_HOT_PATCH_QUERY_PATCHES ManageHotPatchQueryActivePatches = 6, // MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES ManageHotPatchApplyImagePatch = 7, // MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH ManageHotPatchQuerySinglePatch = 8, // MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH ManageHotPatchCheckEnabled = 9, // MANAGE_HOT_PATCH_CHECK_ENABLED ManageHotPatchCreatePatchSection = 10, // MANAGE_HOT_PATCH_CREATE_PATCH_SECTION ManageHotPatchMax } HOT_PATCH_INFORMATION_CLASS; /** * The HOT_PATCH_IMAGE_INFO structure contains identifying information about a hot patch image. */ typedef struct _HOT_PATCH_IMAGE_INFO { ULONG CheckSum; // The checksum of the hot patch image. ULONG TimeDateStamp; // The time/date stamp of the hot patch image. } HOT_PATCH_IMAGE_INFO, *PHOT_PATCH_IMAGE_INFO; #define MANAGE_HOT_PATCH_LOAD_PATCH_VERSION 1 /** * The MANAGE_HOT_PATCH_LOAD_PATCH structure describes parameters for loading a hot patch. */ typedef struct _MANAGE_HOT_PATCH_LOAD_PATCH { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_LOAD_PATCH_VERSION. UNICODE_STRING PatchPath; // The path to the hot patch file. union { SID Sid; // The SID of the user for whom the patch is being loaded. UCHAR Buffer[SECURITY_MAX_SID_SIZE]; // Buffer for the SID. } UserSid; HOT_PATCH_IMAGE_INFO BaseInfo; // Identifying information about the base image to patch. } MANAGE_HOT_PATCH_LOAD_PATCH, *PMANAGE_HOT_PATCH_LOAD_PATCH; #define MANAGE_HOT_PATCH_UNLOAD_PATCH_VERSION 1 /** * The MANAGE_HOT_PATCH_UNLOAD_PATCH structure describes parameters for unloading a hot patch. */ typedef struct _MANAGE_HOT_PATCH_UNLOAD_PATCH { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_UNLOAD_PATCH_VERSION. HOT_PATCH_IMAGE_INFO BaseInfo; // Identifying information about the base image to unpatch. union { SID Sid; // The SID of the user for whom the patch is being unloaded. UCHAR Buffer[SECURITY_MAX_SID_SIZE]; // Buffer for the SID. } UserSid; } MANAGE_HOT_PATCH_UNLOAD_PATCH, *PMANAGE_HOT_PATCH_UNLOAD_PATCH; #define MANAGE_HOT_PATCH_QUERY_PATCHES_VERSION 1 /** * The MANAGE_HOT_PATCH_QUERY_PATCHES structure is used to query information about loaded hot patches. */ typedef struct _MANAGE_HOT_PATCH_QUERY_PATCHES { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_QUERY_PATCHES_VERSION. union { SID Sid; // The SID of the user whose patches are being queried. UCHAR Buffer[SECURITY_MAX_SID_SIZE]; // Buffer for the SID. } UserSid; ULONG PatchCount; // The number of patches found. PUNICODE_STRING PatchPathStrings; // Pointer to an array of patch path strings. PHOT_PATCH_IMAGE_INFO BaseInfos; // Pointer to an array of patch image info structures. } MANAGE_HOT_PATCH_QUERY_PATCHES, *PMANAGE_HOT_PATCH_QUERY_PATCHES; #define MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES_VERSION 1 /** * The MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES structure is used to query active hot patches for a process. */ typedef struct _MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES_VERSION. HANDLE ProcessHandle; // Handle to the process being queried. ULONG PatchCount; // The number of active patches. PUNICODE_STRING PatchPathStrings; // Pointer to an array of patch path strings. PHOT_PATCH_IMAGE_INFO BaseInfos; // Pointer to an array of patch image info structures. PULONG PatchSequenceNumbers; // Pointer to an array of patch sequence numbers. } MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES, *PMANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES; #define MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH_VERSION 1 /** * The MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH structure describes parameters for applying a hot patch to an image. */ typedef struct _MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH_VERSION. union { ULONG AllFlags; // All flags as a ULONG. struct { ULONG ApplyReversePatches : 1; // If set, apply reverse patches. ULONG ApplyForwardPatches : 1; // If set, apply forward patches. ULONG Spare : 29; }; }; HANDLE ProcessHandle; // Handle to the process to patch. PVOID BaseImageAddress; // Base address of the image to patch. PVOID PatchImageAddress; // Address of the patch image. } MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH, *PMANAGE_HOT_PATCH_APPLY_IMAGE_PATCH; #define MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH_VERSION 1 /** * The MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH structure is used to query a single hot patch. */ typedef struct _MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH_VERSION. HANDLE ProcessHandle; // Handle to the process being queried. PVOID BaseAddress; // Base address of the image being queried. ULONG Flags; // Query flags. UNICODE_STRING PatchPathString; // The path to the patch being queried. } MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH, *PMANAGE_HOT_PATCH_QUERY_SINGLE_PATCH; #define MANAGE_HOT_PATCH_CHECK_ENABLED_VERSION 1 /** * The MANAGE_HOT_PATCH_CHECK_ENABLED structure is used to check if hot patching is enabled. */ typedef struct _MANAGE_HOT_PATCH_CHECK_ENABLED { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_CHECK_ENABLED_VERSION. ULONG Flags; // Flags for the check operation. } MANAGE_HOT_PATCH_CHECK_ENABLED, *PMANAGE_HOT_PATCH_CHECK_ENABLED; #define MANAGE_HOT_PATCH_CREATE_PATCH_SECTION_VERSION 1 /** * The MANAGE_HOT_PATCH_CREATE_PATCH_SECTION structure describes parameters for creating a hot patch section. */ typedef struct _MANAGE_HOT_PATCH_CREATE_PATCH_SECTION { ULONG Version; // Structure version. Must be MANAGE_HOT_PATCH_CREATE_PATCH_SECTION_VERSION. ULONG Flags; // Creation flags. ACCESS_MASK DesiredAccess; // Desired access mask for the section. ULONG PageProtection; // Page protection flags. ULONG AllocationAttributes; // Allocation attributes. PVOID BaseImageAddress; // Base address of the image for the patch section. HANDLE SectionHandle; // Handle to the created section. } MANAGE_HOT_PATCH_CREATE_PATCH_SECTION, *PMANAGE_HOT_PATCH_CREATE_PATCH_SECTION; #if defined(_WIN64) static_assert(sizeof(MANAGE_HOT_PATCH_LOAD_PATCH) == 0x68, "Size of MANAGE_HOT_PATCH_LOAD_PATCH is incorrect"); static_assert(sizeof(MANAGE_HOT_PATCH_UNLOAD_PATCH) == 0x50, "Size of MANAGE_HOT_PATCH_UNLOAD_PATCH is incorrect"); static_assert(sizeof(MANAGE_HOT_PATCH_QUERY_PATCHES) == 0x60, "Size of MANAGE_HOT_PATCH_QUERY_PATCHES is incorrect"); static_assert(sizeof(MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES) == 0x30, "Size of MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES is incorrect"); static_assert(sizeof(MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH) == 0x20, "Size of MANAGE_HOT_PATCH_APPLY_IMAGE_PATCH is incorrect"); static_assert(sizeof(MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH) == 0x30, "Size of MANAGE_HOT_PATCH_QUERY_SINGLE_PATCH is incorrect"); static_assert(sizeof(MANAGE_HOT_PATCH_CHECK_ENABLED) == 0x8, "Size of MANAGE_HOT_PATCH_CHECK_ENABLED is incorrect"); static_assert(sizeof(MANAGE_HOT_PATCH_CREATE_PATCH_SECTION) == 0x28, "Size of MANAGE_HOT_PATCH_CREATE_PATCH_SECTION is incorrect"); #endif // WIN64 #if (PHNT_VERSION >= PHNT_WINDOWS_11) // rev /** * The NtManageHotPatch routine manages hot patching operations in the system. * * \param[in] HotPatchInformationClass Specifies the type of hot patch information being queried or set. * \param[out] HotPatchInformation A pointer to a buffer that receives or contains the hot patch information, depending on the operation. * \param[in] HotPatchInformationLength The size, in bytes, of the HotPatchInformation buffer. * \param[out] ReturnLength Optional pointer to a variable that receives the number of bytes written to the HotPatchInformation buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtManageHotPatch( _In_ HOT_PATCH_INFORMATION_CLASS HotPatchInformationClass, _Out_writes_bytes_opt_(HotPatchInformationLength) PVOID HotPatchInformation, _In_ ULONG HotPatchInformationLength, _Out_opt_ PULONG ReturnLength ); #endif // PHNT_VERSION >= PHNT_WINDOWS_11 #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #endif // _NTEXAPI_H ================================================ FILE: phnt/include/ntgdi.h ================================================ /* * Graphics device interface support * * This file is part of System Informer. */ #ifndef _NTGDI_H #define _NTGDI_H #define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 #define GDI_HANDLE_INDEX_SHIFT 0 #define GDI_HANDLE_INDEX_BITS 16 #define GDI_HANDLE_INDEX_MASK 0xffff #define GDI_HANDLE_TYPE_SHIFT 16 #define GDI_HANDLE_TYPE_BITS 5 #define GDI_HANDLE_TYPE_MASK 0x1f #define GDI_HANDLE_ALTTYPE_SHIFT 21 #define GDI_HANDLE_ALTTYPE_BITS 2 #define GDI_HANDLE_ALTTYPE_MASK 0x3 #define GDI_HANDLE_STOCK_SHIFT 23 #define GDI_HANDLE_STOCK_BITS 1 #define GDI_HANDLE_STOCK_MASK 0x1 #define GDI_HANDLE_UNIQUE_SHIFT 24 #define GDI_HANDLE_UNIQUE_BITS 8 #define GDI_HANDLE_UNIQUE_MASK 0xff #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK) #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK) #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK) #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK) #define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index))) // // GDI server-side types // #define GDI_DEF_TYPE 0 // invalid handle #define GDI_DC_TYPE 1 #define GDI_DD_DIRECTDRAW_TYPE 2 #define GDI_DD_SURFACE_TYPE 3 #define GDI_RGN_TYPE 4 #define GDI_SURF_TYPE 5 #define GDI_CLIENTOBJ_TYPE 6 #define GDI_PATH_TYPE 7 #define GDI_PAL_TYPE 8 #define GDI_ICMLCS_TYPE 9 #define GDI_LFONT_TYPE 10 #define GDI_RFONT_TYPE 11 #define GDI_PFE_TYPE 12 #define GDI_PFT_TYPE 13 #define GDI_ICMCXF_TYPE 14 #define GDI_ICMDLL_TYPE 15 #define GDI_BRUSH_TYPE 16 #define GDI_PFF_TYPE 17 // unused #define GDI_CACHE_TYPE 18 // unused #define GDI_SPACE_TYPE 19 #define GDI_DBRUSH_TYPE 20 // unused #define GDI_META_TYPE 21 #define GDI_EFSTATE_TYPE 22 #define GDI_BMFD_TYPE 23 // unused #define GDI_VTFD_TYPE 24 // unused #define GDI_TTFD_TYPE 25 // unused #define GDI_RC_TYPE 26 // unused #define GDI_TEMP_TYPE 27 // unused #define GDI_DRVOBJ_TYPE 28 #define GDI_DCIOBJ_TYPE 29 // unused #define GDI_SPOOL_TYPE 30 // // GDI client-side types // #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \ (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT))) #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16) #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT) #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT) #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT) #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT) #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT) #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT) #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT) #define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT) #define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT) #define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT) #define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1) #define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1) #define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2) #define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3) #define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2) #define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1) #define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1) typedef struct _GDI_HANDLE_ENTRY { union { PVOID Object; PVOID NextFree; }; union { struct { USHORT ProcessId; USHORT Lock : 1; USHORT Count : 15; }; ULONG Value; } Owner; USHORT Unique; UCHAR Type; UCHAR Flags; PVOID UserPointer; } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; typedef struct _GDI_SHARED_MEMORY { GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; #endif // _NTGDI_H ================================================ FILE: phnt/include/ntimage.h ================================================ /* * PE format support * * This file is part of System Informer. */ #ifndef _NTIMAGE_H #define _NTIMAGE_H #if (PHNT_MODE != PHNT_MODE_KERNEL) #define IMAGE_FILE_MACHINE_CHPE_X86 0x3A64 #define IMAGE_FILE_MACHINE_ARM64EC 0xA641 #define IMAGE_FILE_MACHINE_ARM64X 0xA64E #endif // (PHNT_MODE != PHNT_MODE_KERNEL) /** * The IMAGE_DEBUG_POGO_ENTRY structure represents a POGO (Profile Guided Optimization) entry. */ typedef struct _IMAGE_DEBUG_POGO_ENTRY { ULONG Rva; ULONG Size; CHAR Name[1]; } IMAGE_DEBUG_POGO_ENTRY, *PIMAGE_DEBUG_POGO_ENTRY; /** * The IMAGE_DEBUG_POGO_SIGNATURE structure represents a POGO signature. */ typedef struct _IMAGE_DEBUG_POGO_SIGNATURE { ULONG Signature; } IMAGE_DEBUG_POGO_SIGNATURE, *PIMAGE_DEBUG_POGO_SIGNATURE; #define IMAGE_DEBUG_POGO_SIGNATURE_LTCG 'LTCG' // coffgrp LTCG (0x4C544347) #define IMAGE_DEBUG_POGO_SIGNATURE_PGI 'PGI\0' // coffgrp PGI (0x50474900) #define IMAGE_DEBUG_POGO_SIGNATURE_PGO 'PGO\0' // coffgrp PGO (0x50474F00) #define IMAGE_DEBUG_POGO_SIGNATURE_PGU 'PGU\0' // coffgrp PGU (0x50475500) #define IMAGE_DEBUG_POGO_SIGNATURE_SPGO 'SPGO' // coffgrp SPGO (0x5350474F) /** * The IMAGE_RELOCATION_RECORD structure represents a relocation record. */ typedef struct _IMAGE_RELOCATION_RECORD { USHORT Offset : 12; USHORT Type : 4; } IMAGE_RELOCATION_RECORD, *PIMAGE_RELOCATION_RECORD; /** * The IMAGE_CHPE_METADATA_X86 structure represents CHPE (Compiled Hybrid Portable Executable) metadata for x86. */ typedef struct _IMAGE_CHPE_METADATA_X86 { ULONG Version; ULONG CHPECodeAddressRangeOffset; ULONG CHPECodeAddressRangeCount; ULONG WowA64ExceptionHandlerFunctionPointer; ULONG WowA64DispatchCallFunctionPointer; ULONG WowA64DispatchIndirectCallFunctionPointer; ULONG WowA64DispatchIndirectCallCfgFunctionPointer; ULONG WowA64DispatchRetFunctionPointer; ULONG WowA64DispatchRetLeafFunctionPointer; ULONG WowA64DispatchJumpFunctionPointer; ULONG CompilerIATPointer; // Present if Version >= 2 ULONG WowA64RdtscFunctionPointer; // Present if Version >= 3 } IMAGE_CHPE_METADATA_X86, *PIMAGE_CHPE_METADATA_X86; /** * The IMAGE_CHPE_RANGE_ENTRY structure represents a CHPE range entry. */ typedef struct _IMAGE_CHPE_RANGE_ENTRY { union { ULONG StartOffset; struct { ULONG NativeCode : 1; ULONG AddressBits : 31; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; ULONG Length; } IMAGE_CHPE_RANGE_ENTRY, *PIMAGE_CHPE_RANGE_ENTRY; /** * The IMAGE_ARM64EC_METADATA structure represents ARM64EC metadata. */ typedef struct _IMAGE_ARM64EC_METADATA { ULONG Version; ULONG CodeMap; ULONG CodeMapCount; ULONG CodeRangesToEntryPoints; ULONG RedirectionMetadata; ULONG tbd__os_arm64x_dispatch_call_no_redirect; ULONG tbd__os_arm64x_dispatch_ret; ULONG tbd__os_arm64x_dispatch_call; ULONG tbd__os_arm64x_dispatch_icall; ULONG tbd__os_arm64x_dispatch_icall_cfg; ULONG AlternateEntryPoint; ULONG AuxiliaryIAT; ULONG CodeRangesToEntryPointsCount; ULONG RedirectionMetadataCount; ULONG GetX64InformationFunctionPointer; ULONG SetX64InformationFunctionPointer; ULONG ExtraRFETable; ULONG ExtraRFETableSize; ULONG __os_arm64x_dispatch_fptr; ULONG AuxiliaryIATCopy; } IMAGE_ARM64EC_METADATA, *PIMAGE_ARM64EC_METADATA; // rev #define IMAGE_ARM64EC_CODE_MAP_TYPE_ARM64 0 #define IMAGE_ARM64EC_CODE_MAP_TYPE_ARM64EC 1 #define IMAGE_ARM64EC_CODE_MAP_TYPE_AMD64 2 // rev /** * The IMAGE_ARM64EC_CODE_MAP_ENTRY structure represents an ARM64EC code map entry. */ typedef struct _IMAGE_ARM64EC_CODE_MAP_ENTRY { union { ULONG StartOffset; struct { ULONG Type : 2; ULONG AddressBits : 30; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; ULONG Length; } IMAGE_ARM64EC_CODE_MAP_ENTRY, *PIMAGE_ARM64EC_CODE_MAP_ENTRY; /** * The IMAGE_ARM64EC_REDIRECTION_ENTRY structure represents an ARM64EC redirection entry. */ typedef struct _IMAGE_ARM64EC_REDIRECTION_ENTRY { ULONG Source; ULONG Destination; } IMAGE_ARM64EC_REDIRECTION_ENTRY, *PIMAGE_ARM64EC_REDIRECTION_ENTRY; /** * The IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT structure represents an ARM64EC code range entry point. */ typedef struct _IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT { ULONG StartRva; ULONG EndRva; ULONG EntryPoint; } IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT, *PIMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT; #define IMAGE_DVRT_ARM64X_FIXUP_TYPE_ZEROFILL 0 #define IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE 1 #define IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA 2 #define IMAGE_DVRT_ARM64X_FIXUP_SIZE_2BYTES 1 #define IMAGE_DVRT_ARM64X_FIXUP_SIZE_4BYTES 2 #define IMAGE_DVRT_ARM64X_FIXUP_SIZE_8BYTES 3 /** * The IMAGE_DVRT_ARM64X_FIXUP_RECORD structure represents an ARM64X fixup record. */ typedef struct _IMAGE_DVRT_ARM64X_FIXUP_RECORD { USHORT Offset : 12; USHORT Type : 2; USHORT Size : 2; // Value of variable Size when IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE } IMAGE_DVRT_ARM64X_FIXUP_RECORD, *PIMAGE_DVRT_ARM64X_FIXUP_RECORD; /** * The IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD structure represents an ARM64X delta fixup record. */ typedef struct _IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD { USHORT Offset : 12; USHORT Type : 2; // IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA USHORT Sign : 1; // 1 = -, 0 = + USHORT Scale : 1; // 1 = 8, 0 = 4 // USHORT Value; // Delta = Value * Scale * Sign } IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD, *PIMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD; /** * The IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION structure represents an ARM64 import control transfer relocation. * * \remarks On ARM64, optimized imported functions use this structure for import control transfer relocations. * This is used with IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER. */ //typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION //{ // ULONG PageRelativeOffset : 10; ///< Offset to the call instruction shifted right by 2 (4-byte aligned instruction) // ULONG IndirectCall : 1; ///< 0 if target instruction is a BR, 1 if BLR // ULONG RegisterIndex : 5; ///< Register index used for the indirect call/jump // ULONG ImportType : 1; ///< 0 if this refers to a static import, 1 for delayload import // ULONG IATIndex : 15; ///< IAT index of the corresponding import (0x7FFF indicates no index) //} IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION, *PIMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION; /** * The IMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER structure represents a prologue dynamic relocation header. * * \remarks This structure is followed by PrologueByteCount bytes containing the prologue code. * Used with IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE. */ //#include //typedef struct _IMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER //{ // UCHAR PrologueByteCount; // // UCHAR PrologueBytes[PrologueByteCount]; //} IMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER, UNALIGNED *PIMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER; //#include /** * The IMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER structure represents an epilogue dynamic relocation header. * * \remarks This structure is followed by variable-length branch descriptor data. * Used with IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE. */ //#include //typedef struct _IMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER //{ // ULONG EpilogueCount; // UCHAR EpilogueByteCount; // UCHAR BranchDescriptorElementSize; // USHORT BranchDescriptorCount; // // UCHAR BranchDescriptors[...]; // // UCHAR BranchDescriptorBitMap[...]; //} IMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER, UNALIGNED *PIMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER; //#include #define IMAGE_DYNAMIC_RELOCATION_ARM64X 0x00000006 #define IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER 0x00000008 #define IMAGE_DYNAMIC_RELOCATION_MM_SHARED_USER_DATA_VA 0x7FFE0000 #define IMAGE_DYNAMIC_RELOCATION_KI_USER_SHARED_DATA64 0xFFFFF78000000000UI64 // Note: The Windows SDK defines UNALIGNED for PIMAGE_IMPORT_DESCRIPTOR but // doesn't include UNALIGNED for PIMAGE_THUNK_DATA (See GH#1694) (dmex) typedef struct _IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA32; typedef struct _IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA64; typedef IMAGE_THUNK_DATA32 UNALIGNED* UNALIGNED_PIMAGE_THUNK_DATA32; typedef IMAGE_THUNK_DATA64 UNALIGNED* UNALIGNED_PIMAGE_THUNK_DATA64; // Note: Required for legacy SDK support (dmex) #if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) #define IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE 0x00000001 #define IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE 0x00000002 #define IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER 0x00000003 #define IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER 0x00000004 #define IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH 0x00000005 #define IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE 0x00000007 /** * The IMAGE_FUNCTION_OVERRIDE_HEADER structure represents a function override header. */ typedef struct _IMAGE_FUNCTION_OVERRIDE_HEADER { ULONG FuncOverrideSize; // IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION FuncOverrideInfo[ANYSIZE_ARRAY]; // FuncOverrideSize bytes in size // IMAGE_BDD_INFO BDDInfo; // BDD region, size in bytes: DVRTEntrySize - sizeof(IMAGE_FUNCTION_OVERRIDE_HEADER) - FuncOverrideSize } IMAGE_FUNCTION_OVERRIDE_HEADER; typedef IMAGE_FUNCTION_OVERRIDE_HEADER UNALIGNED *PIMAGE_FUNCTION_OVERRIDE_HEADER; /** * The IMAGE_BDD_INFO structure represents BDD (Binary Decision Diagram) information. */ typedef struct _IMAGE_BDD_INFO { ULONG Version; // decides the semantics of serialized BDD ULONG BDDSize; // IMAGE_BDD_DYNAMIC_RELOCATION BDDNodes[ANYSIZE_ARRAY]; // BDDSize size in bytes. } IMAGE_BDD_INFO, *PIMAGE_BDD_INFO; /** * The IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION structure represents a function override dynamic relocation. */ typedef struct _IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION { ULONG OriginalRva; // RVA of original function ULONG BDDOffset; // Offset into the BDD region ULONG RvaSize; // Size in bytes taken by RVAs. Must be multiple of sizeof(ULONG). ULONG BaseRelocSize; // Size in bytes taken by BaseRelocs // ULONG RVAs[RvaSize / sizeof(ULONG)]; // Array containing overriding func RVAs. // IMAGE_BASE_RELOCATION BaseRelocs[ANYSIZE_ARRAY]; // ^Base relocations (RVA + Size + TO) // ^Padded with extra TOs for 4B alignment // ^BaseRelocSize size in bytes } IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION, *PIMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION; /** * The IMAGE_BDD_DYNAMIC_RELOCATION structure represents a BDD dynamic relocation. */ typedef struct _IMAGE_BDD_DYNAMIC_RELOCATION { USHORT Left; // Index of FALSE edge in BDD array USHORT Right; // Index of TRUE edge in BDD array ULONG Value; // Either FeatureNumber or Index into RVAs array } IMAGE_BDD_DYNAMIC_RELOCATION, *PIMAGE_BDD_DYNAMIC_RELOCATION; // Function override relocation types in DVRT records. #define IMAGE_FUNCTION_OVERRIDE_INVALID 0 #define IMAGE_FUNCTION_OVERRIDE_X64_REL32 1 // 32-bit relative address from byte following reloc #define IMAGE_FUNCTION_OVERRIDE_ARM64_BRANCH26 2 // 26 bit offset << 2 & sign ext. for B & BL #define IMAGE_FUNCTION_OVERRIDE_ARM64_THUNK 3 #endif // !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) #define IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT 0x40 #define IMAGE_DLLCHARACTERISTICS_EX_HOTPATCH_COMPATIBLE 0x80 #endif // !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) #endif // _NTIMAGE_H ================================================ FILE: phnt/include/ntintsafe.h ================================================ /****************************************************************** * * * ntintsafe.h -- This module defines helper functions to prevent * * integer overflow bugs for drivers. A similar * * file, intsafe.h, is available for applications. * * * * Copyright (c) Microsoft Corp. All rights reserved. * * * ******************************************************************/ #ifndef _NTINTSAFE_H_INCLUDED_ #define _NTINTSAFE_H_INCLUDED_ #include #if (_MSC_VER > 1000) #pragma once #endif #pragma region Application Family or Games Family #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM | WINAPI_PARTITION_GAMES) #include // for _In_, etc. #if _MSC_VER >= 1200 #pragma warning(push) #pragma warning(disable:4668) // #if not_defined treated as #if 0 #endif #if !defined(_W64) #if !defined(__midl) && (defined(_X86_) || defined(_M_IX86) || defined(_ARM_) || defined(_M_ARM)) && (_MSC_VER >= 1300) #define _W64 __w64 #else #define _W64 #endif #endif // // typedefs // typedef char CHAR; typedef signed char INT8; typedef unsigned char UCHAR; typedef unsigned char UINT8; typedef unsigned char BYTE; typedef short SHORT; typedef signed short INT16; typedef unsigned short USHORT; typedef unsigned short UINT16; typedef unsigned short WORD; typedef int INT; typedef signed int INT32; typedef unsigned int UINT; typedef unsigned int UINT32; typedef long LONG; typedef unsigned long ULONG; typedef unsigned long DWORD; typedef __int64 LONGLONG; typedef __int64 LONG64; typedef signed __int64 RtlINT64; typedef unsigned __int64 ULONGLONG; typedef unsigned __int64 DWORDLONG; typedef unsigned __int64 ULONG64; typedef unsigned __int64 DWORD64; typedef unsigned __int64 UINT64; #if (__midl > 501) typedef [public] __int3264 INT_PTR; typedef [public] unsigned __int3264 UINT_PTR; typedef [public] __int3264 LONG_PTR; typedef [public] unsigned __int3264 ULONG_PTR; #else #ifdef _WIN64 typedef __int64 INT_PTR; typedef unsigned __int64 UINT_PTR; typedef __int64 LONG_PTR; typedef unsigned __int64 ULONG_PTR; #else typedef _W64 int INT_PTR; typedef _W64 unsigned int UINT_PTR; typedef _W64 long LONG_PTR; typedef _W64 unsigned long ULONG_PTR; #endif // WIN64 #endif // (__midl > 501) #ifdef _WIN64 typedef __int64 ptrdiff_t; typedef unsigned __int64 size_t; #else typedef _W64 int ptrdiff_t; typedef _W64 unsigned int size_t; #endif typedef ULONG_PTR DWORD_PTR; typedef LONG_PTR SSIZE_T; typedef ULONG_PTR SIZE_T; #undef _USE_INTRINSIC_MULTIPLY128 #if !defined(_M_CEE) && ((defined(_AMD64_) && !defined(_ARM64EC_)) || (defined(_IA64_) && (_MSC_VER >= 1400))) #define _USE_INTRINSIC_MULTIPLY128 #endif #if defined(_USE_INTRINSIC_MULTIPLY128) #ifdef __cplusplus extern "C" { #endif #if !defined(_ARM64EC_) #define UnsignedMultiply128 _umul128 #else #define _umul128 Multiply128 #endif // defined(_ARM64EC_) ULONG64 UnsignedMultiply128( _In_ ULONGLONG ullMultiplicand, _In_ ULONGLONG ullMultiplier, _Out_ ULONGLONG* pullResultHigh); // _Deref_out_range_(==, ullMultiplicand * ullMultiplier) #if !defined(_ARM64EC_) #pragma intrinsic(_umul128) #endif #ifdef __cplusplus } #endif #endif // _USE_INTRINSIC_MULTIPLY128 typedef _Return_type_success_(return >= 0) long NTSTATUS; #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) #ifndef SORTPP_PASS // compiletime asserts (failure results in error C2118: negative subscript) #define C_ASSERT(e) typedef char __C_ASSERT__[(e)?1:-1] #else #define C_ASSERT(e) #endif // // UInt32x32To64 macro // #ifndef UInt32x32To64 #if defined(MIDL_PASS) || defined(RC_INVOKED) || defined(_M_CEE_PURE) \ || defined(_68K_) || defined(_MPPC_) \ || defined(_M_IA64) || defined(_M_AMD64) || defined(_M_ARM) || defined(_M_ARM64) \ || defined(_M_HYBRID_X86_ARM64) #define UInt32x32To64(a, b) (((unsigned __int64)((unsigned int)(a))) * ((unsigned __int64)((unsigned int)(b)))) #elif defined(_M_IX86) #define UInt32x32To64(a, b) ((unsigned __int64)(((unsigned __int64)((unsigned int)(a))) * ((unsigned int)(b)))) #else #error Must define a target architecture. #endif #endif // // Min/Max type values // #define INT8_MIN (-127i8 - 1) #define SHORT_MIN (-32768) #define INT16_MIN (-32767i16 - 1) #ifndef INT_MIN #define INT_MIN (-2147483647 - 1) #endif #define INT32_MIN (-2147483647i32 - 1) #ifndef LONG_MIN #define LONG_MIN (-2147483647L - 1) #endif #define LONGLONG_MIN (-9223372036854775807i64 - 1) #define LONG64_MIN (-9223372036854775807i64 - 1) #define INT64_MIN (-9223372036854775807i64 - 1) #define INT128_MIN (-170141183460469231731687303715884105727i128 - 1) #ifdef _WIN64 #define INT_PTR_MIN (-9223372036854775807i64 - 1) #define LONG_PTR_MIN (-9223372036854775807i64 - 1) #define PTRDIFF_T_MIN (-9223372036854775807i64 - 1) #define SSIZE_T_MIN (-9223372036854775807i64 - 1) #else #define INT_PTR_MIN (-2147483647 - 1) #define LONG_PTR_MIN (-2147483647L - 1) #define PTRDIFF_T_MIN (-2147483647 - 1) #define SSIZE_T_MIN (-2147483647L - 1) #endif #define INT8_MAX 127i8 #define UINT8_MAX 0xffui8 #define BYTE_MAX 0xff #define SHORT_MAX 32767 #define INT16_MAX 32767i16 #define USHORT_MAX 0xffff #define UINT16_MAX 0xffffui16 #define WORD_MAX 0xffff #ifndef INT_MAX #define INT_MAX 2147483647 #endif #define INT32_MAX 2147483647i32 #ifndef UINT_MAX #define UINT_MAX 0xffffffff #endif #define UINT32_MAX 0xffffffffui32 #ifndef LONG_MAX #define LONG_MAX 2147483647L #endif #ifndef ULONG_MAX #define ULONG_MAX 0xffffffffUL #endif #define DWORD_MAX 0xffffffffUL #define LONGLONG_MAX 9223372036854775807i64 #define LONG64_MAX 9223372036854775807i64 #define INT64_MAX 9223372036854775807i64 #define ULONGLONG_MAX 0xffffffffffffffffui64 #define DWORDLONG_MAX 0xffffffffffffffffui64 #define ULONG64_MAX 0xffffffffffffffffui64 #define DWORD64_MAX 0xffffffffffffffffui64 #define UINT64_MAX 0xffffffffffffffffui64 #define INT128_MAX 170141183460469231731687303715884105727i128 #define UINT128_MAX 0xffffffffffffffffffffffffffffffffui128 #undef SIZE_T_MAX #ifdef _WIN64 #define INT_PTR_MAX 9223372036854775807i64 #define UINT_PTR_MAX 0xffffffffffffffffui64 #define LONG_PTR_MAX 9223372036854775807i64 #define ULONG_PTR_MAX 0xffffffffffffffffui64 #define DWORD_PTR_MAX 0xffffffffffffffffui64 #define PTRDIFF_T_MAX 9223372036854775807i64 #define SIZE_T_MAX 0xffffffffffffffffui64 #define SSIZE_T_MAX 9223372036854775807i64 #define _SIZE_T_MAX 0xffffffffffffffffui64 #else #define INT_PTR_MAX 2147483647 #define UINT_PTR_MAX 0xffffffff #define LONG_PTR_MAX 2147483647L #define ULONG_PTR_MAX 0xffffffffUL #define DWORD_PTR_MAX 0xffffffffUL #define PTRDIFF_T_MAX 2147483647 #define SIZE_T_MAX 0xffffffff #define SSIZE_T_MAX 2147483647L #define _SIZE_T_MAX 0xffffffffUL #endif // // It is common for -1 to be used as an error value // #define INT8_ERROR (-1i8) #define UINT8_ERROR 0xffui8 #define BYTE_ERROR 0xff #define SHORT_ERROR (-1) #define INT16_ERROR (-1i16) #define USHORT_ERROR 0xffff #define UINT16_ERROR 0xffffui16 #define WORD_ERROR 0xffff #define INT_ERROR (-1) #define INT32_ERROR (-1i32) #define UINT_ERROR 0xffffffff #define UINT32_ERROR 0xffffffffui32 #define LONG_ERROR (-1L) #define ULONG_ERROR 0xffffffffUL #define DWORD_ERROR 0xffffffffUL #define LONGLONG_ERROR (-1i64) #define LONG64_ERROR (-1i64) #define INT64_ERROR (-1i64) #define ULONGLONG_ERROR 0xffffffffffffffffui64 #define DWORDLONG_ERROR 0xffffffffffffffffui64 #define ULONG64_ERROR 0xffffffffffffffffui64 #define UINT64_ERROR 0xffffffffffffffffui64 #ifdef _WIN64 #define INT_PTR_ERROR (-1i64) #define UINT_PTR_ERROR 0xffffffffffffffffui64 #define LONG_PTR_ERROR (-1i64) #define ULONG_PTR_ERROR 0xffffffffffffffffui64 #define DWORD_PTR_ERROR 0xffffffffffffffffui64 #define PTRDIFF_T_ERROR (-1i64) #define SIZE_T_ERROR 0xffffffffffffffffui64 #define SSIZE_T_ERROR (-1i64) #define _SIZE_T_ERROR 0xffffffffffffffffui64 #else #define INT_PTR_ERROR (-1) #define UINT_PTR_ERROR 0xffffffff #define LONG_PTR_ERROR (-1L) #define ULONG_PTR_ERROR 0xffffffffUL #define DWORD_PTR_ERROR 0xffffffffUL #define PTRDIFF_T_ERROR (-1) #define SIZE_T_ERROR 0xffffffff #define SSIZE_T_ERROR (-1L) #define _SIZE_T_ERROR 0xffffffffUL #endif // // We make some assumptions about the sizes of various types. Let's be // explicit about those assumptions and check them. // C_ASSERT(sizeof(USHORT) == 2); C_ASSERT(sizeof(INT) == 4); C_ASSERT(sizeof(UINT) == 4); C_ASSERT(sizeof(LONG) == 4); C_ASSERT(sizeof(ULONG) == 4); C_ASSERT(sizeof(UINT_PTR) == sizeof(ULONG_PTR)); //============================================================================= // Conversion functions // // There are three reasons for having conversion functions: // // 1. We are converting from a signed type to an unsigned type of the same // size, or vice-versa. // // Since we default to only having unsigned math functions, // (see ENABLE_INTSAFE_SIGNED_FUNCTIONS below) we prefer people to convert // to unsigned, do the math, and then convert back to signed. // // 2. We are converting to a smaller type, and we could therefore possibly // overflow. // // 3. We are converting to a bigger type, and we are signed and the type we are // converting to is unsigned. // //============================================================================= // // INT8 -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToUChar( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) UCHAR* pch) { NTSTATUS status; if (i8Operand >= 0) { *pch = (UCHAR)i8Operand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToUInt8( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) UINT8* pu8Result) { NTSTATUS status; if (i8Operand >= 0) { *pu8Result = (UINT8)i8Operand; status = STATUS_SUCCESS; } else { *pu8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> BYTE conversion // #define RtlInt8ToByte RtlInt8ToUInt8 // // INT8 -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToUShort( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) USHORT* pusResult) { NTSTATUS status; if (i8Operand >= 0) { *pusResult = (USHORT)i8Operand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> UINT16 conversion // #define RtlInt8ToUInt16 RtlInt8ToUShort // // INT8 -> WORD conversion // #define RtlInt8ToWord RtlInt8ToUShort // // INT8 -> UINT conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToUInt( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) UINT* puResult) { NTSTATUS status; if (i8Operand >= 0) { *puResult = (UINT)i8Operand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> UINT32 conversion // #define RtlInt8ToUInt32 RtlInt8ToUInt // // INT8 -> UINT_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToUIntPtr( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) UINT_PTR* puResult) { NTSTATUS status; if (i8Operand >= 0) { *puResult = (UINT_PTR)i8Operand; status = STATUS_SUCCESS; } else { *puResult = UINT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> ULONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToULong( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) ULONG* pulResult) { NTSTATUS status; if (i8Operand >= 0) { *pulResult = (ULONG)i8Operand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> ULONG_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToULongPtr( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) ULONG_PTR* pulResult) { NTSTATUS status; if (i8Operand >= 0) { *pulResult = (ULONG_PTR)i8Operand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> DWORD conversion // #define RtlInt8ToDWord RtlInt8ToULong // // INT8 -> DWORD_PTR conversion // #define RtlInt8ToDWordPtr RtlInt8ToULongPtr // // INT8 -> ULONGLONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlInt8ToULongLong( _In_ INT8 i8Operand, _Out_ _Deref_out_range_(==, i8Operand) ULONGLONG* pullResult) { NTSTATUS status; if (i8Operand >= 0) { *pullResult = (ULONGLONG)i8Operand; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT8 -> DWORDLONG conversion // #define RtlInt8ToDWordLong RtlInt8ToULongLong // // INT8 -> ULONG64 conversion // #define RtlInt8ToULong64 RtlInt8ToULongLong // // INT8 -> DWORD64 conversion // #define RtlInt8ToDWord64 RtlInt8ToULongLong // // INT8 -> UINT64 conversion // #define RtlInt8ToUInt64 RtlInt8ToULongLong // // INT8 -> size_t conversion // #define RtlInt8ToSizeT RtlInt8ToUIntPtr // // INT8 -> SIZE_T conversion // #define RtlInt8ToSIZET RtlInt8ToULongPtr // // UINT8 -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUInt8ToInt8( _In_ UINT8 u8Operand, _Out_ _Deref_out_range_(==, u8Operand) INT8* pi8Result) { NTSTATUS status; if (u8Operand <= INT8_MAX) { *pi8Result = (INT8)u8Operand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT8 -> CHAR conversion // __forceinline NTSTATUS RtlUInt8ToChar( _In_ UINT8 u8Operand, _Out_ _Deref_out_range_(==, u8Operand) CHAR* pch) { #ifdef _CHAR_UNSIGNED *pch = (CHAR)u8Operand; return STATUS_SUCCESS; #else return RtlUInt8ToInt8(u8Operand, (INT8*)pch); #endif } // // BYTE -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlByteToInt8( _In_ BYTE bOperand, _Out_ _Deref_out_range_(==, bOperand) INT8* pi8Result) { NTSTATUS status; if (bOperand <= INT8_MAX) { *pi8Result = (INT8)bOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // BYTE -> CHAR conversion // __forceinline NTSTATUS RtlByteToChar( _In_ BYTE bOperand, _Out_ _Deref_out_range_(==, bOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED *pch = (CHAR)bOperand; return STATUS_SUCCESS; #else return RtlByteToInt8(bOperand, (INT8*)pch); #endif } // // SHORT -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToInt8( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) INT8* pi8Result) { NTSTATUS status; if ((sOperand >= INT8_MIN) && (sOperand <= INT8_MAX)) { *pi8Result = (INT8)sOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToUChar( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) UCHAR* pch) { NTSTATUS status; if ((sOperand >= 0) && (sOperand <= 255)) { *pch = (UCHAR)sOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> CHAR conversion // __forceinline NTSTATUS RtlShortToChar( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlShortToUChar(sOperand, (UCHAR*)pch); #else return RtlShortToInt8(sOperand, (INT8*)pch); #endif // _CHAR_UNSIGNED } // // SHORT -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToUInt8( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) UINT8* pui8Result) { NTSTATUS status; if ((sOperand >= 0) && (sOperand <= UINT8_MAX)) { *pui8Result = (UINT8)sOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> BYTE conversion // #define RtlShortToByte RtlShortToUInt8 // // SHORT -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToUShort( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) USHORT* pusResult) { NTSTATUS status; if (sOperand >= 0) { *pusResult = (USHORT)sOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> UINT16 conversion // #define RtlShortToUInt16 RtlShortToUShort // // SHORT -> WORD conversion // #define RtlShortToWord RtlShortToUShort // // SHORT -> UINT conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToUInt( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) UINT* puResult) { NTSTATUS status; if (sOperand >= 0) { *puResult = (UINT)sOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> UINT32 conversion // #define RtlShortToUInt32 RtlShortToUInt // // SHORT -> UINT_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToUIntPtr( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) UINT_PTR* puResult) { NTSTATUS status; if (sOperand >= 0) { *puResult = (UINT_PTR)sOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> ULONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToULong( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) ULONG* pulResult) { NTSTATUS status; if (sOperand >= 0) { *pulResult = (ULONG)sOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> ULONG_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToULongPtr( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) ULONG_PTR* pulResult) { NTSTATUS status; if (sOperand >= 0) { *pulResult = (ULONG_PTR)sOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> DWORD conversion // #define RtlShortToDWord RtlShortToULong // // SHORT -> DWORD_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToDWordPtr( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) DWORD_PTR* pdwResult) { NTSTATUS status; if (sOperand >= 0) { *pdwResult = (DWORD_PTR)sOperand; status = STATUS_SUCCESS; } else { *pdwResult = DWORD_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> ULONGLONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlShortToULongLong( _In_ SHORT sOperand, _Out_ _Deref_out_range_(==, sOperand) ULONGLONG* pullResult) { NTSTATUS status; if (sOperand >= 0) { *pullResult = (ULONGLONG)sOperand; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SHORT -> DWORDLONG conversion // #define RtlShortToDWordLong RtlShortToULongLong // // SHORT -> ULONG64 conversion // #define RtlShortToULong64 RtlShortToULongLong // // SHORT -> DWORD64 conversion // #define RtlShortToDWord64 RtlShortToULongLong // // SHORT -> UINT64 conversion // #define RtlShortToUInt64 RtlShortToULongLong // // SHORT -> size_t conversion // #define RtlShortToSizeT RtlShortToUIntPtr // // SHORT -> SIZE_T conversion // #define RtlShortToSIZET RtlShortToULongPtr // // INT16 -> CHAR conversion // #define RtlInt16ToChar RtlShortToChar // // INT16 -> INT8 conversion // #define RtlInt16ToInt8 RtlShortToInt8 // // INT16 -> UCHAR conversion // #define RtlInt16ToUChar RtlShortToUChar // // INT16 -> UINT8 conversion // #define RtlInt16ToUInt8 RtlShortToUInt8 // // INT16 -> BYTE conversion // #define RtlInt16ToByte RtlShortToUInt8 // // INT16 -> USHORT conversion // #define RtlInt16ToUShort RtlShortToUShort // // INT16 -> UINT16 conversion // #define RtlInt16ToUInt16 RtlShortToUShort // // INT16 -> WORD conversion // #define RtlInt16ToWord RtlShortToUShort // // INT16 -> UINT conversion // #define RtlInt16ToUInt RtlShortToUInt // // INT16 -> UINT32 conversion // #define RtlInt16ToUInt32 RtlShortToUInt // // INT16 -> UINT_PTR conversion // #define RtlInt16ToUIntPtr RtlShortToUIntPtr // // INT16 -> ULONG conversion // #define RtlInt16ToULong RtlShortToULong // // INT16 -> ULONG_PTR conversion // #define RtlInt16ToULongPtr RtlShortToULongPtr // // INT16 -> DWORD conversion // #define RtlInt16ToDWord RtlShortToULong // // INT16 -> DWORD_PTR conversion // #define RtlInt16ToDWordPtr RtlShortToULongPtr // // INT16 -> ULONGLONG conversion // #define RtlInt16ToULongLong RtlShortToULongLong // // INT16 -> DWORDLONG conversion // #define RtlInt16ToDWordLong RtlShortToULongLong // // INT16 -> ULONG64 conversion // #define RtlInt16ToULong64 RtlShortToULongLong // // INT16 -> DWORD64 conversion // #define RtlInt16ToDWord64 RtlShortToULongLong // // INT16 -> UINT64 conversion // #define RtlInt16ToUInt64 RtlShortToULongLong // // INT16 -> size_t conversion // #define RtlInt16ToSizeT RtlShortToUIntPtr // // INT16 -> SIZE_T conversion // #define RtlInt16ToSIZET RtlShortToULongPtr // // USHORT -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUShortToInt8( _In_ USHORT usOperand, _Out_ _Deref_out_range_(==, usOperand) INT8* pi8Result) { NTSTATUS status; if (usOperand <= INT8_MAX) { *pi8Result = (INT8)usOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // USHORT -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlUShortToUChar( _In_ USHORT usOperand, _Out_ _Deref_out_range_(==, usOperand) UCHAR* pch) { NTSTATUS status; if (usOperand <= 255) { *pch = (UCHAR)usOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // USHORT -> CHAR conversion // __forceinline NTSTATUS RtlUShortToChar( _In_ USHORT usOperand, _Out_ _Deref_out_range_(==, usOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlUShortToUChar(usOperand, (UCHAR*)pch); #else return RtlUShortToInt8(usOperand, (INT8*)pch); #endif // _CHAR_UNSIGNED } // // USHORT -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUShortToUInt8( _In_ USHORT usOperand, _Out_ _Deref_out_range_(==, usOperand) UINT8* pui8Result) { NTSTATUS status; if (usOperand <= UINT8_MAX) { *pui8Result = (UINT8)usOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // USHORT -> BYTE conversion // #define RtlUShortToByte RtlUShortToUInt8 // // USHORT -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlUShortToShort( _In_ USHORT usOperand, _Out_ _Deref_out_range_(==, usOperand) SHORT* psResult) { NTSTATUS status; if (usOperand <= SHORT_MAX) { *psResult = (SHORT)usOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // USHORT -> INT16 conversion // #define RtlUShortToInt16 RtlUShortToShort // // UINT16 -> CHAR conversion // #define RtlUInt16ToChar RtlUShortToChar // // UINT16 -> INT8 conversion // #define RtlUInt16ToInt8 RtlUShortToInt8 // // UINT16 -> UCHAR conversion // #define RtlUInt16ToUChar RtlUShortToUChar // // UINT16 -> UINT8 conversion // #define RtlUInt16ToUInt8 RtlUShortToUInt8 // // UINT16 -> BYTE conversion // #define RtlUInt16ToByte RtlUShortToUInt8 // // UINT16 -> SHORT conversion // #define RtlUInt16ToShort RtlUShortToShort // // UINT16 -> INT16 conversion // #define RtlUInt16ToInt16 RtlUShortToShort // // WORD -> INT8 conversion // #define RtlWordToInt8 RtlUShortToInt8 // // WORD -> CHAR conversion // #define RtlWordToChar RtlUShortToChar // // WORD -> UCHAR conversion // #define RtlWordToUChar RtlUShortToUChar // // WORD -> UINT8 conversion // #define RtlWordToUInt8 RtlUShortToUInt8 // // WORD -> BYTE conversion // #define RtlWordToByte RtlUShortToUInt8 // // WORD -> SHORT conversion // #define RtlWordToShort RtlUShortToShort // // WORD -> INT16 conversion // #define RtlWordToInt16 RtlUShortToShort // // INT -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToInt8( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) INT8* pi8Result) { NTSTATUS status; if ((iOperand >= INT8_MIN) && (iOperand <= INT8_MAX)) { *pi8Result = (INT8)iOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToUChar( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) UCHAR* pch) { NTSTATUS status; if ((iOperand >= 0) && (iOperand <= 255)) { *pch = (UCHAR)iOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> CHAR conversion // __forceinline NTSTATUS RtlIntToChar( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlIntToUChar(iOperand, (UCHAR*)pch); #else return RtlIntToInt8(iOperand, (INT8*)pch); #endif // _CHAR_UNSIGNED } // // INT -> BYTE conversion // #define RtlIntToByte RtlIntToUInt8 // // INT -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToUInt8( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) UINT8* pui8Result) { NTSTATUS status; if ((iOperand >= 0) && (iOperand <= UINT8_MAX)) { *pui8Result = (UINT8)iOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToShort( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) SHORT* psResult) { NTSTATUS status; if ((iOperand >= SHORT_MIN) && (iOperand <= SHORT_MAX)) { *psResult = (SHORT)iOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> INT16 conversion // #define RtlIntToInt16 RtlIntToShort // // INT -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToUShort( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) USHORT* pusResult) { NTSTATUS status; if ((iOperand >= 0) && (iOperand <= USHORT_MAX)) { *pusResult = (USHORT)iOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> UINT16 conversion // #define RtlIntToUInt16 RtlIntToUShort // // INT -> WORD conversion // #define RtlIntToWord RtlIntToUShort // // INT -> UINT conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToUInt( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) UINT* puResult) { NTSTATUS status; if (iOperand >= 0) { *puResult = (UINT)iOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> UINT_PTR conversion // #ifdef _WIN64 #define RtlIntToUIntPtr RtlIntToULongLong #else #define RtlIntToUIntPtr RtlIntToUInt #endif // // INT -> ULONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToULong( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) ULONG* pulResult) { NTSTATUS status; if (iOperand >= 0) { *pulResult = (ULONG)iOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> ULONG_PTR conversion // #ifdef _WIN64 #define RtlIntToULongPtr RtlIntToULongLong #else #define RtlIntToULongPtr RtlIntToULong #endif // // INT -> DWORD conversion // #define RtlIntToDWord RtlIntToULong // // INT -> DWORD_PTR conversion // #define RtlIntToDWordPtr RtlIntToULongPtr // // INT -> ULONGLONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntToULongLong( _In_ INT iOperand, _Out_ _Deref_out_range_(==, iOperand) ULONGLONG* pullResult) { NTSTATUS status; if (iOperand >= 0) { *pullResult = (ULONGLONG)iOperand; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT -> DWORDLONG conversion // #define RtlIntToDWordLong RtlIntToULongLong // // INT -> ULONG64 conversion // #define RtlIntToULong64 RtlIntToULongLong // // INT -> DWORD64 conversion // #define RtlIntToDWord64 RtlIntToULongLong // // INT -> UINT64 conversion // #define RtlIntToUInt64 RtlIntToULongLong // // INT -> size_t conversion // #define RtlIntToSizeT RtlIntToUIntPtr // // INT -> SIZE_T conversion // #define RtlIntToSIZET RtlIntToULongPtr // // INT32 -> CHAR conversion // #define RtlInt32ToChar RtlIntToChar // // INT32 -> INT328 conversion // #define RtlInt32ToInt8 RtlIntToInt8 // // INT32 -> UCHAR conversion // #define RtlInt32ToUChar RtlIntToUChar // // INT32 -> BYTE conversion // #define RtlInt32ToByte RtlIntToUInt8 // // INT32 -> UINT8 conversion // #define RtlInt32ToUInt8 RtlIntToUInt8 // // INT32 -> SHORT conversion // #define RtlInt32ToShort RtlIntToShort // // INT32 -> INT16 conversion // #define RtlInt32ToInt16 RtlIntToShort // // INT32 -> USHORT conversion // #define RtlInt32ToUShort RtlIntToUShort // // INT32 -> UINT16 conversion // #define RtlInt32ToUInt16 RtlIntToUShort // // INT32 -> WORD conversion // #define RtlInt32ToWord RtlIntToUShort // // INT32 -> UINT conversion // #define RtlInt32ToUInt RtlIntToUInt // // INT32 -> UINT32 conversion // #define RtlInt32ToUInt32 RtlIntToUInt // // INT32 -> UINT_PTR conversion // #define RtlInt32ToUIntPtr RtlIntToUIntPtr // // INT32 -> ULONG conversion // #define RtlInt32ToULong RtlIntToULong // // INT32 -> ULONG_PTR conversion // #define RtlInt32ToULongPtr RtlIntToULongPtr // // INT32 -> DWORD conversion // #define RtlInt32ToDWord RtlIntToULong // // INT32 -> DWORD_PTR conversion // #define RtlInt32ToDWordPtr RtlIntToULongPtr // // INT32 -> ULONGLONG conversion // #define RtlInt32ToULongLong RtlIntToULongLong // // INT32 -> DWORDLONG conversion // #define RtlInt32ToDWordLong RtlIntToULongLong // // INT32 -> ULONG64 conversion // #define RtlInt32ToULong64 RtlIntToULongLong // // INT32 -> DWORD64 conversion // #define RtlInt32ToDWord64 RtlIntToULongLong // // INT32 -> UINT64 conversion // #define RtlInt32ToUInt64 RtlIntToULongLong // // INT32 -> size_t conversion // #define RtlInt32ToSizeT RtlIntToUIntPtr // // INT32 -> SIZE_T conversion // #define RtlInt32ToSIZET RtlIntToULongPtr // // INT_PTR -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToInt8( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) INT8* pi8Result) { NTSTATUS status; if ((iOperand >= INT8_MIN) && (iOperand <= INT8_MAX)) { *pi8Result = (INT8)iOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT_PTR -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToUChar( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) UCHAR* pch) { NTSTATUS status; if ((iOperand >= 0) && (iOperand <= 255)) { *pch = (UCHAR)iOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT_PTR -> CHAR conversion // __forceinline NTSTATUS RtlIntPtrToChar( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlIntPtrToUChar(iOperand, (UCHAR*)pch); #else return RtlIntPtrToInt8(iOperand, (INT8*)pch); #endif // _CHAR_UNSIGNED } // // INT_PTR -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToUInt8( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) UINT8* pui8Result) { NTSTATUS status; if ((iOperand >= 0) && (iOperand <= UINT8_MAX)) { *pui8Result = (UINT8)iOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT_PTR -> BYTE conversion // #define RtlIntPtrToByte RtlIntPtrToUInt8 // // INT_PTR -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToShort( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) SHORT* psResult) { NTSTATUS status; if ((iOperand >= SHORT_MIN) && (iOperand <= SHORT_MAX)) { *psResult = (SHORT)iOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT_PTR -> INT16 conversion // #define RtlIntPtrToInt16 RtlIntPtrToShort // // INT_PTR -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToUShort( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) USHORT* pusResult) { NTSTATUS status; if ((iOperand >= 0) && (iOperand <= USHORT_MAX)) { *pusResult = (USHORT)iOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // INT_PTR -> UINT16 conversion // #define RtlIntPtrToUInt16 RtlIntPtrToUShort // // INT_PTR -> WORD conversion // #define RtlIntPtrToWord RtlIntPtrToUShort // // INT_PTR -> INT conversion // #ifdef _WIN64 #define RtlIntPtrToInt RtlLongLongToInt #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToInt( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) INT* piResult) { *piResult = (INT)iOperand; return STATUS_SUCCESS; } #endif // // INT_PTR -> INT32 conversion // #define RtlIntPtrToInt32 RtlIntPtrToInt // // INT_PTR -> UINT conversion // #ifdef _WIN64 #define RtlIntPtrToUInt RtlLongLongToUInt #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToUInt( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) UINT* puResult) { NTSTATUS status; if (iOperand >= 0) { *puResult = (UINT)iOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // // INT_PTR -> UINT32 conversion // #define RtlIntPtrToUInt32 RtlIntPtrToUInt // // INT_PTR -> UINT_PTR conversion // #ifdef _WIN64 #define RtlIntPtrToUIntPtr RtlLongLongToULongLong #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToUIntPtr( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) UINT_PTR* puResult) { NTSTATUS status; if (iOperand >= 0) { *puResult = (UINT_PTR)iOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // // INT_PTR -> LONG conversion // #ifdef _WIN64 #define RtlIntPtrToLong RtlLongLongToLong #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToLong( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) LONG* plResult) { *plResult = (LONG)iOperand; return STATUS_SUCCESS; } #endif // // INT_PTR -> LONG_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToLongPtr( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) LONG_PTR* plResult) { *plResult = (LONG_PTR)iOperand; return STATUS_SUCCESS; } // // INT_PTR -> ULONG conversion // #ifdef _WIN64 #define RtlIntPtrToULong RtlLongLongToULong #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToULong( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) ULONG* pulResult) { NTSTATUS status; if (iOperand >= 0) { *pulResult = (ULONG)iOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // // INT_PTR -> ULONG_PTR conversion // #ifdef _WIN64 #define RtlIntPtrToULongPtr RtlLongLongToULongLong #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToULongPtr( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) ULONG_PTR* pulResult) { NTSTATUS status; if (iOperand >= 0) { *pulResult = (ULONG_PTR)iOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // // INT_PTR -> DWORD conversion // #define RtlIntPtrToDWord RtlIntPtrToULong // // INT_PTR -> DWORD_PTR conversion // #define RtlIntPtrToDWordPtr RtlIntPtrToULongPtr // // INT_PTR -> ULONGLONG conversion // #ifdef _WIN64 #define RtlIntPtrToULongLong RtlLongLongToULongLong #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrToULongLong( _In_ INT_PTR iOperand, _Out_ _Deref_out_range_(==, iOperand) ULONGLONG* pullResult) { NTSTATUS status; if (iOperand >= 0) { *pullResult = (ULONGLONG)iOperand; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // // INT_PTR -> DWORDLONG conversion // #define RtlIntPtrToDWordLong RtlIntPtrToULongLong // // INT_PTR -> ULONG64 conversion // #define RtlIntPtrToULong64 RtlIntPtrToULongLong // // INT_PTR -> DWORD64 conversion // #define RtlIntPtrToDWord64 RtlIntPtrToULongLong // // INT_PTR -> UINT64 conversion // #define RtlIntPtrToUInt64 RtlIntPtrToULongLong // // INT_PTR -> size_t conversion // #define RtlIntPtrToSizeT RtlIntPtrToUIntPtr // // INT_PTR -> SIZE_T conversion // #define RtlIntPtrToSIZET RtlIntPtrToULongPtr // // UINT -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntToInt8( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) INT8* pi8Result) { NTSTATUS status; if (uOperand <= INT8_MAX) { *pi8Result = (INT8)uOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntToUChar( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) UCHAR* pch) { NTSTATUS status; if (uOperand <= 255) { *pch = (UCHAR)uOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT -> CHAR conversion // __forceinline NTSTATUS RtlUIntToChar( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlUIntToUChar(uOperand, (UCHAR*)pch); #else return RtlUIntToInt8(uOperand, (INT8*)pch); #endif } // // UINT -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntToUInt8( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) UINT8* pui8Result) { NTSTATUS status; if (uOperand <= UINT8_MAX) { *pui8Result = (UINT8)uOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT -> BYTE conversion // #define RtlUIntToByte RtlUIntToUInt8 // // UINT -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntToShort( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) SHORT* psResult) { NTSTATUS status; if (uOperand <= SHORT_MAX) { *psResult = (SHORT)uOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT -> INT16 conversion // #define RtlUIntToInt16 RtlUIntToShort // // UINT -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntToUShort( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) USHORT* pusResult) { NTSTATUS status; if (uOperand <= USHORT_MAX) { *pusResult = (USHORT)uOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT -> UINT16 conversion // #define RtlUIntToUInt16 RtlUIntToUShort // // UINT -> WORD conversion // #define RtlUIntToWord RtlUIntToUShort // // UINT -> INT conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntToInt( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) INT* piResult) { NTSTATUS status; if (uOperand <= INT_MAX) { *piResult = (INT)uOperand; status = STATUS_SUCCESS; } else { *piResult = INT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT -> INT32 conversion // #define RtlUIntToInt32 RtlUIntToInt // // UINT -> INT_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlUIntToIntPtr( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) INT_PTR* piResult) { *piResult = uOperand; return STATUS_SUCCESS; } #else #define RtlUIntToIntPtr RtlUIntToInt #endif // // UINT -> LONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntToLong( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) LONG* plResult) { NTSTATUS status; if (uOperand <= LONG_MAX) { *plResult = (LONG)uOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT -> LONG_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlUIntToLongPtr( _In_ UINT uOperand, _Out_ _Deref_out_range_(==, uOperand) LONG_PTR* plResult) { *plResult = uOperand; return STATUS_SUCCESS; } #else #define RtlUIntToLongPtr RtlUIntToLong #endif // // UINT -> ptrdiff_t conversion // #define RtlUIntToPtrdiffT RtlUIntToIntPtr // // UINT -> SSIZE_T conversion // #define RtlUIntToSSIZET RtlUIntToLongPtr // // UINT32 -> CHAR conversion // #define RtlUInt32ToChar RtlUIntToChar // // UINT32 -> INT8 conversion // #define RtlUInt32ToInt8 RtlUIntToInt8 // // UINT32 -> UCHAR conversion // #define RtlUInt32ToUChar RtlUIntToUChar // // UINT32 -> UINT8 conversion // #define RtlUInt32ToUInt8 RtlUIntToUInt8 // // UINT32 -> BYTE conversion // #define RtlUInt32ToByte RtlUInt32ToUInt8 // // UINT32 -> SHORT conversion // #define RtlUInt32ToShort RtlUIntToShort // // UINT32 -> INT16 conversion // #define RtlUInt32ToInt16 RtlUIntToShort // // UINT32 -> USHORT conversion // #define RtlUInt32ToUShort RtlUIntToUShort // // UINT32 -> UINT16 conversion // #define RtlUInt32ToUInt16 RtlUIntToUShort // // UINT32 -> WORD conversion // #define RtlUInt32ToWord RtlUIntToUShort // // UINT32 -> INT conversion // #define RtlUInt32ToInt RtlUIntToInt // // UINT32 -> INT_PTR conversion // #define RtlUInt32ToIntPtr RtlUIntToIntPtr // // UINT32 -> INT32 conversion // #define RtlUInt32ToInt32 RtlUIntToInt // // UINT32 -> LONG conversion // #define RtlUInt32ToLong RtlUIntToLong // // UINT32 -> LONG_PTR conversion // #define RtlUInt32ToLongPtr RtlUIntToLongPtr // // UINT32 -> ptrdiff_t conversion // #define RtlUInt32ToPtrdiffT RtlUIntToPtrdiffT // // UINT32 -> SSIZE_T conversion // #define RtlUInt32ToSSIZET RtlUIntToSSIZET // // UINT_PTR -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToInt8( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) INT8* pi8Result) { NTSTATUS status; if (uOperand <= INT8_MAX) { *pi8Result = (INT8)uOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToUChar( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) UCHAR* pch) { NTSTATUS status; if (uOperand <= 255) { *pch = (UCHAR)uOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> CHAR conversion // __forceinline NTSTATUS RtlUIntPtrToChar( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlUIntPtrToUChar(uOperand, (UCHAR*)pch); #else return RtlUIntPtrToInt8(uOperand, (INT8*)pch); #endif } // // UINT_PTR -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToUInt8( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==,uOperand) UINT8* pu8Result) { NTSTATUS status; if (uOperand <= UINT8_MAX) { *pu8Result = (UINT8)uOperand; status = STATUS_SUCCESS; } else { *pu8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> BYTE conversion // #define RtlUIntPtrToByte RtlUIntPtrToUInt8 // // UINT_PTR -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToShort( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) SHORT* psResult) { NTSTATUS status; if (uOperand <= SHORT_MAX) { *psResult = (SHORT)uOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> INT16 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToInt16( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) INT16* pi16Result) { NTSTATUS status; if (uOperand <= INT16_MAX) { *pi16Result = (INT16)uOperand; status = STATUS_SUCCESS; } else { *pi16Result = INT16_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToUShort( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) USHORT* pusResult) { NTSTATUS status; if (uOperand <= USHORT_MAX) { *pusResult = (USHORT)uOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> UINT16 conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToUInt16( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) UINT16* pu16Result) { NTSTATUS status; if (uOperand <= UINT16_MAX) { *pu16Result = (UINT16)uOperand; status = STATUS_SUCCESS; } else { *pu16Result = UINT16_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> WORD conversion // #define RtlUIntPtrToWord RtlUIntPtrToUShort // // UINT_PTR -> INT conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToInt( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) INT* piResult) { NTSTATUS status; if (uOperand <= INT_MAX) { *piResult = (INT)uOperand; status = STATUS_SUCCESS; } else { *piResult = INT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> INT32 conversion // #define RtlUIntPtrToInt32 RtlUIntPtrToInt // // UINT_PTR -> INT_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToIntPtr( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) INT_PTR* piResult) { NTSTATUS status; if (uOperand <= INT_PTR_MAX) { *piResult = (INT_PTR)uOperand; status = STATUS_SUCCESS; } else { *piResult = INT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> UINT conversion // #ifdef _WIN64 #define RtlUIntPtrToUInt RtlULongLongToUInt #else _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToUInt( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) UINT* puResult) { *puResult = (UINT)uOperand; return STATUS_SUCCESS; } #endif // // UINT_PTR -> UINT32 conversion // #define RtlUIntPtrToUInt32 RtlUIntPtrToUInt // // UINT_PTR -> LONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToLong( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) LONG* plResult) { NTSTATUS status; if (uOperand <= LONG_MAX) { *plResult = (LONG)uOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> LONG_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToLongPtr( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) LONG_PTR* plResult) { NTSTATUS status; if (uOperand <= LONG_PTR_MAX) { *plResult = (LONG_PTR)uOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT_PTR -> ULONG conversion // #ifdef _WIN64 #define RtlUIntPtrToULong RtlULongLongToULong #else _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToULong( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) ULONG* pulResult) { *pulResult = (ULONG)uOperand; return STATUS_SUCCESS; } #endif // // UINT_PTR -> DWORD conversion // #define RtlUIntPtrToDWord RtlUIntPtrToULong // // UINT_PTR -> LONGLONG conversion // #ifdef _WIN64 #define RtlUIntPtrToLongLong RtlULongLongToLongLong #else _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrToLongLong( _In_ UINT_PTR uOperand, _Out_ _Deref_out_range_(==, uOperand) LONGLONG* pllResult) { *pllResult = (LONGLONG)uOperand; return STATUS_SUCCESS; } #endif // // UINT_PTR -> LONG64 conversion // #define RtlUIntPtrToLong64 RtlUIntPtrToLongLong // // UINT_PTR -> RtlINT64 conversion // #define RtlUIntPtrToInt64 RtlUIntPtrToLongLong // // UINT_PTR -> ptrdiff_t conversion // #define RtlUIntPtrToPtrdiffT RtlUIntPtrToIntPtr // // UINT_PTR -> SSIZE_T conversion // #define RtlUIntPtrToSSIZET RtlUIntPtrToLongPtr // // LONG -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToInt8( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) INT8* pi8Result) { NTSTATUS status; if ((lOperand >= INT8_MIN) && (lOperand <= INT8_MAX)) { *pi8Result = (INT8)lOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToUChar( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) UCHAR* pch) { NTSTATUS status; if ((lOperand >= 0) && (lOperand <= 255)) { *pch = (UCHAR)lOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> CHAR conversion // __forceinline NTSTATUS RtlLongToChar( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlLongToUChar(lOperand, (UCHAR*)pch); #else return RtlLongToInt8(lOperand, (INT8*)pch); #endif } // // LONG -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToUInt8( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) UINT8* pui8Result) { NTSTATUS status; if ((lOperand >= 0) && (lOperand <= UINT8_MAX)) { *pui8Result = (UINT8)lOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> BYTE conversion // #define RtlLongToByte RtlLongToUInt8 // // LONG -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToShort( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) SHORT* psResult) { NTSTATUS status; if ((lOperand >= SHORT_MIN) && (lOperand <= SHORT_MAX)) { *psResult = (SHORT)lOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> INT16 conversion // #define RtlLongToInt16 RtlLongToShort // // LONG -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToUShort( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) USHORT* pusResult) { NTSTATUS status; if ((lOperand >= 0) && (lOperand <= USHORT_MAX)) { *pusResult = (USHORT)lOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> UINT16 conversion // #define RtlLongToUInt16 RtlLongToUShort // // LONG -> WORD conversion // #define RtlLongToWord RtlLongToUShort // // LONG -> INT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToInt( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) INT* piResult) { C_ASSERT(sizeof(INT) == sizeof(LONG)); *piResult = (INT)lOperand; return STATUS_SUCCESS; } // // LONG -> INT32 conversion // #define RtlLongToInt32 RtlLongToInt // // LONG -> INT_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlLongToIntPtr( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) INT_PTR* piResult) { *piResult = lOperand; return STATUS_SUCCESS; } #else #define RtlLongToIntPtr RtlLongToInt #endif // // LONG -> UINT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToUInt( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) UINT* puResult) { NTSTATUS status; if (lOperand >= 0) { *puResult = (UINT)lOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> UINT32 conversion // #define RtlLongToUInt32 RtlLongToUInt // // LONG -> UINT_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlLongToUIntPtr( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) UINT_PTR* puResult) { NTSTATUS status; if (lOperand >= 0) { *puResult = (UINT_PTR)lOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #else #define RtlLongToUIntPtr RtlLongToUInt #endif // // LONG -> ULONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToULong( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) ULONG* pulResult) { NTSTATUS status; if (lOperand >= 0) { *pulResult = (ULONG)lOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> ULONG_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlLongToULongPtr( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) ULONG_PTR* pulResult) { NTSTATUS status; if (lOperand >= 0) { *pulResult = (ULONG_PTR)lOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #else #define RtlLongToULongPtr RtlLongToULong #endif // // LONG -> DWORD conversion // #define RtlLongToDWord RtlLongToULong // // LONG -> DWORD_PTR conversion // #define RtlLongToDWordPtr RtlLongToULongPtr // // LONG -> ULONGLONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongToULongLong( _In_ LONG lOperand, _Out_ _Deref_out_range_(==, lOperand) ULONGLONG* pullResult) { NTSTATUS status; if (lOperand >= 0) { *pullResult = (ULONGLONG)lOperand; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG -> DWORDLONG conversion // #define RtlLongToDWordLong RtlLongToULongLong // // LONG -> ULONG64 conversion // #define RtlLongToULong64 RtlLongToULongLong // // LONG -> DWORD64 conversion // #define RtlLongToDWord64 RtlLongToULongLong // // LONG -> UINT64 conversion // #define RtlLongToUInt64 RtlLongToULongLong // // LONG -> ptrdiff_t conversion // #define RtlLongToPtrdiffT RtlLongToIntPtr // // LONG -> size_t conversion // #define RtlLongToSizeT RtlLongToUIntPtr // // LONG -> SIZE_T conversion // #define RtlLongToSIZET RtlLongToULongPtr // // LONG_PTR -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToInt8( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) INT8* pi8Result) { NTSTATUS status; if ((lOperand >= INT8_MIN) && (lOperand <= INT8_MAX)) { *pi8Result = (INT8)lOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToUChar( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) UCHAR* pch) { NTSTATUS status; if ((lOperand >= 0) && (lOperand <= 255)) { *pch = (UCHAR)lOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> CHAR conversion // __forceinline NTSTATUS RtlLongPtrToChar( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlLongPtrToUChar(lOperand, (UCHAR*)pch); #else return RtlLongPtrToInt8(lOperand, (INT8*)pch); #endif } // // LONG_PTR -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToUInt8( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) UINT8* pui8Result) { NTSTATUS status; if ((lOperand >= 0) && (lOperand <= UINT8_MAX)) { *pui8Result = (UINT8)lOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> BYTE conversion // #define RtlLongPtrToByte RtlLongPtrToUInt8 // // LONG_PTR -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToShort( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) SHORT* psResult) { NTSTATUS status; if ((lOperand >= SHORT_MIN) && (lOperand <= SHORT_MAX)) { *psResult = (SHORT)lOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> INT16 conversion // #define RtlLongPtrToInt16 RtlLongPtrToShort // // LONG_PTR -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToUShort( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) USHORT* pusResult) { NTSTATUS status; if ((lOperand >= 0) && (lOperand <= USHORT_MAX)) { *pusResult = (USHORT)lOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> UINT16 conversion // #define RtlLongPtrToUInt16 RtlLongPtrToUShort // // LONG_PTR -> WORD conversion // #define RtlLongPtrToWord RtlLongPtrToUShort // // LONG_PTR -> INT conversion // #ifdef _WIN64 #define RtlLongPtrToInt RtlLongLongToInt #else _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToInt( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) INT* piResult) { C_ASSERT(sizeof(INT) == sizeof(LONG_PTR)); *piResult = (INT)lOperand; return STATUS_SUCCESS; } #endif // // LONG_PTR -> INT32 conversion // #define RtlLongPtrToInt32 RtlLongPtrToInt // // LONG_PTR -> INT_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToIntPtr( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) INT_PTR* piResult) { C_ASSERT(sizeof(LONG_PTR) == sizeof(INT_PTR)); *piResult = (INT_PTR)lOperand; return STATUS_SUCCESS; } // // LONG_PTR -> UINT conversion // #ifdef _WIN64 #define RtlLongPtrToUInt RtlLongLongToUInt #else _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToUInt( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) UINT* puResult) { NTSTATUS status; if (lOperand >= 0) { *puResult = (UINT)lOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // // LONG_PTR -> UINT32 conversion // #define RtlLongPtrToUInt32 RtlLongPtrToUInt // // LONG_PTR -> UINT_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToUIntPtr( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) UINT_PTR* puResult) { NTSTATUS status; if (lOperand >= 0) { *puResult = (UINT_PTR)lOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> LONG conversion // #ifdef _WIN64 #define RtlLongPtrToLong RtlLongLongToLong #else _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToLong( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) LONG* plResult) { *plResult = (LONG)lOperand; return STATUS_SUCCESS; } #endif // // LONG_PTR -> ULONG conversion // #ifdef _WIN64 #define RtlLongPtrToULong RtlLongLongToULong #else _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToULong( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) ULONG* pulResult) { NTSTATUS status; if (lOperand >= 0) { *pulResult = (ULONG)lOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // // LONG_PTR -> ULONG_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToULongPtr( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) ULONG_PTR* pulResult) { NTSTATUS status; if (lOperand >= 0) { *pulResult = (ULONG_PTR)lOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> DWORD conversion // #define RtlLongPtrToDWord RtlLongPtrToULong // // LONG_PTR -> DWORD_PTR conversion // #define RtlLongPtrToDWordPtr RtlLongPtrToULongPtr // // LONG_PTR -> ULONGLONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongPtrToULongLong( _In_ LONG_PTR lOperand, _Out_ _Deref_out_range_(==, lOperand) ULONGLONG* pullResult) { NTSTATUS status; if (lOperand >= 0) { *pullResult = (ULONGLONG)lOperand; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONG_PTR -> DWORDLONG conversion // #define RtlLongPtrToDWordLong RtlLongPtrToULongLong // // LONG_PTR -> ULONG64 conversion // #define RtlLongPtrToULong64 RtlLongPtrToULongLong // // LONG_PTR -> DWORD64 conversion // #define RtlLongPtrToDWord64 RtlLongPtrToULongLong // // LONG_PTR -> UINT64 conversion // #define RtlLongPtrToUInt64 RtlLongPtrToULongLong // // LONG_PTR -> size_t conversion // #define RtlLongPtrToSizeT RtlLongPtrToUIntPtr // // LONG_PTR -> SIZE_T conversion // #define RtlLongPtrToSIZET RtlLongPtrToULongPtr // // ULONG -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToInt8( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) INT8* pi8Result) { NTSTATUS status; if (ulOperand <= INT8_MAX) { *pi8Result = (INT8)ulOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToUChar( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UCHAR* pch) { NTSTATUS status; if (ulOperand <= 255) { *pch = (UCHAR)ulOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG -> CHAR conversion // __forceinline NTSTATUS RtlULongToChar( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlULongToUChar(ulOperand, (UCHAR*)pch); #else return RtlULongToInt8(ulOperand, (INT8*)pch); #endif } // // ULONG -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToUInt8( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UINT8* pui8Result) { NTSTATUS status; if (ulOperand <= UINT8_MAX) { *pui8Result = (UINT8)ulOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG -> BYTE conversion // #define RtlULongToByte RtlULongToUInt8 // // ULONG -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToShort( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) SHORT* psResult) { NTSTATUS status; if (ulOperand <= SHORT_MAX) { *psResult = (SHORT)ulOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG -> INT16 conversion // #define RtlULongToInt16 RtlULongToShort // // ULONG -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToUShort( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) USHORT* pusResult) { NTSTATUS status; if (ulOperand <= USHORT_MAX) { *pusResult = (USHORT)ulOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG -> UINT16 conversion // #define RtlULongToUInt16 RtlULongToUShort // // ULONG -> WORD conversion // #define RtlULongToWord RtlULongToUShort // // ULONG -> INT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToInt( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) INT* piResult) { NTSTATUS status; if (ulOperand <= INT_MAX) { *piResult = (INT)ulOperand; status = STATUS_SUCCESS; } else { *piResult = INT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG -> INT32 conversion // #define RtlULongToInt32 RtlULongToInt // // ULONG -> INT_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlULongToIntPtr( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) INT_PTR* piResult) { *piResult = (INT_PTR)ulOperand; return STATUS_SUCCESS; } #else #define RtlULongToIntPtr RtlULongToInt #endif // // ULONG -> UINT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToUInt( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UINT* puResult) { C_ASSERT(sizeof(ULONG) == sizeof(UINT)); *puResult = (UINT)ulOperand; return STATUS_SUCCESS; } // // ULONG -> UINT32 conversion // #define RtlULongToUInt32 RtlULongToUInt // // ULONG -> UINT_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlULongToUIntPtr( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UINT_PTR* puiResult) { C_ASSERT(sizeof(UINT_PTR) > sizeof(ULONG)); *puiResult = (UINT_PTR)ulOperand; return STATUS_SUCCESS; } #else #define RtlULongToUIntPtr RtlULongToUInt #endif // // ULONG -> LONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongToLong( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) LONG* plResult) { NTSTATUS status; if (ulOperand <= LONG_MAX) { *plResult = (LONG)ulOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG -> LONG_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlULongToLongPtr( _In_ ULONG ulOperand, _Out_ _Deref_out_range_(==, ulOperand) LONG_PTR* plResult) { C_ASSERT(sizeof(LONG_PTR) > sizeof(ULONG)); *plResult = (LONG_PTR)ulOperand; return STATUS_SUCCESS; } #else #define RtlULongToLongPtr RtlULongToLong #endif // // ULONG -> ptrdiff_t conversion // #define RtlULongToPtrdiffT RtlULongToIntPtr // // ULONG -> SSIZE_T conversion // #define RtlULongToSSIZET RtlULongToLongPtr // // ULONG_PTR -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToInt8( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) INT8* pi8Result) { NTSTATUS status; if (ulOperand <= INT8_MAX) { *pi8Result = (INT8)ulOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToUChar( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UCHAR* pch) { NTSTATUS status; if (ulOperand <= 255) { *pch = (UCHAR)ulOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> CHAR conversion // __forceinline NTSTATUS RtlULongPtrToChar( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlULongPtrToUChar(ulOperand, (UCHAR*)pch); #else return RtlULongPtrToInt8(ulOperand, (INT8*)pch); #endif } // // ULONG_PTR -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToUInt8( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UINT8* pui8Result) { NTSTATUS status; if (ulOperand <= UINT8_MAX) { *pui8Result = (UINT8)ulOperand; status = STATUS_SUCCESS; } else { *pui8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> BYTE conversion // #define RtlULongPtrToByte RtlULongPtrToUInt8 // // ULONG_PTR -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToShort( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) SHORT* psResult) { NTSTATUS status; if (ulOperand <= SHORT_MAX) { *psResult = (SHORT)ulOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> INT16 conversion // #define RtlULongPtrToInt16 RtlULongPtrToShort // // ULONG_PTR -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToUShort( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) USHORT* pusResult) { NTSTATUS status; if (ulOperand <= USHORT_MAX) { *pusResult = (USHORT)ulOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> UINT16 conversion // #define RtlULongPtrToUInt16 RtlULongPtrToUShort // // ULONG_PTR -> WORD conversion // #define RtlULongPtrToWord RtlULongPtrToUShort // // ULONG_PTR -> INT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToInt( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) INT* piResult) { NTSTATUS status; if (ulOperand <= INT_MAX) { *piResult = (INT)ulOperand; status = STATUS_SUCCESS; } else { *piResult = INT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> INT32 conversion // #define RtlULongPtrToInt32 RtlULongPtrToInt // // ULONG_PTR -> INT_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToIntPtr( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) INT_PTR* piResult) { NTSTATUS status; if (ulOperand <= INT_PTR_MAX) { *piResult = (INT_PTR)ulOperand; status = STATUS_SUCCESS; } else { *piResult = INT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> UINT conversion // #ifdef _WIN64 #define RtlULongPtrToUInt RtlULongLongToUInt #else _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToUInt( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UINT* puResult) { C_ASSERT(sizeof(ULONG_PTR) == sizeof(UINT)); *puResult = (UINT)ulOperand; return STATUS_SUCCESS; } #endif // // ULONG_PTR -> UINT32 conversion // #define RtlULongPtrToUInt32 RtlULongPtrToUInt // // ULONG_PTR -> UINT_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToUIntPtr( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) UINT_PTR* puResult) { *puResult = (UINT_PTR)ulOperand; return STATUS_SUCCESS; } // // ULONG_PTR -> LONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToLong( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) LONG* plResult) { NTSTATUS status; if (ulOperand <= LONG_MAX) { *plResult = (LONG)ulOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> LONG_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToLongPtr( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) LONG_PTR* plResult) { NTSTATUS status; if (ulOperand <= LONG_PTR_MAX) { *plResult = (LONG_PTR)ulOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR -> ULONG conversion // #ifdef _WIN64 #define RtlULongPtrToULong RtlULongLongToULong #else _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToULong( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) ULONG* pulResult) { *pulResult = (ULONG)ulOperand; return STATUS_SUCCESS; } #endif // // ULONG_PTR -> DWORD conversion // #define RtlULongPtrToDWord RtlULongPtrToULong // // ULONG_PTR -> LONGLONG conversion // #ifdef _WIN64 #define RtlULongPtrToLongLong RtlULongLongToLongLong #else _Must_inspect_result_ __inline NTSTATUS RtlULongPtrToLongLong( _In_ ULONG_PTR ulOperand, _Out_ _Deref_out_range_(==, ulOperand) LONGLONG* pllResult) { *pllResult = (LONGLONG)ulOperand; return STATUS_SUCCESS; } #endif // // ULONG_PTR -> LONG64 conversion // #define RtlULongPtrToLong64 RtlULongPtrToLongLong // // ULONG_PTR -> RtlINT64 // #define RtlULongPtrToInt64 RtlULongPtrToLongLong // // ULONG_PTR -> ptrdiff_t conversion // #define RtlULongPtrToPtrdiffT RtlULongPtrToIntPtr // // ULONG_PTR -> SSIZE_T conversion // #define RtlULongPtrToSSIZET RtlULongPtrToLongPtr // // DWORD -> INT8 conversion // #define RtlDWordToInt8 RtlULongToInt8 // // DWORD -> CHAR conversion // #define RtlDWordToChar RtlULongToChar // // DWORD -> UCHAR conversion // #define RtlDWordToUChar RtlULongToUChar // // DWORD -> UINT8 conversion // #define RtlDWordToUInt8 RtlULongToUInt8 // // DWORD -> BYTE conversion // #define RtlDWordToByte RtlULongToUInt8 // // DWORD -> SHORT conversion // #define RtlDWordToShort RtlULongToShort // // DWORD -> INT16 conversion // #define RtlDWordToInt16 RtlULongToShort // // DWORD -> USHORT conversion // #define RtlDWordToUShort RtlULongToUShort // // DWORD -> UINT16 conversion // #define RtlDWordToUInt16 RtlULongToUShort // // DWORD -> WORD conversion // #define RtlDWordToWord RtlULongToUShort // // DWORD -> INT conversion // #define RtlDWordToInt RtlULongToInt // // DWORD -> INT32 conversion // #define RtlDWordToInt32 RtlULongToInt // // DWORD -> INT_PTR conversion // #define RtlDWordToIntPtr RtlULongToIntPtr // // DWORD -> UINT conversion // #define RtlDWordToUInt RtlULongToUInt // // DWORD -> UINT32 conversion // #define RtlDWordToUInt32 RtlULongToUInt // // DWORD -> UINT_PTR conversion // #define RtlDWordToUIntPtr RtlULongToUIntPtr // // DWORD -> LONG conversion // #define RtlDWordToLong RtlULongToLong // // DWORD -> LONG_PTR conversion // #define RtlDWordToLongPtr RtlULongToLongPtr // // DWORD -> ptrdiff_t conversion // #define RtlDWordToPtrdiffT RtlULongToIntPtr // // DWORD -> SSIZE_T conversion // #define RtlDWordToSSIZET RtlULongToLongPtr // // DWORD_PTR -> INT8 conversion // #define RtlDWordPtrToInt8 RtlULongPtrToInt8 // // DWORD_PTR -> UCHAR conversion // #define RtlDWordPtrToUChar RtlULongPtrToUChar // // DWORD_PTR -> CHAR conversion // #define RtlDWordPtrToChar RtlULongPtrToChar // // DWORD_PTR -> UINT8 conversion // #define RtlDWordPtrToUInt8 RtlULongPtrToUInt8 // // DWORD_PTR -> BYTE conversion // #define RtlDWordPtrToByte RtlULongPtrToUInt8 // // DWORD_PTR -> SHORT conversion // #define RtlDWordPtrToShort RtlULongPtrToShort // // DWORD_PTR -> INT16 conversion // #define RtlDWordPtrToInt16 RtlULongPtrToShort // // DWORD_PTR -> USHORT conversion // #define RtlDWordPtrToUShort RtlULongPtrToUShort // // DWORD_PTR -> UINT16 conversion // #define RtlDWordPtrToUInt16 RtlULongPtrToUShort // // DWORD_PTR -> WORD conversion // #define RtlDWordPtrToWord RtlULongPtrToUShort // // DWORD_PTR -> INT conversion // #define RtlDWordPtrToInt RtlULongPtrToInt // // DWORD_PTR -> INT32 conversion // #define RtlDWordPtrToInt32 RtlULongPtrToInt // // DWORD_PTR -> INT_PTR conversion // #define RtlDWordPtrToIntPtr RtlULongPtrToIntPtr // // DWORD_PTR -> UINT conversion // #define RtlDWordPtrToUInt RtlULongPtrToUInt // // DWORD_PTR -> UINT32 conversion // #define RtlDWordPtrToUInt32 RtlULongPtrToUInt // // DWODR_PTR -> UINT_PTR conversion // #define RtlDWordPtrToUIntPtr RtlULongPtrToUIntPtr // // DWORD_PTR -> LONG conversion // #define RtlDWordPtrToLong RtlULongPtrToLong // // DWORD_PTR -> LONG_PTR conversion // #define RtlDWordPtrToLongPtr RtlULongPtrToLongPtr // // DWORD_PTR -> ULONG conversion // #define RtlDWordPtrToULong RtlULongPtrToULong // // DWORD_PTR -> DWORD conversion // #define RtlDWordPtrToDWord RtlULongPtrToULong // // DWORD_PTR -> LONGLONG conversion // #define RtlDWordPtrToLongLong RtlULongPtrToLongLong // // DWORD_PTR -> LONG64 conversion // #define RtlDWordPtrToLong64 RtlULongPtrToLongLong // // DWORD_PTR -> RtlINT64 conversion // #define RtlDWordPtrToInt64 RtlULongPtrToLongLong // // DWORD_PTR -> ptrdiff_t conversion // #define RtlDWordPtrToPtrdiffT RtlULongPtrToIntPtr // // DWORD_PTR -> SSIZE_T conversion // #define RtlDWordPtrToSSIZET RtlULongPtrToLongPtr // // LONGLONG -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToInt8( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) INT8* pi8Result) { NTSTATUS status; if ((llOperand >= INT8_MIN) && (llOperand <= INT8_MAX)) { *pi8Result = (INT8)llOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToUChar( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) UCHAR* pch) { NTSTATUS status; if ((llOperand >= 0) && (llOperand <= 255)) { *pch = (UCHAR)llOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> CHAR conversion // __forceinline NTSTATUS RtlLongLongToChar( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlLongLongToUChar(llOperand, (UCHAR*)pch); #else return RtlLongLongToInt8(llOperand, (INT8*)pch); #endif } // // LONGLONG -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToUInt8( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) UINT8* pu8Result) { NTSTATUS status; if ((llOperand >= 0) && (llOperand <= UINT8_MAX)) { *pu8Result = (UINT8)llOperand; status = STATUS_SUCCESS; } else { *pu8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> BYTE conversion // #define RtlLongLongToByte RtlLongLongToUInt8 // // LONGLONG -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToShort( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) SHORT* psResult) { NTSTATUS status; if ((llOperand >= SHORT_MIN) && (llOperand <= SHORT_MAX)) { *psResult = (SHORT)llOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> INT16 conversion // #define RtlLongLongToInt16 RtlLongLongToShort // // LONGLONG -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToUShort( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) USHORT* pusResult) { NTSTATUS status; if ((llOperand >= 0) && (llOperand <= USHORT_MAX)) { *pusResult = (USHORT)llOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> UINT16 conversion // #define RtlLongLongToUInt16 RtlLongLongToUShort // // LONGLONG -> WORD conversion // #define RtlLongLongToWord RtlLongLongToUShort // // LONGLONG -> INT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToInt( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) INT* piResult) { NTSTATUS status; if ((llOperand >= INT_MIN) && (llOperand <= INT_MAX)) { *piResult = (INT)llOperand; status = STATUS_SUCCESS; } else { *piResult = INT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> INT32 conversion // #define RtlLongLongToInt32 RtlLongLongToInt // // LONGLONG -> INT_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlLongLongToIntPtr( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) INT_PTR* piResult) { *piResult = llOperand; return STATUS_SUCCESS; } #else #define RtlLongLongToIntPtr RtlLongLongToInt #endif // // LONGLONG -> UINT conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToUInt( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) UINT* puResult) { NTSTATUS status; if ((llOperand >= 0) && (llOperand <= UINT_MAX)) { *puResult = (UINT)llOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> UINT32 conversion // #define RtlLongLongToUInt32 RtlLongLongToUInt // // LONGLONG -> UINT_PTR conversion // #ifdef _WIN64 #define RtlLongLongToUIntPtr RtlLongLongToULongLong #else #define RtlLongLongToUIntPtr RtlLongLongToUInt #endif // // LONGLONG -> LONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToLong( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) LONG* plResult) { NTSTATUS status; if ((llOperand >= LONG_MIN) && (llOperand <= LONG_MAX)) { *plResult = (LONG)llOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> LONG_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlLongLongToLongPtr( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) LONG_PTR* plResult) { *plResult = (LONG_PTR)llOperand; return STATUS_SUCCESS; } #else #define RtlLongLongToLongPtr RtlLongLongToLong #endif // // LONGLONG -> ULONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToULong( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) ULONG* pulResult) { NTSTATUS status; if ((llOperand >= 0) && (llOperand <= ULONG_MAX)) { *pulResult = (ULONG)llOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> ULONG_PTR conversion // #ifdef _WIN64 #define RtlLongLongToULongPtr RtlLongLongToULongLong #else #define RtlLongLongToULongPtr RtlLongLongToULong #endif // // LONGLONG -> DWORD conversion // #define RtlLongLongToDWord RtlLongLongToULong // // LONGLONG -> DWORD_PTR conversion // #define RtlLongLongToDWordPtr RtlLongLongToULongPtr // // LONGLONG -> ULONGLONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlLongLongToULongLong( _In_ LONGLONG llOperand, _Out_ _Deref_out_range_(==, llOperand) ULONGLONG* pullResult) { NTSTATUS status; if (llOperand >= 0) { *pullResult = (ULONGLONG)llOperand; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // LONGLONG -> DWORDLONG conversion // #define RtlLongLongToDWordLong RtlLongLongToULongLong // // LONGLONG -> ULONG64 conversion // #define RtlLongLongToULong64 RtlLongLongToULongLong // // LONGLONG -> DWORD64 conversion // #define RtlLongLongToDWord64 RtlLongLongToULongLong // // LONGLONG -> UINT64 conversion // #define RtlLongLongToUInt64 RtlLongLongToULongLong // // LONGLONG -> ptrdiff_t conversion // #define RtlLongLongToPtrdiffT RtlLongLongToIntPtr // // LONGLONG -> size_t conversion // #define RtlLongLongToSizeT RtlLongLongToUIntPtr // // LONGLONG -> SSIZE_T conversion // #define RtlLongLongToSSIZET RtlLongLongToLongPtr // // LONGLONG -> SIZE_T conversion // #define RtlLongLongToSIZET RtlLongLongToULongPtr // // LONG64 -> CHAR conversion // #define RtlLong64ToChar RtlLongLongToChar // // LONG64 -> INT8 conversion // #define RtlLong64ToInt8 RtlLongLongToInt8 // // LONG64 -> UCHAR conversion // #define RtlLong64ToUChar RtlLongLongToUChar // // LONG64 -> UINT8 conversion // #define RtlLong64ToUInt8 RtlLongLongToUInt8 // // LONG64 -> BYTE conversion // #define RtlLong64ToByte RtlLongLongToUInt8 // // LONG64 -> SHORT conversion // #define RtlLong64ToShort RtlLongLongToShort // // LONG64 -> INT16 conversion // #define RtlLong64ToInt16 RtlLongLongToShort // // LONG64 -> USHORT conversion // #define RtlLong64ToUShort RtlLongLongToUShort // // LONG64 -> UINT16 conversion // #define RtlLong64ToUInt16 RtlLongLongToUShort // // LONG64 -> WORD conversion // #define RtlLong64ToWord RtlLongLongToUShort // // LONG64 -> INT conversion // #define RtlLong64ToInt RtlLongLongToInt // // LONG64 -> INT32 conversion // #define RtlLong64ToInt32 RtlLongLongToInt // // LONG64 -> INT_PTR conversion // #define RtlLong64ToIntPtr RtlLongLongToIntPtr // // LONG64 -> UINT conversion // #define RtlLong64ToUInt RtlLongLongToUInt // // LONG64 -> UINT32 conversion // #define RtlLong64ToUInt32 RtlLongLongToUInt // // LONG64 -> UINT_PTR conversion // #define RtlLong64ToUIntPtr RtlLongLongToUIntPtr // // LONG64 -> LONG conversion // #define RtlLong64ToLong RtlLongLongToLong // // LONG64 -> LONG_PTR conversion // #define RtlLong64ToLongPtr RtlLongLongToLongPtr // // LONG64 -> ULONG conversion // #define RtlLong64ToULong RtlLongLongToULong // // LONG64 -> ULONG_PTR conversion // #define RtlLong64ToULongPtr RtlLongLongToULongPtr // // LONG64 -> DWORD conversion // #define RtlLong64ToDWord RtlLongLongToULong // // LONG64 -> DWORD_PTR conversion // #define RtlLong64ToDWordPtr RtlLongLongToULongPtr // // LONG64 -> ULONGLONG conversion // #define RtlLong64ToULongLong RtlLongLongToULongLong // // LONG64 -> ptrdiff_t conversion // #define RtlLong64ToPtrdiffT RtlLongLongToIntPtr // // LONG64 -> size_t conversion // #define RtlLong64ToSizeT RtlLongLongToUIntPtr // // LONG64 -> SSIZE_T conversion // #define RtlLong64ToSSIZET RtlLongLongToLongPtr // // LONG64 -> SIZE_T conversion // #define RtlLong64ToSIZET RtlLongLongToULongPtr // // RtlINT64 -> CHAR conversion // #define RtlInt64ToChar RtlLongLongToChar // // RtlINT64 -> INT8 conversion // #define RtlInt64ToInt8 RtlLongLongToInt8 // // RtlINT64 -> UCHAR conversion // #define RtlInt64ToUChar RtlLongLongToUChar // // RtlINT64 -> UINT8 conversion // #define RtlInt64ToUInt8 RtlLongLongToUInt8 // // RtlINT64 -> BYTE conversion // #define RtlInt64ToByte RtlLongLongToUInt8 // // RtlINT64 -> SHORT conversion // #define RtlInt64ToShort RtlLongLongToShort // // RtlINT64 -> INT16 conversion // #define RtlInt64ToInt16 RtlLongLongToShort // // RtlINT64 -> USHORT conversion // #define RtlInt64ToUShort RtlLongLongToUShort // // RtlINT64 -> UINT16 conversion // #define RtlInt64ToUInt16 RtlLongLongToUShort // // RtlINT64 -> WORD conversion // #define RtlInt64ToWord RtlLongLongToUShort // // RtlINT64 -> INT conversion // #define RtlInt64ToInt RtlLongLongToInt // // RtlINT64 -> INT32 conversion // #define RtlInt64ToInt32 RtlLongLongToInt // // RtlINT64 -> INT_PTR conversion // #define RtlInt64ToIntPtr RtlLongLongToIntPtr // // RtlINT64 -> UINT conversion // #define RtlInt64ToUInt RtlLongLongToUInt // // RtlINT64 -> UINT32 conversion // #define RtlInt64ToUInt32 RtlLongLongToUInt // // RtlINT64 -> UINT_PTR conversion // #define RtlInt64ToUIntPtr RtlLongLongToUIntPtr // // RtlINT64 -> LONG conversion // #define RtlInt64ToLong RtlLongLongToLong // // RtlINT64 -> LONG_PTR conversion // #define RtlInt64ToLongPtr RtlLongLongToLongPtr // // RtlINT64 -> ULONG conversion // #define RtlInt64ToULong RtlLongLongToULong // // RtlINT64 -> ULONG_PTR conversion // #define RtlInt64ToULongPtr RtlLongLongToULongPtr // // RtlINT64 -> DWORD conversion // #define RtlInt64ToDWord RtlLongLongToULong // // RtlINT64 -> DWORD_PTR conversion // #define RtlInt64ToDWordPtr RtlLongLongToULongPtr // // RtlINT64 -> ULONGLONG conversion // #define RtlInt64ToULongLong RtlLongLongToULongLong // // RtlINT64 -> DWORDLONG conversion // #define RtlInt64ToDWordLong RtlLongLongToULongLong // // RtlINT64 -> ULONG64 conversion // #define RtlInt64ToULong64 RtlLongLongToULongLong // // RtlINT64 -> DWORD64 conversion // #define RtlInt64ToDWord64 RtlLongLongToULongLong // // RtlINT64 -> UINT64 conversion // #define RtlInt64ToUInt64 RtlLongLongToULongLong // // RtlINT64 -> ptrdiff_t conversion // #define RtlInt64ToPtrdiffT RtlLongLongToIntPtr // // RtlINT64 -> size_t conversion // #define RtlInt64ToSizeT RtlLongLongToUIntPtr // // RtlINT64 -> SSIZE_T conversion // #define RtlInt64ToSSIZET RtlLongLongToLongPtr // // RtlINT64 -> SIZE_T conversion // #define RtlInt64ToSIZET RtlLongLongToULongPtr // // ULONGLONG -> INT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToInt8( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) INT8* pi8Result) { NTSTATUS status; if (ullOperand <= INT8_MAX) { *pi8Result = (INT8)ullOperand; status = STATUS_SUCCESS; } else { *pi8Result = INT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> UCHAR conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToUChar( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) UCHAR* pch) { NTSTATUS status; if (ullOperand <= 255) { *pch = (UCHAR)ullOperand; status = STATUS_SUCCESS; } else { *pch = '\0'; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> CHAR conversion // __forceinline NTSTATUS RtlULongLongToChar( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) CHAR* pch) { #ifdef _CHAR_UNSIGNED return RtlULongLongToUChar(ullOperand, (UCHAR*)pch); #else return RtlULongLongToInt8(ullOperand, (INT8*)pch); #endif } // // ULONGLONG -> UINT8 conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToUInt8( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) UINT8* pu8Result) { NTSTATUS status; if (ullOperand <= UINT8_MAX) { *pu8Result = (UINT8)ullOperand; status = STATUS_SUCCESS; } else { *pu8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> BYTE conversion // #define RtlULongLongToByte RtlULongLongToUInt8 // // ULONGLONG -> SHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToShort( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) SHORT* psResult) { NTSTATUS status; if (ullOperand <= SHORT_MAX) { *psResult = (SHORT)ullOperand; status = STATUS_SUCCESS; } else { *psResult = SHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> INT16 conversion // #define RtlULongLongToInt16 RtlULongLongToShort // // ULONGLONG -> USHORT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToUShort( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) USHORT* pusResult) { NTSTATUS status; if (ullOperand <= USHORT_MAX) { *pusResult = (USHORT)ullOperand; status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> UINT16 conversion // #define RtlULongLongToUInt16 RtlULongLongToUShort // // ULONGLONG -> WORD conversion // #define RtlULongLongToWord RtlULongLongToUShort // // ULONGLONG -> INT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToInt( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) INT* piResult) { NTSTATUS status; if (ullOperand <= INT_MAX) { *piResult = (INT)ullOperand; status = STATUS_SUCCESS; } else { *piResult = INT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> INT32 conversion // #define RtlULongLongToInt32 RtlULongLongToInt // // ULONGLONG -> INT_PTR conversion // #ifdef _WIN64 #define RtlULongLongToIntPtr RtlULongLongToLongLong #else #define RtlULongLongToIntPtr RtlULongLongToInt #endif // // ULONGLONG -> UINT conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToUInt( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) UINT* puResult) { NTSTATUS status; if (ullOperand <= UINT_MAX) { *puResult = (UINT)ullOperand; status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> UINT32 conversion // #define RtlULongLongToUInt32 RtlULongLongToUInt // // ULONGLONG -> UINT_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlULongLongToUIntPtr( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) UINT_PTR* puResult) { *puResult = ullOperand; return STATUS_SUCCESS; } #else #define RtlULongLongToUIntPtr RtlULongLongToUInt #endif // // ULONGLONG -> LONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToLong( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) LONG* plResult) { NTSTATUS status; if (ullOperand <= LONG_MAX) { *plResult = (LONG)ullOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> LONG_PTR conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToLongPtr( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) LONG_PTR* plResult) { NTSTATUS status; if (ullOperand <= LONG_PTR_MAX) { *plResult = (LONG_PTR)ullOperand; status = STATUS_SUCCESS; } else { *plResult = LONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> ULONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToULong( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) ULONG* pulResult) { NTSTATUS status; if (ullOperand <= ULONG_MAX) { *pulResult = (ULONG)ullOperand; status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> ULONG_PTR conversion // #ifdef _WIN64 _Must_inspect_result_ __inline NTSTATUS RtlULongLongToULongPtr( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) ULONG_PTR* pulResult) { *pulResult = ullOperand; return STATUS_SUCCESS; } #else #define RtlULongLongToULongPtr RtlULongLongToULong #endif // // ULONGLONG -> DWORD conversion // #define RtlULongLongToDWord RtlULongLongToULong // // ULONGLONG -> DWORD_PTR conversion // #define RtlULongLongToDWordPtr RtlULongLongToULongPtr // // ULONGLONG -> LONGLONG conversion // _Must_inspect_result_ __inline NTSTATUS RtlULongLongToLongLong( _In_ ULONGLONG ullOperand, _Out_ _Deref_out_range_(==, ullOperand) LONGLONG* pllResult) { NTSTATUS status; if (ullOperand <= LONGLONG_MAX) { *pllResult = (LONGLONG)ullOperand; status = STATUS_SUCCESS; } else { *pllResult = LONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONGLONG -> RtlINT64 conversion // #define RtlULongLongToInt64 RtlULongLongToLongLong // // ULONGLONG -> LONG64 conversion // #define RtlULongLongToLong64 RtlULongLongToLongLong // // ULONGLONG -> ptrdiff_t conversion // #define RtlULongLongToPtrdiffT RtlULongLongToIntPtr // // ULONGLONG -> size_t conversion // #define RtlULongLongToSizeT RtlULongLongToUIntPtr // // ULONGLONG -> SSIZE_T conversion // #define RtlULongLongToSSIZET RtlULongLongToLongPtr // // ULONGLONG -> SIZE_T conversion // #define RtlULongLongToSIZET RtlULongLongToULongPtr // // DWORDLONG -> CHAR conversion // #define RtlDWordLongToChar RtlULongLongToChar // // DWORDLONG -> INT8 conversion // #define RtlDWordLongToInt8 RtlULongLongToInt8 // // DWORDLONG -> UCHAR conversion // #define RtlDWordLongToUChar RtlULongLongToUChar // // DWORDLONG -> UINT8 conversion // #define RtlDWordLongToUInt8 RtlULongLongToUInt8 // // DWORDLONG -> BYTE conversion // #define RtlDWordLongToByte RtlULongLongToUInt8 // // DWORDLONG -> SHORT conversion // #define RtlDWordLongToShort RtlULongLongToShort // // DWORDLONG -> INT16 conversion // #define RtlDWordLongToInt16 RtlULongLongToShort // // DWORDLONG -> USHORT conversion // #define RtlDWordLongToUShort RtlULongLongToUShort // // DWORDLONG -> UINT16 conversion // #define RtlDWordLongToUInt16 RtlULongLongToUShort // // DWORDLONG -> WORD conversion // #define RtlDWordLongToWord RtlULongLongToUShort // // DWORDLONG -> INT conversion // #define RtlDWordLongToInt RtlULongLongToInt // // DWORDLONG -> INT32 conversion // #define RtlDWordLongToInt32 RtlULongLongToInt // // DWORDLONG -> INT_PTR conversion // #define RtlDWordLongToIntPtr RtlULongLongToIntPtr // // DWORDLONG -> UINT conversion // #define RtlDWordLongToUInt RtlULongLongToUInt // // DWORDLONG -> UINT32 conversion // #define RtlDWordLongToUInt32 RtlULongLongToUInt // // DWORDLONG -> UINT_PTR conversion // #define RtlDWordLongToUIntPtr RtlULongLongToUIntPtr // // DWORDLONG -> LONG conversion // #define RtlDWordLongToLong RtlULongLongToLong // // DWORDLONG -> LONG_PTR conversion // #define RtlDWordLongToLongPtr RtlULongLongToLongPtr // // DWORDLONG -> ULONG conversion // #define RtlDWordLongToULong RtlULongLongToULong // // DWORDLONG -> ULONG_PTR conversion // #define RtlDWordLongToULongPtr RtlULongLongToULongPtr // // DWORDLONG -> DWORD conversion // #define RtlDWordLongToDWord RtlULongLongToULong // // DWORDLONG -> DWORD_PTR conversion // #define RtlDWordLongToDWordPtr RtlULongLongToULongPtr // // DWORDLONG -> LONGLONG conversion // #define RtlDWordLongToLongLong RtlULongLongToLongLong // // DWORDLONG -> LONG64 conversion // #define RtlDWordLongToLong64 RtlULongLongToLongLong // // DWORDLONG -> RtlINT64 conversion // #define RtlDWordLongToInt64 RtlULongLongToLongLong // // DWORDLONG -> ptrdiff_t conversion // #define RtlDWordLongToPtrdiffT RtlULongLongToIntPtr // // DWORDLONG -> size_t conversion // #define RtlDWordLongToSizeT RtlULongLongToUIntPtr // // DWORDLONG -> SSIZE_T conversion // #define RtlDWordLongToSSIZET RtlULongLongToLongPtr // // DWORDLONG -> SIZE_T conversion // #define RtlDWordLongToSIZET RtlULongLongToULongPtr // // ULONG64 -> CHAR conversion // #define RtlULong64ToChar RtlULongLongToChar // // ULONG64 -> INT8 conversion // #define RtlULong64ToInt8 RtlULongLongToInt8 // // ULONG64 -> UCHAR conversion // #define RtlULong64ToUChar RtlULongLongToUChar // // ULONG64 -> UINT8 conversion // #define RtlULong64ToUInt8 RtlULongLongToUInt8 // // ULONG64 -> BYTE conversion // #define RtlULong64ToByte RtlULongLongToUInt8 // // ULONG64 -> SHORT conversion // #define RtlULong64ToShort RtlULongLongToShort // // ULONG64 -> INT16 conversion // #define RtlULong64ToInt16 RtlULongLongToShort // // ULONG64 -> USHORT conversion // #define RtlULong64ToUShort RtlULongLongToUShort // // ULONG64 -> UINT16 conversion // #define RtlULong64ToUInt16 RtlULongLongToUShort // // ULONG64 -> WORD conversion // #define RtlULong64ToWord RtlULongLongToUShort // // ULONG64 -> INT conversion // #define RtlULong64ToInt RtlULongLongToInt // // ULONG64 -> INT32 conversion // #define RtlULong64ToInt32 RtlULongLongToInt // // ULONG64 -> INT_PTR conversion // #define RtlULong64ToIntPtr RtlULongLongToIntPtr // // ULONG64 -> UINT conversion // #define RtlULong64ToUInt RtlULongLongToUInt // // ULONG64 -> UINT32 conversion // #define RtlULong64ToUInt32 RtlULongLongToUInt // // ULONG64 -> UINT_PTR conversion // #define RtlULong64ToUIntPtr RtlULongLongToUIntPtr // // ULONG64 -> LONG conversion // #define RtlULong64ToLong RtlULongLongToLong // // ULONG64 -> LONG_PTR conversion // #define RtlULong64ToLongPtr RtlULongLongToLongPtr // // ULONG64 -> ULONG conversion // #define RtlULong64ToULong RtlULongLongToULong // // ULONG64 -> ULONG_PTR conversion // #define RtlULong64ToULongPtr RtlULongLongToULongPtr // // ULONG64 -> DWORD conversion // #define RtlULong64ToDWord RtlULongLongToULong // // ULONG64 -> DWORD_PTR conversion // #define RtlULong64ToDWordPtr RtlULongLongToULongPtr // // ULONG64 -> LONGLONG conversion // #define RtlULong64ToLongLong RtlULongLongToLongLong // // ULONG64 -> LONG64 conversion // #define RtlULong64ToLong64 RtlULongLongToLongLong // // ULONG64 -> RtlINT64 conversion // #define RtlULong64ToInt64 RtlULongLongToLongLong // // ULONG64 -> ptrdiff_t conversion // #define RtlULong64ToPtrdiffT RtlULongLongToIntPtr // // ULONG64 -> size_t conversion // #define RtlULong64ToSizeT RtlULongLongToUIntPtr // // ULONG64 -> SSIZE_T conversion // #define RtlULong64ToSSIZET RtlULongLongToLongPtr // // ULONG64 -> SIZE_T conversion // #define RtlULong64ToSIZET RtlULongLongToULongPtr // // DWORD64 -> CHAR conversion // #define RtlDWord64ToChar RtlULongLongToChar // // DWORD64 -> INT8 conversion // #define RtlDWord64ToInt8 RtlULongLongToInt8 // // DWORD64 -> UCHAR conversion // #define RtlDWord64ToUChar RtlULongLongToUChar // // DWORD64 -> UINT8 conversion // #define RtlDWord64ToUInt8 RtlULongLongToUInt8 // // DWORD64 -> BYTE conversion // #define RtlDWord64ToByte RtlULongLongToUInt8 // // DWORD64 -> SHORT conversion // #define RtlDWord64ToShort RtlULongLongToShort // // DWORD64 -> INT16 conversion // #define RtlDWord64ToInt16 RtlULongLongToShort // // DWORD64 -> USHORT conversion // #define RtlDWord64ToUShort RtlULongLongToUShort // // DWORD64 -> UINT16 conversion // #define RtlDWord64ToUInt16 RtlULongLongToUShort // // DWORD64 -> WORD conversion // #define RtlDWord64ToWord RtlULongLongToUShort // // DWORD64 -> INT conversion // #define RtlDWord64ToInt RtlULongLongToInt // // DWORD64 -> INT32 conversion // #define RtlDWord64ToInt32 RtlULongLongToInt // // DWORD64 -> INT_PTR conversion // #define RtlDWord64ToIntPtr RtlULongLongToIntPtr // // DWORD64 -> UINT conversion // #define RtlDWord64ToUInt RtlULongLongToUInt // // DWORD64 -> UINT32 conversion // #define RtlDWord64ToUInt32 RtlULongLongToUInt // // DWORD64 -> UINT_PTR conversion // #define RtlDWord64ToUIntPtr RtlULongLongToUIntPtr // // DWORD64 -> LONG conversion // #define RtlDWord64ToLong RtlULongLongToLong // // DWORD64 -> LONG_PTR conversion // #define RtlDWord64ToLongPtr RtlULongLongToLongPtr // // DWORD64 -> ULONG conversion // #define RtlDWord64ToULong RtlULongLongToULong // // DWORD64 -> ULONG_PTR conversion // #define RtlDWord64ToULongPtr RtlULongLongToULongPtr // // DWORD64 -> DWORD conversion // #define RtlDWord64ToDWord RtlULongLongToULong // // DWORD64 -> DWORD_PTR conversion // #define RtlDWord64ToDWordPtr RtlULongLongToULongPtr // // DWORD64 -> LONGLONG conversion // #define RtlDWord64ToLongLong RtlULongLongToLongLong // // DWORD64 -> LONG64 conversion // #define RtlDWord64ToLong64 RtlULongLongToLongLong // // DWORD64 -> RtlINT64 conversion // #define RtlDWord64ToInt64 RtlULongLongToLongLong // // DWORD64 -> ptrdiff_t conversion // #define RtlDWord64ToPtrdiffT RtlULongLongToIntPtr // // DWORD64 -> size_t conversion // #define RtlDWord64ToSizeT RtlULongLongToUIntPtr // // DWORD64 -> SSIZE_T conversion // #define RtlDWord64ToSSIZET RtlULongLongToLongPtr // // DWORD64 -> SIZE_T conversion // #define RtlDWord64ToSIZET RtlULongLongToULongPtr // // UINT64 -> CHAR conversion // #define RtlUInt64ToChar RtlULongLongToChar // // UINT64 -> INT8 conversion // #define RtlUInt64ToInt8 RtlULongLongToInt8 // // UINT64 -> UCHAR conversion // #define RtlUInt64ToUChar RtlULongLongToUChar // // UINT64 -> UINT8 conversion // #define RtlUInt64ToUInt8 RtlULongLongToUInt8 // // UINT64 -> BYTE conversion // #define RtlUInt64ToByte RtlULongLongToUInt8 // // UINT64 -> SHORT conversion // #define RtlUInt64ToShort RtlULongLongToShort // // UINT64 -> INT16 conversion // // #define RtlUInt64ToInt16 RtlULongLongToShort // // UINT64 -> USHORT conversion // #define RtlUInt64ToUShort RtlULongLongToUShort // // UINT64 -> UINT16 conversion // #define RtlUInt64ToUInt16 RtlULongLongToUShort // // UINT64 -> WORD conversion // #define RtlUInt64ToWord RtlULongLongToUShort // // UINT64 -> INT conversion // #define RtlUInt64ToInt RtlULongLongToInt // // UINT64 -> INT32 conversion // #define RtlUInt64ToInt32 RtlULongLongToInt // // UINT64 -> INT_PTR conversion // #define RtlUInt64ToIntPtr RtlULongLongToIntPtr // // UINT64 -> UINT conversion // #define RtlUInt64ToUInt RtlULongLongToUInt // // UINT64 -> UINT32 conversion // #define RtlUInt64ToUInt32 RtlULongLongToUInt // // UINT64 -> UINT_PTR conversion // #define RtlUInt64ToUIntPtr RtlULongLongToUIntPtr // // UINT64 -> LONG conversion // #define RtlUInt64ToLong RtlULongLongToLong // // UINT64 -> LONG_PTR conversion // #define RtlUInt64ToLongPtr RtlULongLongToLongPtr // // UINT64 -> ULONG conversion // #define RtlUInt64ToULong RtlULongLongToULong // // UINT64 -> ULONG_PTR conversion // #define RtlUInt64ToULongPtr RtlULongLongToULongPtr // // UINT64 -> DWORD conversion // #define RtlUInt64ToDWord RtlULongLongToULong // // UINT64 -> DWORD_PTR conversion // #define RtlUInt64ToDWordPtr RtlULongLongToULongPtr // // UINT64 -> LONGLONG conversion // #define RtlUInt64ToLongLong RtlULongLongToLongLong // // UINT64 -> LONG64 conversion // #define RtlUInt64ToLong64 RtlULongLongToLongLong // // UINT64 -> RtlINT64 conversion // #define RtlUInt64ToInt64 RtlULongLongToLongLong // // UINT64 -> ptrdiff_t conversion // #define RtlUInt64ToPtrdiffT RtlULongLongToIntPtr // // UINT64 -> size_t conversion // #define RtlUInt64ToSizeT RtlULongLongToUIntPtr // // UINT64 -> SSIZE_T conversion // #define RtlUInt64ToSSIZET RtlULongLongToLongPtr // // UINT64 -> SIZE_T conversion // #define RtlUInt64ToSIZET RtlULongLongToULongPtr // // ptrdiff_t -> CHAR conversion // #define RtlPtrdiffTToChar RtlIntPtrToChar // // ptrdiff_t -> INT8 conversion // #define RtlPtrdiffTToInt8 RtlIntPtrToInt8 // // ptrdiff_t -> UCHAR conversion // #define RtlPtrdiffTToUChar RtlIntPtrToUChar // // ptrdiff_t -> UINT8 conversion // #define RtlPtrdiffTToUInt8 RtlIntPtrToUInt8 // // ptrdiff_t -> BYTE conversion // #define RtlPtrdiffTToByte RtlIntPtrToUInt8 // // ptrdiff_t -> SHORT conversion // #define RtlPtrdiffTToShort RtlIntPtrToShort // // ptrdiff_t -> INT16 conversion // #define RtlPtrdiffTToInt16 RtlIntPtrToShort // // ptrdiff_t -> USHORT conversion // #define RtlPtrdiffTToUShort RtlIntPtrToUShort // // ptrdiff_t -> UINT16 conversion // #define RtlPtrdiffTToUInt16 RtlIntPtrToUShort // // ptrdiff_t -> WORD conversion // #define RtlPtrdiffTToWord RtlIntPtrToUShort // // ptrdiff_t -> INT conversion // #define RtlPtrdiffTToInt RtlIntPtrToInt // // ptrdiff_t -> INT32 conversion // #define RtlPtrdiffTToInt32 RtlIntPtrToInt // // ptrdiff_t -> UINT conversion // #define RtlPtrdiffTToUInt RtlIntPtrToUInt // // ptrdiff_t -> UINT32 conversion // #define RtlPtrdiffTToUInt32 RtlIntPtrToUInt // // ptrdiff_t -> UINT_PTR conversion // #define RtlPtrdiffTToUIntPtr RtlIntPtrToUIntPtr // // ptrdiff_t -> LONG conversion // #define RtlPtrdiffTToLong RtlIntPtrToLong // // ptrdiff_t -> LONG_PTR conversion // #define RtlPtrdiffTToLongPtr RtlIntPtrToLongPtr // // ptrdiff_t -> ULONG conversion // #define RtlPtrdiffTToULong RtlIntPtrToULong // // ptrdiff_t -> ULONG_PTR conversion // #define RtlPtrdiffTToULongPtr RtlIntPtrToULongPtr // // ptrdiff_t -> DWORD conversion // #define RtlPtrdiffTToDWord RtlIntPtrToULong // // ptrdiff_t -> DWORD_PTR conversion // #define RtlPtrdiffTToDWordPtr RtlIntPtrToULongPtr // // ptrdiff_t -> ULONGLONG conversion // #define RtlPtrdiffTToULongLong RtlIntPtrToULongLong // // ptrdiff_t -> DWORDLONG conversion // #define RtlPtrdiffTToDWordLong RtlIntPtrToULongLong // // ptrdiff_t -> ULONG64 conversion // #define RtlPtrdiffTToULong64 RtlIntPtrToULongLong // // ptrdiff_t -> DWORD64 conversion // #define RtlPtrdiffTToDWord64 RtlIntPtrToULongLong // // ptrdiff_t -> UINT64 conversion // #define RtlPtrdiffTToUInt64 RtlIntPtrToULongLong // // ptrdiff_t -> size_t conversion // #define RtlPtrdiffTToSizeT RtlIntPtrToUIntPtr // // ptrdiff_t -> SIZE_T conversion // #define RtlPtrdiffTToSIZET RtlIntPtrToULongPtr // // size_t -> INT8 conversion // #define RtlSizeTToInt8 RtlUIntPtrToInt8 // // size_t -> UCHAR conversion // #define RtlSizeTToUChar RtlUIntPtrToUChar // // size_t -> CHAR conversion // #define RtlSizeTToChar RtlUIntPtrToChar // // size_t -> UINT8 conversion // #define RtlSizeTToUInt8 RtlUIntPtrToUInt8 // // size_t -> BYTE conversion // #define RtlSizeTToByte RtlUIntPtrToUInt8 // // size_t -> SHORT conversion // #define RtlSizeTToShort RtlUIntPtrToShort // // size_t -> INT16 conversion // #define RtlSizeTToInt16 RtlUIntPtrToShort // // size_t -> USHORT conversion // #define RtlSizeTToUShort RtlUIntPtrToUShort // // size_t -> UINT16 conversion // #define RtlSizeTToUInt16 RtlUIntPtrToUShort // // size_t -> WORD // #define RtlSizeTToWord RtlUIntPtrToUShort // // size_t -> INT conversion // #define RtlSizeTToInt RtlUIntPtrToInt // // size_t -> INT32 conversion // #define RtlSizeTToInt32 RtlUIntPtrToInt // // size_t -> INT_PTR conversion // #define RtlSizeTToIntPtr RtlUIntPtrToIntPtr // // size_t -> UINT conversion // #define RtlSizeTToUInt RtlUIntPtrToUInt // // size_t -> UINT32 conversion // #define RtlSizeTToUInt32 RtlUIntPtrToUInt // // size_t -> LONG conversion // #define RtlSizeTToLong RtlUIntPtrToLong // // size_t -> LONG_PTR conversion // #define RtlSizeTToLongPtr RtlUIntPtrToLongPtr // // size_t -> ULONG conversion // #define RtlSizeTToULong RtlUIntPtrToULong // // size_t -> DWORD conversion // #define RtlSizeTToDWord RtlUIntPtrToULong // // size_t -> LONGLONG conversion // #define RtlSizeTToLongLong RtlUIntPtrToLongLong // // size_t -> LONG64 conversion // #define RtlSizeTToLong64 RtlUIntPtrToLongLong // // size_t -> RtlINT64 // #define RtlSizeTToInt64 RtlUIntPtrToLongLong // // size_t -> ptrdiff_t conversion // #define RtlSizeTToPtrdiffT RtlUIntPtrToIntPtr // // size_t -> SSIZE_T conversion // #define RtlSizeTToSSIZET RtlUIntPtrToLongPtr // // SSIZE_T -> INT8 conversion // #define RtlSSIZETToInt8 RtlLongPtrToInt8 // // SSIZE_T -> UCHAR conversion // #define RtlSSIZETToUChar RtlLongPtrToUChar // // SSIZE_T -> CHAR conversion // #define RtlSSIZETToChar RtlLongPtrToChar // // SSIZE_T -> UINT8 conversion // #define RtlSSIZETToUInt8 RtlLongPtrToUInt8 // // SSIZE_T -> BYTE conversion // #define RtlSSIZETToByte RtlLongPtrToUInt8 // // SSIZE_T -> SHORT conversion // #define RtlSSIZETToShort RtlLongPtrToShort // // SSIZE_T -> INT16 conversion // #define RtlSSIZETToInt16 RtlLongPtrToShort // // SSIZE_T -> USHORT conversion // #define RtlSSIZETToUShort RtlLongPtrToUShort // // SSIZE_T -> UINT16 conversion // #define RtlSSIZETToUInt16 RtlLongPtrToUShort // // SSIZE_T -> WORD conversion // #define RtlSSIZETToWord RtlLongPtrToUShort // // SSIZE_T -> INT conversion // #define RtlSSIZETToInt RtlLongPtrToInt // // SSIZE_T -> INT32 conversion // #define RtlSSIZETToInt32 RtlLongPtrToInt // // SSIZE_T -> INT_PTR conversion // #define RtlSSIZETToIntPtr RtlLongPtrToIntPtr // // SSIZE_T -> UINT conversion // #define RtlSSIZETToUInt RtlLongPtrToUInt // // SSIZE_T -> UINT32 conversion // #define RtlSSIZETToUInt32 RtlLongPtrToUInt // // SSIZE_T -> UINT_PTR conversion // #define RtlSSIZETToUIntPtr RtlLongPtrToUIntPtr // // SSIZE_T -> LONG conversion // #define RtlSSIZETToLong RtlLongPtrToLong // // SSIZE_T -> ULONG conversion // #define RtlSSIZETToULong RtlLongPtrToULong // // SSIZE_T -> ULONG_PTR conversion // #define RtlSSIZETToULongPtr RtlLongPtrToULongPtr // // SSIZE_T -> DWORD conversion // #define RtlSSIZETToDWord RtlLongPtrToULong // // SSIZE_T -> DWORD_PTR conversion // #define RtlSSIZETToDWordPtr RtlLongPtrToULongPtr // // SSIZE_T -> ULONGLONG conversion // #define RtlSSIZETToULongLong RtlLongPtrToULongLong // // SSIZE_T -> DWORDLONG conversion // #define RtlSSIZETToDWordLong RtlLongPtrToULongLong // // SSIZE_T -> ULONG64 conversion // #define RtlSSIZETToULong64 RtlLongPtrToULongLong // // SSIZE_T -> DWORD64 conversion // #define RtlSSIZETToDWord64 RtlLongPtrToULongLong // // SSIZE_T -> UINT64 conversion // #define RtlSSIZETToUInt64 RtlLongPtrToULongLong // // SSIZE_T -> size_t conversion // #define RtlSSIZETToSizeT RtlLongPtrToUIntPtr // // SSIZE_T -> SIZE_T conversion // #define RtlSSIZETToSIZET RtlLongPtrToULongPtr // // SIZE_T -> INT8 conversion // #define RtlSIZETToInt8 RtlULongPtrToInt8 // // SIZE_T -> UCHAR conversion // #define RtlSIZETToUChar RtlULongPtrToUChar // // SIZE_T -> CHAR conversion // #define RtlSIZETToChar RtlULongPtrToChar // // SIZE_T -> UINT8 conversion // #define RtlSIZETToUInt8 RtlULongPtrToUInt8 // // SIZE_T -> BYTE conversion // #define RtlSIZETToByte RtlULongPtrToUInt8 // // SIZE_T -> SHORT conversion // #define RtlSIZETToShort RtlULongPtrToShort // // SIZE_T -> INT16 conversion // #define RtlSIZETToInt16 RtlULongPtrToShort // // SIZE_T -> USHORT conversion // #define RtlSIZETToUShort RtlULongPtrToUShort // // SIZE_T -> UINT16 conversion // #define RtlSIZETToUInt16 RtlULongPtrToUShort // // SIZE_T -> WORD // #define RtlSIZETToWord RtlULongPtrToUShort // // SIZE_T -> INT conversion // #define RtlSIZETToInt RtlULongPtrToInt // // SIZE_T -> INT32 conversion // #define RtlSIZETToInt32 RtlULongPtrToInt // // SIZE_T -> INT_PTR conversion // #define RtlSIZETToIntPtr RtlULongPtrToIntPtr // // SIZE_T -> UINT conversion // #define RtlSIZETToUInt RtlULongPtrToUInt // // SIZE_T -> UINT32 conversion // #define RtlSIZETToUInt32 RtlULongPtrToUInt // // SIZE_T -> UINT_PTR conversion // #define RtlSIZETToUIntPtr RtlULongPtrToUIntPtr // // SIZE_T -> LONG conversion // #define RtlSIZETToLong RtlULongPtrToLong // // SIZE_T -> LONG_PTR conversion // #define RtlSIZETToLongPtr RtlULongPtrToLongPtr // // SIZE_T -> ULONG conversion // #define RtlSIZETToULong RtlULongPtrToULong // // SIZE_T -> DWORD conversion // #define RtlSIZETToDWord RtlULongPtrToULong // // SIZE_T -> LONGLONG conversion // #define RtlSIZETToLongLong RtlULongPtrToLongLong // // SIZE_T -> LONG64 conversion // #define RtlSIZETToLong64 RtlULongPtrToLongLong // // SIZE_T -> RtlINT64 // #define RtlSIZETToInt64 RtlULongPtrToLongLong // // SIZE_T -> ptrdiff_t conversion // #define RtlSIZETToPtrdiffT RtlULongPtrToIntPtr // // SIZE_T -> SSIZE_T conversion // #define RtlSIZETToSSIZET RtlULongPtrToLongPtr //============================================================================= // Addition functions //============================================================================= // // UINT8 addition // _Must_inspect_result_ __inline NTSTATUS RtlUInt8Add( _In_ UINT8 u8Augend, _In_ UINT8 u8Addend, _Out_ _Deref_out_range_(==, u8Augend + u8Addend) UINT8* pu8Result) { NTSTATUS status; if (((UINT8)(u8Augend + u8Addend)) >= u8Augend) { *pu8Result = (UINT8)(u8Augend + u8Addend); status = STATUS_SUCCESS; } else { *pu8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // USHORT addition // _Must_inspect_result_ __inline NTSTATUS RtlUShortAdd( _In_ USHORT usAugend, _In_ USHORT usAddend, _Out_ _Deref_out_range_(==, usAugend + usAddend) USHORT* pusResult) { NTSTATUS status; if (((USHORT)(usAugend + usAddend)) >= usAugend) { *pusResult = (USHORT)(usAugend + usAddend); status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT16 addition // #define RtlUInt16Add RtlUShortAdd // // WORD addition // #define RtlWordAdd RtlUShortAdd // // UINT addition // _Must_inspect_result_ __inline NTSTATUS RtlUIntAdd( _In_ UINT uAugend, _In_ UINT uAddend, _Out_ _Deref_out_range_(==, uAugend + uAddend) UINT* puResult) { NTSTATUS status; if ((uAugend + uAddend) >= uAugend) { *puResult = (uAugend + uAddend); status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT32 addition // #define RtlUInt32Add RtlUIntAdd // // UINT_PTR addition // #ifdef _WIN64 #define RtlUIntPtrAdd RtlULongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrAdd( _In_ UINT_PTR uAugend, _In_ UINT_PTR uAddend, _Out_ _Deref_out_range_(==, uAugend + uAddend) UINT_PTR* puResult) { NTSTATUS status; if ((uAugend + uAddend) >= uAugend) { *puResult = (uAugend + uAddend); status = STATUS_SUCCESS; } else { *puResult = UINT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // ULONG addition // _Must_inspect_result_ __inline NTSTATUS RtlULongAdd( _In_ ULONG ulAugend, _In_ ULONG ulAddend, _Out_ _Deref_out_range_(==, ulAugend + ulAddend) ULONG* pulResult) { NTSTATUS status; if ((ulAugend + ulAddend) >= ulAugend) { *pulResult = (ulAugend + ulAddend); status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR addition // #ifdef _WIN64 #define RtlULongPtrAdd RtlULongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlULongPtrAdd( _In_ ULONG_PTR ulAugend, _In_ ULONG_PTR ulAddend, _Out_ _Deref_out_range_(==, ulAugend + ulAddend) ULONG_PTR* pulResult) { NTSTATUS status; if ((ulAugend + ulAddend) >= ulAugend) { *pulResult = (ulAugend + ulAddend); status = STATUS_SUCCESS; } else { *pulResult = ULONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // DWORD addition // #define RtlDWordAdd RtlULongAdd // // DWORD_PTR addition // #ifdef _WIN64 #define RtlDWordPtrAdd RtlULongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlDWordPtrAdd( _In_ DWORD_PTR dwAugend, _In_ DWORD_PTR dwAddend, _Out_ _Deref_out_range_(==, dwAugend + dwAddend) DWORD_PTR* pdwResult) { NTSTATUS status; if ((dwAugend + dwAddend) >= dwAugend) { *pdwResult = (dwAugend + dwAddend); status = STATUS_SUCCESS; } else { *pdwResult = DWORD_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // size_t addition // _Must_inspect_result_ __inline NTSTATUS RtlSizeTAdd( _In_ size_t Augend, _In_ size_t Addend, _Out_ _Deref_out_range_(==, Augend + Addend) size_t* pResult) { NTSTATUS status; if ((Augend + Addend) >= Augend) { *pResult = (Augend + Addend); status = STATUS_SUCCESS; } else { *pResult = SIZE_T_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SIZE_T addition // #ifdef _WIN64 #define RtlSIZETAdd RtlULongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlSIZETAdd( _In_ SIZE_T Augend, _In_ SIZE_T Addend, _Out_ _Deref_out_range_(==, Augend + Addend) SIZE_T* pResult) { NTSTATUS status; if ((Augend + Addend) >= Augend) { *pResult = (Augend + Addend); status = STATUS_SUCCESS; } else { *pResult = _SIZE_T_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // ULONGLONG addition // _Must_inspect_result_ __inline NTSTATUS RtlULongLongAdd( _In_ ULONGLONG ullAugend, _In_ ULONGLONG ullAddend, _Out_ _Deref_out_range_(==, ullAugend + ullAddend) ULONGLONG* pullResult) { NTSTATUS status; if ((ullAugend + ullAddend) >= ullAugend) { *pullResult = (ullAugend + ullAddend); status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // DWORDLONG addition // #define RtlDWordLongAdd RtlULongLongAdd // // ULONG64 addition // #define RtlULong64Add RtlULongLongAdd // // DWORD64 addition // #define RtlDWord64Add RtlULongLongAdd // // UINT64 addition // #define RtlUInt64Add RtlULongLongAdd //============================================================================= // Subtraction functions //============================================================================= // // UINT8 subtraction // _Must_inspect_result_ __inline NTSTATUS RtlUInt8Sub( _In_ UINT8 u8Minuend, _In_ UINT8 u8Subtrahend, _Out_ _Deref_out_range_(==, u8Minuend - u8Subtrahend) UINT8* pu8Result) { NTSTATUS status; if (u8Minuend >= u8Subtrahend) { *pu8Result = (UINT8)(u8Minuend - u8Subtrahend); status = STATUS_SUCCESS; } else { *pu8Result = UINT8_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // USHORT subtraction // _Must_inspect_result_ __inline NTSTATUS RtlUShortSub( _In_ USHORT usMinuend, _In_ USHORT usSubtrahend, _Out_ _Deref_out_range_(==, usMinuend - usSubtrahend) USHORT* pusResult) { NTSTATUS status; if (usMinuend >= usSubtrahend) { *pusResult = (USHORT)(usMinuend - usSubtrahend); status = STATUS_SUCCESS; } else { *pusResult = USHORT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT16 subtraction // #define RtlUInt16Sub RtlUShortSub // // WORD subtraction // #define RtlWordSub RtlUShortSub // // UINT subtraction // _Must_inspect_result_ __inline NTSTATUS RtlUIntSub( _In_ UINT uMinuend, _In_ UINT uSubtrahend, _Out_ _Deref_out_range_(==, uMinuend - uSubtrahend) UINT* puResult) { NTSTATUS status; if (uMinuend >= uSubtrahend) { *puResult = (uMinuend - uSubtrahend); status = STATUS_SUCCESS; } else { *puResult = UINT_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // UINT32 subtraction // #define RtlUInt32Sub RtlUIntSub // // UINT_PTR subtraction // #ifdef _WIN64 #define RtlUIntPtrSub RtlULongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrSub( _In_ UINT_PTR uMinuend, _In_ UINT_PTR uSubtrahend, _Out_ _Deref_out_range_(==, uMinuend - uSubtrahend) UINT_PTR* puResult) { NTSTATUS status; if (uMinuend >= uSubtrahend) { *puResult = (uMinuend - uSubtrahend); status = STATUS_SUCCESS; } else { *puResult = UINT_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // ULONG subtraction // _Must_inspect_result_ __inline NTSTATUS RtlULongSub( _In_ ULONG ulMinuend, _In_ ULONG ulSubtrahend, _Out_ _Deref_out_range_(==, ulMinuend - ulSubtrahend) ULONG* pulResult) { NTSTATUS status; if (ulMinuend >= ulSubtrahend) { *pulResult = (ulMinuend - ulSubtrahend); status = STATUS_SUCCESS; } else { *pulResult = ULONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // ULONG_PTR subtraction // #ifdef _WIN64 #define RtlULongPtrSub RtlULongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlULongPtrSub( _In_ ULONG_PTR ulMinuend, _In_ ULONG_PTR ulSubtrahend, _Out_ _Deref_out_range_(==, ulMinuend - ulSubtrahend) ULONG_PTR* pulResult) { NTSTATUS status; if (ulMinuend >= ulSubtrahend) { *pulResult = (ulMinuend - ulSubtrahend); status = STATUS_SUCCESS; } else { *pulResult = ULONG_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // DWORD subtraction // #define RtlDWordSub RtlULongSub // // DWORD_PTR subtraction // #ifdef _WIN64 #define RtlDWordPtrSub RtlULongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlDWordPtrSub( _In_ DWORD_PTR dwMinuend, _In_ DWORD_PTR dwSubtrahend, _Out_ _Deref_out_range_(==, dwMinuend - dwSubtrahend) DWORD_PTR* pdwResult) { NTSTATUS status; if (dwMinuend >= dwSubtrahend) { *pdwResult = (dwMinuend - dwSubtrahend); status = STATUS_SUCCESS; } else { *pdwResult = DWORD_PTR_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // size_t subtraction // _Must_inspect_result_ __inline NTSTATUS RtlSizeTSub( _In_ size_t Minuend, _In_ size_t Subtrahend, _Out_ _Deref_out_range_(==, Minuend - Subtrahend) size_t* pResult) { NTSTATUS status; if (Minuend >= Subtrahend) { *pResult = (Minuend - Subtrahend); status = STATUS_SUCCESS; } else { *pResult = SIZE_T_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // SIZE_T subtraction // #ifdef _WIN64 #define RtlSIZETSub RtlULongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlSIZETSub( _In_ SIZE_T Minuend, _In_ SIZE_T Subtrahend, _Out_ _Deref_out_range_(==, Minuend - Subtrahend) SIZE_T* pResult) { NTSTATUS status; if (Minuend >= Subtrahend) { *pResult = (Minuend - Subtrahend); status = STATUS_SUCCESS; } else { *pResult = _SIZE_T_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } #endif // _WIN64 // // ULONGLONG subtraction // _Must_inspect_result_ __inline NTSTATUS RtlULongLongSub( _In_ ULONGLONG ullMinuend, _In_ ULONGLONG ullSubtrahend, _Out_ _Deref_out_range_(==, ullMinuend - ullSubtrahend) ULONGLONG* pullResult) { NTSTATUS status; if (ullMinuend >= ullSubtrahend) { *pullResult = (ullMinuend - ullSubtrahend); status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } return status; } // // DWORDLONG subtraction // #define RtlDWordLongSub RtlULongLongSub // // ULONG64 subtraction // #define RtlULong64Sub RtlULongLongSub // // DWORD64 subtraction // #define RtlDWord64Sub RtlULongLongSub // // UINT64 subtraction // #define RtlUInt64Sub RtlULongLongSub //============================================================================= // Multiplication functions //============================================================================= // // UINT8 multiplication // _Must_inspect_result_ __inline NTSTATUS RtlUInt8Mult( _In_ UINT8 u8Multiplicand, _In_ UINT8 u8Multiplier, _Out_ _Deref_out_range_(==, u8Multiplicand * u8Multiplier) UINT8* pu8Result) { UINT uResult = ((UINT)u8Multiplicand) * ((UINT)u8Multiplier); return RtlUIntToUInt8(uResult, pu8Result); } // // USHORT multiplication // _Must_inspect_result_ __inline NTSTATUS RtlUShortMult( _In_ USHORT usMultiplicand, _In_ USHORT usMultiplier, _Out_ _Deref_out_range_(==, usMultiplicand * usMultiplier) USHORT* pusResult) { ULONG ulResult = ((ULONG)usMultiplicand) * ((ULONG)usMultiplier); return RtlULongToUShort(ulResult, pusResult); } // // UINT16 multiplication // #define RtlUInt16Mult RtlUShortMult // // WORD multiplication // #define RtlWordMult RtlUShortMult // // UINT multiplication // _Must_inspect_result_ __inline NTSTATUS RtlUIntMult( _In_ UINT uMultiplicand, _In_ UINT uMultiplier, _Out_ _Deref_out_range_(==, uMultiplicand * uMultiplier) UINT* puResult) { ULONGLONG ull64Result = UInt32x32To64(uMultiplicand, uMultiplier); return RtlULongLongToUInt(ull64Result, puResult); } // // UINT32 multiplication // #define RtlUInt32Mult RtlUIntMult // // UINT_PTR multiplication // #ifdef _WIN64 #define RtlUIntPtrMult RtlULongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlUIntPtrMult( _In_ UINT_PTR uMultiplicand, _In_ UINT_PTR uMultiplier, _Out_ _Deref_out_range_(==, uMultiplicand * uMultiplier) UINT_PTR* puResult) { ULONGLONG ull64Result = UInt32x32To64(uMultiplicand, uMultiplier); return RtlULongLongToUIntPtr(ull64Result, puResult); } #endif // _WIN64 // // ULONG multiplication // _Must_inspect_result_ __inline NTSTATUS RtlULongMult( _In_ ULONG ulMultiplicand, _In_ ULONG ulMultiplier, _Out_ _Deref_out_range_(==, ulMultiplicand * ulMultiplier) ULONG* pulResult) { ULONGLONG ull64Result = UInt32x32To64(ulMultiplicand, ulMultiplier); return RtlULongLongToULong(ull64Result, pulResult); } // // ULONG_PTR multiplication // #ifdef _WIN64 #define RtlULongPtrMult RtlULongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlULongPtrMult( _In_ ULONG_PTR ulMultiplicand, _In_ ULONG_PTR ulMultiplier, _Out_ _Deref_out_range_(==, ulMultiplicand * ulMultiplier) ULONG_PTR* pulResult) { ULONGLONG ull64Result = UInt32x32To64(ulMultiplicand, ulMultiplier); return RtlULongLongToULongPtr(ull64Result, pulResult); } #endif // _WIN64 // // DWORD multiplication // #define RtlDWordMult RtlULongMult // // DWORD_PTR multiplication // #ifdef _WIN64 #define RtlDWordPtrMult RtlULongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlDWordPtrMult( _In_ DWORD_PTR dwMultiplicand, _In_ DWORD_PTR dwMultiplier, _Out_ _Deref_out_range_(==, dwMultiplicand * dwMultiplier) DWORD_PTR* pdwResult) { ULONGLONG ull64Result = UInt32x32To64(dwMultiplicand, dwMultiplier); return RtlULongLongToDWordPtr(ull64Result, pdwResult); } #endif // _WIN64 // // size_t multiplication // #ifdef _WIN64 #define RtlSizeTMult RtlULongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlSizeTMult( _In_ size_t Multiplicand, _In_ size_t Multiplier, _Out_ _Deref_out_range_(==, Multiplicand * Multiplier) size_t* pResult) { ULONGLONG ull64Result = UInt32x32To64(Multiplicand, Multiplier); return RtlULongLongToSizeT(ull64Result, pResult); } #endif // _WIN64 // // SIZE_T multiplication // #ifdef _WIN64 #define RtlSIZETMult RtlULongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlSIZETMult( _In_ SIZE_T Multiplicand, _In_ SIZE_T Multiplier, _Out_ _Deref_out_range_(==, Multiplicand * Multiplier) SIZE_T* pResult) { ULONGLONG ull64Result = UInt32x32To64(Multiplicand, Multiplier); return RtlULongLongToSIZET(ull64Result, pResult); } #endif // _WIN64 // // ULONGLONG multiplication // _Must_inspect_result_ __inline NTSTATUS RtlULongLongMult( _In_ ULONGLONG ullMultiplicand, _In_ ULONGLONG ullMultiplier, _Out_ _Deref_out_range_(==, ullMultiplicand * ullMultiplier) ULONGLONG* pullResult) { NTSTATUS status; #if defined(_USE_INTRINSIC_MULTIPLY128) ULONGLONG ullResultHigh; ULONGLONG ullResultLow; ullResultLow = UnsignedMultiply128(ullMultiplicand, ullMultiplier, &ullResultHigh); if (ullResultHigh == 0) { _Analysis_assume_(ullMultiplicand * ullMultiplier == ullResultLow); *pullResult = ullResultLow; status = STATUS_SUCCESS; } else { *pullResult = ULONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } #else // 64x64 into 128 is like 32.32 x 32.32. // // a.b * c.d = a*(c.d) + .b*(c.d) = a*c + a*.d + .b*c + .b*.d // back in non-decimal notation where A=a*2^32 and C=c*2^32: // A*C + A*d + b*C + b*d // So there are four components to add together. // result = (a*c*2^64) + (a*d*2^32) + (b*c*2^32) + (b*d) // // a * c must be 0 or there would be bits in the high 64-bits // a * d must be less than 2^32 or there would be bits in the high 64-bits // b * c must be less than 2^32 or there would be bits in the high 64-bits // then there must be no overflow of the resulting values summed up. ULONG dw_a; ULONG dw_b; ULONG dw_c; ULONG dw_d; ULONGLONG ad = 0; ULONGLONG bc = 0; ULONGLONG bd = 0; ULONGLONG ullResult = 0; status = STATUS_INTEGER_OVERFLOW; dw_a = (ULONG)(ullMultiplicand >> 32); dw_c = (ULONG)(ullMultiplier >> 32); // common case -- if high dwords are both zero, no chance for overflow if ((dw_a == 0) && (dw_c == 0)) { dw_b = (DWORD)ullMultiplicand; dw_d = (DWORD)ullMultiplier; *pullResult = (((ULONGLONG)dw_b) * (ULONGLONG)dw_d); status = STATUS_SUCCESS; } else { // a * c must be 0 or there would be bits set in the high 64-bits if ((dw_a == 0) || (dw_c == 0)) { dw_d = (DWORD)ullMultiplier; // a * d must be less than 2^32 or there would be bits set in the high 64-bits ad = (((ULONGLONG)dw_a) * (ULONGLONG)dw_d); if ((ad & 0xffffffff00000000) == 0) { dw_b = (DWORD)ullMultiplicand; // b * c must be less than 2^32 or there would be bits set in the high 64-bits bc = (((ULONGLONG)dw_b) * (ULONGLONG)dw_c); if ((bc & 0xffffffff00000000) == 0) { // now sum them all up checking for overflow. // shifting is safe because we already checked for overflow above if (NT_SUCCESS(RtlULongLongAdd(bc << 32, ad << 32, &ullResult))) { // b * d bd = (((ULONGLONG)dw_b) * (ULONGLONG)dw_d); if (NT_SUCCESS(RtlULongLongAdd(ullResult, bd, &ullResult))) { *pullResult = ullResult; status = STATUS_SUCCESS; } } } } } } if (!NT_SUCCESS(status)) { *pullResult = ULONGLONG_ERROR; } #pragma warning(suppress:26071) #endif // _USE_INTRINSIC_MULTIPLY128 return status; } // // DWORDLONG multiplication // #define RtlDWordLongMult RtlULongLongMult // // ULONG64 multiplication // #define RtlULong64Mult RtlULongLongMult // // DWORD64 multiplication // #define RtlDWord64Mult RtlULongLongMult // // UINT64 multiplication // #define RtlUInt64Mult RtlULongLongMult ///////////////////////////////////////////////////////////////////////// // // signed operations // // Strongly consider using unsigned numbers. // // Signed numbers are often used where unsigned numbers should be used. // For example file sizes and array indices should always be unsigned. // (File sizes should be 64bit integers; array indices should be size_t.) // Subtracting a larger positive signed number from a smaller positive // signed number with RtlIntSub will succeed, producing a negative number, // that then must not be used as an array index (but can occasionally be // used as a pointer index.) Similarly for adding a larger magnitude // negative number to a smaller magnitude positive number. // // intsafe.h does not protect you from such errors. It tells you if your // integer operations overflowed, not if you are doing the right thing // with your non-overflowed integers. // // Likewise you can overflow a buffer with a non-overflowed unsigned index. // #if defined(ENABLE_INTSAFE_SIGNED_FUNCTIONS) #if defined(_USE_INTRINSIC_MULTIPLY128) #ifdef __cplusplus extern "C" { #endif #if !defined(_ARM64EC_) #define Multiply128 _mul128 #else #define _mul128 Multiply128 #endif // defined(_ARM64EC_) LONG64 Multiply128( _In_ LONG64 Multiplier, _In_ LONG64 Multiplicand, _Out_ LONG64 *HighProduct ); #if !defined(_ARM64EC_) #pragma intrinsic(_mul128) #endif // !defined(_ARM64EC_) #ifdef __cplusplus } #endif #endif // _USE_INTRINSIC_MULTIPLY128 //============================================================================= // Signed addition functions //============================================================================= // // INT8 Addition // _Must_inspect_result_ __inline NTSTATUS RtlInt8Add( _In_ INT8 i8Augend, _In_ INT8 i8Addend, _Out_ _Deref_out_range_(==, i8Augend + i8Addend) INT8* pi8Result ) { C_ASSERT(sizeof(LONG) > sizeof(INT8)); return RtlLongToInt8(((LONG)i8Augend) + ((LONG)i8Addend), pi8Result); } // // SHORT Addition // _Must_inspect_result_ __inline NTSTATUS RtlShortAdd( _In_ SHORT sAugend, _In_ SHORT sAddend, _Out_ _Deref_out_range_(==, sAugend + sAddend) SHORT* psResult ) { C_ASSERT(sizeof(LONG) > sizeof(SHORT)); return RtlLongToShort(((LONG)sAugend) + ((LONG)sAddend), psResult); } // // INT16 Addition // #define RtlInt16Add RtlShortAdd // // INT Addition // _Must_inspect_result_ __inline NTSTATUS RtlIntAdd( _In_ INT iAugend, _In_ INT iAddend, _Out_ _Deref_out_range_(==, iAugend + iAddend) INT* piResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(INT)); return RtlLongLongToInt(((LONGLONG)iAugend) + ((LONGLONG)iAddend), piResult); } // // INT32 Addition // #define RtlInt32Add RtlIntAdd // // INT_PTR addition // #ifdef _WIN64 #define RtlIntPtrAdd RtlLongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrAdd( _In_ INT_PTR iAugend, _In_ INT_PTR iAddend, _Out_ _Deref_out_range_(==, iAugend + iAddend) INT_PTR* piResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(INT_PTR)); return RtlLongLongToIntPtr(((LONGLONG)iAugend) + ((LONGLONG)iAddend), piResult); } #endif // // LONG Addition // _Must_inspect_result_ __inline NTSTATUS RtlLongAdd( _In_ LONG lAugend, _In_ LONG lAddend, _Out_ _Deref_out_range_(==, lAugend + lAddend) LONG* plResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(LONG)); return RtlLongLongToLong(((LONGLONG)lAugend) + ((LONGLONG)lAddend), plResult); } // // LONG32 Addition // #define RtlLong32Add RtlIntAdd // // LONG_PTR Addition // #ifdef _WIN64 #define RtlLongPtrAdd RtlLongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlLongPtrAdd( _In_ LONG_PTR lAugend, _In_ LONG_PTR lAddend, _Out_ _Deref_out_range_(==, lAugend + lAddend) LONG_PTR* plResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(LONG_PTR)); return RtlLongLongToLongPtr(((LONGLONG)lAugend) + ((LONGLONG)lAddend), plResult); } #endif // // LONGLONG Addition // _Must_inspect_result_ __inline NTSTATUS RtlLongLongAdd( _In_ LONGLONG llAugend, _In_ LONGLONG llAddend, _Out_ _Deref_out_range_(==, llAugend + llAddend) LONGLONG* pllResult ) { NTSTATUS status; LONGLONG llResult = llAugend + llAddend; // // Adding positive to negative never overflows. // If you add two positive numbers, you expect a positive result. // If you add two negative numbers, you expect a negative result. // Overflow if inputs are the same sign and output is not that sign. // if (((llAugend < 0) == (llAddend < 0)) && ((llAugend < 0) != (llResult < 0))) { *pllResult = LONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } else { *pllResult = llResult; status = STATUS_SUCCESS; } return status; } // // LONG64 Addition // #define RtlLong64Add RtlLongLongAdd // // RtlINT64 Addition // #define RtlInt64Add RtlLongLongAdd // // ptrdiff_t Addition // #ifdef _WIN64 #define RtlPtrdiffTAdd RtlLongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlPtrdiffTAdd( _In_ ptrdiff_t Augend, _In_ ptrdiff_t Addend, _Out_ _Deref_out_range_(==, Augend + Addend) ptrdiff_t* pResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(ptrdiff_t)); return RtlLongLongToPtrdiffT(((LONGLONG)Augend) + ((LONGLONG)Addend), pResult); } #endif // // SSIZE_T Addition // #ifdef _WIN64 #define RtlSSIZETAdd RtlLongLongAdd #else _Must_inspect_result_ __inline NTSTATUS RtlSSIZETAdd( _In_ SSIZE_T Augend, _In_ SSIZE_T Addend, _Out_ _Deref_out_range_(==, Augend + Addend) SSIZE_T* pResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(SSIZE_T)); return RtlLongLongToSSIZET(((LONGLONG)Augend) + ((LONGLONG)Addend), pResult); } #endif //============================================================================= // Signed subtraction functions //============================================================================= // // INT8 Subtraction // _Must_inspect_result_ __inline NTSTATUS RtlInt8Sub( _In_ INT8 i8Minuend, _In_ INT8 i8Subtrahend, _Out_ _Deref_out_range_(==, i8Minuend - i8Subtrahend) INT8* pi8Result ) { C_ASSERT(sizeof(LONG) > sizeof(INT8)); return RtlLongToInt8(((LONG)i8Minuend) - ((LONG)i8Subtrahend), pi8Result); } // // SHORT Subtraction // _Must_inspect_result_ __inline NTSTATUS RtlShortSub( _In_ SHORT sMinuend, _In_ SHORT sSubtrahend, _Out_ _Deref_out_range_(==, sMinuend - sSubtrahend) SHORT* psResult ) { C_ASSERT(sizeof(LONG) > sizeof(SHORT)); return RtlLongToShort(((LONG)sMinuend) - ((LONG)sSubtrahend), psResult); } // // INT16 Subtraction // #define RtlInt16Sub RtlShortSub // // INT Subtraction // _Must_inspect_result_ __inline NTSTATUS RtlIntSub( _In_ INT iMinuend, _In_ INT iSubtrahend, _Out_ _Deref_out_range_(==, iMinuend - iSubtrahend) INT* piResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(INT)); return RtlLongLongToInt(((LONGLONG)iMinuend) - ((LONGLONG)iSubtrahend), piResult); } // // INT32 Subtraction // #define RtlInt32Sub RtlIntSub // // INT_PTR Subtraction // #ifdef _WIN64 #define RtlIntPtrSub RtlLongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrSub( _In_ INT_PTR iMinuend, _In_ INT_PTR iSubtrahend, _Out_ _Deref_out_range_(==, iMinuend - iSubtrahend) INT_PTR* piResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(INT_PTR)); return RtlLongLongToIntPtr(((LONGLONG)iMinuend) - ((LONGLONG)iSubtrahend), piResult); } #endif // // LONG Subtraction // _Must_inspect_result_ __inline NTSTATUS RtlLongSub( _In_ LONG lMinuend, _In_ LONG lSubtrahend, _Out_ _Deref_out_range_(==, lMinuend - lSubtrahend) LONG* plResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(LONG)); return RtlLongLongToLong(((LONGLONG)lMinuend) - ((LONGLONG)lSubtrahend), plResult); } // // LONG32 Subtraction // #define RtlLong32Sub RtlIntSub // // LONG_PTR Subtraction // #ifdef _WIN64 #define RtlLongPtrSub RtlLongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlLongPtrSub( _In_ LONG_PTR lMinuend, _In_ LONG_PTR lSubtrahend, _Out_ _Deref_out_range_(==, lMinuend - lSubtrahend) LONG_PTR* plResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(LONG_PTR)); return RtlLongLongToLongPtr(((LONGLONG)lMinuend) - ((LONGLONG)lSubtrahend), plResult); } #endif // // RtlLongLongSub // _Must_inspect_result_ __inline NTSTATUS RtlLongLongSub( _In_ LONGLONG llMinuend, _In_ LONGLONG llSubtrahend, _Out_ _Deref_out_range_(==, llMinuend - llSubtrahend) LONGLONG* pllResult ) { NTSTATUS status; LONGLONG llResult = llMinuend - llSubtrahend; // // Subtracting a positive number from a positive number never overflows. // Subtracting a negative number from a negative number never overflows. // If you subtract a negative number from a positive number, you expect a positive result. // If you subtract a positive number from a negative number, you expect a negative result. // Overflow if inputs vary in sign and the output does not have the same sign as the first input. // if (((llMinuend < 0) != (llSubtrahend < 0)) && ((llMinuend < 0) != (llResult < 0))) { *pllResult = LONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } else { *pllResult = llResult; status = STATUS_SUCCESS; } return status; } // // LONG64 Subtraction // #define RtlLong64Sub RtlLongLongSub // // RtlINT64 Subtraction // #define RtlInt64Sub RtlLongLongSub // // ptrdiff_t Subtraction // #ifdef _WIN64 #define RtlPtrdiffTSub RtlLongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlPtrdiffTSub( _In_ ptrdiff_t Minuend, _In_ ptrdiff_t Subtrahend, _Out_ _Deref_out_range_(==, Minuend - Subtrahend) ptrdiff_t* pResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(ptrdiff_t)); return RtlLongLongToPtrdiffT(((LONGLONG)Minuend) - ((LONGLONG)Subtrahend), pResult); } #endif // // SSIZE_T Subtraction // #ifdef _WIN64 #define RtlSSIZETSub RtlLongLongSub #else _Must_inspect_result_ __inline NTSTATUS RtlSSIZETSub( _In_ SSIZE_T Minuend, _In_ SSIZE_T Subtrahend, _Out_ _Deref_out_range_(==, Minuend - Subtrahend) SSIZE_T* pResult) { C_ASSERT(sizeof(LONGLONG) > sizeof(SSIZE_T)); return RtlLongLongToSSIZET(((LONGLONG)Minuend) - ((LONGLONG)Subtrahend), pResult); } #endif //============================================================================= // Signed multiplication functions //============================================================================= // // INT8 multiplication // _Must_inspect_result_ __inline NTSTATUS RtlInt8Mult( _In_ INT8 i8Multiplicand, _In_ INT8 i8Multiplier, _Out_ _Deref_out_range_(==, i8Multiplicand * i8Multiplier) INT8* pi8Result ) { C_ASSERT(sizeof(LONG) > sizeof(INT8)); return RtlLongToInt8(((LONG)i8Multiplier) * ((LONG)i8Multiplicand), pi8Result); } // // SHORT multiplication // _Must_inspect_result_ __inline NTSTATUS RtlShortMult( _In_ SHORT sMultiplicand, _In_ SHORT sMultiplier, _Out_ _Deref_out_range_(==, sMultiplicand * sMultiplier) SHORT* psResult ) { C_ASSERT(sizeof(LONG) > sizeof(SHORT)); return RtlLongToShort(((LONG)sMultiplicand) * ((LONG)sMultiplier), psResult); } // // INT16 multiplication // #define RtlInt16Mult RtlShortMult // // INT multiplication // _Must_inspect_result_ __inline NTSTATUS RtlIntMult( _In_ INT iMultiplicand, _In_ INT iMultiplier, _Out_ _Deref_out_range_(==, iMultiplicand * iMultiplier) INT* piResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(INT)); return RtlLongLongToInt(((LONGLONG)iMultiplicand) * ((LONGLONG)iMultiplier), piResult); } // // INT32 multiplication // #define RtlInt32Mult RtlIntMult // // INT_PTR multiplication // #ifdef _WIN64 #define RtlIntPtrMult RtlLongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlIntPtrMult( _In_ INT_PTR iMultiplicand, _In_ INT_PTR iMultiplier, _Out_ _Deref_out_range_(==, iMultiplicand * iMultiplier) INT_PTR* piResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(INT_PTR)); return RtlLongLongToIntPtr(((LONGLONG)iMultiplicand) * ((LONGLONG)iMultiplier), piResult); } #endif // // LONG multiplication // _Must_inspect_result_ __inline NTSTATUS RtlLongMult( _In_ LONG lMultiplicand, _In_ LONG lMultiplier, _Out_ _Deref_out_range_(==, lMultiplicand * lMultiplier) LONG* plResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(LONG)); return RtlLongLongToLong(((LONGLONG)lMultiplicand) * ((LONGLONG)lMultiplier), plResult); } // // LONG32 multiplication // #define RtlLong32Mult RtlIntMult // // LONG_PTR multiplication // #ifdef _WIN64 #define RtlLongPtrMult RtlLongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlLongPtrMult( _In_ LONG_PTR lMultiplicand, _In_ LONG_PTR lMultiplier, _Out_ _Deref_out_range_(==, lMultiplicand * lMultiplier) LONG_PTR* plResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(LONG_PTR)); return RtlLongLongToLongPtr(((LONGLONG)lMultiplicand) * ((LONGLONG)lMultiplier), plResult); } #endif // // LONGLONG multiplication // _Must_inspect_result_ __inline NTSTATUS RtlLongLongMult( _In_ LONGLONG llMultiplicand, _In_ LONGLONG llMultiplier, _Out_ _Deref_out_range_(==, llMultiplicand * llMultiplier) LONGLONG* pllResult ) { NTSTATUS status; #if defined(_USE_INTRINSIC_MULTIPLY128) LONGLONG llResultHigh; LONGLONG llResultLow; llResultLow = Multiply128(llMultiplicand, llMultiplier, &llResultHigh); if (((llResultLow < 0) && (llResultHigh != -1)) || ((llResultLow >= 0) && (llResultHigh != 0))) { *pllResult = LONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } else { *pllResult = llResultLow; status = STATUS_SUCCESS; } #else // _USE_INTRINSIC_MULTIPLY128 // // Split into sign and magnitude, do unsigned operation, apply sign. // ULONGLONG ullMultiplicand; ULONGLONG ullMultiplier; ULONGLONG ullResult; const ULONGLONG LONGLONG_MIN_MAGNITUDE = ((((ULONGLONG) - (LONGLONG_MIN + 1))) + 1); if (llMultiplicand < 0) { // // Avoid negating the most negative number. // ullMultiplicand = ((ULONGLONG)(- (llMultiplicand + 1))) + 1; } else { ullMultiplicand = (ULONGLONG)llMultiplicand; } if (llMultiplier < 0) { // // Avoid negating the most negative number. // ullMultiplier = ((ULONGLONG)(- (llMultiplier + 1))) + 1; } else { ullMultiplier = (ULONGLONG)llMultiplier; } status = RtlULongLongMult(ullMultiplicand, ullMultiplier, &ullResult); if (NT_SUCCESS(status)) { if ((llMultiplicand < 0) != (llMultiplier < 0)) { if (ullResult > LONGLONG_MIN_MAGNITUDE) { *pllResult = LONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } else { *pllResult = - ((LONGLONG)ullResult); } } else { if (ullResult > LONGLONG_MAX) { *pllResult = LONGLONG_ERROR; status = STATUS_INTEGER_OVERFLOW; } else { *pllResult = (LONGLONG)ullResult; } } } else { *pllResult = LONGLONG_ERROR; } #endif // _USE_INTRINSIC_MULTIPLY128 return status; } // // LONG64 multiplication // #define RtlLong64Mult RtlLongLongMult // // RtlINT64 multiplication // #define RtlInt64Mult RtlLongLongMult // // ptrdiff_t multiplication // #ifdef _WIN64 #define RtlPtrdiffTMult RtlLongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlPtrdiffTMult( _In_ ptrdiff_t Multiplicand, _In_ ptrdiff_t Multiplier, _Out_ _Deref_out_range_(==, Multiplicand * Multiplier) ptrdiff_t* pResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(ptrdiff_t)); return RtlLongLongToPtrdiffT(((LONGLONG)Multiplicand) * ((LONGLONG)Multiplier), pResult); } #endif // // SSIZE_T multiplication // #ifdef _WIN64 #define RtlSSIZETMult RtlLongLongMult #else _Must_inspect_result_ __inline NTSTATUS RtlSSIZETMult( _In_ SSIZE_T Multiplicand, _In_ SSIZE_T Multiplier, _Out_ _Deref_out_range_(==, Multiplicand * Multiplier) SSIZE_T* pResult ) { C_ASSERT(sizeof(LONGLONG) > sizeof(SSIZE_T)); return RtlLongLongToSSIZET(((LONGLONG)Multiplicand) * ((LONGLONG)Multiplier), pResult); } #endif #endif // ENABLE_INTSAFE_SIGNED_FUNCTIONS // // Macros that are no longer used in this header but which clients may // depend on being defined here. // #ifndef LOWORD #define LOWORD(l) ((WORD)(((DWORD_PTR)(l)) & 0xffff)) #endif #ifndef HIWORD #define HIWORD(l) ((WORD)((((DWORD_PTR)(l)) >> 16) & 0xffff)) #endif #ifndef LODWORD #define LODWORD(_qw) ((DWORD)(_qw)) #endif #ifndef HIDWORD #define HIDWORD(_qw) ((DWORD)(((_qw) >> 32) & 0xffffffff)) #endif #if _MSC_VER >= 1200 #pragma warning(pop) #endif #endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM | WINAPI_PARTITION_GAMES) */ #pragma endregion #endif // _NTINTSAFE_H_INCLUDED_ ================================================ FILE: phnt/include/ntioapi.h ================================================ /* * File management support * * This file is part of System Informer. */ #ifndef _NTIOAPI_H #define _NTIOAPI_H // // Sharing mode // #define FILE_SHARE_NONE 0x00000000 #define FILE_SHARE_READ 0x00000001 #define FILE_SHARE_WRITE 0x00000002 #define FILE_SHARE_DELETE 0x00000004 // // Create disposition // #define FILE_SUPERSEDE 0x00000000 #define FILE_OPEN 0x00000001 #define FILE_CREATE 0x00000002 #define FILE_OPEN_IF 0x00000003 #define FILE_OVERWRITE 0x00000004 #define FILE_OVERWRITE_IF 0x00000005 #define FILE_MAXIMUM_DISPOSITION 0x00000005 // // Create/open flags // #define FILE_DIRECTORY_FILE 0x00000001 #define FILE_WRITE_THROUGH 0x00000002 #define FILE_SEQUENTIAL_ONLY 0x00000004 #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 #define FILE_NON_DIRECTORY_FILE 0x00000040 #define FILE_CREATE_TREE_CONNECTION 0x00000080 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 #define FILE_NO_EA_KNOWLEDGE 0x00000200 #define FILE_OPEN_REMOTE_INSTANCE 0x00000400 #define FILE_RANDOM_ACCESS 0x00000800 #define FILE_DELETE_ON_CLOSE 0x00001000 #define FILE_OPEN_BY_FILE_ID 0x00002000 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 #define FILE_NO_COMPRESSION 0x00008000 #define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 #define FILE_DISALLOW_EXCLUSIVE 0x00020000 #define FILE_SESSION_AWARE 0x00040000 #define FILE_RESERVE_OPFILTER 0x00100000 #define FILE_OPEN_REPARSE_POINT 0x00200000 #define FILE_OPEN_NO_RECALL 0x00400000 #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 #define TREE_CONNECT_WRITE_THROUGH 0x00000002 #define TREE_CONNECT_NO_CLIENT_BUFFERING 0x00000008 // // Extended create/open flags // #define FILE_CONTAINS_EXTENDED_CREATE_INFORMATION 0x10000000 #define FILE_VALID_EXTENDED_OPTION_FLAGS 0x10000000 typedef struct _EXTENDED_CREATE_DUAL_OPLOCK_KEYS { // // Parent oplock key. // All-zero if not set. // GUID ParentOplockKey; // // Target oplock key. // All-zero if not set. // GUID TargetOplockKey; } EXTENDED_CREATE_DUAL_OPLOCK_KEYS, *PEXTENDED_CREATE_DUAL_OPLOCK_KEYS; typedef struct _EXTENDED_CREATE_INFORMATION { LONGLONG ExtendedCreateFlags; PVOID EaBuffer; ULONG EaLength; //PEXTENDED_CREATE_DUAL_OPLOCK_KEYS DualOplockKeys; // since 24H2 } EXTENDED_CREATE_INFORMATION, *PEXTENDED_CREATE_INFORMATION; typedef struct _EXTENDED_CREATE_INFORMATION_32 { LONGLONG ExtendedCreateFlags; void* POINTER_32 EaBuffer; ULONG EaLength; //PEXTENDED_CREATE_DUAL_OPLOCK_KEYS POINTER_32 DualOplockKeys; // since 24H2 } EXTENDED_CREATE_INFORMATION_32, *PEXTENDED_CREATE_INFORMATION_32; #define EX_CREATE_FLAG_FILE_SOURCE_OPEN_FOR_COPY 0x00000001 #define EX_CREATE_FLAG_FILE_DEST_OPEN_FOR_COPY 0x00000002 #define FILE_VALID_OPTION_FLAGS 0x00ffffff #define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 #define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 #define FILE_VALID_SET_FLAGS 0x00000036 #define FILE_COPY_STRUCTURED_STORAGE 0x00000041 #define FILE_STRUCTURED_STORAGE 0x00000441 // I/O status information values for NtCreateFile/NtOpenFile #define FILE_SUPERSEDED 0x00000000 #define FILE_OPENED 0x00000001 #define FILE_CREATED 0x00000002 #define FILE_OVERWRITTEN 0x00000003 #define FILE_EXISTS 0x00000004 #define FILE_DOES_NOT_EXIST 0x00000005 // Special ByteOffset parameters #define FILE_WRITE_TO_END_OF_FILE 0xffffffff #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe // Alignment requirement values #define FILE_BYTE_ALIGNMENT 0x00000000 #define FILE_WORD_ALIGNMENT 0x00000001 #define FILE_LONG_ALIGNMENT 0x00000003 #define FILE_QUAD_ALIGNMENT 0x00000007 #define FILE_OCTA_ALIGNMENT 0x0000000f #define FILE_32_BYTE_ALIGNMENT 0x0000001f #define FILE_64_BYTE_ALIGNMENT 0x0000003f #define FILE_128_BYTE_ALIGNMENT 0x0000007f #define FILE_256_BYTE_ALIGNMENT 0x000000ff #define FILE_512_BYTE_ALIGNMENT 0x000001ff // Maximum length of a filename string #define DOS_MAX_COMPONENT_LENGTH 255 #define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) #define MAXIMUM_FILENAME_LENGTH 256 // // Extended attributes // #define FILE_NEED_EA 0x00000080 #define FILE_EA_TYPE_BINARY 0xfffe #define FILE_EA_TYPE_ASCII 0xfffd #define FILE_EA_TYPE_BITMAP 0xfffb #define FILE_EA_TYPE_METAFILE 0xfffa #define FILE_EA_TYPE_ICON 0xfff9 #define FILE_EA_TYPE_EA 0xffee #define FILE_EA_TYPE_MVMT 0xffdf #define FILE_EA_TYPE_MVST 0xffde #define FILE_EA_TYPE_ASN1 0xffdd #define FILE_EA_TYPE_FAMILY_IDS 0xff01 // // Device characteristics // #define FILE_REMOVABLE_MEDIA 0x00000001 #define FILE_READ_ONLY_DEVICE 0x00000002 #define FILE_FLOPPY_DISKETTE 0x00000004 #define FILE_WRITE_ONCE_MEDIA 0x00000008 #define FILE_REMOTE_DEVICE 0x00000010 #define FILE_DEVICE_IS_MOUNTED 0x00000020 #define FILE_VIRTUAL_VOLUME 0x00000040 #define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080 #define FILE_DEVICE_SECURE_OPEN 0x00000100 #define FILE_CHARACTERISTIC_PNP_DEVICE 0x00000800 #define FILE_CHARACTERISTIC_TS_DEVICE 0x00001000 #define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000 #define FILE_CHARACTERISTIC_CSV 0x00010000 #define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL 0x00020000 #define FILE_PORTABLE_DEVICE 0x00040000 #define FILE_REMOTE_DEVICE_VSMB 0x00080000 #define FILE_DEVICE_REQUIRE_SECURITY_CHECK 0x00100000 // // Named pipe values // // NamedPipeType for NtCreateNamedPipeFile #define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 #define FILE_PIPE_MESSAGE_TYPE 0x00000001 #define FILE_PIPE_ACCEPT_REMOTE_CLIENTS 0x00000000 #define FILE_PIPE_REJECT_REMOTE_CLIENTS 0x00000002 #define FILE_PIPE_TYPE_VALID_MASK 0x00000003 // CompletionMode for NtCreateNamedPipeFile #define FILE_PIPE_QUEUE_OPERATION 0x00000000 #define FILE_PIPE_COMPLETE_OPERATION 0x00000001 // ReadMode for NtCreateNamedPipeFile #define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 #define FILE_PIPE_MESSAGE_MODE 0x00000001 // NamedPipeConfiguration for NtQueryInformationFile #define FILE_PIPE_INBOUND 0x00000000 #define FILE_PIPE_OUTBOUND 0x00000001 #define FILE_PIPE_FULL_DUPLEX 0x00000002 // NamedPipeState for NtQueryInformationFile #define FILE_PIPE_DISCONNECTED_STATE 0x00000001 #define FILE_PIPE_LISTENING_STATE 0x00000002 #define FILE_PIPE_CONNECTED_STATE 0x00000003 #define FILE_PIPE_CLOSING_STATE 0x00000004 // NamedPipeEnd for NtQueryInformationFile #define FILE_PIPE_CLIENT_END 0x00000000 #define FILE_PIPE_SERVER_END 0x00000001 // Win32 pipe instance limit (0xff) #define FILE_PIPE_UNLIMITED_INSTANCES 0xffffffff // // Mailslot values // #define MAILSLOT_SIZE_AUTO 0 typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; typedef _Function_class_(IO_APC_ROUTINE) VOID NTAPI IO_APC_ROUTINE( _In_ PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved ); typedef IO_APC_ROUTINE* PIO_APC_ROUTINE; // // NtQueryInformationFile/NtSetInformationFile types // typedef enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1, // q: FILE_DIRECTORY_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileFullDirectoryInformation, // q: FILE_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileBothDirectoryInformation, // q: FILE_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileBasicInformation, // qs: FILE_BASIC_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) FileStandardInformation, // q: FILE_STANDARD_INFORMATION, FILE_STANDARD_INFORMATION_EX FileInternalInformation, // q: FILE_INTERNAL_INFORMATION FileEaInformation, // q: FILE_EA_INFORMATION (requires FILE_READ_EA) FileAccessInformation, // q: FILE_ACCESS_INFORMATION FileNameInformation, // q: FILE_NAME_INFORMATION FileRenameInformation, // s: FILE_RENAME_INFORMATION (requires DELETE) // 10 FileLinkInformation, // s: FILE_LINK_INFORMATION FileNamesInformation, // q: FILE_NAMES_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileDispositionInformation, // s: FILE_DISPOSITION_INFORMATION (requires DELETE) FilePositionInformation, // qs: FILE_POSITION_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) FileFullEaInformation, // q: FILE_FULL_EA_INFORMATION (requires FILE_READ_EA) FileModeInformation, // qs: FILE_MODE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) FileAlignmentInformation, // q: FILE_ALIGNMENT_INFORMATION FileAllInformation, // q: FILE_ALL_INFORMATION FileAllocationInformation, // s: FILE_ALLOCATION_INFORMATION (requires FILE_WRITE_DATA) FileEndOfFileInformation, // s: FILE_END_OF_FILE_INFORMATION (requires FILE_WRITE_DATA) // 20 FileAlternateNameInformation, // q: FILE_NAME_INFORMATION FileStreamInformation, // q: FILE_STREAM_INFORMATION FilePipeInformation, // qs: FILE_PIPE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) FilePipeLocalInformation, // q: FILE_PIPE_LOCAL_INFORMATION FilePipeRemoteInformation, // qs: FILE_PIPE_REMOTE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) FileMailslotQueryInformation, // q: FILE_MAILSLOT_QUERY_INFORMATION FileMailslotSetInformation, // s: FILE_MAILSLOT_SET_INFORMATION FileCompressionInformation, // q: FILE_COMPRESSION_INFORMATION FileObjectIdInformation, // q: FILE_OBJECTID_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileCompletionInformation, // s: FILE_COMPLETION_INFORMATION // 30 FileMoveClusterInformation, // s: FILE_MOVE_CLUSTER_INFORMATION (requires FILE_WRITE_DATA) FileQuotaInformation, // q: FILE_QUOTA_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileReparsePointInformation, // q: FILE_REPARSE_POINT_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileNetworkOpenInformation, // q: FILE_NETWORK_OPEN_INFORMATION FileAttributeTagInformation, // q: FILE_ATTRIBUTE_TAG_INFORMATION FileTrackingInformation, // s: FILE_TRACKING_INFORMATION (requires FILE_WRITE_DATA) FileIdBothDirectoryInformation, // q: FILE_ID_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileIdFullDirectoryInformation, // q: FILE_ID_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) FileValidDataLengthInformation, // s: FILE_VALID_DATA_LENGTH_INFORMATION (requires FILE_WRITE_DATA and/or SeManageVolumePrivilege) FileShortNameInformation, // s: FILE_NAME_INFORMATION (requires DELETE) // 40 FileIoCompletionNotificationInformation, // qs: FILE_IO_COMPLETION_NOTIFICATION_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since VISTA FileIoStatusBlockRangeInformation, // s: FILE_IOSTATUSBLOCK_RANGE_INFORMATION (requires SeLockMemoryPrivilege) FileIoPriorityHintInformation, // qs: FILE_IO_PRIORITY_HINT_INFORMATION, FILE_IO_PRIORITY_HINT_INFORMATION_EX (q: requires FILE_READ_DATA) FileSfioReserveInformation, // qs: FILE_SFIO_RESERVE_INFORMATION (q: requires FILE_READ_DATA) FileSfioVolumeInformation, // q: FILE_SFIO_VOLUME_INFORMATION FileHardLinkInformation, // q: FILE_LINKS_INFORMATION FileProcessIdsUsingFileInformation, // q: FILE_PROCESS_IDS_USING_FILE_INFORMATION FileNormalizedNameInformation, // q: FILE_NAME_INFORMATION FileNetworkPhysicalNameInformation, // q: FILE_NETWORK_PHYSICAL_NAME_INFORMATION FileIdGlobalTxDirectoryInformation, // q: FILE_ID_GLOBAL_TX_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since WIN7 // 50 FileIsRemoteDeviceInformation, // q: FILE_IS_REMOTE_DEVICE_INFORMATION FileUnusedInformation, // q: FileNumaNodeInformation, // q: FILE_NUMA_NODE_INFORMATION FileStandardLinkInformation, // q: FILE_STANDARD_LINK_INFORMATION FileRemoteProtocolInformation, // q: FILE_REMOTE_PROTOCOL_INFORMATION FileRenameInformationBypassAccessCheck, // s: FILE_RENAME_INFORMATION // (kernel-mode only) // since WIN8 FileLinkInformationBypassAccessCheck, // s: FILE_LINK_INFORMATION // (kernel-mode only) FileVolumeNameInformation, // q: FILE_VOLUME_NAME_INFORMATION FileIdInformation, // q: FILE_ID_INFORMATION FileIdExtdDirectoryInformation, // q: FILE_ID_EXTD_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // 60 FileReplaceCompletionInformation, // s: FILE_COMPLETION_INFORMATION // since WINBLUE FileHardLinkFullIdInformation, // q: FILE_LINK_ENTRY_FULL_ID_INFORMATION // FILE_LINKS_FULL_ID_INFORMATION FileIdExtdBothDirectoryInformation, // q: FILE_ID_EXTD_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since THRESHOLD FileDispositionInformationEx, // s: FILE_DISPOSITION_INFO_EX (requires DELETE) // since REDSTONE FileRenameInformationEx, // s: FILE_RENAME_INFORMATION_EX FileRenameInformationExBypassAccessCheck, // s: FILE_RENAME_INFORMATION_EX // (kernel-mode only) FileDesiredStorageClassInformation, // qs: FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2 FileStatInformation, // q: FILE_STAT_INFORMATION FileMemoryPartitionInformation, // s: FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 FileStatLxInformation, // q: FILE_STAT_LX_INFORMATION (requires FILE_READ_ATTRIBUTES and FILE_READ_EA) // since REDSTONE4 // 70 FileCaseSensitiveInformation, // qs: FILE_CASE_SENSITIVE_INFORMATION FileLinkInformationEx, // s: FILE_LINK_INFORMATION_EX // since REDSTONE5 FileLinkInformationExBypassAccessCheck, // s: FILE_LINK_INFORMATION_EX // (kernel-mode only) FileStorageReserveIdInformation, // qs: FILE_STORAGE_RESERVE_ID_INFORMATION FileCaseSensitiveInformationForceAccessCheck, // qs: FILE_CASE_SENSITIVE_INFORMATION FileKnownFolderInformation, // qs: FILE_KNOWN_FOLDER_INFORMATION // since WIN11 FileStatBasicInformation, // qs: FILE_STAT_BASIC_INFORMATION // since 23H2 FileId64ExtdDirectoryInformation, // q: FILE_ID_64_EXTD_DIR_INFORMATION FileId64ExtdBothDirectoryInformation, // q: FILE_ID_64_EXTD_BOTH_DIR_INFORMATION FileIdAllExtdDirectoryInformation, // q: FILE_ID_ALL_EXTD_DIR_INFORMATION FileIdAllExtdBothDirectoryInformation, // q: FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION FileStreamReservationInformation, // q: FILE_STREAM_RESERVATION_INFORMATION // since 24H2 FileMupProviderInfo, // qs: MUP_PROVIDER_INFORMATION FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; /** * The FILE_BASIC_INFORMATION structure contains timestamps and basic attributes of a file. * \li If you specify a value of zero for any of the XxxTime members, the file system keeps a file's current value for that time. * \li If you specify a value of -1 for any of the XxxTime members, time stamp updates are disabled for I/O operations performed on the file handle. * \li If you specify a value of -2 for any of the XxxTime members, time stamp updates are enabled for I/O operations performed on the file handle. * \remarks To set the members of this structure, the caller must have FILE_WRITE_ATTRIBUTES access to the file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_basic_information */ typedef struct _FILE_BASIC_INFORMATION { LARGE_INTEGER CreationTime; // Specifies the time that the file was created. LARGE_INTEGER LastAccessTime; // Specifies the time that the file was last accessed. LARGE_INTEGER LastWriteTime; // Specifies the time that the file was last written to. LARGE_INTEGER ChangeTime; // Specifies the last time the file was changed. ULONG FileAttributes; // Specifies one or more FILE_ATTRIBUTE_XXX flags. } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; /** * The FILE_STANDARD_INFORMATION structure contains standard information of a file. * \remarks EndOfFile specifies the byte offset to the end of the file. * Because this value is zero-based, it actually refers to the first free byte in the file; that is, it is the offset to the byte immediately following the last valid byte in the file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_standard_information */ typedef struct _FILE_STANDARD_INFORMATION { LARGE_INTEGER AllocationSize; // The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device. LARGE_INTEGER EndOfFile; // The end of file location as a byte offset. ULONG NumberOfLinks; // The number of hard links to the file. BOOLEAN DeletePending; // The delete pending status. TRUE indicates that a file deletion has been requested. BOOLEAN Directory; // The file directory status. TRUE indicates the file object represents a directory. } FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; /** * The FILE_STANDARD_INFORMATION_EX structure is used as an argument to routines that query or set file information * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_standard_information_ex */ typedef struct _FILE_STANDARD_INFORMATION_EX { LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG NumberOfLinks; BOOLEAN DeletePending; BOOLEAN Directory; BOOLEAN AlternateStream; BOOLEAN MetadataAttribute; } FILE_STANDARD_INFORMATION_EX, *PFILE_STANDARD_INFORMATION_EX; /** * The FILE_INTERNAL_INFORMATION structure is used to query for the file system's 8-byte file reference number for a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_internal_information * \remark The IndexNumber member is the same as the FileId member of the FILE_ID_BOTH_DIR_INFORMATION and FILE_ID_FULL_DIR_INFORMATION structures. */ typedef struct _FILE_INTERNAL_INFORMATION { union { ULARGE_INTEGER IndexNumber; struct { ULONGLONG MftRecordIndex : 48; // rev ULONGLONG SequenceNumber : 16; // rev }; }; } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; /** * The FILE_EA_INFORMATION structure is used to query for the size of the extended attributes (EA) for a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_ea_information */ typedef struct _FILE_EA_INFORMATION { ULONG EaSize; } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; /** * The FILE_ACCESS_INFORMATION structure is used to query for or set the access rights of a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_access_information */ typedef struct _FILE_ACCESS_INFORMATION { ACCESS_MASK AccessFlags; } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; /** * The FILE_POSITION_INFORMATION structure is used as an argument to routines that query or set file information. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_position_information */ typedef struct _FILE_POSITION_INFORMATION { LARGE_INTEGER CurrentByteOffset; } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; /** * The FILE_MODE_INFORMATION structure is used to query or set the access mode of a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_mode_information */ typedef struct _FILE_MODE_INFORMATION { ULONG Mode; } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; /** * The FILE_ALIGNMENT_INFORMATION structure is used to query or set the buffer alignment required by the underlying device. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_file_alignment_information */ typedef struct _FILE_ALIGNMENT_INFORMATION { ULONG AlignmentRequirement; } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; /** * The FILE_NAME_INFORMATION structure is used to query or set the file name and/or new short name for a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_file_name_information */ typedef struct _FILE_NAME_INFORMATION { ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; /** * The FILE_ALL_INFORMATION structure is used as a container for several FILE_XXX_INFORMATION structures. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_all_information */ typedef struct _FILE_ALL_INFORMATION { FILE_BASIC_INFORMATION BasicInformation; FILE_STANDARD_INFORMATION StandardInformation; FILE_INTERNAL_INFORMATION InternalInformation; FILE_EA_INFORMATION EaInformation; FILE_ACCESS_INFORMATION AccessInformation; FILE_POSITION_INFORMATION PositionInformation; FILE_MODE_INFORMATION ModeInformation; FILE_ALIGNMENT_INFORMATION AlignmentInformation; FILE_NAME_INFORMATION NameInformation; } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; /** * The FILE_NETWORK_OPEN_INFORMATION structure is used to query for information that is commonly needed when a file is opened across a network. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_network_open_information */ typedef struct _FILE_NETWORK_OPEN_INFORMATION { LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG FileAttributes; } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; /** * The FILE_ATTRIBUTE_TAG_INFORMATION structure is used to query for attribute and reparse tag information for a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_file_attribute_tag_information */ typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { ULONG FileAttributes; ULONG ReparseTag; } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; /** * The FILE_ALLOCATION_INFORMATION structure is used to set the allocation size for a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_allocation_information */ typedef struct _FILE_ALLOCATION_INFORMATION { LARGE_INTEGER AllocationSize; } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; /** * The FILE_COMPRESSION_INFORMATION structure describes the state of a compressed data buffer. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_compression_information */ typedef struct _FILE_COMPRESSION_INFORMATION { LARGE_INTEGER CompressedFileSize; USHORT CompressionFormat; UCHAR CompressionUnitShift; UCHAR ChunkShift; UCHAR ClusterShift; UCHAR Reserved[3]; } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; /** * The FILE_DISPOSITION_INFORMATION structure is used to mark a file for deletion. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_file_disposition_information */ typedef struct _FILE_DISPOSITION_INFORMATION { BOOLEAN DeleteFile; } FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION; /** * The FILE_END_OF_FILE_INFORMATION structure is used to set end-of-file information for a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_file_end_of_file_information */ typedef struct _FILE_END_OF_FILE_INFORMATION { LARGE_INTEGER EndOfFile; } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; #define FLAGS_END_OF_FILE_INFO_EX_EXTEND_PAGING 0x00000001 #define FLAGS_END_OF_FILE_INFO_EX_NO_EXTRA_PAGING_EXTEND 0x00000002 #define FLAGS_END_OF_FILE_INFO_EX_TIME_CONSTRAINED 0x00000004 #define FLAGS_DELAY_REASONS_LOG_FILE_FULL 0x00000001 #define FLAGS_DELAY_REASONS_BITMAP_SCANNED 0x00000002 typedef struct _FILE_END_OF_FILE_INFORMATION_EX { LARGE_INTEGER EndOfFile; LARGE_INTEGER PagingFileSizeInMM; LARGE_INTEGER PagingFileMaxSize; ULONG Flags; } FILE_END_OF_FILE_INFORMATION_EX, *PFILE_END_OF_FILE_INFORMATION_EX; /** * The FILE_VALID_DATA_LENGTH_INFORMATION structure is used to set the valid data length information for a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_file_valid_data_length_information */ typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION { LARGE_INTEGER ValidDataLength; } FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; #define FILE_LINK_REPLACE_IF_EXISTS 0x00000001 // since RS5 #define FILE_LINK_POSIX_SEMANTICS 0x00000002 #define FILE_LINK_SUPPRESS_STORAGE_RESERVE_INHERITANCE 0x00000008 #define FILE_LINK_NO_INCREASE_AVAILABLE_SPACE 0x00000010 #define FILE_LINK_NO_DECREASE_AVAILABLE_SPACE 0x00000020 #define FILE_LINK_PRESERVE_AVAILABLE_SPACE 0x00000030 #define FILE_LINK_IGNORE_READONLY_ATTRIBUTE 0x00000040 #define FILE_LINK_FORCE_RESIZE_TARGET_SR 0x00000080 // since 19H1 #define FILE_LINK_FORCE_RESIZE_SOURCE_SR 0x00000100 #define FILE_LINK_FORCE_RESIZE_SR 0x00000180 /** * The FILE_LINK_INFORMATION structure is used to create an NTFS hard link to an existing file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_link_information */ typedef struct _FILE_LINK_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; typedef struct _FILE_LINK_INFORMATION_EX { ULONG Flags; HANDLE RootDirectory; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_LINK_INFORMATION_EX, *PFILE_LINK_INFORMATION_EX; typedef struct _FILE_MOVE_CLUSTER_INFORMATION { ULONG ClusterCount; HANDLE RootDirectory; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; /** * The FILE_RENAME_INFORMATION structure is used to rename a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_rename_information */ typedef struct _FILE_RENAME_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; #define FILE_RENAME_REPLACE_IF_EXISTS 0x00000001 // since REDSTONE #define FILE_RENAME_POSIX_SEMANTICS 0x00000002 #define FILE_RENAME_SUPPRESS_PIN_STATE_INHERITANCE 0x00000004 // since REDSTONE3 #define FILE_RENAME_SUPPRESS_STORAGE_RESERVE_INHERITANCE 0x00000008 // since REDSTONE5 #define FILE_RENAME_NO_INCREASE_AVAILABLE_SPACE 0x00000010 #define FILE_RENAME_NO_DECREASE_AVAILABLE_SPACE 0x00000020 #define FILE_RENAME_PRESERVE_AVAILABLE_SPACE 0x00000030 #define FILE_RENAME_IGNORE_READONLY_ATTRIBUTE 0x00000040 #define FILE_RENAME_FORCE_RESIZE_TARGET_SR 0x00000080 // since 19H1 #define FILE_RENAME_FORCE_RESIZE_SOURCE_SR 0x00000100 #define FILE_RENAME_FORCE_RESIZE_SR 0x00000180 /** * The FILE_RENAME_INFORMATION_EX structure is used to rename a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_rename_information */ typedef struct _FILE_RENAME_INFORMATION_EX { ULONG Flags; HANDLE RootDirectory; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_RENAME_INFORMATION_EX, *PFILE_RENAME_INFORMATION_EX; /** * The FILE_STREAM_INFORMATION structure contains information about a file stream. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_stream_information */ _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_STREAM_INFORMATION { ULONG NextEntryOffset; ULONG StreamNameLength; LARGE_INTEGER StreamSize; LARGE_INTEGER StreamAllocationSize; _Field_size_bytes_(StreamNameLength) WCHAR StreamName[1]; } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; /** * The FILE_TRACKING_INFORMATION structure contains information used for tracking file operations. */ typedef struct _FILE_TRACKING_INFORMATION { HANDLE DestinationFile; ULONG ObjectInformationLength; _Field_size_bytes_(ObjectInformationLength) CHAR ObjectInformation[1]; } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; /** * The FILE_COMPLETION_INFORMATION structure contains the port handle and key for an I/O completion port created for a file handle. * * \remarks he FILE_COMPLETION_INFORMATION structure is used to replace the completion information for a port handle set in Port. * Completion information is replaced with the ZwSetInformationFile routine with the FileInformationClass parameter set to FileReplaceCompletionInformation. * The Port and Key members of FILE_COMPLETION_INFORMATION are set to their new values. To remove an existing completion port for a file handle, Port is set to NULL. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_completion_information */ typedef struct _FILE_COMPLETION_INFORMATION { HANDLE Port; PVOID Key; } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; /** * The FILE_PIPE_INFORMATION structure contains information about a named pipe that is not specific to the local or the remote end of the pipe. * * \remarks If ReadMode is set to FILE_PIPE_BYTE_STREAM_MODE, any attempt to change it must fail with a STATUS_INVALID_PARAMETER error code. * When CompletionMode is set to FILE_PIPE_QUEUE_OPERATION, if the pipe is connected to, read to, or written from, * the operation is not completed until there is data to read, all data is written, or a client is connected. * When CompletionMode is set to FILE_PIPE_COMPLETE_OPERATION, if the pipe is being connected to, read to, or written from, the operation is completed immediately. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_pipe_information */ typedef struct _FILE_PIPE_INFORMATION { ULONG ReadMode; ULONG CompletionMode; } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; /** * The FILE_PIPE_LOCAL_INFORMATION structure contains information about the local end of a named pipe. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_pipe_local_information */ typedef struct _FILE_PIPE_LOCAL_INFORMATION { ULONG NamedPipeType; ULONG NamedPipeConfiguration; ULONG MaximumInstances; ULONG CurrentInstances; ULONG InboundQuota; ULONG ReadDataAvailable; ULONG OutboundQuota; ULONG WriteQuotaAvailable; ULONG NamedPipeState; ULONG NamedPipeEnd; } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; /** * The FILE_PIPE_REMOTE_INFORMATION structure contains information about the remote end of a named pipe. * * \remarks Remote information is not available for local pipes or for the server end of a remote pipe. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_pipe_remote_information */ typedef struct _FILE_PIPE_REMOTE_INFORMATION { LARGE_INTEGER CollectDataTime; // The maximum amount of time, in 100-nanosecond intervals, that elapses before transmission of data from the client machine to the server. ULONG MaximumCollectionCount; // The maximum size, in bytes, of data that will be collected on the client machine before transmission to the server. } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; /** * The FILE_MAILSLOT_QUERY_INFORMATION structure contains information about a mailslot. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_mailslot_query_information */ typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { ULONG MaximumMessageSize; // The maximum size, in bytes, of a single message that can be written to the mailslot, or 0 for a message of any size. ULONG MailslotQuota; // The size, in bytes, of the in-memory pool that is reserved for writes to this mailslot. ULONG NextMessageSize; // The next message size, in bytes. ULONG MessagesAvailable; // The total number of messages waiting to be read from the mailslot. LARGE_INTEGER ReadTimeout; // The time, in milliseconds, that a read operation can wait for a message to be written to the mailslot before a time-out occurs. } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; /** * The FILE_MAILSLOT_SET_INFORMATION structure is used to set a value on a mailslot. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_mailslot_set_information */ typedef struct _FILE_MAILSLOT_SET_INFORMATION { PLARGE_INTEGER ReadTimeout; // The time, in milliseconds, that a read operation can wait for a message to be written to the mailslot before a time-out occurs. } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; /** * The FILE_REPARSE_POINT_INFORMATION structure contains information about a reparse point. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_reparse_point_information */ typedef struct _FILE_REPARSE_POINT_INFORMATION { LONGLONG FileReference; ULONG Tag; } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; /** * The FILE_LINK_ENTRY_INFORMATION structure contains information about a file link entry. */ _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_LINK_ENTRY_INFORMATION { ULONG NextEntryOffset; LONGLONG ParentFileId; // LARGE_INTEGER ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION; /** * The FILE_LINKS_INFORMATION structure contains information about file links. */ typedef struct _FILE_LINKS_INFORMATION { ULONG BytesNeeded; ULONG EntriesReturned; FILE_LINK_ENTRY_INFORMATION Entry; } FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION; /** * The FILE_NETWORK_PHYSICAL_NAME_INFORMATION structure contains information about the network physical name of a file. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_network_physical_name_information */ typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION { ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_NETWORK_PHYSICAL_NAME_INFORMATION, *PFILE_NETWORK_PHYSICAL_NAME_INFORMATION; /** * The FILE_STANDARD_LINK_INFORMATION structure contains standard information about a file link. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-file_standard_link_information */ typedef struct _FILE_STANDARD_LINK_INFORMATION { ULONG NumberOfAccessibleLinks; ULONG TotalNumberOfLinks; BOOLEAN DeletePending; BOOLEAN Directory; } FILE_STANDARD_LINK_INFORMATION, *PFILE_STANDARD_LINK_INFORMATION; typedef struct _FILE_SFIO_RESERVE_INFORMATION { ULONG RequestsPerPeriod; ULONG Period; BOOLEAN RetryFailures; BOOLEAN Discardable; ULONG RequestSize; ULONG NumOutstandingRequests; } FILE_SFIO_RESERVE_INFORMATION, *PFILE_SFIO_RESERVE_INFORMATION; typedef struct _FILE_SFIO_VOLUME_INFORMATION { ULONG MaximumRequestsPerPeriod; ULONG MinimumPeriod; ULONG MinimumTransferSize; } FILE_SFIO_VOLUME_INFORMATION, *PFILE_SFIO_VOLUME_INFORMATION; /** * The IO_PRIORITY_HINT enumeration type specifies the priority hint for an IRP. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ne-wdm-_io_priority_hint */ typedef enum _IO_PRIORITY_HINT { IoPriorityVeryLow, // Defragging, content indexing and other background I/Os. IoPriorityLow, // Prefetching for applications. IoPriorityNormal, // Normal I/Os. IoPriorityHigh, // Used by filesystems for checkpoint I/O. IoPriorityCritical, // Used by memory manager. Not available for applications. MaxIoPriorityTypes } IO_PRIORITY_HINT; /** * The FILE_IO_PRIORITY_HINT_INFORMATION structure is used to query and set the default IRP priority hint for requests on the specified file handle. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_io_priority_hint_information */ typedef struct DECLSPEC_ALIGN(8) _FILE_IO_PRIORITY_HINT_INFORMATION { IO_PRIORITY_HINT PriorityHint; } FILE_IO_PRIORITY_HINT_INFORMATION, *PFILE_IO_PRIORITY_HINT_INFORMATION; /** * The FILE_IO_PRIORITY_HINT_INFORMATION_EX structure is used to query and set the default IRP priority hint for requests on the specified file handle. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_io_priority_hint_information */ typedef struct _FILE_IO_PRIORITY_HINT_INFORMATION_EX { IO_PRIORITY_HINT PriorityHint; BOOLEAN BoostOutstanding; } FILE_IO_PRIORITY_HINT_INFORMATION_EX, *PFILE_IO_PRIORITY_HINT_INFORMATION_EX; /** * FILE_SKIP_COMPLETION_PORT_ON_SUCCESS * Skip posting a completion packet to the I/O completion port if the operation completes successfully. */ #define FILE_SKIP_COMPLETION_PORT_ON_SUCCESS 0x1 /** * FILE_SKIP_SET_EVENT_ON_HANDLE * Skip setting the event on the file handle when the operation completes. */ #define FILE_SKIP_SET_EVENT_ON_HANDLE 0x2 /** * FILE_SKIP_SET_USER_EVENT_ON_FAST_IO * Skip setting the user event when a fast I/O operation completes. */ #define FILE_SKIP_SET_USER_EVENT_ON_FAST_IO 0x4 typedef struct _FILE_IO_COMPLETION_NOTIFICATION_INFORMATION { ULONG Flags; } FILE_IO_COMPLETION_NOTIFICATION_INFORMATION, *PFILE_IO_COMPLETION_NOTIFICATION_INFORMATION; typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION { ULONG NumberOfProcessIdsInList; _Field_size_(NumberOfProcessIdsInList) HANDLE ProcessIdList[1]; } FILE_PROCESS_IDS_USING_FILE_INFORMATION, *PFILE_PROCESS_IDS_USING_FILE_INFORMATION; /** * The FILE_IS_REMOTE_DEVICE_INFORMATION structure indicates whether the file system that contains the file is a remote file system. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_is_remote_device_information */ typedef struct _FILE_IS_REMOTE_DEVICE_INFORMATION { BOOLEAN IsRemote; // A value that indicates whether the file system that contains the file is a remote file system. } FILE_IS_REMOTE_DEVICE_INFORMATION, *PFILE_IS_REMOTE_DEVICE_INFORMATION; typedef struct _FILE_NUMA_NODE_INFORMATION { USHORT NodeNumber; } FILE_NUMA_NODE_INFORMATION, *PFILE_NUMA_NODE_INFORMATION; typedef struct _FILE_IOSTATUSBLOCK_RANGE_INFORMATION { PUCHAR IoStatusBlockRange; ULONG Length; } FILE_IOSTATUSBLOCK_RANGE_INFORMATION, *PFILE_IOSTATUSBLOCK_RANGE_INFORMATION; // Win32 FILE_REMOTE_PROTOCOL_INFO typedef struct _FILE_REMOTE_PROTOCOL_INFORMATION { // Structure Version USHORT StructureVersion; // 1 for Win7, 2 for Win8 SMB3, 3 for Blue SMB3, 4 for RS5 USHORT StructureSize; // sizeof(FILE_REMOTE_PROTOCOL_INFORMATION) ULONG Protocol; // Protocol (WNNC_NET_*) defined in winnetwk.h or ntifs.h. // Protocol Version & Type USHORT ProtocolMajorVersion; USHORT ProtocolMinorVersion; USHORT ProtocolRevision; USHORT Reserved; // Protocol-Generic Information ULONG Flags; struct { ULONG Reserved[8]; } GenericReserved; // Protocol specific information union { struct { struct { ULONG Capabilities; } Server; struct { ULONG Capabilities; ULONG ShareFlags; // previoulsly CachingFlags before 21H1 UCHAR ShareType; // RS5 UCHAR Reserved0[3]; ULONG Reserved1; } Share; } Smb2; ULONG Reserved[16]; } ProtocolSpecific; } FILE_REMOTE_PROTOCOL_INFORMATION, *PFILE_REMOTE_PROTOCOL_INFORMATION; #define CHECKSUM_ENFORCEMENT_OFF 0x00000001 typedef struct _FILE_INTEGRITY_STREAM_INFORMATION { USHORT ChecksumAlgorithm; UCHAR ChecksumChunkShift; UCHAR ClusterShift; ULONG Flags; } FILE_INTEGRITY_STREAM_INFORMATION, *PFILE_INTEGRITY_STREAM_INFORMATION; typedef struct _FILE_VOLUME_NAME_INFORMATION { ULONG DeviceNameLength; _Field_size_bytes_(DeviceNameLength) WCHAR DeviceName[1]; } FILE_VOLUME_NAME_INFORMATION, *PFILE_VOLUME_NAME_INFORMATION; #ifndef FILE_INVALID_FILE_ID #define FILE_INVALID_FILE_ID ((LONGLONG)-1LL) #endif // FILE_INVALID_FILE_ID #define FILE_ID_IS_INVALID(FID) ((FID).QuadPart == FILE_INVALID_FILE_ID) #define FILE_ID_128_IS_INVALID(FID128) \ (((FID128).Identifier[0] == (UCHAR)-1) && \ ((FID128).Identifier[1] == (UCHAR)-1) && \ ((FID128).Identifier[2] == (UCHAR)-1) && \ ((FID128).Identifier[3] == (UCHAR)-1) && \ ((FID128).Identifier[4] == (UCHAR)-1) && \ ((FID128).Identifier[5] == (UCHAR)-1) && \ ((FID128).Identifier[6] == (UCHAR)-1) && \ ((FID128).Identifier[7] == (UCHAR)-1) && \ ((FID128).Identifier[8] == (UCHAR)-1) && \ ((FID128).Identifier[9] == (UCHAR)-1) && \ ((FID128).Identifier[10] == (UCHAR)-1) && \ ((FID128).Identifier[11] == (UCHAR)-1) && \ ((FID128).Identifier[12] == (UCHAR)-1) && \ ((FID128).Identifier[13] == (UCHAR)-1) && \ ((FID128).Identifier[14] == (UCHAR)-1) && \ ((FID128).Identifier[15] == (UCHAR)-1)) #define MAKE_INVALID_FILE_ID_128(FID128) { \ ((FID128).Identifier[0] = (UCHAR)-1); \ ((FID128).Identifier[1] = (UCHAR)-1); \ ((FID128).Identifier[2] = (UCHAR)-1); \ ((FID128).Identifier[3] = (UCHAR)-1); \ ((FID128).Identifier[4] = (UCHAR)-1); \ ((FID128).Identifier[5] = (UCHAR)-1); \ ((FID128).Identifier[6] = (UCHAR)-1); \ ((FID128).Identifier[7] = (UCHAR)-1); \ ((FID128).Identifier[8] = (UCHAR)-1); \ ((FID128).Identifier[9] = (UCHAR)-1); \ ((FID128).Identifier[10] = (UCHAR)-1); \ ((FID128).Identifier[11] = (UCHAR)-1); \ ((FID128).Identifier[12] = (UCHAR)-1); \ ((FID128).Identifier[13] = (UCHAR)-1); \ ((FID128).Identifier[14] = (UCHAR)-1); \ ((FID128).Identifier[15] = (UCHAR)-1); \ } /** * The FILE_ID_INFORMATION structure is used to query file identification information. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-file_id_information */ typedef struct _FILE_ID_INFORMATION { ULONGLONG VolumeSerialNumber; union { FILE_ID_128 FileId; struct { union { FILE_INTERNAL_INFORMATION FileInternal; // rev LONGLONG FileIdLowPart; // rev }; LONGLONG FileIdHighPart; // rev }; }; } FILE_ID_INFORMATION, *PFILE_ID_INFORMATION; /** * The FILE_ID_EXTD_DIR_INFORMATION structure is used to query 128-bit file reference number information for the files in a directory. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-file_id_extd_dir_information */ _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_EXTD_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; ULONG ReparsePointTag; FILE_ID_128 FileId; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_EXTD_DIR_INFORMATION, *PFILE_ID_EXTD_DIR_INFORMATION; #define FileIdExtdDirectoryInformationDefinition { \ FileIdExtdDirectoryInformation, \ FIELD_OFFSET(FILE_ID_EXTD_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_ID_EXTD_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_EXTD_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_LINK_ENTRY_FULL_ID_INFORMATION { ULONG NextEntryOffset; FILE_ID_128 ParentFileId; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_LINK_ENTRY_FULL_ID_INFORMATION, *PFILE_LINK_ENTRY_FULL_ID_INFORMATION; typedef struct _FILE_LINKS_FULL_ID_INFORMATION { ULONG BytesNeeded; ULONG EntriesReturned; FILE_LINK_ENTRY_FULL_ID_INFORMATION Entry; } FILE_LINKS_FULL_ID_INFORMATION, *PFILE_LINKS_FULL_ID_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; ULONG ReparsePointTag; FILE_ID_128 FileId; CCHAR ShortNameLength; WCHAR ShortName[12]; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_EXTD_BOTH_DIR_INFORMATION; #define FileIdExtdBothDirectoryInformationDefinition { \ FileIdExtdBothDirectoryInformation, \ FIELD_OFFSET(FILE_ID_EXTD_BOTH_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_ID_EXTD_BOTH_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_EXTD_BOTH_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_64_EXTD_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; ULONG ReparsePointTag; union { LARGE_INTEGER FileId; FILE_INTERNAL_INFORMATION FileInternal; // rev }; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_64_EXTD_DIR_INFORMATION, *PFILE_ID_64_EXTD_DIR_INFORMATION; #define FileId64ExtdDirectoryInformationDefinition { \ FileId64ExtdDirectoryInformation, \ FIELD_OFFSET(FILE_ID_64_EXTD_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_ID_64_EXTD_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_64_EXTD_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_64_EXTD_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; ULONG ReparsePointTag; union { LARGE_INTEGER FileId; FILE_INTERNAL_INFORMATION FileInternal; // rev }; CCHAR ShortNameLength; WCHAR ShortName[12]; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_64_EXTD_BOTH_DIR_INFORMATION; #define FileId64ExtdBothDirectoryInformationDefinition { \ FileId64ExtdBothDirectoryInformation, \ FIELD_OFFSET(FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_ALL_EXTD_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; ULONG ReparsePointTag; union { LARGE_INTEGER FileId; FILE_INTERNAL_INFORMATION FileInternal; // rev }; FILE_ID_128 FileId128; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_ALL_EXTD_DIR_INFORMATION, *PFILE_ID_ALL_EXTD_DIR_INFORMATION; #define FileIdAllExtdDirectoryInformationDefinition { \ FileIdAllExtdDirectoryInformation, \ FIELD_OFFSET(FILE_ID_ALL_EXTD_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_ID_ALL_EXTD_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_ALL_EXTD_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; ULONG ReparsePointTag; union { LARGE_INTEGER FileId; FILE_INTERNAL_INFORMATION FileInternal; // rev }; FILE_ID_128 FileId128; CCHAR ShortNameLength; WCHAR ShortName[12]; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION; #define FileIdAllExtdBothDirectoryInformationDefinition { \ FileIdAllExtdBothDirectoryInformation, \ FIELD_OFFSET(FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, FileNameLength) \ } #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) typedef struct _FILE_STAT_INFORMATION { LARGE_INTEGER FileId; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG FileAttributes; ULONG ReparseTag; ULONG NumberOfLinks; ACCESS_MASK EffectiveAccess; } FILE_STAT_INFORMATION, *PFILE_STAT_INFORMATION; typedef struct _FILE_STAT_BASIC_INFORMATION { LARGE_INTEGER FileId; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG FileAttributes; ULONG ReparseTag; ULONG NumberOfLinks; ULONG DeviceType; ULONG DeviceCharacteristics; ULONG Reserved; LARGE_INTEGER VolumeSerialNumber; FILE_ID_128 FileId128; } FILE_STAT_BASIC_INFORMATION, *PFILE_STAT_BASIC_INFORMATION; #endif // NTDDI_WIN11_GE /** * The FILE_MEMORY_PARTITION_INFORMATION structure is used to query information about a memory partition. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_memory_partition_information */ typedef struct _FILE_MEMORY_PARTITION_INFORMATION { HANDLE OwnerPartitionHandle; union { struct { UCHAR NoCrossPartitionAccess; UCHAR Spare[3]; }; ULONG AllFlags; } Flags; } FILE_MEMORY_PARTITION_INFORMATION, *PFILE_MEMORY_PARTITION_INFORMATION; // LxFlags #define LX_FILE_METADATA_HAS_UID 0x1 #define LX_FILE_METADATA_HAS_GID 0x2 #define LX_FILE_METADATA_HAS_MODE 0x4 #define LX_FILE_METADATA_HAS_DEVICE_ID 0x8 #define LX_FILE_CASE_SENSITIVE_DIR 0x10 #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) typedef struct _FILE_STAT_LX_INFORMATION { FILE_INTERNAL_INFORMATION FileId; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG FileAttributes; ULONG ReparseTag; ULONG NumberOfLinks; ACCESS_MASK EffectiveAccess; ULONG LxFlags; ULONG LxUid; ULONG LxGid; ULONG LxMode; ULONG LxDeviceIdMajor; ULONG LxDeviceIdMinor; } FILE_STAT_LX_INFORMATION, *PFILE_STAT_LX_INFORMATION; #endif // NTDDI_WIN11_GE typedef struct _FILE_STORAGE_RESERVE_ID_INFORMATION { STORAGE_RESERVE_ID StorageReserveId; } FILE_STORAGE_RESERVE_ID_INFORMATION, *PFILE_STORAGE_RESERVE_ID_INFORMATION; #define FILE_CS_FLAG_CASE_SENSITIVE_DIR 0x00000001 #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) typedef struct _FILE_CASE_SENSITIVE_INFORMATION { ULONG Flags; } FILE_CASE_SENSITIVE_INFORMATION, *PFILE_CASE_SENSITIVE_INFORMATION; #endif // NTDDI_WIN11_GE typedef enum _FILE_KNOWN_FOLDER_TYPE { KnownFolderNone = 0, KnownFolderDesktop, KnownFolderDocuments, KnownFolderDownloads, KnownFolderMusic, KnownFolderPictures, KnownFolderVideos, KnownFolderOther, KnownFolderMax } FILE_KNOWN_FOLDER_TYPE; typedef struct _FILE_KNOWN_FOLDER_INFORMATION { FILE_KNOWN_FOLDER_TYPE Type; } FILE_KNOWN_FOLDER_INFORMATION, *PFILE_KNOWN_FOLDER_INFORMATION; // private typedef struct _FILE_STREAM_RESERVATION_INFORMATION { ULONG_PTR TrackedReservation; ULONG_PTR EnforcedReservation; } FILE_STREAM_RESERVATION_INFORMATION, *PFILE_STREAM_RESERVATION_INFORMATION; // private typedef struct _MUP_PROVIDER_INFORMATION { ULONG Level; PVOID Buffer; PULONG BufferSize; } MUP_PROVIDER_INFORMATION, *PMUP_PROVIDER_INFORMATION; // // NtQueryDirectoryFile types // _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_INFORMATION_DEFINITION { FILE_INFORMATION_CLASS Class; ULONG NextEntryOffset; ULONG FileNameOffset; ULONG FileNameLengthOffset; } FILE_INFORMATION_DEFINITION, *PFILE_INFORMATION_DEFINITION; _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; #define FileDirectoryInformationDefinition { \ FileDirectoryInformation, \ FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName), \ FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_FULL_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; #define FileFullDirectoryInformationDefinition { \ FileFullDirectoryInformation, \ FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_FULL_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; union { LARGE_INTEGER FileId; FILE_INTERNAL_INFORMATION FileInternal; // rev }; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; #define FileIdFullDirectoryInformationDefinition { \ FileIdFullDirectoryInformation, \ FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, NextEntryOffset),\ FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CCHAR ShortNameLength; WCHAR ShortName[12]; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; #define FileBothDirectoryInformationDefinition { \ FileBothDirectoryInformation, \ FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CCHAR ShortNameLength; WCHAR ShortName[12]; union { LARGE_INTEGER FileId; FILE_INTERNAL_INFORMATION FileInternal; // rev }; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; #define FileIdBothDirectoryInformationDefinition { \ FileIdBothDirectoryInformation, \ FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, NextEntryOffset),\ FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_NAMES_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; #define FileNamesInformationDefinition { \ FileNamesInformation, \ FIELD_OFFSET(FILE_NAMES_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName), \ FIELD_OFFSET(FILE_NAMES_INFORMATION, FileNameLength) \ } _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_ID_GLOBAL_TX_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; union { LARGE_INTEGER FileId; FILE_INTERNAL_INFORMATION FileInternal; // rev }; GUID LockingTransactionId; ULONG TxInfoFlags; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_ID_GLOBAL_TX_DIR_INFORMATION, *PFILE_ID_GLOBAL_TX_DIR_INFORMATION; #define FILE_ID_GLOBAL_TX_DIR_INFO_FLAG_WRITELOCKED 0x00000001 #define FILE_ID_GLOBAL_TX_DIR_INFO_FLAG_VISIBLE_TO_TX 0x00000002 #define FILE_ID_GLOBAL_TX_DIR_INFO_FLAG_VISIBLE_OUTSIDE_TX 0x00000004 #define FileIdGlobalTxDirectoryInformationDefinition { \ FileIdGlobalTxDirectoryInformation, \ FIELD_OFFSET(FILE_ID_GLOBAL_TX_DIR_INFORMATION, NextEntryOffset), \ FIELD_OFFSET(FILE_ID_GLOBAL_TX_DIR_INFORMATION, FileName), \ FIELD_OFFSET(FILE_ID_GLOBAL_TX_DIR_INFORMATION, FileNameLength) \ } typedef struct _FILE_OBJECTID_INFORMATION { ULONGLONG FileReference; UCHAR ObjectId[16]; // GUID union { struct { UCHAR BirthVolumeId[16]; UCHAR BirthObjectId[16]; UCHAR DomainId[16]; }; UCHAR ExtendedInfo[48]; }; } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; typedef struct _FILE_DIRECTORY_NEXT_INFORMATION { ULONG NextEntryOffset; } FILE_DIRECTORY_NEXT_INFORMATION, *PFILE_DIRECTORY_NEXT_INFORMATION; // // NtQueryEaFile/NtSetEaFile types // _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_FULL_EA_INFORMATION { ULONG NextEntryOffset; UCHAR Flags; UCHAR EaNameLength; USHORT EaValueLength; _Field_size_bytes_(EaNameLength) CHAR EaName[1]; // ... // UCHAR EaValue[1] } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_GET_EA_INFORMATION { ULONG NextEntryOffset; UCHAR EaNameLength; _Field_size_bytes_(EaNameLength) CHAR EaName[1]; } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; // // NtQueryQuotaInformationFile/NtSetQuotaInformationFile types // _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_GET_QUOTA_INFORMATION { ULONG NextEntryOffset; ULONG SidLength; _Field_size_bytes_(SidLength) SID Sid; } FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_QUOTA_INFORMATION { ULONG NextEntryOffset; ULONG SidLength; LARGE_INTEGER ChangeTime; LARGE_INTEGER QuotaUsed; LARGE_INTEGER QuotaThreshold; LARGE_INTEGER QuotaLimit; _Field_size_bytes_(SidLength) SID Sid; } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; typedef enum _FSINFOCLASS { FileFsVolumeInformation = 1, // q: FILE_FS_VOLUME_INFORMATION FileFsLabelInformation, // s: FILE_FS_LABEL_INFORMATION // SeManageVolumePrivilege FileFsSizeInformation, // q: FILE_FS_SIZE_INFORMATION FileFsDeviceInformation, // q: FILE_FS_DEVICE_INFORMATION FileFsAttributeInformation, // q: FILE_FS_ATTRIBUTE_INFORMATION FileFsControlInformation, // qs: FILE_FS_CONTROL_INFORMATION // SeManageVolumePrivilege FileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION FileFsObjectIdInformation, // qs: FILE_FS_OBJECTID_INFORMATION // SeRestorePrivilege FileFsDriverPathInformation, // q: FILE_FS_DRIVER_PATH_INFORMATION FileFsVolumeFlagsInformation, // qs: FILE_FS_VOLUME_FLAGS_INFORMATION // SeManageVolumePrivilege // 10 FileFsSectorSizeInformation, // q: FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 FileFsDataCopyInformation, // q: FILE_FS_DATA_COPY_INFORMATION FileFsMetadataSizeInformation, // q: FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD FileFsFullSizeInformationEx, // q: FILE_FS_FULL_SIZE_INFORMATION_EX // since REDSTONE5 FileFsGuidInformation, // q: FILE_FS_GUID_INFORMATION // since 23H2 FileFsMaximumInformation } FSINFOCLASS, *PFSINFOCLASS; typedef enum _FSINFOCLASS FS_INFORMATION_CLASS; // // NtQueryVolumeInformation/NtSetVolumeInformation types // typedef struct _FILE_FS_VOLUME_INFORMATION { LARGE_INTEGER VolumeCreationTime; ULONG VolumeSerialNumber; ULONG VolumeLabelLength; BOOLEAN SupportsObjects; _Field_size_bytes_(VolumeLabelLength) WCHAR VolumeLabel[1]; } FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; typedef struct _FILE_FS_LABEL_INFORMATION { ULONG VolumeLabelLength; _Field_size_bytes_(VolumeLabelLength) WCHAR VolumeLabel[1]; } FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION; typedef struct _FILE_FS_SIZE_INFORMATION { LARGE_INTEGER TotalAllocationUnits; LARGE_INTEGER AvailableAllocationUnits; ULONG SectorsPerAllocationUnit; ULONG BytesPerSector; } FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION; // FileSystemControlFlags #define FILE_VC_QUOTA_NONE 0x00000000 #define FILE_VC_QUOTA_TRACK 0x00000001 #define FILE_VC_QUOTA_ENFORCE 0x00000002 #define FILE_VC_QUOTA_MASK 0x00000003 #define FILE_VC_CONTENT_INDEX_DISABLED 0x00000008 #define FILE_VC_LOG_QUOTA_THRESHOLD 0x00000010 #define FILE_VC_LOG_QUOTA_LIMIT 0x00000020 #define FILE_VC_LOG_VOLUME_THRESHOLD 0x00000040 #define FILE_VC_LOG_VOLUME_LIMIT 0x00000080 #define FILE_VC_QUOTAS_INCOMPLETE 0x00000100 #define FILE_VC_QUOTAS_REBUILDING 0x00000200 #define FILE_VC_VALID_MASK 0x000003ff typedef struct _FILE_FS_CONTROL_INFORMATION { LARGE_INTEGER FreeSpaceStartFiltering; LARGE_INTEGER FreeSpaceThreshold; LARGE_INTEGER FreeSpaceStopFiltering; LARGE_INTEGER DefaultQuotaThreshold; LARGE_INTEGER DefaultQuotaLimit; ULONG FileSystemControlFlags; // FILE_VC_* } FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION; typedef struct _FILE_FS_FULL_SIZE_INFORMATION { LARGE_INTEGER TotalAllocationUnits; LARGE_INTEGER CallerAvailableAllocationUnits; LARGE_INTEGER ActualAvailableAllocationUnits; ULONG SectorsPerAllocationUnit; ULONG BytesPerSector; } FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION; typedef struct _FILE_FS_OBJECTID_INFORMATION { UCHAR ObjectId[16]; union { struct { UCHAR BirthVolumeId[16]; UCHAR BirthObjectId[16]; UCHAR DomainId[16]; }; UCHAR ExtendedInfo[48]; }; } FILE_FS_OBJECTID_INFORMATION, *PFILE_FS_OBJECTID_INFORMATION; typedef struct _FILE_FS_DEVICE_INFORMATION { DEVICE_TYPE DeviceType; ULONG Characteristics; } FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION; typedef struct _FILE_FS_ATTRIBUTE_INFORMATION { ULONG FileSystemAttributes; LONG MaximumComponentNameLength; ULONG FileSystemNameLength; _Field_size_bytes_(FileSystemNameLength) WCHAR FileSystemName[1]; } FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION; typedef struct _FILE_FS_DRIVER_PATH_INFORMATION { BOOLEAN DriverInPath; ULONG DriverNameLength; _Field_size_bytes_(DriverNameLength) WCHAR DriverName[1]; } FILE_FS_DRIVER_PATH_INFORMATION, *PFILE_FS_DRIVER_PATH_INFORMATION; typedef struct _FILE_FS_VOLUME_FLAGS_INFORMATION { ULONG Flags; } FILE_FS_VOLUME_FLAGS_INFORMATION, *PFILE_FS_VOLUME_FLAGS_INFORMATION; #define SSINFO_FLAGS_ALIGNED_DEVICE 0x00000001 #define SSINFO_FLAGS_PARTITION_ALIGNED_ON_DEVICE 0x00000002 #define SSINFO_FLAGS_NO_SEEK_PENALTY 0x00000004 #define SSINFO_FLAGS_TRIM_ENABLED 0x00000008 #define SSINFO_FLAGS_BYTE_ADDRESSABLE 0x00000010 // since REDSTONE // If set for Sector and Partition fields, alignment is not known. #define SSINFO_OFFSET_UNKNOWN 0xffffffff typedef struct _FILE_FS_SECTOR_SIZE_INFORMATION { ULONG LogicalBytesPerSector; ULONG PhysicalBytesPerSectorForAtomicity; ULONG PhysicalBytesPerSectorForPerformance; ULONG FileSystemEffectivePhysicalBytesPerSectorForAtomicity; ULONG Flags; // SSINFO_FLAGS_* ULONG ByteOffsetForSectorAlignment; ULONG ByteOffsetForPartitionAlignment; } FILE_FS_SECTOR_SIZE_INFORMATION, *PFILE_FS_SECTOR_SIZE_INFORMATION; typedef struct _FILE_FS_DATA_COPY_INFORMATION { ULONG NumberOfCopies; } FILE_FS_DATA_COPY_INFORMATION, *PFILE_FS_DATA_COPY_INFORMATION; typedef struct _FILE_FS_METADATA_SIZE_INFORMATION { LARGE_INTEGER TotalMetadataAllocationUnits; ULONG SectorsPerAllocationUnit; ULONG BytesPerSector; } FILE_FS_METADATA_SIZE_INFORMATION, *PFILE_FS_METADATA_SIZE_INFORMATION; typedef struct _FILE_FS_FULL_SIZE_INFORMATION_EX { ULONGLONG ActualTotalAllocationUnits; ULONGLONG ActualAvailableAllocationUnits; ULONGLONG ActualPoolUnavailableAllocationUnits; ULONGLONG CallerTotalAllocationUnits; ULONGLONG CallerAvailableAllocationUnits; ULONGLONG CallerPoolUnavailableAllocationUnits; ULONGLONG UsedAllocationUnits; ULONGLONG TotalReservedAllocationUnits; ULONGLONG VolumeStorageReserveAllocationUnits; ULONGLONG AvailableCommittedAllocationUnits; ULONGLONG PoolAvailableAllocationUnits; ULONG SectorsPerAllocationUnit; ULONG BytesPerSector; } FILE_FS_FULL_SIZE_INFORMATION_EX, *PFILE_FS_FULL_SIZE_INFORMATION_EX; typedef struct _FILE_FS_GUID_INFORMATION { GUID FsGuid; } FILE_FS_GUID_INFORMATION, *PFILE_FS_GUID_INFORMATION; // // System calls // /** * The NtCreateFile routine creates a new file or directory, or opens an existing file, device, directory, or volume. * * \param[out] FileHandle Pointer to a variable that receives a handle to the pipe. * \param[in] DesiredAccess The requested access to the object. * \param[in] ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that contains the object attributes, including pipe name. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \param[in] AllocationSize The initial allocation size in bytes for the file. Specify a non-zero value to eliminate disk fragmentation, since the file system pre-allocates the file using a contiguous block. * \param[in] FileAttributes The file attributes. Explicitly specified attributes are applied only when the file is created, superseded, or, in some cases, overwritten. * \param[in] ShareAccess The type of share access that the caller would like to use in the file. * \param[in] CreateDisposition Specifies how the file should be handled when the file already exists. * \param[in] CreateOptions Specifies the options to be applied when creating or opening the file. * \param[in] EaBuffer Pointer to an EA buffer used to pass extended attributes. * \param[in] EaLength Length of the EA buffer. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/Winternl/nf-winternl-ntcreatefile */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_opt_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, _In_ ULONG EaLength ); /** * The NtCreateNamedPipeFile routine deletes the specified file. * * \param[out] FileHandle Pointer to a variable that receives a handle to the pipe. * \param[in] DesiredAccess The requested access to the object. * \param[in] ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that contains the object attributes, including pipe name. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \param[in] ShareAccess Specifies the type of share access for the file. * \param[in] CreateDisposition Specifies how the file should be handled when the file already exists. * \param[in] CreateOptions Specifies the options to be applied when creating or opening the file. * \param[in] NamedPipeType Type of named pipe to create (byte-type or message-type). * \param[in] ReadMode Mode in which to read the pipe (byte-type or message-type). * \param[in] CompletionMode Specifies blocking or non-blocking mode of the pipe. * \param[in] MaximumInstances Maximum number of simultaneous instances of the named pipe. * \param[in] InboundQuota Specifies the pool quota that is reserved for writes to the inbound side of the named pipe. * \param[in] OutboundQuota Specifies the pool quota that is reserved for writes to the inbound side of the named pipe. * \param[in] DefaultTimeout An optional pointer to a timeout value that is used if a timeout value is not specified when waiting for an instance of a named pipe. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/nt-create-named-pipe-file */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateNamedPipeFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ ULONG NamedPipeType, _In_ ULONG ReadMode, _In_ ULONG CompletionMode, _In_ ULONG MaximumInstances, _In_ ULONG InboundQuota, _In_ ULONG OutboundQuota, _In_ PLARGE_INTEGER DefaultTimeout ); NTSYSCALLAPI NTSTATUS NTAPI NtCreateMailslotFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CreateOptions, _In_ ULONG MailslotQuota, _In_ ULONG MaximumMessageSize, _In_ PLARGE_INTEGER ReadTimeout ); /** * The NtOpenFile routine opens an existing file, device, directory, or volume, and returns a handle for the file object. * * \param[out] FileHandle Pointer to a variable that receives a handle to the file. * \param[in] DesiredAccess The requested access to the object. * \param[in] ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that contains the file's attributes, including file name. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \param[in] ShareAccess Specifies the type of share access for the file. * \param[in] OpenOptions Specifies the options to apply when opening the file. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenfile */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenFile( _Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG ShareAccess, _In_ ULONG OpenOptions ); /** * The NtDeleteFile routine deletes the specified file. * * \param[in] ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that contains the file's attributes, including file name. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwdeletefile */ NTSYSCALLAPI NTSTATUS NTAPI NtDeleteFile( _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtFlushBuffersFile routine sends a flush request for the specified file to the file system. * * \param[in] FileHandle A handle to the file whose buffers will be flushed. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwflushbuffersfile */ NTSYSCALLAPI NTSTATUS NTAPI NtFlushBuffersFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); // Flag definitions for NtFlushBuffersFileEx // // If none of the below flags are specified the following will occur for a // given file handle: // - Write any modified data for the given file from the Windows in-memory // cache. // - Commit all pending metadata changes for the given file from the // Windows in-memory cache. // - Send a SYNC command to the underlying storage device to commit all // written data in the devices cache to persistent storage. // // If a volume handle is specified: // - Write all modified data for all files on the volume from the Windows // in-memory cache. // - Commit all pending metadata changes for all files on the volume from // the Windows in-memory cache. // - Send a SYNC command to the underlying storage device to commit all // written data in the devices cache to persistent storage. // // This is equivalent to how NtFlushBuffersFile has always worked. // If set, File data and metadata in the file cache will be written, and the // underlying storage is synchronized to flush its cache. // Windows file systems supported: NTFS, ReFS, FAT, exFAT. // #define FLUSH_FLAGS_FILE_NORMAL 0x00000000 // If set, this operation will write the data for the given file from the // Windows in-memory cache. This will NOT commit any associated metadata // changes. This will NOT send a SYNC to the storage device to flush its // cache. Not supported on volume handles. // #define FLUSH_FLAGS_FILE_DATA_ONLY 0x00000001 // // If set, this operation will commit both the data and metadata changes for // the given file from the Windows in-memory cache. This will NOT send a SYNC // to the storage device to flush its cache. Not supported on volume handles. // #define FLUSH_FLAGS_NO_SYNC 0x00000002 // // If set, this operation will write the data for the given file from the // Windows in-memory cache. It will also try to skip updating the timestamp // as much as possible. This will send a SYNC to the storage device to flush its // cache. Not supported on volume or directory handles. // #define FLUSH_FLAGS_FILE_DATA_SYNC_ONLY 0x00000004 // REDSTONE1 // // If set, this operation will write the data for the given file from the // Windows in-memory cache. It will also try to skip updating the timestamp // as much as possible. This will send a SYNC to the storage device to flush its // cache. Not supported on volume or directory handles. // #define FLUSH_FLAGS_FLUSH_AND_PURGE 0x00000008 // 24H2 #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtFlushBuffersFileEx routine sends a flush request for a given file to the file system. An optional flush operation flag can be set to control how file data is written to storage. * * \param FileHandle A handle to the file object representing the file, directory, device or volume. * \param Flags Flush operation flags. * \param Parameters Pointer to a block with additional parameters. This parameter must currently be set to NULL. * \param ParametersSize The size, in bytes, of the block that Parameters point to. This parameter must currently be set to 0. * \param IoStatusBlock Address of the caller's I/O status block. This parameter is required and cannot be NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntflushbuffersfileex */ NTSYSCALLAPI NTSTATUS NTAPI NtFlushBuffersFileEx( _In_ HANDLE FileHandle, _In_ ULONG Flags, _In_reads_bytes_(ParametersSize) PVOID Parameters, _In_ ULONG ParametersSize, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); #endif // PHNT_VERSION >= PHNT_WINDOWS_8 /** * The NtQueryInformationFile routine returns various kinds of information about a file object. * * \param FileHandle A handle to the file object representing the file or directory. * \param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FileInformation. * \param FileInformation Pointer to a caller-allocated buffer into which the routine writes the requested information about the file object. * \param Length The size, in bytes, of the buffer pointed to by FileInformation. * \param FileInformationClass Specifies the type of information to be returned about the file, in the buffer that FileInformation points to. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationfile */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass ); #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS2) /** * The NtQueryInformationByName routine returns various kinds of information about a file object by file name. * * \param ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that contains the file's attributes, including file name. * \param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FileInformation. * \param FileInformation Pointer to a caller-allocated buffer into which the routine writes the requested information about the file object. * \param Length The size, in bytes, of the buffer pointed to by FileInformation. * \param FileInformationClass Specifies the type of information to be returned about the file, in the buffer that FileInformation points to. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationbyname * \remarks NtQueryInformationByName queries and returns the requested information without opening the actual file, * making it more efficient than NtQueryInformationFile, which requires a file open and subsequent file close. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationByName( _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass ); #endif // PHNT_VERSION >= PHNT_WINDOWS_10_RS2 /** * The NtSetInformationFile routine changes various kinds of information about a file object. * * \param FileHandle A handle to the file object representing the file or directory. * \param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FileInformation. * \param FileInformation Pointer to a buffer that contains the information to set for the file. * \param Length The size, in bytes, of the buffer pointed to by FileInformation. * \param FileInformationClass The type of information, supplied in the buffer pointed to by FileInformation, to set for the file. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationfile */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass ); /** * The NtQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle. * * \param[in] FileHandle A handle for the file object that represents the directory for which information is being requested. * \param[in] Event An optional handle for a caller-created event. The event is set to the Signaled state the requested operation is completed. * \param[in] ApcRoutine An address of an optional, caller-supplied APC routine to be called when the requested operation completes. * \param[in] ApcContext An address of an optional, caller-supplied APC or I/O completion object associated with the file object. * \param[out] IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FileInformation. * \param[out] FileInformation A pointer to a buffer that receives the desired information about the file. * \param[in] Length The size, in bytes, of the buffer pointed to by FileInformation. * \param[in] FileInformationClass The type of information to be returned about files in the directory. * \param[in] ReturnSingleEntry Set to TRUE if only a single entry should be returned, FALSE otherwise. * \param[in] FileName An optional pointer to a Unicode string search expression containing the name of a file (or multiple files, if wildcards are used) within the directory. * \param[in] RestartScan Set to TRUE if the scan is to start at the first entry in the directory. Set to FALSE if resuming the scan from a previous call. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntquerydirectoryfile */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryDirectoryFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass, _In_ BOOLEAN ReturnSingleEntry, _In_opt_ PCUNICODE_STRING FileName, _In_ BOOLEAN RestartScan ); // QueryFlags values for NtQueryDirectoryFileEx /** * The scan will start at the first entry in the directory. If this flag is not set, the scan will resume from where the last query ended. */ #define FILE_QUERY_RESTART_SCAN 0x00000001 /** * Normally the return buffer is packed with as many matching directory entries that fit. * If this flag is set, the file system will return only one directory entry at a time. * This does make the operation less efficient. */ #define FILE_QUERY_RETURN_SINGLE_ENTRY 0x00000002 /** * The scan should start at a specified indexed position in the directory. * This flag can only be set if you generate your own IRP_MJ_DIRECTORY_CONTROL IRP; the index is specified in the IRP. * How the position is specified varies from file system to file system. */ #define FILE_QUERY_INDEX_SPECIFIED 0x00000004 /** * Any file system filters that perform directory virtualization or just-in-time expansion should simply pass the request * through to the file system and return entries that are currently on disk. Not all file systems support this flag. */ #define FILE_QUERY_RETURN_ON_DISK_ENTRIES_ONLY 0x00000008 /** * File systems maintain per-FileObject directory cursor information. When multiple threads do queries using the same FileObject, * access to the per-FileObject structure is single threaded to prevent corruption of the cursor state. * This flag tells the file system to not update per-FileObject cursor state information thus allowing multiple threads * to query in parallel using the same handle. It behaves as if SL_RESTART_SCAN is specified on each call. If a wild card pattern * is given on the next call, the operation will not pick up where the last query ended. * This allows for true asynchronous directory query support. Not all file systems support this flag. */ #define FILE_QUERY_NO_CURSOR_UPDATE 0x00000010 // RS5 #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS3) /** * The NtQueryDirectoryFileEx routine returns various kinds of information about files in the directory specified by a given file handle. * * \param[in] FileHandle A handle for the file object that represents the directory for which information is being requested. * \param[in] Event An optional handle for a caller-created event. The event is set to the Signaled state the requested operation is completed. * \param[in] ApcRoutine An address of an optional, caller-supplied APC routine to be called when the requested operation completes. * \param[in] ApcContext An address of an optional, caller-supplied APC or I/O completion object associated with the file object. * \param[out] IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FileInformation. * \param[out] FileInformation A pointer to a buffer that receives the desired information about the file. * \param[in] Length The size, in bytes, of the buffer pointed to by FileInformation. * \param[in] FileInformationClass The type of information to be returned about files in the directory. * \param[in] QueryFlags One or more of the flags contained in SL_QUERY_DIRECTORY_MASK * \param[in] FileName An optional pointer to a Unicode string search expression containing the name of a file (or multiple files, if wildcards are used) within the directory. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntquerydirectoryfileex */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryDirectoryFileEx( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FileInformation, _In_ ULONG Length, _In_ FILE_INFORMATION_CLASS FileInformationClass, _In_ ULONG QueryFlags, _In_opt_ PCUNICODE_STRING FileName ); #endif // PHNT_VERSION >= PHNT_WINDOWS_10_RS3 NTSYSCALLAPI NTSTATUS NTAPI NtQueryEaFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_reads_bytes_opt_(EaListLength) PVOID EaList, _In_ ULONG EaListLength, _In_opt_ PULONG EaIndex, _In_ BOOLEAN RestartScan ); NTSYSCALLAPI NTSTATUS NTAPI NtSetEaFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ); NTSYSCALLAPI NTSTATUS NTAPI NtQueryQuotaInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_reads_bytes_opt_(SidListLength) PVOID SidList, _In_ ULONG SidListLength, _In_opt_ PSID StartSid, _In_ BOOLEAN RestartScan ); NTSYSCALLAPI NTSTATUS NTAPI NtSetQuotaInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length ); /** * The NtQueryVolumeInformationFile routine retrieves information about the volume associated with a given file, directory, storage device, or volume. * * \param[in] FileHandle A handle to the file, directory, storage device, or volume for which volume information is being requested. * \param[out] IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FsInformation. * \param[out] FsInformation A pointer to a caller-allocated buffer that receives the desired information about the volume. * \param[in] Length The size, in bytes, of the buffer pointed to by FsInformation. * \param[in] FsInformationClass The type of information to be returned about the volume. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryvolumeinformationfile */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryVolumeInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID FsInformation, _In_ ULONG Length, _In_ FSINFOCLASS FsInformationClass ); /** * The NtSetVolumeInformationFile routine modifies information about the volume associated with a given file, directory, storage device, or volume. * * \param[in] FileHandle A handle to the file, directory, storage device, or volume for which volume information is being requested. * \param[out] IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FsInformation. * \param[in] FsInformation A pointer to a caller-allocated buffer containing the volume information to be modified. * \param[in] Length The size, in bytes, of the buffer pointed to by FsInformation. * \param[in] FsInformationClass The type of information to set about the volume. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwsetvolumeinformationfile */ NTSYSCALLAPI NTSTATUS NTAPI NtSetVolumeInformationFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(Length) PVOID FsInformation, _In_ ULONG Length, _In_ FSINFOCLASS FsInformationClass ); NTSYSCALLAPI NTSTATUS NTAPI NtCancelIoFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); NTSYSCALLAPI NTSTATUS NTAPI NtCancelIoFileEx( _In_ HANDLE FileHandle, _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); NTSYSCALLAPI NTSTATUS NTAPI NtCancelSynchronousIoFile( _In_ HANDLE ThreadHandle, _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); /** * The NtDeviceIoControlFile function sends a control code directly to a specified device driver, causing the corresponding driver to perform the specified operation. * * \param[in] FileHandle A handle to the file object representing the file or directory on which the specified action is to be performed. * \param[in] Event A handle for a caller-created event. This parameter is optional and can be NULL. It must be NULL if the caller will wait for the FileHandle to be set to the Signaled state. * \param[in] ApcRoutine Address of a caller-supplied APC routine to be called when the requested operation completes. This parameter is optional and can be NULL. * \param[in] ApcContext Pointer to a caller-determined context area. This parameter value is used as the APC context if the caller supplies an APC, or is used as the completion context if an I/O completion object has been associated with the file object. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \param[in] IoControlCode IOCTL_XXX code that indicates which device I/O control operation is to be carried out on, usually by the underlying device driver. * \param[in] InputBuffer Pointer to a caller-allocated input buffer that contains device-specific information to be given to the target driver. * \param[in] InputBufferLength Size, in bytes, of the buffer at InputBuffer. This value is ignored if InputBuffer is NULL. * \param[out] OutputBuffer Pointer to a caller-allocated output buffer in which information is returned from the target driver. * \param[in] OutputBufferLength Size, in bytes, of the buffer at OutputBuffer. This value is ignored if OutputBuffer is NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwdeviceiocontrolfile */ NTSYSCALLAPI NTSTATUS NTAPI NtDeviceIoControlFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG IoControlCode, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ); /** * The NtFsControlFile function sends a control code directly to a file system or filter driver, causing the corresponding driver to perform the specified action. * * \param[in] FileHandle A handle to the file object representing the file or directory on which the specified action is to be performed. * \param[in] Event A handle for a caller-created event. This parameter is optional and can be NULL. It must be NULL if the caller will wait for the FileHandle to be set to the Signaled state. * \param[in] ApcRoutine Address of a caller-supplied APC routine to be called when the requested operation completes. This parameter is optional and can be NULL. * \param[in] ApcContext Pointer to a caller-determined context area. This parameter value is used as the APC context if the caller supplies an APC, or is used as the completion context if an I/O completion object has been associated with the file object. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \param[in] FsControlCode FSCTL_XXX code that indicates which file system control operation is to be carried out. * \param[in] InputBuffer Pointer to a caller-allocated input buffer that contains device-specific information to be given to the target driver. * \param[in] InputBufferLength Size, in bytes, of the buffer at InputBuffer. This value is ignored if InputBuffer is NULL. * \param[out] OutputBuffer Pointer to a caller-allocated output buffer in which information is returned from the target driver. * \param[in] OutputBufferLength Size, in bytes, of the buffer at OutputBuffer. This value is ignored if OutputBuffer is NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwfscontrolfile */ NTSYSCALLAPI NTSTATUS NTAPI NtFsControlFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG FsControlCode, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ); /** * The NtReadFile function reads data from an open file. * * \param[in] FileHandle A handle to the file object representing the file or directory on which the specified action is to be performed. * \param[in] Event A handle for a caller-created event. This parameter is optional and can be NULL. It must be NULL if the caller will wait for the FileHandle to be set to the Signaled state. * \param[in] ApcRoutine Address of a caller-supplied APC routine to be called when the requested operation completes. This parameter is optional and can be NULL. * \param[in] ApcContext Pointer to a caller-determined context area. This parameter value is used as the APC context if the caller supplies an APC, or is used as the completion context if an I/O completion object has been associated with the file object. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \param[out] Buffer Pointer to a caller-allocated buffer that receives the data read from the file. * \param[in] Length The size, in bytes, of the buffer pointed to by Buffer. * \param[in] ByteOffset Pointer to a variable that specifies the starting byte offset in the file where the read operation will begin. * \param[in] Key Device and intermediate drivers should set this pointer to NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwreadfile */ NTSYSCALLAPI NTSTATUS NTAPI NtReadFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key ); /** * The NtWriteFile function writes data to an open file. * * \param[in] FileHandle A handle to the file object representing the file or directory on which the specified action is to be performed. * \param[in] Event A handle for a caller-created event. This parameter is optional and can be NULL. It must be NULL if the caller will wait for the FileHandle to be set to the Signaled state. * \param[in] ApcRoutine Address of a caller-supplied APC routine to be called when the requested operation completes. This parameter is optional and can be NULL. * \param[in] ApcContext Pointer to a caller-determined context area. This parameter value is used as the APC context if the caller supplies an APC, or is used as the completion context if an I/O completion object has been associated with the file object. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. * \param[in] Buffer Pointer to a caller-allocated buffer that contains the data to write to the file. * \param[in] Length The size, in bytes, of the buffer pointed to by Buffer. * \param[in] ByteOffset Pointer to a variable that specifies the starting byte offset in the file for beginning the write operation. * \param[in] Key Device and intermediate drivers should set this pointer to NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwwritefile */ NTSYSCALLAPI NTSTATUS NTAPI NtWriteFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key ); NTSYSCALLAPI NTSTATUS NTAPI NtReadFileScatter( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PFILE_SEGMENT_ELEMENT SegmentArray, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key ); NTSYSCALLAPI NTSTATUS NTAPI NtWriteFileGather( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PFILE_SEGMENT_ELEMENT SegmentArray, _In_ ULONG Length, _In_opt_ PLARGE_INTEGER ByteOffset, _In_opt_ PULONG Key ); NTSYSCALLAPI NTSTATUS NTAPI NtLockFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PLARGE_INTEGER ByteOffset, _In_ PLARGE_INTEGER Length, _In_ ULONG Key, _In_ BOOLEAN FailImmediately, _In_ BOOLEAN ExclusiveLock ); NTSYSCALLAPI NTSTATUS NTAPI NtUnlockFile( _In_ HANDLE FileHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ PLARGE_INTEGER ByteOffset, _In_ PLARGE_INTEGER Length, _In_ ULONG Key ); /** * The NtQueryAttributesFile function retrieves basic attributes for the specified file. * * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that supplies the attributes to be used for the file object. * \param FileInformation A pointer to a FILE_BASIC_INFORMATION structure to receive the returned file attribute information. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntqueryattributesfile */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryAttributesFile( _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PFILE_BASIC_INFORMATION FileInformation ); /** * The NtQueryFullAttributesFile function retrieves network open information for the specified file. * * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that supplies the attributes to be used for the file object. * \param FileInformation A pointer to a FILE_NETWORK_OPEN_INFORMATION structure that receives the returned file attributes information. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwqueryfullattributesfile */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryFullAttributesFile( _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ); // // NtNotifyChangeDirectoryFile information // #define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001 // winnt #define FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002 // winnt #define FILE_NOTIFY_CHANGE_NAME 0x00000003 #define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004 // winnt #define FILE_NOTIFY_CHANGE_SIZE 0x00000008 // winnt #define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010 // winnt #define FILE_NOTIFY_CHANGE_LAST_ACCESS 0x00000020 // winnt #define FILE_NOTIFY_CHANGE_CREATION 0x00000040 // winnt #define FILE_NOTIFY_CHANGE_EA 0x00000080 #define FILE_NOTIFY_CHANGE_SECURITY 0x00000100 // winnt #define FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200 #define FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400 #define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800 #define FILE_NOTIFY_VALID_MASK 0x00000fff #define FILE_ACTION_ADDED 0x00000001 // winnt #define FILE_ACTION_REMOVED 0x00000002 // winnt #define FILE_ACTION_MODIFIED 0x00000003 // winnt #define FILE_ACTION_RENAMED_OLD_NAME 0x00000004 // winnt #define FILE_ACTION_RENAMED_NEW_NAME 0x00000005 // winnt #define FILE_ACTION_ADDED_STREAM 0x00000006 #define FILE_ACTION_REMOVED_STREAM 0x00000007 #define FILE_ACTION_MODIFIED_STREAM 0x00000008 #define FILE_ACTION_REMOVED_BY_DELETE 0x00000009 #define FILE_ACTION_ID_NOT_TUNNELLED 0x0000000A #define FILE_ACTION_TUNNELLED_ID_COLLISION 0x0000000B NTSYSCALLAPI NTSTATUS NTAPI NtNotifyChangeDirectoryFile( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, // FILE_NOTIFY_INFORMATION _In_ ULONG Length, _In_ ULONG CompletionFilter, _In_ BOOLEAN WatchTree ); // private typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS { DirectoryNotifyInformation = 1, // FILE_NOTIFY_INFORMATION DirectoryNotifyExtendedInformation, // FILE_NOTIFY_EXTENDED_INFORMATION DirectoryNotifyFullInformation, // FILE_NOTIFY_FULL_INFORMATION // since 22H2 DirectoryNotifyMaximumInformation } DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; #if !defined(NTDDI_WIN10_RS5) || (NTDDI_VERSION < NTDDI_WIN10_RS5) _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_NOTIFY_INFORMATION { ULONG NextEntryOffset; ULONG Action; ULONG FileNameLength; WCHAR FileName[1]; } FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION; _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_NOTIFY_EXTENDED_INFORMATION { ULONG NextEntryOffset; ULONG Action; LARGE_INTEGER CreationTime; LARGE_INTEGER LastModificationTime; LARGE_INTEGER LastChangeTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER AllocatedLength; LARGE_INTEGER FileSize; ULONG FileAttributes; union { ULONG ReparsePointTag; ULONG EaSize; }; FILE_INTERNAL_INFORMATION FileId; FILE_INTERNAL_INFORMATION ParentFileId; ULONG FileNameLength; WCHAR FileName[1]; } FILE_NOTIFY_EXTENDED_INFORMATION, *PFILE_NOTIFY_EXTENDED_INFORMATION; #endif // NTDDI_WIN10_RS5 #define FILE_NAME_FLAG_HARDLINK 0 // not part of a name pair #define FILE_NAME_FLAG_NTFS 0x01 // NTFS name in a name pair #define FILE_NAME_FLAG_DOS 0x02 // DOS name in a name pair #define FILE_NAME_FLAG_BOTH 0x03 // NTFS+DOS combined name #define FILE_NAME_FLAGS_UNSPECIFIED 0x80 // not specified by file system (do not combine with other flags) #if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) _Struct_size_bytes_(NextEntryOffset) typedef struct _FILE_NOTIFY_FULL_INFORMATION { ULONG NextEntryOffset; ULONG Action; LARGE_INTEGER CreationTime; LARGE_INTEGER LastModificationTime; LARGE_INTEGER LastChangeTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER AllocatedLength; LARGE_INTEGER FileSize; ULONG FileAttributes; union { ULONG ReparsePointTag; ULONG EaSize; }; FILE_INTERNAL_INFORMATION FileId; FILE_INTERNAL_INFORMATION ParentFileId; USHORT FileNameLength; BYTE FileNameFlags; BYTE Reserved; WCHAR FileName[1]; } FILE_NOTIFY_FULL_INFORMATION, *PFILE_NOTIFY_FULL_INFORMATION; #endif // NTDDI_WIN10_NI #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS3) NTSYSCALLAPI NTSTATUS NTAPI NtNotifyChangeDirectoryFileEx( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _Out_writes_bytes_(Length) PVOID Buffer, _In_ ULONG Length, _In_ ULONG CompletionFilter, _In_ BOOLEAN WatchTree, _In_opt_ DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass ); #endif // PHNT_VERSION >= PHNT_WINDOWS_10_RS3 /** * The NtLoadDriver function loads a driver specified by the DriverServiceName parameter. * * \param DriverServiceName A pointer to a UNICODE_STRING structure that specifies the name of the driver service to load. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtLoadDriver( _In_ PCUNICODE_STRING DriverServiceName ); /** * The NtUnloadDriver function unloads a driver specified by the DriverServiceName parameter. * * \param DriverServiceName A pointer to a UNICODE_STRING structure that specifies the name of the driver service to unload. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtUnloadDriver( _In_ PCUNICODE_STRING DriverServiceName ); // // I/O completion port // #ifndef IO_COMPLETION_QUERY_STATE #define IO_COMPLETION_QUERY_STATE 0x0001 #endif #ifndef IO_COMPLETION_MODIFY_STATE #define IO_COMPLETION_MODIFY_STATE 0x0002 #endif #ifndef IO_COMPLETION_ALL_ACCESS #define IO_COMPLETION_ALL_ACCESS (IO_COMPLETION_QUERY_STATE|IO_COMPLETION_MODIFY_STATE|STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) #endif typedef enum _IO_COMPLETION_INFORMATION_CLASS { IoCompletionBasicInformation } IO_COMPLETION_INFORMATION_CLASS; typedef struct _IO_COMPLETION_BASIC_INFORMATION { LONG Depth; } IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION; NTSYSCALLAPI NTSTATUS NTAPI NtCreateIoCompletion( _Out_ PHANDLE IoCompletionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ ULONG NumberOfConcurrentThreads ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenIoCompletion( _Out_ PHANDLE IoCompletionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtQueryIoCompletion( _In_ HANDLE IoCompletionHandle, _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, _Out_writes_bytes_(IoCompletionInformationLength) PVOID IoCompletionInformation, _In_ ULONG IoCompletionInformationLength, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtSetIoCompletion( _In_ HANDLE IoCompletionHandle, _In_opt_ PVOID KeyContext, _In_opt_ PVOID ApcContext, _In_ NTSTATUS IoStatus, _In_ ULONG_PTR IoStatusInformation ); NTSYSCALLAPI NTSTATUS NTAPI NtSetIoCompletionEx( _In_ HANDLE IoCompletionHandle, _In_ HANDLE IoCompletionPacketHandle, _In_opt_ PVOID KeyContext, _In_opt_ PVOID ApcContext, _In_ NTSTATUS IoStatus, _In_ ULONG_PTR IoStatusInformation ); NTSYSCALLAPI NTSTATUS NTAPI NtRemoveIoCompletion( _In_ HANDLE IoCompletionHandle, _Out_ PVOID *KeyContext, _Out_ PVOID *ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_opt_ PLARGE_INTEGER Timeout ); // private typedef struct _FILE_IO_COMPLETION_INFORMATION { PVOID KeyContext; PVOID ApcContext; IO_STATUS_BLOCK IoStatusBlock; } FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; NTSYSCALLAPI NTSTATUS NTAPI NtRemoveIoCompletionEx( _In_ HANDLE IoCompletionHandle, _Out_writes_to_(Count, *NumEntriesRemoved) PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, _In_ ULONG Count, _Out_ PULONG NumEntriesRemoved, _In_opt_ PLARGE_INTEGER Timeout, _In_ BOOLEAN Alertable ); // // Wait completion packet // #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtCreateWaitCompletionPacket routine creates a wait completion packet object. * * A wait completion packet is a kernel object that can be associated with wait * or I/O completion sources and later queried via I/O completion mechanisms. * * \param WaitCompletionPacketHandle Pointer to a variable that receives a handle * to the newly created wait completion packet object. * \param DesiredAccess The access mask that specifies the requested access to * the wait completion packet object. * \param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure that * supplies the object name and other attributes. May be NULL. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateWaitCompletionPacket( _Out_ PHANDLE WaitCompletionPacketHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtAssociateWaitCompletionPacket routine associates a wait completion packet * with an I/O completion port or other target object so that a completion packet * will be queued when the target object becomes signaled or an I/O completes. * * This routine links the specified wait completion packet with the target * completion object so the packet will carry the supplied context and status * information when it is delivered. * * \param[in] WaitCompletionPacketHandle Handle to the wait completion packet object. * \param[in] IoCompletionHandle Handle to an I/O completion port (or compatible object) * with which the wait completion packet should be associated. * \param[in] TargetObjectHandle Handle to the object to watch for completion or * signalling (for example, a waitable kernel object). * \param[in] KeyContext Optional pointer to caller-specified context that will be * stored in the completion packet and returned to the consumer. * \param[in] ApcContext Optional pointer to caller-specified APC/context value that * will be stored in the completion packet and returned to the consumer. * \param[in] IoStatus The NTSTATUS value to be placed in the completion packet. * \param[in] IoStatusInformation Additional information ( ULONG_PTR ) to be placed * in the completion packet (commonly used for number of bytes transferred). * \param[out] AlreadySignaled Optional pointer to a BOOLEAN that, on return, is set * to TRUE if the packet was already signaled at the time of association; * otherwise FALSE. May be NULL. * \return NTSTATUS Successful or errant status. * \remarks Use this routine to arrange for notification of a target object's * completion by queuing a wait completion packet containing the * supplied context and status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAssociateWaitCompletionPacket( _In_ HANDLE WaitCompletionPacketHandle, _In_ HANDLE IoCompletionHandle, _In_ HANDLE TargetObjectHandle, _In_opt_ PVOID KeyContext, _In_opt_ PVOID ApcContext, _In_ NTSTATUS IoStatus, _In_ ULONG_PTR IoStatusInformation, _Out_opt_ PBOOLEAN AlreadySignaled ); /** * The NtCancelWaitCompletionPacket routine cancels a previously associated wait * completion packet or removes a signaled packet from its queue. * * \param[in] WaitCompletionPacketHandle Handle to the wait completion packet object to cancel. * \param[in] RemoveSignaledPacket If TRUE and the packet is already signaled, remove * the signaled packet from the target queue; if FALSE, cancellation will * prevent future signaling but will not remove an already queued packet. * \return NTSTATUS Successful or errant status. * \remarks After successful cancellation, the wait completion packet will no * longer be delivered as a result of the previously associated target. */ NTSYSCALLAPI NTSTATUS NTAPI NtCancelWaitCompletionPacket( _In_ HANDLE WaitCompletionPacketHandle, _In_ BOOLEAN RemoveSignaledPacket ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) #if (PHNT_VERSION >= PHNT_WINDOWS_11) /** * The NtCopyFileChunk routine copies a contiguous range of bytes (a chunk) * from a source file to a destination file. The operation may be performed * synchronously or asynchronously depending on the file handles and flags. * * \param[in] SourceHandle Handle to the source file. The handle must be opened * with access that allows reading the specified range. * \param[in] DestinationHandle Handle to the destination file. The handle must * be opened with access that allows writing to the specified range. * \param[in] EventHandle Optional handle to an event object. If provided, * the event is set when the operation completes. May be NULL. * \param[out] IoStatusBlock Pointer to an IO_STATUS_BLOCK structure that * receives the final completion status and information about the operation. * \param[in] Length The number of bytes to copy. * \param[in] SourceOffset Pointer to a LARGE_INTEGER specifying the byte * offset in the source file at which copying begins. * \param[in] DestOffset Pointer to a LARGE_INTEGER specifying the byte * offset in the destination file at which copying begins. * \param[in] SourceKey Optional pointer to a source file key. May be NULL. * \param[in] DestKey Optional pointer to a destination file key. May be NULL. * \param[in] Flags Additional flags controlling copy semantics. * \return NTSTATUS Successful or errant status. * \remarks The exact meaning and required privileges for `Flags` and keys may * depend on the Windows version and file system. Consumers should * verify handle access rights and the platform's support for this call. */ NTSYSCALLAPI NTSTATUS NTAPI NtCopyFileChunk( _In_ HANDLE SourceHandle, _In_ HANDLE DestinationHandle, _In_opt_ HANDLE EventHandle, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Length, _In_ PLARGE_INTEGER SourceOffset, _In_ PLARGE_INTEGER DestOffset, _In_opt_ PULONG SourceKey, _In_opt_ PULONG DestKey, _In_ ULONG Flags ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_11) // // I/O Ring // #if (PHNT_VERSION >= PHNT_WINDOWS_11) NTSYSCALLAPI NTSTATUS NTAPI NtCreateIoRing( _Out_ PHANDLE IoRingHandle, _In_ ULONG CreateParametersLength, _In_ PVOID CreateParameters, _In_ ULONG OutputParametersLength, _Out_ PVOID OutputParameters ); NTSYSCALLAPI NTSTATUS NTAPI NtSubmitIoRing( _In_ HANDLE IoRingHandle, _In_ ULONG Flags, _In_opt_ ULONG WaitOperations, _In_opt_ PLARGE_INTEGER Timeout ); NTSYSCALLAPI NTSTATUS NTAPI NtQueryIoRingCapabilities( _In_ SIZE_T IoRingCapabilitiesLength, _Out_ PVOID IoRingCapabilities ); NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationIoRing( _In_ HANDLE IoRingHandle, _In_ ULONG IoRingInformationClass, _In_ ULONG IoRingInformationLength, _In_ PVOID IoRingInformation ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_11) // // Other types // typedef enum _INTERFACE_TYPE { InterfaceTypeUndefined = -1, Internal = 0, Isa = 1, Eisa = 2, MicroChannel = 3, TurboChannel = 4, PCIBus = 5, VMEBus = 6, NuBus = 7, PCMCIABus = 8, CBus = 9, MPIBus = 10, MPSABus = 11, ProcessorInternal = 12, InternalPowerBus = 13, PNPISABus = 14, PNPBus = 15, Vmcs = 16, ACPIBus = 17, MaximumInterfaceType } INTERFACE_TYPE, *PINTERFACE_TYPE; typedef enum _DMA_WIDTH { Width8Bits, Width16Bits, Width32Bits, Width64Bits, WidthNoWrap, MaximumDmaWidth } DMA_WIDTH, *PDMA_WIDTH; typedef enum _DMA_SPEED { Compatible, TypeA, TypeB, TypeC, TypeF, MaximumDmaSpeed } DMA_SPEED, *PDMA_SPEED; typedef enum _BUS_DATA_TYPE { ConfigurationSpaceUndefined = -1, Cmos, EisaConfiguration, Pos, CbusConfiguration, PCIConfiguration, VMEConfiguration, NuBusConfiguration, PCMCIAConfiguration, MPIConfiguration, MPSAConfiguration, PNPISAConfiguration, SgiInternalConfiguration, MaximumBusDataType } BUS_DATA_TYPE, *PBUS_DATA_TYPE; // Control structures // Reparse structure for FSCTL_SET_REPARSE_POINT, FSCTL_GET_REPARSE_POINT, FSCTL_DELETE_REPARSE_POINT #define SYMLINK_FLAG_RELATIVE 0x00000001 #define SYMLINK_DIRECTORY 0x80000000 // If set then this is a directory symlink #define SYMLINK_FILE 0x40000000 // If set then this is a file symlink typedef struct _REPARSE_DATA_BUFFER { ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved; _Field_size_bytes_(ReparseDataLength) union { struct { USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; ULONG Flags; WCHAR PathBuffer[1]; } SymbolicLinkReparseBuffer; struct { USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; WCHAR PathBuffer[1]; } MountPointReparseBuffer; struct { ULONG StringCount; WCHAR StringList[1]; } AppExecLinkReparseBuffer; struct { UCHAR DataBuffer[1]; } GenericReparseBuffer; }; } REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER; #define REPARSE_DATA_BUFFER_HEADER_SIZE UFIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer) // Reparse structure for FSCTL_SET_REPARSE_POINT_EX typedef struct _REPARSE_DATA_BUFFER_EX { ULONG Flags; // // This is the existing reparse tag on the file if any, if the // caller wants to replace the reparse tag too. // // - To set the reparse data along with the reparse tag that // could be different, pass the current reparse tag of the // file. // // - To update the reparse data while having the same reparse // tag, the caller should give the existing reparse tag in // this ExistingReparseTag field. // // - To set the reparse tag along with reparse data on a file // that doesn't have a reparse tag yet, set this to zero. // // If the ExistingReparseTag does not match the reparse tag on // the file, the FSCTL_SET_REPARSE_POINT_EX would fail with // STATUS_IO_REPARSE_TAG_MISMATCH. NOTE: If a file doesn't have // a reparse tag, ExistingReparseTag should be 0. // ULONG ExistingReparseTag; // For non-Microsoft reparse tags, this is the existing reparse // guid on the file if any, if the caller wants to replace the // reparse tag and / or guid along with the data. // // If ExistingReparseTag is 0, the file is not expected to have // any reparse tags, so ExistingReparseGuid is ignored. And for // non-Microsoft tags ExistingReparseGuid should match the guid // in the file if ExistingReparseTag is non zero. GUID ExistingReparseGuid; // // Reserved // ULONGLONG Reserved; // // Reparse data to set // union { REPARSE_DATA_BUFFER ReparseDataBuffer; REPARSE_GUID_DATA_BUFFER ReparseGuidDataBuffer; }; } REPARSE_DATA_BUFFER_EX, *PREPARSE_DATA_BUFFER_EX; // REPARSE_DATA_BUFFER_EX Flags // // REPARSE_DATA_EX_FLAG_GIVEN_TAG_OR_NONE - Forces the FSCTL to set the // reparse tag if the file has no tag or the tag on the file is same as // the one in ExistingReparseTag. NOTE: If the ExistingReparseTag is // not a Microsoft tag then the ExistingReparseGuid should match if the // file has the ExistingReparseTag. // #define REPARSE_DATA_EX_FLAG_GIVEN_TAG_OR_NONE (0x00000001) #define REPARSE_GUID_DATA_BUFFER_EX_HEADER_SIZE \ UFIELD_OFFSET(REPARSE_DATA_BUFFER_EX, ReparseGuidDataBuffer.GenericReparseBuffer) #define REPARSE_DATA_BUFFER_EX_HEADER_SIZE \ UFIELD_OFFSET(REPARSE_DATA_BUFFER_EX, ReparseDataBuffer.GenericReparseBuffer) // // Named pipe FS control definitions // #define DEVICE_NAMED_PIPE L"\\Device\\NamedPipe\\" #define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA) #define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_GET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 10, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_GET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 14, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_FLUSH CTL_CODE(FILE_DEVICE_NAMED_PIPE, 16, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_PIPE_DISABLE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 17, METHOD_BUFFERED, FILE_ANY_ACCESS) // since REDSTONE #define FSCTL_PIPE_SILO_ARRIVAL CTL_CODE(FILE_DEVICE_NAMED_PIPE, 18, METHOD_BUFFERED, FILE_WRITE_DATA) // since REDSTONE3 #define FSCTL_PIPE_CREATE_SYMLINK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 19, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // requires SeTcbPrivilege #define FSCTL_PIPE_DELETE_SYMLINK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 20, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) #define FSCTL_PIPE_QUERY_CLIENT_PROCESS_V2 CTL_CODE(FILE_DEVICE_NAMED_PIPE, 21, METHOD_BUFFERED, FILE_ANY_ACCESS) // since 19H1 #define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA) #define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA) // Flags for query event #define FILE_PIPE_READ_DATA 0x00000000 #define FILE_PIPE_WRITE_SPACE 0x00000001 // Input for FSCTL_PIPE_ASSIGN_EVENT typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER { HANDLE EventHandle; ULONG KeyValue; } FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER; // Output for FILE_PIPE_PEEK_BUFFER typedef struct _FILE_PIPE_PEEK_BUFFER { ULONG NamedPipeState; ULONG ReadDataAvailable; ULONG NumberOfMessages; ULONG MessageLength; _Field_size_bytes_(MessageLength) CHAR Data[1]; } FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER; // Output for FSCTL_PIPE_QUERY_EVENT typedef struct _FILE_PIPE_EVENT_BUFFER { ULONG NamedPipeState; ULONG EntryType; ULONG ByteCount; ULONG KeyValue; ULONG NumberRequests; } FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER; // Input for FSCTL_PIPE_WAIT typedef struct _FILE_PIPE_WAIT_FOR_BUFFER { LARGE_INTEGER Timeout; ULONG NameLength; BOOLEAN TimeoutSpecified; _Field_size_bytes_(NameLength) WCHAR Name[1]; } FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER; // Input for FSCTL_PIPE_SET_CLIENT_PROCESS, Output for FSCTL_PIPE_QUERY_CLIENT_PROCESS typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER { #if !defined(BUILD_WOW6432) PVOID ClientSession; PVOID ClientProcess; #else ULONGLONG ClientSession; ULONGLONG ClientProcess; #endif } FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER; // Control structure for FSCTL_PIPE_QUERY_CLIENT_PROCESS_V2 typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER_V2 { ULONGLONG ClientSession; #if !defined(BUILD_WOW6432) PVOID ClientProcess; #else ULONGLONG ClientProcess; #endif } FILE_PIPE_CLIENT_PROCESS_BUFFER_V2, *PFILE_PIPE_CLIENT_PROCESS_BUFFER_V2; #define FILE_PIPE_COMPUTER_NAME_LENGTH 15 // Input for FSCTL_PIPE_SET_CLIENT_PROCESS, Output for FSCTL_PIPE_QUERY_CLIENT_PROCESS typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER_EX { #if !defined(BUILD_WOW6432) PVOID ClientSession; PVOID ClientProcess; #else ULONGLONG ClientSession; ULONGLONG ClientProcess; #endif USHORT ClientComputerNameLength; // in bytes WCHAR ClientComputerBuffer[FILE_PIPE_COMPUTER_NAME_LENGTH + 1]; // null-terminated } FILE_PIPE_CLIENT_PROCESS_BUFFER_EX, *PFILE_PIPE_CLIENT_PROCESS_BUFFER_EX; // Control structure for FSCTL_PIPE_SILO_ARRIVAL typedef struct _FILE_PIPE_SILO_ARRIVAL_INPUT { HANDLE JobHandle; } FILE_PIPE_SILO_ARRIVAL_INPUT, *PFILE_PIPE_SILO_ARRIVAL_INPUT; // // Flags for create symlink // // // A global symlink will cause resolution of the symlink's target to occur in // the host silo (i.e. not in any current silo). For example, if there is a // symlink at \Device\Silos\37\Device\NamedPipe\symlink then the target will be // resolved as \Device\NamedPipe\target instead of \Device\Silos\37\Device\NamedPipe\target // #define FILE_PIPE_SYMLINK_FLAG_GLOBAL 0x1 // // A relative symlink will cause resolution of the symlink's target to occur relative // to the root of the named pipe file system. For example, if there is a symlink at // \Device\NamedPipe\symlink that has a target called "target", then the target will // be resolved as \Device\NamedPipe\target // #define FILE_PIPE_SYMLINK_FLAG_RELATIVE 0x2 #define FILE_PIPE_SYMLINK_VALID_FLAGS \ (FILE_PIPE_SYMLINK_FLAG_GLOBAL | FILE_PIPE_SYMLINK_FLAG_RELATIVE) // Control structure for FSCTL_PIPE_CREATE_SYMLINK typedef struct _FILE_PIPE_CREATE_SYMLINK_INPUT { USHORT NameOffset; USHORT NameLength; USHORT SubstituteNameOffset; USHORT SubstituteNameLength; ULONG Flags; } FILE_PIPE_CREATE_SYMLINK_INPUT, *PFILE_PIPE_CREATE_SYMLINK_INPUT; // Control structure for FSCTL_PIPE_DELETE_SYMLINK typedef struct _FILE_PIPE_DELETE_SYMLINK_INPUT { USHORT NameOffset; USHORT NameLength; } FILE_PIPE_DELETE_SYMLINK_INPUT, *PFILE_PIPE_DELETE_SYMLINK_INPUT; // Mailslot FS control definitions #define MAILSLOT_CLASS_FIRSTCLASS 1 #define MAILSLOT_CLASS_SECONDCLASS 2 #define FSCTL_MAILSLOT_PEEK CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA) // Output for FSCTL_MAILSLOT_PEEK typedef struct _FILE_MAILSLOT_PEEK_BUFFER { ULONG ReadDataAvailable; ULONG NumberOfMessages; ULONG MessageLength; } FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER; // // Mount manager FS control definitions // #define MOUNTMGR_DEVICE_NAME L"\\Device\\MountPointManager" #define MOUNTMGRCONTROLTYPE 0x0000006D // 'm' #define MOUNTDEVCONTROLTYPE 0x0000004D // 'M' #define IOCTL_MOUNTMGR_CREATE_POINT CTL_CODE(MOUNTMGRCONTROLTYPE, 0, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_DELETE_POINTS CTL_CODE(MOUNTMGRCONTROLTYPE, 1, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_QUERY_POINTS CTL_CODE(MOUNTMGRCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) #define IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY CTL_CODE(MOUNTMGRCONTROLTYPE, 3, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER CTL_CODE(MOUNTMGRCONTROLTYPE, 4, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_AUTO_DL_ASSIGNMENTS CTL_CODE(MOUNTMGRCONTROLTYPE, 5, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_CREATED CTL_CODE(MOUNTMGRCONTROLTYPE, 6, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_DELETED CTL_CODE(MOUNTMGRCONTROLTYPE, 7, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_CHANGE_NOTIFY CTL_CODE(MOUNTMGRCONTROLTYPE, 8, METHOD_BUFFERED, FILE_READ_ACCESS) #define IOCTL_MOUNTMGR_KEEP_LINKS_WHEN_OFFLINE CTL_CODE(MOUNTMGRCONTROLTYPE, 9, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_CHECK_UNPROCESSED_VOLUMES CTL_CODE(MOUNTMGRCONTROLTYPE, 10, METHOD_BUFFERED, FILE_READ_ACCESS) #define IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION CTL_CODE(MOUNTMGRCONTROLTYPE, 11, METHOD_BUFFERED, FILE_READ_ACCESS) #define IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH CTL_CODE(MOUNTMGRCONTROLTYPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) #define IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS CTL_CODE(MOUNTMGRCONTROLTYPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) #define IOCTL_MOUNTMGR_SCRUB_REGISTRY CTL_CODE(MOUNTMGRCONTROLTYPE, 14, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_QUERY_AUTO_MOUNT CTL_CODE(MOUNTMGRCONTROLTYPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) #define IOCTL_MOUNTMGR_SET_AUTO_MOUNT CTL_CODE(MOUNTMGRCONTROLTYPE, 16, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_BOOT_DL_ASSIGNMENT CTL_CODE(MOUNTMGRCONTROLTYPE, 17, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // since WIN7 #define IOCTL_MOUNTMGR_TRACELOG_CACHE CTL_CODE(MOUNTMGRCONTROLTYPE, 18, METHOD_BUFFERED, FILE_READ_ACCESS) #define IOCTL_MOUNTMGR_PREPARE_VOLUME_DELETE CTL_CODE(MOUNTMGRCONTROLTYPE, 19, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) #define IOCTL_MOUNTMGR_CANCEL_VOLUME_DELETE CTL_CODE(MOUNTMGRCONTROLTYPE, 20, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // since WIN8 #define IOCTL_MOUNTMGR_SILO_ARRIVAL CTL_CODE(MOUNTMGRCONTROLTYPE, 21, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // since RS1 #define IOCTL_MOUNTDEV_QUERY_DEVICE_NAME CTL_CODE(MOUNTDEVCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) // Input structure for IOCTL_MOUNTMGR_CREATE_POINT. typedef struct _MOUNTMGR_CREATE_POINT_INPUT { USHORT SymbolicLinkNameOffset; USHORT SymbolicLinkNameLength; USHORT DeviceNameOffset; USHORT DeviceNameLength; } MOUNTMGR_CREATE_POINT_INPUT, *PMOUNTMGR_CREATE_POINT_INPUT; // Input structure for IOCTL_MOUNTMGR_DELETE_POINTS, IOCTL_MOUNTMGR_QUERY_POINTS, and IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY. typedef struct _MOUNTMGR_MOUNT_POINT { ULONG SymbolicLinkNameOffset; USHORT SymbolicLinkNameLength; USHORT Reserved1; ULONG UniqueIdOffset; USHORT UniqueIdLength; USHORT Reserved2; ULONG DeviceNameOffset; USHORT DeviceNameLength; USHORT Reserved3; } MOUNTMGR_MOUNT_POINT, *PMOUNTMGR_MOUNT_POINT; // Output structure for IOCTL_MOUNTMGR_DELETE_POINTS, IOCTL_MOUNTMGR_QUERY_POINTS, and IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY. _Struct_size_bytes_(Size) typedef struct _MOUNTMGR_MOUNT_POINTS { ULONG Size; ULONG NumberOfMountPoints; _Field_size_(NumberOfMountPoints) MOUNTMGR_MOUNT_POINT MountPoints[1]; } MOUNTMGR_MOUNT_POINTS, *PMOUNTMGR_MOUNT_POINTS; // Input structure for IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER. typedef struct _MOUNTMGR_DRIVE_LETTER_TARGET { USHORT DeviceNameLength; _Field_size_bytes_(DeviceNameLength) WCHAR DeviceName[1]; } MOUNTMGR_DRIVE_LETTER_TARGET, *PMOUNTMGR_DRIVE_LETTER_TARGET; // Output structure for IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER. typedef struct _MOUNTMGR_DRIVE_LETTER_INFORMATION { BOOLEAN DriveLetterWasAssigned; UCHAR CurrentDriveLetter; } MOUNTMGR_DRIVE_LETTER_INFORMATION, *PMOUNTMGR_DRIVE_LETTER_INFORMATION; // Input structure for IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_CREATED and // IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_DELETED. typedef struct _MOUNTMGR_VOLUME_MOUNT_POINT { USHORT SourceVolumeNameOffset; USHORT SourceVolumeNameLength; USHORT TargetVolumeNameOffset; USHORT TargetVolumeNameLength; } MOUNTMGR_VOLUME_MOUNT_POINT, *PMOUNTMGR_VOLUME_MOUNT_POINT; // Input structure for IOCTL_MOUNTMGR_CHANGE_NOTIFY. // Output structure for IOCTL_MOUNTMGR_CHANGE_NOTIFY. typedef struct _MOUNTMGR_CHANGE_NOTIFY_INFO { ULONG EpicNumber; } MOUNTMGR_CHANGE_NOTIFY_INFO, *PMOUNTMGR_CHANGE_NOTIFY_INFO; // Input structure for IOCTL_MOUNTMGR_KEEP_LINKS_WHEN_OFFLINE, // IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION, // IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH, and // IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS. // IOCTL_MOUNTMGR_PREPARE_VOLUME_DELETE // IOCTL_MOUNTMGR_CANCEL_VOLUME_DELETE typedef struct _MOUNTMGR_TARGET_NAME { USHORT DeviceNameLength; _Field_size_bytes_(DeviceNameLength) WCHAR DeviceName[1]; } MOUNTMGR_TARGET_NAME, *PMOUNTMGR_TARGET_NAME; // Input / Output structure for querying / setting the auto-mount setting typedef enum _MOUNTMGR_AUTO_MOUNT_STATE { Disabled = 0, Enabled } MOUNTMGR_AUTO_MOUNT_STATE; // IOCTL_MOUNTMGR_QUERY_AUTO_MOUNT typedef struct _MOUNTMGR_QUERY_AUTO_MOUNT { MOUNTMGR_AUTO_MOUNT_STATE CurrentState; } MOUNTMGR_QUERY_AUTO_MOUNT, *PMOUNTMGR_QUERY_AUTO_MOUNT; // IOCTL_MOUNTMGR_SET_AUTO_MOUNT typedef struct _MOUNTMGR_SET_AUTO_MOUNT { MOUNTMGR_AUTO_MOUNT_STATE NewState; } MOUNTMGR_SET_AUTO_MOUNT, *PMOUNTMGR_SET_AUTO_MOUNT; // Input structure for IOCTL_MOUNTMGR_SILO_ARRIVAL. typedef struct _MOUNTMGR_SILO_ARRIVAL_INPUT { HANDLE JobHandle; } MOUNTMGR_SILO_ARRIVAL_INPUT, *PMOUNTMGR_SILO_ARRIVAL_INPUT; // Macro that defines what a "drive letter" mount point is. This macro can // be used to scan the result from QUERY_POINTS to discover which mount points // are find "drive letter" mount points. #define MOUNTMGR_IS_DRIVE_LETTER(s) ( \ (s)->Length == 28 && \ (s)->Buffer[0] == '\\' && \ (s)->Buffer[1] == 'D' && \ (s)->Buffer[2] == 'o' && \ (s)->Buffer[3] == 's' && \ (s)->Buffer[4] == 'D' && \ (s)->Buffer[5] == 'e' && \ (s)->Buffer[6] == 'v' && \ (s)->Buffer[7] == 'i' && \ (s)->Buffer[8] == 'c' && \ (s)->Buffer[9] == 'e' && \ (s)->Buffer[10] == 's' && \ (s)->Buffer[11] == '\\' && \ (s)->Buffer[12] >= 'A' && \ (s)->Buffer[12] <= 'Z' && \ (s)->Buffer[13] == ':') // Macro that defines what a "volume name" mount point is. This macro can // be used to scan the result from QUERY_POINTS to discover which mount points // are "volume name" mount points. #define MOUNTMGR_IS_VOLUME_NAME(s) ( \ ((s)->Length == 96 || ((s)->Length == 98 && (s)->Buffer[48] == '\\')) && \ (s)->Buffer[0] == '\\' && \ ((s)->Buffer[1] == '?' || (s)->Buffer[1] == '\\') && \ (s)->Buffer[2] == '?' && \ (s)->Buffer[3] == '\\' && \ (s)->Buffer[4] == 'V' && \ (s)->Buffer[5] == 'o' && \ (s)->Buffer[6] == 'l' && \ (s)->Buffer[7] == 'u' && \ (s)->Buffer[8] == 'm' && \ (s)->Buffer[9] == 'e' && \ (s)->Buffer[10] == '{' && \ (s)->Buffer[19] == '-' && \ (s)->Buffer[24] == '-' && \ (s)->Buffer[29] == '-' && \ (s)->Buffer[34] == '-' && \ (s)->Buffer[47] == '}') // Output structure for IOCTL_MOUNTDEV_QUERY_DEVICE_NAME. typedef struct _MOUNTDEV_NAME { USHORT NameLength; _Field_size_bytes_(NameLength) WCHAR Name[1]; } MOUNTDEV_NAME, *PMOUNTDEV_NAME; // Output structure for IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH and IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS. typedef struct _MOUNTMGR_VOLUME_PATHS { ULONG MultiSzLength; _Field_size_bytes_(MultiSzLength) WCHAR MultiSz[1]; } MOUNTMGR_VOLUME_PATHS, *PMOUNTMGR_VOLUME_PATHS; #define MOUNTMGR_IS_DOS_VOLUME_NAME(s) ( \ MOUNTMGR_IS_VOLUME_NAME(s) && \ (s)->Length == 96 && \ (s)->Buffer[1] == '\\') #define MOUNTMGR_IS_DOS_VOLUME_NAME_WB(s) ( \ MOUNTMGR_IS_VOLUME_NAME(s) && \ (s)->Length == 98 && \ (s)->Buffer[1] == '\\') #define MOUNTMGR_IS_NT_VOLUME_NAME(s) ( \ MOUNTMGR_IS_VOLUME_NAME(s) && \ (s)->Length == 96 && \ (s)->Buffer[1] == '?') #define MOUNTMGR_IS_NT_VOLUME_NAME_WB(s) ( \ MOUNTMGR_IS_VOLUME_NAME(s) && \ (s)->Length == 98 && \ (s)->Buffer[1] == '?') // // Filter manager // #define FLT_PORT_CONNECT 0x0001 #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) // rev #define FLT_SYMLINK_NAME L"\\Global??\\FltMgr" #define FLT_MSG_SYMLINK_NAME L"\\Global??\\FltMgrMsg" #define FLT_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgr" #define FLT_MSG_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgrMsg" // private typedef struct _FLT_CONNECT_CONTEXT { PUNICODE_STRING PortName; PUNICODE_STRING64 PortName64; USHORT SizeOfContext; UCHAR Padding[6]; // unused _Field_size_bytes_(SizeOfContext) UCHAR Context[ANYSIZE_ARRAY]; } FLT_CONNECT_CONTEXT, *PFLT_CONNECT_CONTEXT; // rev #define FLT_PORT_EA_NAME "FLTPORT" #define FLT_PORT_CONTEXT_MAX 0xFFE8 // combined FILE_FULL_EA_INFORMATION and FLT_CONNECT_CONTEXT typedef struct _FLT_PORT_FULL_EA { ULONG NextEntryOffset; // 0 UCHAR Flags; // 0 UCHAR EaNameLength; // sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL) USHORT EaValueLength; // RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) + SizeOfContext CHAR EaName[8]; // FLTPORT\0 FLT_CONNECT_CONTEXT EaValue; } FLT_PORT_FULL_EA, *PFLT_PORT_FULL_EA; #define FLT_PORT_FULL_EA_SIZE \ (sizeof(FILE_FULL_EA_INFORMATION) + (sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL))) #define FLT_PORT_FULL_EA_VALUE_SIZE \ RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) // begin_rev // IOCTLs for unlinked FltMgr handles #define FLT_CTL_LOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege #define FLT_CTL_UNLOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege #define FLT_CTL_LINK_HANDLE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_READ_ACCESS) // in: FLT_LINK // specializes the handle #define FLT_CTL_ATTACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_ATTACH #define FLT_CTL_DETACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_INSTANCE_PARAMETERS // IOCTLs for port-specific FltMgrMsg handles (opened using the extended attribute) #define FLT_CTL_SEND_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 6, METHOD_NEITHER, FILE_WRITE_ACCESS) // in, out: filter-specific #define FLT_CTL_GET_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 7, METHOD_NEITHER, FILE_READ_ACCESS) // out: filter-specific #define FLT_CTL_REPLY_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 8, METHOD_NEITHER, FILE_WRITE_ACCESS) // in: filter-specific // IOCTLs for linked FltMgr handles; depend on previously used FLT_LINK_TYPE // // Find first/next: // FILTER - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS // FILTER_VOLUME - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS // FILTER_MANAGER - enumerates all filters; in: FILTER_INFORMATION_CLASS // FILTER_MANAGER_VOLUME - enumerates all volumes; in: FILTER_VOLUME_INFORMATION_CLASS // // Get information: // FILTER - queries filter; in: FILTER_INFORMATION_CLASS // FILTER_INSTANCE - queries instance; in: INSTANCE_INFORMATION_CLASS // #define FLT_CTL_FIND_FIRST CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 9, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) #define FLT_CTL_FIND_NEXT CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) #define FLT_CTL_GET_INFORMATION CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) // end_rev // private typedef struct _FLT_LOAD_PARAMETERS { USHORT FilterNameSize; _Field_size_bytes_(FilterNameSize) WCHAR FilterName[ANYSIZE_ARRAY]; } FLT_LOAD_PARAMETERS, *PFLT_LOAD_PARAMETERS; // private typedef enum _FLT_LINK_TYPE { FILTER = 0, // FLT_FILTER_PARAMETERS FILTER_INSTANCE = 1, // FLT_INSTANCE_PARAMETERS FILTER_VOLUME = 2, // FLT_VOLUME_PARAMETERS FILTER_MANAGER = 3, // nothing FILTER_MANAGER_VOLUME = 4, // nothing } FLT_LINK_TYPE, *PFLT_LINK_TYPE; // private typedef struct _FLT_LINK { FLT_LINK_TYPE Type; ULONG ParametersOffset; // from this struct } FLT_LINK, *PFLT_LINK; // rev typedef struct _FLT_FILTER_PARAMETERS { USHORT FilterNameSize; USHORT FilterNameOffset; // to WCHAR[] from this struct } FLT_FILTER_PARAMETERS, *PFLT_FILTER_PARAMETERS; // private typedef struct _FLT_INSTANCE_PARAMETERS { USHORT FilterNameSize; USHORT FilterNameOffset; // to WCHAR[] from this struct USHORT VolumeNameSize; USHORT VolumeNameOffset; // to WCHAR[] from this struct USHORT InstanceNameSize; USHORT InstanceNameOffset; // to WCHAR[] from this struct } FLT_INSTANCE_PARAMETERS, *PFLT_INSTANCE_PARAMETERS; // rev typedef struct _FLT_VOLUME_PARAMETERS { USHORT VolumeNameSize; USHORT VolumeNameOffset; // to WCHAR[] from this struct } FLT_VOLUME_PARAMETERS, *PFLT_VOLUME_PARAMETERS; // private typedef enum _ATTACH_TYPE { AltitudeBased = 0, InstanceNameBased = 1, } ATTACH_TYPE, *PATTACH_TYPE; // private typedef struct _FLT_ATTACH { USHORT FilterNameSize; USHORT FilterNameOffset; // to WCHAR[] from this struct USHORT VolumeNameSize; USHORT VolumeNameOffset; // to WCHAR[] from this struct ATTACH_TYPE Type; USHORT InstanceNameSize; USHORT InstanceNameOffset; // to WCHAR[] from this struct USHORT AltitudeSize; USHORT AltitudeOffset; // to WCHAR[] from this struct } FLT_ATTACH, *PFLT_ATTACH; // // Multiple UNC Provider // // rev // FSCTLs for \Device\Mup #define FSCTL_MUP_GET_UNC_CACHE_INFO CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_CACHE_INFORMATION #define FSCTL_MUP_GET_UNC_PROVIDER_LIST CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_PROVIDER_INFORMATION #define FSCTL_MUP_GET_SURROGATE_PROVIDER_LIST CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION #define FSCTL_MUP_GET_UNC_HARDENING_CONFIGURATION CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 14, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY[] #define FSCTL_MUP_GET_UNC_HARDENING_CONFIGURATION_FOR_PATH CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN; out: MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT // private typedef struct _MUP_FSCTL_UNC_CACHE_ENTRY { ULONG TotalLength; ULONG UncNameOffset; // to WCHAR[] from this struct USHORT UncNameLength; // in bytes ULONG ProviderNameOffset; // to WCHAR[] from this struct USHORT ProviderNameLength; // in bytes ULONG SurrogateNameOffset; // to WCHAR[] from this struct USHORT SurrogateNameLength; // in bytes ULONG ProviderPriority; ULONG EntryTtl; WCHAR Strings[ANYSIZE_ARRAY]; } MUP_FSCTL_UNC_CACHE_ENTRY, *PMUP_FSCTL_UNC_CACHE_ENTRY; // private typedef struct _MUP_FSCTL_UNC_CACHE_INFORMATION { ULONG MaxCacheSize; ULONG CurrentCacheSize; ULONG EntryTimeout; ULONG TotalEntries; MUP_FSCTL_UNC_CACHE_ENTRY CacheEntry[ANYSIZE_ARRAY]; } MUP_FSCTL_UNC_CACHE_INFORMATION, *PMUP_FSCTL_UNC_CACHE_INFORMATION; // private typedef struct _MUP_FSCTL_UNC_PROVIDER_ENTRY { ULONG TotalLength; LONG ReferenceCount; ULONG ProviderPriority; ULONG ProviderState; ULONG ProviderId; USHORT ProviderNameLength; // in bytes WCHAR ProviderName[ANYSIZE_ARRAY]; } MUP_FSCTL_UNC_PROVIDER_ENTRY, *PMUP_FSCTL_UNC_PROVIDER_ENTRY; // private typedef struct _MUP_FSCTL_UNC_PROVIDER_INFORMATION { ULONG TotalEntries; MUP_FSCTL_UNC_PROVIDER_ENTRY ProviderEntry[ANYSIZE_ARRAY]; } MUP_FSCTL_UNC_PROVIDER_INFORMATION, *PMUP_FSCTL_UNC_PROVIDER_INFORMATION; // private typedef struct _MUP_FSCTL_SURROGATE_PROVIDER_ENTRY { ULONG TotalLength; LONG ReferenceCount; ULONG SurrogateType; ULONG SurrogateState; ULONG SurrogatePriority; USHORT SurrogateNameLength; // in bytes WCHAR SurrogateName[ANYSIZE_ARRAY]; } MUP_FSCTL_SURROGATE_PROVIDER_ENTRY, *PMUP_FSCTL_SURROGATE_PROVIDER_ENTRY; // private typedef struct _MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION { ULONG TotalEntries; MUP_FSCTL_SURROGATE_PROVIDER_ENTRY SurrogateEntry[ANYSIZE_ARRAY]; } MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION, *PMUP_FSCTL_SURROGATE_PROVIDER_INFORMATION; // private typedef struct _MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY { ULONG NextOffset; // from this struct ULONG PrefixNameOffset; // to WCHAR[] from this struct USHORT PrefixNameCbLength; // in bytes union { ULONG RequiredHardeningCapabilities; struct { ULONG RequiresMutualAuth : 1; ULONG RequiresIntegrity : 1; ULONG RequiresPrivacy : 1; }; }; ULONGLONG OpenCount; } MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY, *PMUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY; // private typedef struct _MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN { ULONG Size; ULONG UncPathOffset; // to WCHAR[] from this struct USHORT UncPathCbLength; // in bytes } MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN, *PMUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN; // private typedef struct _MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT { ULONG Size; union { ULONG RequiredHardeningCapabilities; struct { ULONG RequiresMutualAuth : 1; ULONG RequiresIntegrity : 1; ULONG RequiresPrivacy : 1; }; }; } MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT, *PMUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT; #if (PHNT_MODE != PHNT_MODE_KERNEL) // // Major Function Codes // #define IRP_MJ_CREATE 0x00 #define IRP_MJ_CREATE_NAMED_PIPE 0x01 #define IRP_MJ_CLOSE 0x02 #define IRP_MJ_READ 0x03 #define IRP_MJ_WRITE 0x04 #define IRP_MJ_QUERY_INFORMATION 0x05 #define IRP_MJ_SET_INFORMATION 0x06 #define IRP_MJ_QUERY_EA 0x07 #define IRP_MJ_SET_EA 0x08 #define IRP_MJ_FLUSH_BUFFERS 0x09 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b #define IRP_MJ_DIRECTORY_CONTROL 0x0c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d #define IRP_MJ_DEVICE_CONTROL 0x0e #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f #define IRP_MJ_SHUTDOWN 0x10 #define IRP_MJ_LOCK_CONTROL 0x11 #define IRP_MJ_CLEANUP 0x12 #define IRP_MJ_CREATE_MAILSLOT 0x13 #define IRP_MJ_QUERY_SECURITY 0x14 #define IRP_MJ_SET_SECURITY 0x15 #define IRP_MJ_POWER 0x16 #define IRP_MJ_SYSTEM_CONTROL 0x17 #define IRP_MJ_DEVICE_CHANGE 0x18 #define IRP_MJ_QUERY_QUOTA 0x19 #define IRP_MJ_SET_QUOTA 0x1a #define IRP_MJ_PNP 0x1b #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... #define IRP_MJ_MAXIMUM_FUNCTION 0x1b #define IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION ((UCHAR)-1) #define IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION ((UCHAR)-2) #define IRP_MJ_ACQUIRE_FOR_MOD_WRITE ((UCHAR)-3) #define IRP_MJ_RELEASE_FOR_MOD_WRITE ((UCHAR)-4) #define IRP_MJ_ACQUIRE_FOR_CC_FLUSH ((UCHAR)-5) #define IRP_MJ_RELEASE_FOR_CC_FLUSH ((UCHAR)-6) #define IRP_MJ_QUERY_OPEN ((UCHAR)-7) #define IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE ((UCHAR)-13) #define IRP_MJ_NETWORK_QUERY_OPEN ((UCHAR)-14) #define IRP_MJ_MDL_READ ((UCHAR)-15) #define IRP_MJ_MDL_READ_COMPLETE ((UCHAR)-16) #define IRP_MJ_PREPARE_MDL_WRITE ((UCHAR)-17) #define IRP_MJ_MDL_WRITE_COMPLETE ((UCHAR)-18) #define IRP_MJ_VOLUME_MOUNT ((UCHAR)-19) #define IRP_MJ_VOLUME_DISMOUNT ((UCHAR)-20) #define FLT_INTERNAL_OPERATION_COUNT 22 // // Minor Function Codes // #define IRP_MN_SCSI_CLASS 0x01 // PNP minor function codes #define IRP_MN_START_DEVICE 0x00 #define IRP_MN_QUERY_REMOVE_DEVICE 0x01 #define IRP_MN_REMOVE_DEVICE 0x02 #define IRP_MN_CANCEL_REMOVE_DEVICE 0x03 #define IRP_MN_STOP_DEVICE 0x04 #define IRP_MN_QUERY_STOP_DEVICE 0x05 #define IRP_MN_CANCEL_STOP_DEVICE 0x06 #define IRP_MN_QUERY_DEVICE_RELATIONS 0x07 #define IRP_MN_QUERY_INTERFACE 0x08 #define IRP_MN_QUERY_CAPABILITIES 0x09 #define IRP_MN_QUERY_RESOURCES 0x0A #define IRP_MN_QUERY_RESOURCE_REQUIREMENTS 0x0B #define IRP_MN_QUERY_DEVICE_TEXT 0x0C #define IRP_MN_FILTER_RESOURCE_REQUIREMENTS 0x0D #define IRP_MN_READ_CONFIG 0x0F #define IRP_MN_WRITE_CONFIG 0x10 #define IRP_MN_EJECT 0x11 #define IRP_MN_SET_LOCK 0x12 #define IRP_MN_QUERY_ID 0x13 #define IRP_MN_QUERY_PNP_DEVICE_STATE 0x14 #define IRP_MN_QUERY_BUS_INFORMATION 0x15 #define IRP_MN_DEVICE_USAGE_NOTIFICATION 0x16 #define IRP_MN_SURPRISE_REMOVAL 0x17 #define IRP_MN_DEVICE_ENUMERATED 0x19 // POWER minor function codes #define IRP_MN_WAIT_WAKE 0x00 #define IRP_MN_POWER_SEQUENCE 0x01 #define IRP_MN_SET_POWER 0x02 #define IRP_MN_QUERY_POWER 0x03 // WMI minor function codes under IRP_MJ_SYSTEM_CONTROL #define IRP_MN_QUERY_ALL_DATA 0x00 #define IRP_MN_QUERY_SINGLE_INSTANCE 0x01 #define IRP_MN_CHANGE_SINGLE_INSTANCE 0x02 #define IRP_MN_CHANGE_SINGLE_ITEM 0x03 #define IRP_MN_ENABLE_EVENTS 0x04 #define IRP_MN_DISABLE_EVENTS 0x05 #define IRP_MN_ENABLE_COLLECTION 0x06 #define IRP_MN_DISABLE_COLLECTION 0x07 #define IRP_MN_REGINFO 0x08 #define IRP_MN_EXECUTE_METHOD 0x09 // Minor code 0x0a is reserved #define IRP_MN_REGINFO_EX 0x0b // Minor code 0x0c is reserved // Minor code 0x0d is reserved // // Filter Manager Callback Data Flags // #define FLTFL_CALLBACK_DATA_REISSUE_MASK 0x0000FFFF #define FLTFL_CALLBACK_DATA_IRP_OPERATION 0x00000001 // Set for Irp operations #define FLTFL_CALLBACK_DATA_FAST_IO_OPERATION 0x00000002 // Set for Fast Io operations #define FLTFL_CALLBACK_DATA_FS_FILTER_OPERATION 0x00000004 // Set for Fs Filter operations #define FLTFL_CALLBACK_DATA_SYSTEM_BUFFER 0x00000008 // Set if the buffer passed in for the i/o was a system buffer #define FLTFL_CALLBACK_DATA_GENERATED_IO 0x00010000 // Set if this is I/O generated by a mini-filter #define FLTFL_CALLBACK_DATA_REISSUED_IO 0x00020000 // Set if this I/O was reissued #define FLTFL_CALLBACK_DATA_DRAINING_IO 0x00040000 // set if this operation is being drained. If set, #define FLTFL_CALLBACK_DATA_POST_OPERATION 0x00080000 // Set if this is a POST operation #define FLTFL_CALLBACK_DATA_NEW_SYSTEM_BUFFER 0x00100000 #define FLTFL_CALLBACK_DATA_DIRTY 0x80000000 // Set by caller if parameters were changed // // IRP Flags // #define IRP_NOCACHE 0x00000001 #define IRP_PAGING_IO 0x00000002 #define IRP_MOUNT_COMPLETION 0x00000002 #define IRP_SYNCHRONOUS_API 0x00000004 #define IRP_ASSOCIATED_IRP 0x00000008 #define IRP_BUFFERED_IO 0x00000010 #define IRP_DEALLOCATE_BUFFER 0x00000020 #define IRP_INPUT_OPERATION 0x00000040 #define IRP_SYNCHRONOUS_PAGING_IO 0x00000040 #define IRP_CREATE_OPERATION 0x00000080 #define IRP_READ_OPERATION 0x00000100 #define IRP_WRITE_OPERATION 0x00000200 #define IRP_CLOSE_OPERATION 0x00000400 #define IRP_DEFER_IO_COMPLETION 0x00000800 #define IRP_OB_QUERY_NAME 0x00001000 #define IRP_HOLD_DEVICE_QUEUE 0x00002000 #define IRP_UM_DRIVER_INITIATED_IO 0x00400000 // // File Object Flags // #define FO_FILE_OPEN 0x00000001 #define FO_SYNCHRONOUS_IO 0x00000002 #define FO_ALERTABLE_IO 0x00000004 #define FO_NO_INTERMEDIATE_BUFFERING 0x00000008 #define FO_WRITE_THROUGH 0x00000010 #define FO_SEQUENTIAL_ONLY 0x00000020 #define FO_CACHE_SUPPORTED 0x00000040 #define FO_NAMED_PIPE 0x00000080 #define FO_STREAM_FILE 0x00000100 #define FO_MAILSLOT 0x00000200 #define FO_GENERATE_AUDIT_ON_CLOSE 0x00000400 #define FO_QUEUE_IRP_TO_THREAD FO_GENERATE_AUDIT_ON_CLOSE #define FO_DIRECT_DEVICE_OPEN 0x00000800 #define FO_FILE_MODIFIED 0x00001000 #define FO_FILE_SIZE_CHANGED 0x00002000 #define FO_CLEANUP_COMPLETE 0x00004000 #define FO_TEMPORARY_FILE 0x00008000 #define FO_DELETE_ON_CLOSE 0x00010000 #define FO_OPENED_CASE_SENSITIVE 0x00020000 #define FO_HANDLE_CREATED 0x00040000 #define FO_FILE_FAST_IO_READ 0x00080000 #define FO_RANDOM_ACCESS 0x00100000 #define FO_FILE_OPEN_CANCELLED 0x00200000 #define FO_VOLUME_OPEN 0x00400000 #define FO_BYPASS_IO_ENABLED 0x00800000 //when set BYPASS IO is enabled on this handle #define FO_REMOTE_ORIGIN 0x01000000 #define FO_DISALLOW_EXCLUSIVE 0x02000000 #define FO_SKIP_COMPLETION_PORT FO_DISALLOW_EXCLUSIVE #define FO_SKIP_SET_EVENT 0x04000000 #define FO_SKIP_SET_FAST_IO 0x08000000 #define FO_INDIRECT_WAIT_OBJECT 0x10000000 #define FO_SECTION_MINSTORE_TREATMENT 0x20000000 // // Define stack location (IO_STACK_LOCATION) flags // #define SL_PENDING_RETURNED 0x01 #define SL_ERROR_RETURNED 0x02 #define SL_INVOKE_ON_CANCEL 0x20 #define SL_INVOKE_ON_SUCCESS 0x40 #define SL_INVOKE_ON_ERROR 0x80 // Create / Create Named Pipe (IRP_MJ_CREATE/IRP_MJ_CREATE_NAMED_PIPE) #define SL_FORCE_ACCESS_CHECK 0x01 #define SL_OPEN_PAGING_FILE 0x02 #define SL_OPEN_TARGET_DIRECTORY 0x04 #define SL_STOP_ON_SYMLINK 0x08 #define SL_IGNORE_READONLY_ATTRIBUTE 0x40 #define SL_CASE_SENSITIVE 0x80 // Read / Write (IRP_MJ_READ/IRP_MJ_WRITE) #define SL_KEY_SPECIFIED 0x01 #define SL_OVERRIDE_VERIFY_VOLUME 0x02 #define SL_WRITE_THROUGH 0x04 #define SL_FT_SEQUENTIAL_WRITE 0x08 #define SL_FORCE_DIRECT_WRITE 0x10 #define SL_REALTIME_STREAM 0x20 // valid only with optical media #define SL_PERSISTENT_MEMORY_FIXED_MAPPING 0x20 // valid only with persistent memory device and IRP_MJ_WRITE #define SL_BYPASS_IO 0x40 // IRP_MJ_FLUSH_BUFFERS #define SL_FORCE_ASYNCHRONOUS 0x01 // Device I/O Control #define SL_READ_ACCESS_GRANTED 0x01 #define SL_WRITE_ACCESS_GRANTED 0x04 // Gap for SL_OVERRIDE_VERIFY_VOLUME // Lock (IRP_MJ_LOCK_CONTROL) #define SL_FAIL_IMMEDIATELY 0x01 #define SL_EXCLUSIVE_LOCK 0x02 // QueryDirectory / QueryEa / QueryQuota (IRP_MJ_DIRECTORY_CONTROL/IRP_MJ_QUERY_EA/IRP_MJ_QUERY_QUOTA)) #define SL_RESTART_SCAN 0x01 #define SL_RETURN_SINGLE_ENTRY 0x02 #define SL_INDEX_SPECIFIED 0x04 #define SL_RETURN_ON_DISK_ENTRIES_ONLY 0x08 #define SL_NO_CURSOR_UPDATE 0x10 #define SL_QUERY_DIRECTORY_MASK 0x1b // NotifyDirectory (IRP_MJ_DIRECTORY_CONTROL) #define SL_WATCH_TREE 0x01 // FileSystemControl (IRP_MJ_FILE_SYSTEM_CONTROL) #define SL_ALLOW_RAW_MOUNT 0x01 // SetInformationFile (IRP_MJ_SET_INFORMATION) / QueryInformationFile #define SL_BYPASS_ACCESS_CHECK 0x01 #define SL_INFO_FORCE_ACCESS_CHECK 0x01 #define SL_INFO_IGNORE_READONLY_ATTRIBUTE 0x40 // same value as IO_IGNORE_READONLY_ATTRIBUTE // // Device Object (DO) flags // #define DO_VERIFY_VOLUME 0x00000002 #define DO_BUFFERED_IO 0x00000004 #define DO_EXCLUSIVE 0x00000008 #define DO_DIRECT_IO 0x00000010 #define DO_MAP_IO_BUFFER 0x00000020 #define DO_DEVICE_INITIALIZING 0x00000080 #define DO_SHUTDOWN_REGISTERED 0x00000800 #define DO_BUS_ENUMERATED_DEVICE 0x00001000 #define DO_POWER_PAGABLE 0x00002000 #define DO_POWER_INRUSH 0x00004000 #define DO_DEVICE_TO_BE_RESET 0x04000000 #define DO_DAX_VOLUME 0x10000000 // pub typedef enum _FS_FILTER_SECTION_SYNC_TYPE { SyncTypeOther = 0, SyncTypeCreateSection } FS_FILTER_SECTION_SYNC_TYPE, *PFS_FILTER_SECTION_SYNC_TYPE; //pub typedef enum _CREATE_FILE_TYPE { CreateFileTypeNone, CreateFileTypeNamedPipe, CreateFileTypeMailslot } CREATE_FILE_TYPE; // pub typedef struct _NAMED_PIPE_CREATE_PARAMETERS { ULONG NamedPipeType; ULONG ReadMode; ULONG CompletionMode; ULONG MaximumInstances; ULONG InboundQuota; ULONG OutboundQuota; LARGE_INTEGER DefaultTimeout; BOOLEAN TimeoutSpecified; } NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS; // pub typedef struct _MAILSLOT_CREATE_PARAMETERS { ULONG MailslotQuota; ULONG MaximumMessageSize; LARGE_INTEGER ReadTimeout; BOOLEAN TimeoutSpecified; } MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS; // pub typedef struct _OPLOCK_KEY_ECP_CONTEXT { GUID OplockKey; ULONG Reserved; } OPLOCK_KEY_ECP_CONTEXT, *POPLOCK_KEY_ECP_CONTEXT; // pub typedef struct _OPLOCK_KEY_CONTEXT { USHORT Version; // OPLOCK_KEY_VERSION_* USHORT Flags; // OPLOCK_KEY_FLAG_* GUID ParentOplockKey; GUID TargetOplockKey; ULONG Reserved; } OPLOCK_KEY_CONTEXT, *POPLOCK_KEY_CONTEXT; #define OPLOCK_KEY_VERSION_WIN7 0x0001 #define OPLOCK_KEY_VERSION_WIN8 0x0002 #define OPLOCK_KEY_FLAG_PARENT_KEY 0x0001 #define OPLOCK_KEY_FLAG_TARGET_KEY 0x0002 // pub #define SUPPORTED_FS_FEATURES_OFFLOAD_READ 0x00000001 #define SUPPORTED_FS_FEATURES_OFFLOAD_WRITE 0x00000002 #define SUPPORTED_FS_FEATURES_QUERY_OPEN 0x00000004 #define SUPPORTED_FS_FEATURES_BYPASS_IO 0x00000008 // WIN11 #define SUPPORTED_FS_FEATURES_VALID_MASK_V3 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \ SUPPORTED_FS_FEATURES_OFFLOAD_WRITE | \ SUPPORTED_FS_FEATURES_QUERY_OPEN | \ SUPPORTED_FS_FEATURES_BYPASS_IO) // WIN10-RS2 #define SUPPORTED_FS_FEATURES_VALID_MASK_V2 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \ SUPPORTED_FS_FEATURES_OFFLOAD_WRITE | \ SUPPORTED_FS_FEATURES_QUERY_OPEN) // WIN8 #define SUPPORTED_FS_FEATURES_VALID_MASK_V1 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \ SUPPORTED_FS_FEATURES_OFFLOAD_WRITE) #define SUPPORTED_FS_FEATURES_VALID_MASK SUPPORTED_FS_FEATURES_VALID_MASK_V3 #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #endif // _NTIOAPI_H ================================================ FILE: phnt/include/ntkeapi.h ================================================ /* * Kernel executive support library * * This file is part of System Informer. */ #ifndef _NTKEAPI_H #define _NTKEAPI_H #if (PHNT_MODE != PHNT_MODE_KERNEL) #define LOW_PRIORITY 0 // Lowest thread priority level #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level #define HIGH_PRIORITY 31 // Highest thread priority level #define MAXIMUM_PRIORITY 32 // Number of thread priority levels #endif // (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _KTHREAD_STATE { Initialized, Ready, Running, Standby, Terminated, Waiting, Transition, DeferredReady, GateWaitObsolete, WaitingForProcessInSwap, MaximumThreadState } KTHREAD_STATE, *PKTHREAD_STATE; // private typedef enum _KHETERO_CPU_POLICY { KHeteroCpuPolicyAll = 0, KHeteroCpuPolicyLarge = 1, KHeteroCpuPolicyLargeOrIdle = 2, KHeteroCpuPolicySmall = 3, KHeteroCpuPolicySmallOrIdle = 4, KHeteroCpuPolicyDynamic = 5, KHeteroCpuPolicyStaticMax = 5, // valid KHeteroCpuPolicyBiasedSmall = 6, KHeteroCpuPolicyBiasedLarge = 7, KHeteroCpuPolicyDefault = 8, KHeteroCpuPolicyMax = 9 } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * KWAIT_REASON identifies the reasons for context switches or the current waiting state. */ typedef enum _KWAIT_REASON { Executive, // Waiting for an executive event. FreePage, // Waiting for a free page. PageIn, // Waiting for a page to be read in. PoolAllocation, // Waiting for a pool allocation. DelayExecution, // Waiting due to a delay execution. // NtDelayExecution Suspended, // Waiting because the thread is suspended. // NtSuspendThread UserRequest, // Waiting due to a user request. // NtWaitForSingleObject WrExecutive, // Waiting for an executive event. WrFreePage, // Waiting for a free page. WrPageIn, // Waiting for a page to be read in. WrPoolAllocation, // Waiting for a pool allocation. // 10 WrDelayExecution, // Waiting due to a delay execution. WrSuspended, // Waiting because the thread is suspended. WrUserRequest, // Waiting due to a user request. WrEventPair, // Waiting for an event pair. // NtCreateEventPair WrQueue, // Waiting for a queue. // NtRemoveIoCompletion WrLpcReceive, // Waiting for an LPC receive. // NtReplyWaitReceivePort WrLpcReply, // Waiting for an LPC reply. // NtRequestWaitReplyPort WrVirtualMemory, // Waiting for virtual memory. WrPageOut, // Waiting for a page to be written out. // NtFlushVirtualMemory WrRendezvous, // Waiting for a rendezvous. // 20 WrKeyedEvent, // Waiting for a keyed event. // NtCreateKeyedEvent WrTerminated, // Waiting for thread termination. WrProcessInSwap, // Waiting for a process to be swapped in. WrCpuRateControl, // Waiting for CPU rate control. WrCalloutStack, // Waiting for a callout stack. WrKernel, // Waiting for a kernel event. WrResource, // Waiting for a resource. WrPushLock, // Waiting for a push lock. WrMutex, // Waiting for a mutex. WrQuantumEnd, // Waiting for the end of a quantum. // 30 WrDispatchInt, // Waiting for a dispatch interrupt. WrPreempted, // Waiting because the thread was preempted. WrYieldExecution, // Waiting to yield execution. WrFastMutex, // Waiting for a fast mutex. WrGuardedMutex, // Waiting for a guarded mutex. WrRundown, // Waiting for a rundown. WrAlertByThreadId, // Waiting for an alert by thread ID. WrDeferredPreempt, // Waiting for a deferred preemption. WrPhysicalFault, // Waiting for a physical fault. WrIoRing, // Waiting for an I/O ring. // 40 WrMdlCache, // Waiting for an MDL cache. WrRcu, // Waiting for read-copy-update (RCU) synchronization. MaximumWaitReason } KWAIT_REASON, *PKWAIT_REASON; typedef enum _KPROFILE_SOURCE { ProfileTime, ProfileAlignmentFixup, ProfileTotalIssues, ProfilePipelineDry, ProfileLoadInstructions, ProfilePipelineFrozen, ProfileBranchInstructions, ProfileTotalNonissues, ProfileDcacheMisses, ProfileIcacheMisses, ProfileCacheMisses, ProfileBranchMispredictions, ProfileStoreInstructions, ProfileFpInstructions, ProfileIntegerInstructions, Profile2Issue, Profile3Issue, Profile4Issue, ProfileSpecialInstructions, ProfileTotalCycles, ProfileIcacheIssues, ProfileDcacheAccesses, ProfileMemoryBarrierCycles, ProfileLoadLinkedIssues, ProfileMaximum } KPROFILE_SOURCE; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI NTSTATUS NTAPI NtCallbackReturn( _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, _In_ ULONG OutputLength, _In_ NTSTATUS Status ); NTSYSCALLAPI NTSTATUS NTAPI NtQueryDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level ); NTSYSCALLAPI NTSTATUS NTAPI NtSetDebugFilterState( _In_ ULONG ComponentId, _In_ ULONG Level, _In_ BOOLEAN State ); NTSYSCALLAPI NTSTATUS NTAPI NtYieldExecution( VOID ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #endif // _NTKEAPI_H ================================================ FILE: phnt/include/ntldr.h ================================================ /* * Loader support functions * * This file is part of System Informer. */ #ifndef _NTLDR_H #define _NTLDR_H typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT; typedef struct _LDRP_LOAD_CONTEXT *PLDRP_LOAD_CONTEXT; // // DLLs // typedef _Function_class_(DLL_INIT_ROUTINE) BOOLEAN NTAPI DLL_INIT_ROUTINE( _In_ PVOID DllHandle, _In_ ULONG Reason, _In_opt_ PVOID Context ); typedef DLL_INIT_ROUTINE* PDLL_INIT_ROUTINE; // private typedef struct _LDR_SERVICE_TAG_RECORD { struct _LDR_SERVICE_TAG_RECORD *Next; ULONG ServiceTag; } LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD; // private typedef struct _LDRP_CSLIST { PSINGLE_LIST_ENTRY Tail; } LDRP_CSLIST, *PLDRP_CSLIST; // private typedef enum _LDR_DDAG_STATE { LdrModulesMerged = -5, LdrModulesInitError = -4, LdrModulesSnapError = -3, LdrModulesUnloaded = -2, LdrModulesUnloading = -1, LdrModulesPlaceHolder = 0, LdrModulesMapping = 1, LdrModulesMapped = 2, LdrModulesWaitingForDependencies = 3, LdrModulesSnapping = 4, LdrModulesSnapped = 5, LdrModulesCondensed = 6, LdrModulesReadyToInit = 7, LdrModulesInitializing = 8, LdrModulesReadyToRun = 9 } LDR_DDAG_STATE; // private typedef struct _LDR_DDAG_NODE { LIST_ENTRY Modules; PLDR_SERVICE_TAG_RECORD ServiceTagList; ULONG LoadCount; ULONG LoadWhileUnloadingCount; // ReferenceCount before WIN10 ULONG LowestLink; // DependencyCount before WIN10 union { LDRP_CSLIST Dependencies; SINGLE_LIST_ENTRY RemovalLink; }; LDRP_CSLIST IncomingDependencies; LDR_DDAG_STATE State; SINGLE_LIST_ENTRY CondenseLink; ULONG PreorderNumber; } LDR_DDAG_NODE, *PLDR_DDAG_NODE; // private typedef struct _LDRP_DEPENDENCY { SINGLE_LIST_ENTRY Link; PLDR_DDAG_NODE ChildNode; SINGLE_LIST_ENTRY BackLink; union { PLDR_DDAG_NODE ParentNode; struct { ULONG ForwarderLink : 1; ULONG SpareFlags : 2; }; }; } LDRP_DEPENDENCY, *PLDRP_DEPENDENCY; // LoadReason typedef enum _LDR_DLL_LOAD_REASON { LoadReasonUnknown = -1, LoadReasonStaticDependency = 0, LoadReasonStaticForwarderDependency = 1, LoadReasonDynamicForwarderDependency = 2, LoadReasonDelayloadDependency = 3, LoadReasonDynamicLoad = 4, LoadReasonAsImageLoad = 5, LoadReasonAsDataLoad = 6, LoadReasonEnclavePrimary = 7, // since REDSTONE3 LoadReasonEnclaveDependency = 8, LoadReasonPatchImage = 9, // since WIN11 } LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON; // HotPatchState typedef enum _LDR_HOT_PATCH_STATE { LdrHotPatchBaseImage, LdrHotPatchNotApplied, LdrHotPatchAppliedReverse, LdrHotPatchAppliedForward, LdrHotPatchFailedToPatch, LdrHotPatchStateMax, } LDR_HOT_PATCH_STATE, *PLDR_HOT_PATCH_STATE; // LDR_DATA_TABLE_ENTRY->Flags #define LDRP_PACKAGED_BINARY 0x00000001 #define LDRP_MARKED_FOR_REMOVAL 0x00000002 #define LDRP_IMAGE_DLL 0x00000004 #define LDRP_LOAD_NOTIFICATIONS_SENT 0x00000008 #define LDRP_TELEMETRY_ENTRY_PROCESSED 0x00000010 #define LDRP_PROCESS_STATIC_IMPORT 0x00000020 #define LDRP_IN_LEGACY_LISTS 0x00000040 #define LDRP_IN_INDEXES 0x00000080 #define LDRP_SHIM_DLL 0x00000100 #define LDRP_IN_EXCEPTION_TABLE 0x00000200 #define LDRP_VERIFIER_PROVIDER 0x00000400 // reserved before WIN11 24H2 #define LDRP_SHIM_ENGINE_CALLOUT_SENT 0x00000800 // reserved before WIN11 24H2 #define LDRP_LOAD_IN_PROGRESS 0x00001000 #define LDRP_LOAD_CONFIG_PROCESSED 0x00002000 // reserved before WIN10 #define LDRP_ENTRY_PROCESSED 0x00004000 #define LDRP_PROTECT_DELAY_LOAD 0x00008000 // reserved before WINBLUE #define LDRP_AUX_IAT_COPY_PRIVATE 0x00010000 // reserved before WIN11 24H2 #define LDRP_DONT_CALL_FOR_THREADS 0x00040000 #define LDRP_PROCESS_ATTACH_CALLED 0x00080000 #define LDRP_PROCESS_ATTACH_FAILED 0x00100000 #define LDRP_SCP_IN_EXCEPTION_TABLE 0x00200000 // LDRP_COR_DEFERRED_VALIDATE before WIN11 24H2 #define LDRP_COR_IMAGE 0x00400000 #define LDRP_DONT_RELOCATE 0x00800000 #define LDRP_COR_IL_ONLY 0x01000000 #define LDRP_CHPE_IMAGE 0x02000000 // reserved before REDSTONE4 #define LDRP_CHPE_EMULATOR_IMAGE 0x04000000 // reserved before WIN11 #define LDRP_REDIRECTED 0x10000000 #define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN10 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, SigningLevel) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN11 sizeof(LDR_DATA_TABLE_ENTRY) // symbols typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; // PDLL_INIT_ROUTINE ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; union { UCHAR FlagGroup[4]; ULONG Flags; struct { ULONG PackagedBinary : 1; ULONG MarkedForRemoval : 1; ULONG ImageDll : 1; ULONG LoadNotificationsSent : 1; ULONG TelemetryEntryProcessed : 1; ULONG ProcessStaticImport : 1; ULONG InLegacyLists : 1; ULONG InIndexes : 1; ULONG ShimDll : 1; ULONG InExceptionTable : 1; ULONG VerifierProvider : 1; // 24H2 ULONG ShimEngineCalloutSent : 1; // 24H2 ULONG LoadInProgress : 1; ULONG LoadConfigProcessed : 1; // WIN10 ULONG EntryProcessed : 1; ULONG ProtectDelayLoad : 1; // WINBLUE ULONG AuxIatCopyPrivate : 1; // 24H2 ULONG ReservedFlags3 : 1; ULONG DontCallForThreads : 1; ULONG ProcessAttachCalled : 1; ULONG ProcessAttachFailed : 1; ULONG ScpInExceptionTable : 1; // CorDeferredValidate before 24H2 ULONG CorImage : 1; ULONG DontRelocate : 1; ULONG CorILOnly : 1; ULONG ChpeImage : 1; // RS4 ULONG ChpeEmulatorImage : 1; // WIN11 ULONG ReservedFlags5 : 1; ULONG Redirected : 1; ULONG ReservedFlags6 : 2; ULONG CompatDatabaseProcessed : 1; }; }; USHORT ObsoleteLoadCount; USHORT TlsIndex; LIST_ENTRY HashLinks; ULONG TimeDateStamp; PACTIVATION_CONTEXT EntryPointActivationContext; PVOID Lock; // RtlAcquireSRWLockExclusive PLDR_DDAG_NODE DdagNode; LIST_ENTRY NodeModuleLink; PLDRP_LOAD_CONTEXT LoadContext; PVOID ParentDllBase; PVOID SwitchBackContext; RTL_BALANCED_NODE BaseAddressIndexNode; RTL_BALANCED_NODE MappingInfoIndexNode; PVOID OriginalBase; LARGE_INTEGER LoadTime; ULONG BaseNameHashValue; LDR_DLL_LOAD_REASON LoadReason; ULONG ImplicitPathOptions; // since WINBLUE ULONG ReferenceCount; // since WIN10 ULONG DependentLoadFlags; // since RS1 UCHAR SigningLevel; // since RS2 ULONG CheckSum; // since WIN11 PVOID ActivePatchImageBase; LDR_HOT_PATCH_STATE HotPatchState; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; typedef const LDR_DATA_TABLE_ENTRY* PCLDR_DATA_TABLE_ENTRY; #define LDR_IS_DATAFILE(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)1) #define LDR_IS_IMAGEMAPPING(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)2) #define LDR_IS_RESOURCE(DllHandle) (LDR_IS_IMAGEMAPPING(DllHandle) || LDR_IS_DATAFILE(DllHandle)) #define LDR_MAPPEDVIEW_TO_DATAFILE(BaseAddress) ((PVOID)(((ULONG_PTR)(BaseAddress)) | (ULONG_PTR)1)) #define LDR_MAPPEDVIEW_TO_IMAGEMAPPING(BaseAddress) ((PVOID)(((ULONG_PTR)(BaseAddress)) | (ULONG_PTR)2)) #define LDR_DATAFILE_TO_MAPPEDVIEW(DllHandle) ((PVOID)(((ULONG_PTR)(DllHandle)) & ~(ULONG_PTR)1)) #define LDR_IMAGEMAPPING_TO_MAPPEDVIEW(DllHandle) ((PVOID)(((ULONG_PTR)(DllHandle)) & ~(ULONG_PTR)2)) #if (PHNT_MODE != PHNT_MODE_KERNEL) // rev LdrLoadDll DllCharacteristics #define LDR_DONT_RESOLVE_DLL_REFERENCES 0x00000002 // IMAGE_FILE_EXECUTABLE_IMAGE maps to DONT_RESOLVE_DLL_REFERENCES #define LDR_PACKAGED_LIBRARY 0x00000004 // LOAD_PACKAGED_LIBRARY #define LDR_REQUIRE_SIGNED_TARGET 0x00800000 // maps to LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (requires /INTEGRITYCHECK) #define LDR_OS_INTEGRITY_CONTINUITY 0x80000000 // maps to LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY // since REDSTONE2 // rev LdrLoadDll DllPath #define LDR_PATH_IS_FLAGS 0x00000001 #define LDR_PATH_VALID_FLAGS 0x00007F08 #define LDR_PATH_WITH_ALTERED_SEARCH_PATH 0x00000008 // LOAD_WITH_ALTERED_SEARCH_PATH #define LDR_PATH_SEARCH_DLL_LOAD_DIR 0x00000100 // LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR #define LDR_PATH_SEARCH_APPLICATION_DIR 0x00000200 // LOAD_LIBRARY_SEARCH_APPLICATION_DIR #define LDR_PATH_SEARCH_USER_DIRS 0x00000400 // LOAD_LIBRARY_SEARCH_USER_DIRS #define LDR_PATH_SEARCH_SYSTEM32 0x00000800 // LOAD_LIBRARY_SEARCH_SYSTEM32 #define LDR_PATH_SEARCH_DEFAULT_DIRS 0x00001000 // LOAD_LIBRARY_SEARCH_DEFAULT_DIRS #define LDR_PATH_SAFE_CURRENT_DIRS 0x00002000 // LOAD_LIBRARY_SAFE_CURRENT_DIRS // since REDSTONE1 #define LDR_PATH_SEARCH_SYSTEM32_NO_FORWARDER 0x00004000 // LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER // since REDSTONE1 /** * The LdrLoadDll routine loads the specified DLL into the address space of the calling process. * * \param DllPath A pointer to a Unicode string specifying the search path for the DLL or a combination of LDR_PATH_* flags. If NULL, the default search order is used. * \param DllCharacteristics A pointer to a variable specifying DLL characteristics. * \param DllName A pointer to a UNICODE_STRING structure containing the name of the DLL to load. * \param DllHandle A pointer that receives the handle to module on success. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexw */ NTSYSAPI NTSTATUS NTAPI LdrLoadDll( _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, _Out_ PVOID *DllHandle ); /** * The LdrUnloadDll routine unloads the specified DLL from the address space of the calling process. * * \param DllHandle A handle to the DLL module to unload, as returned by LdrLoadDll. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-freelibrary */ NTSYSAPI NTSTATUS NTAPI LdrUnloadDll( _In_ PVOID DllHandle ); /** * The LdrGetDllHandle routine retrieves a handle to a module that is already loaded in the calling process. * * \param DllPath A pointer to a Unicode string specifying the search path for the DLL or a combination of LDR_PATH_* flags. If NULL, the default search order is used. * \param DllCharacteristics A pointer to a variable specifying DLL characteristics. Can be NULL. * \param DllName A pointer to a UNICODE_STRING structure containing the name of the DLL to find. * \param DllHandle A pointer that receives the handle to the loaded DLL module on success. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandleexw */ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandle( _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, _Out_ PVOID *DllHandle ); // LdrGetDllHandleEx Flags #define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 #define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 /** * The LdrGetDllHandleEx routine retrieves a handle to a module that is already loaded in the calling process, with extended control over reference counting. * * \param Flags A combination of flags that control behavior: * - LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT: Do not modify the module's reference count. * - LDR_GET_DLL_HANDLE_EX_PIN: Pin the module so it cannot be unloaded for the lifetime of the process. * \param DllPath An optional semicolon-separated search path used to resolve DllName if needed. If NULL, the default module lookup is used. * \param DllCharacteristics Optional pointer to the DLL characteristics (same values accepted by LdrLoadDll). Typically NULL for lookups. * \param DllName The Unicode name of the module to find. Can be a base name (e.g., "ntdll.dll") or a fully-qualified path. * \param DllHandle Receives the module handle on success. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleEx( _In_ ULONG Flags, _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, _Out_ PVOID *DllHandle ); // rev /** * The LdrGetDllHandleByMapping routine retrieves a module handle for an image that is already loaded in the calling process, identified by base address. * * \param BaseAddress The base address of a mapped image (image or datafile view). * \param DllHandle Receives the module handle corresponding to the base address. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByMapping( _In_ PVOID BaseAddress, _Out_ PVOID *DllHandle ); // rev /** * The LdrGetDllHandleByName routine retrieves a module handle by base name and/or full path for a DLL already loaded in the calling process. * * \param BaseDllName Optional base file name (e.g., "kernel32.dll"). Note: Matching is case-insensitive. * \param FullDllName Optional fully-qualified path of the module. Note: Matching is case-insensitive. * \param DllHandle Receives the module handle on success. * \return NTSTATUS Successful or errant status. * \remarks At least one of BaseDllName or FullDllName must be supplied. If both are supplied, they must refer to the same module. */ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByName( _In_opt_ PCUNICODE_STRING BaseDllName, _In_opt_ PCUNICODE_STRING FullDllName, _Out_ PVOID *DllHandle ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) // rev NTSYSAPI NTSTATUS NTAPI LdrGetDllFullName( _In_opt_ PVOID DllHandle, _Out_ PUNICODE_STRING FullDllName ); // rev NTSYSAPI NTSTATUS NTAPI LdrGetDllPath( _In_ PCWSTR DllName, _In_ ULONG Flags, // LOAD_LIBRARY_SEARCH_* _Out_ PWSTR* DllPath, _Out_ PWSTR* SearchPaths ); // rev /** * The LdrGetDllDirectory routine retrieves the application-specific portion of the search path used to locate DLLs for the application. * * \param PathName A pointer to a buffer that receives the application-specific portion of the search path. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getdlldirectoryw */ NTSYSAPI NTSTATUS NTAPI LdrGetDllDirectory( _Out_ PUNICODE_STRING PathName ); // rev /** * The LdrSetDllDirectory routine adds a directory to the search path used to locate DLLs for the application. * * \param PathName The directory to be added to the search path. If this parameter is NULL, the function restores the default search order. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setdlldirectoryw */ NTSYSAPI NTSTATUS NTAPI LdrSetDllDirectory( _In_ PCUNICODE_STRING PathName ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) #define LDR_ADDREF_DLL_PIN 0x00000001 NTSYSAPI NTSTATUS NTAPI LdrAddRefDll( _In_ ULONG Flags, _In_ PVOID DllHandle ); NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddress( _In_ PVOID DllHandle, _In_opt_ PCANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID *ProcedureAddress ); // rev #define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001 // private NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddressEx( _In_ PVOID DllHandle, _In_opt_ PCANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID *ProcedureAddress, _In_ ULONG Flags // LDR_GET_PROCEDURE_ADDRESS_* ); NTSYSAPI NTSTATUS NTAPI LdrGetKnownDllSectionHandle( _In_ PCWSTR DllName, _In_ BOOLEAN KnownDlls32, _Out_ PHANDLE SectionHandle ); #if (PHNT_VERSION >= PHNT_WINDOWS_10) // rev NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddressForCaller( _In_ PVOID DllHandle, _In_opt_ PCANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID *ProcedureAddress, _In_ ULONG Flags, // LDR_GET_PROCEDURE_ADDRESS_* _In_ PVOID CallerAddress ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) #define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 #define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2 NTSYSAPI NTSTATUS NTAPI LdrLockLoaderLock( _In_ ULONG Flags, _Out_opt_ PULONG Disposition, _Out_ PVOID *Cookie ); #define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 NTSYSAPI NTSTATUS NTAPI LdrUnlockLoaderLock( _In_ ULONG Flags, _In_ PVOID Cookie ); // private _Must_inspect_result_ _Maybenull_ NTSYSAPI PIMAGE_BASE_RELOCATION NTAPI LdrProcessRelocationBlock( _In_ ULONG_PTR VA, _In_ ULONG SizeOfBlock, _In_ PUSHORT NextOffset, _In_ LONG_PTR Diff ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) // private _Must_inspect_result_ _Maybenull_ NTSYSAPI PIMAGE_BASE_RELOCATION NTAPI LdrProcessRelocationBlockEx( _In_ ULONG Machine, // IMAGE_FILE_MACHINE_AMD64|IMAGE_FILE_MACHINE_ARM|IMAGE_FILE_MACHINE_THUMB|IMAGE_FILE_MACHINE_ARMNT _In_ ULONG_PTR VA, _In_ ULONG SizeOfBlock, _In_ PUSHORT NextOffset, _In_ LONG_PTR Diff ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) typedef _Function_class_(LDR_IMPORT_MODULE_CALLBACK) VOID NTAPI LDR_IMPORT_MODULE_CALLBACK( _In_ PVOID Parameter, _In_ PCSTR ModuleName ); typedef LDR_IMPORT_MODULE_CALLBACK* PLDR_IMPORT_MODULE_CALLBACK; // private NTSYSAPI NTSTATUS NTAPI LdrVerifyImageMatchesChecksum( _In_ HANDLE ImageFileHandle, _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine, _In_ PVOID ImportCallbackParameter, _Out_opt_ PUSHORT ImageCharacteristics ); // private typedef struct _LDR_IMPORT_CALLBACK_INFO { PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine; PVOID ImportCallbackParameter; } LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO; // private typedef struct _LDR_SECTION_INFO { HANDLE SectionHandle; ACCESS_MASK DesiredAccess; POBJECT_ATTRIBUTES ObjA; ULONG SectionPageProtection; ULONG AllocationAttributes; } LDR_SECTION_INFO, *PLDR_SECTION_INFO; // rev #define LDR_VERIFY_IMAGE_FLAG_USE_CALLBACK 0x01 #define LDR_VERIFY_IMAGE_FLAG_USE_SECTION_INFO 0x02 #define LDR_VERIFY_IMAGE_FLAG_RETURN_IMAGE_CHARACTERISTICS 0x04 // private typedef struct _LDR_VERIFY_IMAGE_INFO { ULONG Size; ULONG Flags; // LDR_VERIFY_IMAGE_FLAG_* LDR_IMPORT_CALLBACK_INFO CallbackInfo; LDR_SECTION_INFO SectionInfo; USHORT ImageCharacteristics; } LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO; // private NTSYSAPI NTSTATUS NTAPI LdrVerifyImageMatchesChecksumEx( _In_ HANDLE ImageFileHandle, _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo ); // private NTSYSAPI NTSTATUS NTAPI LdrQueryModuleServiceTags( _In_ PVOID DllHandle, _Out_writes_(*BufferSize) PULONG ServiceTagBuffer, _Inout_ PULONG BufferSize ); // begin_msdn:"DLL Load Notification" #define LDR_DLL_NOTIFICATION_REASON_LOADED 1 #define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { ULONG Flags; PUNICODE_STRING FullDllName; PUNICODE_STRING BaseDllName; PVOID DllBase; ULONG SizeOfImage; } LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA; typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA { ULONG Flags; PCUNICODE_STRING FullDllName; PCUNICODE_STRING BaseDllName; PVOID DllBase; ULONG SizeOfImage; } LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA; typedef union _LDR_DLL_NOTIFICATION_DATA { LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; } LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA; typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA; typedef _Function_class_(LDR_DLL_NOTIFICATION_FUNCTION) VOID NTAPI LDR_DLL_NOTIFICATION_FUNCTION( _In_ ULONG NotificationReason, _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData, _In_opt_ PVOID Context ); typedef LDR_DLL_NOTIFICATION_FUNCTION* PLDR_DLL_NOTIFICATION_FUNCTION; /** * Registers for notification when a DLL is first loaded. This notification occurs before dynamic linking takes place. * * \param Flags This parameter must be zero. * \param NotificationFunction A pointer to an LdrDllNotification notification callback function to call when the DLL is loaded. * \param Context A pointer to context data for the callback function. * \param Cookie A pointer to a variable to receive an identifier for the callback function. This identifier is used to unregister the notification callback function. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/ldrregisterdllnotification */ NTSYSAPI NTSTATUS NTAPI LdrRegisterDllNotification( _In_ ULONG Flags, _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, _In_opt_ PVOID Context, _Out_ PVOID *Cookie ); /** * Cancels DLL load notification previously registered by calling the LdrRegisterDllNotification function. * * \param Cookie A pointer to the callback identifier received from the LdrRegisterDllNotification call that registered for notification. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/ldrunregisterdllnotification */ NTSYSAPI NTSTATUS NTAPI LdrUnregisterDllNotification( _In_ PVOID Cookie ); // end_msdn #if (PHNT_VERSION >= PHNT_WINDOWS_10) // deprecated NTSYSAPI PUNICODE_STRING NTAPI LdrStandardizeSystemPath( _In_ PCUNICODE_STRING SystemPath ); #endif typedef struct _LDR_FAILURE_DATA { NTSTATUS Status; WCHAR DllName[0x20]; WCHAR AdditionalInfo[0x20]; } LDR_FAILURE_DATA, *PLDR_FAILURE_DATA; #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) NTSYSAPI PLDR_FAILURE_DATA NTAPI LdrGetFailureData( VOID ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA) // WIN8 to REDSTONE typedef struct _PS_MITIGATION_OPTIONS_MAP_V1 { ULONG64 Map[1]; } PS_MITIGATION_OPTIONS_MAP_V1, *PPS_MITIGATION_OPTIONS_MAP_V1; // private // REDSTONE2 to 19H2 typedef struct _PS_MITIGATION_OPTIONS_MAP_V2 { ULONG64 Map[2]; } PS_MITIGATION_OPTIONS_MAP_V2, *PPS_MITIGATION_OPTIONS_MAP_V2; // private // since 20H1 typedef struct _PS_MITIGATION_OPTIONS_MAP_V3 { ULONG64 Map[3]; } PS_MITIGATION_OPTIONS_MAP_V3, *PPS_MITIGATION_OPTIONS_MAP_V3; typedef PS_MITIGATION_OPTIONS_MAP_V3 PS_MITIGATION_OPTIONS_MAP, *PPS_MITIGATION_OPTIONS_MAP; // private // REDSTONE3 to 19H2 typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP_V2 { ULONG64 Map[2]; } PS_MITIGATION_AUDIT_OPTIONS_MAP_V2, *PPS_MITIGATION_AUDIT_OPTIONS_MAP_V2; // private // since 20H1 typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP_V3 { ULONG64 Map[3]; } PS_MITIGATION_AUDIT_OPTIONS_MAP_V3, *PPS_MITIGATION_AUDIT_OPTIONS_MAP_V3, PS_MITIGATION_AUDIT_OPTIONS_MAP, *PPS_MITIGATION_AUDIT_OPTIONS_MAP; // private // WIN8 to REDSTONE _Struct_size_bytes_(Size) typedef struct _PS_SYSTEM_DLL_INIT_BLOCK_V1 { ULONG Size; ULONG SystemDllWowRelocation; ULONG64 SystemDllNativeRelocation; ULONG Wow64SharedInformation[16]; // use WOW64_SHARED_INFORMATION as index ULONG RngData; union { ULONG Flags; struct { ULONG CfgOverride : 1; // since REDSTONE ULONG Reserved : 31; }; }; ULONG64 MitigationOptions; ULONG64 CfgBitMap; // since WINBLUE ULONG64 CfgBitMapSize; ULONG64 Wow64CfgBitMap; // since THRESHOLD ULONG64 Wow64CfgBitMapSize; } PS_SYSTEM_DLL_INIT_BLOCK_V1, *PPS_SYSTEM_DLL_INIT_BLOCK_V1; // RS2 - 19H2 _Struct_size_bytes_(Size) typedef struct _PS_SYSTEM_DLL_INIT_BLOCK_V2 { ULONG Size; ULONG64 SystemDllWowRelocation; ULONG64 SystemDllNativeRelocation; ULONG64 Wow64SharedInformation[16]; // use WOW64_SHARED_INFORMATION as index ULONG RngData; union { ULONG Flags; struct { ULONG CfgOverride : 1; ULONG Reserved : 31; }; }; PS_MITIGATION_OPTIONS_MAP_V2 MitigationOptionsMap; ULONG64 CfgBitMap; ULONG64 CfgBitMapSize; ULONG64 Wow64CfgBitMap; ULONG64 Wow64CfgBitMapSize; PS_MITIGATION_AUDIT_OPTIONS_MAP_V2 MitigationAuditOptionsMap; // since REDSTONE3 } PS_SYSTEM_DLL_INIT_BLOCK_V2, *PPS_SYSTEM_DLL_INIT_BLOCK_V2; // private // since 20H1 _Struct_size_bytes_(Size) typedef struct _PS_SYSTEM_DLL_INIT_BLOCK_V3 { ULONG Size; ULONG64 SystemDllWowRelocation; // effectively since WIN8 ULONG64 SystemDllNativeRelocation; ULONG64 Wow64SharedInformation[16]; // use WOW64_SHARED_INFORMATION as index ULONG RngData; union { ULONG Flags; struct { ULONG CfgOverride : 1; // effectively since REDSTONE ULONG Reserved : 31; }; }; PS_MITIGATION_OPTIONS_MAP_V3 MitigationOptionsMap; ULONG64 CfgBitMap; // effectively since WINBLUE ULONG64 CfgBitMapSize; ULONG64 Wow64CfgBitMap; // effectively since THRESHOLD ULONG64 Wow64CfgBitMapSize; PS_MITIGATION_AUDIT_OPTIONS_MAP_V3 MitigationAuditOptionsMap; // effectively since REDSTONE3 ULONG64 ScpCfgCheckFunction; // since 24H2 ULONG64 ScpCfgCheckESFunction; ULONG64 ScpCfgDispatchFunction; ULONG64 ScpCfgDispatchESFunction; ULONG64 ScpArm64EcCallCheck; ULONG64 ScpArm64EcCfgCheckFunction; ULONG64 ScpArm64EcCfgCheckESFunction; } PS_SYSTEM_DLL_INIT_BLOCK_V3, *PPS_SYSTEM_DLL_INIT_BLOCK_V3, PS_SYSTEM_DLL_INIT_BLOCK, *PPS_SYSTEM_DLL_INIT_BLOCK; // private #if (PHNT_VERSION >= PHNT_WINDOWS_8) NTSYSAPI PS_SYSTEM_DLL_INIT_BLOCK LdrSystemDllInitBlock; #endif // rev see also MEMORY_IMAGE_EXTENSION_INFORMATION typedef struct _RTL_SCPCFG_NTDLL_EXPORTS { PVOID ScpCfgHeader_Nop; PVOID ScpCfgEnd_Nop; PVOID ScpCfgHeader; PVOID ScpCfgEnd; PVOID ScpCfgHeader_ES; PVOID ScpCfgEnd_ES; PVOID ScpCfgHeader_Fptr; PVOID ScpCfgEnd_Fptr; PVOID LdrpGuardDispatchIcallNoESFptr; PVOID __guard_dispatch_icall_fptr; PVOID LdrpGuardCheckIcallNoESFptr; PVOID __guard_check_icall_fptr; PVOID LdrpHandleInvalidUserCallTarget; struct { PVOID NtOpenFile; PVOID NtCreateSection; PVOID NtQueryAttributesFile; PVOID NtOpenSection; PVOID NtMapViewOfSection; } LdrpCriticalLoaderFunctions; } RTL_SCPCFG_NTDLL_EXPORTS, *PRTL_SCPCFG_NTDLL_EXPORTS; // rev #if (PHNT_VERSION >= PHNT_WINDOWS_11_24H2) NTSYSAPI RTL_SCPCFG_NTDLL_EXPORTS RtlpScpCfgNtdllExports; #endif // // Load as data table // // private NTSYSAPI NTSTATUS NTAPI LdrAddLoadAsDataTable( _In_ PVOID DllHandle, _In_opt_ PCWSTR FilePath, _In_ SIZE_T FileSize, _In_ HANDLE FileHandle, _In_opt_ PACTIVATION_CONTEXT ActCtx ); // private NTSYSAPI NTSTATUS NTAPI LdrRemoveLoadAsDataTable( _In_ PVOID DllHandle, _Out_ PVOID *BaseModule, _Out_opt_ PSIZE_T FileSize, _In_ ULONG Flags ); // private NTSYSAPI NTSTATUS NTAPI LdrGetFileNameFromLoadAsDataTable( _In_ PVOID DllHandle, _Out_ PWSTR *FileName ); NTSYSAPI NTSTATUS NTAPI LdrDisableThreadCalloutsForDll( _In_ PVOID DllHandle ); // // Resources // // NtCurrentTeb()->ResourceRetValue // LdrFindResource* and LdrAccessResource typedef struct _LDR_RESLOADER_RET { PVOID Module; PVOID DataEntry; PVOID TargetModule; } LDR_RESLOADER_RET, *PLDR_RESLOADER_RET; /** * The LdrAccessResource function returns a pointer to the first byte of the specified resource in memory. * * \param DllHandle A handle to the DLL. * \param ResourceDataEntry The resource information block. * \param ResourceBuffer The pointer to the specified resource in memory. * \param ResourceLength The size, in bytes, of the specified resource. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadresource */ NTSYSAPI NTSTATUS NTAPI LdrAccessResource( _In_ PVOID DllHandle, _In_ PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry, _Out_opt_ PVOID *ResourceBuffer, _Out_opt_ ULONG *ResourceLength ); /** * The LdrFindResource_U function determines the location of a resource in a DLL. * * \param DllHandle A handle to the DLL. * \param ResourcePath A pointer to an array of Type/Name/Language/(optional)AlternateType. * \param Count The number of elements in the ResourcePath array. * \param ResourceDataEntry The resource information block. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-findresourceexw */ NTSYSAPI NTSTATUS NTAPI LdrFindResource_U( _In_ PVOID DllHandle, _In_reads_(Count) PULONG_PTR ResourcePath, _In_ ULONG Count, _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry ); /** * The LdrFindResourceEx_U function determines the location of a resource in a DLL. * * \param Flags A handle to the DLL. * \param DllHandle A handle to the DLL. * \param ResourcePath A pointer to an array of Type/Name/Language/(optional)AlternateType. * \param Count The number of elements in the ResourcePath array. * \param ResourceDataEntry The resource information block. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-findresourceexw */ NTSYSAPI NTSTATUS NTAPI LdrFindResourceEx_U( _In_ ULONG Flags, _In_ PVOID DllHandle, _In_reads_(Count) PULONG_PTR ResourcePath, _In_ ULONG Count, _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry ); NTSYSAPI NTSTATUS NTAPI LdrFindResourceDirectory_U( _In_ PVOID DllHandle, _In_reads_(Count) PULONG_PTR ResourcePath, _In_ ULONG Count, _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) // rev // Flags for LdrResFindResource, LdrpResGetResourceDirectory, LdrResSearchResource #define LDR_RES_REQUIRE_FOUR_KEYS_A 0x00000001u // Enables 4-key mode (variant A) (requires Count==4) #define LDR_RES_ALLOW_ANY 0x00000002u // Permit Count < 3 (else Count must be 3 or 4) #define LDR_RES_OPTIMIZE_SMALL_A 0x00000008u // Cannot combine with LDR_RES_OPTIMIZE_SMALL_B #define LDR_RES_OPTIMIZE_SMALL_B 0x00000010u // Required when using LDR_RES_SPECIAL_DEPENDENCY with LDR_RES_MODE_D_SEARCH //#define LDR_RES_ALT_RETRY 0x00000030u #define LDR_RES_REQUIRE_FOUR_KEYS_B 0x00000040u // Enables 4-key mode (Enable alternate module message) (requires Count==4) // Search mode flags (if not specified, LDR_RES_MODE_A_SEARCH is the default) #define LDR_RES_MODE_A_SEARCH 0x00000100u // Default mode for typical resource lookup. // Exclusive with B/C/D // LdrResRelease #define LDR_RES_MODE_B_SEARCH 0x00000200u // When the resource is loaded as a datafile // LDR_IS_DATAFILE(DllHandle) // Exclusive with A/C/D // LdrResRelease #define LDR_RES_MODE_C_SEARCH 0x00000400u // When precise control over mapping size is needed. // Exclusive with A/B/D // LdrResRelease #define LDR_RES_MODE_D_SEARCH 0x00000800u // When dependency resolution or alternate resources are needed. // Used with LDR_RES_SPECIAL_DEPENDENCY // Exclusive with A/B/C // LdrResRelease // Mapping behavior flags (only valid with LDR_RES_MODE_C or LDR_RES_MODE_D) #define LDR_RES_MAPPING_STRICT 0x00001000u // Default; Fail if mapping size query fails // LdrResRelease #define LDR_RES_MAPPING_LENIENT 0x00002000u // Allow fallback if mapping size query fails // LdrResRelease #define LDR_RES_MAPPING_ALT_RESOURCE 0x00004000u // When the primary resource search fails, try load and search the alternate resource // LdrResRelease // Small/fast lookup optimizations (only valid with LDR_RES_MODE_A or LDR_RES_MODE_B) #define LDR_RES_SPECIAL_DEPENDENCY 0x00008000u // Only valid with (LDR_RES_MODE_D_SEARCH | LDR_RES_OPTIMIZE_SMALL_B) #define LDR_RES_SIZE_FROM_LENGTH_C 0x00020000u // Use *ResourceLength as mapping size; requires LDR_RES_MODE_C #define LDR_RES_SIZE_FROM_LENGTH_AB 0x00080000u // Use *ResourceLength as mapping size; requires LDR_RES_MODE_A or LDR_RES_MODE_B // Internal-only (set by loader on alternate resource retry; callers must not set) #define LDR_RES_INTERNAL_ALT_RETRY 0x01000000u // Group masks #define LDR_RES_MODE_MASK 0x00000F00u // LDR_RES_MODE_A|LDR_RES_MODE_B|LDR_RES_MODE_C|LDR_RES_MODE_D #define LDR_RES_BEHAVIOR_MASK 0x00003000u // LDR_RES_MAPPING_STRICT/LDR_RES_MAPPING_LENIENT #define LDR_RES_SIZEOVERRIDE_MASK 0x000A0000u // LDR_RES_SIZE_FROM_LENGTH_* (0x20000|0x80000) #define LDR_RES_KEY4_MASK (LDR_RES_REQUIRE_FOUR_KEYS_A | LDR_RES_REQUIRE_FOUR_KEYS_B) // Public/caller-visible bit mask (high bits must be zero for callers) #define LDR_RES_PUBLIC_MASK 0x000FFFFFu // Common invalid combinations (useful for validation) #define LDR_RES_INVALID_SMALL_OPT_PAIR 0x00000018u // LDR_RES_OPTIMIZE_SMALL_A|LDR_RES_OPTIMIZE_SMALL_B #define LDR_RES_INVALID_MAPPING_BEHAVIOR_PAIR 0x00003000u // LDR_RES_MAPPING_STRICT|LDR_RES_MAPPING_LENIENT? // rev /** * The LdrResFindResource function finds a resource in a DLL. * * \param DllHandle A handle to the DLL. * \param Type The type of the resource. This parameter can also be MAKEINTRESOURCE(ID), where ID is the integer identifier of the resource. * \param Name The name of the resource. This parameter can also be MAKEINTRESOURCE(ID), where ID is the integer identifier of the resource. * \param Language The language of the resource. This parameter can also be MAKEINTRESOURCE(ID), where ID is the integer identifier of the resource. * \param ResourceBuffer An optional pointer to receive the resource buffer. * \param ResourceLength An optional pointer to receive the resource length. * \param CultureName An optional buffer to receive the culture name. * \param CultureNameLength An optional pointer to receive the length of the culture name. * \param Flags Flags to modify the resource search. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrResFindResource( _In_ PVOID DllHandle, _In_ PCWSTR Type, _In_ PCWSTR Name, _In_ PCWSTR Language, _Out_opt_ PVOID* ResourceBuffer, _Out_opt_ PSIZE_T ResourceLength, _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] _Out_opt_ PULONG CultureNameLength, _In_opt_ ULONG Flags ); // rev /** * The LdrResFindResourceDirectory function finds the resource directory containing the specified resource. * * \param DllHandle A handle to the DLL. * \param Type The type of the resource. This parameter can also be MAKEINTRESOURCE(ID), where ID is the integer identifier of the resource. * \param Name The name of the resource. This parameter can also be MAKEINTRESOURCE(ID), where ID is the integer identifier of the resource. * \param ResourceDirectory An optional pointer to receive the resource directory. * \param CultureName An optional buffer to receive the culture name. * \param CultureNameLength An optional pointer to receive the length of the culture name. * \param Flags Flags for the resource search. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrResFindResourceDirectory( _In_ PVOID DllHandle, _In_ PCWSTR Type, _In_ PCWSTR Name, _Out_opt_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory, _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] _Out_opt_ PULONG CultureNameLength, _In_opt_ ULONG Flags ); // rev /** * The LdrpResGetResourceDirectory function returns the resource directory for a DLL. * * \param DllHandle A handle to the DLL. * \param Size The size of the image mapping. * \param Flags Flags for the resource search. * \param ResourceDirectory An optional pointer to receive the resource directory. * \param OutHeaders The NT headers of the image. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrpResGetResourceDirectory( _In_ PVOID DllHandle, _In_ SIZE_T Size, _In_ ULONG Flags, _Out_opt_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory, _Out_ PIMAGE_NT_HEADERS* OutHeaders ); // rev /** * The LdrResSearchResource function searches for a resource in a DLL. * * \param DllHandle A handle to the DLL. * \param ResourcePath A pointer to an array of Type/Name/Language/(optional)AlternateType. * \param ResourcePathCount The number of elements in the ResourcePath array. * \param Flags Flags for the resource search. * \param ResourceBuffer An optional pointer to receive the resource buffer. * \param ResourceLength An optional pointer to receive the resource length. * \param CultureName An optional buffer to receive the culture name. * \param CultureNameLength An optional pointer to receive the length of the culture name. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrResSearchResource( _In_ PVOID DllHandle, _In_ PULONG_PTR ResourcePath, _In_ ULONG ResourcePathCount, _In_ ULONG Flags, _Out_opt_ PVOID* ResourceBuffer, _Out_opt_ PSIZE_T ResourceLength, _Out_writes_bytes_opt_(*CultureNameLength) PWSTR CultureName, // WCHAR buffer[6] _Out_opt_ PULONG CultureNameLength ); // rev typedef struct _MUI_RC_CONFIG { ULONG Signature; // Magic signature 0xFEEDFACE (-20054323 signed) ULONG Size; // Total size of this structure ULONG Version; // Version (0x10000 = 1.0) ULONG Flags1; // Primary flags field (validated with & 0xFFFFFFF8) ULONG Flags2; // Secondary flags field (validated with & 0xFFFFFFCC) ULONG ValidationField; // Additional validation field ULONG Flags3; // Tertiary flags field (validated with & 0xFFFFFFFC) ULONG Reserved1; // Reserved field ULONG Reserved2; // Reserved field ULONG Reserved3; // Reserved field ULONG Reserved4; // Reserved field ULONG Reserved5; // Reserved field ULONG Reserved6; // Reserved field ULONG Reserved7; // Reserved field ULONG Reserved8; // Reserved field ULONG Reserved9; // Reserved field ULONG Reserved10; // Reserved field // Data section offset/size pairs (validated for bounds checking) ULONG Section1Offset; // First data section offset ULONG Section1Size; // First data section size ULONG Section2Offset; // Second data section offset ULONG Section2Size; // Second data section size ULONG Section3Offset; // Third data section offset ULONG Section3Size; // Third data section size ULONG Section4Offset; // Fourth data section offset ULONG Section4Size; // Fourth data section size ULONG Section5Offset; // Fifth data section offset ULONG Section5Size; // Fifth data section size ULONG Section6Offset; // Sixth data section offset ULONG Section6Size; // Sixth data section size ULONG Section7Offset; // Seventh data section offset ULONG Section7Size; // Seventh data section size ULONG Section8Offset; // Eighth data section offset ULONG Section8Size; // Eighth data section size // Variable length data follows... // The actual data sections referenced by the offset/size pairs above } MUI_RC_CONFIG, *PMUI_RC_CONFIG; // Magic signature constant #define MUI_RC_CONFIG_SIGNATURE 0xFEEDFACE #define MUI_RC_CONFIG_VERSION_1_0 0x10000 // Flag validation masks #define MUI_FLAGS1_VALID_MASK 0xFFFFFFF8 // Only lower 3 bits allowed #define MUI_FLAGS2_VALID_MASK 0xFFFFFFCC // Specific bit pattern #define MUI_FLAGS3_VALID_MASK 0xFFFFFFFC // Only lower 2 bits allowed /** * The LdrResGetRCConfig function retrieves the MUI configuration (resource type 3) for a DLL. * * \param DllHandle A handle to the DLL. * \param Length The length of the configuration buffer. * \param Config A buffer to receive the configuration. * \param Flags Flags for the operation. * \param AlternateResource Indicates if an alternate resource should be loaded. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrResGetRCConfig( _In_ PVOID DllHandle, _In_opt_ SIZE_T Length, _Out_writes_bytes_opt_(Length) PMUI_RC_CONFIG* Config, _In_ ULONG Flags, _In_ BOOLEAN AlternateResource // LdrLoadAlternateResourceModule ); /** * The LdrResRelease function releases the alternate resource module or section of an associated DLL. * * \param DllHandle A handle to the DLL. * \param CultureNameOrId An optional culture name or ID. * \param Flags Flags for the operation. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrResRelease( _In_ PVOID DllHandle, _In_opt_ PCWSTR CultureNameOrId, // MAKEINTRESOURCE _In_ ULONG Flags ); // rev NTSYSAPI VOID NTAPI LdrpResGetMappingSize( _In_ PVOID BaseAddress, _Out_ PSIZE_T Size, _In_ ULONG Flags, _In_ BOOLEAN GetFileSizeFromLoadAsDataTable ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) // private typedef struct _LDR_ENUM_RESOURCE_ENTRY { union { ULONG_PTR NameOrId; PIMAGE_RESOURCE_DIRECTORY_STRING Name; struct { USHORT Id; USHORT NameIsPresent; }; } Path[3]; PVOID Data; ULONG Size; ULONG Reserved; } LDR_ENUM_RESOURCE_ENTRY, *PLDR_ENUM_RESOURCE_ENTRY; #define NAME_FROM_RESOURCE_ENTRY(RootDirectory, Entry) \ ((Entry)->NameIsString ? (ULONG_PTR)((ULONG_PTR)(RootDirectory) + (ULONG_PTR)((Entry)->NameOffset)) : (Entry)->Id) FORCEINLINE ULONG_PTR NTAPI LdrNameOrIdFromResourceEntry( _In_ PIMAGE_RESOURCE_DIRECTORY ResourceDirectory, _In_ PIMAGE_RESOURCE_DIRECTORY_ENTRY Entry) { if (Entry->NameIsString) return (ULONG_PTR)((ULONG_PTR)ResourceDirectory + (ULONG_PTR)Entry->NameOffset); else return (ULONG_PTR)Entry->Id; } /** * The LdrEnumResources routine enumerates resources of a specified DLL module. * * \param DllHandle Handle to the loaded DLL module whose resources are to be enumerated. * \param ResourceId A pointer to an array of Type/Name/Language/(optional)AlternateType. * \param Count Specifies the number of elements in the ResourceId array. * \param ResourceCount On input, specifies the maximum number of resources to enumerate. On output, receives the actual number of resources enumerated. * \param Resources Pointer to a buffer that receives an array of LDR_ENUM_RESOURCE_ENTRY structures describing the resources. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrEnumResources( _In_ PVOID DllHandle, _In_reads_(Count) PULONG_PTR ResourceId, _In_ ULONG Count, _Inout_ ULONG *ResourceCount, _Out_writes_to_opt_(*ResourceCount, *ResourceCount) PLDR_ENUM_RESOURCE_ENTRY Resources ); /** * The LdrFindEntryForAddress routine retrieves the loader data table entry for a given address within a loaded module. * * \param DllHandle A pointer to an address within the loaded module (such as the base address of the DLL or any address inside the module). * \param Entry On success, receives a pointer to the LDR_DATA_TABLE_ENTRY structure corresponding to the module containing the specified address. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrFindEntryForAddress( _In_ PVOID DllHandle, _Out_ PLDR_DATA_TABLE_ENTRY *Entry ); // rev /** * The LdrLoadAlternateResourceModule routine returns a handle to the language-specific dynamic-link library (DLL) * resource module associated with a DLL that is already loaded for the calling process. * * \param DllHandle A handle to the DLL module to search for a MUI resource. If the language-specific DLL for the MUI is available, * loads the specified module into the address space of the calling process and returns a handle to the module. * \param BaseAddress The base address of the mapped view. * \param Size The size of the mapped view. * \param Flags Reserved * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrLoadAlternateResourceModule( _In_ PVOID DllHandle, _Out_ PVOID *BaseAddress, _Out_opt_ SIZE_T *Size, _In_ ULONG Flags ); // Flags for LdrLoadAlternateResourceModuleEx #define LDR_LOAD_ALT_RESOURCE_MUN_MODE 0x01000000u // Use .mun files instead of .mui files // rev NTSYSAPI NTSTATUS NTAPI LdrLoadAlternateResourceModuleEx( _In_ PVOID DllHandle, _In_ LANGID LanguageId, _Out_ PVOID *BaseAddress, _Out_opt_ SIZE_T *Size, _In_ ULONG Flags ); // rev NTSYSAPI BOOLEAN NTAPI LdrUnloadAlternateResourceModule( _In_ PVOID DllHandle ); // rev NTSYSAPI BOOLEAN NTAPI LdrUnloadAlternateResourceModuleEx( _In_ PVOID DllHandle, _In_ ULONG Flags ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Module information // typedef struct _RTL_PROCESS_MODULE_INFORMATION { PVOID Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[256]; } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; typedef struct _RTL_PROCESS_MODULES { ULONG NumberOfModules; _Field_size_(NumberOfModules) RTL_PROCESS_MODULE_INFORMATION Modules[1]; } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; // private typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX { USHORT NextOffset; union { RTL_PROCESS_MODULE_INFORMATION BaseInfo; struct { PVOID Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[256]; }; }; ULONG ImageChecksum; ULONG TimeDateStamp; PVOID DefaultBase; } RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX; #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSAPI NTSTATUS NTAPI LdrQueryProcessModuleInformation( _In_opt_ PRTL_PROCESS_MODULES ModuleInformation, _In_opt_ ULONG Size, _Out_opt_ PULONG ReturnedSize ); typedef _Function_class_(LDR_ENUM_CALLBACK) VOID NTAPI LDR_ENUM_CALLBACK( _In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, _In_ PVOID Parameter, _Out_ PBOOLEAN Stop ); typedef LDR_ENUM_CALLBACK* PLDR_ENUM_CALLBACK; typedef _Function_class_(LDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION) VOID NTAPI LDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION( _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, _In_opt_ PVOID Context, _Inout_ BOOLEAN *StopEnumeration ); typedef LDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION* PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION; NTSYSAPI NTSTATUS NTAPI LdrEnumerateLoadedModules( _In_ BOOLEAN ReservedFlag, _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION EnumProc, _In_opt_ PVOID Context ); NTSYSAPI NTSTATUS NTAPI LdrOpenImageFileOptionsKey( _In_ PCUNICODE_STRING SubKey, _In_ BOOLEAN Wow64, _Out_ PHANDLE NewKeyHandle ); NTSYSAPI NTSTATUS NTAPI LdrQueryImageFileKeyOption( _In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ReturnedLength ); NTSYSAPI NTSTATUS NTAPI LdrQueryImageFileExecutionOptions( _In_ PCUNICODE_STRING SubKey, _In_ PCWSTR ValueName, _In_ ULONG ValueSize, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ReturnedLength ); NTSYSAPI NTSTATUS NTAPI LdrQueryImageFileExecutionOptionsEx( _In_ PCUNICODE_STRING SubKey, _In_ PCWSTR ValueName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ReturnedLength, _In_ BOOLEAN Wow64 ); // private typedef struct _DELAYLOAD_PROC_DESCRIPTOR { ULONG ImportDescribedByName; union { PCSTR Name; ULONG Ordinal; } Description; } DELAYLOAD_PROC_DESCRIPTOR, *PDELAYLOAD_PROC_DESCRIPTOR; // private typedef struct _DELAYLOAD_INFO { ULONG Size; PCIMAGE_DELAYLOAD_DESCRIPTOR DelayloadDescriptor; PIMAGE_THUNK_DATA ThunkAddress; PCSTR TargetDllName; DELAYLOAD_PROC_DESCRIPTOR TargetApiDescriptor; PVOID TargetModuleBase; PVOID Unused; ULONG LastError; } DELAYLOAD_INFO, *PDELAYLOAD_INFO; // private typedef _Function_class_(DELAYLOAD_FAILURE_DLL_CALLBACK) PVOID NTAPI DELAYLOAD_FAILURE_DLL_CALLBACK( _In_ ULONG NotificationReason, _In_ PDELAYLOAD_INFO DelayloadInfo ); typedef DELAYLOAD_FAILURE_DLL_CALLBACK* PDELAYLOAD_FAILURE_DLL_CALLBACK; // rev typedef _Function_class_(DELAYLOAD_FAILURE_SYSTEM_ROUTINE) PVOID NTAPI DELAYLOAD_FAILURE_SYSTEM_ROUTINE( _In_ PCSTR DllName, _In_ PCSTR ProcedureName ); typedef DELAYLOAD_FAILURE_SYSTEM_ROUTINE* PDELAYLOAD_FAILURE_SYSTEM_ROUTINE; #if (PHNT_VERSION >= PHNT_WINDOWS_10) // rev from QueryOptionalDelayLoadedAPI /** * The LdrQueryOptionalDelayLoadedAPI routine determines whether the specified function in a delay-loaded DLL is available on the system. * * \param ParentModuleBase A handle to the calling module. (NtCurrentImageBase) * \param DllName The file name of the delay-loaded DLL that exports the specified function. This parameter is case-insensitive. * \param ProcedureName The address of a delay-load failure callback function for the specified DLL and process. * \param Flags Reserved; must be 0. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi2/nf-libloaderapi2-queryoptionaldelayloadedapi */ NTSYSAPI NTSTATUS NTAPI LdrQueryOptionalDelayLoadedAPI( _In_ PVOID ParentModuleBase, _In_ PCSTR DllName, _In_ PCSTR ProcedureName, _Reserved_ ULONG Flags ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) #if (PHNT_VERSION >= PHNT_WINDOWS_8) // rev from ResolveDelayLoadedAPI /** * The LdrResolveDelayLoadedAPI routine locates the target function of the specified import and replaces the function pointer in the import thunk with the target of the function implementation. * * \param ParentModuleBase The address of the base of the module importing a delay-loaded function. (NtCurrentImageBase) * \param DelayloadDescriptor The address of the image delay import directory for the module to be loaded. * \param FailureDllHook The address of a delay-load failure callback function for the specified DLL and process. * \param FailureSystemHook The address of a delay-load failure callback function for the specified DLL and process. * \param ThunkAddress The thunk data for the target function. Used to find the specific name table entry of the function. * \param Flags Reserved; must be 0. * \return The address of the import, or the failure stub for it. * \remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/resolvedelayloadedapi */ NTSYSAPI PVOID NTAPI LdrResolveDelayLoadedAPI( _In_ PVOID ParentModuleBase, _In_ PCIMAGE_DELAYLOAD_DESCRIPTOR DelayloadDescriptor, _In_opt_ PDELAYLOAD_FAILURE_DLL_CALLBACK FailureDllHook, _In_opt_ PDELAYLOAD_FAILURE_SYSTEM_ROUTINE FailureSystemHook, // kernel32.DelayLoadFailureHook _Out_ PIMAGE_THUNK_DATA ThunkAddress, _Reserved_ ULONG Flags ); // rev from ResolveDelayLoadsFromDll /** * The LdrResolveDelayLoadsFromDll routine forwards the work in resolving delay-loaded imports from the parent binary to a target binary. * * \param [in] ParentModuleBase The base address of the module that delay loads another binary. * \param [in] TargetDllName The name of the target DLL. * \param [in] Flags Reserved; must be 0. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/resolvedelayloadsfromdll */ NTSYSAPI NTSTATUS NTAPI LdrResolveDelayLoadsFromDll( _In_ PVOID ParentModuleBase, _In_ PCSTR TargetDllName, _Reserved_ ULONG Flags ); // rev from SetDefaultDllDirectories /** * The LdrSetDefaultDllDirectories routine specifies a default set of directories to search when the calling process loads a DLL. * * \param [in] DirectoryFlags The directories to search. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-setdefaultdlldirectories */ NTSYSAPI NTSTATUS NTAPI LdrSetDefaultDllDirectories( _In_ ULONG DirectoryFlags ); // rev from AddDllDirectory /** * The LdrAddDllDirectory routine adds a directory to the process DLL search path. * * \param [in] NewDirectory An absolute path to the directory to add to the search path. For example, to add the directory Dir2 to the process DLL search path, specify \Dir2. * \param [out] Cookie An opaque pointer that can be passed to RemoveDllDirectory to remove the DLL from the process DLL search path. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-adddlldirectory */ NTSYSAPI NTSTATUS NTAPI LdrAddDllDirectory( _In_ PCUNICODE_STRING NewDirectory, _Out_ PDLL_DIRECTORY_COOKIE Cookie ); // rev from RemoveDllDirectory /** * The LdrRemoveDllDirectory routine removes a directory that was added to the process DLL search path by using LdrAddDllDirectory. * * \param [in] Cookie The cookie returned by LdrAddDllDirectory when the directory was added to the search path. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-removedlldirectory */ NTSYSAPI NTSTATUS NTAPI LdrRemoveDllDirectory( _In_ DLL_DIRECTORY_COOKIE Cookie ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) // rev /** * The LdrShutdownProcess routine forcefully terminates the calling program if it is invoked inside a loader callout. Otherwise, it has no effect. */ _Analysis_noreturn_ DECLSPEC_NORETURN NTSYSAPI VOID NTAPI LdrShutdownProcess( VOID ); // rev /** * The LdrShutdownThread routine forcefully terminates the calling thread if it is invoked inside a loader callout. Otherwise, it has no effect. */ _Analysis_noreturn_ DECLSPEC_NORETURN NTSYSAPI VOID NTAPI LdrShutdownThread( VOID ); #if (PHNT_VERSION >= PHNT_WINDOWS_8_1) // rev /** * The LdrSetImplicitPathOptions routine sets implicit path options. * * \param [in] ImplicitPathOptions The implicit path options to set. */ NTSYSAPI NTSTATUS NTAPI LdrSetImplicitPathOptions( _In_ ULONG ImplicitPathOptions ); #endif #if (PHNT_VERSION >= PHNT_WINDOWS_10RS3) // private /** * The LdrControlFlowGuardEnforced routine checks if Control Flow Guard is enforced. * * \return TRUE if Control Flow Guard is enforced, FALSE otherwise. */ NTSYSAPI ULONG NTAPI LdrControlFlowGuardEnforced( VOID ); #endif #if (PHNT_VERSION >= PHNT_WINDOWS_10_19H1) // rev /** * The LdrIsModuleSxsRedirected routine determines whether the specified module is SxS-redirected. * * \param [in] DllHandle A handle to the DLL */ NTSYSAPI BOOLEAN NTAPI LdrIsModuleSxsRedirected( _In_ PVOID DllHandle ); #endif #if (PHNT_VERSION >= PHNT_WINDOWS_10) // rev /** * The LdrUpdatePackageSearchPath routine updates the package search path used by the loader. * * \param [in] SearchPath The new search path. */ NTSYSAPI NTSTATUS NTAPI LdrUpdatePackageSearchPath( _In_ PCWSTR SearchPath ); #endif // rev #define ENCLAVE_STATE_CREATED 0x00000000ul // LdrpCreateSoftwareEnclave initial state #define ENCLAVE_STATE_INITIALIZED 0x00000001ul // ZwInitializeEnclave successful (LdrInitializeEnclave) #define ENCLAVE_STATE_INITIALIZED_VBS 0x00000002ul // only for ENCLAVE_TYPE_VBS (LdrInitializeEnclave) // rev typedef struct _LDR_SOFTWARE_ENCLAVE { LIST_ENTRY Links; // ntdll!LdrpEnclaveList RTL_CRITICAL_SECTION CriticalSection; ULONG EnclaveType; // ENCLAVE_TYPE_* LONG ReferenceCount; ULONG EnclaveState; // ENCLAVE_STATE_* PVOID BaseAddress; SIZE_T Size; PVOID PreviousBaseAddress; LIST_ENTRY Modules; // LDR_DATA_TABLE_ENTRY.InLoadOrderLinks PLDR_DATA_TABLE_ENTRY PrimaryModule; PLDR_DATA_TABLE_ENTRY BCryptModule; PLDR_DATA_TABLE_ENTRY BCryptPrimitivesModule; } LDR_SOFTWARE_ENCLAVE, *PLDR_SOFTWARE_ENCLAVE; #if (PHNT_VERSION >= PHNT_WINDOWS_10) // rev from CreateEnclave /** * The LdrCreateEnclave routine creates a new uninitialized enclave. An enclave is an isolated region of code and data within the address space for an application. Only code that runs within the enclave can access data within the same enclave. * * \param ProcessHandle A handle to the process for which you want to create an enclave. * \param BaseAddress The preferred base address of the enclave. Specify NULL to have the operating system assign the base address. * \param Reserved Reserved. * \param Size The size of the enclave that you want to create, including the size of the code that you will load into the enclave, in bytes. * \param InitialCommitment The amount of memory to commit for the enclave, in bytes. This parameter is not used for virtualization-based security (VBS) enclaves. * \param EnclaveType The architecture type of the enclave that you want to create. To verify that an enclave type is supported, call IsEnclaveTypeSupported. * \param EnclaveInformation A pointer to the architecture-specific information to use to create the enclave. * \param EnclaveInformationLength The length of the structure that the EnclaveInformation parameter points to, in bytes. * For the ENCLAVE_TYPE_SGX and ENCLAVE_TYPE_SGX2 enclave types, this value must be 4096. For the ENCLAVE_TYPE_VBS enclave type, this value must be sizeof(ENCLAVE_CREATE_INFO_VBS), which is 36 bytes. * \param EnclaveError An optional pointer to a variable that receives an enclave error code that is architecture-specific. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-createenclave */ NTSYSAPI NTSTATUS NTAPI LdrCreateEnclave( _In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _In_ ULONG Reserved, _In_ SIZE_T Size, _In_ SIZE_T InitialCommitment, _In_ ULONG EnclaveType, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_ PULONG EnclaveError ); // rev from InitializeEnclave /** * The LdrInitializeEnclave routine initializes an enclave that you created and loaded with data. * * \param ProcessHandle A handle to the process for which the enclave was created. * \param BaseAddress Any address within the enclave. * \param EnclaveInformation A pointer to the architecture-specific information to use to initialize the enclave. * \param EnclaveInformationLength The length of the structure that the EnclaveInformation parameter points to, in bytes. * For the ENCLAVE_TYPE_SGX and ENCLAVE_TYPE_SGX2 enclave types, this value must be 4096. For the ENCLAVE_TYPE_VBS enclave type, this value must be sizeof(ENCLAVE_CREATE_INFO_VBS), which is 36 bytes. * \param EnclaveError An optional pointer to a variable that receives an enclave error code that is architecture-specific. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-initializeenclave */ NTSYSAPI NTSTATUS NTAPI LdrInitializeEnclave( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_ PULONG EnclaveError ); // rev from DeleteEnclave /** * The LdrDeleteEnclave routine deletes the specified enclave. * * \param BaseAddress The base address of the enclave that you want to delete. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-deleteenclave */ NTSYSAPI NTSTATUS NTAPI LdrDeleteEnclave( _In_ PVOID BaseAddress ); // rev from CallEnclave /** * The LdrCallEnclave routine calls a function within an enclave. LdrCallEnclave can also be called within an enclave to call a function outside of the enclave. * * \param Routine The address of the function that you want to call. * \param Flags The flags to modify the call function. * \param RoutineParamReturn The parameter than you want to pass to the function. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-callenclave */ NTSYSAPI NTSTATUS NTAPI LdrCallEnclave( _In_ PENCLAVE_ROUTINE Routine, _In_ ULONG Flags, // ENCLAVE_CALL_FLAG_* _Inout_ PVOID* RoutineParamReturn ); // rev from LoadEnclaveImage /** * The LdrLoadEnclaveModule routine loads an image and all of its imports into an enclave. * * \param BaseAddress The base address of the enclave in which the module will be loaded. * This address must correspond to an enclave previously created by using LdrCreateEnclave. * \param DllPath A NULL-terminated string that contains the path of the image to load. * \param DllName A NULL-terminated string that contains the name of the image to load. * \return NTSTATUS Successful or errant status. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-loadenclaveimagew */ NTSYSAPI NTSTATUS NTAPI LdrLoadEnclaveModule( _In_ PVOID BaseAddress, _In_opt_ PCWSTR DllPath, _In_ PCUNICODE_STRING DllName ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) /** * The LdrFastFailInLoaderCallout routine forcefully terminates the calling program if it is invoked inside a loader callout. Otherwise, it has no effect. * * \remarks This routine does not catch all potential deadlock cases; it is possible for a thread inside a loader callout * to acquire a lock while some thread outside a loader callout holds the same lock and makes a call into the loader. * In other words, there can be a lock order inversion between the loader lock and a client lock. * https://learn.microsoft.com/en-us/windows/win32/devnotes/ldrfastfailinloadercallout */ NTSYSAPI VOID NTAPI LdrFastFailInLoaderCallout( VOID ); NTSYSAPI BOOLEAN NTAPI LdrFlushAlternateResourceModules( VOID ); // rev NTSYSAPI NTSTATUS NTAPI LdrDllRedirectionCallback( _In_ ULONG Flags, _In_ PCWSTR DllName, _In_opt_ PCWSTR DllPath, _Inout_opt_ PULONG DllCharacteristics, _In_ PVOID CallbackData, _Out_ PCWSTR *EffectiveDllPath ); // rev NTSYSAPI VOID NTAPI LdrSetDllManifestProber( _In_ PVOID Routine ); #if (PHNT_VERSION >= PHNT_WINDOWS_10) NTSYSAPI BOOLEAN LdrpChildNtdll; // DATA export #endif // rev NTSYSAPI NTSTATUS NTAPI LdrAppxHandleIntegrityFailure( _In_ NTSTATUS Status ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // Note: Keep the static asserts below at the end of the file to ensure the structure is correct. #if defined(_WIN64) static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks) == 0x10, "LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks) == 0x20, "LDR_DATA_TABLE_ENTRY.InInitializationOrderLinks offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DllBase) == 0x30, "LDR_DATA_TABLE_ENTRY.DllBase offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, EntryPoint) == 0x38, "LDR_DATA_TABLE_ENTRY.EntryPoint offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, SizeOfImage) == 0x40, "LDR_DATA_TABLE_ENTRY.SizeOfImage offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ObsoleteLoadCount) == 0x6c, "LDR_DATA_TABLE_ENTRY.ObsoleteLoadCount offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, TimeDateStamp) == 0x80, "LDR_DATA_TABLE_ENTRY.TimeDateStamp offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) == 0x98, "LDR_DATA_TABLE_ENTRY.DdagNode offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ParentDllBase) == 0xb8, "LDR_DATA_TABLE_ENTRY.ParentDllBase offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, OriginalBase) == 0xf8, "LDR_DATA_TABLE_ENTRY.OriginalBase offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) == 0x108, "LDR_DATA_TABLE_ENTRY.BaseNameHashValue offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, LoadReason) == 0x10c, "LDR_DATA_TABLE_ENTRY.LoadReason offset incorrect"); static_assert(sizeof(LDR_DATA_TABLE_ENTRY) == 0x138, "LDR_DATA_TABLE_ENTRY incorrect size"); #else static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks) == 0x8, "LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks) == 0x10, "LDR_DATA_TABLE_ENTRY.InInitializationOrderLinks offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DllBase) == 0x18, "LDR_DATA_TABLE_ENTRY.DllBase offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, EntryPoint) == 0x1c, "LDR_DATA_TABLE_ENTRY.EntryPoint offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, SizeOfImage) == 0x20, "LDR_DATA_TABLE_ENTRY.SizeOfImage offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ObsoleteLoadCount) == 0x38, "LDR_DATA_TABLE_ENTRY.ObsoleteLoadCount offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, TimeDateStamp) == 0x44, "LDR_DATA_TABLE_ENTRY.TimeDateStamp offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) == 0x50, "LDR_DATA_TABLE_ENTRY.DdagNode offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ParentDllBase) == 0x60, "LDR_DATA_TABLE_ENTRY.ParentDllBase offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, OriginalBase) == 0x80, "LDR_DATA_TABLE_ENTRY.OriginalBase offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) == 0x90, "LDR_DATA_TABLE_ENTRY.BaseNameHashValue offset incorrect"); static_assert(UFIELD_OFFSET(LDR_DATA_TABLE_ENTRY, LoadReason) == 0x94, "LDR_DATA_TABLE_ENTRY.LoadReason offset incorrect"); static_assert(sizeof(LDR_DATA_TABLE_ENTRY) == 0xB8, "LDR_DATA_TABLE_ENTRY incorrect size"); #endif #endif // _NTLDR_H ================================================ FILE: phnt/include/ntlpcapi.h ================================================ /* * Local Inter-process Communication support functions * * This file is part of System Informer. */ #ifndef _NTLPCAPI_H #define _NTLPCAPI_H // // ALPC Object Specific Access Rights // #define PORT_CONNECT 0x0001 #define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1) // // ALPC information structures // typedef struct _PORT_MESSAGE { union { struct { CSHORT DataLength; CSHORT TotalLength; } s1; ULONG Length; } u1; union { struct { CSHORT Type; CSHORT DataInfoOffset; } s2; ULONG ZeroInit; } u2; union { CLIENT_ID ClientId; double DoNotUseThisField; }; ULONG MessageId; union { SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages ULONG CallbackId; // only valid for LPC_REQUEST messages }; } PORT_MESSAGE, *PPORT_MESSAGE; typedef struct _PORT_DATA_ENTRY { PVOID Base; ULONG Size; } PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; typedef struct _PORT_DATA_INFORMATION { ULONG CountDataEntries; _Field_size_(CountDataEntries) PORT_DATA_ENTRY DataEntries[1]; } PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; #define LPC_REQUEST 1 #define LPC_REPLY 2 #define LPC_DATAGRAM 3 #define LPC_LOST_REPLY 4 #define LPC_PORT_CLOSED 5 #define LPC_CLIENT_DIED 6 #define LPC_EXCEPTION 7 #define LPC_DEBUG_EVENT 8 #define LPC_ERROR_EVENT 9 #define LPC_CONNECTION_REQUEST 10 #define LPC_CONTINUATION_REQUIRED 0x2000 #define LPC_NO_IMPERSONATE 0x4000 #define LPC_KERNELMODE_MESSAGE 0x8000 #define ALPC_REQUEST (LPC_CONTINUATION_REQUIRED | LPC_REQUEST) #define ALPC_REPLY (LPC_CONTINUATION_REQUIRED | LPC_REPLY) #define ALPC_DATAGRAM (LPC_CONTINUATION_REQUIRED | LPC_DATAGRAM) #define ALPC_LOST_REPLY (LPC_CONTINUATION_REQUIRED | LPC_LOST_REPLY) #define ALPC_PORT_CLOSED (LPC_CONTINUATION_REQUIRED | LPC_PORT_CLOSED) #define ALPC_CLIENT_DIED (LPC_CONTINUATION_REQUIRED | LPC_CLIENT_DIED) #define ALPC_EXCEPTION (LPC_CONTINUATION_REQUIRED | LPC_EXCEPTION) #define ALPC_DEBUG_EVENT (LPC_CONTINUATION_REQUIRED | LPC_DEBUG_EVENT) #define ALPC_ERROR_EVENT (LPC_CONTINUATION_REQUIRED | LPC_ERROR_EVENT) #define ALPC_CONNECTION_REQUEST (LPC_CONTINUATION_REQUIRED | LPC_CONNECTION_REQUEST) #define PORT_VALID_OBJECT_ATTRIBUTES OBJ_CASE_INSENSITIVE #ifdef _WIN64 #define PORT_MAXIMUM_MESSAGE_LENGTH 512 #else #define PORT_MAXIMUM_MESSAGE_LENGTH 256 #endif #define LPC_MAX_CONNECTION_INFO_SIZE (16 * sizeof(ULONG_PTR)) #define PORT_TOTAL_MAXIMUM_MESSAGE_LENGTH \ ((PORT_MAXIMUM_MESSAGE_LENGTH + sizeof(PORT_MESSAGE) + LPC_MAX_CONNECTION_INFO_SIZE + 0xf) & ~0xf) typedef struct _LPC_CLIENT_DIED_MSG { PORT_MESSAGE PortMsg; LARGE_INTEGER CreateTime; } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; typedef struct _PORT_VIEW { ULONG Length; HANDLE SectionHandle; ULONG SectionOffset; SIZE_T ViewSize; PVOID ViewBase; PVOID ViewRemoteBase; } PORT_VIEW, *PPORT_VIEW; typedef struct _REMOTE_PORT_VIEW { ULONG Length; SIZE_T ViewSize; PVOID ViewBase; } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; // WOW64 definitions // Except in a small number of special cases, WOW64 programs using the LPC APIs must use the 64-bit versions of the // PORT_MESSAGE, PORT_VIEW and REMOTE_PORT_VIEW data structures. Note that we take a different approach than the // official NT headers, which produce 64-bit versions in a 32-bit environment when USE_LPC6432 is defined. typedef struct _PORT_MESSAGE64 { union { struct { CSHORT DataLength; CSHORT TotalLength; } s1; ULONG Length; } u1; union { struct { CSHORT Type; CSHORT DataInfoOffset; } s2; ULONG ZeroInit; } u2; union { CLIENT_ID64 ClientId; double DoNotUseThisField; }; ULONG MessageId; union { ULONGLONG ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages ULONG CallbackId; // only valid for LPC_REQUEST messages }; } PORT_MESSAGE64, *PPORT_MESSAGE64; typedef struct _LPC_CLIENT_DIED_MSG64 { PORT_MESSAGE64 PortMsg; LARGE_INTEGER CreateTime; } LPC_CLIENT_DIED_MSG64, *PLPC_CLIENT_DIED_MSG64; typedef struct _PORT_VIEW64 { ULONG Length; ULONGLONG SectionHandle; ULONG SectionOffset; ULONGLONG ViewSize; ULONGLONG ViewBase; ULONGLONG ViewRemoteBase; } PORT_VIEW64, *PPORT_VIEW64; typedef struct _REMOTE_PORT_VIEW64 { ULONG Length; ULONGLONG ViewSize; ULONGLONG ViewBase; } REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64; // // Port creation // NTSYSCALLAPI NTSTATUS NTAPI NtCreatePort( _Out_ PHANDLE PortHandle, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG MaxConnectionInfoLength, _In_ ULONG MaxMessageLength, _In_opt_ ULONG MaxPoolUsage ); NTSYSCALLAPI NTSTATUS NTAPI NtCreateWaitablePort( _Out_ PHANDLE PortHandle, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG MaxConnectionInfoLength, _In_ ULONG MaxMessageLength, _In_opt_ ULONG MaxPoolUsage ); // // Port connection (client) // NTSYSCALLAPI NTSTATUS NTAPI NtConnectPort( _Out_ PHANDLE PortHandle, _In_ PCUNICODE_STRING PortName, _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, _Inout_opt_ PPORT_VIEW ClientView, _Inout_opt_ PREMOTE_PORT_VIEW ServerView, _Out_opt_ PULONG MaxMessageLength, _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation, _Inout_opt_ PULONG ConnectionInformationLength ); NTSYSCALLAPI NTSTATUS NTAPI NtSecureConnectPort( _Out_ PHANDLE PortHandle, _In_ PCUNICODE_STRING PortName, _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, _Inout_opt_ PPORT_VIEW ClientView, _In_opt_ PSID RequiredServerSid, _Inout_opt_ PREMOTE_PORT_VIEW ServerView, _Out_opt_ PULONG MaxMessageLength, _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation, _Inout_opt_ PULONG ConnectionInformationLength ); // // Port connection (server) // NTSYSCALLAPI NTSTATUS NTAPI NtListenPort( _In_ HANDLE PortHandle, _Out_ PPORT_MESSAGE ConnectionRequest ); NTSYSCALLAPI NTSTATUS NTAPI NtAcceptConnectPort( _Out_ PHANDLE PortHandle, _In_opt_ PVOID PortContext, _In_ PPORT_MESSAGE ConnectionRequest, _In_ BOOLEAN AcceptConnection, _Inout_opt_ PPORT_VIEW ServerView, _Out_opt_ PREMOTE_PORT_VIEW ClientView ); NTSYSCALLAPI NTSTATUS NTAPI NtCompleteConnectPort( _In_ HANDLE PortHandle ); // // General // NTSYSCALLAPI NTSTATUS NTAPI NtRequestPort( _In_ HANDLE PortHandle, _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage ); NTSYSCALLAPI NTSTATUS NTAPI NtRequestWaitReplyPort( _In_ HANDLE PortHandle, _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage, _Out_ PPORT_MESSAGE ReplyMessage ); NTSYSCALLAPI NTSTATUS NTAPI NtReplyPort( _In_ HANDLE PortHandle, _In_reads_bytes_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage ); NTSYSCALLAPI NTSTATUS NTAPI NtReplyWaitReplyPort( _In_ HANDLE PortHandle, _Inout_ PPORT_MESSAGE ReplyMessage ); NTSYSCALLAPI NTSTATUS NTAPI NtReplyWaitReceivePort( _In_ HANDLE PortHandle, _Out_opt_ PVOID *PortContext, _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage, _Out_ PPORT_MESSAGE ReceiveMessage ); NTSYSCALLAPI NTSTATUS NTAPI NtReplyWaitReceivePortEx( _In_ HANDLE PortHandle, _Out_opt_ PVOID *PortContext, _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage, _Out_ PPORT_MESSAGE ReceiveMessage, _In_opt_ PLARGE_INTEGER Timeout ); NTSYSCALLAPI NTSTATUS NTAPI NtImpersonateClientOfPort( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE Message ); NTSYSCALLAPI NTSTATUS NTAPI NtReadRequestData( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE Message, _In_ ULONG DataEntryIndex, _Out_writes_bytes_to_(BufferSize, *NumberOfBytesRead) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead ); NTSYSCALLAPI NTSTATUS NTAPI NtWriteRequestData( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE Message, _In_ ULONG DataEntryIndex, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesWritten ); typedef enum _PORT_INFORMATION_CLASS { PortBasicInformation, PortDumpInformation } PORT_INFORMATION_CLASS; NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationPort( _In_ HANDLE PortHandle, _In_ PORT_INFORMATION_CLASS PortInformationClass, _Out_writes_bytes_to_(Length, *ReturnLength) PVOID PortInformation, _In_ ULONG Length, _Out_opt_ PULONG ReturnLength ); // // Asynchronous Local Inter-process Communication // // rev typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE; #define ALPC_PORFLG_NONE 0x0 #define ALPC_PORFLG_LPC_MODE 0x1000 // kernel only #define ALPC_PORFLG_ALLOW_IMPERSONATION 0x10000 #define ALPC_PORFLG_ALLOW_LPC_REQUESTS 0x20000 // rev #define ALPC_PORFLG_WAITABLE_PORT 0x40000 // dbg #define ALPC_PORFLG_ALLOW_DUP_OBJECT 0x80000 #define ALPC_PORFLG_SYSTEM_PROCESS 0x100000 // dbg #define ALPC_PORFLG_WAKE_POLICY1 0x200000 #define ALPC_PORFLG_WAKE_POLICY2 0x400000 #define ALPC_PORFLG_WAKE_POLICY3 0x800000 #define ALPC_PORFLG_DIRECT_MESSAGE 0x1000000 #define ALPC_PORFLG_ALLOW_MULTIHANDLE_ATTRIBUTE 0x2000000 #define ALPC_PORFLG_OBJECT_TYPE_FILE 0x0001 #define ALPC_PORFLG_OBJECT_TYPE_INVALID 0x0002 #define ALPC_PORFLG_OBJECT_TYPE_THREAD 0x0004 #define ALPC_PORFLG_OBJECT_TYPE_SEMAPHORE 0x0008 #define ALPC_PORFLG_OBJECT_TYPE_EVENT 0x0010 #define ALPC_PORFLG_OBJECT_TYPE_PROCESS 0X0020 #define ALPC_PORFLG_OBJECT_TYPE_MUTEX 0x0040 #define ALPC_PORFLG_OBJECT_TYPE_SECTION 0x0080 #define ALPC_PORFLG_OBJECT_TYPE_REGKEY 0x0100 #define ALPC_PORFLG_OBJECT_TYPE_TOKEN 0x0200 #define ALPC_PORFLG_OBJECT_TYPE_COMPOSITION 0x0400 #define ALPC_PORFLG_OBJECT_TYPE_JOB 0x0800 #define ALPC_PORFLG_OBJECT_TYPE_ALL \ (ALPC_PORFLG_OBJECT_TYPE_FILE | ALPC_PORFLG_OBJECT_TYPE_THREAD | \ ALPC_PORFLG_OBJECT_TYPE_SEMAPHORE | ALPC_PORFLG_OBJECT_TYPE_EVENT | \ ALPC_PORFLG_OBJECT_TYPE_PROCESS | ALPC_PORFLG_OBJECT_TYPE_MUTEX | \ ALPC_PORFLG_OBJECT_TYPE_SECTION | ALPC_PORFLG_OBJECT_TYPE_REGKEY | \ ALPC_PORFLG_OBJECT_TYPE_TOKEN | ALPC_PORFLG_OBJECT_TYPE_COMPOSITION | \ ALPC_PORFLG_OBJECT_TYPE_JOB) // symbols typedef struct _ALPC_PORT_ATTRIBUTES { ULONG Flags; SECURITY_QUALITY_OF_SERVICE SecurityQos; SIZE_T MaxMessageLength; SIZE_T MemoryBandwidth; SIZE_T MaxPoolUsage; SIZE_T MaxSectionSize; SIZE_T MaxViewSize; SIZE_T MaxTotalSectionSize; ULONG DupObjectTypes; #ifdef _WIN64 ULONG Reserved; #endif } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; // begin_rev #define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000 #define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000 #define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000 #define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000 // Convenience macro for all message attributes #define ALPC_MESSAGE_ATTRIBUTES_ALL \ (ALPC_MESSAGE_HANDLE_ATTRIBUTE | \ ALPC_MESSAGE_CONTEXT_ATTRIBUTE | \ ALPC_MESSAGE_VIEW_ATTRIBUTE | \ ALPC_MESSAGE_SECURITY_ATTRIBUTE) // end_rev // symbols typedef struct _ALPC_MESSAGE_ATTRIBUTES { ULONG AllocatedAttributes; ULONG ValidAttributes; } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; // symbols typedef struct _ALPC_COMPLETION_LIST_STATE { union { struct { ULONG64 Head : 24; ULONG64 Tail : 24; ULONG64 ActiveThreadCount : 16; } s1; ULONG64 Value; } u1; } ALPC_COMPLETION_LIST_STATE, *PALPC_COMPLETION_LIST_STATE; #define ALPC_COMPLETION_LIST_BUFFER_GRANULARITY_MASK 0x3f // dbg // symbols typedef struct DECLSPEC_ALIGN(128) _ALPC_COMPLETION_LIST_HEADER { ULONG64 StartMagic; ULONG TotalSize; ULONG ListOffset; ULONG ListSize; ULONG BitmapOffset; ULONG BitmapSize; ULONG DataOffset; ULONG DataSize; ULONG AttributeFlags; ULONG AttributeSize; DECLSPEC_ALIGN(128) ALPC_COMPLETION_LIST_STATE State; ULONG LastMessageId; ULONG LastCallbackId; DECLSPEC_ALIGN(128) ULONG PostCount; DECLSPEC_ALIGN(128) ULONG ReturnCount; DECLSPEC_ALIGN(128) ULONG LogSequenceNumber; DECLSPEC_ALIGN(128) RTL_SRWLOCK UserLock; ULONG64 EndMagic; } ALPC_COMPLETION_LIST_HEADER, *PALPC_COMPLETION_LIST_HEADER; // private typedef struct _ALPC_CONTEXT_ATTR { PVOID PortContext; PVOID MessageContext; ULONG Sequence; ULONG MessageId; ULONG CallbackId; } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; // begin_rev #define ALPC_HANDLEFLG_DUPLICATE_SAME_ACCESS 0x10000 #define ALPC_HANDLEFLG_DUPLICATE_SAME_ATTRIBUTES 0x20000 #define ALPC_HANDLEFLG_DUPLICATE_INHERIT 0x80000 // end_rev // private typedef struct _ALPC_HANDLE_ATTR32 { ULONG Flags; ULONG Reserved0; ULONG SameAccess; ULONG SameAttributes; ULONG Indirect; ULONG Inherit; ULONG Reserved1; ULONG Handle; ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex ACCESS_MASK DesiredAccess; ACCESS_MASK GrantedAccess; } ALPC_HANDLE_ATTR32, *PALPC_HANDLE_ATTR32; // private typedef struct _ALPC_HANDLE_ATTR { ULONG Flags; ULONG Reserved0; ULONG SameAccess; ULONG SameAttributes; ULONG Indirect; ULONG Inherit; ULONG Reserved1; HANDLE Handle; PALPC_HANDLE_ATTR32 HandleAttrArray; ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex ULONG HandleCount; ACCESS_MASK DesiredAccess; ACCESS_MASK GrantedAccess; } ALPC_HANDLE_ATTR, *PALPC_HANDLE_ATTR; #define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg #define ALPC_SECFLG_NOSECTIONHANDLE 0x40000 // private typedef struct _ALPC_SECURITY_ATTR { ULONG Flags; PSECURITY_QUALITY_OF_SERVICE QoS; ALPC_HANDLE ContextHandle; // dbg } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; // begin_rev #define ALPC_VIEWFLG_UNMAP_EXISTING 0x10000 #define ALPC_VIEWFLG_AUTO_RELEASE 0x20000 #define ALPC_VIEWFLG_NOT_SECURE 0x40000 // end_rev // private typedef struct _ALPC_DATA_VIEW_ATTR { ULONG Flags; ALPC_HANDLE SectionHandle; PVOID ViewBase; // must be zero on input SIZE_T ViewSize; } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; // private typedef enum _ALPC_PORT_INFORMATION_CLASS { AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT AlpcConnectedSIDInformation, // q: in SID AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION AlpcUnregisterCompletionListInformation, // s: VOID AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG AlpcRegisterCallbackInformation, // s: ALPC_REGISTER_CALLBACK // kernel-mode only AlpcCompletionListRundownInformation, // s: VOID // 10 AlpcWaitForPortReferences, AlpcServerSessionInformation // q: ALPC_SERVER_SESSION_INFORMATION // since 19H2 } ALPC_PORT_INFORMATION_CLASS; // private typedef struct _ALPC_BASIC_INFORMATION { ULONG Flags; ULONG SequenceNo; PVOID PortContext; } ALPC_BASIC_INFORMATION, *PALPC_BASIC_INFORMATION; // private typedef struct _ALPC_PORT_ASSOCIATE_COMPLETION_PORT { PVOID CompletionKey; HANDLE CompletionPort; } ALPC_PORT_ASSOCIATE_COMPLETION_PORT, *PALPC_PORT_ASSOCIATE_COMPLETION_PORT; // private typedef struct _ALPC_SERVER_INFORMATION { union { struct { HANDLE ThreadHandle; } In; struct { BOOLEAN ThreadBlocked; HANDLE ConnectedProcessId; UNICODE_STRING ConnectionPortName; } Out; }; } ALPC_SERVER_INFORMATION, *PALPC_SERVER_INFORMATION; // private typedef struct _ALPC_PORT_MESSAGE_ZONE_INFORMATION { PVOID Buffer; ULONG Size; } ALPC_PORT_MESSAGE_ZONE_INFORMATION, *PALPC_PORT_MESSAGE_ZONE_INFORMATION; // private typedef struct _ALPC_PORT_COMPLETION_LIST_INFORMATION { PVOID Buffer; // PALPC_COMPLETION_LIST_HEADER ULONG Size; ULONG ConcurrencyCount; ULONG AttributeFlags; } ALPC_PORT_COMPLETION_LIST_INFORMATION, *PALPC_PORT_COMPLETION_LIST_INFORMATION; // private typedef struct _ALPC_REGISTER_CALLBACK { PVOID CallbackObject; // PCALLBACK_OBJECT PVOID CallbackContext; } ALPC_REGISTER_CALLBACK, *PALPC_REGISTER_CALLBACK; // private typedef struct _ALPC_SERVER_SESSION_INFORMATION { ULONG SessionId; ULONG ProcessId; } ALPC_SERVER_SESSION_INFORMATION, *PALPC_SERVER_SESSION_INFORMATION; // private typedef enum _ALPC_MESSAGE_INFORMATION_CLASS { AlpcMessageSidInformation, // q: out SID AlpcMessageTokenModifiedIdInformation, // q: out LUID AlpcMessageDirectStatusInformation, AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION MaxAlpcMessageInfoClass } ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; typedef struct _ALPC_MESSAGE_HANDLE_INFORMATION { ULONG Index; ULONG Flags; ULONG Handle; ULONG ObjectType; ACCESS_MASK GrantedAccess; } ALPC_MESSAGE_HANDLE_INFORMATION, *PALPC_MESSAGE_HANDLE_INFORMATION; // begin_private // // System calls // NTSYSCALLAPI NTSTATUS NTAPI NtAlpcCreatePort( _Out_ PHANDLE PortHandle, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcDisconnectPort( _In_ HANDLE PortHandle, _In_ ULONG Flags ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcQueryInformation( _In_opt_ HANDLE PortHandle, _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass, _Inout_updates_bytes_to_(Length, *ReturnLength) PVOID PortInformation, _In_ ULONG Length, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcSetInformation( _In_ HANDLE PortHandle, _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass, _In_reads_bytes_opt_(Length) PVOID PortInformation, _In_ ULONG Length ); #define ALPC_CREATEPORTSECTIONFLG_SECURE 0x40000 // rev NTSYSCALLAPI NTSTATUS NTAPI NtAlpcCreatePortSection( _In_ HANDLE PortHandle, _In_ ULONG Flags, _In_opt_ HANDLE SectionHandle, _In_ SIZE_T SectionSize, _Out_ PALPC_HANDLE AlpcSectionHandle, _Out_ PSIZE_T ActualSectionSize ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcDeletePortSection( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _In_ ALPC_HANDLE SectionHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcCreateResourceReserve( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _In_ SIZE_T MessageSize, _Out_ PULONG ResourceId ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcDeleteResourceReserve( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _In_ ULONG ResourceId ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcCreateSectionView( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcDeleteSectionView( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _In_ PVOID ViewBase ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcCreateSecurityContext( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _Inout_ PALPC_SECURITY_ATTR SecurityAttribute ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcDeleteSecurityContext( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _In_ ALPC_HANDLE ContextHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcRevokeSecurityContext( _In_ HANDLE PortHandle, _Reserved_ ULONG Flags, _In_ ALPC_HANDLE ContextHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcQueryInformationMessage( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE PortMessage, _In_ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, _Out_writes_bytes_to_opt_(Length, *ReturnLength) PVOID MessageInformation, _In_ ULONG Length, _Out_opt_ PULONG ReturnLength ); #define ALPC_MSGFLG_REPLY_MESSAGE 0x1 #define ALPC_MSGFLG_LPC_MODE 0x2 #define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000 // dbg #define ALPC_MSGFLG_SYNC_REQUEST 0x20000 // dbg #define ALPC_MSGFLG_TRACK_PORT_REFERENCES 0x40000 #define ALPC_MSGFLG_WAIT_USER_MODE 0x100000 #define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000 #define ALPC_MSGFLG_WOW64_CALL 0x80000000 // dbg NTSYSCALLAPI NTSTATUS NTAPI NtAlpcConnectPort( _Out_ PHANDLE PortHandle, _In_ PCUNICODE_STRING PortName, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, _In_ ULONG Flags, _In_opt_ PSID RequiredServerSid, _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage, _Inout_opt_ PSIZE_T BufferLength, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, _In_opt_ PLARGE_INTEGER Timeout ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtAlpcConnectPortEx( _Out_ PHANDLE PortHandle, _In_ POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, _In_opt_ POBJECT_ATTRIBUTES ClientPortObjectAttributes, _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, _In_ ULONG Flags, _In_opt_ PSECURITY_DESCRIPTOR ServerSecurityRequirements, _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage, _Inout_opt_ PSIZE_T BufferLength, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, _In_opt_ PLARGE_INTEGER Timeout ); #endif NTSYSCALLAPI NTSTATUS NTAPI NtAlpcAcceptConnectPort( _Out_ PHANDLE PortHandle, _In_ HANDLE ConnectionPortHandle, _In_ ULONG Flags, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, _In_opt_ PVOID PortContext, _In_reads_bytes_(ConnectionRequest->u1.s1.TotalLength) PPORT_MESSAGE ConnectionRequest, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes, _In_ BOOLEAN AcceptConnection ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcSendWaitReceivePort( _In_ HANDLE PortHandle, _In_ ULONG Flags, _In_reads_bytes_opt_(SendMessage->u1.s1.TotalLength) PPORT_MESSAGE SendMessage, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes, _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ReceiveMessage, _Inout_opt_ PSIZE_T BufferLength, _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes, _In_opt_ PLARGE_INTEGER Timeout ); #define ALPC_CANCELFLG_TRY_CANCEL 0x1 // dbg #define ALPC_CANCELFLG_NO_CONTEXT_CHECK 0x8 #define ALPC_CANCELFLGP_FLUSH 0x10000 // dbg NTSYSCALLAPI NTSTATUS NTAPI NtAlpcCancelMessage( _In_ HANDLE PortHandle, _In_ ULONG Flags, _In_ PALPC_CONTEXT_ATTR MessageContext ); #define ALPC_IMPERSONATEFLG_ANONYMOUS 0x1 #define ALPC_IMPERSONATEFLG_REQUIRE_IMPERSONATE 0x2 //ALPC_IMPERSONATEFLG 0x3-0x10 (SECURITY_IMPERSONATION_LEVEL) NTSYSCALLAPI NTSTATUS NTAPI NtAlpcImpersonateClientOfPort( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE Message, _In_ PVOID Flags ); #if (PHNT_VERSION >= PHNT_WINDOWS_10) NTSYSCALLAPI NTSTATUS NTAPI NtAlpcImpersonateClientContainerOfPort( _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE Message, _Reserved_ ULONG Flags ); #endif NTSYSCALLAPI NTSTATUS NTAPI NtAlpcOpenSenderProcess( _Out_ PHANDLE ProcessHandle, _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE PortMessage, _Reserved_ ULONG Flags, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtAlpcOpenSenderThread( _Out_ PHANDLE ThreadHandle, _In_ HANDLE PortHandle, _In_ PPORT_MESSAGE PortMessage, _Reserved_ ULONG Flags, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); // // Support functions // NTSYSAPI ULONG NTAPI AlpcMaxAllowedMessageLength( VOID ); // ALPC message attribute flags (internal state) #define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000 // Attribute buffer was allocated #define ALPC_ATTRFLG_VALIDATTR 0x40000000 // Attribute buffer is valid #define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000 // Keep running attribute NTSYSAPI ULONG NTAPI AlpcGetHeaderSize( _In_ ULONG Flags ); NTSYSAPI NTSTATUS NTAPI AlpcInitializeMessageAttribute( _In_ ULONG AttributeFlags, _Out_opt_ PALPC_MESSAGE_ATTRIBUTES Buffer, _In_ SIZE_T BufferSize, _Out_ PSIZE_T RequiredBufferSize ); NTSYSAPI PVOID NTAPI AlpcGetMessageAttribute( _In_ PALPC_MESSAGE_ATTRIBUTES Buffer, _In_ ULONG AttributeFlag ); NTSYSAPI NTSTATUS NTAPI AlpcRegisterCompletionList( _In_ HANDLE PortHandle, _Out_ PALPC_COMPLETION_LIST_HEADER Buffer, _In_ ULONG Size, _In_ ULONG ConcurrencyCount, _In_ ULONG AttributeFlags ); NTSYSAPI NTSTATUS NTAPI AlpcUnregisterCompletionList( _In_ HANDLE PortHandle ); // rev NTSYSAPI NTSTATUS NTAPI AlpcRundownCompletionList( _In_ HANDLE PortHandle ); NTSYSAPI NTSTATUS NTAPI AlpcAdjustCompletionListConcurrencyCount( _In_ HANDLE PortHandle, _In_ ULONG ConcurrencyCount ); NTSYSAPI BOOLEAN NTAPI AlpcRegisterCompletionListWorkerThread( _Inout_ PVOID CompletionList ); NTSYSAPI BOOLEAN NTAPI AlpcUnregisterCompletionListWorkerThread( _Inout_ PVOID CompletionList ); NTSYSAPI VOID NTAPI AlpcGetCompletionListLastMessageInformation( _In_ PVOID CompletionList, _Out_ PULONG LastMessageId, _Out_ PULONG LastCallbackId ); NTSYSAPI ULONG NTAPI AlpcGetOutstandingCompletionListMessageCount( _In_ PVOID CompletionList ); NTSYSAPI PPORT_MESSAGE NTAPI AlpcGetMessageFromCompletionList( _In_ PVOID CompletionList, _Out_opt_ PALPC_MESSAGE_ATTRIBUTES *MessageAttributes ); NTSYSAPI VOID NTAPI AlpcFreeCompletionListMessage( _Inout_ PVOID CompletionList, _In_ PPORT_MESSAGE Message ); NTSYSAPI PALPC_MESSAGE_ATTRIBUTES NTAPI AlpcGetCompletionListMessageAttributes( _In_ PVOID CompletionList, _In_ PPORT_MESSAGE Message ); // end_private #endif ================================================ FILE: phnt/include/ntmisc.h ================================================ /* * Trace Control support functions * * This file is part of System Informer. */ #ifndef _NTMISC_H #define _NTMISC_H // // Apphelp // _Enum_is_bitflag_ typedef enum _AHC_INFO_CLASS { AhcInfoClassSdbQueryResult = 0x00000001, AhcInfoClassSdbSxsOverrideManifest = 0x00000002, AhcInfoClassSdbRunlevelFlags = 0x00000004, AhcInfoClassSdbFusionFlags = 0x00000008, AhcInfoClassSdbInstallerFlags = 0x00000010, AhcInfoClassFusionFlags = 0x00000020, AhcInfoClassTelemetryFlags = 0x00000040, AhcInfoClassInstallDetect = 0x00000080, AhcInfoClassRacEventSent = 0x00000100, AhcInfoClassIsSystemFile = 0x00000200, AhcInfoClassMonitoringFlags = 0x00000400, AhcInfoClassExeType = 0x00000800, } AHC_INFO_CLASS, *PAHC_INFO_CLASS; #define AHC_INFO_CLASS_FILTER_ON_FILETIME_CHANGE \ (AHC_INFO_CLASS)(AhcInfoClassSdbQueryResult | \ AhcInfoClassSdbSxsOverrideManifest | \ AhcInfoClassSdbRunlevelFlags | \ AhcInfoClassSdbFusionFlags | \ AhcInfoClassSdbInstallerFlags | \ AhcInfoClassFusionFlags | \ AhcInfoClassRacEventSent) #define AHC_INFO_CLASS_FILTER_ON_SDB_CHANGE \ (AHC_INFO_CLASS)(AhcInfoClassSdbQueryResult | \ AhcInfoClassSdbSxsOverrideManifest | \ AhcInfoClassSdbRunlevelFlags | \ AhcInfoClassSdbFusionFlags | \ AhcInfoClassSdbInstallerFlags | \ AhcInfoClassInstallDetect) #define AHC_INFO_CLASS_ALL \ (AHC_INFO_CLASS)(AhcInfoClassSdbQueryResult | \ AhcInfoClassSdbSxsOverrideManifest | \ AhcInfoClassSdbRunlevelFlags | \ AhcInfoClassSdbFusionFlags | \ AhcInfoClassSdbInstallerFlags | \ AhcInfoClassFusionFlags | \ AhcInfoClassTelemetryFlags | \ AhcInfoClassInstallDetect | \ AhcInfoClassRacEventSent | \ AhcInfoClassIsSystemFile | \ AhcInfoClassMonitoringFlags | \ AhcInfoClassExeType) #define AHC_INFO_CLASS_INTERNALLY_COMPUTED \ (AHC_INFO_CLASS)(AhcInfoClassSdbQueryResult | \ AhcInfoClassSdbSxsOverrideManifest | \ AhcInfoClassSdbRunlevelFlags | \ AhcInfoClassSdbFusionFlags | \ AhcInfoClassSdbInstallerFlags | \ AhcInfoClassTelemetryFlags | \ AhcInfoClassIsSystemFile | \ AhcInfoClassMonitoringFlags | \ AhcInfoClassExeType) #define AHC_INFO_CLASS_SAFE_FOR_UNPRIVILEGED_UPDATE \ (AHC_INFO_CLASS)(AhcInfoClassInstallDetect | \ AhcInfoClassRacEventSent | \ AhcInfoClassTelemetryFlags | \ AhcInfoClassMonitoringFlags) // // Cache structures and APIs. // typedef enum _AHC_SERVICE_CLASS { ApphelpCacheServiceLookup = 0, ApphelpCacheServiceRemove = 1, ApphelpCacheServiceUpdate = 2, ApphelpCacheServiceClear = 3, ApphelpCacheServiceSnapStatistics = 4, ApphelpCacheServiceSnapCache = 5, ApphelpCacheServiceLookupCdb = 6, ApphelpCacheServiceRefreshCdb = 7, ApphelpCacheServiceMapQuirks = 8, ApphelpCacheServiceHwIdQuery = 9, ApphelpCacheServiceInitProcessData = 10, ApphelpCacheServiceLookupAndWriteToProcess = 11, ApphelpCacheServiceMax } AHC_SERVICE_CLASS; typedef struct _AHC_SERVICE_LOOKUP { AHC_INFO_CLASS InfoClass; // Information to lookup. UINT HintFlags; // Hint flags about cache query. UNICODE_STRING PackageAlias; // Aliased package moniker in a packed string. HANDLE FileHandle; // User space handle to file. HANDLE ProcessHandle; // User space process handle. USHORT ExeType; // Executable bitness. USHORT Padding; // Padding to even USHORTs. UNICODE_STRING ExeSignature; // Executable file signature. PCZZWSTR Environment; // Environment block. UINT EnvironmentSize; // Size of environment block in bytes. } AHC_SERVICE_LOOKUP, *PAHC_SERVICE_LOOKUP; typedef struct _AHC_SERVICE_REMOVE { AHC_INFO_CLASS InfoClass; UNICODE_STRING PackageAlias; HANDLE FileHandle; UNICODE_STRING ExeSignature; } AHC_SERVICE_REMOVE, *PAHC_SERVICE_REMOVE; typedef struct _AHC_SERVICE_UPDATE { AHC_INFO_CLASS InfoClass; UNICODE_STRING PackageAlias; HANDLE FileHandle; UNICODE_STRING ExeSignature; PVOID Data; ULONG DataSize; } AHC_SERVICE_UPDATE, *PAHC_SERVICE_UPDATE; typedef struct _AHC_SERVICE_CLEAR { AHC_INFO_CLASS InfoClass; } AHC_SERVICE_CLEAR, *PAHC_SERVICE_CLEAR; typedef struct _AHC_SERVICE_LOOKUP_CDB { UNICODE_STRING Name; } AHC_SERVICE_LOOKUP_CDB, *PAHC_SERVICE_LOOKUP_CDB; // // AHC_HINT_* flags are used in the HintFlags variable. // #define AHC_HINT_FORCE_BYPASS 0x00000001 #define AHC_HINT_REMOVABLE_MEDIA 0x00000002 #define AHC_HINT_TEMPORARY_DIRECTORY 0x00000004 #define AHC_HINT_USER_PERM_LAYER 0x00000008 #define AHC_HINT_CREATE_PROCESS 0x00000010 #define AHC_HINT_NATIVE_EXE 0x00000020 #define SHIM_CACHE_MAIN_DATABASE_PATH32 L"\\AppPatch\\sysmain.sdb" #define SHIM_CACHE_MAIN_DATABASE_PATH64 L"\\AppPatch\\AppPatch64\\sysmain.sdb" // // Flag definitions for various flag-type information in cache. // #define AHC_CACHE_FLAG_MONITORING_IS_CANDIDATE 0x00000001 // Candidate for monitoring. #define AHC_CACHE_FLAG_MONITORING_IS_COMPLETE 0x00000002 // Monitoring has completed. #define AHC_CACHE_FLAG_MONITORING_VALID_MASK (AHC_CACHE_FLAG_MONITORING_IS_CANDIDATE | \ AHC_CACHE_FLAG_MONITORING_IS_COMPLETE) #define AHC_CACHE_FLAG_TELEMETRY_IS_CANDIDATE 0x00000001 // Candidate for telemetry. #define AHC_CACHE_FLAG_TELEMETRY_HAS_SAMPLED 0x00000002 // Telemetry has run. #define AHC_CACHE_FLAG_TELEMETRY_VALID_MASK (AHC_CACHE_FLAG_TELEMETRY_IS_CANDIDATE | \ AHC_CACHE_FLAG_TELEMETRY_HAS_SAMPLED) #define AHC_CACHE_FLAG_FUSION_HASDOTLOCAL 0x00000001 // Dot local file exists. #define AHC_CACHE_FLAG_FUSION_HASMANIFESTFILE 0x00000002 // Fusion manifest exists. #define AHC_CACHE_FLAG_FUSION_HASMANIFESTRESOURCE 0x00000004 // Fusion manifest resource exists. #define AHC_CACHE_FLAG_FUSION_VALID_MASK (AHC_CACHE_FLAG_FUSION_HASDOTLOCAL | \ AHC_CACHE_FLAG_FUSION_HASMANIFESTFILE | \ AHC_CACHE_FLAG_FUSION_HASMANIFESTRESOURCE) #define AHC_CACHE_FLAG_RAC_EVENTSENT 0x00000001 // Rac event has been sent. #define AHC_CACHE_FLAG_RAC_VALID_MASK (AHC_CACHE_FLAG_RAC_EVENTSENT) #define AHC_CACHE_FLAG_INSTALLDETECT_CLAIMED 0x00000001 // InstallDetect claimed. #define AHC_CACHE_FLAG_INSTALLDETECT_VALID_MASK (AHC_CACHE_FLAG_RAC_EVENTSENT) // // Statistics. // typedef struct _AHC_MAIN_STATISTICS { ULONG Lookup; // Count of lookup calls. ULONG Remove; // Count of remove calls. ULONG Update; // Count of update calls. ULONG Clear; // Count of clear calls. ULONG SnapStatistics; // Count of snap statistics calls. ULONG SnapCache; // Count of snap store calls. } AHC_MAIN_STATISTICS, *PAHC_MAIN_STATISTICS; typedef struct _AHC_STORE_STATISTICS { ULONG LookupHits; // Count of lookup hits. ULONG LookupMisses; // Count of lookup misses. ULONG Inserted; // Count of inserted. ULONG Replaced; // Count of replaced. ULONG Updated; // Count of updates. } AHC_STORE_STATISTICS, *PAHC_STORE_STATISTICS; typedef struct _AHC_STATISTICS { ULONG Size; // Size of the structure. AHC_MAIN_STATISTICS Main; // Main statistics. AHC_STORE_STATISTICS Store; // Store statistics. } AHC_STATISTICS, *PAHC_STATISTICS; typedef struct _AHC_SERVICE_DATAQUERY { AHC_STATISTICS Stats; // Statistics. ULONG DataSize; // Size of data. PBYTE Data; // Data. } AHC_SERVICE_DATAQUERY, *PAHC_SERVICE_DATAQUERY; typedef struct _AHC_SERVICE_DATACACHE { HANDLE FileHandle; // User space handle to file. USHORT ExeType; // Executable bitness. USHORT Padding; // Padding to even USHORTs. UINT HintFlags; // Metadata flags about cache query. HANDLE ProcessHandle; // User space process handle. UNICODE_STRING FileName; // Executable file name. UNICODE_STRING Environment; // Environment block. UNICODE_STRING PackageAlias; // Aliased package moniker in a packed string. ULONG CustomDataSize; // Size of the custom data to cache. PBYTE CustomData; // Pointer to the custom data. } AHC_SERVICE_DATACACHE, *PAHC_SERVICE_DATACACHE; typedef struct _AHC_SERVICE_HWID_QUERY { BOOLEAN QueryResult; // Query result UNICODE_STRING HwId; // Query HwId; can contain wildcards } AHC_SERVICE_HWID_QUERY, *PAHC_SERVICE_HWID_QUERY; typedef struct _AHC_SERVICE_DATA { AHC_SERVICE_LOOKUP Lookup; // Lookup EXE/Package. AHC_SERVICE_UPDATE Update; // Updating flags for a given exe/package. AHC_SERVICE_DATACACHE Cache; // For cache operations. AHC_SERVICE_LOOKUP_CDB LookupCdb; // Lookup cdb. AHC_SERVICE_CLEAR Clear; // Clear flags for all exes/packages. AHC_SERVICE_REMOVE Remove; // Remove EXE/Package. AHC_SERVICE_HWID_QUERY HwIdQuery; // For HWID cache queries. NTSTATUS DriverStatus; // Receive the status from the cache driver. Set error code in IoStatus block causes driver verifier violation. PVOID ParamsOut; // Parameters out data. ULONG ParamsOutSize; // Parameters out size. } AHC_SERVICE_DATA, *PAHC_SERVICE_DATA; NTSYSCALLAPI NTSTATUS NTAPI NtApphelpCacheControl( _In_ AHC_SERVICE_CLASS ServiceClass, _Inout_opt_ PVOID ServiceContext // AHC_SERVICE_DATA ); // // VDM // typedef enum _VDMSERVICECLASS { VdmStartExecution, VdmQueueInterrupt, VdmDelayInterrupt, VdmInitialize, VdmFeatures, VdmSetInt21Handler, VdmQueryDir, VdmPrinterDirectIoOpen, VdmPrinterDirectIoClose, VdmPrinterInitialize, VdmSetLdtEntries, VdmSetProcessLdtInfo, VdmAdlibEmulation, VdmPMCliControl, VdmQueryVdmProcess, VdmPreInitialize } VDMSERVICECLASS, *PVDMSERVICECLASS; NTSYSCALLAPI NTSTATUS NTAPI NtVdmControl( _In_ VDMSERVICECLASS Service, _Inout_ PVOID ServiceData ); // // Sessions // typedef enum _IO_SESSION_EVENT { IoSessionEventIgnore, IoSessionEventCreated, IoSessionEventTerminated, IoSessionEventConnected, IoSessionEventDisconnected, IoSessionEventLogon, IoSessionEventLogoff, IoSessionEventMax } IO_SESSION_EVENT; typedef enum _IO_SESSION_STATE { IoSessionStateCreated = 1, IoSessionStateInitialized = 2, IoSessionStateConnected = 3, IoSessionStateDisconnected = 4, IoSessionStateDisconnectedLoggedOn = 5, IoSessionStateLoggedOn = 6, IoSessionStateLoggedOff = 7, IoSessionStateTerminated = 8, IoSessionStateMax } IO_SESSION_STATE; #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI NTSTATUS NTAPI NtOpenSession( _Out_ PHANDLE SessionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtNotifyChangeSession( _In_ HANDLE SessionHandle, _In_ ULONG ChangeSequenceNumber, _In_ PLARGE_INTEGER ChangeTimeStamp, _In_ IO_SESSION_EVENT Event, _In_ IO_SESSION_STATE NewState, _In_ IO_SESSION_STATE PreviousState, _In_reads_bytes_opt_(PayloadSize) PVOID Payload, _In_ ULONG PayloadSize ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // ApiSet // NTSYSAPI BOOL NTAPI ApiSetQueryApiSetPresence( _In_ PCUNICODE_STRING Namespace, _Out_ PBOOLEAN Present ); NTSYSAPI BOOL NTAPI ApiSetQueryApiSetPresenceEx( _In_ PCUNICODE_STRING Namespace, _Out_ PBOOLEAN IsInSchema, _Out_ PBOOLEAN Present ); typedef enum _SECURE_SETTING_VALUE_TYPE { SecureSettingValueTypeBoolean = 0, SecureSettingValueTypeUlong = 1, SecureSettingValueTypeBinary = 2, SecureSettingValueTypeString = 3, SecureSettingValueTypeUnknown = 4 } SECURE_SETTING_VALUE_TYPE, *PSECURE_SETTING_VALUE_TYPE; #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS1) // rev NTSYSCALLAPI NTSTATUS NTAPI NtQuerySecurityPolicy( _In_ PCUNICODE_STRING Policy, _In_ PCUNICODE_STRING KeyName, _In_ PCUNICODE_STRING ValueName, _In_ SECURE_SETTING_VALUE_TYPE ValueType, _Out_writes_bytes_opt_(*ValueSize) PVOID Value, _Inout_ PULONG ValueSize ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS1) #if (PHNT_VERSION >= PHNT_WINDOWS_10_20H1) // rev NTSYSCALLAPI NTSTATUS NTAPI NtCreateCrossVmEvent( _Out_ PHANDLE CrossVmEvent, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG CrossVmEventFlags, _In_ LPCGUID VMID, _In_ LPCGUID ServiceID ); // rev NTSYSCALLAPI NTSTATUS NTAPI NtCreateCrossVmMutant( _Out_ PHANDLE EventHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG CrossVmEventFlags, _In_ LPCGUID VMID, _In_ LPCGUID ServiceID ); // rev NTSYSCALLAPI NTSTATUS NTAPI NtAcquireCrossVmMutant( _In_ HANDLE CrossVmMutant, _In_ PLARGE_INTEGER Timeout ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_20H1) #if (PHNT_VERSION >= PHNT_WINDOWS_10_20H1) // rev NTSYSCALLAPI NTSTATUS NTAPI NtDirectGraphicsCall( _In_ ULONG InputBufferLength, _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG OutputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, _Out_ PULONG ReturnLength ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_20H1) #if (PHNT_VERSION >= PHNT_WINDOWS_11_22H2) // rev NTSYSCALLAPI NTSTATUS NTAPI NtOpenCpuPartition( _Out_ PHANDLE CpuPartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes ); // rev NTSYSCALLAPI NTSTATUS NTAPI NtCreateCpuPartition( _Out_ PHANDLE CpuPartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes ); // rev NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationCpuPartition( _In_ HANDLE CpuPartitionHandle, _In_ ULONG CpuPartitionInformationClass, _In_reads_bytes_(CpuPartitionInformationLength) PVOID CpuPartitionInformation, _In_ ULONG CpuPartitionInformationLength, _Reserved_ PVOID, _Reserved_ ULONG, _Reserved_ ULONG ); // rev NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationCpuPartition( _In_ HANDLE CpuPartitionHandle, _In_ ULONG CpuPartitionInformationClass, _Out_writes_bytes_opt_(CpuPartitionInformationLength) PVOID CpuPartitionInformation, _In_ ULONG CpuPartitionInformationLength, _Out_opt_ PULONG ReturnLength ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_11_22H2) #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS2) // // Process KeepAlive (also WakeCounter) // typedef enum _PROCESS_ACTIVITY_TYPE { ProcessActivityTypeAudio = 0, ProcessActivityTypeMax = 1 } PROCESS_ACTIVITY_TYPE; // rev NTSYSCALLAPI NTSTATUS NTAPI NtAcquireProcessActivityReference( _Out_ PHANDLE ActivityReferenceHandle, _In_ HANDLE ParentProcessHandle, _In_ ULONG ProcessActivityType // PROCESS_ACTIVITY_TYPE ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS2) // // Appx/Msix Packages // // private typedef struct _PACKAGE_CONTEXT_REFERENCE { PVOID reserved; } *PACKAGE_CONTEXT_REFERENCE; // private typedef enum PackageProperty { PackageProperty_Name = 1, // q: WCHAR[] PackageProperty_Version = 2, // q: WCHAR[] PackageProperty_Architecture = 3, // q: ULONG (PROCESSOR_ARCHITECTURE_*) PackageProperty_ResourceId = 4, // q: WCHAR[] PackageProperty_Publisher = 5, // q: WCHAR[] PackageProperty_PublisherId = 6, // q: WCHAR[] PackageProperty_FamilyName = 7, // q: WCHAR[] PackageProperty_FullName = 8, // q: WCHAR[] PackageProperty_Flags = 9, // q: ULONG PackageProperty_InstalledLocation = 10, // q: WCHAR[] PackageProperty_DisplayName = 11, // q: WCHAR[] PackageProperty_PublisherDisplayName = 12, // q: WCHAR[] PackageProperty_Description = 13, // q: WCHAR[] PackageProperty_Logo = 14, // q: WCHAR[] PackageProperty_PackageOrigin = 15 // q: PackageOrigin } PackageProperty; // private typedef struct _PACKAGE_APPLICATION_CONTEXT_REFERENCE { PVOID reserved; } *PACKAGE_APPLICATION_CONTEXT_REFERENCE; // private typedef enum PackageApplicationProperty { PackageApplicationProperty_Aumid = 1, // q: WCHAR[] PackageApplicationProperty_Praid = 2, // q: WCHAR[] PackageApplicationProperty_DisplayName = 3, // q: WCHAR[] PackageApplicationProperty_Description = 4, // q: WCHAR[] PackageApplicationProperty_Logo = 5, // q: WCHAR[] PackageApplicationProperty_SmallLogo = 6, // q: WCHAR[] PackageApplicationProperty_ForegroundText = 7, // q: ULONG PackageApplicationProperty_ForegroundTextString = 8, // q: WCHAR[] PackageApplicationProperty_BackgroundColor = 9, // q: ULONG PackageApplicationProperty_StartPage = 10, // q: WCHAR[] PackageApplicationProperty_ContentURIRulesCount = 11, // q: ULONG PackageApplicationProperty_ContentURIRules = 12, // q: WCHAR[] (multi-sz) PackageApplicationProperty_StaticContentURIRulesCount = 13, // q: ULONG PackageApplicationProperty_StaticContentURIRules = 14, // q: WCHAR[] (multi-sz) PackageApplicationProperty_DynamicContentURIRulesCount = 15, // q: ULONG PackageApplicationProperty_DynamicContentURIRules = 16 // q: WCHAR[] (multi-sz) } PackageApplicationProperty; // private typedef struct _PACKAGE_RESOURCES_CONTEXT_REFERENCE { PVOID reserved; } *PACKAGE_RESOURCES_CONTEXT_REFERENCE; // private typedef enum PackageResourcesProperty { PackageResourcesProperty_DisplayName = 1, PackageResourcesProperty_PublisherDisplayName = 2, PackageResourcesProperty_Description = 3, PackageResourcesProperty_Logo = 4, PackageResourcesProperty_SmallLogo = 5, PackageResourcesProperty_StartPage = 6 } PackageResourcesProperty; // private typedef struct _PACKAGE_SECURITY_CONTEXT_REFERENCE { PVOID reserved; } *PACKAGE_SECURITY_CONTEXT_REFERENCE; // private typedef enum PackageSecurityProperty { PackageSecurityProperty_SecurityFlags = 1, // q: ULONG PackageSecurityProperty_AppContainerSID = 2, // q: Sid PackageSecurityProperty_CapabilitiesCount = 3, // q: ULONG PackageSecurityProperty_Capabilities = 4 // q: Sid[] } PackageSecurityProperty; // private typedef struct _TARGET_PLATFORM_CONTEXT_REFERENCE { PVOID reserved; } *TARGET_PLATFORM_CONTEXT_REFERENCE; // private typedef enum TargetPlatformProperty { TargetPlatformProperty_Platform = 1, // q: ULONG TargetPlatformProperty_MinVersion = 2, // q: PACKAGE_VERSION TargetPlatformProperty_MaxVersion = 3 // q: PACKAGE_VERSION } TargetPlatformProperty; // private typedef struct _PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE { PVOID reserved; } *PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE; // private typedef enum PackageGlobalizationProperty { PackageGlobalizationProperty_ForceUtf8 = 1, // q: ULONG PackageGlobalizationProperty_UseWindowsDisplayLanguage = 2 // q: ULONG } PackageGlobalizationProperty; #if (PHNT_VERSION >= PHNT_WINDOWS_8_1) // rev WINBASEAPI ULONG WINAPI GetCurrentPackageContext( _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_CONTEXT_REFERENCE *PackageContext ); // rev WINBASEAPI ULONG WINAPI GetPackageContext( _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_CONTEXT_REFERENCE *PackageContext ); // rev WINBASEAPI ULONG WINAPI GetPackageProperty( _In_ PACKAGE_CONTEXT_REFERENCE PackageContext, _In_ PackageProperty PropertyId, _Inout_ PULONG BufferSize, _Out_writes_bytes_(BufferSize) PVOID Buffer ); // rev WINBASEAPI ULONG WINAPI GetPackagePropertyString( _In_ PACKAGE_CONTEXT_REFERENCE PackageContext, _In_ PackageProperty PropertyId, _Inout_ PULONG BufferLength, _Out_writes_(BufferLength) PWSTR Buffer ); // rev WINBASEAPI ULONG WINAPI GetPackageOSMaxVersionTested( _In_ PACKAGE_CONTEXT_REFERENCE PackageContext, _Out_ ULONGLONG *OSMaxVersionTested // PACKAGE_VERSION ); // // Package Application Properties // // rev WINBASEAPI ULONG WINAPI GetCurrentPackageApplicationContext( _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_APPLICATION_CONTEXT_REFERENCE *PackageApplicationContext ); // rev WINBASEAPI ULONG WINAPI GetPackageApplicationContext( _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_APPLICATION_CONTEXT_REFERENCE *PackageApplicationContext ); // rev WINBASEAPI ULONG WINAPI GetPackageApplicationProperty( _In_ PACKAGE_APPLICATION_CONTEXT_REFERENCE PackageApplicationContext, _In_ PackageApplicationProperty PropertyId, _Inout_ PULONG BufferSize, _Out_writes_bytes_(BufferSize) PVOID Buffer ); // rev WINBASEAPI ULONG WINAPI GetPackageApplicationPropertyString( _In_ PACKAGE_APPLICATION_CONTEXT_REFERENCE PackageApplicationContext, _In_ PackageApplicationProperty PropertyId, _Inout_ PULONG BufferLength, _Out_writes_(BufferLength) PWSTR Buffer ); // // Package Resource Properties // // rev WINBASEAPI ULONG WINAPI GetCurrentPackageResourcesContext( _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_RESOURCES_CONTEXT_REFERENCE *PackageResourcesContext ); // rev WINBASEAPI ULONG WINAPI GetPackageResourcesContext( _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_RESOURCES_CONTEXT_REFERENCE *PackageResourcesContext ); // rev WINBASEAPI ULONG WINAPI GetCurrentPackageApplicationResourcesContext( _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_RESOURCES_CONTEXT_REFERENCE *PackageResourcesContext ); // rev WINBASEAPI LONG WINAPI GetPackageApplicationResourcesContext( _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_RESOURCES_CONTEXT_REFERENCE *PackageResourcesContext ); // rev WINBASEAPI LONG WINAPI GetPackageResourcesProperty( _In_ PACKAGE_RESOURCES_CONTEXT_REFERENCE PackageResourcesContext, _In_ PackageResourcesProperty PropertyId, _Inout_ PULONG BufferSize, _Out_writes_bytes_(BufferSize) PVOID Buffer, _Out_opt_ PULONG Flags ); // // Package Security Properties // // rev WINBASEAPI LONG WINAPI GetCurrentPackageSecurityContext( _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_SECURITY_CONTEXT_REFERENCE *PackageSecurityContext ); // rev WINBASEAPI LONG WINAPI GetPackageSecurityContext( _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_SECURITY_CONTEXT_REFERENCE *PackageSecurityContext ); // rev WINBASEAPI LONG WINAPI GetPackageSecurityProperty( _In_ PACKAGE_SECURITY_CONTEXT_REFERENCE PackageSecurityContext, _In_ PackageSecurityProperty PropertyId, _Inout_ PULONG BufferSize, _Out_writes_bytes_(BufferSize) PVOID Buffer ); #endif // PHNT_VERSION >= PHNT_WINDOWS_8_1 #if (PHNT_VERSION >= PHNT_WINDOWS_10) // // Target Platform Properties // // rev WINBASEAPI LONG WINAPI GetCurrentTargetPlatformContext( _Reserved_ ULONG_PTR Unused, _Out_ TARGET_PLATFORM_CONTEXT_REFERENCE *TargetPlatformContext ); WINBASEAPI LONG WINAPI GetTargetPlatformContext( _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE _Reserved_ ULONG_PTR Unused, _Out_ TARGET_PLATFORM_CONTEXT_REFERENCE *TargetPlatformContext ); // rev WINBASEAPI LONG WINAPI GetPackageTargetPlatformProperty( _In_ TARGET_PLATFORM_CONTEXT_REFERENCE TargetPlatformContext, _In_ TargetPlatformProperty PropertyId, _Inout_ PULONG BufferSize, _Out_writes_bytes_(BufferSize) PVOID Buffer ); #endif // PHNT_VERSION >= PHNT_WINDOWS_10 #if (PHNT_VERSION >= PHNT_WINDOWS_10_20H1) // rev WINBASEAPI HRESULT WINAPI GetCurrentPackageInfo3( _In_ ULONG Flags, _In_ ULONG PackagePathType, // PackagePathType _Inout_ PULONG BufferLength, _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, _Out_opt_ PULONG ReturnLength ); // // Package Globalization Properties // // rev WINBASEAPI LONG WINAPI GetCurrentPackageGlobalizationContext( _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE *PackageGlobalizationContext ); // rev WINBASEAPI LONG WINAPI GetPackageGlobalizationContext( _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE _In_ ULONG Index, _Reserved_ ULONG_PTR Unused, _Out_ PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE *PackageGlobalizationContext ); // rev WINBASEAPI LONG WINAPI GetPackageGlobalizationProperty( _In_ PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE PackageGlobalizationContext, _In_ PackageGlobalizationProperty PropertyId, _Inout_ PULONG BufferSize, _Out_writes_bytes_(BufferSize) PVOID Buffer ); #endif // PHNT_VERSION >= PHNT_WINDOWS_10_20H1 // // COM // // private _Enum_is_bitflag_ typedef enum _MTA_HOST_USAGE_FLAGS { MTA_HOST_USAGE_NONE = 0x0, MTA_HOST_USAGE_MTAINITIALIZED = 0x1, MTA_HOST_USAGE_ACTIVATORINITIALIZED = 0x2, MTA_HOST_USAGE_UNLOADCALLED = 0x4, } MTA_HOST_USAGE_FLAGS, *PMTA_HOST_USAGE_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(MTA_HOST_USAGE_FLAGS); // private typedef struct _MTA_USAGE_GLOBALS { _Reserved_ ULONG StackCapture; PULONG MTAInits; // A pointer to the total number of MTA inits PULONG MTAIncInits; // A pointer to the number of MTA inits from CoIncrementMTAUsage PULONG MTAWaiters; // A pointer to the number of callers waiting inside CoWaitMTACompletion PULONG MTAIncrementorSize; // A pointer to the size of the cookie returned by CoIncrementMTAUsage ULONG CompletionTimeOut; // A timeout for CoWaitMTACompletion in milliseconds _Reserved_ PLIST_ENTRY ListEntryHeadMTAUsageIncrementor; _Reserved_ PULONG MTAIncrementorCompleted; _Reserved_ PVOID* MTAUsageCompletedIncrementorHead; PMTA_HOST_USAGE_FLAGS MTAHostUsageFlags; // A pointer to the MTA usage flags // since THRESHOLD } MTA_USAGE_GLOBALS, *PMTA_USAGE_GLOBALS; #if (PHNT_VERSION >= PHNT_WINDOWS_8) // private // combase.dll, ordinal 70 _Success_(return != 0) _Must_inspect_result_ WINBASEAPI PMTA_USAGE_GLOBALS WINAPI CoGetMTAUsageInfo( VOID ); #endif // // COM/OLE // // OLETLSFLAGS #define OLETLS_LOCALTID 0x01 // This TID is in the current process. #define OLETLS_UUIDINITIALIZED 0x02 // This Logical thread is init'd. #define OLETLS_INTHREADDETACH 0x04 // This is in thread detach. #define OLETLS_CHANNELTHREADINITIALZED 0x08// This channel has been init'd #define OLETLS_WOWTHREAD 0x10 // This thread is a 16-bit WOW thread. #define OLETLS_THREADUNINITIALIZING 0x20 // This thread is in CoUninitialize. #define OLETLS_DISABLE_OLE1DDE 0x40 // This thread can't use a DDE window. #define OLETLS_APARTMENTTHREADED 0x80 // This is an STA apartment thread #define OLETLS_MULTITHREADED 0x100 // This is an MTA apartment thread #define OLETLS_IMPERSONATING 0x200 // This thread is impersonating #define OLETLS_DISABLE_EVENTLOGGER 0x400 // Prevent recursion in event logger #define OLETLS_INNEUTRALAPT 0x800 // This thread is in the NTA #define OLETLS_DISPATCHTHREAD 0x1000 // This is a dispatch thread #define OLETLS_HOSTTHREAD 0x2000 // This is a host thread #define OLETLS_ALLOWCOINIT 0x4000 // This thread allows inits #define OLETLS_PENDINGUNINIT 0x8000 // This thread has pending uninit #define OLETLS_FIRSTMTAINIT 0x10000// First thread to attempt an MTA init #define OLETLS_FIRSTNTAINIT 0x20000// First thread to attempt an NTA init #define OLETLS_APTINITIALIZING 0x40000 // Apartment Object is initializing #define OLETLS_UIMSGSINMODALLOOP 0x80000 #define OLETLS_MARSHALING_ERROR_OBJECT 0x100000 // since WIN8 #define OLETLS_WINRT_INITIALIZE 0x200000 // This thread called RoInitialize #define OLETLS_APPLICATION_STA 0x400000 #define OLETLS_IN_SHUTDOWN_CALLBACKS 0x800000 #define OLETLS_POINTER_INPUT_BLOCKED 0x1000000 #define OLETLS_IN_ACTIVATION_FILTER 0x2000000 // since WINBLUE #define OLETLS_ASTATOASTAEXEMPT_QUIRK 0x4000000 #define OLETLS_ASTATOASTAEXEMPT_PROXY 0x8000000 #define OLETLS_ASTATOASTAEXEMPT_INDOUBT 0x10000000 #define OLETLS_DETECTED_USER_INITIALIZED 0x20000000 // since RS3 #define OLETLS_BRIDGE_STA 0x40000000 // since RS5 #define OLETLS_NAINITIALIZING 0x80000000UL // since 19H1 // private typedef struct tagSOleTlsData { PVOID ThreadBase; PVOID SmAllocator; ULONG ApartmentID; ULONG Flags; // OLETLSFLAGS LONG TlsMapIndex; PVOID *TlsSlot; ULONG ComInits; ULONG OleInits; ULONG Calls; PVOID ServerCall; // previously CallInfo (before TH1) PVOID CallObjectCache; // previously FreeAsyncCall (before TH1) PVOID ContextStack; // previously FreeClientCall (before TH1) PVOID ObjServer; ULONG TIDCaller; // ... (other fields are version-dependant) } SOleTlsData, *PSOleTlsData; // private // ole32.dll WINBASEAPI VOID WINAPI UpdateDCOMSettings( VOID ); // // AppCompat // typedef struct tagSDBQUERYRESULT { ULONG Exes[16]; ULONG ExeFlags[16]; ULONG Layers[8]; ULONG LayerFlags; ULONG AppHelp; ULONG ExeCount; ULONG LayerCount; GUID ID; ULONG ExtraFlags; ULONG CustomSDBMap; GUID DB[16]; } SDBQUERYRESULT, *PSDBQUERYRESULT; static_assert(sizeof(SDBQUERYRESULT) == 0x1c8, "SDBQUERYRESULT size mismatch"); typedef struct tagSWITCH_CONTEXT_ATTRIBUTE { ULONG_PTR ContextUpdateCounter; BOOL AllowContextUpdate; BOOL EnableTrace; HANDLE EtwHandle; } SWITCH_CONTEXT_ATTRIBUTE, *PSWITCH_CONTEXT_ATTRIBUTE; #ifdef _WIN64 static_assert(sizeof(SWITCH_CONTEXT_ATTRIBUTE) == 0x18, "SWITCH_CONTEXT_ATTRIBUTE size mismatch"); #else static_assert(sizeof(SWITCH_CONTEXT_ATTRIBUTE) == 0x10, "SWITCH_CONTEXT_ATTRIBUTE size mismatch"); #endif typedef struct tagSWITCH_CONTEXT_DATA { ULONGLONG OsMaxVersionTested; ULONG TargetPlatform; ULONGLONG ContextMinimum; GUID Platform; GUID MinPlatform; ULONG ContextSource; ULONG ElementCount; GUID Elements[48]; } SWITCH_CONTEXT_DATA, * PSWITCH_CONTEXT_DATA; static_assert(sizeof(SWITCH_CONTEXT_DATA) == 0x340, "SWITCH_CONTEXT_DATA size mismatch"); typedef struct tagSWITCH_CONTEXT { SWITCH_CONTEXT_ATTRIBUTE Attribute; SWITCH_CONTEXT_DATA Data; } SWITCH_CONTEXT, *PSWITCH_CONTEXT; #ifdef _WIN64 static_assert(sizeof(SWITCH_CONTEXT) == 0x358, "SWITCH_CONTEXT size mismatch"); #else static_assert(sizeof(SWITCH_CONTEXT) == 0x350, "SWITCH_CONTEXT size mismatch"); #endif typedef struct _SDB_CSTRUCT_COBALT_PROCFLAG { KAFFINITY AffinityMask; ULONG CPUIDEcxOverride; ULONG CPUIDEdxOverride; USHORT ProcessorGroup; USHORT FastSelfModThreshold; USHORT Reserved1; UCHAR Reserved2; UCHAR BackgroundWork : 5; UCHAR CPUIDBrand : 4; UCHAR Reserved3 : 4; UCHAR RdtscScaling : 3; UCHAR Reserved4 : 2; UCHAR UnalignedAtomicApproach : 2; UCHAR Win11Atomics : 2; UCHAR RunOnSingleCore : 1; UCHAR X64CPUID : 1; UCHAR PatchUnaligned : 1; UCHAR InterpreterOrJitter : 1; UCHAR ForceSegmentHeap : 1; UCHAR Reserved5 : 1; UCHAR Reserved6 : 1; union { ULONGLONG Group1AsUINT64; struct _SDB_CSTRUCT_COBALT_PROCFLAG* Specified; }; } SDB_CSTRUCT_COBALT_PROCFLAG, *PSDB_CSTRUCT_COBALT_PROCFLAG; #ifdef _WIN64 static_assert(sizeof(SDB_CSTRUCT_COBALT_PROCFLAG) == 0x28, "SDB_CSTRUCT_COBALT_PROCFLAG size mismatch"); #else static_assert(sizeof(SDB_CSTRUCT_COBALT_PROCFLAG) == 0x20, "SDB_CSTRUCT_COBALT_PROCFLAG size mismatch"); #endif typedef struct _APPCOMPAT_EXE_DATA { ULONG_PTR Reserved[65]; ULONG Size; ULONG Magic; BOOL LoadShimEngine; USHORT ExeType; SDBQUERYRESULT SdbQueryResult; ULONG_PTR DbgLogChannels[128]; SWITCH_CONTEXT SwitchContext; ULONG ParentProcessId; WCHAR ParentImageName[260]; WCHAR ParentCompatLayers[256]; WCHAR ActiveCompatLayers[256]; ULONG ImageFileSize; ULONG ImageCheckSum; BOOL LatestOs; BOOL PackageId; BOOL SwitchBackManifest; BOOL UacManifest; BOOL LegacyInstaller; ULONG RunLevel; ULONG_PTR WinRTFlags; PVOID HookCOM; PVOID ComponentOnDemandEvent; PVOID Quirks; ULONG QuirksSize; SDB_CSTRUCT_COBALT_PROCFLAG CobaltProcFlags; ULONG FullMatchDbSizeCb; ULONG FullMatchDbOffset; } APPCOMPAT_EXE_DATA; #ifdef _WIN64 static_assert(sizeof(APPCOMPAT_EXE_DATA) == 0x11C0, "APPCOMPAT_EXE_DATA size mismatch"); #else static_assert(sizeof(APPCOMPAT_EXE_DATA) == 0xE98, "APPCOMPAT_EXE_DATA size mismatch"); #endif // // Direct3D Kernel Mode Thunk (D3DKMT) // /** * The D3DKMT_GET_PROCESS_LIST structure is used for retrieving a list of process handles using a graphics adapter. * \remarks The caller is responsible for closing the returned process handles. */ // rev typedef struct _D3DKMT_GET_PROCESS_LIST { LUID AdapterLuid; // [in] The locally unique identifier (LUID) for the graphics adapter. ULONG DesiredAccess; // [in] The access rights to request for the process handles. This must be `PROCESS_QUERY_INFORMATION` (0x400). ULONG ProcessHandleCount; // [in, out] On input, specifies the number of handles the `ProcessHandle` member can hold. On output, receives the number of handles returned. HANDLE ProcessHandle; // [out] The first element of an array that receives the process handles. } D3DKMT_GET_PROCESS_LIST, *PD3DKMT_GET_PROCESS_LIST; // rev /** * The D3DKMTGetProcessList function retrieves a list of processes that are using a specific graphics adapter. * * \param[in,out] GetProcessList A pointer to a \ref D3DKMT_GET_PROCESS_LIST structure that contains the processes using the graphics adapter. * \return NTSTATUS Successful or errant status. */ EXTERN_C NTSTATUS NTAPI D3DKMTGetProcessList( _Inout_ PD3DKMT_GET_PROCESS_LIST GetProcessList ); // rev /** * The D3DKMT_ENUM_PROCESS_LIST structure is used for retrieving a list of process identifiers using a graphics adapter. */ typedef struct _D3DKMT_ENUM_PROCESS_LIST { LUID AdapterLuid; // [in] The locally unique identifier (LUID) for the graphics adapter. PULONG ProcessIdBuffer; // [out] A pointer to a buffer that receives the list of process identifiers (PIDs). SIZE_T ProcessIdCount; // [in, out] On input, specifies the number of elements the `ProcessIdBuffer` can hold. On output, receives the number of process IDs returned. } D3DKMT_ENUM_PROCESS_LIST, *PD3DKMT_ENUM_PROCESS_LIST; // rev /** * The D3DKMTEnumProcesses function provides a list of process IDs (PIDs) rather than handles that are using a specific graphics adapter, * which can be more efficient for monitoring purposes. * * \param[in,out] EnumProcessList A pointer to a \ref D3DKMT_ENUM_PROCESS_LIST structure that contains the processes using the graphics adapter. * \return NTSTATUS Successful or errant status. */ EXTERN_C NTSTATUS NTAPI D3DKMTEnumProcesses( _Inout_ PD3DKMT_ENUM_PROCESS_LIST EnumProcessList ); #endif // _NTMISC_H ================================================ FILE: phnt/include/ntmmapi.h ================================================ /* * Memory Manager Support functions * * This file is part of System Informer. */ #ifndef _NTMMAPI_H #define _NTMMAPI_H typedef struct _IO_STATUS_BLOCK* PIO_STATUS_BLOCK; // // Memory Protection Constants // #define PAGE_NOACCESS 0x01 // Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. #define PAGE_READONLY 0x02 // Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. #define PAGE_READWRITE 0x04 // Enables read-only or read/write access to the committed region of pages. #define PAGE_WRITECOPY 0x08 // Enables read-only or copy-on-write access to a mapped view of a file mapping object. #define PAGE_EXECUTE 0x10 // Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. #define PAGE_EXECUTE_READ 0x20 // Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. #define PAGE_EXECUTE_READWRITE 0x40 // Enables execute, read-only, or read/write access to the committed region of pages. #define PAGE_EXECUTE_WRITECOPY 0x80 // Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. #define PAGE_GUARD 0x100 // Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. #define PAGE_NOCACHE 0x200 // Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. #define PAGE_WRITECOMBINE 0x400 // Sets all pages to be write-combined. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. #define PAGE_REVERT_TO_FILE_MAP 0x80000000 // Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. #define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 // Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. #define PAGE_TARGETS_NO_UPDATE 0x40000000 // Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. #define PAGE_TARGETS_INVALID 0x40000000 // Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. #define PAGE_ENCLAVE_UNVALIDATED 0x20000000 // Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. #define PAGE_ENCLAVE_NO_CHANGE 0x20000000 #define PAGE_ENCLAVE_MASK 0x10000000 #define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) #define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) #define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) // // Memory Region and Section Constants // #define MEM_COMMIT 0x00001000 #define MEM_RESERVE 0x00002000 #define MEM_DECOMMIT 0x00004000 #define MEM_RELEASE 0x00008000 #define MEM_FREE 0x00010000 #define MEM_PRIVATE 0x00020000 #define MEM_MAPPED 0x00040000 #define MEM_RESET 0x00080000 #define MEM_TOP_DOWN 0x00100000 #define MEM_WRITE_WATCH 0x00200000 #define MEM_PHYSICAL 0x00400000 #define MEM_ROTATE 0x00800000 #define MEM_DIFFERENT_IMAGE_BASE_OK 0x00800000 #define MEM_RESET_UNDO 0x01000000 #define MEM_LARGE_PAGES 0x20000000 #define MEM_DOS_LIM 0x40000000 #define MEM_4MB_PAGES 0x80000000 #define MEM_64K_PAGES (MEM_LARGE_PAGES | MEM_PHYSICAL) #define MEM_UNMAP_WITH_TRANSIENT_BOOST 0x00000001 #define MEM_COALESCE_PLACEHOLDERS 0x00000001 #define MEM_PRESERVE_PLACEHOLDER 0x00000002 #define MEM_REPLACE_PLACEHOLDER 0x00004000 #define MEM_RESERVE_PLACEHOLDER 0x00040000 #define SEC_HUGE_PAGES 0x00020000 #define SEC_PARTITION_OWNER_HANDLE 0x00040000 #define SEC_64K_PAGES 0x00080000 #define SEC_DRIVER_IMAGE 0x00100000 // rev #define SEC_BASED 0x00200000 #define SEC_NO_CHANGE 0x00400000 #define SEC_FILE 0x00800000 #define SEC_IMAGE 0x01000000 #define SEC_PROTECTED_IMAGE 0x02000000 #define SEC_RESERVE 0x04000000 #define SEC_COMMIT 0x08000000 #define SEC_NOCACHE 0x10000000 #define SEC_GLOBAL 0x20000000 #define SEC_WRITECOMBINE 0x40000000 #define SEC_LARGE_PAGES 0x80000000 #define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE) #if (PHNT_MODE == PHNT_MODE_KERNEL) #define MEM_IMAGE SEC_IMAGE #endif #if (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _MEMORY_INFORMATION_CLASS { MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION MemoryMappedFilenameInformation, // q: UNICODE_STRING MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION MemoryRegionInformationEx, // q: MEMORY_REGION_INFORMATION MemoryPrivilegedBasicInformation, // q: MEMORY_BASIC_INFORMATION MemoryEnclaveImageInformation, // q: MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 MemoryBasicInformationCapped, // q: 10 MemoryPhysicalContiguityInformation, // q: MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 MemoryBadInformation, // q: MEMORY_BAD_INFORMATION // since WIN11 MemoryBadInformationAllProcesses, // qs: not implemented // since 22H1 MemoryImageExtensionInformation, // q: MEMORY_IMAGE_EXTENSION_INFORMATION // since 24H2 MaxMemoryInfoClass } MEMORY_INFORMATION_CLASS; #else #define MemoryBasicInformation 0x0 #define MemoryWorkingSetInformation 0x1 #define MemoryMappedFilenameInformation 0x2 #define MemoryRegionInformation 0x3 #define MemoryWorkingSetExInformation 0x4 #define MemorySharedCommitInformation 0x5 #define MemoryImageInformation 0x6 #define MemoryRegionInformationEx 0x7 #define MemoryPrivilegedBasicInformation 0x8 #define MemoryEnclaveImageInformation 0x9 #define MemoryBasicInformationCapped 0xA #define MemoryPhysicalContiguityInformation 0xB #define MemoryBadInformation 0xC #define MemoryBadInformationAllProcesses 0xD #define MemoryImageExtensionInformation 0xE #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // MEMORY_WORKING_SET_BLOCK->Protection #define MEMORY_BLOCK_NOT_ACCESSED 0 #define MEMORY_BLOCK_READONLY 1 #define MEMORY_BLOCK_EXECUTABLE 2 #define MEMORY_BLOCK_EXECUTABLE_READONLY 3 #define MEMORY_BLOCK_READWRITE 4 #define MEMORY_BLOCK_COPYONWRITE 5 #define MEMORY_BLOCK_EXECUTABLE_READWRITE 6 #define MEMORY_BLOCK_EXECUTABLE_COPYONWRITE 7 #define MEMORY_BLOCK_NOT_ACCESSED_2 8 #define MEMORY_BLOCK_NON_CACHEABLE_READONLY 9 #define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE 10 #define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READONLY 11 #define MEMORY_BLOCK_NON_CACHEABLE_READWRITE 12 #define MEMORY_BLOCK_NON_CACHEABLE_COPYONWRITE 13 #define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READWRITE 14 #define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_COPYONWRITE 15 #define MEMORY_BLOCK_NOT_ACCESSED_3 16 #define MEMORY_BLOCK_GUARD_READONLY 17 #define MEMORY_BLOCK_GUARD_EXECUTABLE 18 #define MEMORY_BLOCK_GUARD_EXECUTABLE_READONLY 19 #define MEMORY_BLOCK_GUARD_READWRITE 20 #define MEMORY_BLOCK_GUARD_COPYONWRITE 21 #define MEMORY_BLOCK_GUARD_EXECUTABLE_READWRITE 22 #define MEMORY_BLOCK_GUARD_EXECUTABLE_COPYONWRITE 23 #define MEMORY_BLOCK_NOT_ACCESSED_4 24 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READONLY 25 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE 26 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READONLY 27 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READWRITE 28 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_COPYONWRITE 29 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READWRITE 30 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_COPYONWRITE 31 /** * The MEMORY_WORKING_SET_BLOCK structure contains working set information for a page. * \sa https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_block */ typedef struct _MEMORY_WORKING_SET_BLOCK { ULONG_PTR Protection : 5; // The protection attributes of the page. This member can be one of above MEMORY_BLOCK_* values. ULONG_PTR ShareCount : 3; // The number of processes that share this page. The maximum value of this member is 7. ULONG_PTR Shared : 1; // If this bit is 1, the page is sharable; otherwise, the page is not sharable. ULONG_PTR Node : 3; // The NUMA node where the physical memory should reside. #ifdef _WIN64 ULONG_PTR VirtualPage : 52; // The address of the page in the virtual address space. #else ULONG VirtualPage : 20; // The address of the page in the virtual address space. #endif } MEMORY_WORKING_SET_BLOCK, *PMEMORY_WORKING_SET_BLOCK; /** * The MEMORY_WORKING_SET_INFORMATION structure contains working set information for a process. * \sa https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_information */ typedef struct _MEMORY_WORKING_SET_INFORMATION { ULONG_PTR NumberOfEntries; _Field_size_(NumberOfEntries) MEMORY_WORKING_SET_BLOCK WorkingSetInfo[ANYSIZE_ARRAY]; } MEMORY_WORKING_SET_INFORMATION, *PMEMORY_WORKING_SET_INFORMATION; // private typedef struct _MEMORY_REGION_INFORMATION { PVOID AllocationBase; // Base address of the allocation. ULONG AllocationProtect; // Page protection when the allocation was created (individual pages can be different from this value). union { ULONG RegionType; struct { ULONG Private : 1; // Region is private to the process (not shared). ULONG MappedDataFile : 1; // Region is a mapped view of a data file (read/write data mapping). ULONG MappedImage : 1; // Region is a mapped view of an image file (executable/DLL mapping). ULONG MappedPageFile : 1; // Region is a mapped view of a pagefile-backed section. ULONG MappedPhysical : 1; // Region is a mapped view of the \Device\PhysicalMemory section. ULONG DirectMapped : 1; // Region is a mapped view of a direct-mapped file. ULONG SoftwareEnclave : 1; // Region is a mapped view of a software enclave. // since REDSTONE3 ULONG PageSize64K : 1; // Region uses 64 KB page size. ULONG PlaceholderReservation : 1; // Region uses placeholder reservations. // since REDSTONE4 ULONG MappedAwe : 1; // 21H1 // Region uses Address Windowing Extensions (AWE). ULONG MappedWriteWatch : 1; // Region uses write-watch protection. ULONG PageSizeLarge : 1; // Region uses large page size. ULONG PageSizeHuge : 1; // Region uses huge page size. ULONG Reserved : 19; }; }; SIZE_T RegionSize; // The combined size of pages in the region. SIZE_T CommitSize; // The commit charge associated with the allocation. ULONG_PTR PartitionId; // 19H1 ULONG_PTR NodePreference; // 20H1 } MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; // private typedef enum _MEMORY_WORKING_SET_EX_LOCATION { MemoryLocationInvalid, MemoryLocationResident, MemoryLocationPagefile, MemoryLocationReserved } MEMORY_WORKING_SET_EX_LOCATION; /** * The MEMORY_WORKING_SET_EX_BLOCK structure contains extended working set information for a page. * \sa https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_ex_block */ typedef union _MEMORY_WORKING_SET_EX_BLOCK { ULONG_PTR Flags; union { struct { ULONG_PTR Valid : 1; // If this bit is 1, the subsequent members are valid; otherwise they should be ignored. ULONG_PTR ShareCount : 3; // The number of processes that share this page. The maximum value of this member is 7. ULONG_PTR Win32Protection : 11; // The memory protection attributes of the page. ULONG_PTR Shared : 1; // If this bit is 1, the page can be shared. ULONG_PTR Node : 6; // The NUMA node. The maximum value of this member is 63. ULONG_PTR Locked : 1; // If this bit is 1, the virtual page is locked in physical memory. ULONG_PTR LargePage : 1; // If this bit is 1, the page is a large page. ULONG_PTR Priority : 3; // The memory priority attributes of the page. ULONG_PTR Reserved : 3; ULONG_PTR SharedOriginal : 1; // If this bit is 1, the page was not modified. ULONG_PTR Bad : 1; // If this bit is 1, the page is has been reported as bad. #ifdef _WIN64 ULONG_PTR Win32GraphicsProtection : 4; // The memory protection attributes of the page. // since 19H1 ULONG_PTR ReservedUlong : 28; #endif }; struct { ULONG_PTR Valid : 1; // If this bit is 0, the subsequent members are valid; otherwise they should be ignored. ULONG_PTR Reserved0 : 14; ULONG_PTR Shared : 1; // If this bit is 1, the page can be shared. ULONG_PTR Reserved1 : 5; ULONG_PTR PageTable : 1; // If this bit is 1, the page is a page table entry. ULONG_PTR Location : 2; // The memory location of the page. MEMORY_WORKING_SET_EX_LOCATION ULONG_PTR Priority : 3; // The memory priority of the page. ULONG_PTR ModifiedList : 1; // If this bit is 1, the page is on the modified standby list. ULONG_PTR Reserved2 : 2; ULONG_PTR SharedOriginal : 1; // If this bit is 1, the page was not modified. ULONG_PTR Bad : 1; // If this bit is 1, the page is has been reported as bad. #ifdef _WIN64 ULONG_PTR ReservedUlong : 32; #endif } Invalid; }; } MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK; /** * The MEMORY_WORKING_SET_EX_INFORMATION structure contains extended working set information for a process. * \sa https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_ex_information */ typedef struct _MEMORY_WORKING_SET_EX_INFORMATION { PVOID VirtualAddress; // The virtual address. MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes; // The attributes of the page at VirtualAddress. } MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION; /** * The MEMORY_SHARED_COMMIT_INFORMATION structure contains the total commit size * for a region of memory that is shared between processes. */ typedef struct _MEMORY_SHARED_COMMIT_INFORMATION { SIZE_T CommitSize; } MEMORY_SHARED_COMMIT_INFORMATION, *PMEMORY_SHARED_COMMIT_INFORMATION; // private typedef struct _MEMORY_IMAGE_INFORMATION { PVOID ImageBase; SIZE_T SizeOfImage; union { ULONG ImageFlags; struct { ULONG ImagePartialMap : 1; ULONG ImageNotExecutable : 1; ULONG ImageSigningLevel : 4; // REDSTONE3 ULONG ImageExtensionPresent : 1; // since 24H2 ULONG Reserved : 25; }; }; } MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION; // private typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION { MEMORY_IMAGE_INFORMATION ImageInfo; UCHAR UniqueID[32]; // 32-byte unique identifier for the enclave image. UCHAR AuthorID[32]; // 32-byte identifier for the author/creator of the enclave image. } MEMORY_ENCLAVE_IMAGE_INFORMATION, *PMEMORY_ENCLAVE_IMAGE_INFORMATION; /** * The MEMORY_PHYSICAL_CONTIGUITY_UNIT_STATE structure describes the eligibility state or contiguity unit. */ typedef enum _MEMORY_PHYSICAL_CONTIGUITY_UNIT_STATE { MemoryNotContiguous, MemoryAlignedAndContiguous, MemoryNotResident, MemoryNotEligibleToMakeContiguous, MemoryContiguityStateMax, } MEMORY_PHYSICAL_CONTIGUITY_UNIT_STATE; /** * The MEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION structure describes the per-unit contiguity state. */ typedef struct _MEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION { union { ULONG AllInformation; struct { ULONG State : 2; ULONG Reserved : 30; }; }; } MEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION, *PMEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION; /** * The MEMORY_PHYSICAL_CONTIGUITY_INFORMATION structure describes a virtual range and contiguity unit characteristics for physical contiguity queries. */ typedef struct _MEMORY_PHYSICAL_CONTIGUITY_INFORMATION { PVOID VirtualAddress; ULONG_PTR Size; ULONG_PTR ContiguityUnitSize; ULONG Flags; PMEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION ContiguityUnitInformation; } MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, *PMEMORY_PHYSICAL_CONTIGUITY_INFORMATION; // rev /** * The MEMORY_BAD_INFORMATION structure reports a range of memory that has been marked bad or otherwise problematic. */ typedef struct _MEMORY_BAD_INFORMATION { PVOID BadAddress; // Starting address of the bad memory range. ULONG_PTR Length; // Length in bytes of the bad range. ULONG Flags; // Flags describing the nature of the bad memory. ULONG Reserved; } MEMORY_BAD_INFORMATION, *PMEMORY_BAD_INFORMATION; /** * The RTL_SCP_CFG_ARM64_HEADER structure contains ARM64 SCP/CFG descriptors; RVAs to handlers * and helper routines used when configuring CFG/SCP emulation on ARM64. */ typedef struct _RTL_SCP_CFG_ARM64_HEADER { ULONG EcInvalidCallHandlerRva; // RVA to invalid EC call handler. ULONG EcCfgCheckRva; // RVA to EC CFG check routine. ULONG EcCfgCheckESRva; // RVA to EC CFG check exception stub RVA. ULONG EcCallCheckRva; // RVA to EC call-check routine. ULONG CpuInitializationCompleteLoadRva; // RVA related to CPU init completion load. ULONG LdrpValidateEcCallTargetInitRva; // RVA used by loader validation init. ULONG SyscallFfsSizeRva; // RVA describing syscall FFS size. ULONG SyscallFfsBaseRva; // RVA describing syscall FFS base. } RTL_SCP_CFG_ARM64_HEADER, *PRTL_SCP_CFG_ARM64_HEADER; /** * The RTL_SCP_CFG_PAGE_TYPE enumeration describes page types used by SCP/CFG image extensions. */ typedef enum _RTL_SCP_CFG_PAGE_TYPE { RtlScpCfgPageTypeNop, // No-op / placeholder page. RtlScpCfgPageTypeDefault, // Default handling page. RtlScpCfgPageTypeExportSuppression, // Export-suppression descriptor page. RtlScpCfgPageTypeFptr, // Page that contains function pointers. RtlScpCfgPageTypeMax, // Upper bound for the enum. RtlScpCfgPageTypeNone // Explicit 'none' value. } RTL_SCP_CFG_PAGE_TYPE; /** * The RTL_SCP_CFG_COMMON_HEADER structure contains RVAs to dispatch and check * routines used by SCP/CFG configuration blocks. */ typedef struct _RTL_SCP_CFG_COMMON_HEADER { ULONG CfgDispatchRva; // RVA to CFG dispatch routine. ULONG CfgDispatchESRva; // RVA to CFG dispatch exception stub. ULONG CfgCheckRva; // RVA to CFG checking routine. ULONG CfgCheckESRva; // RVA to CFG checking exception stub. ULONG InvalidCallHandlerRva; // RVA to invalid-call handler. ULONG FnTableRva; // RVA to function-pointer table. } RTL_SCP_CFG_COMMON_HEADER, *PRTL_SCP_CFG_COMMON_HEADER; /** * The RTL_SCP_CFG_HEADER structure contains the common SCP/CFG configuration header. */ typedef struct _RTL_SCP_CFG_HEADER { RTL_SCP_CFG_COMMON_HEADER Common; } RTL_SCP_CFG_HEADER, *PRTL_SCP_CFG_HEADER; /** * The RTL_SCP_CFG_REGION_BOUNDS structure describes inclusive start/end * addresses of an SCP/CFG-protected region. */ typedef struct _RTL_SCP_CFG_REGION_BOUNDS { PVOID StartAddress; // Inclusive start address of the region. PVOID EndAddress; // Inclusive end address of the region. } RTL_SCP_CFG_REGION_BOUNDS, *PRTL_SCP_CFG_REGION_BOUNDS; /** * The RTL_SCP_CFG_NTDLL_EXPORTS structure contains ntdll export descriptors and * region bounds used to implement or validate CFG/SCP behavior at runtime. */ typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS { RTL_SCP_CFG_REGION_BOUNDS ScpRegions[4]; // Array of SCP region bounds (max 4). PVOID CfgDispatchFptr; // Pointer to CFG dispatch function. PVOID CfgDispatchESFptr; // Pointer to CFG dispatch exception stub. PVOID CfgCheckFptr; // Pointer to CFG check function. PVOID CfgCheckESFptr; // Pointer to CFG check exception stub. PVOID IllegalCallHandler; // Pointer to handler invoked for illegal calls. } RTL_SCP_CFG_NTDLL_EXPORTS, *PRTL_SCP_CFG_NTDLL_EXPORTS; /** * The RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC structure contains ARM64-specific ntdll * export descriptors used for EC / ARM64EC handling. */ typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC { PVOID EcInvalidCallHandler; // Pointer to invalid EC call handler. PVOID EcCfgCheckFptr; // Pointer to EC CFG check function. PVOID EcCfgCheckESFptr; // Pointer to EC CFG check exception stub. PVOID EcCallCheckFptr; // Pointer to EC call-check routine. PVOID CpuInitializationComplete; // Pointer to CPU initialization completion routine. PVOID LdrpValidateEcCallTargetInit; // Pointer to loader validation init routine. struct { PVOID SyscallFfsSize; // Pointer to syscall FFS size descriptor. union { PVOID Ptr; // Pointer form of FFS size descriptor. ULONG Value; // Value form of FFS size descriptor. }; }; PVOID SyscallFfsBase; // Pointer to syscall FFS base. } RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC, *PRTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC; /** * The RTL_RETPOLINE_ROUTINES structure contains indices/offsets and jump-table * descriptors used for retpoline/runtime patching. */ typedef struct _RTL_RETPOLINE_ROUTINES { ULONG SwitchtableJump[16]; // Jump offsets for switchtable entries. ULONG CfgIndirectRax; // Index/offset for indirect calls using RAX under CFG. ULONG NonCfgIndirectRax; // Index/offset for indirect calls not under CFG. ULONG ImportR10; // Import slot/index for R10-based imports. ULONG JumpHpat; // Hot-spot jump table offset. } RTL_RETPOLINE_ROUTINES, *PRTL_RETPOLINE_ROUTINES; /** * The RTL_KSCP_ROUTINES structure contains the kernel-side * SCP-related routine descriptors used for XFG/CFG/retpoline support. */ typedef struct _RTL_KSCP_ROUTINES { ULONG UnwindDataOffset; // Offset to unwind data for the routines. RTL_RETPOLINE_ROUTINES RetpolineRoutines; ULONG CfgDispatchSmep; // CFG dispatch variant when SMEP is enabled. ULONG CfgDispatchNoSmep; // CFG dispatch variant when SMEP is not enabled. } RTL_KSCP_ROUTINES, *PRTL_KSCP_ROUTINES; /** * The MEMORY_IMAGE_EXTENSION_TYPE enumeration specifies the supported image extension types. */ typedef enum _MEMORY_IMAGE_EXTENSION_TYPE { MemoryImageExtensionCfgScp, MemoryImageExtensionCfgEmulatedScp, MemoryImageExtensionTypeMax, } MEMORY_IMAGE_EXTENSION_TYPE; /** * The MEMORY_IMAGE_EXTENSION_INFORMATION structure describes an optional image extension * containing additional metadata or features (for example, CFG/SCP related extensions). */ typedef struct _MEMORY_IMAGE_EXTENSION_INFORMATION { MEMORY_IMAGE_EXTENSION_TYPE ExtensionType; // Type of the image extension (MEMORY_IMAGE_EXTENSION_TYPE). ULONG Flags; // Extension-specific flags. PVOID ExtensionImageBaseRva; // Relative virtual address of the extension image base. SIZE_T ExtensionSize; // Size, in bytes, of the extension region. } MEMORY_IMAGE_EXTENSION_INFORMATION, *PMEMORY_IMAGE_EXTENSION_INFORMATION; #define MMPFNLIST_ZERO 0 #define MMPFNLIST_FREE 1 #define MMPFNLIST_STANDBY 2 #define MMPFNLIST_MODIFIED 3 #define MMPFNLIST_MODIFIEDNOWRITE 4 #define MMPFNLIST_BAD 5 #define MMPFNLIST_ACTIVE 6 #define MMPFNLIST_TRANSITION 7 //typedef enum _MMLISTS //{ // ZeroedPageList = 0, // FreePageList = 1, // StandbyPageList = 2, // ModifiedPageList = 3, // ModifiedNoWritePageList = 4, // BadPageList = 5, // ActiveAndValid = 6, // TransitionPage = 7 //} MMLISTS; #define MMPFNUSE_PROCESSPRIVATE 0 #define MMPFNUSE_FILE 1 #define MMPFNUSE_PAGEFILEMAPPED 2 #define MMPFNUSE_PAGETABLE 3 #define MMPFNUSE_PAGEDPOOL 4 #define MMPFNUSE_NONPAGEDPOOL 5 #define MMPFNUSE_SYSTEMPTE 6 #define MMPFNUSE_SESSIONPRIVATE 7 #define MMPFNUSE_METAFILE 8 #define MMPFNUSE_AWEPAGE 9 #define MMPFNUSE_DRIVERLOCKPAGE 10 #define MMPFNUSE_KERNELSTACK 11 //typedef enum _MMPFNUSE //{ // ProcessPrivatePage, // MemoryMappedFilePage, // PageFileMappedPage, // PageTablePage, // PagedPoolPage, // NonPagedPoolPage, // SystemPTEPage, // SessionPrivatePage, // MetafilePage, // AWEPage, // DriverLockedPage, // KernelStackPage //} MMPFNUSE; // private typedef struct _MEMORY_FRAME_INFORMATION { ULONGLONG UseDescription : 4; // MMPFNUSE_* ULONGLONG ListDescription : 3; // MMPFNLIST_* ULONGLONG Cold : 1; // 19H1 ULONGLONG Pinned : 1; // 1 - pinned, 0 - not pinned ULONGLONG DontUse : 48; // *_INFORMATION overlay ULONGLONG Priority : 3; ULONGLONG NonTradeable : 1; ULONGLONG Reserved : 3; } MEMORY_FRAME_INFORMATION, *PMEMORY_FRAME_INFORMATION; // private typedef struct _FILEOFFSET_INFORMATION { ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay ULONGLONG Offset : 48; // mapped files ULONGLONG Reserved : 7; } FILEOFFSET_INFORMATION, *PFILEOFFSET_INFORMATION; // private typedef struct _PAGEDIR_INFORMATION { ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay ULONGLONG PageDirectoryBase : 48; // private pages ULONGLONG Reserved : 7; } PAGEDIR_INFORMATION, *PPAGEDIR_INFORMATION; // private typedef struct _UNIQUE_PROCESS_INFORMATION { ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay ULONGLONG UniqueProcessKey : 48; // ProcessId ULONGLONG Reserved : 7; } UNIQUE_PROCESS_INFORMATION, *PUNIQUE_PROCESS_INFORMATION; // private typedef struct _MMPFN_IDENTITY { union { MEMORY_FRAME_INFORMATION e1; // all FILEOFFSET_INFORMATION e2; // mapped files PAGEDIR_INFORMATION e3; // private pages UNIQUE_PROCESS_INFORMATION e4; // owning process } u1; ULONG_PTR PageFrameIndex; // all union { struct { ULONG_PTR Image : 1; ULONG_PTR Mismatch : 1; } e1; struct { ULONG_PTR CombinedPage; } e2; ULONG_PTR FileObject; // mapped files ULONG_PTR UniqueFileObjectKey; ULONG_PTR ProtoPteAddress; ULONG_PTR VirtualAddress; // everything else } u2; } MMPFN_IDENTITY, *PMMPFN_IDENTITY; typedef struct _MMPFN_MEMSNAP_INFORMATION { ULONG_PTR InitialPageFrameIndex; ULONG_PTR Count; } MMPFN_MEMSNAP_INFORMATION, *PMMPFN_MEMSNAP_INFORMATION; // Flags directly correspond to KPROCESS.Flags, of type KEXECUTE_OPTIONS (named bitfields available). // Flags adjust OS behavior for 32-bit processes only. They are effectively ignored for ARM64 and x64 processes. // [nt!Mi]canGrantExecute = KF_GLOBAL_32BIT_EXECUTE || MEM_EXECUTE_OPTION_ENABLE || (!KF_GLOBAL_32BIT_NOEXECUTE && !MEM_EXECUTE_OPTION_DISABLE) #define MEM_EXECUTE_OPTION_DISABLE 0x1 // respect the NX bit: DEP on, only run code from executable pages #define MEM_EXECUTE_OPTION_ENABLE 0x2 // ignore the NX bit: DEP off, enable executing most of ro/rw memory; trumps over the _DISABLE option #define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4 // do not emulate NX code sequences which look like ATL thunks #define MEM_EXECUTE_OPTION_PERMANENT 0x8 // changing any MEM_EXECUTE_* option for the process is not allowed [anymore] #define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10 // allow non-executable exception handlers (ntdll!RtlIsValidHandler) #define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20 // allow non-MEM_IMAGE exception handlers (ntdll!RtlIsValidHandler) #define MEM_EXECUTE_OPTION_DISABLE_EXCEPTION_CHAIN_VALIDATION 0x40 // don't invoke ntdll!RtlpIsValidExceptionChain to check SEH chain #define MEM_EXECUTE_OPTION_VALID_FLAGS 0x7f // // Virtual memory // #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * The NtAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process. * * \param ProcessHandle A handle for the process for which the mapping should be done. * \param BaseAddress A pointer to a variable that will receive the base address of the allocated region of pages. * If the initial value is not zero, the region is allocated at the specified virtual address. * \param ZeroBits The number of high-order address bits that must be zero in the base address of the section view. * This value must be less than 21 and the initial value of BaseAddress must be zero. * \param RegionSize A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages. * \param AllocationType A bitmask containing flags that specify the type of allocation to be performed. * \param PageProtection A bitmask containing page protection flags that specify the protection desired for the committed region of pages. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwallocatevirtualmemory */ _Must_inspect_result_ _When_(return == 0, __drv_allocatesMem(mem)) NTSYSCALLAPI NTSTATUS NTAPI NtAllocateVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection ); #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) /** * The NtAllocateVirtualMemoryEx routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process. * * \param ProcessHandle A handle for the process for which the mapping should be done. * \param BaseAddress A pointer to a variable that will receive the base address of the allocated region of pages. If the initial value is not zero, the region is allocated at the specified virtual address. * \param RegionSize A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages. * \param AllocationType A bitmask containing flags that specify the type of allocation to be performed. * \param PageProtection A bitmask containing page protection flags that specify the protection desired for the committed region of pages. * \param ExtendedParameters An optional pointer to one or more extended parameters of type MEM_EXTENDED_PARAMETER. * \param ExtendedParameterCount Specifies the number of elements in the ExtendedParameters array. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwallocatevirtualmemory */ _Must_inspect_result_ _When_(return == 0, __drv_allocatesMem(Mem)) NTSYSCALLAPI NTSTATUS NTAPI NtAllocateVirtualMemoryEx( _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) /** * The NtFreeVirtualMemory routine frees virtual memory allocated for a process. * * \param ProcessHandle A handle to the process whose virtual memory is to be freed. * \param BaseAddress A pointer to the base address of the region of pages to be freed. * \param RegionSize A pointer to a variable that specifies the size of the region of memory to be freed. * \param FreeType The type of free operation. This parameter can be MEM_DECOMMIT or MEM_RELEASE. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtFreeVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ __drv_freesMem(Mem) PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG FreeType ); /** * The NtReadVirtualMemory routine reads virtual memory from a process. * * \param ProcessHandle A handle to the process whose memory is to be read. * \param BaseAddress A pointer to the base address in the specified process from which to read. * \param Buffer A pointer to a buffer that receives the contents from the address space of the specified process. * \param NumberOfBytesToRead The number of bytes to be read from the specified process. * \param NumberOfBytesRead A pointer to a variable that receives the number of bytes transferred into the specified buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtReadVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, _In_ SIZE_T NumberOfBytesToRead, _Out_opt_ PSIZE_T NumberOfBytesRead ); // rev /** * The NtWow64ReadVirtualMemory64 routine reads virtual memory of a 64-bit process from a 32-bit process. * * \param ProcessHandle A handle to the process whose memory is to be read. * \param BaseAddress A pointer to the base address in the specified process from which to read. * \param Buffer A pointer to a buffer that receives the contents from the address space of the specified process. * \param NumberOfBytesToRead The number of bytes to be read from the specified process. * \param NumberOfBytesRead A pointer to a variable that receives the number of bytes transferred into the specified buffer. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI NtWow64ReadVirtualMemory64( _In_ HANDLE ProcessHandle, _In_opt_ ULONGLONG BaseAddress, _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, _In_ ULONGLONG NumberOfBytesToRead, _Out_opt_ PULONGLONG NumberOfBytesRead ); #if (PHNT_VERSION >= PHNT_WINDOWS_11) /** * The NtReadVirtualMemoryEx routine reads virtual memory from a process with extended options. * * \param ProcessHandle A handle to the process whose memory is to be read. * \param BaseAddress A pointer to the base address in the specified process from which to read. * \param Buffer A pointer to a buffer that receives the contents from the address space of the specified process. * \param NumberOfBytesToRead The number of bytes to be read from the specified process. * \param NumberOfBytesRead A pointer to a variable that receives the number of bytes transferred into the specified buffer. * \param Flags Additional flags for the read operation. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtReadVirtualMemoryEx( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, _In_ SIZE_T NumberOfBytesToRead, _Out_opt_ PSIZE_T NumberOfBytesRead, _In_ ULONG Flags ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_11) /** * The NtWriteVirtualMemory routine writes virtual memory to a process. * * \param ProcessHandle A handle to the process whose memory is to be written. * \param BaseAddress A pointer to the base address in the specified process to which to write. * \param Buffer A pointer to the buffer that contains the data to be written to the address space of the specified process. * \param NumberOfBytesToWrite The number of bytes to be written to the specified process. * \param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtWriteVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, _In_ SIZE_T NumberOfBytesToWrite, _Out_opt_ PSIZE_T NumberOfBytesWritten ); // rev /** * The NtWow64WriteVirtualMemory64 routine writes virtual memory to a 64-bit process from a 32-bit process. * * \param ProcessHandle A handle to the process whose memory is to be written. * \param BaseAddress A pointer to the base address in the specified process to which to write. * \param Buffer A pointer to the buffer that contains the data to be written to the address space of the specified process. * \param NumberOfBytesToWrite The number of bytes to be written to the specified process. * \param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified buffer. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI NtWow64WriteVirtualMemory64( _In_ HANDLE ProcessHandle, _In_opt_ ULONGLONG BaseAddress, _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, _In_ ULONGLONG NumberOfBytesToWrite, _Out_opt_ PULONGLONG NumberOfBytesWritten ); /** * The NtProtectVirtualMemory routine changes the protection on a region of virtual memory. * * \param ProcessHandle A handle to the process whose memory protection is to be changed. * \param BaseAddress A pointer to the base address of the region of pages whose access protection attributes are to be changed. * \param RegionSize A pointer to a variable that specifies the size of the region whose access protection attributes are to be changed. * \param NewProtection The memory protection option. This parameter can be one of the memory protection constants. * \param OldProtection A pointer to a variable that receives the previous access protection of the first page in the specified region of pages. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtProtectVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG NewProtection, _Out_ PULONG OldProtection ); /** * The NtQueryVirtualMemory routine queries information about a region of virtual memory in a process. * * \param ProcessHandle A handle to the process whose memory information is to be queried. * \param BaseAddress A pointer to the base address of the region of pages to be queried. * \param MemoryInformationClass The type of information to be queried. * \param MemoryInformation A pointer to a buffer that receives the memory information. * \param MemoryInformationLength The size of the buffer pointed to by the MemoryInformation parameter. * \param ReturnLength A pointer to a variable that receives the number of bytes returned in the MemoryInformation buffer. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_opt_ PSIZE_T ReturnLength ); // rev /** * The NtWow64QueryVirtualMemory64 routine queries information about a region of virtual memory in a 64-bit process from a 32-bit process. * * \param ProcessHandle A handle to the process whose memory information is to be queried. * \param BaseAddress A pointer to the base address of the region of pages to be queried. * \param MemoryInformationClass The type of information to be queried. * \param MemoryInformation A pointer to a buffer that receives the memory information. * \param MemoryInformationLength The size of the buffer pointed to by the MemoryInformation parameter. * \param ReturnLength A pointer to a variable that receives the number of bytes returned in the MemoryInformation buffer. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI NtWow64QueryVirtualMemory64( _In_ HANDLE ProcessHandle, _In_opt_ ULONGLONG BaseAddress, _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, _In_ ULONGLONG MemoryInformationLength, _Out_opt_ PULONGLONG ReturnLength ); /** * The NtFlushVirtualMemory routine flushes the instruction cache for a specified process. * * \param ProcessHandle A handle to the process whose instruction cache is to be flushed. * \param BaseAddress A pointer to the base address of the memory region to be flushed. * \param RegionSize A pointer to a variable that specifies the size of the region to be flushed. * \param IoStatus A pointer to an IO_STATUS_BLOCK structure that receives the status of the flush operation. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtFlushVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _Out_ PIO_STATUS_BLOCK IoStatus ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL) // begin_private typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS { VmPrefetchInformation, // s: MEMORY_PREFETCH_INFORMATION VmPagePriorityInformation, // s: MEMORY_PAGE_PRIORITY_INFORMATION VmCfgCallTargetInformation, // s: CFG_CALL_TARGET_LIST_INFORMATION // REDSTONE2 VmPageDirtyStateInformation, // s: MEMORY_PAGE_DIRTY_STATE_INFORMATION // REDSTONE3 VmImageHotPatchInformation, // s: 19H1 VmPhysicalContiguityInformation, // s: MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // 20H1 // (requires SeLockMemoryPrivilege) VmVirtualMachinePrepopulateInformation, VmRemoveFromWorkingSetInformation, // s: MEMORY_REMOVE_WORKING_SET_INFORMATION MaxVmInfoClass } VIRTUAL_MEMORY_INFORMATION_CLASS; // end_private #else #define VmPrefetchInformation 0x0 #define VmPagePriorityInformation 0x1 #define VmCfgCallTargetInformation 0x2 #define VmPageDirtyStateInformation 0x3 #define VmImageHotPatchInformation 0x4 #define VmPhysicalContiguityInformation 0x5 #define VmVirtualMachinePrepopulateInformation 0x6 #define VmRemoveFromWorkingSetInformation 0x7 #define MaxVmInfoClass 0x8 #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * Attempt to populate specified single or multiple address ranges * into the process working set (bring pages into physical memory). */ #define VM_PREFETCH_TO_WORKING_SET 0x1 // since 24H4 // rev /** * The MEMORY_PREFETCH_INFORMATION structure defines prefetch-control flags that * determine how prefetch operations are executed on the supplied address ranges. * * \remarks The behavior and success of prefetch operations depend on OS policy, * working set limits, privileges, and presence of backing storage. * \sa NtSetInformationVirtualMemory, VIRTUAL_MEMORY_INFORMATION_CLASS, VmPrefetchInformation */ typedef struct _MEMORY_PREFETCH_INFORMATION { ULONG Flags; } MEMORY_PREFETCH_INFORMATION, *PMEMORY_PREFETCH_INFORMATION; // // Page/memory priorities. // #define MEMORY_PRIORITY_LOWEST 0 #define MEMORY_PRIORITY_VERY_LOW 1 #define MEMORY_PRIORITY_LOW 2 #define MEMORY_PRIORITY_MEDIUM 3 #define MEMORY_PRIORITY_BELOW_NORMAL 4 #define MEMORY_PRIORITY_NORMAL 5 #define MEMORY_PRIORITY_ABOVE_NORMAL 6 // rev #define MEMORY_PRIORITY_HIGH 7 // rev // VmPagePriorityInformation typedef struct _MEMORY_PAGE_PRIORITY_INFORMATION { ULONG PagePriority; } MEMORY_PAGE_PRIORITY_INFORMATION, *PMEMORY_PAGE_PRIORITY_INFORMATION; // VmCfgCallTargetInformation typedef struct _CFG_CALL_TARGET_LIST_INFORMATION { ULONG NumberOfEntries; ULONG Reserved; PULONG NumberOfEntriesProcessed; PCFG_CALL_TARGET_INFO CallTargetInfo; PVOID Section; // since REDSTONE5 ULONGLONG FileOffset; } CFG_CALL_TARGET_LIST_INFORMATION, *PCFG_CALL_TARGET_LIST_INFORMATION; // rev // VmPageDirtyStateInformation typedef struct _MEMORY_PAGE_DIRTY_STATE_INFORMATION { ULONG Flags; } MEMORY_PAGE_DIRTY_STATE_INFORMATION, *PMEMORY_PAGE_DIRTY_STATE_INFORMATION; // rev typedef struct _MEMORY_REMOVE_WORKING_SET_INFORMATION { ULONG Flags; } MEMORY_REMOVE_WORKING_SET_INFORMATION, *PMEMORY_REMOVE_WORKING_SET_INFORMATION; #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The MEMORY_RANGE_ENTRY structure describes a contiguous region of virtual address space. */ typedef struct _MEMORY_RANGE_ENTRY { PVOID VirtualAddress; // A pointer to the starting virtual address of the region. SIZE_T NumberOfBytes; // The size, in bytes, of the region. } MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; /** * The NtSetInformationVirtualMemory routine performs an operation on a specified list of address ranges in the user address space of a process. * * \param ProcessHandle Specifies an open handle for the process in the context of which the operation is to be performed. This handle cannot be invalid. * \param VmInformationClass Specifies the type of operation to perform. * \param NumberOfEntries Number of entries in the array pointed to by the VirtualAddresses parameter. This parameter cannot be 0. * \param VirtualAddresses Pointer to an array of MEMORY_RANGE_ENTRY structures in which each entry specifies a virtual address range to be processed. * The virtual address ranges may cover any part of the process address space accessible by the target process. * \param VmInformation A pointer to a buffer that contains memory information. * Note: If VmInformationClass is VmPrefetchInformation, this parameter cannot be this parameter cannot be NULL and must point to a ULONG variable that is set to 0. * \param VmInformationLength The size of the buffer pointed to by VmInformation. * If VmInformationClass is VmPrefetchInformation, this must be sizeof (ULONG). * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwsetinformationvirtualmemory */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationVirtualMemory( _In_ HANDLE ProcessHandle, _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, _In_ SIZE_T NumberOfEntries, _In_reads_(NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses, _In_reads_bytes_(VmInformationLength) PVOID VmInformation, _In_ ULONG VmInformationLength ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) #define MAP_PROCESS 1 // Process WorkingSet #define MAP_SYSTEM 2 // Physical Memory // (requires SeLockMemoryPrivilege) /** * The NtLockVirtualMemory routine locks the specified region of the process's virtual address space into physical memory, * ensuring that subsequent access to the region will not incur a page fault. * * \param ProcessHandle A handle to the process whose virtual address space is to be locked. * \param BaseAddress A pointer to the base address of the region of pages to be locked. * \param RegionSize The size of the region to be locked, in bytes. The size is rounded up to the nearest multiple of PAGE_SIZE. * \param MapType A bitmask containing one or more flags that specify the type of operations to be performed. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtuallock */ NTSYSCALLAPI NTSTATUS NTAPI NtLockVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG MapType ); /** * The NtUnlockVirtualMemory routine unlocks a specified range of pages in the virtual address space of a process, * enabling the system to swap the pages out to the paging file if necessary. * * \param ProcessHandle A handle to the process whose virtual address space is to be unlocked. * \param BaseAddress A pointer to the base address of the region of pages to be unlocked. * \param RegionSize The size of the region to be unlocked, in bytes. The size is rounded up to the nearest multiple of PAGE_SIZE. * \param MapType A bitmask containing one or more flags that specify the type of operations to be performed. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualunlock */ NTSYSCALLAPI NTSTATUS NTAPI NtUnlockVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG MapType ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Sections // typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation, // q; SECTION_BASIC_INFORMATION SectionImageInformation, // q; SECTION_IMAGE_INFORMATION SectionRelocationInformation, // q; ULONG_PTR RelocationDelta // name:wow64:whNtQuerySection_SectionRelocationInformation // since WIN7 SectionOriginalBaseInformation, // q; PVOID BaseAddress // since REDSTONE SectionInternalImageInformation, // q; SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2 MaxSectionInfoClass } SECTION_INFORMATION_CLASS; /** * The SECTION_BASIC_INFORMATION structure contains basic information about an image section. * \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntquerysection */ typedef struct _SECTION_BASIC_INFORMATION { PVOID BaseAddress; // The base virtual address of the section if the section is based. ULONG AllocationAttributes; // The allocation attributes flags. LARGE_INTEGER MaximumSize; // The maximum size of the section in bytes. } SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; /** * The SECTION_IMAGE_INFORMATION structure contains detailed information about an image section. */ typedef struct _SECTION_IMAGE_INFORMATION { PVOID TransferAddress; // The address of the image entry point function. ULONG ZeroBits; // The number of high-order address bits that must be zero in the image base address. SIZE_T MaximumStackSize; // The maximum stack size of threads from the PE file header. SIZE_T CommittedStackSize; // The initial stack size of threads from the PE file header. ULONG SubSystemType; // The image subsystem from the PE file header (e.g., Windows GUI, Windows CUI, POSIX). union { struct { USHORT SubSystemMinorVersion; USHORT SubSystemMajorVersion; }; ULONG SubSystemVersion; }; union { struct { USHORT MajorOperatingSystemVersion; USHORT MinorOperatingSystemVersion; }; ULONG OperatingSystemVersion; }; USHORT ImageCharacteristics; // The image characteristics from the PE file header. USHORT DllCharacteristics; // The DLL characteristics flags (e.g., ASLR, NX compatibility). USHORT Machine; // The image architecture (e.g., x86, x64, ARM). BOOLEAN ImageContainsCode; // The image contains native executable code. union { UCHAR ImageFlags; struct { UCHAR ComPlusNativeReady : 1; // The image contains precompiled .NET assembly generated by NGEN (Native Image Generator). UCHAR ComPlusILOnly : 1; // the image contains only Microsoft Intermediate Language (IL) assembly. UCHAR ImageDynamicallyRelocated : 1; // The image was mapped using a random base address rather than the preferred base address. UCHAR ImageMappedFlat : 1; // The image was mapped using a single contiguous region, rather than separate regions for each section. UCHAR BaseBelow4gb : 1; // The image was mapped using a base address below the 4 GB boundary. UCHAR ComPlusPrefer32bit : 1; // The image prefers to run as a 32-bit process, even on a 64-bit system. UCHAR Reserved : 2; }; }; ULONG LoaderFlags; // Reserved by ntdll.dll for the Windows loader. ULONG ImageFileSize; // The size of the image, in bytes, including all headers. ULONG CheckSum; // The image file checksum, from the PE optional header. } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; /** * The SECTION_INTERNAL_IMAGE_INFORMATION structure contains information about Control Flow Guard (CFG) features required by the image section. */ typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION { SECTION_IMAGE_INFORMATION SectionInformation; union { ULONG ExtendedFlags; struct { ULONG ImageExportSuppressionEnabled : 1; ULONG ImageCetShadowStacksReady : 1; // 20H1 ULONG ImageXfgEnabled : 1; // 20H2 ULONG ImageCetShadowStacksStrictMode : 1; ULONG ImageCetSetContextIpValidationRelaxedMode : 1; ULONG ImageCetDynamicApisAllowInProc : 1; ULONG ImageCetDowngradeReserved1 : 1; ULONG ImageCetDowngradeReserved2 : 1; ULONG ImageExportSuppressionInfoPresent : 1; ULONG ImageCfgEnabled : 1; ULONG Reserved : 22; }; }; } SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * The SECTION_INHERIT structure specifies how the mapped view of the section is to be shared with child processes. */ typedef enum _SECTION_INHERIT { ViewShare = 1, // The mapped view of the section will be mapped into any child processes created by the process. ViewUnmap = 2 // The mapped view of the section will not be mapped into any child processes created by the process. } SECTION_INHERIT; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * The NtCreateSection routine creates a section object. * * \param SectionHandle Pointer to a variable that receives a handle to the section object. * \param DesiredAccess The access mask that specifies the requested access to the section object. * \param ObjectAttributes Pointer to the base virtual address of the view to unmap. This value can be any virtual address within the view. * \param MaximumSize The maximum size, in bytes, of the section. The actual size when backed by the paging file, * or the maximum the file can be extended or mapped when backed by an ordinary file. * \param SectionPageProtection Specifies the protection to place on each page in the section. * \param AllocationAttributes A bitmask of SEC_XXX flags that determines the allocation attributes of the section. * \param FileHandle Optionally specifies a handle for an open file object. If the value of FileHandle is NULL, * the section is backed by the paging file. Otherwise, the section is backed by the specified file. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwcreatesection */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle ); #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) /** * The NtCreateSectionEx routine creates a section object. * * \param SectionHandle Pointer to a variable that receives a handle to the section object. * \param DesiredAccess The access mask that specifies the requested access to the section object. * \param ObjectAttributes Pointer to the base virtual address of the view to unmap. This value can be any virtual address within the view. * \param MaximumSize The maximum size, in bytes, of the section. The actual size when backed by the paging file, * or the maximum the file can be extended or mapped when backed by an ordinary file. * \param SectionPageProtection Specifies the protection to place on each page in the section. * \param AllocationAttributes A bitmask of SEC_XXX flags that determines the allocation attributes of the section. * \param FileHandle Optionally specifies a handle for an open file object. If the value of FileHandle is NULL, * the section is backed by the paging file. Otherwise, the section is backed by the specified file. * \param ExtendedParameters An optional pointer to one or more extended parameters of type MEM_EXTENDED_PARAMETER. * \param ExtendedParameterCount Specifies the number of elements in the ExtendedParameters array. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwcreatesection */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateSectionEx( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) /** * The NtOpenSection routine opens a handle for an existing section object. * * \param SectionHandle Handle to a process object that was previously passed to NtMapViewOfSection. * \param DesiredAccess The access mask that specifies the requested access to the section object. * \param ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that specifies the object name and other attributes. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwopensection */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * The NtMapViewOfSection routine maps a view of a section into the virtual address space of a subject process. * * \param SectionHandle A handle to an existing section object. * \param ProcessHandle A handle to the object that represents the process that the view should be mapped into. The handle must have been opened with PROCESS_VM_OPERATION access. * \param BaseAddress A pointer to a variable that receives the base address of the view. If the value is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary. * \param ZeroBits The number of high-order address bits that must be zero in the base address of the section view. The value of this parameter must be less than 21 and is used only if BaseAddress is NULL. * \param CommitSize Specifies the size, in bytes, of the initially committed region of the view. CommitSize is meaningful only for page-file backed sections and is rounded up to the nearest multiple of PAGE_SIZE. * \param SectionOffset A pointer to a variable that receives the offset, in bytes, from the beginning of the section to the view. * \param ViewSize A pointer to a variable that specifies the size of the view in bytes. If the initial value is zero, NtMapViewOfSection maps a view of the section that starts at SectionOffset and continues to the end of the section. * \param InheritDisposition A value that specifies how the view is to be shared with child processes. * \param AllocationType Specifies the type of allocation to be performed for the specified region of pages. The valid flags are MEM_RESERVE, MEM_TOP_DOWN, MEM_LARGE_PAGES, MEM_DIFFERENT_IMAGE_BASE_OK and MEM_REPLACE_PLACEHOLDER. Although MEM_COMMIT is not allowed, it is implied unless MEM_RESERVE is specified. * \param PageProtection Specifies the page protection to be applied to the mapped view. Not used with SEC_IMAGE, must be set to PAGE_READONLY for SEC_IMAGE_NO_EXECUTE. For non-image sections, the value must be compatible with the section's page protection from NtCreateSection. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsection */ NTSYSCALLAPI NTSTATUS NTAPI NtMapViewOfSection( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ SECTION_INHERIT InheritDisposition, _In_ ULONG AllocationType, _In_ ULONG PageProtection ); #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) /** * The NtMapViewOfSectionEx routine maps a view of a section into the virtual address space of a subject process. * * \param SectionHandle A handle to an existing section object. * \param ProcessHandle A handle to the object that represents the process that the view should be mapped into. The handle must have been opened with PROCESS_VM_OPERATION access. * \param BaseAddress A pointer to a variable that receives the base address of the view. If the value is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary. * \param SectionOffset A pointer to a variable that receives the offset, in bytes, from the beginning of the section to the view. * \param ViewSize A pointer to a variable that specifies the size of the view in bytes. If the initial value is zero, NtMapViewOfSection maps a view of the section that starts at SectionOffset and continues to the end of the section. * \param AllocationType Specifies the type of allocation to be performed for the specified region of pages. The valid flags are MEM_RESERVE, MEM_TOP_DOWN, MEM_LARGE_PAGES, MEM_DIFFERENT_IMAGE_BASE_OK and MEM_REPLACE_PLACEHOLDER. Although MEM_COMMIT is not allowed, it is implied unless MEM_RESERVE is specified. * \param PageProtection Specifies the page protection to be applied to the mapped view. Not used with SEC_IMAGE, must be set to PAGE_READONLY for SEC_IMAGE_NO_EXECUTE. For non-image sections, the value must be compatible with the section's page protection from NtCreateSection. * \param ExtendedParameters An optional pointer to one or more extended parameters of type MEM_EXTENDED_PARAMETER. * \param ExtendedParameterCount Specifies the number of elements in the ExtendedParameters array. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsectionex */ NTSYSCALLAPI NTSTATUS NTAPI NtMapViewOfSectionEx( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) /** * The NtUnmapViewOfSection routine unmaps a view of a section from the virtual address space of a subject process. * * \param ProcessHandle Handle to a process object that was previously passed to NtMapViewOfSection. * \param BaseAddress Pointer to the base virtual address of the view to unmap. This value can be any virtual address within the view. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwunmapviewofsection */ NTSYSCALLAPI NTSTATUS NTAPI NtUnmapViewOfSection( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtUnmapViewOfSectionEx routine unmaps a view of a section from the virtual address space of a subject process. * * \param ProcessHandle Handle to a process object that was previously passed to NtMapViewOfSection. * \param BaseAddress Pointer to the base virtual address of the view to unmap. This value can be any virtual address within the view. * \param Flags Additional flags for the unmap operation. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwunmapviewofsection */ NTSYSCALLAPI NTSTATUS NTAPI NtUnmapViewOfSectionEx( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ ULONG Flags ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtExtendSection( _In_ HANDLE SectionHandle, _Inout_ PLARGE_INTEGER NewSectionSize ); /** * The NtQuerySection routine provides the capability to determine the base address, size, granted access, and allocation of an opened section object. * * \param SectionHandle An open handle to a section object. * \param SectionInformationClass The section information class about which to retrieve information. * \param SectionInformation A pointer to a buffer that receives the specified information. The format and content of the buffer depend on the specified section class. * \param SectionInformationLength Specifies the length in bytes of the section information buffer. * \param ReturnLength An optional pointer which, if specified, receives the number of bytes placed in the section information buffer. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntquerysection */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySection( _In_ HANDLE SectionHandle, _In_ SECTION_INFORMATION_CLASS SectionInformationClass, _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, _In_ SIZE_T SectionInformationLength, _Out_opt_ PSIZE_T ReturnLength ); /** * The NtAreMappedFilesTheSame routine determines whether two mapped files are the same. * * \param File1MappedAsAnImage A pointer to the base address of the first file mapped as an image. * \param File2MappedAsFile A pointer to the base address of the second file mapped as a file. * \return NTSTATUS Returns STATUS_SUCCESS if the files are the same; otherwise, an appropriate NTSTATUS error code. */ NTSYSCALLAPI NTSTATUS NTAPI NtAreMappedFilesTheSame( _In_ PVOID File1MappedAsAnImage, _In_ PVOID File2MappedAsFile ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Memory Partitions // #ifndef MEMORY_CURRENT_PARTITION_HANDLE #define MEMORY_CURRENT_PARTITION_HANDLE ((HANDLE)(LONG_PTR)-1) #endif // MEMORY_CURRENT_PARTITION_HANDLE #ifndef MEMORY_SYSTEM_PARTITION_HANDLE #define MEMORY_SYSTEM_PARTITION_HANDLE ((HANDLE)(LONG_PTR)-2) #endif // MEMORY_SYSTEM_PARTITION_HANDLE #ifndef MEMORY_EXISTING_VAD_PARTITION_HANDLE #define MEMORY_EXISTING_VAD_PARTITION_HANDLE ((HANDLE)(LONG_PTR)-3) #endif // MEMORY_EXISTING_VAD_PARTITION_HANDLE #ifndef MEMORY_PARTITION_QUERY_ACCESS #define MEMORY_PARTITION_QUERY_ACCESS 0x0001 #define MEMORY_PARTITION_MODIFY_ACCESS 0x0002 #define MEMORY_PARTITION_ALL_ACCESS \ (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS) #endif // MEMORY_PARTITION_QUERY_ACCESS #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef enum _PARTITION_INFORMATION_CLASS { SystemMemoryPartitionInformation, // q: MEMORY_PARTITION_CONFIGURATION_INFORMATION SystemMemoryPartitionMoveMemory, // s: MEMORY_PARTITION_TRANSFER_INFORMATION SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION SystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 SystemMemoryPartitionSetAttributes, SystemMemoryPartitionNodeInformation, SystemMemoryPartitionCreateLargePages, SystemMemoryPartitionDedicatedMemoryInformation, SystemMemoryPartitionOpenDedicatedMemory, // 10 SystemMemoryPartitionMemoryChargeAttributes, SystemMemoryPartitionClearAttributes, SystemMemoryPartitionSetMemoryThresholds, // since WIN11 SystemMemoryPartitionMemoryListCommand, // since 24H2 SystemMemoryPartitionMax } PARTITION_INFORMATION_CLASS, *PPARTITION_INFORMATION_CLASS; #else #define SystemMemoryPartitionInformation 0x0 #define SystemMemoryPartitionMoveMemory 0x1 #define SystemMemoryPartitionAddPagefile 0x2 #define SystemMemoryPartitionCombineMemory 0x3 #define SystemMemoryPartitionInitialAddMemory 0x4 #define SystemMemoryPartitionGetMemoryEvents 0x5 #define SystemMemoryPartitionSetAttributes 0x6 #define SystemMemoryPartitionNodeInformation 0x7 #define SystemMemoryPartitionCreateLargePages 0x8 #define SystemMemoryPartitionDedicatedMemoryInformation 0x9 #define SystemMemoryPartitionOpenDedicatedMemory 0xA #define SystemMemoryPartitionMemoryChargeAttributes 0xB #define SystemMemoryPartitionClearAttributes 0xC #define SystemMemoryPartitionSetMemoryThresholds 0xD #define SystemMemoryPartitionMemoryListCommand 0xE #define SystemMemoryPartitionMax 0xF #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION { ULONG Flags; ULONG NumaNode; ULONG Channel; ULONG NumberOfNumaNodes; SIZE_T ResidentAvailablePages; SIZE_T CommittedPages; SIZE_T CommitLimit; SIZE_T PeakCommitment; SIZE_T TotalNumberOfPages; SIZE_T AvailablePages; SIZE_T ZeroPages; SIZE_T FreePages; SIZE_T StandbyPages; SIZE_T StandbyPageCountByPriority[8]; // since REDSTONE2 SIZE_T RepurposedPagesByPriority[8]; SIZE_T MaximumCommitLimit; SIZE_T Reserved; // DonatedPagesToPartitions ULONG PartitionId; // since REDSTONE3 } MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION; // private typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION { SIZE_T NumberOfPages; ULONG NumaNode; ULONG Flags; } MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION; // private typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION { UNICODE_STRING PageFileName; LARGE_INTEGER MinimumSize; LARGE_INTEGER MaximumSize; ULONG Flags; } MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION; // private typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION { HANDLE StopHandle; ULONG Flags; SIZE_T TotalNumberOfPages; } MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; // private typedef struct _MEMORY_PARTITION_PAGE_RANGE { ULONG_PTR StartPage; ULONG_PTR NumberOfPages; } MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE; // private typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION { ULONG Flags; ULONG NumberOfRanges; SIZE_T NumberOfPagesAdded; MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; } MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; // private typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION { union { struct { ULONG CommitEvents : 1; ULONG Spare : 31; }; ULONG AllFlags; } Flags; ULONG HandleAttributes; ACCESS_MASK DesiredAccess; HANDLE LowCommitCondition; // \KernelObjects\LowCommitCondition HANDLE HighCommitCondition; // \KernelObjects\HighCommitCondition HANDLE MaximumCommitCondition; // \KernelObjects\MaximumCommitCondition } MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, *PMEMORY_PARTITION_MEMORY_EVENTS_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_VERSION >= PHNT_WINDOWS_10) NTSYSCALLAPI NTSTATUS NTAPI NtCreatePartition( _In_opt_ HANDLE ParentPartitionHandle, _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenPartition( _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtManagePartition( _In_ HANDLE TargetHandle, _In_opt_ HANDLE SourceHandle, _In_ PARTITION_INFORMATION_CLASS PartitionInformationClass, _Inout_updates_bytes_(PartitionInformationLength) PVOID PartitionInformation, _In_ ULONG PartitionInformationLength ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) // // User physical pages // /** * Maps previously allocated physical memory pages at a specified address in an Address Windowing Extensions (AWE) region. * * \param VirtualAddress A pointer to the starting address of the region of memory to remap. The value of VirtualAddress must be within the address range that the VirtualAlloc function returns when the Address Windowing Extensions (AWE) region is allocated. * \param NumberOfPages The size of the physical memory and virtual address space for which to establish translations, in pages. * \param UserPfnArray A pointer to an array of physical page frame numbers. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-mapuserphysicalpages */ NTSYSCALLAPI NTSTATUS NTAPI NtMapUserPhysicalPages( _In_ PVOID VirtualAddress, _In_ SIZE_T NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); /** * Maps previously allocated physical memory pages at a specified address in an Address Windowing Extensions (AWE) region. * * \param VirtualAddresses A pointer to an array of starting addresses of the regions of memory to remap. The value of VirtualAddress must be within the address range that the VirtualAlloc function returns when the Address Windowing Extensions (AWE) region is allocated. * \param NumberOfPages The size of the physical memory and virtual address space for which to establish translations, in pages. * \param UserPfnArray A pointer to an array of values that indicates how each corresponding page in VirtualAddresses should be treated. A 0 (zero) indicates the entry should be unmapped, and any nonzero value should be mapped. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-mapuserphysicalpagesscatter */ NTSYSCALLAPI NTSTATUS NTAPI NtMapUserPhysicalPagesScatter( _In_reads_(NumberOfPages) PVOID *VirtualAddresses, _In_ SIZE_T NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); /** * Allocates physical memory pages to be mapped and unmapped within any Address Windowing Extensions (AWE) region of a specified process. * * \param ProcessHandle A handle to the process whose physical memory pages are to be allocated within the virtual address space of this process. * \param NumberOfPages The size of the physical memory to allocate, in pages. * \param UserPfnArray A pointer to an array to store the page frame numbers of the allocated memory. Do not attempt to modify this buffer. It contains operating system data, and corruption could be catastrophic. The information in the buffer is not useful to an application. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-allocateuserphysicalpages */ NTSYSCALLAPI NTSTATUS NTAPI NtAllocateUserPhysicalPages( _In_ HANDLE ProcessHandle, _Inout_ PSIZE_T NumberOfPages, _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray ); #if (PHNT_VERSION >= PHNT_WINDOWS_10) /** * Allocates physical memory pages to be mapped and unmapped within any Address Windowing Extensions (AWE) region of a specified process, with extended parameters. * * \param ProcessHandle A handle to the process whose physical memory pages are to be allocated within the virtual address space of this process. * \param NumberOfPages The size of the physical memory to allocate, in pages. * \param UserPfnArray A pointer to an array to store the page frame numbers of the allocated memory. Do not attempt to modify this buffer. It contains operating system data, and corruption could be catastrophic. The information in the buffer is not useful to an application. * \param ExtendedParameters Pointer to an array of MEM_EXTENDED_PARAMETER structures. * \param ExtendedParameterCount The number of MEM_EXTENDED_PARAMETER in the ExtendedParameters array. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-allocateuserphysicalpages */ NTSYSCALLAPI NTSTATUS NTAPI NtAllocateUserPhysicalPagesEx( _In_ HANDLE ProcessHandle, _Inout_ PULONG_PTR NumberOfPages, _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) /** * Frees physical memory pages that are allocated previously by using NtAllocateUserPhysicalPages. * * \param ProcessHandle A handle to the process. The function frees memory within the virtual address space of this process. * \param NumberOfPages The size of the physical memory to free, in pages. On return, if the function fails, this parameter indicates the number of pages that are freed. * \param UserPfnArray A pointer to an array of page frame numbers of the allocated memory to be freed. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-freeuserphysicalpages */ NTSYSCALLAPI NTSTATUS NTAPI NtFreeUserPhysicalPages( _In_ HANDLE ProcessHandle, _Inout_ PULONG_PTR NumberOfPages, _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray ); // // Misc. // /** * Retrieves the addresses of the pages that are written to in a region of virtual memory. * * \param ProcessHandle A handle to the process whose watch information is to be queried. * \param Flags Additional flags for the operation. To reset the write-tracking state, set this parameter to WRITE_WATCH_FLAG_RESET. Otherwise, set this parameter to zero. * \param BaseAddress The base address of the memory region for which to retrieve write-tracking information. This address must a region that is allocated using MEM_WRITE_WATCH. * \param RegionSize The size of the memory region for which to retrieve write-tracking information, in bytes. * \param UserAddressArray A pointer to a buffer that receives an array of page addresses that have been written to since the region has been allocated or the write-tracking state has been reset. * \param EntriesInUserAddressArray On input, this variable indicates the size of the UserAddressArray array. On output, the variable receives the number of page addresses that are returned in the array. * \param Granularity A pointer to a variable that receives the page size, in bytes. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-getwritewatch */ NTSYSCALLAPI NTSTATUS NTAPI NtGetWriteWatch( _In_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _Out_writes_(*EntriesInUserAddressArray) PVOID *UserAddressArray, _Inout_ PULONG_PTR EntriesInUserAddressArray, _Out_ PULONG Granularity ); /** * Resets the write-tracking state for a region of virtual memory. * * \param ProcessHandle A handle to the process whose watch information is to be reset. * \param BaseAddress A pointer to the base address of the memory region for which to reset the write-tracking state. * \param RegionSize The size of the memory region for which to reset the write-tracking information, in bytes. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-resetwritewatch */ NTSYSCALLAPI NTSTATUS NTAPI NtResetWriteWatch( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize ); /** * Creates or extends a paging file. * * \param PageFileName The NT path of the paging file to create or extend. * \param MinimumSize A pointer to the minimum size of the paging file, in bytes. * \param MaximumSize A pointer to the maximum size of the paging file, in bytes. * \param Priority The paging file priority. * \return NTSTATUS Successful or errant status. * \remarks The caller must have the SeCreatePagefilePrivilege privilege. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreatePagingFile( _In_ PCUNICODE_STRING PageFileName, _In_ PLARGE_INTEGER MinimumSize, _In_ PLARGE_INTEGER MaximumSize, _In_ ULONG Priority ); /** * Flushes the instruction cache for the specified process. * * \param ProcessHandle A handle to the process whose instruction cache is to be flushed. * \param BaseAddress A pointer to the base address of the memory region to be flushed. This parameter can be NULL. * \param RegionSize The size of the memory region to be flushed, in bytes. * \return NTSTATUS Successful or errant status. * \remarks Applications should call NtFlushInstructionCache if they generate or modify code in memory. The CPU cannot detect the change, and may execute the old code it cached. * \see https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-flushinstructioncache */ NTSYSCALLAPI NTSTATUS NTAPI NtFlushInstructionCache( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ SIZE_T RegionSize ); /** * The NtFlushWriteBuffer routine flushes the write queue of the current processor that is running a thread of the current process. * * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtFlushWriteBuffer( VOID ); /** * The NtFlushProcessWriteBuffers routine flushes the write queue of each processor that is running a thread of the current process. * * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-flushprocesswritebuffers */ NTSYSCALLAPI NTSTATUS NTAPI NtFlushProcessWriteBuffers( VOID ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Enclave support // #if (PHNT_VERSION >= PHNT_WINDOWS_10) /** * Creates a new uninitialized enclave. An enclave is an isolated region of code and data within the address space for an application. * Only code that runs within the enclave can access data within the same enclave. * * \param ProcessHandle A handle to the process for which you want to create an enclave. * \param BaseAddress The preferred base address of the enclave. Specify NULL to have the operating system assign the base address. * \param ZeroBits The number of high-order address bits that must be zero in the base address of the section view. This value must be less than 21 and the initial value of BaseAddress must be zero. * \param Size The size of the enclave that you want to create, including the size of the code that you will load into the enclave, in bytes. VBS enclaves must be a multiple of 2 MB in size. * SGX enclaves must be a power of 2 in size and must have their base aligned to the same power of 2 as the size, with a minimum alignment of 2 MB. As an example, if the enclave is 128 MB, then its base must be aligned to a 128 MB boundary. * \param InitialCommitment The amount of memory to commit for the enclave, in bytes. * \param EnclaveType The architecture type of the enclave that you want to create. To verify that an enclave type is supported, call IsEnclaveTypeSupported. * \param EnclaveInformation A pointer to the architecture-specific information to use to create the enclave. * \param EnclaveInformationLength The length of the structure that the EnclaveInformation parameter points to, in bytes. * For the ENCLAVE_TYPE_SGX and ENCLAVE_TYPE_SGX2 enclave types, this value must be 4096. For the ENCLAVE_TYPE_VBS enclave type, this value must be sizeof(ENCLAVE_CREATE_INFO_VBS), which is 36 bytes. * \param EnclaveError An optional pointer to a variable that receives an enclave error code that is architecture-specific. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-createenclave */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateEnclave( _In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T Size, _In_ SIZE_T InitialCommitment, _In_ ULONG EnclaveType, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_opt_ PULONG EnclaveError ); /** * Loads data into an uninitialized enclave that you created by calling NtCreateEnclave. * * \param ProcessHandle A handle to the process for which the enclave was created. * \param BaseAddress The address in the enclave where you want to load the data. * \param Buffer A pointer to the data the you want to load into the enclave. * \param BufferSize The size of the data that you want to load into the enclave, in bytes. This value must be a whole-number multiple of the page size. * \param Protect The memory protection to use for the pages that you want to add to the enclave. * \param PageInformation A pointer to information that describes the pages that you want to add to the enclave. * \param PageInformationLength The length of the structure that the PageInformation parameter points to, in bytes. * \param NumberOfBytesWritten A pointer to a variable that receives the number of bytes that NtLoadEnclaveData copied into the enclave. * \param EnclaveError An optional pointer to a variable that receives an enclave error code that is architecture-specific. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-loadenclavedata */ NTSYSCALLAPI NTSTATUS NTAPI NtLoadEnclaveData( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _In_ ULONG Protect, _In_reads_bytes_(PageInformationLength) PVOID PageInformation, _In_ ULONG PageInformationLength, _Out_opt_ PSIZE_T NumberOfBytesWritten, _Out_opt_ PULONG EnclaveError ); /** * Initializes an enclave that you created and loaded with data. * * \param ProcessHandle A handle to the process for which the enclave was created. * \param BaseAddress Any address within the enclave. * \param EnclaveInformation A pointer to architecture-specific information to use to initialize the enclave. * \param EnclaveInformationLength The length of the structure that the EnclaveInformation parameter points to, in bytes. * \param EnclaveError An optional pointer to a variable that receives an enclave error code that is architecture-specific. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-initializeenclave */ NTSYSCALLAPI NTSTATUS NTAPI NtInitializeEnclave( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_opt_ PULONG EnclaveError ); // rev #define TERMINATE_ENCLAVE_VALID_FLAGS 0x00000005ul #define TERMINATE_ENCLAVE_FLAG_NO_WAIT 0x00000001ul #define TERMINATE_ENCLAVE_FLAG_WAIT_ERROR 0x00000004ul // STATUS_PENDING -> STATUS_ENCLAVE_NOT_TERMINATED // rev /** * Ends the execution of the threads that are running within an enclave. * * \param BaseAddress The base address of the enclave in which to end the execution of the threads. * \param Flags Additional flags for the termination operation. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-terminateenclave */ NTSYSCALLAPI NTSTATUS NTAPI NtTerminateEnclave( _In_ PVOID BaseAddress, _In_ ULONG Flags // TERMINATE_ENCLAVE_FLAG_* ); #if (PHNT_MODE != PHNT_MODE_KERNEL) // rev #define ENCLAVE_CALL_VALID_FLAGS 0x00000001ul #define ENCLAVE_CALL_FLAG_NO_WAIT 0x00000001ul // rev /** * Calls a function within an enclave. NtCallEnclave can also be called within an enclave to call a function outside of the enclave. * * \param Routine The address of the function that you want to call. * \param Reserved Reserved for dispatch (RtlEnclaveCallDispatch) * \param Flags Additional flags for the call operation. * \param RoutineParamReturn The parameter than you want to pass to the function and return value of the function. * \return NTSTATUS Successful or errant status. * \see https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-callenclave */ NTSYSCALLAPI NTSTATUS NTAPI NtCallEnclave( _In_ PENCLAVE_ROUTINE Routine, _In_ PVOID Reserved, // SelectVsmEnclaveByNumber > 0 // reserved for dispatch (RtlEnclaveCallDispatch) _In_ ULONG Flags, // ENCLAVE_CALL_FLAG_* _Inout_ PVOID* RoutineParamReturn // input routine parameter, output routine return value ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) #endif // _NTMMAPI_H ================================================ FILE: phnt/include/ntnls.h ================================================ /* * National Language Support functions * * This file is part of System Informer. */ #ifndef _NTNLS_H #define _NTNLS_H #define MAXIMUM_LEADBYTES 12 /** * Stores the NLS file formats. * * \sa https://learn.microsoft.com/en-us/previous-versions/mt791523(v=vs.85) */ typedef struct _CPTABLEINFO { USHORT CodePage; // Specifies the code page number. USHORT MaximumCharacterSize; // Specifies the maximum length in bytes of a character. USHORT DefaultChar; // Specifies the default character (MB). USHORT UniDefaultChar; // Specifies the default character (Unicode). USHORT TransDefaultChar; // Specifies the translation of the default character (Unicode). USHORT TransUniDefaultChar; // Specifies the translation of the Unicode default character (MB). USHORT DBCSCodePage; // Specifies non-zero for DBCS code pages. UCHAR LeadByte[MAXIMUM_LEADBYTES]; // Specifies the lead byte ranges. PUSHORT MultiByteTable; // Specifies a pointer to a MB translation table. PVOID WideCharTable; // Specifies a pointer to a WC translation table. PUSHORT DBCSRanges; // Specifies a pointer to DBCS ranges. PUSHORT DBCSOffsets; // Specifies a pointer to DBCS offsets. } CPTABLEINFO, *PCPTABLEINFO; /** * Stores the NLS file formats. * * \sa https://learn.microsoft.com/en-us/previous-versions/mt791531(v=vs.85) */ typedef struct _NLSTABLEINFO { CPTABLEINFO OemTableInfo; // Specifies OEM table. CPTABLEINFO AnsiTableInfo; // Specifies an ANSI table. PUSHORT UpperCaseTable; // Specifies an 844 format uppercase table. PUSHORT LowerCaseTable; // Specifies an 844 format lowercase table. } NLSTABLEINFO, *PNLSTABLEINFO; // // Data exports (ntdll.lib/ntdllp.lib) // #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSAPI USHORT NlsAnsiCodePage; NTSYSAPI BOOLEAN NlsMbCodePageTag; NTSYSAPI BOOLEAN NlsMbOemCodePageTag; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #endif // _NTNLS_H ================================================ FILE: phnt/include/ntobapi.h ================================================ /* * Object Manager support functions * * This file is part of System Informer. */ #ifndef _NTOBAPI_H #define _NTOBAPI_H // // Object Specific Access Rights // #ifndef OBJECT_TYPE_CREATE #define OBJECT_TYPE_CREATE 0x0001 #endif #ifndef OBJECT_TYPE_ALL_ACCESS #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | OBJECT_TYPE_CREATE) #endif // // Directory Object Specific Access Rights // #ifndef DIRECTORY_QUERY #define DIRECTORY_QUERY 0x0001 #endif #ifndef DIRECTORY_TRAVERSE #define DIRECTORY_TRAVERSE 0x0002 #endif #ifndef DIRECTORY_CREATE_OBJECT #define DIRECTORY_CREATE_OBJECT 0x0004 #endif #ifndef DIRECTORY_CREATE_SUBDIRECTORY #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 #endif #ifndef DIRECTORY_ALL_ACCESS #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | DIRECTORY_QUERY | DIRECTORY_TRAVERSE | DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY) #endif // // Symbolic Link Specific Access Rights // #ifndef SYMBOLIC_LINK_QUERY #define SYMBOLIC_LINK_QUERY 0x0001 #endif #ifndef SYMBOLIC_LINK_SET #define SYMBOLIC_LINK_SET 0x0002 #endif #ifndef SYMBOLIC_LINK_ALL_ACCESS #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY) #endif #ifndef SYMBOLIC_LINK_ALL_ACCESS_EX #define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | SPECIFIC_RIGHTS_ALL) #endif // // Object Attribute Flags // #ifndef OBJ_PROTECT_CLOSE #define OBJ_PROTECT_CLOSE 0x00000001 #endif #ifndef OBJ_INHERIT #define OBJ_INHERIT 0x00000002 #endif #ifndef OBJ_AUDIT_OBJECT_CLOSE #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 #endif // // Object Information // #if (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _OBJECT_INFORMATION_CLASS { ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION ObjectNameInformation, // q: OBJECT_NAME_INFORMATION ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) ObjectSetRefTraceInformation, // since 25H2 MaxObjectInfoClass } OBJECT_INFORMATION_CLASS; #else #define ObjectBasicInformation 0 #define ObjectNameInformation 1 #define ObjectTypeInformation 2 #define ObjectTypesInformation 3 #define ObjectHandleFlagInformation 4 #define ObjectSessionInformation 5 #define ObjectSessionObjectInformation 6 #define ObjectSetRefTraceInformation 7 #define MaxObjectInfoClass 8 #endif // (PHNT_MODE != PHNT_MODE_KERNEL) /** * The OBJECT_BASIC_INFORMATION structure contains basic information about an object. */ typedef struct _OBJECT_BASIC_INFORMATION { ULONG Attributes; // The attributes of the object include whether the object is permanent, can be inherited, and other characteristics. ACCESS_MASK GrantedAccess; // Specifies a mask that represents the granted access when the object was created. ULONG HandleCount; // The number of handles that are currently open for the object. ULONG PointerCount; // The number of references to the object from both handles and other references, such as those from the system. ULONG PagedPoolCharge; // The amount of paged pool memory that the object is using. ULONG NonPagedPoolCharge; // The amount of non-paged pool memory that the object is using. ULONG Reserved[3]; // Reserved for future use. ULONG NameInfoSize; // The size of the name information for the object. ULONG TypeInfoSize; // The size of the type information for the object. ULONG SecurityDescriptorSize; // The size of the security descriptor for the object. LARGE_INTEGER CreationTime; // The time when a symbolic link was created. Not supported for other types of objects. } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * The OBJECT_NAME_INFORMATION structure contains the name, if there is one, of a given object. */ typedef struct _OBJECT_NAME_INFORMATION { UNICODE_STRING Name; // The object name (when present) includes a NULL-terminator and all path separators "\" in the name. } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) /** * The OBJECT_NAME_INFORMATION structure contains various statistics and properties about an object type. */ typedef struct _OBJECT_TYPE_INFORMATION { UNICODE_STRING TypeName; ULONG TotalNumberOfObjects; ULONG TotalNumberOfHandles; ULONG TotalPagedPoolUsage; ULONG TotalNonPagedPoolUsage; ULONG TotalNamePoolUsage; ULONG TotalHandleTableUsage; ULONG HighWaterNumberOfObjects; ULONG HighWaterNumberOfHandles; ULONG HighWaterPagedPoolUsage; ULONG HighWaterNonPagedPoolUsage; ULONG HighWaterNamePoolUsage; ULONG HighWaterHandleTableUsage; ULONG InvalidAttributes; GENERIC_MAPPING GenericMapping; ULONG ValidAccessMask; BOOLEAN SecurityRequired; BOOLEAN MaintainHandleCount; UCHAR TypeIndex; // since WINBLUE CHAR ReservedByte; ULONG PoolType; ULONG DefaultPagedPoolCharge; ULONG DefaultNonPagedPoolCharge; } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; typedef struct _OBJECT_TYPES_INFORMATION { ULONG NumberOfTypes; } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; typedef struct _OBJECT_HANDLE_FLAG_INFORMATION { BOOLEAN Inherit; BOOLEAN ProtectFromClose; } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; // // Objects, handles // #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * The NtQueryObject routine retrieves various kinds of object information. * * \param Handle The handle of the object for which information is being queried. * \param ObjectInformationClass The information class indicating the kind of object information to be retrieved. * \param ObjectInformation An optional pointer to a buffer where the requested information is to be returned. * \param ObjectInformationLength The size of the buffer pointed to by the ObjectInformation parameter, in bytes. * \param ReturnLength An optional pointer to a location where the function writes the actual size of the information requested. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryobject */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryObject( _In_opt_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength ); /** * The NtSetInformationObject routine changes various kinds of information about a object. * * \param Handle The handle of the object for which information is being changed. * \param ObjectInformationClass The type of information, supplied in the buffer pointed to by ObjectInformation, to set for the object. * \param ObjectInformation Pointer to a buffer that contains the information to set for the object. * \param ObjectInformationLength The size of the buffer pointed to by the ObjectInformation parameter, in bytes. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationObject( _In_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength ); #define DUPLICATE_CLOSE_SOURCE 0x00000001 // Close the source handle. #define DUPLICATE_SAME_ACCESS 0x00000002 // Instead of using the DesiredAccess parameter, copy the access rights from the source handle to the target handle. #define DUPLICATE_SAME_ATTRIBUTES 0x00000004 // Instead of using the HandleAttributes parameter, copy the attributes from the source handle to the target handle. /** * The NtDuplicateObject routine creates a handle that is a duplicate of the specified source handle. * * \param SourceProcessHandle A handle to the source process for the handle being duplicated. * \param SourceHandle The handle to duplicate. * \param TargetProcessHandle A handle to the target process that is to receive the new handle. This parameter is optional and can be specified as NULL if the DUPLICATE_CLOSE_SOURCE flag is set in Options. * \param TargetHandle A pointer to a HANDLE variable into which the routine writes the new duplicated handle. The duplicated handle is valid in the specified target process. This parameter is optional and can be specified as NULL if no duplicate handle is to be created. * \param DesiredAccess An ACCESS_MASK value that specifies the desired access for the new handle. * \param HandleAttributes A ULONG that specifies the desired attributes for the new handle. * \param Options A set of flags to control the behavior of the duplication operation. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwduplicateobject */ NTSYSCALLAPI NTSTATUS NTAPI NtDuplicateObject( _In_ HANDLE SourceProcessHandle, _In_ HANDLE SourceHandle, _In_opt_ HANDLE TargetProcessHandle, _Out_opt_ PHANDLE TargetHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _In_ ULONG Options ); /** * The NtMakeTemporaryObject routine changes the attributes of an object to make it temporary. * * \param Handle Handle to an object of any type. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmaketemporaryobject */ NTSYSCALLAPI NTSTATUS NTAPI NtMakeTemporaryObject( _In_ HANDLE Handle ); /** * The NtMakePermanentObject routine changes the attributes of an object to make it permanent. * * \param Handle Handle to an object of any type. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmaketemporaryobject */ NTSYSCALLAPI NTSTATUS NTAPI NtMakePermanentObject( _In_ HANDLE Handle ); /** * The NtSignalAndWaitForSingleObject routine signals one object and waits on another object as a single operation. * * \param SignalHandle A handle to the object to be signaled. * \param WaitHandle A handle to the object to wait on. The SYNCHRONIZE access right is required. * \param Alertable If this parameter is TRUE, the function returns when the system queues an I/O completion routine or APC function, and the thread calls the function. * \param Timeout The time-out interval. The function returns if the interval elapses, even if the object's state is nonsignaled and no completion or APC objects are queued. * If zero, the function tests the object's state, checks for queued completion routines or APCs, and returns immediately. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-signalobjectandwait */ NTSYSCALLAPI NTSTATUS NTAPI NtSignalAndWaitForSingleObject( _In_ HANDLE SignalHandle, _In_ HANDLE WaitHandle, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout ); /** * The NtWaitForSingleObject routine waits until the specified object is in the signaled state or the time-out interval elapses. * * \param Handle The handle to the wait object. * \param Alertable The function returns when either the time-out period has elapsed or when the APC function is called. * \param Timeout A pointer to an absolute or relative time over which the wait is to occur. Can be null. If a timeout is specified, * and the object has not attained a state of signaled when the timeout expires, then the wait is automatically satisfied. * If an explicit timeout value of zero is specified, then no wait occurs if the wait cannot be satisfied immediately. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntwaitforsingleobject */ NTSYSCALLAPI NTSTATUS NTAPI NtWaitForSingleObject( _In_ HANDLE Handle, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout ); /** * The NtWaitForMultipleObjects routine waits until one or all of the specified objects are in the signaled state, an I/O completion routine or asynchronous procedure call (APC) is queued to the thread, or the time-out interval elapses. * * \param Count The number of object handles to wait for in the array pointed to by lpHandles. The maximum number of object handles is MAXIMUM_WAIT_OBJECTS. This parameter cannot be zero. * \param Handles An array of object handles. The array can contain handles of objects of different types. It may not contain multiple copies of the same handle. * \param WaitType If this parameter is WaitAll, the function returns when the state of all objects in the Handles array is set to signaled. * \param Alertable f this parameter is TRUE and the thread is in the waiting state, the function returns when the system queues an I/O completion routine or APC, and the thread runs the routine or function. * \param Timeout A pointer to an absolute or relative time over which the wait is to occur. Can be null. If a timeout is specified, * and the object has not attained a state of signaled when the timeout expires, then the wait is automatically satisfied. * If an explicit timeout value of zero is specified, then no wait occurs if the wait cannot be satisfied immediately. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitformultipleobjectsex */ NTSYSCALLAPI NTSTATUS NTAPI NtWaitForMultipleObjects( _In_ ULONG Count, _In_reads_(Count) HANDLE Handles[], _In_ WAIT_TYPE WaitType, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout ); NTSYSCALLAPI NTSTATUS NTAPI NtWaitForMultipleObjects32( _In_ ULONG Count, _In_reads_(Count) LONG Handles[], _In_ WAIT_TYPE WaitType, _In_ BOOLEAN Alertable, _In_opt_ PLARGE_INTEGER Timeout ); /** * The NtSetSecurityObject routine sets an object's security state. * * \param Handle Handle for the object whose security state is to be set. * \param SecurityInformation A SECURITY_INFORMATION value specifying the information to be set. * \param SecurityDescriptor Pointer to the security descriptor to be set for the object. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwsetsecurityobject */ NTSYSCALLAPI NTSTATUS NTAPI NtSetSecurityObject( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); /** * The NtQuerySecurityObject routine retrieves a copy of an object's security descriptor. * * \param Handle Handle for the object whose security descriptor is to be queried. * \param SecurityInformation A SECURITY_INFORMATION value specifying the information to be queried. * \param SecurityDescriptor Caller-allocated buffer that NtQuerySecurityObject fills with a copy of the specified security descriptor. * \param Length Size, in bytes, of the buffer pointed to by SecurityDescriptor. * \param LengthNeeded Pointer to a caller-allocated variable that receives the number of bytes required to store the copied security descriptor. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntquerysecurityobject */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySecurityObject( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_writes_bytes_to_opt_(Length, *LengthNeeded) PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Length, _Out_ PULONG LengthNeeded ); /** * The NtClose routine closes the specified handle. * * \param Handle The handle being closed. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwclose */ NTSYSCALLAPI NTSTATUS NTAPI NtClose( _In_ _Post_ptr_invalid_ HANDLE Handle ); #if (PHNT_VERSION >= PHNT_WINDOWS_10) /** * Compares two object handles to determine if they refer to the same underlying kernel object. * * \param FirstObjectHandle The first object handle to compare. * \param SecondObjectHandle The second object handle to compare. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-compareobjecthandles */ NTSYSCALLAPI NTSTATUS NTAPI NtCompareObjects( _In_ HANDLE FirstObjectHandle, _In_ HANDLE SecondObjectHandle ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Directory objects // #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * The NtCreateDirectoryObject routine creates or opens an object-directory object. * * \param DirectoryHandle Pointer to a HANDLE variable that receives a handle to the object directory. * \param DesiredAccess An ACCESS_MASK that specifies the requested access to the directory object. * \param ObjectAttributes The attributes for the directory object. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwcreatedirectoryobject */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateDirectoryObject( _Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtCreateDirectoryObjectEx( _Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ShadowDirectoryHandle, _In_ ULONG Flags ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) /** * Opens an existing directory object. * * \param DirectoryHandle A handle to the newly opened directory object. * \param DesiredAccess An ACCESS_MASK that specifies the requested access to the directory object. * \param ObjectAttributes The attributes for the directory object. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntopendirectoryobject */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenDirectoryObject( _Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); /** * The OBJECT_DIRECTORY_INFORMATION structure contains information about the directory object. */ typedef struct _OBJECT_DIRECTORY_INFORMATION { UNICODE_STRING Name; UNICODE_STRING TypeName; } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; /** * Retrieves information about the specified directory object. * * \param DirectoryHandle A handle to the directory object. This handle must have been opened with the appropriate access rights. * \param Buffer A pointer to a buffer that receives the directory information. * \param Length The size, in bytes, of the buffer pointed to by the Buffer parameter. * \param ReturnSingleEntry A BOOLEAN value that specifies whether to return a single entry or multiple entries. * \param RestartScan A BOOLEAN value that specifies whether to restart the scan from the beginning of the directory. * \param Context A pointer to a variable that maintains the context of the directory enumeration. * \param ReturnLength An optional pointer to a variable that receives the number of bytes returned in the buffer. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntquerydirectoryobject */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryDirectoryObject( _In_ HANDLE DirectoryHandle, _Out_writes_bytes_opt_(Length) PVOID Buffer, _In_ ULONG Length, _In_ BOOLEAN ReturnSingleEntry, _In_ BOOLEAN RestartScan, _Inout_ PULONG Context, _Out_opt_ PULONG ReturnLength ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Private namespaces // #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef enum _BOUNDARY_ENTRY_TYPE { BOUNDARY_ENTRY_TYPE_INVALID, BOUNDARY_ENTRY_TYPE_NAME, BOUNDARY_ENTRY_TYPE_SID, BOUNDARY_ENTRY_TYPE_IL } BOUNDARY_ENTRY_TYPE; // private typedef union _OBJECT_BOUNDARY_VALUE { WCHAR Name[1]; PSID Sid; PSID IntegrityLabel; } OBJECT_BOUNDARY_VALUE, *POBJECT_BOUNDARY_VALUE; // private typedef struct _OBJECT_BOUNDARY_ENTRY { BOUNDARY_ENTRY_TYPE Type; ULONG Size; // OBJECT_BOUNDARY_VALUE Value; } OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY; // rev #define OBJECT_BOUNDARY_DESCRIPTOR_VERSION 1 // private typedef struct _OBJECT_BOUNDARY_DESCRIPTOR { ULONG Version; ULONG Items; ULONG TotalSize; union { ULONG Flags; struct { ULONG AddAppContainerSid : 1; ULONG Reserved : 31; }; }; //OBJECT_BOUNDARY_ENTRY Entries[1]; } OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR; /** * Creates a private namespace. * * \param NamespaceHandle A handle to the newly created private namespace. * \param DesiredAccess An ACCESS_MASK that specifies the requested access to the private namespace. * \param ObjectAttributes The attributes for the private namespace. * \param BoundaryDescriptor A descriptor that defines how the namespace is to be isolated. The RtlCreateBoundaryDescriptor function creates a boundary descriptor. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprivatenamespacea */ NTSYSCALLAPI NTSTATUS NTAPI NtCreatePrivateNamespace( _Out_ PHANDLE NamespaceHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor ); /** * Opens a private namespace. * * \param NamespaceHandle A handle to the newly opened private namespace. * \param DesiredAccess An ACCESS_MASK that specifies the requested access to the private namespace. * \param ObjectAttributes The attributes for the private namespace. * \param BoundaryDescriptor A descriptor that defines how the namespace is to be isolated. The RtlCreateBoundaryDescriptor function creates a boundary descriptor. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openprivatenamespacea */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenPrivateNamespace( _Out_ PHANDLE NamespaceHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor ); /** * Deletes an open namespace handle. * * \param NamespaceHandle A handle to the private namespace. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/namespaceapi/nf-namespaceapi-closeprivatenamespace */ NTSYSCALLAPI NTSTATUS NTAPI NtDeletePrivateNamespace( _In_ HANDLE NamespaceHandle ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Symbolic links // #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI NTSTATUS NTAPI NtCreateSymbolicLinkObject( _Out_ PHANDLE LinkHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ PCUNICODE_STRING LinkTarget ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenSymbolicLinkObject( _Out_ PHANDLE LinkHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtQuerySymbolicLinkObject( _In_ HANDLE LinkHandle, _Inout_ PUNICODE_STRING LinkTarget, _Out_opt_ PULONG ReturnedLength ); typedef enum _SYMBOLIC_LINK_INFO_CLASS { SymbolicLinkGlobalInformation = 1, // s: ULONG SymbolicLinkAccessMask, // s: ACCESS_MASK MaxnSymbolicLinkInfoClass } SYMBOLIC_LINK_INFO_CLASS; #if (PHNT_VERSION >= PHNT_WINDOWS_10) NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationSymbolicLink( _In_ HANDLE LinkHandle, _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, _In_ ULONG SymbolicLinkInformationLength ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #endif // _NTOBAPI_H ================================================ FILE: phnt/include/ntpebteb.h ================================================ /* * Process and Thread Environment Block support functions * * This file is part of System Informer. */ #ifndef _NTPEBTEB_H #define _NTPEBTEB_H #ifdef __has_include #if __has_include () #include #endif // __has_include #if __has_include () #include #endif // __has_include #endif // __has_include typedef struct _APPCOMPAT_EXE_DATA APPCOMPAT_EXE_DATA, *PAPPCOMPAT_EXE_DATA; typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; typedef struct _SILO_USER_SHARED_DATA *PSILO_USER_SHARED_DATA; typedef struct _LDR_RESLOADER_RET LDR_RESLOADER_RET, *PLDR_RESLOADER_RET; typedef struct _LEAP_SECOND_DATA *PLEAP_SECOND_DATA; typedef struct _PEB_LDR_DATA PEB_LDR_DATA, *PPEB_LDR_DATA; typedef struct tagSOleTlsData SOleTlsData, *PSOleTlsData; typedef struct _KERNEL_CALLBACK_TABLE KERNEL_CALLBACK_TABLE, *PKERNEL_CALLBACK_TABLE; typedef struct _GDI_HANDLE_ENTRY GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; // PEB->AppCompatFlags #define KACF_OLDGETSHORTPATHNAME 0x00000001 #define KACF_VERSIONLIE_NOT_USED 0x00000002 #define KACF_GETTEMPPATH_NOT_USED 0x00000004 #define KACF_GETDISKFREESPACE 0x00000008 #define KACF_FTMFROMCURRENTAPT 0x00000020 #define KACF_DISALLOWORBINDINGCHANGES 0x00000040 #define KACF_OLE32VALIDATEPTRS 0x00000080 #define KACF_DISABLECICERO 0x00000100 #define KACF_OLE32ENABLEASYNCDOCFILE 0x00000200 #define KACF_OLE32ENABLELEGACYEXCEPTIONHANDLING 0x00000400 #define KACF_RPCDISABLENDRCLIENTHARDENING 0x00000800 #define KACF_RPCDISABLENDRMAYBENULL_SIZEIS 0x00001000 #define KACF_DISABLEALLDDEHACK_NOT_USED 0x00002000 #define KACF_RPCDISABLENDR61_RANGE 0x00004000 #define KACF_RPC32ENABLELEGACYEXCEPTIONHANDLING 0x00008000 #define KACF_OLE32DOCFILEUSELEGACYNTFSFLAGS 0x00010000 #define KACF_RPCDISABLENDRCONSTIIDCHECK 0x00020000 #define KACF_USERDISABLEFORWARDERPATCH 0x00040000 #define KACF_OLE32DISABLENEW_WMPAINT_DISPATCH 0x00100000 #define KACF_ADDRESTRICTEDSIDINCOINITIALIZESECURITY 0x00200000 #define KACF_ALLOCDEBUGINFOFORCRITSECTIONS 0x00400000 #define KACF_OLEAUT32ENABLEUNSAFELOADTYPELIBRELATIVE 0x00800000 #define KACF_ALLOWMAXIMIZEDWINDOWGAMMA 0x01000000 #define KACF_DONOTADDTOCACHE 0x80000000 #define KACF_DISABLEPOSIXDELETEFILE 0x100000000 // rev KernelBase!InternalDeleteFileW #define KACF_ENABLE_PROCESS_SYSTEMDPIAWARENESS 0x20000000000000 // rev // Enable Per-Process System DPI Awareness and Opt-in to Per-Process System DPI mode. #define KACF_DISABLE_PROCESS_SYSTEMDPIAWARENESS 0x40000000000000 // rev // Disable Per-Process System DPI Awareness and force legacy DPI behavior. #define KACF_ENABLE_GDI_DPI_SCALING 0x800000000000000 #define KACF_FORCE_DISABLE_GDI_SCALING 0x4000000000000000 // PEB->CrossProcessFlags #define PEB_FLAG_PROCESS_IN_JOB 0x00000001 // Process is part of a job #define PEB_FLAG_PROCESS_INITIALIZING 0x00000002 // Process is initializing #define PEB_FLAG_PROCESS_USING_VEH 0x00000004 // Process is using VEH #define PEB_FLAG_PROCESS_USING_VCH 0x00000008 // Process is using VCH #define PEB_FLAG_PROCESS_USING_FTH 0x00000010 // Process is using FTH #define PEB_FLAG_PROCESS_PREVIOUSLY_THROTTLED 0x00000020 // Process was previously throttled #define PEB_FLAG_PROCESS_CURRENTLY_THROTTLED 0x00000040 // Process is currently throttled #define PEB_FLAG_PROCESS_IMAGES_HOT_PATCHED 0x00000080 // Process images are hot patched (RS5+) // private #define API_SET_SECTION_NAME ".apiset" // private #define API_SET_SCHEMA_VERSION_V2 0x00000002 // WIN7, WIN8 #define API_SET_SCHEMA_VERSION_V4 0x00000004 // WINBLUE #define API_SET_SCHEMA_VERSION_V6 0x00000006 // since THRESHOLD #define API_SET_SCHEMA_VERSION API_SET_SCHEMA_VERSION_V6 // private #define API_SET_SCHEMA_FLAGS_SEALED 0x00000001 #define API_SET_SCHEMA_FLAGS_HOST_EXTENSION 0x00000002 // private #define API_SET_SCHEMA_ENTRY_FLAGS_SEALED 0x00000001 #define API_SET_SCHEMA_ENTRY_FLAGS_EXTENSION 0x00000002 // private typedef struct _API_SET_VALUE_ENTRY_V2 { ULONG NameOffset; // to WCHAR[NameLength / sizeof(WCHAR)], from schema base ULONG NameLength; ULONG ValueOffset; // to WCHAR[ValueLength / sizeof(WCHAR)], from schema base ULONG ValueLength; } API_SET_VALUE_ENTRY_V2, *PAPI_SET_VALUE_ENTRY_V2; // private typedef struct _API_SET_VALUE_ARRAY_V2 { ULONG Count; _Field_size_full_(Count) API_SET_VALUE_ENTRY_V2 Array[ANYSIZE_ARRAY]; } API_SET_VALUE_ARRAY_V2, *PAPI_SET_VALUE_ARRAY_V2; // private typedef struct _API_SET_NAMESPACE_ENTRY_V2 { ULONG NameOffset; // to WCHAR[NameLength / sizeof(WCHAR)], from schema base ULONG NameLength; ULONG DataOffset; // to API_SET_VALUE_ARRAY_V2, from schema base } API_SET_NAMESPACE_ENTRY_V2, *PAPI_SET_NAMESPACE_ENTRY_V2; // private // PEB->ApiSetMap on WIN7, WIN8 typedef struct _API_SET_NAMESPACE_ARRAY_V2 { ULONG Version; // API_SET_SCHEMA_VERSION_V2 ULONG Count; _Field_size_full_(Count) API_SET_NAMESPACE_ENTRY_V2 Array[ANYSIZE_ARRAY]; } API_SET_NAMESPACE_ARRAY_V2, *PAPI_SET_NAMESPACE_ARRAY_V2; // private typedef struct _API_SET_VALUE_ENTRY_V4 { ULONG Flags; ULONG NameOffset; // to WCHAR[NameLength / sizeof(WCHAR)], from schema base ULONG NameLength; ULONG ValueOffset; // to WCHAR[ValueLength / sizeof(WCHAR)], from schema base ULONG ValueLength; } API_SET_VALUE_ENTRY_V4, *PAPI_SET_VALUE_ENTRY_V4; // private typedef struct _API_SET_VALUE_ARRAY_V4 { ULONG Flags; ULONG Count; _Field_size_full_(Count) API_SET_VALUE_ENTRY_V4 Array[ANYSIZE_ARRAY]; } API_SET_VALUE_ARRAY_V4, *PAPI_SET_VALUE_ARRAY_V4; // private typedef struct _API_SET_NAMESPACE_ENTRY_V4 { ULONG Flags; // API_SET_SCHEMA_ENTRY_FLAGS_* ULONG NameOffset; // to WCHAR[NameLength / sizeof(WCHAR)], from schema base ULONG NameLength; ULONG AliasOffset; // to WCHAR[AliasLength / sizeof(WCHAR)], from schema base ULONG AliasLength; ULONG DataOffset; // to API_SET_VALUE_ARRAY_V4, from schema base } API_SET_NAMESPACE_ENTRY_V4, *PAPI_SET_NAMESPACE_ENTRY_V4; // private // PEB->ApiSetMap on WINBLUE typedef struct _API_SET_NAMESPACE_ARRAY_V4 { ULONG Version; // API_SET_SCHEMA_VERSION_V4 ULONG Size; ULONG Flags; // API_SET_SCHEMA_FLAGS_* ULONG Count; _Field_size_full_(Count) API_SET_NAMESPACE_ENTRY_V4 Array[ANYSIZE_ARRAY]; } API_SET_NAMESPACE_ARRAY_V4, *PAPI_SET_NAMESPACE_ARRAY_V4; // private typedef struct _API_SET_VALUE_ENTRY { ULONG Flags; ULONG NameOffset; // to WCHAR[NameLength / sizeof(WCHAR)], from schema base ULONG NameLength; ULONG ValueOffset; // to WCHAR[ValueLength / sizeof(WCHAR)], from schema base ULONG ValueLength; } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; // private typedef struct _API_SET_NAMESPACE_ENTRY { ULONG Flags; // API_SET_SCHEMA_ENTRY_FLAGS_* ULONG NameOffset; // to WCHAR[NameLength / sizeof(WCHAR)], from schema base ULONG NameLength; ULONG HashedLength; ULONG ValueOffset; // to API_SET_VALUE_ENTRY[ValueCount], from schema base ULONG ValueCount; } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; // private typedef struct _API_SET_HASH_ENTRY { ULONG Hash; ULONG Index; } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; // private // PEB->ApiSetMap since THRESHOLD typedef struct _API_SET_NAMESPACE { ULONG Version; // API_SET_SCHEMA_VERSION_V6 ULONG Size; ULONG Flags; // API_SET_SCHEMA_FLAGS_* ULONG Count; ULONG EntryOffset; // to API_SET_NAMESPACE_ENTRY[Count], from this struct base ULONG HashOffset; // to API_SET_HASH_ENTRY[Count], from this struct base ULONG HashFactor; } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; // PEB->TelemetryCoverageHeader typedef struct _TELEMETRY_COVERAGE_HEADER { UCHAR MajorVersion; UCHAR MinorVersion; struct { USHORT TracingEnabled : 1; USHORT Reserved1 : 15; }; ULONG HashTableEntries; ULONG HashIndexMask; ULONG TableUpdateVersion; ULONG TableSizeInBytes; ULONG LastResetTick; ULONG ResetRound; ULONG Reserved2; ULONG RecordedCount; ULONG Reserved3[4]; ULONG HashTable[ANYSIZE_ARRAY]; } TELEMETRY_COVERAGE_HEADER, *PTELEMETRY_COVERAGE_HEADER; typedef struct _WER_RECOVERY_INFO { ULONG Length; PVOID Callback; PVOID Parameter; HANDLE Started; HANDLE Finished; HANDLE InProgress; LONG LastError; BOOL Successful; ULONG PingInterval; ULONG Flags; } WER_RECOVERY_INFO, *PWER_RECOVERY_INFO; typedef struct _WER_FILE { USHORT Flags; WCHAR Path[MAX_PATH]; } WER_FILE, *PWER_FILE; typedef struct _WER_MEMORY { PVOID Address; ULONG Size; } WER_MEMORY, *PWER_MEMORY; typedef struct _WER_GATHER { PVOID Next; USHORT Flags; union { WER_FILE File; WER_MEMORY Memory; } v; } WER_GATHER, *PWER_GATHER; typedef struct _WER_METADATA { PVOID Next; WCHAR Key[64]; WCHAR Value[128]; } WER_METADATA, *PWER_METADATA; typedef struct _WER_RUNTIME_DLL { PVOID Next; ULONG Length; PVOID Context; WCHAR CallbackDllPath[MAX_PATH]; } WER_RUNTIME_DLL, *PWER_RUNTIME_DLL; typedef struct _WER_DUMP_COLLECTION { PVOID Next; ULONG ProcessId; ULONG ThreadId; } WER_DUMP_COLLECTION, *PWER_DUMP_COLLECTION; typedef struct _WER_HEAP_MAIN_HEADER { WCHAR Signature[16]; LIST_ENTRY Links; HANDLE Mutex; PVOID FreeHeap; ULONG FreeCount; } WER_HEAP_MAIN_HEADER, *PWER_HEAP_MAIN_HEADER; #ifndef RESTART_MAX_CMD_LINE #define RESTART_MAX_CMD_LINE 1024 #endif typedef struct _WER_PEB_HEADER_BLOCK { LONG Length; WCHAR Signature[16]; WCHAR AppDataRelativePath[64]; WCHAR RestartCommandLine[RESTART_MAX_CMD_LINE]; WER_RECOVERY_INFO RecoveryInfo; PWER_GATHER Gather; PWER_METADATA MetaData; PWER_RUNTIME_DLL RuntimeDll; PWER_DUMP_COLLECTION DumpCollection; LONG GatherCount; LONG MetaDataCount; LONG DumpCount; LONG Flags; WER_HEAP_MAIN_HEADER MainHeader; PVOID Reserved; } WER_PEB_HEADER_BLOCK, *PWER_PEB_HEADER_BLOCK; #define GDI_HANDLE_BUFFER_SIZE32 34 #define GDI_HANDLE_BUFFER_SIZE64 60 #ifndef _WIN64 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 #else #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 #endif typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; typedef _Function_class_(PS_POST_PROCESS_INIT_ROUTINE) VOID NTAPI PS_POST_PROCESS_INIT_ROUTINE( VOID ); typedef PS_POST_PROCESS_INIT_ROUTINE* PPS_POST_PROCESS_INIT_ROUTINE; #ifndef RTL_FLS_MAXIMUM_AVAILABLE #define RTL_FLS_MAXIMUM_AVAILABLE 128 #endif #ifndef FLS_MAXIMUM_AVAILABLE #define FLS_MAXIMUM_AVAILABLE 4080 #endif #ifndef TLS_MINIMUM_AVAILABLE #define TLS_MINIMUM_AVAILABLE 64 #endif #ifndef TLS_EXPANSION_SLOTS #define TLS_EXPANSION_SLOTS 1024 #endif /** * Process Environment Block (PEB) structure. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb */ typedef struct _PEB { // // The process was cloned with an inherited address space. // BOOLEAN InheritedAddressSpace; // // The process has image file execution options (IFEO). // BOOLEAN ReadImageFileExecOptions; // // The process has a debugger attached. // BOOLEAN BeingDebugged; union { BOOLEAN BitField; struct { BOOLEAN ImageUsesLargePages : 1; // The process uses large image regions (4 MB). BOOLEAN IsProtectedProcess : 1; // The process is a protected process. BOOLEAN IsImageDynamicallyRelocated : 1; // The process image base address was relocated. BOOLEAN SkipPatchingUser32Forwarders : 1; // The process skipped forwarders for User32.dll functions. 1 for 64-bit, 0 for 32-bit. BOOLEAN IsPackagedProcess : 1; // The process is a packaged store process (APPX/MSIX). BOOLEAN IsAppContainerProcess : 1; // The process has an AppContainer token. BOOLEAN IsProtectedProcessLight : 1; // The process is a protected process (light). BOOLEAN IsLongPathAwareProcess : 1; // The process is long path aware. }; }; // // Handle to a mutex for synchronization. // HANDLE Mutant; // // Pointer to the base address of the process image. // PVOID ImageBaseAddress; // // Pointer to the process loader data. // PPEB_LDR_DATA Ldr; // // Pointer to the process parameters. // PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // // Reserved. // PVOID SubSystemData; // // Pointer to the process default heap. // PVOID ProcessHeap; // // Pointer to a critical section used to synchronize access to the PEB. // PRTL_CRITICAL_SECTION FastPebLock; // // Pointer to a singly linked list used by ATL. // PSLIST_HEADER AtlThunkSListPtr; // // Handle to the Image File Execution Options key. // HANDLE IFEOKey; // // Cross process flags. // union { ULONG CrossProcessFlags; struct { ULONG ProcessInJob : 1; // The process is part of a job. ULONG ProcessInitializing : 1; // The process is initializing. ULONG ProcessUsingVEH : 1; // The process is using VEH. ULONG ProcessUsingVCH : 1; // The process is using VCH. ULONG ProcessUsingFTH : 1; // The process is using FTH. ULONG ProcessPreviouslyThrottled : 1; // The process was previously throttled. ULONG ProcessCurrentlyThrottled : 1; // The process is currently throttled. ULONG ProcessImagesHotPatched : 1; // The process images are hot patched. // RS5 ULONG ReservedBits0 : 24; }; }; // // User32 KERNEL_CALLBACK_TABLE (ntuser.h) // union { PKERNEL_CALLBACK_TABLE KernelCallbackTable; PVOID UserSharedInfoPtr; }; // // Reserved. // ULONG SystemReserved; // // Pointer to the Active Template Library (ATL) singly linked list (32-bit) // ULONG AtlThunkSListPtr32; // // Pointer to the API Set Schema. // PAPI_SET_NAMESPACE ApiSetMap; // // Counter for TLS expansion. // ULONG TlsExpansionCounter; // // Pointer to the TLS bitmap. // PRTL_BITMAP TlsBitmap; // // Bits for the TLS bitmap. // ULONG TlsBitmapBits[2]; // // Reserved for CSRSS. // PVOID ReadOnlySharedMemoryBase; // // Pointer to the USER_SHARED_DATA for the current SILO. // PSILO_USER_SHARED_DATA SharedData; // // Reserved for CSRSS. // PVOID* ReadOnlyStaticServerData; // // Pointer to the ANSI code page data. // PCPTABLEINFO AnsiCodePageData; // // Pointer to the OEM code page data. // PCPTABLEINFO OemCodePageData; // // Pointer to the Unicode case table data. // PNLSTABLEINFO UnicodeCaseTableData; // // The total number of system processors. // ULONG NumberOfProcessors; // // Global flags for the system. // union { ULONG NtGlobalFlag; struct { ULONG StopOnException : 1; // FLG_STOP_ON_EXCEPTION ULONG ShowLoaderSnaps : 1; // FLG_SHOW_LDR_SNAPS ULONG DebugInitialCommand : 1; // FLG_DEBUG_INITIAL_COMMAND ULONG StopOnHungGUI : 1; // FLG_STOP_ON_HUNG_GUI ULONG HeapEnableTailCheck : 1; // FLG_HEAP_ENABLE_TAIL_CHECK ULONG HeapEnableFreeCheck : 1; // FLG_HEAP_ENABLE_FREE_CHECK ULONG HeapValidateParameters : 1; // FLG_HEAP_VALIDATE_PARAMETERS ULONG HeapValidateAll : 1; // FLG_HEAP_VALIDATE_ALL ULONG ApplicationVerifier : 1; // FLG_APPLICATION_VERIFIER ULONG MonitorSilentProcessExit : 1; // FLG_MONITOR_SILENT_PROCESS_EXIT ULONG PoolEnableTagging : 1; // FLG_POOL_ENABLE_TAGGING ULONG HeapEnableTagging : 1; // FLG_HEAP_ENABLE_TAGGING ULONG UserStackTraceDb : 1; // FLG_USER_STACK_TRACE_DB ULONG KernelStackTraceDb : 1; // FLG_KERNEL_STACK_TRACE_DB ULONG MaintainObjectTypeList : 1; // FLG_MAINTAIN_OBJECT_TYPELIST ULONG HeapEnableTagByDll : 1; // FLG_HEAP_ENABLE_TAG_BY_DLL ULONG DisableStackExtension : 1; // FLG_DISABLE_STACK_EXTENSION ULONG EnableCsrDebug : 1; // FLG_ENABLE_CSRDEBUG ULONG EnableKDebugSymbolLoad : 1; // FLG_ENABLE_KDEBUG_SYMBOL_LOAD ULONG DisablePageKernelStacks : 1; // FLG_DISABLE_PAGE_KERNEL_STACKS ULONG EnableSystemCritBreaks : 1; // FLG_ENABLE_SYSTEM_CRIT_BREAKS ULONG HeapDisableCoalescing : 1; // FLG_HEAP_DISABLE_COALESCING ULONG EnableCloseExceptions : 1; // FLG_ENABLE_CLOSE_EXCEPTIONS ULONG EnableExceptionLogging : 1; // FLG_ENABLE_EXCEPTION_LOGGING ULONG EnableHandleTypeTagging : 1; // FLG_ENABLE_HANDLE_TYPE_TAGGING ULONG HeapPageAllocs : 1; // FLG_HEAP_PAGE_ALLOCS ULONG DebugInitialCommandEx : 1; // FLG_DEBUG_INITIAL_COMMAND_EX ULONG DisableDbgPrint : 1; // FLG_DISABLE_DBGPRINT ULONG CritSecEventCreation : 1; // FLG_CRITSEC_EVENT_CREATION ULONG LdrTopDown : 1; // FLG_LDR_TOP_DOWN ULONG EnableHandleExceptions : 1; // FLG_ENABLE_HANDLE_EXCEPTIONS ULONG DisableProtDlls : 1; // FLG_DISABLE_PROTDLLS } NtGlobalFlags; }; // // Timeout for critical sections. // LARGE_INTEGER CriticalSectionTimeout; // // Reserved size for heap segments. // SIZE_T HeapSegmentReserve; // // Committed size for heap segments. // SIZE_T HeapSegmentCommit; // // Threshold for decommitting total free heap. // SIZE_T HeapDeCommitTotalFreeThreshold; // // Threshold for decommitting free heap blocks. // SIZE_T HeapDeCommitFreeBlockThreshold; // // Number of process heaps. // ULONG NumberOfHeaps; // // Maximum number of process heaps. // ULONG MaximumNumberOfHeaps; // // Pointer to an array of process heaps. ProcessHeaps is initialized // to point to the first free byte after the PEB and MaximumNumberOfHeaps // is computed from the page size used to hold the PEB, less the fixed // size of this data structure. // PVOID* ProcessHeaps; // // Pointer to the system GDI shared handle table. // PGDI_HANDLE_ENTRY GdiSharedHandleTable; // // Pointer to the process starter helper. // PVOID ProcessStarterHelper; // // The maximum number of GDI function calls during batch operations (GdiSetBatchLimit) // ULONG GdiDCAttributeList; // // Pointer to the loader lock critical section. // PRTL_CRITICAL_SECTION LoaderLock; // // Major version of the operating system. // ULONG OSMajorVersion; // // Minor version of the operating system. // ULONG OSMinorVersion; // // Build number of the operating system. // USHORT OSBuildNumber; // // CSD version of the operating system. // USHORT OSCSDVersion; // // Platform ID of the operating system. // ULONG OSPlatformId; // // Subsystem version of the current process image (PE Headers). // ULONG ImageSubsystem; // // Major version of the current process image subsystem (PE Headers). // ULONG ImageSubsystemMajorVersion; // // Minor version of the current process image subsystem (PE Headers). // ULONG ImageSubsystemMinorVersion; // // Affinity mask for the current process. // KAFFINITY ActiveProcessAffinityMask; // // Temporary buffer for GDI handles accumulated in the current batch. // GDI_HANDLE_BUFFER GdiHandleBuffer; // // Pointer to the post-process initialization routine available for use by the application. // PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; // // Pointer to the TLS expansion bitmap. // PRTL_BITMAP TlsExpansionBitmap; // // Bits for the TLS expansion bitmap. TLS_EXPANSION_SLOTS // ULONG TlsExpansionBitmapBits[32]; // // Session ID of the current process. // ULONG SessionId; // // Application compatibility flags. KACF_* // ULARGE_INTEGER AppCompatFlags; // // Application compatibility flags. KACF_* // ULARGE_INTEGER AppCompatFlagsUser; // // Pointer to the Application SwitchBack Compatibility Engine. // PVOID pShimData; // // Pointer to the Application Compatibility Engine. // PAPPCOMPAT_EXE_DATA AppCompatInfo; // // CSD version string of the operating system. // UNICODE_STRING CSDVersion; // // Pointer to the process activation context. // PACTIVATION_CONTEXT_DATA ActivationContextData; // // Pointer to the process assembly storage map. // PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap; // // Pointer to the system default activation context. // PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData; // // Pointer to the system assembly storage map. // PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap; // // Minimum stack commit size. // SIZE_T MinimumStackCommit; // // since 19H1 (previously FlsCallback to FlsHighIndex) // PVOID SparePointers[2]; // // Pointer to the patch loader data. // PVOID PatchLoaderData; // // Pointer to the CHPE V2 process information. CHPEV2_PROCESS_INFO // PVOID ChpeV2ProcessInfo; // // Packaged process feature state. // ULONG AppModelFeatureState; // // SpareUlongs // ULONG SpareUlongs[2]; // // Active code page. // USHORT ActiveCodePage; // // OEM code page. // USHORT OemCodePage; // // Code page case mapping. // USHORT UseCaseMapping; // // Unused NLS field. // USHORT UnusedNlsField; // // Pointer to the application WER registration data. // PWER_PEB_HEADER_BLOCK WerRegistrationData; // // Pointer to the application WER assert pointer. // PVOID WerShipAssertPtr; // // Pointer to the EC bitmap on ARM64. (Windows 11 and above) // union { PVOID pContextData; // Pointer to the switchback compatibility engine (Windows 7 and below) PVOID EcCodeBitMap; // Pointer to the EC bitmap on ARM64 (Windows 11 and above) // since WIN11 }; // // Reserved. // PVOID ImageHeaderHash; // // ETW tracing flags. // union { ULONG TracingFlags; struct { ULONG HeapTracingEnabled : 1; // ETW heap tracing enabled. ULONG CritSecTracingEnabled : 1; // ETW lock tracing enabled. ULONG LibLoaderTracingEnabled : 1; // ETW loader tracing enabled. ULONG SpareTracingBits : 29; }; }; // // Reserved for CSRSS. // ULONGLONG CsrServerReadOnlySharedMemoryBase; // // Pointer to the thread pool worker list lock. // PRTL_CRITICAL_SECTION TppWorkerpListLock; // // Pointer to the thread pool worker list. // LIST_ENTRY TppWorkerpList; // // Wait on address hash table. (RtlWaitOnAddress) // PVOID WaitOnAddressHashTable[128]; // // Pointer to the telemetry coverage header. // since RS3 // PTELEMETRY_COVERAGE_HEADER TelemetryCoverageHeader; // // Cloud file flags. (ProjFs and Cloud Files) // since RS4 // ULONG CloudFileFlags; // // Cloud file diagnostic flags. // ULONG CloudFileDiagFlags; // // Placeholder compatibility mode. (ProjFs and Cloud Files) // CHAR PlaceholderCompatibilityMode; // // Reserved for placeholder compatibility mode. // CHAR PlaceholderCompatibilityModeReserved[7]; // // Pointer to leap second data. // since RS5 // PLEAP_SECOND_DATA LeapSecondData; // // Leap second flags. // union { ULONG LeapSecondFlags; struct { ULONG SixtySecondEnabled : 1; // Leap seconds enabled. ULONG Reserved : 31; }; }; // // Global flags for the process. // ULONG NtGlobalFlag2; // // Extended feature disable mask (AVX). // since WIN11 // ULONGLONG ExtendedFeatureDisableMask; } PEB, *PPEB; #ifdef _WIN64 static_assert(FIELD_OFFSET(PEB, SessionId) == 0x2C0, "FIELD_OFFSET(PEB, SessionId) is incorrect"); static_assert(sizeof(PEB) == 0x7d0, "Size of PEB is incorrect"); // WIN11 #else static_assert(FIELD_OFFSET(PEB, SessionId) == 0x1D4, "FIELD_OFFSET(PEB, SessionId) is incorrect"); static_assert(sizeof(PEB) == 0x488, "Size of PEB is incorrect"); // WIN11 #endif #define GDI_BATCH_BUFFER_SIZE 310 /** * The GDI_TEB_BATCH structure is used to store information about GDI batch operations. */ typedef struct _GDI_TEB_BATCH { ULONG Offset; ULONG_PTR HDC; ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; } GDI_TEB_BATCH, *PGDI_TEB_BATCH; #define TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED (0x00000001) /** * The TEB_ACTIVE_FRAME_CONTEXT structure is used to store information about an active frame context. */ typedef struct _TEB_ACTIVE_FRAME_CONTEXT { ULONG Flags; PCSTR FrameName; } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; /** * The TEB_ACTIVE_FRAME_CONTEXT_EX structure extends TEB_ACTIVE_FRAME_CONTEXT with additional information. */ typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX { TEB_ACTIVE_FRAME_CONTEXT BasicContext; PCSTR SourceLocation; } TEB_ACTIVE_FRAME_CONTEXT_EX, *PTEB_ACTIVE_FRAME_CONTEXT_EX; #define TEB_ACTIVE_FRAME_FLAG_EXTENDED (0x00000001) /** * The TEB_ACTIVE_FRAME structure is used to store information about an active frame. */ typedef struct _TEB_ACTIVE_FRAME { ULONG Flags; struct _TEB_ACTIVE_FRAME *Previous; PTEB_ACTIVE_FRAME_CONTEXT Context; } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; /** * The TEB_ACTIVE_FRAME_EX structure extends TEB_ACTIVE_FRAME with additional information. */ typedef struct _TEB_ACTIVE_FRAME_EX { TEB_ACTIVE_FRAME BasicFrame; PVOID ExtensionIdentifier; } TEB_ACTIVE_FRAME_EX, *PTEB_ACTIVE_FRAME_EX; #define STATIC_UNICODE_BUFFER_LENGTH 261 #define WIN32_CLIENT_INFO_LENGTH 62 #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef struct _CALLBACKWND { HWND hwnd; ULONG_PTR pwnd; PACTIVATION_CONTEXT ActCtx; } CALLBACKWND, *PCALLBACKWND; // private typedef struct tagDPICONTEXTINFO { ULONG dpiContext; LOGICAL Dirty; } DPICONTEXTINFO, *PDPICONTEXTINFO; // private + rev typedef struct tagCLIENTINFO { ULONG_PTR CI_flags; ULONG_PTR Spins; ULONG ExpWinVer; ULONG CompatFlags; ULONG CompatFlags2; ULONG TIFlags; struct tagDESKTOPINFO* DeskInfo; PVOID DesktopBase; // ClientDelta before RS2 HHOOK hkCurrent; ULONG Hooks; CALLBACKWND CallbackWnd; ULONG HookCurrent; LONG InDDEMLCallback; struct tagCLIENTTHREADINFO* ClientThreadInfo; ULONG_PTR HookData; ULONG KeyCache; UCHAR KeyState[8]; ULONG AsyncKeyCache; UCHAR AsyncKeyState[8]; UCHAR AsyncKeyStateRecentDown[8]; HKL hKL; USHORT CodePage; UCHAR DbcsCFOld[2]; UCHAR DbcsCFNew[2]; MSG msgDbcsCB; PULONG RegisteredClasses; HANDLE mmcssHandle; ULONG_PTR CI_exflags; DPICONTEXTINFO dci; } CLIENTINFO, *PCLIENTINFO; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // rev - xor key for ReservedForNtRpc #ifdef _WIN64 #define RPC_THREAD_POINTER_KEY 0xABABABABDEDEDEDEui64 #else #define RPC_THREAD_POINTER_KEY 0xABABABAB #endif /** * Thread Environment Block (TEB) structure. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb */ typedef struct _TEB { // // Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. // NT_TIB NtTib; // // Reserved. // PVOID EnvironmentPointer; // // Client ID for this thread. // CLIENT_ID ClientId; // // A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. // PVOID ActiveRpcHandle; // // A pointer to the __declspec(thread) local storage array. // PVOID ThreadLocalStoragePointer; // // A pointer to the Process Environment Block (PEB), which contains information about the process. // PPEB ProcessEnvironmentBlock; // // The previous Win32 error value for this thread. // ULONG LastErrorValue; // // The number of critical sections currently owned by this thread. // ULONG CountOfOwnedCriticalSections; // // Reserved. // PVOID CsrClientThread; // // Reserved for win32k.sys // PVOID Win32ThreadInfo; // // Reserved for user32.dll // ULONG User32Reserved[26]; // // Reserved for winsrv.dll // ULONG UserReserved[5]; // // Reserved. // PVOID WOW32Reserved; // // The LCID of the current thread. (Kernel32!GetThreadLocale) // LCID CurrentLocale; // // Reserved. // ULONG FpSoftwareStatusRegister; // // Reserved. // PVOID ReservedForDebuggerInstrumentation[16]; #ifdef _WIN64 // // Reserved for floating-point emulation. // PVOID SystemReserved1[25]; // // Per-thread fiber local storage. (Teb->HasFiberData) // PVOID HeapFlsData; // // Reserved. // ULONG_PTR RngState[4]; #else // // Reserved. // PVOID SystemReserved1[26]; #endif // // Placeholder compatibility mode. (ProjFs and Cloud Files) // CHAR PlaceholderCompatibilityMode; // // Indicates whether placeholder hydration is always explicit. // BOOLEAN PlaceholderHydrationAlwaysExplicit; // // ProjFs and Cloud Files (reparse point) file virtualization. // CHAR PlaceholderReserved[10]; // // The process ID (PID) that the current COM server thread is acting on behalf of. // ULONG ProxiedProcessId; // // Pointer to the activation context stack for the current thread. // ACTIVATION_CONTEXT_STACK ActivationStack; // // Opaque operation on behalf of another user or process. // UCHAR WorkingOnBehalfTicket[8]; // // The last exception status for the current thread. // NTSTATUS ExceptionCode; // // Pointer to the activation context stack for the current thread. // PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; // // The stack pointer (SP) of the current system call or exception during instrumentation. // ULONG_PTR InstrumentationCallbackSp; // // The program counter (PC) of the previous system call or exception during instrumentation. // ULONG_PTR InstrumentationCallbackPreviousPc; // // The stack pointer (SP) of the previous system call or exception during instrumentation. // ULONG_PTR InstrumentationCallbackPreviousSp; #ifdef _WIN64 // // The miniversion ID of the current transacted file operation. // ULONG TxFsContext; #endif // // Indicates the state of the system call or exception instrumentation callback. // BOOLEAN InstrumentationCallbackDisabled; #ifdef _WIN64 // // Indicates the state of alignment exceptions for unaligned load/store operations. // BOOLEAN UnalignedLoadStoreExceptions; #endif #ifndef _WIN64 // // SpareBytes. // UCHAR SpareBytes[23]; // // The miniversion ID of the current transacted file operation. // ULONG TxFsContext; #endif // // Reserved for GDI (Win32k). // GDI_TEB_BATCH GdiTebBatch; CLIENT_ID RealClientId; HANDLE GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocalInfo; #if (PHNT_MODE != PHNT_MODE_KERNEL) union { // // User32 (Win32k) thread information. // CLIENTINFO Win32ClientInfo; ULONG_PTR Win32ClientInfoArea[WIN32_CLIENT_INFO_LENGTH]; }; #else ULONG_PTR Win32ClientInfo[WIN32_CLIENT_INFO_LENGTH]; #endif // // Reserved for opengl32.dll // PVOID glDispatchTable[233]; ULONG_PTR glReserved1[29]; PVOID glReserved2; PVOID glSectionInfo; PVOID glSection; PVOID glTable; PVOID glCurrentRC; PVOID glContext; // // The previous status value for this thread. // NTSTATUS LastStatusValue; // // A static string for use by the application. // UNICODE_STRING StaticUnicodeString; // // A static buffer for use by the application. // WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; // // The maximum stack size and indicates the base of the stack. // PVOID DeallocationStack; // // Data for Thread Local Storage. (TlsGetValue) // PVOID TlsSlots[TLS_MINIMUM_AVAILABLE]; // // Reserved for TLS. // LIST_ENTRY TlsLinks; // // Reserved for NTVDM. // PVOID Vdm; // // Reserved for RPC. The pointer is XOR'ed with RPC_THREAD_POINTER_KEY. // PVOID ReservedForNtRpc; // // Reserved for Debugging (DebugActiveProcess). // PVOID DbgSsReserved[2]; // // The error mode for the current thread. (GetThreadErrorMode) // ULONG HardErrorMode; // // Reserved. // #ifdef _WIN64 PVOID Instrumentation[11]; #else PVOID Instrumentation[9]; #endif // // Reserved. // GUID ActivityId; // // The identifier of the service that created the thread. (svchost) // PVOID SubProcessTag; // // Reserved. // PVOID PerflibData; // // Reserved. // PVOID EtwTraceData; // // The address of a socket handle during a blocking socket operation. (WSAStartup) // HANDLE WinSockData; // // The number of function calls accumulated in the current GDI batch. (GdiSetBatchLimit) // ULONG GdiBatchCount; // // The preferred processor for the current thread. (SetThreadIdealProcessor/SetThreadIdealProcessorEx) // union { PROCESSOR_NUMBER CurrentIdealProcessor; ULONG IdealProcessorValue; struct { UCHAR ReservedPad0; UCHAR ReservedPad1; UCHAR ReservedPad2; UCHAR IdealProcessor; }; }; // // The minimum size of the stack available during any stack overflow exceptions. (SetThreadStackGuarantee) // ULONG GuaranteedStackBytes; // // Reserved. // PVOID ReservedForPerf; // // Reserved for Object Linking and Embedding (OLE) // PSOleTlsData ReservedForOle; // // Indicates whether the thread is waiting on the loader lock. // ULONG WaitingOnLoaderLock; // // The saved priority state for the thread. // PVOID SavedPriorityState; // // Reserved. // ULONG_PTR ReservedForCodeCoverage; // // Reserved. // PVOID ThreadPoolData; // // Pointer to the TLS (Thread Local Storage) expansion slots for the thread. // PVOID *TlsExpansionSlots; #ifdef _WIN64 PVOID ChpeV2CpuAreaInfo; // CHPEV2_CPUAREA_INFO // previously DeallocationBStore PVOID Unused; // previously BStoreLimit #endif // // The generation of the MUI (Multilingual User Interface) data. // ULONG MuiGeneration; // // Indicates whether the thread is impersonating another security context. // ULONG IsImpersonating; // // Pointer to the NLS (National Language Support) cache. // PVOID NlsCache; // // Pointer to the AppCompat/Shim Engine data. // PVOID pShimData; // // Reserved. // ULONG HeapData; // // Handle to the current transaction associated with the thread. // HANDLE CurrentTransactionHandle; // // Pointer to the active frame for the thread. // PTEB_ACTIVE_FRAME ActiveFrame; // // Reserved for FLS (RtlProcessFlsData). // PVOID FlsData; // // Pointer to the preferred languages for the current thread. (GetThreadPreferredUILanguages) // PVOID PreferredLanguages; // // Pointer to the user-preferred languages for the current thread. (GetUserPreferredUILanguages) // PVOID UserPrefLanguages; // // Pointer to the merged preferred languages for the current thread. (MUI_MERGE_USER_FALLBACK) // PVOID MergedPrefLanguages; // // Indicates whether the thread is impersonating another user's language settings. // ULONG MuiImpersonation; // // Reserved. // union { USHORT CrossTebFlags; USHORT SpareCrossTebBits : 16; }; // // SameTebFlags modify the state and behavior of the current thread. // union { USHORT SameTebFlags; struct { USHORT SafeThunkCall : 1; USHORT InDebugPrint : 1; // Indicates if the thread is currently in a debug print routine. USHORT HasFiberData : 1; // Indicates if the thread has local fiber-local storage (FLS). USHORT SkipThreadAttach : 1; // Indicates if the thread should suppress DLL_THREAD_ATTACH notifications. USHORT WerInShipAssertCode : 1; USHORT RanProcessInit : 1; // Indicates if the thread has run process initialization code. USHORT ClonedThread : 1; // Indicates if the thread is a clone of a different thread. USHORT SuppressDebugMsg : 1; // Indicates if the thread should suppress LOAD_DLL_DEBUG_INFO notifications. USHORT DisableUserStackWalk : 1; USHORT RtlExceptionAttached : 1; USHORT InitialThread : 1; // Indicates if the thread is the initial thread of the process. USHORT SessionAware : 1; USHORT LoadOwner : 1; // Indicates if the thread is the owner of the process loader lock. USHORT LoaderWorker : 1; USHORT SkipLoaderInit : 1; USHORT SkipFileAPIBrokering : 1; }; }; // // Pointer to the callback function that is called when a KTM transaction scope is entered. // PVOID TxnScopeEnterCallback; // // Pointer to the callback function that is called when a KTM transaction scope is exited. /// PVOID TxnScopeExitCallback; // // Pointer to optional context data for use by the application when a KTM transaction scope callback is called. // PVOID TxnScopeContext; // // The lock count of critical sections for the current thread. // ULONG LockCount; // // The offset to the WOW64 (Windows on Windows) TEB for the current thread. // LONG WowTebOffset; // // Pointer to the DLL containing the resource (valid after LdrFindResource_U/LdrResFindResource/etc... returns). // PLDR_RESLOADER_RET ResourceRetValue; // // Reserved for Windows Driver Framework (WDF). // PVOID ReservedForWdf; // // Reserved for the Microsoft C runtime (CRT). // ULONGLONG ReservedForCrt; // // The Host Compute Service (HCS) container identifier. // GUID EffectiveContainerId; // // Reserved for Kernel32!Sleep (SpinWait). // ULONGLONG LastSleepCounter; // since Win11 // // Reserved for Kernel32!Sleep (SpinWait). // ULONG SpinCallCount; // // Extended feature disable mask (AVX). // ULONGLONG ExtendedFeatureDisableMask; // // Reserved. // PVOID SchedulerSharedDataSlot; // since 24H2 // // Reserved. // PVOID HeapWalkContext; // // The primary processor group affinity of the thread. // GROUP_AFFINITY PrimaryGroupAffinity; // // Read-copy-update (RCU) synchronization context. // ULONG Rcu[2]; } TEB, *PTEB; #ifdef _WIN64 static_assert(FIELD_OFFSET(TEB, SchedulerSharedDataSlot) == 0x1850, "Size of TEB is incorrect"); // WIN11 static_assert(sizeof(TEB) == 0x1878, "Size of TEB is incorrect"); // 24H2 #else static_assert(FIELD_OFFSET(TEB, SchedulerSharedDataSlot) == 0x1018, "Size of TEB is incorrect"); // WIN11 static_assert(sizeof(TEB) == 0x1038, "Size of TEB is incorrect"); // 24H2 #endif #endif ================================================ FILE: phnt/include/ntpfapi.h ================================================ /* * Prefetcher (Superfetch) support functions * * This file is part of System Informer. */ #ifndef _NTPFAPI_H #define _NTPFAPI_H // begin_private // // Prefetch // typedef enum _PREFETCHER_INFORMATION_CLASS { PrefetcherRetrieveTrace = 1, // q: PF_RETRIEVE_TRACE PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID PrefetcherSpare1, // q: PrefetcherRetrieveBootLoaderTrace PrefetcherOperationProcess, // s: PF_OPERATION_PROCESS PrefetcherCacheEntryUpdate, // s: PF_CACHE_ENTRY_UPDATE PrefetcherSpare2, PrefetcherAppLaunchScenarioControl, // s: PF_APP_LAUNCH_SCENARIO_CONTROL PrefetcherInformationMax } PREFETCHER_INFORMATION_CLASS; #define PREFETCHER_INFORMATION_VERSION 23 // rev #define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev typedef struct _PREFETCHER_INFORMATION { _In_ ULONG Version; _In_ ULONG Magic; _In_ PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; _Inout_ PVOID PrefetcherInformation; _Inout_ ULONG PrefetcherInformationLength; } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION; // rev typedef struct _PF_RETRIEVE_TRACE { UCHAR Buffer[1]; } PF_RETRIEVE_TRACE, *PPF_RETRIEVE_TRACE; typedef enum _PF_ENABLE_STATUS { PfSvNotSpecified, PfSvEnabled, PfSvDisabled, PfSvMaxEnableStatus } PF_ENABLE_STATUS; // rev typedef struct _PF_TRACE_LIMITS { ULONG MaxNumPages; ULONG MaxNumSections; LONGLONG TimerPeriod; } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; // rev typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS { PF_ENABLE_STATUS EnableStatus[2]; PF_TRACE_LIMITS TraceLimits[2]; ULONG MaxNumActiveTraces; ULONG MaxNumSavedTraces; WCHAR RootDirPath[32]; WCHAR HostingApplicationList[128]; } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; typedef enum _PF_BOOT_PHASE_ID { PfKernelInitPhase = 0, PfBootDriverInitPhase = 90, PfSystemDriverInitPhase = 120, PfSessionManagerInitPhase = 150, PfSMRegistryInitPhase = 180, PfVideoInitPhase = 210, PfPostVideoInitPhase = 240, PfBootAcceptedRegistryInitPhase = 270, PfUserShellReadyPhase = 300, PfMaxBootPhaseId = 900 } PF_BOOT_PHASE_ID; #define PF_SN_OPERATION_PROCESS_VERSION 1 typedef enum _PF_OPERATION_PROCESS_ACTION { PfSnOpProcessBegin = 0, PfSnOpProcessEnd = 1, PfSnOpProcessMax = 2 } PF_OPERATION_PROCESS_ACTION; typedef struct _PF_OPERATION_PROCESS { UCHAR Version; UCHAR Action; // PF_SYSTEM_OPERATION_PROCESS_ACTION USHORT Reserved; ULONG OpFlags; ULONG Value; } PF_OPERATION_PROCESS, *PPF_OPERATION_PROCESS; #define PF_BOOT_CONTROL_VERSION 1 typedef struct _PF_BOOT_CONTROL { ULONG Version; ULONG DisableBootPrefetching; } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; #define PF_CACHE_ENTRY_UPDATE_VERSION 2 typedef struct _PF_CACHE_ENTRY_UPDATE { ULONG Version; UCHAR Name[64]; ULONG NewValue; } PF_CACHE_ENTRY_UPDATE, *PPF_CACHE_ENTRY_UPDATE; #define PF_APP_LAUNCH_SCENARIO_CONTROL_VERSION 1 typedef struct _PF_APP_LAUNCH_SCENARIO_CONTROL { ULONG Version; ULONG Enable; // must be non-zero HANDLE ProcessHandle; } PF_APP_LAUNCH_SCENARIO_CONTROL, *PPF_APP_LAUNCH_SCENARIO_CONTROL; // // Superfetch // // rev typedef enum _SUPERFETCH_INFORMATION_CLASS { SuperfetchRetrieveTrace = 1, // q: PF_SYSTEM_SUPERFETCH_RETRIEVE_TRACE // PfGetCompletedTrace SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS SuperfetchLogEvent, // s: PF_LOG_EVENT_DATA SuperfetchGenerateTrace, // s: PF_GENERATE_TRACE_CONTROL SuperfetchPrefetch, SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST SuperfetchPfnSetPriority, // s: PF_PFN_PRIO_REQUEST // MmSetPfnListInfo SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST SuperfetchSequenceNumberQuery, // q: ULONG SuperfetchScenarioPhase, // s: PF_SCENARIO_PHASE_INFO // 10 SuperfetchWorkerPriority, // s: PF_WORKER_PRIORITY_CONTROL SuperfetchScenarioQuery, // q: PF_SCENARIO_QUERY_INFO SuperfetchScenarioPrefetch, // s: PF_SCENARIO_PREFETCH_INFO SuperfetchRobustnessControl, // s: PF_ROBUSTNESS_CONTROL SuperfetchTimeControl, // s: PF_TIME_CONTROL SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO_V1/V2 SuperfetchTracingControl, // s: PF_ACCESS_TRACING_CONTROL SuperfetchTrimWhileAgingControl, // s: PF_TRIM_WHILE_AGING_CONTROL SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // 20 SuperfetchChannelPowerRequest, SuperfetchMovePages, // s: PF_PFN_PRIO_REQUEST // MmRelocatePfnList SuperfetchVirtualQuery, // q: PF_VIRTUAL_QUERY SuperfetchCombineStatsQuery, // q: PF_PAGECOMBINE_AGGREGATE_STAT SuperfetchSetMinWsAgeRate, // s: PF_MIN_WS_AGE_RATE_CONTROL SuperfetchDeprioritizeOldPagesInWs, // s: PF_DEPRIORITIZE_OLD_PAGES SuperfetchFileExtentsQuery, // q: PF_FILE_EXTENTS_INFO SuperfetchGpuUtilizationQuery, // q: PF_GPU_UTILIZATION_INFO SuperfetchPfnSet, // s: PF_PFN_PRIO_REQUEST // since WIN11 SuperfetchInformationMax } SUPERFETCH_INFORMATION_CLASS; #define SUPERFETCH_INFORMATION_VERSION 45 // rev #define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev typedef struct _SUPERFETCH_INFORMATION { _In_ ULONG Version; _In_ ULONG Magic; _In_ SUPERFETCH_INFORMATION_CLASS SuperfetchInformationClass; _Inout_ PVOID SuperfetchInformation; _Inout_ ULONG SuperfetchInformationLength; } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION; // rev typedef struct _PF_SYSTEM_SUPERFETCH_RETRIEVE_TRACE { union { struct { ULONGLONG RequestType; // Must be 2 for "get completed trace" ULONGLONG Reserved; // Ignored on input HANDLE PartitionHandle; } Input; struct { ULONGLONG TypeFlags; // 0x0000000000180002 on success ULONGLONG Timestamp; // Scaled TSC value HANDLE PartitionHandle; } Output; // // Raw view of the buffer for opaque access // UCHAR Buffer[ANYSIZE_ARRAY]; }; } PF_SYSTEM_SUPERFETCH_RETRIEVE_TRACE, *PPF_SYSTEM_SUPERFETCH_RETRIEVE_TRACE; // rev typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS { ULONG EnabledComponents; ULONG BootID; ULONG SavedSectInfoTracesMax; ULONG SavedPageAccessTracesMax; ULONG ScenarioPrefetchTimeoutStandby; ULONG ScenarioPrefetchTimeoutHibernate; ULONG ScenarioPrefetchTimeoutHiberBoot; } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS; // rev typedef enum _PF_EVENT_TYPE { PfEventTypeImageLoad = 0, PfEventTypeAppLaunch = 1, PfEventTypeStartTrace = 2, PfEventTypeEndTrace = 3, PfEventTypeTimestamp = 4, PfEventTypeOperation = 5, PfEventTypeRepurpose = 6, PfEventTypeForegroundProcess = 7, PfEventTypeTimeRange = 8, PfEventTypeUserInput = 9, PfEventTypeFileAccess = 10, PfEventTypeUnmap = 11, PfEventTypeUtilization = 11, PfEventTypeMemInfo = 12, PfEventTypeFileDelete = 13, PfEventTypeAppExit = 14, PfEventTypeSystemTime = 15, PfEventTypePower = 16, PfEventTypeSessionChange = 17, PfEventTypeHardFaultTimeStamp = 18, PfEventTypeVirtualFree = 19, PfEventTypePerfInfo = 20, PfEventTypeProcessSnapshot = 21, PfEventTypeUserSnapshot = 22, PfEventTypeStreamSequenceNumber = 23, PfEventTypeFileTruncate = 24, PfEventTypeFileRename = 25, PfEventTypeFileCreate = 26, PfEventTypeAgCxContext = 27, PfEventTypePowerAction = 28, PfEventTypeHardFaultTS = 29, PfEventTypeRobustInfo = 30, PfEventTypeFileDefrag = 31, PfEventTypeMax = 32 } PF_EVENT_TYPE; #define PF_LOG_EVENT_DATA_VERSION 1 typedef struct _PF_LOG_EVENT_DATA { ULONG Version; // PF_LOG_EVENT_DATA_VERSION union { ULONG Packed; // [31:7]=DataSize, [6:5]=Flags, [4:0]=EventType (PF_EVENT_TYPE) struct { ULONG DataSize : 25; // in bytes ULONG Flags : 2; ULONG EventType: 5; // 2,3,5,27 accepted by the handler // PF_EVENT_TYPE }; }; PVOID EventData; HANDLE PartitionHandle; } PF_LOG_EVENT_DATA , *PPF_LOG_EVENT_DATA ; typedef struct _PFN_TRIPLET { ULONGLONG MaskOrKey; // Compared against identity with 0x1FFFFFFFFFFFE00 mask ULONGLONG Pfn; // Page frame number ULONGLONG Flags; // Request/result flags } PFN_TRIPLET, *PPFN_TRIPLET; #define PF_PFN_PRIO_REQUEST_VERSION 1 #define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1 #define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1 typedef struct _PF_PFN_PRIO_REQUEST { ULONG Version; ULONG RequestFlags; SIZE_T PfnCount; SYSTEM_MEMORY_LIST_INFORMATION MemInfo; union { // Input: (class 6/16) MmQueryPfnList fills identities here MMPFN_IDENTITY PageIdentities[256]; // ANYSIZE_ARRAY // Output: (class 7/29/1D) caller supplies PFN_TRIPLETs here PFN_TRIPLET Entries[256]; // ANYSIZE_ARRAY }; } PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST; typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE { PfsPrivateSourceKernel, PfsPrivateSourceSession, PfsPrivateSourceProcess, PfsPrivateSourceMax } PFS_PRIVATE_PAGE_SOURCE_TYPE; typedef struct _PFS_PRIVATE_PAGE_SOURCE { PFS_PRIVATE_PAGE_SOURCE_TYPE Type; union { ULONG SessionId; ULONG ProcessId; }; ULONG ImagePathHash; ULONG_PTR UniqueProcessHash; } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE; typedef struct _PF_PRIVSOURCE_INFO { PFS_PRIVATE_PAGE_SOURCE DbInfo; PVOID EProcess; SIZE_T WsPrivatePages; SIZE_T TotalPrivatePages; ULONG SessionID; UCHAR ImageName[16]; union { SIZE_T WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES. SIZE_T SessionPagedPoolPages; // session only. SIZE_T StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO. }; SIZE_T WsTotalPages; // process/session only. ULONG DeepFreezeTimeMs; // process only. ULONG ModernApp : 1; // process only. ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred ULONG Foreground : 1; // process only. ULONG PerProcessStore : 1; // process only. ULONG Spare : 28; } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO; // rev #define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8 #define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYWSPAGES 0x1 #define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYCOMPRESSEDPAGES 0x2 #define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYSKIPPAGES 0x4 // ?? // rev typedef struct _PF_PRIVSOURCE_QUERY_REQUEST { ULONG Version; ULONG Flags; ULONG InfoCount; PF_PRIVSOURCE_INFO InfoArray[1]; } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST; // rev typedef enum _PF_PHASED_SCENARIO_TYPE { PfScenarioTypeNone, PfScenarioTypeStandby, PfScenarioTypeHibernate, PfScenarioTypeFUS, PfScenarioTypeMax } PF_PHASED_SCENARIO_TYPE; // rev #define PF_SCENARIO_PHASE_INFO_VERSION 4 // rev typedef struct _PF_SCENARIO_PHASE_INFO { ULONG Version; PF_PHASED_SCENARIO_TYPE ScenType; ULONG PhaseId; ULONG SequenceNumber; ULONG Flags; ULONG FUSUserId; ULONG Reserved0; // pad to 32 bytes (handler expects 32) ULONG Reserved1; } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO; // rev typedef struct _PF_WORKER_PRIORITY_CONTROL { ULONG Version; KPRIORITY Priority; // 0..31 (STATUS_INVALID_PARAMETER if >31) HANDLE PartitionHandle; } PF_WORKER_PRIORITY_CONTROL, *PPF_WORKER_PRIORITY_CONTROL; // rev #define PF_SCENARIO_QUERY_INFO_VERSION 4 // rev typedef struct _PF_SCENARIO_QUERY_INFO { ULONG_PTR Version; ULONG_PTR Field1; ULONG_PTR Field2; ULONG_PTR Field3; } PF_SCENARIO_QUERY_INFO , *PPF_SCENARIO_QUERY_INFO; // rev typedef struct _PF_MEMORY_LIST_NODE { ULONGLONG Node : 8; ULONGLONG Spare : 56; ULONGLONG StandbyLowPageCount; ULONGLONG StandbyMediumPageCount; ULONGLONG StandbyHighPageCount; ULONGLONG FreePageCount; ULONGLONG ModifiedPageCount; } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE; // rev typedef struct _PF_ROBUST_PROCESS_ENTRY { ULONG ImagePathHash; ULONG Pid; ULONG Alignment; } PF_ROBUST_PROCESS_ENTRY, *PPF_ROBUST_PROCESS_ENTRY; // rev typedef struct _PF_ROBUST_FILE_ENTRY { ULONG FilePathHash; } PF_ROBUST_FILE_ENTRY, *PPF_ROBUST_FILE_ENTRY; // rev typedef enum _PF_ROBUSTNESS_CONTROL_COMMAND { PfRpControlUpdate = 0, PfRpControlReset = 1, PfRpControlRobustAllStart = 2, PfRpControlRobustAllStop = 3, PfRpControlCommandMax = 4 } PF_ROBUSTNESS_CONTROL_COMMAND; // rev #define PF_ROBUSTNESS_CONTROL_VERSION 1 // rev typedef struct _PF_ROBUSTNESS_CONTROL { ULONG Version; PF_ROBUSTNESS_CONTROL_COMMAND Command; ULONG DeprioProcessCount; ULONG ExemptProcessCount; ULONG DeprioFileCount; ULONG ExemptFileCount; PF_ROBUST_PROCESS_ENTRY ProcessEntries[1]; PF_ROBUST_FILE_ENTRY FileEntries[1]; } PF_ROBUSTNESS_CONTROL, *PPF_ROBUSTNESS_CONTROL; // rev typedef struct _PF_SCENARIO_PREFETCH_INFO { ULONG Version; ULONG State; } PF_SCENARIO_PREFETCH_INFO, *PPF_SCENARIO_PREFETCH_INFO; // rev #define PF_TRIM_WHILE_AGING_CONTROL_VERSION_1 1 // rev typedef enum _PF_TRIM_WHILE_AGING_STATE { PfTrimWhileAgingOff = 0, PfTrimWhileAgingLowPriority = 1, PfTrimWhileAgingPassive = 2, PfTrimWhileAgingNormal = 3, PfTrimWhileAgingAggressive = 4, PfTrimWhileAgingMax = 5, } PF_TRIM_WHILE_AGING_STATE, *PPF_TRIM_WHILE_AGING_STATE; // rev typedef struct _PF_TRIM_WHILE_AGING_CONTROL_1 { ULONG Version; PF_TRIM_WHILE_AGING_STATE TrimWhileAgingState; BOOLEAN PrivatePageTrimAge; BOOLEAN SharedPageTrimAge; USHORT Spare; } PF_TRIM_WHILE_AGING_CONTROL_1, *PPF_TRIM_WHILE_AGING_CONTROL_1; #define PF_TRIM_WHILE_AGING_CONTROL_VERSION_2 2 // rev typedef struct _PF_TRIM_WHILE_AGING_CONTROL_2 { ULONG Version; PF_TRIM_WHILE_AGING_STATE TrimWhileAgingState; UCHAR PrivatePageTrimAge; // 0..7 UCHAR SharedPageTrimAge; // 0..7 USHORT Spare; // must be 0 } PF_TRIM_WHILE_AGING_CONTROL_2, *PPF_TRIM_WHILE_AGING_CONTROL_2; // rev typedef struct _PF_TIME_CONTROL { LONG TimeAdjustment; } PF_TIME_CONTROL, *PPF_TIME_CONTROL; #define PF_MEMORY_LIST_INFO_VERSION 1 typedef struct _PF_MEMORY_LIST_INFO { ULONG Version; ULONG Size; ULONG NodeCount; PF_MEMORY_LIST_NODE Nodes[1]; } PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO; typedef struct _PF_PHYSICAL_MEMORY_RANGE { ULONG_PTR BasePfn; ULONG_PTR PageCount; } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE; #define PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION 1 typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V1 { ULONG Version; ULONG RangeCount; PF_PHYSICAL_MEMORY_RANGE Ranges[1]; } PF_PHYSICAL_MEMORY_RANGE_INFO_V1, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V1; #define PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION 2 typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2 { ULONG Version; ULONG Flags; SIZE_T RangeCount; PF_PHYSICAL_MEMORY_RANGE Ranges[1]; } PF_PHYSICAL_MEMORY_RANGE_INFO_V2, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V2; // rev typedef struct _PF_START_TRACE_CONTROL { struct { ULONG Type; ULONG Mode; ULONG Flags; ULONG Restart; }; struct { HANDLE PartitionHandle; // in HANDLE TraceHandleOut; // out when Restart == 0 }; } PF_START_TRACE_CONTROL, *PPF_START_TRACE_CONTROL; // rev #define PF_ACCESS_TRACING_CONTROL_VERSION 1 // rev typedef struct _PF_ACCESS_TRACING_CONTROL { ULONG Version; ULONG Command; ULONG ComponentMask; } PF_ACCESS_TRACING_CONTROL, *PPF_ACCESS_TRACING_CONTROL; // rev #define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1 // rev typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO { ULONG Version; // PF_REPURPOSED_BY_PREFETCH_INFO_VERSION ULONG Reserved; SIZE_T RepurposedByPrefetch; } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO; // rev #define PF_VIRTUAL_QUERY_VERSION 1 // rev typedef struct _PF_VIRTUAL_QUERY { ULONG Version; union { ULONG Flags; struct { ULONG FaultInPageTables : 1; ULONG ReportPageTables : 1; ULONG Spare : 30; }; }; PVOID QueryBuffer; // MEMORY_WORKING_SET_EX_INFORMATION[NumberOfPages] (input: VirtualAddress[], output: VirtualAttributes[]) SIZE_T QueryBufferSize; // NumberOfPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION) HANDLE ProcessHandle; } PF_VIRTUAL_QUERY, *PPF_VIRTUAL_QUERY; // rev #define PF_PAGECOMBINE_AGGREGATE_STAT_VERSION 1 // rev typedef struct _PF_PAGECOMBINE_AGGREGATE_STAT { ULONG Version; ULONG CombineScanCount; ULONG CombinedBlocksInUse; ULONG SumCombinedBlocksReferenceCount; } PF_PAGECOMBINE_AGGREGATE_STAT, *PPF_PAGECOMBINE_AGGREGATE_STAT; // rev #define PF_MIN_WS_AGE_RATE_CONTROL_VERSION 1 // rev typedef struct _PF_MIN_WS_AGE_RATE_CONTROL { ULONG Version; ULONG SecondsToOldestAgeRate; } PF_MIN_WS_AGE_RATE_CONTROL, *PPF_MIN_WS_AGE_RATE_CONTROL; // rev #define PF_DEPRIORITIZE_OLD_PAGES_VERSION 3 // rev typedef struct _PF_DEPRIORITIZE_OLD_PAGES { ULONG Version; HANDLE ProcessHandle; union { ULONG Flags; struct { ULONG TargetPriority : 4; ULONG TrimPages : 2; ULONG Spare : 26; }; }; } PF_DEPRIORITIZE_OLD_PAGES, *PPF_DEPRIORITIZE_OLD_PAGES; // rev #define PF_FILE_EXTENTS_INFO_VERSION 1 // rev typedef struct _PF_FILE_EXTENTS_INFO { ULONG Version; PWSTR FilePath; ULONG FilePathSize; ULONG VolumePathSize; LARGE_INTEGER FileIndexNumber; ULONG VolumeSerialNumber; RETRIEVAL_POINTERS_BUFFER ExtentsBuffer; ULONGLONG ExtentsBufferSize; } PF_FILE_EXTENTS_INFO, *PPF_FILE_EXTENTS_INFO; // rev #define PF_FILE_EXTENTS_INFO_VERSION2 2 typedef struct _PF_FILE_EXTENTS_INFO_V2 { ULONG Version; // must be 2 ULONG Reserved0; PWSTR PathUtf16; ULONG PathBytes; // must be even, within bounds ULONG PathMeta; // used to compute an index (>>1) tested for '\\' ULONG ParamA; // must be nonzero and < PathBytes (per checks) ULONG Reserved1; PVOID OutMeta0; PVOID OutBuffer; ULONG OutBufferBytesRequested; ULONG Reserved2; } PF_FILE_EXTENTS_INFO_V2, *PPF_FILE_EXTENTS_INFO_V2; // rev #define PF_GPU_UTILIZATION_INFO_VERSION 1 // rev typedef struct _PF_GPU_UTILIZATION_INFO { ULONG Version; ULONG SessionId; ULONGLONG GpuTime; } PF_GPU_UTILIZATION_INFO, *PPF_GPU_UTILIZATION_INFO; // end_private #endif // _NTPFAPI_H ================================================ FILE: phnt/include/ntpnpapi.h ================================================ /* * Plug and Play support functions * * This file is part of System Informer. */ #ifndef _NTPNPAPI_H #define _NTPNPAPI_H #include typedef enum _PLUGPLAY_EVENT_CATEGORY { HardwareProfileChangeEvent, TargetDeviceChangeEvent, DeviceClassChangeEvent, CustomDeviceEvent, DeviceInstallEvent, DeviceArrivalEvent, PowerEvent, VetoEvent, BlockedDriverEvent, InvalidIDEvent, MaxPlugEventCategory } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; typedef struct _PLUGPLAY_EVENT_BLOCK { GUID EventGuid; PLUGPLAY_EVENT_CATEGORY EventCategory; PULONG Result; ULONG Flags; ULONG TotalSize; PVOID DeviceObject; union { struct { GUID ClassGuid; WCHAR SymbolicLinkName[1]; } DeviceClass; struct { WCHAR DeviceIds[1]; } TargetDevice; struct { WCHAR DeviceId[1]; } InstallDevice; struct { PVOID NotificationStructure; WCHAR DeviceIds[1]; } CustomNotification; struct { PVOID Notification; } ProfileNotification; struct { ULONG NotificationCode; ULONG NotificationData; } PowerNotification; struct { PNP_VETO_TYPE VetoType; WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName } VetoNotification; struct { GUID BlockedDriverGuid; } BlockedDriverNotification; struct { WCHAR ParentId[1]; } InvalidIDNotification; } u; } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; typedef enum _PLUGPLAY_CONTROL_CLASS { PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED MaxPlugPlayControl } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; // private typedef enum _DEVICE_RELATION_TYPE { BusRelations, EjectionRelations, PowerRelations, RemovalRelations, TargetDeviceRelation, SingleBusRelations, TransportRelations } DEVICE_RELATION_TYPE, *PDEVICE_RELATION_TYPE; // private typedef enum _BUS_QUERY_ID_TYPE { BusQueryDeviceID = 0, // \ BusQueryHardwareIDs = 1, // Hardware ids BusQueryCompatibleIDs = 2, // compatible device ids BusQueryInstanceID = 3, // persistent id for this instance of the device BusQueryDeviceSerialNumber = 4, // serial number for this device BusQueryContainerID = 5 // unique id of the device's physical container } BUS_QUERY_ID_TYPE, *PBUS_QUERY_ID_TYPE; // private typedef enum _DEVICE_TEXT_TYPE { DeviceTextDescription = 0, // DeviceDesc property DeviceTextLocationInformation = 1 // DeviceLocation property } DEVICE_TEXT_TYPE, *PDEVICE_TEXT_TYPE; // private typedef enum _DEVICE_USAGE_NOTIFICATION_TYPE { DeviceUsageTypeUndefined, DeviceUsageTypePaging, DeviceUsageTypeHibernation, DeviceUsageTypeDumpFile, DeviceUsageTypeBoot, DeviceUsageTypePostDisplay, DeviceUsageTypeGuestAssigned } DEVICE_USAGE_NOTIFICATION_TYPE, *PDEVICE_USAGE_NOTIFICATION_TYPE; #if (PHNT_VERSION < PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtGetPlugPlayEvent( _In_ HANDLE EventHandle, _In_opt_ PVOID Context, _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, _In_ ULONG EventBufferSize ); #endif // (PHNT_VERSION < PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtPlugPlayControl( _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, _In_ ULONG PnPControlDataLength ); NTSYSCALLAPI NTSTATUS NTAPI NtSerializeBoot( VOID ); NTSYSCALLAPI NTSTATUS NTAPI NtEnableLastKnownGood( VOID ); NTSYSCALLAPI NTSTATUS NTAPI NtDisableLastKnownGood( VOID ); NTSYSCALLAPI NTSTATUS NTAPI NtReplacePartitionUnit( _In_ PCUNICODE_STRING TargetInstancePath, _In_ PCUNICODE_STRING SpareInstancePath, _In_ ULONG Flags ); #endif // _NTPNPAPI_H ================================================ FILE: phnt/include/ntpoapi.h ================================================ [File too large to display: 66.8 KB] ================================================ FILE: phnt/include/ntpsapi.h ================================================ /* * Process support functions * * This file is part of System Informer. */ #ifndef _NTPSAPI_H #define _NTPSAPI_H #include // // Process Object Specific Access Rights // #ifndef PROCESS_TERMINATE #define PROCESS_TERMINATE 0x0001 #endif #ifndef PROCESS_CREATE_THREAD #define PROCESS_CREATE_THREAD 0x0002 #endif #ifndef PROCESS_SET_SESSIONID #define PROCESS_SET_SESSIONID 0x0004 #endif #ifndef PROCESS_VM_OPERATION #define PROCESS_VM_OPERATION 0x0008 #endif #ifndef PROCESS_VM_READ #define PROCESS_VM_READ 0x0010 #endif #ifndef PROCESS_VM_WRITE #define PROCESS_VM_WRITE 0x0020 #endif #ifndef PROCESS_DUP_HANDLE #define PROCESS_DUP_HANDLE 0x0040 #endif #ifndef PROCESS_CREATE_PROCESS #define PROCESS_CREATE_PROCESS 0x0080 #endif #ifndef PROCESS_SET_QUOTA #define PROCESS_SET_QUOTA 0x0100 #endif #ifndef PROCESS_SET_INFORMATION #define PROCESS_SET_INFORMATION 0x0200 #endif #ifndef PROCESS_QUERY_INFORMATION #define PROCESS_QUERY_INFORMATION 0x0400 #endif #ifndef PROCESS_SET_PORT #define PROCESS_SET_PORT 0x0800 #endif #ifndef PROCESS_SUSPEND_RESUME #define PROCESS_SUSPEND_RESUME 0x0800 #endif #ifndef PROCESS_QUERY_LIMITED_INFORMATION #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000 #endif #ifndef PROCESS_SET_LIMITED_INFORMATION #define PROCESS_SET_LIMITED_INFORMATION 0x2000 #endif #ifndef PROCESS_ALL_ACCESS #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) #define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | SPECIFIC_RIGHTS_ALL) #else #define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF) #endif #endif // // Thread Object Specific Access Rights // #ifndef THREAD_TERMINATE #define THREAD_TERMINATE 0x0001 #endif #ifndef THREAD_SUSPEND_RESUME #define THREAD_SUSPEND_RESUME 0x0002 #endif #ifndef THREAD_ALERT #define THREAD_ALERT 0x0004 #endif #ifndef THREAD_GET_CONTEXT #define THREAD_GET_CONTEXT 0x0008 #endif #ifndef THREAD_SET_CONTEXT #define THREAD_SET_CONTEXT 0x0010 #endif #ifndef THREAD_SET_INFORMATION #define THREAD_SET_INFORMATION 0x0020 #endif #ifndef THREAD_QUERY_INFORMATION #define THREAD_QUERY_INFORMATION 0x0040 #endif #ifndef THREAD_SET_THREAD_TOKEN #define THREAD_SET_THREAD_TOKEN 0x0080 #endif #ifndef THREAD_IMPERSONATE #define THREAD_IMPERSONATE 0x0100 #endif #ifndef THREAD_DIRECT_IMPERSONATION #define THREAD_DIRECT_IMPERSONATION 0x0200 #endif #ifndef THREAD_SET_LIMITED_INFORMATION #define THREAD_SET_LIMITED_INFORMATION 0x0400 #endif #ifndef THREAD_QUERY_LIMITED_INFORMATION #define THREAD_QUERY_LIMITED_INFORMATION 0x0800 #endif #ifndef THREAD_RESUME #define THREAD_RESUME 0x1000 #endif #ifndef THREAD_ALL_ACCESS #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) #define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | SPECIFIC_RIGHTS_ALL) #else #define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF) #endif #endif // // Job Object Specific Access Rights // #ifndef JOB_OBJECT_ASSIGN_PROCESS #define JOB_OBJECT_ASSIGN_PROCESS 0x0001 #endif #ifndef JOB_OBJECT_SET_ATTRIBUTES #define JOB_OBJECT_SET_ATTRIBUTES 0x0002 #endif #ifndef JOB_OBJECT_QUERY #define JOB_OBJECT_QUERY 0x0004 #endif #ifndef JOB_OBJECT_TERMINATE #define JOB_OBJECT_TERMINATE 0x0008 #endif #ifndef JOB_OBJECT_SET_SECURITY_ATTRIBUTES #define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010 #endif #ifndef JOB_OBJECT_ALL_ACCESS #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3F) #else #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f) // pre-Vista full access #endif #endif // // Process information structures // /** * The PEB_LDR_DATA structure contains information about the loaded modules for the process. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data */ typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; HANDLE SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID EntryInProgress; BOOLEAN ShutdownInProgress; HANDLE ShutdownThreadId; } PEB_LDR_DATA, *PPEB_LDR_DATA; /** * The INITIAL_TEB structure contains information about the initial stack for a thread. * This structure is used when creating a new thread to specify the stack boundaries and allocation base. * It also contains information about the previous stack if the thread is being recreated. */ typedef struct _INITIAL_TEB { struct { PVOID OldStackBase; // Pointer to the base address of the previous stack. PVOID OldStackLimit; // Pointer to the limit address of the previous stack. } OldInitialTeb; PVOID StackBase; // Pointer to the base address of the new stack. PVOID StackLimit; // Pointer to the limit address of the new stack. PVOID StackAllocationBase; // Pointer to the base address where the stack was allocated. } INITIAL_TEB, *PINITIAL_TEB; // // NtQueryInformationProcess/NtSetInformationProcess types // #if (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _PROCESSINFOCLASS { ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX ProcessIoCounters, // q: IO_COUNTERS ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 ProcessTimes, // q: KERNEL_USER_TIMES ProcessBasePriority, // s: KPRIORITY ProcessRaisePriority, // s: ULONG ProcessDebugPort, // q: HANDLE ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege) ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 ProcessLdtSize, // s: PROCESS_LDT_SIZE ProcessDefaultHardErrorMode, // qs: ULONG ProcessIoPortHandlers, // s: PROCESS_IO_PORT_HANDLER_INFORMATION // (kernel-mode only) ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) ProcessEnableAlignmentFaultFixup, // s: BOOLEAN ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 ProcessAffinityMask, // qs: KAFFINITY, qs: GROUP_AFFINITY ProcessPriorityBoost, // qs: ULONG ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND ProcessWow64Information, // q: ULONG_PTR ProcessImageFileName, // q: UNICODE_STRING ProcessLUIDDeviceMapsEnabled, // q: ULONG ProcessBreakOnTermination, // qs: ULONG ProcessDebugObjectHandle, // q: HANDLE // 30 ProcessDebugFlags, // qs: ULONG ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: PROCESS_HANDLE_TRACING_ENABLE[_EX] or void to disable ProcessIoPriority, // qs: IO_PRIORITY_HINT ProcessExecuteFlags, // qs: ULONG (MEM_EXECUTE_OPTION_*) ProcessTlsInformation, // qs: PROCESS_TLS_INFORMATION // ProcessResourceManagement ProcessCookie, // q: ULONG ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]; s: void ProcessImageFileNameWin32, // q: UNICODE_STRING ProcessImageFileMapping, // q: HANDLE (input) ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE ProcessGroupInformation, // q: USHORT[] ProcessTokenVirtualizationEnabled, // s: ULONG ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION ProcessDynamicFunctionTableInformation, // s: PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL ProcessHandleTable, // q: ULONG[] // since WINBLUE ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) ProcessCommandLineInformation, // q: UNICODE_STRING // 60 ProcessProtectionInformation, // q: PS_PROTECTION ProcessMemoryExhaustion, // s: PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD ProcessFaultInformation, // s: PROCESS_FAULT_INFORMATION ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION ProcessCommitReleaseInformation, // qs: PROCESS_COMMIT_RELEASE_INFORMATION ProcessDefaultCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5] // ProcessReserved1Information ProcessAllowedCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5] // ProcessReserved2Information ProcessSubsystemProcess, // s: void // EPROCESS->SubsystemProcess ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO ProcessInPrivate, // q: BOOLEAN; s: void // ETW // since THRESHOLD2 // 70 ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables ProcessIumChallengeResponse, // q: PROCESS_IUM_CHALLENGE_RESPONSE ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION ProcessHighGraphicsPriorityInformation, // q: BOOLEAN; s: BOOLEAN (requires SeTcbPrivilege) ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES_V1 ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE ProcessActivityThrottlePolicy, // qs: PROCESS_ACTIVITY_THROTTLE_POLICY // ProcessReserved3Information ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER ProcessDisableSystemAllowedCpuSets, // s: BOOLEAN // 80 ProcessWakeInformation, // q: PROCESS_WAKE_INFORMATION // (kernel-mode only) ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE ProcessManageWritesToExecutableMemory, // s: MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 ProcessCaptureTrustletLiveDump, // q: ULONG ProcessTelemetryCoverage, // q: TELEMETRY_COVERAGE_HEADER; s: TELEMETRY_COVERAGE_POINT ProcessEnclaveInformation, ProcessEnableReadWriteVmLogging, // qs: PROCESS_READWRITEVM_LOGGING_INFORMATION ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION ProcessImageSection, // q: HANDLE ProcessDebugAuthInformation, // s: CiTool.exe --device-id // PplDebugAuthorization // since RS4 // 90 ProcessSystemResourceManagement, // s: PROCESS_SYSTEM_RESOURCE_MANAGEMENT ProcessSequenceNumber, // q: ULONGLONG ProcessLoaderDetour, // qs: Obsolete // since RS5 ProcessSecurityDomainInformation, // q: PROCESS_SECURITY_DOMAIN_INFORMATION ProcessCombineSecurityDomainsInformation, // s: PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION ProcessEnableLogging, // qs: PROCESS_LOGGING_INFORMATION ProcessLeapSecondInformation, // qs: PROCESS_LEAP_SECOND_INFORMATION ProcessFiberShadowStackAllocation, // s: PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 ProcessFreeFiberShadowStackAllocation, // s: PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION ProcessAltSystemCallInformation, // s: PROCESS_SYSCALL_PROVIDER_INFORMATION // since 20H1 // 100 ProcessDynamicEHContinuationTargets, // s: PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION ProcessDynamicEnforcedCetCompatibleRanges, // s: PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 ProcessCreateStateChange, // s: Obsolete // since WIN11 ProcessApplyStateChange, // s: Obsolete ProcessEnableOptionalXStateFeatures, // s: ULONG64 // EnableProcessOptionalXStateFeatures ProcessAltPrefetchParam, // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1 ProcessAssignCpuPartitions, // s: HANDLE ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX ProcessMembershipInformation, // q: PROCESS_MEMBERSHIP_INFORMATION ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT // 110 ProcessEffectivePagePriority, // q: ULONG ProcessSchedulerSharedData, // q: SCHEDULER_SHARED_DATA_SLOT_INFORMATION // since 24H2 ProcessSlistRollbackInformation, ProcessNetworkIoCounters, // q: PROCESS_NETWORK_COUNTERS ProcessFindFirstThreadByTebValue, // q: PROCESS_TEB_VALUE_INFORMATION // NtCurrentProcess ProcessEnclaveAddressSpaceRestriction, // qs: // since 25H2 ProcessAvailableCpus, // q: PROCESS_AVAILABLE_CPUS_INFORMATION MaxProcessInfoClass } PROCESSINFOCLASS; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // NtQueryInformationThread/NtSetInformationThread types // #if (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _THREADINFOCLASS { ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION ThreadTimes, // q: KERNEL_USER_TIMES ThreadPriority, // s: KPRIORITY (requires SeIncreaseBasePriorityPrivilege) ThreadBasePriority, // s: KPRIORITY ThreadAffinityMask, // s: KAFFINITY ThreadImpersonationToken, // s: HANDLE ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY) ThreadEnableAlignmentFaultFixup, // s: BOOLEAN ThreadEventPair, // q: Obsolete ThreadQuerySetWin32StartAddress, // q: PVOID ThreadZeroTlsCell, // s: ULONG // TlsIndex // 10 ThreadPerformanceCount, // q: LARGE_INTEGER ThreadAmILastThread, // q: ULONG ThreadIdealProcessor, // s: ULONG ThreadPriorityBoost, // qs: ULONG ThreadSetTlsArrayAddress, // s: ULONG_PTR ThreadIsIoPending, // q: ULONG ThreadHideFromDebugger, // q: BOOLEAN; s: void ThreadBreakOnTermination, // qs: ULONG ThreadSwitchLegacyState, // s: void // NtCurrentThread // NPX/FPU ThreadIsTerminated, // q: ULONG // 20 ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION ThreadIoPriority, // qs: IO_PRIORITY_HINT (requires SeIncreaseBasePriorityPrivilege) ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION (requires THREAD_QUERY_LIMITED_INFORMATION) ThreadPagePriority, // qs: PAGE_PRIORITY_INFORMATION ThreadActualBasePriority, // s: LONG (requires SeIncreaseBasePriorityPrivilege) ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT) ThreadCSwitchMon, // q: Obsolete ThreadCSwitchPmu, // q: Obsolete ThreadWow64Context, // qs: WOW64_CONTEXT, ARM_NT_CONTEXT since 20H1 ThreadGroupInformation, // qs: GROUP_AFFINITY // 30 ThreadUmsInformation, // q: THREAD_UMS_INFORMATION // Obsolete ThreadCounterProfiling, // q: BOOLEAN; s: THREAD_PROFILING_INFORMATION? ThreadIdealProcessorEx, // qs: PROCESSOR_NUMBER; s: previous PROCESSOR_NUMBER on return ThreadCpuAccountingInformation, // q: BOOLEAN; s: HANDLE (NtOpenSession) // NtCurrentThread // since WIN8 ThreadSuspendCount, // q: ULONG // since WINBLUE ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD ThreadContainerId, // q: GUID ThreadNameInformation, // qs: THREAD_NAME_INFORMATION (requires THREAD_SET_LIMITED_INFORMATION) ThreadSelectedCpuSets, // q: ULONG[] ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40 ThreadActualGroupAffinity, // q: GROUP_AFFINITY // since THRESHOLD2 ThreadDynamicCodePolicyInfo, // q: ULONG; s: ULONG (NtCurrentThread) ThreadExplicitCaseSensitivity, // qs: ULONG; s: 0 disables, otherwise enables // (requires SeDebugPrivilege and PsProtectedSignerAntimalware) ThreadWorkOnBehalfTicket, // q: ALPC_WORK_ON_BEHALF_TICKET // RTL_WORK_ON_BEHALF_TICKET_EX // NtCurrentThread ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 ThreadDbgkWerReportActive, // s: ULONG; s: 0 disables, otherwise enables ThreadAttachContainer, // s: HANDLE (job object) // NtCurrentThread ThreadManageWritesToExecutableMemory, // s: MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 ThreadPowerThrottlingState, // qs: POWER_THROTTLING_THREAD_STATE // since REDSTONE3 (set), WIN11 22H2 (query) ThreadWorkloadClass, // q: THREAD_WORKLOAD_CLASS // since REDSTONE5 // 50 ThreadCreateStateChange, // s: Obsolete // since WIN11 ThreadApplyStateChange, // s: Obsolete ThreadStrongerBadHandleChecks, // s: ULONG // NtCurrentThread // since 22H1 ThreadEffectiveIoPriority, // q: IO_PRIORITY_HINT ThreadEffectivePagePriority, // q: ULONG ThreadUpdateLockOwnership, // s: THREAD_LOCK_OWNERSHIP // since 24H2 ThreadSchedulerSharedDataSlot, // q: SCHEDULER_SHARED_DATA_SLOT_INFORMATION ThreadTebInformationAtomic, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_QUERY_INFORMATION) ThreadIndexInformation, // q: THREAD_INDEX_INFORMATION MaxThreadInfoClass } THREADINFOCLASS; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL) // Use with both ProcessPagePriority and ThreadPagePriority typedef struct _PAGE_PRIORITY_INFORMATION { ULONG PagePriority; } PAGE_PRIORITY_INFORMATION, *PPAGE_PRIORITY_INFORMATION; // // Process information structures // /** * The PROCESS_BASIC_INFORMATION structure contains basic information about a process. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess#process_basic_information */ typedef struct _PROCESS_BASIC_INFORMATION { NTSTATUS ExitStatus; // The exit status of the process. (GetExitCodeProcess) PPEB PebBaseAddress; // A pointer to the process environment block (PEB) of the process. KAFFINITY AffinityMask; // The affinity mask of the process. (GetProcessAffinityMask) (deprecated) KPRIORITY BasePriority; // The base priority of the process. (GetPriorityClass) HANDLE UniqueProcessId; // The unique identifier of the process. (GetProcessId) HANDLE InheritedFromUniqueProcessId; // The unique identifier of the parent process. } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; /** * The PROCESS_EXTENDED_BASIC_INFORMATION structure contains extended basic information about a process. */ _Struct_size_bytes_(Size) typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { _In_ SIZE_T Size; // The size of the structure, in bytes. This member must be set to sizeof(PROCESS_EXTENDED_BASIC_INFORMATION). union { PROCESS_BASIC_INFORMATION BasicInfo; struct { NTSTATUS ExitStatus; // The exit status of the process. (GetExitCodeProcess) PPEB PebBaseAddress; // A pointer to the process environment block (PEB) of the process. KAFFINITY AffinityMask; // The affinity mask of the process. (GetProcessAffinityMask) (deprecated) KPRIORITY BasePriority; // The base priority of the process. (GetPriorityClass) HANDLE UniqueProcessId; // The unique identifier of the process. (GetProcessId) HANDLE InheritedFromUniqueProcessId; // The unique identifier of the parent process. }; }; union { ULONG Flags; struct { ULONG IsProtectedProcess : 1; ULONG IsWow64Process : 1; ULONG IsProcessDeleting : 1; ULONG IsCrossSessionCreate : 1; ULONG IsFrozen : 1; ULONG IsBackground : 1; // WIN://BGKD ULONG IsStronglyNamed : 1; // WIN://SYSAPPID ULONG IsSecureProcess : 1; ULONG IsSubsystemProcess : 1; ULONG IsTrustedApp : 1; // since 24H2 ULONG SpareBits : 22; }; }; } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; /** * The VM_COUNTERS structure contains various memory usage statistics for a process. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-process_memory_counters */ typedef struct _VM_COUNTERS { SIZE_T PeakVirtualSize; // The peak virtual address space size of this process, in bytes. SIZE_T VirtualSize; // The virtual address space size of this process, in bytes. ULONG PageFaultCount; // The number of page faults. SIZE_T PeakWorkingSetSize; // The peak working set size, in bytes. SIZE_T WorkingSetSize; // The current working set size, in bytes SIZE_T QuotaPeakPagedPoolUsage; // The peak paged pool usage, in bytes. SIZE_T QuotaPagedPoolUsage; // The current paged pool usage, in bytes. SIZE_T QuotaPeakNonPagedPoolUsage; // The peak non-paged pool usage, in bytes. SIZE_T QuotaNonPagedPoolUsage; // The current non-paged pool usage, in bytes. SIZE_T PagefileUsage; // The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. SIZE_T PeakPagefileUsage; // The peak value in bytes of the Commit Charge during the lifetime of this process. } VM_COUNTERS, *PVM_COUNTERS; /** * The VM_COUNTERS_EX structure extends VM_COUNTERS to include private memory usage. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-process_memory_counters_ex2 */ typedef struct _VM_COUNTERS_EX { SIZE_T PeakVirtualSize; // The peak virtual address space size of this process, in bytes. SIZE_T VirtualSize; // The virtual address space size of this process, in bytes. ULONG PageFaultCount; // The number of page faults. SIZE_T PeakWorkingSetSize; // The peak working set size, in bytes. SIZE_T WorkingSetSize; // The current working set size, in bytes SIZE_T QuotaPeakPagedPoolUsage; // The peak paged pool usage, in bytes. SIZE_T QuotaPagedPoolUsage; // The current paged pool usage, in bytes. SIZE_T QuotaPeakNonPagedPoolUsage; // The peak non-paged pool usage, in bytes. SIZE_T QuotaNonPagedPoolUsage; // The current non-paged pool usage, in bytes. SIZE_T PagefileUsage; // The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. SIZE_T PeakPagefileUsage; // The peak value in bytes of the Commit Charge during the lifetime of this process. SIZE_T PrivateUsage; // Same as PagefileUsage. The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. } VM_COUNTERS_EX, *PVM_COUNTERS_EX; /** * The VM_COUNTERS_EX2 structure extends VM_COUNTERS_EX to include private working set size and shared commit usage. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-process_memory_counters_ex2 */ typedef struct _VM_COUNTERS_EX2 { union { VM_COUNTERS_EX CountersEx; struct { SIZE_T PeakVirtualSize; // The peak virtual address space size of this process, in bytes. SIZE_T VirtualSize; // The virtual address space size of this process, in bytes. ULONG PageFaultCount; // The number of page faults. SIZE_T PeakWorkingSetSize; // The peak working set size, in bytes. SIZE_T WorkingSetSize; // The current working set size, in bytes SIZE_T QuotaPeakPagedPoolUsage; // The peak paged pool usage, in bytes. SIZE_T QuotaPagedPoolUsage; // The current paged pool usage, in bytes. SIZE_T QuotaPeakNonPagedPoolUsage; // The peak non-paged pool usage, in bytes. SIZE_T QuotaNonPagedPoolUsage; // The current non-paged pool usage, in bytes. SIZE_T PagefileUsage; // The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. SIZE_T PeakPagefileUsage; // The peak value in bytes of the Commit Charge during the lifetime of this process. SIZE_T PrivateUsage; // Same as PagefileUsage. The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. }; }; SIZE_T PrivateWorkingSetSize; // The current private working set size, in bytes. SIZE_T SharedCommitUsage; // The current shared commit usage, in bytes. } VM_COUNTERS_EX2, *PVM_COUNTERS_EX2; /** * The KERNEL_USER_TIMES structure contains timing information for a process or thread. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadtimes */ typedef struct _KERNEL_USER_TIMES { LARGE_INTEGER CreateTime; // The creation time of the process or thread. LARGE_INTEGER ExitTime; // The exit time of the process or thread. LARGE_INTEGER KernelTime; // The amount of time the process has executed in kernel mode. LARGE_INTEGER UserTime; // The amount of time the process has executed in user mode. } KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; /** * The POOLED_USAGE_AND_LIMITS structure contains information about the usage and limits of paged and non-paged pool memory. */ typedef struct _POOLED_USAGE_AND_LIMITS { SIZE_T PeakPagedPoolUsage; // The peak paged pool usage. SIZE_T PagedPoolUsage; // The current paged pool usage. SIZE_T PagedPoolLimit; // The limit on paged pool usage. SIZE_T PeakNonPagedPoolUsage; // The peak non-paged pool usage. SIZE_T NonPagedPoolUsage; // The current non-paged pool usage. SIZE_T NonPagedPoolLimit; // The limit on non-paged pool usage. SIZE_T PeakPagefileUsage; // The peak pagefile usage. SIZE_T PagefileUsage; // The current pagefile usage. SIZE_T PagefileLimit; // The limit on pagefile usage. } POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS; #define PROCESS_EXCEPTION_PORT_ALL_STATE_BITS 0x00000003 #define PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS ((ULONG_PTR)((1UL << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1)) /** * The PROCESS_EXCEPTION_PORT structure is used to manage exception ports for a process. */ typedef struct _PROCESS_EXCEPTION_PORT { // // Handle to the exception port. No particular access required. // _In_ HANDLE ExceptionPortHandle; // // Miscellaneous state flags to be cached along with the exception // port in the kernel. // _Inout_ ULONG StateFlags; } PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT; /** * The PROCESS_ACCESS_TOKEN structure is used to manage the security context of a process or thread. * * A process's access token can only be changed if the process has no threads or a single thread that has not yet begun execution. */ typedef struct _PROCESS_ACCESS_TOKEN { // // Handle to Primary token to assign to the process. // TOKEN_ASSIGN_PRIMARY access to this token is needed. // HANDLE Token; // // Handle to the initial thread of the process. // THREAD_QUERY_INFORMATION access to this thread is needed. // // N.B. This field is unused. // HANDLE Thread; } PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; #ifndef _LDT_ENTRY_DEFINED #define _LDT_ENTRY_DEFINED typedef struct _LDT_ENTRY { USHORT LimitLow; USHORT BaseLow; union { struct { UCHAR BaseMid; UCHAR Flags1; UCHAR Flags2; UCHAR BaseHi; } Bytes; struct { ULONG BaseMid : 8; ULONG Type : 5; ULONG Dpl : 2; ULONG Pres : 1; ULONG LimitHi : 4; ULONG Sys : 1; ULONG Reserved_0 : 1; ULONG Default_Big : 1; ULONG Granularity : 1; ULONG BaseHi : 8; } Bits; } HighWord; } LDT_ENTRY, *PLDT_ENTRY; #endif // _LDT_ENTRY_DEFINED /** * The PROCESS_LDT_INFORMATION structure is used to manage Local Descriptor Table (LDT) entries for a process. */ typedef struct _PROCESS_LDT_INFORMATION { ULONG Start; ULONG Length; LDT_ENTRY LdtEntries[1]; } PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION; /** * The PROCESS_LDT_SIZE structure is used to specify the size of the Local Descriptor Table (LDT) for a process. */ typedef struct _PROCESS_LDT_SIZE { ULONG Length; } PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE; /** * The PROCESS_WS_WATCH_INFORMATION structure is used to store information about working set watch events for a process. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_ws_watch_information */ typedef struct _PROCESS_WS_WATCH_INFORMATION { PVOID FaultingPc; // A pointer to the instruction that caused the page fault. PVOID FaultingVa; // A pointer to the page that was added to the working set. } PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) /** * The PROCESS_WS_WATCH_INFORMATION_EX structure contains extended information about a page added to a process working set. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_ws_watch_information_ex */ typedef struct _PROCESS_WS_WATCH_INFORMATION_EX { union { PROCESS_WS_WATCH_INFORMATION BasicInfo; struct { PVOID FaultingPc; // The address of the instruction that caused the page fault. PVOID FaultingVa; // The virtual address that caused the page fault. }; }; HANDLE FaultingThreadId; // The identifier of the thread that caused the page fault. ULONG_PTR Flags; // This member is reserved for future use. } PROCESS_WS_WATCH_INFORMATION_EX, *PPROCESS_WS_WATCH_INFORMATION_EX; #define PROCESS_PRIORITY_CLASS_UNKNOWN 0 #define PROCESS_PRIORITY_CLASS_IDLE 1 #define PROCESS_PRIORITY_CLASS_NORMAL 2 #define PROCESS_PRIORITY_CLASS_HIGH 3 #define PROCESS_PRIORITY_CLASS_REALTIME 4 #define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5 #define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6 /** * The PROCESS_PRIORITY_CLASS structure is used to manage the priority class of a process. */ typedef struct _PROCESS_PRIORITY_CLASS { BOOLEAN Foreground; UCHAR PriorityClass; } PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS; /** * The PROCESS_PRIORITY_CLASS_EX structure extends PROCESS_PRIORITY_CLASS to include validity flags. */ typedef struct _PROCESS_PRIORITY_CLASS_EX { union { struct { USHORT ForegroundValid : 1; USHORT PriorityClassValid : 1; }; USHORT AllFlags; }; UCHAR PriorityClass; BOOLEAN Foreground; } PROCESS_PRIORITY_CLASS_EX, *PPROCESS_PRIORITY_CLASS_EX; /** * The PROCESS_FOREGROUND_BACKGROUND structure is used to manage the priority class of a process, specifically whether it runs in the foreground or background. */ typedef struct _PROCESS_FOREGROUND_BACKGROUND { BOOLEAN Foreground; } PROCESS_FOREGROUND_BACKGROUND, *PPROCESS_FOREGROUND_BACKGROUND; #if (PHNT_MODE != PHNT_MODE_KERNEL) // DriveType #define DRIVE_UNKNOWN 0 #define DRIVE_NO_ROOT_DIR 1 #define DRIVE_REMOVABLE 2 #define DRIVE_FIXED 3 #define DRIVE_REMOTE 4 #define DRIVE_CDROM 5 #define DRIVE_RAMDISK 6 /** * The PROCESS_DEVICEMAP_INFORMATION structure contains information about a process's device map. */ typedef struct _PROCESS_DEVICEMAP_INFORMATION { union { struct { HANDLE DirectoryHandle; // A handle to a directory object that can be set as the new device map for the process. This handle must have DIRECTORY_TRAVERSE access. } Set; struct { ULONG DriveMap; // A bitmask that indicates which drive letters are currently in use in the process's device map. UCHAR DriveType[32]; // A value that indicates the type of each drive (e.g., local disk, network drive, etc.). // DRIVE_* WinBase.h } Query; }; } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION; /** * The PROCESS_LUID_DOSDEVICES_ONLY flag limits the device map to only devices from the current process or logon session. */ #define PROCESS_LUID_DOSDEVICES_ONLY 0x00000001 /** * The PROCESS_DEVICEMAP_INFORMATION_EX structure contains information about a process's device map. */ typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX { union { struct { HANDLE DirectoryHandle; // A handle to a directory object that can be set as the new device map for the process. This handle must have DIRECTORY_TRAVERSE access. } Set; struct { ULONG DriveMap; // A bitmask that indicates which drive letters are currently in use in the process's device map. UCHAR DriveType[32]; // A value that indicates the type of each drive (e.g., local disk, network drive, etc.). // DRIVE_* WinBase.h } Query; }; ULONG Flags; // PROCESS_LUID_DOSDEVICES_ONLY } PROCESS_DEVICEMAP_INFORMATION_EX, *PPROCESS_DEVICEMAP_INFORMATION_EX; /** * The PROCESS_SESSION_INFORMATION structure is used to store information about the session ID of a process. */ typedef struct _PROCESS_SESSION_INFORMATION { ULONG SessionId; } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; #define PROCESS_HANDLE_EXCEPTIONS_ENABLED 0x00000001 #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED 0x00000000 #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED 0x00000001 /** * The PROCESS_HANDLE_TRACING_ENABLE structure is used to enable handle tracing for a process. */ typedef struct _PROCESS_HANDLE_TRACING_ENABLE { ULONG Flags; // Flags that control handle tracing. } PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE; /** * The PROCESS_HANDLE_TRACING_MAX_SLOTS macro specifies the maximum number of slots. */ #define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000 /** * The PROCESS_HANDLE_TRACING_ENABLE_EX structure extends PROCESS_HANDLE_TRACING_ENABLE to include the total number of slots. */ typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX { ULONG Flags; // Flags that control handle tracing. ULONG TotalSlots; // Total number of handle tracing slots. } PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX; #define PROCESS_HANDLE_TRACE_TYPE_OPEN 1 #define PROCESS_HANDLE_TRACE_TYPE_CLOSE 2 #define PROCESS_HANDLE_TRACE_TYPE_BADREF 3 /** * The PROCESS_HANDLE_TRACING_ENTRY structure contains information about the handle operation associated with the event. */ typedef struct _PROCESS_HANDLE_TRACING_ENTRY { HANDLE Handle; // The handle associated with the event. CLIENT_ID ClientId; // The process and thread associated with the event. ULONG Type; // The type of handle operation associated with the event. PVOID Stacks[16]; } PROCESS_HANDLE_TRACING_ENTRY, *PPROCESS_HANDLE_TRACING_ENTRY; /** * The PROCESS_HANDLE_TRACING_QUERY structure is used to query all handle events or a specific handle event for a process. */ typedef struct _PROCESS_HANDLE_TRACING_QUERY { _In_opt_ HANDLE Handle; _Out_ ULONG TotalTraces; _Out_ _Field_size_(TotalTraces) PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1]; } PROCESS_HANDLE_TRACING_QUERY, *PPROCESS_HANDLE_TRACING_QUERY; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) /** * The THREAD_TLS_INFORMATION structure contains information about the Thread Local Storage (TLS) data for a thread. */ typedef struct _THREAD_TLS_INFORMATION { ULONG Flags; // Flags that provide additional information about the TLS data. PVOID NewTlsData; // Pointer to the new TLS data. PVOID OldTlsData; // Pointer to the old TLS data. HANDLE ThreadId; // Handle to the thread associated with the TLS data. } THREAD_TLS_INFORMATION, *PTHREAD_TLS_INFORMATION; /** * The PROCESS_TLS_INFORMATION_TYPE enumeration defines the types of TLS operations that can be performed on a process. */ typedef enum _PROCESS_TLS_INFORMATION_TYPE { ProcessTlsReplaceIndex, // Replace the TLS index. ProcessTlsReplaceVector, // Replace the TLS vector. MaxProcessTlsOperation // Maximum value for the enumeration. } PROCESS_TLS_INFORMATION_TYPE, *PPROCESS_TLS_INFORMATION_TYPE; /** * The PROCESS_TLS_INFORMATION structure contains information about the TLS operations for a process. */ typedef struct _PROCESS_TLS_INFORMATION { ULONG Flags; // Flags that provide additional information about the TLS operation. ULONG OperationType; // The type of TLS operation to be performed. ULONG ThreadDataCount; // The number of THREAD_TLS_INFORMATION structures in the ThreadData array. ULONG TlsIndex; // The TLS index to be replaced. ULONG PreviousCount; // The previous count of TLS data. _Field_size_(ThreadDataCount) THREAD_TLS_INFORMATION ThreadData[1]; // Array of THREAD_TLS_INFORMATION structures. } PROCESS_TLS_INFORMATION, *PPROCESS_TLS_INFORMATION; /** * The PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION structure contains information about the instrumentation callback for a process. */ typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION { ULONG Version; // The version of the instrumentation callback information. ULONG Reserved; // Reserved for future use. PVOID Callback; // Pointer to the callback function. } PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, *PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; /** * The PROCESS_STACK_ALLOCATION_INFORMATION structure contains information about the stack allocation for a process. */ typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION { SIZE_T ReserveSize; // The size of the stack to be reserved. SIZE_T ZeroBits; // The number of zero bits in the stack base address. PVOID StackBase; // Pointer to the base of the stack. } PROCESS_STACK_ALLOCATION_INFORMATION, *PPROCESS_STACK_ALLOCATION_INFORMATION; /** * The PROCESS_STACK_ALLOCATION_INFORMATION_EX structure extends PROCESS_STACK_ALLOCATION_INFORMATION to include additional fields. */ typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION_EX { ULONG PreferredNode; // The preferred NUMA node for the stack allocation. ULONG Reserved0; // Reserved for future use. ULONG Reserved1; // Reserved for future use. ULONG Reserved2; // Reserved for future use. PROCESS_STACK_ALLOCATION_INFORMATION AllocInfo; // The stack allocation information. } PROCESS_STACK_ALLOCATION_INFORMATION_EX, *PPROCESS_STACK_ALLOCATION_INFORMATION_EX; /** * The PROCESS_AFFINITY_UPDATE_MODE union is used to specify the affinity update mode for a process. */ typedef struct _PROCESS_AFFINITY_UPDATE_MODE { union { ULONG Flags; struct { ULONG EnableAutoUpdate : 1; // Indicates whether auto-update of affinity is enabled. ULONG Permanent : 1; // Indicates whether the affinity update is permanent. ULONG Reserved : 30; // Reserved for future use. }; }; } PROCESS_AFFINITY_UPDATE_MODE, *PPROCESS_AFFINITY_UPDATE_MODE; /** * The PROCESS_MEMORY_ALLOCATION_MODE union is used to specify the memory allocation mode for a process. */ typedef struct _PROCESS_MEMORY_ALLOCATION_MODE { union { ULONG Flags; struct { ULONG TopDown : 1; // Indicates whether memory allocation should be top-down. ULONG Reserved : 31; // Reserved for future use. }; }; } PROCESS_MEMORY_ALLOCATION_MODE, *PPROCESS_MEMORY_ALLOCATION_MODE; /** * The PROCESS_HANDLE_INFORMATION structure contains information about the handles of a process. */ typedef struct _PROCESS_HANDLE_INFORMATION { ULONG HandleCount; // The number of handles in the process. ULONG HandleCountHighWatermark; // The highest number of handles that the process has had. } PROCESS_HANDLE_INFORMATION, *PPROCESS_HANDLE_INFORMATION; /** * The PROCESS_CYCLE_TIME_INFORMATION structure contains information about the cycle time of a process. */ typedef struct _PROCESS_CYCLE_TIME_INFORMATION { ULONGLONG AccumulatedCycles; // The total number of cycles accumulated by the process. ULONGLONG CurrentCycleCount; // The current cycle count of the process. } PROCESS_CYCLE_TIME_INFORMATION, *PPROCESS_CYCLE_TIME_INFORMATION; /** * The PROCESS_WINDOW_INFORMATION structure contains information about the windows of a process. */ typedef struct _PROCESS_WINDOW_INFORMATION { ULONG WindowFlags; // Flags that provide information about the window. USHORT WindowTitleLength; // The length of the window title. _Field_size_bytes_(WindowTitleLength) WCHAR WindowTitle[1]; // The title of the window. } PROCESS_WINDOW_INFORMATION, *PPROCESS_WINDOW_INFORMATION; /** * The PROCESS_HANDLE_TABLE_ENTRY_INFO structure contains information about a handle table entry of a process. */ typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO { HANDLE HandleValue; // The value of the handle. SIZE_T HandleCount; // The number of references to the handle. SIZE_T PointerCount; // The number of pointers to the handle. ACCESS_MASK GrantedAccess; // The access rights granted to the handle. ULONG ObjectTypeIndex; // The index of the object type. ULONG HandleAttributes; // The attributes of the handle. ULONG Reserved; // Reserved for future use. } PROCESS_HANDLE_TABLE_ENTRY_INFO, *PPROCESS_HANDLE_TABLE_ENTRY_INFO; /** * The PROCESS_HANDLE_SNAPSHOT_INFORMATION structure contains information about the handle snapshot of a process. */ typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; _Field_size_(NumberOfHandles) PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1]; } PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) #if !defined(NTDDI_WIN10_FE) || (NTDDI_VERSION < NTDDI_WIN10_FE) typedef struct _PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY { union { ULONG Flags; struct { ULONG EnforceRedirectionTrust : 1; ULONG AuditRedirectionTrust : 1; ULONG ReservedFlags : 30; }; }; } PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY, *PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY; #endif // NTDDI_WIN10_FE #if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) typedef struct _PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY { union { ULONG Flags; struct { ULONG EnablePointerAuthUserIp : 1; ULONG ReservedFlags : 31; }; }; } PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY, *PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY; typedef struct _PROCESS_MITIGATION_SEHOP_POLICY { union { ULONG Flags; struct { ULONG EnableSehop : 1; ULONG ReservedFlags : 31; }; }; } PROCESS_MITIGATION_SEHOP_POLICY, *PPROCESS_MITIGATION_SEHOP_POLICY; #endif // NTDDI_WIN10_NI typedef struct _PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2 { union { ULONG Flags; struct { ULONG AssemblyManifestRedirectionTrust : 1; ULONG ReservedFlags : 31; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; } PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2, *PPROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2; #if defined(_PHLIB_) // enum PROCESS_MITIGATION_POLICY #define PROCESS_MITIGATION_POLICY ULONG #define ProcessDEPPolicy 0 // The data execution prevention (DEP) policy of the process. #define ProcessASLRPolicy 1 // The Address Space Layout Randomization (ASLR) policy of the process. #define ProcessDynamicCodePolicy 2 // Disables the ability to generate dynamic code or modify existing executable code. #define ProcessStrictHandleCheckPolicy 3 // Enables the ability to generate a fatal error if the process manipulates an invalid handle. #define ProcessSystemCallDisablePolicy 4 // Disables the ability of the process to use NTUser/GDI functions at the lowest layer. #define ProcessMitigationOptionsMask 5 // Returns the mask of valid bits for all the mitigation options on the system. #define ProcessExtensionPointDisablePolicy 6 // Disables the ability of the process to load legacy extension point DLLs. #define ProcessControlFlowGuardPolicy 7 #define ProcessSignaturePolicy 8 // Disables the ability of the process to load images not signed by Microsoft, the Windows Store and the Windows Hardware Quality Labs (WHQL). #define ProcessFontDisablePolicy 9 // Disables the ability of the process to load non-system fonts. #define ProcessImageLoadPolicy 10 // Disables the ability of the process to load images from some locations, such a remote devices or files that have the low mandatory label. #define ProcessSystemCallFilterPolicy 11 #define ProcessPayloadRestrictionPolicy 12 #define ProcessChildProcessPolicy 13 // Disables the ability to create child processes. #define ProcessSideChannelIsolationPolicy 14 #define ProcessUserShadowStackPolicy 15 // since 20H1 #define ProcessRedirectionTrustPolicy 16 #define ProcessUserPointerAuthPolicy 17 #define ProcessSEHOPPolicy 18 #define ProcessActivationContextTrustPolicy 19 #define MaxProcessMitigationPolicy 20 #endif // _PHLIB_ /** * The PROCESS_MITIGATION_POLICY_INFORMATION structure represents the different process mitigation policies. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-process_mitigation_policy */ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { PROCESS_MITIGATION_POLICY Policy; union { PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy; PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy; PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy; PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy; PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy; PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy; PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy; PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY UserShadowStackPolicy; PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY RedirectionTrustPolicy; PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY UserPointerAuthPolicy; PROCESS_MITIGATION_SEHOP_POLICY SEHOPPolicy; PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2 ActivationContextTrustPolicy; }; } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; // private typedef struct _DYNAMIC_FUNCTION_TABLE DYNAMIC_FUNCTION_TABLE, *PDYNAMIC_FUNCTION_TABLE; /** * The PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION structure is used to manage dynamic function tables for a process. */ typedef struct _PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION { PDYNAMIC_FUNCTION_TABLE DynamicFunctionTable; // Pointer to the dynamic function table. BOOLEAN Remove; // Indicates whether to remove (TRUE) or add (FALSE) the dynamic function table. } PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION, *PPROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION; /** * The PROCESS_KEEPALIVE_COUNT_INFORMATION structure contains information about the wake and no-wake counts for a process. */ typedef struct _PROCESS_KEEPALIVE_COUNT_INFORMATION { ULONG WakeCount; // The number of times the process has been awakened. ULONG NoWakeCount; // The number of times the process was not awakened when expected. } PROCESS_KEEPALIVE_COUNT_INFORMATION, *PPROCESS_KEEPALIVE_COUNT_INFORMATION; /** * The PROCESS_REVOKE_FILE_HANDLES_INFORMATION structure revokes handles to the specified device from a process. */ typedef struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION { UNICODE_STRING TargetDevicePath; } PROCESS_REVOKE_FILE_HANDLES_INFORMATION, *PPROCESS_REVOKE_FILE_HANDLES_INFORMATION; // rev #define PROCESS_WORKING_SET_CONTROL_VERSION 3 /** * The PROCESS_WORKING_SET_OPERATION enumeration defines the operation to perform on a process's working set. */ typedef enum _PROCESS_WORKING_SET_OPERATION { ProcessWorkingSetSwap, // Swap the working set of a process to disk. // (requires SeDebugPrivilege) ProcessWorkingSetEmpty, // Remove all pages from the working set of a process. ProcessWorkingSetEmptyPrivatePages, // Remove private pages from the working set of a process. ProcessWorkingSetOperationMax } PROCESS_WORKING_SET_OPERATION; /** * The PROCESS_WORKING_SET_FLAG_EMPTY_PRIVATE_PAGES flag indicates that the operation should target private pages in the working set. * Private pages are those that are not shared with other processes. */ #define PROCESS_WORKING_SET_FLAG_EMPTY_PRIVATE_PAGES 0x01 /** * The PROCESS_WORKING_SET_FLAG_EMPTY_SHARED_PAGES flag indicates that the operation should target shared pages in the working set. * Shared pages are those that are shared between multiple processes. */ #define PROCESS_WORKING_SET_FLAG_EMPTY_SHARED_PAGES 0x02 /** * The PROCESS_WORKING_SET_FLAG_EMPTY_PAGES flag indicates that the operation should target pages in the working set. */ #define PROCESS_WORKING_SET_FLAG_EMPTY_PAGES 0x04 /** * The PROCESS_WORKING_SET_FLAG_COMPRESS flag indicates that the operation should compress the pages before they are removed from the working set. * Compression is typically used in conjunction with other flags to specify that the pages should be compressed as part of the operation. */ #define PROCESS_WORKING_SET_FLAG_COMPRESS 0x08 /** * The PROCESS_WORKING_SET_FLAG_STORE flag indicates that the operation should store the compressed pages. * This is useful when the compressed data might be needed later, allowing for efficient retrieval and decompression when required. * This flag is typically used in conjunction with the PROCESS_WORKING_SET_FLAG_COMPRESS flag to specify that the compressed pages should be stored. */ #define PROCESS_WORKING_SET_FLAG_STORE 0x10 /** * The PROCESS_WORKING_SET_CONTROL structure is used to control the working set of a process. */ typedef struct _PROCESS_WORKING_SET_CONTROL { ULONG Version; PROCESS_WORKING_SET_OPERATION Operation; ULONG Flags; } PROCESS_WORKING_SET_CONTROL, *PPROCESS_WORKING_SET_CONTROL; /** * The PS_PROTECTED_TYPE enumeration defines the types of protection that can be applied to a process. */ typedef enum _PS_PROTECTED_TYPE { PsProtectedTypeNone, // No protection. PsProtectedTypeProtectedLight, // Light protection. PsProtectedTypeProtected, // Full protection. PsProtectedTypeMax } PS_PROTECTED_TYPE; /** * The PS_PROTECTED_SIGNER enumeration defines the types of signers that can be associated with a protected process. */ typedef enum _PS_PROTECTED_SIGNER { PsProtectedSignerNone, // No signer. PsProtectedSignerAuthenticode, // Authenticode signer. PsProtectedSignerCodeGen, // Code generation signer. PsProtectedSignerAntimalware, // Antimalware signer. PsProtectedSignerLsa, // Local Security Authority signer. PsProtectedSignerWindows, // Windows signer. PsProtectedSignerWinTcb, // Windows Trusted Computing Base signer. PsProtectedSignerWinSystem, // Windows system signer. PsProtectedSignerApp, // Application signer. PsProtectedSignerMax } PS_PROTECTED_SIGNER; #define PS_PROTECTED_SIGNER_MASK 0xFF #define PS_PROTECTED_AUDIT_MASK 0x08 #define PS_PROTECTED_TYPE_MASK 0x07 // ProtectionLevel.Level = PsProtectedValue(PsProtectedSignerCodeGen, FALSE, PsProtectedTypeProtectedLight) #define PsProtectedValue(PsSigner, PsAudit, PsType) ( \ (((PsSigner) & PS_PROTECTED_SIGNER_MASK) << 4) | \ (((PsAudit) & PS_PROTECTED_AUDIT_MASK) << 3) | \ (((PsType) & PS_PROTECTED_TYPE_MASK)) \ ) // InitializePsProtection(&ProtectionLevel, PsProtectedSignerCodeGen, FALSE, PsProtectedTypeProtectedLight) #define InitializePsProtection(PsProtectionLevel, PsSigner, PsAudit, PsType) { \ (PsProtectionLevel)->Signer = (PsSigner); \ (PsProtectionLevel)->Audit = (PsAudit); \ (PsProtectionLevel)->Type = (PsType); \ } /** * The PS_PROTECTION structure is used to define the protection level of a process. */ typedef struct _PS_PROTECTION { union { UCHAR Level; struct { UCHAR Type : 3; UCHAR Audit : 1; UCHAR Signer : 4; }; }; } PS_PROTECTION, *PPS_PROTECTION; /** * The PROCESS_MEMORY_EXHAUSTION_TYPE enumeration defines the different memory exhaustion types. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ne-processthreadsapi-process_memory_exhaustion_type */ //typedef enum _PROCESS_MEMORY_EXHAUSTION_TYPE //{ // // Anytime memory management fails an allocation due to an inability to commit memory, // // it will cause the process to trigger a Windows Error Reporting report and then terminate immediately with STATUS_COMMITMENT_LIMIT. // // The failure cannot be caught and handled by the app. // PMETypeFailFastOnCommitFailure, // PMETypeMax //} PROCESS_MEMORY_EXHAUSTION_TYPE, *PPROCESS_MEMORY_EXHAUSTION_TYPE; /** * The PROCESS_MEMORY_EXHAUSTION_INFO structure allows applications to configure * termination if an allocation fails to commit memory. * \sa https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_memory_exhaustion_info */ //typedef struct _PROCESS_MEMORY_EXHAUSTION_INFO //{ // USHORT Version; // Version should be set to PME_CURRENT_VERSION. // USHORT Reserved; // Reserved // PROCESS_MEMORY_EXHAUSTION_TYPE Type; // Type of failure. // ULONG_PTR Value; // Used to turn the feature on or off. //} PROCESS_MEMORY_EXHAUSTION_INFO, *PPROCESS_MEMORY_EXHAUSTION_INFO; // rev PROCESS_FAULT_INFORMATION->FaultFlags #define PROCESS_FAULT_FLAG_MARK_CRASHED 0x00000001 // sets Flags3.Crashed (bit 2) via atomic OR #define PROCESS_FAULT_FLAG_SET_STATE_CRASHED 0x00000002 // sets HangCount to 0x7 #define PROCESS_FAULT_FLAG_ESCALATE_SEVERITY 0x00000004 // sets GhostCount to 0x7 (mask 0x38) #define PROCESS_FAULT_FLAG_SET_TERMINAL_BIT 0x00000008 // sets PrefilterException (bit 6) /** * The PROCESS_FAULT_INFORMATION structure contains information about process faults. */ typedef struct _PROCESS_FAULT_INFORMATION { union { ULONG FaultFlags; struct { ULONG MarkCrashed : 1; // PROCESS_FAULT_FLAG_MARK_CRASHED (0x00000001) ULONG SetStateCrashed : 1; // PROCESS_FAULT_FLAG_SET_STATE_CRASHED (0x00000002) ULONG EscalateSeverity : 1; // PROCESS_FAULT_FLAG_ESCALATE_SEVERITY (0x00000004) ULONG SetTerminalBit : 1; // PROCESS_FAULT_FLAG_SET_TERMINAL_BIT (0x00000008) ULONG Reserved : 28; }; }; ULONG AdditionalInfo; // Reserved for future use. } PROCESS_FAULT_INFORMATION, *PPROCESS_FAULT_INFORMATION; /** * The PROCESS_TELEMETRY_ID_INFORMATION structure contains telemetry information about a process. */ _Struct_size_bytes_(HeaderSize) typedef struct _PROCESS_TELEMETRY_ID_INFORMATION { ULONG HeaderSize; // The size of the structure, in bytes. ULONG ProcessId; // The ID of the process. ULONG64 ProcessStartKey; // The start key of the process. ULONG64 CreateTime; // The creation time of the process. ULONG64 CreateInterruptTime; // The interrupt time at creation. ULONG64 CreateUnbiasedInterruptTime; // The unbiased interrupt time at creation. ULONG64 ProcessSequenceNumber; // The monotonic sequence number of the process. ULONG64 SessionCreateTime; // The session creation time. ULONG SessionId; // The ID of the session. ULONG BootId; // The boot ID. ULONG ImageChecksum; // The checksum of the process image. ULONG ImageTimeDateStamp; // The timestamp of the process image. ULONG UserSidOffset; // The offset to the user SID. ULONG ImagePathOffset; // The offset to the image path. ULONG PackageNameOffset; // The offset to the package name. ULONG RelativeAppNameOffset; // The offset to the relative application name. ULONG CommandLineOffset; // The offset to the command line. } PROCESS_TELEMETRY_ID_INFORMATION, *PPROCESS_TELEMETRY_ID_INFORMATION; /** * The PROCESS_COMMIT_RELEASE_INFORMATION structure contains information about the commit and release of memory for a process. */ typedef struct _PROCESS_COMMIT_RELEASE_INFORMATION { ULONG Version; struct { ULONG Eligible : 1; ULONG ReleaseRepurposedMemResetCommit : 1; ULONG ForceReleaseMemResetCommit : 1; ULONG Spare : 29; }; SIZE_T CommitDebt; SIZE_T CommittedMemResetSize; SIZE_T RepurposedMemResetSize; } PROCESS_COMMIT_RELEASE_INFORMATION, *PPROCESS_COMMIT_RELEASE_INFORMATION; /** * The PROCESS_JOB_MEMORY_INFO structure represents app memory usage at a single point in time. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-app_memory_information */ typedef struct _PROCESS_JOB_MEMORY_INFO { ULONG64 SharedCommitUsage; // The current shared commit usage, in bytes. ULONG64 PrivateCommitUsage; // The current private commit usage, in bytes. ULONG64 PeakPrivateCommitUsage; // The peak private commit usage, in bytes. ULONG64 PrivateCommitLimit; // The private commit limit, in bytes. ULONG64 TotalCommitLimit; // The total commit limit, in bytes. } PROCESS_JOB_MEMORY_INFO, *PPROCESS_JOB_MEMORY_INFO; // rev typedef struct _PROCESS_IUM_CHALLENGE_RESPONSE { BYTE Buffer[0x1000]; // Challenge response buffer. } PROCESS_IUM_CHALLENGE_RESPONSE, *PPROCESS_IUM_CHALLENGE_RESPONSE; /** * The PROCESS_CHILD_PROCESS_INFORMATION structure contains information about child process policies. */ typedef struct _PROCESS_CHILD_PROCESS_INFORMATION { BOOLEAN ProhibitChildProcesses; // Child processes are prohibited. BOOLEAN AlwaysAllowSecureChildProcess; // Secure child processes are always allowed. BOOLEAN AuditProhibitChildProcesses; // Child processes are audited. } PROCESS_CHILD_PROCESS_INFORMATION, *PPROCESS_CHILD_PROCESS_INFORMATION; /** * Defines the current version of the power throttling structure. */ #define POWER_THROTTLING_PROCESS_CURRENT_VERSION 1 /** * Limits the CPU execution speed of the process to reduce power consumption. */ #define POWER_THROTTLING_PROCESS_EXECUTION_SPEED 0x1 /** * The POWER_THROTTLING_PROCESS_DELAYTIMERS flag delays the expiration of waits and timers for the process. * When this flag is set, the process's wait and timer expiration events may be postponed, * which can help reduce power consumption by allowing the system to remain in low-power states longer. */ #define POWER_THROTTLING_PROCESS_DELAYTIMERS 0x2 /** * The POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION flag controls whether calls made by the * process to adjust the system timer resolution (such as timeBeginPeriod or NtSetTimerResolution) * are honored. When this flag is enabled, such requests are ignored. * * This behavior is part of Windows power-throttling mechanism introduced in Windows 11 and is * enabled by default for all processes. Changes to the system timer resolution can alter the * behavior of system timers, wait timeouts, and sleep durations, often causing unintended * side effects in applications. Higher-precision timer resolutions also negatively impact * battery life and overall system performance. * * \note Enabled by default since Windows 11. This may cause performance issues for legacy * applications and games that rely on modifying the system tick resolution. */ #define POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION 0x4 // since WIN11 /** * Valid flags for power throttling process control and state masks. */ #define POWER_THROTTLING_PROCESS_VALID_FLAGS \ ((POWER_THROTTLING_PROCESS_EXECUTION_SPEED | POWER_THROTTLING_PROCESS_DELAYTIMERS | POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION)) /** * The POWER_THROTTLING_PROCESS_STATE structure is used to manage the power throttling state of a process. */ typedef struct _POWER_THROTTLING_PROCESS_STATE { ULONG Version; // The version of the structure. ULONG ControlMask; // A mask that specifies the control settings for power throttling. ULONG StateMask; // A mask that specifies the current state of power throttling. } POWER_THROTTLING_PROCESS_STATE, *PPOWER_THROTTLING_PROCESS_STATE; // private #ifndef PROCESS_POWER_THROTTLING_CURRENT_VERSION #define PROCESS_POWER_THROTTLING_CURRENT_VERSION 1 #endif #ifndef PROCESS_POWER_THROTTLING_EXECUTION_SPEED #define PROCESS_POWER_THROTTLING_EXECUTION_SPEED 0x1 #endif #ifndef PROCESS_POWER_THROTTLING_IGNORE_TIMER_RESOLUTION #define PROCESS_POWER_THROTTLING_IGNORE_TIMER_RESOLUTION 0x4 #endif #ifndef PROCESS_POWER_THROTTLING_VALID_FLAGS #define PROCESS_POWER_THROTTLING_VALID_FLAGS \ ((PROCESS_POWER_THROTTLING_EXECUTION_SPEED | PROCESS_POWER_THROTTLING_IGNORE_TIMER_RESOLUTION)) #endif // private //typedef struct _PROCESS_POWER_THROTTLING_STATE //{ // ULONG Version; // ULONG ControlMask; // ULONG StateMask; //} PROCESS_POWER_THROTTLING_STATE, *PPROCESS_POWER_THROTTLING_STATE; // private typedef enum _PROCESS_ACTIVITY_THROTTLE_POLICY_OP { ProcessActivityThrottlePolicyDisable = 0, ProcessActivityThrottlePolicyEnable = 1, ProcessActivityThrottlePolicyDefault = 2, MaxProcessActivityThrottlePolicy } PROCESS_ACTIVITY_THROTTLE_POLICY_OP; // PROCESS_ACTIVITY_THROTTLE_POLICY PolicyFlags #define PROCESS_ACTIVITY_THROTTLE_EXECUTIONSPEED 0x1 #define PROCESS_ACTIVITY_THROTTLE_DELAYTIMERS 0x2 #define PROCESS_ACTIVITY_THROTTLE_ALL \ ((PROCESS_ACTIVITY_THROTTLE_EXECUTIONSPEED | PROCESS_ACTIVITY_THROTTLE_DELAYTIMERS)) /** * The PROCESS_ACTIVITY_THROTTLE_POLICY structure is used to manage the activity throttle of a process. */ typedef struct _PROCESS_ACTIVITY_THROTTLE_POLICY { PROCESS_ACTIVITY_THROTTLE_POLICY_OP Operation; ULONG PolicyFlags; } PROCESS_ACTIVITY_THROTTLE_POLICY, *PPROCESS_ACTIVITY_THROTTLE_POLICY; // rev (tyranid) #define WIN32K_SYSCALL_FILTER_STATE_ENABLE 0x1 #define WIN32K_SYSCALL_FILTER_STATE_AUDIT 0x2 /** * The WIN32K_SYSCALL_FILTER structure is used to specify filtering options for Win32k system calls. */ typedef struct _WIN32K_SYSCALL_FILTER { ULONG FilterState; // The state of the Win32k syscall filter (e.g., enable, audit). ULONG FilterSet; // The set of Win32k syscalls to be filtered. } WIN32K_SYSCALL_FILTER, *PWIN32K_SYSCALL_FILTER; // private typedef struct _JOBOBJECT_WAKE_FILTER { ULONG HighEdgeFilter; ULONG LowEdgeFilter; } JOBOBJECT_WAKE_FILTER, *PJOBOBJECT_WAKE_FILTER; // private typedef enum _PS_WAKE_REASON { PsWakeReasonUser = 0, PsWakeReasonExecutionRequired = 1, PsWakeReasonKernel = 2, PsWakeReasonInstrumentation = 3, PsWakeReasonPreserveProcess = 4, PsWakeReasonActivityReference = 5, PsWakeReasonWorkOnBehalf = 6, PsMaxWakeReasons = 7, } PS_WAKE_REASON, *PPS_WAKE_REASON; typedef struct _PROCESS_WAKE_INFORMATION { ULONG64 NotificationChannel; ULONG WakeCounters[PsMaxWakeReasons]; JOBOBJECT_WAKE_FILTER WakeFilter; } PROCESS_WAKE_INFORMATION, *PPROCESS_WAKE_INFORMATION; typedef struct _PROCESS_ENERGY_TRACKING_STATE { ULONG StateUpdateMask; ULONG StateDesiredValue; ULONG StateSequence; ULONG UpdateTag : 1; WCHAR Tag[64]; } PROCESS_ENERGY_TRACKING_STATE, *PPROCESS_ENERGY_TRACKING_STATE; /** * The MANAGE_WRITES_TO_EXECUTABLE_MEMORY structure controls write permissions to executable memory * for processes and threads, and provides a signal for kernel write events. */ typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY { ULONG Version : 8; // The version of the structure. ULONG ProcessEnableWriteExceptions : 1; // Enables write exceptions for the process. ULONG ThreadAllowWrites : 1; // Allows the thread to write to executable memory. ULONG Spare : 22; // Reserved for future use. HANDLE KernelWriteToExecutableSignal; // Pointer to kernel signal for write-to-executable events (19H1+). } MANAGE_WRITES_TO_EXECUTABLE_MEMORY, *PMANAGE_WRITES_TO_EXECUTABLE_MEMORY; #define POWER_THROTTLING_THREAD_CURRENT_VERSION 1 #define POWER_THROTTLING_THREAD_EXECUTION_SPEED 0x1 #define POWER_THROTTLING_THREAD_VALID_FLAGS (POWER_THROTTLING_THREAD_EXECUTION_SPEED) /** * The POWER_THROTTLING_THREAD_STATE structure contains the throttling policies of a thread subject to power management. * * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_power_throttling_thread_state */ typedef struct _POWER_THROTTLING_THREAD_STATE { ULONG Version; // The version of this structure. Set to THREAD_POWER_THROTTLING_CURRENT_VERSION. ULONG ControlMask; // Flags that enable the caller to take control of the power throttling mechanism. ULONG StateMask; // Flags that manage the power throttling mechanism on/off state. } POWER_THROTTLING_THREAD_STATE, *PPOWER_THROTTLING_THREAD_STATE; #define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM 1 #define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM 2 #define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM_V 1UL #define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM_V 2UL /** * The PROCESS_READWRITEVM_LOGGING_INFORMATION structure provides flags to enable logging * of read and write operations to a process's virtual memory. */ typedef struct _PROCESS_READWRITEVM_LOGGING_INFORMATION { union { UCHAR Flags; struct { UCHAR EnableReadVmLogging : 1; // Enable logging of read operations to virtual memory. UCHAR EnableWriteVmLogging : 1; // Enable logging of write operations to virtual memory. UCHAR Unused : 6; }; }; } PROCESS_READWRITEVM_LOGGING_INFORMATION, *PPROCESS_READWRITEVM_LOGGING_INFORMATION; /** * The PROCESS_UPTIME_INFORMATION structure contains information about the uptime of a process and diagnostic information. */ typedef struct _PROCESS_UPTIME_INFORMATION { ULONGLONG QueryInterruptTime; // The interrupt time when the query was made. ULONGLONG QueryUnbiasedTime; // The unbiased time when the query was made. ULONGLONG EndInterruptTime; // The interrupt time when the process ended. ULONGLONG TimeSinceCreation; // The total time elapsed since the process was created. ULONGLONG Uptime; // The total uptime of the process. ULONGLONG SuspendedTime; // The total time the process was in a suspended state. struct { ULONG HangCount : 4; // The number of times the process was detected as hanging. ULONG GhostCount : 4; // The number of times the process was detected as a ghost process. ULONG Crashed : 1; // Indicates whether the process has crashed (1 if true, 0 otherwise). ULONG Terminated : 1; // Indicates whether the process has been terminated (1 if true, 0 otherwise). }; } PROCESS_UPTIME_INFORMATION, *PPROCESS_UPTIME_INFORMATION; /** * The PROCESS_SYSTEM_RESOURCE_MANAGEMENT union is used to specify system resource management flags for a process. */ typedef struct _PROCESS_SYSTEM_RESOURCE_MANAGEMENT { union { ULONG Flags; struct { ULONG Foreground : 1; // Indicates if the process is a foreground process (1 = foreground, 0 = background). ULONG Reserved : 31; }; }; } PROCESS_SYSTEM_RESOURCE_MANAGEMENT, *PPROCESS_SYSTEM_RESOURCE_MANAGEMENT; /** * The PROCESS_SECURITY_DOMAIN_INFORMATION structure contains the security domain identifier for a process. * * This structure is used to query or set the security domain of a process, which can be used for isolation * and security boundary purposes in Windows. The SecurityDomain field is a 64-bit value that uniquely * identifies the security domain associated with the process. */ typedef struct _PROCESS_SECURITY_DOMAIN_INFORMATION { ULONGLONG SecurityDomain; // The unique identifier of the process's security domain. } PROCESS_SECURITY_DOMAIN_INFORMATION, *PPROCESS_SECURITY_DOMAIN_INFORMATION; /** * The PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION structure combines the security domain of a process. * * This structure contains information required to combine the security domains * of a specified process. It is typically used in system-level or security-related * operations where process security contexts need to be merged or managed. */ typedef struct _PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION { HANDLE ProcessHandle; // The Handle to the process whose security domains are to be combined. } PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION, *PPROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION; /** * The PROCESS_LOGGING_INFORMATION structure provides flags to enable or disable logging * for specific process and thread events, such as virtual memory access, suspend/resume, * execution protection, and impersonation. */ typedef struct _PROCESS_LOGGING_INFORMATION { union { ULONG Flags; struct { ULONG EnableReadVmLogging : 1; // Enables logging of read operations to process virtual memory. ULONG EnableWriteVmLogging : 1; // Enables logging of write operations to process virtual memory. ULONG EnableProcessSuspendResumeLogging : 1; // Enables logging of process suspend and resume events. ULONG EnableThreadSuspendResumeLogging : 1; // Enables logging of thread suspend and resume events. ULONG EnableLocalExecProtectVmLogging : 1; // Enables logging of local execution protection for virtual memory. ULONG EnableRemoteExecProtectVmLogging : 1; // Enables logging of remote execution protection for virtual memory. ULONG EnableImpersonationLogging : 1; // Enables logging of impersonation events. ULONG Reserved : 25; }; }; } PROCESS_LOGGING_INFORMATION, *PPROCESS_LOGGING_INFORMATION; /** * This value changes the seconds field during a positive leap second adjustment by the system. * If enabled, then the seconds field returns any positive leap second (For example: 23:59:59 -> 23:59:60 -> 00:00:00). * If not enabled, then the 59th second preceding a positive leap second will be shown for 2 seconds with the milliseconds * value ticking twice as slow. (For example: 23:59:59 -> 23:59:59.500 -> 00:00:00, which takes 2 seconds in wall clock time). * Note: Leap second adjustments are disabled by default for each process, this flag also does not persist if the process is restarted. */ #define PROCESS_LEAP_SECOND_FLAG_ENABLE_SIXTY_SECOND 0x1 #define PROCESS_LEAP_SECOND_VALID_FLAGS (PROCESS_LEAP_SECOND_INFO_FLAG_ENABLE_SIXTY_SECOND) /** * The PROCESS_LEAP_SECOND_INFORMATION structure contains information about leap second adjustments for a process. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_leap_second_info */ typedef struct _PROCESS_LEAP_SECOND_INFORMATION { ULONG Flags; ULONG Reserved; } PROCESS_LEAP_SECOND_INFORMATION, *PPROCESS_LEAP_SECOND_INFORMATION; typedef struct _PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION { ULONGLONG ReserveSize; ULONGLONG CommitSize; ULONG PreferredNode; ULONG Reserved; PVOID Ssp; } PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION, *PPROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION; typedef struct _PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION { PVOID Ssp; } PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION, *PPROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION; /** * The PROCESS_SYSCALL_PROVIDER_INFORMATION structure contains information about a system call provider * and level for system call filtering or instrumentation. */ typedef struct _PROCESS_SYSCALL_PROVIDER_INFORMATION { GUID ProviderId; // The unique identifier of the system call provider. UCHAR Level; // The level or mode of the provider. } PROCESS_SYSCALL_PROVIDER_INFORMATION, *PPROCESS_SYSCALL_PROVIDER_INFORMATION; /** * Contains dynamic enforced address ranges used by various features related to user-mode Hardware-enforced Stack Protection (HSP). * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_dynamic_enforced_address_range */ //typedef struct _PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE //{ // ULONG_PTR BaseAddress; // SIZE_T Size; // ULONG Flags; //} PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE, *PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE; // //typedef struct _PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION //{ // USHORT NumberOfRanges; // USHORT Reserved; // ULONG Reserved2; // PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE Ranges; //} PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION, *PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION; /** * The PROCESS_MEMBERSHIP_INFORMATION structure contains the Silo identifier of the process. * * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-process_membership_information */ typedef struct _PROCESS_MEMBERSHIP_INFORMATION { ULONG ServerSiloId; } PROCESS_MEMBERSHIP_INFORMATION, *PPROCESS_MEMBERSHIP_INFORMATION; #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) /** * The PROCESS_NETWORK_COUNTERS structure contains network usage statistics for a process. */ typedef struct _PROCESS_NETWORK_COUNTERS { ULONG64 BytesIn; // The total number of bytes received by the process. ULONG64 BytesOut; // The total number of bytes sent by the process. } PROCESS_NETWORK_COUNTERS, *PPROCESS_NETWORK_COUNTERS; #endif /** * The PROCESS_TEB_VALUE_INFORMATION structure contains information from the Thread Environment Block (TEB) for a specific thread. */ typedef struct _PROCESS_TEB_VALUE_INFORMATION { ULONG ThreadId; // The identifier of the thread whose TEB is being queried or modified. ULONG TebOffset; // The offset within the TEB where the value is located. ULONG_PTR Value; // The value at the specified offset in the TEB. } PROCESS_TEB_VALUE_INFORMATION, *PPROCESS_TEB_VALUE_INFORMATION; // rev typedef struct _PROCESS_AVAILABLE_CPUS_INFORMATION { ULONG64 ObservedSequenceNumber; ULONG64 SequenceNumber; ULONG AvailableCpusCount; PKAFFINITY_EX Affinity; } PROCESS_AVAILABLE_CPUS_INFORMATION, *PPROCESS_AVAILABLE_CPUS_INFORMATION; /** * The NtQueryPortInformationProcess function retrieves the status of the current process exception port. * * \return LOGICAL If TRUE, the process exception port is valid. */ NTSYSCALLAPI LOGICAL NTAPI NtQueryPortInformationProcess( VOID ); #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Thread information structures // /** * The THREAD_BASIC_INFORMATION structure contains basic information about the thread. */ typedef struct _THREAD_BASIC_INFORMATION { NTSTATUS ExitStatus; // The exit status of the thread or STATUS_PENDING when the thread has not terminated. (GetExitCodeThread) PTEB TebBaseAddress; // The base address of the memory region containing the TEB structure. (NtCurrentTeb) CLIENT_ID ClientId; // The process and thread identifier of the thread. KAFFINITY AffinityMask; // The affinity mask of the thread. (deprecated) (SetThreadAffinityMask) KPRIORITY Priority; // The current priority of the thread. (GetThreadPriority) KPRIORITY BasePriority; // The current base priority of the thread determined by the thread priority and process priority class. } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; /** * The THREAD_LAST_SYSCALL_INFORMATION structure contains information about the last system call made by a thread. */ typedef struct _THREAD_LAST_SYSCALL_INFORMATION { PVOID FirstArgument; // Pointer to the first argument of the last system call. USHORT SystemCallNumber; // The system call number of the last system call made by the thread. ULONG64 WaitTime; // The time spent waiting for the system call to complete, in milliseconds. } THREAD_LAST_SYSCALL_INFORMATION, *PTHREAD_LAST_SYSCALL_INFORMATION; /** * The THREAD_CYCLE_TIME_INFORMATION structure contains information about the cycle time of a thread. */ typedef struct _THREAD_CYCLE_TIME_INFORMATION { ULONG64 AccumulatedCycles; // The total number of cycles accumulated by the thread. ULONG64 CurrentCycleCount; // The current cycle count of the thread. } THREAD_CYCLE_TIME_INFORMATION, *PTHREAD_CYCLE_TIME_INFORMATION; // RtlAbPostRelease / ReleaseAllUserModeAutoBoostLockHandles typedef struct _THREAD_LOCK_OWNERSHIP { ULONG SrwLock[1]; } THREAD_LOCK_OWNERSHIP, *PTHREAD_LOCK_OWNERSHIP; typedef enum _SCHEDULER_SHARED_DATA_SLOT_ACTION { SchedulerSharedSlotAssign, SchedulerSharedSlotFree, SchedulerSharedSlotQuery } SCHEDULER_SHARED_DATA_SLOT_ACTION; typedef struct _SCHEDULER_SHARED_DATA_SLOT_INFORMATION { SCHEDULER_SHARED_DATA_SLOT_ACTION Action; PVOID SchedulerSharedDataHandle; PVOID Slot; } SCHEDULER_SHARED_DATA_SLOT_INFORMATION, *PSCHEDULER_SHARED_DATA_SLOT_INFORMATION; typedef struct _THREAD_TEB_INFORMATION { _Inout_bytecount_(BytesToRead) PVOID TebInformation; // Buffer to write data into. _In_ ULONG TebOffset; // Offset in TEB to begin reading from. _In_ ULONG BytesToRead; // Number of bytes to read. } THREAD_TEB_INFORMATION, *PTHREAD_TEB_INFORMATION; /** * The COUNTER_READING structure is used to store individual counter data from a hardware counter. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-hardware_counter_data */ typedef struct _COUNTER_READING { HARDWARE_COUNTER_TYPE Type; // Specifies the type of hardware counter data collected. ULONG Index; // An identifier for the specific counter. ULONG64 Start; // The initial value of the counter when measurement started. ULONG64 Total; // The accumulated value of the counter over the measurement period. } COUNTER_READING, *PCOUNTER_READING; #ifndef THREAD_PERFORMANCE_DATA_VERSION #define THREAD_PERFORMANCE_DATA_VERSION 1 #endif /** * The THREAD_PERFORMANCE_DATA structure aggregates various performance metrics for a thread. * * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-performance_data */ _Struct_size_bytes_(Size) typedef struct _THREAD_PERFORMANCE_DATA { USHORT Size; // The size of the structure. USHORT Version; // The version of the structure. Must be set to \ref THREAD_PERFORMANCE_DATA_VERSION. PROCESSOR_NUMBER ProcessorNumber; // The processor number that identifies where the thread is running. ULONG ContextSwitches; // The number of context switches that occurred from the time profiling was enabled. ULONG HwCountersCount; // The number of array elements in the HwCounters array that contain hardware counter data. ULONG64 UpdateCount; // The number of times that the read operation read the data to ensure a consistent snapshot of the data. ULONG64 WaitReasonBitMap; // A bitmask of \ref KWAIT_REASON that identifies the reasons for the context switches that occurred since the last time the data was read. ULONG64 HardwareCounters; // A bitmask of hardware counters used to collect counter data. COUNTER_READING CycleTime; // The cycle time of the thread (excludes the time spent interrupted) from the time profiling was enabled. COUNTER_READING HwCounters[MAX_HW_COUNTERS]; // The \ref COUNTER_READING structure that contains hardware counter data. } THREAD_PERFORMANCE_DATA, *PTHREAD_PERFORMANCE_DATA; #ifndef THREAD_PROFILING_FLAG_DISPATCH #define THREAD_PROFILING_FLAG_DISPATCH 0x00000001 #endif #ifndef THREAD_PROFILING_FLAG_HARDWARE_COUNTERS #define THREAD_PROFILING_FLAG_HARDWARE_COUNTERS 0x00000002 #endif /** * The THREAD_PROFILING_INFORMATION structure contains profiling information and references to performance data. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-readthreadprofilingdata */ typedef struct _THREAD_PROFILING_INFORMATION { // To receive hardware performance counter data, set this parameter to a bitmask that identifies the hardware counters to collect. // You can specify up to 16 performance counters. Each bit relates directly to the zero-based hardware counter index for the hardware // performance counters that you configured. Set to zero if you are not collecting hardware counter data. // If you set a bit for a hardware counter that has not been configured, the counter value that is read for that counter is zero. ULONG64 HardwareCounters; // To receive thread profiling data such as context switch count, set this parameter to \ref THREAD_PROFILING_FLAG_DISPATCH. ULONG Flags; // Enable or disable thread profiling on the specified thread. ULONG Enable; // The PERFORMANCE_DATA structure that contains thread profiling and hardware counter data. PTHREAD_PERFORMANCE_DATA PerformanceData; } THREAD_PROFILING_INFORMATION, *PTHREAD_PROFILING_INFORMATION; typedef struct _RTL_UMS_CONTEXT { SINGLE_LIST_ENTRY Link; CONTEXT Context; PVOID Teb; PVOID UserContext; volatile ULONG ScheduledThread : 1; volatile ULONG Suspended : 1; volatile ULONG VolatileContext : 1; volatile ULONG Terminated : 1; volatile ULONG DebugActive : 1; volatile ULONG RunningOnSelfThread : 1; volatile ULONG DenyRunningOnSelfThread : 1; volatile LONG Flags; volatile ULONG64 KernelUpdateLock : 2; volatile ULONG64 PrimaryClientID : 62; volatile ULONG64 ContextLock; struct _RTL_UMS_CONTEXT* PrimaryUmsContext; ULONG SwitchCount; ULONG KernelYieldCount; ULONG MixedYieldCount; ULONG YieldCount; } RTL_UMS_CONTEXT, *PRTL_UMS_CONTEXT; typedef enum _THREAD_UMS_INFORMATION_COMMAND { UmsInformationCommandInvalid, UmsInformationCommandAttach, UmsInformationCommandDetach, UmsInformationCommandQuery } THREAD_UMS_INFORMATION_COMMAND; typedef struct _RTL_UMS_COMPLETION_LIST { PSINGLE_LIST_ENTRY ThreadListHead; PVOID CompletionEvent; ULONG CompletionFlags; SINGLE_LIST_ENTRY InternalListHead; } RTL_UMS_COMPLETION_LIST, *PRTL_UMS_COMPLETION_LIST; typedef struct _THREAD_UMS_INFORMATION { THREAD_UMS_INFORMATION_COMMAND Command; PRTL_UMS_COMPLETION_LIST CompletionList; PRTL_UMS_CONTEXT UmsContext; union { ULONG Flags; struct { ULONG IsUmsSchedulerThread : 1; ULONG IsUmsWorkerThread : 1; ULONG SpareBits : 30; }; }; } THREAD_UMS_INFORMATION, *PTHREAD_UMS_INFORMATION; /** * The THREAD_NAME_INFORMATION structure assigns a description to a thread. * * \remarks The handle must have THREAD_SET_LIMITED_INFORMATION access. * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreaddescription */ typedef struct _THREAD_NAME_INFORMATION { UNICODE_STRING ThreadName; } THREAD_NAME_INFORMATION, *PTHREAD_NAME_INFORMATION; typedef struct _ALPC_WORK_ON_BEHALF_TICKET { ULONG ThreadId; ULONG ThreadCreationTimeLow; } ALPC_WORK_ON_BEHALF_TICKET, *PALPC_WORK_ON_BEHALF_TICKET; typedef struct _RTL_WORK_ON_BEHALF_TICKET_EX { ALPC_WORK_ON_BEHALF_TICKET Ticket; union { ULONG Flags; struct { ULONG CurrentThread : 1; ULONG Reserved1 : 31; }; }; ULONG Reserved2; } RTL_WORK_ON_BEHALF_TICKET_EX, *PRTL_WORK_ON_BEHALF_TICKET_EX; #if (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _SUBSYSTEM_INFORMATION_TYPE { SubsystemInformationTypeWin32, SubsystemInformationTypeWSL, MaxSubsystemInformationType } SUBSYSTEM_INFORMATION_TYPE; #endif // (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _THREAD_WORKLOAD_CLASS { ThreadWorkloadClassDefault, ThreadWorkloadClassGraphics, MaxThreadWorkloadClass } THREAD_WORKLOAD_CLASS; #if defined(_ARM64_) #define CONTEXT_ARM 0x00200000L #define CONTEXT_ARM_CONTROL (CONTEXT_ARM | 0x1L) #define CONTEXT_ARM_INTEGER (CONTEXT_ARM | 0x2L) #define CONTEXT_ARM_FLOATING_POINT (CONTEXT_ARM | 0x4L) #define CONTEXT_ARM_DEBUG_REGISTERS (CONTEXT_ARM | 0x8L) #define CONTEXT_ARM_FULL (CONTEXT_ARM_CONTROL | CONTEXT_ARM_INTEGER | CONTEXT_ARM_FLOATING_POINT) #define CONTEXT_ARM_ALL (CONTEXT_ARM_CONTROL | CONTEXT_ARM_INTEGER | CONTEXT_ARM_FLOATING_POINT | CONTEXT_ARM_DEBUG_REGISTERS) #define ARM_MAX_BREAKPOINTS 8 #define ARM_MAX_WATCHPOINTS 1 typedef struct _ARM_NT_NEON128 { ULONGLONG Low; LONGLONG High; } ARM_NT_NEON128, *PARM_NT_NEON128; typedef struct DECLSPEC_ALIGN(8) DECLSPEC_NOINITALL _ARM_NT_CONTEXT { // // Control flags. // ULONG ContextFlags; // // Integer registers // ULONG R0; ULONG R1; ULONG R2; ULONG R3; ULONG R4; ULONG R5; ULONG R6; ULONG R7; ULONG R8; ULONG R9; ULONG R10; ULONG R11; ULONG R12; // // Control Registers // ULONG Sp; ULONG Lr; ULONG Pc; ULONG Cpsr; // // Floating Point/NEON Registers // ULONG Fpscr; ULONG Padding; union { ARM_NT_NEON128 Q[16]; ULONGLONG D[32]; ULONG S[32]; } DUMMYUNIONNAME; // // Debug registers // ULONG Bvr[ARM_MAX_BREAKPOINTS]; ULONG Bcr[ARM_MAX_BREAKPOINTS]; ULONG Wvr[ARM_MAX_WATCHPOINTS]; ULONG Wcr[ARM_MAX_WATCHPOINTS]; ULONG Padding2[2]; } ARM_NT_CONTEXT, *PARM_NT_CONTEXT; #endif // _ARM64_ // private typedef struct _THREAD_INDEX_INFORMATION { ULONG Index; ULONG Sequence; } THREAD_INDEX_INFORMATION, *PTHREAD_INDEX_INFORMATION; // // Processes // #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * Creates a new process. * * \param ProcessHandle A pointer to a handle that receives the process object handle. * \param DesiredAccess The access rights desired for the process object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. * \param ParentProcess A handle to the parent process. * \param InheritObjectTable If TRUE, the new process inherits the object table of the parent process. * \param SectionHandle Optional. A handle to a section object to be used for the new process. * \param DebugPort Optional. A handle to a debug port to be used for the new process. * \param TokenHandle Optional. A handle to an access token to be used for the new process. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ BOOLEAN InheritObjectTable, _In_opt_ HANDLE SectionHandle, _In_opt_ HANDLE DebugPort, _In_opt_ HANDLE TokenHandle ); // begin_rev #define PROCESS_CREATE_FLAGS_NONE 0x00000000 #define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008 // NtCreateProcessEx only #define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010 // NtCreateProcessEx only (requires SeLockMemoryPrivilege) #define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020 // NtCreateProcessEx only (requires SeLockMemoryPrivilege) #define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040 // NtCreateUserProcess only #define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 // NtCreateProcessEx & NtCreateUserProcess (requires SeLoadDriverPrivilege) #define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_CREATE_SUSPENDED 0x00000200 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_FORCE_BREAKAWAY 0x00000400 // NtCreateProcessEx & NtCreateUserProcess (requires SeTcbPrivilege) #define PROCESS_CREATE_FLAGS_MINIMAL_PROCESS 0x00000800 // NtCreateProcessEx only #define PROCESS_CREATE_FLAGS_RELEASE_SECTION 0x00001000 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_CLONE_MINIMAL 0x00002000 // NtCreateProcessEx only #define PROCESS_CREATE_FLAGS_CLONE_MINIMAL_REDUCED_COMMIT 0x00004000 #define PROCESS_CREATE_FLAGS_AUXILIARY_PROCESS 0x00008000 // NtCreateProcessEx & NtCreateUserProcess (requires SeTcbPrivilege) #define PROCESS_CREATE_FLAGS_CREATE_STORE 0x00020000 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_USE_PROTECTED_ENVIRONMENT 0x00040000 // NtCreateProcessEx & NtCreateUserProcess #define PROCESS_CREATE_FLAGS_IMAGE_EXPANSION_MITIGATION_DISABLE 0x00080000 #define PROCESS_CREATE_FLAGS_PARTITION_CREATE_SLAB_IDENTITY 0x00400000 // NtCreateProcessEx & NtCreateUserProcess (requires SeLockMemoryPrivilege) // end_rev /** * Creates a new process with extended options. * * \param ProcessHandle A pointer to a handle that receives the process object handle. * \param DesiredAccess The access rights desired for the process object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. * \param ParentProcess A handle to the parent process. * \param Flags Flags that control the creation of the process. These flags are defined as PROCESS_CREATE_FLAGS_*. * \param SectionHandle Optional. A handle to a section object to be used for the new process. * \param DebugPort Optional. A handle to a debug port to be used for the new process. * \param TokenHandle Optional. A handle to an access token to be used for the new process. * \param Reserved Reserved for future use. Must be zero. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateProcessEx( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ ULONG Flags, // PROCESS_CREATE_FLAGS_* _In_opt_ HANDLE SectionHandle, _In_opt_ HANDLE DebugPort, _In_opt_ HANDLE TokenHandle, _Reserved_ ULONG Reserved // JobMemberLevel ); /** * Opens an existing process object. * * \param ProcessHandle A pointer to a handle that receives the process object handle. * \param DesiredAccess The access rights desired for the process object. * \param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. * \param ClientId Optional. A pointer to a CLIENT_ID structure that specifies the client ID of the process to be opened. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-ntopenprocess */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PCLIENT_ID ClientId ); /** * Terminates the specified process. * * \param ProcessHandle Optional. A handle to the process to be terminated. If this parameter is NULL, the calling process is terminated. * \param ExitStatus The exit status to be used by the process and the process's termination status. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-zwterminateprocess */ NTSYSCALLAPI NTSTATUS NTAPI NtTerminateProcess( _In_opt_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ); /** * Suspends the specified process. * * \param ProcessHandle A handle to the process to be suspended. * \return NTSTATUS Successful or errant status. * \remarks Use NtCreateProcessStateChange instead. */ NTSYSCALLAPI NTSTATUS NTAPI NtSuspendProcess( _In_ HANDLE ProcessHandle ); /** * Resumes the specified process. * * \param ProcessHandle A handle to the process to be resumed. * \return NTSTATUS Successful or errant status. * \remarks Use NtCreateProcessStateChange instead. */ NTSYSCALLAPI NTSTATUS NTAPI NtResumeProcess( _In_ HANDLE ProcessHandle ); // // Macros // #define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1) #define ZwCurrentProcess() NtCurrentProcess() #define NtCurrentThread() ((HANDLE)(LONG_PTR)-2) #define ZwCurrentThread() NtCurrentThread() #define NtCurrentSession() ((HANDLE)(LONG_PTR)-3) #define ZwCurrentSession() NtCurrentSession() #define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock) #define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess) #define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread) // Windows 8 and above #define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4) // NtOpenProcessToken(NtCurrentProcess()) #define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5) // NtOpenThreadToken(NtCurrentThread()) #define NtCurrentThreadEffectiveToken() ((HANDLE)(LONG_PTR)-6) // NtOpenThreadToken(NtCurrentThread()) + NtOpenProcessToken(NtCurrentProcess()) #define NtCurrentSilo() ((HANDLE)(LONG_PTR)-1) EXTERN_C IMAGE_DOS_HEADER __ImageBase; #define NtCurrentImageBase() ((PVOID)((PIMAGE_DOS_HEADER)&__ImageBase)) #define NtCurrentSessionId() (RtlGetActiveConsoleId()) // USER_SHARED_DATA->ActiveConsoleId //#define NtCurrentLogonId() (NtCurrentPeb()->LogonId) /** * The NtQueryInformationProcess routine retrieves information about the specified process. * * \param ProcessHandle A handle to the process. * \param ProcessInformationClass The type of process information to be retrieved. * \param ProcessInformation A pointer to a buffer that receives the process information. * \param ProcessInformationLength The size of the buffer pointed to by the ProcessInformation parameter. * \param ReturnLength An optional pointer to a variable that receives the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength ); // rev /** * The NtWow64QueryInformationProcess64 routine retrieves information about the specified process. * * \param ProcessHandle A handle to the process. * \param ProcessInformationClass The type of process information to be retrieved. * \param ProcessInformation A pointer to a buffer that receives the process information. * \param ProcessInformationLength The size of the buffer pointed to by the ProcessInformation parameter. * \param ReturnLength An optional pointer to a variable that receives the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI NtWow64QueryInformationProcess64( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength ); /** * The NtSetInformationProcess routine sets information for the specified process. * * \param ProcessHandle A handle to the process. * \param ProcessInformationClass The type of process information to be set. * \param ProcessInformation A pointer to a buffer that contains the process information. * \param ProcessInformationLength The size of the buffer pointed to by the ProcessInformation parameter. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength ); /** * The PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS flag retrieves the previous process in the system. * * When calling NtGetNextProcess, this flag can be specified in the Flags parameter to indicate * that the function should return the previous process in the system enumeration order, * rather than the next process. This can be useful for iterating through processes in reverse order. */ #ifndef PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS #define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001 #endif /** * Retrieves a handle to the next process in the system. * * \param ProcessHandle An optional handle to a process. If this parameter is NULL, the function retrieves the first process in the system. * \param DesiredAccess The access rights desired for the new process handle. * \param HandleAttributes The attributes for the new process handle. * \param Flags Flags that modify the behavior of the function. This can be a combination of the following flags: * - \ref PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS (0x00000001): Retrieve the previous process in the system. * \param NewProcessHandle A pointer to a variable that receives the handle to the next process. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtGetNextProcess( _In_opt_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _In_ ULONG Flags, _Out_ PHANDLE NewProcessHandle ); /** * Retrieves a handle to the next thread in the system. * * \param ProcessHandle A handle to the process for enumeration of threads. * \param ThreadHandle An optional handle to a thread. If this parameter is NULL, the function retrieves the first thread in the process. * \param DesiredAccess The access rights desired for the new thread handle. * \param HandleAttributes The attributes for the new thread handle. * \param Flags Flags that modify the behavior of the function. Unused and should be zero. * \param NewThreadHandle A pointer to a variable that receives the handle to the next thread. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtGetNextThread( _In_ HANDLE ProcessHandle, _In_opt_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _In_opt_ _Reserved_ ULONG Flags, _Out_ PHANDLE NewThreadHandle ); #endif // PHNT_MODE != PHNT_MODE_KERNEL #define STATECHANGE_SET_ATTRIBUTES 0x0001 typedef enum _PROCESS_STATE_CHANGE_TYPE { ProcessStateChangeSuspend, ProcessStateChangeResume, ProcessStateChangeMax, } PROCESS_STATE_CHANGE_TYPE, *PPROCESS_STATE_CHANGE_TYPE; #if (PHNT_VERSION >= PHNT_WINDOWS_11) /** * Creates a state change handle for changing the suspension state of a process. * * \param ProcessStateChangeHandle A pointer to a variable that receives the handle. * \param DesiredAccess The access rights desired for the handle. * \param ObjectAttributes Optional attributes for the handle. * \param ProcessHandle A handle to the process. * \param Reserved Reserved for future use. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateProcessStateChange( _Out_ PHANDLE ProcessStateChangeHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _In_opt_ _Reserved_ ULONG Reserved ); /** * Changes the suspension state of a process. * * \param ProcessStateChangeHandle A handle to the process state change object. * \param ProcessHandle A handle to the process. * \param StateChangeType The type of state change. * \param ExtendedInformation Optional extended information. * \param ExtendedInformationLength The length of the extended information. * \param Reserved Reserved for future use. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtChangeProcessState( _In_ HANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessHandle, _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType, _In_opt_ _Reserved_ PVOID ExtendedInformation, _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength, _In_opt_ _Reserved_ ULONG Reserved ); #endif // PHNT_VERSION >= PHNT_WINDOWS_11 #if (PHNT_VERSION >= PHNT_WINDOWS_11) /** * Creates a state change handle for changing the suspension state of a thread. * * \param ThreadStateChangeHandle A pointer to a variable that receives the handle. * \param DesiredAccess The access rights desired for the handle. * \param ObjectAttributes Optional attributes for the handle. * \param ThreadHandle A handle to the thread. * \param Reserved Reserved for future use. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateThreadStateChange( _Out_ PHANDLE ThreadStateChangeHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ThreadHandle, _In_opt_ _Reserved_ ULONG Reserved ); typedef enum _THREAD_STATE_CHANGE_TYPE { ThreadStateChangeSuspend, ThreadStateChangeResume, ThreadStateChangeMax, } THREAD_STATE_CHANGE_TYPE, *PTHREAD_STATE_CHANGE_TYPE; /** * Changes the suspension state of a thread. * * \param ThreadStateChangeHandle A handle to the thread state change object. * \param ThreadHandle A handle to the thread. * \param StateChangeType The type of state change. * \param ExtendedInformation Optional extended information. * \param ExtendedInformationLength The length of the extended information. * \param Reserved Reserved for future use. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtChangeThreadState( _In_ HANDLE ThreadStateChangeHandle, _In_ HANDLE ThreadHandle, _In_ THREAD_STATE_CHANGE_TYPE StateChangeType, _In_opt_ PVOID ExtendedInformation, _In_opt_ SIZE_T ExtendedInformationLength, _In_opt_ ULONG Reserved ); #endif // PHNT_VERSION >= PHNT_WINDOWS_11 // // Threads // #if (PHNT_MODE != PHNT_MODE_KERNEL) /** * Creates a new thread in the specified process. * * \param ThreadHandle A pointer to a handle that receives the thread object handle. * \param DesiredAccess The access rights desired for the thread object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. * \param ProcessHandle A handle to the process in which the thread is to be created. * \param ClientId A pointer to a CLIENT_ID structure that receives the client ID of the new thread. * \param ThreadContext A pointer to a CONTEXT structure that specifies the initial context of the new thread. * \param InitialTeb A pointer to an INITIAL_TEB structure that specifies the initial stack limits of the new thread. * \param CreateSuspended If TRUE, the thread is created in a suspended state. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _Out_ PCLIENT_ID ClientId, _In_ PCONTEXT ThreadContext, _In_ PINITIAL_TEB InitialTeb, _In_ BOOLEAN CreateSuspended ); /** * Opens an existing thread object. * * \param ThreadHandle A pointer to a handle that receives the thread object handle. * \param DesiredAccess The access rights desired for the thread object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. * \param ClientId Optional. A pointer to a CLIENT_ID structure that specifies the client ID of the thread to be opened. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PCLIENT_ID ClientId ); /** * Terminates the specified thread. * * \param ThreadHandle Optional. A handle to the thread to be terminated. If this parameter is NULL, the calling thread is terminated. * \param ExitStatus The exit status to be used by the thread and the thread's termination status. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtTerminateThread( _In_opt_ HANDLE ThreadHandle, _In_ NTSTATUS ExitStatus ); /** * Suspends the specified thread. * * \param ThreadHandle A handle to the thread to be suspended. * \param PreviousSuspendCount Optional. A pointer to a variable that receives the thread's previous suspend count. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSuspendThread( _In_ HANDLE ThreadHandle, _Out_opt_ PULONG PreviousSuspendCount ); /** * Resumes the specified thread. * * \param ThreadHandle A handle to the thread to be resumed. * \param PreviousSuspendCount Optional. A pointer to a variable that receives the thread's previous suspend count. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtResumeThread( _In_ HANDLE ThreadHandle, _Out_opt_ PULONG PreviousSuspendCount ); /** * Retrieves the number of the current processor. * * \return ULONG The number of the current processor. * \sa https://learn.microsoft.com/en-us/windows/win32/procthread/ntgetcurrentprocessornumber */ NTSYSCALLAPI ULONG NTAPI NtGetCurrentProcessorNumber( VOID ); /** * Retrieves the number of the current processor. * * \param ProcessorNumber An optional pointer to a PROCESSOR_NUMBER structure that receives the processor number. * \return ULONG The number of the current processor. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-kegetcurrentprocessornumberex */ NTSYSCALLAPI ULONG NTAPI NtGetCurrentProcessorNumberEx( _Out_opt_ PPROCESSOR_NUMBER ProcessorNumber ); /** * Retrieves the context of the specified thread. * * \param ThreadHandle A handle to the thread. * \param ThreadContext A pointer to a CONTEXT structure that receives the thread context. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtGetContextThread( _In_ HANDLE ThreadHandle, _Inout_ PCONTEXT ThreadContext ); /** * Sets the context of the specified thread. * * \param ThreadHandle A handle to the thread. * \param ThreadContext A pointer to a CONTEXT structure that specifies the thread context. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetContextThread( _In_ HANDLE ThreadHandle, _In_ PCONTEXT ThreadContext ); /** * Retrieves information about the specified thread. * * \param ThreadHandle A handle to the thread. * \param ThreadInformationClass The type of thread information to be retrieved. * \param ThreadInformation A pointer to a buffer that receives the thread information. * \param ThreadInformationLength The size of the buffer pointed to by the ThreadInformation parameter. * \param ReturnLength An optional pointer to a variable that receives the size of the data returned. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationThread( _In_ HANDLE ThreadHandle, _In_ THREADINFOCLASS ThreadInformationClass, _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength, _Out_opt_ PULONG ReturnLength ); /** * Sets information for the specified thread. * * \param ThreadHandle A handle to the thread. * \param ThreadInformationClass The type of thread information to be set. * \param ThreadInformation A pointer to a buffer that contains the thread information. * \param ThreadInformationLength The size of the buffer pointed to by the ThreadInformation parameter. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationThread( _In_ HANDLE ThreadHandle, _In_ THREADINFOCLASS ThreadInformationClass, _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength ); /** * The NtAlertThread routine alerts the specified thread. * * \param[in] ThreadHandle A handle to the thread to be alerted. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAlertThread( _In_ HANDLE ThreadHandle ); /** * The NtAlertResumeThread routine resumes a specified thread that was previously suspended and alerts the thread. * * \param[in] ThreadHandle A handle to the thread to be resumed and alerted. * \param[out, optional] PreviousSuspendCount An optional pointer to a variable that receives the thread's previous suspend count. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAlertResumeThread( _In_ HANDLE ThreadHandle, _Out_opt_ PULONG PreviousSuspendCount ); /** * The NtTestAlert routine indicates whether the current thread has an alert pending * and executes asynchronous procedure calls (APCs) queued to the current thread. * * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtTestAlert( VOID ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) // rev /** * The NtAlertThreadByThreadId routine sends an alert to the specified thread. * * \param ThreadId The thread ID of the thread to be alerted. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAlertThreadByThreadId( _In_ HANDLE ThreadId ); #endif // PHNT_VERSION >= PHNT_WINDOWS_8 #if (PHNT_VERSION >= PHNT_WINDOWS_11) /** * The NtAlertThreadByThreadIdEx routine sends an alert to the specified thread by its thread ID, with an optional lock. * * \param ThreadId The thread ID of the thread to be alerted. * \param Lock An optional pointer to an SRW lock to be used during the alert. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAlertThreadByThreadIdEx( _In_ HANDLE ThreadId, _In_opt_ PRTL_SRWLOCK Lock ); /** * Identifies the interpretation of a PS_ALERT_THREAD_EXTENDED_PARAMETER record. * * The current kernel implementation for NtAlertMultipleThreadByThreadId accepts only * PsAlertMultipleExtendedParameterAutoBoostContext (0). Other values are rejected with * STATUS_INVALID_PARAMETER. */ typedef enum _PS_ALERT_THREAD_EXTENDED_PARAMETER_TYPE { /** * AutoBoost context token passed into the kernel's AutoBoost (Ab) bookkeeping. * * The payload (ULong64/Pointer/etc.) is forwarded to internal routines and may be used to * associate the wakeup with a particular synchronization/ownership handoff context. */ PsAlertMultipleExtendedParameterAutoBoostContext = 0, /** * Sentinel / upper bound (not a usable type). */ PsAlertMultipleExtendedParameterMax = 1, } PS_ALERT_THREAD_EXTENDED_PARAMETER_TYPE, *PPS_ALERT_THREAD_EXTENDED_PARAMETER_TYPE; /** * Extended parameter record for NtAlertMultipleThreadByThreadId. * * In the analyzed NtAlertMultipleThreadByThreadId implementation: * - Type must be 0 (PsAlertMultipleExtendedParameterAutoBoostContext). * - The union payload at offset +0x8 is forwarded as an opaque 64-bit context value. */ typedef struct _PS_ALERT_THREAD_EXTENDED_PARAMETER { /** * Parameter type (8-bit) */ ULONGLONG Type : 8; /** * Reserved bits; should be zero. */ ULONGLONG Reserved : 56; /** * Payload value whose meaning depends on Type. * * For Type == PsAlertMultipleExtendedParameterAutoBoostContext, this is treated as an * opaque "AutoBoostContext" token. It may be pointer-like and may use low-bit tagging. */ union { ULONGLONG ULong64; PVOID Pointer; SIZE_T Size; HANDLE Handle; ULONG ULong; UCHAR Boolean; }; } PS_ALERT_THREAD_EXTENDED_PARAMETER, *PPS_ALERT_THREAD_EXTENDED_PARAMETER; /** * The NtAlertMultipleThreadByThreadId routine alerts each target thread specified by thread ID. * Target threads must belong to the caller's current process (cross-process targets fail STATUS_ACCESS_DENIED). * * \param MultipleThreadId A pointer to an array of thread IDs to be alerted. * \param Count The number of thread IDs in the array. * \param ExtendedParameters An optional pointer to one or more extended parameters of type PS_ALERT_THREAD_EXTENDED_PARAMETER. * \param ExtendedParameterCount Specifies the number of elements in the ExtendedParameters array. * \return NTSTATUS Successful or errant status. * \remarks STATUS_ACCESS_DENIED may be returned when the thread belongs to another process. * \note * - Only PS_ALERT_THREAD_EXTENDED_PARAMETER.Type == 0 is currently accepted. * - If multiple extended parameters are provided, the implementation consumes them in order and * the *last* parameter's payload is the one forwarded to the internal alert logic. */ NTSYSCALLAPI NTSTATUS NTAPI NtAlertMultipleThreadByThreadId( _In_ PHANDLE MultipleThreadId, _In_ ULONG Count, _Inout_updates_opt_(ExtendedParameterCount) PPS_ALERT_THREAD_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount ); #endif // PHNT_VERSION >= PHNT_WINDOWS_11 #if (PHNT_VERSION >= PHNT_WINDOWS_8) // rev /** * The NtWaitForAlertByThreadId routine blocks the calling thread until another thread calls NtAlertThreadByThreadId * with a matching address, or until the timeout expires. * * \param Address A unique address used to identify this wait operation. Other threads call * NtAlertThreadByThreadId with this same address to wake the waiting thread. * Can be NULL to wait on the thread ID itself. * \param Timeout Optional timeout value. If NULL, waits indefinitely. If present, specifies * the absolute or relative time to wait before returning STATUS_TIMEOUT. * \return STATUS_SUCCESS if alerted successfully. * \return STATUS_TIMEOUT if the timeout expired before being alerted. * \return STATUS_ALERTED if woken by NtAlertThreadByThreadId. */ NTSYSCALLAPI NTSTATUS NTAPI NtWaitForAlertByThreadId( _In_opt_ PVOID Address, _In_opt_ PLARGE_INTEGER Timeout ); #endif // PHNT_VERSION >= PHNT_WINDOWS_8 /** * Impersonates a client thread. * * \param ServerThreadHandle A handle to the server thread. * \param ClientThreadHandle A handle to the client thread. * \param SecurityQos A pointer to a SECURITY_QUALITY_OF_SERVICE structure that specifies the impersonation level and context tracking mode. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtImpersonateThread( _In_ HANDLE ServerThreadHandle, _In_ HANDLE ClientThreadHandle, _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos ); /** * Registers a thread termination port. * * \param PortHandle A handle to the port to be registered. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtRegisterThreadTerminatePort( _In_ HANDLE PortHandle ); /** * Sets LDT (Local Descriptor Table) entries. * * \param Selector0 The first selector. * \param Entry0Low The low part of the first entry. * \param Entry0Hi The high part of the first entry. * \param Selector1 The second selector. * \param Entry1Low The low part of the second entry. * \param Entry1Hi The high part of the second entry. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetLdtEntries( _In_ ULONG Selector0, _In_ ULONG Entry0Low, _In_ ULONG Entry0Hi, _In_ ULONG Selector1, _In_ ULONG Entry1Low, _In_ ULONG Entry1Hi ); /** * Dispatches the Asynchronous Procedure Call (APC) from the NtQueueApc* functions to the specified routine. * * \param ApcRoutine A pointer to the APC routine to be executed. * \param Parameter Optional. A pointer to a parameter to be passed to the APC routine. * \param ActxContext Optional. A handle to an activation context. */ NTSYSAPI VOID NTAPI RtlDispatchAPC( _In_ PAPCFUNC ApcRoutine, _In_opt_ PVOID Parameter, _In_opt_ HANDLE ActxContext ); /** * A pointer to a function that serves as an APC routine. * * \param ApcArgument1 Optional. A pointer to the first argument to be passed to the APC routine. * \param ApcArgument2 Optional. A pointer to the second argument to be passed to the APC routine. * \param ApcArgument3 Optional. A pointer to the third argument to be passed to the APC routine. */ typedef _Function_class_(PS_APC_ROUTINE) VOID NTAPI PS_APC_ROUTINE( _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ); typedef PS_APC_ROUTINE* PPS_APC_ROUTINE; /** * Encodes an APC routine pointer for use in a WOW64 environment. * * \param ApcRoutine The APC routine pointer to be encoded. * \return PVOID The encoded APC routine pointer. */ #define Wow64EncodeApcRoutine(ApcRoutine) \ ((PVOID)((0 - ((LONG_PTR)(ApcRoutine))) << 2)) /** * Decodes an APC routine pointer that was encoded for use in a WOW64 environment. * * \param ApcRoutine The encoded APC routine pointer to be decoded. * \return PVOID The decoded APC routine pointer. */ #define Wow64DecodeApcRoutine(ApcRoutine) \ ((PVOID)(0 - (((LONG_PTR)(ApcRoutine)) >> 2))) /** * Queues an APC (Asynchronous Procedure Call) to a thread. * * \param ThreadHandle Handle to the thread to which the APC is to be queued. * \param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed. * \param ApcArgument1 Optional first argument to be passed to the APC routine. * \param ApcArgument2 Optional second argument to be passed to the APC routine. * \param ApcArgument3 Optional third argument to be passed to the APC routine. * \return NTSTATUS Successful or errant status. * \remarks The APC will be executed in the context of the specified thread when the thread enters an alertable wait state or when any * process calls the NtTestAlert, NtAlertThread, NtAlertResumeThread or NtAlertThreadByThreadId functions. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueueApcThread( _In_ HANDLE ThreadHandle, _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ); /** * A special handle value used to queue a user APC (Asynchronous Procedure Call). */ #define QUEUE_USER_APC_SPECIAL_USER_APC ((HANDLE)0x1) /** * Queues an APC (Asynchronous Procedure Call) to a thread. * * \param ThreadHandle Handle to the thread to which the APC is to be queued. * \param ReserveHandle Optional handle to a reserve object. This can be QUEUE_USER_APC_SPECIAL_USER_APC or a handle returned by NtAllocateReserveObject. * \param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed. * \param ApcArgument1 Optional first argument to be passed to the APC routine. * \param ApcArgument2 Optional second argument to be passed to the APC routine. * \param ApcArgument3 Optional third argument to be passed to the APC routine. * \return NTSTATUS Successful or errant status. * \remarks The APC will be executed in the context of the specified thread after the thread enters an alertable wait state or immediately * when QUEUE_USER_APC_SPECIAL_USER_APC is used or NtTestAlert, NtAlertThread, NtAlertResumeThread or NtAlertThreadByThreadId are called. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueueApcThreadEx( _In_ HANDLE ThreadHandle, _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject // QUEUE_USER_APC_SPECIAL_USER_APC _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ); /** * The APC_CALLBACK_DATA_CONTEXT structure is used to pass information to the APC callback routine. */ typedef struct _APC_CALLBACK_DATA_CONTEXT { ULONG_PTR Parameter; PCONTEXT ContextRecord; ULONG_PTR Reserved0; ULONG_PTR Reserved1; } APC_CALLBACK_DATA_CONTEXT, *PAPC_CALLBACK_DATA_CONTEXT; #define QUEUE_USER_APC_FLAGS_NONE 0x00000000 #define QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC 0x00000001 #define QUEUE_USER_APC_FLAGS_CALLBACK_DATA_CONTEXT 0x00010000 // APC_CALLBACK_DATA_CONTEXT #if (PHNT_VERSION >= PHNT_WINDOWS_11) /** * Queues an Asynchronous Procedure Call (APC) to a specified thread. * * \param ThreadHandle A handle to the thread to which the APC is to be queued. * \param ReserveHandle An optional handle to a reserve object. This can be obtained using NtAllocateReserveObject. * \param ApcFlags Flags that control the behavior of the APC. These flags are defined in QUEUE_USER_APC_FLAGS. * \param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed. * \param ApcArgument1 An optional argument to be passed to the APC routine. * \param ApcArgument2 An optional argument to be passed to the APC routine. * \param ApcArgument3 An optional argument to be passed to the APC routine. * \return NTSTATUS Successful or errant status. * \remarks The APC will be executed in the context of the specified thread when the thread enters an alertable wait state or immediately * when QUEUE_USER_APC_SPECIAL_USER_APC is used or any process calls the NtTestAlert, NtAlertThread, * NtAlertResumeThread or NtAlertThreadByThreadId functions. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueueApcThreadEx2( _In_ HANDLE ThreadHandle, _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject _In_ ULONG ApcFlags, // QUEUE_USER_APC_FLAGS _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ); #endif // PHNT_VERSION >= PHNT_WINDOWS_11 #endif // PHNT_MODE != PHNT_MODE_KERNEL // // User processes and threads // #if (PHNT_MODE != PHNT_MODE_KERNEL) // Attributes (Win32 CreateProcess) // PROC_THREAD_ATTRIBUTE_NUM (dmex) #define ProcThreadAttributeParentProcess 0 // in HANDLE #define ProcThreadAttributeExtendedFlags 1 // in ULONG (EXTENDED_PROCESS_CREATION_FLAG_*) #define ProcThreadAttributeHandleList 2 // in HANDLE[] #define ProcThreadAttributeGroupAffinity 3 // in GROUP_AFFINITY // since WIN7 #define ProcThreadAttributePreferredNode 4 // in USHORT #define ProcThreadAttributeIdealProcessor 5 // in PROCESSOR_NUMBER #define ProcThreadAttributeUmsThread 6 // in UMS_CREATE_THREAD_ATTRIBUTES #define ProcThreadAttributeMitigationPolicy 7 // in ULONG, ULONG64, or ULONG64[2] #define ProcThreadAttributePackageFullName 8 // in WCHAR[] // since WIN8 #define ProcThreadAttributeSecurityCapabilities 9 // in SECURITY_CAPABILITIES #define ProcThreadAttributeConsoleReference 10 // BaseGetConsoleReference (kernelbase.dll) #define ProcThreadAttributeProtectionLevel 11 // in ULONG (PROTECTION_LEVEL_*) // since WINBLUE #define ProcThreadAttributeOsMaxVersionTested 12 // in MAXVERSIONTESTED_INFO // since THRESHOLD // (from exe.manifest) #define ProcThreadAttributeJobList 13 // in HANDLE[] #define ProcThreadAttributeChildProcessPolicy 14 // in ULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 #define ProcThreadAttributeAllApplicationPackagesPolicy 15 // in ULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE #define ProcThreadAttributeWin32kFilter 16 // in WIN32K_SYSCALL_FILTER #define ProcThreadAttributeSafeOpenPromptOriginClaim 17 // in SE_SAFE_OPEN_PROMPT_RESULTS #define ProcThreadAttributeDesktopAppPolicy 18 // in ULONG (PROCESS_CREATION_DESKTOP_APP_*) // since RS2 #define ProcThreadAttributeBnoIsolation 19 // in PROC_THREAD_BNOISOLATION_ATTRIBUTE #define ProcThreadAttributePseudoConsole 22 // in HANDLE (HPCON) // since RS5 #define ProcThreadAttributeIsolationManifest 23 // in ISOLATION_MANIFEST_PROPERTIES // rev (diversenok) // since 19H2+ #define ProcThreadAttributeMitigationAuditPolicy 24 // in ULONG, ULONG64, or ULONG64[2] // since 21H1 #define ProcThreadAttributeMachineType 25 // in USHORT // since 21H2 #define ProcThreadAttributeComponentFilter 26 // in ULONG #define ProcThreadAttributeEnableOptionalXStateFeatures 27 // in ULONG64 // since WIN11 #define ProcThreadAttributeCreateStore 28 // ULONG // rev (diversenok) #define ProcThreadAttributeTrustedApp 29 #define ProcThreadAttributeSveVectorLength 30 #define ProcThreadAttributeSmeVectorLength 31 // since 25H2 #ifndef PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS #define PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS \ ProcThreadAttributeValue(ProcThreadAttributeExtendedFlags, FALSE, TRUE, TRUE) #endif #ifndef PROC_THREAD_ATTRIBUTE_PACKAGE_FULL_NAME #define PROC_THREAD_ATTRIBUTE_PACKAGE_FULL_NAME \ ProcThreadAttributeValue(ProcThreadAttributePackageFullName, FALSE, TRUE, FALSE) #endif #ifndef PROC_THREAD_ATTRIBUTE_CONSOLE_REFERENCE #define PROC_THREAD_ATTRIBUTE_CONSOLE_REFERENCE \ ProcThreadAttributeValue(ProcThreadAttributeConsoleReference, FALSE, TRUE, FALSE) #endif #ifndef PROC_THREAD_ATTRIBUTE_OSMAXVERSIONTESTED #define PROC_THREAD_ATTRIBUTE_OSMAXVERSIONTESTED \ ProcThreadAttributeValue(ProcThreadAttributeOsMaxVersionTested, FALSE, TRUE, FALSE) #endif #ifndef PROC_THREAD_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM #define PROC_THREAD_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \ ProcThreadAttributeValue(ProcThreadAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE) #endif #ifndef PROC_THREAD_ATTRIBUTE_BNO_ISOLATION #define PROC_THREAD_ATTRIBUTE_BNO_ISOLATION \ ProcThreadAttributeValue(ProcThreadAttributeBnoIsolation, FALSE, TRUE, FALSE) #endif #ifndef PROC_THREAD_ATTRIBUTE_ISOLATION_MANIFEST #define PROC_THREAD_ATTRIBUTE_ISOLATION_MANIFEST \ ProcThreadAttributeValue(ProcThreadAttributeIsolationManifest, FALSE, TRUE, FALSE) #endif #ifndef PROC_THREAD_ATTRIBUTE_CREATE_STORE #define PROC_THREAD_ATTRIBUTE_CREATE_STORE \ ProcThreadAttributeValue(ProcThreadAttributeCreateStore, FALSE, TRUE, FALSE) #endif #ifndef PROC_THREAD_ATTRIBUTE_TRUSTED_APP #define PROC_THREAD_ATTRIBUTE_TRUSTED_APP \ ProcThreadAttributeValue(ProcThreadAttributeTrustedApp, FALSE, TRUE, FALSE) #endif // private typedef struct _PROC_THREAD_ATTRIBUTE { ULONG_PTR Attribute; SIZE_T Size; ULONG_PTR Value; } PROC_THREAD_ATTRIBUTE, *PPROC_THREAD_ATTRIBUTE; /** * The PROC_THREAD_ATTRIBUTE_LIST structure contains the list of attributes for process and thread creation. */ typedef struct _PROC_THREAD_ATTRIBUTE_LIST { ULONG PresentFlags; // A bitmask of flags that indicate the attributes for process and thread creation. ULONG AttributeCount; // The number of attributes in the list. ULONG LastAttribute; // The index of the last attribute in the list. ULONG SpareUlong0; // Reserved for future use. PPROC_THREAD_ATTRIBUTE ExtendedFlagsAttribute; // A pointer to the extended flags attribute. _Field_size_(AttributeCount) PROC_THREAD_ATTRIBUTE Attributes[1]; // An array of attributes. } PROC_THREAD_ATTRIBUTE_LIST, *PPROC_THREAD_ATTRIBUTE_LIST; // private #define EXTENDED_PROCESS_CREATION_FLAG_ELEVATION_HANDLED 0x00000001 #define EXTENDED_PROCESS_CREATION_FLAG_FORCELUA 0x00000002 #define EXTENDED_PROCESS_CREATION_FLAG_FORCE_BREAKAWAY 0x00000004 // requires SeTcbPrivilege // since WINBLUE #define PROTECTION_LEVEL_WINTCB_LIGHT 0x00000000 #define PROTECTION_LEVEL_WINDOWS 0x00000001 #define PROTECTION_LEVEL_WINDOWS_LIGHT 0x00000002 #define PROTECTION_LEVEL_ANTIMALWARE_LIGHT 0x00000003 #define PROTECTION_LEVEL_LSA_LIGHT 0x00000004 #define PROTECTION_LEVEL_WINTCB 0x00000005 #define PROTECTION_LEVEL_CODEGEN_LIGHT 0x00000006 #define PROTECTION_LEVEL_AUTHENTICODE 0x00000007 #define PROTECTION_LEVEL_PPL_APP 0x00000008 #define PROTECTION_LEVEL_SAME 0xFFFFFFFF #define PROTECTION_LEVEL_NONE 0xFFFFFFFE // private typedef enum _SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS { SeSafeOpenExperienceNone = 0x00, SeSafeOpenExperienceCalled = 0x01, SeSafeOpenExperienceAppRepCalled = 0x02, SeSafeOpenExperiencePromptDisplayed = 0x04, SeSafeOpenExperienceUAC = 0x08, SeSafeOpenExperienceUninstaller = 0x10, SeSafeOpenExperienceIgnoreUnknownOrBad = 0x20, SeSafeOpenExperienceDefenderTrustedInstaller = 0x40, SeSafeOpenExperienceMOTWPresent = 0x80, SeSafeOpenExperienceElevatedNoPropagation = 0x100 } SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS; // private typedef struct _SE_SAFE_OPEN_PROMPT_RESULTS { SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS Results; WCHAR Path[MAX_PATH]; } SE_SAFE_OPEN_PROMPT_RESULTS, *PSE_SAFE_OPEN_PROMPT_RESULTS; typedef struct _PROC_THREAD_BNOISOLATION_ATTRIBUTE { BOOL IsolationEnabled; WCHAR IsolationPrefix[0x88]; } PROC_THREAD_BNOISOLATION_ATTRIBUTE, *PPROC_THREAD_BNOISOLATION_ATTRIBUTE; // private typedef struct _ISOLATION_MANIFEST_PROPERTIES { UNICODE_STRING InstancePath; UNICODE_STRING FriendlyName; UNICODE_STRING Description; ULONG_PTR Level; } ISOLATION_MANIFEST_PROPERTIES, *PISOLATION_MANIFEST_PROPERTIES; // // Attributes (Native) // // private typedef enum _PS_ATTRIBUTE_NUM { PsAttributeParentProcess, // in HANDLE PsAttributeDebugObject, // in HANDLE PsAttributeToken, // in HANDLE PsAttributeClientId, // out PCLIENT_ID PsAttributeTebAddress, // out PTEB * PsAttributeImageName, // in PWSTR PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE PsAttributePriorityClass, // in UCHAR PsAttributeErrorMode, // in ULONG PsAttributeStdHandleInfo, // in PPS_STD_HANDLE_INFO // 10 PsAttributeHandleList, // in HANDLE[] PsAttributeGroupAffinity, // in PGROUP_AFFINITY PsAttributePreferredNode, // in PUSHORT PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER PsAttributeUmsThread, // in PUMS_CREATE_THREAD_ATTRIBUTES PsAttributeMitigationOptions, // in PPS_MITIGATION_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_POLICY_*) // since WIN8 PsAttributeProtectionLevel, // in PS_PROTECTION // since WINBLUE PsAttributeSecureProcess, // in PPS_TRUSTLET_CREATE_ATTRIBUTES, since THRESHOLD PsAttributeJobList, // in HANDLE[] PsAttributeChildProcessPolicy, // in PULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 // 20 PsAttributeAllApplicationPackagesPolicy, // in PULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE PsAttributeWin32kFilter, // in PWIN32K_SYSCALL_FILTER PsAttributeSafeOpenPromptOriginClaim, // in SE_SAFE_OPEN_PROMPT_RESULTS PsAttributeBnoIsolation, // in PPS_BNO_ISOLATION_PARAMETERS // since REDSTONE2 PsAttributeDesktopAppPolicy, // in PULONG (PROCESS_CREATION_DESKTOP_APP_*) PsAttributeChpe, // in BOOLEAN // since REDSTONE3 PsAttributeMitigationAuditOptions, // in PPS_MITIGATION_AUDIT_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_AUDIT_POLICY_*) // since 21H1 PsAttributeMachineType, // in USHORT // since 21H2 PsAttributeComponentFilter, // in COMPONENT_FILTER PsAttributeEnableOptionalXStateFeatures, // in ULONG64 // since WIN11 // 30 PsAttributeSupportedMachines, // in ULONG // since 24H2 PsAttributeSveVectorLength, // PPS_PROCESS_CREATION_SVE_VECTOR_LENGTH PsAttributeMax } PS_ATTRIBUTE_NUM; // private #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff #define PS_ATTRIBUTE_THREAD 0x00010000 // may be used with thread creation #define PS_ATTRIBUTE_INPUT 0x00020000 // input only #define PS_ATTRIBUTE_ADDITIVE 0x00040000 // "accumulated" e.g. bitmasks, counters, etc. // begin_rev #define PsAttributeValue(Number, Thread, Input, Additive) \ (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0)) #define PS_ATTRIBUTE_PARENT_PROCESS \ PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_DEBUG_OBJECT \ PsAttributeValue(PsAttributeDebugObject, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_TOKEN \ PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_CLIENT_ID \ PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) #define PS_ATTRIBUTE_TEB_ADDRESS \ PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) #define PS_ATTRIBUTE_IMAGE_NAME \ PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_IMAGE_INFO \ PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) #define PS_ATTRIBUTE_MEMORY_RESERVE \ PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_PRIORITY_CLASS \ PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_ERROR_MODE \ PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_STD_HANDLE_INFO \ PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_HANDLE_LIST \ PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_GROUP_AFFINITY \ PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) #define PS_ATTRIBUTE_PREFERRED_NODE \ PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_IDEAL_PROCESSOR \ PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) #define PS_ATTRIBUTE_UMS_THREAD \ PsAttributeValue(PsAttributeUmsThread, TRUE, TRUE, FALSE) #define PS_ATTRIBUTE_MITIGATION_OPTIONS \ PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_PROTECTION_LEVEL \ PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_SECURE_PROCESS \ PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_JOB_LIST \ PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \ PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \ PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_WIN32K_FILTER \ PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \ PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_BNO_ISOLATION \ PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_DESKTOP_APP_POLICY \ PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_CHPE \ PsAttributeValue(PsAttributeChpe, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_MITIGATION_AUDIT_OPTIONS \ PsAttributeValue(PsAttributeMitigationAuditOptions, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_MACHINE_TYPE \ PsAttributeValue(PsAttributeMachineType, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_COMPONENT_FILTER \ PsAttributeValue(PsAttributeComponentFilter, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES \ PsAttributeValue(PsAttributeEnableOptionalXStateFeatures, TRUE, TRUE, FALSE) // end_rev // begin_private typedef struct _PS_ATTRIBUTE { ULONG_PTR Attribute; SIZE_T Size; union { ULONG_PTR Value; PVOID ValuePtr; }; PSIZE_T ReturnLength; } PS_ATTRIBUTE, *PPS_ATTRIBUTE; _Struct_size_bytes_(TotalLength) typedef struct _PS_ATTRIBUTE_LIST { SIZE_T TotalLength; PS_ATTRIBUTE Attributes[1]; } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; typedef struct _PS_MEMORY_RESERVE { PVOID ReserveAddress; SIZE_T ReserveSize; } PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE; typedef enum _PS_STD_HANDLE_STATE { PsNeverDuplicate, PsRequestDuplicate, // duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem PsAlwaysDuplicate, // always duplicate standard handles PsMaxStdHandleStates } PS_STD_HANDLE_STATE; // begin_rev #define PS_STD_INPUT_HANDLE 0x1 #define PS_STD_OUTPUT_HANDLE 0x2 #define PS_STD_ERROR_HANDLE 0x4 // end_rev typedef struct _PS_STD_HANDLE_INFO { union { ULONG Flags; struct { ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE ULONG PseudoHandleMask : 3; // PS_STD_* }; }; ULONG StdHandleSubsystemType; } PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO; typedef union _PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS { UCHAR Trustlet : 1; UCHAR Ntos : 1; UCHAR WriteHandle : 1; UCHAR ReadHandle : 1; UCHAR Reserved : 4; UCHAR AccessRights; } PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS, *PPS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS; typedef union _PS_TRUSTLET_ATTRIBUTE_TYPE { ULONG AttributeType; struct { UCHAR Version; UCHAR DataCount; UCHAR SemanticType; PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS AccessRights; } DUMMYSTRUCTNAME; } PS_TRUSTLET_ATTRIBUTE_TYPE, *PPS_TRUSTLET_ATTRIBUTE_TYPE; typedef struct _PS_TRUSTLET_ATTRIBUTE_HEADER { PS_TRUSTLET_ATTRIBUTE_TYPE AttributeType; ULONG InstanceNumber : 8; ULONG Reserved : 24; } PS_TRUSTLET_ATTRIBUTE_HEADER, *PPS_TRUSTLET_ATTRIBUTE_HEADER; typedef struct _PS_TRUSTLET_ATTRIBUTE_DATA { PS_TRUSTLET_ATTRIBUTE_HEADER Header; ULONGLONG Data[1]; } PS_TRUSTLET_ATTRIBUTE_DATA, *PPS_TRUSTLET_ATTRIBUTE_DATA; typedef struct _PS_TRUSTLET_CREATE_ATTRIBUTES { ULONGLONG TrustletIdentity; PS_TRUSTLET_ATTRIBUTE_DATA Attributes[1]; } PS_TRUSTLET_CREATE_ATTRIBUTES, *PPS_TRUSTLET_CREATE_ATTRIBUTES; // private typedef struct _PS_BNO_ISOLATION_PARAMETERS { UNICODE_STRING IsolationPrefix; ULONG HandleCount; PVOID *Handles; BOOLEAN IsolationEnabled; } PS_BNO_ISOLATION_PARAMETERS, *PPS_BNO_ISOLATION_PARAMETERS; // private typedef union _PS_PROCESS_CREATION_SVE_VECTOR_LENGTH { ULONG VectorLength : 24; ULONG FlagsReserved : 8; } PS_PROCESS_CREATION_SVE_VECTOR_LENGTH, *PPS_PROCESS_CREATION_SVE_VECTOR_LENGTH; // private typedef enum _PS_MITIGATION_OPTION { PS_MITIGATION_OPTION_NX, PS_MITIGATION_OPTION_SEHOP, PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES, PS_MITIGATION_OPTION_HEAP_TERMINATE, PS_MITIGATION_OPTION_BOTTOM_UP_ASLR, PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR, PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS, PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE, PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE, PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE, PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD, PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES, PS_MITIGATION_OPTION_FONT_DISABLE, PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE, PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL, PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32, PS_MITIGATION_OPTION_RETURN_FLOW_GUARD, PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY, PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD, PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT, PS_MITIGATION_OPTION_ROP_STACKPIVOT, // since REDSTONE3 PS_MITIGATION_OPTION_ROP_CALLER_CHECK, PS_MITIGATION_OPTION_ROP_SIMEXEC, PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER, PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS, PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION, PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER, PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION, PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION, PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE, // since REDSTONE5 PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY, PS_MITIGATION_OPTION_CET_USER_SHADOW_STACKS, PS_MITIGATION_OPTION_USER_CET_SET_CONTEXT_IP_VALIDATION, // since 21H1 PS_MITIGATION_OPTION_BLOCK_NON_CET_BINARIES, PS_MITIGATION_OPTION_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY, PS_MITIGATION_OPTION_REDIRECTION_TRUST, // since 22H1 PS_MITIGATION_OPTION_RESTRICT_CORE_SHARING, PS_MITIGATION_OPTION_FSCTL_SYSTEM_CALL_DISABLE, // since 24H2 } PS_MITIGATION_OPTION; // windows-internals-book:"Chapter 5" typedef enum _PS_CREATE_STATE { PsCreateInitialState, PsCreateFailOnFileOpen, PsCreateFailOnSectionCreate, PsCreateFailExeFormat, PsCreateFailMachineMismatch, PsCreateFailExeName, // Debugger specified PsCreateSuccess, PsCreateMaximumStates } PS_CREATE_STATE; _Struct_size_bytes_(Size) typedef struct _PS_CREATE_INFO { SIZE_T Size; PS_CREATE_STATE State; union { // PsCreateInitialState struct { union { ULONG InitFlags; struct { UCHAR WriteOutputOnExit : 1; UCHAR DetectManifest : 1; UCHAR IFEOSkipDebugger : 1; UCHAR IFEODoNotPropagateKeyState : 1; UCHAR SpareBits1 : 4; UCHAR SpareBits2 : 8; USHORT ProhibitedImageCharacteristics : 16; }; }; ACCESS_MASK AdditionalFileAccess; } InitState; // PsCreateFailOnSectionCreate struct { HANDLE FileHandle; } FailSection; // PsCreateFailExeFormat struct { USHORT DllCharacteristics; } ExeFormat; // PsCreateFailExeName struct { HANDLE IFEOKey; } ExeName; // PsCreateSuccess struct { union { ULONG OutputFlags; struct { UCHAR ProtectedProcess : 1; UCHAR AddressSpaceOverride : 1; UCHAR DevOverrideEnabled : 1; // from Image File Execution Options UCHAR ManifestDetected : 1; UCHAR ProtectedProcessLight : 1; UCHAR SpareBits1 : 3; UCHAR SpareBits2 : 8; USHORT SpareBits3 : 16; }; }; HANDLE FileHandle; HANDLE SectionHandle; ULONGLONG UserProcessParametersNative; ULONG UserProcessParametersWow64; ULONG CurrentParameterFlags; ULONGLONG PebAddressNative; ULONG PebAddressWow64; ULONGLONG ManifestAddress; ULONG ManifestSize; } SuccessState; }; } PS_CREATE_INFO, *PPS_CREATE_INFO; // end_private /** * Creates a new process and primary thread. * * \param ProcessHandle A pointer to a handle that receives the process object handle. * \param ThreadHandle A pointer to a handle that receives the thread object handle. * \param ProcessDesiredAccess The access rights desired for the process object. * \param ThreadDesiredAccess The access rights desired for the thread object. * \param ProcessObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. * \param ThreadObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. * \param ProcessFlags Flags that control the creation of the process. These flags are defined as PROCESS_CREATE_FLAGS_*. * \param ThreadFlags Flags that control the creation of the thread. These flags are defined as THREAD_CREATE_FLAGS_*. * \param ProcessParameters Optional. A pointer to a RTL_USER_PROCESS_PARAMETERS structure that specifies the parameters for the new process. * \param CreateInfo A pointer to a PS_CREATE_INFO structure that specifies additional information for the process creation. * \param AttributeList Optional. A pointer to a list of attributes for the process and thread. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateUserProcess( _Out_ PHANDLE ProcessHandle, _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK ProcessDesiredAccess, _In_ ACCESS_MASK ThreadDesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ProcessObjectAttributes, _In_opt_ PCOBJECT_ATTRIBUTES ThreadObjectAttributes, _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* _In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_* _In_opt_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, _Inout_ PPS_CREATE_INFO CreateInfo, _In_opt_ PPS_ATTRIBUTE_LIST AttributeList ); // begin_rev #define THREAD_CREATE_FLAGS_NONE 0x00000000 #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 // NtCreateUserProcess & NtCreateThreadEx #define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 // NtCreateThreadEx only #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 // NtCreateThreadEx only #define THREAD_CREATE_FLAGS_LOADER_WORKER 0x00000010 // NtCreateThreadEx only // since THRESHOLD #define THREAD_CREATE_FLAGS_SKIP_LOADER_INIT 0x00000020 // NtCreateThreadEx only // since REDSTONE2 #define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x00000040 // NtCreateThreadEx only // since 19H1 // end_rev /** * A pointer to a user-defined function that serves as the starting routine for a new thread. * * \param ThreadParameter A pointer to a variable that is passed to the thread. * \return NTSTATUS Successful or errant status. */ typedef _Function_class_(USER_THREAD_START_ROUTINE) NTSTATUS NTAPI USER_THREAD_START_ROUTINE( _In_ PVOID ThreadParameter ); typedef USER_THREAD_START_ROUTINE* PUSER_THREAD_START_ROUTINE; /** * Creates a new thread in the specified process. * * \param ThreadHandle A pointer to a handle that receives the thread object handle. * \param DesiredAccess The access rights desired for the thread object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. * \param ProcessHandle A handle to the process in which the thread is to be created. * \param StartRoutine A pointer to the application-defined function to be executed by the thread. * \param Argument Optional. A pointer to a variable that is passed to the thread. * \param CreateFlags Flags that control the creation of the thread. These flags are defined as THREAD_CREATE_FLAGS_*. * \param ZeroBits The number of zero bits in the starting address of the thread's stack. * \param StackSize The initial size of the thread's stack, in bytes. * \param MaximumStackSize The maximum size of the thread's stack, in bytes. * \param AttributeList Optional. A pointer to a list of attributes for the thread. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateThreadEx( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _In_ PUSER_THREAD_START_ROUTINE StartRoutine, _In_opt_ PVOID Argument, _In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_* _In_ SIZE_T ZeroBits, _In_ SIZE_T StackSize, _In_ SIZE_T MaximumStackSize, _In_opt_ PPS_ATTRIBUTE_LIST AttributeList ); #endif // PHNT_MODE != PHNT_MODE_KERNEL // // Job objects // #if (PHNT_MODE != PHNT_MODE_KERNEL) // JOBOBJECTINFOCLASS // Note: We don't use an enum since it conflicts with the Windows SDK. #define JOBOBJECTINFOCLASS ULONG #define JobObjectBasicAccountingInformation 1 // q: JOBOBJECT_BASIC_ACCOUNTING_INFORMATION #define JobObjectBasicLimitInformation 2 // qs: JOBOBJECT_BASIC_LIMIT_INFORMATION #define JobObjectBasicProcessIdList 3 // q: JOBOBJECT_BASIC_PROCESS_ID_LIST #define JobObjectBasicUIRestrictions 4 // qs: JOBOBJECT_BASIC_UI_RESTRICTIONS #define JobObjectSecurityLimitInformation 5 // qs: JOBOBJECT_SECURITY_LIMIT_INFORMATION #define JobObjectEndOfJobTimeInformation 6 // qs: JOBOBJECT_END_OF_JOB_TIME_INFORMATION #define JobObjectAssociateCompletionPortInformation 7 // s: JOBOBJECT_ASSOCIATE_COMPLETION_PORT #define JobObjectBasicAndIoAccountingInformation 8 // q: JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION #define JobObjectExtendedLimitInformation 9 // qs: JOBOBJECT_EXTENDED_LIMIT_INFORMATION[V2] #define JobObjectJobSetInformation 10 // q: JOBOBJECT_JOBSET_INFORMATION #define JobObjectGroupInformation 11 // q: USHORT #define JobObjectNotificationLimitInformation 12 // q: JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION #define JobObjectLimitViolationInformation 13 // q: JOBOBJECT_LIMIT_VIOLATION_INFORMATION #define JobObjectGroupInformationEx 14 // qs: GROUP_AFFINITY (ARRAY) #define JobObjectCpuRateControlInformation 15 // qs: JOBOBJECT_CPU_RATE_CONTROL_INFORMATION #define JobObjectCompletionFilter 16 // qs: ULONG #define JobObjectCompletionCounter 17 // qs: ULONG #define JobObjectFreezeInformation 18 // qs: JOBOBJECT_FREEZE_INFORMATION #define JobObjectExtendedAccountingInformation 19 // qs: JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION #define JobObjectWakeInformation 20 // qs: JOBOBJECT_WAKE_INFORMATION #define JobObjectBackgroundInformation 21 // s: BOOLEAN #define JobObjectSchedulingRankBiasInformation 22 // s: JOBOBJECT_SCHEDULING_RANK_BIAS_INFORMATION #define JobObjectTimerVirtualizationInformation 23 // s: JOBOBJECT_TIMER_VIRTUALIZATION_INFORMATION #define JobObjectCycleTimeNotification 24 // s: JOBOBJECT_CYCLE_TIME_NOTIFICATION #define JobObjectClearEvent 25 // s: HANDLE #define JobObjectInterferenceInformation 26 // q: JOBOBJECT_INTERFERENCE_INFORMATION #define JobObjectClearPeakJobMemoryUsed 27 // s: NULL #define JobObjectMemoryUsageInformation 28 // q: JOBOBJECT_MEMORY_USAGE_INFORMATION // JOBOBJECT_MEMORY_USAGE_INFORMATION_V2 #define JobObjectSharedCommit 29 // q: JOBOBJECT_SHARED_COMMIT #define JobObjectContainerId 30 // q: JOBOBJECT_CONTAINER_IDENTIFIER_V2 #define JobObjectIoRateControlInformation 31 // qs: JOBOBJECT_IO_RATE_CONTROL_INFORMATION_NATIVE, JOBOBJECT_IO_RATE_CONTROL_INFORMATION_NATIVE_V2, JOBOBJECT_IO_RATE_CONTROL_INFORMATION_NATIVE_V3 #define JobObjectNetRateControlInformation 32 // qs: JOBOBJECT_NET_RATE_CONTROL_INFORMATION #define JobObjectNotificationLimitInformation2 33 // qs: JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION_2 #define JobObjectLimitViolationInformation2 34 // qs: JOBOBJECT_LIMIT_VIOLATION_INFORMATION_2 #define JobObjectCreateSilo 35 // s: NULL #define JobObjectSiloBasicInformation 36 // q: SILOOBJECT_BASIC_INFORMATION #define JobObjectSiloRootDirectory 37 // q: SILOOBJECT_ROOT_DIRECTORY #define JobObjectServerSiloBasicInformation 38 // q: SERVERSILO_BASIC_INFORMATION #define JobObjectServerSiloUserSharedData 39 // q: SILO_USER_SHARED_DATA // NtQueryInformationJobObject(NULL, 39, Buffer, sizeof(SILO_USER_SHARED_DATA), 0); #define JobObjectServerSiloInitialize 40 // qs: SERVERSILO_INIT_INFORMATION #define JobObjectServerSiloRunningState 41 // s: BOOLEAN #define JobObjectIoAttribution 42 // q: JOBOBJECT_IO_ATTRIBUTION_INFORMATION #define JobObjectMemoryPartitionInformation 43 // qs: JOBOBJECT_MEMORY_PARTITION_INFORMATION #define JobObjectContainerTelemetryId 44 // s: GUID // NtSetInformationJobObject(_In_ PGUID, 44, _In_ PGUID, sizeof(GUID)); // daxexec #define JobObjectSiloSystemRoot 45 // s: UNICODE_STRING #define JobObjectEnergyTrackingState 46 // q: JOBOBJECT_ENERGY_TRACKING_STATE #define JobObjectThreadImpersonationInformation 47 // qs: BOOLEAN #define JobObjectIoPriorityLimit 48 // qs: JOBOBJECT_IO_PRIORITY_LIMIT #define JobObjectPagePriorityLimit 49 // qs: JOBOBJECT_PAGE_PRIORITY_LIMIT #define JobObjectServerSiloDiagnosticInformation 50 // q: SERVERSILO_DIAGNOSTIC_INFORMATION // since 24H2 #define JobObjectNetworkAccountingInformation 51 // q: JOBOBJECT_NETWORK_ACCOUNTING_INFORMATION #define JobObjectCpuPartition 52 // qs: JOBOBJECT_CPU_PARTITION_INFORMATION // since 25H2 #define MaxJobObjectInfoClass 53 // rev // extended limit v2 #define JOB_OBJECT_LIMIT_SILO_READY 0x00400000 /** * The JOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2 structure contains basic and extended limit information for a job object. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_extended_limit_information */ typedef struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2 { JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation; IO_COUNTERS IoInfo; SIZE_T ProcessMemoryLimit; SIZE_T JobMemoryLimit; SIZE_T PeakProcessMemoryUsed; SIZE_T PeakJobMemoryUsed; SIZE_T JobTotalMemoryLimit; } JOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2, *PJOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2; // private typedef struct _JOBOBJECT_SCHEDULING_RANK_BIAS_INFORMATION { ULONG SchedulingRankBias; } JOBOBJECT_SCHEDULING_RANK_BIAS_INFORMATION, *PJOBOBJECT_SCHEDULING_RANK_BIAS_INFORMATION; // private typedef struct _JOBOBJECT_TIMER_VIRTUALIZATION_INFORMATION { ULONG TimerVirtualizationEnabled; } JOBOBJECT_TIMER_VIRTUALIZATION_INFORMATION, *PJOBOBJECT_TIMER_VIRTUALIZATION_INFORMATION; // private typedef struct _JOBOBJECT_CYCLE_TIME_NOTIFICATION { HANDLE NotificationChannel; ULONG64 CycleTime; } JOBOBJECT_CYCLE_TIME_NOTIFICATION, *PJOBOBJECT_CYCLE_TIME_NOTIFICATION; // private typedef struct _JOBOBJECT_SHARED_COMMIT { ULONG64 SharedCommit; } JOBOBJECT_SHARED_COMMIT, *PJOBOBJECT_SHARED_COMMIT; // private typedef struct _JOBOBJECT_MEMORY_PARTITION_INFORMATION { ULONG_PTR PartitionId; } JOBOBJECT_MEMORY_PARTITION_INFORMATION, *PJOBOBJECT_MEMORY_PARTITION_INFORMATION; // private typedef struct _JOBOBJECT_CPU_PARTITION_INFORMATION { ULONG_PTR PartitionId; } JOBOBJECT_CPU_PARTITION_INFORMATION, *PJOBOBJECT_CPU_PARTITION_INFORMATION; // private typedef struct _JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION { JOBOBJECT_BASIC_ACCOUNTING_INFORMATION BasicInfo; IO_COUNTERS IoInfo; PROCESS_DISK_COUNTERS DiskIoInfo; ULONG64 ContextSwitches; LARGE_INTEGER TotalCycleTime; ULONG64 ReadyTime; PROCESS_ENERGY_VALUES EnergyValues; } JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION, *PJOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION; // private typedef struct _JOBOBJECT_WAKE_INFORMATION { HANDLE NotificationChannel; ULONG64 WakeCounters[PsMaxWakeReasons]; } JOBOBJECT_WAKE_INFORMATION, *PJOBOBJECT_WAKE_INFORMATION; // private typedef struct _JOBOBJECT_WAKE_INFORMATION_V1 { HANDLE NotificationChannel; ULONG64 WakeCounters[4]; } JOBOBJECT_WAKE_INFORMATION_V1, *PJOBOBJECT_WAKE_INFORMATION_V1; // private typedef struct _JOBOBJECT_INTERFERENCE_INFORMATION { ULONG64 Count; } JOBOBJECT_INTERFERENCE_INFORMATION, *PJOBOBJECT_INTERFERENCE_INFORMATION; // private typedef struct _JOBOBJECT_FREEZE_INFORMATION { union { ULONG Flags; struct { ULONG FreezeOperation : 1; ULONG FilterOperation : 1; ULONG SwapOperation : 1; ULONG Reserved : 29; }; }; BOOLEAN Freeze; BOOLEAN Swap; UCHAR Reserved0[2]; JOBOBJECT_WAKE_FILTER WakeFilter; } JOBOBJECT_FREEZE_INFORMATION, *PJOBOBJECT_FREEZE_INFORMATION; // private typedef struct _JOBOBJECT_CONTAINER_IDENTIFIER_V2 { GUID ContainerId; GUID ContainerTelemetryId; ULONG JobId; } JOBOBJECT_CONTAINER_IDENTIFIER_V2, *PJOBOBJECT_CONTAINER_IDENTIFIER_V2; // private typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION { ULONG64 JobMemory; ULONG64 PeakJobMemoryUsed; } JOBOBJECT_MEMORY_USAGE_INFORMATION, *PJOBOBJECT_MEMORY_USAGE_INFORMATION; // private typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION_V2 { JOBOBJECT_MEMORY_USAGE_INFORMATION BasicInfo; ULONG64 JobSharedMemory; ULONG64 Reserved[2]; } JOBOBJECT_MEMORY_USAGE_INFORMATION_V2, *PJOBOBJECT_MEMORY_USAGE_INFORMATION_V2; // private typedef struct _SILO_USER_SHARED_DATA { ULONG ServiceSessionId; ULONG ActiveConsoleId; LONGLONG ConsoleSessionForegroundProcessId; NT_PRODUCT_TYPE NtProductType; ULONG SuiteMask; ULONG SharedUserSessionId; // since RS2 BOOLEAN IsMultiSessionSku; BOOLEAN IsStateSeparationEnabled; WCHAR NtSystemRoot[260]; USHORT UserModeGlobalLogger[16]; ULONG TimeZoneId; // since 21H2 LONG TimeZoneBiasStamp; KSYSTEM_TIME TimeZoneBias; LARGE_INTEGER TimeZoneBiasEffectiveStart; LARGE_INTEGER TimeZoneBiasEffectiveEnd; } SILO_USER_SHARED_DATA, *PSILO_USER_SHARED_DATA; // rev #define SILO_OBJECT_ROOT_DIRECTORY_SHADOW_ROOT 0x00000001 #define SILO_OBJECT_ROOT_DIRECTORY_INITIALIZE 0x00000002 #define SILO_OBJECT_ROOT_DIRECTORY_SHADOW_DOS_DEVICES 0x00000004 // private typedef struct _SILOOBJECT_ROOT_DIRECTORY { union { ULONG ControlFlags; // SILO_OBJECT_ROOT_DIRECTORY_* UNICODE_STRING Path; }; } SILOOBJECT_ROOT_DIRECTORY, *PSILOOBJECT_ROOT_DIRECTORY; // private typedef struct _SERVERSILO_INIT_INFORMATION { HANDLE DeleteEvent; BOOLEAN IsDownlevelContainer; } SERVERSILO_INIT_INFORMATION, *PSERVERSILO_INIT_INFORMATION; // private typedef struct _JOBOBJECT_ENERGY_TRACKING_STATE { ULONG64 Value; ULONG UpdateMask; ULONG DesiredState; } JOBOBJECT_ENERGY_TRACKING_STATE, *PJOBOBJECT_ENERGY_TRACKING_STATE; // private _Enum_is_bitflag_ typedef enum _JOBOBJECT_IO_PRIORITY_LIMIT_FLAGS { JOBOBJECT_IO_PRIORITY_LIMIT_ENABLE = 0x1, JOBOBJECT_IO_PRIORITY_LIMIT_VALID_FLAGS = 0x1, } JOBOBJECT_IO_PRIORITY_LIMIT_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(JOBOBJECT_IO_PRIORITY_LIMIT_FLAGS); // private typedef struct _JOBOBJECT_IO_PRIORITY_LIMIT { JOBOBJECT_IO_PRIORITY_LIMIT_FLAGS Flags; ULONG Priority; } JOBOBJECT_IO_PRIORITY_LIMIT, *PJOBOBJECT_IO_PRIORITY_LIMIT; // private _Enum_is_bitflag_ typedef enum _JOBOBJECT_PAGE_PRIORITY_LIMIT_FLAGS { JOBOBJECT_PAGE_PRIORITY_LIMIT_ENABLE = 0x1, JOBOBJECT_PAGE_PRIORITY_LIMIT_VALID_FLAGS = 0x1, } JOBOBJECT_PAGE_PRIORITY_LIMIT_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(JOBOBJECT_PAGE_PRIORITY_LIMIT_FLAGS); // private typedef struct _JOBOBJECT_PAGE_PRIORITY_LIMIT { JOBOBJECT_PAGE_PRIORITY_LIMIT_FLAGS Flags; ULONG Priority; } JOBOBJECT_PAGE_PRIORITY_LIMIT, *PJOBOBJECT_PAGE_PRIORITY_LIMIT; #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) // private typedef struct _SERVERSILO_DIAGNOSTIC_INFORMATION { NTSTATUS ExitStatus; WCHAR CriticalProcessName[15]; } SERVERSILO_DIAGNOSTIC_INFORMATION, *PSERVERSILO_DIAGNOSTIC_INFORMATION; // private typedef struct _JOBOBJECT_NETWORK_ACCOUNTING_INFORMATION { ULONG64 DataBytesIn; ULONG64 DataBytesOut; } JOBOBJECT_NETWORK_ACCOUNTING_INFORMATION, *PJOBOBJECT_NETWORK_ACCOUNTING_INFORMATION; #endif // !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) /** * Creates or opens a job object. * * \param JobHandle A handle to the job object. * \param DesiredAccess The access rights desired for the thread object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * Opens an existing job object. * * \param JobHandle A handle to the job object. * \param DesiredAccess The access rights desired for the thread object. * \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); /** * Assigns a process to an existing job object. * * \param JobHandle A handle to the job object to which the process will be associated. The handle must have the JOB_OBJECT_ASSIGN_PROCESS access right. * \param ProcessHandle A handle to the process to associate with the job object. The handle must have the PROCESS_SET_QUOTA and PROCESS_TERMINATE access rights. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAssignProcessToJobObject( _In_ HANDLE JobHandle, _In_ HANDLE ProcessHandle ); /** * Terminates all processes associated with the job object. If the job is nested, all processes currently associated with the job and all child jobs in the hierarchy are terminated. * * \param JobHandle A handle to the job whose processes will be terminated. The handle must have the JOB_OBJECT_TERMINATE access right. * \param ExitStatus The exit status to be used by all processes and threads in the job object. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtTerminateJobObject( _In_ HANDLE JobHandle, _In_ NTSTATUS ExitStatus ); /** * Checks if a process is associated with a job object. * * \param ProcessHandle A handle to the process to be checked. * \param JobHandle An optional handle to the job object. If this parameter is NULL, the function checks if the process is associated with any job object. * \return NTSTATUS Successful or errant status. * \remarks This function can be used to determine if a process is running within a job object, which can be useful for managing process resources and constraints. */ NTSYSCALLAPI NTSTATUS NTAPI NtIsProcessInJob( _In_ HANDLE ProcessHandle, _In_opt_ HANDLE JobHandle ); /** * Retrieves information about a job object. * * \param JobHandle An optional handle to the job object. If this parameter is NULL, the function retrieves information about the job object associated with the calling process. * \param JobObjectInformationClass The type of job object information to be retrieved. * \param JobObjectInformation A pointer to a buffer that receives the job object information. * \param JobObjectInformationLength The size of the buffer pointed to by the JobObjectInformation parameter. * \param ReturnLength An optional pointer to a variable that receives the size of the data returned. * \return NTSTATUS Successful or errant status. * \remarks This function can be used to query various types of information about a job object, such as accounting information, limit information, and process ID list. */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationJobObject( _In_opt_ HANDLE JobHandle, _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, _In_ ULONG JobObjectInformationLength, _Out_opt_ PULONG ReturnLength ); /** * Sets information for a job object. * * \param JobHandle A handle to the job object. * \param JobObjectInformationClass The type of job object information to be set. * \param JobObjectInformation A pointer to a buffer that contains the job object information. * \param JobObjectInformationLength The size of the buffer pointed to by the JobObjectInformation parameter. * \return NTSTATUS Successful or errant status. * \remarks This function can be used to set various types of information for a job object, such as limit information, UI restrictions, and security limit information. */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationJobObject( _In_ HANDLE JobHandle, _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, _In_ ULONG JobObjectInformationLength ); /** * Creates a set of job objects. * * \param NumJob The number of job objects in the set. * \param UserJobSet A pointer to an array of JOB_SET_ARRAY structures that specify the job objects in the set. * \param Flags Reserved for future use. Must be zero. * \return NTSTATUS Successful or errant status. * \remarks This function can be used to create a set of job objects, which can be useful for managing groups of related processes. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateJobSet( _In_ ULONG NumJob, _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet, _In_ ULONG Flags ); #if (PHNT_VERSION >= PHNT_WINDOWS_10) NTSYSCALLAPI NTSTATUS NTAPI NtRevertContainerImpersonation( VOID ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10) #endif // (PHNT_MODE != PHNT_MODE_KERNEL) // // Reserve objects // #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef enum _MEMORY_RESERVE_TYPE { MemoryReserveUserApc, MemoryReserveIoCompletion, MemoryReserveTypeMax } MEMORY_RESERVE_TYPE; /** * Allocates a memory reserve object. * * \param MemoryReserveHandle Pointer to a variable that receives the memory reserve object handle. * \param ObjectAttributes Pointer to an object attributes structure. * \param Type The type of memory reserve. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtAllocateReserveObject( _Out_ PHANDLE MemoryReserveHandle, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ MEMORY_RESERVE_TYPE Type ); // // Process snapshotting // // Capture/creation flags. _Enum_is_bitflag_ typedef enum _PSSNT_CAPTURE_FLAGS { PSSNT_CAPTURE_NONE = 0x00000000, PSSNT_CAPTURE_VA_CLONE = 0x00000001, PSSNT_CAPTURE_RESERVED_00000002 = 0x00000002, PSSNT_CAPTURE_HANDLES = 0x00000004, PSSNT_CAPTURE_HANDLE_NAME_INFORMATION = 0x00000008, PSSNT_CAPTURE_HANDLE_BASIC_INFORMATION = 0x00000010, PSSNT_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION = 0x00000020, PSSNT_CAPTURE_HANDLE_TRACE = 0x00000040, PSSNT_CAPTURE_THREADS = 0x00000080, PSSNT_CAPTURE_THREAD_CONTEXT = 0x00000100, PSSNT_CAPTURE_THREAD_CONTEXT_EXTENDED = 0x00000200, PSSNT_CAPTURE_RESERVED_00000400 = 0x00000400, PSSNT_CAPTURE_VA_SPACE = 0x00000800, PSSNT_CAPTURE_VA_SPACE_SECTION_INFORMATION = 0x00001000, PSSNT_CAPTURE_IPT_TRACE = 0x00002000, PSSNT_CAPTURE_RESERVED_00004000 = 0x00004000, PSSNT_CREATE_BREAKAWAY_OPTIONAL = 0x04000000, PSSNT_CREATE_BREAKAWAY = 0x08000000, PSSNT_CREATE_FORCE_BREAKAWAY = 0x10000000, PSSNT_CREATE_USE_VM_ALLOCATIONS = 0x20000000, PSSNT_CREATE_MEASURE_PERFORMANCE = 0x40000000, PSSNT_CREATE_RELEASE_SECTION = 0x80000000 } PSSNT_CAPTURE_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(PSSNT_CAPTURE_FLAGS); _Enum_is_bitflag_ typedef enum _PSSNT_DUPLICATE_FLAGS { PSSNT_DUPLICATE_NONE = 0x00, PSSNT_DUPLICATE_CLOSE_SOURCE = 0x01 } PSSNT_DUPLICATE_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(PSSNT_DUPLICATE_FLAGS); typedef enum _PSSNT_QUERY_INFORMATION_CLASS { PSSNT_QUERY_PROCESS_INFORMATION = 0, // PSS_PROCESS_INFORMATION PSSNT_QUERY_VA_CLONE_INFORMATION = 1, // PSS_VA_CLONE_INFORMATION PSSNT_QUERY_AUXILIARY_PAGES_INFORMATION = 2, // PSS_AUXILIARY_PAGES_INFORMATION PSSNT_QUERY_VA_SPACE_INFORMATION = 3, // PSS_VA_SPACE_INFORMATION PSSNT_QUERY_HANDLE_INFORMATION = 4, // PSS_HANDLE_INFORMATION PSSNT_QUERY_THREAD_INFORMATION = 5, // PSS_THREAD_INFORMATION PSSNT_QUERY_HANDLE_TRACE_INFORMATION = 6, // PSS_HANDLE_TRACE_INFORMATION PSSNT_QUERY_PERFORMANCE_COUNTERS = 7 // PSS_PERFORMANCE_COUNTERS } PSSNT_QUERY_INFORMATION_CLASS; #define PSSNT_SIGNATURE_PSSD 'PSSD' // 0x50535344 #if (PHNT_VERSION >= PHNT_WINDOWS_8_1) // rev /** * The PssNtCaptureSnapshot routine captures a snapshot of the specified process. * * \param SnapshotHandle Pointer to a variable that receives the snapshot handle. * \param ProcessHandle Handle to the process. * \param CaptureFlags Flags indicating what to capture. * \param ThreadContextFlags Optional flags for capturing thread context. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI PssNtCaptureSnapshot( _Out_ PHANDLE SnapshotHandle, _In_ HANDLE ProcessHandle, _In_ PSSNT_CAPTURE_FLAGS CaptureFlags, _In_opt_ ULONG ThreadContextFlags ); // rev /** * The PssNtDuplicateSnapshot routine duplicates a process snapshot from one process to another. * * \param SourceProcessHandle Handle to the source process. * \param SnapshotHandle Handle to the snapshot to duplicate. * \param TargetProcessHandle Handle to the target process. * \param TargetSnapshotHandle Pointer to a variable that receives the duplicated snapshot handle. * \param Flags Optional flags for duplication. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI PssNtDuplicateSnapshot( _In_ HANDLE SourceProcessHandle, _In_ HANDLE SnapshotHandle, _In_ HANDLE TargetProcessHandle, _Out_ PHANDLE TargetSnapshotHandle, _In_opt_ PSSNT_DUPLICATE_FLAGS Flags ); // rev /** * The PssNtFreeSnapshot routine frees a snapshot. * * \param SnapshotHandle Handle to the snapshot to free. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI PssNtFreeSnapshot( _In_ HANDLE SnapshotHandle ); // rev /** * The PssNtFreeRemoteSnapshot routine frees a remote process snapshot. * * \param ProcessHandle A handle to the process that contains the snapshot. The handle must have PROCESS_VM_READ, PROCESS_VM_OPERATION, and PROCESS_DUP_HANDLE rights. * \param SnapshotHandle Handle to the snapshot to free. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI PssNtFreeRemoteSnapshot( _In_ HANDLE ProcessHandle, _In_ HANDLE SnapshotHandle ); // rev /** * The PssNtQuerySnapshot routine queries information from the specified snapshot. * * \param SnapshotHandle Handle to the snapshot. * \param InformationClass The information class to query. * \param Buffer Pointer to a buffer that receives the queried information. * \param BufferLength Length of the buffer. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI PssNtQuerySnapshot( _In_ HANDLE SnapshotHandle, _In_ PSSNT_QUERY_INFORMATION_CLASS InformationClass, _Out_writes_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength ); // rev typedef struct _PSSNT_WALK_MARKER_INFO { ULONG Signature; // Win32: 0x4D575350 // 'PSSM' HANDLE SectionHandle; } PSSNT_WALK_MARKER_INFO, *PPSSNT_WALK_MARKER_INFO; // rev NTSYSAPI NTSTATUS NTAPI PssNtWalkSnapshot( _In_ HANDLE SnapshotHandle, _In_ ULONG InformationClass, _In_ HANDLE WalkMarkerHandle, _Out_writes_bytes_(BufferLength) PVOID Buffer, _In_ ULONG BufferLength ); // rev NTSYSAPI NTSTATUS NTAPI PssNtFreeWalkMarker( _Inout_ PHANDLE WalkMarkerHandle ); // rev NTSYSAPI NTSTATUS NTAPI PssNtValidateDescriptor( _In_ HANDLE SnapshotHandle, _In_opt_ PVOID ExceptionAddress ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8_1) // rev /** * Flag indicating the type of bulk information to query. */ #define MEMORY_BULK_INFORMATION_FLAG_BASIC 0x00000001 // rev /** * The NTPSS_MEMORY_BULK_INFORMATION structure is used to query basic memory information in bulk for a process. */ typedef struct _NTPSS_MEMORY_BULK_INFORMATION { ULONG QueryFlags; ULONG NumberOfEntries; PVOID NextValidAddress; } NTPSS_MEMORY_BULK_INFORMATION, *PNTPSS_MEMORY_BULK_INFORMATION; #if (PHNT_VERSION >= PHNT_WINDOWS_10_20H1) // rev /** * Captures virtual address space bulk information for a process. * * \param ProcessHandle Handle to the process. * \param BaseAddress Optional base address to start the capture. * \param BulkInformation Pointer to the memory bulk information structure. * \param BulkInformationLength Length of the memory bulk information structure. * \param ReturnLength Optional pointer to a variable that receives the length of the captured information. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtPssCaptureVaSpaceBulk( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ PNTPSS_MEMORY_BULK_INFORMATION BulkInformation, _In_ SIZE_T BulkInformationLength, _Out_opt_ PSIZE_T ReturnLength ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_20H1) #endif // (PHNT_MODE != PHNT_MODE_KERNEL) #endif // _NTPSAPI_H ================================================ FILE: phnt/include/ntregapi.h ================================================ [File too large to display: 52.9 KB] ================================================ FILE: phnt/include/ntrtl.h ================================================ [File too large to display: 332.3 KB] ================================================ FILE: phnt/include/ntsam.h ================================================ /* * Security Account Manager support functions * * This file is part of System Informer. */ #ifndef _NTSAM_H #define _NTSAM_H // // Types // #define SAM_MAXIMUM_LOOKUP_COUNT (1000) #define SAM_MAXIMUM_LOOKUP_LENGTH (32000) #define SAM_MAX_PASSWORD_LENGTH (256) #define SAM_PASSWORD_ENCRYPTION_SALT_LEN (16) typedef PVOID SAM_HANDLE, *PSAM_HANDLE; typedef ULONG SAM_ENUMERATE_HANDLE, *PSAM_ENUMERATE_HANDLE; typedef struct _SAM_RID_ENUMERATION { ULONG RelativeId; UNICODE_STRING Name; } SAM_RID_ENUMERATION, *PSAM_RID_ENUMERATION; typedef struct _SAM_SID_ENUMERATION { PSID Sid; UNICODE_STRING Name; } SAM_SID_ENUMERATION, *PSAM_SID_ENUMERATION; typedef struct _SAM_BYTE_ARRAY { ULONG Size; _Field_size_bytes_(Size) PUCHAR Data; } SAM_BYTE_ARRAY, *PSAM_BYTE_ARRAY; typedef struct _SAM_BYTE_ARRAY_32K { ULONG Size; _Field_size_bytes_(Size) PUCHAR Data; } SAM_BYTE_ARRAY_32K, *PSAM_BYTE_ARRAY_32K; typedef SAM_BYTE_ARRAY_32K SAM_SHELL_OBJECT_PROPERTIES, *PSAM_SHELL_OBJECT_PROPERTIES; // // Basic // NTSYSAPI NTSTATUS NTAPI SamFreeMemory( _In_ PVOID Buffer ); /** * The SamCloseHandle method closes (that is, releases server-side resources used by) any handle. * * \param SamHandle The object handle. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/55d134df-e257-48ad-8afa-cb2ca45cd3cc */ NTSYSAPI NTSTATUS NTAPI SamCloseHandle( _In_ SAM_HANDLE SamHandle ); NTSYSAPI NTSTATUS NTAPI SamSetSecurityObject( _In_ SAM_HANDLE ObjectHandle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); /** * The SamQuerySecurityObject method queries the access control on a server, domain, user, group, or alias object. * * \param ObjectHandle The "Domain", "User", "Group", or "Alias" object handle. * \param SecurityInformation A bit field that specifies which fields of SecurityDescriptor the client is requesting to be returned. * \param SecurityDescriptor A security descriptor expressing accesses that are specific to the ObjectHandle and the owner and group of the object. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/0ecf8fec-d17e-4a88-b7f1-e0f0f66790db */ NTSYSAPI NTSTATUS NTAPI SamQuerySecurityObject( _In_ SAM_HANDLE ObjectHandle, _In_ SECURITY_INFORMATION SecurityInformation, _Outptr_ PSECURITY_DESCRIPTOR *SecurityDescriptor ); /** * The SamRidToSid method obtains the SID of an account, given a RID. * * \param ObjectHandle The "Domain", "User", "Group", or "Alias" object handle. * \param Rid The RID of the object. * \param Sid The SID of the object referenced by Rid. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/00ff8192-a4f6-45ba-9f65-917e46b6a693 */ NTSYSAPI NTSTATUS NTAPI SamRidToSid( _In_ SAM_HANDLE ObjectHandle, _In_ ULONG Rid, _Outptr_ PSID *Sid ); NTSYSAPI NTSTATUS NTAPI SamQueryLapsManagedAccount( _In_ SAM_HANDLE ObjectHandle, _Outptr_ PSID *AccountSid ); // // Server // #define SAM_SERVER_CONNECT 0x0001 #define SAM_SERVER_SHUTDOWN 0x0002 #define SAM_SERVER_INITIALIZE 0x0004 #define SAM_SERVER_CREATE_DOMAIN 0x0008 #define SAM_SERVER_ENUMERATE_DOMAINS 0x0010 #define SAM_SERVER_LOOKUP_DOMAIN 0x0020 #define SAM_SERVER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ SAM_SERVER_CONNECT | \ SAM_SERVER_INITIALIZE | \ SAM_SERVER_CREATE_DOMAIN | \ SAM_SERVER_SHUTDOWN | \ SAM_SERVER_ENUMERATE_DOMAINS | \ SAM_SERVER_LOOKUP_DOMAIN) #define SAM_SERVER_READ (STANDARD_RIGHTS_READ | \ SAM_SERVER_ENUMERATE_DOMAINS) #define SAM_SERVER_WRITE (STANDARD_RIGHTS_WRITE | \ SAM_SERVER_INITIALIZE | \ SAM_SERVER_CREATE_DOMAIN | \ SAM_SERVER_SHUTDOWN) #define SAM_SERVER_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ SAM_SERVER_CONNECT | \ SAM_SERVER_LOOKUP_DOMAIN) typedef struct _RPC_AUTH_IDENTITY_HANDLE *PRPC_AUTH_IDENTITY_HANDLE; // // Functions // /** * The SamConnect method returns a handle to a server. * * \param ServerName The NETBIOS name of the server; this parameter MAY be ignored on receipt. * \param ServerHandle A handle representing a server. * \param DesiredAccess The access requested for ServerHandle upon output. * \param ObjectAttributes The OBJECT_ATTRIBUTES structure that specifies the properties of the server handle to be opened. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/47492d59-e095-4398-b03e-8a062b989123 */ NTSYSAPI NTSTATUS NTAPI SamConnect( _In_opt_ PCUNICODE_STRING ServerName, _Out_ PSAM_HANDLE ServerHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); NTSYSAPI NTSTATUS NTAPI SamConnectWithCreds( _In_ PCUNICODE_STRING ServerName, _Out_ PSAM_HANDLE ServerHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ PRPC_AUTH_IDENTITY_HANDLE Creds, _In_ PWCHAR Spn, _Out_ PBOOL DestinationIsWindows2K ); NTSYSAPI NTSTATUS NTAPI SamShutdownSamServer( _In_ SAM_HANDLE ServerHandle ); // // Domain // #define DOMAIN_READ_PASSWORD_PARAMETERS 0x0001 #define DOMAIN_WRITE_PASSWORD_PARAMS 0x0002 #define DOMAIN_READ_OTHER_PARAMETERS 0x0004 #define DOMAIN_WRITE_OTHER_PARAMETERS 0x0008 #define DOMAIN_CREATE_USER 0x0010 #define DOMAIN_CREATE_GROUP 0x0020 #define DOMAIN_CREATE_ALIAS 0x0040 #define DOMAIN_GET_ALIAS_MEMBERSHIP 0x0080 #define DOMAIN_LIST_ACCOUNTS 0x0100 #define DOMAIN_LOOKUP 0x0200 #define DOMAIN_ADMINISTER_SERVER 0x0400 #define DOMAIN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ DOMAIN_READ_OTHER_PARAMETERS | \ DOMAIN_WRITE_OTHER_PARAMETERS | \ DOMAIN_WRITE_PASSWORD_PARAMS | \ DOMAIN_CREATE_USER | \ DOMAIN_CREATE_GROUP | \ DOMAIN_CREATE_ALIAS | \ DOMAIN_GET_ALIAS_MEMBERSHIP | \ DOMAIN_LIST_ACCOUNTS | \ DOMAIN_READ_PASSWORD_PARAMETERS | \ DOMAIN_LOOKUP | \ DOMAIN_ADMINISTER_SERVER) #define DOMAIN_READ (STANDARD_RIGHTS_READ | \ DOMAIN_GET_ALIAS_MEMBERSHIP | \ DOMAIN_READ_OTHER_PARAMETERS) #define DOMAIN_WRITE (STANDARD_RIGHTS_WRITE | \ DOMAIN_WRITE_OTHER_PARAMETERS | \ DOMAIN_WRITE_PASSWORD_PARAMS | \ DOMAIN_CREATE_USER | \ DOMAIN_CREATE_GROUP | \ DOMAIN_CREATE_ALIAS | \ DOMAIN_ADMINISTER_SERVER) #define DOMAIN_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ DOMAIN_READ_PASSWORD_PARAMETERS | \ DOMAIN_LIST_ACCOUNTS | \ DOMAIN_LOOKUP) #define DOMAIN_PROMOTION_INCREMENT { 0x0, 0x10 } #define DOMAIN_PROMOTION_MASK { 0x0, 0xfffffff0 } // // SamQueryInformationDomain/SamSetInformationDomain types // typedef enum _DOMAIN_INFORMATION_CLASS { DomainPasswordInformation = 1, // qs: DOMAIN_PASSWORD_INFORMATION DomainGeneralInformation, // q: DOMAIN_GENERAL_INFORMATION DomainLogoffInformation, // qs: DOMAIN_LOGOFF_INFORMATION DomainOemInformation, // qs: DOMAIN_OEM_INFORMATION DomainNameInformation, // q: DOMAIN_NAME_INFORMATION DomainReplicationInformation, // qs: DOMAIN_REPLICATION_INFORMATION DomainServerRoleInformation, // qs: DOMAIN_SERVER_ROLE_INFORMATION DomainModifiedInformation, // q: DOMAIN_MODIFIED_INFORMATION DomainStateInformation, // qs: DOMAIN_STATE_INFORMATION DomainUasInformation, // qs: DOMAIN_UAS_INFORMATION DomainGeneralInformation2, // q: DOMAIN_GENERAL_INFORMATION2 DomainLockoutInformation, // qs: DOMAIN_LOCKOUT_INFORMATION DomainModifiedInformation2, // q: DOMAIN_MODIFIED_INFORMATION2 DomainMaxInformation } DOMAIN_INFORMATION_CLASS; typedef enum _DOMAIN_SERVER_ENABLE_STATE { DomainServerEnabled = 1, DomainServerDisabled } DOMAIN_SERVER_ENABLE_STATE, *PDOMAIN_SERVER_ENABLE_STATE; typedef enum _DOMAIN_SERVER_ROLE { DomainServerRoleBackup = 2, DomainServerRolePrimary } DOMAIN_SERVER_ROLE, *PDOMAIN_SERVER_ROLE; typedef struct _DOMAIN_GENERAL_INFORMATION { LARGE_INTEGER ForceLogoff; UNICODE_STRING OemInformation; UNICODE_STRING DomainName; UNICODE_STRING ReplicaSourceNodeName; LARGE_INTEGER DomainModifiedCount; DOMAIN_SERVER_ENABLE_STATE DomainServerState; DOMAIN_SERVER_ROLE DomainServerRole; BOOLEAN UasCompatibilityRequired; ULONG UserCount; ULONG GroupCount; ULONG AliasCount; } DOMAIN_GENERAL_INFORMATION, *PDOMAIN_GENERAL_INFORMATION; typedef struct _DOMAIN_GENERAL_INFORMATION2 { DOMAIN_GENERAL_INFORMATION I1; LARGE_INTEGER LockoutDuration; // delta time LARGE_INTEGER LockoutObservationWindow; // delta time USHORT LockoutThreshold; } DOMAIN_GENERAL_INFORMATION2, *PDOMAIN_GENERAL_INFORMATION2; typedef struct _DOMAIN_UAS_INFORMATION { BOOLEAN UasCompatibilityRequired; } DOMAIN_UAS_INFORMATION; #ifndef _DOMAIN_PASSWORD_INFORMATION_DEFINED // defined in ntsecapi.h #define _DOMAIN_PASSWORD_INFORMATION_DEFINED typedef struct _DOMAIN_PASSWORD_INFORMATION { USHORT MinPasswordLength; USHORT PasswordHistoryLength; ULONG PasswordProperties; LARGE_INTEGER MaxPasswordAge; LARGE_INTEGER MinPasswordAge; } DOMAIN_PASSWORD_INFORMATION, *PDOMAIN_PASSWORD_INFORMATION; // // PasswordProperties flags // #define DOMAIN_PASSWORD_COMPLEX 0x00000001L #define DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L #define DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L #define DOMAIN_LOCKOUT_ADMINS 0x00000008L #define DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L #define DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L #define DOMAIN_NO_LM_OWF_CHANGE 0x00000040L #endif // _DOMAIN_PASSWORD_INFORMATION_DEFINED typedef enum _DOMAIN_PASSWORD_CONSTRUCTION { DomainPasswordSimple = 1, DomainPasswordComplex } DOMAIN_PASSWORD_CONSTRUCTION; typedef struct _DOMAIN_LOGOFF_INFORMATION { LARGE_INTEGER ForceLogoff; } DOMAIN_LOGOFF_INFORMATION, *PDOMAIN_LOGOFF_INFORMATION; typedef struct _DOMAIN_OEM_INFORMATION { UNICODE_STRING OemInformation; } DOMAIN_OEM_INFORMATION, *PDOMAIN_OEM_INFORMATION; typedef struct _DOMAIN_NAME_INFORMATION { UNICODE_STRING DomainName; } DOMAIN_NAME_INFORMATION, *PDOMAIN_NAME_INFORMATION; typedef struct _DOMAIN_SERVER_ROLE_INFORMATION { DOMAIN_SERVER_ROLE DomainServerRole; } DOMAIN_SERVER_ROLE_INFORMATION, *PDOMAIN_SERVER_ROLE_INFORMATION; typedef struct _DOMAIN_REPLICATION_INFORMATION { UNICODE_STRING ReplicaSourceNodeName; } DOMAIN_REPLICATION_INFORMATION, *PDOMAIN_REPLICATION_INFORMATION; typedef struct _DOMAIN_MODIFIED_INFORMATION { LARGE_INTEGER DomainModifiedCount; LARGE_INTEGER CreationTime; } DOMAIN_MODIFIED_INFORMATION, *PDOMAIN_MODIFIED_INFORMATION; typedef struct _DOMAIN_MODIFIED_INFORMATION2 { LARGE_INTEGER DomainModifiedCount; LARGE_INTEGER CreationTime; LARGE_INTEGER ModifiedCountAtLastPromotion; } DOMAIN_MODIFIED_INFORMATION2, *PDOMAIN_MODIFIED_INFORMATION2; typedef struct _DOMAIN_STATE_INFORMATION { DOMAIN_SERVER_ENABLE_STATE DomainServerState; } DOMAIN_STATE_INFORMATION, *PDOMAIN_STATE_INFORMATION; typedef struct _DOMAIN_LOCKOUT_INFORMATION { LARGE_INTEGER LockoutDuration; // delta time LARGE_INTEGER LockoutObservationWindow; // delta time USHORT LockoutThreshold; // zero means no lockout } DOMAIN_LOCKOUT_INFORMATION, *PDOMAIN_LOCKOUT_INFORMATION; // // SamQueryDisplayInformation types // typedef enum _DOMAIN_DISPLAY_INFORMATION { DomainDisplayUser = 1, // DOMAIN_DISPLAY_USER DomainDisplayMachine, // DOMAIN_DISPLAY_MACHINE DomainDisplayGroup, // DOMAIN_DISPLAY_GROUP DomainDisplayOemUser, // DOMAIN_DISPLAY_OEM_USER DomainDisplayOemGroup, // DOMAIN_DISPLAY_OEM_GROUP DomainDisplayServer, // DOMAIN_DISPLAY_MACHINE DomainDisplayMax } DOMAIN_DISPLAY_INFORMATION, *PDOMAIN_DISPLAY_INFORMATION; typedef struct _DOMAIN_DISPLAY_USER { ULONG Index; ULONG Rid; ULONG AccountControl; UNICODE_STRING LogonName; UNICODE_STRING AdminComment; UNICODE_STRING FullName; } DOMAIN_DISPLAY_USER, *PDOMAIN_DISPLAY_USER; typedef struct _DOMAIN_DISPLAY_MACHINE { ULONG Index; ULONG Rid; ULONG AccountControl; UNICODE_STRING Machine; UNICODE_STRING Comment; } DOMAIN_DISPLAY_MACHINE, *PDOMAIN_DISPLAY_MACHINE; typedef struct _DOMAIN_DISPLAY_GROUP { ULONG Index; ULONG Rid; ULONG Attributes; UNICODE_STRING Group; UNICODE_STRING Comment; } DOMAIN_DISPLAY_GROUP, *PDOMAIN_DISPLAY_GROUP; typedef struct _DOMAIN_DISPLAY_OEM_USER { ULONG Index; OEM_STRING User; } DOMAIN_DISPLAY_OEM_USER, *PDOMAIN_DISPLAY_OEM_USER; typedef struct _DOMAIN_DISPLAY_OEM_GROUP { ULONG Index; OEM_STRING Group; } DOMAIN_DISPLAY_OEM_GROUP, *PDOMAIN_DISPLAY_OEM_GROUP; // // SamQueryLocalizableAccountsInDomain types // typedef enum _DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION { DomainLocalizableAccountsBasic = 1, } DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION, *PDOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION; typedef struct _DOMAIN_LOCALIZABLE_ACCOUNTS_ENTRY { ULONG Rid; SID_NAME_USE Use; UNICODE_STRING Name; UNICODE_STRING AdminComment; } DOMAIN_LOCALIZABLE_ACCOUNT_ENTRY, *PDOMAIN_LOCALIZABLE_ACCOUNT_ENTRY; typedef struct _DOMAIN_LOCALIZABLE_ACCOUNTS { ULONG Count; _Field_size_(Count) DOMAIN_LOCALIZABLE_ACCOUNT_ENTRY *Entries; } DOMAIN_LOCALIZABLE_ACCOUNTS_BASIC, *PDOMAIN_LOCALIZABLE_ACCOUNTS_BASIC; typedef union _DOMAIN_LOCALIZABLE_INFO_BUFFER { DOMAIN_LOCALIZABLE_ACCOUNTS_BASIC Basic; } DOMAIN_LOCALIZABLE_ACCOUNTS_INFO_BUFFER, *PDOMAIN_LOCALIZABLE_ACCOUNTS_INFO_BUFFER; // // Functions // /** * The SamLookupDomainInSamServer method obtains the SID of a domain, given the object's name. * * \param ServerHandle A handle representing a server. * \param Name A UTF-16 encoded string. * \param DomainId A SID value of a domain that corresponds to the Name. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/47492d59-e095-4398-b03e-8a062b989123 */ NTSYSAPI NTSTATUS NTAPI SamLookupDomainInSamServer( _In_ SAM_HANDLE ServerHandle, _In_ PCUNICODE_STRING Name, _Outptr_ PSID *DomainId ); /** * The SamEnumerateDomainsInSamServer method obtains a listing of all domains hosted by the server side of this protocol. * * \param ServerHandle A handle representing a server. * \param EnumerationContext An opaque value that the server can use to continue an enumeration on a subsequent call. * \param Buffer A listing of domain information. * \param PreferedMaximumLength The requested maximum number of bytes to return in Buffer. * \param CountReturned The count of domain elements returned in Buffer. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/2142fd2d-0854-42c1-a9fb-2fe964e381ce */ NTSYSAPI NTSTATUS NTAPI SamEnumerateDomainsInSamServer( _In_ SAM_HANDLE ServerHandle, _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, _Outptr_ PVOID *Buffer, // PSAM_SID_ENUMERATION *Buffer _In_ ULONG PreferedMaximumLength, _Out_ PULONG CountReturned ); /** * The SamOpenDomain method obtains a handle to a domain, given a SID. * * \param ServerHandle A handle representing a server. * \param DesiredAccess The desired access to the domain. * \param DomainId A SID value of a domain hosted by the server. * \param DomainHandle A handle to the requested domain. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/ba710c90-5b12-42f8-9e5a-d4aacc1329fa */ NTSYSAPI NTSTATUS NTAPI SamOpenDomain( _In_ SAM_HANDLE ServerHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PSID DomainId, _Out_ PSAM_HANDLE DomainHandle ); /** * The SamQueryInformationDomain method obtains attributes from a domain object. * * \param DomainHandle A handle representing a domain. * \param DomainInformationClass An enumeration indicating which attributes to return. * \param Buffer The requested attributes on output. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5d6a2817-caa9-41ca-a269-fd13ecbb4fa8 */ NTSYSAPI NTSTATUS NTAPI SamQueryInformationDomain( _In_ SAM_HANDLE DomainHandle, _In_ DOMAIN_INFORMATION_CLASS DomainInformationClass, _Outptr_ PVOID *Buffer ); /** * The SamSetInformationDomain method updates attributes of a domain object. * * \param DomainHandle A handle representing a domain. * \param DomainInformationClass An enumeration indicating which attributes to update. * \param Buffer The provided attributes on output. * \return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI SamSetInformationDomain( _In_ SAM_HANDLE DomainHandle, _In_ DOMAIN_INFORMATION_CLASS DomainInformationClass, _In_ PVOID Buffer ); /** * The SamLookupNamesInDomain method translates a set of account names into a set of RIDs. * * \param DomainHandle A handle representing a domain. * \param Count The number of elements in Names. * \param Names An array of strings that are to be mapped to RIDs. * \param RelativeIds An array of RIDs of accounts that correspond to the elements in Names. * \param Use An array of SID_NAME_USE enumeration values that describe the type of account for each entry in RelativeIds. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/d91271c6-7b2e-4194-9927-8fabfa429f90 */ NTSYSAPI NTSTATUS NTAPI SamLookupNamesInDomain( _In_ SAM_HANDLE DomainHandle, _In_ ULONG Count, _In_reads_(Count) PCUNICODE_STRING Names, _Out_ _Deref_post_count_(Count) PULONG *RelativeIds, _Out_ _Deref_post_count_(Count) PSID_NAME_USE *Use ); NTSYSAPI NTSTATUS NTAPI SamLookupNamesInDomain2( _In_ SAM_HANDLE DomainHandle, _In_ ULONG Count, _In_reads_(Count) PCUNICODE_STRING Names, _Out_ _Deref_post_count_(Count) PSID* Sids, _Out_ _Deref_post_count_(Count) PSID_NAME_USE* Use ); /** * The SamLookupIdsInDomain method translates a set of RIDs into account names. * * \param DomainHandle A handle representing a domain. * \param Count The number of elements in RelativeIds. * \param RelativeIds An array of RIDs that are to be mapped to account names. * \param Names An array of account names that correspond to the elements in RelativeIds. * \param Use An array of SID_NAME_USE enumeration values that describe the type of account for each entry in RelativeIds. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c870951c-74b3-4714-9857-224595ffc61a */ NTSYSAPI NTSTATUS NTAPI SamLookupIdsInDomain( _In_ SAM_HANDLE DomainHandle, _In_ ULONG Count, _In_reads_(Count) PULONG RelativeIds, _Out_ _Deref_post_count_(Count) PUNICODE_STRING *Names, _Out_ _Deref_post_opt_count_(Count) PSID_NAME_USE *Use ); /** * The SamRemoveMemberFromForeignDomain method removes a member from all aliases. * * \param DomainHandle A handle representing a domain. * \param MemberId The SID to remove from the membership. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/03afc843-584d-473b-834a-3f5a1ac86cce */ NTSYSAPI NTSTATUS NTAPI SamRemoveMemberFromForeignDomain( _In_ SAM_HANDLE DomainHandle, _In_ PSID MemberId ); NTSYSAPI NTSTATUS NTAPI SamQueryLocalizableAccountsInDomain( _In_ SAM_HANDLE Domain, _In_ ULONG Flags, _In_ ULONG LanguageId, _In_ DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION Class, _Outptr_ PVOID *Buffer ); // // Group // #define GROUP_READ_INFORMATION 0x0001 #define GROUP_WRITE_ACCOUNT 0x0002 #define GROUP_ADD_MEMBER 0x0004 #define GROUP_REMOVE_MEMBER 0x0008 #define GROUP_LIST_MEMBERS 0x0010 #define GROUP_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ GROUP_LIST_MEMBERS | \ GROUP_WRITE_ACCOUNT | \ GROUP_ADD_MEMBER | \ GROUP_REMOVE_MEMBER | \ GROUP_READ_INFORMATION) #define GROUP_READ (STANDARD_RIGHTS_READ | \ GROUP_LIST_MEMBERS) #define GROUP_WRITE (STANDARD_RIGHTS_WRITE | \ GROUP_WRITE_ACCOUNT | \ GROUP_ADD_MEMBER | \ GROUP_REMOVE_MEMBER) #define GROUP_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ GROUP_READ_INFORMATION) typedef struct _GROUP_MEMBERSHIP { ULONG RelativeId; ULONG Attributes; } GROUP_MEMBERSHIP, *PGROUP_MEMBERSHIP; // // SamQueryInformationGroup/SamSetInformationGroup types // typedef enum _GROUP_INFORMATION_CLASS { GroupGeneralInformation = 1, // q: GROUP_GENERAL_INFORMATION GroupNameInformation, // qs: GROUP_NAME_INFORMATION GroupAttributeInformation, // qs: GROUP_ATTRIBUTE_INFORMATION GroupAdminCommentInformation, // qs: GROUP_ADM_COMMENT_INFORMATION GroupReplicationInformation, // q: GROUP_REPLICATION_INFORMATION GroupMaxInformation } GROUP_INFORMATION_CLASS; typedef struct _GROUP_GENERAL_INFORMATION { UNICODE_STRING Name; ULONG Attributes; ULONG MemberCount; UNICODE_STRING AdminComment; } GROUP_GENERAL_INFORMATION, *PGROUP_GENERAL_INFORMATION; typedef struct _GROUP_NAME_INFORMATION { UNICODE_STRING Name; } GROUP_NAME_INFORMATION, *PGROUP_NAME_INFORMATION; typedef struct _GROUP_ATTRIBUTE_INFORMATION { ULONG Attributes; } GROUP_ATTRIBUTE_INFORMATION, *PGROUP_ATTRIBUTE_INFORMATION; typedef struct _GROUP_ADM_COMMENT_INFORMATION { UNICODE_STRING AdminComment; } GROUP_ADM_COMMENT_INFORMATION, *PGROUP_ADM_COMMENT_INFORMATION; typedef struct _GROUP_REPLICATION_INFORMATION { LARGE_INTEGER LastWriteTime; } GROUP_REPLICATION_INFORMATION, *PGROUP_REPLICATION_INFORMATION; // // Functions // /** * The SamEnumerateGroupsInDomain method enumerates all groups. * * \param DomainHandle A handle representing a domain. * \param EnumerationContext An opaque value that the server can use to continue an enumeration on a subsequent call. * \param Buffer A listing of group information. * \param PreferedMaximumLength The requested maximum number of bytes to return in Buffer. * \param CountReturned The count of domain elements returned in Buffer. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e0b7a4b7-ecfc-405f-9d7d-32b3cd2cd6c8 */ NTSYSAPI NTSTATUS NTAPI SamEnumerateGroupsInDomain( _In_ SAM_HANDLE DomainHandle, _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, _Outptr_ PVOID *Buffer, // PSAM_RID_ENUMERATION * _In_ ULONG PreferedMaximumLength, _Out_ PULONG CountReturned ); NTSYSAPI NTSTATUS NTAPI SamCreateGroupInDomain( _In_ SAM_HANDLE DomainHandle, _In_ PCUNICODE_STRING AccountName, _In_ ACCESS_MASK DesiredAccess, _Out_ PSAM_HANDLE GroupHandle, _Out_ PULONG RelativeId ); NTSYSAPI NTSTATUS NTAPI SamOpenGroup( _In_ SAM_HANDLE DomainHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG GroupId, _Out_ PSAM_HANDLE GroupHandle ); NTSYSAPI NTSTATUS NTAPI SamDeleteGroup( _In_ SAM_HANDLE GroupHandle ); NTSYSAPI NTSTATUS NTAPI SamQueryInformationGroup( _In_ SAM_HANDLE GroupHandle, _In_ GROUP_INFORMATION_CLASS GroupInformationClass, _Outptr_ PVOID *Buffer ); NTSYSAPI NTSTATUS NTAPI SamSetInformationGroup( _In_ SAM_HANDLE GroupHandle, _In_ GROUP_INFORMATION_CLASS GroupInformationClass, _In_ PVOID Buffer ); NTSYSAPI NTSTATUS NTAPI SamAddMemberToGroup( _In_ SAM_HANDLE GroupHandle, _In_ ULONG MemberId, _In_ ULONG Attributes ); NTSYSAPI NTSTATUS NTAPI SamRemoveMemberFromGroup( _In_ SAM_HANDLE GroupHandle, _In_ ULONG MemberId ); NTSYSAPI NTSTATUS NTAPI SamGetMembersInGroup( _In_ SAM_HANDLE GroupHandle, _Out_ _Deref_post_count_(*MemberCount) PULONG *MemberIds, _Out_ _Deref_post_count_(*MemberCount) PULONG *Attributes, _Out_ PULONG MemberCount ); NTSYSAPI NTSTATUS NTAPI SamSetMemberAttributesOfGroup( _In_ SAM_HANDLE GroupHandle, _In_ ULONG MemberId, _In_ ULONG Attributes ); // // Alias // #define ALIAS_ADD_MEMBER 0x0001 #define ALIAS_REMOVE_MEMBER 0x0002 #define ALIAS_LIST_MEMBERS 0x0004 #define ALIAS_READ_INFORMATION 0x0008 #define ALIAS_WRITE_ACCOUNT 0x0010 #define ALIAS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ ALIAS_READ_INFORMATION | \ ALIAS_WRITE_ACCOUNT | \ ALIAS_LIST_MEMBERS | \ ALIAS_ADD_MEMBER | \ ALIAS_REMOVE_MEMBER) #define ALIAS_READ (STANDARD_RIGHTS_READ | \ ALIAS_LIST_MEMBERS) #define ALIAS_WRITE (STANDARD_RIGHTS_WRITE | \ ALIAS_WRITE_ACCOUNT | \ ALIAS_ADD_MEMBER | \ ALIAS_REMOVE_MEMBER) #define ALIAS_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ ALIAS_READ_INFORMATION) // // SamQueryInformationAlias/SamSetInformationAlias types // typedef enum _ALIAS_INFORMATION_CLASS { AliasGeneralInformation = 1, // q: ALIAS_GENERAL_INFORMATION AliasNameInformation, // qs: ALIAS_NAME_INFORMATION AliasAdminCommentInformation, // qs: ALIAS_ADM_COMMENT_INFORMATION AliasReplicationInformation, // q: ALIAS_REPLICATION_INFORMATION AliasExtendedInformation, // q: ALIAS_EXTENDED_INFORMATION AliasMaxInformation } ALIAS_INFORMATION_CLASS; typedef struct _ALIAS_GENERAL_INFORMATION { UNICODE_STRING Name; ULONG MemberCount; UNICODE_STRING AdminComment; } ALIAS_GENERAL_INFORMATION, *PALIAS_GENERAL_INFORMATION; typedef struct _ALIAS_NAME_INFORMATION { UNICODE_STRING Name; } ALIAS_NAME_INFORMATION, *PALIAS_NAME_INFORMATION; typedef struct _ALIAS_ADM_COMMENT_INFORMATION { UNICODE_STRING AdminComment; } ALIAS_ADM_COMMENT_INFORMATION, *PALIAS_ADM_COMMENT_INFORMATION; typedef struct _ALIAS_REPLICATION_INFORMATION { LARGE_INTEGER LastWriteTime; } ALIAS_REPLICATION_INFORMATION, *PALIAS_REPLICATION_INFORMATION; #define ALIAS_ALL_NAME (0x00000001L) #define ALIAS_ALL_MEMBER_COUNT (0x00000002L) #define ALIAS_ALL_ADMIN_COMMENT (0x00000004L) #define ALIAS_ALL_SHELL_ADMIN_OBJECT_PROPERTIES (0x00000008L) typedef struct _ALIAS_EXTENDED_INFORMATION { ULONG WhichFields; SAM_SHELL_OBJECT_PROPERTIES ShellAdminObjectProperties; } ALIAS_EXTENDED_INFORMATION, *PALIAS_EXTENDED_INFORMATION; // // Functions // NTSYSAPI NTSTATUS NTAPI SamEnumerateAliasesInDomain( _In_ SAM_HANDLE DomainHandle, _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, _Outptr_ PVOID *Buffer, // PSAM_RID_ENUMERATION *Buffer _In_ ULONG PreferedMaximumLength, _Out_ PULONG CountReturned ); NTSYSAPI NTSTATUS NTAPI SamCreateAliasInDomain( _In_ SAM_HANDLE DomainHandle, _In_ PCUNICODE_STRING AccountName, _In_ ACCESS_MASK DesiredAccess, _Out_ PSAM_HANDLE AliasHandle, _Out_ PULONG RelativeId ); NTSYSAPI NTSTATUS NTAPI SamOpenAlias( _In_ SAM_HANDLE DomainHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG AliasId, _Out_ PSAM_HANDLE AliasHandle ); NTSYSAPI NTSTATUS NTAPI SamDeleteAlias( _In_ SAM_HANDLE AliasHandle ); NTSYSAPI NTSTATUS NTAPI SamQueryInformationAlias( _In_ SAM_HANDLE AliasHandle, _In_ ALIAS_INFORMATION_CLASS AliasInformationClass, _Outptr_ PVOID *Buffer ); NTSYSAPI NTSTATUS NTAPI SamSetInformationAlias( _In_ SAM_HANDLE AliasHandle, _In_ ALIAS_INFORMATION_CLASS AliasInformationClass, _In_ PVOID Buffer ); NTSYSAPI NTSTATUS NTAPI SamAddMemberToAlias( _In_ SAM_HANDLE AliasHandle, _In_ PSID MemberId ); NTSYSAPI NTSTATUS NTAPI SamAddMultipleMembersToAlias( _In_ SAM_HANDLE AliasHandle, _In_reads_(MemberCount) PSID *MemberIds, _In_ ULONG MemberCount ); NTSYSAPI NTSTATUS NTAPI SamRemoveMemberFromAlias( _In_ SAM_HANDLE AliasHandle, _In_ PSID MemberId ); NTSYSAPI NTSTATUS NTAPI SamRemoveMultipleMembersFromAlias( _In_ SAM_HANDLE AliasHandle, _In_reads_(MemberCount) PSID *MemberIds, _In_ ULONG MemberCount ); NTSYSAPI NTSTATUS NTAPI SamGetMembersInAlias( _In_ SAM_HANDLE AliasHandle, _Out_ _Deref_post_count_(*MemberCount) PSID **MemberIds, _Out_ PULONG MemberCount ); NTSYSAPI NTSTATUS NTAPI SamGetAliasMembership( _In_ SAM_HANDLE DomainHandle, _In_ ULONG PassedCount, _In_reads_(PassedCount) PSID *Sids, _Out_ PULONG MembershipCount, _Out_ _Deref_post_count_(*MembershipCount) PULONG *Aliases ); // // Group types // #define GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001 #define GROUP_TYPE_ACCOUNT_GROUP 0x00000002 #define GROUP_TYPE_RESOURCE_GROUP 0x00000004 #define GROUP_TYPE_UNIVERSAL_GROUP 0x00000008 #define GROUP_TYPE_APP_BASIC_GROUP 0x00000010 #define GROUP_TYPE_APP_QUERY_GROUP 0x00000020 #define GROUP_TYPE_SECURITY_ENABLED 0x80000000 #define GROUP_TYPE_RESOURCE_BEHAVOIR (GROUP_TYPE_RESOURCE_GROUP | \ GROUP_TYPE_APP_BASIC_GROUP | \ GROUP_TYPE_APP_QUERY_GROUP) // // User // #define USER_READ_GENERAL 0x0001 #define USER_READ_PREFERENCES 0x0002 #define USER_WRITE_PREFERENCES 0x0004 #define USER_READ_LOGON 0x0008 #define USER_READ_ACCOUNT 0x0010 #define USER_WRITE_ACCOUNT 0x0020 #define USER_CHANGE_PASSWORD 0x0040 #define USER_FORCE_PASSWORD_CHANGE 0x0080 #define USER_LIST_GROUPS 0x0100 #define USER_READ_GROUP_INFORMATION 0x0200 #define USER_WRITE_GROUP_INFORMATION 0x0400 #define USER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ USER_READ_PREFERENCES | \ USER_READ_LOGON | \ USER_LIST_GROUPS | \ USER_READ_GROUP_INFORMATION | \ USER_WRITE_PREFERENCES | \ USER_CHANGE_PASSWORD | \ USER_FORCE_PASSWORD_CHANGE | \ USER_READ_GENERAL | \ USER_READ_ACCOUNT | \ USER_WRITE_ACCOUNT | \ USER_WRITE_GROUP_INFORMATION) #define USER_READ (STANDARD_RIGHTS_READ | \ USER_READ_PREFERENCES | \ USER_READ_LOGON | \ USER_READ_ACCOUNT | \ USER_LIST_GROUPS | \ USER_READ_GROUP_INFORMATION) #define USER_WRITE (STANDARD_RIGHTS_WRITE | \ USER_WRITE_PREFERENCES | \ USER_CHANGE_PASSWORD) #define USER_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ USER_READ_GENERAL | \ USER_CHANGE_PASSWORD) // // User account control flags // #define USER_ACCOUNT_DISABLED (0x00000001) #define USER_HOME_DIRECTORY_REQUIRED (0x00000002) #define USER_PASSWORD_NOT_REQUIRED (0x00000004) #define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008) #define USER_NORMAL_ACCOUNT (0x00000010) #define USER_MNS_LOGON_ACCOUNT (0x00000020) #define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040) #define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080) #define USER_SERVER_TRUST_ACCOUNT (0x00000100) #define USER_DONT_EXPIRE_PASSWORD (0x00000200) #define USER_ACCOUNT_AUTO_LOCKED (0x00000400) #define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800) #define USER_SMARTCARD_REQUIRED (0x00001000) #define USER_TRUSTED_FOR_DELEGATION (0x00002000) #define USER_NOT_DELEGATED (0x00004000) #define USER_USE_DES_KEY_ONLY (0x00008000) #define USER_DONT_REQUIRE_PREAUTH (0x00010000) #define USER_PASSWORD_EXPIRED (0x00020000) #define USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (0x00040000) #define USER_NO_AUTH_DATA_REQUIRED (0x00080000) #define USER_PARTIAL_SECRETS_ACCOUNT (0x00100000) #define USER_USE_AES_KEYS (0x00200000) #define NEXT_FREE_ACCOUNT_CONTROL_BIT (USER_USE_AES_KEYS << 1) #define USER_MACHINE_ACCOUNT_MASK ( \ USER_INTERDOMAIN_TRUST_ACCOUNT | \ USER_WORKSTATION_TRUST_ACCOUNT | \ USER_SERVER_TRUST_ACCOUNT \ ) #define USER_ACCOUNT_TYPE_MASK ( \ USER_TEMP_DUPLICATE_ACCOUNT | \ USER_NORMAL_ACCOUNT | \ USER_MACHINE_ACCOUNT_MASK \ ) #define USER_COMPUTED_ACCOUNT_CONTROL_BITS ( \ USER_ACCOUNT_AUTO_LOCKED | \ USER_PASSWORD_EXPIRED \ ) // Logon times may be expressed in day, hour, or minute granularity. #define SAM_DAYS_PER_WEEK (7) #define SAM_HOURS_PER_WEEK (24 * SAM_DAYS_PER_WEEK) #define SAM_MINUTES_PER_WEEK (60 * SAM_HOURS_PER_WEEK) typedef struct _LOGON_HOURS { USHORT UnitsPerWeek; // UnitsPerWeek is the number of equal length time units the week is // divided into. This value is used to compute the length of the bit // string in logon_hours. Must be less than or equal to // SAM_UNITS_PER_WEEK (10080) for this release. // // LogonHours is a bit map of valid logon times. Each bit represents // a unique division in a week. The largest bit map supported is 1260 // bytes (10080 bits), which represents minutes per week. In this case // the first bit (bit 0, byte 0) is Sunday, 00:00:00 - 00-00:59; bit 1, // byte 0 is Sunday, 00:01:00 - 00:01:59, etc. A NULL pointer means // DONT_CHANGE for SamSetInformationUser() calls. PUCHAR LogonHours; } LOGON_HOURS, *PLOGON_HOURS; /** * The SR_SECURITY_DESCRIPTOR structure contains information about the security privileges of the user. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-sr_security_descriptor */ typedef struct _SR_SECURITY_DESCRIPTOR { ULONG Length; // Indicates the size in bytes of the structure. PUCHAR SecurityDescriptor; // Indicates the user's security privileges. } SR_SECURITY_DESCRIPTOR, *PSR_SECURITY_DESCRIPTOR; // // SamQueryInformationUser/SamSetInformationUser types // typedef enum _USER_INFORMATION_CLASS { UserGeneralInformation = 1, // q: USER_GENERAL_INFORMATION UserPreferencesInformation, // qs: USER_PREFERENCES_INFORMATION UserLogonInformation, // q: USER_LOGON_INFORMATION UserLogonHoursInformation, // qs: USER_LOGON_HOURS_INFORMATION UserAccountInformation, // q: USER_ACCOUNT_INFORMATION UserNameInformation, // qs: USER_NAME_INFORMATION UserAccountNameInformation, // qs: USER_ACCOUNT_NAME_INFORMATION UserFullNameInformation, // qs: USER_FULL_NAME_INFORMATION UserPrimaryGroupInformation, // qs: USER_PRIMARY_GROUP_INFORMATION UserHomeInformation, // qs: USER_HOME_INFORMATION // 10 UserScriptInformation, // qs: USER_SCRIPT_INFORMATION UserProfileInformation, // qs: USER_PROFILE_INFORMATION UserAdminCommentInformation, // qs: USER_ADMIN_COMMENT_INFORMATION UserWorkStationsInformation, // qs: USER_WORKSTATIONS_INFORMATION UserSetPasswordInformation, // s: USER_SET_PASSWORD_INFORMATION UserControlInformation, // qs: USER_CONTROL_INFORMATION UserExpiresInformation, // qs: USER_EXPIRES_INFORMATION UserInternal1Information, // qs: USER_INTERNAL1_INFORMATION UserInternal2Information, // qs: USER_INTERNAL2_INFORMATION UserParametersInformation, // qs: USER_PARAMETERS_INFORMATION // 20 UserAllInformation, // qs: USER_ALL_INFORMATION UserInternal3Information, // qs: USER_INTERNAL3_INFORMATION UserInternal4Information, // qs: USER_INTERNAL4_INFORMATION UserInternal5Information, // qs: USER_INTERNAL5_INFORMATION UserInternal4InformationNew, // qs: USER_INTERNAL4_INFORMATION_NEW UserInternal5InformationNew, // qs: USER_INTERNAL5_INFORMATION_NEW UserInternal6Information, // qs: USER_INTERNAL6_INFORMATION UserExtendedInformation, // qs: USER_EXTENDED_INFORMATION UserLogonUIInformation, // q: USER_LOGON_UI_INFORMATION // since VISTA UserAuthInformation, // qs: USER_AUTH_INFORMATION // since WIN10 // 30 UserInternal7Information, // qs: USER_INTERNAL7_INFORMATION // since 20H1 UserInternal8Information, // qs: USER_INTERNAL8_INFORMATION UserMaxInformation } USER_INFORMATION_CLASS, *PUSER_INFORMATION_CLASS; typedef struct _USER_GENERAL_INFORMATION { UNICODE_STRING UserName; UNICODE_STRING FullName; ULONG PrimaryGroupId; UNICODE_STRING AdminComment; UNICODE_STRING UserComment; } USER_GENERAL_INFORMATION, *PUSER_GENERAL_INFORMATION; typedef struct _USER_PREFERENCES_INFORMATION { UNICODE_STRING UserComment; UNICODE_STRING Reserved1; USHORT CountryCode; USHORT CodePage; } USER_PREFERENCES_INFORMATION, *PUSER_PREFERENCES_INFORMATION; typedef struct _USER_LOGON_INFORMATION { UNICODE_STRING UserName; UNICODE_STRING FullName; ULONG UserId; ULONG PrimaryGroupId; UNICODE_STRING HomeDirectory; UNICODE_STRING HomeDirectoryDrive; UNICODE_STRING ScriptPath; UNICODE_STRING ProfilePath; UNICODE_STRING WorkStations; LARGE_INTEGER LastLogon; LARGE_INTEGER LastLogoff; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER PasswordCanChange; LARGE_INTEGER PasswordMustChange; LOGON_HOURS LogonHours; USHORT BadPasswordCount; USHORT LogonCount; ULONG UserAccountControl; } USER_LOGON_INFORMATION, *PUSER_LOGON_INFORMATION; typedef struct _USER_LOGON_HOURS_INFORMATION { LOGON_HOURS LogonHours; } USER_LOGON_HOURS_INFORMATION, *PUSER_LOGON_HOURS_INFORMATION; typedef struct _USER_ACCOUNT_INFORMATION { UNICODE_STRING UserName; UNICODE_STRING FullName; ULONG UserId; ULONG PrimaryGroupId; UNICODE_STRING HomeDirectory; UNICODE_STRING HomeDirectoryDrive; UNICODE_STRING ScriptPath; UNICODE_STRING ProfilePath; UNICODE_STRING AdminComment; UNICODE_STRING WorkStations; LARGE_INTEGER LastLogon; LARGE_INTEGER LastLogoff; LOGON_HOURS LogonHours; USHORT BadPasswordCount; USHORT LogonCount; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER AccountExpires; ULONG UserAccountControl; } USER_ACCOUNT_INFORMATION, *PUSER_ACCOUNT_INFORMATION; typedef struct _USER_NAME_INFORMATION { UNICODE_STRING UserName; UNICODE_STRING FullName; } USER_NAME_INFORMATION, *PUSER_NAME_INFORMATION; typedef struct _USER_ACCOUNT_NAME_INFORMATION { UNICODE_STRING UserName; } USER_ACCOUNT_NAME_INFORMATION, *PUSER_ACCOUNT_NAME_INFORMATION; typedef struct _USER_FULL_NAME_INFORMATION { UNICODE_STRING FullName; } USER_FULL_NAME_INFORMATION, *PUSER_FULL_NAME_INFORMATION; typedef struct _USER_PRIMARY_GROUP_INFORMATION { ULONG PrimaryGroupId; } USER_PRIMARY_GROUP_INFORMATION, *PUSER_PRIMARY_GROUP_INFORMATION; typedef struct _USER_HOME_INFORMATION { UNICODE_STRING HomeDirectory; UNICODE_STRING HomeDirectoryDrive; } USER_HOME_INFORMATION, *PUSER_HOME_INFORMATION; typedef struct _USER_SCRIPT_INFORMATION { UNICODE_STRING ScriptPath; } USER_SCRIPT_INFORMATION, *PUSER_SCRIPT_INFORMATION; typedef struct _USER_PROFILE_INFORMATION { UNICODE_STRING ProfilePath; } USER_PROFILE_INFORMATION, *PUSER_PROFILE_INFORMATION; typedef struct _USER_ADMIN_COMMENT_INFORMATION { UNICODE_STRING AdminComment; } USER_ADMIN_COMMENT_INFORMATION, *PUSER_ADMIN_COMMENT_INFORMATION; typedef struct _USER_WORKSTATIONS_INFORMATION { UNICODE_STRING WorkStations; } USER_WORKSTATIONS_INFORMATION, *PUSER_WORKSTATIONS_INFORMATION; typedef struct _USER_SET_PASSWORD_INFORMATION { UNICODE_STRING Password; BOOLEAN PasswordExpired; } USER_SET_PASSWORD_INFORMATION, *PUSER_SET_PASSWORD_INFORMATION; typedef struct _USER_CONTROL_INFORMATION { ULONG UserAccountControl; } USER_CONTROL_INFORMATION, *PUSER_CONTROL_INFORMATION; typedef struct _USER_EXPIRES_INFORMATION { LARGE_INTEGER AccountExpires; } USER_EXPIRES_INFORMATION, *PUSER_EXPIRES_INFORMATION; #define CYPHER_BLOCK_LENGTH 8 typedef struct _CYPHER_BLOCK { CHAR data[CYPHER_BLOCK_LENGTH]; } CYPHER_BLOCK, *PCYPHER_BLOCK; typedef struct _ENCRYPTED_NT_OWF_PASSWORD { CYPHER_BLOCK data[2]; } ENCRYPTED_NT_OWF_PASSWORD, *PENCRYPTED_NT_OWF_PASSWORD; typedef struct _ENCRYPTED_LM_OWF_PASSWORD { CYPHER_BLOCK data[2]; } ENCRYPTED_LM_OWF_PASSWORD, *PENCRYPTED_LM_OWF_PASSWORD; typedef struct _USER_INTERNAL1_INFORMATION { ENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword; ENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword; BOOLEAN NtPasswordPresent; BOOLEAN LmPasswordPresent; BOOLEAN PasswordExpired; } USER_INTERNAL1_INFORMATION, *PUSER_INTERNAL1_INFORMATION; typedef struct _USER_INTERNAL2_INFORMATION { ULONG StatisticsToApply; LARGE_INTEGER LastLogon; LARGE_INTEGER LastLogoff; USHORT BadPasswordCount; USHORT LogonCount; } USER_INTERNAL2_INFORMATION, *PUSER_INTERNAL2_INFORMATION; typedef struct _USER_PARAMETERS_INFORMATION { UNICODE_STRING Parameters; } USER_PARAMETERS_INFORMATION, *PUSER_PARAMETERS_INFORMATION; // // Flags for WhichFields in USER_ALL_INFORMATION // #define USER_ALL_USERNAME 0x00000001 #define USER_ALL_FULLNAME 0x00000002 #define USER_ALL_USERID 0x00000004 #define USER_ALL_PRIMARYGROUPID 0x00000008 #define USER_ALL_ADMINCOMMENT 0x00000010 #define USER_ALL_USERCOMMENT 0x00000020 #define USER_ALL_HOMEDIRECTORY 0x00000040 #define USER_ALL_HOMEDIRECTORYDRIVE 0x00000080 #define USER_ALL_SCRIPTPATH 0x00000100 #define USER_ALL_PROFILEPATH 0x00000200 #define USER_ALL_WORKSTATIONS 0x00000400 #define USER_ALL_LASTLOGON 0x00000800 #define USER_ALL_LASTLOGOFF 0x00001000 #define USER_ALL_LOGONHOURS 0x00002000 #define USER_ALL_BADPASSWORDCOUNT 0x00004000 #define USER_ALL_LOGONCOUNT 0x00008000 #define USER_ALL_PASSWORDCANCHANGE 0x00010000 #define USER_ALL_PASSWORDMUSTCHANGE 0x00020000 #define USER_ALL_PASSWORDLASTSET 0x00040000 #define USER_ALL_ACCOUNTEXPIRES 0x00080000 #define USER_ALL_USERACCOUNTCONTROL 0x00100000 #define USER_ALL_PARAMETERS 0x00200000 #define USER_ALL_COUNTRYCODE 0x00400000 #define USER_ALL_CODEPAGE 0x00800000 #define USER_ALL_NTPASSWORDPRESENT 0x01000000 // field AND boolean #define USER_ALL_LMPASSWORDPRESENT 0x02000000 // field AND boolean #define USER_ALL_PRIVATEDATA 0x04000000 // field AND boolean #define USER_ALL_PASSWORDEXPIRED 0x08000000 #define USER_ALL_SECURITYDESCRIPTOR 0x10000000 #define USER_ALL_OWFPASSWORD 0x20000000 // boolean #define USER_ALL_UNDEFINED_MASK 0xc0000000 // Fields that require USER_READ_GENERAL access to read. #define USER_ALL_READ_GENERAL_MASK \ (USER_ALL_USERNAME | \ USER_ALL_FULLNAME | \ USER_ALL_USERID | \ USER_ALL_PRIMARYGROUPID | \ USER_ALL_ADMINCOMMENT | \ USER_ALL_USERCOMMENT) // Fields that require USER_READ_LOGON access to read. #define USER_ALL_READ_LOGON_MASK \ (USER_ALL_HOMEDIRECTORY | \ USER_ALL_HOMEDIRECTORYDRIVE | \ USER_ALL_SCRIPTPATH | \ USER_ALL_PROFILEPATH | \ USER_ALL_WORKSTATIONS | \ USER_ALL_LASTLOGON | \ USER_ALL_LASTLOGOFF | \ USER_ALL_LOGONHOURS | \ USER_ALL_BADPASSWORDCOUNT | \ USER_ALL_LOGONCOUNT | \ USER_ALL_PASSWORDCANCHANGE | \ USER_ALL_PASSWORDMUSTCHANGE) // Fields that require USER_READ_ACCOUNT access to read. #define USER_ALL_READ_ACCOUNT_MASK \ (USER_ALL_PASSWORDLASTSET | \ USER_ALL_ACCOUNTEXPIRES | \ USER_ALL_USERACCOUNTCONTROL | \ USER_ALL_PARAMETERS) // Fields that require USER_READ_PREFERENCES access to read. #define USER_ALL_READ_PREFERENCES_MASK \ (USER_ALL_COUNTRYCODE | USER_ALL_CODEPAGE) // Fields that can only be read by trusted clients. #define USER_ALL_READ_TRUSTED_MASK \ (USER_ALL_NTPASSWORDPRESENT | \ USER_ALL_LMPASSWORDPRESENT | \ USER_ALL_PASSWORDEXPIRED | \ USER_ALL_SECURITYDESCRIPTOR | \ USER_ALL_PRIVATEDATA) // Fields that can't be read. #define USER_ALL_READ_CANT_MASK USER_ALL_UNDEFINED_MASK // Fields that require USER_WRITE_ACCOUNT access to write. #define USER_ALL_WRITE_ACCOUNT_MASK \ (USER_ALL_USERNAME | \ USER_ALL_FULLNAME | \ USER_ALL_PRIMARYGROUPID | \ USER_ALL_HOMEDIRECTORY | \ USER_ALL_HOMEDIRECTORYDRIVE | \ USER_ALL_SCRIPTPATH | \ USER_ALL_PROFILEPATH | \ USER_ALL_ADMINCOMMENT | \ USER_ALL_WORKSTATIONS | \ USER_ALL_LOGONHOURS | \ USER_ALL_ACCOUNTEXPIRES | \ USER_ALL_USERACCOUNTCONTROL | \ USER_ALL_PARAMETERS) // Fields that require USER_WRITE_PREFERENCES access to write. #define USER_ALL_WRITE_PREFERENCES_MASK \ (USER_ALL_USERCOMMENT | USER_ALL_COUNTRYCODE | USER_ALL_CODEPAGE) // Fields that require USER_FORCE_PASSWORD_CHANGE access to write. // // Note that non-trusted clients only set the NT password as a // UNICODE string. The wrapper will convert it to an LM password, // OWF and encrypt both versions. Trusted clients can pass in OWF // versions of either or both. #define USER_ALL_WRITE_FORCE_PASSWORD_CHANGE_MASK \ (USER_ALL_NTPASSWORDPRESENT | \ USER_ALL_LMPASSWORDPRESENT | \ USER_ALL_PASSWORDEXPIRED) // Fields that can only be written by trusted clients. #define USER_ALL_WRITE_TRUSTED_MASK \ (USER_ALL_LASTLOGON | \ USER_ALL_LASTLOGOFF | \ USER_ALL_BADPASSWORDCOUNT | \ USER_ALL_LOGONCOUNT | \ USER_ALL_PASSWORDLASTSET | \ USER_ALL_SECURITYDESCRIPTOR | \ USER_ALL_PRIVATEDATA) // Fields that can't be written. #define USER_ALL_WRITE_CANT_MASK \ (USER_ALL_USERID | \ USER_ALL_PASSWORDCANCHANGE | \ USER_ALL_PASSWORDMUSTCHANGE | \ USER_ALL_UNDEFINED_MASK) typedef struct _USER_ALL_INFORMATION { LARGE_INTEGER LastLogon; LARGE_INTEGER LastLogoff; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER AccountExpires; LARGE_INTEGER PasswordCanChange; LARGE_INTEGER PasswordMustChange; UNICODE_STRING UserName; UNICODE_STRING FullName; UNICODE_STRING HomeDirectory; UNICODE_STRING HomeDirectoryDrive; UNICODE_STRING ScriptPath; UNICODE_STRING ProfilePath; UNICODE_STRING AdminComment; UNICODE_STRING WorkStations; UNICODE_STRING UserComment; UNICODE_STRING Parameters; UNICODE_STRING LmPassword; UNICODE_STRING NtPassword; UNICODE_STRING PrivateData; SR_SECURITY_DESCRIPTOR SecurityDescriptor; ULONG UserId; ULONG PrimaryGroupId; ULONG UserAccountControl; ULONG WhichFields; LOGON_HOURS LogonHours; USHORT BadPasswordCount; USHORT LogonCount; USHORT CountryCode; USHORT CodePage; BOOLEAN LmPasswordPresent; BOOLEAN NtPasswordPresent; BOOLEAN PasswordExpired; BOOLEAN PrivateDataSensitive; } USER_ALL_INFORMATION, *PUSER_ALL_INFORMATION; typedef struct _USER_INTERNAL3_INFORMATION { USER_ALL_INFORMATION I1; LARGE_INTEGER LastBadPasswordTime; } USER_INTERNAL3_INFORMATION, *PUSER_INTERNAL3_INFORMATION; typedef struct _ENCRYPTED_USER_PASSWORD { UCHAR Buffer[(SAM_MAX_PASSWORD_LENGTH * 2) + 4]; } ENCRYPTED_USER_PASSWORD, *PENCRYPTED_USER_PASSWORD; typedef struct _USER_INTERNAL4_INFORMATION { USER_ALL_INFORMATION I1; ENCRYPTED_USER_PASSWORD UserPassword; } USER_INTERNAL4_INFORMATION, *PUSER_INTERNAL4_INFORMATION; typedef struct _USER_INTERNAL5_INFORMATION { ENCRYPTED_USER_PASSWORD UserPassword; BOOLEAN PasswordExpired; } USER_INTERNAL5_INFORMATION, *PUSER_INTERNAL5_INFORMATION; typedef struct _ENCRYPTED_USER_PASSWORD_NEW { UCHAR Buffer[(SAM_MAX_PASSWORD_LENGTH * 2) + 4 + SAM_PASSWORD_ENCRYPTION_SALT_LEN]; } ENCRYPTED_USER_PASSWORD_NEW, *PENCRYPTED_USER_PASSWORD_NEW; typedef struct _USER_INTERNAL4_INFORMATION_NEW { USER_ALL_INFORMATION I1; ENCRYPTED_USER_PASSWORD_NEW UserPassword; } USER_INTERNAL4_INFORMATION_NEW, *PUSER_INTERNAL4_INFORMATION_NEW; typedef struct _USER_INTERNAL5_INFORMATION_NEW { ENCRYPTED_USER_PASSWORD_NEW UserPassword; BOOLEAN PasswordExpired; } USER_INTERNAL5_INFORMATION_NEW, *PUSER_INTERNAL5_INFORMATION_NEW; typedef struct _USER_ALLOWED_TO_DELEGATE_TO_LIST { ULONG Size; ULONG NumSPNs; UNICODE_STRING SPNList[ANYSIZE_ARRAY]; } USER_ALLOWED_TO_DELEGATE_TO_LIST, *PUSER_ALLOWED_TO_DELEGATE_TO_LIST; #define USER_EXTENDED_FIELD_UPN 0x00000001L #define USER_EXTENDED_FIELD_A2D2 0x00000002L typedef struct _USER_INTERNAL6_INFORMATION { USER_ALL_INFORMATION I1; LARGE_INTEGER LastBadPasswordTime; ULONG ExtendedFields; BOOLEAN UPNDefaulted; UNICODE_STRING UPN; PUSER_ALLOWED_TO_DELEGATE_TO_LIST A2D2List; } USER_INTERNAL6_INFORMATION, *PUSER_INTERNAL6_INFORMATION; typedef SAM_BYTE_ARRAY_32K SAM_USER_TILE, *PSAM_USER_TILE; // 0xff000fff is reserved for internal callers and implementation. #define USER_EXTENDED_FIELD_USER_TILE (0x00001000L) #define USER_EXTENDED_FIELD_PASSWORD_HINT (0x00002000L) #define USER_EXTENDED_FIELD_DONT_SHOW_IN_LOGON_UI (0x00004000L) #define USER_EXTENDED_FIELD_SHELL_ADMIN_OBJECT_PROPERTIES (0x00008000L) typedef struct _USER_EXTENDED_INFORMATION { ULONG ExtendedWhichFields; SAM_USER_TILE UserTile; UNICODE_STRING PasswordHint; BOOLEAN DontShowInLogonUI; SAM_SHELL_OBJECT_PROPERTIES ShellAdminObjectProperties; } USER_EXTENDED_INFORMATION, *PUSER_EXTENDED_INFORMATION; // For local callers only. typedef struct _USER_LOGON_UI_INFORMATION { BOOLEAN PasswordIsBlank; BOOLEAN AccountIsDisabled; } USER_LOGON_UI_INFORMATION, *PUSER_LOGON_UI_INFORMATION; typedef struct _USER_AUTH_INFORMATION { SAM_BYTE_ARRAY_32K AuthData; } USER_AUTH_INFORMATION, *PUSER_AUTH_INFORMATION; typedef struct _ENCRYPTED_PASSWORD_AES { UCHAR AuthData[64]; UCHAR Salt[SAM_PASSWORD_ENCRYPTION_SALT_LEN]; ULONG cbCipher; PUCHAR Cipher; ULONGLONG PBKDF2Iterations; } ENCRYPTED_PASSWORD_AES, *PENCRYPTED_PASSWORD_AES; typedef struct _USER_INTERNAL7_INFORMATION { ENCRYPTED_PASSWORD_AES UserPassword; BOOLEAN PasswordExpired; } USER_INTERNAL7_INFORMATION, *PUSER_INTERNAL7_INFORMATION; typedef struct _USER_INTERNAL8_INFORMATION { USER_ALL_INFORMATION I1; ENCRYPTED_PASSWORD_AES UserPassword; } USER_INTERNAL8_INFORMATION, *PUSER_INTERNAL8_INFORMATION; // SamChangePasswordUser3 types // Error values: // * SAM_PWD_CHANGE_NO_ERROR // * SAM_PWD_CHANGE_PASSWORD_TOO_SHORT // * SAM_PWD_CHANGE_PWD_IN_HISTORY // * SAM_PWD_CHANGE_USERNAME_IN_PASSWORD // * SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD // * SAM_PWD_CHANGE_MACHINE_PASSWORD_NOT_DEFAULT // * SAM_PWD_CHANGE_FAILED_BY_FILTER typedef struct _USER_PWD_CHANGE_FAILURE_INFORMATION { ULONG ExtendedFailureReason; UNICODE_STRING FilterModuleName; } USER_PWD_CHANGE_FAILURE_INFORMATION, *PUSER_PWD_CHANGE_FAILURE_INFORMATION; // // ExtendedFailureReason values // #define SAM_PWD_CHANGE_NO_ERROR 0 #define SAM_PWD_CHANGE_PASSWORD_TOO_SHORT 1 #define SAM_PWD_CHANGE_PWD_IN_HISTORY 2 #define SAM_PWD_CHANGE_USERNAME_IN_PASSWORD 3 #define SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD 4 #define SAM_PWD_CHANGE_NOT_COMPLEX 5 #define SAM_PWD_CHANGE_MACHINE_PASSWORD_NOT_DEFAULT 6 #define SAM_PWD_CHANGE_FAILED_BY_FILTER 7 #define SAM_PWD_CHANGE_PASSWORD_TOO_LONG 8 #define SAM_PWD_CHANGE_FAILURE_REASON_MAX 8 // // Functions // NTSYSAPI NTSTATUS NTAPI SamEnumerateUsersInDomain( _In_ SAM_HANDLE DomainHandle, _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, _In_ ULONG UserAccountControl, _Outptr_ PVOID *Buffer, // PSAM_RID_ENUMERATION * _In_ ULONG PreferedMaximumLength, _Out_ PULONG CountReturned ); // rev NTSYSAPI NTSTATUS NTAPI SamEnumerateUsersInDomain2( _In_ SAM_HANDLE DomainHandle, _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, _In_ ULONG UserAccountControl, _In_ ULONG Flags, _Outptr_ PVOID *Buffer, // PSAM_RID_ENUMERATION * _In_ ULONG PreferedMaximumLength, _Out_ PULONG CountReturned ); NTSYSAPI NTSTATUS NTAPI SamCreateUserInDomain( _In_ SAM_HANDLE DomainHandle, _In_ PCUNICODE_STRING AccountName, _In_ ACCESS_MASK DesiredAccess, _Out_ PSAM_HANDLE UserHandle, _Out_ PULONG RelativeId ); NTSYSAPI NTSTATUS NTAPI SamCreateUser2InDomain( _In_ SAM_HANDLE DomainHandle, _In_ PCUNICODE_STRING AccountName, _In_ ULONG AccountType, _In_ ACCESS_MASK DesiredAccess, _Out_ PSAM_HANDLE UserHandle, _Out_ PULONG GrantedAccess, _Out_ PULONG RelativeId ); NTSYSAPI NTSTATUS NTAPI SamOpenUser( _In_ SAM_HANDLE DomainHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG UserId, _Out_ PSAM_HANDLE UserHandle ); NTSYSAPI NTSTATUS NTAPI SamDeleteUser( _In_ SAM_HANDLE UserHandle ); NTSYSAPI NTSTATUS NTAPI SamQueryInformationUser( _In_ SAM_HANDLE UserHandle, _In_ USER_INFORMATION_CLASS UserInformationClass, _Outptr_ PVOID *Buffer ); NTSYSAPI NTSTATUS NTAPI SamSetInformationUser( _In_ SAM_HANDLE UserHandle, _In_ USER_INFORMATION_CLASS UserInformationClass, _In_ PVOID Buffer ); NTSYSAPI NTSTATUS NTAPI SamGetGroupsForUser( _In_ SAM_HANDLE UserHandle, _Out_ _Deref_post_count_(*MembershipCount) PGROUP_MEMBERSHIP *Groups, _Out_ PULONG MembershipCount ); NTSYSAPI NTSTATUS NTAPI SamChangePasswordUser( _In_ SAM_HANDLE UserHandle, _In_ PCUNICODE_STRING OldPassword, _In_ PCUNICODE_STRING NewPassword ); NTSYSAPI NTSTATUS NTAPI SamChangePasswordUser2( _In_ PCUNICODE_STRING ServerName, _In_ PCUNICODE_STRING UserName, _In_ PCUNICODE_STRING OldPassword, _In_ PCUNICODE_STRING NewPassword ); NTSYSAPI NTSTATUS NTAPI SamChangePasswordUser3( _In_ PCUNICODE_STRING ServerName, _In_ PCUNICODE_STRING UserName, _In_ PCUNICODE_STRING OldPassword, _In_ PCUNICODE_STRING NewPassword, _Outptr_ PDOMAIN_PASSWORD_INFORMATION *EffectivePasswordPolicy, _Outptr_ PUSER_PWD_CHANGE_FAILURE_INFORMATION *PasswordChangeFailureInfo ); NTSYSAPI NTSTATUS NTAPI SamQueryDisplayInformation( _In_ SAM_HANDLE DomainHandle, _In_ DOMAIN_DISPLAY_INFORMATION DisplayInformation, _In_ ULONG Index, _In_ ULONG EntryCount, _In_ ULONG PreferredMaximumLength, _Out_ PULONG TotalAvailable, _Out_ PULONG TotalReturned, _Out_ PULONG ReturnedEntryCount, _Outptr_ PVOID *SortedBuffer ); /** * The SamGetDisplayEnumerationIndex method obtains an index into an ascending account-name–sorted list of accounts. * * \param DomainHandle A handle representing a domain. * \param DisplayInformation An enumeration indicating which set of objects to return an index. * \param Prefix A string matched against the account name to find a starting point for an enumeration. * \param Index A value to use as input to SamQueryDisplayInformation in order to control the accounts that are returned from that method. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/bd429624-f2d5-4717-8aa2-659952c3e209 */ NTSYSAPI NTSTATUS NTAPI SamGetDisplayEnumerationIndex( _In_ SAM_HANDLE DomainHandle, _In_ DOMAIN_DISPLAY_INFORMATION DisplayInformation, _In_ PCUNICODE_STRING Prefix, _Out_ PULONG Index ); // // Database replication // typedef enum _SECURITY_DB_DELTA_TYPE { SecurityDbNew = 1, SecurityDbRename, SecurityDbDelete, SecurityDbChangeMemberAdd, SecurityDbChangeMemberSet, SecurityDbChangeMemberDel, SecurityDbChange, SecurityDbChangePassword } SECURITY_DB_DELTA_TYPE, *PSECURITY_DB_DELTA_TYPE; typedef enum _SECURITY_DB_OBJECT_TYPE { SecurityDbObjectSamDomain = 1, SecurityDbObjectSamUser, SecurityDbObjectSamGroup, SecurityDbObjectSamAlias, SecurityDbObjectLsaPolicy, SecurityDbObjectLsaTDomain, SecurityDbObjectLsaAccount, SecurityDbObjectLsaSecret } SECURITY_DB_OBJECT_TYPE, *PSECURITY_DB_OBJECT_TYPE; typedef enum _SAM_ACCOUNT_TYPE { SamObjectUser = 1, SamObjectGroup, SamObjectAlias } SAM_ACCOUNT_TYPE, *PSAM_ACCOUNT_TYPE; #define SAM_USER_ACCOUNT (0x00000001) #define SAM_GLOBAL_GROUP_ACCOUNT (0x00000002) #define SAM_LOCAL_GROUP_ACCOUNT (0x00000004) typedef struct _SAM_GROUP_MEMBER_ID { ULONG MemberRid; } SAM_GROUP_MEMBER_ID, *PSAM_GROUP_MEMBER_ID; typedef struct _SAM_ALIAS_MEMBER_ID { PSID MemberSid; } SAM_ALIAS_MEMBER_ID, *PSAM_ALIAS_MEMBER_ID; typedef union _SAM_DELTA_DATA { SAM_GROUP_MEMBER_ID GroupMemberId; SAM_ALIAS_MEMBER_ID AliasMemberId; ULONG AccountControl; } SAM_DELTA_DATA, *PSAM_DELTA_DATA; typedef _Function_class_(SAM_DELTA_NOTIFICATION_ROUTINE) NTSTATUS NTAPI SAM_DELTA_NOTIFICATION_ROUTINE( _In_ PSID DomainSid, _In_ SECURITY_DB_DELTA_TYPE DeltaType, _In_ SECURITY_DB_OBJECT_TYPE ObjectType, _In_ ULONG ObjectRid, _In_opt_ PCUNICODE_STRING ObjectName, _In_ PLARGE_INTEGER ModifiedCount, _In_opt_ PSAM_DELTA_DATA DeltaData ); typedef SAM_DELTA_NOTIFICATION_ROUTINE* PSAM_DELTA_NOTIFICATION_ROUTINE; #define SAM_DELTA_NOTIFY_ROUTINE "DeltaNotify" NTSYSAPI NTSTATUS NTAPI SamRegisterObjectChangeNotification( _In_ SECURITY_DB_OBJECT_TYPE ObjectType, _In_ HANDLE NotificationEventHandle ); NTSYSAPI NTSTATUS NTAPI SamUnregisterObjectChangeNotification( _In_ SECURITY_DB_OBJECT_TYPE ObjectType, _In_ HANDLE NotificationEventHandle ); // // Compatibility mode // #define SAM_SID_COMPATIBILITY_ALL 0 #define SAM_SID_COMPATIBILITY_LAX 1 #define SAM_SID_COMPATIBILITY_STRICT 2 NTSYSAPI NTSTATUS NTAPI SamGetCompatibilityMode( _In_ SAM_HANDLE ObjectHandle, _Out_ ULONG *Mode ); // // Password validation // typedef enum _PASSWORD_POLICY_VALIDATION_TYPE { SamValidateAuthentication = 1, SamValidatePasswordChange, SamValidatePasswordReset } PASSWORD_POLICY_VALIDATION_TYPE; typedef struct _SAM_VALIDATE_PASSWORD_HASH { ULONG Length; _Field_size_bytes_(Length) PUCHAR Hash; } SAM_VALIDATE_PASSWORD_HASH, *PSAM_VALIDATE_PASSWORD_HASH; // Flags for PresentFields in SAM_VALIDATE_PERSISTED_FIELDS #define SAM_VALIDATE_PASSWORD_LAST_SET 0x00000001 #define SAM_VALIDATE_BAD_PASSWORD_TIME 0x00000002 #define SAM_VALIDATE_LOCKOUT_TIME 0x00000004 #define SAM_VALIDATE_BAD_PASSWORD_COUNT 0x00000008 #define SAM_VALIDATE_PASSWORD_HISTORY_LENGTH 0x00000010 #define SAM_VALIDATE_PASSWORD_HISTORY 0x00000020 typedef struct _SAM_VALIDATE_PERSISTED_FIELDS { ULONG PresentFields; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER BadPasswordTime; LARGE_INTEGER LockoutTime; ULONG BadPasswordCount; ULONG PasswordHistoryLength; _Field_size_bytes_(PasswordHistoryLength) PSAM_VALIDATE_PASSWORD_HASH PasswordHistory; } SAM_VALIDATE_PERSISTED_FIELDS, *PSAM_VALIDATE_PERSISTED_FIELDS; typedef enum _SAM_VALIDATE_VALIDATION_STATUS { SamValidateSuccess = 0, SamValidatePasswordMustChange, SamValidateAccountLockedOut, SamValidatePasswordExpired, SamValidatePasswordIncorrect, SamValidatePasswordIsInHistory, SamValidatePasswordTooShort, SamValidatePasswordTooLong, SamValidatePasswordNotComplexEnough, SamValidatePasswordTooRecent, SamValidatePasswordFilterError } SAM_VALIDATE_VALIDATION_STATUS, *PSAM_VALIDATE_VALIDATION_STATUS; typedef struct _SAM_VALIDATE_STANDARD_OUTPUT_ARG { SAM_VALIDATE_PERSISTED_FIELDS ChangedPersistedFields; SAM_VALIDATE_VALIDATION_STATUS ValidationStatus; } SAM_VALIDATE_STANDARD_OUTPUT_ARG, *PSAM_VALIDATE_STANDARD_OUTPUT_ARG; typedef struct _SAM_VALIDATE_AUTHENTICATION_INPUT_ARG { SAM_VALIDATE_PERSISTED_FIELDS InputPersistedFields; BOOLEAN PasswordMatched; } SAM_VALIDATE_AUTHENTICATION_INPUT_ARG, *PSAM_VALIDATE_AUTHENTICATION_INPUT_ARG; typedef struct _SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG { SAM_VALIDATE_PERSISTED_FIELDS InputPersistedFields; UNICODE_STRING ClearPassword; UNICODE_STRING UserAccountName; SAM_VALIDATE_PASSWORD_HASH HashedPassword; BOOLEAN PasswordMatch; // denotes if the old password supplied by user matched or not } SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG, *PSAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG; typedef struct _SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG { SAM_VALIDATE_PERSISTED_FIELDS InputPersistedFields; UNICODE_STRING ClearPassword; UNICODE_STRING UserAccountName; SAM_VALIDATE_PASSWORD_HASH HashedPassword; BOOLEAN PasswordMustChangeAtNextLogon; // looked at only for password reset BOOLEAN ClearLockout; // can be used clear user account lockout } SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG, *PSAM_VALIDATE_PASSWORD_RESET_INPUT_ARG; typedef union _SAM_VALIDATE_INPUT_ARG { SAM_VALIDATE_AUTHENTICATION_INPUT_ARG ValidateAuthenticationInput; SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG ValidatePasswordChangeInput; SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG ValidatePasswordResetInput; } SAM_VALIDATE_INPUT_ARG, *PSAM_VALIDATE_INPUT_ARG; typedef union _SAM_VALIDATE_OUTPUT_ARG { SAM_VALIDATE_STANDARD_OUTPUT_ARG ValidateAuthenticationOutput; SAM_VALIDATE_STANDARD_OUTPUT_ARG ValidatePasswordChangeOutput; SAM_VALIDATE_STANDARD_OUTPUT_ARG ValidatePasswordResetOutput; } SAM_VALIDATE_OUTPUT_ARG, *PSAM_VALIDATE_OUTPUT_ARG; NTSYSAPI NTSTATUS NTAPI SamValidatePassword( _In_opt_ PCUNICODE_STRING ServerName, _In_ PASSWORD_POLICY_VALIDATION_TYPE ValidationType, _In_ PSAM_VALIDATE_INPUT_ARG InputArg, _Out_ PSAM_VALIDATE_OUTPUT_ARG *OutputArg ); // // Generic operation // typedef enum _SAM_GENERIC_OPERATION_TYPE { SamObjectChangeNotificationOperation } SAM_GENERIC_OPERATION_TYPE, *PSAM_GENERIC_OPERATION_TYPE; typedef struct _SAM_OPERATION_OBJCHG_INPUT { BOOLEAN Register; ULONG64 EventHandle; SECURITY_DB_OBJECT_TYPE ObjectType; ULONG ProcessID; } SAM_OPERATION_OBJCHG_INPUT, *PSAM_OPERATION_OBJCHG_INPUT; typedef struct _SAM_OPERATION_OBJCHG_OUTPUT { ULONG Reserved; } SAM_OPERATION_OBJCHG_OUTPUT, *PSAM_OPERATION_OBJCHG_OUTPUT; typedef union _SAM_GENERIC_OPERATION_INPUT { SAM_OPERATION_OBJCHG_INPUT ObjChangeIn; } SAM_GENERIC_OPERATION_INPUT, *PSAM_GENERIC_OPERATION_INPUT; typedef union _SAM_GENERIC_OPERATION_OUTPUT { SAM_OPERATION_OBJCHG_OUTPUT ObjChangeOut; } SAM_GENERIC_OPERATION_OUTPUT, *PSAM_GENERIC_OPERATION_OUTPUT; NTSYSAPI NTSTATUS NTAPI SamPerformGenericOperation( _In_opt_ PCWSTR ServerName, _In_ SAM_GENERIC_OPERATION_TYPE OperationType, _In_ PSAM_GENERIC_OPERATION_INPUT OperationIn, _Out_ PSAM_GENERIC_OPERATION_OUTPUT *OperationOut ); #endif // _NTSAM_H ================================================ FILE: phnt/include/ntseapi.h ================================================ /* * Authorization functions * * This file is part of System Informer. */ #ifndef _NTSEAPI_H #define _NTSEAPI_H // // Privileges // #define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) #define SE_CREATE_TOKEN_PRIVILEGE (2L) // Required to create a primary token. #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) // Required to assign the primary token of a process. #define SE_LOCK_MEMORY_PRIVILEGE (4L) // Required to lock physical pages in memory. #define SE_INCREASE_QUOTA_PRIVILEGE (5L) // Required to increase the quota assigned to a process. #define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) // Required to create a computer account. #define SE_TCB_PRIVILEGE (7L) // Required to act as part of the Trusted Computer Base. #define SE_SECURITY_PRIVILEGE (8L) // Required to perform a number of security-related functions, such as controlling and viewing audit messages. // Security operator. #define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) // Required to take ownership of an object without being granted discretionary access. #define SE_LOAD_DRIVER_PRIVILEGE (10L) // Required to load or unload a device driver. #define SE_SYSTEM_PROFILE_PRIVILEGE (11L) // Required to gather profiling information for the entire system. #define SE_SYSTEMTIME_PRIVILEGE (12L) // Required to modify the system time. #define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) // Required to gather profiling information for a single process. #define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) // Required to increase the base priority of a process. #define SE_CREATE_PAGEFILE_PRIVILEGE (15L) // Required to create a paging file. #define SE_CREATE_PERMANENT_PRIVILEGE (16L) // Required to create a permanent object. #define SE_BACKUP_PRIVILEGE (17L) // Required to perform backup operations. This privilege causes the system to grant all read access control to any file. #define SE_RESTORE_PRIVILEGE (18L) // Required to perform restore operations. This privilege causes the system to grant all write access control to any file. #define SE_SHUTDOWN_PRIVILEGE (19L) // Required to shut down a local system. #define SE_DEBUG_PRIVILEGE (20L) // Required to debug and adjust memory of any process, ignoring the DACL for the process. #define SE_AUDIT_PRIVILEGE (21L) // Required to generate audit-log entries. #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) // Required to modify UEFI variables of systems that use this type of memory to store configuration information. #define SE_CHANGE_NOTIFY_PRIVILEGE (23L) // Required to receive notifications of changes to files or directories and skip all traversal access checks. It is enabled by default for all users. #define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) // Required to shut down a system using a network request. #define SE_UNDOCK_PRIVILEGE (25L) // Required to undock a laptop. #define SE_SYNC_AGENT_PRIVILEGE (26L) // Required for a domain controller to use the Lightweight Directory Access Protocol (LDAP) directory synchronization services. #define SE_ENABLE_DELEGATION_PRIVILEGE (27L) // Required to mark user and computer accounts as trusted for delegation. #define SE_MANAGE_VOLUME_PRIVILEGE (28L) // Required to enable volume management privileges. #define SE_IMPERSONATE_PRIVILEGE (29L) // Required to impersonate a client after authentication. #define SE_CREATE_GLOBAL_PRIVILEGE (30L) // Required to create named file mapping objects in the global namespace during Terminal Services sessions. It is enabled by default for all administrators. #define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) // Required to access Credential Manager as a trusted caller. #define SE_RELABEL_PRIVILEGE (32L) // Required to modify the mandatory integrity level of an object. #define SE_INC_WORKING_SET_PRIVILEGE (33L) // Required to allocate more memory for applications that run in the context of users. #define SE_TIME_ZONE_PRIVILEGE (34L) // Required to adjust the time zone associated with the computer's internal clock. #define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) // Required to create a symbolic link. #define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L) // Required to obtain an impersonation token for another user in the same session. #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE // // Authz // // begin_rev #if (PHNT_MODE == PHNT_MODE_KERNEL) /** * The TOKEN_INFORMATION_CLASS enumeration contains values that specify the type of information * being assigned to or retrieved from an access token. * * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_information_class */ typedef enum _TOKEN_INFORMATION_CLASS { TokenUser = 1, // q: TOKEN_USER, SE_TOKEN_USER TokenGroups, // q: TOKEN_GROUPS TokenPrivileges, // q: TOKEN_PRIVILEGES TokenOwner, // qs: TOKEN_OWNER TokenPrimaryGroup, // qs: TOKEN_PRIMARY_GROUP TokenDefaultDacl, // qs: TOKEN_DEFAULT_DACL TokenSource, // q: TOKEN_SOURCE TokenType, // q: TOKEN_TYPE TokenImpersonationLevel, // q: SECURITY_IMPERSONATION_LEVEL TokenStatistics, // q: TOKEN_STATISTICS // 10 TokenRestrictedSids, // q: TOKEN_GROUPS TokenSessionId, // qs: ULONG (requires SeTcbPrivilege) TokenGroupsAndPrivileges, // q: TOKEN_GROUPS_AND_PRIVILEGES TokenSessionReference, // s: ULONG (requires SeTcbPrivilege) TokenSandBoxInert, // q: ULONG TokenAuditPolicy, // qs: TOKEN_AUDIT_POLICY (requires SeSecurityPrivilege/SeTcbPrivilege) TokenOrigin, // qs: TOKEN_ORIGIN (requires SeTcbPrivilege) TokenElevationType, // q: TOKEN_ELEVATION_TYPE TokenLinkedToken, // qs: TOKEN_LINKED_TOKEN (requires SeCreateTokenPrivilege) TokenElevation, // q: TOKEN_ELEVATION // 20 TokenHasRestrictions, // q: ULONG TokenAccessInformation, // q: TOKEN_ACCESS_INFORMATION TokenVirtualizationAllowed, // qs: ULONG (requires SeCreateTokenPrivilege) TokenVirtualizationEnabled, // qs: ULONG TokenIntegrityLevel, // qs: TOKEN_MANDATORY_LABEL TokenUIAccess, // qs: ULONG (requires SeTcbPrivilege) TokenMandatoryPolicy, // qs: TOKEN_MANDATORY_POLICY (requires SeTcbPrivilege) TokenLogonSid, // q: TOKEN_GROUPS TokenIsAppContainer, // q: ULONG // since WIN8 TokenCapabilities, // q: TOKEN_GROUPS // 30 TokenAppContainerSid, // q: TOKEN_APPCONTAINER_INFORMATION TokenAppContainerNumber, // q: ULONG TokenUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION TokenDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION TokenRestrictedUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION TokenRestrictedDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION TokenDeviceGroups, // q: TOKEN_GROUPS TokenRestrictedDeviceGroups, // q: TOKEN_GROUPS TokenSecurityAttributes, // qs: TOKEN_SECURITY_ATTRIBUTES_[AND_OPERATION_]INFORMATION (requires SeTcbPrivilege) TokenIsRestricted, // q: ULONG // 40 TokenProcessTrustLevel, // q: TOKEN_PROCESS_TRUST_LEVEL // since WINBLUE TokenPrivateNameSpace, // qs: ULONG (requires SeTcbPrivilege) // since THRESHOLD TokenSingletonAttributes, // q: TOKEN_SECURITY_ATTRIBUTES_INFORMATION // since REDSTONE TokenBnoIsolation, // q: TOKEN_BNO_ISOLATION_INFORMATION // since REDSTONE2 TokenChildProcessFlags, // s: ULONG (requires SeTcbPrivilege) // since REDSTONE3 TokenIsLessPrivilegedAppContainer, // q: ULONG // since REDSTONE5 TokenIsSandboxed, // q: ULONG // since 19H1 TokenIsAppSilo, // q: ULONG // since WIN11 22H2 // previously TokenOriginatingProcessTrustLevel // q: TOKEN_PROCESS_TRUST_LEVEL TokenLoggingInformation, // q: TOKEN_LOGGING_INFORMATION // since 24H2 TokenLearningMode, // q: // since 25H2 MaxTokenInfoClass } TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS; // // Token information structures // /** * The TOKEN_USER structure identifies the user associated with an access token. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_user */ typedef struct _TOKEN_USER { SID_AND_ATTRIBUTES User; } TOKEN_USER, *PTOKEN_USER; typedef struct _SE_TOKEN_USER { union { TOKEN_USER TokenUser; SID_AND_ATTRIBUTES User; } DUMMYUNIONNAME; union { SID Sid; BYTE Buffer[SECURITY_MAX_SID_SIZE]; } DUMMYUNIONNAME2; } SE_TOKEN_USER, PSE_TOKEN_USER; #define TOKEN_USER_MAX_SIZE (sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE) /** * The TOKEN_GROUPS structure contains information about the group security identifiers (SIDs) in an access token. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_groups */ typedef struct _TOKEN_GROUPS { ULONG GroupCount; SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; } TOKEN_GROUPS, *PTOKEN_GROUPS; /** * The TOKEN_PRIVILEGES structure contains information about a set of privileges for an access token. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_privileges */ typedef struct _TOKEN_PRIVILEGES { ULONG PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES; /** * The TOKEN_OWNER structure contains the default owner security identifier (SID) that will be applied to newly created objects. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_owner */ typedef struct _TOKEN_OWNER { PSID Owner; } TOKEN_OWNER, *PTOKEN_OWNER; #define TOKEN_OWNER_MAX_SIZE (sizeof(TOKEN_OWNER) + SECURITY_MAX_SID_SIZE) /** * The TOKEN_PRIMARY_GROUP structure specifies a group security identifier (SID) for an access token. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_primary_group */ typedef struct _TOKEN_PRIMARY_GROUP { PSID PrimaryGroup; } TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; /** * The TOKEN_DEFAULT_DACL structure specifies a discretionary access control list (DACL). * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_default_dacl */ typedef struct _TOKEN_DEFAULT_DACL { PACL DefaultDacl; } TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; #define TOKEN_SOURCE_LENGTH 8 /** * The TOKEN_SOURCE structure identifies the source of an access token. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_source */ typedef struct _TOKEN_SOURCE { CHAR SourceName[TOKEN_SOURCE_LENGTH]; LUID SourceIdentifier; } TOKEN_SOURCE, *PTOKEN_SOURCE; /** * The TOKEN_TYPE enumeration contains values that differentiate between a primary token and an impersonation token. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_type */ typedef enum _TOKEN_TYPE { TokenPrimary = 1, TokenImpersonation } TOKEN_TYPE; typedef struct _TOKEN_USER_CLAIMS { PCLAIMS_BLOB UserClaims; } TOKEN_USER_CLAIMS, *PTOKEN_USER_CLAIMS; typedef struct _TOKEN_DEVICE_CLAIMS { PCLAIMS_BLOB DeviceClaims; } TOKEN_DEVICE_CLAIMS, *PTOKEN_DEVICE_CLAIMS; typedef struct _TOKEN_GROUPS_AND_PRIVILEGES { ULONG SidCount; ULONG SidLength; PSID_AND_ATTRIBUTES Sids; ULONG RestrictedSidCount; ULONG RestrictedSidLength; PSID_AND_ATTRIBUTES RestrictedSids; ULONG PrivilegeCount; ULONG PrivilegeLength; PLUID_AND_ATTRIBUTES Privileges; LUID AuthenticationId; } TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES; typedef struct _TOKEN_LINKED_TOKEN { HANDLE LinkedToken; } TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN; typedef struct _TOKEN_ELEVATION { ULONG TokenIsElevated; } TOKEN_ELEVATION, *PTOKEN_ELEVATION; /** * The TOKEN_MANDATORY_POLICY structure specifies the mandatory integrity policy for a token. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_mandatory_policy */ typedef struct _TOKEN_MANDATORY_LABEL { SID_AND_ATTRIBUTES Label; } TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL; #define TOKEN_MANDATORY_POLICY_OFF 0x0 #define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1 #define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2 #define TOKEN_MANDATORY_POLICY_VALID_MASK (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | \ TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN) #define TOKEN_INTEGRITY_LEVEL_MAX_SIZE \ ((((ULONG)(sizeof(TOKEN_MANDATORY_LABEL)) + sizeof(PVOID) - 1) & ~(sizeof(PVOID)-1)) + SECURITY_MAX_SID_SIZE) typedef struct _TOKEN_MANDATORY_POLICY { ULONG Policy; } TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY; typedef PVOID PSECURITY_ATTRIBUTES_OPAQUE; typedef struct _TOKEN_ACCESS_INFORMATION { PSID_AND_ATTRIBUTES_HASH SidHash; PSID_AND_ATTRIBUTES_HASH RestrictedSidHash; PTOKEN_PRIVILEGES Privileges; LUID AuthenticationId; TOKEN_TYPE TokenType; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; TOKEN_MANDATORY_POLICY MandatoryPolicy; ULONG Flags; ULONG AppContainerNumber; PSID PackageSid; PSID_AND_ATTRIBUTES_HASH CapabilitiesHash; PSID TrustLevelSid; PSECURITY_ATTRIBUTES_OPAQUE SecurityAttributes; } TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION; typedef struct _TOKEN_LOGGING_INFORMATION { TOKEN_TYPE TokenType; TOKEN_ELEVATION TokenElevation; TOKEN_ELEVATION_TYPE TokenElevationType; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; ULONG IntegrityLevel; SID_AND_ATTRIBUTES User; PSID TrustLevelSid; ULONG SessionId; ULONG AppContainerNumber; LUID AuthenticationId; ULONG GroupCount; ULONG GroupsLength; PSID_AND_ATTRIBUTES Groups; } TOKEN_LOGGING_INFORMATION, *PTOKEN_LOGGING_INFORMATION; #endif // (PHNT_MODE == PHNT_MODE_KERNEL) // // Types // #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03 // Case insensitive attribute value string by default. Unless the flag TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE is set. #define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04 // Fully-qualified binary name. #define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10 // // Flags // // Attribute must not be inherited across process spawns. #define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001 // Attribute value is compared in a case sensitive way. It is valid with string value // or composite type containing string value. For other types of value, this flag // will be ignored. Currently, it is valid with the two types: // TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING and TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN. #define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002 #define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 // Attribute is considered only for Deny Aces. #define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 // Attribute is disabled by default. #define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010 // Attribute is disabled. #define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020 // Attribute is mandatory. #define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040 // Attribute is ignored. #define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \ TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \ TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \ TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \ TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \ TOKEN_SECURITY_ATTRIBUTE_DISABLED | \ TOKEN_SECURITY_ATTRIBUTE_MANDATORY) // Reserve upper 16 bits for custom flags. These should be preserved but not // validated as they do not affect security in any way. #define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000 // end_rev // private // CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE { ULONG64 Version; UNICODE_STRING Name; } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; // private // CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE { PVOID Value; // Pointer is BYTE aligned. ULONG ValueLength; // In bytes } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; // private typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 { UNICODE_STRING Name; USHORT ValueType; USHORT Reserved; ULONG Flags; ULONG ValueCount; union { PLONG64 Int64; PULONG64 Uint64; PUNICODE_STRING String; PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE Fqbn; PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE OctetString; } Values; } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; // private typedef struct _TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1 { UNICODE_STRING Name; USHORT ValueType; USHORT Reserved; ULONG Flags; ULONG ValueCount; union { ULONG Int64[ANYSIZE_ARRAY]; ULONG Uint64[ANYSIZE_ARRAY]; ULONG String[ANYSIZE_ARRAY]; ULONG Fqbn[ANYSIZE_ARRAY]; ULONG OctetString[ANYSIZE_ARRAY]; } Values; } TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1, *PTOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1; // rev #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1 // rev #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 // private typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION { USHORT Version; USHORT Reserved; ULONG AttributeCount; union { PTOKEN_SECURITY_ATTRIBUTE_V1 AttributeV1; }; } TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; // private typedef enum _TOKEN_SECURITY_ATTRIBUTE_OPERATION { TOKEN_SECURITY_ATTRIBUTE_OPERATION_NONE, TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL, TOKEN_SECURITY_ATTRIBUTE_OPERATION_ADD, TOKEN_SECURITY_ATTRIBUTE_OPERATION_DELETE, TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE } TOKEN_SECURITY_ATTRIBUTE_OPERATION, *PTOKEN_SECURITY_ATTRIBUTE_OPERATION; // private typedef struct _TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION { PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Attributes; PTOKEN_SECURITY_ATTRIBUTE_OPERATION Operations; } TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION; // rev /** * The TOKEN_PROCESS_TRUST_LEVEL structure contains information about * the trust level assigned to a process token. The trust level is * represented by a SID (Security Identifier) pointed to by TrustLevelSid. */ typedef struct _TOKEN_PROCESS_TRUST_LEVEL { PSID TrustLevelSid; } TOKEN_PROCESS_TRUST_LEVEL, *PTOKEN_PROCESS_TRUST_LEVEL; #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) typedef struct _TOKEN_LOGGING_INFORMATION { TOKEN_TYPE TokenType; TOKEN_ELEVATION TokenElevation; TOKEN_ELEVATION_TYPE TokenElevationType; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; ULONG IntegrityLevel; SID_AND_ATTRIBUTES User; PSID TrustLevelSid; ULONG SessionId; ULONG AppContainerNumber; LUID AuthenticationId; ULONG GroupCount; ULONG GroupsLength; PSID_AND_ATTRIBUTES Groups; } TOKEN_LOGGING_INFORMATION, *PTOKEN_LOGGING_INFORMATION; #endif // !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) // // Tokens // /** * The NtCreateToken routine creates a new access token. * * \param TokenHandle Pointer to a variable that receives the handle to the newly created token. * \param DesiredAccess Specifies the requested access rights for the new token. * \param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes. * \param Type Specifies the type of token to be created (primary or impersonation). * \param AuthenticationId Pointer to a locally unique identifier (LUID) for the token. * \param ExpirationTime Pointer to a LARGE_INTEGER specifying the expiration time of the token. * \param User Pointer to a TOKEN_USER structure specifying the user account for the token. * \param Groups Pointer to a TOKEN_GROUPS structure specifying the group accounts for the token. * \param Privileges Pointer to a TOKEN_PRIVILEGES structure specifying the privileges for the token. * \param Owner Optional pointer to a TOKEN_OWNER structure specifying the owner SID for the token. * \param PrimaryGroup Pointer to a TOKEN_PRIMARY_GROUP structure specifying the primary group SID for the token. * \param DefaultDacl Optional pointer to a TOKEN_DEFAULT_DACL structure specifying the default DACL for the token. * \param Source Pointer to a TOKEN_SOURCE structure specifying the source of the token. * \return NTSTATUS code indicating success or failure. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateToken( _Out_ PHANDLE TokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ TOKEN_TYPE Type, _In_ PLUID AuthenticationId, _In_ PLARGE_INTEGER ExpirationTime, _In_ PTOKEN_USER User, _In_ PTOKEN_GROUPS Groups, _In_ PTOKEN_PRIVILEGES Privileges, _In_opt_ PTOKEN_OWNER Owner, _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, _In_ PTOKEN_SOURCE Source ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtCreateLowBoxToken routine creates a new lowbox access token based on an existing token. * * \param TokenHandle Pointer to a variable that receives the handle to the newly created lowbox token. * \param ExistingTokenHandle Handle to an existing token to base the new token on. * \param DesiredAccess Specifies the requested access rights for the new token. * \param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes. * \param PackageSid Pointer to a SID structure specifying the package SID for the lowbox token. * \param CapabilityCount Number of capabilities in the Capabilities array. * \param Capabilities Optional pointer to an array of SID_AND_ATTRIBUTES structures specifying capabilities. * \param HandleCount Number of handles in the Handles array. * \param Handles Optional pointer to an array of handles to be associated with the token. * \return NTSTATUS code indicating success or failure. * \sa https://learn.microsoft.com/en-us/windows/win32/secauthz/ntcreatelowboxtoken */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateLowBoxToken( _Out_ PHANDLE TokenHandle, _In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ PSID PackageSid, _In_ ULONG CapabilityCount, _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities, _In_ ULONG HandleCount, _In_reads_opt_(HandleCount) HANDLE *Handles ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtCreateTokenEx routine creates a new access token with extended attributes. * * \param TokenHandle Pointer to a variable that receives the handle to the newly created token. * \param DesiredAccess Specifies the requested access rights for the new token. * \param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes. * \param Type Specifies the type of token to be created (primary or impersonation). * \param AuthenticationId Pointer to a locally unique identifier (LUID) for the token. * \param ExpirationTime Pointer to a LARGE_INTEGER specifying the expiration time of the token. * \param User Pointer to a TOKEN_USER structure specifying the user account for the token. * \param Groups Pointer to a TOKEN_GROUPS structure specifying the group accounts for the token. * \param Privileges Pointer to a TOKEN_PRIVILEGES structure specifying the privileges for the token. * \param UserAttributes Optional pointer to a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure specifying user claims. * \param DeviceAttributes Optional pointer to a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure specifying device claims. * \param DeviceGroups Optional pointer to a TOKEN_GROUPS structure specifying device groups. * \param MandatoryPolicy Optional pointer to a TOKEN_MANDATORY_POLICY structure specifying the mandatory policy. * \param Owner Optional pointer to a TOKEN_OWNER structure specifying the owner SID for the token. * \param PrimaryGroup Pointer to a TOKEN_PRIMARY_GROUP structure specifying the primary group SID for the token. * \param DefaultDacl Optional pointer to a TOKEN_DEFAULT_DACL structure specifying the default DACL for the token. * \param Source Pointer to a TOKEN_SOURCE structure specifying the source of the token. * \return NTSTATUS code indicating success or failure. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateTokenEx( _Out_ PHANDLE TokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ TOKEN_TYPE Type, _In_ PLUID AuthenticationId, _In_ PLARGE_INTEGER ExpirationTime, _In_ PTOKEN_USER User, _In_ PTOKEN_GROUPS Groups, _In_ PTOKEN_PRIVILEGES Privileges, _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes, _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes, _In_opt_ PTOKEN_GROUPS DeviceGroups, _In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy, _In_opt_ PTOKEN_OWNER Owner, _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, _In_ PTOKEN_SOURCE Source ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtOpenProcessToken routine opens the access token associated with a process, and returns a handle that can be used to access that token. * * \param ProcessHandle Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access. * \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. * \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstoken */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ); /** * The NtOpenProcessTokenEx routine opens the access token associated with a process, and returns a handle that can be used to access that token. * * \param ProcessHandle Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access. * \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. * \param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported. * \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstokenex */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenProcessTokenEx( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _Out_ PHANDLE TokenHandle ); /** * The NtOpenThreadToken routine opens the access token associated with a thread, and returns a handle that can be used to access that token. * * \param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access. * \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. * \param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread. * \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtoken */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenThreadToken( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ BOOLEAN OpenAsSelf, _Out_ PHANDLE TokenHandle ); /** * The NtOpenThreadTokenEx routine opens the access token associated with a thread, and returns a handle that can be used to access that token. * * \param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access. * \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. * \param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread. * \param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported. * \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtokenex */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenThreadTokenEx( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ BOOLEAN OpenAsSelf, _In_ ULONG HandleAttributes, _Out_ PHANDLE TokenHandle ); /** * The NtDuplicateToken function creates a handle to a new access token that duplicates an existing token. * * \param ExistingTokenHandle A handle to an existing access token that was opened with the TOKEN_DUPLICATE access right. * \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. * \param ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that describes the requested properties for the new token. * \param EffectiveOnly A Boolean value that indicates whether the entire existing token should be duplicated into the new token or just the effective (currently enabled) part of the token. * \param Type Specifies the type of token to create either a primary token or an impersonation token. * \param NewTokenHandle Pointer to a caller-allocated variable that receives a handle to the newly duplicated token. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntduplicatetoken */ NTSYSCALLAPI NTSTATUS NTAPI NtDuplicateToken( _In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE Type, _Out_ PHANDLE NewTokenHandle ); /** * The NtQueryInformationToken routine retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information. * * \param TokenHandle A handle to an existing access token from which information is to be retrieved. If TokenInformationClass is set to TokenSource, the handle must have TOKEN_QUERY_SOURCE access. * For all other TokenInformationClass values, the handle must have TOKEN_QUERY access. * \param TokenInformationClass A value from the TOKEN_INFORMATION_CLASS enumerated type identifying the type of information to be retrieved. * \param TokenInformation Pointer to a caller-allocated buffer that receives the requested information about the token. * \param TokenInformationLength Length, in bytes, of the caller-allocated TokenInformation buffer. * \param ReturnLength Pointer to a caller-allocated variable that receives the actual length, in bytes, of the information returned in the TokenInformation buffer. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationtoken */ NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationToken( _In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength, _Out_ PULONG ReturnLength ); /** * The NtSetInformationToken routine modifies information in a specified token. The calling process must have appropriate access rights to set the information. * * \param TokenHandle A handle to an existing access token which information is to be modified. * \param TokenInformationClass A value from the TOKEN_INFORMATION_CLASS enumerated type identifying the type of information to be modified. * \param TokenInformation Pointer to a caller-allocated buffer containing the information to be modified in the token. * \param TokenInformationLength Length, in bytes, of the caller-allocated TokenInformation buffer. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationtoken */ NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationToken( _In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength ); /** * The NtAdjustPrivilegesToken routine enables or disables privileges in the specified access token. * * \param TokenHandle Handle to the token that contains the privileges to be modified. The handle must have TOKEN_ADJUST_PRIVILEGES access. * \param DisableAllPrivileges Specifies whether the function disables all of the token's privileges. If this value is TRUE, the function disables all privileges and ignores the NewState parameter. * If it is FALSE, the function modifies privileges based on the information pointed to by the NewState parameter. * \param NewState A pointer to a TOKEN_PRIVILEGES structure that specifies an array of privileges and their attributes. If DisableAllPrivileges is TRUE, the function ignores this parameter. * \param BufferLength Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the PreviousState parameter is NULL. * \param PreviousState A pointer to a buffer that the function fills with a TOKEN_PRIVILEGES structure that contains the previous state of any privileges that the function modifies. * \param ReturnLength A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be NULL if PreviousState is NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges */ NTSYSCALLAPI NTSTATUS NTAPI NtAdjustPrivilegesToken( _In_ HANDLE TokenHandle, _In_ BOOLEAN DisableAllPrivileges, _In_opt_ PTOKEN_PRIVILEGES NewState, _In_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, _Out_opt_ PULONG ReturnLength ); /** * The NtAdjustGroupsToken routine enables or disables groups in the specified access token. * * \param TokenHandle Handle to the token that contains the groups to be modified. The handle must have TOKEN_ADJUST_GROUPS access. * \param ResetToDefault Specifies whether the function resets the groups to the default state. If this value is TRUE, the function resets all groups to their default state and ignores the NewState parameter. * \param NewState A pointer to a TOKEN_GROUPS structure that specifies an array of groups and their attributes. If ResetToDefault is TRUE, the function ignores this parameter. * \param BufferLength Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the PreviousState parameter is NULL. * \param PreviousState A pointer to a buffer that the function fills with a TOKEN_GROUPS structure that contains the previous state of any groups that the function modifies. * \param ReturnLength A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be NULL if PreviousState is NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups */ NTSYSCALLAPI NTSTATUS NTAPI NtAdjustGroupsToken( _In_ HANDLE TokenHandle, _In_ BOOLEAN ResetToDefault, _In_opt_ PTOKEN_GROUPS NewState, _In_opt_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, _Out_opt_ PULONG ReturnLength ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtAdjustTokenClaimsAndDeviceGroups( _In_ HANDLE TokenHandle, _In_ BOOLEAN UserResetToDefault, _In_ BOOLEAN DeviceResetToDefault, _In_ BOOLEAN DeviceGroupsResetToDefault, _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState, _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState, _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState, _In_ ULONG UserBufferLength, _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState, _In_ ULONG DeviceBufferLength, _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState, _In_ ULONG DeviceGroupsBufferLength, _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups, _Out_opt_ PULONG UserReturnLength, _Out_opt_ PULONG DeviceReturnLength, _Out_opt_ PULONG DeviceGroupsReturnBufferLength ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) // NtFilterToken Flags #define DISABLE_MAX_PRIVILEGE 0x1 // Disables all privileges in the new token except SE_CHANGE_NOTIFY_PRIVILEGE. #define SANDBOX_INERT 0x2 // Stores the TOKEN_SANDBOX_INERT flag in the token. #define LUA_TOKEN 0x4 #define WRITE_RESTRICTED 0x8 /** * The NtFilterToken routine creates a new access token that is a restricted version of an existing access token. * * \param ExistingTokenHandle Handle to a primary or impersonation token. The token can also be a restricted token. This token must already be open for TOKEN_DUPLICATE access. * \param Flags Specifies additional privilege options. * \param SidsToDisable The deny-only SIDs to include in the restricted token. The system uses a deny-only SID to deny access to a securable object. The absence of a deny-only SID does not allow access. * \param PrivilegesToDelete The privileges to delete in the restricted token. This parameter is optional and can be NULL. * \param RestrictedSids The list of restricting SIDs for the new token. This parameter is optional and can be NULL. * \param NewTokenHandle The new restricted token. The new token is the same type, primary or impersonation, as the existing token. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-sefiltertoken */ NTSYSCALLAPI NTSTATUS NTAPI NtFilterToken( _In_ HANDLE ExistingTokenHandle, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _Out_ PHANDLE NewTokenHandle ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) NTSYSCALLAPI NTSTATUS NTAPI NtFilterTokenEx( _In_ HANDLE ExistingTokenHandle, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _In_ ULONG DisableUserClaimsCount, _In_opt_ PCUNICODE_STRING UserClaimsToDisable, _In_ ULONG DisableDeviceClaimsCount, _In_opt_ PCUNICODE_STRING DeviceClaimsToDisable, _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable, _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes, _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes, _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups, _Out_ PHANDLE NewTokenHandle ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtCompareTokens routine compares two access tokens to determine whether they are equivalent. * * \param FirstTokenHandle Handle to the first access token to compare. The handle must have TOKEN_QUERY access. * \param SecondTokenHandle Handle to the second access token to compare. The handle must have TOKEN_QUERY access. * \param Equal Pointer to a BOOLEAN variable that receives TRUE if the tokens are equivalent, or FALSE otherwise. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/secauthz/ntcomparetokens */ NTSYSCALLAPI NTSTATUS NTAPI NtCompareTokens( _In_ HANDLE FirstTokenHandle, _In_ HANDLE SecondTokenHandle, _Out_ PBOOLEAN Equal ); /** * The NtPrivilegeCheck routine determines whether a specified set of privileges are enabled in the access token of a client. * * \param ClientToken Handle to the access token of the client whose privileges are to be checked. The handle must have TOKEN_QUERY access. * \param RequiredPrivileges Pointer to a PRIVILEGE_SET structure that specifies the set of privileges to be checked. On input, this structure contains the privileges to check. * \param Result Pointer to a BOOLEAN variable that receives TRUE if all specified privileges are enabled, or FALSE otherwise. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-privilegecheck */ NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeCheck( _In_ HANDLE ClientToken, _Inout_ PPRIVILEGE_SET RequiredPrivileges, _Out_ PBOOLEAN Result ); /** * The NtImpersonateAnonymousToken routine causes a thread to impersonate the anonymous token. * * \param ThreadHandle Handle to the thread that will impersonate the anonymous token. The handle must have THREAD_DIRECT_IMPERSONATION access. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtImpersonateAnonymousToken( _In_ HANDLE ThreadHandle ); /** * The NtQuerySecurityAttributesToken routine retrieves security attribute information from an access token. * * \param TokenHandle Handle to the access token from which to retrieve security attributes. The handle must have TOKEN_QUERY access. * \param Attributes Pointer to an array of UNICODE_STRING structures specifying the names of the attributes to query. This parameter can be NULL if NumberOfAttributes is zero. * \param NumberOfAttributes The number of attributes specified in the Attributes array. * \param Buffer Pointer to a buffer that receives the security attribute information. The buffer receives a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure. * \param Length The size, in bytes, of the Buffer parameter. * \param ReturnLength Pointer to a variable that receives the number of bytes required to store the complete security attribute information. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtQuerySecurityAttributesToken( _In_ HANDLE TokenHandle, _In_reads_opt_(NumberOfAttributes) PCUNICODE_STRING Attributes, _In_ ULONG NumberOfAttributes, _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION _In_ ULONG Length, _Out_ PULONG ReturnLength ); // // Access checking // /** * The NtAccessCheck routine determines whether a security descriptor grants a specified set of access rights to the client represented by an access token. * * \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure against which access is checked. * \param ClientToken Handle to the access token representing the client. The handle must have TOKEN_QUERY access. * \param DesiredAccess Access mask that specifies the access rights to check. * \param GenericMapping Pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked. * \param PrivilegeSet Pointer to a PRIVILEGE_SET structure that receives the privileges required to access the object. The buffer must be large enough to hold the privilege set. * \param PrivilegeSetLength Pointer to a variable that specifies the size, in bytes, of the PrivilegeSet buffer. On input, this is the size of the buffer; on output, it receives the number of bytes required. * \param GrantedAccess Pointer to an access mask that receives the granted access rights. * \param AccessStatus Pointer to a variable that receives the results of the access check. * \return NTSTATUS code indicating success or failure. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-accesscheck */ NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheck( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus ); /** * The NtAccessCheckByType routine determines whether a security descriptor grants a specified set of access rights to the client represented by an access token, taking into account object type information. * * \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure against which access is checked. * \param PrincipalSelfSid Optional pointer to a SID structure representing the principal self SID, or NULL. * \param ClientToken Handle to the access token representing the client. The handle must have TOKEN_QUERY access. * \param DesiredAccess Access mask that specifies the access rights to check. * \param ObjectTypeList Pointer to an array of OBJECT_TYPE_LIST structures that specify the hierarchy of object types for the object being accessed. * \param ObjectTypeListLength The number of elements in the ObjectTypeList array. * \param GenericMapping Pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked. * \param PrivilegeSet Pointer to a PRIVILEGE_SET structure that receives the privileges required to access the object. The buffer must be large enough to hold the privilege set. * \param PrivilegeSetLength Pointer to a variable that specifies the size, in bytes, of the PrivilegeSet buffer. On input, this is the size of the buffer; on output, it receives the number of bytes required. * \param GrantedAccess Pointer to an access mask that receives the granted access rights. * \param AccessStatus Pointer to a variable that receives the results of the access check. * \return NTSTATUS code indicating success or failure. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-accesscheckbytype */ NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByType( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus ); /** * The NtAccessCheckByTypeResultList routine determines whether a security descriptor grants a specified set of access rights to the client represented by an access token, and returns the results for each object type in a list. * * \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure against which access is checked. * \param PrincipalSelfSid Optional pointer to a SID structure representing the principal self SID, or NULL. * \param ClientToken Handle to the access token representing the client. The handle must have TOKEN_QUERY access. * \param DesiredAccess Access mask that specifies the access rights to check. * \param ObjectTypeList Pointer to an array of OBJECT_TYPE_LIST structures that specify the hierarchy of object types for the object being accessed. * \param ObjectTypeListLength The number of elements in the ObjectTypeList array. * \param GenericMapping Pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked. * \param PrivilegeSet Pointer to a PRIVILEGE_SET structure that receives the privileges required to access the object. The buffer must be large enough to hold the privilege set. * \param PrivilegeSetLength Pointer to a variable that specifies the size, in bytes, of the PrivilegeSet buffer. On input, this is the size of the buffer; on output, it receives the number of bytes required. * \param GrantedAccess Pointer to an array of access masks that receive the granted access rights for each object type. * \param AccessStatus Pointer to an array of NTSTATUS values that receive the results of the access check for each object type. * \return NTSTATUS code indicating success or failure. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-accesscheckbytyperesultlist */ NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeResultList( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus ); // // Signing // #define SIGNING_LEVEL_FILE_CACHE_FLAG_NOT_VALIDATED 0x01 #define SIGNING_LEVEL_FILE_CACHE_FLAG_VALIDATE_ONLY 0x04 #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtGetCachedSigningLevel routine retrieves the cached signing level of a file. * * \param File Handle to a file. * \param Flags Pointer to the flags set on the file. * \param SigningLevel Pointer to the signing level. * \param Thumbprint Pointer to the thumbprint. * \param ThumbprintSize Pointer to the thumbprint size. * \param ThumbprintAlgorithm Pointer to the thumbprint algorithm. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-getcachedsigninglevel */ NTSYSCALLAPI NTSTATUS NTAPI NtGetCachedSigningLevel( _In_ HANDLE File, _Out_ PULONG Flags, _Out_ PSE_SIGNING_LEVEL SigningLevel, _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, _Inout_opt_ PULONG ThumbprintSize, _Out_opt_ PULONG ThumbprintAlgorithm ); /** * The NtSetCachedSigningLevel routine sets the cached signing level of a file. * * \param Flags Pointer to the flags set on the file. * \param InputSigningLevel Pointer to the signing level. * \param SourceFiles Pointer to a set of source file handles. * \param SourceFileCount The source file count. * \param TargetFile The target file. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-setcachedsigninglevel */ NTSYSCALLAPI NTSTATUS NTAPI NtSetCachedSigningLevel( _In_ ULONG Flags, _In_ SE_SIGNING_LEVEL InputSigningLevel, _In_reads_(SourceFileCount) PHANDLE SourceFiles, _In_ ULONG SourceFileCount, _In_opt_ HANDLE TargetFile ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_8) // rev typedef struct _SE_FILE_CACHE_CLAIM_INFORMATION { ULONG Size; PVOID Claim; } SE_FILE_CACHE_CLAIM_INFORMATION, *PSE_FILE_CACHE_CLAIM_INFORMATION; // rev typedef struct _SE_SET_FILE_CACHE_INFORMATION { ULONG Size; UNICODE_STRING CatalogDirectoryPath; SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo; } SE_SET_FILE_CACHE_INFORMATION, *PSE_SET_FILE_CACHE_INFORMATION; #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS1) // rev NTSYSCALLAPI NTSTATUS NTAPI NtSetCachedSigningLevel2( _In_ ULONG Flags, _In_ SE_SIGNING_LEVEL InputSigningLevel, _In_reads_(SourceFileCount) PHANDLE SourceFiles, _In_ ULONG SourceFileCount, _In_opt_ HANDLE TargetFile, _In_opt_ SE_SET_FILE_CACHE_INFORMATION* CacheInformation ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS1) #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS2) // rev NTSYSCALLAPI NTSTATUS NTAPI NtCompareSigningLevels( _In_ SE_SIGNING_LEVEL FirstSigningLevel, _In_ SE_SIGNING_LEVEL SecondSigningLevel ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS2) // // Audit alarm // /** * The NtAccessCheckAndAuditAlarm routine determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. * If the security descriptor has a SACL with ACEs that apply to the client, the function generates any necessary audit messages in the security event log. * * \param SubsystemName A pointer to a null-terminated string specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param ObjectTypeName A pointer to a null-terminated string specifying the type of object being created or accessed. * \param ObjectName A pointer to a null-terminated string specifying the name of the object being created or accessed. * \param SecurityDescriptor A pointer to the SECURITY_DESCRIPTOR structure against which access is checked. * \param DesiredAccess Access mask that specifies the access rights to check. This mask must have been mapped by the MapGenericMask function to contain no generic access rights. * \param GenericMapping A pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked. * \param ObjectCreation Specifies a flag that determines whether the calling application will create a new object when access is granted. * \param GrantedAccess A pointer to an access mask that receives the granted access rights. * \param AccessStatus A pointer to a variable that receives the results of the access check. * \param GenerateOnClose A pointer to a flag set by the audit-generation routine when the function returns. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-accesscheckandauditalarma */ NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckAndAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PCUNICODE_STRING ObjectTypeName, _In_ PCUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose ); /** * The NtAccessCheckByTypeAndAuditAlarm routine determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. * If the security descriptor has a SACL with ACEs that apply to the client, the function generates any necessary audit messages in the security event log. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param ObjectTypeName A pointer to a UNICODE_STRING specifying the type of object being created or accessed. * \param ObjectName A pointer to a UNICODE_STRING specifying the name of the object being created or accessed. * \param SecurityDescriptor A pointer to the SECURITY_DESCRIPTOR structure against which access is checked. * \param PrincipalSelfSid A pointer to a SID structure representing the principal self SID, or NULL. * \param DesiredAccess Access mask that specifies the access rights to check. This mask must have been mapped by the MapGenericMask function to contain no generic access rights. * \param AuditType Specifies the type of audit event to be generated. * \param Flags Audit event flags. * \param ObjectTypeList A pointer to an array of OBJECT_TYPE_LIST structures that specify the hierarchy of object types for the object being accessed. * \param ObjectTypeListLength The number of elements in the ObjectTypeList array. * \param GenericMapping A pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked. * \param ObjectCreation Specifies a flag that determines whether the calling application will create a new object when access is granted. * \param GrantedAccess A pointer to an access mask that receives the granted access rights. * \param AccessStatus A pointer to a variable that receives the results of the access check. * \param GenerateOnClose A pointer to a flag set by the audit-generation routine when the function returns. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-accesscheckbytypeandauditalarma */ NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PCUNICODE_STRING ObjectTypeName, _In_ PCUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose ); /** * The NtAccessCheckByTypeResultListAndAuditAlarm routine determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. * It also generates audit messages for each object type in the hierarchy, and returns the results for each object type in a list. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param ObjectTypeName A pointer to a UNICODE_STRING specifying the type of object being created or accessed. * \param ObjectName A pointer to a UNICODE_STRING specifying the name of the object being created or accessed. * \param SecurityDescriptor A pointer to the SECURITY_DESCRIPTOR structure against which access is checked. * \param PrincipalSelfSid A pointer to a SID structure representing the principal self SID, or NULL. * \param DesiredAccess Access mask that specifies the access rights to check. * \param AuditType Specifies the type of audit event to be generated. * \param Flags Audit event flags. * \param ObjectTypeList A pointer to an array of OBJECT_TYPE_LIST structures that specify the hierarchy of object types for the object being accessed. * \param ObjectTypeListLength The number of elements in the ObjectTypeList array. * \param GenericMapping A pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked. * \param ObjectCreation Specifies a flag that determines whether the calling application will create a new object when access is granted. * \param GrantedAccess A pointer to an array of access masks that receive the granted access rights for each object type. * \param AccessStatus A pointer to an array of NTSTATUS values that receive the results of the access check for each object type. * \param GenerateOnClose A pointer to a flag set by the audit-generation routine when the function returns. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-accesscheckbytyperesultlistandauditalarma */ NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PCUNICODE_STRING ObjectTypeName, _In_ PCUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose ); /** * The NtAccessCheckByTypeResultListAndAuditAlarmByHandle routine determines whether a security descriptor grants a specified set of access rights to the client represented by a specified access token. * It also generates audit messages for each object type in the hierarchy, and returns the results for each object type in a list. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param ClientToken Handle to the access token representing the client. * \param ObjectTypeName A pointer to a UNICODE_STRING specifying the type of object being created or accessed. * \param ObjectName A pointer to a UNICODE_STRING specifying the name of the object being created or accessed. * \param SecurityDescriptor A pointer to the SECURITY_DESCRIPTOR structure against which access is checked. * \param PrincipalSelfSid A pointer to a SID structure representing the principal self SID, or NULL. * \param DesiredAccess Access mask that specifies the access rights to check. * \param AuditType Specifies the type of audit event to be generated. * \param Flags Audit event flags. * \param ObjectTypeList A pointer to an array of OBJECT_TYPE_LIST structures that specify the hierarchy of object types for the object being accessed. * \param ObjectTypeListLength The number of elements in the ObjectTypeList array. * \param GenericMapping A pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked. * \param ObjectCreation Specifies a flag that determines whether the calling application will create a new object when access is granted. * \param GrantedAccess A pointer to an array of access masks that receive the granted access rights for each object type. * \param AccessStatus A pointer to an array of NTSTATUS values that receive the results of the access check for each object type. * \param GenerateOnClose A pointer to a flag set by the audit-generation routine when the function returns. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-accesscheckbytyperesultlistandauditalarmbyhandlea */ NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PCUNICODE_STRING ObjectTypeName, _In_ PCUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose ); /** * The NtOpenObjectAuditAlarm routine generates an audit message in the security event log when an object is opened. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param ObjectTypeName A pointer to a UNICODE_STRING specifying the type of object being opened. * \param ObjectName A pointer to a UNICODE_STRING specifying the name of the object being opened. * \param SecurityDescriptor A pointer to the SECURITY_DESCRIPTOR structure for the object. * \param ClientToken Handle to the access token representing the client. * \param DesiredAccess Access mask that specifies the access rights requested. * \param GrantedAccess Access mask that specifies the access rights granted. * \param Privileges A pointer to a PRIVILEGE_SET structure that specifies the privileges used to gain access, or NULL. * \param ObjectCreation Specifies a flag that determines whether the object is being created. * \param AccessGranted Specifies a flag that determines whether access was granted. * \param GenerateOnClose A pointer to a flag set by the audit-generation routine when the function returns. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenObjectAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PCUNICODE_STRING ObjectTypeName, _In_ PCUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose ); /** * The NtPrivilegeObjectAuditAlarm routine generates an audit message in the security event log when a privilege is used to access an object. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param ClientToken Handle to the access token representing the client. * \param DesiredAccess Access mask that specifies the access rights requested. * \param Privileges A pointer to a PRIVILEGE_SET structure that specifies the privileges used to gain access. * \param AccessGranted Specifies a flag that determines whether access was granted. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted ); /** * The NtCloseObjectAuditAlarm routine generates an audit message in the security event log when an object handle is closed. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param GenerateOnClose Specifies a flag that determines whether to generate an audit on close. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtCloseObjectAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose ); /** * The NtDeleteObjectAuditAlarm routine generates an audit message in the security event log when an object is deleted. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param HandleId A pointer to a unique value representing the client's handle to the object. * \param GenerateOnClose Specifies a flag that determines whether to generate an audit on close. * \return NTSTATUS Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtDeleteObjectAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose ); /** * The NtPrivilegedServiceAuditAlarm routine generates an audit message in the security event log when a privileged service is accessed. * * \param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function. * \param ServiceName A pointer to a UNICODE_STRING specifying the name of the service being accessed. * \param ClientToken Handle to the access token representing the client. * \param Privileges A pointer to a PRIVILEGE_SET structure that specifies the privileges used to access the service. * \param AccessGranted Specifies a flag that determines whether access was granted. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-privilegedserviceauditalarma */ NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm( _In_ PCUNICODE_STRING SubsystemName, _In_ PCUNICODE_STRING ServiceName, _In_ HANDLE ClientToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted ); // // KSecDD FS control definitions // #define KSEC_DEVICE_NAME L"\\Device\\KSecDD" #define IOCTL_KSEC_CONNECT_LSA CTL_CODE(FILE_DEVICE_KSEC, 0, METHOD_BUFFERED, FILE_WRITE_ACCESS ) #define IOCTL_KSEC_RNG CTL_CODE(FILE_DEVICE_KSEC, 1, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_RNG_REKEY CTL_CODE(FILE_DEVICE_KSEC, 2, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_ENCRYPT_MEMORY CTL_CODE(FILE_DEVICE_KSEC, 3, METHOD_OUT_DIRECT, FILE_ANY_ACCESS ) #define IOCTL_KSEC_DECRYPT_MEMORY CTL_CODE(FILE_DEVICE_KSEC, 4, METHOD_OUT_DIRECT, FILE_ANY_ACCESS ) #define IOCTL_KSEC_ENCRYPT_MEMORY_CROSS_PROC CTL_CODE(FILE_DEVICE_KSEC, 5, METHOD_OUT_DIRECT, FILE_ANY_ACCESS ) #define IOCTL_KSEC_DECRYPT_MEMORY_CROSS_PROC CTL_CODE(FILE_DEVICE_KSEC, 6, METHOD_OUT_DIRECT, FILE_ANY_ACCESS ) #define IOCTL_KSEC_ENCRYPT_MEMORY_SAME_LOGON CTL_CODE(FILE_DEVICE_KSEC, 7, METHOD_OUT_DIRECT, FILE_ANY_ACCESS ) #define IOCTL_KSEC_DECRYPT_MEMORY_SAME_LOGON CTL_CODE(FILE_DEVICE_KSEC, 8, METHOD_OUT_DIRECT, FILE_ANY_ACCESS ) #define IOCTL_KSEC_FIPS_GET_FUNCTION_TABLE CTL_CODE(FILE_DEVICE_KSEC, 9, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_ALLOC_POOL CTL_CODE(FILE_DEVICE_KSEC, 10, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_FREE_POOL CTL_CODE(FILE_DEVICE_KSEC, 11, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_COPY_POOL CTL_CODE(FILE_DEVICE_KSEC, 12, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_DUPLICATE_HANDLE CTL_CODE(FILE_DEVICE_KSEC, 13, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_REGISTER_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 14, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_CLIENT_CALLBACK CTL_CODE(FILE_DEVICE_KSEC, 15, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_GET_BCRYPT_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 16, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_GET_SSL_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 17, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_GET_DEVICECONTROL_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 18, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_ALLOC_VM CTL_CODE(FILE_DEVICE_KSEC, 19, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_FREE_VM CTL_CODE(FILE_DEVICE_KSEC, 20, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_COPY_VM CTL_CODE(FILE_DEVICE_KSEC, 21, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_CLIENT_FREE_VM CTL_CODE(FILE_DEVICE_KSEC, 22, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_INSERT_PROTECTED_PROCESS_ADDRESS CTL_CODE(FILE_DEVICE_KSEC, 23, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_REMOVE_PROTECTED_PROCESS_ADDRESS CTL_CODE(FILE_DEVICE_KSEC, 24, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_GET_BCRYPT_EXTENSION2 CTL_CODE(FILE_DEVICE_KSEC, 25, METHOD_BUFFERED, FILE_ANY_ACCESS ) #define IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS CTL_CODE(FILE_DEVICE_KSEC, 26, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) #define IOCTL_KSEC_IPC_SET_FUNCTION_RETURN CTL_CODE(FILE_DEVICE_KSEC, 27, METHOD_NEITHER, FILE_ANY_ACCESS) #endif // _NTSEAPI_H ================================================ FILE: phnt/include/ntsmss.h ================================================ [File too large to display: 4.5 KB] ================================================ FILE: phnt/include/ntstrsafe.h ================================================ [File too large to display: 402.2 KB] ================================================ FILE: phnt/include/ntsxs.h ================================================ [File too large to display: 22.3 KB] ================================================ FILE: phnt/include/nttmapi.h ================================================ [File too large to display: 8.6 KB] ================================================ FILE: phnt/include/nttp.h ================================================ /* * Thread Pool support functions * * This file is part of System Informer. */ #ifndef _NTTP_H #define _NTTP_H // Some types are already defined in winnt.h. typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC; // private typedef _Function_class_(TP_ALPC_CALLBACK) VOID NTAPI TP_ALPC_CALLBACK( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_opt_ PVOID Context, _In_ PTP_ALPC Alpc ); typedef TP_ALPC_CALLBACK *PTP_ALPC_CALLBACK; // rev typedef _Function_class_(TP_ALPC_CALLBACK_EX) VOID NTAPI TP_ALPC_CALLBACK_EX( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_opt_ PVOID Context, _In_ PTP_ALPC Alpc, _In_ PVOID ApcContext ); typedef TP_ALPC_CALLBACK_EX *PTP_ALPC_CALLBACK_EX; // winbase:CreateThreadpool /** * Allocates a new pool of threads to execute callbacks. * * \param[out] PoolReturn Pointer to a variable that receives the address of the newly allocated thread pool. * \param[in] Reserved Reserved for future use. Must be NULL. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpool */ NTSYSAPI NTSTATUS NTAPI TpAllocPool( _Out_ PTP_POOL *PoolReturn, _Reserved_ PVOID Reserved ); // winbase:CloseThreadpool /** * Closes the specified thread pool. * * \param[in,out] Pool A pointer to a TP_POOL structure that defines the thread pool. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-closethreadpool */ NTSYSAPI VOID NTAPI TpReleasePool( _Inout_ PTP_POOL Pool ); // winbase:SetThreadpoolThreadMaximum /** * Sets the maximum number of threads that the specified thread pool can allocate to process callbacks. * * \param[in,out] Pool A pointer to a TP_POOL structure that defines the thread pool. * \param[in] MaxThreads The maximum number of threads. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-setthreadpoolthreadmaximum */ NTSYSAPI VOID NTAPI TpSetPoolMaxThreads( _Inout_ PTP_POOL Pool, _In_ ULONG MaxThreads ); // winbase:SetThreadpoolThreadMinimum /** * Sets the minimum number of threads that the specified thread pool must make available to process callbacks. * * \param[in,out] Pool A pointer to a TP_POOL structure that defines the thread pool. * \param[in] MinThreads The minimum number of threads. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-setthreadpoolthreadminimum */ NTSYSAPI NTSTATUS NTAPI TpSetPoolMinThreads( _Inout_ PTP_POOL Pool, _In_ ULONG MinThreads ); // winbase:QueryThreadpoolStackInformation /** * Retrieves the stack reserve and commit sizes for threads in the specified thread pool. * * \param[in] Pool A pointer to a TP_POOL structure that defines the thread pool. * \param[out] PoolStackInformation A pointer to a TP_POOL_STACK_INFORMATION structure that receives the stack reserve and commit size. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-querythreadpoolstackinformation */ NTSYSAPI NTSTATUS NTAPI TpQueryPoolStackInformation( _In_ PTP_POOL Pool, _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation ); // winbase:SetThreadpoolStackInformation NTSYSAPI NTSTATUS NTAPI TpSetPoolStackInformation( _Inout_ PTP_POOL Pool, _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation ); // rev NTSYSAPI NTSTATUS NTAPI TpSetPoolThreadBasePriority( _Inout_ PTP_POOL Pool, _In_ ULONG BasePriority ); // winbase:CreateThreadpoolCleanupGroup /** * Creates a cleanup group that applications can use to track one or more thread pool callbacks. * * \param[out] CleanupGroup A pointer to a TP_CLEANUP_GROUP structure of the newly allocated cleanup group. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-createthreadpoolcleanupgroup */ NTSYSAPI NTSTATUS NTAPI TpAllocCleanupGroup( _Out_ PTP_CLEANUP_GROUP *CleanupGroup ); // winbase:CloseThreadpoolCleanupGroup NTSYSAPI VOID NTAPI TpReleaseCleanupGroup( _Inout_ PTP_CLEANUP_GROUP CleanupGroup ); // winbase:CloseThreadpoolCleanupGroupMembers NTSYSAPI VOID NTAPI TpReleaseCleanupGroupMembers( _Inout_ PTP_CLEANUP_GROUP CleanupGroup, _In_ LOGICAL CancelPendingCallbacks, _Inout_opt_ PVOID CleanupParameter ); // winbase:SetEventWhenCallbackReturns NTSYSAPI VOID NTAPI TpCallbackSetEventOnCompletion( _Inout_ PTP_CALLBACK_INSTANCE Instance, _In_ HANDLE Event ); // winbase:ReleaseSemaphoreWhenCallbackReturns NTSYSAPI VOID NTAPI TpCallbackReleaseSemaphoreOnCompletion( _Inout_ PTP_CALLBACK_INSTANCE Instance, _In_ HANDLE Semaphore, _In_ ULONG ReleaseCount ); // winbase:ReleaseMutexWhenCallbackReturns NTSYSAPI VOID NTAPI TpCallbackReleaseMutexOnCompletion( _Inout_ PTP_CALLBACK_INSTANCE Instance, _In_ HANDLE Mutex ); // winbase:LeaveCriticalSectionWhenCallbackReturns NTSYSAPI VOID NTAPI TpCallbackLeaveCriticalSectionOnCompletion( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_ PRTL_CRITICAL_SECTION CriticalSection ); // winbase:FreeLibraryWhenCallbackReturns NTSYSAPI VOID NTAPI TpCallbackUnloadDllOnCompletion( _Inout_ PTP_CALLBACK_INSTANCE Instance, _In_ PVOID DllHandle ); // winbase:CallbackMayRunLong /** * Indicates that the callback may not return quickly. * * \param[in,out] Instance A pointer to a TP_CALLBACK_INSTANCE structure that defines the callback instance. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-callbackmayrunlong */ NTSYSAPI NTSTATUS NTAPI TpCallbackMayRunLong( _Inout_ PTP_CALLBACK_INSTANCE Instance ); // winbase:DisassociateCurrentThreadFromCallback NTSYSAPI VOID NTAPI TpDisassociateCallback( _Inout_ PTP_CALLBACK_INSTANCE Instance ); typedef _Function_class_(TP_CALLBACK_ROUTINE) VOID NTAPI TP_CALLBACK_ROUTINE( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_opt_ PVOID Context ); typedef TP_CALLBACK_ROUTINE* PTP_CALLBACK_ROUTINE; // winbase:TrySubmitThreadpoolCallback /** * Requests that a thread pool worker thread call the specified callback function. * * \param[in] Callback The callback function. * \param[in,out] Context Optional application-defined data to pass to the callback function. * \param[in] CallbackEnviron A pointer to a TP_CALLBACK_ENVIRON structure that defines the environment in which to execute the callback function. * \return NTSTATUS Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/api/threadpoolapiset/nf-threadpoolapiset-trysubmitthreadpoolcallback */ NTSYSAPI NTSTATUS NTAPI TpSimpleTryPost( _In_ PTP_CALLBACK_ROUTINE Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron ); // winbase:CreateThreadpoolWork NTSYSAPI NTSTATUS NTAPI TpAllocWork( _Out_ PTP_WORK *WorkReturn, _In_ PTP_WORK_CALLBACK Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron ); // winbase:CloseThreadpoolWork NTSYSAPI VOID NTAPI TpReleaseWork( _Inout_ PTP_WORK Work ); // winbase:SubmitThreadpoolWork NTSYSAPI VOID NTAPI TpPostWork( _Inout_ PTP_WORK Work ); // winbase:WaitForThreadpoolWorkCallbacks NTSYSAPI VOID NTAPI TpWaitForWork( _Inout_ PTP_WORK Work, _In_ LOGICAL CancelPendingCallbacks ); // winbase:CreateThreadpoolTimer NTSYSAPI NTSTATUS NTAPI TpAllocTimer( _Out_ PTP_TIMER *Timer, _In_ PTP_TIMER_CALLBACK Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron ); // winbase:CloseThreadpoolTimer NTSYSAPI VOID NTAPI TpReleaseTimer( _Inout_ PTP_TIMER Timer ); // winbase:SetThreadpoolTimer NTSYSAPI VOID NTAPI TpSetTimer( _Inout_ PTP_TIMER Timer, _In_opt_ PLARGE_INTEGER DueTime, _In_ ULONG Period, _In_opt_ ULONG WindowLength ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) // winbase:SetThreadpoolTimerEx NTSYSAPI NTSTATUS NTAPI TpSetTimerEx( _Inout_ PTP_TIMER Timer, _In_opt_ PLARGE_INTEGER DueTime, _In_ ULONG Period, _In_opt_ ULONG WindowLength ); #endif // winbase:IsThreadpoolTimerSet NTSYSAPI LOGICAL NTAPI TpIsTimerSet( _In_ PTP_TIMER Timer ); // winbase:WaitForThreadpoolTimerCallbacks NTSYSAPI VOID NTAPI TpWaitForTimer( _Inout_ PTP_TIMER Timer, _In_ LOGICAL CancelPendingCallbacks ); // winbase:CreateThreadpoolWait NTSYSAPI NTSTATUS NTAPI TpAllocWait( _Out_ PTP_WAIT *WaitReturn, _In_ PTP_WAIT_CALLBACK Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron ); // winbase:CloseThreadpoolWait NTSYSAPI VOID NTAPI TpReleaseWait( _Inout_ PTP_WAIT Wait ); // winbase:SetThreadpoolWait NTSYSAPI VOID NTAPI TpSetWait( _Inout_ PTP_WAIT Wait, _In_opt_ HANDLE Handle, _In_opt_ PLARGE_INTEGER Timeout ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) // winbase:SetThreadpoolWaitEx NTSYSAPI NTSTATUS NTAPI TpSetWaitEx( _Inout_ PTP_WAIT Wait, _In_opt_ HANDLE Handle, _In_opt_ PLARGE_INTEGER Timeout, _In_opt_ PVOID Reserved ); #endif // winbase:WaitForThreadpoolWaitCallbacks NTSYSAPI VOID NTAPI TpWaitForWait( _Inout_ PTP_WAIT Wait, _In_ LOGICAL CancelPendingCallbacks ); // private typedef _Function_class_(TP_IO_CALLBACK) VOID NTAPI TP_IO_CALLBACK( _Inout_ PTP_CALLBACK_INSTANCE Instance, _Inout_opt_ PVOID Context, _In_ PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoSB, _In_ PTP_IO Io ); typedef TP_IO_CALLBACK *PTP_IO_CALLBACK; // winbase:CreateThreadpoolIo NTSYSAPI NTSTATUS NTAPI TpAllocIoCompletion( _Out_ PTP_IO *IoReturn, _In_ HANDLE File, _In_ PTP_IO_CALLBACK Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron ); // winbase:CloseThreadpoolIo NTSYSAPI VOID NTAPI TpReleaseIoCompletion( _Inout_ PTP_IO Io ); // winbase:StartThreadpoolIo NTSYSAPI VOID NTAPI TpStartAsyncIoOperation( _Inout_ PTP_IO Io ); // winbase:CancelThreadpoolIo NTSYSAPI VOID NTAPI TpCancelAsyncIoOperation( _Inout_ PTP_IO Io ); // winbase:WaitForThreadpoolIoCallbacks NTSYSAPI VOID NTAPI TpWaitForIoCompletion( _Inout_ PTP_IO Io, _In_ LOGICAL CancelPendingCallbacks ); // private NTSYSAPI NTSTATUS NTAPI TpAllocAlpcCompletion( _Out_ PTP_ALPC *AlpcReturn, _In_ HANDLE AlpcPort, _In_ PTP_ALPC_CALLBACK Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron ); // rev NTSYSAPI NTSTATUS NTAPI TpAllocAlpcCompletionEx( _Out_ PTP_ALPC *AlpcReturn, _In_ HANDLE AlpcPort, _In_ PTP_ALPC_CALLBACK_EX Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron ); // private NTSYSAPI VOID NTAPI TpReleaseAlpcCompletion( _Inout_ PTP_ALPC Alpc ); // private NTSYSAPI VOID NTAPI TpWaitForAlpcCompletion( _Inout_ PTP_ALPC Alpc ); // rev NTSYSAPI VOID NTAPI TpAlpcRegisterCompletionList( _Inout_ PTP_ALPC Alpc ); // rev NTSYSAPI VOID NTAPI TpAlpcUnregisterCompletionList( _Inout_ PTP_ALPC Alpc ); // private typedef enum _TP_TRACE_TYPE { TpTraceThreadPriority = 1, TpTraceThreadAffinity, MaxTpTraceType } TP_TRACE_TYPE; // private NTSYSAPI VOID NTAPI TpCaptureCaller( _In_ TP_TRACE_TYPE Type ); // private NTSYSAPI VOID NTAPI TpCheckTerminateWorker( _In_ HANDLE Thread ); #endif // _NTTP_H ================================================ FILE: phnt/include/ntuser.h ================================================ /* * Win32k NT User definitions. * * This file is part of System Informer. */ #ifndef _NTUSER_H #define _NTUSER_H typedef enum _USERTHREADINFOCLASS USERTHREADINFOCLASS; NTSYSCALLAPI NTSTATUS NTAPI NtUserAttachThreadInput( _In_ ULONG IdAttach, _In_ ULONG IdAttachTo, _In_ BOOL Attach ); NTSYSCALLAPI HDC NTAPI NtUserBeginPaint( _In_ HWND WindowHandle, _Inout_ LPPAINTSTRUCT lpPaint ); NTSYSCALLAPI BOOL NTAPI NtUserBlockInput( _In_ BOOL BlockInput ); #define FW_BOTH 0 #define FW_16BIT 1 #define FW_32BIT 2 NTSYSCALLAPI HWND NTAPI NtUserFindWindowEx( _In_opt_ HWND hwndParent, _In_opt_ HWND hwndChild, _In_ PCUNICODE_STRING ClassName, _In_ PCUNICODE_STRING WindowName, _In_ ULONG Type // FW_* ); NTSYSCALLAPI NTSTATUS NTAPI NtUserBuildHwndList( _In_opt_ HANDLE DesktopHandle, _In_opt_ HWND ParentWindowHandle, _In_opt_ BOOL IncludeChildren, _In_opt_ BOOL ExcludeImmersive, _In_opt_ ULONG ThreadId, _In_ ULONG HwndListInformationLength, _Out_writes_bytes_(HwndListInformationLength) PVOID HwndListInformation, _Out_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtUserBuildNameList( _In_ HWINSTA WindowStationHandle, // GetProcessWindowStation _In_ ULONG NameListInformationLength, _Out_writes_bytes_(NameListInformationLength) PVOID NameListInformation, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtUserBuildPropList( _In_ HWINSTA WindowStationHandle, _In_ ULONG PropListInformationLength, _Out_writes_bytes_(PropListInformationLength) PVOID PropListInformation, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI BOOL NTAPI NtUserCanCurrentThreadChangeForeground( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserCalculatePopupWindowPosition( _In_ const POINT* anchorPoint, _In_ const SIZE* windowSize, _In_ ULONG flags, _Inout_ RECT* excludeRect, _Inout_ RECT* popupWindowPosition ); NTSYSCALLAPI NTSTATUS NTAPI NtUserCheckAccessForIntegrityLevel( _In_ ULONG ProcessIdFirst, _In_ ULONG ProcessIdSecond, _Out_ PBOOLEAN GrantedAccess ); NTSYSCALLAPI NTSTATUS NTAPI NtUserCheckProcessForClipboardAccess( _In_ ULONG ProcessId, _Out_ PULONG GrantedAccess ); NTSYSCALLAPI BOOL NTAPI NtUserCloseWindowStation( _In_ HWINSTA WindowStationHandle ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) /** * The NtUserDisableProcessWindowFiltering routine disables window filtering * so you can enumerate immersive windows from the desktop. * * \return Successful or errant status. * \sa https://learn.microsoft.com/en-us/windows/win32/sbscs/application-manifests#disableWindowFiltering */ NTSYSCALLAPI BOOL NTAPI NtUserDisableProcessWindowFiltering( VOID ); #endif NTSYSCALLAPI HANDLE NTAPI NtUserGetProp( _In_ HWND WindowHandle, _In_ PCWSTR String ); NTSYSCALLAPI HANDLE NTAPI NtUserGetProp2( _In_ HWND WindowHandle, _In_ PCUNICODE_STRING String ); NTSYSCALLAPI NTSTATUS NTAPI NtUserCreateWindowStation( _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE KeyboardLayoutHandle, _In_opt_ PVOID KeyboardLayoutOffset, _In_opt_ PVOID NlsTableOffset, _In_opt_ PVOID KeyboardDescriptor, _In_opt_ PCUNICODE_STRING LanguageIdString, _In_opt_ ULONG KeyboardLocale ); typedef enum _CONSOLECONTROL { ConsoleSetVDMCursorBounds = 0, // RECT ConsoleNotifyConsoleApplication = 1, // CONSOLE_PROCESS_INFO ConsoleFullscreenSwitch = 2, ConsoleSetCaretInfo = 3, // CONSOLE_CARET_INFO ConsoleSetReserveKeys = 4, ConsoleSetForeground = 5, // CONSOLESETFOREGROUND ConsoleSetWindowOwner = 6, // CONSOLEWINDOWOWNER ConsoleEndTask = 7, // CONSOLEENDTASK } CONSOLECONTROL; #define CPI_NEWPROCESSWINDOW 0x0001 typedef struct _CONSOLE_PROCESS_INFO { ULONG ProcessID; ULONG Flags; } CONSOLE_PROCESS_INFO, *PCONSOLE_PROCESS_INFO; typedef struct _CONSOLE_CARET_INFO { HWND WindowHandle; RECT Rect; } CONSOLE_CARET_INFO, *PCONSOLE_CARET_INFO; typedef struct _CONSOLESETFOREGROUND { HANDLE ProcessHandle; BOOL Foreground; } CONSOLESETFOREGROUND, *PCONSOLESETFOREGROUND; typedef struct _CONSOLEWINDOWOWNER { HWND WindowHandle; ULONG ProcessId; ULONG ThreadId; } CONSOLEWINDOWOWNER, *PCONSOLEWINDOWOWNER; typedef struct _CONSOLEENDTASK { HANDLE ProcessId; HWND WindowHandle; ULONG ConsoleEventCode; ULONG ConsoleFlags; } CONSOLEENDTASK, *PCONSOLEENDTASK; /** * Performs special kernel operations for console host applications. (win32u.dll) * * This includes reparenting the console window, allowing the console to pass foreground rights * on to launched console subsystem applications and terminating attached processes. * * \param Command One of the CONSOLECONTROL values indicating which console control function should be executed. * \param ConsoleInformation A pointer to one of the structures specifying additional data for the requested console control function. * \param ConsoleInformationLength The size of the structure pointed to by the ConsoleInformation parameter. * \return Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtUserConsoleControl( _In_ CONSOLECONTROL Command, _In_reads_bytes_(ConsoleInformationLength) PVOID ConsoleInformation, _In_ ULONG ConsoleInformationLength ); /** * Performs special kernel operations for console host applications. (user32.dll) * * This includes reparenting the console window, allowing the console to pass foreground rights * on to launched console subsystem applications and terminating attached processes. * * \param Command One of the CONSOLECONTROL values indicating which console control function should be executed. * \param ConsoleInformation A pointer to one of the structures specifying additional data for the requested console control function. * \param ConsoleInformationLength The size of the structure pointed to by the ConsoleInformation parameter. * \return Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI ConsoleControl( _In_ CONSOLECONTROL Command, _In_reads_bytes_(ConsoleInformationLength) PVOID ConsoleInformation, _In_ ULONG ConsoleInformationLength ); /** * The NtUserGetClassName routine retrieves a string that specifies the window type. * * \param WindowHandle A handle to the window and, indirectly, the class to which the window belongs. * \param RealClassName Return the superclass or baseclass name when the window is a superclass. * \param ClassName A pointer to a string that receives the window type. * \return A handle to the foreground window, or NULL if no foreground window exists. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-realgetwindowclassw */ NTSYSCALLAPI ULONG NTAPI NtUserGetClassName( _In_ HWND WindowHandle, _In_ BOOL RealClassName, _Out_ PUNICODE_STRING ClassName ); /** * The NtUserGetForegroundWindow routine retrieves a handle to the foreground window. * * \return A handle to the foreground window, or NULL if no foreground window exists. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow */ NTSYSCALLAPI HWND NTAPI NtUserGetForegroundWindow( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserGetIconInfo( _In_ HICON IconOrCursorHandle, _Out_ PICONINFO Iconinfo, _Inout_opt_ PUNICODE_STRING Name, _Inout_opt_ PUNICODE_STRING ResourceId, _Out_opt_ PULONG ColorBits, _In_ LOGICAL IsCursorHandle ); NTSYSCALLAPI BOOL NTAPI NtUserGetIconSize( _In_ HGDIOBJ IconOrCursorHandle, _In_ LOGICAL IsCursorHandle, _Out_ PULONG XX, _Out_ PULONG YY ); /** * The NtUserGetProcessWindowStation routine retrieves the window station handle associated with the current process. * * \return A handle to the window station, or NULL if the operation fails. * \sa https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getprocesswindowstation */ NTSYSCALLAPI HWINSTA NTAPI NtUserGetProcessWindowStation( VOID ); typedef enum _PROCESS_UICONTEXT { PROCESS_UICONTEXT_DESKTOP, PROCESS_UICONTEXT_IMMERSIVE, PROCESS_UICONTEXT_IMMERSIVE_BROKER, PROCESS_UICONTEXT_IMMERSIVE_BROWSER } PROCESS_UICONTEXT; typedef enum _PROCESS_UI_FLAGS { PROCESS_UIF_NONE, PROCESS_UIF_AUTHORING_MODE, PROCESS_UIF_RESTRICTIONS_DISABLED } PROCESS_UI_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(PROCESS_UI_FLAGS); typedef struct _PROCESS_UICONTEXT_INFORMATION { PROCESS_UICONTEXT ProcessUIContext; PROCESS_UI_FLAGS Flags; } PROCESS_UICONTEXT_INFORMATION, *PPROCESS_UICONTEXT_INFORMATION; NTSYSCALLAPI NTSTATUS NTAPI NtUserGetProcessUIContextInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_UICONTEXT_INFORMATION UIContext ); NTSYSCALLAPI BOOL NTAPI GetProcessUIContextInformation( _In_ HANDLE ProcessHandle, _Out_ PPROCESS_UICONTEXT_INFORMATION UIContext ); NTSYSCALLAPI ULONG_PTR NTAPI NtUserGetThreadState( _In_ ULONG UserThreadState ); NTSYSCALLAPI HWND NTAPI NtUserGhostWindowFromHungWindow( _In_ HWND WindowHandle ); NTSYSAPI HWND NTAPI GhostWindowFromHungWindow( _In_ HWND WindowHandle ); NTSYSCALLAPI HWND NTAPI NtUserHungWindowFromGhostWindow( _In_ HWND WindowHandle ); NTSYSAPI HWND NTAPI HungWindowFromGhostWindow( _In_ HWND WindowHandle ); NTSYSCALLAPI ULONG NTAPI NtUserInternalGetWindowText( _In_ HWND WindowHandle, _Out_writes_to_(cchMaxCount, return + 1) LPWSTR pString, _In_ ULONG cchMaxCount ); NTSYSCALLAPI HICON NTAPI NtUserInternalGetWindowIcon( _In_ HWND WindowHandle, _In_ ULONG IconType ); NTSYSCALLAPI HANDLE NTAPI NtUserOpenDesktop( _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG Flags, _In_ ACCESS_MASK DesiredAccess ); /** * Opens the specified window station. * * \param ObjectAttributes The name of the window station to be opened. Window station names are case-insensitive. This window station must belong to the current session. * \param DesiredAccess The access to the window station. * \return Successful or errant status. */ NTSYSCALLAPI HWINSTA NTAPI NtUserOpenWindowStation( _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ACCESS_MASK DesiredAccess ); typedef enum _WINDOWINFOCLASS { WindowProcess = 0, // q: ULONG (Process ID) WindowRealProcess = 1, // q: ULONG (Process ID) WindowThread = 2, // q: ULONG (Thread ID) WindowActiveWindow = 3, // q: HWND WindowFocusWindow = 4, // q: HWND WindowIsHung = 5, // q: BOOLEAN WindowClientBase = 6, // q: PVOID WindowIsForegroundThread = 7, // q: BOOLEAN WindowDefaultImeWindow = 8, // q: HWND WindowDefaultInputContext = 9, // q: HIMC } WINDOWINFOCLASS, *PWINDOWINFOCLASS; NTSYSCALLAPI ULONG_PTR NTAPI NtUserQueryWindow( _In_ HWND WindowHandle, _In_ WINDOWINFOCLASS WindowInfo ); NTSYSCALLAPI HWND NTAPI NtUserSetActiveWindow( _In_ HWND WindowHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtUserSetChildWindowNoActivate( _In_ HWND WindowHandle ); NTSYSCALLAPI HWND NTAPI NtUserSetFocus( _In_ HWND WindowHandle ); // User32 ordinal 2005 NTSYSAPI BOOL NTAPI SetChildWindowNoActivate( _In_ HWND WindowHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtUserSetInformationThread( _In_ HANDLE ThreadHandle, _In_ USERTHREADINFOCLASS ThreadInformationClass, _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength ); NTSYSCALLAPI BOOL NTAPI NtUserSetProcessWindowStation( _In_ HWINSTA WindowStationHandle ); // rev // Valid bit masks enforced by NtUserSetProcessWin32Capabilities #define PROC_CAP_FLAGS1_VALID_MASK 0x00000007u // bits 0-2 #define PROC_CAP_FLAGS2_VALID_MASK 0x00000007u // bits 0-2 #define PROC_CAP_ENABLE_VALID_MASK 0x00000001u // bit 0 #define PROC_CAP_DISABLE_VALID_MASK 0x00000001u // bit 0 #define PROC_CAP_FLAGS1_BIT0 0x00000001u #define PROC_CAP_FLAGS1_BIT1 0x00000002u #define PROC_CAP_FLAGS1_BIT2 0x00000004u #define PROC_CAP_FLAGS2_BIT0 0x00000001u #define PROC_CAP_FLAGS2_BIT1 0x00000002u #define PROC_CAP_FLAGS2_BIT2 0x00000004u #define PROC_CAP_ENABLE_BIT0 0x00000001u #define PROC_CAP_DISABLE_BIT0 0x00000001u #define PROC_CAP_FLAGS1_INVALID(x) (((x) & ~PROC_CAP_FLAGS1_VALID_MASK) != 0) #define PROC_CAP_FLAGS2_INVALID(x) (((x) & ~PROC_CAP_FLAGS2_VALID_MASK) != 0) #define PROC_CAP_ENABLE_INVALID(x) (((x) & ~PROC_CAP_ENABLE_VALID_MASK) != 0) #define PROC_CAP_DISABLE_INVALID(x) (((x) & ~PROC_CAP_DISABLE_VALID_MASK) != 0) // rev typedef struct _USER_PROCESS_CAP_ENTRY { HANDLE ProcessHandle; ULONG Flags1; ULONG Flags2; ULONG EnableMask; ULONG DisableMask; } USER_PROCESS_CAP_ENTRY, *PUSER_PROCESS_CAP_ENTRY; // rev typedef struct _USER_PROCESS_CAP_INTERNAL { PVOID ProcessObject; ULONG SessionId; ULONG Reserved; ULONGLONG FlagsPacked; ULONGLONG CapabilityPacked; } USER_PROCESS_CAP_INTERNAL, *PUSER_PROCESS_CAP_INTERNAL; // rev NTSYSCALLAPI NTSTATUS NTAPI NtUserSetProcessWin32Capabilities( _In_reads_(Count) const USER_PROCESS_CAP_ENTRY* Capabilities, _In_ ULONG Count ); // rev /** * The NtUserSetProcessRestrictionExemption routine marks the current process as exempt from certain win32k/user restrictions. * Note: This requires a developer mode/license check. * * \param Enable Indicates whether to enable or disable the exemption. * \return Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtUserSetProcessRestrictionExemption( _In_ BOOL EnableExemption ); // rev /** * The NtUserSetProcessUIAccessZorder routine tweaks window z-order behavior for UIAccess scenarios. * Note: Set only when the process is not elevated. * * \return Successful or errant status. */ NTSYSCALLAPI NTSTATUS NTAPI NtUserSetProcessUIAccessZorder( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserSetWindowPlacement( _In_ HWND WindowHandle, _Inout_ const WINDOWPLACEMENT* lpwndpl ); NTSYSCALLAPI BOOL NTAPI NtUserSetWindowStationUser( _In_ HWINSTA WindowStationHandle, _In_ PLUID UserLogonId, _In_ PSID UserSid, _In_ ULONG UserSidLength ); NTSYSAPI BOOL NTAPI SetWindowStationUser( _In_ HWINSTA WindowStationHandle, _In_ PLUID UserLogonId, _In_ PSID UserSid, _In_ ULONG UserSidLength ); NTSYSCALLAPI NTSTATUS NTAPI NtUserTestForInteractiveUser( _In_ PLUID AuthenticationId ); NTSYSCALLAPI BOOL NTAPI NtUserSwitchDesktop( _In_ HDESK DesktopHandle, _In_opt_ ULONG Flags, _In_opt_ ULONG FadeTime ); NTSYSCALLAPI BOOL NTAPI NtUserSetThreadDesktop( _In_ HDESK DesktopHandle ); NTSYSAPI HWND NTAPI ChildWindowFromPoint( _In_ HWND WindowHandle, _In_ POINT pt ); NTSYSCALLAPI HWND NTAPI NtUserChildWindowFromPointEx( _In_ HWND WindowHandle, _In_ POINT pt, _In_ ULONG flags ); NTSYSCALLAPI BOOL NTAPI NtUserClipCursor( _In_ const RECT* lpRect ); NTSYSCALLAPI BOOL NTAPI NtUserCloseDesktop( _In_ HDESK DesktopHandle ); NTSYSCALLAPI LONG NTAPI NtUserCopyAcceleratorTable( _In_ HACCEL hAccelSrc, _In_ LPACCEL lpAccelDst, _In_ LONG cAccelEntries ); NTSYSCALLAPI HACCEL NTAPI NtUserCreateAcceleratorTable( _In_ LPACCEL paccel, _In_ LONG cAccel ); NTSYSCALLAPI BOOL NTAPI NtUserDeleteMenu( _In_ HMENU MenuHandle, _In_ ULONG Position, _In_ ULONG Flags ); NTSYSCALLAPI BOOL NTAPI NtUserDestroyMenu( _In_ HMENU MenuHandle ); NTSYSCALLAPI BOOL NTAPI NtUserDestroyWindow( _In_ HWND WindowHandle ); NTSYSCALLAPI BOOL NTAPI NtUserDragDetect( _In_ HWND WindowHandle, _In_ POINT pt ); NTSYSCALLAPI ULONG NTAPI NtUserDragObject( _In_ HWND WindowHandleParent, _In_ HWND WindowHandleFrom, _In_ ULONG fmt, _In_ ULONG_PTR data, _In_ HCURSOR hcur ); NTSYSCALLAPI BOOL NTAPI NtUserDrawAnimatedRects( _In_ HWND WindowHandle, _In_ int idAni, _In_ const RECT* lprcFrom, _In_ const RECT* lprcTo ); NTSYSCALLAPI BOOL NTAPI NtUserEndMenu( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserEndPaint( _In_ HWND WindowHandle, _Inout_ const PAINTSTRUCT* lpPaint ); NTSYSCALLAPI BOOL NTAPI NtUserEnumDisplayMonitors( _In_ HDC hdc, _In_ LPCRECT lprcClip, _In_ MONITORENUMPROC lpfnEnum, _In_ LPARAM dwData ); NTSYSCALLAPI HRGN NTAPI NtUserExcludeUpdateRgn( _In_ HDC hDC, _In_ HWND WindowHandle ); NTSYSCALLAPI BOOL NTAPI NtUserFlashWindowEx( _In_ PFLASHWINFO pfwi ); NTSYSCALLAPI HWND NTAPI NtUserGetAncestor( _In_ HWND WindowHandle, _In_ ULONG gaFlags ); NTSYSCALLAPI ULONG NTAPI NtUserGetCaretBlinkTime( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserGetCaretPos( _In_ LPPOINT lpPoint ); NTSYSCALLAPI BOOL NTAPI NtUserGetClipCursor( _In_ LPRECT lpRect ); NTSYSCALLAPI BOOL NTAPI NtUserGetComboBoxInfo( _In_ HWND WindowHandleCombo, _Inout_ PCOMBOBOXINFO pcbi ); NTSYSCALLAPI BOOL NTAPI NtUserGetCurrentInputMessageSource( _Inout_ INPUT_MESSAGE_SOURCE* InputMessageSource ); NTSYSCALLAPI HCURSOR NTAPI NtUserGetCursor( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserGetCursorInfo( _In_ PCURSORINFO pci ); NTSYSCALLAPI HDC NTAPI NtUserGetDCEx( _In_ HWND WindowHandle, _In_ HRGN hrgnClip, _In_ ULONG flags ); NTSYSCALLAPI BOOL NTAPI NtUserGetDisplayAutoRotationPreferences( _In_ ORIENTATION_PREFERENCE* pOrientation ); NTSYSCALLAPI ULONG NTAPI NtUserGetDoubleClickTime( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserGetGUIThreadInfo( _In_ ULONG idThread, _In_ PGUITHREADINFO pgui ); #ifndef GR_GDIOBJECTS #define GR_GDIOBJECTS 0 #endif #ifndef GR_USEROBJECTS #define GR_USEROBJECTS 1 #endif #ifndef GR_GDIOBJECTS_PEAK #define GR_GDIOBJECTS_PEAK 2 #endif #ifndef GR_USEROBJECTS_PEAK #define GR_USEROBJECTS_PEAK 4 #endif NTSYSCALLAPI ULONG NTAPI NtUserGetGuiResources( _In_ HANDLE ProcessHandle, _In_ ULONG Flags ); NTSYSCALLAPI BOOL NTAPI NtUserGetLayeredWindowAttributes( _In_ HWND WindowHandle, _Out_opt_ COLORREF* Key, _Out_opt_ PBYTE Alpha, _Out_opt_ PULONG Flags ); NTSYSCALLAPI ULONG NTAPI NtUserGetListBoxInfo( _In_ HWND WindowHandle ); NTSYSCALLAPI BOOL NTAPI NtUserGetMenuBarInfo( _In_ HWND WindowHandle, _In_ LONG idObject, _In_ LONG idItem, _In_ PMENUBARINFO pmbi ); NTSYSCALLAPI BOOL NTAPI NtUserGetMenuItemRect( _In_ HWND WindowHandle, _In_ HMENU MenuHandle, _In_ ULONG MenuIndex, _In_ PRECT MenuRect ); NTSYSCALLAPI LONG NTAPI NtUserGetMouseMovePointsEx( _In_ ULONG MouseMovePointsSize, _In_ LPMOUSEMOVEPOINT InputBuffer, _Out_ LPMOUSEMOVEPOINT OutputBuffer, _In_ LONG OutputBufferCount, _In_ ULONG Resolution ); NTSYSCALLAPI ULONG NTAPI NtUserGetRawInputData( _In_ HRAWINPUT RawInputData, _In_ ULONG RawInputCommand, _Out_opt_ PVOID RawInputBuffer, _Inout_ PULONG RawInputBufferSize, _In_ ULONG RawInputHeaderSize ); NTSYSCALLAPI ULONG NTAPI NtUserGetRawInputDeviceList( _In_ PRAWINPUTDEVICELIST RawInputDeviceList, _Inout_ PULONG RawInputDeviceCount, _In_ ULONG RawInputDeviceSize ); NTSYSCALLAPI ULONG NTAPI NtUserGetRegisteredRawInputDevices( _Out_opt_ PRAWINPUTDEVICE RawInputDevices, _Inout_ PULONG RawInputDeviceCount, _In_ ULONG RawInputDeviceSize ); NTSYSAPI HWND NTAPI GetSendMessageReceiver( _In_ HANDLE ThreadId ); NTSYSCALLAPI HMENU NTAPI NtUserGetSystemMenu( _In_ HWND WindowHandle, _In_ BOOL Revert ); NTSYSCALLAPI HDESK NTAPI NtUserGetThreadDesktop( _In_ ULONG ThreadId ); NTSYSCALLAPI BOOL NTAPI NtUserGetTitleBarInfo( _In_ HWND WindowHandle, _In_ PTITLEBARINFO pti ); NTSYSCALLAPI BOOL NTAPI NtUserGetObjectInformation( _In_ HANDLE ObjectHandle, _In_ LONG Index, _In_ PVOID vInfo, _In_ ULONG Length, _In_ PULONG LengthNeeded ); NTSYSCALLAPI HDC NTAPI NtUserGetWindowDC( _In_ HWND WindowHandle ); NTSYSCALLAPI BOOL NTAPI NtUserGetWindowPlacement( _In_ HWND WindowHandle, _Inout_ PWINDOWPLACEMENT WindowPlacement ); NTSYSCALLAPI HANDLE NTAPI GetWindowProcessHandle( _In_ HWND WindowHandle, _In_ ACCESS_MASK DesiredAccess ); NTSYSCALLAPI HANDLE NTAPI NtUserGetWindowProcessHandle( _In_ HWND WindowHandle, _In_ ACCESS_MASK DesiredAccess ); NTSYSCALLAPI BOOL NTAPI NtUserHiliteMenuItem( _In_ HWND WindowHandle, _In_ HMENU MenuHandle, _In_ ULONG IDHiliteItem, _In_ ULONG Hilite ); NTSYSCALLAPI BOOL NTAPI NtUserInvalidateRect( _In_ HWND WindowHandle, _In_ const RECT* Rect, _In_ BOOL Erase ); NTSYSCALLAPI BOOL NTAPI NtUserInvalidateRgn( _In_ HWND WindowHandle, _In_ HRGN RgnHandle, _In_ BOOL Erase ); NTSYSCALLAPI BOOL NTAPI NtUserIsTouchWindow( _In_ HWND WindowHandle, _In_ PULONG Flags ); NTSYSCALLAPI BOOL NTAPI NtUserKillTimer( _In_ HWND WindowHandle, _In_ ULONG_PTR IDEvent ); NTSYSCALLAPI BOOL NTAPI NtUserLockWorkStation( VOID ); NTSYSCALLAPI BOOL NTAPI NtUserLogicalToPhysicalPoint( _In_ HWND WindowHandle, _In_ LPPOINT lpPoint ); NTSYSCALLAPI LONG NTAPI NtUserMenuItemFromPoint( _In_ HWND WindowHandle, _In_ HMENU MenuHandle, _In_ POINT ptScreen ); NTSYSCALLAPI BOOL NTAPI NtUserMoveWindow( _In_ HWND WindowHandle, _In_ LONG X, _In_ LONG Y, _In_ LONG Width, _In_ LONG Height, _In_ BOOL Repaint ); NTSYSCALLAPI HDESK NTAPI NtUserOpenInputDesktop( _In_ ULONG Flags, _In_ BOOL Inherit, _In_ ACCESS_MASK DesiredAccess ); NTSYSCALLAPI BOOL NTAPI NtUserPhysicalToLogicalPoint( _In_ HWND WindowHandle, _In_ LPPOINT Point ); NTSYSCALLAPI BOOL NTAPI NtUserPrintWindow( _In_ HWND WindowHandle, _In_ HDC Hdc, _In_ ULONG Flags ); NTSYSCALLAPI NTSTATUS NTAPI NtUserQueryInformationThread( _In_ HANDLE ThreadHandle, _In_ USERTHREADINFOCLASS ThreadInformationClass, _Out_writes_bytes_(*ReturnLength) PVOID ThreadInformation, _Out_opt_ PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtUserSetInformationThread( _In_ HANDLE ThreadHandle, _In_ USERTHREADINFOCLASS ThreadInformationClass, _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, _In_ ULONG ThreadInformationLength ); NTSYSAPI BOOL NTAPI NtUserQuerySendMessage( _Inout_ PMSG Message ); NTSYSCALLAPI NTSTATUS NTAPI NtUserRaiseLowerShellWindow( _In_ HWND WindowHandle, _In_ BOOLEAN SetWithOptions ); NTSYSCALLAPI BOOL NTAPI NtUserRedrawWindow( _In_ HWND WindowHandle, _In_ const PRECT lprcUpdate, _In_ HRGN hrgnUpdate, _In_ ULONG Flags ); NTSYSCALLAPI HWND NTAPI NtUserRealChildWindowFromPoint( _In_ HWND WindowHandleParent, _In_ POINT ptParentClientCoords ); NTSYSCALLAPI BOOL NTAPI NtUserRegisterHotKey( _In_ HWND WindowHandle, _In_ LONG Id, _In_ ULONG fsModifiers, _In_ ULONG vk ); NTSYSCALLAPI BOOL NTAPI NtUserRemoveMenu( _In_ HMENU MenuHandle, _In_ ULONG Position, _In_ ULONG Flags ); NTSYSCALLAPI ULONG NTAPI NtUserSendInput( _In_ ULONG Count, _In_ LPINPUT Inputs, _In_ LONG Size ); NTSYSCALLAPI HWND NTAPI NtUserSetActiveWindow( _In_ HWND WindowHandle ); NTSYSCALLAPI HWND NTAPI NtUserSetCapture( _In_ HWND WindowHandle ); NTSYSCALLAPI ULONG_PTR NTAPI NtUserSetTimer( _In_ HWND WindowHandle, _In_ ULONG_PTR IDEvent, _In_ ULONG Elapse, _In_ TIMERPROC TimerFunc, _In_ ULONG ToleranceDelay ); NTSYSCALLAPI USHORT NTAPI NtUserSetClassWord( _In_ HWND WindowHandle, _In_ LONG Index, _In_ USHORT NewWord ); NTSYSCALLAPI BOOL NTAPI NtUserSetCursorPos( _In_ LONG X, _In_ LONG Y ); NTSYSCALLAPI HWND NTAPI NtUserSetFocus( _In_ HWND WindowHandle ); NTSYSCALLAPI BOOL NTAPI NtUserSetLayeredWindowAttributes( _In_ HWND WindowHandle, _In_ COLORREF Key, _In_ BYTE Alpha, _In_ ULONG Flags ); NTSYSCALLAPI BOOL NTAPI NtUserSetWindowPos( _In_ HWND WindowHandle, _In_opt_ HWND WindowHandleInsertAfter, _In_ LONG X, _In_ LONG Y, _In_ LONG cx, _In_ LONG cy, _In_ ULONG Flags ); FORCEINLINE BOOL NTAPI NtUserBringWindowToTop( _In_ HWND WindowHandle ) { return NtUserSetWindowPos( WindowHandle, NULL, 0, 0, 0, 0, 3 ); } // Send to the window registered with NtUserRegisterCloakedNotification // when cloak state of the window has changed // wParam - if window cloak state changed contains cloaking value // which can be one/all of the below // DWM_CLOAKED_APP(0x0000001).The window was cloaked by its owner application. // DWM_CLOAKED_SHELL(0x0000002).The window was cloaked by the Shell. // 0 - window is not cloaked // // lParam - 0 (unused) // #define WM_CLOAKED_STATE_CHANGED 0x0347 NTSYSCALLAPI BOOL NTAPI NtUserRegisterCloakedNotification( _In_ HWND WindowHandle, _In_ BOOL Register ); NTSYSCALLAPI USHORT NTAPI NtUserSetWindowWord( _In_ HWND WindowHandle, _In_ LONG Index, _In_ USHORT NewWord ); NTSYSCALLAPI NTSTATUS NTAPI NtUserSetForegroundWindowForApplication( _In_ HWND WindowHandle ); NTSYSCALLAPI HWND NTAPI NtUserShellForegroundBoostProcess( _In_ HANDLE ProcessHandle, _In_ HWND WindowHandle ); NTSYSCALLAPI ULONG NTAPI NtUserSetAdditionalForegroundBoostProcesses( _In_ HWND WindowHandle ); // rev NTSYSCALLAPI ULONG NTAPI NtUserSetAdditionalPowerThrottlingProcess( _In_ HWND WindowHandle, _In_ ULONG ProcessHandlesCount, _In_reads_(ProcessHandlesCount) PHANDLE ProcessHandles ); NTSYSCALLAPI LONG NTAPI NtUserShowCursor( _In_ BOOL Show ); NTSYSCALLAPI BOOL NTAPI NtUserShowWindow( _In_ HWND WindowHandle, _In_ LONG CmdShow ); NTSYSCALLAPI BOOL NTAPI NtUserShowWindowAsync( _In_ HWND WindowHandle, _In_ LONG CmdShow ); NTSYSCALLAPI BOOL NTAPI NtUserShutdownBlockReasonQuery( _In_ HWND WindowHandle, _Out_ PWSTR Buffer, _Inout_ PULONG BufferCount ); NTSYSCALLAPI BOOL NTAPI NtUserShutdownReasonDestroy( _In_ HWND WindowHandle ); NTSYSCALLAPI BOOL NTAPI NtUserTrackMouseEvent( _In_ LPTRACKMOUSEEVENT EventTrack ); NTSYSCALLAPI BOOL NTAPI NtUserTrackPopupMenuEx( _In_ HMENU MenuHandle, _In_ ULONG Flags, _In_ LONG x, _In_ LONG y, _In_ HWND WindowHandle, _In_ LPTPMPARAMS lptpm ); NTSYSCALLAPI BOOL NTAPI NtUserUnhookWinEvent( _In_ HWINEVENTHOOK WinEventHookHandle ); NTSYSCALLAPI BOOL NTAPI NtUserUnregisterHotKey( _In_ HWND WindowHandle, _In_ LONG Id ); NTSYSCALLAPI BOOL NTAPI NtUserUserHandleGrantAccess( _In_ HANDLE UserHandle, _In_ HANDLE Job, _In_ BOOL Grant ); NTSYSCALLAPI BOOL NTAPI NtUserValidateRect( _In_ HWND WindowHandle, _In_ const RECT* Rect ); NTSYSCALLAPI HWND NTAPI NtUserWindowFromDC( _In_ HDC Hdc ); NTSYSCALLAPI HWND NTAPI NtUserWindowFromPhysicalPoint( _In_ POINT Point ); NTSYSCALLAPI HWND NTAPI NtUserWindowFromPoint( _In_ POINT Point ); // rev // valid since 20H1 #define SFI_CREATEMENU 0 // NtUserCallNoParam #define SFI_CREATEPOPUPMENU 1 // NtUserCallNoParam #define SFI_ALLOWFOREGROUNDACTIVATION 2 // NtUserCallNoParam #define SFI_CANCELQUEUEEVENTCOMPLETIONPACKET 3 // NtUserCallNoParam #define SFI_CLEARWAKEMASK 4 // NtUserCallNoParam #define SFI_CREATESYSTEMTHREADS 5 // NtUserCallNoParam #define SFI_DESTROYCARET 6 // NtUserCallNoParam #define SFI_DISABLEPROCESSWINDOWSGHOSTING 7 // NtUserCallNoParam #define SFI_DRAINTHREADCOREMESSAGINGCOMPLETIONS 8 // NtUserCallNoParam #define SFI_GETDEVICECHANGEINFO 9 // NtUserCallNoParam #define SFI_GETIMESHOWSTATUS 10 // NtUserCallNoParam #define SFI_GETINPUTDESKTOP 11 // NtUserCallNoParam #define SFI_GETMESSAGEPOS 12 // NtUserCallNoParam #define SFI_GETQUEUEIOCP 13 // NtUserCallNoParam #define SFI_GETUNPREDICTEDMESSAGEPOS 14 // NtUserCallNoParam #define SFI_HANDLESYSTEMTHREADCREATIONFAILURE 15 // NtUserCallNoParam #define SFI_HIDECURSORNOCAPTURE 16 // NtUserCallNoParam #define SFI_ISQUEUEATTACHED 17 // NtUserCallNoParam #define SFI_LOADCURSORSANDICONS 18 // NtUserCallNoParam #define SFI_LOADUSERAPIHOOK 19 // NtUserCallNoParam #define SFI_PREPAREFORLOGOFF 20 // NtUserCallNoParam #define SFI_REASSOCIATEQUEUEEVENTCOMPLETIONPACKET 21 // NtUserCallNoParam #define SFI_RELEASECAPTURE 22 // NtUserCallNoParam #define SFI_REMOVEQUEUECOMPLETION 23 // NtUserCallNoParam #define SFI_RESETDBLCLK 24 // NtUserCallNoParam #define SFI_ZAPACTIVEANDFOCUS 25 // NtUserCallNoParam #define SFI_REMOTECONSOLESHADOWSTOP 26 // NtUserCallNoParam #define SFI_REMOTEDISCONNECT 27 // NtUserCallNoParam #define SFI_REMOTESHADOWSETUP 30 // NtUserCallNoParam #define SFI_REMOTESHADOWSTOP 31 // NtUserCallNoParam #define SFI_REMOTEPASSTHRUENABLE 32 // NtUserCallNoParam #define SFI_REMOTEPASSTHRUDISABLE 33 // NtUserCallNoParam #define SFI_REMOTECONNECTSTATE 34 // NtUserCallNoParam #define SFI_UPDATEPERUSERIMMENABLING 36 // NtUserCallNoParam #define SFI_USERPOWERCALLOUTWORKER 37 // NtUserCallNoParam #define SFI_WAKERITFORSHUTDOWN 38 // NtUserCallNoParam #define SFI_DOINITMESSAGEPUMPHOOK 39 // NtUserCallNoParam #define SFI_DOUNINITMESSAGEPUMPHOOK 40 // NtUserCallNoParam #define SFI_ENABLEMOUSEINPOINTERFORTHREAD 41 // NtUserCallNoParam #define SFI_DEFERREDDESKTOPROTATION 42 // NtUserCallNoParam #define SFI_ENABLEPERMONITORMENUSCALING 43 // NtUserCallNoParam #define SFI_BEGINDEFERWINDOWPOS 44 // NtUserCallOneParam #define SFI_GETSENDMESSAGERECEIVER 45 // NtUserCallOneParam #define SFI_ALLOWSETFOREGROUNDWINDOW 46 // NtUserCallOneParam #define SFI_CSDDEUNINITIALIZE 47 // NtUserCallOneParam #define SFI_ENUMCLIPBOARDFORMATS 49 // NtUserCallOneParam #define SFI_GETINPUTEVENT 50 // NtUserCallOneParam #define SFI_GETKEYBOARDTYPE 51 // NtUserCallOneParam #define SFI_GETPROCESSDEFAULTLAYOUT 52 // NtUserCallOneParam #define SFI_GETWINSTATIONINFO 53 // NtUserCallOneParam #define SFI_LOCKSETFOREGROUNDWINDOW 54 // NtUserCallOneParam #define SFI_LW_LOADFONTS 55 // NtUserCallOneParam #define SFI_MAPDESKTOPOBJECT 56 // NtUserCallOneParam #define SFI_MESSAGEBEEP 57 // NtUserCallOneParam #define SFI_PLAYEVENTSOUND 58 // NtUserCallOneParam #define SFI_POSTQUITMESSAGE 59 // NtUserCallOneParam #define SFI_REALIZEPALETTE 60 // NtUserCallOneParam #define SFI_REGISTERLPK 61 // NtUserCallOneParam #define SFI_REGISTERSYSTEMTHREAD 62 // NtUserCallOneParam #define SFI_REMOTERECONNECT 63 // NtUserCallOneParam #define SFI_REMOTETHINWIRESTATS 64 // NtUserCallOneParam #define SFI_REMOTENOTIFY 65 // NtUserCallOneParam #define SFI_REPLYMESSAGE 66 // NtUserCallOneParam #define SFI_SETCARETBLINKTIME 67 // NtUserCallOneParam #define SFI_SETDOUBLECLICKTIME 68 // NtUserCallOneParam #define SFI_SETMESSAGEEXTRAINFO 69 // NtUserCallOneParam #define SFI_SETPROCESSDEFAULTLAYOUT 70 // NtUserCallOneParam #define SFI_SETWATERMARKSTRINGS 71 // NtUserCallOneParam #define SFI_SHOWSTARTGLASS 72 // NtUserCallOneParam #define SFI_SWAPMOUSEBUTTON 73 // NtUserCallOneParam #define SFI_WOWMODULEUNLOAD 74 // NtUserCallOneParam #define SFI_DWMLOCKSCREENUPDATES 75 // NtUserCallOneParam #define SFI_ENABLESESSIONFORMMCSS 76 // NtUserCallOneParam #define SFI_SETWAITFORQUEUEATTACH 77 // NtUserCallOneParam #define SFI_THREADMESSAGEQUEUEATTACHED 78 // NtUserCallOneParam #define SFI_ENSUREDPIDEPSYSMETCACHEFORPLATEAU 80 // NtUserCallOneParam #define SFI_FORCEENABLENUMPADTRANSLATION 81 // NtUserCallOneParam #define SFI_SETTSFEVENTSTATE 82 // NtUserCallOneParam #define SFI_SETSHELLCHANGENOTIFYHWND 83 // NtUserCallOneParam #define SFI_DEREGISTERSHELLHOOKWINDOW 84 // NtUserCallHwnd #define SFI_DWP_GETENABLEDPOPUPOFFSET 85 // NtUserCallHwnd #define SFI_GETMODERNAPPWINDOW 86 // NtUserCallHwnd #define SFI_GETWINDOWCONTEXTHELPID 87 // NtUserCallHwnd #define SFI_REGISTERSHELLHOOKWINDOW 88 // NtUserCallHwnd #define SFI_SETMSGBOX 89 // NtUserCallHwnd #define SFI_INITTHREADCOREMESSAGINGIOCP 90 // NtUserCallHwnd, NtUserCallHwndSafe #define SFI_SCHEDULEDISPATCHNOTIFICATION 91 // NtUserCallHwnd, NtUserCallHwndSafe #define SFI_SETPROGMANWINDOW 92 // NtUserCallHwndOpt #define SFI_SETTASKMANWINDOW 93 // NtUserCallHwndOpt #define SFI_GETCLASSICOCUR 94 // NtUserCallHwndParam #define SFI_CLEARWINDOWSTATE 95 // NtUserCallHwndParam #define SFI_KILLSYSTEMTIMER 96 // NtUserCallHwndParam #define SFI_NOTIFYOVERLAYWINDOW 97 // NtUserCallHwndParam #define SFI_SETDIALOGPOINTER 99 // NtUserCallHwndParam #define SFI_SETVISIBLE 100 // NtUserCallHwndParam #define SFI_SETWINDOWCONTEXTHELPID 101 // NtUserCallHwndParam #define SFI_SETWINDOWSTATE 102 // NtUserCallHwndParam #define SFI_REGISTERWINDOWARRANGEMENTCALLOUT 103 // NtUserCallHwndParam #define SFI_ENABLEMODERNAPPWINDOWKEYBOARDINTERCEPT 104 // NtUserCallHwndParam #define SFI_ARRANGEICONICWINDOWS 105 // NtUserCallHwndLock #define SFI_DRAWMENUBAR 106 // NtUserCallHwndLock #define SFI_CHECKIMESHOWSTATUSINTHREAD 107 // NtUserCallHwndLock, NtUserCallHwndLockSafe #define SFI_GETSYSMENUOFFSET 108 // NtUserCallHwndLock #define SFI_REDRAWFRAME 109 // NtUserCallHwndLock #define SFI_REDRAWFRAMEANDHOOK 110 // NtUserCallHwndLock #define SFI_SETDIALOGSYSTEMMENU 111 // NtUserCallHwndLock #define SFI_SETFOREGROUNDWINDOW 112 // NtUserCallHwndLock #define SFI_SETSYSMENU 113 // NtUserCallHwndLock #define SFI_UPDATECLIENTRECT 114 // NtUserCallHwndLock #define SFI_UPDATEWINDOW 115 // NtUserCallHwndLock #define SFI_SETCANCELROTATIONDELAYHINTWINDOW 116 // NtUserCallHwndLock #define SFI_GETWINDOWTRACKINFOASYNC 117 // NtUserCallHwndLock #define SFI_BROADCASTIMESHOWSTATUSCHANGE 118 // NtUserCallHwndParamLock #define SFI_SETMODERNAPPWINDOW 119 // NtUserCallHwndParamLock #define SFI_REDRAWTITLE 120 // NtUserCallHwndParamLock #define SFI_SHOWOWNEDPOPUPS 121 // NtUserCallHwndParamLock #define SFI_SWITCHTOTHISWINDOW 122 // NtUserCallHwndParamLock #define SFI_UPDATEWINDOWS 123 // NtUserCallHwndParamLock #define SFI_VALIDATERGN 124 // NtUserCallHwndParamLock #define SFI_ENABLEWINDOW 125 // NtUserCallHwndParamLock, NtUserCallHwndParamLockSafe #define SFI_CHANGEWINDOWMESSAGEFILTER 126 // NtUserCallTwoParam #define SFI_GETCURSORPOS 127 // NtUserCallTwoParam #define SFI_INITANSIOEM 128 // NtUserCallTwoParam #define SFI_NLSKBDSENDIMENOTIFICATION 129 // NtUserCallTwoParam #define SFI_REGISTERGHOSTWINDOW 130 // NtUserCallTwoParam #define SFI_REGISTERLOGONPROCESS 131 // NtUserCallTwoParam #define SFI_REGISTERSIBLINGFROSTWINDOW 132 // NtUserCallTwoParam #define SFI_REGISTERUSERHUNGAPPHANDLERS 133 // NtUserCallTwoParam #define SFI_REMOTESHADOWCLEANUP 134 // NtUserCallTwoParam #define SFI_REMOTESHADOWSTART 135 // NtUserCallTwoParam #define SFI_SETCARETPOS 136 // NtUserCallTwoParam #define SFI_SETTHREADQUEUEMERGESETTING 137 // NtUserCallTwoParam #define SFI_UNHOOKWINDOWSHOOK 138 // NtUserCallTwoParam #define SFI_ENABLESHELLWINDOWMANAGEMENTBEHAVIOR 139 // NtUserCallTwoParam #define SFI_CITSETINFO 140 // NtUserCallTwoParam #define SFI_SCALESYSTEMMETRICFORDPIWITHOUTCACHE 141 // NtUserCallTwoParam // N.B. // Windows 10 uses NtUserCall* dispatch routines to invoke ~140 functions // by index (note that our index table is valid only since 20H1). // Windows 11 uses the newly introduced syscalls for each function instead. // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallNoParam( _In_ ULONG xpfnProc ); // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallOneParam( _In_ ULONG_PTR Param, _In_ ULONG xpfnProc ); // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwnd( _In_ HWND hwnd, _In_ ULONG xpfnProc ); // private // before WIN11 #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwndSafe( _In_ HWND hwnd, _In_ ULONG xpfnProc ); #endif // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwndOpt( _In_opt_ HWND hwnd, _In_ ULONG xpfnProc ); // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwndParam( _In_ HWND hwnd, _In_ ULONG_PTR Param, _In_ ULONG xpfnProc ); // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwndLock( _In_ HWND hwnd, _In_ ULONG xpfnProc ); // private // before WIN11 #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwndLockSafe( _In_ HWND hwnd, _In_ ULONG xpfnProc ); #endif // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwndParamLock( _In_ HWND hwnd, _In_ ULONG_PTR Param, _In_ ULONG xpfnProc ); // private // before WIN11 #if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5) NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallHwndParamLockSafe( _In_ HWND hwnd, _In_ ULONG_PTR Param, _In_ ULONG xpfnProc ); #endif // private // before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserCallTwoParam( _In_ ULONG_PTR Param1, _In_ ULONG_PTR Param2, _In_ ULONG xpfnProc ); #if (PHNT_VERSION >= PHNT_WINDOWS_11) // private // NtUserCallNoParam(SFI_CREATEMENU) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HMENU NTAPI NtUserCreateMenu( VOID ); // private // NtUserCallNoParam(SFI_CREATEPOPUPMENU) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HMENU NTAPI NtUserCreatePopupMenu( VOID ); // private // NtUserCallNoParam(SFI_ALLOWFOREGROUNDACTIVATION) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserAllowForegroundActivation( VOID ); // rev // NtUserCallNoParam(SFI_CANCELQUEUEEVENTCOMPLETIONPACKET) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserCancelQueueEventCompletionPacket( VOID ); // private // NtUserCallNoParam(SFI_CLEARWAKEMASK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserClearWakeMask( VOID ); // private // NtUserCallNoParam(SFI_CREATESYSTEMTHREADS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserCreateSystemThreads( VOID ); // private // NtUserCallNoParam(SFI_DESTROYCARET) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserDestroyCaret( VOID ); // private // NtUserCallNoParam(SFI_DISABLEPROCESSWINDOWSGHOSTING) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserDisableProcessWindowsGhosting( VOID ); // rev // NtUserCallNoParam(SFI_DRAINTHREADCOREMESSAGINGCOMPLETIONS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserDrainThreadCoreMessagingCompletions( VOID ); // private // NtUserCallNoParam(SFI_GETDEVICECHANGEINFO) before WIN11 _Success_(return != 0) _Must_inspect_result_ NTSYSCALLAPI ULONG NTAPI NtUserGetDeviceChangeInfo( VOID ); // private // NtUserCallNoParam(SFI_GETIMESHOWSTATUS) before WIN11 _Success_(return != 0) _Must_inspect_result_ NTSYSCALLAPI LOGICAL NTAPI NtUserGetIMEShowStatus( VOID ); // private // NtUserCallNoParam(SFI_GETINPUTDESKTOP) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HDESK NTAPI NtUserGetInputDesktop( VOID ); // private // NtUserCallNoParam(SFI_GETMESSAGEPOS) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG NTAPI NtUserGetMessagePos( VOID ); // rev // NtUserCallNoParam(SFI_GETQUEUEIOCP) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG_PTR NTAPI NtUserGetQueueIocp( VOID ); // private // NtUserCallNoParam(SFI_GETUNPREDICTEDMESSAGEPOS) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG NTAPI NtUserGetUnpredictedMessagePos( VOID ); // private // NtUserCallNoParam(SFI_HANDLESYSTEMTHREADCREATIONFAILURE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserHandleSystemThreadCreationFailure( VOID ); // private // NtUserCallNoParam(SFI_HIDECURSORNOCAPTURE) before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserHideCursorNoCapture( VOID ); // private // NtUserCallNoParam(SFI_ISQUEUEATTACHED) before WIN11 _Must_inspect_result_ NTSYSCALLAPI LOGICAL NTAPI NtUserIsQueueAttached( VOID ); // private // NtUserCallNoParam(SFI_LOADCURSORSANDICONS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserLoadCursorsAndIcons( VOID ); // private // NtUserCallNoParam(SFI_LOADUSERAPIHOOK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserLoadUserApiHook( VOID ); // private // NtUserCallNoParam(SFI_PREPAREFORLOGOFF) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserPrepareForLogoff( VOID ); // rev // NtUserCallNoParam(SFI_REASSOCIATEQUEUEEVENTCOMPLETIONPACKET) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserReassociateQueueEventCompletionPacket( VOID ); // private // NtUserCallNoParam(SFI_RELEASECAPTURE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserReleaseCapture( VOID ); // rev // NtUserCallNoParam(SFI_REMOVEQUEUECOMPLETION) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRemoveQueueCompletion( VOID ); // private // NtUserCallNoParam(SFI_RESETDBLCLK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserResetDblClk( VOID ); // private // NtUserCallNoParam(SFI_ZAPACTIVEANDFOCUS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserZapActiveAndFocus( VOID ); // private // NtUserCallNoParam(SFI_REMOTECONSOLESHADOWSTOP) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteConsoleShadowStop( VOID ); // private // NtUserCallNoParam(SFI_REMOTEDISCONNECT) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteDisconnect( VOID ); // private // NtUserCallNoParam(SFI_REMOTESHADOWSETUP) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteShadowSetup( VOID ); // private // NtUserCallNoParam(SFI_REMOTESHADOWSTOP) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteShadowStop( VOID ); // private // NtUserCallNoParam(SFI_REMOTEPASSTHRUENABLE) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemotePassthruEnable( VOID ); // private // NtUserCallNoParam(SFI_REMOTEPASSTHRUDISABLE) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemotePassthruDisable( VOID ); // private #define CTX_W32_CONNECT_STATE_CONSOLE 0 #define CTX_W32_CONNECT_STATE_IDLE 1 #define CTX_W32_CONNECT_STATE_EXIT_IN_PROGRESS 2 #define CTX_W32_CONNECT_STATE_CONNECTED 3 #define CTX_W32_CONNECT_STATE_DISCONNECTED 4 // private // NtUserCallNoParam(SFI_REMOTECONNECTSTATE) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG NTAPI NtUserRemoteConnectState( VOID ); // private // NtUserCallNoParam(SFI_UPDATEPERUSERIMMENABLING) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserUpdatePerUserImmEnabling( VOID ); // private // NtUserCallNoParam(SFI_USERPOWERCALLOUTWORKER) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserUserPowerCalloutWorker( VOID ); // private // NtUserCallNoParam(SFI_WAKERITFORSHUTDOWN) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserWakeRITForShutdown( VOID ); // private // NtUserCallNoParam(SFI_DOINITMESSAGEPUMPHOOK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserDoInitMessagePumpHook( VOID ); // private // NtUserCallNoParam(SFI_DOUNINITMESSAGEPUMPHOOK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserDoUninitMessagePumpHook( VOID ); // rev // NtUserCallNoParam(SFI_ENABLEMOUSEINPOINTERFORTHREAD) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserEnableMouseInPointerForThread( VOID ); // private // NtUserCallNoParam(SFI_DEFERREDDESKTOPROTATION) before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserDeferredDesktopRotation( VOID ); // private // NtUserCallNoParam(SFI_ENABLEPERMONITORMENUSCALING) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserEnablePerMonitorMenuScaling( VOID ); // private // NtUserCallOneParam(SFI_BEGINDEFERWINDOWPOS) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HDWP NTAPI NtUserBeginDeferWindowPos( _In_ ULONG NumWindowsHint ); // private // NtUserCallOneParam(SFI_GETSENDMESSAGERECEIVER) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HWND NTAPI NtUserGetSendMessageReceiver( _In_ ULONG ThreadIdSender ); // private // NtUserCallOneParam(SFI_ALLOWSETFOREGROUNDWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserAllowSetForegroundWindow( _In_ ULONG ProcessId ); // private // NtUserCallOneParam(SFI_CSDDEUNINITIALIZE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserCsDdeUninitialize( _In_ HANDLE hInst ); // private // NtUserCallOneParam(SFI_ENUMCLIPBOARDFORMATS) before WIN11 _Success_(return != 0) _Must_inspect_result_ NTSYSCALLAPI ULONG NTAPI NtUserEnumClipboardFormats( _In_ ULONG Format ); // private // NtUserCallOneParam(SFI_GETINPUTEVENT) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HANDLE NTAPI NtUserGetInputEvent( _In_ ULONG WakeMask // QS_* WinUser.h ); // rev (MSDN) #define KEYBOARD_TYPE 0 #define KEYBOARD_SUBTYPE 1 #define KEYBOARD_FUNCTION_KEY 2 // private // NtUserCallOneParam(SFI_GETKEYBOARDTYPE) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG NTAPI NtUserGetKeyboardType( _In_ ULONG TypeFlag // KEYBOARD_* ); // private // NtUserCallOneParam(SFI_GETPROCESSDEFAULTLAYOUT) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserGetProcessDefaultLayout( _Out_ PULONG DefaultLayout ); // private #define WPROTOCOLNAME_LENGTH 10 #define WAUDIONAME_LENGTH 10 // private typedef struct tagWSINFO { WCHAR ProtocolName[WPROTOCOLNAME_LENGTH]; WCHAR AudioDriverName[WAUDIONAME_LENGTH]; } WSINFO, *PWSINFO; // private // NtUserCallOneParam(SFI_GETWINSTATIONINFO) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserGetWinStationInfo( _Out_ PWSINFO WsInfo ); // private // NtUserCallOneParam(SFI_LOCKSETFOREGROUNDWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserLockSetForegroundWindow( _In_ ULONG LockCode // LSFW_* WinUser.h ); // private // NtUserCallOneParam(SFI_LW_LOADFONTS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserLW_LoadFonts( _In_ LOGICAL Remote ); // private // NtUserCallOneParam(SFI_MAPDESKTOPOBJECT) before WIN11 _Success_(return != NULL) _Must_inspect_result_ _Ret_maybenull_ NTSYSCALLAPI PVOID NTAPI NtUserMapDesktopObject( _In_ HANDLE h ); // private // NtUserCallOneParam(SFI_MESSAGEBEEP) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserMessageBeep( _In_ ULONG Type // MB_* (MB_ICONMASK) WinUser.h ); // private #define USER_SOUND_DEFAULT 0 #define USER_SOUND_SYSTEMHAND 1 #define USER_SOUND_SYSTEMQUESTION 2 #define USER_SOUND_SYSTEMEXCLAMATION 3 #define USER_SOUND_SYSTEMASTERISK 4 #define USER_SOUND_MENUPOPUP 5 #define USER_SOUND_MENUCOMMAND 6 #define USER_SOUND_OPEN 7 #define USER_SOUND_CLOSE 8 #define USER_SOUND_RESTOREUP 9 #define USER_SOUND_RESTOREDOWN 10 #define USER_SOUND_MINIMIZE 11 #define USER_SOUND_MAXIMIZE 12 #define USER_SOUND_SNAPSHOT 13 // private // NtUserCallOneParam(SFI_PLAYEVENTSOUND) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserPlayEventSound( _In_ ULONG idSound // USER_SOUND_* ); // private // NtUserCallOneParam(SFI_POSTQUITMESSAGE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserPostQuitMessage( _In_ LONG ExitCode ); // private // NtUserCallOneParam(SFI_REALIZEPALETTE) before WIN11 NTSYSCALLAPI ULONG NTAPI NtUserRealizePalette( _In_ HDC hdc ); // private #define LPK_TABBED_TEXT_OUT 0 #define LPK_PSM_TEXT_OUT 1 #define LPK_DRAW_TEXT_EX 2 #define LPK_EDIT_CONTROL 3 // rev #define LPK_FLAG_TABBED_TEXT_OUT (1 << LPK_TABBED_TEXT_OUT) #define LPK_FLAG_PSM_TEXT_OUT (1 << LPK_PSM_TEXT_OUT) #define LPK_FLAG_DRAW_TEXT_EX (1 << LPK_DRAW_TEXT_EX) #define LPK_FLAG_EDIT_CONTROL (1 << LPK_EDIT_CONTROL) // private // NtUserCallOneParam(SFI_REGISTERLPK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterLPK( _In_ ULONG LpkEntryPoints // LPK_FLAG_* ); // private #define RST_DONTATTACHQUEUE 0x00000001 #define RST_DONTJOURNALATTACH 0x00000002 // private // NtUserCallOneParam(SFI_REGISTERSYSTEMTHREAD) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterSystemThread( _In_ ULONG Flags // RST_* ); // private // NtUserCallOneParam(SFI_REMOTERECONNECT) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteReconnect( _In_ struct _DOCONNECTDATA* DoConnectData ); // private // NtUserCallOneParam(SFI_REMOTETHINWIRESTATS) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteThinwireStats( _Out_ struct CACHE_STATISTICS* Stats ); // private // NtUserCallOneParam(SFI_REMOTENOTIFY) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteNotify( _In_ struct _DONOTIFYDATA* DoNotifyData ); // private // NtUserCallOneParam(SFI_REPLYMESSAGE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserReplyMessage( _In_ LRESULT Result ); // private // NtUserCallOneParam(SFI_SETCARETBLINKTIME) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetCaretBlinkTime( _In_ ULONG Milliseconds ); // private // NtUserCallOneParam(SFI_SETDOUBLECLICKTIME) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetDoubleClickTime( _In_ ULONG Milliseconds ); // private // NtUserCallOneParam(SFI_SETMESSAGEEXTRAINFO) before WIN11 NTSYSCALLAPI LPARAM NTAPI NtUserSetMessageExtraInfo( _In_ LPARAM Param ); // private // NtUserCallOneParam(SFI_SETPROCESSDEFAULTLAYOUT) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetProcessDefaultLayout( _In_ ULONG DefaultLayout // LAYOUT_* wingdi.h ); // private // NtUserCallOneParam(SFI_SETWATERMARKSTRINGS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetWatermarkStrings( _In_ PCUNICODE_STRING StringTable ); // private // NtUserCallOneParam(SFI_SHOWSTARTGLASS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserShowStartGlass( _In_ ULONG Timeout ); // private // NtUserCallOneParam(SFI_SWAPMOUSEBUTTON) before WIN11 NTSYSCALLAPI LOGICAL NTAPI NtUserSwapMouseButton( _In_ LOGICAL SwapButtons ); // private // NtUserCallOneParam(SFI_WOWMODULEUNLOAD) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserWOWModuleUnload( _In_ HANDLE Module ); // private // NtUserCallOneParam(SFI_DWMLOCKSCREENUPDATES) before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserDwmLockScreenUpdates( _In_ LOGICAL LockUpdates ); // private // NtUserCallOneParam(SFI_ENABLESESSIONFORMMCSS) before WIN11 _Success_(return != 0) NTSYSCALLAPI ULONG_PTR NTAPI NtUserEnableSessionForMMCSS( _In_ LOGICAL Enable ); // private // NtUserCallOneParam(SFI_SETWAITFORQUEUEATTACH) before WIN11 NTSYSCALLAPI LOGICAL NTAPI NtUserSetWaitForQueueAttach( _In_ LOGICAL Waiting ); // private // NtUserCallOneParam(SFI_THREADMESSAGEQUEUEATTACHED) before WIN11 _Must_inspect_result_ NTSYSCALLAPI LOGICAL NTAPI NtUserThreadMessageQueueAttached( _In_opt_ ULONG ThreadId ); // private // NtUserCallOneParam(SFI_ENSUREDPIDEPSYSMETCACHEFORPLATEAU) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserEnsureDpiDepSysMetCacheForPlateau( _In_ ULONG Dpi ); // private // NtUserCallOneParam(SFI_FORCEENABLENUMPADTRANSLATION) before WIN11 NTSYSCALLAPI UINT_PTR NTAPI NtUserForceEnableNumpadTranslation( _In_ LOGICAL ForceNumlockTranslation ); // rev // NtUserCallOneParam(SFI_SETTSFEVENTSTATE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetTSFEventState( _In_ ULONG StateFlags ); // rev // NtUserCallOneParam(SFI_SETSHELLCHANGENOTIFYHWND) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetShellChangeNotifyHWND( _In_ HWND hwnd ); // private // NtUserCallHwnd(SFI_DEREGISTERSHELLHOOKWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserDeregisterShellHookWindow( _In_ HWND hwnd ); // rev // NtUserCallHwnd(SFI_DWP_GETENABLEDPOPUPOFFSET) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG_PTR NTAPI NtUserDWP_GetEnabledPopupOffset( _In_ HWND hwnd ); // private // NtUserCallHwnd(SFI_GETMODERNAPPWINDOW) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HWND NTAPI NtUserGetModernAppWindow( _In_ HWND ShellFrame ); // private // NtUserCallHwnd(SFI_GETWINDOWCONTEXTHELPID) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG NTAPI NtUserGetWindowContextHelpId( _In_ HWND hwnd ); // private // NtUserCallHwnd(SFI_REGISTERSHELLHOOKWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterShellHookWindow( _In_ HWND hwnd ); // private // NtUserCallHwnd(SFI_SETMSGBOX) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetMsgBox( _In_ HWND hwnd ); // rev // NtUserCallHwnd[Safe](SFI_INITTHREADCOREMESSAGINGIOCP) before WIN11 NTSYSCALLAPI ULONG_PTR NTAPI NtUserInitThreadCoreMessagingIocp( _In_ HWND hwnd ); // private // NtUserCallHwnd[Safe](SFI_SCHEDULEDISPATCHNOTIFICATION) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserScheduleDispatchNotification( _In_ HWND hwnd ); // private // NtUserCallHwndOpt(SFI_SETPROGMANWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetProgmanWindow( _In_opt_ HWND hwnd ); // private // NtUserCallHwndOpt(SFI_SETTASKMANWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetTaskmanWindow( _In_opt_ HWND hwnd ); // private // NtUserCallHwndParam(SFI_GETCLASSICOCUR) before WIN11 _Success_(return != NULL) _Must_inspect_result_ NTSYSCALLAPI HCURSOR NTAPI NtUserGetClassIcoCur( _In_ HWND hwnd, _In_ ULONG Index ); // private #define WFWIN40COMPAT 0x0502 #define WFNOANIMATE 0x0710 #define WEFWINDOWEDGE 0x0901 #define WEFCLIENTEDGE 0x0902 #define WEFSTATICEDGE 0x0A02 #define BFRIGHTBUTTON 0x0C20 #define BFRIGHT 0x0D02 #define BFBOTTOM 0x0D08 #define DFLOCALEDIT 0x0C20 #define CBFOWNERDRAWVAR 0x0C20 #define CBFHASSTRINGS 0x0D02 #define CBFDISABLENOSCROLL 0x0D08 #define EFPASSWORD 0x0C20 #define EFCOMBOBOX 0x0D02 #define EFREADONLY 0x0D08 #define SFWIDELINESPACING 0x0C20 #define SFCENTERIMAGE 0x0D02 #define SFREALSIZEIMAGE 0x0D08 #define WFMAXBOX 0x0E01 #define WFTABSTOP 0x0E01 #define WFSYSMENU 0x0E08 #define WFHSCROLL 0x0E10 #define WFVSCROLL 0x0E20 #define WFBORDER 0x0E80 #define WFCLIPCHILDREN 0x0F02 // private // NtUserCallHwndParam(SFI_CLEARWINDOWSTATE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserClearWindowState( _In_ HWND hwnd, _In_ ULONG Flag // WF*, WEF*, BF*, DF*, CBF*, EF*, SF* ); // private // NtUserCallHwndParam(SFI_SETWINDOWSTATE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetWindowState( _In_ HWND hwnd, _In_ ULONG Flag // WF*, WEF*, BF*, DF*, CBF*, EF*, SF* ); // private // NtUserCallHwndParam(SFI_KILLSYSTEMTIMER) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserKillSystemTimer( _In_ HWND hwnd, _In_ UINT_PTR IDEvent ); // private // NtUserCallHwndParam(SFI_NOTIFYOVERLAYWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserNotifyOverlayWindow( _In_ HWND hwnd, _In_ LOGICAL Enable ); // private // NtUserCallHwndParam(SFI_SETDIALOGPOINTER) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetDialogPointer( _In_ HWND hwnd, _In_ ULONG_PTR Ptr ); // private #define SV_UNSET 0x0000 #define SV_SET 0x0001 #define SV_CLRFTRUEVIS 0x0002 #define SV_SKIPCOMPOSE 0x0004 // rev #define SV_CLRFULLSCREEN 0x0008 // rev #define SV_CLRGHOSTVIS 0x0010 // rev // private // NtUserCallHwndParam(SFI_SETVISIBLE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetVisible( _In_ HWND hwnd, _In_ ULONG Flags // SV_* ); // private // NtUserCallHwndParam(SFI_SETWINDOWCONTEXTHELPID) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetWindowContextHelpId( _In_ HWND hwnd, _In_ ULONG ContextId ); // private // NtUserCallHwndParam(SFI_REGISTERWINDOWARRANGEMENTCALLOUT) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterWindowArrangementCallout( _In_ HWND hwnd, _In_ LOGICAL Register ); // private // NtUserCallHwndParam(SFI_ENABLEMODERNAPPWINDOWKEYBOARDINTERCEPT) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserEnableModernAppWindowKeyboardIntercept( _In_ HWND hwnd, _In_ LOGICAL Enable ); // private // NtUserCallHwndLock(SFI_ARRANGEICONICWINDOWS) before WIN11 _Success_(return != 0) NTSYSCALLAPI ULONG NTAPI NtUserArrangeIconicWindows( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_DRAWMENUBAR) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserDrawMenuBar( _In_ HWND hwnd ); // private // NtUserCallHwndLock[Safe](SFI_CHECKIMESHOWSTATUSINTHREAD) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserCheckImeShowStatusInThread( _In_ HWND Ime ); // rev // NtUserCallHwndLock(SFI_GETSYSMENUOFFSET) before WIN11 _Success_(return != 0) _Must_inspect_result_ NTSYSCALLAPI ULONG_PTR NTAPI NtUserGetSysMenuOffset( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_REDRAWFRAME) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRedrawFrame( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_REDRAWFRAMEANDHOOK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRedrawFrameAndHook( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_SETDIALOGSYSTEMMENU) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetDialogSystemMenu( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_SETFOREGROUNDWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetForegroundWindow( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_SETSYSMENU) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetSysMenu( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_UPDATECLIENTRECT) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserUpdateClientRect( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_UPDATEWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserUpdateWindow( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_SETCANCELROTATIONDELAYHINTWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetCancelRotationDelayHintWindow( _In_ HWND hwnd ); // private // NtUserCallHwndLock(SFI_GETWINDOWTRACKINFOASYNC) before WIN11 _Success_(return != 0) NTSYSCALLAPI ULONG_PTR NTAPI NtUserGetWindowTrackInfoAsync( _In_ HWND hwnd ); // private // NtUserCallHwndParamLock(SFI_BROADCASTIMESHOWSTATUSCHANGE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserBroadcastImeShowStatusChange( _In_ HWND Ime, _In_ LOGICAL Show ); // private // NtUserCallHwndParamLock(SFI_SETMODERNAPPWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetModernAppWindow( _In_ HWND ShellFrame, _In_ HWND App ); // private // #define DC_ACTIVE 0x0001 // WinUser.h // #define DC_SMALLCAP 0x0002 // WinUser.h // #define DC_ICON 0x0004 // WinUser.h // #define DC_TEXT 0x0008 // WinUser.h // #define DC_INBUTTON 0x0010 // WinUser.h // #define DC_GRADIENT 0x0020 // WinUser.h #define DC_LAMEBUTTON 0x0400 #define DC_NOVISIBLE 0x0800 // #define DC_BUTTONS 0x1000 // WinUser.h #define DC_NOSENDMSG 0x2000 #define DC_CENTER 0x4000 #define DC_FRAME 0x8000 // private // NtUserCallHwndParamLock(SFI_REDRAWTITLE) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRedrawTitle( _In_ HWND hwnd, _In_ ULONG Flags // DC_* ); // private // NtUserCallHwndParamLock(SFI_SHOWOWNEDPOPUPS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserShowOwnedPopups( _In_ HWND Owner, _In_ LOGICAL Show ); // private // NtUserCallHwndParamLock(SFI_SWITCHTOTHISWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSwitchToThisWindow( _In_ HWND hwnd, _In_ LOGICAL AltTab ); // private // NtUserCallHwndParamLock(SFI_UPDATEWINDOWS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserUpdateWindows( _In_ HWND hwnd, _In_ HRGN hrgn ); // private // NtUserCallHwndParamLock(SFI_VALIDATERGN) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserValidateRgn( _In_ HWND hwnd, _In_ HRGN hrgn ); // private // NtUserCallHwndParamLock[Safe](SFI_ENABLEWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserEnableWindow( _In_ HWND hwnd, _In_ LOGICAL Enable ); // private // NtUserCallTwoParam(SFI_CHANGEWINDOWMESSAGEFILTER) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserChangeWindowMessageFilter( _In_ ULONG Message, _In_ ULONG Flag // MSGFLT_* WinUser.h ); // rev #define CURSOR_POS_TYPE_LOGICAL 1 #define CURSOR_POS_TYPE_SAVED 2 // private // NtUserCallTwoParam(SFI_GETCURSORPOS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserGetCursorPos( _Out_ PPOINT Point, _In_ ULONG CursorPosType // CURSOR_POS_TYPE_* ); // private // NtUserCallTwoParam(SFI_INITANSIOEM) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserInitAnsiOem( _In_reads_(256) PCHAR OemToAnsi, _In_reads_(256) PCHAR AnsiToOem ); // private // NtUserCallTwoParam(SFI_NLSKBDSENDIMENOTIFICATION) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserNlsKbdSendIMENotification( _In_ ULONG ImeOpen, _In_ ULONG ImeConversion ); // private // NtUserCallTwoParam(SFI_REGISTERGHOSTWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterGhostWindow( _In_ HWND Ghost, _In_ HWND Hung ); // private // NtUserCallTwoParam(SFI_REGISTERLOGONPROCESS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterLogonProcess( _In_ ULONG ProcessId, _In_ PLUID LuidConnect ); // private // NtUserCallTwoParam(SFI_REGISTERSIBLINGFROSTWINDOW) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterSiblingFrostWindow( _In_ HWND hwndFrost, _In_ HWND hwnd ); // rev typedef _Function_class_(FNW32ET) VOID APIENTRY FNW32ET(VOID); typedef FNW32ET* PFNW32ET; // private // NtUserCallTwoParam(SFI_REGISTERUSERHUNGAPPHANDLERS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserRegisterUserHungAppHandlers( _In_ PFNW32ET W32EndTask, _In_ HANDLE EventWowExec ); // private // NtUserCallTwoParam(SFI_REMOTESHADOWCLEANUP) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteShadowCleanup( _In_reads_bytes_(ThinwireDataLength) PVOID ThinwireData, _In_ ULONG ThinwireDataLength ); // private // NtUserCallTwoParam(SFI_REMOTESHADOWSTART) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserRemoteShadowStart( _In_reads_bytes_(ThinwireDataLength) PVOID ThinwireData, _In_ ULONG ThinwireDataLength ); // private // NtUserCallTwoParam(SFI_SETCARETPOS) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetCaretPos( _In_ LONG x, _In_ LONG y ); // private // NtUserCallTwoParam(SFI_SETTHREADQUEUEMERGESETTING) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserSetThreadQueueMergeSetting( _In_ ULONG ThreadId, _In_ ULONG Flags ); // private // NtUserCallTwoParam(SFI_UNHOOKWINDOWSHOOK) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserUnhookWindowsHook( _In_ LONG FilterType, _In_ HOOKPROC FilterProc ); // private // NtUserCallTwoParam(SFI_ENABLESHELLWINDOWMANAGEMENTBEHAVIOR) before WIN11 _Success_(return != 0) NTSYSCALLAPI LOGICAL NTAPI NtUserEnableShellWindowManagementBehavior( _In_ ULONG_PTR Param1, _In_ ULONG_PTR Param2 ); // private // NtUserCallTwoParam(SFI_CITSETINFO) before WIN11 NTSYSCALLAPI NTSTATUS NTAPI NtUserCitSetInfo( _In_ ULONG_PTR InfoFlags, _In_ ULONG_PTR Info ); // private // NtUserCallTwoParam(SFI_SCALESYSTEMMETRICFORDPIWITHOUTCACHE) before WIN11 _Must_inspect_result_ NTSYSCALLAPI ULONG_PTR NTAPI NtUserScaleSystemMetricForDPIWithoutCache( _In_ ULONG Metric, _In_ ULONG ToDpi ); #endif // PHNT_VERSION >= PHNT_WINDOWS_11 typedef _Function_class_(FN_DISPATCH) NTSTATUS NTAPI FN_DISPATCH( _In_opt_ PVOID Context ); typedef FN_DISPATCH* PFN_DISPATCH; // Peb!KernelCallbackTable = user32.dll!apfnDispatch typedef struct _KERNEL_CALLBACK_TABLE { PFN_DISPATCH __fnCOPYDATA; PFN_DISPATCH __fnCOPYGLOBALDATA; PFN_DISPATCH __fnEMPTY1; PFN_DISPATCH __fnNCDESTROY; PFN_DISPATCH __fnDWORDOPTINLPMSG; PFN_DISPATCH __fnINOUTDRAG; PFN_DISPATCH __fnGETTEXTLENGTHS1; PFN_DISPATCH __fnINCNTOUTSTRING; PFN_DISPATCH __fnINCNTOUTSTRINGNULL; PFN_DISPATCH __fnINLPCOMPAREITEMSTRUCT; PFN_DISPATCH __fnINLPCREATESTRUCT; PFN_DISPATCH __fnINLPDELETEITEMSTRUCT; PFN_DISPATCH __fnINLPDRAWITEMSTRUCT; PFN_DISPATCH __fnPOPTINLPUINT1; PFN_DISPATCH __fnPOPTINLPUINT2; PFN_DISPATCH __fnINLPMDICREATESTRUCT; PFN_DISPATCH __fnINOUTLPMEASUREITEMSTRUCT; PFN_DISPATCH __fnINLPWINDOWPOS; PFN_DISPATCH __fnINOUTLPPOINT51; PFN_DISPATCH __fnINOUTLPSCROLLINFO; PFN_DISPATCH __fnINOUTLPRECT; PFN_DISPATCH __fnINOUTNCCALCSIZE; PFN_DISPATCH __fnINOUTLPPOINT52; PFN_DISPATCH __fnINPAINTCLIPBRD; PFN_DISPATCH __fnINSIZECLIPBRD; PFN_DISPATCH __fnINDESTROYCLIPBRD; PFN_DISPATCH __fnINSTRINGNULL1; PFN_DISPATCH __fnINSTRINGNULL2; PFN_DISPATCH __fnINDEVICECHANGE; PFN_DISPATCH __fnPOWERBROADCAST; PFN_DISPATCH __fnINLPUAHDRAWMENU1; PFN_DISPATCH __fnOPTOUTLPDWORDOPTOUTLPDWORD1; PFN_DISPATCH __fnOPTOUTLPDWORDOPTOUTLPDWORD2; PFN_DISPATCH __fnOUTDWORDINDWORD; PFN_DISPATCH __fnOUTLPRECT; PFN_DISPATCH __fnOUTSTRING; PFN_DISPATCH __fnPOPTINLPUINT3; PFN_DISPATCH __fnPOUTLPINT; PFN_DISPATCH __fnSENTDDEMSG; PFN_DISPATCH __fnINOUTSTYLECHANGE1; PFN_DISPATCH __fnHkINDWORD; PFN_DISPATCH __fnHkINLPCBTACTIVATESTRUCT; PFN_DISPATCH __fnHkINLPCBTCREATESTRUCT; PFN_DISPATCH __fnHkINLPDEBUGHOOKSTRUCT; PFN_DISPATCH __fnHkINLPMOUSEHOOKSTRUCTEX1; PFN_DISPATCH __fnHkINLPKBDLLHOOKSTRUCT; PFN_DISPATCH __fnHkINLPMSLLHOOKSTRUCT; PFN_DISPATCH __fnHkINLPMSG; PFN_DISPATCH __fnHkINLPRECT; PFN_DISPATCH __fnHkOPTINLPEVENTMSG; PFN_DISPATCH __xxxClientCallDelegateThread; PFN_DISPATCH __ClientCallDummyCallback1; PFN_DISPATCH __ClientCallDummyCallback2; PFN_DISPATCH __fnSHELLWINDOWMANAGEMENTCALLOUT; PFN_DISPATCH __fnSHELLWINDOWMANAGEMENTNOTIFY; PFN_DISPATCH __ClientCallDummyCallback3; PFN_DISPATCH __xxxClientCallDitThread; PFN_DISPATCH __xxxClientEnableMMCSS; PFN_DISPATCH __xxxClientUpdateDpi; PFN_DISPATCH __xxxClientExpandStringW; PFN_DISPATCH __ClientCopyDDEIn1; PFN_DISPATCH __ClientCopyDDEIn2; PFN_DISPATCH __ClientCopyDDEOut1; PFN_DISPATCH __ClientCopyDDEOut2; PFN_DISPATCH __ClientCopyImage; PFN_DISPATCH __ClientEventCallback; PFN_DISPATCH __ClientFindMnemChar; PFN_DISPATCH __ClientFreeDDEHandle; PFN_DISPATCH __ClientFreeLibrary; PFN_DISPATCH __ClientGetCharsetInfo; PFN_DISPATCH __ClientGetDDEFlags; PFN_DISPATCH __ClientGetDDEHookData; PFN_DISPATCH __ClientGetListboxString; PFN_DISPATCH __ClientGetMessageMPH; PFN_DISPATCH __ClientLoadImage; PFN_DISPATCH __ClientLoadLibrary; PFN_DISPATCH __ClientLoadMenu; PFN_DISPATCH __ClientLoadLocalT1Fonts; PFN_DISPATCH __ClientPSMTextOut; PFN_DISPATCH __ClientLpkDrawTextEx; PFN_DISPATCH __ClientExtTextOutW; PFN_DISPATCH __ClientGetTextExtentPointW; PFN_DISPATCH __ClientCharToWchar; PFN_DISPATCH __ClientAddFontResourceW; PFN_DISPATCH __ClientThreadSetup; PFN_DISPATCH __ClientDeliverUserApc; PFN_DISPATCH __ClientNoMemoryPopup; PFN_DISPATCH __ClientMonitorEnumProc; PFN_DISPATCH __ClientCallWinEventProc; PFN_DISPATCH __ClientWaitMessageExMPH; PFN_DISPATCH __ClientCallDummyCallback4; PFN_DISPATCH __ClientCallDummyCallback5; PFN_DISPATCH __ClientImmLoadLayout; PFN_DISPATCH __ClientImmProcessKey; PFN_DISPATCH __fnIMECONTROL; PFN_DISPATCH __fnINWPARAMDBCSCHAR; PFN_DISPATCH __fnGETTEXTLENGTHS2; PFN_DISPATCH __ClientCallDummyCallback6; PFN_DISPATCH __ClientLoadStringW; PFN_DISPATCH __ClientLoadOLE; PFN_DISPATCH __ClientRegisterDragDrop; PFN_DISPATCH __ClientRevokeDragDrop; PFN_DISPATCH __fnINOUTMENUGETOBJECT; PFN_DISPATCH __ClientPrinterThunk; PFN_DISPATCH __fnOUTLPCOMBOBOXINFO; PFN_DISPATCH __fnOUTLPSCROLLBARINFO; PFN_DISPATCH __fnINLPUAHDRAWMENU2; PFN_DISPATCH __fnINLPUAHDRAWMENUITEM; PFN_DISPATCH __fnINLPUAHDRAWMENU3; PFN_DISPATCH __fnINOUTLPUAHMEASUREMENUITEM; PFN_DISPATCH __fnINLPUAHDRAWMENU4; PFN_DISPATCH __fnOUTLPTITLEBARINFOEX; PFN_DISPATCH __fnTOUCH; PFN_DISPATCH __fnGESTURE; PFN_DISPATCH __fnPOPTINLPUINT4; PFN_DISPATCH __fnPOPTINLPUINT5; PFN_DISPATCH __xxxClientCallDefaultInputHandler; PFN_DISPATCH __fnEMPTY2; PFN_DISPATCH __ClientRimDevCallback; PFN_DISPATCH __xxxClientCallMinTouchHitTestingCallback; PFN_DISPATCH __ClientCallLocalMouseHooks; PFN_DISPATCH __xxxClientBroadcastThemeChange; PFN_DISPATCH __xxxClientCallDevCallbackSimple; PFN_DISPATCH __xxxClientAllocWindowClassExtraBytes; PFN_DISPATCH __xxxClientFreeWindowClassExtraBytes; PFN_DISPATCH __fnGETWINDOWDATA; PFN_DISPATCH __fnINOUTSTYLECHANGE2; PFN_DISPATCH __fnHkINLPMOUSEHOOKSTRUCTEX2; PFN_DISPATCH __xxxClientCallDefWindowProc; PFN_DISPATCH __fnSHELLSYNCDISPLAYCHANGED; PFN_DISPATCH __fnHkINLPCHARHOOKSTRUCT; PFN_DISPATCH __fnINTERCEPTEDWINDOWACTION; PFN_DISPATCH __xxxTooltipCallback; PFN_DISPATCH __xxxClientInitPSBInfo; PFN_DISPATCH __xxxClientDoScrollMenu; PFN_DISPATCH __xxxClientEndScroll; PFN_DISPATCH __xxxClientDrawSize; PFN_DISPATCH __xxxClientDrawScrollBar; PFN_DISPATCH __xxxClientHitTestScrollBar; PFN_DISPATCH __xxxClientTrackInit; } KERNEL_CALLBACK_TABLE, *PKERNEL_CALLBACK_TABLE; #endif // _NTUSER_H ================================================ FILE: phnt/include/ntwmi.h ================================================ [File too large to display: 223.1 KB] ================================================ FILE: phnt/include/ntwow64.h ================================================ [File too large to display: 26.0 KB] ================================================ FILE: phnt/include/ntxcapi.h ================================================ [File too large to display: 2.5 KB] ================================================ FILE: phnt/include/ntzwapi.h ================================================ [File too large to display: 105.9 KB] ================================================ FILE: phnt/include/phnt.h ================================================ [File too large to display: 4.3 KB] ================================================ FILE: phnt/include/phnt_ntdef.h ================================================ [File too large to display: 34.2 KB] ================================================ FILE: phnt/include/phnt_windows.h ================================================ [File too large to display: 4.7 KB] ================================================ FILE: phnt/include/smbios.h ================================================ [File too large to display: 116.2 KB] ================================================ FILE: phnt/include/subprocesstag.h ================================================ [File too large to display: 2.8 KB] ================================================ FILE: phnt/include/usermgr.h ================================================ [File too large to display: 3.2 KB] ================================================ FILE: phnt/include/winsta.h ================================================ [File too large to display: 47.9 KB] ================================================ FILE: phnt/meson.build ================================================ [File too large to display: 1.7 KB] ================================================ FILE: phnt/zw_options.txt ================================================ [File too large to display: 393 B] ================================================ FILE: plugins/CMakeLists.txt ================================================ [File too large to display: 475 B] ================================================ FILE: plugins/Directory.Build.props ================================================ [File too large to display: 250 B] ================================================ FILE: plugins/DotNetTools/CHANGELOG.txt ================================================ [File too large to display: 791 B] ================================================ FILE: plugins/DotNetTools/CMakeLists.txt ================================================ [File too large to display: 1.1 KB] ================================================ FILE: plugins/DotNetTools/DotNetTools.rc ================================================ [File too large to display: 2.6 KB] ================================================ FILE: plugins/DotNetTools/DotNetTools.vcxproj ================================================ [File too large to display: 5.3 KB] ================================================ FILE: plugins/DotNetTools/DotNetTools.vcxproj.filters ================================================ [File too large to display: 3.2 KB] ================================================ FILE: plugins/DotNetTools/asmpage.c ================================================ [File too large to display: 85.1 KB] ================================================ FILE: plugins/DotNetTools/clr/LICENSE.TXT ================================================ [File too large to display: 1.1 KB] ================================================ FILE: plugins/DotNetTools/clr/clrdata.h ================================================ [File too large to display: 44.2 KB] ================================================ FILE: plugins/DotNetTools/clr/cor.h ================================================ [File too large to display: 104.8 KB] ================================================ FILE: plugins/DotNetTools/clr/corsym.h ================================================ [File too large to display: 212.9 KB] ================================================ FILE: plugins/DotNetTools/clr/dacprivate.h ================================================ [File too large to display: 35.4 KB] ================================================ FILE: plugins/DotNetTools/clr/dbgappdomain.h ================================================ [File too large to display: 4.7 KB] ================================================ FILE: plugins/DotNetTools/clr/ipcenums.h ================================================ [File too large to display: 2.2 KB] ================================================ FILE: plugins/DotNetTools/clr/ipcheader.h ================================================ [File too large to display: 16.6 KB] ================================================ FILE: plugins/DotNetTools/clr/ipcshared.h ================================================ [File too large to display: 1.9 KB] ================================================ FILE: plugins/DotNetTools/clr/perfcounterdefs.h ================================================ [File too large to display: 12.2 KB] ================================================ FILE: plugins/DotNetTools/clr/sospriv.h ================================================ [File too large to display: 111.9 KB] ================================================ FILE: plugins/DotNetTools/clr/xclrdata.h ================================================ [File too large to display: 281.9 KB] ================================================ FILE: plugins/DotNetTools/clretw.h ================================================ [File too large to display: 7.4 KB] ================================================ FILE: plugins/DotNetTools/clrsup.c ================================================ [File too large to display: 81.7 KB] ================================================ FILE: plugins/DotNetTools/clrsup.h ================================================ [File too large to display: 12.0 KB] ================================================ FILE: plugins/DotNetTools/counters.c ================================================ [File too large to display: 28.6 KB] ================================================ FILE: plugins/DotNetTools/dn.h ================================================ [File too large to display: 3.0 KB] ================================================ FILE: plugins/DotNetTools/main.c ================================================ [File too large to display: 9.1 KB] ================================================ FILE: plugins/DotNetTools/perfpage.c ================================================ [File too large to display: 108.4 KB] ================================================ FILE: plugins/DotNetTools/resource.h ================================================ [File too large to display: 971 B] ================================================ FILE: plugins/DotNetTools/stackext.c ================================================ [File too large to display: 12.3 KB] ================================================ FILE: plugins/DotNetTools/svcext.c ================================================ [File too large to display: 17.2 KB] ================================================ FILE: plugins/DotNetTools/svcext.h ================================================ [File too large to display: 2.8 KB] ================================================ FILE: plugins/DotNetTools/treeext.c ================================================ [File too large to display: 8.8 KB] ================================================ FILE: plugins/DotNetTools/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/ExtendedNotifications/CHANGELOG.txt ================================================ [File too large to display: 123 B] ================================================ FILE: plugins/ExtendedNotifications/CMakeLists.txt ================================================ [File too large to display: 605 B] ================================================ FILE: plugins/ExtendedNotifications/ExtendedNotifications.rc ================================================ [File too large to display: 5.6 KB] ================================================ FILE: plugins/ExtendedNotifications/ExtendedNotifications.vcxproj ================================================ [File too large to display: 3.4 KB] ================================================ FILE: plugins/ExtendedNotifications/ExtendedNotifications.vcxproj.filters ================================================ [File too large to display: 1.4 KB] ================================================ FILE: plugins/ExtendedNotifications/extnoti.h ================================================ [File too large to display: 778 B] ================================================ FILE: plugins/ExtendedNotifications/filelog.c ================================================ [File too large to display: 2.8 KB] ================================================ FILE: plugins/ExtendedNotifications/main.c ================================================ [File too large to display: 31.3 KB] ================================================ FILE: plugins/ExtendedNotifications/resource.h ================================================ [File too large to display: 1.0 KB] ================================================ FILE: plugins/ExtendedNotifications/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/ExtendedServices/CHANGELOG.txt ================================================ [File too large to display: 794 B] ================================================ FILE: plugins/ExtendedServices/CMakeLists.txt ================================================ [File too large to display: 800 B] ================================================ FILE: plugins/ExtendedServices/ExtendedServices.rc ================================================ [File too large to display: 11.9 KB] ================================================ FILE: plugins/ExtendedServices/ExtendedServices.vcxproj ================================================ [File too large to display: 5.3 KB] ================================================ FILE: plugins/ExtendedServices/ExtendedServices.vcxproj.filters ================================================ [File too large to display: 2.0 KB] ================================================ FILE: plugins/ExtendedServices/depend.c ================================================ [File too large to display: 9.6 KB] ================================================ FILE: plugins/ExtendedServices/extsrv.h ================================================ [File too large to display: 3.4 KB] ================================================ FILE: plugins/ExtendedServices/main.c ================================================ [File too large to display: 23.8 KB] ================================================ FILE: plugins/ExtendedServices/other.c ================================================ [File too large to display: 25.2 KB] ================================================ FILE: plugins/ExtendedServices/recovery.c ================================================ [File too large to display: 25.5 KB] ================================================ FILE: plugins/ExtendedServices/resource.h ================================================ [File too large to display: 3.4 KB] ================================================ FILE: plugins/ExtendedServices/srvprgrs.c ================================================ [File too large to display: 4.3 KB] ================================================ FILE: plugins/ExtendedServices/svcpkg.c ================================================ [File too large to display: 11.8 KB] ================================================ FILE: plugins/ExtendedServices/svcpnp.c ================================================ [File too large to display: 25.3 KB] ================================================ FILE: plugins/ExtendedServices/trigger.c ================================================ [File too large to display: 51.7 KB] ================================================ FILE: plugins/ExtendedServices/triggpg.c ================================================ [File too large to display: 6.6 KB] ================================================ FILE: plugins/ExtendedServices/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/ExtendedTools/CHANGELOG.txt ================================================ [File too large to display: 1.4 KB] ================================================ FILE: plugins/ExtendedTools/CMakeLists.txt ================================================ [File too large to display: 3.0 KB] ================================================ FILE: plugins/ExtendedTools/Efi/EfiDevicePath.h ================================================ [File too large to display: 21.5 KB] ================================================ FILE: plugins/ExtendedTools/Efi/EfiTypes.h ================================================ [File too large to display: 6.9 KB] ================================================ FILE: plugins/ExtendedTools/ExtendedTools.rc ================================================ [File too large to display: 28.5 KB] ================================================ FILE: plugins/ExtendedTools/ExtendedTools.vcxproj ================================================ [File too large to display: 9.5 KB] ================================================ FILE: plugins/ExtendedTools/ExtendedTools.vcxproj.filters ================================================ [File too large to display: 10.9 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/ETW/Microsoft_Windows_D3D9.h ================================================ [File too large to display: 1.7 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/ETW/Microsoft_Windows_DXGI.h ================================================ [File too large to display: 2.3 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/ETW/Microsoft_Windows_Dwm_Core.h ================================================ [File too large to display: 3.4 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/ETW/Microsoft_Windows_DxgKrnl.h ================================================ [File too large to display: 10.0 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/ETW/Microsoft_Windows_EventMetadata.h ================================================ [File too large to display: 1.8 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/ETW/Microsoft_Windows_Win32k.h ================================================ [File too large to display: 4.3 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/LICENSE.txt ================================================ [File too large to display: 1.0 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/PresentMon.cpp ================================================ [File too large to display: 15.8 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/PresentMon.hpp ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/PresentMonTraceConsumer.cpp ================================================ [File too large to display: 83.4 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/PresentMonTraceConsumer.hpp ================================================ [File too large to display: 9.8 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/TraceConsumer.cpp ================================================ [File too large to display: 9.8 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/TraceConsumer.hpp ================================================ [File too large to display: 2.7 KB] ================================================ FILE: plugins/ExtendedTools/PresentMon/TraceSession.cpp ================================================ [File too large to display: 17.2 KB] ================================================ FILE: plugins/ExtendedTools/counters.c ================================================ [File too large to display: 82.3 KB] ================================================ FILE: plugins/ExtendedTools/d3dkmt/LICENSE ================================================ [File too large to display: 1.1 KB] ================================================ FILE: plugins/ExtendedTools/d3dkmt/d3dkmdt.h ================================================ [File too large to display: 95.6 KB] ================================================ FILE: plugins/ExtendedTools/d3dkmt/d3dkmthk.h ================================================ [File too large to display: 288.8 KB] ================================================ FILE: plugins/ExtendedTools/d3dkmt/d3dukmdt.h ================================================ [File too large to display: 79.3 KB] ================================================ FILE: plugins/ExtendedTools/disktab.c ================================================ [File too large to display: 42.9 KB] ================================================ FILE: plugins/ExtendedTools/disktabp.h ================================================ [File too large to display: 3.1 KB] ================================================ FILE: plugins/ExtendedTools/efi_guid_list.h ================================================ [File too large to display: 238.4 KB] ================================================ FILE: plugins/ExtendedTools/etwdisk.c ================================================ [File too large to display: 15.2 KB] ================================================ FILE: plugins/ExtendedTools/etwmini.c ================================================ [File too large to display: 9.3 KB] ================================================ FILE: plugins/ExtendedTools/etwmini.h ================================================ [File too large to display: 1.1 KB] ================================================ FILE: plugins/ExtendedTools/etwmon.c ================================================ [File too large to display: 32.2 KB] ================================================ FILE: plugins/ExtendedTools/etwmon.h ================================================ [File too large to display: 2.6 KB] ================================================ FILE: plugins/ExtendedTools/etwprprp.c ================================================ [File too large to display: 40.8 KB] ================================================ FILE: plugins/ExtendedTools/etwstat.c ================================================ [File too large to display: 16.2 KB] ================================================ FILE: plugins/ExtendedTools/etwsys.c ================================================ [File too large to display: 51.2 KB] ================================================ FILE: plugins/ExtendedTools/etwsys.h ================================================ [File too large to display: 2.4 KB] ================================================ FILE: plugins/ExtendedTools/extension/plugin.h ================================================ [File too large to display: 1.2 KB] ================================================ FILE: plugins/ExtendedTools/exttools.h ================================================ [File too large to display: 44.7 KB] ================================================ FILE: plugins/ExtendedTools/firmware.c ================================================ [File too large to display: 13.9 KB] ================================================ FILE: plugins/ExtendedTools/firmware_editor.c ================================================ [File too large to display: 13.2 KB] ================================================ FILE: plugins/ExtendedTools/framemon.cpp ================================================ [File too large to display: 9.0 KB] ================================================ FILE: plugins/ExtendedTools/framemon.h ================================================ [File too large to display: 1.7 KB] ================================================ FILE: plugins/ExtendedTools/frameprp.c ================================================ [File too large to display: 50.2 KB] ================================================ FILE: plugins/ExtendedTools/fwmon.c ================================================ [File too large to display: 67.0 KB] ================================================ FILE: plugins/ExtendedTools/fwtab.c ================================================ [File too large to display: 71.1 KB] ================================================ FILE: plugins/ExtendedTools/gpudetails.c ================================================ [File too large to display: 21.2 KB] ================================================ FILE: plugins/ExtendedTools/gpumini.c ================================================ [File too large to display: 4.2 KB] ================================================ FILE: plugins/ExtendedTools/gpumini.h ================================================ [File too large to display: 678 B] ================================================ FILE: plugins/ExtendedTools/gpumon.c ================================================ [File too large to display: 35.8 KB] ================================================ FILE: plugins/ExtendedTools/gpumon.h ================================================ [File too large to display: 672 B] ================================================ FILE: plugins/ExtendedTools/gpunodes.c ================================================ [File too large to display: 20.9 KB] ================================================ FILE: plugins/ExtendedTools/gpuprprp.c ================================================ [File too large to display: 35.6 KB] ================================================ FILE: plugins/ExtendedTools/gpusys.c ================================================ [File too large to display: 46.8 KB] ================================================ FILE: plugins/ExtendedTools/gpusys.h ================================================ [File too large to display: 1.6 KB] ================================================ FILE: plugins/ExtendedTools/iconext.c ================================================ [File too large to display: 57.7 KB] ================================================ FILE: plugins/ExtendedTools/main.c ================================================ [File too large to display: 68.7 KB] ================================================ FILE: plugins/ExtendedTools/modsrv.c ================================================ [File too large to display: 9.0 KB] ================================================ FILE: plugins/ExtendedTools/namedpipes.c ================================================ [File too large to display: 23.7 KB] ================================================ FILE: plugins/ExtendedTools/npudetails.c ================================================ [File too large to display: 20.7 KB] ================================================ FILE: plugins/ExtendedTools/npumini.c ================================================ [File too large to display: 4.2 KB] ================================================ FILE: plugins/ExtendedTools/npumini.h ================================================ [File too large to display: 698 B] ================================================ FILE: plugins/ExtendedTools/npumon.c ================================================ [File too large to display: 33.9 KB] ================================================ FILE: plugins/ExtendedTools/npumon.h ================================================ [File too large to display: 700 B] ================================================ FILE: plugins/ExtendedTools/npunodes.c ================================================ [File too large to display: 20.8 KB] ================================================ FILE: plugins/ExtendedTools/npuprprp.c ================================================ [File too large to display: 35.6 KB] ================================================ FILE: plugins/ExtendedTools/npusys.c ================================================ [File too large to display: 46.5 KB] ================================================ FILE: plugins/ExtendedTools/npusys.h ================================================ [File too large to display: 1.6 KB] ================================================ FILE: plugins/ExtendedTools/objmgr.c ================================================ [File too large to display: 136.6 KB] ================================================ FILE: plugins/ExtendedTools/objprp.c ================================================ [File too large to display: 95.3 KB] ================================================ FILE: plugins/ExtendedTools/options.c ================================================ [File too large to display: 2.7 KB] ================================================ FILE: plugins/ExtendedTools/pooldb.c ================================================ [File too large to display: 8.6 KB] ================================================ FILE: plugins/ExtendedTools/pooldialog.c ================================================ [File too large to display: 15.0 KB] ================================================ FILE: plugins/ExtendedTools/pooldialogbig.c ================================================ [File too large to display: 7.8 KB] ================================================ FILE: plugins/ExtendedTools/poolmon.h ================================================ [File too large to display: 5.4 KB] ================================================ FILE: plugins/ExtendedTools/pooltree.c ================================================ [File too large to display: 35.6 KB] ================================================ FILE: plugins/ExtendedTools/reparse.c ================================================ [File too large to display: 54.3 KB] ================================================ FILE: plugins/ExtendedTools/resource.h ================================================ [File too large to display: 9.5 KB] ================================================ FILE: plugins/ExtendedTools/smbios.c ================================================ [File too large to display: 176.0 KB] ================================================ FILE: plugins/ExtendedTools/svcext.c ================================================ [File too large to display: 3.7 KB] ================================================ FILE: plugins/ExtendedTools/thrdact.c ================================================ [File too large to display: 1.1 KB] ================================================ FILE: plugins/ExtendedTools/tpm.c ================================================ [File too large to display: 28.8 KB] ================================================ FILE: plugins/ExtendedTools/tpm.h ================================================ [File too large to display: 32.6 KB] ================================================ FILE: plugins/ExtendedTools/tpm_editor.c ================================================ [File too large to display: 11.4 KB] ================================================ FILE: plugins/ExtendedTools/treeext.c ================================================ [File too large to display: 52.6 KB] ================================================ FILE: plugins/ExtendedTools/unldll.c ================================================ [File too large to display: 19.8 KB] ================================================ FILE: plugins/ExtendedTools/utils.c ================================================ [File too large to display: 23.6 KB] ================================================ FILE: plugins/ExtendedTools/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/ExtendedTools/waitchain.c ================================================ [File too large to display: 37.5 KB] ================================================ FILE: plugins/ExtendedTools/wswatch.c ================================================ [File too large to display: 22.4 KB] ================================================ FILE: plugins/HardwareDevices/CHANGELOG.txt ================================================ [File too large to display: 384 B] ================================================ FILE: plugins/HardwareDevices/CMakeLists.txt ================================================ [File too large to display: 1.6 KB] ================================================ FILE: plugins/HardwareDevices/HardwareDevices.rc ================================================ [File too large to display: 15.6 KB] ================================================ FILE: plugins/HardwareDevices/HardwareDevices.vcxproj ================================================ [File too large to display: 6.3 KB] ================================================ FILE: plugins/HardwareDevices/HardwareDevices.vcxproj.filters ================================================ [File too large to display: 4.1 KB] ================================================ FILE: plugins/HardwareDevices/adapter.c ================================================ [File too large to display: 11.3 KB] ================================================ FILE: plugins/HardwareDevices/d3dkmt/LICENSE ================================================ [File too large to display: 1.1 KB] ================================================ FILE: plugins/HardwareDevices/d3dkmt/d3dkmdt.h ================================================ [File too large to display: 95.6 KB] ================================================ FILE: plugins/HardwareDevices/d3dkmt/d3dkmthk.h ================================================ [File too large to display: 288.8 KB] ================================================ FILE: plugins/HardwareDevices/d3dkmt/d3dukmdt.h ================================================ [File too large to display: 79.3 KB] ================================================ FILE: plugins/HardwareDevices/deviceprops.c ================================================ [File too large to display: 51.0 KB] ================================================ FILE: plugins/HardwareDevices/devices.h ================================================ [File too large to display: 50.7 KB] ================================================ FILE: plugins/HardwareDevices/devicetree.c ================================================ [File too large to display: 71.1 KB] ================================================ FILE: plugins/HardwareDevices/disk.c ================================================ [File too large to display: 9.0 KB] ================================================ FILE: plugins/HardwareDevices/diskdetails.c ================================================ [File too large to display: 52.6 KB] ================================================ FILE: plugins/HardwareDevices/diskgraph.c ================================================ [File too large to display: 29.6 KB] ================================================ FILE: plugins/HardwareDevices/disknotify.c ================================================ [File too large to display: 3.0 KB] ================================================ FILE: plugins/HardwareDevices/diskoptions.c ================================================ [File too large to display: 24.7 KB] ================================================ FILE: plugins/HardwareDevices/fmifs.h ================================================ [File too large to display: 11.1 KB] ================================================ FILE: plugins/HardwareDevices/gpu.c ================================================ [File too large to display: 15.4 KB] ================================================ FILE: plugins/HardwareDevices/gpudetails.c ================================================ [File too large to display: 22.5 KB] ================================================ FILE: plugins/HardwareDevices/gpugraph.c ================================================ [File too large to display: 50.9 KB] ================================================ FILE: plugins/HardwareDevices/gpunodes.c ================================================ [File too large to display: 24.0 KB] ================================================ FILE: plugins/HardwareDevices/gpuoptions.c ================================================ [File too large to display: 29.2 KB] ================================================ FILE: plugins/HardwareDevices/graphics.c ================================================ [File too large to display: 30.2 KB] ================================================ FILE: plugins/HardwareDevices/main.c ================================================ [File too large to display: 25.1 KB] ================================================ FILE: plugins/HardwareDevices/ndis.c ================================================ [File too large to display: 20.1 KB] ================================================ FILE: plugins/HardwareDevices/ndiswlan.c ================================================ [File too large to display: 4.0 KB] ================================================ FILE: plugins/HardwareDevices/ndiswlan.h ================================================ [File too large to display: 8.6 KB] ================================================ FILE: plugins/HardwareDevices/netdetails.c ================================================ [File too large to display: 41.1 KB] ================================================ FILE: plugins/HardwareDevices/netgraph.c ================================================ [File too large to display: 31.4 KB] ================================================ FILE: plugins/HardwareDevices/netoptions.c ================================================ [File too large to display: 34.4 KB] ================================================ FILE: plugins/HardwareDevices/power.c ================================================ [File too large to display: 11.0 KB] ================================================ FILE: plugins/HardwareDevices/powergraph.c ================================================ [File too large to display: 33.0 KB] ================================================ FILE: plugins/HardwareDevices/poweroptions.c ================================================ [File too large to display: 24.4 KB] ================================================ FILE: plugins/HardwareDevices/prpsh.c ================================================ [File too large to display: 16.9 KB] ================================================ FILE: plugins/HardwareDevices/prpsh.h ================================================ [File too large to display: 3.2 KB] ================================================ FILE: plugins/HardwareDevices/resource.h ================================================ [File too large to display: 3.9 KB] ================================================ FILE: plugins/HardwareDevices/storage.c ================================================ [File too large to display: 51.4 KB] ================================================ FILE: plugins/HardwareDevices/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/NetworkTools/CMakeLists.txt ================================================ [File too large to display: 1016 B] ================================================ FILE: plugins/NetworkTools/NetworkTools.rc ================================================ [File too large to display: 22.9 KB] ================================================ FILE: plugins/NetworkTools/NetworkTools.vcxproj ================================================ [File too large to display: 15.5 KB] ================================================ FILE: plugins/NetworkTools/NetworkTools.vcxproj.filters ================================================ [File too large to display: 25.9 KB] ================================================ FILE: plugins/NetworkTools/country.c ================================================ [File too large to display: 23.3 KB] ================================================ FILE: plugins/NetworkTools/main.c ================================================ [File too large to display: 38.8 KB] ================================================ FILE: plugins/NetworkTools/nettools.h ================================================ [File too large to display: 9.4 KB] ================================================ FILE: plugins/NetworkTools/options.c ================================================ [File too large to display: 11.4 KB] ================================================ FILE: plugins/NetworkTools/pages.c ================================================ [File too large to display: 9.4 KB] ================================================ FILE: plugins/NetworkTools/ping.c ================================================ [File too large to display: 29.2 KB] ================================================ FILE: plugins/NetworkTools/ports.c ================================================ [File too large to display: 190.1 KB] ================================================ FILE: plugins/NetworkTools/resource.h ================================================ [File too large to display: 12.5 KB] ================================================ FILE: plugins/NetworkTools/resources/licence.txt ================================================ [File too large to display: 99 B] ================================================ FILE: plugins/NetworkTools/tracert.c ================================================ [File too large to display: 41.3 KB] ================================================ FILE: plugins/NetworkTools/tracert.h ================================================ [File too large to display: 2.3 KB] ================================================ FILE: plugins/NetworkTools/tracetree.c ================================================ [File too large to display: 18.5 KB] ================================================ FILE: plugins/NetworkTools/update.c ================================================ [File too large to display: 24.4 KB] ================================================ FILE: plugins/NetworkTools/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/NetworkTools/whois.c ================================================ [File too large to display: 34.5 KB] ================================================ FILE: plugins/OnlineChecks/CHANGELOG.txt ================================================ [File too large to display: 442 B] ================================================ FILE: plugins/OnlineChecks/CMakeLists.txt ================================================ [File too large to display: 674 B] ================================================ FILE: plugins/OnlineChecks/OnlineChecks.rc ================================================ [File too large to display: 3.4 KB] ================================================ FILE: plugins/OnlineChecks/OnlineChecks.vcxproj ================================================ [File too large to display: 3.6 KB] ================================================ FILE: plugins/OnlineChecks/OnlineChecks.vcxproj.filters ================================================ [File too large to display: 2.0 KB] ================================================ FILE: plugins/OnlineChecks/api.c ================================================ [File too large to display: 14.1 KB] ================================================ FILE: plugins/OnlineChecks/main.c ================================================ [File too large to display: 42.8 KB] ================================================ FILE: plugins/OnlineChecks/onlnchk.h ================================================ [File too large to display: 8.8 KB] ================================================ FILE: plugins/OnlineChecks/options.c ================================================ [File too large to display: 6.5 KB] ================================================ FILE: plugins/OnlineChecks/page1.c ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/OnlineChecks/page2.c ================================================ [File too large to display: 4.4 KB] ================================================ FILE: plugins/OnlineChecks/page3.c ================================================ [File too large to display: 6.8 KB] ================================================ FILE: plugins/OnlineChecks/page4.c ================================================ [File too large to display: 1.7 KB] ================================================ FILE: plugins/OnlineChecks/resource.h ================================================ [File too large to display: 1.2 KB] ================================================ FILE: plugins/OnlineChecks/scan.c ================================================ [File too large to display: 33.5 KB] ================================================ FILE: plugins/OnlineChecks/upload.c ================================================ [File too large to display: 65.5 KB] ================================================ FILE: plugins/OnlineChecks/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/Plugins.props ================================================ [File too large to display: 8.6 KB] ================================================ FILE: plugins/Plugins.sln ================================================ [File too large to display: 12.6 KB] ================================================ FILE: plugins/Plugins.slnx ================================================ [File too large to display: 1.4 KB] ================================================ FILE: plugins/ToolStatus/CHANGELOG.txt ================================================ [File too large to display: 1.3 KB] ================================================ FILE: plugins/ToolStatus/CMakeLists.txt ================================================ [File too large to display: 751 B] ================================================ FILE: plugins/ToolStatus/ToolStatus.rc ================================================ [File too large to display: 8.6 KB] ================================================ FILE: plugins/ToolStatus/ToolStatus.vcxproj ================================================ [File too large to display: 5.7 KB] ================================================ FILE: plugins/ToolStatus/ToolStatus.vcxproj.filters ================================================ [File too large to display: 6.6 KB] ================================================ FILE: plugins/ToolStatus/customizesb.c ================================================ [File too large to display: 21.5 KB] ================================================ FILE: plugins/ToolStatus/customizetb.c ================================================ [File too large to display: 32.3 KB] ================================================ FILE: plugins/ToolStatus/filter.c ================================================ [File too large to display: 17.8 KB] ================================================ FILE: plugins/ToolStatus/find.c ================================================ [File too large to display: 18.0 KB] ================================================ FILE: plugins/ToolStatus/graph.c ================================================ [File too large to display: 34.8 KB] ================================================ FILE: plugins/ToolStatus/main.c ================================================ [File too large to display: 74.3 KB] ================================================ FILE: plugins/ToolStatus/options.c ================================================ [File too large to display: 5.0 KB] ================================================ FILE: plugins/ToolStatus/plugin.c ================================================ [File too large to display: 3.7 KB] ================================================ FILE: plugins/ToolStatus/resource.h ================================================ [File too large to display: 2.8 KB] ================================================ FILE: plugins/ToolStatus/statusbar.c ================================================ [File too large to display: 23.3 KB] ================================================ FILE: plugins/ToolStatus/taskbar.c ================================================ [File too large to display: 16.5 KB] ================================================ FILE: plugins/ToolStatus/toolbar.c ================================================ [File too large to display: 30.8 KB] ================================================ FILE: plugins/ToolStatus/toolbarsup.c ================================================ [File too large to display: 5.9 KB] ================================================ FILE: plugins/ToolStatus/toolstatus.h ================================================ [File too large to display: 13.5 KB] ================================================ FILE: plugins/ToolStatus/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/Updater/CHANGELOG.txt ================================================ [File too large to display: 909 B] ================================================ FILE: plugins/Updater/CMakeLists.txt ================================================ [File too large to display: 777 B] ================================================ FILE: plugins/Updater/Updater.rc ================================================ [File too large to display: 3.1 KB] ================================================ FILE: plugins/Updater/Updater.vcxproj ================================================ [File too large to display: 6.4 KB] ================================================ FILE: plugins/Updater/Updater.vcxproj.filters ================================================ [File too large to display: 2.0 KB] ================================================ FILE: plugins/Updater/main.c ================================================ [File too large to display: 7.3 KB] ================================================ FILE: plugins/Updater/options.c ================================================ [File too large to display: 32.7 KB] ================================================ FILE: plugins/Updater/page1.c ================================================ [File too large to display: 4.4 KB] ================================================ FILE: plugins/Updater/page2.c ================================================ [File too large to display: 2.6 KB] ================================================ FILE: plugins/Updater/page3.c ================================================ [File too large to display: 2.8 KB] ================================================ FILE: plugins/Updater/page4.c ================================================ [File too large to display: 2.8 KB] ================================================ FILE: plugins/Updater/page5.c ================================================ [File too large to display: 9.1 KB] ================================================ FILE: plugins/Updater/resource.h ================================================ [File too large to display: 793 B] ================================================ FILE: plugins/Updater/updater.c ================================================ [File too large to display: 43.8 KB] ================================================ FILE: plugins/Updater/updater.h ================================================ [File too large to display: 6.4 KB] ================================================ FILE: plugins/Updater/verify.c ================================================ [File too large to display: 25.1 KB] ================================================ FILE: plugins/Updater/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/UserNotes/CHANGELOG.txt ================================================ [File too large to display: 472 B] ================================================ FILE: plugins/UserNotes/CMakeLists.txt ================================================ [File too large to display: 706 B] ================================================ FILE: plugins/UserNotes/UserNotes.rc ================================================ [File too large to display: 3.3 KB] ================================================ FILE: plugins/UserNotes/UserNotes.vcxproj ================================================ [File too large to display: 4.6 KB] ================================================ FILE: plugins/UserNotes/UserNotes.vcxproj.filters ================================================ [File too large to display: 1.7 KB] ================================================ FILE: plugins/UserNotes/db.c ================================================ [File too large to display: 20.3 KB] ================================================ FILE: plugins/UserNotes/db.h ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/UserNotes/main.c ================================================ [File too large to display: 102.8 KB] ================================================ FILE: plugins/UserNotes/options.c ================================================ [File too large to display: 10.5 KB] ================================================ FILE: plugins/UserNotes/prpcmpage.c ================================================ [File too large to display: 11.8 KB] ================================================ FILE: plugins/UserNotes/resource.h ================================================ [File too large to display: 749 B] ================================================ FILE: plugins/UserNotes/usernotes.h ================================================ [File too large to display: 3.8 KB] ================================================ FILE: plugins/UserNotes/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/WindowExplorer/CHANGELOG.txt ================================================ [File too large to display: 368 B] ================================================ FILE: plugins/WindowExplorer/CMakeLists.txt ================================================ [File too large to display: 986 B] ================================================ FILE: plugins/WindowExplorer/WindowExplorer.rc ================================================ [File too large to display: 4.5 KB] ================================================ FILE: plugins/WindowExplorer/WindowExplorer.vcxproj ================================================ [File too large to display: 5.6 KB] ================================================ FILE: plugins/WindowExplorer/WindowExplorer.vcxproj.filters ================================================ [File too large to display: 1.9 KB] ================================================ FILE: plugins/WindowExplorer/main.c ================================================ [File too large to display: 8.9 KB] ================================================ FILE: plugins/WindowExplorer/prpsh.c ================================================ [File too large to display: 15.3 KB] ================================================ FILE: plugins/WindowExplorer/prpsh.h ================================================ [File too large to display: 3.1 KB] ================================================ FILE: plugins/WindowExplorer/resource.h ================================================ [File too large to display: 2.6 KB] ================================================ FILE: plugins/WindowExplorer/utils.c ================================================ [File too large to display: 1.2 KB] ================================================ FILE: plugins/WindowExplorer/version.rc ================================================ [File too large to display: 2.1 KB] ================================================ FILE: plugins/WindowExplorer/wnddlg.c ================================================ [File too large to display: 78.9 KB] ================================================ FILE: plugins/WindowExplorer/wndexp.h ================================================ [File too large to display: 2.7 KB] ================================================ FILE: plugins/WindowExplorer/wndprp.c ================================================ [File too large to display: 98.3 KB] ================================================ FILE: plugins/WindowExplorer/wndtree.c ================================================ [File too large to display: 20.6 KB] ================================================ FILE: plugins/WindowExplorer/wndtree.h ================================================ [File too large to display: 3.3 KB] ================================================ FILE: plugins/include/commonutil.h ================================================ [File too large to display: 669 B] ================================================ FILE: plugins/include/networktoolsintf.h ================================================ [File too large to display: 1.7 KB] ================================================ FILE: plugins/include/toolstatusintf.h ================================================ [File too large to display: 3.7 KB] ================================================ FILE: plugins/readme.txt ================================================ [File too large to display: 131 B] ================================================ FILE: tools/CMakeLists.txt ================================================ [File too large to display: 180 B] ================================================ FILE: tools/CompileCommandsJson/CompileCommandsJson.cs ================================================ [File too large to display: 8.6 KB] ================================================ FILE: tools/CompileCommandsJson/CompileCommandsJson.csproj ================================================ [File too large to display: 614 B] ================================================ FILE: tools/CompileCommandsJson/CompileCommandsJson.sln ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/CompileCommandsJson/CompileCommandsJson.slnx ================================================ [File too large to display: 279 B] ================================================ FILE: tools/CompileCommandsJson/Properties/PublishProfiles/amd64.pubxml ================================================ [File too large to display: 644 B] ================================================ FILE: tools/CompileCommandsJson/Properties/PublishProfiles/arm64.pubxml ================================================ [File too large to display: 644 B] ================================================ FILE: tools/CustomBuildTool/AzureClient.cs ================================================ [File too large to display: 55.7 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/AuthenticodeKeyVaultSigner.cs ================================================ [File too large to display: 29.0 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/ECDsaKeyVault.cs ================================================ [File too large to display: 12.2 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/ECDsaKeyVaultExtensions.cs ================================================ [File too large to display: 998 B] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/KeyVaultConfigurationDiscoverer.cs ================================================ [File too large to display: 4.6 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/KeyVaultContext.cs ================================================ [File too large to display: 15.1 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/LICENSE.txt ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/MemoryCertificateStore.cs ================================================ [File too large to display: 4.9 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/NativeMethods.cs ================================================ [File too large to display: 7.4 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/RSAKeyVault.cs ================================================ [File too large to display: 5.1 KB] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/RSAKeyVaultExtensions.cs ================================================ [File too large to display: 996 B] ================================================ FILE: tools/CustomBuildTool/AzureSignTool/TimeStampConfiguration.cs ================================================ [File too large to display: 2.4 KB] ================================================ FILE: tools/CustomBuildTool/Build.cs ================================================ [File too large to display: 105.2 KB] ================================================ FILE: tools/CustomBuildTool/BuildAzure.cs ================================================ [File too large to display: 19.9 KB] ================================================ FILE: tools/CustomBuildTool/BuildConfig.cs ================================================ [File too large to display: 5.8 KB] ================================================ FILE: tools/CustomBuildTool/BuildDevOps.cs ================================================ [File too large to display: 17.7 KB] ================================================ FILE: tools/CustomBuildTool/BuildGithub.cs ================================================ [File too large to display: 32.5 KB] ================================================ FILE: tools/CustomBuildTool/BuildHttpClient.cs ================================================ [File too large to display: 10.0 KB] ================================================ FILE: tools/CustomBuildTool/BuildSourceForge.cs ================================================ [File too large to display: 4.4 KB] ================================================ FILE: tools/CustomBuildTool/BuildToolsId.cs ================================================ [File too large to display: 3.9 KB] ================================================ FILE: tools/CustomBuildTool/BuildVerify.cs ================================================ [File too large to display: 27.2 KB] ================================================ FILE: tools/CustomBuildTool/BuildVirusTotal.cs ================================================ [File too large to display: 5.0 KB] ================================================ FILE: tools/CustomBuildTool/BuildVisualStudio.cs ================================================ [File too large to display: 48.1 KB] ================================================ FILE: tools/CustomBuildTool/CustomBuildTool.csproj ================================================ [File too large to display: 7.2 KB] ================================================ FILE: tools/CustomBuildTool/CustomBuildTool.sln ================================================ [File too large to display: 1.7 KB] ================================================ FILE: tools/CustomBuildTool/CustomBuildTool.slnx ================================================ [File too large to display: 351 B] ================================================ FILE: tools/CustomBuildTool/DynData.cs ================================================ [File too large to display: 30.4 KB] ================================================ FILE: tools/CustomBuildTool/GlobalSuppressions.cs ================================================ [File too large to display: 1.6 KB] ================================================ FILE: tools/CustomBuildTool/HeaderGen.cs ================================================ [File too large to display: 18.6 KB] ================================================ FILE: tools/CustomBuildTool/NativeImports.txt ================================================ [File too large to display: 490 B] ================================================ FILE: tools/CustomBuildTool/NativeMethods.json ================================================ [File too large to display: 383 B] ================================================ FILE: tools/CustomBuildTool/NativeMethods.txt ================================================ [File too large to display: 976 B] ================================================ FILE: tools/CustomBuildTool/Program.cs ================================================ [File too large to display: 32.6 KB] ================================================ FILE: tools/CustomBuildTool/Properties/PublishProfiles/amd64.pubxml ================================================ [File too large to display: 650 B] ================================================ FILE: tools/CustomBuildTool/Properties/PublishProfiles/arm64.pubxml ================================================ [File too large to display: 654 B] ================================================ FILE: tools/CustomBuildTool/Utils.cs ================================================ [File too large to display: 94.1 KB] ================================================ FILE: tools/CustomBuildTool/Win32.cs ================================================ [File too large to display: 34.2 KB] ================================================ FILE: tools/CustomBuildTool/Zip.cs ================================================ [File too large to display: 16.8 KB] ================================================ FILE: tools/CustomBuildTool/app.manifest ================================================ [File too large to display: 2.0 KB] ================================================ FILE: tools/CustomCmdTool/CustomCmdTool.sln ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/CustomCmdTool/CustomCmdTool.slnx ================================================ [File too large to display: 163 B] ================================================ FILE: tools/CustomCmdTool/CustomCmdTool.vcxproj ================================================ [File too large to display: 7.3 KB] ================================================ FILE: tools/CustomCmdTool/CustomCmdTool.vcxproj.filters ================================================ [File too large to display: 1.0 KB] ================================================ FILE: tools/CustomCmdTool/app.manifest ================================================ [File too large to display: 1.5 KB] ================================================ FILE: tools/CustomCmdTool/main.c ================================================ [File too large to display: 11.8 KB] ================================================ FILE: tools/CustomDebugTool/CustomDebugTool.slnx ================================================ [File too large to display: 205 B] ================================================ FILE: tools/CustomSetupTool/CustomSetupTool.sln ================================================ [File too large to display: 968 B] ================================================ FILE: tools/CustomSetupTool/CustomSetupTool.slnx ================================================ [File too large to display: 179 B] ================================================ FILE: tools/CustomSetupTool/CustomSetupTool.vcxproj ================================================ [File too large to display: 6.2 KB] ================================================ FILE: tools/CustomSetupTool/CustomSetupTool.vcxproj.filters ================================================ [File too large to display: 2.4 KB] ================================================ FILE: tools/CustomSetupTool/app.manifest ================================================ [File too large to display: 2.1 KB] ================================================ FILE: tools/CustomSetupTool/extract.c ================================================ [File too large to display: 11.6 KB] ================================================ FILE: tools/CustomSetupTool/install.c ================================================ [File too large to display: 2.2 KB] ================================================ FILE: tools/CustomSetupTool/main.c ================================================ [File too large to display: 15.7 KB] ================================================ FILE: tools/CustomSetupTool/resource.h ================================================ [File too large to display: 520 B] ================================================ FILE: tools/CustomSetupTool/resource.rc ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/CustomSetupTool/setup.h ================================================ [File too large to display: 6.4 KB] ================================================ FILE: tools/CustomSetupTool/startpage.c ================================================ [File too large to display: 14.7 KB] ================================================ FILE: tools/CustomSetupTool/uninstall.c ================================================ [File too large to display: 10.0 KB] ================================================ FILE: tools/CustomSetupTool/update.c ================================================ [File too large to display: 6.2 KB] ================================================ FILE: tools/CustomSetupTool/util.c ================================================ [File too large to display: 52.2 KB] ================================================ FILE: tools/CustomSetupTool/version.rc ================================================ [File too large to display: 2.4 KB] ================================================ FILE: tools/CustomSignTool/CustomSignTool.manifest ================================================ [File too large to display: 1.7 KB] ================================================ FILE: tools/CustomSignTool/CustomSignTool.sln ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/CustomSignTool/CustomSignTool.slnx ================================================ [File too large to display: 162 B] ================================================ FILE: tools/CustomSignTool/CustomSignTool.vcxproj ================================================ [File too large to display: 7.7 KB] ================================================ FILE: tools/CustomSignTool/CustomSignTool.vcxproj.filters ================================================ [File too large to display: 1.3 KB] ================================================ FILE: tools/CustomSignTool/main.c ================================================ [File too large to display: 15.1 KB] ================================================ FILE: tools/CustomSignTool/resource.h ================================================ [File too large to display: 433 B] ================================================ FILE: tools/CustomSignTool/resource.rc ================================================ [File too large to display: 1.8 KB] ================================================ FILE: tools/CustomStartTool/CustomStartTool.sln ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/CustomStartTool/CustomStartTool.slnx ================================================ [File too large to display: 205 B] ================================================ FILE: tools/CustomStartTool/CustomStartTool.vcxproj ================================================ [File too large to display: 7.6 KB] ================================================ FILE: tools/CustomStartTool/CustomStartTool.vcxproj.filters ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/CustomStartTool/app.manifest ================================================ [File too large to display: 2.1 KB] ================================================ FILE: tools/CustomStartTool/main.c ================================================ [File too large to display: 5.3 KB] ================================================ FILE: tools/Directory.Build.props ================================================ [File too large to display: 250 B] ================================================ FILE: tools/GenerateZw/GenerateZw.csproj ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/GenerateZw/GenerateZw.sln ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/GenerateZw/GenerateZw.slnx ================================================ [File too large to display: 62 B] ================================================ FILE: tools/GenerateZw/Program.cs ================================================ [File too large to display: 330 B] ================================================ FILE: tools/GenerateZw/Properties/PublishProfiles/64Bit.pubxml ================================================ [File too large to display: 755 B] ================================================ FILE: tools/GenerateZw/ZwGen.cs ================================================ [File too large to display: 4.3 KB] ================================================ FILE: tools/fixlib/fixlib.c ================================================ [File too large to display: 2.9 KB] ================================================ FILE: tools/fixlib/fixlib.sln ================================================ [File too large to display: 1.0 KB] ================================================ FILE: tools/fixlib/fixlib.slnx ================================================ [File too large to display: 196 B] ================================================ FILE: tools/fixlib/fixlib.vcxproj ================================================ [File too large to display: 7.2 KB] ================================================ FILE: tools/fixlib/fixlib.vcxproj.filters ================================================ [File too large to display: 496 B] ================================================ FILE: tools/fixlib_bcd/lib32/bcd.def ================================================ [File too large to display: 1.6 KB] ================================================ FILE: tools/fixlib_bcd/lib64/bcd.def ================================================ [File too large to display: 1.5 KB] ================================================ FILE: tools/fixlib_bcd/make_bcd_lib.cmd ================================================ [File too large to display: 865 B] ================================================ FILE: tools/msix/PackageManifest64.msix.xml ================================================ [File too large to display: 3.4 KB] ================================================ FILE: tools/msix/PackageTemplate.appinstaller ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/msix/PackageTemplate.msix.xml ================================================ [File too large to display: 4.0 KB] ================================================ FILE: tools/msix/build.cmd ================================================ [File too large to display: 828 B] ================================================ FILE: tools/peview/CMakeLists.txt ================================================ [File too large to display: 2.9 KB] ================================================ FILE: tools/peview/appmanifest.c ================================================ [File too large to display: 3.8 KB] ================================================ FILE: tools/peview/attributes.c ================================================ [File too large to display: 10.0 KB] ================================================ FILE: tools/peview/cfgprp.c ================================================ [File too large to display: 8.9 KB] ================================================ FILE: tools/peview/chcol.c ================================================ [File too large to display: 25.3 KB] ================================================ FILE: tools/peview/clrprp.c ================================================ [File too large to display: 18.0 KB] ================================================ FILE: tools/peview/clrprptables.c ================================================ [File too large to display: 6.5 KB] ================================================ FILE: tools/peview/clrtableimportprp.c ================================================ [File too large to display: 6.9 KB] ================================================ FILE: tools/peview/clrtableimports.cpp ================================================ [File too large to display: 26.1 KB] ================================================ FILE: tools/peview/colmgr.c ================================================ [File too large to display: 17.1 KB] ================================================ FILE: tools/peview/colmgr.h ================================================ [File too large to display: 1.8 KB] ================================================ FILE: tools/peview/debugprp.c ================================================ [File too large to display: 7.5 KB] ================================================ FILE: tools/peview/delayhook.c ================================================ [File too large to display: 70.0 KB] ================================================ FILE: tools/peview/disimp.c ================================================ [File too large to display: 79.4 KB] ================================================ FILE: tools/peview/ehcontprp.c ================================================ [File too large to display: 6.9 KB] ================================================ FILE: tools/peview/exlfdynamic.c ================================================ [File too large to display: 5.8 KB] ================================================ FILE: tools/peview/exlfexports.c ================================================ [File too large to display: 3.9 KB] ================================================ FILE: tools/peview/exlfimports.c ================================================ [File too large to display: 3.7 KB] ================================================ FILE: tools/peview/exlfprp.c ================================================ [File too large to display: 13.3 KB] ================================================ FILE: tools/peview/expprp.c ================================================ [File too large to display: 35.1 KB] ================================================ FILE: tools/peview/hashprp.c ================================================ [File too large to display: 51.0 KB] ================================================ FILE: tools/peview/impprp.c ================================================ [File too large to display: 36.2 KB] ================================================ FILE: tools/peview/include/peview.h ================================================ [File too large to display: 17.9 KB] ================================================ FILE: tools/peview/include/prpsh.h ================================================ [File too large to display: 2.4 KB] ================================================ FILE: tools/peview/layout.c ================================================ [File too large to display: 45.0 KB] ================================================ FILE: tools/peview/ldprp.c ================================================ [File too large to display: 23.6 KB] ================================================ FILE: tools/peview/libprp.c ================================================ [File too large to display: 6.0 KB] ================================================ FILE: tools/peview/links.c ================================================ [File too large to display: 8.9 KB] ================================================ FILE: tools/peview/main.c ================================================ [File too large to display: 10.2 KB] ================================================ FILE: tools/peview/mappings.c ================================================ [File too large to display: 7.1 KB] ================================================ FILE: tools/peview/metahost/CorError.h ================================================ [File too large to display: 58.5 KB] ================================================ FILE: tools/peview/metahost/CorHdr.h ================================================ [File too large to display: 93.9 KB] ================================================ FILE: tools/peview/metahost/cor.h ================================================ [File too large to display: 117.7 KB] ================================================ FILE: tools/peview/metahost/gchost.h ================================================ [File too large to display: 9.0 KB] ================================================ FILE: tools/peview/metahost/ivalidator.h ================================================ [File too large to display: 9.6 KB] ================================================ FILE: tools/peview/metahost/ivehandler.h ================================================ [File too large to display: 5.3 KB] ================================================ FILE: tools/peview/metahost/metahost.h ================================================ [File too large to display: 60.9 KB] ================================================ FILE: tools/peview/metahost/mscoree.h ================================================ [File too large to display: 239.7 KB] ================================================ FILE: tools/peview/misc.c ================================================ [File too large to display: 25.8 KB] ================================================ FILE: tools/peview/options.c ================================================ [File too large to display: 14.4 KB] ================================================ FILE: tools/peview/pdb.c ================================================ [File too large to display: 44.1 KB] ================================================ FILE: tools/peview/pdbprp.c ================================================ [File too large to display: 38.3 KB] ================================================ FILE: tools/peview/pechpeprp.c ================================================ [File too large to display: 21.1 KB] ================================================ FILE: tools/peview/pedirprp.c ================================================ [File too large to display: 37.8 KB] ================================================ FILE: tools/peview/pedynrelocprp.c ================================================ [File too large to display: 16.5 KB] ================================================ FILE: tools/peview/peexceptprp.c ================================================ [File too large to display: 22.5 KB] ================================================ FILE: tools/peview/peheaderprp.c ================================================ [File too large to display: 48.7 KB] ================================================ FILE: tools/peview/pemuiprp.c ================================================ [File too large to display: 15.7 KB] ================================================ FILE: tools/peview/pepogoprp.c ================================================ [File too large to display: 18.8 KB] ================================================ FILE: tools/peview/peprp.c ================================================ [File too large to display: 81.4 KB] ================================================ FILE: tools/peview/peprpwnd.c ================================================ [File too large to display: 34.4 KB] ================================================ FILE: tools/peview/perelocprp.c ================================================ [File too large to display: 8.7 KB] ================================================ FILE: tools/peview/pesectionprp.c ================================================ [File too large to display: 47.1 KB] ================================================ FILE: tools/peview/peview.manifest ================================================ [File too large to display: 2.4 KB] ================================================ FILE: tools/peview/peview.rc ================================================ [File too large to display: 28.2 KB] ================================================ FILE: tools/peview/peview.vcxproj ================================================ [File too large to display: 19.9 KB] ================================================ FILE: tools/peview/peview.vcxproj.filters ================================================ [File too large to display: 9.9 KB] ================================================ FILE: tools/peview/previewprp.c ================================================ [File too large to display: 4.4 KB] ================================================ FILE: tools/peview/processes.c ================================================ [File too large to display: 5.7 KB] ================================================ FILE: tools/peview/propstore.c ================================================ [File too large to display: 8.0 KB] ================================================ FILE: tools/peview/prpsh.c ================================================ [File too large to display: 18.7 KB] ================================================ FILE: tools/peview/resource.h ================================================ [File too large to display: 5.2 KB] ================================================ FILE: tools/peview/resprp.c ================================================ [File too large to display: 39.4 KB] ================================================ FILE: tools/peview/richprp.c ================================================ [File too large to display: 17.2 KB] ================================================ FILE: tools/peview/searchbox.c ================================================ [File too large to display: 1.2 KB] ================================================ FILE: tools/peview/secprp.c ================================================ [File too large to display: 51.1 KB] ================================================ FILE: tools/peview/settings.c ================================================ [File too large to display: 8.7 KB] ================================================ FILE: tools/peview/streams.c ================================================ [File too large to display: 12.3 KB] ================================================ FILE: tools/peview/strings.c ================================================ [File too large to display: 34.6 KB] ================================================ FILE: tools/peview/tlsprp.c ================================================ [File too large to display: 5.4 KB] ================================================ FILE: tools/peview/version.rc ================================================ [File too large to display: 2.2 KB] ================================================ FILE: tools/peview/versioninfoprp.c ================================================ [File too large to display: 20.5 KB] ================================================ FILE: tools/peview/volatileprp.c ================================================ [File too large to display: 8.1 KB] ================================================ FILE: tools/tests/phlib-test/main.c ================================================ [File too large to display: 440 B] ================================================ FILE: tools/tests/phlib-test/phlib-test.manifest ================================================ [File too large to display: 1.6 KB] ================================================ FILE: tools/tests/phlib-test/phlib-test.sln ================================================ [File too large to display: 1.7 KB] ================================================ FILE: tools/tests/phlib-test/phlib-test.slnx ================================================ [File too large to display: 232 B] ================================================ FILE: tools/tests/phlib-test/phlib-test.vcxproj ================================================ [File too large to display: 11.7 KB] ================================================ FILE: tools/tests/phlib-test/phlib-test.vcxproj.filters ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/tests/phlib-test/t_avltree.c ================================================ [File too large to display: 2.9 KB] ================================================ FILE: tools/tests/phlib-test/t_basesup.c ================================================ [File too large to display: 13.7 KB] ================================================ FILE: tools/tests/phlib-test/t_format.c ================================================ [File too large to display: 18.7 KB] ================================================ FILE: tools/tests/phlib-test/t_util.c ================================================ [File too large to display: 10.2 KB] ================================================ FILE: tools/tests/phlib-test/tests.h ================================================ [File too large to display: 375 B] ================================================ FILE: tools/thirdparty/CMakeLists.txt ================================================ [File too large to display: 6.0 KB] ================================================ FILE: tools/thirdparty/detours/LICENSE.txt ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/thirdparty/detours/detours.cpp ================================================ [File too large to display: 97.4 KB] ================================================ FILE: tools/thirdparty/detours/detours.h ================================================ [File too large to display: 16.8 KB] ================================================ FILE: tools/thirdparty/detours/disasm.cpp ================================================ [File too large to display: 161.6 KB] ================================================ FILE: tools/thirdparty/detours/disolarm.cpp ================================================ [File too large to display: 58 B] ================================================ FILE: tools/thirdparty/detours/disolarm64.cpp ================================================ [File too large to display: 60 B] ================================================ FILE: tools/thirdparty/detours/disolia64.cpp ================================================ [File too large to display: 59 B] ================================================ FILE: tools/thirdparty/detours/disolx64.cpp ================================================ [File too large to display: 58 B] ================================================ FILE: tools/thirdparty/detours/disolx86.cpp ================================================ [File too large to display: 58 B] ================================================ FILE: tools/thirdparty/detours/modules.cpp ================================================ [File too large to display: 935 B] ================================================ FILE: tools/thirdparty/jsonc/COPYING ================================================ [File too large to display: 2.2 KB] ================================================ FILE: tools/thirdparty/jsonc/ChangeLog ================================================ [File too large to display: 29.6 KB] ================================================ FILE: tools/thirdparty/jsonc/arraylist.c ================================================ [File too large to display: 5.9 KB] ================================================ FILE: tools/thirdparty/jsonc/arraylist.h ================================================ [File too large to display: 2.6 KB] ================================================ FILE: tools/thirdparty/jsonc/config.h ================================================ [File too large to display: 6.1 KB] ================================================ FILE: tools/thirdparty/jsonc/debug.c ================================================ [File too large to display: 1.5 KB] ================================================ FILE: tools/thirdparty/jsonc/debug.h ================================================ [File too large to display: 2.7 KB] ================================================ FILE: tools/thirdparty/jsonc/json.h ================================================ [File too large to display: 836 B] ================================================ FILE: tools/thirdparty/jsonc/json_c_version.c ================================================ [File too large to display: 369 B] ================================================ FILE: tools/thirdparty/jsonc/json_c_version.h ================================================ [File too large to display: 1.3 KB] ================================================ FILE: tools/thirdparty/jsonc/json_config.h ================================================ [File too large to display: 183 B] ================================================ FILE: tools/thirdparty/jsonc/json_inttypes.h ================================================ [File too large to display: 675 B] ================================================ FILE: tools/thirdparty/jsonc/json_object.c ================================================ [File too large to display: 55.2 KB] ================================================ FILE: tools/thirdparty/jsonc/json_object.h ================================================ [File too large to display: 43.9 KB] ================================================ FILE: tools/thirdparty/jsonc/json_object_iterator.c ================================================ [File too large to display: 4.6 KB] ================================================ FILE: tools/thirdparty/jsonc/json_object_iterator.h ================================================ [File too large to display: 8.2 KB] ================================================ FILE: tools/thirdparty/jsonc/json_object_private.h ================================================ [File too large to display: 2.3 KB] ================================================ FILE: tools/thirdparty/jsonc/json_pointer.c ================================================ [File too large to display: 10.1 KB] ================================================ FILE: tools/thirdparty/jsonc/json_pointer.h ================================================ [File too large to display: 4.5 KB] ================================================ FILE: tools/thirdparty/jsonc/json_pointer_private.h ================================================ [File too large to display: 1.3 KB] ================================================ FILE: tools/thirdparty/jsonc/json_tokener.c ================================================ [File too large to display: 48.0 KB] ================================================ FILE: tools/thirdparty/jsonc/json_tokener.h ================================================ [File too large to display: 10.6 KB] ================================================ FILE: tools/thirdparty/jsonc/json_types.h ================================================ [File too large to display: 1.7 KB] ================================================ FILE: tools/thirdparty/jsonc/json_util.c ================================================ [File too large to display: 7.5 KB] ================================================ FILE: tools/thirdparty/jsonc/json_util.h ================================================ [File too large to display: 3.9 KB] ================================================ FILE: tools/thirdparty/jsonc/json_visit.c ================================================ [File too large to display: 4.4 KB] ================================================ FILE: tools/thirdparty/jsonc/json_visit.h ================================================ [File too large to display: 3.1 KB] ================================================ FILE: tools/thirdparty/jsonc/libjson.c ================================================ [File too large to display: 606 B] ================================================ FILE: tools/thirdparty/jsonc/linkhash.c ================================================ [File too large to display: 22.6 KB] ================================================ FILE: tools/thirdparty/jsonc/linkhash.h ================================================ [File too large to display: 12.3 KB] ================================================ FILE: tools/thirdparty/jsonc/math_compat.h ================================================ [File too large to display: 898 B] ================================================ FILE: tools/thirdparty/jsonc/printbuf.c ================================================ [File too large to display: 4.6 KB] ================================================ FILE: tools/thirdparty/jsonc/printbuf.h ================================================ [File too large to display: 4.4 KB] ================================================ FILE: tools/thirdparty/jsonc/random_seed.c ================================================ [File too large to display: 7.5 KB] ================================================ FILE: tools/thirdparty/jsonc/random_seed.h ================================================ [File too large to display: 506 B] ================================================ FILE: tools/thirdparty/jsonc/snprintf_compat.h ================================================ [File too large to display: 1003 B] ================================================ FILE: tools/thirdparty/jsonc/strdup_compat.h ================================================ [File too large to display: 363 B] ================================================ FILE: tools/thirdparty/jsonc/strerror_override.c ================================================ [File too large to display: 2.6 KB] ================================================ FILE: tools/thirdparty/jsonc/strerror_override.h ================================================ [File too large to display: 511 B] ================================================ FILE: tools/thirdparty/jsonc/vasprintf_compat.h ================================================ [File too large to display: 1.3 KB] ================================================ FILE: tools/thirdparty/maxminddb/LICENSE ================================================ [File too large to display: 11.1 KB] ================================================ FILE: tools/thirdparty/maxminddb/data-pool.c ================================================ [File too large to display: 4.1 KB] ================================================ FILE: tools/thirdparty/maxminddb/data-pool.h ================================================ [File too large to display: 1.8 KB] ================================================ FILE: tools/thirdparty/maxminddb/maxminddb-compat-util.h ================================================ [File too large to display: 6.4 KB] ================================================ FILE: tools/thirdparty/maxminddb/maxminddb.c ================================================ [File too large to display: 74.6 KB] ================================================ FILE: tools/thirdparty/maxminddb/maxminddb.h ================================================ [File too large to display: 7.6 KB] ================================================ FILE: tools/thirdparty/maxminddb/maxminddb_config.h ================================================ [File too large to display: 417 B] ================================================ FILE: tools/thirdparty/md5/LICENSE ================================================ [File too large to display: 287 B] ================================================ FILE: tools/thirdparty/md5/md5.c ================================================ [File too large to display: 7.1 KB] ================================================ FILE: tools/thirdparty/md5/md5.h ================================================ [File too large to display: 361 B] ================================================ FILE: tools/thirdparty/miniz/LICENSE ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/thirdparty/miniz/miniz.c ================================================ [File too large to display: 25.4 KB] ================================================ FILE: tools/thirdparty/miniz/miniz.h ================================================ [File too large to display: 27.4 KB] ================================================ FILE: tools/thirdparty/miniz/miniz_common.h ================================================ [File too large to display: 3.0 KB] ================================================ FILE: tools/thirdparty/miniz/miniz_tdef.c ================================================ [File too large to display: 73.6 KB] ================================================ FILE: tools/thirdparty/miniz/miniz_tdef.h ================================================ [File too large to display: 10.5 KB] ================================================ FILE: tools/thirdparty/miniz/miniz_tinfl.c ================================================ [File too large to display: 39.3 KB] ================================================ FILE: tools/thirdparty/miniz/miniz_tinfl.h ================================================ [File too large to display: 8.5 KB] ================================================ FILE: tools/thirdparty/miniz/miniz_zip.c ================================================ [File too large to display: 203.3 KB] ================================================ FILE: tools/thirdparty/miniz/miniz_zip.h ================================================ [File too large to display: 26.1 KB] ================================================ FILE: tools/thirdparty/mxml/LICENSE ================================================ [File too large to display: 11.1 KB] ================================================ FILE: tools/thirdparty/mxml/config.h ================================================ [File too large to display: 1.8 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-attr.c ================================================ [File too large to display: 7.1 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-file.c ================================================ [File too large to display: 59.8 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-get.c ================================================ [File too large to display: 8.9 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-index.c ================================================ [File too large to display: 10.7 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-node.c ================================================ [File too large to display: 23.7 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-options.c ================================================ [File too large to display: 13.8 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-private.c ================================================ [File too large to display: 5.9 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-private.h ================================================ [File too large to display: 4.1 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-search.c ================================================ [File too large to display: 6.4 KB] ================================================ FILE: tools/thirdparty/mxml/mxml-set.c ================================================ [File too large to display: 16.2 KB] ================================================ FILE: tools/thirdparty/mxml/mxml.h ================================================ [File too large to display: 11.3 KB] ================================================ FILE: tools/thirdparty/pcre/LICENCE ================================================ [File too large to display: 3.4 KB] ================================================ FILE: tools/thirdparty/pcre/README ================================================ [File too large to display: 42.2 KB] ================================================ FILE: tools/thirdparty/pcre/config.h ================================================ [File too large to display: 18.2 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2.h ================================================ [File too large to display: 50.4 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_auto_possess.c ================================================ [File too large to display: 40.9 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_chartables.c ================================================ [File too large to display: 7.6 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_chkdint.c ================================================ [File too large to display: 3.1 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_compile.c ================================================ [File too large to display: 360.1 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_compile.h ================================================ [File too large to display: 12.9 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_compile_class.c ================================================ [File too large to display: 74.2 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_config.c ================================================ [File too large to display: 7.6 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_context.c ================================================ [File too large to display: 16.9 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_convert.c ================================================ [File too large to display: 30.3 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_dfa_match.c ================================================ [File too large to display: 139.8 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_dftables.c ================================================ [File too large to display: 9.1 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_error.c ================================================ [File too large to display: 14.5 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_extuni.c ================================================ [File too large to display: 5.3 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_find_bracket.c ================================================ [File too large to display: 6.7 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_fuzzsupport.c ================================================ [File too large to display: 24.7 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_internal.h ================================================ [File too large to display: 101.1 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_intmodedep.h ================================================ [File too large to display: 38.7 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_jit_char_inc.h ================================================ [File too large to display: 64.6 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_jit_compile.c ================================================ [File too large to display: 422.9 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_jit_match.c ================================================ [File too large to display: 6.7 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_jit_misc.c ================================================ [File too large to display: 6.9 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_jit_neon_inc.h ================================================ [File too large to display: 8.5 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_jit_simd_inc.h ================================================ [File too large to display: 72.3 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_jit_test.c ================================================ [File too large to display: 107.9 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_maketables.c ================================================ [File too large to display: 6.4 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_match.c ================================================ [File too large to display: 240.8 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_match_data.c ================================================ [File too large to display: 6.1 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_newline.c ================================================ [File too large to display: 6.2 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_ord2utf.c ================================================ [File too large to display: 3.7 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_pattern_info.c ================================================ [File too large to display: 11.5 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_printint.c ================================================ [File too large to display: 29.2 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_script_run.c ================================================ [File too large to display: 11.6 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_serialize.c ================================================ [File too large to display: 9.8 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_string_utils.c ================================================ [File too large to display: 6.0 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_study.c ================================================ [File too large to display: 58.6 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_substitute.c ================================================ [File too large to display: 51.6 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_substring.c ================================================ [File too large to display: 18.0 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_tables.c ================================================ [File too large to display: 9.5 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_ucd.c ================================================ [File too large to display: 349.9 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_ucp.h ================================================ [File too large to display: 10.2 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_ucptables.c ================================================ [File too large to display: 62.5 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_util.h ================================================ [File too large to display: 5.7 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_valid_utf.c ================================================ [File too large to display: 12.8 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2_xclass.c ================================================ [File too large to display: 15.1 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2posix.c ================================================ [File too large to display: 14.3 KB] ================================================ FILE: tools/thirdparty/pcre/pcre2posix.h ================================================ [File too large to display: 7.2 KB] ================================================ FILE: tools/thirdparty/sha/LICENSE ================================================ [File too large to display: 793 B] ================================================ FILE: tools/thirdparty/sha/sha.c ================================================ [File too large to display: 6.0 KB] ================================================ FILE: tools/thirdparty/sha/sha.h ================================================ [File too large to display: 439 B] ================================================ FILE: tools/thirdparty/sha256/LICENSE ================================================ [File too large to display: 720 B] ================================================ FILE: tools/thirdparty/sha256/sha256.c ================================================ [File too large to display: 10.9 KB] ================================================ FILE: tools/thirdparty/sha256/sha256.h ================================================ [File too large to display: 449 B] ================================================ FILE: tools/thirdparty/ssdeep/COPYING.txt ================================================ [File too large to display: 17.6 KB] ================================================ FILE: tools/thirdparty/ssdeep/fuzzy.c ================================================ [File too large to display: 57.0 KB] ================================================ FILE: tools/thirdparty/ssdeep/fuzzy.h ================================================ [File too large to display: 7.9 KB] ================================================ FILE: tools/thirdparty/thirdparty.sln ================================================ [File too large to display: 1.7 KB] ================================================ FILE: tools/thirdparty/thirdparty.slnx ================================================ [File too large to display: 230 B] ================================================ FILE: tools/thirdparty/thirdparty.vcxproj ================================================ [File too large to display: 18.0 KB] ================================================ FILE: tools/thirdparty/thirdparty.vcxproj.filters ================================================ [File too large to display: 15.0 KB] ================================================ FILE: tools/thirdparty/tlsh/LICENSE ================================================ [File too large to display: 14.4 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh.cpp ================================================ [File too large to display: 7.4 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh.h ================================================ [File too large to display: 6.5 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh_impl.cpp ================================================ [File too large to display: 36.6 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh_impl.h ================================================ [File too large to display: 5.9 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh_util.cpp ================================================ [File too large to display: 218.8 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh_util.h ================================================ [File too large to display: 3.0 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh_win_version.h ================================================ [File too large to display: 721 B] ================================================ FILE: tools/thirdparty/tlsh/tlsh_wrapper.cpp ================================================ [File too large to display: 2.8 KB] ================================================ FILE: tools/thirdparty/tlsh/tlsh_wrapper.h ================================================ [File too large to display: 455 B] ================================================ FILE: tools/thirdparty/winsdk/cvconst.h ================================================ [File too large to display: 116.7 KB] ================================================ FILE: tools/thirdparty/winsdk/dia2.h ================================================ [File too large to display: 1.1 MB] ================================================ FILE: tools/thirdparty/winsdk/dia3.h ================================================ [File too large to display: 24.9 KB] ================================================ FILE: tools/thirdparty/xxhash/CHANGELOG ================================================ [File too large to display: 6.1 KB] ================================================ FILE: tools/thirdparty/xxhash/LICENSE ================================================ [File too large to display: 1.4 KB] ================================================ FILE: tools/thirdparty/xxhash/xxhash.c ================================================ [File too large to display: 2.1 KB] ================================================ FILE: tools/thirdparty/xxhash/xxhash.h ================================================ [File too large to display: 272.9 KB] ================================================ FILE: tools/thirdparty/xxhash/xxhashwrapper.c ================================================ [File too large to display: 5.5 KB] ================================================ FILE: tools/thirdparty/xxhash/xxhashwrapper.h ================================================ [File too large to display: 2.3 KB] ================================================ FILE: tools/thirdparty/zydis/LICENSE ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/thirdparty/zydis/Zydis.c ================================================ [File too large to display: 11.4 MB] ================================================ FILE: tools/thirdparty/zydis/Zydis.h ================================================ [File too large to display: 399.4 KB] ================================================ FILE: tools/versioning/build_version.cmd ================================================ [File too large to display: 1.1 KB] ================================================ FILE: tools/versioning/version.rc ================================================ [File too large to display: 2.0 KB]